diff --git a/README.md b/README.md index ec556fc221..5632320da9 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ docs/ ├── docs/ # Documentation content │ ├── 1secure/ # 1Secure product docs │ ├── usercube/ # UserCube on-premises docs -│ ├── usercube_saas/ # UserCube SaaS docs +│ ├── usercube/saas/ # UserCube SaaS docs │ ├── strongpoint*/ # StrongPoint product variants │ └── [other-products]/ # Other product documentation ├── static/ # Static assets (images, files) diff --git a/docs/1secure/admin/alerts/index.md b/docs/1secure/admin/alerts/index.md index 29a76056ba..bbbc247313 100644 --- a/docs/1secure/admin/alerts/index.md +++ b/docs/1secure/admin/alerts/index.md @@ -18,7 +18,7 @@ impact your organization's security, enabling you to respond swiftly to potentia You can access the generated alerts in the following ways: - View the alerts generated for an organization on the Netwrix 1Secure dashboard. See the - [1Secure Dashboard](../dashboard/index.md) topic for additional information. + [1Secure Dashboard](/docs/1secure/admin/dashboard/index.md) topic for additional information. - Receive alerts as email notifications sent to the specified email address(es). See the [Manage Delivery Settings for an Alert Profile](profiles.md#manage-delivery-settings-for-an-alert-profile) topic for setting up email notifications. @@ -29,7 +29,7 @@ Follow the steps to view the alerts within an alert profile. **Step 2 –** Click an alert profile. The alerts for the profile are displayed in a list. -![Alerts List within an alert profile](../../../../static/img/product_docs/1secure/admin/alerts/alertslist.webp) +![Alerts List within an alert profile](/img/product_docs/1secure/admin/alerts/alertslist.webp) You can view the following for each alert in the list: 
@@ -57,10 +57,10 @@ Follow the steps to add a custom alert. **Step 3 –** Click **Add**. The New Alert pane is displayed. -![New Alert Pane](../../../../static/img/product_docs/1secure/admin/alerts/addcustomalert.webp) +![New Alert Pane](/img/product_docs/1secure/admin/alerts/addcustomalert.webp) **Step 4 –** Select a custom report from the Report drop-down menu to trigger the alert when a new -record is generated for the report. See the [ Custom Reports](../searchandreports/customreports.md) +record is generated for the report. See the [ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. **Step 5 –** Specify a name and description for the alert. diff --git a/docs/1secure/admin/alerts/profiles.md b/docs/1secure/admin/alerts/profiles.md index 2aadd0ca2b..d66ca68180 100644 --- a/docs/1secure/admin/alerts/profiles.md +++ b/docs/1secure/admin/alerts/profiles.md @@ -16,7 +16,7 @@ receive notifications when alerts in the profile are triggered. To view the alert profiles, navigate to Configuration > Alerts. -![Alert Profiles List](../../../../static/img/product_docs/1secure/admin/alerts/alertsprofiles.webp) +![Alert Profiles List](/img/product_docs/1secure/admin/alerts/alertsprofiles.webp) Alert profiles are displayed in the list with the following information: 
@@ -36,17 +36,17 @@ Follow the steps to add an alert profile. **Step 2 –** Click **Add profile**. The New alert profile pane is displayed. -![New Alert Profile pane](../../../../static/img/product_docs/1secure/admin/alerts/addalertprofile.webp) +![New Alert Profile pane](/img/product_docs/1secure/admin/alerts/addalertprofile.webp) **Step 3 –** Enter a name for the alert profile in the Name field and click **Save**. The alert profile is added to the list. You can: - Assign this profile to an organization. You can do this when creating a new organization or - editing an organization. See the [Add Organizations](../organizations/addorganizations.md) topic + editing an organization. See the [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. - Click the profile to review the list of alerts, enable the desired alerts, make necessary edits - for alerts, and set delivery settings for the alert profile. See [Alerts](index.md) topic for + for alerts, and set delivery settings for the alert profile. See [Alerts](/docs/1secure/admin/alerts/index.md) topic for additional information. ## Modify the Name of an Alert Profile @@ -90,7 +90,7 @@ Follow the steps to configure alerts by email. **Step 3 –** Click the Email icon under Delivery Settings. The Email Delivery Settings pane is displayed. -![Email Delivery Settings pane](../../../../static/img/product_docs/1secure/admin/alerts/alertsemaildelivery.webp) +![Email Delivery Settings pane](/img/product_docs/1secure/admin/alerts/alertsemaildelivery.webp) **Step 4 –** . Toggle the Enabled switch to ON to enable email notifications for the alert profile. @@ -103,4 +103,4 @@ organization admins by email. **Step 7 –** Click Save. You may also link to a third-party ticketing system. See the -[Third-party systems](../../integrations/index.md) topic for additional information. +[Third-party systems](/docs/1secure/integrations/index.md) topic for additional information. 
diff --git a/docs/1secure/admin/alerts/timeline.md b/docs/1secure/admin/alerts/timeline.md index 5c5ef964e7..2de67445e6 100644 --- a/docs/1secure/admin/alerts/timeline.md +++ b/docs/1secure/admin/alerts/timeline.md @@ -24,7 +24,7 @@ To access the Alerts Timeline page, click **Home** at the top and do one of the page, then click the Alerts Timeline chart. It opens the Alerts Timeline page that displays alert-related data for the organization selected in the organizations list. -![Alerts Timeline Page](../../../../static/img/product_docs/1secure/admin/dashboard/alertstimeline.webp) +![Alerts Timeline Page](/img/product_docs/1secure/admin/dashboard/alertstimeline.webp) If you are a managed organization user, this page displays insights specific to your organization. @@ -74,7 +74,7 @@ This section lists all the triggered alerts with the following information: user, etc. - Activity Records – Click the Activity Records link for an alert to navigate to the Activity page, where you can view a detailed report for that alert type. See the - [Activity Reports](../searchandreports/activity.md) topic for additional information. + [Activity Reports](/docs/1secure/admin/searchandreports/activity.md) topic for additional information. Click a column header to sort data in the alerts list by that column in ascending order. An arrow appears next to the column name to indicate the sort order. Click the column header again to sort @@ -83,7 +83,7 @@ the data in descending order. Edit Alerts Settings Click the **Edit Alerts Settings** link to navigate to the Alerts page, where you can create a new -alert and modify existing ones. See the [Alerts](index.md) topic for additional +alert and modify existing ones. See the [Alerts](/docs/1secure/admin/alerts/index.md) topic for additional information. ## Filter Data diff --git a/docs/1secure/admin/dashboard/index.md b/docs/1secure/admin/dashboard/index.md index 2cf9b0cb8d..bdc51fa674 100644 --- a/docs/1secure/admin/dashboard/index.md 
+++ b/docs/1secure/admin/dashboard/index.md @@ -14,15 +14,15 @@ organizations, enabling managing organizations, such as Managed Service Provider identify and prioritize what requires immediate attention. It displays the alerts triggered by specific events, offering drill-down capabilities that enable you to access detailed information on specific alerts and issues, ensuring timely and effective responses. See the -[Alerts](../alerts) topic for additional information on alerts. +[Alerts](/docs/1secure/admin/alerts) topic for additional information on alerts. Click **Home** at the top of the page to access the dashboard. This page is also the default landing page of the application when you sign in. -![Dashboard Page for managing user](../../../../static/img/product_docs/1secure/admin/dashboard/dashboardpage.webp) +![Dashboard Page for managing user](/img/product_docs/1secure/admin/dashboard/dashboardpage.webp) If you are a managed organization user, this page displays insights specific to your organization. -See the [Organization Statistics](organizationstatistics.md) topic for additional information. +See the [Organization Statistics](/docs/1secure/admin/dashboard/organizationstatistics.md) topic for additional information. If you are a managing organization (MSP) user, this page provides insights for all your organizations. 
@@ -31,21 +31,21 @@ Top 5 Triggered Alerts by Type This card displays a bar chart that highlights the five most frequently triggered alert types. Hover over a bar to view the exact number of alerts for that type. Click a bar to navigate to the Alerts -Timeline page. See the [Alerts Timeline](../alerts/timeline.md) topic for additional information. +Timeline page. See the [Alerts Timeline](/docs/1secure/admin/alerts/timeline.md) topic for additional information. Top 5 Organizations with Most Alerts This card displays a bar chart that highlights the five organizations with the highest number of triggered alerts. Hover over a bar to view the exact number of alerts triggered for that organization. Click a bar to navigate to the Alerts Timeline page. See the -[Alerts Timeline](../alerts/timeline.md) topic for additional information. +[Alerts Timeline](/docs/1secure/admin/alerts/timeline.md) topic for additional information. Top 5 Organizations at Risk This card lists the five organizations with the highest risk levels. Each record includes the organization’s name, risk level (high, medium, or low), and the number of risks detected. Click a record to navigate to the Risk Assessment dashboard. See the -[Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) topic for additional +[Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic for additional information. Health Status 
@@ -58,20 +58,20 @@ Organizations List This section lists all managed organizations with the following information: - Name – Displays the name of an organization. Click an organization name to navigate to the - Organization Statistics page. See the [Organization Statistics](organizationstatistics.md) topic + Organization Statistics page. See the [Organization Statistics](/docs/1secure/admin/dashboard/organizationstatistics.md) topic for additional information. - Alerts – Displays the total number of alerts triggered for the organization. Click the value to - navigate to the Alerts Timeline page. See the [Alerts Timeline](../alerts/timeline.md) topic for + navigate to the Alerts Timeline page. See the [Alerts Timeline](/docs/1secure/admin/alerts/timeline.md) topic for additional information. - Risk Level – Displays the risk level for the organization such as, high, medium, or low. Click the value to navigate to the Risk Assessment dashboard. See the - [Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) topic for additional + [Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic for additional information. - Users – Displays the total number of users in the organization along with their percentage share with respect to the total number of users in the managed organizations (tenant) in 1Secure. Click the value to navigate to the Billable Users page. See the - [System Reports](../searchandreports/system.md) topic for additional information. + [System Reports](/docs/1secure/admin/searchandreports/system.md) topic for additional information. - Status – Displays the current health status of the organization, which can be: Healthy, Trial in Progress, New, Update Recommended, Needs Attention, Experiencing Issues, Offline, Disabled, Not Configured, and Pending Deletion. Click the value to navigate to the Health Status for 
@@ -85,7 +85,7 @@ to sort the data in descending order. Add Organization Click the Add Organization button to add a new organization. See the -[Add Organizations](../organizations/addorganizations.md) topic for additional information. +[Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. ## Filter Data diff --git a/docs/1secure/admin/dashboard/organizationstatistics.md b/docs/1secure/admin/dashboard/organizationstatistics.md index 094a5c6203..eb66694d2c 100644 --- a/docs/1secure/admin/dashboard/organizationstatistics.md +++ b/docs/1secure/admin/dashboard/organizationstatistics.md @@ -17,7 +17,7 @@ identify any potential vulnerabilities or areas for improvement. To view an organization's statistics, click **Home** in the top bar. On the dashboard, click an organization name in the Organizations list to open the Statistics page for it. -![Organization Statistics Page](../../../../static/img/product_docs/1secure/admin/dashboard/organizationstatistics.webp) +![Organization Statistics Page](/img/product_docs/1secure/admin/dashboard/organizationstatistics.webp) You can view the following insights for an organization. @@ -31,7 +31,7 @@ here to view the statistics for that Organization. This link displays the total number of users in the organization along with their percentage share with respect to the total number of users in the managed organizations (tenant) in 1Secure. Click the value to navigate to the Billable Users page. See the -[System Reports](../searchandreports/system.md) topic for additional information. +[System Reports](/docs/1secure/admin/searchandreports/system.md) topic for additional information. ## Health Status 
@@ -43,34 +43,34 @@ the organization. ## New Investigation Click the **New Investigation** card to navigate to the New Investigation page where you can create -a new investigation (custom report). See the [ Custom Reports](../searchandreports/customreports.md) +a new investigation (custom report). See the [ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. ## Risk Assessment This card displays the risk level for the organization, such as high, medium, or low. Click the card to navigate to the Risk Assessment page for the selected organization. See the -[Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) topic for additional +[Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic for additional information. ## Saved Custom Reports This card displays a list of custom reports created for the organization. See the -[ Custom Reports](../searchandreports/customreports.md) topic for additional information. +[ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. ## Alerts Timeline This card displays a line chart illustrating the number of alerts triggered during the past three months. Hover over a point on the chart to view the exact number of alerts triggered on any specific date. Click a point on the chart to navigate to the Alerts Timeline page. See the -[Alerts Timeline](../alerts/timeline.md) topic for additional information. +[Alerts Timeline](/docs/1secure/admin/alerts/timeline.md) topic for additional information. ## Changes By Date This card displays a line chart illustrating the number of changes made to monitored objects during the past three months. Hover over a point on the chart to view the exact number of changes made on any specific date. Click a point on the chart to navigate to the Activity page, where you can view -the complete Changes by Date report. 
See the [Activity Reports](../searchandreports/activity.md) +the complete Changes by Date report. See the [Activity Reports](/docs/1secure/admin/searchandreports/activity.md) topic for additional information on the Changes by Date report. ## Failed Logon Activity Trend @@ -79,7 +79,7 @@ This card displays a line chart illustrating the number of failed logon attempts during the past 3 months. Hover over a point on the chart to view the exact number of failed logon attempts on any specific date. Click a point on the chart to navigate to the Activity page, where you can view the complete Failed Logons report. See the -[Activity Reports](../searchandreports/activity.md) topic for additional information on the Failed +[Activity Reports](/docs/1secure/admin/searchandreports/activity.md) topic for additional information on the Failed Logons report. ## Accounts with Most Logon Activity (Past 7 Days) @@ -88,7 +88,7 @@ This card displays a bar chart highlighting the accounts with the highest number to the environment during the past 7 days. Each account is represented by a bar. Hover over a bar to view the exact number of logon attempts for that account. Click a bar to navigate to the Activity page, where you can view the complete All Logon Activity report. See the -[Activity Reports](../searchandreports/activity.md) topic for additional information on the All +[Activity Reports](/docs/1secure/admin/searchandreports/activity.md) topic for additional information on the All Logon Activity report. ## Who Made Most Changes (Past 7 Days) 
@@ -97,7 +97,7 @@ This card displays a bar chart highlighting the users who made the most changes during the past 7 days. Each user account is represented by a bar. Hover over a bar to view the exact number of changes by that user account. Click a bar to navigate to the Activity page, where you can view the complete Changes by User report. See the -[Activity Reports](../searchandreports/activity.md) topic for additional information on the Changes +[Activity Reports](/docs/1secure/admin/searchandreports/activity.md) topic for additional information on the Changes by User report. ## Organization Configuration diff --git a/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md b/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md index e1bd17e0e4..9491a3dee5 100644 --- a/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md +++ b/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md 
@@ -25,10 +25,10 @@ following aspects: | | | | -------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | In the target domain | Account Permission Required | -| Do you plan to use [Network Traffic Compression](../../../configuration/networktrafficcompression.md) for data processing? | If **YES**, account must belong to Domain Admin group. If **NO**, add an account to 'Manage auditing and security log' policy. See [Configure the Manage Auditing and Security Log Policy](manageauditingsecuritylog.md) for more information. | -| Do you plan to use AD Deleted Objects container for data processing? | If **YES**, account requires Read permission on the read container. See [Granting Permissions for 'Deleted Objects' Container](permissionsadcontainer.md) topic for more information. | -| Is auto-backup _enabled_ for the domain controller event logs? | If **YES**, account needs the following: - Access to specific registry key on the domain controllers. See[Assigning Permission To Read the Registry Key](permissionsregistrykeys.md) for additional information. - Membership in either Administrators, Print Operators, or Server Operators group. - Read/Write and Full Control permissions on the logs back up folder. | -| Is there an on-premises Exchange server in your Active Directory domain? | If **YES**, account needs the following: - Membership in the **Organization Management** or **Records Management** group or having Audit Logs management role. 
See [Assigning Management Roles](auditlogsrole.md) topic for additional information. - Adjustment of the Exchange Administrator Audit Logging settings. See [Configure Exchange Administrator Audit Logging Settings](auditlogging.md) topic for additional information. | +| Do you plan to use [Network Traffic Compression](/docs/1secure/configuration/networktrafficcompression.md) for data processing? | If **YES**, account must belong to Domain Admin group. If **NO**, add an account to 'Manage auditing and security log' policy. See [Configure the Manage Auditing and Security Log Policy](/docs/1secure/admin/datacollection/activedirectory/manageauditingsecuritylog.md) for more information. | +| Do you plan to use AD Deleted Objects container for data processing? | If **YES**, account requires Read permission on the read container. See [Granting Permissions for 'Deleted Objects' Container](/docs/1secure/admin/datacollection/activedirectory/permissionsadcontainer.md) topic for more information. | +| Is auto-backup _enabled_ for the domain controller event logs? | If **YES**, account needs the following: - Access to specific registry key on the domain controllers. See[Assigning Permission To Read the Registry Key](/docs/1secure/admin/datacollection/activedirectory/permissionsregistrykeys.md) for additional information. - Membership in either Administrators, Print Operators, or Server Operators group. - Read/Write and Full Control permissions on the logs back up folder. | +| Is there an on-premises Exchange server in your Active Directory domain? | If **YES**, account needs the following: - Membership in the **Organization Management** or **Records Management** group or having Audit Logs management role. See [Assigning Management Roles](/docs/1secure/admin/datacollection/activedirectory/auditlogsrole.md) topic for additional information. - Adjustment of the Exchange Administrator Audit Logging settings. 
See [Configure Exchange Administrator Audit Logging Settings](/docs/1secure/admin/datacollection/activedirectory/auditlogging.md) topic for additional information. | ## Use GMSA @@ -40,6 +40,6 @@ your on-premise Exchange server will not be possible. Thus, changes made to your domain via that Exchange server will be reported with _domain\\Exchange_server_name$_ instead of the initiator (user) name in the "_Who_" field of reports, search results and activity summaries. -For more information on gMSA, refer to [Using Group Managed Service Account (gMSA)](../gmsa.md) +For more information on gMSA, refer to [Using Group Managed Service Account (gMSA)](/docs/1secure/admin/datacollection/gmsa.md) and to [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). diff --git a/docs/1secure/admin/datacollection/activedirectory/logonasbatch.md b/docs/1secure/admin/datacollection/activedirectory/logonasbatch.md index d3f8b964e9..c0249a06bc 100644 --- a/docs/1secure/admin/datacollection/activedirectory/logonasbatch.md +++ b/docs/1secure/admin/datacollection/activedirectory/logonasbatch.md @@ -27,7 +27,7 @@ Administrative Tools (Windows 2012) and select Local Security Policy. **Step 2 –** Navigate to **Security Settings → Local Policies → User Rights Assignment** and locate the **Log on as a batch job** policy. -![manualconfig_ws_logonasbatch](../../../../../static/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) +![manualconfig_ws_logonasbatch](/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) **Step 3 –** Double-click the **Log on as a batch job** policy, and click **Add User or Group**. Specify the account that you want to define this policy for. 
diff --git a/docs/1secure/admin/datacollection/computer/index.md b/docs/1secure/admin/datacollection/computer/index.md index e3bfa6b4c2..4c6bd24073 100644 --- a/docs/1secure/admin/datacollection/computer/index.md +++ b/docs/1secure/admin/datacollection/computer/index.md @@ -16,8 +16,8 @@ Data Collection Accounts should meet the following policies and permissions: - The \_**\_Manage auditing and security log\_\_**and Backup files and directories policies must be defined for this account. See the - [Configure the Manage Auditing and Security Log Policy](../activedirectory/manageauditingsecuritylog.md) - and [Configure the Back up Files and Directories Policy](backupfilesdirectories.md) topics for + [Configure the Manage Auditing and Security Log Policy](/docs/1secure/admin/datacollection/activedirectory/manageauditingsecuritylog.md) + and [Configure the Back up Files and Directories Policy](/docs/1secure/admin/datacollection/computer/backupfilesdirectories.md) topics for additional information. - The **Read** share permission on the audited shared folders. - The **Read** NTFS permission on all objects in the audited folders. @@ -28,7 +28,7 @@ server must be a member of the local Administrators group. You can also use group Managed Service Accounts (gMSA) as a data collecting account. For more information on gMSA, see the following: -- [Using Group Managed Service Account (gMSA)](../gmsa.md) +- [Using Group Managed Service Account (gMSA)](/docs/1secure/admin/datacollection/gmsa.md) - Microsoft article: [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) diff --git a/docs/1secure/admin/datacollection/datacollectingaccount.md b/docs/1secure/admin/datacollection/datacollectingaccount.md index 9c82edde25..531c9c5951 100644 --- a/docs/1secure/admin/datacollection/datacollectingaccount.md +++ b/docs/1secure/admin/datacollection/datacollectingaccount.md 
@@ -15,14 +15,14 @@ service account for that purpose. Depending on the data source and connector, th the corresponding requirements (see the table below). You can use group Managed Service Account (gMSA) as data collecting account. See the -[Using Group Managed Service Account (gMSA)](gmsa.md) topic for additional information. +[Using Group Managed Service Account (gMSA)](/docs/1secure/admin/datacollection/gmsa.md) topic for additional information. Currently, the following data sources are supported: | Data source | Provided connectors | Required rights and permissions: | | ----------------- | ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| Active Directory | Active Directory Activity Active Directory Logons | [Active Directory Auditing](activedirectory/activedirectoryauditing.md) [Logon Activity Auditing](logonactivity/index.md) | -| Azure AD | Azure AD Activity Azure AD Logons | [Microsoft Entra ID Auditing](entraid.md) | -| Computer | File Server Activity | [Computer Auditing](computer/index.md) | -| SharePoint Online | SharePoint Online Activity | [SharePoint Online Auditing](sharepointonline.md) | -| Exchange Online | Exchange Online Activity | [Exchange Online Auditing](exchangeonline.md) | +| Active Directory | Active Directory Activity Active Directory Logons | [Active Directory Auditing](/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md) [Logon Activity Auditing](/docs/1secure/admin/datacollection/logonactivity/index.md) | +| Azure AD | Azure AD Activity Azure AD Logons | [Microsoft Entra ID Auditing](/docs/1secure/admin/datacollection/entraid.md) | +| Computer | File Server Activity | [Computer Auditing](/docs/1secure/admin/datacollection/computer/index.md) | +| SharePoint Online | SharePoint Online Activity | [SharePoint Online 
Auditing](/docs/1secure/admin/datacollection/sharepointonline.md) | +| Exchange Online | Exchange Online Activity | [Exchange Online Auditing](/docs/1secure/admin/datacollection/exchangeonline.md) | diff --git a/docs/1secure/admin/datacollection/entraid.md b/docs/1secure/admin/datacollection/entraid.md index fb9be3ce4d..8ffca6475d 100644 --- a/docs/1secure/admin/datacollection/entraid.md +++ b/docs/1secure/admin/datacollection/entraid.md @@ -24,5 +24,5 @@ settings to Netwrix 1Secure when configuring a monitored item. Support for modern authentication will allow you to audit the organizations where MFA is enabled for all users, including service accounts. See the -[App Registration and Configuration in Microsoft Entra ID](../../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. diff --git a/docs/1secure/admin/datacollection/exchangeonline.md b/docs/1secure/admin/datacollection/exchangeonline.md index 30dcf28d39..f3cc48101b 100644 --- a/docs/1secure/admin/datacollection/exchangeonline.md +++ b/docs/1secure/admin/datacollection/exchangeonline.md @@ -16,5 +16,5 @@ tenant) settings. Netwrix 1Secure will access the cloud-based Office 365 infrastructure using a dedicated Microsoft Entra ID application, formerly Azure AD. This app should be created manually by user with administrative role and assigned required permissions. See the -[App Registration and Configuration in Microsoft Entra ID](../../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. diff --git a/docs/1secure/admin/datacollection/gmsa.md b/docs/1secure/admin/datacollection/gmsa.md index fd23e3b51a..4cd7d3dd4a 100644 --- a/docs/1secure/admin/datacollection/gmsa.md +++ b/docs/1secure/admin/datacollection/gmsa.md 
@@ -71,7 +71,7 @@ When creating a new gMSA, you will need to specify: 1. Your Netwrix Cloud Agent host 2. If you are going to collect data using the network traffic compression (see the following section for more information: - [Network Traffic Compression](../../configuration/networktrafficcompression.md)), provide the + [Network Traffic Compression](/docs/1secure/configuration/networktrafficcompression.md)), provide the following: - For Logon Activity — domain controllers of the monitored domain @@ -97,4 +97,4 @@ To create a new gMSA in the root domain using PowerShell: ended with $, here __NCASrv$\_\_ To learn about the data collecting account, which collects data from the monitored items, go -to [Data Collecting Account](datacollectingaccount.md) article. +to [Data Collecting Account](/docs/1secure/admin/datacollection/datacollectingaccount.md) article. diff --git a/docs/1secure/admin/datacollection/logonactivity/index.md b/docs/1secure/admin/datacollection/logonactivity/index.md index 2d75c8e5c9..24c5fb042b 100644 --- a/docs/1secure/admin/datacollection/logonactivity/index.md +++ b/docs/1secure/admin/datacollection/logonactivity/index.md @@ -20,5 +20,5 @@ required: group; - If network traffic compression is disabled, then you can choose between account which belongs to the Domain Admins group or non-administrative account. See - [Configure Non-Administrative Account to Collect Logon Activity ](nondomainadmin.md)for more + [Configure Non-Administrative Account to Collect Logon Activity ](/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md)for more information; diff --git a/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md b/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md index 912d9a05f9..2690ac4a17 100644 --- a/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md +++ b/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md 
@@ -23,10 +23,10 @@ Do the following: **Step 1 –** Create a domain user with the following privileges: - Back up files and directories. - [Configure the Back up Files and Directories Policy](../computer/backupfilesdirectories.md) -- Log on as a batch job. [Define Log On As a Batch Job Policy](../activedirectory/logonasbatch.md) + [Configure the Back up Files and Directories Policy](/docs/1secure/admin/datacollection/computer/backupfilesdirectories.md) +- Log on as a batch job. [Define Log On As a Batch Job Policy](/docs/1secure/admin/datacollection/activedirectory/logonasbatch.md) - Manage auditing and security log. - [Configure the Manage Auditing and Security Log Policy](../activedirectory/manageauditingsecuritylog.md) + [Configure the Manage Auditing and Security Log Policy](/docs/1secure/admin/datacollection/activedirectory/manageauditingsecuritylog.md) **Step 2 –** Grant the _Read_ permission on the following registry keys to this user: @@ -34,5 +34,5 @@ Do the following: - `HKEY_LOCAL_MACHINE`\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg - `HKEY_LOCAL_MACHINE`\SYSTEM\CurrentControlSet\Services\EventLog\Security -[Assigning Permission To Read the Registry Key](../activedirectory/permissionsregistrykeys.md) how +[Assigning Permission To Read the Registry Key](/docs/1secure/admin/datacollection/activedirectory/permissionsregistrykeys.md) how to do it using Registry Editor. diff --git a/docs/1secure/admin/datacollection/sharepointonline.md b/docs/1secure/admin/datacollection/sharepointonline.md index 12dc134e87..2acd515b8b 100644 --- a/docs/1secure/admin/datacollection/sharepointonline.md +++ b/docs/1secure/admin/datacollection/sharepointonline.md 
@@ -13,7 +13,7 @@ Netwrix 1Secure allows you to audit Office 365 organizations that have establish authentication as their identity management approach, including support for [multi-factor authentication (MFA)](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks). See the Microsoft -[App Registration and Configuration in Microsoft Entra ID](../../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) article for additional information. In this scenario, Netwrix 1Secure will access the cloud-based infrastructure via Microsoft Graph and @@ -25,7 +25,7 @@ app and provide its settings to Netwrix 1Securewhen adding a SharePoint Online d Support for modern authentication will allow you to audit the organizations where MFA is enabled for all users, including service accounts. See the -[App Registration and Configuration in Microsoft Entra ID](../../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. ## Configure SharePoint Online Auditing @@ -37,7 +37,7 @@ administrative role will be required: Microsoft Entra ID application should be created manually by user with administrative role and assigned required permissions. This app will allow you to collect activity. See the -[App Registration and Configuration in Microsoft Entra ID](../../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. ## diff --git a/docs/1secure/admin/login.md b/docs/1secure/admin/login.md index 936c9fa14d..87a0eab569 100644 --- a/docs/1secure/admin/login.md +++ b/docs/1secure/admin/login.md 
@@ -21,7 +21,7 @@ This email includes a unique access link to product’s web portal. You need to via the link within 2 days. If it expires, you will need to follow the link and request a new activation link. -![accountactivation](../../../static/img/product_docs/1secure/admin/login/accountactivation.webp) +![accountactivation](/img/product_docs/1secure/admin/login/accountactivation.webp) ## Activate an Account @@ -34,7 +34,7 @@ Follow the steps to activate an account: The Change Your Password page is displayed. -![Change Your Password page](../../../static/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) +![Change Your Password page](/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) **Step 2 –** In the **New password** field, enter a password to set for your account. 
@@ -53,21 +53,21 @@ Follow the steps to log in to 1Secure. **Step 1 –** Open the invitation email and click the Netwrix 1Secure tenant link. You are navigated to the 1Secure login page. -![Log In page](../../../static/img/product_docs/1secure/admin/login/companylogin.webp) +![Log In page](/img/product_docs/1secure/admin/login/companylogin.webp) **Step 2 –** On the login page, click the **Log In** button. **Step 3 –** In the Email address field, specify a valid email address registered with 1Secure, then click **Continue**. The Enter Your Password page is displayed. -![Enter Your Password page](../../../static/img/product_docs/1secure/admin/login/passwordpage.webp) +![Enter Your Password page](/img/product_docs/1secure/admin/login/passwordpage.webp) **Step 4 –** In the Password field, specify the valid password for the email address, then click **Continue**. The Keep Your Account Safe page is displayed, prompting you to choose an authentication method. When logging in for the first time, you must authorize your account using multi-factor authentication. -![Keep Your Account Safe page](../../../static/img/product_docs/1secure/admin/login/authenticationmethods.webp) +![Keep Your Account Safe page](/img/product_docs/1secure/admin/login/authenticationmethods.webp) **Step 5 –** Click **Google Authenticator or Similar** or **Security Key** to select an authentication method. After that, one of the following happens: @@ -82,7 +82,7 @@ authentication method. After that, one of the following happens: article for additional information. After successful authorization, You are redirected to the dashboard. See the -[1Secure Dashboard](dashboard/index.md) topic for additional information. +[1Secure Dashboard](/docs/1secure/admin/dashboard/index.md) topic for additional information. Once the initial login is completed, an MSP can configure Single Sign On (SSO) using supported authentication services, including Entra ID, 1Secure Authentication, or OpenID Connect. See the 
@@ -100,11 +100,11 @@ Follow the steps to reset the password of an account: **Step 3 –** In the Email address field, specify a valid email address registered with 1Secure, then click **Continue**. The Enter Your Password page is displayed. -![Enter Your Password page](../../../static/img/product_docs/1secure/admin/login/passwordpage.webp) +![Enter Your Password page](/img/product_docs/1secure/admin/login/passwordpage.webp) **Step 4 –** Click the **Forgot password** link. The Change Your Password page is displayed. -![Change Your Password page](../../../static/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) +![Change Your Password page](/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) **Step 5 –** In the **New password** field, enter a password to set for your account. @@ -133,12 +133,12 @@ When the Netwrix team adds a new user account for your organization, you will re invitation. This email will be sent from "noreply-account@netwrix.com" and will have the subject "Welcome to Netwrix 1Secure". -![1Secure Invitation Email](../../../static/img/product_docs/1secure/admin/login/1secureinvitation%28sso%29.webp) +![1Secure Invitation Email](/img/product_docs/1secure/admin/login/1secureinvitation(sso).webp) **Step 1 –** Click **Access 1Secure** button in the invitation email. You are navigated to the 1Secure login page. -![Log In page](../../../static/img/product_docs/1secure/admin/login/companylogin.webp) +![Log In page](/img/product_docs/1secure/admin/login/companylogin.webp) **Step 2 –** On the login page, click the **Log In** button. 
@@ -162,7 +162,7 @@ following authentication services: **NOTE:** When you first log in to 1Secure, SSO is not enabled, and 1Secure Authentication is applied by default. This method requires Multi-factor authentication (MFA) to verify your identity -for secure access. See the [Log In](index.md) topic for additional information on +for secure access. See the [Log In](/docs/1secure/admin/index.md) topic for additional information on Multi-factor authentication. #### Configure SSO with Microsoft Entra ID Authentication @@ -174,14 +174,14 @@ that lists the managed organizations defined in 1Secure. **Step 2 –** In the left pane, click **My organization**. The My organization page is displayed -![My Organization page](../../../static/img/product_docs/1secure/admin/login/myorg_authentication.webp) +![My Organization page](/img/product_docs/1secure/admin/login/myorg_authentication.webp) **Step 3 –** Under Authentication section, click **Edit Settings**. The Authentication settings pane is displayed. **Step 4 –** In Method drop-down menu, select **Entra ID**. -![Authentication Settings pane](../../../static/img/product_docs/1secure/admin/login/entraidauth.webp) +![Authentication Settings pane](/img/product_docs/1secure/admin/login/entraidauth.webp) **Step 5 –** In Client ID field, specify the client ID of the app registered in Microsoft Entra ID. See the 
@@ -200,14 +200,14 @@ that lists the managed organizations defined in 1Secure. **Step 2 –** In the left pane, click **My organization**. The My organization page is displayed -![My Organization page](../../../static/img/product_docs/1secure/admin/login/myorg_authentication.webp) +![My Organization page](/img/product_docs/1secure/admin/login/myorg_authentication.webp) **Step 3 –** Under Authentication section, click **Edit Settings**. The Authentication settings pane is displayed. **Step 4 –** In Method drop-down menu, select **OpenID Connect**. -![Authentication Settings pane](../../../static/img/product_docs/1secure/admin/login/openidconnectauth.webp) +![Authentication Settings pane](/img/product_docs/1secure/admin/login/openidconnectauth.webp) **Step 5 –** In Client ID field, specify the client ID of the OpenID application that 1Secure uses to communicate with the OpenID provider. @@ -246,4 +246,4 @@ It is recommended to copy these settings and keep them safe. - Application (client) ID – A client ID for the registered application - Directory (tenant) ID – A tenant ID for the registered application - Client Secret – A client secret value generated when a new client secret key is created for the - registered application. See the [Generate Client Secret Value](../configuration/entraid/registerconfig.md#generate-client-secret-value) topic for additional information. \ No newline at end of file + registered application. See the [Generate Client Secret Value](/docs/1secure/configuration/entraid/registerconfig.md#generate-client-secret-value) topic for additional information. \ No newline at end of file diff --git a/docs/1secure/admin/organizations/addingusers.md b/docs/1secure/admin/organizations/addingusers.md index 82ca01515a..274dc4a6ca 100644 --- a/docs/1secure/admin/organizations/addingusers.md +++ b/docs/1secure/admin/organizations/addingusers.md 
@@ -18,14 +18,14 @@ include: - Viewer You can add users both in Managing Organization and in Managed Organization. See the -[Manage Organizations](index.md) topic for additional information. +[Manage Organizations](/docs/1secure/admin/organizations/index.md) topic for additional information. Image keys: | Icon | Description | | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------- | -| ![deletebutton](../../../../static/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin Icon to delete the user. | -| ![editbutton](../../../../static/img/product_docs/1secure/admin/organizations/editbutton.webp) | Edit icon. Click the Edit Icon to edit the user data. | +| ![deletebutton](/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin Icon to delete the user. | +| ![editbutton](/img/product_docs/1secure/admin/organizations/editbutton.webp) | Edit icon. Click the Edit Icon to edit the user data. | ## Add Users to Managing Organization @@ -81,7 +81,7 @@ For example, if you are a tenant administrator and you allowed a access to a mem should edit 100 accounts before 08.03.2023, this member can manage these activities up to a certain period and the administrator does not need to suspend the rights manually. -![Add Users pane](../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/addusers.webp) +![Add Users pane](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/addusers.webp) **Step 4 –** Select one or more organization groups from the **Select organization group(s) for the user** drop-down menu. To specify multiple groups, select them one by one from the drop-down menu. 
@@ -104,7 +104,7 @@ shall be Verified. If the user has not registered within a system, the status will be Pending Verification. The administrator may select Resend Invite to re-notify this user. -![Users List](../../../../static/img/product_docs/1secure/admin/organizations/users_status.webp) +![Users List](/img/product_docs/1secure/admin/organizations/users_status.webp) When logging in, the users see the Home screen, on which they can do the following actions: @@ -132,11 +132,11 @@ The Business viewer role: Business viewer cannot add reports on their own. When creating the report, tick the option **Share with business users**. This way, all the business users can view the shared reports. See the -[ Custom Reports](../searchandreports/customreports.md) topic for additional information. +[ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. As you add the business viewer, the created reports shall be automatically displayed. -![Add Users pane](../../../../static/img/product_docs/1secure/admin/organizations/businessusers.webp) +![Add Users pane](/img/product_docs/1secure/admin/organizations/businessusers.webp) Follow the steps to add the Business Viewer role. @@ -155,7 +155,7 @@ option. **NOTE:** The Business viewer role provides access to the Home screen, which displays the logged in organization. -![Home page](../../../../static/img/product_docs/1secure/admin/organizations/homescreen_2.webp) +![Home page](/img/product_docs/1secure/admin/organizations/homescreen_2.webp) **NOTE:** When logging in, if the Business Viewer account is registered with multiple organizations, select the one you wish to access. 
@@ -176,10 +176,10 @@ The Co-Managing Administrator role: The Co-Managing Administrator role cannot add reports on their own. When creating the report, select the option **Share with business users**. This way, all the business users can view the shared -reports. See the [ Custom Reports](../searchandreports/customreports.md) topic for additional +reports. See the [ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. -![Add Users pane](../../../../static/img/product_docs/1secure/admin/organizations/comanagingadministrator.webp) +![Add Users pane](/img/product_docs/1secure/admin/organizations/comanagingadministrator.webp) Follow the steps to add the Co-managing Administrator role. diff --git a/docs/1secure/admin/organizations/addorganizations.md b/docs/1secure/admin/organizations/addorganizations.md index b7f6a583cf..453eacd7b6 100644 --- a/docs/1secure/admin/organizations/addorganizations.md +++ b/docs/1secure/admin/organizations/addorganizations.md @@ -14,7 +14,7 @@ Follow the steps to add an organization. **Step 1 –** On the Netwrix 1Secure Website, on the **Home** page, select the Add organization icon to add an organization. -![organization_adding](../../../../static/img/product_docs/1secure/admin/organizations/organization_adding.webp) +![organization_adding](/img/product_docs/1secure/admin/organizations/organization_adding.webp) **Step 2 –** On the Add Organization (Step 1 of 4) window, specify the following: @@ -32,7 +32,7 @@ to add an organization. Click **Next**. -![addorganizationsselectdatasource](../../../../static/img/product_docs/1secure/admin/organizations/addorganizationsselectdatasource.webp) +![addorganizationsselectdatasource](/img/product_docs/1secure/admin/organizations/addorganizationsselectdatasource.webp) **Step 3 –** On the Select Data Source (Step 2 of 4) window, add a preferred data source to your organization: 
@@ -43,36 +43,36 @@ organization: - Exchange Online - SharePoint Online -**NOTE:** See the [Sources and Connectors](sourcesandconnectors/index.md) topic for detailed +**NOTE:** See the [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for detailed information. -![addorganizationssites](../../../../static/img/product_docs/1secure/admin/organizations/addorganizationssites.webp) +![addorganizationssites](/img/product_docs/1secure/admin/organizations/addorganizationssites.webp) **Step 4 –** On the Configure source details (Step 3 of 4) window, add a site for your organization. Sites are used to signify physical groupings within the organization. Click **Next**. **NOTE:** This step is displayed only when adding Active Directory and Computer sources. -See the [Add Sites to an Organization](addsites.md) topic for additional information. +See the [Add Sites to an Organization](/docs/1secure/admin/organizations/addsites.md) topic for additional information. -![addorganizationsagent](../../../../static/img/product_docs/1secure/admin/organizations/addorganizationsagent.webp) +![addorganizationsagent](/img/product_docs/1secure/admin/organizations/addorganizationsagent.webp) **Step 5 –** On the Configure source details (Step 3 of 4) window, follow the instructions to -install the agent. Please go to the [Install Agent](../../install/installagent.md) topic of the +install the agent. Please go to the [Install Agent](/docs/1secure/install/installagent.md) topic of the online help. Click **Next**. **NOTE:** Install the agent only for on-prem sources - Active Directory and Computer. This step is displayed only when adding these sources. 
-![addorganizationssourcedetails](../../../../static/img/product_docs/1secure/admin/organizations/addorganizationssourcedetails.webp) +![addorganizationssourcedetails](/img/product_docs/1secure/admin/organizations/addorganizationssourcedetails.webp) **Step 6 –** On the Configure source details (Step 3 of 4) window, specify your source settings. See -the [Sources and Connectors](sourcesandconnectors/index.md) topic for additional information. +the [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information. -![addorganizationssourcesandconnectors](../../../../static/img/product_docs/1secure/admin/organizations/addorganizationssourcesandconnectors.webp) +![addorganizationssourcesandconnectors](/img/product_docs/1secure/admin/organizations/addorganizationssourcesandconnectors.webp) **Step 7 –** On the Choose new connector (Step 4 of 4) window, add the connectors for your sources -on. See the [Sources and Connectors](sourcesandconnectors/index.md) topic for additional +on. See the [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information. **Step 8 –** Click **Finish** or **Save & Add another source** to add a source for your diff --git a/docs/1secure/admin/organizations/addsites.md b/docs/1secure/admin/organizations/addsites.md index 7259102953..d8559be3ed 100644 --- a/docs/1secure/admin/organizations/addsites.md +++ b/docs/1secure/admin/organizations/addsites.md 
@@ -17,24 +17,24 @@ for the agent updates. | Icon | Description | | ------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | -| ![alerts_editicon](../../../../static/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the site details. | -| ![addicon](../../../../static/img/product_docs/1secure/admin/organizations/addicon.webp) | Add Icon. Click the Add Icon to add a site. | -| ![deletebutton](../../../../static/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin Icon to delete a site. | +| ![alerts_editicon](/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the site details. | +| ![addicon](/img/product_docs/1secure/admin/organizations/addicon.webp) | Add Icon. Click the Add Icon to add a site. | +| ![deletebutton](/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin Icon to delete a site. | ## Add a New Site Follow the steps to add a site to your organization. **Step 1 –** Add your organization or add a source to the created organization. See the -[Add Organizations](addorganizations.md) topic for additional information. +[Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. **NOTE:** You can add sites only for on-prem sources - Active Directory and Computer. These sources require an installation of the agent. 
See the -[Add a Source and Connectors for Active Directory](sourcesandconnectors/activedirectory.md) or -[Add a Source and Connectors for Computer](sourcesandconnectors/computer.md)topic for additional +[Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) or +[Add a Source and Connectors for Computer](/docs/1secure/admin/organizations/sourcesandconnectors/computer.md)topic for additional information. -![addsourcessite](../../../../static/img/product_docs/1secure/admin/organizations/addsourcessite.webp) +![addsourcessite](/img/product_docs/1secure/admin/organizations/addsourcessite.webp) **Step 2 –** On the Configure source details window (Step 2 of 3) window, add a new site. In the "New site name" field, specify the name for your site. This could be a geographical location like @@ -44,8 +44,8 @@ information. multiple sites and each site can be associated with multiple sources. **Step 3 –** Finish adding a source for your organization. See the -[Add a Source and Connectors for Active Directory](sourcesandconnectors/activedirectory.md) or -[Add a Source and Connectors for Computer](sourcesandconnectors/computer.md) topic for additional +[Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) or +[Add a Source and Connectors for Computer](/docs/1secure/admin/organizations/sourcesandconnectors/computer.md) topic for additional information. The site is now added. 
@@ -57,11 +57,11 @@ You can now add the created sites to your source. **Step 2 –** Select your site from the drop-down list or click the **Add** icon, if your want to add a new site. Click **Next**. -![sitesdropdown](../../../../static/img/product_docs/1secure/admin/organizations/sitesdropdown.webp) +![sitesdropdown](/img/product_docs/1secure/admin/organizations/sitesdropdown.webp) **Step 3 –** Finish adding the source. Screens will vary depending on the source added. See the -[Add a Source and Connectors for Active Directory](sourcesandconnectors/activedirectory.md) or -[Add a Source and Connectors for Computer](sourcesandconnectors/computer.md)topic for additional +[Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) or +[Add a Source and Connectors for Computer](/docs/1secure/admin/organizations/sourcesandconnectors/computer.md)topic for additional information. ## View Sites and Agent Status @@ -72,11 +72,11 @@ Follow the steps to view the site for the organization. **Step 1 –** Navigate to Managed Organizations > "your organization" > Sites. -![updateagents2](../../../../static/img/product_docs/1secure/admin/updateagents2.webp) +![updateagents2](/img/product_docs/1secure/admin/updateagents2.webp) **Step 2 –** View the following details: -- Agent status – Agent status in color. See the [Statuses](../../index.md#system-statuses) topic for additional +- Agent status – Agent status in color. See the [Statuses](/docs/1secure/index.md#system-statuses) topic for additional information - Server name – Server from which the data is collected - Last Connected – Last connection time with your agent in UTC diff --git a/docs/1secure/admin/organizations/billableaccounts.md b/docs/1secure/admin/organizations/billableaccounts.md index badf28666d..922d36c9af 100644 --- a/docs/1secure/admin/organizations/billableaccounts.md +++ b/docs/1secure/admin/organizations/billableaccounts.md 
@@ -21,14 +21,14 @@ You can review the Active Directory/Microsoft Entra ID users on the following da - Managing Organization -![tabs](../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/tabs.webp) +![tabs](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/tabs.webp) - Managed Organization -![billableaccountsmanagedorg](../../../../static/img/product_docs/1secure/admin/organizations/billableaccountsmanagedorg.webp) +![billableaccountsmanagedorg](/img/product_docs/1secure/admin/organizations/billableaccountsmanagedorg.webp) You can also review the Billable Users reports with the detailed information for each account. See -the [Billable Users Report](../searchandreports/billableusers.md) topic for additional information. +the [Billable Users Report](/docs/1secure/admin/searchandreports/billableusers.md) topic for additional information. ## Calculation of the Numbers @@ -77,6 +77,6 @@ Directory accounts by default: You can also exclude service accounts from your billable accounts. To do this, add these accounts to an Azure Group or Active Directory Organizational Unit respectively and specify it in the source settings. See the -[Add a Source and Connectors for Microsoft Entra ID](sourcesandconnectors/entraid.md) or -[Add a Source and Connectors for Active Directory](sourcesandconnectors/activedirectory.md) topics +[Add a Source and Connectors for Microsoft Entra ID](/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md) or +[Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) topics for additional information. diff --git a/docs/1secure/admin/organizations/index.md b/docs/1secure/admin/organizations/index.md index 80498eb6f4..c9880336d5 100644 --- a/docs/1secure/admin/organizations/index.md +++ b/docs/1secure/admin/organizations/index.md 
@@ -18,7 +18,7 @@ data source, and other configurations for the Managed Service Provider. After authorizing in a system, Managed Service Providers (MSP) need to configure their organization. The Organization is the name of the company you use to log in. See the -[First Login to 1Secure](../login.md) topic for additional information. +[First Login to 1Secure](/docs/1secure/admin/login.md) topic for additional information. In system, there are parent tenants and child tenants. _Parent tenant_ or Managing Organization is the MSP you are authorizing with. The MSP or parent tenant may have lots of clients or _child @@ -28,15 +28,15 @@ Below you can see home pages of: - Managing Organization -![managedorganizations](../../../../static/img/product_docs/1secure/admin/organizations/managedorganizations.webp) +![managedorganizations](/img/product_docs/1secure/admin/organizations/managedorganizations.webp) - Managed Organization -![homepagemanaged](../../../../static/img/product_docs/1secure/admin/organizations/homepagemanaged.webp) +![homepagemanaged](/img/product_docs/1secure/admin/organizations/homepagemanaged.webp) See the following topics for additional information: -- [Add Organizations](addorganizations.md) -- [Add Users](addingusers.md) -- [Sources and Connectors](sourcesandconnectors/index.md) -- [ Manage Credentials ](managingcredentials.md) +- [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) +- [Add Users](/docs/1secure/admin/organizations/addingusers.md) +- [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) +- [ Manage Credentials ](/docs/1secure/admin/organizations/managingcredentials.md) diff --git a/docs/1secure/admin/organizations/managemyorganization.md b/docs/1secure/admin/organizations/managemyorganization.md index 2f21c9227a..fbb6f865dd 100644 --- a/docs/1secure/admin/organizations/managemyorganization.md +++ b/docs/1secure/admin/organizations/managemyorganization.md 
@@ -12,7 +12,7 @@ description: "Learn how to review and edit your organization profile settings an After you added your organization, you can review or edit your profile on Configuration > My Organization page. -![myorganization](../../../../static/img/product_docs/1secure/admin/organizations/myorganization.webp) +![myorganization](/img/product_docs/1secure/admin/organizations/myorganization.webp) - Optionally, specify Edit settings or Request Deletion for your Organization. diff --git a/docs/1secure/admin/organizations/managingcredentials.md b/docs/1secure/admin/organizations/managingcredentials.md index 4b3348f40a..4f551e68b3 100644 --- a/docs/1secure/admin/organizations/managingcredentials.md +++ b/docs/1secure/admin/organizations/managingcredentials.md @@ -19,8 +19,8 @@ the **Edit** or **Delete** icon. | Icon | Description | | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![alert_icon](../../../../static/img/product_docs/1secure/admin/organizations/alert_icon.webp) | Alert Icon. Click the Alert Icon to notify that the credentials have expired or been lost after reinstallation of the Netwrix Cloud Agent and must be entered again before they can be used. | +| ![alert_icon](/img/product_docs/1secure/admin/organizations/alert_icon.webp) | Alert Icon. Click the Alert Icon to notify that the credentials have expired or been lost after reinstallation of the Netwrix Cloud Agent and must be entered again before they can be used. | **NOTE:** You can delete a credential if no sources are using those credentials. -![credentials](../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![credentials](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) 
diff --git a/docs/1secure/admin/organizations/organizationgroups.md b/docs/1secure/admin/organizations/organizationgroups.md index 07b65b67c2..30ad202d75 100644 --- a/docs/1secure/admin/organizations/organizationgroups.md +++ b/docs/1secure/admin/organizations/organizationgroups.md @@ -21,11 +21,11 @@ Follow the steps to add an organization group. **Step 1 –** Navigate to the **Configuration** > **Organization groups** page. -![organizationggroups](../../../../static/img/product_docs/1secure/admin/organizations/organizationggroups.webp) +![organizationggroups](/img/product_docs/1secure/admin/organizations/organizationggroups.webp) **Step 2 –** Click **Create group**. The New Group pane is displayed. -![createorganizationgroup](../../../../static/img/product_docs/1secure/admin/organizations/createorganizationgroup.webp) +![createorganizationgroup](/img/product_docs/1secure/admin/organizations/createorganizationgroup.webp) **Step 3 –** Specify the following: @@ -56,7 +56,7 @@ Follow the steps to modify an organization group. **Step 1 –** Navigate to the **Configuration** > **Organization groups** page. -![modifyorganizationgroup](../../../../static/img/product_docs/1secure/admin/organizations/modifyorganizationgroup.webp) +![modifyorganizationgroup](/img/product_docs/1secure/admin/organizations/modifyorganizationgroup.webp) **Step 2 –** Click the Edit icon for the organization group you want to modify. The Editing Group `` pane is displayed. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md b/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md index e7261bd713..1e6394a8f6 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md 
@@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **Active Directory** and click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails%28step2-3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails(step2-3).webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, use the Site drop-down menu to select an existing site or add a new one. To add a new site, select the **Add new site** option from 
@@ -32,19 +32,19 @@ the drop-down menu or click the **Add** icon. - When you choose to add a new site, you have to provide a name for it in the New site name field. Then click **Next** to proceed with configuring the agent for the site. See the - [Install Agent](../../../install/installagent.md) topic for details on configuring the agent, + [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - When you select an existing site from the drop-down menu, one of the following happens: - If the agent has not been configured for the site, the system will proceed with the agent - configuration when you click _Next_. See the [Install Agent](../../../install/installagent.md) + configuration when you click _Next_. See the [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - If the agent has already been configured for the site, the system will proceed with the Active Directory source and connector settings when you click _Next_. **Step 6 –** Click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/ad_configsourcedetails%28step2of3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/ad_configsourcedetails(step2of3).webp) **Step 7 –** Specify the following settings: 
@@ -70,29 +70,29 @@ the drop-down menu or click the **Add** icon. **Step 8 –**  Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/ad_choosenewconnector.webp) +![Choose New Connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/ad_choosenewconnector.webp) **Step 9 –** The Choose new connector (Step 3 of 3) pane lists three connectors for Active Directory. Specufy the following: - Active Directory Activity – Toggle the **Active Directory Activity** switch to ON to collect and monitor data for this connector. With this, you can generate activity reports on Active Directory - data. See the [Active Directory](../../searchandreports/activity.md#active-directory) topic for + data. See the [Active Directory](/docs/1secure/admin/searchandreports/activity.md#active-directory) topic for additional information. - Activity Directory Logons – Toggle the **Active Directory Logons** switch to ON to collect and monitor data for this connector. With this, you can generate logon reports on Active Directory - data. See the [Active Directory](../../searchandreports/activity.md#active-directory) topic for + data. See the [Active Directory](/docs/1secure/admin/searchandreports/activity.md#active-directory) topic for additional information. - Activity Directory State – Toggle the **Active Directory State** switch to ON to collect and monitor data for this connector. With this, you can generate state-in-time reports on Active - Directory data. See the [State In Time Risks Reports](../../searchandreports/stateintime.md) topic + Directory data. See the [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. 
**Step 10 –** Optionally, select the following for each connector: - Enable traffic network compression – Select this checkbox to enable traffic network compression for the connector. See the - [Network Traffic Compression](../../../configuration/networktrafficcompression.md) topic for + [Network Traffic Compression](/docs/1secure/configuration/networktrafficcompression.md) topic for additional information. **CAUTION:** If Netwrix Auditor and Netwrix 1Secure audit the same domain, make sure that the @@ -102,7 +102,7 @@ Directory. Specufy the following: - Adjust audit settings automatically – Select this checkbox to adjust the audit settings automatically. With this approach, 1Secure will check your current audit settings at each data collection session and adjust them if necessary. See the - [Active Directory: automatic configuration](../../../configuration/activedirectory/auto.md) topic for + [Active Directory: automatic configuration](/docs/1secure/configuration/activedirectory/auto.md) topic for additional information. **Step 11 –** Click **Finish**. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/computer.md b/docs/1secure/admin/organizations/sourcesandconnectors/computer.md index e09e7f9897..022bb1dd77 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/computer.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/computer.md 
@@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **Computer** and click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails%28step2-3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails(step2-3).webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, use the Site drop-down menu to select an existing site or add a new one. To add a new site, select the **Add new site** option from 
@@ -32,19 +32,19 @@ the drop-down menu or click the **Add** icon. - When you choose to add a new site, you have to provide a name for it in the New site name field. Then click **Next** to proceed with configuring the agent for the site. See the - [Install Agent](../../../install/installagent.md) topic for details on configuring the agent, + [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - When you select an existing site from the drop-down menu, one of the following happens: - If the agent has not been configured for the site, the system will proceed with the agent - configuration when you click _Next_. See the [Install Agent](../../../install/installagent.md) + configuration when you click _Next_. See the [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - If the agent has already been configured for the site, the system will proceed with the Computer source and connector settings when you click _Next_. **Step 6 –** Click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configsourcedetails%28step2of3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configsourcedetails(step2of3).webp) **Step 7 –** Select the **Manual** or **AD Container** option button. 
@@ -86,17 +86,17 @@ the drop-down menu or click the **Add** icon. **Step 8 –**  Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/computer_chooseconnector.webp) +![Choose New Connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/computer_chooseconnector.webp) **Step 9 –** The Choose new connector pane (Step 3 of 3) lists one connector for computer. Specify the following: - File Server Activity – Toggle the **File Server Activity** switch to ON to collect and monitor data for this connector. With this, you can generate activity reports on File Server data. See the - [File Server](../../searchandreports/activity.md#file-server) topic for additional information. + [File Server](/docs/1secure/admin/searchandreports/activity.md#file-server) topic for additional information. - Enable traffic network compression – Select this checkbox to enable traffic network compression for the connector. See the - [Network Traffic Compression](../../../configuration/networktrafficcompression.md) topic for + [Network Traffic Compression](/docs/1secure/configuration/networktrafficcompression.md) topic for additional information. **CAUTION:** If Netwrix Auditor and Netwrix 1Secure audit the same domain, make sure that the @@ -106,7 +106,7 @@ the following: - Adjust audit settings automatically – Select this checkbox to adjust the audit settings automatically. With this approach, 1Secure will check your current audit settings at each data collection session and adjust them if necessary. See the - [Active Directory: automatic configuration](../../../configuration/activedirectory/auto.md) topic for + [Active Directory: automatic configuration](/docs/1secure/configuration/activedirectory/auto.md) topic for additional information. - Monitor User Hidden Shares – Select this checkbox to monitor the user hidden shares on the computer. 
@@ -116,7 +116,7 @@ the following: - Advanced Activity Selection – Select this checkbox to choose the successful and failed actions to audit on the computer. -![Advanced Activity Selection options](../../../../../static/img/product_docs/1secure/configuration/computer/objectlevelaccessaudit.webp) +![Advanced Activity Selection options](/img/product_docs/1secure/configuration/computer/objectlevelaccessaudit.webp) **Step 10 –** Click **Finish**. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md b/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md index de854f46a3..59db520b32 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md @@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **Entra ID** and click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/entra_configsourcedetails%28step2of3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/entra_configsourcedetails(step2of3).webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, specify the following settings: 
@@ -32,7 +32,7 @@ pane is displayed. sources, such as computers, allows them to share a common configuration and makes it easier to manage related sources together. - Tenant ID – The tenant ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Crawl Source – Toggle this option to ON to enable data collection for the source - Service Account Entra ID Groups – Specify Microsoft Entra ID groups to exclude their service 
@@ -45,33 +45,33 @@ pane is displayed. new Credentials** from the drop-down menu or click the **Add** icon, then specify the following: - Client ID – The client ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Client Secret – The client secret of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Download Certificate – For certain connectors, such as SharePoint Online State, authentication requires a certificate instead of a client secret. Download this certificate and then upload it to the app registered in Microsoft Entra ID. See the - [Upload a Certificate](../../../configuration/entraid/registerconfig.md#upload-a-certificate) topic + [Upload a Certificate](/docs/1secure/configuration/entraid/registerconfig.md#upload-a-certificate) topic for additional information. - Display Name – Specify a name you want to show for your credentials. It will be displayed on the Credentials tab of the Managed Organizations page. **Step 6 –** Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/entra_connector%28step3of3%29.webp) +![Choose New Connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/entra_connector(step3of3).webp) **Step 7 –** The Choose new connector (Step 3 of 3) pane lists three connectors for Microsoft Entra ID. 
Specify the following: - Entra ID Activity – Toggle the **Entra ID Activity** switch to ON to collect and monitor data for this connector. With this, you can generate activity reports on Microsoft Entra ID data. See the - [Microsoft Entra ID](../../searchandreports/activity.md#microsoft-entra-id) topic for additional + [Microsoft Entra ID](/docs/1secure/admin/searchandreports/activity.md#microsoft-entra-id) topic for additional information. - Entra ID Logons – Toggle the **Entra ID Logons** switch to ON to collect and monitor data for this connector. With this, you can generate logon reports on Microsoft Entra ID data. See the - [Microsoft Entra ID](../../searchandreports/activity.md#microsoft-entra-id) topic for additional + [Microsoft Entra ID](/docs/1secure/admin/searchandreports/activity.md#microsoft-entra-id) topic for additional information. - Collect Failed Logons – Select this checkbox to collect the failed logon data for Microsoft @@ -81,7 +81,7 @@ ID. Specify the following: - Entra ID State – Toggle the **Entra ID State** switch to ON to collect and monitor data for this connector. With this, you can generate state-in-time reports on Microsoft Entra ID data. See the - [State In Time Risks Reports](../../searchandreports/stateintime.md) topic for additional + [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. **Step 8 –** Click **Finish**. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline.md b/docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline.md index d13aac1546..cdc33f1e88 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline.md 
@@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **Exchange Online** and click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline_configsourcedetails.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline_configsourcedetails.webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, specify the following settings: @@ -32,7 +32,7 @@ pane is displayed. sources, such as computers, allows them to share a common configuration and makes it easier to manage related sources together. - Tenant ID – The tenant ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Crawl Source – Toggle this option to ON to enable data collection for the source - Credentials – Displays the crdentials that have already been added, while also providing the 
@@ -41,39 +41,39 @@ pane is displayed. new Credentials** from the drop-down menu or click the **Add** icon, then specify the following: - Client ID – The client ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Client Secret – The client secret of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Download Certificate – For certain connectors, such as SharePoint Online State, authentication requires a certificate instead of a client secret. Download this certificate and then upload it to the app registered in Microsoft Entra ID. See the - [Upload a Certificate](../../../configuration/entraid/registerconfig.md#upload-a-certificate) topic + [Upload a Certificate](/docs/1secure/configuration/entraid/registerconfig.md#upload-a-certificate) topic for additional information. - Display Name – Specify a name you want to show for your credentials. It will be displayed on the Credentials tab of the Managed Organizations page. **Step 6 –** Click **Next**. -![Choose new connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange3.webp) +![Choose new connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange3.webp) **Step 7 –** The Choose new connector pane (Step 3 of 3) lists one connector for Exchange Online. 
Specify the following: - Exchange Online Activity – Toggle the **Exchange Online Activity** switch to ON to collect and monitor data for this connector. With this, you can generate activity reports on Exchange Online - data. See the [Exchange Online](../../searchandreports/activity.md#exchange-online) topic for + data. See the [Exchange Online](/docs/1secure/admin/searchandreports/activity.md#exchange-online) topic for additional information. - Collect non-owner mailbox audit data – Select this checkbox to collect data for the All Exchange Online Non-Owner Mailbox Access Events report. See the - [Exchange Online](../../searchandreports/activity.md#exchange-online) topic for additional + [Exchange Online](/docs/1secure/admin/searchandreports/activity.md#exchange-online) topic for additional information. **NOTE:** To collect the data for this report, you need to set up non-owner mailbox access auditing. See the - [Settings for Non-Owner Mailbox Access Audit: Using Application](../../../configuration/exchangeonlinenonowner.md) + [Settings for Non-Owner Mailbox Access Audit: Using Application](/docs/1secure/configuration/exchangeonlinenonowner.md) topic for additional information. **Step 8 –** Click **Finish**. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/index.md b/docs/1secure/admin/organizations/sourcesandconnectors/index.md index ef08086690..4898245551 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/index.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/index.md @@ -25,5 +25,5 @@ Using connectors, Netwrix 1Secure can: - Connect to your sources for analyzing and processing the data **NOTE:** Before adding a data source, make sure its prerequisites are met. See the -[Requirements](../../../requirements.md#prerequisites-for-data-sources) topic for +[Requirements](/docs/1secure/requirements.md#prerequisites-for-data-sources) topic for additional information. 
diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md b/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md index ce342f1e55..28d6a2b1f9 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md @@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **SharePoint Online** and click Next. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetailssharepoint.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetailssharepoint.webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, specify the following settings: 
@@ -32,7 +32,7 @@ pane is displayed. sources, such as computers, allows them to share a common configuration and makes it easier to manage related sources together. - Tenant ID – The tenant ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Crawl Source – Toggle this option to ON to enable data collection for the source - Credentials – Displays the crdentials that have already been added, while also providing the 
@@ -41,29 +41,29 @@ pane is displayed. new Credentials** from the drop-down menu or click the **Add** icon, then specify the following: - Client ID – The client ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Client Secret – The client secret of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../../../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Download Certificate – For certain connectors, such as SharePoint Online State, authentication requires a certificate instead of a client secret. Download this certificate and then upload it to the app registered in Microsoft Entra ID. See the - [Upload a Certificate](../../../configuration/entraid/registerconfig.md#upload-a-certificate) topic + [Upload a Certificate](/docs/1secure/configuration/entraid/registerconfig.md#upload-a-certificate) topic for additional information. - Display Name – Specify a name you want to show for your credentials. It will be displayed on the Credentials tab of the Managed Organizations page. **Step 6 –** Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsourcesharepointonlineconnector.webp) +![Choose New Connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsourcesharepointonlineconnector.webp) **Step 7 –** The Choose new connector (Step 3 of 3) pane lists three connectors for SharePoint Online. 
Specify the following: - SharePoint Online Activity – Toggle the **SharePoint Online Activity** switch to ON to collect and monitor data for this connector. With this, you can generate activity reports on SharePoint Online - data. See the [SharePoint Online](../../searchandreports/activity.md#sharepoint-online) topic for + data. See the [SharePoint Online](/docs/1secure/admin/searchandreports/activity.md#sharepoint-online) topic for additional information. - Audit SharePoint Online read access – Select this checkbox to audit the files with read access @@ -71,7 +71,7 @@ Online. Specify the following: - SharePoint Online State – Toggle the **SharePoint Online State** switch to ON to collect and monitor data for this connector. With this, you can generate state-in-time reports on SharePoint - Online data. See the [State In Time Risks Reports](../../searchandreports/stateintime.md) topic + Online data. See the [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. - Collect state-in-time data for personal OneDrives – Select this checkbox to collect diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/sqlserver.md b/docs/1secure/admin/organizations/sourcesandconnectors/sqlserver.md index 1544fc4c9f..0d22ab392c 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/sqlserver.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/sqlserver.md 
@@ -20,11 +20,11 @@ page for the organization is displayed with the Sources tab selected by default. **Step 3 –** On the Sources tab, click **Add** to add a source. The Select Data Source (Step 1 of 3) pane is displayed. -![Select Data Source %28Step 1 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) +![Select Data Source %28Step 1 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/addsources_exchange.webp) **Step 4 –** Select **SQL Server** and click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails%28step2-3%29.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails(step2-3).webp) **Step 5 –** On the Configure source details (Step 2 of 3) pane, use the Site drop-down menu to select an existing site or add a new one. To add a new site, select the **Add new site** option from 
@@ -32,19 +32,19 @@ the drop-down menu or click the **Add** icon. - When you choose to add a new site, you have to provide a name for it in the New site name field. Then click **Next** to proceed with configuring the agent for the site. See the - [Install Agent](../../../install/installagent.md) topic for details on configuring the agent, + [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - When you select an existing site from the drop-down menu, one of the following happens: - If the agent has not been configured for the site, the system will proceed with the agent - configuration when you click _Next_. See the [Install Agent](../../../install/installagent.md) + configuration when you click _Next_. See the [Install Agent](/docs/1secure/install/installagent.md) topic for details on configuring the agent, starting at Step 6. - If the agent has already been configured for the site, the system will proceed with the SQL Server source and connector settings when you click _Next_. **Step 6 –** Click **Next**. -![Configure Source Details %28Step 2 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails%28step2-3%29a.webp) +![Configure Source Details %28Step 2 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/configuresourcedetails(step2-3)a.webp) **Step 7 –** Specify the following settings: 
@@ -66,12 +66,12 @@ the drop-down menu or click the **Add** icon. **Step 8 –** Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](../../../../../static/img/product_docs/1secure/admin/organizations/sourcesandconnectors/choosenewconnector%28step3of3%29.webp) +![Choose New Connector %28Step 3 of 3%29 pane](/img/product_docs/1secure/admin/organizations/sourcesandconnectors/choosenewconnector(step3of3).webp) **Step 9 –** The Choose new connector (Step 3 of 3) pane lists one connector for SQL Server. Toggle the **SQL Logons** switch to ON to collect and monitor data for this connector. With this, you can generate logon reports on SQL Server data. See the -[SQL Database](../../searchandreports/activity.md#sql-database) topic for additional information. +[SQL Database](/docs/1secure/admin/searchandreports/activity.md#sql-database) topic for additional information. **Step 10 –** Choose one option from the following: diff --git a/docs/1secure/admin/organizations/viewtabsanddashboard.md b/docs/1secure/admin/organizations/viewtabsanddashboard.md index a9daaf6785..fe5cdbdef9 100644 --- a/docs/1secure/admin/organizations/viewtabsanddashboard.md +++ b/docs/1secure/admin/organizations/viewtabsanddashboard.md 
@@ -16,19 +16,19 @@ organizations** page. The Managed organizations page has the following tabs: -![tabsview](../../../../static/img/product_docs/1secure/admin/organizations/tabsview.webp) +![tabsview](/img/product_docs/1secure/admin/organizations/tabsview.webp) - Sources – Add, edit, or delete sources for your organization, review its statuses, and so on. See - the [Sources and Connectors](sourcesandconnectors/index.md) topic for additional information. + the [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information. - Sites – View the sites and status of your Netwrix Cloud Agent. See the - [Add Sites to an Organization](addsites.md) and - [Update Netwrix Cloud Agent](../../index.md#updating-netwrix-cloud-agent) topic for additional information. + [Add Sites to an Organization](/docs/1secure/admin/organizations/addsites.md) and + [Update Netwrix Cloud Agent](/docs/1secure/index.md#updating-netwrix-cloud-agent) topic for additional information. - Credentials – Review and edit the credentials of your organization. See - the[ Manage Credentials ](managingcredentials.md)topic for additional information. + the[ Manage Credentials ](/docs/1secure/admin/organizations/managingcredentials.md)topic for additional information. - Users – Review or add Business Viewers or Co-managing Administrators to the audited organization. - See the [Add Users](addingusers.md) topic for additional information. + See the [Add Users](/docs/1secure/admin/organizations/addingusers.md) topic for additional information. - Subscriptions– Review or edit the subscriptions of your organization. See the - [Subscriptions](../searchandreports/subscriptions.md) topic for additional information. + [Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) topic for additional information. In addition to the tabs, the right upper corner of the page has the following options: 
@@ -41,7 +41,7 @@ Once you select **View dashboard** on your organization's tab, you can view the dashboards with the data applicable to your organization. These includes the following dashboards: - New investigation – Search incidents, create reports, and browse your data -- [Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) – Go to Risk Assessment +- [Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) – Go to Risk Assessment Dashboard to review risks of your organization - Saved Custom Reports – Look through the list of the created custom reports - Alerts Timeline – Review the activity of the alerts on the time schedule diff --git a/docs/1secure/admin/riskprofiles/index.md b/docs/1secure/admin/riskprofiles/index.md index cf387593fb..f15aaf8e3e 100644 --- a/docs/1secure/admin/riskprofiles/index.md +++ b/docs/1secure/admin/riskprofiles/index.md @@ -14,7 +14,7 @@ consists of a set of risk metrics, each with preconfigured risk thresholds that medium, and high risk levels for the metric. You cannot add new metrics but you can change the risk thresholds for each metric. A risk metric is a measurable security parameter that helps analyze potential vulnerabilities in an environment, such as disabled computer accounts, stale direct user -permission, inactive user accounts, etc. See the [ Manage Risk Metrics](riskmetrics.md) topic for +permission, inactive user accounts, etc. See the [ Manage Risk Metrics](/docs/1secure/admin/riskprofiles/riskmetrics.md) topic for additional information. You can assign a risk profile to one or more organizations. This profile examines the nature and 
@@ -23,10 +23,10 @@ can do the following: - Generate state-in-time risk reports to get detailed information on specific security aspects of your environment. A separate state-in-time report is generated for each risk metric in the - profile. See the [State In Time Risks Reports](../searchandreports/stateintime.md) topic for + profile. See the [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. - Analyze risks for your managed organizations on the Risk Assessment Dashboard page. See the - [Risk Assessment Dashboard](riskassessmentdashboard.md) topic for additional information. + [Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic for additional information. **NOTE:** An organization can have only one risk profile assigned to it at a time. @@ -39,12 +39,12 @@ that lists the managed organizations defined in 1Secure. **Step 2 –** In the left pane, click **Risk profiles**.The Risk profiles page is displayed. -![Risk profiles list](../../../../static/img/product_docs/1secure/admin/riskprofiles/riskprofiles.webp) +![Risk profiles list](/img/product_docs/1secure/admin/riskprofiles/riskprofiles.webp) Risk profiles are displayed in the list with the following information: - Risk profile – The name of the risk profile. Click a profile name to view risk metrics for that - profile. See the [ Manage Risk Metrics](riskmetrics.md) topic for additional information. + profile. See the [ Manage Risk Metrics](/docs/1secure/admin/riskprofiles/riskmetrics.md) topic for additional information. - Used in organizations – The number of organizations the risk profile is applied to. Click a value to navigate to the Profile usage - `` pane that displays the organizations this risk profile is applied to. 
@@ -56,7 +56,7 @@ in descending order. **NOTE:** The risk profile named Default Profile is available by default and is automatically applied to all managed organizations. You can assign a different risk profile to an organization if needed. You can do this when creating a new organization or editing an organization. See the -[Add Organizations](../organizations/addorganizations.md) topic for additional information. +[Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. ## Add a Risk Profile @@ -69,18 +69,18 @@ that lists the managed organizations defined in 1Secure. **Step 3 –** Click **Add profile**. The New risk profile pane is displayed. -![New risk profile pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/newriskprofilepane.webp) +![New risk profile pane](/img/product_docs/1secure/admin/riskprofiles/newriskprofilepane.webp) **Step 4 –** Enter a name for the risk profile in the Name field and click **Save**. The risk profile is added to the list on the Risk profiles page. You can: - Assign this profile to an organization. You can do this when creating a new organization or - editing an organization. See the [Add Organizations](../organizations/addorganizations.md) topic + editing an organization. See the [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. Navigate to the configuration page of an organization to see the name of the risk profile assigned to it. - Configure risk thresholds for the metrics in the risk profile. See - the[ Manage Risk Metrics](riskmetrics.md) topic for additional information. + the[ Manage Risk Metrics](/docs/1secure/admin/riskprofiles/riskmetrics.md) topic for additional information. ## Modify the Name of a Risk Profile diff --git a/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md b/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md index 053d3a7340..dea7b2f1b5 100644 
--- a/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md +++ b/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md @@ -28,7 +28,7 @@ On the Risk Assessment dashboard, you can check: _Remember,_ each organization has a risk profile associated with it and the risk analysis of an organization is based on the metrics included in the risk profile. See the -[Manage Risk Profiles](index.md) topic for additional information. +[Manage Risk Profiles](/docs/1secure/admin/riskprofiles/index.md) topic for additional information. ## View the Risk Assessment Dashboard @@ -43,7 +43,7 @@ of the following: page, then click the Risk Assessment card. It opens the Risk Assessment dashboard that displays risk-related data for the organization. -![Risk Assessment Dashboard](../../../../static/img/product_docs/1secure/admin/riskprofiles/riskassessmentdashboard.webp) +![Risk Assessment Dashboard](/img/product_docs/1secure/admin/riskprofiles/riskassessmentdashboard.webp) ## Filter Data @@ -148,7 +148,7 @@ The Risk Assessment dashboard provides a list of risks detected for an organizat applied filters. _Remember,_ each risk is basically a metric included in the risk profile associated with the -organization. See the [Risk Metrics List](metrics_list.md) topic for details on each of the risk +organization. See the [Risk Metrics List](/docs/1secure/admin/riskprofiles/metrics_list.md) topic for details on each of the risk metrics. Risks are categorized into two types: @@ -162,7 +162,7 @@ Risks are categorized into two types: In the Risks list, the information displayed for each risk varies depending on its type – enumerated or Boolean. -![Risks List](../../../../static/img/product_docs/1secure/admin/riskprofiles/dashboard_riskslist.webp) +![Risks List](/img/product_docs/1secure/admin/riskprofiles/dashboard_riskslist.webp) Enumerated Risks 
@@ -200,7 +200,7 @@ left pane. Enumerated Risk Details -![Enumerated Risk Details pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/dashboard_riskdetails.webp) +![Enumerated Risk Details pane](/img/product_docs/1secure/admin/riskprofiles/dashboard_riskdetails.webp) The left pane displays the following details for an enumerated risk: @@ -231,17 +231,17 @@ The left pane displays the following details for an enumerated risk: - NIST Regulations – Displays the NIST regulation names associated with the risk metric - Open Report – Click this button to navigate to the State In Time Risk Reports page, where you can view a detailed report for that risk metric. See the - [State In Time Risks Reports](../searchandreports/stateintime.md) topic for additional + [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. - Remediate – On clicking this button, the Remediate `` pane is displayed, which provides AI-generated step-by-step guidance to help you remediate the risk. - Edit risk settings – Click this link to navigate to the Risk Profiles page where you can manage - the risk profiles. See the [Manage Risk Profiles](index.md) topic for additional + the risk profiles. See the [Manage Risk Profiles](/docs/1secure/admin/riskprofiles/index.md) topic for additional information. Boolean Risk Details -![Boolean Risk Details pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/booleanriskdetails.webp) +![Boolean Risk Details pane](/img/product_docs/1secure/admin/riskprofiles/booleanriskdetails.webp) The left pane displays the following details for a Boolean risk: 
@@ -257,7 +257,7 @@ The left pane displays the following details for a Boolean risk: - Remediate – On clicking this button, the Remediate `` pane is displayed, which provides AI-generated step-by-step guidance to help you remediate the risk. - Edit risk settings – Click this link to navigate to the Risk Profiles page where you can manage - the risk profiles. See the [Manage Risk Profiles](index.md) topic for additional + the risk profiles. See the [Manage Risk Profiles](/docs/1secure/admin/riskprofiles/index.md) topic for additional information. ## Export a Risk Assessment Report for an Organization @@ -274,7 +274,7 @@ one if needed. **Step 2 –** Click **Export** in the upper right corner; the Exporting Risk Assessment pane is displayed. -![Exporting Risk Assessment pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/export_riskassessment.webp) +![Exporting Risk Assessment pane](/img/product_docs/1secure/admin/riskprofiles/export_riskassessment.webp) **Step 3 –** In the **File Name** field, specify the name of the file the intended recipient(s) will receive. The default name is: Risk Assessment Report for `` ``. For @@ -296,7 +296,7 @@ report. By default, this option is selected. You can subscribe to the Risk Assessment report of a managed organization. A subscription is a regularly-scheduled report, which you can send to specific email addresses automatically, or upload it to a designated folder in SharePoint Online. See the -[Subscriptions](../searchandreports/subscriptions.md) topic for additional information. +[Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) topic for additional information. Follow the steps to subscribe to a Risk Assessment report for an organization. 
@@ -306,6 +306,6 @@ one if needed. **Step 2 –** Click **Subscribe** in the upper right corner; the Subscription to `` Risk Assessment pane is displayed. See the -[Add a Subscription](../searchandreports/subscriptions.md#add-a-subscription) topic for additional +[Add a Subscription](/docs/1secure/admin/searchandreports/subscriptions.md#add-a-subscription) topic for additional information on adding a subscription, starting at Step 6. Remember to select the Include Low Risks check box if you want to include low risks in the report. diff --git a/docs/1secure/admin/riskprofiles/riskmetrics.md b/docs/1secure/admin/riskprofiles/riskmetrics.md index 47e77a7aab..043f8cf3ca 100644 --- a/docs/1secure/admin/riskprofiles/riskmetrics.md +++ b/docs/1secure/admin/riskprofiles/riskmetrics.md 
@@ -23,16 +23,16 @@ that lists the managed organizations defined in 1Secure. **Step 2 –** In the left pane, click **Risk profiles**.The Risk profiles page is displayed. **Step 3 –** Click a risk profile. The risk metrics for the profile are displayed in a list. See the -[Risk Metrics List](metrics_list.md) topic for a description of each risk metric. +[Risk Metrics List](/docs/1secure/admin/riskprofiles/metrics_list.md) topic for a description of each risk metric. -![Risks Metrics list](../../../../static/img/product_docs/1secure/admin/riskprofiles/riskslist.webp) +![Risks Metrics list](/img/product_docs/1secure/admin/riskprofiles/riskslist.webp) You can view the following for each risk metric: - Category – The name of the preconfigured category a risk metric belongs to, which can be Data, Identity, or Infrastructure. The State In Time Risk report generated for this metric can be found under this particular category on the Risk reports page, See the - [State In Time Risks Reports](../searchandreports/stateintime.md) topic for additional + [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) topic for additional information. - Metric – The name of the risk metric. A risk metric is a measurable security parameter that helps analyze potential vulnerabilities in an environment, such as disabled computer accounts, stale @@ -64,7 +64,7 @@ that lists the managed organizations defined in 1Secure. **Step 4 –** Click the **Edit** icon for a risk metric. The `` pane is displayed. -![Modify risk threshold pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/modifyriskthreshold.webp) +![Modify risk threshold pane](/img/product_docs/1secure/admin/riskprofiles/modifyriskthreshold.webp) **Step 5 –** Select a measurement type to calculate risk thresholds for the metric. Options are: 
@@ -126,7 +126,7 @@ that lists the managed organizations defined in 1Secure. **Step 4 –** Click the Edit icon for a Boolean risk metric. The `` pane is displayed. -![Modify Boolean metric pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/modifyriskseverity.webp) +![Modify Boolean metric pane](/img/product_docs/1secure/admin/riskprofiles/modifyriskseverity.webp) **Step 5 –** Select a severity level to apply when the risk is detected. @@ -181,7 +181,7 @@ that lists the managed organizations defined in 1Secure. **Step 4 –** Click **Add**. The Add new risk threshold pane is displayed. -![Add new risk threshold pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/addnumberthreshold.webp) +![Add new risk threshold pane](/img/product_docs/1secure/admin/riskprofiles/addnumberthreshold.webp) **Step 5 –** In the Risk Metric drop-down menu, select a number or percentage risk metric you want to add. @@ -213,7 +213,7 @@ that lists the managed organizations defined in 1Secure. **Step 4 –** Click **Add**. The Add new risk threshold pane is displayed. -![Add new risk threshold pane](../../../../static/img/product_docs/1secure/admin/riskprofiles/addbooleanriskmetric.webp) +![Add new risk threshold pane](/img/product_docs/1secure/admin/riskprofiles/addbooleanriskmetric.webp) **Step 5 –** In the Risk Metric drop-down menu, select a Boolean risk metric you want to add. diff --git a/docs/1secure/admin/searchandreports/activity.md b/docs/1secure/admin/searchandreports/activity.md index 9750b337c6..ba0b4a1ad4 100644 --- a/docs/1secure/admin/searchandreports/activity.md +++ b/docs/1secure/admin/searchandreports/activity.md 
@@ -152,10 +152,10 @@ Operator, and Value drop-down menus, then click **Search**. You can select more than one filter. For options displayed in the Operator drop-down menu, see the -[Filter Operators ](filteroperators.md)topic. +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic. Subscribe to Activity Reports You can subscribe to Activity reports to receive them automatically via email, or have them uploaded -to a specified folder in SharePoint Online. See the [Subscriptions](subscriptions.md) topic for +to a specified folder in SharePoint Online. See the [Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) topic for additional information. diff --git a/docs/1secure/admin/searchandreports/applyfilters.md b/docs/1secure/admin/searchandreports/applyfilters.md index 85c1bac93b..5efeef9169 100644 --- a/docs/1secure/admin/searchandreports/applyfilters.md +++ b/docs/1secure/admin/searchandreports/applyfilters.md 
@@ -20,34 +20,34 @@ reports with the predefined filters. To create a unique set of filters, you can: value. For example, if you want to search for any of three names, do not enter _Anna Mark Bill_ but instead create a separate filter entry for each name. -![Activity Reports pane](../../../../static/img/product_docs/1secure/admin/searchandreports/reportsmain.webp) +![Activity Reports pane](/img/product_docs/1secure/admin/searchandreports/reportsmain.webp) **NOTE:** All reports on the **Reports** > **Activity** tab are associated with the respective alerts. Click the **Alerts Timeline Dashboard** in the upper left corner of the page to view the -alerts for your organization. See the [Alerts](../alerts/index.md) topic for additional +alerts for your organization. See the [Alerts](/docs/1secure/admin/alerts/index.md) topic for additional information. | Icon | Description | | --------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | -| ![search_icon](../../../../static/img/product_docs/1secure/admin/searchandreports/search_icon.webp) | Info Icon. Click the Info Icon to view the activity records details. | +| ![search_icon](/img/product_docs/1secure/admin/searchandreports/search_icon.webp) | Info Icon. Click the Info Icon to view the activity records details. | Follow the steps to apply filters to your search. **Step 1 –** Select the **Reports**> **Activity** tab. -![Activity reports](../../../../static/img/product_docs/1secure/admin/searchandreports/search_filters.webp) +![Activity reports](/img/product_docs/1secure/admin/searchandreports/search_filters.webp) **NOTE:** You can also access the **Reports** > **Activity** page from your organization's page. On your Home screen, click **Configure** > **Reports** in the right upper corner of the page. 
-![Organization data sources list](../../../../static/img/product_docs/1secure/admin/searchandreports/reportsreportaccess.webp) +![Organization data sources list](/img/product_docs/1secure/admin/searchandreports/reportsreportaccess.webp) **Step 2 –** Select a filter from the Filter drop-down menu. See the [Filter Descriptions](#filter-descriptions) topic for additional information. **NOTE:** You must specify three columns: Filter, Operator, and Value. You may also select more than one filter. To review the Operator filter options, see the -[Filter Operators ](filteroperators.md)topic for additional information. To review the Filter +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic for additional information. To review the Filter values, see the Filter Values topic for additional information. **Step 3 –** If required, specify the property change filters. @@ -56,7 +56,7 @@ values, see the Filter Values topic for additional information. have the property changes, but only those with the property change on that record. For example, if the permission on the Active Directory has been added or resource ID in AzureAD has been removed. -![Filter property](../../../../static/img/product_docs/1secure/admin/searchandreports/reportspropertychanges.webp) +![Filter property](/img/product_docs/1secure/admin/searchandreports/reportspropertychanges.webp) **NOTE:** The drop-down list in the **Property** field shows all the properties retrieved in your records' list below the Search bar. It varies depending on the displayed records. You can filter the 
@@ -64,23 +64,23 @@ required Property, Action, Value operator, and Value within the list. The proper dynamic and are not related to a given report directly but the activity records. If the query changes, the shown property changes may also change. -![Filters list](../../../../static/img/product_docs/1secure/admin/searchandreports/search_search_function.webp) +![Filters list](/img/product_docs/1secure/admin/searchandreports/search_search_function.webp) **Step 4 –** Click Search to find and view your reports. The reports are displayed with the predefined filters. Your search results will display in the table. -![Filter results](../../../../static/img/product_docs/1secure/admin/searchandreports/search_searchresults.webp) +![Filter results](/img/product_docs/1secure/admin/searchandreports/search_searchresults.webp) **Step 5 –** Click the required activity record from the grid view the activity record details. You can see who, when, or where was the activity made. -![Activity record details](../../../../static/img/product_docs/1secure/admin/searchandreports/activityrecorddetails.webp) +![Activity record details](/img/product_docs/1secure/admin/searchandreports/activityrecorddetails.webp) **NOTE:** Navigate from one report to another by selecting **Prev** or **Next**. This will directly upload the details of the selected report. **NOTE:** You can also create your own reports with custom filters. See the -[ Custom Reports](customreports.md) topic for additional information. +[ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md) topic for additional information. ## Filter Descriptions diff --git a/docs/1secure/admin/searchandreports/auditlogs.md b/docs/1secure/admin/searchandreports/auditlogs.md index 3bba7dcad5..501a271ba6 100644 --- a/docs/1secure/admin/searchandreports/auditlogs.md +++ b/docs/1secure/admin/searchandreports/auditlogs.md 
@@ -27,7 +27,7 @@ right. by default. However, you can select a different organization from the drop-down menu at the top of the left pane to view its All Self Audit Activity report. -![All Self Audit Activity Report](../../../../static/img/product_docs/1secure/admin/searchandreports/selfaudit.webp) +![All Self Audit Activity Report](/img/product_docs/1secure/admin/searchandreports/selfaudit.webp) **Step 3 –** In this report, a default filter is applied with the following settings: diff --git a/docs/1secure/admin/searchandreports/billableusers.md b/docs/1secure/admin/searchandreports/billableusers.md index 04643ded92..70fe803418 100644 --- a/docs/1secure/admin/searchandreports/billableusers.md +++ b/docs/1secure/admin/searchandreports/billableusers.md 
@@ -11,11 +11,11 @@ description: "Learn how to generate reports on billable Active Directory and Mic A Billable Users report provides information on the billable accounts – the enabled Active Directory/Microsoft Entra ID (formerly Azure AD) accounts for your organization. See the -[Billable Accounts](../organizations/billableaccounts.md) topic for additional information. +[Billable Accounts](/docs/1secure/admin/organizations/billableaccounts.md) topic for additional information. | Icon | Description | | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![businessuserslock](../../../../static/img/product_docs/1secure/admin/searchandreports/businessuserslock.webp) | Lock Icon. It shows that the business users cannot view the report. See the [Add Users](../organizations/addingusers.md) topic for additional information on the business users. | +| ![businessuserslock](/img/product_docs/1secure/admin/searchandreports/businessuserslock.webp) | Lock Icon. It shows that the business users cannot view the report. See the [Add Users](/docs/1secure/admin/organizations/addingusers.md) topic for additional information on the business users. | ## Review a Report 
@@ -26,22 +26,22 @@ Users** page opens. By default, it populates the data with the Users of your org - Dashboard for Managing Organization -![billableusersreportmanagingorg](../../../../static/img/product_docs/1secure/admin/searchandreports/billableusersreportmanagingorg.webp) +![billableusersreportmanagingorg](/img/product_docs/1secure/admin/searchandreports/billableusersreportmanagingorg.webp) - Dashboard for Managed Organization -![billableaccountsmanagedorg](../../../../static/img/product_docs/1secure/admin/organizations/billableaccountsmanagedorg.webp) +![billableaccountsmanagedorg](/img/product_docs/1secure/admin/organizations/billableaccountsmanagedorg.webp) **NOTE:** You can also access the report by navigating to the **Reports** > **System** page. -![BU Report screen](../../../../static/img/product_docs/1secure/admin/searchandreports/billableusersreport.webp) +![BU Report screen](/img/product_docs/1secure/admin/searchandreports/billableusersreport.webp) **Step 2 –** If necessary, you can filter the provided data. Select a filter, operator, and value from the Filter, Operator, and Value drop-down menus respectively. **NOTE:** You must specify three columns: Filter, Operator, and Value. You may also select more than one filter. To review the Operator filter options, see the -[Filter Operators ](filteroperators.md)topic for additional information. +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic for additional information. **Step 3 –** Click **Search**. diff --git a/docs/1secure/admin/searchandreports/compliance.md b/docs/1secure/admin/searchandreports/compliance.md index bb62947e88..9c0646da85 100644 --- a/docs/1secure/admin/searchandreports/compliance.md +++ b/docs/1secure/admin/searchandreports/compliance.md 
@@ -28,7 +28,7 @@ its reports. An organization is selected by default, but you can choose a differ **Step 3 –** Click the **Compliance** tab to access the compliance reports. This opens the Compliance page with the Group Membership report selected by default in the left pane. -![Compliance Reports Page](../../../../static/img/product_docs/1secure/admin/searchandreports/reportscompliance.webp) +![Compliance Reports Page](/img/product_docs/1secure/admin/searchandreports/reportscompliance.webp) **Step 4 –** In the left pane, click a category to view its reports. Categories are: 
@@ -71,7 +71,7 @@ A list of the available Compliance reports(category-wise) is given below. | Direct User Permissions | Lists user accounts with direct permissions to specific objects. Use this report to see which users have permissions to what data. | | High Risk Permissions | Lists the permissions and permission levels of high-risk trustees, such as Everyone, Authenticated Users, and Everyone except external users. | | Permissions Overview by Resource | Provides a summary of assigned permissions in your organization, including the count of direct user permissions, stale permissions, broken permission inheritance, and high-risk permissions for each object. Click any permissions value to navigate to the specific permissions report for the selected resource. For example, clicking a High Risk Permissions value will take you to the High Risk Permissions report. | -| Sensitive Documents | Lists the documents that are classified according to the sensitive data types enabled in the SharePoint Online Data Classification connector. See step 7 in the [Add a Source and Connectors for SharePoint Online](../organizations/sourcesandconnectors/sharepointonline.md) topic for addition information. | +| Sensitive Documents | Lists the documents that are classified according to the sensitive data types enabled in the SharePoint Online Data Classification connector. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for addition information. | | Sharing Links | Provides an overview of all the active sharing links within your SharePoint Online site. For each record, it displays the site collection, URL of the shared resource, name of the shared object, link creation and expiration dates, link type, assigned permissions, and more. Click the "Shared with" link to see exactly who or which groups have access. | Sort a Report 
@@ -88,7 +88,7 @@ Operator, and Value drop-down menus, then click **Search**. You can select more than one filter. For options displayed in the Operator drop-down menu, see the -[Filter Operators ](filteroperators.md)topic. +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic. ## Filter Descriptions 
@@ -131,4 +131,4 @@ This table provides a list of filters and descriptions. | Link Type | Lists the links based on any of the following sharing types: - Anonymous - Organization - Specific People | | Sensitive Data Types | Lists the documents based on the sensitive data type they contain. Available data types are: - PII - Financial Records - GDPR Restricted - GDPR - GLBA - HIPAA - PCI DSS - PHI - CCPA - CMMC - Credentials | | Sensitive Data Criteria | Lists the documents based on a sensitive data criteria. Each data type (e.g., PII) may have multiple data criteria, like PII >> Denmark, PII >> French passport, PII >> France, and so on. | -| Sensitivity Label | Lists the documents based on a sensitivity label. For example, if you specify a label named "sensitive", it lists all the documents with that label. Sensitivity labels are applied to documents on the basis of the settings configured for the SharePoint Online Data Classification connector in the SharePoint Online data source. See step 7 in the [Add a Source and Connectors for SharePoint Online](../organizations/sourcesandconnectors/sharepointonline.md) topic for additional information. | +| Sensitivity Label | Lists the documents based on a sensitivity label. For example, if you specify a label named "sensitive", it lists all the documents with that label. Sensitivity labels are applied to documents on the basis of the settings configured for the SharePoint Online Data Classification connector in the SharePoint Online data source. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for additional information. | diff --git a/docs/1secure/admin/searchandreports/customreports.md b/docs/1secure/admin/searchandreports/customreports.md index a87f596232..1732034ef5 100644 --- a/docs/1secure/admin/searchandreports/customreports.md +++ b/docs/1secure/admin/searchandreports/customreports.md 
@@ -23,13 +23,13 @@ opens to the Activity tab with New Investigation selected in the left pane. custom report for it. An organization is selected by default, but you can choose a different one if needed. -**Step 3 –** Define a filter criteria. See the [Apply Filters](applyfilters.md) topic for additional +**Step 3 –** Define a filter criteria. See the [Apply Filters](/docs/1secure/admin/searchandreports/applyfilters.md) topic for additional information. **Step 4 –** Click **Save as** in the upper right corner of the page. The Create Report pane is displayed. -![Create Report Pane](../../../../static/img/product_docs/1secure/admin/searchandreports/searchcreatereports.webp) +![Create Report Pane](/img/product_docs/1secure/admin/searchandreports/searchcreatereports.webp) **Step 5 –** In the Create Report pane, specify a name and description for the report in the Name and Description fields. @@ -48,7 +48,7 @@ generated. **Step 8 –** Optionally, select the **Share with business users** check box to share the report with business users. See the -[Add the Business Viewer Role](../organizations/addingusers.md#add-the-business-viewer-role) topic +[Add the Business Viewer Role](/docs/1secure/admin/organizations/addingusers.md#add-the-business-viewer-role) topic for additional information on shared reports. **NOTE:** This check box is not available for End Customer Organizations. @@ -58,7 +58,7 @@ for additional information on shared reports. Your custom report is created under the respective category. **NOTE:** You may link this report to an alert. See the -[Add a Custom Alert](../alerts/index.md#add-a-custom-alert) topic for additional information. +[Add a Custom Alert](/docs/1secure/admin/alerts/index.md#add-a-custom-alert) topic for additional information. ## Modify a Custom Report diff --git a/docs/1secure/admin/searchandreports/exportreport.md b/docs/1secure/admin/searchandreports/exportreport.md index 60ba3448d4..78fb45a965 100644 
--- a/docs/1secure/admin/searchandreports/exportreport.md +++ b/docs/1secure/admin/searchandreports/exportreport.md @@ -33,7 +33,7 @@ you open them. Click **Search** to generate reports with a predefined filter set **Step 5 –** Click **Export**. The report is sent to you as an .xlsx file by email. -![Roports - Export option](../../../../static/img/product_docs/1secure/admin/searchandreports/exportreport.webp) +![Roports - Export option](/img/product_docs/1secure/admin/searchandreports/exportreport.webp) **NOTE:** A report cannot be exported if no data is available for it. In this case, the Export button remains disabled. @@ -49,7 +49,7 @@ opens to the Activity tab with New Investigation selected in the left pane. its reports. An organization is selected by default, but you can choose a different one if needed. **Step 3 –** Define a filter criteria, then click **Search** to generate the investigation results -based on it. See the [Apply Filters](applyfilters.md) topic for additional information. +based on it. See the [Apply Filters](/docs/1secure/admin/searchandreports/applyfilters.md) topic for additional information. **Step 4 –** Click **Export**. The investigation results report is sent to you as an .xlsx file by email. diff --git a/docs/1secure/admin/searchandreports/filteroperators.md b/docs/1secure/admin/searchandreports/filteroperators.md index 635bd48c48..533942864d 100644 --- a/docs/1secure/admin/searchandreports/filteroperators.md +++ b/docs/1secure/admin/searchandreports/filteroperators.md 
@@ -13,7 +13,7 @@ When applying filters at search, you can specify operators that should be used a data you want to retrieve and compare with the certain filter value. Examples of conditions include Contains, Starts with, etc. -![search_searchresults](../../../../static/img/product_docs/1secure/admin/searchandreports/search_searchresults.webp) +![search_searchresults](/img/product_docs/1secure/admin/searchandreports/search_searchresults.webp) The following operators can be used to specify search conditions: diff --git a/docs/1secure/admin/searchandreports/index.md b/docs/1secure/admin/searchandreports/index.md index b6a65650a2..40ae3149c3 100644 --- a/docs/1secure/admin/searchandreports/index.md +++ b/docs/1secure/admin/searchandreports/index.md @@ -33,6 +33,6 @@ is currently available for the following connectors: See the following topics for additional information: -- [Apply Filters](applyfilters.md) +- [Apply Filters](/docs/1secure/admin/searchandreports/applyfilters.md) - Create Reports with Custom Filters -- [State In Time Risks Reports](stateintime.md) +- [State In Time Risks Reports](/docs/1secure/admin/searchandreports/stateintime.md) diff --git a/docs/1secure/admin/searchandreports/stateintime.md b/docs/1secure/admin/searchandreports/stateintime.md index 801251e0ae..9391977e10 100644 --- a/docs/1secure/admin/searchandreports/stateintime.md +++ b/docs/1secure/admin/searchandreports/stateintime.md 
@@ -19,7 +19,7 @@ vulnerabilities in an environment. You can generate a separate state-in-time rep metric to get detailed information on specific security aspects of your environment. To view detailed risk-related data for your organization, see the -[Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) topic. +[Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic. State-in-time reports display data for the Active Directory, Microsoft Entra ID, and SharePoint Online platforms in your environment. You must enable the following connectors to collect data for @@ -27,15 +27,15 @@ the respective platforms: - Active Directory State (AD State) See Step 8 in the - [Add a Source and Connectors for Active Directory](../organizations/sourcesandconnectors/activedirectory.md) + [Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) topic - Azure AD State See Step 6 in the - [Add a Source and Connectors for Microsoft Entra ID](../organizations/sourcesandconnectors/entraid.md) + [Add a Source and Connectors for Microsoft Entra ID](/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md) topic - SharePoint Online State See Step 6 in the - [Add a Source and Connectors for SharePoint Online](../organizations/sourcesandconnectors/sharepointonline.md) + [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic ## Review a Report 
@@ -53,10 +53,10 @@ with the High Risk Permissions on Documents report displayed by default. **NOTE:** Click the Risk Assessment Dashboard link in the left pane to navigate to the Risk Assessment page, where you can monitor the risks for the selected organization. See the -[Risk Assessment Dashboard](../riskprofiles/riskassessmentdashboard.md) topic for additional +[Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topic for additional information. -![Risk Reports page](../../../../static/img/product_docs/1secure/admin/searchandreports/sitrisks.webp) +![Risk Reports page](/img/product_docs/1secure/admin/searchandreports/sitrisks.webp) **Step 4 –** In the left pane, click a category to view its reports. Categories are: @@ -127,7 +127,7 @@ Operator, and Value drop-down menus, then click **Search**. You can select more than one filter. For options displayed in the Operator drop-down menu, see the -[Filter Operators ](filteroperators.md)topic. +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic. Filter Descriptions 
@@ -142,7 +142,7 @@ This table provides a list of filters and descriptions. | Member through | Specify whether a group is a member of a group explicitly or inherited from another group. For example, Group A > Admin Group (Group A is explicitly a member of Admin Group) Group B > Group C > Admin Group (Group C is explicitly a member of Admin Group while Group B is an inherited member of Admin Group) If you do not specify the value, it will include both. If your Value is Inherited, it will only show Group B, and if you Value is Explicit, it will show Group A and Group C | | Status | Filters the report based on any of the following user account statuses: - Enabled - Disabled | | Source Type | Filters the report based on any of the following source types: - AD Group - Entra ID Group - Windows Local Group - SharePoint Online Group | -| Source | Filters the report based on the name of a data source. The data source name corresponds to the value specified in the Source Group field when adding a data source. See the [Sources and Connectors](../organizations/sourcesandconnectors/index.md) topic for additional information. | +| Source | Filters the report based on the name of a data source. The data source name corresponds to the value specified in the Source Group field when adding a data source. See the [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information. | | Name | Filters the report based on the name of a user or computer account. | | Location | Filters the report based on the location of an account in the directory. For example, Guest is an account name and its location is SSA-D4.local/Users/Guest. | | Role | Filters the report based on a role, such as Global Administrator. | diff --git a/docs/1secure/admin/searchandreports/subscriptions.md b/docs/1secure/admin/searchandreports/subscriptions.md index df09102afc..047ad92470 100644 --- a/docs/1secure/admin/searchandreports/subscriptions.md 
+++ b/docs/1secure/admin/searchandreports/subscriptions.md @@ -37,7 +37,7 @@ Subscribe button remains disabled. **Step 5 –** Click **Subscribe** on the top right of the page. The Subscription to `` pane is displayed. -![Subscription to Report pane](../../../../static/img/product_docs/1secure/admin/searchandreports/subscriptions.webp) +![Subscription to Report pane](/img/product_docs/1secure/admin/searchandreports/subscriptions.webp) **Step 6 –** Set a start date, time, and time zone for sending the report to the intended recipients. @@ -70,7 +70,7 @@ Organization. **Step 11 –** Click the **Send reports by email** check box to specify email delivery settings. The Email Settings section expands to display the following: -![Email Delivery Settings](../../../../static/img/product_docs/1secure/admin/searchandreports/subscriptionsemailsettings.webp) +![Email Delivery Settings](/img/product_docs/1secure/admin/searchandreports/subscriptionsemailsettings.webp) - Recipients – Specify the email addresses of the recipients of the report subscription. You can enter multiple addresses separated by a comma. @@ -85,7 +85,7 @@ Email Settings section expands to display the following: variables, select them one by one from the drop-down menu. The available options are: Report Name, Export Date, Frequency, Num Records, Managing Organization, and Managed Organization. - ![Email Subject](../../../../static/img/product_docs/1secure/admin/searchandreports/subscriptions_2.webp) + ![Email Subject](/img/product_docs/1secure/admin/searchandreports/subscriptions_2.webp) **NOTE:** The End Customer Organization has the Organization Name variable instead of the Managed Organization and Managing Organization variables. 
@@ -97,7 +97,7 @@ specify the settings for SharePoint Online delivery. **NOTE:** If you encounter the message, Integration required, you must first configure your integration for SharePoint Online. See the -[SharePoint Online](../../integrations/sharepointonline.md) topic for additional information. +[SharePoint Online](/docs/1secure/integrations/sharepointonline.md) topic for additional information. Expand the SharePoint Online Settings section and specify the following settings for saving the report: @@ -131,7 +131,7 @@ Processing, Error Sending). **Step 4 –** (Optional) To disable a subscription, toggle OFF the switch for it. -![Organization Subscriptions Page](../../../../static/img/product_docs/1secure/admin/searchandreports/subscriptions_3.webp) +![Organization Subscriptions Page](/img/product_docs/1secure/admin/searchandreports/subscriptions_3.webp) **Step 5 –** Click the Edit icon for a subscription to modify it. The Subscription to `` pane is displayed. diff --git a/docs/1secure/admin/searchandreports/system.md b/docs/1secure/admin/searchandreports/system.md index 9af61ccab8..9b9d35399d 100644 --- a/docs/1secure/admin/searchandreports/system.md +++ b/docs/1secure/admin/searchandreports/system.md @@ -18,7 +18,7 @@ Follow the steps to review the Billable Users report. **Step 1 –** Navigate to the **Reports** > **System** tab. -![system](../../../../static/img/product_docs/1secure/admin/searchandreports/system.webp) +![system](/img/product_docs/1secure/admin/searchandreports/system.webp) **Step 2 –** Select the **Billable Users** report in the left pane to view it. @@ -33,7 +33,7 @@ Operator, and Value drop-down menus, then click **Search**. You can select more than one filter. For options displayed in the Operator drop-down menu, see the -[Filter Operators ](filteroperators.md)topic. +[Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic. ## Filter Descriptions 
diff --git a/docs/1secure/configuration/activedirectory/admanual.md b/docs/1secure/configuration/activedirectory/admanual.md index 2c9407b30d..76156cab3a 100644 --- a/docs/1secure/configuration/activedirectory/admanual.md +++ b/docs/1secure/configuration/activedirectory/admanual.md @@ -17,7 +17,7 @@ You can configure your Active Directory domain for monitoring in one of the fol detected with your current audit settings, automatic audit configuration will not be performed.For a full list of audit settings required for Netwrix 1Secure to collect comprehensive audit data and instructions on how to configure them, refer to - [Configure IT Infrastructure for Auditing and Monitoring](../configureitinfrastructure.md). + [Configure IT Infrastructure for Auditing and Monitoring](/docs/1secure/configuration/configureitinfrastructure.md). If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary. 
@@ -26,10 +26,10 @@ You can configure your Active Directory domain for monitoring in one of the fol Also, perform the following procedures: -- [Configure Basic Domain Audit Policies](domainauditpolicies.md) or - [Configure Advanced Audit Policies](advancedpolicy.md). Either local or advanced audit policies +- [Configure Basic Domain Audit Policies](/docs/1secure/configuration/activedirectory/domainauditpolicies.md) or + [Configure Advanced Audit Policies](/docs/1secure/configuration/activedirectory/advancedpolicy.md). Either local or advanced audit policies must be configured to track changes to accounts and groups, and to identify workstations where changes were made. -- [Configure Object-Level Auditing](objectlevel.md) +- [Configure Object-Level Auditing](/docs/1secure/configuration/activedirectory/objectlevel.md) - Adjust Security Event Log Size and Retention Settings -- [Enable Secondary Logon Service](secondarylogonservice.md) +- [Enable Secondary Logon Service](/docs/1secure/configuration/activedirectory/secondarylogonservice.md) diff --git a/docs/1secure/configuration/activedirectory/advancedpolicy.md b/docs/1secure/configuration/activedirectory/advancedpolicy.md index c242934ce8..5926ebeaa0 100644 --- a/docs/1secure/configuration/activedirectory/advancedpolicy.md +++ b/docs/1secure/configuration/activedirectory/advancedpolicy.md 
@@ -36,7 +36,7 @@ Options. **Step 4 –** Locate the Audit: Force audit policy subcategory settings to override audit policy category settings and make sure that policy setting is set to _"Enabled"_. -![manualconfig_ad_nla_audit_force_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) +![manualconfig_ad_nla_audit_force_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) **Step 5 –** Navigate to **Start → Run** and type _"cmd"_. Input the `gpupdate /force` command and press **Enter**. The group policy will be updated. @@ -64,7 +64,7 @@ Configuration > Audit Policies. | DS Access | Audit Directory Service Access | _"Success"_ | | Logon/Logoff | - Audit Logoff - Audit Logon These policies are only required to collect the information on the originating workstation, i.e., the computer from which a change was made. | _"Success"_ | -![manualconfig_ad_advpol_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_advpol_winserver2016.webp) +![manualconfig_ad_advpol_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_advpol_winserver2016.webp) **Step 5 –** Navigate to **Start > Run** and type _"cmd"_. Input the `gpupdate /force` command and press **Enter**. The group policy will be updated. diff --git a/docs/1secure/configuration/activedirectory/auto.md b/docs/1secure/configuration/activedirectory/auto.md index 5642584a0a..a50549f840 100644 --- a/docs/1secure/configuration/activedirectory/auto.md +++ b/docs/1secure/configuration/activedirectory/auto.md 
@@ -22,5 +22,5 @@ To adjust audit settings automatically, do any of the following: See also: -- [Configure Domain for Monitoring Active Directory](admanual.md) -- [Active Directory: manual configuration](cfgmanual.md) +- [Configure Domain for Monitoring Active Directory](/docs/1secure/configuration/activedirectory/admanual.md) +- [Active Directory: manual configuration](/docs/1secure/configuration/activedirectory/cfgmanual.md) diff --git a/docs/1secure/configuration/activedirectory/cfgmanual.md b/docs/1secure/configuration/activedirectory/cfgmanual.md index 504bf143bd..e4e04ae146 100644 --- a/docs/1secure/configuration/activedirectory/cfgmanual.md +++ b/docs/1secure/configuration/activedirectory/cfgmanual.md 
@@ -21,32 +21,32 @@ To configure your domain for monitoring manually, you will need: If these tools are not installed, refer to the related topics: -- [Install ADSI Edit](adsi.md) -- [Group Policy Management Console](grouppolicymanagementconsole.md) +- [Install ADSI Edit](/docs/1secure/configuration/activedirectory/adsi.md) +- [Group Policy Management Console](/docs/1secure/configuration/activedirectory/grouppolicymanagementconsole.md) Take the following configuration steps: **Step 1 –** Configure effective domain controllers policy (by default, Default Domain Controllers -Policy). See [Configure Basic Domain Audit Policies](domainauditpolicies.md) or -[Configure Advanced Audit Policies](advancedpolicy.md) for details. +Policy). See [Configure Basic Domain Audit Policies](/docs/1secure/configuration/activedirectory/domainauditpolicies.md) or +[Configure Advanced Audit Policies](/docs/1secure/configuration/activedirectory/advancedpolicy.md) for details. -**Step 2 –** [Configure Object-Level Auditing](objectlevel.md) +**Step 2 –** [Configure Object-Level Auditing](/docs/1secure/configuration/activedirectory/objectlevel.md) **Step 3 –** Adjust Security Event Log Size and Retention Settings **Step 4 –** If you have an on-premises Exchange server in your Active Directory domain, consider that some changes to AD can be made via that Exchange server. 
To be able to audit and report who made those changes, you should -[Configure Exchange Administrator Audit Logging Settings](../../admin/datacollection/activedirectory/auditlogging.md) +[Configure Exchange Administrator Audit Logging Settings](/docs/1secure/admin/datacollection/activedirectory/auditlogging.md) Also, remember to do the following for AD auditing: **Step 1 –** Configure Data Collecting Account, as described in -[Active Directory Auditing](../../admin/datacollection/activedirectory/activedirectoryauditing.md) +[Active Directory Auditing](/docs/1secure/admin/datacollection/activedirectory/activedirectoryauditing.md) **Step 2 –** Configure required protocols and ports, as described in -[Protocols and Ports Required for Monitoring Active Directory, Exchange, and Group Policy](protocolsandports.md) +[Protocols and Ports Required for Monitoring Active Directory, Exchange, and Group Policy](/docs/1secure/configuration/activedirectory/protocolsandports.md) topic. -**Step 3 –** [Enable Secondary Logon Service](secondarylogonservice.md) on the computer where +**Step 3 –** [Enable Secondary Logon Service](/docs/1secure/configuration/activedirectory/secondarylogonservice.md) on the computer where Netwrix Cloud Agent resides. diff --git a/docs/1secure/configuration/activedirectory/domainauditpolicies.md b/docs/1secure/configuration/activedirectory/domainauditpolicies.md index d03ed51890..5456e94e7d 100644 --- a/docs/1secure/configuration/activedirectory/domainauditpolicies.md +++ b/docs/1secure/configuration/activedirectory/domainauditpolicies.md 
@@ -11,7 +11,7 @@ description: "Learn how to configure basic domain audit policies to track user a Basic audit policies allow tracking changes to user accounts and groups and identifying originating workstations. You can configure advanced audit policies for the same purpose too. See the -[Configure Advanced Audit Policies](advancedpolicy.md) topic for additional information. +[Configure Advanced Audit Policies](/docs/1secure/configuration/activedirectory/advancedpolicy.md) topic for additional information. **Step 1 –** Open the **Group Policy Management** console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016 and higher) or @@ -33,7 +33,7 @@ Policies > Audit Policy.** | **Audit directory service access** | _"Success"_ | | **Audit logon events** | _"Success"_ | -![manualconfig_ad_localpolicy_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_localpolicy_winserver2016.webp) +![manualconfig_ad_localpolicy_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_localpolicy_winserver2016.webp) The Audit logon events policy is only required to collect the information on the originating workstation, i.e., the computer from which a change was made. This functionality is optional and can diff --git a/docs/1secure/configuration/activedirectory/objectlevel.md b/docs/1secure/configuration/activedirectory/objectlevel.md index 15253fd1ba..6c72140341 100644 --- a/docs/1secure/configuration/activedirectory/objectlevel.md +++ b/docs/1secure/configuration/activedirectory/objectlevel.md 
@@ -24,13 +24,13 @@ higher) or Administrative Tools (Windows 2012) > **Active Directory Users and Co **Step 2 –** In the **Active Directory Users and Computers** dialog, click **View** in the main menu and ensure that the **Advanced Features** are enabled. -![manualconfig_aduc_advsecwinserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advsecwinserver2016.webp) +![manualconfig_aduc_advsecwinserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advsecwinserver2016.webp) **Step 3 –** Right-click the **``** node and select **Properties.** Select the **Security** tab and click **Advanced**. In the **Advanced Security Settings for ``** dialog, select the **Auditing** tab. -![manualconfig_aduc_advauditing_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advauditing_winserver2016.webp) +![manualconfig_aduc_advauditing_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advauditing_winserver2016.webp) **Step 4 –** Do one of the following depending on the OS: @@ -42,7 +42,7 @@ dialog, select the **Auditing** tab. except the following: _Full Control_, _List Contents_, _Read All Properties_ and _Read Permissions_. - ![manualconfig_objectlevel_entry2008](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_entry2008.webp) + ![manualconfig_objectlevel_entry2008](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_entry2008.webp) 3. Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. Also, make sure that the **Apply onto** parameter is 
@@ -60,17 +60,17 @@ dialog, select the **Auditing** tab. 5. Scroll to the bottom of the list and make sure that the **Only apply these auditing settings to objects and/or containers within this container** checkbox is cleared. - ![manualconfig_objectlevel_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) + ![manualconfig_objectlevel_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) 6. Click **Ok**. Follow the steps to enable object-level auditing for the Configuration partition. To perform this procedure, you will need the -[ADSI Edit]() utility. In Windows +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. See the -[Install ADSI Edit](adsi.md) topic for additional information on how to install the ADSI Edit +[Install ADSI Edit](/docs/1secure/configuration/activedirectory/adsi.md) topic for additional information on how to install the ADSI Edit utility. **Step 1 –** On any domain controller in the target domain, navigate to Start>Windows Administrative @@ -80,7 +80,7 @@ Tools (Windows Server 2016 and higher) or Administrative Tools **(Windows 2012)* Settings** dialog, enable **Select a well-known Naming Context** and select **Configuration** from the drop-down list. -![manualconfig_adsi_connectionwinserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) +![manualconfig_adsi_connectionwinserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) **Step 3 –** Expand the **Configuration ``** node. Right-click the **CN=Configuration, DC=``,DC=``…** node and select **Properties.** 
@@ -99,7 +99,7 @@ dialog, open the **Auditing** tab. except the following: _Full Control_, _List Contents_, _Read All Properties_ and _Read Permissions_. - ![manualconfig_objectlevel_entry2008](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_entry2008.webp) + ![manualconfig_objectlevel_entry2008](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_entry2008.webp) 3. Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. Also, make sure that the **Apply onto** parameter is @@ -117,6 +117,6 @@ dialog, open the **Auditing** tab. 5. Scroll to the bottom of the list and make sure that the **Only apply these auditing settings to objects and/or containers within this container** checkbox is cleared. - ![manualconfig_objectlevel_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) + ![manualconfig_objectlevel_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) 6. Click **Ok**. diff --git a/docs/1secure/configuration/computer/advancedpolicy.md b/docs/1secure/configuration/computer/advancedpolicy.md index 0510470db8..4b8bf1b29b 100644 --- a/docs/1secure/configuration/computer/advancedpolicy.md +++ b/docs/1secure/configuration/computer/advancedpolicy.md @@ -11,7 +11,7 @@ description: "Learn how to configure advanced audit policies to limit event trac Configure advanced audit policies to limit the range of events tracked and recorded by the product, thus preventing your AuditArchive and the Security event log from overfilling. Perform procedures -below instead of those discussed in the [Configure Local Audit Policies](localpolicy.md) topic. +below instead of those discussed in the [Configure Local Audit Policies](/docs/1secure/configuration/computer/localpolicy.md) topic. ## Enforce Advanced Policies Over Local Policies 
@@ -27,7 +27,7 @@ Windows Administrative Tools > Local Security Policy. **Step 2 –** Navigate to Security Settings > Local Policies > Security Options and locate the Audit: Force audit policy subcategory settings policy. -![Local Security Policy snap-in ](../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) +![Local Security Policy snap-in ](/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) **Step 3 –** Double-click the policy and enable it. diff --git a/docs/1secure/configuration/computer/eventlog.md b/docs/1secure/configuration/computer/eventlog.md index 140fe3c2a0..b7976d4dac 100644 --- a/docs/1secure/configuration/computer/eventlog.md +++ b/docs/1secure/configuration/computer/eventlog.md @@ -22,7 +22,7 @@ Follow the steps to configure Event Log Size and Retention Settings. **Step 2 –** Navigate to Event Viewer tree > Windows Logs, right-click **Security** and select **Properties**. -![Log Properties dialog box](../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) +![Log Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) **Step 3 –** Make sure Enable logging is selected. diff --git a/docs/1secure/configuration/computer/firewallrules.md b/docs/1secure/configuration/computer/firewallrules.md index e82323a8a0..e8476bd9f7 100644 --- a/docs/1secure/configuration/computer/firewallrules.md +++ b/docs/1secure/configuration/computer/firewallrules.md 
@@ -28,7 +28,7 @@ settings** on the left. **Step 3 –** In the Windows Firewall with Advanced Security dialog, select Inbound Rules on the left. -![Windows Firewall Advanced Security window](../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) +![Windows Firewall Advanced Security window](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) **Step 4 –** Enable the following inbound connection rules: diff --git a/docs/1secure/configuration/computer/index.md b/docs/1secure/configuration/computer/index.md index 69dcd702c0..a98918a7df 100644 --- a/docs/1secure/configuration/computer/index.md +++ b/docs/1secure/configuration/computer/index.md @@ -15,7 +15,7 @@ data collection from the computer while working with Netwrix 1Secure. ## Check requirements Make sure the Windows File Servers you want to monitor meet the requirements listed in the -[Requirements](../../requirements.md#prerequisites-for-data-sources) section. +[Requirements](/docs/1secure/requirements.md#prerequisites-for-data-sources) section. ## Decide on audit data to collect @@ -87,7 +87,7 @@ You can apply the required audit settings to your Windows file servers in one of - Automatically - The current audit settings will be applied automatically. They will be periodically checked and adjusted if necessary. - See [Data Collecting Account](../../admin/datacollection/datacollectingaccount.md) for + See [Data Collecting Account](/docs/1secure/admin/datacollection/datacollectingaccount.md) for additional information. - Manually - Perform the following action to manually apply audit settings to Windows File Servers: 
@@ -97,9 +97,9 @@ You can apply the required audit settings to your Windows file servers in one of ## Configure Data Collecting Account Follow the instructions in the -[Data Collecting Account](../../admin/datacollection/datacollectingaccount.md) section. +[Data Collecting Account](/docs/1secure/admin/datacollection/datacollectingaccount.md) section. ## Configure required protocols and ports Set up protocols and ports as described in the -[Protocols and Ports Required for Monitoring File Servers](protocolsandports.md) section. +[Protocols and Ports Required for Monitoring File Servers](/docs/1secure/configuration/computer/protocolsandports.md) section. diff --git a/docs/1secure/configuration/computer/localpolicy.md b/docs/1secure/configuration/computer/localpolicy.md index e48bb15f5e..f9b2740d9e 100644 --- a/docs/1secure/configuration/computer/localpolicy.md +++ b/docs/1secure/configuration/computer/localpolicy.md @@ -10,7 +10,7 @@ description: "Learn how to configure local audit policies using the Local Securi # Configure Local Audit Policies You can choose to configure local audit policies or advanced audit policies. See the -[Configure Advanced Audit Policies](advancedpolicy.md) topic for additional information. +[Configure Advanced Audit Policies](/docs/1secure/configuration/computer/advancedpolicy.md) topic for additional information. Follow the steps to configure local audit policies. @@ -29,4 +29,4 @@ Windows Administrative Tools > Local Security Policy. Local audit policy is configured. -![Local Security Policy snap-in](../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) +![Local Security Policy snap-in](/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) diff --git a/docs/1secure/configuration/computer/objectlevel.md b/docs/1secure/configuration/computer/objectlevel.md index 71e13c70f5..8ecb17232e 100644 
--- a/docs/1secure/configuration/computer/objectlevel.md +++ b/docs/1secure/configuration/computer/objectlevel.md @@ -11,7 +11,7 @@ description: "Learn how to configure object-level access auditing for comprehens Netwrix 1Secure can be configured to audit all the access types mentioned below: -![Advanced Activity Selection options](../../../../static/img/product_docs/1secure/configuration/computer/objectlevelaccessaudit.webp) +![Advanced Activity Selection options](/img/product_docs/1secure/configuration/computer/objectlevelaccessaudit.webp) ## Configure Object-level Access Auditing on Windows Server 2012 and Above @@ -25,7 +25,7 @@ Follow the steps to configure Object-level access auditing on Windows Server 201 **Step 3 –** In the Advanced Security Settings for `` dialog box, navigate to the Auditing tab. -![Advanced Security Settings for `` dialog box](../../../../static/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) +![Advanced Security Settings for `` dialog box](/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) **Step 4 –** Click **Add** to add a new principal. You can select **Everyone** (or another user-defined group containing users that are granted special permissions) and click **Edit**. diff --git a/docs/1secure/configuration/computer/remoteregistryservice.md b/docs/1secure/configuration/computer/remoteregistryservice.md index 07ee005379..7767ad2b9d 100644 --- a/docs/1secure/configuration/computer/remoteregistryservice.md +++ b/docs/1secure/configuration/computer/remoteregistryservice.md 
@@ -13,7 +13,7 @@ Follow the steps to enable the Remote Registry service. **Step 1 –** Navigate to Start > Windows Administrative Tools > Services. -![Services Console](../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) +![Services Console](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) **Step 2 –** In the Services window, locate the Remote Registry service, right-click it and select **Properties**. @@ -21,7 +21,7 @@ Follow the steps to enable the Remote Registry service. **Step 3 –** In the Remote Registry Properties dialog box, make sure the Startup type parameter is set to _Automatic_ and click **Start**. -![Remote Registry Properties dialog box](../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) +![Remote Registry Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) **Step 4 –** In the Services window, ensure that the Remote Registry service has the _Running_ status on Windows Server 2012 and above. diff --git a/docs/1secure/configuration/configureitinfrastructure.md b/docs/1secure/configuration/configureitinfrastructure.md index 98bed5f0e5..9ef6a4fd11 100644 --- a/docs/1secure/configuration/configureitinfrastructure.md +++ b/docs/1secure/configuration/configureitinfrastructure.md 
@@ -18,8 +18,8 @@ You can configure your IT Infrastructure for monitoring in one of the following | Data source | Provided connectors | Required configuration | | ----------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --- | --- | --- | --- | --- | --- | ------------------------------------ | ------------------------ | --- | ----------------------------------------------------------- | -------- | --- | --------------------------- | ------------------------ | --- | ------------------------------ | ------------------------ | --- | --------------------------- | ------------------------ | --- | ----------------------------- | ------------------------ | --- | -------- | ------------------------ | --- | -------------------- | ------------------------ | --- | ---------------- | ------------------------ | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | ------------------- | --- | --- | ------------- | --- | --- | ---------------- | ----------- | --- | ----------------- | --------------------------- | --- | ------------------------- | --------------------------- | --- | ------------ | --- | --- | ----- | ----------- | --- | ------ | ----------- | --- | ------------- | --- | --- | ------------------------- | ----------- | --- | ------ | --- | --- | --------------------- | ----------- | --- | -------------------------------------------- | --- | --- | ------------- | --- | --- | ---------------- | ----------- | --- | ----------------- | --------------------------- | --- | ------------------------- | --------------------------- | --- | ------------------------- | ----------- | --- | ------------ | --- | --- | ----- | ----------- | --- | ------ | ----------- | --- | ------------- | --- | --- | ------------------------- | ----------- | --- | ------ | --- | --- | --------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | ------------- | --- | --- | ----------------- | ----------- | --- | ------------------------- | --------- | --- | ---------------- | --------- | --- | ------------- | --- | --- | ------------------------- | --------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Active Directory | Active Directory Activity | In the audited environment: See [Configure Domain for Monitoring Active Directory](activedirectory/admanual.md) for related settings and procedures. On the computer where Netwrix Cloud Agent is installed: - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix 1Secure to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key It is recommended that you adjust retention period for the backup files accordingly (default is **50** hours). 
- To provide for event data collection, the Secondary Logon service must be up and running . Open **Administrative Tools**→**Services**, right-click the **Secondary Logon** service and on the **General** tab make sure that **Startup type** for this service is other than _Disabled_. | +| Active Directory | Active Directory Activity | In the audited environment: See [Configure Domain for Monitoring Active Directory](/docs/1secure/configuration/activedirectory/admanual.md) for related settings and procedures. On the computer where Netwrix Cloud Agent is installed: - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix 1Secure to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key It is recommended that you adjust retention period for the backup files accordingly (default is **50** hours). - To provide for event data collection, the Secondary Logon service must be up and running . Open **Administrative Tools**→**Services**, right-click the **Secondary Logon** service and on the **General** tab make sure that **Startup type** for this service is other than _Disabled_. | | Active Directory | Active Directory Logons | In the audited environment: - The following policies must be set to _"Success"_ and _"Failure"_ for the effective domain controllers policy: - Audit Logon Events - Audit Account Logon Events - The Audit system events policy must be set to _"Success"_ for the effective domain controllers policy. - The Advanced audit policy settings can be configured instead of basic. - The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to _“Overwrite events as needed”_ or _"Archive the log when full"_. 
- The following Windows Firewall inbound rules must be enabled: - Remote Event Log Management (NP-In) - Remote Event Log Management (RPC) - Remote Event Log Management (RPC-EPMAP) | -| Azure AD | Azure AD Activity Azure AD Logons | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](entraid/registerconfig.md) section. | +| Azure AD | Azure AD Activity Azure AD Logons | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) section. | | Computer | File Server Activity | **In the audited environment** - For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders: | | | | --- | --- | | List Folder / Read Data (Files only) | _"Success"_ and _"Fail"_ | | List Folder / Read Data (This folder, subfolders and files) | _"Fail"_ | | Create Files / Write Data\* | _"Success"_ and _"Fail"_ | | Create Folders / Append Data\* | _"Success"_ and _"Fail"_ | | Write Extended Attributes\* | _"Success"_ and _"Fail"_ | | Delete Subfolders and Files\* | _"Success"_ and _"Fail"_ | | Delete\* | _"Success"_ and _"Fail"_ | | Change Permissions\* | _"Success"_ and _"Fail"_ | | Take Ownership\* | _"Success"_ and _"Fail"_ | Select _"Fail_" only if you want to track failure events, it is not required for success events monitoring. If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with \* and set it to _"Success"_ (Apply onto: This folder, subfolders and files). - The following Advanced audit policy settings must be configured: - The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled. 
- Depending on your OS version, configure the categories as follows: | | | | --- | --- | | Windows Server 2008 | | | Object Access | | | Audit File Share | _"Success"_ | | Audit File System | _"Success"_ and _"Failure"_ | | Audit Handle Manipulation | _"Success"_ and _"Failure"_ | | Logon/Logoff | | | Logon | _"Success"_ | | Logoff | _"Success"_ | | Policy Change | | | Audit Audit Policy Change | _"Success"_ | | System | | | Security State Change | _"Success"_ | | Windows Server 2008 R2 / Windows 7 and above | | | Object Access | | | Audit File Share | _"Success"_ | | Audit File System | _"Success"_ and _"Failure"_ | | Audit Handle Manipulation | _"Success"_ and _"Failure"_ | | Audit Detailed file share | _"Failure"_ | | Logon/Logoff | | | Logon | _"Success"_ | | Logoff | _"Success"_ | | Policy Change | | | Audit Audit Policy Change | _"Success"_ | | System | | | Security State Change | _"Success"_ | If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies: | | | | --- | --- | | Object Access | | | Audit File System | _"Success"_ | | Audit Handle Manipulation | "Success" | | Audit File Share | "Success" | | Policy Change | | | Audit Audit Policy Change | "Success" | - The following legacy policies can be configured instead of advanced: - Audit object access policy must set to _"Success"_ and _"Failure"_. - Audit logon events policy must be set to _"Success"_. - Audit system events policy must be set to _"Success"_. - Audit policy change must be set to _"Success"_. - The Security event log maximum size must be set to 4GB. The retention method of the Security event log must be set to _“Overwrite events as needed”_. - The Remote Registry service must be started. 
- The following inbound Firewall rules must be enabled: - Remote Event Log Management (NP-In)\* - Remote Event Log Management (RPC)\* - Remote Event Log Management (RPC-EPMAP)\* - Windows Management Instrumentation (ASync-In) - Windows Management Instrumentation (DCOM-In) - Windows Management Instrumentation (WMI-In) - Network Discovery (NB-Name-In) - File and Printer Sharing (NB-Name-In) - File and Printer Sharing (Echo Request - ICMPv4-In) - File and Printer Sharing (Echo Request - ICMPv6-In) The rules marked with \* are required only if you do not want to use network traffic compression for auditing. If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without network compression service, make sure the following inbound connection rules are enabled: - Remote Scheduled Tasks Management (RPC) - Remote Scheduled Tasks Management (RPC-EMAP) | -| SharePoint Online | SharePoint Online Activity | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](entraid/registerconfig.md). | +| SharePoint Online | SharePoint Online Activity | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md). | diff --git a/docs/1secure/configuration/entraid/registerconfig.md b/docs/1secure/configuration/entraid/registerconfig.md index 0da6fd8d03..042892ab42 100644 --- a/docs/1secure/configuration/entraid/registerconfig.md +++ b/docs/1secure/configuration/entraid/registerconfig.md 
@@ -60,7 +60,7 @@ Register an application page is displayed. The Overview page for the newly registered application opens. The following settings of the registered application are required while adding a data source in Netwrix 1Secure. See the -[Sources and Connectors](../../admin/organizations/sourcesandconnectors/index.md) topic for +[Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information on adding a data source. It is recommended to copy these settings and keep them safe. @@ -179,7 +179,7 @@ displayed. displayed in the Value column. The client secret value is required while adding a data source in Netwrix 1Secure. See the -[Sources and Connectors](../../admin/organizations/sourcesandconnectors/index.md) topic for +[Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/index.md) topic for additional information on adding a data source. **CAUTION:** If you leave this page before copying the key, it cannot be retrieved, and you will @@ -190,7 +190,7 @@ need to repeat the process. Certain connecters require a certificate rather than a client secret for authentication. This certificate is downloaded while configuring a data source in Netwrix 1Secure. Once downloaded, you need to upload the certificate to the registered application in Microsoft Entra ID. See the -[Add a Source and Connectors for SharePoint Online](../../admin/organizations/sourcesandconnectors/sharepointonline.md)topic +[Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md)topic for additional information on downloading a certificate. Follow the steps to upload a certificate to the registered application. diff --git a/docs/1secure/configuration/exchangeonlinenonowner.md b/docs/1secure/configuration/exchangeonlinenonowner.md index 8892045a4d..d9de29a494 100644 --- a/docs/1secure/configuration/exchangeonlinenonowner.md 
+++ b/docs/1secure/configuration/exchangeonlinenonowner.md @@ -18,7 +18,7 @@ Events report. See the Filters topic for additional information. **NOTE:** To start auditing the data for the report, you need to select the **Collect non-owner mailbox audit data** check box when adding the Exchange Online source. See the -[Add a Source and Connectors for Exchange Online](../admin/organizations/sourcesandconnectors/exchangeonline.md)topic +[Add a Source and Connectors for Exchange Online](/docs/1secure/admin/organizations/sourcesandconnectors/exchangeonline.md)topic for additional information. **NOTE:** Unified audit log must be enabled for a tenant. See the Microsoft diff --git a/docs/1secure/configuration/logonactivity/advancedaudit.md b/docs/1secure/configuration/logonactivity/advancedaudit.md index 485b442836..7c944ba055 100644 --- a/docs/1secure/configuration/logonactivity/advancedaudit.md +++ b/docs/1secure/configuration/logonactivity/advancedaudit.md @@ -32,7 +32,7 @@ Options. **Step 4 –** Locate the Audit: Force audit policy subcategory settings to override audit policy category settings and make sure that policy setting is set to _"Enabled"_. -![manualconfig_ad_nla_audit_force_winserver2016](../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) +![manualconfig_ad_nla_audit_force_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) **Step 5 –** Navigate to **Start** > **Run** and type _"cmd"_. Input the `gpupdate /force` command and press **Enter**. The group policy will be updated. 
@@ -61,7 +61,7 @@ Configuration > Audit Policies . | - Audit Logon | _"Success"_ and _"Failure"_ | | | System | - Audit Security State Change | _"Success"_ | -![manualconfig_nla_advpol2016](../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_advpol2016.webp) +![manualconfig_nla_advpol2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_advpol2016.webp) **Step 10 –** Set the following advanced audit policies to _"Success"_ and _"Failure"_: diff --git a/docs/1secure/configuration/logonactivity/basicauditpolicies.md b/docs/1secure/configuration/logonactivity/basicauditpolicies.md index a7a0ec1e35..2a904e02e3 100644 --- a/docs/1secure/configuration/logonactivity/basicauditpolicies.md +++ b/docs/1secure/configuration/logonactivity/basicauditpolicies.md @@ -11,7 +11,7 @@ description: "Learn how to configure basic domain audit policies for tracking us Basic local audit policies allow tracking changes to user accounts and groups and identifying originating workstations. You can configure advanced audit policies for the same purpose too. See -[Configure Advanced Audit Policies](advancedaudit.md) +[Configure Advanced Audit Policies](/docs/1secure/configuration/logonactivity/advancedaudit.md) **Step 1 –** Open the **Group Policy Management** console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016 and higher) or @@ -33,7 +33,7 @@ node on the left and navigate to **Policies** > **Windows Settings** > **Securit | Audit account logon events | _"Success"_ and _"Failure"_ | | Audit system events | _"Success"_ | -![manualconfig_nla_auditpolicies2016](../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_auditpolicies2016.webp) +![manualconfig_nla_auditpolicies2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_auditpolicies2016.webp) **Step 5 –** Set the Audit system events policy to **Success**. 
diff --git a/docs/1secure/configuration/logonactivity/firewallrules.md b/docs/1secure/configuration/logonactivity/firewallrules.md index 7a11703ce7..bfb60fc9a4 100644 --- a/docs/1secure/configuration/logonactivity/firewallrules.md +++ b/docs/1secure/configuration/logonactivity/firewallrules.md @@ -25,7 +25,7 @@ settings** on the left. **Step 3 –** In the Windows Firewall with Advanced Security dialog, select Inbound Rules on the left. -![manualconfig_nla_inbound_connections2016](../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) +![manualconfig_nla_inbound_connections2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) **Step 4 –** Enable the following inbound connection rules: diff --git a/docs/1secure/configuration/logonactivity/index.md b/docs/1secure/configuration/logonactivity/index.md index 53d89d4dd3..4778f22eae 100644 --- a/docs/1secure/configuration/logonactivity/index.md +++ b/docs/1secure/configuration/logonactivity/index.md 
@@ -14,7 +14,7 @@ You can configure your IT infrastructure for monitoring Logon Activity in one of - When creating an organization — select the **Adjust audit settings automatically** option. For existing organization, you can modify data collection settings for Logon Activity data source. - To configure your domain manually for monitoring Logon Activity, perform the following procedures: - - [Configure Basic Domain Audit Policies](basicauditpolicies.md) or - [Configure Advanced Audit Policies](advancedaudit.md) - - [Configure Security Event Log Size and Retention Settings](securitylogsize.md) - - [Configure Windows Firewall Inbound Connection Rules](firewallrules.md) + - [Configure Basic Domain Audit Policies](/docs/1secure/configuration/logonactivity/basicauditpolicies.md) or + [Configure Advanced Audit Policies](/docs/1secure/configuration/logonactivity/advancedaudit.md) + - [Configure Security Event Log Size and Retention Settings](/docs/1secure/configuration/logonactivity/securitylogsize.md) + - [Configure Windows Firewall Inbound Connection Rules](/docs/1secure/configuration/logonactivity/firewallrules.md) diff --git a/docs/1secure/configuration/logonactivity/securitylogsize.md b/docs/1secure/configuration/logonactivity/securitylogsize.md index 8d7ca4d8c4..92da230b41 100644 --- a/docs/1secure/configuration/logonactivity/securitylogsize.md +++ b/docs/1secure/configuration/logonactivity/securitylogsize.md 
@@ -20,7 +20,7 @@ default, it is the **Default Domain Controllers Policy**), and select **Edit** f **Step 3 –** Navigate to **Computer Configuration** > **Policies** > **Windows Settings > Security Settings** > **Event Log** and double-click the **Maximum security log size** policy. -![manualconfig_grouppolicymaxsecuritysizewinserver2016](../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) +![manualconfig_grouppolicymaxsecuritysizewinserver2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) **Step 4 –** In the **Maximum security log size Properties** dialog, select **Define this policy setting** and set maximum security log size to*"4194240"* kilobytes (4GB). diff --git a/docs/1secure/configuration/sqlserver/index.md b/docs/1secure/configuration/sqlserver/index.md index 18f25aae97..1b9a62eba9 100644 --- a/docs/1secure/configuration/sqlserver/index.md +++ b/docs/1secure/configuration/sqlserver/index.md @@ -33,5 +33,5 @@ The product collects successful and failed logon attempts for Windows and SQL lo Remember to do the following: - Configure a Data Collecting Account as described in the - [Permissions for SQL Server Auditing](permissions.md) topic. -- Configure ports as described in the [SQL Server Ports](ports.md) topic. + [Permissions for SQL Server Auditing](/docs/1secure/configuration/sqlserver/permissions.md) topic. +- Configure ports as described in the [SQL Server Ports](/docs/1secure/configuration/sqlserver/ports.md) topic. diff --git a/docs/1secure/configuration/sqlserver/permissions.md b/docs/1secure/configuration/sqlserver/permissions.md index 8679888486..b53914f3d9 100644 --- a/docs/1secure/configuration/sqlserver/permissions.md +++ b/docs/1secure/configuration/sqlserver/permissions.md 
@@ -43,7 +43,7 @@ All Programs > Microsoft SQL Server > SQL Server Management Studio. **Step 3 –** In the left pane, expand the Security node. Right-click the Logins node and select **New Login** from the pop-up menu. The Login - New window is displayed. -![Login - New window](../../../../static/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) +![Login - New window](/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) **Step 4 –** Click **Search** next to the Login Name box and specify the user you want to assign the sysadmin role. diff --git a/docs/1secure/index.md b/docs/1secure/index.md index 93377c1246..16dc678373 100644 --- a/docs/1secure/index.md +++ b/docs/1secure/index.md @@ -29,7 +29,7 @@ Netwrix 1Secure is a Microsoft Azure hosted, multi-tenant SaaS application that location to manage both on-premises and cloud environments. Solution architecture and components interactions are shown in the figure below. -![overview_table](../../static/img/product_docs/1secure/admin/overview_table.webp) +![overview_table](/img/product_docs/1secure/admin/overview_table.webp) Netwrix 1Secure On-Prem Agent is a lightweight Windows service which you deploy in your network. The agent collects aggregated data from your on-premises Netwrix 1SecureAPI and/or uploads the data to 
@@ -52,10 +52,10 @@ user's behalf. The Netwrix 1Secure data collection workflow is as follows: -**Step 1 –** Add organizations. See the [Add Organizations](admin/organizations/addorganizations.md) +**Step 1 –** Add organizations. See the [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. -**Step 2 –** Install the agent. See the [Install Agent](install/installagent.md) topic for +**Step 2 –** Install the agent. See the [Install Agent](/docs/1secure/install/installagent.md) topic for additional information. Once you have added the organization and selected the domain for collecting the data, Netwrix @@ -72,7 +72,7 @@ expired credentials, and others. | Icon | Description | | --------------------------------------------------------------------------------------- | ------------------------------------------------------- | -| ![selfupdate_icon](../../static/img/product_docs/1secure/admin/selfupdate_icon.webp) | Bell icon. Click the Bell icon to look for the updates. | +| ![selfupdate_icon](/img/product_docs/1secure/admin/selfupdate_icon.webp) | Bell icon. Click the Bell icon to look for the updates. | Follow the steps to review notifications. @@ -80,7 +80,7 @@ Follow the steps to review notifications. **Step 2 –** You can select and fix any of the issues on the displayed panel. -![notifications](../../static/img/product_docs/1secure/admin/notifications.webp) +![notifications](/img/product_docs/1secure/admin/notifications.webp) **Step 3 –** Select **Fix**. 
@@ -90,14 +90,14 @@ Statuses in Netwrix 1Secure allow you check up the state of the system, specific agent, and connectors. As you add your sources, connectors, install the agent, Netwrix 1Secure provides several statuses for these: -![statuses_chart](../../static/img/product_docs/1secure/admin/statuses_chart.webp) +![statuses_chart](/img/product_docs/1secure/admin/statuses_chart.webp) **NOTE:** The New status changes to Healthy status when the agent finishes collection from the environment. The time frame for a change may be within a minute up to several hours depending on the environment size. You can also review the agent status while adding the organization. See the -[Manage Organizations](admin/organizations) topic for more information. +[Manage Organizations](/docs/1secure/admin/organizations) topic for more information. ### Updating Netwrix Cloud Agent @@ -109,7 +109,7 @@ During the update process, your activity monitoring will not be disrupted. | Icon | Description | | --------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -| ![selfupdate_icon](../../static/img/product_docs/1secure/admin/selfupdate_icon.webp) | Bell Icon. Click the Bell Icon to look up for the available updates of the Netwrix Cloud Agent. | +| ![selfupdate_icon](/img/product_docs/1secure/admin/selfupdate_icon.webp) | Bell Icon. Click the Bell Icon to look up for the available updates of the Netwrix Cloud Agent. | #### Update Agents in Bulk @@ -118,7 +118,7 @@ Follow the steps to update agents in bulk. **Step 1 –** To update selected agents, on the Managed Organizations page, select **Bulk Update Agent**. -![updateagents](../../static/img/product_docs/1secure/admin/updateagents.webp) +![updateagents](/img/product_docs/1secure/admin/updateagents.webp) **Step 2 –** On the Update Agents page, check the boxes next to agents you wish to update and click **Confirm**. 
@@ -132,7 +132,7 @@ Follow the steps to update agent schedule. **Step 1 –** To edit the agent update schedule, on the Managed Organizations page, select **Agent Update Settings**. The Edit Agent Update Schedule page displays. -![editagentupdatesschedule2](../../static/img/product_docs/1secure/admin/editagentupdatesschedule2.webp) +![editagentupdatesschedule2](/img/product_docs/1secure/admin/editagentupdatesschedule2.webp) **Step 2 –** In the Update Schedule section, select Enabled. @@ -150,7 +150,7 @@ Follow the steps to enable the self-update function . **Step 1 –** To look up the available updates, click the **Bell** icon. The panel with available updates displays. -![selfupdate_panel](../../static/img/product_docs/1secure/admin/selfupdate_panel.webp) +![selfupdate_panel](/img/product_docs/1secure/admin/selfupdate_panel.webp) **Step 2 –** Click **Fix** for the agents to be updated. Now you can see the list of organizations and which agents may be updated to the new version. @@ -158,14 +158,14 @@ and which agents may be updated to the new version. **Step 3 –** Click **Update available** to update the agent to the current version. The Edit Agent Update Schedule page displays, offering you the proposed version. -![editagentupdatesschedule](../../static/img/product_docs/1secure/admin/editagentupdatesschedule.webp) +![editagentupdatesschedule](/img/product_docs/1secure/admin/editagentupdatesschedule.webp) **Step 4 –** Select **Confirm**. The agent shall update and upload a new .msi file of your agent. **Step 5 –** Alternately, update the version for an organization from the Managed organizations page. Select the **organization** and then the **Sites** tab. -![updateagents2](../../static/img/product_docs/1secure/admin/updateagents2.webp) +![updateagents2](/img/product_docs/1secure/admin/updateagents2.webp) **Step 6 –** Click Update. 
@@ -177,7 +177,7 @@ organization. **Step 9 –** On the Edit Agent Update Schedule window, select Enabled and apply the required parameters to specify when you want the update occur. -![editagentupdatesschedule2](../../static/img/product_docs/1secure/admin/editagentupdatesschedule2.webp) +![editagentupdatesschedule2](/img/product_docs/1secure/admin/editagentupdatesschedule2.webp) **Step 10 –** Click **Confirm**. diff --git a/docs/1secure/install/installagent.md b/docs/1secure/install/installagent.md index e14e39da33..2182b423aa 100644 --- a/docs/1secure/install/installagent.md +++ b/docs/1secure/install/installagent.md @@ -16,7 +16,7 @@ install an agent for collecting the data from your sources. This topic describes an installation of the agent for collecting the data from your sources. Prior to installing the agent, ensure that all installation requirements have been met. See the -[Netwrix Cloud Agent Software Requirements](../requirements.md) topic for +[Netwrix Cloud Agent Software Requirements](/docs/1secure/requirements.md) topic for additional information. ## Configure Netwrix Cloud Agent 
@@ -37,17 +37,17 @@ analyzing your data. **Step 4 –** Complete the [Install the Agent](#install-the-agent) steps. Ensure you tick Launch Netwrix Cloud Agent Configuration tool and click Finish. -![organization_cloudagent](../../../static/img/product_docs/1secure/install/organization_cloudagent.webp) +![organization_cloudagent](/img/product_docs/1secure/install/organization_cloudagent.webp) **Step 5 –** On the displayed Netwrix Cloud Agent Configuration screen, select Configure to configure with Netwrix Cloud Agent. -![installagent_copyagent](../../../static/img/product_docs/1secure/install/installagent_copyagent.webp) +![installagent_copyagent](/img/product_docs/1secure/install/installagent_copyagent.webp) **Step 6 –** Go back to your Netwrix 1Secure configuration panel and copy the agent connection details by selecting Copy Connection String. This information will be used for agent deployment. -![cloudagent_copyagent](../../../static/img/product_docs/1secure/install/cloudagent_copyagent.webp) +![cloudagent_copyagent](/img/product_docs/1secure/install/cloudagent_copyagent.webp) **Step 7 –** Paste the information in the Netwrix Cloud Agent Configuration that you copied earlier and save settings. 
@@ -65,21 +65,21 @@ Follow the steps to install the agent. **Step 2 –** Download the agent installer while adding the organization. -![organization_cloudagentsetup1](../../../static/img/product_docs/1secure/install/organization_cloudagentsetup1.webp) +![organization_cloudagentsetup1](/img/product_docs/1secure/install/organization_cloudagentsetup1.webp) **Step 3 –** Click **Next** to continue. -![installnetwrixcloudagent](../../../static/img/product_docs/1secure/install/installnetwrixcloudagent.webp) +![installnetwrixcloudagent](/img/product_docs/1secure/install/installnetwrixcloudagent.webp) **Step 4 –** Specify the installation folder and click **Next** to continue. -![installagentnetwrixcloudagentready](../../../static/img/product_docs/1secure/install/installagentnetwrixcloudagentready.webp) +![installagentnetwrixcloudagentready](/img/product_docs/1secure/install/installagentnetwrixcloudagentready.webp) **Step 5 –** Click **Install**. The agent starts the installation process. -![installagentnetwrixcloudagentinstalling](../../../static/img/product_docs/1secure/install/installagentnetwrixcloudagentinstalling.webp) +![installagentnetwrixcloudagentinstalling](/img/product_docs/1secure/install/installagentnetwrixcloudagentinstalling.webp) -![installagentnetwrixcloudagentfinish](../../../static/img/product_docs/1secure/install/installagentnetwrixcloudagentfinish.webp) +![installagentnetwrixcloudagentfinish](/img/product_docs/1secure/install/installagentnetwrixcloudagentfinish.webp) **Step 6 –** Keep the **Launch Netwrix Cloud Agent Configuration** tool checkbox selected and click Finish to complete the setup. diff --git a/docs/1secure/integrations/connectwise.md b/docs/1secure/integrations/connectwise.md index 71e482addd..262d4a5b2c 100644 --- a/docs/1secure/integrations/connectwise.md +++ b/docs/1secure/integrations/connectwise.md 
@@ -18,9 +18,9 @@ Image keys: | Icon | Description | | ------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | -| ![alerts_editicon](../../../static/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | -| ![alerts_connectwisesprocketpng](../../../static/img/product_docs/1secure/integration/alerts_connectwisesprocketpng.webp) | ConnectWise Icon. Click the ConnectWise icon to make the settings for the ConnectWise. | -| ![deletebutton](../../../static/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the ConnectWise integration | +| ![alerts_editicon](/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | +| ![alerts_connectwisesprocketpng](/img/product_docs/1secure/integration/alerts_connectwisesprocketpng.webp) | ConnectWise Icon. Click the ConnectWise icon to make the settings for the ConnectWise. | +| ![deletebutton](/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the ConnectWise integration | ## Add a ConnectWise Company in a System 
@@ -29,11 +29,11 @@ Follow the steps to add a ConnectWise company in Netwrix 1Secure. **Step 1 –** Go to **Configuration** > **Integrations** and click the **Add** icon to add the ConnectWise company. -![Integration Type pane](../../../static/img/product_docs/1secure/integration/integrationtypewindowconnectwise.webp) +![Integration Type pane](/img/product_docs/1secure/integration/integrationtypewindowconnectwise.webp) **Step 2 –** Click **ConnectWise** and then click **Next**. -![Configure connection pane](../../../static/img/product_docs/1secure/integration/integrationconfigureconnectionconnectwise.webp) +![Configure connection pane](/img/product_docs/1secure/integration/integrationconfigureconnectionconnectwise.webp) **Step 3 –** In the Configure Connection window, enter information in the required fields. @@ -52,7 +52,7 @@ information. The ConnectWise company is added now. The status displays "Ok" in green. -![Integrations List](../../../static/img/product_docs/1secure/integration/connectwise.webp) +![Integrations List](/img/product_docs/1secure/integration/connectwise.webp) Use the Edit icon or the Bin icon to edit or delete the integration. @@ -62,7 +62,7 @@ After adding your ConnectWise company, you can link it to your organization and settings. Also, when you add a new organization, you can specify your ConnectWise company from the start. See -the [Add Organizations](../admin/organizations/addorganizations.md) topic for additional +the [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic for additional information. Follow the steps to manage delivery settings for ConnectWise. 
@@ -72,7 +72,7 @@ Follow the steps to manage delivery settings for ConnectWise. **Step 2 –** Click the ConnectWise icon under the Delivery Settings. The ConnectWise Delivery Settings pane is displayed. -![ConnectWise Delivery Settings](../../../static/img/product_docs/1secure/integration/alerts_connectwisedeliverysettings.webp) +![ConnectWise Delivery Settings](/img/product_docs/1secure/integration/alerts_connectwisedeliverysettings.webp) **Step 3 –** Toggle on the Enabled button to enable the ConnectWise delivery. diff --git a/docs/1secure/integrations/servicenow.md b/docs/1secure/integrations/servicenow.md index 90df1a7fbd..e133d69798 100644 --- a/docs/1secure/integrations/servicenow.md +++ b/docs/1secure/integrations/servicenow.md 
@@ -22,9 +22,9 @@ Image keys: | Icon | Description | | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | -| ![alerts_editicon](../../../static/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | -| ![servicenowicon](../../../static/img/product_docs/1secure/integration/servicenowicon.webp) | ServiceNow Icon. Click the ServiceNow icon to make the settings for ServiceNow. | -| ![deletebutton](../../../static/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the ServiceNow integration | +| ![alerts_editicon](/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | +| ![servicenowicon](/img/product_docs/1secure/integration/servicenowicon.webp) | ServiceNow Icon. Click the ServiceNow icon to make the settings for ServiceNow. | +| ![deletebutton](/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the ServiceNow integration | ## Add a ServiceNow Integration System 
@@ -32,11 +32,11 @@ Follow the steps to add a ServiceNow integration system. **Step 1 –** Go to Configuration > **Integrations** and click the **Add** icon to add the system. -![integrationtypewindowservicenow](../../../static/img/product_docs/1secure/integration/integrationtypewindowservicenow.webp) +![integrationtypewindowservicenow](/img/product_docs/1secure/integration/integrationtypewindowservicenow.webp) **Step 2 –** In the displayed Integration type window, click **ServiceNow** and click **Next**. -![servicenowconnection](../../../static/img/product_docs/changetracker/changetracker/integration/itsm/servicenowconnection.webp) +![servicenowconnection](/img/product_docs/changetracker/changetracker/integration/itsm/servicenowconnection.webp) **Step 3 –** In the Configure connection window, specify the required boxes - Server Name, Username, and Password. @@ -57,7 +57,7 @@ View Fields Here: The ServiceNow profile is added now. The status displays "Ok" in green. -![servicenowstatus](../../../static/img/product_docs/1secure/integration/servicenowstatus.webp) +![servicenowstatus](/img/product_docs/1secure/integration/servicenowstatus.webp) Click the **Edit** icon or the **Bin** icon to edit or delete the integration. @@ -70,7 +70,7 @@ Follow the steps to manage delivery settings for ServiceNow. **Step 2 –** Click the Service Now icon\* under Delivery Settings. The ServiceNow Delivery Settings panel displays. -![alerts_servicenowdeliverysettings](../../../static/img/product_docs/1secure/integration/alerts_servicenowdeliverysettings.webp) +![alerts_servicenowdeliverysettings](/img/product_docs/1secure/integration/alerts_servicenowdeliverysettings.webp) **Step 3 –** Specify the Assignment Group, which should receive the tickets. diff --git a/docs/1secure/integrations/sharepointonline.md b/docs/1secure/integrations/sharepointonline.md index d4651581c5..c43fcc6bed 100644 --- a/docs/1secure/integrations/sharepointonline.md 
+++ b/docs/1secure/integrations/sharepointonline.md @@ -15,8 +15,8 @@ SharePoint Online. | Icon | Description | | --------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | -| ![alerts_editicon](../../../static/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | -| ![deletebutton](../../../static/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the SharePoint Online integration. | +| ![alerts_editicon](/img/product_docs/1secure/integration/alerts_editicon.webp) | Edit Icon. Click the Edit Icon to edit the settings of the integration type. | +| ![deletebutton](/img/product_docs/1secure/integration/deletebutton.webp) | Bin Icon. Click the Bin icon to delete the SharePoint Online integration. | ## Add a SharePoint Online Integration in a System 
@@ -25,41 +25,41 @@ Follow the steps to add the SharePoint Online integration in Netwrix 1Secure. **Step 1 –** Go to Configuration > **Integrations** and click the **Add** icon to add the SharePoint integration. -![Integration type pane](../../../static/img/product_docs/1secure/integration/integrationtypewindow.webp) +![Integration type pane](/img/product_docs/1secure/integration/integrationtypewindow.webp) **Step 2 –** In the displayed Integration type window, click **SharePoint Online** and click **Next**. -![Configure connection pane](../../../static/img/product_docs/1secure/integration/integrationconfigureconnectionsharepoint.webp) +![Configure connection pane](/img/product_docs/1secure/integration/integrationconfigureconnectionsharepoint.webp) **Step 3 –** In the Configure connection window, specify the required fields: - Client ID – The client ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Tenant ID – The tenant ID of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. - Client Secret – The client secret of the app registered in Microsoft Entra ID. See the - [App Registration and Configuration in Microsoft Entra ID](../configuration/entraid/registerconfig.md) topic + [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. 
See the -[App Registration and Configuration in Microsoft Entra ID](../configuration/entraid/registerconfig.md) +[App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. **Step 4 –** Click **Finish**. **NOTE:** You must firstly add a Sites.ReadWrite.All permission in your Microsoft Entra admin -center. See the [ Microsoft 365 Permissions](../configuration/entraid/permissions.md) topic for +center. See the [ Microsoft 365 Permissions](/docs/1secure/configuration/entraid/permissions.md) topic for additional information. The SharePoint Online integration is added now. The status displays "Ok" in green. -![Integrations list](../../../static/img/product_docs/1secure/integration/integrationssharepointonline.webp) +![Integrations list](/img/product_docs/1secure/integration/integrationssharepointonline.webp) You can click the **Edit** icon or the **Bin** icon to edit or delete the integration. -See the [Subscriptions](../admin/searchandreports/subscriptions.md) and -[Risk Assessment Dashboard](../admin/riskprofiles/riskassessmentdashboard.md) topics to learn how to +See the [Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) and +[Risk Assessment Dashboard](/docs/1secure/admin/riskprofiles/riskassessmentdashboard.md) topics to learn how to add subscriptions and deliver it to SharePoint Online folder. diff --git a/docs/1secure/requirements.md b/docs/1secure/requirements.md index 65bc83833b..7f958c7644 100644 --- a/docs/1secure/requirements.md +++ b/docs/1secure/requirements.md 
@@ -19,10 +19,10 @@ This section lists platforms and systems that can be monitored with Netwrix 1Sec | Data source | Supported Versions | | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Active Directory (including Logon Activity) | Domain Controller OS versions: - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 | -| Microsoft Entra ID | Microsoft Entra ID version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting Azure AD and Office 365 data. See the [App Registration and Configuration in Microsoft Entra ID](configuration/entraid/registerconfig.md) topic for additional information. | +| Microsoft Entra ID | Microsoft Entra ID version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting Azure AD and Office 365 data. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. | | Computer (Windows File Server) | - Windows Server OS: - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 - Windows Desktop OS (32 and 64-bit): - Windows 10 - Windows 8.1 - Windows 7 Consider the following: - To collect data from 32-bit operating systems, network traffic compression must be disabled. 
- To collect data from Windows Failover Cluster, network traffic compression must be enabled. - Scale-Out File Server (SOFS) cluster is not supported. | -| SharePoint Online | Azure Active Directory version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting SharePoint Online and One Drive for Business. See the [App Registration and Configuration in Microsoft Entra ID](configuration/entraid/registerconfig.md) topic for additional information. | -| Exchange Online | Azure Active Directory version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting Exchange Online. See the [App Registration and Configuration in Microsoft Entra ID](configuration/entraid/registerconfig.md) topic for additional information. | +| SharePoint Online | Azure Active Directory version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting SharePoint Online and One Drive for Business. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. | +| Exchange Online | Azure Active Directory version provided within Microsoft Office 365 You may need to take some preparatory steps, depending on the authentication method you want to use for collecting Exchange Online. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/entraid/registerconfig.md) topic for additional information. | ## Netwrix Cloud Agent Software Requirements 
@@ -66,4 +66,4 @@ Configuration.xml file, which is located on the agent host at: `C:\ProgramData\Netwrix Cloud Agent\AgentCore\ConfigServer\Configuration.xml` You must also open the outbound TCP port 443 on the server where the Netwrix Cloud Agent resides. -See the [Install Agent](install/installagent.md) topic \ No newline at end of file +See the [Install Agent](/docs/1secure/install/installagent.md) topic \ No newline at end of file diff --git a/docs/accessanalyzer/11.6/config/activedirectory/access.md b/docs/accessanalyzer/11.6/config/activedirectory/access.md index 3c5de0bd84..5b95ac8921 100644 --- a/docs/accessanalyzer/11.6/config/activedirectory/access.md +++ b/docs/accessanalyzer/11.6/config/activedirectory/access.md @@ -107,7 +107,7 @@ minimum requirements, which must be configured at the Domain level in Active Dir **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. AD_WeakPasswords Job Permissions diff --git a/docs/accessanalyzer/11.6/config/activedirectory/overview.md b/docs/accessanalyzer/11.6/config/activedirectory/overview.md index 3f947ac340..fbcf046ce3 100644 --- a/docs/accessanalyzer/11.6/config/activedirectory/overview.md +++ b/docs/accessanalyzer/11.6/config/activedirectory/overview.md 
@@ -68,7 +68,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor diff --git a/docs/accessanalyzer/11.6/config/dellcelerravnx/overview.md b/docs/accessanalyzer/11.6/config/dellcelerravnx/overview.md index 2c4583a539..23273ab8ee 100644 --- a/docs/accessanalyzer/11.6/config/dellcelerravnx/overview.md +++ b/docs/accessanalyzer/11.6/config/dellcelerravnx/overview.md @@ -93,7 +93,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Celerra & Dell VNX Devices diff --git a/docs/accessanalyzer/11.6/config/dellpowerscale/overview.md b/docs/accessanalyzer/11.6/config/dellpowerscale/overview.md index 637c267ed5..f9edd2c15e 100644 --- a/docs/accessanalyzer/11.6/config/dellpowerscale/overview.md +++ b/docs/accessanalyzer/11.6/config/dellpowerscale/overview.md 
@@ -187,7 +187,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Isilon/PowerScale Devices diff --git a/docs/accessanalyzer/11.6/config/dellunity/overview.md b/docs/accessanalyzer/11.6/config/dellunity/overview.md index b8720fe0e8..47b2029765 100644 --- a/docs/accessanalyzer/11.6/config/dellunity/overview.md +++ b/docs/accessanalyzer/11.6/config/dellunity/overview.md @@ -93,7 +93,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Unity Devices diff --git a/docs/accessanalyzer/11.6/config/hitachi/overview.md b/docs/accessanalyzer/11.6/config/hitachi/overview.md index 851300dc9f..d4d6a4a9fd 100644 --- a/docs/accessanalyzer/11.6/config/hitachi/overview.md +++ b/docs/accessanalyzer/11.6/config/hitachi/overview.md 
@@ -80,7 +80,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor diff --git a/docs/accessanalyzer/11.6/config/nasuni/overview.md b/docs/accessanalyzer/11.6/config/nasuni/overview.md index 761651c46f..6dcf31d170 100644 --- a/docs/accessanalyzer/11.6/config/nasuni/overview.md +++ b/docs/accessanalyzer/11.6/config/nasuni/overview.md @@ -72,7 +72,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Nasuni Edge Appliance diff --git a/docs/accessanalyzer/11.6/config/netapp7mode/overview.md b/docs/accessanalyzer/11.6/config/netapp7mode/overview.md index f8f960ebc1..17cff292fa 100644 --- a/docs/accessanalyzer/11.6/config/netapp7mode/overview.md +++ b/docs/accessanalyzer/11.6/config/netapp7mode/overview.md 
@@ -108,7 +108,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for NetApp Data ONTAP 7-Mode Device diff --git a/docs/accessanalyzer/11.6/config/netappcmode/overview.md b/docs/accessanalyzer/11.6/config/netappcmode/overview.md index 641fd6d481..fde6ad8b46 100644 --- a/docs/accessanalyzer/11.6/config/netappcmode/overview.md +++ b/docs/accessanalyzer/11.6/config/netappcmode/overview.md @@ -125,7 +125,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for NetApp Data ONTAP Cluster-Mode Device diff --git a/docs/accessanalyzer/11.6/config/nutanix/overview.md b/docs/accessanalyzer/11.6/config/nutanix/overview.md index b4f26cd26a..a16b9b861d 100644 --- a/docs/accessanalyzer/11.6/config/nutanix/overview.md +++ b/docs/accessanalyzer/11.6/config/nutanix/overview.md 
@@ -47,7 +47,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Nutanix Appliances diff --git a/docs/accessanalyzer/11.6/config/qumulo/overview.md b/docs/accessanalyzer/11.6/config/qumulo/overview.md index c29469c6b5..2070cbd410 100644 --- a/docs/accessanalyzer/11.6/config/qumulo/overview.md +++ b/docs/accessanalyzer/11.6/config/qumulo/overview.md @@ -44,7 +44,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Qumulo Devices diff --git a/docs/accessanalyzer/11.6/config/sharepoint/overview.md b/docs/accessanalyzer/11.6/config/sharepoint/overview.md index 9f5ce22236..56e879cbd8 100644 --- a/docs/accessanalyzer/11.6/config/sharepoint/overview.md +++ b/docs/accessanalyzer/11.6/config/sharepoint/overview.md 
@@ -62,7 +62,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor diff --git a/docs/accessanalyzer/11.6/config/sharepointonline/overview.md b/docs/accessanalyzer/11.6/config/sharepointonline/overview.md index 892e594d53..f282b65ffd 100644 --- a/docs/accessanalyzer/11.6/config/sharepointonline/overview.md +++ b/docs/accessanalyzer/11.6/config/sharepointonline/overview.md @@ -68,7 +68,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor diff --git a/docs/accessanalyzer/11.6/config/windowsfile/overview.md b/docs/accessanalyzer/11.6/config/windowsfile/overview.md index 942bba1d84..65717e516e 100644 --- a/docs/accessanalyzer/11.6/config/windowsfile/overview.md +++ b/docs/accessanalyzer/11.6/config/windowsfile/overview.md 
@@ -77,7 +77,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Enterprise Auditor and Activity Monitor diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/admin/analysis/sqlscripting.md b/docs/accessanalyzer/11.6/enterpriseauditor/admin/analysis/sqlscripting.md index 0ecbb1871a..a9a18f9d97 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/admin/analysis/sqlscripting.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/admin/analysis/sqlscripting.md @@ -32,7 +32,7 @@ The SQL Script Editor window has the following options: - Copy – Copies the highlighted script into the SQL script editor (Ctrl+C) - Paste – Pastes cut or copied script into the SQL script editor (Ctrl+V) - Online SQL Language Reference – Opens the Microsoft - [Transact-SQL Reference]() + [Transact-SQL Reference](https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2005/ms189826(v=sql.90)) article Click **Save and Close** to return to the Analysis Properties page. If no changes were made or diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/overview.md index c79129b0bf..7187e682a4 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/overview.md 
@@ -30,7 +30,7 @@ Permissions **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. ## Functional Design of the ADInventory Data Collector diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/standardtables.md b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/standardtables.md index 77790ec63c..eff26eef41 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/standardtables.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/adinventory/standardtables.md 
@@ -15,7 +15,7 @@ These tables and their associated views are outlined below: | SA_ADInventory_EffectiveGroupMembers | Contains expanded group membership which includes a flattened representation of members. | | | SA_ADInventory_Exceptions | Contains information about security issues and concerns. **NOTE:** See the [AD Exception Types Translated](#ad-exception-types-translated) topic for an explanation of Exception Types. | | | SA_ADInventory_ExceptionTypes | Identifies how many instances of exceptions exist on the audited domain. **NOTE:** See the [AD Exception Types Translated](#ad-exception-types-translated) topic for an explanation of Exception Types. | | -| SA_ADInventory_Exchange | Contains information about the Exchange Server, each database and storage group, and the HomeMDB property. | [ms-Exch-Home-MDB Attribute]() | +| SA_ADInventory_Exchange | Contains information about the Exchange Server, each database and storage group, and the HomeMDB property. | [ms-Exch-Home-MDB Attribute](https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/ms980583(v=exchg.65)) | | SA_ADInventory_ExtendedAttributes | Contains information gathered by the custom attributes component of the query configuration. | [Active Directory Schema](https://learn.microsoft.com/en-gb/windows/win32/adschema/active-directory-schema) | | SA_ADInventory_GroupMemberChanges | Contains a list of group principal identifiers and their corresponding membership changes for each differential scan that is performed against a domain. | [Member attribute](https://learn.microsoft.com/en-gb/windows/win32/adschema/a-member) | | SA_ADInventory_GroupMembers | Contains a map of groups to member distinguished names. | [Member attribute](https://learn.microsoft.com/en-gb/windows/win32/adschema/a-member) | 
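Review bot: The restored link on the SA_ADInventory_Exchange row points into the Exchange Server 2003 archive (`previous-versions/office/developer/exchange-server-2003/...`) under `en-us`, while the neighbouring rows link to the current `learn.microsoft.com/en-gb/windows/win32/adschema/` reference. Check whether that schema reference has a page for this attribute and link it instead; if the archive page is the only source, use the same locale segment as the other rows in the table.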
diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/permissionmatrix.md b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/permissionmatrix.md index 95573732f5..1f6ae43326 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/permissionmatrix.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/permissionmatrix.md 
@@ -11,7 +11,7 @@ license features. The following table provides a quick reference for each data c | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ActiveDirectory _\*requires license_ | The ActiveDirectory Data Collector audits objects published in Active Directory. | - ADSI - LDAP - RPC | - TCP 389/636 - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Domain Administrators group | | ADActivity _\*requires license_ | The ADActivity Data Collector integrates with the Netwrix Activity Monitor by reading the Active Directory activity log files. 
| - HTTP - RPC | - TCP 4494 (configurable within the Netwrix Activity Monitor) | - Netwrix Activity Monitor API Access activity data - Netwrix Activity Monitor API Read - Read access to the Netwrix Activity Monitor Log Archive location | -| ADInventory | The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Enterprise Auditor. | - LDAP | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Read access to directory tree - List Contents & Read Property on the Deleted Objects Container **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft [Dsacls]() article for additional information. | +| ADInventory | The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Enterprise Auditor. | - LDAP | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Read access to directory tree - List Contents & Read Property on the Deleted Objects Container **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. | | ADPermissions _\*requires license_ | The ADPermissions Data Collector collects the advanced security permissions of objects in AD. 
| - ADSI - LDAP - RPC | - TCP 389 - TCP 135 – 139 - Randomly allocated high TCP ports | - LDAP Read permissions - Read on all AD objects - Read permissions on all AD Objects | | AWS | The AWS Data Collector collects IAM users, groups, roles, and policies, as well as S3 permissions, content, and sensitive data from the target Amazon Web Services (AWS) accounts. | - HTTPS | - 443 | - To collect details about the AWS Organization, the following permission is required: - organizations:DescribeOrganization - To collect details regarding IAM, the following permissions are required: - iam:GenerateCredentialReport - iam:GenerateServiceLastAccessedDetails - iam:Get\* - iam:List\* - iam:Simulate\* - sts:GetAccessKeyInfo - To collect details related to S3 buckets and objects, the following permissions are required: - s3:Describe\* - s3:Get\* - s3:HeadBucket - s3:List\* | | AzureADInventory | The AzureADInventory Data Collector catalogs user and group object information from Microsoft Entra ID, formerly Azure Active Directory. This data collector is a core component of Enterprise Auditor and is preconfigured in the .Entra ID Inventory Solution. | - HTTP - HTTPS - REST | - TCP 80 and 443 | - Microsoft Graph API - Application Permissions: - AuditLog.Read.All – Read all audit log data - Directory.Read.All – Read directory data - Delegated Permissions: - Group.Read.All – Read all groups - User.Read.All – Read all users' full profiles - Access URLs - https://login.windows.net - https://graph.windows.net - https://login.microsoftonline.com - https://graph.microsoft.com - All sub-directories of the access URLs listed | diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/smartlog/samplehost.md b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/smartlog/samplehost.md index 6194145d91..27183d3e54 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/smartlog/samplehost.md 
+++ b/docs/accessanalyzer/11.6/enterpriseauditor/admin/datacollector/smartlog/samplehost.md @@ -24,7 +24,7 @@ and select a computer. The options in the Select Computer window are: - Enter the object name to select – Manually enter objects into the text field - Click the **examples** link to access the Microsoft - [Object Picker UI]() + [Object Picker UI](https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/dn789205(v=ws.11)?redirectedfrom=MSDN) article for additional information - Check Names – Click to verify the object names in the text field diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/solutions/exchange/powershell.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/solutions/exchange/powershell.md index 9bbe849474..c6010f7ab6 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/solutions/exchange/powershell.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/solutions/exchange/powershell.md @@ -226,11 +226,11 @@ for Exchange. See the following Microsoft articles: [Enable mailbox auditing in Office 365](https://technet.microsoft.com/en-us/library/dn879651.aspx) article - Exchange 2016 – Exchange 2019 – - [Enable or disable mailbox audit logging for a mailbox]() + [Enable or disable mailbox audit logging for a mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.160).aspx) article - Exchange 2013 – - [Enable or disable mailbox audit logging for a mailbox]() + [Enable or disable mailbox audit logging for a mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.150).aspx) article - Exchange 2010 – - [Enable or Disable Mailbox Audit Logging for a Mailbox]() + [Enable or Disable Mailbox Audit Logging for a Mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.141).aspx) article 
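Review bot: The three mailbox audit logging links in powershell.md are restored on `technet.microsoft.com/en-us/library/...aspx`, while other links restored in this same patch already use `learn.microsoft.com/en-us/previous-versions/...`. Resolve `ff461937` for each selector (`exchg.160`, `exchg.150`, `exchg.141`) to its final URL and commit that, so the page does not depend on the legacy host. The first bullet is labelled "Exchange 2016 – Exchange 2019" but carries only the `exchg.160` selector; confirm that target covers both releases.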
diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/box.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/box.md index 77e4dde287..4bdf71598f 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/box.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/box.md @@ -27,7 +27,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Box Data Collection diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/config/aws.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/config/aws.md index a6098a2272..78c9de4037 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/config/aws.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/config/aws.md @@ -83,7 +83,7 @@ and click **Create policy**. **NOTE:** If the designated scanning account is not in Root (Master Account), create a second policy in the Master Account with the following JSON definition: -[Copy]() +[Copy](javascript:void(0);) ``` { diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasedb2.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasedb2.md index 456503dda2..0370329a33 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasedb2.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasedb2.md 
@@ -41,7 +41,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. ## Ports diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasemysql.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasemysql.md index 838167db69..9c7f488587 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasemysql.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasemysql.md @@ -43,7 +43,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For MySQL Data Collection diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseoracle.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseoracle.md index fa8c93066a..660251f366 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseoracle.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseoracle.md @@ -25,7 +25,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For PowerShell Data Collection 
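Review bot: In `requirements/target/config/aws.md` (hunk at -83,7), `[Copy]()` is filled in as `[Copy](javascript:void(0);)` rather than removed. "Copy" looks like a copy-to-clipboard control carried over from the source help page, not a reference, and a `javascript:` destination gives the reader nothing and is likely to be flagged by link checkers and URL sanitizers. Delete the `[Copy]` line in that hunk instead of restoring a target; the fenced JSON policy directly below it is already selectable.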
diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasepostgresql.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasepostgresql.md index 74a209141d..efb3c4e158 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasepostgresql.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasepostgresql.md @@ -31,7 +31,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For PostgreSQL Data Collection diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseredshift.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseredshift.md index 442a2cd0b0..37362c1723 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseredshift.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databaseredshift.md @@ -39,7 +39,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Redshift Data Collection diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasesql.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasesql.md index 39b1a898ac..575697ee75 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasesql.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/databasesql.md 
@@ -50,7 +50,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For SMARTLog Data Collection diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/exchange.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/exchange.md index ef24c5ca66..d30fecfbb9 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/exchange.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/exchange.md @@ -55,7 +55,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Exchange Web Services API Permissions with the EWSMailbox Data Collector diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/filesystems.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/filesystems.md index 31608af2ef..41b2045c43 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/filesystems.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/filesystems.md @@ -29,7 +29,7 @@ The following permissions are needed: **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. The following firewall ports are needed: 
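Review bot: The same Dsacls NOTE is patched with an identical URL in each `requirements/target/*.md` hunk above (box, databasedb2, databasemysql, databaseoracle, databasepostgresql, databaseredshift, databasesql, exchange, filesystems). Moving that NOTE into one shared include would make the next link change a one-file edit instead of a repeated one. Both links in the NOTE still use `technet.microsoft.com`; the Searching for Deleted Objects link on the context line should be verified in the same pass.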
diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/sharepoint.md b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/sharepoint.md index f19882c6d9..a47c857237 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/sharepoint.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/requirements/target/sharepoint.md @@ -27,7 +27,7 @@ The following permissions are needed: **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. The following firewall ports are needed: diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/ad_dsrmsettings.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/ad_dsrmsettings.md index 0d8a3117f1..7ed4532290 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/ad_dsrmsettings.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/ad_dsrmsettings.md @@ -4,7 +4,7 @@ The AD_DRSMSettings Job provides details on domain controller registry settings DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this -[Microsoft Document](). +[Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). ## Analysis Tasks for the AD_DSRMSettings Job 
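Review bot: The restored DSRMAdminLogonBehavior link in ad_dsrmsettings.md keeps the `?redirectedfrom=MSDN` query string on a `docs.microsoft.com` URL. Drop the query string and commit the final URL, since it is only a redirect marker and not part of the article address. The context line at the top of the hunk also spells the job "AD_DRSMSettings" while the heading at the bottom reads "AD_DSRMSettings"; fix that while the paragraph is being touched.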
@@ -28,4 +28,4 @@ the following pre-configured report: | Report | Description | Default Tags | Report Elements | | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| DSRM Admin Security | This report highlights domain controller registry settings for the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin account can be used to log in to the domain controller even if it has not been started in DSRM. This is a potential vulnerability. See the Microsoft [Restartable AD DS Step-by-Step Guide]() for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays DSRM admin logon  by domain controller - Table – Provides details on domain controllers | +| DSRM Admin Security | This report highlights domain controller registry settings for the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin account can be used to log in to the domain controller even if it has not been started in DSRM. This is a potential vulnerability. See the Microsoft [Restartable AD DS Step-by-Step Guide](https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx) for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays DSRM admin logon  by domain controller - Table – Provides details on domain controllers | 
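Review bot: This row links article `cc732714(v=ws.10)` on `technet.microsoft.com` as "Restartable AD DS Step-by-Step Guide", but the introductory paragraph of the same file links the same article id on `docs.microsoft.com` as "Microsoft Document". Use one URL and one link text for both references so readers land on the same page. The Report Elements cell also has a double space in "DSRM admin logon  by domain controller".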
diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/ad_dsrm.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/ad_dsrm.md index e1fdee822c..c9f5059feb 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/ad_dsrm.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/ad_dsrm.md @@ -4,7 +4,7 @@ The **0.Collection > AD_DSRM** Job collects data related to domain controller re the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this -[Microsoft Document](). +[Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). ## Query for the AD_DSRM Job diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/overview.md index 5e9eb46b79..204965520e 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/overview.md 
@@ -15,6 +15,6 @@ The 0.Collection Job Group is comprised of: If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this - [Microsoft Document](). + [Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). - [AD_TimeSync Job](/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/collection/ad_timesync.md) – Collects TimeSync information from the registry for each domain controller within the domain diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/overview.md index ff8a5b1e97..abfb519eb7 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/domains/overview.md @@ -23,4 +23,4 @@ The following components comprises the 5.Domains Job Group: this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this - [Microsoft Document](). + [Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_serviceaccounts.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_serviceaccounts.md index c7fed3d3e8..14751259a5 100644 
--- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_serviceaccounts.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_serviceaccounts.md @@ -7,7 +7,7 @@ msDS-SupportedEncryptionTypes value supports RC4 as the highest encryption type. _Remember,_ the 1-AD_Scan Job needs to be configured to collect these Custom Attributes: - servicePrincipalName – Provides service account information. See the Microsoft - [Service Principal Names]() + [Service Principal Names](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961723(v=technet.10)) article for additional information. - msDS-SupportedEncryptionTypes – Identifies service accounts vulnerable to Kerberoasting attacks diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_weakpasswords.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_weakpasswords.md index 6bb4ddd13b..50c858d07f 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_weakpasswords.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectory/users/ad_weakpasswords.md 
@@ -7,13 +7,13 @@ dictionaries and other exceptions. Exceptions include: - AES Key Missing – Account is set up using older functional AD levels, so has no AES key. These accounts use weaker encryption methods susceptible to brute force attacks. - Clear Text Password – Account has passwords stored with reversible encryption. See the Microsoft - [Store passwords using reversible encryption]() + [Store passwords using reversible encryption](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994559(v=ws.11)) article for additional information. - Default Computer Password – Computer has default computer passwords set - Delegable Admins – Administrator account is allowed to be delegated to a service - DES Encryption Only – Account is using Kerberos DES encryption. DES encryption is considered weak as the 56-bit key is prone to brute force attacks. See the Microsoft - [AD DS: User accounts and trusts in this domain should not be configured for DES only]() + [AD DS: User accounts and trusts in this domain should not be configured for DES only](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff646918(v=ws.10)) article for additional information. - Empty Password – Account has an empty password - Kerberos Pre-authentication is not required – Account does not require Kerberos diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectoryinventory/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectoryinventory/overview.md index 7e22456203..8f3513d02d 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectoryinventory/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/activedirectoryinventory/overview.md 
@@ -25,7 +25,7 @@ Permissions **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. Ports diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/overview.md index 4f83e65500..5053175f96 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/overview.md @@ -11,7 +11,7 @@ The jobs in the Authentication job group are: – This job lists LSA settings on all targeted hosts. In particular, the RunAsPPL, RestrictAnonymous, and ValidateKdcPacSignature keys are examined. If these keys are not set to 1, a host is vulnerable to mimikatz and other exploitation tools. See the Microsoft - [Configuring Additional LSA Protection]() + [Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional ininformation. - [SG_SecuritySupportProviders Job](/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/sg_securitysupportproviders.md) – This job identifies security support providers on all targeted hosts, highlighting potentially diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/sg_lsasettings.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/sg_lsasettings.md index 620abf8b71..a2df75aa11 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/sg_lsasettings.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/authentication/sg_lsasettings.md 
@@ -3,7 +3,7 @@ The SG_LASettings job lists settings on all targeted hosts. In particular, the RunAsPPL, RestrictAnonymous, and ValidateKdcPacSignature keys are examined. If these keys are not set to 1, a host is vulnerable to mimikatz and other exploitation tools. See the Microsoft -[Configuring Additional LSA Protection]() +[Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional information. ## Queries for the SG_LSASettings Job 
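Review bot: The context line at the top of this hunk names the job "SG_LASettings", but the heading at the bottom reads "SG_LSASettings"; correct the spelling in this change since the paragraph is already being edited. The sentence being re-linked says hosts are exposed when RunAsPPL, RestrictAnonymous and ValidateKdcPacSignature "are not set to 1", yet the restored article is titled for additional LSA protection only. Consider adding the PAC validation and Restrict Anonymous references here as well, as the reports table in the next hunk does.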
@@ -50,6 +50,6 @@ following pre-configured reports. | Report | Description | Default Tags | Report Elements | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Additional LSA Protection | This report summarizes RunAsPPL registry settings on targeted hosts. This key governs whether or not additional LSA protection is enabled. See the Microsoft [Configuring Additional LSA Protection]() article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays additional LSA protection by host - Table – Provides additional LSA Protection Details | +| Additional LSA Protection | This report summarizes RunAsPPL registry settings on targeted hosts. This key governs whether or not additional LSA protection is enabled. See the Microsoft [Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays additional LSA protection by host - Table – Provides additional LSA Protection Details | | PAC Validation | This report indicates whether or not PAC Validation is enabled on all targeted hosts. This is governed by the ValidateKdcPacSignature key. Default behavior in the event of this key's absence depends on the Windows version installed. 
See the Microsoft [Understanding Microsoft Kerberos PAC Validation](https://learn.microsoft.com/en-gb/archive/blogs/openspecification/understanding-microsoft-kerberos-pac-validation) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays PAC validation status - Table – Provides PAC validation details | -| Restrict Anonymous Access | This report summarizes RestrictAnonymous registry settings on targeted hosts. This key governs whether or not access over anonymous connections is enabled. See the Microsoft [Restrict Anonymous check]() article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays anonymous access by host - Table – Provides anonymous access details | +| Restrict Anonymous Access | This report summarizes RestrictAnonymous registry settings on targeted hosts. This key governs whether or not access over anonymous connections is enabled. See the Microsoft [Restrict Anonymous check](https://learn.microsoft.com/en-us/previous-versions/tn-archive/bb418944(v=technet.10)) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays anonymous access by host - Table – Provides anonymous access details | diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/overview.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/overview.md index e78e80d523..6c259e4adc 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/overview.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/overview.md 
@@ -13,7 +13,7 @@ The jobs in the Local Administrators group are: targeted hosts. This offers insight into LAPS enablement and configuration across an environment. LAPS allows for centralized local administrator password management within Active Directory. See the Microsoft - [Local Administrator Password Solution]() + [Local Administrator Password Solution](https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)) article for additional information. - [SG_Sessions Job](/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md) – This job lists sessions and logged on users from all targeted hosts. These active sessions and diff --git a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md index 8f1aea49de..aedca64fb2 100644 --- a/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md +++ b/docs/accessanalyzer/11.6/enterpriseauditor/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md @@ -4,7 +4,7 @@ The SG_MicrosoftLAPS job assesses the Local Administrator Password Solution (LAP all targeted hosts. This offers insight into LAPS enablement and configuration across an environment. LAPS allows for centralized local administrator password management within Active Directory. See the Microsoft -[Local Administrator Password Solution]() +[Local Administrator Password Solution](https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)) article for additional information. ## Queries for the SG_MicrosoftLAPS Job diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations.md index fb997b7f52..e1dd6a1e21 100644 
--- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations.md 
@@ -3,24 +3,24 @@ Use Operations page to select one or more operations for the action to perform on the targeted Active Directory objects. Some operations have wizard pages to specify the configuration settings. -![Active Directory Action Module Wizard Operations page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Active Directory Action Module Wizard Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) The Operations drop-down menu contains the following operations: -- [Clear/Set SID History ](operations/sidhistory.md) -- [Computer Details](operations/computerdetails.md) -- [Disable/Enable Computers](operations/disableenablecomputers.md) -- [Create Groups](operations/creategroups.md) -- [Create Users](operations/createusers.md) +- [Clear/Set SID History ](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/sidhistory.md) +- [Computer Details](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/computerdetails.md) +- [Disable/Enable Computers](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenablecomputers.md) +- [Create Groups](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/creategroups.md) +- [Create Users](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/createusers.md) - [Delete Objects](#delete-objects) -- [Disable/Enable Users](operations/disableenableusers.md) -- [Group Details](operations/groupdetails.md) -- [Group Membership](operations/groupmembership.md) +- [Disable/Enable Users](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenableusers.md) +- [Group Details](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupdetails.md) +- [Group Membership](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupmembership.md) - [Groups Remove All 
Members ](#groups-remove-all-members) -- [Move Objects](operations/moveobjects.md) -- [Set/Reset Users Password ](operations/setresetpassword.md) +- [Move Objects](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/moveobjects.md) +- [Set/Reset Users Password ](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/setresetpassword.md) - [Unlock Users ](#unlock-users) -- [Users Details ](operations/usersdetails.md) +- [Users Details ](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/usersdetails.md) Select an operation from the drop-down list and then click **Add**. The selection appears in the Selections pane as well as the navigation pane if there is an associated configuration page. If diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/computerdetails.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/computerdetails.md index b68aad0539..e43e88d91a 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/computerdetails.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/computerdetails.md @@ -2,7 +2,7 @@ Use the Computers Details page to select computer attributes to change. -![Active Directory Action Module Wizard Computer Details page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/computerdetails.webp) +![Active Directory Action Module Wizard Computer Details page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/computerdetails.webp) Highlight the attribute to edit: 
@@ -30,7 +30,7 @@ to use the Custom Attributes Import Wizard. **Step 1 –** On the Computer Details page of the Active Directory Action Module Wizard, click **Import**. The Custom Attribute Import Wizard opens. -![Custom Attributes Import Wizard Credentials page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Custom Attributes Import Wizard Credentials page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 2 –** On the Credentials page, identify a domain either by entering one manually or selecting one from the **Domain Name** drop-down menu which displays a list of domains trusted by the one in @@ -43,13 +43,13 @@ attributes list from the domain: **Step 3 –** Click **Next**. -![Custom Attributes Import Wizard Attributes page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/attributescomputer.webp) +![Custom Attributes Import Wizard Attributes page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/attributescomputer.webp) **Step 4 –** The wizard populates available attributes from the domain specified on the Attributes page. Expand the desired object class and select the checkboxes for the custom attributes to be imported. Then click **Next**. -![Custom Attributes Import Wizard Completion page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/completionpage.webp) +![Custom Attributes Import Wizard Completion page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/completionpage.webp) **Step 5 –** On the Completion page, click **Finish**. diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/creategroups.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/creategroups.md index 08d2eae1c8..732d7c6271 100644 
--- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/creategroups.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/creategroups.md @@ -2,7 +2,7 @@ Use the Create Groups page to configure the action to create groups on the selected target. -![Active Directory Action Module Wizard Create Groups page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) +![Active Directory Action Module Wizard Create Groups page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/createusers.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/createusers.md index 6789ebb1ac..29b753ccbc 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/createusers.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/createusers.md @@ -2,7 +2,7 @@ Use the Create Users page to create users on the selected target. -![Active Directory Action Module Wizard Create Users page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/createusers.webp) +![Active Directory Action Module Wizard Create Users page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/createusers.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenablecomputers.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenablecomputers.md index 5a798bc4c2..4e78719799 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenablecomputers.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenablecomputers.md 
@@ -3,7 +3,7 @@ Use the (Disable/Enable Computers page to configure the action to enable or disable users' operation options on target computers. -![Active Directory Action Module Wizard Disable/Enable Computers page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/disableenablecomputers.webp) +![Active Directory Action Module Wizard Disable/Enable Computers page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/disableenablecomputers.webp) Select the radio button for the desired option: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenableusers.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenableusers.md index e36e2ba63d..cef475ade9 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenableusers.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/disableenableusers.md @@ -2,7 +2,7 @@ Use the Disable/Enable Users page to enable or disable target users. -![Active Directory Action Module Wizard Disable/Enable Users page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/disableenableusers.webp) +![Active Directory Action Module Wizard Disable/Enable Users page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/disableenableusers.webp) Select the radio button for the desired option: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupdetails.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupdetails.md index 2aa80c28f6..961f8a7ee8 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupdetails.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupdetails.md 
@@ -2,7 +2,7 @@ Use Groups Details page to edit selected group attributes. -![Active Directory Action Module Wizard Group Details page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupdetails.webp) +![Active Directory Action Module Wizard Group Details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupdetails.webp) Highlight the attribute to edit. Add or delete attributes using the buttons to the right of Insert field. @@ -33,7 +33,7 @@ to use the Custom Attributes Import Wizard. **Step 1 –** On the Group Details page of the Active Directory Action Module Wizard, click **Import**. The Custom Attribute Import Wizard opens. -![Custom Attributes Import Wizard Credentials page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Custom Attributes Import Wizard Credentials page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 2 –** On the Credentials page, identify a domain either by entering one manually or selecting one from the **Domain Name** drop-down menu which displays a list of domains trusted by the one in 
@@ -46,13 +46,13 @@ attributes list from the domain: **Step 3 –** Click **Next**. -![Custom Attributes Import Wizard Attributes page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/attributesgroup.webp) +![Custom Attributes Import Wizard Attributes page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/attributesgroup.webp) **Step 4 –** The wizard populates available attributes from the domain specified on the Attributes page. Expand the desired object class and select the checkboxes for the custom attributes to be imported. Then click **Next**. -![Custom Attributes Import Wizard Completion page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/completionpage.webp) +![Custom Attributes Import Wizard Completion page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/completionpage.webp) **Step 5 –** On the Completion page, click **Finish**. On the Completion page, click **Finish**. diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupmembership.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupmembership.md index 6dc69ee5a2..19e8f4a100 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupmembership.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/groupmembership.md 
@@ -3,7 +3,7 @@ Use the Groups Membership page to add or remove group members. Values from the source table can also be used to specify if the object will be added or removed. -![Active Directory Action Module Wizard Group Membership page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) +![Active Directory Action Module Wizard Group Membership page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/moveobjects.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/moveobjects.md index fe1beb6507..41d913512a 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/moveobjects.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/moveobjects.md @@ -2,7 +2,7 @@ Use the Move Objects page to specify the OU in which to move objects. -![Active Directory Action Module Wizard Move Objects page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/moveobject.webp) +![Active Directory Action Module Wizard Move Objects page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/moveobject.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/setresetpassword.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/setresetpassword.md index 37771189ec..62c66ae4a9 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/setresetpassword.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/setresetpassword.md 
@@ -2,7 +2,7 @@ Use the Set/Reset Users Password page to set or reset user passwords with the specified value. -![Active Directory Action Module Wizard Set/Reset Users Password page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/setresetpassword.webp) +![Active Directory Action Module Wizard Set/Reset Users Password page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/setresetpassword.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/sidhistory.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/sidhistory.md index 4f270d62bd..df3bd3c1f4 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/sidhistory.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/sidhistory.md @@ -7,7 +7,7 @@ The source table used for this operation must contain a column with the followin - SID History data -![Active Directory Action Module Wizard Clear/Set SID History page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/sidhistory.webp) +![Active Directory Action Module Wizard Clear/Set SID History page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/sidhistory.webp) Configure the action with the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/usersdetails.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/usersdetails.md index e98c5daf39..ccc24b53db 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/usersdetails.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/operations/usersdetails.md 
@@ -2,7 +2,7 @@ Use the Users Details page to edit user attributes. -![Active Directory Action Module Wizard Users Details page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/usersdetails.webp) +![Active Directory Action Module Wizard Users Details page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/usersdetails.webp) Highlight the attribute to edit. The highlighted user attribute in the Selections pane determines the configuration options available at the bottom of the page. diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/options.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/options.md index de7f3e7997..1b2114864f 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/options.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/options.md @@ -3,7 +3,7 @@ The Options page provides the option to select to use the default domain or specific a domain to use. -![Active Directory Action Module Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Active Directory Action Module Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/overview.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/overview.md index 4ab9e522cd..4986fa4404 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/overview.md 
@@ -47,15 +47,15 @@ The Active Directory Action module is configured through the Active Directory Ac which contains the following wizard pages: - Welcome -- [Active Directory Action Target](target.md) -- [Active Directory Action Operations](operations.md) -- [Active Directory Action Options](options.md) -- [Active Directory Action Summary](summary.md) +- [Active Directory Action Target](/docs/accessanalyzer/12.0/admin/action/activedirectory/target.md) +- [Active Directory Action Operations](/docs/accessanalyzer/12.0/admin/action/activedirectory/operations.md) +- [Active Directory Action Options](/docs/accessanalyzer/12.0/admin/action/activedirectory/options.md) +- [Active Directory Action Summary](/docs/accessanalyzer/12.0/admin/action/activedirectory/summary.md) The Welcome page displays first in the Active Directory Action Module Wizard. Review the introductory and caution information about the Active Directory Action Module. -![Active Directory Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Active Directory Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The navigation pane contains links to the pages in the wizard. Note that the operations added on the Operations page will affect the list of pages in the navigation pane. Several operations have diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/summary.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/summary.md index 9b4c73ab6d..ebd310a133 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured settings for the action. -![Active Directory Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Active Directory Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Action Module Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/action/activedirectory/target.md b/docs/accessanalyzer/12.0/admin/action/activedirectory/target.md index c224b1556a..3a8941b288 100644 --- a/docs/accessanalyzer/12.0/admin/action/activedirectory/target.md +++ b/docs/accessanalyzer/12.0/admin/action/activedirectory/target.md @@ -5,7 +5,7 @@ Analyzer source table that uniquely identifies the target Active Directory objec perform the action. This process enables Access Analyzer to locate those objects within Active Directory. Added fields are displayed in the textbox. -![Active Directory Action Module Wizard Target page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) +![Active Directory Action Module Wizard Target page](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) Use the following options to configure the action: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/action.md b/docs/accessanalyzer/12.0/admin/action/filesystem/action.md index 0241700e12..841a9440f5 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/action.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/action.md 
@@ -3,7 +3,7 @@ On the Action page, select the type of action to be configured, define a new action, and additional capabilities. -![File System Action Module Wizard Action page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/action.webp) +![File System Action Module Wizard Action page](/img/product_docs/accessanalyzer/admin/action/filesystem/action.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/appletsettings.md b/docs/accessanalyzer/12.0/admin/action/filesystem/appletsettings.md index a6b3b47a42..07ce1af0a0 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/appletsettings.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/appletsettings.md @@ -2,7 +2,7 @@ Use the Applet Settings page to specify the machines on which to execute the selected operation. -![File System Action Module Wizard Applet Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettings.webp) +![File System Action Module Wizard Applet Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettings.webp) Specify how the operations will be executed: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/destination.md b/docs/accessanalyzer/12.0/admin/action/filesystem/destination.md index 098df0ec20..ca183bc9e0 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/destination.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/destination.md 
@@ -9,7 +9,7 @@ The Destination page is available only if the following operations are selected: Define the destination location of the files that will be copied, moved, or renamed by building the destination path using the Fields and Environment Variables options as needed. -![File System Action Module Wizard Destination page](../../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) +![File System Action Module Wizard Destination page](/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) Use the fields provided to select destination items and hosts from the drop-down lists and populate the Destination field, or edit the field manually. The Preview field updates based on the contents diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/environment.md b/docs/accessanalyzer/12.0/admin/action/filesystem/environment.md index e9c68a8543..b88dc1b7a8 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/environment.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/environment.md @@ -9,7 +9,7 @@ variables to build dynamic file path locations for the selected operation. **NOTE:** The environment variables from the local system load by default. -![File System Action Module Wizard Environment page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/environment.webp) +![File System Action Module Wizard Environment page](/img/product_docs/accessanalyzer/admin/action/filesystem/environment.webp) The connection status displays next to the Host field. To browse for another host, click the ellipsis (**…**) to open the Browse for Computer window. Once a host name appears in the field, diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/operation.md b/docs/accessanalyzer/12.0/admin/action/filesystem/operation.md index aa77743fc7..f0921e310d 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/operation.md 
+++ b/docs/accessanalyzer/12.0/admin/action/filesystem/operation.md @@ -3,7 +3,7 @@ The Operation page is available when **Define a new action** is selected on the Action page. On the Operation page, define the action by selecting an operation from the drop-down list. -![File System Action Module Wizard Operation page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/operation.webp) +![File System Action Module Wizard Operation page](/img/product_docs/accessanalyzer/admin/action/filesystem/operation.webp) At the Available Operations drop-down selection list, choose the operation for the action to perform. The selection determines which pages are available in the wizard. The following operations diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/options.md b/docs/accessanalyzer/12.0/admin/action/filesystem/options.md index 299aad582b..a686c9cec9 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/options.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/options.md @@ -4,7 +4,7 @@ The Options page provides access to additional options for the action. Based on Operation page and other choices made within the wizard, not all options on this page may be available. -![File System Action Module Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![File System Action Module Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Select from the following additional operations: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/overview.md b/docs/accessanalyzer/12.0/admin/action/filesystem/overview.md index 4c39341eef..12c77b3579 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/overview.md 
@@ -90,22 +90,22 @@ contains the following wizard pages: **NOTE:** Depending on the selections on the various pages, not all pages may be accessible. - Welcome -- [File System Action: Action](action.md) -- [File System Action: Operation](operation.md) -- [File System Action: Prior Actions](prioractions.md) -- [File System Action: Environment](environment.md) -- [File System Action: Target](target.md) -- [File System Action: Parameters](parameters.md) -- [File System Action: Destination](destination.md) -- [File System Action: Rollback](rollback.md) -- [File System Action: Options](options.md) -- [File System Action: Applet Settings](appletsettings.md) -- [File System Action: Summary](summary.md) +- [File System Action: Action](/docs/accessanalyzer/12.0/admin/action/filesystem/action.md) +- [File System Action: Operation](/docs/accessanalyzer/12.0/admin/action/filesystem/operation.md) +- [File System Action: Prior Actions](/docs/accessanalyzer/12.0/admin/action/filesystem/prioractions.md) +- [File System Action: Environment](/docs/accessanalyzer/12.0/admin/action/filesystem/environment.md) +- [File System Action: Target](/docs/accessanalyzer/12.0/admin/action/filesystem/target.md) +- [File System Action: Parameters](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters.md) +- [File System Action: Destination](/docs/accessanalyzer/12.0/admin/action/filesystem/destination.md) +- [File System Action: Rollback](/docs/accessanalyzer/12.0/admin/action/filesystem/rollback.md) +- [File System Action: Options](/docs/accessanalyzer/12.0/admin/action/filesystem/options.md) +- [File System Action: Applet Settings](/docs/accessanalyzer/12.0/admin/action/filesystem/appletsettings.md) +- [File System Action: Summary](/docs/accessanalyzer/12.0/admin/action/filesystem/summary.md) The Welcome page displays first and gives an overview of the action module. 
The navigation pane contains links to the pages in the wizard, which may change based on the Action selected on the Action page. -![File System Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![File System Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters.md index cd2faf47fa..53338657dc 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters.md 
@@ -4,17 +4,17 @@ The Parameters page is available for some of the selections on the Operation pag operations below provides access to the operation-specific versions of the Parameters page for this wizard. Click on an operation to view its associated Parameters page. -- [Change Attributes](parameters/changeattributes.md) -- [Change Permissions and Auditing](parameters/changepermissionsauditing.md) -- [Change Permission Inheritance](parameters/changepermissioninheritance.md) -- [Change Share Permissions](parameters/changesharepermissions.md) -- [Remove File Permissions](parameters/removefilepermissions.md) -- [Remove Share Permissions](parameters/removesharepermissions.md) -- [Add Tags](parameters/addtags.md) -- [Remove Tags](parameters/removetags.md) -- [Change Owner](parameters/changeowner.md) +- [Change Attributes](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeattributes.md) +- [Change Permissions and Auditing](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissionsauditing.md) +- [Change Permission Inheritance](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissioninheritance.md) +- [Change Share Permissions](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changesharepermissions.md) +- [Remove File Permissions](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removefilepermissions.md) +- [Remove Share Permissions](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removesharepermissions.md) +- [Add Tags](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/addtags.md) +- [Remove Tags](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removetags.md) +- [Change Owner](/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeowner.md) -![File System Action Module Wizard Change File Attributes Parameters page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/changeattributes.webp) +![File System Action 
Module Wizard Change File Attributes Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/changeattributes.webp) The Navigation pane will list this as the Parameters page, but the title for each version indicates the type of parameter to be configured. diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/addtags.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/addtags.md index 27573c696d..1885192ccc 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/addtags.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/addtags.md @@ -2,7 +2,7 @@ Use the Parameters page to specify the file tags the action adds. -![File System Action Module Wizard Add Tags Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addtags.webp) +![File System Action Module Wizard Add Tags Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addtags.webp) Use the fields provided to select tags from the drop-down lists and populate the Tag field, or edit the field manually. The Preview field updates based on the contents of the Tag field. @@ -25,7 +25,7 @@ tags. - Click **Add** to add the tag field to the list - Click **Remove** to remove the tag field from the list -![Boldon James Column on Add Tags Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addremovetagsboldonjames.webp) +![Boldon James Column on Add Tags Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addremovetagsboldonjames.webp) - Type - Select which type of tag to add. The two types of tags that can be added are: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeattributes.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeattributes.md index d43c5cf17f..20edba58e0 100644 
--- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeattributes.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeattributes.md @@ -3,7 +3,7 @@ Use the Change File Attributes Parameters page to change the attribute for one or more of the target systems or data. -![File System Action Module Wizard Change File Attributes Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/changeattributes.webp) +![File System Action Module Wizard Change File Attributes Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/changeattributes.webp) Select from the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeowner.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeowner.md index a0897785f8..832ca1826b 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeowner.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changeowner.md @@ -2,7 +2,7 @@ Use the Change Owner Parameters page to select a trustee to be the new owner. -![File System Action Module Wizard Change Owner Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changeowner.webp) +![File System Action Module Wizard Change Owner Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changeowner.webp) Use the options to enter the trustees: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissioninheritance.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissioninheritance.md index 6f5f036c46..3a54adc4c1 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissioninheritance.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissioninheritance.md 
@@ -3,6 +3,6 @@ Use the Change Permission Inheritance Parameters page to specify how to change inherited permissions. -![File System Action Module Wizard Change Permissions Inheritance Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changepermissionsinheritance.webp) +![File System Action Module Wizard Change Permissions Inheritance Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changepermissionsinheritance.webp) Select the desired options for adding or removing inheritance. diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissionsauditing.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissionsauditing.md index 28a4590932..ac21597ae8 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissionsauditing.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changepermissionsauditing.md @@ -3,7 +3,7 @@ Use the Change Permissions and Auditing Parameters page to specify the permissions and auditing settings the action changes. -![File System Action Module Wizard Change Permissions and Auditing Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changepermissionsauditing.webp) +![File System Action Module Wizard Change Permissions and Auditing Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changepermissionsauditing.webp) Use the following options to enter the Permissions: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changesharepermissions.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changesharepermissions.md index 0fd530083d..a038907c50 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changesharepermissions.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/changesharepermissions.md 
@@ -3,6 +3,6 @@ Use the Change Share Permissions Parameters page to specify the permission status for what group or users are to be changed. -![File System Action Module Wizard Change Share Permissions Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changesharepermissions.webp) +![File System Action Module Wizard Change Share Permissions Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/changesharepermissions.webp) Select the desired options for changing the permissions control of the selected group or users. diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removefilepermissions.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removefilepermissions.md index e081d27ff7..e0060fd5d6 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removefilepermissions.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removefilepermissions.md @@ -3,7 +3,7 @@ Use the Remove File Permissions Parameters page to specify whose file permissions the action removes. -![File System Action Module Wizard Remove File Permissions Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removefilepermissions.webp) +![File System Action Module Wizard Remove File Permissions Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removefilepermissions.webp) Use the options to enter the Permissions: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removesharepermissions.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removesharepermissions.md index 2ddd976cfa..86aec0a251 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removesharepermissions.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removesharepermissions.md 
@@ -3,7 +3,7 @@ Use the Remove Share Permissions Parameters page to specify whose share permissions the action removes. -![File System Action Module Wizard Remove Share Permissions Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removesharepermissions.webp) +![File System Action Module Wizard Remove Share Permissions Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removesharepermissions.webp) Use the options to enter the Permissions: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removetags.md b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removetags.md index be8c7be726..d544d2f169 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removetags.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/parameters/removetags.md @@ -2,7 +2,7 @@ Use the Parameter page to specify the file tags the action removes. -![File System Action Module Wizard Remove Tags Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removetags.webp) +![File System Action Module Wizard Remove Tags Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/removetags.webp) Use the fields provided to select tags from the drop-down lists and populate the Tag field, or edit the field manually. The Preview field updates based on the contents of the Tag field. 
@@ -25,7 +25,7 @@ tags. - Click **Add** to add the tag field to the list for removal - Click **Remove** to remove the tag field from the list for removal -![Boldon James Column on Remove Tags Parameters page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addremovetagsboldonjames.webp) +![Boldon James Column on Remove Tags Parameters page](/img/product_docs/accessanalyzer/admin/action/filesystem/parameters/addremovetagsboldonjames.webp) - Type - Select which type of tag to remove. The two types of tags that can be removed are: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/prioractions.md b/docs/accessanalyzer/12.0/admin/action/filesystem/prioractions.md index d042082897..aa91dfd146 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/prioractions.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/prioractions.md @@ -3,6 +3,6 @@ The Prior Actions page is available when **Rollback a previously executed action** is selected on the Action page . -![File System Action Module Wizard Prior Actions page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/prioractions.webp) +![File System Action Module Wizard Prior Actions page](/img/product_docs/accessanalyzer/admin/action/filesystem/prioractions.webp) Any previously executed actions appear in the table. diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/rollback.md b/docs/accessanalyzer/12.0/admin/action/filesystem/rollback.md index de53801c18..56c4e9a4ec 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/rollback.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/rollback.md 
@@ -6,7 +6,7 @@ left off. **NOTE:** Not all actions support Rollback. -![File System Action Module Wizard Rollback page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/rollback.webp) +![File System Action Module Wizard Rollback page](/img/product_docs/accessanalyzer/admin/action/filesystem/rollback.webp) Use the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/summary.md b/docs/accessanalyzer/12.0/admin/action/filesystem/summary.md index 6ae5ee86ee..a54d3a9cc4 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured action. -![File System Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![File System Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the File System Action Module Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/action/filesystem/target.md b/docs/accessanalyzer/12.0/admin/action/filesystem/target.md index 846f3976f9..904494a20a 100644 --- a/docs/accessanalyzer/12.0/admin/action/filesystem/target.md +++ b/docs/accessanalyzer/12.0/admin/action/filesystem/target.md 
@@ -5,7 +5,7 @@ Environmental variables (for example, Program Files, SystemRoot, SAInstallDir, a used when creating a path as well as fields in the raw table output to populate the **Target items** field. -![File System Action Module Wizard Target page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) +![File System Action Module Wizard Target page](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) Use the fields provided to select target items and hosts from the drop-down lists and populate the Target items field, or edit the field manually. The Preview field updates based on the contents of diff --git a/docs/accessanalyzer/12.0/admin/action/libraries.md b/docs/accessanalyzer/12.0/admin/action/libraries.md index 220bc383c6..ea34e714b3 100644 --- a/docs/accessanalyzer/12.0/admin/action/libraries.md +++ b/docs/accessanalyzer/12.0/admin/action/libraries.md @@ -14,7 +14,7 @@ preconfigured with table input, script body, and parameters. This helps you: On the job's **Configure** > **Action** node, the **Add from Library** option opens the Libraries window with the available Action Libraries and operations: -![Libraries window](../../../../../static/img/product_docs/accessanalyzer/admin/action/libraries.webp) +![Libraries window](/img/product_docs/accessanalyzer/admin/action/libraries.webp) When a specific operation within a library is chosen, the action is added in the disabled state to the job. The Action Properties page opens, which has a description, action module, and source table 
@@ -22,7 +22,7 @@ with relevant filters applied. When you click the **Configure Action** link, the action module's wizard opens. -![PowerShell Action Module Wizard](../../../../../static/img/product_docs/accessanalyzer/admin/action/powershellmodulewizard.webp) +![PowerShell Action Module Wizard](/img/product_docs/accessanalyzer/admin/action/powershellmodulewizard.webp) The following Action Libraries and Templates leverage the PowerShell Action module for running actions within the specific environment: @@ -49,11 +49,11 @@ right-click and copy the task. **Step 3 –** Click the green plus sign on the top left to add a new library. -![Add custom library on Libraries window](../../../../../static/img/product_docs/accessanalyzer/admin/action/librariescustom.webp) +![Add custom library on Libraries window](/img/product_docs/accessanalyzer/admin/action/librariescustom.webp) **Step 4 –** In the pop-up window, specify a name for the library and click **OK**. -![Libraries window paste button](../../../../../static/img/product_docs/accessanalyzer/admin/action/librariescustompaste.webp) +![Libraries window paste button](/img/product_docs/accessanalyzer/admin/action/librariescustompaste.webp) **Step 5 –** Select the new library and paste the copied action task. diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/affectedmailboxes.md b/docs/accessanalyzer/12.0/admin/action/mailbox/affectedmailboxes.md index 6eef694805..de6924d4e8 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/affectedmailboxes.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/affectedmailboxes.md 
@@ -8,7 +8,7 @@ page for the following operations: - Add Delegates, Remove Delegates - Remove Stale SIDs -![New Mailbox Action Wizard Affected Mailboxes page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/affectedmailboxes.webp) +![New Mailbox Action Wizard Affected Mailboxes page](/img/product_docs/accessanalyzer/admin/action/mailbox/affectedmailboxes.webp) Select mailboxes to process using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/criteriaselection.md b/docs/accessanalyzer/12.0/admin/action/mailbox/criteriaselection.md index 992ac0c117..9781adfa68 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/criteriaselection.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/criteriaselection.md @@ -4,7 +4,7 @@ Use the Criteria Selection page to choose search criteria saved in a previous Ex Collector query or define new criteria. It is a wizard page for the Delete Mailbox Contents operation. -![New Mailbox Action Wizard Criteria Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/criteriaselection.webp) +![New Mailbox Action Wizard Criteria Selection page](/img/product_docs/accessanalyzer/admin/action/mailbox/criteriaselection.webp) Choose whether to use existing Mailbox Search criteria or determine new criteria: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/delegaterights.md b/docs/accessanalyzer/12.0/admin/action/mailbox/delegaterights.md index 57806b52f1..03ae1f3484 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/delegaterights.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/delegaterights.md 
@@ -4,7 +4,7 @@ Use the Delegate Rights page to specify folder permissions for the selected dele level can be specified for each folder on the page. It is a wizard page for the Add Delegates operation. -![New Mailbox Action Wizard Delegate Rights page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/delegaterights.webp) +![New Mailbox Action Wizard Delegate Rights page](/img/product_docs/accessanalyzer/admin/action/mailbox/delegaterights.webp) Set delegate rights using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md b/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md index 0d48602bff..d3f69f6548 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md @@ -4,7 +4,7 @@ Use the Folder Conditions page to customize folder search filter conditions. It the **No, the query results do not contain a mailbox identification** column option on the Folder Identification page. -![New Mailbox Action Wizard Folder Conditions page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) +![New Mailbox Action Wizard Folder Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) Customize folder search conditions using the following options: 
@@ -24,7 +24,7 @@ Use the Folder Type window to select which folder types to run the action agains window opens if **specific** in **with specific folder type** is selected in the Edit Conditions box. . -![Folder Type Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) +![Folder Type Window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) Select the checkbox next to any desired folder type to include it in the search criteria, including: @@ -42,7 +42,7 @@ Select the checkbox next to any desired folder type to include it in the search Use the Search Terms window to select terms contained in folder names to run the action against.The Search Terms window opens if **search terms** is selected in the Edit Conditions box. -![Search Terms Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms Window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Edit the search terms using the following options: 
@@ -64,13 +64,13 @@ Use the Folder Inclusion/Exclusion window to select individual folders to add to action. The Folder Inclusion/Exclusion window opens if **specific** in **with specific folder(s) to include/exclude** is selected in the Edit Conditions box. -![Folder Inclusion/Exclusion Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/folderinclusionexclusionwindow.webp) +![Folder Inclusion/Exclusion Window](/img/product_docs/accessanalyzer/admin/action/mailbox/folderinclusionexclusionwindow.webp) Include/Exclude folders using the following options: - Click **Add** to populate a field to add a folder path - ![New field added on Folder Inclusion/Exclusion window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/folderinclusionexclusionwindownew.webp) + ![New field added on Folder Inclusion/Exclusion window](/img/product_docs/accessanalyzer/admin/action/mailbox/folderinclusionexclusionwindownew.webp) - Click the ellipsis (**…**) or enter the path to the desired folder in the text box - Scope auto-populates with **This folder**. Click **This folder** to reveal a drop-down menu to diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/folderidentification.md b/docs/accessanalyzer/12.0/admin/action/mailbox/folderidentification.md index 816602b829..461bb3f592 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/folderidentification.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/folderidentification.md 
@@ -3,7 +3,7 @@ Use the Folder Identification page to specify folders to target. It is a wizard page for the Delete Mailbox Contents operation. -![New Mailbox Action Wizard Folder Identification page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/folderidentification.webp) +![New Mailbox Action Wizard Folder Identification page](/img/product_docs/accessanalyzer/admin/action/mailbox/folderidentification.webp) Select whether the query results contain a mailbox identification column using the following options: @@ -20,4 +20,4 @@ options: - No, the query results do not contain a mailbox folder identification column – Selecting this enables the Folder Conditions page, used to identify specific folders to target. See the - [Mailbox: Folder Conditions](folderconditions.md) topic for additional information. + [Mailbox: Folder Conditions](/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/identification.md b/docs/accessanalyzer/12.0/admin/action/mailbox/identification.md index 91ea4e4d56..ce1107eccf 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/identification.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/identification.md @@ -6,7 +6,7 @@ the Delete Mailbox Contents operation. Depending on the data in the source table, users must specify a data table column containing either the Mailbox display name or email address. -![New Mailbox Action Wizard Mailbox Identification page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/identification.webp) +![New Mailbox Action Wizard Mailbox Identification page](/img/product_docs/accessanalyzer/admin/action/mailbox/identification.webp) Select which mailboxes to target using the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/messageactions.md b/docs/accessanalyzer/12.0/admin/action/mailbox/messageactions.md index 0bb314f389..9c43f5322f 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/messageactions.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/messageactions.md @@ -3,7 +3,7 @@ Use the Message Actions page to specify the action to take with the messages that meet the search criteria. It is a wizard page for the **Delete Mailbox Contents** operation. -![New Mailbox Action Wizard Message Actions page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/messageactions.webp) +![New Mailbox Action Wizard Message Actions page](/img/product_docs/accessanalyzer/admin/action/mailbox/messageactions.webp) To select a message action, use the following options: @@ -28,7 +28,7 @@ To select a message action, use the following options: Use the Options window to add an appended text. The Options window opens if **Append Text Options** is selected in the Edit Conditions box. -![Options Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/optionswindow.webp) +![Options Window](/img/product_docs/accessanalyzer/admin/action/mailbox/optionswindow.webp) To append text to the attachment or body, select the checkbox to enable editing and enter the desired text to append in the textbox. diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/messageconditions.md b/docs/accessanalyzer/12.0/admin/action/mailbox/messageconditions.md index 804b226f64..f727d353c3 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/messageconditions.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/messageconditions.md 
@@ -3,7 +3,7 @@ Use the Message Conditions page to customize message search filter conditions. It is a wizard page for the Delete Mailbox Contents operation. -![New Mailbox Action Wizard Mailbox Message Conditions page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) +![New Mailbox Action Wizard Mailbox Message Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) Customize the folder search conditions using the following options: @@ -40,13 +40,13 @@ Use the MessageClasses window to select a message class to apply to the scope of MessageClasses window opens if **specific** in **with specific message classes** is selected in the Edit Conditions box. -![MessageClasses Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/messageclasseswindow.webp) +![MessageClasses Window](/img/product_docs/accessanalyzer/admin/action/mailbox/messageclasseswindow.webp) Modify message classes using the following options: - Click **Add** to populate a field to add a message class - ![New class added in MessageClasses Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/messageclasseswindownew.webp) + ![New class added in MessageClasses Window](/img/product_docs/accessanalyzer/admin/action/mailbox/messageclasseswindownew.webp) - Click the ellipsis (**…**) or enter the path to the desired folder in the text box - Matching Strategy auto-populates with **Exact Match**. Click **Exact Match** to reveal a drop-down 
@@ -65,7 +65,7 @@ Use the Date Range Selection window to determine a time period to scope. The Dat window opens if **in specific date** in either the **that is created in specific date** or **that is received in specific date** conditions is selected in the Edit condition box. -![Data Range Selection Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/datarangeselectionwindow.webp) +![Data Range Selection Window](/img/product_docs/accessanalyzer/admin/action/mailbox/datarangeselectionwindow.webp) To specify a date range, use the following options: @@ -84,7 +84,7 @@ To specify a date range, use the following options: Use the Search Terms window to select terms in messages to run the action against. The Search Terms window opens if **search terms** in any condition is selected in the Edit Conditions box. -![Search Terms Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms Window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Edit the search terms using the following options: @@ -103,7 +103,7 @@ Edit the search terms using the following options: Use the Values window to add or remove values to or from the search. The Values window opens if **specific** in **with specific Message ID** is selected in the Edit Conditions box. -![Values Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/valueswindow.webp) +![Values Window](/img/product_docs/accessanalyzer/admin/action/mailbox/valueswindow.webp) - To add a term to the search, enter the desired term into the upper text box and click **Add** - To remove a term from the search, select a term in the lower text box and click **Remove** diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/operations.md b/docs/accessanalyzer/12.0/admin/action/mailbox/operations.md index d3ad7e3166..9cdf762068 100644 
--- a/docs/accessanalyzer/12.0/admin/action/mailbox/operations.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/operations.md @@ -2,7 +2,7 @@ Use the Operations page to specify the operation to be performed as part of the action. -![New Mailbox Action Wizard Operations page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![New Mailbox Action Wizard Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) Select from the following operations: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/overview.md b/docs/accessanalyzer/12.0/admin/action/mailbox/overview.md index f787cc9330..3d0ad21e42 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/overview.md 
@@ -18,23 +18,23 @@ Use the New Mailbox Action Wizard to target mailboxes or folders and to define t perform against the selected objects. The wizard has the following pages: - Welcome -- [Mailbox: Operations](operations.md) -- [Mailbox: Criteria Selection](criteriaselection.md) -- [Mailbox: Sampling Host](samplinghost.md) -- [Mailbox: Mailbox Identification](identification.md) -- [Mailbox: Folder Identification](folderidentification.md) -- [Mailbox: Folder Conditions](folderconditions.md) -- [Mailbox: Message Conditions](messageconditions.md) -- [Mailbox: Message Actions](messageactions.md) -- [Mailbox: Permissions](permissions.md) -- [Mailbox: Affected Mailboxes](affectedmailboxes.md) -- [Mailbox: Trusted Users](trustedusers.md) -- [Mailbox: Delegate Rights](delegaterights.md) -- [Mailbox: Summary](summary.md) +- [Mailbox: Operations](/docs/accessanalyzer/12.0/admin/action/mailbox/operations.md) +- [Mailbox: Criteria Selection](/docs/accessanalyzer/12.0/admin/action/mailbox/criteriaselection.md) +- [Mailbox: Sampling Host](/docs/accessanalyzer/12.0/admin/action/mailbox/samplinghost.md) +- [Mailbox: Mailbox Identification](/docs/accessanalyzer/12.0/admin/action/mailbox/identification.md) +- [Mailbox: Folder Identification](/docs/accessanalyzer/12.0/admin/action/mailbox/folderidentification.md) +- [Mailbox: Folder Conditions](/docs/accessanalyzer/12.0/admin/action/mailbox/folderconditions.md) +- [Mailbox: Message Conditions](/docs/accessanalyzer/12.0/admin/action/mailbox/messageconditions.md) +- [Mailbox: Message Actions](/docs/accessanalyzer/12.0/admin/action/mailbox/messageactions.md) +- [Mailbox: Permissions](/docs/accessanalyzer/12.0/admin/action/mailbox/permissions.md) +- [Mailbox: Affected Mailboxes](/docs/accessanalyzer/12.0/admin/action/mailbox/affectedmailboxes.md) +- [Mailbox: Trusted Users](/docs/accessanalyzer/12.0/admin/action/mailbox/trustedusers.md) +- [Mailbox: Delegate Rights](/docs/accessanalyzer/12.0/admin/action/mailbox/delegaterights.md) +- 
[Mailbox: Summary](/docs/accessanalyzer/12.0/admin/action/mailbox/summary.md) The Welcome page gives an overview of the action module. The steps navigation pane contains links to the pages in the wizard, which change based on the operation selected on the Operations page. -![New Mailbox Action Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![New Mailbox Action Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/permissions.md b/docs/accessanalyzer/12.0/admin/action/mailbox/permissions.md index a01a1c8677..790b4914dd 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/permissions.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/permissions.md @@ -3,7 +3,7 @@ Use the Permissions page to determine which permissions to remove. It is a wizard page for the **Add/Change Permissions** and **Remove Permissions** operations. -![New Mailbox Action Wizard Permissions page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![New Mailbox Action Wizard Permissions page](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) Use the following options to add, change or remove Permissions: @@ -25,7 +25,7 @@ Use the following options to add, change or remove Permissions: Use the User window to select a user. The User window opens when the **User** down-arrow is selected on the Permissions page. -![User Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/userwindow.webp) +![User Window](/img/product_docs/accessanalyzer/admin/action/mailbox/userwindow.webp) Select a user using the following options: 
@@ -61,7 +61,7 @@ Select a user using the following options: Use the Folder window to select folders. The Folder window opens when the **Folder** down-arrow is selected on the Permissions page. -![Folder Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/folderwindow.webp) +![Folder Window](/img/product_docs/accessanalyzer/admin/action/mailbox/folderwindow.webp) Select a folder using the following options: @@ -83,7 +83,7 @@ Select a folder using the following options: Use the Permission window to specify permissions. The Permission window opens when the **Permission** down-arrow is selected on the Permissions page. -![Permission Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/permissionwindow.webp) +![Permission Window](/img/product_docs/accessanalyzer/admin/action/mailbox/permissionwindow.webp) Specify permissions using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/samplinghost.md b/docs/accessanalyzer/12.0/admin/action/mailbox/samplinghost.md index 9b9d2b69d0..00810d2bea 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/samplinghost.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/samplinghost.md @@ -3,7 +3,7 @@ Use the Sampling Host page to specify the Exchange server to target. It is a wizard page for all operation types. -![New Mailbox Action Wizard Sampling Host page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/samplinghost.webp) +![New Mailbox Action Wizard Sampling Host page](/img/product_docs/accessanalyzer/admin/action/mailbox/samplinghost.webp) Select an Exchange server to target using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/summary.md b/docs/accessanalyzer/12.0/admin/action/mailbox/summary.md index c213a7ff60..b8add4729c 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/summary.md 
@@ -2,6 +2,6 @@ The Summary page summarizes the configuration of the action. -![New Mailbox Action Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![New Mailbox Action Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes and exit, or **Cancel** to exit with saving. diff --git a/docs/accessanalyzer/12.0/admin/action/mailbox/trustedusers.md b/docs/accessanalyzer/12.0/admin/action/mailbox/trustedusers.md index b736dfbbe3..ebf6fc7e7d 100644 --- a/docs/accessanalyzer/12.0/admin/action/mailbox/trustedusers.md +++ b/docs/accessanalyzer/12.0/admin/action/mailbox/trustedusers.md @@ -6,7 +6,7 @@ server with a mailbox environment. It is a wizard page for the following operati - Add Delegates - Remove Delegates -![New Mailbox Action Wizard Trusted Users page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/mailbox/trustedusers.webp) +![New Mailbox Action Wizard Trusted Users page](/img/product_docs/accessanalyzer/admin/action/mailbox/trustedusers.webp) Select Trusted User delegates using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/overview.md b/docs/accessanalyzer/12.0/admin/action/overview.md index e8806680b0..18196ce215 100644 --- a/docs/accessanalyzer/12.0/admin/action/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/overview.md 
@@ -7,33 +7,33 @@ in detail in the relevant topics. The Access Analyzer actions are capable of changing users, permissions, files, and objects from a variety of environments. Action modules are assigned to a job at the **Configure** > **Actions** -node. See the [Actions Node](../jobs/job/configure/actions.md) topic for additional information on +node. See the [Actions Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md) topic for additional information on the Action Selection view. -![Action Selection page](../../../../../static/img/product_docs/accessanalyzer/admin/action/actionselection.webp) +![Action Selection page](/img/product_docs/accessanalyzer/admin/action/actionselection.webp) Configure the action through the Action Properties page. Navigate to the job’s **Configure** > **Actions** node. Select **Create Action** to add a new action task to a job. Select an existing action and click **Action Properties** to modify its configuration. The Action Properties page opens for either option. Pre-configured action tasks can be added from the Action Library. See the -[Action Libraries](libraries.md) topic for additional information. +[Action Libraries](/docs/accessanalyzer/12.0/admin/action/libraries.md) topic for additional information. Most action modules are available with a special Access Analyzer License. The following table provides brief descriptions of the action modules available in Access Analyzer. | Action Module | Description | | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Active Directory | Make changes to Active Directory such as deleting objects, creating users, and changing group membership. See the [Active Directory Action Module](activedirectory/overview.md) for additional information. 
| -| File System | Change attributes and permissions, as well as copy, delete, move, and rename file system contents. See the [File System Action Module](filesystem/overview.md) for additional information. | -| Mailbox | Add/change permissions, remove permissions, add/remove delegates, remove zombie SIDS, and delete mailbox content. See the [Mailbox Action Module](mailbox/overview.md) for additional information. | -| PowerShell | Run PowerShell scripts on the local machine or on remote hosts. See the [PowerShell Action Module](powershell/overview.md) for additional information. | -| PublicFolder | Make changes to Exchange Public Folders. See the [PublicFolder Action Module](publicfolder/overview.md) for additional information. | -| Registry | Make changes to the system registry. See the [Registry Action Module](registry/overview.md) for additional information. | -| SendMail | Communicate with target audiences to supply users with dynamic content from selected audit data. See the [SendMail Action Module](sendmail/overview.md) for additional information. | -| ServiceNow | Creates incidents in ServiceNow. See the [ServiceNow Action Module](servicenow/overview.md) for additional information. | +| Active Directory | Make changes to Active Directory such as deleting objects, creating users, and changing group membership. See the [Active Directory Action Module](/docs/accessanalyzer/12.0/admin/action/activedirectory/overview.md) for additional information. | +| File System | Change attributes and permissions, as well as copy, delete, move, and rename file system contents. See the [File System Action Module](/docs/accessanalyzer/12.0/admin/action/filesystem/overview.md) for additional information. | +| Mailbox | Add/change permissions, remove permissions, add/remove delegates, remove zombie SIDS, and delete mailbox content. See the [Mailbox Action Module](/docs/accessanalyzer/12.0/admin/action/mailbox/overview.md) for additional information. 
| +| PowerShell | Run PowerShell scripts on the local machine or on remote hosts. See the [PowerShell Action Module](/docs/accessanalyzer/12.0/admin/action/powershell/overview.md) for additional information. | +| PublicFolder | Make changes to Exchange Public Folders. See the [PublicFolder Action Module](/docs/accessanalyzer/12.0/admin/action/publicfolder/overview.md) for additional information. | +| Registry | Make changes to the system registry. See the [Registry Action Module](/docs/accessanalyzer/12.0/admin/action/registry/overview.md) for additional information. | +| SendMail | Communicate with target audiences to supply users with dynamic content from selected audit data. See the [SendMail Action Module](/docs/accessanalyzer/12.0/admin/action/sendmail/overview.md) for additional information. | +| ServiceNow | Creates incidents in ServiceNow. See the [ServiceNow Action Module](/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md) for additional information. | | SharePoint | Add/remove trustees from sites, lists, or libraries in SharePoint on-premise, apply sensitivity labels, and move files. | -| Survey | Solicit feedback from users to expedite and aid in the decision making process. See the [Survey Action Module](survey/overview.md) for additional information. | -| Web Request | Sends data to Threat Manager. See the [WebRequest Action Module](webrequest/overview.md) for additional information. | +| Survey | Solicit feedback from users to expedite and aid in the decision making process. See the [Survey Action Module](/docs/accessanalyzer/12.0/admin/action/survey/overview.md) for additional information. | +| Web Request | Sends data to Threat Manager. See the [WebRequest Action Module](/docs/accessanalyzer/12.0/admin/action/webrequest/overview.md) for additional information. | ## Basic Procedure 
@@ -77,7 +77,7 @@ changes to a production environment. Use this page to view or specify properties for a selected action, including the name, description, action module, and source table. Access this page via the Action Selection view. -![Action Properties page for new action](../../../../../static/img/product_docs/accessanalyzer/admin/action/actionproperties.webp) +![Action Properties page for new action](/img/product_docs/accessanalyzer/admin/action/actionproperties.webp) **_RECOMMENDED:_** Provide unique and descriptive names and action task descriptions to all user created action tasks. @@ -97,7 +97,7 @@ created action tasks. the database can distinguish actions, even those with identical configurations. - Data Grid – Displays a sample of the selected Source table. This data grid functions the same as all data grids within Access Analyzer. Data can be filtered, and columns can be regrouped. See the - [Data Grid Functionality](../navigate/datagrid.md) topic for additional information. + [Data Grid Functionality](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md) topic for additional information. ### Source Table Configuration diff --git a/docs/accessanalyzer/12.0/admin/action/powershell/executionoptions.md b/docs/accessanalyzer/12.0/admin/action/powershell/executionoptions.md index 9513f63c80..5c68897c6b 100644 --- a/docs/accessanalyzer/12.0/admin/action/powershell/executionoptions.md +++ b/docs/accessanalyzer/12.0/admin/action/powershell/executionoptions.md @@ -2,7 +2,7 @@ Specify the execution options for the PowerShell script using the Execution Options page. -![PowerShell Action Module Wizard Execution Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/executionoptions.webp) +![PowerShell Action Module Wizard Execution Options page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/executionoptions.webp) The options on the Execution Options page are: 
diff --git a/docs/accessanalyzer/12.0/admin/action/powershell/overview.md b/docs/accessanalyzer/12.0/admin/action/powershell/overview.md index 57b3f594f6..58386ecb42 100644 --- a/docs/accessanalyzer/12.0/admin/action/powershell/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/powershell/overview.md @@ -15,13 +15,13 @@ The PowerShell action module is configured through the PowerShell Action Module contains the following wizard pages: - Welcome -- [PowerShell Action: Script](script.md) -- [PowerShell Action: Execution Options](executionoptions.md) -- [PowerShell Action: Summary](summary.md) +- [PowerShell Action: Script](/docs/accessanalyzer/12.0/admin/action/powershell/script.md) +- [PowerShell Action: Execution Options](/docs/accessanalyzer/12.0/admin/action/powershell/executionoptions.md) +- [PowerShell Action: Summary](/docs/accessanalyzer/12.0/admin/action/powershell/summary.md) The Welcome page displays first and gives an overview of the action module. The navigation pane contains links to the pages in the wizard. -![PowerShell Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![PowerShell Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/powershell/script.md b/docs/accessanalyzer/12.0/admin/action/powershell/script.md index 43dde5c6b7..d1ffa9973b 100644 --- a/docs/accessanalyzer/12.0/admin/action/powershell/script.md +++ b/docs/accessanalyzer/12.0/admin/action/powershell/script.md 
@@ -3,7 +3,7 @@ The Script page enables you to input the PowerShell script that will be used to perform the requested action. Built-in variables are available for use in the script. -![PowerShell Action Module Wizard Script page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/script.webp) +![PowerShell Action Module Wizard Script page](/img/product_docs/accessanalyzer/admin/action/powershell/script.webp) The PowerShell script can be entered manually into the Script window at the top of the Script page. To open a pre-existing PowerShell script from a file, click **Open** to select the script file. @@ -19,12 +19,12 @@ further. The tabs are: Use the Columns tab to select the available columns. -![Columns tab](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/scriptcolumns.webp) +![Columns tab](/img/product_docs/accessanalyzer/admin/action/powershell/scriptcolumns.webp) The table in the Columns tab displays the Columns that can be used for the PowerShell script. To use a Column, select the checkbox under the **Use** column. -![Right-click menu](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/scriptrightclickoption.webp) +![Right-click menu](/img/product_docs/accessanalyzer/admin/action/powershell/scriptrightclickoption.webp) Right-clicking any of the variable names brings up a **Copy variable name** option that enables users to paste the variable name into the PowerShell script. @@ -33,7 +33,7 @@ users to paste the variable name into the PowerShell script. The Parameters tab contains options to add, edit, or delete user-made PowerShell parameters. -![Parameters tab](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/scriptparamters.webp) +![Parameters tab](/img/product_docs/accessanalyzer/admin/action/powershell/scriptparamters.webp) The options are: 
@@ -52,7 +52,7 @@ The options are: Configure options for a new or existing parameter using the Add/Edit Variable window. -![Add/Edit Variable Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/addeditvariable.webp) +![Add/Edit Variable Window](/img/product_docs/accessanalyzer/admin/action/powershell/addeditvariable.webp) The options are: @@ -73,7 +73,7 @@ The options are: Preview how the input data will look in the Input Data tab. -![Input Data tab](../../../../../../static/img/product_docs/accessanalyzer/admin/action/powershell/scriptinputdata.webp) +![Input Data tab](/img/product_docs/accessanalyzer/admin/action/powershell/scriptinputdata.webp) Information in the Input Data tab varies depending on which source table the PowerShell action module is configured to pull data from. diff --git a/docs/accessanalyzer/12.0/admin/action/powershell/summary.md b/docs/accessanalyzer/12.0/admin/action/powershell/summary.md index d33e08a988..5f857eb7f6 100644 --- a/docs/accessanalyzer/12.0/admin/action/powershell/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/powershell/summary.md @@ -2,7 +2,7 @@ View a summary of configured options on the Summary page. -![PowerShell Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![PowerShell Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save changes and exit the PowerShell Action Module Wizard. Click **Cancel** to exit the wizard without saving. diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/action.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/action.md index 83555c5609..cf57b1236e 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/action.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/action.md 
@@ -6,7 +6,7 @@ selection in the Steps pane adjust based on this selection. **NOTE:** Once an action is selected and saved, and the wizard is closed, this page is no longer available and the selection cannot be altered. -![Public Folder Action Module Wizard Action page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/action.webp) +![Public Folder Action Module Wizard Action page](/img/product_docs/accessanalyzer/admin/action/filesystem/action.webp) Choose from the following actions: diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/folders.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/folders.md index 4e0caf62f0..6e216284db 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/folders.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/folders.md @@ -2,7 +2,7 @@ The Folders page identifies which public folders are targeted by this action. -![Public Folder Action Module Wizard Folders page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/folders.webp) +![Public Folder Action Module Wizard Folders page](/img/product_docs/accessanalyzer/admin/action/publicfolder/folders.webp) The options on this page are: diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/mapisettings.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/mapisettings.md index 60e1f345a2..b3ed28b659 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/mapisettings.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/mapisettings.md @@ -2,7 +2,7 @@ Use the MAPI Settings page to specify the proper MAPI settings. -![Public Folder Action Module Wizard MAPI Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchange2k/mapisettings.webp) +![Public Folder Action Module Wizard MAPI Settings page](/img/product_docs/accessanalyzer/admin/datacollector/exchange2k/mapisettings.webp) Use the following options to configure the action: 
diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/operations.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/operations.md index 2fe5dc30fc..1f8223a190 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/operations.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/operations.md @@ -2,7 +2,7 @@ Use the Operations page to specify the operations to perform as part of the action. -![Public Folder Action Module Wizard Operations page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Public Folder Action Module Wizard Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) The **Add operation** drop-down menu lists the operations that can be performed. Each operation opens a corresponding window. Operations include: @@ -28,7 +28,7 @@ The buttons to the right of the drop-down control the operations in the field: Use the Rename Folder window to rename selected folders. It is a wizard page for the Rename operation. -![Rename Folder Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/renamefolder.webp) +![Rename Folder Window](/img/product_docs/accessanalyzer/admin/action/publicfolder/renamefolder.webp) Rename folders using the following options: @@ -43,7 +43,7 @@ Rename folders using the following options: Use the Change Permissions window to change the permissions. It is a wizard page for the Change permissions operation. -![Change Permissions Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/changepermissions.webp) +![Change Permissions Window](/img/product_docs/accessanalyzer/admin/action/publicfolder/changepermissions.webp) Change permissions using the following options: 
@@ -112,7 +112,7 @@ Change permissions using the following options: Use the Custom Attributes window to select custom attributes. It is a wizard page for the Custom Attributes operation. -![Custom Attributes Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) +![Custom Attributes Window](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) Select attributes using the following options: @@ -126,7 +126,7 @@ Select attributes using the following options: Use the Replicas window to replicate servers. It is a wizard page for the Replicas operation. -![Replicas Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/replicas.webp) +![Replicas Window](/img/product_docs/accessanalyzer/admin/action/publicfolder/replicas.webp) Replicate servers using the following options: @@ -140,7 +140,7 @@ Replicate servers using the following options: Use the Limits window to select limits to the action. It is a wizard page for the Limits operation. -![Limits Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/limits.webp) +![Limits Window](/img/product_docs/accessanalyzer/admin/action/publicfolder/limits.webp) Use the options to select any changes for the categories. If applicable, use the dropdown to select desired values related to the corresponding option. @@ -156,7 +156,7 @@ desired values related to the corresponding option. Use the Delete Folder window to select deletion settings for the action. It is a wizard page for the Delete operation. -![Delete Folder Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/publicfolder/deletefolder.webp) +![Delete Folder Window](/img/product_docs/accessanalyzer/admin/action/publicfolder/deletefolder.webp) Select deletion settings using the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/options.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/options.md index 8a60276459..47a539a373 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/options.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/options.md @@ -4,7 +4,7 @@ Use the Options page to edit the thread settings. **CAUTION:** Increasing the thread count increases the processing load on the servers. -![Public Folder Action Module Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Public Folder Action Module Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Use the following options to configure the operations: diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/overview.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/overview.md index 76a6e81a19..2cd1c485bf 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/overview.md 
@@ -21,19 +21,19 @@ The Public Folder action module is configured through the Public Folder Action M contains the following wizard pages: - Welcome -- [Public Folder: Action](action.md) -- [Public Folder: Prior Actions](prioractions.md) -- [Public Folder: Folders](folders.md) -- [Public Folder: MAPI Settings](mapisettings.md) -- [Public Folder: Operations](operations.md) -- [Public Folder: Rollback](rollback.md) -- [Public Folder: Options](options.md) -- [Public Folder: Summary](summary.md) +- [Public Folder: Action](/docs/accessanalyzer/12.0/admin/action/publicfolder/action.md) +- [Public Folder: Prior Actions](/docs/accessanalyzer/12.0/admin/action/publicfolder/prioractions.md) +- [Public Folder: Folders](/docs/accessanalyzer/12.0/admin/action/publicfolder/folders.md) +- [Public Folder: MAPI Settings](/docs/accessanalyzer/12.0/admin/action/publicfolder/mapisettings.md) +- [Public Folder: Operations](/docs/accessanalyzer/12.0/admin/action/publicfolder/operations.md) +- [Public Folder: Rollback](/docs/accessanalyzer/12.0/admin/action/publicfolder/rollback.md) +- [Public Folder: Options](/docs/accessanalyzer/12.0/admin/action/publicfolder/options.md) +- [Public Folder: Summary](/docs/accessanalyzer/12.0/admin/action/publicfolder/summary.md) The Welcome page gives an overview of the action module. The navigation pane contains links to the pages in the wizard. Review the introductory and caution information about the Public Folder Action Module before proceeding. -![Public Folder Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Public Folder Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. 
diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/prioractions.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/prioractions.md index 1eccdecc84..1ff25927c0 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/prioractions.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/prioractions.md @@ -6,7 +6,7 @@ The Prior Actions page selects previously executed actions for rollback. It is a **NOTE:** Once an action is selected and saved, and the wizard is closed, this page is no longer available and the selection cannot be altered. -![Public Folder Action Module Wizard Prior Actions page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/prioractions.webp) +![Public Folder Action Module Wizard Prior Actions page](/img/product_docs/accessanalyzer/admin/action/filesystem/prioractions.webp) The options on this page are: diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/rollback.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/rollback.md index 2ad472876e..acf4a3f928 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/rollback.md +++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/rollback.md @@ -3,7 +3,7 @@ Use the Rollback page to enable rollback capabilities for the action. If rollback isn’t selected at this step, the applied operations cannot be rolled back after execution of the action module. -![Public Folder Action Module Wizard Rollback page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/filesystem/rollback.webp) +![Public Folder Action Module Wizard Rollback page](/img/product_docs/accessanalyzer/admin/action/filesystem/rollback.webp) The options on this page are: diff --git a/docs/accessanalyzer/12.0/admin/action/publicfolder/summary.md b/docs/accessanalyzer/12.0/admin/action/publicfolder/summary.md index e82850c748..ceb454f370 100644 --- a/docs/accessanalyzer/12.0/admin/action/publicfolder/summary.md 
+++ b/docs/accessanalyzer/12.0/admin/action/publicfolder/summary.md @@ -2,7 +2,7 @@ The Summary page summarizes the configuration of the action. -![Public Folder Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Public Folder Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Public Folder Action Module Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/action/registry/operations.md b/docs/accessanalyzer/12.0/admin/action/registry/operations.md index f263fdde57..e9c71b07c5 100644 --- a/docs/accessanalyzer/12.0/admin/action/registry/operations.md +++ b/docs/accessanalyzer/12.0/admin/action/registry/operations.md @@ -1,9 +1,9 @@ # Registry: Operations Use the Operations page to select the operations to apply to the target hosts. See the -[Registry: Target Hosts](targethosts.md) topic for additional information. +[Registry: Target Hosts](/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md) topic for additional information. -![Registry Action Module Wizard Operations page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Registry Action Module Wizard Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) Select and configure the operations using the following options: 
@@ -29,7 +29,7 @@ Select and configure the operations using the following options: Use the Registry Browser window to navigate a computer’s registry and select a key. -![Registry Browser Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/registrybrowser.webp) +![Registry Browser Window](/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/registrybrowser.webp) Select a key using the following options: @@ -51,7 +51,7 @@ Select a key using the following options: Use the Select Users or Groups window to select a user, group, or built-in security principal. -![Select Users or Groups Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/selectusersgroups.webp) +![Select Users or Groups Window](/img/product_docs/accessanalyzer/admin/action/registry/selectusersgroups.webp) The options are: @@ -78,7 +78,7 @@ The options are: Use the Object Types window to select which types of objects to query. -![Object Types Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/objecttypes.webp) +![Object Types Window](/img/product_docs/accessanalyzer/admin/action/registry/objecttypes.webp) Select any of the following objects: @@ -90,7 +90,7 @@ Select any of the following objects: Use the Locations window to select a location. -![Locations Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/locations.webp) +![Locations Window](/img/product_docs/accessanalyzer/admin/action/registry/locations.webp) Select a location using the explorer. 
@@ -98,7 +98,7 @@ Select a location using the explorer. Use the Advanced Select Users and Groups window to search for items with a finer focus. -![Advanced Select Users and Groups Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/advancedselectusersgroups.webp) +![Advanced Select Users and Groups Window](/img/product_docs/accessanalyzer/admin/action/registry/advancedselectusersgroups.webp) This window contains the same options as the main Select Users or Groups window, but with the following additional options: @@ -126,7 +126,7 @@ following additional options: Use this window to select columns. The columns available varies based on the source table originally selected. -![Choose Columns Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/choosecolumns.webp) +![Choose Columns Window](/img/product_docs/accessanalyzer/admin/action/registry/choosecolumns.webp) Choose columns using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/registry/overview.md b/docs/accessanalyzer/12.0/admin/action/registry/overview.md index fb82a3f2af..9f0aaa60e9 100644 --- a/docs/accessanalyzer/12.0/admin/action/registry/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/registry/overview.md 
@@ -26,14 +26,14 @@ The Registry action module is configured through the Registry Action Module Wiza the following wizard pages: - Welcome -- [Registry: Target Hosts](targethosts.md) -- [Registry: Operations](operations.md) -- [Registry: Summary](summary.md) +- [Registry: Target Hosts](/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md) +- [Registry: Operations](/docs/accessanalyzer/12.0/admin/action/registry/operations.md) +- [Registry: Summary](/docs/accessanalyzer/12.0/admin/action/registry/summary.md) The Welcome page gives an overview of the Registry Action Module Wizard. The steps navigation pane contains links to the pages in the wizard. Review the introductory and caution information about the Registry Action Module before proceeding. -![Registry Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Registry Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click Next or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/registry/summary.md b/docs/accessanalyzer/12.0/admin/action/registry/summary.md index d223d7efa1..21c1738315 100644 --- a/docs/accessanalyzer/12.0/admin/action/registry/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/registry/summary.md @@ -2,7 +2,7 @@ The Summary page summarizes the configuration of the action. -![Registry Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Registry Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) When done configuring the action, click **Finish**. If no changes were made, it is a best practice to click **Cancel** to close the Registry Action Module Wizard to ensure that no accidental clicks 
diff --git a/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md b/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md index afe82052b3..be9b0fe1a2 100644 --- a/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md +++ b/docs/accessanalyzer/12.0/admin/action/registry/targethosts.md @@ -3,7 +3,7 @@ Use the Target Hosts page to identify the target hosts whose registries the action examines or alters. -![Registry Action Module Wizard Target hosts page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/registry/targethosts.webp) +![Registry Action Module Wizard Target hosts page](/img/product_docs/accessanalyzer/admin/action/registry/targethosts.webp) Use the drop-down menu to select the field that identifies the systems to be targeted. The list displays columns from the specified source table. The action applies the specified operations to all diff --git a/docs/accessanalyzer/12.0/admin/action/sendmail/message.md b/docs/accessanalyzer/12.0/admin/action/sendmail/message.md index 3960021f74..d3892a862a 100644 --- a/docs/accessanalyzer/12.0/admin/action/sendmail/message.md +++ b/docs/accessanalyzer/12.0/admin/action/sendmail/message.md @@ -2,7 +2,7 @@ Use the Message page to specify the text of the email. -![Send Mail Action Module Wizard Message page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/message.webp) +![Send Mail Action Module Wizard Message page](/img/product_docs/accessanalyzer/admin/action/sendmail/message.webp) Use the following fields to specify the text of the email: 
@@ -73,7 +73,7 @@ The Messaging Team The Messages Preview window displays a preview of the email, including any dynamic fields. This window displays after clicking the **Preview** button. -![Messages preview window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/messagespreview.webp) +![Messages preview window](/img/product_docs/accessanalyzer/admin/action/survey/messagespreview.webp) - Blue arrow buttons – Click to view other recipients - Send – Sends a single message to the addresses in the Recipients field diff --git a/docs/accessanalyzer/12.0/admin/action/sendmail/overview.md b/docs/accessanalyzer/12.0/admin/action/sendmail/overview.md index 45bf2b4f31..8e29701db5 100644 --- a/docs/accessanalyzer/12.0/admin/action/sendmail/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/sendmail/overview.md @@ -25,13 +25,13 @@ The SendMail Action module is configured through the SendMail Action Module Wiza the following wizard pages: - Welcome -- [SendMail Action: Properties](properties.md) -- [SendMail Action: Message](message.md) -- [SendMail Action: Summary](summary.md) +- [SendMail Action: Properties](/docs/accessanalyzer/12.0/admin/action/sendmail/properties.md) +- [SendMail Action: Message](/docs/accessanalyzer/12.0/admin/action/sendmail/message.md) +- [SendMail Action: Summary](/docs/accessanalyzer/12.0/admin/action/sendmail/summary.md) The Welcome page displays first and gives an overview of the action module. The navigation pane contains links to the pages in the wizard. -![Send Mail Action Module Wizard Welcome page](../../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Send Mail Action Module Wizard Welcome page](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. 
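Review bot: the Welcome page image on the last `+` line of the sendmail/overview.md hunk points to `/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp`, which by its path is a Threat Prevention QRadar dashboard asset, not a Send Mail wizard screenshot. The alt text says "Send Mail Action Module Wizard Welcome page", and the Registry overview earlier in this patch uses `/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp` for its Welcome page. Since the line is being rewritten anyway, check the rendered image and correct the target here rather than preserving the mismatch.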
diff --git a/docs/accessanalyzer/12.0/admin/action/sendmail/properties.md b/docs/accessanalyzer/12.0/admin/action/sendmail/properties.md index b2a78e6c85..027fdd6be7 100644 --- a/docs/accessanalyzer/12.0/admin/action/sendmail/properties.md +++ b/docs/accessanalyzer/12.0/admin/action/sendmail/properties.md @@ -2,7 +2,7 @@ Use the Properties page to specify the recipients of the email. -![Send Mail Action Module Wizard Properties page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Send Mail Action Module Wizard Properties page](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) Use the following fields to specify the recipient information: diff --git a/docs/accessanalyzer/12.0/admin/action/sendmail/summary.md b/docs/accessanalyzer/12.0/admin/action/sendmail/summary.md index e00a232c5e..65a4b74ae7 100644 --- a/docs/accessanalyzer/12.0/admin/action/sendmail/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/sendmail/summary.md @@ -2,11 +2,11 @@ The Summary page displays the SendMail configuration. -![Send Mail Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Send Mail Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Send Mail Action Module Wizard to ensure that no accidental clicks are saved. To view the status of executed SendMail actions, see the -[Viewing the Status of SendMail Actions](viewstatus.md) for additional information. +[Viewing the Status of SendMail Actions](/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md) for additional information. 
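Review bot: the `viewstatus.md` link on the last `+` line of the sendmail/summary.md hunk now hard-codes the version segment (`/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md`) for a file in the same directory, where the removed relative link `viewstatus.md` was version-independent. If the `12.0` tree is copied to start the next version, this link will keep pointing at the 12.0 page. Consider leaving same-directory links relative, or add a link check to the build that flags targets outside the page's own version folder. While the line is open, the sentence reads "see the [...] for additional information" with no noun after the link; the other pages in this patch use "topic".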
diff --git a/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md b/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md index 9b2d64eb30..7c07bdf919 100644 --- a/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md +++ b/docs/accessanalyzer/12.0/admin/action/sendmail/viewstatus.md 
@@ -2,34 +2,34 @@ Follow the steps to view the status of an executed SendMail action: -![Analysis Properties page for SendMail View Status Analysis task](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusanalysisproperties.webp) +![Analysis Properties page for SendMail View Status Analysis task](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusanalysisproperties.webp) **Step 1 –** Create a new SQLViewCreation analysis and choose **Configure Analysis**. The View and Table Creation Analysis Module wizard opens. -![Input Source wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusinputsource.webp) +![Input Source wizard page](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusinputsource.webp) **Step 2 –** On the Input Source page, choose the original source table for the SendMail action as the first table and `tablename_ActionStatus` as the second table. For example, if the source table is `MailEnabledPF`, then select `MailEnabledPF_ActionStatus` as the second table. -![Join Columns wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusjoincolumns.webp) +![Join Columns wizard page](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusjoincolumns.webp) **Step 3 –** For **Table 1 join property**, specify the column recipient of the SendMail action. For example, if sent to SMTP address, specify **SMTPaddress** as the column. For **Table 2 join property**, select **srcRowKey**. Leave everything else at the default settings. -![Result Columns wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresultcolumns.webp) +![Result Columns wizard page](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresultcolumns.webp) **Step 4 –** On the Results Columns page, select the columns to return from each table. 
Leave all other settings at their default. -![Result Type wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresulttype.webp) +![Result Type wizard page](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresulttype.webp) **Step 5 –** On the Result Type page, leave it as a table and provide a descriptive name, for example `SendMailStatus`. -![Results Sample wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresultsample.webp) +![Results Sample wizard page](/img/product_docs/accessanalyzer/admin/action/sendmail/viewstatusresultsample.webp) **Step 6 –** Click through the rest of the options. On the Result Sample page, click **Show Preview** to display the columns selected within the Columns page. Click **Summary** to navigate to diff --git a/docs/accessanalyzer/12.0/admin/action/servicenow/authentication.md b/docs/accessanalyzer/12.0/admin/action/servicenow/authentication.md index 5c55254b39..8ecf41cd37 100644 --- a/docs/accessanalyzer/12.0/admin/action/servicenow/authentication.md +++ b/docs/accessanalyzer/12.0/admin/action/servicenow/authentication.md @@ -5,7 +5,7 @@ The Authentication page implements signing into a ServiceNow account. A ServiceNow account must be set up and configured to determine which incidents will be visible on the Incident Creation page. -![ServiceNow Action Module wizard Authentication page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/authentication.webp) +![ServiceNow Action Module wizard Authentication page](/img/product_docs/accessanalyzer/admin/datacollector/box/authentication.webp) Use the following options to log into a ServiceNow account: diff --git a/docs/accessanalyzer/12.0/admin/action/servicenow/description.md b/docs/accessanalyzer/12.0/admin/action/servicenow/description.md index 9e8866fe93..4bbc21c6cb 100644 --- a/docs/accessanalyzer/12.0/admin/action/servicenow/description.md 
+++ b/docs/accessanalyzer/12.0/admin/action/servicenow/description.md @@ -4,7 +4,7 @@ The Description page provides details on the incidents entered into a field on t page. A description of the incident and related comments are included with the incident’s report to provide additional feedback to the system administrator, and may be saved to a template. -![ServiceNow Action Module wizard Description page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![ServiceNow Action Module wizard Description page](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) Create a report using the following options: @@ -16,7 +16,7 @@ Create a report using the following options: - Click the file icon with the magnifying glass to preview the sourced table for values. The default is 1000 rows. - ![Sample Source Data window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/samplesourcedata.webp) + ![Sample Source Data window](/img/product_docs/accessanalyzer/admin/action/servicenow/samplesourcedata.webp) - Click the **Clear Template** button to remove content from the Short Description section and Comments section @@ -27,6 +27,6 @@ Create a report using the following options: - Click the **Save to Template** link to preserve the Short Description and Comments sections for later use under a template name. - ![Save ServiceNow Template window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/savetemplate.webp) + ![Save ServiceNow Template window](/img/product_docs/accessanalyzer/admin/action/servicenow/savetemplate.webp) Enter a name for the template, and click **OK**. diff --git a/docs/accessanalyzer/12.0/admin/action/servicenow/incidentcreation.md b/docs/accessanalyzer/12.0/admin/action/servicenow/incidentcreation.md index 9dae968f7b..82fe455450 100644 --- a/docs/accessanalyzer/12.0/admin/action/servicenow/incidentcreation.md 
+++ b/docs/accessanalyzer/12.0/admin/action/servicenow/incidentcreation.md @@ -5,7 +5,7 @@ this page belong to two fields: Mandatory and Optional. The type of field and it chosen within ServiceNow’s configuration page. Selecting a field and entering a value will include the incident within ServiceNow’s incident report. -![ServiceNow Action Module wizard New Incident page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/incidentcreation.webp) +![ServiceNow Action Module wizard New Incident page](/img/product_docs/accessanalyzer/admin/action/servicenow/incidentcreation.webp) At the New Incident field list section, enter the fields for which incident to include on ServiceNow’s incident report. The ServiceNow account entered on the Authentication page determines diff --git a/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md b/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md index f822221070..cbcdc376c1 100644 --- a/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md @@ -38,7 +38,7 @@ The following permissions are required to utilize Access Analyzer’s ServiceNow The following instructions can only be performed with a ServiceNow admin account and access to the ServiceNow Action Module XML file. -![ServiceNow Action Module XML file in Windows file explorer](../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/actionmodulexmlfile.webp) +![ServiceNow Action Module XML file in Windows file explorer](/img/product_docs/accessanalyzer/admin/action/servicenow/actionmodulexmlfile.webp) **Step 1 –** Navigate to the file path …\STEALTHbits\StealthAUDIT\Actions to access the `STEALTHbits SN Action Module v1.0_merged_rev2.0` file to use on ServiceNow’s website. 
@@ -79,16 +79,16 @@ The ServiceNow Action module is configured through the ServiceNow Action Module contains the following wizard pages: - Welcome -- [ServiceNow Action: Authentication](authentication.md) -- [ServiceNow Action: Incident Creation](incidentcreation.md) -- [ServiceNow Action: Description](description.md) -- [ServiceNow Action: Summary](summary.md) +- [ServiceNow Action: Authentication](/docs/accessanalyzer/12.0/admin/action/servicenow/authentication.md) +- [ServiceNow Action: Incident Creation](/docs/accessanalyzer/12.0/admin/action/servicenow/incidentcreation.md) +- [ServiceNow Action: Description](/docs/accessanalyzer/12.0/admin/action/servicenow/description.md) +- [ServiceNow Action: Summary](/docs/accessanalyzer/12.0/admin/action/servicenow/summary.md) **NOTE:** Not all pages may be accessible unless the user has a configured ServiceNow account. The Welcome page displays first in the ServiceNow Action Module Wizard. Review the introductory and caution information about the ServiceNow Action Module. -![ServiceNow Action Module wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![ServiceNow Action Module wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/servicenow/summary.md b/docs/accessanalyzer/12.0/admin/action/servicenow/summary.md index 5c758c7f0f..5c37b5e5e7 100644 --- a/docs/accessanalyzer/12.0/admin/action/servicenow/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/servicenow/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. -![ServiceNow Action Module wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![ServiceNow Action Module wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the ServiceNow Action Module Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/action/survey/htmlstyle.md b/docs/accessanalyzer/12.0/admin/action/survey/htmlstyle.md index cc1991c953..db007e8b14 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/htmlstyle.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/htmlstyle.md @@ -2,7 +2,7 @@ Choose an HTML style from the HTML Styles list. The Sample pane displays a preview of the style. -![Survey Action Module Wizard HTML Style page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/htmlstyle.webp) +![Survey Action Module Wizard HTML Style page](/img/product_docs/accessanalyzer/admin/action/survey/htmlstyle.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/action/survey/introduction.md b/docs/accessanalyzer/12.0/admin/action/survey/introduction.md index 1b95801187..aac60e5f4e 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/introduction.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/introduction.md 
@@ -1,10 +1,10 @@ # Survey: Introduction Use this page to specify web page introductory text (if any) for the web page specified on the Web -Server page. See the [Survey: Web Server](webserver.md) topic for additional information. The +Server page. See the [Survey: Web Server](/docs/accessanalyzer/12.0/admin/action/survey/webserver.md) topic for additional information. The introductory text appears on the landing page when recipients click on the survey link in the email. -![Survey Action Module Wizard Introduction Page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/introduction.webp) +![Survey Action Module Wizard Introduction Page](/img/product_docs/accessanalyzer/admin/action/survey/introduction.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/action/survey/mailmessage.md b/docs/accessanalyzer/12.0/admin/action/survey/mailmessage.md index 5d6b45865a..fb377f43f8 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/mailmessage.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/mailmessage.md @@ -4,7 +4,7 @@ Use this page to specify the text of the email. When first accessing this page, in the **Load from template** field. Survey templates are a legacy feature and Netwrix recommends not using them. -![Survey Action Module Wizard Mail – Message page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/mailmessage.webp) +![Survey Action Module Wizard Mail – Message page](/img/product_docs/accessanalyzer/admin/action/survey/mailmessage.webp) Placeholder text displays in the Message box. This text includes a hyperlink to the web page hosting the survey. Placeholder text can be modified but the link cannot be removed. The link does not 
@@ -47,7 +47,7 @@ The Messages preview window opens when you click **Preview** on the Mail – Mes Survey Action Module Wizard. This window displays a preview of the email, including any dynamic fields. -![Messages preview window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/messagespreview.webp) +![Messages preview window](/img/product_docs/accessanalyzer/admin/action/survey/messagespreview.webp) The window has the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/survey/mailproperties.md b/docs/accessanalyzer/12.0/admin/action/survey/mailproperties.md index e88929647b..146670d0ff 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/mailproperties.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/mailproperties.md @@ -2,7 +2,7 @@ Use this page to specify the email recipients. -![Survey Action Module Wizard Mail – Properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/mailproperties.webp) +![Survey Action Module Wizard Mail – Properties page](/img/product_docs/accessanalyzer/admin/action/survey/mailproperties.webp) Use the following fields to specify the recipient information: diff --git a/docs/accessanalyzer/12.0/admin/action/survey/overview.md b/docs/accessanalyzer/12.0/admin/action/survey/overview.md index 9a9541ab3d..5b72a97b52 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/overview.md 
@@ -25,19 +25,19 @@ The Survey action module is configured through the Survey Action Module Wizard, following wizard pages: - Welcome -- [Survey: Template](template.md) (Legacy feature) -- [Survey: Introduction](introduction.md) -- [Survey: Questions](questions.md) -- [Survey HTML Style](htmlstyle.md) -- [Survey: Web Server](webserver.md) -- [Survey: Mail – Properties](mailproperties.md) -- [Survey: Mail – Message](mailmessage.md) -- [Survey: Test Survey](testsurvey.md) -- [Survey: Summary](summary.md) +- [Survey: Template](/docs/accessanalyzer/12.0/admin/action/survey/template.md) (Legacy feature) +- [Survey: Introduction](/docs/accessanalyzer/12.0/admin/action/survey/introduction.md) +- [Survey: Questions](/docs/accessanalyzer/12.0/admin/action/survey/questions.md) +- [Survey HTML Style](/docs/accessanalyzer/12.0/admin/action/survey/htmlstyle.md) +- [Survey: Web Server](/docs/accessanalyzer/12.0/admin/action/survey/webserver.md) +- [Survey: Mail – Properties](/docs/accessanalyzer/12.0/admin/action/survey/mailproperties.md) +- [Survey: Mail – Message](/docs/accessanalyzer/12.0/admin/action/survey/mailmessage.md) +- [Survey: Test Survey](/docs/accessanalyzer/12.0/admin/action/survey/testsurvey.md) +- [Survey: Summary](/docs/accessanalyzer/12.0/admin/action/survey/summary.md) The Welcome page displays first and gives an overview of the action module. The navigation pane contains links to the pages in the wizard. -![Survey Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Survey Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/survey/questions.md b/docs/accessanalyzer/12.0/admin/action/survey/questions.md index dd87c86fc5..f1bb6c4db8 100644 
--- a/docs/accessanalyzer/12.0/admin/action/survey/questions.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/questions.md @@ -17,7 +17,7 @@ Use this page to specify the questions on the survey. Configure the following fo - The question type (**Yes/No**, **Text**, or **Multiple Choice**) - Any additional descriptive text to include for the question -![Survey Action Module Wizard Questions page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/questions.webp) +![Survey Action Module Wizard Questions page](/img/product_docs/accessanalyzer/admin/action/survey/questions.webp) The configurable options are: @@ -56,7 +56,7 @@ The configurable options are: Select which subjects to use for the Survey question using the Select subjects window. -![Select subjects window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/selectsubjects.webp) +![Select subjects window](/img/product_docs/accessanalyzer/admin/action/survey/selectsubjects.webp) Select a subject from the Available subjects list, then click the **Right Arrow** to move it into the Selected Subjects list. Remove a subject from the Selected Subjects list by selecting a subject diff --git a/docs/accessanalyzer/12.0/admin/action/survey/summary.md b/docs/accessanalyzer/12.0/admin/action/survey/summary.md index 60fb803fdf..9db0d0a1a1 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/summary.md 
@@ -2,11 +2,11 @@ A summary of the survey configuration displays. -![Survey Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Survey Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Save Template** to access the Save Survey Template window. -![Save Survey Template window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/savesurveytemplate.webp) +![Save Survey Template window](/img/product_docs/accessanalyzer/admin/action/survey/savesurveytemplate.webp) Specify a name for the survey for future use. Click **OK** to return to the Summary page. diff --git a/docs/accessanalyzer/12.0/admin/action/survey/template.md b/docs/accessanalyzer/12.0/admin/action/survey/template.md index d04f26e8db..334a0da9a8 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/template.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/template.md @@ -3,4 +3,4 @@ Survey templates require customization to meet the customer's business needs. Contact [Netwrix Support](https://www.netwrix.com/support.html) for additional information. -![Survey Action Module Wizard Survey Template page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/surveytemplate.webp) +![Survey Action Module Wizard Survey Template page](/img/product_docs/accessanalyzer/admin/action/survey/surveytemplate.webp) diff --git a/docs/accessanalyzer/12.0/admin/action/survey/testsurvey.md b/docs/accessanalyzer/12.0/admin/action/survey/testsurvey.md index c799abdfc4..9f747a081c 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/testsurvey.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/testsurvey.md 
@@ -2,7 +2,7 @@ Use this page to test a survey and verify proper configuration. -![Survey Action Module Wizard Test Survey page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/testsurvey.webp) +![Survey Action Module Wizard Test Survey page](/img/product_docs/accessanalyzer/admin/action/survey/testsurvey.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/action/survey/webserver.md b/docs/accessanalyzer/12.0/admin/action/survey/webserver.md index 61e9fbed48..a689c1e4a8 100644 --- a/docs/accessanalyzer/12.0/admin/action/survey/webserver.md +++ b/docs/accessanalyzer/12.0/admin/action/survey/webserver.md @@ -2,7 +2,7 @@ Use this page to specify information about the web server hosting the survey website. -![Survey Action Module Wizard Web Server page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/webserver.webp) +![Survey Action Module Wizard Web Server page](/img/product_docs/accessanalyzer/admin/action/survey/webserver.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/destination.md b/docs/accessanalyzer/12.0/admin/action/webrequest/destination.md index 26d03efceb..29912edb1d 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/destination.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/destination.md @@ -2,7 +2,7 @@ Use the Destination page to specify all settings for the destination of the web request. -![Web Request Action Module Wizard Destination page](../../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) +![Web Request Action Module Wizard Destination page](/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) Use the following categories to establish the location of the web request: 
diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/header.md b/docs/accessanalyzer/12.0/admin/action/webrequest/header.md index 6319857680..470709fe3f 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/header.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/header.md @@ -2,7 +2,7 @@ Use the Header page to enter the header values for the request. -![Web Request Action Module Wizard Header page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/webrequest/header.webp) +![Web Request Action Module Wizard Header page](/img/product_docs/accessanalyzer/admin/action/webrequest/header.webp) Use the following options to enter header values: diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/overview.md b/docs/accessanalyzer/12.0/admin/action/webrequest/overview.md index 4278ae97a3..8b43cb0279 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/overview.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/overview.md 
@@ -13,15 +13,15 @@ The Web Request action module is configured through the Web Request Action Modul contains the following wizard pages: - Welcome -- [Web Request: Destination](destination.md) -- [Web Request: Header](header.md) -- [Web Request: Parameters](parameters.md) -- [Web Request: Settings](settings.md) -- [Web Request: Summary](summary.md) +- [Web Request: Destination](/docs/accessanalyzer/12.0/admin/action/webrequest/destination.md) +- [Web Request: Header](/docs/accessanalyzer/12.0/admin/action/webrequest/header.md) +- [Web Request: Parameters](/docs/accessanalyzer/12.0/admin/action/webrequest/parameters.md) +- [Web Request: Settings](/docs/accessanalyzer/12.0/admin/action/webrequest/settings.md) +- [Web Request: Summary](/docs/accessanalyzer/12.0/admin/action/webrequest/summary.md) The Welcome page gives an overview of the action module. The navigation pane contains links to the pages in the wizard. -![Web Request Action Module Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Web Request Action Module Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/parameters.md b/docs/accessanalyzer/12.0/admin/action/webrequest/parameters.md index d700e1176f..793736d576 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/parameters.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/parameters.md 
@@ -2,7 +2,7 @@ Use the Parameters page to enter the parameter values. -![Web Request Action Module Wizard Parameters page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/webrequest/parameters.webp) +![Web Request Action Module Wizard Parameters page](/img/product_docs/accessanalyzer/admin/action/webrequest/parameters.webp) Enter parameter values using the following options: @@ -38,7 +38,7 @@ Enter parameter values using the following options: Use the Custom Attribute Editor window to create a custom attribute using the existing attributes and advanced functions. -![Custom Attribute Editor Window](../../../../../../static/img/product_docs/accessanalyzer/admin/action/webrequest/customattributeeditor.webp) +![Custom Attribute Editor Window](/img/product_docs/accessanalyzer/admin/action/webrequest/customattributeeditor.webp) Create custom attributes using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/settings.md b/docs/accessanalyzer/12.0/admin/action/webrequest/settings.md index b7133d609c..e4beba8417 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/settings.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/settings.md @@ -2,7 +2,7 @@ Use the settings page to specify the settings for the web request. -![Web Request Action Module Wizard Settings page](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![Web Request Action Module Wizard Settings page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) Establish the settings using the following options: diff --git a/docs/accessanalyzer/12.0/admin/action/webrequest/summary.md b/docs/accessanalyzer/12.0/admin/action/webrequest/summary.md index 3a41059df5..1af65fb6a7 100644 --- a/docs/accessanalyzer/12.0/admin/action/webrequest/summary.md +++ b/docs/accessanalyzer/12.0/admin/action/webrequest/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured action. -![Web Request Action Module Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Web Request Action Module Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Web Request Action Module Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/analysis/autoaction.md b/docs/accessanalyzer/12.0/admin/analysis/autoaction.md index 73243c6a6f..1319077a94 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/autoaction.md +++ b/docs/accessanalyzer/12.0/admin/analysis/autoaction.md @@ -5,14 +5,14 @@ execution. To add an action to an analysis via the Auto Action analysis module, already exist and it must reside within the current job. **NOTE:** The Actions node can also automatically execute actions. See the -[Action Modules](../action/overview.md) topic for additional information. +[Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md) topic for additional information. ## Select Action Window The Select Action window lists the actions that currently exist within the Job that can be selected to automatically run upon job execution. -![Select Action Window](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/autoaction.webp) +![Select Action Window](/img/product_docs/accessanalyzer/admin/analysis/autoaction.webp) Select an action from the list. Click **OK** to exit the window, and then click **Save** to preserve the changes made to the analysis module. The action now executes as part of the analysis task. If no diff --git a/docs/accessanalyzer/12.0/admin/analysis/businessrules/appliesto.md b/docs/accessanalyzer/12.0/admin/analysis/businessrules/appliesto.md index 827b0ab21a..8887cc7f0b 100644 
--- a/docs/accessanalyzer/12.0/admin/analysis/businessrules/appliesto.md +++ b/docs/accessanalyzer/12.0/admin/analysis/businessrules/appliesto.md @@ -4,7 +4,7 @@ Use the Applies To tab to specify the scope for application of the analysis rule to data collected from all hosts, from specific hosts, or from the specific host running the job (local data). Data is filtered based on a specified time window. -![Edit Rules window Applies To tab](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/appliesto.webp) +![Edit Rules window Applies To tab](/img/product_docs/accessanalyzer/admin/analysis/businessrules/appliesto.webp) The Applies To tab provides the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/businessrules/logic.md b/docs/accessanalyzer/12.0/admin/analysis/businessrules/logic.md index 12a27a19ea..7b71717a80 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/businessrules/logic.md +++ b/docs/accessanalyzer/12.0/admin/analysis/businessrules/logic.md @@ -2,7 +2,7 @@ Use the Logic tab to specify conditions and actions for the Business Rule. -![Edit Rules window Logic tab](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/logic.webp) +![Edit Rules window Logic tab](/img/product_docs/accessanalyzer/admin/analysis/businessrules/logic.webp) The Logic tab contains the following sections and options: @@ -38,7 +38,7 @@ The Logic tab contains the following sections and options: Use the Sample Data Viewer window to examine data in a selected table. -![Sample Data Viewer Window](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/sampledataviewer.webp) +![Sample Data Viewer Window](/img/product_docs/accessanalyzer/admin/analysis/businessrules/sampledataviewer.webp) The Sample Data Viewer window provides the following options: 
@@ -51,7 +51,7 @@ The Sample Data Viewer window provides the following options: Use the EditConditionsForm to configure conditions to be applied to the table. -![EditConditionsForm Window](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/editconditionsform.webp) +![EditConditionsForm Window](/img/product_docs/accessanalyzer/admin/analysis/businessrules/editconditionsform.webp) The EditConditionsForm contains the following options: @@ -71,13 +71,13 @@ The EditConditionsForm contains the following options: The SQL Extract Preview window previews results of the conditions added to the table in the Conditions section. -![SQL Extract Preview Window](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/sqlextractpreviewwindow.webp) +![SQL Extract Preview Window](/img/product_docs/accessanalyzer/admin/analysis/businessrules/sqlextractpreviewwindow.webp) The SQL script requires the table have these columns: `HOST`, `SA_Host`, and `JobRunTimeKey`. If there is a mismatch between table and SQL script, a SQL Syntax Check window describes any detected issue. -![SQL Syntax Check window](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/sqlsyntaxcheck.webp) +![SQL Syntax Check window](/img/product_docs/accessanalyzer/admin/analysis/businessrules/sqlsyntaxcheck.webp) For example, this SQL Syntax Check window is reporting an error of missing information of an object or column. @@ -86,7 +86,7 @@ or column. Use this window to add exceptions to the scorecard. -![Configure Scorecard Action Window](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/configurescorecardaction.webp) +![Configure Scorecard Action Window](/img/product_docs/accessanalyzer/admin/analysis/businessrules/configurescorecardaction.webp) The Configure Scorecard Options window provides the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md b/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md index 3557be7a36..a3c9465be3 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md +++ b/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md @@ -23,6 +23,6 @@ To access and modify the Business Rules analysis module, navigate to the Job's * **Analysis** node and click **Configure Analysis** to open the Edit Rules window. The Edit Rules window has the following tabs: -- [Logic Tab](logic.md) -- [Variables Tab](variables.md) -- [Applies To Tab](appliesto.md) +- [Logic Tab](/docs/accessanalyzer/12.0/admin/analysis/businessrules/logic.md) +- [Variables Tab](/docs/accessanalyzer/12.0/admin/analysis/businessrules/variables.md) +- [Applies To Tab](/docs/accessanalyzer/12.0/admin/analysis/businessrules/appliesto.md) diff --git a/docs/accessanalyzer/12.0/admin/analysis/businessrules/variables.md b/docs/accessanalyzer/12.0/admin/analysis/businessrules/variables.md index a1a016e12e..1a638c7e32 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/businessrules/variables.md +++ b/docs/accessanalyzer/12.0/admin/analysis/businessrules/variables.md @@ -2,7 +2,7 @@ Use the Variables tab to specify values to substitute in the rule logic at run time. -![Edit Rules window Variables tab](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/variables.webp) +![Edit Rules window Variables tab](/img/product_docs/accessanalyzer/admin/analysis/businessrules/variables.webp) This tab contains the following options: 
@@ -10,7 +10,7 @@ This tab contains the following options: ascending Value, click the column header again. The default is by ascending Value. - To delete a variable, select it and click **Delete** - ![JobVariables TSV file](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/businessrules/jobvariablestsv.webp) + ![JobVariables TSV file](/img/product_docs/accessanalyzer/admin/analysis/businessrules/jobvariablestsv.webp) - Click **View all variables for this job** to open the `JobVariables.TSV` file containing any variables for the current job diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/additionalfields.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/additionalfields.md index 06ea4c8cf0..3cfa32de59 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/additionalfields.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/additionalfields.md @@ -4,7 +4,7 @@ Use the Additional Fields page to choose any additional fields to include with t These fields do not detect change, but may provide additional information to help diagnose and analyze the changes reported. -![Change Detection Data Analysis Module wizard Additional Fields page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/changedetection/additionalfields.webp) +![Change Detection Data Analysis Module wizard Additional Fields page](/img/product_docs/accessanalyzer/admin/analysis/changedetection/additionalfields.webp) Choose any additional fields to be collected with change analysis using the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/fields.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/fields.md index 0c18917a05..57fc0eb7d9 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/fields.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/fields.md 
@@ -2,7 +2,7 @@ Use the Change Detection Fields page to select the columns on which to report changes. -![Change Detection Data Analysis Module wizard Fields page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/changedetection/fields.webp) +![Change Detection Data Analysis Module wizard Fields page](/img/product_docs/accessanalyzer/admin/analysis/changedetection/fields.webp) Choose which fields change detection analyzes using the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md index 2ac3823d8c..b827021971 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md @@ -2,7 +2,7 @@ Use the Input Data Source page to choose a data source to analyze for changes. -![Change Detection Data Analysis Module wizard Input Data Source page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) +![Change Detection Data Analysis Module wizard Input Data Source page](/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) The configurable option is: diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/inputscope.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/inputscope.md index 0e9967fedb..7a3f061b01 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/inputscope.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/inputscope.md 
@@ -2,7 +2,7 @@ Use the Input Scope page to specify the input scope of the data source. -![Change Detection Data Analysis Module wizard Input Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/inputscope.webp) +![Change Detection Data Analysis Module wizard Input Scope page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/inputscope.webp) Identify the scope of the data source from the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/options.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/options.md index 02b3f3db3d..769270bd9a 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/options.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/options.md @@ -3,7 +3,7 @@ Use the Options page to specify whether to save history, including a running tally of all changes made within a certain time period, or only changes between the last two runs of the source set. -![Change Detection Data Analysis Module wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Change Detection Data Analysis Module wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Configure the additional options using the following: diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/overview.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/overview.md index fe9331dabd..f30733ff4e 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/overview.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/overview.md 
@@ -8,7 +8,7 @@ most recent collection. This module compares values collected for two different query instances. Therefore, as change detection depends on the existence of a **JobRunTimeKey**, history must be enabled and data collected at least twice to produce the desired results. Configure History settings under the job’s -**Settings** > **History** node. See the [History](../../settings/history.md) topic for additional +**Settings** > **History** node. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. ## Configuration 
@@ -16,19 +16,19 @@ information. The Change Detection Data Analysis Module wizard has the following pages: - Welcome -- [Change Detection: Input Scope](inputscope.md) -- [Change Detection: Input](input.md) -- [Change Detection: Unique Key](uniquekey.md) -- [Change Detection: Fields](fields.md) -- [Change Detection: Additional Fields](additionalfields.md) -- [Change Detection: Options](options.md) -- [Change Detection: Result Sample](resultsample.md) -- [Change Detection: Summary](summary.md) +- [Change Detection: Input Scope](/docs/accessanalyzer/12.0/admin/analysis/changedetection/inputscope.md) +- [Change Detection: Input](/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md) +- [Change Detection: Unique Key](/docs/accessanalyzer/12.0/admin/analysis/changedetection/uniquekey.md) +- [Change Detection: Fields](/docs/accessanalyzer/12.0/admin/analysis/changedetection/fields.md) +- [Change Detection: Additional Fields](/docs/accessanalyzer/12.0/admin/analysis/changedetection/additionalfields.md) +- [Change Detection: Options](/docs/accessanalyzer/12.0/admin/analysis/changedetection/options.md) +- [Change Detection: Result Sample](/docs/accessanalyzer/12.0/admin/analysis/changedetection/resultsample.md) +- [Change Detection: Summary](/docs/accessanalyzer/12.0/admin/analysis/changedetection/summary.md) The Welcome page gives an overview of the action module. The navigation pane contains links to the pages in the wizard. -![Change Detection Data Analysis Module wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Change Detection Data Analysis Module wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) There are no configurable settings on the Welcome page. To proceed, click **Next** or use the Steps navigation pane to open another page in the wizard. 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/resultsample.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/resultsample.md index 379effd614..fe021e48c1 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/resultsample.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/resultsample.md @@ -3,7 +3,7 @@ The Result Sample page generates a preview of the output based on the configurations selected on the previous pages. -![Change Detection Data Analysis Module wizard Result Sample page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultsample.webp) +![Change Detection Data Analysis Module wizard Result Sample page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultsample.webp) Click **Show Preview** to generate a preview of the results, which may take several minutes to populate. diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/summary.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/summary.md index 3a9796862f..5ea991bdbb 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/summary.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/summary.md @@ -2,7 +2,7 @@ The Summary page summarizes the configuration of the action. -![Change Detection Data Analysis Module wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Change Detection Data Analysis Module wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, click **Cancel** to close the Change Detection Data Analysis Module wizard to ensure no accidental configurations are saved. 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/changedetection/uniquekey.md b/docs/accessanalyzer/12.0/admin/analysis/changedetection/uniquekey.md index 12bd671124..9b95532f17 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/changedetection/uniquekey.md +++ b/docs/accessanalyzer/12.0/admin/analysis/changedetection/uniquekey.md @@ -2,8 +2,8 @@ Use the Unique Key page to select one or more columns that, when put together as a ROWKEY, uniquely identify each row of data in the source table. Available fields vary based on data source selected -on the Input page. See the [Change Detection: Input](input.md) topic for additional information. +on the Input page. See the [Change Detection: Input](/docs/accessanalyzer/12.0/admin/analysis/changedetection/input.md) topic for additional information. -![Change Detection Data Analysis Module wizard Unique Key page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/changedetection/uniquekey.webp) +![Change Detection Data Analysis Module wizard Unique Key page](/img/product_docs/accessanalyzer/admin/analysis/changedetection/uniquekey.webp) Select one or more fields to form a unique key for the selected table and its columns. diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/changetype.md b/docs/accessanalyzer/12.0/admin/analysis/notification/changetype.md index 6118ef6b5b..5ae3252b34 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/changetype.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/changetype.md 
@@ -4,7 +4,7 @@ Use the Select Change Type page to choose the types of changes for which to trig The selections on this page are optional. This page is only active if Change Detection Table is selected on the Table Type page. -![Notification Data Analysis Module wizard Select Change Type page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/changetype.webp) +![Notification Data Analysis Module wizard Select Change Type page](/img/product_docs/accessanalyzer/admin/analysis/notification/changetype.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md b/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md index 1a6a7a9018..fda01c52dd 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md @@ -3,7 +3,7 @@ The Command Line properties page is available when the Command-line Executable notification type is selected on the Type page. -![Notification Data Analysis Module wizard Command Line properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/commandline.webp) +![Notification Data Analysis Module wizard Command Line properties page](/img/product_docs/accessanalyzer/admin/analysis/notification/commandline.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/criteria.md b/docs/accessanalyzer/12.0/admin/analysis/notification/criteria.md index 287c3ec8d0..81d070f545 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/criteria.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/criteria.md 
@@ -2,7 +2,7 @@ Use the Notification Criteria page to specify criteria to trigger a notification. -![Notification Data Analysis Module wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![Notification Data Analysis Module wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The following options are available: @@ -12,5 +12,5 @@ The following options are available: or column in the database. The trigger can be if the property or column value is greater than, equal to, or less than the value provided. - Advanced Criteria – Use the Filter Builder to create custom triggers when a value meets the - defined conditions. See the [Advanced Search](../../navigate/datagrid.md#advanced-search) topic + defined conditions. See the [Advanced Search](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md#advanced-search) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md b/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md index d7eac13b5f..a61879ce9f 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md @@ -4,7 +4,7 @@ The Event Log properties page is available when the Event log notification type Type page. Use this page to specify the type of event, the event ID, and the description for the event. -![Notification Data Analysis Module wizard Event Log properties page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/eventlog.webp) +![Notification Data Analysis Module wizard Event Log properties page](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/eventlog.webp) The following options are available: 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/frequency.md b/docs/accessanalyzer/12.0/admin/analysis/notification/frequency.md index c508dcb7f4..14413fea34 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/frequency.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/frequency.md @@ -2,7 +2,7 @@ Use the Notification Frequency page to specify the frequency by which to generate the notifications. -![Notification Data Analysis Module wizard Notification Frequency page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/frequency.webp) +![Notification Data Analysis Module wizard Notification Frequency page](/img/product_docs/accessanalyzer/admin/analysis/notification/frequency.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/hosts.md b/docs/accessanalyzer/12.0/admin/analysis/notification/hosts.md index 87aa622366..aa2412b31b 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/hosts.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/hosts.md @@ -2,7 +2,7 @@ Use the Select Hosts page to scope hosts and to select specific hosts to target. -![Notification Data Analysis Module wizard Select Hosts page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/hosts.webp) +![Notification Data Analysis Module wizard Select Hosts page](/img/product_docs/accessanalyzer/admin/analysis/notification/hosts.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/overview.md b/docs/accessanalyzer/12.0/admin/analysis/notification/overview.md index 369575e7eb..d69f78f120 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/overview.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/overview.md 
@@ -7,7 +7,7 @@ The Notification Data Analysis Module has the following prerequisites: - Configure the **Notification** node in the global settings - - See the [Notification](../../settings/notification.md) topic for additional information + - See the [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) topic for additional information - Enable History for the table specified as the source 
@@ -20,22 +20,22 @@ The Notification analysis module is configured through the Notification Data Ana which contains the following wizard pages: - Welcome -- [Notification: Table Type](tabletype.md) -- [Notification: Select Table](selecttable.md) -- [Notification: Change Type](changetype.md) -- [Notification: Criteria](criteria.md) -- [Notification: Hosts](hosts.md) -- [Notification: Type](type.md) -- [Notification: SMTP](smtp.md) -- [Notification: Command Line](commandline.md) -- [Notification: Event Log](eventlog.md) -- [Notification: Frequency](frequency.md) -- [Notification: Time Window](timewindow.md) -- [Notification: Summary](summary.md) +- [Notification: Table Type](/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md) +- [Notification: Select Table](/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md) +- [Notification: Change Type](/docs/accessanalyzer/12.0/admin/analysis/notification/changetype.md) +- [Notification: Criteria](/docs/accessanalyzer/12.0/admin/analysis/notification/criteria.md) +- [Notification: Hosts](/docs/accessanalyzer/12.0/admin/analysis/notification/hosts.md) +- [Notification: Type](/docs/accessanalyzer/12.0/admin/analysis/notification/type.md) +- [Notification: SMTP](/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md) +- [Notification: Command Line](/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md) +- [Notification: Event Log](/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md) +- [Notification: Frequency](/docs/accessanalyzer/12.0/admin/analysis/notification/frequency.md) +- [Notification: Time Window](/docs/accessanalyzer/12.0/admin/analysis/notification/timewindow.md) +- [Notification: Summary](/docs/accessanalyzer/12.0/admin/analysis/notification/summary.md) The Welcome page lists the prerequisites needed for the Notification Analysis Module to function properly. 
-![Notification Data Analysis Module wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Notification Data Analysis Module wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) There are no configurable settings on the Welcome page. To proceed, click **Next**. diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md b/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md index 710ba8d816..2b6efa2d68 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md @@ -2,9 +2,9 @@ Select the table containing data on which to trigger a notification. The selection on the Table Type page determines the options available on this page. See the -[Notification: Table Type](tabletype.md) topic for additional information. +[Notification: Table Type](/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md) topic for additional information. -![Notification Data Analysis Module wizard Select Table page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/selecttable.webp) +![Notification Data Analysis Module wizard Select Table page](/img/product_docs/accessanalyzer/admin/analysis/notification/selecttable.webp) The Select table page has the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md b/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md index 4a5e011d13..c0b6b77e77 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md 
@@ -4,7 +4,7 @@ The SMTP properties page is available when the Email notification type is select Use this page to specify SMTP notification properties, including recipients, subject line, and email body. -![Notification Data Analysis Module wizard SMTP properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/smtp.webp) +![Notification Data Analysis Module wizard SMTP properties page](/img/product_docs/accessanalyzer/admin/analysis/notification/smtp.webp) The following options are available: diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/summary.md b/docs/accessanalyzer/12.0/admin/analysis/notification/summary.md index 20c3d18e8c..9aa53355e3 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/summary.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/summary.md @@ -3,7 +3,7 @@ The Summary Page displays all the information input in each of the configured options from the previous pages of the wizard. -![Notification Data Analysis Module wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Notification Data Analysis Module wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is best practice to click **Cancel** to close the Notification Data Analysis Module wizard to ensure no accidental diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md b/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md index da5b2e4f25..e6a1a74abb 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/tabletype.md 
@@ -3,14 +3,14 @@ Use the Source Table Selection page to choose the type of table to use as the data source for notifications. -![Notification Data Analysis Module wizard Source Table Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/tabletype.webp) +![Notification Data Analysis Module wizard Source Table Selection page](/img/product_docs/accessanalyzer/admin/analysis/notification/tabletype.webp) The following options are available: - Change Detection Table – Sends notifications when changes are detected in the data. When selected, the option of **Show only tables for this job** becomes the default selection on the Select Table page. This option targets only change detection tables within the current job. Possible tables (if - any) display on the Select Table page. See the [Notification: Select Table](selecttable.md) topic + any) display on the Select Table page. See the [Notification: Select Table](/docs/accessanalyzer/12.0/admin/analysis/notification/selecttable.md) topic for additional information. **NOTE:** Change Detection Table also locks selections to tables on the Select Table page that diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/timewindow.md b/docs/accessanalyzer/12.0/admin/analysis/notification/timewindow.md index 1bcf5d3778..7911ef8bfe 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/timewindow.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/timewindow.md @@ -2,7 +2,7 @@ Use this page to specify whether to include only rows collected in the last execution. -![Notification Data Analysis Module wizard Time window page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/timewindow.webp) +![Notification Data Analysis Module wizard Time window page](/img/product_docs/accessanalyzer/admin/analysis/notification/timewindow.webp) The following option is available: 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/notification/type.md b/docs/accessanalyzer/12.0/admin/analysis/notification/type.md index f68425f2d6..0a29bf5592 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/notification/type.md +++ b/docs/accessanalyzer/12.0/admin/analysis/notification/type.md @@ -2,15 +2,15 @@ Use the Notification Type page to specify one or more notification types. -![Notification Data Analysis Module wizard Notification Type page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/type.webp) +![Notification Data Analysis Module wizard Notification Type page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/type.webp) The following options are available: - Email – Sends a notification email to specified addresses defined on the SMTP page. See the - [Notification: SMTP](smtp.md) topic for additional information. + [Notification: SMTP](/docs/accessanalyzer/12.0/admin/analysis/notification/smtp.md) topic for additional information. - Command-line Executable – Runs a command-line program such as a batch file. On the Command Line page, define the specific application to run and any flags or arguments that must be set at - runtime. See the [Notification: Command Line](commandline.md) topic for additional information. + runtime. See the [Notification: Command Line](/docs/accessanalyzer/12.0/admin/analysis/notification/commandline.md) topic for additional information. - Event Log – Creates a Windows Event Log item on the Access Analyzer Event Log. On the Event Log page, define the following: 
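Review bot: In notification/type.md (hunk @@ -2,15), the rewritten image line for the Notification Type page still resolves to `/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/type.webp`, a Threat Prevention authentication-provider asset, while the alt text describes the Access Analyzer Notification Data Analysis Module wizard. The path rewrite carries that pairing over from the old line unchanged, so please confirm the screenshot actually shows this wizard page; if it does not, point the link at an image under `/img/product_docs/accessanalyzer/admin/analysis/notification/`, where the other pages of this wizard keep theirs.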
@@ -18,4 +18,4 @@ The following options are available: - Event ID - Description of the event - See the [Notification: Event Log](eventlog.md) topic for additional information. + See the [Notification: Event Log](/docs/accessanalyzer/12.0/admin/analysis/notification/eventlog.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/analysis/overview.md b/docs/accessanalyzer/12.0/admin/analysis/overview.md index fa6ef59189..501dc07471 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/overview.md +++ b/docs/accessanalyzer/12.0/admin/analysis/overview.md @@ -2,10 +2,10 @@ The Access Analyzer analysis modules are capable of finding unique data and notifying users of its location from a variety of environments. Analysis modules are assigned to a job at the -**Configure** > **Analysis** node. See the [Analysis Node](../jobs/job/configure/analysis.md) topic +**Configure** > **Analysis** node. See the [Analysis Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md) topic for information on the Analysis Selection view. -![Configure an analysis](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/configure.webp) +![Configure an analysis](/img/product_docs/accessanalyzer/admin/analysis/configure.webp) Analysis tasks are configured through the Analysis Properties page. Navigate to the job’s **Configure** > Analysis node. The Analysis Properties page is opened from the Analysis Selection 
@@ -22,14 +22,14 @@ Analyzer. | Analysis Module | Description | | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -| [AutoAction Analysis Module](autoaction.md) | Performs a specified action at the conclusion of an analysis task’s execution | -| [Business Rules Analysis Module](businessrules/overview.md) | Finds data that does not match user expectations for the target environment | -| [Change Detection Analysis Module](changedetection/overview.md) | Notifies when a change occurs in the results of a job and identifies the location of the change | -| [Notification Analysis Module](notification/overview.md) | Sends notifications to specified recipients when a specified event occurs | -| [SQLscripting Analysis Module](sqlscripting.md) | Executes free-form SQL scripts | +| [AutoAction Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/autoaction.md) | Performs a specified action at the conclusion of an analysis task’s execution | +| [Business Rules Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md) | Finds data that does not match user expectations for the target environment | +| [Change Detection Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/changedetection/overview.md) | Notifies when a change occurs in the results of a job and identifies the location of the change | +| [Notification Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/notification/overview.md) | Sends notifications to specified recipients when a specified event occurs | +| [SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) | Executes free-form SQL scripts | | SQLTrend | Legacy action module | -| [SQLViewCreation Analysis Module](sqlviewcreation/overview.md) | Provides a scripting wizard for creating SQL tables or views | -| [VBscripting Analysis Module](vbscripting.md) | Executes free-form 
VB scripts | +| [SQLViewCreation Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/overview.md) | Provides a scripting wizard for creating SQL tables or views | +| [VBscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/vbscripting.md) | Executes free-form VB scripts | ## Executing Analyses @@ -45,7 +45,7 @@ Analysis tasks can be created, deleted, and configured through the Analysis Sele with existing analysis tasks, the Analysis Selection page is used to change the order in which tasks are run, as well as enabling or disabling tasks. -![Analysis Selection Page](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/analysisselectionpage.webp) +![Analysis Selection Page](/img/product_docs/accessanalyzer/admin/analysis/analysisselectionpage.webp) The Analysis Selection page has the following options: @@ -62,7 +62,7 @@ The Analysis Selection page has the following options: - Select All – Enables/disables all tasks in the list - The **Validate**, **Validate Selected**, and **Edit Rules** buttons are specific to the Business - Rules Analysis Module. See the [Business Rules Analysis Module](businessrules/overview.md) topic + Rules Analysis Module. See the [Business Rules Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/businessrules/overview.md) topic for additional information on these buttons. ## Analysis Properties Page @@ -70,7 +70,7 @@ The Analysis Selection page has the following options: Configure task properties through the Analysis Properties page. The Analysis Properties page is accessed through the Analysis Selection page. -![Analysis Properties Page](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/analysispropertiespage.webp) +![Analysis Properties Page](/img/product_docs/accessanalyzer/admin/analysis/analysispropertiespage.webp) The Analysis Properties page has the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md b/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md index 6c30c354f0..c9c11dbad7 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md @@ -2,7 +2,7 @@ Use the SQLscripting analysis module to apply SQL scripting to the selected job. -![SQL Script Editor](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlscripteditor.webp) +![SQL Script Editor](/img/product_docs/accessanalyzer/admin/analysis/sqlscripteditor.webp) The SQLscripting analysis module evaluates the Access Analyzer user’s permission level to determine whether to allow the connected user to run the scripted command. Since this evaluation is based on @@ -32,7 +32,7 @@ The SQL Script Editor window has the following options: - Copy – Copies the highlighted script into the SQL script editor (Ctrl+C) - Paste – Pastes cut or copied script into the SQL script editor (Ctrl+V) - Online SQL Language Reference – Opens the Microsoft - [Transact-SQL Reference]() + [Transact-SQL Reference](https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2005/ms189826(v=sql.90)) article Click **Save and Close** to return to the Analysis Properties page. If no changes were made or @@ -44,7 +44,7 @@ accidental changes are saved. Use the Parameters window to add, edit, and delete temporary variables and tables defined by SQLscripting and users. The window only displays when **Parameters** is clicked. -![Parameters window](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlscriptparameters.webp) +![Parameters window](/img/product_docs/accessanalyzer/admin/analysis/sqlscriptparameters.webp) **CAUTION:** not modify any parameters where the Value states `Created during execution`. 
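Review bot: In sqlscripting.md (hunk @@ -32,7), the previously empty Transact-SQL Reference link is filled with a URL under `previous-versions/sql/sql-server-2005/`, which is archived SQL Server 2005 content. If the editor's Online SQL Language Reference is meant to help users write scripts against the SQL Server versions this release runs on, link the current Transact-SQL reference instead. The target also contains literal parentheses, `(v=sql.90)`, inside the Markdown link; check that the docs build renders it as a single link, or percent-encode them as `%28` and `%29`.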
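Review bot: In sqlscripting.md (hunk @@ -44,7), the context line directly under the changed image reads `**CAUTION:** not modify any parameters where the Value states ...`, which is missing its verb. This is the warning that protects parameters created during execution, so a garbled instruction is worth fixing while the file is open: make it `**CAUTION:** Do not modify any parameters ...`.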
@@ -80,7 +80,7 @@ The parameters have the following properties: Click **Edit Table** to open the Edit Table window to modify parameters for the selected table. -![Edit Table window](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlscriptedittablewindow.webp) +![Edit Table window](/img/product_docs/accessanalyzer/admin/analysis/sqlscriptedittablewindow.webp) The Edit table window has the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md index b52b970a5d..186af7686a 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md @@ -2,7 +2,7 @@ The Result Columns page lists the tables selected on the Input Select page. -![View and Table Creation Analysis Module wizard Result Columns page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/columns.webp) +![View and Table Creation Analysis Module wizard Result Columns page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/columns.webp) Expand the table to show its columns. Then, select the checkbox next to the column to include it in the resulting table or view. If two data tables are being joined, the resulting table displays at @@ -45,7 +45,7 @@ The grid provides the following options for formatting the resulting table or vi - Descending **NOTE:** If at least one columns is sorted by value, the **With ties** option is enabled on the -Result Constraints page. See the [SQLViewCreation: Result Constraints](resultconstraints.md) topic +Result Constraints page. See the [SQLViewCreation: Result Constraints](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md) topic for additional information. After selecting the columns to include in the resulting table or view, click **Next** to further 
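Review bot: In sqlviewcreation/columns.md (hunk @@ -45,7), the NOTE line just above the rewritten link reads "If at least one columns is sorted by value"; it should be "at least one column". The sentence is split across the context line and the changed line, so fixing it in this change keeps the note readable as one unit.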
diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/export.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/export.md index 563f6958b8..9051ddc392 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/export.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/export.md @@ -2,7 +2,7 @@ Use the Export settings page to specify data export settings. -![View and Table Creation Analysis Module wizard Export page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![View and Table Creation Analysis Module wizard Export page](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) Select the **Export results data** checkbox to enable the settings. The following options control the file type and destination of the exported data: diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/filter.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/filter.md index 18425cc5b6..fa521e0252 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/filter.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/filter.md @@ -2,7 +2,7 @@ Use this page to add custom filters to the table using the Filter Builder. -![View and Table Creation Analysis Module wizard Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![View and Table Creation Analysis Module wizard Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) Filters reduce the amount of data visible in a column imported to the resulting table or view. By default, when the filter page is blank, all the data within each column is included. Use the 
@@ -10,7 +10,7 @@ following options to add and remove filters: - Edit – Opens the Filter window - - See the [Advanced Search](../../navigate/datagrid.md#advanced-search) topic for additional + - See the [Advanced Search](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md#advanced-search) topic for additional information - Clear – Clears any specified filters diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/input.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/input.md index 27af4ae541..62e759420c 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/input.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/input.md @@ -3,7 +3,7 @@ Use the Input Source page to select the source tables or views, containing data, to join or aggregate into a resulting table or view. -![View and Table Creation Analysis Module wizard Input Source page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) +![View and Table Creation Analysis Module wizard Input Source page](/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) At the first drop-down, select a table. The drop-down lists on this page are determined by the selection made on the Input Scope page. To join or aggregate data from two tables, select a second diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/inputscope.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/inputscope.md index a6993739ad..317ab773a1 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/inputscope.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/inputscope.md 
@@ -3,7 +3,7 @@ Use the Input Selection page to scope the source data tables. This option affects the tables available for selection on the subsequent pages. -![View and Table Creation Analysis Module wizard Input Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/inputscope.webp) +![View and Table Creation Analysis Module wizard Input Selection page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/inputscope.webp) Select the source data to be used from the following options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/joincolumns.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/joincolumns.md index 09d5536862..ff36e7c96d 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/joincolumns.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/joincolumns.md @@ -7,9 +7,9 @@ Input Source page. **NOTE:** The SQLViewCreation analysis module can join two tables, using a simple equi-join condition of two predicates. For composite joins with two or more tables using a conjunction of predicates, use the SQLscripting analysis module. See the -[SQLscripting Analysis Module](../sqlscripting.md) topic for additional information. +[SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) topic for additional information. -![View and Table Creation Analysis Module wizard Join Columns page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/joincolumns.webp) +![View and Table Creation Analysis Module wizard Join Columns page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/joincolumns.webp) Use the **Table 1 join property** and **Table 2 join property** fields to select join predicates from both tables. Join predicates are columns containing analogous values that are used to match 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/overview.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/overview.md index fb2809c4d4..bf5fe40c2d 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/overview.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/overview.md 
@@ -14,21 +14,21 @@ configuring the module. Before the wizard, collect the desired data for manipula The wizard contains the following pages: - Welcome -- [SQLViewCreation: Input Scope](inputscope.md) -- [SQLViewCreation: Input Source](input.md) -- [SQLViewCreations: Join Columns](joincolumns.md) -- [SQLViewCreations: Columns](columns.md) -- [SQLViewCreation: Filter](filter.md) -- [SQLViewCreation: Time Window](timewindow.md) -- [SQLViewCreation: Result Constraints](resultconstraints.md) -- [SQLViewCreation: Result Type](result.md) -- [SQLViewCreation: Result Sample](resultsample.md) -- [SQLViewCreation: Export](export.md) -- [SQLViewCreation: Summary](summary.md) +- [SQLViewCreation: Input Scope](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/inputscope.md) +- [SQLViewCreation: Input Source](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/input.md) +- [SQLViewCreations: Join Columns](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/joincolumns.md) +- [SQLViewCreations: Columns](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md) +- [SQLViewCreation: Filter](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/filter.md) +- [SQLViewCreation: Time Window](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/timewindow.md) +- [SQLViewCreation: Result Constraints](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md) +- [SQLViewCreation: Result Type](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/result.md) +- [SQLViewCreation: Result Sample](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultsample.md) +- [SQLViewCreation: Export](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/export.md) +- [SQLViewCreation: Summary](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/summary.md) The Welcome page provides an overview of the analysis module. 
-![View and Table Creation Analysis Module wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![View and Table Creation Analysis Module wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) There are no configurable settings on the Welcome page. Click **Next** to begin configuring a custom table or view using two formatted data sources, or use the Steps navigation pane to open another diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/result.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/result.md index 085b779129..10319727f3 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/result.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/result.md @@ -2,7 +2,7 @@ Use the Result Type page to choose a SQL database table or view for the result’s output. -![View and Table Creation Analysis Module wizard Result Type page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resulttype.webp) +![View and Table Creation Analysis Module wizard Result Type page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resulttype.webp) The options on this page determine the visual representation and name of the combined data from the two sourced tables. Select from the following two options: diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md index 21d731cc3a..5a4eed647b 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultconstraints.md 
@@ -2,7 +2,7 @@ Use the Result Constraints page to impose restraints on the dataset. -![View and Table Creation Analysis Module wizard Result constraints page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultconstraints.webp) +![View and Table Creation Analysis Module wizard Result constraints page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultconstraints.webp) Select one of the following options to choose if and how much data should be returned: 
@@ -17,23 +17,23 @@ Select one of the following options to choose if and how much data should be ret **NOTE:** This field is enabled by sorting at least one column in the table by value (for SQL, only a sorted column can contain ties). To sort columns, use the **Order By Operation** - field on the Columns page. See the [SQLViewCreations: Columns](columns.md) topic for + field on the Columns page. See the [SQLViewCreations: Columns](/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/columns.md) topic for additional information. ## With Ties Example The following example explains how the **With ties** option works. -![cid:image027.webp@01D4CF75.96F2E110](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplefull.webp) +![cid:image027.webp@01D4CF75.96F2E110](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplefull.webp) Consider a table that has ten rows with one repeating entry under the value column. -![cid:image025.webp@01D4CF74.8A56D750](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplereduced.webp) +![cid:image025.webp@01D4CF74.8A56D750](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplereduced.webp) If the table is sorted by the value column in ascending order and the **Return only** option is set to **40 percent**, then there should be four rows visible in the resulting table or view output. -![cid:image026.webp@01D4CF74.8A56D750](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplereducedwithties.webp) +![cid:image026.webp@01D4CF74.8A56D750](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/examplereducedwithties.webp) However, if the first three values in the sort column are unique but the fourth value matches the fifth, selecting the **With ties** option returns the first three rows as well as both the fourth 
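Review bot: In sqlviewcreation/resultconstraints.md (hunk @@ -17,23), the three images in the With Ties Example keep alt text such as `cid:image027.webp@01D4CF75.96F2E110`, which is an e-mail content-ID left over from conversion, not a description. These lines are being rewritten anyway, so replace the alt text with what each screenshot shows (going by the file names: the full example table, the reduced result, the reduced result with ties), in line with the descriptive alt text used on the other wizard pages.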
diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultsample.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultsample.md index b1daa79da5..bb443f0dce 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultsample.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/resultsample.md @@ -2,7 +2,7 @@ Use this page to preview a sampling of the completed data manipulation. -![View and Table Creation Analysis Module wizard Result Sample page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultsample.webp) +![View and Table Creation Analysis Module wizard Result Sample page](/img/product_docs/accessanalyzer/admin/analysis/sqlviewcreation/resultsample.webp) Click **Show Preview** to populate the window with the selections from the previous pages. If the window does not populate, check the configurations for errors and try again. diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/summary.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/summary.md index 0bd8b6d640..536ec701b0 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/summary.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/summary.md @@ -2,7 +2,7 @@ This page provides an overview of all the settings configured in the wizard. -![View and Table Creation Analysis Module wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![View and Table Creation Analysis Module wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the View and Table Creation Analysis Module wizard to ensure that no 
diff --git a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/timewindow.md b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/timewindow.md index f7af9a6ca9..b770613371 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/timewindow.md +++ b/docs/accessanalyzer/12.0/admin/analysis/sqlviewcreation/timewindow.md @@ -3,7 +3,7 @@ Use the Source and Time Window page to specify which data to access if using multiple Access Analyzer Consoles or history is enabled. -![View and Table Creation Analysis Module wizard Source and Time Window page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/notification/timewindow.webp) +![View and Table Creation Analysis Module wizard Source and Time Window page](/img/product_docs/accessanalyzer/admin/analysis/notification/timewindow.webp) Use the following options to select which sources of data to permit and the time frame in which the data was collected: diff --git a/docs/accessanalyzer/12.0/admin/analysis/vbscripting.md b/docs/accessanalyzer/12.0/admin/analysis/vbscripting.md index ade0de1b0d..70557de96c 100644 --- a/docs/accessanalyzer/12.0/admin/analysis/vbscripting.md +++ b/docs/accessanalyzer/12.0/admin/analysis/vbscripting.md @@ -3,7 +3,7 @@ Use the VBscripting analysis module to access the VBScript Editor and apply VB scripting to the current analysis. -![VBScript Editor](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/script/vbscripteditor.webp) +![VBScript Editor](/img/product_docs/accessanalyzer/admin/datacollector/script/vbscripteditor.webp) The VBScript Editor has the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/category.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/category.md index bbf8f5735f..1745d79dc9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/category.md 
@@ -3,7 +3,7 @@ The ActiveDirectory Data Collector Category page contains the following query categories, sub-divided by auditing focus: -![Active Directory Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Active Directory Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The categories are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/directoryscope.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/directoryscope.md index c195ee809b..a1fc8fe1f5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/directoryscope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/directoryscope.md @@ -3,7 +3,7 @@ The Directory Scope page provides configuration settings for the directory connection and the scope for the query. It is a wizard page for the category of **Directory Objects by Domain**. -![Active Directory Data Collector Wizard Directory Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/activedirectory/directoryscope.webp) +![Active Directory Data Collector Wizard Directory Scope page](/img/product_docs/accessanalyzer/admin/datacollector/activedirectory/directoryscope.webp) The Directory Scope page has the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/options.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/options.md index 7fd0df6c72..d4a341d1fa 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/options.md 
@@ -2,7 +2,7 @@ The Options page provides format options for returned data. It is a wizard page for all categories. -![Active Directory Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Active Directory Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) - How to format collected results – Select from the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/overview.md index e0f351ff7f..fb0977454c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/overview.md @@ -3,7 +3,7 @@ The ActiveDirectory Data Collector audits objects published in Active Directory. It has been preconfigured within the Active Directory Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Active Directory Solution](../../../solutions/activedirectory/overview.md) topic for additional +[Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information. Protocols 
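Review bot: In activedirectory/overview.md (hunk @@ -3,7), the Active Directory Solution link changes from the relative `../../../solutions/activedirectory/overview.md` to `/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md`, which hardcodes the product version into the link. The relative form kept resolving inside whatever version directory the file lives in; the absolute form will keep sending readers of a later version's copy back to the 12.0 pages unless every link is rewritten again. Confirm that the versioning workflow rewrites these paths, or keep same-version links relative.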
@@ -28,13 +28,13 @@ The ActiveDirectory Data Collector is configured through the Active Directory Da which contains the following wizard pages: - Welcome -- [ActiveDirectory: Category](category.md) -- [ActiveDirectory: Directory Scope](directoryscope.md) -- [ActiveDirectory: Results](results.md) -- [ActiveDirectory: Options](options.md) -- [ActiveDirectory: Summary](summary.md) +- [ActiveDirectory: Category](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/category.md) +- [ActiveDirectory: Directory Scope](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/directoryscope.md) +- [ActiveDirectory: Results](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/results.md) +- [ActiveDirectory: Options](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/options.md) +- [ActiveDirectory: Summary](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/summary.md) -![Active Directory Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Active Directory Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/results.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/results.md index f2935da687..91ff878f7e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/results.md 
@@ -3,7 +3,7 @@ The Results page is where Active Directory object properties to be gathered are selected. It is a wizard page for all categories. -![Active Directory Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Active Directory Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Check all**, **Uncheck all**, and **Reset to defaults** buttons can be used. All selected properties are gathered. Available properties vary diff --git a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/summary.md index ec4c597ab2..735dce29d9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It wizard page for all categories. -![Active Directory Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Active Directory Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/category.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/category.md index de3d854808..2a14d61f44 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/category.md 
@@ -2,7 +2,7 @@ Use the Category page to identify how activity data is retrieved or removed. -![Active Directory Activity DC wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The ADActivity Data Collector Category page contains three query categories: @@ -10,4 +10,4 @@ The ADActivity Data Collector Category page contains three query categories: - Import From Share – Import activity from a network share - Remove Tables – Removes all tables and views from SQL Server database. This option is designed for troubleshooting. When this option is selected, the next wizard page is the Summary page. See the - [Clear ADActivity Tables](cleartables.md) topic for more information. + [Clear ADActivity Tables](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/cleartables.md) topic for more information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/cleartables.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/cleartables.md index 2c1ad9ff77..85ebac6f7b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/cleartables.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/cleartables.md 
@@ -5,12 +5,12 @@ reference tables. Follow the steps. **Step 1 –** Create a new job and assign a query using the ADActivity Data Collector. -![Active Directory Activity DC wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/categoryremovetables.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/categoryremovetables.webp) **Step 2 –** In the Active Directory Activity DC Wizard on the Category page, select the **Remove Tables** category task. -![Active Directory Activity DC wizard Results page for Remove Tables category](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adactivity/resultsremovetables.webp) +![Active Directory Activity DC wizard Results page for Remove Tables category](/img/product_docs/accessanalyzer/admin/datacollector/adactivity/resultsremovetables.webp) **Step 3 –** Click **Next** to go to the Results page. Optionally, select the **Success** checkbox to display a confirmation of successful removal in the results after the job is run. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/connection.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/connection.md index 670cafd89a..c5a5aac176 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/connection.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/connection.md 
@@ -5,7 +5,7 @@ Netwrix Activity Monitor. It is a wizard page for the category of: - Import from SAM -![Active Directory Activity DC wizard SAM connection settings page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) +![Active Directory Activity DC wizard SAM connection settings page](/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) The following connection setting can be configured to connect to the Netwrix Activity Monitor archive via an API Server: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/overview.md index 868bd73167..81cd00d0e5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/overview.md @@ -3,7 +3,7 @@ The ADActivity Data Collector integrates with the Netwrix Activity Monitor by reading the Active Directory activity log files. It has been preconfigured within the Active Directory Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Active Directory Solution](../../../solutions/activedirectory/overview.md) topic for additional +[Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information. Protocols 
@@ -26,9 +26,9 @@ Permissions The ADActivity Data Collector is configured through the Active Directory Activity DC wizard, which contains the following wizard pages, which change based up on the query category selected: -- [ADActivity: Category](category.md) -- [ADActivity: SAM Connection](connection.md) -- [ADActivity: Share](share.md) -- [ADActivity: Scope](scope.md) -- [ADActivity: Results](results.md) -- [ADActivity: Summary](summary.md) +- [ADActivity: Category](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/category.md) +- [ADActivity: SAM Connection](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/connection.md) +- [ADActivity: Share](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/share.md) +- [ADActivity: Scope](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/scope.md) +- [ADActivity: Results](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/results.md) +- [ADActivity: Summary](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/results.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/results.md index 01a71dc0c5..aa0d485419 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/results.md @@ -3,7 +3,7 @@ The Results page is where the properties to be gathered are selected. It is a wizard page for all of the categories. -![Active Directory Activity DC wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Active Directory Activity DC wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Select All** and **Clear All** buttons can be used. All selected properties are gathered. Available properties vary based on the category selected. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/scope.md index 165061192a..cfb01017be 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/scope.md @@ -6,7 +6,7 @@ the categories of: - Import From SAM - Import From Share -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) The Timespan is defined according to the following two elements: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/share.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/share.md index 69718667b5..1a0f6ad63f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/share.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/share.md @@ -5,7 +5,7 @@ of: - Import from Share -![Active Directory Activity DC wizard Share settings page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/share.webp) +![Active Directory Activity DC wizard Share settings page](/img/product_docs/activitymonitor/config/activedirectory/share.webp) The following connection setting can be configured to connect to the AD activity archives that must be located on a Domain Controller share: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/summary.md index 1eb8cdde88..670c71ed17 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adactivity/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adactivity/summary.md 
@@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![Active Directory Activity DC wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Active Directory Activity DC wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Activity DC wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/category.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/category.md index 38e5706e23..28dd676087 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/category.md @@ -2,7 +2,7 @@ Use the category page to identify which Active Directory task to perform. -![Active Directory Inventory DC Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Active Directory Inventory DC Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The categories include the following tasks: 
@@ -13,7 +13,7 @@ The categories include the following tasks: When this option is selected, the next wizard page is the Results page. - Remove Tables – Removes all tables and views from SQL Server database. This option is designed for troubleshooting. When this option is selected, the next wizard page is the Summary page. See the - [Clear ADInventory Tables](cleartables.md) topic for more information. + [Clear ADInventory Tables](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/cleartables.md) topic for more information. - Drop Domain – Remove host domain related data from SQL server **NOTE:** The Scan Active Directory category is the pre-configured setting for the .Active Directory diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/cleartables.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/cleartables.md index d5d31128a0..5174bd677d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/cleartables.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/cleartables.md @@ -8,7 +8,7 @@ data. **Step 1 –** Create a new job and assign a query using the **ADInventory** Data Collector. -![Remove Tables task selected on Active Directory Inventory DC Wizard Category page ](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/categoryremovetables.webp) +![Remove Tables task selected on Active Directory Inventory DC Wizard Category page ](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/categoryremovetables.webp) **Step 2 –** In the Active Directory Inventory DC Wizard on the Category page, select the **Remove Tables** category task. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md index 6efa2c156d..90a7621001 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md @@ -4,11 +4,11 @@ The Custom Attributes page provides ability to add Active Directory attributes t the environment or not collected by default to be gathered. It is a wizard page for the category of Scan Active Directory. -The [Standard Reference Tables & Views for the ADInventory Data Collector](standardtables.md) topic +The [Standard Reference Tables & Views for the ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md) topic provides information on what is collected by default. Custom attributes added on this page are stored in the **SA_ADInventory_ExtendedAttributes** table. -![Active Directory Inventory DC Wizard Custom Attributes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) +![Active Directory Inventory DC Wizard Custom Attributes page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) The Custom Attribute is defined according to the following three elements: @@ -36,7 +36,7 @@ Follow the steps to manually add custom attributes. **Step 1 –** On the Custom Attributes page of the Active Directory Inventory DC Wizard, click **Add**. The Custom Attribute window opens. -![Custom Attribute window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesadd.webp) +![Custom Attribute window](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesadd.webp) **Step 2 –** Enter the **Domain Filter**. This can be entered either as the short domain name or the fully qualified domain name. 
@@ -59,7 +59,7 @@ Wizard. **Step 1 –** On the Custom Attributes page of the Active Directory Inventory DC Wizard, click **Import**. The Custom Attribute Import Wizard opens. -![Custom Attributes Import Wizard Credentials page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportcredentials.webp) +![Custom Attributes Import Wizard Credentials page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportcredentials.webp) **Step 2 –** On the Credentials page, identify a domain either by entering one manually or selecting one from the **Domain Name** drop-down menu which displays a list of domains trusted by the one in @@ -72,13 +72,13 @@ attributes list from the domain: Click **Next** to continue. -![Custom Attributes Import Wizard Attributes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportattributes.webp) +![Custom Attributes Import Wizard Attributes page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportattributes.webp) **Step 3 –** The wizard populates available attributes from the domain specified on the Attributes page. Expand the desired object class and select the checkboxes for the custom attributes to be imported. Then click **Next**. -![Custom Attributes Import Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportsummary.webp) +![Custom Attributes Import Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributesimportsummary.webp) **Step 4 –** On the Summary page, click **Finish**. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/domains.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/domains.md index 140d898529..1fefae3033 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/domains.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/domains.md @@ -2,7 +2,7 @@ The Domains page removes host domain-related data from the SQL server for the selected domains. -![Active Directory Inventory DC Wizard Domains page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) +![Active Directory Inventory DC Wizard Domains page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) Select the checkbox next to a domain to remove host-related data from the SQL server for that domain. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/indexupdateoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/indexupdateoptions.md index a449ce9a95..95ca9ba67c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/indexupdateoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/indexupdateoptions.md @@ -3,7 +3,7 @@ Configure options for maintaining SQL Server indexes while running queries using the Index Update Options page. -![Active Directory Inventory DC Wizard Index Update Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/indexupdateoptions.webp) +![Active Directory Inventory DC Wizard Index Update Options page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/indexupdateoptions.webp) The options on the Index Update Options page are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md index 18b3a2a885..8268d725d0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md 
@@ -3,7 +3,7 @@ The Options page provides options for Active Directory data collection. It is a wizard page for the category of Scan Active Directory. -![Active Directory Inventory DC Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Active Directory Inventory DC Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The Options page has the following configuration options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md index 6a244db0de..d6f97cf0e9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md @@ -9,7 +9,7 @@ other solutions within Access Analyzer. The ADInventory Data Collector is a core component of Access Analyzer and has been preconfigured to be used within the .Active Directory Inventory Solution. Both this data collector and the solution are available with all Access Analyzer license options. See the -[.Active Directory Inventory Solution](../../../solutions/activedirectoryinventory/overview.md) +[.Active Directory Inventory Solution](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md) topic for additional information. Protocols @@ -30,7 +30,7 @@ Permissions **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. ## Functional Design of the ADInventory Data Collector 
@@ -46,14 +46,14 @@ The ADInventory Data Collector is configured through the Active Directory Invent contains the following wizard pages: - Welcome -- [ADInventory: Category](category.md) -- [ADInventory: Results](results.md) -- [ADInventory: Options](options.md) -- [ADInventory: Index Update Options](indexupdateoptions.md) -- [ADInventory: Custom Attributes](customattributes.md) -- [ADInventory: Summary](summary.md) - -![Active Directory Inventory DC Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [ADInventory: Category](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/category.md) +- [ADInventory: Results](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/results.md) +- [ADInventory: Options](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md) +- [ADInventory: Index Update Options](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/indexupdateoptions.md) +- [ADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md) +- [ADInventory: Summary](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/summary.md) + +![Active Directory Inventory DC Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/results.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/results.md index eb59553345..0895089818 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/results.md 
@@ -3,7 +3,7 @@ The Results page is where properties from Active Directory to be gathered are selected. It is a wizard page for the category of Scan Active Directory. -![Active Directory Inventory DC Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Active Directory Inventory DC Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Select All** or **Clear All** buttons can be used. All selected properties are gathered. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md index 38f3715a58..33b9204a63 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md 
@@ -15,7 +15,7 @@ These tables and their associated views are outlined below: | SA_ADInventory_EffectiveGroupMembers | Contains expanded group membership which includes a flattened representation of members. | | | SA_ADInventory_Exceptions | Contains information about security issues and concerns. **NOTE:** See the [AD Exception Types Translated](#ad-exception-types-translated) topic for an explanation of Exception Types. | | | SA_ADInventory_ExceptionTypes | Identifies how many instances of exceptions exist on the audited domain. **NOTE:** See the [AD Exception Types Translated](#ad-exception-types-translated) topic for an explanation of Exception Types. | | -| SA_ADInventory_Exchange | Contains information about the Exchange Server, each database and storage group, and the HomeMDB property. | [ms-Exch-Home-MDB Attribute]() | +| SA_ADInventory_Exchange | Contains information about the Exchange Server, each database and storage group, and the HomeMDB property. | [ms-Exch-Home-MDB Attribute](https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/ms980583(v=exchg.65)) | | SA_ADInventory_ExtendedAttributes | Contains information gathered by the custom attributes component of the query configuration. | [Active Directory Schema](https://learn.microsoft.com/en-gb/windows/win32/adschema/active-directory-schema) | | SA_ADInventory_GroupMemberChanges | Contains a list of group principal identifiers and their corresponding membership changes for each differential scan that is performed against a domain. | [Member attribute](https://learn.microsoft.com/en-gb/windows/win32/adschema/a-member) | | SA_ADInventory_GroupMembers | Contains a map of groups to member distinguished names. | [Member attribute](https://learn.microsoft.com/en-gb/windows/win32/adschema/a-member) | 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/summary.md index 5c45c83d49..a1665d567e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adinventory/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adinventory/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![Active Directory Inventory DC Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Active Directory Inventory DC Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Inventory DC Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/category.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/category.md index 8195f6e10e..87e34f6ac6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/category.md 
@@ -3,11 +3,11 @@ The ADPermissions Data Collector Category page identifies what kind of information to retrieve using the Category wizard page. -![ADPermissions Data Collector wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![ADPermissions Data Collector wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The categories on the ADPermissions Category page are: - Scan Active Directory Permissions – Scan permissions applied to objects - Scan Active Directory Audits – Scan audits applied to objects - Remove Tables – Remove all tables and views from SQL server. See the - [Remove ADPermissions Tables](removetables.md) topic for additional information. + [Remove ADPermissions Tables](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/removetables.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/customfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/customfilter.md index 653114668e..488a6edd4c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/customfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/customfilter.md @@ -7,7 +7,7 @@ the categories of: - Scan Active Directory Permissions - Scan Active Directory Audits -![ADPermissions Data Collector wizard Custom Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) +![ADPermissions Data Collector wizard Custom Filter page](/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/options.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/options.md index 8e9ce2e031..e2a3a5ee65 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/options.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/options.md @@ -6,7 +6,7 @@ is a wizard page for the categories of: - Scan Active Directory Permissions - Scan Active Directory Audits -![ADPermissions Data Collector wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![ADPermissions Data Collector wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md index da8456b783..b1682e86fe 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md @@ -3,7 +3,7 @@ The ADPermissions Data Collector collects the advanced security permissions of objects in AD. It is preconfigured within the Active Directory Permissions Analyzer Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Active Directory Permissions Analyzer Solution](../../../solutions/activedirectorypermissionsanalyzer/overview.md) +[Active Directory Permissions Analyzer Solution](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md) topic for additional information. Protocols 
@@ -30,9 +30,9 @@ The ADPermissions Data Collector is configured through the Active Directory Perm Collector Wizard. The wizard contains the following pages, which change based upon the query category selected: -- [ADPermissions: Category](category.md) -- [ADPermissions: Scope](scope.md) -- [ADPermissions: Custom Filter](customfilter.md) -- [ADPermissions: Options](options.md) -- [ADPermissions: Results](results.md) -- [ADPermissions: Summary](summary.md) +- [ADPermissions: Category](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/category.md) +- [ADPermissions: Scope](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/scope.md) +- [ADPermissions: Custom Filter](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/customfilter.md) +- [ADPermissions: Options](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/options.md) +- [ADPermissions: Results](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/results.md) +- [ADPermissions: Summary](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/results.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/results.md index e88a1210e7..e07beefeb3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/results.md 
@@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![ADPermissions Data Collector wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![ADPermissions Data Collector wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Available properties vary based on the category selected. Properties can be selected individually or the **Select All** and **Clear All** buttons can be used. All selected properties are gathered. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/scope.md index edb2f86eb9..2d9b178839 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/scope.md @@ -6,7 +6,7 @@ wizard page for the categories of: - Scan Active Directory Permissions - Scan Active Directory Audits -![ADPermissions Data Collector wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![ADPermissions Data Collector wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/summary.md index c4a2fdc7b0..63b331c694 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/summary.md 
@@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![ADPermissions Data Collector wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![ADPermissions Data Collector wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Permissions Data Collector Wizard ensuring that no diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/category.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/category.md index c37d90f6a5..4dbe4d5b07 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/category.md @@ -3,7 +3,7 @@ Use the Category page to select the type of scan for the targeted AWS instance or maintenance task to perform. -![AWS Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![AWS Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The options on the Category page are: @@ -17,4 +17,4 @@ The options on the Category page are: - Maintenance - Drop AWS DC Tables – Removes AWS data collector data and tables from the Access Analyzer - database. See the [Drop AWS Tables](droptables.md) topic for additional information. + database. See the [Drop AWS Tables](/docs/accessanalyzer/12.0/admin/datacollector/aws/droptables.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/criteria.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/criteria.md index fc6c1b8f07..df0a1c31cd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/criteria.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/criteria.md @@ -4,7 +4,7 @@ The Criteria (Select DLP criteria for this scan) page is where criteria to be us sensitive data during a scan is configured. It is a wizard page for the category of Collect SDD Data. -![AWS Query SDD Criteria](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![AWS Query SDD Criteria](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) Default criteria is set at the **Global Settings** > **Sensitive Data** node. Choose between the **Use Global Criteria** Selection and the **Use the Following Selected Criteria** radio buttons. @@ -19,5 +19,5 @@ The table contains the following types of criteria: User-defined criteria is created in the Criteria Editor, accessed through the **Global Settings** > **Sensitive Data** node. See the -[Sensitive Data Discovery](../../../sensitivedatadiscovery/overview.md) topic for additional +[Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/droptables.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/droptables.md index 46636b3f50..216fd36fd8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/droptables.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/droptables.md 
@@ -9,7 +9,7 @@ tables from the Access Analyzer database. Follow the steps to configure a job to **Step 3 –** Assign a query using the **AWS** Data Collector. -![Drop AWS DC Tables option on Amazon Web Services Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptables.webp) +![Drop AWS DC Tables option on Amazon Web Services Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptables.webp) **Step 4 –** In the Amazon Web Services Data Collector Wizard on the Category page, select the **Drop AWS DC Tables** category task. Click **Next**. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md index 1d5b25b885..d882de5738 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md @@ -6,7 +6,7 @@ queried for permissions and sensitive data. It is a wizard page for the categori - Collect S3 - Collect SDD Data -![Filter S3 Objects page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) +![Filter S3 Objects page](/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) Use the buttons to customize the filter list: @@ -20,7 +20,7 @@ Use the buttons to customize the filter list: The Select a Bucket window shows the available buckets in the AWS instance. -![Select a bucket window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/selectabucket.webp) +![Select a bucket window](/img/product_docs/accessanalyzer/admin/datacollector/aws/selectabucket.webp) Select from the available buckets and click **OK** to add them to the Filter S3 Objects page. 
@@ -28,7 +28,7 @@ Select from the available buckets and click **OK** to add them to the Filter S3 The Add Custom Filter window allows a custom filter to be configured. -![Add Custom Filter window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) +![Add Custom Filter window](/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) Configure a custom filter using the following format: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md index 8fdf51d940..415f63e0a8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md @@ -7,10 +7,10 @@ the categories of: - Collect IAM data - Collect S3 -![AWS Query Login Roles](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) +![AWS Query Login Roles](/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) Add the login roles that will allow Access Analyzer to scan the AWS accounts. See the -[Configure AWS for Scans](../../../requirements/target/config/aws.md) topic for additional +[Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information. The page has the following options: - Import From File – Browse to the location of a CSV file from which to import the roles diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/overview.md index a3da64a76e..e196377567 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/overview.md 
@@ -4,7 +4,7 @@ The AWS Data Collector collects IAM users, groups, roles, and policies, as well content, and sensitive data from the target Amazon Web Services (AWS) accounts. The AWS Data Collector has been preconfigured for the AWS Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[AWS Solution](../../../solutions/aws/overview.md) topic for additional information. +[AWS Solution](/docs/accessanalyzer/12.0/solutions/aws/overview.md) topic for additional information. Protocols @@ -47,10 +47,10 @@ is configured to scan 8 hosts at a time , then an extra 16 GB of RAM are require The AWS Data Collector is configured through the Amazon Web Services Data Collector Wizard. The wizard contains the following pages, which change based up on the query category selected: -- [AWS: Category](category.md) -- [AWS: Login Roles](loginroles.md) -- [AWS: Filter S3 Objects](filters3objects.md) -- [AWS: Sensitive Data Settings](sensitivedata.md) -- [AWS: Criteria ](criteria.md) -- [AWS: Results](results.md) -- [AWS: Summary](summary.md) +- [AWS: Category](/docs/accessanalyzer/12.0/admin/datacollector/aws/category.md) +- [AWS: Login Roles](/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md) +- [AWS: Filter S3 Objects](/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md) +- [AWS: Sensitive Data Settings](/docs/accessanalyzer/12.0/admin/datacollector/aws/sensitivedata.md) +- [AWS: Criteria ](/docs/accessanalyzer/12.0/admin/datacollector/aws/criteria.md) +- [AWS: Results](/docs/accessanalyzer/12.0/admin/datacollector/aws/results.md) +- [AWS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/aws/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/results.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/results.md index a56fee1196..8e529eaf0e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/results.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/results.md @@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be checked individually or the **Select All** or **Clear All** buttons can be used. All checked properties are gathered. Available properties vary based on the category selected. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/sensitivedata.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/sensitivedata.md index dfb72d9ddc..f391592af9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/sensitivedata.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/sensitivedata.md @@ -3,7 +3,7 @@ The Sensitive Data Settings page is where sensitive data discovery settings are configured. It is a wizard page for the category of Collect SDD Data. -![Sensitive Data Settings page](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) +![Sensitive Data Settings page](/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) Configure the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/aws/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/aws/summary.md index e8763d95eb..c91e771766 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/aws/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/aws/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all categories. -![summary](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![summary](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Amazon Web Services Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/category.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/category.md index 9aff1b7e4e..c7e61be45f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/category.md @@ -2,7 +2,7 @@ The Category page identifies which Inventory task to perform. -![Entra ID Inventory DC Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Entra ID Inventory DC Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The two categories are: 
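Review bot: The rewritten image target in the azureadinventory/category.md hunk still points into the `adinventory` asset directory (`/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp`) although the alt text reads "Entra ID Inventory DC Wizard Category page", and the AWS and Box Category pages in this patch resolve to the same file. Since every image path is being touched anyway, confirm that this screenshot really shows the Entra ID wizard, or give each collector its own asset. The site-root `/img/...` form also resolves only where `static/` is served at the root, so unlike the old `../../../../../../static/img/...` path it will not render when the Markdown file is previewed in the repository.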
@@ -11,7 +11,7 @@ The two categories are: and views. This is the standard option for this data collector. - Remove Tables – Removes all tables and views from SQL Server database. This option is designed for troubleshooting. When this option is selected, the next wizard page is the Summary page. See the - [Troubleshooting AzureADInventory Data Collector](troubleshooting.md) topic for more information. + [Troubleshooting AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/troubleshooting.md) topic for more information. The Scan Entra ID category is the pre-configured setting for the .Entra ID Inventory Job Group. Therefore, accessing the Entra ID Inventory DC Wizard from the query within that job group does not diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md index 8a2272457a..a4c1ea8c61 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md @@ -8,7 +8,7 @@ during host list creation makes it necessary to configure the Connection Profile Creating the Connection Profile requires having the Client ID and Key that was generated when Access Analyzer was registered as a web application with Microsoft Entra ID. See the -[Microsoft Entra ID Auditing Configuration](../../../config/entraid/access.md) for additional +[Microsoft Entra ID Auditing Configuration](/docs/accessanalyzer/12.0/config/entraid/access.md) for additional information. Create a Connection Profile and set the following information on the User Credentials window: 
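Review bot: The replacement link in the configurejob.md hunk hard-codes the version directory, `/docs/accessanalyzer/12.0/config/entraid/access.md`, where the old `../../../config/entraid/access.md` was independent of the version. If the `12.0` tree is later copied to a new version directory, this link keeps pointing at the 12.0 page, and nothing flags it because that target still exists. Please either keep links inside a version tree relative or note in the commit message how versioned copies are expected to be rewritten.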
@@ -16,18 +16,18 @@ Create a Connection Profile and set the following information on the User Creden - Select Account Type – Azure Active Directory - Client ID – Application (client) ID of the Access Analyzer application registered with Microsoft Entra ID. See the - [Identify the Client ID](../../../config/entraid/access.md#identify-the-client-id) topic for + [Identify the Client ID](/docs/accessanalyzer/12.0/config/entraid/access.md#identify-the-client-id) topic for additional information. - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Key – Client secret value for the Access Analyzer application registered with Microsoft Entra ID. See the - [Generate the Client Secret Key](../../../config/entraid/access.md#generate-the-client-secret-key) + [Generate the Client Secret Key](/docs/accessanalyzer/12.0/config/entraid/access.md#generate-the-client-secret-key) topic for additional information. Once the Connection Profile is created, it is time to create the custom host list. See the -[Connection](../../settings/connection/overview.md) topic for additional information. +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Custom Host List 
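Review bot: Please confirm that the link check run for this change validates fragments on the new absolute paths, because two `+` lines here end in `access.md#identify-the-client-id` and `access.md#generate-the-client-secret-key` and a check that only tests the file part would pass even if the anchor no longer matched. These are the links a reader follows to obtain the Client ID and client secret for the Connection Profile, so a link that lands at the top of the page instead of the right section is a real usability loss. As a style point, the rewritten "Identify the Client ID" and "Application" lines run well past the wrap width the unchanged lines keep and should be re-wrapped.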
@@ -36,8 +36,8 @@ The custom host list should include: - All Microsoft Entra ID tenants to be targeted. If there are multiple tenants, the Connection Profile should contain a credential for each. - The host name must be the domain name of the tenant, for example `company.onmicrosoft.com`. See - the [Identify the Client ID](../../../config/entraid/access.md#identify-the-client-id) topic + the [Identify the Client ID](/docs/accessanalyzer/12.0/config/entraid/access.md#identify-the-client-id) topic for additional information. -See the [Add Hosts](../../hostmanagement/actions/add.md) topic for instructions on creating a custom +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for instructions on creating a custom static host list. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md index 613f540988..6abcafe2af 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md @@ -3,7 +3,7 @@ Use the Custom Attributes wizard page to define custom attributes that will be used in the Microsoft Entra ID scan. -![Entra ID Inventory Data Collector Wizard Custom Attributes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) +![Entra ID Inventory Data Collector Wizard Custom Attributes page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/customattributes.webp) Configuration options for Custom Attributes include: 
@@ -35,7 +35,7 @@ custom attributes to be gathered by the scan. Use the **Add** button to open the Input custom attributes from Microsoft Entra ID environments using the Custom Attribute pop-up window. -![Custom Attribute Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributewindow.webp) +![Custom Attribute Window](/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributewindow.webp) The options on the Custom Attributes window are: @@ -61,7 +61,7 @@ steps to use this window: **Step 1 –** On the Custom Attributes page of the Entra Inventory DC wizard, click **Import**. The Custom Attributes Import Wizard opens. -![Custom Attributes Import Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributesimportwizard.webp) +![Custom Attributes Import Wizard](/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributesimportwizard.webp) **Step 2 –** On the Connection page, enter the Tenant Name of the instance of Microsoft Entra ID to be targeted, and then select the method of supplying credentials for the specified tenant instance: 
@@ -76,8 +76,8 @@ be targeted, and then select the method of supplying credentials for the specifi **Settings** > **Connection** settings as a user defined profile. This ensures the connection profile displays in the dropdown menu. -See the [Microsoft Entra ID Auditing Configuration](../../../config/entraid/access.md) or the -[Microsoft Entra ID Connection Profile & Host List](configurejob.md) topics for additional +See the [Microsoft Entra ID Auditing Configuration](/docs/accessanalyzer/12.0/config/entraid/access.md) or the +[Microsoft Entra ID Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md) topics for additional information. **Step 3 –** Click **Test Connection** in order to connect to the tenant with the supplied @@ -86,7 +86,7 @@ available. Click **Next** to navigate to them. | | | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![customattributesimportwizardschema](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributesimportwizardapplication.webp) | +| ![customattributesimportwizardschema](/img/product_docs/accessanalyzer/admin/datacollector/azureadinventory/customattributesimportwizardapplication.webp) | | Schema Extended Attributes page | Application Extended Attributes page | **Step 4 –** On the Schema and Application Attributes pages, the wizard populates with the available diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/options.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/options.md index 7e90ab58e0..1ba49dbbf3 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/options.md @@ -3,7 +3,7 @@ The Options page provides scan options to use when gathering Microsoft Entra ID information. It is a wizard page for the Scan Entra ID category. -![Entra ID Inventory DC Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Entra ID Inventory DC Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Scan options for collecting Microsoft Entra ID information include: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md index 741d9206cb..21f4c2c8c4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md @@ -5,7 +5,7 @@ ID, formerly Azure Active Directory. This data collector is a core component of is preconfigured in the .Entra ID Inventory Solution. Both this data collector and the solution are available with all Access Analyzer license options. -See the [.Entra ID Inventory Solution](../../../solutions/entraidinventory/overview.md) topic for +See the [.Entra ID Inventory Solution](/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md) topic for additional information. Protocols 
@@ -47,13 +47,13 @@ The AzureADInventory Data Collector is configured through the Entra ID Inventory contains the following wizard pages: - Welcome -- [AzureADInventory: Category](category.md) -- [AzureADInventory: Options](options.md) -- [AzureADInventory: Custom Attributes](customattributes.md) -- [AzureADInventory: Results](results.md) -- [AzureADInventory: Summary](summary.md) +- [AzureADInventory: Category](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/category.md) +- [AzureADInventory: Options](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/options.md) +- [AzureADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md) +- [AzureADInventory: Results](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/results.md) +- [AzureADInventory: Summary](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/summary.md) -![Entra ID Inventory Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Entra ID Inventory Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) Hide the Welcome page the next time this data collected is accessed by selecting the **Do not display this page the next time** checkbox. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/results.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/results.md index 614b998c45..84feaf245b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/results.md 
@@ -3,7 +3,7 @@ The Results page is where the properties from Microsoft Entra ID to be gathered are selected. It is a wizard page for the category of Scan Entra ID. -![Entra ID Inventory DC Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Entra ID Inventory DC Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be checked individually or the **Select All** and **Clear All** buttons can be used. All checked properties are collected. This information is not available within the standard diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/summary.md index 87b8cdb71e..4b60f28bc4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for both of the categories. -![Entra ID Inventory DC Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Entra ID Inventory DC Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Entra ID Inventory DC Wizard to ensure that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/troubleshooting.md b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/troubleshooting.md index 7fcb861cde..caea365fdd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/troubleshooting.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/troubleshooting.md 
@@ -29,4 +29,4 @@ Error: An existing connection was forcible closed by the remote host Update the `` parameter to update the max delta token age. The default is 6. -See the [View Job XML File](../../jobs/job/properties/viewxml.md) topic for additional information. +See the [View Job XML File](/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/activityoperationscope.md b/docs/accessanalyzer/12.0/admin/datacollector/box/activityoperationscope.md index 2af4e94ed2..98ce70f058 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/activityoperationscope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/activityoperationscope.md @@ -3,7 +3,7 @@ The Activity Operation Scope page (ActivityOperationScope) is where Box Enterprise events can be selected or unselected for scans. It is a wizard page for the Scan Box Activity category. -![Box DC Wizard Activity Operation Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/activityoperation.webp) +![Box DC Wizard Activity Operation Scope page](/img/product_docs/accessanalyzer/admin/datacollector/box/activityoperation.webp) Event filters can be selected by group or the group may be expanded and the filters selected individually. All selected filters are gathered from the Box environment. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/activitytimeframescope.md b/docs/accessanalyzer/12.0/admin/datacollector/box/activitytimeframescope.md index f8566e56c0..769e42be63 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/activitytimeframescope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/activitytimeframescope.md 
@@ -3,7 +3,7 @@ The Activity Timespan Scope page (ActivityTimeframeScope) is where Box activity data collection is configured. It is a wizard page for the Scan Box Activity category. -![Box DC Wizard Activity Timespan Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/activitytimeframe.webp) +![Box DC Wizard Activity Timespan Scope page](/img/product_docs/accessanalyzer/admin/datacollector/box/activitytimeframe.webp) Select one of the following options to configure the timeframe for Box data collection: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/additionalscoping.md b/docs/accessanalyzer/12.0/admin/datacollector/box/additionalscoping.md index 50dc0e2dcd..724453dbb3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/additionalscoping.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/additionalscoping.md @@ -3,12 +3,12 @@ The Additional Scoping page is where the scan can be limited by depth of the scan. It is a wizard page for the Scan Box Permissions category. -![Box DC Wizard Additional Scoping page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/additionalscoping.webp) +![Box DC Wizard Additional Scoping page](/img/product_docs/accessanalyzer/admin/datacollector/box/additionalscoping.webp) Configure the scan depth level: - Limit scanned depth to: [number] level – Select the checkbox and set the scan depth level to the desired depth. If this checkbox is not selected, then the entire Box environment will be scanned, - according to the [Box: Exclusions Page](exclusions.md) settings. If the scoping depth is set to + according to the [Box: Exclusions Page](/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md) settings. If the scoping depth is set to **0** then only root will be scanned. Each increment will add another level of depth from root level. 
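Review bot: In the "Limit scanned depth to" bullet of additionalscoping.md, the same-directory link `exclusions.md` is replaced by the full `/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md`, which gains nothing for a sibling file and ties the link to the current location of the `box/` directory. The relative form survives a move or a copy of the directory as a unit; the absolute form does not. Suggest leaving sibling links relative and using absolute paths only for targets in other directories. The new line also overruns the wrap width of the surrounding bullet text.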
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/authenticate.md b/docs/accessanalyzer/12.0/admin/datacollector/box/authenticate.md index 9801088a2d..ff9c5be440 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/authenticate.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/authenticate.md @@ -3,12 +3,12 @@ The Authenticate page is where connection to the Box environment is configured. It is a wizard page for all categories. -![Box DC Wizard Authentication page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/authentication.webp) +![Box DC Wizard Authentication page](/img/product_docs/accessanalyzer/admin/datacollector/box/authentication.webp) Click **Authorize** to launch the BoxLogin window and generate an authorization code. This code will allow Access Analyzer to report on the Box Enterprise. -![BoxLogin window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/boxlogin.webp) +![BoxLogin window](/img/product_docs/accessanalyzer/admin/datacollector/box/boxlogin.webp) Enter an email address and password for an account with Enterprise Admin credentials in the targeted Box environment. Then click **Authorize** to grant access to Box and generate the code. The **Use diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/category.md b/docs/accessanalyzer/12.0/admin/datacollector/box/category.md index f8485181c2..d454c31b95 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/category.md 
@@ -2,7 +2,7 @@ Use the Category page to select the type of scan or import for the Box Enterprise targeted. -![Box DC Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Box DC Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The Box Data Collector contains the following query categories: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md b/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md index 53f8e8e3df..2bbdce3593 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md @@ -4,7 +4,7 @@ The Exclude or Include folders page (ExclusionsPage) is where the scan can be li to exclude folders within the Box Enterprise. It is a wizard page for of Scan Box Permissions category. -![Box DC Wizard Exclude or Include folders page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/exclusions.webp) +![Box DC Wizard Exclude or Include folders page](/img/product_docs/accessanalyzer/admin/datacollector/box/exclusions.webp) The options on the Exclusions Page are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md index 9fc5285b34..057faab987 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md 
@@ -8,7 +8,7 @@ necessary to deselect the **Skip Hosts that do not respond to PING** option on t The Box Data Collector has been preconfigured within the Box Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Box Solution](../../../solutions/box/overview.md) topic for additional information. +[Box Solution](/docs/accessanalyzer/12.0/solutions/box/overview.md) topic for additional information. Protocols 
@@ -30,21 +30,21 @@ The Box Data Collector is configured through the Box Data Collector Wizard. The following pages, which change based up on the query category selected: - Welcome -- [Box: Category](category.md) -- [Box: Exclusions Page](exclusions.md) -- [Box: Scope by User Page](scopebyuser.md) -- [Box: Additional Scoping](additionalscoping.md) -- [Box: Activity Timeframe Scope](activitytimeframescope.md) -- [Box: Activity Operation Scope](activityoperationscope.md) -- [Box: Authenticate](authenticate.md) -- [Box: Results](results.md) -- [Box: Summary](summary.md) +- [Box: Category](/docs/accessanalyzer/12.0/admin/datacollector/box/category.md) +- [Box: Exclusions Page](/docs/accessanalyzer/12.0/admin/datacollector/box/exclusions.md) +- [Box: Scope by User Page](/docs/accessanalyzer/12.0/admin/datacollector/box/scopebyuser.md) +- [Box: Additional Scoping](/docs/accessanalyzer/12.0/admin/datacollector/box/additionalscoping.md) +- [Box: Activity Timeframe Scope](/docs/accessanalyzer/12.0/admin/datacollector/box/activitytimeframescope.md) +- [Box: Activity Operation Scope](/docs/accessanalyzer/12.0/admin/datacollector/box/activityoperationscope.md) +- [Box: Authenticate](/docs/accessanalyzer/12.0/admin/datacollector/box/authenticate.md) +- [Box: Results](/docs/accessanalyzer/12.0/admin/datacollector/box/results.md) +- [Box: Summary](/docs/accessanalyzer/12.0/admin/datacollector/box/summary.md) The Welcome page gives an overview of the data collector. To proceed through the pages, click **Next** or use the Steps navigation pane to open another page in the wizard. Review the introductory and caution information about the Box Data Collector before proceeding. 
-![Box DC Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Box DC Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by checking the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/results.md b/docs/accessanalyzer/12.0/admin/datacollector/box/results.md index 4ebb2be42b..8ad9c25a09 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/results.md @@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all categories. -![Box DC Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Box DC Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Select All** or **Clear All** buttons can be used. All selected properties will be gathered. Available properties vary based on the category selected. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/scopebyuser.md b/docs/accessanalyzer/12.0/admin/datacollector/box/scopebyuser.md index 13d18af668..9c8affd19b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/scopebyuser.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/scopebyuser.md 
@@ -4,7 +4,7 @@ The User Scope Settings page (ScopeByUserPage) is where the scope of the scan ca specified users and the resulting scan will only scan for the specified users. It is a wizard page for the Scan Box Permissions category. -![Box DC Wizard User Scope Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/scopebyuser.webp) +![Box DC Wizard User Scope Settings page](/img/product_docs/accessanalyzer/admin/datacollector/box/scopebyuser.webp) Select whether to scan **All Users** or **Limited Users**. If scanning for **Limited Users**, click **Browse** and navigate to the path of the CSV file that contains the email addresses of users to be diff --git a/docs/accessanalyzer/12.0/admin/datacollector/box/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/box/summary.md index 330b048513..79e0b4369f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/box/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/box/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![Box DC Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Box DC Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Box Data Collector Wizard ensuring that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/definefields.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/definefields.md index c4be866346..5e3b1036c8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/definefields.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/definefields.md 
@@ -3,7 +3,7 @@ The Define Fields page provides options to define and configure fields for the Command Line Utility output. It is a wizard page for the **Edit Profile** and **Create a New Profile** profile types. -![Command Line Utility Data Collector Wizard Define Fields page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/definefields.webp) +![Command Line Utility Data Collector Wizard Define Fields page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/definefields.webp) **CAUTION:** Do not modify this page without guidance from Netwrix or the data may not be processed by Access Analyzer. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/executionoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/executionoptions.md index b844149b1d..137c5b99cc 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/executionoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/executionoptions.md @@ -3,7 +3,7 @@ The Execution Options page provides options to define the mode of execution. It is a wizard page for the **Edit Profile** and **Create a New Profile** selections on the Profile Type page. -![Command Line Utility Data Collector Wizard Execution Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/executionoptions.webp) +![Command Line Utility Data Collector Wizard Execution Options page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/executionoptions.webp) The available options on the page vary depending on the selected profile type. The possible options are as follows: 
@@ -24,7 +24,7 @@ The output options include: - Preserve Output file – Stores the output file on the local machine - .Exe Present in Installed CLU Directory – Select the checkbox if the .exe utility is present in the installed CLU directory. The path on the Profile Parameters page should be the utility name - instead of the full path. See the [CLU: Profile Parameters](profileparameters.md) topic for + instead of the full path. See the [CLU: Profile Parameters](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md) topic for additional information. Remote Execution Options diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/overview.md index 1065e06cca..c4763c463d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/overview.md 
@@ -26,15 +26,15 @@ configured through the Command Line Utility Data Collector Wizard, which contain pages: - Welcome -- [CLU: Profile Type](profiletype.md) -- [CLU: Profile Parameters](profileparameters.md) -- [CLU: Execution Options](executionoptions.md) -- [CLU: Define Fields](definefields.md) -- [CLU: Script Editor](scripteditor.md) -- [CLU: Results](results.md) -- [CLU: Summary](summary.md) - -![Command Line Utility Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [CLU: Profile Type](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profiletype.md) +- [CLU: Profile Parameters](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md) +- [CLU: Execution Options](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/executionoptions.md) +- [CLU: Define Fields](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/definefields.md) +- [CLU: Script Editor](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/scripteditor.md) +- [CLU: Results](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/results.md) +- [CLU: Summary](/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/summary.md) + +![Command Line Utility Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md index cdb325afc9..f104022acb 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profileparameters.md 
@@ -4,7 +4,7 @@ The Profile Parameters page provides settings to configure the parameters for th wizard page for the **Edit Profile** or **Create a New Profile** selections on the Profile Type page. -![Command Line Utility Data Collector Wizard Profile Parameters page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/profileparameters.webp) +![Command Line Utility Data Collector Wizard Profile Parameters page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/profileparameters.webp) Profile parameters include: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profiletype.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profiletype.md index 9fb2f4cdfc..9f78f6ea3f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profiletype.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/profiletype.md @@ -2,7 +2,7 @@ The Profile Type page contains options to select a new or existing profile. -![Command Line Utility Data Collector Wizard Profile Type page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/profiletype.webp) +![Command Line Utility Data Collector Wizard Profile Type page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/profiletype.webp) The options on the Profile Type page are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/results.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/results.md index ff512a277b..7a10276cea 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/results.md 
@@ -3,7 +3,7 @@ The Results page is where the properties to be returned as columns in the results table are selected. It is a wizard page for all profile types. -![Command Line Utility Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Command Line Utility Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Select one or more properties to be returned as columns in the results table. Click **Select All** to select all of the properties, or click **Clear All** to clear all the currently selected diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/scripteditor.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/scripteditor.md index 6e689446d2..b5bbc15540 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/scripteditor.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/scripteditor.md @@ -5,7 +5,7 @@ parse the output file created by the data collector after execution. The Script enabled when **Edit Profile** or **Create a New Profile** is selected on the Profile Type page. The page is disabled when the **Select Profile** option is selected on the Profile Type page. -![Command Line Utility Data Collector Wizard Script Editor page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/scripteditor.webp) +![Command Line Utility Data Collector Wizard Script Editor page](/img/product_docs/accessanalyzer/admin/datacollector/commandlineutility/scripteditor.webp) **CAUTION:** Do not modify this page without guidance from Netwrix or the data may not be processed by Access Analyzer. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/summary.md index 0df7778060..72f86f3ff7 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/commandlineutility/summary.md @@ -3,7 +3,7 @@ The Summary page provides a summary of the query that has been created or edited. It is a wizard page for all profile types. -![Command Line Utility Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Command Line Utility Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Command Line Utility Data Collector Wizard to ensure that no diff --git a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/overview.md index 2c83432928..20ec99ab37 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/overview.md 
@@ -25,11 +25,11 @@ The DiskInfo Data Collector is configured through the Disk Info wizard, which co wizard pages: - Welcome -- [DiskInfo: Target Disks](targetdisks.md) -- [DiskInfo: Results](results.md) -- [DiskInfo: Summary](summary.md) +- [DiskInfo: Target Disks](/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/targetdisks.md) +- [DiskInfo: Results](/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/results.md) +- [DiskInfo: Summary](/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/summary.md) -![Disk Info wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Disk Info wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/results.md b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/results.md index 3d7ec69a3f..41b915b7d0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/results.md @@ -4,7 +4,7 @@ The Results page provides a checklist of the data that is available for return b number of options can be selected at once, but at least one must be selected in order to complete the wizard. -![Disk Info wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Disk Info wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually, or you can use the **Select all** and **Clear all** buttons. The table below describes the available options. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/summary.md index 785477ab1c..e856a37396 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. -![Disk Info wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Disk Info wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Disk Info Data Collector Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/targetdisks.md b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/targetdisks.md index 732a0c4dcc..748ef8d908 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/targetdisks.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/diskinfo/targetdisks.md @@ -3,7 +3,7 @@ The Target Disks page provides a selection of storage devices from which to return data from the target host after a query. -![Disk Info wizard Target Disks page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/targetdisks.webp) +![Disk Info wizard Target Disks page](/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/targetdisks.webp) Use the options to select the desired target disk. 
@@ -33,7 +33,7 @@ Clicking the browse button on the Target Disks wizard page opens the Access Anal Browser. Use this page to find registry keys and values that exist on a target host in the environment. -![Registry Browser](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/registrybrowser.webp) +![Registry Browser](/img/product_docs/accessanalyzer/admin/datacollector/diskinfo/registrybrowser.webp) The configurable options on the Registry Browser are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dns/category.md b/docs/accessanalyzer/12.0/admin/datacollector/dns/category.md index 077a519674..ad180bbd5a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dns/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dns/category.md @@ -3,7 +3,7 @@ The DNS Data Collector Category page contains the following query categories, sub-divided by auditing focus: -![Domain Name System Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Domain Name System Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) - DNS Configuration – Collect data from the DNS configuration diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dns/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/dns/overview.md index 23b715c076..bcb1010339 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dns/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dns/overview.md 
@@ -23,11 +23,11 @@ The DNS Data Collector is configured through the Domain Name System Data Collect contains the following wizard pages: - Welcome -- [DNS: Category](category.md) -- [DNS: Results](results.md) -- [DNS: Summary](summary.md) +- [DNS: Category](/docs/accessanalyzer/12.0/admin/datacollector/dns/category.md) +- [DNS: Results](/docs/accessanalyzer/12.0/admin/datacollector/dns/results.md) +- [DNS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/dns/summary.md) -![Domain Name System Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Domain Name System Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the Do not display this page the next time checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dns/results.md b/docs/accessanalyzer/12.0/admin/datacollector/dns/results.md index 3132085ad4..4285f9c649 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dns/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dns/results.md @@ -3,7 +3,7 @@ The Results page is where DNS properties to be gathered are selected. It is a wizard page for all categories. -![Domain Name System Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Domain Name System Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Available properties can be selected individually, or the **Select All**, **Clear All**, and **Reset to defaults** buttons can be used. All selected properties are gathered. Available properties vary 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dns/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/dns/summary.md index 16d5cc8fd8..515811e1ae 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dns/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dns/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all categories. -![Domain Name System Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Domain Name System Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Domain Name System Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/category.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/category.md index 56a36b8dcd..0db5903e87 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/category.md @@ -3,7 +3,7 @@ Use the Category Selection Page to identify the type of information to retrieve. The DropboxAccess Data Collector contains the following query categories, sub-divided by auditing focus: -![Dropbox Access Auditor Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Dropbox Access Auditor Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) - The Dropbox Access Audits scans for Dropbox access information: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/completion.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/completion.md index 1a06a3e4c7..60f8e073d2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/completion.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/completion.md @@ -3,7 +3,7 @@ The Completion page, is where configuration settings are summarized. This page is a wizard page for all categories. -![Dropbox Access Auditor Data Collector Wizard Completion page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/completion.webp) +![Dropbox Access Auditor Data Collector Wizard Completion page](/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/completion.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Dropbox Access Auditor Data Collector Wizard ensuring that no @@ -11,5 +11,5 @@ accidental clicks are saved. _Remember,_ if an Access Token was generated, use it as the credential within the Connection Profile. Then assign it to the job group or job which will be scanning the targeted Dropbox -environment. See the [Custom Dropbox Connection Profile & Host List](configurejob.md) topic for +environment. See the [Custom Dropbox Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md index f4493b2913..8f6cf3cc7b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md 
@@ -12,13 +12,13 @@ Create a Connection Profile and set the following information on the User Creden - Select Account Type – Dropbox - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Access Token – Copy and paste the Access Token after it has been generated from the Scan Options page of the Dropbox Access Auditor Data Collector Wizard. See the - [DropboxAccess: Scan Options](scanoptions.md) topic for additional information. + [DropboxAccess: Scan Options](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md) topic for additional information. -See the [Connection](../../settings/connection/overview.md) topic for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Host List diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md index c09f1b30dc..a289008568 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md 
@@ -3,7 +3,7 @@ Use the DLP Audit Settings page to configure sensitive data discovery settings. This page is a wizard page for the Scan for Sensitive Content category. -![Dropbox Access Auditor Data Collector Wizard DLP Audit Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/dlpauditsettings.webp) +![Dropbox Access Auditor Data Collector Wizard DLP Audit Settings page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/dlpauditsettings.webp) Configure the DLP audit settings: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/overview.md index c877fee8e3..ef12db27c4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/overview.md @@ -5,7 +5,7 @@ environment. Dropbox can scan the contents of over 400 file types to discover wh sensitive data using Sensitive Data Discovery. The DropboxAccess Data Collector has been preconfigured within the Dropbox Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Dropbox Solution](../../../solutions/dropbox/overview.md) topic for additional information. +[Dropbox Solution](/docs/accessanalyzer/12.0/solutions/dropbox/overview.md) topic for additional information. Protocols 
@@ -34,14 +34,14 @@ Wizard. The wizard contains the following pages, which change based upon the que selected: - Welcome -- [DropboxAccess: Category](category.md) -- [DropboxAccess: Scan Options](scanoptions.md) -- [DropboxAccess: Scoping](scoping.md) -- [DropboxAccess: DLP Audit Settings](dlpauditsettings.md) -- [DropboxAccess: Select DLP Criteria](selectdlpcriteria.md) -- [DropboxAccess: Summary (Completion)](completion.md) - -![Dropbox Access Auditor Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [DropboxAccess: Category](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/category.md) +- [DropboxAccess: Scan Options](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md) +- [DropboxAccess: Scoping](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md) +- [DropboxAccess: DLP Audit Settings](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md) +- [DropboxAccess: Select DLP Criteria](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md) +- [DropboxAccess: Summary (Completion)](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/completion.md) + +![Dropbox Access Auditor Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md index d53dc9bf8f..bfa9d44037 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md 
@@ -14,22 +14,22 @@ The Scan Options page is a wizard page for the following categories: Follow the steps to create the Access Token: -![Dropbox Access Auditor Data Collector Wizard Scan Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptions.webp) +![Dropbox Access Auditor Data Collector Wizard Scan Options page](/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptions.webp) **Step 1 –** Click the **Authorize** button to access the Dropbox Authentication page. -![Dropbox Log in page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptionsdropboxlogin.webp) +![Dropbox Log in page](/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptionsdropboxlogin.webp) **Step 2 –** On the Dropbox Authentication page, log in as the Team Administrator. -![Copy Access Token](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptionsaccesstoken.webp) +![Copy Access Token](/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scanoptionsaccesstoken.webp) **Step 3 –** Once the Access Token has been generated, click **Copy to Clipboard**. Click **Next** to finish choosing the configuration options or click **Cancel** to close the Dropbox Access Auditor Data Collector Wizard. Create a Connection Profile using this access token as the credential. See the -[Custom Dropbox Connection Profile & Host List](configurejob.md) topic for additional information on +[Custom Dropbox Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md) topic for additional information on configuring the Dropbox credential. _Remember,_ assign this Connection Profile to the job group or job where the host assignment for the 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md index 83997ebe53..9cdc1f6dc9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md @@ -6,7 +6,7 @@ limit the scan to specific users. The page is a wizard page for the following ca - Scan Dropbox Access - Scan for Sensitive Content -![Dropbox Access Auditor Data Collector Wizard Scoping Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scoping.webp) +![Dropbox Access Auditor Data Collector Wizard Scoping Settings page](/img/product_docs/accessanalyzer/admin/datacollector/dropboxaccess/scoping.webp) Use the scoping options to select the depth of the scan: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md index 023d8526b5..ef0112ecf4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md @@ -3,7 +3,7 @@ Use the Select DLP criteria for this scan page to configure criteria to use for discovering sensitive data. It is a wizard page for the Scan for Sensitive Content category. -![Dropbox Access Auditor Data Collector Wizard Select DLP criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/selectdlpcriteria.webp) +![Dropbox Access Auditor Data Collector Wizard Select DLP criteria page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/selectdlpcriteria.webp) Select the checkbox next to each criteria to be included in the search for sensitive data. You can also use the **Select All** and **Clear All** buttons. 
@@ -15,5 +15,5 @@ The table contains the following types of criteria: Use the **Edit** button to access the Criteria Editor where user-defined criteria can be created or customized. See the -[Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/entra/options.md b/docs/accessanalyzer/12.0/admin/datacollector/entra/options.md index c299ac684f..d2ec50a26d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/entra/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/entra/options.md @@ -2,7 +2,7 @@ The Scan options page provides options to use when gathering Microsoft Entra Roles information. -![Scan options page of the Entra Data Collector Wizard](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Scan options page of the Entra Data Collector Wizard](/img/product_docs/accessanalyzer/install/application/options.webp) The scan options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/entra/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/entra/overview.md index 8d03d419a9..3c1b180875 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/entra/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/entra/overview.md @@ -5,7 +5,7 @@ tenant. This data collector is preconfigured in the .Entra ID Inventory solutio Both this data collector and the .Entra Inventory solution are available with all Access Analyzer license options. See the -[.Entra ID Inventory Solution](../../../solutions/entraidinventory/overview.md) topic for additional +[.Entra ID Inventory Solution](/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md) topic for additional information. Protocols 
@@ -40,6 +40,6 @@ Permissions The Entra data collector is configured through the Entra Data Collector Wizard, which contains the following wizard pages: -- [Entra: Scan options](options.md) -- [Entra: Results](results.md) -- [Entra: Summary](summary.md) +- [Entra: Scan options](/docs/accessanalyzer/12.0/admin/datacollector/entra/options.md) +- [Entra: Results](/docs/accessanalyzer/12.0/admin/datacollector/entra/results.md) +- [Entra: Summary](/docs/accessanalyzer/12.0/admin/datacollector/entra/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/entra/results.md b/docs/accessanalyzer/12.0/admin/datacollector/entra/results.md index d98b719662..517574ed74 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/entra/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/entra/results.md @@ -2,7 +2,7 @@ The Results page is where the properties from Microsoft Entra ID to be gathered are selected. -![Results page of the Entra Data Collector Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Results page of the Entra Data Collector Wizard](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Select All** and **Clear All** buttons can be used. All selected properties are collected. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/entra/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/entra/summary.md index 633863e82f..b5a4643fea 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/entra/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/entra/summary.md 
@@ -2,7 +2,7 @@ The Summary page is where configuration settings are summarized. -![Summary page of the Entra Data Collector Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Summary page of the Entra Data Collector Wizard](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Entra Data Collector Wizard to ensure that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/eventlog.md b/docs/accessanalyzer/12.0/admin/datacollector/eventlog.md index 0b605289c7..177e4dd977 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/eventlog.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/eventlog.md @@ -23,7 +23,7 @@ Permissions The EventLog Data Collector is configured through the Event Log Browser window. -![Event Log Browser window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/eventlogbrowser.webp) +![Event Log Browser window](/img/product_docs/accessanalyzer/admin/datacollector/eventlogbrowser.webp) Sample diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/category.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/category.md index 94e75af519..d8e74978a6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/category.md 
@@ -2,7 +2,7 @@ The Category page identifies which type of EWSMailbox information is retrieved during the scan. -![EWS Mailbox Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![EWS Mailbox Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) Identify the EWS mailbox information type using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md index 49a4a43c68..832a483fcd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md @@ -3,13 +3,13 @@ The Select DLP criteria for this scan page is where to select the criteria to use for the sensitive data scan are selected. It is a wizard page for the Sensitive Data category. -![EWS Mailbox Data Collector Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![EWS Mailbox Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The options on the Criteria page are: - Use Global Criterion Selection – Select this option to inherit sensitive data criteria settings from the **Settings** > **Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for - Select All - Click **Select All** to enable all sensitive data criteria for scanning 
@@ -24,5 +24,5 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in **Settings** > **Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filter.md index 5847f5cbda..8b75ea50bd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filter.md @@ -7,7 +7,7 @@ the categories of: - Mailbox permissions - Sensitive data -![EWS Mailbox Data Collector Wizard Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![EWS Mailbox Data Collector Wizard Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) All folders and attachments are scanned by default. Scope the scan for specific folders and attachments: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.md index 71e65908de..fd6ec04522 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.md 
@@ -2,7 +2,7 @@ Use the BodyOptions page to select the size unit of messages. -![Filter Wizard BodyOptions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.webp) +![Filter Wizard BodyOptions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.webp) Select the desired message size unit: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/folderconditions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/folderconditions.md index ed9f1e4f11..ed6c28326c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/folderconditions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/folderconditions.md @@ -2,7 +2,7 @@ Use the Folder Conditions page to apply folder-related filter criteria to the search. -![Filter Wizard Folder Conditions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) +![Filter Wizard Folder Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) Customize folder search conditions using the following options: @@ -26,7 +26,7 @@ Customize folder search conditions using the following options: Use the Folder Type window to determine folder types to search for. The Folder Type window opens if **specific** is selected in the Edit Conditions box on the Folder Conditions page. -![Folder Type window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) +![Folder Type window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) Select the checkbox next to any folder type to include it in the search filter. 
@@ -35,7 +35,7 @@ Select the checkbox next to any folder type to include it in the search filter. Use the Search Terms window to determine terms for the search. The Search Terms window opens if **search terms** is selected in the Edit Conditions box. -![Search Terms window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Determine terms for the search using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/messageconditions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/messageconditions.md index 79f7b9dd59..45087ef791 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/messageconditions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/messageconditions.md @@ -2,7 +2,7 @@ Use the Message Conditions page to apply filters to the message category part of the search. -![Filter Wizard Message Conditions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) +![Filter Wizard Message Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) Customize message search filter conditions using the following options: 
@@ -59,7 +59,7 @@ Customize message search filter conditions using the following options: Use the MessageClasses window to alter criteria related to message class. The Message Classes window opens if **specific** is clicked in the Edit Conditions box on the Message Conditions page. -![MessagesClasses window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassesmessage.webp) +![MessagesClasses window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassesmessage.webp) Determine MessageClass-related criteria using the following options: @@ -82,7 +82,7 @@ Use the Date Range Selection window to select a time period or range for the sea Selection window opens if **in specific date** is clicked in the Edit Conditions box on the Message Conditions page. -![Date Range Selection window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionmessage.webp) +![Date Range Selection window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionmessage.webp) Determine the time period or range of the search using the following options: @@ -97,7 +97,7 @@ Determine the time period or range of the search using the following options: Use the Search Terms window to determine terms for the search. The Search Terms window opens if **search terms** is selected in the Edit Conditions box. -![Search Terms window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Determine terms for the search using the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/savefilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/savefilter.md index 64d4d9f8af..cd20d02aad 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/savefilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/savefilter.md @@ -2,7 +2,7 @@ Use the Save Filter Page to name and describe the custom filter created in the wizard. -![Filter Wizard Save Filter page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/savefilter.webp) +![Filter Wizard Save Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/savefilter.webp) Label the custom filter using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/searchfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/searchfilter.md index cd075a60e3..c956da81ff 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/searchfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/searchfilter.md @@ -2,7 +2,7 @@ Use the Search Filter page to choose a filter template for the search. -![Filter Wizard Search Filter page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) +![Filter Wizard Search Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) Customize folder search conditions using the following options: 
@@ -31,7 +31,7 @@ Use the MessageClasses window to alter criteria related to message class. The Me opens if **Ipm.Note** or **Ipm.Appointment** is clicked in the Edit Conditions box on the Search Filter page. -![MessagesClasses window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassessearchfilter.webp) +![MessagesClasses window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassessearchfilter.webp) Determine MessageClass-related criteria using the following options: @@ -54,7 +54,7 @@ Use the Date Range Selection window to select a time period or range for the sea Selection window opens if **over 90 Day ago** is clicked in the Edit Conditions box on the Search Filter page. -![Date Range Selection window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionsearchfilter.webp) +![Date Range Selection window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionsearchfilter.webp) Determine the time period or range of the search using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/options.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/options.md index a94f7742a2..10b8022428 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/options.md @@ -2,7 +2,7 @@ The Scan options page provides general scan options. It is a wizard page for all categories. -![EWS Mailbox Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![EWS Mailbox Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Select the checkboxes to apply any desired scan options: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md index e742d19702..692530a283 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md @@ -3,7 +3,7 @@ The EWSMailbox Data Collector provides configuration options to scan mailbox contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols 
@@ -36,13 +36,13 @@ which contains the following wizard pages: **NOTE:** The Category selected may alter the subsequent steps displayed by the wizard. -- [EWSMailbox: Category](category.md) -- [EWSMailbox: Options](options.md) -- [EWSMailbox: Scope](scope.md) -- [EWSMailbox: Scope Select](scopeselect.md) -- [EWSMailbox: SDD Options](sddoptions.md) -- [EWSMailbox: Criteria](criteria.md) -- [EWSMailbox: Filter](filter.md) -- [EWSMailbox: Search Filter](searchfilter.md) -- [EWSMailbox: Results](results.md) -- [EWSMailbox: Summary](summary.md) +- [EWSMailbox: Category](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/category.md) +- [EWSMailbox: Options](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/options.md) +- [EWSMailbox: Scope](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md) +- [EWSMailbox: Scope Select](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md) +- [EWSMailbox: SDD Options](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md) +- [EWSMailbox: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md) +- [EWSMailbox: Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filter.md) +- [EWSMailbox: Search Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/searchfilter.md) +- [EWSMailbox: Results](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md) +- [EWSMailbox: Summary](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md index 5f131577b2..b05171cda3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md 
@@ -3,7 +3,7 @@ Use the Results page to select which properties are gathered out of those available for the category. It is a wizard page for all of the categories. -![EWS Mailbox Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![EWS Mailbox Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Select criteria using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md index 74c7e67642..5249c1896f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md @@ -3,10 +3,10 @@ The Mailbox scope settings page is used to select which mailboxes are searched by the scan. It is a wizard page for all categories. -![EWS Mailbox Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![EWS Mailbox Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) Select an option to specify which mailboxes are searched: - All mailboxes – Search all mailboxes - Select mailboxes from list – Search only specific selected mailboxes. This option enables the - [EWSMailbox: Scope Select](scopeselect.md) page. + [EWSMailbox: Scope Select](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md) page. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md index 841bf39120..8015050b96 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md 
@@ -2,9 +2,9 @@ The Scope select page is used to select specific mailboxes to scan. It is a wizard page for all categories when the **Select mailboxes from list** option is selected on the -[EWSMailbox: Scope](scope.md) page. +[EWSMailbox: Scope](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md) page. -![EWS Mailbox Data Collector Wizard Scope select page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/scopeselect.webp) +![EWS Mailbox Data Collector Wizard Scope select page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/scopeselect.webp) Use the following options to scope the scan to specific mailboxes: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md index 9f4ef5076d..baa34a4f01 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md @@ -3,7 +3,7 @@ The Sensitive data scan options page is where options to be used for discovering sensitive data are configured. It is a wizard page for the Sensitive Data category. -![EWS Mailbox Data Collector Wizard SDD Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) +![EWS Mailbox Data Collector Wizard SDD Options page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) Select the applicable Sensitive data scan options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/searchfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/searchfilter.md index 65ee040e8c..29519a0892 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/searchfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/searchfilter.md 
@@ -3,7 +3,7 @@ The Search filter settings page applies a filter used to search mailboxes in the environment. It is a wizard page for the Mailbox Search categories. -![EWS Mailbox Data Collector Wizard Search filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) +![EWS Mailbox Data Collector Wizard Search filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) Click **Add Filter** to open the Filter Wizard. @@ -11,8 +11,8 @@ Click **Add Filter** to open the Filter Wizard. The Filter Wizard manages properties of the search filter. The Filter Wizard pages are: -- [EWSMailbox FW: Search Filter](filterwizard/searchfilter.md) -- [EWSMailbox FW: Folder Conditions](filterwizard/folderconditions.md) -- [EWSMailbox FW: Message Conditions](filterwizard/messageconditions.md) -- [EWSMailbox FW: BodyOptions](filterwizard/bodyoptions.md) -- [EWSMailbox FW: Save Filter](filterwizard/savefilter.md) +- [EWSMailbox FW: Search Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/searchfilter.md) +- [EWSMailbox FW: Folder Conditions](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/folderconditions.md) +- [EWSMailbox FW: Message Conditions](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/messageconditions.md) +- [EWSMailbox FW: BodyOptions](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.md) +- [EWSMailbox FW: Save Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/filterwizard/savefilter.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/summary.md index f944eb70bd..6772572dcf 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It wizard page for all categories. -![EWS Mailbox Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![EWS Mailbox Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the EWS Mailbox Data Collector Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/category.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/category.md index f9c14a54e4..c4177360a6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/category.md @@ -2,7 +2,7 @@ The Category page contains the following Exchange Web Service categories to search: -![EWS Public Folder Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![EWS Public Folder Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) Select which type of EWS public folder information to retrieve from the following: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md index 7874c51d62..1458d68f6a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md 
@@ -3,13 +3,13 @@ Use the Select DLP criteria for this scan page to select criteria for the sensitive data scan. It is a wizard page for the Sensitive Data category. -![EWS Public Folder Data Collector Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![EWS Public Folder Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The options on the Criteria page are: - Use Global Criterion Selection – Select this option to inherit sensitive data criteria settings from the **Settings** > **Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for - Select All - Click **Select All** to enable all sensitive data criteria for scanning @@ -24,5 +24,5 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in **Settings** > **Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md index d18979d168..be0e818960 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md 
@@ -7,7 +7,7 @@ the categories of: - Public Folder permissions - Sensitive Data -![EWS Public Folder Data Collector Wizard Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![EWS Public Folder Data Collector Wizard Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) All folders and attachments are scanned by default. Scope the scan for specific folders and attachments: @@ -29,7 +29,7 @@ and selecting the desired folders. Follow the steps to filter the scan by selecting public folders from a list. -![Choose folder to include window on Filter settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewspublicfolder/filterpublicfolders.webp) +![Choose folder to include window on Filter settings page](/img/product_docs/accessanalyzer/admin/datacollector/ewspublicfolder/filterpublicfolders.webp) **Step 1 –** Click the **+** button to the right of the Include Folders or Exclude Folders box to open the Choose folders to include or Choose folders to exclude window. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/bodyoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/bodyoptions.md index f8c898b05e..2a40e4c919 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/bodyoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/bodyoptions.md @@ -2,7 +2,7 @@ The BodyOptions page is where the size of messages is selected. -![Filter Wizard BodyOptions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.webp) +![Filter Wizard BodyOptions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/bodyoptions.webp) Select the desired message size unit: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/folderconditions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/folderconditions.md index cf0d7b61c0..f08b6f97ef 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/folderconditions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/folderconditions.md @@ -2,7 +2,7 @@ The Folder Conditions page is where folder-related filter criteria can be applied to the search. -![Filter Wizard Folder Conditions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) +![Filter Wizard Folder Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/folderconditions.webp) Customize folder search conditions using the following options: @@ -26,7 +26,7 @@ Customize folder search conditions using the following options: Use the Folder Type window to determine folder types to search for. The Folder Type window opens if **specific** is selected in the Edit Conditions box on the Folder Conditions page. -![Folder Type window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) +![Folder Type window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/foldertypewindow.webp) Select the checkbox next to any folder type to include it in the search filter. 
@@ -35,7 +35,7 @@ Select the checkbox next to any folder type to include it in the search filter. Use the Search Terms window to determine terms for the search. The Search Terms window opens if **search terms** is selected in the Edit Conditions box. -![Search Terms window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Determine terms for the search using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/messageconditions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/messageconditions.md index 4b1c79aa28..19803a0010 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/messageconditions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/messageconditions.md @@ -2,7 +2,7 @@ Use the Message Conditions page to apply filters to the message category part of the search. -![Filter Wizard Message Conditions page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) +![Filter Wizard Message Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageconditions.webp) Customize message search filter conditions using the following options: 
@@ -57,7 +57,7 @@ Customize message search filter conditions using the following options: Use the MessageClasses window to alter criteria related to message class. The Message Classes window opens if **specific** is clicked in the Edit Conditions box on the Message Conditions page. -![MessagesClasses window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassesmessage.webp) +![MessagesClasses window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassesmessage.webp) Determine MessageClass-related criteria using the following options: @@ -80,7 +80,7 @@ Use the Date Range Selection window to select a time period or range for the sea Selection window opens if **in specific date** is clicked in the Edit Conditions box on the Message Conditions page. -![Date Range Selection window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionmessage.webp) +![Date Range Selection window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionmessage.webp) Determine the time period or range of the search using the following options: @@ -95,7 +95,7 @@ Determine the time period or range of the search using the following options: Use the Search Terms window to determine terms for the search. The Search Terms window opens if **search terms** is selected in the Edit Conditions box. -![Search Terms window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) +![Search Terms window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/searchtermswindow.webp) Determine terms for the search using the following options: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/savefilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/savefilter.md index a0ea6da799..26ccea9f53 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/savefilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/savefilter.md @@ -2,7 +2,7 @@ Use the Save Filter Page to name and describe the custom filter created in the wizard. -![Filter Wizard Save Filter page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/savefilter.webp) +![Filter Wizard Save Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/savefilter.webp) Label the custom filter using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/searchfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/searchfilter.md index cb3a39acbc..42f30ae9db 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/searchfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/searchfilter.md @@ -2,7 +2,7 @@ Use the Search Filter page to choose a filter template for the search. -![Filter Wizard Search Filter page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) +![Filter Wizard Search Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) Customize folder search conditions using the following options: 
@@ -31,7 +31,7 @@ Use the MessageClasses window to alter criteria related to message class. The Me opens if **Ipm.Note** or **Ipm.Appointment** is clicked in the Edit Conditions box on the Search Filter page. -![MessagesClasses window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassessearchfilter.webp) +![MessagesClasses window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/messageclassessearchfilter.webp) Determine MessageClass-related criteria using the following options: @@ -54,7 +54,7 @@ Use the Date Range Selection window to select a time period or range for the sea Selection window opens if **over 90 Day ago** is clicked in the Edit Conditions box on the Search Filter page. -![Date Range Selection window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionsearchfilter.webp) +![Date Range Selection window](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filterwizard/daterangeselectionsearchfilter.webp) Determine the time period or range of the search using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/options.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/options.md index 8fab67c84c..9bbdc91196 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/options.md @@ -2,7 +2,7 @@ The Scan options page provides general scan options. It is a wizard page for all of the categories. -![options](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![options](/img/product_docs/accessanalyzer/install/application/options.webp) Select any desired scan options: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md index 568fcd5f3d..8e4e1e9445 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md @@ -3,7 +3,7 @@ The EWSPublicFolder Data Collector provides configuration options to extract public folder contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols 
@@ -36,11 +36,11 @@ Wizard. The wizard contains the following pages: **NOTE:** The Category selected may alter the subsequent steps displayed by the wizard. -- [EWSPublicFolder: Category](category.md) -- [EWSPublicFolder: Options](options.md) -- [EWSPublicFolder: SDD Options](sddoptions.md) -- [EWSPublicFolder: Critieria](critieria.md) -- [EWSPublicFolder: Filter](filter.md) -- [EWSPublicFolder: Search Filter](searchfilter.md) -- [EWSPublicFolder: Results](results.md) -- [EWSPublicFolder: Summary](summary.md) +- [EWSPublicFolder: Category](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/category.md) +- [EWSPublicFolder: Options](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/options.md) +- [EWSPublicFolder: SDD Options](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md) +- [EWSPublicFolder: Critieria](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md) +- [EWSPublicFolder: Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md) +- [EWSPublicFolder: Search Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/searchfilter.md) +- [EWSPublicFolder: Results](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md) +- [EWSPublicFolder: Summary](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md index 008e6cd0c8..56dd1ebf08 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md 
@@ -3,7 +3,7 @@ The Results page is used to select which properties will be gathered out of those available for the category. It is a wizard page for all of the categories. -![EWS Public Folder Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![EWS Public Folder Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Select criteria using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md index ad7a5c21f8..c11bba4485 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md @@ -3,7 +3,7 @@ Use the Sensitive data scan options page to configure options to for discovering sensitive data. It is a wizard page for the Sensitive Data category. -![EWS Public Folder Data Collector Wizard SDD Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) +![EWS Public Folder Data Collector Wizard SDD Options page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) Select the applicable Sensitive data scan options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/searchfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/searchfilter.md index 904699b594..9335361cec 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/searchfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/searchfilter.md 
@@ -5,7 +5,7 @@ a wizard page for the category of: - PublicFolder search -![EWS Public Folder Data Collector Wizard Search Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) +![EWS Public Folder Data Collector Wizard Search Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/searchfilter.webp) Click **Add Filter** to open the Filter Wizard @@ -13,8 +13,8 @@ Click **Add Filter** to open the Filter Wizard The Filter Wizard manages properties of the search filter. The Filter Wizard pages are: -- [EWSPublicFolder FW: Search Filter](filterwizard/searchfilter.md) -- [EWSPublicFolder FW: Folder Conditions](filterwizard/folderconditions.md) -- [EWSPublicFolder FW: Message Conditions](filterwizard/messageconditions.md) -- [EWSPublicFolder FW: BodyOptions](filterwizard/bodyoptions.md) -- [EWSPublicFolder FW: Save Filter](filterwizard/savefilter.md) +- [EWSPublicFolder FW: Search Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/searchfilter.md) +- [EWSPublicFolder FW: Folder Conditions](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/folderconditions.md) +- [EWSPublicFolder FW: Message Conditions](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/messageconditions.md) +- [EWSPublicFolder FW: BodyOptions](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/bodyoptions.md) +- [EWSPublicFolder FW: Save Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filterwizard/savefilter.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/summary.md index 25819eeef8..ef6dc57cc4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It wizard page for all categories. -![EWS Public Folder Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![EWS Public Folder Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the EWS Public Folder Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/category.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/category.md index fdf11292d7..309316dc95 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/category.md @@ -3,7 +3,7 @@ The Exchange2K Data Collector contains the following query categories, sub-divided by auditing focus: -![Exchange 2K+ Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Exchange 2K+ Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) - Exchange Organization diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/mapisettings.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/mapisettings.md index 494617f895..6d7b10e0e9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/mapisettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/mapisettings.md 
@@ -12,7 +12,7 @@ page for the categories of: - OrphanedMailboxes - OrphanedPublicFolders -![Exchange 2K+ Data Collector Wizard MAPI Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchange2k/mapisettings.webp) +![Exchange 2K+ Data Collector Wizard MAPI Settings page](/img/product_docs/accessanalyzer/admin/datacollector/exchange2k/mapisettings.webp) Configure the Connection Setting by selecting from the following: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/options.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/options.md index d935fdcbeb..075c925d72 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/options.md @@ -3,7 +3,7 @@ The Options page provides additional configuration options for the query. Available options vary depending on the category selected. It is a wizard page for all of the categories. -![Exchange 2K+ Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Exchange 2K+ Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Configure the Options step using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/overview.md index aeb7b4cb59..ec2e024c0a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/overview.md 
@@ -2,12 +2,12 @@ The Exchange2K Data Collector extracts configuration details from Exchange organizations for versions 2003 and later. This is a MAPI-based data collector which requires the **Settings** > -**Exchange** node to be enabled and configured. See the [Exchange](../../settings/exchange.md) topic +**Exchange** node to be enabled and configured. See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. The Exchange2K Data Collector has been preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols 
@@ -36,14 +36,14 @@ The Exchange2K Data Collector is configured through the Exchange 2K+ Data Collec contains the following wizard pages: - Welcome -- [Exchange2K: Category](category.md) -- [Exchange2K: Scope](scope.md) -- [Exchange2K: Results](results.md) -- [Exchange2K: MAPI Settings](mapisettings.md) -- [Exchange2K: Options](options.md) -- [Exchange2K: Summary](summary.md) - -![Exchange 2K+ Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [Exchange2K: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/category.md) +- [Exchange2K: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/scope.md) +- [Exchange2K: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/results.md) +- [Exchange2K: MAPI Settings](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/mapisettings.md) +- [Exchange2K: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/options.md) +- [Exchange2K: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/summary.md) + +![Exchange 2K+ Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not show this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/results.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/results.md index 9c0cb03bbf..f9eb421b92 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/results.md 
@@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all. -![Exchange 2K+ Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Exchange 2K+ Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Check All**, **Uncheck All**, or **Reset Defaults** buttons can be used. All Selected properties will be gathered. Click **Expand All** to expand all diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/scope.md index b23ecf230e..51742a0808 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/scope.md @@ -7,7 +7,7 @@ The Scope page is used to define where to search. It is a wizard page for the ca - Exchange Organization > Contacts - Exchange Organization > QBDGs -![Exchange 2K+ Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Exchange 2K+ Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) Select where to connect for the search and click **Connect** to add the domain or server: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/summary.md index b003dfd969..dd74acb0ce 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/summary.md 
@@ -3,7 +3,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all of the categories. -![Exchange 2K+ Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Exchange 2K+ Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Exchange 2K+ Data Collector Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/category.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/category.md index 5802b127b1..91a8d35566 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/category.md @@ -3,7 +3,7 @@ The Exchange Mailbox Data Collector contains the following Exchange Mailbox categories for searching: -![Exchange Mailbox Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Exchange Mailbox Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The Category page contains a list of objects the query searches for: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/options.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/options.md index a1ae739980..909eb9ce6e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/options.md 
@@ -8,7 +8,7 @@ the following categories: - Mailbox permissions - Mailbox sensitive data discovery -![Exchange Mailbox Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Exchange Mailbox Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The following options can be configured: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/overview.md index 78830509eb..252939aadc 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/overview.md @@ -3,10 +3,10 @@ The ExchangeMailbox Data Collector extracts configuration details from the Exchange Store to provide statistical, content, permission, and sensitive data reporting on mailboxes. This is a MAPI-based data collector which requires the **Settings** > **Exchange** node to be enabled and configured. See -the [Exchange](../../settings/exchange.md) topic for additional information. +the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. The ExchangeMailbox Data Collector is available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols 
@@ -36,17 +36,17 @@ The ExchangeMailbox Data Collector is configured through the Exchange Mailbox Da which contains the following wizard pages: - Welcome -- [ExchangeMailbox: Category](category.md) -- [ExchangeMailbox: Scope](scope.md) -- [ExchangeMailbox: Properties](properties.md) -- [ExchangeMailbox: SDD Criteria](sddcriteria.md) -- [ExchangeMailbox: Options](options.md) -- [ExchangeMailbox: Summary](summary.md) +- [ExchangeMailbox: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/category.md) +- [ExchangeMailbox: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/scope.md) +- [ExchangeMailbox: Properties](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/properties.md) +- [ExchangeMailbox: SDD Criteria](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/sddcriteria.md) +- [ExchangeMailbox: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/options.md) +- [ExchangeMailbox: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/summary.md) The query requires special permissions to connect to target Exchange servers. Assign these permissions on the Welcome page. -![Exchange Mailbox Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Exchange Mailbox Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) Connection Setting diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/properties.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/properties.md index a28fd0ef19..d646ba73d5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/properties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/properties.md 
@@ -3,13 +3,13 @@ The Properties page is where properties that will be gathered are selected. The available properties depend on the category selected. It is a wizard page for all of the categories. -![Exchange Mailbox Data Collector Wizard Properties page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Exchange Mailbox Data Collector Wizard Properties page](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) Properties can be selected individually or you can use the Select All, Clear All, and Reset All buttons. All selected properties will be gathered. Click **Message Classes** to open the Message classes filters window. -![Message classes filters window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/messageclassesfilterswindow.webp) +![Message classes filters window](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/messageclassesfilterswindow.webp) The wildcard (`*`) returns all message class filters. Enter the name of the class filter and click **Add** to add it to the list. **Delete** will remove the selected class filter from the list. The diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/scope.md index 4aa8143cb7..29a2259c0e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/scope.md 
@@ -3,7 +3,7 @@ The Scope page is used to define which mailboxes are to be queried. It is a wizard page for all of the categories. -![Exchange Mailbox Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Exchange Mailbox Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) At the top, configure the mailboxes to be queried. The selected option changes how the mailboxes are identified for scoping. @@ -13,7 +13,7 @@ identified for scoping. visible within the **Available mailboxes on connected server** list. The following options display: - ![Scope page with Selected mailboxes from server selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangemailbox/scopeselectedmailboxes.webp) + ![Scope page with Selected mailboxes from server selected](/img/product_docs/accessanalyzer/admin/datacollector/exchangemailbox/scopeselectedmailboxes.webp) - Retrieve – Enter the server and select Retrieve to display the list of mailboxes on that server @@ -26,7 +26,7 @@ identified for scoping. - Selected table – Populates the **Available tables** list with tables from the Access Analyzer database - ![Scope page with Selected table selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedtable.webp) + ![Scope page with Selected table selected](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedtable.webp) - Table – Filters this list by tables. Select the table which hosts the list of mailboxes for which this query will be scoped. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/sddcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/sddcriteria.md index 9aaf43e3b7..09aa29cd44 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/sddcriteria.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/sddcriteria.md @@ -3,7 +3,7 @@ The SDD Criteria page is where criteria to be used for discovering sensitive data are configured. It is a wizard page for the Mailbox sensitive data discovery category. -![Exchange Mailbox Data Collector Wizard SDD Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sddcriteria.webp) +![Exchange Mailbox Data Collector Wizard SDD Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sddcriteria.webp) Select the checkbox for the criteria to be used to search for sensitive data. Criteria can also be selected using the **Select All** and **Select None** buttons. @@ -14,7 +14,7 @@ The table contains the following types of criteria: - User Criteria – Lists user-defined criteria - Edit – Click this button to access the Criteria Editor where user-defined criteria can be created or customized. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. - Store discovered sensitive data – Stores the potentially sensitive data that matches the selected criteria in the Access Analyzer database. Select this checkbox to store a copy of the criteria diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/summary.md index 44b8554c1d..816855c674 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It wizard page for all categories. -![Exchange Mailbox Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Exchange Mailbox Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Exchange Mailbox Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/category.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/category.md index fd21634730..28af55c4da 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/category.md @@ -2,7 +2,7 @@ The Category page is used to identify the type of Exchange Metrics information to retrieve. -![Exchange Metrics Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Exchange Metrics Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The ExchangeMetrics Data Collector contains the following query categories: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/collectmode.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/collectmode.md index afdcf8443b..ee5c4fce22 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/collectmode.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/collectmode.md 
@@ -16,7 +16,7 @@ of: - User’s Message Activity - User’s Message Activity Per Hour -![Exchange Metrics Data Collector Wizard Collect Mode page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/collectmode.webp) +![Exchange Metrics Data Collector Wizard Collect Mode page](/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/collectmode.webp) There are two types of collection modes: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md index de71250606..a3ade35dcd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md @@ -8,7 +8,7 @@ mail sent to and received from an `@netwrix.com` address. It is a wizard page fo - User’s Message Activity - User’s Message Activity Per Hour -![Exchange Metrics Data Collector Wizard Message Activity Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/messageactivityfilter.webp) +![Exchange Metrics Data Collector Wizard Message Activity Filter page](/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/messageactivityfilter.webp) Configure the Message Activity Filter using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messagesizes.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messagesizes.md index 149209bc49..d9a9c33625 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messagesizes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messagesizes.md 
@@ -5,7 +5,7 @@ by server. It is a wizard page for the category of: - Message Size Statistics Custom. -![Exchange Metrics Data Collector Wizard Message Sizes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/messagesizes.webp) +![Exchange Metrics Data Collector Wizard Message Sizes page](/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/messagesizes.webp) Configure the desired message size frames using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md index d48077efb8..77ee53c741 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md @@ -18,7 +18,7 @@ the category selected. It is a wizard page for the categories of: - Deploy or Change Applet Settings - Remove Applet Settings -![Exchange Metrics Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Exchange Metrics Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) Select the checkbox of any of the following options to configure the query: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md index 7c7b9f8a4f..084550afdb 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md 
@@ -4,12 +4,12 @@ The ExchangeMetrics Data Collector collects Mail-Flow metrics from the Exchange Logs on the Exchange servers. Some examples of this include server volume and message size statistics. This data collector runs as an applet over RPC connection to process and collect summarized metrics from the Message Tracking Log. See the -[Exchange Support and Permissions Explained](../../../requirements/solutions/exchange/support.md) +[Exchange Support and Permissions Explained](/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md) topic for a complete list of supported platforms. The ExchangeMetrics Data Collector has been preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols @@ -25,7 +25,7 @@ Permissions - Member of the local Administrator group on the targeted Exchange server(s) -See the [Exchange Mail-Flow Permissions](../../../requirements/solutions/exchange/mailflow.md) topic +See the [Exchange Mail-Flow Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mailflow.md) topic for additional information. ## ExchangeMetrics Query Configuration 
@@ -34,19 +34,19 @@ The ExchangeMetrics Data Collector is configured through the Exchange Metrics Da which contains the following wizard pages: - Welcome -- [ExchangeMetrics: Category](category.md) -- [ExchangeMetrics: Scope](scope.md) -- [ExchangeMetrics: Results](results.md) -- [ExchangeMetrics: Collect Mode](collectmode.md) -- [ExchangeMetrics: Time Frames](timeframes.md) -- [ExchangeMetrics: Message Sizes](messagesizes.md) -- [ExchangeMetrics: Options](options.md) -- [ExchangeMetrics: Message Activity Filter](messageactivityfilter.md) -- [ExchangeMetrics: Summary](summary.md) +- [ExchangeMetrics: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/category.md) +- [ExchangeMetrics: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md) +- [ExchangeMetrics: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/results.md) +- [ExchangeMetrics: Collect Mode](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/collectmode.md) +- [ExchangeMetrics: Time Frames](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/timeframes.md) +- [ExchangeMetrics: Message Sizes](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messagesizes.md) +- [ExchangeMetrics: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md) +- [ExchangeMetrics: Message Activity Filter](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md) +- [ExchangeMetrics: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/summary.md) **NOTE:** Pages available vary depending on the Category selected. 
-![Exchange Metrics Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Exchange Metrics Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by checking the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/results.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/results.md index 9aa9ea3bf0..f07d96d0ca 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/results.md @@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![Exchange Metrics Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Exchange Metrics Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Check All**, **Uncheck All**, or **Reset Defaults** buttons can be used. Click **Expand All** to expand all property categories. All selected properties diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md index 12a6b335c7..442fc3296e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md 
@@ -16,7 +16,7 @@ The Scope page is used to define where to search. It is a wizard page for the ca - User’s Message Activity Per Hour - Deploy or Change Applet Settings -![Exchange Metrics Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Exchange Metrics Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) Define the scope of the query using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/summary.md index 0cf92c05d6..8df55cc5d2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/summary.md @@ -3,7 +3,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all of the categories. -![Exchange Metrics Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Exchange Metrics Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Exchange Metrics Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/timeframes.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/timeframes.md index e7ca6a0769..17e1262c57 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/timeframes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/timeframes.md 
@@ -5,7 +5,7 @@ metrics by server. It is a wizard page for the category of: - Delivery Time Custom. -![Exchange Metrics Data Collector Wizard Time Frames page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/timeframes.webp) +![Exchange Metrics Data Collector Wizard Time Frames page](/img/product_docs/accessanalyzer/admin/datacollector/exchangemetrics/timeframes.webp) Configure the desired time frames using the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md index 34e83aea81..e479134729 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md @@ -4,7 +4,7 @@ The Category page contains a connection section where connection options are def where the query category is selected. The available query categories are sub-divided by auditing focus. -![ExchangePS Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![ExchangePS Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) ## Connection @@ -13,7 +13,7 @@ In the Connection section, select the method for connecting to the target Exchan - Use Global setting – Reads from the global configuration from the **Settings** > **Exchange** node, specifically the **Client Access Server** (CAS) field - - See the [Exchange](../../settings/exchange.md) topic for additional information on these + - See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information on these settings - Use specific server – Use a different server from what is set in core 
@@ -104,11 +104,11 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox Permissions @@ -125,11 +125,11 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox Databases 
@@ -143,11 +143,11 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox Rights @@ -161,11 +161,11 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox AD Rights 
@@ -179,11 +179,11 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox Search @@ -199,12 +199,12 @@ Get-MailboxDatabase When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Filter by Message](filtermessage.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Filter by Message](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Mailbox Access Logons 
@@ -220,12 +220,12 @@ Get-Mailbox When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Mailbox Logons](mailboxlogons.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Mailbox Logons](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) ### Exchange Organization @@ -246,11 +246,11 @@ Get-ThrottlingPolicyAssociation When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) ### Exchange ActiveSync 
@@ -269,11 +269,11 @@ Get-Mailbox When this category is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) ### Public Folder Information 
@@ -284,22 +284,22 @@ Public Folder Content This category returns general statistics and sizing for the public folder environment. When it is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Public Folder Permissions This category returns permissions information for the public folder environment. When it is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) ### Office 365 
@@ -310,12 +310,12 @@ Mail Flow Metrics This category returns information about mail flow in the target Exchange Online environment. When it is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Mail Flow](mailflow.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Mail Flow](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailflow.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) ### Domain Information @@ -326,8 +326,8 @@ Domains This category returns information about domains in the Exchange environment. When it is selected, the following ExchangePS Data Collector Wizard pages are available for configuration: -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md index 9932a24911..6bb0e37829 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md 
@@ -49,21 +49,21 @@ Create a Connection Profile and set the following information on the User Creden - Select Account Type – Exchange Modern Authentication - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Organization – The primary domain name of the Microsoft Entra tenant being leveraged to make the connection. See the - [Identify the Tenant's Name](../../../config/exchangeonline/access.md#identify-the-tenants-name) + [Identify the Tenant's Name](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#identify-the-tenants-name) topic for additional information. - Email Address – The email address for the mailbox to be leveraged in Exchange Online environment scans. The mailbox must belong to the primary domain used in the Organization field. - AppID – Application (client) ID of the Access Analyzer application registered with Microsoft Entra ID. See the - [Identify the Client ID](../../../config/exchangeonline/access.md#identify-the-client-id) + [Identify the Client ID](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#identify-the-client-id) topic for additional information. - Certificate Thumbprint – The thumbprint value of the certificate uploaded to the Microsoft Entra ID application. See the - [Upload Self-Signed Certificate](../../../config/exchangeonline/access.md#upload-self-signed-certificate) + [Upload Self-Signed Certificate](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#upload-self-signed-certificate) topic for additional information. ### Exchange Online Host List 
@@ -73,8 +73,8 @@ Microsoft Entra tenant used to connect to Exchange Online. - The host name must be the domain name of the tenant, for example `company.onmicrosoft.com`. See the - [Identify the Tenant's Name](../../../config/exchangeonline/access.md#identify-the-tenants-name) + [Identify the Tenant's Name](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#identify-the-tenants-name) topic for additional information. -See the [Add Hosts](../../hostmanagement/actions/add.md) topic for instructions on creating a custom +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for instructions on creating a custom host list. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md index c5734777ec..cfc67cfb63 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md @@ -3,7 +3,7 @@ The Error Logging page is used to configure how long to keep the PowerShell logs. It is a wizard page for all of the categories. -![ExchangePS Data Collector Wizard Error Logging page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/errorlogging.webp) +![ExchangePS Data Collector Wizard Error Logging page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/errorlogging.webp) Select from the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md index 857bd5bc1d..94325b6bca 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md 
@@ -5,7 +5,7 @@ page for the category of: - Mailbox Search -![ExchangePS Data Collector Wizard Filter by Message Conditions page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/filtermessage.webp) +![ExchangePS Data Collector Wizard Filter by Message Conditions page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/filtermessage.webp) In the Select Conditions section, choose the filter logic: @@ -42,7 +42,7 @@ In the Select Search Mailbox Parameters section, select the desired filter param The Date Range Selection window is opened by the **Specify Date Range...** option for a date related filter on the Filter by Message page. -![Date Range Selection window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/daterangeselectionwindow.webp) +![Date Range Selection window](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/daterangeselectionwindow.webp) Select the range category on the left and configure the range setting in the enabled fields: @@ -65,7 +65,7 @@ range. The Words window is opened by the **Specify words...** option for a word related filter on the Filter by Message page. -![Words window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/wordswindow.webp) +![Words window](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/wordswindow.webp) In the Search property section, choose the filter logic: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md index 3af87a60e1..0406d37702 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md 
@@ -4,7 +4,7 @@ The Mailbox Logons page is used to define the type of mailbox logon events to re date range to be returned. It is a wizard page for the category of Mailbox Information > Mailbox Access Logons. -![ExchangePS Data Collector Wizard Mailbox Logons page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/mailboxlogons.webp) +![ExchangePS Data Collector Wizard Mailbox Logons page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/mailboxlogons.webp) Select the desired checkboxes to indicate which logons to audit: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailflow.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailflow.md index 945b441f25..e2b75f478b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailflow.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailflow.md @@ -5,7 +5,7 @@ page for the category of: - Office 365 > Mail Flow Metrics -![ExchangePS Data Collector Wizard Mail Flow page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/mailflow.webp) +![ExchangePS Data Collector Wizard Mail Flow page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/mailflow.webp) Select and configure a date range from the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md index ac5336a333..6de7e19c68 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md 
@@ -3,7 +3,7 @@ The Options page is used to configure additional options. It is a wizard page for all of the categories. -![ExchangePS Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![ExchangePS Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The following options can be configured: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md index 0749b22f07..a4ee5a9922 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md @@ -4,7 +4,7 @@ The ExchangePS Data Collector utilizes the Exchange CMDlets to return informatio environment utilizing PowerShell. This data collector has been designed to work with Exchange 2010 and newer. The ExchangePS Data Collector has been preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols @@ -28,7 +28,7 @@ Permissions - Discovery Management Role - Organization Management Role -See the [Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for additional information. ## Remote PowerShell 
@@ -47,7 +47,7 @@ $sess=New-PSSession -ConnectionUri 'https://{exchangeserver}/powershell?serializ Import-PSSession $sess ``` -See the [Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for instructions on enabling Remote PowerShell. ## The Exchange Applet 
@@ -68,16 +68,16 @@ The following Exchange Snap-in is used when the applet is utilized: The ExchangePS Data Collector is configured through the ExchangePS Data Collector Wizard, which contains the following wizard pages: -- [ExchangePS: Category](category.md) -- [ExchangePS: Scope](scope.md) -- [ExchangePS: Scope by DB](scopedatabases.md) -- [ExchangePS: Scope by Mailboxes](scopemailboxes.md) -- [ExchangePS: Scope by Public Folders](scopepublicfolders.md) -- [ExchangePS: Filter by Message](filtermessage.md) -- [ExchangePS: Mailbox Logons](mailboxlogons.md) -- [ExchangePS: Results](results.md) -- [ExchangePS: Options](options.md) -- [ExchangePS: Error Logging](errorlogging.md) -- [ExchangePS: Summary](summary.md) +- [ExchangePS: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md) +- [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) +- [ExchangePS: Scope by DB](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md) +- [ExchangePS: Scope by Mailboxes](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md) +- [ExchangePS: Scope by Public Folders](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md) +- [ExchangePS: Filter by Message](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/filtermessage.md) +- [ExchangePS: Mailbox Logons](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/mailboxlogons.md) +- [ExchangePS: Results](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md) +- [ExchangePS: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/options.md) +- [ExchangePS: Error Logging](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/errorlogging.md) +- [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) Available pages vary according to selections made throughout the wizard. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md index 5b066980f1..37fc5b0566 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/results.md @@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![ExchangePS Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![ExchangePS Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Select All** and **Clear All** buttons can be used. All selected properties will be gathered. Available properties vary based on the category selected. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md index 6c60cf8546..1546e74eb7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md @@ -2,7 +2,7 @@ The Scope page establishes how mailboxes are scoped. It is a wizard page for all of the categories. -![ExchangePS Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![ExchangePS Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) Available scoping options vary based on the category selected. Scoping options include: 
@@ -10,7 +10,7 @@ Available scoping options vary based on the category selected. Scoping options i Organization - If this option is selected, then the data collector should be run against the host specified - on the Summary page. See the [ExchangePS: Summary](summary.md) topic for additional + on the Summary page. See the [ExchangePS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md) topic for additional information. - When using the applet, the data collector gathers information about the Exchange Forest in which the Access Analyzer Console currently resides @@ -21,10 +21,10 @@ Available scoping options vary based on the category selected. Scoping options i - Scope by Database Target Host: Local Host – Scope query to return results for specific databases. If this option is selected, the Scope by Database page is enabled in the wizard. See the - [ExchangePS: Scope by DB](scopedatabases.md) topic for additional information. + [ExchangePS: Scope by DB](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md) topic for additional information. - Scope by Mailbox Target Host: Local Host – Scope query to return results for specific mailboxes. If this option is selected, the Scope by Mailboxes page is enabled in the wizard. See the - [ExchangePS: Scope by Mailboxes](scopemailboxes.md) topic for additional information. + [ExchangePS: Scope by Mailboxes](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md) topic for additional information. - Scope by Server Target Host: Exchange MB Server – Scope query to return results for specific servers selected in the job’s **Configure** > **Hosts** node 
@@ -32,11 +32,11 @@ Available scoping options vary based on the category selected. Scoping options i PowerShell on that server - For Remote PowerShell, the data collector does not deploy anapplet and utilizes the WinRM protocol to gather information about the objects on that server. See the - [Remote PowerShell](./overview#remote-powershell) and - [The Exchange Applet](./overview#the-exchange-applet) topics for additional information. + [Remote PowerShell](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview#remote-powershell) and + [The Exchange Applet](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview#the-exchange-applet) topics for additional information. - Scope by Public Folder – Scope query to return results for specific Public Folders. If this option is selected, the Scope by Public Folders page is enabled in the wizard. See the - [ExchangePS: Scope by Public Folders](scopepublicfolders.md) topic for additional information. + [ExchangePS: Scope by Public Folders](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md) topic for additional information. - View entire forest when querying for objects – Select this checkbox to scan the entire forest when querying for objects diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md index a6dd28e007..1045399f62 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md 
@@ -2,14 +2,14 @@ The Scope by Databases page is used to define specific databases to search. This page is enabled when **Scope by Database Target Host: Local Host** option is selected on the Scope page. See the -[ExchangePS: Scope](scope.md) topic for additional information. +[ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) topic for additional information. When using the applet, the data collector returns databases for the Exchange Organization in which the Access Analyzer Console currently resides, and only returns information about those databases. For Remote PowerShell, the data collector returns databases for the Exchange Forest and only returns information about those databases. -![ExchangePS Data Collector Wizard Scope by Databases page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopedatabases.webp) +![ExchangePS Data Collector Wizard Scope by Databases page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopedatabases.webp) Click **Retrieve** to return all databases in the Exchange Organization and populate them in the Available Databases list. Select the desired databases from Available Databases and click **Add**. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md index fd08096524..bd852d6766 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md 
@@ -2,14 +2,14 @@ The Scope by Mailboxes page is used to define specific mailboxes to search. This page is enabled when the **Scope by Mailbox Target Host: Local Host** option is selected on the Scope page. See the -[ExchangePS: Scope](scope.md) topic for additional information. +[ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) topic for additional information. When using the applet, the data collector will return mailboxes for the Exchange Forest in which the Access Analyzer Console currently resides, and only return information about those mailboxes. For Remote PowerShell, the data collector will return mailboxes for the Exchange Forest as well as return information about those mailboxes. -![ExchangePS Data Collector Wizard Scope by Mailboxes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopemailboxes.webp) +![ExchangePS Data Collector Wizard Scope by Mailboxes page](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopemailboxes.webp) Click **Retrieve** to return all mailboxes in the Exchange Organization and populate them in the Available Mailboxes list. Select desired mailboxes from the Available Mailboxes list and click diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md index 28d2de4da8..11db3f68c0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md 
@@ -2,7 +2,7 @@ The Scope by Public Folders page is used to define specific public folders to search. This page is enabled when the **Scope by Public Folder** option is selected on the Scope page. See the -[ExchangePS: Scope](scope.md) topic for additional information. +[ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) topic for additional information. Configure the **Scope** option using the drop-down. The available options are: @@ -16,7 +16,7 @@ The option selected changes how the public folders are identified for scoping. The **Selected Public Folders** scope option retrieves all public folders in the Exchange organization, populating them in the Available list. -![ExchangePS Data Collector Wizard Scope by Public Folders page with Selected Public Folders option](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopepublicfolders.webp) +![ExchangePS Data Collector Wizard Scope by Public Folders page with Selected Public Folders option](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopepublicfolders.webp) The **Search** feature filters this list. Select the desired public folders and click **Add**. The selected public folders are added to the Selected list. Use the **Remove** option to delete selected 
@@ -32,7 +32,7 @@ selection. Additional scoping options include: The **Selected Table** scope option populates the Available tables list with tables from the Access Analyzer database. -![ExchangePS Data Collector Wizard Scope by Public Folders page with Selected Table option](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopepublicfoldersselectedtable.webp) +![ExchangePS Data Collector Wizard Scope by Public Folders page with Selected Table option](/img/product_docs/accessanalyzer/admin/datacollector/exchangeps/scopepublicfoldersselectedtable.webp) The **Search** feature filters this list. Select the table that houses the list of public folders for which this query will be scoped. The Field containing EntryIDs list is populated with columns diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md index 9fd7d2ecda..bcb6a48ff3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![ExchangePS Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![ExchangePS Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the ExchangePS Data Collector Wizard to ensure that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/category.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/category.md index 296cccbd40..88ec48b487 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/category.md @@ -2,7 +2,7 @@ The Category page is used to select the objects to search. -![Exchange Public Folder Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Exchange Public Folder Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The ExchangePublicFolder Data Collector contains the following query categories: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/options.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/options.md index e93631f116..3888815490 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/options.md @@ -3,7 +3,7 @@ The Options page provides additional configuration options for the query. It is a wizard page for all of the categories. Available options vary based on the category selected. -![Exchange Public Folder Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Exchange Public Folder Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The Options page contains the following options: 
@@ -19,7 +19,7 @@ The Options page contains the following options: - Include subfolders in message counters – This option is only available for the Contents category. When this option is selected, it will include subfolders in message counters, according to the - Scope page settings. See the [ExchangeMetrics: Scope](../exchangemetrics/scope.md) topic for + Scope page settings. See the [ExchangeMetrics: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/scope.md) topic for additional information. - Large attachment threshold (Kb) – Configure the desired size limit for attachments. The default value is 500. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/overview.md index bb4af64513..18a4f1ced7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/overview.md @@ -3,11 +3,11 @@ The ExchangePublicFolder Data Collector audits an Exchange Public Folder, including contents, permissions, ownership, and replicas. This is a MAPI-based data collector which requires the **Settings > Exchange** node to be enabled and configured. See the -[Exchange](../../settings/exchange.md) topic for additional information. +[Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. The ExchangePublicFolder Data Collector has been preconfigured within the Exchange Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional information. +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. Protocols 
@@ -36,17 +36,17 @@ The ExchangePublicFolder Data Collector is configured through the Exchange Publi Collector Wizard, which contains the following wizard pages: - Welcome -- [ExchangePublicFolder: Category](category.md) -- [ExchangePublicFolder: Scope](scope.md) -- [ExchangePublicFolder: Properties](properties.md) -- [ExchangePublicFolder: Options](options.md) -- [ExchangePublicFolder: Probable Owner](probableowner.md) -- [ExchangePublicFolder: Summary](summary.md) +- [ExchangePublicFolder: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/category.md) +- [ExchangePublicFolder: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md) +- [ExchangePublicFolder: Properties](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md) +- [ExchangePublicFolder: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/options.md) +- [ExchangePublicFolder: Probable Owner](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md) +- [ExchangePublicFolder: Summary](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/summary.md) The query requires special permissions to connect to target Exchange servers. Configure these permissions on the Welcome page. -![Exchange Public Folder Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Exchange Public Folder Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) In the Connection Setting section, choose to either maintain the global inheritance, or configure query specific settings. 
@@ -59,7 +59,7 @@ break inheritance, and then select one of the following options: - Exchange Mailbox (2010 and newer) – Enter the Exchange mailbox - Client Access Server – Enter the CAS -See the [Exchange](../../settings/exchange.md) topic for additional information. +See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. In the Sampling server section, enter the Exchange server in the textbox to be used to test the connection settings. Click **Test sampling server** to ensure there is access to the server. The box diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md index 2df08e8a53..d26cc8c6d2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md @@ -2,9 +2,9 @@ The Probable Owner Settings page provides configuration options to determine an owner. It is enabled when the Probable Owner property is selected on the Properties page. See the -[ExchangePublicFolder: Properties](properties.md) topic for additional information. +[ExchangePublicFolder: Properties](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md) topic for additional information. -![Exchange Public Folder Data Collector Wizard Probable Owner page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableowner.webp) +![Exchange Public Folder Data Collector Wizard Probable Owner page](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableowner.webp) In the Determine owner section, select the desired option to specify what setting to use to determine an owner: 
@@ -18,7 +18,7 @@ determine an owner: - Use custom weights – Select to enable the **Result weights** option to assign custom weights to the ownership categories - ![Probable Owner Settings window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableownersettingswindow.webp) + ![Probable Owner Settings window](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableownersettingswindow.webp) - Result weights – This option is enabled when the **Use custom weights** option is selected. Click the ellipses to open the Probable Owner Settings window and assign ownership weights to distribute diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md index f52ecdf063..a91d9b75b0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/properties.md 
@@ -3,13 +3,13 @@ The Properties page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![Exchange Public Folder Data Collector Wizard Properties page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Exchange Public Folder Data Collector Wizard Properties page](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) Properties can be selected individually or you can use the **Select All**, **Clear All**, or **Reset All** buttons. All selected properties will be gathered. The **Message Classes** button opens the Message classes filters window. -![Message classes filters window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/messageclassesfilterswindow.webp) +![Message classes filters window](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/messageclassesfilterswindow.webp) The wildcard (`*`) returns all message class filters. Enter the name of a class filter and click **Add** to add it to the list. **Delete** will remove the selected class filter from the list. The diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md index 471cb59bd5..ae1d5257a1 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md 
@@ -3,7 +3,7 @@ The Scope page is used to define which folders will be included will be searched by this query. It is a wizard page for all of the categories. -![Exchange Public Folder Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Exchange Public Folder Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) In the Choose Type of Public Folders to be queried section, select either: @@ -36,7 +36,7 @@ In the Choose Scope of Public Folders to be queried section, select one of the f When Scope to **Selected Public Folders** is selected on the Scope page, the options to specify the desired folders are enabled. -![Scope page with Selected Public Folders option selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedpublicfolders.webp) +![Scope page with Selected Public Folders option selected](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedpublicfolders.webp) Configure the scope of the selected public folders to be queried: @@ -57,7 +57,7 @@ selected word from the filter list. When Scope to **Selected Table** is selected on the Scope page, the options to specify the desired tables are enabled. -![Scope page with Selected Table option selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedtable.webp) +![Scope page with Selected Table option selected](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/scopeselectedtable.webp) Configure the selected tables to be queried: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/summary.md index e79e578b7e..54d60f7b9d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/summary.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/summary.md @@ -3,7 +3,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all of the categories. -![Exchange Public Folder Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Exchange Public Folder Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Exchange Public Folder Data Collector Wizard to ensure that no diff --git a/docs/accessanalyzer/12.0/admin/datacollector/file/category.md b/docs/accessanalyzer/12.0/admin/datacollector/file/category.md index 0b48192491..ff196d7264 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/file/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/file/category.md @@ -2,7 +2,7 @@ Use the Category page to identify the type of information to retrieve in this query. -![File Search Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![File Search Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The categories are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/file/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/file/overview.md index 69adbaa1c0..687c5f73e7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/file/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/file/overview.md 
@@ -6,12 +6,12 @@ the target hosts. It can target any file extension. This data collector is a cor Access Analyzer and is available with all Access Analyzer licenses. **NOTE:** For enhanced file system data collections, use the -[FileSystemAccess Data Collector](../fsaa/overview.md). +[FileSystemAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md). Supported Platforms This data collector can target the same servers supported for the FileSystemAccess Data Collector. -See the [File System Supported Platforms](../../../requirements/target/filesystems.md) topic for a +See the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for a full list of supported platforms. Protocols @@ -35,12 +35,12 @@ The **File** Data Collector is configured through the File Search Wizard, which following wizard pages: - Welcome -- [File: Category](category.md) -- [File: Target Files](targetfiles.md) -- [File: Results](results.md) -- [File: Summary](summary.md) +- [File: Category](/docs/accessanalyzer/12.0/admin/datacollector/file/category.md) +- [File: Target Files](/docs/accessanalyzer/12.0/admin/datacollector/file/targetfiles.md) +- [File: Results](/docs/accessanalyzer/12.0/admin/datacollector/file/results.md) +- [File: Summary](/docs/accessanalyzer/12.0/admin/datacollector/file/summary.md) -![File Search Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![File Search Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/file/results.md b/docs/accessanalyzer/12.0/admin/datacollector/file/results.md index 4a3a0ad70f..3df03657e9 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/file/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/file/results.md @@ -4,7 +4,7 @@ The Results page provides a list of available properties to be searched for and execution. The properties selected display as table columns in the results of the query. It is a wizard page for all of the categories. -![File Search Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![File Search Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or in groups with the **Select All** or **Clear All** buttons. The properties available vary based on the category selected. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/file/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/file/summary.md index 80867a6f9f..74c90bf569 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/file/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/file/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. -![File Search Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![File Search Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the File Data Collector Wizard ensuring that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/file/targetfiles.md b/docs/accessanalyzer/12.0/admin/datacollector/file/targetfiles.md index 6097e5e05f..5cf55c7ffd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/file/targetfiles.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/file/targetfiles.md 
@@ -3,7 +3,7 @@ The Target Files page provides filters to scope the data collection. This can provide better search results for the specific folder or file. It is a wizard page for all of the categories. -![File Search Wizard Target Files page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/inifile/targetfiles.webp) +![File Search Wizard Target Files page](/img/product_docs/accessanalyzer/admin/datacollector/inifile/targetfiles.webp) Within the Target files configuration page, select the desired method to refine the query. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md index aa1758edd9..f1e1a444a8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md @@ -3,7 +3,7 @@ The File System Activity Auditor Scan Filter Settings page is where activity scan filter settings are configured. It is a wizard page for the category of File System Activity Scan. -![FSAA Data Collector Wizard Activity Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/activitysettings.webp) +![FSAA Data Collector Wizard Activity Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/activitysettings.webp) In the Scan Filters section, choose from the following options: 
@@ -44,7 +44,7 @@ In the Host Mapping section, configure the following: If desired, enable the host mapping feature and select **Configure Query** to open the Host Mapping Query window. -![Host Mapping Query window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingquery.webp) +![Host Mapping Query window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingquery.webp) When the Enable host mapping checkbox is selected, the query textbox is enabled. The SQL query provided by a user should return a set of log locations, target hosts, and host names of the @@ -80,11 +80,11 @@ Activity Monitor Agents for a single targeted Host. See the examples below: Single-Host Single-Agent Example: -![Query Results window for single agent example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingsinglehostsingleagent.webp) +![Query Results window for single agent example](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingsinglehostsingleagent.webp) Single-Host Multiple-Agent Example: -![Query Results window for multiple agent example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingsinglehostmultipleagent.webp) +![Query Results window for multiple agent example](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/hostmappingsinglehostmultipleagent.webp) **NOTE:** For multiple-agent setup, the configured Host Mapping table must have the same value for HostName and Host, as shown in the Single-Host Multiple-Agent example. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md index 912b16e185..ef73f0447e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md 
@@ -8,10 +8,10 @@ is a wizard page for the categories of: - Sensitive Data Scan **NOTE:** This wizard page identifies options associated with the scan mode to be used. See the -[File System Scan Options](../../../requirements/solutions/filesystem/scanoptions.md) topic for +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. -![FSAA Data Collector Wizard Applet Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettings.webp) +![FSAA Data Collector Wizard Applet Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettings.webp) In the Applet Launch Mechanism section, choose one of three radio buttons: @@ -20,7 +20,7 @@ In the Applet Launch Mechanism section, choose one of three radio buttons: - The Applet service runs as a Connection Profile credential unless the Local System checkbox is selected in the Applet Settings options below. Then it runs the service in Local mode. - Require applet to be running as a service on target (does not deploy or launch applet) - - See the [File System Proxy Service Installation](../../../install/filesystemproxy/wizard.md) + - See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information. - It requires the `FSAAAppletServer.exe` to run as a service on the proxy host in order to run a successful scan. When this radio button is selected, Access Analyzer does not deploy an applet 
@@ -31,13 +31,13 @@ In the Applet Launch Mechanism section, choose one of three radio buttons: applet can’t start** option. This option allows the scan to run in local mode when an applet cannot be deployed or the service is not running. -![Applet Settings section of the Applet Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingsappletsettings.webp) +![Applet Settings section of the Applet Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingsappletsettings.webp) In the Applet Settings section, configure the following options: - Port number – Default port number is 8766 - See - [Custom Parameters for File System Proxy Service](../../../install/filesystemproxy/wizard.md#custom-parameters-for-file-system-proxy-service) + [Custom Parameters for File System Proxy Service](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md#custom-parameters-for-file-system-proxy-service) topic for additional information. - Applet Log level – The type of log created on the target host. Checking the box to Enable Logging enables the Applet log level drop-down menu. The **Set To Default** button resets the log level to @@ -96,7 +96,7 @@ In the Applet Settings section, configure the following options: - Scan cancellation timeout: [number] minute(s) – When checked, this option will timeout the applet if there is an attempt to pause the scan and the applet does not respond -![Certificate Exchange Options section of the Applet Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingscertificateexchangeoptions.webp) +![Certificate Exchange Options section of the Applet Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingscertificateexchangeoptions.webp) In the Certificate Exchange Options section, configure the following options: 
@@ -106,7 +106,7 @@ In the Certificate Exchange Options section, configure the following options: the default option. - Manual – The FSSA Data Collector and applet server expect all certificates to be valid and in their respective stores beforehand. See the - [FSAA Manual Certificate Configuration](manualcertificate.md) topic for additional + [FSAA Manual Certificate Configuration](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md) topic for additional information. **NOTE:** If the FSAA Data Collector and the applet server are on separate domains without a @@ -118,5 +118,5 @@ In the Certificate Exchange Options section, configure the following options: - Port – Select the checkbox to specify the port number for certificate exchange. The Default port number is 8767. -See the [FSAA Applet Certificate Management Overview](certificatemanagement.md) topic for additional +See the [FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md index 96e07111db..92b759a4e4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md 
@@ -7,13 +7,13 @@ Information Protection (AIP) scanning. It is a wizard page for the categories of - File System SDD Scan Remember, select the **Enable scanning of files protected by Azure Information Protection** checkbox -on the [FSAA: Scan Settings](scansettings.md) page to enable this page in the data collector wizard. +on the [FSAA: Scan Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md) page to enable this page in the data collector wizard. In order for FSAA to scan files protected by AIP, ensure that the prerequisites are met and an Azure Connection Profile is successfully created. See the -[Azure Information Protection Target Requirements](../../../requirements/target/config/azureinformationprotection.md) +[Azure Information Protection Target Requirements](/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md) topic for additional information on configuring the File System solution to scan for AIP labels. -![FSAA Data Collector Wizard Azure Tenant Mapping page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/azuretenantmapping.webp) +![FSAA Data Collector Wizard Azure Tenant Mapping page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/azuretenantmapping.webp) Populate this page with the App ID (created during prerequisites) and a domain name or Tenant ID for an Azure environment. These values must be associated with each application ID in the Azure diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/bulkimport.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/bulkimport.md index 0af770e64f..502bb215ca 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/bulkimport.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/bulkimport.md 
@@ -7,7 +7,7 @@ wizard page for the categories of: - Bulk Import File System Activity - Bulk Import Sensitive Data -![FSAA Data Collector Wizard Bulk Import Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/bulkimport.webp) +![FSAA Data Collector Wizard Bulk Import Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/bulkimport.webp) Select the **Import incomplete scan data** checkbox to enable imports of partial scan data. If the scan is stopped before successful completion, this option must be checked in order to bulk import diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md index 34ccf8cc6a..9b35502add 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md @@ -14,7 +14,7 @@ the user's certificate store that is running the FSAA Data Collector or Applet s administrative access is required for the computer's certificate store. When certificates are generated using the Automatic option below, they are stored in the user’s certificate store. -![Certificate Exchange Options section of the Applet Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingscertificateexchangeoptions.webp) +![Certificate Exchange Options section of the Applet Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/appletsettingscertificateexchangeoptions.webp) There are three Certificate Exchange Options provided by the FSAA Data collector: 
@@ -32,7 +32,7 @@ There are three Certificate Exchange Options provided by the FSAA Data collector - To create and store certificates, the `FSAACertificateManager.exe` tool can be used. This application was created to simplify the process of creating certificates and will store the certificates in the location that the FSAA Data Collector and Applet server expect them to be - stored. See the [FSAA Manual Certificate Configuration](manualcertificate.md) topic for + stored. See the [FSAA Manual Certificate Configuration](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md) topic for additional information. The `FSAACertificateManager.exe` tool is located in the diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md index efbf51be95..44f5a62fd6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md 
@@ -8,10 +8,10 @@ categories of: - File System Access/Permission Auditing Scan - Sensitive Data Scan -![FSAA Data Collector Wizard Default Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) +![FSAA Data Collector Wizard Default Scoping Options page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) See the Scoping Options tab setting topics to target individual resources for the scan: -- [Scan Settings Tab](defaultscopingoptions/scansettings.md) -- [File Details Tab](defaultscopingoptions/filedetails.md) -- [File Properties (Folder Summary) Tab](defaultscopingoptions/fileproperties.md) +- [Scan Settings Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md) +- [File Details Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md) +- [File Properties (Folder Summary) Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md index a1d0e8c003..adb00b87f3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md @@ -2,7 +2,7 @@ The File Details tab allows configuration of settings for file detail collection. -![FSAA Data Collector Wizard Default Scoping Options page File Details tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/filedetails.webp) +![FSAA Data Collector Wizard Default Scoping Options page File Details tab](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/filedetails.webp) Select the desired settings for additional scoping: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md index 2045b4be78..a161c6485f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md @@ -3,7 +3,7 @@ The File Properties (Folder Summary) tab is where file property collection settings for the scan is configured. -![FSAA Data Collector Wizard Default Scoping Options page File Properties (Folder Summary) tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.webp) +![FSAA Data Collector Wizard Default Scoping Options page File Properties (Folder Summary) tab](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.webp) - Scan for probable owners – Gathers file ownership information to determine the most probable owner of every resource diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md index 325f9c0606..cfa0b285c0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md @@ -2,7 +2,7 @@ The Scan Settings tab allows configuration of data collection settings. -![FSAA Data Collector Wizard Default Scoping Options page Scan Settings tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) +![FSAA Data Collector Wizard Default Scoping Options page Scan Settings tab](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) The Scan Settings tab has the following configurable options: 
@@ -27,7 +27,7 @@ The Scan Settings tab has the following configurable options: Selecting the **Last Access Time (LAT) preservation** checkbox enables the **Action on failure to enable LAT preservation** and **Action on changed LAT after scan** dropdown menus. -![Action on failure to enable LAT preservation dropdown options](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/actionlatpreservationfailure.webp) +![Action on failure to enable LAT preservation dropdown options](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/actionlatpreservationfailure.webp) - Action on failure to enable LAT Preservation – Before scanning each file, FSAA attempts to enable an operating system feature to preserve the LAT when accessing the file. This operation may fail @@ -45,7 +45,7 @@ enable LAT preservation** and **Action on changed LAT after scan** dropdown me file was skipped. - Abort the scan – FSAA will abort the scan. No further files will be processed. -![Action on changed LAT after scan dropdown options](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/actionchangedlat.webp) +![Action on changed LAT after scan dropdown options](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/actionchangedlat.webp) - Action on changed LAT After scan – Before scanning each file, the LAT of the current file is recorded. After scanning, it is verified whether the LAT has changed since then (likely scenarios diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md index 9b04015e6e..77768b06da 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/manualcertificate.md 
@@ -172,7 +172,7 @@ steps from the output locations. All of the required FSAA certificates have been stored in the FSAA managed certificate stores. The FSAA queries need to be configured to use the **Manual** certificate exchange option. This option can be found under Applet Settings in the FSAA Data Collector Wizard. See the -[FSAA: Applet Settings](appletsettings.md) topic for additional information. +[FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for additional information. For additional information on how to use the `FSAACertificateManager.exe` tool, run the `.\FSAACertificateManager.exe -help` command. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md index cfd0fd513f..7badb292b0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md @@ -4,7 +4,7 @@ The FileSystemAccess (FSAA) Data Collector collects permissions, content, and ac sensitive data information for Windows and NAS file systems. The FSAA Data Collector has been preconfigured within the File System Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[File System Solution](../../../solutions/filesystem/overview.md) topic for additional information. +[File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information. Protocols 
@@ -14,13 +14,13 @@ Protocols Ports - Ports vary based on the Scan Mode Option selected. See the - [File System Scan Options](../../../requirements/solutions/filesystem/scanoptions.md) topic for + [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Permissions - Permissions vary based on the Scan Mode Option selected. See the - [File System Supported Platforms](../../../requirements/target/filesystems.md) topic for + [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -35,16 +35,16 @@ time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8 The FSAA Data Collector is configured through the File System Access Auditor Data Collector Wizard. The wizard contains the following pages, which change based up on the query category selected: -- [FSAA: Query Selection](queryselection.md) -- [FSAA: Applet Settings](appletsettings.md) -- [FSAA: Scan Server Selection](scanserverselection.md) -- [FSAA: Scan Settings](scansettings.md) -- [FSAA: Azure Tenant Mapping](azuretenantmapping.md) -- [FSAA: Activity Settings](activitysettings.md) -- [FSAA: Default Scoping Options](defaultscopingoptions.md) -- [FSAA: Scoping Options](scopingoptions.md) -- [FSAA: Scoping Queries](scopingqueries.md) -- [FSAA: Sensitive Data Settings](sensitivedatasettings.md) -- [FSAA: SDD Criteria Settings](sddcriteria.md) -- [FSAA: Bulk Import Settings](bulkimport.md) -- [FSAA: FSAA Update Service Setting](updateservicesettings.md) +- [FSAA: Query Selection](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/queryselection.md) +- [FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) +- [FSAA: Scan Server Selection](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md) +- [FSAA: Scan Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md) +- [FSAA: Azure Tenant Mapping](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md) +- [FSAA: Activity Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md) +- [FSAA: Default Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md) +- [FSAA: Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md) +- [FSAA: Scoping Queries](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md) +- [FSAA: Sensitive Data Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md) +- [FSAA: 
SDD Criteria Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md) +- [FSAA: Bulk Import Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/bulkimport.md) +- [FSAA: FSAA Update Service Setting](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/updateservicesettings.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/queryselection.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/queryselection.md index b5f999534c..9d07eb0b48 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/queryselection.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/queryselection.md @@ -3,7 +3,7 @@ The FSAA Data Collector Query Selection page contains the following query categories, sub-divided by auditing focus: -![FSAA Data Collector Wizard Query Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) +![FSAA Data Collector Wizard Query Selection page](/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) - The File System Access/Permission Auditing options scan hosts for file system information, and there are two categories to choose from: @@ -34,7 +34,7 @@ auditing focus: - Scan and import – Collects Azure Files storage account information. The instant job preconfigured to use this query category must be used. See the - [FS_AzureTenantScan Job](../../../solutions/filesystem/collection/fs_azuretenantscan.md) topic + [FS_AzureTenantScan Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md) topic for additional information. - The Maintenance options perform maintenance for the FSAA Data Collector, and there are three 
@@ -67,7 +67,7 @@ The Maintenance Wizard is opened by clicking the **Maintenance** button on the Q of the FSAA Data Collector Wizard. You can use the wizard to reset hosts or repair file system data errors. -![Maintenance Wizard Maintenance Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardselection.webp) +![Maintenance Wizard Maintenance Selection page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardselection.webp) The Maintenance Selection page allows you to select the type of maintenance to be performed: @@ -81,14 +81,14 @@ selection made. - If Reset Hosts was selected, the Reset Hosts page displays: - ![Maintenance Wizard Reset Hosts page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardresethosts.webp) + ![Maintenance Wizard Reset Hosts page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardresethosts.webp) Select the desired hosts to reset the SQL data for, and click **Reset Hosts** to perform the maintenance. - If Repair was selected, the Repair Tool page displays: - ![Maintenance Wizard Repair Tool page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardrepair.webp) + ![Maintenance Wizard Repair Tool page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maintenancewizardrepair.webp) Select the desired hosts to repair the SQL data for, and click **Run** to perform the maintenance. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md index 199c5e458f..f60da6c4d1 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md 
@@ -7,7 +7,7 @@ wizard page for the categories of: - File System Activity Scan - Sensitive Data Scan -![FSAA Data Collector Wizard Scan Server Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scanserverselection.webp) +![FSAA Data Collector Wizard Scan Server Selection page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scanserverselection.webp) Using the radio buttons, select where the execution of the applet will take place: @@ -22,17 +22,17 @@ Using the radio buttons, select where the execution of the applet will take plac textbox. This option uses proxy architecture and requires the targeted server to have the File System Proxy deployed. - - See the [File System Proxy Service Installation](../../../install/filesystemproxy/wizard.md) + - See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information - Specific Remote Servers by Host List – Assign hosts from a custom created host list for scanning. This option uses proxy architecture and requires the targeted servers to have the File System Proxy deployed - - See the [File System Proxy Service Installation](../../../install/filesystemproxy/wizard.md) + - See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information - ![Select Host Lists window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/selecthostlists.webp) + ![Select Host Lists window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/selecthostlists.webp) - Select Host Lists – Opens the Select Host Lists window displaying all the available hosts to choose from. If more than one list is selected, scanning is distributed across each host. 
@@ -42,7 +42,7 @@ Using the radio buttons, select where the execution of the applet will take plac It is best practice in global implementations to utilize a specific remote server or proxy scanner that is located in the same data center as the target hosts. This is particularly beneficial if the Access Analyzer Console server is in a different data center. See the -[Proxy Scanning Architecture](../../../install/filesystemproxy/overview.md#proxy-scanning-architecture) +[Proxy Scanning Architecture](/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md#proxy-scanning-architecture) topic for additional information. In the bottom section, the checkbox options affect the execution of the applet: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md index 9b82d60c25..77adc1f777 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md @@ -6,7 +6,7 @@ wizard page for the categories of: - System Access/Permission Auditing Scan - Sensitive Data -![FSAA Data Collector Wizard Scan Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) +![FSAA Data Collector Wizard Scan Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettings.webp) In the Scan Protocols section, select the desired checkboxes for including certain types of shared folders: 
@@ -22,7 +22,7 @@ In the middle section, select the desired checkboxes for additional settings: this wizard to scan for protection labels and encrypted files for sensitive data - See the - [Azure Information Protection Target Requirements](../../../requirements/target/config/azureinformationprotection.md) + [Azure Information Protection Target Requirements](/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md) for additional information. - Use SQL query to manually specify shares – For advanced SQL users. This option provides a least @@ -34,7 +34,7 @@ In the middle section, select the desired checkboxes for additional settings: - NetApp communication security – This option provides the ability to choose levels of encryption and authentication applied during Access Auditing scans of NetApp devices - ![NetApp communication security options](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettingsnetapp.webp) + ![NetApp communication security options](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scansettingsnetapp.webp) - HTTPS – Encrypts communication and verifies the targeted server’s SSL certificate - HTTPS, Ignore Certificate Errors – Encrypts communication but ignores certificate errors @@ -69,7 +69,7 @@ Sensitive Data Scan categories and contains the following options: If desired, enable this feature and click **Configure Query** to open the Manual Share Query window. -![Maual Shares Query window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maualsharesquery.webp) +![Maual Shares Query window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/maualsharesquery.webp) The SQL query provided by a user should return a list of all shares in the target environment. The target tables must reside within the Access Analyzer database and contain at least the following 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md index 4d3ff66589..d6c80b6810 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md @@ -7,7 +7,7 @@ following categories: - File System Access/Permission Auditing Scan - Sensitive Data -![FSAA Data Collector Wizard Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingoptions.webp) +![FSAA Data Collector Wizard Scoping Options page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingoptions.webp) The Scoping Options buttons have the following: @@ -43,7 +43,7 @@ The Scoping Configuration Window allows a specific share or folder to be include the scan. Only included resources require additional scoping. Remember, these settings override the default scoping settings for the selected resource. -![Scoping Configuration Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingconfigurationwindow.webp) +![Scoping Configuration Window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingconfigurationwindow.webp) Set the Resource Name and Host Name: @@ -83,7 +83,7 @@ Then set Scoping Type and Priority: it is excluded. **NOTE:** Any included files or folders inherit all options previously checked in the - [FSAA: Default Scoping Options](defaultscopingoptions.md) page. Manually apply new options if + [FSAA: Default Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md) page. Manually apply new options if the default ones are not desired in this scan. - Priority – Numerical value that determines which options are used in the case of more than one 
@@ -97,9 +97,9 @@ Then set Scoping Type and Priority: used. The scoping option with the child takes precedence over the parent. - Enable Button – Adds the scoping option to the scan criteria -See the [Scan Settings Tab](defaultscopingoptions/scansettings.md), -[File Details Tab](defaultscopingoptions/filedetails.md), and -[File Properties (Folder Summary) Tab](defaultscopingoptions/fileproperties.md) tabs for more detail +See the [Scan Settings Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md), +[File Details Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md), and +[File Properties (Folder Summary) Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md) tabs for more detail on these scoping options. ## Common Scoping Scenarios @@ -110,7 +110,7 @@ Scenario 1 Scan for all shares except one. -![Common Scoping Options example Scenario 1](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario1.webp) +![Common Scoping Options example Scenario 1](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario1.webp) All shares included except for the ProbableOwner share. @@ -118,7 +118,7 @@ Scenario 2 Scan for one share and exclude all others. -![Common Scoping Options example Scenario 2](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario2.webp) +![Common Scoping Options example Scenario 2](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario2.webp) The ProbableOwner Share is included. All other shares are excluded. Share Inclusion must have a priority that is greater than or equal to the Share Exclusion. 
@@ -127,7 +127,7 @@ Scenario 3 Scan all folders except one. -![Common Scoping Options example Scenario 3](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario3.webp) +![Common Scoping Options example Scenario 3](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario3.webp) All Shares are scanned and all folders are included except for C:\ProbableOwner\DifferentOwner. @@ -135,7 +135,7 @@ Scenario 4 Scan one folder and exclude all others. -![Common Scoping Options example Scenario 4](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario4.webp) +![Common Scoping Options example Scenario 4](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario4.webp) The ProbableOwner Share is included and all other shares are excluded. Within the ProbableOwner Share, Folder path C:\ProbableOwner\DifferentOwner is included. All other folder paths are excluded. @@ -144,7 +144,7 @@ Scenario 5 Scan one folder and all of its children and exclude all others. -![Common Scoping Options example Scenario 5](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario5.webp) +![Common Scoping Options example Scenario 5](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario5.webp) The ProbableOwner Share is included and all other shares are excluded. Within the ProbableOwner Share, Folder path C:\ProbableOwner\DifferentOwner is included along with all of its children 
@@ -154,7 +154,7 @@ Scenario 6 Scan for all content within a folder except one sub-folder. -![Common Scoping Options example Scenario 6](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario6.webp) +![Common Scoping Options example Scenario 6](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsscenario6.webp) The ProbableOwner Share is included and all other shares are excluded. Within the ProbableOwner Share, Folder path C:\ProbableOwner\DifferentOwner is included along with all of its children @@ -172,6 +172,6 @@ For example, in the scenario below, the NFS export named NFS_Export is included. are excluded. Within the NFS_Export export, folder path \ifs\NFS_Export\Test_Folder is included. All other folder paths are excluded. -![FSAA Scoping Options NFS export example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsnfsexports.webp) +![FSAA Scoping Options NFS export example](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/commonscopingoptionsnfsexports.webp) Note the different slash types for exports compared to folders. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md index 8cbfb2bb01..fca918e083 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md @@ -8,7 +8,7 @@ wizard page for the following categories: - File System Access/Permission Auditing Scan - Sensitive Data -![FSAA Data Collector Wizard Scoping Queries page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueries.webp) +![FSAA Data Collector Wizard Scoping Queries page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueries.webp) The Scoping Queries buttons have the following functionality: 
@@ -47,13 +47,13 @@ the previous page of the wizard to exclude all other shares. For example, to restrict the scan to only Open Shares and exclude all other shares, the Scoping Options page should be configured as shown: -![FSAA Data Collector Wizard Scoping Options page Open shares configuration](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingoptionsopenshares.webp) +![FSAA Data Collector Wizard Scoping Options page Open shares configuration](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingoptionsopenshares.webp) The Scoping Queries page should be configured as shown: -![FSAA Data Collector Wizard Scoping Queries page Open shares configuration](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueriesopenshares.webp) +![FSAA Data Collector Wizard Scoping Queries page Open shares configuration](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueriesopenshares.webp) -See the [FSAA: Scoping Options](scopingoptions.md) topic for additional information and common +See the [FSAA: Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md) topic for additional information and common scoping scenarios. ## Scoping Query Configuration Window @@ -61,7 +61,7 @@ scoping scenarios. The Scoping Query Configuration window allows you to create a custom Scoping Query to specify shares and folders to be included in or excluded from the scan. -![Scoping Query Configuration window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueryconfiguration.webp) +![Scoping Query Configuration window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/scopingqueryconfiguration.webp) Configure the following fields: 
@@ -79,7 +79,7 @@ Configure the following fields: Clicking **Configure Query** on the Scoping Query Configuration Window brings up the Advanced Scoping Options Query Configuration window. -![Advanced Scoping Options Query Configuration window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/advancedscopingoptionsqueryconfiguration.webp) +![Advanced Scoping Options Query Configuration window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/advancedscopingoptionsqueryconfiguration.webp) Follow the steps to configure a query. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md index fc56139c9a..21bd82748c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md 
@@ -3,13 +3,13 @@ The SDD Criteria Settings page is where criteria to be used for discovering sensitive data during a scan is configured. It is a wizard page for the category of Sensitive Data Scan. -![FSAA Data Collector Wizard SDD Criteria Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sddcriteria.webp) +![FSAA Data Collector Wizard SDD Criteria Settings page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sddcriteria.webp) The options on the SDD Criteria Settings page are: - Use Global Criterion Selection – Select this option to inherit sensitive data criteria settings from the **Settings** > **Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for - Select All - Click **Select All** to enable all sensitive data criteria for scanning @@ -24,5 +24,5 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in the **Settings** > **Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md index bba5b386d5..42bb0f8616 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md 
@@ -3,7 +3,7 @@ The Sensitive Data Settings page is where sensitive data discovery settings are configured. It is a wizard page for the category of Sensitive Data Scan. -![FSAA Data Collector Wizard Sensitive Data Settings page](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) +![FSAA Data Collector Wizard Sensitive Data Settings page](/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) - Don’t process files larger than: [number] MB – Limits the files to be scanned for sensitive content to only files smaller than the specified size diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/updateservicesettings.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/updateservicesettings.md index 8f64830116..d5db24b94e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/updateservicesettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/updateservicesettings.md @@ -5,7 +5,7 @@ updated on hosts where the service has already been installed. It requires the F Service to be v8.0 or later prior to using this feature. It is a wizard page for the category of Update Proxy Service. -![FSAA Data Collector Wizard FSAA Update Service Setting page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/updateservice.webp) +![FSAA Data Collector Wizard FSAA Update Service Setting page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/updateservice.webp) Configure the settings for the targeted File System Proxy Service: 
@@ -17,4 +17,4 @@ Configure the settings for the targeted File System Proxy Service: - Scan cancellation timeout: [number] minute(s) – When selected, this option will timeout the applet if there is an attempt to pause the scan and the applet does not respond -See the [FSAA: Applet Settings](appletsettings.md) topic for additional information. +See the [FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/workflows.md b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/workflows.md index d2f5094a65..d9734f0376 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/fsaa/workflows.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/fsaa/workflows.md @@ -38,7 +38,7 @@ window displays. **FILESYSTEMACCESS** and then click the **Configure** button. The File System Access Auditor Data Collector Wizard opens. -![FSAA Data Collector Wizard Query Selection page with Remove scan executables and data option selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/queryselectionremovescanexecutablesdata.webp) +![FSAA Data Collector Wizard Query Selection page with Remove scan executables and data option selected](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/queryselectionremovescanexecutablesdata.webp) **Step 4 –** On the Query Selection page, select the **Remove scan executables and data** category. @@ -65,7 +65,7 @@ the components are updated. Finally, the service restarts itself. manually updated to at least v8.0 on the proxy server before this query can be used to automate the process. -Follow the [Upgrade Proxy Service Procedure](../../../install/filesystemproxy/upgrade.md) and use +Follow the [Upgrade Proxy Service Procedure](/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md) and use the FS_UpdateProxy Job. ## Remove Host Category 
@@ -93,7 +93,7 @@ window displays. **FILESYSTEMACCESS** and then click **Configure**. The File System Access Auditor Data Collector Wizard opens. -![FSAA Data Collector Wizard Query Selection page with Remove host data option selected](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/queryselectionremovehostdata.webp) +![FSAA Data Collector Wizard Query Selection page with Remove host data option selected](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/queryselectionremovehostdata.webp) **Step 4 –** On the Query Selection page, select the **Remove host data** category. @@ -111,9 +111,9 @@ configuration prior to job execution. The FS_SDD_DELETE job removes host and criteria sensitive data matches from the Tier 1 database. It is preconfigured to run analysis tasks with temporary tables that requires modification prior to job execution. It is available through the Instant Job Library under the File System library. See the -[Instant Job Wizard](../../jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. -![FS_SDD_DELETE Job in Job's Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddelete.webp) +![FS_SDD_DELETE Job in Job's Tree](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddelete.webp) The 0.Collection Job Group must be run before executing the FS_SDD_DELETE Job. 
@@ -124,7 +124,7 @@ The analysis tasks are deselected by default. View the analysis tasks by navigat **CAUTION:** Applying these analysis tasks result in the deletion of collected data. -![FS_SDD_DELETE Job Analysis Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeleteanalysistasks.webp) +![FS_SDD_DELETE Job Analysis Selection page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeleteanalysistasks.webp) - Delete Criteria – Remove all SDD Data for a Specified Criteria - Delete Host – Remove all SDD Data Related to a Host @@ -170,7 +170,7 @@ Editor. Follow the steps to customize analysis task parameters. **Step 2 –** In the Analysis Selection view, select the desired analysis task and click on **Analysis Configuration**. The SQL Script Editor opens. -![ FS_SDD_DELETE Job Analysis Task in SQL Script Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeletesqlscripteditor.webp) +![ FS_SDD_DELETE Job Analysis Task in SQL Script Editor](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeletesqlscripteditor.webp) **Step 3 –** In the Parameters section at the bottom of the editor, select either the **#Criteria** or **#hosts** row, depending on the analysis task chosen, and then **Edit Table**. The Edit Table @@ -178,7 +178,7 @@ window opens. **CAUTION:** Do not change any parameters where the Value states `Created during execution`. -![SQL Script Editor Edit Table window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeletesqlscripteditoredittable.webp) +![SQL Script Editor Edit Table window](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/sdddeletesqlscripteditoredittable.webp) **Step 4 –** Use the **Add New Item** button to enter host names or criteria to the temporary table list manually, or select the **Browse** button to upload a list of hosts in CSV format. Click **OK** 
@@ -201,9 +201,9 @@ System Solution as well as the standard tables and views generated by the FSAA D It is available through the Instant Job Library under the File System library. Since this job does not require a host to target, select Local host on the Hosts page of the Instant Job Wizard. See the -[Instant Job Wizard](../../jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. -![FS_DropTables Job in Job's Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptables.webp) +![FS_DropTables Job in Job's Tree](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptables.webp) The 0.Collection Job Group must be run before executing the FS_DropTables Job. @@ -214,7 +214,7 @@ The analysis tasks are deselected by default. View the analysis tasks by navigat **CAUTION:** Applying these analysis tasks result in the deletion of collected data. -![FS_DropTables Job Analysis Selection page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptablesanalysistasks.webp) +![FS_DropTables Job Analysis Selection page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/droptablesanalysistasks.webp) - 1. Drop FSAA functions – Removes all functions and views from previous runs of the File System Solution diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/category.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/category.md index 4c496cb132..f7e2e443d9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/category.md 
@@ -2,7 +2,7 @@ On the GroupPolicy Data Collector Category page, select the required query category to be executed. -![Group Policy Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Group Policy Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The available categories are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/options.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/options.md index c686e75b4f..c65f276ee8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/options.md @@ -3,7 +3,7 @@ The Options page is used to configure how to return multi-valued properties and how policy results are presented. It is a wizard page for all categories. -![Group Policy Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Group Policy Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md index 9aa232a86f..51051192f8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md 
@@ -11,8 +11,8 @@ within the Active Directory Solution and the Windows Solution. While the data co with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer licenses. See the following topics for additional information: -- [Active Directory Solution](../../../solutions/activedirectory/overview.md) -- [Windows Solution](../../../solutions/windows/overview.md) +- [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) +- [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) Protocols @@ -37,13 +37,13 @@ available pages change based upon the query category selected. It contains the f pages: - Welcome -- [GroupPolicy: Category](category.md) -- [GroupPolicy: Target](target.md) -- [GroupPolicy: Policies List](policieslist.md) -- [GroupPolicy: Options](options.md) -- [GroupPolicy: Summary](summary.md) +- [GroupPolicy: Category](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/category.md) +- [GroupPolicy: Target](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/target.md) +- [GroupPolicy: Policies List](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/policieslist.md) +- [GroupPolicy: Options](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/options.md) +- [GroupPolicy: Summary](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/summary.md) -![Group Policy Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Group Policy Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. 
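Review bot: in the @@ -37,13 hunk the Group Policy wizard's Welcome page image resolves to /img/product_docs/activitymonitor/activitymonitor/install/welcome.webp, an asset under the Activity Monitor tree rather than accessanalyzer. The path rewrite preserves the old target, but confirm that the screenshot really shows the Group Policy Data Collector Wizard. If it does, a copy under /img/product_docs/accessanalyzer/ would keep this page from changing when the other product's images are updated.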
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/policieslist.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/policieslist.md index 2025069eae..895a496c98 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/policieslist.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/policieslist.md @@ -7,7 +7,7 @@ a wizard page for the categories of: - Policies State for all GPOs - Local Policies -![Group Policy Data Collector Wizard Policies List page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/grouppolicy/policieslist.webp) +![Group Policy Data Collector Wizard Policies List page](/img/product_docs/accessanalyzer/admin/datacollector/grouppolicy/policieslist.webp) Select the policies or policy parts to be audited. The category dictates how this selection is applied across the domain or local host. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/summary.md index 2f130a62c0..16ef54664d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all categories. -![Group Policy Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Group Policy Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Group Policy Data Collector Wizard to ensure that no accidental clicks 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/target.md b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/target.md index e1a05fcc7b..d540c4f847 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/target.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/target.md @@ -7,7 +7,7 @@ identified. It is a wizard page for the categories of: - Policies State for all GPOs - Local Policies -![Group Policy Data Collector Wizard Target page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) +![Group Policy Data Collector Wizard Target page](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) In the Connect to section of the page, select from the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/inifile/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/inifile/overview.md index 88c28121a4..3355ceb393 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/inifile/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/inifile/overview.md 
@@ -24,11 +24,11 @@ The INIFile Data Collector is configured through the INI File Data Collector Wi following wizard pages: - Welcome -- [INIFile: Target Files](targetfiles.md) -- [INIFile: Properties](properties.md) -- [INIFile: Summary](summary.md) +- [INIFile: Target Files](/docs/accessanalyzer/12.0/admin/datacollector/inifile/targetfiles.md) +- [INIFile: Properties](/docs/accessanalyzer/12.0/admin/datacollector/inifile/properties.md) +- [INIFile: Summary](/docs/accessanalyzer/12.0/admin/datacollector/inifile/summary.md) -![INI File Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![INI File Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/inifile/properties.md b/docs/accessanalyzer/12.0/admin/datacollector/inifile/properties.md index 99fb4da032..2c331a248d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/inifile/properties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/inifile/properties.md @@ -2,7 +2,7 @@ The Properties page identifies data about the INI file for auditing. -![INI File Data Collector Wizard Properties page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![INI File Data Collector Wizard Properties page](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) Use the following options to determine which data to adult: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/inifile/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/inifile/summary.md index 586708d960..8489e36d18 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/inifile/summary.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/inifile/summary.md @@ -2,7 +2,7 @@ The Summary page is where the selected configuration settings are listed. -![INI File Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![INI File Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the INIFile Data Collector Wizard ensuring that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/inifile/targetfiles.md b/docs/accessanalyzer/12.0/admin/datacollector/inifile/targetfiles.md index 8b9218c1fe..262ade91b0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/inifile/targetfiles.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/inifile/targetfiles.md @@ -3,7 +3,7 @@ The Target Files page identifies the location and name of the INI file from which to collect information. -![INI File Data Collector Wizard Target Files page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/inifile/targetfiles.webp) +![INI File Data Collector Wizard Target Files page](/img/product_docs/accessanalyzer/admin/datacollector/inifile/targetfiles.webp) Configure the Target Files options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/ldap.md b/docs/accessanalyzer/12.0/admin/datacollector/ldap.md index d24d71df15..7fe00089d6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/ldap.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/ldap.md 
@@ -8,7 +8,7 @@ domain. Wildcards and LDAP filters can be applied to the query configurations. The LDAP Data Collector is a core component of Access Analyzer, but it has been preconfigured within the Active Directory Solution. While the data collector is available with all Access Analyzer license options, the Active Directory Solution is only available with a special Access Analyzer -license. See the [Active Directory Solution](../../solutions/activedirectory/overview.md) topic for +license. See the [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information. Protocols @@ -28,7 +28,7 @@ Permissions The LDAP Data Collector is configured through the LDAP template form. The LDAP template form has the following configuration options: -![LDAP template form](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/templateform.webp) +![LDAP template form](/img/product_docs/accessanalyzer/admin/datacollector/templateform.webp) - Connect to the server – Use the default domain controller entered in the box, or enter an alternate server @@ -59,7 +59,7 @@ The button bar provides additional options for selecting objects and attributes. The Options window contains configure connection options and multi-value results options. Click the **Options** button located in the upper right corner of the LDAP template form to open it. -![Options Window](../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Options Window](/img/product_docs/accessanalyzer/install/application/options.webp) - Connect Securely with TL/SSL – Connect using TLS/SSL. If the checkbox is selected, the server port defaults to `636`. 
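Review bot: the context line directly under the changed image in the @@ -59,7 hunk reads "Connect Securely with TL/SSL", which should be "TLS/SSL" to match the rest of that sentence; worth fixing while this file is open. The image itself points at /img/product_docs/accessanalyzer/install/application/options.webp, the same asset that grouppolicy/options.md uses for its wizard Options page, so check that one screenshot is correct for both the LDAP Options window and that page.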
@@ -89,7 +89,7 @@ The Options window contains configure connection options and multi-value results The Filter Options window is where to add filters to the query. Click the ellipses (**…**) button located to the right of the **LDAP filter** box in the LDAP template form to open this window. -![filteroptions](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/filteroptions.webp) +![filteroptions](/img/product_docs/accessanalyzer/admin/datacollector/filteroptions.webp) - Extract all objects (no filter) – No filters applied - Extract only objects of the following classes – Applies class filter for selected classes @@ -108,7 +108,7 @@ located to the right of the **LDAP filter** box in the LDAP template form to ope The Custom Filter window provides options for creating a complex filter. -![Custom Filter window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) +![Custom Filter window](/img/product_docs/accessanalyzer/admin/datacollector/customfilter.webp) Select a **Field** and **Condition** from the drop-down lists. Enter a **Value** for the condition. Click **Add** to add the filter to the Filter Lines table. @@ -117,7 +117,7 @@ Click **Add** to add the filter to the Filter Lines table. selected by default. - Edit Raw Filter – Opens the Raw Filter Edit window - ![Raw Filter Edit window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/rawfilteredit.webp) + ![Raw Filter Edit window](/img/product_docs/accessanalyzer/admin/datacollector/rawfilteredit.webp) Enter the entire LDAP filter in the textbox. Click **Verify** to confirm the filter, and then **OK** to add it to the custom filter list. 
@@ -130,17 +130,17 @@ Click **OK** to save the changes and close the Custom Filter window. The button bar provides several options for configuring the query. -![buttonbar](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) +![buttonbar](/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) | Button | Name | Description | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------------------------------------------------------------------- | -| ![Include sublevels button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sublevels.webp) | Include sublevels | Include sublevel folders of the selected folder. | -| ![Org wildcard button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/orgwildcard.webp) | Org wildcard | Search for the attribute across multiple domains. | -| ![Wildcard the level button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/wildcard.webp) | Wildcard the level | Search everything on the selected level. | -| ![Unwildcard all levels button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unwildcard.webp) | Unwildcard all levels | Removes the wildcard and returns the search scope to the selected domain. | -| ![Include a HostName Tag button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/includehostname.webp) | Include a HostName Tag | Replaces the OU with a HostName Tag. | -| ![Remove all HostName Tags button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/removehostname.webp) | Remove all HostName Tags | Removes the HostName Tag. 
| -| ![Add Security Properties for Selected Key button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addsecurityproperties.webp) | Add Security Properties for Selected Key | Adds the list of security properties. | -| ![Select Highlighted Attributes button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addattributes.webp) | Select Highlighted Attributes | Adds the highlighted attributes to the list. | -| ![Delete the Highlighted Selected Attributes button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/deleteattributes.webp) | Delete the Highlighted Selected Attributes | Deletes the highlighted attributes from the list. | -| ![Find the Root Path in the Directory Objects button](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/rootpath.webp) | Find the Root Path in the Directory Objects | Returns the root path to the selected root. | +| ![Include sublevels button](/img/product_docs/accessanalyzer/admin/datacollector/sublevels.webp) | Include sublevels | Include sublevel folders of the selected folder. | +| ![Org wildcard button](/img/product_docs/accessanalyzer/admin/datacollector/orgwildcard.webp) | Org wildcard | Search for the attribute across multiple domains. | +| ![Wildcard the level button](/img/product_docs/accessanalyzer/admin/datacollector/wildcard.webp) | Wildcard the level | Search everything on the selected level. | +| ![Unwildcard all levels button](/img/product_docs/accessanalyzer/admin/datacollector/unwildcard.webp) | Unwildcard all levels | Removes the wildcard and returns the search scope to the selected domain. | +| ![Include a HostName Tag button](/img/product_docs/accessanalyzer/admin/datacollector/includehostname.webp) | Include a HostName Tag | Replaces the OU with a HostName Tag. 
| +| ![Remove all HostName Tags button](/img/product_docs/accessanalyzer/admin/datacollector/removehostname.webp) | Remove all HostName Tags | Removes the HostName Tag. | +| ![Add Security Properties for Selected Key button](/img/product_docs/accessanalyzer/admin/datacollector/addsecurityproperties.webp) | Add Security Properties for Selected Key | Adds the list of security properties. | +| ![Select Highlighted Attributes button](/img/product_docs/accessanalyzer/admin/datacollector/addattributes.webp) | Select Highlighted Attributes | Adds the highlighted attributes to the list. | +| ![Delete the Highlighted Selected Attributes button](/img/product_docs/accessanalyzer/admin/datacollector/deleteattributes.webp) | Delete the Highlighted Selected Attributes | Deletes the highlighted attributes from the list. | +| ![Find the Root Path in the Directory Objects button](/img/product_docs/accessanalyzer/admin/datacollector/rootpath.webp) | Find the Root Path in the Directory Objects | Returns the root path to the selected root. | diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/category.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/category.md index 093a30eed7..252217728d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/category.md @@ -2,7 +2,7 @@ The Category page is used to identify which type of NIS information to retrieve. -![NIS Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![NIS Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The NIS Data Collector contains two query categories: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md index c40c0ba654..ca39eb3fc5 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md @@ -13,7 +13,7 @@ Create a Connection Profile and set the following information on the User Creden - Select Account Type – Unix Account - User name – Enter user name - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Password/Confirm @@ -37,14 +37,14 @@ Create a Connection Profile and set the following information on the User Creden - If desired, select this option and provide the key value Once the Connection Profile is created, it is time to create the custom host list. See the -[Connection](../../settings/connection/overview.md) topic for additional information. +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Custom Host List The custom host list only needs to include a single NIS server in the targeted NIS domain. Follow -the steps in the [Add Hosts](../../hostmanagement/actions/add.md) topic for instructions on how to +the steps in the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for instructions on how to create a custom static host list. See the -[Recommended Configuration for the .NIS Inventory Solution](../../../solutions/nisinventory/recommended.md) +[Recommended Configuration for the .NIS Inventory Solution](/docs/accessanalyzer/12.0/solutions/nisinventory/recommended.md) topic for information on where to assign the Connection Profile and host list. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/overview.md index 5ed33ca7a2..b8452929f6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/overview.md @@ -4,7 +4,7 @@ The NIS Data Collector inventories a NIS domain for user and group information, Windows-style SIDs. This data collector is a core component of Access Analyzer and has been preconfigured within the .NIS Inventory Solution. Both this data collector and the solution are available with all Access Analyzer license options. See the -[.NIS Inventory Solution](../../../solutions/nisinventory/overview.md) topic for additional +[.NIS Inventory Solution](/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md) topic for additional information. Protocols 
@@ -26,14 +26,14 @@ The NIS Data Collector is configured through the NIS Data Collector Wizard, whic following wizard pages: - Welcome -- [NIS: Category](category.md) -- [NIS: NIS Settings](settings.md) -- [NIS: SID Mappings](sidmappings.md) -- [NIS: NIS Query](query.md) -- [NIS: Results](results.md) -- [NIS: Summary](summary.md) - -![NIS Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [NIS: Category](/docs/accessanalyzer/12.0/admin/datacollector/nis/category.md) +- [NIS: NIS Settings](/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md) +- [NIS: SID Mappings](/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md) +- [NIS: NIS Query](/docs/accessanalyzer/12.0/admin/datacollector/nis/query.md) +- [NIS: Results](/docs/accessanalyzer/12.0/admin/datacollector/nis/results.md) +- [NIS: Summary](/docs/accessanalyzer/12.0/admin/datacollector/nis/summary.md) + +![NIS Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/query.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/query.md index 1022402931..3ca1139631 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/query.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/query.md @@ -5,7 +5,7 @@ wizard page for the category of: - Custom NIS Scan -![NIS Data Collector Wizard NIS Query page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![NIS Data Collector Wizard NIS Query page](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) The Data Source configuration options are: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/results.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/results.md index bd38023feb..775132a230 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/results.md @@ -3,7 +3,7 @@ The Results page is where properties from Unix to be gathered are selected. It is a wizard page for both categories. -![NIS Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![NIS Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Available properties have checkboxes that can be selected individually, or you can use the **Select All**, **Clear All**, and **Reset to defaults** buttons. All selected properties are gathered. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md index 9457f64df5..55c48e7769 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md @@ -3,7 +3,7 @@ The NIS Settings page is where the NIS domain and a NIS server are configured for testing. It is a wizard page for both categories. -![NIS Data Collector Wizard NIS Settings page](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![NIS Data Collector Wizard NIS Settings page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) Configure the NIS domain and sample NIS server: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md index f1fde0ae20..24e92b9998 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md 
@@ -5,7 +5,7 @@ specified. It is a wizard page for the category of: - Scan NIS User and Groups -![NIS Data Collector Wizard SID Mappings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/sidmappings.webp) +![NIS Data Collector Wizard SID Mappings page](/img/product_docs/accessanalyzer/admin/datacollector/nis/sidmappings.webp) The default settings work for most environments. Use this page to **Add**, **Edit**, or **Remove** ID Mappings. Multiple entries are allowed. For each range of User ID or Group ID entered, the offset diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nis/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/nis/summary.md index fd3246146a..8fe25c804f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nis/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nis/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for both categories. -![NIS Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![NIS Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the NIS Data Collector Wizard to ensure that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/category.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/category.md index 67a600da64..64d3b4d59a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/category.md 
@@ -3,7 +3,7 @@ The Category page in the NoSQL Data Collector Wizard lists the following query categories, sub-divided by auditing focus: -![NoSQL Data Collector Wizard Category Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![NoSQL Data Collector Wizard Category Page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The query categories are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md index 89d174e475..5200e6b07a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md @@ -19,10 +19,10 @@ For an Active Directory account, set the following on the User Credentials windo - Password Storage – Choose the option for credential password storage: - Application – Uses the configured Profile Security setting as selected at the **Settings** > - **Application** node. See the [Application](../../settings/application/overview.md) topic for + **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. - CyberArk – Uses the CyberArk Enterprise Password Vault. See the - [CyberArk Integration](../../settings/connection/cyberarkintegration.md) topic for additional + [CyberArk Integration](/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md) topic for additional information. The password fields do not apply for CyberArk password storage. - Password – Type the password 
@@ -35,21 +35,21 @@ For a SQL account, set the following on the User Credentials window: - Select Account Type – SQL Authentication - User name – Enter user name - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Password – Type the password - Confirm – Re-type the password -See the [Connection](../../settings/connection/overview.md) and -[Application](../../settings/application/overview.md) topics for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) and +[Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topics for additional information. ## Host List Jobs using the NoSQL Data Collector must create a host list with the servers containing the target databases. Setup the list of MongoDB hosts that needs to be monitored. Be sure to use a specific host name (if forcing the connection to a secondary host) or just the cluster name if connecting to -the cluster. See the [Host Management](../../hostmanagement/overview.md) topic for additional +the cluster. See the [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. Additionally, the database clusters / instances must be added to the Filter page in the query -configuration. See the [NoSQL: Filter](filter.md) topic for additional information. +configuration. See the [NoSQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md index 95567e9463..ab8ba9b4ec 100644 
--- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md @@ -3,13 +3,13 @@ The Criteria page is where the criteria to be used for discovering sensitive data is configured. It is a wizard page for the category of Sensitive Data Collection. -![NoSQL Data Collector Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![NoSQL Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The options on the Criteria page are: - Use Global Criteria Selection – Select this option to inherit sensitive data criteria settings from the **Settings** > **Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for @@ -25,7 +25,7 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in **Settings** > **Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **NOTE:** Adding unnecessary criteria can adversely impact the scanner performance and can cause the diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md index 7431d0e323..7bdbe8ada8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md 
@@ -6,7 +6,7 @@ wizard page for the Sensitive Data Collection category. It is necessary to populate the available Mongo databases/instances before the query can be scoped. See the [Manage Connections Window](#manage-connections-window) topic for additional information. -![NoSQL Data Collector Wizard Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![NoSQL Data Collector Wizard Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) The Filter page has the following buttons: @@ -47,7 +47,7 @@ The configurable filter options are: The Manage Connections window enables users to add MongoDB database instances to search for sensitive data. Click **Connections** to open the window. -![Manage Connections window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) +![Manage Connections window](/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) The Manage Connections table lists the previously added database instances and their attributes. @@ -88,7 +88,7 @@ The Manage Connections window has the following buttons: The Build / Edit Pattern window enables users to apply a custom scoping filter to the query. -![Edit Existing Pattern window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nosql/editpattern.webp) +![Edit Existing Pattern window](/img/product_docs/accessanalyzer/admin/datacollector/nosql/editpattern.webp) The Build / Edit Pattern window has the following features: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md index e0182d1eb5..83be66b9ac 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md 
@@ -3,7 +3,7 @@ Use the Sensitive Data Scan Settings (Options) page to configure additional settings for the sensitive data scan. It is a wizard page for the Sensitive Data Collection category. -![NoSQL Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![NoSQL Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The sensitive data scan settings are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/overview.md index 5b4c15d118..3edf77eb51 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/overview.md @@ -6,7 +6,7 @@ data. It also supports the execution of custom queries against all targeted Mong The NoSQL Data Collector has been preconfigured within the MongoDB Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[MongoDB Solution](../../../solutions/databases/mongodb/overview.md) topic for additional +[MongoDB Solution](/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md) topic for additional information. Protocols 
@@ -44,9 +44,9 @@ is configured to scan 8 hosts at a time , then an extra 16 GB of RAM are require The NoSQL Data Collector is configured through the NoSQL Data Collector Wizard. The wizard contains the following pages, which change based upon the query category selected: -- [NoSQL: Category](category.md) -- [NoSQL: Options](options.md) -- [NoSQL: Criteria](criteria.md) -- [NoSQL: Filter](filter.md) -- [NoSQL: Results](results.md) -- [NoSQL: Summary](summary.md) +- [NoSQL: Category](/docs/accessanalyzer/12.0/admin/datacollector/nosql/category.md) +- [NoSQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md) +- [NoSQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md) +- [NoSQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md) +- [NoSQL: Results](/docs/accessanalyzer/12.0/admin/datacollector/nosql/results.md) +- [NoSQL: Summary](/docs/accessanalyzer/12.0/admin/datacollector/nosql/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/results.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/results.md index 1ee2eba965..39a3be5f1f 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/results.md @@ -3,7 +3,7 @@ The Results page is where the properties that will be gathered are selected. It is a wizard page for all of the categories. -![NoSQL Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![NoSQL Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually, or the **Select All**, **Clear All**, and **Reset to Defaults** buttons can be used. All selected properties are gathered. Available properties vary 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/nosql/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/nosql/summary.md index 4e763f04d8..d1f11bbb44 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/nosql/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/nosql/summary.md @@ -3,7 +3,7 @@ The Summary page is where the configuration settings are summarized. It is a wizard page for all of the categories. -![NoSQL Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![NoSQL Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the NoSQL Data Collector Wizard ensuring that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/overview.md index 317ab2ad38..1feaed7122 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/overview.md 
@@ -1,15 +1,15 @@ # Data Collectors This topic covers the configuration wizards that are unique to each data collector. See the -[Jobs Tree](../jobs/overview.md) topic for additional information on job configuration. +[Jobs Tree](/docs/accessanalyzer/12.0/admin/jobs/overview.md) topic for additional information on job configuration. ## Query Selection The Access Analyzer data collectors can collect information from a wide range of environments. Data collection tasks are assigned to jobs at the **Configure** > **Queries** node level. See the -[Queries Node](../jobs/job/configure/queries.md) topic for additional information. +[Queries Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md) topic for additional information. -![Query Selection page](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) +![Query Selection page](/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) The Query Selection page is split into the Tables and Queries sections. The Tables section has the following options: @@ -35,7 +35,7 @@ following options: Pre-built queries can be added to the Data Collector job through the Libraries window. -![Libraries window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addqueryfromlibrary.webp) +![Libraries window](/img/product_docs/accessanalyzer/admin/datacollector/addqueryfromlibrary.webp) The Libraries window toolbar has the following options: @@ -68,7 +68,7 @@ all three tabs listed. Use the General tab to modify the name or description of the query. -![General tab of the Query Properties window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesgeneral.webp) +![General tab of the Query Properties window](/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesgeneral.webp) The General tab displays: 
@@ -91,13 +91,13 @@ The General tab displays: When creating a new query, provide a unique, descriptive **Name** and **Description**. This information displays in the table on the Query Selection view. See the -[Queries Node](../jobs/job/configure/queries.md) topic for additional information. +[Queries Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md) topic for additional information. #### Data Source Tab Use the Data Source tab to configure the data collector and query. -| ![Data Source tab of Query Properties for new Query](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesdatasourceexisting.webp) | +| ![Data Source tab of Query Properties for new Query](/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesdatasourceexisting.webp) | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | New Query | Existing Query | 
@@ -125,7 +125,7 @@ See the individual data collector section for configuration wizard page informat Use the Filters tab to include filters into the data collection process. -| ![Filters tab of Query Properties window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesdatafilterswithfilter.webp) | +| ![Filters tab of Query Properties window](/img/product_docs/accessanalyzer/admin/datacollector/querypropertiesdatafilterswithfilter.webp) | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | No FIlter | With FIlter | diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/category.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/category.md index 2d690b0bce..50ed3fc01a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/category.md 
@@ -3,10 +3,10 @@ This Category page in the Password Security Data Collection Wizard identifies the kind of password information retrieved during a scan of the Active Directory. -![Password Security Data Collection Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Password Security Data Collection Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The Password Security Data Collection contains the following type of scan: - WeakPasswordScan – Scans an Active Directory for weak passwords. Returns password information per the configurable scan options including clear-text passwords. For additional information on scan - options, see the[PasswordSecurity: Options](options.md) topic. + options, see the[PasswordSecurity: Options](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md) topic. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md index c0899a1aaa..eb9e913594 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md @@ -3,7 +3,7 @@ The Dictionaries page provides configuration settings for storing passwords to be used as a reference for the scan. -![Password Security Data Collection Wizard Dictionary options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/passwordsecurity/dictionaries.webp) +![Password Security Data Collection Wizard Dictionary options page](/img/product_docs/accessanalyzer/admin/datacollector/passwordsecurity/dictionaries.webp) The configurable dictionary options are: 
@@ -100,7 +100,7 @@ Follow the steps to install the Pwnd Passwords Downloader. dotnet tool install --global haveibeenpwned-downloader ``` -![hibp_installation_0](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_0.webp) +![hibp_installation_0](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_0.webp) **Step 5 –** Close the command prompt. @@ -116,7 +116,7 @@ Follow the steps to update an installed Pwnd Passwords Downloader. dotnet tool update --global haveibeenpwned-downloader ``` -![hibp_installation_1](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_1.webp) +![hibp_installation_1](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_1.webp) ### Download NTML Hashes with the Pwnd Passwords Downloader @@ -133,7 +133,7 @@ Run: haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm ``` -![hibp_installation_3](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_3.webp) +![hibp_installation_3](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_3.webp) This screenshot shows the completed download. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md index db6763b16d..a55b733e71 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md 
@@ -2,7 +2,7 @@ The Options page provides format options for returned data. -![Password Security Data Collection Wizard Scan options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Password Security Data Collection Wizard Scan options page](/img/product_docs/accessanalyzer/install/application/options.webp) The configurable scan options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md index 5019335cea..26a6b4ecf7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md @@ -8,7 +8,7 @@ The PasswordSecurity Data Collector is a core component of Access Analyzer, but preconfigured within the Active Directory Solution. While the data collector is available with all Access Analyzer license options, the Active Directory Solution is only available with a special Access Analyzer license. See the -[Active Directory Solution](../../../solutions/activedirectory/overview.md) topic for additional +[Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information. Protocols 
@@ -34,8 +34,8 @@ Permissions The PasswordSecurity Data Collector is configured through the Password Security Data Collector Wizard, which contains the following wizard pages: -- [PasswordSecurity: Category](category.md) -- [PasswordSecurity: Options](options.md) -- [PasswordSecurity: Dictionaries](dictionaries.md) -- [PasswordSecurity: Results](results.md) -- [PasswordSecurity: Summary](summary.md) +- [PasswordSecurity: Category](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/category.md) +- [PasswordSecurity: Options](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/options.md) +- [PasswordSecurity: Dictionaries](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md) +- [PasswordSecurity: Results](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/results.md) +- [PasswordSecurity: Summary](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/results.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/results.md index 5594a3e69f..c4911f7480 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/results.md @@ -2,7 +2,7 @@ The Results page is where Active Directory properties to be gathered are selected. -![Password Security Data Collection Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Password Security Data Collection Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or by using the **Select All** or **Clear All** buttons. All selected properties are gathered. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/summary.md index dc3cc4d265..4287a6f9d3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. -![Password Security Data Collection Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Password Security Data Collection Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Active Directory Data Collector Wizard to ensure that no accidental diff --git a/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md b/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md index b220b12226..5e90991281 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md 
@@ -11,7 +11,7 @@ license features. The following table provides a quick reference for each data c | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ActiveDirectory _\*requires license_ | The ActiveDirectory Data Collector audits objects published in Active Directory. | - ADSI - LDAP - RPC | - TCP 389/636 - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Domain Administrators group | | ADActivity _\*requires license_ | The ADActivity Data Collector integrates with the Netwrix Activity Monitor by reading the Active Directory activity log files. 
| - HTTP - RPC | - TCP 4494 (configurable within the Netwrix Activity Monitor) | - Netwrix Activity Monitor API Access activity data - Netwrix Activity Monitor API Read - Read access to the Netwrix Activity Monitor Log Archive location | -| ADInventory | The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Access Analyzer. | - LDAP | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Read access to directory tree - List Contents & Read Property on the Deleted Objects Container **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft [Dsacls]() article for additional information. | +| ADInventory | The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Access Analyzer. | - LDAP | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Read access to directory tree - List Contents & Read Property on the Deleted Objects Container **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. | | ADPermissions _\*requires license_ | The ADPermissions Data Collector collects the advanced security permissions of objects in AD. | - ADSI - LDAP - RPC | - TCP 389 - TCP 135 – 139 - Randomly allocated high TCP ports | - LDAP Read permissions - Read on all AD objects - Read permissions on all AD Objects | | AWS | The AWS Data Collector collects IAM users, groups, roles, and policies, as well as S3 permissions, content, and sensitive data from the target Amazon Web Services (AWS) accounts. 
| - HTTPS | - 443 | - To collect details about the AWS Organization, the following permission is required: - organizations:DescribeOrganization - To collect details regarding IAM, the following permissions are required: - iam:GenerateCredentialReport - iam:GenerateServiceLastAccessedDetails - iam:Get\* - iam:List\* - iam:Simulate\* - sts:GetAccessKeyInfo - To collect details related to S3 buckets and objects, the following permissions are required: - s3:Describe\* - s3:Get\* - s3:HeadBucket - s3:List\* | | AzureADInventory | The AzureADInventory Data Collector catalogs user and group object information from Microsoft Entra ID, formerly Azure Active Directory. This data collector is a core component of Access Analyzer and is preconfigured in the .Entra ID Inventory Solution. | - HTTP - HTTPS - REST | - TCP 80 and 443 | - Microsoft Graph API - Application Permissions: - AuditLog.Read.All – Read all audit log data - Directory.Read.All – Read directory data - Delegated Permissions: - Group.Read.All – Read all groups - User.Read.All – Read all users' full profiles - Access URLs - https://login.windows.net - https://graph.windows.net - https://login.microsoftonline.com - https://graph.microsoft.com - All sub-directories of the access URLs listed | 
@@ -30,7 +30,7 @@ license features. The following table provides a quick reference for each data c | ExchangePS _\*requires license_ | The ExchangePS Data Collector utilizes the Exchange CMDlets to return information about the Exchange environment utilizing PowerShell. This data collector has been designed to work with Exchange 2010 and newer. | - PowerShell | - TCP 135 - Randomly allocated high TCP ports | For Exchange servers: - Remote PowerShell enabled on a single Exchange server - Windows Authentication enabled for the PowerShell Virtual Directory on the same Exchange server where Remote PowerShell has been enabled - View-Only Organization Management Role Group - Discovery Search Management Role Group - Public Folder Management Role Group - Mailbox Search Role For Exchange Online: - Discovery Management Role - Organization Management Role | | ExchangePublicFolder _\*requires license_ | The ExchangePublicFolder Data Collector audits an Exchange Public Folder, including contents, permissions, ownership, and replicas. | - MAPI - RPC | - TCP 135 - Randomly allocated high TCP ports | - Member of the Exchange Administrator group - Organization Management | | File | The File Data Collector provides file and folder enumeration, properties, and permissions. | - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports - Optional TCP 445 | - Member of the Local Administrators group | -| FileSystemAccess (FSAA) _\*requires license_ | The FileSystemAccess (FSAA) Data Collector collects permissions, content, and activity, and sensitive data information for Windows and NAS file systems. | - Remote Registry - WMI | - Ports vary based on the Scan Mode Option selected. See the [File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) topic for additional information. | - Permissions vary based on the Scan Mode Option selected. See the [File System Supported Platforms](../../requirements/target/filesystems.md) topic for additional information. 
| +| FileSystemAccess (FSAA) _\*requires license_ | The FileSystemAccess (FSAA) Data Collector collects permissions, content, and activity, and sensitive data information for Windows and NAS file systems. | - Remote Registry - WMI | - Ports vary based on the Scan Mode Option selected. See the [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. | - Permissions vary based on the Scan Mode Option selected. See the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. | | GroupPolicy | The GroupPolicy Data Collector provides the ability to retrieve the GPO’s list in the domain and where they are linked, return information on configured policies and policy parts from the individual policies that have been selected, return information on selected policy parts from all policies within the domain, and return effective security policies in effect at the individual workstation. | - LDAP - RPC | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Domain Administrators group (if targeting domain controllers) - Member of the Local Administrators group | | INIFile | The INIFile Data Collector provides options to configure a task to collect information about log entries on target hosts. | - RPC | - TCP 135-139 - Randomly allocated high TCP ports - Optional TCP 445 | - Member of the Local Administrators group | | LDAP | The LDAP Data Collector uses LDAP to query Active Directory returning the specified objects and attributes. | - LDAP | - TCP 389 | - Member of the Domain Administrators group | 
@@ -44,7 +44,7 @@ license features. The following table provides a quick reference for each data c | Registry | The Registry Data Collector queries the registry and returns keys, key values, and permissions on the keys. | - Remote Registry - RPC | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group | | Script | The Script Data Collector provides VB Script exit from Access Analyzer. | - VB Script | - Randomly allocated high TCP ports | - Member of the Local Administrators group - Member of the Domain Administrators group (if targeting domain controllers) | | Services | The Services Data Collector enumerates status and settings from remote services. | - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group | -| SharePointAccess (SPAA) _\*requires license_ | The SharePointAccess (SPAA) Data Collector audits access, group membership, and content within a SharePoint on-premises and SharePoint Online environment. The SPAA Data Collector has been preconfigured within the SharePoint Solution. | - MS SQL - Remote Registry - SP CSOM (Web Services via HTTP & HTTPS) - SP Server API - WCF AUTH via TCP (configurable) | - Ports vary based on the Scan Mode selected and target environment. See the [SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) topic for additional information. | - Permissions vary based on the Scan Mode selected and target environment. See the [SharePoint Support](../../requirements/target/sharepoint.md) topic for additional information. | +| SharePointAccess (SPAA) _\*requires license_ | The SharePointAccess (SPAA) Data Collector audits access, group membership, and content within a SharePoint on-premises and SharePoint Online environment. The SPAA Data Collector has been preconfigured within the SharePoint Solution. 
| - MS SQL - Remote Registry - SP CSOM (Web Services via HTTP & HTTPS) - SP Server API - WCF AUTH via TCP (configurable) | - Ports vary based on the Scan Mode selected and target environment. See the [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. | - Permissions vary based on the Scan Mode selected and target environment. See the [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topic for additional information. | | SMARTLog | The SMARTLog Data Collector provides search and extraction of details from Windows Event Logs (online or offline) and Microsoft Exchange Internet Information Server (IIS) logs. | - Log - Remote Event - RPC | - TCP 135 - TCP 445 - Randomly allocated high TCP ports | - Member of the Domain Administrators group (if targeting domain controllers) - Member of the local Administrators group | | SQL _\*requires license_ | The SQL Data Collector provides information on database configuration, permissions, data extraction, application name of the application responsible for activity events, an IP Address or Host name of the client server, and sensitive data reports. This data collector also provides information on Oracle databases including infrastructure and operations. 
| TCP | For Db2 Target: - Specified by Instances table (default is 5000) For MySQL Target: - Specified by Instances table (default is 3306) For Oracle Target: - Specified by Instances table (default is 1521) For PostgreSQL Target: - Specified by Instances table (default is 5432) For SQL Target: - Specified by Instances table (default is 1433) | For MySQL Target: - Read access to MySQL instance to include all databases contained within each instance - Windows Only — Domain Admin or Local Admin privilege For Oracle Target: - User with SYSDBA role - Local Administrator on the target servers – Only applies to Windows Servers and not on Linux or Unix operating systems For PostgreSQL Target: - Read access to all the databases in PostgreSQL cluster or instance - Windows Only — Domain Admin or Local Admin privilege For Redshift Target: - Read-access to the following tables: - pg_tables - pg_user For SQL Target: - For Instance Discovery, local rights on the target SQL Servers: - Local group membership to Remote Management Users - Permissions on the following WMI NameSpaces: `root\Microsoft\SQLServer, root\interop` - For permissions for data collection: - Read access to SQL instance - Requires SQL Full-Text and Semantic Extractions for Search feature to be installed on the target SQL instance(s) when using the **Scan full rows for sensitive data** option on the Options wizard page - Grant Authenticate Server to [DOMAIN\USER] - Grant Connect SQL to [DOMAIN\USER] - Grant View any database to [DOMAIN\USER] - Grant View any definition to [DOMAIN\USER] - Grant View server state to [DOMAIN\USER] - Grant Control Server to [DOMAIN\USER] (specifically required for the Weak Passwords Job) | | SystemInfo | The SystemInfo Data Collector extracts information from the target system based on the selected category. | - Remote Registry - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group | 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md index 8b3b26436b..7c3c02dfa2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md @@ -3,7 +3,7 @@ The Edit Query page provides a screen to edit the query to execute. Users can import PowerShell script as well as use an input table to create and edit the PowerShell script. -![PowerShell Data Collector Wizard Edit Query page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editquery.webp) +![PowerShell Data Collector Wizard Edit Query page](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editquery.webp) The options on the Edit Query page are: @@ -19,7 +19,7 @@ The options on the Edit Query page are: Add, edit, and delete parameters for the PowerShell data collector using the Parameters window. -![Parameters Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryparameters.webp) +![Parameters Window](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryparameters.webp) The options in the Parameters Window are: @@ -36,7 +36,7 @@ edited or deleted. Use the Add/Edit Variable Window to add and edit parameters for the PowerShell Data Collector. -![Add/Edit Variable Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryvariable.webp) +![Add/Edit Variable Window](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryvariable.webp) The options in the Add/Edit Variable window are: 
@@ -58,7 +58,7 @@ The options in the Add/Edit Variable window are: When the Use table input for PowerShell script option is selected on the Edit Query page, additional options display to define the source for input data. -![Edit Query page input options](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryinput.webp) +![Edit Query page input options](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryinput.webp) The input options are: @@ -70,7 +70,7 @@ The input options are: include the column in the input. - Input Data – Preview how the input data will look in the Input Data tab -![Text Box and the Columns tab populated with information](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryinputtable.webp) +![Text Box and the Columns tab populated with information](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editqueryinputtable.webp) Selecting an input table in the **Please select name** dropdown populates the Text Box and the Columns tab with information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/options.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/options.md index e147fed935..3522d4c3af 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/options.md @@ -2,7 +2,7 @@ The Options page provides the option to execute the script remotely on the target host. -![PowerShell Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![PowerShell Data Collector Wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) The configurable options are: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md index d923c3dfda..30645c3536 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md @@ -23,13 +23,13 @@ The PowerShell Data Collector is configured through the PowerShell Data Collecto contains the following pages: - Welcome -- [PowerShell: Edit Query](editquery.md) -- [PowerShell: Options](options.md) -- [PowerShell: Sample Server](sampleserver.md) -- [PowerShell: Results](results.md) -- [PowerShell: Summary](summary.md) +- [PowerShell: Edit Query](/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md) +- [PowerShell: Options](/docs/accessanalyzer/12.0/admin/datacollector/powershell/options.md) +- [PowerShell: Sample Server](/docs/accessanalyzer/12.0/admin/datacollector/powershell/sampleserver.md) +- [PowerShell: Results](/docs/accessanalyzer/12.0/admin/datacollector/powershell/results.md) +- [PowerShell: Summary](/docs/accessanalyzer/12.0/admin/datacollector/powershell/summary.md) -![PowerShell Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![PowerShell Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by checking the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/results.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/results.md index edd619545d..2a1a04bf29 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/results.md 
@@ -3,7 +3,7 @@ The Results page provides configuration settings for the Properties to return and ROWKEY's components. -![PowerShell Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![PowerShell Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) The Results page options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/sampleserver.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/sampleserver.md index 3552936915..bde0907476 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/sampleserver.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/sampleserver.md @@ -2,7 +2,7 @@ The Sample Server page provides a box to select a server to generate the result columns. -![PowerShell Data Collector Wizard Select Server page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/selectserver.webp) +![PowerShell Data Collector Wizard Select Server page](/img/product_docs/accessanalyzer/admin/datacollector/powershell/selectserver.webp) The Select Server page options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/powershell/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/powershell/summary.md index e0d23ae237..e0a25a7377 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/powershell/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/powershell/summary.md 
@@ -3,7 +3,7 @@ The Summary page summarizes the selected configurations from the previous pages in the PowerShell Data Collector Wizard. -![PowerShell Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![PowerShell Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the PowerShell Data Collector Wizard ensuring that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/registry.md b/docs/accessanalyzer/12.0/admin/datacollector/registry.md index c6cbc64408..c1fa5b5cf0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/registry.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/registry.md @@ -11,8 +11,8 @@ within both the Active Directory Solution and the Windows Solution. While the da available with all Access Analyzer license options, these solutions are only available with a special Access Analyzer licenses. See the following topics for additional information: -- [Active Directory Solution](../../solutions/activedirectory/overview.md) -- [Windows Solution](../../solutions/windows/overview.md) +- [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) +- [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) Protocols @@ -32,7 +32,7 @@ Permissions The Registry Data Collector is configured through the Registry Browser window. -![Registry Browser window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/browser.webp) +![Registry Browser window](/img/product_docs/accessanalyzer/admin/datacollector/browser.webp) The configurable options are: 
@@ -60,16 +60,16 @@ topic for additional information. The button bar is located right above the Selected Properties window. The button bar enables users to do the following: -![Button Bar](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) +![Button Bar](/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) | Icon | Name | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | -| ![Select all peer keys for this node](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/selectall.webp) | Select all peer keys for this node | -| ![Add name of currently selected key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addname.webp) | Add name of currently selected key | -| ![Add full path of the currently selected key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addpath.webp) | Add full path of the currently selected key | -| ![Add last write date/time of currently selected key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adddatetime.webp) | Add last write date/time of currently selected key | -| ![Add security properties for selected key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addproperties.webp) | Add security properties for selected key | -| ![Enumerate all values for this key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/enumeratevalues.webp) | Enumerate all values for this key | -| ![Add currently selected value](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addvalue.webp) | Add currently selected value | -| ![Delete properties from selection](../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) | Delete properties from 
selection | -| ![Go to selected key](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/goto.webp) | Go to selected key | +| ![Select all peer keys for this node](/img/product_docs/accessanalyzer/admin/datacollector/selectall.webp) | Select all peer keys for this node | +| ![Add name of currently selected key](/img/product_docs/accessanalyzer/admin/datacollector/addname.webp) | Add name of currently selected key | +| ![Add full path of the currently selected key](/img/product_docs/accessanalyzer/admin/datacollector/addpath.webp) | Add full path of the currently selected key | +| ![Add last write date/time of currently selected key](/img/product_docs/accessanalyzer/admin/datacollector/adddatetime.webp) | Add last write date/time of currently selected key | +| ![Add security properties for selected key](/img/product_docs/accessanalyzer/admin/datacollector/addproperties.webp) | Add security properties for selected key | +| ![Enumerate all values for this key](/img/product_docs/accessanalyzer/admin/datacollector/enumeratevalues.webp) | Enumerate all values for this key | +| ![Add currently selected value](/img/product_docs/accessanalyzer/admin/datacollector/addvalue.webp) | Add currently selected value | +| ![Delete properties from selection](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) | Delete properties from selection | +| ![Go to selected key](/img/product_docs/accessanalyzer/admin/datacollector/goto.webp) | Go to selected key | diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/add.md b/docs/accessanalyzer/12.0/admin/datacollector/script/add.md index 0dd8da09a4..52c24f8d24 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/add.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/add.md 
@@ -12,9 +12,9 @@ Follow the steps to add a script. **Step 3 –** Select the **Data Source** tab and select the desired data collector in the Data Collector drop-down menu. -![Query Properties window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/script/querypropertiesexisting.webp) +![Query Properties window](/img/product_docs/accessanalyzer/admin/datacollector/script/querypropertiesexisting.webp) **Step 4 –** Click the **Browse Data Source** button to open the VBScript Editor page and add the script to run after data collection. -See the [VBScript Editor](editor.md) topic for additional information. +See the [VBScript Editor](/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md b/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md index a01f7fc5b3..72c73348c7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md @@ -3,7 +3,7 @@ The VBScript Editor window provides the means to add a script. The window is ideal for editing small scripts and for pasting larger scripts from external scripting tools. -![VBScript Editor window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/script/vbscripteditor.webp) +![VBScript Editor window](/img/product_docs/accessanalyzer/admin/datacollector/script/vbscripteditor.webp) The options in the VBScript Editor are: 
@@ -24,5 +24,5 @@ The options in the VBScript Editor are: After adding or modifying a script, click **Save and close**. -See the [Script Example 1: Conversion of Data](example1.md) and -[Script Example 2: Command Query](example2.md) topics for additional information. +See the [Script Example 1: Conversion of Data](/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md) and +[Script Example 2: Command Query](/docs/accessanalyzer/12.0/admin/datacollector/script/example2.md) topics for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md b/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md index 01ff2ed408..5d721f0bd7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md @@ -20,7 +20,7 @@ minutes, and seconds. These values are then recorded in the Query object so that store this data. **NOTE:** In this task, the hours, minutes, and seconds properties were specified manually using the -task dialog. See the [Script Properties](properties.md) topic for additional information. +task dialog. See the [Script Properties](/docs/accessanalyzer/12.0/admin/datacollector/script/properties.md) topic for additional information. ## Example of Conversion of Data Script diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/script/overview.md index dd13b07f4d..3f1b2218d6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/overview.md 
@@ -9,16 +9,16 @@ The following examples describe situations where using a script may be useful: - Conversions – One of the most frequent uses of a scriptis for converting a value from one thing to another, for example `build1230` to `at risk`. See the - [Script Example 1: Conversion of Data](example1.md) topic for additional information. + [Script Example 1: Conversion of Data](/docs/accessanalyzer/12.0/admin/datacollector/script/example1.md) topic for additional information. - Compound Queries – This is a query that cannot be performed using a single query. See the - [Script Example 2: Command Query](example2.md) topic for additional information. + [Script Example 2: Command Query](/docs/accessanalyzer/12.0/admin/datacollector/script/example2.md) topic for additional information. - Interfacing with External Systems – This is a query that requires access to external data. For example, the query needs to access a corporate database to obtain a location code. The Script Data Collector is a core component of Access Analyzer, but it has been preconfigured within the Windows Solution. While the data collector is available with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer license. See the -[Windows Solution](../../../solutions/windows/overview.md) topic for additional information. +[Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/properties.md b/docs/accessanalyzer/12.0/admin/datacollector/script/properties.md index fc311f138b..21ea56743e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/properties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/properties.md 
@@ -52,7 +52,7 @@ may be added manually. Doing so allocates storage within Access Analyzer during creates corresponding columns in the output table. Use a script to reference and populate these properties. -![Properties on the Query Properties window](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Properties on the Query Properties window](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) To add properties manually, click the plus (**+**) button at the bottom of the property window. To remove properties, click the minus (-) button. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/reference.md b/docs/accessanalyzer/12.0/admin/datacollector/script/reference.md index f2bb881e19..b2b2522af1 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/reference.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/reference.md @@ -16,5 +16,5 @@ The Working Query object is identical to the Query object. This object supports properties as the Query object but its properties and methods do not access the current query. Think of this object as allowing the ability to create a task on the fly. Use this object to perform queries, while leaving the original task undisturbed. This is valuable when performing compound -queries isneeded. See the [Script Example 2: Command Query](example2.md) topic for additional +queries isneeded. See the [Script Example 2: Command Query](/docs/accessanalyzer/12.0/admin/datacollector/script/example2.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/script/run.md b/docs/accessanalyzer/12.0/admin/datacollector/script/run.md index c7481201d2..b0e8b32b08 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/script/run.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/script/run.md 
@@ -12,9 +12,9 @@ Follow the steps to add a script. **Step 3 –** Select the **Data Source** tab, and select **SCRIPT** in the Data Collector drop-down menu. -![Query Properties window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/script/querypropertiesstandalone.webp) +![Query Properties window](/img/product_docs/accessanalyzer/admin/datacollector/script/querypropertiesstandalone.webp) **Step 4 –** Click **Configure** or the **Browse Data Source** button to open the VBScript Editor page and add the script to run. -See the [VBScript Editor](editor.md) topic for additional information. +See the [VBScript Editor](/docs/accessanalyzer/12.0/admin/datacollector/script/editor.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/services.md b/docs/accessanalyzer/12.0/admin/datacollector/services.md index 78a2e10ecc..e3b3e407ef 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/services.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/services.md @@ -4,7 +4,7 @@ The Services Data Collector enumerates status and settings from remote services. Collector is a core component of Access Analyzer, but it has been preconfigured within the Windows Solution. While the data collector is available with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer license. See the -[Windows Solution](../../solutions/windows/overview.md) topic for additional information. +[Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols 
@@ -24,7 +24,7 @@ Permissions The Services Data Collector is configured through the Service Browser window. -![Service Browser window](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/servicebrowser.webp) +![Service Browser window](/img/product_docs/accessanalyzer/admin/datacollector/servicebrowser.webp) - Host – Enter a sample host which contains all of the services desired for the query - All Services – Select this option to build the query to extract information from all services on diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/collectionmethod.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/collectionmethod.md index f48e88f1ab..48befdd281 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/collectionmethod.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/collectionmethod.md @@ -3,7 +3,7 @@ The Collection Method page is used to select the collection method employed by the data collector. It is a wizard page for all log types. -![SMART Log DC Wizard Collection Method page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/collectionmethod.webp) +![SMART Log DC Wizard Collection Method page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/collectionmethod.webp) Select the collection method from the following options to set how the collection routine is executed to collect the data from the target. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/criteria.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/criteria.md index 8d22285365..f2eb9d0bc8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/criteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/criteria.md 
@@ -4,19 +4,19 @@ The Criteria page is used to specify the search criteria. A test query can be ru host entered on the Sample Host page to confirm the results that will be returned by the query. It is a wizard page for all log types. -![SMART Log DC Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![SMART Log DC Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The **Limit number of records to** setting has a default of `1000`. Follow the steps to configure the search criteria. -![Filter button on Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/criteriafilter.webp) +![Filter button on Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/criteriafilter.webp) **Step 1 –** Click **Filter** to add a condition or a group to the root of the query. - Click the ellipsis (**…**) to add a new condition or group under an existing group -![Configure search](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/criteriarecordnumber.webp) +![Configure search](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/criteriarecordnumber.webp) **Step 2 –** Click **RecordNumber** to configure the search to look for specific events or a range of events. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/eventlogoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/eventlogoptions.md index 0b6244c0c4..85fc3a06ce 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/eventlogoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/eventlogoptions.md 
@@ -3,7 +3,7 @@ The Event Log Options page is used to configure additional options. It is a wizard page for all log types. -![SMART Log DC Wizard Event Log Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/eventlogoptions.webp) +![SMART Log DC Wizard Event Log Options page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/eventlogoptions.webp) The following additional options can be selected: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logstate.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logstate.md index a53ab33bdc..cd72f56d9c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logstate.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logstate.md @@ -3,7 +3,7 @@ The Log State page is used to configure how to search the log. It is a wizard page for all log types. -![SMART Log DC Wizard Log State page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/logstate.webp) +![SMART Log DC Wizard Log State page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/logstate.webp) Select the **Persist log state** checkbox to search the log from where the search last left off. A state file is created for each host configured in the query. State files can be viewed within Access diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logtype.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logtype.md index 14743f3acf..c3f6238356 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logtype.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logtype.md 
@@ -2,7 +2,7 @@ The Log Type page is used to select the log type to be processed. -![SMART Log DC Wizard Log Type page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/logtype.webp) +![SMART Log DC Wizard Log Type page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/logtype.webp) The log types are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md index 1b3cae0d75..f20ece4e71 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md @@ -9,10 +9,10 @@ While the data collector is available with all Access Analyzer license options, only available with a special Access Analyzer licenses. See following sections for additional information: -- [Active Directory Solution](../../../solutions/activedirectory/overview.md) -- [Exchange Solution](../../../solutions/exchange/overview.md) -- [SQL Job Group](../../../solutions/databases/sql/overview.md) -- [Windows Solution](../../../solutions/windows/overview.md) +- [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) +- [Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) +- [SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md) +- [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) Protocols @@ -32,7 +32,7 @@ Permissions - Member of the local Administrators group See the -[Exchange Remote Connections Permissions](../../../requirements/solutions/exchange/remoteconnections.md) +[Exchange Remote Connections Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md) topic for additional information related to permissions required for targeting Exchange servers. ## SMARTLog Query Configuration 
@@ -41,17 +41,17 @@ The SMARTLog Data Collector is configured through the SMART Log DC Wizard, which following wizard pages: - Welcome -- [SMARTLog: Log Type](logtype.md) -- [SMARTLog: Sample Host](samplehost.md) -- [SMARTLog: Target Log](targetlog.md) -- [SMARTLog: Results](results.md) -- [SMARTLog: Criteria](criteria.md) -- [SMARTLog: Collection Method](collectionmethod.md) -- [SMARTLog: Log State](logstate.md) -- [SMARTLog: Event Log Options](eventlogoptions.md) -- [SMARTLog: Summary](summary.md) - -![SMART Log DC Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [SMARTLog: Log Type](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logtype.md) +- [SMARTLog: Sample Host](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/samplehost.md) +- [SMARTLog: Target Log](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md) +- [SMARTLog: Results](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/results.md) +- [SMARTLog: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/criteria.md) +- [SMARTLog: Collection Method](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/collectionmethod.md) +- [SMARTLog: Log State](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/logstate.md) +- [SMARTLog: Event Log Options](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/eventlogoptions.md) +- [SMARTLog: Summary](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/summary.md) + +![SMART Log DC Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) There are no configurable settings on the Welcome page. Click **Next** to proceed to the Log Type page. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/results.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/results.md index c1baef22b7..4eb6112990 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/results.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/results.md @@ -4,7 +4,7 @@ The Results page is where the events to be returned by the query are selected. I for all log types. The description strings within the log records can also be selected for the query. -![SMART Log DC Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![SMART Log DC Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Click **Check all** to select all properties, **Uncheck all** to deselect all properties, or **Reset Defaults** to return to the default settings. Available properties vary based on the category diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/samplehost.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/samplehost.md index 56ac60e464..2133fdce91 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/samplehost.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/samplehost.md @@ -2,7 +2,7 @@ The Sample Host page is used to configure the host. It is a wizard page for all log types. -![SMART Log DC Wizard Sample Host page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/samplehost.webp) +![SMART Log DC Wizard Sample Host page](/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/samplehost.webp) Select a host for running a test query on the Criteria page from the following radio buttons: 
@@ -13,7 +13,7 @@ Select a host for running a test query on the Criteria page from the following r ## Select Computer Window -![Select Computer window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/selectcomputerwindow.webp) +![Select Computer window](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/selectcomputerwindow.webp) If selecting another computer for the host, click the ellipsis to open the Select Computer window and select a computer. The options in the Select Computer window are: @@ -24,13 +24,13 @@ and select a computer. The options in the Select Computer window are: - Enter the object name to select – Manually enter objects into the text field - Click the **examples** link to access the Microsoft - [Object Picker UI]() + [Object Picker UI](https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/dn789205(v=ws.11)?redirectedfrom=MSDN) article for additional information - Check Names – Click to verify the object names in the text field - Advanced – Opens a window to perform advanced configurations of the Select Computer function -![Advanced Select Computer window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/selectcomputerwindowadvanced.webp) +![Advanced Select Computer window](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/selectcomputerwindowadvanced.webp) The Common Queries section is included on the advanced Select Computer window in addition to object type and location in the original Select Computer window. 
@@ -44,7 +44,7 @@ type and location in the original Select Computer window. - Select the number of **Days since last logon** from the drop-down menu - Click the **Columns** button to open the Choose Columns window - ![Choose Columns window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/choosecolumnswindow.webp) + ![Choose Columns window](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/choosecolumnswindow.webp) Select a column from the Columns available or Columns shown lists and click **Add** or **Remove** to add or remove them from each column diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/summary.md index 9b7ad769d6..c6c4577eec 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all log types. -![SMART Log DC Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![SMART Log DC Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the SMART Log DC Wizard to ensure that no accidental clicks are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md index 0cf4d5f4e9..4d34ecae7a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md 
@@ -6,11 +6,11 @@ wizard page that change based on log type. This version is a wizard page for the - Windows Event Log (Archived) - Internet Information Server Log -See the [SMARTLog: Target Log for Windows Event Log Type](targetlogtype/windowseventlog.md) and -[SMARTLog: Target Log for File Detection Log Type](targetlogtype/filedetectionlog.md) topics for +See the [SMARTLog: Target Log for Windows Event Log Type](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/windowseventlog.md) and +[SMARTLog: Target Log for File Detection Log Type](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/filedetectionlog.md) topics for information on the other versions of this wizard page. -![SMART Log DC Wizard Target Log page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlog.webp) +![SMART Log DC Wizard Target Log page](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlog.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/filedetectionlog.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/filedetectionlog.md index 7c667836de..8de4744e30 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/filedetectionlog.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/filedetectionlog.md 
@@ -3,7 +3,7 @@ The Target Log page is where logs are selected to be collected. This version is a wizard page for the File Change Detection log type. -![SMART Log DC Wizard Target Log page for File Change Detection Log](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlogtype/targetlogfiledetection.webp) +![SMART Log DC Wizard Target Log page for File Change Detection Log](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlogtype/targetlogfiledetection.webp) In the Exec server section, identify the server that will run the data collection by selecting one of the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/windowseventlog.md b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/windowseventlog.md index bc9ad70a78..3bc220f815 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/windowseventlog.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlogtype/windowseventlog.md @@ -3,7 +3,7 @@ The Target Log page is where logs are selected to be collected. This version is a wizard page for the log type of Windows Event Log. -![SMART Log DC Wizard Target Log page for Windows Event Log](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlogtype/targetlogwindowsevent.webp) +![SMART Log DC Wizard Target Log page for Windows Event Log](/img/product_docs/accessanalyzer/admin/datacollector/smartlog/targetlogtype/targetlogwindowsevent.webp) Only one log can be targeted per query task. The selected log is displayed at the bottom of the wizard page. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/activitydatescope.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/activitydatescope.md index fcd19d66a2..20ff1124c7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/activitydatescope.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/activitydatescope.md @@ -3,7 +3,7 @@ The Activity Date Scope page is where the range of dates for which the SharePoint activity scan will collect data is configured. It is a wizard page for the category of Scan SharePoint Activity. -![Activity Date Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/activitydatescope.webp) +![Activity Date Scope page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/activitydatescope.webp) Use the radio buttons to select the **Scan Filters**. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/activityloglocations.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/activityloglocations.md index e0de67a1c3..f7aa01efd0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/activityloglocations.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/activityloglocations.md @@ -4,7 +4,7 @@ The Activity Log Locations page is where to manually configure log locations to remote registry access to locate the activity event log files. It is a wizard page for the category of Scan SharePoint Activity. -![Activity Log Locations page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/activityloglocations.webp) +![Activity Log Locations page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/activityloglocations.webp) The options in the Activity Log Locations page are: @@ -14,7 +14,7 @@ The options in the Activity Log Locations page are: click **OK** to save the changes. - Remove – Removes the selected host -![Customize Activity Log UNC Paths Window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/customizeactivityloguncpaths.webp) +![Customize Activity Log UNC Paths Window](/img/product_docs/accessanalyzer/admin/datacollector/spaa/customizeactivityloguncpaths.webp) The options in the Customize Activity Log UNC Paths Window are: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md index d18b417a8a..14d2f93777 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md @@ -11,7 +11,7 @@ a subsequent scan (i.e. scanning fewer web applications, scanning fewer site col shallower depth scan). Those resources not included in a subsequent scan are marked as deleted in the Tier 2 database and subsequently removed from the Tier 1 database. -![Additional Scoping page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/box/additionalscoping.webp) +![Additional Scoping page](/img/product_docs/accessanalyzer/admin/datacollector/box/additionalscoping.webp) If checked, set the **Limit scanned depth to: [number] level(s)** option to the desired depth. If this option is not checked then the entire farm is scanned. If the scoping depth is set to **0** diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md index c97e522101..bb7e54e1be 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md @@ -3,7 +3,7 @@ The Agent Settings page is where the SharePoint Agent Service is configured. It is a wizard page for the category of Scan SharePoint Access. -![Agent Settings page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) +![Agent Settings page](/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) The **Enable Agent Service Scans** checkbox enables collecting SharePoint data through the agent services instead of directly from SharePoint. This option requires a **Network Port** to be entered. 
@@ -15,5 +15,5 @@ Agent Service Identity radio buttons are: - The token `%HOST%` may be substituted for the host name This option requires the SharePoint Agent to be installed on the application server. See the -[SharePoint Agent Installation](../../../install/sharepointagent/overview.md) topic for additional +[SharePoint Agent Installation](/docs/accessanalyzer/12.0/install/sharepointagent/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md index ef1f0b02dd..002c9ec8be 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md @@ -6,7 +6,7 @@ wizard page for the categories of: - Bulk Import Access Scan Results - Bulk Import Sensitive Content Scan Results -![Bulk Import Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) +![Bulk Import Settings page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) Subsequent hosts in job lists will get host IDs incremented by 1. The Host Identifier may require an offset to avoid overlapping IDs in collected data. If the **Set Host ID** checkbox is left diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/category.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/category.md index 14e725d3bc..c056daa254 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/category.md 
@@ -3,7 +3,7 @@ The SPAA Data Collector Category page contains the following query categories, sub-divided by auditing focus: -![Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The options on the Category page are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/configurejob.md index aac3bd5273..224749cc29 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/configurejob.md @@ -30,7 +30,7 @@ Create a Connection Profile and set the following information on the User Creden - Confirm – Re-type the password Once the Connection Profile is created, it is time to create the custom host list. See the -[Connection](../../settings/connection/overview.md) topic for additional information. +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ### SharePoint Farm Host in a Custom Host List @@ -39,7 +39,7 @@ The custom host list should include: - One application server per farm - Host name without a domain suffix, this means the host name should not contain a period character -See the [Add Hosts](../../hostmanagement/actions/add.md) section for instruction on creating a +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) section for instruction on creating a custom static host list. ## SharePoint Online 
@@ -50,7 +50,7 @@ scanning SharePoint Online using Modern Authentication. ### SharePoint Online Credential for a Connection Profile using Modern Authentication The provisioned credential should be an Microsoft Entra ID Application. See the -[SharePoint Online Access & Sensitive Data Auditing Configuration](../../../config/sharepointonline/access.md) +[SharePoint Online Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/sharepointonline/access.md) topic for instructions on registering and provisioning the Microsoft Entra ID Application manually or via the SP_RegisterAzureAppAuth Instant Job. @@ -60,7 +60,7 @@ Create a Connection Profile and set the following information on the User Creden - Client ID – Application (client) ID of the Access Analyzer application registered with Microsoft Entra ID - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../settings/application/overview.md) + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Key – The comma delimited string containing the path to the certificate PFX file, certificate password, and the Microsoft Entra ID environment identifier ( @@ -87,7 +87,7 @@ Create a Connection Profile and set the following information on the User Creden Job if that method was used. Once the Connection Profile is created, it is time to create the custom host list. See the -[Connection](../../settings/connection/overview.md) topic for additional information. +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ### SharePoint Online Host in a Custom Host List 
@@ -100,5 +100,5 @@ The custom host list should include: - Do not use IP Addresses - Host name must be in DNS format -See the [Add Hosts](../../hostmanagement/actions/add.md) topic for instructions on creating a custom +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for instructions on creating a custom static host list. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md index 5639337cb0..e53df7d3e5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md @@ -8,7 +8,7 @@ a subsequent scan (i.e. scanning fewer web applications, scanning fewer site col shallower depth scan). Those resources not included in a subsequent scan are marked as deleted in the Tier 2 database and subsequently removed from the Tier 1 database. -![DLP Audit Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/dlpauditsettings.webp) +![DLP Audit Settings page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/dlpauditsettings.webp) Configure the **Scan Performance** options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/droptables.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/droptables.md index 41d30e824d..87c7cd10d3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/droptables.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/droptables.md 
@@ -5,7 +5,7 @@ SP_DropTables Job is preconfigured to run analysis tasks that drop functions and SharePoint Solution as well as the standard tables and views generated by the **SPAA** Data Collector. It is available through the Instant Job Library under the SharePoint library. Since this job does not require a host to target, select **Local host** on the Hosts page of the Access -Analyzer Instant Job Wizard. See the [Instant Job Wizard](../../jobs/instantjobs/overview.md) topic +Analyzer Instant Job Wizard. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. ## Analysis Tasks for the SP_DropTables Job @@ -15,7 +15,7 @@ the analysis tasks. **CAUTION:** Applying these analysis tasks will result in the deletion of collected data. -![SP_DropTables Job Analysis tasks](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/droptablesanalysis.webp) +![SP_DropTables Job Analysis tasks](/img/product_docs/accessanalyzer/admin/datacollector/spaa/droptablesanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/overview.md index ea98474df0..8fc5d660d6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/overview.md 
@@ -4,7 +4,7 @@ The SharePointAccess (SPAA) Data Collector audits access, group membership, and SharePoint on-premises and SharePoint Online environment. The SPAA Data Collector has been preconfigured within the SharePoint Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[SharePoint Solution](../../../solutions/sharepoint/overview.md) topic for additional information. +[SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md) topic for additional information. The SPAA Data Collector has the following requirements: Protocols @@ -18,13 +18,13 @@ Protocols Ports - Ports vary based on the Scan Mode selected and target environment. See the - [SharePoint Scan Options](../../../requirements/solutions/sharepoint/scanoptions.md) topic for + [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. Permissions - Permissions vary based on the Scan Mode selected and target environment. See the - [SharePoint Support](../../../requirements/target/sharepoint.md) topic for additional information. + [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -39,21 +39,21 @@ Collector Wizard. The wizard contains the following pages, which change based up Category selected: - Welcome -- [SPAA: Category](category.md) -- [SPAA: SharePoint Data Collection Settings](settings.md) -- [SPAA: Scan Scoping Options](scanscopingoptions.md) -- [SPAA: Additional Scoping](additionalscoping.md) -- [SPAA: Agent Settings](agentsettings.md) -- [SPAA: Bulk Import Settings](bulkimportsettings.md) -- [SPAA: DLP Audit Settings](dlpauditsettings.md) -- [SPAA: Select DLP Criteria](selectdlpcriteria.md) -- [SPAA: Activity Date Scope](activitydatescope.md) -- [SPAA: Activity Log Locations](activityloglocations.md) -- [SPAA: Test Access](testaccess.md) -- [SPAA: Results](results.md) -- [SPAA: Summary Page](summary.md) - -![SPAA Data Collector Wizard Welcome Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/welcomepage.webp) +- [SPAA: Category](/docs/accessanalyzer/12.0/admin/datacollector/spaa/category.md) +- [SPAA: SharePoint Data Collection Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md) +- [SPAA: Scan Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md) +- [SPAA: Additional Scoping](/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md) +- [SPAA: Agent Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md) +- [SPAA: Bulk Import Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md) +- [SPAA: DLP Audit Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md) +- [SPAA: Select DLP Criteria](/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md) +- [SPAA: Activity Date Scope](/docs/accessanalyzer/12.0/admin/datacollector/spaa/activitydatescope.md) +- [SPAA: Activity Log Locations](/docs/accessanalyzer/12.0/admin/datacollector/spaa/activityloglocations.md) +- [SPAA: Test 
Access](/docs/accessanalyzer/12.0/admin/datacollector/spaa/testaccess.md) +- [SPAA: Results](/docs/accessanalyzer/12.0/admin/datacollector/spaa/results.md) +- [SPAA: Summary Page](/docs/accessanalyzer/12.0/admin/datacollector/spaa/summary.md) + +![SPAA Data Collector Wizard Welcome Page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/welcomepage.webp) The Welcome page can be hidden by checking the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/results.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/results.md index ecb6d9333b..128868c421 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/results.md @@ -3,7 +3,7 @@ The Results page is where properties that will be gathered are selected. It is a wizard page for all of the categories. -![Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be checked individually, or the **Select All**and **Clear All** buttons can be used. All checked properties are gathered. Available properties vary based on the category selected. This diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md index 956c66b772..bbd710834e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md 
@@ -6,7 +6,7 @@ is a wizard page for the categories of: - Scan SharePoint Access - Scan For Sensitive Content -![Scan Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) +![Scan Scoping Options page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) The options on the Scan Scoping Options page are: @@ -34,7 +34,7 @@ web application URL `http://example.com`, follow the steps: **Step 1 –** Navigate to the **Scan Scoping Options** page. -![Enter URL on Scan Scoping Options page example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionswebappurl.webp) +![Enter URL on Scan Scoping Options page example](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionswebappurl.webp) **Step 2 –** In the text box, enter an invalid URL prefixed with the **Web App URL** which contains the HNSCs. Click **Add**. @@ -45,7 +45,7 @@ the HNSCs. Click **Add**. - In the example, the HNSC URL entered to filter for is: `http://sample.com/documents/` -![Scan Scoping Options example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionsexample.webp) +![Scan Scoping Options example](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionsexample.webp) **Step 4 –** The Web App URL must appear above the HNSC URL, as depicted in the example above. 
@@ -59,19 +59,19 @@ Site Collections for a single host down into subsets, or **Virtual Hosts**, that separate hosts by Access Analyzer. This allows multiple scans of a single host to be run concurrently. Follow the steps to configure this. -![CSV file with host and site collection information](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/virtualhostscsv.webp) +![CSV file with host and site collection information](/img/product_docs/accessanalyzer/admin/datacollector/spaa/virtualhostscsv.webp) **Step 1 –** Create a new CSV file. Add into rows the information for the host and site collection URLs you want to scan in the format `HOSTNAME#DESIGNATOR;URL`. - Each unique `DESIGNATOR` is treated as a separate host comprised of the specified URLs. -![Host List for targeting the Virtual Hosts](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/virtualhostshostlist.webp) +![Host List for targeting the Virtual Hosts](/img/product_docs/accessanalyzer/admin/datacollector/spaa/virtualhostshostlist.webp) **Step 2 –** Configure the Host List for SPAA or SPSEEK scans to target these Virtual Hosts using the format `HOSTNAME#DESIGNATOR`. -![SPAA Data Collector Wizard Scan Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionsvirtualhosts.webp) +![SPAA Data Collector Wizard Scan Scoping Options page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptionsvirtualhosts.webp) **Step 3 –** On the Scan Scoping Options page of the SharePoint Access Auditor Data Collector Wizard, use the **Import CSV** button to import the information from the CSV file created in Step 1. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md index c2d7aeee66..52e4b49c32 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md @@ -8,13 +8,13 @@ a subsequent scan (i.e. scanning fewer web applications, scanning fewer site col shallower depth scan). Those resources not included in a subsequent scan are marked as deleted in the Tier 2 database and subsequently removed from the Tier 1 database. -![Select DLP criteria for this scan page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/selectdlpcriteria.webp) +![Select DLP criteria for this scan page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/selectdlpcriteria.webp) The options on the Select DLP Criteria page are: - Use Global Criterion Selection – Select this option to inherit sensitive data criteria settings from the **Settings** > **Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for - Select All – Click **Select All** to enable all sensitive data criteria for scanning @@ -29,5 +29,5 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in **Settings** > **Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md index 5e03cf8f58..0e5b4e1d7c 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md @@ -11,7 +11,7 @@ a subsequent scan (i.e. scanning fewer web applications, scanning fewer site col shallower depth scan). Those resources not included in a subsequent scan are marked as deleted in the Tier 2 database and subsequently removed from the Tier 1 database. -![SharePoint data collection settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/datacollectionsettings.webp) +![SharePoint data collection settings page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/datacollectionsettings.webp) The Probable Owners section provides options for how probable ownership will be calculated: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/summary.md index 39203259ce..7618bf46df 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/summary.md @@ -3,7 +3,7 @@ The Summary page is where configuration settings are summarized. It is a wizard page for all of the categories. --![Summary Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/summarypage.webp) +-![Summary Page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/summarypage.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the SharePoint Access Auditor Data Collector Wizard ensuring that no diff --git a/docs/accessanalyzer/12.0/admin/datacollector/spaa/testaccess.md b/docs/accessanalyzer/12.0/admin/datacollector/spaa/testaccess.md index af6407d237..c8872f99f2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/spaa/testaccess.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/spaa/testaccess.md 
@@ -8,7 +8,7 @@ environment. The Test Access page tests access to the following: - SQL Access (for databases associated with the SharePoint farms) - All Web Applications in the SharePoint environment -![Test Access page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/testaccess.webp) +![Test Access page](/img/product_docs/accessanalyzer/admin/datacollector/spaa/testaccess.webp) The options and sections on the Test Access page are: @@ -26,5 +26,5 @@ The options and sections on the Test Access page are: | | | | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![Successful test example](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/testaccessbadtest.webp) | +| ![Successful test example](/img/product_docs/accessanalyzer/admin/datacollector/spaa/testaccessbadtest.webp) | | **Successful Test (Correct Credentials)** | **Unsuccessful Test (Incorrect Credentials)** | diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/category.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/category.md index 875823b33e..c3bd34f2ca 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/category.md @@ -3,7 +3,7 @@ The Category page in the SQL Data Collector Wizard lists the available query categories, sub-divided by auditing focus. -![SQL Data Collector Wizard Category Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![SQL Data Collector Wizard Category Page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The query categories are: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md index e974617902..6e8ccd02e7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md @@ -18,9 +18,9 @@ Create a Connection Profile and set the following information on the User Creden - Application – Uses the configured Profile Security setting as selected at the **Settings** > **Application** node. See the - [Application](../../settings/application/overview.md) topic for additional information. + [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. - CyberArk – Uses the CyberArk Enterprise Password Vault. See the - [CyberArk Integration](../../settings/connection/cyberarkintegration.md) topic for + [CyberArk Integration](/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md) topic for additional information. The password fields do not apply for CyberArk password storage. - Password – Type the password @@ -32,11 +32,11 @@ Create a Connection Profile and set the following information on the User Creden - User name – Enter user name - Password Storage – Application (Uses the configured Profile Security setting as selected at the **Settings** > **Application** node. See the - [Application](../../settings/application/overview.md) topic for additional information.) + [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Password – Type the password - Confirm – Re-type the password -See the [Connection](../../settings/connection/overview.md) topic for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Host List 
@@ -47,7 +47,7 @@ The required host list depends on the database that the SQL data collector is b Jobs using the SQL Data Collector can use the SQL Servers default host list. This is a dynamic host list that is populated from hosts in the Host Master Table which meet the host inventory criteria for the list, `IsSQLServer = True`. Since the SQL Servers host list is default, it is available to -jobs and job groups for host assignment. See the [Host Management](../../hostmanagement/overview.md) +jobs and job groups for host assignment. See the [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. ### Oracle / MySQL / PostgreSQL / Db2 @@ -56,7 +56,7 @@ Jobs in the Oracle, MySQL, Postgre SQL, or Db2 solution using the SQL Data Colle configured to query a host list with the servers containing the target databases. Setup the list of hosts that needs to be monitored. Be sure to use a specific host name (if forcing the connection to a secondary host) or just the server name if connecting to the server. See the -[Host Management](../../hostmanagement/overview.md) topic for additional information. +[Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. Additionally, the database instances must be added to the Filter page in the query configuration. -See the [SQL: Filter](filter.md) topic for additional information. +See the [SQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md index c917b8271b..82718be557 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md 
@@ -3,13 +3,13 @@ The Criteria page is where criteria to be used for discovering sensitive data are configured. It is a wizard page for the Sensitive Data Collection category. -![SQL Data Collector Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![SQL Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) The options on the Criteria page are: - Use Global Criterion Selection – Select this option to inherit sensitive data criteria settings from the **Settings > Sensitive Data** node. See the - [Sensitive Data](../../settings/sensitivedata/overview.md) topic for additional information. + [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. - Use the following selected criteria – Select this option to use the table to select which sensitive data criteria to scan for @@ -25,7 +25,7 @@ The table contains the following types of criteria: Use the Sensitive Data Criteria Editor in the **Settings > Sensitive Data** to create and edit user-defined criteria. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **NOTE:** Adding unnecessary criteria can adversely impact the scanner performance and can cause the diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/customqueryoracle.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/customqueryoracle.md index f1ddf480df..49b5cde2ba 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/customqueryoracle.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/customqueryoracle.md 
@@ -4,7 +4,7 @@ The Custom Query page for a Custom Oracle Query contains the same options as the for a custom SQL query, with the addition of the **Convert CDB to DBA on non-container databases** checkbox. It is a wizard page for the Custom Oracle Query category. -![SQL Data Collector Wizard Custom Query page for a Custom Oracle Query](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/customqueryoracle.webp) +![SQL Data Collector Wizard Custom Query page for a Custom Oracle Query](/img/product_docs/accessanalyzer/admin/datacollector/sql/customqueryoracle.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/customquerysql.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/customquerysql.md index b3753ae636..20bddbae70 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/customquerysql.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/customquerysql.md @@ -8,7 +8,7 @@ wizard page for the following categories: - Custom SQL Query - Custom Db2LUW Query -![SQL Data Collector Wizard Custom SQL Query Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/customsqlquery.webp) +![SQL Data Collector Wizard Custom SQL Query Page](/img/product_docs/accessanalyzer/admin/datacollector/sql/customsqlquery.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md index f7ede84087..43f289104b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md 
@@ -43,13 +43,13 @@ wizard page for the categories of: It is necessary for the SA_SQL_Instances table to be populated before available databases/instances can populate the Available Server audits list. For Oracle and SQL, the SA_SQL_Instances table is populated through an instance discovery query. See the -[0-SQL_InstanceDiscovery Job](../../../solutions/databases/sql/collection/0-sql_instancediscovery.md) +[0-SQL_InstanceDiscovery Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md) topic for additional information. For PostgreSQL and MySQL Scans, the SA_SQL_Instances table is populated manually in the Manage Connections window. See the [Manage Connections Window](#manage-connections-window) topic for additional information. Once the table has been populated, a query can be scoped. -![SQL Data Collector Wizard Filter page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![SQL Data Collector Wizard Filter page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) The configurable filter options are: @@ -83,7 +83,7 @@ The configurable filter options are: The Manage Connections window enables you to add database instances to search. Click the **Connections** button to open it. -![Manage Connections window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) +![Manage Connections window](/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) The Manage Connections table lists the previously added database instances and their attributes. Select a row in the table to edit that instance, or create a new instance to add to the table: 
@@ -119,7 +119,7 @@ The Manage Connections window has the following buttons: The Add custom filter window opens from the Filter page of the SQL Data Collector Wizard. It enables you to apply a custom scoping filter to the query. -![Add custom filter window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/addcustomfilter.webp) +![Add custom filter window](/img/product_docs/accessanalyzer/admin/datacollector/sql/addcustomfilter.webp) Type the filter in the window and click Save. The following characters can be used in the filter: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md index 0121f70eb1..e97529ebd4 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md @@ -11,7 +11,7 @@ the category selected. The Options page is a wizard page for the categories of: Use the Options page to specify collection options to use when gathering server audits. This is a page for the Server Audits Events Collection category. -![SQL Data Collector Wizard Options page for Server Audit](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/optionsserveraudits.webp) +![SQL Data Collector Wizard Options page for Server Audit](/img/product_docs/accessanalyzer/admin/datacollector/sql/optionsserveraudits.webp) The scan options are: 
@@ -29,7 +29,7 @@ The scan options are: Use the Sensitive Data Scan Settings (Options) page to specify collection options to use when gathering server audits. This is a page for the Sensitive Data Collection category. -![SQL Data Collector Wizard Options page for Sensitive Data](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/optionssensitivedata.webp) +![SQL Data Collector Wizard Options page for Sensitive Data](/img/product_docs/accessanalyzer/admin/datacollector/sql/optionssensitivedata.webp) The sensitive data scan settings are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md index b944865c23..1dca2fefd8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md 
@@ -10,12 +10,12 @@ MySQL, Oracle, PostgreSQL, Redshift, and SQL Server databases. Both this data Database Solution are available with a special Access Analyzer license. See the following topics for additional information: -- [Db2 Solution](../../../solutions/databases/db2/overview.md) -- [MySQL Solution](../../../solutions/databases/mysql/overview.md) -- [PostgreSQL Solution](../../../solutions/databases/postgresql/overview.md) -- [Oracle Solution](../../../solutions/databases/oracle/overview.md) -- [Redshift Solution](../../../solutions/databases/redshift/overview.md) -- [SQL Job Group](../../../solutions/databases/sql/overview.md) +- [Db2 Solution](/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md) +- [MySQL Solution](/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md) +- [PostgreSQL Solution](/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md) +- [Oracle Solution](/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md) +- [Redshift Solution](/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md) +- [SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md) Protocols @@ -88,9 +88,9 @@ For SQL: - Grant View server state to [DOMAIN\USER] - Grant Control Server to [DOMAIN\USER] (specifically required for the Weak Passwords Job) -See the [Azure SQL Auditing Configuration](../../../requirements/target/config/azuresqlaccess.md) +See the [Azure SQL Auditing Configuration](/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md) topic and the -[AzureSQL Target Least Privilege Model](../../../requirements/target/config/databaseazuresql.md) +[AzureSQL Target Least Privilege Model](/docs/accessanalyzer/12.0/requirements/target/config/databaseazuresql.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -107,13 +107,13 @@ following pages, which change based upon the query category selected: **NOTE:** The SQL Data Collector is used in multiple Access Analyzer Solutions, and the query categories used are dependent on the solution. -- [SQL: Category](category.md) -- [SQL: Options](options.md) -- [SQL: Criteria](criteria.md) -- [SQL: Filter](filter.md) -- [SQL: Settings](settings.md) -- [SQL: Custom SQL Query](customquerysql.md) -- [SQL: Custom Oracle Query](customqueryoracle.md) -- [SQL: Results](results.md) -- [SQL: Rowkey](rowkey.md) -- [SQL: Summary](summary.md) +- [SQL: Category](/docs/accessanalyzer/12.0/admin/datacollector/sql/category.md) +- [SQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md) +- [SQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md) +- [SQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md) +- [SQL: Settings](/docs/accessanalyzer/12.0/admin/datacollector/sql/settings.md) +- [SQL: Custom SQL Query](/docs/accessanalyzer/12.0/admin/datacollector/sql/customquerysql.md) +- [SQL: Custom Oracle Query](/docs/accessanalyzer/12.0/admin/datacollector/sql/customqueryoracle.md) +- [SQL: Results](/docs/accessanalyzer/12.0/admin/datacollector/sql/results.md) +- [SQL: Rowkey](/docs/accessanalyzer/12.0/admin/datacollector/sql/rowkey.md) +- [SQL: Summary](/docs/accessanalyzer/12.0/admin/datacollector/sql/summary.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/results.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/results.md index f539f9b41b..e1632d8157 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/results.md 
@@ -3,7 +3,7 @@ The Results page is where the properties that will be gathered are selected. It is a wizard page for all of the categories. -![SQL Data Collector Wizard Results Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![SQL Data Collector Wizard Results Page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually, or the **Select All** and **Clear All** buttons can be used. All selected properties are gathered. Available properties vary based on the category diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/rowkey.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/rowkey.md index 1122900234..4a083e7649 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/rowkey.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/rowkey.md @@ -3,7 +3,7 @@ The Rowkey page configures the Rowkey for the SQL query. It is a wizard page for the Custom Query categories. -![SQL Data Collector Wizard Rowkey Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/sql/rowkey.webp) +![SQL Data Collector Wizard Rowkey Page](/img/product_docs/accessanalyzer/admin/datacollector/sql/rowkey.webp) Properties selected on the Results page are listed. Select the property or properties to act as the Rowkey. Properties can be selected individually, or the **Select All** and **Clear All** buttons can diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/settings.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/settings.md index 88e87b9c67..ff6e686f28 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/settings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/settings.md 
@@ -3,7 +3,7 @@ The Settings page configures the removal of data from the Access Analyzer database for specific instances. It is a wizard page for the category of Utilities. -![SQL Data Collector Wizard Data removal settings Page](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![SQL Data Collector Wizard Data removal settings Page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) Data from the selected categories will be removed from the Access Analyzer database: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/sql/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/sql/summary.md index c9d6ad2a43..b74599410e 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/sql/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/sql/summary.md @@ -3,7 +3,7 @@ The Summary page is where the configuration settings are summarized. It is a wizard page for all of the categories. -![SQL Data Collector Wizard Summary Page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![SQL Data Collector Wizard Summary Page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the SQL Data Collector Wizard ensuring that no accidental clicks are diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/category.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/category.md index cce3f5a1eb..9147469dd2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/category.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/category.md 
@@ -2,7 +2,7 @@ The Category page contains the following categories: -![System Info Data Collector Wizard Category page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) +![System Info Data Collector Wizard Category page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/category.webp) The report categories are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/filetypes.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/filetypes.md index aa3887874e..6cb71f4899 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/filetypes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/filetypes.md @@ -4,7 +4,7 @@ The File Types page is where to enable count file types and specify filename mas to count files of given types. Two properties are generated for every mask provided, one for size and one for count. It is a wizard page for the category of File Shares. -![System Info Data Collector Wizard File Types page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/filetypes.webp) +![System Info Data Collector Wizard File Types page](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/filetypes.webp) To enable counting file types, select the **Count file types** checkbox. To add new file types, click **Add New**. To load a list of default file types for counting, click **Load Defaults**. To diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/jobscope.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/jobscope.md index 09f6e8d098..34a63b8d52 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/jobscope.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/jobscope.md 
@@ -3,7 +3,7 @@ The Job Scope page is where to select whether or not scoping should be used during execution. It is a wizard page for the category of File Shares. -![System Info Data Collector Wizard Job Scope page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/jobscope.webp) +![System Info Data Collector Wizard Job Scope page](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/jobscope.webp) Select from the following options: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/options.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/options.md index 93ce4005ab..6c36faa24b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/options.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/options.md @@ -14,7 +14,7 @@ Data Collector to gather this information. For the File Shares and Open File Shares categories: -![System Info Data Collector Wizard Options page for File Shares category](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/optionsfileshares.webp) +![System Info Data Collector Wizard Options page for File Shares category](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/optionsfileshares.webp) Select from the following options to control the depth of processing and the amount of information to be returned by the query: @@ -40,7 +40,7 @@ to be returned by the query: For the Network Interface (NIC) category: -![System Info Data Collector Wizard Options page for NIC category](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/optionsnic.webp) +![System Info Data Collector Wizard Options page for NIC category](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/optionsnic.webp) The configurable option is: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md index a27cb20648..ce4d8b62e2 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md @@ -4,7 +4,7 @@ The SystemInfo Data Collector extracts information from the target system based category. The SystemInfo Data Collector is a core component of Access Analyzer, but it has been preconfigured within the Windows Solution. While the data collector is available with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer -license. See the [Windows Solution](../../../solutions/windows/overview.md) topic for additional +license. See the [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols 
@@ -28,16 +28,16 @@ The SystemInfo Data Collector is configured through the System Info Data Collect contains the following wizard pages: - Welcome -- [SystemInfo: Category](category.md) -- [SystemInfo: Results](results.md) -- [SystemInfo: Shares List](shareslist.md) -- [SystemInfo: Probable Owner](probableowner.md) -- [SystemInfo: VIP Membership](vipmembership.md) -- [SystemInfo: File Types](filetypes.md) -- [SystemInfo: Options](options.md) -- [SystemInfo: Summary](summary.md) - -![System Info Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +- [SystemInfo: Category](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/category.md) +- [SystemInfo: Results](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/results.md) +- [SystemInfo: Shares List](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/shareslist.md) +- [SystemInfo: Probable Owner](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/probableowner.md) +- [SystemInfo: VIP Membership](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/vipmembership.md) +- [SystemInfo: File Types](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/filetypes.md) +- [SystemInfo: Options](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/options.md) +- [SystemInfo: Summary](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/summary.md) + +![System Info Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/probableowner.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/probableowner.md index 79d393e6b7..a950aa42a7 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/probableowner.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/probableowner.md @@ -3,7 +3,7 @@ On the Probable Owner page, select options for determining the owner using weighted calculations. This page is enabled when the **Probable Owner** property is selected on the Results page. -![System Info Data Collector Wizard Probable Owner page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableowner.webp) +![System Info Data Collector Wizard Probable Owner page](/img/product_docs/accessanalyzer/admin/datacollector/exchangepublicfolder/probableowner.webp) Determine owner @@ -17,7 +17,7 @@ In the Determine owner section, select from the following options: These weights can be set by clicking the ellipsis next to the Result weights box to open the Probable Owner Settings window. -![Custom weights Probable Owner Settings window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/customweights.webp) +![Custom weights Probable Owner Settings window](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/customweights.webp) The Result weights box displays the custom weights set in the Probable Owner Settings window. @@ -29,7 +29,7 @@ In the Exclude users list section, select from the following checkboxes: - Exclude locked out users - Exclude disabled users -![Exclude users Probable Owner Settings window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/excludeusers.webp) +![Exclude users Probable Owner Settings window](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/excludeusers.webp) Click **Set Users to Exclude** to open the Probable Owner Settings window: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/results.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/results.md index 82ac5dc5be..9215f9c967 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/results.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/results.md @@ -3,7 +3,7 @@ The Results page is used to select which properties are gathered out of those available for the category. It is a wizard page for all categories. -![System Info Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![System Info Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Check all**, **Uncheck all**, and **Reset to defaults** buttons can be used. All selected properties are gathered. Available properties vary diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/shareslist.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/shareslist.md index fd95a40bbc..83214e58cd 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/shareslist.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/shareslist.md @@ -3,7 +3,7 @@ On the Shares List page, configure the shares to include and exclude. It is a wizard page for the category of File Shares. -![System Info Data Collector Wizard Shares List page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/shareslist.webp) +![System Info Data Collector Wizard Shares List page](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/shareslist.webp) Select from the following options to exclude system or hidden shared folders from enumeration: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/summary.md index dd1a6a11bf..183ba1edef 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/summary.md 
@@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. It is a wizard page for all categories. -![System Info Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![System Info Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the System Info Data Collector Wizard ensuring that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/vipmembership.md b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/vipmembership.md index e78c85d970..004829310a 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/vipmembership.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/vipmembership.md @@ -4,7 +4,7 @@ The VIP Membership provides the option to add members to a VIP List and exclude about probable ownership. Any users can be added to VIP membership. This page is enabled when the VIPList property is selected on the Results page. -![System Info Data Collector Wizard VIP Membership page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/vipmembership.webp) +![System Info Data Collector Wizard VIP Membership page](/img/product_docs/accessanalyzer/admin/datacollector/systeminfo/vipmembership.webp) To add a user to the VIPList members table, enter the username in the User box in the `Domain\Username` format and click **Add user**. To remove a user from the list, select the user and diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md index 9ae167ba30..e62f31b357 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md 
+++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md @@ -5,7 +5,7 @@ criteria)** checkbox is selected on the Search Criteria page. This page provides options to specify the text to search for across the entire row of each file or within the specified column in each row. -![Text Search Data Collector Wizard Advanced Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/textsearch/advancedcriteria.webp) +![Text Search Data Collector Wizard Advanced Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/textsearch/advancedcriteria.webp) The configurable options are: @@ -15,9 +15,9 @@ The configurable options are: of time it takes to load the data. - Customize – Click this button to open the Filter builder - ![Filter builder window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/textsearch/filterbuilder.webp) + ![Filter builder window](/img/product_docs/accessanalyzer/admin/datacollector/textsearch/filterbuilder.webp) - See the [Filtration Dialog](../../navigate/datagrid.md#filtration-dialog) topic for information + See the [Filtration Dialog](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md#filtration-dialog) topic for information on using the Filter builder. The filter section cannot be blank. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/overview.md index ef0fb9af65..82fb9f2f22 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/overview.md 
@@ -4,7 +4,7 @@ The TextSearch Data Collector enables searches through text based log files. The Collector is a core component of Access Analyzer, but it has been preconfigured within the Windows Solution. While the data collector is available with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer license. See the -[Windows Solution](../../../solutions/windows/overview.md) topic for additional information. +[Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols @@ -25,13 +25,13 @@ The TextSearch Data Collector is configured through the Text Search Data Collect contains the following wizard pages: - Welcome -- [TextSearch: Source Files](sourcefiles.md) -- [TextSearch: Search Criteria](searchcriteria.md) -- [TextSearch: Advanced Criteria](advancedcriteria.md) -- [TextSearch: Results](results.md) -- [TextSearch: Summary](summary.md) +- [TextSearch: Source Files](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/sourcefiles.md) +- [TextSearch: Search Criteria](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/searchcriteria.md) +- [TextSearch: Advanced Criteria](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md) +- [TextSearch: Results](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/results.md) +- [TextSearch: Summary](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/summary.md) -![Text Search Data Collector Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Text Search Data Collector Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/results.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/results.md index be793281c6..ffb800ef9d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/results.md @@ -2,7 +2,7 @@ The Results page is where properties that will be gathered are selected. -![Text Search Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Text Search Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Properties can be selected individually or the **Check all**, **Uncheck All**, and **Reset to Defaults** buttons can be used. All selected properties are gathered. Available properties vary diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/searchcriteria.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/searchcriteria.md index 5159d847e3..6e7aa18d15 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/searchcriteria.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/searchcriteria.md 
@@ -3,14 +3,14 @@ The Search Criteria page provides configuration options to specify the text to search for across the entire row of each file. -![Text Search Data Collector Wizard Search Criteria page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/textsearch/searchcriteria.webp) +![Text Search Data Collector Wizard Search Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/textsearch/searchcriteria.webp) The configurable functions are: - Use advanced criteria (instead of simple criteria) – Select this checkbox to display the Advanced Criteria page and configure the search with additional filtering options. Advanced search criteria is configured on the Advanced Criteria page. See the - [TextSearch: Advanced Criteria](advancedcriteria.md) topic for additional information. + [TextSearch: Advanced Criteria](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/advancedcriteria.md) topic for additional information. - Simple Criteria - Text to match – Find files that contain the text string entered diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/sourcefiles.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/sourcefiles.md index 0e16ecc5ab..98e1e0c7e3 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/sourcefiles.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/sourcefiles.md @@ -2,7 +2,7 @@ The Source Files page provides options to specify which files to search. -![Text Search Data Collector Wizard Source Files page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/textsearch/sourcefiles.webp) +![Text Search Data Collector Wizard Source Files page](/img/product_docs/accessanalyzer/admin/datacollector/textsearch/sourcefiles.webp) Location 
@@ -67,7 +67,7 @@ Clicking the ellipsis in the Location section of the Source Files page opens the Explorer search window. In the Remote Folder Explorer window, navigate to the file folder location and add the path to the scope. Multiple paths can be added to the scope. -![Remote Folder Explorer window](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/textsearch/remotefolderexplorer.webp) +![Remote Folder Explorer window](/img/product_docs/accessanalyzer/admin/datacollector/textsearch/remotefolderexplorer.webp) The Remote Folder Explorer functions are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/summary.md index dc4afdb1b8..432c595bb8 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/textsearch/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/textsearch/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. -![Text Search Data Collector Wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Text Search Data Collector Wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Text Search Data Collector Wizard ensuring that no accidental clicks diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/editscript.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/editscript.md index 0099c8a97d..148036c945 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/editscript.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/editscript.md 
@@ -2,7 +2,7 @@ The Edit Script page allows the script to be customized. -![Unix Data Collector Wizard Edit Script page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unix/editscript.webp) +![Unix Data Collector Wizard Edit Script page](/img/product_docs/accessanalyzer/admin/datacollector/unix/editscript.webp) Edit the shell script in the textbox if desired. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/input.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/input.md index 436a16636d..735908c789 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/input.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/input.md @@ -2,7 +2,7 @@ The Input page configures the source for input data. -![Unix Data Collector Wizard Input page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) +![Unix Data Collector Wizard Input page](/img/product_docs/accessanalyzer/admin/datacollector/unix/input.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/overview.md index a23934e073..f25aba8cde 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/overview.md @@ -3,7 +3,7 @@ The Unix Data collector provides host inventory, software inventory, and logical volume inventory on UNIX & Linux platforms. The Unix Data Collector has been preconfigured within the Unix Solution. Both this data collector and the solution are available with a special Access Analyzer license. See -the [Unix Solution](../../../solutions/unix/overview.md) topic for additional information. +the [Unix Solution](/docs/accessanalyzer/12.0/solutions/unix/overview.md) topic for additional information. Protocols 
@@ -19,7 +19,7 @@ Permissions - Root permissions in Unix/Linux If the Root permission is unavailable, a least privileged model can be used. See the -[Least Privilege Model](../../../requirements/target/unix.md#least-privilege-model) topic additional +[Least Privilege Model](/docs/accessanalyzer/12.0/requirements/target/unix.md#least-privilege-model) topic additional information. ## Unix Query Configuration @@ -27,8 +27,8 @@ information. The Unix Data Collector is configured through the Unix Data Collector Wizard. It is designed to scan and import information from UNIX / Linux systems. The Unix Data Collector has these pages: -- [Unix: Settings](settings.md) -- [Unix: Input](input.md) -- [Unix: Edit Script](editscript.md) -- [Unix: Parsing](parsing.md) -- [Unix: Results](results.md) +- [Unix: Settings](/docs/accessanalyzer/12.0/admin/datacollector/unix/settings.md) +- [Unix: Input](/docs/accessanalyzer/12.0/admin/datacollector/unix/input.md) +- [Unix: Edit Script](/docs/accessanalyzer/12.0/admin/datacollector/unix/editscript.md) +- [Unix: Parsing](/docs/accessanalyzer/12.0/admin/datacollector/unix/parsing.md) +- [Unix: Results](/docs/accessanalyzer/12.0/admin/datacollector/unix/results.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/parsing.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/parsing.md index 03cebe1c7f..78b8e0ec8d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/parsing.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/parsing.md @@ -3,7 +3,7 @@ The Parsing Configuration page configures the columns to return from the remote command and the parameters used to parse that output into those columns. -![Unix Data Collector Wizard Parsing Configuration page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/unix/parsing.webp) +![Unix Data Collector Wizard Parsing Configuration page](/img/product_docs/accessanalyzer/admin/datacollector/unix/parsing.webp) The configurable options are: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/results.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/results.md index 5be232726b..c640a6763b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/results.md @@ -3,7 +3,7 @@ On the Results page, select which properties will be gathered out of those available for the query. Additionally select properties based on which ROWKEY will be built. -![Unix Data Collector Wizard Results page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Unix Data Collector Wizard Results page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/unix/settings.md b/docs/accessanalyzer/12.0/admin/datacollector/unix/settings.md index 8646f5b20c..8623c27ec6 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/unix/settings.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/unix/settings.md @@ -2,7 +2,7 @@ The Settings page configures the Unix Data Collector settings. -![Unix Data Collector Wizard Settings page](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![Unix Data Collector Wizard Settings page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/groups.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/groups.md index af7604ed96..8628d6b39b 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/groups.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/groups.md 
@@ -2,7 +2,7 @@ The Groups Query category collects information for groups in different contexts. -![Users and Groups Browser wizard Results page for Groups category](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/groups.webp) +![Users and Groups Browser wizard Results page for Groups category](/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/groups.webp) In the Groups section, select from the following options: @@ -32,7 +32,7 @@ offline. Clicking the ellipses for the **All groups containing the following users** and the **These groups** options opens the Find a Group or Find a User browser. -![Find a group window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/findagroup.webp) +![Find a group window](/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/findagroup.webp) The Find a Group and Find a User browsers display a list of groups or users, depending on which one is being used, that can be selected for the option. Select from a specific host using the Sample diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/security.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/security.md index 2a7791bc1a..5c69827bca 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/security.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/security.md @@ -2,7 +2,7 @@ This Security policy is used to audit security policies. -![Users and Groups Browser wizard Results page Security category](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/security.webp) +![Users and Groups Browser wizard Results page Security category](/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/security.webp) Select from the following options for what data will be returned: 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/users.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/users.md index aa54ee6c14..068628da93 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/users.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/users.md @@ -2,7 +2,7 @@ The Users Query category collects information for users in different contexts. -![Users and Groups Browser wizard Results page Users category](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) +![Users and Groups Browser wizard Results page Users category](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) In the Users section, select from the following options: @@ -50,7 +50,7 @@ offline. Clicking the ellipses for the **All users in the following groups** and the **These users** options opens the Find a Group or Find a User browser. -![Find a group window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/findagroup.webp) +![Find a group window](/img/product_docs/accessanalyzer/admin/datacollector/usersgroups/category/findagroup.webp) The Find a Group and Find a User browsers display a list of groups or users, depending on which one is being used, that can be selected for the option. Select from a specific host using the Sample diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/overview.md index 49cdc3fdb7..0d831857c5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/overview.md 
@@ -5,7 +5,7 @@ system policies. The UsersGroups Data Collector has been preconfigured within the Windows Solution. Both this data collector and the solution are available with a special Access Analyzer license. See the -[Windows Solution](../../../solutions/windows/overview.md) topic for additional information. +[Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols @@ -35,10 +35,10 @@ The UsersGroups Data Collector is configured through the Users and Groups Browse contains the following wizard pages: - Welcome -- [UsersGroups: Results](results.md) -- [UsersGroups: Summary](summary.md) +- [UsersGroups: Results](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/results.md) +- [UsersGroups: Summary](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/summary.md) -![Users and Groups Browser wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Users and Groups Browser wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** box when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/results.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/results.md index 13f5f2c6c3..7b0c1300c0 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/results.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/results.md 
@@ -3,10 +3,10 @@ The Results page is where the type of data to be returned is configured. Each type has a different set of options. -![Users and Groups Browser wizard Results page Category selection](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) +![Users and Groups Browser wizard Results page Category selection](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) Choose from the following query categories: -- [UsersGroups: Users Category](category/users.md) -- [UsersGroups: Groups Category](category/groups.md) -- [UsersGroups: Security Category](category/security.md) +- [UsersGroups: Users Category](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/users.md) +- [UsersGroups: Groups Category](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/groups.md) +- [UsersGroups: Security Category](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/category/security.md) diff --git a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/summary.md index 49dacb3342..5ad65285e9 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/summary.md @@ -2,7 +2,7 @@ The Summary page displays a summary of the configured query. -![Users and Groups Browser wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Users and Groups Browser wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the Users and Groups Browser wizard ensuring that no accidental clicks are 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/classes.md b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/classes.md index cda70aa4df..9159561126 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/classes.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/classes.md @@ -2,7 +2,7 @@ On the Classes page, configure the WMICollector namespaces and classes to use as a data source. -![WMI Browser wizard Classes page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/classes.webp) +![WMI Browser wizard Classes page](/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/classes.webp) Select the **Namespace** and **Class** from the drop-down lists to use as a data source. The default namespace, **root\CIMV2**, is typically what should be used. Select the **Win32 classes only** diff --git a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/overview.md b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/overview.md index c35b3ec04f..cd669e5535 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/overview.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/overview.md @@ -4,7 +4,7 @@ The WMICollector Data Collector identifies data for certain types of WMI classes WMICollector Data Collector is a core component of Access Analyzer, but it has been preconfigured within the Windows Solution. While the data collector is available with all Access Analyzer license options, the Windows Solution is only available with a special Access Analyzer license. See the -[Windows Solution](../../../solutions/windows/overview.md) topic for additional information. +[Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. Protocols 
@@ -26,12 +26,12 @@ The WMICollector Data Collector is configured through the WMI Browser wizard, wh following wizard pages: - Welcome -- [WMICollector: Sample Host](samplehost.md) -- [WMICollector: Classes](classes.md) -- [WMICollector: Properties](properties.md) -- [WMICollector: Summary (Results)](summary.md) +- [WMICollector: Sample Host](/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/samplehost.md) +- [WMICollector: Classes](/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/classes.md) +- [WMICollector: Properties](/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/properties.md) +- [WMICollector: Summary (Results)](/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/summary.md) -![WMI Browser wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![WMI Browser wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) The Welcome page can be hidden by selecting the **Do not display this page the next time** checkbox when the wizard is open and configuration settings are saved. diff --git a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/properties.md b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/properties.md index 6c0a7c50d8..5613ee121d 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/properties.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/properties.md @@ -2,7 +2,7 @@ On the Properties page, select the properties to extract. -![WMI Browser wizard Properties page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![WMI Browser wizard Properties page](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) If the **Extract only selected instances** checkbox is not selected, data is returned from all process instances displayed in the **Instances of `\`** box. To return data from a 
diff --git a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/samplehost.md b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/samplehost.md index 23a9d6f098..be9842e2b5 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/samplehost.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/samplehost.md @@ -2,7 +2,7 @@ On the Sample Host page, enter a sample host to populate options for the query. -![WMI Browser wizard Sample Host page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/samplehost.webp) +![WMI Browser wizard Sample Host page](/img/product_docs/accessanalyzer/admin/datacollector/wmicollector/samplehost.webp) On the Sample Host page, if the desired classes and namespaces to audit reside on the local host, click **Next**. (The local host is represented by `.` in the **Sample host name** box). If a diff --git a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/summary.md b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/summary.md index 4b08e34941..18cfda3c29 100644 --- a/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/summary.md +++ b/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/summary.md @@ -2,7 +2,7 @@ The Summary page, or Results page, displays a summary of the configured query. -![WMI Browser wizard Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![WMI Browser wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) Click **Finish** to save configuration changes. If no changes were made, it is a best practice to click **Cancel** to close the WMI Browser wizard ensuring that no accidental clicks are saved. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md index 7d90d7e1ee..15b9c80587 100644 
--- a/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md @@ -2,7 +2,7 @@ The Activities pane provides several options for managing Host Discovery queries. -![Activities pane](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) +![Activities pane](/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) The options are: @@ -24,10 +24,10 @@ The options are: - Schedule – Opens the Schedule wizard to schedule query execution - - See the [Schedule](../settings/schedule.md) topic for additional information on the Schedule + - See the [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information on the Schedule wizard -- View Host List – Opens the [Host Management](../hostmanagement/overview.md) node directly to the +- View Host List – Opens the [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) node directly to the selected query’s generated host list These options are also available through a pop-up menu accessed by right-clicking on a query. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/log.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/log.md index aa3fb14fca..d7ebefbb89 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/log.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/log.md 
@@ -3,10 +3,10 @@ The **Host Discovery** > **Discovery Log** node lists host discovery logs. These logs house transactions that transpire during the running of host discovery and host inventory tasks. -![Discovery Log](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/discoverylog.webp) +![Discovery Log](/img/product_docs/accessanalyzer/admin/hostdiscovery/discoverylog.webp) The Discovery Log logging level is configured within the **Settings** > **Host Discovery** node. See -the [Host Discovery](../settings/hostdiscovery.md) topic for additional information. +the [Host Discovery](/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md) topic for additional information. The following options are above the data grid: diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md index 8150a34fe6..794ce69081 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md 
@@ -8,11 +8,11 @@ The Host Discovery queries view displays a list of previously configured queries Discovery Wizard to create new queries, and is where host inventory process can be automated. The **Host Discovery** node houses the Discovery Log. The **Settings** > **Host Discovery** node contains the global settings that affect discovery queries. See the -[Host Discovery](../settings/hostdiscovery.md) topic for additional information. +[Host Discovery](/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md) topic for additional information. The Discovery node has four main panes: -- [Host Discovery Queries](queries.md) -- [Host Discovery Queries Activities Pane](activities.md) -- [Host Discovery Wizard](wizard/overview.md) -- [Discovery Log](log.md) +- [Host Discovery Queries](/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md) +- [Host Discovery Queries Activities Pane](/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md) +- [Host Discovery Wizard](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md) +- [Discovery Log](/docs/accessanalyzer/12.0/admin/hostdiscovery/log.md) diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md index c4d8130b2a..e5fae14a92 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md @@ -2,7 +2,7 @@ The Host Discovery Queries Pane contains a list of previously-configured queries. -![Host Discovery Queries Pane](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/queries.webp) +![Host Discovery Queries Pane](/img/product_docs/accessanalyzer/admin/hostdiscovery/queries.webp) The list of previously configured queries is provided in a table format with the following columns: 
@@ -28,18 +28,18 @@ Follow the steps to view the hidden columns in the table: **Step 1 –** Right-click a header in the table, which opens a context menu. -![Field Chooser option on context menu](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/queriesfieldchooser.webp) +![Field Chooser option on context menu](/img/product_docs/accessanalyzer/admin/hostdiscovery/queriesfieldchooser.webp) **Step 2 –** Select **Field Chooser**, which opens the Customization window. -![Customization window](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/queriescustomizationwindow.webp) +![Customization window](/img/product_docs/accessanalyzer/admin/hostdiscovery/queriescustomizationwindow.webp) **Step 3 –** Select the **Columns** tab. -![Drag hidden colum into table](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/queriesaddhiddencolumn.webp) +![Drag hidden colum into table](/img/product_docs/accessanalyzer/admin/hostdiscovery/queriesaddhiddencolumn.webp) **Step 4 –** Drag and drop the desired column between any header of the table. -![Host Discovery Queries table with column added](../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/querieshiddencolumnadded.webp) +![Host Discovery Queries table with column added](/img/product_docs/accessanalyzer/admin/hostdiscovery/querieshiddencolumnadded.webp) The header is now present in the table. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/addomaincontrollers.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/addomaincontrollers.md index 518eabcbdd..ab414d45fa 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/addomaincontrollers.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/addomaincontrollers.md 
@@ -4,12 +4,12 @@ Follow the steps to create a Host Discovery query using the **Query an Active Di (Discover Domain Controllers)** source option. This option scans the default domain controller or a specified server but is scoped to return only machines that are domain controllers. -![Host Discovey Wizard Source page for AD Domain Controllers query](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovey Wizard Source page for AD Domain Controllers query](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source page, select the **Query an Active Directory server (Discover Domain Controllers)** option. Click **Next**. -![Host Discovey Wizard Query page for AD Domain Controllers query](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovey Wizard Query page for AD Domain Controllers query](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. 
@@ -26,12 +26,12 @@ Directory server (Discover Domain Controllers)** option. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovey Wizard Domains & Sites page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/domainssites.webp) +![Host Discovey Wizard Domains & Sites page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/domainssites.webp) **Step 3 –** The Domains & Sites page is scoped to return all domain controllers in the targeted domains and sites. By default, all domains and sites are selected. If desired, scope to target @@ -61,7 +61,7 @@ specific domains and sites. Click **Next** to continue. -![Host Discovey Wizard Options page for AD Domain Controllers query](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovey Wizard Options page for AD Domain Controllers query](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. @@ -82,7 +82,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovey Wizard Inventory page for AD Domain Controllers query](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovey Wizard Inventory page for AD Domain Controllers query](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. 
@@ -101,18 +101,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovey Wizard Summary page for AD Domain Controllers query](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovey Wizard Summary page for AD Domain Controllers query](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adexchange.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adexchange.md index da484e1623..88e5de0909 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adexchange.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adexchange.md 
@@ -5,12 +5,12 @@ Follow the steps to create a Host Discovery query using the Query an Active Dire specified server but is scoped to return only computer objects residing in the configuration container for Exchange servers. -![Host Discovery Wizard Source page for AD Exchange](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovery Wizard Source page for AD Exchange](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source Page, select the **Query an Active Directory server (Discover Exchange servers)** option. Click **Next**. -![Host Discovery Wizard Query page for AD Exchange](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovery Wizard Query page for AD Exchange](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. 
@@ -27,20 +27,20 @@ Directory server (Discover Exchange servers)** option. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Exchange Server Query page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/exchangeserver.webp) +![Host Discovery Wizard Exchange Server Query page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/exchangeserver.webp) **Step 3 –** The Exchange Server Query page is scoped to the default Microsoft container where all Exchange servers are housed. Leave this page unchanged. If you must modify this page, see the -[Query an Active Directory Server (General)](adgeneral.md) topic for instructions. Click **Next**. +[Query an Active Directory Server (General)](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md) topic for instructions. Click **Next**. -![Host Discovery Wizard Options page for AD Exchange](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovery Wizard Options page for AD Exchange](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. 
@@ -61,7 +61,7 @@ Leave this page unchanged. If you must modify this page, see the Click **Next** to continue. -![Host Discovery Wizard Inventory page for AD Exchange](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovery Wizard Inventory page for AD Exchange](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. @@ -80,18 +80,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Summary page for AD Exchange](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovery Wizard Summary page for AD Exchange](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. 
diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md index 0a59983dfa..67c1f39245 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md @@ -5,12 +5,12 @@ Follow the steps to create a Host Discovery query using the Query an Active Dire all computer objects. The query can be scoped to only return computer objects in specified containers or individual computer objects. See Step 3 for additional information. -![Host Discovery Wizard Source page for AD General](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovery Wizard Source page for AD General](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source page, select the **Query an Active Directory server (General)** option. Click **Next**. -![Host Discovery Wizard Query page for AD General](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovery Wizard Query page for AD General](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. 
@@ -27,12 +27,12 @@ Directory server (General)** option. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Active Directory page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Host Discovery Wizard Active Directory page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) **Step 3 –** On the Active Directory page, identify the organizational units (OUs) to scan. @@ -62,7 +62,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovery Wizard Options page for AD General](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovery Wizard Options page for AD General](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. @@ -83,7 +83,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovery Wizard Inventory page for AD General](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovery Wizard Inventory page for AD General](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. 
@@ -102,18 +102,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Summary page for AD General](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovery Wizard Summary page for AD General](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/csv.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/csv.md index 82e5bc5c2b..f744e05949 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/csv.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/csv.md 
@@ -7,12 +7,12 @@ option. it re-imports the host list. Therefore, deleting, renaming, or moving the import source file causes the query to fail. -![Host Discovery Wizard Source page for CSV import](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovery Wizard Source page for CSV import](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source page, select the **Import from a CSV file** option on the Source page. Click **Next**. -![Host Discovery Wizard Query page for CSV import](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovery Wizard Query page for CSV import](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. @@ -31,12 +31,12 @@ file** option on the Source page. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard CSV File Import page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/fileimport.webp) +![Host Discovery Wizard CSV File Import page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/fileimport.webp) **Step 3 –** On the CSV File Import page, identify the CSV file to import and the column from within the file where the host names are located: 
@@ -51,7 +51,7 @@ the file where the host names are located: Click **Next** to continue. -![Host Discovery Wizard Options page for CSV import](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovery Wizard Options page for CSV import](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. @@ -72,7 +72,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovery Wizard Inventory page for CSV import](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovery Wizard Inventory page for CSV import](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. 
@@ -91,18 +91,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Summary page for CSV import](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovery Wizard Summary page for CSV import](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md index 2bb7b2a172..feb24fddda 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md 
@@ -7,12 +7,12 @@ option. it re-imports the host list. Therefore, deleting, renaming, or moving the import source file causes the query to fail. -![Host Discovery Wizard Source page for database import](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovery Wizard Source page for database import](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source page, select the **Import from a database** option. Click **Next**. -![Host Discovery Wizard Query page for database import](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovery Wizard Query page for database import](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. @@ -29,12 +29,12 @@ database** option. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Database Import page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/databaseimport.webp) +![Host Discovery Wizard Database Import page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/databaseimport.webp) **Step 3 –** On the Database Import page, identify the database, table, and column where the host names are located: 
@@ -42,7 +42,7 @@ names are located: - Data source – Identify the database. Click the ellipsis (**…**) to open the Data Link Properties window. Then provide the required information on the Connection tab. - ![Data Link Properties window Connection tab](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/datalinkproperties.webp) + ![Data Link Properties window Connection tab](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/datalinkproperties.webp) - Server name – Use the drop-down menu to select the server. The **Refresh** button refreshes the list of available servers. @@ -54,7 +54,7 @@ names are located: **Allow saving password** option - If selected, the **Blank password** option indicates that no password is required - ![Test connection succeeded confirmation window](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/datalinkpropertiestestconnection.webp) + ![Test connection succeeded confirmation window](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/datalinkpropertiestestconnection.webp) - Click **Test Connection** to confirm a connection has been established. Click **OK** on the confirmation window. @@ -78,7 +78,7 @@ names are located: Click **Next** to continue. -![Host Discovery Wizard Options page for database import](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovery Wizard Options page for database import](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. 
@@ -99,7 +99,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovery Wizard Inventory page for database import](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovery Wizard Inventory page for database import](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. @@ -118,18 +118,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovery Wizard Summary page for database import](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovery Wizard Summary page for database import](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. 
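Review bot: The Connection link in this last database.md hunk now hard-codes the product version: `../../settings/connection/overview.md` becomes `/docs/accessanalyzer/12.0/admin/settings/connection/overview.md`. The relative form resolved inside whichever version directory the file lives in, whereas the absolute form keeps pointing at 12.0 if this tree is later copied for a new release. The same pattern repeats in every Connection link touched by this patch. If absolute links are required, please note in the README how versioned links are updated when a new version directory is created. Otherwise, keep intra-version links relative.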
diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/ipnetwork.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/ipnetwork.md index b005129727..8292c1ff19 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/ipnetwork.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/ipnetwork.md @@ -4,12 +4,12 @@ Follow the steps to create a Host Discovery query using the Scan your IP network option scans a specified range of IP Addresses for active hosts and resolves the names of machines using DNS. -![Host Discovey Wizard Source page for IP network scan](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) +![Host Discovey Wizard Source page for IP network scan](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/source.webp) **Step 1 –** Open the Host Discovery Wizard. On the Source page, select the **Scan your IP network** option. Click **Next**. -![Host Discovey Wizard Query page for IP network scan](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) +![Host Discovey Wizard Query page for IP network scan](/img/product_docs/accessanalyzer/admin/datacollector/nis/query.webp) **Step 2 –** On the Query page, name the query and select the credentials used to access the source. 
@@ -26,12 +26,12 @@ option. Click **Next**. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovey Wizard IPSweep page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/ipsweep.webp) +![Host Discovey Wizard IPSweep page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/ipsweep.webp) **Step 3 –** On the IPSweep page, specify the range of IP Addresses to scan. @@ -72,7 +72,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovey Wizard Options page for IP network scan](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Host Discovey Wizard Options page for IP network scan](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the query options as required. @@ -93,7 +93,7 @@ Click **Next** to continue. Click **Next** to continue. -![Host Discovey Wizard Inventory page for IP network scan](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) +![Host Discovey Wizard Inventory page for IP network scan](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/inventory.webp) **Step 5 –** On the Inventory page, the host inventory process can be automatically included with the discovery query. 
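Review bot: The alt text on the changed image line in this ipnetwork.md hunk still reads `Host Discovey Wizard Inventory page for IP network scan`. Since the line is being rewritten anyway, correct it to "Discovery". The same misspelling is carried through the other changed image lines in ipnetwork.md (Source, Query, IPSweep, Options and Summary pages), while the equivalent lines in csv.md and database.md spell it correctly.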
@@ -112,18 +112,18 @@ the discovery query. - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. Click **Next** to continue. -![Host Discovey Wizard Summary page for IP network scan](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Host Discovey Wizard Summary page for IP network scan](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** The Summary page displays all the selected query configuration settings. To make changes, click **Back** to navigate to the relevant wizard page. Click Finish to complete the configuration process. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/wizardconfirmdialog.webp) **Step 7 –** A Confirm dialog box opens. Click **Yes** to run the query now or **No** to run the query at another time. diff --git a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md index fdea716b92..f180caff75 100644 --- a/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md +++ b/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md 
@@ -3,7 +3,7 @@ The Host Discovery Wizard gives complete control over how hosts are discovered on the targeted network and which hosts are discovered. -![Console with Create Query Option Highlighted](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/createqueryhighlighted.webp) +![Console with Create Query Option Highlighted](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/createqueryhighlighted.webp) Use the Host Discovery Wizard to create new queries. The wizard opens in the Results pane. Use any of the following methods in order to access the Host Discovery Wizard from the Host Discovery node: 
@@ -13,23 +13,23 @@ of the following methods in order to access the Host Discovery Wizard from the H - Right-click anywhere in the Host Discovery Queries table and select **Create Query** from the pop-up menu -![Host Discovery Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/hostdiscoverywizard.webp) +![Host Discovery Wizard](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/hostdiscoverywizard.webp) The first step in creating a Host Discovery query is to select the source where the query searches for hosts. Hosts are discoverable using one of the following options: -- [Scan IP Network](ipnetwork.md) – Scans a specified range of IP Addresses for active hosts and +- [Scan IP Network](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/ipnetwork.md) – Scans a specified range of IP Addresses for active hosts and resolves the names of machines using DNS -- [Query an Active Directory Server (General)](adgeneral.md) – Scans the default domain controller +- [Query an Active Directory Server (General)](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adgeneral.md) – Scans the default domain controller or a specified server for all computer objects, can be scoped -- [Query an Active Directory Server (Discover Exchange servers)](adexchange.md) – Scans the default +- [Query an Active Directory Server (Discover Exchange servers)](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/adexchange.md) – Scans the default domain controller or a specified server but is scoped to return only computer objects sitting in the configuration container for Exchange servers -- [Query an Active Directory server (Discover Domain Controllers)](addomaincontrollers.md) – Scans +- [Query an Active Directory server (Discover Domain Controllers)](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/addomaincontrollers.md) – Scans the default domain controller or a specified server but is scoped to return only machines which are domain 
controllers -- [Import From a Local CSV File](csv.md) – Imports a host list from a specified CSV file -- [Import From a Database](database.md) – Imports a host list from a specified SQL Server database +- [Import From a Local CSV File](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/csv.md) – Imports a host list from a specified CSV file +- [Import From a Database](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md) – Imports a host list from a specified SQL Server database **NOTE:** The Advanced Options checkbox in the lower-left corner is a legacy item and should not be selected. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md index 6213355898..5dcac0caa7 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md @@ -3,11 +3,11 @@ The **Add Hosts** option creates a new host list. It can be accessed through the **Host Management** node. Follow the steps to add a new host list. -![Add Hosts option on Activities pane of the Host Management node](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/addhosts.webp) +![Add Hosts option on Activities pane of the Host Management node](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/addhosts.webp) **Step 1 –** Click **Add Hosts** to open the Host List Wizard in the Results pane. -![Host List Wizard Specify Manual Host Entry page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardhostentry.webp) +![Host List Wizard Specify Manual Host Entry page](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardhostentry.webp) **Step 2 –** On the Manual Host Entry page, choose to either enter the hosts manually one at a time, or use the **Import** option. When the list is completed, click **Next**. 
@@ -15,11 +15,11 @@ or use the **Import** option. When the list is completed, click **Next**. - To enter hosts manually, type the host name in the **Host name** textbox. Then click **Add**. The entry will appear in the **Host list** box. Repeat the process until all hosts for this list have been entered. -- The **Import** option opens the Import Hosts window. See the [Import Hosts Option](importhost.md) +- The **Import** option opens the Import Hosts window. See the [Import Hosts Option](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importhost.md) topic for additional information. - Use **Remove** to delete a selected host from the **Host list** box -![Host List Wizard Specify Host List Properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardproperties.webp) +![Host List Wizard Specify Host List Properties page](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardproperties.webp) **Step 3 –** On the Specify Host List Properties page, provide a unique descriptive **Host List Name**. @@ -43,7 +43,7 @@ refreshed for hosts in the list and set the credentials to use to conduct the ho - Credentials in this connection profile – Use the dropdown list to select a Connection Profile from those preconfigured at the global level (**Settings** > **Connection**) - See the [Connection](../../settings/connection/overview.md) topic for additional information on + See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on Connection Profiles. **Step 5 –** Click **Finish** to save the host list and close the Host Lost Wizard. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletehost.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletehost.md index 0791d48f06..52fdbb4a31 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletehost.md 
+++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletehost.md @@ -10,7 +10,7 @@ Follow the steps to delete a host from the Host Management node. **Step 1 –** In the Host Management node, select the host in the data grid and click **Delete Host(s)** on the Activities pane. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehost.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehost.webp) **CAUTION:** A deletion from the host master table at the Host Management node cannot be undone, as it deletes it from the host management database tables. It also removes the host from any host list @@ -28,7 +28,7 @@ Follow the steps to delete a host from an individual host list. **Step 1 –** In the host list, select the host in the data grid and click **Delete Host(s)** on the Activities pane. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehost.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehost.webp) **Step 2 –** A dialog box asks for confirmation of the action. Click **OK** to proceed with the deletion. @@ -36,7 +36,7 @@ deletion. Access Analyzer checks to see if the host exists in any other static host lists. If so, the deletion is limited to removing the selected host from the current host list. -![Confirm deletion from master host table dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehostmaster.webp) +![Confirm deletion from master host table dialog box](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletehostmaster.webp) **CAUTION:** A deletion from the host master table cannot be undone, as it deletes it from the host management database tables. 
diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletelist.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletelist.md index effc35abf9..d7106e201e 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletelist.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletelist.md @@ -7,7 +7,7 @@ individual host list node. **Step 1 –** In the Navigation pane, select the host list to delete and click **Delete List**. -![Confirm dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletelist.webp) +![Confirm dialog box](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletelist.webp) **CAUTION:** This action cannot be undone. Click **Cancel** to stop the deletion. @@ -16,7 +16,7 @@ individual host list node. Access Analyzer checks to see if any hosts within the host list are found in any other static host lists. -![Confirm deletion of orphaned hosts from master host table dialog box](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletelistmaster.webp) +![Confirm deletion of orphaned hosts from master host table dialog box](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/confirmdeletelistmaster.webp) **Step 3 –** If no hosts are found in any other host list, then Access Analyzer asks if you want to remove the host from the master host table. On the Confirm dialog box, select the desired option. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md index 33f877e607..d6ca86aed0 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md 
@@ -3,7 +3,7 @@ Use the **Edit List** option to edit properties for the selected host list. This option is available only from an individual host list node. -![Edit List option on Activities pane](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/editlist.webp) +![Edit List option on Activities pane](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/editlist.webp) Select the host list to edit and click **Edit List**. The Host List Wizard opens for the selected host list. If the selected host list is a custom static host list, the wizard opens on the Manual @@ -18,4 +18,4 @@ the Specify Host List Properties page where you can modify the following: - Refresh inventory setting - Credentials used for host inventory -See the [Add Hosts](add.md) topic for information on modifying these settings. +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for information on modifying these settings. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editquery.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editquery.md index 11b5d27d33..f2b69dfc67 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editquery.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editquery.md 
@@ -2,10 +2,10 @@ Use the **Edit Query** option to modify host lists created by a Host Discovery query. -![Edit Query option on Activities pane](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/powershell/editquery.webp) +![Edit Query option on Activities pane](/img/product_docs/accessanalyzer/admin/datacollector/powershell/editquery.webp) In the Navigation pane, select the query-created host list to edit and click **Edit Query**. The Host Discovery Wizard opens to the Query page where the query settings for the selected query-created host list are modified. See the -[Host Discovery Wizard](../../hostdiscovery/wizard/overview.md) topic for information on modifying +[Host Discovery Wizard](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md) topic for information on modifying these settings. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/export.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/export.md index c0be3fb811..7487b0a328 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/export.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/export.md 
@@ -5,19 +5,19 @@ selected host list to a HTML, XML , or CSV file. Follow the steps to export data **Step 1 –** Select the Host Management or individual host list node to export data from, and configure the data grid to contain all the columns you want to export. See the -[Host Inventory Data Grid](../datagrid.md) topic for additional information. +[Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md) topic for additional information. -![Export Data option on the Activities pane](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![Export Data option on the Activities pane](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) **Step 2 –** When the data grid contains all columns desired for export, click **Export Data**. A Save As window opens. -![Save As window](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportsaveas.webp) +![Save As window](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportsaveas.webp) **Step 3 –** On the Save As window, select the required format (HTML Files, XML Files, or CSV Files) and provide a name and location for the export file. -This export is now shareable. Unlike the [View/Edit Host](viewhost.md) export option, this file will +This export is now shareable. Unlike the [View/Edit Host](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md) export option, this file will be in the same format as the data grid. ## Export Examples 
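Review bot: Between Step 1 and Step 2 of this export.md hunk, the Export Data screenshot resolves to `/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp`, an image under the Threat Prevention tree, while every other image in export.md sits under `accessanalyzer/admin/hostmanagement/actions/`. The old relative path pointed at the same file, so the rewrite preserves existing behaviour. Even so, please confirm that the screenshot shows the Access Analyzer Activities pane. If it does, move it under the accessanalyzer image folder so that a change to the Threat Prevention docs cannot alter or remove it.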
@@ -26,12 +26,12 @@ The following examples show the different export format options. Example HTML File Export -![Example HTML File Export](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplehtml.webp) +![Example HTML File Export](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplehtml.webp) Example XML File Export -![Example XML File Export](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplexml.webp) +![Example XML File Export](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplexml.webp) Example CSV File Export -![Example CSV File Export](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplecsv.webp) +![Example CSV File Export](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/exportexamplecsv.webp) diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importhost.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importhost.md index d9cd921e1e..c1b34418ab 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importhost.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importhost.md 
@@ -5,12 +5,12 @@ imported from either a CSV file or a database into the host list being created. Follow the steps to import hosts. -![Import option on the Manual Host Entry page of the Host List Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardimport.webp) +![Import option on the Manual Host Entry page of the Host List Wizard](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistwizardimport.webp) **Step 1 –** On the Manual Host Entry page of the Host List Wizard, click **Import**. The Import Hosts window opens. -![Import Hosts window](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhosts.webp) +![Import Hosts window](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhosts.webp) **Step 2 –** On the Import Hosts window, use the **Import from** dropdown to select the source as either **CSV File** or **Database**. @@ -18,7 +18,7 @@ either **CSV File** or **Database**. **Step 3 –** Configure the source file. The necessary fields depend on the selection in the previous step. -![Import Hosts window for importing from CSV File](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostscsv.webp) +![Import Hosts window for importing from CSV File](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostscsv.webp) - CSV File 
@@ -28,14 +28,14 @@ step. - Includes header row – Select this checkbox if the file contains a header row. Otherwise, the header row will be included in the import (visible within the preview box). -![Import Hosts window for importing from Database](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostsdatabase.webp) +![Import Hosts window for importing from Database](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostsdatabase.webp) - Database - Data source – Identify the database. Click the ellipsis (**…**) to open the Data Link Properties window. Provide the required information on the Connection tab of the Data Link Properties window, and then click **OK**. See the - [Import From a Database](../../hostdiscovery/wizard/database.md) topic for additional + [Import From a Database](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md) topic for additional information. **NOTE:** The Provider, Advanced, and All tabs of the Data Link Properties window should not 
@@ -49,8 +49,8 @@ column containing the host names. The selected column is highlighted in the prev **Step 5 –** Click **OK** to complete the import. -![Imported hosts added in the Host list box on the Manual Host Entry page of the Host List Wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostscomplete.webp) +![Imported hosts added in the Host list box on the Manual Host Entry page of the Host List Wizard](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importhostscomplete.webp) The Import Hosts window closes, and the imported list of host names is added in the Host list box on the Manual Host Entry page of the Host List Wizard. Click **Next** to proceed with configuring the -host list. See the [Add Hosts](add.md) topic for additional information on the Host List Wizard. +host list. See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for additional information on the Host List Wizard. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md index cbab7fc9b8..c1ac99ac8b 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md @@ -2,7 +2,7 @@ Use the **Import Location** option to import the physical location data for hosts and opens a customized version of the Import Hosts window. Add host locations from a CSV file or SQL Server -database without creating a new host list. See the [Host Inventory Data Grid](../datagrid.md) topic +database without creating a new host list. See the [Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md) topic for information on the Location column of host inventory. Follow the steps to import physical location data for hosts. 
@@ -13,11 +13,11 @@ within Access Analyzer and the location. **NOTE:** When a host name does not match any existing hosts within the Host Master Table, it can be added as a new host. -![Import Location option on Activities pane](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocation.webp) +![Import Location option on Activities pane](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocation.webp) **Step 2 –** Select the host list and click **Import Location**. -![Import Hosts window for importing location](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationwindow.webp) +![Import Hosts window for importing location](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationwindow.webp) **Step 3 –** On the Import Hosts window, use the **Import from** dropdown to select the source as either **CSV File** or **Database**. @@ -38,7 +38,7 @@ step. - Data source – Identify the database. Click the ellipsis (**…**) to open the Data Link Properties window. Provide the required information on the Connection tab of the Data Link Properties window, and then click **OK**. See the - [Import From a Database](../../hostdiscovery/wizard/database.md) topic for additional + [Import From a Database](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/database.md) topic for additional information. **NOTE:** The Provider, Advanced, and All tabs of the Data Link Properties window should not 
@@ -50,14 +50,14 @@ step. **Step 5 –** Use either the drop-down menu or click on the column in the preview box to select the column containing the host names. The selected column is highlighted in the preview box. -![Import Hosts window Location column selection](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationcsv.webp) +![Import Hosts window Location column selection](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationcsv.webp) **Step 6 –** Use the **Import column** drop-down menu to select the column containing the location information. The selected column is highlighted a lighter color in the preview box. **Step 7 –** Click **OK** to complete the import. -![Imported Location column data in the data grid](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationcomplete.webp) +![Imported Location column data in the data grid](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/importlocationcomplete.webp) The Location column now contains the imported information. If any of the hosts included in the import file are not already in the Host Master Table, Access Analyzer prompts for confirmation on diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md index a98293b1e1..4a83c8e8d5 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md 
@@ -3,31 +3,31 @@ The Activities pane available at the Host Management node and at the individual host list nodes provides the tools needed to manage hosts and host lists. -| ![Activities pane in Host Management node](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/activitiesindividualhost.webp) | +| ![Activities pane in Host Management node](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/activitiesindividualhost.webp) | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Host Management Node | Individual Host List Nodes | The available actions are: -- [Add Hosts](add.md) – Create a new host list by manually entering hosts or importing a host list +- [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) – Create a new host list by manually entering hosts or importing a host list (only available in the Host Management node) -- [View/Edit Host](viewhost.md) – Open the Host Details View, which displays the collected host +- [View/Edit Host](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md) – Open the Host Details View, which displays the collected host inventory information for the selected host in an easier-to-read format and allows you to manually edit the host inventory information -- [Delete Host(s)](deletehost.md) – Delete host from the selected list (permanently deletes host +- [Delete Host(s)](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletehost.md) – Delete host from the selected list (permanently deletes host from the host master table if used in the Host Management node) -- [Import Location](importlocation.md) – Import the physical location 
data for hosts from a CSV file +- [Import Location](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md) – Import the physical location data for hosts from a CSV file or database without creating a new host list. Location column is in the - [Host Inventory Data Grid](../datagrid.md). -- [Refresh Hosts](refresh.md) – Manually executes the host inventory query for the selection -- [Save Current View](saveview.md) – Create a dynamic host list from the current (filtered) data + [Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md). +- [Refresh Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/refresh.md) – Manually executes the host inventory query for the selection +- [Save Current View](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md) – Create a dynamic host list from the current (filtered) data grid view -- [Save Selected To List](savetolist.md) – Create a static host list from the selected hosts within +- [Save Selected To List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md) – Create a static host list from the selected hosts within the current data grid -- [Schedule (Activities Pane Option)](schedule.md) – Opens a customized Schedule Properties window +- [Schedule (Activities Pane Option)](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md) – Opens a customized Schedule Properties window to schedule a host inventory query -- [Export Data](export.md) – Export the current data grid to a HTML, XML, or CSV file -- [Suspend/Resume Host Inventory](suspend.md) – Pause an **In progress** host inventory or resume a +- [Export Data](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/export.md) – Export the current data grid to a HTML, XML, or CSV file +- [Suspend/Resume Host Inventory](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/suspend.md) – Pause an **In progress** host inventory or resume a paused **In queue** host inventory - 
External commands – Sub-header (not activity) that separates the Activities above which occur within the Access Analyzer Console from the Activities below which open external processes: @@ -41,10 +41,10 @@ The available actions are: Activities available only at the individual host list nodes are: -- [Edit List](editlist.md) – Edit the selected host list in the Host List Wizard -- [Edit Query](editquery.md) – Edit the Host Discovery query settings for the selected query-created +- [Edit List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md) – Edit the selected host list in the Host List Wizard +- [Edit Query](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editquery.md) – Edit the Host Discovery query settings for the selected query-created host list -- [Rename List](rename.md) – Rename the selected host list (should not be used if the host list has +- [Rename List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/rename.md) – Rename the selected host list (should not be used if the host list has already been assigned to a job for execution) -- [Delete List](deletelist.md) – Delete the selected host list -- [View Query](viewquery.md) – Opens the Host Discovery Queries window +- [Delete List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/deletelist.md) – Delete the selected host list +- [View Query](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewquery.md) – Opens the Host Discovery Queries window diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/refresh.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/refresh.md index 1eadeb6f91..f0584ca5b9 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/refresh.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/refresh.md 
@@ -9,10 +9,10 @@ for the following: filtering the data grid view - Individual host – Select a host from the current view -![Refresh Hosts option on Activities pane](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/refreshhosts.webp) +![Refresh Hosts option on Activities pane](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/refreshhosts.webp) Select the hosts or host list to inventory and then click **Refresh Hosts** in the Activities pane. -![Refresh Hosts Confirm dialog](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/refreshhostsconfirm.webp) +![Refresh Hosts Confirm dialog](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/refreshhostsconfirm.webp) When only particular hosts are selected in a list, a dialog box asks for confirmation of the action. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/rename.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/rename.md index 2fa2814cf4..9cde892572 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/rename.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/rename.md @@ -6,10 +6,10 @@ from an individual host list node. **CAUTION:** Changing the name on a host list that has been assigned to a job can cause the job to fail. -![Host list name window](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistname.webp) +![Host list name window](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistname.webp) Select the host list to rename and click **Rename List** to open the Host list name window. Enter the new name for the host list and click **OK**. **NOTE:** Host list names can also be changed using the **Edit List** option, see the -[Edit List](editlist.md) topic for additional information. +[Edit List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/editlist.md) topic for additional information. 
diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md index cb92a64283..4c9bca1d88 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md @@ -2,12 +2,12 @@ Use the **Save Selected To List** option to create a static host list. This option is available from either the Host Management node or an individual host list node. See the -[Static Host Lists](../lists.md#static-host-lists) topic for additional information on static host +[Static Host Lists](/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md#static-host-lists) topic for additional information on static host lists. This option is inactive until at least one host within the data grid is selected. -![Save Selected To List option in Host Management node](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/savetolist.webp) +![Save Selected To List option in Host Management node](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/savetolist.webp) Use the Windows Ctrl + left-click function to select multiple hosts from the data grid. In the Activities pane, click **Save Selected To List**. The Host List Wizard opens with the selected hosts -in the Host list box on the Manual Host Entry page. See the [Add Hosts](add.md) topic for +in the Host list box on the Manual Host Entry page. See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for information on creating a host list. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md index 823c8a0a4f..99636987d0 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md 
@@ -7,13 +7,13 @@ apply a filter to the data grid. Follow the steps to create a dynamic host list. **Step 1 –** Select the Host Management or individual host list node to create the host list from. **Step 2 –** Filter the data grid for the desired criteria. See the -[Host Inventory Data Grid](../datagrid.md) topic for additional information. +[Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md) topic for additional information. -![savecurrentview](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/savecurrentview.webp) +![savecurrentview](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/savecurrentview.webp) **Step 3 –** Click **Save Current View** in the Activities pane. -![Host List name window](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistname.webp) +![Host List name window](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostlistname.webp) **Step 4 –** On the Host list name window, provide a unique, descriptive name for the new host list and click **OK**. @@ -26,5 +26,5 @@ inventory. **_RECOMMENDED:_** Do not modify the criteria once a dynamic based list has been created. It is better to delete and recreate the list in order to modify a dynamic-based list. -See the [Dynamic Host Lists](../lists.md#dynamic-host-lists) topic for more information on dynamic +See the [Dynamic Host Lists](/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md#dynamic-host-lists) topic for more information on dynamic host lists. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md index fa7af5fe61..29aa5f1b9e 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md 
@@ -7,16 +7,16 @@ of the following: - An individual host list - Selected hosts in a list -![Schedule option on the Activities pane](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Schedule option on the Activities pane](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) Select the hosts or host list to inventory and click **Schedule** in the Activities pane. The Schedule Wizard opens for the selected host or host list. -![Schedule Wizard for Host Inventory Query](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/schedulewizardhostmanagement.webp) +![Schedule Wizard for Host Inventory Query](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/schedulewizardhostmanagement.webp) Use the Schedule Wizard to configure the scheduled task. See the -[Schedule Wizard](../../schedule/wizard.md) topic for additional information. +[Schedule Wizard](/docs/accessanalyzer/12.0/admin/schedule/wizard.md) topic for additional information. The details of the scheduled Inventory query are available in the **Schedules** view, including the -next run date and time. See the [Schedules](../../schedule/overview.md) topic for additional +next run date and time. See the [Schedules](/docs/accessanalyzer/12.0/admin/schedule/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/suspend.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/suspend.md index 2f851f6f07..81c032b066 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/suspend.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/suspend.md 
@@ -2,7 +2,7 @@ Use the **Suspend Host Inventory** option to pause an in progress inventory. -![Suspend Host Inventory](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/suspendhostinventory.webp) +![Suspend Host Inventory](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/suspendhostinventory.webp) Once clicked, the option changes to **Resume Host Inventory** and the **In progress** host inventories change to an **In queue** state. @@ -10,6 +10,6 @@ inventories change to an **In queue** state. **NOTE:** Clicking **Refresh Hosts** while inventory is suspended adds to the queue but does not resume the inventory. -![Resume Host Inventory](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/resumehostinventory.webp) +![Resume Host Inventory](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/resumehostinventory.webp) Click **Resume Host Inventory** to resume the inventory queries. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md index bd100da6d9..b42af1a01c 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewhost.md 
@@ -3,12 +3,12 @@ Use the **View/Edit Host** option to open the Host Details View. This view displays the collected host inventory information for the selected host in an easy-to-read format. -![View/Edit Host option](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/viewedithost.webp) +![View/Edit Host option](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/viewedithost.webp) Select a host from either the Host Master Table or an individual host list and click **View/Edit Host**. -![Host Details View](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostdetailsview.webp) +![Host Details View](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/hostdetailsview.webp) The Host Details View displays in the Results pane, and the rest of the Access Analyzer Console is unavailable while it is open. You can use the view to manually edit the host inventory information. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewquery.md b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewquery.md index 593095e030..a96aaedde9 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewquery.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/actions/viewquery.md @@ -2,7 +2,7 @@ Use the **View Query** option to open the Host Discovery Queries pane. -![View Query option on Activities pane](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/actions/viewquery.webp) +![View Query option on Activities pane](/img/product_docs/accessanalyzer/admin/hostmanagement/actions/viewquery.webp) Click **View Query** to go to the Host Discovery Queries pane. See the -[Host Discovery Queries](../../hostdiscovery/queries.md) topic for additional information. +[Host Discovery Queries](/docs/accessanalyzer/12.0/admin/hostdiscovery/queries.md) topic for additional information. 
diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md b/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md index db9023ab7e..19a3c01d17 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md 
@@ -2,17 +2,17 @@ The data grid provides all host inventory information collected on the hosts. View this information at the **Host Management** node (the Host Master Table) or at individual host list nodes. See the -[Hosts Lists](lists.md) topic for information on host lists. +[Hosts Lists](/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md) topic for information on host lists. -![Host Inventory Data Grid](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/datagrid.webp) +![Host Inventory Data Grid](/img/product_docs/threatprevention/threatprevention/admin/investigate/datagrid.webp) The icon for each host entry is an indicator of its inventory state: | Icon | Inventory State | | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -| ![Idle inventory state icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryidle.webp) | Idle | -| ![In Queue inventory state icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryinqueue.webp) | In Queue | -| ![In Progress inventory state icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryinprogress.webp) | In Progress | +| ![Idle inventory state icon](/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryidle.webp) | Idle | +| ![In Queue inventory state icon](/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryinqueue.webp) | In Queue | +| ![In Progress inventory state icon](/img/product_docs/accessanalyzer/admin/hostmanagement/inventoryinprogress.webp) | In Progress | The **Name**, **HostStatus**, and **InventoryState** grid columns are fixed by default. If desired, you can move these columns to the scrollable section of the table. 
@@ -59,11 +59,11 @@ Use the horizontal scrollbar at the bottom to view the host inventory data, whic - ServerRole – Indicates what role is served by the server (only applicable to Exchange servers) - isIIS – True or False if IIS is present on the server - Location – Distinct physical location, entered manually through the - [Import Location](actions/importlocation.md) activity + [Import Location](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md) activity - ExchLocation – Distinct physical location of Exchange server, entered manually through the - [Import Location](actions/importlocation.md) activity + [Import Location](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md) activity - AltLocation – Alternate physical location, entered manually through the - [Import Location](actions/importlocation.md) activity + [Import Location](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/importlocation.md) activity - WinCluster – Name of the Windows cluster in which the host is a part, if applicable - ExchCluster – Name of the Exchange cluster in which the host is a part, if applicable - ExchangeServerRole – Name of the Exchange server roles served by the host 
@@ -71,21 +71,21 @@ Use the horizontal scrollbar at the bottom to view the host inventory data, whic - IsSQLServer – True or False if host serves the role of SQL Server - hostID – Unique identifier of the host within the Access Analyzer inventory tables -See the [Data Grid Functionality](../navigate/datagrid.md) topic for information on how to sort, +See the [Data Grid Functionality](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md) topic for information on how to sort, filter, and search within the data grid. The Activities pane provides several options for managing hosts within the Host Management node. See -the [Host Management Activities](actions/overview.md) topic for information on these options. +the [Host Management Activities](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md) topic for information on these options. ## Host List Data Grid Right-Click Menus The right-click menu available in the Host Management data grid varies according to the selection in the Navigation pane. -| ![Host Management node right-click menu](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/rightclickquerycreated.webp) | +| ![Host Management node right-click menu](/img/product_docs/accessanalyzer/admin/hostmanagement/rightclickquerycreated.webp) | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Host Management Node | Individual Host List | Query-Created Host List | These right-click menu options contain the Host Management Activities available for the selection. 
-See the [Host Management Activities](actions/overview.md) topic for additional information on these +See the [Host Management Activities](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md) topic for additional information on these options. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md b/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md index 61644cac25..734a42bda2 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md +++ b/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md @@ -3,7 +3,7 @@ A host list is a grouping of hosts for the purpose of executing jobs against. Every host list created can be accessed by expanding the **Host Management** node in the Navigation pane. -![Host Management Node in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Host Management Node in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) There are two types of host lists: 
@@ -19,12 +19,12 @@ icon in front of the host list will indicate which type of host list it is: | Icon | Type of Host List | | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | -| ![Static Host List icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/statichostlist.webp) | Default Host List or Custom Host List (Static or Dynamic) | -| ![Host Discovery Query List icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/discoveryquerylist.webp) | Host Discovery Query List | -| ![Dynamic Host List icon](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/dynamichostlist.webp) | Host List created by Job | +| ![Static Host List icon](/img/product_docs/accessanalyzer/admin/hostmanagement/statichostlist.webp) | Default Host List or Custom Host List (Static or Dynamic) | +| ![Host Discovery Query List icon](/img/product_docs/accessanalyzer/admin/hostmanagement/discoveryquerylist.webp) | Host Discovery Query List | +| ![Dynamic Host List icon](/img/product_docs/accessanalyzer/admin/hostmanagement/dynamichostlist.webp) | Host List created by Job | You can view host inventory information at the Host Discovery node (the Host Master Table) or at -individual host list nodes. See the [Host Inventory Data Grid](datagrid.md) topic for information on +individual host list nodes. See the [Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md) topic for information on the data collected by host inventory. ## Dynamic Host Lists 
@@ -33,13 +33,13 @@ Dynamic host lists are lists of hosts that are grouped according to selected cri host inventory. Each time a host inventory record is refreshed, the hosts are automatically added to or removed from dynamic host lists in accordance with the criteria set for the list. They include both the default host lists and custom created dynamic host lists. See the -[Host Inventory](../settings/hostinventory.md) topic for a list of the default host lists and +[Host Inventory](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md) topic for a list of the default host lists and instructions on controlling which of these lists are visible under the Host Management node. Custom dynamic host lists are created by filtering the data grid and using the -[Save Current View](actions/saveview.md) option in the Activities pane or right-click menu. This can +[Save Current View](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/saveview.md) option in the Activities pane or right-click menu. This can be done at the Host Management node with the Host Master Table or at any host list node. See the -[Filter](../navigate/datagrid.md#filter) topic for additional information on filtering data grids. +[Filter](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md#filter) topic for additional information on filtering data grids. **_RECOMMENDED:_** Do not modify the criteria once a dynamic based list has been created. It is better to delete and recreate the list in order to modify a dynamic-based list. 
@@ -47,7 +47,7 @@ better to delete and recreate the list in order to modify a dynamic-based list. ## Static Host Lists Static host lists are created either through host discovery queries or manually entered within the -**Host Management** node. Lists created by [Host Discovery Node](../hostdiscovery/overview.md) +**Host Management** node. Lists created by [Host Discovery Node](/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md) queries are updated each time the query is run, manually or scheduled. Other static host lists can only be changed manually. Custom host lists are frequently created in order to scope a job to execute against a select set of hosts. @@ -58,11 +58,11 @@ for file shares. There are two common ways to create static host lists: -- Use the [Add Hosts](actions/add.md) option in the Activities pane or right-click menu to access +- Use the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) option in the Activities pane or right-click menu to access the Host List Wizard - Select multiple hosts from the data grid using the Windows Ctrl and left-click function. This can be done from the Host Mast Table or any host list under the Host Management node. Then use the - [Save Selected To List](actions/savetolist.md) option in the Activities pane or right-click menu + [Save Selected To List](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/savetolist.md) option in the Activities pane or right-click menu to open the Host List Wizard with a pre-filled in Manual Host Entry page. -See the [Add Hosts](actions/add.md) section for information using the Host List Wizard. +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) section for information using the Host List Wizard. diff --git a/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md b/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md index d573569b55..c80c6d84a7 100644 --- a/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md 
+++ b/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md 
@@ -4,30 +4,30 @@ The **Host Management** node is used to manage hosts in a targeted environment. under the **Host Management** node can be audited using other features in Access Analyzer. This node maintains information for audited computers. To view information on all computers in the environment, use the -[.Active Directory Inventory Solution](../../solutions/activedirectoryinventory/overview.md), +[.Active Directory Inventory Solution](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md), specifically the Active Directory Summary report. The Host Management node provides a master list of every host ever introduced to Access Analyzer. -Introduce hosts through [Host Discovery Node](../hostdiscovery/overview.md) queries or by entering +Introduce hosts through [Host Discovery Node](/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md) queries or by entering them manually. Hosts are removed from this list only by manually deleting them. This master listing of hosts, or the Host Master Table, is designed around unique host names, not necessarily unique hosts themselves. The data grid provides all host inventory information collected on the hosts. See -the [Host Inventory Data Grid](datagrid.md) topic for additional information. +the [Host Inventory Data Grid](/docs/accessanalyzer/12.0/admin/hostmanagement/datagrid.md) topic for additional information. The Host Management process consists of the following phases: - Host Discovery – The process of discovering hosts to audit through Host Discovery queries, which can be scoped to identify computers with commonalities. These queries are managed under the Host - Discovery node. See the [Host Discovery Node](../hostdiscovery/overview.md) topic for additional + Discovery node. See the [Host Discovery Node](/docs/accessanalyzer/12.0/admin/hostdiscovery/overview.md) topic for additional information. 
- Host Inventory – The process of collecting key pieces of information about each host to aid in segregating the hosts into logical sub-groupings for targeted auditing. Use either the Host Discovery or Host Management nodes. - Host List Creation – Access Analyzer creates Default host lists based on Host Inventory results. Create and manage Custom host lists under the Host Management node. See the - [Hosts Lists](lists.md) topic for additional information. + [Hosts Lists](/docs/accessanalyzer/12.0/admin/hostmanagement/lists.md) topic for additional information. -![Host Management Node in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Host Management Node in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The nodes under the Host Management node are: @@ -35,5 +35,5 @@ The nodes under the Host Management node are: - Host lists generated by Host Discovery queries - Custom host lists -See the [Host Inventory](../settings/hostinventory.md) topic for global settings that affect Host +See the [Host Inventory](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md) topic for global settings that affect Host Management. diff --git a/docs/accessanalyzer/12.0/admin/jobs/features.md b/docs/accessanalyzer/12.0/admin/jobs/features.md index aa60d8dc11..d04a654026 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/features.md +++ b/docs/accessanalyzer/12.0/admin/jobs/features.md @@ -22,7 +22,7 @@ the [Publish Reports Window](#publish-reports-window) topic for additional infor Job Configuration Change Tracking Jobs configuration changes can be tracked using the **Changes** option in the right-click menu from -the selected Jobs tree, job group, or job node. See the [Changes Window](./overview#changes-window) +the selected Jobs tree, job group, or job node. See the [Changes Window](/docs/accessanalyzer/12.0/admin/jobs/overview#changes-window) topic for additional information. Job Export 
@@ -32,7 +32,7 @@ selected job group or job node. See the [Export Job to Zip Archive Window](#export-job-to-zip-archive-window) topic for additional information. -See the [Jobs Tree Right-click Menus](../navigate/pane.md#jobs-tree-right-click-menus) section for +See the [Jobs Tree Right-click Menus](/docs/accessanalyzer/12.0/admin/navigate/pane.md#jobs-tree-right-click-menus) section for additional features. ## Export Job to Zip Archive Window @@ -40,11 +40,11 @@ additional features. The Export Job to Zip Archive window opens from the **Export** option in the right-click menu from the selected job group or job node. -![Export from Jobs Tree menu](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![Export from Jobs Tree menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) Select **Export** from the right-click menu to open the Export Group to Zip Archive window. -![Export Group to Zip Archive window](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/exportgrouptoziparchive.webp) +![Export Group to Zip Archive window](/img/product_docs/accessanalyzer/admin/jobs/exportgrouptoziparchive.webp) The **Include all job components** option will zip the job’s directory, the reports, the job log, and the SA_Debug log. The **Select specific components to export** option allows Access Analyzer @@ -59,7 +59,7 @@ There are two options for where to save the ZIP file: The **Email this archive**checkbox provides the opportunity to send an email notification with the attached ZIP file. -![Support Email window](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/supportemail.webp) +![Support Email window](/img/product_docs/accessanalyzer/admin/jobs/supportemail.webp) When the archive has been created, the Access Analyzer Support Email window opens. By default, the recipient is set to [Netwrix Support](https://www.netwrix.com/support.html) but it can be modified 
@@ -78,7 +78,7 @@ Follow the steps to publish the reports. **Step 1 –** Right-click on a job group or job and select **Publish** from the drop-down list. -![Publish Reports wizard Action Type page](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/publishreportsactiontype.webp) +![Publish Reports wizard Action Type page](/img/product_docs/accessanalyzer/admin/jobs/publishreportsactiontype.webp) **Step 2 –** On the Action Type page, select the type of action to be performed on the reports and click **Next**: @@ -86,7 +86,7 @@ click **Next**: - Publish Reports - Delete Reports -![Publish Reports wizard Report Tree page](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/publishreportsreporttree.webp) +![Publish Reports wizard Report Tree page](/img/product_docs/accessanalyzer/admin/jobs/publishreportsreporttree.webp) **Step 3 –** On the Report Tree page, select the reports to be published or removed (depending on the Action Type selected in the previous step). Click **Next** to proceed with the action. @@ -95,4 +95,4 @@ the Action Type selected in the previous step). Click **Next** to proceed with t **Finish** to exit the wizard. Published reports can be viewed under the **[Job]** > **Results** node or through the Web Console. -See the [Reporting](../report/overview.md) topic for additional information. +See the [Reporting](/docs/accessanalyzer/12.0/admin/report/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/connection.md b/docs/accessanalyzer/12.0/admin/jobs/group/connection.md index c4630424ad..423802e846 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/connection.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/connection.md 
@@ -3,10 +3,10 @@ At the job group level, the **Connection** node identifies the Connection Profile assigned for the job group. All Connection Profiles are created at the global level (**Settings** > **Connection**). -![Job Group Connection Settings](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) +![Job Group Connection Settings](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) By default, all job groups are set to inherit the **Use Default Profile** option from the global -level or a parent job group. See the [Connection](../../settings/connection/overview.md) topic for +level or a parent job group. See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. If the Default Setting is not preferred, select the custom type of connection settings desired diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/history.md b/docs/accessanalyzer/12.0/admin/jobs/group/history.md index d2e1045e34..b9efb19d07 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/history.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/history.md 
@@ -3,10 +3,10 @@ At the job group level, the History node identifies data retention and log retention periods assigned for the job group. -![Job Group History Settings](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) +![Job Group History Settings](/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) By default, all job groups are set to inherit **Use Default Setting** option from the global level -(**Settings** > **History**) or a parent job group. See the [History](../../settings/history.md) +(**Settings** > **History**) or a parent job group. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. **CAUTION:** It is important to understand that some pre-configured jobs require history retention diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md b/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md index 50a1430618..5f61fd004d 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md 
@@ -3,12 +3,12 @@ At the job group level, the Host Lists Assignment node identifies target host lists assigned for the job group. -![Job Group Host Lists Assignment](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/hostlistassignment.webp) +![Job Group Host Lists Assignment](/img/product_docs/accessanalyzer/admin/jobs/group/hostlistassignment.webp) At a top-level job group, there is no host list to be inherited. The **Use Default Settings** option is grayed-out. However, a sub-job group can inherit host lists from a parent job group. Host lists are configured through the **Host Management** node. See the -[Host Management](../../hostmanagement/overview.md) topic for additional information. +[Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. Several pre-defined solutions have default host lists already assigned to the solution, for example the .Active Directory Inventory Job Group has the Default domain controller assigned at the job diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/overview.md b/docs/accessanalyzer/12.0/admin/jobs/group/overview.md index 813fb5a93c..81af90df86 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/overview.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/overview.md 
@@ -5,7 +5,7 @@ jobs are executed in the correct order. To create a new job group, right-click o location (Jobs tree or another job group) and select **Create Group**. Then provide a unique, descriptive name taking into consideration the alphanumeric ordering of the Jobs tree. -![Example of Job Group Structure](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/jobgroupstructure.webp) +![Example of Job Group Structure](/img/product_docs/accessanalyzer/admin/jobs/group/jobgroupstructure.webp) Job groups are organized similar to the Jobs tree, with the Settings node at the top, followed by sub-job groups (job group for collection first, if applicable), then followed by analysis and @@ -19,7 +19,7 @@ The Job Group Description page displays shortcuts, links, and important informat and the jobs contained within the Job Group. Depending on the type of job group, the description page will appear different and display information specific to the job group selected. -| ![Job Group Description page for a pre-configured job group](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpagenewgroup.webp) | +| ![Job Group Description page for a pre-configured job group](/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpagenewgroup.webp) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Pre-Configured Job Group | User-Created Job Group | 
@@ -36,12 +36,12 @@ Job Library, and creating a job. Pre-configured job group description pages provide users with shortcuts and links to many of the functions that can be accessed in the Jobs Tree in the Navigation Pane. -![Job Group Description page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpage.webp) +![Job Group Description page](/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpage.webp) The sections of the job group description page are: - Job Group Settings Shortcuts – These pages can also be accessed through the job group Settings - Nodes in the Navigation Pane. See the [Job Groups Settings Node](settings.md) topic for additional + Nodes in the Navigation Pane. See the [Job Groups Settings Node](/docs/accessanalyzer/12.0/admin/jobs/group/settings.md) topic for additional information. - Storage – Configure the job group’s Storage options @@ -58,9 +58,9 @@ The sections of the job group description page are: - Create Group – Creates a job group within the currently selected job group - Create Job – Creates a job within the currently selected Job - Add Instant Job – Add an Instant Job using the Instant Job Wizard. See the - [Instant Job Wizard](../instantjobs/overview.md) topic for additional information. + [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. -![Overview section of Job Group description page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpageoverview.webp) +![Overview section of Job Group description page](/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpageoverview.webp) The Overview section provides summary information about the job group. This section includes the following information: 
@@ -69,7 +69,7 @@ following information: information on the hosts lists are assigned to the job group - Click on the **Assigned Host List** button to go to the Job Group's Host List Assignment node. - See the [Host Lists Assignment](hostlistsassignment.md) topic for additional information. + See the [Host Lists Assignment](/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md) topic for additional information. - Show Inherited Settings – Click on the **Show Inherited Settings** button to view information on the following: @@ -90,7 +90,7 @@ proper job group execution. Job group settings can be applied directly or inherited. On the job group level, it is considered that all settings are applied directly. -![Show Inherited Settings on Job Overview page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/showinheritedsettings.webp) +![Show Inherited Settings on Job Overview page](/img/product_docs/accessanalyzer/admin/jobs/group/showinheritedsettings.webp) If not, click the **Show inherited settings** button to expand the inherited settings list (they are highlighted in blue). 
@@ -99,9 +99,9 @@ The following inherited settings are available: | Setting | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Connection profile | The tooltip shows the account name used in the connection profile. Clicking the button opens the parent Connection settings for the selected job group. See [Connection Node](connection.md) for more information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit the Profile – Clicking the link opens the Connection settings for the current profile - Use Default Profile – Clicking the link applies the connection profile set as default on a global level to a job. In this case, this setting is hidden under the **Show Inherited Settings** button. - List of profiles – Allows switching between existing connection profiles and apply a desired one to a job | -| Data Retention Period | The tooltip shows the current value for the data retention period (by default, **Never retain previous job data**). Clicking the button opens the parent History settings for the selected job group. See the [History Node](history.md) topic for additional information. 
| -| Log Retention Period | The tooltip shows the current value for log retention period (by default, **Retain previous job log for 7 times**). Clicking the button opens the parent History settings for the selected job group. See the [History Node](history.md) topic for additional information. | -| Hosts Lists | The tooltip shows the names of the host lists assigned to this job group. If you have more than three host lists assigned to a job group, the tooltip shows 3 hosts name and the number of other hosts lists assigned (for example, if 5 hosts are assigned it shows `Host1, Host2, Host3 + 2 more`). Clicking the button opens the parent Host Lists setting for the selected job group. See the [Host Lists Assignment](hostlistsassignment.md) topic for additional information. | -| Reporting Settings | Clicking the Reporting Settings button opens the parent Reporting settings for the selected job group including publishing options, email settings, and roles. See the [Reporting Node](reporting.md) topic for additional information. | -| Storage Profile | The tooltip shows the current SQL Server instance, database name, user account, and authentication type used for the selected job group. See the [Storage Node](storage.md)s topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit This Profile – Clicking the link opens the Storage settings for the current profile - Use Default Profile – Clicking the link applies the storage profile set as default on a global level to a job. In this case, this setting is hidden under the **Show Inherited Settings** button - List of existing profiles – Allows switching between existing storage profiles and apply a desired one to a job | +| Connection profile | The tooltip shows the account name used in the connection profile. Clicking the button opens the parent Connection settings for the selected job group. 
See [Connection Node](/docs/accessanalyzer/12.0/admin/jobs/group/connection.md) for more information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit the Profile – Clicking the link opens the Connection settings for the current profile - Use Default Profile – Clicking the link applies the connection profile set as default on a global level to a job. In this case, this setting is hidden under the **Show Inherited Settings** button. - List of profiles – Allows switching between existing connection profiles and apply a desired one to a job | +| Data Retention Period | The tooltip shows the current value for the data retention period (by default, **Never retain previous job data**). Clicking the button opens the parent History settings for the selected job group. See the [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) topic for additional information. | +| Log Retention Period | The tooltip shows the current value for log retention period (by default, **Retain previous job log for 7 times**). Clicking the button opens the parent History settings for the selected job group. See the [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) topic for additional information. | +| Hosts Lists | The tooltip shows the names of the host lists assigned to this job group. If you have more than three host lists assigned to a job group, the tooltip shows 3 hosts name and the number of other hosts lists assigned (for example, if 5 hosts are assigned it shows `Host1, Host2, Host3 + 2 more`). Clicking the button opens the parent Host Lists setting for the selected job group. See the [Host Lists Assignment](/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md) topic for additional information. 
| +| Reporting Settings | Clicking the Reporting Settings button opens the parent Reporting settings for the selected job group including publishing options, email settings, and roles. See the [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md) topic for additional information. | +| Storage Profile | The tooltip shows the current SQL Server instance, database name, user account, and authentication type used for the selected job group. See the [Storage Node](/docs/accessanalyzer/12.0/admin/jobs/group/storage.md)s topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit This Profile – Clicking the link opens the Storage settings for the current profile - Use Default Profile – Clicking the link applies the storage profile set as default on a global level to a job. In this case, this setting is hidden under the **Show Inherited Settings** button - List of existing profiles – Allows switching between existing storage profiles and apply a desired one to a job | diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md b/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md index f1e8c0c248..bf5912a0aa 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md 
@@ -3,14 +3,14 @@ At the job group level, the **Reporting** node identifies the report publishing and email configurations assigned for the job group. By default, all job groups are set to inherit the reporting settings, the **Use default setting** option, from the global level (**Settings** > -**Reporting**), or a parent job group. See the [Reporting](../../settings/reporting.md) topic for +**Reporting**), or a parent job group. See the [Reporting](/docs/accessanalyzer/12.0/admin/settings/reporting.md) topic for additional information. **NOTE:** If the Role Based Access feature is enabled, it also displays a list of all accounts granted access to the published reports via the Web Console that are generated by any jobs within the job group. -![Job Group Reporting Settings page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/reporting.webp) +![Job Group Reporting Settings page](/img/product_docs/accessanalyzer/admin/settings/reporting.webp) Checking the **Set all the child objects to inherit these settings** option at the bottom of the page forces inheritance of these settings to all sub-groups and jobs within the job group. When diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/settings.md b/docs/accessanalyzer/12.0/admin/jobs/group/settings.md index e562f39664..6596a51366 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/settings.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/settings.md 
@@ -3,27 +3,27 @@ A job group’s Settings node is where custom configurations can be set and where the host lists are assigned to a job group. -![Job group settings in the Jobs Tree](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![Job group settings in the Jobs Tree](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) These settings inherit the global settings down by default unless inheritance is broken at a job group or a job level. -- [Connection Node](connection.md) – Use the default Connection Profile or break inheritance to +- [Connection Node](/docs/accessanalyzer/12.0/admin/jobs/group/connection.md) – Use the default Connection Profile or break inheritance to select the Connection Profile needed for the assigned host lists for this job group -- [History Node](history.md) – Use the default history settings or break inheritance on data +- [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) – Use the default history settings or break inheritance on data retention and log retention settings for this job group -- [Host Lists Assignment](hostlistsassignment.md) – Use the default host list configured on a parent +- [Host Lists Assignment](/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md) – Use the default host list configured on a parent job group or break inheritance on assigned host lists for this job group **NOTE:** Host List Assignments is not a global setting. The pre-configured solutions may contain Host List Assignments configured to use Global Default Host Lists, for example All Domain Controllers. See the - [Default Host Lists](../../settings/hostinventory.md#default-host-lists) topic for additional + [Default Host Lists](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md#default-host-lists) topic for additional information. 
-- [Reporting Node](reporting.md) – Use the default report settings or break inheritance on Published +- [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md) – Use the default report settings or break inheritance on Published Report settings, Email settings, and Report role assignment for this job group -- [Storage Node](storage.md) – Use the default storage profile or break inheritance on where this +- [Storage Node](/docs/accessanalyzer/12.0/admin/jobs/group/storage.md) – Use the default storage profile or break inheritance on where this job group's data is stored If changes are made, click **Save** to implement the changes. Changes are not implemented unless @@ -34,5 +34,5 @@ before executing a job group or job when data collection is included. The assign contains the hosts that are targeted by the job’s data collection queries. The assigned Connection Profile must have the appropriate level of permissions in order for the data collection to be successful. See the -[Permissions by Data Collector (Matrix)](../../datacollector/permissionmatrix.md) topic for +[Permissions by Data Collector (Matrix)](/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md) topic for information on the recommended permissions needed on the targeted hosts in order to collect data. diff --git a/docs/accessanalyzer/12.0/admin/jobs/group/storage.md b/docs/accessanalyzer/12.0/admin/jobs/group/storage.md index 93d2e14527..41eea1a3e3 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/group/storage.md +++ b/docs/accessanalyzer/12.0/admin/jobs/group/storage.md 
@@ -2,9 +2,9 @@ At the job group level, the Storage node identifies the Storage Profile assigned for the job group. All Storage Profiles are created at the global level (**Settings** > **Storage**). See the -[Storage](../../settings/storage/overview.md) topic for additional information. +[Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) topic for additional information. -![Job Group Storage Settings](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) +![Job Group Storage Settings](/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) By default, all job groups are set to inherit the **Use Default Profile** option from the global level or a parent job group. If it is necessary for a job group to send data to a different diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantiate.md b/docs/accessanalyzer/12.0/admin/jobs/instantiate.md index 5073a0f407..841a38c8a4 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantiate.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantiate.md @@ -6,12 +6,12 @@ Jobs directory. The default location is: …\STEALTHbits\StealthAUDIT\Jobs -![Explore Folder option from Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/explorefolder.webp) +![Explore Folder option from Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/explorefolder.webp) The folder is opened from within the Access Analyzer Console by right-clicking on the desired **Jobs** node and selecting **Explore Folder**. -![Jobs folder in File Explorer](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/explorefolderfileexplorer.webp) +![Jobs folder in File Explorer](/img/product_docs/accessanalyzer/admin/jobs/explorefolderfileexplorer.webp) The naming convention of the folders controls what is visible in the Jobs tree. `GROUP_` is the prefix for all job groups. `JOB_` is the prefix for all jobs. Changing the prefix removes the object 
@@ -39,7 +39,7 @@ colleague, or other entity, it is most likely in one of two formats: **Step 3 –** Place the job or job group into the Jobs directory. -![Extract zip file contents to the Jobs folder](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantiateextract.webp) +![Extract zip file contents to the Jobs folder](/img/product_docs/accessanalyzer/admin/jobs/instantiateextract.webp) - If in archive format, extract the desired content to the Jobs directory @@ -48,16 +48,16 @@ colleague, or other entity, it is most likely in one of two formats: - If in a folder format, copy and paste the job or job group folder into the Jobs directory -![New job added in the Jobs folder ](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantiatefileexplorer.webp) +![New job added in the Jobs folder ](/img/product_docs/accessanalyzer/admin/jobs/instantiatefileexplorer.webp) The new job or job group should be visible in the Jobs directory, and the naming convention should match that of the jobs or job groups that are already there. -![Refresh Tree](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/refreshtree.webp) +![Refresh Tree](/img/product_docs/accessanalyzer/admin/jobs/refreshtree.webp) **Step 4 –** In the Access Analyzer Console, right-click on the **Jobs** node and select **Refresh Tree**. -![Job displayed in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantiatejobstree.webp) +![Job displayed in the Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/instantiatejobstree.webp) The new job or job group now displays in the **Jobs** tree in alphanumeric order. diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ad_passwordexpirationnotification.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ad_passwordexpirationnotification.md index d165f9603a..a36d807695 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ad_passwordexpirationnotification.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ad_passwordexpirationnotification.md @@ -3,11 +3,11 @@ The AD_PasswordExpirationNotification Job determines when Active Directory user passwords are about to expire and can be configured to send notifications to users prior to password expiration. It is available through the Instant Job Library under the Active Directory library. See the -[Instant Job Wizard](overview.md) section for instructions to add this instant job into the Jobs +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) section for instructions to add this instant job into the Jobs tree. Since this job does not require a host to target, select Local host on the Hosts page of the Instant Job Wizard. -![AD_PasswordExpirationNotification job in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![AD_PasswordExpirationNotification job in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Runtime Details: @@ -29,7 +29,7 @@ action task). Navigate to the **Jobs** > **AD_PasswordExpirationNotification** > **Configure** node and select **Analysis** to view the analysis tasks. -![Default Analysis Tasks for the Job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Default Analysis Tasks for the Job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: @@ -60,7 +60,7 @@ Navigate to the **Jobs** > **AD_PasswordExpirationNotification** > **Configure** **CAUTION:** This action is enabled by default. -![Default Action Tasks for the Job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actiontasks.webp) +![Default Action Tasks for the Job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actiontasks.webp) The default actions are: 
@@ -102,7 +102,7 @@ Editor. Follow the steps to customize an analysis task’s parameters. **Step 2 –** In the Analysis Selection view, select the **1. User Password Information** Analysis Task and click on **Analysis Configuration**. The SQL Script Editor opens. -![1. User Password Information Analysis Task in SQL Script Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/customizeanalysistask.webp) +![1. User Password Information Analysis Task in SQL Script Editor](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/customizeanalysistask.webp) **Step 3 –** In the parameters section at the bottom of the editor, find the Value column. Double-click on the current value and change as desired. 
@@ -146,13 +146,13 @@ organization’s name. Follow the steps to configure the 5. Help Desk Notificati **Step 2 –** In the Analysis Selection view, select the **5. Help Desk Notification Analysis Task** and click on **Analysis Configuration**. The Notification Data Analysis Module opens. -![SMTP properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtpproperties.webp) +![SMTP properties page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtpproperties.webp) **Step 3 –** Use the **Next** button to navigate to the SMTP properties page. Do not make changes to the preceding pages. The email configuration takes place on the SMTP page. Provide the recipients’ email addresses, Message Subject, and add the notification email content. -![SMTP properties add email recipients](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtppropertiesrecipients.webp) +![SMTP properties add email recipients](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtppropertiesrecipients.webp) In the Recipients section, provide the email addresses in the text box or distribution lists in the E-mail field (fully qualified address) for those who are to receive this notification, for example @@ -164,7 +164,7 @@ Recipients list. There is an option to **Combine multiple messages into single m checked by default so that it sends one email for all users in the record set instead of one email per user. -![Message section of SMTP properties page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtppropertiesmessage.webp) +![Message section of SMTP properties page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/smtppropertiesmessage.webp) In the Message section, the **Subject** should be configured. Then set the email content in the text box as desired. 
@@ -173,7 +173,7 @@ box as desired. page. Do not make changes to any other pages. Click **Finish**. The Notification Data Analysis Module window closes. -![Analyis Tasks view](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistaskshelpdesknotification.webp) +![Analyis Tasks view](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistaskshelpdesknotification.webp) **Step 5 –** This notification analysis task is now configured to send emails. In the Analysis Selection view, ensure the 5. Help Desk Notification Analysis Task is checked so that notifications @@ -226,7 +226,7 @@ on **Action Properties** to view the actions. the associated table are displayed. Click **Configure Action**. The Send Mail Action Module Wizard opens. -![Send Mail Action Module Wizard Message page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actionwizardmessage.webp) +![Send Mail Action Module Wizard Message page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actionwizardmessage.webp) **Step 4 –** Click **Next** to navigate to the Message page. Modify the message **Subject** and email content as desired. diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ex_registerazureappauth.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ex_registerazureappauth.md index e7890cb4fb..09d698e6d5 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ex_registerazureappauth.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ex_registerazureappauth.md 
@@ -49,7 +49,7 @@ to place the EX_RegistureAzureApp job into). **Step 3 –** Install the EX_RegisterAzureAppAuth Job from the Instant Job Library under the Exchange General library. After installation, the job tree automatically refreshes with the new job available -within the selected Job Group. See the [Instant Job Wizard](overview.md) topic for additional +within the selected Job Group. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. **Step 4 –** On the job description page, in the Configuration section, select the edit button for @@ -86,5 +86,5 @@ Online scans. There will be a new Connection Profile for this Application. Resta Analyzer Console and enter a password to use this Connection Profile. _Remember,_ the required rights and roles for Exchange Online still need to be configured. See the -[Target Exchange Online Requirements, Permissions, and Ports](../../../requirements/target/exchangeonline.md) +[Target Exchange Online Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_defend_sdd.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_defend_sdd.md index 9b720dc043..1735cece15 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_defend_sdd.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_defend_sdd.md 
@@ -2,13 +2,13 @@ The FS_DEFEND_SDD Job exports sensitive data matches collected by the File System Solution Sensitive Data Discovery Auditing jobs to Threat Manager. It is available through the Instant Job Library -under the File System library. See the [Instant Job Wizard](overview.md) topic for instructions to +under the File System library. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for instructions to add this instant job into the Jobs tree. For installing the job, select **Local host** on the Hosts page of the Instant Job Wizard. Then set the host list according to the following information. -![FS_DEFEND_SDD job in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![FS_DEFEND_SDD job in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Runtime Details: @@ -34,7 +34,7 @@ Runtime Details: - Threat Manager target host is the Threat Manager host name with port, [HOST]:8080 - Format – [HOST]:8080 - Assign host list at the **FS_DEFEND_SDD** > **Configure** > **Hosts** (see the - [Hosts Node](../job/configure/hosts.md) topic for additional information) + [Hosts Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md) topic for additional information) - Scheduling – This job should be scheduled to run as desired - History Retention – Not supported and should be turned off - Multi-console Support – Not supported @@ -48,7 +48,7 @@ Request Action Module to send the data to Threat Manager. Navigate to the **Jobs** > **FS_DEFEND_SDD** > **Configure** node and select **Analysis** to view the analysis tasks. -![Default Analysis tasks for the job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Default Analysis tasks for the job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: 
@@ -62,7 +62,7 @@ actions. **CAUTION:** This action is enabled by default. -![Default Action Tasks for the Job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actiontasks.webp) +![Default Action Tasks for the Job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/actiontasks.webp) The default action is: @@ -83,4 +83,4 @@ Create a Connection Profile and set the following information on the User Creden selected at the **Settings** > **Application** node - Access Token – Copy and paste the Threat Manager App Token -See the [Application](../../settings/application/overview.md) topic for additional information. +See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema.md index 326be592e4..5a022af553 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_migrateschema.md @@ -2,12 +2,12 @@ The FS_Migrate_Schema Job migrates the schema in order to support the use of 64-bit ResourceID's without affecting data. It is available through the Instant Job Library under the File System -library. See the [Instant Job Wizard](overview.md) topic for instructions to add this instant job +library. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for instructions to add this instant job into the Jobs tree. For installing the job, select **Local host** on the Hosts page of the Instant Job Wizard. -![FS_MigrateSchema job in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![FS_MigrateSchema job in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Runtime Details: 
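Review bot: in the fs_migrateschema.md hunk the rewritten image line keeps the alt text "FS_MigrateSchema job in the Jobs tree" while the paragraph above it names the job "FS_Migrate_Schema"; since the line is being touched anyway, make the two agree. The target is also the shared `admin/hostmanagement/jobstree.webp`, the same file this patch uses for the AD_PasswordExpirationNotification and FS_DEFEND_SDD "in the Jobs tree" images, so one screenshot is standing in for several different jobs. That was already true of the old relative paths, but it is worth a follow-up to restore per-job screenshots or make the alt text generic.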
@@ -29,7 +29,7 @@ the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Default Analysis tasks for the job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Default Analysis tasks for the job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md index 698694500e..864d2c5597 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md 
@@ -4,30 +4,30 @@ The Access Analyzer Instant Job Wizard provides access to a library of instant s jobs, which are pre-configured for Access Analyzer. Instant solutions contain groups of jobs to help solve a wide range of problems within each category. Instant jobs help solve specific problems. The instant solutions available align to an organization’s license key. See -the[Solutions](../../../solutions/overview.md) topic for additional information. +the[Solutions](/docs/accessanalyzer/12.0/solutions/overview.md) topic for additional information. Follow the steps to install an instant solution or an instant job with the Instant Job Wizard. -![Add Instant Job from context menu](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/addinstantjob.webp) +![Add Instant Job from context menu](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/addinstantjob.webp) **Step 1 –** Select the Jobs tree (for an instant solution) or the desired job group (for an instant job), right-click on the node, and select **Add Instant Job**. -![Instant Job Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Instant Job Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Next**. -![Instant Job page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/instantjob.webp) +![Instant Job page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/instantjob.webp) **Step 3 –** On the Instant Job page, use the filter menu to only view instant jobs in a particular category, or click the plus icon (+) to expand a category group. 
-![Selected Instant Job](../../../../../../static/img/product_docs/accessanalyzer/admin/navigate/selectinstantjob.webp) +![Selected Instant Job](/img/product_docs/accessanalyzer/admin/navigate/selectinstantjob.webp) **Step 4 –** Select the desired instant solution or job. To select multiple instant solutions or jobs, press the Windows **Ctrl** key and select the items to install. Click **Next**. -![Host Assignment page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/hostassignment.webp) +![Host Assignment page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/hostassignment.webp) **Step 5 –** Some of the Library selections add a Host Assignment page. If this page does not appear, skip to Step 7. If the page does appear, select either the **Use default settings (Inherit @@ -35,7 +35,7 @@ from the parent group, if any)** or **Specify individual hosts or hosts lists** option is selected, skip to Step 7. If the second option is selected, click **Next** to go to the Host Lists and Individual Hosts wizard pages. -| ![Host Lists page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/individualhosts.webp) | +| ![Host Lists page](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/individualhosts.webp) | | ------------------------------------------------------------------------------------------------------------------------------------ | --- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | Host Lists page | | Individual Hosts page | 
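Review bot: the table row changed in the `@@ -35,7 +35,7 @@` hunk of instantjobs/overview.md still has a single cell, `| ![Host Lists page](/img/.../individualhosts.webp) |`, while the separator row under it has three columns and the caption row names both "Host Lists page" and "Individual Hosts page". The alt text says Host Lists but the file is `individualhosts.webp`, so a second image appears to be missing; please restore it or reduce the table to one column, and shorten the separator row that was padded to the old path length. Two things carried over in the preceding hunk of the same file should be fixed in this pass as well: `the[Solutions](...)` has no space before the link, and the Instant Job Wizard Welcome page image points at `/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp`, which is another product's install screenshot path.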
@@ -43,13 +43,13 @@ Host Lists and Individual Hosts wizard pages. pages do not appear with the selection, skip to Step 7. If the pages do appear, check the host list to be assigned to the job group or job. Alternatively enter hosts manually. Then click **Next**. -![Summary page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 7 –** On the Summary page, click **Save & Exit**. -![Instant Solutions installation dialog](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/installationcomplete.webp) +![Instant Solutions installation dialog](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/installationcomplete.webp) **Step 8 –** For Instant Solutions, when the installation is complete, click **Finish**. The Instant Job Wizard closes, and the Jobs tree refreshes automatically. See the individual -sections in the [Solutions](../../../solutions/overview.md) topic for additional information. +sections in the [Solutions](/docs/accessanalyzer/12.0/solutions/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sas_executionstatistics.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sas_executionstatistics.md index e296637469..959c3ed4f9 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sas_executionstatistics.md +++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sas_executionstatistics.md 
@@ -3,15 +3,15 @@ The SAS_ExecutionStatistics Job tracks historical performance of Access Analyzer job and analysis functions and highlights when a particular task takes an abnormal length of time to execute. It is available through the Instant Job Library under the Access Analyzer Utilities library. See the -[Instant Job Wizard](overview.md) section for instructions to add this instant job into the Jobs +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) section for instructions to add this instant job into the Jobs tree. Since this job does not require a host to target, select Local host on the Hosts page of the Instant Job Wizard. The job is dependent upon the Job Statistics Retention configuration in the **Settings** > -**Application** node. See the [Application](../../settings/application/overview.md) topic for +**Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. -![SAS_ExecutionStatistics job in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![SAS_ExecutionStatistics job in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Runtime Details: @@ -35,7 +35,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Default Analysis tasks for the job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Default Analysis tasks for the job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_removehost.md b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_removehost.md index 2b547f18a5..80c9c47934 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_removehost.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_removehost.md @@ -2,9 +2,9 @@ The SP_RemoveHost Job removes desired SharePoint hosts from the Access Analyzer database. It is available through the Instant Job Library under the SharePoint library. See the -[Instant Job Wizard](overview.md) topic for instructions to add this instant job into the Jobs tree. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for instructions to add this instant job into the Jobs tree. -![SP_RemoveHost job in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![SP_RemoveHost job in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Runtime Details: @@ -26,7 +26,7 @@ the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Default Analysis tasks for the job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Default Analysis tasks for the job](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md index 6ad4edb1b5..f6c700ed8f 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md 
@@ -6,7 +6,7 @@ listing of locked-out accounts, an action can be executed to unlock those accoun **NOTE:** Action modules are available with a special Access Analyzer license. -![Action Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/actionselection.webp) +![Action Selection page](/img/product_docs/accessanalyzer/admin/action/actionselection.webp) The Action Selection view lists all action tasks for the selected job. The listed information includes: @@ -16,7 +16,7 @@ includes: - Module – Name of the Access Analyzer action module - Table – Name of the source table for the action -![Options at the top of the Action Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionselectionoptions.webp) +![Options at the top of the Action Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionselectionoptions.webp) The Actions section at the top has five options: @@ -28,9 +28,9 @@ The Actions section at the top has five options: - Action Properties – Opens the Action Properties window for the selected action task - - See the [Action Properties Page](../../../action/overview.md#action-properties-page) topic for + - See the [Action Properties Page](/docs/accessanalyzer/12.0/admin/action/overview.md#action-properties-page) topic for additional information - - See the [Action Modules](../../../action/overview.md) topic for additional information + - See the [Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md) topic for additional information **NOTE:** The AutoAction task appears in the Analysis Selection view, not in the Action Selection view. 
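Review bot: the two rewritten bullets in the `@@ -28,9 +28,9 @@` hunk of actions.md now run far past the width the neighbouring lines are wrapped to; the link was substituted in place and the continuation "additional information" was left on its own line. Re-wrap these lines (or move the link onto its own line) so the file stays consistently wrapped, and if the repository applies a Markdown formatter, run it in this commit rather than leaving the re-wrap for a later one.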
@@ -39,7 +39,7 @@ The Actions section at the top has five options: - Does not require an action task to be checked, only selected -![Buttons at the bottom of Action Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionselectiontablebuttons.webp) +![Buttons at the bottom of Action Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionselectiontablebuttons.webp) At the bottom of the Action Selection view, there are action buttons that apply to the table: @@ -52,7 +52,7 @@ At the bottom of the Action Selection view, there are action buttons that apply The Action Selection view also has its own right-click menu for taking action on the action task or the job. -![Actions Right-Click Menu](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionsrightclickmenu.webp) +![Actions Right-Click Menu](/img/product_docs/accessanalyzer/admin/jobs/job/configure/actionsrightclickmenu.webp) The options for the Actions node right-click menu are: @@ -63,5 +63,5 @@ The options for the Actions node right-click menu are: - Properties – Opens the Action Properties window - Execute Action – Opens the Action execution window and runs an action - Run Job – Starts job execution for the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../../instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job (Ctrl + Alt + A) – Creates a new job at the same location as the selected job diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md index a963f9d864..4ebab8c3d7 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md 
@@ -8,7 +8,7 @@ The Notification analysis module allows for the ability to send an email notice met, for example an email can be sent to an administrator to notify that disk space has reached a particular point (the trigger) and needs to be addressed before space runs out. -![Analysis Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisselection.webp) +![Analysis Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisselection.webp) The Analysis Selection view lists all analysis tasks for the selected job. The listed information includes: @@ -20,7 +20,7 @@ includes: applies to analysis modules that use host list filters, for example **Business Rules** analysis module -![Option at the top of the Analysis Section](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisbuttonstop.webp) +![Option at the top of the Analysis Section](/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisbuttonstop.webp) The Analysis section at the top has four options: 
@@ -28,13 +28,13 @@ The Analysis section at the top has four options: - Delete Analysis – Deletes the selected analysis task from the list - This action does require confirmation - Analysis Properties – Opens the Analysis Properties window for the selected analysis task - - See the [Analysis Properties Page](../../../analysis/overview.md#analysis-properties-page) + - See the [Analysis Properties Page](/docs/accessanalyzer/12.0/admin/analysis/overview.md#analysis-properties-page) topic for additional information. - See the individual analysis module sections in the - [Analysis Modules](../../../analysis/overview.md) topic for additional information. + [Analysis Modules](/docs/accessanalyzer/12.0/admin/analysis/overview.md) topic for additional information. - Analysis Configuration – Opens the selected analysis task’s configuration window -![Buttons at the bottom of the Analysis Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisbuttonsbottom.webp) +![Buttons at the bottom of the Analysis Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisbuttonsbottom.webp) At the bottom of the Analysis Selection view, there are action buttons that apply to the table: @@ -52,7 +52,7 @@ At the bottom of the Analysis Selection view, there are action buttons that appl The Analysis Selection view also has its own right-click menu for taking action on the analysis task or the job. -![Analysis Selection page right-click menu](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisrightclickmenu.webp) +![Analysis Selection page right-click menu](/img/product_docs/accessanalyzer/admin/jobs/job/configure/analysisrightclickmenu.webp) The options for the Analysis node right-click menu are: 
@@ -67,5 +67,5 @@ The options for the Analysis node right-click menu are: used - Execute Analyses – Executes or runs the checked (enabled) analysis tasks - Run Job – Starts job execution for the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../../instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job (Ctrl + Alt + A) – Creates a new job at the same location as the selected job diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md index 73d09b493c..87de05c692 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md @@ -13,7 +13,7 @@ Configuration**. The SQL Script Editor opens. **NOTE:** The image shown is a generic example. Table names and customizable parameters will change based on the Job. -![SQL Script Editor](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/customizableparameters.webp) +![SQL Script Editor](/img/product_docs/accessanalyzer/admin/jobs/job/configure/customizableparameters.webp) **Step 4 –** In the parameters section at the bottom of the editor, find the Value column. @@ -25,5 +25,5 @@ based on the Job. Repeat the steps as needed to customize analysis parameters. -See the [SQLscripting Analysis Module](../../../analysis/sqlscripting.md) topic for additional +See the [SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md index e26d572a13..b5fcc8d258 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md @@ -3,7 +3,7 @@ The Hosts node provides the option to assign a preconfigured host list at the job level. It also provides a way to manually assign hosts to be targeted by the job using Host Selection pane. -![Host Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostselection.webp) +![Host Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostselection.webp) Use the default settings by selecting the **Use Default Setting** checkbox and inherit the job group’s assigned host lists. To break inheritance and assign host lists at the job level select from @@ -23,11 +23,11 @@ Hosts can be added manually at the job level even when inheritance (Use Default host list assignment. The job targets the hosts in any assigned host lists as well as any manually added at the job level. Follow these directions to manually add a host to a job. -![Job's Configure > Hosts node](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostsnode.webp) +![Job's Configure > Hosts node](/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostsnode.webp) **Step 1 –** Navigate to the job’s **Configure** > **Hosts** node. -![Individual hosts section of the Host Selection view](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostselectionindividualhosts.webp) +![Individual hosts section of the Host Selection view](/img/product_docs/accessanalyzer/admin/jobs/job/configure/hostselectionindividualhosts.webp) **Step 2 –** In the Individual hosts section of the Host Selection view, enter the Host name in the textbox and click **Add**. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md index 901aeab5dd..a6cda685ab 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md 
@@ -6,27 +6,27 @@ job’s Description page. | | | | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![Configure Node](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/configurelinkjobpage.webp) | +| ![Configure Node](/img/product_docs/accessanalyzer/admin/jobs/job/configure/configurelinkjobpage.webp) | | Configure Node | Configure link on job description page | The sub-nodes under the **[Job]** > **Configure** node are: -- [Hosts Node](hosts.md) – Assign a host list at the job level or manually add hosts to be targeted +- [Hosts Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md) – Assign a host list at the job level or manually add hosts to be targeted by the job -- [Queries Node](queries.md) – Select and configure a Access Analyzer data collector to scan +- [Queries Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md) – Select and configure a Access Analyzer data collector to scan targeted hosts -- [Analysis Node](analysis.md) – Create and configure Analysis and Notification tasks for collected +- [Analysis Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md) – Create and configure Analysis and Notification tasks for collected data -- [Actions Node](actions.md) – Create and configure Action tasks for taking action on collected and +- [Actions Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/actions.md) – Create and configure Action tasks for taking action on collected and analyzed data -- [Reports Node](reports.md) – Create and configure Reports to be generated during job execution +- [Reports Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/reports.md) – Create and configure Reports to be generated 
during job execution ## Configure Page The job's Configure Page provides an overview with shortcuts for options that are configured in the job's Configure Node. -![Configure page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/configurepage.webp) +![Configure page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/configurepage.webp) The options on the Configure Page are: @@ -45,11 +45,11 @@ The options in the Configure section are: - Click **Properties** to view the task's properties - Click **Output Table** to view the Results for the task under the - [Results Node](../results.md) + [Results Node](/docs/accessanalyzer/12.0/admin/jobs/job/results.md) - Hosts - Lists the assigned hosts for the job - Reports - If applicable, displays a list of the job's Reports - - Click the reports name to access a report under the job's [Results Node](../results.md) + - Click the reports name to access a report under the job's [Results Node](/docs/accessanalyzer/12.0/admin/jobs/job/results.md) - Click **Configure** to edit the report parameters in the - [Report Configuration Wizard](../../../report/wizard/overview.md) + [Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md) diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md index a4e2ae2cce..1f78db2117 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/queries.md 
@@ -4,10 +4,10 @@ The Queries node uses a Access Analyzer data collector to run scans against the Different data collectors are designed for different types of collection. It is necessary for the Connection Profile associated with the target hosts to have a sufficient level of rights for the selected data collector. See the -[Permissions by Data Collector (Matrix)](../../../datacollector/permissionmatrix.md) topic for a +[Permissions by Data Collector (Matrix)](/docs/accessanalyzer/12.0/admin/datacollector/permissionmatrix.md) topic for a chart with recommended permissions per data collector. -![Query Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) +![Query Selection page](/img/product_docs/accessanalyzer/admin/datacollector/queryselection.webp) The Query Selection view lists all queries for the selected job. Though it is possible to have multiple queries in a single job, it is not usually recommended. The listed information includes: @@ -30,7 +30,7 @@ multiple queries in a single job, it is not usually recommended. The listed info Add and configure native data tables through the Tables section in the Query Selection view. -![Tables section of Query Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryselectiontables.webp) +![Tables section of Query Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryselectiontables.webp) The Tables section at the top has three options: 
@@ -47,21 +47,21 @@ The Tables section at the top has three options: The Queries section is where the job’s preconfigured queries can be edited and where new queries can be added. -![Queries section of Query Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryselectionqueries.webp) +![Queries section of Query Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryselectionqueries.webp) The Queries section has four options and includes the list of queries for the selected job: - Add from Library – Opens the Libraries window to select preconfigured data collection queries. See - the [Add Query from Library](../../../datacollector/overview.md#add-query-from-library) topic for + the [Add Query from Library](/docs/accessanalyzer/12.0/admin/datacollector/overview.md#add-query-from-library) topic for additional information. - Create Query – Opens the Query Properties window for creating and configuring queries - Delete Query – Deletes the selected query from the list. This action does require confirmation. - Query Properties – Opens the Query Properties window for the selected query - This option is used for query modifications - See the - [Create or Modify a Query](../../../datacollector/overview.md#create-or-modify-a-query) topic + [Create or Modify a Query](/docs/accessanalyzer/12.0/admin/datacollector/overview.md#create-or-modify-a-query) topic for additional information - - See the topics for the individual [Data Collectors](../../../datacollector/overview.md) for + - See the topics for the individual [Data Collectors](/docs/accessanalyzer/12.0/admin/datacollector/overview.md) for additional information ## Right-click Menu 
@@ -69,7 +69,7 @@ The Queries section has four options and includes the list of queries for the se The Query Selection view also has its own right-click menu for taking action on the queries, tables, or the job. -![Right-click menu on the Query Selection page](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryrightclickmenu.webp) +![Right-click menu on the Query Selection page](/img/product_docs/accessanalyzer/admin/jobs/job/configure/queryrightclickmenu.webp) The options in the Queries node right-click menu are: @@ -85,7 +85,7 @@ The options in the Queries node right-click menu are: - Delete Table – Deletes the selected table - Rename Table – Opens the Rename Table window - Run Job – Starts job execution for the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../../instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job (**Ctrl + Alt + A**) – Creates a new job at the same location as the selected job ## Host List 
@@ -93,15 +93,15 @@ The options in the Queries node right-click menu are: Jobs with configured queries require a host list to be assigned. This can be done at either the Job Group or Job level. Whichever location is used to set the host list for query execution should also be the location where the Connection Profile is assigned. See the -[Job Properties](../properties/overview.md) topic for additional information. +[Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) topic for additional information. - Job Groups - Host List Assigned – **[Job Group]** > **Settings** > **Host Lists Assignment**. See the - [Host Lists Assignment](../../group/hostlistsassignment.md) topic for additional information. + [Host Lists Assignment](/docs/accessanalyzer/12.0/admin/jobs/group/hostlistsassignment.md) topic for additional information. - Connection Profile Selected – **[Job Group]** > **Settings** > **Connection**. See the - [Connection Node](../../group/connection.md) topic for additional information. + [Connection Node](/docs/accessanalyzer/12.0/admin/jobs/group/connection.md) topic for additional information. - Job Level - - Host List Assigned – **[Job]** > **Configure** > **Hosts**. See the [Hosts Node](hosts.md) + - Host List Assigned – **[Job]** > **Configure** > **Hosts**. See the [Hosts Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md) topic for additional information. - Connection Profile Selected – Connection tab of the Job’s Properties Window. See the - [Connection Tab](../properties/connection.md) topic for additional information. + [Connection Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/configure/reports.md b/docs/accessanalyzer/12.0/admin/jobs/job/configure/reports.md index 00e3163907..5b7b94b53f 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/configure/reports.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/job/configure/reports.md 
@@ -2,36 +2,36 @@ The Reports node is for configuring reports to be generated during job execution. -![Reports page](../../../../../../../static/img/product_docs/accessanalyzer/admin/report/reports.webp) +![Reports page](/img/product_docs/accessanalyzer/admin/report/reports.webp) The Reports view lists any reports that have been configured for the selected job and options related to configuring reports. The options at the top of the Reports view are: -- Properties – Opens the [Job Properties](../properties/overview.md) page for the job that the +- Properties – Opens the [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) page for the job that the report is for - Run Now – Runs the currently selected job that the report is for - Open Folder – Opens the Report’s folder location with supporting files in the Windows Explorer - View Log – Opens the log for the job that the report is for -![Options on the Reports table header row](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/reportstableheaderoptions.webp) +![Options on the Reports table header row](/img/product_docs/accessanalyzer/admin/jobs/job/configure/reportstableheaderoptions.webp) The Reports table contains all of the configured reports for the job. 
The header row of the table contains the following options for adding reports to the table: - Create – Creates a new report for the selected job - - See the [Creating a Report](../../../report/create.md) topic for additional information + - See the [Creating a Report](/docs/accessanalyzer/12.0/admin/report/create.md) topic for additional information - Paste – Paste a cut or copied report into the selected job - The paste option is accessed from the vertical ellipsis menu of the header row of the Reports table -![Reports table row options](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/configure/reportstablerowoptions.webp) +![Reports table row options](/img/product_docs/accessanalyzer/admin/jobs/job/configure/reportstablerowoptions.webp) Clicking on the name of a report opens it in the Results node. Clicking **Configure** next to a report's name opens the Report Configuration wizard for the report, see the -[Report Configuration Wizard](../../../report/wizard/overview.md) topic for additional information. +[Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md) topic for additional information. Additional options are available from the vertical ellipsis menu on a reports row: - Generate – Generates the report @@ -42,4 +42,4 @@ Once a report is generated, it can be viewed in several locations depending on t Report configurations may also be copied to other reports to generate preferred outputs for alternate jobs. However, all generated reports can be viewed in the job’s **Results** node. -See the [Reporting](../../../report/overview.md) topic for additional information. +See the [Reporting](/docs/accessanalyzer/12.0/admin/report/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/create.md b/docs/accessanalyzer/12.0/admin/jobs/job/create.md index 2ea160a5ec..1c357f2567 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/create.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/job/create.md @@ -2,12 +2,12 @@ Follow the steps to create a new job. -![Create Job from Jobs Tree context menu](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/createjob.webp) +![Create Job from Jobs Tree context menu](/img/product_docs/accessanalyzer/admin/jobs/job/createjob.webp) **Step 1 –** Select the Jobs tree or the desired job group to add the new job to. Right-click and select **Create Job**. -![New Job added to Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/navigate/newjob.webp) +![New Job added to Jobs Tree](/img/product_docs/accessanalyzer/admin/navigate/newjob.webp) **Step 2 –** Provide a unique, descriptive name for the job. The default name is `NewJob`. Some considerations for naming conventions: @@ -24,6 +24,6 @@ considerations for naming conventions: length. See the Microsoft article referenced above. The new job is now ready to be configured. See the -[Data Collectors](../../datacollector/overview.md), [Analysis Modules](../../analysis/overview.md), -[Action Modules](../../action/overview.md), and [Reporting](../../report/overview.md) topics for +[Data Collectors](/docs/accessanalyzer/12.0/admin/datacollector/overview.md), [Analysis Modules](/docs/accessanalyzer/12.0/admin/analysis/overview.md), +[Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md), and [Reporting](/docs/accessanalyzer/12.0/admin/report/overview.md) topics for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md b/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md index 710bd8ba3c..e0fd97845a 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md 
@@ -6,7 +6,7 @@ Individual jobs can be disabled or enabled at the job group or job level. Disabl execute when the parent job group is run. If the role based access feature is enabled, the ability to enable and disable jobs is limited by -the assigned role. See the [Role Based Access](../../settings/access/rolebased/overview.md) topic +the assigned role. See the [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for additional information. ## Disable a Job @@ -20,16 +20,16 @@ task, or executed as part of the job group. Follow the steps to disable a job. disabled, but the job group is not disabled. Any additional jobs added to that job group at a later time will be enabled by default. -![Disable Job from Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/disablejob.webp) +![Disable Job from Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/job/disablejob.webp) **Step 2 –** Right-click on the job group or job and select **Disable Job(s)** from the menu. -![Disabled Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/disabledjob.webp) +![Disabled Job in the Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/job/disabledjob.webp) The job is now disabled. If a job group was selected, all the jobs in the group are now disabled. Disabled jobs are grayed out, and a red cross is displayed in front of the job. -![Disabled Job Description page banner](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/disabledjob2.webp) +![Disabled Job Description page banner](/img/product_docs/accessanalyzer/admin/jobs/job/disabledjob2.webp) A yellow banner also notifies users that a job is disabled in the Job’s Description page. 
@@ -45,7 +45,7 @@ disabled job. **Step 1 –** Select the disabled job. If multiple jobs in a job group are disabled, select the job group to enable all of the disabled jobs. -![Enable Job from Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/enablejob.webp) +![Enable Job from Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/job/enablejob.webp) **Step 2 –** Right-click on the job group or job and select **Enable Job(s)** from the menu. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/overview.md b/docs/accessanalyzer/12.0/admin/jobs/job/overview.md index 0636ed5c0a..90fed84c98 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/overview.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/overview.md 
@@ -3,31 +3,31 @@ An Access Analyzer job is responsible for running data collection, conducting data analysis, executing actions on collected or analyzed data, or generating reports. Each of these are configured in the corresponding section under the job’s Configure node. A single job can be configured to -execute one or multiple tasks. See the [Configure Node](configure/overview.md) topic for additional +execute one or multiple tasks. See the [Configure Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md) topic for additional information. -![Job structure in the Job's Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/jobnode.webp) +![Job structure in the Job's Tree](/img/product_docs/accessanalyzer/admin/jobs/job/jobnode.webp) **_RECOMMENDED:_** Use job group organization to spread these tasks across jobs. For example, create a job to run a query and a second job to run analysis or generate a report. Then use the job group structure to run those jobs together in the proper order. Jobs do not have a Settings node like a job group. Job Properties provide the option to break -inheritance on global or job group settings. See the [Job Properties](properties/overview.md) topic +inheritance on global or job group settings. See the [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) topic for additional information. Once a job has been configured and is being executed, job progress can be viewed at the **Running Instances** node on the Navigation pane. See the -[Running Instances Node](../../runninginstances/overview.md) topic for additional information. +[Running Instances Node](/docs/accessanalyzer/12.0/admin/runninginstances/overview.md) topic for additional information. 
-![Running Job](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/jobrunning.webp) +![Running Job](/img/product_docs/accessanalyzer/admin/jobs/job/jobrunning.webp) At the bottom of the Access Analyzer Console, there is an indication of how many jobs are in queue and the **View Job Progress** link, which opens the Running Instances node. When a job execution has completed, the tables, views, and reports generated by the job are -accessible under the job’s Status and Results nodes. See the [Status Node](status.md) and -[Results Node](results.md) topics for additional information. Reports are also accessible through +accessible under the job’s Status and Results nodes. See the [Status Node](/docs/accessanalyzer/12.0/admin/jobs/job/status.md) and +[Results Node](/docs/accessanalyzer/12.0/admin/jobs/job/results.md) topics for additional information. Reports are also accessible through the Web Console. ## Job Description Page @@ -38,7 +38,7 @@ profiles, job properties, SQL analysis parameters, and PowerShell parameters. D of job, the description page will appear different and display information specific to the job selected. -| ![Pre-Configured Job Description page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpagenewjob.webp) | +| ![Pre-Configured Job Description page](/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpagenewjob.webp) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | Pre-Configured Job | User-Created Job | 
@@ -54,24 +54,24 @@ Pre-configured job description pages provide users with shortcuts and links to m that can be accessed under the **[Job Group]** > **[Job]** node in the Jobs Tree in the Navigation Pane. -![Job Description page options](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpageoptions.webp) +![Job Description page options](/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpageoptions.webp) The sections and options of the job description page are: -- Properties – Opens the Job Properties window. See the [Job Properties](properties/overview.md) +- Properties – Opens the Job Properties window. See the [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) topic for additional information. -- Status – Opens the job Status page. See the [Status Node](status.md) topic for additional +- Status – Opens the job Status page. See the [Status Node](/docs/accessanalyzer/12.0/admin/jobs/job/status.md) topic for additional information. -- Results – Opens the job Results page. See the [Results Node](results.md) topic for additional +- Results – Opens the job Results page. See the [Results Node](/docs/accessanalyzer/12.0/admin/jobs/job/results.md) topic for additional information. -- Configure – Opens the job Configure page. See the [Configure Node](configure/overview.md) topic +- Configure – Opens the job Configure page. See the [Configure Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/overview.md) topic for additional information. 
- Run Now – Executes the job - Schedule – Opens the Schedule Wizard - Open Folder – Opens the job folder location with supporting files in the Windows Explorer - View Log – Opens the job’s log -![Job Description page Overview section](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpageoverview.webp) +![Job Description page Overview section](/img/product_docs/accessanalyzer/admin/jobs/group/descriptionpageoverview.webp) The Overview section provides summary information about the job, and includes the following information: @@ -110,7 +110,7 @@ Job settings can be applied directly or inherited from a parent job group or eve Settings level. If settings are applied directly to a job, these are shown in the Overview section under the job description: -![Job Inherited settings](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/inheritedsettings.webp) +![Job Inherited settings](/img/product_docs/accessanalyzer/admin/jobs/job/inheritedsettings.webp) In the example above, the **Assigned 1 Host List** setting is applied directly to the job. Other settings are inherited from the parent job group. Clicking the **Show inherited settings** button 
@@ -120,12 +120,12 @@ The following settings can be inherited from a parent: | Setting | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Connection profile | The tooltip shows the account name used in the connection profile. Clicking the button opens the parent Connection settings for the selected job. See the [Connection Node](../group/connection.md) topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit the Profile – Clicking the link opens the Connection settings for the current profile - Use Default Profile – Clicking the link applies the connection profile set as default on a global level to a job. In this case, this setting will be hidden under the **Show Inherited Settings** button. - List of existing profiles – Allows switching between existing connection profiles and apply a desired one to a job | -| Data Retention Period | The tooltip shows the current value for the data retention period (by default, Never retain previous job data). Clicking the button opens the parent History settings for the selected job. See the [History Node](../group/history.md) topic for additional information. 
| -| Log Retention Period | The tooltip shows the current value for the log retention period (by default, Retain previous job log for 7 times). Clicking the button opens the parent History settings for the selected job. See the [History Node](../group/history.md) topic for additional information. | -| Hosts Lists | The tooltip shows the number and the names of the host lists assigned to this job. If you have more than three host lists assigned to a job, the tooltip shows 3 hosts name and the number of other hosts lists assigned (for example, if 5 hosts are assigned it shows `Host1, Host2, Host3 + 2 more`). Clicking the button opens the parent Host Lists setting for the selected job. See the [Hosts Node](configure/hosts.md) topic for additional information. | -| Reporting Settings | Clicking the Reporting Settings button opens the parent Reporting settings for the selected job including publishing options, email settings, and roles. See the [Reporting Node](../group/reporting.md) topic for additional information. | -| Storage Profile | The tooltip shows the current SQL Server instance, database name, user account, and authentication type used for the selected job. See the [Storage Node](../group/storage.md) topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available - Edit This Profile – Clicking the link opens the Storage settings for the current profile - Use Default Profile – Clicking the link applies the storage profile set as default on a global level to a job. In this case, this setting will be hidden under the **Show Inherited Settings** button - List of existing profiles – Allows switching between existing storage profiles and apply a desired one to a job | +| Connection profile | The tooltip shows the account name used in the connection profile. Clicking the button opens the parent Connection settings for the selected job. 
See the [Connection Node](/docs/accessanalyzer/12.0/admin/jobs/group/connection.md) topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available: - Edit the Profile – Clicking the link opens the Connection settings for the current profile - Use Default Profile – Clicking the link applies the connection profile set as default on a global level to a job. In this case, this setting will be hidden under the **Show Inherited Settings** button. - List of existing profiles – Allows switching between existing connection profiles and apply a desired one to a job | +| Data Retention Period | The tooltip shows the current value for the data retention period (by default, Never retain previous job data). Clicking the button opens the parent History settings for the selected job. See the [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) topic for additional information. | +| Log Retention Period | The tooltip shows the current value for the log retention period (by default, Retain previous job log for 7 times). Clicking the button opens the parent History settings for the selected job. See the [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) topic for additional information. | +| Hosts Lists | The tooltip shows the number and the names of the host lists assigned to this job. If you have more than three host lists assigned to a job, the tooltip shows 3 hosts name and the number of other hosts lists assigned (for example, if 5 hosts are assigned it shows `Host1, Host2, Host3 + 2 more`). Clicking the button opens the parent Host Lists setting for the selected job. See the [Hosts Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/hosts.md) topic for additional information. 
| +| Reporting Settings | Clicking the Reporting Settings button opens the parent Reporting settings for the selected job including publishing options, email settings, and roles. See the [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md) topic for additional information. | +| Storage Profile | The tooltip shows the current SQL Server instance, database name, user account, and authentication type used for the selected job. See the [Storage Node](/docs/accessanalyzer/12.0/admin/jobs/group/storage.md) topic for additional information. Clicking the three dots menu on the right part of the button opens the Edit menu. The following options are available - Edit This Profile – Clicking the link opens the Storage settings for the current profile - Use Default Profile – Clicking the link applies the storage profile set as default on a global level to a job. In this case, this setting will be hidden under the **Show Inherited Settings** button - List of existing profiles – Allows switching between existing storage profiles and apply a desired one to a job | ### Parameter Configuration 
@@ -138,18 +138,18 @@ Description Page: **Step 1 –** Navigate to the **Jobs > [Job Group] > [Job]** node. If the job has customizable parameters, they will be located under Configuration in the job's Overview section. -![Configuration section of Job description page](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpageconfigurationsection.webp) +![Configuration section of Job description page](/img/product_docs/accessanalyzer/admin/jobs/job/descriptionpageconfigurationsection.webp) **Step 2 –** Click on a parameter to open the Parameter Configuration window. **NOTE:** To view a tool-tip that contains information about the Variable Name and the Task Name that the parameter is associated with, hover the mouse over the parameter. -![Parameter Configuration Window](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/parameterconfigurationwindow.webp) +![Parameter Configuration Window](/img/product_docs/accessanalyzer/admin/jobs/job/parameterconfigurationwindow.webp) **Step 3 –** Configure the parameter in the Parameter Configuration window. Click **Save** to save changes and exit the window. Click **Cancel** to exit without saving. The parameter has now been configured. The parameters can also be configured in the Analysis Node -under the job's Configure Node. See the [Analysis Node](configure/analysis.md) topic for additional +under the job's Configure Node. See the [Analysis Node](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysis.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md index 1df6f0423c..1b434480c2 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md 
@@ -3,7 +3,7 @@ The Auto Retry tab provides the option to schedule the job to re-execute against hosts that match the selected host status values: Offline, Failed, Errors, and Warnings. -![Auto Retry tab of Job Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/autoretry.webp) +![Auto Retry tab of Job Properties](/img/product_docs/accessanalyzer/admin/jobs/job/properties/autoretry.webp) Check the desired Host Status values to generate a retry, and then configure the Refresh Data and Retry Options settings. Finally, enter a User name (domain\user) and Password in the Scheduler diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md index c36eaf35e8..a2ebd081ae 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md @@ -10,10 +10,10 @@ list is set. For example, if the host list is set under the job group’s **Sett is where the Connection Profile should be configured. If the host list is set under the **[Job]** > **Configure** node, then this is where the Connection Profile should be configured. -![Connection tab of the Jop Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/viewxml.webp) +![Connection tab of the Jop Properties](/img/product_docs/accessanalyzer/admin/jobs/job/properties/viewxml.webp) Select the desired option to identify the required Connection Profile for the job. See the -[Connection Node](../../group/connection.md) topic for additional information for the three +[Connection Node](/docs/accessanalyzer/12.0/admin/jobs/group/connection.md) topic for additional information for the three connection options. Click **OK** to save configuration changes and close the Job Properties window. Click **Cancel** if 
diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md index f3f6d51732..da93fdd7c6 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md @@ -2,7 +2,7 @@ The General tab is for changing the job name and description. -![General tab of Job Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/general.webp) +![General tab of Job Properties](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/general.webp) The following options are available: @@ -45,6 +45,6 @@ The log level feature includes the following options: **NOTE:** You can switch between log levels. All the levels, including the one that you choose, shall be set for messaging in the application. -![Log Level Options](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/generalloglevel.webp) +![Log Level Options](/img/product_docs/accessanalyzer/admin/jobs/job/properties/generalloglevel.webp) For example, this is where you set the messaging for Info, Warning, or Error at a job level. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md index 76c7665848..83dadd1ffa 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md 
@@ -4,12 +4,12 @@ The History tab is for configuring the Data Retention and Log Retention periods. use the default settings, which could be either the global configuration or configuration set via broken inheritance at a job group level, or to configure settings just for this job. -![History tab of the Job Properties](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) +![History tab of the Job Properties](/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) By default, all jobs are set to inherit the Data Retention Period and Log Retention Period settings, the **Use Default Setting** option. Deselect the **Use Default Settings** option to configure custom settings for the job. Then provide the desired Data Retention Period and Log Retention Period -settings. See the [History](../../../settings/history.md) topic for additional information. +settings. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. Click **OK** to save configuration changes and close the Job Properties window. Click **Cancel** if no changes were made. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/notification.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/notification.md index 14b7f8a633..fc7c650c4f 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/notification.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/notification.md 
@@ -3,7 +3,7 @@ The Notification tab is where email notifications are configured at the job level. Choose either to inherit the global configuration or to configure settings just for this job. -![Notification tab of Job Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/notification.webp) +![Notification tab of Job Properties](/img/product_docs/accessanalyzer/admin/settings/notification.webp) Deselect the **Use Global Settings** option to configure custom settings for the job. Then provide a specific list of recipients for email notifications generated by this job. Multiple email addresses diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md index c5c3bd2c07..3492e4bcaa 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md @@ -3,7 +3,7 @@ Jobs can be configured to inherit global settings down through parent job groups or to be individually configured at the job level through the Job Properties window. -![Open Job Properties from Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Open Job Properties from Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) To configure a job’s properties, open the Job Properties window by right-clicking on the job's node in the Navigation pane and selecting **Properties**. 
@@ -11,18 +11,18 @@ in the Navigation pane and selecting **Properties**. The properties can be configured at the job level within the Job Properties window using the following tabs: -- [General Tab](general.md) -- [Performance Tab](performance.md) -- [Notification Tab](notification.md) -- [Report Settings Tab](reportsettings.md) -- [Report Roles Tab](reportroles.md) -- [Storage Tab](storage.md) -- [Connection Tab](connection.md) -- [Auto Retry Tab](autoretry.md) -- [History Tab](history.md) +- [General Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md) +- [Performance Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md) +- [Notification Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/notification.md) +- [Report Settings Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md) +- [Report Roles Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md) +- [Storage Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/storage.md) +- [Connection Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/connection.md) +- [Auto Retry Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md) +- [History Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md) You can click the **View XML** button at the bottom of the window to open the job’s XML file. See -the [View Job XML File](viewxml.md) for additional information. +the [View Job XML File](/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md) for additional information. Click **OK** to save configuration changes and close the Job Properties window. Click **Cancel** if no changes were made. diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md index 70d48d03ca..8de433e8f8 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md 
+++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md @@ -2,7 +2,7 @@ The Performance tab provides options that can be used to improve job performance and runtime. -![Performance tab of Job Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/performance.webp) +![Performance tab of Job Properties](/img/product_docs/accessanalyzer/admin/jobs/job/properties/performance.webp) Adjust the following settings by sliding the needle up and down the line: diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md index cc189eb30c..8527136638 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md @@ -3,10 +3,10 @@ The Report Roles tab is part of the Role Bases Access feature of Access Analyzer. If Role Based Access has been enabled, the table displays all accounts that can view reports within the Web Console. If Role Based Access has not been enabled, all accounts have access to all reports, and the -table is blank. See the [Role Based Access](../../../settings/access/rolebased/overview.md) topic +table is blank. See the [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for additional information. -![Report Roles tab of Job Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/reportroles.webp) +![Report Roles tab of Job Properties](/img/product_docs/accessanalyzer/admin/jobs/job/properties/reportroles.webp) On the Report Roles tab, report role inheritance cannot be broken. Access to reports is inherited from the global level to job groups to jobs to report configuration. All user roles configured at 
diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md index 51e0cd2bf6..7e15f12f7b 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md @@ -5,12 +5,12 @@ job. Choose either to use the default settings, which could be either the global configuration set via broken inheritance at a job group level, or to configure settings just for this job. -![Report Settings tab of Job Properties](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reportsettings.webp) +![Report Settings tab of Job Properties](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reportsettings.webp) Use the Publish Options drop-down menu to customize the publish setting for the job. To configure custom Email settings for the job, select the **Use These Email Settings** option and then provide the desired Email information. Multiple email addresses can be input by adding a semicolon (;) and -space between entries. See the [Reporting Node](../../group/reporting.md) topic for additional +space between entries. See the [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md) topic for additional information on the Publish and Email options. Click **OK** to save configuration changes and close the Job Properties window. Click **Cancel** if diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/storage.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/storage.md index a7e60af064..6484c83c56 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/storage.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/storage.md 
@@ -4,12 +4,12 @@ The Storage tab is for configuring the Storage Profile. Choose either to use the which could be either the global configuration or configuration set via broken inheritance at a job group level, or to configure settings just for this job. -![Storage tab of the Job Properties](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) +![Storage tab of the Job Properties](/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) By default, all jobs are set to inherit the storage setting, the **Use Default** option. To configure a different profile for the job, select the **Use This Profile** option and select the desired Storage Profile from the drop-down menu. Storage Profiles can only be configured at the -**Settings** > **Storage** node. See the [Storage](../../../settings/storage/overview.md) topic for +**Settings** > **Storage** node. See the [Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) topic for additional information. Click **OK** to save configuration changes and close the Job Properties window. Click **Cancel** if diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md b/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md index 31453d8a2c..cc73bcd560 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/properties/viewxml.md 
@@ -3,7 +3,7 @@ At the bottom of the Job Properties window is the **View XML** button. To view the XML file, click **View** XML. -| ![View XML button on Job Properties window](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/properties/viewxml.webp) | +| ![View XML button on Job Properties window](/img/product_docs/accessanalyzer/admin/jobs/job/properties/viewxml.webp) | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | | Job Properties Window | Job XML File | diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/results.md b/docs/accessanalyzer/12.0/admin/jobs/job/results.md index 109aed75df..11e680f4e9 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/results.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/results.md @@ -8,7 +8,7 @@ Results node. and views are only generated by jobs with configured analysis or action tasks. Reports are only generated by jobs with configured reports. -![Results Node](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/resultsnode.webp) +![Results Node](/img/product_docs/accessanalyzer/admin/jobs/job/resultsnode.webp) Every job generates a native data table when executed, which appears at the top of the Results node. The native data table, or raw data table, is produced by query execution. It contains all raw data diff --git a/docs/accessanalyzer/12.0/admin/jobs/job/status.md b/docs/accessanalyzer/12.0/admin/jobs/job/status.md index 6ddd65c6bc..73e41be08b 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/job/status.md +++ b/docs/accessanalyzer/12.0/admin/jobs/job/status.md 
@@ -4,7 +4,7 @@ Once a job has been executed, it always generates the tables providing informati connection status, job statistics, job task statistics, and error and warning messages can be viewed under the job’s Status node: -![Status Node](../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job/statusnode.webp) +![Status Node](/img/product_docs/accessanalyzer/admin/jobs/job/statusnode.webp) The Status node tables are: @@ -19,7 +19,7 @@ The Status node tables are: **NOTE:** The Job Statistics Retention settings in the **Settings** > **Application** node control how long the job statistics history is kept in the database and displayed Job Stats and - Task Stats tables. See the [Application](../../settings/application/overview.md) topic for + Task Stats tables. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. - Messages table – Provides a list of any warning or error messages that occurred during the diff --git a/docs/accessanalyzer/12.0/admin/jobs/overview.md b/docs/accessanalyzer/12.0/admin/jobs/overview.md index bcd62885bd..75db57fa72 100644 --- a/docs/accessanalyzer/12.0/admin/jobs/overview.md +++ b/docs/accessanalyzer/12.0/admin/jobs/overview.md @@ -6,7 +6,7 @@ housed within the Jobs tree of the Navigation pane. The Jobs Tree is located in the Navigation Pane on the Access Analyzer Console. -![Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/jobstreeoverview.webp) +![Jobs Tree](/img/product_docs/accessanalyzer/admin/jobs/jobstreeoverview.webp) Clicking on the arrow next to the Jobs node will expand it. The Jobs tree is organized alphanumerically, first by job groups and then by any jobs that are independent of job groups. 
@@ -15,26 +15,26 @@ Each component within the Jobs tree has an icon for quick reference. The icons a | Icon Description | Description | | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | -| ![jobgroup](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/jobgroup.webp) | Job Group | -| ![modifiedjobgroup](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/modifiedjobgroup.webp) | Modified Job Group | -| ![settings](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) | Settings node for a Job Group/ Configure node for a job | -| ![job](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/job.webp) | Job | -| ![modifiedjob](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/modifiedjob.webp) | Modified Job | -| ![lockedjob](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/lockedjob.webp) | Locked Job (Only applicable to Role Based Access feature) | -| ![status](../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/status.webp) | Status node for a Job | -| ![connectstatus](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/connectstatus.webp) | Job’s ConnectStatus Node | -| ![jobstatus](../../../../../static/img/product_docs/strongpointfornetsuite/clean_up/jobstatus.webp) | Job Status for a Job | -| ![taskstatus](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/taskstatus.webp) | Task Status for a Job | -| ![results](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) | Results node for a Job | -| ![messages](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/messages.webp) | Job’s Messages table | -| ![jobsdata](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/jobsdata.webp) | Job’s Data Table 
or View | -| ![jobsreport](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/jobsreport.webp) | Job’s Report | +| ![jobgroup](/img/product_docs/accessanalyzer/admin/jobs/jobgroup.webp) | Job Group | +| ![modifiedjobgroup](/img/product_docs/accessanalyzer/admin/jobs/modifiedjobgroup.webp) | Modified Job Group | +| ![settings](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) | Settings node for a Job Group/ Configure node for a job | +| ![job](/img/product_docs/accessanalyzer/admin/jobs/job.webp) | Job | +| ![modifiedjob](/img/product_docs/accessanalyzer/admin/jobs/modifiedjob.webp) | Modified Job | +| ![lockedjob](/img/product_docs/accessanalyzer/admin/jobs/lockedjob.webp) | Locked Job (Only applicable to Role Based Access feature) | +| ![status](/img/product_docs/dataclassification/ndc/admin/sources/status.webp) | Status node for a Job | +| ![connectstatus](/img/product_docs/accessanalyzer/admin/jobs/connectstatus.webp) | Job’s ConnectStatus Node | +| ![jobstatus](/img/product_docs/strongpointfornetsuite/clean_up/jobstatus.webp) | Job Status for a Job | +| ![taskstatus](/img/product_docs/accessanalyzer/admin/jobs/taskstatus.webp) | Task Status for a Job | +| ![results](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/results.webp) | Results node for a Job | +| ![messages](/img/product_docs/accessanalyzer/admin/jobs/messages.webp) | Job’s Messages table | +| ![jobsdata](/img/product_docs/accessanalyzer/admin/jobs/jobsdata.webp) | Job’s Data Table or View | +| ![jobsreport](/img/product_docs/accessanalyzer/admin/jobs/jobsreport.webp) | Job’s Report | A green checkmark over a Job or Job Group icon indicates a configuration change has been made to the job or job group. The global settings configured under the Settings node are inherited down through the Jobs tree to the job unless inheritance is broken in a job group’s Settings node, a job’s Configure node, or a job’s Properties window. 
See the -[Navigating the Console](../navigate/overview.md) for additional information. +[Navigating the Console](/docs/accessanalyzer/12.0/admin/navigate/overview.md) for additional information. ## Job Execution Options @@ -68,7 +68,7 @@ Remember, custom jobs are not shipped with Access Analyzer but instead user crea The Changes window opens from the **Changes** option in the right-click menu from the selected Jobs tree, job group, or job node. -![Changes Window](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/changeswindow.webp) +![Changes Window](/img/product_docs/accessanalyzer/admin/jobs/changeswindow.webp) Select **Enabled** from the drop-down menu in the upper-left corner to turn on change tracking of configuration settings. Select a modification from the table and click **Undo** to revert the @@ -93,13 +93,13 @@ If configuration change tracking is **Disabled**, configuration changes are only the job’s XML file. If the configuration change tracking feature was previously enabled and then disabled at a later time, an option is provided to merge changes back into the job’s XML file. -![Change Window Merge Changes](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/changeswindowmerge.webp) +![Change Window Merge Changes](/img/product_docs/accessanalyzer/admin/jobs/changeswindowmerge.webp) To merge the changes into the job’s XML file without disabling the configuration change tracking feature, click **Merge** on the bottom left corner of the Changes window and then click **Yes** on the Access Analyzer pop-up window to confirm the merge. -![Changes Window Locked](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/changeswindowlocked.webp) +![Changes Window Locked](/img/product_docs/accessanalyzer/admin/jobs/changeswindowlocked.webp) Changes between releases are tracked. Only jobs that are locked can be upgraded. 
diff --git a/docs/accessanalyzer/12.0/admin/maintenance/backuprecovery.md b/docs/accessanalyzer/12.0/admin/maintenance/backuprecovery.md index 3f4f4345c8..c9b0aca2f9 100644 --- a/docs/accessanalyzer/12.0/admin/maintenance/backuprecovery.md +++ b/docs/accessanalyzer/12.0/admin/maintenance/backuprecovery.md @@ -32,11 +32,11 @@ built-in environment variable `%SAINSTALLDIR%`): user. This can be as simple as copying the contents of the tasks folder from the following two locations: -![C:\Windows\Tasks](../../../../../static/img/product_docs/accessanalyzer/admin/maintenance/maintenance_3.webp) +![C:\Windows\Tasks](/img/product_docs/accessanalyzer/admin/maintenance/maintenance_3.webp) - C:\Windows\Tasks -![C:\Windows\System32\Tasks](../../../../../static/img/product_docs/accessanalyzer/admin/maintenance/maintenance_4.webp) +![C:\Windows\System32\Tasks](/img/product_docs/accessanalyzer/admin/maintenance/maintenance_4.webp) - C:\Windows\System32\Tasks @@ -47,7 +47,7 @@ All key components necessary for data recovery have now been backed up. Follow these steps for data recovery of the Access Analyzer Console server. **Step 1 –** Confirm the prerequisites have been met on the Access Analyzer Console Server. See the -[Requirements](../../requirements/overview.md) topic for specific prerequisites. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for specific prerequisites. **Step 2 –** Install the Access Analyzer application. Do not start the Access Analyzer application at this time. 
@@ -85,12 +85,12 @@ Where SA_Node = @OHost; **Step 7 –** Enable Role Based Access to write the necessary registry keys: -![Role Based Access](../../../../../static/img/product_docs/accessanalyzer/admin/maintenance/maintenance_5.webp) +![Role Based Access](/img/product_docs/accessanalyzer/admin/maintenance/maintenance_5.webp) - Navigate to the **Settings** > **Access** node in the Access Analyzer Console and select **Access** - Use the **Add Access**, **Edit Member Role**, and **Delete Member Role** buttons to add, remove, and edit roles -- See the [Role Based Access](../settings/access/rolebased/overview.md) topic for more information +- See the [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for more information The Access Analyzer Console Server is now restored. diff --git a/docs/accessanalyzer/12.0/admin/maintenance/overview.md b/docs/accessanalyzer/12.0/admin/maintenance/overview.md index 22c5e35c78..447be2ea11 100644 --- a/docs/accessanalyzer/12.0/admin/maintenance/overview.md +++ b/docs/accessanalyzer/12.0/admin/maintenance/overview.md @@ -3,8 +3,8 @@ The following topics contain information needed for application maintenance and troubleshooting for the Access Analyzer Console: -- [Antivirus Exclusions](antivirusexclusions.md) -- [Updating Passwords](updatepasswords.md) -- [Backup and Recovery](backuprecovery.md) -- [Troubleshooting](troubleshooting.md) -- [Best Practices](bestpractices.md) +- [Antivirus Exclusions](/docs/accessanalyzer/12.0/admin/maintenance/antivirusexclusions.md) +- [Updating Passwords](/docs/accessanalyzer/12.0/admin/maintenance/updatepasswords.md) +- [Backup and Recovery](/docs/accessanalyzer/12.0/admin/maintenance/backuprecovery.md) +- [Troubleshooting](/docs/accessanalyzer/12.0/admin/maintenance/troubleshooting.md) +- [Best Practices](/docs/accessanalyzer/12.0/admin/maintenance/bestpractices.md) 
diff --git a/docs/accessanalyzer/12.0/admin/maintenance/updatepasswords.md b/docs/accessanalyzer/12.0/admin/maintenance/updatepasswords.md index 200f280a78..23880fda3d 100644 --- a/docs/accessanalyzer/12.0/admin/maintenance/updatepasswords.md +++ b/docs/accessanalyzer/12.0/admin/maintenance/updatepasswords.md @@ -25,18 +25,18 @@ for additional information. ## Storage Profiles Storage Profiles manage user authentication with the database. See the -[Update Authentication Credentials in a Storage Profile](../settings/storage/updateauth.md) topic +[Update Authentication Credentials in a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/updateauth.md) topic for information about updating Storage Profile authentication credentials in the Access Analyzer Console. ## Connection Profiles Connection Profiles are used for scan authentication in the Access Analyzer console. See the -[Connection](../settings/connection/overview.md) topic for details on how to edit user credentials +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for details on how to edit user credentials for a Connection Profile. For Entra ID, formerly Microsoft Azure Active Directory, accounts, see the -[Microsoft Entra ID Auditing Configuration](../../config/entraid/access.md) topic for additional +[Microsoft Entra ID Auditing Configuration](/docs/accessanalyzer/12.0/config/entraid/access.md) topic for additional information. ## Schedule Service Accounts 
@@ -49,33 +49,33 @@ account can be assigned to either a Job or a Scheduled Task. The Settings > Schedule Node displays the Schedule page where you can configure the account used for executing a scheduled task. See the -[Edit a Schedule Service Account](../settings/schedule.md#edit-a-schedule-service-account) topic for +[Edit a Schedule Service Account](/docs/accessanalyzer/12.0/admin/settings/schedule.md#edit-a-schedule-service-account) topic for additional information on editing the user credentials for the account. ### Schedules Node The Schedules Node opens the Scheduled Actions pages where scheduled tasks are listed. From this page, actions can be scheduled using the Schedule wizard. See the -[Schedule Wizard](../schedule/wizard.md) topic for additional information on updating the +[Schedule Wizard](/docs/accessanalyzer/12.0/admin/schedule/wizard.md) topic for additional information on updating the credentials password in the Schedule wizard. ### Jobs Jobs are typically scheduled with the global scheduled account. However, Jobs can also be scheduled -with a custom account. See the [Auto Retry Tab](../jobs/job/properties/autoretry.md) topic for +with a custom account. See the [Auto Retry Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/autoretry.md) topic for information on updating the Schedule Authentication credentials. ## Notifications (if enabled) Email notifications are configured in the Notifications node. The following steps only apply if Notification authentication has been enabled for the Access Analyzer Console. See the -[Update Notification Authentication Credentials](../settings/notification.md#update-notification-authentication-credentials) +[Update Notification Authentication Credentials](/docs/accessanalyzer/12.0/admin/settings/notification.md#update-notification-authentication-credentials) topic for information on updating Notification authentication credentials. 
## ServiceNow (if enabled) The ServiceNow Node controls the integration between Access Analyzer and ServiceNow. See the -[Update ServiceNow Authentication Credentials](../settings/servicenow.md#update-servicenow-authentication-credentials) +[Update ServiceNow Authentication Credentials](/docs/accessanalyzer/12.0/admin/settings/servicenow.md#update-servicenow-authentication-credentials) topic for information on updating ServiceNow authentication credentials. ## Services @@ -84,9 +84,9 @@ Depending on your configuration, the credentials for the accounts running the fo Access Analyzer (formerly Enterprise Auditor) services may need updating: - File System Proxy Service – This service is on the proxy server. See the - [File System Proxy Service Installation](../../install/filesystemproxy/wizard.md) topic for + [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information. -- Vault Service – See the [Vault](../settings/application/vault.md) topic for additional information +- Vault Service – See the [Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for additional information - Web Server Service – See the - [Reports via the Web Console](../../install/application/reports/overview.md) topic for additional + [Reports via the Web Console](/docs/accessanalyzer/12.0/install/application/reports/overview.md) topic for additional information diff --git a/docs/accessanalyzer/12.0/admin/navigate/activitiespane.md b/docs/accessanalyzer/12.0/admin/navigate/activitiespane.md index f457d2e987..f260f131ae 100644 --- a/docs/accessanalyzer/12.0/admin/navigate/activitiespane.md +++ b/docs/accessanalyzer/12.0/admin/navigate/activitiespane.md 
@@ -7,7 +7,7 @@ for the wizard, e.g. the Access Analyzer Host Discovery Wizard. If the currently section has an associated Activities Pane, it can be found on the right-hand side of the Access Analyzer Console. -![activitiespane](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/activitiespane.webp) +![activitiespane](/img/product_docs/accessanalyzer/admin/navigate/activitiespane.webp) The following console sections have associated Activities Panes: diff --git a/docs/accessanalyzer/12.0/admin/navigate/datagrid.md b/docs/accessanalyzer/12.0/admin/navigate/datagrid.md index 9473ceb546..92761a6d12 100644 --- a/docs/accessanalyzer/12.0/admin/navigate/datagrid.md +++ b/docs/accessanalyzer/12.0/admin/navigate/datagrid.md @@ -3,7 +3,7 @@ All data grids within the Access Analyzer Console have functions and features that allow Access Analyzer users to group by, filter, and sort via the filtration dialog through the data. -![Search Methods - Data Grid](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/datagridfunctionality.webp) +![Search Methods - Data Grid](/img/product_docs/threatprevention/threatprevention/admin/navigation/datagridfunctionality.webp) The different grouping, filtering, and search methods in the Data Grid are: @@ -26,7 +26,7 @@ for sorting, filtering, and searching. The right-click menu that affects data grid functionality is accessible by right-clicking on the data grid header row. -![Data Grid Functionality](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality1.webp) +![Data Grid Functionality](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality1.webp) The Data Grid Right-click menu contains the following selections: 
@@ -53,11 +53,11 @@ for information on right-click menus within a data grid. The Customization window can be used to customize the data grid to only display specific columns. -![Customization Window](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality2.webp) +![Customization Window](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality2.webp) To open the Customization window, select Field Chooser from the column header right-click menu. -![Customization Window](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality3.webp) +![Customization Window](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality3.webp) Any column that has been removed from the data grid, either by dragging it off the screen or by dropping it into this window, will be listed here. A column not currently displayed can be returned 
@@ -68,17 +68,17 @@ to the data grid by dragging-and-dropping it from this window onto the header ro The footer provides a data grid summation row. The summation capabilities exist for every column on the footer either for the entire data grid or by grouped sections of the data grid. -![Footer Option](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality4.webp) +![Footer Option](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality4.webp) To enable the footer, right-click in a column header and select Footer from the right-click menu. -![Footer display](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality5.webp) +![Footer display](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality5.webp) The footer appears as a gray bar at the bottom of the grid (or grid group). Right-click on the footer under the desired column. Only the options applicable to the desired column will be valid for selection. -![Footer options](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality6.webp) +![Footer options](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality6.webp) The different footer options are: @@ -93,7 +93,7 @@ The different footer options are: The data grid can be sorted in alphanumeric order by clicking on a column header. -![Sort Order](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality7.webp) +![Sort Order](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality7.webp) An arrow displays on the column header indicating if the sort is increasing or decreasing. This feature only works on one column at a time. 
@@ -102,7 +102,7 @@ feature only works on one column at a time. Users can interact and search through data grids in the Results Pane. -| ![Default Group By View](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality9.webp) | +| ![Default Group By View](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality9.webp) | | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | Default view | Organized by Column Header | @@ -110,14 +110,14 @@ To use this feature, drag a column header into the “Drag a column header here column” area. The data grid groups according to the data within that column. The sub-header provides a ‘count’ of records within each group. Expand the group to view the data. -![Expand Group View](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality10.webp) +![Expand Group View](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality10.webp) Multiple columns can be dragged into the Group By area to form tiered groupings. **NOTE:** Sorting by the FQDN column is an easy way to see if there are two entries for the same host. -![Column Header](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality11.webp) +![Column Header](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality11.webp) The data grid can also be grouped by dragging a column header beneath the other column headers either to the stationary section on the left or to the mobile section on the right. Each record 
@@ -134,7 +134,7 @@ Users can filter and search data in the Data Grid by using the dropdown arrow in to select from a list of filters, configuring a custom filter, or by using the Data Grid filtration dialog located above the Activities Pane. -![Filter](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality12.webp) +![Filter](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality12.webp) In the header of every column is a drop-down arrow. This provides users with the ability to filter the data grid for a particular item or items within a column. The drop-down menu has the options of @@ -150,7 +150,7 @@ grid. The Custom option opens a Custom Filter builder for the selected column. -![Custom Filter](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality13.webp) +![Custom Filter](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality13.webp) The Custom Filter window options are: @@ -172,7 +172,7 @@ Follow the steps to create a Custom Filter: **Step 1 –** Click the dropdown arrow in the column header for the column where the Custom Filter is going to be applied and select (Custom…) from the list. The Custom Filter window opens. -![Creating a Custom Filter](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality14.webp) +![Creating a Custom Filter](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality14.webp) **Step 2 –** Set the desired criteria for the custom filter. Select the logical operator from the drop-down menu on the left and set the criteria in the textbox on the right. 
@@ -188,7 +188,7 @@ records with an operating system name that contains “2008” but not “Standa 2008 Enterprise Edition, 64 bit and Windows Server 2008 R2 Datacenter Edition, 64-bit, etc. Complex filters can be created using the Advanced Search option in the Filtration Dialog. -![Selected Filter Criteria](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality15.webp) +![Selected Filter Criteria](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality15.webp) The selected filter criteria will appear at the top of the data grid. A red X appears in the filtration dialog, and the total rows value drops to the number of records that match the filter @@ -208,7 +208,7 @@ the data set for users to quickly return to a filtered view. The filtration dialog in the upper-right corner with the magnifying glass icon provides additional filtering options. -![Filtration Dialog](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality16.webp) +![Filtration Dialog](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality16.webp) The magnifying glass icon opens a dropdown list of columns for the selected data grid, the Advanced Search option, and the Recent Filters list. Typing in the textbox at the top filters the data grid @@ -220,7 +220,7 @@ open the list of the last server filters applied to this data grid. The Advanced Search option opens a Set Filter builder for users to build a filter for multiple columns using multiple logical operators. -![Advanced Search](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality17.webp) +![Advanced Search](/img/product_docs/accessanalyzer/admin/navigate/datagridfunctionality17.webp) The filter options and logical operators are: diff --git a/docs/accessanalyzer/12.0/admin/navigate/overview.md b/docs/accessanalyzer/12.0/admin/navigate/overview.md index 9b5a52d7f2..8df556e3ed 100644 
--- a/docs/accessanalyzer/12.0/admin/navigate/overview.md +++ b/docs/accessanalyzer/12.0/admin/navigate/overview.md 
@@ -4,19 +4,19 @@ There are several options that can be used to navigate the Access Analyzer Conso covers basic Access Analyzer Console navigation, including menu options, buttons, and the different panes through which users can access Access Analyzer’s various functions and options. -![Console Navigation Overview](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationoverview.webp) +![Console Navigation Overview](/img/product_docs/accessanalyzer/admin/navigate/navigationoverview.webp) The primary sections of the Access Analyzer Console are: -- [Top Navigation](top.md) – Comprised of the Menu Bar and the Actions Bar -- [Navigation Pane](pane.md) – Navigate through all of Access Analyzer’s major functions using the +- [Top Navigation](/docs/accessanalyzer/12.0/admin/navigate/top.md) – Comprised of the Menu Bar and the Actions Bar +- [Navigation Pane](/docs/accessanalyzer/12.0/admin/navigate/pane.md) – Navigate through all of Access Analyzer’s major functions using the Navigation Pane. Selecting a node or sub-folder in the Navigation Pane will change what can be done in the Results Pane. -- [Results Pane](resultspane.md) – Displays various interfaces based on what is selected in the +- [Results Pane](/docs/accessanalyzer/12.0/admin/navigate/resultspane.md) – Displays various interfaces based on what is selected in the Navigation Pane or Activities Pane -- [Activities Pane](activitiespane.md) – Displays a list of activities which can be conducted within +- [Activities Pane](/docs/accessanalyzer/12.0/admin/navigate/activitiespane.md) – Displays a list of activities which can be conducted within the currently selected console section Access Analyzer Data Grids also have specific navigation options that enable users to filter, group, -and search through data. See the [Data Grid Functionality](datagrid.md) topic for additional +and search through data. 
See the [Data Grid Functionality](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/navigate/pane.md b/docs/accessanalyzer/12.0/admin/navigate/pane.md index 7d012efd2a..b7c30438a8 100644 --- a/docs/accessanalyzer/12.0/admin/navigate/pane.md +++ b/docs/accessanalyzer/12.0/admin/navigate/pane.md 
@@ -4,26 +4,26 @@ The Navigation Pane, located on the left-hand side of the Access Analyzer Consol major functions of Access Analyzer in a collapsible list format. Clicking on any node with an arrow will open a collapsible list that shows more navigation, configuration, and use options. -![Configuration Settings](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationmenu.webp) +![Configuration Settings](/img/product_docs/accessanalyzer/admin/navigate/navigationmenu.webp) The items in the Navigation Pane are: - Settings – Opens the Global Settings section for configurations which affect the running of Access - Analyzer jobs. See the [Global Settings](../settings/overview.md) topic for additional + Analyzer jobs. See the [Global Settings](/docs/accessanalyzer/12.0/admin/settings/overview.md) topic for additional information. - Host Management – Opens the Host Management section for inventorying and managing hosts to be - targeted by Access Analyzer jobs. See the [Host Management](../hostmanagement/overview.md) topic + targeted by Access Analyzer jobs. See the [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. - Host Discovery - Opens the Host Discovery section for discovering hosts to be targeted by the Access Analyzer jobs. See the Host Discovery topic for additional information. - Running Instances – Displays progress for all running jobs. This includes jobs that are run by a scheduled task, interactively within the open Access Analyzer instance, or interactively in any other running instance of Access Analyzer See the - [Running Instances Node](../runninginstances/overview.md) topic for additional information. + [Running Instances Node](/docs/accessanalyzer/12.0/admin/runninginstances/overview.md) topic for additional information. - Schedules – Opens the Scheduled Actions view which displays information on all scheduled tasks. 
- See the [Schedules](../schedule/overview.md) topic for additional information. + See the [Schedules](/docs/accessanalyzer/12.0/admin/schedule/overview.md) topic for additional information. - Jobs – Lists all solutions, job groups, and jobs within a folder structure. See the - [Jobs Tree](../jobs/overview.md) topic for additional information. + [Jobs Tree](/docs/accessanalyzer/12.0/admin/jobs/overview.md) topic for additional information. The title above the Navigation Pane will change depending on what is selected. There are also several right-click or context menus available throughout the console. See the @@ -42,7 +42,7 @@ nodes or sub-nodes in the Navigation Pane. The different right-click menus are: The following right-click menus are available within the Host Management node. -See the [Host Management](../hostmanagement/overview.md) topic for additional information on these +See the [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information on these actions. #### Discovery Node @@ -50,11 +50,11 @@ actions. The Discovery node right click-menu can be accessed in the Host Management node in the Navigation Pane. -![Discovery Node options](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane1.webp) +![Discovery Node options](/img/product_docs/accessanalyzer/admin/navigate/navigationpane1.webp) The Discovery node right-click menu options are: -- Create Query – Opens the [Host Discovery Wizard](../hostdiscovery/wizard/overview.md) +- Create Query – Opens the [Host Discovery Wizard](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md) - Suspend/Resume Query Queue – Pauses or resumes the host discovery queue #### All Hosts Node 
@@ -62,16 +62,16 @@ The Discovery node right-click menu options are: The All Hosts node right-click menu can be accessed in the Host Management node in the Navigation Pane. -![All Hosts Node options](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane2.webp) +![All Hosts Node options](/img/product_docs/accessanalyzer/admin/navigate/navigationpane2.webp) The All Hosts right-click menu options are: -- Add Hosts – Opens the [Add Hosts](../hostmanagement/actions/add.md) window +- Add Hosts – Opens the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) window - Refresh Lists – Refreshes host list - Refresh Hosts – Executes the host inventory query -- Save Selected to Lists – Opens the [Add Hosts](../hostmanagement/actions/add.md) window with the +- Save Selected to Lists – Opens the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) window with the selected hosts already added to a new list -- Schedule – Opens the [Schedule (Activities Pane Option)](../hostmanagement/actions/schedule.md) +- Schedule – Opens the [Schedule (Activities Pane Option)](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md) window to schedule a host inventory query - Export Data – Export the current data grid to an HTML file, an XML file, or a CSV file - Suspend/Resume Host Inventory – Pauses or resumes a host inventory query 
@@ -81,18 +81,18 @@ The All Hosts right-click menu options are: The All Hosts > [Host List] right-click menu can be accessed in the Host Management node in the Navigation Pane. -![Host List Node options](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane3.webp) +![Host List Node options](/img/product_docs/accessanalyzer/admin/navigate/navigationpane3.webp) The All Hosts > [Host List] node right-click menu options are: -- Edit List – Opens the [Add Hosts](../hostmanagement/actions/add.md) window for the selected list +- Edit List – Opens the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) window for the selected list - Rename List – Opens the Host list name window - Delete List – Delete the selected host list - Refresh List – Refreshes host list - Refresh Hosts – Executes the host inventory query -- Save Selected to List – Opens the [Add Hosts](../hostmanagement/actions/add.md) window with the +- Save Selected to List – Opens the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) window with the selected hosts already added to a new list -- Schedule – Opens the [Schedule (Activities Pane Option)](../hostmanagement/actions/schedule.md) +- Schedule – Opens the [Schedule (Activities Pane Option)](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md) window to schedule a host inventory query - Export Data – Export the current data grid to an HTML file, an XML file, or a CSV file - Suspend Host Inventory – Pauses or resumes a host inventory query @@ -101,7 +101,7 @@ The All Hosts > [Host List] node right-click menu options are: The following right-click menus are available within the Jobs tree. -See the [Jobs Tree](../jobs/overview.md) topic for additional information on these actions. +See the [Jobs Tree](/docs/accessanalyzer/12.0/admin/jobs/overview.md) topic for additional information on these actions. #### Jobs Tree Primary Nodes 
@@ -110,7 +110,7 @@ The Job tree primary nodes have the following right-click menu items: **NOTE:** These menu items apply to a Jobs Tree, Job Group, and a Job. Depending on the chosen selection, some menu items are grayed out. -| ![Jobs Tree Primary Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane6.webp) | +| ![Jobs Tree Primary Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane6.webp) | | --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | Jobs Tree Node | A Job Group Node | A Job Node | 
@@ -118,21 +118,21 @@ Menu items include: - Run Group/Jobs – Executes the selected job group or job - Publish – Publishes the reports from the selected job group or job without regenerating the - report. See the [Reporting](../report/overview.md) topic for additional information. + report. See the [Reporting](/docs/accessanalyzer/12.0/admin/report/overview.md) topic for additional information. - Lock Group/Job – Locks job group or job, indicating configuration has been approved and the job group or job is ready to be scheduled/run. This option only applies to Role Based Access. See the - [Role Based Access](../settings/access/rolebased/overview.md) topic for additional information. + [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for additional information. - Unlock Group/Job – Unlocks job group or job, indicating the configuration has not been approved or needs to be modified. Unlocking a job will prevent Job Initiators from scheduling or running the job. This option only applies to Role Based Access. See the - [Role Based Access](../settings/access/rolebased/overview.md) for additional information. + [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) for additional information. - Enable/Disable Job(s) – Disables the selected job or job group and skips them during scan execution. When a job group is disabled, all existing jobs within the job group are disabled. See - the [Disable or Enable a Job](../jobs/job/disableenable.md) topic for more information. -- Schedules – Opens the [Schedule Jobs](../schedule/overview.md#schedule-jobs) to schedule job group + the [Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for more information. 
+- Schedules – Opens the [Schedule Jobs](/docs/accessanalyzer/12.0/admin/schedule/overview.md#schedule-jobs) to schedule job group or job execution - Refresh Tree – Refreshes the Jobs tree -- Changes – Opens the [Changes Window](../jobs/overview.md#changes-window) to track changes to job +- Changes – Opens the [Changes Window](/docs/accessanalyzer/12.0/admin/jobs/overview.md#changes-window) to track changes to job configuration in a change log - Cut – Cuts the selected job group or job (Ctrl+X) - Copy – Copies the selected job group or job (Ctrl+C) @@ -142,7 +142,7 @@ Menu items include: from the database. - Delete Group/Job – Deletes the selected job group or job. See the - [Report Cleanup when Deleting a Job or Job Group](../report/cleanup.md) topic for additional + [Report Cleanup when Deleting a Job or Job Group](/docs/accessanalyzer/12.0/admin/report/cleanup.md) topic for additional information. **CAUTION:** Rename Group/Job will rename all tables that match the job’s naming convention 
@@ -153,31 +153,31 @@ Menu items include: and/or the job log and SA_Debug log. - Save the ZIP file to a desired location, and optionally attach it to an email to [Netwrix Support](https://www.netwrix.com/support.html). - - Email option requires [Notification](../settings/notification.md) settings to be configured. + - Email option requires [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) settings to be configured. - Create Job (Ctrl+Alt+A) – Creates a new job at the same location as the selected job group or job. - See the [Create a New Job](../jobs/job/create.md) topic for additional information. -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md). + See the [Create a New Job](/docs/accessanalyzer/12.0/admin/jobs/job/create.md) topic for additional information. +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md). - Create Group – Creates a new job group within the selected location - Explore Folder – Opens the Windows Explorer folder for the select object -- Properties – Opens the [Job Properties](../jobs/job/properties/overview.md) window +- Properties – Opens the [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) window #### [Job] > Status Node The [Job] > Status node has the following right-click menu items: -![Status Node](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane7.webp) +![Status Node](/img/product_docs/accessanalyzer/admin/navigate/navigationpane7.webp) The Status node right-click menu items are: - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) #### [Job] > Status > [Table/View] Nodes 
The [Job] > Status > [Table/View] nodes have the following right-click menu items: -| ![Table/View Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane10.webp) | +| ![Table/View Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane10.webp) | | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | | ConnectStatus Table | Job Stats & Task Stats Tables | Messages Table | 
@@ -189,62 +189,62 @@ are: - Edit Host List – Opens the Edit Dynamic Job Host Lists window - Export Data – Export the current data grid to an HTML file, an XML file, or a CSV file - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Creates Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) #### [Job] > Results Node The [Job] > Results node has the following right-click menu items: -![Results Node](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane11.webp) +![Results Node](/img/product_docs/accessanalyzer/admin/navigate/navigationpane11.webp) The menu items are: - Refresh Tree – Refreshes the Jobs Tree - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) #### [Job] > Results > [Table/View] Nodes The [Job] > Results > [Table/View] nodes have the following right-click menu items: -![Results-Table View Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane12.webp) +![Results-Table View Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane12.webp) The menu items are: - Create Hostlist From Data – Opens the New host list from job results window. See the - [Host Management](../hostmanagement/overview.md) topic for additional information. + [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. - Edit Host List – Opens the Edit Dynamic Job Host Lists window. 
See the - [Host Management](../hostmanagement/overview.md) topic for additional information. + [Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. - Export Data – Export the current data grid to an HTML file, an XML file, or a CSV file -- Actions – Opens the selected [Action Modules](../action/overview.md) for the selected table/view +- Actions – Opens the selected [Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md) for the selected table/view - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job - Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) #### [Job] > Results > [Report] Nodes The [Job] > Results > [Report] nodes have the following right-click menu items: -![Results-Report Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane13.webp) +![Results-Report Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane13.webp) The [Job] > Results > [Report] node right-click menu items are: - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) #### [Job] > Configure Node The [Job] >Configure node have the following right-click menu items: -![Configure Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane13.webp) +![Configure Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane13.webp) The [Job] > Configure node right-click menu items are: - Run Job – Executes the selected job -- Add 
Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) **NOTE:** This right-click menu is also opened at the Configure > Hosts node. 
@@ -254,31 +254,31 @@ The [Job] > Configure node right-click menu items are: The right-click menu items for the [Job] > Configure > [Configuration] node are the same right-click menus as those available within the job’s individual configuration views: -| ![Configure-Configuration Nodes](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane16.webp) | +| ![Configure-Configuration Nodes](/img/product_docs/accessanalyzer/admin/navigate/navigationpane16.webp) | | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | Queries Node | Analysis Node | Actions Node | Each configuration node has a different right-click menu. 
For additional information on each: -- For the Queries node, see the [Jobs](../jobs/job/overview.md) section for information on these +- For the Queries node, see the [Jobs](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md) section for information on these options -- For the Analysis node, see the [Jobs](../jobs/job/overview.md) section for information on these +- For the Analysis node, see the [Jobs](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md) section for information on these options -- For the Actions node, see the [Jobs](../jobs/job/overview.md) section for information on these +- For the Actions node, see the [Jobs](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md) section for information on these options #### [Job] > Configure > Reports Node The [Job] >Configure > Reports node has the following right-click menu items: -![Configure-Reports Node](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane17.webp) +![Configure-Reports Node](/img/product_docs/accessanalyzer/admin/navigate/navigationpane17.webp) The [Job] > Configure > Reports node right-click menu items are: - Create Report – Opens a new report Configuration under the job’s **Configure > Reports Node** - Paste Report – Paste a copied report from a different job into this job’s Reports node - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job #### [Job] > Configure > Reports > [Report Configuration] Node 
@@ -286,7 +286,7 @@ The [Job] > Configure > Reports node right-click menu items are: The [Job] >Configure > Reports > [Report Configuration] node has the following right-click menu items: -![Reports Configuration Node](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/navigationpane18.webp) +![Reports Configuration Node](/img/product_docs/accessanalyzer/admin/navigate/navigationpane18.webp) The [Job] > Configure > Reports > [Report Configuration] node right-click menu items are: @@ -296,5 +296,5 @@ The [Job] > Configure > Reports > [Report Configuration] node right-click menu i - Copy Report – Copies the report configuration to clipboard. The copied report will have only the roles inherited from the parent job when pasted. - Run Job – Executes the selected job -- Add Instant Job – Opens the [Instant Job Wizard](../jobs/instantjobs/overview.md) +- Add Instant Job – Opens the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) - Create Job – Creates a new job at the same location as the selected job group or job (Ctrl+Alt+A) diff --git a/docs/accessanalyzer/12.0/admin/navigate/resultspane.md b/docs/accessanalyzer/12.0/admin/navigate/resultspane.md index 8bcbbc4cae..fb3440a9df 100644 --- a/docs/accessanalyzer/12.0/admin/navigate/resultspane.md +++ b/docs/accessanalyzer/12.0/admin/navigate/resultspane.md @@ -2,7 +2,7 @@ The Results pane displays all views for the selected console section. -![Results Pane](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/resultspane.webp) +![Results Pane](/img/product_docs/accessanalyzer/admin/navigate/resultspane.webp) The Results pane displays all views for the selected console section. This includes solution, job group, and job descriptions, configuration views, native and materialized data tables and views, and diff --git a/docs/accessanalyzer/12.0/admin/navigate/top.md b/docs/accessanalyzer/12.0/admin/navigate/top.md index 1976ef13fd..27cca4c7f2 100644 
--- a/docs/accessanalyzer/12.0/admin/navigate/top.md +++ b/docs/accessanalyzer/12.0/admin/navigate/top.md @@ -10,7 +10,7 @@ Analyzer. The two parts of the Top Navigation section are: Users can access various Access Analyzer functions and actions in the Menu Bar. -![Menu Bar on Console](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/menubar.webp) +![Menu Bar on Console](/img/product_docs/accessanalyzer/admin/navigate/menubar.webp) The Menu Bar options are: @@ -19,7 +19,7 @@ The Menu Bar options are: - Create Job – Creates a new job (Ctrl+Alt+A) at the selected location within the Jobs tree - Add Instant Job – Opens the Access Analyzer Instant Job Wizard to install an instant job set at the selected location within the Jobs tree. See the - [Instant Job Wizard](../jobs/instantjobs/overview.md) section for information on installing + [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) section for information on installing instant solutions from the Access Analyzer Library. **CAUTION:** Delete Job will also delete all data tables with the job’s base naming @@ -27,7 +27,7 @@ The Menu Bar options are: - Delete Job – Deletes the selected job from the Jobs tree - Properties – Opens the Job Properties window for the selected job. See the - [Job Properties](../jobs/job/properties/overview.md) topic for additional information. + [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) topic for additional information. - Export Data – Exports the selected data table or view to an HTML, XML, or CSV file format - Exit – Closes the Access Analyzer application 
@@ -48,13 +48,13 @@ The Menu Bar options are: - Reset Current Data View – This is a legacy feature - Show Change Deltas – This is a legacy feature - Show Job Progress – Redirects the Access Analyzer Console to the Running Job Node to view the - running job’s progress. See the [Running Instances Node](../runninginstances/overview.md) + running job’s progress. See the [Running Instances Node](/docs/accessanalyzer/12.0/admin/runninginstances/overview.md) topic for additional information. - Job - Add Instant Job – Opens the Access Analyzer Instant Job Wizard to install an instant job set at the selected location within the Jobs tree. See the - [Instant Job Wizard](../jobs/instantjobs/overview.md) section for information on installing + [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) section for information on installing instant solutions from the Access Analyzer Library. - Create Job – Creates a new job (Ctrl + Alt + A) at the selected location within the Jobs tree @@ -68,12 +68,12 @@ The Menu Bar options are: - Rename Job – Renames the selected job - Properties – Opens the Job Properties window for the selected job. See the - [Job Properties](../jobs/job/properties/overview.md) topic for additional information. + [Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) topic for additional information. - Execute: - Run Job or Group – Starts job execution for the selected job group or job - Stop Job or Group – Stops job execution for the selected job group or job - Schedule – Opens the selected job’s Schedule window. See the - [Schedule Jobs](../schedule/overview.md#schedule-jobs) topic for additional information. + [Schedule Jobs](/docs/accessanalyzer/12.0/admin/schedule/overview.md#schedule-jobs) topic for additional information. - Queries: - Add from Library – Opens the Library to add a query to the selected job’s Query Selection 
@@ -90,7 +90,7 @@ The Menu Bar options are: query. See the Query Selection topic for additional information. See the Data Collectors topic for additional information. See the - [Data Collectors](../datacollector/overview.md) topic for additional information. + [Data Collectors](/docs/accessanalyzer/12.0/admin/datacollector/overview.md) topic for additional information. - Reports - Create Report – Creates a new report at the selected Reports node @@ -102,14 +102,14 @@ The Menu Bar options are: - Schedules - Schedule – Opens the selected object’s Schedule window to create a new scheduled action. The Access Analyzer Console is redirected to the Schedules node. See the - [Schedule](../settings/schedule.md) topic for additional information. + [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information. - Delete – Delete the selected scheduled task from the Scheduled Actions view of the Schedules node - Properties – Opens the selected scheduled task’s Schedule window. See the - [Schedule](../settings/schedule.md) topic for additional information. + [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information. - Tools - Libraries – Opens the Add Query from Library window to add a query to the selected job’s Query - Selection view. See the [Schedule](../settings/schedule.md) topic for additional information. + Selection view. See the [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information. - Options – Redirects the Access Analyzer Console to the Settings node - Help - Content – Opens Access Analyzer help documentation 
@@ -124,21 +124,21 @@ The Menu Bar options are: The Button bar provides quick links to various actions and functions in Access Analyzer. -![Button Bar](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) +![Button Bar](/img/product_docs/accessanalyzer/admin/datacollector/buttonbar.webp) The options in the Button Bar are: | Icon | Icon Description | Name | | --------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | --------------------------------------------------- | -| ![selectinstantjob](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/selectinstantjob.webp) | Paper with plus sign | Select an Instant Job | -| ![newjob](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/newjob.webp) | Paper with pencil | Create a new job (Ctrl + Alt + A) | -| ![newgroup](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/newgroup.webp) | Folder with plus sign | Create a new group | -| ![newquery](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/newquery.webp) | Puzzle piece with plus sign | Create a new query and add it to the selected table | -| ![addreport](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/addreport.webp) | Graph with plus sign | Add a report | -| ![addquery](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/addquery.webp) | Book with plus sign | Add a query from a library | -| ![cut](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/cut.webp) | Scissors | Cut the selected query to the clipboard (Ctrl + X) | -| ![copy](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/copy.webp) | Duplicate papers | Copy the selected query to the clipboard (Ctrl + C) | -| ![paste](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/paste.webp) | Clipboard with paper | Paste 
the query from the clipboard (Ctrl + V) | -| ![delete](../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) | Red X | Delete the selected query | +| ![selectinstantjob](/img/product_docs/accessanalyzer/admin/navigate/selectinstantjob.webp) | Paper with plus sign | Select an Instant Job | +| ![newjob](/img/product_docs/accessanalyzer/admin/navigate/newjob.webp) | Paper with pencil | Create a new job (Ctrl + Alt + A) | +| ![newgroup](/img/product_docs/accessanalyzer/admin/navigate/newgroup.webp) | Folder with plus sign | Create a new group | +| ![newquery](/img/product_docs/accessanalyzer/admin/navigate/newquery.webp) | Puzzle piece with plus sign | Create a new query and add it to the selected table | +| ![addreport](/img/product_docs/accessanalyzer/admin/navigate/addreport.webp) | Graph with plus sign | Add a report | +| ![addquery](/img/product_docs/accessanalyzer/admin/navigate/addquery.webp) | Book with plus sign | Add a query from a library | +| ![cut](/img/product_docs/accessanalyzer/admin/navigate/cut.webp) | Scissors | Cut the selected query to the clipboard (Ctrl + X) | +| ![copy](/img/product_docs/accessanalyzer/admin/navigate/copy.webp) | Duplicate papers | Copy the selected query to the clipboard (Ctrl + C) | +| ![paste](/img/product_docs/accessanalyzer/admin/navigate/paste.webp) | Clipboard with paper | Paste the query from the clipboard (Ctrl + V) | +| ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) | Red X | Delete the selected query | Select a button for the desired action. diff --git a/docs/accessanalyzer/12.0/admin/overview.md b/docs/accessanalyzer/12.0/admin/overview.md index fde345478e..8a5cc88a23 100644 --- a/docs/accessanalyzer/12.0/admin/overview.md +++ b/docs/accessanalyzer/12.0/admin/overview.md 
@@ -20,7 +20,7 @@ requirements, e.g. real-time file level activity monitoring, these agent-based a collection methods allow the kind of deep rich information, which can usually be obtained only by substantial manual effort. -See the [Data Collectors](datacollector/overview.md) topic for additional information. +See the [Data Collectors](/docs/accessanalyzer/12.0/admin/datacollector/overview.md) topic for additional information. ## Analysis Modules Overview @@ -38,7 +38,7 @@ ease: - Notification – Get alerts based upon any condition within any dataset, with control over how and how often alerts are generated -See the [Analysis Modules](analysis/overview.md) topic for additional information. +See the [Analysis Modules](/docs/accessanalyzer/12.0/admin/analysis/overview.md) topic for additional information. ## Action Modules Overview @@ -48,7 +48,7 @@ Distribution Lists, SharePoint sites, and Windows Registry. The Mail and Survey in conjunction with other Action Modules and datasets to instantiate workflows involving end-users such as data custodians to obtain answers and verifications. -See the [Action Modules](action/overview.md) topic for additional information. +See the [Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md) topic for additional information. ## Reporting Overview @@ -62,4 +62,4 @@ without requiring access to the Access Analyzer Console. It is accessed through Console, which is created during the installation of Access Analyzer. The Web Console can also provide access to the Access Information Center, and other Stealthbits products. -See the [Reporting](report/overview.md) topic for additional information. +See the [Reporting](/docs/accessanalyzer/12.0/admin/report/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/chartwizard/chartformat.md b/docs/accessanalyzer/12.0/admin/report/chartwizard/chartformat.md index 5147ca0c9a..a6156b87ab 100644 
--- a/docs/accessanalyzer/12.0/admin/report/chartwizard/chartformat.md +++ b/docs/accessanalyzer/12.0/admin/report/chartwizard/chartformat.md @@ -3,7 +3,7 @@ The Chart Format page of the Chart Configuration wizard is where you can select the chart type and configure additional format options. -![Chart Configuration wizard Chart Format page](../../../../../../static/img/product_docs/accessanalyzer/admin/report/chartwizard/chartformat.webp) +![Chart Configuration wizard Chart Format page](/img/product_docs/accessanalyzer/admin/report/chartwizard/chartformat.webp) The Chart Format page has the following options: @@ -28,4 +28,4 @@ The Chart Format page has the following options: resets back to the default. Once you have configured the options as required, click **Next** to proceed to the Data Source page. -See the [Data Source](datasource.md) topic for additional information. +See the [Data Source](/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md b/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md index 3fc6b8c724..7c801c6e34 100644 --- a/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md +++ b/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md @@ -9,7 +9,7 @@ The Chart Configuration tab is split into three sections, label column selection configuration, and a chart preview. Use this tab to configure the columns from the data source to be shown in the chart. -![Chart Configuration wizard Configure page](../../../../../../static/img/product_docs/accessanalyzer/admin/analysis/configure.webp) +![Chart Configuration wizard Configure page](/img/product_docs/accessanalyzer/admin/analysis/configure.webp) The left side shows all the columns from the data source table that can be used for the label axis. For example, the label column is the x-axis on a line chart and the y-axis on a bar chart. Select 
@@ -50,7 +50,7 @@ Additionally, you can see a preview of the source data table in the Data Preview Once you have finished configuring the chart, click **Finish** to close the wizard. You are returned to the Widgets page of the Report Configuration wizard, where the newly configured chart is shown. You must complete the Report Configuration wizard to save the chart on the report. See the -[Widgets Page](../wizard/widgets.md) topic for additional information. +[Widgets Page](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md) topic for additional information. ### Add New Series / Edit Series Window @@ -58,7 +58,7 @@ The Add new series and Edit series windows allow you to configure the data serie appropriate window is opened by clicking **Add** to create a new series, or by selecting an existing series and clicking **Edit**. -![Add new series window](../../../../../../static/img/product_docs/accessanalyzer/admin/report/chartwizard/addnewseries.webp) +![Add new series window](/img/product_docs/accessanalyzer/admin/report/chartwizard/addnewseries.webp) These windows contain the following options for the data series: @@ -91,7 +91,7 @@ window without saving. At the bottom of the page a preview of the currently configured chart is displayed. -![Chart preview](../../../../../../static/img/product_docs/accessanalyzer/admin/report/chartwizard/configurechartpreview.webp) +![Chart preview](/img/product_docs/accessanalyzer/admin/report/chartwizard/configurechartpreview.webp) If the configuration is incomplete or invalid, a message with instructions to fix the configuration is displayed in the preview window instead. The following are possible messages and scenarios that 
@@ -107,7 +107,7 @@ would cause them: The Data Preview tab allows you to see and customize the data that is to be shown in the chart. -![Data Preview tab](../../../../../../static/img/product_docs/accessanalyzer/admin/report/chartwizard/configuredatapreview.webp) +![Data Preview tab](/img/product_docs/accessanalyzer/admin/report/chartwizard/configuredatapreview.webp) The buttons above the column names provide you the following options for configuring the table arrangement: diff --git a/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md b/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md index 4960652e86..060390efea 100644 --- a/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md +++ b/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md @@ -2,7 +2,7 @@ On the Data Source page of the Chart Configuration wizard configure the data source for the chart. -![Chart Configuration wizard Data Source page](../../../../../../static/img/product_docs/accessanalyzer/admin/report/chartwizard/datasource.webp) +![Chart Configuration wizard Data Source page](/img/product_docs/accessanalyzer/admin/report/chartwizard/datasource.webp) In order to generate results, a location must first be selected as the source of the data. The table on this wizard page contains a list of tables and views within Access Analyzer from jobs that have @@ -21,4 +21,4 @@ There are the following additional data source options: collections. It is keyed off of the Jobruntimekey column. Once you have selected the data source, click **Next** to proceed to the Configure page. See the -[Configure](configure.md) topic for additional information. +[Configure](/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/chartwizard/overview.md b/docs/accessanalyzer/12.0/admin/report/chartwizard/overview.md index d346f3c736..6cfd85249b 100644 
--- a/docs/accessanalyzer/12.0/admin/report/chartwizard/overview.md +++ b/docs/accessanalyzer/12.0/admin/report/chartwizard/overview.md @@ -2,13 +2,13 @@ The Chart Configuration wizard allows you to configure the charts that display on reports. The wizard opens when you select to configure a Chart widget from the Widgets page of the Report -Configuration Wizard. See the [Widgets Page](../wizard/widgets.md) topic for additional information. +Configuration Wizard. See the [Widgets Page](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md) topic for additional information. The Chart Configuration wizard consists of three pages: -- [Chart Format](chartformat.md) -- [Data Source](datasource.md) -- [Configure](configure.md) +- [Chart Format](/docs/accessanalyzer/12.0/admin/report/chartwizard/chartformat.md) +- [Data Source](/docs/accessanalyzer/12.0/admin/report/chartwizard/datasource.md) +- [Configure](/docs/accessanalyzer/12.0/admin/report/chartwizard/configure.md) Once you have finished configuring the chart, click **Finish** to close the wizard. You are returned to the Widgets page of the Report Configuration wizard, where the newly configured chart is shown. diff --git a/docs/accessanalyzer/12.0/admin/report/cleanup.md b/docs/accessanalyzer/12.0/admin/report/cleanup.md index aa3b4775b1..81d4debda4 100644 --- a/docs/accessanalyzer/12.0/admin/report/cleanup.md +++ b/docs/accessanalyzer/12.0/admin/report/cleanup.md 
@@ -6,25 +6,25 @@ job group that contains published reports. **CAUTION:** Deleted objects cannot be restored. -![Delete Group on right-click menu](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Delete Group on right-click menu](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) **Step 1 –** In the Jobs tree, right-click on the job or group that you want to delete and select **Delete Job/Group**. -![Delete Group wizard page](../../../../../static/img/product_docs/accessanalyzer/admin/report/deletegroup.webp) +![Delete Group wizard page](/img/product_docs/accessanalyzer/admin/report/deletegroup.webp) **Step 2 –** On the Delete Job/Group page of the wizard, confirm it shows the correct job or group that you want to delete, then click **Next**. **NOTE:** If there are no published reports, clicking **Next** starts the deletion (skip to step 4). -![Delete Published Reports wizard page](../../../../../static/img/product_docs/accessanalyzer/admin/report/reporttree.webp) +![Delete Published Reports wizard page](/img/product_docs/accessanalyzer/admin/report/reporttree.webp) **Step 3 –** The Delete Published Reports page of the wizard shows the tree of published reports. Select the checkboxes next to all the reports you want to delete. You can also select reports by job group or job. Click **Next** to proceed with the deletion. -![Progress wizard page](../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) +![Progress wizard page](/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) **Step 4 –** The Progress page shows you the status of the deletion process. When it has completed, click **Finish** to exit the wizard. 
@@ -34,7 +34,7 @@ to delete any of the published reports contained in any of the deleted jobs, the reports can still be viewed in the Web Console, even though the parent has been removed from the Access Analyzer Console. -![Delete Published Reports page with a report from previous deletion](../../../../../static/img/product_docs/accessanalyzer/admin/report/reportfrompreviousdeletion.webp) +![Delete Published Reports page with a report from previous deletion](/img/product_docs/accessanalyzer/admin/report/reportfrompreviousdeletion.webp) The remaining published reports that weren't deleted are shown in the wizard if you are deleting the parent group of the previously deleted job or group. diff --git a/docs/accessanalyzer/12.0/admin/report/create.md b/docs/accessanalyzer/12.0/admin/report/create.md index b2e22b5e2d..920c4961ce 100644 --- a/docs/accessanalyzer/12.0/admin/report/create.md +++ b/docs/accessanalyzer/12.0/admin/report/create.md 
@@ -20,21 +20,21 @@ to create a new report. **Step 1 –** Navigate to **Jobs** > **[Job]** > **Configure** and select the **Reports** node. -![Create report option](../../../../../static/img/product_docs/threatprevention/threatprevention/eperestsite/create.webp) +![Create report option](/img/product_docs/threatprevention/threatprevention/eperestsite/create.webp) **Step 2 –** On the Reports page, click Create. **Step 3 –** The Report Configuration wizard is automatically launched. Use the wizard to configure -the new report as required, see the [Report Configuration Wizard](wizard/overview.md) topic for +the new report as required, see the [Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md) topic for instructions. Click **Finish** on the final page of the wizard to create the report. The new report is added to the Reports table. -![Generate report](../../../../../static/img/product_docs/accessanalyzer/admin/report/generate.webp) +![Generate report](/img/product_docs/accessanalyzer/admin/report/generate.webp) **Step 4 –** Click the vertical ellipsis menu next to the report and select Generate. -The report is now created. To access the new report, see the [Viewing Generated Reports](view.md) +The report is now created. To access the new report, see the [Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic. ## Copy an Existing Report 
@@ -43,12 +43,12 @@ You can create a new report by copying an existing report and pasting it in a jo You can then optionally customize the report as required. Follow the steps to create a copy of an existing report. -![Copy Report](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/copy.webp) +![Copy Report](/img/product_docs/accessanalyzer/admin/navigate/copy.webp) **Step 1 –** Navigate to the Reports node where the desired report to copy is located. Click the vertical ellipsis menu next to the report and select Copy. -![Paste Report](../../../../../static/img/product_docs/accessanalyzer/admin/navigate/paste.webp) +![Paste Report](/img/product_docs/accessanalyzer/admin/navigate/paste.webp) **Step 2 –** Navigate to the Reports node in the desired destination for the new report. Click the vertical ellipsis menu in the header row of the Reports table and select Paste. @@ -62,9 +62,9 @@ report is named Exceptions Summary, then the new report is named `Exceptions Sum **Step 3 –** (Optional) Click the **Configure** button next to the report. Use the Report Configuration wizard to modify the reports settings. See the -[Report Configuration Wizard](wizard/overview.md) topic for instructions. +[Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md) topic for instructions. **Step 4 –** Click the vertical ellipsis menu next to the report and select Generate. -The report is now created. To access the new report, see the [Viewing Generated Reports](view.md) +The report is now created. To access the new report, see the [Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic. diff --git a/docs/accessanalyzer/12.0/admin/report/edit.md b/docs/accessanalyzer/12.0/admin/report/edit.md index 1e1bd4452f..9534b3de52 100644 --- a/docs/accessanalyzer/12.0/admin/report/edit.md +++ b/docs/accessanalyzer/12.0/admin/report/edit.md 
@@ -11,17 +11,17 @@ Follow the steps to modify an existing report. **Step 1 –** Navigate to the Reports node that contains the report. -![Configure Report](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/configure.webp) +![Configure Report](/img/product_docs/accessanalyzer/admin/analysis/configure.webp) **Step 2 –** Click the **Configure** button next to the report you want to modify. **Step 3 –** Use the Report Configuration wizard to make any required changes. See the -[Report Configuration Wizard](wizard/overview.md) topic for instructions. +[Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md) topic for instructions. - You must go through all pages of the wizard, and click **Finish** on the final page to save your changes. Skip any sections or pages that do not require changes to the existing configuration. You can click **Cancel** on any page to exit the wizard without saving your changes. Your configuration updates have been saved. To view the updated report you need to first generate -the report or run it's associated job. See the [Viewing Generated Reports](view.md) topic for +the report or run it's associated job. See the [Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/interactivegrids/copyingcells.md b/docs/accessanalyzer/12.0/admin/report/interactivegrids/copyingcells.md index 01c893277f..0078957e2a 100644 --- a/docs/accessanalyzer/12.0/admin/report/interactivegrids/copyingcells.md +++ b/docs/accessanalyzer/12.0/admin/report/interactivegrids/copyingcells.md 
@@ -4,7 +4,7 @@ Copying an individual cell within a generated report enables easier searching fo the AIC or other tools. The copy feature can only be used on interactive grids. Each cell listed under a column can be selected and copied to the clipboard. -![Copy Cell Data](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/copycell.webp) +![Copy Cell Data](/img/product_docs/accessanalyzer/admin/report/interactivegrids/copycell.webp) To copy a cell, select the cell, then right-click on it and select **Copy Cell Data**. diff --git a/docs/accessanalyzer/12.0/admin/report/interactivegrids/grouping.md b/docs/accessanalyzer/12.0/admin/report/interactivegrids/grouping.md index 9c7262201e..2d7807482e 100644 --- a/docs/accessanalyzer/12.0/admin/report/interactivegrids/grouping.md +++ b/docs/accessanalyzer/12.0/admin/report/interactivegrids/grouping.md @@ -7,9 +7,9 @@ data can be grouped. Filter icon is disabled in the report. The following example shows an interactive grid in which grouping has been enabled. See the -[Grid](../wizard/widgets.md#grid) topic for additional information. +[Grid](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md#grid) topic for additional information. -![Group by option](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/groupby.webp) +![Group by option](/img/product_docs/accessanalyzer/admin/report/interactivegrids/groupby.webp) The drop-down list to the right of the Group by field can be accessed by clicking the down arrow. Click an item from the drop-down list to group the report by that category. diff --git a/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md b/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md index 5ba77df3ca..8e59c0ed12 100644 --- a/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md +++ b/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md 
@@ -8,7 +8,7 @@ filter it as required. Interactive grids allow you to perform the following acti - Paging - Download data to a CSV file -![Interactive Grid actions bar](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/interactivegridoptions.webp) +![Interactive Grid actions bar](/img/product_docs/accessanalyzer/admin/report/interactivegrids/interactivegridoptions.webp) The toolbar in an interactive grid can display the following options: @@ -18,11 +18,11 @@ The toolbar in an interactive grid can display the following options: - Up arrow and down arrow – Click to expand or collapse the groups - Download Data – Click to download all data to a CSV file. This option is displayed when the **Export table data as CSV** checkbox has been selected for the report, see the - [Grid](../wizard/widgets.md#grid) topic for additional information. + [Grid](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md#grid) topic for additional information. When enumeration is set on an interactive grid, a second download button is displayed. A CSV file can be downloaded that contains only data for the selected enumeration. -![Group by loading data](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/groupbyloadingdata.webp) +![Group by loading data](/img/product_docs/accessanalyzer/admin/report/interactivegrids/groupbyloadingdata.webp) When grouping data, interactive grids display the percentage of data that has loaded on the page. diff --git a/docs/accessanalyzer/12.0/admin/report/interactivegrids/paging.md b/docs/accessanalyzer/12.0/admin/report/interactivegrids/paging.md index f0321165df..b7fba88c26 100644 --- a/docs/accessanalyzer/12.0/admin/report/interactivegrids/paging.md +++ b/docs/accessanalyzer/12.0/admin/report/interactivegrids/paging.md 
@@ -3,13 +3,13 @@ Paging allows users to interact with large sets of data more efficiently when viewing, filtering, and sorting generated report tables by limiting the amount of data being displayed at a given time. Reports provide the ability to navigate to specific pages using arrows at the bottom of the report. -Paging is enabled by default. See the [Grid](../wizard/widgets.md#grid) topic for additional +Paging is enabled by default. See the [Grid](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md#grid) topic for additional information. **NOTE:** Paging and grouping cannot be enabled at the same time. When Paging is enabled, the Grouping options are disabled for the report. -![Paging](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/paging.webp) +![Paging](/img/product_docs/accessanalyzer/admin/report/interactivegrids/paging.webp) When paging is enabled, arrows are displayed that allow you to navigate to the next page, last page, previous page, or first page. If the data is filtered, it is indicated at the end of the line. Each diff --git a/docs/accessanalyzer/12.0/admin/report/interactivegrids/searchfilter.md b/docs/accessanalyzer/12.0/admin/report/interactivegrids/searchfilter.md index 48d4c00d06..8ec372c039 100644 --- a/docs/accessanalyzer/12.0/admin/report/interactivegrids/searchfilter.md +++ b/docs/accessanalyzer/12.0/admin/report/interactivegrids/searchfilter.md 
@@ -7,9 +7,9 @@ be done using the Filter icon. Search icon is disabled in the report. The following example shows an interactive grid in which searching has been enabled. See the -[Grid](../wizard/widgets.md#grid) topic for additional information. +[Grid](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md#grid) topic for additional information. -![Search](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) +![Search](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) Enter search criteria in the boxes under the columns to filter the data. Click the search icon again to clear the filters. @@ -22,7 +22,7 @@ column size to fit the largest length of text contained in the column. Enabling the enumerated column option, and choosing a column from the data set adds a list of column types to display as enumerated tables. -![Enumerated Table](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/enumerated.webp) +![Enumerated Table](/img/product_docs/accessanalyzer/admin/report/interactivegrids/enumerated.webp) To change the enumeration in the report, select an option from the enumerated column list. When enumeration is set on an interactive grid, a second download button is displayed with the name of @@ -34,7 +34,7 @@ the data for the selected enumeration. Data can also be filtered on dates and times. Expanding the column's width activates hyperlinks to filter on specific time periods. -![Date column filter](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/datefilter.webp) +![Date column filter](/img/product_docs/accessanalyzer/admin/report/interactivegrids/datefilter.webp) Enter a Start and End date and select the desired time period. 
@@ -56,7 +56,7 @@ filtering include the following: Columns can be added or removed from the table. -![Add and remove columns](../../../../../../static/img/product_docs/accessanalyzer/admin/report/interactivegrids/addremovecolumns.webp) +![Add and remove columns](/img/product_docs/accessanalyzer/admin/report/interactivegrids/addremovecolumns.webp) Right-click on a column to display a list of the available columns. Select the checkboxes of the columns you want to be displayed. Click the up or down arrows to scroll through the list of columns. diff --git a/docs/accessanalyzer/12.0/admin/report/overview.md b/docs/accessanalyzer/12.0/admin/report/overview.md index 6869b499ee..19c6913946 100644 --- a/docs/accessanalyzer/12.0/admin/report/overview.md +++ b/docs/accessanalyzer/12.0/admin/report/overview.md 
@@ -4,20 +4,20 @@ Access Analyzer provides the ability to report on collected data in multiple way views, graphs, and emails. Depending on the type of data collected, different reporting methods can simplify how to present and understand the information. -![Reports node](../../../../../static/img/product_docs/accessanalyzer/admin/report/reports.webp) +![Reports node](/img/product_docs/accessanalyzer/admin/report/reports.webp) The Reports node, contained within a job’s Configure node, lists any reports that are configured for the job. The page contains options to create a report, configure existing reports, and a link to view generated reports. The configuration of reports vary by use case, but they contain the same elements. The layout and elements of a report are configured using the -[Report Configuration Wizard](wizard/overview.md). +[Report Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/wizard/overview.md). In addition, there are various ways to view and interact with generated reports. Generated reports can be viewed in the Access Analyzer Console or in the Web Console. Reports can also be configured to be downloaded as a CSV file, or sent as an email in various forms. See the -[Viewing Generated Reports](view.md) topic for additional information. +[Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic for additional information. The global settings configured under the Settings node are inherited down through the Jobs tree to the job unless inheritance is broken in a job group’s Settings node, a job’s Properties window, or -in the Report Configuration Wizard. See the [Reporting](../settings/reporting.md) topic for +in the Report Configuration Wizard. See the [Reporting](/docs/accessanalyzer/12.0/admin/settings/reporting.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/tags.md b/docs/accessanalyzer/12.0/admin/report/tags.md index 28cbab5d76..953fdf4099 100644 
--- a/docs/accessanalyzer/12.0/admin/report/tags.md +++ b/docs/accessanalyzer/12.0/admin/report/tags.md 
@@ -5,24 +5,24 @@ example, tags can be included in a report to show the compliance frameworks to w maps. To view tags or click on tag links, reports must be viewed in the Web Console. Tags are not supported in reports in the Jobs tree. -![Web Console Home Page](../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) +![Web Console Home Page](/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) If Reports from solutions that have been run have tags added to them, those tags can be found under the Tags tab in the Navigation section on the right-hand side of the Published Reports homepage. -| ![Tags tab on Web Console homepage](../../../../../static/img/product_docs/accessanalyzer/admin/report/privilegedaccountstag.webp) | +| ![Tags tab on Web Console homepage](/img/product_docs/accessanalyzer/admin/report/privilegedaccountstag.webp) | | -------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | Privileged Accounts Tag on Published Reports homepage | Privileged Accounts Tag page | Click on a tag to view all reports that contain the selected tag. -![Job Group view in the Web Console](../../../../../static/img/product_docs/accessanalyzer/admin/report/jobgroupview.webp) +![Job Group view in the Web Console](/img/product_docs/accessanalyzer/admin/report/jobgroupview.webp) Clicking on a job group in the Published Reports menu displays the reports contained in that job group. Jobs within that job group that have tags are identified with a tag icon along with the tag name. 
-![Report header](../../../../../static/img/product_docs/accessanalyzer/admin/report/reportheader.webp) +![Report header](/img/product_docs/accessanalyzer/admin/report/reportheader.webp) When viewing a report in either the Web Console or the Access Analyzer console, tags are displayed below the report title. Click on a tag to view all reports that contain that tag. If the tag is diff --git a/docs/accessanalyzer/12.0/admin/report/view.md b/docs/accessanalyzer/12.0/admin/report/view.md index 69f898f803..b6df449d9a 100644 --- a/docs/accessanalyzer/12.0/admin/report/view.md +++ b/docs/accessanalyzer/12.0/admin/report/view.md @@ -13,11 +13,11 @@ or published reports can be viewed in the Web Console. Each job contains a results node where reports generated by that job can be viewed. Even if the report is unpublished, the report is still displayed here. -![Report in the Results node](../../../../../static/img/product_docs/accessanalyzer/admin/report/viewresultsnode.webp) +![Report in the Results node](/img/product_docs/accessanalyzer/admin/report/viewresultsnode.webp) Select the desired report to be viewed. The report displays in the Results pane of the console. -![Access report from configure page](../../../../../static/img/product_docs/accessanalyzer/admin/report/viewconfigure.webp) +![Access report from configure page](/img/product_docs/accessanalyzer/admin/report/viewconfigure.webp) You can also access the report from the **Configure** > **Reports** page for the job. Click the report title to view the report. 
@@ -26,21 +26,21 @@ report title to view the report. The most common place to view reports is the Web Console. For information on how to access the Web Console, see the -[Log into the Web Console](../../install/application/reports/overview.md#log-into-the-web-console) +[Log into the Web Console](/docs/accessanalyzer/12.0/install/application/reports/overview.md#log-into-the-web-console) topic. -![Web Console Home page](../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) +![Web Console Home page](/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) On the home page of the Web Console, select a solution to view a list of all published reports for that solution’s job group. This list includes reports with changed Publish Path locations. -![Web Console .Active Directory Inventory](../../../../../static/img/product_docs/accessanalyzer/admin/report/webconsolesolutioninventory.webp) +![Web Console .Active Directory Inventory](/img/product_docs/accessanalyzer/admin/report/webconsolesolutioninventory.webp) Clicking a report name link opens the selected report, or navigate through the folders to select a report. From within the Web Console, reports cannot be edited or deleted. However, the interactive grid -functions are enabled. See the [Interactive Grids](interactivegrids/overview.md) topic for +functions are enabled. See the [Interactive Grids](/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md) topic for additional information. An additional feature available within the Web Console is the option to download data as a CSV file, which can be enabled for grid elements. This exports the data within tables, both interactive grid and plain HTML tables. See the [Grid](wizard/widgets.md#grid) topic 
@@ -48,5 +48,5 @@ for additional information. **NOTE:** Any browser used to access the Web Console must have JavaScript allowed for the site. See the -[Configure JavaScript Settings for the Web Console](../settings/reporting.md#configure-javascript-settings-for-the-web-console) +[Configure JavaScript Settings for the Web Console](/docs/accessanalyzer/12.0/admin/settings/reporting.md#configure-javascript-settings-for-the-web-console) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/authoring.md b/docs/accessanalyzer/12.0/admin/report/wizard/authoring.md index 350e16e09f..5b49ee8e3b 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/authoring.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/authoring.md @@ -3,17 +3,17 @@ On the Authoring page of the Report Configuration wizard, you can configure the name, header information, and publish settings for the report. -![Report Configuration wizard Authoring page](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/authoring.webp) +![Report Configuration wizard Authoring page](/img/product_docs/accessanalyzer/admin/report/wizard/authoring.webp) Configure the following settings as required: -![name](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/name.webp) +![name](/img/product_docs/accessanalyzer/admin/report/wizard/name.webp) - Name – The name used for the report in the Access Analyzer console and Web Console. Header Options -![header](../../../../../../static/img/product_docs/accessanalyzer/admin/action/webrequest/header.webp) +![header](/img/product_docs/accessanalyzer/admin/action/webrequest/header.webp) - Title – The title of the report as displayed at the top of the generated report - Author – Name of the person or group who created the report. This is displayed at the top of the 
@@ -30,9 +30,9 @@ Publish Options Console when it is generated. - Use default setting – Applies the Global report settings, or the settings configured at the job group or job levels if inheritance has been broken. (See the - [Publish Option](../../settings/reporting.md#publish-option), - [Reporting Node](../../jobs/group/reporting.md), and - [Report Settings Tab](../../jobs/job/properties/reportsettings.md) topics for additional + [Publish Option](/docs/accessanalyzer/12.0/admin/settings/reporting.md#publish-option), + [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md), and + [Report Settings Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md) topics for additional information.) - Publish report – Select this option to publish the report - Do not publish report – Select this option to not publish the report @@ -42,7 +42,7 @@ Publish Options ## Add Tags to a Report You can add tags to reports to describe the content and use cases of the report (see the -[Tags](../tags.md) topic for additional information). The Tag Editor allows you to select the tags +[Tags](/docs/accessanalyzer/12.0/admin/report/tags.md) topic for additional information). The Tag Editor allows you to select the tags for a report, including creating new ones to select. Follow the steps to select tags using the Tag Editor. @@ -50,7 +50,7 @@ Follow the steps to select tags using the Tag Editor. **Step 1 –** On the Authoring page of the Report Configuration wizard, click the **Edit** button located next to the Tags text box. -![Tag Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/tageditor.webp) +![Tag Editor](/img/product_docs/accessanalyzer/admin/report/wizard/tageditor.webp) **Step 2 –** In the Tag editor, select the checkbox next to the tags that should be applied to the report. 
diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/email.md b/docs/accessanalyzer/12.0/admin/report/wizard/email.md index 1299f78cac..d8102bb17c 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/email.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/email.md @@ -3,18 +3,18 @@ The E-mail page of the Report Configuration wizard gives you the option to break inheritance and select report specific settings for emailing the report. -![Report Configuration wizard E-mail page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/email.webp) +![Report Configuration wizard E-mail page](/img/product_docs/accessanalyzer/admin/settings/email.webp) The default setting for new and included reports is **Use default setting**, which keeps the inheritance from the global, job group, or job settings (see the -[Email Report Options](../../settings/reporting.md#email-report-options), -[Reporting Node](../../jobs/group/reporting.md), and -[Report Settings Tab](../../jobs/job/properties/reportsettings.md) topics for additional +[Email Report Options](/docs/accessanalyzer/12.0/admin/settings/reporting.md#email-report-options), +[Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md), and +[Report Settings Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md) topics for additional information). If you want to keep the default, then you can skip this page of the wizard by clicking **Next**. **NOTE:** In order for reports to be emailed, the SMTP server information must be configured in the -**Settings** > **Notification** node. See the [Notification](../../settings/notification.md) topic +**Settings** > **Notification** node. See the [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) topic for additional information. To configure the setting for the report, use the Settings drop-down menu to select one of the 
@@ -29,7 +29,7 @@ following options: report. If it is selected, you must then configure the additional fields below. - Do not email this report – Select this option to not email the report -![Settings configured to email the report](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/emailconfigured.webp) +![Settings configured to email the report](/img/product_docs/accessanalyzer/admin/report/wizard/emailconfigured.webp) If the **Email this report** setting is selected, then the following fields are enabled for you to configure: diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/layout.md b/docs/accessanalyzer/12.0/admin/report/wizard/layout.md index 7fb4911d5e..57be42a7d7 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/layout.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/layout.md @@ -2,7 +2,7 @@ The Layout page allows you to configure the layout of the report's content. -![layout](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/layout.webp) +![layout](/img/product_docs/accessanalyzer/admin/report/wizard/layout.webp) Follow the steps to select the layout: @@ -12,7 +12,7 @@ row, 2 rows, or 3 rows. **Step 2 –** Click on the layout tile you want for the report. The layout for the report has been selected. Each box on the selected tile corresponds to a separate -widget that you next need to configure on the [Widgets Page](widgets.md) page of the Report +widget that you next need to configure on the [Widgets Page](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md) page of the Report Configuration wizard. ## Element Downgrade Editor 
@@ -20,7 +20,7 @@ Configuration wizard. If you are editing an existing report and you select a layout that has fewer elements than the number of already configured widgets, then the Element Downgrade Editor automatically displays. -![Element Downgrade Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/elementdowngradeeditor.webp) +![Element Downgrade Editor](/img/product_docs/accessanalyzer/admin/report/wizard/elementdowngradeeditor.webp) The maximum number of elements allowed by the correctly selected layout is specified at the top of the editor. Select the checkboxes next to the title of all the configured widgets you want to keep diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/overview.md b/docs/accessanalyzer/12.0/admin/report/wizard/overview.md index e4f40204a8..6646e65802 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/overview.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/overview.md @@ -1,8 +1,8 @@ # Report Configuration Wizard You can use the Report Configuration Wizard to configure reports. The wizard can be launched for an -existing report or when creating a new report. See the [Creating a Report](../create.md) and -[Editing Existing Reports](../edit.md) topics for additional information. +existing report or when creating a new report. See the [Creating a Report](/docs/accessanalyzer/12.0/admin/report/create.md) and +[Editing Existing Reports](/docs/accessanalyzer/12.0/admin/report/edit.md) topics for additional information. Follow the steps to configure a report using the wizard. 
@@ -10,21 +10,21 @@ Follow the steps to configure a report using the wizard. **Step 1 –** Create a new report or open the Report Configuration wizard for an existing report. -**Step 2 –** Configure the settings on the [Authoring Page](authoring.md) page. These include Name, +**Step 2 –** Configure the settings on the [Authoring Page](/docs/accessanalyzer/12.0/admin/report/wizard/authoring.md) page. These include Name, Header information, and publish settings. Click **Next**. -**Step 3 –** On the [E-mail Page](email.md) page, use the inherited settings or configure report +**Step 3 –** On the [E-mail Page](/docs/accessanalyzer/12.0/admin/report/wizard/email.md) page, use the inherited settings or configure report specific settings. Click **Next**. -**Step 4 –** The [Publish Security Page](publishsecurity.md) page is only enabled if role-based +**Step 4 –** The [Publish Security Page](/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md) page is only enabled if role-based access is configured for the Access Analyzer console. On this page you can view and configure accounts with permissions to view the report. If you are not using role-based access, you can skip this page. Click **Next**. -**Step 5 –** On the [Layout Page](layout.md) page, select the number of rows using the dropdown +**Step 5 –** On the [Layout Page](/docs/accessanalyzer/12.0/admin/report/wizard/layout.md) page, select the number of rows using the dropdown menu. Then select the desired pre-defined layout from the options displayed. Click **Next**. -**Step 6 –** On the [Widgets Page](widgets.md) page, configure widgets for each element of the +**Step 6 –** On the [Widgets Page](/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md) page, configure widgets for each element of the layout. **Step 7 –** Click **Finish** to save your changes. 
@@ -33,4 +33,4 @@ layout. to exit the wizard without saving your changes. Your configuration has been saved. For information on how to view your report, see the -[Viewing Generated Reports](../view.md) topic. +[Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic. diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md b/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md index 20f6ee6e48..abedd497d8 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md @@ -4,10 +4,10 @@ The Publish Security page of the Report Configuration wizard contains the accoun with inherited permissions to view the generated report. **NOTE:** This page is only enabled if Role Based Access is configured for the Access Analyzer -Console. See the [Role Based Access](../../settings/access/rolebased/overview.md) topic for +Console. See the [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for additional information. -![Publish Security page](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/publishsecurity.webp) +![Publish Security page](/img/product_docs/accessanalyzer/admin/report/wizard/publishsecurity.webp) Roles assigned at the global level are inherited down to the report configuration. Additional report viewer privileges can also be added at the job group or job levels. 
@@ -21,12 +21,12 @@ steps to add an account. **Step 1 –** Click **Add**. -![Select User, Service Account, or Group window](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/addreportviewer.webp) +![Select User, Service Account, or Group window](/img/product_docs/accessanalyzer/admin/report/wizard/addreportviewer.webp) **Step 2 –** On the Select User, Service Account or Group window, select the desired account and then click **OK**. -![Report Viewer user added in wizard](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/reportviewer.webp) +![Report Viewer user added in wizard](/img/product_docs/accessanalyzer/admin/report/wizard/reportviewer.webp) The selected account is added to the list with a Role of Report Viewer. diff --git a/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md b/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md index a4f9900e24..b49e86010c 100644 --- a/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md +++ b/docs/accessanalyzer/12.0/admin/report/wizard/widgets.md @@ -3,12 +3,12 @@ The Widgets page of the Report Configuration wizard allows you to configure the tables, charts, and text that form the report. -![Widgets page](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgets.webp) +![Widgets page](/img/product_docs/accessanalyzer/admin/report/wizard/widgets.webp) At the top of the page the selected layout is described. The table contains the available element locations where widgets need to be configured. -![Configure widgets](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetsconfigure.webp) +![Configure widgets](/img/product_docs/accessanalyzer/admin/report/wizard/widgetsconfigure.webp) To add a new widget to an empty element, click **Configure** and select the desired widget type from the drop-down menu. The following widgets are available: 
@@ -20,7 +20,7 @@ the drop-down menu. The following widgets are available: The editor or wizard for the selected widget opens. See the relevant section below for information about configuring it. -![Table with configured widgets](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetsconfigured.webp) +![Table with configured widgets](/img/product_docs/accessanalyzer/admin/report/wizard/widgetsconfigured.webp) For configured widgets the table shows the title, type, and data source. You can perform the following actions by selecting a row and clicking the relevant button: @@ -34,13 +34,13 @@ following actions by selecting a row and clicking the relevant button: The Grid widget type allows you to configure a table to be displayed on generated reports. -![Grid configuration window](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetgrid.webp) +![Grid configuration window](/img/product_docs/accessanalyzer/admin/report/wizard/widgetgrid.webp) ### Options The Options section allows you to configure the title and data source for the Grid element. -![Options section](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetgridoptions.webp) +![Options section](/img/product_docs/accessanalyzer/admin/report/wizard/widgetgridoptions.webp) The section contains the following options: 
@@ -72,7 +72,7 @@ You can configure the table to allow the data to be exported as a CSV file. as a CSV file from the generated report - When it is configured, you can click the **All Data** button on the table section of the report to save the report as a CSV file. See the - [Interactive Grids](../interactivegrids/overview.md) topic for more information. + [Interactive Grids](/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md) topic for more information. - Rows – Limits the amount of rows exported to the CSV file. The default is **Visible**. - Visible – Only includes the amount of rows set by the **Limit Maximum number of displayed rows to** option in the DataSource Options section @@ -86,12 +86,12 @@ You can configure the table to allow the data to be exported as a CSV file. The Table Properties section allows you to configure the display features of the grid. -![Table Properties section](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetgridtableproperties.webp) +![Table Properties section](/img/product_docs/accessanalyzer/admin/report/wizard/widgetgridtableproperties.webp) There are two types of grid displays: - Interactive grid – Allows the viewer to interact with the table in the generated report. See the - [Interactive Grids](../interactivegrids/overview.md) topic for additional information. + [Interactive Grids](/docs/accessanalyzer/12.0/admin/report/interactivegrids/overview.md) topic for additional information. - Non Interactive grid – Creates a report with fixed settings and stationary elements. This option disables all the fields within the Table Properties section. 
@@ -107,7 +107,7 @@ Grid Properties - Enable Paging – Enables Paging in reports. Paging allows users to interact with large sets of data more efficiently when viewing, filtering, and sorting generated report tables by limiting the amount of data being displayed at a given time. Paging is enabled by default. See the - [Paging](../interactivegrids/paging.md) topic for additional information. + [Paging](/docs/accessanalyzer/12.0/admin/report/interactivegrids/paging.md) topic for additional information. Column Properties @@ -126,7 +126,7 @@ Column Properties The selected data for the table is shown in the section at the bottom of the window. This section allows you to configure the data to be displayed in the table. -![Data display](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/widgetgriddata.webp) +![Data display](/img/product_docs/accessanalyzer/admin/report/wizard/widgetgriddata.webp) The buttons above the column names provide you options for configuring the table arrangement. @@ -141,7 +141,7 @@ The buttons above the column names provide you options for configuring the table Chart widgets allow you to create various chart types to represent data. A Chart Section can only display one chart type at a time. Charts are configured using the Chart Configuration wizard. See -the [Chart Configuration Wizard](../chartwizard/overview.md) topic for additional information. +the [Chart Configuration Wizard](/docs/accessanalyzer/12.0/admin/report/chartwizard/overview.md) topic for additional information. ## Text 
@@ -151,7 +151,7 @@ There are two types of text editor that allow you to configure a text element on - Advanced Text Editor – Provides advanced functionality like document formatting, inserting tables, and adding hyperlinks -![Text Editor selection window](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/texteditorselection.webp) +![Text Editor selection window](/img/product_docs/accessanalyzer/admin/report/wizard/texteditorselection.webp) When you first configure a new text element, a dialog displays allowing you to select the type of Text Editor. On this dialog, select either the Basic or Advanced Text Editor and click **Open @@ -161,7 +161,7 @@ Editor**. The selected editor then opens. ### Basic Text Editor -![Basic Text Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/basictexteditor.webp) +![Basic Text Editor](/img/product_docs/accessanalyzer/admin/report/wizard/basictexteditor.webp) The Basic Text Editor has the following options: 
@@ -179,18 +179,18 @@ provide basic editing options for text entries. | Icon | Description | | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| ![Undo](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/undo.webp) | Undo a change to the text | -| ![Redo](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/redo.webp) | Redo a change to the text | -| ![Paste](../../../../../../static/img/product_docs/accessanalyzer/admin/navigate/paste.webp) | Paste the contents of the clipboard | -| ![Paste Special](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/pastespecial.webp) | Paste as either formatted text, unformatted text, or metafile | -| ![Cut](../../../../../../static/img/product_docs/accessanalyzer/admin/navigate/cut.webp) | Cut the selected text and put it on the clipboard | -| ![Find](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/find.webp) | Find and replace specified text | -| ![Font](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/font.webp) | Change the font face | -| ![Font Size](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/fontsize.webp) | Change the font size | +| ![Undo](/img/product_docs/accessanalyzer/admin/report/wizard/undo.webp) | Undo a change to the text | +| ![Redo](/img/product_docs/accessanalyzer/admin/report/wizard/redo.webp) | Redo a change to the text | +| ![Paste](/img/product_docs/accessanalyzer/admin/navigate/paste.webp) | Paste the contents of the clipboard | +| ![Paste Special](/img/product_docs/accessanalyzer/admin/report/wizard/pastespecial.webp) | Paste as either formatted text, unformatted text, or metafile | +| ![Cut](/img/product_docs/accessanalyzer/admin/navigate/cut.webp) | Cut the selected text and put it on the 
clipboard | +| ![Find](/img/product_docs/accessanalyzer/admin/report/wizard/find.webp) | Find and replace specified text | +| ![Font](/img/product_docs/accessanalyzer/admin/report/wizard/font.webp) | Change the font face | +| ![Font Size](/img/product_docs/accessanalyzer/admin/report/wizard/fontsize.webp) | Change the font size | ### Advanced Text Editor -![Advanced Text Editor](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/advancedtexteditor.webp) +![Advanced Text Editor](/img/product_docs/accessanalyzer/admin/report/wizard/advancedtexteditor.webp) The Advanced Text Editor has the following options: 
@@ -206,12 +206,12 @@ below. | Icon | Description | | -------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | -| ![Bold](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/bold.webp) | Makes the selected text bold | -| ![Italic](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/italic.webp) | Italicize the selected text | -| ![Decrease Indent](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/decreaseindent.webp) | Decrease the indent level of the paragraph | -| ![Increase Indent](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/increaseindent.webp) | Increase the indent level of the paragraph | -| ![Hyperlink](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/hyperlink.webp) | Create a link to a Web page, picture, email address, or program | -| ![Multilevel List](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/multilevel.webp) | Start a multilevel list | -| ![Numbering](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/numbering.webp) | Start a numbered list | -| ![Bullets](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/bullets.webp) | Start a bulleted list | -| ![Table](../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/table.webp) | Insert a table | +| ![Bold](/img/product_docs/accessanalyzer/admin/report/wizard/bold.webp) | Makes the selected text bold | +| ![Italic](/img/product_docs/accessanalyzer/admin/report/wizard/italic.webp) | Italicize the selected text | +| ![Decrease Indent](/img/product_docs/accessanalyzer/admin/report/wizard/decreaseindent.webp) | Decrease the indent level of the paragraph | +| ![Increase 
Indent](/img/product_docs/accessanalyzer/admin/report/wizard/increaseindent.webp) | Increase the indent level of the paragraph | +| ![Hyperlink](/img/product_docs/accessanalyzer/admin/report/wizard/hyperlink.webp) | Create a link to a Web page, picture, email address, or program | +| ![Multilevel List](/img/product_docs/accessanalyzer/admin/report/wizard/multilevel.webp) | Start a multilevel list | +| ![Numbering](/img/product_docs/accessanalyzer/admin/report/wizard/numbering.webp) | Start a numbered list | +| ![Bullets](/img/product_docs/accessanalyzer/admin/report/wizard/bullets.webp) | Start a bulleted list | +| ![Table](/img/product_docs/accessanalyzer/admin/report/wizard/table.webp) | Insert a table | diff --git a/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md b/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md index 07f96afe9b..3a6a7f53e8 100644 --- a/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md +++ b/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md @@ -19,7 +19,7 @@ There are three tabs: Current, History, and Queued Jobs. The **Current** tab displays information on the job actively being executed. -![Current tab](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailscurrent.webp) +![Current tab](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailscurrent.webp) The tab includes: @@ -38,7 +38,7 @@ The tab includes: The History tab only displays information for the last job that completed. -![History tab](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailshistory.webp) +![History tab](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailshistory.webp) The tab includes: 
@@ -60,16 +60,16 @@ You can filter what messages display by using the three filters in the message p a filter arrow in the column header and selecting an available option, you can filter by Time, Type, or Message. -![Custom Filter window](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailshistorycustomfilter.webp) +![Custom Filter window](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailshistorycustomfilter.webp) If you select Custom, you can create a complex filter. See the -[Custom Filter](../navigate/datagrid.md#custom-filter) topic for additional information. +[Custom Filter](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md#custom-filter) topic for additional information. ## Queued Jobs Tab The Queued Jobs tab displays a list of jobs in queue and the order in which they are executed. -![Queued Jobs tab](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailsqueuedjobs.webp) +![Queued Jobs tab](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetailsqueuedjobs.webp) The tab includes: diff --git a/docs/accessanalyzer/12.0/admin/runninginstances/overview.md b/docs/accessanalyzer/12.0/admin/runninginstances/overview.md index dee5d19cb7..27d7a15eef 100644 --- a/docs/accessanalyzer/12.0/admin/runninginstances/overview.md +++ b/docs/accessanalyzer/12.0/admin/runninginstances/overview.md @@ -6,7 +6,7 @@ other running instance of Access Analyzer. The Running Instances node displays t its status and position in the queue, run times for all instances, and detailed views of each instance. -![Running Instances node Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Running Instances node Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) This is the primary view of the Running Instances node that displays the progress of all jobs running. 
@@ -15,7 +15,7 @@ running. The Overview page displays information about all running jobs on the current server. -![Overview page](../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Overview page](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) For each instance this screen provides : @@ -41,7 +41,7 @@ Once the job is complete, these links are disabled. The host and Connection Prof to work. The **View Schedule** link only displays and is valid for jobs that are running via a scheduled task and is not enabled for interactive job executions. -![Number of jobs running on bottom bar](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewbottombar.webp) +![Number of jobs running on bottom bar](/img/product_docs/accessanalyzer/admin/runninginstances/overviewbottombar.webp) The number of jobs currently being run can be found in the lower-left-hand corner of the Access Analyzer Console. @@ -50,11 +50,11 @@ Analyzer Console. This view identifies the host list associated with the running job. -![Host list link](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/viewhost.webp) +![Host list link](/img/product_docs/accessanalyzer/admin/runninginstances/viewhost.webp) Click the host list link to display the hosts assigned to the running job. -![Host list in Host Management node](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/viewhostlist.webp) +![Host list in Host Management node](/img/product_docs/accessanalyzer/admin/runninginstances/viewhostlist.webp) This view displays the host list table with host inventory data. 
@@ -65,38 +65,38 @@ Manager. In addition, the Process ID comes coupled with the file path of associ an identifier for the account running the current instance of Access Analyzer, and a timestamp for the length of the instance. -![Process ID link](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/processid.webp) +![Process ID link](/img/product_docs/accessanalyzer/admin/runninginstances/processid.webp) Click the Process ID link for additional details of the job status and queue. -![Job details page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetails.webp) +![Job details page](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetails.webp) The Process ID link displays a page with three tabs of information with details about the running -job. See the [Running Job Details](jobdetails.md) topic for additional information. +job. See the [Running Job Details](/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md) topic for additional information. ## View Details Additional details on the status of the tasks the job is running are available. -![View Details link](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/viewdetails.webp) +![View Details link](/img/product_docs/accessanalyzer/admin/runninginstances/viewdetails.webp) Click the **View Details** link to display additional details of the job status and queue. -![Job details page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/jobdetails.webp) +![Job details page](/img/product_docs/accessanalyzer/admin/runninginstances/jobdetails.webp) The View Details link opens the running job's details with three tabs of information. See the -[Running Job Details](jobdetails.md) topic for additional information. +[Running Job Details](/docs/accessanalyzer/12.0/admin/runninginstances/jobdetails.md) topic for additional information. 
## View Log The log for this running job can be opened in a text editor, such as Notepad. -![View Log link](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/viewlog.webp) +![View Log link](/img/product_docs/accessanalyzer/admin/runninginstances/viewlog.webp) Click **View Log** to display the current job log. The View Log link is only enabled while a job is running. -![Log file in Notepad](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/logfile.webp) +![Log file in Notepad](/img/product_docs/accessanalyzer/admin/runninginstances/logfile.webp) The Log displays such details as errors, aborts, and terminations. 
@@ -106,22 +106,22 @@ The Access Analyzer Console can only run one job at a time. However, with the Sc Account, the StealthAUDIT application can run multiple jobs simultaneously via Windows Task Scheduler. -![View Schedule link](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/viewschedule.webp) +![View Schedule link](/img/product_docs/accessanalyzer/admin/runninginstances/viewschedule.webp) Click the **View Schedule** link to display the corresponding Scheduled Task for the running job or job group. This link is only enabled for jobs that are running via scheduled task and will not be enabled for interactive job executions. -![Schedule wizard](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/schedulewizard.webp) +![Schedule wizard](/img/product_docs/accessanalyzer/admin/runninginstances/schedulewizard.webp) The Schedule wizard for the running task opens. See the -[Schedule Wizard](../schedule/wizard.md) topic for additional information. +[Schedule Wizard](/docs/accessanalyzer/12.0/admin/schedule/wizard.md) topic for additional information. ## Stop The job execution can be stopped if needed. -![Stop button](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/stop.webp) +![Stop button](/img/product_docs/accessanalyzer/admin/runninginstances/stop.webp) Click **Stop** to abort all instances in the job queue. This link is only enabled while a job is running. diff --git a/docs/accessanalyzer/12.0/admin/schedule/overview.md b/docs/accessanalyzer/12.0/admin/schedule/overview.md index 8adc9cbd12..d6685d6ac9 100644 --- a/docs/accessanalyzer/12.0/admin/schedule/overview.md +++ b/docs/accessanalyzer/12.0/admin/schedule/overview.md 
@@ -2,7 +2,7 @@ The Access Analyzer Console can only run one task at a time. However, with the Schedule Service Account, the Access Analyzer application can run multiple tasks simultaneously. See the -[Schedule](../settings/schedule.md) topic for information on configuring the Schedule Service +[Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for information on configuring the Schedule Service Account. The following tasks can be scheduled: 
@@ -10,26 +10,26 @@ The following tasks can be scheduled: - Job or Job Group – Schedule jobs to run at the job or job group level. See the [Schedule Jobs](#schedule-jobs) topic for additional information. - Host Discovery Query – Schedule Host Discovery queries from the Host Discovery node. See the - [Host Discovery Queries Activities Pane](../hostdiscovery/activities.md) topic for additional + [Host Discovery Queries Activities Pane](/docs/accessanalyzer/12.0/admin/hostdiscovery/activities.md) topic for additional information. - Host Inventory Query – Schedule Host Inventory queries from within the Host Management node. See - the [Schedule (Activities Pane Option)](../hostmanagement/actions/schedule.md) topic for + the [Schedule (Activities Pane Option)](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/schedule.md) topic for additional information. **NOTE:** If you attempt to rename a task after a scheduled task using custom credentials has been created, then the Rename Scheduled Task wizard displays to update the credentials. See the -[Rename Scheduled Task Wizard](renamewizard.md) topic for additional information. +[Rename Scheduled Task Wizard](/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md) topic for additional information. ## Schedule Jobs Jobs can be scheduled at the job group or job level. -![Schedule option from Job Tree](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/jobtree.webp) +![Schedule option from Job Tree](/img/product_docs/accessanalyzer/admin/schedule/jobtree.webp) Select the desired job group or job. Right-click on the node and select **Schedule** to open the Schedule wizard. 
-![Schedule Job wizard](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Schedule Job wizard](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) The Schedule wizard has five pages with options for setting up the schedule task: @@ -39,4 +39,4 @@ The Schedule wizard has five pages with options for setting up the schedule task - Run as - Options -See the [Schedule Wizard](wizard.md) topic for additional information. +See the [Schedule Wizard](/docs/accessanalyzer/12.0/admin/schedule/wizard.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md b/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md index b5c1205d6d..cf629e442d 100644 --- a/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md +++ b/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md @@ -12,7 +12,7 @@ the wizard. Follow the steps to update the credential for a scheduled task. -![Rename Scheduled Task wizard Tasks page](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/tasks.webp) +![Rename Scheduled Task wizard Tasks page](/img/product_docs/accessanalyzer/admin/schedule/tasks.webp) **Step 1 –** The Rename Scheduled Task wizard opens on the Tasks page , which displays the task that is to be renamed and a table containing the credentials that need updating. The table shows you the 
@@ -20,7 +20,7 @@ account the task is set to run as, the status as a blue clock icon to indicate i credential, and the host list set in the scheduled task. Select the account to provide credentials for and click **Update**. -![Group with multiple sub-group credentials to be updated](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/taskssubgroups.webp) +![Group with multiple sub-group credentials to be updated](/img/product_docs/accessanalyzer/admin/schedule/taskssubgroups.webp) - If you are renaming a group that has sub-groups that use custom credentials, then the wizard displays these accounts even if the parent group does not use custom credentials. For sub-groups, 
@@ -30,17 +30,17 @@ for and click **Update**. - For discovery queries that also have an Inventory query scheduled task created through the Host Management node, the wizard displays if either of the two scheduled tasks uses custom credentials -![Set Account window](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/setaccount.webp) +![Set Account window](/img/product_docs/accessanalyzer/admin/schedule/setaccount.webp) **Step 2 –** On the Set Account window, click **Change User**. -![Schedule Custom Credentials window](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/schedulecustomcredentials.webp) +![Schedule Custom Credentials window](/img/product_docs/accessanalyzer/admin/schedule/schedulecustomcredentials.webp) **Step 3 –** On the Schedule Custom Credentials window, reenter the Password for the selected user, and Click **OK**. Then, click **OK** again on the Set Account window. The Status icon updates to a green checkmark to indicate the credential has been provided. -![Tasks page after credentials updated](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/tasksupdated.webp) +![Tasks page after credentials updated](/img/product_docs/accessanalyzer/admin/schedule/tasksupdated.webp) **Step 4 –** Repeat Steps 1 to 3 for each credential that needs updating. Once all the credentials show a green checkmark, click **Next**. @@ -48,7 +48,7 @@ show a green checkmark, click **Next**. **NOTE:** At this stage you can click **Cancel** to close the wizard and the task will not be renamed. -![Rename Scheduled Task wizard Progress page](../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) +![Rename Scheduled Task wizard Progress page](/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) **Step 5 –** The Progress page shows a progress bar and message. Once the scheduled tasks have been renamed successfully, click **Finish** to close the wizard. 
diff --git a/docs/accessanalyzer/12.0/admin/schedule/wizard.md b/docs/accessanalyzer/12.0/admin/schedule/wizard.md index 3bd0009558..6e040f868d 100644 --- a/docs/accessanalyzer/12.0/admin/schedule/wizard.md +++ b/docs/accessanalyzer/12.0/admin/schedule/wizard.md @@ -22,7 +22,7 @@ and close the window. The task is visible in the Schedule Actions view, at the S The Schedule page is for setting the schedule of when and how often the task will run. This tab needs to be properly configured for every scheduled task. -![Schedule wizard page](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Schedule wizard page](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) The options on the Schedule page are: @@ -30,7 +30,7 @@ The options on the Schedule page are: - Edit – Edits the selected Trigger in the Schedule view - Delete – Deletes the selected trigger -![Trigger window](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/triggerwindow.webp) +![Trigger window](/img/product_docs/accessanalyzer/admin/schedule/triggerwindow.webp) The options in the Trigger window are: @@ -57,7 +57,7 @@ Access Analyzer task scheduling. See the Microsoft [Task Scheduler Overview](https://technet.microsoft.com/en-us/library/cc721871.aspx) article for additional information. -![Trigger window Advanced settings](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/triggerwindowadvancedsettings.webp) +![Trigger window Advanced settings](/img/product_docs/accessanalyzer/admin/schedule/triggerwindowadvancedsettings.webp) The options in the Advanced settings section are: 
@@ -70,7 +70,7 @@ The options in the Advanced settings section are: The Host List page identifies the host list the task being scheduled queries. Customizations to the configuration of this tab is optional. -![Host List wizard page](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/hostlist.webp) +![Host List wizard page](/img/product_docs/accessanalyzer/admin/schedule/hostlist.webp) Choose the desired setting from the following options: @@ -87,7 +87,7 @@ All** and **Clear All** links provide for quick selection and deselection. The Connection page identifies the Connection Profile that is applied to the targeted hosts being queried by the task being scheduled. Customizations to the configuration of this tab is optional. -![Connection wizard page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) +![Connection wizard page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) Choose the desired setting from the following options: @@ -105,9 +105,9 @@ Choose the desired setting from the following options: Select the Schedule Service account to run this task with on the Run as wizard page. To create or edit Schedule Service accounts, go to the **Settings** > **Schedule** node. See the -[Schedule](../settings/schedule.md) topic for additional information. +[Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information. -![Run as wizard page](../../../../../static/img/product_docs/accessanalyzer/admin/schedule/runas.webp) +![Run as wizard page](/img/product_docs/accessanalyzer/admin/schedule/runas.webp) The options on the Run as wizard page are: 
@@ -124,14 +124,14 @@ The options on the Run as wizard page are: new password - If you rename a task (job, job group, Host Discovery query, or Host Inventory query) after it has been scheduled using custom credentials, then the Rename Scheduled Task wizard displays - for you to update these credentials. See the [Rename Scheduled Task Wizard](renamewizard.md) + for you to update these credentials. See the [Rename Scheduled Task Wizard](/docs/accessanalyzer/12.0/admin/schedule/renamewizard.md) topic for additional information. ## Options Configure additional options for the task on the Options wizard page. -![Options wizard page](../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Options wizard page](/img/product_docs/accessanalyzer/install/application/options.webp) The configurable options are: diff --git a/docs/accessanalyzer/12.0/admin/settings/access/overview.md b/docs/accessanalyzer/12.0/admin/settings/access/overview.md index 8fa9e75485..23ef6a5396 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/overview.md 
@@ -2,18 +2,18 @@ Configure what applications, users, and groups have access to Access Analyzer using the Access node -![Access Window](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/access.webp) +![Access Window](/img/product_docs/accessanalyzer/admin/settings/access/access.webp) The first type of access that can be granted is Role Based Access for a user or group accessing the Access Analyzer Console. The second type of access grants access to an application accessing data remotely through the Web Service using the REST API. See these sections for additional information: -- [Role Based Access](rolebased/overview.md) -- [Web Service REST API for Applications Accessing Data Remotely](restapi/overview.md) +- [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) +- [Web Service REST API for Applications Accessing Data Remotely](/docs/accessanalyzer/12.0/admin/settings/access/restapi/overview.md) The Access Analyzer vault provides enhanced security through enhanced encryption to various credentials stored by the Access Analyzer application. See the -[Application](../application/overview.md) topic for additional information. +[Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. The **Cancel** and **Save** buttons are in the lower-right corner of the Roles view. These buttons are enabled when modifications are made to the Roles global setting. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/restapi/assignappaccess.md b/docs/accessanalyzer/12.0/admin/settings/access/restapi/assignappaccess.md index 1276548687..b56ce9fda2 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/restapi/assignappaccess.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/restapi/assignappaccess.md 
@@ -3,23 +3,23 @@ An application can be assigned to access data remotely through the Web Service. Follow the steps to assign roles in the Console. -![Add Access option on Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) +![Add Access option on Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) **Step 1 –** Navigate to **Settings** > **Access** and click **Add Access**. The Access Type wizard opens. -![Access Type page of the Access Role wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/restapi/accesstypeapplication.webp) +![Access Type page of the Access Role wizard](/img/product_docs/accessanalyzer/admin/settings/access/restapi/accesstypeapplication.webp) **Step 2 –** Select the **An application accessing data remotely through Web Service** option. Click **Next**. The Application Access window opens. -![Application Access page of the Access Role Wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/restapi/applicationaccess.webp) +![Application Access page of the Access Role Wizard](/img/product_docs/accessanalyzer/admin/settings/access/restapi/applicationaccess.webp) **Step 3 –** The Application Access window displays a list of objects available in the database that are available for access. Select the database objects the application will access and click **Add** to open the Select database objects window. -![Select database objects window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/restapi/selectdatabaseobjects.webp) +![Select database objects window](/img/product_docs/accessanalyzer/admin/settings/access/restapi/selectdatabaseobjects.webp) **Step 4 –** Select the database objects to access and then click **OK** to return to the Application Access page. 
@@ -35,7 +35,7 @@ Click Next to proceed. **NOTE:** Only select items that the application needs to access. Type in the **Filter objects by name** box to filter the list of objects by the characters entered. -![Application Details page of the Access Role Wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/restapi/applicationdetails.webp) +![Application Details page of the Access Role Wizard](/img/product_docs/accessanalyzer/admin/settings/access/restapi/applicationdetails.webp) **Step 5 –** On the Application Details page, define the name of the application and generate the app token. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/restapi/obtaintoken.md b/docs/accessanalyzer/12.0/admin/settings/access/restapi/obtaintoken.md index a2b3d24f74..09695da3e3 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/restapi/obtaintoken.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/restapi/obtaintoken.md @@ -56,5 +56,5 @@ tokens. The Client Secret expires after 72 hours. The access token expires after 1 hour after which time you can request a refresh token. See the -[Use the Client Credentials to Grant a Refesh Token](refreshtoken.md) topic for additional +[Use the Client Credentials to Grant a Refesh Token](/docs/accessanalyzer/12.0/admin/settings/access/restapi/refreshtoken.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/restapi/overview.md b/docs/accessanalyzer/12.0/admin/settings/access/restapi/overview.md index d631ddb68c..6401ad6e44 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/restapi/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/restapi/overview.md 
@@ -5,7 +5,7 @@ client credentials grant for authentication and providing the following access r - Read-Only – Read data only -See the [Use the Client Credentials Grant to Obtain an Access Token](obtaintoken.md) topic for +See the [Use the Client Credentials Grant to Obtain an Access Token](/docs/accessanalyzer/12.0/admin/settings/access/restapi/obtaintoken.md) topic for additional information. The client provides the access token in the HTTP header in the following format: diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md index db8429769a..a5809d2914 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md 
@@ -10,15 +10,15 @@ roles and enable Role Based Access. Follow the steps to assign roles in the Access Analyzer Console. -![Add Access option on the Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) +![Add Access option on the Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) **Step 1 –** On the Access page, click **Add Access**. The Access Type wizard opens. -![Access Type page of the Access Role wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/accesstypeuser.webp) +![Access Type page of the Access Role wizard](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/accesstypeuser.webp) **Step 2 –** Select the **A user or group accessing this console** option. Click **Next**. -![Console Access page of the Access Role wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Console Access page of the Access Role wizard](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) **Step 3 –** On the Console Access page, specify a group or user in the **Name** field. Use the ellipsis (**…**) to browse for accounts with the Select User or Group window. 
@@ -33,7 +33,7 @@ ellipsis (**…**) to browse for accounts with the Select User or Group window. - Add the gMSA name (`gMSAadmin$`), then click **OK**. - The Member Type will show as `msDS-GroupManagedServiceAccount` on the Access page. -![Console Access page with user added](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessfinish.webp) +![Console Access page with user added](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessfinish.webp) **Step 4 –** Select a role for the group or user from the Role list. Click **Finish**. The group or user and role is added to the Role Membership list in the Roles view. @@ -45,7 +45,7 @@ they are not saved. Role Based Access is enabled when the first role has been assigned. -![Error message when Administrator role is not specified](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/noadminerror.webp) +![Error message when Administrator role is not specified](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/noadminerror.webp) The first role or set of roles saved must include the Administrator role. Clicking **Save** for the first role or set or roles without including the Administrator generates an error message in the @@ -60,7 +60,7 @@ permissions. This allows roles to be leveraged without requiring local Administr **NOTE:** The Web Administrator and Report Viewer roles do not require access to the Access Analyzer console, so users assigned these roles are not added to the NEAUsers group. -![NEAUsers group](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/neausersgroup.webp) +![NEAUsers group](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/neausersgroup.webp) There are two separate sets of permissions: 
@@ -71,11 +71,11 @@ There are two separate sets of permissions: Follow the steps to edit a Access Analyzer user’s role. -![Edit Member Role](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/editmemberrole.webp) +![Edit Member Role](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/editmemberrole.webp) **Step 1 –** On the Access page, select the desired user and click **Edit Member Role**. -![Edit Console Access wizard page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessedit.webp) +![Edit Console Access wizard page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessedit.webp) **Step 2 –** Select a new role for the user from the Roles list. @@ -94,7 +94,7 @@ then the user needs to exit and re-launch the application for the role to take e Follow the steps to delete a user from having access to the Access Analyzer Console. -![Delete Role Member](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/deleterolemember.webp) +![Delete Role Member](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/deleterolemember.webp) **Step 1 –** On the Access page, select the desired user and click **Delete Role Member**. The selected user will be removed from the list. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles.md index 7ee979b638..34ccd1d314 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/configureroles.md 
@@ -17,7 +17,7 @@ This is a three-part process: - Delete Role Members **NOTE:** This configuration process is not required if only using Role Based Access to secure -Published Reports. See the [Securing Published Reports Only](securereports.md) topic for additional +Published Reports. See the [Securing Published Reports Only](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md) topic for additional information. ## Configure the Installation Account @@ -61,7 +61,7 @@ default schema of [dbo] to function properly. To create the roles within the SQL Server database, run the following script. -![Query Window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqlcreateroles.webp) +![Query Window](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqlcreateroles.webp) Be sure to set the context of this query to the Access Analyzer database by selecting the right database from the drop-down window. Alternatively, prefix the script with a @@ -116,7 +116,7 @@ users to SQL Server database roles. **Step 1 –** Connect to the Access Analyzer database through SQL Management Studio. -![Database Roles](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqldatabaseroles.webp) +![Database Roles](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqldatabaseroles.webp) **Step 2 –** Validate that the roles have been properly created by navigating to **Security** > **Roles** > **Database Roles**. The three new roles should be visible: 
@@ -127,12 +127,12 @@ users to SQL Server database roles. | | | | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | -| ![New User Option](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqlusersnewuser.webp) | +| ![New User Option](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqlusersnewuser.webp) | **Step 3 –** After confirmation of role creation, the next step is to map users to these roles. Right-click on the **Security** > **Users** node and select **New User**. -![Database User Window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqluserwindow.webp) +![Database User Window](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/sqluserwindow.webp) **Step 4 –** Enter the user information in the dialog as follows: @@ -143,8 +143,8 @@ Right-click on the **Security** > **Users** node and select **New User**. - Login name – Qualified domain name of the user: `[DOMAIN]\[Username]` - Default Schema – Should be set to `dbo` - Database role membership – Should be set to the appropriate role for this user. See the - [Role Definitions](roledefinitions.md) topic for more information. + [Role Definitions](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md) topic for more information. When all of the users have been assigned to the appropriate SQL Server database roles, complete the process by assigning users to roles within the Access Analyzer Console. See the -[Assign User to Role Members](assignroles.md) topic for additional information. +[Assign User to Role Members](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md) topic for additional information. 
diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/eventlog.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/eventlog.md index d28e7288b2..31ce7aea8b 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/eventlog.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/eventlog.md @@ -20,5 +20,5 @@ their corresponding role: - Job/Group Executions - Access Analyzer Console launches and exits -See the [Application Maintenance and Best Practices](../../../maintenance/overview.md) topic for +See the [Application Maintenance and Best Practices](/docs/accessanalyzer/12.0/admin/maintenance/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/faq.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/faq.md index cd089ba58b..da801a146b 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/faq.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/faq.md @@ -11,7 +11,7 @@ only locked jobs can be run. Therefore, the Job Initiator can only run or schedu already been locked. **NOTE:** Locked jobs do not affect the functionality of the Administrator role. See the -[Role Definitions](roledefinitions.md) topic for more information. +[Role Definitions](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md) topic for more information. How can I make sure that a lock on a job will not get tampered with through the associated XML file? 
@@ -22,8 +22,8 @@ the Job Approver no longer needs access to the Jobs folder and cannot manually r the associated XML file. **NOTE:** If using a Job Initiator’s credentials for a Schedule Service Account, all jobs must be -locked in order for them to be executed. See the [Role Definitions](roledefinitions.md) and -[Roles & the Schedule Service Account](scheduleserviceaccount.md) topics for more information. +locked in order for them to be executed. See the [Role Definitions](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md) and +[Roles & the Schedule Service Account](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/scheduleserviceaccount.md) topics for more information. Why can the Host Management Administrator not manage settings for the Host Discovery and Host Inventory nodes under Settings? @@ -32,7 +32,7 @@ The Host Management Administrator role is designed specifically to access the Ho Therefore, this role does not grant access to the global settings menu under the Settings node. **NOTE:** In order to access this node, the user must have either the Administrator or the Global -Options Administrator role. See the [Role Definitions](roledefinitions.md) topic for more +Options Administrator role. See the [Role Definitions](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md) topic for more information. What rights do I need to give the user on the local machine in order to use Access Analyzer? 
@@ -44,7 +44,7 @@ This NEAUsers group is given the necessary permissions on the Access Analyzer ap When a user is assigned a role, they are added to the NEAUsers group to give them the necessary access to Access Analyzer. -See the [Assign User to Role Members](assignroles.md) topic for additional information. +See the [Assign User to Role Members](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md) topic for additional information. When a user’s role is changed, when does the new role take affect? @@ -68,8 +68,8 @@ unlocked. This event will be logged as a job-change related event by Administrat Analyzer Event Log. **NOTE:** If using a Job Initiator’s credentials for the Schedule Service Account, all jobs must be -locked in order for them to execute. See the [Role Definitions](roledefinitions.md), -[Workflow with Role Based Access Enabled](workflow.md), and [Roles and the Event Log](eventlog.md) +locked in order for them to execute. See the [Role Definitions](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md), +[Workflow with Role Based Access Enabled](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/workflow.md), and [Roles and the Event Log](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/eventlog.md) topics for more information. What should be the group type when assigning Role Based Access to an AD group in a multi-domain diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md index 37ab98ad74..ab92b0ada7 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md 
@@ -12,7 +12,7 @@ viewers to the reports to which they should have access. Report security through Role Based Access can be applied without implementing a least privileged access model to the Access Analyzer Console. See the -[Securing Published Reports Only](securereports.md) topic for additional information. +[Securing Published Reports Only](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md) topic for additional information. **NOTE:** The least privileged access model to the Access Analyzer Console does not work in conjunction with the Exchange Solution. Role Based Access can be enabled, but the Administrator role @@ -38,4 +38,4 @@ role officially enables Role Based Access within Access Analyzer. When Role Base enabled, an NEAUsers local group is created on the Access Analyzer server with the required permissions to the Access Analyzer application directory. When a user is assigned a role, they are added to the NEAUsers group to give them the necessary access. See the -[Assign User to Role Members](assignroles.md) topic for additional information. +[Assign User to Role Members](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/assignroles.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md index 5d0b7363ce..c75890126f 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/roledefinitions.md 
@@ -215,10 +215,10 @@ specific reports at: - Job level – **[Job]** > **Properties** >**Report Roles** tab - Report Configuration level – **[Job]** > **Configure** > **Reports** node. Click **Configure** next to the report, and navigate to the Publish Security page of the Report Configuration wizard. - See the [Publish Security Page](../../../report/wizard/publishsecurity.md) topic for additional + See the [Publish Security Page](/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md) topic for additional information. -| ![Job Group Level](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/reportviewerreport.webp) | +| ![Job Group Level](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/reportviewerreport.webp) | | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Job Group Level | Job Level | Report Configuration Level | diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/scheduleserviceaccount.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/scheduleserviceaccount.md index 815e0222bf..80a9acff00 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/scheduleserviceaccount.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/scheduleserviceaccount.md 
@@ -58,7 +58,7 @@ Do not choose the **Use local System account to schedule tasks** option. This ac the appropriate rights to apply locks on jobs. Therefore, it does not work in conjunction with Role Based Access. -See the [Schedule](../../schedule.md) topic for additional instructions on configuring the Schedule +See the [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional instructions on configuring the Schedule Service Account. _Remember,_ these credentials must be for a user with local Administrator privileges or rights to diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md index 583602ed95..97a1b53308 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/securereports.md 
@@ -23,20 +23,20 @@ Follow the steps to assign roles at the global level. **Step 1 –** Navigate to the **Settings** > **Access** node. -![Add Access option on the Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) +![Add Access option on the Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) **Step 2 –** On the Access page, click **Add Access**. The Access Type wizard opens. -![Access Type page of the Access Role wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/accesstypeuser.webp) +![Access Type page of the Access Role wizard](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/accesstypeuser.webp) **Step 3 –** Select the **A user or group accessing this console** option. Click **Next**. -![Console Access page of the Access Role wizard](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Console Access page of the Access Role wizard](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) **Step 4 –** On the Console Access page, specify a group or user in the **Name** field. Use the ellipsis (**…**) to browse for accounts with the Select User or Group window. -![Console Access page with user added](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessfinish.webp) +![Console Access page with user added](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccessfinish.webp) **Step 5 –** Select a role for the group or user from the Role list. Click **Finish**. The group or user and role is added to the Role Membership list in the Roles view. 
@@ -53,7 +53,7 @@ they are not saved. Role Based Access is enabled when the first role has been assigned. -![Error message when Administrator role is not specified](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/noadminerror.webp) +![Error message when Administrator role is not specified](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/noadminerror.webp) The first role or set of roles saved must include the Administrator role. Clicking **Save** for the first role or set or roles without including the Administrator generates an error message in the @@ -61,7 +61,7 @@ Access Analyzer Console. When Role Based Access is first enabled, restart the Access Analyzer application to ensure all roles are properly active. The Report Viewer role can be assigned at the job group, job, and report -configuration levels. See the [Reporting Node](../../../jobs/group/reporting.md), -[Report Roles Tab](../../../jobs/job/properties/reportroles.md), and -[Publish Security Page](../../../report/wizard/publishsecurity.md) topics for additional +configuration levels. See the [Reporting Node](/docs/accessanalyzer/12.0/admin/jobs/group/reporting.md), +[Report Roles Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportroles.md), and +[Publish Security Page](/docs/accessanalyzer/12.0/admin/report/wizard/publishsecurity.md) topics for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/workflow.md b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/workflow.md index 0a3311d5cd..6f067f560d 100644 --- a/docs/accessanalyzer/12.0/admin/settings/access/rolebased/workflow.md +++ b/docs/accessanalyzer/12.0/admin/settings/access/rolebased/workflow.md 
@@ -8,7 +8,7 @@ Access is enabled and roles have been assigned. **Step 2 –** The Job Approver reviews a new or edited job’s configuration, and either approves or rejects it -![Lock Job option in right-click menu](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/lockjob.webp) +![Lock Job option in right-click menu](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/lockjob.webp) - If a job is approved, then a lock needs to be applied by right-clicking the job title in the Jobs tree and selecting **Lock Job** @@ -16,7 +16,7 @@ rejects it - If the **Lock Job** option is visible, then the job has not yet been approved - If the **Lock Job** option is not visible, then the job has been approved -![Unlock Job option in right-click menu](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/unlockjob.webp) +![Unlock Job option in right-click menu](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/unlockjob.webp) **Step 3 –** The Job Initiator can choose to run the job directly through the Access Analyzer Console or schedule it to run with the Schedule Service Account. This user will know the job was 
@@ -35,14 +35,14 @@ approved by the grayed-out **Unlock Job** option in the right-click menu. - Publish – To publish reports which have already been generated to the Web Console - - See the [Report Settings Tab](../../../jobs/job/properties/reportsettings.md) topic for + - See the [Report Settings Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/reportsettings.md) topic for additional information -![Report under the Results Node in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/reportjobstree.webp) +![Report under the Results Node in the Jobs Tree](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/reportjobstree.webp) **Step 4 –** After a job has been successfully run, the **Job Viewer** can now view the results of the job under the job’s Status and Results node, or in the Web Console. See the -[Viewing Generated Reports](../../../report/view.md) topic for additional information. +[Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic for additional information. **NOTE:** The Job Builder, Job Approver, and Job Initiator may also view these results within the Access Analyzer Console. Additionally, users with these roles can view reports within the Web diff --git a/docs/accessanalyzer/12.0/admin/settings/application/overview.md b/docs/accessanalyzer/12.0/admin/settings/application/overview.md index 7186097fa1..ddf97ad8a1 100644 --- a/docs/accessanalyzer/12.0/admin/settings/application/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/application/overview.md 
@@ -3,18 +3,18 @@ The **Application** node is for configuring general settings which affect the way the Access Analyzer Console functions. -![Application](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/application.webp) +![Application](/img/product_docs/accessanalyzer/admin/settings/application/application.webp) Application Log The Access Analyzer Application Log section determines what information is stored in the Access Analyzer application log. -![Application Log](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/applicationlog.webp) +![Application Log](/img/product_docs/accessanalyzer/admin/settings/application/applicationlog.webp) The Application log level controls the types of messages generated for each job and the application. It can be modified at the job level in the **Job Properties** window. See the -[General Tab](../../jobs/job/properties/general.md) topic for additional information. Options +[General Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/general.md) topic for additional information. Options available in the Application log level drop-down menu include: - Debug – Records everything that happens during job execution, most verbose level of logging 
@@ -52,12 +52,12 @@ Profile Security The Profile Security section provides the option to enable an enhanced method of encryption to various credentials stored by the Access Analyzer application. -![Profile Security](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/profilesecurity.webp). +![Profile Security](/img/product_docs/accessanalyzer/admin/settings/application/profilesecurity.webp). There are two options available in the Profiles stored with drop-down menu: - Application – Default setting, does not employ the enhanced encryption -- Vault – Enables the enhanced encryption of stored credentials. See the [Vault](vault.md) topic for +- Vault – Enables the enhanced encryption of stored credentials. See the [Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for requirements and additional information. Usage Statistics @@ -65,7 +65,7 @@ Usage Statistics The Usage Statistics section allows you to select whether to send usage statistics data to Netwrix to help us improve our product. -![Usage Statistics](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/usagestatistics.webp) +![Usage Statistics](/img/product_docs/accessanalyzer/admin/settings/application/usagestatistics.webp) - If selected, usage statistics are collected and sent to Netwrix @@ -85,7 +85,7 @@ Host Target Options The Host Target Options section provides radio buttons to select the source that Access Analyzer should use to connect to hosts. -![Host Target Options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/hosttargetoptions.webp) +![Host Target Options](/img/product_docs/accessanalyzer/admin/settings/application/hosttargetoptions.webp) Select from the following two options: 
@@ -97,7 +97,7 @@ Grid View Parameters The Grid View Parameters section controls how the data grids display within the Access Analyzer Console. -![Grid View Parameters](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/gridviewparameters.webp) +![Grid View Parameters](/img/product_docs/accessanalyzer/admin/settings/application/gridviewparameters.webp) - Automatically rename duplicate columns within a table – Checks for and renames columns with duplicate names @@ -118,14 +118,14 @@ Console. Filtered data grids are not lost if persistent filters are not saved. The Filtration Dialog available for every data grid maintains a list of recent filters. See the -[Data Grid Functionality](../../navigate/datagrid.md) topic for additional information. +[Data Grid Functionality](/docs/accessanalyzer/12.0/admin/navigate/datagrid.md) topic for additional information. Cleanup The Cleanup section is designed to conserve space in the SQL Database Transaction Log. It only works when the database is configured to use Simple Recovery Model. -![Cleanup Options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/cleanup.webp) +![Cleanup Options](/img/product_docs/accessanalyzer/admin/settings/application/cleanup.webp) - Compact Database Transaction Log – If selected, every time the Access Analyzer application is closed, the Database Transaction Log is compacted 
@@ -144,13 +144,13 @@ Application Exit Options The Application Exit Options section controls whether or not a confirmation is displayed when the Access Analyzer application is closed. -![Application Exit Options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/applicationexitoptions.webp) +![Application Exit Options](/img/product_docs/accessanalyzer/admin/settings/application/applicationexitoptions.webp) If selected, the **Show Confirmation Dialog** option causes a Confirm Exit window to open when the Access Analyzer user attempts to exit the application. If deselected, the Access Analyzer application closes without confirmation. -![Confirm Exit](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/confirmexitwindow.webp) +![Confirm Exit](/img/product_docs/accessanalyzer/admin/settings/application/confirmexitwindow.webp) The Confirm Exit window requires the **Yes** button to be clicked before the Access Analyzer application closes. diff --git a/docs/accessanalyzer/12.0/admin/settings/application/vault.md b/docs/accessanalyzer/12.0/admin/settings/application/vault.md index 5e54d4042e..5be6af2f52 100644 --- a/docs/accessanalyzer/12.0/admin/settings/application/vault.md +++ b/docs/accessanalyzer/12.0/admin/settings/application/vault.md @@ -23,7 +23,7 @@ be met in the order listed: Analyzer users should be given the Administrator role - No additional Role Based Access prerequisites are required for this option - - See the [Access](../access/overview.md) topic for additional information on Role Based Access + - See the [Access](/docs/accessanalyzer/12.0/admin/settings/access/overview.md) topic for additional information on Role Based Access **NOTE:** Once the vault has been enabled, it is not possible to disable Role Based Access without first disabling the vault. Please contact 
@@ -32,7 +32,7 @@ be met in the order listed: - The Profile Security section of the Application node must be set to **Vault** - ![Vault Security](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/vaultrbaerror.webp) + ![Vault Security](/img/product_docs/accessanalyzer/admin/settings/application/vaultrbaerror.webp) If the previous prerequisites have not been met, then one of the following errors will occur when attempting to save the Vault Profile Security setting: diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md b/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md index 58a3d92492..15ed9cfd81 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md @@ -38,12 +38,12 @@ Password Vault, the following prerequisites must be completed: [Generate an application hash value](https://docs.cyberark.com/credential-providers/Latest/en/Content/CP%20and%20ASCP/Generating-Application-Hash-Value.htm) article for additional information. - ![Application Details page for the CyberArk Application](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/applicationidhash.webp) + ![Application Details page for the CyberArk Application](/img/product_docs/accessanalyzer/admin/settings/connection/applicationidhash.webp) Add the generated hash value in the Authentication tab of the Application Details page for the CyberArk Application. - ![Allowed Machines list for the CyberArk application](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/allowedmachines.webp) + ![Allowed Machines list for the CyberArk application](/img/product_docs/accessanalyzer/admin/settings/connection/allowedmachines.webp) - The machine name for the Access Analyzer console needs to be added on the Allowed Machines list for the CyberArk application 
@@ -54,7 +54,7 @@ Password Vault, the following prerequisites must be completed: during the Secrets Manager installation, as well as the account created automatically as a result of the application creation. - ![Owners window for the Safe containing the credentials](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/vaultownerswindow.webp) + ![Owners window for the Safe containing the credentials](/img/product_docs/accessanalyzer/admin/settings/connection/vaultownerswindow.webp) - The account created during the AIM installation is under the naming convention `Prov_[COMPUTERNAME]`, where `COMPUTERNAME` is the name of the computer on which AIM is @@ -77,7 +77,7 @@ Notepad. **CAUTION:** Ensure Access Analyzer is closed when modifying this file. -![GlobalOptions.xml file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/globaloptions.webp) +![GlobalOptions.xml file in Notepad](/img/product_docs/accessanalyzer/admin/settings/connection/globaloptions.webp) **Step 2 –** Find the `` section of the `GlobalOptions.xml` file. Add the Application Id of the configured CyberArk application for the integration in the `` tag. If @@ -117,7 +117,7 @@ If the Connection Profile with a Local Windows Account credential using CyberArk used to target multiple hosts, then the local credential on each host needs to have the exact same username and password combination. -![Connection view with CyberArk credentials](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/usercredentials.webp) +![Connection view with CyberArk credentials](/img/product_docs/accessanalyzer/admin/settings/connection/usercredentials.webp) The Connection view displays `CyberArk` in the Source column of the User Credentials list for the selected Connection Profile. 
@@ -127,7 +127,7 @@ selected Connection Profile. Match the User Credentials window settings in Access Analyzer with the privilege account properties in CyberArk. These values are case-sensitive, and must be an exact match. -![User Credentials window for Active Directory Account](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/usercredentialsad.webp) +![User Credentials window for Active Directory Account](/img/product_docs/accessanalyzer/admin/settings/connection/usercredentialsad.webp) The table below shows the values from your CyberArk configuration that the User Credentials window should be populated with: @@ -145,7 +145,7 @@ Match the User Credentials window settings in Access Analyzer with the privilege in CyberArk. These values are case-sensitive, and must be an exact match. The Access Analyzer Domain value is `` and the CyberArk Address property value is the server address. -![User Credentials window for Local Windows Account](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/usercredentialslocal.webp) +![User Credentials window for Local Windows Account](/img/product_docs/accessanalyzer/admin/settings/connection/usercredentialslocal.webp) The table below shows the values from your CyberArk configuration that the User Credentials window should be populated with: diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md b/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md index b6667a0239..42ecd5bdd1 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md 
@@ -2,8 +2,8 @@ Access Analyzer can use a previously-configured Group Managed Service Accounts (gMSA/MSA) account. Make sure that Managed Service Account is selected in the User Credentials window. See the -[Create a Connection Profile](profile/create.md) or -[Create a Schedule Service Account](../schedule.md#create-a-schedule-service-account) topic for +[Create a Connection Profile](/docs/accessanalyzer/12.0/admin/settings/connection/profile/create.md) or +[Create a Schedule Service Account](/docs/accessanalyzer/12.0/admin/settings/schedule.md#create-a-schedule-service-account) topic for additional information. To run a job or scheduled task with a gMSA/MSA account, the following prerequisites must be met: diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/overview.md b/docs/accessanalyzer/12.0/admin/settings/connection/overview.md index 6c12f77143..e944b9d368 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/overview.md @@ -3,7 +3,7 @@ The Connection node contains objects referred to as Connection Profiles. A Connection Profile houses the information Access Analyzer uses to connect to the target hosts during job execution. -![Connection](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/connectionpage.webp) +![Connection](/img/product_docs/accessanalyzer/admin/settings/connection/connectionpage.webp) There are two methods for authentication to a targeted host: 
@@ -49,24 +49,24 @@ Analyzer Vault. Certain types of credentials can be stored in CyberArk®. Choosing to store passwords in either the Access Analyzer application or the Access Analyzer Vault is a global setting configured in the **Settings** > **Application** node. See the -[Application](../application/overview.md) topic for additional information. +[Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. The Access Analyzer vault provides enhanced security through enhanced encryption to various -credentials stored by the Access Analyzer application. See the [Vault](../application/vault.md) +credentials stored by the Access Analyzer application. See the [Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for additional information. CyberArk integration stores supported credentials in the CyberArk Enterprise Password Vault. CyberArk Privileged Account Security Solution offers components designed to discover, secure, rotate, and control access to privileged account passwords used to access systems through the -enterprise IT environment. See the [CyberArk Integration](cyberarkintegration.md) topic for +enterprise IT environment. See the [CyberArk Integration](/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md) topic for additional information. -![Cancel and Save options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/cancelsavebuttons.webp) +![Cancel and Save options](/img/product_docs/accessanalyzer/admin/settings/connection/cancelsavebuttons.webp) The **Cancel** and **Save** buttons are in the lower-right corner of the Connection view. These buttons become enabled when modifications are made to the Connection global setting. 
-![Information update message box](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/settingssavedmessage.webp) +![Information update message box](/img/product_docs/accessanalyzer/admin/settings/connection/settingssavedmessage.webp) Whenever changes are made at the global level, click **Save** and then **OK** to confirm the changes. Otherwise, click **Cancel** if no changes were intended. diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/activedirectory.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/activedirectory.md index d44f66fac1..becc3e5a88 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/activedirectory.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/activedirectory.md @@ -3,7 +3,7 @@ If the account type selected on the User Credentials window is **Active Directory Account**, the following information is required for the credential: -![User Credentials Window - Active Directory](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/activedirectoryaccount.webp) +![User Credentials Window - Active Directory](/img/product_docs/accessanalyzer/admin/settings/connection/profile/activedirectoryaccount.webp) - Domain – Drop-down menu with available trusted domains will appear. Either type the short domain name in the textbox or select a domain from the menu. 
@@ -11,14 +11,14 @@ following information is required for the credential: - Password Storage – Choose the option for credential password storage: - Application – Uses the configured Profile Security setting as selected at the **Settings** > - **Application** node. See the [Application](../../application/overview.md) topic for + **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. - CyberArk – Uses the CyberArk Enterprise Password Vault. See the - [CyberArk Integration](../cyberarkintegration.md) topic for additional information. The + [CyberArk Integration](/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md) topic for additional information. The password fields do not apply for CyberArk password storage. - Managed Service Account – Use previously configured MSA and gMSAs for authentication. The password fields are not applicable when this option is selected. See the - [Group Managed Service Accounts (gMSA) Configuration](../gmsa.md) topic for additional + [Group Managed Service Accounts (gMSA) Configuration](/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md) topic for additional information. - Password – Type the password diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md index 4b0c96d06b..2443867db2 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md 
@@ -3,7 +3,7 @@ The information in this section applies to **Select Account Type > Amazon Web Services** account type in the User Credentials window. -![User Credentials Window - AWS](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/connectionaws.webp) +![User Credentials Window - AWS](/img/product_docs/accessanalyzer/admin/settings/connection/profile/connectionaws.webp) The required credentials for Amazon Web Services are: @@ -27,7 +27,7 @@ A new connection profile will need to be created to be leveraged in the AWS Solu Access Token section. _Remember,_ these are obtained from AWS when the permissions are configured. See the -[Configure AWS for Scans](../../../../requirements/target/config/aws.md) topic for additional +[Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information. **Step 4 –** Click OK in the User Credentials modal, name the Connection Profile, and click Save. diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/create.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/create.md index 8fb643f26f..f265424359 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/create.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/create.md 
@@ -2,11 +2,11 @@ Follow the steps to create a Connection Profile. -![Add Connection Profile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/addconnectionprofile.webp) +![Add Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/addconnectionprofile.webp) **Step 1 –** Click Add Connection profile at the top of the Connection view. -![Connection - Add Connection Profile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/connectionprofilename.webp) +![Connection - Add Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/connectionprofilename.webp) **Step 2 –** A new profile displays in the list with a generic name. Provide a unique, descriptive name in the Connection profile name textbox. 
@@ -15,36 +15,36 @@ name in the Connection profile name textbox. time. If the profile name is changed after being applied to job groups or jobs, it requires the user to go back through all of those job groups or jobs and re-apply the Connection Profile. -![Add User Credential](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/addusercredential.webp) +![Add User Credential](/img/product_docs/accessanalyzer/admin/settings/addusercredential.webp) **Step 3 –** Now it is time to add credentials to this profile. Click Add User credential and the User Credentials window opens. -![User Credentials](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/activedirectoryaccount.webp) +![User Credentials](/img/product_docs/accessanalyzer/admin/settings/connection/profile/activedirectoryaccount.webp) **Step 4 –** The window options change according to the value for the Selected Account Type field. Select the appropriate account type and then provide the required information. 
The account types are: -- [Active Directory Account for User Credentials ](activedirectory.md) -- [Local Windows Account for User Credentials](localwindows.md) -- [Unix Account for User Credentials](unix.md) -- [SQL Authentication for User Credentials](sql.md) -- [Task for User Credentials](task.md) -- [Azure Active Directory for User Credentials](entraid.md) -- [Dropbox for User Credentials](dropbox.md) -- [Web Services (JWT) for User Credentials](webservices.md) -- [Oracle for User Credentials](oracle.md) -- [Exchange Modern Authentication for User Credentials](exchangemodernauth.md) +- [Active Directory Account for User Credentials ](/docs/accessanalyzer/12.0/admin/settings/connection/profile/activedirectory.md) +- [Local Windows Account for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/localwindows.md) +- [Unix Account for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/unix.md) +- [SQL Authentication for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/sql.md) +- [Task for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/task.md) +- [Azure Active Directory for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md) +- [Dropbox for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/dropbox.md) +- [Web Services (JWT) for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/webservices.md) +- [Oracle for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md) +- [Exchange Modern Authentication for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md) See the individual account type sections for information on the fields. Then click OK. 
-![Error Message for Password](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/passworddifferserror.webp) +![Error Message for Password](/img/product_docs/accessanalyzer/admin/settings/connection/profile/passworddifferserror.webp) **NOTE:** If the entered passwords are not the same, an error message will pop-up after clicking OK on the User Credentials window. Click OK on the error message and re-type the passwords. -![User Credentials](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/usercredentialslist.webp) +![User Credentials](/img/product_docs/accessanalyzer/admin/settings/connection/profile/usercredentialslist.webp) **Step 5 –** Repeat Steps 3-4 until the User Credentials list for this profile is complete. @@ -59,11 +59,11 @@ are no more credentials to try. considering that a successful authentication does not automatically mean that particular credential has the appropriate level of permissions in order for the data collection to occur. -![Arrange Priority](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/moveupdown.webp) +![Arrange Priority](/img/product_docs/accessanalyzer/admin/settings/connection/profile/moveupdown.webp) There are Move Up and Move Down buttons for arranging priority within the User Credentials list. -![Apply local login credentials](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/usewindowsaccountoption.webp) +![Apply local login credentials](/img/product_docs/accessanalyzer/admin/settings/connection/profile/usewindowsaccountoption.webp) **Step 6 –** (Optional): At the bottom of the Connection view, is the Use the Windows account that Access Analyzer runs with before trying the user credentials above option. This option is per 
@@ -82,14 +82,14 @@ or job level. Follow the steps to edit user credentials within a Connection Profile. -![Edit Connection Profile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/editusercredentials.webp) +![Edit Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/editusercredentials.webp) **Step 1 –** Select the Connection Profile to be modified from the Profile list. Remember, changing the Connection Profile name results in breaking job groups or jobs that are assigned this profile. **Step 2 –** Select the user credential to be edited from the User Credentials list. Click Edit. -![User Credentials](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/selectaccounttype.webp) +![User Credentials](/img/product_docs/accessanalyzer/admin/settings/connection/profile/selectaccounttype.webp) **Step 3 –** Modify the information in the User Credentials window. For the password, choose between the Use the existing password option or the Specify a new password below option. Click OK. 
@@ -104,14 +104,14 @@ Profile. Follow the steps to delete a user credential from a Connection Profile. -![Delete User Credentials](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteusercredentials.webp) +![Delete User Credentials](/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteusercredentials.webp) **Step 1 –** Select the Connection Profile to be modified from the Profile list. Remember, changing the Connection Profile name results in breaking job groups or jobs that are assigned this profile. **Step 2 –** Select the user credential to be edited from the User Credentials list. Click Delete. -![Confirmation message for deletion](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteusercredentialsconfirm.webp) +![Confirmation message for deletion](/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteusercredentialsconfirm.webp) **Step 3 –** Click OK to confirm the deletion. @@ -125,11 +125,11 @@ Connection Profile. The default profile is marked with the green checkmark. -![defaultconnectionprofile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/defaultconnectionprofile.webp) +![defaultconnectionprofile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/defaultconnectionprofile.webp) Follow the steps to set a new default Connection Profile. -![Set a Default Connection Profile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/setasdefaultconnectionprofile.webp) +![Set a Default Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/setasdefaultconnectionprofile.webp) **Step 1 –** Select the desired profile in the Connection Profile list and click Set as default. 
@@ -141,11 +141,11 @@ This Connection Profile is now used as the default Connection Profile. Follow the steps to delete a Connection Profile. -![Delete a Connection Profile](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteconnectionprofile.webp) +![Delete a Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteconnectionprofile.webp) **Step 1 –** Select the profile from the Connection Profile list and click Delete. -![Confirmation message for deletion](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteconnectionprofileconfirm.webp) +![Confirmation message for deletion](/img/product_docs/accessanalyzer/admin/settings/connection/profile/deleteconnectionprofileconfirm.webp) **Step 2 –** Click OK to confirm the deletion. diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/dropbox.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/dropbox.md index aef261712b..b6c3dee680 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/dropbox.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/dropbox.md 
@@ -3,12 +3,12 @@ The information in this topic applies to **Select Account Type** > **Dropbox** in the User Credentials window. -![User Credentials - Dropbox](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/dropbox.webp) +![User Credentials - Dropbox](/img/product_docs/accessanalyzer/admin/settings/connection/profile/dropbox.webp) The required credentials for Dropbox are: - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../application/overview.md) topic + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Access Token – Copy and paste the access token after it has been generated from the Scan Options page of the DropboxAccess Data Collector configuration wizard. See the Dropbox for User diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md index 2d40bbaffa..ec33d46ae2 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md 
@@ -4,25 +4,25 @@ The information in this topic applies to **Select Account Type** > **Azure Activ User Credentials window. This account type is for Microsoft Entra ID, formerly Azure Active Directory. -![User Credentials Window - Azure Active Directory](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/entraid.webp) +![User Credentials Window - Azure Active Directory](/img/product_docs/accessanalyzer/admin/settings/connection/profile/entraid.webp) The required credentials for this account type are: - Client ID – Application (client) ID of the Access Analyzer application registered with Microsoft Entra ID. See the - [Identify the Client ID](../../../../config/entraid/access.md#identify-the-client-id) topic for + [Identify the Client ID](/docs/accessanalyzer/12.0/config/entraid/access.md#identify-the-client-id) topic for additional information. - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../application/overview.md) topic + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Key – The required Key depends on the target environment the Connection Profile is being used for: - Entra ID – Client secret value for the Access Analyzer application registered with Microsoft Entra ID. See the - [Generate the Client Secret Key](../../../../config/entraid/access.md#generate-the-client-secret-key) + [Generate the Client Secret Key](/docs/accessanalyzer/12.0/config/entraid/access.md#generate-the-client-secret-key) topic for additional information. - SharePoint Online – The comma delimited string containing the path to the certificate PFX file, certificate password, and the Microsoft Entra ID environment identifier ( `CertPath,CertPassword,AzureEnvironment`). 
See the - [SharePoint Online Credential for a Connection Profile using Modern Authentication](../../../datacollector/spaa/configurejob.md#sharepoint-online-credential-for-a-connection-profile-using-modern-authentication)topic + [SharePoint Online Credential for a Connection Profile using Modern Authentication](/docs/accessanalyzer/12.0/admin/datacollector/spaa/configurejob.md#sharepoint-online-credential-for-a-connection-profile-using-modern-authentication)topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md index 9c38d7fbc4..db06025a4e 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md 
@@ -3,24 +3,24 @@ The information in this topic applies to **Select Account Type** > **Exchange Modern Authentication** account type in the User Credentials window. -![User Credentials - Exchange Modern Authentication ](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/exchangemodernauthentication.webp) +![User Credentials - Exchange Modern Authentication ](/img/product_docs/accessanalyzer/admin/settings/connection/profile/exchangemodernauthentication.webp) The values for the required credentials for the Exchange Modern Authentication account are: - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../application/overview.md) topic + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Organization – The primary domain name of the Microsoft Entra tenant being leveraged to make the connection. See the - [Identify the Tenant's Name](../../../../config/exchangeonline/access.md#identify-the-tenants-name) + [Identify the Tenant's Name](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#identify-the-tenants-name) topic for additional information. - Email Address – The email address for the mailbox to be leveraged in Exchange Online environment scans. The mailbox must belong to the primary domain used in the Organization field. - AppID – Application (client) ID of the Access Analyzer application registered with Microsoft Entra ID. See the - [Identify the Client ID](../../../../config/exchangeonline/access.md#identify-the-client-id) + [Identify the Client ID](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#identify-the-client-id) topic for additional information. - Certificate Thumbprint – The thumbprint value of the certificate uploaded to the Microsoft Entra ID application. 
See the - [Upload Self-Signed Certificate](../../../../config/exchangeonline/access.md#upload-self-signed-certificate) + [Upload Self-Signed Certificate](/docs/accessanalyzer/12.0/config/exchangeonline/access.md#upload-self-signed-certificate) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/localwindows.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/localwindows.md index d18fe2f1b4..9f404a2070 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/localwindows.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/localwindows.md @@ -3,7 +3,7 @@ The information in this topic applies to **Select Account Type** > **Local Windows Account** in the User Credentials window. -![User Credentials - Local Windows Account](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/localwindowsaccount.webp) +![User Credentials - Local Windows Account](/img/product_docs/accessanalyzer/admin/settings/connection/profile/localwindowsaccount.webp) The required credentials for the Local Windows Account are: 
@@ -11,10 +11,10 @@ The required credentials for the Local Windows Account are: - Password Storage – Choose the option for credential password storage: - Application – Uses the configured Profile Security setting as selected at the **Settings** > - **Application** node. See the [Application](../../application/overview.md) topic for + **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. - CyberArk – Uses the CyberArk Enterprise Password Vault. See the - [CyberArk Integration](../cyberarkintegration.md) topic for additional information. The + [CyberArk Integration](/docs/accessanalyzer/12.0/admin/settings/connection/cyberarkintegration.md) topic for additional information. The password fields do not apply for CyberArk password storage. **NOTE:** If using the CyberArk option, then the associated Connection Profile can only have diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md index dce666f689..5e3fce85da 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md @@ -3,7 +3,7 @@ The information in this section applies to Select Account Type > Oracle in the User Credentials window. -![User Credentials - Oracle](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) +![User Credentials - Oracle](/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) The required credentials for Oracle are: diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/sql.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/sql.md index b3de147077..d5a753e98c 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/sql.md 
+++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/sql.md @@ -6,13 +6,13 @@ window. **NOTE:** SQL Authentication credentials are used in the Connection Profiles for the SQL, MySQL, and PostgreSQL Solutions. -![User Credentials - SQL Authentication](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/sqlauthentication.webp) +![User Credentials - SQL Authentication](/img/product_docs/accessanalyzer/admin/settings/connection/profile/sqlauthentication.webp) The required credentials for SQL Authentication are: - User name – Enter user name - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../application/overview.md) topic + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Password – Type the password - Confirm – Re-type the password diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/task.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/task.md index d84e2bb2fc..653806b165 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/task.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/task.md 
@@ -3,7 +3,7 @@ The information in this section applies to Select Account Type > Task (Local) or Task (Domain) in the User Credentials window. -| ![User Credentials - Task (Local)](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/taskdomain.webp) | +| ![User Credentials - Task (Local)](/img/product_docs/accessanalyzer/admin/settings/connection/profile/taskdomain.webp) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | _Task (Local)_ | _Task (Domain)_ | diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/unix.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/unix.md index 6a8dee01a2..aaa32e66ab 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/unix.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/unix.md @@ -3,13 +3,13 @@ The information in this topic applies to **Select Account Type** > **Unix Account** in the User Credentials window. -![User Credentials - Unix](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/unixaccount.webp) +![User Credentials - Unix](/img/product_docs/accessanalyzer/admin/settings/connection/profile/unixaccount.webp) The required credentials for the Unix Account are: - User name – Enter user name - Password Storage – Application (Uses the configured Profile Security setting as selected at the - **Settings** > **Application** node. See the [Application](../../application/overview.md) topic + **Settings** > **Application** node. See the [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Password/Confirm 
diff --git a/docs/accessanalyzer/12.0/admin/settings/connection/profile/webservices.md b/docs/accessanalyzer/12.0/admin/settings/connection/profile/webservices.md index aca2f868cb..b1cba36089 100644 --- a/docs/accessanalyzer/12.0/admin/settings/connection/profile/webservices.md +++ b/docs/accessanalyzer/12.0/admin/settings/connection/profile/webservices.md @@ -3,7 +3,7 @@ The information in this section applies to Select Account Type > Web Services (JWT) in the User Credentials window. -![User Credentials - Web Services (JWT)](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/webservicesjwt.webp) +![User Credentials - Web Services (JWT)](/img/product_docs/accessanalyzer/admin/settings/connection/profile/webservicesjwt.webp) The required credentials for Web Services (JWT) are: @@ -11,5 +11,5 @@ The required credentials for Web Services (JWT) are: - Password Storage: Application – Uses the configured Profile Security setting as selected at the **Settings > Application** node - Access Token – Copy and paste the StealthDEFEND App Token after it has been generated within - StealthDEFEND. See the [FS_DEFEND_SDD Job](../../../jobs/instantjobs/fs_defend_sdd.md) topic for + StealthDEFEND. See the [FS_DEFEND_SDD Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/fs_defend_sdd.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/exchange.md b/docs/accessanalyzer/12.0/admin/settings/exchange.md index 2a46219a52..acdf934f3d 100644 --- a/docs/accessanalyzer/12.0/admin/settings/exchange.md +++ b/docs/accessanalyzer/12.0/admin/settings/exchange.md 
@@ -3,12 +3,12 @@ The Exchange node is for configuring the settings needed to query Microsoft® Exchange Servers. These settings are exclusive to the Access Analyzer for Exchange Solution. -![Exchange - Set up the connection](../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange_1.webp) +![Exchange - Set up the connection](/img/product_docs/accessanalyzer/admin/settings/exchange_1.webp) The Exchange node is grayed-out by default. In order for these settings to be enabled, it is necessary to install both Access Analyzer MAPI CDO and Microsoft Exchange MAPI CDO on the Access Analyzer Console server. See the -[StealthAUDIT MAPI CDO Installation](../../stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) +[StealthAUDIT MAPI CDO Installation](/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) topic for additional information. Once the requirements have been met, the Exchange node is enabled for configuration. These settings @@ -17,7 +17,7 @@ Exchange2K, and ExchangePS Data Collectors. The Client Access Server field, or C by the ExchangePS Data Collector in order to make Remote PowerShell connections for Exchange 2010 or newer. The data collectors apply these settings unless modified inside the job query. -![Set up the connection](../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange_3.webp) +![Set up the connection](/img/product_docs/accessanalyzer/admin/settings/exchange_3.webp) The three options in the Exchange Connection Setting section at the top of the window are dependent on which version of Exchange is audited. 
@@ -53,13 +53,13 @@ In the Test Exchange Connection Settings section: - Enter a Mailbox Server with mailboxes to be audited in the Exchange Server textbox. - Click the Test Exchange settings link. - ![Test Exchange Connection Setting](../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange_4.webp) + ![Test Exchange Connection Setting](/img/product_docs/accessanalyzer/admin/settings/exchange_4.webp) If the Exchange Connection Settings are correct, an output field opens. At the bottom of the output field, a mailbox count is stated and a message appears which says, “You have successfully connected to this Exchange Server.” Click OK. -![exchange_6](../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange_6.webp) +![exchange_6](/img/product_docs/accessanalyzer/admin/settings/exchange_6.webp) The Cancel and Save buttons are in the lower-right corner of the Exchange view. These buttons become enabled when modifications are made to the Exchange global setting. Whenever changes are made at the diff --git a/docs/accessanalyzer/12.0/admin/settings/history.md b/docs/accessanalyzer/12.0/admin/settings/history.md index 6e5272e6bd..93e2e21c41 100644 --- a/docs/accessanalyzer/12.0/admin/settings/history.md +++ b/docs/accessanalyzer/12.0/admin/settings/history.md 
@@ -2,10 +2,10 @@ The History node is where the history retention of job data and job logs are configured. The setting specified here at the global level applies to all jobs in the Jobs tree unless specifically changed -at the job group or job level. See the [History Node](../jobs/group/history.md) and -[History Tab](../jobs/job/properties/history.md) topics for additional information. +at the job group or job level. See the [History Node](/docs/accessanalyzer/12.0/admin/jobs/group/history.md) and +[History Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/history.md) topics for additional information. -![History Global Settings](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) +![History Global Settings](/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) The Data Retention Period settings are for configuring the job data history retention within the database. There are three options: @@ -44,7 +44,7 @@ default setting. There are two settings: - SA_JobTaskStatsTbl - This setting is only available at the global settings level. The default value is 100 days. - This directly affects each job’s **Status** node. See the [Status Node](../jobs/job/status.md) + This directly affects each job’s **Status** node. See the [Status Node](/docs/accessanalyzer/12.0/admin/jobs/job/status.md) topic for additional information. For both the **Logs and Messages** and **Job Statistics** options above: 
@@ -80,7 +80,7 @@ The job logs are stored within the output folder of each job. They can be read i Analyzer Console within the job’s **Status** > **Messages** table. To access the logs within the job’s directory, right-click on the job’s node in the Navigation pane and select **Explore Folder**. -![Job Logs in the job's Output folder in File Explorer](../../../../../static/img/product_docs/accessanalyzer/admin/settings/historyjoblogs.webp) +![Job Logs in the job's Output folder in File Explorer](/img/product_docs/accessanalyzer/admin/settings/historyjoblogs.webp) The most recent log is open. Older jobs are stored as zip files, according to the Log Retention Period setting. Each log is named in the following format: diff --git a/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md b/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md index c3e4172d8e..28c3b28fb4 100644 --- a/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md +++ b/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md @@ -4,7 +4,7 @@ The Host Discovery node is for configuring the settings which dictate how Access newly discovered hosts, what information is logged during the host discovery process, and how long the logged information is stored. -![Host Discovery page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/hostdiscovery.webp) +![Host Discovery page](/img/product_docs/accessanalyzer/admin/settings/hostdiscovery.webp) In the Host Discovery Options section at the top is a checkbox for the **Perform the first inventory right away for newly discovered hosts** option. This option is selected by default. 
@@ -19,7 +19,7 @@ The configurable options in the Discovery Log section are: default to 14 days which is based on average Access Analyzer usage. - Log level – Determines what information is stored in the Host Discover query log -![Log level options](../../../../../static/img/product_docs/accessanalyzer/admin/settings/hostdiscoveryloglevels.webp) +![Log level options](/img/product_docs/accessanalyzer/admin/settings/hostdiscoveryloglevels.webp) The log levels are: @@ -58,6 +58,6 @@ buttons become enabled when modifications are made to the Host Discovery global changes are made at the global level, click **Save** and then **OK** to confirm the changes. Otherwise, click **Cancel** if no changes were intended. -![Host Discovery Log under Host Discovery node](../../../../../static/img/product_docs/accessanalyzer/admin/settings/hostdiscoverylog.webp) +![Host Discovery Log under Host Discovery node](/img/product_docs/accessanalyzer/admin/settings/hostdiscoverylog.webp) The Host Discovery Log is located under the **Host Discovery** node. diff --git a/docs/accessanalyzer/12.0/admin/settings/hostinventory.md b/docs/accessanalyzer/12.0/admin/settings/hostinventory.md index d1f5127443..6d7dc49e66 100644 --- a/docs/accessanalyzer/12.0/admin/settings/hostinventory.md +++ b/docs/accessanalyzer/12.0/admin/settings/hostinventory.md @@ -4,7 +4,7 @@ The Host Inventory node is for selecting what information to collect from the ta host inventory process, for allocating console resources to the host inventory process, and for setting what out-of-the box host lists are visible in the Host Management node. -![Host Inventory Settings page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/hostinventory.webp) +![Host Inventory Settings page](/img/product_docs/accessanalyzer/admin/settings/hostinventory.webp) In the Inventory Items section, there are four program property groups: 
@@ -60,7 +60,7 @@ host inventory process: - Months - This setting affects the Inventory page options on the Host Discovery Wizard. See the - [Host Discovery Wizard](../hostdiscovery/wizard/overview.md) topic for additional information. + [Host Discovery Wizard](/docs/accessanalyzer/12.0/admin/hostdiscovery/wizard/overview.md) topic for additional information. The Desired Host List Views section at the bottom contains all available host lists, both out-of-the-box lists and custom-created lists. There are seven Default Hosts Lists which correspond @@ -84,7 +84,7 @@ filter criteria. These lists correspond to the pre-configured solution jobs whic The **AD** Host List can be expanded and contains five sub-groups utilized by the Active Directory Solution and the Active Directory Inventory Solution: -![AD Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/ad.webp) +![AD Host List](/img/product_docs/accessanalyzer/admin/settings/ad.webp) The sub-groups are: @@ -98,7 +98,7 @@ The sub-groups are: The **ALL WINDOWS HOSTS** Host List is utilized primarily by the Windows Solution. -![ALL WINDOWS HOSTS Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/allwindowshosts.webp) +![ALL WINDOWS HOSTS Host List](/img/product_docs/accessanalyzer/admin/settings/allwindowshosts.webp) There are no sub-groups for ALL WINDOWS HOSTS. @@ -107,7 +107,7 @@ There are no sub-groups for ALL WINDOWS HOSTS. The **DG** Host List can be expanded and contains three sub-groups utilized by the Data Access Governance for File System Solution. -![DG Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/dg.webp) +![DG Host List](/img/product_docs/accessanalyzer/admin/settings/dg.webp) The sub-groups are: 
@@ -120,7 +120,7 @@ The sub-groups are: The **EXCHANGE** Host List can be expanded and contains six sub-groups utilized by the Exchange Solution. Four of these sub-groups can also be expand. -![EXCHANGE Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange.webp) +![EXCHANGE Host List](/img/product_docs/accessanalyzer/admin/settings/exchange.webp) The sub-groups are: @@ -138,7 +138,7 @@ The sub-groups are: The **SQL SERVERS** Host List is utilized primarily by the SQL Solution. -![SQL Servers Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/sqlservers.webp) +![SQL Servers Host List](/img/product_docs/accessanalyzer/admin/settings/sqlservers.webp) There are no sub-groups for SQL SERVERS. @@ -147,7 +147,7 @@ There are no sub-groups for SQL SERVERS. The **Windows Server** Host List can be expanded and contains three sub-groups utilized by the Windows Solution. -![Windows Server Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/windowsserver.webp) +![Windows Server Host List](/img/product_docs/accessanalyzer/admin/settings/windowsserver.webp) The sub-groups are: @@ -160,7 +160,7 @@ The sub-groups are: The **Work Station** Host List can be expanded and contains one sub-group utilized by the Windows Solution. -![Work Station Host List](../../../../../static/img/product_docs/accessanalyzer/admin/settings/workstation.webp) +![Work Station Host List](/img/product_docs/accessanalyzer/admin/settings/workstation.webp) The single sub-group is: diff --git a/docs/accessanalyzer/12.0/admin/settings/notification.md b/docs/accessanalyzer/12.0/admin/settings/notification.md index de2056aecf..ef4b0db8d9 100644 --- a/docs/accessanalyzer/12.0/admin/settings/notification.md +++ b/docs/accessanalyzer/12.0/admin/settings/notification.md 
@@ -4,7 +4,7 @@ The Notification node is where email notifications are configured. Emails can be Access Analyzer Console for a variety of purposes: reports on collected data, change detection alerts, conformance analysis notification, and more. -![Global Settings Notification page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/notification.webp) +![Global Settings Notification page](/img/product_docs/accessanalyzer/admin/settings/notification.webp) To enable notifications from the Access Analyzer Console, a mail server must be configured for Access Analyzer to employ for sending emails. @@ -26,7 +26,7 @@ Otherwise, click **Cancel** if no changes were intended. The Mail Server section at the top of the page is where an organization’s SMTP Server information is provided. -![Mail Server settings on Notification page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/server.webp) +![Mail Server settings on Notification page](/img/product_docs/accessanalyzer/admin/settings/server.webp) Provide the following information to enable notifications from Access Analyzer. @@ -65,7 +65,7 @@ Console. The Sender Information section is where the sender information is provided. -![Sender Information section on Notification page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/senderinformation.webp) +![Sender Information section on Notification page](/img/product_docs/accessanalyzer/admin/settings/senderinformation.webp) Configure the sender information for all Access Analyzer notifications. Since this is a global settings, any recipients configured at this level receive all notifications sent from Access 
@@ -80,7 +80,7 @@ level. The Email Content section is where the recipient information is provided. -![Email Content section on Notification page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/emailcontent.webp) +![Email Content section on Notification page](/img/product_docs/accessanalyzer/admin/settings/emailcontent.webp) - To / CC / BCC – Enter the email addresses for the recipients of the email notifications. Use a semicolon (;) to separate multiple recipients. 
@@ -93,23 +93,23 @@ Once the global **Notification** settings have been configured, it is recommende email to ensure proper configuration. This verifies all settings are correct and email is received as expected. -![Test Email Settings button](../../../../../static/img/product_docs/accessanalyzer/admin/settings/test.webp) +![Test Email Settings button](/img/product_docs/accessanalyzer/admin/settings/test.webp) The Test Email Settings button sends a test email to the recipient list. It is recommended that you test by sending an email to yourself. Once all Notification settings are configured, click the **Test Email Settings** button. -![Test email sent successfully message](../../../../../static/img/product_docs/accessanalyzer/admin/settings/testsuccess.webp) +![Test email sent successfully message](/img/product_docs/accessanalyzer/admin/settings/testsuccess.webp) A message displays stating that the test e-mail was sent successfully. -![Test email error message example](../../../../../static/img/product_docs/accessanalyzer/admin/settings/testerror.webp) +![Test email error message example](/img/product_docs/accessanalyzer/admin/settings/testerror.webp) **NOTE:** If there are any problems with the information, an error message will appear during the Test Email settings process. Correct the Notification settings until the test email is sent successfully. -![Netwrix Enterprise Auditor test e-mail](../../../../../static/img/product_docs/accessanalyzer/admin/settings/testemail.webp) +![Netwrix Enterprise Auditor test e-mail](/img/product_docs/accessanalyzer/admin/settings/testemail.webp) This email is sent to all recipients when the **Test Email settings** link is clicked. When the Notification settings are configured, click **Save** and then **Ok** to complete the configuration. diff --git a/docs/accessanalyzer/12.0/admin/settings/overview.md b/docs/accessanalyzer/12.0/admin/settings/overview.md index 893ac20f89..430a2f28b8 100644 
--- a/docs/accessanalyzer/12.0/admin/settings/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/overview.md 
@@ -5,31 +5,31 @@ inherited through a parent-child structure from the Settings node through the Jo individual jobs unless inheritance is broken by direct assignment at either the job group or the individual job level. -![Configuration Settings](../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/globalsettings.webp) +![Configuration Settings](/img/product_docs/dataclassification/ndc/admin/taxonomies/globalsettings.webp) Some of these settings are configured during the initial launching of theAccess Analyzer Console. Others are configured as desired by the end-user. Expand the Settings node in the Navigation pane to select a global setting to configure: -- [Access](access/overview.md) +- [Access](/docs/accessanalyzer/12.0/admin/settings/access/overview.md) - Configure what applications users, and groups have access to Access Analyzer - Configure Role Based Access control of Access Analyzer and the Web Console - Configure REST API -- [Application](application/overview.md) +- [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) - Configure the Access Analyzer application logging level - Configure profile security - Configure options to connecting to host targets - Configure grid view parameters for data tables and views - Configure database cleanup options - Configure the Access Analyzer application’s exit options -- [Connection](connection/overview.md) +- [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) - Optional configuration during the initial launch, but required for host inventory query execution and job execution - Provide credential sets with adequate permissions to remotely contact and gather information from target hosts - Creating a Connection Profile requires credentials with appropriate levels of permissions according to the data collector being used -- [Exchange](exchange.md) +- [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) - Required for auditing an 
organization’s Exchange environment - Only enabled for configuration once the Access Analyzer for Exchange Solution prerequisites are installed @@ -37,26 +37,26 @@ select a global setting to configure: names - The ExchangeMailbox, Exchange2K, ExchangePS, and ExchangePublicFolder Data Collectors utilize these global settings -- [History](history.md) +- [History](/docs/accessanalyzer/12.0/admin/settings/history.md) - Configure job data retention period settings - Configure diagnostics retention period settings -- [Host Discovery](hostdiscovery.md) +- [Host Discovery](/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md) - Configure host discovery settings - Configure discovery log settings -- [Host Inventory](hostinventory.md) +- [Host Inventory](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md) - Configure inventory items, performance tuning, and desired host list views -- [Notification](notification.md) +- [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) - Required for the Access Analyzer application to send email - Provide SMTP server information and sender information - Configuration requires an organization’s SMTP server name and authentication credentials (if applicable) - Encryption Options can be configured -- [Reporting](reporting.md) +- [Reporting](/docs/accessanalyzer/12.0/admin/settings/reporting.md) - Required for report publishing - Configure settings for publishing reports outside of the Access Analyzer Console (e.g. distribution via email, posting to an internal share, or posting to the Report Index) - Use information to configure accessing published reports via the Web Console -- [Schedule](schedule.md) +- [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) - Optional configuration during the initial launch if Windows authentication is used with the Storage Profile - Required in order to schedule host inventory, job, analysis task, and action task execution 
@@ -64,17 +64,17 @@ select a global setting to configure: with the Windows Task Scheduler - Creating a Schedule Service Account requires credentials on the Access Analyzer Console server - Multiple Schedule Service Accounts can be configured -- [Sensitive Data](sensitivedata/overview.md) +- [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) - Flag locations which are known to contain false positive criteria matches to be filtered out of Sensitive Data Discovery reports -- [ServiceNow](servicenow.md) +- [ServiceNow](/docs/accessanalyzer/12.0/admin/settings/servicenow.md) - Required for integration between Access Analyzer and ServiceNow® - Configure the ServiceNow Action Module authentication credentials - Configuration requires an organization’s ServiceNow instance name and authentication credentials -- [Storage](storage/overview.md) +- [Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) - Required configuration during the initial launch - Create profiles for storing output data from queries - Creating a Storage Profiles requires Microsoft® SQL® Server information -See the [Getting Started](../../gettingstarted.md) topic for additional information. +See the [Getting Started](/docs/accessanalyzer/12.0/gettingstarted.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/reporting.md b/docs/accessanalyzer/12.0/admin/settings/reporting.md index 5e9b7a5ab0..70e230c821 100644 --- a/docs/accessanalyzer/12.0/admin/settings/reporting.md +++ b/docs/accessanalyzer/12.0/admin/settings/reporting.md 
@@ -5,11 +5,11 @@ The Web Console is where any reports which have been published can be viewed out Analyzer Console. The Web Console provides a consolidated logon housing both the published reports and the AIC (when applicable). -![Global Settings Reporting page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/reporting.webp) +![Global Settings Reporting page](/img/product_docs/accessanalyzer/admin/settings/reporting.webp) The publishing of reports can be disabled at the global level by selecting **Do not publish reports** from the Publish Option drop-down menu. It can also be disabled at the job group, job, or -report configuration level. See the [Jobs Tree](../jobs/overview.md) topic for additional +report configuration level. See the [Jobs Tree](/docs/accessanalyzer/12.0/admin/jobs/overview.md) topic for additional information. The **Cancel** and **Save** buttons are in the lower-right corner of the Reporting view. These @@ -22,7 +22,7 @@ Otherwise, click **Cancel** if no changes were intended. The Website URL field contains address for the hosted website, the Web Console, where the published reports reside. -![Website URL on Global Settings Reporting page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/websiteurl.webp) +![Website URL on Global Settings Reporting page](/img/product_docs/accessanalyzer/admin/settings/websiteurl.webp) The default address is: 
@@ -44,7 +44,7 @@ topic for additional information. The Publish Option allows you to enable or disable the publishing of reports at the global level. -![Publish Option on Global Settings Reporting page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/publish.webp) +![Publish Option on Global Settings Reporting page](/img/product_docs/accessanalyzer/admin/settings/publish.webp) Select the **Publish reports** option to publish all Access Analyzer reports or select **Do not publish reports** to disable the publishing. The inheritance of this setting can be broken at the @@ -54,7 +54,7 @@ job group, job, or report levels. Configure email reports sent out by Access Analyzer using the Email Report options. -![Email options on Global Settings Reporting page](../../../../../static/img/product_docs/accessanalyzer/admin/settings/email.webp) +![Email options on Global Settings Reporting page](/img/product_docs/accessanalyzer/admin/settings/email.webp) The **E-mail reports** checkbox enables recipients to receive all published reports, unless inheritance is broken at the job group, job, or report level. Separate multiple recipients with a @@ -65,7 +65,7 @@ semicolons when the settings are saved. reports which apply to them. **NOTE:** Email reports does not work unless Access Analyzer has been configured to send email -notifications through the **Notification** node. See the [Notification](notification.md) topic for +notifications through the **Notification** node. See the [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) topic for additional information. The **Do Not Email Report If Blank** checkbox prevents reports from being sent via email if all 
@@ -99,12 +99,12 @@ Follow the steps to allow JavaScript on the Web Console in Microsoft Edge. **Step 1 –** Open Microsoft Edge Settings. -![javascriptsitepermissions](../../../../../static/img/product_docs/accessanalyzer/admin/settings/javascriptsitepermissions.webp) +![javascriptsitepermissions](/img/product_docs/accessanalyzer/admin/settings/javascriptsitepermissions.webp) **Step 2 –** Go to the **Cookies and site permissions** settings page, and click **JavaScript** under All permissions. -![javascriptsettings](../../../../../static/img/product_docs/accessanalyzer/admin/settings/javascriptsettings.webp) +![javascriptsettings](/img/product_docs/accessanalyzer/admin/settings/javascriptsettings.webp) **Step 3 –** Click **Add** in the Allow section. On the Add a site window, enter the URL for the Web Console and click **Add**. diff --git a/docs/accessanalyzer/12.0/admin/settings/schedule.md b/docs/accessanalyzer/12.0/admin/settings/schedule.md index 28ef669b7b..b52a2673c1 100644 --- a/docs/accessanalyzer/12.0/admin/settings/schedule.md +++ b/docs/accessanalyzer/12.0/admin/settings/schedule.md 
@@ -3,13 +3,13 @@ The Schedule node contains objects referred to as Schedule Service Accounts. A Schedule Service Account is used to run scheduled tasks on the Access Analyzer Console server. -![Schedule node](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Schedule node](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) Jobs can be executed manually as desired or scheduled to execute at designated times. For example, you could schedule a job to run during hours when the office is closed and network traffic is low. Windows uses the Schedule Service Account to access the task folders when launching scheduled tasks. Schedule Service Accounts are configured at the global level, and this account can be used to -schedule jobs in the Schedule Wizard. See the [Schedules](../schedule/overview.md) topic for +schedule jobs in the Schedule Wizard. See the [Schedules](/docs/accessanalyzer/12.0/admin/schedule/overview.md) topic for additional information. **CAUTION:** On Windows 2016 servers, the Schedule Service Account cannot be signed into an active @@ -23,7 +23,7 @@ Access Analyzer Vault. Choosing between the Access Analyzer application and Access Analyzer Vault is a global setting configured in the **Settings** > **Application** node. See the -[Application](application/overview.md) topic for additional information. +[Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information. Permissions 
@@ -47,10 +47,10 @@ least the following to meet Least Privileged specifications: - Write Extended Attributes - To configure Least Privilege Model Schedule Service Accounts when Role Based Access is enabled, - see the [Role Based Access](access/rolebased/overview.md) topic for additional information + see the [Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for additional information - If using Windows authentication for the Storage Profile, the Schedule Service Account must have a sufficient level of rights to connect to and interact with the Access Analyzer database. See the - [Storage](storage/overview.md) topic for additional information. + [Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) topic for additional information. The **Cancel** and **Save** buttons are in the lower-right corner of the Schedule view. These buttons become enabled when modifications are made to the Schedule global settings. Whenever changes @@ -58,14 +58,14 @@ are made at the global level, click **Save** and then **OK** to confirm the chan click **Cancel** if no changes were intended. The Access Analyzer vault provides enhanced security through enhanced encryption to various -credentials stored by the Access Analyzer application. See the [Vault](application/vault.md) topic +credentials stored by the Access Analyzer application. See the [Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for additional information. ## Schedule Service Account Types There are two types of accounts that can be used to configure the Schedule Service Account. -![serviceaccounttypes](../../../../../static/img/product_docs/accessanalyzer/admin/settings/serviceaccounttypes.webp) +![serviceaccounttypes](/img/product_docs/accessanalyzer/admin/settings/serviceaccounttypes.webp) Use one of the following options for the Schedule Service Account: 
@@ -94,12 +94,12 @@ _Remember,_ the Schedule Service Account cannot be signed into an active session Analyzer Console server when the time comes for a scheduled task to start when it has a Windows 2016 operating system. -![Add User credential option in the Schedule view](../../../../../static/img/product_docs/accessanalyzer/admin/settings/addusercredential.webp) +![Add User credential option in the Schedule view](/img/product_docs/accessanalyzer/admin/settings/addusercredential.webp) **Step 1 –** Click **Add User credential** at the top of the Schedule view. The User Credentials window opens. -![User Credentials window](../../../../../static/img/product_docs/accessanalyzer/admin/settings/usercredentialswindow.webp) +![User Credentials window](/img/product_docs/accessanalyzer/admin/settings/usercredentialswindow.webp) **Step 2 –** The window options change according to the value for the **Selected Account Type** field. Select the appropriate account type and then provide the required information. The account @@ -116,7 +116,7 @@ types are: the **Settings** > **Application** node - Managed Service Account – Use previously configured MSA and gMSAs for authentication. The password fields are not applicable when this option is selected. See the - [Group Managed Service Accounts (gMSA) Configuration](connection/gmsa.md) topic for + [Group Managed Service Accounts (gMSA) Configuration](/docs/accessanalyzer/12.0/admin/settings/connection/gmsa.md) topic for additional information. - Password – Type the password 
@@ -139,28 +139,28 @@ messages might appear: - Passwords Do Not Match Error - ![Passwords Do Not Match Error](../../../../../static/img/product_docs/accessanalyzer/admin/settings/passwordsdontmatch.webp) + ![Passwords Do Not Match Error](/img/product_docs/accessanalyzer/admin/settings/passwordsdontmatch.webp) - This error indicates the two password entries do not match. Click **OK** and reenter the passwords. - Bad User Name or Password Error - ![Bad User Name or Password Error](../../../../../static/img/product_docs/accessanalyzer/admin/settings/incorrectlogondetails.webp) + ![Bad User Name or Password Error](/img/product_docs/accessanalyzer/admin/settings/incorrectlogondetails.webp) - This error indicates either the user account does not exist or the username and password do not match. Click **OK** and reenter the information. - Insufficient Rights Error - ![Insufficient Rights Error](../../../../../static/img/product_docs/accessanalyzer/admin/settings/insufficientrights.webp) + ![Insufficient Rights Error](/img/product_docs/accessanalyzer/admin/settings/insufficientrights.webp) - This error indicates the account supplied does not have sufficient rights to create and run scheduled tasks. Click **OK** and provide credentials with sufficient rights. - GPO Network Security Error - ![GPO Network Security Error](../../../../../static/img/product_docs/accessanalyzer/admin/settings/gponetworksecurity.webp) + ![GPO Network Security Error](/img/product_docs/accessanalyzer/admin/settings/gponetworksecurity.webp) - This error indicates that the GPO Network Security settings are configured to not allow storage of passwords and credentials for network authentication. Click OK. Disable the 
@@ -183,7 +183,7 @@ _Remember,_ the Schedule Service Account cannot be signed into an active session Analyzer Console server when the time comes for a scheduled task to start when it has a Windows 2016 operating system. -![Edit option in the Schedule view](../../../../../static/img/product_docs/accessanalyzer/admin/settings/edit.webp) +![Edit option in the Schedule view](/img/product_docs/accessanalyzer/admin/settings/edit.webp) **Step 1 –** Select a credential from the User Credentials list and click on **Edit**. The User Credentials window opens. @@ -201,12 +201,12 @@ Access Analyzer can now schedule tasks with this Scheduled Service Account. Follow the steps to delete a Schedule Service Account. -![Delete option in the Schedule view](../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) +![Delete option in the Schedule view](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) **Step 1 –** Select the credential from the User Credentials list and click **Delete**. The Delete Credentials confirmation window appears. -![Delete Credentials confirmation window](../../../../../static/img/product_docs/accessanalyzer/admin/settings/deletecredentials.webp) +![Delete Credentials confirmation window](/img/product_docs/accessanalyzer/admin/settings/deletecredentials.webp) **Step 2 –** Click **OK** to confirm the deletion or **Cancel** to exit the deletion process. diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/criteria.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/criteria.md index 9213e4bfbd..77a03b5a34 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/criteria.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/criteria.md 
@@ -3,7 +3,7 @@ Configure the list of selected sensitive data criteria that will be used within sensitive data scan jobs using the Criteria Tab. -![Sensitive Data Criteria tab](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/criteriatab.webp) +![Sensitive Data Criteria tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/criteriatab.webp) The options on the Criteria Tab are: @@ -12,7 +12,7 @@ The options on the Criteria Tab are: information. - Remove – Removes the selected criteria from being inherited by Sensitive Data scan jobs - Launch Editor – Opens the Sensitive Data Criteria Editor. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. - Search selected criteria – Filter the criteria listed in the Criteria tab @@ -25,11 +25,11 @@ Otherwise, click **Cancel** if no changes were intended. Follow the steps to add Search Criteria for Sensitive Data scan jobs. -![Add criteria](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/addcriteria.webp) +![Add criteria](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/addcriteria.webp) **Step 1 –** Click **Add** to open the Select Criteria window. -![Select Criteria window](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/selectcriteria.webp) +![Select Criteria window](/img/product_docs/accessanalyzer/install/application/upgrade/selectcriteria.webp) **Step 2 –** Select the checkbox to select the criteria. Use the **Search Criteria** text field to filter the list using keywords or expand each category to view and select individual Sensitive Data 
diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/add.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/add.md index efcd62f281..938c5d589c 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/add.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/add.md @@ -2,11 +2,11 @@ Follow the steps to add a False Positive Exclusion Filter. -![Add Filter on False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/addfilter.webp) +![Add Filter on False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/addfilter.webp) **Step 1 –** Click **Add Filter** to open the Add False Positive Exclusion Filter window. -![Add False Positive Exclusion Filter window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/addexclusionfilterwindow.webp) +![Add False Positive Exclusion Filter window](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/addexclusionfilterwindow.webp) **Step 2 –** Enter the **File Path** according to the type of format for the repository. diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/delete.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/delete.md index 7adebfd8ad..be58cf5cf0 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/delete.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/delete.md 
@@ -2,7 +2,7 @@ Follow the steps to delete a False Positive Exclusion Filter. -![Delete Filter on False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/deletefilter.webp) +![Delete Filter on False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/deletefilter.webp) **Step 1 –** Select a filter from the list and click **Delete Filter**. diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md index 06a3bcc1bb..43234d3115 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md @@ -2,11 +2,11 @@ Follow the steps to edit a False Positive Exclusion Filter. -![Edit Filter on False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/editfilter.webp) +![Edit Filter on False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/editfilter.webp) **Step 1 –** Click **Edit Filter** to open the Edit False Positive Exclusion Filter window. -![Edit False Positive Exclusion Filter window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/editexclusionfilterwindow.webp) +![Edit False Positive Exclusion Filter window](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/editexclusionfilterwindow.webp) **Step 2 –** Make modifications to the File Path, Source type, and Search Criteria. diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/export.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/export.md index 74d798c100..4e30ff2415 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/export.md 
+++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/export.md @@ -2,12 +2,12 @@ Follow the steps to export selected False Positive Exclusion Filters into a TXT file. -![Export on False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/exportfilter.webp) +![Export on False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/exportfilter.webp) **Step 1 –** Select the false positive exclusion filters to export and click **Export**. The File Explorer opens. -![Select False Positive Exclusion filter file to export File Explorer window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/exportfileexplorer.webp) +![Select False Positive Exclusion filter file to export File Explorer window](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/exportfileexplorer.webp) **Step 2 –** Enter a File name for the TXT file that the exported false positive exclusion filters will be contained in. Click **Save**. diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/import.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/import.md index 85a9ab0e5a..2f2ea7c4e7 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/import.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/import.md 
@@ -6,17 +6,17 @@ scoped to a single solution and a criteria set. Follow the steps to import a list of False Positive Exclusion Filter. -![Import on False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/importfilter.webp) +![Import on False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/importfilter.webp) **Step 1 –** Click **Import** to open the Select False Positive Exclusion Filter file to import window. -![Select False Positive Exclusion Filter file to import window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/importfileexplorer.webp) +![Select False Positive Exclusion Filter file to import window](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/importfileexplorer.webp) **Step 2 –** Navigate to the file that will be imported. Select the file and click **Open**. The Configure Imported False Positive Exclusion Filters window opens. -![Configure Imported False Positive Exclusion Filters window](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/configureexclusionfilterwindow.webp) +![Configure Imported False Positive Exclusion Filters window](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/configureexclusionfilterwindow.webp) **Step 3 –** Select the repository type from the **Source** drop-down menu. @@ -30,4 +30,4 @@ Filters window closes. The imported list of False Positive Exclusion Filters are now applied to Sensitive Data reports. If all of the files in the import were not meant to have the same Source and Criteria set, see the -[Editing False Positive Exclusion Filters](edit.md) topic for additional information. +[Editing False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md) topic for additional information. 
diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/overview.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/overview.md index d5dc3dcbd3..9eeb70bd52 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/overview.md 
@@ -4,23 +4,23 @@ Configure False Positive exclusion filters using the options in the False Positi Positives Filters listed here as False Positives results in the corresponding matches being removed from Access Analyzer and Access Information Center reports. -![False Positives tab](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/falsepositivestab.webp) +![False Positives tab](/img/product_docs/accessanalyzer/admin/settings/sensitivedata/exclusions/falsepositivestab.webp) The options under the False Positives Tab are: - Add Filter – Opens the Add False Positive Exclusion Filter window to add False Positive Exclusion - Filters. See the [Adding False Positive Exclusion Filters](add.md) topic for additional + Filters. See the [Adding False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/add.md) topic for additional information. - Edit Filter – Opens the Edit False Positive Exclusion Filter window to edit the selected filters - in the list. See the [Editing False Positive Exclusion Filters](edit.md) topic for additional + in the list. See the [Editing False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/edit.md) topic for additional information. - Delete Filter – Deletes the selected false positive exclusion filter. See the - [Deleting False Positive Exclusion Filters](delete.md) topic for additional information. + [Deleting False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/delete.md) topic for additional information. - Import – Imports a text file to populate the False Positives tab with False Positive Exclusion - Filters. See the [Importing False Positive Exclusion Filters](import.md) topic for additional + Filters. See the [Importing False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/import.md) topic for additional information. 
- Export – Exports selected false positive exclusion filters in a text file. See the - [Exporting False Positive Exclusion Filters](export.md) topic for additional information. + [Exporting False Positive Exclusion Filters](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/export.md) topic for additional information. The False Positives view displays the following information for the False Positive Exclusion Filters: diff --git a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md index 03d9919a48..c5764c2e94 100644 --- a/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md 
@@ -2,18 +2,18 @@ The Sensitive Data node provides configuration options to manage sensitive data criteria and false positive exclusion filters. These settings require Sensitive Data Discovery to be licensed. See the -[Sensitive Data Discovery](../../../sensitivedatadiscovery/overview.md) topic for additional +[Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. **NOTE:** Sensitive data exclusion filters can only be applied to the -[File System Solution](../../../solutions/filesystem/overview.md) and the -[SharePoint Solution](../../../solutions/sharepoint/overview.md). +[File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) and the +[SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md). -![Sensitive Data settings](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) +![Sensitive Data settings](/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) The tabs in the Sensitive Data node are: - Criteria – Configure Search Criteria to be used in Sensitive Data scan jobs. See the - [Criteria Tab](criteria.md) topic for additional information. + [Criteria Tab](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/criteria.md) topic for additional information. - False Positives – Configure False Positive exclusion filters. See the - [False Positives Tab](exclusions/overview.md) topic for additional information. + [False Positives Tab](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/exclusions/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/servicenow.md b/docs/accessanalyzer/12.0/admin/settings/servicenow.md index 5eaafaa354..633a0d8d90 100644 --- a/docs/accessanalyzer/12.0/admin/settings/servicenow.md +++ b/docs/accessanalyzer/12.0/admin/settings/servicenow.md 
@@ -2,10 +2,10 @@ The ServiceNow® node is for configuring the settings needed to integrate with ServiceNow. These settings are exclusive to the Access Analyzer integration with ServiceNow and are used by the -ServiceNow Action Module. See the [ServiceNow Action Module](../action/servicenow/overview.md) topic +ServiceNow Action Module. See the [ServiceNow Action Module](/docs/accessanalyzer/12.0/admin/action/servicenow/overview.md) topic for additional information. -![ServiceNow node](../../../../../static/img/product_docs/accessanalyzer/admin/settings/servicenow.webp) +![ServiceNow node](/img/product_docs/accessanalyzer/admin/settings/servicenow.webp) Provide ServiceNow authentication information to your ServiceNow instance. diff --git a/docs/accessanalyzer/12.0/admin/settings/storage/add.md b/docs/accessanalyzer/12.0/admin/settings/storage/add.md index 1155793f81..a68f2f9313 100644 --- a/docs/accessanalyzer/12.0/admin/settings/storage/add.md +++ b/docs/accessanalyzer/12.0/admin/settings/storage/add.md 
@@ -2,27 +2,27 @@ Follow the steps to create a Storage Profile. -![Add Storage profile option](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofile.webp) +![Add Storage profile option](/img/product_docs/accessanalyzer/admin/settings/storage/addprofile.webp) **Step 1 –** Click **Add Storage profile** at the top of the Storage view. -![New Storage profile added](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofilename.webp) +![New Storage profile added](/img/product_docs/accessanalyzer/admin/settings/storage/addprofilename.webp) **Step 2 –** A new profile line appears in the Storage Profiles list with a generic name. Change the Profile name to a unique and descriptive name. -![Server Name field](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofileservername.webp) +![Server Name field](/img/product_docs/accessanalyzer/admin/settings/storage/addprofileservername.webp) **Step 3 –** Type the SQL **Server name** in the textbox provided. This can be a NetBIOS name, a fully qualified domain name, or an IP Address. If the SQL Server specified is configured to use a named instance, provide the **Instance name** in the next textbox. -![Command timeout field](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofiletimeout.webp) +![Command timeout field](/img/product_docs/accessanalyzer/admin/settings/storage/addprofiletimeout.webp) **Step 4 –** Specify the time in minutes that must expire before Access Analyzer halts any SQL queries running for that amount of time. -![Authentication options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofileauthentication.webp) +![Authentication options](/img/product_docs/accessanalyzer/admin/settings/storage/addprofileauthentication.webp) **Step 5 –** Select the radio button for the appropriate authentication mode. 
If using **SQL Server authentication** , provide a **User name** and **Password** in the textboxes. @@ -32,7 +32,7 @@ than SQL Server Authentication. See the Microsoft [Choose an authentication mode](https://learn.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode) article for additional information. -| ![Good connection test](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofilebadconnection.webp) | +| ![Good connection test](/img/product_docs/accessanalyzer/admin/settings/storage/addprofilebadconnection.webp) | | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | Good Connection Test | Bad Connection Test | @@ -41,7 +41,7 @@ for additional information. the drop-down arrow for an existing database. If the connection is established, a listing of databases appears. If the connection cannot be established, an error warning displays. -![Database options](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/addprofiledatabase.webp) +![Database options](/img/product_docs/accessanalyzer/admin/settings/storage/addprofiledatabase.webp) **Step 7 –** Set the database through one of the following options: 
@@ -50,7 +50,7 @@ databases appears. If the connection cannot be established, an error warning dis - Create new database – Click this radio button and provide a unique, descriptive name in the textbox -![Connection report](../../../../../../static/img/product_docs/accessanalyzer/install/application/connectionreport.webp) +![Connection report](/img/product_docs/accessanalyzer/install/application/connectionreport.webp) **Step 8 –** Click **Apply** and a Connection report window opens. The Connection report checks for the appropriate permissions and lists any that are missing. If no permissions are present, an error diff --git a/docs/accessanalyzer/12.0/admin/settings/storage/default.md b/docs/accessanalyzer/12.0/admin/settings/storage/default.md index a456a458e5..87602ff846 100644 --- a/docs/accessanalyzer/12.0/admin/settings/storage/default.md +++ b/docs/accessanalyzer/12.0/admin/settings/storage/default.md @@ -4,12 +4,12 @@ While multiple Storage Profiles can exist, only one profile can be set as the de checkmark next to the profile name indicates the default Storage Profile. Follow the steps to change the default Storage Profile at the global level. -![Set as Default option on Storage page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/default.webp) +![Set as Default option on Storage page](/img/product_docs/accessanalyzer/admin/settings/storage/default.webp) **Step 1 –** Select the profile to be the new default, and click **Set as default**. The Change storage profile window opens. -![Change storage profile window](../../../../../../static/img/product_docs/accessanalyzer/install/application/changestorageprofile.webp) +![Change storage profile window](/img/product_docs/accessanalyzer/install/application/changestorageprofile.webp) **Step 2 –** There are three options for host management data migration. Select the desired option, choose whether or not to apply the secondary option, and click **OK**. 
@@ -33,11 +33,11 @@ choose whether or not to apply the secondary option, and click **OK**. - Clear data in destination table – If selected, all host management data in the destination table is deleted -![Change storage profile window when transfer is complete](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/changestorageprofilefinish.webp) +![Change storage profile window when transfer is complete](/img/product_docs/accessanalyzer/admin/settings/storage/changestorageprofilefinish.webp) **Step 3 –** When the host management data migration has completed, click **Finish**. -![Storage page with new default storage profile](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/defaultsave.webp) +![Storage page with new default storage profile](/img/product_docs/accessanalyzer/admin/settings/storage/defaultsave.webp) **Step 4 –** A blue arrow now points to the new default Storage Profile. However, the arrow is also an indication that the new default is not fully recognized by Access Analyzer. Click **Save** and diff --git a/docs/accessanalyzer/12.0/admin/settings/storage/delete.md b/docs/accessanalyzer/12.0/admin/settings/storage/delete.md index 43cc7afaa9..4e05bbedca 100644 --- a/docs/accessanalyzer/12.0/admin/settings/storage/delete.md +++ b/docs/accessanalyzer/12.0/admin/settings/storage/delete.md 
@@ -5,11 +5,11 @@ Follow the steps to delete a Storage Profile. **NOTE:** This procedure does not delete databases from the SQL Server. It only removes the selected Storage Profile from this Access Analyzer Console. -![Delete Storage Profile option](../../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) +![Delete Storage Profile option](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) **Step 1 –** Select the Storage Profile to be removed, and click **Delete**. -![Confirm delete selected profile dialog](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/deleteconfirm.webp) +![Confirm delete selected profile dialog](/img/product_docs/accessanalyzer/admin/settings/storage/deleteconfirm.webp) **Step 2 –** Confirm the operation by clicking **OK**. diff --git a/docs/accessanalyzer/12.0/admin/settings/storage/overview.md b/docs/accessanalyzer/12.0/admin/settings/storage/overview.md index 5be352fab8..0950b4fadb 100644 --- a/docs/accessanalyzer/12.0/admin/settings/storage/overview.md +++ b/docs/accessanalyzer/12.0/admin/settings/storage/overview.md @@ -3,7 +3,7 @@ The Storage node contains objects known as Storage Profiles. Storage Profiles house the information Access Analyzer uses to connect to a SQL Server database within your environment. -![Storage Node](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) +![Storage Node](/img/product_docs/accessanalyzer/admin/settings/storage/storage.webp) Each Storage Profile consists of the following parts: 
@@ -34,7 +34,7 @@ Each Storage Profile consists of the following parts: - Windows authentication – Leverages the account used to run the Access Analyzer Console **NOTE:** This option affects the credentials used for Schedule Service Accounts. See the - [Schedule](../schedule.md) topic for additional information. + [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information. - SQL Server authentication – Leverages the account provided in the **User name** and **Password** textboxes @@ -49,15 +49,15 @@ Each Storage Profile consists of the following parts: - Create new database – Access Analyzer automatically creates a new database using the name provided in the textbox. This value should be a unique, descriptive name. -![Operations on the Storage view](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/storageoperations.webp) +![Operations on the Storage view](/img/product_docs/accessanalyzer/admin/settings/storage/storageoperations.webp) At the Storage view, the following operations are available: -- Add Storage profile – Create a new Storage Profile. See the [Add a Storage Profile](add.md) topic +- Add Storage profile – Create a new Storage Profile. See the [Add a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/add.md) topic for additional information. - Set as default – Change the default Storage Profile. See the - [Set a Default Storage Profile](default.md) topic for additional information. -- Delete – Remove a Storage Profile. See the [Delete a Storage Profile](delete.md) topic for + [Set a Default Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/default.md) topic for additional information. +- Delete – Remove a Storage Profile. See the [Delete a Storage Profile](/docs/accessanalyzer/12.0/admin/settings/storage/delete.md) topic for additional information. **NOTE:** A green checkmark in the Storage Profiles list indicates the default Storage Profile. 
@@ -68,5 +68,5 @@ at the global level, click **Save** and then **OK** to confirm the changes. Othe **Cancel** if no changes were intended. The vault provides enhanced security through enhanced encryption to various credentials stored by -the Access Analyzer application. See the [Vault](../application/vault.md) topic for additional +the Access Analyzer application. See the [Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/admin/settings/storage/updateauth.md b/docs/accessanalyzer/12.0/admin/settings/storage/updateauth.md index 3f74a870ef..b694ff571b 100644 --- a/docs/accessanalyzer/12.0/admin/settings/storage/updateauth.md +++ b/docs/accessanalyzer/12.0/admin/settings/storage/updateauth.md @@ -7,7 +7,7 @@ Console. **Step 2 –** Locate and select a **Storage Profile** to update. -![Specify a new password below option on Storage page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/storage/updateauth.webp) +![Specify a new password below option on Storage page](/img/product_docs/accessanalyzer/admin/settings/storage/updateauth.webp) **Step 3 –** In the Authentication section, click the **Specify a new password below** radio button. diff --git a/docs/accessanalyzer/12.0/cdsa/job.md b/docs/accessanalyzer/12.0/cdsa/job.md index 5605bec660..a0c7db3315 100644 --- a/docs/accessanalyzer/12.0/cdsa/job.md +++ b/docs/accessanalyzer/12.0/cdsa/job.md 
@@ -1,12 +1,12 @@ # CDSA Job The CDSA Job is available through the Instant Job Library under the CDSA library. See the -[Instant Job Wizard](../admin/jobs/instantjobs/overview.md) topic for instructions of how to add +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for instructions of how to add this instant job to the Jobs tree. When installing the job, select **Local host** on the Host pages of the Instant Job Wizard. Ensure the supporting solutions have successfully collected and analyzed data prior to running this -job. See the [Presentation Dependencies](presentation.md) topic for alignment between presentation +job. See the [Presentation Dependencies](/docs/accessanalyzer/12.0/cdsa/presentation.md) topic for alignment between presentation slides and jobs that supply the data points. The CDSA job generates three PowerPoint files: diff --git a/docs/accessanalyzer/12.0/cdsa/overview.md b/docs/accessanalyzer/12.0/cdsa/overview.md index 2c55b780bd..4c517e1172 100644 --- a/docs/accessanalyzer/12.0/cdsa/overview.md +++ b/docs/accessanalyzer/12.0/cdsa/overview.md @@ -5,7 +5,7 @@ Proper data security begins with a strong foundation. The Credential & Data Secu Directory, and Windows infrastructure. The CDSA job depends upon several Access Analyzer solutions for data collection. See the -[Requirements](../requirements/overview.md) topic for installation and database requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for installation and database requirements. ## Supporting Solutions 
@@ -15,40 +15,40 @@ generate the CDSA presentations: - .Active Directory Inventory Solution - See the - [.Active Directory Inventory Solution](../solutions/activedirectoryinventory/overview.md) + [.Active Directory Inventory Solution](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md) topic for additional information - Active Directory Solution - - See the [Active Directory Solution](../solutions/activedirectory/overview.md) topic for + - See the [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information - Active Directory Permissions Analyzer Solution - See the - [Active Directory Permissions Analyzer Solution](../solutions/activedirectorypermissionsanalyzer/overview.md) + [Active Directory Permissions Analyzer Solution](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md) topic for additional information - File System Solution - - See the [File System Solution](../solutions/filesystem/overview.md) topic for additional + - See the [File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information - Windows Solution - - See the [Windows Solution](../solutions/windows/overview.md) topic for additional information + - See the [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information The following additional solutions also provide data to the CDSA job: -- [Entra ID Solution](../solutions/entraid/overview.md) -- [AWS Solution](../solutions/aws/overview.md) -- [Box Solution](../solutions/box/overview.md) -- [Dropbox Solution](../solutions/dropbox/overview.md) -- [Exchange Solution](../solutions/exchange/overview.md) -- [Oracle Solution](../solutions/databases/oracle/overview.md) -- [SharePoint Solution](../solutions/sharepoint/overview.md) -- [SQL Job Group](../solutions/databases/sql/overview.md) +- [Entra ID 
Solution](/docs/accessanalyzer/12.0/solutions/entraid/overview.md) +- [AWS Solution](/docs/accessanalyzer/12.0/solutions/aws/overview.md) +- [Box Solution](/docs/accessanalyzer/12.0/solutions/box/overview.md) +- [Dropbox Solution](/docs/accessanalyzer/12.0/solutions/dropbox/overview.md) +- [Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) +- [Oracle Solution](/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md) +- [SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md) +- [SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md) Additionally, the Sensitive Data Discovery Add-On also contributes to the CDSA presentations. See -the [Sensitive Data Discovery](../sensitivedatadiscovery/overview.md) topic for additional +the [Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/activedirectory/access.md b/docs/accessanalyzer/12.0/config/activedirectory/access.md index 43f516094b..f3e1a862bc 100644 --- a/docs/accessanalyzer/12.0/config/activedirectory/access.md +++ b/docs/accessanalyzer/12.0/config/activedirectory/access.md 
@@ -24,14 +24,14 @@ permissions in a Microsoft® Active Directory® environment described in this to subtopics. This solution employs the following data collectors to scan for groups, users, computers, passwords, permissions, group policies, and domain information: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [ActiveDirectory Data Collector](../../admin/datacollector/activedirectory/overview.md) -- [ADActivity Data Collector](../../admin/datacollector/adactivity/overview.md) -- [GroupPolicy Data Collector](../../admin/datacollector/grouppolicy/overview.md) -- [LDAP Data Collector](../../admin/datacollector/ldap.md) -- [PasswordSecurity Data Collector](../../admin/datacollector/passwordsecurity/overview.md) -- [PowerShell Data Collector](../../admin/datacollector/powershell/overview.md) -- [Registry Data Collector](../../admin/datacollector/registry.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [ActiveDirectory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/activedirectory/overview.md) +- [ADActivity Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adactivity/overview.md) +- [GroupPolicy Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md) +- [LDAP Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ldap.md) +- [PasswordSecurity Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md) +- [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) +- [Registry Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/registry.md) ## Permissions 
@@ -107,7 +107,7 @@ minimum requirements, which must be configured at the Domain level in Active Dir **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. AD_WeakPasswords Job Permissions diff --git a/docs/accessanalyzer/12.0/config/activedirectory/activity.md b/docs/accessanalyzer/12.0/config/activedirectory/activity.md index a5f1f118a9..b2d375f600 100644 --- a/docs/accessanalyzer/12.0/config/activedirectory/activity.md +++ b/docs/accessanalyzer/12.0/config/activedirectory/activity.md @@ -6,7 +6,7 @@ Access Analyzer: - API Server - File Archive Repository -See the [File Archive Repository Option](filearchive.md) topic for additional information on that +See the [File Archive Repository Option](/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md) topic for additional information on that option. ## API Server Option 
@@ -176,11 +176,11 @@ against the target domain. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) **Step 4 –** On the Category page, choose **Import from SAM** option and click **Next**. -![Active Directory Activity DC wizard SAM connection settings page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) +![Active Directory Activity DC wizard SAM connection settings page](/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) **Step 5 –** On the SAM connection page, the **Port** is set to the default 4494. This needs to match the port configured for the Activity Monitor API Server agent. @@ -194,7 +194,7 @@ last step. **Step 8 –** Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 9 –** On the Scope page, set the Timespan as desired. There are two options: diff --git a/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md b/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md index 568681a2c5..2fc64b5f9d 100644 --- a/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md +++ b/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md 
@@ -121,17 +121,17 @@ the target domain. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) **Step 4 –** On the Category page, choose **Import from Share** option and click **Next**. -![Active Directory Activity DC wizard Share settings page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/share.webp) +![Active Directory Activity DC wizard Share settings page](/img/product_docs/activitymonitor/config/activedirectory/share.webp) **Step 5 –** On the Share page, provide the UNC path to the AD Activity share archive location. If there are multiple archives in the same network share, check the **Include Sub-Directories** box. Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 6 –** On the Scope page, set the Timespan as desired. There are two options: diff --git a/docs/accessanalyzer/12.0/config/activedirectory/overview.md b/docs/accessanalyzer/12.0/config/activedirectory/overview.md index 5068e23791..859d143f58 100644 --- a/docs/accessanalyzer/12.0/config/activedirectory/overview.md +++ b/docs/accessanalyzer/12.0/config/activedirectory/overview.md 
@@ -11,19 +11,19 @@ The following permission is needed: - Member of the Domain Administrators group Some collection jobs do allow for a least privilege model. See the -[Active Directory Auditing Configuration](access.md) topic for additional information. +[Active Directory Auditing Configuration](/docs/accessanalyzer/12.0/config/activedirectory/access.md) topic for additional information. ## Auditing Port Requirements Ports vary based on the data collector being used. See the -[Active Directory Auditing Configuration](access.md) topic for additional information. +[Active Directory Auditing Configuration](/docs/accessanalyzer/12.0/config/activedirectory/access.md) topic for additional information. ## Activity Auditing Permissions **NOTE:** Active Directory domain activity events can also be monitored through Netwrix Threat Prevention. This requires integration between it and Netwrix Activity Monitor to enable access to the data for Access Analyzer Active Directory Activity scans. See the -[Send Active Directory Event Data from Netwrix Threat Prevention to Netwrix Access Analyzer](threatprevention.md) +[Send Active Directory Event Data from Netwrix Threat Prevention to Netwrix Access Analyzer](/docs/accessanalyzer/12.0/config/activedirectory/threatprevention.md) topic for additional information. Requirements to Deploy the AD Agent on the Domain Controller @@ -50,7 +50,7 @@ READ and WRITE permissions on the archive location. Integration with Access Analyzer -See the [Active Directory Activity Auditing Configuration](activity.md) topic for target environment +See the [Active Directory Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/activedirectory/activity.md) topic for target environment requirements. ## Activity Auditing Port Requirements 
@@ -65,7 +65,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor diff --git a/docs/accessanalyzer/12.0/config/dellcelerravnx/activity.md b/docs/accessanalyzer/12.0/config/dellcelerravnx/activity.md index 09c5763ef3..ff1db57e1c 100644 --- a/docs/accessanalyzer/12.0/config/dellcelerravnx/activity.md +++ b/docs/accessanalyzer/12.0/config/dellcelerravnx/activity.md @@ -34,7 +34,7 @@ Checklist Item 2: Install Dell CEE - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server -- See the [Install & Configure Dell CEE](installcee.md) topic for instructions. +- See the [Install & Configure Dell CEE](/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md) topic for instructions. Checklist Item 3: Dell Device Configuration diff --git a/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md b/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md index 68b42142fb..40b05af2f7 100644 --- a/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md +++ b/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md 
@@ -23,7 +23,7 @@ guide to install and configure the CEE. The installation will add two services t **_RECOMMENDED:_** The latest version of .NET Framework and Dell CEE is recommended to use with the asynchronous bulk delivery (VCAPS) feature. -See the [CEE Debug Logs](../dellunity/validate.md#cee-debug-logs) section for information on +See the [CEE Debug Logs](/docs/accessanalyzer/12.0/config/dellunity/validate.md#cee-debug-logs) section for information on troubleshooting issues related to Dell CEE. After Dell CEE installation is complete, it is necessary to @@ -37,7 +37,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -61,7 +61,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/accessanalyzer/12.0/config/dellcelerravnx/overview.md b/docs/accessanalyzer/12.0/config/dellcelerravnx/overview.md index 55390383b3..d27f90392e 100644 --- a/docs/accessanalyzer/12.0/config/dellcelerravnx/overview.md +++ b/docs/accessanalyzer/12.0/config/dellcelerravnx/overview.md 
@@ -18,13 +18,13 @@ host: These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the -[Dell Celerra & Dell VNX Access & Sensitive Data Auditing Configuration](access.md) topic for +[Dell Celerra & Dell VNX Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/dellcelerravnx/access.md) topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Troubleshooting Dell Celerra & Dell VNX Denied Access Errors @@ -41,7 +41,7 @@ website. The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -71,7 +71,7 @@ where the activity agent is deployed. EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start. -See the [Dell Celerra & Dell VNX Activity Auditing Configuration](activity.md) topic for +See the [Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/dellcelerravnx/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -92,7 +92,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Celerra & Dell VNX Devices diff --git a/docs/accessanalyzer/12.0/config/dellcelerravnx/validate.md b/docs/accessanalyzer/12.0/config/dellcelerravnx/validate.md index 1402480769..01e0906c40 100644 --- a/docs/accessanalyzer/12.0/config/dellcelerravnx/validate.md +++ b/docs/accessanalyzer/12.0/config/dellcelerravnx/validate.md @@ -6,7 +6,7 @@ configuration must be validated to ensure events are being monitored. ## Validate Dell CEE Registry Key Settings **NOTE:** See the -[Configure Dell Registry Key Settings](../dellunity/installcee.md#configure-dell-registry-key-settings) +[Configure Dell Registry Key Settings](/docs/accessanalyzer/12.0/config/dellunity/installcee.md#configure-dell-registry-key-settings) topic for information on manually setting the registry key. After the Activity Monitor activity agent has been configured to monitor the Dell device, it will @@ -23,7 +23,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. 
@@ -80,7 +80,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/accessanalyzer/12.0/config/dellpowerscale/activity.md b/docs/accessanalyzer/12.0/config/dellpowerscale/activity.md index e9fcd63f0e..7082e66423 100644 --- a/docs/accessanalyzer/12.0/config/dellpowerscale/activity.md +++ b/docs/accessanalyzer/12.0/config/dellpowerscale/activity.md @@ -32,7 +32,7 @@ Checklist Item 1: Plan Deployment Isilon/PowerScale cluster with more than one pair of Dell CEE and Activity Monitor Agent. The activity will be evenly distributed between the pairs. -Checklist Item 2: [Install Dell CEE](installcee.md) +Checklist Item 2: [Install Dell CEE](/docs/accessanalyzer/12.0/config/dellpowerscale/installcee.md) - Dell CEE should be installed on a Windows or a Linux server. @@ -59,7 +59,7 @@ Checklist Item 3: Configure Auditing on the Dell Isilon/PowerScale Cluster Monitor - Choose between monitoring all Access Zones or scoping to specific Access Zones - - [Manually Configure Auditing in OneFS](manualconfiguration.md) + - [Manually Configure Auditing in OneFS](/docs/accessanalyzer/12.0/config/dellpowerscale/manualconfiguration.md) - After configuration, add the Isilon/PowerScale device to be monitored by the Activity Monitor 
@@ -131,4 +131,4 @@ Another way to check the privileges is to use the **OneFS Web UI** in the **OneF **Membership** > **User Mapping** > **Test User Mapping** section. Checklist Item 4: Configure Dell CEE to Forward Events to the Activity Agent. See the -[Validate Setup](validate.md) topic for additional information. +[Validate Setup](/docs/accessanalyzer/12.0/config/dellpowerscale/validate.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/dellpowerscale/installcee.md b/docs/accessanalyzer/12.0/config/dellpowerscale/installcee.md index 11dda1e6a7..0a3f846de3 100644 --- a/docs/accessanalyzer/12.0/config/dellpowerscale/installcee.md +++ b/docs/accessanalyzer/12.0/config/dellpowerscale/installcee.md @@ -35,7 +35,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -59,7 +59,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/accessanalyzer/12.0/config/dellpowerscale/manualconfiguration.md b/docs/accessanalyzer/12.0/config/dellpowerscale/manualconfiguration.md index 374b246d93..1e61850caf 100644 --- a/docs/accessanalyzer/12.0/config/dellpowerscale/manualconfiguration.md +++ b/docs/accessanalyzer/12.0/config/dellpowerscale/manualconfiguration.md 
@@ -6,7 +6,7 @@ Administration Console. **Step 1 –** Navigate to the **Cluster Management** tab, and select **Auditing**. -![settings](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![settings](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) **Step 2 –** In the Settings section, check the Enable Protocol Access Auditing box. @@ -37,7 +37,7 @@ For each monitored access zone: isi audit settings modify --zone ZONENAME --audit-success=close_file_modified,close_file_unmodified,create_file,create_directory,delete_file,delete_directory,rename_file,rename_directory,set_security_file,set_security_directory -![eventforwarding](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/eventforwarding.webp) +![eventforwarding](/img/product_docs/activitymonitor/config/dellpowerscale/eventforwarding.webp) **Step 4 –** In the Event Forwarding section, add the CEE Server URI value for the Windows or Linux server hosting CEE. Use either of the following format: diff --git a/docs/accessanalyzer/12.0/config/dellpowerscale/overview.md b/docs/accessanalyzer/12.0/config/dellpowerscale/overview.md index 9987bb9f0e..27cc380ea9 100644 --- a/docs/accessanalyzer/12.0/config/dellpowerscale/overview.md +++ b/docs/accessanalyzer/12.0/config/dellpowerscale/overview.md @@ -24,7 +24,7 @@ these target hosts requires these permissions. See the topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Additional Sensitive Data Discovery Auditing Permission 
@@ -45,12 +45,12 @@ Administration Console. **Step 1 –** Navigate to the **Access** tab, and select **Membership & Roles** for the System Access Zone. -![Groups tab](../../../../../static/img/product_docs/accessanalyzer/config/dellpowerscale/groupstab.webp) +![Groups tab](/img/product_docs/accessanalyzer/config/dellpowerscale/groupstab.webp) **Step 2 –** On the **Groups** tab, set the Providers to **LOCAL: System**. Then select **View / Edit** for the Administrators group. The View Group Details window opens. -![Edit Group window](../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/editgroup.webp) +![Edit Group window](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/editgroup.webp) **Step 3 –** Click **Edit Group** and the Edit Group window opens. Click **Add Members**, and enter the User Name and Provider in the Select a User window. Click **Select**, and then click **Save @@ -67,12 +67,12 @@ Administration Console. **Step 1 –** Navigate to the **Access** tab > **Membership & Roles** for the System Access Zone. -![One FS Dashboard](../../../../../static/img/product_docs/accessanalyzer/config/dellpowerscale/rolestab.webp) +![One FS Dashboard](/img/product_docs/accessanalyzer/config/dellpowerscale/rolestab.webp) **Step 2 –** On the Roles tab, select **View / Edit** for the BackupAdmin role. The View Role Details window opens. -![One FS Role Details Window](../../../../../static/img/product_docs/accessanalyzer/config/dellpowerscale/viewroledetails.webp) +![One FS Role Details Window](/img/product_docs/accessanalyzer/config/dellpowerscale/viewroledetails.webp) **Step 3 –** Click **Edit** role and the Edit role details window opens. 
@@ -135,7 +135,7 @@ be able to mount it. The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -165,7 +165,7 @@ where the activity agent is deployed. EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start. -See the [Dell Isilon/PowerScale Activity Auditing Configuration](activity.md) topic for +See the [Dell Isilon/PowerScale Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/dellpowerscale/activity.md) topic for instructions. Activity Monitor Archive Location @@ -186,7 +186,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Isilon/PowerScale Devices diff --git a/docs/accessanalyzer/12.0/config/dellpowerscale/validate.md b/docs/accessanalyzer/12.0/config/dellpowerscale/validate.md index f6d3693399..94dc815fe5 100644 --- a/docs/accessanalyzer/12.0/config/dellpowerscale/validate.md +++ b/docs/accessanalyzer/12.0/config/dellpowerscale/validate.md 
@@ -19,7 +19,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. @@ -76,7 +76,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/accessanalyzer/12.0/config/dellunity/activity.md b/docs/accessanalyzer/12.0/config/dellunity/activity.md index cb5a13e273..3d4f226473 100644 --- a/docs/accessanalyzer/12.0/config/dellunity/activity.md +++ b/docs/accessanalyzer/12.0/config/dellunity/activity.md @@ -27,7 +27,7 @@ Checklist Item 1: Plan Deployment - [http://support.emc.com](http://support.emc.com/) -Checklist Item 2: [Install Dell CEE](installcee.md) +Checklist Item 2: [Install Dell CEE](/docs/accessanalyzer/12.0/config/dellunity/installcee.md) - Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity agent will be deployed @@ -46,7 +46,7 @@ Checklist Item 3: Dell Unity Device Configuration - Configure initial setup for a Unity device - - [Unity Initial Setup with Unisphere](setupunisphere.md) + - [Unity Initial Setup with Unisphere](/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md) Checklist Item 4: Activity Monitor Configuration 
@@ -64,4 +64,4 @@ agent will be deployed, the following steps are not needed. - Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT. - Ensure the Dell CAVA service and the Dell CEE Monitor service are running. -- See the [Validate Setup](validate.md) topic for instructions. +- See the [Validate Setup](/docs/accessanalyzer/12.0/config/dellunity/validate.md) topic for instructions. diff --git a/docs/accessanalyzer/12.0/config/dellunity/installcee.md b/docs/accessanalyzer/12.0/config/dellunity/installcee.md index a418ec06f8..7454943874 100644 --- a/docs/accessanalyzer/12.0/config/dellunity/installcee.md +++ b/docs/accessanalyzer/12.0/config/dellunity/installcee.md @@ -24,7 +24,7 @@ guide to install and configure the CEE. The installation will add two services t asynchronous bulk delivery (VCAPS) feature. After Dell CEE installation is complete, it is necessary to complete the -[Unity Initial Setup with Unisphere](setupunisphere.md). +[Unity Initial Setup with Unisphere](/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md). ## Configure Dell Registry Key Settings @@ -34,7 +34,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -58,7 +58,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. 
diff --git a/docs/accessanalyzer/12.0/config/dellunity/overview.md b/docs/accessanalyzer/12.0/config/dellunity/overview.md index e7368f4f1b..93bb001984 100644 --- a/docs/accessanalyzer/12.0/config/dellunity/overview.md +++ b/docs/accessanalyzer/12.0/config/dellunity/overview.md @@ -18,12 +18,12 @@ host: These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the -[Dell Unity Access & Sensitive Data Auditing Configuration](access.md) topic for instructions. +[Dell Unity Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/dellunity/access.md) topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Troubleshooting Dell Unity Denied Access Errors @@ -40,7 +40,7 @@ website. The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions 
@@ -70,7 +70,7 @@ where the activity agent is deployed. EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start. -See the [Dell Unity Activity Auditing Configuration](activity.md) topic for instructions. +See the [Dell Unity Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/dellunity/activity.md) topic for instructions. Activity Monitor Archive Location @@ -90,7 +90,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Dell Unity Devices diff --git a/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md b/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md index 719a101860..4f6c53a7c7 100644 --- a/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md +++ b/docs/accessanalyzer/12.0/config/dellunity/setupunisphere.md 
@@ -10,11 +10,11 @@ Follow the steps to configure the initial setup for a Unity device with Unispher Required Unity events needed for CIFS Activity: -![NAM Required Events For CIFS](../../../../../static/img/product_docs/activitymonitor/config/dellunity/eventscifs.webp) +![NAM Required Events For CIFS](/img/product_docs/activitymonitor/config/dellunity/eventscifs.webp) Required Unity events needed for NFS Activity: -![NAM Required Events For NFS](../../../../../static/img/product_docs/activitymonitor/config/dellunity/eventsnfs.webp) +![NAM Required Events For NFS](/img/product_docs/activitymonitor/config/dellunity/eventsnfs.webp) **Step 2 –** Enable Events Publishing: diff --git a/docs/accessanalyzer/12.0/config/dellunity/validate.md b/docs/accessanalyzer/12.0/config/dellunity/validate.md index 027357560b..ab3dc81383 100644 --- a/docs/accessanalyzer/12.0/config/dellunity/validate.md +++ b/docs/accessanalyzer/12.0/config/dellunity/validate.md @@ -6,7 +6,7 @@ configuration must be validated to ensure events are being monitored. ## Validate CEE Registry Key Settings **NOTE:** See the -[Configure Dell Registry Key Settings](../dellcelerravnx/installcee.md#configure-dell-registry-key-settings) +[Configure Dell Registry Key Settings](/docs/accessanalyzer/12.0/config/dellcelerravnx/installcee.md#configure-dell-registry-key-settings) topic for information on manually setting the registry key. After the Activity Monitor activity agent has been configured to monitor the Dell device, it will @@ -23,7 +23,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. 
@@ -80,7 +80,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/accessanalyzer/12.0/config/entraid/access.md b/docs/accessanalyzer/12.0/config/entraid/access.md index 7b10a86ef5..dec6b93a7f 100644 --- a/docs/accessanalyzer/12.0/config/entraid/access.md +++ b/docs/accessanalyzer/12.0/config/entraid/access.md @@ -10,7 +10,7 @@ Microsoft Entra ID. Data Collector -- [AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/overview.md) +- [AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md) Configuration Settings from the Registered Application @@ -115,7 +115,7 @@ Access Analyzer need to be collected. **NOTE:** Additional permissions need to be configured to collect Microsoft Entra roles information. See the -[Microsoft Entra Roles Auditing Configuration](../../requirements/solutions/entraid/entraroles.md) +[Microsoft Entra Roles Auditing Configuration](/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md) topic for additional information. ## Identify the Client ID 
@@ -136,9 +136,9 @@ list. This Application (client) ID value is needed for the Access Analyzer Connection Profile and the Custom Attributes page of the AzureADInventory Data Collector. See the -[Azure Active Directory for User Credentials](../../admin/settings/connection/profile/entraid.md) +[Azure Active Directory for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md) topic and the -[AzureADInventory: Custom Attributes](../../admin/datacollector/azureadinventory/customattributes.md) +[AzureADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md) topic for additional information. Next generate the application’s Client Secret Key. ## Generate the Client Secret Key @@ -181,9 +181,9 @@ Copy to clipboard button to copy the Client Secret. This Client Secret value is needed for the Access Analyzer Connection Profile and the Custom Attributes page of the AzureADInventory Data Collector. See the -[Azure Active Directory for User Credentials](../../admin/settings/connection/profile/entraid.md) +[Azure Active Directory for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md) topic and the -[AzureADInventory: Custom Attributes](../../admin/datacollector/azureadinventory/customattributes.md) +[AzureADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md) topic for additional information. ## Identify the Tenant Name 
@@ -205,6 +205,6 @@ names** to open the Custom domain names list. This is needed for the Host List and the Custom Attributes page of the AzureADInventory Data Collector. See the -[Microsoft Entra ID Connection Profile & Host List](../../admin/datacollector/azureadinventory/configurejob.md) -and [AzureADInventory: Custom Attributes](../../admin/datacollector/azureadinventory/customattributes.md) +[Microsoft Entra ID Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md) +and [AzureADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/customattributes.md) topics for additional information. diff --git a/docs/accessanalyzer/12.0/config/entraid/overview.md b/docs/accessanalyzer/12.0/config/entraid/overview.md index 66c532fe41..21b54fe91b 100644 --- a/docs/accessanalyzer/12.0/config/entraid/overview.md +++ b/docs/accessanalyzer/12.0/config/entraid/overview.md @@ -10,7 +10,7 @@ in order for Access Analyzer to scan the environment. This generates the Client (App Key) needed for the Connection Profile credentials and the Custom Attributes Import Wizard page. -See the [Microsoft Entra ID Auditing Configuration](access.md) topic for additional information. +See the [Microsoft Entra ID Auditing Configuration](/docs/accessanalyzer/12.0/config/entraid/access.md) topic for additional information. ## Entra Roles Permissions @@ -19,7 +19,7 @@ are required to be assigned to the registered application. This includes creatin the required resource manager permissions. See the -[Microsoft Entra Roles Auditing Configuration](../../requirements/solutions/entraid/entraroles.md) +[Microsoft Entra Roles Auditing Configuration](/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md) topic for additional information. ## Auditing Port Requirements 
diff --git a/docs/accessanalyzer/12.0/config/exchangeonline/access.md b/docs/accessanalyzer/12.0/config/exchangeonline/access.md index 78effe61f0..01dc3e86be 100644 --- a/docs/accessanalyzer/12.0/config/exchangeonline/access.md +++ b/docs/accessanalyzer/12.0/config/exchangeonline/access.md @@ -62,7 +62,7 @@ configure modern authentication for Exchange Online. It requires: ``` See the -[EX_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/ex_registerazureappauth.md) +[EX_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/ex_registerazureappauth.md) topic for additional information. ## Prerequisites @@ -203,7 +203,7 @@ Optionally add a Description. The Certificate Thumbprint of this uploaded certificate is needed for the Access Analyzer Connection Profile. See the -[Exchange Modern Authentication for User Credentials](../../admin/settings/connection/profile/exchangemodernauth.md) +[Exchange Modern Authentication for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md) topic for additional information. ## Grant Permissions to the Registered Application @@ -258,7 +258,7 @@ names** to open the Custom domain names list. **Step 4 –** Save this value in a text file. This is needed for the Access Analyzer Connection Profile. See the -[Exchange Modern Authentication for User Credentials](../../admin/settings/connection/profile/exchangemodernauth.md) +[Exchange Modern Authentication for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md) topic for additional information. Next identify the application’s Client ID. ## Identify the Client ID 
@@ -278,5 +278,5 @@ list. **Step 3 –** Save this value in a text file. This is needed for the Access Analyzer Connection Profile. See the -[Exchange Modern Authentication for User Credentials](../../admin/settings/connection/profile/exchangemodernauth.md) +[Exchange Modern Authentication for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/exchangemodernauth.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/hitachi/activity.md b/docs/accessanalyzer/12.0/config/hitachi/activity.md index 0a4bcc55b4..d1c6d073cd 100644 --- a/docs/accessanalyzer/12.0/config/hitachi/activity.md +++ b/docs/accessanalyzer/12.0/config/hitachi/activity.md @@ -42,10 +42,10 @@ Configuration Checklist Complete the following checklist prior to configuring activity monitoring of Hitachi devices. Instructions for each item of the checklist are detailed within the following topics. -Checklist Item 1: [Configure Audit Logs on HNAS](configurelogs.md) +Checklist Item 1: [Configure Audit Logs on HNAS](/docs/accessanalyzer/12.0/config/hitachi/configurelogs.md) Checklist Item 2: -[Configure Access to HNAS Audit Logs on Activity Agent Server](configureaccesstologs.md) +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/accessanalyzer/12.0/config/hitachi/configureaccesstologs.md) Checklist Item 3: Activity Monitor Configuration diff --git a/docs/accessanalyzer/12.0/config/hitachi/configurelogs.md b/docs/accessanalyzer/12.0/config/hitachi/configurelogs.md index 6ab144ed1a..be826a50dc 100644 --- a/docs/accessanalyzer/12.0/config/hitachi/configurelogs.md +++ b/docs/accessanalyzer/12.0/config/hitachi/configurelogs.md 
@@ -29,5 +29,5 @@ not support the Wrap policy. Click OK to close. Once access has been configured on the Hitachi device, it is necessary to configure access to the HNAS audit logs on the Windows server. See the -[Configure Access to HNAS Audit Logs on Activity Agent Server](configureaccesstologs.md) topic for +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/accessanalyzer/12.0/config/hitachi/configureaccesstologs.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/hitachi/overview.md b/docs/accessanalyzer/12.0/config/hitachi/overview.md index 2c81bbef59..54bd396e08 100644 --- a/docs/accessanalyzer/12.0/config/hitachi/overview.md +++ b/docs/accessanalyzer/12.0/config/hitachi/overview.md @@ -18,14 +18,14 @@ used within the assigned Connection Profile for these target hosts requires thes **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions 
@@ -58,7 +58,7 @@ activity must be provisioned with: - Capability of enabling a File System Audit Policy on the Hitachi device - Audit rights to the Hitachi log directory -See the [Hitachi Activity Auditing Configuration](activity.md) topic for instructions. +See the [Hitachi Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/hitachi/activity.md) topic for instructions. Activity Monitor Archive Location @@ -78,7 +78,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor diff --git a/docs/accessanalyzer/12.0/config/nasuni/overview.md b/docs/accessanalyzer/12.0/config/nasuni/overview.md index d54131e4a1..90c1ccda8a 100644 --- a/docs/accessanalyzer/12.0/config/nasuni/overview.md +++ b/docs/accessanalyzer/12.0/config/nasuni/overview.md 
@@ -15,20 +15,20 @@ host: This is in addition to the API Key Name and Passcode which must be generated for each on-premise Nasuni Edge Appliance and cloud filer. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the -[Nasuni Edge Appliance Access & Sensitive Data Auditing Configuration](access.md) topic for +[Nasuni Edge Appliance Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/nasuni/access.md) topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -51,7 +51,7 @@ Analyzer to read the activity log files must have also have this permission. Nasuni Edge Appliance Requirements Additionally, it is necessary to generate an API Access Key for Nasuni activity monitoring. See the -[Nasuni Edge Appliance Activity Auditing Configuration](activity.md) topic for instructions. +[Nasuni Edge Appliance Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/nasuni/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -71,7 +71,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Nasuni Edge Appliance diff --git a/docs/accessanalyzer/12.0/config/netapp7mode/access.md b/docs/accessanalyzer/12.0/config/netapp7mode/access.md index 96e6165c9e..5664691509 100644 --- a/docs/accessanalyzer/12.0/config/netapp7mode/access.md +++ b/docs/accessanalyzer/12.0/config/netapp7mode/access.md @@ -46,10 +46,10 @@ built-in Power User group, even when stripped of all roles, still has more file capabilities than any other non-built-in group. If only running the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, proceed -to the [Provision Account](provisionaccess.md) topic for instructions. If also running Activity +to the [Provision Account](/docs/accessanalyzer/12.0/config/netapp7mode/provisionaccess.md) topic for instructions. If also running Activity Auditing (FSAC) scan, then the FPolicy Account Provisioned for the Netwrix Activity Monitor will meet the needs of the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans. Proceed -to the [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](activity.md) topic for +to the [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/netapp7mode/activity.md) topic for instructions. This credential is used within the Connection Profile assigned to the File System scans. 
diff --git a/docs/accessanalyzer/12.0/config/netapp7mode/activity.md b/docs/accessanalyzer/12.0/config/netapp7mode/activity.md index 32951747c6..f9ff5a5099 100644 --- a/docs/accessanalyzer/12.0/config/netapp7mode/activity.md +++ b/docs/accessanalyzer/12.0/config/netapp7mode/activity.md @@ -33,7 +33,7 @@ Checklist Item 1: Plan Deployment - Names of the vFiler™(s) to be monitored - DNS name of the CIFS shares(s) to be monitored -Checklist Item 2: [Provision FPolicy Account](provisionactivity.md) +Checklist Item 2: [Provision FPolicy Account](/docs/accessanalyzer/12.0/config/netapp7mode/provisionactivity.md) - Group membership with a role granting access to the following commands: @@ -71,9 +71,9 @@ Checklist Item 3: Firewall Configuration - TCP 135 - TCP 445 - Dynamic port range: TCP/UDP 137-139 -- See the [Enable HTTP or HTTPS](enablehttp.md) topic for instructions. +- See the [Enable HTTP or HTTPS](/docs/accessanalyzer/12.0/config/netapp7mode/enablehttp.md) topic for instructions. -Checklist Item 4: [Configure FPolicy](configurefpolicy.md) +Checklist Item 4: [Configure FPolicy](/docs/accessanalyzer/12.0/config/netapp7mode/configurefpolicy.md) - If using vFilers: diff --git a/docs/accessanalyzer/12.0/config/netapp7mode/configurefpolicy.md b/docs/accessanalyzer/12.0/config/netapp7mode/configurefpolicy.md index d5e60e9644..86d207021b 100644 --- a/docs/accessanalyzer/12.0/config/netapp7mode/configurefpolicy.md +++ b/docs/accessanalyzer/12.0/config/netapp7mode/configurefpolicy.md 
@@ -154,7 +154,7 @@ IMPORTANT: - The Activity Monitor must register with the NetApp device as an FPolicy server. By default, it looks for a policy named `StealthAUDIT`. See the - [Customize FPolicy Policy Name](customizefpolicy.md) section for information on using a different + [Customize FPolicy Policy Name](/docs/accessanalyzer/12.0/config/netapp7mode/customizefpolicy.md) section for information on using a different policy name. Use the following command to enable the FPolicy to monitor disconnected sessions: diff --git a/docs/accessanalyzer/12.0/config/netapp7mode/overview.md b/docs/accessanalyzer/12.0/config/netapp7mode/overview.md index f1aa30ed06..20a9cd1789 100644 --- a/docs/accessanalyzer/12.0/config/netapp7mode/overview.md +++ b/docs/accessanalyzer/12.0/config/netapp7mode/overview.md 
@@ -17,20 +17,20 @@ host: These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the -[NetApp Data ONTAP 7-Mode Access & Sensitive Data Auditing Configuration](access.md) topic for +[NetApp Data ONTAP 7-Mode Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/netapp7mode/access.md) topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -86,7 +86,7 @@ The credential must also have the following permissions on the target device: - ONTAP Power Users - ONTAP Backup Operators -See the [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](activity.md) topic for +See the [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/netapp7mode/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -107,7 +107,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for NetApp Data ONTAP 7-Mode Device diff --git a/docs/accessanalyzer/12.0/config/netappcmode/access.md b/docs/accessanalyzer/12.0/config/netappcmode/access.md index 4a909bbe1d..2f28cf72ec 100644 --- a/docs/accessanalyzer/12.0/config/netappcmode/access.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/access.md @@ -8,7 +8,7 @@ Configuring access to CIFS shares using FPolicy and ONTAP API for Access Anal following: - Configure Data LIF to Allow HTTPS Traffic -- [Configure Empty FPolicy](configureemptyfpolicy.md) +- [Configure Empty FPolicy](/docs/accessanalyzer/12.0/config/netappcmode/configureemptyfpolicy.md) See the [CIFS Method 2 Credential Configuration](#cifs-method-2-credential-configuration) topic for an alternative method. @@ -109,7 +109,7 @@ vserver cifs share access-control show -share c$ The output will list each SVM's ACL for its c$ share. For example: -![ONTAP CLI Command Output Example](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/accesscifsmethod2.webp) +![ONTAP CLI Command Output Example](/img/product_docs/accessanalyzer/config/netappcmode/accesscifsmethod2.webp) If the desired ACE does not exist on an SVM's c$ share, then one can be created with the following command: diff --git a/docs/accessanalyzer/12.0/config/netappcmode/activity.md b/docs/accessanalyzer/12.0/config/netappcmode/activity.md index 68529bd49a..1932c7095d 100644 
--- a/docs/accessanalyzer/12.0/config/netappcmode/activity.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/activity.md @@ -99,7 +99,7 @@ bursts of activity events. It uses a dedicated volume for each SVM as a staging buffer before the events are sent to Activity Monitor Agent. -Checklist Item 2: [Provision ONTAP Account](provisionactivity.md) +Checklist Item 2: [Provision ONTAP Account](/docs/accessanalyzer/12.0/config/netappcmode/provisionactivity.md) - Permission names depend on the API used, ONTAPI/ZAPI or REST API. - The case of domain and username created during the account provisioning process must match exactly @@ -169,7 +169,7 @@ Checklist Item 2: [Provision ONTAP Account](provisionactivity.md) - `security login role show-ontapi` – Readonly access -Checklist Item 3: [Configure Network](configurefirewall.md) +Checklist Item 3: [Configure Network](/docs/accessanalyzer/12.0/config/netappcmode/configurefirewall.md) - Agent must be able to connect to ONTAP API via a management LIF on ports HTTP (80) or HTTPS (443) @@ -184,7 +184,7 @@ Checklist Item 3: [Configure Network](configurefirewall.md) - Each data serving node should have its own LIF with the `data-fpolicy-client` service. - The default port 9999 can be changed in the agent's settings. -Checklist Item 4: [Configure FPolicy](configurefpolicy.md) +Checklist Item 4: [Configure FPolicy](/docs/accessanalyzer/12.0/config/netappcmode/configurefpolicy.md) - Remember: all FPolicy objects and SVM names are case sensitive. - FPolicy must be configured for each SVM to be monitored. diff --git a/docs/accessanalyzer/12.0/config/netappcmode/configureemptyfpolicy.md b/docs/accessanalyzer/12.0/config/netappcmode/configureemptyfpolicy.md index 3ea0a918fd..e2f3adef1f 100644 --- a/docs/accessanalyzer/12.0/config/netappcmode/configureemptyfpolicy.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/configureemptyfpolicy.md 
@@ -137,7 +137,7 @@ security login show example\user1 Verify that the output is displayed as follows: -![validatesecuritylogincreation](../../../../../static/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) +![validatesecuritylogincreation](/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) Relevant NetApp Documentation: To learn more about creating security logins, please visit the NetApp website and read the @@ -191,7 +191,7 @@ fpolicy policy external-engine show ‑instance Verify that the output is displayed as follows: -![validateexternalenginecreation](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/validateexternalenginecreation.webp) +![validateexternalenginecreation](/img/product_docs/accessanalyzer/config/netappcmode/validateexternalenginecreation.webp) Relevant NetApp Documentation: To learn more about creating an external engine, please visit the NetApp website and read the @@ -236,7 +236,7 @@ fpolicy policy event show ‑event-name StealthAUDITScreening‑instance Verify that the output is displayed as follows: -![validatefpolciyeventcreation](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/validatefpolciyeventcreation.webp) +![validatefpolciyeventcreation](/img/product_docs/accessanalyzer/config/netappcmode/validatefpolciyeventcreation.webp) Relevant NetApp Documentation: To learn more about creating an event, please visit the NetApp website and read the 
@@ -287,7 +287,7 @@ Run the following command to validate the creation of the FPolicy policy: fpolicy policy show ‑instance ``` -![validatefpolicypolicycreation](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicypolicycreation.webp) +![validatefpolicypolicycreation](/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicypolicycreation.webp) Relevant NetApp Documentation: To learn more about creating a policy, please visit the NetApp website and read the @@ -337,7 +337,7 @@ Run the following command to validate the FPolicy scope creation: fpolicy policy scope show ‑instance ``` -![validatefpolicyscopecreation](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicyscopecreation.webp) +![validatefpolicyscopecreation](/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicyscopecreation.webp) Relevant NetApp Documentation: To learn more about creating scope, please visit the NetApp website and read the @@ -374,7 +374,7 @@ Run the following command to validate the FPolicy scope creation: vserver fpolicy show ``` -![validatefpolicyenabled](../../../../../static/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicyenabled.webp) +![validatefpolicyenabled](/img/product_docs/accessanalyzer/config/netappcmode/validatefpolicyenabled.webp) Relevant NetApp Documentation: To learn more about enabling a policy, please visit the NetApp website and read the diff --git a/docs/accessanalyzer/12.0/config/netappcmode/configurefirewall.md b/docs/accessanalyzer/12.0/config/netappcmode/configurefirewall.md index cf3f498d0e..34027fecdf 100644 --- a/docs/accessanalyzer/12.0/config/netappcmode/configurefirewall.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/configurefirewall.md 
@@ -137,7 +137,7 @@ system services firewall policy show ‑policy enterpriseauditorfirewall ‑serv Verify that the output is displayed as follows: -![validatefirewall](../../../../../static/img/product_docs/activitymonitor/config/netappcmode/validatefirewall.webp) +![validatefirewall](/img/product_docs/activitymonitor/config/netappcmode/validatefirewall.webp) ## FPolicy diff --git a/docs/accessanalyzer/12.0/config/netappcmode/overview.md b/docs/accessanalyzer/12.0/config/netappcmode/overview.md index ce6a7f27ae..39eb2beb52 100644 --- a/docs/accessanalyzer/12.0/config/netappcmode/overview.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/overview.md 
@@ -31,20 +31,20 @@ host: These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the -[NetApp Data ONTAP Cluster-Mode Access & Sensitive Data Auditing Configuration](access.md) topic for +[NetApp Data ONTAP Cluster-Mode Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/netappcmode/access.md) topic for instructions. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -103,7 +103,7 @@ following CLI commands, according to the level of collection desired: - `security login role show-ontapi` – Readonly access -See the [NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](activity.md) topic for +See the [NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/netappcmode/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -124,7 +124,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for NetApp Data ONTAP Cluster-Mode Device diff --git a/docs/accessanalyzer/12.0/config/netappcmode/provisionactivity.md b/docs/accessanalyzer/12.0/config/netappcmode/provisionactivity.md index 9c805d4e50..48b473c27f 100644 --- a/docs/accessanalyzer/12.0/config/netappcmode/provisionactivity.md +++ b/docs/accessanalyzer/12.0/config/netappcmode/provisionactivity.md @@ -99,7 +99,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" ``` **NOTE:** If the FPolicy account is configured with these permissions, it is necessary to manually -configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for additional +configure the FPolicy. See the [Configure FPolicy](/docs/accessanalyzer/12.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Less Privileged: Enable/Connect FPolicy & Collect Events @@ -182,7 +182,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/protocols ``` **NOTE:** If the FPolicy account is configured with these permissions, it is necessary to manually -configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for additional +configure the FPolicy. See the [Configure FPolicy](/docs/accessanalyzer/12.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Automatically Configure the FPolicy 
@@ -262,7 +262,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/security/ ``` **NOTE:** If the FPolicy account is configured with these permissions, the Activity Monitor can -automatically configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for +automatically configure the FPolicy. See the [Configure FPolicy](/docs/accessanalyzer/12.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Access Analyzer Integration @@ -361,7 +361,7 @@ security login show example\user1 Verify that the output is displayed as follows: -![validatesecuritylogincreation](../../../../../static/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) +![validatesecuritylogincreation](/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) For more information about creating security logins, read the [security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html) diff --git a/docs/accessanalyzer/12.0/config/nutanix/access.md b/docs/accessanalyzer/12.0/config/nutanix/access.md index f3b26e309d..40b7f624f0 100644 --- a/docs/accessanalyzer/12.0/config/nutanix/access.md +++ b/docs/accessanalyzer/12.0/config/nutanix/access.md @@ -14,7 +14,7 @@ Follow the steps to configure the required account in the Nutanix Prism Central **Step 3 –** On the new files URL page, locate the **Configuration** dropdown and select **Manage Roles**. -![Nutanix Backup Admin: Backup Access only role](../../../../../static/img/product_docs/accessanalyzer/config/nutanix/nutanixbackupadminrole.webp) +![Nutanix Backup Admin: Backup Access only role](/img/product_docs/accessanalyzer/config/nutanix/nutanixbackupadminrole.webp) **Step 4 –** On the Manage Roles window, add an account with the **Backup Admin: Backup Access only** role. 
diff --git a/docs/accessanalyzer/12.0/config/nutanix/activity.md b/docs/accessanalyzer/12.0/config/nutanix/activity.md index 98272fce6f..ee1dc3d5d7 100644 --- a/docs/accessanalyzer/12.0/config/nutanix/activity.md +++ b/docs/accessanalyzer/12.0/config/nutanix/activity.md @@ -18,7 +18,7 @@ audit. **Step 4 –** In the Manage roles dialog box locate the REST API access user section and click **+New user**. -![Manage Roles - File Server](../../../../../static/img/product_docs/activitymonitor/config/nutanix/activitynutanix.webp) +![Manage Roles - File Server](/img/product_docs/activitymonitor/config/nutanix/activitynutanix.webp) **Step 5 –** Enter local user account name and password, then click **Save** to save the settings. diff --git a/docs/accessanalyzer/12.0/config/nutanix/overview.md b/docs/accessanalyzer/12.0/config/nutanix/overview.md index 9cf7987ebd..9da78402e9 100644 --- a/docs/accessanalyzer/12.0/config/nutanix/overview.md +++ b/docs/accessanalyzer/12.0/config/nutanix/overview.md 
@@ -12,26 +12,26 @@ host: - Group membership in the role **Backup Admin: Backup Access Only** -See the [Nutanix Appliance Access & Sensitive Data Auditing Configuration](access.md) topic for +See the [Nutanix Appliance Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/nutanix/access.md) topic for additional information. **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions The Netwrix Activity Monitor can be configured to monitor activity on Nutanix devices. See the -[Nutanix Files Activity Auditing Configuration](activity.md) topic for instructions. +[Nutanix Files Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/nutanix/activity.md) topic for instructions. ## Activity Auditing Port Requirements 
@@ -45,7 +45,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Nutanix Appliances diff --git a/docs/accessanalyzer/12.0/config/qumulo/overview.md b/docs/accessanalyzer/12.0/config/qumulo/overview.md index c7d3935194..106bf250b4 100644 --- a/docs/accessanalyzer/12.0/config/qumulo/overview.md +++ b/docs/accessanalyzer/12.0/config/qumulo/overview.md 
@@ -15,20 +15,20 @@ host: **NOTE:** These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions Netwrix Activity Monitor requires an account with the Observers role to monitor a Qumulo cluster. -See the [Qumulo Activity Auditing Configuration](activity.md) topic for instructions. +See the [Qumulo Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/qumulo/activity.md) topic for instructions. ## Activity Auditing Port Requirements @@ -42,7 +42,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Qumulo Devices 
diff --git a/docs/accessanalyzer/12.0/config/sharepoint/overview.md b/docs/accessanalyzer/12.0/config/sharepoint/overview.md index 7c0c98d4e9..e0b5d57058 100644 --- a/docs/accessanalyzer/12.0/config/sharepoint/overview.md +++ b/docs/accessanalyzer/12.0/config/sharepoint/overview.md @@ -8,16 +8,16 @@ Analyzer Activity Auditing (SPAC) scans. ## Access & Sensitive Data Auditing Permissions - Permissions vary based on the Scan Mode selected and target environment. See the - [SharePoint Support](../../requirements/target/sharepoint.md) topic for + [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topic for additional information. -See the [SharePoint Access & Sensitive Data Auditing Configuration](access.md) topic for +See the [SharePoint Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/sharepoint/access.md) topic for instructions. ## Access & Sensitive Data Auditing Port Requirements - Ports vary based on the Scan Mode selected and target environment. See the - [SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) + [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -39,7 +39,7 @@ Analyzer to read the activity log files must have also have this permission. SharePoint Requirements -See the [SharePoint On-Premise Activity Auditing Configuration](activity.md) topic for instructions. +See the [SharePoint On-Premise Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/sharepoint/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -59,7 +59,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor diff --git a/docs/accessanalyzer/12.0/config/sharepointonline/access.md b/docs/accessanalyzer/12.0/config/sharepointonline/access.md index e0a2beefc5..af96c6c995 100644 --- a/docs/accessanalyzer/12.0/config/sharepointonline/access.md +++ b/docs/accessanalyzer/12.0/config/sharepointonline/access.md @@ -33,7 +33,7 @@ configure modern authentication for SharePoint Online. It requires: - Microsoft Graph API PowerShell module to be installed on targeted hosts See the -[SP_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/sp_registerazureappauth.md) +[SP_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_registerazureappauth.md) topic for additional information. ## Permissions @@ -294,5 +294,5 @@ list. **Step 3 –** Save this value in a text file. This is needed for the Access Analyzer Connection Profile. See the -[Azure Active Directory for User Credentials](../../admin/settings/connection/profile/entraid.md) +[Azure Active Directory for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/entraid.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/sharepointonline/overview.md b/docs/accessanalyzer/12.0/config/sharepointonline/overview.md index 2b6ff76fa4..12fca7a779 100644 --- a/docs/accessanalyzer/12.0/config/sharepointonline/overview.md 
+++ b/docs/accessanalyzer/12.0/config/sharepointonline/overview.md @@ -8,22 +8,22 @@ Analyzer Activity Auditing (SPAC) scans. ## Access & Sensitive Data Auditing Permissions - Permissions vary based on the Scan Mode selected and target environment. See the - [SharePoint Support](../../requirements/target/sharepoint.md) topic for + [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topic for additional information. -See the [SharePoint Online Access & Sensitive Data Auditing Configuration](access.md) topic for +See the [SharePoint Online Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/sharepointonline/access.md) topic for instructions. **NOTE:** You can use the **SP_RegisterAzureAppAuth** instant job to make the configuration for SharePoint Online easier. This job registers the necessary Microsoft Entra ID application and provisions it with the required permissions. See the -[SP_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/sp_registerazureappauth.md) +[SP_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_registerazureappauth.md) topic for additional information. ## Access & Sensitive Data Auditing Port Requirements - Ports vary based on the Scan Mode selected and target environment. See the - [SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) + [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. ## Activity Auditing Permissions @@ -45,7 +45,7 @@ Analyzer to read the activity log files must have also have this permission. SharePoint Requirements -See the [SharePoint Online Activity Auditing Configuration](activity.md) topic for instructions. +See the [SharePoint Online Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/sharepointonline/activity.md) topic for instructions. Activity Monitor Archive Location 
@@ -65,7 +65,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor diff --git a/docs/accessanalyzer/12.0/config/windowsfile/access.md b/docs/accessanalyzer/12.0/config/windowsfile/access.md index f99d1794cc..c746a8aab1 100644 --- a/docs/accessanalyzer/12.0/config/windowsfile/access.md +++ b/docs/accessanalyzer/12.0/config/windowsfile/access.md @@ -3,7 +3,7 @@ Permissions required for Access Analyzer to execute Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing scans on a Windows file server are dependent upon the Scan Mode Option selected. See the -[File System Supported Platforms](../../requirements/target/filesystems.md) topic +[File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. However, additional considerations are needed when targeting a Windows File System Clusters or DFS 
@@ -21,15 +21,15 @@ Configure credentials on all cluster nodes according to the Windows Operating Sy permissions for the desired scan mode with these additional considerations: - For - [Applet Mode](../../requirements/solutions/filesystem/scanoptions.md#applet-mode) + [Applet Mode](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md#applet-mode) and - [Proxy Mode with Applet](../../requirements/solutions/filesystem/scanoptions.md#proxy-mode-with-applet): + [Proxy Mode with Applet](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md#proxy-mode-with-applet): - Applet will be deployed to each node - Credential used in the Connection Profile must have rights to deploy the applet to each node - For - [Proxy Mode as a Service](../../requirements/solutions/filesystem/scanoptions.md#proxy-mode-as-a-service): + [Proxy Mode as a Service](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md#proxy-mode-as-a-service): - Proxy Service must be installed on each node - For Sensitive Data Discovery Auditing scans, the Sensitive Data Discovery Add-on must be @@ -53,7 +53,7 @@ host entries must have the name of the cluster in the `WinCluster` column in the data. This may need to be updated manually. See the View/Edit section of the -[Host Management Activities](../../admin/hostmanagement/actions/overview.md) topic +[Host Management Activities](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md) topic for additional information on host inventory. - For FSAA and SDD scans, configure a custom host list to target the cluster's Role Server. 
@@ -82,7 +82,7 @@ Activity Auditing Scans The Netwrix Activity Monitor must deploy an Activity Agent on all nodes that comprise the Windows File System Cluster. The Activity Agent generates activity log files stored on each node. Access Analyzer targets the Windows File Server Cluster (name of the cluster) of interest in order to read -the activity. See the [Windows File Server Activity Auditing Configuration](activity.md) topic for +the activity. See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/activity.md) topic for additional information. The credential used Access Analyzer to read the activity log files must have: @@ -90,9 +90,9 @@ The credential used Access Analyzer to read the activity log files must have: - Membership in the local Administrators group The FileSystemAccess Data Collector needs to be specially configured to run the -[1-FSAC System Scans Job](../../solutions/filesystem/collection/1-fsac_system_scans.md) +[1-FSAC System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md) against a Windows File System Cluster. On the -[FSAA: Activity Settings](../../admin/datacollector/fsaa/activitysettings.md), +[FSAA: Activity Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md), configure the Host Mapping option. This provides a method for mapping between the target host and the hosts where activity logs reside. However, this feature requires **advanced SQL scripting knowledge** to build the query. 
@@ -128,4 +128,4 @@ DFS and Activity Auditing Consideration For activity monitoring, the Netwrix Activity Monitor must have a deployed Activity Agent on all DFS servers identified by the 0-FSDFS System Scans Job and populated into the dynamic host list. See the -[Windows File Server Activity Auditing Configuration](activity.md) topic for additional information. +[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/activity.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/config/windowsfile/overview.md b/docs/accessanalyzer/12.0/config/windowsfile/overview.md index ec28dfc6b9..ffed99f7d6 100644 --- a/docs/accessanalyzer/12.0/config/windowsfile/overview.md +++ b/docs/accessanalyzer/12.0/config/windowsfile/overview.md 
@@ -8,24 +8,24 @@ Analyzer Activity Auditing (FSAC) scans. ## Access & Sensitive Data Auditing Permissions - Permissions vary based on the Scan Mode Option selected. See the - [File System Supported Platforms](../../requirements/target/filesystems.md) + [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. Windows File System Cluster Requirements -See the [Windows File Server Access & Sensitive Data Auditing Configuration](access.md) topic for +See the [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/access.md) topic for instructions. Windows File System DFS Namespaces Requirements -See the [Windows File Server Access & Sensitive Data Auditing Configuration](access.md) topic for +See the [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/access.md) topic for instructions. ## Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. ## Activity Auditing Permissions 
@@ -47,11 +47,11 @@ Analyzer to read the activity log files must have also have this permission. Windows File System Cluster Requirements -See the [Windows File Server Activity Auditing Configuration](activity.md) topic for instructions. +See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/activity.md) topic for instructions. Windows File System DFS Namespaces Requirements -See the [Windows File Server Activity Auditing Configuration](activity.md) topic for instructions. +See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/windowsfile/activity.md) topic for instructions. Activity Monitor Archive Location @@ -71,7 +71,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor diff --git a/docs/accessanalyzer/12.0/gettingstarted.md b/docs/accessanalyzer/12.0/gettingstarted.md index a40ddbd1a6..67bf521948 100644 --- a/docs/accessanalyzer/12.0/gettingstarted.md +++ b/docs/accessanalyzer/12.0/gettingstarted.md 
@@ -2,7 +2,7 @@ Once Access Analyzer is installed, the following workflow will quickly enable users to begin auditing the organization’s IT infrastructure. See the -[Navigating the Console](admin/navigate/overview.md) topic for additional information and data grid +[Navigating the Console](/docs/accessanalyzer/12.0/admin/navigate/overview.md) topic for additional information and data grid functionality. ## Initial Configuration During First Launch @@ -17,19 +17,19 @@ several key global settings: Analyzer database - Option to either create a new database or point to an existing database - If using Windows Authentication, the Schedule node must be configured also - - See the [Storage](admin/settings/storage/overview.md) topic for additional information + - See the [Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) topic for additional information - Schedule - Only appears if the Storage Profile is configured to use Windows Authentication - If the Storage Profile is configured to use SQL Authentication, the setting is configured later - - See the [Schedule](admin/settings/schedule.md) topic for additional information + - See the [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) topic for additional information - Instant Job - Install the pre-configured solutions for which the organization is licensed - - See the [Instant Job Wizard](admin/jobs/instantjobs/overview.md) topic for additional + - See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information ## Global Settings Configured 
@@ -38,40 +38,40 @@ The global Settings have an overall impact on the running of Access Analyzer job through the Settings node at the top of the Navigation pane. The following global Settings require configuration from the start: -- [Connection](admin/settings/connection/overview.md) – Configure the Default Connection Profile and +- [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) – Configure the Default Connection Profile and additional Connection Profiles as needed for intended data collection -- [Schedule](admin/settings/schedule.md) – Configure the Default Scheduled Service Account for +- [Schedule](/docs/accessanalyzer/12.0/admin/settings/schedule.md) – Configure the Default Scheduled Service Account for scheduling Access Analyzer job execution, if not configured via the initial configuration wizard -- [Notification](admin/settings/notification.md) – Configure an SMTP server for Access Analyzer to +- [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) – Configure an SMTP server for Access Analyzer to use for sending email notifications The other global Settings provide additional options for impacting how Access Analyzer functions: -- [Access](admin/settings/access/overview.md) – Enable and configure Role Based Access for a least +- [Access](/docs/accessanalyzer/12.0/admin/settings/access/overview.md) – Enable and configure Role Based Access for a least privileged application of Access Analyzer and report viewing or the enable the REST API **NOTE:** If Role Based Access is enabled by accident, contact [Netwrix Support](https://www.netwrix.com/support.html) for assistance in disabling it. 
-- [Application](admin/settings/application/overview.md) – Configure additional settings not included +- [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) – Configure additional settings not included in the other nodes -- [Exchange](admin/settings/exchange.md) – Configure Microsoft® Exchange Server connections +- [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) – Configure Microsoft® Exchange Server connections **CAUTION:** Do not configure data retention at the global level without ensuring History is supported by ALL solutions to be run. -- [History](admin/settings/history.md) – Configure data retention and log retention settings -- [Host Discovery](admin/settings/hostdiscovery.md) – Configure Host Discovery task settings -- [Host Inventory](admin/settings/hostinventory.md) – Configure Host Inventory settings -- [Reporting](admin/settings/reporting.md) – Configure reporting options, if necessary -- [Sensitive Data](admin/settings/sensitivedata/overview.md) – Flag false positive within discovered +- [History](/docs/accessanalyzer/12.0/admin/settings/history.md) – Configure data retention and log retention settings +- [Host Discovery](/docs/accessanalyzer/12.0/admin/settings/hostdiscovery.md) – Configure Host Discovery task settings +- [Host Inventory](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md) – Configure Host Inventory settings +- [Reporting](/docs/accessanalyzer/12.0/admin/settings/reporting.md) – Configure reporting options, if necessary +- [Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) – Flag false positive within discovered potential sensitive data files -- [ServiceNow](admin/settings/servicenow.md) – Configure the ServiceNow Action Module authentication +- [ServiceNow](/docs/accessanalyzer/12.0/admin/settings/servicenow.md) – Configure the ServiceNow Action Module authentication credentials -- [Storage](admin/settings/storage/overview.md) – Configure 
additional SQL Server database Storage +- [Storage](/docs/accessanalyzer/12.0/admin/settings/storage/overview.md) – Configure additional SQL Server database Storage Profiles -See the [Global Settings](admin/settings/overview.md) topic for additional information. +See the [Global Settings](/docs/accessanalyzer/12.0/admin/settings/overview.md) topic for additional information. ## Discover Hosts @@ -82,7 +82,7 @@ Hosts are manually introduced at the Host Management node. Host management consists of maintaining up-to-date host inventories and host lists which can be assigned to job groups or jobs as targeted hosts. See the -[Host Management](admin/hostmanagement/overview.md) topic for additional information. +[Host Management](/docs/accessanalyzer/12.0/admin/hostmanagement/overview.md) topic for additional information. ## Job Workflow @@ -97,4 +97,4 @@ Solutions are pre-configured job groups which have been designed to target speci environments to audit for specific data sets, typically the most common types of information desired. -See the [Jobs Tree](admin/jobs/overview.md) topic for additional information. +See the [Jobs Tree](/docs/accessanalyzer/12.0/admin/jobs/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/install/application/database.md b/docs/accessanalyzer/12.0/install/application/database.md index 2101e09270..1081717f75 100644 --- a/docs/accessanalyzer/12.0/install/application/database.md +++ b/docs/accessanalyzer/12.0/install/application/database.md 
@@ -78,7 +78,7 @@ Analyzer. - Reporting Needs – Anticipated data needed to generate reports Recommended SQL Server database sizes are provided for specific solutions in the -[Requirements](../../requirements/overview.md) topics. These recommendations are based on +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topics. These recommendations are based on environmental factors, the number of target objects within an environment (users, hosts, mailboxes, etc.), and the applicable factors listed above for the specific solution. 
@@ -134,19 +134,19 @@ to achieve the minimum SQL security levels without breaking core Access Analyzer Use SQL Server Management Studio to create the Access Analyzer database and configure the settings for the server roles and user mappings. -![SQL Server Management Studio create New Database](../../../../../static/img/product_docs/accessanalyzer/install/application/createnewdatabase.webp) +![SQL Server Management Studio create New Database](/img/product_docs/accessanalyzer/install/application/createnewdatabase.webp) **Step 1 –** Create a new database for use with Access Analyzer. Right-click on the **Databases** node and choose **New Database**. -![SQL Server Management Studio New Database window](../../../../../static/img/product_docs/accessanalyzer/install/application/newdatabase.webp) +![SQL Server Management Studio New Database window](/img/product_docs/accessanalyzer/install/application/newdatabase.webp) **Step 2 –** Set the **Database name**. Set any other desired data files configuration per company standards. Click **OK** on the New Database window. **_RECOMMENDED:_** Enter Access Analyzer as the Database name. -![SQL Server Management Studio create New Login](../../../../../static/img/product_docs/accessanalyzer/install/application/newlogin.webp) +![SQL Server Management Studio create New Login](/img/product_docs/accessanalyzer/install/application/newlogin.webp) **Step 3 –** Create a new SQL Login account by right-clicking on the **Security** > **Logins** folder and selecting **New Login**. 
@@ -154,12 +154,12 @@ folder and selecting **New Login**. **Step 4 –** Choose the authentication mode as the login type for use with the newly created Access Analyzer database. The available options are Windows authentication and SQL Server authentication. -![SQL Server Management Studio new login with Windows authentication](../../../../../static/img/product_docs/accessanalyzer/install/application/loginwindows.webp) +![SQL Server Management Studio new login with Windows authentication](/img/product_docs/accessanalyzer/install/application/loginwindows.webp) - If **Windows authentication** is desired, then click **Search** and select the desired Windows account, which has been set up for use with Access Analyzer. -![SQL Server Management Studio new login with SQL Server authentication](../../../../../static/img/product_docs/accessanalyzer/install/application/loginsql.webp) +![SQL Server Management Studio new login with SQL Server authentication](/img/product_docs/accessanalyzer/install/application/loginsql.webp) - **_RECOMMENDED:_** If **SQL Server authentication** is desired, use a login name called Access Analyzer. @@ -167,7 +167,7 @@ Analyzer database. The available options are Windows authentication and SQL Serv **NOTE:** Set the **Default Database** as Access Analyzer (or the desired Access Analyzer database) and choose English as the **Default Language**. -![SQL Server Management Studio New Login User Mapping](../../../../../static/img/product_docs/accessanalyzer/install/application/loginusermapping.webp) +![SQL Server Management Studio New Login User Mapping](/img/product_docs/accessanalyzer/install/application/loginusermapping.webp) **Step 5 –** Navigate to the **User Mapping** menu, select the Access Analyzer (or the desired Access Analyzer database) database, and set the **Default Schema** to **DBO**. 
@@ -179,9 +179,9 @@ to save new user configuration information and continue on to configure the Acce secured login account. **NOTE:** This step requires the completion of the Access Analyzer installation. See the -[Access Analyzer Core Installation](wizard.md) topic for instructions. +[Access Analyzer Core Installation](/docs/accessanalyzer/12.0/install/application/wizard.md) topic for instructions. -![Storage Profile configuration page](../../../../../static/img/product_docs/accessanalyzer/install/application/storageprofile.webp) +![Storage Profile configuration page](/img/product_docs/accessanalyzer/install/application/storageprofile.webp) **Step 8 –** Launch Access Analyzer and navigate to **Settings** > **Storage**. @@ -192,13 +192,13 @@ secured login account. **Windows authentication** or **SQL Server authentication**. If using SQL Server authentication, enter the **User name** and **Password**. -![Connection report window](../../../../../static/img/product_docs/accessanalyzer/install/application/connectionreport.webp) +![Connection report window](/img/product_docs/accessanalyzer/install/application/connectionreport.webp) - Click **Apply** and a Connection report window will open. Verify that the connection and test table drop were performed successfully. - Click **Close** on the Connection report window and then **Save** the new Storage Profile. -![Change storage profile dialog](../../../../../static/img/product_docs/accessanalyzer/install/application/changestorageprofile.webp) +![Change storage profile dialog](/img/product_docs/accessanalyzer/install/application/changestorageprofile.webp) **NOTE:** If previously connected to another database which already had the Access Analyzer DB schema applied, then a prompt should appear to merge the host management data. Choose the 
@@ -210,7 +210,7 @@ configure or use Access Analyzer if a new database Storage Profile was chosen as The **blue arrow** signifies the default profile was changed but does not take effect until the required restart of the Access Analyzer Console. -See the [Access Analyzer Initial Configuration](firstlaunch.md) topic to perform these steps during +See the [Access Analyzer Initial Configuration](/docs/accessanalyzer/12.0/install/application/firstlaunch.md) topic to perform these steps during the initial configuration process after installation. ### Second Level of Security diff --git a/docs/accessanalyzer/12.0/install/application/firstlaunch.md b/docs/accessanalyzer/12.0/install/application/firstlaunch.md index 04d45d0444..a2f6a36b61 100644 --- a/docs/accessanalyzer/12.0/install/application/firstlaunch.md +++ b/docs/accessanalyzer/12.0/install/application/firstlaunch.md 
@@ -3,26 +3,26 @@ Once the Access Analyzer installation process is complete, and before performing actions within Access Analyzer, the initial settings for the Access Analyzer Console must be configured. -![Newrix Access Governance shortcut](../../../../../static/img/product_docs/accessanalyzer/install/application/shortcut.webp) +![Newrix Access Governance shortcut](/img/product_docs/accessanalyzer/install/application/shortcut.webp) **Step 1 –** Launch the Access Analyzer application. The installation wizard places the Access Analyzer icon on the desktop. -![Configuration Wizard Welcome page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Configuration Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page of the Access Analyzer Configuration Wizard, click **Next** to continue. -![Configuration Wizard Version Selection page](../../../../../static/img/product_docs/accessanalyzer/install/application/versionselection.webp) +![Configuration Wizard Version Selection page](/img/product_docs/accessanalyzer/install/application/versionselection.webp) **Step 3 –** On the Version Selection page, select the **I have no previous versions to migrate data from** and click **Next** to continue. **NOTE:** If you are upgrading from a previous version of Access Analyzer, select **Choose a StealthAUDIT root folder path to copy from**. See the -[Access Analyzer Console Upgrade](upgrade/overview.md) topic for additional information. +[Access Analyzer Console Upgrade](/docs/accessanalyzer/12.0/install/application/upgrade/overview.md) topic for additional information. -![SQL Server Settings page](../../../../../static/img/product_docs/accessanalyzer/install/application/sqlserver.webp) +![SQL Server Settings page](/img/product_docs/accessanalyzer/install/application/sqlserver.webp) **Step 4 –** Configure the options on the SQL Server Settings page. 
@@ -63,7 +63,7 @@ topic for additional information on creating a SQL Server database for Access An - If Windows Server authentication is used, the **Schedule Account** page is enabled for configuration. Continue to Step 6. -![Schedule Account Configuration page](../../../../../static/img/product_docs/accessanalyzer/install/application/scheduleaccount.webp) +![Schedule Account Configuration page](/img/product_docs/accessanalyzer/install/application/scheduleaccount.webp) **Step 6 –** (Windows Authentication Only) Configure the schedule service account on the Scheduling page. The account configured here must be an Active Directory account and must have rights to the @@ -82,7 +82,7 @@ There are two options that can be selected: - Password – The password for the service account - Confirm – Re-enter the password for the service account -![Configuration wizard Options page](../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Configuration wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 7 –** On the Options page, select whether to send usage statistics to Netwrix to help us improve our product. After the Usage Statistics option is set as desired, click **Next** to @@ -101,7 +101,7 @@ continue. - If cleared, no usage statistics are collected or sent to Netwrix -![Progress page when upgrade process has completed](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Progress page when upgrade process has completed](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** After the Access Analyzer Configuration Wizard finishes configuring your installation, click **Finish** to open the Access Analyzer Console. 
@@ -109,11 +109,11 @@ click **Finish** to open the Access Analyzer Console. **NOTE:** To view the log for the setup process, click **View Log** to open it. If you need to view the log after exiting the wizard, it is located in the installation directory at `..\STEALTHbits\StealthAUDIT\SADatabase\Logs`. See the -[Troubleshooting](../../admin/maintenance/troubleshooting.md) topic for more information about logs. +[Troubleshooting](/docs/accessanalyzer/12.0/admin/maintenance/troubleshooting.md) topic for more information about logs. -![Netwrix Acces Governance Settings Node](../../../../../static/img/product_docs/accessanalyzer/install/application/settingsnode.webp) +![Netwrix Acces Governance Settings Node](/img/product_docs/accessanalyzer/install/application/settingsnode.webp) The Access Analyzer Console is now ready for custom configuration and use. There are a few additional steps to complete in order to begin collecting data, such as configuring a Connection Profile and a Schedule Service account as well as discovering hosts and setting up host lists. See -the [Getting Started](../../gettingstarted.md) topic for additional information. +the [Getting Started](/docs/accessanalyzer/12.0/gettingstarted.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/install/application/otherlanguages.md b/docs/accessanalyzer/12.0/install/application/otherlanguages.md index 6cb2885443..6d21191800 100644 --- a/docs/accessanalyzer/12.0/install/application/otherlanguages.md +++ b/docs/accessanalyzer/12.0/install/application/otherlanguages.md 
@@ -44,7 +44,7 @@ Follow the steps to change the collation at the database level. **Step 1 –** Access the Database Properties in SQL Server Management Studio. -![SQL Server Management Studio Database Properties window](../../../../../static/img/product_docs/accessanalyzer/install/application/databasepropertiescollation.webp) +![SQL Server Management Studio Database Properties window](/img/product_docs/accessanalyzer/install/application/databasepropertiescollation.webp) **Step 2 –** Select **Options** and set the collation. @@ -54,7 +54,7 @@ Now that the collations match, proceed with Access Analyzer installation. Follow the steps to change the collation at the SQL Server level. -![SQL Server Configuration Manager](../../../../../static/img/product_docs/accessanalyzer/install/application/sqlserverconfigurationmanager.webp) +![SQL Server Configuration Manager](/img/product_docs/accessanalyzer/install/application/sqlserverconfigurationmanager.webp) **Step 1 –** Stop the SQL Server service from the Configuration Manager. diff --git a/docs/accessanalyzer/12.0/install/application/overview.md b/docs/accessanalyzer/12.0/install/application/overview.md index ac6fc73211..5dbf873932 100644 --- a/docs/accessanalyzer/12.0/install/application/overview.md +++ b/docs/accessanalyzer/12.0/install/application/overview.md @@ -6,7 +6,7 @@ such as how to secure the Access Analyzer Database, and configuring the Web Cons reports outside of the Access Analyzer Console. Prior to installing Access Analyzer, please ensure that all of the prerequisites have been met. See -the [Requirements](../../requirements/overview.md) topic for more information. +the [Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for more information. ## Binaries 
@@ -26,7 +26,7 @@ Your Netwrix Representative will provide the appropriate binaries. - If your license includes Sensitive Data Discovery (SDD), the necessary SDD components are installed - - See the [File System Proxy Service Installation](../filesystemproxy/wizard.md) topic for + - See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information. - Activity Monitor binary – Installation package for monitoring Windows and NAS device file system @@ -41,14 +41,14 @@ Your Netwrix Representative will provide the appropriate binaries. - If your license includes Sensitive Data Discovery (SDD), the necessary SDD components are installed - - See the [SharePoint Agent Installation](../sharepointagent/overview.md) topic for additional + - See the [SharePoint Agent Installation](/docs/accessanalyzer/12.0/install/sharepointagent/overview.md) topic for additional information. - Access Analyzer MAPI CDO binary – One of two installation package needed to enable the Exchange Solution - See the - [StealthAUDIT MAPI CDO Installation](../../stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) + [StealthAUDIT MAPI CDO Installation](/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) topic for additional information. - Access Analyzer Reporting Services binary – Installation package for Survey Action Module 
@@ -74,9 +74,9 @@ Your Netwrix Representative will provide the appropriate binaries. Your Netwrix Representative will provide the necessary license key. The Access Analyzer license key (`StealthAUDIT.lic`) is needed for the Access Analyzer Core Installation. See the -[Access Analyzer Core Installation](wizard.md) topic for additional information. +[Access Analyzer Core Installation](/docs/accessanalyzer/12.0/install/application/wizard.md) topic for additional information. To grant access to additional Solution sets or enable Sensitive Data Discovery in an existing Access Analyzer installation, a new license key is required. To update the Access Analyzer license key without installing a new version of the Access Analyzer Console, see the -[Update License Key](updatelicense.md) topic for instructions. +[Update License Key](/docs/accessanalyzer/12.0/install/application/updatelicense.md) topic for instructions. diff --git a/docs/accessanalyzer/12.0/install/application/reports/adfs.md b/docs/accessanalyzer/12.0/install/application/reports/adfs.md index 334003602a..e8de2da9c6 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/adfs.md +++ b/docs/accessanalyzer/12.0/install/application/reports/adfs.md @@ -26,7 +26,7 @@ Add Relying Party Trust Wizard to configure the relying party trust: **Next**. - On the Configure URL page, do not select any options and click **Next**. - ![Identifier added on the Configure Identifiers page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/relyingpartytrustwizardidentifier.webp) + ![Identifier added on the Configure Identifiers page](/img/product_docs/accessanalyzer/install/application/reports/relyingpartytrustwizardidentifier.webp) - On the Configure Identifiers page, add an identifier of `https://` followed by the fully qualified domain name (FQDN) of your ADFS server. 
@@ -35,7 +35,7 @@ Add Relying Party Trust Wizard to configure the relying party trust: - Click **Next** to proceed through the remaining wizard pages and complete the wizard. -![Add an Endpoint window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/addanendpointwindow.webp) +![Add an Endpoint window](/img/product_docs/accessanalyzer/install/application/reports/addanendpointwindow.webp) **Step 4 –** Double-click on the newly added relying party trust to open it's Properties window. Navigate to the Endpoints tab and click **Add WS-Federation**. On the Add an Endpoint window, add 
@@ -53,18 +53,18 @@ right-hand panel. - On the Choose Rule Type page of the Add Transform Claim Rule Wizard, select **Send LDAP Attributes as Claims** as the Claim rule template. Click **Next**. - ![Configure Claim Rule page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/claimrulenameadfsconfig.webp) + ![Configure Claim Rule page](/img/product_docs/accessanalyzer/install/application/reports/claimrulenameadfsconfig.webp) - On the Configure Claim Rule page, enter a name in the **Claim rule name** field. If the SID claim is not configured by default, add it to the Claim Description as follows: -![Configure Claim Rule SID Properties](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/claimrulenamesidproperties.webp) +![Configure Claim Rule SID Properties](/img/product_docs/accessanalyzer/install/application/reports/claimrulenamesidproperties.webp) **Step 6 –** Navigate to the Access Analyzer installation directory and open the `WebServer.exe.config` file in a text editor. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigadfs.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigadfs.webp) **Step 7 –** In the `WebServer.exe.config` file, change the following parameters: @@ -81,7 +81,7 @@ If the SID claim is not configured by default, add it to the Claim Description ``` - ![URL required for WsFederationRealm attribute](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/wsfederationrealmurl.webp) + ![URL required for WsFederationRealm attribute](/img/product_docs/accessanalyzer/install/application/reports/wsfederationrealmurl.webp) You can retrieve the URL value from the Identifiers tab of the relying party trust properties window. 
@@ -93,7 +93,7 @@ If the SID claim is not configured by default, add it to the Claim Description ``` - ![URL required for WsFederationReply attribute](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/wsfederationreplyurl.webp) + ![URL required for WsFederationReply attribute](/img/product_docs/accessanalyzer/install/application/reports/wsfederationreplyurl.webp) You can obtain the URL required for this parameter from the Endpoints tab of the relying party trust properties window. Select the endpoint and click **Edit** to open the Edit Endpoint @@ -122,7 +122,7 @@ Reports URL for ADFS: **Step 1 –** Right-click the Published Reports shortcut on the desktop and select **Properties**. -![Published Reports desktop shortcut properties](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/publishedreportsproperties.webp) +![Published Reports desktop shortcut properties](/img/product_docs/accessanalyzer/install/application/reports/publishedreportsproperties.webp) **Step 2 –** Replace the URL with `https://SAWebConsole.domain.com:8082`. diff --git a/docs/accessanalyzer/12.0/install/application/reports/disclaimer.md b/docs/accessanalyzer/12.0/install/application/reports/disclaimer.md index 337ca60dc3..cd13a03d15 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/disclaimer.md +++ b/docs/accessanalyzer/12.0/install/application/reports/disclaimer.md 
@@ -7,7 +7,7 @@ Follow the steps to configure the optional disclaimer message: **Step 1 –** Navigate to the Web folder of the installation directory: ` …\STEALTHbits\StealthAUDIT\Web`. -![Disclaimer.txt file added to the Web folder](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/disclaimertxt.webp) +![Disclaimer.txt file added to the Web folder](/img/product_docs/accessanalyzer/install/application/reports/disclaimertxt.webp) **Step 2 –** Create a `Disclaimer.txt` file in the Web folder. Write a custom disclaimer that displays on the login page for the Web Console. @@ -15,11 +15,11 @@ displays on the login page for the Web Console. - The text file must be named `Disclaimer.txt`. The disclaimer message option is not configured properly if using a text file with a different name. -![File Explorer WebServer.exe.config](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigfile.webp) +![File Explorer WebServer.exe.config](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigfile.webp) **Step 3 –** Locate the `WebServer.exe.config` file and open it. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigdisclaimer.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigdisclaimer.webp) **Step 4 –** Find the following line in the text: 
@@ -35,7 +35,7 @@ displays on the login page for the Web Console. **Step 6 –** Save the changes to enable the disclaimer message on the Web Console login page. -![Web Console login page with disclaimer message](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolelogindisclaimer.webp) +![Web Console login page with disclaimer message](/img/product_docs/accessanalyzer/install/application/reports/webconsolelogindisclaimer.webp) **Step 7 –** To check if the disclaimer message was configured correctly, open the Web Console to access the login page. diff --git a/docs/accessanalyzer/12.0/install/application/reports/domains.md b/docs/accessanalyzer/12.0/install/application/reports/domains.md index f952909b84..04044db0ea 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/domains.md +++ b/docs/accessanalyzer/12.0/install/application/reports/domains.md @@ -13,7 +13,7 @@ Analyzer resides. Follow the steps to allow access to the Web Console from other **Step 1 –** Open the **WebServer.exe.config** file with a text editor, for example Notepad. It is located within the Web folder of the Access Analyzer installation directory. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigmultipledomains.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigmultipledomains.webp) **Step 2 –** Add the desired domains to the value for the `AuthenticationDomains` parameter: diff --git a/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md b/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md index 381b8db820..af16566e90 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md +++ b/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md 
@@ -60,7 +60,7 @@ table, and then click **Save**. Once configured they should show under Additional claims as below: -![Claims configured](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/entraidssoclaims.webp) +![Claims configured](/img/product_docs/accessanalyzer/install/application/reports/entraidssoclaims.webp) **Step 7 –** In the **Manage** > **Users and groups** section for your application, add any required users or groups to give permission to access the application. @@ -74,12 +74,12 @@ To enable Microsoft Entra ID SSO for the Web Console, the web server config fi with values from Microsoft Entra ID. Follow the steps to enable the SSO. _Remember,_ Enabling Entra ID SSO requires SSL to already have been enabled for the web server. See -the [Securing the Web Console](secure.md) topic for additional information. +the [Securing the Web Console](/docs/accessanalyzer/12.0/install/application/reports/secure.md) topic for additional information. **Step 1 –** Open the **WebServer.exe.config** file with a text editor, for example Notepad. It is located within the Web folder of the Access Analyzer installation directory. -![Parameters in the web server config file](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigfileentrasso.webp) +![Parameters in the web server config file](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigfileentrasso.webp) **Step 2 –** Locate the **WsFederationMetaData**, **WsFederationRealm**, and **WsFederationReply** Parameters in the config file, and add the required values from your Microsoft Entra ID application: diff --git a/docs/accessanalyzer/12.0/install/application/reports/kerberosencryption.md b/docs/accessanalyzer/12.0/install/application/reports/kerberosencryption.md index e9d1955bdb..405f5bc8b4 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/kerberosencryption.md 
+++ b/docs/accessanalyzer/12.0/install/application/reports/kerberosencryption.md @@ -8,7 +8,7 @@ If encryption methods have been configured for Kerberos on the Access Analyzer s service account running the Access Analyzer Web Server service, then users will not be able to log-in to the Web Console and will receive the below error message. -![Kerberos Error Message](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/kerberoserrormessage.webp) +![Kerberos Error Message](/img/product_docs/accessanalyzer/install/application/reports/kerberoserrormessage.webp) When this occurs, the following error will be logged: @@ -29,14 +29,14 @@ Follow the steps to configure a Local Security Policy to allow Kerberos. **Step 1 –** Open the Local Security Policy window. -![Local Security Policy Window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localsecuritypolicywindow.webp) +![Local Security Policy Window](/img/product_docs/accessanalyzer/install/application/reports/localsecuritypolicywindow.webp) **Step 2 –** From the Security Settings list, navigate to **Local Policies** > **Security Options**. **Step 3 –** Right-click the **Network Security: Configure encryption types allows for Kerberos** policy > click **Properties**. -![Configure Local Security Setting Window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/configurelocalsecuritysettingwindow.webp) +![Configure Local Security Setting Window](/img/product_docs/accessanalyzer/install/application/reports/configurelocalsecuritysettingwindow.webp) **Step 4 –** Configure necessary settings by checking each applicable box. 
@@ -53,7 +53,7 @@ Follow the steps to configure a Local Group Security Policy to allow Kerberos. **Step 1 –** Open the Local Group Policy Editor window. -![Local Group Policy Editor window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localgrouppolicywindow.webp) +![Local Group Policy Editor window](/img/product_docs/accessanalyzer/install/application/reports/localgrouppolicywindow.webp) **Step 2 –** From the Local Computer Policy list, navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** folder . @@ -61,7 +61,7 @@ Settings** > **Security Settings** > **Local Policies** > **Security Options* **Step 3 –** Right-click the **Network Security: Configure encryption types allows for Kerberos** policy, then click **Properties**. -![Configure Local Security Setting Window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/configurelocalsecuritysettingwindow.webp) +![Configure Local Security Setting Window](/img/product_docs/accessanalyzer/install/application/reports/configurelocalsecuritysettingwindow.webp) **Step 4 –** Configure necessary settings by checking each applicable box. 
@@ -83,13 +83,13 @@ reflect the configuration options selected in the two sections above. See the **Step 1 –** Open the Active Directory Users and Computers window. -![Active Directory Users and Computers Window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/activedirectoryusersandcomputerswindows.webp) +![Active Directory Users and Computers Window](/img/product_docs/accessanalyzer/install/application/reports/activedirectoryusersandcomputerswindows.webp) **Step 2 –** Click and expand the Domain from the left-hand menu and click **Users**. **Step 3 –** Right-click a **User** from the list of available users, then click **Properties**. -![User Properties Window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/userproperteswindow.webp) +![User Properties Window](/img/product_docs/accessanalyzer/install/application/reports/userproperteswindow.webp) **Step 4 –** Click the **Account** tab. diff --git a/docs/accessanalyzer/12.0/install/application/reports/okta.md b/docs/accessanalyzer/12.0/install/application/reports/okta.md index ed7e64fcef..29d8e1beb3 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/okta.md +++ b/docs/accessanalyzer/12.0/install/application/reports/okta.md @@ -10,7 +10,7 @@ Follow the steps to create an Access Analyzer Application in Okta Using the WS- **Step 3 –** Click **Create App Integration**. -![Okta Browse App Integration Catalog](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktawsfedtemplate.webp) +![Okta Browse App Integration Catalog](/img/product_docs/accessanalyzer/install/application/reports/oktawsfedtemplate.webp) **Step 4 –** Browse the App Integration Catalog and select **Template WS-Fed**. 
@@ -18,7 +18,7 @@ Follow the steps to create an Access Analyzer Application in Okta Using the WS- Retrieve the Values to Paste into the Access Analyzer WebServer.exe.config File -![Okta Application copy link address](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktacopylinkaddress.webp) +![Okta Application copy link address](/img/product_docs/accessanalyzer/install/application/reports/oktacopylinkaddress.webp) **Step 1 –** In the Access Analyzer application, click the **Sign On** tab. @@ -49,7 +49,7 @@ located in the Web folder within the Access Analyzer installation. ``` -![Okta application values in WebServer.exe.config file](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigokta.webp) +![Okta application values in WebServer.exe.config file](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigokta.webp) **Step 3 –** Update the following values in the **WebServer.exe.config** file with the values retrieved from the Access Analyzer Okta application. 
@@ -99,16 +99,16 @@ populate the following fields. http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname|${user.__samaccountname__}|, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid|${user.__SID__}|,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn|${user.__upn__}| -![oktaprofileeditor](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktaprofileeditor.webp) +![oktaprofileeditor](/img/product_docs/accessanalyzer/install/application/reports/oktaprofileeditor.webp) **Step 2 –** Navigate to the Directory menu and select **Profile Editor** from the drop-down menu. Click the **Edit Profile** button for the Access Analyzer application. -![Okta Add Attribute button](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktaaddattribute.webp) +![Okta Add Attribute button](/img/product_docs/accessanalyzer/install/application/reports/oktaaddattribute.webp) **Step 3 –** Click **Add Attribute** to open the Add Attribute window. -![Okta Add Atrribute window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktaaddattributewindow.webp) +![Okta Add Atrribute window](/img/product_docs/accessanalyzer/install/application/reports/oktaaddattributewindow.webp) **Step 4 –** In the Add Attribute window, add the following attributes: 
@@ -123,25 +123,25 @@ Click the **Edit Profile** button for the Access Analyzer application. Click **Save** to save the attribute details and close the Add Attribute window. To add another attribute, click **Save and Add Another**. -![To Okta option under the Directory Provisioning Tab](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktadirectoryprovisioningtookta.webp) +![To Okta option under the Directory Provisioning Tab](/img/product_docs/accessanalyzer/install/application/reports/oktadirectoryprovisioningtookta.webp) **Step 5 –** Navigate to the **Directory** menu and click on the **Provisioning** tab. Click **To Okta**. -![Okta Show Unmapped Attributes](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktashowunmappedattributes.webp) +![Okta Show Unmapped Attributes](/img/product_docs/accessanalyzer/install/application/reports/oktashowunmappedattributes.webp) **Step 6 –** Locate and map the attributes that were added for the profile by clicking the **Pencil** icon to edit attributes. To locate the attributes, scroll down and select **Show Unmapped Attributes**. -![Okta Unmapped Attribute configuration window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktaunmappedattributeconfigscreen.webp) +![Okta Unmapped Attribute configuration window](/img/product_docs/accessanalyzer/install/application/reports/oktaunmappedattributeconfigscreen.webp) **Step 7 –** Click the pencil icon for **SID**, **upn**, and **samAccountName** to map the attributes. They will display in the mapped section. **Step 8 –** Click **Save** and return to the **Okta Attribute Mappings** page. 
-![Okta Attribute Mappings Force Sync](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktaattributemappingsforcesync.webp) +![Okta Attribute Mappings Force Sync](/img/product_docs/accessanalyzer/install/application/reports/oktaattributemappingsforcesync.webp) **Step 9 –** On the Okta Attribute Mappings page, click **Force Sync**. The new attributes will display for any user under the profile. @@ -154,7 +154,7 @@ additional information. Follow the steps to configure multi-factor-authentication for Access Analyzer: -![Okta MFA App Sign on Rule window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktamfaappsignonrule.webp) +![Okta MFA App Sign on Rule window](/img/product_docs/accessanalyzer/install/application/reports/oktamfaappsignonrule.webp) **Step 1 –** Navigate to the **Sign On Policy** page and click **Add Rule**. The App Sign On Rule opens. Configure the following options: @@ -163,7 +163,7 @@ opens. Configure the following options: - Conditions – Select whether the rule applies to either the **Users assigned to this app** or **The following groups and users**. -![Okta MFA App Sign on Rule window Access section](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/oktamfaappsignonruleaccess.webp) +![Okta MFA App Sign on Rule window Access section](/img/product_docs/accessanalyzer/install/application/reports/oktamfaappsignonruleaccess.webp) **Step 2 –** Scroll down to the Access section. Check the **Prompt for factor** box and select **Every Sign On**. Click **Save**. diff --git a/docs/accessanalyzer/12.0/install/application/reports/overview.md b/docs/accessanalyzer/12.0/install/application/reports/overview.md index 0836915312..b1cbcc8df6 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/overview.md +++ b/docs/accessanalyzer/12.0/install/application/reports/overview.md 
@@ -15,7 +15,7 @@ Console upon installation. Access Analyzer database. This may be a different account than the one used to connect Access Analyzer to the database. If the Access Analyzer Vault service is running, the account running the Web Server service must be an Access Analyzer Administrator. See the -[Vault](../../../admin/settings/application/vault.md) topic for additional information. +[Vault](/docs/accessanalyzer/12.0/admin/settings/application/vault.md) topic for additional information. The Web folder that the Access Analyzer installer places at the root of the Access Analyzer directory also contains a `WebServer.exe.config` file. This file contains configurable parameters. @@ -23,7 +23,7 @@ directory also contains a `WebServer.exe.config` file. This file contains config **CAUTION:** If encryption methods have been configured for Kerberos on the Access Analyzer server but not on the service account running the Access Analyzer Web Server service, then users will not be able to log-in to the Web Console and will receive an error message. See the -[Manage Kerberos Encryption Warning for the Web Console](kerberosencryption.md) topic for additional +[Manage Kerberos Encryption Warning for the Web Console](/docs/accessanalyzer/12.0/install/application/reports/kerberosencryption.md) topic for additional information on configuring security polices to allow Kerberos encryption. ## Log into the Web Console 
@@ -36,7 +36,7 @@ the username needs to be in the `domain\username` format. Access to reports in the Web Console can be managed through the Role Based Access feature of Access Analyzer (**Settings** > **Access**). The Web Administrator role and the Report Viewer role grant access to the published reports. See the -[Role Based Access](../../../admin/settings/access/rolebased/overview.md) topic for addition +[Role Based Access](/docs/accessanalyzer/12.0/admin/settings/access/rolebased/overview.md) topic for addition information. **NOTE:** Access to the AIC and other Netwrix products is controlled from within those products. @@ -50,7 +50,7 @@ for additional information. **NOTE:** Any browser used to access the Web Console must have JavaScript allowed for the site. See the -[Configure JavaScript Settings for the Web Console](../../../admin/settings/reporting.md#configure-javascript-settings-for-the-web-console) +[Configure JavaScript Settings for the Web Console](/docs/accessanalyzer/12.0/admin/settings/reporting.md#configure-javascript-settings-for-the-web-console) topic for additional information. Follow the steps to login to the Web Console. 
@@ -67,12 +67,12 @@ Follow the steps to login to the Web Console. **NOTE:** The URL that is used may need to be added to the browser’s list of trusted sites. -![Web Console Login page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolelogin.webp) +![Web Console Login page](/img/product_docs/accessanalyzer/install/application/reports/webconsolelogin.webp) **Step 2 –** Enter your **User Name** and **Password**. Click **Login**. -![Web Console Home page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) +![Web Console Home page](/img/product_docs/accessanalyzer/install/application/reports/webconsolehome.webp) The home page shows the solutions with published reports available. See the -[Web Console](../../../admin/report/view.md#web-console) topic for information on using the Web +[Web Console](/docs/accessanalyzer/12.0/admin/report/view.md#web-console) topic for information on using the Web Console. diff --git a/docs/accessanalyzer/12.0/install/application/reports/secure.md b/docs/accessanalyzer/12.0/install/application/reports/secure.md index 77420be74d..aa63f1a833 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/secure.md +++ b/docs/accessanalyzer/12.0/install/application/reports/secure.md 
@@ -13,10 +13,10 @@ Additional configuration options for enhanced security include: - Enable Single Sign-On – The `WindowsAuthentication` parameter allows domain users to be automatically logged into the Web Console. By default this parameter is set to `false`, which requires domain users to login each time the Web Console is accessed. See the - [Enable Single Sign-On](sso.md) topic for additional information. + [Enable Single Sign-On](/docs/accessanalyzer/12.0/install/application/reports/sso.md) topic for additional information. **NOTE:** The Web Console also supports using Microsoft Entra ID single sign-on. See the - [Microsoft Entra ID Single Sign-On](entraidsso.md) topic for additional information. + [Microsoft Entra ID Single Sign-On](/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md) topic for additional information. These parameters can be configured within the **WebServer.exe.config** file in the Web folder of the Access Analyzer installation directory `…\STEALTHbits\StealthAUDIT\Web`. @@ -66,7 +66,7 @@ dir cert:\localmachine\my **Step 3 –** Open the **WebServer.exe.config** file with a text editor, for example Notepad. It is located within the Web folder of the Access Analyzer installation directory. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfig.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfig.webp) **Step 4 –** Change the value for the `BindingUrl` parameter from `http` to `https`: 
@@ -110,7 +110,7 @@ Follow the steps to update the Website URL in the **Settings** > **Reporting** n **Step 1 –** Expand **Settings** and select the **Reporting** node. -![Access Governance Reporting Settings page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/websiteurlreporting.webp) +![Access Governance Reporting Settings page](/img/product_docs/accessanalyzer/install/application/reports/websiteurlreporting.webp) **Step 2 –** In the **Website URL** box, update the URL to: `https://[hostname.domain.com]:8082` @@ -125,7 +125,7 @@ Properties window. **Step 1 –** Right click on the **Published Reports** desktop shortcut and click **Properties**. -![Published Reports desktop icon properties](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/publishedreportsproperties.webp) +![Published Reports desktop icon properties](/img/product_docs/accessanalyzer/install/application/reports/publishedreportsproperties.webp) **Step 2 –** On the **Web Document** tab, update the **URL** in the text box to: `https://localhost:8082/` 
@@ -178,17 +178,17 @@ Follow these steps to confirm the certificate is in Microsoft Management Console **Step 1 –** Open Microsoft Management Console (`mmc.exe`). -![Microsoft Management Console Certificates snap-in](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificateaddsnapin.webp) +![Microsoft Management Console Certificates snap-in](/img/product_docs/accessanalyzer/install/application/reports/certificateaddsnapin.webp) **Step 2 –** Select **File** > **Add/Remove Snap-in**. The Add or Remove Snap-ins window opens. Select **Certificates**, and click **Add**. Then select **Computer account** in the Certificates snap-in window. -![Microsoft Management Console Certificates snap-in Select Computer dialog](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificateselectcomputer.webp) +![Microsoft Management Console Certificates snap-in Select Computer dialog](/img/product_docs/accessanalyzer/install/application/reports/certificateselectcomputer.webp) **Step 3 –** Click **Next** and select **Local computer**. Click **Finish**. -![Microsoft Management Console Certificates Add or Remove Snap-ins window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificatesnapins.webp) +![Microsoft Management Console Certificates Add or Remove Snap-ins window](/img/product_docs/accessanalyzer/install/application/reports/certificatesnapins.webp) **Step 4 –** The certificate will appear in the Selected snap-ins list in the Add or Remove Snap-ins window. Click **OK** to close the window. 
@@ -207,12 +207,12 @@ Follow the steps to remove the certificate error. **Step 1 –** Open the Web Console in your browser. -![Your connection isn't private warning in Microsoft Edge](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificateconnectionnotprivate.webp) +![Your connection isn't private warning in Microsoft Edge](/img/product_docs/accessanalyzer/install/application/reports/certificateconnectionnotprivate.webp) **Step 2 –** Click **Advanced**, and then use the link to continue to the site. This loads the main page of the Web Console. -![Access Certificat Viewer from Not Secure error in Microsoft Edge address bar](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificatenotsecureerror.webp) +![Access Certificat Viewer from Not Secure error in Microsoft Edge address bar](/img/product_docs/accessanalyzer/install/application/reports/certificatenotsecureerror.webp) **Step 3 –** Click the **Not Secure** warning in the browser's address bar. Open the Certificate Viewer from the warning details. 
@@ -221,25 +221,25 @@ Viewer from the warning details. the certificate icon. - In Google Chrome, click **Certificate is not valid**. -![Web browser Certificate Viewer window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificateviewer.webp) +![Web browser Certificate Viewer window](/img/product_docs/accessanalyzer/install/application/reports/certificateviewer.webp) **Step 4 –** On the Details tab of the Certificate Viewer, click **Export**. Save the security certificate and close the Certificate Viewer. -![Certificate window](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificatewindow.webp) +![Certificate window](/img/product_docs/accessanalyzer/install/application/reports/certificatewindow.webp) **Step 5 –** Navigate to the save location from the previous step and open the exported security certificate. On the Certificate window, click **Install Certificate**. The Certificate Import Wizard opens. -![Certificate Import Wizard](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/certificateimportwizard.webp) +![Certificate Import Wizard](/img/product_docs/accessanalyzer/install/application/reports/certificateimportwizard.webp) **Step 6 –** On the Certificate Import Wizard, select the Store Location as **Local Machine**, and click **Next**. Keep the default selection of **Automatically select the certificate store based on the type of certificate**. Navigate through the wizard to save this configuration. A pop-up message should state that the import was successful. Click **OK** to close out all dialogs. 
-![Microsoft Management Console Trusted Root Certification Authorities Certificates](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/addcertificateconsole.webp) +![Microsoft Management Console Trusted Root Certification Authorities Certificates](/img/product_docs/accessanalyzer/install/application/reports/addcertificateconsole.webp) **Step 7 –** In the Microsoft Management Console, check the **Trusted Root Certification Authorities** > **Certificates**. The self-signed certificate should now be listed there. diff --git a/docs/accessanalyzer/12.0/install/application/reports/sso.md b/docs/accessanalyzer/12.0/install/application/reports/sso.md index 61652b7911..e057dd97d1 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/sso.md +++ b/docs/accessanalyzer/12.0/install/application/reports/sso.md @@ -6,14 +6,14 @@ domain, the user will be prompted for credentials from a pop-up windows. After a user will be automatically logged in the Web Console. **NOTE:** The Web Console also supports using Microsoft Entra ID single sign-on. See the -[Microsoft Entra ID Single Sign-On](entraidsso.md) topic for additional information. +[Microsoft Entra ID Single Sign-On](/docs/accessanalyzer/12.0/install/application/reports/entraidsso.md) topic for additional information. Follow the steps to enable single sign-on for the Web Console. **Step 1 –** Open the **WebServer.exe.config** file with a text editor, for example Notepad. It is located within the Web folder of the Access Analyzer installation directory. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigsso.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigsso.webp) **Step 2 –** Change the value for the `WindowsAuthentication` parameter to: 
@@ -39,16 +39,16 @@ Follow the steps to configure local intranet settings. **Step 1 –** Open Windows Internet Properties (**Control Panel** > **Network and Internet** > **Internet Options**). -![ConfigureLocalIntranetSettingsforSSO - 1](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/internetproperties.webp) +![ConfigureLocalIntranetSettingsforSSO - 1](/img/product_docs/accessanalyzer/install/application/reports/internetproperties.webp) **Step 2 –** Go to the Security tab, and select the **Local Intranet** option. Then, click the **Sites** button. -![localintranet](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localintranet.webp) +![localintranet](/img/product_docs/accessanalyzer/install/application/reports/localintranet.webp) **Step 3 –** Click the **Advanced** button. -![localintranetadvanced](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localintranetadvanced.webp) +![localintranetadvanced](/img/product_docs/accessanalyzer/install/application/reports/localintranetadvanced.webp) **Step 4 –** Enter a domain in the **Add this website in the zone** field. Ensure the fully qualified domain name is in the following format: `https://..com` diff --git a/docs/accessanalyzer/12.0/install/application/reports/timeout.md b/docs/accessanalyzer/12.0/install/application/reports/timeout.md index cfffc87b38..e1ea1ae1cb 100644 --- a/docs/accessanalyzer/12.0/install/application/reports/timeout.md +++ b/docs/accessanalyzer/12.0/install/application/reports/timeout.md 
@@ -10,7 +10,7 @@ Follow the steps to modify the timeout parameter for the Web Console. **Step 1 –** Open the **WebServer.exe.config** file with a text editor, for example Notepad. -![WebServer.exe.config file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigtimeout.webp) +![WebServer.exe.config file in Notepad](/img/product_docs/accessanalyzer/install/application/reports/webserverexeconfigtimeout.webp) **Step 2 –** Change the value for the `SessionTimeout` parameter to the desired number of minutes: diff --git a/docs/accessanalyzer/12.0/install/application/updatelicense.md b/docs/accessanalyzer/12.0/install/application/updatelicense.md index 61e1deb017..8ee1ad31f7 100644 --- a/docs/accessanalyzer/12.0/install/application/updatelicense.md +++ b/docs/accessanalyzer/12.0/install/application/updatelicense.md 
@@ -18,39 +18,39 @@ Access Analyzer Console. **Step 1 –** Ensure the new `StealthAUDIT.lic` license file is stored locally on the Access Analyzer Console server in order to be referenced during the installation process. -![Windows Control Panel Uninstall or change a program window](../../../../../static/img/product_docs/accessanalyzer/install/application/controlpaneluninstall.webp) +![Windows Control Panel Uninstall or change a program window](/img/product_docs/accessanalyzer/install/application/controlpaneluninstall.webp) **Step 2 –** From Programs and Features (**Control Panel** > **Programs** > **Programs and Features**), select the Access Analyzer application and click **Change**. -![Setup Wizard Welcome page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 3 –** On the Welcome page, click **Next**. -![Setup Wizard Change, Repair, or Remove Installation page](../../../../../static/img/product_docs/accessanalyzer/install/application/change.webp) +![Setup Wizard Change, Repair, or Remove Installation page](/img/product_docs/accessanalyzer/install/application/change.webp) **Step 4 –** On the Change, Repair, or Remove Installation page, click **Change**. | | | | | ----------------------------------------------------------------------------------------------------------------------- | --- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![License File page](../../../../../static/img/product_docs/accessanalyzer/install/application/licensemapped.webp) | +| ![License File page](/img/product_docs/accessanalyzer/install/application/licensemapped.webp) | | Default License File Page | | Mapped License File | **Step 5 –** On the License File page, click **Browse** and navigate to the **StealthAUDIT.lic** file. 
It must be stored on the Access Analyzer Console server before the installation begins. When the path to the file is visible in the text box, click **Next**. The license will be imported. -![License Features page](../../../../../static/img/product_docs/accessanalyzer/install/application/licensefeatures.webp) +![License Features page](/img/product_docs/accessanalyzer/install/application/licensefeatures.webp) **Step 6 –** The License Features page displays a list of all features covered by the imported license. It also displays the name of the organization which owns the license, the expiration date, and the host limit. These are the features that will be installed. Click **Next**. -![Setup Wizard Ready to change page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![Setup Wizard Ready to change page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 7 –** On the Ready to Change Access Analyzer page, click **Change** to begin the update. -![Setup Wizard Completed page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Setup Wizard Completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** When the installation has completed, click **Finish** to exit the wizard. diff --git a/docs/accessanalyzer/12.0/install/application/upgrade/overview.md b/docs/accessanalyzer/12.0/install/application/upgrade/overview.md index dc2e75d6e6..5a24b38d0d 100644 --- a/docs/accessanalyzer/12.0/install/application/upgrade/overview.md +++ b/docs/accessanalyzer/12.0/install/application/upgrade/overview.md 
@@ -13,7 +13,7 @@ The purpose of this document is to provide the basic steps needed for upgrading the stock solutions. Contact [Netwrix Support](https://www.netwrix.com/support.html) for additional information. -See the [What's New](../../../whatsnew.md) topic for release information. +See the [What's New](/docs/accessanalyzer/12.0/whatsnew.md) topic for release information. ## Considerations @@ -55,7 +55,7 @@ versions for the Access Analyzer database. To grant access to additional Solutions in an existing Access Analyzer installation, a new license key is required. To update the Access Analyzer license key without installing a new version of the -Access Analyzer Console, see the [Update License Key](../updatelicense.md) topic for instructions. +Access Analyzer Console, see the [Update License Key](/docs/accessanalyzer/12.0/install/application/updatelicense.md) topic for instructions. License Key Changes @@ -73,5 +73,5 @@ The following changes in licensing requires the organization needing a new key: - No additional licenses are required for this version -See the [Update License Key](../updatelicense.md) section for instructions on updating the license +See the [Update License Key](/docs/accessanalyzer/12.0/install/application/updatelicense.md) section for instructions on updating the license key. diff --git a/docs/accessanalyzer/12.0/install/application/upgrade/solutionconsiderations.md b/docs/accessanalyzer/12.0/install/application/upgrade/solutionconsiderations.md index 62a10c5652..f9c1e0200c 100644 --- a/docs/accessanalyzer/12.0/install/application/upgrade/solutionconsiderations.md +++ b/docs/accessanalyzer/12.0/install/application/upgrade/solutionconsiderations.md 
@@ -41,7 +41,7 @@ Active Directory Solution Considerations File System Solution Considerations - For Proxy Mode as a Service – File System Proxy Service needs to be updated on the proxy servers. - See the [Upgrade Proxy Service Procedure](../../filesystemproxy/upgrade.md) topic for + See the [Upgrade Proxy Service Procedure](/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md) topic for instructions. - For Activity – Ensure the Netwrix Activity Monitor is a compatible version. See the Upgrade Instructions in the @@ -52,7 +52,7 @@ SharePoint Solution Considerations - For SharePoint Agent – Access Analyzer SharePoint Agent needs to be updated on the SharePoint server where it was installed. See the - [Upgrade SharePoint Agent](../../sharepointagent/upgrade.md) section for instructions. + [Upgrade SharePoint Agent](/docs/accessanalyzer/12.0/install/sharepointagent/upgrade.md) section for instructions. - For Activity – Ensure the Stealthbits Activity Monitor is a compatible version. See the Upgrade Instructions in the [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) @@ -76,7 +76,7 @@ database schema. This database schema migration should be performed before running other jobs in the File System Solution after upgrading to Access Analyzer 12.0. -See the [File System Solution](../../../solutions/filesystem/overview.md) topic for additional +See the [File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information. ## Configure Global Sensitive Data Settings 
@@ -93,19 +93,19 @@ If the same Sensitive Data Criteria are used for all solutions, configure the cr the global **Settings** > **Sensitive Data** node, which will then be used by default in all solutions. The Sensitive Data node provides configuration options to manage Sensitive Data Criteria and false positive exclusion filters. See the -[Sensitive Data](../../../admin/settings/sensitivedata/overview.md) topic for additional +[Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. Follow the steps to configure Sensitive Data Criteria at the global level. -![Global Settings Sensitive Data node](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) +![Global Settings Sensitive Data node](/img/product_docs/accessanalyzer/install/application/upgrade/sensitivedata.webp) **Step 1 –** If the same Sensitive Data Criteria are used for all solutions, configure the criteria selection at the global Settings level, which will then be used by default in all solution sets. Navigate to the **Settings** > **Sensitive Data** node and click **Add** to open the Select Criteria window. -![Sensitive Data Select Criteria window](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/selectcriteria.webp) +![Sensitive Data Select Criteria window](/img/product_docs/accessanalyzer/install/application/upgrade/selectcriteria.webp) **Step 2 –** Select the desired criteria. Use the **Search Criteria** text field to filter the list using keywords or expand each category to view and select individual Sensitive Data search criteria, diff --git a/docs/accessanalyzer/12.0/install/application/upgrade/wizard.md b/docs/accessanalyzer/12.0/install/application/upgrade/wizard.md index ec14fa5df5..634b53755b 100644 --- a/docs/accessanalyzer/12.0/install/application/upgrade/wizard.md +++ b/docs/accessanalyzer/12.0/install/application/upgrade/wizard.md 
@@ -18,7 +18,7 @@ Sensitive Data Criteria must be reconfigured after an upgrade. See the [Configure Global Sensitive Data Settings](solutionconsiderations.md#configure-global-sensitive-data-settings) topic for additional information. -![Windows Control Panel Uninstall or change a program window](../../../../../../static/img/product_docs/accessanalyzer/install/application/controlpaneluninstall.webp) +![Windows Control Panel Uninstall or change a program window](/img/product_docs/accessanalyzer/install/application/controlpaneluninstall.webp) **Step 1 –** From Programs and Features (**Control Panel** > **Programs** > **Programs and Features**), uninstall the previous version of Access Analyzer. Jobs, application configuration @@ -32,9 +32,9 @@ installed as part of the main installation if your license includes it. folder of the installation directory. Any custom application settings contained in this file are kept as part of this upgrade process. -![Setup Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) -**Step 2 –** Install Access Analyzer 12.0. See the [Access Analyzer Core Installation](../wizard.md) +**Step 2 –** Install Access Analyzer 12.0. See the [Access Analyzer Core Installation](/docs/accessanalyzer/12.0/install/application/wizard.md) topic for detailed instructions. - Before installation, ensure the new `StealthAUDIT.lic` license file is stored locally on the 
@@ -92,14 +92,14 @@ Follow the steps to use the Upgrade Wizard. **Step 1 –** Launch the Access Analyzer application. The installation wizard placed the Access Analyzer icon on the desktop. -![Configuration Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Configuration Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** The Access Analyzer Configuration Wizard opens. Click **Next** to continue. **NOTE:** When Access Analyzer12.0 is installed on a server where a previous version of Access Analyzer had been installed, the Version Selection page of the Configuration Wizard will not appear. -![Configuration Wizard Solution Set Files page with conflicts](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/solutionsetfiles.webp) +![Configuration Wizard Solution Set Files page with conflicts](/img/product_docs/accessanalyzer/install/application/upgrade/solutionsetfiles.webp) **Step 3 –** On the Solution Set Files page, only upgrade conflicts are displayed by default. @@ -114,7 +114,7 @@ Additional options include: - Advanced – Opens the Advanced Upgrade Options window to view or modify the Upgrade option per solution -![View conflicts in the Changes window](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/changes.webp) +![View conflicts in the Changes window](/img/product_docs/accessanalyzer/install/application/upgrade/changes.webp) **Step 5 –** (Optional) Conflicts can be resolved on the Changes window, which is opened by the **View conflicts** button. Remember, if the conflict is resolved prior to a solution upgrade, then 
@@ -123,7 +123,7 @@ the customization will not be archived. To resolve a conflict, select it from th **Step 6 –** When the Upgrade options have been set as desired. Click **Next**. -![Configuration wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Configuration wizard Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 7 –** On the Options page, select whether to send usage statistics to Netwrix to help us improve our product. After the Usage Statistics option is set as desired, click **Next** to @@ -142,7 +142,7 @@ continue. - If cleared, no usage statistics are collected or sent to Netwrix -![Configuration Wizard Progress page](../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) +![Configuration Wizard Progress page](/img/product_docs/accessanalyzer/install/application/upgrade/progress.webp) **Step 8 –** The Upgrade Progress page opens and displays the progress of the upgrade actions. When the action completes, click **Finish**. diff --git a/docs/accessanalyzer/12.0/install/application/wizard.md b/docs/accessanalyzer/12.0/install/application/wizard.md index d53afd2a18..1019982582 100644 --- a/docs/accessanalyzer/12.0/install/application/wizard.md +++ b/docs/accessanalyzer/12.0/install/application/wizard.md 
@@ -13,16 +13,16 @@ is run in Administrative/privilege mode. **Step 1 –** Run the **NetwrixEnterpriseAuditor.exe** executable to open the Access Analyzer Setup Wizard. -![Setup Wizard Welcome page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Next** to begin the installation. -![ End User License Agreement](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![ End User License Agreement](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** On the End-User License Agreement page, read the End User License Agreement, then check the **I accept the terms in the License Agreement** box and click **Next**. -![Destinations Folder page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) +![Destinations Folder page](/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) **Step 4 –** On the Destination Folder page, click **Change** to select the folder location to install Access Analyzer. The default destination folder is @@ -30,7 +30,7 @@ install Access Analyzer. The default destination folder is | | | | | ----------------------------------------------------------------------------------------------------------------------- | --- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![License File page](../../../../../static/img/product_docs/accessanalyzer/install/application/licensemapped.webp) | +| ![License File page](/img/product_docs/accessanalyzer/install/application/licensemapped.webp) | | Default License File Page | | Mapped License File | **Step 5 –** On the License File page, click **Browse** and navigate to your **StealthAUDIT.lic** 
@@ -39,18 +39,18 @@ file. When the path to the file is visible in the textbox, click **Next**. **NOTE:** The license file must be stored on the Access Analyzer Console server before the installation begins. -![License Features page](../../../../../static/img/product_docs/accessanalyzer/install/application/licensefeatures.webp) +![License Features page](/img/product_docs/accessanalyzer/install/application/licensefeatures.webp) **Step 6 –** The License Features page displays a list of all features covered by the imported license. It also displays the name of the organization which owns the license, the expiration date, and the host limit. These are the features that will be installed. Click **Next**. -![Ready to install Netwrix Access Governance page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![Ready to install Netwrix Access Governance page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 7 –** On the Ready to install Access Analyzer page, click **Install** to begin the installation. -![Setup Wizard Completed page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Setup Wizard Completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** When the installation has completed, click **Finish** to exit the wizard. diff --git a/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md b/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md index c4cf45e7e7..c1212c83e8 100644 --- a/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md +++ b/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md 
@@ -18,7 +18,7 @@ On the Scan Server Selection wizard page, select either of the following options in the host list selected within the wizard via the **Select Hosts Lists** button See the -[FSAA Query Configuration](../../admin/datacollector/fsaa/overview.md#fsaa-query-configuration) +[FSAA Query Configuration](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md#fsaa-query-configuration) topic for additional information. **_RECOMMENDED:_** When choosing to use proxy mode as a service for any of the File System Solution diff --git a/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md b/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md index 076d0ffd20..5f31e2edaf 100644 --- a/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md +++ b/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md @@ -22,7 +22,7 @@ using HTTPS requests. The version of the proxy service must match the major version of Access Analyzer. -See the [File System Solution](../../requirements/solutions/filesystem.md) topic for information on +See the [File System Solution](/docs/accessanalyzer/12.0/requirements/solutions/filesystem.md) topic for information on the required prerequisites. ## Supported Platforms @@ -60,7 +60,7 @@ local mode-type scan to each of the target hosts. The final step in data collect and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. -![Diagram of Enterprise Auditor server sending an FSAA applet to a proxy server](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodewithapplet.webp) +![Diagram of Enterprise Auditor server sending an FSAA applet to a proxy server](/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodewithapplet.webp) The diagram illustrates the Access Analyzer server sending an FSAA applet to a proxy server, which runs the scan against a file server, and then returns data to the Access Analyzer server. 
@@ -87,9 +87,9 @@ Auditing Data Collector Wizard. The credential provided for the secure communica installation wizard is also added to the Access Analyzer Connection Profile assigned to the File System Solution. -See the [File System Proxy Service Installation](wizard.md) topic for additional information. +See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information. -![Diagram of Enterprise Auditor server communicating securely with the proxy service on a proxy server](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodeasservicewithsecurerpc.webp) +![Diagram of Enterprise Auditor server communicating securely with the proxy service on a proxy server](/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodeasservicewithsecurerpc.webp) The diagram illustrates the Access Analyzer server communicating securely with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally and securely. @@ -100,7 +100,7 @@ scanned across all proxy hosts. Access Analyzer monitors the scans from the cent all proxy hosts have completed scanning, all results and SQLite databases are returned to the Access Analyzer Console server. -![Diagram of difference between an implementation with and without proxy servers](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/fsaaproxyarchitecture.webp) +![Diagram of difference between an implementation with and without proxy servers](/img/product_docs/accessanalyzer/install/filesystemproxy/fsaaproxyarchitecture.webp) The diagram shows the difference between an implementation of Access Analyzer without proxy servers (on the left) and with proxy servers (on the right). On the right side of the diagram, the scans 
@@ -113,7 +113,7 @@ The proxy functionality for the FSAA Data Collector provides security and reliab _Remember,_ It is recommended that the File System Proxy Service is installed on the proxy server before running File System scans in proxy mode as a service. Once installed, the FileSystemAccess (FSAA) Data Collector must be configured to use the service. See the -[File System Data Collection Configuration for Proxy as a Service](configuredatacollector.md) topic +[File System Data Collection Configuration for Proxy as a Service](/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md) topic for additional information. ## Sensitive Data Discovery Auditing Consideration diff --git a/docs/accessanalyzer/12.0/install/filesystemproxy/uninstall.md b/docs/accessanalyzer/12.0/install/filesystemproxy/uninstall.md index e152c7297d..294a784242 100644 --- a/docs/accessanalyzer/12.0/install/filesystemproxy/uninstall.md +++ b/docs/accessanalyzer/12.0/install/filesystemproxy/uninstall.md @@ -5,7 +5,7 @@ uninstalling of the Access Analyzer File System Scanning Proxy program. **Step 1 –** Open Control Panel and select **Programs** > **Uninstall a program**. -![Programs and Features](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) +![Programs and Features](/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) **Step 2 –** Select Netwrix Access Analyzer (formerly Enterprise Auditor) File System Scanning Proxy and click **Uninstall**. 
@@ -14,6 +14,6 @@ and click **Uninstall**. the two SPN values are removed for that machine in Active Directory. If the service is running with a supplied account, the SPN values would need to be manually removed for that machine in Active Directory (unless the uninstall was completed as part of the -[Upgrade Proxy Service Procedure](upgrade.md)). +[Upgrade Proxy Service Procedure](/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md)). When the uninstall process is complete, this program is removed from the list. diff --git a/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md b/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md index d4782818f0..264075cf26 100644 --- a/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md +++ b/docs/accessanalyzer/12.0/install/filesystemproxy/upgrade.md @@ -26,7 +26,7 @@ Wizard window opens. **Step 2 –** On the Welcome page, click **Next**. -![FS_UpdateProxy Job in the Instant Job Wizard](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/updateproxyinstantjob.webp) +![FS_UpdateProxy Job in the Instant Job Wizard](/img/product_docs/accessanalyzer/install/filesystemproxy/updateproxyinstantjob.webp) **Step 3 –** On the Instant Job page, locate the **Library Name: File System** category group. Expand the category and select the **FS_UpgradeProxy** Job. Click **Next**. 
@@ -48,12 +48,12 @@ host lists have been updated. Follow the steps on the servers hosting the File System Proxy Service. -![Programs and Features](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) +![Programs and Features](/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) **Step 1 –** Navigate to Programs and Features (**Control Panel** > **Programs** > **Programs and Features**). Uninstall the previous version of Access Analyzer File System Scanning Proxy. **Step 2 –** Install the new version of the File System Proxy Service. See the -[File System Proxy Service Installation](wizard.md) topic for instructions. +[File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for instructions. The File System Solution can now use the proxy architecture for the latest version of the solution. diff --git a/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md b/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md index ffe5a7e322..278f228a41 100644 --- a/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md +++ b/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md 
@@ -8,22 +8,22 @@ to install the FSAA service on the targeted proxy servers. **Step 1 –** Run the `FileSystemProxy.exe` executable. The Netwrix Access Analyzer (formerly Enterprise Auditor) File System Scanning Proxy Setup wizard opens. -![File System Proxy Setup Wizard Welcome page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![File System Proxy Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Next** to begin the installation. -![File System Proxy Setup Wizard End-User License Agreement page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![File System Proxy Setup Wizard End-User License Agreement page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** On the End-User License Agreement page, select the **I accept the terms in the License Agreement** checkbox and click **Next**. -![File System Proxy Setup Wizard Destination Folder page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) +![File System Proxy Setup Wizard Destination Folder page](/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) **Step 4 –** On the Destination Folder page, click **Next** to install to the default folder or click **Change** to select a different location. Clicking **Change** opens the Change destination folder page. -![File System Proxy Setup Wizard Change destination folder page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) +![File System Proxy Setup Wizard Change destination folder page](/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) On the Change destination folder page, choose a different destination folder for the installation. 
@@ -36,7 +36,7 @@ On the Change destination folder page, choose a different destination folder for Click **OK** to save changes or click **Cancel** to return to the Destination Folder page without saving. -![File System Proxy Setup Wizard Configure Service page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/configureservice.webp) +![File System Proxy Setup Wizard Configure Service page](/img/product_docs/accessanalyzer/install/filesystemproxy/configureservice.webp) **Step 5 –** On the Configure Service page, configure the credential to run the service using the radio buttons. Then, click **Next**. @@ -47,11 +47,11 @@ radio buttons. Then, click **Next**. Administrator on the proxy server and have the Log on as a service privilege in the proxy server's Local Security Policy. -![File System Proxy Setup Wizard Ready to install page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![File System Proxy Setup Wizard Ready to install page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 6 –** On the Ready to install page, click **Install** to start installation. -![File System Proxy Setup Wizard Completed page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) +![File System Proxy Setup Wizard Completed page](/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) **Step 7 –** When the installation completes, click **Finish** to exit the wizard. 
@@ -60,7 +60,7 @@ of proxy servers should also be created in Netwrix Access Analyzer (formerly Ent Once the File System Proxy Service has been installed on any proxy server, it is necessary to configure the File System Solution certificate exchange method for Proxy Mode as a Service. See the -[FSAA Applet Certificate Management Overview](../../admin/datacollector/fsaa/certificatemanagement.md) +[FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md) topic for additional information. ## Custom Parameters for File System Proxy Service @@ -85,13 +85,13 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\StealthAUDITFSAA\ImagePath Follow the steps to configure these service parameters. -![Netwrix Enterprise Auditor FSAA Proxy Scanner service in the Services Management Console](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/service.webp) +![Netwrix Enterprise Auditor FSAA Proxy Scanner service in the Services Management Console](/img/product_docs/accessanalyzer/install/filesystemproxy/service.webp) **Step 1 –** After installing the File System Proxy Service, open Services Management Console (`services.msc`). To stop the service, right-click on the Netwrix Access Analyzer (formerly Enterprise Auditor) FSAA Proxy Scanner service and select **Stop**. -![File System Proxy ImagePath registry key in the Registry Editor](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/regedit.webp) +![File System Proxy ImagePath registry key in the Registry Editor](/img/product_docs/accessanalyzer/install/filesystemproxy/regedit.webp) **Step 2 –** Open Registry Editor (`regedit`) and navigate to the following registry key: 
@@ -117,14 +117,14 @@ during installation according to the installation directory location selected. **Step 5 –** Return to the Services Management Console and start the Netwrix Access Analyzer (formerly Enterprise Auditor) FSAA Proxy Scanner service. Close the Services Management Console. -![Port number on File System Access Auditor Data Collector Wizard Applet Settings page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/dcwizardportnumber.webp) +![Port number on File System Access Auditor Data Collector Wizard Applet Settings page](/img/product_docs/accessanalyzer/install/filesystemproxy/dcwizardportnumber.webp) **Step 6 –** In the Access Analyzer Console, navigate to the **FileSystem** > **0.Collection** > **[Job]** > **Configure** > **Queries** node and open the File System Access Auditor Data Collector Wizard. On the Applet Settings wizard page, change the **Port number** to the custom port. **NOTE:** See the -[File System Data Collection Configuration for Proxy as a Service](configuredatacollector.md) +[File System Data Collection Configuration for Proxy as a Service](/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md) section for additional configurations required to run scans in proxy mode as a service. **Step 7 –** Repeat the previous step for each of the **FileSystem** > **0.Collection** jobs to diff --git a/docs/accessanalyzer/12.0/install/overview.md b/docs/accessanalyzer/12.0/install/overview.md index b47bd3ff57..8d4dfff7ec 100644 --- a/docs/accessanalyzer/12.0/install/overview.md +++ b/docs/accessanalyzer/12.0/install/overview.md 
@@ -10,7 +10,7 @@ required when first launching the Access Analyzer Console. It also includes addi such as how to secure the Access Analyzer Database, and configuring the Web Console for viewing reports outside of the Access Analyzer Console. -See the [Installation & Configuration Overview](application/overview.md) topic for additional +See the [Installation & Configuration Overview](/docs/accessanalyzer/12.0/install/application/overview.md) topic for additional information. ## File System Proxy Service @@ -19,7 +19,7 @@ The File System Solution can be enabled to use proxy servers for scanning target very large or widely dispersed environments. The File System Proxy installer is designed to simplify the process of setting up File System Scanning Proxy as a service on the designated proxy server. -See the [File System Proxy as a Service Overview](filesystemproxy/overview.md) topic for additional +See the [File System Proxy as a Service Overview](/docs/accessanalyzer/12.0/install/filesystemproxy/overview.md) topic for additional information. ## SharePoint Agent @@ -27,5 +27,5 @@ information. The SharePoint Agent is capable of auditing permissions and content, or Access Auditing (SPAA) and Sensitive Data Discovery Auditing, on SharePoint servers. -See the [SharePoint Agent Installation](sharepointagent/overview.md) topic for additional +See the [SharePoint Agent Installation](/docs/accessanalyzer/12.0/install/sharepointagent/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/install/sharepointagent/overview.md b/docs/accessanalyzer/12.0/install/sharepointagent/overview.md index 6855f963d5..e0d7cfd455 100644 --- a/docs/accessanalyzer/12.0/install/sharepointagent/overview.md +++ b/docs/accessanalyzer/12.0/install/sharepointagent/overview.md 
@@ -9,10 +9,10 @@ Auditing (SPAA) and Sensitive Data Discovery Auditing scans against the targeted environment. For information on the required prerequisites and permissions, see the -[SharePoint Agent Permissions](../../requirements/solutions/sharepoint/agentpermissions.md) topic. +[SharePoint Agent Permissions](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/agentpermissions.md) topic. The version of the SharePoint Agent must also match the major version of Access Analyzer. See the -[What's New](../../whatsnew.md) topic for additional information. +[What's New](/docs/accessanalyzer/12.0/whatsnew.md) topic for additional information. ## Supported Platforms diff --git a/docs/accessanalyzer/12.0/install/sharepointagent/upgrade.md b/docs/accessanalyzer/12.0/install/sharepointagent/upgrade.md index d6939ad491..88d66192f7 100644 --- a/docs/accessanalyzer/12.0/install/sharepointagent/upgrade.md +++ b/docs/accessanalyzer/12.0/install/sharepointagent/upgrade.md @@ -2,7 +2,7 @@ Follow the steps to upgrade the SharePoint Agent. -![Windows Control Panel Uninstall or change a program window](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) +![Windows Control Panel Uninstall or change a program window](/img/product_docs/accessanalyzer/install/filesystemproxy/uninstall.webp) **Step 1 –** From Programs and Features (**Control Panel** > **Programs** > **Programs and Features**), uninstall the previous version of SharePoint Agent. 
@@ -12,7 +12,7 @@ it before continuing with this upgrade. For Access Analyzer 12.0, Sensitive Data installed as part of the main installation if your license includes it. **Step 2 –** Install the new version of the SharePoint Agent. See the -[Installing the SharePoint Agent](wizard.md) topic for instructions. +[Installing the SharePoint Agent](/docs/accessanalyzer/12.0/install/sharepointagent/wizard.md) topic for instructions. Now that the SharePoint Agent has been upgraded, it can be used by the SharePoint Solution. See the -[SharePoint Solution](../../solutions/sharepoint/overview.md) topic for additional information. +[SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/install/sharepointagent/wizard.md b/docs/accessanalyzer/12.0/install/sharepointagent/wizard.md index 87359ae9af..cf6dc0c808 100644 --- a/docs/accessanalyzer/12.0/install/sharepointagent/wizard.md +++ b/docs/accessanalyzer/12.0/install/sharepointagent/wizard.md @@ -6,7 +6,7 @@ the account used to connect to and enumerate SharePoint. The service account cre need to be a member of the Log on as a service local policy. Additionally, the credentials provided for Step 5 should also be a part of the Connection Profile used by the SharePoint Solution within the Access Analyzer Console. See the -[SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) topic for detailed +[SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for detailed permission information. Follow the steps to install the SharePoint Agent on the application server which hosts the Central 
@@ -15,35 +15,35 @@ Administration component of the targeted SharePoint farms. **Step 1 –** Run the `SharePointAgent.exe` executable to open the Netwrix Access Analyzer (formerly Enterprise Auditor) SharePoint Agent Setup Wizard. -![SharePoint Agent Setup Wizard Welcome page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![SharePoint Agent Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Next** to begin the installation. -![SharePoint Agent Setup Wizard End-User License Agreement page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![SharePoint Agent Setup Wizard End-User License Agreement page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** On the End-User License Agreement page, select the **I accept the terms in the License Agreement** checkbox and click **Next**. -![SharePoint Agent Setup Wizard Destination Folder page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) +![SharePoint Agent Setup Wizard Destination Folder page](/img/product_docs/accessanalyzer/install/filesystemproxy/destination.webp) **Step 4 –** On the Destination Folder page, click **Next** to install to the default folder or click **Change** to select a different location. -![SharePoint Agent Setup Wizard Configure Service Security page](../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/configureservice.webp) +![SharePoint Agent Setup Wizard Configure Service Security page](/img/product_docs/accessanalyzer/install/filesystemproxy/configureservice.webp) **Step 5 –** On the Configure Service Security page, enter the **User Name** and **Password** for the SharePoint Service Account. Click **Next**. 
-![SharePoint Agent Setup Wizard Ready to install page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![SharePoint Agent Setup Wizard Ready to install page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 6 –** On the Ready to install Netwrix Access Analyzer (formerly Enterprise Auditor) SharePoint Agent page, click **Install** to start the installation. -![SharePoint Agent Setup Wizard Completed page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![SharePoint Agent Setup Wizard Completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 7 –** When the installation has completed, click **Finish** to exit the wizard. Now that the SharePoint Agent has been installed on the appropriate application server, it can be used by the SharePoint Solution. See the -[SharePoint Solution](../../solutions/sharepoint/overview.md) topic for instructions on enabling +[SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md) topic for instructions on enabling agent service scans on the Agent Settings page. diff --git a/docs/accessanalyzer/12.0/overview.md b/docs/accessanalyzer/12.0/overview.md index daf883789f..10ff48c7f8 100644 --- a/docs/accessanalyzer/12.0/overview.md +++ b/docs/accessanalyzer/12.0/overview.md @@ -33,7 +33,7 @@ accessed by other Access Analyzer solutions and the Netwrix Access Information C This is a core solution available to all Access Analyzer users. -See the [.Active Directory Inventory Solution](solutions/activedirectoryinventory/overview.md) topic +See the [.Active Directory Inventory Solution](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md) topic for additional information. ### .Entra ID Inventory Solution 
@@ -52,7 +52,7 @@ effective role permissions. This is a core solution available to all Access Analyzer users. -See the [.Entra ID Inventory Solution](solutions/entraidinventory/overview.md) topic for additional +See the [.Entra ID Inventory Solution](/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md) topic for additional information. ### .NIS Inventory Solution @@ -63,7 +63,7 @@ information to the File Systems Solution when auditing NFS shares. This is a core solution available to all Access Analyzer users. -See the [.NIS Inventory Solution](solutions/nisinventory/overview.md) topic for additional +See the [.NIS Inventory Solution](/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md) topic for additional information. ### Active Directory Solution @@ -72,7 +72,7 @@ The Active Directory Solution is designed to provide the information every admin regarding Active Directory configuration, operational management, troubleshooting, analyzing effective permissions, and tracking who is making what changes within your organization. -See the [Active Directory Solution](solutions/activedirectory/overview.md) topic for additional +See the [Active Directory Solution](/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md) topic for additional information. ### Active Directory Permissions Analyzer Solution @@ -82,7 +82,7 @@ effective permissions applied to any and all Active Directory objects, at any sc the most authoritative view available of who has access to what in Active Directory. See the -[Active Directory Permissions Analyzer Solution](solutions/activedirectorypermissionsanalyzer/overview.md) +[Active Directory Permissions Analyzer Solution](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md) topic for additional information. ### Amazon Web Services Solution 
@@ -92,7 +92,7 @@ Access Analyzer for AWS allows organizations to secure their data residing in Am of S3 permissions, sensitive data, and ultimately a consolidated view of user access rights across dozens of structured and unstructured data resources both on-premises and in the cloud. -See the [AWS Solution](solutions/aws/overview.md) topic for additional information. +See the [AWS Solution](/docs/accessanalyzer/12.0/solutions/aws/overview.md) topic for additional information. ### Entra ID Solution @@ -101,7 +101,7 @@ regarding Microsoft Entra ID configuration, operational management, and trouble within this group help pinpoint potential areas of administrative and security concerns related to Microsoft Entra ID users and groups, including syncing with on-premises Active Directory. -See the [Entra ID Solution](solutions/entraid/overview.md) topic for additional information. +See the [Entra ID Solution](/docs/accessanalyzer/12.0/solutions/entraid/overview.md) topic for additional information. ### Box Solution @@ -109,7 +109,7 @@ The Box solution set contains jobs to provide visibility into Box access rights, configurations, activities, and more, ensuring you never lose sight or control of your critical assets residing in Box. -See the [Box Solution](solutions/box/overview.md) topic for additional information. +See the [Box Solution](/docs/accessanalyzer/12.0/solutions/box/overview.md) topic for additional information. ### Databases Solutions @@ -152,7 +152,7 @@ reports that provide visibility into various aspects of supported databases. SQL Server database. Key capabilities include effective access calculation, sensitive data discovery, security configuration assessment, and database activity monitoring. -See the [Databases Solutions](solutions/databases/overview.md) topic for additional information. +See the [Databases Solutions](/docs/accessanalyzer/12.0/solutions/databases/overview.md) topic for additional information. ### Dropbox Solution 
@@ -161,7 +161,7 @@ Key capabilities include effective access calculation, sensitive data discovery, inspection, inactive access and stale data identification, and entitlement collection for integration with Identity & Access Management (IAM) processes. -See the [Dropbox Solution](solutions/dropbox/overview.md) topic for additional information. +See the [Dropbox Solution](/docs/accessanalyzer/12.0/solutions/dropbox/overview.md) topic for additional information. **NOTE:** Sensitive data auditing requires the Sensitive Data Discovery Add-on. @@ -172,7 +172,7 @@ environment to assist with identifying risk, understanding usage, and decreasing focus include Audit and Compliance, Maintenance and Cleanup, Metrics and Capacity, Operations and Health, Public Folders and Configuration Baseline. -See the [Exchange Solution](solutions/exchange/overview.md) topic for additional information. +See the [Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. **NOTE:** Sensitive data auditing requires the Sensitive Data Discovery Add-on. @@ -184,7 +184,7 @@ identification, governance workflows including entitlement reviews and self-serv sensitive data discovery and classification, open access remediation, least-privilege access transformation, and file activity monitoring. -See the [File System Solution](solutions/filesystem/overview.md) topic for additional information. +See the [File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information. **NOTE:** Activity auditing requires the Activity Monitor. Sensitive data auditing requires the Sensitive Data Discovery Add-on. 
@@ -195,7 +195,7 @@ The SharePoint Solution is a comprehensive set of audit jobs and reports which p information every administrator needs regarding SharePoint on-premises and SharePoint Online infrastructure, configuration, performance, permissions, required ports, and effective rights. -See the [SharePoint Solution](solutions/sharepoint/overview.md) topic for additional information. +See the [SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md) topic for additional information. **NOTE:** Sensitive data auditing requires the Sensitive Data Discovery Add-on. @@ -205,7 +205,7 @@ The Unix Solution reports on areas of administrative concern for Unix and Linux is given to users and group details, privileged access rights, and NFS and Samba sharing configurations. -See the [Unix Solution](solutions/unix/overview.md) topic for additional information. +See the [Unix Solution](/docs/accessanalyzer/12.0/solutions/unix/overview.md) topic for additional information. ### Windows Solution @@ -214,4 +214,4 @@ desktop and server infrastructure from a central location. Key capabilities incl account discovery, security configuration and vulnerability assessment, compliance reporting, and asset inventory. -See the [Windows Solution](solutions/windows/overview.md) topic for additional information. +See the [Windows Solution](/docs/accessanalyzer/12.0/solutions/windows/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/overview.md b/docs/accessanalyzer/12.0/requirements/overview.md index 855f002bfc..d13e169dca 100644 --- a/docs/accessanalyzer/12.0/requirements/overview.md +++ b/docs/accessanalyzer/12.0/requirements/overview.md 
@@ -40,7 +40,7 @@ SharePoint Solution-Specific Components - Access Analyzer SharePoint Agent Server – For agent-based scans, this application can be installed on the SharePoint application server that hosts the “Central Administration” component of the targeted farm(s) to auditing permissions, content, and sensitive data for SharePoint On-Premise. - See the [SharePoint Scan Options](solutions/sharepoint/scanoptions.md) topic for server + See the [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for server requirements. Activity Event Data Considerations diff --git a/docs/accessanalyzer/12.0/requirements/solutions/activedirectory.md b/docs/accessanalyzer/12.0/requirements/solutions/activedirectory.md index 1de33f1e20..9a18d7cdcd 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/activedirectory.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/activedirectory.md @@ -2,7 +2,7 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. In addition to these, integration with either the Netwrix Activity Monitor or the Netwrix Threat Prevention is required for event activity data to be scanned. See the @@ -11,7 +11,7 @@ the [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) for installation requirements and information on collecting activity data. -See the [Active Directory Domain Target Requirements](../../config/activedirectory/overview.md) +See the [Active Directory Domain Target Requirements](/docs/accessanalyzer/12.0/config/activedirectory/overview.md) topic for target environment requirements. ## Active Directory Solution Requirements on the Access Analyzer Console 
diff --git a/docs/accessanalyzer/12.0/requirements/solutions/activedirectorypermissionsanalyzer.md b/docs/accessanalyzer/12.0/requirements/solutions/activedirectorypermissionsanalyzer.md index 5b58db0872..503dde2e54 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/activedirectorypermissionsanalyzer.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/activedirectorypermissionsanalyzer.md @@ -2,10 +2,10 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. See the -[Domain Target Requirements, Permissions, and Ports](../target/activedirectorypermissionsanalyzer.md) +[Domain Target Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md) topic for target environment requirements. ## Active Directory Permissions Analyzer Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/aws.md b/docs/accessanalyzer/12.0/requirements/solutions/aws.md index cf7d557af0..18991062ca 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/aws.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/aws.md 
@@ -2,9 +2,9 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. -See the [Target Amazon Web Service Requirements, Permissions, and Ports](../target/aws.md) topic for +See the [Target Amazon Web Service Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/aws.md) topic for target environment requirements. ## AWS Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/box.md b/docs/accessanalyzer/12.0/requirements/solutions/box.md index f505700cd7..6b65215033 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/box.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/box.md @@ -2,9 +2,9 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. -See the [Target Box Requirements, Permissions, and Ports](../target/box.md) topic for target +See the [Target Box Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/box.md) topic for target environment requirements. ## Box Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/databases.md b/docs/accessanalyzer/12.0/requirements/solutions/databases.md index 5e015bd340..0563a923aa 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/databases.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/databases.md 
@@ -2,7 +2,7 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. In addition to these, integration with either the Netwrix Activity Monitor is required for event activity data to be scanned. See the 
@@ -11,13 +11,13 @@ for installation requirements and information on collecting activity data. See the following topics for target environment requirements: -- [Target Db2 Requirements, Permissions, and Ports](../target/databasedb2.md) -- [Target MongoDB Requirements, Permissions, and Ports](../target/databasemongodb.md) -- [Target MySQL Requirements, Permissions, and Ports](../target/databasemysql.md) -- [Target Oracle Requirements, Permissions, and Ports](../target/databaseoracle.md) -- [Target PostgreSQL Requirements, Permissions, and Ports](../target/databasepostgresql.md) -- [Target Redshift Requirements, Permissions, and Ports](../target/databaseredshift.md) -- [Target SQL Server Requirements, Permissions, and Ports](../target/databasesql.md) +- [Target Db2 Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasedb2.md) +- [Target MongoDB Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md) +- [Target MySQL Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasemysql.md) +- [Target Oracle Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md) +- [Target PostgreSQL Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md) +- [Target Redshift Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md) +- [Target SQL Server Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasesql.md) ## Databases Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/dropbox.md b/docs/accessanalyzer/12.0/requirements/solutions/dropbox.md index e3db43c746..a1f3acdfe6 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/dropbox.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/dropbox.md 
@@ -2,7 +2,7 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. In addition to these, integration with either the Netwrix Activity Monitor or the Netwrix Threat Prevention is required for event activity data to be scanned. See the @@ -11,7 +11,7 @@ the [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) for installation requirements and information on collecting activity data. -See the [Target Dropbox Requirements, Permissions, and Ports](../target/dropbox.md) topic for target +See the [Target Dropbox Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/dropbox.md) topic for target environment requirements. ## Dropbox Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/entraid.md b/docs/accessanalyzer/12.0/requirements/solutions/entraid.md index e9ecffad8c..e2a9b440e3 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/entraid.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/entraid.md 
@@ -4,9 +4,9 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. -See the [Microsoft Entra ID Tenant Target Requirements](../../config/entraid/overview.md) topic +See the [Microsoft Entra ID Tenant Target Requirements](/docs/accessanalyzer/12.0/config/entraid/overview.md) topic for target environment requirements. ## Entra ID Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md b/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md index 7ea95d9a3d..fd2ec94473 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/entraid/entraroles.md @@ -9,7 +9,7 @@ Microsoft Entra ID. Data Collector -- [Entra Data Collector](../../../admin/datacollector/entra/overview.md) +- [Entra Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/entra/overview.md) Configuration Settings from the Registered Application 
@@ -50,7 +50,7 @@ The following permissions are required for Microsoft Entra Roles auditing: You must have a registered application to assign the required permissions to. It is recommended to use the same registered application that is used for access auditing using the AzureADInventory data collector. See the -[Register a Microsoft Entra ID Application](../../../config/entraid/access.md#register-a-microsoft-entra-id-application) +[Register a Microsoft Entra ID Application](/docs/accessanalyzer/12.0/config/entraid/access.md#register-a-microsoft-entra-id-application) topic for additional information on registering an application. The Client ID and Key for the registered application are required for the Access Analyzer connection @@ -58,7 +58,7 @@ profile. If, as recommended, you are using a single registered application for t do not need to add an additional user credential in the connection profile. If you create a separate registered application for Entra roles auditing, then the Client ID and Key for this must be added to the connection profile as an additional Azure Active Directory user credential. See the -[Microsoft Entra ID Connection Profile & Host List](../../../admin/datacollector/azureadinventory/configurejob.md) +[Microsoft Entra ID Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md) topic for additional information. Once you have the registered application, the next step is to grant it the required permissions for diff --git a/docs/accessanalyzer/12.0/requirements/solutions/exchange.md b/docs/accessanalyzer/12.0/requirements/solutions/exchange.md index ab198ac5c9..d20640ad17 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/exchange.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/exchange.md 
@@ -2,7 +2,7 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. In addition to these, integration with either the Netwrix Activity Monitor or the Netwrix Threat Prevention is required for event activity data to be scanned. See the @@ -13,8 +13,8 @@ for installation requirements and information on collecting activity data. See the following topics for target environment requirements: -- [Target Exchange Servers Requirements, Permissions, and Ports](../target/exchange.md) -- [Target Exchange Online Requirements, Permissions, and Ports](../target/exchangeonline.md) +- [Target Exchange Servers Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/exchange.md) +- [Target Exchange Online Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md) ## Exchange Solution Requirements on the Access Analyzer Console @@ -48,7 +48,7 @@ the Exchange Solution: - Outlook should not be installed - StealthAUDIT MAPI CDO installed (for MAPI- based data collectors). See the - [StealthAUDIT MAPI CDO Installation](../../stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) + [StealthAUDIT MAPI CDO Installation](/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md) topic for additional information. - Exchange MAPI CDO installed (for MAPI- based data collectors) - For targeting Exchange 2010 – Exchange Management Tools 2010 installed on the Access Analyzer diff --git a/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md b/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md index d7ac46d0fb..c9a3c87345 100644 
--- a/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md @@ -12,7 +12,7 @@ assigned to these job groups requires the following permissions: - 2. CAS Metrics - This job group also requires remote connection permissions for the SMARTLog Data Collector. - See the [Exchange Remote Connections Permissions](remoteconnections.md) topic for additional + See the [Exchange Remote Connections Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md) topic for additional information. - 3. Databases @@ -34,7 +34,7 @@ assigned to these job groups requires the following permissions: - 8. Exchange Online - This job group uses Modern Authentication to target Exchange Online. See the - [Exchange Online Auditing Configuration](../../../config/exchangeonline/access.md) topic + [Exchange Online Auditing Configuration](/docs/accessanalyzer/12.0/config/exchangeonline/access.md) topic for additional information. ## Permissions Explained @@ -98,7 +98,7 @@ Console currently resides. For Remote PowerShell, the data collector will gather the Exchange Organization to which the Remote PowerShell connection was made. This refers to the server entered in the Client Access Server (CAS) field of the global configuration from the **Settings** > **Exchange** node or on the Scope Page of the data collector wizard. See the -[ExchangePS: Scope](../../../admin/datacollector/exchangeps/scope.md) topic for additional +[ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) topic for additional information. Scope by Database 
@@ -109,7 +109,7 @@ Exchange Organization in which the Access Analyzer Console currently resides, as return information about those databases. For Remote PowerShell, the data collector will return databases in the Scope by DB page of the data collector wizard for the Exchange Forest, as well as, only return information about those databases. See the -[ExchangePS: Scope by DB](../../../admin/datacollector/exchangeps/scopedatabases.md) topic for +[ExchangePS: Scope by DB](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md) topic for additional information. Scope by Mailbox @@ -120,7 +120,7 @@ the Exchange Forest in which the Access Analyzer Console currently resides, as w information about those mailboxes. For Remote PowerShell, the data collector will return mailboxes in the Scope by Mailboxes page of the data collector wizard for the Exchange Forest, as well as, only return information about those mailboxes. See the -[ExchangePS: Scope by Mailboxes](../../../admin/datacollector/exchangeps/scopemailboxes.md) topic +[ExchangePS: Scope by Mailboxes](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md) topic for additional information. Scope by Server @@ -141,7 +141,7 @@ resides, as well as, only return information about those public folders. For Rem data collector will return public folders in the Scope by Public Folders page of the data collector wizard for the Exchange Forest, as well as, only return information about those public folders. See the -[ExchangePS: Scope by Public Folders](../../../admin/datacollector/exchangeps/scopepublicfolders.md) +[ExchangePS: Scope by Public Folders](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md) topic for additional information. ## Enable Remote PowerShell for ExchangePS Data Collector 
@@ -174,12 +174,12 @@ Follow these steps to enable Windows Authentication. **Step 1 –** On the server where Remote PowerShell was enabled, open the Internet Information Services (IIS) Manager. -![IIS Authentication Open Feature](../../../../../../static/img/product_docs/accessanalyzer/requirements/solutions/exchange/iismanager.webp) +![IIS Authentication Open Feature](/img/product_docs/accessanalyzer/requirements/solutions/exchange/iismanager.webp) **Step 2 –** Traverse to the **PowerShell** Virtual Directory under the **Default Web Site**. Select **Authentication** and click **Open Feature**. -![IIS Enable Windows Authentication](../../../../../../static/img/product_docs/accessanalyzer/requirements/solutions/exchange/iismanagerauth.webp) +![IIS Enable Windows Authentication](/img/product_docs/accessanalyzer/requirements/solutions/exchange/iismanagerauth.webp) **Step 3 –** Right-click on **Windows Authentication** and select **Enable**. @@ -195,7 +195,7 @@ roles. **Step 2 –** Add a new role group by clicking on the + button, and the New Role Group window opens. -![New role group window](../../../../../../static/img/product_docs/accessanalyzer/requirements/solutions/exchange/rolegroup.webp) +![New role group window](/img/product_docs/accessanalyzer/requirements/solutions/exchange/rolegroup.webp) **Step 3 –** Configure the new role group with the following settings: 
@@ -225,11 +225,11 @@ for Exchange. See the following Microsoft articles: [Enable mailbox auditing in Office 365](https://technet.microsoft.com/en-us/library/dn879651.aspx) article - Exchange 2016 – Exchange 2019 – - [Enable or disable mailbox audit logging for a mailbox]() + [Enable or disable mailbox audit logging for a mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.160).aspx) article - Exchange 2013 – - [Enable or disable mailbox audit logging for a mailbox]() + [Enable or disable mailbox audit logging for a mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.150).aspx) article - Exchange 2010 – - [Enable or Disable Mailbox Audit Logging for a Mailbox]() + [Enable or Disable Mailbox Audit Logging for a Mailbox](https://technet.microsoft.com/en-us/library/ff461937(v=exchg.141).aspx) article diff --git a/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md b/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md index 45012589e5..96b9b63ec7 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md @@ -19,7 +19,7 @@ on default settings): Rights - Permissions required by the ExchangePS Data Collector. See the - [Exchange PowerShell Permissions](powershell.md) topic for additional information. + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for additional information. Applet Permissions diff --git a/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md b/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md index 24c4f7d091..bb042c4cf0 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md 
@@ -46,17 +46,17 @@ The following tables provide a breakdown of support by job group: See the following sections for permission requirements according to the job group, data collector, or action module to be used: -- [Exchange Mail-Flow Permissions](mailflow.md) +- [Exchange Mail-Flow Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mailflow.md) - ExchangeMetrics Data Collector - 1. HUB Metrics Job Group -- [Exchange Remote Connections Permissions](remoteconnections.md) +- [Exchange Remote Connections Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md) - SMARTLog Data Collector - 2. CAS Metrics Job Group -- [Exchange PowerShell Permissions](powershell.md) +- [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) - ExchangePS Data Collector - PublicFolder Action Module @@ -67,13 +67,13 @@ or action module to be used: - 5. Public Folders Job Group - 8. Exchange Online Job Group -- [Exchange Web Services API Permissions](webservicesapi.md) +- [Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) - EWSMailbox Data Collector - EWSPublicFolder Data Collector - 7. Sensitive Data Job Group -- [MAPI-Based Data Collector Permissions](mapi.md) +- [MAPI-Based Data Collector Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mapi.md) - Exchange2K Data Collector - ExchangeMailbox Data Collector diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem.md index c07aa41f5e..15d9db754b 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem.md 
@@ -2,10 +2,10 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. The File System solution can be configure to use Proxy servers either an applet or as a service. See -the [File System Scan Options](filesystem/scanoptions.md) topic for additional information. +the [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. In addition to these, integration with either the Netwrix Activity Monitor or the Netwrix Threat Prevention is required for event activity data to be scanned. See the @@ -16,8 +16,8 @@ for installation requirements and information on collecting activity data. See the following topics for target environment requirements: -- [File System Scan Options](filesystem/scanoptions.md) -- [File System Supported Platforms](../target/filesystems.md) +- [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) +- [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) ## File System Solution Requirements on the Access Analyzer Console 
@@ -91,8 +91,8 @@ installation directory. This is required by either the user account running the application, when manually executing jobs from the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. -See the [File System Scan Options](filesystem/scanoptions.md) topic and the -[File System Supported Platforms](../target/filesystems.md) topic for permissions required to scan +See the [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic and the +[File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for permissions required to scan the environment. ## File System Solution Requirements on the SQL Server diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodepermissions.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodepermissions.md index 8a826f7f24..79add9b116 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodepermissions.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodepermissions.md @@ -38,4 +38,4 @@ within the Connection Profile assigned to the File System scans must be properly explained above. Also the firewall rules must be configured to allow for communication between the applicable servers. -See the [Applet Mode Port Requirements](appletmodeports.md) topic for firewall rule information. +See the [Applet Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodeports.md) topic for firewall rule information. diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodepermissions.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodepermissions.md index 9bf7878fd7..718b8d8fac 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodepermissions.md 
+++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodepermissions.md @@ -43,4 +43,4 @@ within the Connection Profile assigned to the File System scans must be properly explained above. Also the firewall rules must be configured to allow for communication between the applicable servers. -See the [Local Mode Port Requirements](localmodeports.md) topic for firewall rule information. +See the [Local Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodeports.md) topic for firewall rule information. diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md index e1367f7e73..369f26408e 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md @@ -15,7 +15,7 @@ Configure the credential(s) with the following rights on the proxy server(s): - If the applet is deployed as a service, the service account requires the Log on as a service privilege - - See the [FSAA: Applet Settings](../../../admin/datacollector/fsaa/appletsettings.md) topic for + - See the [FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for additional information on the applet launch mechanism - If running FSAC, the service account in the credential profile requires access to the admin share 
@@ -55,7 +55,7 @@ within the Connection Profile assigned to the File System scans must be properly explained above. Also the firewall rules must be configured to allow for communication between the applicable servers. -See the [Proxy Mode with Applet Port Requirements](proxymodeappletports.md) topic for firewall rule +See the [Proxy Mode with Applet Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletports.md) topic for firewall rule information. Secure Proxy Communication Considerations @@ -63,5 +63,5 @@ Secure Proxy Communication Considerations For Proxy Mode with Applet scans, the certificate exchange mechanism and certificate exchange port must be configured via the File System Access Auditing Data Collector Wizard prior to executing a scan. See the -[FSAA Applet Certificate Management Overview](../../../admin/datacollector/fsaa/certificatemanagement.md) +[FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md index d4fbb32025..a2739b1550 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md 
@@ -97,10 +97,10 @@ use: - Proxy Mode with Applet - - [Proxy Mode with Applet Permissions](proxymodeappletpermissions.md) - - [Proxy Mode with Applet Port Requirements](proxymodeappletports.md) + - [Proxy Mode with Applet Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md) + - [Proxy Mode with Applet Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletports.md) - Proxy Mode as a Service - - [Proxy Mode as a Service Permissions](proxymodeservicepermissions.md) - - [Proxy Mode as a Service Port Requirements](proxymodeserviceports.md) + - [Proxy Mode as a Service Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md) + - [Proxy Mode as a Service Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserviceports.md) diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md index ecc2f0b12a..d9e49075e3 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md @@ -70,7 +70,7 @@ Secure Proxy Communication and Certificate Exchange For Proxy Mode as a Service Scans, the certificate exchange mechanism and certificate exchange port must be configured via the File System Access Auditing Data Collector Wizard prior to executing a scan. See the -[FSAA Applet Certificate Management Overview](../../../admin/datacollector/fsaa/certificatemanagement.md) +[FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement.md) topic for additional information. Access Analyzer Connection Profile 
@@ -80,5 +80,5 @@ within the Connection Profile assigned to the File System scans must be properly explained above. Also the firewall rules must be configured to allow for communication between the applicable servers. -See the [Proxy Mode as a Service Port Requirements](proxymodeserviceports.md) topic for firewall +See the [Proxy Mode as a Service Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserviceports.md) topic for firewall rule information. diff --git a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md index 54cdf89505..25bb893243 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md @@ -17,14 +17,14 @@ conducted by the Access Analyzer Console server across the network. The data is SQLite database(s), or Tier 2 database(s), on the Access Analyzer Console server, and then imported into the Access Analyzer database, or Tier 1 database, on the SQL Server. -![Illustrates the Enterprise Auditor server running the scan against a file server](../../../../../../static/img/product_docs/accessanalyzer/requirements/solutions/filesystem/localmode.webp) +![Illustrates the Enterprise Auditor server running the scan against a file server](/img/product_docs/accessanalyzer/requirements/solutions/filesystem/localmode.webp) The diagram illustrates the Access Analyzer server running the scan against a file server. See the following topics for additional information: -- [Local Mode Permissions](localmodepermissions.md) -- [Local Mode Port Requirements](localmodeports.md) +- [Local Mode Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodepermissions.md) +- [Local Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/localmodeports.md) ## Applet Mode 
@@ -39,15 +39,15 @@ data collected in the SQLite database(s), or Tier 2 database(s), back to the Acc server. If the target host is a NAS device, the File System scans will default to local mode for that host. -![Illustrates the Enterprise Auditor server sending an FSAA applet to a targeted Windows file server, which runs the scan against locally, and then returns data to the Enterprise Auditor server](../../../../../../static/img/product_docs/accessanalyzer/requirements/solutions/filesystem/appletmode.webp) +![Illustrates the Enterprise Auditor server sending an FSAA applet to a targeted Windows file server, which runs the scan against locally, and then returns data to the Enterprise Auditor server](/img/product_docs/accessanalyzer/requirements/solutions/filesystem/appletmode.webp) The diagram illustrates the Access Analyzer server sending an FSAA applet to a targeted Windows file server, which runs the scan against locally, and then returns data to the Access Analyzer server. See the following topics for additional information: -- [Applet Mode Permissions](appletmodepermissions.md) -- [Applet Mode Port Requirements](appletmodeports.md) +- [Applet Mode Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodepermissions.md) +- [Applet Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/appletmodeports.md) ## Proxy Mode with Applet 
@@ -61,16 +61,16 @@ local mode-type scan to each of the target hosts. The final step in data collect and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. -![Diagram of Enterprise Auditor server sending an FSAA applet to a proxy server](../../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodewithapplet.webp) +![Diagram of Enterprise Auditor server sending an FSAA applet to a proxy server](/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodewithapplet.webp) The diagram illustrates the Access Analyzer server sending an FSAA applet to a proxy server, which runs the scan against a file server, and then returns data to the Access Analyzer server. See the following topics for additional information: -- [Proxy Mode Server Requirements](proxymodeserver.md) -- [Proxy Mode with Applet Permissions](proxymodeappletpermissions.md) -- [Proxy Mode with Applet Port Requirements](proxymodeappletports.md) +- [Proxy Mode Server Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md) +- [Proxy Mode with Applet Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletpermissions.md) +- [Proxy Mode with Applet Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeappletports.md) ## Proxy Mode as a Service 
@@ -94,10 +94,10 @@ Auditing Data Collector Wizard. The credential provided for the secure communica installation wizard is also added to the Access Analyzer Connection Profile assigned to the File System Solution. -See the [File System Proxy Service Installation](../../../install/filesystemproxy/wizard.md) topic +See the [File System Proxy Service Installation](/docs/accessanalyzer/12.0/install/filesystemproxy/wizard.md) topic for additional information. -![Diagram of Enterprise Auditor server communicating securely with the proxy service on a proxy server](../../../../../../static/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodeasservicewithsecurerpc.webp) +![Diagram of Enterprise Auditor server communicating securely with the proxy service on a proxy server](/img/product_docs/accessanalyzer/install/filesystemproxy/proxymodeasservicewithsecurerpc.webp) The diagram illustrates the Access Analyzer server communicating securely with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally and securely. @@ -105,6 +105,6 @@ Then the proxy service returns data securely to the Access Analyzer server. See the following topics for additional information: -- [Proxy Mode Server Requirements](proxymodeserver.md) -- [Proxy Mode as a Service Permissions](proxymodeservicepermissions.md) -- [Proxy Mode as a Service Port Requirements](proxymodeserviceports.md) +- [Proxy Mode Server Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserver.md) +- [Proxy Mode as a Service Permissions](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeservicepermissions.md) +- [Proxy Mode as a Service Port Requirements](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/proxymodeserviceports.md) diff --git a/docs/accessanalyzer/12.0/requirements/solutions/sharepoint.md b/docs/accessanalyzer/12.0/requirements/solutions/sharepoint.md index 6a750d8781..09f2f90225 100644 
--- a/docs/accessanalyzer/12.0/requirements/solutions/sharepoint.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/sharepoint.md @@ -2,10 +2,10 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. The SharePoint solution can be configured to run without an agent or to use the Access Analyzer -SharePoint Agent. See the [SharePoint Agent Installation](../../install/sharepointagent/overview.md) +SharePoint Agent. See the [SharePoint Agent Installation](/docs/accessanalyzer/12.0/install/sharepointagent/overview.md) topic for additional information. In addition to these, integration with either the Netwrix Activity Monitor is required for event @@ -21,13 +21,13 @@ in both the Documents and Items section and the List, Libraries, and Site sectio See the following topics for the SharePoint Agent and the target environment requirements: -- [SharePoint Scan Options](sharepoint/scanoptions.md) -- [SharePoint Support](../target/sharepoint.md) +- [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) +- [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) **NOTE:** You can use the **SP_RegisterAzureAppAuth** instant job to make the configuration for SharePoint Online easier. This job registers the necessary Microsoft Entra ID application and provisions it with the required permissions. See the -[SP_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/sp_registerazureappauth.md) topic for +[SP_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_registerazureappauth.md) topic for additional information. ## SharePoint Solution Requirements on the Access Analyzer Console 
diff --git a/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md b/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md index 71567fdc46..ddc2da64d0 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md @@ -21,8 +21,8 @@ Agent server back to the Access Analyzer Console server. See the following topics for additional information: -- [SharePoint Agent Permissions](agentpermissions.md) -- [SharePoint Agent Ports](agentports.md) +- [SharePoint Agent Permissions](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/agentpermissions.md) +- [SharePoint Agent Ports](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/agentports.md) ## Agent-Less Type @@ -39,10 +39,10 @@ See the following topics for additional information: - SharePoint Online - - [SharePoint Online Permissions](onlinepermissions.md) - - [SharePoint Online Ports](onlineports.md) + - [SharePoint Online Permissions](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/onlinepermissions.md) + - [SharePoint Online Ports](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/onlineports.md) - SharePoint On-Premise - - [SharePoint Agent-Less Permissions](agentlesspermissions.md) - - [SharePoint Agent-Less Ports](agentlessports.md) + - [SharePoint Agent-Less Permissions](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/agentlesspermissions.md) + - [SharePoint Agent-Less Ports](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/agentlessports.md) diff --git a/docs/accessanalyzer/12.0/requirements/solutions/unix.md b/docs/accessanalyzer/12.0/requirements/solutions/unix.md index 88a3e42e5c..e1e3a17021 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/unix.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/unix.md 
@@ -2,9 +2,9 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. -See the [Target Unix Requirements, Permissions, and Ports](../target/unix.md) topic for target +See the [Target Unix Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/unix.md) topic for target environment requirements. ## Unix Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/solutions/windows.md b/docs/accessanalyzer/12.0/requirements/solutions/windows.md index f4a0bfc508..b2bcf28db6 100644 --- a/docs/accessanalyzer/12.0/requirements/solutions/windows.md +++ b/docs/accessanalyzer/12.0/requirements/solutions/windows.md @@ -2,10 +2,10 @@ The core components for Netwrix Access Analyzer (formerly Enterprise Auditor) are the Access Analyzer Console server, SQL Server, and Access Information Center. See the -[Requirements](../overview.md) topic for the core requirements. +[Requirements](/docs/accessanalyzer/12.0/requirements/overview.md) topic for the core requirements. See the -[Target Windows Server and Desktop Requirements, Permissions, and Ports](../target/windows.md) topic +[Target Windows Server and Desktop Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/windows.md) topic for target environment requirements. ## Windows Solution Requirements on the Access Analyzer Console diff --git a/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md b/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md index 5138cdfdc8..424278bbf5 100644 --- a/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md 
+++ b/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md @@ -23,8 +23,8 @@ Successful use of the Access Analyzer Active Directory Permissions Analyzer solu necessary settings and permissions in a Microsoft® Active Directory® environment described in this topic and its subtopics. This solution employs the following data collectors to scan the domain: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [ADPermissions Data Collector](../../admin/datacollector/adpermissions/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) ## Permissions diff --git a/docs/accessanalyzer/12.0/requirements/target/aws.md b/docs/accessanalyzer/12.0/requirements/target/aws.md index adaae6bc2d..59833babcb 100644 --- a/docs/accessanalyzer/12.0/requirements/target/aws.md +++ b/docs/accessanalyzer/12.0/requirements/target/aws.md @@ -11,7 +11,7 @@ Data Collector This solution employs the following data collector to scan the target environment: -- [AWS Data Collector](../../admin/datacollector/aws/overview.md) +- [AWS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/aws/overview.md) ## Permissions @@ -39,7 +39,7 @@ collected: - s3:List\* This provides a least privilege model for your auditing needs. See the -[Configure AWS for Scans](config/aws.md) topic for additional information. +[Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/box.md b/docs/accessanalyzer/12.0/requirements/target/box.md index deb3beb148..26f8251af9 100644 --- a/docs/accessanalyzer/12.0/requirements/target/box.md +++ b/docs/accessanalyzer/12.0/requirements/target/box.md 
@@ -14,8 +14,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [Box Data Collector](../../admin/datacollector/box/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [Box Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md) ## Permissions @@ -27,7 +27,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Box Data Collection @@ -45,7 +45,7 @@ code. The following can be used as a least privilege model: **NOTE:** Scans run with Co-Admin account credentials will complete. However, the data returned from the scan might not include content owned by the Enterprise Admin account. -See the [Recommended Configurations for the Box Solution](../../solutions/box/recommended.md) topic +See the [Recommended Configurations for the Box Solution](/docs/accessanalyzer/12.0/solutions/box/recommended.md) topic for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/config/aws.md b/docs/accessanalyzer/12.0/requirements/target/config/aws.md index b5c656dcf6..df5637b6b9 100644 --- a/docs/accessanalyzer/12.0/requirements/target/config/aws.md +++ b/docs/accessanalyzer/12.0/requirements/target/config/aws.md 
@@ -16,7 +16,7 @@ the service account to assume the configured role in each target account. **Step 4 –** Add Role to Access Analyzer. The Role created in the scanning account will need to be added to the **1-AWS_OrgScan**, **2-AWS_S3Scan**, and **3-AWS_IAMScan** job query configurations. -See the [AWS: Login Roles](../../../admin/datacollector/aws/loginroles.md) topic for additional +See the [AWS: Login Roles](/docs/accessanalyzer/12.0/admin/datacollector/aws/loginroles.md) topic for additional information. Once these steps are completed, the role must be added to the AWS queries within Access Analyzer. @@ -28,12 +28,12 @@ The following steps will need to be completed in each target account. **Step 1 –** Sign into the Identity and Access Management Console (IAM) as an administrator of the Trusting account. -![Create policy in Identity and Access Management (IAM) Console](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) +![Create policy in Identity and Access Management (IAM) Console](/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) **Step 2 –** Browse to the Identity and Access Management (IAM) Console. Navigate to **Policies** and click **Create policy**. -![JSON tab in the Policy editor](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/jsontabpolicies.webp) +![JSON tab in the Policy editor](/img/product_docs/accessanalyzer/requirements/target/config/jsontabpolicies.webp) **Step 3 –** Select the **JSON** tab. 
@@ -75,14 +75,14 @@ and click **Create policy**. **Step 6 –** Enter a name for the policy in the **Name** box. -![Review policy page](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/reviewpolicy.webp) +![Review policy page](/img/product_docs/accessanalyzer/requirements/target/config/reviewpolicy.webp) **Step 7 –** Click **Create Policy**. **NOTE:** If the designated scanning account is not in Root (Master Account), create a second policy in the Master Account with the following JSON definition: -[Copy]() +[Copy](javascript:void(0);) ``` { @@ -116,18 +116,18 @@ scanning account as well. **Step 1 –** Sign into the Identity and Access Management Console (IAM) as an administrator of the target account. -![Create role in Identity and Access Management (IAM) Console](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) +![Create role in Identity and Access Management (IAM) Console](/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) **Step 2 –** Navigate to **Access management** > **Roles** and click **Create role**. -![Create role page Another AWS account option](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/createrole.webp) +![Create role page Another AWS account option](/img/product_docs/accessanalyzer/requirements/target/config/createrole.webp) **Step 3 –** Select the **Another AWS Account** option and add the Account ID of the scanning account that will be leveraged within Access Analyzer. **Step 4 –** Click **Next: Permissions**. -![Add policies to role](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/policiesadd.webp) +![Add policies to role](/img/product_docs/accessanalyzer/requirements/target/config/policiesadd.webp) **Step 5 –** Add the policy or policies created earlier in this topic to this role. 
@@ -135,7 +135,7 @@ account that will be leveraged within Access Analyzer. **Step 7 –** Click **Next: Review**. -![Create role Review page](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/reviewrole.webp) +![Create role Review page](/img/product_docs/accessanalyzer/requirements/target/config/reviewrole.webp) **Step 8 –** Enter a **Role name**. @@ -152,11 +152,11 @@ roles configured in each target account. **Step 1 –** Sign into the Identity and Access Management Console (IAM) as an administrator of the scanning account. -![Create policy in Identity and Access Management (IAM) Console](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) +![Create policy in Identity and Access Management (IAM) Console](/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) **Step 2 –** Navigate to **Access Management** > **Policies** and click **Create policy**. -![JSON tab in the Policy editor](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/jsontabaccount.webp) +![JSON tab in the Policy editor](/img/product_docs/accessanalyzer/requirements/target/config/jsontabaccount.webp) **Step 3 –** Select the **JSON** tab. @@ -191,7 +191,7 @@ different in each account, then a policy will need to be created for each distin **Step 5 –** Click **Review Policy**. -![Review policy page Name field](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/reviewpolicyaccount.webp) +![Review policy page Name field](/img/product_docs/accessanalyzer/requirements/target/config/reviewpolicyaccount.webp) **Step 6 –** Enter a **Policy Name**. 
@@ -201,11 +201,11 @@ different in each account, then a policy will need to be created for each distin **Step 9 –** Under **Access Management** > **Users**, select the service account user. -![Security credentials tab](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/securitycredentials.webp) +![Security credentials tab](/img/product_docs/accessanalyzer/requirements/target/config/securitycredentials.webp) **Step 10 –** In the Security credentials tab, click **Create access key**. Make sure to note the Access key ID and Secret access key which need to be input into Access Analyzer. You can now create the Connection Profile for the AWS Solution. See the -[Amazon Web Services for User Credentials](../../../admin/settings/connection/profile/aws.md) topic +[Amazon Web Services for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/target/config/azurefiles.md b/docs/accessanalyzer/12.0/requirements/target/config/azurefiles.md index bc637fc1d0..97fb89a597 100644 --- a/docs/accessanalyzer/12.0/requirements/target/config/azurefiles.md +++ b/docs/accessanalyzer/12.0/requirements/target/config/azurefiles.md 
@@ -18,13 +18,13 @@ A host list containing the desired target Azure hosts must be created and assign jobs. You can create the host list with either of the following two methods: - Use the FS_AzureTenantScan instant job to create the host list automatically. See the - [FS_AzureTenantScan Job](../../../solutions/filesystem/collection/fs_azuretenantscan.md) topic for + [FS_AzureTenantScan Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md) topic for additional information. - Manually add hosts to a host list in the following format: `.file.core.windows.net` - See the [Add Hosts](../../../admin/hostmanagement/actions/add.md) topic for additional + See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for additional information. ## Configure Connection Profile @@ -37,14 +37,14 @@ applet, and credentials for each storage account. These should be configured as - Select Account type – Active Directory - Provide the credentials for an account with the privileges to run the FSAA applet. See the - [File System Scan Options](../../solutions/filesystem/scanoptions.md) topic for additional + [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information on the required permissions. - Accounts for storage accounts - Select Account Type – Azure Active Directory - ![Storage account name and Connection string in Azure](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/accesskeys.webp) + ![Storage account name and Connection string in Azure](/img/product_docs/accessanalyzer/requirements/target/config/accesskeys.webp) - Client ID – The name of the storage account 
@@ -56,7 +56,7 @@ applet, and credentials for each storage account. These should be configured as If you are targeting multiple storage accounts, a user credential of this type is required for each storage account. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Job and Query Configuration @@ -68,13 +68,13 @@ Azure Files scans require the following configuration of the job and query perfo For FSAA and SEEK scans targeting Azure Files storage accounts, you must clear the **Skip Hosts that do not respond to PING** option in the job properties. -![Skip Hosts option on Performance tab of the Job Properties window](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/skiphostsoption.webp) +![Skip Hosts option on Performance tab of the Job Properties window](/img/product_docs/accessanalyzer/requirements/target/config/skiphostsoption.webp) Right-click on the required scan job in the Jobs tree, and select **Properties** to open the Job Properties window. Navigate to the Performance tab, and ensure the **Skip Hosts that do not respond to PING** option is not selected. See the -[Job Properties](../../../admin/jobs/job/properties/overview.md) and -[Performance Tab](../../../admin/jobs/job/properties/performance.md) topics for additional +[Job Properties](/docs/accessanalyzer/12.0/admin/jobs/job/properties/overview.md) and +[Performance Tab](/docs/accessanalyzer/12.0/admin/jobs/job/properties/performance.md) topics for additional information. ### Query Configuration Considerations 
@@ -82,11 +82,11 @@ information. Last Access Time (LAT) preservation is not supported for Azure Files scans. This option must not be selected in the query for the FSAA or SEEK scan job. -![Last Access Time (LAT) preservation option in FSAA DC wizard](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/latpreservationoption.webp) +![Last Access Time (LAT) preservation option in FSAA DC wizard](/img/product_docs/accessanalyzer/requirements/target/config/latpreservationoption.webp) The **Last Access Time (LAT) preservation** option is located on the Default Scoping Options page of the File System Access Auditor Data Collector Wizard. See the -[Configure the (FSAA) File System Scan Query](../../../solutions/filesystem/collection/1-fsaa_system_scans.md#configure-the-fsaa-file-system-scan-query) +[Configure the (FSAA) File System Scan Query](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md#configure-the-fsaa-file-system-scan-query) or -[Configure the (SEEK) File System Scan Query](../../../solutions/filesystem/collection/1-seek_system_scans.md#configure-the-seek-file-system-scan-query) +[Configure the (SEEK) File System Scan Query](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md#configure-the-seek-file-system-scan-query) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md b/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md index 361fcfbfcf..443c67f483 100644 --- a/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md +++ b/docs/accessanalyzer/12.0/requirements/target/config/azureinformationprotection.md 
@@ -24,7 +24,7 @@ labels, certain prerequisites are required both in Access Analyzer and Azure env 6. Enable settings in FSAA Data Collector in Access Analyzer. - See the FileSystemAccess Data Collector section in the - [File System Solution](../../../solutions/filesystem/overview.md) topic for additional + [File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information ## Prerequisites @@ -153,7 +153,7 @@ scan. To collect tags for files protected with Azure Information Protection, an Azure connection profile must be configured in Access Analyzer before an FSAA scan runs. See the -[Global Settings](../../../admin/settings/overview.md) topic for additional information on how to +[Global Settings](/docs/accessanalyzer/12.0/admin/settings/overview.md) topic for additional information on how to set up a connection profile at the global level. **Step 1 –** In Access Analyzer, add a credential for an Azure Active Directory account type to the @@ -220,5 +220,5 @@ For SEEK System Scans: page only applies for SEEK scans. See the FileSystemAccess Data Collector section in the -[File System Solution](../../../solutions/filesystem/overview.md) topic for additional information +[File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/overview.md) topic for additional information on these scoping options. diff --git a/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md b/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md index 22ced1a4e3..e35ccc85c3 100644 --- a/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md +++ b/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md 
@@ -27,7 +27,7 @@ This will enable Access Analyzer to discover all the SQL databases present in th Follow the steps below to create an Azure SQL custom role at the subscription level. -![Azure Portal - Azure Services](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_1.webp) +![Azure Portal - Azure Services](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_1.webp) **Step 1 –** Sign in to Azure. Navigate to the Azure Services section and click **Subscriptions**. This will navigate you to the Pay-As-You-Go page of the Azure Portal. @@ -35,7 +35,7 @@ This will navigate you to the Pay-As-You-Go page of the Azure Portal. **Step 2 –** Locate and click the **Access Control (IAM)** view option blade from the available subscriptions in the left-hand menu. -![Azure Portal - Pay as you Go - Access Control (IAM)](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_2.webp) +![Azure Portal - Pay as you Go - Access Control (IAM)](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_2.webp) **Step 3 –** Click **Add** > Add **Custom Role**. @@ -105,7 +105,7 @@ example below) and save it to a local directory. } ``` -![Azure SQL Configuration - Create a Custom Role section](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_3.webp) +![Azure SQL Configuration - Create a Custom Role section](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_3.webp) **Step 5 –** Once created, click **Start from JSON** in the Azure portal and select the JSON file. Once that file is chosen, the Review + Create button should be enabled. 
@@ -115,7 +115,7 @@ Once the JSON file is opened, the Custom Role Name and Description boxes will be automatically. The name and description of the custom role can be customized if required in this step. -![Azure SQL Configuration - Create a Cusotm Role window](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_4.webp) +![Azure SQL Configuration - Create a Cusotm Role window](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_4.webp) **Step 6 –** Click Create. This action will save and finalize a custom role entitled Access Analyzer Azure SQL Role. @@ -132,11 +132,11 @@ Follow the steps below to create an Azure SQL Application Registration in the Az **Step 1 –** In the Azure portal under Azure Services, click the **App Registration** icon. -![AzureSQL - App Registrations - New Registration](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_5.webp) +![AzureSQL - App Registrations - New Registration](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_5.webp) **Step 2 –** Click **New Registration** in the Register an application blade. -![Azure SQL - Register an Application](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_6.webp) +![Azure SQL - Register an Application](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_6.webp) **Step 3 –** Enter a **Name** for the application and select an appropriate option from the Supported account types options. 
@@ -148,7 +148,7 @@ been registered, the App registration overview blade will appear. Take note of t **NOTE:** The _Application (client) ID_ is required to create a Connection Profile within the Access Analyzer. -![Azure SQL - Register and App - Application ID](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_8.webp) +![Azure SQL - Register and App - Application ID](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_8.webp) **Step 5 –** Click the **Certificates & secrets** blade in the left-hand menu. Click **New Client secret**. @@ -163,7 +163,7 @@ frame is reached (within 24 months, for example). **NOTE:** The Value key on this paged will be used to create the Access Analyzer connection profile. -![Azure SQL - Access Control (IAM) page](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_11z.webp) +![Azure SQL - Access Control (IAM) page](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_11z.webp) ## Add a Role Assignment @@ -173,7 +173,7 @@ Analyzer Azure SQL application. **Step 1 –** Navigate to the Subscriptions blade and click the **Access Control (IAM)** option. Click the **Add** drop down > Click **Add role assignment**. -![Azure SQL - Add a Role Assignment](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_13z.webp) +![Azure SQL - Add a Role Assignment](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_13z.webp) **Step 2 –** Search for and click the recently created custom role from the Role drop down. See [Create a StealthAUDIT Custom Role](#create-a-stealthaudit-custom-role) for steps required to create 
@@ -184,7 +184,7 @@ drop down. See [Register an Azure SQL Application](#register-an-azure-sql-applic required to register an Azure SQL application in the Azure portal. The registered application will be visible in the Selected members window. Click **Save** when finished. -![Azure SQL - Add a role assignment window](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_14z.webp) +![Azure SQL - Add a role assignment window](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_14z.webp) **Step 4 –** Search for and select the SQL Server Contributor role in the Role drop down. @@ -193,7 +193,7 @@ drop down. See [Register an Azure SQL Application](#register-an-azure-sql-applic required to register an Azure SQL application in the Azure portal. The registered application will be visible in the Selected members window. Click **Save** when finished. -![Azure SQL - Access Control (IAM) window](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_16z.webp) +![Azure SQL - Access Control (IAM) window](/img/product_docs/accessanalyzer/requirements/target/config/azuresqlperm_customrolecreation_16z.webp) **Step 6 –** Navigate to the **Subscriptions** blade. Click **Access Control (IAM)**. diff --git a/docs/accessanalyzer/12.0/requirements/target/config/databaseoracle.md b/docs/accessanalyzer/12.0/requirements/target/config/databaseoracle.md index d2442af4c0..2f4a6c9d26 100644 --- a/docs/accessanalyzer/12.0/requirements/target/config/databaseoracle.md +++ b/docs/accessanalyzer/12.0/requirements/target/config/databaseoracle.md 
@@ -29,7 +29,7 @@ GRANT CREATE SESSION TO %USERNAME% CONTAINER=ALL;          When using a least privileged model for Oracle, **SYSDBA** must be selected for the Role in the User Credentials window for the Oracle Connection Profile. See the -[Oracle for User Credentials](../../../admin/settings/connection/profile/oracle.md) topic for +[Oracle for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/oracle.md) topic for additional information. ## Oracle Server Discovery @@ -54,7 +54,7 @@ of plink gets installed with the Nmap utility. The syntax is as follows: -![administratorcommandprompt](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/administratorcommandprompt.webp) +![administratorcommandprompt](/img/product_docs/accessanalyzer/requirements/target/config/administratorcommandprompt.webp) Run the following on the command prompt: diff --git a/docs/accessanalyzer/12.0/requirements/target/databasedb2.md b/docs/accessanalyzer/12.0/requirements/target/databasedb2.md index 22ae6bbf1b..34db873327 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databasedb2.md +++ b/docs/accessanalyzer/12.0/requirements/target/databasedb2.md @@ -28,8 +28,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Permissions 
@@ -41,7 +41,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md b/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md index b4d7380283..8786d1c619 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md +++ b/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md @@ -17,7 +17,7 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [NoSQL Data Collector](../../admin/datacollector/nosql/overview.md) +- [NoSQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/nosql/overview.md) ## Permissions diff --git a/docs/accessanalyzer/12.0/requirements/target/databasemysql.md b/docs/accessanalyzer/12.0/requirements/target/databasemysql.md index f0c21c7846..c9a4e13b38 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databasemysql.md +++ b/docs/accessanalyzer/12.0/requirements/target/databasemysql.md @@ -19,8 +19,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Requirements 
@@ -43,7 +43,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For MySQL Data Collection diff --git a/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md b/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md index 60cc64b056..c31bb8e3e4 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md +++ b/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md @@ -11,9 +11,9 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [PowerShell Data Collector](../../admin/datacollector/powershell/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Permissions @@ -25,7 +25,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For PowerShell Data Collection 
@@ -39,7 +39,7 @@ For Oracle Data Collection Unix operating systems There is a least privilege model for scanning your domain. See the -[Oracle Target Least Privilege Model](config/databaseoracle.md) topic for additional information. +[Oracle Target Least Privilege Model](/docs/accessanalyzer/12.0/requirements/target/config/databaseoracle.md) topic for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md b/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md index 316a2d5478..433fb03127 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md +++ b/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md @@ -12,8 +12,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Requirements @@ -31,7 +31,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For PostgreSQL Data Collection diff --git a/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md b/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md index d717375d0b..1cf7a13ff9 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md +++ b/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md 
@@ -26,8 +26,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Permissions @@ -39,7 +39,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Redshift Data Collection diff --git a/docs/accessanalyzer/12.0/requirements/target/databasesql.md b/docs/accessanalyzer/12.0/requirements/target/databasesql.md index 7d41446b43..e0c998912f 100644 --- a/docs/accessanalyzer/12.0/requirements/target/databasesql.md +++ b/docs/accessanalyzer/12.0/requirements/target/databasesql.md @@ -36,9 +36,9 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [SMARTLog Data Collector](../../admin/datacollector/smartlog/overview.md) -- [SQL Data Collector](../../admin/datacollector/sql/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [SMARTLog Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md) +- [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) ## Permissions 
@@ -50,7 +50,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For SMARTLog Data Collection @@ -77,7 +77,7 @@ For SQL Server Data Collection - Grant View server state to [DOMAIN\USER] - Grant Control Server to [DOMAIN\USER] (specifically required for the Weak Passwords Job) -See the [Azure SQL Auditing Configuration](config/azuresqlaccess.md) topic for additional +See the [Azure SQL Auditing Configuration](/docs/accessanalyzer/12.0/requirements/target/config/azuresqlaccess.md) topic for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/dropbox.md b/docs/accessanalyzer/12.0/requirements/target/dropbox.md index dc90ffb76b..a0be3c21bf 100644 --- a/docs/accessanalyzer/12.0/requirements/target/dropbox.md +++ b/docs/accessanalyzer/12.0/requirements/target/dropbox.md @@ -8,7 +8,7 @@ Data Collector This solution employs the following data collector to scan the target environment: -- [DropboxAccess Data Collector](../../admin/datacollector/dropboxaccess/overview.md) +- [DropboxAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/overview.md) ## Permissions 
@@ -18,7 +18,7 @@ The DropboxAccess Data Collector requires the generation of an access token that configure the Connection Profile for Dropbox. The access token is generated from within the Dropbox Access Auditor Data Collector Wizard on the Scan Options page. Once the access token is copied into a Connection Profile for Dropbox, it will be saved and does not need to be generated again. See the -[DropboxAccess: Scan Options](../../admin/datacollector/dropboxaccess/scanoptions.md) topic for +[DropboxAccess: Scan Options](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md) topic for additional information. ## Ports diff --git a/docs/accessanalyzer/12.0/requirements/target/exchange.md b/docs/accessanalyzer/12.0/requirements/target/exchange.md index df83a597b8..99347e2119 100644 --- a/docs/accessanalyzer/12.0/requirements/target/exchange.md +++ b/docs/accessanalyzer/12.0/requirements/target/exchange.md @@ -8,7 +8,7 @@ as targets: - Exchange 2013 - Exchange 2010 (Limited) -See the [Exchange Support and Permissions Explained](../solutions/exchange/support.md) topic for +See the [Exchange Support and Permissions Explained](/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md) topic for details on the type of auditing supported by data collector and by job group. Domain Controller Requirements 
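Review bot: in the `@@ -18,7 +18,7 @@` hunk of dropbox.md, the added line beginning `[DropboxAccess: Scan Options](` is now noticeably longer than the hard-wrapped paragraph lines around it, and the same happens to the `See the [Exchange Support and Permissions Explained](` line in exchange.md. If the repository enforces a prose wrap width, these lines will be reflowed or flagged by the formatter on the next run and produce a second noisy diff. Either reflow the paragraph in this change or confirm that the formatter leaves long link lines alone.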
@@ -27,22 +27,22 @@ The following are requirements for the Exchange servers to be scanned: Data Collector. If the global Settings have been configured for "MAPI over HTTPS," then the global Settings will have a web address instead of an actual server. Therefore, each ExchangePS query requires the CAS server to be set as the specific server on the Category page. See the - [ExchangePS Data Collector & Client Access Server](../../solutions/exchange/recommended.md) + [ExchangePS Data Collector & Client Access Server](/docs/accessanalyzer/12.0/solutions/exchange/recommended.md) topic for a list of queries for which this would apply. Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [EWSMailbox Data Collector](../../admin/datacollector/ewsmailbox/overview.md) -- [EWSPublicFolder Data Collector](../../admin/datacollector/ewspublicfolder/overview.md) -- [Exchange2K Data Collector](../../admin/datacollector/exchange2k/overview.md) -- [ExchangeMailbox Data Collector](../../admin/datacollector/exchangemailbox/overview.md) -- [ExchangeMetrics Data Collector](../../admin/datacollector/exchangemetrics/overview.md) -- [ExchangePS Data Collector](../../admin/datacollector/exchangeps/overview.md) -- [ExchangePublicFolder Data Collector](../../admin/datacollector/exchangepublicfolder/overview.md) -- [SMARTLog Data Collector](../../admin/datacollector/smartlog/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [EWSMailbox Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md) +- [EWSPublicFolder Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md) +- [Exchange2K Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchange2k/overview.md) +- [ExchangeMailbox Data 
Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangemailbox/overview.md) +- [ExchangeMetrics Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md) +- [ExchangePS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md) +- [ExchangePublicFolder Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/overview.md) +- [SMARTLog Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md) ## Permissions @@ -54,7 +54,7 @@ For .Active Directory Inventory Prerequisite **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. For Exchange Web Services API Permissions with the EWSMailbox Data Collector @@ -64,7 +64,7 @@ For Exchange Web Services API Permissions with the EWSMailbox Data Collector - Application Impersonation Role - Exchange Online License -See the [Exchange Web Services API Permissions](../solutions/exchange/webservicesapi.md) topic for +See the [Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) topic for additional information. For Exchange Web Services API Permissions with the EWSPublicFolder Data Collector @@ -74,7 +74,7 @@ For Exchange Web Services API Permissions with the EWSPublicFolder Data Collecto - Application Impersonation Role - Exchange Online License with a mailbox -See the [Exchange Web Services API Permissions](../solutions/exchange/webservicesapi.md) topic for +See the [Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) topic for additional information. For Exchange2K Data Collector 
@@ -93,14 +93,14 @@ For Exchange Mail Flow with ExchangeMetrics Data Collector - Member of the local Administrator group on the targeted Exchange server(s) -See the [Exchange Mail-Flow Permissions](../solutions/exchange/mailflow.md) topic for additional +See the [Exchange Mail-Flow Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mailflow.md) topic for additional information. For Exchange Remote Connection with SMARTLog Data Collector - Member of the local Administrators group -See the [Exchange Remote Connections Permissions](../solutions/exchange/remoteconnections.md) topic +See the [Exchange Remote Connections Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md) topic for additional information. For Exchange PowerShell with ExchangePS Data Collector @@ -113,7 +113,7 @@ For Exchange PowerShell with ExchangePS Data Collector - Public Folder Management Role Group - Mailbox Search Role -See the [Exchange PowerShell Permissions](../solutions/exchange/powershell.md) topic for additional +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for additional information. For ExchangePublicFolders Data Collector diff --git a/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md b/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md index 8b2986ba19..df62983682 100644 --- a/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md +++ b/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md 
@@ -4,17 +4,17 @@ The Access Analyzer for Exchange Solution provides the ability to audit Exchange - Exchange Online (Limited) -See the [Exchange Support and Permissions Explained](../solutions/exchange/support.md) topic for +See the [Exchange Support and Permissions Explained](/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md) topic for details on the type of auditing supported by data collector and by job group. Data Collectors This solution employs the following data collectors to scan the target environment: -- [AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/overview.md) -- [EWSMailbox Data Collector](../../admin/datacollector/ewsmailbox/overview.md) -- [EWSPublicFolder Data Collector](../../admin/datacollector/ewspublicfolder/overview.md) -- [ExchangePS Data Collector](../../admin/datacollector/exchangeps/overview.md) +- [AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md) +- [EWSMailbox Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md) +- [EWSPublicFolder Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/overview.md) +- [ExchangePS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md) ## Permissions @@ -41,7 +41,7 @@ For .Entra ID Inventory Prerequisite with the AzureADInventory Data Collector - All sub-directories of the access URLs listed -See the [Microsoft Entra ID Auditing Configuration](../../config/entraid/access.md) topic for +See the [Microsoft Entra ID Auditing Configuration](/docs/accessanalyzer/12.0/config/entraid/access.md) topic for additional information. Permissions for the Registered Microsoft Entra ID Application: Office 365 Exchange Online 
@@ -53,7 +53,7 @@ Permissions for the Registered Microsoft Entra ID Application: Office 365 Excha - Exchange Administrator role assigned to the registered application's service principal -See the [Exchange Online Auditing Configuration](../../config/exchangeonline/access.md) topic for +See the [Exchange Online Auditing Configuration](/docs/accessanalyzer/12.0/config/exchangeonline/access.md) topic for additional information. For Exchange Web Services API Permissions with the EWSMailbox Data Collector @@ -62,7 +62,7 @@ For Exchange Web Services API Permissions with the EWSMailbox Data Collector - Discovery Management Role - Exchange Online License -See the [Exchange Web Services API Permissions](../solutions/exchange/webservicesapi.md) topic for +See the [Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) topic for additional information. For Exchange Web Services API Permissions with the EWSPublicFolder Data Collector @@ -71,7 +71,7 @@ For Exchange Web Services API Permissions with the EWSPublicFolder Data Collecto - Discovery Management Role - Exchange Online License with a mailbox -See the [Exchange Web Services API Permissions](../solutions/exchange/webservicesapi.md) topic for +See the [Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) topic for additional information. For Exchange PowerShell with ExchangePS Data Collector @@ -79,7 +79,7 @@ For Exchange PowerShell with ExchangePS Data Collector - Discovery Management Role - Organization Management Role -See the [Exchange PowerShell Permissions](../solutions/exchange/powershell.md) topic for additional +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for additional information. ## Ports 
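Review bot: every rewritten link in exchangeonline.md, for example `/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md`, now hard-codes the `12.0` version segment that the relative form `../solutions/exchange/webservicesapi.md` did not need. When this tree is copied to create the next version's docs, the relative links would have kept pointing inside the new tree, while these absolute links will resolve without error to the 12.0 pages, so readers of the permissions requirements for a newer release would land on stale guidance with no broken-link signal. Please document the step that rewrites the version segment when a version is cut, or add a check that fails when a file under one version directory links into another.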
diff --git a/docs/accessanalyzer/12.0/requirements/target/filesystems.md b/docs/accessanalyzer/12.0/requirements/target/filesystems.md index fec3c26c16..b107f88513 100644 --- a/docs/accessanalyzer/12.0/requirements/target/filesystems.md +++ b/docs/accessanalyzer/12.0/requirements/target/filesystems.md @@ -16,8 +16,8 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [FileSystemAccess Data Collector](../../admin/datacollector/fsaa/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [FileSystemAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md) Permissions and Ports for ADInventory Data Collector Prerequisite @@ -29,7 +29,7 @@ The following permissions are needed: **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. The following firewall ports are needed: @@ -51,7 +51,7 @@ The following are supported Microsoft® Windows® operating systems: - Windows Server 2019 - Windows Server 2016 -See the [Windows File Server Target Requirements](../../config/windowsfile/overview.md) topic for +See the [Windows File Server Target Requirements](/docs/accessanalyzer/12.0/config/windowsfile/overview.md) topic for target environment requirements. Windows File System Clusters 
@@ -68,7 +68,7 @@ Azure Files is a fully managed, cloud-based file sharing service from Microsoft access file shares from anywhere as a virtual network drive. Access Analyzer supports Access Auditing (FSAA) and Sensitive Data Discovery Auditing scans of Azure Files. -See the [Azure Files Target Requirements](config/azurefiles.md) topic for additional information. +See the [Azure Files Target Requirements](/docs/accessanalyzer/12.0/requirements/target/config/azurefiles.md) topic for additional information. ## Supported Network Attached Storage Devices @@ -80,33 +80,33 @@ Dell Celerra® & VNX - VNX 7.1 - VNX 8.1 -See the [Dell Celerra & Dell VNX Target Requirements](../../config/dellcelerravnx/overview.md) +See the [Dell Celerra & Dell VNX Target Requirements](/docs/accessanalyzer/12.0/config/dellcelerravnx/overview.md) topic for target environment requirements. Dell Isilon/PowerScale - 7.0+ -See the [Dell Isilon/PowerScale Target Requirements](../../config/dellpowerscale/overview.md) +See the [Dell Isilon/PowerScale Target Requirements](/docs/accessanalyzer/12.0/config/dellpowerscale/overview.md) topic for target environment requirements. Dell Unity -See the [Dell Unity Target Requirements](../../config/dellunity/overview.md) topic for target +See the [Dell Unity Target Requirements](/docs/accessanalyzer/12.0/config/dellunity/overview.md) topic for target environment requirements. Hitachi - 11.2+ -See the [Hitachi Target Requirements](../../config/hitachi/overview.md) topic for target +See the [Hitachi Target Requirements](/docs/accessanalyzer/12.0/config/hitachi/overview.md) topic for target environment requirements. Nasuni Nasuni Edge Appliances - 8.0+ -See the [Nasuni Target Requirements](../../config/nasuni/overview.md) topic for target +See the [Nasuni Target Requirements](/docs/accessanalyzer/12.0/config/nasuni/overview.md) topic for target environment requirements. NetApp Data ONTAP 
@@ -116,19 +116,19 @@ NetApp Data ONTAP See the following topics for target environment requirements: -- [NetApp Data ONTAP Cluster-Mode Target Requirements](../../config/netappcmode/overview.md) -- [NetApp Data ONTAP 7-Mode Target Requirements](../../config/netapp7mode/overview.md) +- [NetApp Data ONTAP Cluster-Mode Target Requirements](/docs/accessanalyzer/12.0/config/netappcmode/overview.md) +- [NetApp Data ONTAP 7-Mode Target Requirements](/docs/accessanalyzer/12.0/config/netapp7mode/overview.md) Nutanix -See the [Nutanix Target Requirements](../../config/nutanix/overview.md) topic for target +See the [Nutanix Target Requirements](/docs/accessanalyzer/12.0/config/nutanix/overview.md) topic for target environment requirements. Qumulo - Qumulo Core 5.0.0.1B+ -See the [Qumulo Target Requirements](../../config/qumulo/overview.md) topic for target +See the [Qumulo Target Requirements](/docs/accessanalyzer/12.0/config/qumulo/overview.md) topic for target environment requirements. ## Supported Unix Platforms diff --git a/docs/accessanalyzer/12.0/requirements/target/sharepoint.md b/docs/accessanalyzer/12.0/requirements/target/sharepoint.md index c431dc688a..388b8f8aee 100644 --- a/docs/accessanalyzer/12.0/requirements/target/sharepoint.md +++ b/docs/accessanalyzer/12.0/requirements/target/sharepoint.md 
@@ -13,9 +13,9 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [ADInventory Data Collector](../../admin/datacollector/adinventory/overview.md) -- [AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/overview.md) -- [SharePointAccess Data Collector](../../admin/datacollector/spaa/overview.md) +- [ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/overview.md) +- [AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md) +- [SharePointAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/spaa/overview.md) Permissions and Ports for ADInventory Data Collector Prerequisite @@ -27,7 +27,7 @@ The following permissions are needed: **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. The following firewall ports are needed: 
@@ -74,13 +74,13 @@ The following are supported Microsoft® SharePoint® Online: - OneDrive® for Business (Access Auditing and/or Sensitive Data Discovery Auditing for Agent-less mode scans only) -See the [SharePoint Scan Options](../solutions/sharepoint/scanoptions.md) topic for additional +See the [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. **NOTE:** You can use the **SP_RegisterAzureAppAuth** instant job to make the configuration for SharePoint Online easier. This job registers the necessary Microsoft Entra ID application and provisions it with the required permissions. See the -[SP_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/sp_registerazureappauth.md) topic for +[SP_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_registerazureappauth.md) topic for additional information. ## Supported SharePoint On-Premise @@ -91,5 +91,5 @@ The following are supported Microsoft® SharePoint® operating systems: - SharePoint® 2016 - SharePoint® 2013 -See the [SharePoint Scan Options](../solutions/sharepoint/scanoptions.md) topic for additional +See the [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/target/unix.md b/docs/accessanalyzer/12.0/requirements/target/unix.md index dd8d85b4b0..3bdbbd7725 100644 --- a/docs/accessanalyzer/12.0/requirements/target/unix.md +++ b/docs/accessanalyzer/12.0/requirements/target/unix.md 
@@ -14,8 +14,8 @@ Data Collectors This solution employs the following data collectors to scan the target environment: -- [NIS Data Collector](../../admin/datacollector/nis/overview.md) -- [Unix Data Collector](../../admin/datacollector/unix/overview.md) +- [NIS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/nis/overview.md) +- [Unix Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/unix/overview.md) ## Permissions diff --git a/docs/accessanalyzer/12.0/requirements/target/windows.md b/docs/accessanalyzer/12.0/requirements/target/windows.md index e886302a3d..76251e10c8 100644 --- a/docs/accessanalyzer/12.0/requirements/target/windows.md +++ b/docs/accessanalyzer/12.0/requirements/target/windows.md 
@@ -16,16 +16,16 @@ Data Collectors This solution employs the following data collector to scan the target environment: -- [GroupPolicy Data Collector](../../admin/datacollector/grouppolicy/overview.md) -- [PowerShell Data Collector](../../admin/datacollector/powershell/overview.md) -- [Registry Data Collector](../../admin/datacollector/registry.md) -- [Script Data Collector](../../admin/datacollector/script/overview.md) -- [Services Data Collector](../../admin/datacollector/services.md) -- [SMARTLog Data Collector](../../admin/datacollector/smartlog/overview.md) -- [SystemInfo Data Collector](../../admin/datacollector/systeminfo/overview.md) -- [TextSearch Data Collector](../../admin/datacollector/textsearch/overview.md) -- [UsersGroups Data Collector](../../admin/datacollector/usersgroups/overview.md) -- [WMICollector Data Collector](../../admin/datacollector/wmicollector/overview.md) +- [GroupPolicy Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md) +- [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) +- [Registry Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/registry.md) +- [Script Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/script/overview.md) +- [Services Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/services.md) +- [SMARTLog Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md) +- [SystemInfo Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md) +- [TextSearch Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/textsearch/overview.md) +- [UsersGroups Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/usersgroups/overview.md) +- [WMICollector Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/wmicollector/overview.md) ## Permissions 
diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md index 76ab2aeb70..2c1ace7d90 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md @@ -3,12 +3,12 @@ Use the configuration pane to view sub-criteria information for System Criteria and to view, add, edit, and remove sub-criteria information for User Criteria. -![Configuration Pane](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanesystemcriteria.webp) +![Configuration Pane](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanesystemcriteria.webp) The information in the configuration pane changes based on the criteria currently selected in the navigation pane. -![Options at the top of the configuration pane](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanetop.webp) +![Options at the top of the configuration pane](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanetop.webp) The options at the top of the Configuration Pane are: @@ -40,7 +40,7 @@ The options at the top of the Configuration Pane are: - Minimum Matches – Minimum number of match hits required for a sub-criteria match hit - Match Type – Displays whether the sub-criteria **Must match** or **Must not match** -![Options at the bottom of the configuration pane](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanebottom.webp) +![Options at the bottom of the configuration pane](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/configurationpanebottom.webp) The options at the bottom of the configuration pane are: 
@@ -50,9 +50,9 @@ The options at the bottom of the configuration pane are: that can be added are **Keyword**, **Pattern**, and **Summary**. See the following topics for additional information: - - [Keyword Criteria](criteriatype/keyword.md) - - [Regular Expression (Pattern) Criteria](criteriatype/regularexpression.md) - - [Summary Criteria](criteriatype/summary.md) + - [Keyword Criteria](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/keyword.md) + - [Regular Expression (Pattern) Criteria](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.md) + - [Summary Criteria](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/summary.md) - Remove – Remove sub-criteria from the Required matched sub-criteria list - Edit – Edit the currently selected sub-criteria @@ -84,7 +84,7 @@ The options at the bottom of the configuration pane are: the criteria. Delete a metadata type by clicking the **X** button in the gray metadata tag. - For a list of available out-of-the-box metadata tags, see the - [Default Metadata Tag Values](../metadatatags.md) topic for additional information + [Default Metadata Tag Values](/docs/accessanalyzer/12.0/sensitivedatadiscovery/metadatatags.md) topic for additional information - Cancel – Exit the Sensitive Data Criteria Editor without saving changes - Save – Save changes made to the current criteria @@ -93,7 +93,7 @@ The options at the bottom of the configuration pane are: Use the Criteria Tester window to test current criteria configurations. -![Criteria Tester window](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatester.webp) +![Criteria Tester window](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatester.webp) The options in the Criteria Tester are: 
diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/keyword.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/keyword.md index fd36be8a75..5530acd621 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/keyword.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/keyword.md @@ -3,7 +3,7 @@ Keyword criteria consists of a list of comma-separated words. If any word in the list is found in the file, it is considered a hit. -![Keywords window](../../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/keywordswindow.webp) +![Keywords window](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/keywordswindow.webp) The options on the Keywords window are: diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.md index 7c6025a697..2241d99a07 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.md @@ -4,7 +4,7 @@ Regular Expression criteria are a set of pattern matching rules that provide a c means for matching strings of text. This criteria type can be used to verify a series of numbers as potentially valid, for example credit card numbers. -![Regular Expression window](../../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.webp) +![Regular Expression window](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/regularexpression.webp) The options on the Regular Expression window are: 
@@ -15,7 +15,7 @@ The options on the Regular Expression window are: - Validation – Select a validation method from the Validation drop-down. The default value is **No validation required**. - **NOTE:** See the [Sensitive Data System Criteria](../../systemcriteria.md) topic for additional + **NOTE:** See the [Sensitive Data System Criteria](/docs/accessanalyzer/12.0/sensitivedatadiscovery/systemcriteria.md) topic for additional information on validation methods. - Sample Value – Text entered into the Sample Value text box is used to test pattern matches for the diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/summary.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/summary.md index 81e9f9b656..2a8b585f71 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/summary.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/criteriatype/summary.md 
@@ -3,18 +3,18 @@ Summary criteria are designed as a way of combining Regular Expression (Pattern) criteria and Keyword criteria. -![Edit new Summary criteria](../../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/newsummarycriteria.webp) +![Edit new Summary criteria](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/newsummarycriteria.webp) Click **Add** and select **Summary** to add a new Summary criteria to the Required matched criteria list. Select the new criteria and click **Edit** to configure the new Summary criteria. -![Summary criteria configuration page](../../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/summarycriteriaconfiguration.webp) +![Summary criteria configuration page](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/criteriatype/summarycriteriaconfiguration.webp) The options on the Summary criteria configuration page are: - Name – Name of the Summary sub-criteria - Test Criteria – Opens the Criteria Tester window to test current Summary criteria configurations. - See the [Criteria Tester Window](../configuration.md#criteria-tester-window) topic for additional + See the [Criteria Tester Window](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md#criteria-tester-window) topic for additional information. - Required matched criteria – Lists sub-criteria configured for currently selected criteria in the navigation pane. The columns in the table are: diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md index ec71e91b9b..2cd813f24d 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md 
@@ -5,9 +5,9 @@ The Sensitive Data Criteria Editor is accessed from the Criteria Tab in the criteria and to customize or create user-defined criteria. Sensitive Data Criteria can be configured in individual data collectors that use Sensitive Data Discovery or can be configured to inherit Sensitive Data Criteria settings from the **Settings** > **Sensitive Data** node. See the -[Sensitive Data](../../admin/settings/sensitivedata/overview.md) topic for additional information. +[Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. -![Sensitive Data Criteria Editor](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/sensitivdatacriteriaeditor.webp) +![Sensitive Data Criteria Editor](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/sensitivdatacriteriaeditor.webp) The Sensitive Data Criteria Editor contains two sections: @@ -15,13 +15,13 @@ The Sensitive Data Criteria Editor contains two sections: the Add or Remove options. See the [Navigation Pane](#navigation-pane) topic for additional information. - Configuration pane – Displays configured settings for the currently selected criteria in the - navigation pane. See the [Configuration Pane](configuration.md) topic for additional information. + navigation pane. See the [Configuration Pane](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/configuration.md) topic for additional information. ## Navigation Pane The navigation pane lists all user-created and pre-configured Sensitive Data criteria. -![Navigation Pane](../../../../../static/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/navigationpane.webp) +![Navigation Pane](/img/product_docs/accessanalyzer/sensitivedatadiscovery/criteriaeditor/navigationpane.webp) The options in the Navigation Pane are: 
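Review bot: the image path in the `@@ -5,9 +5,9 @@` hunk of criteriaeditor/overview.md keeps the misspelled file name `sensitivdatacriteriaeditor.webp` (missing the "e" in "sensitive"). The rewrite carries it over correctly from the old relative path, so the link is only valid if the asset under `static/img` has the same spelling. Please confirm the file exists under that exact name, and if the asset is ever renamed, change this reference in the same commit.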
@@ -29,7 +29,7 @@ The options in the Navigation Pane are: - Remove Criteria – Removes a user-created criteria from the User Criteria list - User Criteria – Lists all user-created criteria - System Criteria – Lists all pre-configured criteria. For a list of pre-configured System Criteria, - see the [Sensitive Data System Criteria](../systemcriteria.md) topic for additional information. + see the [Sensitive Data System Criteria](/docs/accessanalyzer/12.0/sensitivedatadiscovery/systemcriteria.md) topic for additional information. - System Criteria cannot be modified or removed. To use existing System Criteria configurations in a User Criteria, right-click on a System Criteria and select **Duplicate** from the diff --git a/docs/accessanalyzer/12.0/sensitivedatadiscovery/supportedformats.md b/docs/accessanalyzer/12.0/sensitivedatadiscovery/supportedformats.md index 977828d83e..e244c25b47 100644 --- a/docs/accessanalyzer/12.0/sensitivedatadiscovery/supportedformats.md +++ b/docs/accessanalyzer/12.0/sensitivedatadiscovery/supportedformats.md @@ -98,7 +98,7 @@ attachment’s file type is a scan-able format, then it can extract text from th Character Recognition (OCR) scans for Raster image files by enabling the option on the SDD Audit Settings page in the File System Access Auditor Data Collector Wizard. This is an option for the Sensitive Data Scan category. See the -[1-SEEK System Scans Job](../solutions/filesystem/collection/1-seek_system_scans.md) topic for +[1-SEEK System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md) topic for additional information. ### Spreadsheet diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md index 0219842eb2..5b02d0cb07 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md @@ -4,7 +4,7 @@ The AD_ActivityCollection Job located in the 0.Collection Job Group, imports dat Activity Monitor logs into the Access Analyzer Database. Retention can be modified in the query (120 days default). -![AD_ActivityCollection Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![AD_ActivityCollection Job in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) There are two ways AD Activity data can be retrieved by Access Analyzer: @@ -19,10 +19,10 @@ additional information. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. -![Configuration section on the AD_ActivityCollection job Overview page](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/overviewconfiguration.webp) +![Configuration section on the AD_ActivityCollection job Overview page](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/overviewconfiguration.webp) The AD_ActivityCollection page has the following configurable parameters: 
@@ -32,7 +32,7 @@ The AD_ActivityCollection page has the following configurable parameters: **NOTE:** The import of AD events and authentication events is disabled by default. You must enable these parameters for the activity data to be imported into the Netwrix Access Information Center. See the - [(Optional) Configure Import of AD Activity into Netwrix Access Information Center](../../../config/activedirectory/activity.md#optional-configure-import-of-ad-activity-into-netwrix-access-information-center) + [(Optional) Configure Import of AD Activity into Netwrix Access Information Center](/docs/accessanalyzer/12.0/config/activedirectory/activity.md#optional-configure-import-of-ad-activity-into-netwrix-access-information-center) topic for instructions. - List of attributes to track for Object Modified changes @@ -50,7 +50,7 @@ archive logs for AD Activity. **NOTE:** The query can be configured to connect directly to the network share where the archive logs are stored or the API Server. -![Queries for the AD_ActivityCollection Job](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/queries.webp) +![Queries for the AD_ActivityCollection Job](/img/product_docs/accessanalyzer/admin/hostdiscovery/queries.webp) The AD_ActivityCollection Job uses the ADActivity Data Collector for the following query: @@ -64,7 +64,7 @@ API server. **NOTE:** Ensure the Activity Monitor API Server and the required Connection Profile are successfully set up. See the -[Active Directory Activity Auditing Configuration](../../../config/activedirectory/activity.md) +[Active Directory Activity Auditing Configuration](/docs/accessanalyzer/12.0/config/activedirectory/activity.md) topic for additional information. **Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** 
> @@ -75,11 +75,11 @@ topic for additional information. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) **Step 4 –** On the Category page, choose **Import from SAM** option and click **Next**. -![Active Directory Activity DC wizard SAM connection settings page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) +![Active Directory Activity DC wizard SAM connection settings page](/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) **Step 5 –** On the SAM connection page, the **Port** is set to the default 4494. This needs to match the port configured for the Activity Monitor API Server agent. @@ -93,7 +93,7 @@ last step. **Step 8 –** Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 9 –** On the Scope page, set the Timespan as desired. There are two options: @@ -132,7 +132,7 @@ share. **NOTE:** Ensure the Activity Monitor domain output and the required Connection Profile are successfully set up. See the -[File Archive Repository Option](../../../config/activedirectory/filearchive.md) topic for +[File Archive Repository Option](/docs/accessanalyzer/12.0/config/activedirectory/filearchive.md) topic for additional information. **Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** 
> @@ -143,17 +143,17 @@ additional information. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) **Step 4 –** On the Category page, choose **Import from Share** option and click **Next**. -![Active Directory Activity DC wizard Share settings page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/share.webp) +![Active Directory Activity DC wizard Share settings page](/img/product_docs/activitymonitor/config/activedirectory/share.webp) **Step 5 –** On the Share page, provide the UNC path to the AD Activity share archive location. If there are multiple archives in the same network share, check the **Include Sub-Directories** box. Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 6 –** On the Scope page, set the Timespan as desired. There are two options: @@ -183,7 +183,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collecti **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ActivityCollection Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/analysis.webp) +![Analysis Tasks for the AD_ActivityCollection Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/analysis.webp) The following analysis tasks are selected by default: 
@@ -213,5 +213,5 @@ the Netwrix Access Information Center. | AIC Import - Activity Retention | @Days | 120 | Number of days to retain activity data in the AIC | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_ldapqueries.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_ldapqueries.md index 884b372804..7cc487ea3d 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_ldapqueries.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_ldapqueries.md @@ -4,7 +4,7 @@ The **LDAP** > **AD_LDAPQueries** Job analyzes LDAP traffic to determine trends expensive queries, most active servers and users, successful/failed and signing status. This data can be used to troubleshoot performance issues, load balancing, and poorly configured services. -![AD_LDAPQueries Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapjobstree.webp) +![AD_LDAPQueries Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapjobstree.webp) **_RECOMMENDED:_** Schedule this job to run with the 0.Collection job group. 
@@ -16,7 +16,7 @@ Navigate to the **Active Directory** > **6.Activity** > **LDAP** > **AD_LDAPQuer **CAUTION:** Except for the **Largest Queries** task, do not modify or deselect the remaining selected analysis tasks. The remaining analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_LDAPQueries Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapqueriesanalysis.webp) +![Analysis Tasks for the AD_LDAPQueries Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapqueriesanalysis.webp) The following non-configurable analysis tasks are selected by default: @@ -49,14 +49,14 @@ analysis task’s parameters. **Step 1 –** Navigate to the **Active Directory** > **6.Activity** > **LDAP** > **AD_LDAPQueries** > **Configure** node and select **Analysis**. -![Largest Queries analysis task configuration](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapqueriesanalysisconfiguration.webp) +![Largest Queries analysis task configuration](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapqueriesanalysisconfiguration.webp) **Step 2 –** In the Analysis Selection view, select the **Largest Queries** analysis task and click **Analysis Configuration**. The SQL Script Editor opens. **CAUTION:** Do not change any parameters where the Value states `Created during execution`. -![Largest Queries analysis task in the SQL Script Editor](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapsqlscripteditor.webp) +![Largest Queries analysis task in the SQL Script Editor](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/ldapsqlscripteditor.webp) **Step 3 –** In the parameters section at the bottom of the editor, find the Value column. There are two integer variables that can be modified. Double-click on the current **value** and change as 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_lockouts.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_lockouts.md index 8002eabcad..f33c83e705 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_lockouts.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_lockouts.md @@ -4,7 +4,7 @@ The **Lockouts** > **AD_Lockouts** Job provides a listing of all account lockout occurring in the past 30 days, failed authentications and host information is provided to aid troubleshooting. -![AD_Lockouts Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/lockoutsjobstree.webp) +![AD_Lockouts Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/lockoutsjobstree.webp) **_RECOMMENDED:_** Schedule this job to run with the 0.Collection job group. @@ -16,7 +16,7 @@ Navigate to the **Active Directory** > **6.Activity** > **Lockouts** > **AD_Lock **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_Lockouts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/lockoutsanalysis.webp) +![Analysis Tasks for the AD_Lockouts Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/lockoutsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_computermodifications.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_computermodifications.md index 35eebd31b7..60b24ee75f 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_computermodifications.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_computermodifications.md 
@@ -10,7 +10,7 @@ Navigate to the **Active Directory** > **6.Activity** > **Changes** > **AD_Compu **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ComputerModifications Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/computermodificationsanalysis.webp) +![Analysis Tasks for the AD_ComputerModifications Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/computermodificationsanalysis.webp) The following non-configurable analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_groupmodifications.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_groupmodifications.md index ba74808b8b..efda8d4f3a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_groupmodifications.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_groupmodifications.md @@ -12,7 +12,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Changes** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupModifications Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/groupmodificationsanalysis.webp) +![Analysis Tasks for the AD_GroupModifications Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/groupmodificationsanalysis.webp) The following non-configurable analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_usermodifications.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_usermodifications.md index 1cdeead7dd..b3f231a7e0 100644 
--- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_usermodifications.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_usermodifications.md @@ -10,7 +10,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Changes** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_UserModifications Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/usermodificationsanalysis.webp) +![Analysis Tasks for the AD_UserModifications Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/changes/usermodificationsanalysis.webp) The following non-configurable analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/overview.md index b6fda7526c..e06f643bb3 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/overview.md 
@@ -3,15 +3,15 @@ The Changes Job Group provides an audit trail for changes made to Computer, Group and User objects within the environment. -![Changes Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Changes Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following Jobs make up the Changes Job Group: **_RECOMMENDED:_** Schedule these jobs to run with the 0.Collection job group. -- [AD_ComputerModifications Job](ad_computermodifications.md) – Reports on activity relating to +- [AD_ComputerModifications Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_computermodifications.md) – Reports on activity relating to changes made on computer objects -- [AD_GroupModifications Job](ad_groupmodifications.md) – Reports on activity relating to changes +- [AD_GroupModifications Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_groupmodifications.md) – Reports on activity relating to changes made on a group objects and changes made to group membership -- [AD_UserModifications Job](ad_usermodifications.md) – Reports on activity relating to changes made +- [AD_UserModifications Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/ad_usermodifications.md) – Reports on activity relating to changes made on user objects diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_accesschanges.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_accesschanges.md index ede86119df..9d086134e3 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_accesschanges.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_accesschanges.md 
@@ -12,7 +12,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Group Usage **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_AccessChanges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/accesschangesanalysis.webp) +![Analysis Tasks for the AD_AccessChanges Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/accesschangesanalysis.webp) The following non-configurable analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_grouphosts.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_grouphosts.md index 0977f1a5d4..8b84f00edf 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_grouphosts.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_grouphosts.md @@ -10,7 +10,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **GroupUsage* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupHosts Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/grouphostsanalysis.webp) +![Analysis Tasks for the AD_GroupHosts Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/grouphostsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_groupmemberactivity.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_groupmemberactivity.md index 1d50ad498a..a37689159a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_groupmemberactivity.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_groupmemberactivity.md @@ -9,7 +9,7 @@ logons. Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Group Usage** > **AD_GroupMemberActivity** > **Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the AD_GroupMemberActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivityanalysis.webp) +![Analysis Tasks for the AD_GroupMemberActivity Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivityanalysis.webp) The default analysis task is: 
@@ -32,14 +32,14 @@ bottom of the SQL Script Editor. Follow the steps to customize an analysis task **Step 1 –** Navigate to the **Active Directory** > **6.Activity** > **Group Usage** > **AD_GroupMemberActivity** > **Configure** node and select **Analysis**. -![Group Member Activity analysis task configuration](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivityanalysisconfiguration.webp) +![Group Member Activity analysis task configuration](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivityanalysisconfiguration.webp) **Step 2 –** In the Analysis Selection view, select the Group Member Activity analysis task and click on **Analysis Configuration**. The SQL Script Editor opens. **CAUTION:** Do not change any parameters where the Value states `Created during execution`. -![Group Member Activity Analysis Task in the SQL Script Editor](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivitysqlscripteditor.webp) +![Group Member Activity Analysis Task in the SQL Script Editor](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/groupusage/groupmemberactivitysqlscripteditor.webp) **Step 3 –** In the parameters section at the bottom of the editor, find the Value column. Select the cell for the temporary table called #admingroups, and click **Edit Table** to modify the value. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/overview.md index 2034abac96..5b54c30da8 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/overview.md 
@@ -4,16 +4,16 @@ The Group Usage Job Group reports shows how group membership changes have affect entire environment, the actions taken by the members of a group, and identifies where groups may be used for authorization in applications. -![Group Usage Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Group Usage Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following Jobs make up the Group Usage Job Group: **_RECOMMENDED:_** Schedule these jobs to run with the 0.Collection job group. -- [AD_AccessChanges Job](ad_accesschanges.md) – Reports on activity relating to access changes for +- [AD_AccessChanges Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_accesschanges.md) – Reports on activity relating to access changes for Active Directory groups, highlighting membership changes that have created large access change within the environment -- [AD_GroupHosts Job](ad_grouphosts.md) – Reports on what hosts groups are being used on within the +- [AD_GroupHosts Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_grouphosts.md) – Reports on what hosts groups are being used on within the environment -- [AD_GroupMemberActivity Job](ad_groupmemberactivity.md) – Reports on the activity that group +- [AD_GroupMemberActivity Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/ad_groupmemberactivity.md) – Reports on the activity that group members are taking within the Active Directory environment diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_authenticationprotocol.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_authenticationprotocol.md index 9fea7b7cd1..90ee8a3fc1 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_authenticationprotocol.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_authenticationprotocol.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_AuthenticationProtocol Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/authenticationprotocolanalysis.webp) +![Analysis Tasks for the AD_AuthenticationProtocol Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/authenticationprotocolanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_domaincontrollertraffic.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_domaincontrollertraffic.md index 98b0f3cfe5..0b4c5185c5 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_domaincontrollertraffic.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_domaincontrollertraffic.md @@ -14,7 +14,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DomainControllerTraffic Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/dctrafficanalysis.webp) +![Analysis Tasks for the AD_DomainControllerTraffic Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/dctrafficanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_hardcodeddcs.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_hardcodeddcs.md index 68a4a50763..797e19711d 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_hardcodeddcs.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_hardcodeddcs.md @@ -10,7 +10,7 @@ Navigate to the **Active Directory** > **6.Activity** > **Operations** > **AD_Ha **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_HardcodedDCs Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/hardcodeddcsanalysis.webp) +![Analysis Tasks for the AD_HardcodedDCs Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/hardcodeddcsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_loadbalancing.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_loadbalancing.md index 95d231ae2e..16830ec46b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_loadbalancing.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_loadbalancing.md @@ -13,7 +13,7 @@ Navigate to the **Active Directory** > **6.Activity** > **Operations** > **AD_Lo **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the AD_LoadBalancing Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/loadbalancinganalysis.webp) +![Analysis Task for the AD_LoadBalancing Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/loadbalancinganalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_machineowners.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_machineowners.md index 58c2b9e879..a189703e7c 100644 
--- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_machineowners.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_machineowners.md @@ -10,7 +10,7 @@ Navigate to the **Active Directory** > **6.Activity** > **Operations** > **AD_Ma **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_MachineOwners Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/machineownersanalysis.webp) +![Analysis Tasks for the AD_MachineOwners Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/operations/machineownersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/overview.md index ba480ea6be..cb00124d9a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/overview.md 
@@ -4,23 +4,23 @@ The Operations Job Group reports on Active Directory activity events related to activity. This group can help report on probable machine owners based on authentications, domain controller traffic and activity, and authentication protocols being used in the environment. -![Operations Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Operations Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following Jobs make up the Operations Job Group: **_RECOMMENDED:_** Schedule these jobs to run with the 0.Collection job group. -- [AD_AuthenticationProtocol Job](ad_authenticationprotocol.md) – Shows what protocols are being +- [AD_AuthenticationProtocol Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_authenticationprotocol.md) – Shows what protocols are being used to authenticate across the environment and will help to identify what services and computers may be affected when disabling NTLM -- [AD_DomainControllerTraffic Job](ad_domaincontrollertraffic.md) – Provides a summary of the amount +- [AD_DomainControllerTraffic Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_domaincontrollertraffic.md) – Provides a summary of the amount of traffic for Changes, Authentication, Replication, and LDAP Queries for each domain controller which can be used to identify issues with load balancing. If the AD_DCSummary job has been run, the roles for each DC will be provided. 
-- [AD_HardcodedDCs Job](ad_hardcodeddcs.md) – Highlight machines that have communicated with only +- [AD_HardcodedDCs Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_hardcodeddcs.md) – Highlight machines that have communicated with only one DC -- [AD_LoadBalancing Job](ad_loadbalancing.md) – Analyzes each domain controller's traffic to show +- [AD_LoadBalancing Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_loadbalancing.md) – Analyzes each domain controller's traffic to show what percent of all LDAP, Replication, Authentication and Changes are being handled by that particular machine. This helps to highlight domain controllers which are over utilized relative to others within the domain, or unused domain controllers which may be decommissioned. -- [AD_MachineOwners Job](ad_machineowners.md) – Helps to identify the owner of a particular host +- [AD_MachineOwners Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/ad_machineowners.md) – Helps to identify the owner of a particular host diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/overview.md index 8a0e713fe6..88d8bee840 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/overview.md 
@@ -10,27 +10,27 @@ reports. _Remember,_ this job group requires the Active Directory Activity license. -![6.Activity Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![6.Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 6.Activity Job Group is comprised of the following jobs: -- [0.Collection > AD_ActivityCollection Job](ad_activitycollection.md) – Imports data from the +- [0.Collection > AD_ActivityCollection Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md) – Imports data from the Netwrix Activity Monitor logs into the Access Analyzer Database. Retention can be modified in the query (120 days default). -- [Changes Job Group](changes/overview.md) – Provides an audit trail for changes made to Computer, +- [Changes Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/changes/overview.md) – Provides an audit trail for changes made to Computer, Group and User objects within the environment -- [Group Usage Job Group](groupusage/overview.md) – Shows how group membership changes have affected +- [Group Usage Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/groupusage/overview.md) – Shows how group membership changes have affected access across the entire environment, the actions taken by the members of a group, and identifies where groups may be used for authorization in applications -- [LDAP > AD_LDAPQueries Job](ad_ldapqueries.md) – Analyzes LDAP traffic to determine trends such as +- [LDAP > AD_LDAPQueries Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_ldapqueries.md) – Analyzes LDAP traffic to determine trends such as most expensive queries, most active servers and users, successful/failed and signing status. This data can be used to troubleshoot performance issues, load balancing, and poorly configured services. 
-- [Lockouts > AD_Lockouts Job](ad_lockouts.md)– Provides a listing of all account lockouts with +- [Lockouts > AD_Lockouts Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_lockouts.md)– Provides a listing of all account lockouts with relevant details which can be used to aid troubleshooting -- [Operations Job Group](operations/overview.md) – Reports on Active Directory activity events +- [Operations Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/operations/overview.md) – Reports on Active Directory activity events related to operational activity. This group can help report on probable machine owners based on authentications, domain controller traffic and activity, and authentication protocols being used in the environment. -- [Privileged Accounts Job Group](privilegedaccounts/overview.md)– Highlights the activity performed +- [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/overview.md)– Highlights the activity performed by this accounts, to identify potential abuses or unused accounts that can be deprovisioned diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_adminaccounts.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_adminaccounts.md index 62620f0b00..a589433399 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_adminaccounts.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_adminaccounts.md 
@@ -10,7 +10,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Privileged **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_AdminAccounts Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountsanalysis.webp) +![Analysis Tasks for the AD_AdminAccounts Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountsanalysis.webp) The default analysis tasks are: 
@@ -38,14 +38,14 @@ the bottom of the SQL Script Editor. Follow the steps to customize an analysis t **Step 1 –** Navigate to the **Active Directory** > **6.Activity** > **Privileged Accounts** > **AD_AdminAccounts** > **Configure** node and select **Analysis**. -![Summarizes Administrative Account Activity analysis task configuration](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountsanalysisconfiguration.webp) +![Summarizes Administrative Account Activity analysis task configuration](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountsanalysisconfiguration.webp) **Step 2 –** In the Analysis Selection view, select the **Summarizes Administrative Account Activity** analysis task and click **Analysis Configuration**. The SQL Script Editor opens. **CAUTION:** Do not change any parameters where the Value states `Created during execution`. -![Summarizes Administrative Account Activity analysis task in the SQL Script Editor](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountssqlscripteditor.webp) +![Summarizes Administrative Account Activity analysis task in the SQL Script Editor](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/adminaccountssqlscripteditor.webp) **Step 3 –** In the parameters section at the bottom of the editor, find the Value column. Select the cell for the temporary table called #AdminGroups, and click **Edit Table** to modify the value. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_serviceaccountauth.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_serviceaccountauth.md index 244b0b8643..c536757dcb 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_serviceaccountauth.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_serviceaccountauth.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **Operations* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the AD_ServiceAccountAuth Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/serviceaccountauthanalysis.webp) +![Analysis Task for the AD_ServiceAccountAuth Job](/img/product_docs/accessanalyzer/solutions/activedirectory/activity/privilegedaccounts/serviceaccountauthanalysis.webp) The following non-configurable analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/overview.md index e0bf812f42..391db2c604 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/overview.md 
@@ -3,13 +3,13 @@ The Privileged Accounts Job Group highlights the activity performed by this accounts, to identify potential abuses or unused accounts which can be deprovisioned. -![Privileged Accounts Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Privileged Accounts Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following Jobs make up the Privileged Accounts Job Group: **_RECOMMENDED:_** Schedule these jobs to run with the 0.Collection job group. -- [AD_AdminAccounts Job](ad_adminaccounts.md) – Shows all actions taken by domain administrators +- [AD_AdminAccounts Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_adminaccounts.md) – Shows all actions taken by domain administrators within the environment being compromised -- [AD_ServiceAccountAuth Job](ad_serviceaccountauth.md) – Shows the last time a service account, +- [AD_ServiceAccountAuth Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/privilegedaccounts/ad_serviceaccountauth.md) – Shows the last time a service account, identified by the presence of a servicePrincipalName, was active within the environment diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/recommended.md b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/recommended.md index 3bed5414a9..389fa7544b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/activity/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/activity/recommended.md 
@@ -20,13 +20,13 @@ Netwrix Activity Monitor API Server or the host with the network share housing a Connection Profile Connection Profiles must be set directly on the -[0.Collection > AD_ActivityCollection Job](ad_activitycollection.md) in order to connect to either +[0.Collection > AD_ActivityCollection Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md) in order to connect to either the SAM API Server or the host with the network share housing the archived log files. Access Token Required for SAM API Server integration for the -[0.Collection > AD_ActivityCollection Job](ad_activitycollection.md). +[0.Collection > AD_ActivityCollection Job](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/ad_activitycollection.md). Scheduling Frequency @@ -65,5 +65,5 @@ group data with other jobs. **Step 8 –** Review the reports generated by the jobs. -See the [Active Directory Solution](../../../requirements/solutions/activedirectory.md) topic for +See the [Active Directory Solution](/docs/accessanalyzer/12.0/requirements/solutions/activedirectory.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/ad_securityassessment.md b/docs/accessanalyzer/12.0/solutions/activedirectory/ad_securityassessment.md index ff97559ca2..0c924a7657 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/ad_securityassessment.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/ad_securityassessment.md 
@@ -5,7 +5,7 @@ order to proactively identify critical security configurations that leave Active vulnerable to attack. The result are reports that provide a listing of findings by severity and category with corresponding details that can be used to prioritize and remediate security issues. -![AD Security Assessment Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) +![AD Security Assessment Job](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) ## Recommended Configurations for the AD_SecurityAssessment Job @@ -76,7 +76,7 @@ Navigate to the **Jobs** > Active Directory > AD_SecurityAssessment > Configure **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) The following non-configurable analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_cacollection.md b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_cacollection.md index f9bed6dbd4..4d4217f969 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_cacollection.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_cacollection.md 
@@ -14,7 +14,7 @@ controller** host list. The AD_CACollection job uses the PowerShell data collector to collect details about Certificate Authorities, templates, and requests. -![Queries for the AD_CACollection Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/cacollectionqueries.webp) +![Queries for the AD_CACollection Job](/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/cacollectionqueries.webp) The queries for the job are: @@ -35,7 +35,7 @@ Navigate to the **Active Directory** > **7.Certificate Authority** > **Collectio **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CACollection Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/cacollectionanalysis.webp) +![Analysis Tasks for the AD_CACollection Job](/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/cacollectionanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificateaudit.md b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificateaudit.md index 283684e54b..3f0f47b616 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificateaudit.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificateaudit.md 
@@ -10,7 +10,7 @@ Navigate to the **Active Directory** > **7.Certificate Authority** > **AD_Certif **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CertificateAudit Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/certificateauditanalysis.webp) +![Analysis Tasks for the AD_CertificateAudit Job](/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/certificateauditanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificaterequests.md b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificaterequests.md index ee84961b01..4488b7d809 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificaterequests.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificaterequests.md @@ -7,7 +7,7 @@ are expiring soon. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_CertificateRequests job has the following configurable parameter: 
@@ -26,7 +26,7 @@ Navigate to the **Active Directory** > **7.Certificate Authority** > **AD_Certif **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CertificateRequests Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/certificaterequestsanalysis.webp) +![Analysis Tasks for the AD_CertificateRequests Job](/img/product_docs/accessanalyzer/solutions/activedirectory/certificateauthority/certificaterequestsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview.md index d2e88ef9b2..898c4ebd63 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview.md 
@@ -4,14 +4,14 @@ The 7.Certificate Authority job group collects settings, permissions, and config Certificate Authorities. It details access rights for the Certificate Authority and reports on certificate requests, highlighting any that might expire soon. -![7.Certificate Authority job group in the Jobs tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![7.Certificate Authority job group in the Jobs tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following jobs comprise the job group: -- [Collection > AD_CACollection Job](ad_cacollection.md) – Collects Certificate Authority details +- [Collection > AD_CACollection Job](/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_cacollection.md) – Collects Certificate Authority details and settings for analysis against potential vulnerabilities that exist in Active Directory Certificate Services configurations -- [AD_CertificateAudit Job](ad_certificateaudit.md) – Provides details on access rights to the +- [AD_CertificateAudit Job](/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificateaudit.md) – Provides details on access rights to the Certificate Authority -- [AD_CertificateRequests Job](ad_certificaterequests.md) – Provides details about certificate +- [AD_CertificateRequests Job](/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/ad_certificaterequests.md) – Provides details about certificate requests, and highlights any that are expiring soon diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/ad_cleanupprogress.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/ad_cleanupprogress.md index 69888283c2..69d747f9c2 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/ad_cleanupprogress.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/ad_cleanupprogress.md 
@@ -5,7 +5,7 @@ to proactively identify critical security configurations that leave Active Direc attack. The result is a report which provides a listing of findings by severity and category with corresponding details that can be used to prioritize and remediate security issues. -![AD_CleanupProgress Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressjobstree.webp) +![AD_CleanupProgress Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressjobstree.webp) Workflow @@ -31,7 +31,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the AD_CleanupProgress Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressanalysis.webp) +![Analysis Tasks for the AD_CleanupProgress Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers.md index 79c894f639..76b44b3742 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers.md 
@@ -15,7 +15,7 @@ staging OU. The default is 365 days. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_DeprovisionComputers page has the following configurable parameters: @@ -31,7 +31,7 @@ topic for additional information. Navigate to the **Active Directory** > **Cleanup** > **3.Computers** > **AD_Deprovision Computers** > **Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the AD_DeprovisionComputers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersanalysis.webp) +![Analysis Tasks for the AD_DeprovisionComputers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersanalysis.webp) The default analysis tasks are: @@ -54,7 +54,7 @@ this job’s analysis. | Computer Accounts to Delete | @days_before_deleting | 365 | Days in the staging OU before deleting account | See the -[Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. ## Action Tasks for the AD_DeprovisionComputers Job 
@@ -65,7 +65,7 @@ Navigate to the **Active Directory** > **Cleanup** > **3.Computers** > **AD_Depr **CAUTION:** Do not enable the actions unless it is required. Disable the actions after execution to prevent making unintended and potentially harmful changes to Active Directory. -![Action Tasks for the AD_DeprovisionComputers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersaction.webp) +![Action Tasks for the AD_DeprovisionComputers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersaction.webp) The action tasks are: @@ -74,7 +74,7 @@ The action tasks are: - Move Computers – Move computers to staging OU for deletion - The target staging OU must be set in the Move Computers Action Task prior to executing the - action tasks. See the [Configure the Target OU](../configuretargetou.md) topic for additional + action tasks. See the [Configure the Target OU](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md) topic for additional information. - Notify Manager – Notify assigned manager by email of the impending deletion diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers_status.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers_status.md index 81891b3dcf..592c4cd71b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers_status.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers_status.md 
@@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for AD_DeprovisionComputers_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersstatusanalysis.webp) +![Analysis Tasks for AD_DeprovisionComputers_Status Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/deprovisioncomputersstatusanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/overview.md index eb31baef28..0c8d4b8069 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/overview.md 
@@ -3,13 +3,13 @@ The 3.Computers Job Group identifies stale computer accounts, providing a workflow to safely deprovision identified accounts. -![3.Computers Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/computersjobtree.webp) +![3.Computers Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/computers/computersjobtree.webp) The jobs in the 3.Computers Job Group are: -- [AD_DeprovisionComputers Job](ad_deprovisioncomputers.md) – Provides a simple, automated workflow +- [AD_DeprovisionComputers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers.md) – Provides a simple, automated workflow to deprovision stale and unused user accounts -- [AD_DeprovisionComputers_Status Job](ad_deprovisioncomputers_status.md) – Tracks all actions taken +- [AD_DeprovisionComputers_Status Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/ad_deprovisioncomputers_status.md) – Tracks all actions taken by the included deprovisioning workflow Workflow diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md index d587801504..1c0e582248 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md 
@@ -4,7 +4,7 @@ Follow the steps to configure the target staging OU. **Step 1 –** Navigate to the **[Job]** > **Configure** > **Actions** node. -![Action Properties button on Action Selection page](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/configuretargetouactionproperties.webp) +![Action Properties button on Action Selection page](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/configuretargetouactionproperties.webp) **Step 2 –** On the Action Selection page, select the desired action task and click **Action Properties**. @@ -12,7 +12,7 @@ Properties**. **Step 3 –** In the Action Properties window, select **Configure Action**. The Active Directory Action Module Wizard opens. -![Move Objects page of the Active Directory Action Module Wizard](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/configuretargetouactionmodulewizard.webp) +![Move Objects page of the Active Directory Action Module Wizard](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/configuretargetouactionmodulewizard.webp) **Step 4 –** Navigate to the Move Objects page of the Active Directory Action Module Wizard. In the OU field, enter or browse to the desired target OU. To create the target OU location, select the diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md index 571737a4c6..43603f7932 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md 
@@ -18,7 +18,7 @@ staging OU. The default is 365 days. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../../admin/jobs/job/overview.md#parameter-configuration) topic +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_DeprovisionGroups page has the following configurable parameters: @@ -34,7 +34,7 @@ topic for additional information. Navigate to the **Active Directory** > **Cleanup** > **1.Groups** > **1. Deprovision Groups** > **AD_Deprovision Groups** > **Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the AD_DeprovisionGroups Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsanalysis.webp) +![Analysis Tasks for the AD_DeprovisionGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsanalysis.webp) The default analysis tasks are: @@ -56,7 +56,7 @@ this job’s analysis. | Groups to Delete | @days_before_deleting | 365 | Days in the staging OU before deletion | See the -[Configure the Customizable Parameters in an Analysis Task](../../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. ## Action Tasks for the AD_DepvisionGroups Job 
@@ -67,7 +67,7 @@ Navigate to the **Active Directory** > **Cleanup** > **1.Groups** > **1. Deprovi **CAUTION:** Do not enable the actions unless it is required. Disable the actions after execution to prevent making unintended and potentially harmful changes to Active Directory. -![Action Tasks for the AD_DepvisionGroups Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsaction.webp) +![Action Tasks for the AD_DepvisionGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsaction.webp) The action tasks are: @@ -76,7 +76,7 @@ The action tasks are: - Move Groups – Move groups to staging OU - The target staging OU must be set in the Move Groups Action Task prior to executing the action - tasks. See the [Configure the Target OU](../../configuretargetou.md) topic for additional + tasks. See the [Configure the Target OU](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md) topic for additional information. - Disable Groups – The group is changed to a distribution list diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md index ebcd177da9..f9c93a395c 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md 
@@ -11,7 +11,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis tasks is preconfigured for this job. -![Analysis Task for the AD_DeprovisionGroups_Status Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsstatusanalysis.webp) +![Analysis Task for the AD_DeprovisionGroups_Status Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/deprovisiongroupsstatusanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/overview.md index 50612d41ab..4021cacb0a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/overview.md 
@@ -3,11 +3,11 @@ The 1. Deprovision Groups Job Group provides a simple, automated workflow to deprovision stale groups. The action tasks in this job group provide an automated workflow. -![1.Deprovision Job Group in the Jobs Tree](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/groupsdeprovisionjobtree.webp) +![1.Deprovision Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/deprovision/groupsdeprovisionjobtree.webp) The jobs in the 1. Deprovision Groups Job Group are: -- [AD_DeprovisionGroups Job](ad_deprovisiongroups.md) – This job provides an automated workflow to +- [AD_DeprovisionGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md) – This job provides an automated workflow to deprovision stale groups -- [AD_DeprovisionGroups_Status Job](ad_deprovisiongroups_status.md) – This job tracks and reports on +- [AD_DeprovisionGroups_Status Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md) – This job tracks and reports on the progress of all actions taken by the included Deprovisioning workflow diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/overview.md index 6e4487e06b..3957627189 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/overview.md 
@@ -3,25 +3,25 @@ The 1.Groups Job Group provides a workflow to safely deprovision groups, as well as the ability to stamp security groups with what resources they are given access to. -![1.Groups Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/groupsjobtree.webp) +![1.Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/groupsjobtree.webp) The jobs in the 1.Groups Job Group are: -- [1.Deprovision Job Group](deprovision/overview.md) – This job group provides a simple, automated +- [1.Deprovision Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/overview.md) – This job group provides a simple, automated workflow to deprovision stale groups - - [AD_DeprovisionGroups Job](deprovision/ad_deprovisiongroups.md) – This job provides a simple + - [AD_DeprovisionGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups.md) – This job provides a simple automated workflow to deprovision stale groups - - [AD_DeprovisionGroups_Status Job](deprovision/ad_deprovisiongroups_status.md) – This job + - [AD_DeprovisionGroups_Status Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/deprovision/ad_deprovisiongroups_status.md) – This job tracks and reports on the progress of the deprovisioning workflow -- [2.Group Stamping Job Group](stamping/overview.md) – This job group updates the Notes attribute +- [2.Group Stamping Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/overview.md) – This job group updates the Notes attribute for all security groups to show where the group is provisioned inside the environment. 
- - [AD_GroupCleanup_Permissions Job](stamping/ad_groupcleanup_permissions.md) – This job reports + - [AD_GroupCleanup_Permissions Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md) – This job reports on where security groups are being used to assign permissions. This can be used to prioritize remediation for groups that are rarely used. - - [AD_GroupStamping Job](stamping/ad_groupstamping.md) – This job replaces the Notes attribute + - [AD_GroupStamping Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md) – This job replaces the Notes attribute for all security groups to show where the group is provisioned inside the environment. This overwrites the Notes field with data from Access Analyzer. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md index f447b9188e..a5ecf5c842 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupCleanup_Permissions Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupcleanuppermissionsanalysis.webp) +![Analysis Tasks for the AD_GroupCleanup_Permissions Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupcleanuppermissionsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md index 0b1b07ca9c..2536baf783 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md @@ -12,7 +12,7 @@ AD_GroupStamping** > **Configure** node and select **Analysis** to view the anal **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupStamping Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupstampinganalysis.webp) +![Analysis Tasks for the AD_GroupStamping Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupstampinganalysis.webp) The default analysis tasks are: @@ -32,7 +32,7 @@ the following pre-configured reports. View the action tasks by navigating to the **Active Directory** > **Cleanup** > **1.Groups** > **2. Group Stamping AD_GroupStamping** > **Configure** node and select **Actions**. -![Action Tasks for the AD_GroupStamping Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupstampingaction.webp) +![Action Tasks for the AD_GroupStamping Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupstampingaction.webp) - Stamp Groups – Update Notes field with Permissions diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/overview.md index 0acfb824ee..9b70ab9293 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/overview.md @@ -3,11 +3,11 @@ The 2. Group Stamping Job Group updates the Notes attribute for all security groups to show where the group is provisioned inside the environment. -![2.Group Stamping Job Group in the Jobs Tree](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupsstampingjobtree.webp) +![2.Group Stamping Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/groups/stamping/groupsstampingjobtree.webp) The jobs in the 2. Group Stamping Job Group are: -- [AD_GroupCleanup_Permissions Job](ad_groupcleanup_permissions.md) – Reports on where security +- [AD_GroupCleanup_Permissions Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupcleanup_permissions.md) – Reports on where security groups are being used to assign permissions -- [AD_GroupStamping Job](ad_groupstamping.md) – Updates the Note attribute for all security groups +- [AD_GroupStamping Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/stamping/ad_groupstamping.md) – Updates the Note attribute for all security groups to show where the group is provisioned inside of the environment diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/overview.md index dca6878efb..11cdea9035 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/overview.md 
@@ -11,17 +11,17 @@ negatively impact Active Directory. **_RECOMMENDED:_** Run the actions in a test environment before making changes to a production environment. -![Cleanup Job Group Overview page](../../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Cleanup Job Group Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The job groups in the Cleanup Job Group are: -- [1.Groups Job Group](groups/overview.md) – Provides an automated workflow to safely deprovision +- [1.Groups Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/groups/overview.md) – Provides an automated workflow to safely deprovision groups, as well as the ability to stamp security groups with what resources they are given access to -- [2.Users Job Group](users/overview.md) – Provides an automated workflow to deprovision stale and +- [2.Users Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/overview.md) – Provides an automated workflow to deprovision stale and unused user accounts -- [3.Computers Job Group](computers/overview.md) – Provides an automated workflow to deprovision +- [3.Computers Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/computers/overview.md) – Provides an automated workflow to deprovision stale computer accounts -- [AD_CleanupProgress Job](ad_cleanupprogress.md) – Tracks Active Directory computer, group, and +- [AD_CleanupProgress Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/ad_cleanupprogress.md) – Tracks Active Directory computer, group, and user exceptions over time. This information can be used to provide a high-level picture of an organization's Active Directory cleanup effort. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers.md index 1b03bc9835..dcddbf3af8 100644 
--- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers.md @@ -19,7 +19,7 @@ accounts. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_DeprovisionUsers page has the following configurable parameters: @@ -35,7 +35,7 @@ topic for additional information. Navigate to the **Active Directory** > **Cleanup** > **2.Users** > **AD_DeprovisionUsers** > **Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the AD_DeprovisionUsers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersanalysis.webp) +![Analysis Tasks for the AD_DeprovisionUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersanalysis.webp) The default analysis tasks are: @@ -59,7 +59,7 @@ this job’s analysis. | User Accounts to Delete | @days_before_deleting | 365 | Days in the Stale Users OU before being deleted | See the -[Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. ## Action Tasks for the AD_DeprovisionUsers Job 
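Review bot: The replacement link in the `@@ -59,7` hunk of ad_deprovisionusers.md hard-codes the version segment (`/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md`), whereas the removed `../../../../admin/jobs/job/configure/analysiscustomizableparameters.md` resolved inside whichever version directory the page lives in. If this tree is copied for another release, links written this way will keep pointing at 12.0. Consider keeping file-relative targets for links that stay inside the same versioned tree, or add a build-time link check that fails when a page under one version directory links into another. The `@@ -19,7` hunk in the same file has the same pattern.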
@@ -70,7 +70,7 @@ Navigate to the **Active Directory** > **Cleanup** > **2.Users** > **AD_Deprovis **CAUTION:** Do not enable the actions unless it is required. Disable the actions after execution to prevent making unintended and potentially harmful changes to Active Directory. -![Action Tasks for the AD_DeprovisionUsers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersaction.webp) +![Action Tasks for the AD_DeprovisionUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersaction.webp) The action tasks are: @@ -79,7 +79,7 @@ The action tasks are: - Move Users – Move users to staging OU for deletion - The target OU must be set in the Move Users Action Task prior to executing the action tasks. - See the [Configure the Target OU](../configuretargetou.md) topic for additional information. + See the [Configure the Target OU](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/configuretargetou.md) topic for additional information. - Notify Manager – Notify assigned manager by email of the impending deletion - Disable Users – Disable user accounts diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers_status.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers_status.md index 5bc9d1ef8f..c5de984e43 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers_status.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers_status.md 
@@ -10,7 +10,7 @@ Navigate to the **Active Directory** > **Cleanup** > **2.Users** > **AD_Deprovis **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the AD_DeprovisionUsers_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersstatusanalysis.webp) +![Analysis Tasks for the AD_DeprovisionUsers_Status Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/deprovisionusersstatusanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/overview.md index 33f76e976a..51afd86607 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/overview.md 
@@ -2,13 +2,13 @@ The 2.Users Job Group provides a workflow to deprovision stale and unused user accounts. -![2.Users Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/usersjobtree.webp) +![2.Users Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/users/usersjobtree.webp) The jobs in the 2.Users Job Group are: -- [AD_DeprovisionUsers Job](ad_deprovisionusers.md) – Provides a simple and automated workflow to +- [AD_DeprovisionUsers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers.md) – Provides a simple and automated workflow to deprovisions stale and unused user accounts -- [AD_DeprovisionUsers_Status Job](ad_deprovisionusers_status.md) – Tracks and reports all actions +- [AD_DeprovisionUsers_Status Job](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/users/ad_deprovisionusers_status.md) – Tracks and reports all actions taken by the included Deprovisioning workflow Workflow diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_computerdelegation.md b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_computerdelegation.md index d71a737a3a..df2e973e15 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_computerdelegation.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_computerdelegation.md 
@@ -16,7 +16,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AD_ComputerDelegation Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/computers/computerdelegationanalysis.webp) +![Analysis Task for the AD_ComputerDelegation Job](/img/product_docs/accessanalyzer/solutions/activedirectory/computers/computerdelegationanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_stalecomputers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_stalecomputers.md index a032b75f74..2d78d29b6b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_stalecomputers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_stalecomputers.md @@ -6,7 +6,7 @@ The AD_StaleComputers Job provides details on stale computers that may be candid The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_StaleComputers Job has the following configurable parameters: 
@@ -26,7 +26,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the **2. Summarize by Domain** analysis task. This analysis task is preconfigured for this job. -![Analysis Tasks for the AD_StaleComputers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/computers/stalecomputersanalysis.webp) +![Analysis Tasks for the AD_StaleComputers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/computers/stalecomputersanalysis.webp) The default analysis tasks are: @@ -57,5 +57,5 @@ Analysis parameters that can be customized have the following default values: | 1. Identify Stale Computers | @consider_disable | 1 | A computer object that has been disabled: - Value 1 = Disabled computers are included as stale - Value 0 = Disabled computers are not included as stale | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/overview.md index b792c5ccb4..30cb91b1a7 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/computers/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/computers/overview.md 
@@ -3,16 +3,16 @@ The 3.Computers Job Group help to pinpoint potential areas of administrative concern related to computer accounts, including stale computers and computers that have been trusted for delegation. -![3.Computers Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![3.Computers Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following jobs comprise the 3.Computers Job Group: -- [AD_ComputerDelegation Job](ad_computerdelegation.md) – Provides details on computer accounts that +- [AD_ComputerDelegation Job](/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_computerdelegation.md) – Provides details on computer accounts that have been trusted for delegation. Once this configuration is enabled for a computer, any time an account connects to the computer for any reason, their ticket-granting ticket (TGT) is stored in memory so it can be used later by the computer for impersonation, which exposes a significant security risk in cases where privileged accounts access the computer.  See the [What Is Kerberos Delegation?](https://blog.netwrix.com/2021/11/30/what-is-kerberos-delegation-an-overview-of-kerberos-delegation/) Netwrix blog article for more information about this configuration and the related security risks. -- [AD_StaleComputers Job](ad_stalecomputers.md) – Provides details on stale computers that may be +- [AD_StaleComputers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/computers/ad_stalecomputers.md) – Provides details on stale computers that may be candidates for cleanup diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dcsummary.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dcsummary.md index c055e14adf..82f60412e8 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dcsummary.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dcsummary.md @@ -12,7 +12,7 @@ Navigate to the **Active Directory > 5.Domains > AD_DCSummary > Configure** node **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/dcsummaryanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/dcsummaryanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_domaininfo.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_domaininfo.md index 6cd4b9b7a8..ceb38584fc 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_domaininfo.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_domaininfo.md @@ -11,7 +11,7 @@ following queries: **CAUTION:** Do not modify the queries. The queries are preconfigured for this job. -![Query Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/domaininfoquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/domaininfoquery.webp) The queries for this job are: @@ -32,7 +32,7 @@ Navigate to the **Active Directory > 5.Domains > AD_DomainInfo > Configure** nod **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/domaininfoanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/domaininfoanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dsrmsettings.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dsrmsettings.md index fc85293ac3..170ce250ce 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dsrmsettings.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dsrmsettings.md @@ -4,7 +4,7 @@ The AD_DRSMSettings Job provides details on domain controller registry settings DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this -[Microsoft Document](). +[Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). ## Analysis Tasks for the AD_DSRMSettings Job @@ -14,7 +14,7 @@ Navigate to the **Active Directory > 5.Domains > AD_DSRMSettings > Configure** n **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![dsrmsettingsanalysis](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/dsrmsettingsanalysis.webp) +![dsrmsettingsanalysis](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/dsrmsettingsanalysis.webp) The default analysis tasks are: 
@@ -28,4 +28,4 @@ the following pre-configured report: | Report | Description | Default Tags | Report Elements | | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| DSRM Admin Security | This report highlights domain controller registry settings for the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin account can be used to log in to the domain controller even if it has not been started in DSRM. This is a potential vulnerability. See the Microsoft [Restartable AD DS Step-by-Step Guide]() for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays DSRM admin logon  by domain controller - Table – Provides details on domain controllers | +| DSRM Admin Security | This report highlights domain controller registry settings for the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin account can be used to log in to the domain controller even if it has not been started in DSRM. This is a potential vulnerability. See the Microsoft [Restartable AD DS Step-by-Step Guide](https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx) for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays DSRM admin logon  by domain controller - Table – Provides details on domain controllers | 
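Review bot: The URL added in the DSRM Admin Security row (`https://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx`) differs from the one the `@@ -4,7` hunk of this same file puts into the other previously empty link (the docs.microsoft.com URL ending in `cc732714(v=ws.10)?redirectedfrom=MSDN`). Both carry the article id cc732714, so pick one URL and use it in both places, without the `?redirectedfrom=MSDN` query. The destination also contains literal parentheses inside a Markdown link that sits in a table cell; percent-encoding them as `%28v=ws.10%29` removes the dependency on the renderer balancing parentheses correctly.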
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_kerberoastingrisk.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_kerberoastingrisk.md index ea040cbc14..182d2b595d 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_kerberoastingrisk.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_kerberoastingrisk.md @@ -18,7 +18,7 @@ article for additional information on kerberoasting. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AD_KerberoastingRisk job has the following configurable parameters: @@ -39,7 +39,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_KerberoastingRisk Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/kerberoastingriskanalysis.webp) +![Analysis Tasks for the AD_KerberoastingRisk Job](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/kerberoastingriskanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_domaincontrollers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_domaincontrollers.md index 55b8575aa6..8c5593341e 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_domaincontrollers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_domaincontrollers.md 
@@ -11,7 +11,7 @@ the following queries: **CAUTION:** Except the first query, do not modify the remaining queries. The remaining queries are preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/domaincontrollersquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/domaincontrollersquery.webp) The queries for this job are: @@ -47,11 +47,11 @@ Data Collector. This query can be optionally configured to connect securely with **Step 3 –** Select the **Data Source** tab, and click **Configure**. The LDAP template form wizard opens. -![LDAP template form](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/ldaptemplate.webp) +![LDAP template form](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/ldaptemplate.webp) **Step 4 –** Click **Options**. -![Connection Options](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/ldaptemplateoptions.webp) +![Connection Options](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/ldaptemplateoptions.webp) **Step 5 –** On the Options page, select **Connect Securely with TLS/SSL**. Optionally, select **Ignore Certificate Errors** to connect even if certificate errors occur. Use **Server Port** 686 diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_dsrm.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_dsrm.md index 4fafcd1573..3bda821425 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_dsrm.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_dsrm.md 
@@ -4,7 +4,7 @@ The **0.Collection > AD_DSRM** Job collects data related to domain controller re the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this -[Microsoft Document](). +[Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). ## Query for the AD_DSRM Job @@ -12,10 +12,10 @@ The AD_TimeSync Job uses the Registry Data Collector for the following query: **CAUTION:** Do not modify this query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/dsrmquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/dsrmquery.webp) The queries for this job are: - Check LSA registry keys – Targets all domain controllers check LSA registry keys - - See the [Registry Data Collector](../../../../admin/datacollector/registry.md) topic for + - See the [Registry Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/registry.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_timesync.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_timesync.md index c90c649cf0..070af94e0e 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_timesync.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_timesync.md 
@@ -9,11 +9,11 @@ The AD_TimeSync Job uses the Registry Data Collector for the following query: **CAUTION:** Do not modify this query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/timesyncquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/activedirectory/domains/collection/timesyncquery.webp) The queries for this job are: - Timesync Info – Targets one domain controller per domain known to Access Analyzer to determine TimeSync information from the registry - - See the [Registry Data Collector](../../../../admin/datacollector/registry.md) topic for + - See the [Registry Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/registry.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/overview.md index 75efe16641..6947b1dc08 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/overview.md 
@@ -3,16 +3,16 @@ The **5.Domains > 0.Collection** Job Group collects the data which will be further analyzed in order to provide details on domains, sites, and trusts. -![0.Collection Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The 0.Collection Job Group is comprised of: -- [AD_DomainControllers Job](ad_domaincontrollers.md) – Collects domain controller details which +- [AD_DomainControllers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_domaincontrollers.md) – Collects domain controller details which will be further analyzed in order to provide information on domains, sites, and trusts. -- [AD_DSRM Job](ad_dsrm.md) – Collects data related to domain controller registry settings for the +- [AD_DSRM Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_dsrm.md) – Collects data related to domain controller registry settings for the DSRMAdminLogonBehavior key. If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. Additional information on this registry key is available in this - [Microsoft Document](). -- [AD_TimeSync Job](ad_timesync.md) – Collects TimeSync information from the registry for each + [Microsoft Document](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732714(v=ws.10)?redirectedfrom=MSDN). +- [AD_TimeSync Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/ad_timesync.md) – Collects TimeSync information from the registry for each domain controller within the domain 
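Review bot: The new `[Microsoft Document](...)` target in the AD_DSRM Job bullet carries unescaped parentheses, `cc732714(v=ws.10)`, inside the Markdown link destination, followed by a `?redirectedfrom=MSDN` query string. Rendering then depends on the parser accepting balanced parentheses in a destination; writing them as `%28v=ws.10%29` removes that dependency, and the query string looks like a redirect marker that can likely be dropped. The same URL is added in ad_dsrm.md, so both occurrences should change together. Separately, the `0.Collection Job Group` image on this Active Directory page still resolves under `solutions/exchange/databases/collection/`, which is worth confirming as the intended screenshot while the path is being touched.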
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/overview.md index f3b3f1046f..42e6518c9a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/overview.md 
@@ -3,23 +3,23 @@ The 5.Domains job group provides details on domains, sites, and trusts, and highlights domain level configurations that may leave your environment at risk. -![Domains Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Domains Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following components comprises the 5.Domains job group: -- [0.Collection Job Group](collection/overview.md) – Collects the data which will be further +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/collection/overview.md) – Collects the data which will be further analyzed in order to provide details on domains, sites, and trusts -- [AD_DCSummary Job](ad_dcsummary.md) – Provides operational reporting related to the details +- [AD_DCSummary Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dcsummary.md) – Provides operational reporting related to the details collected for each domain controller. For each domain controller, the report identifies the FSMO role, whether it is a bridgehead server, whether it is a global catalog, and the time server it syncs to. -- [AD_DomainInfo Job](ad_domaininfo.md) – Provides operational reporting related to the collected +- [AD_DomainInfo Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_domaininfo.md) – Provides operational reporting related to the collected domains, sites, and trusts, providing details such as high level object counts by domain or site, domain and forest functional levels, and types and directions of trusts -- [AD_DSRMSettings Job](ad_dsrmsettings.md) – Provides details on domain controller registry +- [AD_DSRMSettings Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_dsrmsettings.md) – Provides details on domain controller registry settings for the DSRMAdminLogonBehavior key. 
If this key is set to 1 or 2, the DSRM Admin Account can be used to log in to the domain controller even if it has not been started in DSRM which can present a potential security vulnerability. -- [AD_KerberoastingRisk Job](ad_kerberoastingrisk.md) – Identifies accounts vulnerable to +- [AD_KerberoastingRisk Job](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/ad_kerberoastingrisk.md) – Identifies accounts vulnerable to kerberoasting. Kerberoasting is a threat where attackers target service accounts in Active Directory to steal their passwords. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/recommended.md b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/recommended.md index ab02e811d7..0de8af7da7 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/domains/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/domains/recommended.md @@ -47,7 +47,7 @@ modified. The following query can be modified to use a secure connection with TLS/SSL: - Domain Controller Listing Query which uses the - [LDAP Data Collector](../../../admin/datacollector/ldap.md) + [LDAP Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ldap.md) Workflow diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_cpassword.md b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_cpassword.md index 9e3629c69f..56f46c5e13 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_cpassword.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_cpassword.md 
@@ -16,14 +16,14 @@ The AD_CPassword Job uses the PowerShell Data Collector for the following query: **CAUTION:** Do not modify the query. The query is preconfigured for this job -![Query for the AD_CPassword Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/cpasswordquery.webp) +![Query for the AD_CPassword Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/cpasswordquery.webp) The queries for this job are: - Sysvol – Targets one domain controller per domain known to Access Analyzer to determine CPassword security - - See the [PowerShell Data Collector](../../../admin/datacollector/powershell/overview.md) topic + - See the [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) topic for additional information. In addition to the tables created by the data collector, the AD_CPassword Job produces the following diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_grouppolicy.md b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_grouppolicy.md index 4419a9c79d..0ca115f145 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_grouppolicy.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_grouppolicy.md @@ -9,7 +9,7 @@ The AD_GroupPolicy Job uses the GroupPolicy Data Collector for the following que **CAUTION:** Do not modify the queries. The queries are preconfigured for this job. -![Queries for the AD_GroupPolicy Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyquery.webp) +![Queries for the AD_GroupPolicy Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyquery.webp) The queries for this job are: 
@@ -17,7 +17,7 @@ The queries for this job are: list for the domain - Settings – Targets the default domain controller known to Access Analyzer to return the state for domain policies for all GPOs. See the - [GroupPolicy Data Collector](../../../admin/datacollector/grouppolicy/overview.md) topic for + [GroupPolicy Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/grouppolicy/overview.md) topic for additional information. ## Analysis Tasks for the AD_GroupPolicy Job @@ -28,7 +28,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupPolicy Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyanalysis.webp) +![Analysis Tasks for the AD_GroupPolicy Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_overlappinggpos.md b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_overlappinggpos.md index fc24559d4f..edda88d3ab 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_overlappinggpos.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_overlappinggpos.md @@ -11,7 +11,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected first analysis task. The first analysis task is preconfigured for this job. -![Analysis Tasks for the AD_OverlappingGPOs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/overlappinggposanalysis.webp) +![Analysis Tasks for the AD_OverlappingGPOs Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/overlappinggposanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_passwordpolicies.md b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_passwordpolicies.md index ef47486b76..c4100081d4 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_passwordpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_passwordpolicies.md @@ -10,14 +10,14 @@ The AD_PasswordPolicies Job uses the LDAP Data Collector for the following query **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_PasswordPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/passwordpoliciesquery.webp) +![Query for the AD_PasswordPolicies Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/passwordpoliciesquery.webp) The query for this job is: - Fine-grained Policies – Targets one domain controller per domain known to Access Analyzer to return fine-grained password policies - - See the [LDAP Data Collector](../../../admin/datacollector/ldap.md) topic for additional + - See the [LDAP Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ldap.md) topic for additional information ## Analysis Task for the AD_PasswordPolicies Job @@ -28,7 +28,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the AD_PasswordPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/passwordpoliciesanalysis.webp) +![Analysis Task for the AD_PasswordPolicies Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/passwordpoliciesanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/overview.md index 02ec50bfe5..3c28b55555 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/overview.md @@ -4,11 +4,11 @@ The 4.Group Policy Job Group audits GPOs and their settings, and provides in dep conditions such as where GPOs have been linked, misconfigurations that can cause security or operational issues, and redundant GPOs that can be consolidated. -![4.Group Policy Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4.Group Policy Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following components comprise the 4.Group Policy Job Group: -- [AD_CPassword Job](ad_cpassword.md) – Identifies passwords that are stored in Group Policy +- [AD_CPassword Job](/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_cpassword.md) – Identifies passwords that are stored in Group Policy Preferences which present a security risk allowing attackers access to these passwords. Microsoft published the AES private key, which can be used to decrypt passwords stored in Group Policy Preferences. See the Microsoft 
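Review bot: The AD_CPassword Job bullet's context line says Microsoft published the "AES private key"; AES is a symmetric cipher, so there is one shared key and no private half. Since this bullet is already being edited, change the wording to "AES key" so the stated risk reads accurately: the published key decrypts any password stored in Group Policy Preferences.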
@@ -18,11 +18,11 @@ The following components comprise the 4.Group Policy Job Group: SYSVOL to decrypt them. GPOs can be stored in the `%ProgramData%\Microsoft\Group Policy\History` folder on each machine, meaning any results found by this job should be deleted off every computer once this policy has been removed. -- [AD_GroupPolicy Job](ad_grouppolicy.md) – Audits all Group Policies that are present on the Domain +- [AD_GroupPolicy Job](/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_grouppolicy.md) – Audits all Group Policies that are present on the Domain Controller, and provides details on the containers they are linked to and the settings that are configured -- [AD_OverlappingGPOs Job](ad_overlappinggpos.md) – Identifies conflicting and redundant GPO +- [AD_OverlappingGPOs Job](/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_overlappinggpos.md) – Identifies conflicting and redundant GPO settings based on link location. These GPO settings should be cleaned up or consolidated. -- [AD_PasswordPolicies Job](ad_passwordpolicies.md) – Identifies fine-grained domain password +- [AD_PasswordPolicies Job](/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/ad_passwordpolicies.md) – Identifies fine-grained domain password policies that are stored within the Password Settings Container. Fine-Grained password policies allow AD administrators to apply different password policies within a single domain. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_circularnesting.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_circularnesting.md index af68c8aa54..c34313f0e7 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_circularnesting.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_circularnesting.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CircularNesting Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) +![Analysis Tasks for the AD_CircularNesting Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) The default analysis tasks are : diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_dclogongroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_dclogongroups.md index a3d93e7327..d301af9757 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_dclogongroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_dclogongroups.md @@ -13,7 +13,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DCLogonGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/dclogongroupsanalysis.webp) +![Analysis Tasks for the AD_DCLogonGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/dclogongroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_duplicategroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_duplicategroups.md index 6ff45a97f7..7023bb8c7a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_duplicategroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_duplicategroups.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AD_DuplicateGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) +![Analysis Task for the AD_DuplicateGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_emptygroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_emptygroups.md index 0a181169f0..a778449737 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_emptygroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_emptygroups.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_EmptyGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) +![Analysis Tasks for the AD_EmptyGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_groupprobableowners.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_groupprobableowners.md index 4321f3aea0..f062c28785 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_groupprobableowners.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_groupprobableowners.md 
@@ -12,7 +12,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupProbableOwners Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/groupprobableownersanalysis.webp) +![Analysis Tasks for the AD_GroupProbableOwners Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/groupprobableownersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_largestgroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_largestgroups.md index 41b224d90e..4d046db454 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_largestgroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_largestgroups.md @@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AD_LargestGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) +![Analysis Task for the AD_LargestGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_mailsecuritygroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_mailsecuritygroups.md index 88ed9078f1..0f342376ae 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_mailsecuritygroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_mailsecuritygroups.md 
@@ -10,7 +10,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_MailSecurityGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/mailsecuritygroupsanalysis.webp) +![Analysis Tasks for the AD_MailSecurityGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/mailsecuritygroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_nestedgroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_nestedgroups.md index ff454d3257..7b05c6f845 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_nestedgroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_nestedgroups.md @@ -13,7 +13,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_NestedGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) +![Analysis Tasks for the AD_NestedGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_sensitivesecuritygroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_sensitivesecuritygroups.md index 1e065ee2f7..71bef16cdf 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_sensitivesecuritygroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_sensitivesecuritygroups.md 
@@ -13,7 +13,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_SensitiveSecurityGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/sensitivesecuritygroupsanalysis.webp) +![Analysis Tasks for the AD_SensitiveSecurityGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/sensitivesecuritygroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_stalegroups.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_stalegroups.md index 8acc1dd01b..6f4b9c031d 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_stalegroups.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_stalegroups.md @@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_StaleGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) +![Analysis Tasks for the AD_StaleGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/overview.md index e0fd9fa891..7693187791 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/groups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/groups/overview.md 
@@ -3,58 +3,58 @@ The 1.Groups Job Group identifies effective group membership and pinpoints potential areas of administrative concern such as nested or stale groups. -![1.Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following jobs comprise the 1.Groups Job Group: -- [AD_CircularNesting Job](ad_circularnesting.md) – Identifies circularly nested groups within +- [AD_CircularNesting Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_circularnesting.md) – Identifies circularly nested groups within Active Directory which can pose administrative and operational challenges with identifying effective access to resources -- [AD_DCLogonGroups Job](ad_dclogongroups.md) – Identifies users who are able to log on to Domain +- [AD_DCLogonGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_dclogongroups.md) – Identifies users who are able to log on to Domain Controllers through effective membership to the Enterprise Admins, Domain Admins, Administrators, Backup Operators, Account Operators, Print Operators, or Remote Desktop Users groups. This type of access should be limited to only those individuals who require this level of administrative privileges. -- [AD_DuplicateGroups Job](ad_duplicategroups.md) – Identifies duplicate groups within Active +- [AD_DuplicateGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_duplicategroups.md) – Identifies duplicate groups within Active Directory. Duplicate groups contain the same group membership as one another and are suitable candidates for cleanup. 
-- [AD_EmptyGroups Job](ad_emptygroups.md) – Identifies empty and single member groups which are +- [AD_EmptyGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_emptygroups.md) – Identifies empty and single member groups which are suitable candidates for consolidation or cleanup -- [AD_GroupProbableOwners Job](ad_groupprobableowners.md) – Determines potential owners for Active +- [AD_GroupProbableOwners Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_groupprobableowners.md) – Determines potential owners for Active Directory Groups which can be used to perform automated membership reviews and enable self-service group management and membership requests -- [AD_LargestGroups Job](ad_largestgroups.md) – Identifies groups with large effective member +- [AD_LargestGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_largestgroups.md) – Identifies groups with large effective member counts. These types of groups may cause administrative overhead and burden in being able to easily understand who is getting access to resources, or how much access is being granted to resources through these groups. - The definition of a large group is set by the **.Active Directory Inventory** > **3-AD_Exceptions** Job. It can be customized. See the - [3-AD_Exceptions Job](../../activedirectoryinventory/3-ad_exceptions.md) topic for additional + [3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) topic for additional information. 
-- [AD_MailSecurityGroups Job](ad_mailsecuritygroups.md) – Identifies mail-enabled security groups +- [AD_MailSecurityGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_mailsecuritygroups.md) – Identifies mail-enabled security groups within Active Directory -- [AD_NestedGroups Job](ad_nestedgroups.md) – Identifies nested groups within Active Directory and +- [AD_NestedGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_nestedgroups.md) – Identifies nested groups within Active Directory and provides details such as the levels of nesting. While Active Directory provides the ability to nest certain types of groups within other groups, Microsoft recommends nesting does not go beyond two levels in order to avoid difficulties in understanding effective membership and access. - The definition of a deeply nested group is set by the **.Active Directory Inventory** > **3-AD_Exceptions** Job. It can be customized. See the - [3-AD_Exceptions Job](../../activedirectoryinventory/3-ad_exceptions.md) topic for additional + [3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) topic for additional information. -- [AD_SensitiveSecurityGroups Job](ad_sensitivesecuritygroups.md) – Identifies users who are granted +- [AD_SensitiveSecurityGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_sensitivesecuritygroups.md) – Identifies users who are granted administrative access within Active Directory through membership to the Enterprise Admins, Domain Admins, Schema Admins, DNS Admins, or Administrators groups. This level of access should be limited to only those individuals who require this level of administrative privileges. -- [AD_StaleGroups Job](ad_stalegroups.md) – Identifies groups that contain potentially stale users. 
+- [AD_StaleGroups Job](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/ad_stalegroups.md) – Identifies groups that contain potentially stale users. Users are considered stale if they have never logged onto the domain, have not logged onto the domain in the past 60 days, or are disabled. These group memberships should be reviewed and possibly removed. - The definition of a stale user” is set by the **.Active Directory Inventory** > **3-AD_Exceptions** Job. It can be customized. See the - [3-AD_Exceptions Job](../../activedirectoryinventory/3-ad_exceptions.md) topic for additional + [3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md index a3dbc374eb..1c89216e84 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/overview.md 
@@ -16,17 +16,17 @@ article for additional information. Requirements, Permissions, and Ports -See the [Active Directory Domain Target Requirements](../../config/activedirectory/overview.md) +See the [Active Directory Domain Target Requirements](/docs/accessanalyzer/12.0/config/activedirectory/overview.md) topic for additional information. Location The Active Directory Solution requires a special Access Analyzer license. It can be installed from the Access Analyzer Instant Job Wizard. See the -[Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. Once installed into the Jobs tree, navigate to the solution: **Jobs** > **Active Directory**. -![Active Directory Solution](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/solutionoverview.webp) +![Active Directory Solution](/img/product_docs/accessanalyzer/solutions/activedirectory/solutionoverview.webp) Each job group works independently from the other job groups. Some job groups run analysis tasks against the analyzed data collected by the .Active Directory Inventory Solution to generate reports, 
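Review bot: Every rewritten link in this hunk now embeds the version directory, for example `/docs/accessanalyzer/12.0/config/activedirectory/overview.md`, where the removed `../../config/activedirectory/overview.md` resolved inside whichever version tree the file lives in. If the 12.0 tree is copied to create the next release, these links will keep pointing at 12.0 and nothing in this change would flag it. Either document that a version bump requires a path rewrite across the tree, or add a link check that flags a doc linking outside its own version directory.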
@@ -44,41 +44,41 @@ information every administrator needs for Active Directory configuration, operat troubleshooting, analyzing effective permissions, and tracking who is making what changes within an organization. -![Active Directory Job Group](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/adsolutionjobgroup.webp) +![Active Directory Job Group](/img/product_docs/accessanalyzer/solutions/activedirectory/adsolutionjobgroup.webp) The following job groups comprise the Active Directory solution: -- [1.Groups Job Group](groups/overview.md) – Identifies effective group membership and pinpoints +- [1.Groups Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/groups/overview.md) – Identifies effective group membership and pinpoints potential areas of administrative concern such as nested or stale groups -- [2.Users Job Group](users/overview.md) – Identifies user conditions and pinpoint potential areas +- [2.Users Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/users/overview.md) – Identifies user conditions and pinpoint potential areas of administrative concern such as weak passwords, user token size, or stale users -- [3.Computers Job Group](computers/overview.md) – Pinpoints potential areas of administrative +- [3.Computers Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/computers/overview.md) – Pinpoints potential areas of administrative concern related to computer accounts, including stale computers and computers that have been trusted for delegation -- [4.Group Policy Job Group](grouppolicy/overview.md) – Audits GPOs and their settings, and provides +- [4.Group Policy Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/grouppolicy/overview.md) – Audits GPOs and their settings, and provides in depth analysis of conditions such as where GPOs have been linked, misconfigurations that can cause security or operational issues, and redundant GPOs that can be consolidated -- [5.Domains Job 
Group](domains/overview.md) – Provides details on domains, sites, and trusts, and +- [5.Domains Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/domains/overview.md) – Provides details on domains, sites, and trusts, and highlight domain level configurations that may leave your environment at risk -- [6.Activity Job Group](activity/overview.md) – Provides insights into access sprawl, privileged +- [6.Activity Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/activity/overview.md) – Provides insights into access sprawl, privileged account usage, and operational health of the Active Directory environment. Information collected includes Active Directory Changes, Authentication, LDAP Traffic, Replication Traffic, and LSASS.EXE process injection on domain controllers - Requires the Active Directory Activity license feature to function -- [7.Certificate Authority Job Group](certificateauthority/overview.md) – Collects settings, +- [7.Certificate Authority Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/certificateauthority/overview.md) – Collects settings, permissions, and configurations for Certificate Authorities. It details access rights for the Certificate Authority and reports on certificate requests, highlighting any that might expire soon. -- [Cleanup Job Group](cleanup/overview.md) – Identifies potential stale and unused users, computers, +- [Cleanup Job Group](/docs/accessanalyzer/12.0/solutions/activedirectory/cleanup/overview.md) – Identifies potential stale and unused users, computers, and groups as well as issues with group membership. Remediation workflows are included to de-provision unnecessary objects to help increase security and reduce complexity. 
- Requires the Active Directory Actions license feature to function - Requires the Active Directory Actions Module to be installed -- [AD Security Assessment Job](ad_securityassessment.md) – Summarizes security related results from +- [AD Security Assessment Job](/docs/accessanalyzer/12.0/solutions/activedirectory/ad_securityassessment.md) – Summarizes security related results from the Active Directory solution and the Active Directory Permissions Analyzer solution Since each job group within the Active Directory solution is designed to run independently, refer to diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_directmembership.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_directmembership.md index ff1db6786e..a8059bc74a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_directmembership.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_directmembership.md @@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DirectMembership Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/directmembershipanalysis.webp) +![Analysis Tasks for the AD_DirectMembership Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/directmembershipanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_duplicateusers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_duplicateusers.md index 48d204b964..663bdb6231 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_duplicateusers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_duplicateusers.md 
@@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DuplicateUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/duplicateusersanalysis.webp) +![Analysis Tasks for the AD_DuplicateUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/duplicateusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_orphanedusers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_orphanedusers.md index 09448bbf5c..923d940c5a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_orphanedusers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_orphanedusers.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_OrphanedUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/orphanedusersanalysis.webp) +![Analysis Tasks for the AD_OrphanedUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/orphanedusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_passwordstatus.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_passwordstatus.md index 7e0a3f6807..88c5089c62 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_passwordstatus.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_passwordstatus.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigure for this job. -![Analysis Tasks for the AD_PasswordStatus Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/passwordstatusanalysis.webp) +![Analysis Tasks for the AD_PasswordStatus Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/passwordstatusanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_serviceaccounts.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_serviceaccounts.md index 38aae38a49..40f8dfcea9 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_serviceaccounts.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_serviceaccounts.md @@ -7,7 +7,7 @@ msDS-SupportedEncryptionTypes value supports RC4 as the highest encryption type. _Remember,_ the 1-AD_Scan Job needs to be configured to collect these Custom Attributes: - servicePrincipalName – Provides service account information. See the Microsoft - [Service Principal Names]() + [Service Principal Names](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961723(v=technet.10)) article for additional information. - msDS-SupportedEncryptionTypes – Identifies service accounts vulnerable to Kerberoasting attacks @@ -19,7 +19,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the AD_ServiceAccounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/serviceaccountsanalysis.webp) +![Analysis Task for the AD_ServiceAccounts Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/serviceaccountsanalysis.webp) The default analysis tasks are: 
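Review bot: In ad_serviceaccounts.md (hunk @@ -7,7 +7,7) the new link destination ends in `cc961723(v=technet.10)`, so the URL's own parentheses sit inside the Markdown `(...)` destination. Balanced parentheses are allowed by CommonMark, but not every renderer or link checker parses them the same way; if the site's toolchain truncates the URL at the first `)`, percent-encode the pair as `%28` and `%29`. Because the old target was an empty `()`, also confirm that the rendered link opens the intended Service Principal Names article.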
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_sidhistory.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_sidhistory.md index cfdc19b9a3..4715dc7bb4 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_sidhistory.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_sidhistory.md @@ -13,7 +13,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_SIDHistory Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/sidhistoryanalysis.webp) +![Analysis Tasks for the AD_SIDHistory Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/sidhistoryanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_staleusers.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_staleusers.md index 4f8aa5bcab..c5a3cceb5e 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_staleusers.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_staleusers.md @@ -8,7 +8,7 @@ cleaned up in order to increase security and reduce complexity. parameters, including the number of days since last login to be considered stale (by default 60 days), can be customized within the **.Active Directory Inventory** > **3-AD_Exceptions** job's **Stale Users** analysis task. See the -[3-AD_Exceptions Job](../../activedirectoryinventory/3-ad_exceptions.md) topic for additional +[3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) topic for additional information. ## Analysis Tasks for the AD_StaleUsers Job 
@@ -19,7 +19,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_StaleUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) +![Analysis Tasks for the AD_StaleUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userattributecompletion.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userattributecompletion.md index f91fc0c097..0960e3e717 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userattributecompletion.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userattributecompletion.md @@ -12,7 +12,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_UserAttributeCompletion Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/userattributecompletionanalysis.webp) +![Analysis Tasks for the AD_UserAttributeCompletion Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/userattributecompletionanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userdelegation.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userdelegation.md index 98e27e5b95..5c81f948c0 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userdelegation.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userdelegation.md 
@@ -14,7 +14,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AD_UserDelegation Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/userdelegationanalysis.webp) +![Analysis Task for the AD_UserDelegation Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/userdelegationanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_usertoken.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_usertoken.md index cba65a1529..38c448fe7c 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_usertoken.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_usertoken.md @@ -14,7 +14,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AD_UserToken Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/usertokenanalysis.webp) +![Analysis Task for the AD_UserToken Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/usertokenanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md index 5e4cfcd31e..2d44662cae 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md 
@@ -7,13 +7,13 @@ dictionaries and other exceptions. Exceptions include: - AES Key Missing – Account is set up using older functional AD levels, so has no AES key. These accounts use weaker encryption methods susceptible to brute force attacks. - Clear Text Password – Account has passwords stored with reversible encryption. See the Microsoft - [Store passwords using reversible encryption]() + [Store passwords using reversible encryption](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994559(v=ws.11)) article for additional information. - Default Computer Password – Computer has default computer passwords set - Delegable Admins – Administrator account is allowed to be delegated to a service - DES Encryption Only – Account is using Kerberos DES encryption. DES encryption is considered weak as the 56-bit key is prone to brute force attacks. See the Microsoft - [AD DS: User accounts and trusts in this domain should not be configured for DES only]() + [AD DS: User accounts and trusts in this domain should not be configured for DES only](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff646918(v=ws.10)) article for additional information. - Empty Password – Account has an empty password - Kerberos Pre-authentication is not required – Account does not require Kerberos 
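Review bot: Both Microsoft links filled in by this hunk of ad_weakpasswords.md use the `docs.microsoft.com` host and `previous-versions` archive paths (the Windows Server 2012 R2/2012 and 2008 R2/2008 libraries). Microsoft documentation now lives on learn.microsoft.com, so these targets depend on a redirect; point them at learn.microsoft.com directly and, where a current article covers reversible encryption and DES-only accounts, prefer it over the archived page. The `en-us` segment can also be dropped so readers are served their own locale.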
@@ -35,14 +35,14 @@ dictionaries and other exceptions. Exceptions include: The AD_WeakPasswords Job uses the PasswordSecurity Data Collector. -![Query for the AD_WeakPasswords Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/weakpasswordsquery.webp) +![Query for the AD_WeakPasswords Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/weakpasswordsquery.webp) The query for this job are: - Weak Passwords – Collects password hashes to identify weak passwords - See the - [PasswordSecurity Data Collector](../../../admin/datacollector/passwordsecurity/overview.md) + [PasswordSecurity Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/overview.md) topic for additional information ### Configure the Weak Passwords Query 
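Review bot: The context line `The query for this job are:` directly below the changed image line has a subject-verb mismatch, and the list under it holds a single query. Since this hunk already touches the section, change it to `The query for this job is:`.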
@@ -58,21 +58,21 @@ Properties**. The Query Properties window opens. **Step 3 –** Select the Data Source tab, and click **Configure**. The Password Security Data Collector Wizard opens. -![Password Security Data Collection Wizard Scan options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/optionsweakpassword.webp) +![Password Security Data Collection Wizard Scan options page](/img/product_docs/accessanalyzer/solutions/activedirectory/users/optionsweakpassword.webp) **CAUTION:** Read the warning prior to enabling the cleartext password feature. **Step 4 –** On the Options page, configure the scan options by enabling communication with the Active Directory via SSL or returning cleartext password entries. -![Password Security Data Collection Wizard Dictionary options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/dictionariesweakpassword.webp) +![Password Security Data Collection Wizard Dictionary options page](/img/product_docs/accessanalyzer/solutions/activedirectory/users/dictionariesweakpassword.webp) **Step 5 –** On the Dictionaries page, configure the dictionary options by enabling the Netwrix weak password dictionary or click **Add…** to upload a custom dictionary with NTLM hashes or plaintext passwords to use during the scan. - See the - [PasswordSecurity: Dictionaries](../../../admin/datacollector/passwordsecurity/dictionaries.md) + [PasswordSecurity: Dictionaries](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md) topic for additional information **Step 6 –** Navigate to the Summary page, click **Finish** to save any setting modifications or 
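Review bot: The `**CAUTION:** Read the warning prior to enabling the cleartext password feature.` line kept as context in this hunk does not say which warning is meant or where it appears, and Step 4 then lists `returning cleartext password entries` as an ordinary scan option. While this section is being touched, name the location of the warning (wizard page or topic) and link to it the way Step 5 links to the Dictionaries topic, so the reader sees the risk before enabling the option.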
@@ -88,7 +88,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_WeakPasswords Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/weakpasswordsanalysis.webp) +![Analysis Tasks for the AD_WeakPasswords Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/weakpasswordsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/overview.md index d98a14859c..a6e7cdce23 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/overview.md 
@@ -3,40 +3,40 @@ The 2.Users Job Group identifies user conditions and pinpoint potential areas of administrative concern such as weak passwords, user token size, or stale users. -![2.Users Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Users Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following components comprise the 2.Users Job Group: -- [AD_DirectMembership Job](ad_directmembership.md) – Identifies users who do not have any group +- [AD_DirectMembership Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_directmembership.md) – Identifies users who do not have any group membership. This condition may indicate unnecessary user accounts that are suitable candidates for review and cleanup. -- [AD_DuplicateUsers Job](ad_duplicateusers.md) – Identifies multiple user accounts which may be +- [AD_DuplicateUsers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_duplicateusers.md) – Identifies multiple user accounts which may be owned by a single employee. A user may have accounts in multiple domains or administrative accounts with greater access than their normal account. -- [AD_OrphanedUsers Job](ad_orphanedusers.md) – Identifies users whose managers are stale or +- [AD_OrphanedUsers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_orphanedusers.md) – Identifies users whose managers are stale or disabled. These user accounts should be reviewed and appropriate management should be assigned. 
-- [AD_PasswordStatus Job](ad_passwordstatus.md) – Highlights potential issues with user password +- [AD_PasswordStatus Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_passwordstatus.md) – Highlights potential issues with user password settings that may exploited or compromised if not addressed -- [AD_ServiceAccounts Job](ad_serviceaccounts.md) – Offers information about service accounts and if +- [AD_ServiceAccounts Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_serviceaccounts.md) – Offers information about service accounts and if they are vulnerable to Kerberoasting. An account is deemed vulnerable to a Kerberoasting attack if the msDS-SupportedEncryptionTypes value supports RC4 as the highest encryption type. -- [AD_SIDHistory Job](ad_sidhistory.md) – Enumerates historical SIDs in the audited environment and +- [AD_SIDHistory Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_sidhistory.md) – Enumerates historical SIDs in the audited environment and highlights exceptions involving the SIDHistory attribute on AD user objects. Specific conditions include when a user has a historical SID from their current domain, or when a non-admin user has a historical SID with administrative rights, both of which may be indicators of compromise. -- [AD_StaleUsers Job](ad_staleusers.md) – Identifies potentially stale users based on the amount of +- [AD_StaleUsers Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_staleusers.md) – Identifies potentially stale users based on the amount of time since their last login to the domain, or if the account has been disabled. These accounts should be reviewed and cleaned up in order to increase security and reduce complexity. 
-- [AD_UserAttributeCompletion Job](ad_userattributecompletion.md) – Identifies which attributes are +- [AD_UserAttributeCompletion Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userattributecompletion.md) – Identifies which attributes are present within User fields in Active Directory, and which ones are blank for a majority of objects. This may indicate accounts within Active Directory which are lacking appropriate information. -- [AD_UserDelegation Job](ad_userdelegation.md) – Highlights user accounts which are trusted for +- [AD_UserDelegation Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_userdelegation.md) – Highlights user accounts which are trusted for delegation. Kerberos delegation enables an application to access resources hosted on a different server, and opens up several avenues to compromise based on the type of delegation enabled. -- [AD_UserToken Job](ad_usertoken.md) – Identifies and reports the number of SIDS and estimated +- [AD_UserToken Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_usertoken.md) – Identifies and reports the number of SIDS and estimated token size associated with each user. Token bloat can lead to issues during login and can also cause applications that use Kerberos authentication to fail. -- [AD_WeakPasswords Job](ad_weakpasswords.md) – Analyzes user account password hashes to determine +- [AD_WeakPasswords Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md) – Analyzes user account password hashes to determine how easily each could be compromised or the likelihood their passwords are known through comparison with compromised password dictionaries and other exceptions diff --git a/docs/accessanalyzer/12.0/solutions/activedirectory/users/recommended.md b/docs/accessanalyzer/12.0/solutions/activedirectory/users/recommended.md index 77aad8b9cb..d0860e612a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectory/users/recommended.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectory/users/recommended.md @@ -14,9 +14,9 @@ Dependencies - For the **AD_WeakPassword** Job: - Requires the DSInternals PowerShell Module, which is a third-party package. See the - [AD_WeakPasswords Job](ad_weakpasswords.md) topic for additional information. + [AD_WeakPasswords Job](/docs/accessanalyzer/12.0/solutions/activedirectory/users/ad_weakpasswords.md) topic for additional information. - The AD_WeakPasswords Job depends on a dictionary file. See the - [PasswordSecurity: Dictionaries](../../../admin/datacollector/passwordsecurity/dictionaries.md) + [PasswordSecurity: Dictionaries](/docs/accessanalyzer/12.0/admin/datacollector/passwordsecurity/dictionaries.md) topic for additional information. **_RECOMMENDED:_** If this job is not to be used, disable the job to prevent execution when the @@ -35,7 +35,7 @@ Only the **AD_WeakPasswords** Job requires a Connection Profile. It must be set **AD_WeakPasswords** Job (through the Job Properties window) with Domain Administrator privileges. **NOTE:** The **AD_WeakPassword** Job can be executed with a least privilege credential. See the -[Active Directory Auditing Configuration](../../../config/activedirectory/access.md) topic for +[Active Directory Auditing Configuration](/docs/accessanalyzer/12.0/config/activedirectory/access.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md index ef35c4f958..89db6e5106 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md 
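Review bot: In recommended.md the job name is written `AD_WeakPassword` in the context lines (`For the **AD_WeakPassword** Job:` and the `**NOTE:**` line) but `AD_WeakPasswords` in the link text this patch rewrites and in the target file name ad_weakpasswords.md. Use `AD_WeakPasswords` throughout. The second hunk also leaves the Connection Profile sentence requiring Domain Administrator privileges next to a NOTE saying a least privilege credential works; state which one is recommended and link the least privilege setup from the requirement itself.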
@@ -9,7 +9,7 @@ Directory, see the [Enable SSL Option](#enable-ssloption) topic for additional The 1-AD_Scan Job uses the ADInventory Data Collector for the following query: -![Queries for the 1-AD Scan Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scanqueries.webp) +![Queries for the 1-AD Scan Job](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scanqueries.webp) - AD Inventory – Targets a domain controller to collect inventory data for user, group, and computer objects @@ -36,7 +36,7 @@ DC Wizard opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Active Directory Inventory DC Wizard Options page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptions.webp) +![Active Directory Inventory DC Wizard Options page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptions.webp) **Step 4 –** (Optional) On the Options page, you can: 
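Review bot: The image paths in these 1-ad_scan.md hunks change from repository-relative (`../../../../../static/img/...`) to root-absolute (`/img/product_docs/...`), which resolves only once the site build serves `static/` at the site root. The images will no longer render in a plain Markdown preview of the repository, and they break if the site is ever published under a sub-path. Confirm that the build validates image paths (a broken-image check in CI) before merging a rewrite of this size.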
@@ -44,14 +44,14 @@ purpose of this job. - Configure the differential scan settings using the **Collect only updates since last scan** settings -See the [ADInventory: Options](../../admin/datacollector/adinventory/options.md) topic for more +See the [ADInventory: Options](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/options.md) topic for more information. -![Active Directory Inventory DC Wizard Custom Attributes page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributes.webp) +![Active Directory Inventory DC Wizard Custom Attributes page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributes.webp) **Step 5 –** (Optional) On the Custom Attributes page, add any desired custom attributes to be used in the Active Directory scan. See the -[ADInventory: Custom Attributes](../../admin/datacollector/adinventory/customattributes.md) +[ADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md) topic for additional information. **Step 6 –** Navigate to the Summary page. Click **Finish** to save any setting modifications or @@ -74,7 +74,7 @@ View the analysis tasks by navigating to the **.Active Directory Inventory** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 1-AD_Scan Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scananalysis.webp) +![Analysis Tasks for the 1-AD_Scan Job](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scananalysis.webp) The following analysis tasks are selected by default: 
@@ -98,7 +98,7 @@ have been accidentally hidden: - Remove ADI Stored Procedures – Removes the built-in ADI stored procedures In addition to the tables and views explained in the -[Standard Reference Tables & Views for the ADInventory Data Collector](../../admin/datacollector/adinventory/standardtables.md) +[Standard Reference Tables & Views for the ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md) topic, the 1-AD_Scan Job produces the following pre-configured report: | Report | Description | Default Tags | Report Elements | @@ -119,7 +119,7 @@ Follow the steps to add the custom attributes. **Step 1 –** Navigate to the Active Directory Inventory DC Wizard for the AD Inventory Query within the 1-AD_Scan Job. -![Active Directory Inventory DC Wizard Options page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptionsnfs.webp) +![Active Directory Inventory DC Wizard Options page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptionsnfs.webp) **Step 2 –** Navigate to the Options page. Ensure the **Collect only updates since last scan** option is deselected. 
@@ -127,11 +127,11 @@ option is deselected. **NOTE:** Whenever query configurations are modified, it is necessary to do a full scan. After the first full scan, differential scanning can be re-enabled. -![Active Directory Inventory DC Wizard Custom Attributes page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributesnfs.webp) +![Active Directory Inventory DC Wizard Custom Attributes page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributesnfs.webp) **Step 3 –** Use the **Next** button to navigate to the Custom Attributes page. Add both **uid** and **uidNumber** attributes to the existing list of custom attributes. See the -[ADInventory: Custom Attributes](../../admin/datacollector/adinventory/customattributes.md) +[ADInventory: Custom Attributes](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/customattributes.md) topic for additional information. - **uid** attribute: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md index e87448338d..a2e4ee7a40 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md @@ -18,7 +18,7 @@ View the analysis tasks by navigating to the **.Active Directory Inventory** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 2-AD_Changes Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/changesanalysis.webp) +![Analysis Tasks for the 2-AD_Changes Job](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/changesanalysis.webp) The following analysis tasks are selected by default: 
@@ -124,7 +124,7 @@ following pre-configured reports: In order for Access Analyzer to send email notifications, it is necessary for the **Settings** > **Notification** node to be properly configured. See the -[Notification](../../admin/settings/notification.md) topic for instructions on enabling the Access +[Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) topic for instructions on enabling the Access Analyzer Console to send email notifications. Once email notifications have been enabled, the individual notification analysis tasks can be configured and enabled. Follow the steps to configure a notification analysis task. 
@@ -132,18 +132,18 @@ a notification analysis task. **Step 1 –** Navigate to the **.Active Directory Inventory** > **2-AD_Changes** > **Configure** node and select **Analysis**. -![Notification Analysis Tasks for the 2-AD_Changes Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/changesanalysisnotification.webp) +![Notification Analysis Tasks for the 2-AD_Changes Job](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/changesanalysisnotification.webp) **Step 2 –** In the Analysis Selection view, select the desired notification analysis task and click **Analysis Configuration**. The Notification Data Analysis Module opens. -![Notification Data Analysis Module SMTP properties page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtp.webp) +![Notification Data Analysis Module SMTP properties page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtp.webp) **CAUTION:** Do not make changes to the pages preceding the SMTP page. **Step 3 –** Use the **Next** button to navigate to the email configuration SMTP page. -![Recipients section of SMTP properties page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtprecipients.webp) +![Recipients section of SMTP properties page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtprecipients.webp) **Step 4 –** In the Recipients section, provide the email addresses or distribution lists (fully qualified address) for those who are to receive this notification. Multiple addresses can be 
@@ -154,7 +154,7 @@ provided. You can use the following options: - Combine multiple messages into single message – Sends one email for all objects in the record set instead of one email per object to all recipients -![Message section of SMTP properties page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtpmessage.webp) +![Message section of SMTP properties page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/notificationanalysissmtpmessage.webp) **Step 5 –** In the Message section, edit the **Subject**. It is not recommended to remove any parameters. Then, customize the email content in the textbox to provide an explanation of the diff --git a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md index bc9eba60e2..d86d939fc0 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md @@ -8,7 +8,7 @@ running the 1-AD_Scan Job, also located in the .Active Directory Inventory Job G The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The 3-AD_Exceptions Job has the following configurable parameters: 
@@ -34,7 +34,7 @@ the security concerns within them can be modified. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 3-AD_Exceptions Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/exceptionsanalysis.webp) +![Analysis Tasks for the 3-AD_Exceptions Job](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/exceptionsanalysis.webp) The following analysis tasks are selected by default: @@ -134,7 +134,7 @@ parameters: | Admin Historical SID | #ADMIN_GROUPS | - Domain Admins - Enterprise Admins - Schema Admins | List of administrative groups | See the -[Configure the Customizable Parameters in an Analysis Task](../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions to modify the parameters. See the -[AD Exception Types Translated](../../admin/datacollector/adinventory/standardtables.md#ad-exception-types-translated) +[AD Exception Types Translated](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md#ad-exception-types-translated) topic for an explanation of Exception Types. diff --git a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md index 620a157e0c..f76c02e6da 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md 
@@ -25,7 +25,7 @@ Permissions **NOTE:** See the Microsoft [Searching for Deleted Objects](https://technet.microsoft.com/en-us/library/cc978013.aspx) article and the Microsoft - [Dsacls]() article for + [Dsacls](https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx) article for additional information. Ports 
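Review bot: The `[Dsacls]` change fills a previously empty link target with a new external URL, which is a content change rather than a path rewrite like the other hunks here, so it should be called out in the commit message or split into its own commit. The target `https://technet.microsoft.com/en-us/library/cc771151(v=ws.11).aspx` also carries parentheses inside a Markdown link destination; confirm it renders as a single link in the built site, or percent-encode them as `%28v=ws.11%29`.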
@@ -46,16 +46,16 @@ the top of the Jobs tree. This Job Group is comprised of three jobs that collect, analyze, and report on data. The data collection is conducted by the ADInventory Data Collector. See the -[Standard Reference Tables & Views for the ADInventory Data Collector](../../admin/datacollector/adinventory/standardtables.md) +[Standard Reference Tables & Views for the ADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adinventory/standardtables.md) topic for database table information. -![.Active Directory Inventory Solution Overview page](../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![.Active Directory Inventory Solution Overview page](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) The .Active Directory Inventory Solution has the following jobs: -- [1-AD_Scan Job](1-ad_scan.md) – Collects data and generates the standard reference tables and +- [1-AD_Scan Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md) – Collects data and generates the standard reference tables and views -- [2-AD_Changes Job](2-ad_changes.md) – Analyzes the collected data to track and alert on changes +- [2-AD_Changes Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md) – Analyzes the collected data to track and alert on changes within all scanned domains that occurred since the last scan -- [3-AD_Exceptions Job](3-ad_exceptions.md) – Analyzes the collected data to identify security and +- [3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) – Analyzes the collected data to identify security and provisioning concerns, such as circular nesting and stale membership 
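Review bot: The overview image on the `+` line keeps the alt text ".Active Directory Inventory Solution Overview page" but still points at `/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp`, which is a Threat Prevention QRadar dashboard path. The rewrite carries this mismatch over unchanged from the old relative path; while the line is being touched, check whether an image under `accessanalyzer/solutions/activedirectoryinventory/` was intended and reference that instead.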
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/recommended.md b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/recommended.md index a00e6fb041..798d36a4d5 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/recommended.md @@ -55,15 +55,15 @@ Query Configuration The solution is best run with the default query configuration. However, a possible modification might be to include configurations of the scan options or additional custom attributes within the -[1-AD_Scan Job](1-ad_scan.md). +[1-AD_Scan Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/1-ad_scan.md). Analysis Configuration The solution is best run with the default analysis configuration. However, possible modifications might be to: -- Enable notification analysis tasks within the [2-AD_Changes Job](2-ad_changes.md) -- Customize exception analysis parameters within the [3-AD_Exceptions Job](3-ad_exceptions.md) +- Enable notification analysis tasks within the [2-AD_Changes Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/2-ad_changes.md) +- Customize exception analysis parameters within the [3-AD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/3-ad_exceptions.md) Workflow diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_brokeninheritance.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_brokeninheritance.md index 78c6d12b7f..5bcd7c6a65 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_brokeninheritance.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_brokeninheritance.md 
@@ -3,7 +3,7 @@ The AD_BrokenInheritance Job reports on all locations within Active Directory where inheritance is broken within the targeted domains. -![6.Broken Inheritance Job Group in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) +![6.Broken Inheritance Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) The AD_BrokenInheritance Job is located in the 6.Broken Inheritance Job Group. @@ -15,7 +15,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **6.BrokenInheritanc **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_BrokenInheritance Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) +![Analysis Tasks for the AD_BrokenInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_openaccess.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_openaccess.md index 911d8162c9..b5f5b3b144 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_openaccess.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_openaccess.md 
@@ -4,7 +4,7 @@ The AD_OpenAccess Job reports on all Active Directory permissions granting open targeted domains. Open Access can be defined as access granted to security principals such as: Domain Users, Authenticated Users, and Everyone. -![5.Open Access Job Group in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) +![5.Open Access Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) The AD_OpenAccess Job is located in the 5.Open Access Job Group. @@ -16,7 +16,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **5.Open Access** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_OpenAccess Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) +![Analysis Tasks for the AD_OpenAccess Job](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_oupermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_oupermissions.md index 51756e76ad..3a420b732a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_oupermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_oupermissions.md 
@@ -3,7 +3,7 @@ The AD_OUPermissions job reports on all Active Directory permissions and ownership applied to organizational unit (OU) objects within the targeted domains. -![3.OUs Job Group in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/ousjobstree.webp) +![3.OUs Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/ousjobstree.webp) The AD_OUPermissions job is located in the 3.OUs job group. @@ -15,7 +15,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **3.OUs** > **AD_OUP **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_OUPermissions Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/oupermissionsanalysis.webp) +![Analysis Tasks for the AD_OUPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/oupermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md index 64028b91c3..1e526379fc 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md 
@@ -18,7 +18,7 @@ This job will analyze the following links between resources and privileges in yo - Administrative rights on SQL Servers that hold sensitive data The AD_ShadowAccess Job has special dependencies. See the -[Recommended Configurations for AD Permissions Analyzer Solution](recommended.md) topic for +[Recommended Configurations for AD Permissions Analyzer Solution](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/recommended.md) topic for additional information. ## Analysis Tasks for the AD_ShadowAccess Job @@ -31,7 +31,7 @@ and select **Analysis** to view the analysis tasks. **Calculate Shadow Access** analysis task is the only analysis task that has customizable parameters. -![Analysis Tasks for the AD_ShadowAccess Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessanalysis.webp) +![Analysis Tasks for the AD_ShadowAccess Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessanalysis.webp) The default analysis tasks are: 
@@ -91,12 +91,12 @@ parameters. **Step 1 –** Navigate to the **Active Directory Permissions Analyzer** > **AD_ShadowAccess** > **Configure** node and select **Analysis** to view analysis tasks. -![Configure Calculate Shadow Access task from Analysis Selection view](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessanalysisconfigure.webp) +![Configure Calculate Shadow Access task from Analysis Selection view](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessanalysisconfigure.webp) **Step 2 –** In the Analysis Selection view, select the **Calculate Shadow Access** analysis task, then click **Analysis Configuration**. The SQL Script Editor opens. -![SQL Script Editor](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccesssqlscripteditor.webp) +![SQL Script Editor](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccesssqlscripteditor.webp) **Step 3 –** In the parameters section at the bottom of the editor, find the Value column. Double-click on the current value and change as desired. 
@@ -115,15 +115,15 @@ The customizable analysis task parameters are now configured and ready to run. The reports generated by the AD_ShadowAccess Job presents users with an overview of vulnerabilities and attack paths within the targeted environments. -![Shadow Access reports in the job's Results node](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreports.webp) +![Shadow Access reports in the job's Results node](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreports.webp) Navigate to the **Active Directory Permissions Analyzer** > **AD_ShadowAccess** > **Results** node to view the AD_ShadowAccess job reports. **NOTE:** These reports can also be accessed through the Web Console. See the -[Viewing Generated Reports](../../admin/report/view.md) topic for additional information. +[Viewing Generated Reports](/docs/accessanalyzer/12.0/admin/report/view.md) topic for additional information. -![Exploited Permissions and Vulnerabilities on Shadow Access reports](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport1.webp) +![Exploited Permissions and Vulnerabilities on Shadow Access reports](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport1.webp) The Domain Shadow Access and Sensitive Data Shadow Access reports provide information on the exploited permissions and vulnerabilities that can be used as attack paths for shadow access to 
@@ -134,14 +134,14 @@ domain and sensitive data. - Vulnerabilities – Displays summary information of the vulnerabilities that were detected and the number of occurrences of those vulnerabilities -![Report element displaying information on potential attack paths for users found in the targeted domain](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport2.webp) +![Report element displaying information on potential attack paths for users found in the targeted domain](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport2.webp) The last report element displays information on potential attack paths for users found in the targeted domain. Clicking on the green plus sign next to an attack path will open an Attack Path window that displays a step-by-step process of how a user object, if compromised, can be used to conduct a shadow attack. -![Attack Path window example](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport3.webp) +![Attack Path window example](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport3.webp) The Attack Path window displays how a user object can be used in a shadow attack. @@ -151,7 +151,7 @@ The Attack Path window displays how a user object can be used in a shadow attack - `LSA` can modify group membership of `Domain Admins` - The Attack Path window reveals that every user in the domain is effectively a Domain Admin -![Attack Path window example](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport4.webp) +![Attack Path window example](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/shadowaccessreport4.webp) The number of objects and the direction of the arrows can change depending on the attack path and related elements. 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_certificaterights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_certificaterights.md index 353182cacc..ec31e57ce5 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_certificaterights.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_certificaterights.md @@ -9,11 +9,11 @@ The AD_CertificateRights job uses the ADPermissions data collector for the follo **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_CertificateRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/certificaterightsquery.webp) +![Query for the AD_CertificateRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/certificaterightsquery.webp) - Certificate Template Permissions – Collects certificate templates from Active Directory - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_CertificateRights Job 
@@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CertificateRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/certificaterightsanalysis.webp) +![Analysis Tasks for the AD_CertificateRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/certificaterightsanalysis.webp) - Certificate Rights View – Creates the SA_AD_CertificateRights_Details_PermissionsView visible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_computerrights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_computerrights.md index 8e70532160..4338628069 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_computerrights.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_computerrights.md 
@@ -9,11 +9,11 @@ The AD_ComputerRights Job uses the ADPermissions Data Collector for the followin **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_ComputerRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/computerrightsquery.webp) +![Query for the AD_ComputerRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/computerrightsquery.webp) - Computer Access Permissions – Returns computer access permission - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_ComputerRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the AD_ComputerRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/computerrightsanalysis.webp) +![Analysis Task for the AD_ComputerRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/computerrightsanalysis.webp) - Computer Rights View – Creates the SA_AD_ComputerRights_Details_PermissionsView visible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_containerrights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_containerrights.md index 7ba28e6c08..5cc17fa7f3 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_containerrights.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_containerrights.md @@ -9,11 +9,11 @@ The AD_ContainerRights Job uses the ADPermissions Data Collector for the followi **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_ContainerRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/containerrightsquery.webp) +![Query for the AD_ContainerRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/containerrightsquery.webp) - Container Access Permissions – Returns containers under the given scope - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_ContainerRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ContainerRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/containerrightsanalysis.webp) +![Analysis Tasks for the AD_ContainerRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/containerrightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_domainrights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_domainrights.md index ceb4e492cf..e8a4d3144a 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_domainrights.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_domainrights.md @@ -9,11 +9,11 @@ The AD_DomainRights Job uses the ADPermissions Data Collector for the following **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_DomainRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/domainrightsquery.webp) +![Query for the AD_DomainRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/domainrightsquery.webp) - Domain Access Permissions – Returns domain access permissions - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_DomainRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DomainRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/domainrightsanalysis.webp) +![Analysis Tasks for the AD_DomainRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/domainrightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_grouprights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_grouprights.md index 15217b5bdb..c0572d0b38 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_grouprights.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_grouprights.md @@ -9,11 +9,11 @@ The AD_GroupRights Job uses the ADPermissions Data Collector for the following q **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_GroupRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/grouprightsquery.webp) +![Query for the AD_GroupRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/grouprightsquery.webp) - Group Access Permissions – Returns group access permissions - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_GroupRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/grouprightsanalysis.webp) +![Analysis Tasks for the AD_GroupRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/grouprightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_ourights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_ourights.md index dfa08e2aeb..e18f52429b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_ourights.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_ourights.md @@ -9,11 +9,11 @@ The AD_OURights Job uses the ADPermissions Data Collector for the following quer **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_OURights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/ourightsquery.webp) +![Query for the AD_OURights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/ourightsquery.webp) - OU Access Permissions – Returns organizational unit permissions - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_OURights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_OURights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/ourightsanalysis.webp) +![Analysis Tasks for the AD_OURights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/ourightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_siterights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_siterights.md index 21c054aac1..9aba7ff9ec 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_siterights.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_siterights.md 
@@ -9,11 +9,11 @@ The AD_SiteRights Job uses the ADPermissions Data Collector for the following qu **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_SiteRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/siterightsquery.webp) +![Query for the AD_SiteRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/siterightsquery.webp) - Site Access Permissions – Returns site permissions - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_SiteRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_SiteRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsanalysis.webp) +![Analysis Tasks for the AD_SiteRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_userrights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_userrights.md index 6628e7f32f..3b2268538f 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_userrights.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_userrights.md 
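Review bot: In the second hunk of `ad_siterights.md` (`@@ -24,7 +24,7 @@`), the image with alt text "Analysis Tasks for the AD_SiteRights Job" resolves to `/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsanalysis.webp`, while the query image in the same file uses `siterightsquery.webp`. The path rewrite preserves what looks like a copy-paste from the AD_UserRights page; confirm whether a site-specific screenshot exists and reference it, otherwise the page shows another job's analysis tasks.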
@@ -9,11 +9,11 @@ The AD_UserRights Job uses the ADPermissions Data Collector for the following qu **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the AD_UserRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsquery.webp) +![Query for the AD_UserRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsquery.webp) - User Access Permissions – Returns user permissions - - See the [ADPermissions Data Collector](../../../admin/datacollector/adpermissions/overview.md) + - See the [ADPermissions Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/adpermissions/overview.md) topic for additional information ## Analysis Tasks for the AD_UserRights Job @@ -24,7 +24,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **0.Collection** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_UserRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsanalysis.webp) +![Analysis Tasks for the AD_UserRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/collection/userrightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/overview.md index 09f65a3b86..372e9401cf 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/overview.md 
@@ -4,23 +4,23 @@ The 0.Collection job group collects data on permissions applied to certificates, organizational units, and users. It is dependent on data collected by the .Active Directory Inventory job group. The jobs which comprise the 0.Collection job group process analysis tasks. -![0.Collection Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 0.Collection job group are: -- [AD_CertificateRights Job](ad_certificaterights.md) – Collects all Active Directory permissions +- [AD_CertificateRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_certificaterights.md) – Collects all Active Directory permissions applied to certificate objects within the targeted domains -- [AD_ComputerRights Job](ad_computerrights.md) – Collects all Active Directory permissions applied +- [AD_ComputerRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_computerrights.md) – Collects all Active Directory permissions applied to computer objects within the targeted domains -- [AD_ContainerRights Job](ad_containerrights.md) – Collects all Active Directory permissions +- [AD_ContainerRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_containerrights.md) – Collects all Active Directory permissions applied to container objects within the targeted domains -- [AD_DomainRights Job](ad_domainrights.md) – Collects all Active Directory permissions applied to +- [AD_DomainRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_domainrights.md) – Collects all Active Directory permissions applied to domain objects within the targeted domains -- [AD_GroupRights Job](ad_grouprights.md) – Collects all Active Directory permissions 
applied to +- [AD_GroupRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_grouprights.md) – Collects all Active Directory permissions applied to group objects within the targeted domains -- [AD_OURights Job](ad_ourights.md) – Collects all Active Directory permissions applied to group +- [AD_OURights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_ourights.md) – Collects all Active Directory permissions applied to group objects within the targeted domains -- [AD_SiteRights Job](ad_siterights.md) – Collects all Active Directory permissions applied to site +- [AD_SiteRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_siterights.md) – Collects all Active Directory permissions applied to site objects within the targeted domains -- [AD_UserRights Job](ad_userrights.md) – Collects all Active Directory permissions applied to user +- [AD_UserRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/ad_userrights.md) – Collects all Active Directory permissions applied to user objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_computerpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_computerpermissions.md index 4c9e329b78..59dcda4136 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_computerpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_computerpermissions.md 
@@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **4.Computers** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ComputerPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/computers/computerpermissionsanalysis.webp) +![Analysis Tasks for the AD_ComputerPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/computers/computerpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_lapspermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_lapspermissions.md index 27b9d00cfd..5fa7bcf48e 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_lapspermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_lapspermissions.md @@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **4.Computers** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_LAPSPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/computers/lapspermissionsanalysis.webp) +![Analysis Tasks for the AD_LAPSPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/computers/lapspermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/overview.md index 76dda42e97..a66be67243 100644 
--- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/overview.md @@ -3,12 +3,12 @@ The 4.Computers Job Group reports on all Active Directory permissions applied to computer objects within the targeted domains. -![4.Computers Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4.Computers Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 4.Computers Job Group are: -- [AD_ComputerPermissions Job](ad_computerpermissions.md) – Reports on all Active Directory +- [AD_ComputerPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_computerpermissions.md) – Reports on all Active Directory permissions applied to computer objects within the targeted domains -- [AD_LAPSPermissions Job](ad_lapspermissions.md) – Identifies Active Directory objects that have +- [AD_LAPSPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/ad_lapspermissions.md) – Identifies Active Directory objects that have access to LAPS attributes and access to computer objects that may lead to unintended access to LAPS attributes diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_adminsdholder.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_adminsdholder.md index 9aa016c960..69b7847866 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_adminsdholder.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_adminsdholder.md 
@@ -10,11 +10,11 @@ The AD_AdminSDHolder Job uses the PowerShell Data Collector for the following qu **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Queries for the AD_AdminSDHolder Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/adminsdholderquery.webp) +![Queries for the AD_AdminSDHolder Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/adminsdholderquery.webp) - Default AdminSDHolder Perms – Creates a table of default AdminSDHolder permissions - - See the [PowerShell Data Collector](../../../admin/datacollector/powershell/overview.md) topic + - See the [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) topic for additional information ## Analysis Tasks for the AD_AdminSDHolder Job @@ -25,7 +25,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **7.Containers** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_AdminSDHolder Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/adminsdholderanalysis.webp) +![Analysis Tasks for the AD_AdminSDHolder Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/adminsdholderanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_containerpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_containerpermissions.md index 89608ebdba..2dad8a2733 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_containerpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_containerpermissions.md 
@@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **7.Containers** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ContainerPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/containerpermissionsanalysis.webp) +![Analysis Tasks for the AD_ContainerPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/containers/containerpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/overview.md index 65735ec63e..9b91abb017 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/overview.md 
@@ -3,15 +3,15 @@ The 7.Containers Job Group reports on all Active Directory permissions applied to container objects within the targeted domains. -![7.Containers Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![7.Containers Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 7.Containers Job Group are: -- [AD_AdminSDHolder Job](ad_adminsdholder.md) – Reports on all non-default Active Directory +- [AD_AdminSDHolder Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_adminsdholder.md) – Reports on all non-default Active Directory permissions applied to the AdminSDHolder container within the targeted domains. The AdminSDHolder container can be leveraged by an attacker to create persistence within the environment. See the Microsoft [AdminSDHolder, Protected Groups and SDPROP](https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx) article for additional information. -- [AD_ContainerPermissions Job](ad_containerpermissions.md) – Reports on all Active Directory +- [AD_ContainerPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/ad_containerpermissions.md) – Reports on all Active Directory permissions applied to container objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificateauthorityrights.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificateauthorityrights.md index 392562877d..afdb0c77d0 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificateauthorityrights.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificateauthorityrights.md 
@@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CertificateAuthorityRights Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificateauthorityrightsanalysis.webp) +![Analysis Tasks for the AD_CertificateAuthorityRights Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificateauthorityrightsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatetemplates.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatetemplates.md index 10fa0d8ca2..3ad7b80a11 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatetemplates.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatetemplates.md @@ -10,7 +10,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **8.Domains** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_CertificateTemplates Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificatetemplatesanalysis.webp) +![Analysis Tasks for the AD_CertificateTemplates Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificatetemplatesanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatevulnerabilities.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatevulnerabilities.md index 6faf4f05d5..07dcfbf87f 100644 
--- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatevulnerabilities.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatevulnerabilities.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the AD_CertificateVulnerabilities Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificatevulnerabilitiesanalysis.webp) +![Analysis Tasks for the AD_CertificateVulnerabilities Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/certificatevulnerabilitiesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainpermissions.md index fc0dc81636..236b0bbab4 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainpermissions.md @@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **8.Domains** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DomainPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/domainpermissionsanalysis.webp) +![Analysis Tasks for the AD_DomainPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/domainpermissionsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainreplication.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainreplication.md index 5b5a9e7f69..acdce103cd 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainreplication.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainreplication.md @@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **8.Domains** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DomainReplication Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/domainreplicationanalysis.webp) +![Analysis Tasks for the AD_DomainReplication Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/domains/domainreplicationanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/overview.md index 3a73d040c5..9e6ff13a14 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/overview.md 
@@ -3,19 +3,19 @@ The 8.Domains job group reports on all Active Directory permissions applied to domain objects within the targeted domains. -![8.Domains Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![8.Domains Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 8.Domains job group are: -- [AD_CertificateAuthorityRights Job](ad_certificateauthorityrights.md) – Provides details on +- [AD_CertificateAuthorityRights Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificateauthorityrights.md) – Provides details on certificate enrollment permissions, specifically risky permissions where users have write or higher access -- [AD_CertificateTemplates Job](ad_certificatetemplates.md) – Provides details on certificate +- [AD_CertificateTemplates Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatetemplates.md) – Provides details on certificate template settings -- [AD_CertificateVulnerabilities Job](ad_certificatevulnerabilities.md) – Highlights vulnerabilities +- [AD_CertificateVulnerabilities Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_certificatevulnerabilities.md) – Highlights vulnerabilities in the configuration and permission of the Certificate Authority, certificate templates, and Active Directory -- [AD_DomainPermissions Job](ad_domainpermissions.md) – Reports on all Active Directory permissions +- [AD_DomainPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainpermissions.md) – Reports on all Active Directory permissions applied to domain objects within the targeted domains -- [AD_DomainReplication Job](ad_domainreplication.md) – Highlights all Active Directory permissions +- [AD_DomainReplication 
Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/ad_domainreplication.md) – Highlights all Active Directory permissions applied to domain objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_groupmembershippermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_groupmembershippermissions.md index 0dab3fac5c..00fbe10594 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_groupmembershippermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_groupmembershippermissions.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupMembershipPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/groups/groupmembershippermissionsanalysis.webp) +![Analysis Tasks for the AD_GroupMembershipPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/groups/groupmembershippermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_grouppermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_grouppermissions.md index 7bfb61c722..d2bfea8597 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_grouppermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_grouppermissions.md 
@@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **2.Groups** > **AD_ **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_GroupPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/groups/grouppermissionsanalysis.webp) +![Analysis Tasks for the AD_GroupPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/groups/grouppermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/overview.md index 791ba27319..a676325021 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/overview.md 
@@ -3,11 +3,11 @@ The 2.Groups Job Group reports on all Active Directory permissions applied to group objects within the targeted domains. -![2.Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 2.Groups Job Group are: -- [AD_GroupMembershipPermissions Job](ad_groupmembershippermissions.md) – Highlights all Active +- [AD_GroupMembershipPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_groupmembershippermissions.md) – Highlights all Active Directory users that are capable of modifying group membership within the targeted domains -- [AD_GroupPermissions Job](ad_grouppermissions.md) – Reports on all Active Directory permissions +- [AD_GroupPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/ad_grouppermissions.md) – Reports on all Active Directory permissions applied to group objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md index ec19f58f78..8b25d6a917 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/overview.md 
@@ -23,14 +23,14 @@ article for additional information. Requirements, Permissions, and Ports See the -[Domain Target Requirements, Permissions, and Ports](../../requirements/target/activedirectorypermissionsanalyzer.md) +[Domain Target Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/activedirectorypermissionsanalyzer.md) topic for additional information. Location The Active Directory Permissions Analyzer requires a special Access Analyzer license. It can be installed from the Instant Job Wizard, see the -[Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. When purchased separately, the Permissions Analyzer Solution is installed into the Jobs tree with the Active Directory instant solution. The license limits the solution to just the **Jobs** > **Active Directory Permissions Analyzer** Job Group. Once installed into the Jobs tree, navigate to 
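Review bot: Both rewritten links in this hunk of `activedirectorypermissionsanalyzer/overview.md` now hardcode the version directory (`/docs/accessanalyzer/12.0/requirements/target/...` and `/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md`), where the old `../../` form resolved inside whichever version tree the file lived in. If this tree is ever copied to a new version directory, these links will keep pointing at 12.0 without producing a broken-link error, so please confirm the versioning workflow rewrites them, or keep links that stay inside one version tree relative. Minor: the `[Instant Job Wizard](...) topic for additional information.` line is now much longer than the wrapped lines around it and could be re-wrapped.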
@@ -48,32 +48,32 @@ Data Collector and the PowerShell Data Collector to return advanced security per analysis tasks and generate reports. The collected data is then available to the Netwrix Access Information Center for analysis. -![Active Directory Permissions Analyzer Solution Overview page](../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Active Directory Permissions Analyzer Solution Overview page](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) The job groups and jobs in the Active Directory Permissions Analyzer Solution are: -- [0.Collection Job Group](collection/overview.md) – Collects all Active Directory permissions +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/collection/overview.md) – Collects all Active Directory permissions information from the targeted domain -- [1.Users Job Group](users/overview.md) – Reports on all Active Directory permissions applied to +- [1.Users Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/overview.md) – Reports on all Active Directory permissions applied to user objects within the targeted domains -- [2.Groups Job Group](groups/overview.md) – Reports on all Active Directory permissions applied to +- [2.Groups Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/groups/overview.md) – Reports on all Active Directory permissions applied to group objects within the targeted domains -- [3.OUs > AD_OUPermissions Job](ad_oupermissions.md) – Reports on all Active Directory permissions +- [3.OUs > AD_OUPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_oupermissions.md) – Reports on all Active Directory permissions applied to organizational unit objects within the targeted domains -- [4.Computers Job Group](computers/overview.md) – Reports on all Active 
Directory permissions +- [4.Computers Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/computers/overview.md) – Reports on all Active Directory permissions applied to computer objects within the targeted domains -- [5.Open Access > AD_OpenAccess Job](ad_openaccess.md) – Reports on all Active Directory +- [5.Open Access > AD_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_openaccess.md) – Reports on all Active Directory permissions granting open access within the targeted domains. Open Access can be defined as access granted to security principals such as: Domain Users, Authenticated Users, and Everyone. -- [6.Broken Inheritance > AD_BrokenInheritance Job](ad_brokeninheritance.md) – Reports on all +- [6.Broken Inheritance > AD_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_brokeninheritance.md) – Reports on all locations within Active Directory where inheritance is broken within the targeted domains -- [7.Containers Job Group](containers/overview.md) – Reports on all Active Directory permissions +- [7.Containers Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/containers/overview.md) – Reports on all Active Directory permissions applied to container objects within the targeted domains -- [8.Domains Job Group](domains/overview.md) – Reports on all Active Directory permissions applied +- [8.Domains Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/domains/overview.md) – Reports on all Active Directory permissions applied to domain objects within the targeted domains -- [9.Sites Job Group](sites/overview.md) – Reports on all Active Directory permissions applied to +- [9.Sites Job Group](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/overview.md) – Reports on all Active Directory permissions applied to domain objects within the targeted domains -- 
[AD_ShadowAccess Job](ad_shadowaccess.md) – Finds shadow access that leads to compromise of a +- [AD_ShadowAccess Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md) – Finds shadow access that leads to compromise of a domain or sensitive data. Attackers can chain vulnerabilities to escalate privileges from a non-privileged user to administrator with only a few steps. This job generates the shortest path between every non-privileged user to a domain administrative group, total domain compromise, or diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/recommended.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/recommended.md index ff43d87887..0768aa995b 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/recommended.md @@ -6,7 +6,7 @@ The following Access Analyzer job groups need to be successfully run: - .Active Directory Inventory Job Group -The following jobs need to be run prior to running the [AD_ShadowAccess Job](ad_shadowaccess.md): +The following jobs need to be run prior to running the [AD_ShadowAccess Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md): - .Active Directory Inventory >1-AD_Scan > ADInventory - Active Directory > 1.Groups > AD_SensitiveSecurityGroups @@ -16,7 +16,7 @@ The following jobs need to be run prior to running the [AD_ShadowAccess Job](ad_ - Active Directory Permissions Analyzer > 2.Groups > AD_GroupMembershipPermissions The following jobs can be optionally run to enhance reporting in the -[AD_ShadowAccess Job](ad_shadowaccess.md): +[AD_ShadowAccess Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/ad_shadowaccess.md): - Active Directory > 2.Users > AD_WeakPasswords - FileSystem > 7.Sensitive Data > FS_DLPResults > FS_DLPResults 
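Review bot: In the `@@ -48,32 +48,32 @@` hunk of `activedirectorypermissionsanalyzer/overview.md`, the image captioned "Active Directory Permissions Analyzer Solution Overview page" still resolves to a Threat Prevention asset, `/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp`. The old relative path pointed at the same file, so the conversion carried over what looks like a wrong image reference. Since this line is being touched anyway, please check the rendered page and point it at the Access Analyzer screenshot if one exists. In the same hunk, the `9.Sites Job Group` entry describes permissions "applied to domain objects", while `sites/overview.md` in this patch says "site objects". That text is unchanged here, but it is worth correcting in a follow-up.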
@@ -37,7 +37,7 @@ Assign a Connection Profile at the **Active Directory Permissions Analyzer** > * **Settings** > **Connection** node with local Administrator privileges on the target host, or Domain Administrator privileges if the target host is a domain controller. -See the [Connection](../../admin/settings/connection/overview.md) topic for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_dcshadowpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_dcshadowpermissions.md index 6a37b3db91..3419f8b6d7 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_dcshadowpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_dcshadowpermissions.md @@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **9.Sites** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_DCShadowPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/sites/dcshadowpermissionsanalysis.webp) +![Analysis Tasks for the AD_DCShadowPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/sites/dcshadowpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_sitepermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_sitepermissions.md index 1c436e94c7..17fcb49de3 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_sitepermissions.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_sitepermissions.md @@ -11,7 +11,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **9.Sites** > **AD_S **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_SitePermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/sites/sitepermissionsanalysis.webp) +![Analysis Tasks for the AD_SitePermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/sites/sitepermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/overview.md index 9e8c24c38b..68146ee39d 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/overview.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/overview.md 
@@ -3,11 +3,11 @@ The 9.Sites Job Group reports on all Active Directory permissions applied to site objects within the targeted domains. -![9.Sites Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![9.Sites Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 9.Sites Job Group are: -- [AD_DCShadowPermissions Job](ad_dcshadowpermissions.md) – Highlights all Active Directory users +- [AD_DCShadowPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_dcshadowpermissions.md) – Highlights all Active Directory users that are capable of potentially performing a DCShadow attack within the targeted domains -- [AD_SitePermissions Job](ad_sitepermissions.md) – Reports on all Active Directory permissions +- [AD_SitePermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/sites/ad_sitepermissions.md) – Reports on all Active Directory permissions applied to site objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_resetpasswordpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_resetpasswordpermissions.md index b6f8e7f73a..e1e265da42 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_resetpasswordpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_resetpasswordpermissions.md 
@@ -14,7 +14,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_ResetPasswordPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/users/resetpasswordpermissionsanalysis.webp) +![Analysis Tasks for the AD_ResetPasswordPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/users/resetpasswordpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_userpermissions.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_userpermissions.md index bea08b8f7e..22c27af788 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_userpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_userpermissions.md @@ -12,7 +12,7 @@ Navigate to the **Active Directory Permissions Analyzer** > **1.Users** > **AD_U **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AD_UserPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/users/userpermissionsanalysis.webp) +![Analysis Tasks for the AD_UserPermissions Job](/img/product_docs/accessanalyzer/solutions/activedirectorypermissionsanalyzer/users/userpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/overview.md b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/overview.md index 8d811d79bd..721e7a9715 100644 --- a/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/overview.md @@ -3,11 +3,11 @@ The 1.Users Job Group reports on all Active Directory permissions applied to user objects within the targeted domains -![1.Users Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Users Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following jobs comprise the 1.Users Job Group: -- [AD_ResetPasswordPermissions Job](ad_resetpasswordpermissions.md) – Highlights all Active +- [AD_ResetPasswordPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_resetpasswordpermissions.md) – Highlights all Active Directory users that are capable of resetting another user’s password within the targeted domains -- [AD_UserPermissions Job](ad_userpermissions.md) – Reports on all Active Directory permissions +- [AD_UserPermissions Job](/docs/accessanalyzer/12.0/solutions/activedirectorypermissionsanalyzer/users/ad_userpermissions.md) – Reports on all Active Directory permissions applied to user objects within the targeted domains diff --git a/docs/accessanalyzer/12.0/solutions/anyid/anyid_csv.md b/docs/accessanalyzer/12.0/solutions/anyid/anyid_csv.md index 4fc63798cb..137d7545a6 100644 --- a/docs/accessanalyzer/12.0/solutions/anyid/anyid_csv.md +++ b/docs/accessanalyzer/12.0/solutions/anyid/anyid_csv.md @@ -5,7 +5,7 @@ native integration may not be available, or an export is the best option. **_RECOMMENDED:_** Copy the CSV file to the Access Analyzer Console for the best import performance. -![AnyID_CSV Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/csvjoblocation.webp) +![AnyID_CSV Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/anyid/csvjoblocation.webp) The AnyID_CSV job is located in the **Jobs** > **AnyID Connectors** job group. 
@@ -27,7 +27,7 @@ The AnyID_CSV job does not require a connection profile. History Retention -Default Retention Period. See the [History](../../admin/settings/history.md) topic for additional +Default Retention Period. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. Multi-Console Support @@ -62,7 +62,7 @@ Workflow The AnyID_CSV query uses the PowerShell Data Collector. -![Queries for the AnyID_CSV Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/csvqueries.webp) +![Queries for the AnyID_CSV Job](/img/product_docs/accessanalyzer/solutions/anyid/csvqueries.webp) The query is: @@ -73,7 +73,7 @@ The query is: Follow the steps to configure the AnyID_CSV query. -![ The name of the source repository parameter on the job Overview page](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/csvoverviewpage.webp) +![ The name of the source repository parameter on the job Overview page](/img/product_docs/accessanalyzer/solutions/anyid/csvoverviewpage.webp) **Step 1 –** Navigate to and select the **AnyID Connectors** > **AnyID_CSV** node. In the Configuration section of the job's Overview page, click the configure button for the **The name of @@ -89,7 +89,7 @@ Properties**. The Query Properties window opens. **Step 4 –** Select the **Data Source** tab, and click **Configure**. The PowerShell Data Collector Wizard opens. -![Edit Query Page](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/csvqueryeditquery.webp) +![Edit Query Page](/img/product_docs/accessanalyzer/solutions/anyid/csvqueryeditquery.webp) **Step 5 –** Navigate to the Edit Query page. Click the **Parameters** tab on the right-hand side of the page to expand the Parameters window. Configure the following attributes: 
@@ -129,7 +129,7 @@ Navigate to the **Jobs** > **AnyID Connectors** > **AnyID_CSV** > **Configure** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AnyID_CSV Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/csvanalyses.webp) +![Analysis Tasks for the AnyID_CSV Job](/img/product_docs/accessanalyzer/solutions/anyid/csvanalyses.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/anyid/anyid_epicclarity.md b/docs/accessanalyzer/12.0/solutions/anyid/anyid_epicclarity.md index 1a16588c45..0858a6d69a 100644 --- a/docs/accessanalyzer/12.0/solutions/anyid/anyid_epicclarity.md +++ b/docs/accessanalyzer/12.0/solutions/anyid/anyid_epicclarity.md @@ -4,7 +4,7 @@ The AnyID_EpicClarity job collects patient information from Epic including MRNs, IDs, and Account IDs. An account with read access to the underlying Clarity Oracle database is required in order to run queries. -![AnyID_EpicClarity Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/epicclarityjoblocation.webp) +![AnyID_EpicClarity Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/anyid/epicclarityjoblocation.webp) The AnyID_EpicClarity job is located in the **Jobs** > **AnyID Connectors** job group. @@ -29,7 +29,7 @@ Read Access to the underlying Clarity Oracle database. History Retention -Default Retention Period. See the [History](../../admin/settings/history.md) topic for additional +Default Retention Period. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. Multi-Console Support 
@@ -62,7 +62,7 @@ Workflow The AnyID_EpicClarity job uses the PowerShell Data Collector for queries. -![Queries for the AnyID_EpicClarity Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/epicclarityqueries.webp) +![Queries for the AnyID_EpicClarity Job](/img/product_docs/accessanalyzer/solutions/anyid/epicclarityqueries.webp) The queries are: @@ -88,11 +88,11 @@ Properties window opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The PowerShell Data Collector Wizard opens. -![Edit Query Page](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/epicclarityqueryeditquery.webp) +![Edit Query Page](/img/product_docs/accessanalyzer/solutions/anyid/epicclarityqueryeditquery.webp) **Step 4 –** Navigate to the Edit Query page. Click the **Parameters** tab on the right-hand side of the page to expand the Parameters window. See the -[PowerShell: Edit Query](../../admin/datacollector/powershell/editquery.md) topic for additional +[PowerShell: Edit Query](/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md) topic for additional information. Configure the following attributes as needed: - $portNumber – The port number used to access the Oracle Database Server @@ -126,7 +126,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AnyID_EpicClarity Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/epicclarityanalyses.webp) +![Analysis Tasks for the AnyID_EpicClarity Job](/img/product_docs/accessanalyzer/solutions/anyid/epicclarityanalyses.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/anyid/anyid_paycom.md b/docs/accessanalyzer/12.0/solutions/anyid/anyid_paycom.md index 20a527e35b..bf67dbacc6 100644 --- a/docs/accessanalyzer/12.0/solutions/anyid/anyid_paycom.md 
+++ b/docs/accessanalyzer/12.0/solutions/anyid/anyid_paycom.md @@ -5,7 +5,7 @@ and SSN. Contact the organization's Paycom administrator in order to generate th required for this job. The recommended approach is to copy the CSV file to the Access Analyzer Console for best import performance. -![AnyID_Paycom Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/paycomjoblocation.webp) +![AnyID_Paycom Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/anyid/paycomjoblocation.webp) The AnyID_Paycom job is located in the **Jobs** > **AnyID Connectors** job group. @@ -27,7 +27,7 @@ The AnyID_Paycom job does not require a connection profile. History Retention -Default Retention Period. See the [History](../../admin/settings/history.md) topic for additional +Default Retention Period. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. Multi-Console Support @@ -61,7 +61,7 @@ Workflow The AnyID_Paycom job uses the PowerShell Data Collector for the query. -![Queries for the AnyID_Paycom Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/paycomqueries.webp) +![Queries for the AnyID_Paycom Job](/img/product_docs/accessanalyzer/solutions/anyid/paycomqueries.webp) The queries are: 
@@ -82,11 +82,11 @@ Properties**. The Query Properties window opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The PowerShell Data Collector Wizard opens. -![Edit Query Page](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/paycomqueryeditquery.webp) +![Edit Query Page](/img/product_docs/accessanalyzer/solutions/anyid/paycomqueryeditquery.webp) **Step 4 –** Navigate to the Edit Query page. Click the **Parameters** tab on the right-hand side of the page to expand the Parameters window. See the -[PowerShell: Edit Query](../../admin/datacollector/powershell/editquery.md) topic for additional +[PowerShell: Edit Query](/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md) topic for additional information. Configure the following attributes as needed: - $SAHOSTNAME – Created during execution. This parameter cannot be modified. @@ -125,7 +125,7 @@ Navigate to the **Jobs** > **AnyID Connectors** > **AnyID_Paycom** > **Configur **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AnyID_Paycom Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/paycomanalyses.webp) +![Analysis Tasks for the AnyID_Paycom Job](/img/product_docs/accessanalyzer/solutions/anyid/paycomanalyses.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/anyid/anyid_salesforce.md b/docs/accessanalyzer/12.0/solutions/anyid/anyid_salesforce.md index 48c98531eb..2b76a7730c 100644 --- a/docs/accessanalyzer/12.0/solutions/anyid/anyid_salesforce.md +++ b/docs/accessanalyzer/12.0/solutions/anyid/anyid_salesforce.md 
@@ -4,7 +4,7 @@ The AnyID_Salesforce job collects Salesforce contact details including phone, ad date of birth. This job requires API access to Salesforce in order to collect this information. The list of collected attributes can be adjusted as necessary. -![AnyID_Salesforce Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/salesforcejoblocation.webp) +![AnyID_Salesforce Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/anyid/salesforcejoblocation.webp) The AnyID_Salesforce job is located in the **Jobs** > **AnyID Connectors** job group. @@ -36,7 +36,7 @@ Ensure that a connection profile is configured with the required credentials. Se History Retention -Default Retention Period. See the [History](../../admin/settings/history.md) topic for additional +Default Retention Period. See the [History](/docs/accessanalyzer/12.0/admin/settings/history.md) topic for additional information. Multi-Console Support @@ -71,7 +71,7 @@ Workflow The AnyID_Salesforce job uses the PowerShell Data Collector for the query. -![Query for the AnyID_Salesforce Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/salesforcequeries.webp) +![Query for the AnyID_Salesforce Job](/img/product_docs/accessanalyzer/solutions/anyid/salesforcequeries.webp) The query is: 
@@ -92,11 +92,11 @@ Properties**. The Query Properties window opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The PowerShell Data Collector Wizard opens. -![Edit Query Page](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/salesforcequeryeditquery.webp) +![Edit Query Page](/img/product_docs/accessanalyzer/solutions/anyid/salesforcequeryeditquery.webp) **Step 4 –** Navigate to the Edit Query page. Click the **Parameters** tab on the right-hand side of the page to expand the Parameters window. See the -[PowerShell: Edit Query](../../admin/datacollector/powershell/editquery.md) topic for additional +[PowerShell: Edit Query](/docs/accessanalyzer/12.0/admin/datacollector/powershell/editquery.md) topic for additional information. Configure the following attributes as needed: - $SAHOSTNAME – Created during execution. This parameter cannot be modified. @@ -131,7 +131,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AnyID_Salesforce Job](../../../../../static/img/product_docs/accessanalyzer/solutions/anyid/salesforceanalyses.webp) +![Analysis Tasks for the AnyID_Salesforce Job](/img/product_docs/accessanalyzer/solutions/anyid/salesforceanalyses.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/anyid/overview.md b/docs/accessanalyzer/12.0/solutions/anyid/overview.md index 51176dfc45..c9089c5b0f 100644 --- a/docs/accessanalyzer/12.0/solutions/anyid/overview.md +++ b/docs/accessanalyzer/12.0/solutions/anyid/overview.md 
@@ -29,10 +29,10 @@ activities involve consumer, patient, resident, and other subject data. ## Location The AnyID Connectors Solution requires a special Access Analyzer license. It can be installed from -the Instant Job Wizard. See the [Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic +the Instant Job Wizard. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. -![AnyID Connectors Solution in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![AnyID Connectors Solution in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Once installed into the Jobs tree, navigate to the solution: **Jobs** > **AnyID Connectors**. 
@@ -48,19 +48,19 @@ attributes about potential subjects which are then used by Access Analyzer’s S Discovery engine to perform exact data matching against virtually any cloud or on-premises data repository. -![AnyID Connectors Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![AnyID Connectors Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The jobs in the AnyID Connectors Solution are: -- [AnyID_CSV Job](anyid_csv.md) – Imports a list of identities and attributes from a CSV file. Use +- [AnyID_CSV Job](/docs/accessanalyzer/12.0/solutions/anyid/anyid_csv.md) – Imports a list of identities and attributes from a CSV file. Use this when a native integration may not be available, or an export is the best option. -- [AnyID_EpicClarity Job](anyid_epicclarity.md) – Collects patient information from Epic including +- [AnyID_EpicClarity Job](/docs/accessanalyzer/12.0/solutions/anyid/anyid_epicclarity.md) – Collects patient information from Epic including MRNs, SSNs, Subscriber IDs, and Account IDs. An account with read access to the underlying Clarity Oracle database is required in order to run queries. -- [AnyID_Paycom Job](anyid_paycom.md) – Pulls employee information from Paycom including Name, +- [AnyID_Paycom Job](/docs/accessanalyzer/12.0/solutions/anyid/anyid_paycom.md) – Pulls employee information from Paycom including Name, Address, Date of Birth, and SSN. Contact your Paycom administrator in order to generate the CSV export required for this job. -- [AnyID_Salesforce Job](anyid_salesforce.md) – Collects Salesforce Contact details including Phone, +- [AnyID_Salesforce Job](/docs/accessanalyzer/12.0/solutions/anyid/anyid_salesforce.md) – Collects Salesforce Contact details including Phone, Address, Email, and Date of birth. This job requires API access to Salesforce in order to collect this information. 
diff --git a/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md b/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md index aba74e75a8..b72076d632 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md +++ b/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md @@ -8,7 +8,7 @@ accounts within the organization. The Org Scan query uses the AWS Data Collector to target all AWS instances and has been preconfigured to use the Collect Org Data category. -![Queries for the 1.AWS_OrgScan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/orgscanqueries.webp) +![Queries for the 1.AWS_OrgScan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/orgscanqueries.webp) The 1.AWS_OrgScan job has the following configurable query: @@ -28,13 +28,13 @@ opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Amazon Web Services Data Collector Wizard opens. -![AWS Data Collector Login Roles wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) +![AWS Data Collector Login Roles wizard page](/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) **Step 4 –** On the Login Roles page, add the created AWS Roles: - Enter the Role in the Role Name field and click **Add** - Alternatively, import multiple Roles from a CSV file -- See the [Configure AWS for Scans](../../../requirements/target/config/aws.md) topic for additional +- See the [Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information **Step 5 –** On the Summary page, click **Finish** to save any modifications or click **Cancel** if diff --git a/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md b/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md index 283e1beab2..89d6180122 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md +++ b/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md @@ -8,7 +8,7 @@ in those buckets. The S3 Scan query uses the AWS Data Collector to target all AWS instances and has been preconfigured to use the Collect S3 category. -![Query Selection page](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/s3scanqueries.webp) +![Query Selection page](/img/product_docs/accessanalyzer/solutions/aws/collection/s3scanqueries.webp) The 2.AWS_S3Scan job has the following configurable query: 
@@ -28,22 +28,22 @@ opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Amazon Web Services Data Collector Wizard opens. -![AWS Data Collector Login Roles wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) +![AWS Data Collector Login Roles wizard page](/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) **Step 4 –** On the Login Roles page, add the created AWS Roles: - Enter the Role in the Role Name field and click **Add** - Alternatively, import multiple Roles from a CSV file -- See the [Configure AWS for Scans](../../../requirements/target/config/aws.md) topic for additional +- See the [Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information -![AWS Data Collector Filter S3 Objects wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) +![AWS Data Collector Filter S3 Objects wizard page](/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) **Step 5 –** On the Filter S3 Objects page, scope the scan to target specific S3 objects: - Click **Add** to select from AWS Buckets in the target environment - Alternatively, click **Add Custom Filter** to configure a custom filter as a text string -- See the [AWS: Filter S3 Objects](../../../admin/datacollector/aws/filters3objects.md) topic for +- See the [AWS: Filter S3 Objects](/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md) topic for additional information **Step 6 –** On the Summary page, click **Finish** to save any modifications or click **Cancel** if 
@@ -59,7 +59,7 @@ Navigate to the **AWS** > **0.Collection** > **2.AWS_S3Scan** > **Configure** no **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the 2.AWS_S3Scan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/s3scananaylsistasks.webp) +![Analysis Tasks for the 2.AWS_S3Scan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/s3scananaylsistasks.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md b/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md index 714c62828d..f02f443727 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md +++ b/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md @@ -8,7 +8,7 @@ identities. The IAM Scan query uses the AWS Data Collector to target all AWS instances and has been preconfigured to use the Collect IAM Data category. -![Queries for the 3.AWS_IAMScan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/iamscanqueries.webp) +![Queries for the 3.AWS_IAMScan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/iamscanqueries.webp) The 3.AWS_IAMScan job has the following configurable query: 
@@ -28,13 +28,13 @@ opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Amazon Web Services Data Collector Wizard opens. -![AWS Data Collector Login Roles wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) +![AWS Data Collector Login Roles wizard page](/img/product_docs/accessanalyzer/admin/datacollector/aws/loginroles.webp) **Step 4 –** On the Login Roles page, add the created AWS Roles: - Enter the Role in the Role Name field and click **Add** - Alternatively, import multiple Roles from a CSV file -- See the [Configure AWS for Scans](../../../requirements/target/config/aws.md) topic for additional +- See the [Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information **Step 5 –** On the Summary page, click **Finish** to save any modifications or click **Cancel** if @@ -50,7 +50,7 @@ View the analysis tasks by navigating to the **AWS** > **0.Collection** > **3.AW **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the 3.AWS_IAM Scan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/iamscananalysistasks.webp) +![Analysis Tasks for the 3.AWS_IAM Scan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/iamscananalysistasks.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md b/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md index d1df46237d..a592cefbc2 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md +++ b/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md 
@@ -7,7 +7,7 @@ The 4.AWS_S3SDDScan job collects details about S3 objects containing sensitive d The AWS S3 Sensitive Data Scan query uses the AWS Data Collector to target all AWS instances and has been preconfigured to use the Collect SDD Data category. -![Queries for the 4.AWS_S3SDDScan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddscanqueries.webp) +![Queries for the 4.AWS_S3SDDScan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddscanqueries.webp) The 4.AWS_S3SDDScan job has the following configurable query: @@ -28,16 +28,16 @@ opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Amazon Web Services Data Collector Wizard opens. -![AWS Data Collector Filter S3 Objects wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) +![AWS Data Collector Filter S3 Objects wizard page](/img/product_docs/accessanalyzer/admin/datacollector/aws/filters3objects.webp) **Step 4 –** On the Filter S3 Objects page, scope the scan to target specific S3 objects: - Click **Add** to select from AWS Buckets in the target environment - Alternatively, click **Add Custom Filter** to configure a custom filter as a text string -- See the [AWS: Filter S3 Objects](../../../admin/datacollector/aws/filters3objects.md) topic for +- See the [AWS: Filter S3 Objects](/docs/accessanalyzer/12.0/admin/datacollector/aws/filters3objects.md) topic for additional information -![AWS Data Collector Sensitive Data Settings wizard page](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddsensitivedata.webp) +![AWS Data Collector Sensitive Data Settings wizard page](/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddsensitivedata.webp) **Step 5 –** On the Sensitive Data Settings page, configure the following options: 
@@ -57,13 +57,13 @@ Collector Wizard opens. documents and may not be able to recognize text on images of credit cards, driver's licenses, or other identity cards. -![AWS Data Collector Select DLP criteria for this scan wizard page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![AWS Data Collector Select DLP criteria for this scan wizard page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 6 –** On the Criteria page, add or remove criteria as desired: - (Optional) Create custom criteria on the global **Settings** > **Sensitive Data** Node - See - the[Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) + the[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information and instructions **NOTE:** By default, discovered sensitive data strings are stored in the Access Analyzer database. @@ -81,7 +81,7 @@ View the analysis tasks by navigating to the **AWS** > **0.Collection** > **4.AW **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 4.AWS_S3SDD Scan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddscananaylsistasks.webp) +![Analysis Tasks for the 4.AWS_S3SDD Scan Job](/img/product_docs/accessanalyzer/solutions/aws/collection/s3sddscananaylsistasks.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/collection/overview.md b/docs/accessanalyzer/12.0/solutions/aws/collection/overview.md index 8fb5c177f3..d8dfd36a1e 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/collection/overview.md 
@@ -3,15 +3,15 @@ The 0.Collection job group scans and collects details on IAM and S3 buckets within an AWS organization. -![0.Collection Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 0.Collection Job Group is comprised of: -- [1.AWS_OrgScan Job](1.aws_orgscan.md) – Collects details about the AWS Organization including +- [1.AWS_OrgScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md) – Collects details about the AWS Organization including password policies and accounts within the organization -- [2.AWS_S3Scan Job](2.aws_s3scan.md) – Collects details about the AWS S3 buckets including details +- [2.AWS_S3Scan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md) – Collects details about the AWS S3 buckets including details about the objects in those buckets -- [3.AWS_IAMScan Job](3.aws_iamscan.md) – Collects details about users, groups, policies, roles and +- [3.AWS_IAMScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md) – Collects details about users, groups, policies, roles and other IAM related identities -- [4.AWS_S3SDDScan Job](4.aws_s3sddscan.md) – Collects details about S3 objects containing sensitive +- [4.AWS_S3SDDScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md) – Collects details about S3 objects containing sensitive data diff --git a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_groupmembers.md b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_groupmembers.md index 57d76bfe51..a300449207 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_groupmembers.md +++ b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_groupmembers.md 
@@ -11,7 +11,7 @@ Navigate to the **AWS** > **3.Groups** > **AWS_GroupMembers** > **Configure** no **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_GroupMembers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/groups/groupmembersanalysis.webp) +![Analysis Tasks for the AWS_GroupMembers Job](/img/product_docs/accessanalyzer/solutions/aws/groups/groupmembersanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_nopolicygroups.md b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_nopolicygroups.md index 1b8575e739..f3fd9f6853 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_nopolicygroups.md +++ b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_nopolicygroups.md @@ -10,7 +10,7 @@ Navigate to the **AWS** > **3.Groups** > **AWS_NoPolicyGroups** > **Configure** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_NoPolicyGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/groups/nopolicygroupsanalysis.webp) +![Analysis Tasks for the AWS_NoPolicyGroups Job](/img/product_docs/accessanalyzer/solutions/aws/groups/nopolicygroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_stalegroups.md b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_stalegroups.md index a2cf11dc83..cf077bd04b 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/groups/aws_stalegroups.md +++ b/docs/accessanalyzer/12.0/solutions/aws/groups/aws_stalegroups.md 
@@ -7,7 +7,7 @@ definition for staleness is set by default to 60 days. This can be configured. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AWS_StaleGroups job has the following configurable parameter: @@ -26,7 +26,7 @@ Navigate to the **AWS** > **3.Groups** > **AWS_StaleGroups** > **Configure** nod **CAUTION:** Do not deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. Only modify the analysis tasks listed in the customizable analysis tasks section. -![Analysis Tasks for the AWS_StaleGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) +![Analysis Tasks for the AWS_StaleGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) The following analysis tasks are selected by default: @@ -51,7 +51,7 @@ The default values for parameters that can be customized are: | Stale Group Details | @StaleThreshold | 60 | Days without login to consider an account stale | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. ## Report for the AWS_StaleGroups Job diff --git a/docs/accessanalyzer/12.0/solutions/aws/groups/overview.md b/docs/accessanalyzer/12.0/solutions/aws/groups/overview.md index 8cac28c186..cebf32be0f 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/groups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/groups/overview.md @@ -3,13 +3,13 @@ The 3.Groups job group provides details on AWS IAM group membership, orphaned groups (those with no policy assigned to them), sensitive security group membership, and stale groups. -![3.Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![3.Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 3.Groups job group is comprised of: -- [AWS_GroupMembers Job](aws_groupmembers.md) – Provides details about group members and the +- [AWS_GroupMembers Job](/docs/accessanalyzer/12.0/solutions/aws/groups/aws_groupmembers.md) – Provides details about group members and the policies assigned to those groups -- [AWS_NoPolicyGroups Job](aws_nopolicygroups.md) – Provides details on groups that have no policies +- [AWS_NoPolicyGroups Job](/docs/accessanalyzer/12.0/solutions/aws/groups/aws_nopolicygroups.md) – Provides details on groups that have no policies assigned to them -- [AWS_StaleGroups Job](aws_stalegroups.md) – Highlights groups that have members that are +- [AWS_StaleGroups Job](/docs/accessanalyzer/12.0/solutions/aws/groups/aws_stalegroups.md) – Highlights groups that have members that are considered stale diff --git a/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_accounts.md b/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_accounts.md index 74587915d1..fb3f6d3401 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_accounts.md +++ b/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_accounts.md 
@@ -13,7 +13,7 @@ Navigate to the **AWS** > **1.Organizations** > **AWS_Accounts** > **Configure** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_Accounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/organizations/accountsanalysis.webp) +![Analysis Tasks for the AWS_Accounts Job](/img/product_docs/accessanalyzer/solutions/aws/organizations/accountsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_memberaccountusers.md b/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_memberaccountusers.md index e5fdd9b25f..0038a143e3 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_memberaccountusers.md +++ b/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_memberaccountusers.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_MemberAccountUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/organizations/memberaccountusersanalysis.webp) +![Analysis Tasks for the AWS_MemberAccountUsers Job](/img/product_docs/accessanalyzer/solutions/aws/organizations/memberaccountusersanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/organizations/overview.md b/docs/accessanalyzer/12.0/solutions/aws/organizations/overview.md index d95607489c..9b55f3e2ec 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/organizations/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/organizations/overview.md 
@@ -3,13 +3,13 @@ The 1.Organizations job group analyzes and reports on the AWS Organization including password policies and accounts within the organization. -![1.Organizations Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Organizations Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 1.Organizations job jroup is comprised of: -- [AWS_Accounts Job](aws_accounts.md) – Provides detailed information about the accounts that exist +- [AWS_Accounts Job](/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_accounts.md) – Provides detailed information about the accounts that exist in each AWS Organization. This job also determines the AWS Master Account for each Organization. The AWS Master Account can be set manually by adding a line for each Organization in the temporary table #IdentitySourceAccount in the analysis task parameters for this job. -- [AWS_MemberAccountUsers Job](aws_memberaccountusers.md) – Highlights users that are not located in +- [AWS_MemberAccountUsers Job](/docs/accessanalyzer/12.0/solutions/aws/organizations/aws_memberaccountusers.md) – Highlights users that are not located in the primary AWS Identity Source, which is generally the Master AWS Account for the Organization diff --git a/docs/accessanalyzer/12.0/solutions/aws/overview.md b/docs/accessanalyzer/12.0/solutions/aws/overview.md index 499425b79d..a815612924 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/overview.md @@ -25,7 +25,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target Amazon Web Service Requirements, Permissions, and Ports](../../requirements/target/aws.md) +[Target Amazon Web Service Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/aws.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -42,7 +42,7 @@ conflict with other JDKs or Java Runtimes in the same environment. Location The AWS Solution requires a special Access Analyzer license. It can be installed from the Access -Analyzer Instant Job Wizard. See the [Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) +Analyzer Instant Job Wizard. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for information on installing instant solutions from the Access Analyzer Library. Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **AWS**. 
@@ -53,28 +53,28 @@ The AWS solution is a comprehensive set of pre-configured audit jobs and report visibility into IAM users, groups, roles, and policies, as well as S3 permissions, content, and sensitive data from target AWS accounts. -![AWS Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![AWS Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The AWS Solution is comprised of the following job groups: -- [0.Collection Job Group](collection/overview.md) – The 0.Collection Job Group scans and collects +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/aws/collection/overview.md) – The 0.Collection Job Group scans and collects details on IAM and S3 buckets within an AWS organization -- [1.Organizations Job Group](organizations/overview.md) – The 1.Organizations Job Group provides +- [1.Organizations Job Group](/docs/accessanalyzer/12.0/solutions/aws/organizations/overview.md) – The 1.Organizations Job Group provides details on AWS accounts and users -- [2.Users Job Group](users/overview.md) – The 2.Users Job Group provides details on AWS IAM user +- [2.Users Job Group](/docs/accessanalyzer/12.0/solutions/aws/users/overview.md) – The 2.Users Job Group provides details on AWS IAM user MFA status, access key usage, and staleness -- [3.Groups Job Group](groups/overview.md) – The 3.Groups Job Group provides details on AWS IAM +- [3.Groups Job Group](/docs/accessanalyzer/12.0/solutions/aws/groups/overview.md) – The 3.Groups Job Group provides details on AWS IAM group membership, orphaned groups (those with no policy assigned to them), sensitive security group membership, and stale groups -- [4.Roles Job Group](roles/overview.md) – The 4.Roles Job Group provides details on roles in the +- [4.Roles Job Group](/docs/accessanalyzer/12.0/solutions/aws/roles/overview.md) – The 4.Roles Job Group provides details on roles in the AWS IAM 
environment -- [5.Policies Job Group](policies/overview.md) – The 5.Policies Job Group provides details on AWS +- [5.Policies Job Group](/docs/accessanalyzer/12.0/solutions/aws/policies/overview.md) – The 5.Policies Job Group provides details on AWS IAM policies including the various types of policies, the permissions they grant, and where they are applied in the AWS organization -- [6.S3 Permissions Job Group](s3permissions/overview.md) – The 6.S3 Permissions Job Group provides +- [6.S3 Permissions Job Group](/docs/accessanalyzer/12.0/solutions/aws/s3permissions/overview.md) – The 6.S3 Permissions Job Group provides details on permissions assigned to AWS S3 buckets, highlighting specific threats like broken inheritance and open buckets -- [7.S3 Content Job Group](s3content/overview.md) – The 7.S3 Content Job Group provide details on +- [7.S3 Content Job Group](/docs/accessanalyzer/12.0/solutions/aws/s3content/overview.md) – The 7.S3 Content Job Group provide details on AWS S3 buckets and objects contained in those buckets -- [8.S3 Sensitive Data Job Group](sensitivedata/overview.md) – The 8.S3 Sensitive Data Job Group +- [8.S3 Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/overview.md) – The 8.S3 Sensitive Data Job Group provides details on AWS S3 buckets and objects containing sensitive data diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_custommanagedpolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_custommanagedpolicies.md index 45f0906c34..e30da709c2 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_custommanagedpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_custommanagedpolicies.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_CustomManagedPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/custommanagedpoliciesanalysis.webp) +![Analysis Tasks for the AWS_CustomManagedPolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/custommanagedpoliciesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_inlinepolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_inlinepolicies.md index dbb8026f67..06f11a671b 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_inlinepolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_inlinepolicies.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **5.Policies** > **AWS_InlinePolicies** > **Configure* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_InlinePolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/inlinepoliciesanalysis.webp) +![Analysis Tasks for the AWS_InlinePolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/inlinepoliciesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_managedpolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_managedpolicies.md index 09047c667b..9514cacefd 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_managedpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_managedpolicies.md 
@@ -10,7 +10,7 @@ Navigate to the **AWS** > **5.Policies** > **AWS_ManagedPolicies** > **Configure **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_ManagedPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/managedpoliciesanalysis.webp) +![Analysis Tasks for the AWS_ManagedPolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/managedpoliciesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_sensitivepolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_sensitivepolicies.md index 316a450e9c..3ea59a52c6 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_sensitivepolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_sensitivepolicies.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **5.Policies** > **AWS_SensitivePolicies** > **Configu **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_SensitivePolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/sensitivepoliciesanalysis.webp) +![Analysis Tasks for the AWS_SensitivePolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/sensitivepoliciesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_unusedmanagedpolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_unusedmanagedpolicies.md index e4753a260a..07c4ce4373 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_unusedmanagedpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_unusedmanagedpolicies.md 
@@ -8,7 +8,7 @@ analysis task. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AWS_UnusedManagedPolicies job has the following configurable parameter: @@ -27,7 +27,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. Only modify the analysis tasks listed in the customizable analysis tasks section. -![Analysis Tasks for the AWS_UnusedManagedPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/unusedmanagedpoliciesanalysis.webp) +![Analysis Tasks for the AWS_UnusedManagedPolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/unusedmanagedpoliciesanalysis.webp) The following analysis tasks are selected by default: @@ -50,7 +50,7 @@ The default values for parameters that can be customized are: | Unused Managed Policies | @IncludeAWSManaged | False | True or False value to include policies managed by AWS. | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. ## Report for the AWS_UnusedManagedPolicies Job diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_userpolicies.md b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_userpolicies.md index 6fc8a937c3..8d8705fe2d 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/policies/aws_userpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/aws_userpolicies.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **5.Policies** > **AWS_UserPolicies** > **Configure** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_UserPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/policies/userpoliciesanalysis.webp) +![Analysis Tasks for the AWS_UserPolicies Job](/img/product_docs/accessanalyzer/solutions/aws/policies/userpoliciesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/policies/overview.md b/docs/accessanalyzer/12.0/solutions/aws/policies/overview.md index c599b19713..775af70f99 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/policies/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/policies/overview.md 
@@ -3,21 +3,21 @@ The 5.Policies job group provides details on AWS IAM policies including the various types of policies, the permissions they grant, and where they are applied in the AWS organization. -![5.Policies Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![5.Policies Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 5.Policies job group is comprised of: -- [AWS_CustomManagedPolicies Job](aws_custommanagedpolicies.md) – Provides details on customer +- [AWS_CustomManagedPolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_custommanagedpolicies.md) – Provides details on customer managed policies created in the AWS Organization -- [AWS_InlinePolicies Job](aws_inlinepolicies.md) – Provides details on customer managed policies +- [AWS_InlinePolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_inlinepolicies.md) – Provides details on customer managed policies that are directly assigned to a user or group -- [AWS_ManagedPolicies Job](aws_managedpolicies.md) – Provides details on policies managed by Amazon +- [AWS_ManagedPolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_managedpolicies.md) – Provides details on policies managed by Amazon in the AWS Organization -- [AWS_SensitivePolicies Job](aws_sensitivepolicies.md) – Provides details on users, groups, and +- [AWS_SensitivePolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_sensitivepolicies.md) – Provides details on users, groups, and roles as well as the policies granting them sensitive permissions -- [AWS_UnusedManagedPolicies Job](aws_unusedmanagedpolicies.md) – Provides details on customer +- [AWS_UnusedManagedPolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_unusedmanagedpolicies.md) – Provides details on customer managed policies that exist in the AWS Organization. 
Optionally, AWS managed policies can be included by changing the @IncludeAWSManaged parameter on the analysis task. -- [AWS_UserPolicies Job](aws_userpolicies.md) – Provides details outlining user policy assignment. +- [AWS_UserPolicies Job](/docs/accessanalyzer/12.0/solutions/aws/policies/aws_userpolicies.md) – Provides details outlining user policy assignment. This includes where the policy is assigned, directly or at a group level, and if the policy assignment has been duplicated. diff --git a/docs/accessanalyzer/12.0/solutions/aws/recommended.md b/docs/accessanalyzer/12.0/solutions/aws/recommended.md index 2617a728e7..8ed25a930f 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/aws/recommended.md @@ -10,10 +10,10 @@ For AWS IAM Auditing: - AWS Permissions must be configured on the target databases. - - See the [Configure AWS for Scans](../../requirements/target/config/aws.md) topic for + - See the [Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for information on configuring Roles within AWS and obtaining an Access Key - See the - [Target Amazon Web Service Requirements, Permissions, and Ports](../../requirements/target/aws.md) + [Target Amazon Web Service Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/aws.md) topic for additional information on permissions Some of the 0.Collection job group queries can be scoped to target specific S3 Objects. However, it 
@@ -30,7 +30,7 @@ Connection Profile The AWS Data Collector requires a specific set of permissions. The account used can be either a Web Services (JWT) account or an Amazon Web Services account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[Amazon Web Services for User Credentials](../../admin/settings/connection/profile/aws.md) topic for +[Amazon Web Services for User Credentials](/docs/accessanalyzer/12.0/admin/settings/connection/profile/aws.md) topic for additional information. The Connection Profile is assigned under the **AWS** > **Settings** > **Connection** node. It is set @@ -39,14 +39,14 @@ Connection Profile with the necessary permissions for targeting the AWS instance **Select one of the following user defined profiles** option and select the appropriate Connection Profile. -See the [Connection](../../admin/settings/connection/overview.md) topic for additional information +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on creating a Connection Profile. Access Token Creating the Connection Profile requires having the **Access Key ID** and the **Secret Access Key** that was generated by the Amazon Web Services application. See the -[Configure AWS for Scans](../../requirements/target/config/aws.md) topic for additional information. +[Configure AWS for Scans](/docs/accessanalyzer/12.0/requirements/target/config/aws.md) topic for additional information. Schedule Frequency 
@@ -84,14 +84,14 @@ Query Configuration The following queries in the 0.Collection job group require the created AWS Roles to be added to the Login Roles page: -- [1.AWS_OrgScan Job](collection/1.aws_orgscan.md) -- [2.AWS_S3Scan Job](collection/2.aws_s3scan.md) -- [3.AWS_IAMScan Job](collection/3.aws_iamscan.md) +- [1.AWS_OrgScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/1.aws_orgscan.md) +- [2.AWS_S3Scan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md) +- [3.AWS_IAMScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/3.aws_iamscan.md) The following queries in the 0.Collection job group can be modified to limit the depth of the scan: -- [2.AWS_S3Scan Job](collection/2.aws_s3scan.md) -- [4.AWS_S3SDDScan Job](collection/4.aws_s3sddscan.md) +- [2.AWS_S3Scan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/2.aws_s3scan.md) +- [4.AWS_S3SDDScan Job](/docs/accessanalyzer/12.0/solutions/aws/collection/4.aws_s3sddscan.md) Analysis Configuration diff --git a/docs/accessanalyzer/12.0/solutions/aws/roles/aws_roles.md b/docs/accessanalyzer/12.0/solutions/aws/roles/aws_roles.md index 2e006b1902..bb896a1747 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/roles/aws_roles.md +++ b/docs/accessanalyzer/12.0/solutions/aws/roles/aws_roles.md @@ -10,7 +10,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_Roles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/roles/rolesanalysis.webp) +![Analysis Tasks for the AWS_Roles Job](/img/product_docs/accessanalyzer/solutions/aws/roles/rolesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/roles/aws_staleroles.md b/docs/accessanalyzer/12.0/solutions/aws/roles/aws_staleroles.md index 3a0b25119c..ad4d5ce64a 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/roles/aws_staleroles.md +++ b/docs/accessanalyzer/12.0/solutions/aws/roles/aws_staleroles.md @@ -8,7 +8,7 @@ configurable. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AWS_StaleRoles job has the following configurable parameter: @@ -27,7 +27,7 @@ Navigate to the **AWS** > **4.Roles** > **AWS_StaleRoles** > **Configure** node **CAUTION:** Do not deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. Only modify the analysis tasks listed in the customizable analysis tasks section. -![Analysis Tasks for the AWS_StaleRoles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/roles/stalerolesanalysis.webp) +![Analysis Tasks for the AWS_StaleRoles Job](/img/product_docs/accessanalyzer/solutions/aws/roles/stalerolesanalysis.webp) The following analysis tasks are selected by default: @@ -51,7 +51,7 @@ The default values for parameters that can be customized are: | Stale Role Details | @StaleThreshold | 60 | Days without login to consider an account stale. | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. ## Report for the AWS_StaleRoles Job diff --git a/docs/accessanalyzer/12.0/solutions/aws/roles/overview.md b/docs/accessanalyzer/12.0/solutions/aws/roles/overview.md index a491e853d5..327c239049 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/roles/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/roles/overview.md @@ -2,11 +2,11 @@ The 4.Roles job group provides details on roles in the AWS IAM environment. -![4.Roles Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4.Roles Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 4.Roles job group is comprised of: -- [AWS_Roles Job](aws_roles.md) – Provides details on roles in the AWS IAM environment -- [AWS_StaleRoles Job](aws_staleroles.md) – Provides details on roles that are considered stale. +- [AWS_Roles Job](/docs/accessanalyzer/12.0/solutions/aws/roles/aws_roles.md) – Provides details on roles in the AWS IAM environment +- [AWS_StaleRoles Job](/docs/accessanalyzer/12.0/solutions/aws/roles/aws_staleroles.md) – Provides details on roles that are considered stale. Highlighting roles that have not been used in more than 60 days and those that have never been used. diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckets.md b/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckets.md index 06ee705131..b67ef94765 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckets.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckets.md @@ -10,7 +10,7 @@ Navigate to the **AWS** > **7.S3 Content** > **AWS_S3Buckets** > **Configure** n **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AWS_S3Buckets Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/s3content/s3bucketsanalysis.webp) +![Analysis Task for the AWS_S3Buckets Job](/img/product_docs/accessanalyzer/solutions/aws/s3content/s3bucketsanalysis.webp) The following analysis task is selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckettags.md b/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckettags.md index 48cc3249e0..92500c8ab5 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckettags.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckettags.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **7.S3 Content** > **AWS_S3BucketTags** > **Configure* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_S3BucketTagsJob](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/s3content/s3buckettagsanalysis.webp) +![Analysis Tasks for the AWS_S3BucketTagsJob](/img/product_docs/accessanalyzer/solutions/aws/s3content/s3buckettagsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3content/overview.md b/docs/accessanalyzer/12.0/solutions/aws/s3content/overview.md index ac87a5f6c9..44e4c487b7 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3content/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3content/overview.md 
@@ -2,12 +2,12 @@ The 7.S3 Content job group provide details on AWS S3 buckets and objects contained in those buckets. -![7.S3 Content Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![7.S3 Content Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 7.S3 Content job group is comprised of: -- [AWS_S3Buckets Job](aws_s3buckets.md) – Provides a summary of AWS S3 buckets including total +- [AWS_S3Buckets Job](/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckets.md) – Provides a summary of AWS S3 buckets including total object size and counts -- [AWS_S3BucketTags Job](aws_s3buckettags.md) – Identifies tags associated with AWS S3 Buckets. +- [AWS_S3BucketTags Job](/docs/accessanalyzer/12.0/solutions/aws/s3content/aws_s3buckettags.md) – Identifies tags associated with AWS S3 Buckets. Tagging can be helpful to identify the storage class or purpose of a bucket and can be used in AWS IAM Policy assignments. diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_brokeninheritance.md b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_brokeninheritance.md index 102d51a250..5fd572eddf 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_brokeninheritance.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_brokeninheritance.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_BrokenInheritance Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) +![Analysis Tasks for the AWS_BrokenInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) The following analysis tasks are selected by default: 
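Review bot: In aws_brokeninheritance.md, the rewritten image line still resolves to `/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp`, a File System solution asset, although the page documents the AWS_BrokenInheritance job and the neighbouring AWS pages in this patch (for example aws_s3buckets.md) use images under `solutions/aws/`. The path rewrite carries the cross-solution reference over unchanged. Since the line is being touched, please confirm the screenshot actually shows the AWS job's analysis tasks, or repoint it to an AWS-specific image, so readers checking S3 permission findings are not shown the File System task list.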
diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_effectivepermissions.md b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_effectivepermissions.md index 49280292e6..d1ed880a54 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_effectivepermissions.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_effectivepermissions.md @@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_Accounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/effectivepermissionsanalysis.webp) +![Analysis Tasks for the AWS_Accounts Job](/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/effectivepermissionsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_openbuckets.md b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_openbuckets.md index ba28bbdfc3..c112a5d1d4 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_openbuckets.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_openbuckets.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **6.S3 Permissions** > **AWS_OpenBuckets** > **Configu **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the AWS_OpenBuckets Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/s3permissions/openbucketsanalysis.webp) +![Analysis Task for the AWS_OpenBuckets Job](/img/product_docs/accessanalyzer/solutions/aws/s3permissions/openbucketsanalysis.webp) The following analysis task is selected by default: 
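Review bot: In the aws_effectivepermissions.md hunk, the added image line keeps the alt text "Analysis Tasks for the AWS_Accounts Job" on the AWS_EffectivePermissions page, and its target is `/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/effectivepermissionsanalysis.webp`, a Db2 asset. Both look like copy-paste leftovers that the path rewrite preserves. Suggest changing the alt text to name the AWS_EffectivePermissions job and verifying that the Db2 screenshot is the intended one for this S3 permissions job before merging.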
diff --git a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/overview.md b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/overview.md index cd819b70d7..505dbeb014 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/s3permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/s3permissions/overview.md @@ -3,14 +3,14 @@ The 6.S3 Permissions job group provides details on permissions assigned to AWS S3 buckets, highlighting specific threats like broken inheritance and open buckets. -![6.S3 Permissions Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![6.S3 Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 6.S3 Permissions job group is comprised of: -- [AWS_BrokenInheritance Job](aws_brokeninheritance.md) – Highlights permissions in an AWS S3 bucket +- [AWS_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_brokeninheritance.md) – Highlights permissions in an AWS S3 bucket that differ from those assigned at the bucket level, those assigned directly on objects within the bucket -- [AWS_EffectivePermissions Job](aws_effectivepermissions.md) – Identifies and summarizes effective +- [AWS_EffectivePermissions Job](/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_effectivepermissions.md) – Identifies and summarizes effective permissions on AWS S3 buckets and bucket objects -- [AWS_OpenBuckets Job](aws_openbuckets.md) – Identifies buckets that have permissions assigned to +- [AWS_OpenBuckets Job](/docs/accessanalyzer/12.0/solutions/aws/s3permissions/aws_openbuckets.md) – Identifies buckets that have permissions assigned to everyone at the top level of the AWS S3 bucket diff --git a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata.md index ba9b7c8e8b..96c53d72d1 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_SensitiveData Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) +![Analysis Tasks for the AWS_SensitiveData Job](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata_permissions.md b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata_permissions.md index 0bdd470dc8..d716b435c4 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata_permissions.md +++ b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata_permissions.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **8.S3 Sensitive Data** > **AWS_SensitiveData_Permissi **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_SensitiveData_Permissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatapermissionsanalysis.webp) +![Analysis Tasks for the AWS_SensitiveData_Permissions Job](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatapermissionsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/overview.md index d83bd084b8..888eb48690 100644 
--- a/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/overview.md @@ -3,11 +3,11 @@ The 8.S3 Sensitive Data job group provides details on AWS S3 buckets and objects containing sensitive data. -![8.S3 Sensitive Data Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![8.S3 Sensitive Data Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 8.S3 Sensitive Data job group is comprised of: -- [AWS_SensitiveData Job](aws_sensitivedata.md) – Provides details on AWS S3 buckets and the objects +- [AWS_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata.md) – Provides details on AWS S3 buckets and the objects in them which contain sensitive data -- [AWS_SensitiveData_Permissions Job](aws_sensitivedata_permissions.md) – Provides details on the +- [AWS_SensitiveData_Permissions Job](/docs/accessanalyzer/12.0/solutions/aws/sensitivedata/aws_sensitivedata_permissions.md) – Provides details on the permissions assigned to AWS S3 buckets and the objects in them which contain sensitive data diff --git a/docs/accessanalyzer/12.0/solutions/aws/users/aws_accesskeys.md b/docs/accessanalyzer/12.0/solutions/aws/users/aws_accesskeys.md index c58e4f7a93..58eabc4606 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/users/aws_accesskeys.md +++ b/docs/accessanalyzer/12.0/solutions/aws/users/aws_accesskeys.md 
@@ -11,7 +11,7 @@ Navigate to the **AWS** > **2.Users** > **AWS_AccessKeys** > **Configure** node **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_AccessKeys Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/users/accesskeysanalysis.webp) +![Analysis Tasks for the AWS_AccessKeys Job](/img/product_docs/accessanalyzer/solutions/aws/users/accesskeysanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/users/aws_mfastatus.md b/docs/accessanalyzer/12.0/solutions/aws/users/aws_mfastatus.md index 7cd3c1caf1..5419ba7f51 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/users/aws_mfastatus.md +++ b/docs/accessanalyzer/12.0/solutions/aws/users/aws_mfastatus.md @@ -11,7 +11,7 @@ Navigate to the **AWS** > **2.Users** > **AWS_MFAStatus** > **Configure** node a **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_MFAStatus Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/users/mfastatusanalysis.webp) +![Analysis Tasks for the AWS_MFAStatus Job](/img/product_docs/accessanalyzer/solutions/aws/users/mfastatusanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/users/aws_rootaccounts.md b/docs/accessanalyzer/12.0/solutions/aws/users/aws_rootaccounts.md index a0127267a5..8fbca5cd76 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/users/aws_rootaccounts.md +++ b/docs/accessanalyzer/12.0/solutions/aws/users/aws_rootaccounts.md 
@@ -11,7 +11,7 @@ Navigate to the **AWS** > **2.Users** > **AWS_RootAccounts** > **Configure** nod **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AWS_RootAccounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/aws/users/rootaccountsanalysis.webp) +![Analysis Tasks for the AWS_RootAccounts Job](/img/product_docs/accessanalyzer/solutions/aws/users/rootaccountsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/aws/users/aws_staleusers.md b/docs/accessanalyzer/12.0/solutions/aws/users/aws_staleusers.md index 12eab0ed23..5a277cd307 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/users/aws_staleusers.md +++ b/docs/accessanalyzer/12.0/solutions/aws/users/aws_staleusers.md @@ -7,7 +7,7 @@ used, highlighting those over specified number of days (default 60) or that have The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The AWS_StaleUsers job has the following configurable parameter: 
@@ -26,7 +26,7 @@ Navigate to the **AWS** > **2.Users** > **AWS_StaleUsers** > **Configure** node **CAUTION:** Do not deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. Only modify the analysis tasks listed in the customizable analysis tasks section. -![Analysis Tasks for the AWS_StaleUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) +![Analysis Tasks for the AWS_StaleUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) The following analysis tasks are selected by default: @@ -49,7 +49,7 @@ The default values for parameters that can be customized are: | Stale Users | @StaleThreshold | 60 | Number of days before considering a user stale | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. ## Report for the AWS_StaleUsers Job diff --git a/docs/accessanalyzer/12.0/solutions/aws/users/overview.md b/docs/accessanalyzer/12.0/solutions/aws/users/overview.md index ad49cce371..17f6e7ec99 100644 --- a/docs/accessanalyzer/12.0/solutions/aws/users/overview.md +++ b/docs/accessanalyzer/12.0/solutions/aws/users/overview.md 
@@ -2,15 +2,15 @@ The 2.Users job group provides details on AWS IAM user MFA status, access key usage, and staleness. -![2.Users Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Users Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 2.Users job group is comprised of: -- [AWS_AccessKeys Job](aws_accesskeys.md) – Provides details on the last time an access key was +- [AWS_AccessKeys Job](/docs/accessanalyzer/12.0/solutions/aws/users/aws_accesskeys.md) – Provides details on the last time an access key was rotated or used, highlighting keys that were last rotated over a year ago -- [AWS_MFAStatus Job](aws_mfastatus.md) – Provides details on each user's MFA status, highlighting +- [AWS_MFAStatus Job](/docs/accessanalyzer/12.0/solutions/aws/users/aws_mfastatus.md) – Provides details on each user's MFA status, highlighting users that have it disabled -- [AWS_RootAccounts Job](aws_rootaccounts.md) – Provides details on AWS root accounts and how they +- [AWS_RootAccounts Job](/docs/accessanalyzer/12.0/solutions/aws/users/aws_rootaccounts.md) – Provides details on AWS root accounts and how they conform to recommended security practices -- [AWS_StaleUsers Job](aws_staleusers.md) – Provides details on the last time each user logged in or +- [AWS_StaleUsers Job](/docs/accessanalyzer/12.0/solutions/aws/users/aws_staleusers.md) – Provides details on the last time each user logged in or their access key was used, highlighting those over 60 days or that have never logged in diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_deletions.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_deletions.md index bf55bf783e..28be739637 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_deletions.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_deletions.md 
@@ -12,7 +12,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Deletions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) +![Analysis Tasks for the Box_Deletions Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_downloads.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_downloads.md index 2341ba882c..6003f71f81 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_downloads.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_downloads.md @@ -11,7 +11,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Downloads Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/downloadsanalysis.webp) +![Analysis Tasks for the Box_Downloads Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/downloadsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externaluseractivity.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externaluseractivity.md index 7356af8eaf..370b8585bd 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externaluseractivity.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externaluseractivity.md 
@@ -13,7 +13,7 @@ node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis for the Box_ExternalUserActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/externaluseractivityanalysis.webp) +![Analysis for the Box_ExternalUserActivity Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/externaluseractivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externalusercollaborations.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externalusercollaborations.md index ba6192e51a..359a0712b7 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externalusercollaborations.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externalusercollaborations.md @@ -12,7 +12,7 @@ Navigate to **Box** > **1.Activity** > **Forensics** > **Box_ExternalUserCollabo **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_ExternalUserCollaborations Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/externalusercollaborationsanalysis.webp) +![Analysis Tasks for the Box_ExternalUserCollaborations Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/externalusercollaborationsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_permissionchanges.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_permissionchanges.md index eadd1fe7b6..1e8c67181e 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_permissionchanges.md 
+++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_permissionchanges.md @@ -11,7 +11,7 @@ node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_PermissionChanges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) +![Analysis Tasks for the Box_PermissionChanges Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_sharing.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_sharing.md index 07458697c3..6e61d98414 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_sharing.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_sharing.md @@ -10,7 +10,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Sharing Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/sharinganalysis.webp) +![Analysis Tasks for the Box_Sharing Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/sharinganalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md index 10a633d3eb..427f1d61a6 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md 
@@ -5,20 +5,20 @@ activity, collaboration activity and high-risk collaborations within the targete It is dependent on data collected by the 0.Collection Job Group, also housed in the Box Job Group. The jobs that comprise the 1.Activity Job Group process analysis tasks and generate a report. -![Forensics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Forensics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Forensics Job Group is comprised of: -- [Box_Deletions Job](box_deletions.md) – Provides details on file and folder deletions that have +- [Box_Deletions Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_deletions.md) – Provides details on file and folder deletions that have occurred over the past 30 days -- [Box_Downloads Job](box_downloads.md) – Provides details on file and folder deletions that have +- [Box_Downloads Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_downloads.md) – Provides details on file and folder deletions that have occurred over the past 30 days -- [Box_ExternalUserActivity Job](box_externaluseractivity.md) – Identifies and analyzes external +- [Box_ExternalUserActivity Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externaluseractivity.md) – Identifies and analyzes external user activity which has occurred over the past 30 days -- [Box_ExternalUserCollaborations Job](box_externalusercollaborations.md) – Identifies collaboration +- [Box_ExternalUserCollaborations Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_externalusercollaborations.md) – Identifies collaboration invites sent to external users. These collaborations should be reviewed to ensure sensitive data is not being shared outside of your organization. 
-- [Box_PermissionChanges Job](box_permissionchanges.md) – Provides details on permission changes +- [Box_PermissionChanges Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_permissionchanges.md) – Provides details on permission changes that have occurred over the past 30 days -- [Box_Sharing Job](box_sharing.md) – Provides details on sharing activity that has occurred over +- [Box_Sharing Job](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/box_sharing.md) – Provides details on sharing activity that has occurred over the past 30 days diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/overview.md b/docs/accessanalyzer/12.0/solutions/box/activity/overview.md index f0da84e7ea..3217384a34 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/overview.md 
@@ -4,16 +4,16 @@ The **Box** > **1.Activity** Job Group identifies long term trends of activity p into user activity, usage statistics, and suspicious behavior identifies long-term trends of activity providing insight into user activity, usage statistics, and suspicious behavior. -![1.Activity Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 1.Activity Job Group is comprised of: -- [Forensics Job Group](forensics/overview.md) – Provides details on the types of operations +- [Forensics Job Group](/docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md) – Provides details on the types of operations occurring within audited Box enterprises, including deletions, file downloads, permission changes, and more -- [Suspicious Activity Job Group](suspiciousactivity/overview.md) – Identifies areas and times of +- [Suspicious Activity Job Group](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/overview.md) – Identifies areas and times of abnormal activity by analyzing typical activity patterns and identifying outliers based on factors such as amount of activity or time of day -- [Usage Statistics Job Group](usagestatistics/overview.md) – Identifies long-term trends of +- [Usage Statistics Job Group](/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/overview.md) – Identifies long-term trends of activity and usage statistics across your Box environment, highlighting conditions such as most active or stale folders diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_failedlogins.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_failedlogins.md index 6216ff0ee2..3b5bc047f8 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_failedlogins.md 
+++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_failedlogins.md @@ -12,7 +12,7 @@ Navigate to **Box** > **1.Activity** > **Suspicious Activity** > **Box_FailedLog **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_FailedLogins Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/failedloginsanalysis.webp) +![Analysis Tasks for the Box_FailedLogins Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/failedloginsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_firsttimefolderaccess.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_firsttimefolderaccess.md index eb511d9de9..a41774d763 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_firsttimefolderaccess.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_firsttimefolderaccess.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Box** > **1.Activity** > **Suspic **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_FirstTimeFolderAccess Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/firsttimefolderaccessanalysis.webp) +![Analysis Tasks for the Box_FirstTimeFolderAccess Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/firsttimefolderaccessanalysis.webp) The following analysis tasks are selected by default: 
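Review bot: In docs/accessanalyzer/12.0/solutions/box/activity/forensics/overview.md, the added Box_Downloads list item still reads "Provides details on file and folder deletions that have occurred over the past 30 days", which is word for word the Box_Deletions description on the item above it. Because this line is rewritten here anyway, change the summary to describe download activity so the link text and description agree. Someone using this index to pick the right Box forensics report would otherwise be misled about what the job covers.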
diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualdownloadactivity.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualdownloadactivity.md index 82d3f3eccb..265d47959c 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualdownloadactivity.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualdownloadactivity.md @@ -12,7 +12,7 @@ Navigate to **Box** > **1.Activity** > **Suspicious Activity** > **Box_UnusualDo **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the Box_UnusualDownloadActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/unusualdownloadactivityanalysis.webp) +![Analysis Task for the Box_UnusualDownloadActivity Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/unusualdownloadactivityanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualuseractivity.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualuseractivity.md index 50b46ca7d5..ec41ba1533 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualuseractivity.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualuseractivity.md 
@@ -12,7 +12,7 @@ Navigate to **Box** > **1.Activity** > **Suspicious Activity** > **Box_UnusualUs **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_UnusualUserActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/unusualuseractivityanalysis.webp) +![Analysis Tasks for the Box_UnusualUserActivity Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/unusualuseractivityanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_weekendactivity.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_weekendactivity.md index 7306833fe9..b21b178c1c 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_weekendactivity.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_weekendactivity.md @@ -12,7 +12,7 @@ Navigate to **Box** > **1.Activity** > **Suspicious Activity** > **Box_WeekendAc **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_WeekendActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/weekendactivityanalysis.webp) +![Analysis Tasks for the Box_WeekendActivity Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/weekendactivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/overview.md b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/overview.md index 20bc734ce8..d41481a919 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/overview.md 
@@ -4,18 +4,18 @@ The Suspicious Activity Job Group identifies areas and times of abnormal activit typical activity patterns and identifying outliers based on factors such as amount of activity or time of day. -![Suspicious Activity Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Suspicious Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Suspicious Activity Job Group is comprised of: -- [Box_FailedLogins Job](box_failedlogins.md) – Identifies failed logon events that have occurred +- [Box_FailedLogins Job](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_failedlogins.md) – Identifies failed logon events that have occurred over the last 30 days -- [Box_FirstTimeFolderAccess Job](box_firsttimefolderaccess.md) – Identifies the first time a user +- [Box_FirstTimeFolderAccess Job](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_firsttimefolderaccess.md) – Identifies the first time a user performs any activity on a folder or a file over the past 30 days -- [Box_UnusualDownloadActivity Job](box_unusualdownloadactivity.md) – Highlights unusual download +- [Box_UnusualDownloadActivity Job](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualdownloadactivity.md) – Highlights unusual download activity for a user on a specific day by analyzing the download activity for a given user and looking for outliers -- [Box_UnusualUserActivity Job](box_unusualuseractivity.md) – Highlights unusual activity for a user +- [Box_UnusualUserActivity Job](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_unusualuseractivity.md) – Highlights unusual activity for a user on a specific day by analyzing the activity for a given user and looking for outliers -- [Box_WeekendActivity Job](box_weekendactivity.md) – Identifies Box activity events which have +- 
[Box_WeekendActivity Job](/docs/accessanalyzer/12.0/solutions/box/activity/suspiciousactivity/box_weekendactivity.md) – Identifies Box activity events which have occurred on weekends over the last 30 days diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_mostactive.md b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_mostactive.md index f67cfedf80..122b4d42bb 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_mostactive.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_mostactive.md @@ -11,7 +11,7 @@ Navigate to **Box** > **1.Activity** > **Usage Statistics** > **Box_Folders_Most **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Folders_MostActive Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/foldersmostactiveanalysis.webp) +![Analysis Tasks for the Box_Folders_MostActive Job](/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/foldersmostactiveanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_stale.md b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_stale.md index cd80a12a79..91140f310f 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_stale.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_stale.md 
@@ -12,7 +12,7 @@ node and select **Analysis** to view analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Folders_Stale Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/foldersstaleanalysis.webp) +![Analysis Tasks for the Box_Folders_Stale Job](/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/foldersstaleanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_users_mostactive.md b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_users_mostactive.md index dab506c20a..3612d3fe64 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_users_mostactive.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_users_mostactive.md @@ -11,7 +11,7 @@ Navigate to **Box** > **1.Activity** > **Usage Statistics** > **Box_Users_MostAc **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Users_MostActive Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/usersmostactiveanalysis.webp) +![Analysis Tasks for the Box_Users_MostActive Job](/img/product_docs/accessanalyzer/solutions/box/activity/usagestatistics/usersmostactiveanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/overview.md b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/overview.md index 9cf60bec46..c219ae8921 100644 --- a/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/overview.md 
@@ -3,16 +3,16 @@ The Usage Statistics Job Group identifies long term trends of activity and usage statistics across your Box environment, highlighting conditions such as most active or stale folders. -![Usage Statistics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Usage Statistics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Usage Statistics Job Group is comprised of: -- [Box_Folders_MostActive Job](box_folders_mostactive.md) – Identifies long-term trends of activity +- [Box_Folders_MostActive Job](/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_mostactive.md) – Identifies long-term trends of activity and usage statistics across your Box environment, highlighting conditions such as most active or stale folders -- [Box_Folders_Stale Job](box_folders_stale.md) – Identifies long-term trends of activity and usage +- [Box_Folders_Stale Job](/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_folders_stale.md) – Identifies long-term trends of activity and usage statistics across your Box environment, highlighting conditions such as most active or stale folders -- [Box_Users_MostActive Job](box_users_mostactive.md) – Identifies long-term trends of activity and +- [Box_Users_MostActive Job](/docs/accessanalyzer/12.0/solutions/box/activity/usagestatistics/box_users_mostactive.md) – Identifies long-term trends of activity and usage statistics across your Box environment, highlighting conditions such as most active or stale folders diff --git a/docs/accessanalyzer/12.0/solutions/box/box_access.md b/docs/accessanalyzer/12.0/solutions/box/box_access.md index 78c86d1a05..4bdad0a90f 100644 --- a/docs/accessanalyzer/12.0/solutions/box/box_access.md +++ b/docs/accessanalyzer/12.0/solutions/box/box_access.md 
@@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_Access Job](../../../../../static/img/product_docs/accessanalyzer/solutions/box/accessanalysis.webp) +![Analysis Tasks for the Box_Access Job](/img/product_docs/accessanalyzer/solutions/box/accessanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/box_groupmembership.md b/docs/accessanalyzer/12.0/solutions/box/box_groupmembership.md index 6e69de8824..16d9c1934b 100644 --- a/docs/accessanalyzer/12.0/solutions/box/box_groupmembership.md +++ b/docs/accessanalyzer/12.0/solutions/box/box_groupmembership.md @@ -11,7 +11,7 @@ analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Box_GroupMembership Job](../../../../../static/img/product_docs/accessanalyzer/solutions/box/groupmembershipanalysis.webp) +![Analysis Tasks for the Box_GroupMembership Job](/img/product_docs/accessanalyzer/solutions/box/groupmembershipanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/box/collection/1-box_access_scans.md b/docs/accessanalyzer/12.0/solutions/box/collection/1-box_access_scans.md index 0a6702727f..150c02de1c 100644 --- a/docs/accessanalyzer/12.0/solutions/box/collection/1-box_access_scans.md +++ b/docs/accessanalyzer/12.0/solutions/box/collection/1-box_access_scans.md 
@@ -10,7 +10,7 @@ the Scan Box Permissions Category. If this query is not configured but has the a scan of all folders at full depth is performed. Optionally, configure the query to limit the depth of the scan. -![Queries for the 1-Box_Access Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/accessqueries.webp) +![Queries for the 1-Box_Access Scans Job](/img/product_docs/accessanalyzer/solutions/box/collection/accessqueries.webp) The 1-Box_Access Scans Job has the following queries: 
@@ -45,26 +45,26 @@ Query Properties window opens. **Step 2 –** Select the **Data Source** tab, and click **Configure**. The Box Data Collector Wizard opens. -![Box Data Collector Wizard Exclusions page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/accessexclusions.webp) +![Box Data Collector Wizard Exclusions page](/img/product_docs/accessanalyzer/solutions/box/collection/accessexclusions.webp) **Step 3 –** On the Exclusions Page: - Add folders to be excluded - Add folders to be included (scope scan to only these folders) -![Box Data Collector Wizard Additional Scoping page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/accessadditionalscoping.webp) +![Box Data Collector Wizard Additional Scoping page](/img/product_docs/accessanalyzer/solutions/box/collection/accessadditionalscoping.webp) **Step 4 –** On the Additional Scoping page: - Optionally, select this option to limit the depth of the scan across the targeted Box account -![Box Data Collector Wizard Scope by User page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/accessuserscope.webp) +![Box Data Collector Wizard Scope by User page](/img/product_docs/accessanalyzer/solutions/box/collection/accessuserscope.webp) **Step 5 –** On the Scope By User Page: - Optionally, limit the scope of the scan to specified users by providing a CSV file -![Box Data Collector Wizard Authenticate page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/accessauthenticate.webp) +![Box Data Collector Wizard Authenticate page](/img/product_docs/accessanalyzer/solutions/box/collection/accessauthenticate.webp) **Step 6 –** The Authenticate page is where the connection to the target Box environment is configured. Click **Authorize** to launch the BoxLogin window and generate an authorization code. 
diff --git a/docs/accessanalyzer/12.0/solutions/box/collection/1-box_activity_scans.md b/docs/accessanalyzer/12.0/solutions/box/collection/1-box_activity_scans.md index 19941f0380..810ad08cb4 100644 --- a/docs/accessanalyzer/12.0/solutions/box/collection/1-box_activity_scans.md +++ b/docs/accessanalyzer/12.0/solutions/box/collection/1-box_activity_scans.md @@ -8,7 +8,7 @@ visibility into user activity events within Box. The Scan Query uses the Box Data Collector to target all Box hosts and has been preconfigured to use the Scan Box Permissions Category. -![Queries for the 1-Box_Activity Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityqueries.webp) +![Queries for the 1-Box_Activity Scans Job](/img/product_docs/accessanalyzer/solutions/box/collection/activityqueries.webp) The 1-Box_Activity Scans Job has the following queries: 
@@ -45,39 +45,39 @@ Query Properties window displays. **Step 3 –** Select the Data Source tab, and click **Configure**. The Box Data Collector Wizard opens. -![Box Data Collector Wizard Exclusions page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityexclusions.webp) +![Box Data Collector Wizard Exclusions page](/img/product_docs/accessanalyzer/solutions/box/collection/activityexclusions.webp) **Step 4 –** On the Exclusions page: - Add folders to be excluded - Add folders to be included (scope scan to only these folders) -![Box Data Collector Wizard Additional Scoping page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityadditionalscoping.webp) +![Box Data Collector Wizard Additional Scoping page](/img/product_docs/accessanalyzer/solutions/box/collection/activityadditionalscoping.webp) **Step 5 –** On the Additional Scoping page: - Optionally, select this option to limit the depth of the scan across the targeted Box account -![Box Data Collector Wizard Scope by User page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityuserscope.webp) +![Box Data Collector Wizard Scope by User page](/img/product_docs/accessanalyzer/solutions/box/collection/activityuserscope.webp) **Step 6 –** On the Scope By User Page: - Optionally, limit the scope of the scan to specified users by providing a CSV file -![Box Data Collector Wizard Activity Timespan Scope page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activitytimespanscope.webp) +![Box Data Collector Wizard Activity Timespan Scope page](/img/product_docs/accessanalyzer/solutions/box/collection/activitytimespanscope.webp) **Step 7 –** On the Activity Timespan Scope page: - Collect activity data within a Relative Timespan - Collect activity data within an Absolute Timespan -![Box Data Collector Wizard Activity Operation Scope 
page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityoperationscope.webp) +![Box Data Collector Wizard Activity Operation Scope page](/img/product_docs/accessanalyzer/solutions/box/collection/activityoperationscope.webp) **Step 8 –** On the Activity Operation Scope page: - Select Box enterprise event operations to collect -![Box Data Collector Wizard Authenticate page](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/activityauthenticate.webp) +![Box Data Collector Wizard Authenticate page](/img/product_docs/accessanalyzer/solutions/box/collection/activityauthenticate.webp) **Step 9 –** The Authenticate page is where the connection to the target Box environment is configured. Click **Authorize** to launch the BoxLogin window and generate an authorization code. diff --git a/docs/accessanalyzer/12.0/solutions/box/collection/2-box_import.md b/docs/accessanalyzer/12.0/solutions/box/collection/2-box_import.md index 6d93daa672..245c319cda 100644 --- a/docs/accessanalyzer/12.0/solutions/box/collection/2-box_import.md +++ b/docs/accessanalyzer/12.0/solutions/box/collection/2-box_import.md @@ -9,7 +9,7 @@ provide detailed reports on Box access rights, policies, configurations, activit The Import Query uses the Box Data Collector and has been preconfigured to use the Import Box Permissions Category. -![Queries for the 2-Box_Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/collection/importqueries.webp) +![Queries for the 2-Box_Import Job](/img/product_docs/accessanalyzer/solutions/box/collection/importqueries.webp) The 2-Box_Import Job has the following query: diff --git a/docs/accessanalyzer/12.0/solutions/box/collection/overview.md b/docs/accessanalyzer/12.0/solutions/box/collection/overview.md index d6a87e15a5..c385e04c46 100644 --- a/docs/accessanalyzer/12.0/solutions/box/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/collection/overview.md 
@@ -3,14 +3,14 @@ The 0.Collection Job Group collects data which will be further analyzed in order to provide details on Box access rights, policies, configurations, activities, and content. -![Box > Collection Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Box > Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 0.Collection Job Group is comprised of: -- [1-Box_Access Scans Job](1-box_access_scans.md) – Collects the data which will be further analyzed +- [1-Box_Access Scans Job](/docs/accessanalyzer/12.0/solutions/box/collection/1-box_access_scans.md) – Collects the data which will be further analyzed in order to provide details on Box access rights, policies, configurations, and content -- [1-Box_Activity Scans Job](1-box_activity_scans.md) – Collects the data which will be further +- [1-Box_Activity Scans Job](/docs/accessanalyzer/12.0/solutions/box/collection/1-box_activity_scans.md) – Collects the data which will be further analyzed in order to provide visibility into user activity events within Box -- [2-Box_Import Job](2-box_import.md) – Takes the data that has been collected from Box and imports +- [2-Box_Import Job](/docs/accessanalyzer/12.0/solutions/box/collection/2-box_import.md) – Takes the data that has been collected from Box and imports it to the Access Analyzer database to be analyzed in order to provide detailed reports on Box access rights, policies, configurations, activities, and content diff --git a/docs/accessanalyzer/12.0/solutions/box/content/box_filemetrics.md b/docs/accessanalyzer/12.0/solutions/box/content/box_filemetrics.md index 7dbe855996..75c43c0be2 100644 --- a/docs/accessanalyzer/12.0/solutions/box/content/box_filemetrics.md +++ b/docs/accessanalyzer/12.0/solutions/box/content/box_filemetrics.md 
@@ -12,7 +12,7 @@ Navigate to **Box** > **2.Content** > **Box_FileMetrics** > **Configure** node a **CAUTION:** Most of these analysis tasks should never be modified and never be deselected. -![Analysis Tasks for the Box_FileMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/content/filemetricsanalysis.webp) +![Analysis Tasks for the Box_FileMetrics Job](/img/product_docs/accessanalyzer/solutions/box/content/filemetricsanalysis.webp) The following analysis tasks are selected by default: @@ -48,5 +48,5 @@ The default values for parameters that can be customized are: | File Metrics Details | @STALE_THRESHOLD | 30 | Consider content stale after 30 days | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. diff --git a/docs/accessanalyzer/12.0/solutions/box/content/box_foldermetrics.md b/docs/accessanalyzer/12.0/solutions/box/content/box_foldermetrics.md index d04c30b405..441d182aca 100644 --- a/docs/accessanalyzer/12.0/solutions/box/content/box_foldermetrics.md +++ b/docs/accessanalyzer/12.0/solutions/box/content/box_foldermetrics.md @@ -14,7 +14,7 @@ Navigate to **Box** > **2.Content** > **Box_FolderMetrics** > **Configure** node **CAUTION:** Most of these analysis tasks should never be modified and never be deselected. -![Analysis Tasks for the Box_FolderMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/box/content/foldermetricsanalysis.webp) +![Analysis Tasks for the Box_FolderMetrics Job](/img/product_docs/accessanalyzer/solutions/box/content/foldermetricsanalysis.webp) The following analysis tasks are selected by default: 
@@ -46,5 +46,5 @@ The default values for parameters that can be customized are: | Folder Metrics Details | @STALE_THRESHOLD | 30 | Consider content stale after 30 days | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) topic +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on how to modify parameters. diff --git a/docs/accessanalyzer/12.0/solutions/box/content/overview.md b/docs/accessanalyzer/12.0/solutions/box/content/overview.md index 0d5b18e316..02c4b5a988 100644 --- a/docs/accessanalyzer/12.0/solutions/box/content/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/content/overview.md 
@@ -4,14 +4,14 @@ The 2.Content Job Group analyzes and summarizes the content of the targeted Box highlighting users with the most content as well as what type of content exists. This information can also be used to identify stale content that can be removed or archived to reduce risk. -![2.Content Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Content Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 2.Content Job Group is comprised of: -- [Box_FileMetrics Job](box_filemetrics.md) – Offers insight into content sizing, staleness, and +- [Box_FileMetrics Job](/docs/accessanalyzer/12.0/solutions/box/content/box_filemetrics.md) – Offers insight into content sizing, staleness, and ownership of files in the Box environment. The staleness threshold can be customized within the **File Metrics Details** analysis. -- [Box_FolderMetrics Job](box_foldermetrics.md) – Offers insight into content sizing, staleness, and +- [Box_FolderMetrics Job](/docs/accessanalyzer/12.0/solutions/box/content/box_foldermetrics.md) – Offers insight into content sizing, staleness, and ownership of folders in the Box environment. The staleness threshold can be customized within the **Folder Metrics Details** analysis. Largest and smallest folder size thresholds can be configured in a similar way in their respective analysis tasks. diff --git a/docs/accessanalyzer/12.0/solutions/box/overview.md b/docs/accessanalyzer/12.0/solutions/box/overview.md index b4f857953c..3670fba88c 100644 --- a/docs/accessanalyzer/12.0/solutions/box/overview.md +++ b/docs/accessanalyzer/12.0/solutions/box/overview.md 
@@ -10,7 +10,7 @@ Supported Platforms Requirements, Permissions, and Ports -See the [Target Box Requirements, Permissions, and Ports](../../requirements/target/box.md) topic +See the [Target Box Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/box.md) topic for additional information. Location @@ -19,7 +19,7 @@ The Box Solution requires a special Access Analyzer license. It can be installed Job Wizard. Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **Box**. -![Box Solution in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Box Solution in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 0.Collection Job Group collects the data. The other job groups run analysis on the collected data and generate reports. 
@@ -29,20 +29,20 @@ data and generate reports. The Box solution contains jobs to highlight access, analyze content, and expand group membership in an organization's Box environment. -![Box Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Box Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The Box Solution has the following job groups and jobs: -- [0.Collection Job Group](collection/overview.md) – Collects the data which will be further +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/box/collection/overview.md) – Collects the data which will be further analyzed in order to provide details on Box access rights, policies, configurations, activities, and content -- [1.Activity Job Group](activity/overview.md) – Identifies long term trends of activity providing +- [1.Activity Job Group](/docs/accessanalyzer/12.0/solutions/box/activity/overview.md) – Identifies long term trends of activity providing insight into user activity, usage statistics, and suspicious behavior by analyzing enterprise events within the Box environment -- [2.Content Job Group](content/overview.md) – Analyzes and summarizes the content of the Box +- [2.Content Job Group](/docs/accessanalyzer/12.0/solutions/box/content/overview.md) – Analyzes and summarizes the content of the Box environment, highlighting users with the most content as well as what type of content exists -- [Box_Access Job](box_access.md) – Analyzes access granted to users and groups in an organization's +- [Box_Access Job](/docs/accessanalyzer/12.0/solutions/box/box_access.md) – Analyzes access granted to users and groups in an organization's Box environment in order to report on effective access rights, file-level permissions, and inactive access rights that can be revoked -- [Box_GroupMembership Job](box_groupmembership.md) – Expands group membership in an organization's +- 
[Box_GroupMembership Job](/docs/accessanalyzer/12.0/solutions/box/box_groupmembership.md) – Expands group membership in an organization's Box environment diff --git a/docs/accessanalyzer/12.0/solutions/box/recommended.md b/docs/accessanalyzer/12.0/solutions/box/recommended.md index 32f5c75266..1489a66a9d 100644 --- a/docs/accessanalyzer/12.0/solutions/box/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/box/recommended.md @@ -30,7 +30,7 @@ account with permission to **Run new reports and access existing reports** enabl needed to generate an authorization code in the form of an Access Token. This can be done through the query configuration either in the 1-Box_Access Scans Job’ Authentication wizard page or the 1-Box_Activity Scans Job’s Authentication wizard page of the Box Data Collector Wizard. See the -[Box Data Collector](../../admin/datacollector/box/overview.md) topic for additional information. +[Box Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/box/overview.md) topic for additional information. Access Token diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/0-azuresql_instancediscovery.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/0-azuresql_instancediscovery.md index b94f8ce080..908c33a039 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/0-azuresql_instancediscovery.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/0-azuresql_instancediscovery.md 
@@ -8,7 +8,7 @@ will be used throughout the solution set. The 0-AzureSQL_InstanceDiscovery job uses the SQL Data Collector for the following query: -![Query Selection - Instance Discovery](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/instancediscquery.webp) +![Query Selection - Instance Discovery](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/instancediscquery.webp) - Azure SQL Instance Discovery — Collects the list of Azure SQL Server Instances from target endpoints and populates the necessary instance connection information @@ -21,7 +21,7 @@ Navigate to the **Databases** > **0.Collection** > **AzureSQL** > **0-AzureSQL_I **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/instancediscanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/instancediscanalysis.webp) The default analysis tasks is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/1-azuresql_permissionscan.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/1-azuresql_permissionscan.md index fe01d4efd1..4abdd93875 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/1-azuresql_permissionscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/1-azuresql_permissionscan.md 
@@ -7,7 +7,7 @@ permissions from all the targeted instances. The 1–AzureSQL_PermissionsScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/permissionjob.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/permissionjob.webp) - PermissionScan — Collects permissions from the targeted instances @@ -27,10 +27,10 @@ Properties. The Query Properties window appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for this job. -![Filters](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/1sqlpermissionscanfilterpage.webp) +![Filters](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/1sqlpermissionscanfilterpage.webp) **Step 4 –** To query for specific databases/instances, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. The default query target +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. The default query target is All databases. The default query scope is Only select database objects and click Retrieve. The Available database objects will be populated. Databases and instances can be added in the following ways: 
@@ -39,7 +39,7 @@ ways: - Use the Import CSV button to import a list from a CSV file, if desired. - Optionally, use the Add Custom Filter button to create and apply a custom filter. -![Managed Connection Window](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/managedconnections.webp) +![Managed Connection Window](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/managedconnections.webp) **Step 5 –** To view all managed connections discovered during the 1-AzureSQL_PermissionScan Job run, click Connections within the Filter page. This screen will list the following items retrieved @@ -64,7 +64,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/jobanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/jobanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/2-azuresql_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/2-azuresql_sensitivedatascan.md index 6cfbe85132..dbd1b2de39 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/2-azuresql_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/2-azuresql_sensitivedatascan.md 
@@ -7,7 +7,7 @@ instances and databases based on pre-defined or user-defined search criteria. The 2–AzureSQL_SensitiveDataScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascanjob.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascanjob.webp) - Sensitive Data Scan — Collects sensitive data from targeted instances @@ -19,7 +19,7 @@ Navigate to the **Databases** > **0.Collection** > **AzureSQL** > **2–AzureSQL **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascananalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascananalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/3-azuresql_activityscan.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/3-azuresql_activityscan.md index e07ecf8188..c45961ebb7 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/3-azuresql_activityscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/3-azuresql_activityscan.md @@ -7,7 +7,7 @@ databases. The 3–AzureSQL_ActivityScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/activityscanjob.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/activityscanjob.webp) - Activity — Collects activity events for Azure SQL 
@@ -19,7 +19,7 @@ Navigate to the **Databases** > **0.Collection** > **Azure SQL** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![3-AzureSQL_ActivityScan Job - Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/activityscanjobanalysis.webp) +![3-AzureSQL_ActivityScan Job - Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/activityscanjobanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/4-azuresql_serversettings.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/4-azuresql_serversettings.md index 30e39eae40..c2b280c064 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/4-azuresql_serversettings.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/4-azuresql_serversettings.md @@ -7,7 +7,7 @@ configuration settings so they can be evaluated against recommended best practic The 4–AzureSQL_ServerSettings Job uses the SQL Data Collector for the following query: -![0.Collection_4–AzureSQL_ServerSettings Job - Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/serversettings.webp) +![0.Collection_4–AzureSQL_ServerSettings Job - Query Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/serversettings.webp) - Database Sizing— Returns details on database sizing - Server Details — Collects Azure SQL Server properties 
@@ -25,7 +25,7 @@ task. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/serversettingsanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/serversettingsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/overview.md index a4b7b03a0e..741f369a22 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/overview.md 
@@ -4,21 +4,21 @@ The 0.Collection Job Group, located at **Databases** > **0.Collection** > **Azur high–level summary information from targeted Azure SQL Instances. This information is used by other jobs in the Azure SQL solution further analysis and for producing respective reports. -![0.Collection Job Group - Azure SQL](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/collectionjobmenu.webp) +![0.Collection Job Group - Azure SQL](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/collectionjobmenu.webp) The jobs in 0.Collection Jobs Group are: - 0-AzureSQL_InstanceDiscovery Job — Enumerates a list of Azure SQL Server Instances from target endpoints and populates the necessary instance connection information which is used throughout the solution set -- [1-AzureSQL_PermissionScan Job](1-azuresql_permissionscan.md) — Collects Azure SQL database level +- [1-AzureSQL_PermissionScan Job](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/1-azuresql_permissionscan.md) — Collects Azure SQL database level permissions from all targeted Azure SQL database servers -- [2-AzureSQL_SensitiveDataScan Job](2-azuresql_sensitivedatascan.md) — Discovers sensitive data in +- [2-AzureSQL_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/2-azuresql_sensitivedatascan.md) — Discovers sensitive data in Azure SQL databases across all targeted Azure SQL database servers based on pre-defined or user-defined search criteria -- [3-AzureSQL_ActivityScan Job](3-azuresql_activityscan.md) — Captures user activity from all +- [3-AzureSQL_ActivityScan Job](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/3-azuresql_activityscan.md) — Captures user activity from all targeted Azure SQL instances and databases -- [4-AzureSQL_ServerSettings Job](4-azuresql_serversettings.md) — Collects Azure SQL instances and +- [4-AzureSQL_ServerSettings 
Job](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/4-azuresql_serversettings.md) — Collects Azure SQL instances and database configuration settings to evaluate them against recommended best practices Workflow diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_configuration.md index cc7556aeec..4c7b8a99b1 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_configuration.md @@ -7,7 +7,7 @@ respective reports. The 3-Db2_Configuration Job uses the SQL Data Collector for queries. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/configurationquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/configurationquery.webp) The query is: @@ -22,4 +22,4 @@ changes be made to the 0.Collection jobs before they run. It is also recommended that the connection only be established for the 1-Db2 SensitiveDataScan Job. Once the connection is established, it applies to all jobs in the 0.Collection job group. It does not apply to any other job groups. For additional information on establishing a database connection, -see [1-Db2_SensitiveDataScan](db2_sensitivedatascan.md). +see [1-Db2_SensitiveDataScan](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md). diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_permissionscan.md b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_permissionscan.md index 01657f0bb7..0821127b51 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_permissionscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_permissionscan.md 
@@ -8,7 +8,7 @@ The 2-Db2_PermissionScan Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscanquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscanquery.webp) The query is: @@ -23,7 +23,7 @@ changes be made to the 0.Collection jobs before they run. It is also recommended that the connection only be established for the 1-Db2 SensitiveDataScan Job. Once the connection is established, it applies to all jobs in the 0.Collection job group. It does not apply to any other job groups. For additional information on establishing a database connection, -see [1-Db2_SensitiveDataScan](db2_sensitivedatascan.md). +see [1-Db2_SensitiveDataScan](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md). ## Analysis Tasks for the 2-Db2_PermissionScan Job @@ -33,7 +33,7 @@ Navigate to the **Databases** > **0.Collection** > **Db2** > **2-Db2_PermissionS **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscananalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscananalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md index 119bc9715e..eec111faec 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md 
@@ -7,7 +7,7 @@ based on pre-defined or user-defined criteria. The 1-Db2 Sensitive Data Job uses the SQL Data Collector for the following queries. -![sensitivedatascanquery](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatascanquery.webp) +![sensitivedatascanquery](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatascanquery.webp) The query is: @@ -28,14 +28,14 @@ Properties. The Query Properties window appears. **Step 3 –** Select the Data Source tab, and click Configure. The SQL Data Collector Wizard opens with Sensitive Data Collection category selected. -![Category page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatacategory.webp) +![Category page](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatacategory.webp) **Step 4 –** Click **Next**. The Sensitive Data Scan Settings view appears. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatajoboptions.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatajoboptions.webp) **Step 5 –** To modify sensitive data scan options, select the desired scan options. See the -[SQL: Options](../../../../admin/datacollector/sql/options.md) page for additional information. +[SQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md) page for additional information. **CAUTION:** The Sensitive Data Scan Settings are preconfigured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan 
@@ -43,26 +43,26 @@ may significantly increase scan time. **Step 6 –** Click **Next**. The Select Criteria view appears. -![Select Criteria](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatacriteria.webp) +![Select Criteria](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatacriteria.webp) **Step 7 –** To modify criteria, click on **Use the following selected criteria:** and select your choices. By default, the Sensitive Data Scan job is set to **Use Global Criteria**. **NOTE:** For more information on adding or deleting criteria, navigate to the -[SQL: Criteria](../../../../admin/datacollector/sql/criteria.md) page or See the -[Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) +[SQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md) page or See the +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **Step 8 –** Click **Next**. The Filters view appears. -![Filters](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatafilter.webp) +![Filters](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedatafilter.webp) **Step 9 –** Click **Connections** to open the Manage Connections window. **NOTE:** SQL databases must be added to the query before they can be scanned. Before you can add a query, you must establish a connection to the database. -![Manage Connections](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedataconnection.webp) +![Manage Connections](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/sensitivedataconnection.webp) **Step 10 –** In the Manage Connections window, enter the following information: 
@@ -81,7 +81,7 @@ the new connection. Once validated, click **Create New Connection** to finalize objects**. Collection queries are configured by default to target Only select database objects. **NOTE:** For more information on filtering, see the -[SQL: Filter](../../../../admin/datacollector/sql/filter.md) page. +[SQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md) page. **Step 13 –** Click Retrieve. The Available database objects box will populate. @@ -108,7 +108,7 @@ Navigate to the **Databases** > **0.Collection** > **Db2** > **1-Db2_SensitiveDa **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascananalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/sensitivedatascananalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/overview.md index 7c7d55a476..67faab8c2c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/collection/overview.md 
@@ -4,14 +4,14 @@ The Db2 Solution Set Collection Group collects high level summary information fr Database Servers. Other jobs in the Db2 Solution Set use this information for further analysis and for producing respective reports. -![jobstree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![jobstree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 0.Collection Job Group are: -- [1-Db2_SensitiveDataScan](db2_sensitivedatascan.md) — Discovers sensitive data in the Db2 +- [1-Db2_SensitiveDataScan](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_sensitivedatascan.md) — Discovers sensitive data in the Db2 databases across all the targeted Db2 database servers based on pre-defined or user-defined search criteria -- [2-Db2_PermissionScan Job](db2_permissionscan.md) — Collects Db2 database level permissions from +- [2-Db2_PermissionScan Job](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_permissionscan.md) — Collects Db2 database level permissions from all the targeted Db2 database servers -- [3-Db2_Configuration Job](db2_configuration.md)— Collects Db2 database configuration settings for +- [3-Db2_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/db2_configuration.md)— Collects Db2 database configuration settings for use in the following analysis jobs and respective reports diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/db2_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/db2/db2_databasesizing.md index d84877e26e..8c27bf20cc 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/db2_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/db2_databasesizing.md 
@@ -2,7 +2,7 @@ The Db2_DatabaseSizing job provides details on overall database sizes. -![Configuration > Db2_DatabaseSizing Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/configurationjobstree.webp) +![Configuration > Db2_DatabaseSizing Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/configurationjobstree.webp) This job is located in the Configuration job group. @@ -14,7 +14,7 @@ Navigate to the **Jobs** > **Databases** > **Db2** > **Configuration** > **Db2_ **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Db2_DatabaseSizing Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/databasesizinganalysis.webp) +![Analysis Tasks for the Db2_DatabaseSizing Job](/img/product_docs/accessanalyzer/solutions/databases/db2/databasesizinganalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md b/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md index 826f1039d4..bc71853c45 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md @@ -11,7 +11,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target Db2 Requirements, Permissions, and Ports](../../../requirements/target/databasedb2.md) topic +[Target Db2 Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasedb2.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -45,19 +45,19 @@ The Access Analyzer Db2 Solution is a comprehensive set of preconfigured audit j provide visibility into various aspects of a Db2 Databases: Sensitive Data Discovery and Objects Permissions. -![Db2 Overview](../../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Db2 Overview](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) The following comprises the Db2 solution: -- [0.Collection Job Group](collection/overview.md) — Collects high level summary information from +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/db2/collection/overview.md) — Collects high level summary information from targeted Db2 Servers. This information is used by other jobs in the Db2 Solution Set for further analysis and producing respective report. -- [Configuration > Db2_DatabaseSizing Job](db2_databasesizing.md) — Provides insight into Db2 server +- [Configuration > Db2_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/db2/db2_databasesizing.md) — Provides insight into Db2 server configuration settings -- [Permissions Job Group](permissions/overview.md)— Provides insight into all types of permissions +- [Permissions Job Group](/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/overview.md)— Provides insight into all types of permissions at the database and object level across all the targeted Db2 database servers -- [Sensitive Data Job Group](sensitivedata/overview.md) — Provides insight into where sensitive data +- [Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/overview.md) — Provides insight into where sensitive data exists and who has access to it across all the targeted Db2 databases 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_directpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_directpermissions.md index 015efa0f90..0ab3227187 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_directpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_directpermissions.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **Databases** > **Db2** > **Permissions** > **Db2_Dir **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Db2_DirectPermissions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/directpermissionsanalysis.webp) +![Analysis Tasks for the Db2_DirectPermissions Job](/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/directpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_effectivepermissions.md b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_effectivepermissions.md index 8db5d12e9b..9b743ecf76 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_effectivepermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_effectivepermissions.md @@ -12,7 +12,7 @@ Tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Db2 _EffectivePermissions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/effectivepermissionsanalysis.webp) +![Analysis Tasks for the Db2 _EffectivePermissions Job](/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/effectivepermissionsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/overview.md b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/overview.md index 9d516a9577..2d43d3dfc9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/overview.md @@ -3,11 +3,11 @@ This job group provides insight into all types of permissions at the database and object level across all the targeted Db2 database servers. -![Permissions Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/permissionsjobstree.webp) +![Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/permissions/permissionsjobstree.webp) The jobs in the Permission job group are: -- [Db2_DirectPermissions Job](db2_directpermissions.md) – Provides insight into direct user and role +- [Db2_DirectPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_directpermissions.md) – Provides insight into direct user and role permissions to all the database objects in the targeted Db2 database servers -- [Db2_EffectivePermissions Job](db2_effectivepermissions.md) – Provides insight into effective user +- [Db2_EffectivePermissions Job](/docs/accessanalyzer/12.0/solutions/databases/db2/permissions/db2_effectivepermissions.md) – Provides insight into effective user and role permissions to all the database objects in the targeted Db2 database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/db2/recommended.md index 35a8b238b1..42254b63a2 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/recommended.md 
@@ -38,7 +38,7 @@ The SQL Data Collector requires a specific set of permissions. See the Permissio necessary permissions. The account used can be either an Active Directory account or a SQL account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[SQL Custom Connection Profile & Default Dynamic Host List](../../../admin/datacollector/sql/configurejob.md) +[SQL Custom Connection Profile & Default Dynamic Host List](/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md) topic for additional information. The Connection Profile should be assigned under the Databases > 0.Collection > Db2 > Settings > @@ -47,7 +47,7 @@ However, since this may not be the Connection Profile with the necessary permiss assigned hosts, click the radio button for the Select one of the following user defined profiles option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedata.md index 87ad34801b..602b38be15 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedata.md 
@@ -11,7 +11,7 @@ Navigate to the **Jobs** > **Databases** > **Db2** > **Sensitive Data** > **Db2_ **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Db2 _SensitiveData Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) +![Analysis Tasks for the Db2 _SensitiveData Job](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedatapermissions.md index 894fc9d5f4..19d1c1d686 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedatapermissions.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Db2_SensitiveDataPermissions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatapermissionsanalysis.webp) +![Analysis Tasks for the Db2_SensitiveDataPermissions Job](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatapermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/overview.md index eefe1c8bb1..1ee546a30b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/overview.md 
@@ -3,12 +3,12 @@ This job group provides insight into where sensitive data exists and who has access to it across all the targeted Db2 database servers. -![Sensitive Data Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) +![Sensitive Data Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) The jobs in the Sensitive Data job group are: -- [Db2_SensitiveData Job](db2_sensitivedata.md) – Provides information on all the sensitive data +- [Db2_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedata.md) – Provides information on all the sensitive data that was discovered in the targeted Db2 database servers based on the selection scan criteria -- [Db2_SensitiveDataPermissions Job](db2_sensitivedatapermissions.md) – Provides all types of +- [Db2_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/db2/sensitivedata/db2_sensitivedatapermissions.md) – Provides all types of permissions on database objects containing sensitive data across all the targeted Db2 database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_configuration.md index 4079fce6c4..49567a6d60 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_configuration.md 
@@ -9,7 +9,7 @@ The MongoDB_Configuration Job uses the NoSQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection - Mongo DB](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/configurationjob.webp) +![Query Selection - Mongo DB](/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/configurationjob.webp) The query is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_sensitivedatascan.md index d3aece918e..1381a65e29 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_sensitivedatascan.md @@ -7,7 +7,7 @@ on pre-defined or user-defined search criteria. The MongoDB_SensitiveDataScan Job uses the NOSQL Data Collector for queries. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/sensitivedatascan_job.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/sensitivedatascan_job.webp) The query is: 
@@ -33,36 +33,36 @@ The Query Properties window opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -**Step 4 –** Navigate to the [NoSQL: Options](../../../../admin/datacollector/nosql/options.md) +**Step 4 –** Navigate to the [NoSQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/nosql/options.md) page. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 5 –** Select the desired scan options. -**Step 6 –** Navigate to the [NoSQL: Criteria](../../../../admin/datacollector/nosql/criteria.md) +**Step 6 –** Navigate to the [NoSQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md) page. -![Criteria Page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![Criteria Page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 7 –** To modify criteria, navigate to the -[NoSQL: Criteria](../../../../admin/datacollector/nosql/criteria.md) page. By default, the Sensitive +[NoSQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/nosql/criteria.md) page. By default, the Sensitive Data Scan job is configured to scan for criteria configured in the Global Criteria settings. See the -[Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **NOTE:** The Sensitive Data Scan Settings are pre-configured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan may significantly increase scan time. 
-**Step 8 –** Navigate to the [NoSQL: Filter](../../../../admin/datacollector/nosql/filter.md) page. +**Step 8 –** Navigate to the [NoSQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md) page. -![Database Selection Settings](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) +![Database Selection Settings](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/filter.webp) **Step 9 –** MongoDB databases must be added to the query before they can be scanned. Click **Connections** to open the Manage Connections window. -![Manage Connections window](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) +![Manage Connections window](/img/product_docs/accessanalyzer/admin/datacollector/nosql/manageconnections.webp) **Step 10 –** In the Manage Connections window, click **Create New** and add the following information: @@ -89,7 +89,7 @@ collections. **Step 14 –** (Optional) Right click on an object in the list to include or exclude it from the sensitive data scan, or build /edit a pattern to create a custom filter. See the -[NoSQL: Filter](../../../../admin/datacollector/nosql/filter.md) topic for additional information. +[NoSQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/nosql/filter.md) topic for additional information. **Step 15 –** Click **Validate** and then **Save** to apply the scoping. Navigating away from this page without saving will undo any changes made. 
@@ -107,7 +107,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/analysissensitivedatascan.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/analysissensitivedatascan.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/overview.md index 9ea3341724..51d9cf9240 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/overview.md 
@@ -4,11 +4,11 @@ The MongoDB Solution Collection group is designed to collect high level summary targeted MongoDB Servers.  This information is used by other jobs in the MongoDB Solution Set for further analysis and producing respective reports. -![0](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/0.collecitonjobgroup.webp) +![0](/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/0.collecitonjobgroup.webp) The jobs in the 0.Collection Job Group are: -- [MongoDB_Configuration Job](mongodb_configuration.md) — Collects MongoDB server instance and +- [MongoDB_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_configuration.md) — Collects MongoDB server instance and database configuration settings for use in the following analysis jobs and respective reports. -- [MongoDB_SensitiveDataScan Job](mongodb_sensitivedatascan.md) — Discovers sensitive data in +- [MongoDB_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/mongodb_sensitivedatascan.md) — Discovers sensitive data in MongoDB databases based on pre-defined or user-defined search criteria diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_databasesizing.md index caf9ad40b6..f6ab4c0fc5 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_databasesizing.md 
@@ -6,7 +6,7 @@ node and select Analysis to view the Analysis Tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/databasesizingjobanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mongodb/databasesizingjobanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_sensitivedata.md index fc49a5cd4e..f8545c6824 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_sensitivedata.md @@ -3,7 +3,7 @@ The Sensitive Data Job Group is designed to provide insight into where sensitive data exists and who has access to it across all the targeted MongoDB databases. -![Sensitive Data Job Group](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) +![Sensitive Data Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) The job in the Sensitive Data Job Group is: @@ -18,7 +18,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/analysismongodbsensitivedatajob.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mongodb/analysismongodbsensitivedatajob.webp) The default analysis tasks are: 
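Review bot: In mongodb_sensitivedata.md, the Sensitive Data Job Group image in the @@ -3,7 hunk is rewritten to `/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp`, so the MongoDB page keeps showing a screenshot stored under the PostgreSQL solution. If the image is shared on purpose, say so in the PR description; otherwise add a MongoDB copy next to `analysismongodbsensitivedatajob.webp` and link that instead.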
diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md index d1a33fbbd6..86ee12246b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md @@ -30,7 +30,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target MongoDB Requirements, Permissions, and Ports](../../../requirements/target/databasemongodb.md) +[Target MongoDB Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md) topic for additional information. Sensitive Data Discovery Considerations 
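Review bot: The new target `/docs/accessanalyzer/12.0/requirements/target/databasemongodb.md` in this hunk pins the link to the 12.0 tree, whereas the old `../../../requirements/target/databasemongodb.md` resolved relative to whichever version directory the file sat in. If this file is copied into another version directory, the link will still open the 12.0 topic. Please note in the PR description how versioned copies are meant to be handled, or keep links that stay inside one version relative.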
@@ -66,14 +66,14 @@ sensitive data. The Access Analyzer MongoDB Solution Set is a set of pre-configured jobs and reports that provides visibility into MongoDB Sensitive Data. -![MongoDB Overview](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/mongdbjobgroupoverview.webp) +![MongoDB Overview](/img/product_docs/accessanalyzer/solutions/databases/mongodb/mongdbjobgroupoverview.webp) The following job groups comprise the MongoDB Solution: -- [ 0.Collection Job Group](collection/overview.md) — Collects high level summary information from +- [ 0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/mongodb/collection/overview.md) — Collects high level summary information from targeted MongoDB Servers. This information is used by other jobs in the MongoDB Solution Set for further analysis and producing respective reports. -- [Analysis Tasks for the MongoDB_Database_Sizing Job](mongodb_databasesizing.md) — Provides insight +- [Analysis Tasks for the MongoDB_Database_Sizing Job](/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_databasesizing.md) — Provides insight into MongoDB server configuration settings -- [Sensitive Data > MongoDB_SensitiveData Job](mongodb_sensitivedata.md) — Provides insight into +- [Sensitive Data > MongoDB_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/mongodb/mongodb_sensitivedata.md) — Provides insight into where sensitive data exists and who has access to it across all the targeted MongoDB databases diff --git a/docs/accessanalyzer/12.0/solutions/databases/mongodb/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/mongodb/recommended.md index 4ea145e0f0..3308f0426c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mongodb/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mongodb/recommended.md 
@@ -23,7 +23,7 @@ The NoSQL Data Collector requires a specific set of permission. See the Permissi necessary permissions. The account used can be either an Active Directory account or a SQL account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[NoSQL Custom Connection Profile & Host List](../../../admin/datacollector/nosql/configurejob.md) +[NoSQL Custom Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md) topic for additional information. The Connection Profile should be assigned under the MongoDB > 0.Collection > Settings > Connection @@ -32,7 +32,7 @@ since this may not be the Connection Profile with the necessary permissions for click the radio button for the Select one of the following user defined profiles option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency 
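Review bot: The hunk header context for @@ -23,7 in mongodb/recommended.md reads "requires a specific set of permission", while the MySQL counterpart in this patch says "permissions"; worth fixing in the same pass. The rewritten `See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional` line in @@ -32,7 is also now longer than the wrapped lines around it and should be rewrapped.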
@@ -53,12 +53,12 @@ Workflow 1. Set a Connection Profile for the 0.Collection Job Group with the permissions listed in the Recommended Configurations section. See the - [NoSQL Custom Connection Profile & Host List](../../../admin/datacollector/nosql/configurejob.md) + [NoSQL Custom Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md) topic for additional information. 2. Set the Host list for the 0.Collection Job Group with the servers containing the target databases. Additionally, the database clusters / instances must be added to the Filter page in the query configuration. See the - [NoSQL Custom Connection Profile & Host List](../../../admin/datacollector/nosql/configurejob.md) + [NoSQL Custom Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/nosql/configurejob.md) topic for additional information. 3. (Optional) Configure the queries for the jobs in the 0.Collection Job Group 4. Schedule the 0.Collection Job Group to run daily or as desired diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_configuration.md index bc20a09f68..e0f9042285 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_configuration.md @@ -9,7 +9,7 @@ The MySQL_Configuration Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/configurationjob.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/configurationjob.webp) The query is: 
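Review bot: In mysql_configuration.md, the Query Selection image for the MySQL_Configuration Job is rewritten to `/img/product_docs/accessanalyzer/solutions/databases/mongodb/collection/configurationjob.webp`, a path under the MongoDB solution. Check that the screenshot actually shows the MySQL query; if not, add one under `solutions/databases/mysql/collection/`, where the other MySQL job screenshots in this patch are stored.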
diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_sensitivedatascan.md index 6c5417fe2a..5b17c3618c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_sensitivedatascan.md @@ -7,7 +7,7 @@ pre-defined or user-defined search criteria. The MySQL_SensitiveDataScan Job uses the SQL Data Collector for queries. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatascan.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatascan.webp) The query is: 
@@ -31,29 +31,29 @@ Properties. The Query Properties window appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for this job. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_optionspage.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_optionspage.webp) **Step 4 –** To modify sensitive data scan options, select the desired scan options. See the -[SQL: Options](../../../../admin/datacollector/sql/options.md) page for additional information. +[SQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md) page for additional information. **NOTE:** The Sensitive Data Scan Settings are pre-configured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan may significantly increase scan time. -![DLP Criteria for Scan](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_criteriapage.webp) +![DLP Criteria for Scan](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_criteriapage.webp) **Step 5 –** To modify criteria, navigate to the -[SQL: Criteria](../../../../admin/datacollector/sql/criteria.md) page. By default, the Sensitive +[SQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md) page. By default, the Sensitive Data Scan job is configured to scan for criteria configured in the Global Criteria settings. See the -[Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. 
-![Filters Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_filterspage.webp) +![Filters Page](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/sensitivedatscan_filterspage.webp) **Step 6 –** MySQL databases must be added to the query before they can be scanned. Navigate to the **Filter** page and click **Connections** to open the Manage Connections window. -![Manage Connections](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/manageconnectionsmysql.webp) +![Manage Connections](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/manageconnectionsmysql.webp) **Step 7 –** In the Manage Connections window, click **New Connection** and add the following information: @@ -87,7 +87,7 @@ Navigate to the **Databases** > **0.Collection** > **MySQL** > **MySQL_Sensitive **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/analysismysqlsensitivedatascan.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/analysismysqlsensitivedatascan.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_tableprivileges.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_tableprivileges.md index a41181e423..9ec7851047 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_tableprivileges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_tableprivileges.md 
@@ -9,7 +9,7 @@ The MySQL_TablePrivileges Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/querytableprivileges.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/querytableprivileges.webp) The query is: @@ -23,7 +23,7 @@ Navigate to the **Databases** > **0.Collection** > **MySQL** > **MySQL_TablePriv **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/analysistableprivileges.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/collection/analysistableprivileges.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/overview.md index 456b514088..1aa39cb434 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/overview.md 
@@ -4,22 +4,22 @@ The MySQL Solution Collection group is designed to collect high level summary in targeted MySQL Servers. This information is used by other jobs in the MySQL Solution Set for further analysis and producing respective reports. -![0.Collection Job Group for MySQL](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/0.collectionjobgroup.webp) +![0.Collection Job Group for MySQL](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/0.collectionjobgroup.webp) The jobs in the 0.Collection Job Group are: -- [MySQL_Configuration Job](mysql_configuration.md) – Designed to collect MySQL server instance and +- [MySQL_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_configuration.md) – Designed to collect MySQL server instance and database configuration settings for use in the following analysis jobs and respective reports -- [MySQL_SensitiveDataScan Job](mysql_sensitivedatascan.md) – Designed to discover sensitive data in +- [MySQL_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_sensitivedatascan.md) – Designed to discover sensitive data in MySQL databases based on pre-defined or user-defined search criteria -- [MySQL_TablePrivileges Job](mysql_tableprivileges.md) – Designed to collect MySQL table privileges +- [MySQL_TablePrivileges Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/mysql_tableprivileges.md) – Designed to collect MySQL table privileges from all the targeted servers. Workflow 1. Set a Connection Profile for the 0.Collection Job Group with the permissions listed in the Recommended Configurations section. See the - [Connection](../../../../admin/settings/connection/overview.md) topic for additional information. + [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. 2. 
For Sensitive Data Discovery Auditing – Ensure the Sensitive Data Discovery Add-On is installed on the StealthAUDIT Console server. 3. Schedule the solution to run daily or as desired. diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/mysql_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/mysql_databasesizing.md index 23f3ad37a4..eff7e8da00 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/mysql_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/mysql_databasesizing.md @@ -2,7 +2,7 @@ The Configuration Job Group is designed to provide insight into MySQL server configuration settings. -![Configuration Job Group](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) +![Configuration Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) The job in the Configuration Job Group is: @@ -16,7 +16,7 @@ and select Analysis to view the Analysis Tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/analysismysqldatabasesizing.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/analysismysqldatabasesizing.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md index 68be982e19..167fb0029c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md 
@@ -37,7 +37,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target MySQL Requirements, Permissions, and Ports](../../../requirements/target/databasemysql.md) +[Target MySQL Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasemysql.md) topic for additional information. Sensitive Data Discovery Considerations @@ -70,14 +70,14 @@ sensitive data. The Access Analyzer MySQL Solution Set is a set of pre-configured audit jobs and reports that provides visibility into MySQL Sensitive Data. -![MySQL Job Group Overview](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/mysqljobgroupoverview.webp) +![MySQL Job Group Overview](/img/product_docs/accessanalyzer/solutions/databases/mysql/mysqljobgroupoverview.webp) The job groups in the MySQL Solution are: -- [0.Collection Job Group](collection/overview.md) – Designed to collect high level summary +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/mysql/collection/overview.md) – Designed to collect high level summary information from targeted MySQL Servers. This information is used by other jobs in the MySQL Solution Set for further analysis and producing respective reports. -- [Configuration > MySQL_DatabaseSizing Job](mysql_databasesizing.md) – Designed to provide insight +- [Configuration > MySQL_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/mysql_databasesizing.md) – Designed to provide insight into MySQL server configuration settings -- [MySQL_SensitiveData Job](sensitivedata/mysql_sensitivedata.md) – Designed to provide insight into +- [MySQL_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md) – Designed to provide insight into where sensitive data exists and who has access to it across all the targeted MySQL databases. 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/recommended.md index bc8dd49819..1b018703ed 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/recommended.md @@ -22,7 +22,7 @@ Connection Profile The SQL Data Collector requires a specific set of permissions. For the MySQL Solution, the credentials configured in the Connection Profile must be able to access the MySQL Database. See the -[Connection](../../../admin/settings/connection/overview.md) topic for additional information on +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on permissions and creating a SQL custom connection profile. The Connection Profile is set to Use the Default Profile, as configured at the global settings diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md index 268ff48dc5..acac7c4f50 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md @@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/sensitivedata/analysismysqlsensitivedata.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/sensitivedata/analysismysqlsensitivedata.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedatapermissions.md index 6f5115b333..4b7463cd44 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedatapermissions.md @@ -12,7 +12,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/mysql/sensitivedata/analysismysqlsensitivedatapermission.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/mysql/sensitivedata/analysismysqlsensitivedatapermission.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/overview.md index 18bc75fb13..1adeb2d5b5 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/overview.md 
@@ -3,13 +3,13 @@ The Sensitive Data Job Group is designed to provide insight into where sensitive data exists and who has access to it across all the targeted MySQL databases. -![Sensitive Data Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) +![Sensitive Data Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) The job in the Sensitive Data Job Group is: -- [MySQL_SensitiveData Job](mysql_sensitivedata.md) - Designed to provide information on all the +- [MySQL_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedata.md) - Designed to provide information on all the sensitive data that was discovered in the targeted MySQL servers based on the selected scan criteria -- [MySQL_SensitiveDataPermissions Job](mysql_sensitivedatapermissions.md) - Designed to provide +- [MySQL_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/mysql/sensitivedata/mysql_sensitivedatapermissions.md) - Designed to provide information on all types of permissions on database objects containing sensitive data across all the targeted MySQL servers based on the selected scan criteria. diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_activity.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_activity.md index b4ab7d8267..bc776445b4 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_activity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_activity.md 
@@ -11,7 +11,7 @@ Navigate to the **Oracle** > **2.Activity** > **Oracle_Activity** > **Configure* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup26.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup26.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_logons.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_logons.md index 626d5b424e..d5583b846f 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_logons.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_logons.md @@ -11,7 +11,7 @@ Navigate to the **Oracle** > **2.Activity** > **Oracle_Logons** > **Configure** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup27.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup27.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_permissionchanges.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_permissionchanges.md index c155a078d7..da97e9ce8d 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_permissionchanges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_permissionchanges.md 
@@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup28.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup28.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_schemachanges.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_schemachanges.md index b2483c11b5..61c1edb7f7 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_schemachanges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_schemachanges.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup29.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup29.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_sensitivedataactivity.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_sensitivedataactivity.md index e6d12957b5..54a3661cb4 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_sensitivedataactivity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_sensitivedataactivity.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup30.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup30.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_suspiciousactivity.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_suspiciousactivity.md index 2e204a71f8..efdc9727ce 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_suspiciousactivity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_suspiciousactivity.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup31.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup31.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_unusualactivity.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_unusualactivity.md index 2cf886d8ed..854341d96e 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_unusualactivity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_unusualactivity.md 
@@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup32.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup32.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/overview.md index 4e24f4be37..25a273576a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/overview.md 
@@ -4,27 +4,27 @@ The 2.Activity Job Group is designed to provide insight into user login activity changes, unusual database activity, SQL activity against sensitive data, and SQL activity against selective or all database objects. -![Activity Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup25.webp) +![Activity Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/activity/jobgroup25.webp) The jobs in the 2.Activity Job Group are: -- [Oracle_Activity Job](oracle_activity.md) – This job is designed to provide insight into user +- [Oracle_Activity Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_activity.md) – This job is designed to provide insight into user activity in target Oracle database server instances and databases in each instance based on the Oracle Unified Audit settings -- [Oracle_Logons Job](oracle_logons.md) – This job group is designed to provide insight into failed +- [Oracle_Logons Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_logons.md) – This job group is designed to provide insight into failed and successful Oracle database login activity across all the targeted Oracle database servers -- [Oracle_PermissionChanges Job](oracle_permissionchanges.md) – This job is designed to provide +- [Oracle_PermissionChanges Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_permissionchanges.md) – This job is designed to provide detailed information about the changes in permissions across all the database objects. Audited activities include granting, altering, and revoking permissions on database objects. 
-- [Oracle_SchemaChanges Job](oracle_schemachanges.md) – This job is designed to provide detailed +- [Oracle_SchemaChanges Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_schemachanges.md) – This job is designed to provide detailed information about the changes in permissions across all the database objects. Audited activities include granting, altering, and revoking permissions on database objects. -- [Oracle_SensitiveDataActivity Job](oracle_sensitivedataactivity.md) – This job is designed to +- [Oracle_SensitiveDataActivity Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_sensitivedataactivity.md) – This job is designed to provide detailed information about all the DML (UPDATE, INSERT, DELETE, TRUNCATE) against objects containing sensitive data -- [Oracle_SuspiciousActivity Job](oracle_suspiciousactivity.md) – This job is designed to provide +- [Oracle_SuspiciousActivity Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_suspiciousactivity.md) – This job is designed to provide insight into suspicious behavior based on user activity that does not conform to normal database activity -- [Oracle_UnusualActivity Job](oracle_unusualactivity.md) – This job is designed to analyze user +- [Oracle_UnusualActivity Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/oracle_unusualactivity.md) – This job is designed to analyze user activity based on the audited actions and identify any outliers based on a modified z-score. Modified z-scores of 3.5 or higher are considered to be possible outliers. diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md index 7232d43511..7bb6ac8b57 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md 
@@ -9,7 +9,7 @@ The Server Discovery query uses the PowerShell Data Collector for the following **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup3.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup3.webp) - Oracle Servers – Returns a list of Oracle servers from the specified host list @@ -17,7 +17,7 @@ Regarding Oracle instance discovery, there may be errors running the query that additional log to store the issues has been added for instance discoveries named `Oracle_Server_log_[target_hostname]`. This file can be found in `%sainstalldir%\Jobs\GROUP_ORACLE_0.Collection\GROUP_1.Discovery\JOB_Oracle_Servers\OUTPUT`. See the -[PowerShell Data Collector](../../../../admin/datacollector/powershell/overview.md) topic for +[PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) topic for additional information. ## Analysis Task for the Oracle_Servers Job @@ -28,7 +28,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup4.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup4.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/1-oracle_permissionsscan.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/1-oracle_permissionsscan.md index b42a88b2b4..33fd81adbf 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/1-oracle_permissionsscan.md 
+++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/1-oracle_permissionsscan.md @@ -7,7 +7,7 @@ targeted Oracle database servers. The PermissionsScan query uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup6.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup6.webp) - PermissionsScan – Collects permissions from targeted instances @@ -28,7 +28,7 @@ Properties. The Query Properties window opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/1oraclepermissionscanjobqueryfilter.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/1oraclepermissionscanjobqueryfilter.webp) **Step 4 –** To query for specific databases/instances, navigate to the Filter page. The default query target is All Databases. The default query scope is Only select database objects. Click @@ -52,7 +52,7 @@ Navigate to the **Databases** > **0.Collection** > **Oracle** > **1-Oracle_Permi **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup8.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup8.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/2-oracle_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/2-oracle_sensitivedatascan.md index 13e193690d..4582708230 100644 
--- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/2-oracle_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/2-oracle_sensitivedatascan.md @@ -2,14 +2,14 @@ The 2-Oracle_SensitiveDataScan job discovers sensitive data in Oracle databases across all targeted Oracle database servers based on pre-defined or user-defined search criteria. See the -[Sensitive Data Discovery](../../../../sensitivedatadiscovery/overview.md) topic for additional +[Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. ## Query for the 2-Oracle_SensitiveDataScan Job The SensitiveDataScan Query uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup9.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup9.webp) - SensitiveDataScan – Collects Sensitive Data from targeted instances 
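Review bot: the rewritten link in the @@ -2,14 hunk, `[Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md)`, now carries the `12.0` version segment that the relative form `../../../../sensitivedatadiscovery/overview.md` did not. If this tree is later copied to create the next version's docs, the link will keep resolving into 12.0 until every absolute path is rewritten again. Either keep links within a version relative, or document the rewrite step that a version bump requires. The new `+` line is also longer than the wrapped lines around it; re-wrap the trailing words onto the next line.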
@@ -31,17 +31,17 @@ opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/optionspage.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/optionspage.webp) **Step 4 –** Navigate to the Options page. Enable or disable configuration options as needed. Click **Next** to continue. -![Criteria Page of the SQL Data Collector Wizard](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/criteriapage.webp) +![Criteria Page of the SQL Data Collector Wizard](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/criteriapage.webp) **Step 5 –** Navigate to the Criteria page. Select or deselect criteria used to define sensitive data. Click **Next** to continue. -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/2oraclesensitivedatascanfilterpgae.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/2oraclesensitivedatascanfilterpgae.webp) **Step 6 –** To query for specific databases/instances, navigate to the Filter page. The default query target is **All Databases**. The default query scope is **Only select database objects**. @@ -65,7 +65,7 @@ Navigate to the **Databases** > **0.Collection** > **Oracle** > **2-Oracle_Sensi **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup13.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup13.webp) The default analysis tasks are: 
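Review bot: in the @@ -31,17 hunk the Filter Page image still points at `2oraclesensitivedatascanfilterpgae.webp` ("pgae"). The misspelling is carried over unchanged from the old path, so the reference works only while the file under `static/img` keeps the same misspelled name. Confirm the asset exists at the new path, and consider renaming the file and the reference together in a follow-up. The `/img/...` form also assumes the static directory is served from the site root, so a build with a non-root base path should be checked for broken images before merging.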
diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/3-oracle_activityscan.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/3-oracle_activityscan.md index 45aed7442d..f9cc0bf3ab 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/3-oracle_activityscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/3-oracle_activityscan.md @@ -14,7 +14,7 @@ Special Dependency The ActivityScan Query uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup14.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup14.webp) - ActivityScan – Collects activity from targeted instances @@ -35,12 +35,12 @@ Properties. The Query Properties window opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/optionspage.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/optionspage.webp) **Step 4 –** Navigate to the Options page. Enable or disable configuration options as needed. Click Next to continue. -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/3oracleactivityscanfilterpage.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/3oracleactivityscanfilterpage.webp) **Step 5 –** To query for specific databases/instances, navigate to the Filter page. The default query target is All Databases. The default query scope is Only select database objects. Click 
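Review bot: in the @@ -35,12 hunk the options-page image keeps the alt text "Sensitive Data Scan Settings" and the shared `optionspage.webp` asset, although this file documents the 3-Oracle_ActivityScan job. Since the line is being touched anyway, change the alt text to describe the ActivityScan options, and confirm the screenshot shows this job's Options page and not the one from 2-Oracle_SensitiveDataScan.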
@@ -64,7 +64,7 @@ Navigate to the **Databases** > **0.Collection** > **Oracle** > **3-Oracle_Activ **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup16.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup16.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/4-oracle_defaultpasswordusers.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/4-oracle_defaultpasswordusers.md index e8146a9a9e..04cc4eb9f3 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/4-oracle_defaultpasswordusers.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/4-oracle_defaultpasswordusers.md @@ -7,7 +7,7 @@ to use default passwords. The 4-Oracle_DefaultPasswordUsers Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup17.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/jobgroup17.webp) - Users with Default Passwords – Collects usernames of users whose passwords have not been updated since the database creation 
@@ -29,7 +29,7 @@ Query Properties. The Query Properties window opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -![Filters Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/4oracledefaultpasswordsfilterpage.webp) +![Filters Page](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/4oracledefaultpasswordsfilterpage.webp) **Step 4 –** To query for specific databases/instances, navigate to the Filter page. The default query target is All Databases. The default query scope is Only select database objects. Click diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/5-oracle_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/5-oracle_configuration.md index eb2673d1a2..718842afbb 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/5-oracle_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/5-oracle_configuration.md @@ -7,7 +7,7 @@ servers. The queries for the 5-Oracle_Configuration Job query uses the SQL Data Collector. -![5oracleconfigurationqueries](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/5oracleconfigurationqueries.webp) +![5oracleconfigurationqueries](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/5oracleconfigurationqueries.webp) The queries are: 
@@ -30,7 +30,7 @@ The Query Properties window opens. **CAUTION:** Do not make changes to wizard pages not listed in these steps. They have been pre-configured for this job. -![Filters page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/5oracleconfigjobqueryfilterpage.webp) +![Filters page](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/5oracleconfigjobqueryfilterpage.webp) **Step 4 –** To query for specific databases/instances, navigate to the Filter page. The default query target is All Databases. The default query scope is Only select database objects. Click diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md index fe05d63fbe..c80e07b87d 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md 
@@ -4,20 +4,20 @@ The Oracle Job Group is designed to collect a high level summary of information Oracle Database Servers. This information is used by other jobs in the Oracle Job Group for further analysis, and for producing reports. -![Oracle 0Collection Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/0collection.webp) +![Oracle 0Collection Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/collection/0collection.webp) The job groups in the 0.Collection Job Group are: -- [0-Oracle_Servers Job](0-oracle_servers.md) – This job is designed to enumerate and store the list +- [0-Oracle_Servers Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md) – This job is designed to enumerate and store the list of Oracle Database Instances running on the targeted servers -- [1-Oracle_PermissionsScan Job](1-oracle_permissionsscan.md) – This job is designed to collect +- [1-Oracle_PermissionsScan Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/1-oracle_permissionsscan.md) – This job is designed to collect Oracle database level permissions from all the targeted Oracle database servers -- [2-Oracle_SensitiveDataScan Job](2-oracle_sensitivedatascan.md) – This job is designed to discover +- [2-Oracle_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/2-oracle_sensitivedatascan.md) – This job is designed to discover sensitive data in the Oracle database across all the targeted Oracle database servers based on pre-defined or user-defined search criteria -- [3-Oracle_ActivityScan Job](3-oracle_activityscan.md) – This job is designed to capture user +- [3-Oracle_ActivityScan Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/3-oracle_activityscan.md) – This job is designed to capture user activity from all the targeted Oracle database servers -- [4-Oracle_DefaultPasswordUsers 
Job](4-oracle_defaultpasswordusers.md) – This job is designed to +- [4-Oracle_DefaultPasswordUsers Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/4-oracle_defaultpasswordusers.md) – This job is designed to provide a list of users in the database that are configured to use default passwords -- [5-Oracle_Configuration Job](5-oracle_configuration.md) – This job is designed to return +- [5-Oracle_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/5-oracle_configuration.md) – This job is designed to return additional configuration settings from Oracle servers. diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databaselinks.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databaselinks.md index a400013162..573aef8393 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databaselinks.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databaselinks.md @@ -11,7 +11,7 @@ Job >Configure** node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisdblinks.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisdblinks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databasesizing.md index 7515dabcf3..e30433f473 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databasesizing.md 
@@ -11,7 +11,7 @@ Job >Configure** node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisdbsizing.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisdbsizing.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_datadictionaryprotection.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_datadictionaryprotection.md index 6d797632e0..df2f8397a9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_datadictionaryprotection.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_datadictionaryprotection.md @@ -13,7 +13,7 @@ Configure** node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisddprotection.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisddprotection.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_instancenameissues.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_instancenameissues.md index 26c32ad230..a94aee7d97 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_instancenameissues.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_instancenameissues.md 
@@ -12,7 +12,7 @@ Configure** node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisinstancenameissues.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisinstancenameissues.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_remoteosauthentication.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_remoteosauthentication.md index 9925ffe79a..8343ef9f18 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_remoteosauthentication.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_remoteosauthentication.md @@ -11,7 +11,7 @@ Configure** node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisremoteosauth.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/analysisremoteosauth.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/overview.md index 4e2b112010..0d4fbaeb2e 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/overview.md 
@@ -3,21 +3,21 @@ The SQL > 4.Configuration Job Group Is designed to provide insight into potential vulnerabilities related to Oracle Database Instance configuration settings. -![Configuration Job Group - Oracle](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/configoverview.webp) +![Configuration Job Group - Oracle](/img/product_docs/accessanalyzer/solutions/databases/oracle/configuration/configoverview.webp) The jobs in the 4.Configuration Job Group are: -- [Oracle_DatabaseLinks Job](oracle_databaselinks.md) – Contains a report that provides information +- [Oracle_DatabaseLinks Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databaselinks.md) – Contains a report that provides information on Database Links where the listed Oracle Server is able to execute remote commands -- [Oracle_DatabaseSizing Job](oracle_databasesizing.md) – Provides details on tablespace file sizes +- [Oracle_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_databasesizing.md) – Provides details on tablespace file sizes and overall tablespace sizes -- [Oracle_DataDictionaryProtection Job](oracle_datadictionaryprotection.md) – This job is designed +- [Oracle_DataDictionaryProtection Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_datadictionaryprotection.md) – This job is designed to identify if the Oracle data dictionary views are accessible by all the schemas or not. Oracle best practice recommendations are to restrict access to data dictionary views by default and grant explicit system privilege to access the dictionary views when needed. 
-- [Oracle_InstanceNameIssues Job](oracle_instancenameissues.md) – This job is designed to find out +- [Oracle_InstanceNameIssues Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_instancenameissues.md) – This job is designed to find out if the names used for the Oracle database instances conform to Oracle recommended best practices. The job also checks to see if the Oracle SID conforms to DISA STIG V-61413 – Oracle instance name or SID should not contain Oracle version numbers. -- [Oracle_RemoteOSAuthentication Job](oracle_remoteosauthentication.md) – This job is designed to +- [Oracle_RemoteOSAuthentication Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/oracle_remoteosauthentication.md) – This job is designed to find out if remote OS authentication is enabled for the targeted Oracle database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/oracle_securityassessment.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/oracle_securityassessment.md index 19912fc054..b6a8584ec6 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/oracle_securityassessment.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/oracle_securityassessment.md 
@@ -3,14 +3,14 @@ The Oracle_SecurityAssessment Job is designed to summarize and categorize the security findings from the Oracle Solution into HIGH, MEDIUM, LOW, and NO FINDING categories base on severity. -![Oracle Security Assessment Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/jobgroup46.webp) +![Oracle Security Assessment Job](/img/product_docs/accessanalyzer/solutions/databases/oracle/jobgroup46.webp) ## Analysis Tasks for the Oracle_SecurityAssessment Job Navigate to the **Databases** > **Oracle** > **Oracle_SecurityAssessment** > **Configure** node and select Analysis to view the analysis tasks. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/jobgroup47.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/jobgroup47.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md index bbfec5a8b0..f3aa2aa601 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md @@ -35,7 +35,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target Oracle Requirements, Permissions, and Ports](../../../requirements/target/databaseoracle.md) +[Target Oracle Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databaseoracle.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -71,27 +71,27 @@ visibility into various aspects of an Oracle Database Server, including informat Roles, Sensitive Data Discovery, Object Permissions, Configuration, User Activity, and overall Security Assessment. -![Oracle Job Group](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/oraclejobgroup.webp) +![Oracle Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/oraclejobgroup.webp) The job groups/jobs in the Oracle Solution are: -- [0.Collection Job Group](collection/overview.md) – This job group is designed to collect high +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md) – This job group is designed to collect high level summary information from targeted Oracle Database Servers. This information is used by other jobs in the Oracle solution set for further analysis and for producing respective reports. The O.Collection job group is located at **Jobs** > **Databases** > **0.Collection** > **Oracle**. 
-- [1.Users and Roles Job Group](usersroles/overview.md) – This job group is designed to provide +- [1.Users and Roles Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/overview.md) – This job group is designed to provide insight into user security, roles, and object permissions on all the Oracle database objects -- [2.Activity Job Group](activity/overview.md) – This job group is designed to provide insight into +- [2.Activity Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/activity/overview.md) – This job group is designed to provide insight into user login activity, object permission changes, any unusual database activity, SQL activity against sensitive data, and SQL activity against selective or all database objects -- [3.Permissions Job Group](permissions/overview.md) – This job group is designed to provide insight +- [3.Permissions Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/overview.md) – This job group is designed to provide insight into all types of permissions at the instance, database, and object level across all the targeted Oracle database servers -- [4.Configuration Job Group](configuration/overview.md) – This job group is designed to provide +- [4.Configuration Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/configuration/overview.md) – This job group is designed to provide insight into potential vulnerabilities related to Oracle Database Instance configuration settings -- [5.Sensitive Data Job Group](sensitivedata/overview.md) – This job is designed to provide insight +- [5.Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/overview.md) – This job is designed to provide insight into where sensitive data exists, and who has access to it across all the targeted Oracle database servers -- [Oracle_SecurityAssessment Job](oracle_securityassessment.md) – This job is designed to summarize +- [Oracle_SecurityAssessment 
Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/oracle_securityassessment.md) – This job is designed to summarize and categorize the security findings into HIGH, MEDIUM, LOW, and NO FINDING categories based on their severity diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_domainuserpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_domainuserpermissions.md index 87e797ac62..17d12da664 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_domainuserpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_domainuserpermissions.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup34.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup34.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_objectpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_objectpermissions.md index dce1e1d167..4907adf9d1 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_objectpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_objectpermissions.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup35.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup35.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_publicpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_publicpermissions.md index 14e4abf540..ae67664787 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_publicpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_publicpermissions.md @@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup36.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup36.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_serverpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_serverpermissions.md index 32a2962539..8bd4b05935 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_serverpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_serverpermissions.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup37.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup37.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_sysschemapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_sysschemapermissions.md index b0345194b9..1f91ec7af4 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_sysschemapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_sysschemapermissions.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup38.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup38.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/overview.md index f7d64c07f5..3eef530c59 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/overview.md 
@@ -3,20 +3,20 @@ The 3.Permissions Job Group is designed to provide insight into all types of permissions at the instance, database, and object levels across all targeted Oracle database servers. -![Permissions Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup33.webp) +![Permissions Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/permissions/jobgroup33.webp) The jobs in the 3.Permissions Job Group are: -- [Oracle_DomainUserPermissions Job](oracle_domainuserpermissions.md) – This job will provide +- [Oracle_DomainUserPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_domainuserpermissions.md) – This job will provide insight into Microsoft Active Directory domain users access to Oracle database objects both at the instance and object level -- [Oracle_ObjectPermissions Job](oracle_objectpermissions.md) – This job will provide insight into +- [Oracle_ObjectPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_objectpermissions.md) – This job will provide insight into user and role permissions to all the database objects in the targeted Oracle database server -- [Oracle_PublicPermissions Job](oracle_publicpermissions.md) – This job provides the list of all +- [Oracle_PublicPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_publicpermissions.md) – This job provides the list of all the permission assigned to the PUBLIC profile in all the targeted Oracle database servers -- [Oracle_ServerPermissions Job](oracle_serverpermissions.md) – This job analyzes all the permission +- [Oracle_ServerPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_serverpermissions.md) – This job analyzes all the permission granted at the database level and repots on the effective database level permissions across all the audited Oracle database servers -- 
[Oracle_SysSchemaPermissions Job](oracle_sysschemapermissions.md) – This job provides insight into +- [Oracle_SysSchemaPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/permissions/oracle_sysschemapermissions.md) – This job provides insight into all the users who have access to the objects in the SYS schema and the type permissions to those objects across all the audited Oracle database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/recommended.md index d85fd061a9..0605a9eb60 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/recommended.md @@ -38,7 +38,7 @@ most customer environments, but it is possible. If the required permissions are assigned to one Active Directory credential, once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted -environment. See the [SQL Data Collector](../../../admin/datacollector/sql/overview.md) topic for +environment. See the [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) topic for additional information on permissions and creating a SQL custom connection profile. Alternatively, create a connection profile with both the Oracle database credentials and the server @@ -62,7 +62,7 @@ level. However, since this may not be the Connection Profile with the necessary assigned hosts, click the radio button for the Select one of the following user defined profiles option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency 
@@ -94,7 +94,7 @@ SQL Data Collector configurations can be modified if desired: - 2-Oracle_SensitiveDataScan Job - Filter page – Scope the query to target specific databases/instances in the following jobs: - Remember, it is necessary for the [0-Oracle_Servers Job](collection/0-oracle_servers.md) to run + Remember, it is necessary for the [0-Oracle_Servers Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/0-oracle_servers.md) to run at least once before attempting to scope any of the following queries: - 1-Oracle_PermissionsScan Job @@ -119,7 +119,7 @@ disable a job or job group, right-click on the item and select Disable Job. Workflow 1. Set a Connection Profile for the 0.Collection Job Group with the permissions listed in the - Recommended Configurations section. See the [0.Collection Job Group](collection/overview.md) + Recommended Configurations section. See the [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/oracle/collection/overview.md) section for additional information. 2. Schedule the solution to run daily or as desired. 3. Review the reports generated by the jobs. diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedata.md index 6c698082e2..4413c8765b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedata.md 
@@ -11,7 +11,7 @@ Navigate to the **Oracle > 5.Sensitve Data > Oracle_SensitveData > Configure** n **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup44.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup44.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedatapermissions.md index b8fe2baf69..ad1ed4aa72 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedatapermissions.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup45.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup45.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/overview.md index dbaed294f2..276aafb8fd 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/overview.md 
@@ -3,13 +3,13 @@ The 5.Sensitive Data Job Group is designed to provide insight into where sensitive data exists and who has access to said data across all targeted Oracle database servers. -![Sensitive Data Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup43.webp) +![Sensitive Data Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/sensitivedata/jobgroup43.webp) The jobs in the 5.Sensitive Data Job Group are: -- [Oracle_SensitiveData Job](oracle_sensitivedata.md) – This job is designed to provide information +- [Oracle_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedata.md) – This job is designed to provide information on all the sensitive data that was discovered in the targeted Oracle database servers based on the selected scan criteria -- [Oracle_SensitiveDataPermissions Job](oracle_sensitivedatapermissions.md) – This job is designed +- [Oracle_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/sensitivedata/oracle_sensitivedatapermissions.md) – This job is designed to provide all types of permissions on database objects containing sensitive data across all the targeted Oracle database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_passwordissues.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_passwordissues.md index b8b6c3de47..8f85aeff21 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_passwordissues.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_passwordissues.md 
@@ -10,12 +10,12 @@ The Oracle_PasswordIssues Job uses the PowerShell Data Collector for the followi **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup20.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup20.webp) - Weak Password Hash – Locates the dictionary file used to compare Oracle passwords to determine if they are weak. -See the [PowerShell Data Collector](../../../../admin/datacollector/powershell/overview.md) topic +See the [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) topic for additional information. ## Analysis Tasks for the Oracle_PasswordIssues Job @@ -26,7 +26,7 @@ Navigate to the **Jobs** > **Oracle** > **1.Users and Roles** > **Oracle_Passwor **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup21.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup21.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_rolemembers.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_rolemembers.md index a81eb429dd..b3b6f18a6a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_rolemembers.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_rolemembers.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup22.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup22.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_systemadministrators.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_systemadministrators.md index 34c8915775..60a5c50716 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_systemadministrators.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_systemadministrators.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup23.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup23.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_users.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_users.md index d70b2c5c86..0299060381 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_users.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_users.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup24.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup24.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/overview.md b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/overview.md index 8a7743b32b..a80b473f8a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/overview.md 
@@ -3,19 +3,19 @@ The 1.Users and Roles Job Group is designed to provide insight into user security, roles, and object permissions on all Oracle database objects. -![Users and Roles Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup19.webp) +![Users and Roles Job Group](/img/product_docs/accessanalyzer/solutions/databases/oracle/usersroles/jobgroup19.webp) The jobs in the 1.Users and Roles Job Group are: -- [Oracle_PasswordIssues Job](oracle_passwordissues.md) – This job group is designed to analyze the +- [Oracle_PasswordIssues Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_passwordissues.md) – This job group is designed to analyze the Oracle user passwords and evaluate if they comply with the prescribed password policies. In addition, the job will also scan the passwords for weak passwords. -- [Oracle_RoleMembers Job](oracle_rolemembers.md) – This job is designed to analyze and provide +- [Oracle_RoleMembers Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_rolemembers.md) – This job is designed to analyze and provide information about all the role members in each of the Oracle database roles across all the targeted Oracle database servers -- [Oracle_SystemAdministrators Job](oracle_systemadministrators.md) – This job group is designed to +- [Oracle_SystemAdministrators Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_systemadministrators.md) – This job group is designed to provide insight into all the users who have DBA, SYSDBA, and SYSOPER roles across all the targeted Oracle database servers -- [Oracle_Users Job](oracle_users.md) – This job group is designed to provide insight into all the +- [Oracle_Users Job](/docs/accessanalyzer/12.0/solutions/databases/oracle/usersroles/oracle_users.md) – This job group is designed to provide insight into all the attributes associated with all the users in the Oracle database 
across all targeted Oracle database servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/overview.md b/docs/accessanalyzer/12.0/solutions/databases/overview.md index 8fcb82e6f1..931f5c4f4f 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/overview.md 
@@ -3,25 +3,25 @@ Access Analyzer Databases Solution Set is a comprehensive set of pre-configured audit jobs and reports that provide visibility into various aspects of supported databases: -- [Db2 Solution](db2/overview.md) – Db2 Solution is a comprehensive set of pre-configured audit jobs +- [Db2 Solution](/docs/accessanalyzer/12.0/solutions/databases/db2/overview.md) – Db2 Solution is a comprehensive set of pre-configured audit jobs and reports that provide visibility into various aspects of Db2, such as Data Collection, Configuration, user Permissions, and Sensitive Data. -- [MongoDB Solution](mongodb/overview.md) – Access Analyzerfor MongoDB automates the process of +- [MongoDB Solution](/docs/accessanalyzer/12.0/solutions/databases/mongodb/overview.md) – Access Analyzerfor MongoDB automates the process of understanding where MongoDB databases exist and provides an overview of the MongoDB environment in order to answer questions around data access. -- [MySQL Solution](mysql/overview.md) – Access Analyzer for MySQL automates the process of +- [MySQL Solution](/docs/accessanalyzer/12.0/solutions/databases/mysql/overview.md) – Access Analyzer for MySQL automates the process of understanding where MySQL databases exist and provides an overview of the MySQL environment in order to answer questions around data access. -- [Oracle Solution](oracle/overview.md) – Access Analyzer for Oracle automates the process of +- [Oracle Solution](/docs/accessanalyzer/12.0/solutions/databases/oracle/overview.md) – Access Analyzer for Oracle automates the process of understanding where Oracle databases exist and provides an overview of the Oracle environment in order to answer questions around data access. 
-- [PostgreSQL Solution](postgresql/overview.md) – Access Analyzer for PostgreSQL automates the +- [PostgreSQL Solution](/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md) – Access Analyzer for PostgreSQL automates the process of understanding where PostgreSQL databases exist and provides an overview of the PostgreSQL environment in order to answer questions around data access. -- [Redshift Solution](redshift/overview.md) – Redshift Solution Set is a comprehensive set of +- [Redshift Solution](/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md) – Redshift Solution Set is a comprehensive set of pre-configured audit jobs and reports that provide visibility into various aspects of Redshift: Data Collection, Configuration, and Sensitive Data. -- [SQL Job Group](sql/overview.md) – SQL Job Group is a comprehensive set of pre-configured audit +- [SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md) – SQL Job Group is a comprehensive set of pre-configured audit jobs and reports that provide information on users and roles, activity, permissions, configuration, sensitive data, and overall security assessment for both the SQL 0.Collection Job Group and Azure SQL 0.Collection Job Group. diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/overview.md index 4348c9dd4e..e64bf721f9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/overview.md 
@@ -4,22 +4,22 @@ The PostgreSQL Solution Collection Job Group is designed to collect high level from targeted PostgreSQL Servers. This information is used by other jobs in the PostgreSQL Solution Set for further analysis and producing respective reports. -![0.Collection Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/0.collectionjobgroup.webp) +![0.Collection Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/0.collectionjobgroup.webp) The jobs in the 0.Collection Job Group are: -- [PgSQL_Configuration Job](pgsql_configuration.md) - Designed to return additional configuration +- [PgSQL_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_configuration.md) - Designed to return additional configuration settings from PostgreSQL servers -- [PgSQL_SensitiveDataScan Job](pgsql_sensitivedatascan.md) - Designed to discover sensitive data in +- [PgSQL_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_sensitivedatascan.md) - Designed to discover sensitive data in PostgreSQL databases based on pre-defined or user-defined search criteria -- [PgSQL_TablePrivileges Job](pgsql_tableprivileges.md) - Designed to collect PostgreSQL table +- [PgSQL_TablePrivileges Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_tableprivileges.md) - Designed to collect PostgreSQL table privileges from all the targeted servers. Workflow 1. Set a Connection Profile for the 0.Collection Job Group with the permissions listed in the Recommended Configurations section. See the - [Connection](../../../../admin/settings/connection/overview.md) topic for additional information. + [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. 2. 
For Sensitive Data Discovery Auditing – Ensure the Sensitive Data Discovery Add-On is installed on the Access Analyzer Console server. 3. Schedule the solution to run daily or as desired. diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_configuration.md index 8fc0bc3d7d..c5e188903b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_configuration.md @@ -9,10 +9,10 @@ The PgSQL_Configuration Job uses the SQL Data Collector. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/configurationquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/configurationquery.webp) The query is: - PostgreSQL Database Sizing - Collects details about PostgreSQL databases. See the - [SQL Data Collector](../../../../admin/datacollector/sql/overview.md) topic for additional + [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_sensitivedatascan.md index 97888da99e..9ae24f45c8 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_sensitivedatascan.md 
@@ -7,12 +7,12 @@ on pre-defined or user-defined search criteria. The PgSQL_SensitiveDataScan Job uses the SQL Data Collector. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataquery.webp) The query is: - PostgreSQL — Scans the PostgreSQL database for sensitive data. For configuring the - [SQL Data Collector](../../../../admin/datacollector/sql/overview.md), see the SQL Data Collector + [SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md), see the SQL Data Collector topic for additional information. ### Configure the SensitiveDataScan Query 
@@ -31,31 +31,31 @@ The Query Properties window appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for this job. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/datascanjobsettings.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/datascanjobsettings.webp) **Step 4 –** To modify sensitive data scan options, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. Select the desired scan +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. Select the desired scan options. **NOTE:** The Sensitive Data Scan Settings are pre-configured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan may significantly increase scan time. -![Select DLP Criteria](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedatascancriteria.webp) +![Select DLP Criteria](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedatascancriteria.webp) **Step 5 –** To modify criteria, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. By default, the +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. By default, the Sensitive Data Scan job is configured to scan for criteria configured in the Global Criteria settings. See the -[Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. 
-![Filters page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedatascanfilter.webp) +![Filters page](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedatascanfilter.webp) **Step 6 –** PostgreSQL databases must be added to the query before they can be scanned. Navigate to the **Filter** page and click **Connections** to open the Manage Connections window. -![Manage Connections](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/manageconnectionspgsql.webp) +![Manage Connections](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/manageconnectionspgsql.webp) **Step 7 –** In the Manage Connections window, click **New Connection** and add the following information: @@ -90,7 +90,7 @@ Navigate to the **Databases** > **0.Collection** > **PostgreSQL** > **PgSQL_Sen **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_tableprivileges.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_tableprivileges.md index a4e7b901c0..5910b45f3b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_tableprivileges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/pgsql_tableprivileges.md 
@@ -9,7 +9,7 @@ The PgSQL_TablePrivileges Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/tableprivileges_query.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/tableprivileges_query.webp) The query is: @@ -23,7 +23,7 @@ Navigate to the **Databases** > **0.Collection** > **PostgreSQL** > **PgSQL_Tabl **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/tableprivileges_analysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/tableprivileges_analysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md index 1c10f5eb52..2169b74a42 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/overview.md @@ -30,7 +30,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target PostgreSQL Requirements, Permissions, and Ports](../../../requirements/target/databasepostgresql.md) +[Target PostgreSQL Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasepostgresql.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -66,15 +66,15 @@ sensitive data. The Access Analyzer PosgreSQL Solution Set is a set of pre-configured audit jobs and reports that provides visibility into PostgreSQL Sensitive Data. -![PostgreSQL Job Group](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/postgresqljobgroup.webp) +![PostgreSQL Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/postgresqljobgroup.webp) The job groups in the PostgreSQL Solution are: -- [0.Collection Job Group](collection/overview.md) - Designed to collect high level summary +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/postgresql/collection/overview.md) - Designed to collect high level summary information from targeted PostgreSQL Servers. This information is used by other jobs in the PostgreSQL Solution Set for further analysis and producing respective reports -- [Configuration > PgSQL_DatabaseSizing Job](pgsql_databasesizing.md) - Designed to provide insight +- [Configuration > PgSQL_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/pgsql_databasesizing.md) - Designed to provide insight into details about the PostgreSQL environment and potential vulnerabilities related to instance configuration settings -- [Sensitive Data Job Group](sensitivedata/overview.md) - Designed to provide insight into where +- [Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/overview.md) - Designed to provide insight into where sensitive data exists and who has access to it across all the targeted PostgreSQL databases diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/pgsql_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/pgsql_databasesizing.md index 02472940f2..f0a1df97f3 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/pgsql_databasesizing.md 
+++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/pgsql_databasesizing.md @@ -3,7 +3,7 @@ The Configuration Job Group is designed to provide insight into details about the PostgreSQL environment and potential vulnerabilities related to instance configuration settings. -![Configuration Job Group - PostgreSQL](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) +![Configuration Job Group - PostgreSQL](/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) The job in the Configuration Job Groups is: @@ -17,7 +17,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/pssqldatabasesizinganalysistasks.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/pssqldatabasesizinganalysistasks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/recommended.md index f982cd3b2c..b2a5a00e5c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/recommended.md 
@@ -23,7 +23,7 @@ Connection Profile The SQL Data Collector requires a specific set of permissions. For the PostgreSQL Solution, the credentials configured in the Connection Profile must be able to access the PostgreSQL Database. See -the [Connection](../../../admin/settings/connection/overview.md) topic for additional information on +the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on permissions and creating a SQL custom connection profile. The Connection Profile is set to **Use the Default Profile**, as configured at the global settings diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/overview.md index a271668821..947113f869 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/overview.md 
@@ -3,13 +3,13 @@ The Sensitive Data Job Group is designed to provide insight into where sensitive data exists and who has access to it across all the targeted PostgreSQL databases. -![Sensitive Data Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) +![Sensitive Data Job Group](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) The job in the Sensitive Data Job Group is: -- [PgSQL_SensitiveData Job](pgsql_sensitivedata.md) - Designed to provide information on all the +- [PgSQL_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedata.md) - Designed to provide information on all the sensitive data that was discovered in the targeted PostgreSQL servers based on the selected scan criteria -- [PgSQL_SensitiveDataPermissions Job](pgsql_sensitivedatapermissions.md) - Designed to provide +- [PgSQL_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedatapermissions.md) - Designed to provide information on all types of permissions on database objects containing sensitive data across all the targeted PostgreSQL servers based on the selected scan criteria. diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedata.md index 48c42905ed..77a7fe59cb 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedata.md 
@@ -11,7 +11,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![pgsqlsensitivedataanalysis](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/pgsqlsensitivedataanalysis.webp) +![pgsqlsensitivedataanalysis](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/pgsqlsensitivedataanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedatapermissions.md index a8ad896214..c6fe6ee018 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/postgresql/sensitivedata/pgsql_sensitivedatapermissions.md @@ -13,7 +13,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatapermission.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatapermission.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/overview.md index 06863f97b7..ba5532cb88 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/overview.md 
@@ -4,13 +4,13 @@ The Redshift Solution Collection group collects high level summary information f Redshift Servers.  Other jobs in the Redshift Solution Set use this information for further analysis and for producing respective reports. -![0](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/0.collection.webp) +![0](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/0.collection.webp) The jobs in the 0.Collection Job Group are: -- [Redshift_Configuration Job](redshift_configuration.md) — Returns additional configuration +- [Redshift_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md) — Returns additional configuration settings from Redshift servers -- [Redshift_SensitiveDataScan Job](redshift_sensitivedatascan.md) — Discovers sensitive data in +- [Redshift_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md) — Discovers sensitive data in PostgreSQL databases based on pre-defined or user-defined search criteria -- [Redshift_TablePrivileges Job](redshift_tableprivileges.md) - Designed to collect Redshift table +- [Redshift_TablePrivileges Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md) - Designed to collect Redshift table privileges from all the targeted servers. diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md index 518c3135e8..65e9a2160a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md 
@@ -8,7 +8,7 @@ The Redshift_Configuration Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![0](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/0.collectionconfiguration.webp) +![0](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/0.collectionconfiguration.webp) The query is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md index 9c80ee7f59..f6ff55e5f8 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md @@ -6,7 +6,7 @@ This job discovers sensitive data in PostgreSQL databases on pre-defined or user The Redshift_SensitiveDataScan Job uses the SQL Data Collector for queries. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedataquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedataquery.webp) The query is: 
@@ -29,14 +29,14 @@ Query Properties. The Query Properties window appears. **Step 3 –** Select the Data Source tab, and click Configure. The SQL Data Collector Wizard opens with Sensitive Data Collection category selected. -![Category Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatacategory.webp) +![Category Page](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatacategory.webp) **Step 4 –** Click **Next**. The Sensitive Data Scan Settings view appears. -![Sensitive Data Scan Settings](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatajoboptions.webp) +![Sensitive Data Scan Settings](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatajoboptions.webp) **Step 5 –** To modify sensitive data scan options, select the desired scan options. See the -[SQL: Options](../../../../admin/datacollector/sql/options.md) page for additional information. +[SQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md) page for additional information. **NOTE:** The Sensitive Data Scan Settings are preconfigured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan 
@@ -44,7 +44,7 @@ may significantly increase scan time. **Step 6 –** Click **Next**. The Select Criteria view appears. -![Select DLP Criteria for Scan](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatacriteria.webp) +![Select DLP Criteria for Scan](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatacriteria.webp) **Step 7 –** To modify criteria, click on **Use the following selected criteria:** and select your choices. By default, the Sensitive Data Scan job is set to **Use Global Criteria**. Also by default, 
@@ -57,20 +57,20 @@ the following System Criteria have been selected: - Password **NOTE:** For more information on adding or deleting criteria, navigate to the -[SQL: Criteria](../../../../admin/datacollector/sql/criteria.md) page or See the -[Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) +[SQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md) page or See the +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **Step 8 –** Click **Next**. The Filters view appears. -![Filters Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatafilter.webp) +![Filters Page](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedatafilter.webp) **Step 9 –** Click **Connections** to open the Manage Connections window. **NOTE:** SQL databases must be added to the query before they can be scanned. Before you can add a query, you must establish a connection to the database. -![Manage Connections](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedataconnection.webp) +![Manage Connections](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/collectionsensitivedataconnection.webp) **Step 10 –** In the Manage Connections window, click **Create New Connection** and add the following information: @@ -89,7 +89,7 @@ following information: configured by default to target Only select database objects. **NOTE:** For more information on filtering, see the -[SQL: Filter](../../../../admin/datacollector/sql/filter.md) page. +[SQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md) page. **Step 13 –** Click Retrieve. The Available database objects box will populate. 
@@ -118,7 +118,7 @@ not collect data themselves. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/analysiscollectionsensitivedatascan.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/analysiscollectionsensitivedatascan.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md index 4ecb1f351b..429ea6319f 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md @@ -9,7 +9,7 @@ The Redshift_TablePrivileges Job uses the SQL Data Collector for queries. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/tableprivilegesquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/tableprivilegesquery.webp) The query is: @@ -23,7 +23,7 @@ Navigate to the **Databases** > **0.Collection** > **Redshift** > **Redshift_Tab **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/tableprivilegesanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/redshift/collection/tableprivilegesanalysis.webp) The default analysis task is: 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md index c86b36d1ba..d4553e3383 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/overview.md @@ -15,7 +15,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target Redshift Requirements, Permissions, and Ports](../../../requirements/target/databaseredshift.md) +[Target Redshift Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databaseredshift.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -50,26 +50,26 @@ sensitive data. The Access Analyzer Redshift  Solution Set is a set of preconfigured audit jobs and reports that provides visibility into Redshift Sensitive Data. -![redshiftjobgrpoverview](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/redshiftjobgrpoverview.webp) +![redshiftjobgrpoverview](/img/product_docs/accessanalyzer/solutions/databases/redshift/redshiftjobgrpoverview.webp) The following job groups comprise the Redshift Job Group: -- [0.Collection Job Group](collection/overview.md) — Collects high level summary information from +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/overview.md) — Collects high level summary information from targeted Redshift Servers. Other jobs in the Redshift Solution Set use this information for further analysis and producing respective report. This Job Group is comprised of the following jobs(s) - - [Redshift_Configuration Job](collection/redshift_configuration.md) - - [Redshift_SensitiveDataScan Job](collection/redshift_sensitivedatascan.md) - - [Redshift_TablePrivileges Job](collection/redshift_tableprivileges.md) + - [Redshift_Configuration Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_configuration.md) + - [Redshift_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_sensitivedatascan.md) + - [Redshift_TablePrivileges Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/collection/redshift_tableprivileges.md) -- [Configuration > Redshift_DatabaseSizing Job](redshift_databasesizing.md) — Provides insight into +- [Configuration > Redshift_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/redshift_databasesizing.md) — Provides insight into details about the Redshift environment and potential vulnerabilities relating to instance configuration settings. 
-- [Sensitive Data Job Group](sensitive_data/overview.md) — Provides insight into where sensitive +- [Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/overview.md) — Provides insight into where sensitive data exists and who has access to it across all the targeted Redshift databases.This Job Group is comprised of the following job(s): - - [Redshift_SensitiveData Job](sensitive_data/redshift_sensitivedata.md) - - [Redshift_SensitiveDataPermissions Job](sensitive_data/redshift_sensitivedatapermissions.md) + - [Redshift_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md) + - [Redshift_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md) diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/recommended.md index 19e2334250..89b52fbd06 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/recommended.md @@ -23,7 +23,7 @@ The SQL Data Collector requires a specific set of permissions. See the Permissio necessary permissions. The account used can be either an Active Directory account or a SQL account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[SQL Custom Connection Profile & Default Dynamic Host List](../../../admin/datacollector/sql/configurejob.md) +[SQL Custom Connection Profile & Default Dynamic Host List](/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md) topic for additional information. The Connection Profile should be assigned under the **Redshift** > **0.Collection** > **Settings** 
> @@ -32,7 +32,7 @@ level. However, since this may not be the Connection Profile with the necessary assigned hosts, click the radio button for the **Select one of the following user defined profiles** option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/redshift_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/redshift_databasesizing.md index 336e037ddf..1bbda643c2 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/redshift_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/redshift_databasesizing.md @@ -3,7 +3,7 @@ This group provides insight into details about the Redshift environment and potential vulnerabilities related to instance configuration settings. -![configurationjobgroup](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) +![configurationjobgroup](/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) The job(s) in the Configuration Job Group are: @@ -17,7 +17,7 @@ Navigate to the **Jobs** > **Databases**> **Redshift** > **Configuration** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![analysisredshiftconfigurationjob](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/analysisredshiftconfigurationjob.webp) +![analysisredshiftconfigurationjob](/img/product_docs/accessanalyzer/solutions/databases/redshift/analysisredshiftconfigurationjob.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/overview.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/overview.md index aa3469fad2..f9e2057313 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/overview.md @@ -3,12 +3,12 @@ This job provides insight into where sensitive data exists and who has access to it across all the targeted Redshift databases. -![sensitivedatajobgroup](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) +![sensitivedatajobgroup](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatajobgroup.webp) The job(s) in the Sensitive Data Job Group are: -- [Redshift_SensitiveData Job](redshift_sensitivedata.md) - Provides information on all the data +- [Redshift_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md) - Provides information on all the data that was discovered in the targeted Redshift database servers based on the selected scan criteria -- [Redshift_SensitiveDataPermissions Job](redshift_sensitivedatapermissions.md) - Designed to +- [Redshift_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md) - Designed to provide information on all types of permissions on database objects containing sensitive data across all the targeted PostgreSQL servers based on the selected scan criteria. diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md index 67e9210ab0..ab7dec8fa2 100644 
--- a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedata.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **Databases** > **Redshift** >  **Sensitive Data** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/redshift/sensitive_data/analysissensitivedata.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/redshift/sensitive_data/analysissensitivedata.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md index 6559a1ea5c..2d0314dcb8 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/redshift/sensitive_data/redshift_sensitivedatapermissions.md @@ -13,7 +13,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatapermission.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/postgresql/sensitivedata/sensitivedatapermission.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/overview.md index bd2414333f..5704e508d4 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/overview.md 
@@ -4,22 +4,22 @@ The jobs in the 2. Activity Job Group provides insight into user login activity, changes, unusual database activity, SQL and Azure SQL activities against sensitive data, and SQL and Azure SQL activities against selected or all database objects. -![2.Activity Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup30.webp) +![2.Activity Job Group](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup30.webp) The jobs in the 2.Activity Job Group are: -- [SQL_Activity Job](sql_activity.md) – This job is designed to provide insight into user activity +- [SQL_Activity Job](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_activity.md) – This job is designed to provide insight into user activity in target SQL and Azure SQL server instances and databases in each instance based on the SQL Server Audit Specification settings -- [SQL_Logons Job](sql_logons.md) – This job is designed to provide insight into failed or +- [SQL_Logons Job](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_logons.md) – This job is designed to provide insight into failed or successful SQL and Azure SQL server logon activity across all the targeted SQL and Azure SQL Servers -- [SQL_PermissionChanges Job](sql_permissionchanges.md) – This job is designed to provide detailed +- [SQL_PermissionChanges Job](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_permissionchanges.md) – This job is designed to provide detailed information about the changes in permissions across all the database objects, specifically objects containing sensitive data -- [SQL_SensitiveDataActivity Job](sql_sensitivedataactivity.md) – This job is designed to provide +- [SQL_SensitiveDataActivity Job](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_sensitivedataactivity.md) – This job is designed to provide detailed information about all the DML (UPDATE, INSERT, DELETE, 
TRUNCATE) against objects containing selective data -- [SQL_UnusualActivity Job](sql_unusualactivity.md) – This job group is designed to highlight any +- [SQL_UnusualActivity Job](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_unusualactivity.md) – This job group is designed to highlight any anomalies related to outlying user activity by database across all the targeted SQL and Azure SQL server instances. diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_activity.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_activity.md index 67f219a89b..ca10edbfce 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_activity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_activity.md @@ -11,7 +11,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup31.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup31.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_logons.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_logons.md index 9632b8dcd2..daf31b49f9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_logons.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_logons.md 
@@ -11,7 +11,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup32.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup32.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_permissionchanges.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_permissionchanges.md index 50ae4e7b1e..0afa72bb01 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_permissionchanges.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_permissionchanges.md @@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup33.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup33.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_sensitivedataactivity.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_sensitivedataactivity.md index d5ddb41010..77fde1f602 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_sensitivedataactivity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_sensitivedataactivity.md 
@@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup34.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup34.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_unusualactivity.md b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_unusualactivity.md index e708940cd5..11d1112cbe 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_unusualactivity.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/activity/sql_unusualactivity.md @@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup35.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/activity/sqljobgroup35.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md index 1c5b0308e4..38d7d8f2b8 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md 
@@ -7,7 +7,7 @@ the targeted servers. The 0-SQL_InstanceDiscovery job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/instancedisc_query.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/instancedisc_query.webp) - SQL Server Instance Discovery — Collects the list of SQL Server Instances from target endpoints and populates the necessary instance connection information @@ -20,7 +20,7 @@ Navigate to the **Databases** > **0.Collection** > **SQL** > **0-SQL_InstanceDis **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/instancedisc_analysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/instancedisc_analysis.webp) The default analysis tasks is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/1-sql_permissionsscan.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/1-sql_permissionsscan.md index d20674ba73..4200ce9dc0 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/1-sql_permissionsscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/1-sql_permissionsscan.md @@ -7,7 +7,7 @@ targeted servers. The 1-SQL_PermissionsScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup6.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup6.webp) - PermissionsScan – Collects permissions from targeted instances - (Optional) This query can be modified to target specific databases/instances. See the 
@@ -30,10 +30,10 @@ Properties. The Query Properties window appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for this job. -![Filters](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/1sqlpermissionscanfilterpage.webp) +![Filters](/img/product_docs/accessanalyzer/solutions/databases/azuresql/collection/1sqlpermissionscanfilterpage.webp) **Step 4 –** To query for specific databases/instances, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. The default query target +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. The default query target is All databases. The default query scope is Only select database objects and click Retrieve. The Available database objects will be populated. Databases and instances can be added in the following ways: @@ -55,7 +55,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup8.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup8.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/2-sql_sensitivedatascan.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/2-sql_sensitivedatascan.md index fab351925e..9b4eab7f05 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/2-sql_sensitivedatascan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/2-sql_sensitivedatascan.md 
@@ -6,9 +6,9 @@ databases based on a pre-defined or user defined search criteria. Special Dependency - Sensitive Data Discovery Add-On installed on the Access Analyzer Console server - - See the [Installation & Configuration Overview](../../../../install/application/overview.md) + - See the [Installation & Configuration Overview](/docs/accessanalyzer/12.0/install/application/overview.md) topic for installation information. - - See the [Sensitive Data Discovery](../../../../sensitivedatadiscovery/overview.md) topic for + - See the [Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. Though the job is visible within the console, it requires an additional installer package before @@ -18,7 +18,7 @@ data collection occurs. The SensitiveDataScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup9.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup9.webp) - SensitiveDataScan – Collects Sensitive Data from targeting instances - (Optional) This query can be modified to target specific databases/instances. See the 
@@ -41,19 +41,19 @@ Properties. The Query Properties window appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for this job. -![2sqlsensitivedatascanoptionspage](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanoptionspage.webp) +![2sqlsensitivedatascanoptionspage](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanoptionspage.webp) **Step 4 –** Select the desired scan options. Navigate to the -[SQL: Options](../../../../admin/datacollector/sql/options.md) page for additional information. +[SQL: Options](/docs/accessanalyzer/12.0/admin/datacollector/sql/options.md) page for additional information. **NOTE:** The Sensitive Data Scan Settings are pre-configured for optimal performance for a high-level table scan. Configuring these settings to increase the scope of the sensitive data scan may significantly increase scan time. -![Criteria Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanquerycriteriapage.webp) +![Criteria Page](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanquerycriteriapage.webp) **Step 5 –** To modify criteria, navigate to the -[SQL: Criteria](../../../../admin/datacollector/sql/criteria.md) page. By default, the following +[SQL: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/sql/criteria.md) page. By default, the following System Criteria have been selected: - Credit Cards 
@@ -63,13 +63,13 @@ System Criteria have been selected: - Password Add or remove criteria if needed. See the - [Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanfilterpage.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/2sqlsensitivedatascanfilterpage.webp) **Step 6 –** To query for specific database/instance, navigate to the -[SQL: Filter](../../../../admin/datacollector/sql/filter.md) page. The query is configured by +[SQL: Filter](/docs/accessanalyzer/12.0/admin/datacollector/sql/filter.md) page. The query is configured by default to target Only select database objects. Click Retrieve. The Available database objects box will populate. Databases and instances can be added in the following ways: @@ -90,7 +90,7 @@ select Analysis to view the analysis task. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup13.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup13.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/3-sql_activityscan.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/3-sql_activityscan.md index 97a524eda8..669cb730ca 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/3-sql_activityscan.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/3-sql_activityscan.md 
@@ -14,7 +14,7 @@ Special Dependency The ActivityScan Job uses the SQL Data Collector for the following query: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup14.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup14.webp) - ActivityScan – Collects activity from targeted instances - (Optional) This query can be modified to target specific databases/instances. See the @@ -37,10 +37,10 @@ appears. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Options Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/3sqlactivityscanoptionspage.webp) +![Options Page](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/3sqlactivityscanoptionspage.webp) **Step 4 –** To modify scan options, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. Select the desired scan +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. Select the desired scan options. The query is preconfigured with the following default settings: - Collect only events since last scan – Collects activity recorded since the previous scan 
@@ -48,10 +48,10 @@ options. The query is preconfigured with the following default settings: - Collect audits by name – Finds available audits in the database - Collect audits by path – Collects audits by a specified path -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/3sqlactivityscanfilterpage.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/3sqlactivityscanfilterpage.webp) **Step 5 –** To scope the query for specific database/instance, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. The query is configured +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. The query is configured by default to target Only select database objects. Click Retrieve. The Available database objects will be populated. Databases and instances can be added in the following ways: @@ -74,7 +74,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup17.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup17.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/4-sql_serverlogons.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/4-sql_serverlogons.md index 8ed86e550e..2a94fab8a3 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/4-sql_serverlogons.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/4-sql_serverlogons.md 
@@ -10,8 +10,8 @@ Windows Event Log Type. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![sqljobgroup18](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup18.webp) +![sqljobgroup18](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup18.webp) - AppnLogSQL – Uses SmartLog Data Collector to gather logon events - - See the [SMARTLog Data Collector](../../../../admin/datacollector/smartlog/overview.md) topic + - See the [SMARTLog Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md) topic for additional information diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/5-sql_serversettings.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/5-sql_serversettings.md index 10551f7471..4bc03d1886 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/5-sql_serversettings.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/5-sql_serversettings.md @@ -7,7 +7,7 @@ evaluation against recommended best practices. The 5-SQL_ServerSettings Job uses the SQL Data Collector for the following queries: -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup19.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup19.webp) - Configuration – Collects configuration properties - (Optional) This query can be modified to target specific databases/instances. See the 
@@ -43,10 +43,10 @@ open. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Instance Filters](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/5sqlserversettingsfilterpage.webp) +![Instance Filters](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/5sqlserversettingsfilterpage.webp) **Step 4 –** To scope the query for specific database/instance, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. The query is configured +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. The query is configured by default to target All instances. Change the query scope to Only select instances, and click Retrieve. The Available server audits will be populated. Databases and instances can be added in the following ways: @@ -79,10 +79,10 @@ open. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Filter Page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/5sqlserversettingsfilterpage.webp) +![Filter Page](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/5sqlserversettingsfilterpage.webp) **Step 4 –** To scope the query for specific database/instance, navigate to the -[SQL Data Collector](../../../../admin/datacollector/sql/overview.md) page. The query is configured +[SQL Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/sql/overview.md) page. The query is configured by default to target All instances. Change the query scope to Only select instances, and click Retrieve. The Available server audits will be populated. Databases and instances can be added in the following ways: 
@@ -91,7 +91,7 @@ following ways: - Use the Import CSV button to import a list from a CSV file. - Optionally use the Add Custom Filter button to create and apply a custom filter. - Remember, it is necessary for the [0-SQL_InstanceDiscovery Job](0-sql_instancediscovery.md) to + Remember, it is necessary for the [0-SQL_InstanceDiscovery Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md) to run before attempting to scope this query. **Step 5 –** On the Summary page, click Finish to save any setting modifications or click Cancel if diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md index 8f23e17699..b5f96e5e3a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md 
@@ -4,21 +4,21 @@ The 0.Collection Job Group is designed to collect high level summary information Microsoft SQL Servers. This information is used by other jobs in the SQL solution set for further analysis and for producing reports. -![0.Collection Job Group - SQL](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup1.webp) +![0.Collection Job Group - SQL](/img/product_docs/accessanalyzer/solutions/databases/sql/collection/sqljobgroup1.webp) The jobs in the 0.Collection Job Group are: -- [0-SQL_InstanceDiscovery Job](0-sql_instancediscovery.md) – This job is designed to enumerate and +- [0-SQL_InstanceDiscovery Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md) – This job is designed to enumerate and store the list of SQL Server Instances running on the targeted servers -- [1-SQL_PermissionsScan](1-sql_permissionsscan.md) – This job is designed to collect SQL Server +- [1-SQL_PermissionsScan](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/1-sql_permissionsscan.md) – This job is designed to collect SQL Server instance and database level permissions from all targeted servers -- [2-SQL_SensitiveDataScan Job](2-sql_sensitivedatascan.md) – This job is designed to discover +- [2-SQL_SensitiveDataScan Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/2-sql_sensitivedatascan.md) – This job is designed to discover sensitive data in the database SQL Server instances and databases based on a pre-defined or user-defined search criteria -- [3-SQL_ActivityScan Job](3-sql_activityscan.md) – This job is designed to capture user activity +- [3-SQL_ActivityScan Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/3-sql_activityscan.md) – This job is designed to capture user activity from all targeted SQL server instances and databases -- [4-SQL_ServerLogons Job](4-sql_serverlogons.md) – This job is designed to capture all types of SQL +- 
[4-SQL_ServerLogons Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/4-sql_serverlogons.md) – This job is designed to capture all types of SQL server logon activity including successful or failed logons -- [5-SQL_ServerSettings Job](5-sql_serversettings.md) – This job is designed to collect SQL server +- [5-SQL_ServerSettings Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/5-sql_serversettings.md) – This job is designed to collect SQL server instance and database configuration settings so that they can be evaluated against recommended best practices diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/overview.md index 133a364b53..d18358e9fd 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/overview.md 
@@ -3,24 +3,24 @@ The 4.Configuration Job Group provides information on potential vulnerabilities related to SQL and Azure SQL server configuration settings. -![configurationjobgroup](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) +![configurationjobgroup](/img/product_docs/accessanalyzer/solutions/databases/postgresql/configurationjobgroup.webp) The jobs in the 4.Configuration Job Group are: -- [SQL_Authentication Job](sql_authentication.md) – This job identifies authentication settings on +- [SQL_Authentication Job](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_authentication.md) – This job identifies authentication settings on targeted SQL and Azure SQL servers that allow SQL server authentication in addition to Windows authentication. Microsoft recommends that the SQL and Azure SQL servers should be generally configured to utilize Windows authentication versus SQL authentication. -- [SQL_BestPractices Job](sql_bestpractices.md) – This job is designed to analyze SQL and Azure SQL +- [SQL_BestPractices Job](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_bestpractices.md) – This job is designed to analyze SQL and Azure SQL server configuration settings and report on any findings that deviate from recommended Microsoft Best Practices when it comes to creating, maintaining, and securing SQL servers -- [SQL_CMDShell Job](sql_cmdshell.md) – This job is designed to report if the `xp_cmdshell `stored +- [SQL_CMDShell Job](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_cmdshell.md) – This job is designed to report if the `xp_cmdshell `stored procedure is enabled or disabled. Since `xp_cmdshell` allows a user to execute operating system commands when connected to the SQL or Azure SQL server, it can be used to launch malicious attacks. Microsoft recommends that the `xp_cmdshell` stored procedure be disabled. 
-- [SQL_DatabaseSizing Job](sql_databasesizing.md) – Provides details on database file sizes and +- [SQL_DatabaseSizing Job](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_databasesizing.md) – Provides details on database file sizes and overall database sizes -- [SQL_LinkedServers Job](sql_linkedservers.md) – Identifies Linked Servers or remote database +- [SQL_LinkedServers Job](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_linkedservers.md) – Identifies Linked Servers or remote database servers on which the identified SQL and Azure SQL server can execute commands. Some of the common remote OLE DB providers include IBM DB2, Oracle, Access and Excel. Typically, linked servers are used to handle distributed queries in SQL and Azure SQL server. diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_authentication.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_authentication.md index f0ce5390a9..b1c980932c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_authentication.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_authentication.md @@ -13,7 +13,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup43.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup43.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_bestpractices.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_bestpractices.md index f4fd0eb207..3e29bc621d 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_bestpractices.md 
+++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_bestpractices.md @@ -12,7 +12,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup44.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup44.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_cmdshell.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_cmdshell.md index e9ddd430b5..821b278b45 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_cmdshell.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_cmdshell.md @@ -13,7 +13,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup45.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/sqljobgroup45.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_databasesizing.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_databasesizing.md index a54c620ab4..450de19967 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_databasesizing.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_databasesizing.md 
@@ -10,7 +10,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/analysistask.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/configuration/analysistask.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_linkedservers.md b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_linkedservers.md index 769342d8e9..9698fd9020 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_linkedservers.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/sql_linkedservers.md @@ -13,7 +13,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are pre-configured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/admin/jobs/instantjobs/analysistasks.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md index a0634836bb..b68392b99b 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/overview.md 
@@ -17,7 +17,7 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target SQL Server Requirements, Permissions, and Ports](../../../requirements/target/databasesql.md) +[Target SQL Server Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/databasesql.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -39,32 +39,32 @@ The Database Solution license includes all supported database platforms supporte Analyzer. Additionally, Sensitive Data Discovery enables the solution to search database content for sensitive data. -![SQL Job Group](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup.webp) +![SQL Job Group](/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup.webp) The SQL Job Group includes: -- Databases > 0.Collection > SQL > [0.Collection > SQL Job Group](collection/overview.md) – This job +- Databases > 0.Collection > SQL > [0.Collection > SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md) – This job group is designed to collect high level summary information from Microsoft SQL servers. This information is used by other jobs in the SQL solution set for further analysis and for producing respective reports. - Databases > 0.Collection > AzureSQL > - [0.Collection > Azure SQL Job Group](../azuresql/collection/overview.md) — This job group is + [0.Collection > Azure SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/overview.md) — This job group is designed to collect high level summary information from targeted Azure SQL Instances. This information is used by other jobs in the Azure SQL solution set to provide further analysis and for producing respective reports. 
-- [1.Users and Roles Job Group](usersroles/overview.md)– This job group is designed to provide +- [1.Users and Roles Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md)– This job group is designed to provide insight into user security, roles, and object permissions to all the SQL server objects -- [2.Activity Job Group](activity/overview.md) – This job group is designed to provide insight into +- [2.Activity Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/activity/overview.md) – This job group is designed to provide insight into use login activity, object permission changes, any unusual database activity, SQL activity against sensitive data, SQL activity against selective or all database objects -- [3.Permissions Job Group](permissions/overview.md) – This job group is designed to provide insight +- [3.Permissions Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md) – This job group is designed to provide insight into all types of permissions at the instance, database, and object level across all the targeted SQL servers -- [4.Configuration Job Group](configuration/overview.md) – This job group is designed to provide +- [4.Configuration Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/configuration/overview.md) – This job group is designed to provide insight into potential vulnerabilities related to SQL server configuration settings -- [5.Sensitive Data Job Group](sensitivedata/overview.md)– This job group is designed to provide +- [5.Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md)– This job group is designed to provide insight into where sensitive data exists and who has access to it across all the targeted SQL server databases -- [SQL_SecurityAssessment Job](sql_securityassessment.md) – This job is designed to summarize and +- [SQL_SecurityAssessment 
Job](/docs/accessanalyzer/12.0/solutions/databases/sql/sql_securityassessment.md) – This job is designed to summarize and categorize the security findings into HIGH, MEDIUM, LOW, and NO FINDING categories based on their severity. diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md index ee16bd871e..66182d4f97 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md 
@@ -3,21 +3,21 @@ The 3.Permissions Job Group provides insight into permissions at the instance, database, and object level across all targeted SQL and Azure SQL servers. -![sqljobgroup36](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup36.webp) +![sqljobgroup36](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup36.webp) The jobs in the 3.Permissions Job Group are: -- [SQL_ControlServer Job](sql_controlserver.md) – This job will provide information on control +- [SQL_ControlServer Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_controlserver.md) – This job will provide information on control server permissions. Users with control server permissions allow users to command full control of a SQL and Azure SQL server instances -- [SQL_DirectPermissions Job](sql_directpermissions.md) – This job will provide information about +- [SQL_DirectPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_directpermissions.md) – This job will provide information about the permissions granted to users at the schema, database, and server levels -- [SQL_DomainUserPermissions Job](sql_domainuserpermissions.md) – This job will provide insight into +- [SQL_DomainUserPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_domainuserpermissions.md) – This job will provide insight into Microsoft Active Directory domain users’ access to SQL and Azure SQL server objects both at the instance and database level -- [SQL_PublicPermissions Job](sql_publicpermissions.md) – This job analyzes all the permissions +- [SQL_PublicPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md) – This job analyzes all the permissions granted at the server level and reports on the effective server level permissions across all the audited SQL and Azure SQL server instances -- [SQL_ServerPermissions 
Job](sql_serverpermissions.md) – This job provides the list of SQL and +- [SQL_ServerPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_serverpermissions.md) – This job provides the list of SQL and Azure SQL server logins that have the PUBLIC roles assigned. In addition, it also provides the list of permissions assigned to the PUBLIC role as well diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_controlserver.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_controlserver.md index 4fd584102a..f6bd31cfd9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_controlserver.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_controlserver.md @@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup37.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup37.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_directpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_directpermissions.md index 0678e82d17..d7175f9128 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_directpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_directpermissions.md 
@@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup38.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup38.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_domainuserpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_domainuserpermissions.md index bc3e5c280b..4ccacba372 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_domainuserpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_domainuserpermissions.md @@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup39.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup39.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md index d3bbff00ba..135efe85e4 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md 
@@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup40.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup40.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_serverpermissions.md b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_serverpermissions.md index ae34082521..98abfd076e 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_serverpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_serverpermissions.md @@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup41.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/permissions/sqljobgroup41.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/recommended.md b/docs/accessanalyzer/12.0/solutions/databases/sql/recommended.md index f56022af3f..358bf4330a 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/recommended.md 
@@ -22,16 +22,16 @@ Dependencies article for additional information. - For the SQL_SecurityAssessment Job – One or more of the following jobs or job groups must be run to produce results: - - [0.Collection > SQL Job Group](collection/overview.md) - - [1.Users and Roles Job Group](usersroles/overview.md) - - [3.Permissions Job Group](permissions/overview.md) - - [5.Sensitive Data Job Group](sensitivedata/overview.md) - - [Privileged Accounts Job Group](../../windows/privilegedaccounts/overview.md) - - [Privileged Accounts Job Group](../../windows/privilegedaccounts/overview.md) + - [0.Collection > SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md) + - [1.Users and Roles Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md) + - [3.Permissions Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/overview.md) + - [5.Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md) + - [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md) + - [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md) Some of the 0.Collection Job Group queries can be scoped to target specific databases/instances. However, it is necessary for the SA_SQL_Instances table to be populated before attempting to scope -the queries. Therefore, the [0-SQL_InstanceDiscovery Job](collection/0-sql_instancediscovery.md) +the queries. Therefore, the [0-SQL_InstanceDiscovery Job](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/0-sql_instancediscovery.md) must be manually executed before attempting to scope the 0.Collection Job Group queries. Targeted Host(s) 
@@ -50,7 +50,7 @@ The SQL Data Collector requires a specific set of permissions. See the Permissio necessary permissions. The account used can be either an Active Directory account or a SQL account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[SQL Custom Connection Profile & Default Dynamic Host List](../../../admin/datacollector/sql/configurejob.md) +[SQL Custom Connection Profile & Default Dynamic Host List](/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md) topic for additional information. The Connection Profile should be assigned under the SQL > 0.Collection > Settings > Connection node. @@ -59,7 +59,7 @@ this may not be the Connection Profile with the necessary permissions for the as the radio button for the Select one of the following user defined profiles option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency @@ -121,7 +121,7 @@ Dependencies profiles to accommodate multiple credentials. - Define and validate connection information in the Connection screen -- [0-AzureSQL_InstanceDiscovery Job](../azuresql/collection/0-azuresql_instancediscovery.md) run +- [0-AzureSQL_InstanceDiscovery Job](/docs/accessanalyzer/12.0/solutions/databases/azuresql/collection/0-azuresql_instancediscovery.md) run successfully Targeted Host(s) 
@@ -136,7 +136,7 @@ The SQL Data Collector requires a specific set of permissions. See the Permissio necessary permissions. The account used can be either an Active Directory account with database login enabled or a SQL account. Once the account has been provisioned, create a custom Connection Profile containing the credentials for the targeted environment. See the -[SQL Custom Connection Profile & Default Dynamic Host List](../../../admin/datacollector/sql/configurejob.md) +[SQL Custom Connection Profile & Default Dynamic Host List](/docs/accessanalyzer/12.0/admin/datacollector/sql/configurejob.md) topic for additional information. The Connection Profile should be assigned under the **Databases** > 0.Collection > Azure SQL > @@ -145,7 +145,7 @@ settings level. However, since this may not be the Connection Profile with the n for the assigned hosts, click the radio button for the Select one of the following user defined profiles option and select the appropriate Connection Profile drop-down menu. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md index dce334dfa5..c7e02523f3 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md 
@@ -3,13 +3,13 @@ The 5.Sensitive Data Job Group provides information on where sensitive data exists, and who has access to that sensitive data, across all targeted SQL and Azure SQL server databases. -![5.Sensitive Data Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup46.webp) +![5.Sensitive Data Job Group](/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup46.webp) The jobs in the 5.Sensitive Data Job Group are: -- [SQL_SensitiveData Job](sql_sensitivedata.md) – This job is designed to provide information on all +- [SQL_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedata.md) – This job is designed to provide information on all the sensitive data that was discovered in the targeted SQL or Azure SQL servers based on the selected scan criteria -- [SQL_SensitiveDataPermissions Job](sql_sensitivedatapermissions.md) – This job is designed to +- [SQL_SensitiveDataPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedatapermissions.md) – This job is designed to provide all types of permissions on database objects containing sensitive data across all the targeted SQL or Azure SQL servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedata.md index b83a99b3ea..73b669b98f 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedata.md 
@@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup47.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup47.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedatapermissions.md b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedatapermissions.md index f077d4fa9d..7fc98e6005 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedatapermissions.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/sql_sensitivedatapermissions.md @@ -11,7 +11,7 @@ node and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup48.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/sensitivedata/sqljobgroup48.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/sql_securityassessment.md b/docs/accessanalyzer/12.0/solutions/databases/sql/sql_securityassessment.md index 06991ccc31..037bf09a1c 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/sql_securityassessment.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/sql_securityassessment.md 
@@ -3,19 +3,19 @@ The SQL_SecurityAssessment Job summarizes and categorizes security findings into HIGH, MEDIUM, LOW, and NO FINDINGS categories based on severity. -![SQL_SecurityAssessment](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup49.webp) +![SQL_SecurityAssessment](/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup49.webp) Special Dependencies One or more of the following jobs or job groups must be run to produce results: -- [0.Collection > SQL Job Group](collection/overview.md) -- [SQL_PasswordIssues Job](usersroles/sql_passwordissues.md) -- [SQL_RoleMembers Job](usersroles/sql_rolemembers.md) -- [SQL_PublicPermissions Job](permissions/sql_publicpermissions.md) -- [5.Sensitive Data Job Group](sensitivedata/overview.md) -- [Privileged Accounts Job Group](../../windows/privilegedaccounts/overview.md) -- [Privileged Accounts Job Group](../../windows/privilegedaccounts/overview.md) +- [0.Collection > SQL Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/collection/overview.md) +- [SQL_PasswordIssues Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md) +- [SQL_RoleMembers Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md) +- [SQL_PublicPermissions Job](/docs/accessanalyzer/12.0/solutions/databases/sql/permissions/sql_publicpermissions.md) +- [5.Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/databases/sql/sensitivedata/overview.md) +- [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md) +- [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md) Only information collected from jobs/groups being run will produce findings. 
@@ -24,7 +24,7 @@ Only information collected from jobs/groups being run will produce findings. Navigate to the SQL > SQL_SecurityAssesment > Configure node and select Analysis to view the analysis task. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup50.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/sqljobgroup50.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md index 1e54d279b1..2e3f3001a0 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/overview.md 
@@ -3,24 +3,24 @@ The 1.Users and Roles Job Group is designed to provide insight into user security, roles, and object permissions to all SQL or Azure SQL server objects. -![Users and Roles Job Group](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup22.webp) +![Users and Roles Job Group](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup22.webp) The jobs in the 1.Users and Roles Job Group are: -- [SQL_DatabasePrinciples Job](sql_databaseprinciples.md) – This job group is designed to provide +- [SQL_DatabasePrinciples Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_databaseprinciples.md) – This job group is designed to provide detailed information on database principals across all the targeted SQL or Azure SQL server instances -- [SQL_PasswordIssues Job](sql_passwordissues.md) – This job group is designed to analyze the SQL or +- [SQL_PasswordIssues Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md) – This job group is designed to analyze the SQL or Azure SQL login passwords and evaluate if they comply with the prescribed password policies. In addition, it checks for weak passwords. 
-- [SQL_RoleMembers Job](sql_rolemembers.md) – This job is designed to analyze and provide +- [SQL_RoleMembers Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md) – This job is designed to analyze and provide information about all the role members in each o the SQL or Azure SQL server role groups, both at the instance and database level, across all the targeted SQL or Azure SQL servers -- [SQL_ServerPrincipals Job](sql_serverprincipals.md) – This job is designed to provide information +- [SQL_ServerPrincipals Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_serverprincipals.md) – This job is designed to provide information about all the server principals on the instances across all the targeted SQL or Azure SQL servers -- [SQL_SQLLogins Job](sql_sqllogins.md) – This job is designed to provide information on both +- [SQL_SQLLogins Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sqllogins.md) – This job is designed to provide information on both successful and failed SQL or Azure SQL server logins across all the targeted SQL or Azure SQL servers -- [SQL_SysAdmins Job](sql_sysadmins.md) – This job group is designed to provide insight into all the +- [SQL_SysAdmins Job](/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sysadmins.md) – This job group is designed to provide insight into all the users who have SQL or Azure SQL server administration roles across all the targeted SQL or Azure SQL servers diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_databaseprinciples.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_databaseprinciples.md index f48017499c..39c1bf1728 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_databaseprinciples.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_databaseprinciples.md 
@@ -11,7 +11,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup23.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup23.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md index 2e010cf4f9..8760cd2afb 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_passwordissues.md @@ -10,11 +10,11 @@ The Collect Weak Passwords Job uses the PowerShell Data Collector for the follow **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup24.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup24.webp) - Collect Weak Passwords – Locate the dictionary file containing the weak passwords and import the passwords - - See [PowerShell Data Collector](../../../../admin/datacollector/powershell/overview.md) for + - See [PowerShell Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/powershell/overview.md) for additional information. ## Analysis Tasks for the SQL_PasswordIssues Job 
@@ -25,7 +25,7 @@ and select Analysis to view the analysis tasks. **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified and or deselected unless otherwise specified. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqlpasswordissuesanalysistasks.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqlpasswordissuesanalysistasks.webp) The default analysis tasks are: @@ -34,7 +34,7 @@ The default analysis tasks are: - @ShowPassword – Set to **0** by default. Set to **1** to enable the analysis task to bring back the plain-text password that was found - See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information on modifying analysis parameters. - Shared Passwords – Highlights SQL Server Logins with shared password hashes - No Password – Inserts users that do not have a password set into the details table diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md index afb7903280..f2425cb8d9 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_rolemembers.md 
@@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup26.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup26.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_serverprincipals.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_serverprincipals.md index 6af410a7da..c6b448e417 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_serverprincipals.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_serverprincipals.md @@ -11,7 +11,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup27.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup27.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sqllogins.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sqllogins.md index bf331f7221..c055959047 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sqllogins.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sqllogins.md 
@@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup28.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup28.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sysadmins.md b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sysadmins.md index b339f8a860..669a60a2b3 100644 --- a/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sysadmins.md +++ b/docs/accessanalyzer/12.0/solutions/databases/sql/usersroles/sql_sysadmins.md @@ -11,7 +11,7 @@ Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task(s). The analysis task(s) are preconfigured for this job. -![Analysis Selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup29.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/databases/sql/usersroles/sqljobgroup29.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_permissions_scan.md b/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_permissions_scan.md index 90cadd8230..a87eea4c86 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_permissions_scan.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_permissions_scan.md 
@@ -11,7 +11,7 @@ environment. The 1-Dropbox_Permissions Scan job has been preconfigured to run with the default settings with the category of Dropbox Access. -![Queries for the 1-Dropbox_Permissions Scan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscanquery.webp) +![Queries for the 1-Dropbox_Permissions Scan Job](/img/product_docs/accessanalyzer/solutions/databases/db2/collection/permissionsscanquery.webp) The query for the 1-Dropbox_Permissions Scan job is: @@ -31,7 +31,7 @@ window. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Dropbox Access Auditor Data Collector Wizard opens. -![Dropbox Access Auditor Data Collector Wizard Scan Options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsscanoptionspage.webp) +![Dropbox Access Auditor Data Collector Wizard Scan Options page](/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsscanoptionspage.webp) **Step 4 –** T Use the Scan Options page ito generate the access token prior to the first execution of the job group. 
@@ -40,12 +40,12 @@ of the job group. button, and use it in the Connection Profile assigned to the Dropbox Solution. Once the access token has been generated and copied, if no customizations are to be made, click **Cancel** to close the Dropbox Access Auditor Data Collector wizard. -- See the [DropboxAccess: Scan Options](../../../admin/datacollector/dropboxaccess/scanoptions.md) +- See the [DropboxAccess: Scan Options](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md) topic for full instructions on generating the access token **Step 5 –** If query customizations are desired, click **Next** to continue. -![Dropbox Access Auditor Data Collector Wizard Scoping page](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsscopingpage.webp) +![Dropbox Access Auditor Data Collector Wizard Scoping page](/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsscopingpage.webp) **Step 6 –** On the Scoping page, select whether to scan **All Users** or **Limited Users**. If **Limited Users** is selected, browse to a CSV file with one email address per row for the desired diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_sdd_scan.md b/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_sdd_scan.md index ed565bc1f7..6dbf34a671 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_sdd_scan.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_sdd_scan.md 
@@ -8,7 +8,7 @@ policies, configurations, content and sensitive data. The 1-Dropbox_SDD Scan job has been preconfigured to run under the default settings within the category of Scan for Sensitive Content. -![Queries for the 1-Dropbox_SDD Scan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddscanquery.webp) +![Queries for the 1-Dropbox_SDD Scan Job](/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddscanquery.webp) The query for the 1-Dropbox_SDD Scan job is: @@ -28,16 +28,16 @@ window. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The Dropbox Access Auditor Data Collector Wizard opens. -![Dropbox Access Auditor Data Collector Wizard Scoping page](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddscopingpage.webp) +![Dropbox Access Auditor Data Collector Wizard Scoping page](/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddscopingpage.webp) **Step 4 –** On the Scoping page, select whether to scan **All Users** or **Limited Users**. If **Limited Users** is selected, browse to a CSV file with one email address per row for the desired users. In the File Permissions section, select the **Collect File Level Permissions** checkbox to collect permissions at the file level. See the -[DropboxAccess: Scoping](../../../admin/datacollector/dropboxaccess/scoping.md) topic for additional +[DropboxAccess: Scoping](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md) topic for additional information. -![Dropbox Access Auditor Data Collector Wizard DLP Audit Settings page](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/sdddlpsettings.webp) +![Dropbox Access Auditor Data Collector Wizard DLP Audit Settings page](/img/product_docs/accessanalyzer/solutions/dropbox/collection/sdddlpsettings.webp) **Step 5 –** On theDLP Audit Settings page: 
@@ -47,19 +47,19 @@ information. - Enable differential scanning See the -[DropboxAccess: DLP Audit Settings](../../../admin/datacollector/dropboxaccess/dlpauditsettings.md) +[DropboxAccess: DLP Audit Settings](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/dlpauditsettings.md) topic for additional information. -![Dropbox Access Auditor Data Collector Wizard Select DLP criteria page](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddselectdlpcriteria.webp) +![Dropbox Access Auditor Data Collector Wizard Select DLP criteria page](/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddselectdlpcriteria.webp) **Step 6 –** On the Select DLP Criteria for This Scan page , add or remove criteria as desired. - (Optional) Create custom criteria with the **Edit** option. See the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. See the -[DropboxAccess: Select DLP Criteria](../../../admin/datacollector/dropboxaccess/selectdlpcriteria.md) +[DropboxAccess: Select DLP Criteria](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/selectdlpcriteria.md) topic for additional information. **Step 7 –** On the Completion Page, click **Finish** to save any setting modifications or click diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_permissions_bulk_import.md b/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_permissions_bulk_import.md index 7c7418a26f..632474d939 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_permissions_bulk_import.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_permissions_bulk_import.md 
@@ -11,7 +11,7 @@ environment. The 2-Dropbox_Permissions Bulk Import job has been preconfigured to run with the default settings with the category of Bulk Import Access Scan Results. -![Queries for the 2-Dropbox_Permissions Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsbulkimportquery.webp) +![Queries for the 2-Dropbox_Permissions Bulk Import Job](/img/product_docs/accessanalyzer/solutions/dropbox/collection/permissionsbulkimportquery.webp) The query for the 2-Dropbox_Permissions Bulk Import job is: diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_sdd_bulk_import.md b/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_sdd_bulk_import.md index f61e3fa1df..2cf17b2b77 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_sdd_bulk_import.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_sdd_bulk_import.md @@ -8,7 +8,7 @@ Access Analyzer database for use by the analysis tasks. The 2-Dropbox_SDD Bulk Import Job has been preconfigured to run with the default settings with the category of Bulk Import Sensitive Content Scan. -![Queries for the 2-Dropbox_SDD Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddbulkimportquery.webp) +![Queries for the 2-Dropbox_SDD Bulk Import Job](/img/product_docs/accessanalyzer/solutions/dropbox/collection/sddbulkimportquery.webp) The query for the 2-Dropbox_SDD Bulk Import job is: diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/collection/overview.md b/docs/accessanalyzer/12.0/solutions/dropbox/collection/overview.md index 09bcc742d5..d2cea6942c 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/collection/overview.md 
@@ -4,21 +4,21 @@ The **Dropbox** > **0.Collection** job group scans the targeted Dropbox site usi Data Collector. The collected data is then available to other job groups in the Dropbox solution and the Access Information Center for analysis. -![0.Collection Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 0.Collection job group is comprised of: -- [1-Dropbox_Permissions Scan Job](1-dropbox_permissions_scan.md) – This job is responsible for +- [1-Dropbox_Permissions Scan Job](/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_permissions_scan.md) – This job is responsible for scanning the target Dropbox site -- [1-Dropbox_SDD Scan Job](1-dropbox_sdd_scan.md) – This job is responsible for scanning sensitive +- [1-Dropbox_SDD Scan Job](/docs/accessanalyzer/12.0/solutions/dropbox/collection/1-dropbox_sdd_scan.md) – This job is responsible for scanning sensitive data in the target Dropbox site. The Sensitive Data Discovery Add-On is required to run this job. The Dropbox sensitive data Discovery Reports in the Access Information Center are also populated by this data. See the Resource Audits Overview topic in the [Netwrix Access Information Center Documentation](https://helpcenter.netwrix.com/category/accessinformationcenter) for additional information. 
-- [2-Dropbox_Permissions Bulk Import Job](2-dropbox_permissions_bulk_import.md) – This job is +- [2-Dropbox_Permissions Bulk Import Job](/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_permissions_bulk_import.md) – This job is responsible for importing the collected data into the Access Analyzer database -- [2-Dropbox_SDD Bulk Import Job](2-dropbox_sdd_bulk_import.md) – This job is responsible for +- [2-Dropbox_SDD Bulk Import Job](/docs/accessanalyzer/12.0/solutions/dropbox/collection/2-dropbox_sdd_bulk_import.md) – This job is responsible for importing the collected sensitive data into the Access Analyzer database. The Sensitive Data Discovery Add-On is required to run this job. The Dropbox sensitive data Discovery Reports in the Access Information Center are also populated by this data. See the Resource Audits Overview topic diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_access.md b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_access.md index a3e5397bd7..affbaa5732 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_access.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_access.md @@ -5,7 +5,7 @@ Dropbox environment, specifically highlighting inactive access rights that can b dependent on data collected by the 0.Collection job group. This job processes analysis tasks and generates reports. -![1.Access > Dropbox_Access Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/accessjobstree.webp) +![1.Access > Dropbox_Access Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/dropbox/accessjobstree.webp) The Dropbox_Access job is located in the 1.Access job group. 
@@ -17,7 +17,7 @@ pbox_Access** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Dropbox_Access Job](../../../../../static/img/product_docs/accessanalyzer/solutions/box/accessanalysis.webp) +![Analysis Tasks for the Dropbox_Access Job](/img/product_docs/accessanalyzer/solutions/box/accessanalysis.webp) - Get access details – Creates the SA_Dropbox_Access_Details table accessible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md index cde4072a94..36c3c2fac2 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md @@ -4,7 +4,7 @@ The Dropbox_Content job provides insight into the type, size, and age of the con targeted Dropbox environment. It is dependent on data collected by the 0.Collection job group. This job processes analysis tasks and generates reports. -![4.Content > Dropbox_Content Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/content/contentjobstree.webp) +![4.Content > Dropbox_Content Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/content/contentjobstree.webp) The Dropbox_Content job is located in the 4.Content job group. 
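Review bot: the added image line for "4.Content > Dropbox_Content Job in the Jobs Tree" still resolves to the SharePoint asset directory (`/img/product_docs/accessanalyzer/solutions/sharepoint/content/contentjobstree.webp`), carried over unchanged from the removed line. Confirm that this file actually shows the Dropbox jobs tree. If it does, consider moving it under `solutions/dropbox/`, as dropbox_access.md already does with `dropbox/accessjobstree.webp`, so the path matches the page that uses it.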
@@ -12,7 +12,7 @@ The Dropbox_Content job is located in the 4.Content job group. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The Dropbox_Content job has the following customizable parameter: @@ -31,7 +31,7 @@ View the analysis tasks by navigating to the **Jobs** > **Dropbox** > **4.Conten **CAUTION:** Most of the analysis tasks should not be modified or deselected. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Dropbox_Content Job](../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentanalysis.webp) +![Analysis Tasks for the Dropbox_Content Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentanalysis.webp) - Summarizes content by mimetype, classification – Creates an interim processing table in the database for use by downstream analysis and report generation @@ -65,5 +65,5 @@ enables you to easily set this value. The parameter can be customized and is listed in a section at the bottom of the SQL Script Editor. See the -[Configure the Customizable Parameters in an Analysis Task](../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_groupmembership.md b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_groupmembership.md index 61b8f3f92f..84ed553a41 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_groupmembership.md 
+++ b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_groupmembership.md @@ -4,7 +4,7 @@ The Dropbox_GroupMembership job provides insight into group membership within th environment, highlighting the largest groups. It is dependent on data collected by the 0.Collection job group. This job processes analysis tasks and generates a report. -![3.Group Membership > Dropbox_GroupMembership Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/groupmembershipjobstree.webp) +![3.Group Membership > Dropbox_GroupMembership Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/dropbox/groupmembershipjobstree.webp) The Dropbox_GroupMembership job is located in the 3.Group Membership job group. @@ -16,7 +16,7 @@ View the analysis tasks by navigating to the **Jobs** > **Dropbox** > **3.Group **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Dropbox_GroupMembership Job](../../../../../static/img/product_docs/accessanalyzer/solutions/box/groupmembershipanalysis.webp) +![Analysis Tasks for the Dropbox_GroupMembership Job](/img/product_docs/accessanalyzer/solutions/box/groupmembershipanalysis.webp) - Get group membership details – Creates an interim processing table in the database for use by downstream analysis and report generation diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sensitivedata.md index 5776492460..4958e72c62 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sensitivedata.md 
@@ -6,7 +6,7 @@ discovered by the Dropbox SDD jobs. The generated reports give visibility into t sensitive data found, where it exists, who has access to it, and the sharing policies configured on it. -![5.Sensitive Data > Dropbox_SensitiveData Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) +![5.Sensitive Data > Dropbox_SensitiveData Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) The Dropbox_SensitiveData job is located in the 5.Sensitive Data job group. @@ -18,7 +18,7 @@ View the analysis tasks by navigating to the **Jobs** > **Dropbox** > **5.Sensit **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Dropbox_SensitiveData Job](../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) +![Analysis Tasks for the Dropbox_SensitiveData Job](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) - 1. Enterprise Summary – Creates the SA_Dropbox_SensitiveData_EnterpriseSummary table accessible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sharing.md b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sharing.md index d8e99351fd..69ad02168b 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sharing.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sharing.md 
@@ -7,7 +7,7 @@ sharing occurs. Best practices often dictate that these resources should be care to the amount of access to the data. If these resources contain privileged data, the access should be reevaluated or the sensitive resources relocated. -![2.Sharing > Dropbox_Sharing Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/dropbox/sharingjobstree.webp) +![2.Sharing > Dropbox_Sharing Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/dropbox/sharingjobstree.webp) The Dropbox_Sharing job is located in the 2.Sharing job group. @@ -19,7 +19,7 @@ View the analysis tasks by navigating to the **Jobs** > **Dropbox** > **2.Sharin **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the Dropbox_Sharing Job](../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/sharinganalysis.webp) +![Analysis Tasks for the Dropbox_Sharing Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/sharinganalysis.webp) - Get shared folder details – Creates the SA_Dropbox_Sharing_Details table accessible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/overview.md b/docs/accessanalyzer/12.0/solutions/dropbox/overview.md index 0e0c368bbb..88a4ada85d 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/overview.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/overview.md @@ -15,7 +15,7 @@ scanning the targeted Dropbox site. Key information includes: Dropbox can scan the contents of over 400 file types to discover which files contain sensitive data using Sensitive Data Discovery. See the -[Sensitive Data Discovery](../../sensitivedatadiscovery/overview.md) topic for additional +[Sensitive Data Discovery](/docs/accessanalyzer/12.0/sensitivedatadiscovery/overview.md) topic for additional information. Supported Platforms 
@@ -24,7 +24,7 @@ Supported Platforms Requirements, Permissions, and Ports -See the [Target Dropbox Requirements, Permissions, and Ports](../../requirements/target/dropbox.md) +See the [Target Dropbox Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/dropbox.md) topic for additional information. Sensitive Data Discovery Considerations 
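Review bot: the replacement link `/docs/accessanalyzer/12.0/requirements/target/dropbox.md` hardcodes the `12.0` version segment, which the removed relative link `../../requirements/target/dropbox.md` did not need. If the 12.0 tree is later copied to create another version, this link and the other absolute links in this file will keep pointing at 12.0 content. Either keep intra-version links relative, or add a link check or a documented find-and-replace step for version copies.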
@@ -52,22 +52,22 @@ data and generate reports. The Dropbox Solution offers an overview of an organization’s Dropbox environment by scanning the targeted Dropbox site. It is comprised of jobs which collect, analyze, and report on data. The data collection is conducted by the DropboxAccess Data Collector. See the -[Standard Reference Tables & Views for the DropboxAccess Data Collector](../../admin/datacollector/dropboxaccess/standardtables.md) +[Standard Reference Tables & Views for the DropboxAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/standardtables.md) topic for database table information. -![Dropbox Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Dropbox Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The following jobs comprise the Dropbox Solution: -- [0.Collection Job Group](collection/overview.md) – Scans the targeted Dropbox site and generates +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/dropbox/collection/overview.md) – Scans the targeted Dropbox site and generates the standard reference tables and views -- [1.Access > Dropbox_Access Job](dropbox_access.md) – Reports on effective access to Dropbox +- [1.Access > Dropbox_Access Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_access.md) – Reports on effective access to Dropbox resources in the targeted environment -- [2.Sharing > Dropbox_Sharing Job](dropbox_sharing.md) – Reports on the sharing of Dropbox +- [2.Sharing > Dropbox_Sharing Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sharing.md) – Reports on the sharing of Dropbox resources in the targeted environment -- [3.Group Membership > Dropbox_GroupMembership Job](dropbox_groupmembership.md) – Reports on +- [3.Group Membership > Dropbox_GroupMembership Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_groupmembership.md) – Reports on Dropbox group 
membership in the targeted environment -- [4.Content > Dropbox_Content Job](dropbox_content.md) – Reports on Dropbox content by size, type, +- [4.Content > Dropbox_Content Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md) – Reports on Dropbox content by size, type, and owner in the targeted environment -- [5.Sensitive Data > Dropbox_SensitiveData Job](dropbox_sensitivedata.md) – Reports on sensitive +- [5.Sensitive Data > Dropbox_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_sensitivedata.md) – Reports on sensitive data in the targeted Dropbox site diff --git a/docs/accessanalyzer/12.0/solutions/dropbox/recommended.md b/docs/accessanalyzer/12.0/solutions/dropbox/recommended.md index f73db80dc7..2fee27ebe3 100644 --- a/docs/accessanalyzer/12.0/solutions/dropbox/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/dropbox/recommended.md @@ -19,7 +19,7 @@ Dropbox Access Auditor Data Collector Wizard on the Scan Options page (accessed **1-Dropbox_Permissions Scan** job’s **Queries** node). The access token only needs to be generated once, prior to running the job group for the first time. Then it is used as the credential in the Connection Profile. See the -[DropboxAccess: Scan Options](../../admin/datacollector/dropboxaccess/scanoptions.md) topic for +[DropboxAccess: Scan Options](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scanoptions.md) topic for additional information. The Dropbox solution has been configured to inherit the Connection Profile from the collection job 
@@ -28,11 +28,11 @@ group level. The Connection Profile should be assigned under the **Dropbox** > * global settings level. However, since this may not be the Connection Profile with the necessary permissions for Dropbox, select the **Select one of the following user defined profiles** option and select the appropriate Connection Profile from the drop-down menu. See the -[Custom Dropbox Connection Profile & Host List](../../admin/datacollector/dropboxaccess/configurejob.md) +[Custom Dropbox Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/configurejob.md) topic for additional information on configuring the Dropbox credential. The Dropbox bulk import jobs requires the same connection profile as used in the corresponding Dropbox scan jobs -See the [Connection](../../admin/settings/connection/overview.md) topic for additional information +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information on creating Connection Profiles. Schedule Frequency @@ -63,7 +63,7 @@ Query Configuration This solution can be run with the default query configurations. The Scoping page of the Dropbox Access Auditor Data Collector Wizard can be customized to target specific user accounts. See the -[DropboxAccess: Scoping](../../admin/datacollector/dropboxaccess/scoping.md) topic for additional +[DropboxAccess: Scoping](/docs/accessanalyzer/12.0/admin/datacollector/dropboxaccess/scoping.md) topic for additional information. Analysis Configuration @@ -80,7 +80,7 @@ modified: - Configured within the **4.Content** > **Dropbox_Content** job - **Determines stale data by owner** analysis task - - See the [4.Content > Dropbox_Content Job](dropbox_content.md) topic for additional information + - See the [4.Content > Dropbox_Content Job](/docs/accessanalyzer/12.0/solutions/dropbox/dropbox_content.md) topic for additional information Additional Consideration 
diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_circularnesting.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_circularnesting.md index 23e1155298..705f264dea 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_circularnesting.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_circularnesting.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_CircularNesting Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) +![Analysis tasks for AAD_CircularNesting Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_duplicategroups.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_duplicategroups.md index 274f07f462..a77b7cef88 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_duplicategroups.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_duplicategroups.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Anaylsis tasks for AAD_DuplicateGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) +![Anaylsis tasks for AAD_DuplicateGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) The default analysis tasks are: 
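Review bot: the alt text on the added image line in aad_duplicategroups.md still reads "Anaylsis tasks for AAD_DuplicateGroups Job"; correct it to "Analysis" while the line is being rewritten. The path also points at `activedirectory/groups/duplicategroupsanalysis.webp` for an Entra ID job, so check that the screenshot matches the AAD_DuplicateGroups analysis tasks.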
diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_emptygroups.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_emptygroups.md index 8c39dbc578..b9327881ef 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_emptygroups.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_emptygroups.md @@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_EmptyGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) +![Analysis tasks for AAD_EmptyGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_groupdirsync.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_groupdirsync.md index b5cd404190..20511a09b5 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_groupdirsync.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_groupdirsync.md @@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_GroupDirSync Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/entraid/groups/groupdirsyncanalysis.webp) +![Analysis tasks for AAD_GroupDirSync Job](/img/product_docs/accessanalyzer/solutions/entraid/groups/groupdirsyncanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_largestgroups.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_largestgroups.md index 981f93be5f..13ccde48c5 100644 
--- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_largestgroups.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_largestgroups.md @@ -12,7 +12,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_LargestGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) +![Analysis tasks for AAD_LargestGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_nestedgroups.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_nestedgroups.md index 88cbfe709f..5d9a0929f3 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_nestedgroups.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_nestedgroups.md @@ -13,7 +13,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_NestedGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) +![Analysis tasks for AAD_NestedGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_probableowners.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_probableowners.md index 6e72f0be7c..798103e688 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_probableowners.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_probableowners.md 
@@ -12,7 +12,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_ProbableOwners Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/entraid/groups/probableownersanalysis.webp) +![Analysis tasks for AAD_ProbableOwners Job](/img/product_docs/accessanalyzer/solutions/entraid/groups/probableownersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_stalegroups.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_stalegroups.md index 93e757b332..56c9a90c99 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_stalegroups.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_stalegroups.md @@ -13,7 +13,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis tasks for AAD_StaleGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) +![Analysis tasks for AAD_StaleGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/groups/overview.md b/docs/accessanalyzer/12.0/solutions/entraid/groups/overview.md index 6a771d7bb0..495d663608 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/groups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/groups/overview.md 
@@ -3,32 +3,32 @@ The jobs in the 1.Groups group identify group conditions and areas of administrative concern within Microsoft Entra ID, such as toxic group conditions or synchronization issues. -![1.Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 1.Groups Job Group are: -- [AAD_CircularNesting Job](aad_circularnesting.md) – Identifies circularly-nested groups within +- [AAD_CircularNesting Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_circularnesting.md) – Identifies circularly-nested groups within Microsoft Entra ID which can pose administrative and operational challenges with identifying effective access to resources -- [AAD_DuplicateGroups Job](aad_duplicategroups.md) – Identifies duplicate groups within Microsoft +- [AAD_DuplicateGroups Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_duplicategroups.md) – Identifies duplicate groups within Microsoft Entra ID. 
Duplicate groups contain the same group membership as one another and are suitable candidates for cleanup -- [AAD_EmptyGroups Job](aad_emptygroups.md) – Identifies empty groups within Microsoft Entra ID +- [AAD_EmptyGroups Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_emptygroups.md) – Identifies empty groups within Microsoft Entra ID which are suitable candidates for consolidation or cleanup -- [AAD_GroupDirSync Job](aad_groupdirsync.md) – Summarizes on-premises Active Directory syncing in +- [AAD_GroupDirSync Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_groupdirsync.md) – Summarizes on-premises Active Directory syncing in the audited Microsoft Entra ID environment -- [AAD_LargestGroups Job](aad_largestgroups.md) – Identifies groups with large effective member +- [AAD_LargestGroups Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_largestgroups.md) – Identifies groups with large effective member counts. These types of groups may cause administrative overhead and burden in being able to easily understand who is getting access to resources, or how much access is being granted to resources through these groups. -- [AAD_NestedGroups Job](aad_nestedgroups.md) – Identifies nested groups within Microsoft Entra ID +- [AAD_NestedGroups Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_nestedgroups.md) – Identifies nested groups within Microsoft Entra ID and provides details such as the levels of nesting. While Microsoft Entra ID provides the ability to nest certain types of groups within other groups, Microsoft recommends nesting does not go beyond two levels in order to avoid difficulties in understanding effective membership and access. 
-- [AAD_ProbableOwners Job](aad_probableowners.md) – Determines potential owners for Microsoft Entra +- [AAD_ProbableOwners Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_probableowners.md) – Determines potential owners for Microsoft Entra ID Groups which can be used to perform automated membership reviews and enable self-service group management and membership requests -- [AAD_StaleGroups Job](aad_stalegroups.md)– Identifies Microsoft Entra ID groups that contain +- [AAD_StaleGroups Job](/docs/accessanalyzer/12.0/solutions/entraid/groups/aad_stalegroups.md)– Identifies Microsoft Entra ID groups that contain potentially stale users. Users are considered stale if they have never logged onto the domain, have not logged onto the domain in the past 30 days, or are disabled. These group memberships should be reviewed and possibly removed. diff --git a/docs/accessanalyzer/12.0/solutions/entraid/overview.md b/docs/accessanalyzer/12.0/solutions/entraid/overview.md index 3bed2ef732..9d3a95ef28 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/overview.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/overview.md @@ -11,13 +11,13 @@ Supported Platforms Requirements, Permissions, and Ports -See the [Microsoft Entra ID Tenant Target Requirements](../../config/entraid/overview.md) topic +See the [Microsoft Entra ID Tenant Target Requirements](/docs/accessanalyzer/12.0/config/entraid/overview.md) topic for additional information. Location The Entra ID Solution requires a special Access Analyzer license. It can be installed from the -Instant Job Wizard, see the [Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic for +Instant Job Wizard, see the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **Entra ID**. 
@@ -26,11 +26,11 @@ generate reports on the collected data. ## Job Groups -![Entra ID Job Group Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Entra ID Job Group Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The job groups in the Entra ID Solution are: -- [1.Groups Job Group](groups/overview.md) – Identifies group conditions and pinpoints potential +- [1.Groups Job Group](/docs/accessanalyzer/12.0/solutions/entraid/groups/overview.md) – Identifies group conditions and pinpoints potential areas of administrative concern -- [2.Users Job Group](users/overview.md) – Identifies areas of administrative concern related to +- [2.Users Job Group](/docs/accessanalyzer/12.0/solutions/entraid/users/overview.md) – Identifies areas of administrative concern related to Microsoft Entra ID users diff --git a/docs/accessanalyzer/12.0/solutions/entraid/recommended.md b/docs/accessanalyzer/12.0/solutions/entraid/recommended.md index cd96ff37a4..18186e8e2f 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/recommended.md @@ -10,7 +10,7 @@ Running the .Entra ID Inventory Job Group provides essential data to the Entra Running the .Active Directory Inventory Job Group is required to collect on-premises directory syncing information. See the -[.Active Directory Inventory Solution](../activedirectoryinventory/overview.md) topic for additional +[.Active Directory Inventory Solution](/docs/accessanalyzer/12.0/solutions/activedirectoryinventory/overview.md) topic for additional information. Targeted Hosts 
@@ -38,7 +38,7 @@ Solution. Information received includes manager, email addresses, and direct mem within the **.Entra ID Inventory** > **2-AAD_Exceptions** Job's Deeply Nested Groups and Large Groups analysis tasks. -See the [.Entra ID Inventory Solution](../entraidinventory/overview.md) topic for additional +See the [.Entra ID Inventory Solution](/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md) topic for additional information. Workflow diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_directmembership.md b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_directmembership.md index f61a6dfc40..afdeec0c79 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_directmembership.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_directmembership.md @@ -12,7 +12,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AAD_DirectMembership Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/directmembershipanalysis.webp) +![Analysis Tasks for the AAD_DirectMembership Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/directmembershipanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_disabledusers.md b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_disabledusers.md index c6a0f49ef2..3bfd06a6e7 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_disabledusers.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_disabledusers.md 
@@ -11,7 +11,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AAD_DisabledUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/entraid/users/disabledusersanalysis.webp) +![Analysis Tasks for the AAD_DisabledUsers Job](/img/product_docs/accessanalyzer/solutions/entraid/users/disabledusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_staleusers.md b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_staleusers.md index 4f2165c410..fbbef050b5 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_staleusers.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_staleusers.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AAD_StaleUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) +![Analysis Tasks for the AAD_StaleUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userattributecompletion.md b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userattributecompletion.md index a44e321679..f951a4b066 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userattributecompletion.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userattributecompletion.md 
@@ -12,7 +12,7 @@ Navigate to the **Jobs** > **Entra ID** > **2.Users** > **AAD_UserAttributeCompl **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AAD_UserAttributeCompletion Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/userattributecompletionanalysis.webp) +![Analysis Tasks for the AAD_UserAttributeCompletion Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/userattributecompletionanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userdirsync.md b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userdirsync.md index f255020221..63c5083eb9 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userdirsync.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userdirsync.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the AAD_UserDirSync Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/entraid/users/userdirsyncanalysis.webp) +![Analysis Tasks for the AAD_UserDirSync Job](/img/product_docs/accessanalyzer/solutions/entraid/users/userdirsyncanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/entraid/users/overview.md b/docs/accessanalyzer/12.0/solutions/entraid/users/overview.md index 691fc97565..72027428bc 100644 --- a/docs/accessanalyzer/12.0/solutions/entraid/users/overview.md +++ b/docs/accessanalyzer/12.0/solutions/entraid/users/overview.md 
@@ -3,22 +3,22 @@ The jobs in the 2.Users group identify user conditions and pinpoint potential areas of administrative concerns within Microsoft Entra ID such as disabled or stale users. -![2.Users Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Users Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 2.Users Job Group are: -- [AAD_DirectMembership Job](aad_directmembership.md) – Identifies Microsoft Entra ID users who do +- [AAD_DirectMembership Job](/docs/accessanalyzer/12.0/solutions/entraid/users/aad_directmembership.md) – Identifies Microsoft Entra ID users who do not have any group membership. This condition may indicate unnecessary user accounts that are suitable candidates for review and cleanup. -- [AAD_DisabledUsers Job](aad_disabledusers.md) – Identifies disabled user accounts within Microsoft +- [AAD_DisabledUsers Job](/docs/accessanalyzer/12.0/solutions/entraid/users/aad_disabledusers.md) – Identifies disabled user accounts within Microsoft Entra ID. These accounts should be reviewed and cleaned up in order to increase security and reduce complexity. -- [AAD_StaleUsers Job](aad_staleusers.md)– Identifies potentially stale users based on a variety of +- [AAD_StaleUsers Job](/docs/accessanalyzer/12.0/solutions/entraid/users/aad_staleusers.md)– Identifies potentially stale users based on a variety of factors. These accounts should be reviewed and cleaned up in order to increase security and reduce complexity. -- [AAD_UserAttributeCompletion Job](aad_userattributecompletion.md)– Identifies which attributes are +- [AAD_UserAttributeCompletion Job](/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userattributecompletion.md)– Identifies which attributes are present within User fields in Microsoft Entra ID, and which ones are blank for a majority of objects. 
This may indicate accounts within Microsoft Entra ID which are lacking appropriate information. -- [AAD_UserDirSync Job](aad_userdirsync.md) – Summarizes on-premises Active Directory syncing in the +- [AAD_UserDirSync Job](/docs/accessanalyzer/12.0/solutions/entraid/users/aad_userdirsync.md) – Summarizes on-premises Active Directory syncing in the audited Microsoft Entra ID environment diff --git a/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md b/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md index 575ddcc655..c8f28d7d55 100644 --- a/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md +++ b/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md @@ -6,14 +6,14 @@ activity with the scan. **NOTE:** This job requires an Microsoft Entra ID application with the appropriate permissions to perform the scan. See the -[Microsoft Entra ID Tenant Target Requirements](../../config/entraid/overview.md) topic for +[Microsoft Entra ID Tenant Target Requirements](/docs/accessanalyzer/12.0/config/entraid/overview.md) topic for information on the prerequisites for this job. ## Queries for the 1-AAD_Scan Job The 1-AAD_Scan job uses the AzureADInventory and Entra Data Collectors for the following queries: -![Query Selection page](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryselection.webp) +![Query Selection page](/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryselection.webp) - AAD Inventory – Targets Microsoft Entra tenants to collect inventory data for user group objects 
@@ -31,17 +31,17 @@ ID. Follow the steps to customize configurations. **Step 1 –** Navigate to the **.Entra ID Inventory** > **1-AAD_Scan** > **Configure** node and select **Queries**. -![Query Properties button on Query Selection page](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryselectionproperties.webp) +![Query Properties button on Query Selection page](/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryselectionproperties.webp) **Step 2 –** In the Query Selection view, click on **Query Properties** to open the Query Properties window. -![Query Properties window](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryproperties.webp) +![Query Properties window](/img/product_docs/accessanalyzer/solutions/entraidinventory/scanqueryproperties.webp) **Step 3 –** Select the **Data Source** tab, and click **Configure** to open the Entra ID Inventory DC Wizard. -![Entra ID Inventory DC Wizard Options page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptions.webp) +![Entra ID Inventory DC Wizard Options page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardoptions.webp) **Step 4 –** On the Options page, select the different Scan Options as needed: @@ -54,7 +54,7 @@ DC Wizard. objects. A message will alert users that deselecting this option will disable this function. - Collect Directory Audit Events – Collect Microsoft Entra ID audit logs -![Entra ID Inventory DC Wizard Custom Attributes page](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributes.webp) +![Entra ID Inventory DC Wizard Custom Attributes page](/img/product_docs/accessanalyzer/solutions/activedirectoryinventory/scandcwizardcustomattributes.webp) **Step 5 –** On the Custom Attributes page, click **Add** or **Import** to add or import custom attributes. 
@@ -65,7 +65,7 @@ attributes. **NOTE:** Enabling this option overrides the differential scan setting and will direct the data controller to run a full scan every time the job is run. -- See the [AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/overview.md) +- See the [AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/overview.md) topic for additional information on adding and importing custom attributes. **Step 6 –** Navigate to the Summary page. Click **Finish** to save changes or click **Cancel** to @@ -81,7 +81,7 @@ Navigate to the **.Entra ID Inventory** > **1-AAD_Scan** > **Configure** node an **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for 1-AAD_Scan Job](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/scananalysistasks.webp) +![Analysis Tasks for 1-AAD_Scan Job](/img/product_docs/accessanalyzer/solutions/entraidinventory/scananalysistasks.webp) The default analysis tasks are: @@ -100,7 +100,7 @@ The default analysis tasks are: and report generation In addition to the tables and views listed in the -[Standard Reference Tables & Views for the AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/standardtables.md) +[Standard Reference Tables & Views for the AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/standardtables.md) topic, the 1-AAD_Scan job produces the following preconfigured report. | Report | Description | Default Tags | Report Elements | diff --git a/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md b/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md index 7821b644e9..6507cb481c 100644 --- a/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md +++ b/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md 
@@ -13,7 +13,7 @@ modified. deselected. There are a few which are deselected by default, as they are for troubleshooting purposes. -![Analysis Tasks for 2-AAD_Exceptions Job](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionsanalysistasks.webp) +![Analysis Tasks for 2-AAD_Exceptions Job](/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionsanalysistasks.webp) The default analysis tasks are: @@ -73,7 +73,7 @@ The default values for parameters that can be customized are: See the [Configure the Analysis Tasks for the 2-AAD_Exceptions Job](#configure-the-analysis-tasks-for-the-2-aad_exceptions-job) section for instructions to modify parameters. See the -[AzureADInventory Exception Types Translated](../../admin/datacollector/azureadinventory/standardtables.md#azureadinventory-exception-types-translated) +[AzureADInventory Exception Types Translated](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/standardtables.md#azureadinventory-exception-types-translated) topic for an explanation of Exception Types. ### Configure the Analysis Tasks for the 2-AAD_Exceptions Job 
@@ -89,14 +89,14 @@ dependency. **Step 1 –** Navigate to the **.Entra ID Inventory** > **2-AAD_Exceptions** > **Configure** node and select **Analysis**. -![Analysis Configuration option on Analysis Selection page](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionsanalysisconfiguration.webp) +![Analysis Configuration option on Analysis Selection page](/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionsanalysisconfiguration.webp) **Step 2 –** In the Analysis Selection view, select an analysis task and click **Analysis Configuration**. The SQL Script Editor opens. **Step 3 –** Click Parameters to open the Parameters section. -![Change Parameter Value in SQL Script Editor](../../../../../static/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionssqlscripteditor.webp) +![Change Parameter Value in SQL Script Editor](/img/product_docs/accessanalyzer/solutions/entraidinventory/exceptionssqlscripteditor.webp) **Step 4 –** Double-click in a field in the Value column and enter a custom value. diff --git a/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md b/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md index 690763d93f..5f96961760 100644 --- a/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md +++ b/docs/accessanalyzer/12.0/solutions/entraidinventory/overview.md 
@@ -18,32 +18,32 @@ Supported Platforms Requirements, Permissions, and Ports -See the [Microsoft Entra ID Tenant Target Requirements](../../config/entraid/overview.md) topic +See the [Microsoft Entra ID Tenant Target Requirements](/docs/accessanalyzer/12.0/config/entraid/overview.md) topic for additional information. Location The .Entra ID Inventory Solution is a core component of all Access Analyzer installations. It can be installed from the Access Analyzer Instant Job Wizard. See the -[Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. Navigate to the solution by expanding the Jobs tree and selecting the **.Entra ID Inventory** Job Group. This group has been named in such a way to keep it at the top of the Jobs tree. ## Jobs -![.Entra ID Inventory overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![.Entra ID Inventory overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The jobs in the .Entra ID Inventory Solution are: -- [1-AAD_Scan Job](1-aad_scan.md) – Provides essential Microsoft Entra ID User and Group membership +- [1-AAD_Scan Job](/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md) – Provides essential Microsoft Entra ID User and Group membership details to several Access Analyzer built-in solution sets. Key information includes user status, user attributes, and group membership. This job also collects Microsoft Entra roles information. 
-- [2-AAD_Exceptions Job](2-aad_exceptions.md) – Runs analysis on the collected data and identifies +- [2-AAD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md) – Runs analysis on the collected data and identifies toxic conditions that exist within Microsoft Entra ID which may leave your environment at risk or add unnecessary administrative overhead The data collection is conducted by the AzureADInventory and Entra data collectors. See the -[Standard Reference Tables & Views for the AzureADInventory Data Collector](../../admin/datacollector/azureadinventory/standardtables.md) +[Standard Reference Tables & Views for the AzureADInventory Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/standardtables.md) topic for database table information. **NOTE:** This solution is required for SharePoint Online reports in the Netwrix Access Information diff --git a/docs/accessanalyzer/12.0/solutions/entraidinventory/recommended.md b/docs/accessanalyzer/12.0/solutions/entraidinventory/recommended.md index 0d0fa080f0..40391190f2 100644 --- a/docs/accessanalyzer/12.0/solutions/entraidinventory/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/entraidinventory/recommended.md @@ -19,7 +19,7 @@ is set to **Use the Default Profile**, as configured at the global **Settings** this is not the Connection Profile with the necessary permissions for targeting the Microsoft Entra tenants, select the **Select one of the following user defined profiles** option and select the appropriate Connection Profile. See the -[Microsoft Entra ID Connection Profile & Host List](../../admin/datacollector/azureadinventory/configurejob.md) +[Microsoft Entra ID Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/azureadinventory/configurejob.md) topic for information. History Retention 
@@ -44,14 +44,14 @@ entire solution, instead of the individual jobs. Query Configuration Run the solution with the default query configuration for best results. While it is recommended to -make no changes to the [1-AAD_Scan Job](1-aad_scan.md), a possible modification might be to scope +make no changes to the [1-AAD_Scan Job](/docs/accessanalyzer/12.0/solutions/entraidinventory/1-aad_scan.md), a possible modification might be to scope the query to not collect login activity. Analysis Configuration Run the solution with the default analysis configuration for best results. However, a possible modification might be to customize exception analysis parameters within the -[2-AAD_Exceptions Job](2-aad_exceptions.md). +[2-AAD_Exceptions Job](/docs/accessanalyzer/12.0/solutions/entraidinventory/2-aad_exceptions.md). Workflow diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_activesync.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_activesync.md index c0789fc124..6e7018d8ba 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_activesync.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_activesync.md @@ -2,7 +2,7 @@ The EX_ActiveSync job provides visibility into ActiveSync Traffic in the Organization. -![ActiveSync > EX_ActiveSync Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/activesyncjobstree.webp) +![ActiveSync > EX_ActiveSync Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/activesyncjobstree.webp) The EX_ActiveSync job is located in the ActiveSync job group. 
@@ -14,7 +14,7 @@ View the analysis tasks by navigating to the **Exchange** > **2. CAS Metrics** > **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified or deselected. There are some that are deselected by default, as they are for troubleshooting purposes. -![Analysis Tasks for the EX_ActiveSync Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/activesyncanalysis.webp) +![Analysis Tasks for the EX_ActiveSync Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/activesyncanalysis.webp) The following analysis tasks are selected by default: @@ -34,7 +34,7 @@ The following analysis tasks are selected by default: - The default is **6 months**. It can be modified. - See the - [Exchange History Retention](../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information The following analysis task deletes table data from the analysis jobs. This analysis task should @@ -46,7 +46,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 0. Delete all History - See the - [Troubleshooting Data Collection](../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information The following analysis task updates the table to clean the data so that any UserAgent information diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md index f321a69015..64ea6804ad 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md @@ -6,7 +6,7 @@ The EX_ASPolicies Job provides insight into what policies are enabled for which The EX_ASPolicies Job uses the ExchangePS Data Collector. -![Queries for the EX_ASPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/aspoliciesquery.webp) +![Queries for the EX_ASPolicies Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/aspoliciesquery.webp) The following query is included in the EX_ASPolicies Job. 
@@ -32,25 +32,25 @@ Wizard opens. **CAUTION:** Do not modify other wizard pages. The wizard pages are pre-configured for this job. -![ExchangePS Data Collector Wizard Scope page](../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![ExchangePS Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 4 –** Navigate to the Scope page, and select the desired scoping method from those available. -See the [ExchangePS: Scope](../../../admin/datacollector/exchangeps/scope.md) topic for additional +See the [ExchangePS: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scope.md) topic for additional information. - Scope by Database – Select the **Scope by Database Target Host: Local Host** option. Then, click **Next** and identify the desired databases on the Scope by Databases page. See the - [ExchangePS: Scope by DB](../../../admin/datacollector/exchangeps/scopedatabases.md) topic for + [ExchangePS: Scope by DB](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopedatabases.md) topic for additional information. - Scope by Mailbox – Select the **Scope by Mailbox Target Host: Local Host** option. Then, click **Next** and identify the desired mailboxes on the Scope by Mailboxes page. See the - [ExchangePS: Scope by Mailboxes](../../../admin/datacollector/exchangeps/scopemailboxes.md) topic + [ExchangePS: Scope by Mailboxes](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopemailboxes.md) topic for additional information. - Scope by Server – Select the **Scope by Server Target Host: Exchange MB Server** option. The job returns results for specific servers selected in job’s **Configure** > **Hosts** node. - Scope by Public Folder – Select the **Scope by Public Folder** option. Then, click **Next** and identify the desired mailboxes on the Scope by Public Folders page. 
See the - [ExchangePS: Scope by Public Folders](../../../admin/datacollector/exchangeps/scopepublicfolders.md) topic + [ExchangePS: Scope by Public Folders](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/scopepublicfolders.md) topic for additional information. - _Remember,_ the scoping options available vary based on the pre-defined query configurations. @@ -66,7 +66,7 @@ View the analysis tasks by navigating to the **Exchange** > **2. CAS Metrics** > **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_ASPolicies Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/aspoliciesanalysis.webp) +![Analysis Tasks for the EX_ASPolicies Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/aspoliciesanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_iislogs.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_iislogs.md index 11ffa782a3..7e453c0587 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_iislogs.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_iislogs.md @@ -4,7 +4,7 @@ The 0.Collection > EX_IISLogs Job provides data collection to be utilized in the Web Access, and Outlook Anywhere Reports. This job goes out to each server that contains the IIS Logs and parses the log to return the data to the Access Analyzer database. -![0.Collection > EX_IISLogs Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection > EX_IISLogs Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The EX_IISLogs job is located in the 0.Collection Job Group. 
@@ -12,7 +12,7 @@ The EX_IISLogs job is located in the 0.Collection Job Group. The EX_IISLogs Job uses the SMARTLog Data Collector. -![Queries for the EX_IISLogs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/iislogsquery.webp) +![Queries for the EX_IISLogs Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/iislogsquery.webp) The following query is included in the EX_IISLogs Job: @@ -27,7 +27,7 @@ The following query is included in the EX_IISLogs Job: The EX_IISLogs Job has been preconfigured to run with the default settings with the Log Type of Internet Information Server Log. However, the time frame for the log files to be processed can be modified on the Target Log page of the SMART Log DC Wizard. See the -[SMARTLog Data Collector](../../../admin/datacollector/smartlog/overview.md) topic for additional +[SMARTLog Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/overview.md) topic for additional information. Follow the steps to modify the query configuration. @@ -43,10 +43,10 @@ opens. **CAUTION:** Do not modify other wizard pages. The other wizard pages are pre-configured for this job. -![SMART Log DC Wizard Target Log page](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/smartlogdctargetlog.webp) +![SMART Log DC Wizard Target Log page](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/smartlogdctargetlog.webp) **Step 4 –** Navigate to the Target Log page, and configure the time frame as required. See the -[SMARTLog: Target Log](../../../admin/datacollector/smartlog/targetlog.md) topic for additional +[SMARTLog: Target Log](/docs/accessanalyzer/12.0/admin/datacollector/smartlog/targetlog.md) topic for additional information. _Remember,_ if the date range configuration includes data older than the last scan, the **Persist 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_owatraffic.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_owatraffic.md index f82eac5c6c..e518533e31 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_owatraffic.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_owatraffic.md @@ -2,7 +2,7 @@ The EX_OWATraffic Job provides visibility into Outlook Web Access Traffic in the organization. -![Outlook Web Access > EX_OWATraffic Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/outlookwebaccessjobstree.webp) +![Outlook Web Access > EX_OWATraffic Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/outlookwebaccessjobstree.webp) The EX_OWATraffic job is located in the Outlook Web Access Job Group. @@ -14,7 +14,7 @@ Access** > **EX_OWATraffic** > **Configure** node and select **Analysis**. **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified ordeselected. There is one that is deselected by default, as it is for troubleshooting purposes. -![Analysis Tasks for the EX_OWATraffic Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/owatrafficanalysis.webp) +![Analysis Tasks for the EX_OWATraffic Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/owatrafficanalysis.webp) The following analysis tasks are selected by default: 
@@ -30,7 +30,7 @@ The following analysis tasks are selected by default: - By default it is set to retain 6 months. This can be modified. - See the - [Exchange History Retention](../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information The following analysis task deletes table data from data collection and analysis jobs. This analysis @@ -41,7 +41,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 0. Deletes all History - LEAVE UNCHECKED – Clears all historical data - See the - [Troubleshooting Data Collection](../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_OWATraffic Job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_rpctraffic.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_rpctraffic.md index adeb8068d6..1ef51024c6 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_rpctraffic.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_rpctraffic.md @@ -3,7 +3,7 @@ The EX_RPCTraffic job provides visibility into Outlook Anywhere or RPC\HTTPs Traffic in the organization. -![Outlook Anywhere > EX_RPCTraffic Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/outlookanywherejobstree.webp) +![Outlook Anywhere > EX_RPCTraffic Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/outlookanywherejobstree.webp) The EX_RPCTraffic job is located in the Outlook Anywhere job group. 
@@ -15,7 +15,7 @@ Anywhere** > **EX_RPCTraffic** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_RPCTraffic Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/rpctrafficanalysis.webp) +![Analysis Tasks for the EX_RPCTraffic Job](/img/product_docs/accessanalyzer/solutions/exchange/casmetrics/rpctrafficanalysis.webp) The following analysis tasks are selected by default: @@ -31,7 +31,7 @@ The following analysis tasks are selected by default: - The default is 6 months. It can be modified. - See the - [Exchange History Retention](../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information The following analysis tasks deletes table data from data collection and analysis jobs. These @@ -43,7 +43,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 0. Delete all History - LEAVE UNCHECKED – Clears all historical data - See the - [Troubleshooting Data Collection](../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_RPCTraffic Job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/overview.md index 7f1da0e80b..11b5c14993 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/overview.md 
@@ -5,25 +5,25 @@ remote connections (Outlook Web Access, ActiveSync, and Outlook Anywhere Access) your organization. This job group goes out to each server that contains the IIS Logs and parses the logs to return the data to the Access Analyzer database. -![2.CAS Metrics Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.CAS Metrics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 2.CAS Metrics Job Group are: -- [0.Collection > EX_IISLogs Job](ex_iislogs.md) – Provides data collection to be utilized in the +- [0.Collection > EX_IISLogs Job](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_iislogs.md) – Provides data collection to be utilized in the ActiveSync, Outlook Web Access, and Outlook Anywhere Reports. This job group goes out to each server that contains the IIS Logs and parses the logs to return the data to the Access Analyzer database. 
-- [ActiveSync > EX_ActiveSync Job](ex_activesync.md) – Provides visibility into ActiveSync Traffic +- [ActiveSync > EX_ActiveSync Job](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_activesync.md) – Provides visibility into ActiveSync Traffic in the Organization -- [Outlook Anywhere > EX_RPCTraffic Job](ex_rpctraffic.md) – Provides visibility into Outlook +- [Outlook Anywhere > EX_RPCTraffic Job](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_rpctraffic.md) – Provides visibility into Outlook Anywhere or RPC\HTTPs Traffic in the organization -- [Outlook Web Access > EX_OWATraffic Job](ex_owatraffic.md) – Provides visibility into Outlook Web +- [Outlook Web Access > EX_OWATraffic Job](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_owatraffic.md) – Provides visibility into Outlook Web Access Traffic in the organization -- [EX_ASPolicies Job](ex_aspolicies.md) – Comprised of data collection and a report to show +- [EX_ASPolicies Job](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md) – Comprised of data collection and a report to show information about what policies are enabled for which users **NOTE:** An actual CAS name is required for the data collection. When targeting Exchange 2013 or 2016, it is possible for the **Settings** > **Exchange** node to have been configured with a web address instead of an actual server. See the - [ExchangePS Data Collector & Client Access Server](../recommended.md) topic for additional + [ExchangePS Data Collector & Client Access Server](/docs/accessanalyzer/12.0/solutions/exchange/recommended.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/recommended.md index b2b26d39e1..b785c5bb6a 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/recommended.md 
@@ -28,12 +28,12 @@ Connection Profile A Connection Profile must be set directly on the EX_IISLogs Job and the EX_ASPolicies Job. See the -[Exchange Remote Connections Permissions](../../../requirements/solutions/exchange/remoteconnections.md) +[Exchange Remote Connections Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/remoteconnections.md) topic for the EX_IISLogs Job required permissions. See the -[Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) topic for +[Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for the EX_ASPolicies Job requirements. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_dbinfo.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_dbinfo.md index a746f3121c..af21dd08e4 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_dbinfo.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_dbinfo.md 
@@ -2,21 +2,21 @@ The EX_DBInfo job utilizes Exchange PowerShell to gather 2010/2013 Mailbox Size information. -![1.Local > EX_DBInfo Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/localjobstree.webp) +![1.Local > EX_DBInfo Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/localjobstree.webp) The EX_DBInfo job is located in the 1.Local job group. **NOTE:** An actual CAS name is required for the data collection. When targeting Exchange 2013 or 2016, it is possible for the **Settings** > **Exchange** node to have been configured with a web address instead of an actual server. See the -[ExchangePS Data Collector & Client Access Server](../../recommended.md) topic for additional +[ExchangePS Data Collector & Client Access Server](/docs/accessanalyzer/12.0/solutions/exchange/recommended.md) topic for additional information. ## Queries for the EX_DBInfo Job The EX_DBInfo Job uses the ExchangePS Data Collector. -![Queries for the EX_DBInfo Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/dbinfoquery.webp) +![Queries for the EX_DBInfo Job](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/dbinfoquery.webp) The following query is included in the EX_DBInfo Job: @@ -24,5 +24,5 @@ The following query is included in the EX_DBInfo Job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_pfinfo.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_pfinfo.md index e7c338819c..94221897fb 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_pfinfo.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_pfinfo.md @@ -3,7 +3,7 @@ The EX_PFInfo job utilizes MAPI to gather Public Folder Database Information focusing on database sizing, growth, and trends. -![2.PF > EX_PFInfo Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/pfjobstree.webp) +![2.PF > EX_PFInfo Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/pfjobstree.webp) The EX_PFInfo job is located in the 2.PF job group. @@ -13,7 +13,7 @@ The EX_PFInfo Job uses the Exchange2K Data Collector for the query. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Queries for the EX_PFInfo Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/pfinfoquery.webp) +![Queries for the EX_PFInfo Job](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/pfinfoquery.webp) The following query is included in the EX_PFInfo Job: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/overview.md index 1f717c6150..09b27b2699 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/overview.md 
@@ -3,11 +3,11 @@ The 0.Collection Job Group is comprised of data collection, analysis, and reports that focus on database sizing, growth, and trends. -![0.Collection Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the 0.Collection Job Group are: -- [1.Local > EX_DBInfo Job](ex_dbinfo.md) – Utilizes Exchange PowerShell to gather 2010/2013 Mailbox +- [1.Local > EX_DBInfo Job](/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_dbinfo.md) – Utilizes Exchange PowerShell to gather 2010/2013 Mailbox Size Information -- [2.PF > EX_PFInfo Job](ex_pfinfo.md) – Utilizes MAPI to gather Public Folder Database Information +- [2.PF > EX_PFInfo Job](/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/ex_pfinfo.md) – Utilizes MAPI to gather Public Folder Database Information focusing on database sizing, growth, and trends diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbsizing.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbsizing.md index f53ab44289..07d650a8da 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbsizing.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbsizing.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **3. Databases** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_DBSizing Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/dbsizinganalysis.webp) +![Analysis Tasks for the EX_DBSizing Job](/img/product_docs/accessanalyzer/solutions/exchange/databases/dbsizinganalysis.webp) The following analysis tasks are selected by default: 
@@ -21,7 +21,7 @@ The following analysis tasks are selected by default: - The default is 6 months. It can be modified. - See the - [Exchange History Retention](../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information - 3. Database details table – Creates the SA_EX_DBSizing_StoreDetails table, accessible under the @@ -40,7 +40,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 1. Deletes all Stored Data - See the - [Troubleshooting Data Collection](../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_DBSizing Job produces the diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbtrending.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbtrending.md index d463da89bb..0803de4d66 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbtrending.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbtrending.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **3. Databases** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_DBTrending Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/dbtrendinganalysis.webp) +![Analysis Tasks for the EX_DBTrending Job](/img/product_docs/accessanalyzer/solutions/exchange/databases/dbtrendinganalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/overview.md index 3481afdd2a..9bfb728b48 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/overview.md @@ -3,15 +3,15 @@ The 3. Databases Job Group is comprised of data collection, analyses, and reports that focus on database sizing, growth, and trends. -![3.Databases Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![3.Databases Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following comprise the 3. Databases Job Group: -- [0.Collection Job Group](collection/overview.md) – Comprised of data collection, analysis, and +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/exchange/databases/collection/overview.md) – Comprised of data collection, analysis, and reports that focus on database sizing, growth, and trends -- [EX_DBSizing Job](ex_dbsizing.md) – Comprised of analyses and reports which provide information on +- [EX_DBSizing Job](/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbsizing.md) – Comprised of analyses and reports which provide information on current database sizes, growth statistics, and historical sizing information -- [EX_DBTrending](ex_dbtrending.md) – Creates trend projections for mailbox and public folder +- [EX_DBTrending](/docs/accessanalyzer/12.0/solutions/exchange/databases/ex_dbtrending.md) – Creates trend projections for mailbox and public folder databases for the entire organization The 3. Databases Job Group uses a MAPI-based data collector, Exchange2K. Therefore, it requires both 
@@ -19,4 +19,4 @@ Access Analyzer MAPI CDO and Microsoft Exchange MAPI CDO to be installed on the Console server. Once these have been installed, the **Settings** > **Exchange** node must be configured for proper connection to the Exchange server. -See the [Exchange](../../../admin/settings/exchange.md) topic for additional information. +See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/databases/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/databases/recommended.md index eab83174f6..1ac25e4f9e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/databases/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/databases/recommended.md @@ -27,12 +27,12 @@ through host inventory results. Connection Profile A Connection Profile must be set directly on the EX_DBInfo Job and the EX_PFInfo Job. See the -[Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) topic for +[Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for the Ex_DBInfo Job required permissions. See the -[MAPI-Based Data Collector Permissions](../../../requirements/solutions/exchange/mapi.md) topic for +[MAPI-Based Data Collector Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mapi.md) topic for the EX_PFInfo Job requirements. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_dlcleanup.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_dlcleanup.md index fd083d9ed7..cc981ce54d 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_dlcleanup.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_dlcleanup.md @@ -12,7 +12,7 @@ View the analysis task by navigating to the **Exchange** > **6. Distribution Lis **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_DLCleanup Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/dlcleanupanalysis.webp) +![Analysis Tasks for the EX_DLCleanup Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/dlcleanupanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_groupexpansion.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_groupexpansion.md index 9b3ea5a7d1..9d40299fc8 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_groupexpansion.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_groupexpansion.md @@ -2,7 +2,7 @@ The EX_GroupExpansion job expands the direct membership of distribution groups in the environment. -![Effective Membership > EX_GroupExpansion Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/effectivemembershipjobstree.webp) +![Effective Membership > EX_GroupExpansion Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/effectivemembershipjobstree.webp) The EX_GroupExpansion job is located in the Effective Membership job group. 
@@ -14,7 +14,7 @@ Membership** > **EX_GroupExpansion** > **Configure** node and select **Analysis* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_GroupExpansion Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/groupexpansionanalysis.webp) +![Analysis Tasks for the EX_GroupExpansion Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/groupexpansionanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_circularnesting.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_circularnesting.md index 8e2fff6942..4ece659669 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_circularnesting.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_circularnesting.md @@ -10,7 +10,7 @@ Analysis** > **EX_CircularNesting** > **Configure** node and select **Analysis** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_CircularNesting Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) +![Analysis Tasks for the EX_CircularNesting Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/circularnestinganalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_emptygroups.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_emptygroups.md index 85ced7bd92..eaec0cf035 100644 
--- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_emptygroups.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_emptygroups.md @@ -10,7 +10,7 @@ Analysis** > **EX_EmptyGroups** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_EmptyGroups Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) +![Analysis Tasks for the EX_EmptyGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_largestgroups.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_largestgroups.md index dee97da879..2fd4a6891a 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_largestgroups.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_largestgroups.md @@ -10,7 +10,7 @@ Analysis** > **EX_LargestGroups** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_LargestGroups Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) +![Analysis Tasks for the EX_LargestGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/largestgroupsanalysis.webp) The following analysis task is selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_nestedgroups.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_nestedgroups.md index ed2b398073..44c1fdfaf9 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_nestedgroups.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_nestedgroups.md @@ -10,7 +10,7 @@ Analysis** > **EX_NestedGroups** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_NestedGroups Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) +![Analysis Tasks for the EX_NestedGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/nestedgroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_stalegroups.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_stalegroups.md index 3d2c187947..54f485cb51 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_stalegroups.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_stalegroups.md 
@@ -11,7 +11,7 @@ Analysis** > **EX_StaleGroups** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_StaleGroups Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) +![Analysis Tasks for the EX_StaleGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/stalegroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/overview.md index 92f5659f02..0fc0ed3791 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/overview.md 
@@ -4,17 +4,17 @@ The Membership Analysis job group provides visibility into toxic conditions cont environment, such as circular nesting, large groups, empty groups, nesting, and potentially stale groups. -![Membership Analysis Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/membershipanalysisjobstree.webp) +![Membership Analysis Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/membershipanalysisjobstree.webp) The jobs in the Membership Analysis job group are: -- [EX_CircularNesting Job](ex_circularnesting.md) – Identifies where circular nesting exists within +- [EX_CircularNesting Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_circularnesting.md) – Identifies where circular nesting exists within distribution groups -- [EX_EmptyGroups Job](ex_emptygroups.md) – Identifies empty distribution groups that are candidates +- [EX_EmptyGroups Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_emptygroups.md) – Identifies empty distribution groups that are candidates for cleanup -- [EX_LargestGroups Job](ex_largestgroups.md) – Identifies distribution groups with a high member +- [EX_LargestGroups Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_largestgroups.md) – Identifies distribution groups with a high member count -- [EX_NestedGroups Job](ex_nestedgroups.md) – Identifies where nesting exists within distribution +- [EX_NestedGroups Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_nestedgroups.md) – Identifies where nesting exists within distribution groups -- [EX_StaleGroups Job](ex_stalegroups.md) – Identifies potentially stale distribution groups based +- [EX_StaleGroups 
Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/ex_stalegroups.md) – Identifies potentially stale distribution groups based on the last domain logon of the members. These groups should be reviewed and cleaned up. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/overview.md index 0d5344573d..3bb182ac5d 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/overview.md 
@@ -3,17 +3,17 @@ The 6. Distribution Lists job group lists the direct and effective membership to distribution lists, in addition to providing context around potentially stale distribution lists. -![6. Distribution Lists Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![6. Distribution Lists Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following comprise the 6. Distribution Lists job group: **NOTE:** These jobs are compatible with the Office 365 environment. -- [Effective Membership > EX_GroupExpansion Job](ex_groupexpansion.md) – Expands the direct +- [Effective Membership > EX_GroupExpansion Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_groupexpansion.md) – Expands the direct membership of distribution groups in the environment -- [Membership Analysis Job Group](membershipanalysis/overview.md) – Provides visibility into toxic +- [Membership Analysis Job Group](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/membershipanalysis/overview.md) – Provides visibility into toxic conditions contained with the environment, such as circular nesting, large groups, empty groups, nesting, and potentially stale groups -- [EX_DLCleanup Job](ex_dlcleanup.md) – Identifies potentially stale distribution groups based on +- [EX_DLCleanup Job](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/ex_dlcleanup.md) – Identifies potentially stale distribution groups based on the last domain logon of the members, membership counts, and last time mail was sent to the distribution lists. These DLs should be reviewed and cleaned up. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/ex_useroverview.md b/docs/accessanalyzer/12.0/solutions/exchange/ex_useroverview.md index bf6d8a0537..9e8ace0e05 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/ex_useroverview.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/ex_useroverview.md @@ -5,7 +5,7 @@ information for each user about their mailbox size, mailbox access rights, mail remote connectivity to the Exchange environment. These reports provide user impact analysis on the environment. -![EX_UserOverview Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailflowuseroverviewjobstree.webp) +![EX_UserOverview Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/mailflowuseroverviewjobstree.webp) Dependencies @@ -32,7 +32,7 @@ and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailflow_UserOverview Job](../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailflowuseroverviewanalysis.webp) +![Analysis Tasks for the EX_Mailflow_UserOverview Job](/img/product_docs/accessanalyzer/solutions/exchange/mailflowuseroverviewanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/appletstatuscheck.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/appletstatuscheck.md index 484479110b..7ea31000ff 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/appletstatuscheck.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/appletstatuscheck.md 
@@ -9,7 +9,7 @@ The .AppletStatusCheck Job uses the Script Data Collector. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Queries for the .AppletStatusCheck Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/appletstatuscheckquery.webp) +![Queries for the .AppletStatusCheck Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/appletstatuscheckquery.webp) The following query is included with the .AppletStatusCheck Job: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md index 2c2ba7dbb9..792038f037 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md @@ -11,14 +11,14 @@ been enabled in the query. **_RECOMMENDED:_** Run this job with the default configuration settings for all queries. See the -[ExchangeMetrics Data Collector](../../../../admin/datacollector/exchangemetrics/overview.md) topic +[ExchangeMetrics Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/overview.md) topic for additional information. ## Queries for the EX_MetricsCollection Job The EX_MetricsCollection Job uses the ExchangeMetrics Data Collector. -![Queries for the EX_MetricsCollection Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricscollectionqueries.webp) +![Queries for the EX_MetricsCollection Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricscollectionqueries.webp) The following queries are included in the EX_MetricsCollection Job: 
@@ -38,7 +38,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_MetrixCollection Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricscollectionanalysis.webp) +![Analysis Tasks for the EX_MetrixCollection Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricscollectionanalysis.webp) The following analysis tasks are selected by default: @@ -82,12 +82,12 @@ can be set to a specified number of days. Follow these steps to modify the histo **Step 1 –** Navigate to the job’s **Configure** node and select **Analysis**. -![08. SET HISTORY RETENTION task in the Analysis Selection view](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/sethistoryretentiontask.webp) +![08. SET HISTORY RETENTION task in the Analysis Selection view](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/sethistoryretentiontask.webp) **Step 2 –** In the Analysis Selection view, select the **08. SET HISTORY RETENTION** analysis task and click **Analysis Configuration**. The SQL Script Editor opens. -![History Retention task in SQL Script Editor](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/sethistoryretentionscripteditor.webp) +![History Retention task in SQL Script Editor](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/sethistoryretentionscripteditor.webp) **Step 3 –** To modify the number of months: On line 6, modify the value for the months parameter: 
@@ -128,7 +128,7 @@ Follow these steps to troubleshoot data collection: **Step 1 –** Navigate to the job’s **Configure** node and select **Analysis**. -![Troubleshooting task selection](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/troubleshootingtaskselection.webp) +![Troubleshooting task selection](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/troubleshootingtaskselection.webp) **Step 2 –** In the Analysis Selection view, clear all default analysis tasks (if any) and select the analysis task which purges data. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricsdetails.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricsdetails.md index 8eec45941d..8a9748ed65 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricsdetails.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricsdetails.md @@ -10,7 +10,7 @@ collection does not return. The EX_MetricsDetails Job uses the ExchangeMetrics Data Collector. -![Queries for the EX_MetricsDetails Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricsdetailsquery.webp) +![Queries for the EX_MetricsDetails Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricsdetailsquery.webp) The following query is included in the EX_MetricsDetails Job: 
@@ -38,10 +38,10 @@ Collector Wizard opens. **CAUTION:** Do not modify other wizard pages. The wizard pages are pre-configured for this job. -![Exchange Metrics Data Collector Wizard Message Activity Filter page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/exchangemetricsmessageactivityfilter.webp) +![Exchange Metrics Data Collector Wizard Message Activity Filter page](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/exchangemetricsmessageactivityfilter.webp) **Step 4 –** Navigate to the -[ExchangeMetrics: Message Activity Filter](../../../../admin/datacollector/exchangemetrics/messageactivityfilter.md) +[ExchangeMetrics: Message Activity Filter](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/messageactivityfilter.md) page to configure the internal domains from which to collect the sender to recipient traffic. The filter should remain **Ends With**. Replace the `@netwrix.com` variable for both the **Senders** and **Recipients** with the `@domain.com` variable to be audited. @@ -58,7 +58,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_MetricsDetails Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricsdetailsanalysis.webp) +![Analysis Tasks for the EX_MetricsDetails Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/collection/metricsdetailsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/overview.md index 32db928cc3..df7c198a11 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/overview.md 
@@ -3,20 +3,20 @@ The 0.Collection Job Group is comprised of jobs that process and analyze the message tracking logs on the Exchange Servers in the environment. -![jobstree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![jobstree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 0.Collection Job Group are: -- [.AppletStatusCheck Job](appletstatuscheck.md) – Checks the health and status of the applet +- [.AppletStatusCheck Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/appletstatuscheck.md) – Checks the health and status of the applet deployed to the target Exchange servers -- [EX_MetricsCollection Job](ex_metricscollection.md) – Comprised of multiple queries that utilize +- [EX_MetricsCollection Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md) – Comprised of multiple queries that utilize the Exchange Metrics Data Collect to process and collect the message tracking logs on the Exchange servers in the environment. These queries collect server, domain, user, and distribution list traffic including but not limited to sent, received, journal, NDRs, and transports message. These queries are configured to process and collect that previous 7 days of Message Tracking Logs the first time this job is run, after that it only collects the previous day assuming persistence has not been disabled inside the query. -- [EX_MetricsDetails Job](ex_metricsdetails.md) – Collects user to user traffic per day +- [EX_MetricsDetails Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricsdetails.md) – Collects user to user traffic per day **NOTE:** This job's query needs to be configured to the internal domains from which to collect the sender to recipient traffic. By default, the query is configured to collect the previous 1 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_deliverytimes.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_deliverytimes.md index 96ceac2792..60c946d16e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_deliverytimes.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_deliverytimes.md @@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_DeliveryTimes Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/deliverytimesanalysis.webp) +![Analysis Tasks for the EX_DeliveryTimes Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/deliverytimesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_dlmetrics.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_dlmetrics.md index 21f9d1f1ea..99095208e3 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_dlmetrics.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_dlmetrics.md @@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_DLMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/dlmetricsanalysis.webp) +![Analysis Tasks for the EX_DLMetrics Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/dlmetricsanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_domainmetrics.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_domainmetrics.md index b12b83edff..1034fe5bb3 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_domainmetrics.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_domainmetrics.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_DomainMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/domainmetricsanalysis.webp) +![Analysis Tasks for the EX_DomainMetrics Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/domainmetricsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_hourlymetrics.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_hourlymetrics.md index ad6dd2837f..a8fed73c90 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_hourlymetrics.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_hourlymetrics.md @@ -14,7 +14,7 @@ preconfigured for this job. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_HourlyMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/hourlymetricsanalysis.webp) +![Analysis Tasks for the EX_HourlyMetrics Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/hourlymetricsanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_messagesize.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_messagesize.md index c98cbd854c..331710e6d4 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_messagesize.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_messagesize.md @@ -10,7 +10,7 @@ View the analysis task by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_MessageSize Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/messagesizeanalysis.webp) +![Analysis Tasks for the EX_MessageSize Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/messagesizeanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_servermetrics.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_servermetrics.md index 444ff6ee0e..372cab7e7e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_servermetrics.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_servermetrics.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_ServerMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/servermetricsanalysis.webp) +![Analysis Tasks for the EX_ServerMetrics Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/servermetricsanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_usermetrics.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_usermetrics.md index d13dce22c4..31146cf416 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_usermetrics.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_usermetrics.md @@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **1. HUB Metrics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_UserMetrics Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/usermetricsanalysis.webp) +![Analysis Tasks for the EX_UserMetrics Job](/img/product_docs/accessanalyzer/solutions/exchange/hubmetrics/usermetricsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/overview.md index 12f3bd47c9..9d357a1fbf 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/overview.md 
@@ -5,22 +5,22 @@ mail-flow activity occurring within your organization. This job group goes out t contains the Message Tracking Logs and parse the log to return the data to the Access Analyzer database. -![1.HUB Metrics Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.HUB Metrics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following job groups and jobs comprise the 1. HUB Metrics Job Group: -- [0. Collection Job Group](collection/overview.md) – Comprised of jobs that process and analyze the +- [0. Collection Job Group](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/overview.md) – Comprised of jobs that process and analyze the message tracking logs on the Exchange Servers in the environment -- [EX_DeliveryTimes Job](ex_deliverytimes.md) – Provides information around organizational and +- [EX_DeliveryTimes Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_deliverytimes.md) – Provides information around organizational and server level delivery times -- [EX_DLMetrics Job](ex_dlmetrics.md) – Provides information around distribution list usage -- [EX_DomainMetrics Job](ex_domainmetrics.md) – Provides information about which domains mail-flow +- [EX_DLMetrics Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_dlmetrics.md) – Provides information around distribution list usage +- [EX_DomainMetrics Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_domainmetrics.md) – Provides information about which domains mail-flow is going to and coming from -- [EX_HourlyMetrics Job](ex_hourlymetrics.md) – Provides visibility into how much mail-flow the +- [EX_HourlyMetrics Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_hourlymetrics.md) – Provides visibility into how much mail-flow the organization sends and receives each hour -- [EX_MessageSize Job](ex_messagesize.md) – 
Provides information around size of messages sent and +- [EX_MessageSize Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_messagesize.md) – Provides information around size of messages sent and received -- [EX_ServerMetrics Job](ex_servermetrics.md) – Provides visibility into server mail-flow +- [EX_ServerMetrics Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_servermetrics.md) – Provides visibility into server mail-flow statistics, such as, sent, received, journaling, transport and NDR counts and sizes -- [EX_UserMetrics Job](ex_usermetrics.md) – Provides information around each user’s mail-flow in the +- [EX_UserMetrics Job](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/ex_usermetrics.md) – Provides information around each user’s mail-flow in the organization diff --git a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/recommended.md index dc94844d62..a3add8c486 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/recommended.md @@ -23,10 +23,10 @@ through host inventory results. Connection Profile A Connection Profile must be set directly on the EX_MetricsCollection Job and the EX_MetricsDetails -Job. See the [Exchange Mail-Flow Permissions](../../../requirements/solutions/exchange/mailflow.md) +Job. See the [Exchange Mail-Flow Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mailflow.md) topic for required permissions. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency 
@@ -59,7 +59,7 @@ following exceptions: - All queries in the 1.HUB Metrics Job Group that use the ExchangeMetrics Data Collector – (Optional) The **Enable Persistent Log State** option can be enabled on the Options page of the Exchange Metrics Data Collector Wizard to search the log from where the previous search left off. - See the [ExchangeMetrics: Options](../../../admin/datacollector/exchangemetrics/options.md) topic + See the [ExchangeMetrics: Options](/docs/accessanalyzer/12.0/admin/datacollector/exchangemetrics/options.md) topic for additional information. Analysis Configuration diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/ex_features.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/ex_features.md index 069dc2258b..256b4f01a3 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/ex_features.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/ex_features.md @@ -5,7 +5,7 @@ which features have been enabled or disabled on Mailboxes, such as ActiveSync, I **_RECOMMENDED:_** Schedule the Features Job Group to run weekly on any desired recurrence. -![Features > EX_Features Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/featuresjobstree.webp) +![Features > EX_Features Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/featuresjobstree.webp) The EX_Features job is located in the Features job group. @@ -13,7 +13,7 @@ The EX_Features job is located in the Features job group. The EX_Features Job uses the ExchangePS Data Collector. -![Queries for the EX_Features Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/featuresquery.webp) +![Queries for the EX_Features Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/featuresquery.webp) The following query is included with the EX_Features Job: 
@@ -21,12 +21,12 @@ The following query is included with the EX_Features Job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) topic + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. In addition to the table created by the query, the EX_Features Job produces the following diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxactivity.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxactivity.md index 23453c78ad..a87ca38de6 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxactivity.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxactivity.md @@ -3,7 +3,7 @@ The EX_MailboxActivity job collects logs of Native Mailbox Access Auditing from Exchange to provide reporting around mailbox logon activity. -![0.Collection > EX_MailboxActivity Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection > EX_MailboxActivity Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The EX_MailboxActivity job is located in the 0.Collection job group. 
@@ -13,7 +13,7 @@ The EX_MailboxActivity job is located in the 0.Collection job group. The EX_MailboxActivity Job uses the ExchangePS Data Collector. -![Queries for the EX_MailboxActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/logons/mailboxactivityquery.webp) +![Queries for the EX_MailboxActivity Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/logons/mailboxactivityquery.webp) The following query is included with the EX_MailboxActivity job: @@ -21,10 +21,10 @@ The following query is included with the EX_MailboxActivity job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../../requirements/solutions/exchange/powershell.md) + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxlogons.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxlogons.md index 6ce01fdfb9..a458e8bd4f 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxlogons.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxlogons.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_MailboxLogons Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/logons/mailboxlogonsanalysis.webp) +![Analysis Tasks for the EX_MailboxLogons Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/logons/mailboxlogonsanalysis.webp) The following analysis tasks are selected by default: @@ -23,7 +23,7 @@ The following analysis tasks are selected by default: - By default set to retain 6 months. It can be modified. - See the - [Exchange History Retention](../../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information - 04.Last Week Top Offenders – Creates the SA_EX_MailboxLogons_LastWeekSummary table, accessible @@ -41,7 +41,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 00.Delete All Historical Data - See the - [Troubleshooting Data Collection](../../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_MailboxLogons Job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/overview.md index 9ef72723e2..b43ca6570c 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/overview.md @@ -8,11 +8,11 @@ provide reporting around mailbox logon activity. The data collection job requires that Exchange Access Auditing is enabled in the Exchange environment. -![Logons Job Group](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Logons Job Group](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Logons Job Group are: -- [0.Collection > EX_MailboxActivity Job](ex_mailboxactivity.md) – Collects logs of Native Mailbox +- [0.Collection > EX_MailboxActivity Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxactivity.md) – Collects logs of Native Mailbox Access Auditing from Exchange to provide reporting around mailbox logon activity -- [EX_MailboxLogons Job](ex_mailboxlogons.md) – Provides details around Mailbox logon activity +- [EX_MailboxLogons Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/ex_mailboxlogons.md) – Provides details around Mailbox logon activity occurring within the Exchange environment diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/overview.md index 543ff5e4ad..e5a5d4ebe6 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/overview.md 
@@ -3,19 +3,19 @@ The 4. Mailboxes job group is comprised of data collection, analysis, and reports around mailbox features, logons, permissions, and sizing. -![4.Mailboxes Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4.Mailboxes Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following comprise the 4. Mailboxes job group: **NOTE:** These jobs are compatible with the Office 365 environment. -- [Features > EX_Features Job](ex_features.md) – Comprised of data collection and a report that +- [Features > EX_Features Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/ex_features.md) – Comprised of data collection and a report that provides information around which features have been enabled or disabled on mailboxes, such as ActiveSync, IMAP, POP and more -- [Logons Job Group](logons/overview.md) – Provides collection of Native Mailbox Access Auditing +- [Logons Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/logons/overview.md) – Provides collection of Native Mailbox Access Auditing logs from Exchange to provide reporting around mailbox logon activity -- [Permissions Job Group](permissions/overview.md) – Comprised of data collection, analysis and +- [Permissions Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/overview.md) – Comprised of data collection, analysis and reports that focus on access granted to each mailbox in the environment including, Mailbox Rights, Active Directory Permissions, Delegation, and Folder Permissions -- [Sizing Job Group](sizing/overview.md) – Provides data collection, analyses, and reports which +- [Sizing Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/overview.md) – Provides data collection, analyses, and reports which focus on mailbox sizing, growth, and trends 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_delegates.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_delegates.md index 0645b5474b..bcfc42766e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_delegates.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_delegates.md @@ -7,7 +7,7 @@ mailbox. The EX_Delegates job uses the ExchangePS Data Collector. -![Queries for the EX_Delegates Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/delegatesquery.webp) +![Queries for the EX_Delegates Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/delegatesquery.webp) The following query is included with the EX_Delegates job: @@ -15,10 +15,10 @@ The following query is included with the EX_Delegates job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../../../requirements/solutions/exchange/powershell.md) + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_mbrights.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_mbrights.md index 135b58f6d7..c15f6a5e74 100644 
--- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_mbrights.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_mbrights.md @@ -7,7 +7,7 @@ mailbox. The EX_MBRights job uses the ExchangePS Data Collector. -![Queries for the EX_MBRights Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/mbrightsquery.webp) +![Queries for the EX_MBRights Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/mbrightsquery.webp) The following query is included in the EX_MBRights Job: @@ -15,10 +15,10 @@ The following query is included in the EX_MBRights Job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../../../requirements/solutions/exchange/powershell.md) + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_perms.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_perms.md index 3c86a5feac..bed6d1d08d 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_perms.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_perms.md 
@@ -7,12 +7,12 @@ mailboxes. The EX_Perms job uses the EWSMailbox Data Collector. -![Queries for the EX_Perms Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/permsquery.webp) +![Queries for the EX_Perms Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/permsquery.webp) The following query is included in the EX_Perms job. - Exchange Mailbox Permissions – Returns Exchange mailbox folder permissions - By default set to search all mailboxes. It can be scoped. - - See the [EWSMailbox Data Collector](../../../../../admin/datacollector/ewsmailbox/overview.md) + - See the [EWSMailbox Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md) topic for additional information diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_sendas.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_sendas.md index 52569df7b6..7c2e80d0e1 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_sendas.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_sendas.md @@ -7,7 +7,7 @@ applied to a mailbox. The EX_SendAs job uses the ExchangePS Data Collector. -![Queries for the EX_SendAs Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/sendasquery.webp) +![Queries for the EX_SendAs Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/sendasquery.webp) The following query is included in the EX_SendAs Job: 
@@ -15,12 +15,12 @@ The following query is included in the EX_SendAs Job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../../../requirements/solutions/exchange/powershell.md) + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. ## Analysis Tasks for the EX_SendAs Job @@ -31,7 +31,7 @@ View the analysis task by navigating to the **Exchange** > **4. Mailboxes** > ** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_SendAs Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/sendasanalysis.webp) +![Analysis Tasks for the EX_SendAs Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/collection/sendasanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/overview.md index c72cac19a0..961267c665 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/overview.md 
@@ -4,15 +4,15 @@ The 0. Collection job group is comprised of data collection and analysis that fo granted to each mailbox in the environment including: Mailbox Rights, Active Directory Permissions, Delegation, and Folder Permissions. -![0.Collection Job Group in the Jobs Tree](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the 0. Collection job group are: -- [EX_Delegates Job](ex_delegates.md) – Collects data from Active Directory to identify the +- [EX_Delegates Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_delegates.md) – Collects data from Active Directory to identify the delegates applied to a mailbox -- [EX_MBRights Job](ex_mbrights.md) – Collects data from Active Directory to identify the mailbox +- [EX_MBRights Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_mbrights.md) – Collects data from Active Directory to identify the mailbox rights applied to a mailbox -- [EX_Perms Job](ex_perms.md) – Collects information about permissions applied to the folders within +- [EX_Perms Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_perms.md) – Collects information about permissions applied to the folders within Exchange mailboxes -- [EX_SendAs Job](ex_sendas.md) – Collects data from Active Directory to identify the Active +- [EX_SendAs Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/ex_sendas.md) – Collects data from Active Directory to identify the Active Directory rights applied to a mailbox 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_admingroups.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_admingroups.md index 0c9c1c09ef..200239d39b 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_admingroups.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_admingroups.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_AdminGroups Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/admingroupsanalysis.webp) +![Analysis Tasks for the EX_AdminGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/admingroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_mailboxaccess.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_mailboxaccess.md index 5c7f13bdef..1892578cc7 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_mailboxaccess.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_mailboxaccess.md @@ -12,7 +12,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailbox Access Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/mailboxaccessanalysis.webp) +![Analysis Tasks for the EX_Mailbox Access Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/permissions/mailboxaccessanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/overview.md index 263e026960..7fa8fe7318 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/overview.md @@ -6,15 +6,15 @@ Delegation, and Folder Permissions. **_RECOMMENDED:_** Schedule the Permissions job group to run weekly on Fridays at 6 PM. -![Permissions Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The job groups and jobs in the Permissions job group are: -- [0. Collection Job Group](collection/overview.md) – Comprised of data collection and analysis that +- [0. Collection Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/collection/overview.md) – Comprised of data collection and analysis that focus on access granted to each mailbox in the environment including: Mailbox Rights, Active Directory Permissions, Delegation, and Folder Permissions -- [EX_AdminGroups Job](ex_admingroups.md) – Provides visibility into the direct and effective +- [EX_AdminGroups Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_admingroups.md) – Provides visibility into the direct and effective membership of Exchange Administrative groups -- [EX_MailboxAccess Job](ex_mailboxaccess.md) – Provides visibility into access granted to each +- [EX_MailboxAccess Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/permissions/ex_mailboxaccess.md) – Provides visibility into access granted to each mailbox in the environment taking into consideration Mailbox Rights, Active Directory Permissions, Delegation, and Folder Permissions 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md index c6026fe042..8de86f9562 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md @@ -7,7 +7,7 @@ This job group requires the following items to be enabled: - Exchange Access Auditing is enabled in the Exchange environment - This is required for the Logons Job Group. See the - [Enable Exchange Mailbox Access Auditing](../../../requirements/solutions/exchange/powershell.md#enable-exchange-mailbox-access-auditing) + [Enable Exchange Mailbox Access Auditing](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md#enable-exchange-mailbox-access-auditing) topic for additional information. The following job groups need to be successfully run: @@ -49,9 +49,9 @@ A Connection Profile must be set directly on the collection jobs within each sub - **Sizing** > **0. Collection** > **EX_MBSize** Job -See the [Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for the required permissions. See the -[Exchange Custom Connection Profile & Host List](../../../admin/datacollector/exchangeps/configurejob.md) +[Exchange Custom Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mailboxsizes.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mailboxsizes.md index 7f1a7be29e..58a97385aa 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mailboxsizes.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mailboxsizes.md 
@@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailbox Sizes Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/mailboxsizesanalysis.webp) +![Analysis Tasks for the EX_Mailbox Sizes Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/mailboxsizesanalysis.webp) The following analysis tasks are selected by default: @@ -22,7 +22,7 @@ The following analysis tasks are selected by default: - The default is 6 months. It can be modified. - See the - [Exchange History Retention](../../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information - 04.Store History – Creates the SA_EX_MailboxSizes_StoreHistory table, accessible under the job’s @@ -43,7 +43,7 @@ troubleshooting and cleanup only. Data will be deleted from the database: - 00.Delete All Data - See the - [Troubleshooting Data Collection](../../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_MailboxAccess Job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mbsize.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mbsize.md index f2e4faddcb..9f6a53f3ce 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mbsize.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mbsize.md @@ -3,7 +3,7 @@ The EX_MBSize job collects information from the Exchange environment about the mailbox sizes in the environment. -![0.Collection > EX_MBSize Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection > EX_MBSize Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The EX_MBSize job is located in the 0.Collection job group. @@ -11,7 +11,7 @@ The EX_MBSize job is located in the 0.Collection job group. The EX_MBSize Job uses the ExchangePS Data Collector. -![Queries for the EX_MBSize Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/mbsizequery.webp) +![Queries for the EX_MBSize Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/mbsizequery.webp) The following query is included in the EX_MBSize Job: @@ -19,10 +19,10 @@ The following query is included in the EX_MBSize Job: - By default set to search all mailboxes. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information **NOTE:** The ExchangePS Data Collector is capable of targeting Exchange Online as well as Exchange on-premises environments. See the - [Exchange PowerShell Permissions](../../../../requirements/solutions/exchange/powershell.md) + [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements. 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_stalemailboxes.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_stalemailboxes.md index 53db66cc10..cd9a63d81e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_stalemailboxes.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_stalemailboxes.md @@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_StaleMailboxes Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/stalemailboxesanalysis.webp) +![Analysis Tasks for the EX_StaleMailboxes Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/stalemailboxesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_storesizes.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_storesizes.md index c6a6902028..356c607366 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_storesizes.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_storesizes.md @@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **4. Mailboxes** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_StoreSizes Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/storesizesanalysis.webp) +![Analysis Tasks for the EX_StoreSizes Job](/img/product_docs/accessanalyzer/solutions/exchange/mailboxes/sizing/storesizesanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/overview.md index 93ffc254ee..ff6fc58f17 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/overview.md @@ -5,15 +5,15 @@ growth, and trends. **_RECOMMENDED:_** Schedule the Sizing job group to run daily at 4 AM. -![Sizing Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Sizing Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Sizing job group are: -- [0.Collection > EX_MBSize Job](ex_mbsize.md) – Collects information from the environment about the +- [0.Collection > EX_MBSize Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mbsize.md) – Collects information from the environment about the mailbox sizes in the environment -- [EX_MailboxSizes Job](ex_mailboxsizes.md) – Provides analysis and reporting around Mailbox sizing +- [EX_MailboxSizes Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_mailboxsizes.md) – Provides analysis and reporting around Mailbox sizing and growth -- [EX_StaleMailboxes Job](ex_stalemailboxes.md) – Provides analysis and reporting around orphaned +- [EX_StaleMailboxes Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_stalemailboxes.md) – Provides analysis and reporting around orphaned and Stale Mailboxes -- [EX_StoreSizes Job](ex_storesizes.md) – Provides analysis and reporting around Database Sizing +- [EX_StoreSizes Job](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/sizing/ex_storesizes.md) – Provides analysis and reporting around Database Sizing based on Mailbox Sizes 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow.md index 53ba3f2110..74ea84670f 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow.md @@ -2,7 +2,7 @@ The EX_Mailflow job collects message trace data from Office 365. -![0. Collection > EX_Mailflow Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0. Collection > EX_Mailflow Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The EX_Mailflow job is located in the **Mailflow** > **0. Collection** job group. @@ -10,7 +10,7 @@ The EX_Mailflow job is located in the **Mailflow** > **0. Collection** job group The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The EX_Mailflow job has the following configurable parameter: @@ -24,7 +24,7 @@ additional information. The EX_Mailflow job uses the ExchangePS Data Collector. -![Queries for the EX_Mailflow Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowqueries.webp) +![Queries for the EX_Mailflow Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowqueries.webp) The following queries are included in the EX_Mailflow job: 
@@ -39,7 +39,7 @@ The following queries are included in the EX_Mailflow job: **CAUTION:** Do not modify this query. The query is preconfigured for this job. - - See the [ExchangePS Data Collector](../../../../admin/datacollector/exchangeps/overview.md) + - See the [ExchangePS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md) topic for additional information ### Configure the ExchangePS Data Collector for Mail Flow Metrics @@ -60,11 +60,11 @@ Wizard opens. **CAUTION:** Do not modify other wizard pages. The wizard pages are pre-configured for this job. -![ExchangePS Data Collector Wizard Mail Flow page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowmetricsdcwizard.webp) +![ExchangePS Data Collector Wizard Mail Flow page](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowmetricsdcwizard.webp) **Step 4 –** To modify the report dates, navigate to the Mail Flow page. Set the report data range as desired. See the -[ExchangePS Data Collector](../../../../admin/datacollector/exchangeps/overview.md) topic for +[ExchangePS Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/overview.md) topic for additional information. _Remember,_ the date range must be 7 days or less. @@ -81,7 +81,7 @@ Collection** > **EX_Mailflow** > **Configure** node and selecting **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailflow Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowanalysis.webp) +![Analysis Tasks for the EX_Mailflow Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowanalysis.webp) The following analysis tasks are selected by default: 
@@ -95,7 +95,7 @@ The following analysis tasks are selected by default: - By default, retention is set to 6 months. This period can be modified. See the [Parameter Configuration](#parameter-configuration) topic for additional information. - Alternatively, the `@Months` parameter can be modified in the SQL Script Editor. See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information The following analysis task deletes table data from data collection and analysis jobs. This analysis @@ -107,5 +107,5 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 0. Deletes all Stored Data - LEAVE UNCHECKED – Deletes all historical data - See the - [Troubleshooting Data Collection](../../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_dl.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_dl.md index 1cecd186c5..b6ca1b022b 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_dl.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_dl.md 
@@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **Exchange** > **8. Exchange Online **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailflow_DL Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowdlanalysis.webp) +![Analysis Tasks for the EX_Mailflow_DL Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowdlanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_domain.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_domain.md index ee96131c19..d05403df19 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_domain.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_domain.md @@ -7,7 +7,7 @@ coming from. This job is set to analyze the last 30 days. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The EX_Mailflow_Domain job has the following configurable parameter: 
@@ -26,7 +26,7 @@ View the analysis task by navigating to the **Exchange** > **8. Exchange Online* **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_Mailflow_Domain Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowdomainanalysis.webp) +![Analysis Tasks for the EX_Mailflow_Domain Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowdomainanalysis.webp) The following analysis task is selected by default: @@ -37,7 +37,7 @@ The following analysis task is selected by default: modified. See the [Parameter Configuration](#parameter-configuration) topic for additional information. - Alternatively, the `@Days` parameter can be modified in the SQL Script Editor. See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information In addition to the tables and views created by the analysis task, the EX_Mailflow_Domain job diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_mailbox.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_mailbox.md index c1845926e4..04d2414487 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_mailbox.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_mailbox.md 
@@ -7,7 +7,7 @@ This job is set to analyze the last 30 days. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The EX_Mailflow_Mailbox job has the following configurable parameter: @@ -27,7 +27,7 @@ View the analysis tasks by navigating to the **Exchange** > **8. Exchange Online **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_Mailflow_Mailbox Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowmailboxanalysis.webp) +![Analysis Tasks for the EX_Mailflow_Mailbox Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowmailboxanalysis.webp) The following analysis tasks are selected by default: @@ -39,7 +39,7 @@ The following analysis tasks are selected by default: - By default, counts are collected for the last 30 days. The number of days can be modified with the `@Days` parameter. - See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information - User Mailboxes by Message Size – Creates the EX_MailFlow_UserBySize table, accessible under the 
@@ -48,7 +48,7 @@ The following analysis tasks are selected by default: - By default, sizes are selected for the last 30 days. The number of days can be modified with the `@Days` parameter. - See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_Mailflow_Mailbox job diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_orgoverview.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_orgoverview.md index 9f3b5ba41f..68969333e4 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_orgoverview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_orgoverview.md @@ -7,7 +7,7 @@ This job is set to analyze the last 30 days. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The EX_Mailflow_OrgOverview job has the following configurable parameter: 
@@ -23,7 +23,7 @@ topic for additional information. View the analysis tasks by navigating to the **Exchange** > **8. Exchange Online** > **EX_OrgOverview_Mailbox** > **Configure** node and select **Analysis**. -![Analysis Tasks for the EX_Mailflow_OrgOverview Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailfloworgoverviewanalysis.webp) +![Analysis Tasks for the EX_Mailflow_OrgOverview Job](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailfloworgoverviewanalysis.webp) The following analysis task is selected by default: @@ -33,7 +33,7 @@ The following analysis task is selected by default: - By default, data for 30 days is displayed. This number of days can be modified by a parameter. See the [Parameter Configuration](#parameter-configuration) topic for additional information. - Alternatively, the `@Days` parameter can be modified in the SQL Script Editor. See the - [Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. In addition to the tables and views created by the analysis task, the EX_Mailflow_OrgOverview job diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/overview.md index 5fed06c7e1..f33644c4ac 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/overview.md 
@@ -4,17 +4,17 @@ The Mailbox job group is comprised of jobs that process and analyze the Message Office 365 environment. This job group parses message tracking and stores the data for analysis and reporting in the Access Analyzer database. -![Mailflow Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowjobstree.webp) +![Mailflow Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/online/mailflow/mailflowjobstree.webp) The jobs in the Mailflow job group are: -- [0. Collection > EX_Mailflow Job](ex_mailflow.md) – Collects message trace data from an Office 365 +- [0. Collection > EX_Mailflow Job](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow.md) – Collects message trace data from an Office 365 server -- [EX_Mailflow_DL Job](ex_mailflow_dl.md) – Comprised of analysis and reports which provide +- [EX_Mailflow_DL Job](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_dl.md) – Comprised of analysis and reports which provide information around distribution list usage -- [EX_Mailflow_Domain Job](ex_mailflow_domain.md) – Comprised of analysis and reports which provide +- [EX_Mailflow_Domain Job](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_domain.md) – Comprised of analysis and reports which provide information about which domains mail flow is going to and coming from -- [EX_Mailflow_Mailbox Job](ex_mailflow_mailbox.md) – Comprised of analysis and reports which +- [EX_Mailflow_Mailbox Job](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_mailbox.md) – Comprised of analysis and reports which provide information around each user's mail-flow in the organization -- [EX_Mailflow_OrgOverview Job](ex_mailflow_orgoverview.md) – Comprised of analysis and reports +- [EX_Mailflow_OrgOverview 
Job](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/ex_mailflow_orgoverview.md) – Comprised of analysis and reports which provide information around the overall traffic in the organization diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/online/overview.md index 9fed81c895..3a4b969b11 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/overview.md @@ -2,10 +2,10 @@ The 8. Exchange Online job group collects message trace data from Office 365. -![8.Exchange Online Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![8.Exchange Online Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The job group in the 8. Exchange Online job group is: -- [Mailflow Job Group](mailflow/overview.md) – Comprised of Jobs that process and analyze the +- [Mailflow Job Group](/docs/accessanalyzer/12.0/solutions/exchange/online/mailflow/overview.md) – Comprised of Jobs that process and analyze the Message Tracking Logs in the Office 365 environment. This job group parses message tracking and stores the data for analysis and reporting in the Access Analyzer database. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/online/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/online/recommended.md index befe777120..7b73ce8318 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/online/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/online/recommended.md 
@@ -17,12 +17,12 @@ PowerShell Data Collector. The host list needs to be set to one of the following - The host list should include the tenant name of the Microsoft Entra tenant used to connect to Exchange Online. See the - [Exchange Online Host List](../../../admin/datacollector/exchangeps/configurejob.md#exchange-online-host-list) + [Exchange Online Host List](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md#exchange-online-host-list) topic for additional information. Connection Profile -See the [Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) +See the [Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for the EX_Mailflow job requirements. Additionally, the Exchange Online job group needs access to the following Exchange Online URLs to @@ -33,7 +33,7 @@ perform collection: - EWS – https://outlook.office365.com/EWS/Exchange.asmx See the -[Exchange Custom Connection Profile & Host List](../../../admin/datacollector/exchangeps/configurejob.md) +[Exchange Custom Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/configurejob.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/exchange/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/overview.md index 53513e56cb..1a263c2a25 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/overview.md 
@@ -16,15 +16,15 @@ Supported Platforms - Exchange 2010 (Limited) See the -[Exchange Support and Permissions Explained](../../requirements/solutions/exchange/support.md) topic +[Exchange Support and Permissions Explained](/docs/accessanalyzer/12.0/requirements/solutions/exchange/support.md) topic for additional information. Requirements, Permissions, and Ports See the -[Target Exchange Servers Requirements, Permissions, and Ports](../../requirements/target/exchange.md) +[Target Exchange Servers Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/exchange.md) and -[Target Exchange Online Requirements, Permissions, and Ports](../../requirements/target/exchangeonline.md) +[Target Exchange Online Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/exchangeonline.md) topics for additional information. Sensitive Data Discovery Considerations 
@@ -53,42 +53,42 @@ generates reports. The Exchange Solution is divided into categories based upon what is being audited. -![Exchange Job Group Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Exchange Job Group Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The following job groups comprise the Exchange Solution: -- [1.HUB Metrics Job Group](hubmetrics/overview.md) – Comprised of data collection, analysis and +- [1.HUB Metrics Job Group](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/overview.md) – Comprised of data collection, analysis and reports that focus on mail-flow activity occurring within your organization. This job group goes out to each server that contains the Message Tracking Logs and parses the log to return the data to the Access Analyzer database. -- [2.CAS Metrics Job Group](casmetrics/overview.md) – Comprised of data collection, analysis and +- [2.CAS Metrics Job Group](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/overview.md) – Comprised of data collection, analysis and reports that focus on remote connections (Outlook Web Access, ActiveSync, and Outlook Anywhere Access) occurring within your organization. This job group goes out to each server that contains the IIS Logs and parses the log to return the data to the Access Analyzer database. 
-- [3.Databases Job Group](databases/overview.md) – Comprised of data collection, analysis and +- [3.Databases Job Group](/docs/accessanalyzer/12.0/solutions/exchange/databases/overview.md) – Comprised of data collection, analysis and reports that focus on database sizing, growth, and trends -- [4.Mailboxes Job Group](mailboxes/overview.md) – Comprised of data collection, analyses, and +- [4.Mailboxes Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/overview.md) – Comprised of data collection, analyses, and reports around mailbox features, logons, permissions, and sizing **CAUTION:** It is not recommended to run this job group at this job group level. - - See the [Recommended Configurations for the 4. Mailboxes Job Group](mailboxes/recommended.md) + - See the [Recommended Configurations for the 4. Mailboxes Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md) topic for this job group. All jobs within this group are compatible with the Office 365 environment. -- [5. Public Folders Job Group](publicfolders/overview.md) – Comprised of data collection, analysis +- [5. Public Folders Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/overview.md) – Comprised of data collection, analysis and reports that focus on public folder sizing, content aging, entitlement, ownership, and the identification of each public folder’s Most Probable Owner. The Most Probable Owner is a unique algorithm built into the public folder data collector that is determined based on folder ownership, content posted, and size of content posted. -- [6. Distribution Lists Job Group](distributionlists/overview.md) – Lists the direct and effective +- [6. 
Distribution Lists Job Group](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/overview.md) – Lists the direct and effective membership to distribution lists in addition to providing context around potentially stale distribution lists -- [7.Sensitive Data Job Group](sensitivedata/overview.md) – Comprised of jobs which locate sensitive +- [7.Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/overview.md) – Comprised of jobs which locate sensitive data found in mailboxes and public folders in the Exchange environment -- [8.Exchange Online Job Group](online/overview.md) – Comprised of jobs that locate sensitive data +- [8.Exchange Online Job Group](/docs/accessanalyzer/12.0/solutions/exchange/online/overview.md) – Comprised of jobs that locate sensitive data found in mailboxes and public folders in the Exchange environment -- [EX_UserOverview Job](ex_useroverview.md) – provides correlation from multiple data collection +- [EX_UserOverview Job](/docs/accessanalyzer/12.0/solutions/exchange/ex_useroverview.md) – provides correlation from multiple data collection points to show information for each user about their mailbox size, mailbox access rights, mail-flow metrics and remote connectivity to the Exchange environment. These reports provide user impact analysis on the environment. This job depends upon multiple job groups. @@ -96,4 +96,4 @@ The following job groups comprise the Exchange Solution: The MAPI-based data collectors require both Access Analyzer MAPI CDO and Microsoft Exchange MAPI CDO to be installed on the Access Analyzer Console server. Once these have been installed, configure the **Settings** > **Exchange** node for proper connection to the Exchange server. See the -[Exchange](../../admin/settings/exchange.md) topic for additional information. +[Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. 
diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/overview.md index 65266badb4..f3421210da 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/overview.md @@ -2,11 +2,11 @@ The Content job group provides visibility into public folder sizing and content aging. -![Content Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Content Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Content job group are: -- [Collection > PF_ContentScans Job](pf_contentscans.md) – Comprised of data collection that focuses +- [Collection > PF_ContentScans Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_contentscans.md) – Comprised of data collection that focuses on public folder content aging within each public folder -- [PF_Content Job](pf_content.md) – Comprised of analysis and reports which focus on public folder +- [PF_Content Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_content.md) – Comprised of analysis and reports which focus on public folder sizing and content aging diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_content.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_content.md index dd774909b8..a87f748cad 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_content.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_content.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **5. Public Folders* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_Content Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentanalysis.webp) +![Analysis Tasks for the PF_Content Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_contentscans.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_contentscans.md index e92c039c65..68ebb1f44b 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_contentscans.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/pf_contentscans.md @@ -3,7 +3,7 @@ The PF_ContentScans job is comprised of data collection that focuses on public folder content aging within each public folder. -![Collection > PF_ContentScans Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![Collection > PF_ContentScans Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The PF_ContentScans job is located in the 0.Collection job group. 
@@ -11,7 +11,7 @@ The PF_ContentScans job is located in the 0.Collection job group. The PF_ContentScans job uses the ExchangePS Data Collector. -![Queries for the PF_ContentScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentscansquery.webp) +![Queries for the PF_ContentScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentscansquery.webp) The following query is included in the PF_ContentScans job: @@ -19,7 +19,7 @@ The following query is included in the PF_ContentScans job: - By default set to search all public folders. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information ## Analysis Tasks for the PF_ContentScans Job @@ -30,7 +30,7 @@ View the analysis task by navigating to the **Exchange** > **5. Public Folders** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the PF_ContentScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentscansanalysis.webp) +![Analysis Tasks for the PF_ContentScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/content/contentscansanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/overview.md index f3eaf9a034..3ac0434982 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/overview.md 
@@ -3,11 +3,11 @@ The Growth and Size job group is comprised of data collection, analysis, and reports that focus on public folder sizing and growth. -![Growth and Size Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Growth and Size Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Growth and Size job group are: -- [Collection > PF_FolderScans Job](pf_folderscans.md) – Comprised of data collection that focuses +- [Collection > PF_FolderScans Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_folderscans.md) – Comprised of data collection that focuses on collecting sizing information for each public folder -- [PF_FolderSize Job](pf_foldersize.md) – Provides details related to public folder sizing and +- [PF_FolderSize Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_foldersize.md) – Provides details related to public folder sizing and growth diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_folderscans.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_folderscans.md index efc82537d3..7b8d209724 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_folderscans.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_folderscans.md @@ -3,7 +3,7 @@ The PF_FolderScans job is comprised of data collection that focuses on collecting sizing information for each public folder. -![Collection > PF_FolderScans Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![Collection > PF_FolderScans Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The PF_FolderScans job is located in the Collection job group. 
@@ -11,7 +11,7 @@ The PF_FolderScans job is located in the Collection job group. The PF_FolderScans job uses the ExchangePS Data Collector. -![Queries for the PF_FolderScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/folderscansquery.webp) +![Queries for the PF_FolderScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/folderscansquery.webp) The following query is included in the PF_FolderScans Job: @@ -19,7 +19,7 @@ The following query is included in the PF_FolderScans Job: - By default set to search all public folders. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information ## Analysis Tasks for the PF_FolderScans Job @@ -30,7 +30,7 @@ Size** > **Collection** > **PF_FolderScans** > **Configure** node and select ** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the PF_FolderScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/folderscansanalysis.webp) +![Analysis Tasks for the PF_FolderScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/folderscansanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_foldersize.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_foldersize.md index c8c6c304ba..b6f3eefe01 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_foldersize.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/pf_foldersize.md 
@@ -10,7 +10,7 @@ Size** > **PF_FolderSize** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_FolderSize Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/foldersizeanalysis.webp) +![Analysis Tasks for the PF_FolderSize Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/growthsize/foldersizeanalysis.webp) The following analysis tasks are selected by default: @@ -20,7 +20,7 @@ The following analysis tasks are selected by default: - The default is 3 months. It can be modified. - See the - [Exchange History Retention](../../hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) + [Exchange History Retention](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#exchange-history-retention) topic for additional information - 03.Latest Run Per Folder – Creates the SA_PF_FolderSize_Latest table, accessible under the job’s @@ -36,7 +36,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - 00.Delete all Historical Data - See the - [Troubleshooting Data Collection](../../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the PF_FolderSize job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/overview.md index 288c217598..a38c738e82 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/overview.md 
@@ -6,20 +6,20 @@ folder’s Most Probable Owner. The Most Probable Owner is a unique algorithm folder data collector that is determined based on folder ownership, content posted, and size of content posted. -![5.Public Folders Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![5.Public Folders Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following comprise the 5. Public Folders job group: -- [Content Job Group](content/overview.md) – Provides visibility into public folder sizing and +- [Content Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/content/overview.md) – Provides visibility into public folder sizing and content aging -- [Growth and Size Job Group](growthsize/overview.md) – Comprised of data collection, analysis, and +- [Growth and Size Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/growthsize/overview.md) – Comprised of data collection, analysis, and reports that focus on public folder sizing and growth -- [Ownership Job Group](ownership/overview.md) – Comprised of analysis and reports that focus on +- [Ownership Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/overview.md) – Comprised of analysis and reports that focus on public folder ownership, and most importantly the identification of each public folder's Most Probable Owner -- [Permissions Job Group](permissions/overview.md) – Provides visibility into permissions applied to +- [Permissions Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/overview.md) – Provides visibility into permissions applied to each public folder -- [PF_Overview Job](pf_overview.md) – Comprised of analysis and reports that provides a top level +- [PF_Overview Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/pf_overview.md) – Comprised of analysis and reports that provides a top 
level summary of each parent public folder and correlates information from the message tracking logs to identify the last time a public folder received mail @@ -27,4 +27,4 @@ The **5. Public Folders** > **Ownership** job group uses the ExchangePublicFolde collector. Therefore, it requires both Access Analyzer MAPI CDO and Microsoft Exchange MAPI CDO to be installed on the Access Analyzer Console server. Once these have been installed, the **Settings** > **Exchange** node must be configured for proper connection to the Exchange server. -See the [Exchange](../../../admin/settings/exchange.md) topic for additional information. +See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/overview.md index 66ac82d63a..5f4d794b88 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/overview.md 
@@ -5,12 +5,12 @@ and most importantly the identification of each public folder's Most Probable O Probable Owner is a unique algorithm built into the public folder data collector that is determined based on folder ownership, content posted, and size of content posted. -![Ownership Job Group](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Ownership Job Group](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The obs in the Ownership job group are: -- [Collection > PF_FolderOwnership Job](pf_folderownership.md) – Focuses on public folder sizing, +- [Collection > PF_FolderOwnership Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_folderownership.md) – Focuses on public folder sizing, content aging, entitlement, ownership, and most importantly the identification of each public folder's Most Probable Owner -- [PF_Owners Job](pf_owners.md) – Comprised of analysis and reports that focus on public folder +- [PF_Owners Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_owners.md) – Comprised of analysis and reports that focus on public folder ownership, and most importantly the identification of each public folder's Most Probable Owner diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_folderownership.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_folderownership.md index 5feb9d5d4e..ff7c745503 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_folderownership.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_folderownership.md 
@@ -6,7 +6,7 @@ algorithm built into the public folder data collector that is determined based o content posted, and size of content posted. Modifications can be made to the data collector to change the way the Most Probable Owner is determined. -![Collection > PF_FolderOwnership Job in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![Collection > PF_FolderOwnership Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The PF_FolderOwnership job is located in the Collection job group. @@ -14,7 +14,7 @@ The PF_FolderOwnership job is located in the Collection job group. The PF_FolderOwnership job uses the ExchangePublicFolder Data Collector. -![Queries for the PF_FolderOwnership Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/folderownershipquery.webp) +![Queries for the PF_FolderOwnership Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/folderownershipquery.webp) The following queries are included in the PF_FolderOwnership job: @@ -52,7 +52,7 @@ Data Collector Wizard opens. **CAUTION:** Do not modify other wizard pages. The wizard pages are pre-configured for this job. -![Exchange Public Folder Data Collector Wizard Scope page](../../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Exchange Public Folder Data Collector Wizard Scope page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 4 –** To modify the scope of the search, navigate to the Scope page. The scope is configured using the following settings: 
@@ -80,10 +80,10 @@ using the following settings: _Remember,_ the scoping options available vary based on the pre-defined query configurations. -See the [ExchangePublicFolder: Scope](../../../../admin/datacollector/exchangepublicfolder/scope.md) +See the [ExchangePublicFolder: Scope](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/scope.md) topic for additional information. -![Exchange Public Folder Data Collector Wizard Probable Owner Settings page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/dcwizardprobableownersettings.webp) +![Exchange Public Folder Data Collector Wizard Probable Owner Settings page](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/dcwizardprobableownersettings.webp) **Step 5 –** To modify the probable owner calculation, navigate to the Probable Owner page. The calculation is configured with the following defaults: @@ -94,7 +94,7 @@ calculation is configured with the following defaults: - Output options – Configures the number of returned probable owners See the -[ExchangePublicFolder: Probable Owner](../../../../admin/datacollector/exchangepublicfolder/probableowner.md) +[ExchangePublicFolder: Probable Owner](/docs/accessanalyzer/12.0/admin/datacollector/exchangepublicfolder/probableowner.md) topic for additional information. **Step 6 –** Navigate to the Summary page. Click **Finish**. 
@@ -109,7 +109,7 @@ View the analysis task by navigating to the **Exchange** > **5. Public Folders** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the PF_FolderOwnership Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/folderownershipanalysis.webp) +![Analysis Tasks for the PF_FolderOwnership Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/folderownershipanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_owners.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_owners.md index 257b4f6baf..6b5bb9c327 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_owners.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/ownership/pf_owners.md @@ -13,7 +13,7 @@ View the analysis tasks by navigating to the **Exchange** > **5. Public Folders* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_Owners Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/ownersanalysis.webp) +![Analysis Tasks for the PF_Owners Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/ownership/ownersanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/overview.md index fa7d4df744..369ea7414d 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/overview.md 
@@ -2,11 +2,11 @@ The Permissions job group provides visibility into permissions applied to each public folder. -![Permissions Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Permissions job group are: -- [Collection > PF_EntitlementScans Job](pf_entitlementscans.md) – Comprised of data collection that +- [Collection > PF_EntitlementScans Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlementscans.md) – Comprised of data collection that focuses on public folder permissions -- [PF_Entitlements Job](pf_entitlements.md) – Comprised of analyses and reports that provide +- [PF_Entitlements Job](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlements.md) – Comprised of analyses and reports that provide visibility into permissions applied to each public folder within the Exchange environment diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlements.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlements.md index 8c6b40957e..41990972f8 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlements.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlements.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **5. Public Folders* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_EntitlementScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementsanalysis.webp) +![Analysis Tasks for the PF_EntitlementScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlementscans.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlementscans.md index 1fd496f8dc..ace03f784e 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlementscans.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/permissions/pf_entitlementscans.md @@ -3,7 +3,7 @@ The PF_EntitlementScans job is comprised of data collection that focuses on public folder permissions. -![Collection > PF_EntitlementScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![Collection > PF_EntitlementScans Job](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The PF_EntitlementScans job is located in the Collection job group. 
@@ -11,7 +11,7 @@ The PF_EntitlementScans job is located in the Collection job group. The PF_EntitlementScans job uses the ExchangePS Data Collector. -![Queries for the PF_EntitlementScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementscansquery.webp) +![Queries for the PF_EntitlementScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementscansquery.webp) The following query is included in the PF_EntitlementScans job: @@ -19,7 +19,7 @@ The following query is included in the PF_EntitlementScans job: - By default set to search all public folders. It can be scoped. - See the - [Scope the ExchangePS Data Collector](../../casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) + [Scope the ExchangePS Data Collector](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/ex_aspolicies.md#scope-the-exchangeps-data-collector) topic for additional information ## Analysis Tasks for the PF_EntitlementScans Job @@ -31,7 +31,7 @@ View the analysis tasks by navigating to the **Exchange** > **5. Public Folders* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_EntitlementScans Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementscansanalysis.webp) +![Analysis Tasks for the PF_EntitlementScans Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/permissions/entitlementscansanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/pf_overview.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/pf_overview.md index 97bdcf35e3..23f95c9c62 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/pf_overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/pf_overview.md @@ -12,7 +12,7 @@ View the analysis tasks by navigating to the **Exchange** > **5. Public Folders* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the PF_Overview Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/overviewanalysis.webp) +![Analysis Tasks for the PF_Overview Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/overviewanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/recommended.md index 4ac2fa1b93..523a691a45 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/recommended.md 
@@ -41,19 +41,19 @@ list: Connection Profile A Connection Profile must be set directly on the collection jobs. See the -[Exchange PowerShell Permissions](../../../requirements/solutions/exchange/powershell.md) topic for +[Exchange PowerShell Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/powershell.md) topic for credential requirements and assign the Connection Profile to the following jobs: - **Content** > **Collection** > **PF_ContentScans** Job - **Growth and Size** > **Collection** > **PF_FolderScans** Job - **Permissions** > **Collection** > **PF_EntitlementScans** Job -See the [MAPI-Based Data Collector Permissions](../../../requirements/solutions/exchange/mapi.md) +See the [MAPI-Based Data Collector Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/mapi.md) topic for credential requirements and assign the Connection Profile to the following job: - **Ownership** > **Collection** > **PF_FolderOwnership** Job -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/exchange/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/recommended.md index c010f73710..6047b25b52 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/recommended.md 
@@ -3,14 +3,14 @@ Each job group within the Exchange Solution has its own Recommended Configurations topic. See the relevant topic for specific information on job group settings and recommended schedule frequency. -- [Recommended Configurations for the 1. HUB Metrics Job Group](hubmetrics/recommended.md) -- [Recommended Configurations for the 2. CAS Metrics Job Group](casmetrics/recommended.md) -- [Recommended Configurations for the 3. Databases Job Group](databases/recommended.md) -- [Recommended Configurations for the 4. Mailboxes Job Group](mailboxes/recommended.md) -- [Recommended Configurations for the 5. Public Folders Job Group](publicfolders/recommended.md) -- [Recommended Configurations for the 6. Distribution Lists Job Group](distributionlists/recommended.md) -- [Recommended Configurations for the 7. Sensitive Data Job Group](sensitivedata/recommended.md) -- [Recommended Configurations for the 8. Exchange Online Job Group](online/recommended.md) +- [Recommended Configurations for the 1. HUB Metrics Job Group](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/recommended.md) +- [Recommended Configurations for the 2. CAS Metrics Job Group](/docs/accessanalyzer/12.0/solutions/exchange/casmetrics/recommended.md) +- [Recommended Configurations for the 3. Databases Job Group](/docs/accessanalyzer/12.0/solutions/exchange/databases/recommended.md) +- [Recommended Configurations for the 4. Mailboxes Job Group](/docs/accessanalyzer/12.0/solutions/exchange/mailboxes/recommended.md) +- [Recommended Configurations for the 5. Public Folders Job Group](/docs/accessanalyzer/12.0/solutions/exchange/publicfolders/recommended.md) +- [Recommended Configurations for the 6. Distribution Lists Job Group](/docs/accessanalyzer/12.0/solutions/exchange/distributionlists/recommended.md) +- [Recommended Configurations for the 7. Sensitive Data Job Group](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/recommended.md) +- [Recommended Configurations for the 8. 
Exchange Online Job Group](/docs/accessanalyzer/12.0/solutions/exchange/online/recommended.md) ## ExchangePS Data Collector & Client Access Server @@ -41,11 +41,11 @@ Wizard opens. **CAUTION:** Unless otherwise indicated within the job group section, do not make changes to other wizard pages as they have been pre-configured for the purpose of the job. -![CAS name on ExchangePS Data Collector Wizard Category page](../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/exchangepscas.webp) +![CAS name on ExchangePS Data Collector Wizard Category page](/img/product_docs/accessanalyzer/solutions/exchange/exchangepscas.webp) **Step 4 –** On the Category page, select the **Use specific server** option and enter the CAS name in the text box. See the -[ExchangePS: Category](../../admin/datacollector/exchangeps/category.md) topic for additional +[ExchangePS: Category](/docs/accessanalyzer/12.0/admin/datacollector/exchangeps/category.md) topic for additional information. **Step 5 –** Navigate to the Summary page. Click **Finish**. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_mailbox_sdd.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_mailbox_sdd.md index db2dd57518..6fd7aae089 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_mailbox_sdd.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_mailbox_sdd.md @@ -6,7 +6,7 @@ The EX_Mailbox_SDD job locates sensitive data found in mailboxes in the Exchange The EX_Mailbox_SDD job uses the EWSMailbox Data Collector. -![Queries for the EX_Mailbox_SDD Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxsddquery.webp) +![Queries for the EX_Mailbox_SDD Job](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxsddquery.webp) The following query is included in the EX_Mailbox_SDD job: 
@@ -44,46 +44,46 @@ Wizard opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![EWS Mailbox Data Collector Wizard Mailbox scope settings page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxscopesettings.webp) +![EWS Mailbox Data Collector Wizard Mailbox scope settings page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxscopesettings.webp) **Step 4 –** To scope the query for specific mailboxes, navigate to the Scope page. The query is configured by default to target **All mailboxes**. Change the Mailboxes to be queried to **Select mailboxes from list**. See the -[EWSMailbox: Scope](../../../../admin/datacollector/ewsmailbox/scope.md) topic for additional +[EWSMailbox: Scope](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scope.md) topic for additional information. -![EWS Mailbox Data Collector Wizard Scope select page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxscopeselect.webp) +![EWS Mailbox Data Collector Wizard Scope select page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxscopeselect.webp) **Step 5 –** To retrieve available mailboxes, click **Retrieve** on the Scope Select page. Select the desired mailboxes and click **Add**. See the -[EWSMailbox: Scope Select](../../../../admin/datacollector/ewsmailbox/scopeselect.md) topic for +[EWSMailbox: Scope Select](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/scopeselect.md) topic for additional information. 
-![EWS Mailbox Data Collector Wizard SDD Options page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) +![EWS Mailbox Data Collector Wizard SDD Options page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) **Step 6 –** To enable storage of discovered sensitive data, navigate to the SDD Options page. Sensitive data matches can be limited to reduce storage space. See the -[EWSMailbox: SDD Options](../../../../admin/datacollector/ewsmailbox/sddoptions.md) topic for +[EWSMailbox: SDD Options](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/sddoptions.md) topic for additional information. **NOTE:** By default, discovered sensitive data strings are not stored in the Access Analyzer database. -![EWS Mailbox Data Collector Wizard Criteria page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![EWS Mailbox Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 7 –** To modify criteria, navigate to the Criteria page. Add or remove criteria as desired. -See the [EWSMailbox: Criteria](../../../../admin/datacollector/ewsmailbox/criteria.md) topic for +See the [EWSMailbox: Criteria](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/criteria.md) topic for additional information. 
- (Optional) To create custom criteria, see the - [Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information -![EWS Mailbox Data Collector Wizard Filter page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxfiltersettings.webp) +![EWS Mailbox Data Collector Wizard Filter page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxfiltersettings.webp) **Step 8 –** To filter the scan to specific mailbox folders, navigate to the Filter page. Include or exclude folders and attachments as desired. See the -[EWSMailbox Data Collector](../../../../admin/datacollector/ewsmailbox/overview.md) topic for +[EWSMailbox Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/overview.md) topic for additional information. - To modify the threshold for message size, set the **Limit message size to** value as desired. The 
@@ -91,10 +91,10 @@ additional information. - To modify the threshold for large attachment size, set the **Limit attachment size to** value as desired. The default is 2000 KB. -![EWS Mailbox Data Collector Wizard Results page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxresults.webp) +![EWS Mailbox Data Collector Wizard Results page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxresults.webp) **Step 9 –** Navigate to the Results page to select which properties are gathered based on category. -See the [EWSMailbox: Results](../../../../admin/datacollector/ewsmailbox/results.md) topic for +See the [EWSMailbox: Results](/docs/accessanalyzer/12.0/admin/datacollector/ewsmailbox/results.md) topic for additional information. **NOTE:** By default, all categories are selected under sensitive data. @@ -112,7 +112,7 @@ View the analysis task by navigating to the **Exchange** > **7.Sensitive Data** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the EX_Mailbox_SDD Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxsddanalysis.webp) +![Analysis Tasks for the EX_Mailbox_SDD Job](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/mailboxsddanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_publicfolder_sdd.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_publicfolder_sdd.md index 637331f727..413eaf001b 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_publicfolder_sdd.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_publicfolder_sdd.md 
@@ -7,7 +7,7 @@ environment. The EX_PublicFolder_SDD job uses the EWSPublicFolder Data Collector. -![Queries for the EX_PublicFolder_SDD Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfoldersddquery.webp) +![Queries for the EX_PublicFolder_SDD Job](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfoldersddquery.webp) The following query is included in the EX_PublicFolder_SDD job: 
@@ -41,31 +41,31 @@ Collector Wizard opens. **CAUTION:** Do not modify other wizard pages. The wizard pages are pre-configured for this job. -![EWS Public Folder Data Collector Wizard SDD Options page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) +![EWS Public Folder Data Collector Wizard SDD Options page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/sddoptions.webp) **Step 4 –** To enable storage of discovered sensitive data, navigate to the SDD Options page. Sensitive data matches can be limited to reduce storage space. See the -[EWSPublicFolder: SDD Options](../../../../admin/datacollector/ewspublicfolder/sddoptions.md) topic +[EWSPublicFolder: SDD Options](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/sddoptions.md) topic for additional information. **NOTE:** By default, discovered sensitive data strings are not stored in the Access Analyzer database. -![EWS Public Folder Data Collector Wizard Criteria page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![EWS Public Folder Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 5 –** To modify criteria, navigate to the Criteria page. Add or remove criteria as desired. -See the [EWSPublicFolder: Critieria](../../../../admin/datacollector/ewspublicfolder/critieria.md) +See the [EWSPublicFolder: Critieria](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/critieria.md) topic for additional information. 
- (Optional) To create custom criteria, see the - [Sensitive Data Criteria Editor](../../../../sensitivedatadiscovery/criteriaeditor/overview.md) + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information -![EWS Public Folder Data Collector Wizard Filter Settings page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfolderfiltersettings.webp) +![EWS Public Folder Data Collector Wizard Filter Settings page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfolderfiltersettings.webp) **Step 6 –** To filter the scan to specific mailbox folders, navigate to the Filter page. Include or exclude folders and attachments as desired. See the -[EWSPublicFolder: Filter](../../../../admin/datacollector/ewspublicfolder/filter.md) topic for +[EWSPublicFolder: Filter](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/filter.md) topic for additional information. - To modify the threshold for message size, set the **Limit message size to** value as desired. The 
@@ -73,11 +73,11 @@ additional information. - To modify the threshold for large attachment size, set the **Limit attachment size to** value as desired. The default is 2000 KB. -![EWS Public Folder Data Collector Wizard Results page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfolderresults.webp) +![EWS Public Folder Data Collector Wizard Results page](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/collection/publicfolderresults.webp) **Step 7 –** To select which properties are gathered based on category, navigate to the Results page.  See the -[EWSPublicFolder: Results](../../../../admin/datacollector/ewspublicfolder/results.md) topic for +[EWSPublicFolder: Results](/docs/accessanalyzer/12.0/admin/datacollector/ewspublicfolder/results.md) topic for additional information. **NOTE:** By default, all categories are selected under sensitive data. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/overview.md index d9707e6ba3..63b5dd6a76 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/overview.md 
@@ -3,10 +3,10 @@ The 0.Collection job group locates sensitive data found in mailboxes and public folders in the Exchange environment. -![0.Collection Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the 0.Collection job group are: -- [EX_Mailbox_SDD Job](ex_mailbox_sdd.md) – Collects potentially sensitive data in mailboxes -- [EX_PublicFolder_SDD Job](ex_publicfolder_sdd.md) – Collects potentially sensitive data in public +- [EX_Mailbox_SDD Job](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_mailbox_sdd.md) – Collects potentially sensitive data in mailboxes +- [EX_PublicFolder_SDD Job](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/ex_publicfolder_sdd.md) – Collects potentially sensitive data in public folders diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/ex_sddresults.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/ex_sddresults.md index 0791c734c4..23a0d168d6 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/ex_sddresults.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/ex_sddresults.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **Exchange** > **7. Sensitive Data* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the EX_SDDResults Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/sddresultsanalysis.webp) +![Analysis Tasks for the EX_SDDResults Job](/img/product_docs/accessanalyzer/solutions/exchange/sensitivedata/sddresultsanalysis.webp) The following analysis tasks are selected by default: 
@@ -37,7 +37,7 @@ troubleshooting and cleanup only. Data will be deleted from the database. - Deletes all Stored Data - LEAVE UNCHECKED – Clears all historical SDD data - See the - [Troubleshooting Data Collection](../hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) + [Troubleshooting Data Collection](/docs/accessanalyzer/12.0/solutions/exchange/hubmetrics/collection/ex_metricscollection.md#troubleshooting-data-collection) topic for additional information In addition to the tables and views created by the analysis tasks, the EX_SDDResults Job produces diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/overview.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/overview.md index b2e8d01d04..3a63f8f389 100644 --- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/overview.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/overview.md 
@@ -3,20 +3,20 @@ The 7. Sensitive Data job group is comprised of jobs which locate sensitive data found in mailboxes and public folders in the Exchange environment. -![7.Sensitive Data Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![7.Sensitive Data Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The following comprise the 7. Sensitive Data job group: **NOTE:** These jobs are compatible with the Office 365 environment. -- [0.Collection Job Group](collection/overview.md) – Locates sensitive data found in mailboxes and +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/collection/overview.md) – Locates sensitive data found in mailboxes and public folders in the Exchange environment -- [EX_SDDResults Job](ex_sddresults.md) – Contains analyses and reports to provide insight into the +- [EX_SDDResults Job](/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/ex_sddresults.md) – Contains analyses and reports to provide insight into the types of sensitive data that was located within Exchange mailboxes and public folders within the environment The 7. Sensitive Data job group is comprised of jobs that utilize the EWSMailbox and EWSPublicFolder Data Collectors to locate sensitive data found in mailboxes and public folders in the Exchange environment. It also contains analysis and reporting jobs to order and analyze the data returned by -the queries. See the [Exchange](../../../admin/settings/exchange.md) topic for additional +the queries. See the [Exchange](/docs/accessanalyzer/12.0/admin/settings/exchange.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/recommended.md b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/recommended.md index cdc2e8c7b1..a8d1b3126e 100644 
--- a/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/exchange/sensitivedata/recommended.md @@ -27,10 +27,10 @@ through host inventory results. Connection Profile A Connection Profile must be set directly on jobs within the 0.Collection job group. See the -[Exchange Web Services API Permissions](../../../requirements/solutions/exchange/webservicesapi.md) +[Exchange Web Services API Permissions](/docs/accessanalyzer/12.0/requirements/solutions/exchange/webservicesapi.md) topic for the EX_PFInfo job requirements. -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md index d59280a98a..d294fd111a 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **5.Activity** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_Deletions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) +![Analysis Tasks for the FS_Deletions Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) The following analysis tasks are selected by default: 
@@ -57,11 +57,11 @@ Follow the steps to configure a notification analysis task. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Notification Data Analysis Module wizard SMTP page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtp.webp) +![Notification Data Analysis Module wizard SMTP page](/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtp.webp) **Step 3 –** Navigate to the SMTP page of the wizard. -![Recipients section](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtprecipients.webp) +![Recipients section](/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtprecipients.webp) **Step 4 –** In the Recipients section, provide the email addresses or distribution lists (fully qualified address) for those who are to receive this notification. Multiple addresses can be @@ -74,7 +74,7 @@ provided. You can use the following options: **_RECOMMENDED:_** Leave the **Combine multiple messages into single message** option selected. -![Message section](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtpmessage.webp) +![Message section](/img/product_docs/accessanalyzer/solutions/filesystem/activity/forensics/notificationsmtpmessage.webp) **Step 5 –** In the Message section, edit the **Subject**. It is not recommended to remove any parameters. Then, customize the email content in the textbox to provide an explanation of the diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_permissionchanges.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_permissionchanges.md index f87cf1a563..0d4a72e0da 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_permissionchanges.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_permissionchanges.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **5.Activity** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_PermissionChanges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) +![Analysis Tasks for the FS_PermissionChanges Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/overview.md index 61cf4fec47..48974e867b 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/overview.md 
@@ -3,17 +3,17 @@ The Forensics job group is designed to report on forensic related activity event information from targeted file servers. -![Forensics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Forensics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Forensics job group is comprised of: -- [FS_Deletions Job](fs_deletions.md) – Designed to report on deletion activity event information +- [FS_Deletions Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md) – Designed to report on deletion activity event information from targeted file servers - Includes a Notification analysis task option - Requires **Access Auditing** component data collection -- [FS_PermissionChanges Job](fs_permissionchanges.md) – Designed to report on permission change +- [FS_PermissionChanges Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_permissionchanges.md) – Designed to report on permission change activity event information from targeted file servers - Includes a Notification analysis task option diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md index d94f0b1100..a0294db438 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md 
@@ -5,7 +5,7 @@ in identifying least privilege from targeted file servers. It identifies where t leveraging their permissions to resources from targeted file servers. Requires **Access Auditing** component data collection. -![Least Privileged Access > FS_LeastPrivilegedAccess Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/leastprivilegedaccessjobstree.webp) +![Least Privileged Access > FS_LeastPrivilegedAccess Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/activity/leastprivilegedaccessjobstree.webp) The FS_LeastPrivilegedAccess job is located in the Least Privileged Access job group. @@ -17,7 +17,7 @@ Access** > **FS_LeastPrivilegedAccess** > **Configure** node and select **Analys **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_LeastPrivilegedAccess Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/leastprivilegedaccessanalysis.webp) +![Analysis Tasks for the FS_LeastPrivilegedAccess Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/leastprivilegedaccessanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md index b77c047d7f..1370e01015 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md 
@@ -3,18 +3,18 @@ The 5.Activity job group is designed to report on activity event information from targeted file servers. -![5.Activity Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![5.Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 5.Activity job group is comprised of: -- [Forensics Job Group](forensics/overview.md) – Designed to report on forensic related activity +- [Forensics Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/overview.md) – Designed to report on forensic related activity event information from targeted file servers -- [Least Privileged Access > FS_LeastPrivilegedAccess Job](fs_leastprivilegedaccess.md) – Designed +- [Least Privileged Access > FS_LeastPrivilegedAccess Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md) – Designed to report on activity event information that can assist in identifying least privilege from targeted file servers -- [Security Job Group](security/overview.md) – Designed to report on security related activity event +- [Security Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/overview.md) – Designed to report on security related activity event information from targeted file servers -- [Suspicious Activity Job Group](suspiciousactivity/overview.md) – Designed to report on +- [Suspicious Activity Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/overview.md) – Designed to report on potentially suspicious activity event information from targeted file servers -- [Usage Statistics Job Group](usagestatistics/overview.md) – Designed to report on usage statistics +- [Usage Statistics Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/overview.md) – Designed to report on usage statistics from targeted file servers 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_adminactvity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_adminactvity.md index 9cac89ccee..fddfcbd5be 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_adminactvity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_adminactvity.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **5.Activity** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_AdminActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/adminactivityanalysis.webp) +![Analysis Tasks for the FS_AdminActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/adminactivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md index 7f1e4c2845..91246035b2 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **5.Activity** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_HighRiskActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/highriskactivityanalysis.webp) +![Analysis Tasks for the FS_HighRiskActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/highriskactivityanalysis.webp) - 0. Drop Tables – Drops tables from previous runs - 1. Analyze for High Risk Activity – Creates the SA_FS_HighRiskActivity_HighRiskUserActivity diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_localuseractivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_localuseractivity.md index 5001b2f9df..d926ebfc13 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_localuseractivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_localuseractivity.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **5.Activity** > * **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the LocalUserActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/localuseractivityanalysis.webp) +![Analysis Tasks for the LocalUserActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/security/localuseractivityanalysis.webp) - 1. Local User Activity Details – Creates the SA_FS_LocalUserActivity_Details table accessible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/overview.md index 72b50087df..4d2dbb848c 100644 
--- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/overview.md @@ -3,19 +3,19 @@ The Security job group is designed to report on security related activity event information from targeted file servers. -![Security Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Security Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Security Job Group is comprised of: -- [FS_AdminActvity Job](fs_adminactvity.md) – Designed to report on administrator related activity +- [FS_AdminActvity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_adminactvity.md) – Designed to report on administrator related activity event information from targeted file servers - Requires **Access Auditing** component data collection -- [FS_HighRiskActivity Job](fs_highriskactivity.md) – Designed to report on high risk activity event +- [FS_HighRiskActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md) – Designed to report on high risk activity event information from targeted file servers - Requires **Access Auditing** component data collection -- [FS_LocalUserActivity Job](fs_localuseractivity.md) – Designed to report on local user activity +- [FS_LocalUserActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_localuseractivity.md) – Designed to report on local user activity event information from targeted file servers diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_deniedactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_deniedactivity.md index 8902b2cfb3..ce680a2bc9 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_deniedactivity.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_deniedactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_DeniedActivity** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_DeniedActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/deniedactivityanalysis.webp) +![Analysis Tasks for the FS_DeniedActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/deniedactivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_highesthourlyactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_highesthourlyactivity.md index e8963cf842..9263a46b9a 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_highesthourlyactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_highesthourlyactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_HighestHourlyActivity** > **Configure** node and select **Anal **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_HighestHourlyActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/highesthourlyactivityanalysis.webp) +![Analysis Tasks for the FS_HighestHourlyActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/highesthourlyactivityanalysis.webp) The following analysis task is selected by default: 
@@ -31,7 +31,7 @@ enabling it. The following analysis task is deselected by default: - Add recipients, notification subject, and email content - See the - [Configure the Notification Analysis Task](../forensics/fs_deletions.md#configure-the-notification-analysis-task) + [Configure the Notification Analysis Task](/docs/accessanalyzer/12.0/solutions/filesystem/activity/forensics/fs_deletions.md#configure-the-notification-analysis-task) topic for additional information In addition to the tables and views created by the analysis tasks, the FS_HighestHourlyActivity job diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_hourlyshareactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_hourlyshareactivity.md index b773aab684..30144d4480 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_hourlyshareactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_hourlyshareactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_HourlyShareActivity** > **Configure** node and select **Analys **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_HourlyShareActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/hourlyshareactivityanalysis.webp) +![Analysis Tasks for the FS_HourlyShareActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/hourlyshareactivityanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_modifiedbinaries.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_modifiedbinaries.md index 4142ba5e18..e3b3152d67 100644 
--- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_modifiedbinaries.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_modifiedbinaries.md @@ -11,7 +11,7 @@ Activity** > **FS_ModifiedBinaries** > **Configure** node and select **Analysis* **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_ModifiedBinaries Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/modifiedbinariesanalysis.webp) +![Analysis Tasks for the FS_ModifiedBinaries Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/modifiedbinariesanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_peergroupactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_peergroupactivity.md index 0adbe687fe..d4442f7965 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_peergroupactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_peergroupactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_PeerGroupActivity** > **Configure** node and select **Analysis **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_PeerGroupActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/peergroupactivityanalysis.webp) +![Analysis Tasks for the FS_PeerGroupActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/peergroupactivityanalysis.webp) - Summarize Hourly Norms and Deviations – Creates the SA_FS_PeerGroupActivity_Details table accessible under the job’s Results node 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_ransomware.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_ransomware.md index 538e438d20..02220b48ad 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_ransomware.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_ransomware.md @@ -13,7 +13,7 @@ Activity** > **FS_Ransomware** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_Ransomeware Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/ransomewareanalysis.webp) +![Analysis Tasks for the FS_Ransomeware Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/ransomewareanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_sensitivedataactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_sensitivedataactivity.md index e628bf53f4..f7d6223204 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_sensitivedataactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_sensitivedataactivity.md 
@@ -11,7 +11,7 @@ Activity** > **FS_SensitiveDataActivity** > **Configure** node and select **Anal **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_SensitiveDataActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/sensitivedataactivityanalysis.webp) +![Analysis Tasks for the FS_SensitiveDataActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/sensitivedataactivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_stalefileactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_stalefileactivity.md index fb5ada4e43..a64bf9573b 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_stalefileactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_stalefileactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_StaleFileActivity** > **Configure** node and select **Analysis **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_StaleFileActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/stalefileactivityanalysis.webp) +![Analysis Tasks for the FS_StaleFileActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/stalefileactivityanalysis.webp) - Summarize Hourly Norms and Deviations – Creates the SA_FS_StaleFileActivity_Details table accessible under the job’s Results node 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_usershareactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_usershareactivity.md index 97d86ff497..f60c9b95f5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_usershareactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_usershareactivity.md @@ -11,7 +11,7 @@ Activity** > **FS_UserShareActivity** > **Configure** node and select **Analysis **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_UserShareActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/usershareactivityanalysis.webp) +![Analysis Tasks for the FS_UserShareActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/usershareactivityanalysis.webp) - Track Latest Activity Per User Per Share – Creates the SA_FS_UserShareActivity_LatestActivity table accessible under the job’s Results node diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_weekendactivity.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_weekendactivity.md index 02a47b8d1c..a47923b1b3 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_weekendactivity.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_weekendactivity.md 
@@ -13,7 +13,7 @@ Activity** > **FS_WeekendActivity** > **Configure** node and select **Analysis** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_WeekendActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/weekendactivityanalysis.webp) +![Analysis Tasks for the FS_WeekendActivity Job](/img/product_docs/accessanalyzer/solutions/box/activity/suspiciousactivity/weekendactivityanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/overview.md index 4909af0ccf..db21cc4b13 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/overview.md 
@@ -3,32 +3,32 @@ The Suspicious Activity job group is designed to report on potentially suspicious activity event information from targeted file servers. -![Suspicious Activity Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Suspicious Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Suspicious Activity job group is comprised of: -- [FS_DeniedActivity Job](fs_deniedactivity.md) – Designed to report on denied activity event +- [FS_DeniedActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_deniedactivity.md) – Designed to report on denied activity event information from targeted file servers - Requires **Access Auditing** component data collection - [FS_HighestHourlyActivity Job](fs_highesthourlyactivity.md) – Designed to report on the highest + [FS_HighestHourlyActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_highesthourlyactivity.md) – Designed to report on the highest hourly activity event information from targeted file servers broken down by user - Includes a Notification analysis task option - Requires **Access Auditing** component data collection -- [FS_HourlyShareActivity Job](fs_hourlyshareactivity.md) – Designed to report on the highest hourly +- [FS_HourlyShareActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_hourlyshareactivity.md) – Designed to report on the highest hourly activity event information from targeted file servers broken down by share - Requires **Access Auditing** component data collection -- [FS_ModifiedBinaries Job](fs_modifiedbinaries.md) – Designed to report on activity event +- [FS_ModifiedBinaries Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_modifiedbinaries.md) – Designed to report on activity event information where binaries were 
modified from targeted file servers - Requires **Access Auditing** component data collection -- [FS_PeerGroupActivity Job](fs_peergroupactivity.md) – Designed to report on abnormal activity +- [FS_PeerGroupActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_peergroupactivity.md) – Designed to report on abnormal activity event information based on peer group analysis from targeted file servers - Requires **Access Auditing** component data collection 
@@ -37,23 +37,23 @@ The Suspicious Activity job group is comprised of: [Netwrix Access Information Center Documentation](https://helpcenter.netwrix.com/category/accessinformationcenter) for additional information. -- [FS_Ransomware Job](fs_ransomware.md) – Designed to report on potential ransomware activity event +- [FS_Ransomware Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_ransomware.md) – Designed to report on potential ransomware activity event information based on file extensions and large number of modified file events from targeted file servers -- [FS_SensitiveDataActivity Job](fs_sensitivedataactivity.md) – Designed to report on activity event +- [FS_SensitiveDataActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_sensitivedataactivity.md) – Designed to report on activity event information on resources identified to contain sensitive information from targeted file servers - Requires **Access Auditing** component data collection - Requires **Sensitive Data Discovery Auditing** component data collection -- [FS_StaleFileActivity Job](fs_stalefileactivity.md) – Designed to report on user activity event +- [FS_StaleFileActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_stalefileactivity.md) – Designed to report on user activity event information involving stale files from targeted file servers -- [FS_UserShareActivity Job](fs_usershareactivity.md) – Designed to report on normal user activity +- [FS_UserShareActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_usershareactivity.md) – Designed to report on normal user activity within a share from targeted file servers - Requires **Access Auditing** component data collection -- [FS_WeekendActivity Job](fs_weekendactivity.md) – Designed to report on activity events that occur +- [FS_WeekendActivity 
Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/suspiciousactivity/fs_weekendactivity.md) – Designed to report on activity events that occur over the weekend from targeted file servers - Requires **Access Auditing** component data collection diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_groupusage.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_groupusage.md index dd9355f2e4..9ca6661460 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_groupusage.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_groupusage.md @@ -10,7 +10,7 @@ Statistics** > **FS_GroupUsage** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_GroupUsage Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/groupusageanalysis.webp) +![Analysis Tasks for the FS_GroupUsage Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/groupusageanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveservers.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveservers.md index 4fff9fbd48..2ee9098242 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveservers.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveservers.md 
@@ -10,7 +10,7 @@ Statistics** > **FS_MostActiveServers** > **Configure** node and select **Analys **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the FS_MostActiveServers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveserversanalysis.webp) +![Analysis Task for the FS_MostActiveServers Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveserversanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveusers.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveusers.md index 9d236cadc3..6a0682664a 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveusers.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveusers.md @@ -10,7 +10,7 @@ Statistics** > **FS_MostActiveUsers** > **Configure** node and select **Analysis **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_MostActiveUsers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveusersanalysis.webp) +![Analysis Tasks for the FS_MostActiveUsers Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveusersanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_staleshares.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_staleshares.md index 44fe641982..dd72cb7c80 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_staleshares.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_staleshares.md @@ -10,7 +10,7 @@ Statistics** > **FS_StaleShares** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_StaleShares Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/stalesharesanalysis.webp) +![Analysis Tasks for the FS_StaleShares Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/stalesharesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/overview.md index 30c12f3f04..507abf93c5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/overview.md 
@@ -2,20 +2,20 @@ The Usage Statistics job group is designed to report on usage statistics from targeted file servers. -![Usage Statistics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Usage Statistics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Usage Statistics job group is comprised of: -- [FS_GroupUsage Job](fs_groupusage.md) – Designed to report on group usage from targeted file +- [FS_GroupUsage Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_groupusage.md) – Designed to report on group usage from targeted file servers - Requires **Access Auditing** component data collection -- [FS_MostActiveServers Job](fs_mostactiveservers.md) – Designed to report on the most active +- [FS_MostActiveServers Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveservers.md) – Designed to report on the most active servers within an environment -- [FS_MostActiveUsers Job](fs_mostactiveusers.md) – Designed to report on the most active users +- [FS_MostActiveUsers Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_mostactiveusers.md) – Designed to report on the most active users within an environment -- [FS_StaleShares Job](fs_staleshares.md) – Designed to report on stale shares from targeted file +- [FS_StaleShares Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/usagestatistics/fs_staleshares.md) – Designed to report on stale shares from targeted file servers - Requires **Access Auditing** component data collection diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_shareaudit.md b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_shareaudit.md index 6e7077f3db..4fecb7e094 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_shareaudit.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_shareaudit.md @@ -11,7 +11,7 @@ node and select Analysis. **CAUTION:** Do not modify or deselect the last three selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/adhocaudits/shareauditanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/filesystem/adhocaudits/shareauditanalysis.webp) The following analysis tasks are selected by default: @@ -22,7 +22,7 @@ The following analysis tasks are selected by default: then selecting the #UNC table in the SQL Script Editor window and clicking **Edit Table**. - This brings up the Edit Table window where the user can manually enter UNC paths of each share to be audited or upload a CSV file containing one row for each share to be audited. - See the [SQLscripting Analysis Module](../../../admin/analysis/sqlscripting.md) section + See the [SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) section for additional information. - List one shared folder per row, using the format: \\HOST\SHARE. - 2. Direct Permissions – Creates the SA_FS_ShareAudit_DirectPermissions table accessible under diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_trusteepermissions.md b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_trusteepermissions.md index f332579cc4..d459868b74 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_trusteepermissions.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_trusteepermissions.md 
@@ -11,7 +11,7 @@ Configure node and select Analysis. **CAUTION:** Do not modify or deselect the second selected analysis task. The analysis task is preconfigured for this job. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/adhocaudits/trusteepermissionsanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/filesystem/adhocaudits/trusteepermissionsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md index 0735b923fa..6a992f736b 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md @@ -8,13 +8,13 @@ the required information before job execution. **_RECOMMENDED:_** Run these jobs independently of the solution. -![Ad Hoc Audits Job Group](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Ad Hoc Audits Job Group](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Ad Hoc Audits Job Group is comprised of: -- [FS_ShareAudit Job](fs_shareaudit.md) – Designed to report on shares from targeted file servers +- [FS_ShareAudit Job](/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_shareaudit.md) – Designed to report on shares from targeted file servers based on user input -- [FS_TrusteePermissions Job](fs_trusteepermissions.md) – Designed to report on trustees from +- [FS_TrusteePermissions Job](/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/fs_trusteepermissions.md) – Designed to report on trustees from targeted file servers based on user input For both of these jobs, the host list is set to Local host at the job level. The assigned Connection 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md index 8c031cc05c..d3e1f4c236 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md @@ -7,7 +7,7 @@ previously quarantined and can be deleted. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The FS_DeleteFiles job has the following configurable parameter: @@ -26,7 +26,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_DeleteFiles Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesanalysis.webp) +![Analysis Tasks for the FS_DeleteFiles Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesanalysis.webp) The following analysis tasks are selected by default: 
@@ -46,7 +46,7 @@ The default values for parameters that can be customized are: | Determine candidates for deletion | @DELETE_THRESHOLD | 180 | Set the number of days without access after which a file becomes a candidate for deletion | See the -[Configure the Customizable Parameters in an Analysis Task](../../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions to modify parameters. ## Action Tasks for the FS_DeleteFiles Job @@ -57,7 +57,7 @@ node and select **Actions** to view the action tasks. **CAUTION:** Do not enable the action unless it is required. Disable the action after execution to prevent making unintended and potentially harmful changes to Active Directory. -![Action Tasks for the FS_DeleteFiles Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesaction.webp) +![Action Tasks for the FS_DeleteFiles Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesaction.webp) The following actions are deselected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles_status.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles_status.md index 61ddfd2522..a12291f673 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles_status.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles_status.md 
@@ -1,7 +1,7 @@ # FS_DeleteFiles_Status Job The FS_DeleteFiles_Status job is designed to report on deleted resources from targeted file servers -that were deleted from the FS_DeleteFiles job. See the [FS_DeleteFiles Job](fs_deletefiles.md) topic +that were deleted from the FS_DeleteFiles job. See the [FS_DeleteFiles Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md) topic for additional information. ## Analysis Tasks for the FS_DeleteFiles_Status Job @@ -12,7 +12,7 @@ Navigate to the **FileSystem** > **Cleanup** > **4. Delete** > **FS_DeleteFiles_ **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_DeleteFiles_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesstatusanalysis.webp) +![Analysis Tasks for the FS_DeleteFiles_Status Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/delete/deletefilesstatusanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/overview.md index 688b0474db..aa96cce647 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/overview.md 
@@ -3,13 +3,13 @@ The 4. Delete job group is designed to report on and take action against resources from targeted file servers that can be deleted. -![4. Delete Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4. Delete Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) This job group includes the following jobs: -- [FS_DeleteFiles Job](fs_deletefiles.md) – Designed to delete resources from targeted file servers +- [FS_DeleteFiles Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles.md) – Designed to delete resources from targeted file servers that were previously quarantined and can be deleted -- [FS_DeleteFiles_Status Job](fs_deletefiles_status.md) – Designed to report on deleted resources +- [FS_DeleteFiles_Status Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/fs_deletefiles_status.md) – Designed to report on deleted resources from targeted file servers that were deleted from the DeleteFiles job Workflow diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md index 1095085969..cf1db3f464 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md 
@@ -9,7 +9,7 @@ Information Center Manage Owners page. See the Resource Owners topics in the [Netwrix Access Information Center Documentation](https://helpcenter.netwrix.com/category/accessinformationcenter) for additional information. -![1. Cleanup Assessment > FS_CleanupAssessment Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1. Cleanup Assessment > FS_CleanupAssessment Job in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The FS_CleanupAssessment job is located in the 1. Cleanup Assessment job group. @@ -31,7 +31,7 @@ have completed. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The FS_CleanupAssessment job has the following configurable parameters: @@ -54,7 +54,7 @@ Navigate to the **FileSystem** > **Cleanup** > **1. Cleanup Assessment** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_CleanupAssessment Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/cleanupassessmentanalysis.webp) +![Analysis Tasks for the FS_CleanupAssessment Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/cleanupassessmentanalysis.webp) The following analysis tasks are selected by default: 
@@ -101,7 +101,7 @@ The default values for parameters that can be customized are: | @MAX_STALE_THRESHOLD | 365 | Set the upper bound of the files to be included in the FileDetails table (by Last Modfied, in days) | | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions to modify parameters. ### Include Metadata Tag Information @@ -119,11 +119,11 @@ Properties**. The Query Properties window opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The File System Access Auditor Data Collector Wizard opens. -![File Details tab of the FSAA Data Collector Wizard Default Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/filedetails.webp) +![File Details tab of the FSAA Data Collector Wizard Default Scoping Options page](/img/product_docs/accessanalyzer/admin/datacollector/fsaa/defaultscopingoptions/filedetails.webp) **Step 4 –** Navigate to the **Default Scoping Options** page and click the **File Details** tab. -![Options to select on File Details tab](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/includemetadatatagoptions.webp) +![Options to select on File Details tab](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/includemetadatatagoptions.webp) **Step 5 –** On the File Details tab, select the **Scan file-level details** option, and then select the **Collect tags/keywords from file metadata properties** option. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupprogress.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupprogress.md index 203b223645..ffca6901d4 100644 
--- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupprogress.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupprogress.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_CleanupProgress Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressanalysis.webp) +![Analysis Tasks for the FS_CleanupProgress Job](/img/product_docs/accessanalyzer/solutions/activedirectory/cleanup/cleanupprogressanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md index 419aee6dbc..4bb68dccbc 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md @@ -12,7 +12,7 @@ node and select **Actions** to view the action tasks. **CAUTION:** Do not enable the action unless it is required. Disable the action after execution to prevent making unintended and potentially harmful changes to Active Directory. -![Action Tasks for the FS_NotifyOwners Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/notifyownersaction.webp) +![Action Tasks for the FS_NotifyOwners Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/notifyownersaction.webp) The following action task is deselected by default. 
@@ -27,7 +27,7 @@ information. The recipients and the text of the email can be customized on the Properties page within the Send Mail Action Module Wizard. The -[1. Cleanup Assessment > FS_CleanupAssessment Job](../fs_cleanupassessment.md) must be run before +[1. Cleanup Assessment > FS_CleanupAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md) must be run before the Send Mail Action Module Wizard can be opened. Follow these steps to customize the Notify Owners action task. @@ -41,7 +41,7 @@ Properties** to view the Action Properties page. _Remember,_ the FS_CleanupAssessment job must be run before the Send Mail Action Module Wizard can be opened. -![Send Mail Action Module Wizard Properties page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/sendmailwizardproperties.webp) +![Send Mail Action Module Wizard Properties page](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/sendmailwizardproperties.webp) **Step 4 –** On the Properties page, customize the following fields: @@ -50,7 +50,7 @@ be opened. **NOTE:** Email recipients may also be added within the Notification node under the Global Settings pane. -![Send Mail Action Module Wizard Message page](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/sendmailwizardmessage.webp) +![Send Mail Action Module Wizard Message page](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/sendmailwizardmessage.webp) **Step 5 –** On the Message page, customize the following fields: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners_status.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners_status.md index 0aba29df07..6304dc821c 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners_status.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners_status.md @@ -1,7 +1,7 @@ # FS_NotifyOwners_Status Job The FS_NotifyOwners_Status job is comprised of analysis and reports that summarize the actions -performed by the FS_NotifyOwners job. See the [FS_NotifyOwners Job](fs_notifyowners.md) topic for +performed by the FS_NotifyOwners job. See the [FS_NotifyOwners Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md) topic for additional information. ## Analysis Tasks for the FS_NotifyOwners_Status Job @@ -12,7 +12,7 @@ Navigate to the **FileSystem** > **Cleanup** > **2. Notify** > **FS_NotifyOwners **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_NotifyOwners_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/notifyownersstatusanalysis.webp) +![Analysis Tasks for the FS_NotifyOwners_Status Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/notify/notifyownersstatusanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/overview.md index 4a46e85f17..595951a158 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/overview.md 
@@ -4,16 +4,16 @@ The 2. Notify job group is designed to report on and notify owners of resources servers that data is pending cleanup. **NOTE:** The SendMail action module requires configuration of the Notification Settings in the -Global Settings. See the [Notification](../../../../admin/settings/notification.md) topic for +Global Settings. See the [Notification](/docs/accessanalyzer/12.0/admin/settings/notification.md) topic for additional information. -![2. Notify Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2. Notify Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) This job group includes the following jobs: -- [FS_NotifyOwners Job](fs_notifyowners.md) – Designed to notify share owners that there is data +- [FS_NotifyOwners Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners.md) – Designed to notify share owners that there is data within their share pending cleanup -- [FS_NotifyOwners_Status Job](fs_notifyowners_status.md) – Designed to summarize the actions taken +- [FS_NotifyOwners_Status Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/fs_notifyowners_status.md) – Designed to summarize the actions taken by the NotifyOwners job Workflow diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md index 4e2f5cfaca..390953fa10 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md 
@@ -8,26 +8,26 @@ the rest of the File System solution. **NOTE:** The Cleanup job group requires additional licenses to function. For information, contact your Netwrix representative. -![Cleanup Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Cleanup Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Cleanup job group includes the following job groups and jobs: -- [1. Cleanup Assessment > FS_CleanupAssessment Job](fs_cleanupassessment.md) – Designed to report +- [1. Cleanup Assessment > FS_CleanupAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupassessment.md) – Designed to report on and assess the status of target file servers that can be cleaned up -- [2. Notify Job Group](notify/overview.md) – Designed to report on and notify the owners of +- [2. Notify Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/notify/overview.md) – Designed to report on and notify the owners of resources of target file servers that data is pending cleanup -- [3. Quarantine Job Group](quarantine/overview.md) – This job group offers a framework for using +- [3. Quarantine Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/overview.md) – This job group offers a framework for using the File System actions modules to quarantine files, and to restore access to quarantined files if necessary -- [4. Delete Job Group](delete/overview.md) – Designed to report on and take action against +- [4. 
Delete Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/delete/overview.md) – Designed to report on and take action against resources from targeted file servers that can be deleted -- [FS_CleanupProgress Job](fs_cleanupprogress.md) – Summarizes the progress of the Cleanup effort +- [FS_CleanupProgress Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/fs_cleanupprogress.md) – Summarizes the progress of the Cleanup effort and highlights the amount of storage reclaimed on each host Many jobs in this group include one or more pre-built actions designed to apply operations to the data tables generated by the job’s analysis tasks. These actions perform the cleanup operations. By default, the actions do not execute as part of the job group. You must select the actions you want -to run prior to execution. See the [Action Modules](../../../admin/action/overview.md) topic for +to run prior to execution. See the [Action Modules](/docs/accessanalyzer/12.0/admin/action/overview.md) topic for additional information. ## Recommended Configurations for the FS Cleanup Job Group @@ -47,7 +47,7 @@ The Cleanup job group has the following prerequisites: - Collect ownership and permission information for files See the - [FSAA: Default Scoping Options](../../../admin/datacollector/fsaa/defaultscopingoptions.md) + [FSAA: Default Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions.md) topic for additional information. Individual jobs and job groups within the Cleanup job group may have their own prerequisites and diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md index 6fdb83a22b..983d03e966 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md 
@@ -12,7 +12,7 @@ to prevent making unintended and potentially harmful changes to Active Directory **CAUTION:** Do not modify the action tasks. The action tasks are preconfigured for this job. -![Action Tasks for the FS_QuarantineData Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/quarantinedataactions.webp) +![Action Tasks for the FS_QuarantineData Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/quarantinedataactions.webp) The following action tasks are deselected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata_status.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata_status.md index 32a3b6dedc..e4dbc45cdd 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata_status.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata_status.md @@ -1,7 +1,7 @@ # FS_QuarantineData_Status Job The FS_QuarantineData_Status job is designed to report on the FS_QuarantineData job. See the -[FS_QuarantineData Job](fs_quarantinedata.md) topic for additional information. +[FS_QuarantineData Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md) topic for additional information. ## Analysis Tasks for the FS_QuarantineData_Status Job 
@@ -11,7 +11,7 @@ Navigate to the **FileSystem** > **Cleanup** > **3. Quarantine** > **FS_Quaranti **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_QuarantineData_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/quarantinedatastatusanalysis.webp) +![Analysis Tasks for the FS_QuarantineData_Status Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/quarantinedatastatusanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance.md index 91246d7e77..e3dcf2f551 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance.md @@ -10,7 +10,7 @@ Navigate to the **FileSystem** > **Cleanup** > **3. Quarantine** > **FS_RestoreI **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_RestoreInheritance Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritanceanalysis.webp) +![Analysis Tasks for the FS_RestoreInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritanceanalysis.webp) The following analysis task is selected by default: 
@@ -27,7 +27,7 @@ prevent making unintended and potentially harmful changes to Active Directory. **CAUTION:** Do not modify the action task. The action task is preconfigured for this job. -![Action Tasks for the FS_RestoreInheritance Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritanceaction.webp) +![Action Tasks for the FS_RestoreInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritanceaction.webp) The following action tasks are deselected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance_status.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance_status.md index 00a3c18592..ba741c51a6 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance_status.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance_status.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_RestoreInheritance_Status Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritancestatusanalysis.webp) +![Analysis Tasks for the FS_RestoreInheritance_Status Job](/img/product_docs/accessanalyzer/solutions/filesystem/cleanup/quarantine/restoreinheritancestatusanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/overview.md index fd2b850fa8..cfe457d802 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/overview.md 
@@ -2,17 +2,17 @@ The 3. Quarantine job group is designed to report on and quarantine files that are pending cleanup. -![3. Quarantine Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![3. Quarantine Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) This job group includes the following jobs: -- [FS_QuarantineData Job](fs_quarantinedata.md) – Designed to quarantine files subject to be cleaned +- [FS_QuarantineData Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata.md) – Designed to quarantine files subject to be cleaned up -- [FS_QuarantineData_Status Job](fs_quarantinedata_status.md) – Designed to report on the +- [FS_QuarantineData_Status Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_quarantinedata_status.md) – Designed to report on the FS_QuarantineData job -- [FS_RestoreInheritance Job](fs_restoreinheritance.md) – Designed to restore inheritance to +- [FS_RestoreInheritance Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance.md) – Designed to restore inheritance to previously quarantined files -- [FS_RestoreInheritance_Status Job](fs_restoreinheritance_status.md) – Designed to report on +- [FS_RestoreInheritance_Status Job](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/quarantine/fs_restoreinheritance_status.md) – Designed to report on inheritance that was restored to previously quarantined files Workflow diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md index 913fc0c7bf..b305efb7e7 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md 
@@ -16,7 +16,7 @@ Schema** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection for the 0-Create Schema Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/createschemaanalysis.webp) +![Analysis Selection for the 0-Create Schema Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/createschemaanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md index cc9c4d5fa1..247add3fb9 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md @@ -2,7 +2,7 @@ The 0-FS_Nasuni job is required in order to target Nasuni Edge Appliances. The job can be added from the Access Analyzer Instant Job Library. See the -[Instant Job Wizard](../../../admin/jobs/instantjobs/overview.md) topic to add this instant job to +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic to add this instant job to the 0.Collection job group. **CAUTION:** It is necessary to rename the job after it has been added to the 0.Collection job group @@ -21,7 +21,7 @@ volume data, and share data from the Nasuni environment. **CAUTION:** Do not modify the queries. The queries are preconfigured for this job. -![Queries for the 0-FS_Nasuni Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsnasuniquery.webp) +![Queries for the 0-FS_Nasuni Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsnasuniquery.webp) The queries for the 0-FS_Nasuni job are: 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fsdfs_system_scans.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fsdfs_system_scans.md index 3a0dc5e538..f81540c659 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fsdfs_system_scans.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fsdfs_system_scans.md @@ -10,7 +10,7 @@ Scan Category. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the 0-FSDFS System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsdfssystemscansquery.webp) +![Query for the 0-FSDFS System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsdfssystemscansquery.webp) - DFS System Scan – Scans the DFS System @@ -22,7 +22,7 @@ Scans** > **Configure** node and selecting **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 0-FSDFS System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsdfssystemscansanalysis.webp) +![Analysis Tasks for the 0-FSDFS System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsdfssystemscansanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md index 27209d46a8..2e6590d804 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md 
@@ -7,7 +7,7 @@ servers. The File System Scan query uses the FSAA Data Collector. -![Query for the 1-FSAA System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaasystemscansquery.webp) +![Query for the 1-FSAA System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaasystemscansquery.webp) The following default configurations are commonly customized: @@ -26,7 +26,7 @@ The following default configurations are commonly customized: - Set to **Limit subfolder scan depth to 2 level(s)** -See the [Recommended Configuration for the File System Solution](../recommended.md) topic for a +See the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic for a complete list of customizable settings. See the [Configure the (FSAA) File System Scan Query](#configure-the-fsaa-file-system-scan-query) topic for additional information. 
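Review bot: The `recommended.md` link in the `@@ -26,7 +26,7 @@` hunk now hard-codes the product version (`/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md`), where the old `../recommended.md` was version-agnostic. If this folder is copied to start the next version's docs, every such link will keep pointing at 12.0 and a broken-link check will not catch it, because the 12.0 target still exists. Consider keeping relative links inside a versioned folder, or add a check that flags links whose version segment differs from the version of the file that contains them.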
@@ -49,34 +49,34 @@ Data Collector Wizard opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Applet Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekappletsettings.webp) +![Applet Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekappletsettings.webp) **Step 4 –** The Applet Settings page applies to the applet and proxy mode scans. If employing proxy -servers, see the [FSAA: Applet Settings](../../../admin/datacollector/fsaa/appletsettings.md) topic +servers, see the [FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for configuration instructions. -![Scan Server Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekserverselection.webp) +![Scan Server Selection](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekserverselection.webp) **Step 5 –** On the Scan Server Selection page, select the server that will execute the scan. See -the [FSAA: Scan Server Selection](../../../admin/datacollector/fsaa/scanserverselection.md) topic +the [FSAA: Scan Server Selection](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md) topic for additional information. -![Scan Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscansettings.webp) +![Scan Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscansettings.webp) **Step 6 –** On the Scan Settings page, you can enable streaming. See the -[FSAA: Scan Settings](../../../admin/datacollector/fsaa/scansettings.md) topic for additional +[FSAA: Scan Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md) topic for additional information. 
**NOTE:** If streaming is enabled, the **2-FSAA Bulk Import** job is no longer needed as part of the **0.Collection** job group. -![Azure Tennant Mapping](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekazuretenantmapping.webp) +![Azure Tennant Mapping](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekazuretenantmapping.webp) **Step 7 –** On the Azure Tenant Mapping page, add the AppPrincipalID (App ID) and Tenant ID. See -the [FSAA: Azure Tenant Mapping](../../../admin/datacollector/fsaa/azuretenantmapping.md) topic for +the [FSAA: Azure Tenant Mapping](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md) topic for additional information. -![Default Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptions.webp) +![Default Scoping Options](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptions.webp) **Step 8 –** On the Default Scoping Options page, configure the following on the Scan Setting tab: 
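Review bot: The rewritten image line in the `@@ -49,34 +49,34 @@` hunk still carries the alt text `Azure Tennant Mapping`. Since the line is being touched anyway, correct it to `Azure Tenant Mapping`, which is the spelling 1-seek_system_scans.md uses for the same image file.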
@@ -121,19 +121,19 @@ additional information. - Abort the scan – FSAA will abort the scan. LAT will be updated for the processed file. No other files will be processed -See the [Scan Settings Tab](../../../admin/datacollector/fsaa/defaultscopingoptions/scansettings.md) +See the [Scan Settings Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md) topic for additional information. -![File Details tab of the Default Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptionsfiledetails.webp) +![File Details tab of the Default Scoping Options page](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptionsfiledetails.webp) **Step 9 –** On the File Details tab of the Default Scoping Options page, you can enable file-level scans. See the -[File Details Tab](../../../admin/datacollector/fsaa/defaultscopingoptions/filedetails.md) +[File Details Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/filedetails.md) **_RECOMMENDED:_** Carefully consider configuring the following settings. Applying filters when file detail scanning has been enabled reduces the impact on the database. -![File Properties (Folder Summary) tab of the Default Scoping Options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptionsfileproperties.webp) +![File Properties (Folder Summary) tab of the Default Scoping Options page](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaadefaultscopingoptionsfileproperties.webp) **Step 10 –** On the File Properties (Folder Summary) tab of the Default Scoping Options page, you can configure the following: 
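Review bot: In the Step 9 paragraph of the `@@ -121,19 +121,19 @@` hunk, the sentence that ends with the `[File Details Tab](...)` link has no closing text, while the neighbouring steps end with `topic for additional information.` The gap predates this change, but the link line is rewritten here, so complete the sentence in the same commit.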
@@ -145,16 +145,16 @@ can configure the following: - Enable return of files with only comma-separated values (CSV files). See the -[File Properties (Folder Summary) Tab](../../../admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md) +[File Properties (Folder Summary) Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/fileproperties.md) topic for additional information. -![Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingoptions.webp) +![Scoping Options](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingoptions.webp) **Step 11 –** On the Scoping Options page, add share/folder inclusions and exclusions. See the -[FSAA: Scoping Options](../../../admin/datacollector/fsaa/scopingoptions.md) topic for additional +[FSAA: Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md) topic for additional information. -![Scoping Queries](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingqueries.webp) +![Scoping Queries](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingqueries.webp) **Step 12 –** On the Scoping Queries page: @@ -162,7 +162,7 @@ information. - Add folder/share exclusions - Restrict scans to DFS shares or Open shares -See the [FSAA: Scoping Queries](../../../admin/datacollector/fsaa/scopingqueries.md) topic for +See the [FSAA: Scoping Queries](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md) topic for additional information. **Step 13 –** Click **Finish** to save any setting modifications or click **Cancel** if no changes 
@@ -178,7 +178,7 @@ Scans** > **Configure** node and selecting **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Task for the 1-FSAA System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaasystemscansanalysis.webp) +![Analysis Task for the 1-FSAA System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaasystemscansanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md index 411b549834..f34d5838b2 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md @@ -7,7 +7,7 @@ The 1-FSAC System Scans job is designed to collect activity events from the targ The Activity Scan query uses the FSAA Data Collector and has been preconfigured to use the File system activity Scan category. -![Query for the 1-FSAC System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacsystemscansquery.webp) +![Query for the 1-FSAC System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacsystemscansquery.webp) - Activity Scan – Scans for File System Activity 
@@ -22,7 +22,7 @@ The following default configurations are commonly customized: - Set scan filter for detailed activity **60** days - Set filter for statistics of activity **120** days -See the [Recommended Configuration for the File System Solution](../recommended.md) topic for a +See the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic for a complete list of customizable settings. See the [Configure the Activity Scan Query](#configure-the-activity-scan-query) topic for instructions. 
@@ -43,21 +43,21 @@ Data Collector Wizard opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Applet Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacappletsettings.webp) +![Applet Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacappletsettings.webp) **Step 4 –** The Applet Settings page applies to the applet and proxy mode scans which are selected on the Scan Server Level Page. If employing proxy servers, see the -[FSAA: Applet Settings](../../../admin/datacollector/fsaa/appletsettings.md) topic for configuration +[FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for configuration instructions. -![Scan Server Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacscanserverselection.webp) +![Scan Server Selection](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacscanserverselection.webp) **Step 5 –** The Scan Server Selection page applies to the applet and proxy mode scans. Remember, each mode has different provisioning requirements. See the -[FSAA: Scan Server Selection](../../../admin/datacollector/fsaa/scanserverselection.md) topic for +[FSAA: Scan Server Selection](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md) topic for additional information. -![Activity Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacactivitysettings.webp) +![Activity Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacactivitysettings.webp) **Step 6 –** On the Activity Settings page: 
@@ -65,7 +65,7 @@ additional information. - Modify the number of days activity statistics are kept - Modify log parsing limits -See the [FSAA: Activity Settings](../../../admin/datacollector/fsaa/activitysettings.md) topic for +See the [FSAA: Activity Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md) topic for additional information. **Step 7 –** Click **Finish** to save any setting modifications or click **Cancel** if no changes diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md index 0c96679976..e6f71955d7 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md @@ -7,7 +7,7 @@ The 1-SEEK System Scans job is designed to collect sensitive data from the targe The File System Scan query uses the FSAA Data Collector and has been preconfigured to use the Sensitive data Scan category. -![Query for the 1-SEEK System Scans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksystemscansquery.webp) +![Query for the 1-SEEK System Scans Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksystemscansquery.webp) - File System Scan – Scans the File System @@ -42,7 +42,7 @@ The following default configurations are commonly customized: - Tax Forms - US SSN -See the [Recommended Configuration for the File System Solution](../recommended.md) topic for a +See the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic for a complete list of customizable settings. See the [Configure the (SEEK) File System Scan Query](#configure-the-seek-file-system-scan-query) topic for instructions. 
@@ -64,37 +64,37 @@ Data Collector Wizard opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![Applet Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekappletsettings.webp) +![Applet Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekappletsettings.webp) **Step 4 –** The Applet Settings page applies to the applet and proxy mode scans which are selected on the Scan Server Level page. If employing proxy servers, see the -[FSAA: Applet Settings](../../../admin/datacollector/fsaa/appletsettings.md) topic for configuration +[FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for configuration instructions. -![Scan Server Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekserverselection.webp) +![Scan Server Selection](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekserverselection.webp) **Step 5 –** The Scan Server Selection page applies to the applet and proxy mode scans. Remember, each mode has different provisioning requirements. In addition to changing the type of scan mode, you can modify the scan restart settings. See the -[FSAA: Scan Server Selection](../../../admin/datacollector/fsaa/scanserverselection.md) topic for +[FSAA: Scan Server Selection](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scanserverselection.md) topic for additional information. -![Scan Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscansettings.webp) +![Scan Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscansettings.webp) **Step 6 –** On the Scan Settings page, you can enable streaming. 
See the -[FSAA: Scan Settings](../../../admin/datacollector/fsaa/scansettings.md) topic for additional +[FSAA: Scan Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scansettings.md) topic for additional information. **NOTE:** If streaming is enabled, the **2-SEEK Bulk Import** job is no longer needed as part of the **0.Collection** job group. -![Azure Tenant Mapping](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekazuretenantmapping.webp) +![Azure Tenant Mapping](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekazuretenantmapping.webp) **Step 7 –** On the Azure Tenant Mapping page, enable Azure Information Protection (AIP). See the -[FSAA: Azure Tenant Mapping](../../../admin/datacollector/fsaa/azuretenantmapping.md) topic for +[FSAA: Azure Tenant Mapping](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/azuretenantmapping.md) topic for additional information. -![Default Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/seekdefaultscopingoptions.webp) +![Default Scoping Options](/img/product_docs/accessanalyzer/solutions/filesystem/collection/seekdefaultscopingoptions.webp) **Step 8 –** On the Default Scoping Options page, configure the following on the Scan Setting tab: 
@@ -140,16 +140,16 @@ additional information. - Abort the scan – FSAA will abort the scan. LAT will be updated for the processed file. No other files will be processed -See the [Scan Settings Tab](../../../admin/datacollector/fsaa/defaultscopingoptions/scansettings.md) +See the [Scan Settings Tab](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/defaultscopingoptions/scansettings.md) topic for additional information. -![Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingoptions.webp) +![Scoping Options](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingoptions.webp) **Step 9 –** On the Scoping Options page, add share/folder inclusions and exclusions. See the -[FSAA: Scoping Options](../../../admin/datacollector/fsaa/scopingoptions.md) topic for additional +[FSAA: Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingoptions.md) topic for additional information: -![Scoping Queries](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingqueries.webp) +![Scoping Queries](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaseekscopingqueries.webp) **Step 10 –** On the Scoping Queries page: @@ -159,10 +159,10 @@ information: **NOTE:** This option only works in conjunction with File System Access Auditing. -See the [FSAA: Scoping Queries](../../../admin/datacollector/fsaa/scopingqueries.md) topic for +See the [FSAA: Scoping Queries](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/scopingqueries.md) topic for additional information. -![Sensitive Data Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksystemscanssensitivedatasettings.webp) +![Sensitive Data Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksystemscanssensitivedatasettings.webp) **Step 11 –** On the Sensitive Data Settings page: 
@@ -182,17 +182,17 @@ additional information. documents and may not be able to recognize text on images of credit cards, driver's licenses, or other identity cards. -See the [FSAA: Sensitive Data Settings](../../../admin/datacollector/fsaa/sensitivedatasettings.md) +See the [FSAA: Sensitive Data Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sensitivedatasettings.md) topic for additional information. -![SDD Criteria Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksddcriteriasettings.webp) +![SDD Criteria Settings](/img/product_docs/accessanalyzer/solutions/filesystem/collection/seeksddcriteriasettings.webp) **Step 12 –** On the SDD Criteria Settings page, add or remove criteria as desired. See the -[FSAA: SDD Criteria Settings](../../../admin/datacollector/fsaa/sddcriteria.md) topic for additional +[FSAA: SDD Criteria Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/sddcriteria.md) topic for additional information. - _(Optional)_ To create custom criteria, see the - [Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic + [Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information **NOTE:** By default, discovered sensitive data strings are not stored in the Access Analyzer diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsaa_bulk_import.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsaa_bulk_import.md index 05edeb6f5c..a6c6ccbe80 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsaa_bulk_import.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsaa_bulk_import.md 
@@ -8,12 +8,12 @@ servers. The Bulk import query uses the FSAA Data Collector and has been preconfigured to use the File system access/permission auditing Bulk import category. -![Query for the 2-FSAA Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaabulkimportquery.webp) +![Query for the 2-FSAA Bulk Import Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaabulkimportquery.webp) - Bulk import – Imports scan data into SQL Server - Typically, this query is not modified. See the - [FileSystemAccess Data Collector](../../../admin/datacollector/fsaa/overview.md) topic for + [FileSystemAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md) topic for information on when this query should be modified. ## Analysis Tasks for the 2-FSAA Bulk Import Job @@ -24,7 +24,7 @@ Import** > **Configure** node and selecting **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 2-FSAA Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaabulkimportanalysis.webp) +![Analysis Tasks for the 2-FSAA Bulk Import Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaabulkimportanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsac_bulk_import.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsac_bulk_import.md index 5affc92ca4..9fa44dfe2d 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsac_bulk_import.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsac_bulk_import.md 
@@ -8,10 +8,10 @@ servers. The Bulk Import query uses the FSAA Data Collector and has been preconfigured to use the File system activity Bulk import category. -![Query for the 2-FSAC Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacbulkimportquery.webp) +![Query for the 2-FSAC Bulk Import Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacbulkimportquery.webp) - Bulk Import – Imports data into SQL Server - Typically this query is not modified. See the - [FileSystemAccess Data Collector](../../../admin/datacollector/fsaa/overview.md) topic for + [FileSystemAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md) topic for information on when this query should be modified. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-seek_bulk_import.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-seek_bulk_import.md index eb7685e121..4389be5cb5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-seek_bulk_import.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-seek_bulk_import.md @@ -8,10 +8,10 @@ targeted file servers. The Bulk Import query uses the FSAA Data Collector and has been preconfigured to use the Sensitive data Bulk import category. -![Query for the 2-SEEK Bulk Import Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/seekbulkimportquery.webp) +![Query for the 2-SEEK Bulk Import Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/seekbulkimportquery.webp) - Bulk Import – Imports data into SQL server - Typically this query is not modified. See the - [FileSystemAccess Data Collector](../../../admin/datacollector/fsaa/overview.md) topic for + [FileSystemAccess Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/overview.md) topic for information on when this query should be modified. 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsaa_exceptions.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsaa_exceptions.md index 3e983c0ae4..9092e432da 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsaa_exceptions.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsaa_exceptions.md @@ -7,7 +7,7 @@ returned by the Access Auditing collection jobs to identify potential security c The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The 3-FSAA Exceptions job has the following customizable parameter: @@ -26,7 +26,7 @@ Exceptions** > **Configure** node and select **Analysis**. **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified and or deselected. While it is possible to deselect particular tasks as specified, it is not recommended. -![Analysis Tasks for the 3-FSAA Exceptions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaexceptionsanalysis.webp) +![Analysis Tasks for the 3-FSAA Exceptions Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsaaexceptionsanalysis.webp) The following analysis tasks are selected by default: 
@@ -35,7 +35,7 @@ The following analysis tasks are selected by default: - Well known high risk SIDS have been set in the `#SIDS` parameter. Do not remove these, but additional custom SIDS can be added. See the - [Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. - Disabled users – Any folders where disabled users have been granted access diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsac_exceptions.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsac_exceptions.md index 1b6edded15..0443328db9 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsac_exceptions.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsac_exceptions.md @@ -6,7 +6,7 @@ The 3-FSAC Exceptions job is designed to analyze collected access information fo The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The 3-FSAC Exceptions job has many customizable parameters. See the 
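Review bot: The `[Parameter Configuration]` link in the `@@ -6,7 +6,7 @@` hunk of 3-fsac_exceptions.md keeps its `#parameter-configuration` fragment on the new absolute path. Please verify that the build's link check validates fragments as well as file paths for this link form; a path-only check would let a renamed heading in `admin/jobs/job/overview.md` go unnoticed.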
@@ -21,7 +21,7 @@ Exceptions** > **Configure** node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the 3-FSAC Exceptions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacexceptionsanalysis.webp) +![Analysis Tasks for the 3-FSAC Exceptions Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/fsacexceptionsanalysis.webp) The following analysis tasks are selected by default: @@ -109,5 +109,5 @@ analysis. The 3-FSAC Exceptions job contains the following customizable paramete | Unusual user stale data activity | @STALETHRESHOLD | 365 | Number of days after which resources are considered stale | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information on modifying analysis parameters. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md index 7bd01eca05..624e1c163f 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/fs_azuretenantscan.md 
@@ -5,7 +5,7 @@ Azure tenant. This job produces a host list containing the storage accounts to t Files scans. You can add this job from the Access Analyzer Instant Job Library. See the -[Instant Job Wizard](../../../admin/jobs/instantjobs/overview.md) topic for additional information. +[Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. Before running the FS_AzureTenantScan job, you must ensure all the below prerequisites have been met, and that the required host list and connection profile have been assigned to the job. @@ -51,17 +51,17 @@ The host list must target the Azure tenant name. For example, `YourTenantName.on The FS_AzureTenantScan job requires a connection profile with the following user credentials: -![User Credentials for FS_AzureTenantScan job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/azuretenantscanusercredentials.webp) +![User Credentials for FS_AzureTenantScan job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/azuretenantscanusercredentials.webp) - Select Account Type – Azure Active Directory - Client ID – Application ID for the app registration created in Azure that is assigned to your desired resource group - Password Storage – Application (Uses the configured Profile Security setting as selected at the **Settings** > **Application** node. See the - [Application](../../../admin/settings/application/overview.md) topic for additional information.) + [Application](/docs/accessanalyzer/12.0/admin/settings/application/overview.md) topic for additional information.) - Key – Client secret value for the app registration -See the [Connection](../../../admin/settings/connection/overview.md) topic for additional +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. ## Query for the FS_AzureTenantScan Job 
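Review bot: The replaced lines in the `@@ -51,17 +51,17 @@` hunk, such as the `[Application](...)` and `[Connection](...)` lines, now run well past the column at which the surrounding text is wrapped. Rewrap the affected paragraphs, or state in the commit message that the rewrite was scripted and wrapping is deferred, so a later formatting pass is not mixed into content changes.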
@@ -71,7 +71,7 @@ Scan and import category. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query for the FS_AzureTenantScan Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/collection/azuretenantscanquery.webp) +![Query for the FS_AzureTenantScan Job](/img/product_docs/accessanalyzer/solutions/filesystem/collection/azuretenantscanquery.webp) The job has the following query: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md index a220ae7daf..81a5ca205c 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md @@ -3,7 +3,7 @@ The 0.Collection job group is designed to collect information from targeted file servers. Information collected includes access control information, activity events, and sensitive data. -![0.Collection Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 0.Collection job group has the following collection components: 
@@ -30,7 +30,7 @@ The 0.Collection job group has the following collection components: These jobs are numbered to keep them in the necessary run order. Not all jobs need be run. See the appropriate auditing topic for specific job relationships and recommended workflows. The 0-Create Schema job ensures the database schema is properly configured for the current version of the data -collector. See the [0-Create Schema Job](0-create_schema.md) topic for additional information. +collector. See the [0-Create Schema Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md) topic for additional information. _Remember,_ the relationship between system scans and bulk import jobs requires the following considerations: 
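Review bot: The `0-Create Schema Job` link in the `@@ -30,7 +30,7 @@` hunk pointed at a file in the same directory (`0-create_schema.md`); replacing it with the full `/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-create_schema.md` path adds length without making the link more robust. Leave same-directory links in their short form and restrict the rewrite to links that climb with `../`.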
@@ -53,36 +53,36 @@ directly into the Tier-1 database. Access Auditing (FSAA) is the primary component of the 0.Collection job group. It collects file system permission, content metadata, and additional file system information. The jobs, tables, and views specifically incorporated into this component are prefixed with `FSAA`. See the -[Standard Reference Tables & Views for the FSAA Data Collector](../../../admin/datacollector/fsaa/standardtables.md) +[Standard Reference Tables & Views for the FSAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/standardtables.md) topic for additional information on the data collected. The 0.Collection jobs that comprise this auditing component are: -- [1-FSAA System Scans Job](1-fsaa_system_scans.md) – Collects access information from the targeted +- [1-FSAA System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsaa_system_scans.md) – Collects access information from the targeted file servers -- [2-FSAA Bulk Import Job](2-fsaa_bulk_import.md) – Imports collected access information from the +- [2-FSAA Bulk Import Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsaa_bulk_import.md) – Imports collected access information from the targeted file servers - The 2-FSAA Bulk Import job does not need to be run when streaming is enabled -- [3-FSAA Exceptions Job](3-fsaa_exceptions.md) – Analyzes collected access information for +- [3-FSAA Exceptions Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsaa_exceptions.md) – Analyzes collected access information for exceptions The following job groups and jobs in the File System solution depend on data collected by these jobs to generate reports: -- [1.Open Access > FS_OpenAccess Job](../fs_openaccess.md) -- [2.Direct Permissions Job Group](../directpermissions/overview.md) -- [3.Broken Inheritance > FS_BrokenInheritance Job](../fs_brokeninheritance.md) -- [4.Content Job Group](../content/overview.md) -- [5.Activity Job 
Group](../activity/overview.md) (also requires Activity Auditing) -- [6.Probable Owner > FS_ProbableOwner Job](../fs_probableowner.md) (also requires Activity +- [1.Open Access > FS_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md) +- [2.Direct Permissions Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md) +- [3.Broken Inheritance > FS_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md) +- [4.Content Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md) +- [5.Activity Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md) (also requires Activity Auditing) +- [6.Probable Owner > FS_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md) (also requires Activity Auditing) -- [7.Sensitive Data > FS_DLPResults Job](../fs_dlpresults.md) (also requires Activity Auditing and +- [7.Sensitive Data > FS_DLPResults Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md) (also requires Activity Auditing and Sensitive Data Discovery Auditing) -- [Ad Hoc Audits Job Group](../adhocaudits/overview.md) -- [FileSystemOverview Job](../filesystemoverview.md) -- [FS_SecurityAssessment Job](../fs_securityassessment.md) +- [Ad Hoc Audits Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md) +- [FileSystemOverview Job](/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md) +- [FS_SecurityAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md) The File System Access Reports in the Access Information Center are also populated by this data. See the File System Reports topics in the 
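Review bot: Every link rewritten in the @@ -53,36 +53,36 @@ hunk now embeds the version folder, for example `/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md` in place of `../fs_openaccess.md`. The relative form stayed correct when the tree was copied to a new version directory; the absolute form will keep pointing at 12.0 content from any copy without producing a broken-link error. Please state in the PR description how these links are re-pinned when a new version is cut, or add a link check that fails when a file under one version folder links into another. The rewritten list items also run well past the wrap width of the unchanged lines around them, so rewrap them if the repo enforces a line length.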
@@ -113,7 +113,7 @@ The recommended workflow for Access Auditing only is as follows: **Step 4 –** Run the desired corresponding analysis and reporting sub-job groups. -**NOTE:** Please see the [Recommended Configuration for the File System Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic before continuing with this workflow. See the other auditing sections for workflows which include multiple auditing types. 
@@ -124,19 +124,19 @@ DFS Auditing (FSDFS) is the component of the 0.Collection job group which collec System (DFS) mappings from Active Directory or self-hosted DFS servers and compares them to the file system information. It works in conjunction with the Access Auditing component. The jobs, tables, and views specifically incorporated into this component are prefixed with `FSDFS`. See the -[Standard Reference Tables & Views for the FSAA Data Collector](../../../admin/datacollector/fsaa/standardtables.md) +[Standard Reference Tables & Views for the FSAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/standardtables.md) topic for additional information on the data collected. The 0.Collection jobs that comprise the DFS auditing component are: -- [0-FSDFS System Scans Job](0-fsdfs_system_scans.md) – This job is responsible for enumerating a +- [0-FSDFS System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fsdfs_system_scans.md) – This job is responsible for enumerating a list of all root and link targets in the distributed file system and creating a dynamic host list that will be used by the other 0.Collection jobs - The Connection Profile and required permissions for the 0-FSDFS System Scans job are the same as those required for collecting system data from supported Windows operating systems. They are dependent on the file system scan option being used. See the - [File System Scan Options](../../../requirements/solutions/filesystem/scanoptions.md) topic + [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. - The target host you should assign to the 0-FSDFS System Scans job depends on the type of DFS namespace being audited: 
@@ -248,7 +248,7 @@ only). **Step 11 –** Run the desired corresponding analysis and reporting sub-job groups. -**NOTE:** Please see the [Recommended Configuration for the File System Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic before continuing with these workflows. To scope the 0.Collection job group to only collect DFS information, see Step 9 of the @@ -261,7 +261,7 @@ Activity Auditing (FSAC) is the component of the 0.Collection job group that imp information collected by the Activity Monitor. It can be run independently or in conjunction with the FSAA component, though it is recommended to run them together. The jobs, tables, and views specifically incorporated into this component are prefixed with `FSAC`. See the -[Standard Reference Tables & Views for the FSAA Data Collector](../../../admin/datacollector/fsaa/standardtables.md) +[Standard Reference Tables & Views for the FSAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/standardtables.md) topic for additional information on the data collected. **NOTE:** The Activity Auditing component requires the Activity Monitor be deployed, configured, and 
@@ -291,22 +291,22 @@ for information on the Access Analyzer Integration. The **0.Collection** jobs that comprise this auditing component are: -- [1-FSAC System Scans Job](1-fsac_system_scans.md) – Collects activity events from the targeted +- [1-FSAC System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md) – Collects activity events from the targeted file servers -- [2-FSAC Bulk Import Job](2-fsac_bulk_import.md) – Imports collected activity events from the +- [2-FSAC Bulk Import Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-fsac_bulk_import.md) – Imports collected activity events from the targeted file servers -- [3-FSAC Exceptions Job](3-fsac_exceptions.md) – Analyzes the collected activity events for +- [3-FSAC Exceptions Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/3-fsac_exceptions.md) – Analyzes the collected activity events for exceptions The following job groups and jobs in the File System solution depend on data collected by these jobs to generate reports: -- [5.Activity Job Group](../activity/overview.md) (also requires Access Auditing) -- [6.Probable Owner > FS_ProbableOwner Job](../fs_probableowner.md) (also requires Access Auditing) -- [7.Sensitive Data > FS_DLPResults Job](../fs_dlpresults.md) (also requires Access Auditing and +- [5.Activity Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md) (also requires Access Auditing) +- [6.Probable Owner > FS_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md) (also requires Access Auditing) +- [7.Sensitive Data > FS_DLPResults Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md) (also requires Access Auditing and Sensitive Data Discovery Auditing) -- [FileSystemOverview Job](../filesystemoverview.md) -- [FS_SecurityAssessment Job](../fs_securityassessment.md) +- [FileSystemOverview 
Job](/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md) +- [FS_SecurityAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md) The File System Activity Reports in the Access Information Center are also populated by this data. See the @@ -434,7 +434,7 @@ only). **Step 5 –** Run the desired corresponding analysis and reporting sub-job groups. -**NOTE:** Please see the [Recommended Configuration for the File System Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic before continuing with these workflows. ### Identify a Log File @@ -462,7 +462,7 @@ Sensitive Data Discovery Auditing (SEEK) is the component of the 0.Collection jo searches file content for sensitive data. It can be run independently or in conjunction with the Access Auditing component to limit searches to Open Shares. The jobs for this component are prefixed with `SEEK`. The tables and views are prefixed with `FSDLP`. See the -[Standard Reference Tables & Views for the FSAA Data Collector](../../../admin/datacollector/fsaa/standardtables.md) +[Standard Reference Tables & Views for the FSAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/standardtables.md) topic for additional information on the data collected. Customized search criteria can be created with the Criteria Editor accessible through the SDD @@ -472,7 +472,7 @@ topic for additional information. _Remember,_ changes made in the Criteria Editor are global for Sensitive Data Discovery in Access Analyzer. See the -[Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. Option to Enable Last Access Timestamp 
@@ -485,22 +485,22 @@ Since files are read during the Sensitive Data Discovery Auditing scan, when the in Windows the scan causes each file's LAT to update each time the file is scanned. Therefore, there is a feature within the job XML file which enables the scan to call a special API in order to keep each file's LAT from updating when it's scanned. This feature can be enabled by adding -`` tag to the XML. See the [1-SEEK System Scans Job](1-seek_system_scans.md) +`` tag to the XML. See the [1-SEEK System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md) topic for additional information and instructions. This feature works for all scan modes when targeting Windows machines. For additional information on preserving Last Access Time during SDD scans and Metadata tag -collection, see the [File System Supported Platforms](../../../requirements/target/filesystems.md) +collection, see the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic. File System Sensitive Data Discovery Auditing (SEEK) Jobs The 0.Collection jobs that comprise this auditing component are: -- [1-SEEK System Scans Job](1-seek_system_scans.md) – Collects sensitive data from the targeted file +- [1-SEEK System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-seek_system_scans.md) – Collects sensitive data from the targeted file servers -- [2-SEEK Bulk Import Job](2-seek_bulk_import.md) – Imports collected sensitive data information +- [2-SEEK Bulk Import Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/2-seek_bulk_import.md) – Imports collected sensitive data information from the targeted file servers - The 2-SEEK Bulk Import job does not need to be run when streaming is enabled 
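Review bot: The changed line in the @@ -485,22 +485,22 @@ hunk still reads "This feature can be enabled by adding `` tag to the XML", with an empty code span where the tag name belongs, on both the removed and the added side. Since the line is being touched anyway, supply the tag name and escape it (or keep it inside a code span) so it is not dropped as markup; as written, a reader cannot tell which element to add to the job XML to keep Last Access Time from updating and has to follow the link to the 1-SEEK System Scans Job topic to find out.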
@@ -508,10 +508,10 @@ The 0.Collection jobs that comprise this auditing component are: The following job group and jobs in the File System solution depend on data collected by these jobs to generate reports: -- [7.Sensitive Data > FS_DLPResults Job](../fs_dlpresults.md) (also requires Access Auditing and +- [7.Sensitive Data > FS_DLPResults Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md) (also requires Access Auditing and Activity Auditing) -- [FileSystemOverview Job](../filesystemoverview.md) -- [FS_SecurityAssessment Job](../fs_securityassessment.md) +- [FileSystemOverview Job](/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md) +- [FS_SecurityAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md) The File System Sensitive Data Discovery Reports in the Access Information Center are also populated by this data. See the @@ -646,5 +646,5 @@ Activity Auditing components. **Step 3 –** Run the desired corresponding analysis and reporting sub-job groups. -**NOTE:** Please see the [Recommended Configuration for the File System Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic before continuing with these workflows. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_filetypes.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_filetypes.md index 986e5265fb..ef6cd1e99b 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_filetypes.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_filetypes.md 
@@ -2,7 +2,7 @@ The FS_FileTypes job is designed to report on file type information from targeted file servers. -![File Types > FS_FileTypes Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/filetypesjobstree.webp) +![File Types > FS_FileTypes Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/content/filetypesjobstree.webp) The FS_FileTypes job is located in the File Types job group. @@ -14,7 +14,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_FileTypes Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/filetypesanalysis.webp) +![Analysis Tasks for the FS_FileTypes Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/filetypesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_stalecontent.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_stalecontent.md index 961984115d..c795097eea 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_stalecontent.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_stalecontent.md @@ -3,7 +3,7 @@ The FS_StaleContent job is designed to report on stale content information from targeted file servers. -![Stale > FS_StaleContent Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/stalejobstree.webp) +![Stale > FS_StaleContent Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/content/stalejobstree.webp) The FS_StaleContent job is located in the Stale job group. 
@@ -15,7 +15,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_StaleContent Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/stalecontentanalysis.webp) +![Analysis Tasks for the FS_StaleContent Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/stalecontentanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md index d275ea8c26..c1e3e38f80 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md 
@@ -3,15 +3,15 @@ The 4.Content job group is designed to report on content information from targeted file servers. Key information reported on in this group is: File Types, File Sizing, Stale Content, and File Tags. -![4.Content Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![4.Content Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 4.Content job group is comprised of: -- [File Types > FS_FileTypes Job](fs_filetypes.md) – Designed to report on file type information +- [File Types > FS_FileTypes Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_filetypes.md) – Designed to report on file type information from targeted file servers -- [Sizing Job Group](sizing/overview.md) – Designed to report on file sizing information from +- [Sizing Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/overview.md) – Designed to report on file sizing information from targeted file servers -- [Stale > FS_StaleContent Job](fs_stalecontent.md) – Designed to report on stale content +- [Stale > FS_StaleContent Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/fs_stalecontent.md) – Designed to report on stale content information from targeted file servers -- [Tags Job Group](tags/overview.md) – Designed to report on content classification information from +- [Tags Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/overview.md) – Designed to report on content classification information from targeted file servers diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_emptyresources.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_emptyresources.md index 2619f43f84..e461624ca5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_emptyresources.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_emptyresources.md 
@@ -10,7 +10,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_EmptyResources Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/emptyresourcesanalysis.webp) +![Analysis Tasks for the FS_EmptyResources Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/emptyresourcesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_largestresources.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_largestresources.md index 9552515531..136f9e6999 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_largestresources.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_largestresources.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_LargestResources Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/largestresourcesanalysis.webp) +![Analysis Tasks for the FS_LargestResources Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/largestresourcesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_smallestresources.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_smallestresources.md index 7657c82198..a308341672 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_smallestresources.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_smallestresources.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_SmallestResources Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/smallestresourcesanalysis.webp) +![Analysis Tasks for the FS_SmallestResources Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/smallestresourcesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/overview.md index 6801328595..90ac28b2c1 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/overview.md 
@@ -2,13 +2,13 @@ The Sizing job group is designed to report on file sizing information from targeted file servers. -![Sizing Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/sizingjobstree.webp) +![Sizing Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/content/sizing/sizingjobstree.webp) The Sizing job group is comprised of: -- [FS_EmptyResources Job](fs_emptyresources.md) – Designed to report on empty resources from +- [FS_EmptyResources Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_emptyresources.md) – Designed to report on empty resources from targeted file servers -- [FS_LargestResources Job](fs_largestresources.md) – Designed to report on the largest resources +- [FS_LargestResources Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_largestresources.md) – Designed to report on the largest resources from targeted file servers -- [FS_SmallestResources Job](fs_smallestresources.md) – Designed to report on the smallest resources +- [FS_SmallestResources Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/sizing/fs_smallestresources.md) – Designed to report on the smallest resources from targeted file servers diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_aiplabels.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_aiplabels.md index 3464092314..acbfc92c82 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_aiplabels.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_aiplabels.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_AIPLabels Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/aiplabelsanalysis.webp) +![Analysis Tasks for the FS_AIPLabels Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/aiplabelsanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_filetags.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_filetags.md index a07f1d800a..7455c953f7 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_filetags.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_filetags.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **4.Content** > ** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_FileTags Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/filetagsanalysis.webp) +![Analysis Tasks for the FS_FileTags Job](/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/filetagsanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/overview.md index 6c1218bf30..9b2ee145ed 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/overview.md 
@@ -3,11 +3,11 @@ The Tags job group is designed to report on content classification information from targeted file servers. -![Tags Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/tagsjobstree.webp) +![Tags Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/content/tags/tagsjobstree.webp) The Tags job group is comprised of: -- [FS_AIPLabels Job](fs_aiplabels.md) – Designed to report on resources classified by AIP labels +- [FS_AIPLabels Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_aiplabels.md) – Designed to report on resources classified by AIP labels from targeted file servers -- [FS_FileTags Job](fs_filetags.md) – Designed to report on resources classified with metadata file +- [FS_FileTags Job](/docs/accessanalyzer/12.0/solutions/filesystem/content/tags/fs_filetags.md) – Designed to report on resources classified with metadata file tags from targeted file servers diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_domainuseracls.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_domainuseracls.md index 9949e3a158..a461e4537f 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_domainuseracls.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_domainuseracls.md 
@@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_DomainUserACLs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/domainuseraclsanalysis.webp) +![Analysis Tasks for the FS_DomainUserACLs Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/domainuseraclsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_highriskacls.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_highriskacls.md index 2d6aef2989..2de996e5c5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_highriskacls.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_highriskacls.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_HighRiskACLs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/highriskaclsanalysis.webp) +![Analysis Tasks for the FS_HighRiskACLs Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/highriskaclsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md index 91e61ab91d..254b71d567 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md 
+++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_LocalUsersAndGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/localusersandgroupsanalysis.webp) +![Analysis Tasks for the FS_LocalUsersAndGroups Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/localusersandgroupsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_missingfullcontrol.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_missingfullcontrol.md index a512145a20..3fc2e6c30e 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_missingfullcontrol.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_missingfullcontrol.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_MissingFullControl Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/missingfullcontrolanalysis.webp) +![Analysis Tasks for the FS_MissingFullControl Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/missingfullcontrolanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md index 5b578e43ff..e74fc7ca06 100644 
--- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_NestedShares Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/nestedsharesanalysis.webp) +![Analysis Tasks for the FS_NestedShares Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/nestedsharesanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md index 91060b4e34..95fcbe71b3 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_SIDHistory Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/sidhistoryanalysis.webp) +![Analysis Tasks for the FS_SIDHistory Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/sidhistoryanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_unresolvedsids.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_unresolvedsids.md index 43d8879f0f..93c7c4dbd3 100644 
--- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_unresolvedsids.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_unresolvedsids.md @@ -11,7 +11,7 @@ View the analysis tasks by navigating to the **FileSystem** > **2.Direct Permiss **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FS_UnresolvedSIDs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/unresolvedsidsanalysis.webp) +![Analysis Tasks for the FS_UnresolvedSIDs Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/unresolvedsidsanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md index f480018bea..74eeb07194 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md 
@@ -3,21 +3,21 @@ The 2.Direct Permissions job group is designed to report on Direct Permissions information from targeted file servers. -![2.Direct Permissions Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Direct Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 2.Direct Permissions job group is comprised of: -- [FS_DomainUserACLs Job](fs_domainuseracls.md) – Reports on domain users that have been granted +- [FS_DomainUserACLs Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_domainuseracls.md) – Reports on domain users that have been granted direct permissions on resources from targeted file servers -- [FS_HighRiskACLs Job](fs_highriskacls.md) – Reports on high risk security principals that have +- [FS_HighRiskACLs Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_highriskacls.md) – Reports on high risk security principals that have been granted direct permissions on resources from targeted file servers -- [FS_LocalUsersAndGroups Job](fs_localusersandgroups.md) – Reports on local users and groups that +- [FS_LocalUsersAndGroups Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md) – Reports on local users and groups that have been granted direct permissions on resources from targeted file servers -- [FS_MissingFullControl Job](fs_missingfullcontrol.md) – Reports on resources from targeted file +- [FS_MissingFullControl Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_missingfullcontrol.md) – Reports on resources from targeted file servers that have no Full Control rights granted to it -- [FS_NestedShares Job](fs_nestedshares.md) – Reports on nested shares that have been granted direct +- [FS_NestedShares Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md) – Reports on nested 
shares that have been granted direct permissions from targeted file servers -- [FS_SIDHistory Job](fs_sidhistory.md) – Reports on trustees that have a historical SID that has +- [FS_SIDHistory Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md) – Reports on trustees that have a historical SID that has been granted direct permissions on resources from targeted file servers -- [FS_UnresolvedSIDs Job](fs_unresolvedsids.md) – Reports on unresolved SIDs that have been granted +- [FS_UnresolvedSIDs Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_unresolvedsids.md) – Reports on unresolved SIDs that have been granted direct permissions on resources from targeted file servers diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md b/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md index 151d87c213..97dea054f2 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md 
@@ -2,11 +2,11 @@ The FileSystemOverview job provides insight into all targeted file servers. It is dependent on data collected by the [File System Access Auditing](collection/overview.md#file-system-access-auditing) -components and the components of the [0.Collection Job Group](collection/overview.md). It also +components and the components of the [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md). It also depends on the running of the sub-job groups within the solution. If only select sub-job groups have been run, there will be blank sections in the overview report. -![FileSystemOverview Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/filesystemoverviewjobstree.webp) +![FileSystemOverview Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/filesystemoverviewjobstree.webp) The FileSystemOverview job is designed to provide an overview of all relevant information from targeted file servers. @@ -19,7 +19,7 @@ node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the FileSystemOverview Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/filesystemoverviewanalysis.webp) +![Analysis Tasks for the FileSystemOverview Job](/img/product_docs/accessanalyzer/solutions/filesystem/filesystemoverviewanalysis.webp) The following analysis task is selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md b/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md index 6a497cbfeb..7c018dbe5a 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md 
@@ -3,7 +3,7 @@ The FS_BrokenInheritance job is designed to report on resources with Broken Inheritance from targeted file servers. -![3.Broken Inheritance > FS_BrokenInheritance Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) +![3.Broken Inheritance > FS_BrokenInheritance Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) The FS_BrokenInheritance job is located in the 3.Broken Inheritance job group. @@ -11,7 +11,7 @@ The FS_BrokenInheritance job is located in the 3.Broken Inheritance job group. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The FS_BrokenInheritance job has the following configurable parameter: @@ -34,7 +34,7 @@ View the analysis tasks by navigating to the **FileSystem** > **3.Broken Inherit **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified and or deselected. There are some that are deselected by default, as they are for troubleshooting purposes. -![Analysis Tasks for the FS_BrokenInheritance Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) +![Analysis Tasks for the FS_BrokenInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) The following analysis tasks are selected by default: 
@@ -56,7 +56,7 @@ The following analysis tasks are selected by default: information. - Alternatively, this can be set by modifying the `@FILTER_TO_CHANGED_RESOURCES` parameter. See the - [Configure the Customizable Parameters in an Analysis Task](../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. - 3. Determine Permission Changes – Creates an interim processing table in the database for use by diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md b/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md index fba520cc73..99fdf3b1f5 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md @@ -5,7 +5,7 @@ sensitive data from targeted file servers. It is comprised of analysis and repor data collected by the **0.Collection** job group to provide information on where sensitive data is being shared. Best practices often dictate moving files with sensitive data out of open shares. -![7.Sensitive Data > FS_DLPResults Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) +![7.Sensitive Data > FS_DLPResults Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) The FS_DLPResults job is located in the 7.Sensitive Data job group. 
@@ -17,7 +17,7 @@ View the analysis tasks by navigating to the **FileSystem** > **7.Sensitive Data **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_DLPResults Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/dlpresultsanalysis.webp) +![Analysis Tasks for the FS_DLPResults Job](/img/product_docs/accessanalyzer/solutions/filesystem/dlpresultsanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md b/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md index f74b719f36..a34ae071fa 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md @@ -4,7 +4,7 @@ The FS_OpenAccess job is designed to report on Open Access information from targ The definition of Open Access is when a security principal, such as Everyone, Authenticated Users, or Domain Users, have permissions on a resource. -![1.Open Access > FS_OpenAccess Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) +![1.Open Access > FS_OpenAccess Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) The FS_OpenAccess job is located in the 1.Open Access job group. @@ -16,7 +16,7 @@ View the analysis tasks by navigating to the **FileSystem** > **1.Open Access** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the FS_OpenAccess Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) +![Analysis Tasks for the FS_OpenAccess Job](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) The following analysis tasks are selected by default: 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md b/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md index dd39904bc9..72c4fa361a 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md @@ -3,7 +3,7 @@ The 6.Probable Owner Job Group is designed to report on probable owners of resources from targeted file servers. -![probableownerjobstree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/probableownerjobstree.webp) +![probableownerjobstree](/img/product_docs/accessanalyzer/solutions/filesystem/probableownerjobstree.webp) The 6.Probable Owner Job Group is comprised of: @@ -18,7 +18,7 @@ Configure node and select Analysis. **CAUTION:** Do not modify or deselect the first and third selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Selection](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/probableowneranalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/filesystem/probableowneranalysis.webp) The following analysis tasks are selected by default: @@ -35,7 +35,7 @@ The following analysis tasks are selected by default: excluded. When the job is run, SIDs specified in the #FILTERED_TRUSTEES variable are excluded from the analysis and not reported as probable owners. - See the - [Configure the Customizable Parameters in an Analysis Task](../../admin/jobs/job/configure/analysiscustomizableparameters.md) + [Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for additional information. - Identify Folders with no Owner Found – Creates the SA_FS_ProbableOwner_NoOwnerFound table accessible under the job’s Results node 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md b/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md index b5c4a73c95..7bb91fca50 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md 
@@ -5,23 +5,23 @@ information from targeted file servers. It is dependent upon the following jobs: - 2.Direct Permissions Job Group - - [FS_LocalUsersAndGroups Job](directpermissions/fs_localusersandgroups.md) - - [FS_NestedShares Job](directpermissions/fs_nestedshares.md) - - [FS_SIDHistory Job](directpermissions/fs_sidhistory.md) + - [FS_LocalUsersAndGroups Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_localusersandgroups.md) + - [FS_NestedShares Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_nestedshares.md) + - [FS_SIDHistory Job](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/fs_sidhistory.md) -- [3.Broken Inheritance > FS_BrokenInheritance Job](fs_brokeninheritance.md) +- [3.Broken Inheritance > FS_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md) - 5.Activity Job Group - - [Least Privileged Access > FS_LeastPrivilegedAccess Job](activity/fs_leastprivilegedaccess.md) - - Security > [FS_HighRiskActivity Job](activity/security/fs_highriskactivity.md) + - [Least Privileged Access > FS_LeastPrivilegedAccess Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/fs_leastprivilegedaccess.md) + - Security > [FS_HighRiskActivity Job](/docs/accessanalyzer/12.0/solutions/filesystem/activity/security/fs_highriskactivity.md) - 7.Sensitive Data Job Group - - [7.Sensitive Data > FS_DLPResults Job](fs_dlpresults.md) + - [7.Sensitive Data > FS_DLPResults Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md) If only select sub-job groups have been run, there are blank sections in the overview report. 
-![FS_SecurityAssessment Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) +![FS_SecurityAssessment Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) The FS_SecurityAssessment job is comprised of analysis and reports which use the data collected by the 0.Collection job group and analyzed by the jobs listed above. @@ -34,7 +34,7 @@ View the analysis tasks by navigating to the **FileSystem** > **FS_SecurityAsses **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Task for the FS_SecurityAssessment Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) +![Analysis Task for the FS_SecurityAssessment Job](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/overview.md index 2442d878c8..5ea5f4150f 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/overview.md 
@@ -23,17 +23,17 @@ sensitive data, or Sensitive Data Discovery Auditing (SEEK). Supported Platforms -- See the [File System Supported Platforms](../../requirements/target/filesystems.md) topic for a +- See the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for a full list of supported platforms. Requirements, Permissions, and Ports - Permissions vary based on the Scan Mode Option selected. See the - [File System Supported Platforms](../../requirements/target/filesystems.md) topic for additional + [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. - Ports vary based on the Scan Mode Option selected. See the - [File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) topic for + [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -53,12 +53,12 @@ The File System Solution requires a special Access Analyzer license. It can be i Instant Job Wizard. Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **FileSystem**. -The [0.Collection Job Group](collection/overview.md) collects the data. The other job groups run -analysis on the collected data. The [FileSystemOverview Job](filesystemoverview.md) generates a +The [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md) collects the data. The other job groups run +analysis on the collected data. The [FileSystemOverview Job](/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md) generates a statistical overview report of the targeted file systems. -**NOTE:** The [Cleanup Job Group](cleanup/overview.md) and the -[Resource Based Groups Job Group](resourcebasedgroups/overview.md) require additional licenses to +**NOTE:** The [Cleanup Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md) and the +[Resource Based Groups Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md) require additional licenses to function. See the [Job Groups](#job-groups) topic for additional information. ## Job Groups 
@@ -67,10 +67,10 @@ The File System Solution offers information on multiple aspects of an organizati infrastructure. This solution is comprised of eleven job groups and an overview job which collect, analyze, and report on data as well as run action tasks for environmental remediation. The data collection is conducted by the FileSystemAccess (FSAA) Data Collector. See the -[Standard Reference Tables & Views for the FSAA Data Collector](../../admin/datacollector/fsaa/standardtables.md) +[Standard Reference Tables & Views for the FSAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/standardtables.md) section for database table information. -![File System Solution](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![File System Solution](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) Each type of auditing depends on specific jobs within the 0.Collection Job Group to collect the data and its corresponding analysis and reporting job groups. The Access Auditing components represent 
@@ -84,52 +84,52 @@ If intending to run three or all auditing types, see each auditing type section to first run the 0.Collection Job Group components in the default order for the desired auditing types to ensure successful data collection, and then to run the desired sub-groups for reports. -See the [Recommended Configuration for the File System Solution](recommended.md) topic for +See the [Recommended Configuration for the File System Solution](/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md) topic for additional information on run frequency and job group settings. The File System Solution is available with the File System Reports license feature and is comprised of the following jobs: -- [0.Collection Job Group](collection/overview.md) – Designed to collect information from targeted +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/collection/overview.md) – Designed to collect information from targeted file servers. Information collected includes access control information, activity events, and sensitive data. - This job group is available with the File System license feature. 
-- [1.Open Access > FS_OpenAccess Job](fs_openaccess.md) – Designed to report on Open Access +- [1.Open Access > FS_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_openaccess.md) – Designed to report on Open Access information from targeted file servers -- [2.Direct Permissions Job Group](directpermissions/overview.md) – Designed to report on Direct +- [2.Direct Permissions Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/directpermissions/overview.md) – Designed to report on Direct Permissions information from targeted file servers -- [3.Broken Inheritance > FS_BrokenInheritance Job](fs_brokeninheritance.md) – Designed to report on +- [3.Broken Inheritance > FS_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_brokeninheritance.md) – Designed to report on Broken Inheritance information from targeted file servers -- [4.Content Job Group](content/overview.md) – Designed to report on content information from +- [4.Content Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/content/overview.md) – Designed to report on content information from targeted file servers. Key information reported on in this group is: File Types, File Sizing, Stale Content, and File Tags. 
-- [5.Activity Job Group](activity/overview.md) – Designed to report on activity event information +- [5.Activity Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/activity/overview.md) – Designed to report on activity event information from targeted file servers - Requires the Activity Monitor -- [6.Probable Owner > FS_ProbableOwner Job](fs_probableowner.md) – Designed to report on probable +- [6.Probable Owner > FS_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_probableowner.md) – Designed to report on probable owners of resources from targeted file servers -- [7.Sensitive Data > FS_DLPResults Job](fs_dlpresults.md) – Designed to report on resources that +- [7.Sensitive Data > FS_DLPResults Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_dlpresults.md) – Designed to report on resources that have been identified to contain sensitive data from targeted file servers - Requires Sensitive Data Discovery -- [Ad Hoc Audits Job Group](adhocaudits/overview.md) – Designed to report on resources and trustees +- [Ad Hoc Audits Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/adhocaudits/overview.md) – Designed to report on resources and trustees that have been provided by the user from targeted file servers - Typically, this is run independently from the rest of the solution -- [Cleanup Job Group](cleanup/overview.md) – Designed to report on and take action against resources +- [Cleanup Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/cleanup/overview.md) – Designed to report on and take action against resources from targeted file servers that can be cleaned up - Requires the File System Actions license feature to function - This job group is run independently from the rest of the solution -- [Resource Based Groups Job Group](resourcebasedgroups/overview.md) – Designed to report on and +- [Resource Based Groups Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md) – Designed to report 
on and take action against resources from targeted file servers that can be have their permissions structure transformed to a resource-based group implementation - Requires the File System Actions and Active Directory Actions license features to function - This job group is run independently from the rest of the solution -- [FileSystemOverview Job](filesystemoverview.md) – Designed to provide an overview of all relevant +- [FileSystemOverview Job](/docs/accessanalyzer/12.0/solutions/filesystem/filesystemoverview.md) – Designed to provide an overview of all relevant information from targeted file servers -- [FS_SecurityAssessment Job](fs_securityassessment.md) – Designed to provide a security assessment +- [FS_SecurityAssessment Job](/docs/accessanalyzer/12.0/solutions/filesystem/fs_securityassessment.md) – Designed to provide a security assessment of all relevant information from targeted file servers When targeting Nasuni Edge Appliances, it is necessary to add a job from the Instant Job Library (FS_Nasuni Job) which uses the PowerShell Data collector to gather system information, volume data, and share data from the Nasuni environment. This job should be added to the 0.Collection Job Group and should be renamed (0-FS_Nasuni) to run immediately after the 0-Create Schema Job. See the -[0-FS_Nasuni Job](collection/0-fs_nasuni.md) topic for additional information. +[0-FS_Nasuni Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md b/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md index 81f5c8fb7b..b9e58f403e 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/recommended.md 
@@ -7,7 +7,7 @@ scheduled. _Remember,_ the credential permissions required for the scan and host lists are affected by the scan mode selected. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) topic for +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic for additional information. Dependencies @@ -35,7 +35,7 @@ containing all on-premise Nasuni Edge Appliances and cloud filers. If using multiple proxy servers, these should also be configured within a different custom-created host list. Then assign the proxy servers host list on the -[FSAA: Applet Settings](../../admin/datacollector/fsaa/appletsettings.md) page of the File System +[FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) page of the File System Access Auditor Data Collector Wizard within the following jobs in the 0.Collection Job Group according to the type of auditing being conducted: @@ -48,7 +48,7 @@ necessary to target the Windows File Server Cluster (name of the cluster) of int scan against a Windows File System Cluster. Within the Access Analyzer Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the WinCluster column in the host inventory data. This -may need to be updated manually. See the [Host Inventory](../../admin/settings/hostinventory.md) +may need to be updated manually. See the [Host Inventory](/docs/accessanalyzer/12.0/admin/settings/hostinventory.md) topic for additional information. **NOTE:** The host targeted by the File System scans is only the host entry for the cluster. For 
@@ -76,8 +76,8 @@ Connection Profile The FSAA Data Collector requires permissions based on the platform being targeted for data collection as well as the scan mode selected. See the -[File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) topic and the -[File System Supported Platforms](../../requirements/target/filesystems.md) topic for necessary +[File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic and the +[File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for necessary permissions for the supported target platforms. See the [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) for the necessary permission for collecting activity data. Then create a custom Connection Profile @@ -94,7 +94,7 @@ Connection Profile containing the **API Access Key** and **Passcode** for each o Edge Appliance and cloud filer in the target environment. Nasuni API key names are case sensitive. When providing them, ensure they are entered in the exact same case as generated. -See the [Connection](../../admin/settings/connection/overview.md) topic for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency 
@@ -122,10 +122,10 @@ only select sub-job groups are run. **_RECOMMENDED:_** If only conducting one or two types of auditing, scope the solution by disabling the undesired collection jobs. Disabling them allows the solution to run more efficiently. It is not recommended to delete any jobs. See the -[Disable or Enable a Job](../../admin/jobs/job/disableenable.md) topic for additional information. +[Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for additional information. **NOTE:** If targeting Nasuni Edge Appliances, it is necessary to add the -[0-FS_Nasuni Job](collection/0-fs_nasuni.md) to the **0.Collection** Job Group. +[0-FS_Nasuni Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/0-fs_nasuni.md) to the **0.Collection** Job Group. Query Configuration @@ -133,7 +133,7 @@ This solution can be run with the default query configuration. However, the most customizations include: - Use proxy scanning architecture, see the - [File System Data Collection Configuration for Proxy as a Service](../../install/filesystemproxy/configuredatacollector.md) + [File System Data Collection Configuration for Proxy as a Service](/docs/accessanalyzer/12.0/install/filesystemproxy/configuredatacollector.md) topic for instructions - Default Scoping Options page > File Properties tab, optionally configure the following: 
@@ -174,8 +174,8 @@ customizations include: - Scan Server Selection page, set the type of mode the scans will run on - The mode configured must align with the provisioning of the credential and environment. See - the [File System Scan Options](../../requirements/solutions/filesystem/scanoptions.md) topic - and the [File System Supported Platforms](../../requirements/target/filesystems.md) topic for + the [File System Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/filesystem/scanoptions.md) topic + and the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/target/filesystems.md) topic for additional information. - Local Mode – All of the data collection processing is conducted by the Access Analyzer Console server across the network diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md index 6671817c2f..77ff9cf298 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md @@ -27,7 +27,7 @@ Schedule Frequency This job group can be scheduled to run as desired. Throughout this document reference to executing a job refers to either manual execution or scheduled execution, according to the needs of the organization. See the -[Scheduling the Resource Based Groups Job Group](./overview#scheduling-the-resource-based-groups-job-group) +[Scheduling the Resource Based Groups Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview#scheduling-the-resource-based-groups-job-group) topic for additional information. History Retention 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroups.md b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroups.md index aa37220b5b..4a430ba2db 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroups.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroups.md @@ -56,12 +56,12 @@ host list at the job level to target only those servers. Additional Options **Step 8 –** (Optional) Create and apply permissions for traverse groups based on previous resource -based groups. See the [FS_TraverseGroups Job](fs_traversegroups.md) topic for additional +based groups. See the [FS_TraverseGroups Job](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md) topic for additional information. **Step 9 –** (Optional) Import resources and access groups from the FS_ResoureBasedGroup Job into the Netwrix Access Information Center. See the -[FS_ResourceBasedGroupAICImport Job](fs_resourcebasedgroupaicimport.md) topic for additional +[FS_ResourceBasedGroupAICImport Job](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md) topic for additional information. ## Model Intended Changes 
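Review bot: Step 9 in the `@@ -56,12 +56,12 @@` hunk still reads `FS_ResoureBasedGroup Job` (missing "c") on the context line directly above the link being rewritten. This hunk already touches that paragraph, so fix the job name in the same change and check it against the `FS_ResourceBasedGroups` spelling used in the navigation paths elsewhere in this file.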
@@ -76,7 +76,7 @@ for group permissions that should be configured and then reviewed in the Change View the analysis tasks by navigating to the **Jobs** > **FileSystem** > **ResourceBasedGroups** > **FS_ResourceBasedGroups** > **Configure** node and select **Analysis**. -![Analyze Group Permissions analysis task in the FS_ResourceBasedGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbganalysis.webp) +![Analyze Group Permissions analysis task in the FS_ResourceBasedGroups Job](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbganalysis.webp) - Analyze Group Permissions – Creates the FS_ResourceBasedGroups_NewACLs table accessible under the job’s Results node. @@ -85,7 +85,7 @@ View the analysis tasks by navigating to the **Jobs** > **FileSystem** > **Resou @naming_convention, @add_admin_groups, #folders, @activity_filter. Configure the following parameters. See the -[SQLscripting Analysis Module](../../../admin/analysis/sqlscripting.md) topic for additional +[SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) topic for additional information. | Analysis Task | Customizable Parameter Name | Default Value | Value Indicates | @@ -155,7 +155,7 @@ the same domain controller. View the action tasks by navigating to the **Jobs** > **FileSystem** > **Resourced Based Groups** > **FS_ResourceBasedGroups** > **Configure** node and select **Actions**. -![Active Directory Action Tasks](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbgactivedirectoryactions.webp) +![Active Directory Action Tasks](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbgactivedirectoryactions.webp) There are the following two Active Directory action tasks: 
@@ -181,7 +181,7 @@ Follow the steps to configure the Create Groups action task. **Step 3 –** In the Active Directory Action Module Wizard, navigate to the Create Groups page. -![AD Action Module Wizard Create Groups page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) +![AD Action Module Wizard Create Groups page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) **Step 4 –** In the OU box, select the OU where the groups will be created. @@ -205,7 +205,7 @@ Follow the steps to configure the Create Groups action task. **Step 3 –** In the Active Directory Action Module Wizard, navigate to the Group Membership page. -![AD Action Module Wizard Groups Membership page](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbggroupsmembership.webp) +![AD Action Module Wizard Groups Membership page](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbggroupsmembership.webp) **Step 4 –** On the Create Groups page, **Target Group by OU** is selected by default. In the OU box, select the target OU. @@ -256,7 +256,7 @@ Break Inheritance actions modules do not require any configuration. View the action tasks by navigating to the **Jobs** > **FileSystem** > **Resourced Based Groups** > **FS_ResourceBasedGroups** > **Configure** node and select **Actions**. -![File System action tasks](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbgfilesystemactions.webp) +![File System action tasks](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/rbgfilesystemactions.webp) There are the following two File System action tasks: 
diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md index 0ffcbbe031..6216c72a2b 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md @@ -5,7 +5,7 @@ on previous resource based groups. This job would be used in the case where the resource based groups permissions are applied is not the root share folder, or at the root of the share. This job prevents users from losing the ability to navigate through the directory structure if the folder is nested. The FS_TraverseGroups Job must be installed from the Instant Job library. -See the [Instant Job Wizard](../../../admin/jobs/instantjobs/./overview) topic for additional +See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview) topic for additional information. ## Recommended Configurations for the FS_TraverseGroups Job @@ -24,7 +24,7 @@ Schedule Frequency This job can be scheduled to run as desired. Throughout this document reference to executing a job refers to either manual execution or scheduled execution, according to the needs of the organization. See the -[Scheduling the Resource Based Groups Job Group](./overview#scheduling-the-resource-based-groups-job-group) +[Scheduling the Resource Based Groups Job Group](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview#scheduling-the-resource-based-groups-job-group) topic for additional information. History Retention 
@@ -83,7 +83,7 @@ was installed from the Instant Jobs library. Then go to the **FS_TraverseGroups* node and select **Analysis**. The Create Groups analysis task contains an analysis parameter that should be configured to set the naming convention for list groups. -![FS_TraverseGroups analysis tasks](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/traverseanalysis.webp) +![FS_TraverseGroups analysis tasks](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/traverseanalysis.webp) The job has the following analysis tasks: @@ -102,7 +102,7 @@ The job has the following analysis tasks: | Create Groups | @naming_convention | FS*[HostName]*[ShareName]\_[FolderName]\_List | Naming convention for list groups | For instructions on configuring analysis parameters, see the -[SQLscripting Analysis Module](../../../admin/analysis/sqlscripting.md) topic. +[SQLscripting Analysis Module](/docs/accessanalyzer/12.0/admin/analysis/sqlscripting.md) topic. ### Execute Analysis Tasks @@ -137,7 +137,7 @@ specify the OU for group creation. **_RECOMMENDED:_** It is recommended to execute the actions one at a time and in order as opposed to running the entire job group with the actions enabled. -![FS_TraverseGroups action tasks](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/traverseactions.webp) +![FS_TraverseGroups action tasks](/img/product_docs/accessanalyzer/solutions/filesystem/resourcebasedgroups/traverseactions.webp) There are the following action tasks: 
@@ -165,7 +165,7 @@ Follow the steps to configure the Create Groups action task. **Step 3 –** In the Active Directory Action Module Wizard, navigate to the Create Groups page. -![AD Action Module Wizard Create Groups page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) +![AD Action Module Wizard Create Groups page](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/creategroups.webp) **Step 4 –** In the OU box, select the OU where the groups will be created. diff --git a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md index 5717f0b51e..aec90ce431 100644 --- a/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/overview.md @@ -27,13 +27,13 @@ The **File System** > **Resource Based Groups** Job Group is a separately licens Access Analyzer File System solution set. Typically this job group is added during installation, but it can be installed from the Instant Job Wizard. -![Resource Based Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Resource Based Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **FileSystem** > **Resource Based Groups**. The FS_TraverseGroups Job and the FS_ResourceBasedGroupsAICImport Job must be installed from the -Instant Job library. See the [Instant Job Wizard](../../../admin/jobs/instantjobs/overview.md) topic +Instant Job library. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. ## Jobs 
@@ -41,16 +41,16 @@ for additional information. The Resource Based Groups Job Group will transform permissions on specified folders to a resource based groups model. -![Job Group Overview page](../../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Job Group Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The following jobs comprise the Resource Based Groups Job Group: -- [FS_ResourceBasedGroups Job](fs_resourcebasedgroups.md) – This job will transform permission on +- [FS_ResourceBasedGroups Job](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroups.md) – This job will transform permission on specified folders to a resource based groups model -- [FS_TraverseGroups Job](fs_traversegroups.md) – (Optional) This job can be used to create and +- [FS_TraverseGroups Job](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_traversegroups.md) – (Optional) This job can be used to create and apply permissions for traverse groups based on previous resource based groups. The FS_TraverseGroupsJob must be added from the Instant Job Library in order to be used. -- [FS_ResourceBasedGroupAICImport Job](fs_resourcebasedgroupaicimport.md) – (Optional) This job +- [FS_ResourceBasedGroupAICImport Job](/docs/accessanalyzer/12.0/solutions/filesystem/resourcebasedgroups/fs_resourcebasedgroupaicimport.md) – (Optional) This job imports resources and access groups from the FS_ResoureBasedGroup Job into the Netwrix Access Information Center. The FS_ResourceBasedGroupsAICImport Job must be added from the Instant Job Library to be used. 
@@ -85,7 +85,7 @@ Netwrix recommends that the job be run by a scheduled task with an unlimited tim job will not be aborted when an interactive session is ended due to logoff (a logoff based on inactivity is common in enterprise environments). Netwrix also recommends that the job only be scheduled for discrete one-time runs so that results may be reviewed after each execution. See the -[Schedule Jobs](../../../admin/schedule/overview.md#schedule-jobs) topic for additional information. +[Schedule Jobs](/docs/accessanalyzer/12.0/admin/schedule/overview.md#schedule-jobs) topic for additional information. Throughout this document reference to executing a job refers to either manual execution or scheduled execution, according to the needs of the organization. diff --git a/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md b/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md index 99283444f7..79a44c39df 100644 --- a/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md +++ b/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md @@ -11,7 +11,7 @@ The NIS Scan Job uses the NIS Data Collector for the following query: **CAUTION:** This query must be modified. See the [Configure the NIS Scan Query](#configure-the-nis-scan-query) topic for additional information. -![Query for the NIS Scan Job](../../../../../static/img/product_docs/accessanalyzer/solutions/nisinventory/nisscanquery.webp) +![Query for the NIS Scan Job](/img/product_docs/accessanalyzer/solutions/nisinventory/nisscanquery.webp) - Inventory Scan – Targets a NIS server to collect inventory data for user and group objects 
@@ -33,18 +33,18 @@ opens. **CAUTION:** Do not make changes to other wizard pages as they have been pre-configured for the purpose of this job. -![NIS Settings page](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![NIS Settings page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) **Step 4 –** On the NIS Settings page, enter the **NIS Domain Name** for the targeted NIS domain. This step is required prior to running this query. See the -[NIS: NIS Settings](../../admin/datacollector/nis/settings.md) topic for additional information. +[NIS: NIS Settings](/docs/accessanalyzer/12.0/admin/datacollector/nis/settings.md) topic for additional information. - Optional: Test the connection to the domain using the Sample NIS Server section of the page -![SID Mappings page](../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/nis/sidmappings.webp) +![SID Mappings page](/img/product_docs/accessanalyzer/admin/datacollector/nis/sidmappings.webp) **Step 5 –** On the SID Mappings page, you can add multiple SID mapping entries. See the -[NIS: SID Mappings](../../admin/datacollector/nis/sidmappings.md) topic for additional information. +[NIS: SID Mappings](/docs/accessanalyzer/12.0/admin/datacollector/nis/sidmappings.md) topic for additional information. **Step 6 –** Navigate to the Summary page. Click **Finish** to save any setting modifications or click **Cancel** if no changes were made. Then click **OK** to close the Query Properties window. 
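Review bot: the NIS Settings page screenshot in the `@@ -33,18 +33,18 @@` hunk of nis_scan.md resolves to `/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp`, an Activity Monitor Dell PowerScale path, while the SID Mappings image a few lines below lives under `accessanalyzer/admin/datacollector/nis/`. The rewrite preserves the old target faithfully, but it looks like the wrong image for Step 4. Please verify what that file shows and point to an NIS-specific screenshot if one exists.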
@@ -59,7 +59,7 @@ and select **Analysis**. **CAUTION:** Most of these analysis tasks are preconfigured and should not be modified or deselected. There is one that is deselected by default, as it is for troubleshooting purposes. -![Analysis Tasks for the NIS Scan Job](../../../../../static/img/product_docs/accessanalyzer/solutions/nisinventory/nisscananalysis.webp) +![Analysis Tasks for the NIS Scan Job](/img/product_docs/accessanalyzer/solutions/nisinventory/nisscananalysis.webp) The following analysis tasks are selected by default: diff --git a/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md b/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md index b5d4c8a797..05b8519649 100644 --- a/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md +++ b/docs/accessanalyzer/12.0/solutions/nisinventory/overview.md @@ -24,7 +24,7 @@ Location The .NIS Inventory Solution is a core component of all Access Analyzer installations. It can be installed from the Access Analyzer Instant Job Wizard.. -![.NIS Inventory Solution in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![.NIS Inventory Solution in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Once it has been installed into the Jobs tree, navigate to the solution: **Jobs** > **.NIS Inventory**. This group has been named in such a way to keep it at the top of the Jobs tree. 
@@ -34,9 +34,9 @@ Inventory**. This group has been named in such a way to keep it at the top of th The .NIS Inventory Solution contains a single job. This job is configured to use the NIS Data Collector and then runs analysis on the collected data. -![.NIS Inventory Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![.NIS Inventory Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The following job comprises the .NIS Inventory job group: -- [NIS Scan Job](nis_scan.md) – Provides essential user and group membership details to built-in +- [NIS Scan Job](/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md) – Provides essential user and group membership details to built-in solution sets diff --git a/docs/accessanalyzer/12.0/solutions/nisinventory/recommended.md b/docs/accessanalyzer/12.0/solutions/nisinventory/recommended.md index a995bf5e47..5aaca035b4 100644 --- a/docs/accessanalyzer/12.0/solutions/nisinventory/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/nisinventory/recommended.md @@ -12,7 +12,7 @@ Targeted Hosts The host list assignment should be assigned under the **.NIS Inventory** > **NIS Scan** > **Hosts** node. Select the custom host list containing the NIS servers or manually add the host in the **Individual hosts** section. See the -[Unix Connection Profile & Host List](../../admin/datacollector/nis/configurejob.md) topic for +[Unix Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md) topic for additional information. Connection Profile 
@@ -22,7 +22,7 @@ Properties** window on the **Connection** tab. It is set to **Use the Default Pr configured at the global settings level. However, if this is not the Connection Profile with the necessary permissions for targeting the NIS servers, select the **Select one of the following user defined profiles** option and select the appropriate Connection Profile. See the -[Unix Connection Profile & Host List](../../admin/datacollector/nis/configurejob.md) topic for +[Unix Connection Profile & Host List](/docs/accessanalyzer/12.0/admin/datacollector/nis/configurejob.md) topic for additional information. Schedule Frequency @@ -39,7 +39,7 @@ Query Configuration The solution requires the NIS domain to be configured in the **Inventory Scan** query. Navigate to the **NIS Settings** page of the NIS Data Collector Wizard. Optionally, modifications can be made -for SID mappings within the **NIS Scan** job. See the [NIS Scan Job](nis_scan.md) topic for +for SID mappings within the **NIS Scan** job. See the [NIS Scan Job](/docs/accessanalyzer/12.0/solutions/nisinventory/nis_scan.md) topic for additional information. Analysis Configuration diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/overview.md index d57df12814..d50240fb41 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/overview.md 
@@ -3,13 +3,13 @@ This group will highlight deletions, group membership changes, permission changes, and activity around sensitive data. -![Forensics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/activity/forensics/forensicsjobstree.webp) +![Forensics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/activity/forensics/forensicsjobstree.webp) The jobs in the Forensics Job Group are: -- [SP_Deletions Job](sp_deletions.md) – Identifies SharePoint deletion events which have occurred +- [SP_Deletions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_deletions.md) – Identifies SharePoint deletion events which have occurred over the past 30 days -- [SP_PermissionChanges Job](sp_permissionchanges.md) – Identifies permission changes which have +- [SP_PermissionChanges Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_permissionchanges.md) – Identifies permission changes which have been performed on all monitored SharePoint sites over the past 30 days -- [SP_SensitiveDataActivity Job](sp_sensitivedataactivity.md) – Highlights user activity involving +- [SP_SensitiveDataActivity Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_sensitivedataactivity.md) – Highlights user activity involving sensitive data and provides details on who is interacting with your environments sensitive content diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_deletions.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_deletions.md index c3e322918b..ba9b230b5c 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_deletions.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_deletions.md 
@@ -10,7 +10,7 @@ Navigate to the **Jobs** > **SharePoint** > **7.Activity** > **Forensics** > **S **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_Deletions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) +![Analysis Tasks for the SP_Deletions Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/deletionsanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_permissionchanges.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_permissionchanges.md index f34f5242bd..7519350feb 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_permissionchanges.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_permissionchanges.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **SharePoint** > **7.Activity** > **Forensics** > **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_PermissionChanges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) +![Analysis Tasks for the SP_PermissionChanges Job](/img/product_docs/accessanalyzer/solutions/box/activity/forensics/permissionchangesanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_sensitivedataactivity.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_sensitivedataactivity.md index 57c02c1a4a..66e084bd2b 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_sensitivedataactivity.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/sp_sensitivedataactivity.md 
@@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_SensitiveDataActivity Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/sensitivedataactivityanalysis.webp) +![Analysis Tasks for the SP_SensitiveDataActivity Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/suspiciousactivity/sensitivedataactivityanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md index 6fa2455a79..814f5f04e8 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md 
@@ -4,11 +4,11 @@ The 7.Activity job group generates summary and detail reports of SharePoint acti specified sites. These reports can be used for identifying file, folder, and user related activity across your SharePoint environment. -![7.Activity Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![7.Activity Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The job groups in the 7.Activity Job Group are: -- [Forensics Job Group](forensics/overview.md) – Highlights deletions, group membership changes, +- [Forensics Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/forensics/overview.md) – Highlights deletions, group membership changes, permission changes, and activity around sensitive data -- [Usage Statistics Job Group](usagestatistics/overview.md)– Identifies long term trends of activity +- [Usage Statistics Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/overview.md)– Identifies long term trends of activity across your SharePoint environment highlighting most active sites and users as well as stale users diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/overview.md index 31e1ee9cd7..a9f8159a43 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/overview.md 
@@ -3,14 +3,14 @@ The Usage Statistics job group identifies long term trends of activity across your SharePoint environment highlighting most active sites and users as well as stale sites. -![Usage Statistics Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/usagestatisticsjobstree.webp) +![Usage Statistics Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/usagestatisticsjobstree.webp) The jobs in the Usage Statistics Job Group are: -- [SP_InactiveSites Job](sp_inactivesites.md) – Highlights your environments least active Sites or +- [SP_InactiveSites Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_inactivesites.md) – Highlights your environments least active Sites or Site Collections -- [SP_MostActiveSites Job](sp_mostactivesites.md) – Identifies the top five most active sites +- [SP_MostActiveSites Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactivesites.md) – Identifies the top five most active sites monitored by Access Analyzer -- [SP_MostActiveUsers Job](sp_mostactiveusers.md) – Identifies the most active users from the last +- [SP_MostActiveUsers Job](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactiveusers.md) – Identifies the most active users from the last 30 days on all monitored SharePoint servers with a view of Reads, Updates, Deletes, and Permission changes performed by a user diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_inactivesites.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_inactivesites.md index e6666aad2a..11e20bca67 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_inactivesites.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_inactivesites.md 
@@ -10,7 +10,7 @@ Navigate to the **Jobs** > **SharePoint** > **7.Activity** > **Usage Statistics* **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_InactiveSites Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/inactivesitesanalysis.webp) +![Analysis Tasks for the SP_InactiveSites Job](/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/inactivesitesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactivesites.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactivesites.md index dcfa5e0ff3..f41c577065 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactivesites.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactivesites.md @@ -10,7 +10,7 @@ Navigate to the **Jobs** > **SharePoint** > **7.Activity** > **Usage Statistics* **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_MostActiveSites Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/mostactivesitesanalysis.webp) +![Analysis Tasks for the SP_MostActiveSites Job](/img/product_docs/accessanalyzer/solutions/sharepoint/activity/usagestatistics/mostactivesitesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactiveusers.md b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactiveusers.md index 18dc15e045..967a30fb1b 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactiveusers.md 
+++ b/docs/accessanalyzer/12.0/solutions/sharepoint/activity/usagestatistics/sp_mostactiveusers.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **SharePoint** > **7.Activity** > **Usage Statistics* **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_MostActiveUsers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveusersanalysis.webp) +![Analysis Tasks for the SP_MostActiveUsers Job](/img/product_docs/accessanalyzer/solutions/filesystem/activity/usagestatistics/mostactiveusersanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md index 0b849dfabb..c3bab885a8 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md @@ -7,7 +7,7 @@ information regarding sensitive content that exists within SharePoint. The 1-SPSEEK SystemScans Job uses the SharePoint Access Data Collector for the following query: -![The query for the 1-SPSEEK SystemScans Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseeksystemscansquery.webp) +![The query for the 1-SPSEEK SystemScans Job](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseeksystemscansquery.webp) The query for the 1-SPSEEK SystemScans Job is: 
@@ -34,35 +34,35 @@ displays. **Step 3 –** Select the **Data Source** tab, and click **Configure**. -![SharePoint Data Collection Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/datacollectionsettingsspseek.webp) +![SharePoint Data Collection Settings](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/datacollectionsettingsspseek.webp) **Step 4 –** On the -[SPAA: SharePoint Data Collection Settings](../../../admin/datacollector/spaa/settings.md) page, +[SPAA: SharePoint Data Collection Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md) page, customize as desired and click **Next**. -![Scan Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) +![Scan Scoping Options](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) **Step 5 –** On the -[SPAA: Scan Scoping Options](../../../admin/datacollector/spaa/scanscopingoptions.md) page, no web +[SPAA: Scan Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md) page, no web applications or site collections have been added. If desired, limit the scope of the scan to specific web applications or site collections. Click **Next**. -![Additional Scoping](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/additionalscopingspseek.webp) +![Additional Scoping](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/additionalscopingspseek.webp) **Step 6 –** On the -[SPAA: Additional Scoping](../../../admin/datacollector/spaa/additionalscoping.md) page, **Limit +[SPAA: Additional Scoping](/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md) page, **Limit scanned depth to:** is selected with the default set at **2** levels. Customize this setting as desired and click **Next**. 
-![Agent Settings](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) +![Agent Settings](/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) -**Step 7 –** On the [SPAA: Agent Settings](../../../admin/datacollector/spaa/agentsettings.md) page, +**Step 7 –** On the [SPAA: Agent Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md) page, use the default settings unless an agent scan mode is desired. Click **Next**. -![DLP Audit Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/dlpauditsettingsspseek.webp) +![DLP Audit Settings](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/dlpauditsettingsspseek.webp) **Step 8 –** On the -[SPAA: DLP Audit Settings](../../../admin/datacollector/spaa/dlpauditsettings.md) page, the default +[SPAA: DLP Audit Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/dlpauditsettings.md) page, the default setting is to **Don’t process files larger than: 2 MB** and to **Scan typical documents (recommended, fastest)**. These settings can be customized to adjust for scan time or database size. Click **Next**. 
@@ -72,13 +72,13 @@ Click **Next**. .sty, .wps, .wpt, .yml, .tex, .pdf, .csv, .xlr, .xls, .xlsx, .gsheet, .nb, .numbers, .ods, .qpw, .sdc, .wks, .xlsb, .xltm, .xltx, .aws, .fods, .ots, .rdf, .sxc, .uos, .xlsm, .txt -![Select DLP Criteria Page of the SPAA Data Collector Wizard](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/selectdlpcriteriaspseek.webp) +![Select DLP Criteria Page of the SPAA Data Collector Wizard](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/selectdlpcriteriaspseek.webp) **Step 9 –** On the -[SPAA: Select DLP Criteria](../../../admin/datacollector/spaa/selectdlpcriteria.md) page, add or +[SPAA: Select DLP Criteria](/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md) page, add or remove criteria as desired by either manually selecting criteria or using the **Select All** and **Clear All** buttons. Click **Next**. _(Optional)_ To create custom criteria, see the -[Sensitive Data Criteria Editor](../../../sensitivedatadiscovery/criteriaeditor/overview.md) topic +[Sensitive Data Criteria Editor](/docs/accessanalyzer/12.0/sensitivedatadiscovery/criteriaeditor/overview.md) topic for additional information. **CAUTION:** Do not configure the options on the Results page. diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md index a7669e47e8..e67875f658 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md 
@@ -7,7 +7,7 @@ structural level in the SharePoint farm. The 2-SPAA_SystemScans Job uses the SharePoint Access Data Collector for the following query: -![Query Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaasystemscansquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaasystemscansquery.webp) The query for the 2-SPAA_SystemScans Job is: 
@@ -34,29 +34,29 @@ displays. **Step 3 –** Select the **Data Source** tab, and click **Configure**. -![SharePoint Data Collection Settings](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/datacollectionsettingsspaa.webp) +![SharePoint Data Collection Settings](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/datacollectionsettingsspaa.webp) **Step 4 –** On the -[SPAA: SharePoint Data Collection Settings](../../../admin/datacollector/spaa/settings.md) page, +[SPAA: SharePoint Data Collection Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/settings.md) page, customize as desired and click **Next**. -![Scan Scoping Options](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) +![Scan Scoping Options](/img/product_docs/accessanalyzer/admin/datacollector/spaa/scanscopingoptions.webp) **Step 5 –** On the -[SPAA: Scan Scoping Options](../../../admin/datacollector/spaa/scanscopingoptions.md) page, no web +[SPAA: Scan Scoping Options](/docs/accessanalyzer/12.0/admin/datacollector/spaa/scanscopingoptions.md) page, no web applications or site collections have been added. If desired, limit the scope of the scan to specific web applications or site collections. Click **Next**. -![Additional Scoping](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/additionalscopingspaa.webp) +![Additional Scoping](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/additionalscopingspaa.webp) **Step 6 –** On the -[SPAA: Additional Scoping](../../../admin/datacollector/spaa/additionalscoping.md) page, **Limit +[SPAA: Additional Scoping](/docs/accessanalyzer/12.0/admin/datacollector/spaa/additionalscoping.md) page, **Limit scanned depth to:** is selected with the default set at **2** levels. Customize this setting as desired and click **Next**. 
-![Agent Settings](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) +![Agent Settings](/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) -**Step 7 –** On the [SPAA: Agent Settings](../../../admin/datacollector/spaa/agentsettings.md) page, +**Step 7 –** On the [SPAA: Agent Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/agentsettings.md) page, use the default settings unless an agent scan mode is desired. Click **Next**. **CAUTION:** Do not configure the options on the Results page. diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md index 2183022d0f..e43ab28dea 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md @@ -11,7 +11,7 @@ Access Auditor Data Collector Wizard when opened from within this job. **CAUTION:** Do not modify the query. The query is preconfigured for this job. -![Query Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacsystemscansquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacsystemscansquery.webp) The query for the 3-SPAC_SystemScans Job is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md index d9560884b8..b50e951a21 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md 
@@ -7,7 +7,7 @@ SQL Server where Access Analyzer stores data. The 4-SPSEEK Bulk Import Job uses the SharePoint Access Data Collector for the following query: -![Query Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseekbulkimportquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseekbulkimportquery.webp) The query for the 4-SPSEEK Bulk Import Job is: @@ -28,10 +28,10 @@ displays. **Step 3 –** Select the **Data Source** tab, and click **Configure**. -![Bulk Import Settings](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) +![Bulk Import Settings](/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) **Step 4 –** On the -[SPAA: Bulk Import Settings](../../../admin/datacollector/spaa/bulkimportsettings.md) page, the +[SPAA: Bulk Import Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md) page, the **Set Host Identifier** is not configured by default. Click **Next**. **NOTE:** Unless SQL Server Replication is used, it should not be necessary to adjust the **Host @@ -54,7 +54,7 @@ Navigate to the **Jobs** > **SharePoint** > **0.Collection** > **4-SPSEEK_BulkIm **CAUTION:** The analysis tasks are preconfigured for this job. Never modify or deselect the selected analysis tasks. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseekbulkimportanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spseekbulkimportanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md index fccab76981..f06caa8e27 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md 
+++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md @@ -7,7 +7,7 @@ Access Analyzer SQL database. The 5-SPAA_BulkImport Job uses the SharePoint Access Data Collector for the following query: -![spaabulkimportquery](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaabulkimportquery.webp) +![spaabulkimportquery](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaabulkimportquery.webp) The query for the 5-SPAA_BulkImport Job is: @@ -28,10 +28,10 @@ displays. **Step 3 –** Select the **Data Source** tab, and click **Configure**. -![Bulk Import Settings](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) +![Bulk Import Settings](/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) **Step 4 –** On the -[SPAA: Bulk Import Settings](../../../admin/datacollector/spaa/bulkimportsettings.md) page, the +[SPAA: Bulk Import Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md) page, the **Set Host Identifier** is not configured by default. Click **Next**. **NOTE:** Unless SQL Server Replication is used, it should not be necessary to adjust the **Host @@ -54,7 +54,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** The analysis tasks are preconfigured for this job. Never modify or deselect the selected analysis tasks. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaabulkimportanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaabulkimportanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md index 69f6d4e28c..b2a549e229 100644 
--- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md @@ -7,7 +7,7 @@ Access Analyzer SQL database. The 6-SPAC_BulkImport Job uses the SharePoint Access Data Collector for the following query: -![Query Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacbulkimportquery.webp) +![Query Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacbulkimportquery.webp) The query for the 6-SPAC_BulkImport Job is: @@ -28,10 +28,10 @@ displays. **Step 3 –** Select the **Data Source** tab, and click **Configure**. -![Bulk Import Settings](../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) +![Bulk Import Settings](/img/product_docs/accessanalyzer/admin/datacollector/spaa/bulkimportsettings.webp) **Step 4 –** On the -[SPAA: Bulk Import Settings](../../../admin/datacollector/spaa/bulkimportsettings.md) page, the +[SPAA: Bulk Import Settings](/docs/accessanalyzer/12.0/admin/datacollector/spaa/bulkimportsettings.md) page, the **Set Host Identifier** is not configured by default. Click **Next**. **NOTE:** Unless SQL Server Replication is used, it should not be necessary to adjust the **Host @@ -54,7 +54,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** The analysis tasks are preconfigured for this job. Never modify or deselect the selected analysis tasks. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacbulkimportanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spacbulkimportanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md index 0e5d329d05..c1c13aec83 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md @@ -7,7 +7,7 @@ summary of SharePoint exceptions per host. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The 7-SPAA_Exceptions page has the following configurable parameters: @@ -31,7 +31,7 @@ returned by the 2-SPAA_BulkImport Job. View the analysis tasks by navigating to **CAUTION:** The analysis tasks are preconfigured for this job. Never modify or deselect the selected analysis tasks. -![Analysis Selection](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaaexceptionsanalysis.webp) +![Analysis Selection](/img/product_docs/accessanalyzer/solutions/sharepoint/collection/spaaexceptionsanalysis.webp) The default analysis tasks are: @@ -58,5 +58,5 @@ The default values for customizable parameters are: | Open resources | #opengroups | Empty | Groups must be entered exactly as they are listed in SA_SPAA_Trustees. Copy and paste the Group name as it appears in the Name Column. | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) for additional information. 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md index 9aed97d53e..8dbd1400a7 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md 
@@ -4,24 +4,24 @@ The **SharePoint** > **0.Collection** Job Group is designed to collect informati farms using the SPAA Data Collector. The collected data is then available to other SharePoint Solution sub-job groups and the Access Information Center for analysis. -![0.Collection Job Group](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![0.Collection Job Group](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 0.Collection Job Group are: -- [1-SPSEEK_SystemScans Job](1-spseek_systemscans.md) – Responsible for building the Tier2 SPDLP +- [1-SPSEEK_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md) – Responsible for building the Tier2 SPDLP database repositories, which contain information regarding sensitive content that exists within SharePoint -- [2-SPAA_SystemScans Job](2-spaa_systemscans.md) – Collects information on permissions, users, and +- [2-SPAA_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md) – Collects information on permissions, users, and groups to determine who has access to each structural level in the SharePoint farm -- [3-SPAC_SystemScans Job](3-spac_systemscans.md) – Collects information on activity, users, and +- [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md) – Collects information on activity, users, and groups to determine who has performed activity in each structural level in the SharePoint farm -- [4-SPSEEK_BulkImport Job](4-spseek_bulkimport.md) – Responsible for retrieving the Tier 2 SPDLP +- [4-SPSEEK_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md) – Responsible for retrieving the Tier 2 SPDLP database information and importing it to the SQL Server where Access Analyzer stores data -- [5-SPAA_BulkImport Job](5-spaa_bulkimport.md) – Responsible for 
retrieving the SPAA Tier 2 +- [5-SPAA_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md) – Responsible for retrieving the SPAA Tier 2 Database information and importing it to the Access Analyzer SQL database -- [6-SPAC_BulkImport Job](6-spac_bulkimport.md) – Responsible for retrieving the SPAC Tier 2 +- [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md) – Responsible for retrieving the SPAC Tier 2 Database information and importing it to the Access Analyzer SQL database -- [7-SPAA_Exceptions Job](7-spaa_exceptions.md) – Searches scanned data for resources that match +- [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md) – Searches scanned data for resources that match high risk conditions, retrieving a summary of SharePoint exceptions per host Additionally, the jobs in the 0.Collection Job Group are organized into the following collection 
@@ -69,54 +69,54 @@ information on permissions, users, and groups to determine who has access to eac in the SharePoint farm, on-premises and online, using the SPAA Data Collector. The jobs, tables, and views specifically incorporated into this component are prefaced with `SPAA`. See the SharePointAccess Data Collector -[Standard Reference Tables & Views for the SPAA Data Collector](../../../admin/datacollector/spaa/standardtables.md) +[Standard Reference Tables & Views for the SPAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/spaa/standardtables.md) topic for additional information on the data collected. The 0.Collection jobs that comprise this auditing component are: -- [2-SPAA_SystemScans Job](2-spaa_systemscans.md) – Collects information on permissions, users, and +- [2-SPAA_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md) – Collects information on permissions, users, and groups to determine who has access to each structural level in the SharePoint farm -- [5-SPAA_BulkImport Job](5-spaa_bulkimport.md) – Responsible for retrieving the SPAA tier 2 +- [5-SPAA_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md) – Responsible for retrieving the SPAA tier 2 database information and import it to the Access Analyzer SQL database -- [7-SPAA_Exceptions Job](7-spaa_exceptions.md) – Searches scanned data for resources that match +- [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md) – Searches scanned data for resources that match high risk conditions, retrieving a summary of SharePoint exceptions per host The following job groups and jobs in the SharePoint Solution depend on data collected by these jobs to generate reports: -- [1.Direct Permissions Job Group](../directpermissions/overview.md) -- [2.High Risk Sites > SP_OpenAccess Job](../sp_openaccess.md) -- [3.Broken Inheritance > SP_BrokenInheritance 
Job](../sp_brokeninheritance.md) -- [4.Content Job Group](../content/overview.md) -- [Effective Access Audits Job Group](../effectiveaccessaudits/overview.md) -- [5.Probable Owner > SP_ProbableOwner Job](../sp_probableowner.md) -- [SP_Overview Job](../sp_overview.md) +- [1.Direct Permissions Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md) +- [2.High Risk Sites > SP_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md) +- [3.Broken Inheritance > SP_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md) +- [4.Content Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md) +- [Effective Access Audits Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md) +- [5.Probable Owner > SP_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md) +- [SP_Overview Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md) The SharePoint Sensitive Data Discovery Reports in the Access Information Center are also populated by this data. See the SharePoint Reports topics in the [Netwrix Access Information Center Documentation](https://helpcenter.netwrix.com/category/accessinformationcenter) for additional information. -See the [Recommended Configuration for the SharePoint Solution](../recommended.md) topic for other +See the [Recommended Configuration for the SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md) topic for other Runtime Details. Workflow -**Step 1 –** Run [2-SPAA_SystemScans Job](2-spaa_systemscans.md). +**Step 1 –** Run [2-SPAA_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md). -**Step 2 –** Run [5-SPAA_BulkImport Job](5-spaa_bulkimport.md). +**Step 2 –** Run [5-SPAA_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md). 
-**Step 3 –** Run [7-SPAA_Exceptions Job](7-spaa_exceptions.md). +**Step 3 –** Run [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md). **Step 4 –** Run desired corresponding analysis and reporting sub-job groups. -Please see the [Recommended Configuration for the SharePoint Solution](../recommended.md) topic +Please see the [Recommended Configuration for the SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md) topic before continuing with this workflow. **_RECOMMENDED:_** Scope the 0.Collection Job Group to only include the collection components desired by disabling the undesired collection jobs. Disabling them allows the solution to run more efficiently. It is not recommended to delete any jobs. See the -[Disable or Enable a Job](../../../admin/jobs/job/disableenable.md) topic for additional +[Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for additional information. ## SharePoint Activity Auditing @@ -125,7 +125,7 @@ Activity Auditing (SPAC) is the component of the 0.Collection Job Group that col activity, users, and groups to determine who has performed activity in each structural level in the SharePoint on-premises farm, or SharePoint online tenant, using the SPAA Data Collector. The jobs and tables specifically incorporated into this component are prefaced with SPAC. See the -[Standard Reference Tables & Views for the SPAA Data Collector](../../../admin/datacollector/spaa/standardtables.md) +[Standard Reference Tables & Views for the SPAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/spaa/standardtables.md) topic for additional information on the data collected. The Access Auditing components must be run in order to create the tables in the database for the 
@@ -137,12 +137,12 @@ Scan and Bulk Import jobs as needed. The 0.Collection jobs that comprise this auditing component are: -- [3-SPAC_SystemScans Job](3-spac_systemscans.md) – Collects information on activity, users, and +- [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md) – Collects information on activity, users, and groups to determine who has perform activity in each structural level in the SharePoint farm -- [6-SPAC_BulkImport Job](6-spac_bulkimport.md) – Responsible for retrieving the SPAC tier 2 +- [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md) – Responsible for retrieving the SPAC tier 2 database information and import it to the Access Analyzer SQL data base -The [SP_Overview Job](../sp_overview.md) and [7.Activity Job Group](../activity/overview.md) in the +The [SP_Overview Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md) and [7.Activity Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md) in the SharePoint Solution uses the data collected by these jobs to generate reports. The SharePoint Activity Reports in the Access Information Center are also populated by this data. 
@@ -152,15 +152,15 @@ for additional information. Recommended Workflow 1 (for Access & Activity Auditing) -**Step 1 –** Run [2-SPAA_SystemScans Job](2-spaa_systemscans.md). +**Step 1 –** Run [2-SPAA_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/2-spaa_systemscans.md). -**Step 2 –** Run [3-SPAC_SystemScans Job](3-spac_systemscans.md). +**Step 2 –** Run [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md). -**Step 3 –** Run [5-SPAA_BulkImport Job](5-spaa_bulkimport.md). +**Step 3 –** Run [5-SPAA_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/5-spaa_bulkimport.md). -**Step 4 –** Run [6-SPAC_BulkImport Job](6-spac_bulkimport.md). +**Step 4 –** Run [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md). -**Step 5 –** Run [7-SPAA_Exceptions Job](7-spaa_exceptions.md). +**Step 5 –** Run [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md). **Step 6 –** Run desired corresponding analysis and reporting sub-job groups. 
@@ -174,15 +174,15 @@ Recommended Workflow 2 (for Access, Sensitive Data Discovery & Activity Auditing 1-SPAA_SystemScan and 2-SPAA_BulkImport jobs and run the 0.Collection Job Group because the remaining jobs are in the wrong order. Renaming the jobs is not an option. -**Step 1 –** Run [1-SPSEEK_SystemScans Job](1-spseek_systemscans.md). +**Step 1 –** Run [1-SPSEEK_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md). -**Step 2 –** Run [3-SPAC_SystemScans Job](3-spac_systemscans.md). +**Step 2 –** Run [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md). -**Step 3 –** Run [4-SPSEEK_BulkImport Job](4-spseek_bulkimport.md). +**Step 3 –** Run [4-SPSEEK_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md). -**Step 4 –** Run [6-SPAC_BulkImport Job](6-spac_bulkimport.md). +**Step 4 –** Run [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md). -**Step 5 –** Run [7-SPAA_Exceptions Job](7-spaa_exceptions.md). +**Step 5 –** Run [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md). **Step 6 –** Run desired corresponding analysis and reporting sub-job groups. 
@@ -192,19 +192,19 @@ concurrently with the SPAC Scans and the Bulk Import jobs as desired. Optional Workflow (for Activity Auditing Only) -**Step 1 –** Run [3-SPAC_SystemScans Job](3-spac_systemscans.md). +**Step 1 –** Run [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md). -**Step 2 –** Run [6-SPAC_BulkImport Job](6-spac_bulkimport.md). +**Step 2 –** Run [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md). **Step 3 –** Run desired corresponding analysis and reporting sub-job groups. -**NOTE:** Please see the [Recommended Configuration for the SharePoint Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md) topic before continuing with this workflow. **_RECOMMENDED:_** Scope the 0.Collection Job Group to only include the collection components desired by disabling the undesired collection jobs. Disabling them allows the solution to run more efficiently. It is not recommended to delete any jobs. See the -[Disable or Enable a Job](../../../admin/jobs/job/disableenable.md) topic for additional +[Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for additional information. ## SharePoint Sensitive Data Discovery Auditing (SEEK) 
@@ -214,36 +214,36 @@ searches file content for sensitive data. It also collects information on permis groups to determine who has access to each structural level in the SharePoint farm, on-premises and online, using the SPAA Data Collector. The jobs for this component are prefaced with `SPSEEK`. The tables and views are prefaced with `SPDLP`. See the -[SharePoint Sensitive Data Discovery Auditing Tables & Views](../../../admin/datacollector/spaa/standardtables.md) +[SharePoint Sensitive Data Discovery Auditing Tables & Views](/docs/accessanalyzer/12.0/admin/datacollector/spaa/standardtables.md) topic for additional information on the data collected. Customized search criteria can be created with the Criteria Editor accessible through the -[SPAA: Select DLP Criteria](../../../admin/datacollector/spaa/selectdlpcriteria.md) page of the +[SPAA: Select DLP Criteria](/docs/accessanalyzer/12.0/admin/datacollector/spaa/selectdlpcriteria.md) page of the SharePoint Access Auditor Data Collector Wizard. See the -[Sensitive Data](../../../admin/settings/sensitivedata/overview.md) topic for additional +[Sensitive Data](/docs/accessanalyzer/12.0/admin/settings/sensitivedata/overview.md) topic for additional information. 
The 0.Collection jobs that comprise this auditing component are: -- [1-SPSEEK_SystemScans Job](1-spseek_systemscans.md) – Responsible for building the Tier2 SPDLP +- [1-SPSEEK_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md) – Responsible for building the Tier2 SPDLP database repositories, which contain information regarding sensitive content that exists within SharePoint -- [4-SPSEEK_BulkImport Job](4-spseek_bulkimport.md) – Responsible for retrieving the Tier 2 SPDLP +- [4-SPSEEK_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md) – Responsible for retrieving the Tier 2 SPDLP database information and importing it to the SQL Server where Access Analyzer stores data -- [7-SPAA_Exceptions Job](7-spaa_exceptions.md) – Searches scanned data for resources that match +- [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md) – Searches scanned data for resources that match high risk conditions, retrieving a summary of SharePoint exceptions per host The following job groups and jobs in the SharePoint Solution depend on data collected by these jobs to generate reports: -- [1.Direct Permissions Job Group](../directpermissions/overview.md) -- [2.High Risk Sites > SP_OpenAccess Job](../sp_openaccess.md) -- [3.Broken Inheritance > SP_BrokenInheritance Job](../sp_brokeninheritance.md) -- [4.Content Job Group](../content/overview.md) -- [Effective Access Audits Job Group](../effectiveaccessaudits/overview.md) -- [5.Probable Owner > SP_ProbableOwner Job](../sp_probableowner.md) -- [6.Sensitive Data > SP_SensitiveData Job](../sp_sensitivedata.md) -- [SP_Overview Job](../sp_overview.md) +- [1.Direct Permissions Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md) +- [2.High Risk Sites > SP_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md) +- [3.Broken Inheritance > 
SP_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md) +- [4.Content Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md) +- [Effective Access Audits Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md) +- [5.Probable Owner > SP_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md) +- [6.Sensitive Data > SP_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md) +- [SP_Overview Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md) The SharePoint Sensitive Data Discovery Reports in the Access Information Center are also populated by this data. See the @@ -252,11 +252,11 @@ for additional information. Recommended Workflow 1 (for Access & Sensitive Data Discovery Auditing) -**Step 1 –** Run [1-SPSEEK_SystemScans Job](1-spseek_systemscans.md). +**Step 1 –** Run [1-SPSEEK_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md). -**Step 2 –** Run [4-SPSEEK_BulkImport Job](4-spseek_bulkimport.md). +**Step 2 –** Run [4-SPSEEK_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md). -**Step 3 –** Run [7-SPAA_Exceptions Job](7-spaa_exceptions.md). +**Step 3 –** Run [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md). **Step 4 –** Run desired corresponding analysis and reporting sub-job groups. 
@@ -266,15 +266,15 @@ Recommended Workflow 2 (for Access, Sensitive Data Discovery & Activity Auditing 2-SPAA_SystemScan and 5-SPAA_BulkImport jobs and run the 0.Collection Job Group because the remaining jobs are in the wrong order. Renaming the jobs is not an option. -**Step 1 –** Run [1-SPSEEK_SystemScans Job](1-spseek_systemscans.md). +**Step 1 –** Run [1-SPSEEK_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/1-spseek_systemscans.md). -**Step 2 –** Run [3-SPAC_SystemScans Job](3-spac_systemscans.md). +**Step 2 –** Run [3-SPAC_SystemScans Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/3-spac_systemscans.md). -**Step 3 –** Run [4-SPSEEK_BulkImport Job](4-spseek_bulkimport.md). +**Step 3 –** Run [4-SPSEEK_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/4-spseek_bulkimport.md). -**Step 4 –** Run [6-SPAC_BulkImport Job](6-spac_bulkimport.md). +**Step 4 –** Run [6-SPAC_BulkImport Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/6-spac_bulkimport.md). -**Step 5 –** Run [7-SPAA_Exceptions Job](7-spaa_exceptions.md). +**Step 5 –** Run [7-SPAA_Exceptions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/7-spaa_exceptions.md). **Step 6 –** Run desired corresponding analysis and reporting sub-job groups. 
@@ -282,11 +282,11 @@ remaining jobs are in the wrong order. Renaming the jobs is not an option. corresponding 4-SPSEEK Bulk Import job have been run, then the SPSEEK Scans can be run concurrently with the SPAC Scans and the Bulk Import jobs as desired. -**NOTE:** Please see the [Recommended Configuration for the SharePoint Solution](../recommended.md) +**NOTE:** Please see the [Recommended Configuration for the SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md) topic before continuing with this workflow. **_RECOMMENDED:_** Scope the 0.Collection Job Group to only include the collection components desired by disabling the undesired collection jobs. Disabling them allows the solution to run more efficiently. It is not recommended to delete any jobs. See the -[Disable or Enable a Job](../../../admin/jobs/job/disableenable.md) topic for additional +[Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md index 8382d498ef..6afec7d324 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md 
@@ -6,15 +6,15 @@ space, the content that has not been accessed for extended periods of time, and describing SharePoint content and the configuration of the repositories such as lists and libraries which store that content. -![4.Content Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/content/contentjobstree.webp) +![4.Content Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/content/contentjobstree.webp) The 4.Content Job Group is comprised of: -- [SP_LargestFiles Job](sp_largestfiles.md) – Identifies the largest files across SharePoint farms. +- [SP_LargestFiles Job](/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_largestfiles.md) – Identifies the largest files across SharePoint farms. Changes to a document or its metadata create new versions that result in added storage. It is therefore important to manage file size and control versioning. Report includes file names, URLs, total file size, versions, and version size, along with file owner and file editor information. -- [SP_StaleFiles Job](sp_stalefiles.md) – Identifies files that have been modified in at least a +- [SP_StaleFiles Job](/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_stalefiles.md) – Identifies files that have been modified in at least a year across SharePoint farms. This aids administrators and users in cleaning up or archiving old and unchanged files to help maintain a clean and healthy SharePoint environment. Report includes files, their last modified time, total file size, versions and version size, along with file owner diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_largestfiles.md b/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_largestfiles.md index 81f929c325..1e7c9c699b 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_largestfiles.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_largestfiles.md 
@@ -13,7 +13,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_LargestFiles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/content/largestfilesanalysis.webp) +![Analysis Tasks for the SP_LargestFiles Job](/img/product_docs/accessanalyzer/solutions/sharepoint/content/largestfilesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_stalefiles.md b/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_stalefiles.md index 17c79f788e..1ee27c3d42 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_stalefiles.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/content/sp_stalefiles.md @@ -10,7 +10,7 @@ information. The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The SP_StaleFiles page has the following configurable parameters: @@ -29,7 +29,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. Only the `@stale` parameter can be configured for the analysis task. -![Analysis Tasks for the SP_StaleFiles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/content/stalefilesanalysis.webp) +![Analysis Tasks for the SP_StaleFiles Job](/img/product_docs/accessanalyzer/solutions/sharepoint/content/stalefilesanalysis.webp) The default analysis task is: 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md index 5d52e45e38..be94e3a1f5 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md 
@@ -2,31 +2,31 @@ The **SharePoint** > **1.Direct Permissions** Job Group provides insight into how directly applied permissions are configured within the targeted SharePoint environment. It is dependent on data -collected by the [SharePoint Access Auditing](../collection/overview.md#sharepoint-access-auditing) +collected by the [SharePoint Access Auditing](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md#sharepoint-access-auditing) or -[SharePoint Sensitive Data Discovery Auditing (SEEK)](../collection/overview.md#sharepoint-sensitive-data-discovery-auditing-seek) -components of the [0.Collection Job Group](../collection/overview.md). The jobs which comprise the +[SharePoint Sensitive Data Discovery Auditing (SEEK)](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md#sharepoint-sensitive-data-discovery-auditing-seek) +components of the [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md). The jobs which comprise the 1.Direct Permissions Job Group process analysis tasks and generate reports. -![1.Direct Permissions Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Direct Permissions Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The 1.Direct Permissions Job Group is comprised of: -- [SP_DomainUsers Job](sp_domainusers.md) – Identifies locations where there are domain users +- [SP_DomainUsers Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_domainusers.md) – Identifies locations where there are domain users directly applied on permissions. Best practices dictate that groups should be used to provide access to resources. 
-- [SP_EmptyDomainGroupPerms Job](sp_emptydomaingroupperms.md) – Identifies empty security groups +- [SP_EmptyDomainGroupPerms Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_emptydomaingroupperms.md) – Identifies empty security groups with directly assigned permissions to resources, these groups should be deleted from SharePoint farms, where found. Inadvertent changes to group membership may open up unwanted access. -- [SP_HighRiskPermissions Job](sp_highriskpermissions.md) – Identifies where Authenticated Users, +- [SP_HighRiskPermissions Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_highriskpermissions.md) – Identifies where Authenticated Users, Everyone Except External Users, Anonymous Logon, or Domain users have been directly assigned permissions -- [SP_SiteCollectionPerms Job](sp_sitecollectionperms.md) – Most content will inherit the +- [SP_SiteCollectionPerms Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_sitecollectionperms.md) – Most content will inherit the permissions configured at the root of the site collection. Having an understanding of how those permissions are assigned is useful for gaining perspective on the overall SharePoint permission configuration. -- [SP_StaleUsers Job](sp_staleusers.md) – Identifies locations where there are stale users directly +- [SP_StaleUsers Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_staleusers.md) – Identifies locations where there are stale users directly applied on SharePoint resources. These permissions can be safely removed. -- [SP_UnresolvedSIDs Job](sp_unresolvedsids.md) – Identifies Unresolved SIDs that have permissions +- [SP_UnresolvedSIDs Job](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_unresolvedsids.md) – Identifies Unresolved SIDs that have permissions to any SharePoint resources. Unresolved SIDs can be safely cleaned up without affecting user access. 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_domainusers.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_domainusers.md index f9fc494d12..6e80c07ab3 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_domainusers.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_domainusers.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **SharePoint** > **1.Direct Permissions** > **SP_Doma **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_DomainUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/domainusersanalysis.webp) +![Analysis Tasks for the SP_DomainUsers Job](/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/domainusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_emptydomaingroupperms.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_emptydomaingroupperms.md index d3c4bdc090..9154929510 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_emptydomaingroupperms.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_emptydomaingroupperms.md @@ -13,7 +13,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_EmptyDomainGroupPerms Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/emptydomaingrouppermsanalysis.webp) +![Analysis Tasks for the SP_EmptyDomainGroupPerms Job](/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/emptydomaingrouppermsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_highriskpermissions.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_highriskpermissions.md index 1c835b5e71..c82b3f05d6 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_highriskpermissions.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_highriskpermissions.md @@ -11,7 +11,7 @@ Navigate to the **Jobs** > **SharePoint** > **1.Direct Permissions** > **SP_High **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_HighRiskPermissions Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/highriskpermissionsanalysis.webp) +![Analysis Tasks for the SP_HighRiskPermissions Job](/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/highriskpermissionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_sitecollectionperms.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_sitecollectionperms.md index e4349476e1..0fb3b74dd2 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_sitecollectionperms.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_sitecollectionperms.md 
@@ -12,7 +12,7 @@ Navigate to the **Jobs** > **SharePoint** > **1.Direct Permissions** > **SP_Site **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_SiteCollectionPerms Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/sitecollectionpermsanalysis.webp) +![Analysis Tasks for the SP_SiteCollectionPerms Job](/img/product_docs/accessanalyzer/solutions/sharepoint/directpermissions/sitecollectionpermsanalysis.webp) They need to remain in the default order: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_staleusers.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_staleusers.md index 5749105a5f..f0e9b20a70 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_staleusers.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_staleusers.md @@ -12,7 +12,7 @@ Navigate to the **Jobs** > **SharePoint** > **1.Direct Permissions** > **SP_Stal **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_StaleUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) +![Analysis Tasks for the SP_StaleUsers Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/staleusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_unresolvedsids.md b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_unresolvedsids.md index e33ec6acbe..d4c85acc16 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_unresolvedsids.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/sp_unresolvedsids.md 
@@ -11,7 +11,7 @@ Navigate to the **Jobs** > **SharePoint** > **1.Direct Permissions** > **SP_Unre **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_UnresolvedSIDs Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/unresolvedsidsanalysis.webp) +![Analysis Tasks for the SP_UnresolvedSIDs Job](/img/product_docs/accessanalyzer/solutions/filesystem/directpermissions/unresolvedsidsanalysis.webp) They need to remain in the default order: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md index 4852949581..b5902d4b16 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md 
@@ -3,15 +3,15 @@ This group returns reports identifying specific trustees’ effective access across the entire SharePoint environment. -![Effective Access Audits Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Effective Access Audits Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The Effective Access Audits Job Group is comprised of: -- [Scoping > SP_TrusteeAccess Job](sp_trusteeaccess.md) – Scopes a list of users to audit their +- [Scoping > SP_TrusteeAccess Job](/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaccess.md) – Scopes a list of users to audit their access across the SharePoint environment. This can also be accomplished by looking users up in the Access Information Center. However, it is recommended to use this job in scenarios where a report on multiple users’ effective access at once needs to be generated. -- [SP_TrusteeAudit Job](sp_trusteeaudit.md) – Provides functionality similar to the Access +- [SP_TrusteeAudit Job](/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaudit.md) – Provides functionality similar to the Access Information Center by allowing scoped audits of users’ access across the environment For the SP_TrusteeAccess Job, the host list is set to Local host at the Scoping Job Group level. The diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaccess.md b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaccess.md index cb3617696f..e44b11619f 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaccess.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaccess.md 
@@ -10,7 +10,7 @@ the [Configure CSV File for the Query for the SP_TrusteeAccess Job](#configure-csv-file-for-the-query-for-the-sp_trusteeaccess-job) topic for additional information. -![Scoping > SP_TrusteeAccess Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/scopingjobstree.webp) +![Scoping > SP_TrusteeAccess Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/scopingjobstree.webp) The SP_TrusteeAccess job is located in the Scoping Job Group. @@ -18,7 +18,7 @@ The SP_TrusteeAccess job is located in the Scoping Job Group. The SP_TrusteeAccess Job uses the TextSearch Data Collector for the following query: -![Queries for the SP_TrusteeAccess Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/trusteeaccessquery.webp) +![Queries for the SP_TrusteeAccess Job](/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/trusteeaccessquery.webp) The default query is: 
@@ -34,11 +34,11 @@ Follow the steps to specify trustees in the `UserScoping.csv` file. **SP_TrusteeAccess** Job and right-click on the job. Select **Explore Folder** and the job’s directory opens. -![UserScoping.csv in the SP_TrusteeAccess Job folder in File Explorer](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/userscopingfileexplorer.webp) +![UserScoping.csv in the SP_TrusteeAccess Job folder in File Explorer](/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/userscopingfileexplorer.webp) **Step 2 –** Open the `UserScoping.csv` file with a text editor, for example Notepad. -![UserScoping.csv file in Notepad](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/userscopingnotepad.webp) +![UserScoping.csv file in Notepad](/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/userscopingnotepad.webp) **Step 3 –** Enter the trustees using a `Domain\UserName` format. Enter one trustee per row. diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaudit.md b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaudit.md index 9cf08e8b8b..717e461152 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaudit.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/sp_trusteeaudit.md 
@@ -12,7 +12,7 @@ Navigate to the **Jobs** > **SharePoint** > **Effective Access Audits** > **SP_T **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_TrusteeAudit Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/trusteeauditanalysis.webp) +![Analysis Tasks for the SP_TrusteeAudit Job](/img/product_docs/accessanalyzer/solutions/sharepoint/effectiveaccessaudits/trusteeauditanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/overview.md index 5a3082ba99..0dd26a4346 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/overview.md 
@@ -4,23 +4,23 @@ The 8.M365 Job Group generates summary and detail reports of SharePoint Activity Teams sites. These reports can be used for identifying file, folder, and user related activity across your SharePoint environment. -![8.M365 Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![8.M365 Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 8.M365 Job Group are: -- [SP_ExternalUsers Job](sp_externalusers.md) – Identifies activity of external users on all +- [SP_ExternalUsers Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_externalusers.md) – Identifies activity of external users on all monitored Sharepoint servers -- [SP_OneDrives Job](sp_onedrives.md) – Collects the activity, sensitive data, summary level +- [SP_OneDrives Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_onedrives.md) – Collects the activity, sensitive data, summary level information across OneDrives -- [SP_SharedLinks Job](sp_sharedlinks.md) – Provides an overview of the shared links configured with +- [SP_SharedLinks Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_sharedlinks.md) – Provides an overview of the shared links configured with Sharpoint Online, with visibility into Anonymous Sharing, External User Sharing, and activity pertaining to Shared Links -- [SP_StaleTeamSites Job](sp_staleteamsites.md) – Identifies Teams that have not had activity for a +- [SP_StaleTeamSites Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_staleteamsites.md) – Identifies Teams that have not had activity for a number of days that can be set in the analysis (Set at 30 Days by Default) -- [SP_Teams](sp_teams.md) – Identifies activities, sensitive data and a summary of collected data +- [SP_Teams](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teams.md) – Identifies activities, sensitive data and a summary of collected data 
for SharePoint Teams -- [SP_TeamsExternalUserActivity Job](sp_teamsexternaluseractivity.md) – Identifies all activity +- [SP_TeamsExternalUserActivity Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamsexternaluseractivity.md) – Identifies all activity events performed by external users in Teams, including details on the date/time, resource, and operation -- [SP_TeamsSensitiveData Job](sp_teamssensitivedata.md) – Analyzes sensitive data activity within +- [SP_TeamsSensitiveData Job](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamssensitivedata.md) – Analyzes sensitive data activity within Teams sites diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_externalusers.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_externalusers.md index 92943861a8..212903cc56 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_externalusers.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_externalusers.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_ExternalUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/externalusersanalysis.webp) +![Analysis Tasks for the SP_ExternalUsers Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/externalusersanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_onedrives.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_onedrives.md index 9d5e3771cf..6bf3a86c6e 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_onedrives.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_onedrives.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the OneDrives Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/onedrivesanalysis.webp) +![Analysis Tasks for the OneDrives Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/onedrivesanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_sharedlinks.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_sharedlinks.md index 0d106c2018..999bc3e84e 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_sharedlinks.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_sharedlinks.md @@ -12,7 +12,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SharedLinks Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/sharedlinksanalysis.webp) +![Analysis Tasks for the SharedLinks Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/sharedlinksanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_staleteamsites.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_staleteamsites.md index 13642dd6aa..a3862e6281 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_staleteamsites.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_staleteamsites.md 
@@ -7,7 +7,7 @@ be set in the analysis (Set as 30 Days by Default). The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The SP_StaleTeamSites page has the following configurable parameters: @@ -23,7 +23,7 @@ for additional information. Navigate to the **Jobs** > **SharePoint** > **8.M365** > **SP_StaleTeamSites** >**Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the SP_StaleTeamSites Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/staleteamsitesanalysis.webp) +![Analysis Tasks for the SP_StaleTeamSites Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/staleteamsitesanalysis.webp) The default analysis task is: @@ -50,5 +50,5 @@ The default values for customizable parameters are: | Find Stale Teams | @days | 30 | Desired number of days since last activity to determine staleness. | See the -[Configure the Customizable Parameters in an Analysis Task](../../../admin/jobs/job/configure/analysiscustomizableparameters.md) +[Configure the Customizable Parameters in an Analysis Task](/docs/accessanalyzer/12.0/admin/jobs/job/configure/analysiscustomizableparameters.md) topic for instructions on customizing the analysis parameters. diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teams.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teams.md index 20972d7692..6a29bf53ac 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teams.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teams.md 
@@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_Teams Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamsanalysis.webp) +![Analysis Tasks for the SP_Teams Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamsanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamsexternaluseractivity.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamsexternaluseractivity.md index 0b71981da9..b2698baf1f 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamsexternaluseractivity.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamsexternaluseractivity.md @@ -12,7 +12,7 @@ tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_TeamsExternalUserActivity Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamsexternaluseractivityanalysis.webp) +![Analysis Tasks for the SP_TeamsExternalUserActivity Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamsexternaluseractivityanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamssensitivedata.md b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamssensitivedata.md index 92353e7fd7..8f21296bbd 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamssensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/m365/sp_teamssensitivedata.md 
@@ -10,7 +10,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_TeamsSensitiveData Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamssensitivedataanalysis.webp) +![Analysis Tasks for the SP_TeamsSensitiveData Job](/img/product_docs/accessanalyzer/solutions/sharepoint/m365/teamssensitivedataanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md index a5db25cd53..5711c417fe 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/overview.md 
@@ -21,16 +21,16 @@ Supported Platforms Requirements, Permissions, and Ports - Permissions vary based on the Scan Mode selected and target environment. See the - [SharePoint Support](../../requirements/target/sharepoint.md) topic for additional information. + [SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topic for additional information. - Ports vary based on the Scan Mode selected and target environment. See the - [SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) topic for + [SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) topic for additional information. **NOTE:** You can use the **SP_RegisterAzureAppAuth** instant job to make the configuration for SharePoint Online easier. This job registers the necessary Microsoft Entra ID application and provisions it with the required permissions. See the -[SP_RegisterAzureAppAuth Job](../../admin/jobs/instantjobs/sp_registerazureappauth.md) topic for +[SP_RegisterAzureAppAuth Job](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/sp_registerazureappauth.md) topic for additional information. Sensitive Data Discovery Considerations 
@@ -59,10 +59,10 @@ This SharePoint solution offers information on multiple aspects of an organizati on-premises and SharePoint Online environments. This solution is comprised of 10 sub-job groups and an overview job which collect, analyze, and report on data. The data collection is conducted by the SharePointAccess (SPAA) Data Collector. See the corresponding -[Standard Reference Tables & Views for the SPAA Data Collector](../../admin/datacollector/spaa/standardtables.md) +[Standard Reference Tables & Views for the SPAA Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/spaa/standardtables.md) topic for database table information. -![SharePoint Job Group](../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/sharepointjobgroup.webp) +![SharePoint Job Group](/img/product_docs/accessanalyzer/solutions/sharepoint/sharepointjobgroup.webp) The following types of auditing can be conducted with the SharePoint Solution: 
@@ -83,57 +83,57 @@ If intending to run two or all auditing types, see each auditing type section wi to first run the 0.Collection Job Group components in the default order for the desired auditing types to ensure successful data collection, and then to run the desired sub-groups for reports. -See the [Recommended Configuration for the SharePoint Solution](recommended.md) topic for additional +See the [Recommended Configuration for the SharePoint Solution](/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md) topic for additional information on frequency and job group settings. The SharePoint Solution is available with the SharePoint Reports license feature and is comprised of the following job groups and jobs: -- [0.Collection Job Group](collection/overview.md) – Designed to collect high level summary +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md) – Designed to collect high level summary information from SharePoint servers. This information is used to populate the SMP Reports based around the SharePoint and is a requirement for the Access Information Center – SharePoint reports. - This job group is available with the SharePoint license feature -- [1.Direct Permissions Job Group](directpermissions/overview.md) – Provides insight into how +- [1.Direct Permissions Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/directpermissions/overview.md) – Provides insight into how directly applied permissions are configured within the SharePoint environment. The group contains surface-level configuration settings that can quickly assess the SharePoint permission structure. -- [2.High Risk Sites > SP_OpenAccess Job](sp_openaccess.md) – Provides insight into any high-risk +- [2.High Risk Sites > SP_OpenAccess Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md) – Provides insight into any high-risk repositories and high-risk data that may exist within an organization’s SharePoint environment. 
High risk data is effectively open to the entire organization through modification of SharePoint permissions to apply well known security principles such as NT AUTHORITY\Authenticated Users, Everyone, and Everyone Except External Users. This data must be monitored closely because of its exposure. -- [3.Broken Inheritance > SP_BrokenInheritance Job](sp_brokeninheritance.md) – Keeping track of +- [3.Broken Inheritance > SP_BrokenInheritance Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md) – Keeping track of directly applied permissions at mass is not realistic, this job is responsible for performing data analysis and generating SharePoint broken inheritance reports at the site level. This includes looking at site broken inheritance and the trustees who are assigned to those sites where inheritance is broken so that you can remove that access in favor of providing access via group membership. -- [4.Content Job Group](content/overview.md) – Provides insight into content stored across +- [4.Content Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/content/overview.md) – Provides insight into content stored across SharePoint farms in order to help more efficiently manage that content. It will provide information on the content taking up the most space, the content that has not been accessed for extended periods of time, and additional data describing SharePoint content and the configuration of the repositories such as lists and libraries which store that content. -- [5.Probable Owner > SP_ProbableOwner Job](sp_probableowner.md) – Provides reports about probable +- [5.Probable Owner > SP_ProbableOwner Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md) – Provides reports about probable ownership. The goal of this report is to help you either identify who most likely owns the SharePoint resource or at least someone who can tell you who does. 
-- [6.Sensitive Data > SP_SensitiveData Job](sp_sensitivedata.md) – Highlights sensitive data +- [6.Sensitive Data > SP_SensitiveData Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md) – Highlights sensitive data identified across targeted SharePoint farms - Requires Sensitive Data Discovery -- [7.Activity Job Group](activity/overview.md)– Generates summary and detail reports of SharePoint +- [7.Activity Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/activity/overview.md)– Generates summary and detail reports of SharePoint activity on the specified sites. These reports can be used for identifying file, folder, and user related activity across your SharePoint environment. -- [8.M365 Job Group](m365/overview.md) – Generates summary and detail reports of SharePoint Activity +- [8.M365 Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/m365/overview.md) – Generates summary and detail reports of SharePoint Activity on the specified Teams sites. These reports can be used for identifying file, folder, and user related activity across your SharePoint environment. -- [Effective Access Audits Job Group](effectiveaccessaudits/overview.md) – Returns reports +- [Effective Access Audits Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/effectiveaccessaudits/overview.md) – Returns reports identifying specific trustees’ effective access across the entire SharePoint environment - Typically, this is run independently from the rest of the solution -- [SP_Overview Job](sp_overview.md) – Provides an overview of the SharePoint environment, providing +- [SP_Overview Job](/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md) – Provides an overview of the SharePoint environment, providing a high level view into what makes up your SharePoint environment and the types of security risks and toxic permissions found during scans 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md b/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md index 4a1b1d5031..d917c37406 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/recommended.md @@ -27,13 +27,13 @@ SharePoint environments to be targeted. Select the checkbox for the custom-creat Since SharePoint Online environments can only be targeted for Access Auditing and Sensitive Data Discovery Auditing, it is best practice to set the host list at the job level. -See the [Add Hosts](../../admin/hostmanagement/actions/add.md) topic for additional information. +See the [Add Hosts](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/add.md) topic for additional information. Connection Profile The SPAA Data Collector requires a specific set of permissions. See the -[SharePoint Scan Options](../../requirements/solutions/sharepoint/scanoptions.md) and -[SharePoint Support](../../requirements/target/sharepoint.md) topics for the necessary permissions +[SharePoint Scan Options](/docs/accessanalyzer/12.0/requirements/solutions/sharepoint/scanoptions.md) and +[SharePoint Support](/docs/accessanalyzer/12.0/requirements/target/sharepoint.md) topics for the necessary permissions for both on-premises and online target environments. Then create a custom Connection Profile containing the appropriate credentials for the targeted environment. If a single Connection Profile contains both on-premises and online credentials, it is necessary for the online credentials to be 
@@ -51,7 +51,7 @@ rights on the Access Analyzer Console server to access the CSV file saved in the The Connection Profile can be set at either the **Effective Access Audits** > **Settings** > **Connection** node (applies to both jobs) or in the job’s Properties window on the Connection tab. -See the [Connection](../../admin/settings/connection/overview.md) topic for additional information. +See the [Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. Schedule Frequency @@ -74,7 +74,7 @@ and the 2-SPAC Bulk Import Job default analysis tasks. **_RECOMMENDED:_** If only conducting one or two types of auditing, scope the solution by disabling the undesired collection jobs. Disabling them allows the solution to run more efficiently. It is not recommended to delete any jobs. See the -[Disable or Enable a Job](../../admin/jobs/job/disableenable.md) topic for additional information. +[Disable or Enable a Job](/docs/accessanalyzer/12.0/admin/jobs/job/disableenable.md) topic for additional information. Query Configuration diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md index 74ded15a62..7ce674391f 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_brokeninheritance.md 
@@ -6,7 +6,7 @@ the site level. This includes looking at site broken inheritance and the trustee to those sites where inheritance is broken so that you can remove that access in favor of providing access via group membership. -![3.Broken Inheritance > SP_BrokenInheritance Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) +![3.Broken Inheritance > SP_BrokenInheritance Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritancejobstree.webp) The SP_BrokenInheritance job is located in the 3.Broken Inheritance Job Group. @@ -18,7 +18,7 @@ Navigate to the **Jobs** > **SharePoint** > **3.Broken Inheritance** > **SP_Brok **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_BrokenInheritance Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) +![Analysis Tasks for the SP_BrokenInheritance Job](/img/product_docs/accessanalyzer/solutions/filesystem/brokeninheritanceanalysis.webp) They need to remain in the default order: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md index 2cff1b9cc1..e667a31d0e 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_openaccess.md 
@@ -6,7 +6,7 @@ entire organization through modification of SharePoint permissions to apply well principals such as NT AUTHORITY\Authenticated Users. The data must be monitored closely because of its exposure. -![2.High Risk Sites > SP_OpenAccess Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) +![2.High Risk Sites > SP_OpenAccess Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessjobstree.webp) The job group is comprised of the SP_OpenAccess Job. Minimizing your attack surface is the goal. Open site collections can potentially provide access to privileged data, greatly increasing your @@ -16,7 +16,7 @@ be accessed by a very large amount of employees. It is dependent on data collected by the [SharePoint Access Auditing](collection/overview.md#sharepoint-access-auditing) or [SharePoint Sensitive Data Discovery Auditing (SEEK)](collection/overview.md#sharepoint-sensitive-data-discovery-auditing-seek) -components of the [0.Collection Job Group](collection/overview.md). +components of the [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md). ## Analysis Tasks for the SP_OpenAccess Job @@ -26,7 +26,7 @@ Navigate to the **Jobs** > **SharePoint** > **2.High Risk Sites** > **SP_OpenAcc **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_OpenAccess Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) +![Analysis Tasks for the SP_OpenAccess Job](/img/product_docs/accessanalyzer/solutions/filesystem/openaccessanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md index 1774175eea..2b4543beb5 100644 
--- a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_overview.md @@ -4,13 +4,13 @@ The SP_Overview job provides an overview of the SharePoint Environment, providin into what makes up a SharePoint Environment and the types of security risks and toxic permissions found during scans. -![SP_Overview Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/sharepoint/overviewjobstree.webp) +![SP_Overview Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/sharepoint/overviewjobstree.webp) It is dependent on data collected by the [SharePoint Access Auditing](collection/overview.md#sharepoint-access-auditing), [SharePoint Sensitive Data Discovery Auditing (SEEK)](collection/overview.md#sharepoint-sensitive-data-discovery-auditing-seek), and [SharePoint Activity Auditing](collection/overview.md#sharepoint-activity-auditing) components -of the [0.Collection Job Group](collection/overview.md). It also depends on the running of the +of the [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/sharepoint/collection/overview.md). It also depends on the running of the sub-job groups within the solution. If only select sub-job groups have been run, there will be blank sections of this overview report. @@ -22,7 +22,7 @@ Navigate to the **Jobs** > **SharePoint** > **SP_Overview** > **Configure** node **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_Overview Job](../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/overviewanalysis.webp) +![Analysis Tasks for the SP_Overview Job](/img/product_docs/accessanalyzer/solutions/exchange/publicfolders/overviewanalysis.webp) The default analysis tasks is: 
diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md index b785b2a8b7..3ac6ada60a 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_probableowner.md @@ -5,7 +5,7 @@ Sites, which can be used for entitlement reviews. Probably Owner calculation is ownership, management structure, and file activity. The goal of this report is to help you identify who most likely owns the SharePoint resource or at least someone who can tell you who does. -![5.Probable Owner > SP_ProbableOwner Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/probableownerjobstree.webp) +![5.Probable Owner > SP_ProbableOwner Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/filesystem/probableownerjobstree.webp) The SP_ProbableOwner Job is located in the 5.Probable Owner Job Group. @@ -17,7 +17,7 @@ Navigate to the **Jobs** > **SharePoint** > **5.Probable Owner** > **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SP_ProbableOwner Job](../../../../../static/img/product_docs/accessanalyzer/solutions/filesystem/probableowneranalysis.webp) +![Analysis Tasks for the SP_ProbableOwner Job](/img/product_docs/accessanalyzer/solutions/filesystem/probableowneranalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md index 15e80d6172..5c45ffb733 100644 --- a/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md +++ b/docs/accessanalyzer/12.0/solutions/sharepoint/sp_sensitivedata.md 
@@ -3,7 +3,7 @@ The SP_SensitiveData Job identifies where sensitive data is located inside SharePoint farms. Special care is paid to access and user activity in these locations. -![6.Sensitve Data > SP_SensitiveData Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) +![6.Sensitve Data > SP_SensitiveData Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/databases/db2/sensitivedata/sensitivedatajobstree.webp) The SP_SensitiveData Job is located in the 6.Sensitive Data Job Group. @@ -15,7 +15,7 @@ Navigate to the **Jobs** > **SharePoint** > **6.Sensitive Data** > **SP_Sensitiv **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SP_SensitiveData Job](../../../../../static/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) +![Analysis Tasks for the SP_SensitiveData Job](/img/product_docs/accessanalyzer/solutions/databases/postgresql/collection/sensitivedataanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/overview.md b/docs/accessanalyzer/12.0/solutions/unix/overview.md index 47c4b279c2..9885d1b24a 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/overview.md @@ -16,7 +16,7 @@ Supported Platforms Requirements, Permissions, and Ports -See the [Target Unix Requirements, Permissions, and Ports](../../requirements/target/unix.md) topic +See the [Target Unix Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/unix.md) topic for additional information. Location 
@@ -30,19 +30,19 @@ solution: **Jobs** > **Unix**. The Unix solution is a set of audit jobs and reports that provide visibility into important Unix and Linux administration concepts. -![Unix Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Unix Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The job groups in the Unix Solution are: -- [1.Users and Groups Job Group](usersgroups/overview.md) – The jobs within this group provide +- [1.Users and Groups Job Group](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/overview.md) – The jobs within this group provide visibility into users and groups, helping to pinpoint potential areas of administrative concern -- [2.Privileged Access Job Group](privilegedaccess/overview.md) – The jobs within this group provide +- [2.Privileged Access Job Group](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/overview.md) – The jobs within this group provide visibility into privileged users within audited Unix and Linux environments by identifying all rights granted via sudoers and the owners of critical files such as passwd, shadow, sudoers, hosts.deny, and more -- [3.Sharing Job Group](sharing/overview.md) – Provides information on NFS and Samba share +- [3.Sharing Job Group](/docs/accessanalyzer/12.0/solutions/unix/sharing/overview.md) – Provides information on NFS and Samba share configuration, and highlights potentially high-risk shares Each job group within the Unix Solution is designed to run independently. See the -[Recommended Configurations for the Unix Job Group](recommended.md) topic for information on +[Recommended Configurations for the Unix Job Group](/docs/accessanalyzer/12.0/solutions/unix/recommended.md) topic for information on frequency and job group settings. 
diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/overview.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/overview.md index 72acf42f03..834ec74132 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/overview.md @@ -4,12 +4,12 @@ The 2.Privileged Access job group contains jobs that provide visibility into pri audited Unix and Linux environments by identifying all rights granted via sudoers and the owners of critical files such as passwd, shadow, sudoers, hosts.deny, and more. -![2.Privileged Access Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![2.Privileged Access Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 2.Privileged Access job group are: -- [ Sudoers Job Group](sudoers/overview.md) – The jobs in this job group provide visibility into all +- [ Sudoers Job Group](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/overview.md) – The jobs in this job group provide visibility into all rights granted via sudoers within audited Unix and Linux environments -- [UX_CriticalFiles Job](ux_criticalfiles.md) – This job provides visibility into owners of critical +- [UX_CriticalFiles Job](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/ux_criticalfiles.md) – This job provides visibility into owners of critical files within audited Unix and Linux environments such as passwd, shadow, sudoers, hosts.deny, and more diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/overview.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/overview.md index bd347c37cd..1f652a8665 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/overview.md 
+++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/overview.md @@ -3,11 +3,11 @@ The 0.Collection job group collects details on all rights granted via sudoers within audited Unix and Linux Environments. -![0.Collection Job Group in the Jobs Tree](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the 0.Collection job group are: -- [UX_MakeDirectory Job](ux_makedirectory.md) – This job creates a temporary Access Analyzer +- [UX_MakeDirectory Job](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_makedirectory.md) – This job creates a temporary Access Analyzer directory on target Unix and Linux environments to be used by the UX_ParseSudoers job -- [UX_ParseSudeors Job](ux_parsesudeors.md) – This job parses all rights granted via sudoers in the +- [UX_ParseSudeors Job](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_parsesudeors.md) – This job parses all rights granted via sudoers in the audited environment diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_makedirectory.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_makedirectory.md index fbed2825aa..57c446e825 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_makedirectory.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_makedirectory.md 
@@ -9,6 +9,6 @@ The UX_MakeDirectory job uses the Unix Data Collector for the following query: **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the UX_MakeDirectory Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/collection/makedirectoryquery.webp) +![Queries for the UX_MakeDirectory Job](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/collection/makedirectoryquery.webp) - MakeDirectory – Makes a directory for the sudoers.pl file on the target host diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_parsesudeors.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_parsesudeors.md index 3b01d9a700..99671f5468 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_parsesudeors.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/ux_parsesudeors.md @@ -8,7 +8,7 @@ The UX_ParseSudoers job uses the Unix Data Collector for the following query: **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the UX_ParseSudoers Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/collection/parsesudoersquery.webp) +![Queries for the UX_ParseSudoers Job](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/collection/parsesudoersquery.webp) The query for the UX_ParseSudoers job is: diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/overview.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/overview.md index ea5fd9600a..54620ecfcb 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/overview.md 
@@ -3,11 +3,11 @@ The Sudoers job group provides visibility into all rights granted via sudoers within audited Unix and Linux environments. -![Sudoers Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/sudoersjobstree.webp) +![Sudoers Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/sudoersjobstree.webp) The jobs in the Sudoers job group are: -- [0.Collection Job Group](collection/overview.md) – This group collects details on all rights +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/collection/overview.md) – This group collects details on all rights granted via sudoers within audited Unix and Linux environments -- [UX_Sudoers Job](ux_sudoers.md) – This job details all rights granted via sudoers in the audited +- [UX_Sudoers Job](/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/ux_sudoers.md) – This job details all rights granted via sudoers in the audited environment diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/ux_sudoers.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/ux_sudoers.md index 26b4d7c3f7..c9eae42399 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/ux_sudoers.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/sudoers/ux_sudoers.md @@ -11,7 +11,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_Sudoers Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/sudoersanalysis.webp) +![Analysis Tasks for the UX_Sudoers Job](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/sudoers/sudoersanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/ux_criticalfiles.md b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/ux_criticalfiles.md index cb5e5ca2a8..0665070693 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/ux_criticalfiles.md +++ b/docs/accessanalyzer/12.0/solutions/unix/privilegedaccess/ux_criticalfiles.md @@ -9,7 +9,7 @@ The UX_CriticalFIles job uses the Unix Data Collector for the following query: **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the UX_CriticalFiles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/criticalfilesquery.webp) +![Queries for the UX_CriticalFiles Job](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/criticalfilesquery.webp) The query for the UX_CriticalFiles job is: @@ -23,7 +23,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_CriticalFiles Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/criticalfilesanalysis.webp) +![Analysis Tasks for the UX_CriticalFiles Job](/img/product_docs/accessanalyzer/solutions/unix/privilegedaccess/criticalfilesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/unix/recommended.md b/docs/accessanalyzer/12.0/solutions/unix/recommended.md index 21df9e343b..e72275ba25 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/unix/recommended.md 
@@ -22,7 +22,7 @@ Connection Profile Set a Connection Profile on the Unix job group with root permissions for Unix/Linux. If the Root permission is unavailable, a least privileged model can be used. See the -[Least Privilege Model](../../requirements/target/unix.md#least-privilege-model) topic for +[Least Privilege Model](/docs/accessanalyzer/12.0/requirements/target/unix.md#least-privilege-model) topic for permissions needed to target the supported platforms for data collection. Schedule Frequency diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/overview.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/overview.md index 414b8df37e..3a1adca4a9 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/overview.md 
@@ -3,13 +3,13 @@ The jobs within this group collect NFS and Samba configuration information which will be further analyzed to identify and categorize risk within audited Unix and Linux environments. -![0.Collection Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the 0.Collection job group are: -- [UX_NFSConfiguration Job](ux_nfsconfiguration.md) – Collects NFS configuration information which +- [UX_NFSConfiguration Job](/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md) – Collects NFS configuration information which will be further analyzed to identify and categorize risk within audited Unix and Linux environments -- [UX_NFSConfiguration Job](ux_nfsconfiguration.md) – Collects Samba configuration information which +- [UX_NFSConfiguration Job](/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md) – Collects Samba configuration information which will be further analyzed to identify and categorize risk within audited Unix and Linux environments diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md index cfb2168602..bd7d45ae00 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_nfsconfiguration.md 
@@ -9,7 +9,7 @@ The UX_NFSConfiguration job uses the Unix Data Collector for the following queri **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the UX_NFSConfiguration Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/nfsconfigurationqueries.webp) +![Queries for the UX_NFSConfiguration Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/nfsconfigurationqueries.webp) The queries for the UX_NFSConfiguration job are: @@ -24,7 +24,7 @@ Navigate to the **Unix** > **3.Sharing** > **0.Collection** > **UX_NFSConfigurat **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the UX_NFSConfiguration Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/nfsconfigurationanalysis.webp) +![Analysis Tasks for the UX_NFSConfiguration Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/nfsconfigurationanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_sambaconfiguration.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_sambaconfiguration.md index f545e2c46c..3b05d67b20 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_sambaconfiguration.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/ux_sambaconfiguration.md 
@@ -9,7 +9,7 @@ The UX_SambaConfiguration job uses the Unix Data Collector for the following que **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the UX_SambaConfiguration Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/sambaconfigurationqueries.webp) +![Queries for the UX_SambaConfiguration Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/sambaconfigurationqueries.webp) The queries for the UX_SambaConfiguration Job are: @@ -24,7 +24,7 @@ Navigate to the **Unix** > **3.Sharing** > **0.Collection** > **UX_SambaConfigur **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the UX_SambaConfiguration Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/sambaconfigurationanalysis.webp) +![Analysis Tasks for the UX_SambaConfiguration Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/collection/sambaconfigurationanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/overview.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/overview.md index 75495d0a11..c21528e746 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/overview.md 
@@ -2,15 +2,15 @@ The 3.Sharing job group highlights potentially insecure share configurations on Unix hosts. -![3.Sharing Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![3.Sharing Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 3.Sharing job group are: -- [0.Collection Job Group](collection/overview.md) - Collects NFS and Samba configuration +- [0.Collection Job Group](/docs/accessanalyzer/12.0/solutions/unix/sharing/collection/overview.md) - Collects NFS and Samba configuration information which will be further analyzed to identify and categorize risk within audited Unix and Linux environments -- [UX_NFS Job](ux_nfs.md) – This job identifies potentially insecure NFS share options which are +- [UX_NFS Job](/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_nfs.md) – This job identifies potentially insecure NFS share options which are categorized by their risk level. Separate lists of options are checked based on target operating system. -- [UX_Samba Job](ux_samba.md) – This job identifies potentially insecure Samba share configurations +- [UX_Samba Job](/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_samba.md) – This job identifies potentially insecure Samba share configurations which are categorized by their risk level diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_nfs.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_nfs.md index 24c8af450f..4819943166 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_nfs.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_nfs.md 
@@ -11,7 +11,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_NFS Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/nfsanalysis.webp) +![Analysis Tasks for the UX_NFS Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/nfsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_samba.md b/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_samba.md index 7c79282e5e..57324a55b8 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_samba.md +++ b/docs/accessanalyzer/12.0/solutions/unix/sharing/ux_samba.md @@ -11,7 +11,7 @@ node and select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_Samba Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/sharing/sambaanalysis.webp) +![Analysis Tasks for the UX_Samba Job](/img/product_docs/accessanalyzer/solutions/unix/sharing/sambaanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/overview.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/overview.md index cd4efbeef2..6caca16602 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/overview.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/overview.md 
@@ -3,25 +3,25 @@ The jobs within the 1.Users and Groups job group provide visibility into users and groups, helping to pinpoint potential areas of administrative concern. -![1.Users and Groups Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![1.Users and Groups Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the 1.Users and Groups job group are: -- [0.Collection > UX_UsersAndGroups Job](ux_usersandgroups.md) – Collects user and group related +- [0.Collection > UX_UsersAndGroups Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_usersandgroups.md) – Collects user and group related information from /etc/shadow and their equivalents in order to provide details on user and group conditions to help pinpoint areas of administrative concerns -- [UX_DuplicateGroups Job](ux_duplicategroups.md) – This job identifies duplicate groups within the +- [UX_DuplicateGroups Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_duplicategroups.md) – This job identifies duplicate groups within the audited Unix or Linux environment. Duplicate groups contain the same group membership as one another and are suitable candidates for cleanup. -- [UX_EmptyGroups Job](ux_emptygroups.md) – This job identifies empty groups found within the +- [UX_EmptyGroups Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_emptygroups.md) – This job identifies empty groups found within the audited Unix or Linux environment. These are suitable candidates for consolidation or cleanup. -- [UX_LargeGroups Job](ux_largegroups.md) – This job identifies groups with large member counts. +- [UX_LargeGroups Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_largegroups.md) – This job identifies groups with large member counts. 
These types of groups may cause administrative overhead and burden in being able to easily understand who is getting access to resources, or how much access is being granted to resources through these groups. -- [UX_LocalGroups Job](ux_localgroups.md) – This job provides an overview of all local groups within +- [UX_LocalGroups Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localgroups.md) – This job provides an overview of all local groups within the audited Unix and Linux environments -- [UX_LocalUsers Job](ux_localusers.md) – This job provides an overview of all local users within +- [UX_LocalUsers Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localusers.md) – This job provides an overview of all local users within the audited Unix and Linux environments -- [UX_PasswordSettings Job](ux_passwordsettings.md) – This job provides visibility into user +- [UX_PasswordSettings Job](/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_passwordsettings.md) – This job provides visibility into user passwords and system password configurations within audited Unix and Linux environments diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_duplicategroups.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_duplicategroups.md index f87c134b29..46f6151a11 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_duplicategroups.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_duplicategroups.md 
@@ -12,7 +12,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_DuplicateGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) +![Analysis Tasks for the UX_DuplicateGroups Job](/img/product_docs/accessanalyzer/solutions/activedirectory/groups/duplicategroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_emptygroups.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_emptygroups.md index 440698fc1b..7e8717cfac 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_emptygroups.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_emptygroups.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_EmptyGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) +![Analysis Tasks for the UX_EmptyGroups Job](/img/product_docs/accessanalyzer/solutions/exchange/distributionlists/membershipanalysis/emptygroupsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_largegroups.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_largegroups.md index 364dc9a08c..aa2af1bb63 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_largegroups.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_largegroups.md 
@@ -8,7 +8,7 @@ resources, or how much access is being granted to resources through these groups The Configuration section on a Job's overview page allows you to easily modify any customizable parameters used by analysis tasks in the job. See the -[Parameter Configuration](../../../admin/jobs/job/overview.md#parameter-configuration) topic for +[Parameter Configuration](/docs/accessanalyzer/12.0/admin/jobs/job/overview.md#parameter-configuration) topic for instructions on how to edit parameters on a job overview page. The UX_LargeGroups job has the following customizable parameter: @@ -24,7 +24,7 @@ select Analysis to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the UX_LargeGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/largegroupsanalysis.webp) +![Analysis Tasks for the UX_LargeGroups Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/largegroupsanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localgroups.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localgroups.md index 44a19f4155..afbe36d929 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localgroups.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localgroups.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_LocalGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localgroupsanalysis.webp) +![Analysis Tasks for the UX_LocalGroups Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localgroupsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localusers.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localusers.md index 5ebb78ac0c..9cd0c18909 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localusers.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_localusers.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_LocalUsers Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localusersanalysis.webp) +![Analysis Tasks for the UX_LocalUsers Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localusersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_passwordsettings.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_passwordsettings.md index 9b48adbd86..b114b3c5b7 100644 --- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_passwordsettings.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_passwordsettings.md @@ -11,7 +11,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_PasswordSettings Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/passwordsettingsanalysis.webp) +![Analysis Tasks for the UX_PasswordSettings Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/passwordsettingsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_usersandgroups.md b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_usersandgroups.md index 9559bc9fa8..caacc40fb0 100644 
--- a/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_usersandgroups.md +++ b/docs/accessanalyzer/12.0/solutions/unix/usersgroups/ux_usersandgroups.md @@ -4,7 +4,7 @@ The UX_UsersAndGroups job collects user and group information from /etc/passwd, their equivalents in order to provide details on user and group conditions to help pinpoint potential areas of administrative concern. -![0.Collection > UX_UsersAndGroups Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![0.Collection > UX_UsersAndGroups Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The UX_UsersAndGroups job is located in the 0.Collection job group. @@ -14,7 +14,7 @@ The UX_UsersandGroups job uses the Unix Data Collector for the following queries **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the UX_UsersAndGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/usersandgroupsqueries.webp) +![Queries for the UX_UsersAndGroups Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/usersandgroupsqueries.webp) The queries for the UX_UsersAndGroups job are: @@ -37,7 +37,7 @@ Navigate to the **Unix** > **1.Users and Groups** > **0.Collection** > **UX_User **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the UX_UsersAndGroups Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/usersandgroupsanalysis.webp) +![Analysis Tasks for the UX_UsersAndGroups Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/usersandgroupsanalysis.webp) The default analysis tasks are: 
diff --git a/docs/accessanalyzer/12.0/solutions/windows/applications/overview.md b/docs/accessanalyzer/12.0/solutions/windows/applications/overview.md index 44343593e3..0bc65619da 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/applications/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/applications/overview.md @@ -3,14 +3,14 @@ The Applications job group tracks various aspects of installed application management, identifying installed software and utilization, unauthorized programs and rogue systems, and more. -![Applications Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Applications Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Applications job group are: -- [SG_InstalledApplications Job](sg_installedapplications.md) – This job identifies installed +- [SG_InstalledApplications Job](/docs/accessanalyzer/12.0/solutions/windows/applications/sg_installedapplications.md) – This job identifies installed applications on all targeted hosts, highlighting the most common applications installed across the audited environment -- [SG_RunAtBoot Job](sg_runatboot.md) – This job lists applications which are set to **Run** or +- [SG_RunAtBoot Job](/docs/accessanalyzer/12.0/solutions/windows/applications/sg_runatboot.md) – This job lists applications which are set to **Run** or **Run Once** on all targeted hosts -- [SG_ScheduledTasks Job](sg_scheduledtasks.md) – This job lists scheduled task details on all +- [SG_ScheduledTasks Job](/docs/accessanalyzer/12.0/solutions/windows/applications/sg_scheduledtasks.md) – This job lists scheduled task details on all targeted hosts diff --git a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_installedapplications.md b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_installedapplications.md index 769c0917ac..3e4c61fd9a 100644 
--- a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_installedapplications.md +++ b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_installedapplications.md @@ -8,7 +8,7 @@ The SG_InstalledApplications job uses the WMICollector Data Collector for the fo **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_InstalledApplications Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/installedapplicationsquery.webp) +![Queries for the SG_InstalledApplications Job](/img/product_docs/accessanalyzer/solutions/windows/applications/installedapplicationsquery.webp) The query for the SG_InstalledApplications job are: @@ -23,7 +23,7 @@ and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_InstalledApplications Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/installedapplicationsanalysis.webp) +![Analysis Tasks for the SG_InstalledApplications Job](/img/product_docs/accessanalyzer/solutions/windows/applications/installedapplicationsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_runatboot.md b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_runatboot.md index 7def49a885..5685d42d6d 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_runatboot.md +++ b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_runatboot.md 
@@ -9,7 +9,7 @@ The SG_RunAtBoot job uses the Registry Data Collector for the following queries: **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the SG_RunAtBoot Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/runatbootqueries.webp) +![Queries for the SG_RunAtBoot Job](/img/product_docs/accessanalyzer/solutions/windows/applications/runatbootqueries.webp) The queries for the SG_RunAtBoot job are: @@ -24,7 +24,7 @@ Navigate to the **Windows** > **Applications** > **SG_RunAtBoot** > **Configure* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_RunAtBoot Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/runatbootanalysis.webp) +![Analysis Tasks for the SG_RunAtBoot Job](/img/product_docs/accessanalyzer/solutions/windows/applications/runatbootanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_scheduledtasks.md b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_scheduledtasks.md index 74d749043e..4b53159d09 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/applications/sg_scheduledtasks.md +++ b/docs/accessanalyzer/12.0/solutions/windows/applications/sg_scheduledtasks.md @@ -8,7 +8,7 @@ The SG_ScheduledTasks job uses the SystemInfo Data Collector for the following q **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_ScheduledTasks Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/scheduledtasksquery.webp) +![Queries for the SG_ScheduledTasks Job](/img/product_docs/accessanalyzer/solutions/windows/applications/scheduledtasksquery.webp) The query for the SG_ScheduledTasks job is: 
@@ -23,7 +23,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_ScheduledTasks Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/applications/scheduledtasksanalysis.webp) +![Analysis Tasks for the SG_ScheduledTasks Job](/img/product_docs/accessanalyzer/solutions/windows/applications/scheduledtasksanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/authentication/overview.md b/docs/accessanalyzer/12.0/solutions/windows/authentication/overview.md index 37c045eb82..05492bb905 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/authentication/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/authentication/overview.md 
@@ -3,19 +3,19 @@ The Authentication job group provides information on authentication settings within audited systems to help identify potential security vulnerabilities and reduce risk within the environment. -![Authentication Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Authentication Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Authentication job group are: -- [SG_LSASettings Job](sg_lsasettings.md) – This job lists LSA settings on all targeted hosts. In +- [SG_LSASettings Job](/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_lsasettings.md) – This job lists LSA settings on all targeted hosts. In particular, the RunAsPPL, RestrictAnonymous, and ValidateKdcPacSignature keys are examined. If these keys are not set to 1, a host is vulnerable to mimikatz and other exploitation tools. See the Microsoft - [Configuring Additional LSA Protection]() + [Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional ininformation. -- [SG_SecuritySupportProviders Job](sg_securitysupportproviders.md) – This job identifies security +- [SG_SecuritySupportProviders Job](/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_securitysupportproviders.md) – This job identifies security support providers on all targeted hosts, highlighting potentially malicious SSPs -- [SG_WDigestSettings Job](sg_wdigestsettings.md) – This job lists WDigest settings on all targeted +- [SG_WDigestSettings Job](/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_wdigestsettings.md) – This job lists WDigest settings on all targeted hosts. In particular, the UseLogonCredentials key is examined. 
If the KB is not installed, and this key is not set properly for a given host, cleartext passwords will be stored in memory. See the diff --git a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_lsasettings.md b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_lsasettings.md index 09bb83db28..591567be40 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_lsasettings.md +++ b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_lsasettings.md @@ -3,7 +3,7 @@ The SG_LASettings job lists settings on all targeted hosts. In particular, the RunAsPPL, RestrictAnonymous, and ValidateKdcPacSignature keys are examined. If these keys are not set to 1, a host is vulnerable to mimikatz and other exploitation tools. See the Microsoft -[Configuring Additional LSA Protection]() +[Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional information. ## Queries for the SG_LSASettings Job @@ -12,7 +12,7 @@ The SG_LSASettings job uses the Registry Data Collector for the following querie **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the SG_LSASettings Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/lsasettingsqueries.webp) +![Queries for the SG_LSASettings Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/lsasettingsqueries.webp) The queries for the SG_LSASettings Job are: 
@@ -27,7 +27,7 @@ select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_LSASettings Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/lsasettingsanalysis.webp) +![Analysis Tasks for the SG_LSASettings Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/lsasettingsanalysis.webp) The default analysis tasks are: 
@@ -50,6 +50,6 @@ following pre-configured reports. | Report | Description | Default Tags | Report Elements | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Additional LSA Protection | This report summarizes RunAsPPL registry settings on targeted hosts. This key governs whether or not additional LSA protection is enabled. See the Microsoft [Configuring Additional LSA Protection]() article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays additional LSA protection by host - Table – Provides additional LSA Protection Details | +| Additional LSA Protection | This report summarizes RunAsPPL registry settings on targeted hosts. This key governs whether or not additional LSA protection is enabled. See the Microsoft [Configuring Additional LSA Protection](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays additional LSA protection by host - Table – Provides additional LSA Protection Details | | PAC Validation | This report indicates whether or not PAC Validation is enabled on all targeted hosts. This is governed by the ValidateKdcPacSignature key. Default behavior in the event of this key's absence depends on the Windows version installed. 
See the Microsoft [Understanding Microsoft Kerberos PAC Validation](https://learn.microsoft.com/en-gb/archive/blogs/openspecification/understanding-microsoft-kerberos-pac-validation) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays PAC validation status - Table – Provides PAC validation details | -| Restrict Anonymous Access | This report summarizes RestrictAnonymous registry settings on targeted hosts. This key governs whether or not access over anonymous connections is enabled. See the Microsoft [Restrict Anonymous check]() article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays anonymous access by host - Table – Provides anonymous access details | +| Restrict Anonymous Access | This report summarizes RestrictAnonymous registry settings on targeted hosts. This key governs whether or not access over anonymous connections is enabled. See the Microsoft [Restrict Anonymous check](https://learn.microsoft.com/en-us/previous-versions/tn-archive/bb418944(v=technet.10)) article for additional information. | None | This report is comprised of two elements: - Pie Chart – Displays anonymous access by host - Table – Provides anonymous access details | diff --git a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_securitysupportproviders.md b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_securitysupportproviders.md index f8df4c64f1..88175f2b47 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_securitysupportproviders.md +++ b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_securitysupportproviders.md 
@@ -9,7 +9,7 @@ The SG_SecuritySupportProviders job uses the Registry Data Collector for the fol **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the SG_SecuritySupportProviders Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/securitysupportprovidersqueries.webp) +![Queries for the SG_SecuritySupportProviders Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/securitysupportprovidersqueries.webp) The queries for the SG_SecuritySupportProviders job are: @@ -24,7 +24,7 @@ node and select **Analysis** to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_SecuritySupportProviders Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/securitysupportprovidersanalysis.webp) +![Analysis Tasks for the SG_SecuritySupportProviders Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/securitysupportprovidersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_wdigestsettings.md b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_wdigestsettings.md index ffc206abf5..45df10741b 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_wdigestsettings.md +++ b/docs/accessanalyzer/12.0/solutions/windows/authentication/sg_wdigestsettings.md @@ -13,7 +13,7 @@ queries: **CAUTION:** The queries are preconfigured for this job. Never modify the queries. -![Queries for the SG_WDigestSettings Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/wdigestsettingsqueries.webp) +![Queries for the SG_WDigestSettings Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/wdigestsettingsqueries.webp) The queries for the SG_WDigestSettings job are: 
@@ -29,7 +29,7 @@ select **Analysis**. **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_WDigestSettings Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/authentication/wdigestsettingsanalysis.webp) +![Analysis Tasks for the SG_WDigestSettings Job](/img/product_docs/accessanalyzer/solutions/windows/authentication/wdigestsettingsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/openaccess/overview.md b/docs/accessanalyzer/12.0/solutions/windows/openaccess/overview.md index 1c7cd9bc2e..94d55c181f 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/openaccess/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/openaccess/overview.md @@ -2,9 +2,9 @@ The Open Access job group identifies instances of open access in the audited environment. -![Open Access Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Open Access Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The job in the Open Access job group is: -- [SG_OpenFolders Job](sg_openfolders.md) – This job enumerates folders with open access across the +- [SG_OpenFolders Job](/docs/accessanalyzer/12.0/solutions/windows/openaccess/sg_openfolders.md) – This job enumerates folders with open access across the audited environment diff --git a/docs/accessanalyzer/12.0/solutions/windows/openaccess/sg_openfolders.md b/docs/accessanalyzer/12.0/solutions/windows/openaccess/sg_openfolders.md index 653cbe5b5c..4ee12dc98f 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/openaccess/sg_openfolders.md +++ b/docs/accessanalyzer/12.0/solutions/windows/openaccess/sg_openfolders.md 
@@ -6,7 +6,7 @@ The SG_OpenFolders job enumerates folders with open access across the audited en The SG_OpenFolders job uses the SystemInfo Data Collector for the following query: -![Queries for the SG_OpenFolders Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/openaccess/openfoldersquery.webp) +![Queries for the SG_OpenFolders Job](/img/product_docs/accessanalyzer/solutions/windows/openaccess/openfoldersquery.webp) The query for the SG_OpenFolders job is: @@ -22,7 +22,7 @@ The query for the SG_OpenFolders job is: The OpenAccess query has been preconfigured to run with the default settings. However, the subfolder depth can optionally be increased on the Options page in the System Info Data Collector Wizard. Follow the steps to customize the query. See the -[SystemInfo Data Collector](../../../admin/datacollector/systeminfo/overview.md) topic for +[SystemInfo Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/systeminfo/overview.md) topic for additional information. **Step 1 –** Navigate to the **Jobs** > **Windows** > **Open Access** > **SG_OpenFolders** > @@ -34,7 +34,7 @@ opens. **Step 3 –** Select the **Data Source** tab, and click **Configure**. The System Info Data Collector Wizard opens. -![System Info Data Collector Wizard Options page](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/openaccess/configuresubfolderdepth.webp) +![System Info Data Collector Wizard Options page](/img/product_docs/accessanalyzer/solutions/windows/openaccess/configuresubfolderdepth.webp) **Step 4 –** Navigate to the Options page and select the **Enumerate subfolders within shared folder** checkbox and then the **Limit returned subfolders depth to** checkbox. 
@@ -53,7 +53,7 @@ Navigate to the **Windows** > **OpenAccess** > **SG_OpenFolders** > **Configure* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_OpenFolders Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/openaccess/openfoldersanalysis.webp) +![Analysis Tasks for the SG_OpenFolders Job](/img/product_docs/accessanalyzer/solutions/windows/openaccess/openfoldersanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/overview.md b/docs/accessanalyzer/12.0/solutions/windows/overview.md index 4ee37eadbc..c50fb78bca 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/overview.md 
@@ -16,17 +16,17 @@ Supported Platforms Requirements, Permissions, and Ports See the -[Target Windows Server and Desktop Requirements, Permissions, and Ports](../../requirements/target/windows.md) +[Target Windows Server and Desktop Requirements, Permissions, and Ports](/docs/accessanalyzer/12.0/requirements/target/windows.md) topic for additional information. Location The Windows Solution requires a special Access Analyzer license. It can be installed from the -Instant Job Wizard. See the [Instant Job Wizard](../../admin/jobs/instantjobs/overview.md) topic for +Instant Job Wizard. See the [Instant Job Wizard](/docs/accessanalyzer/12.0/admin/jobs/instantjobs/overview.md) topic for additional information. Once it has been installed in the Jobs tree, navigate to the solution: **Jobs** > **Windows**. -![Windows Solution in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Windows Solution in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) Each job group works independently from the other job groups. All of the job groups have their own collections that are used to analyze and report on data specific to the groups function. The 
@@ -37,25 +37,25 @@ SG_SecurityAssessment job summarizes security related results from the Windows s The Windows Solution provides both high-level and granular views into any sized organization’s infrastructure. -![Windows Solution Overview page](../../../../../static/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) +![Windows Solution Overview page](/img/product_docs/accessanalyzer/admin/runninginstances/overviewpage.webp) The jobs and job groups in the Windows Solution are: -- [Applications Job Group](applications/overview.md) – The jobs in this group track various aspects +- [Applications Job Group](/docs/accessanalyzer/12.0/solutions/windows/applications/overview.md) – The jobs in this group track various aspects of installed application management, highlighting installed software and utilization, unauthorized programs, rogue systems, and more -- [Authentication Job Group](authentication/overview.md) – This group offers insight into +- [Authentication Job Group](/docs/accessanalyzer/12.0/solutions/windows/authentication/overview.md) – This group offers insight into authentication settings within audited systems to help identify potential security vulnerabilities and reduce risk within the environment -- [Open Access Job Group](openaccess/overview.md) – This group highlights instances of open access +- [Open Access Job Group](/docs/accessanalyzer/12.0/solutions/windows/openaccess/overview.md) – This group highlights instances of open access across the audited environment -- [Privileged Accounts Job Group](privilegedaccounts/overview.md) – Vital to security is the ability +- [Privileged Accounts Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md) – Vital to security is the ability to accurately assess who has administrative privileges to each system and how. 
This group provides the collection and correlation capabilities needed to unravel complex access assignments, including local administrator membership, users with remote logon rights, and service accounts. -- [Security Utilities Job Group](securityutilities/overview.md) – This group provides a series of +- [Security Utilities Job Group](/docs/accessanalyzer/12.0/solutions/windows/securityutilities/overview.md) – This group provides a series of security element checks across the audited environment -- [SG_SecurityAssessment Job](sg_securityassessment.md) – This job performs checks against Windows +- [SG_SecurityAssessment Job](/docs/accessanalyzer/12.0/solutions/windows/sg_securityassessment.md) – This job performs checks against Windows security best practices in order to proactively identify critical security configurations that leave the environment vulnerable to attack. The result is a report which provides a listing of findings by severity and category with corresponding details that can be used to prioritize and diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/overview.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/overview.md index 3949ada380..733ad3672b 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/overview.md 
@@ -1,18 +1,18 @@ # Local Administrators Job Group -![Local Administrators Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Local Administrators Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs in the Local Administrators group are: -- [SG_LocalAdmins Job](sg_localadmins.md) – This job identifies the effective membership for all +- [SG_LocalAdmins Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_localadmins.md) – This job identifies the effective membership for all local administrator groups to gain an understanding of what accounts within the environment are privileged and should be monitored closely -- [SG_MicrosoftLAPS Job](sg_microsoftlaps.md) – This job assesses the LAPS (Local Administrator +- [SG_MicrosoftLAPS Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md) – This job assesses the LAPS (Local Administrator Password Solution) local policies on all targeted hosts. This offers insight into LAPS enablement and configuration across an environment. LAPS allows for centralized local administrator password management within Active Directory. See the Microsoft - [Local Administrator Password Solution]() + [Local Administrator Password Solution](https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)) article for additional information. -- [SG_Sessions Job](sg_sessions.md) – This job lists sessions and logged on users from all targeted +- [SG_Sessions Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md) – This job lists sessions and logged on users from all targeted hosts. These active sessions and logged on users may have their hashes stored in memory on the target machine, which could be leveraged in a Pass the Hash attack. 
diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_localadmins.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_localadmins.md index c6fea8b7bb..6ee04df345 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_localadmins.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_localadmins.md @@ -10,7 +10,7 @@ The SG_LocalAdmins job uses the UsersGroups Data Collector for the following que **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_LocalAdmins Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/localadminsquery.webp) +![Queries for the SG_LocalAdmins Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/localadminsquery.webp) The query for the SG_LocalAdmins job is: @@ -24,7 +24,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Local Administrators** **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_LocalAdmins Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/localadminsanalysis.webp) +![Analysis Tasks for the SG_LocalAdmins Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/localadminsanalysis.webp) The default analysis tasks are: 
@@ -53,4 +53,4 @@ on the target host. However if a less-privileged option is required, you can ins domain user that has been added to the **Network access: Restrict clients allowed to make remote calls to SAM** Local Security Policy. -![User added to the Local Securtiy Policy](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/leastprivilegemodel.webp) +![User added to the Local Securtiy Policy](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/leastprivilegemodel.webp) diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md index aa77ed9d5b..7908a7d07d 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_microsoftlaps.md @@ -4,7 +4,7 @@ The SG_MicrosoftLAPS job assesses the Local Administrator Password Solution (LAP all targeted hosts. This offers insight into LAPS enablement and configuration across an environment. LAPS allows for centralized local administrator password management within Active Directory. See the Microsoft -[Local Administrator Password Solution]() +[Local Administrator Password Solution](https://learn.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)) article for additional information. ## Queries for the SG_MicrosoftLAPS Job 
@@ -13,7 +13,7 @@ The SG_MicrosoftLAPS job uses the Registry Data Collector for the following quer **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_MicrosoftLAPS Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/microsoftlapsquery.webp) +![Queries for the SG_MicrosoftLAPS Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/microsoftlapsquery.webp) The query for the SG_MicrosoftLAPS job is: @@ -27,7 +27,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Local Administrators** **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SG_MicrosoftLAPS Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/microsoftlapsanalysis.webp) +![Analysis Tasks for the SG_MicrosoftLAPS Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/microsoftlapsanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md index 88775fe7cc..68a7c8301a 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/sg_sessions.md 
@@ -10,7 +10,7 @@ The SG_Sessions job uses the SystemInfo Data Collector for the following queries **CAUTION:** The queries) are preconfigured for this job. Never modify the queries. -![Queries for the SG_Sessions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/sessionsqueries.webp) +![Queries for the SG_Sessions Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/sessionsqueries.webp) The queries for the SG_Sessions job are: @@ -22,7 +22,7 @@ The queries for the SG_Sessions job are: Navigate to the **Windows** > **Privileged Accounts** > **Local Administrators** > **SG_Sessions** > **Configure** node and select **Analysis** to view the analysis tasks. -![Analysis Tasks for the SG_Sessions Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/sessionsanalysis.webp) +![Analysis Tasks for the SG_Sessions Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/localadministrators/sessionsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/overview.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/overview.md index 7994fbcfd3..cb914ccbb4 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/overview.md 
@@ -4,14 +4,14 @@ The Collection job group collects group policy settings, local users, and local information from Windows servers which will be further analyzed to provide insight into privileged users within the environment. -![Collection Job Group in the Jobs Tree](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) +![Collection Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/exchange/databases/collection/collectionjobstree.webp) The jobs in the Collection job group are: -- [SG_GroupPolicy Job](sg_grouppolicy.md) – This job collects policy assignments from all targeted +- [SG_GroupPolicy Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_grouppolicy.md) – This job collects policy assignments from all targeted servers. In particular, **Allow log on locally**, **Log on as a batch job**, **Allow log on through Remote Desktop Services**, and **Log on as a service** are audited. -- [SG_LocalMembership Job](sg_localmembership.md) – This job collects local group membership details +- [SG_LocalMembership Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localmembership.md) – This job collects local group membership details from all targeted servers -- [SG_LocalUsers Job](sg_localusers.md) – This job collects local user accounts from all targeted +- [SG_LocalUsers Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localusers.md) – This job collects local user accounts from all targeted servers diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_grouppolicy.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_grouppolicy.md index 3f01340352..4c8f3f702e 100644 
--- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_grouppolicy.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_grouppolicy.md @@ -14,7 +14,7 @@ The SG_GroupPolicy job uses the GroupPolicy Data Collector for the following que **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_GroupPolicy Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyquery.webp) +![Queries for the SG_GroupPolicy Job](/img/product_docs/accessanalyzer/solutions/activedirectory/grouppolicy/grouppolicyquery.webp) The query for the SG_GroupPolicy job is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localmembership.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localmembership.md index 1a69d4ac9c..b5d63b61c6 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localmembership.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localmembership.md @@ -8,7 +8,7 @@ The SG_LocalMembership job uses the UsersGroups Data Collector for the following **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_LocalMembership Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localmembershipquery.webp) +![Queries for the SG_LocalMembership Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localmembershipquery.webp) The query for the SG_LocalMembership job is: 
@@ -22,7 +22,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Logon Rights** > **Col **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SG_LocalMembership Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localmembershipanalysis.webp) +![Analysis Tasks for the SG_LocalMembership Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localmembershipanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localusers.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localusers.md index d87368df29..f5132df7fb 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localusers.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/sg_localusers.md @@ -8,7 +8,7 @@ The SG_LocalMembership job uses the UsersGroups Data Collector for the following **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_LocalUsers Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localusersquery.webp) +![Queries for the SG_LocalUsers Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/collection/localusersquery.webp) The query for the SG_LocalUsers job is: 
@@ -22,7 +22,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Logon Rights** > **Col **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SG_LocalUsers Job](../../../../../../../../static/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localusersanalysis.webp) +![Analysis Tasks for the SG_LocalUsers Job](/img/product_docs/accessanalyzer/solutions/unix/usersgroups/localusersanalysis.webp) The default analysis tasks is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/overview.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/overview.md index af5d65282b..1c59c9fbfb 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/overview.md 
@@ -2,14 +2,14 @@ The Logon Rights job group collects local policy information and reports on privileged users. -![Logon Rights Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Logon Rights Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs and job groups in the Logon Rights job group are: -- [Collection Job Group](collection/overview.md) – The jobs within this group collect group policy +- [Collection Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/collection/overview.md) – The jobs within this group collect group policy settings, local users, and local group membership from Windows servers which will be further analyzed to provide insight into privileged users within the environment -- [SG_AccountPrivileges Job](sg_accountprivileges.md) – This job highlights account privileges +- [SG_AccountPrivileges Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_accountprivileges.md) – This job highlights account privileges across the audited environment, filtering out default privileges present on Windows servers -- [SG_LocalPolicies Job](sg_localpolicies.md) – This job identifies privileged accounts across the +- [SG_LocalPolicies Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_localpolicies.md) – This job identifies privileged accounts across the audited environments, based on the number of local security policies assigned diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_accountprivileges.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_accountprivileges.md index 608a9af92c..46d1c0d45f 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_accountprivileges.md 
+++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_accountprivileges.md @@ -12,7 +12,7 @@ The SG_AccountPrivileges job uses the PowerShell Data Collector for the followin **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_AccountPrivileges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/accountprivilegesquery.webp) +![Queries for the SG_AccountPrivileges Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/accountprivilegesquery.webp) The query for the SG_AccountPrivileges job is: @@ -26,7 +26,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Logon Rights** > **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SG_AccountPrivileges Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/accountprivilegesanalysis.webp) +![Analysis Tasks for the SG_AccountPrivileges Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/accountprivilegesanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_localpolicies.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_localpolicies.md index 18fed7e116..1317009d15 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_localpolicies.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/sg_localpolicies.md 
@@ -10,7 +10,7 @@ Navigate to the **Windows** > **Privileged Accounts** > **Logon Rights** > **SG_ **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_LocalPolicies Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/localpoliciesanalysis.webp) +![Analysis Tasks for the SG_LocalPolicies Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/logonrights/localpoliciesanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md index d077fbc18b..cf439279cf 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/overview.md 
@@ -5,16 +5,16 @@ system and how. The Privileged Accounts job group provides the collection and co capabilities needed to unravel complex access assignments, including local administrator membership, users with remote logon rights, and service accounts. -![Privileged Accounts Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Privileged Accounts Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The job groups in the Privileged Accounts job group are: -- [Local Administrators Job Group](localadministrators/overview.md) – This group identifies the +- [Local Administrators Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/localadministrators/overview.md) – This group identifies the effective membership for all local administrator groups along with LAPS local policies configured on the target hosts to provide an understanding of what accounts within the environment are privileged and how they are being secured -- [Logon Rights Job Group](logonrights/overview.md) – The jobs within this group collect local +- [Logon Rights Job Group](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/logonrights/overview.md) – The jobs within this group collect local policy information to provide insight into privileged users within the environment -- [Service Accounts > SG_ServiceAccounts Job](sg_serviceaccounts.md) – This job indicates which +- [Service Accounts > SG_ServiceAccounts Job](/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/sg_serviceaccounts.md) – This job indicates which domain accounts are being used to run services on member servers, highlighting password age and settings diff --git a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/sg_serviceaccounts.md b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/sg_serviceaccounts.md index 45edb02b17..533f9e7d1f 100644 
--- a/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/sg_serviceaccounts.md +++ b/docs/accessanalyzer/12.0/solutions/windows/privilegedaccounts/sg_serviceaccounts.md @@ -3,7 +3,7 @@ The SG_ServiceAccounts job determines which domain accounts are being used to run services on member servers, identifying password age and settings. -![Service Accounts > SG_ServiceAccounts Job in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/serviceaccountsjobstree.webp) +![Service Accounts > SG_ServiceAccounts Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/serviceaccountsjobstree.webp) The SG_ServiceAccounts job is located in the Service Account job group. @@ -13,13 +13,13 @@ The SG_ServiceAccounts job uses the Services Data Collector for the following qu **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the SG_ServiceAccounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/serviceaccountsquery.webp) +![Queries for the SG_ServiceAccounts Job](/img/product_docs/accessanalyzer/solutions/windows/privilegedaccounts/serviceaccountsquery.webp) The query for the SG_ServiceAccounts job is: - Service Accounts – Collects information on service accounts -See the [Services Data Collector](../../../admin/datacollector/services.md) topic for additional +See the [Services Data Collector](/docs/accessanalyzer/12.0/admin/datacollector/services.md) topic for additional information. ## Analysis Tasks for the SG_ServiceAccounts Job 
@@ -30,7 +30,7 @@ Navigate to the **Jobs** > **Windows** > **Privileged Accounts** > **Service Acc **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_ServiceAccounts Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/users/serviceaccountsanalysis.webp) +![Analysis Tasks for the SG_ServiceAccounts Job](/img/product_docs/accessanalyzer/solutions/activedirectory/users/serviceaccountsanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/recommended.md b/docs/accessanalyzer/12.0/solutions/windows/recommended.md index 723a2005c1..50a8961008 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/recommended.md +++ b/docs/accessanalyzer/12.0/solutions/windows/recommended.md @@ -16,7 +16,7 @@ Connection Profile The Connection Profile used for this job needs to have local administrator privileges. By default, this job group's Connection Profile is set to **Use Default Profile (Inherit from the parent group, if any, or the global Default setting)**. See the -[Connection](../../admin/settings/connection/overview.md) topic for additional information. +[Connection](/docs/accessanalyzer/12.0/admin/settings/connection/overview.md) topic for additional information. History Retention diff --git a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/overview.md b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/overview.md index f03e1dc64d..72b3eb26b5 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/overview.md 
@@ -4,14 +4,14 @@ The OpenPortScan job group reveals all open ports along with the associated exec targeted systems leveraging the jobs within this group. This is accomplished through remotely executing a netstat command on the target hosts and collecting the results for reporting. -![OpenPortScan Job Group in the Jobs Tree](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/openportscanjobstree.webp) +![OpenPortScan Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/openportscanjobstree.webp) _Remember,_ both jobs need to be assigned the same host list under the Host List Assignments node in the OpenPortScan job group’s settings. The jobs in the OpenPortScan job group are: -- [RemoteOpenPort Job](remoteopenport.md) – This job remotely executes `netstat -a -b -n` command to +- [RemoteOpenPort Job](/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/remoteopenport.md) – This job remotely executes `netstat -a -b -n` command to gather information about the available port on the targeted hosts -- [RetrieveNetstat Job](retrievenetstat.md) – This job reveals all open ports along with the +- [RetrieveNetstat Job](/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/retrievenetstat.md) – This job reveals all open ports along with the associated executable on  targeted systems diff --git a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/remoteopenport.md b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/remoteopenport.md index 9188f3dcd1..e0c356f61d 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/remoteopenport.md +++ b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/remoteopenport.md 
@@ -9,7 +9,7 @@ The RemoteOpenPort job uses the Script Data Collector for the following query: **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the RemoteOpenPort Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportquery.webp) +![Queries for the RemoteOpenPort Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportquery.webp) The query for the RemoteOpenPort job is: @@ -24,7 +24,7 @@ Navigate to the **Windows** > **Security Utilities** > **OpenPortScan** > **Remo **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the RemoteOpenPort Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportanalysis.webp) +![Analysis Tasks for the RemoteOpenPort Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/retrievenetstat.md b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/retrievenetstat.md index bf32a5976e..de1dd7d950 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/retrievenetstat.md +++ b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/retrievenetstat.md 
@@ -9,7 +9,7 @@ The RetrieveNetstat job is uses the TextSearch Data Collector for the following **CAUTION:** The query is preconfigured for this job. Never modify the query. -![Queries for the RetrieveNetstat Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportquery.webp) +![Queries for the RetrieveNetstat Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/remoteopenportquery.webp) The query for the RetrieveNetstat job is: @@ -24,7 +24,7 @@ Navigate to the **Windows** > **Security Utilities** > **OpenPortScan** > **Retr **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the RetrieveNetstat Job](../../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/retrievenetstatanalysis.webp) +![Analysis Tasks for the RetrieveNetstat Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/openportscan/retrievenetstatanalysis.webp) The default analysis tasks are: diff --git a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/overview.md b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/overview.md index 8179bb49a1..550c0c3be2 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/overview.md +++ b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/overview.md 
@@ -4,13 +4,13 @@ The Security Utilities job group is designed to reveal all open ports along with executable on the targeted systems. The job remotely executes a netstat command on the target hosts and collects the results for reporting. -![Security Utilities Job Group in the Jobs Tree](../../../../../../static/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) +![Security Utilities Job Group in the Jobs Tree](/img/product_docs/accessanalyzer/admin/hostmanagement/jobstree.webp) The jobs and job groups in the Security Utilities job group are: -- [OpenPortScan Job Group](openportscan/overview.md) – Reveals all open ports along with the +- [OpenPortScan Job Group](/docs/accessanalyzer/12.0/solutions/windows/securityutilities/openportscan/overview.md) – Reveals all open ports along with the associated executable on the targeted systems leveraging the jobs within this group. This is accomplished through remotely executing a netstat command on the target hosts and collecting the results for reporting. -- [SG_PowerShellCommands Job](sg_powershellcommands.md) – This job highlights instances where +- [SG_PowerShellCommands Job](/docs/accessanalyzer/12.0/solutions/windows/securityutilities/sg_powershellcommands.md) – This job highlights instances where suspicious PowerShell commands have been found in a host’s PowerShell log diff --git a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/sg_powershellcommands.md b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/sg_powershellcommands.md index b49981e326..3b784b6a62 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/securityutilities/sg_powershellcommands.md +++ b/docs/accessanalyzer/12.0/solutions/windows/securityutilities/sg_powershellcommands.md 
@@ -10,7 +10,7 @@ The SG_PowerShellCommands job uses the SmartLog Data Collector for the following **CAUTION:** The Check PowerShell Operations log query is preconfigured for this job. Never modify the query. -![Queries for the SG_PowerShellCommands Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsqueries.webp) +![Queries for the SG_PowerShellCommands Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsqueries.webp) The queries for the SG_PowerShellCommands job are: @@ -40,7 +40,7 @@ Wizard opens. **Step 4 –** If the **Criteria** tab is grayed out, click **Next** through the windows until the tab is accessible. -![Smart Log Data Collector Wizard Criteria page](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/smartlogdcwizardcriteria.webp) +![Smart Log Data Collector Wizard Criteria page](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/smartlogdcwizardcriteria.webp) **Step 5 –** On the Criteria page, click the **press the button to add a new condition** box. @@ -58,7 +58,7 @@ View the analysis tasks by navigating to the **Windows** > **Security Utilities* **CAUTION:** Do not modify or deselect the selected analysis tasks. The analysis tasks are preconfigured for this job. -![Analysis Tasks for the SG_PowerShellCommands Job](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsanalysis.webp) +![Analysis Tasks for the SG_PowerShellCommands Job](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsanalysis.webp) The default analysis tasks are: 
@@ -92,12 +92,12 @@ Follow these steps to configure the notification analysis task. **Step 2 –** In the Analysis Selection view, select the **Notify on suspicious commands** analysis task and click **Analysis Configuration**. The Notification Data Analysis Module opens. -![Notification Data Analysis Module wizard SMTP properties page](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifysmtp.webp) +![Notification Data Analysis Module wizard SMTP properties page](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifysmtp.webp) **Step 3 –** Use the **Next** button to navigate to the SMTP page. Do not make changes to the preceding pages. -![Recipients section](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifyrecipients.webp) +![Recipients section](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifyrecipients.webp) **Step 4 –** In the Recipients section, provide the email addresses or distribution lists (fully qualified address) for those who are to receive this notification. Multiple addresses can be @@ -108,7 +108,7 @@ provided. You can use the following options: - Combine multiple messages into single message – Sends one email for all objects in the record set instead of one email per object to all recipients -![Message section](../../../../../../static/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifymessage.webp) +![Message section](/img/product_docs/accessanalyzer/solutions/windows/securityutilities/powershellcommandsnotifymessage.webp) **Step 5 –** In the Message section, edit the **Subject**. It is not recommended to remove any parameters. Then, customize the email content in the textbox to provide an explanation of the 
diff --git a/docs/accessanalyzer/12.0/solutions/windows/sg_securityassessment.md b/docs/accessanalyzer/12.0/solutions/windows/sg_securityassessment.md index 87b97f24c5..1ae4071b4a 100644 --- a/docs/accessanalyzer/12.0/solutions/windows/sg_securityassessment.md +++ b/docs/accessanalyzer/12.0/solutions/windows/sg_securityassessment.md @@ -5,7 +5,7 @@ proactively identify critical security configurations that leave the environment attack. The result is a report which provides a listing of findings by severity and category with corresponding details that can be used to prioritize and remediate security issues. -![SG_SecurityAssessment Job in the Jobs Tree](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) +![SG_SecurityAssessment Job in the Jobs Tree](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentjobstree.webp) ## Recommended Configurations for the SG_SecurityAssessment Job @@ -60,7 +60,7 @@ to view the analysis tasks. **CAUTION:** Do not modify or deselect the selected analysis task. The analysis task is preconfigured for this job. -![Analysis Tasks for the SG_SecurityAssessment Job](../../../../../static/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) +![Analysis Tasks for the SG_SecurityAssessment Job](/img/product_docs/accessanalyzer/solutions/activedirectory/securityassessmentanalysis.webp) The default analysis task is: diff --git a/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md b/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md index ac76c8ca48..e5f45b70fb 100644 --- a/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md +++ b/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md 
@@ -19,26 +19,26 @@ Follow these steps to install the Microsoft Exchange MAPI CDO. **NOTE:** The steps may be slightly different than the following. See Microsoft’s website for additional detail. -![appendix_for_the_stealthaudit](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit.webp) +![appendix_for_the_stealthaudit](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit.webp) **Step 2 –** Choose the “Directory For Extracted Files” or accept the default location. Click OK. -![appendix_for_the_stealthaudit_1](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_1.webp) +![appendix_for_the_stealthaudit_1](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_1.webp) **Step 3 –** When the extraction is complete, click OK. -![appendix_for_the_stealthaudit_2](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_2.webp) +![appendix_for_the_stealthaudit_2](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_2.webp) **Step 4 –** Open the ExchangeMapiCdo folder and run the ExchangeMapiCdo application installer. 
| | | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![appendix_for_the_stealthaudit_3](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_4.webp) | +| ![appendix_for_the_stealthaudit_3](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_4.webp) | **Step 5 –** On the Welcome page of the Installation Wizard, click Next. Accept the license agreement and click Next. -![appendix_for_the_stealthaudit_5](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_5.webp) +![appendix_for_the_stealthaudit_5](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/appendix_for_the_stealthaudit_5.webp) **Step 6 –** When the installation is complete, click Finish. diff --git a/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md b/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md index e5faf03d40..44a68b915f 100644 --- a/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md +++ b/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation.md 
@@ -3,16 +3,16 @@ Both the Access Analyzer MAPI CDO and the Microsoft® Exchange MAPI CDO must to be installed in order to enable the Settings > Exchange node. -![exchangenode](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/exchangenode.webp) +![exchangenode](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/exchangenode.webp) The Microsoft Exchange MAPI CDO is only required to run the MAPI-based data collectors. See the -[Exchange Solution](../../../solutions/exchange/overview.md) topic for additional +[Exchange Solution](/docs/accessanalyzer/12.0/solutions/exchange/overview.md) topic for additional information. The Access Analyzer MAPI CDO can be downloaded from the [Product Downloads](https://www.stealthbits.com/product-downloads) page of the Netwrix website. The Microsoft Exchange MAPI CDO can be downloaded directly from Microsoft. See the -[Appendix for the StealthAUDIT MAPI CDO Installation Guide](appendix.md) for requirements and +[Appendix for the StealthAUDIT MAPI CDO Installation Guide](/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md) for requirements and installation steps to install the Microsoft Exchange MAPI CDO. **CAUTION:** The Access Analyzer MAPI CDO must be installed first before installing the Microsoft 
@@ -31,10 +31,10 @@ Follow the steps to install the Access Analyzer MAPI CDO. **Step 1 –** Run the StealthAuditMapiCDO executable. -![stealthaudit_mapi_cdo_installation_1](../../../../../../static/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation_1.webp) +![stealthaudit_mapi_cdo_installation_1](/img/product_docs/accessanalyzer/stealthaudit/install_guides/mapi_cdo_install/stealthaudit_mapi_cdo_installation_1.webp) **Step 2 –** Click OK to confirm the path. The application will install and the wizard will close automatically when it is finished. See the -[Appendix for the StealthAUDIT MAPI CDO Installation Guide](appendix.md) for information on +[Appendix for the StealthAUDIT MAPI CDO Installation Guide](/docs/accessanalyzer/12.0/stealthaudit/install_guides/mapi_cdo_install/appendix.md) for information on installing the Microsoft Exchange MAPI CDO. diff --git a/docs/accessinformationcenter/12.0/access/general/datagrid.md b/docs/accessinformationcenter/12.0/access/general/datagrid.md index 162495bc03..5b719cb571 100644 --- a/docs/accessinformationcenter/12.0/access/general/datagrid.md +++ b/docs/accessinformationcenter/12.0/access/general/datagrid.md @@ -6,7 +6,7 @@ The data grids within various tables have several features to improve your exper There is a Search box above a table's header row that can be used to filter the table data. -![Search box above a table header row](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablesearch.webp) +![Search box above a table header row](/img/product_docs/accessinformationcenter/access/general/tablesearch.webp) Begin typing in the Search box. The filter acts as a wildcard, filtering the table data as you type. 
@@ -15,7 +15,7 @@ Begin typing in the Search box. The filter acts as a wildcard, filtering the tab There is a filter icon to the right of each column name that can be used to apply a column specific filter. You can apply filters to multiple columns simultaneously. -![tablecolumnfilter](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumnfilter.webp) +![tablecolumnfilter](/img/product_docs/accessinformationcenter/access/general/tablecolumnfilter.webp) Click the filter icon for the column you want to filter. Select the values you want to filter for from the list, and click **Apply**. @@ -23,7 +23,7 @@ from the list, and click **Apply**. **NOTE:** Hold the **Shift** key and click the first and last values to select a group of adjacent values, or hold the **Ctrl** key and click each value to select multiple values individually. -![tablecolumnfilterclear](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumnfilterclear.webp) +![tablecolumnfilterclear](/img/product_docs/accessinformationcenter/access/general/tablecolumnfilterclear.webp) The filter icon is highlighted orange for a column where a filter is applied. To clear an applied filter, click the filter icon and click **Clear**. @@ -32,7 +32,7 @@ filter, click the filter icon and click **Clear**. Table column widths can be resized to change the width. -![Table header showing column line to be used to resize the column](../../../../../static/img/product_docs/accessinformationcenter/access/general/tableresize.webp) +![Table header showing column line to be used to resize the column](/img/product_docs/accessinformationcenter/access/general/tableresize.webp) Simply select the edges of the column headers and drag to the desired width. 
@@ -40,7 +40,7 @@ Simply select the edges of the column headers and drag to the desired width. Data within a table can be sorted alphanumerically for a column. -![Table column header showing arrow indicating ascending sort](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablesort.webp) +![Table column header showing arrow indicating ascending sort](/img/product_docs/accessinformationcenter/access/general/tablesort.webp) Click on any column header. An arrow will appear next to the column name indicating the sort to be ascending or descending order. @@ -50,7 +50,7 @@ ascending or descending order. Columns can be hidden or unhidden. Available columns for a table are listed in the column selector menu that appears when you right-click on a column header. -![Column selector menu showing a hidden column](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumns.webp) +![Column selector menu showing a hidden column](/img/product_docs/accessinformationcenter/access/general/tablecolumns.webp) The column selector menu shows all available columns for the table. Check columns are visible. Unchecked columns are hidden. @@ -60,7 +60,7 @@ Unchecked columns are hidden. There are two export buttons above a table's header row that can be used to export the data currently displayed within the table. -![Export buttons at the top of a table](../../../../../static/img/product_docs/accessinformationcenter/access/general/tableexports.webp) +![Export buttons at the top of a table](/img/product_docs/accessinformationcenter/access/general/tableexports.webp) - CSV Export – Downloads the data within the table in a CSV file format - Excel Export – Downloads the data within the table in an Excel file format diff --git a/docs/accessinformationcenter/12.0/access/general/editnotes.md b/docs/accessinformationcenter/12.0/access/general/editnotes.md index c42627460f..4ff4d2d1bc 100644 
--- a/docs/accessinformationcenter/12.0/access/general/editnotes.md +++ b/docs/accessinformationcenter/12.0/access/general/editnotes.md @@ -5,7 +5,7 @@ note. **Step 1 –** Select the item in the interface and click Edit Notes. The Edit Notes window opens. -![Edit Notes window showing note entry field](../../../../../static/img/product_docs/accessinformationcenter/access/general/editnotes.webp) +![Edit Notes window showing note entry field](/img/product_docs/accessinformationcenter/access/general/editnotes.webp) **Step 2 –** Type or edit the note in the textbox. diff --git a/docs/accessinformationcenter/12.0/access/general/groupmembership.md b/docs/accessinformationcenter/12.0/access/general/groupmembership.md index 61329ac5ae..5e35071dfa 100644 --- a/docs/accessinformationcenter/12.0/access/general/groupmembership.md +++ b/docs/accessinformationcenter/12.0/access/general/groupmembership.md @@ -3,7 +3,7 @@ When a group trustee appears in the Trustee Name column of a review, it appears as a blue hyperlink in addition to the group icon displayed in front of the name. -![Resource Reviews page showing the Group Membership window](../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) +![Resource Reviews page showing the Group Membership window](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) Click the hyperlink to open the Group Membership window. The group’s direct membership is listed for review. Click **Close** to return to the review. diff --git a/docs/accessinformationcenter/12.0/access/general/removechanges.md b/docs/accessinformationcenter/12.0/access/general/removechanges.md index 1bd656df8c..20f0f17751 100644 --- a/docs/accessinformationcenter/12.0/access/general/removechanges.md +++ b/docs/accessinformationcenter/12.0/access/general/removechanges.md 
@@ -3,7 +3,7 @@ Select the desired resource on a Review Details page and click **Remove Changes**. The Remove changes window opens to confirm the action. -![Remove changes window](../../../../../static/img/product_docs/accessinformationcenter/access/general/removechanges.webp) +![Remove changes window](/img/product_docs/accessinformationcenter/access/general/removechanges.webp) **CAUTION:** This will clear all owner-recommended changes and notes for the resource. The owner will be required to complete the review again. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/expiration.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/expiration.md index baa4dd72b8..8b25be34cd 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/expiration.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/expiration.md @@ -3,8 +3,8 @@ If only temporary access was granted, once the date expires, the user will be automatically removed from the resource, and will receive an email notification informing them of the removal. -![Access Expired email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/expired.webp) +![Access Expired email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/expired.webp) -On the [Request History Page](../youraccessportal/requesthistory.md) of the Your Access portal, you +On the [Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md) of the Your Access portal, you can see that the icon in the Expired column has changed and it's tooltip indicates that the access has expired. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/reminder.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/reminder.md index eecea3d8d0..dfdc89ec6d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/reminder.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/reminder.md @@ -3,8 +3,8 @@ The Request Administrator may send reminder email from the Access Information Center for pending access requests. -![Reminder email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/reminder.webp) +![Reminder email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/reminder.webp) Click **Sign in** to open the Access Information Center login page. Within the Owner portal, navigate to the Access Requests page to process the request. See the -[Pending Access Requests](../owners/pendingrequests.md) topic for additional information. +[Pending Access Requests](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/request.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/request.md index c8485ba3de..774265d38b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/request.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/request.md 
@@ -2,7 +2,7 @@ When a domain user submits a request, you receive an email notification. -![User Access Request email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/request.webp) +![User Access Request email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/request.webp) The email will include the following information: @@ -21,7 +21,7 @@ See the Process Request Via Email topic for additional information. There are options for accepting or declining the request in the original email notification. -![Request email response buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestbuttons.webp) +![Request email response buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestbuttons.webp) You can use these buttons to either accept or decline the request from the email notification. 
@@ -34,16 +34,16 @@ default browser for security authentication. **Step 2 –** Log into the Access Information Center using your domain credentials. -![Request accepted message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestaccepted.webp) +![Request accepted message](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestaccepted.webp) **Step 3 –** A message displays confirming that your response has been saved. Click **Close** to close the browser window. The requester will receive an email notification on the updated status of the request. See the -[Access Request Updated Email](updated.md) topic for an example of this email. +[Access Request Updated Email](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md) topic for an example of this email. You can view the history of requests processed for your resources in the Owner portal. See the -[Access Request History](../owners/requesthistory.md) topic for additional information. +[Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md) topic for additional information. ### Decline Request 
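Review bot: The two link rewrites in this hunk turn same-directory and sibling-directory references (`updated.md`, `../owners/requesthistory.md`) into paths that hard-code the version segment, `/docs/accessinformationcenter/12.0/...`. The relative forms were version-independent. With the absolute form, if the 12.0 tree is later copied to a new version directory, these links will still resolve to the 12.0 pages and no broken-link check will flag it. Either keep links within a versioned tree relative and make only the `/img/...` asset paths absolute, or confirm in the PR description that the docs build rewrites the version segment.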
@@ -54,20 +54,20 @@ default browser for security authentication. **Step 2 –** Log into the Access Information Center using your domain credentials. -![Decline access message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestdecline.webp) +![Decline access message](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestdecline.webp) **Step 3 –** A message displays giving you the option to add an explanation for the user before the response is processed. Any note added here is included in the email nonfiction to the requesting user. Optionally enter an explanation into the Notes box, and click **Submit**. -![Access declined message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestdeclined.webp) +![Access declined message](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/requestdeclined.webp) **Step 4 –** A message displays confirming that your response has been saved. Click **Close** to close the browser window. The requester will receive an email notification on the updated status of the request, including any -note you added. See the [Access Request Updated Email](updated.md) topic for an example of this +note you added. See the [Access Request Updated Email](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md) topic for an example of this email. You can view the history of requests processed for your resources in the Owner portal. See the -[Access Request History](../owners/requesthistory.md) topic for additional information. +[Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md) topic for additional information. 
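Review bot: Step 3 in this hunk's context still reads "included in the email nonfiction to the requesting user", which should be "email notification". The file is already being touched here, so fix it in the same change. Also, the rewritten `+note you added. See the [Access Request Updated Email](...)` line now runs far past the wrap width used by the rest of the file and leaves "email." orphaned on the following line, so re-wrap that paragraph.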
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md index d8f75d334b..a243cad88e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md 
@@ -10,19 +10,19 @@ following: When a resource owner approves your access request, you will receive an email notification. -![Access Request Accepted status update email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/updatedaccepted.webp) +![Access Request Accepted status update email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/updatedaccepted.webp) The Decision row indicates the request was accepted. On the -[Request History Page](../youraccessportal/requesthistory.md) of the Your Access portal, you will +[Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md) of the Your Access portal, you will see a green check mark in the Decision column. ## Decision Denied Email When a resource owner denies your access request, you will receive an email notification. -![Access Request Declined status update email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/updateddeclined.webp) +![Access Request Declined status update email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/email/updateddeclined.webp) The Decision row indicates the request was denied. The owner may have provided a note explaining the decision, which will be visible at the bottom. On the -[Request History Page](../youraccessportal/requesthistory.md) of the Your Access portal, you will +[Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md) of the Your Access portal, you will see a Denied icon in the Decision column. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md index a1d2afcbfb..b926b3a0de 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md @@ -17,7 +17,7 @@ For both tabs the interface also includes: The Pending Requests tab in the Access Requests interface displays information for pending requests that are awaiting an owner response. -![Access Requests interface Pending Requests tab](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacepending.webp) +![Access Requests interface Pending Requests tab](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacepending.webp) The information displayed in the table includes: 
@@ -65,24 +65,24 @@ The information displayed in the table includes: Active Directory The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to perform the following actions: -![Pending Requests tab buttons](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacependingbuttons.webp) +![Pending Requests tab buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacependingbuttons.webp) | Button | Description | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Send Reminders | Opens the Sending Reminder window, which displays the status of the notification action. The action sends email reminders to owners with pending requests. Click **OK** to close the window once the status is complete. | | View Notes | Opens the View Notes window for the selected request. Clicking on the Notes icon in the table will also open the View Notes window. Click **OK** to close the window. | -| Cancel | Opens the Cancel Request wizard. See the [Cancel Request Wizard](wizard/cancel.md) topic for additional information. | +| Cancel | Opens the Cancel Request wizard. See the [Cancel Request Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/cancel.md) topic for additional information. | ## Request History Tab The Request History tab in the Access Requests interface displays information for processed requests. 
-![Access Requests interface Request History tab](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacehistory.webp) +![Access Requests interface Request History tab](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacehistory.webp) The information displayed in the table includes: @@ -141,13 +141,13 @@ The information displayed in the table includes: Active Directory The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to perform the following actions: -![Request History tab buttons](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacehistorybuttons.webp) +![Request History tab buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/interfacehistorybuttons.webp) | Button | Description | | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| View Changes | Opens the Changes window to view all access changes for the selected trustee. See the [Changes Window](window/changes.md) topic for additional information. | +| View Changes | Opens the Changes window to view all access changes for the selected trustee. See the [Changes Window](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/changes.md) topic for additional information. | | View Notes | Opens the View Notes window for the selected request. Clicking on the Notes icon in the table will also open the View Notes window. Click **OK** to close the window. | 
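Review bot: The replaced `View Changes` row in the buttons table no longer matches the padded column width set by the `| ------------ | ---...--- |` separator and the untouched `View Notes` row. It renders the same, but the table source is now ragged and later edits will be harder to diff. Re-pad the table, or move the long target into a reference-style link so the cell keeps its original width. The same applies to the `Cancel` row in the Pending Requests table earlier in this file.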
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md index cc54d2433f..5c3de96f86 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md @@ -18,7 +18,7 @@ also have the Allow access requests option selected. **_RECOMMENDED:_** When deploying the Access Information Center in an organization to enable Self-Service Access Requests, notifications should be sent to assigned owners as well as domain -users. See the [Owner Confirmation Request Email](../resourceowners/email/confirmationrequest.md) +users. See the [Owner Confirmation Request Email](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md) topic for additional information. The Your Access portal provides domain users with the ability to view current access to managed @@ -30,7 +30,7 @@ Home page. Domain users without an Access Information Center user role who are a owners navigate to the Your Access portal with the My Access link in the Owner portal. Domain users without an Access Information Center role and who are not assigned resource ownership are directed to the Your Access portal at login. See the -[Your Access Portal Overview](youraccessportal/overview.md) topic for additional information. +[Your Access Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md) topic for additional information. Who Can Manage Self-Service Access Requests (Request Administrators)? 
@@ -43,7 +43,7 @@ Who Participates in Self-Service Access Requests? - Owners — Approve or deny access requests - Request Administrators — Manage requests and nudge owners to respond to pending requests -See the [Access Requests Interface](interface.md) section for information. +See the [Access Requests Interface](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md) section for information. ## Workflow of Self-Service Access Requests 
@@ -51,23 +51,23 @@ Prerequisites: - Self-Service Access License - Access Information Center configured to send Notifications. See the - [Notifications Page](../admin/configuration/notifications.md) topic for additional information. + [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. **NOTE:** By default, the Access Information Center is configured to send notifications only to the primary owner. However, this can be customized to send notifications to all assigned owners. - See the [Notifications Page](../admin/configuration/notifications.md) topic for additional + See the [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. - Access Information Center configured to commit AD changes - Resources and groups must be known to the Access Information Center, having been audited by Access Analyzer - Owners assigned to resources within the Resource Owners interface. See the - [Resource Owners Overview](../resourceowners/overview.md) topic for additional information. + [Resource Owners Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md) topic for additional information. - Resource is configured to Allow access requests when it is assigned an owner. See the - [Add New Resource Wizard](../resourceowners/wizard/add.md) and - [Update Resource Wizard](../resourceowners/wizard/update.md) topics for additional information. + [Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) and + [Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md) topics for additional information. - Access groups configured within the environment for resources to be managed through the Access - Information Center. 
See the [Access Groups](../resourceowners/accessgroups.md) topic for + Information Center. See the [Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. Workflow: @@ -95,5 +95,5 @@ groups. Netwrix recommends notifying them with the following information: directly to the Access Information Center website. - How to access the instructions on how to submit access requests. You can link to the - [Your Access Portal Overview](youraccessportal/overview.md) topic or download that topic and its + [Your Access Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md) topic or download that topic and its subtopics as a PDF and make it available within your corporate resources diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/overview.md index c644d7b85a..2dd8ecef5f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/overview.md 
@@ -5,25 +5,25 @@ assigned owner, it means you, the business user or data custodian, are responsib denying requests by domain users for access to your resource. When a domain user submits a request, you receive an email notification. -![User Access Request email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/request.webp) +![User Access Request email](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/request.webp) The request can be processed by using the buttons in the email, which require an Access Information -Center authentication. See the [User Access Request Email](../email/request.md) topic for additional +Center authentication. See the [User Access Request Email](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/request.md) topic for additional information. You can also process access requests through the Owner portal. -![Access Requests link in Owners Portal](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/ownersportal.webp) +![Access Requests link in Owners Portal](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/ownersportal.webp) The Owner portal displays a number next to the Access Requests link to indicate how many requests are pending your approval. Click the link to open the Access Requests page. The Access Requests page has two tabs: - Pending Requests – Shows any pending access requests waiting on your approval. See the - [Pending Access Requests](pendingrequests.md) topic for additional information. + [Pending Access Requests](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md) topic for additional information. - Request History – Shows the history of access requests for your resources. 
See the - [Access Request History](requesthistory.md) topic for additional information. + [Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md) topic for additional information. You may receive a reminder email, sent via the Access Information Center from your Request -Administrator. See the [Access Request Reminder Email](../email/reminder.md) topic for additional +Administrator. See the [Access Request Reminder Email](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/reminder.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md index edfcaec7ce..2cbee8d848 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md @@ -3,7 +3,7 @@ The Pending Requests tab of the Access Requests page accessed through the Owner portal is where you can view pending requests for your resources. -![Pending Requests tab of the Resource Owners Acces Requests page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/pendingrequests.webp) +![Pending Requests tab of the Resource Owners Acces Requests page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/pendingrequests.webp) The information displayed in the table includes: 
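Review bot: The `+` image line in the pendingrequests.md hunk carries over a typo in the alt text, "Resource Owners Acces Requests page", which should be "Access". Alt text is what screen readers and search read, and this line is being rewritten anyway, so correct it here. The same misspelling appears in the image line changed in owners/requesthistory.md.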
@@ -36,18 +36,18 @@ The information displayed in the table includes: Ownership Administrator or the assigned owner The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to perform the following actions: -![Pending Requests interface buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/pendingrequestsbuttons.webp) +![Pending Requests interface buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/owners/pendingrequestsbuttons.webp) | Button | Function | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Accept | Approves the request and triggers the Access Information Center to process the approved request, granting the requested access. The Saving request window displays the action status. Click **OK** to close the window. The request is visible on the [Access Request History](requesthistory.md). | -| Decline | Denies the request and opens the Decline Access window. See the [Decline Access Window](../window/declineaccess.md) topic for additional information. | -| More Options | Opens the Select Access window, which allows you to grant an access level other than the one requested. This is only applicable to file system and SharePoint resources. See the [Select Access Window](../window/selectaccess.md) topic for additional information. 
| +| Accept | Approves the request and triggers the Access Information Center to process the approved request, granting the requested access. The Saving request window displays the action status. Click **OK** to close the window. The request is visible on the [Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md). | +| Decline | Denies the request and opens the Decline Access window. See the [Decline Access Window](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/declineaccess.md) topic for additional information. | +| More Options | Opens the Select Access window, which allows you to grant an access level other than the one requested. This is only applicable to file system and SharePoint resources. See the [Select Access Window](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/selectaccess.md) topic for additional information. | | View Notes | Opens the View Notes window for the selected request. Clicking on the Notes icon in the table will also open the View Notes window. Click **OK** to close the window. | Once a request has been processed , it is moved from the Pending Request page to the -[Access Request History](requesthistory.md). +[Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md). diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md index 69c2a1be2d..3aa54612e5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md 
@@ -3,7 +3,7 @@ The Request History tab of the Access Requests page accessed through the Owner portal is where you can view the request history for your resources. -![Request History tab of the Resource Owners Acces Requests page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistory.webp) +![Request History tab of the Resource Owners Acces Requests page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistory.webp) The information displayed in the table includes: @@ -60,11 +60,11 @@ The information displayed in the table includes: Active Directory The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to perform the following actions: -![Request History tab buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistorybuttons.webp) +![Request History tab buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistorybuttons.webp) | Button | Description | | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/cancelrequest.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/cancelrequest.md index 3b208c5079..4e13987789 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/cancelrequest.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/cancelrequest.md @@ -2,19 +2,19 @@ The Cancel Request window opens from the Request History Page of the Your Access portal when you select to cancel an access request. See the -[Request History Page](../youraccessportal/requesthistory.md) topic for additional information. +[Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md) topic for additional information. Follow the steps to cancel an access request. **Step 1 –** On the Request History Page of the Your Access portal, select the desired request and click **Cancel**. The Cancel Request window opens to confirm the action. -![Cancel Request window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/cancelrequest.webp) +![Cancel Request window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/cancelrequest.webp) **Step 2 –** Click **Yes** to cancel the request. **NOTE:** You can click **No** to keep the pending request and close the Cancel Request window. -![Cancel Request window request has been cancelled message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/cancelrequestcomplete.webp) +![Cancel Request window request has been cancelled message](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/cancelrequestcomplete.webp) **Step 3 –** The Access Information Center starts the action. When the action completes successfully, click **OK** to close the Cancel Request window. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/changes.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/changes.md index 21b032fede..9f0ac2ddb9 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/changes.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/changes.md @@ -1,9 +1,9 @@ # Changes Window -Select the desired request on the [Request History Tab](../interface.md#request-history-tab) of the +Select the desired request on the [Request History Tab](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md#request-history-tab) of the Access Requests interface and click **View Changes**. The Changes window opens. -![Changes window](../../../../../../../static/img/product_docs/accessanalyzer/install/application/upgrade/changes.webp) +![Changes window](/img/product_docs/accessanalyzer/install/application/upgrade/changes.webp) The table displays the following information for selected trustee: 
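Review bot: The Changes window image in this hunk still points at another product's asset tree, `/img/product_docs/accessanalyzer/install/application/upgrade/changes.webp`. Every other image touched in this directory lives under `/img/product_docs/accessinformationcenter/...`. The mechanical path rewrite preserves what looks like an earlier filename collision on `changes.webp`. Please confirm that the screenshot actually shows the Access Information Center Changes window and, if it does not, point this at the correct asset under `accessrequests/window/` before merging.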
@@ -12,11 +12,11 @@ The table displays the following information for selected trustee: mark), Declined (red **x**), or Canceled (orange circle with slash) - Group Name – Name of the group where membership was modified to process the change in Active Directory. Access to File System and SharePoint resources are controlled through Access Groups. - See the [Access Groups](../../resourceowners/accessgroups.md) topic for additional information. + See the [Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. - Update Type – Indicates if group membership was added or removed to process the change - Member Name – sAMAccountName associated with the domain user whose membership was being changed **NOTE:** The table data grid functions the same way as other Access Information Center table grids. -See the [Data Grid Features](../../../general/datagrid.md) topic for additional information. +See the [Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. Click **OK** to close the window. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/declineaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/declineaccess.md index 3ce5cd0a21..c9c17e9ab9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/declineaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/declineaccess.md 
@@ -2,13 +2,13 @@ The Decline Access window opens from the Pending Access Requests Page of the Owner portal when you select to decline an access request to your resource. See the -[Pending Access Requests](../owners/pendingrequests.md) topic for additional information. Follow the +[Pending Access Requests](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md) topic for additional information. Follow the steps to decline an access request. **Step 1 –** On the Pending Access Requests Page, select the desired request and click **Decline**. The Decline Access window opens. -![Decline Access window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/declineaccess.webp) +![Decline Access window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/declineaccess.webp) **Step 2 –** Optionally enter a reason for denying the request, which will be included in the notification sent to the requester. @@ -17,7 +17,7 @@ notification sent to the requester. **NOTE:** You can click **Cancel** to close the window without denying the request. -![Saving Request window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/savingrequest.webp) +![Saving Request window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/savingrequest.webp) **Step 4 –** The Access Information Center starts the action with the status displayed in the Saving request window. When the action completes successfully, click **OK** to close the Saving request 
@@ -25,4 +25,4 @@ window. The access request has been declined and the requester sent an email notification informing them. The request is visible on the Access Request History Page. See the -[Access Request History](../owners/requesthistory.md) topic for additional information. +[Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/removeaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/removeaccess.md index 8b65215107..a7cda3c9ec 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/removeaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/removeaccess.md 
@@ -6,13 +6,13 @@ access to a resource. Follow the steps to remove your access. **Step 1 –** In the Your Access portal, select the desired resource from the list of current access and click **Remove Access**. The Remove Access window opens to confirm the action. -![Remove Access window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/removeaccess.webp) +![Remove Access window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/removeaccess.webp) **Step 2 –** Click **Yes** to cancel the remove your access for the selected resource. **NOTE:** You can click **No** to keep the access and close the Remove Access window. -![Remove Access window access removed message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/removeaccesscomplete.webp) +![Remove Access window access removed message](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/removeaccesscomplete.webp) **Step 3 –** The Access Information Center starts the action. When the action completes successfully, click **OK** to close the Remove Access window. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/selectaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/selectaccess.md index c24db84ddb..ec6db251ff 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/selectaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/selectaccess.md 
@@ -2,13 +2,13 @@ The Select Access window opens from the Pending Access Requests Page of the Owner portal and allows you to select an access level different to what has been requested. See the -[Pending Access Requests](../owners/pendingrequests.md) topic for additional information. Follow the +[Pending Access Requests](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/pendingrequests.md) topic for additional information. Follow the steps to grant a different access level. **Step 1 –** On the Pending Access Requests Page of the Owner portal, select the desired request and click **More Options**. The Select Access window opens. -![Select Access window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/selectaccess.webp) +![Select Access window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/selectaccess.webp) **Step 2 –** The drop-down menu provides alternative access levels. Options vary based on how the resource was configured for self-service. Select the desired Access Level. @@ -29,7 +29,7 @@ date: **NOTE:** You can click **Cancel** to close the window without changing the Access Level or approving the request. -![Saving Request window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/savingrequest.webp) +![Saving Request window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/window/savingrequest.webp) **Step 5 –** The Access Information Center starts the action with the status displayed on the Saving request window. When the action completes successfully, click **OK** to close the Saving Request 
@@ -37,4 +37,4 @@ window. The access has been granted and the requester sent an email notification informing them. The request is visible on the Access Request History Page. See the -[Access Request History](../owners/requesthistory.md) topic for additional information. +[Access Request History](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/requesthistory.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/cancel.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/cancel.md index a0a8385ab0..922db72017 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/cancel.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/cancel.md @@ -1,9 +1,9 @@ # Cancel Request Wizard The Cancel Request wizard is opened with the **Cancel** button on the -[Pending Requests Tab](../interface.md#pending-requests-tab) of the Access Requests interface. +[Pending Requests Tab](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md#pending-requests-tab) of the Access Requests interface. -![Cancel Request wizard Add Notes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) +![Cancel Request wizard Add Notes page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) It contains one page: 
@@ -19,13 +19,13 @@ Follow the steps to cancel an access request. **Step 1 –** On the Pending Requests tab of the Access Requests interface, select the request and click **Cancel**. The Cancel Request wizard opens. -![Cancel Request wizard Add Notes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) +![Cancel Request wizard Add Notes page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) **Step 2 –** On the Add Notes page, optionally enter a reason for canceling the request, which will be included in the e-mail notification sent to the requester. Click **Next** and the Access Information Center starts the action. -![Cancel Request wizard complete message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Cancel Request wizard complete message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 3 –** The action status displays on the page. When the cancellation action has completed (100%), click **Finish**. The Cancel Request wizard closes. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/requestaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/requestaccess.md index 703c1c0d5c..69ff7f2192 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/requestaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/requestaccess.md 
@@ -2,7 +2,7 @@ The Request Access wizard is opened with the **Request Access** button in the Your Access portal. -![Request Access Wizard Select Resource page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Request Access Wizard Select Resource page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) It contains two pages: @@ -21,7 +21,7 @@ Follow the steps to submit a resource request. **Step 1 –** In the Your Access portal, click **Request Access**. The Request Access wizard opens. -![Request Access Wizard Select Resource page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Request Access Wizard Select Resource page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) **Step 2 –** On the Select Resource page, locate the desired resources using the Search Catalog and browse options. 
@@ -61,14 +61,14 @@ indicated by the green plus (+) button, click the button to rotate through and s access level. Multiple resources can be selected using ether the Ctrl or Shift key with mouse click combinations. Click **Add** to place a selected resource into your list. -![Selected Resources Window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) +![Selected Resources Window](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) **Step 4 –** Use the **View Selections** button to open the Selected Resources window. If an extra resource is in your list, select it and click **Remove**. Click **OK** to close the window. **Step 5 –** When you selection list is set as desired, click **Next**. -![Request Access wizard Add Notes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) +![Request Access wizard Add Notes page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/addnotes.webp) **Step 6 –** On the Add Notes page, enter the following information: @@ -83,7 +83,7 @@ resource is in your list, select it and click **Remove**. Click **OK** to close **Step 7 –** Click **Next** and the Access Information Center starts the action. -![Request Access wizard request sent message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Request Access wizard request sent message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** The action status displays on the page. When the action has completed (100%), click **Finish**. The Request Access wizard closes. 
@@ -91,7 +91,7 @@ resource is in your list, select it and click **Remove**. Click **OK** to close The Access Information Center sends an email to the owner containing the note you supplied. You also receive an email about the pending request. The access request is pending until the owner approves or denies it. You can check on the status of your request on the -[Request History Page](../youraccessportal/requesthistory.md). +[Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md). When the request has been processed by the owner, you will be notified via email. See the -[Access Request Updated Email](../email/updated.md) topic for additional information. +[Access Request Updated Email](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/email/updated.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md index ec60192be2..76b670f5f3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md @@ -20,7 +20,7 @@ whether or not you have Access Information Center Console access. The Your Access portal displays your current access for resources managed through the Access Information Center. -![Your Access portal interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Your Access portal interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The information displayed in the table includes: 
@@ -43,10 +43,10 @@ The information displayed in the table includes: The buttons above and below the table enable you to perform the following actions: -![Your Access portal interface buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) +![Your Access portal interface buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) | Button | Description | | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Request Access | Opens the Request Access wizard, which allows you to submit access requests. See the [Request Access Wizard](../wizard/requestaccess.md) topic for additional information. | -| View History | Opens the Request History page, which displays information on all of your pending and processed requests. See the [Request History Page](requesthistory.md) topic for additional information. | -| Remove Access | Opens the Remove Access window, which allows you to remove access for yourself for the selected resource. See the [Remove Access Window](../window/removeaccess.md) topic for additional information. | +| Request Access | Opens the Request Access wizard, which allows you to submit access requests. See the [Request Access Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/wizard/requestaccess.md) topic for additional information. | +| View History | Opens the Request History page, which displays information on all of your pending and processed requests. See the [Request History Page](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md) topic for additional information. 
| +| Remove Access | Opens the Remove Access window, which allows you to remove access for yourself for the selected resource. See the [Remove Access Window](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/removeaccess.md) topic for additional information. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md index 98c51ec564..f030845c67 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/requesthistory.md @@ -3,7 +3,7 @@ The Request History page in the Your Access portal is where you can view the status of previously submitted requests, both pending and processed. -![Your Access portal Request History page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistory.webp) +![Your Access portal Request History page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistory.webp) The information displayed in the table includes: 
@@ -51,9 +51,9 @@ The information displayed in the table includes: The buttons below the table enable you to perform the following actions: -![Request History page buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistorybuttons.webp) +![Request History page buttons](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/requesthistorybuttons.webp) | Button | Description | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Cancel | Opens the Cancel Request window. This button is only enabled for a selected pending requests. See the [Cancel Request Window](../window/cancelrequest.md) topic for additional information. | +| Cancel | Opens the Cancel Request window. This button is only enabled for a selected pending requests. See the [Cancel Request Window](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/window/cancelrequest.md) topic for additional information. | | View Notes | Opens the View Notes window for the selected request. Clicking on the Notes icon in the table will also open the View Notes window. Click **OK** to close the window. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md index df2c0a1491..2c8860a673 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md 
@@ -18,7 +18,7 @@ Follow the steps to supply an alias server host name for notification hyperlinks **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file in a text editor, for example Notepad. -![Response Server Host Name parameter in config file](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileresponseservername.webp) +![Response Server Host Name parameter in config file](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileresponseservername.webp) **Step 2 –** Locate the `ResponseServerHostName` parameter. By default, the value is blank. If left blank, the default URL is used in notifications. Edit this parameter value by adding an alias server diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md index 7373a2aaa4..b12fce8396 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md 
@@ -15,12 +15,12 @@ interface must not only be a domain user but must also have these minimal rights When File System or SharePoint resources will be managed through the AIC, it is necessary to configure access groups for those resources in the target environment. An access group provides one of the following access levels to a specific resource: Read, Modify, or Full Control. See the -[Access Groups](../../resourceowners/accessgroups.md) topic for additional information. +[Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. **NOTE:** The Access Information Center can only commit group membership changes to domains it has access to, that is the domain where it resides or domains with a trust that are known to it. Also, the Active Directory service account must have the required permissions for all applicable domains. -See the [Multiple Domains](../configuration/activedirectory.md#multiple-domains) topic for +See the [Multiple Domains](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md#multiple-domains) topic for additional information. ## Best Practice for Least Privilege @@ -39,7 +39,7 @@ two options for assigning the Active Directory service account: is the least privileged model. - The **Use the account running this service: [domain]\[username]** option is not a least privilege option, but can be used as the Active Directory service account. See the - [Active Directory Page](../configuration/activedirectory.md) topic for additional information. + [Active Directory Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md) topic for additional information. **_RECOMMENDED:_** The best practice is to create at least two OUs for ease of organization: a security group OU and a distribution list group OU. 
@@ -51,4 +51,4 @@ If access groups assigned for resource management through the Access Information reside within an OU with the Allow Read Members and Allow Write Members rights delegated to the Active Directory service account, attempting to change Active Directory membership from within the Access Information Center will result in an error message. See the -[Service Account Delegation](../troubleshooting/delegation.md) topic for additional information. +[Service Account Delegation](/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/emailtemplates.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/emailtemplates.md index 652316a642..d7a70c5479 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/emailtemplates.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/emailtemplates.md @@ -56,7 +56,7 @@ Follow the steps to customize the email templates. **NOTE:** To successfully modify these Notifications email templates, a familiarity with basic HTML is necessary. -![Templates Zip file in the Installation Directory](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/emailtemplateszipfile.webp) +![Templates Zip file in the Installation Directory](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/emailtemplateszipfile.webp) **Step 1 –** Navigate to the Access Information Center installation directory: 
@@ -68,7 +68,7 @@ named `Templates`. **CAUTION:** The customized email templates must be in the `Templates` folder within the installation directory to be preserved during future application upgrades. -![Unzipped Email Templates in Templates Folder](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/emailtemplatesunzipped.webp) +![Unzipped Email Templates in Templates Folder](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/emailtemplatesunzipped.webp) **Step 3 –** Locate the desired HTML message template. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md index e96934e83b..44ac791680 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md @@ -62,7 +62,7 @@ table, and then click **Save**. Once configured they should show under Additional claims as below: -![Claims configured](../../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/entraidssoclaims.webp) +![Claims configured](/img/product_docs/accessanalyzer/install/application/reports/entraidssoclaims.webp) **Step 7 –** In the **Manage** > **Users and groups** section for your application, add any required users or groups to give permission to access the application. 
@@ -77,7 +77,7 @@ updated with values from Microsoft Entra ID. Follow the steps to enable the SSO _Remember,_ Enabling Entra ID SSO requires SSL to be enabled. If this was not done during the installation, then you must manually configure it. See the -[Securing the Access Information Center](../../installation/secure.md) topic for additional +[Securing the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/installation/secure.md) topic for additional information. **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file in a text editor, such as @@ -85,7 +85,7 @@ Notepad. The file is located in the Access Information Center installation direc …\Program Files\STEALTHbits\Access Information Center -![Parameters in the config file](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileentrasso.webp) +![Parameters in the config file](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileentrasso.webp) **Step 2 –** Locate the **WsFederationMetaData**, **WsFederationRealm**, and **WsFederationReply** parameters in the config file. If these are not present, then manually add them to your config file diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md index 2c975c4a05..9eb7ec476e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md 
@@ -16,7 +16,7 @@ gMSA: - Netwrix Access Information Center has been installed using one of the regular authentication methods, and not using the gMSA. See the - [Install the Access Information Center](../../installation/install.md) topic for additional + [Install the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md) topic for additional information. - If the gMSA is to be used to connect to Active Directory or an email server, the gMSA account must have the necessary rights to Active Directory and Exchange @@ -32,7 +32,7 @@ Follow the steps to configure the Netwrix Access Information Center service to r **Step 1 –** Open the Services Console. Right-click on the Netwrix Access Information Center service and select **Properties**. -![Netwrix Access Information Center service properties window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/gmsaserviceproperties.webp) +![Netwrix Access Information Center service properties window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/gmsaserviceproperties.webp) **Step 2 –** On the Log On tab of the properties window, select the **This account** option. Enter the gMSA account name and leave the password fields blank. 
@@ -59,7 +59,7 @@ Configuration page. - To configure the connection to Active Directory, select the **Active Directory** page - To configure the connection to your email server, select the **Notifications** page -![Use the windows account running this service option on Database Configuration page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/gmsadatabaseconfiguration.webp) +![Use the windows account running this service option on Database Configuration page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/gmsadatabaseconfiguration.webp) **Step 3 –** On the Configuration page, select the **Use the account running this service** option. Click **Save**. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/overview.md index 1840038ba6..3f5540ff6b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/overview.md 
@@ -3,10 +3,10 @@ In addition to the settings that are available on the Configuration interface, the following configurations and customizations can be done by Administrators: -- [Activity Days Sample for Recommendations](recommendations.md) -- [Alias Server Host Name](aliasserver.md) -- [Commit Active Directory Changes](commitchanges.md) -- [Email Templates](emailtemplates.md) -- [Timeout Parameter](timeoutparameter.md) -- [Group Managed Service Account (gMSA) Configuration](gmsa.md) -- [Microsoft Entra ID Single Sign-On](entraidsso.md) +- [Activity Days Sample for Recommendations](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/recommendations.md) +- [Alias Server Host Name](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md) +- [Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) +- [Email Templates](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/emailtemplates.md) +- [Timeout Parameter](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/timeoutparameter.md) +- [Group Managed Service Account (gMSA) Configuration](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md) +- [Microsoft Entra ID Single Sign-On](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/recommendations.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/recommendations.md index 2d459cbe95..c61a996f88 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/recommendations.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/recommendations.md 
@@ -14,7 +14,7 @@ Follow the steps to modify the activity days parameter. **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file with a text editor, for example Notepad. -![Activity Days parameter in the config file](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileactivitydays.webp) +![Activity Days parameter in the config file](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfileactivitydays.webp) **Step 2 –** Locate the `ActivityDays` parameter. By default, the value will be set to 90 days. Change the value to the desired number of Activity Days for the sample. For example, the parameter diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/timeoutparameter.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/timeoutparameter.md index afce51a330..f77fcc9f78 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/timeoutparameter.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/timeoutparameter.md @@ -19,7 +19,7 @@ Follow the steps to modify the timeout parameter. **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file with a text editor, for example Notepad. -![Timeout Parameter in the config file](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfiletimeoutparameter.webp) +![Timeout Parameter in the config file](/img/product_docs/accessinformationcenter/access/informationcenter/admin/additionalconfig/configfiletimeoutparameter.webp) **Step 2 –** Change the value for the `AuthSessionTimeout` parameter to the desired number of minutes. For example: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md index d06894317c..eb715a9cdb 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md @@ -13,7 +13,7 @@ connecting to the database. If your Database service account uses: - Windows authentication credentials — The same domain credentials are also used for the Active Directory service account -![Configuration interface showing the Active Directory page](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Configuration interface showing the Active Directory page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) There are two options for the type of Active Directory service account: @@ -21,7 +21,7 @@ There are two options for the type of Active Directory service account: - A group Managed Service Account (gMSA) can be used by configuring it to run the Netwrix Access Information Center service. See the - [Group Managed Service Account (gMSA) Configuration](../additionalconfig/gmsa.md) topic for + [Group Managed Service Account (gMSA) Configuration](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md) topic for additional information. - Use the following Active Directory account – Uses a domain account with the required permissions 
@@ -57,7 +57,7 @@ permissions and setup. Once the prerequisites are in place, it can be enabled on When checked, the **Allow this account to make changes to group membership** option uses the Active Directory service account to commit group membership changes. See the -[Commit Active Directory Changes](../additionalconfig/commitchanges.md) topic for additional +[Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information on provisioning the Active Directory service account and best practices for group and resource management through the Access Information Center @@ -70,7 +70,7 @@ the **Use the following Active Directory account** option. **Step 1 –** On the Active Directory page, enter the new password in the correct field. -![Saving configuration window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/savedchangeswindow.webp) +![Saving configuration window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/savedchangeswindow.webp) **Step 2 –** Click **Save**. Then click **OK** to confirm. After the settings are saved, a re-authentication is required to continue using the Access Information Center. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md index 86f9b6a7aa..f060aa651e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md 
@@ -4,7 +4,7 @@ Console access to the is configured through the **Configuration** > **Console Ac users to the Access Information Center requires data to be collected by the Access Analyzer .Active Directory Inventory Solution. -![Console Access Configuration page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Console Access Configuration page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) There are five levels of access, or Roles, which can be granted to domain users or groups: @@ -39,7 +39,7 @@ See the Modify the Builtin Administrator Account topic for additional informatio Once users have been granted console access, they can login with their domain credentials. Console access is not a requirement for participation as owners or domain users in the Resource Reviews and -Self-Service Access Requests workflows. See the [URL & Login](../login.md) topic for information on +Self-Service Access Requests workflows. See the [URL & Login](/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md) topic for information on how users will log in and where they are directed after login based on their assigned role or lack of role. 
@@ -47,12 +47,12 @@ of role. Follow the steps to grant domain users or groups console access. -![Console Access Configuration page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Console Access Configuration page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) **Step 1 –** In the Configuration interface on the Console Access page, click Add. The Console Access wizard opens. -![Console Access wizard showing the Select Trustee page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessaddselecttrustee.webp) +![Console Access wizard showing the Select Trustee page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessaddselecttrustee.webp) **Step 2 –** On the Select Trustee page, enter the following information and click Next: @@ -62,7 +62,7 @@ Access wizard opens. - Search — Begin typing the sAMAccountName or display name and the field will auto-populate options from Active Directory sAMAccountName -![Console Access wizard showing the Select Access page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessaddselectaccess.webp) +![Console Access wizard showing the Select Access page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessaddselectaccess.webp) **Step 3 –** On the Select Access page, enter the following information and click **Finish**: 
@@ -81,7 +81,7 @@ Access wizard opens. - Access is enabled – A user's account must be enabled in order to log into the console. Unchecking this option allows you to configure access to be granted at a future time. -![Console Access Page displaying users with various assigned roles](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccesswithusers.webp) +![Console Access Page displaying users with various assigned roles](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccesswithusers.webp) **Step 4 –** The new user displays in the list on the Console Access page. Repeat these steps for each trustee to be granted console access. @@ -101,7 +101,7 @@ additional information. **Step 1 –** In the Configuration interface on the Console Access page, select the user to be modified and click Modify. The Console Access wizard opens to the Select Access page. -![Console Access wizard showing the Select Access page when modifying](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessmodify.webp) +![Console Access wizard showing the Select Access page when modifying](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessmodify.webp) **Step 2 –** Modify the desired settings and click **Finish**: 
@@ -129,7 +129,7 @@ user is to disable their access. See the Modify Console Users topic for addition Follow the steps to remove a user’s configured console access. -![Console Access Page showing various user accounts, with one selected enabling the Modify and Remove buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessremove.webp) +![Console Access Page showing various user accounts, with one selected enabling the Modify and Remove buttons](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessremove.webp) **Step 1 –** In the Configuration interface on the Console Access page, select the user. @@ -142,7 +142,7 @@ The user is removed from the list on the Console Access page. The Builtin Administrator account can be disabled or its password can be changed. Follow the steps to modify this account. -![modifybuiltinadministrator](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/modifybuiltinadministrator.webp) +![modifybuiltinadministrator](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/modifybuiltinadministrator.webp) **Step 1 –** In the Configuration interface on the Console Access page, select the Builtin Administrator account and click **Modify**. The Builtin Administrator window opens. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md index 36877cb157..3d68c71b6b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md 
@@ -4,7 +4,7 @@ The Access Information Center must have access to the SQL Server hosting the dat configured during installation. If it is necessary to modify these setting after installation, that is done on the Database Page of the Configuration interface. -![Configuration interface showing the Database page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/database.webp) +![Configuration interface showing the Database page](/img/product_docs/threatprevention/threatprevention/install/database.webp) SQL Server database information: @@ -35,7 +35,7 @@ Database service account information: - A group Managed Service Account (gMSA) can be used by configuring it to run the Netwrix Access Information Center service. See the - [Group Managed Service Account (gMSA) Configuration](../additionalconfig/gmsa.md) topic for + [Group Managed Service Account (gMSA) Configuration](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md) topic for additional information. - Use the following SQL account – Uses SQL Authentication to the database. Provide the properly diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md index 1f50e28003..f5249de1e7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md 
@@ -3,7 +3,7 @@ Download logs and enable debug log level for troubleshooting with Netwrix Support on the Diagnostics page of the Configuration interface. -![Configuration interface showing the Diagnostics page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/diagnostics.webp) +![Configuration interface showing the Diagnostics page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/diagnostics.webp) When requested by [Netwrix Support](https://www.netwrix.com/support.html), click Download Logs to download the archive of all application logs. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/license.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/license.md index 0a2b13695e..49b0fd9240 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/license.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/license.md @@ -8,7 +8,7 @@ with your Netwrix Account Representative. If the features displayed in this tab features actually licensed, contact [Netwrix Support](https://www.netwrix.com/support.html). See the Upload License topic for information on updating the license key. -![Configuration interface showing the License page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/license.webp) +![Configuration interface showing the License page](/img/product_docs/activitymonitor/activitymonitor/install/agent/license.webp) The Access Information Center version is displayed at the top. Then the following product features are controlled through the license: 
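Review bot: In license.md (hunk at line 8), the License page screenshot resolves to `/img/product_docs/activitymonitor/activitymonitor/install/agent/license.webp`, which sits under a different product's image directory. The path rewrite carries that over unchanged from the old relative path, so this change does not introduce it, but it is a good moment to confirm that the image is the intended Access Information Center screenshot. The same pattern is visible in database.md (image under `threatprevention/`) and notifications.md (image under `1secure/`), while the other images in these files live under `accessinformationcenter/`.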
@@ -41,14 +41,14 @@ Follow the steps to update the license key. **NOTE:** The LIC file must be named to `StealthAUDIT.lic`. If it has another name, rename it before completing the steps. -![Configuration interface showing the License page with unlicensed features](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/licenseunlicensedfeatures.webp) +![Configuration interface showing the License page with unlicensed features](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/licenseunlicensedfeatures.webp) **Step 1 –** In the Configuration interface on the License page, click **Upload New License**. **Step 2 –** Navigate to the license key location. Select the `StealthAUDIT.lic` file and click **Open**. -![Complete window confirming new license is uploaded](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/licenseupdated.webp) +![Complete window confirming new license is uploaded](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/licenseupdated.webp) **Step 3 –** When the upload is complete, click **OK**. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md index 6c4e02233b..675bb6b771 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md 
@@ -4,7 +4,7 @@ The Access Information Center uses the Simple Mail Transfer Protocol (SMTP) to s SMTP server information and several messaging options can be set through the Configuration > Notifications page. -![Notifications Page](../../../../../../../static/img/product_docs/1secure/admin/notifications.webp) +![Notifications Page](/img/product_docs/1secure/admin/notifications.webp) At the top, the SMTP server and email security settings are configured. The Notification options is where you configure the sender information, and other optional settings. The Reminders section is @@ -17,7 +17,7 @@ SMTP server settings from Access Analyzer should be populated automatically. SMT can be supplied and modified on the Notifications page. Follow the steps to configure or modify the SMTP settings. -![Notifications page SMTP server settings section](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsserversettings.webp) +![Notifications page SMTP server settings section](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsserversettings.webp) **Step 1 –** In the Configuration interface, select the Notifications page. @@ -50,7 +50,7 @@ email/messaging administrator who will know the proper value for the SMTP port. used to authenticate to the SMTP server. - A group Managed Service Account (gMSA) can be used by configuring it to run the Netwrix Access Information Center service. See the - [Group Managed Service Account (gMSA) Configuration](../additionalconfig/gmsa.md) topic + [Group Managed Service Account (gMSA) Configuration](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/gmsa.md) topic for additional information. - Use the following AD Account 
@@ -60,12 +60,12 @@ email/messaging administrator who will know the proper value for the SMTP port. - Select this radio button to specify either domain account or a traditional SMTP account and password to authenticate to the SMTP server. -![Test Settings window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestsettings.webp) +![Test Settings window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestsettings.webp) **Step 5 –** Click **Test Settings** to ensure a connection to the SMTP server. The Test Settings window opens. Enter a valid email address and click **OK**. -![Testing your settings window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestconfirm.webp) +![Testing your settings window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestconfirm.webp) **Step 6 –** If the SMTP settings are configured correctly, you receive a successful message. Click **OK** to close the Testing your settings window. The test recipient should have recieved a test @@ -84,7 +84,7 @@ additional Notification options. Once the SMTP server is configured, there are additional options. Only the Reply-To field must be populated: -![Notifications page showing Notification Options section](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsnotificationoptions.webp) +![Notifications page showing Notification Options section](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsnotificationoptions.webp) - Reply-To — The email address that receives responses to notifications sent by the application. This can be a “no reply” address. 
@@ -109,7 +109,7 @@ Resource Owners receive notification email when there are new pending tasks asso resources. You can also set up automated weekly reminders for outstanding pending tasks. Follow the steps to configure weekly reminders to resource owners. -![Notifications page showing the Reminders section](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsreminders.webp) +![Notifications page showing the Reminders section](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsreminders.webp) **Step 1 –** In the Configuration interface, select the Notifications page and scroll down to the Reminders section. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md index 31b7050b68..e3de530695 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md 
@@ -3,16 +3,16 @@ The Configuration interface is available only to users with the Administrator role. It is opened by the **Configure Console** link on the Home page. -![Configuration interface showing the Console Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Configuration interface showing the Console Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) It has the following pages: -- [Active Directory Page](activedirectory.md) – Configure the Active Directory service account used +- [Active Directory Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md) – Configure the Active Directory service account used to add console users. Optionally, enable the Access Information Center to commit changes in Active Directory. -- [Console Access Page](consoleaccess.md) – Grant users console access -- [Database Page](database.md) – Configure the connection to the database -- [Diagnostics Page](diagnostics.md) – Download logs and enable debug log level for troubleshooting -- [License Page](license.md) – View license details and upload a new license -- [Notifications Page](notifications.md) – Configure the SMTP server, email security settings, +- [Console Access Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md) – Grant users console access +- [Database Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md) – Configure the connection to the database +- [Diagnostics Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md) – Download logs and enable debug log level for troubleshooting +- [License Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/license.md) – View license details and upload a new license +- [Notifications 
Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) – Configure the SMTP server, email security settings, notification options, and owner reminder settings diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md index 87862a86b4..616cef528d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md @@ -3,11 +3,11 @@ The installer places the following icon on the desktop which opens the Access Information Center with the independent URL: -![Desktop Icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) +![Desktop Icon](/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) Use this icon to launch the Access Information Center for the first time. -![AIC Login Page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/loginpage.webp) +![AIC Login Page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/loginpage.webp) The Access Information Center is installed with a Builtin Administrator account. Use the following login credential for the first launch: @@ -17,7 +17,7 @@ login credential for the first launch: You will be prompted to change the Builtin Administrator password. -![Change Administrator Password propmt](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/changeadminpassword.webp) +![Change Administrator Password propmt](/img/product_docs/accessinformationcenter/access/informationcenter/admin/changeadminpassword.webp) The new password must be eight or more characters long. After setting the password, you will need to login with the Builtin Administrator account. 
@@ -28,19 +28,19 @@ Administrator account. See the [Modify the Builtin Administrator Account](configuration/consoleaccess.md#modify-the-builtin-administrator-account) topic for additional information. -![Home page for the Builtin Admin account on first launch](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/builtinadminhome.webp) +![Home page for the Builtin Admin account on first launch](/img/product_docs/accessinformationcenter/access/informationcenter/admin/builtinadminhome.webp) After changing the Builtin Administrator password at first launch, you will be asked to login again. The Home page opens. The first thing that should be done is to configure console access for domain users. Additionally, other settings can be configured or modified through the Configuration interface. Click **Configure Console** in the Your Links section to open the Configuration -interface. See the [Console Access Page](configuration/consoleaccess.md) topic for additional +interface. See the [Console Access Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md) topic for additional information. Once console access to the has been configured, there are a few login methods you can offer users. The features available to users are controlled by the role assigned and your license key. See the -[URL & Login](login.md) topic for information on how users will log in and where they are directed +[URL & Login](/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md) topic for information on how users will log in and where they are directed after login. -See the [Navigation](navigate.md) topic for information on each of the interfaces and portals +See the [Navigation](/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md) topic for information on each of the interfaces and portals accessible from the Home page. 
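Review bot: In firstlaunch.md (hunk at line 28), the context line `[Modify the Builtin Administrator Account](configuration/consoleaccess.md#modify-the-builtin-administrator-account)` is still a relative link, while the `configuration/consoleaccess.md`, `login.md` and `navigate.md` links a few lines below it are converted to absolute paths. If the conversion is meant to cover every internal link in the file, convert this one as well; if it is left relative on purpose, say so in the commit message so the mixed style is not read as an oversight.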
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/gettingstarted.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/gettingstarted.md index 2b254a3146..5a7daf2d3a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/gettingstarted.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/gettingstarted.md @@ -3,7 +3,7 @@ The Access Information Center is installed with a Builtin Administrator account used to enable console access. Launch the Access Information Center using the desktop icon for the first time and set the password for the Builtin Administrator account. Then log in with that account. See the -[First Launch](firstlaunch.md) topic for additional information. +[First Launch](/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md) topic for additional information. ## Initial Configuration @@ -11,7 +11,7 @@ Next, configure the Access Information Center for your environment: - Console Users — Grant users access to the application starting with an Administrator account. There are five levels of access: Administrator, Security Team, Reader, Data Privacy, and User - Access Administrator. See the [Console Access Page](configuration/consoleaccess.md) topic for + Access Administrator. See the [Console Access Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md) topic for information. - Optionally, disable the Builtin Administrator account. See the 
@@ -20,9 +20,9 @@ Next, configure the Access Information Center for your environment: - Active Directory Service Account — Provide the service account to be used for accessing Active Directory. Optionally, enable the application to make group membership changes. See the - [Active Directory Page](configuration/activedirectory.md) topic for information. + [Active Directory Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md) topic for information. - Notification — Configure the Notification settings required in order for the application to send - email. See the [Notifications Page](configuration/notifications.md) topic for information. + email. See the [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for information. ## Enable Console Users 
@@ -37,22 +37,22 @@ Access Information Center users granted one of the available roles should be not You should also provide links to the appropriate topics based on the user's role: - Reader and Data Privacy — Send the URL link for the - [Resource Audit Overview](../resourceaudit/overview.md) topic + [Resource Audit Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md) topic - Security Team — Need topics that align to the work the will be doing in the Access Information Center: - Accessing Resource Audits — Send the URL link for the - [Resource Audit Overview](../resourceaudit/overview.md) topic + [Resource Audit Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md) topic - Ownership Administrator — Send the URL link for the - [Resource Owners Overview](../resourceowners/overview.md) topic + [Resource Owners Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md) topic - Review Administrator — Send the URL link for the - [Resource Reviews Overview](../resourcereviews/overview.md) topic + [Resource Reviews Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md) topic - Request Administrator — Send the URL link for the - [Access Requests Overview](../accessrequests/overview.md) topic + [Access Requests Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md) topic -- Administrator — Send the URL link for the [Administrator Overview](overview.md) topic +- Administrator — Send the URL link for the [Administrator Overview](/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md) topic - User Access Administrator — Send the URL link for the - [Console Access Page](configuration/consoleaccess.md) topic + [Console Access Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md) topic ## Resource 
Ownership Configuration @@ -61,9 +61,9 @@ application. Also, ownership of resources must be assigned in order to use the R Access Requests workflows. - Resource Ownership — Assign ownership for resources to be managed through the application. See the - [Resource Owners Interface](../resourceowners/interface.md) topic for additional information. + [Resource Owners Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md) topic for additional information. - Enable Owners — Send a notification to your owners about resource ownership with the application. - See the [Notification to Owners](../resourceowners/overview.md#notification-to-owners) topic for + See the [Notification to Owners](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md#notification-to-owners) topic for additional information. ## Resource Review Workflow @@ -79,7 +79,7 @@ workflow consists of: **_RECOMMENDED:_** Set expectations for response time from owners. Reviews can be run multiple times, maintaining a historical record for each instance. See the -[Resource Reviews Overview](../resourcereviews/overview.md) topic for additional information. +[Resource Reviews Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md) topic for additional information. ## Access Requests Workflow 
@@ -89,8 +89,8 @@ consists of: - Enable Domain Users — Send a notification to your domain users about access requests with the Access Information Center. See the - [Notification to Domain Users](../accessrequests/overview.md#notification-to-domain-users) topic + [Notification to Domain Users](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md#notification-to-domain-users) topic for additional information. - Owner Response — Set expectations for response time from owners -See the [Access Requests Overview](../accessrequests/overview.md) topic for additional information. +See the [Access Requests Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md index 5e01223446..4374cb05f2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md @@ -44,7 +44,7 @@ administrators may be necessary to make the web server accessible to remote user configurations, DNS settings, etc.). The server name in the URL can be replaced with an alias. See the -[Alias Server Host Name](additionalconfig/aliasserver.md) topic for additional information. +[Alias Server Host Name](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/aliasserver.md) topic for additional information. ## Login Page 
@@ -54,17 +54,17 @@ Access Information Center, then the username needs to be entered in the `domain\ **NOTE:** The URL may need to be added to the browser’s list of trusted sites. -![AIC Login page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/loginpage.webp) +![AIC Login page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/loginpage.webp) The Access Information Center login page displays the Netwrix Access Analyzer (formerly Enterprise Auditor) logo at the top and the browser tab is named Access Information Center. Logging in here will take users directly to the Access Information Center. The interface a user arrives at depends -upon the assigned role or lack of assigned role. See the [User Landing Page](userlanding.md) topic +upon the assigned role or lack of assigned role. See the [User Landing Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md) topic for information on where different types of users are directed after login. ## Web Console Login Page -![Web Console Login page](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/webconsolelogin.webp) +![Web Console Login page](/img/product_docs/accessanalyzer/install/application/reports/webconsolelogin.webp) The Access Analyzer Web Console login page displays the Netwrix Access Analyzer (formerly Enterprise Auditor) logo at the top and the browser tab is named Netwrix Access Analyzer (formerly Enterprise 
@@ -74,17 +74,17 @@ users to the Access Analyzer Reports home page. Follow the steps to open the Access Information Center. -![Menu icon on Web Console home page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/accessfromwebconsole.webp) +![Menu icon on Web Console home page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/accessfromwebconsole.webp) **Step 1 –** On any page of the Web Console, click the menu icon to the left of the Netwrix Access Analyzer (formerly Enterprise Auditor) logo. -![Apps slide-out menu](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/accessfromwebconsoleappsmenu.webp) +![Apps slide-out menu](/img/product_docs/accessinformationcenter/access/informationcenter/admin/accessfromwebconsoleappsmenu.webp) **Step 2 –** On the Apps slide-out menu, click Access Information Center. -![AIC opened from the Web Console](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/aicfromwebconsole.webp) +![AIC opened from the Web Console](/img/product_docs/accessinformationcenter/access/informationcenter/admin/aicfromwebconsole.webp) The Access Information Center opens in a new tab in your browser. The interface a user arrives at -depends upon the assigned role or lack of assigned role. See the [User Landing Page](userlanding.md) +depends upon the assigned role or lack of assigned role. See the [User Landing Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md) topic for information on where different types of users are directed after login. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md index 5a2d99c83b..9790c918d2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md @@ -3,7 +3,7 @@ The Access Information Center has several interfaces for viewing reports and using the available workflows. Upon login, users granted console access are brought to the Home page. -![Administrator user home page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeadmin.webp) +![Administrator user home page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeadmin.webp) The signed in user is displayed in the upper-right corner, along with the **Sign out** link. The options enabled on the Home page change according to what components are licensed as well as the @@ -16,7 +16,7 @@ Directory service account, notification settings, database access, and diagnosti Additionally you can view license details and upload a new license. This interface is available only to users with the Administrator role. See the -[Configuration Interface Overview](configuration/overview.md) topic for additional information. +[Configuration Interface Overview](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md) topic for additional information. **NOTE:** Users with the User Access Administrator role have access only to the Console Access page of the Configuration interface. 
@@ -37,7 +37,7 @@ Owners** button is associated to the Access Requests and Entitlement Reviews lic Center. This interface is available only to users with either the Security Team or Administrator role. See -the [Resource Owners Interface](../resourceowners/interface.md) topic for additional information. +the [Resource Owners Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md) topic for additional information. The **Resource Reviews** button opens the Manage Reviews interface. Create and manage reviews. There are four types of reviews for resources being managed within the Access Information Center: access, @@ -49,7 +49,7 @@ Reviews license feature. Active Directory is an optional component of the Resource Reviews workflow. This interface is available only to users with either the Security Team or Administrator role. See -the [Resource Reviews Interface](../resourcereviews/interface.md) topic for additional information. +the [Resource Reviews Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md) topic for additional information. The **Access Requests** button opens the Access Requests interface. View pending and historical access requests and send reminders to owners. This does require the Access Information Center to be @@ -59,7 +59,7 @@ the target environment for the resources being managed by the Access Information **Access Requests** button is associated to the Access Requests license feature. This interface is available only to users with either the Security Team or Administrator role. See -the [Access Requests Interface](../accessrequests/interface.md) topic for additional information. +the [Access Requests Interface](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md) topic for additional information. For Reader, Data Privacy, Security Team, & Administrator 
@@ -68,12 +68,12 @@ groups, computers, and sensitive content. Reports are available for resources sc Access Analyzer (formerly Enterprise Auditor). It is available to all console users with the minimum of Reader role. Assigned owners without a user role can access this interface through the Owner portal, but it is scoped to only the owned resource. See the -[Access Requests Interface](../accessrequests/interface.md) topic for additional information. +[Access Requests Interface](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/interface.md) topic for additional information. The Search Features include a **Search** bar and a **Recent Searches** box on the Home page. These features will direct you to the reports for the selected object: resource, user, group, computer, or sensitive content. These features are available to all users with an assigned user role. See the -[Search Features](../resourceaudit/navigate/search.md) topic for additional information. +[Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. For Assigned Owner @@ -88,7 +88,7 @@ Requests workflows. The Owner portal is available to any domain user who has been assigned ownership of a resource or group within the Access Information Center. See the -[Owner Portal Overview](../resourceowners/ownerportal/overview.md) topic for additional information. +[Owner Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md) topic for additional information. For All Domain Users 
@@ -98,7 +98,7 @@ access to resources managed through the Access Information Center, view their ow resources, and view access request history. It is part of the Self-Service Access Requests workflow. The Your Access portal is available to any domain user in the target environment. See the -[Your Access Portal Overview](../accessrequests/youraccessportal/overview.md) topic for additional +[Your Access Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md) topic for additional information. ## Interface Quick Reference diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md index 3fab848b5e..6ef03bb32e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md 
@@ -3,10 +3,10 @@ Access Information Center administrators have access to the Configuration interface where there application settings reside. This topic covers: -- [Getting Started](gettingstarted.md) -- [First Launch](firstlaunch.md) -- [Navigation](navigate.md) -- [Configuration Interface Overview](configuration/overview.md) -- [Additional Configuration Options](additionalconfig/overview.md) -- Instructions on how different users access the application (see the [URL & Login](login.md) topic) -- [Troubleshooting](troubleshooting/overview.md) +- [Getting Started](/docs/accessinformationcenter/12.0/access/informationcenter/admin/gettingstarted.md) +- [First Launch](/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md) +- [Navigation](/docs/accessinformationcenter/12.0/access/informationcenter/admin/navigate.md) +- [Configuration Interface Overview](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/overview.md) +- [Additional Configuration Options](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/overview.md) +- Instructions on how different users access the application (see the [URL & Login](/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md) topic) +- [Troubleshooting](/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/overview.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/credentialpasswords.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/credentialpasswords.md index 47af0a9c6c..8656694f74 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/credentialpasswords.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/credentialpasswords.md 
@@ -14,7 +14,7 @@ may be impacted by password changes or security policies: The Database service account grants access to the SQL Server database. It can be updated on the Database page of the Configuration interface. See the -[Update the Database Service Account Password](../configuration/database.md#update-the-database-service-account-password) +[Update the Database Service Account Password](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md#update-the-database-service-account-password) topic for instructions. ## Active Directory Service Account @@ -22,7 +22,7 @@ topic for instructions. The Active Directory service account handles user authentication to the Access Information Center. It can be updated on the Active Directory page of the Configuration interface. It is also used to commit changes in Active Directory, if that feature has been enabled. See the -[Update the Active Directory Service Account Password](../configuration/activedirectory.md#update-the-active-directory-service-account-password) +[Update the Active Directory Service Account Password](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md#update-the-active-directory-service-account-password) topic for instructions. ## SMTP Authentication Service Account @@ -30,7 +30,7 @@ topic for instructions. An SMTP server is required for the application to send notifications. If the SMTP server requires authentication, the service account can be updated on the Notifications page of the Configuration interface. See the -[Configure SMTP Server Settings](../configuration/notifications.md#configure-smtp-server-settings) +[Configure SMTP Server Settings](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md#configure-smtp-server-settings) topic for instructions. ## Builtin Administrator Account 
@@ -40,5 +40,5 @@ It is used to complete the initial configuration steps and to grant console acce This account can be disabled after Administrator users are added. However, if it is enabled and a security policy requires the password to be reset, it can be updated on the Console Access page of the Configuration interface. See the -[Modify the Builtin Administrator Account](../configuration/consoleaccess.md#modify-the-builtin-administrator-account) +[Modify the Builtin Administrator Account](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account) topic for modification instructions. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md index 8f04cd659d..c64b2ed42b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md 
@@ -4,22 +4,22 @@ Delegation can be used to grant the Active Directory service account the minimal allow the Access Information Center to commit changes in Active Directory. Apply delegation to the OUs housing the security and distribution list groups to be managed to grant the rights of Allow Read Members and Allow Write Members to the service account. See the -[Commit Active Directory Changes](../additionalconfig/commitchanges.md) topic for best practices for +[Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for best practices for group and resource management through the Access Information Center. Follow the steps to apply delegation to the desired OUs. -![Active Directory Users and Computers showing right-click menu](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrol.webp) +![Active Directory Users and Computers showing right-click menu](/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrol.webp) **Step 1 –** In Active Directory Users and Computers, right-click on the OU housing the groups to be managed. Select **Delegate Control**. The Delegation of Control Wizard opens. -![Delegation of Control wizard showing the Users or Groups page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrolwizarduser.webp) +![Delegation of Control wizard showing the Users or Groups page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrolwizarduser.webp) **Step 2 –** Navigate to the Users or Groups page. Click **Add**. Enter the Active Directory service account. Click **Next**. 
-![Delegation of Control wizard showing the Tasks to Delegate page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrolwizardtask.webp) +![Delegation of Control wizard showing the Tasks to Delegate page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/delegatecontrolwizardtask.webp) **Step 3 –** Navigate to the Tasks to Delegate page. Select the **Delegate the following tasks** option and check the **Modify the membership of a group** task. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/loglevel.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/loglevel.md index 44f3f73678..0e2bef45b3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/loglevel.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/loglevel.md @@ -10,7 +10,7 @@ Follow the steps to modify the log level. **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file in a text editor, for example Notepad. -![Log Level parameter in the config file](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/loglevel.webp) +![Log Level parameter in the config file](/img/product_docs/accessinformationcenter/access/informationcenter/admin/troubleshooting/loglevel.webp) **Step 2 –** The level value is set in the `LogLevel` parameter, where 0 is the default level. As the logging level increases from 0 to 3, the types of information and level of detail included diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/overview.md index 12888fd45e..39e3e296ad 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/overview.md 
@@ -8,22 +8,22 @@ Service Account Delegation Delegation can be used to grant the Active Directory service account the minimal rights necessary to allow the Access Information Center to commit changes in Active Directory. See the -[Service Account Delegation](delegation.md) topic for additional information. +[Service Account Delegation](/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/delegation.md) topic for additional information. Log File By default the Access Information Center is configured to log at the Error level. When requested by Netwrix Support, you can enable Debug level from the Diagnostics page of the Configuration -interface. See the [Diagnostics Page](../configuration/diagnostics.md) topic for additional +interface. See the [Diagnostics Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/diagnostics.md) topic for additional information. If a different log level is needed or desired, the `aic.log` file can be modified. See the -[Change Log Level](loglevel.md) topic for additional information. +[Change Log Level](/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/loglevel.md) topic for additional information. Credential Password Changes The Access Information Center uses several different types of service accounts. If a credential password for one of these accounts is no longer valid, it will impact application functionality. Additionally, if the Builtin Administrator account remains enabled, it may be necessary to reset the -password. See the [Update Credential Passwords](credentialpasswords.md) topic for additional +password. See the [Update Credential Passwords](/docs/accessinformationcenter/12.0/access/informationcenter/admin/troubleshooting/credentialpasswords.md) topic for additional information. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md b/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md index 589f12ed2b..8ffd2d8b24 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/admin/userlanding.md @@ -12,7 +12,7 @@ additional information. Users granted the Administrator role are directed to the Home page upon login with access to all interfaces based on your organizations licensed features. -![Administrator user home page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeadmin.webp) +![Administrator user home page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeadmin.webp) Administrators are the only ones with access to the Configuration interface through the **Configure Console** link. The Manage Your Resources link is available if the logged in user is also assigned @@ -23,7 +23,7 @@ Requests workflow has been enabled. Users granted the Security Team role are directed to the Home page upon login. -![Home page for Security Team role](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homesecurityteam.webp) +![Home page for Security Team role](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homesecurityteam.webp) Available buttons are limited by the organization’s license. Security Team members only lack access to the Configuration interface, which is only available to Administrators. The Manage Your Resources 
@@ -34,7 +34,7 @@ Access link is available if the Self-Service Access Requests workflow has been e Users granted the Reader role are directed to the Home page upon login. -![Home page for Reader role](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homereader.webp) +![Home page for Reader role](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homereader.webp) These users only have access to the Resource Audit interfaces and Search feature. The Manage Your Resources link is available if the logged in user is also assigned ownership of a resource. The @@ -44,7 +44,7 @@ Manage Your Access link is available if the Self-Service Access Requests workflo Users granted the Data Privacy role are directed to the Home page upon login. -![Home page for Data Privacy role](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homedataprivacy.webp) +![Home page for Data Privacy role](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homedataprivacy.webp) These users only have access to the Search feature. The Manage Your Resources link is available if the logged in user is also assigned ownership of a resource. The Manage Your Access link is @@ -55,7 +55,7 @@ available if the Self-Service Access Requests workflow has been enabled. Users granted the User Access Administrator role are directed to the Console Access page in the Configuration interface upon login. -![Home page for User Access Administrator role](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeuseraccessadmin.webp) +![Home page for User Access Administrator role](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeuseraccessadmin.webp) These users only have access to the Console Access page. 
@@ -64,7 +64,7 @@ These users only have access to the Console Access page. Users assigned ownership of a resource but not granted a user role are directed to the Owner portal upon login. -![Home page for Resource Owner with no assigned role](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeresourceowner.webp) +![Home page for Resource Owner with no assigned role](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeresourceowner.webp) Features available to owners is dependent upon the features enabled by the Owner Administrators. @@ -74,6 +74,6 @@ Users not granted a user role and not assigned resource ownership are directed t portal upon login if the Self-Service Access Requests workflow has been enabled for your organization. -![Home page for user with no User Role or Resource Ownership](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeyouraccess.webp) +![Home page for user with no User Role or Resource Ownership](/img/product_docs/accessinformationcenter/access/informationcenter/admin/homeyouraccess.webp) Users can view current access, request access, and view request history. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/home.md b/docs/accessinformationcenter/12.0/access/informationcenter/home.md index 67a4c3d226..32d6dc7b32 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/home.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/home.md 
@@ -1,34 +1,34 @@ # Netwrix Access Analyzer (formerly Enterprise Auditor) v12.0 Access Information Center -- [Installation Overview](installation/overview.md) topic and subtopics cover the prerequisites, +- [Installation Overview](/docs/accessinformationcenter/12.0/access/informationcenter/installation/overview.md) topic and subtopics cover the prerequisites, installation process, steps for securing the Access Information Center, and upgrade process. -- [Administrator Overview](admin/overview.md) topic and subtopics cover configuration settings, +- [Administrator Overview](/docs/accessinformationcenter/12.0/access/informationcenter/admin/overview.md) topic and subtopics cover configuration settings, enabling user access, and navigation. The Console Configuration interface is only available to users with Administrator access. -- [Resource Audit Overview](resourceaudit/overview.md) topic and subtopics cover reports on +- [Resource Audit Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md) topic and subtopics cover reports on resources, users, groups, computer, and sensitive content. The Resource Audit and Search interfaces are available to users with assigned roles and to owners assigned to specific resources and groups. -- [Resource Owners Overview](resourceowners/overview.md) topic and subtopics cover the process of +- [Resource Owners Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md) topic and subtopics cover the process of managing ownership of resources and groups through the Access Information Center. The Resource Owners interface is available to users with either Security Team or Administrator access. Managing ownership is core component for both the Resource Reviews and the Self-Service Access Requests workflows. 
- - [Resource Ownership with the Access Information Center](resourceowners/owneroverview.md) topic + - [Resource Ownership with the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/owneroverview.md) topic and subtopics are written for assigned owners. -- [Resource Reviews Overview](resourcereviews/overview.md) topic and subtopics cover the process of +- [Resource Reviews Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md) topic and subtopics cover the process of managing resource reviews through the Access Information Center. The Resource Review workflow enables business owners to conduct resource and group reviews and recommend changes. It is necessary to first assign resource Owners in the Resource Owners interface. The Resource Reviews interface is available to users with either Security Team or Administrator access. -- [Access Requests Overview](accessrequests/overview.md) topic and subtopics cover the Self-Service +- [Access Requests Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md) topic and subtopics cover the Self-Service Access Requests workflow, which enables domain users to request access to resources or to request membership in Active Directory groups or distribution lists. The approval process involves the business owners, so it is necessary to first assign resource Owners in the Resource Owners interface. The Access Requests interface is available to users with either Security Team or Administrator access. - - [Your Access Portal Overview](accessrequests/youraccessportal/overview.md) topic and subtopics + - [Your Access Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md) topic and subtopics are written for domain users who want to request access or view their own request history. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md b/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md index 79c919a92b..0ef9d5e4a6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md @@ -9,16 +9,16 @@ information. **Step 1 –** Run the `AccessInformationCenter.exe` executable and the Netwrix Access Information Center Setup wizard opens. -![Netwrix Access Information Center Setup Wizard Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Netwrix Access Information Center Setup Wizard Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Next** to begin the installation process. -![AIC Setup Wizard End-User License Agreement page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![AIC Setup Wizard End-User License Agreement page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** On the End-User License Agreement page, select the **I accept the terms in the License Agreement** checkbox and click **Next**. -![AIC Setup Wizard Destination Folder page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![AIC Setup Wizard Destination Folder page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 4 –** On the Destination Folder page, you can choose between the default destination folder and a custom folder. Click **Change** to browse for a different location. When the destination is 
@@ -27,7 +27,7 @@ set as desired, click **Next**. **NOTE:** The default location is `C:\Program Files\STEALTHbits\Access Information Center\`. There are no specific requirements for changing the path. -![AIC Setup Wizard SQL Server Connection page](../../../../../../static/img/product_docs/accessanalyzer/install/application/sqlserver.webp) +![AIC Setup Wizard SQL Server Connection page](/img/product_docs/accessanalyzer/install/application/sqlserver.webp) **Step 5 –** On the SQL Server Connection page, provide the required database information. Click **Next** to test the connection to the SQL Server. If there are no errors, the next wizard page @@ -53,10 +53,10 @@ opens. **NOTE:** The Server and Database information are available in the Access Analyzer Console in the **Settings** > **Storage** node, and will be auto-populated if installing the Access Information Center on the same server as Access Analyzer. The Database settings can be modified after -installation. See the [Database Page](../admin/configuration/database.md) topic for additional +installation. See the [Database Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/database.md) topic for additional information. -![AIC Setup Wizard Configure Web Server page](../../../../../../static/img/product_docs/accessanalyzer/admin/action/survey/webserver.webp) +![AIC Setup Wizard Configure Web Server page](/img/product_docs/accessanalyzer/admin/action/survey/webserver.webp) **Step 6 –** On the Configure Web Server page, select the URL protocol and port on which the application will be accessible. 
@@ -73,7 +73,7 @@ Access Information Center. When the protocol and port are set as desired, click **Next**. If you selected the http option, skip to step 8. -![AIC Setup Wizard Configure Server Certificate page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificate.webp) +![AIC Setup Wizard Configure Server Certificate page](/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificate.webp) **Step 7 –** On the Configure Server Certificate page, provide the certificate for the SSL binding. @@ -82,13 +82,13 @@ to step 8. - Click **Browse** to open the file explorer window. Browse to the folder where the certificate is located and select the certificate, then click **Open**. - ![Certificate Password window](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/certificatepassword.webp) + ![Certificate Password window](/img/product_docs/accessinformationcenter/access/informationcenter/installation/certificatepassword.webp) - On the Certificate Password window, enter the password for the certificate. Click **OK**. - The certificate information is displayed in the fields. Optionally, select the **Import the certificate to the personal on the local machine for local browsing** option. - ![Certificate Missing Private Key window](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/certificatemissingprivatekey.webp) + ![Certificate Missing Private Key window](/img/product_docs/accessinformationcenter/access/informationcenter/installation/certificatemissingprivatekey.webp) **NOTE:** If the selected certificate resides in any of the Local Computer stores but does not have a private key, or if the certificate is not found in any of the stores, then it cannot be 
@@ -96,29 +96,29 @@ to step 8. informing you that it will be imported to the Personal store. This means that the Import option is selected by default and grayed out to mandate the import of the certificate. - ![Valid certficate detected bound to the port](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificatevalid.webp) + ![Valid certficate detected bound to the port](/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificatevalid.webp) - If a valid certificate is already bound to the port used by the Access Information Center, then this is detected automatically and the fields are populated with the certificate information without needing to select the certificate or provide a password. The Import option is disabled. - ![Expired certificate detected bound to the port](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificateexpired.webp) + ![Expired certificate detected bound to the port](/img/product_docs/accessinformationcenter/access/informationcenter/installation/servercertificateexpired.webp) - If an expired certificate is detected, the certificate information is populated, but a warning message is displayed. You must provide a new valid certificate, before you can continue. Once the certificate has been provided, click **Next** to continue. -![AIC Setup Wizard Ready to install page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![AIC Setup Wizard Ready to install page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 8 –** On the Ready to install page, click **Install** to begin the process. 
-![AIC Setup Wizard Completed page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![AIC Setup Wizard Completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 9 –** Once the installation has successfully completed, click **Finish** to exit the wizard. The installation wizard placed an Netwrix Access Information Center icon on the desktop. Now proceed -to the [First Launch](../admin/firstlaunch.md) topic for next steps. +to the [First Launch](/docs/accessinformationcenter/12.0/access/informationcenter/admin/firstlaunch.md) topic for next steps. **NOTE:** If SSL was enabled, the provided certificate was bound to the port and the Access Information Center desktop icon contains the appropriate URL to the secured site. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/installation/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/installation/overview.md index a846cb4ea3..9c36d039a0 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/installation/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/installation/overview.md @@ -39,7 +39,7 @@ these will be referred to as the Database service account and the Active Directo and Resource Audits require the Active Directory service account to have rights to read Active Directory. This credential is configured during installation based on the account used for connecting to the database. See the - [Active Directory Page](../admin/configuration/activedirectory.md) topic for additional + [Active Directory Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/activedirectory.md) topic for additional information. Commit Active Directory Changes 
@@ -56,7 +56,7 @@ groups to be managed: - Allow Read Members - Allow Write Members -See the [Commit Active Directory Changes](../admin/additionalconfig/commitchanges.md) topic for +See the [Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information and best practices. ### SSL Certificate @@ -98,7 +98,7 @@ Latest Version Compatibility | Netwrix Access Analyzer (formerly Enterprise Auditor) | Ver. 12.0\* | | Netwrix Access Information Center | Ver. v12.0\* | -See the [Upgrade Procedure](upgrade.md) topic for additional information. +See the [Upgrade Procedure](/docs/accessinformationcenter/12.0/access/informationcenter/installation/upgrade.md) topic for additional information. ## Supported Browsers diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/installation/secure.md b/docs/accessinformationcenter/12.0/access/informationcenter/installation/secure.md index 0fd578ba93..259ba4193a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/installation/secure.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/installation/secure.md @@ -3,7 +3,7 @@ There are two options for accessing the Access Information Center. You can either go to the Access Information Center website directly or you can access it via the Web Console. The Web Console uses an embedded website installed with Access Analyzer. It provides a consolidated logon for both Access -Analyzer reports and the Access Information Center. See the [URL & Login](../admin/login.md) +Analyzer reports and the Access Information Center. See the [URL & Login](/docs/accessinformationcenter/12.0/access/informationcenter/admin/login.md) topic for additional information. In order to secure the Access Information Center, it is first necessary to enable SSL for theAccess 
@@ -14,7 +14,7 @@ topic in the additional information. **NOTE:** SSL for the Access Information Center can be enabled during installation. See the -[Install the Access Information Center](install.md) topic for additional information. +[Install the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md) topic for additional information. ## Enable SSL for the AIC Website @@ -82,7 +82,7 @@ Notepad. The file is located in the Access Information Center installation direc …\Program Files\STEALTHbits\Access Information Center -![AccessInformationCenter.Service.exe config file](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilessl.webp) +![AccessInformationCenter.Service.exe config file](/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilessl.webp) **Step 2 –** Change the `BindingUrl` key value to `"https://+:481"` (ensure the port number matches the port number used in the PowerShell command run to create the SSL Binding). @@ -103,7 +103,7 @@ Follow the steps to update the AIC’s desktop icon's Access Information Center' **Step 1 –** Right click on the **Access Information Center** desktop shortcut and click **Properties**. -![Access Information Center desktop icon properties](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/aicproperties.webp) +![Access Information Center desktop icon properties](/img/product_docs/accessinformationcenter/access/informationcenter/installation/aicproperties.webp) **Step 2 –** On the **Web Document** tab, enter the updated **URL** in the text box to: `https://[hostname.domain.com]:481/v2/login` 
@@ -123,19 +123,19 @@ configured for the Web Console. See the Enable Single Sign-On topic of the additional information. **NOTE:** The Access Information Center also supports using Microsoft Entra ID single sign-on. See -the [Microsoft Entra ID Single Sign-On](../admin/additionalconfig/entraidsso.md) topic for +the [Microsoft Entra ID Single Sign-On](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/entraidsso.md) topic for additional information. Follow the steps to enable SSO for accessing the Access Information Center website directly. -![AccessInformationCenter.Service.exe config file in File Explorer](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilelocation.webp) +![AccessInformationCenter.Service.exe config file in File Explorer](/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilelocation.webp) **Step 1 –** Open the `AccessInformationCenter.Service.exe.config` file in a text editor, such as Notepad. The file is located in the Access Information Center installation directory: …\Program Files\STEALTHbits\Access Information Center -![AccessInformationCenter.Service.exe config file](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilesso.webp) +![AccessInformationCenter.Service.exe config file](/img/product_docs/accessinformationcenter/access/informationcenter/installation/configfilesso.webp) **Step 2 –** Locate the line containing the `AuthAllowWindowsAuthentication` parameter. By default, the value will be set to `False`: 
@@ -168,16 +168,16 @@ Follow the steps to configure local intranet settings. **Step 1 –** Open Windows Internet Properties (**Control Panel** > **Network and Internet** > **Internet Options**). -![ConfigureLocalIntranetSettingsforSSO - 1](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/internetproperties.webp) +![ConfigureLocalIntranetSettingsforSSO - 1](/img/product_docs/accessanalyzer/install/application/reports/internetproperties.webp) **Step 2 –** Go to the Security tab, and select the **Local Intranet** option. Then, click the **Sites** button. -![localintranet](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localintranet.webp) +![localintranet](/img/product_docs/accessanalyzer/install/application/reports/localintranet.webp) **Step 3 –** Click the **Advanced** button. -![localintranetadvanced](../../../../../../static/img/product_docs/accessanalyzer/install/application/reports/localintranetadvanced.webp) +![localintranetadvanced](/img/product_docs/accessanalyzer/install/application/reports/localintranetadvanced.webp) **Step 4 –** Enter a domain in the **Add this website in the zone** field. Ensure the fully qualified domain name is in the following format: `https://..com` diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/installation/upgrade.md b/docs/accessinformationcenter/12.0/access/informationcenter/installation/upgrade.md index 5a34221f5c..5be9b7f18c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/installation/upgrade.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/installation/upgrade.md 
@@ -7,7 +7,7 @@ Center must also be upgraded. To upgrade the Access Information Center application to a newer version, simply run the new `AccessInformationCenter.msi` executable. You do not need to uninstall the existing version. See the -[Install the Access Information Center](install.md) topic for additional information. +[Install the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/installation/install.md) topic for additional information. Any config file and email template customizations that were made in the previous version are preserved during the upgrade. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md index 8061bd0d43..6e38a83c44 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md @@ -3,7 +3,7 @@ The Exceptions report at the domain level provides a list of exceptions found on the selected domain. This report includes a Details table. -![Exceptions report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/domainexceptions.webp) +![Exceptions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/domainexceptions.webp) An exception is defined as a problem or risk to Active Directory security. Exceptions include deeply nested groups and stale membership. This table is blank if no exceptions are found within the 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md index 4af6861a31..2c92b6dda7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md @@ -3,7 +3,7 @@ The Membership Changes report at the domain level provides list of groups that had membership changes on the selected domain during the specified date range. -![Membership Changes report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.webp) +![Membership Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.webp) This table is blank if no changes occurred during the specified date range. This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/overview.md index 2a14a8f9f9..4a048004f8 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/overview.md 
@@ -3,6 +3,6 @@ The following reports are available at the **Domain** level: - Activity – Displayed but not populated at the domain level -- [Exceptions Report](exceptions.md) -- [Membership Changes Report](membershipchanges.md) -- [Principal Attribute Changes Report](principalattributechanges.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md) +- [Membership Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md) +- [Principal Attribute Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md index 6c1beb3f0f..84a7c85c13 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md @@ -3,7 +3,7 @@ The Principal Attribute Changes report at the domain level provides change event information by trustee on the selected domain during the specified date range. -![Principal Attribute Changes report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.webp) +![Principal Attribute Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.webp) This table is blank if no changes occurred during the specified date range. This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md index 61bb5504a4..924f642d90 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md @@ -3,7 +3,7 @@ The Access report at the domain object level provides information on the level of access trustees have at the domain object level. This report includes a Permission Source table. -![Access report at the domain object level](../../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/access.webp) +![Access report at the domain object level](/img/product_docs/accessanalyzer/admin/settings/access/access.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/overview.md index d32838da39..3495a75722 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/overview.md 
@@ -2,7 +2,7 @@ The following reports are displayed at the Domain Object level: -- [Access Report](access.md) +- [Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md) - Activity – Displayed but not populated at the Domain Object level -- [Permissions Report](permissions.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md) - Sensitive Content – Displayed but not populated at the Domain Object level diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md index c94861021f..2d85da4298 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the domain object level provides the trustees that have rights on the selected Active Directory object. -![Permissions report at the domain object level](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![Permissions report at the domain object level](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md index 6eb479f5be..f78c5065c9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md @@ -3,7 +3,7 @@ The Domain Summary report at the **Active Directory** node provides a top-level view of domains that have been scanned. -![Domain Summary report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domainsummary.webp) +![Domain Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/domainsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md index 1e9671b1f2..e6e36812d6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md @@ -3,7 +3,7 @@ The Exceptions report at the **Active Directory** node provides a list of exceptions that were found across the targeted Active Directory environment. This report includes a Details table. -![Exceptions report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) +![Exceptions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) An exception is defined as a problem or risk to Active Directory security. Exceptions include deeply nested groups and stale membership. This table will be blank if no exceptions were found within the 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md index 34e2a5345c..038bfd452b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md @@ -3,7 +3,7 @@ The Exceptions report at the **Exceptions** node provides a list of exceptions found on the domain. This report includes a Details table. -![Exceptions report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) +![Exceptions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) An exception is defined as a problem or risk to Active Directory security. Exceptions include deeply nested groups and stale membership. This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md index b0071b6115..dba745dde7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md 
@@ -4,7 +4,7 @@ The Exceptions report at the exception type level provides details on the select An exception is defined as a problem or risk to Active Directory security. Each of these reports includes a Member Of table. Certain exception types also include a Members table. -![Exceptions report at the Exception Type level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) +![Exceptions report at the Exception Type level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) This report is comprised of the following columns: @@ -28,7 +28,7 @@ displays the group membership, including nested groups. There are two tables at the bottom displaying Member Of and Members for the selected trustee. -![Member Of table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytypememberoftable.webp) +![Member Of table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytypememberoftable.webp) The Member Of table contains the following additional information for the selected trustee: 
@@ -53,7 +53,7 @@ The Member Of table contains the following additional information for the select - ManagedBy Department – Department of the group’s manager - ManagedBy Mail – Email address for the group’s manager -![Members table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytypememberstable.webp) +![Members table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytypememberstable.webp) When the selected trustee is a group, the Members table contains additional information for the selected trustee: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/overview.md index 990bbd9ac4..c2bbe39bd8 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/overview.md @@ -2,7 +2,7 @@ The following report is available at the **Exceptions** node: -- [Exceptions Report](exceptions.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md) The Exceptions node displays when exceptions have been identified on the selected domain. When it is present, it can be expanded to view the exception type level reports. The following nodes may show 
@@ -18,4 +18,4 @@ under the Exceptions node for a domain when that exception type has been identif - Stale Users – Users who have not logged onto the domain for an extended period of time The Exceptions report for each exception type level displays filtered exception information. See the -[Exceptions by Type Report](exceptionsbytype.md) topic for additional information. +[Exceptions by Type Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md index a07e2b67d7..914b1b000b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md @@ -19,5 +19,5 @@ Directory environment: The following reports are available at the **Active Directory** node: -- [Domain Summary Report](domainsummary.md) -- [Exceptions Report](exceptions.md) +- [Domain Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/quickreference.md index 0894777bf2..bcdc84ff69 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/quickreference.md 
@@ -8,8 +8,8 @@ The following reports are available at the Active Directory node level: | Report | Description | | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -| [Domain Summary Report](domainsummary.md) | Provides a top-level view of domains that have been scanned. | -| [Exceptions Report](exceptions.md) | Provides a list of exceptions that were found across the targeted Active Directory environment. This report includes a Details table. | +| [Domain Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainsummary.md) | Provides a top-level view of domains that have been scanned. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions.md) | Provides a list of exceptions that were found across the targeted Active Directory environment. This report includes a Details table. | ## Active Directory > Domain Level Reports 
@@ -18,9 +18,9 @@ The following reports are available at the domain level: | Report | Description | | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | | Activity Report | Displayed but not populated at the domain level. | -| [Exceptions Report](domain/exceptions.md) | Provides a list of exceptions found on the selected domain. This report includes a Details table. | -| [Membership Changes Report](domain/membershipchanges.md) | Provides a list of groups that had membership changes on the selected domain during the specified date range. | -| [Principal Attribute Changes Report](domain/principalattributechanges.md) | Provides change event information by trustee on the selected domain during the specified date range. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/exceptions.md) | Provides a list of exceptions found on the selected domain. This report includes a Details table. | +| [Membership Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/membershipchanges.md) | Provides a list of groups that had membership changes on the selected domain during the specified date range. | +| [Principal Attribute Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domain/principalattributechanges.md) | Provides change event information by trustee on the selected domain during the specified date range. | ## Active Directory > Domain > Domain Object Level Report 
@@ -28,8 +28,8 @@ The following reports are available at the domain object level: | Report | Description | | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -| [Access Report](domainobject/access.md) | Provides information on the level of access trustees have at the domain object level. This report includes a Permission Source table. | -| [Permissions Report](domainobject/permissions.md) | Provides the trustees that have rights on the selected Active Directory object. | +| [Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/access.md) | Provides information on the level of access trustees have at the domain object level. This report includes a Permission Source table. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/domainobject/permissions.md) | Provides the trustees that have rights on the selected Active Directory object. | ## Active Directory > Domain > Exceptions Node Report @@ -37,7 +37,7 @@ The following report is available at the Exceptions node level: | Report | Description | | --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -| [Exceptions Report](exceptions/exceptions.md) | Provides the trustees that have rights on the selected Active Directory object. This report includes a Details table. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptions.md) | Provides the trustees that have rights on the selected Active Directory object. This report includes a Details table. | ## Active Directory > Domain > Exceptions > Exception Type Level Report 
@@ -45,4 +45,4 @@ The following report is available at the exception type level: | Report | Description | | ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Exceptions by Type Report](exceptions/exceptionsbytype.md) | Provides details on the selected exception type. An exception is defined as a problem or risk to Active Directory security. Each of these reports includes a Member Of table. Certain exception types also include a Members table. | +| [Exceptions by Type Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.md) | Provides details on the selected exception type. An exception is defined as a problem or risk to Active Directory security. Each of these reports includes a Member Of table. Certain exception types also include a Members table. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/overview.md index f80607fbc8..1954ba5c89 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the Bucket level: - Activity Report – Displayed but not populated at the Bucket level -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md index 36bce467c7..ee04add71c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the Bucket level shows the permissions for the trustee on the selected resource. -![Permissions report at the Bucket level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/aws/bucket/bucketpermissions.webp) +![Permissions report at the Bucket level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/aws/bucket/bucketpermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md index 9ca6606631..08198048b9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md 
@@ -6,7 +6,7 @@ criteria Matches visible to Access Information Center users with either Security Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the Bucket level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/aws/bucket/bucketsensitivecontent.webp) +![Sensitive Content report at the Bucket level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/aws/bucket/bucketsensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/overview.md index 0c21049dcb..7f65c64fde 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/overview.md @@ -3,5 +3,5 @@ The following reports are available at the Organization level: - Activity Report – Displayed but not populated at the Organization level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md index e56fa47925..7aa57ae675 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md @@ -6,7 +6,7 @@ Matches visible to Access Information Center users with either Security Team Mem roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the Organization level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) +![Sensitive Content Details report at the Organization level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md index 6f9f3df6ba..3cfad9529a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md 
@@ -3,7 +3,7 @@ The Sensitive Content Summary report at the Organization level provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the Organization level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) +![Sensitive Content Summary report at the Organization level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md index 8080ce1bab..0364deece0 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md @@ -14,4 +14,4 @@ Amazon (AWS) reports fall into the following categories: The following report is available at the **Amazon** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/quickreference.md index 33964db3f2..d451ae31cf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/quickreference.md 
@@ -8,7 +8,7 @@ The following report is available at the Amazon node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | ## Amazon > Organization Level Reports 
@@ -16,8 +16,8 @@ The following reports are available at the Organization level: | Report | Description | | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](organization/sensitivecontentdetails.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](organization/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentdetails.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/organization/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. 
This report includes a Details table. | ## Amazon > Organization > Bucket Level Reports @@ -25,5 +25,5 @@ The following reports are available at the Bucket level: | Report | Description | | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](bucket/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](bucket/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/bucket/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md index 7cf557b6c7..b6b164f7f1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **Amazon** node provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/clear.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/clear.md index 47bc65c544..dd3ba46f7d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/clear.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/clear.md 
@@ -7,7 +7,7 @@ changes without signing out. **Step 1 –** Click the **Change Group Membership** button in the Group Membership pane to open the Group Membership Changes window. -![Group Membership Changes window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/clearcommit.webp) +![Group Membership Changes window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/clearcommit.webp) **Step 2 –** Select all changes being modeled. Use the Window’s ctrl and left-click key command to select multiple changes. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/commit.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/commit.md index 8da47f1506..38cf0eff5c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/commit.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/commit.md @@ -8,7 +8,7 @@ The following user roles can commit changes: - Administrators – This role can configure the Access Information Center to commit changes and can commit modeled changes. See the - [Commit Active Directory Changes](../../admin/additionalconfig/commitchanges.md) topic for + [Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information. - Security Team Members – This role can commit modeled changes, if the Access Information Center has already been configured to do so 
@@ -21,7 +21,7 @@ portal. Return to the Group Membership Changes window to view the modeled changes by clicking the **Change Group Membership** button on the Group Membership pane. -![Group Membership Changes window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/clearcommit.webp) +![Group Membership Changes window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/clearcommit.webp) Additional changes can be modeled using the **Add** and **Remove** buttons. @@ -29,7 +29,7 @@ Manually Commit Changes You can export the list of modeled changes as either a CSV or Excel file, which can be sent to your organization’s IT team. Select between the **CSV Export** and **Excel Export** buttons above the -table. See the [Data Grid Features](../../../general/datagrid.md) topic for additional information. +table. See the [Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. Access Information Center Automatically Commits Changes diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md index 58b8528326..c7e670d76e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md 
@@ -5,34 +5,34 @@ Follow the steps to model resource access changes for a single trustee or multip **Step 1 –** Navigate to a desired file system resource and select the **Effective Access** report in the Reports pane. -![Select trustee on Effective Access report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/effectiveaccessreport.webp) +![Select trustee on Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/effectiveaccessreport.webp) **Step 2 –** Select a trustee from the top table in the report. The Permission Source table displays the Source Path, or methods of access, to the selected resource. In this example, the trustee has access through three sources on policies, shares, and folders. -![Select Group in Group Membership pane of Effective Access report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/effectiveaccessreportgroup.webp) +![Select Group in Group Membership pane of Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/effectiveaccessreportgroup.webp) **Step 3 –** In the Group Membership pane, begin to enter the name of the group that grants the access to be changed. Select it from the list that shows in the drop-down menu. The group’s membership list opens. -![Group Membership pane](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershippane.webp) +![Group Membership pane](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershippane.webp) **Step 4 –** Click the **Change Group Membership** button on the Group Membership pane. The Group Membership Changes window opens. 
-![Group Membership Changes window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershipchanges.webp) +![Group Membership Changes window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershipchanges.webp) **Step 5 –** If this is the first change being modeled, the table is empty. If other changes are being modeled, they are listed in the table. Click **Add** to open the Add Membership Change wizard. -![Add Membership Change wizard Select Group page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeselectgroup.webp) +![Add Membership Change wizard Select Group page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeselectgroup.webp) **Step 6 –** On the Select Group page, the selected group is displayed. You can search to select a different group. Click **Next**. -![Add Membership Change wizard Change Type page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangetype.webp) +![Add Membership Change wizard Change Type page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangetype.webp) **Step 7 –** On the Change Type page, indicate the type of change to be modeled: 
@@ -42,19 +42,19 @@ different group. Click **Next**. Click **Next**. -![Add Membership Change wizard Add Members page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeaddmembers.webp) +![Add Membership Change wizard Add Members page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeaddmembers.webp) **Step 8 –** Begin to enter the trustee name in the search box. Available groups and users auto-populate in the drop-down menu. Select the desired trustee and the new member is added in the user list. Repeat as desired to add multiple members. -![Add Members page User Name table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangememberadded.webp) +![Add Members page User Name table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangememberadded.webp) **Step 9 –** The members to be added are shown in the User Name table. Click **Next**. The Add Membership Change wizard closes, and the new members are listed on the Group Membership Changes window. Skip to Step 12. -![Add Membership Change wizard Remove Members page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeremovemembers.webp) +![Add Membership Change wizard Remove Members page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/addmembershipchangeremovemembers.webp) **Step 10 –** On the Remove Members page, the existing group members are listed. Select the desired members and click **Select**. 
@@ -62,7 +62,7 @@ members and click **Select**. **NOTE:** The number on the **View Removals** button changes to reflect the number of users selected. -![Members selected for removal window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/membersforremoval.webp) +![Members selected for removal window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/membersforremoval.webp) **Step 11 –** (Optional) Click **View Removals** to view the members selected for removal. To remove a member from this list, click **Remove** and then click **OK**. 
@@ -71,13 +71,13 @@ a member from this list, click **Remove** and then click **OK**. The Add Membership Change wizard closes, and the members to be removed are listed on the Group Membership Changes window. -![Group Membership Changes window with changes to be modeled](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershipchangesstaged.webp) +![Group Membership Changes window with changes to be modeled](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/groupmembershipchangesstaged.webp) **Step 13 –** Repeat Steps 5-9 to model adding more members. Repeat Steps 5-7 and 10-11 to model removing more members. When the changes to be modeled are set as desired, click **OK**. The Group Membership Changes window closes. -![Effective access changes illustration](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/modeledchanges.webp) +![Effective access changes illustration](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/modeledchanges.webp) When the modeled changes impact the effective access for a trustee, it is displayed in the top section of the Effective Access report selected in Step 1. An illustration shows exactly how the 
@@ -85,4 +85,4 @@ modeled changes would impact a trustee’s access to the selected resource. It m trustee from multiple groups or adding the trustee to another group before access is modified as desired. View the global impact these changes will have on the trustee’s access to all organizational resources in the Modeled Access Changes report at the **File System** node level. See -the [Modeled Access Changes Report](modeledaccesschanges.md) topic for additional information. +the [Modeled Access Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md index cbf150cc70..3b634a3660 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md @@ -8,7 +8,7 @@ changes have no impact on the environment. This report includes the following ta - Activity – Displays additional information on recent activity performed by the trustee which would have been impacted by the modeled change -![Modeled Access Changes report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.webp) +![Modeled Access Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.webp) This report is comprised of the following columns: 
@@ -86,7 +86,7 @@ will be blank if any of the following are true: - The FSAC jobs within Access Analyzer have not been run - There were no operation events logged for the selected trustee -![Activity Table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/activitytable.webp) +![Activity Table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/activitytable.webp) This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md index 0f9769dd2f..6f4abdfc4e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md 
@@ -5,12 +5,12 @@ membership. This allows Access Information Center users to see what steps must b access or group membership, and see what impact these changes would have on access across the targeted file systems. -![Modeled Access Changes report](../../../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Modeled Access Changes report](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) The change modeling process is a feature of the Group Membership pane. You should begin by reviewing a trustee's effective access to a File System resource in -[Effective Access Report](../filesystem/sharesubfolder/effectiveaccess.md) at the share and +[Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) at the share and subfolder levels. Then use the Group Membership pane Changes feature to model the changes for the selected resource. Finally, review the changes across the entire File System environment in the -[Modeled Access Changes Report](modeledaccesschanges.md) at the **File System** node. See the -[Model Changes in the AIC](model.md) topic for detailed instructions on this process. +[Modeled Access Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md) at the **File System** node. See the +[Model Changes in the AIC](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md) topic for detailed instructions on this process. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md index f3ade6df6d..240e7d5d31 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md @@ -4,7 +4,7 @@ The Activity Details report for a computer object provides details on every acti the audited computer during the selected date range. This report includes a Permission Changes table. -![Activity Details report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetails.webp) +![Activity Details report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md index 3e02fe37f7..8a50c9bba4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md @@ -4,7 +4,7 @@ The Activity Statistics report for a computer object provides statistical activi for the audited computer during the selected date range. This report includes a line graph for Traffic Trend. -![Activity Statistics report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitystatistics.webp) +![Activity Statistics report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitystatistics.webp) This report is comprised of the following columns: 
@@ -20,11 +20,11 @@ This report is comprised of the following columns: - Deletes – Count of delete operations on resource The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There is one line graph at the bottom displaying the Traffic Trend for the audited computer. It provides a visual representation of the number of operations events that occurred by operation type over the selected date range. It indicates what volume of operations occurred per day. Each operation type is provided with a different color, as indicated by the legend. See the -[Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the Trend graph. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/attributechanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/attributechanges.md index 1f488b4375..01d3fb7e61 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/attributechanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/attributechanges.md 
@@ -3,7 +3,7 @@ The Attribute Changes report for a computer object provides specific details for every attribute change to the audited computer that was logged during the selected date range. -![Attribute Changes report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) +![Attribute Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/effectiveaccess.md index c1c2f15d6a..7281ce51e0 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/effectiveaccess.md 
@@ -5,12 +5,12 @@ computer has access to and what level of access has been granted. Effective acce based on several variables according to the type of resource. This report includes a Permission Source table. -See the [Effective Access Report](../filesystem/sharesubfolder/effectiveaccess.md) topic for File +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for File Systems for additional information on the effective access calculations for file system resources. -See the [Effective Access Report](../sharepoint/sitecollections/effectiveaccess.md) topic for +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) topic for SharePoint for additional information on the effective access calculations for SharePoint resources. -![Effective Access report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) This report contains a list of all resources the audited computer has the ability to access within the targeted environments. When this report is opened, the Access Information Center begins 
@@ -25,7 +25,7 @@ to load until all data has been analyzed for the audited user. The scoping options allow Access Information Center users to specifying what collected data should be analyzed in order to generate this report. Unlike other filter options, this may impact the loading time depending on the scoping options selected. See the -[Scope an Effective Access Report](../navigate/scopeeffectiveaccess.md) topic for instructions on +[Scope an Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md) topic for instructions on using this feature. This report is comprised of the following columns: @@ -51,7 +51,7 @@ The following rights are a normalized representation of the permissions granted There is one table at the bottom displaying Permission Source for the select resource. It contains all of the ways the audited computer has been granted rights to the selected resource. -![Permission Source table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) The number of rows for this table indicates the number of ways the audited computer has been granted access to selected resource. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/memberof.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/memberof.md index bd0134e6e4..41d25150f3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/memberof.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/memberof.md 
@@ -3,7 +3,7 @@ The Member Of report for a computer object provides a list of all groups of which the audited computer is a member. This report includes a Membership Paths table. -![Member Of report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) +![Member Of report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/objectpermissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/objectpermissions.md index 6a0438f9f2..10ada2c0bd 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/objectpermissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/objectpermissions.md @@ -8,7 +8,7 @@ Analyzer solution. See the Active Directory Permissions Analyzer Solution topic [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information. -![Object Permissions report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) +![Object Permissions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md index fe03aebe10..d78d08eac7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md 
@@ -1,7 +1,7 @@ # Computer Reports Computer reports are accessed through the Computer Audit interface. You can access Computer reports -by searching for computer objects on the Home page. See the [Search Features](../navigate/search.md) +by searching for computer objects on the Home page. See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. The computer object being reviewed is identified in the upper-left corner. The data within these reports is collected by the Access Analyzer solutions which provide data to the Resource reports. See the desired solution topic in the 
@@ -16,19 +16,19 @@ Computer reports identify the following information as scanned from the targeted The Computer Audit interface resembles the Resource Audit Interface but lacks the **Resources** pane. The computer object being reviewed is identified in the upper-left corner. See the -[Resource Audit Interface](../navigate/resource.md) topic for additional information. +[Resource Audit Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md) topic for additional information. Activity reports display information for a selected date range. Some of the reports also include Trend graphs. Trend graphs provide a visual representation of the activity that occurred over the selected date range. See the -[Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on selecting a date range and filtering the Trend graphs. Activity reports display local time stamps. Activity information is represented in two ways: - Activity Statistics – Statistics reports show the count of operation events performed for the selected resource within the selected date range. These events are normalized into the operations of Reads, Writes, Deletes, and Manages. See the - [Activity Statistics Report](activitystatistics.md) topic for additional information. + [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md) topic for additional information. - Activity Details – Details reports show the specific operation events that occurred for the selected resource within the selected date range. See the - [Activity Details Report](activitydetails.md) topic for additional information. 
+ [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/permissions.md index 35c713712e..fbc2b72905 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/permissions.md @@ -3,10 +3,10 @@ The Permissions report for a computer object provides a list of all resources where the audited computer has been assigned permissions. The **Include Inherited** filter option is active by default, which means the report displays both direct and inherited permissions unless modified by -the Access Information Center user. See the [Results Pane](../navigate/overview.md#results-pane) +the Access Information Center user. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on filter options. -![Permissions report](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![Permissions report](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) This report is comprised of the following columns: @@ -32,4 +32,4 @@ The following rights are a normalized representation of the permissions granted - Manage – Equivalent to full control over resources The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/quickreference.md index 418b828a9d..40ffa7887e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/quickreference.md 
@@ -4,10 +4,10 @@ The following reports are available for selection within the Computer Audit inte | Report | Description | | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Activity Details Report](activitydetails.md) | Provides details on every activity event logged by the audited computer during the selected date range. This report includes a Permission Changes table. | -| [Activity Statistics Report](activitystatistics.md) | Provides statistical activity event information for the audited computer during the selected date range. This report includes a line graph for Traffic Trend. | -| [Attribute Changes Report](attributechanges.md) | Provides specific details for every attribute change to the audited computer that was logged during the selected date range. | -| [Effective Access Report](effectiveaccess.md) | Provides insight into every resource the audited computer has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | -| [Member Of Report](memberof.md) | Provides a list of all groups of which the audited computer is a member. This report includes a Membership Paths table. | -| [Object Permissions Report](objectpermissions.md) | Provides details on Active Directory permissions to the object. | -| [Permissions Report](permissions.md) | Provides a list of all resources where the audited computer has been assigned permissions. 
| +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitydetails.md) | Provides details on every activity event logged by the audited computer during the selected date range. This report includes a Permission Changes table. | +| [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/activitystatistics.md) | Provides statistical activity event information for the audited computer during the selected date range. This report includes a line graph for Traffic Trend. | +| [Attribute Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/attributechanges.md) | Provides specific details for every attribute change to the audited computer that was logged during the selected date range. | +| [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/effectiveaccess.md) | Provides insight into every resource the audited computer has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | +| [Member Of Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/memberof.md) | Provides a list of all groups of which the audited computer is a member. This report includes a Membership Paths table. | +| [Object Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/objectpermissions.md) | Provides details on Active Directory permissions to the object. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/permissions.md) | Provides a list of all resources where the audited computer has been assigned permissions. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md index 332ca49a3d..f553c6cef8 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md @@ -14,4 +14,4 @@ Dropbox reports fall into the following categories: The following report is available at the **Dropbox** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/quickreference.md index 131e64bf2c..2e760c3fd7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/quickreference.md 
@@ -8,7 +8,7 @@ The following report is available at the Dropbox node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | ## Dropbox > Team Level Reports 
@@ -16,8 +16,8 @@ The following reports are available at the Team level: | Report | Description | | ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](team/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](team/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. 
| ## Dropbox > Team > Team Member Level Reports 
@@ -25,8 +25,8 @@ The following reports are available at the Team Member level: | Report | Description | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](teammemberresource/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](teammemberresource/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## Dropbox > Team > Team Member > Resource & Subfolder Level Reports 
@@ -34,5 +34,5 @@ The following reports are available at the Resource and subfolder level: | Report | Description | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](teammemberresource/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](teammemberresource/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md index 2ab8926f8c..318c4a285d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **Dropbox** node provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/overview.md index 7ea55d839d..f58fbae519 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the Team level: - Activity Report – Displayed but not populated at the Team level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md index 7f167a883d..7bfb0753a8 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentdetails.md @@ -6,7 +6,7 @@ visible to Access Information Center users with either Security Team Member or A The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the Team level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/team/teamsensitivecontentdetails.webp) +![Sensitive Content Details report at the Team level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/team/teamsensitivecontentdetails.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md index 3c3928645d..148f72aad3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/team/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the Team level provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the Team level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/team/teamsensitivecontentsummary.webp) +![Sensitive Content Summary report at the Team level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/team/teamsensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/overview.md index 76493fcffc..6a07faca66 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the Team Member, Resource, and Subfolder level: - Activity Report – Displayed but not populated at the Team Member, Resource, and Subfolder level -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md index 7a3ef730a0..654eafda0d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the Team Member, Resource, and Subfolder level shows the permissions for the trustee on the selected resource. -![Permissions report at the Team Member, Resource, and Subfolder level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/teammemberresource/teammemberpermissions.webp) +![Permissions report at the Team Member, Resource, and Subfolder level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/teammemberresource/teammemberpermissions.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md index 0058d32e26..b6c5f6a17b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/teammemberresource/sensitivecontent.md @@ -6,7 +6,7 @@ report includes a table with criteria matches visible to Access Information Cent Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the Team Member, Resource, and Subfolder level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/teammemberresource/teammembersensitivecontent.webp) +![Sensitive Content report at the Team Member, Resource, and Subfolder level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/dropbox/teammemberresource/teammembersensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/overview.md index 27b46a165d..32d9325ab3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the mailbox and folder level: - Activity Report – Displayed but not populated at the mailbox and folder level -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md index 4d2b00f1cd..64a18383f1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the mailbox and folder level shows the permissions for the trustee on the selected resource. -![Permissions report at the mailbox and folder level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/mailboxfolder/mailboxpermissions.webp) +![Permissions report at the mailbox and folder level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/mailboxfolder/mailboxpermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md index 376dcd9e16..46fc88630d 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md @@ -6,7 +6,7 @@ table with criteria matches visible to Access Information Center users with eith Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the mailbox and folder level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/mailboxfolder/mailboxsensitivecontent.webp) +![Sensitive Content report at the mailbox and folder level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/mailboxfolder/mailboxsensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md index 8ff2ba67a7..b9de8c674e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md @@ -15,4 +15,4 @@ own node in the Access Information Center. Exchange reports fall into the follow The following report is available at the **Exchange** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md) 
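Review bot: The new link target in exchange/overview.md hard-codes the version segment (`/docs/accessinformationcenter/12.0/...`), where the old `sensitivecontentsummary.md` was independent of the version directory. If the 12.0 tree is later copied to create another version, this link will still resolve, but to the 12.0 page, so a broken-link check will not catch it. Consider keeping same-directory links relative, or adding a check that fails when a page under one version directory links into another.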
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/quickreference.md index 93c35f30b9..84e832cffc 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/quickreference.md @@ -8,7 +8,7 @@ The following report is available at the Exchange node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | ## Exchange > Server Level Reports 
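Review bot: Style point on the table row in this hunk: the rewritten first cell is much wider than the unchanged header and `| ---- |` separator rows, so the source table no longer lines up. Rendering is unaffected, but re-pad the header and separator rows (or drop the column padding in this table) so later diffs to it stay readable.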
@@ -16,8 +16,8 @@ The following reports are available at the server level: | Report | Description | | --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](server/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected instance. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](server/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected instance. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. 
| ## Exchange > Server > Mailbox and Folder Level Reports @@ -25,5 +25,5 @@ The following reports are available at the mailbox and folder level: | Report | Description | | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](mailboxfolder/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](mailboxfolder/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/mailboxfolder/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria Matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md index fd8299a41f..b2bd70dd79 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **Exchange** node provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/overview.md index 686a155bbd..0f86903ac5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the server level: - Activity Report – Displayed but not populated at the server level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md index 394ea1bf4c..fb302d9c14 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentdetails.md @@ -6,7 +6,7 @@ visible to Access Information Center users with either Security Team Member or A The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) +![Sensitive Content Details report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md index 12d8bf11f1..3f613df926 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/server/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the server level provides a count of files where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) +![Sensitive Content Summary report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md index ade7f9bd38..0e56e902f3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md 
@@ -6,7 +6,7 @@ performed in each server, including operations in folders that are not shared. T does not include a date range filter as it contains totals for all operations ever monitored by Access Analyzer for the targeted environment. -![Activity Summary report at the File System node](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummary.webp) +![Activity Summary report at the File System node](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/overview.md index c3a0727f5e..bdebafced2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/overview.md @@ -2,7 +2,7 @@ The following report is available at the **Admin Shares** node: -- [Scan Summary Report](scansummary.md) +- [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md) -See the [Share & Subfolder Levels Reports](../sharesubfolder/overview.md) topic for information on +See the [Share & Subfolder Levels Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md) topic for information on reports found under this node. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md index 52c0eb7011..dbea3586ef 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md @@ -3,7 +3,7 @@ The Scan Summary report at the **Admin Shares** node provides a summary view of all shares on the server with the share type of Admin. -![Scan Summary report at the Admin Shares node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/adminshares/adminsharesscansummary.webp) +![Scan Summary report at the Admin Shares node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/adminshares/adminsharesscansummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md index 1b2bb94963..1e2ed319bf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md 
@@ -3,7 +3,7 @@ The Exceptions report at the **File System** node provides a list of exceptions that were found across the targeted environment. This report includes a Details table. -![Exceptions report at the File System node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) +![Exceptions report at the File System node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open shares and permissions granted to stale or disabled users. This table is blank if no exceptions were diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md index bb33973d91..0d316708db 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md @@ -3,7 +3,7 @@ The Exceptions report at the **Exceptions** node provides a list of exceptions found on the server. This report includes a Details table. -![Exceptions report at the Exceptions node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) +![Exceptions report at the Exceptions node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open shares and permissions granted to stale or disabled users. This report is comprised of the following 
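Review bot: The image for the File System Exceptions node report resolves under `resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp`, and the File System node hunk just above likewise points into `resourceaudit/activedirectory/`. The rewrite carries both over unchanged from the old relative paths. Since every image line is being touched anyway, confirm these are the intended File System screenshots; if the image is deliberately shared between the Active Directory and File System pages, say so in the commit message so the mismatch between page and image directory is not mistaken for a rewrite error.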
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md index 02a5742553..042c9cf848 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md @@ -3,7 +3,7 @@ The Exceptions report at the exception type level provides details on the selected exception type. This report includes a Permission Source table. -![Exceptions report at the exception type level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) +![Exceptions report at the exception type level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) An exception is defined as a problem or risk to data governance security. This report is comprised of the following columns: @@ -17,7 +17,7 @@ displays the group membership, including nested groups. There is one table at the bottom displaying Permission Source for the select trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytypetable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytypetable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/overview.md index b66fcd40e4..62daec02ee 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/overview.md @@ -2,7 +2,7 @@ The following report is available at the **Exceptions** node: -- [Exceptions Report](exceptions.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md) The **Exceptions** node displays when exceptions have been identified on the selected server. When it is present, it can be expanded to view the exception type level reports. The following nodes may @@ -14,4 +14,4 @@ identified: - Stale Users – Folders where stale users have been granted access The Exceptions report for each exception type level displays filtered exception information. See the -[Exceptions Report by Type](exceptionsbytype.md) topic for the report details. +[Exceptions Report by Type](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md) topic for the report details. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md index 32afbd52e4..bf67bd626f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md 
@@ -3,7 +3,7 @@ The Effective Policy report at the local policy level provides a list of users and groups who are effectively granted or denied access through the selected policy. -![Effective Policy report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.webp) +![Effective Policy report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/overview.md index 4e3925c187..d46bf9f136 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/overview.md @@ -3,5 +3,5 @@ Local policies have an impact on effective access. There are no reports at the **Local Policies** node, but the following reports are available at the local policy level: -- [Effective Policy Report](effectivepolicy.md) -- [Policy Report](policy.md) +- [Effective Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md) +- [Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md index 8400cb5dc4..606239dfa1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md @@ -3,7 +3,7 @@ The Policy report at the local policy level provides a list of policies assigned for the selected local policy. -![Policy report](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) +![Policy report](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md index fcc02699e2..4fd048a874 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md 
@@ -3,10 +3,10 @@ The Activity Details report at the NFS Exports share and subfolder levels provides details on every operations logged during the selected date range. This report includes a Permission Changes table. The **Include subfolders** option is active by default until removed. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on changing this +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity Details report at the NFS Exports share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsactivitydetails.webp) +![Activity Details report at the NFS Exports share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsactivitydetails.webp) This report is comprised of the following columns: @@ -52,4 +52,4 @@ the following columns: - Access Rights – Type of right assigned The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md index 2d4f22fd1e..83876ec8a5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md 
@@ -4,10 +4,10 @@ The Activity Statistics report at the NFS Exports share and subfolder levels p activity event information by user on the selected resource during the specified date range. This report includes line graphs for Active Users Trend and Traffic Trend. The **Include subfolders** option is active by default until removed. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on changing this +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity Statistics report at the NFS Exports share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsactivitystatistics.webp) +![Activity Statistics report at the NFS Exports share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsactivitystatistics.webp) This report is comprised of the following columns: 
@@ -30,22 +30,22 @@ This report is comprised of the following columns: - Deletes – Count of delete operations on files and subfolders The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There are two line graphs at the bottom displaying Active Users Trend and Traffic Trend for the selected resource. -![Active Users Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/activeuserstrendgraph.webp) +![Active Users Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/activeuserstrendgraph.webp) The Active Users Trend line graph provides a visual representation of the number of active users over the selected date range. It indicates how many users are performing operations per day. -![Traffic Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/traffictrendgraph.webp) +![Traffic Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/traffictrendgraph.webp) The Traffic Trend line graph provides a visual representation of the number of operations events that occurred by operation type over the selected date range. It indicates what volume of operations occurred per day. Each operation type is shown with a different color, as indicated by the legend. 
See the -[Activity Report Results Pane Features](../../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the trend graphs. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/overview.md index 2d32ba464a..98fd886913 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/overview.md 
@@ -4,11 +4,11 @@ NFS share data can be imported into the Access Information Center through config Analyzer File System Sensitive Data Discovery Auditing collection jobs. The following report is available at the **NFS Exports** node: -- [Scan Summary Report](scansummary.md) +- [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md) The following reports are available at the share and subfolder levels below the NFS Exports node: -- [Activity Details Report](activitydetails.md) -- [Activity Statistics Report](activitystatistics.md) -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md) +- [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md index c864fca7bd..908b833d09 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md 
@@ -3,7 +3,7 @@ The Permissions report at the NFS Exports share and subfolder levels provides a list of trustees with permissions for the selected resource and access level for each trustee. -![Permissions report at the NFS Exports share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfspermissions.webp) +![Permissions report at the NFS Exports share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfspermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md index 2c336f0f63..283aca4be4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md @@ -3,7 +3,7 @@ The Scan Summary report at the **NFS Exports** node provides a summary view of all shares on the server with the share type of Shared. -![Scan Summary report at the NFS Exports node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsscansummary.webp) +![Scan Summary report at the NFS Exports node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfsscansummary.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md index a5e7cab202..66e4a5748d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md @@ -6,7 +6,7 @@ includes a table with criteria matches visible to Access Information Center user Administrator or Security Team roles. The Matches table requires the **store discovered sensitive data** configuration for the Access Analyzer data collection or it will be blank. -![Sensitive Content report at the NFS Exports share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfssensitivecontent.webp) +![Sensitive Content report at the NFS Exports share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/nfssensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md index 203e712567..0f731eb316 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md 
@@ -39,7 +39,7 @@ File System reports fall into the following categories: - Display information for a selected date range with local time stamps - Some of the reports also include trend graphs. Trend graphs provide a visual representation of the activity that occurred over the selected date range. See the - [Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) + [Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on selecting a date range and filtering the trend graphs. - Activity information is represented in two ways: @@ -65,7 +65,7 @@ File System reports fall into the following categories: The following reports are available at the **File System** node: -- [Activity Summary Report](activitysummary.md) -- [Exceptions Report](exceptions.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) -- [Server Summary Report](serversummary.md) +- [Activity Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md) +- [Server Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/quickreference.md index def7540bb6..ea750f4b72 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/quickreference.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/quickreference.md 
@@ -8,11 +8,11 @@ The following reports are available at the File System node level: | Report | Description | | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Summary Report](activitysummary.md) | Provides an overview of activity performed on files and folders in each of the scanned servers. It reflects the total count of operations performed in each server, including activity in folders that are not shared. This is an activity report that does not include a date range filter, as it contains totals for all operations ever monitored by Access Analyzer for the targeted environment. | -| [Exceptions Report](exceptions.md) | Provides a list of exceptions that were found across the targeted environment. This report includes a Details table. | -| [Modeled Access Changes Report](../changemodeling/modeledaccesschanges.md) | Provides an enterprise wide view of modeled access changes. This report is blank if no changes have been modeled or if the modeled changes have no impact on the environment. This report includes the following tables: - Permission Source – Displays all of the ways the trustee has been granted rights to the resource - Activity – Displays additional information on recent activity performed by the trustee which would have been impacted by the modeled change | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. 
| -| [Server Summary Report](serversummary.md) | Provides a top-level view of servers that have been scanned. | +| [Activity Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md) | Provides an overview of activity performed on files and folders in each of the scanned servers. It reflects the total count of operations performed in each server, including activity in folders that are not shared. This is an activity report that does not include a date range filter, as it contains totals for all operations ever monitored by Access Analyzer for the targeted environment. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions.md) | Provides a list of exceptions that were found across the targeted environment. This report includes a Details table. | +| [Modeled Access Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/modeledaccesschanges.md) | Provides an enterprise wide view of modeled access changes. This report is blank if no changes have been modeled or if the modeled changes have no impact on the environment. This report includes the following tables: - Permission Source – Displays all of the ways the trustee has been granted rights to the resource - Activity – Displays additional information on recent activity performed by the trustee which would have been impacted by the modeled change | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Server Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md) | Provides a top-level view of servers that have been scanned. 
| ## File System > Server Level Reports 
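Review bot: every `+` row in the File System node table of quickreference.md (hunk `@@ -8,11 +8,11 @@`) now embeds the version segment `12.0` in an absolute path, for example `/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/activitysummary.md`, where the removed link `activitysummary.md` was version-independent. If this directory is later copied to a new version, these links will keep pointing at 12.0 unless each one is rewritten. If the build requires absolute links, state that convention in the README this patch already edits, and consider a link check that flags a version segment differing from the containing file's own path.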
@@ -20,13 +20,13 @@ The following reports are available at the server level: | Report | Description | | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](server/activitydetails.md) | Provides details on every operation logged during the selected date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. This report includes a Permission Changes table. | -| [Activity Statistics Report](server/activitystatistics.md) | Provides statistical activity event information by user on the selected server during the specified date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. This report includes line graphs for Active Users Trend and Traffic Trend. | -| [Exceptions Report](server/exceptions.md) | Provides a list of exceptions that were found within shares on the selected server. This report includes a Details table. | -| [Scan Summary Report](server/scansummary.md) | Provides a summary view of all shares on the selected server. | -| [Sensitive Content Details Report](server/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected resource. This report includes a Matches table. | -| [Sensitive Content Summary Report](server/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected resource. This report includes a Details table. | -| [Share Activity Summary Report](server/shareactivitysummary.md) | Provides statistical activity event information by share on the selected server during the specified date range. 
Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md) | Provides details on every operation logged during the selected date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. This report includes a Permission Changes table. | +| [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md) | Provides statistical activity event information by user on the selected server during the specified date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. This report includes line graphs for Active Users Trend and Traffic Trend. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md) | Provides a list of exceptions that were found within shares on the selected server. This report includes a Details table. | +| [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md) | Provides a summary view of all shares on the selected server. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the selected resource. This report includes a Matches table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the selected resource. This report includes a Details table. 
| +| [Share Activity Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md) | Provides statistical activity event information by share on the selected server during the specified date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. | ## File System > Server > Local Policies > Policy Level Reports @@ -36,8 +36,8 @@ The following reports are available at the local policy level: | Report | Description | | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | -| [Effective Policy Report](localpolicies/effectivepolicy.md) | Provides a list of users and groups who are effectively granted or denied access through the selected policy. | -| [Policy Report](localpolicies/policy.md) | Provides a list of policies assigned for the selected local policy. | +| [Effective Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/effectivepolicy.md) | Provides a list of users and groups who are effectively granted or denied access through the selected policy. | +| [Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/localpolicies/policy.md) | Provides a list of policies assigned for the selected local policy. | ## File System > Server > NFS Exports Node Report 
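Review bot: in the local policy table (hunk `@@ -36,8 +36,8 @@`), the unchanged separator row is still sized for the old short link cells while the two `+` rows are much wider, so the table source is no longer column-aligned; the server-level table in `@@ -20,13 +20,13 @@` has the same problem. Rendering is unaffected, but if Markdown tables in this repo are kept formatted, re-run the formatter on quickreference.md in this change so a later formatting pass does not produce a second large diff over the same rows.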
@@ -45,7 +45,7 @@ The following report is available at the NFS Exports node level: | Report | Description | | ------------------------------------------------ | ---------------------------------------------------------------------------------- | -| [Scan Summary Report](nfsexports/scansummary.md) | Provides a summary view of all shares on the server with the share type of Shared. | +| [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/scansummary.md) | Provides a summary view of all shares on the server with the share type of Shared. | ## File System > Server > NFS Exports > Share & Subfolder Levels 
@@ -53,10 +53,10 @@ The following reports are available at the share and subfolder levels under the | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](nfsexports/activitydetails.md) | Provides details on every operation logged during the selected date range. This report includes a Permission Changes table. | -| [Activity Statistics Report](nfsexports/activitystatistics.md) | Provides statistical activity event information by user on the selected resource during the specified date range. This report includes line graphs for Active Users Trend and Traffic Trend. | -| [Permissions Report](nfsexports/permissions.md) | Provides a list of trustees with permissions for the selected resource and access level for each trustee. | -| [Sensitive Content Report](nfsexports/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Administrator or Security Team roles. The Matches table requires the store discovered sensitive data configuration for the Access Analyzer data collection or it will be blank. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitydetails.md) | Provides details on every operation logged during the selected date range. This report includes a Permission Changes table. 
| +| [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/activitystatistics.md) | Provides statistical activity event information by user on the selected resource during the specified date range. This report includes line graphs for Active Users Trend and Traffic Trend. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/permissions.md) | Provides a list of trustees with permissions for the selected resource and access level for each trustee. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/nfsexports/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Administrator or Security Team roles. The Matches table requires the store discovered sensitive data configuration for the Access Analyzer data collection or it will be blank. | ## File System > Server > Admin Shares Nodes Report @@ -64,7 +64,7 @@ The following report is available at the Admin Shares node level: | Report | Description | | ------------------------------------------------- | --------------------------------------------------------------------------------- | -| [Scan Summary Report](adminshares/scansummary.md) | Provides a summary view of all shares on the server with the share type of Admin. | +| [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/adminshares/scansummary.md) | Provides a summary view of all shares on the server with the share type of Admin. | ## File System > Server > Shared Folders Node Report 
@@ -72,7 +72,7 @@ The following report is available at the Shared Folders node level: | Report | Description | | --------------------------------------------------- | ---------------------------------------------------------------------------------- | -| [Scan Summary Report](sharedfolders/scansummary.md) | Provides a summary view of all shares on the server with the share type of Shared. | +| [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md) | Provides a summary view of all shares on the server with the share type of Shared. | ## File System > Server > Shared Folders > Share & Subfolder Level Reports 
@@ -80,12 +80,12 @@ The following reports are available at the share and subfolder levels: | Report | Description | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](sharesubfolder/activitydetails.md) | Provides details on every operations logged during the selected date range. This report includes a Permission Changes table. | -| [Activity Statistics Report](sharesubfolder/activitystatistics.md) | Provides statistical activity event information by user on the selected server during the specified date range This report includes line graphs for Active Users Trend and Traffic Trend. | -| [Effective Access Report](sharesubfolder/effectiveaccess.md) | Provides insight into who has what level of access to this resource through a calculation that encompasses server policies, share and folder permissions, and group membership. It contains a list of all trustees with access to the selected resource and specifies the effective access level. This report includes a Permission Source table. | -| [Exceptions Report](sharesubfolder/exceptions.md) | Displays a list of all trustees with access that are causing exceptions on the selected resource. This report includes a Permission Source table. | -| [Permissions Report](sharesubfolder/permissions.md) | Provides a list of trustees with permissions for the selected resource. This report includes a table with trustee access levels Compared to Parent. 
| -| [Sensitive Content Report](sharesubfolder/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Administrator or Security Team roles. The Matches table requires the store discovered sensitive data configuration for the Access Analyzer data collection or it will be blank. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md) | Provides details on every operations logged during the selected date range. This report includes a Permission Changes table. | +| [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md) | Provides statistical activity event information by user on the selected server during the specified date range This report includes line graphs for Active Users Trend and Traffic Trend. | +| [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) | Provides insight into who has what level of access to this resource through a calculation that encompasses server policies, share and folder permissions, and group membership. It contains a list of all trustees with access to the selected resource and specifies the effective access level. This report includes a Permission Source table. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md) | Displays a list of all trustees with access that are causing exceptions on the selected resource. This report includes a Permission Source table. 
| +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md) | Provides a list of trustees with permissions for the selected resource. This report includes a table with trustee access levels Compared to Parent. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Administrator or Security Team roles. The Matches table requires the store discovered sensitive data configuration for the Access Analyzer data collection or it will be blank. | ## File System > Server > Exceptions Node Report @@ -93,7 +93,7 @@ The following report is available at the Exceptions node level: | Report | Description | | --------------------------------------------- | ---------------------------------------------------------------------------------------- | -| [Exceptions Report](exceptions/exceptions.md) | Provides a list of exceptions found on the server. This report includes a Details table. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptions.md) | Provides a list of exceptions found on the server. This report includes a Details table. | ## File System > Server > Exceptions > Exception Type Level Report 
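Review bot: the Share & Subfolder table hunk (`@@ -80,12 +80,12 @@`) rewrites the Activity Details and Activity Statistics rows but carries two text errors in their Description cells over into the `+` lines: "every operations logged" and the missing period in "during the specified date range This report includes". Since these rows are already being replaced, correct them here to "every operation logged" and "date range. This report", which is the wording the NFS Exports rows in the same file already use.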
@@ -101,4 +101,4 @@ The following report is available at the exceptions type level: | Report | Description | | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | -| [Exceptions Report by Type](exceptions/exceptionsbytype.md) | Provides details on the selected exception type. This report includes a Permission Source table. | +| [Exceptions Report by Type](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytype.md) | Provides details on the selected exception type. This report includes a Permission Source table. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md index 500818207e..8eac1f2cb7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **File System** node provides a count of files where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report at the File System node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report at the File System node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: 
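Review bot: the `+` image line in filesystem/sensitivecontentsummary.md points at `/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp`, a `postgresql` asset, on a page whose alt text reads "Sensitive Content Summary report at the File System node". The removed line had the same `postgresql` segment, so this change preserves the mismatch rather than introducing it. Please confirm the screenshot is intentionally shared; if it is not, point the link at a File System image while the path is being rewritten anyway.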
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md index 81e90f80f9..07ccfcbd82 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md @@ -4,7 +4,7 @@ The Activity Details report at the server level provides details on every operat the selected date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. This report includes a Permission Changes table. -![Activity Details report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serveractivitydetails.webp) +![Activity Details report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serveractivitydetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md index ce5bb15b17..144b1bace5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md 
@@ -5,7 +5,7 @@ by user on the selected server during the specified date range. Activity on DFS level is rolled up to the server hosting the DFS Namespace. This report includes line graphs for Active Users Trend and Traffic Trend. -![Activity Statistics report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serveractivitystatistics.webp) +![Activity Statistics report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serveractivitystatistics.webp) This report is comprised of the following columns: 
@@ -28,22 +28,22 @@ This report is comprised of the following columns: - Deletes – Count of delete operations on files and subfolders The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There are two line graphs at the bottom displaying Active Users Trend and Traffic Trend for the selected resource. -![Active Users Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/activeuserstrendgraph.webp) +![Active Users Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/activeuserstrendgraph.webp) The Active Users Trend line graph provides a visual representation of the number of active users over the selected date range. It indicates how many users are performing operations per day. -![Traffic Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/traffictrendgraph.webp) +![Traffic Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/nfsexports/traffictrendgraph.webp) The Traffic Trend line graph provides a visual representation of the number of operations events that occurred by operation type over the selected date range. It indicates what volume of operations occurred per day. Each operation type is shown with a different color, as indicated by the legend. 
See the -[Activity Report Results Pane Features](../../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the trend graphs. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md index c57a01a740..03bd1f9595 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md @@ -3,7 +3,7 @@ The Exceptions report at the server level provides a list of exceptions that were found within shares on the selected server. This report includes a Details table. -![Exceptions report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serverexceptions.webp) +![Exceptions report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serverexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open shares and permissions granted to stale or disabled users. This report will be blank if no diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/overview.md index 472f2bfe4a..44f9409143 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/overview.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/overview.md @@ -2,10 +2,10 @@ The following reports are available at the server level: -- [Activity Details Report](activitydetails.md) -- [Activity Statistics Report](activitystatistics.md) -- [Exceptions Report](exceptions.md) -- [Scan Summary Report](scansummary.md) -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) -- [Share Activity Summary Report](shareactivitysummary.md) +- [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitydetails.md) +- [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/activitystatistics.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/exceptions.md) +- [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md) +- [Share Activity Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md index abbee449ee..b7314b65d5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/scansummary.md @@ -3,7 +3,7 @@ The Scan Summary report at the server level provides a summary view of all shares on the selected server. -![Scan Summary report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serverscansummary.webp) +![Scan Summary report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/serverscansummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md index 28ac577365..89ba0e76de 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentdetails.md @@ -3,7 +3,7 @@ The Sensitive Content Details report at the server level provides details of files where criteria matches were found on the selected resource. This report includes a Matches table. -![Sensitive Content Details report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) +![Sensitive Content Details report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentdetails.webp) This report is comprised of the following columns: 
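Review bot: In filesystem/server/sensitivecontentdetails.md the rewritten image link still resolves under `resourceaudit/exchange/server/serversensitivecontentdetails.webp`, although the page documents the File System server-level report. The removed relative path had the same `exchange/server/` target, so the rewrite carried the mismatch over rather than introducing it, but the other image links in this directory's hunks (exceptions, scansummary) point at `filesystem/server/`. Please confirm the Exchange screenshot is intended, or point the link at a `filesystem/server/` asset. The sensitivecontentsummary.md hunk in the next file has the same `exchange/server/` path.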
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md index 454da0a213..74ce2a51bf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the server level provides a count of files where criteria matches were found on the selected resource. This report includes a Details table. -![Sensitive Content Summary report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) +![Sensitive Content Summary report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/exchange/server/serversensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md index 62d6352c8c..bbbb32bc68 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/server/shareactivitysummary.md 
@@ -4,7 +4,7 @@ The Share Activity Summary report at the server level provides statistical activ information by share on the selected server during the specified date range. Activity on DFS Namespaces at this level is rolled up to the server hosting the DFS Namespace. -![Share Activity Summary report at the server level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/servershareactivitysummary.webp) +![Share Activity Summary report at the server level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/server/servershareactivitysummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md index 563fb0ee87..aa058beda7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/serversummary.md @@ -3,7 +3,7 @@ The Server Summary report at the **File System** node provides a top-level view of servers that have been scanned. -![Server Summary report at the File System node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/serversummary.webp) +![Server Summary report at the File System node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/serversummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/overview.md index 8e0adb9071..031bdac67b 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/overview.md @@ -2,7 +2,7 @@ The following report is available at the **Shared Folder** node: -- [Scan Summary Report](scansummary.md) +- [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md) -See the [Share & Subfolder Levels Reports](../sharesubfolder/overview.md) topic for information on +See the [Share & Subfolder Levels Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md) topic for information on reports found under this node. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md index 8b9622608e..7f07bdc617 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharedfolders/scansummary.md @@ -3,7 +3,7 @@ The Scan Summary report at the **Shared Folders** node provides a summary view of all shares on the server with the share type of Shared. -![Scan Summary report at the Shared Folders node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharedfolders/sharedfoldersscansummary.webp) +![Scan Summary report at the Shared Folders node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharedfolders/sharedfoldersscansummary.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md index bf7dd8d6a0..58e9940cb6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md @@ -3,10 +3,10 @@ The Activity Details report at the share and subfolder levels provides details on every operations logged during the selected date range. This report includes a Permission Changes table. The **Include subfolders** option is active by default until removed. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on changing this +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity Details report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactivitydetails.webp) +![Activity Details report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactivitydetails.webp) This report is comprised of the following columns: @@ -50,4 +50,4 @@ the following columns: - Access Rights – Type of right assigned The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md index 2c19afbed9..4903460af9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md @@ -3,10 +3,10 @@ The Activity Statistics report at the share and subfolder levels provides statistical activity event information by user on the selected server during the specified date range. This report includes line graphs for Active Users Trend and Traffic Trend. The **Include subfolders** option is active by -default until removed. See the [Results Pane](../../navigate/overview.md#results-pane) topic for +default until removed. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity Statistics report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactivitystatistics.webp) +![Activity Statistics report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactivitystatistics.webp) This report is comprised of the following columns: 
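Review bot: Style point on the added line in sharesubfolder/activitystatistics.md: `+default until removed. See the [Results Pane](/docs/...)` now keeps prose on both sides of a long absolute URL, so it runs far past the wrap width the rest of the paragraph holds to. Put the link on a line of its own, as the matching sentence in sharesubfolder/activitydetails.md already does, so the prose lines stay wrapped and only the link line is long.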
@@ -29,22 +29,22 @@ This report is comprised of the following columns: - Deletes – Count of delete operations on files and subfolders The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There are two line graphs at the bottom displaying Active Users Trend and Traffic Trend for the selected resource. -![Active Users Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactiveuserstrendgraph.webp) +![Active Users Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareactiveuserstrendgraph.webp) The Active Users Trend line graph provides a visual representation of the number of active users over the selected date range. It indicates how many users are performing operations per day. -![Traffic Trend line graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharetraffictrendgraph.webp) +![Traffic Trend line graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharetraffictrendgraph.webp) The Traffic Trend line graph provides a visual representation of the number of operations events that occurred by operation type over the selected date range. It indicates what volume of operations occurred per day. Each operation type is shown with a different color, as indicated by the legend. 
See the -[Activity Report Results Pane Features](../../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the trend graphs. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md index 9f053a5d84..cd881c903d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md @@ -6,7 +6,7 @@ folder permissions, and group membership. It contains a list of all trustees wit selected resource and specifies the effective access level. This report includes a Permission Source table. -![Effective Access report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareeffectiveaccess.webp) +![Effective Access report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareeffectiveaccess.webp) This report is comprised of the following columns: 
@@ -43,7 +43,7 @@ displays the group membership, including nested groups. There is one table at the bottom displaying Permission Source for the select trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareeffectiveaccesstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareeffectiveaccesstable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md index d461d0089b..7ad1964aab 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md 
@@ -4,12 +4,12 @@ The Exceptions report at the share and subfolder levels provides a list of all t that are causing exceptions on the selected resource. This report includes a Permission Source table. -![Exceptions report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareexceptions.webp) +![Exceptions report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open shares and permissions granted to stale or disabled users. This table is blank unless an Exception icon is attached to the resource in the Resources pane, indicating exceptions were found. See the -[Resources Pane](../../navigate/resource.md#resources-pane) topic for additional information. +[Resources Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md#resources-pane) topic for additional information. This report is comprised of the following columns: @@ -20,7 +20,7 @@ This report is comprised of the following columns: There is one table at the bottom displaying Permission Source for the select trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareexceptionstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/shareexceptionstable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md index 0b4645f619..aeeb4803be 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/overview.md @@ -2,9 +2,9 @@ The following reports are available at the share and subfolder levels: -- [Activity Details Report](activitydetails.md) -- [Activity Statistics Report](activitystatistics.md) -- [Effective Access Report](effectiveaccess.md) -- [Exceptions Report](exceptions.md) -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitydetails.md) +- [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md) +- [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/exceptions.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md) 
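Review bot: The six links in sharesubfolder/overview.md pointed at files in the same directory (`activitydetails.md`, `permissions.md`, and so on) and now each hard-codes `/docs/accessinformationcenter/12.0/...`. The old form was independent of the version directory; the new form ties every sibling link to `12.0`, so a copy of this tree under another version directory would still link back into 12.0. Consider leaving same-directory links relative and using absolute paths only where the old link climbed out of the directory with `../`. The same applies to the server/overview.md list earlier in the patch.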
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md index 1850d6602a..6fda75185b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md @@ -7,7 +7,7 @@ Compared to Parent. If activity is being monitored for the selected resource, then this report indicates where stale permissions exist. See the Stale Permissions topic for additional information. -![Permissions report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharepermissions.webp) +![Permissions report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharepermissions.webp) This report is comprised of the following columns: 
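Review bot: Missing link in the context of the first permissions.md hunk: "See the Stale Permissions topic for additional information." is plain text, while every other "See the ... topic" reference touched by this patch is a link. The target is the `## Stale Permissions` heading in this same file (visible as context in the next hunk), so `[Stale Permissions](#stale-permissions)` would fit in this pass.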
@@ -50,10 +50,10 @@ displays the group membership, including nested groups. There is one table at the bottom displaying Compared to Parent permissions for the select trustee. It contains information on explicit permissions granted for the selected resource. -![Compared to Parent table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharepermissionstable.webp) +![Compared to Parent table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharepermissionstable.webp) This table will be blank unless an Explicit Permissions icon is attached to the resource in the -Resources pane. See the [Resources Pane](../../navigate/resource.md#resources-pane) topic for +Resources pane. See the [Resources Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md#resources-pane) topic for additional information. This table is comprised of the same columns as the primary report. ## Stale Permissions 
@@ -73,21 +73,21 @@ resource, a yellow icon is displayed for the permission type to indicate the acc perform the activity. Therefore, access level cells not highlighted when activity is being monitored represent permissions that are identified as stale. -![Stale and active permissions](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissions.webp) +![Stale and active permissions](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissions.webp) In the Permissions report, the yellow icons show permissions that are active, and the green check marks show permissions that are stale. The example shows that Jazmina’s activity has used the List, Write, Delete, and Manage permissions but not the Read permission. It also shows there are at least three other trustees with stale permissions. -![Activity Statistics report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissionsevents.webp) +![Activity Statistics report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissionsevents.webp) The Activity Statisticsreport indicates that the trustee Jazmina has performed write, manage, and delete events on the selected resource. See the -[Activity Statistics Report](activitystatistics.md) topic for additional information. +[Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/activitystatistics.md) topic for additional information. 
-![Effective Access report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissionsaccess.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/stalepermissionsaccess.webp) The Effective Access report shows that Jazmina has access to the resource through the Group_Manage group, and the access is directly applied. See the -[Effective Access Report](effectiveaccess.md) topic for additional information. +[Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md index a2feb60826..140dd32c1f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sensitivecontent.md 
@@ -6,7 +6,7 @@ table with criteria matches visible to Access Information Center users with eith Security Team roles. The Matches table requires the **store discovered sensitive data** configuration for the Access Analyzer data collection or it will be blank. -![Sensitive Content report at the share and subfolder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharesensitivecontent.webp) +![Sensitive Content report at the share and subfolder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/sharesubfolder/sharesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md index 097b38734e..307945a7b0 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md 
@@ -2,9 +2,9 @@ The Activity report for imported data displays activity on the resource during the selected date range. The **Include Subfolders** option is active by default until removed. See the -[Results Pane](../navigate/overview.md#results-pane) topic for information on changing this option. +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity report for imported data](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/flexibleimports/activity.webp) +![Activity report for imported data](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/flexibleimports/activity.webp) This report is comprised of the following columns: @@ -29,4 +29,4 @@ This report is comprised of the following columns: - Process Name – Name of the process which performed the operation The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/permissions.md index f4537b71d1..ef3e098fa9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/permissions.md 
@@ -2,7 +2,7 @@ The Permissions report for imported data shows the permissions for trustees on the resource. -![Permissions report for imported data](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![Permissions report for imported data](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/quickreference.md index 1ff6fda8f4..f6b1307397 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/quickreference.md 
@@ -9,19 +9,19 @@ Environment Node Report | Report | Description | | ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Report](sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. 
| Environment > Host Level Reports | Report | Description | | ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Report](activity.md) | Provides details on activity across the resource for every activity logged during the selected date range. | -| [Sensitive Content Report](sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles . The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md) | Provides details on activity across the resource for every activity logged during the selected date range. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles . The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. 
| Environment > Host > Sub-level Reports | Report | Description | | ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Report](activity.md) | Displays activity on the resource during the selected date range. | -| [Permissions Report](permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/activity.md) | Displays activity on the resource during the selected date range. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria Matches that is visible to Access Information Center users with either Security Team Member or Administrator roles. 
The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md index fb7df15be9..ff8e1a9225 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/sensitivecontent.md @@ -5,10 +5,10 @@ where criteria matches were found on the selected resource. This report includes Access Information Center users with either Security Team Member or Administrator roles with criteria Matches. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. The **Include Subfolders** option is active by default -until removed. See the [Results Pane](../navigate/overview.md#results-pane) topic for information on +until removed. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Sensitive Content report for imported data](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sensitivecontent.webp) +![Sensitive Content report for imported data](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sensitivecontent.webp) This report is comprised of the following columns: 
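Review bot: The rewritten image line in flexibleimports/sensitivecontent.md still resolves to a file under `resourceaudit/sharepoint/` (`.../resourceaudit/sharepoint/sensitivecontent.webp`), although its alt text is "Sensitive Content report for imported data". The old relative path had the same target, so the rewrite only carried it over. Confirm that reusing the SharePoint screenshot here is intentional, or add a flexibleimports image and point this link at it.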
@@ -30,4 +30,4 @@ were found: - Sub File – File name if the sensitive data files reside in a PST file or a ZIP file The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/attributechanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/attributechanges.md index f6248b35ea..a3ca964fd4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/attributechanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/attributechanges.md @@ -3,7 +3,7 @@ The Attribute Changes report for a group object provides specific details for every attribute change to the audited group during the selected date range. -![Attribute Changes report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) +![Attribute Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/effectiveaccess.md index 2b2f441d67..535a264eb3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/effectiveaccess.md 
@@ -5,12 +5,12 @@ group has access to and what level of access has been granted. Effective access based on several variables according to the type of resource. This report includes a Permission Source table. -See the [Effective Access Report](../filesystem/sharesubfolder/effectiveaccess.md) topic for File +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for File Systems for additional information on the effective access calculations for file system resources. -See the [Effective Access Report](../sharepoint/sitecollections/effectiveaccess.md) topic for +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) topic for SharePoint for additional information on the effective access calculations for SharePoint resources. -![Effective Access report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) This report contains a list of all resources the audited group has the ability to access within the targeted environments. When this report is opened, the Access Information Center begins analyzing 
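Review bot: Both rewritten links in this group/effectiveaccess.md hunk now embed the version segment (`/docs/accessinformationcenter/12.0/...`), where the old `../filesystem/...` and `../sharepoint/...` forms were independent of the version directory. If this tree is copied to start the next version's docs, these links will keep pointing at the 12.0 pages. Either keep relative links for targets inside the same version tree, or document the step that rewrites the version segment when a new version is cut. The same applies to the other doc links converted in this patch.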
@@ -25,7 +25,7 @@ to load until all data has been analyzed for the audited group. The scoping options allow Access Information Center users to specifying what collected data should be analyzed in order to generate this report. Unlike other filter options, this can impact the loading time depending on the scoping options selected. See the -[Scope an Effective Access Report](../navigate/scopeeffectiveaccess.md) topic for instructions on +[Scope an Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md) topic for instructions on using this feature. This report is comprised of the following columns: @@ -51,7 +51,7 @@ The following rights are a normalized representation of the permissions granted There is one table at the bottom displaying Permission Source for the selected resource. It contains all of the ways the audited group has been granted rights to the selected resource. -![Permission Source table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) The number of rows for this table indicates the number of ways the audited group has been granted access to this resource. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/effectiveaccess.md index 65114a3f55..1423dbc7c4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/effectiveaccess.md 
@@ -5,12 +5,12 @@ Entra ID (formerly Azure Active Directory) group has access to and what level of granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. -See the [Effective Access Report](../../filesystem/sharesubfolder/effectiveaccess.md) topic for File +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for File Systems for additional information on the effective access calculations for file system resources. -See the [Effective Access Report](../../sharepoint/sitecollections/effectiveaccess.md) topic for +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) topic for SharePoint for additional information on the effective access calculations for SharePoint resources. -![Effective Access report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraid.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraid.webp) This report contains a list of all resources the audited Entra ID group has the ability to access within the targeted environments. When this report is opened, the Access Information Center begins 
@@ -25,7 +25,7 @@ to load until all data has been analyzed for the audited group. The scoping options allow Access Information Center users to specifying what collected data should be analyzed in order to generate this report. Unlike other filter options, this can impact the loading time depending on the scoping options selected. See the -[Scope an Effective Access Report](../../navigate/scopeeffectiveaccess.md) topic for instructions on +[Scope an Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md) topic for instructions on using this feature. This report is comprised of the following columns: @@ -51,7 +51,7 @@ The following rights are a normalized representation of the permissions granted There is one table at the bottom displaying Permission Source for the select resource. It contains all of the ways the audited Entra ID group has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraidtable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraidtable.webp) The number of rows for this table indicates the number of ways the audited Entra ID group has been granted access to this resource. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/memberof.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/memberof.md index afce0c4b69..7f1396726c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/memberof.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/memberof.md 
@@ -4,7 +4,7 @@ The Member Of report for a group object provides a list of all Entra Id (formerl Directory) groups of which the audited group is a member. This report includes a Membership Paths table. -![Member Of report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraid.webp) +![Member Of report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraid.webp) This report is comprised of the following columns: @@ -23,7 +23,7 @@ This report is comprised of the following columns: Since this report is a list of Entra ID groups, the Group Membership pane displays the group membership, including nested groups. -![Membership Paths table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraidtable.webp) +![Membership Paths table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraidtable.webp) There is one table at the bottom displaying Membership Paths for the selected Entra ID group. It contains all of the ways the audited group has been granted membership to the selected group. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/members.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/members.md index c110cc185e..ac7c22fae4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/members.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/members.md 
@@ -4,7 +4,7 @@ The Members report for a group object provides a list of all trustees, users, an membership in the audited Entra ID (formerly Azure Active Directory) group. This report includes a Membership Paths table. -![Members report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/membersentraid.webp) +![Members report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/membersentraid.webp) This report is comprised of the following columns: @@ -24,7 +24,7 @@ This report is comprised of the following columns: If the selected trustee is a group, the Group Membership pane displays the group membership, including nested groups. -![Membership Paths table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/membersentraidtable.webp) +![Membership Paths table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/membersentraidtable.webp) There is one table at the bottom displaying Membership Paths for the selected Entra ID group. It contains all of the ways the audited group has been granted membership to the selected group. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/permissions.md index 97bbe2b577..698190612e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/permissions.md 
@@ -4,9 +4,9 @@ The Permissions report for a group object provides a list of all resources where ID (formerly Azure Active Directory) group has been assigned permissions. The **Include Inherited** filter checkbox is active by default, which means the report displays both direct and inherited permissions unless modified by the Access Information Center user. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on filter options. +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on filter options. -![Permissions report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/permissionsentraid.webp) +![Permissions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/permissionsentraid.webp) This report is comprised of the following columns: @@ -35,4 +35,4 @@ The following columns display the combined direct and inherited rights: deny rights The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberchanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberchanges.md index bd933a5af1..a88ed576d3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberchanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberchanges.md 
@@ -3,7 +3,7 @@ The Member Changes report for a group object provides specific details for any membership changes to the audited group during the selected date range. -![Member Changes report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberchanges.webp) +![Member Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberchanges.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberof.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberof.md index 97a4a85c91..67d1349232 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberof.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberof.md @@ -3,7 +3,7 @@ The Member Of report for a group object provides a list of all groups of which the audited group is a member. This report includes a Membership Paths table. -![Member Of report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) +![Member Of report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/members.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/members.md index ededf28571..60048670e6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/members.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/members.md 
@@ -4,10 +4,10 @@ The Members report for a group object provides a list of all trustees, users, an membership in the audited group. This report includes a Membership Paths table. _Remember,_ the Members report for a built-in group contains different information to the other -group types. See the [Members Report for a Built-in Group](membersbuiltin.md) topic for additional +group types. See the [Members Report for a Built-in Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md) topic for additional information. -![Members report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/members.webp) +![Members report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/members.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md index 21aa54f8df..2df619bf17 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md @@ -6,7 +6,7 @@ membership in the audited group. This report includes a Membership Paths table. _Remember,_ the Members report for a built-in group contains different information than the other group types. -![Members report for a built-in group](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/membersbuiltin.webp) +![Members report for a built-in group](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/membersbuiltin.webp) This report is comprised of the following columns: 
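Review bot: The `_Remember,_` context line in this membersbuiltin.md hunk reads "different information than the other group types", while the same sentence in the members.md hunk just before it reads "different information to the other". The line after it in members.md is already being changed, so align the wording of the two topics in the same commit.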
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/objectpermissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/objectpermissions.md index b632865cb7..ea1a86807c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/objectpermissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/objectpermissions.md @@ -8,7 +8,7 @@ Analyzer solution. See the Active Directory Permissions Analyzer Solution topic [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information. -![Object Permissions report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) +![Object Permissions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md index 969c97f9bd..fdce30d565 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md 
@@ -1,7 +1,7 @@ # Group Reports Group reports are accessed through the Group Audit interface. You can access Group reports by -searching for group objects on the Home page. See the [Search Features](../navigate/search.md) topic +searching for group objects on the Home page. See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. The group object being reviewed is identified in the upper-left corner. The data within these reports is collected by the Access Analyzer solutions which provide data to the Resource reports. See the desired solution topics in the @@ -28,5 +28,5 @@ Built-in group reports are opened through a search conducted for any of the foll - Account Operators **NOTE:** The Members report for a built-in group contains different information than the other -group types. See the [Members Report for a Built-in Group](membersbuiltin.md) topic for additional +group types. See the [Members Report for a Built-in Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/permissions.md index c08dc50e1e..1e1367489e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/permissions.md 
@@ -3,10 +3,10 @@ The Permissions report for a group object provides a list of all resources where the audited group has been assigned permissions. The **Include Inherited** filter checkbox is active by default, which means the report displays both direct and inherited permissions unless modified by the Access -Information Center user. See the [Results Pane](../navigate/overview.md#results-pane) topic for +Information Center user. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on filter options. -![Permissions report](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![Permissions report](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) This report is comprised of the following columns: @@ -35,4 +35,4 @@ The following columns display the combined direct and inherited rights: deny rights The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/quickreference.md index 4eadc4df5d..fbaac2754b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/quickreference.md 
@@ -5,14 +5,14 @@ Directory Group: | Report | Description | | -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Attribute Changes Report](attributechanges.md) | Provides specific details for every attribute change to the audited group during the selected date range. | -| [Effective Access Report](effectiveaccess.md) | Provides insight into every resource the audited group has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | -| [Member Changes Report](memberchanges.md) | Provides specific details for any membership changes to the audited group during the selected date range. | -| [Member Of Report](memberof.md) | Provides a list of all groups of which the audited group is a member. This report includes a Membership Paths table. | -| [Members Report](members.md) | Provides a list of all trustees, users, and groups with membership in the audited group. This report includes a Membership Paths table. | -| [Members Report for a Built-in Group](membersbuiltin.md) | Provides a list of all trustees, users, and groups with membership in the audited built-in group. This report includes a Membership Paths table. | -| [Object Permissions Report](objectpermissions.md) | Provides details on Active Directory permissions to the object. | -| [Permissions Report](permissions.md) | Provides a list of all resources where the audited group has been assigned permissions. 
| +| [Attribute Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/attributechanges.md) | Provides specific details for every attribute change to the audited group during the selected date range. | +| [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/effectiveaccess.md) | Provides insight into every resource the audited group has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | +| [Member Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberchanges.md) | Provides specific details for any membership changes to the audited group during the selected date range. | +| [Member Of Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/memberof.md) | Provides a list of all groups of which the audited group is a member. This report includes a Membership Paths table. | +| [Members Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/members.md) | Provides a list of all trustees, users, and groups with membership in the audited group. This report includes a Membership Paths table. | +| [Members Report for a Built-in Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/membersbuiltin.md) | Provides a list of all trustees, users, and groups with membership in the audited built-in group. This report includes a Membership Paths table. | +| [Object Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/objectpermissions.md) | Provides details on Active Directory permissions to the object. 
| +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/permissions.md) | Provides a list of all resources where the audited group has been assigned permissions. | ## Entra ID Group Reports 
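Review bot: In the group/permissions.md hunk above (`@@ -3,10 +3,10 @@`), the new image line points at `/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp`, a path under the threatprevention image tree, for an Access Information Center group Permissions report. The removed line had the same target, so the rewrite preserved it, but the other group report images touched in this patch all live under `accessinformationcenter/access/informationcenter/resourceaudit/group/`. Check whether the intended screenshot is a `group/` image and correct the target while these lines are being edited.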
@@ -21,7 +21,7 @@ The following reports are available for selection within the Group Audit interfa | Report | Description | | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Effective Access Report for Entra ID Group](entraid/effectiveaccess.md) | Provides insight into every resource the audited Entra ID group has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | -| [Member Of Report for Entra ID Group](entraid/memberof.md) | Provides a list of all Entra ID groups of which the audited group is a member. This report includes a Membership Paths table. | -| [Members Report for Entra ID Group](entraid/members.md) | Provides a list of all trustees, users, and groups with membership in the audited Entra ID group. This report includes a Membership Paths table. | -| [Permissions Report for Entra ID Group](entraid/permissions.md) | Provides a list of all resources where the audited Entra ID group has been assigned permissions. | +| [Effective Access Report for Entra ID Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/effectiveaccess.md) | Provides insight into every resource the audited Entra ID group has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. 
| +| [Member Of Report for Entra ID Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/memberof.md) | Provides a list of all Entra ID groups of which the audited group is a member. This report includes a Membership Paths table. | +| [Members Report for Entra ID Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/members.md) | Provides a list of all trustees, users, and groups with membership in the audited Entra ID group. This report includes a Membership Paths table. | +| [Permissions Report for Entra ID Group](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/entraid/permissions.md) | Provides a list of all resources where the audited Entra ID group has been assigned permissions. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/overview.md index f89d0699e1..674ea18c5f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/overview.md @@ -3,5 +3,5 @@ The following reports are available at the database and collection levels: - Activity Report – Displayed but not populated at the database and collection level -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md index 1ea1219049..045b2d27e6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the database and collections level shows the permissions for the trustee on the selected resource. -![Permissions report at the database and collections level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) +![Permissions report at the database and collections level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md index ca6603a556..cc723f534f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md 
@@ -6,7 +6,7 @@ includes a table with criteria matches visible to Access Information Center user Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the database and collections level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) +![Sensitive Content report at the database and collections level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/overview.md index b8f8680005..f6ede78039 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/overview.md @@ -3,5 +3,5 @@ The following reports are available at the instance level: - Activity Report – Displayed but not populated at the instance level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md index e256bb15df..9e89854e59 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md @@ -6,7 +6,7 @@ matches visible to Access Information Center users with either Security Team Mem roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md index ebcd2bb861..a1351b13bf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md 
@@ -3,7 +3,7 @@ The Sensitive Content Summary report at the instance level provides a count of collections where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md index fda8f305a0..cfa437c1f5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md @@ -15,4 +15,4 @@ own node in the Access Information Center. MongoDB reports fall into the followi The following report is available at the **MongoDB** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/quickreference.md index 94bc93a067..643af8d320 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/quickreference.md 
@@ -8,7 +8,7 @@ The following report is available at the MongoDB node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of collections where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md) | Provides a count of collections where criteria matches were found in the targeted environment. This report includes a Details table. | ## MongoDB > Instance Level Reports 
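Review bot: the replaced row in the MongoDB node-level table is now much wider than the `| Report | Description |` header and the dash separator row that stay as context, so the table source no longer lines up. Re-pad the header and separator rows in this same hunk (or run the Markdown formatter over the file) so later diffs to this table stay readable.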
@@ -16,8 +16,8 @@ The following reports are available at the instance level: | Report | Description | | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](instance/sensitivecontentdetails.md) | Provides details of collections where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](instance/sensitivecontentsummary.md) | Provides a count of collections where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentdetails.md) | Provides details of collections where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/instance/sensitivecontentsummary.md) | Provides a count of collections where criteria matches were found on the selected instance. 
This report includes a Details table. | ## MongoDB > Instance > Databases Node Reports 
@@ -25,8 +25,8 @@ The following reports are available at the Databases node level: | Report | Description | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasecollection/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasecollection/sensitivecontent.md) | Provides a list of paths and a hit count per collection where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md) | Provides a list of paths and a hit count per collection where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. 
| ## MongoDB > Instance > Databases Node > Database and Collection Level Reports 
@@ -34,5 +34,5 @@ The following reports are available at the database and collection level: | Report | Description | | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasecollection/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasecollection/sensitivecontent.md) | Provides a list of paths and a hit count per collection where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/databasecollection/sensitivecontent.md) | Provides a list of paths and a hit count per collection where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md index 4130b0557c..553cd1b5c7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **MongoDB** node provides a count of collections where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report at the MongoDB node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report at the MongoDB node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/overview.md index 51f2b74964..fcf61031c4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the database and table levels: - Activity Report – Displayed but not populated at the database and table levels -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md index 20f698991b..cb7e2634b1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the database and table level shows the permissions for the trustee on the selected resource. -![Permissions report at the database and tables level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) +![Permissions report at the database and tables level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md index 57c313fbdf..e3f56c0319 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md @@ -6,7 +6,7 @@ table with criteria matches visible to Access Information Center users with eith Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the database and table level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) +![Sensitive Content report at the database and table level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/overview.md index b8f8680005..1eef047eab 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the instance level: - Activity Report – Displayed but not populated at the instance level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md index e5943b5c6e..95a10ba324 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md @@ -6,7 +6,7 @@ visible to Access Information Center users with either Security Team Member or A The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: 
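Review bot: the image on the MySQL instance-level Sensitive Content Details page resolves under `.../resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp` both before and after this hunk, and the path rewrite carries that over unchanged. Confirm that the PostgreSQL screenshot is intentionally shared with the MySQL page; if it is not, note it as a follow-up, since a bulk link rewrite like this one makes the cross-product reference easy to miss.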
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md index f421aceb04..95ac9b671c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the instance level provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md index 7d7212cc15..96be0ba613 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md @@ -14,4 +14,4 @@ node in the Access Information Center. MySQL reports fall into the following cat The following report is available at the **MySQL** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/quickreference.md index e6f50c7811..75960dcfe7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/quickreference.md @@ -8,7 +8,7 @@ The following report is available at the MySQL node level: | Report | Description | | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | ## MySQL > Instance Level Reports 
@@ -16,8 +16,8 @@ The following reports are available at the instance level: | Report | Description | | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. 
| ## MySQL > Instance > Databases Node Reports 
@@ -25,8 +25,8 @@ The following reports are available at the Databases node level: | Report | Description | | -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasetables/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasetables/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## MySQL > Instance > Database Node > Database and Table Level Reports 
@@ -34,5 +34,5 @@ The following reports are available at the database and table levels: | Report | Description | | -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasetables/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasetables/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/databasetables/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md index 4fcfcebae9..f9bec38f7d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **MySQL** node provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report at the MySQL node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report at the MySQL node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/computer.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/computer.md index c3c86fea6b..f08f2469ae 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/computer.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/computer.md 
@@ -1,10 +1,10 @@ # Computer Audit Interface The Computer Audit interface is opened by searching for a particular computer. See the -[Search Features](search.md) topic for additional information. It contains three panes in all audit +[Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. It contains three panes in all audit interfaces: Reports, Results, and Group Membership. -![Computer Audit Interface](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/computerauditinterface.webp) +![Computer Audit Interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/computerauditinterface.webp) The computer being audited is identified at the top of the interface as part of the interface -breadcrumb. See the [Computer Reports](../computer/overview.md) topic for additional information. +breadcrumb. See the [Computer Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/group.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/group.md index f5c388498d..8236a71f43 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/group.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/group.md 
@@ -1,10 +1,10 @@ # Group Audit Interface The Group Audit interface is opened by searching for a particular Active Directory or Entra ID -group. See the [Search Features](search.md) topic for additional information. It contains three +group. See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. It contains three panes in all audit interfaces: Reports, Results, and Group Membership. -![Group Audit Interface](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/groupauditinterface.webp) +![Group Audit Interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/groupauditinterface.webp) The group being audited is identified at the top of the interface as part of the interface -breadcrumb. See the [Group Reports](../group/overview.md) topic for additional information. +breadcrumb. See the [Group Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/icons.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/icons.md index e040e2001e..3429360266 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/icons.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/icons.md 
@@ -9,53 +9,53 @@ The following table contains icons for resource types: | Icon | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| ![File System icon](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/filesystem.webp) | File System | -| ![Windows Server icon](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) | Windows Server | -| ![Server icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/server.webp) | Server | -| ![Policies icon](../../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) | Policies | -| ![Shares icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/shares.webp) | Shares | -| ![Share icon](../../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/share.webp) | Share | -| ![Folder icon](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) | Folder | -| ![File icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/file.webp) | File | -| ![Permission Change icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/permissionchange.webp) | Permission Change | -| ![Exception icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/exception.webp) | Exception | -| ![SharePoint icon](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepoint.webp) | SharePoint | -| ![Web Application 
icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/webapplication.webp) | Web Application | -| ![Site Collection icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/sitecollection.webp) | Site Collection | -| ![OneDrive icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/onedrive.webp) | OneDrive | -| ![Web Application Url icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/webapplicationurl.webp) | Web Application Url | -| ![Site icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/site.webp) | Site | -| ![Library icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/library.webp) | Library | -| ![List icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/list.webp) | List | -| ![Unknown custom node icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unknowncustom.webp) | Unknown, custom node | -| ![Active Directory icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) | Active Directory | -| ![Domain icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) | Domain | -| ![Box icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/box.webp) | Box | -| ![Google Drive icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/googledrive.webp) | 
Google Drive | -| ![Exchange icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange.webp) | Exchange | -| ![SQL Server/Azure SQL icon](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sql.webp) | SQL Server or Azure SQL | -| ![Microsoft Teams icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/teams.webp) | Microsoft Teams | -| ![MongoDB icon](../../../../../../../static/img/product_docs/changetracker/changetracker/install/mongodb.webp) | MongoDB | -| ![Office 365 icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/office365.webp) | Office 365 | -| ![Salesforce icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/salesforce.webp) | Salesforce | -| ![VMware icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/vmware.webp) | VMware | -| ![Hyper-V icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/hyperv.webp) | Hyper-V | -| ![Amazon icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/amazon.webp) | Amazon | -| ![Dropbox icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/dropbox.webp) | Dropbox | -| ![PostgreSQL icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/postgresql.webp) | PostgreSQL | -| ![MySQL icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/mysql.webp) | MySQL | -| ![Oracle SQL 
icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) | Oracle SQL | -| ![GitHub icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/github.webp) | GitHub | -| ![Snowflake icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/snowflake.webp) | Snowflake | -| ![Administrative icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/administrative.webp) | Administrative | -| ![User/Schema icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/schemauser.webp) | User or Schema | -| ![Group icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/groupresource.webp) | Group | -| ![Server/Virtual Machine icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/servervm.webp) | Server or Virtual Machine | -| ![Instance/Database icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/instancedatabase.webp) | Instance or Database | -| ![Table icon](../../../../../../../static/img/product_docs/accessanalyzer/admin/report/wizard/table.webp) | Table | -| ![Function/Procedure icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/functionprocedure.webp) | Function or Procedure | -| ![View icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/view.webp) | View | -| ![Index icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/index.webp) | Index | +| 
![File System icon](/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/filesystem.webp) | File System | +| ![Windows Server icon](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) | Windows Server | +| ![Server icon](/img/product_docs/accessanalyzer/admin/settings/server.webp) | Server | +| ![Policies icon](/img/product_docs/accessanalyzer/requirements/target/config/policies.webp) | Policies | +| ![Shares icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/shares.webp) | Shares | +| ![Share icon](/img/product_docs/activitymonitor/config/activedirectory/share.webp) | Share | +| ![Folder icon](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) | Folder | +| ![File icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/file.webp) | File | +| ![Permission Change icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/permissionchange.webp) | Permission Change | +| ![Exception icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/exception.webp) | Exception | +| ![SharePoint icon](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepoint.webp) | SharePoint | +| ![Web Application icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/webapplication.webp) | Web Application | +| ![Site Collection icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/sitecollection.webp) | Site Collection | +| ![OneDrive icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/onedrive.webp) | OneDrive | +| ![Web Application Url icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/webapplicationurl.webp) | Web Application Url | +| ![Site 
icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/site.webp) | Site | +| ![Library icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/library.webp) | Library | +| ![List icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/list.webp) | List | +| ![Unknown custom node icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unknowncustom.webp) | Unknown, custom node | +| ![Active Directory icon](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) | Active Directory | +| ![Domain icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) | Domain | +| ![Box icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/box.webp) | Box | +| ![Google Drive icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/googledrive.webp) | Google Drive | +| ![Exchange icon](/img/product_docs/accessanalyzer/admin/settings/exchange.webp) | Exchange | +| ![SQL Server/Azure SQL icon](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sql.webp) | SQL Server or Azure SQL | +| ![Microsoft Teams icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/teams.webp) | Microsoft Teams | +| ![MongoDB icon](/img/product_docs/changetracker/changetracker/install/mongodb.webp) | MongoDB | +| ![Office 365 icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/office365.webp) | Office 365 | +| ![Salesforce icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/salesforce.webp) | Salesforce | +| ![VMware icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/vmware.webp) | VMware | +| ![Hyper-V 
icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/hyperv.webp) | Hyper-V | +| ![Amazon icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/amazon.webp) | Amazon | +| ![Dropbox icon](/img/product_docs/accessanalyzer/admin/settings/connection/profile/dropbox.webp) | Dropbox | +| ![PostgreSQL icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/postgresql.webp) | PostgreSQL | +| ![MySQL icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/mysql.webp) | MySQL | +| ![Oracle SQL icon](/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) | Oracle SQL | +| ![GitHub icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/github.webp) | GitHub | +| ![Snowflake icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/snowflake.webp) | Snowflake | +| ![Administrative icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/administrative.webp) | Administrative | +| ![User/Schema icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/schemauser.webp) | User or Schema | +| ![Group icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/groupresource.webp) | Group | +| ![Server/Virtual Machine icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/servervm.webp) | Server or Virtual Machine | +| ![Instance/Database icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/instancedatabase.webp) | Instance or Database | +| ![Table icon](/img/product_docs/accessanalyzer/admin/report/wizard/table.webp) | Table | +| ![Function/Procedure 
icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/functionprocedure.webp) | Function or Procedure | +| ![View icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/view.webp) | View | +| ![Index icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/index.webp) | Index | ## Trustee Types Icons 
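Review bot: In the resource-type icon table (@@ -9,53), the rewritten paths still load many icons from other products' image trees, for example `/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/filesystem.webp` for File System and `/img/product_docs/changetracker/changetracker/install/mongodb.webp` for MongoDB. The path rewrite keeps that cross-product coupling, so a reorganisation or removal of another product's images would break this page without any change to Access Information Center files. Consider copying these icons into `/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/`, where `shares.webp` and `file.webp` already live, and pointing the rows there. Minor: the separator row is left as context and no longer matches the new cell widths, so the table source is misaligned; re-running the formatter on this file would tidy that.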
@@ -63,11 +63,11 @@ The following table contains icons for trustee types: | Icon | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | -| ![Unknown icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unknowntrustee.webp) | Unknown | -| ![Security/Domain Principal icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/principal.webp) | Security Principal or Domain Principal | -| ![User icon](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) | User – Local, Domain, SharePoint, or Unix | -| ![Group icon](../../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) | Group – Local, Domain, SharePoint, or Unix | -| ![Unsupported icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unsupported.webp) | Unsupported | -| ![Service Account icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/serviceaccount.webp) | Service Account | -| ![Computer icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/computer.webp) | Computer | -| ![Azure Contact icon](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/azurecontact.webp) | Azure Contact | +| ![Unknown icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unknowntrustee.webp) | Unknown | +| ![Security/Domain Principal 
icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/principal.webp) | Security Principal or Domain Principal | +| ![User icon](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) | User – Local, Domain, SharePoint, or Unix | +| ![Group icon](/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) | Group – Local, Domain, SharePoint, or Unix | +| ![Unsupported icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/unsupported.webp) | Unsupported | +| ![Service Account icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/serviceaccount.webp) | Service Account | +| ![Computer icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/computer.webp) | Computer | +| ![Azure Contact icon](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/azurecontact.webp) | Azure Contact | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md index c4d8e397ba..009d2cc793 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md 
@@ -2,7 +2,7 @@ The audit interfaces are accessible from the home page of the Access Information Center. -![Home page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/auditinterface.webp) +![Home page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/auditinterface.webp) The **Resource Audit** button opens the Resource Audit interface. The search features, which include a search bar and a Recent Searches box, can be used to open any audit interface. @@ -12,7 +12,7 @@ a search bar and a Recent Searches box, can be used to open any audit interface. All audit interfaces consist of at least three components, and the Resource Audit interface includes a fourth pane. -![Interface components](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/interfacecomponents.webp) +![Interface components](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/interfacecomponents.webp) The main section of the audit interface is the Results pane. On the right-side of the page are the Reports and Group Membership panes. On the Resource Audit interface, the Resources pane is to the @@ -28,7 +28,7 @@ left of the Results pane. Theses panes have the following functions: The Reports pane lists available reports based on the type of resource selected. -![Reports pane](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/reportspane.webp) +![Reports pane](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/reportspane.webp) The report for the selected resource displays in the Results pane. 
@@ -37,10 +37,10 @@ The report for the selected resource displays in the Results pane. The Results pane displays report data based on the selections in both the Resources pane and the Reports pane. Reports may consist of multiple tables and graphs. -![Results pane](../../../../../../../static/img/product_docs/accessanalyzer/admin/navigate/resultspane.webp) +![Results pane](/img/product_docs/accessanalyzer/admin/navigate/resultspane.webp) Tables and graphs that display at the bottom of the pane vary according to the selected report. See -the [Data Grid Features](../../../general/datagrid.md) topic for additional information on table +the [Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information on table options. See the individual report topics for specific information on columns and displayed data for a report. @@ -54,7 +54,7 @@ There are two checkbox options depending on the report selected: a yellow icon is displayed for the permission type to indicate the access level used to perform the activity. Therefore, access level cells not highlighted when activity is being monitored represent permissions that are identified as stale. See the - [Stale Permissions](../filesystem/sharesubfolder/permissions.md#stale-permissions) topic for + [Stale Permissions](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md#stale-permissions) topic for additional information. #### Activity Report Results Pane Features 
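Review bot: The new Stale Permissions link in the @@ -54,7 hunk hard-codes the version directory: `/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/permissions.md#stale-permissions`. The relative form it replaces, `../filesystem/sharesubfolder/permissions.md#stale-permissions`, stayed inside whichever version directory the file was in. If this tree is copied to create the next version, the absolute link will still resolve, but to the 12.0 page, so a broken-link check will not flag it. The Data Grid Features link in the @@ -37,10 hunk has the same issue. Either keep relative links for references within the same version, or add a check that the version segment of each `/docs/accessinformationcenter/` link matches the directory of the file containing it.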
@@ -73,7 +73,7 @@ Trend Graphs Trend graphs are line graphs that provide a visual representation of the activity that occurred over the selected date range. -![trendgraph](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/trendgraph.webp) +![trendgraph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/trendgraph.webp) The vertical axis (X-axis) is the activity count value for the graph (unit is the number of events). The horizontal axis (Y-axis) is the time line for the graph. The legend identifies what the colors @@ -81,7 +81,7 @@ represent. Hover over any point on the graph for the details to appear. Trend gr to only display specific objects from the legend. Deselect an object in the legend to remove that object from the graph, only showing the remaining objects. -![Trend graph with Writes line removed](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/trendgraphremoved.webp) +![Trend graph with Writes line removed](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/trendgraphremoved.webp) For example, if the **Writes** operation is deselected, only the operations of **Reads**, **Deletes**, and **Manages** remain on the line graph. 
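Review bot: In the @@ -73,7 hunk, the rewritten image line keeps the alt text `trendgraph`, which is the file name rather than a description; the second image in the @@ -81,7 hunk already uses "Trend graph with Writes line removed". Since this line is being touched anyway, change it to something like `![Trend graph]`. Also in the @@ -73,7 context, the text reads "The vertical axis (X-axis) is the activity count" and "The horizontal axis (Y-axis) is the time line", which has the axis labels swapped relative to the usual convention (horizontal X, vertical Y). That is outside the scope of a path rewrite, but worth a follow-up fix.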
@@ -91,11 +91,11 @@ For example, if the **Writes** operation is deselected, only the operations of * The Group Membership pane list members for an Active Directory or Entra ID group selected in the Results pane. Groups can also be searched for using the textbox at the top of the pane. -![Group Membership pane](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) +![Group Membership pane](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) All group members are listed, including any nested group membership. The **Change Group Membership** button displays any access changes being modeled. This is a primary component of change modeling. -See the [Change Modeling](../changemodeling/overview.md) topic for additional information. +See the [Change Modeling](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md) topic for additional information. **NOTE:** If the Access Information Center has been configured to commit changes to Active Directory, then there is a **Commit** button within the **Changes** window. Click **Commit** to @@ -112,7 +112,7 @@ the **Change Access** button in the Owner portal to commit changes. In the upper-left corner of every interface, with the exception of the home page, is the Access Information Center Console navigation path, or breadcrumb. -![Interface breadcrumb](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/breadcrumb.webp) +![Interface breadcrumb](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/breadcrumb.webp) In this example, the path is **Home > Resource Audit**. If a link from a resource report is used to view a particular user audit, it would read **Home > Resource Audit > User Audit**. Clicking any 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md index 23a1f26483..566020421c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md 
@@ -8,18 +8,18 @@ the search features to open a filtered view for a resource. Available reports vary based on the type of resource and the level within the resource. See the following topics for specific report details: -- [File System Reports](../filesystem/overview.md) -- [SharePoint Reports](../sharepoint/overview.md) -- [Active Directory Reports](../activedirectory/overview.md) -- [Amazon (AWS) Reports](../aws/overview.md) -- [Dropbox Reports](../dropbox/overview.md) -- [Exchange Reports](../exchange/overview.md) -- [MongoDB Reports](../mongodb/overview.md) -- [MySQL Reports](../mysql/overview.md) -- [Oracle Reports](../oracle/overview.md) -- [PostgreSQL Reports](../postgresql/overview.md) -- [SQL Server Reports](../sql/overview.md) -- [Flexible Imports Feature](../flexibleimports/overview.md) +- [File System Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md) +- [SharePoint Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md) +- [Active Directory Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md) +- [Amazon (AWS) Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md) +- [Dropbox Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md) +- [Exchange Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md) +- [MongoDB Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md) +- [MySQL Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md) +- [Oracle Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md) +- [PostgreSQL 
Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md) +- [SQL Server Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md) +- [Flexible Imports Feature](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/overview.md) ## Resources Pane @@ -28,7 +28,7 @@ available resources. Only those resource environments that have been scanned by introduced to the Access Information Center with Flexible Imports are available. Explore the desired resource by expanding the levels. -![Resources pane](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/resourcespane.webp) +![Resources pane](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/resourcespane.webp) Select a resource in the Resources pane and a report in the Reports pane to to view the report data in the Results pane. Hover over any icon in the Access Information Center interface to view its @@ -59,4 +59,4 @@ pane. These icons are designed to draw attention to resources where potential security concerns may exist. **NOTE:** The Domain Group icon is used to indicate both Active Directory groups and Entra ID -groups. See the [AIC Icons ](icons.md)topic for additional information. +groups. See the [AIC Icons ](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/icons.md)topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md index c120f9f7fa..5efc3f1cd7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md @@ -4,12 +4,12 @@ Once an Effective Access report’s loading process has stopped, either by compl the targeted environments or via the **Cancel** button, follow the steps to change the scoping settings. -![Scope button](../../../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Scope button](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 1 –** Click **Scope** at the top of the report in the Results pane. The Scope Configuration window opens. -![Scope Configuration window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/scopeconfiguration.webp) +![Scope Configuration window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/scopeconfiguration.webp) **Step 2 –** There are three scoping options that can be applied individually or in any combination: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md index d7269c3dc4..baf6252614 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md @@ -2,7 +2,7 @@ The Search features consist of the search bar and the Recent Searches box on the home page. -![Search features](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/searchfeatures.webp) +![Search features](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/searchfeatures.webp) Selecting a search object from either the search bar or the Recent Searches box opens the associated audit interface. 
@@ -18,7 +18,7 @@ with `SDD` followed by a space. The **Recent Searches** box displays all recent searches conducted by the current Access Information Center user. -![Recent Searches box](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/recentsearches.webp) +![Recent Searches box](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/recentsearches.webp) The last searched object is always at the top of the list. A timestamp indicates when the search was conducted. The historical searches included within this box were conducted by the logged in Access diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/sensitivecontent.md index 9f7afb1303..f7dd2bdbcd 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/sensitivecontent.md @@ -1,7 +1,7 @@ # Sensitive Content Audit Interface The Sensitive Content Audit interface is opened by searching for a particular criteria value. See -the [Search Features](search.md) topic for additional information. It contains three panes in all +the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. It contains three panes in all audit interfaces: Reports, Results, and Group Membership. In order to enable the criteria match search feature, the **Store discovered sensitive data** option 
@@ -10,8 +10,8 @@ relevant solution topic in the [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information on the data collection options. -![Sensitive Content Audit Interface](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/files.webp) +![Sensitive Content Audit Interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/files.webp) The criterion being audited is identified at the top of the interface as part of the interface -breadcrumb. See the [Sensitive Content Reports](../sensitivecontent/overview.md) topic for +breadcrumb. See the [Sensitive Content Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/user.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/user.md index 33ca5e00ae..31a2375763 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/user.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/user.md 
@@ -1,10 +1,10 @@ # User Audit Interface The User Audit interface is opened by searching for a particular Active Directory or Entra ID user. -See the [Search Features](search.md) topic for additional information. It contains three panes in +See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. It contains three panes in all audit interfaces: Reports, Results, and Group Membership. -![User Audit Interface](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/userauditinterface.webp) +![User Audit Interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/userauditinterface.webp) The user being audited is identified at the top of the interface as part of the interface -breadcrumb. See the [User Reports](../user/overview.md) topic for additional information. +breadcrumb. See the [User Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/overview.md index 9621bcfbb6..a9f3b7aa44 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the database and library levels: - Activity Report – Displayed but not populated at the database and library level -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md index 37525eae4e..86a874d4f2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the database and library level shows the permissions for the trustee on the selected resource. -![Permissions report at the database and library level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) +![Permissions report at the database and library level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md index efff0e92b9..8e6e690495 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md @@ -6,7 +6,7 @@ second table with criteria matches visible to Access Information Center users wi Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the database and library level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) +![Sensitive Content report at the database and library level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/overview.md index b8f8680005..1fb6756df8 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the instance level: - Activity Report – Displayed but not populated at the instance level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md index e5943b5c6e..95a10ba324 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md @@ -6,7 +6,7 @@ visible to Access Information Center users with either Security Team Member or A The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md index cdc14a8e17..a576d4b7b4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the instance level provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md index 2dd86d292c..a9a75809c5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md 
@@ -14,4 +14,4 @@ own node in the Access Information Center. Oracle reports fall into the followin The following report is available at the **Oracle** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/quickreference.md index aeb7cca163..9d7790df0b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/quickreference.md @@ -8,7 +8,7 @@ The following report is available at the Oracle node level: | Report | Description | | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | ## Oracle > Instance Level Reports 
@@ -16,8 +16,8 @@ The following reports are available at the instance level: | Report | Description | | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. 
| ## Oracle > Instance > Databases Node Reports 
@@ -25,8 +25,8 @@ The following reports are available at the Databases node level: | Report | Description | | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databaselibrary/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databaselibrary/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## Oracle > Instance > Databases Node > Database and Library Level Reports 
@@ -34,5 +34,5 @@ The following reports are available at the database and library level: | Report | Description | | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databaselibrary/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databaselibrary/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/databaselibrary/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md index 34bff8f3da..2786a2bb7f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **Oracle** node provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report at the Oracle node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report at the Oracle node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md index 63cdb6bfe3..08c05a9ddf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md 
@@ -31,18 +31,18 @@ The Resource reports provide insight into: See the following topics for additional information on specific resource reports: -- [File System Reports](filesystem/overview.md) -- [SharePoint Reports](sharepoint/overview.md) -- [Active Directory Reports](activedirectory/overview.md) -- [Amazon (AWS) Reports](aws/overview.md) -- [Dropbox Reports](dropbox/overview.md) -- [Exchange Reports](exchange/overview.md) -- [MongoDB Reports](mongodb/overview.md) -- [MySQL Reports](mysql/overview.md) -- [Oracle Reports](oracle/overview.md) -- [PostgreSQL Reports](postgresql/overview.md) -- [SQL Server Reports](sql/overview.md) -- [Flexible Imports Feature](flexibleimports/overview.md) +- [File System Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/overview.md) +- [SharePoint Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md) +- [Active Directory Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/activedirectory/overview.md) +- [Amazon (AWS) Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/aws/overview.md) +- [Dropbox Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/dropbox/overview.md) +- [Exchange Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/exchange/overview.md) +- [MongoDB Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mongodb/overview.md) +- [MySQL Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/mysql/overview.md) +- [Oracle Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/oracle/overview.md) +- [PostgreSQL Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md) +- [SQL Server 
Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md) +- [Flexible Imports Feature](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/overview.md) ## User Reports @@ -51,7 +51,7 @@ The User reports provide insight into: - The resources a particular user has access to - What a user is doing with their access -See the [User Reports](user/overview.md) topic for additional information. +See the [User Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md) topic for additional information. ## Group Reports @@ -61,7 +61,7 @@ The Group reports provide insight into: - The members of the group - What group membership changes have occurred -See the [Group Reports](group/overview.md) topic for additional information. +See the [Group Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/group/overview.md) topic for additional information. ## Computer Reports @@ -71,13 +71,13 @@ The Computer reports provide insight into: - What a computer is doing with it's access - What Active Directory permissions are applied to the computer object -See the [Computer Reports](computer/overview.md) topic for additional information. +See the [Computer Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/computer/overview.md) topic for additional information. ## Sensitive Content Reports The Sensitive Content reports provide insight into which files contain specific sensitive data. -See the [Sensitive Content Reports](sensitivecontent/overview.md) topic for additional information. +See the [Sensitive Content Reports](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md) topic for additional information. ## Flexible Imports 
@@ -87,7 +87,7 @@ Reports associated with the flexible imports provide insight into: - What trustees are doing with their access - What potentially sensitive data exists across the targeted environment -See the [Flexible Imports Feature](flexibleimports/overview.md) topic for additional information. +See the [Flexible Imports Feature](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/flexibleimports/overview.md) topic for additional information. ## Access & Membership Change Modeling @@ -96,4 +96,4 @@ be taken to adjust a trustee’s access to a specific resource, as well as what will have on that trustee’s access across the targeted file system and Active Directory environments. -See the [Change Modeling](changemodeling/overview.md) topic for additional information. +See the [Change Modeling](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/overview.md index 51f2b74964..74fe12f4db 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the database and table levels: - Activity Report – Displayed but not populated at the database and table levels -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md index 20f698991b..cb7e2634b1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the database and table level shows the permissions for the trustee on the selected resource. -![Permissions report at the database and tables level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) +![Permissions report at the database and tables level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md index 57c313fbdf..e3f56c0319 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md @@ -6,7 +6,7 @@ table with criteria matches visible to Access Information Center users with eith Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the database and table level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) +![Sensitive Content report at the database and table level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/overview.md index b8f8680005..8c64ca81a5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the instance level: - Activity Report – Displayed but not populated at the instance level -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md index e5943b5c6e..95a10ba324 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md @@ -6,7 +6,7 @@ visible to Access Information Center users with either Security Team Member or A The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md index 12d3e35d34..68d3153baa 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the instance level provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md index 85dfa10674..0df79f6c3c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/overview.md @@ -16,4 +16,4 @@ categories: The following report is available at the **PostgreSQL** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/quickreference.md index 9f113030c2..1800c78621 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/quickreference.md @@ -8,7 +8,7 @@ The following report is available at the PostgreSQL node level: | Report | Description | | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md) | Provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. | ## PostgreSQL > Instance Level Reports 
@@ -16,8 +16,8 @@ The following reports are available at the instance level: | Report | Description | | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Details Report](instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. 
This report includes a Details table. | ## PostgreSQL > Instance > Databases Node Reports 
@@ -25,8 +25,8 @@ The following reports are available at the Databases node level: | Report | Description | | ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasetable/sensitivecontent.md) | Provides a list of tables and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md) | Provides a list of tables and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## PostgreSQL > Instance > Database Node > Database and Table Level Reports 
@@ -34,5 +34,5 @@ The following reports are available at the database and table levels: | Report | Description | | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Permissions Report](databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasetable/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/databasetable/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md index e67f3a5c78..80e08d3f5d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the **PostgreSQL** node provides a count of databases where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content Summary report at the PostgreSQL node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content Summary report at the PostgreSQL node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/files.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/files.md index b4704188fa..424a706e32 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/files.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/files.md 
@@ -10,7 +10,7 @@ additional tables: - Permissions – Displays information on the trustees with effective access to the parent object or folder that contains the selected sensitive data file -![Files report for sensitive content](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/files.webp) +![Files report for sensitive content](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/files.webp) This report is comprised of the following columns: @@ -42,7 +42,7 @@ selected date. It will be blank if any of the following are true: - The activity collection job within Access Analyzer for the environment have not been run - There were no operation events logged on the selected file for the selected date range -![Activity table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/activitytable.webp) +![Activity table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/activitytable.webp) This table is comprised of the following columns: @@ -73,7 +73,7 @@ This table is comprised of the following columns: The Permissions table displays information on the trustees with effective access to the parent object or folder housing the selected sensitive data file. -![Permissions table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/permissionstable.webp) +![Permissions table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sensitivecontent/permissionstable.webp) This table is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md index 79ea2100a4..e951da0ab5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/overview.md @@ -3,7 +3,7 @@ Sensitive Content reports are accessed through the Content Audit interface. You can access Sensitive Content reports by searching for sensitive data criterion or values on the Home page. These searches must be preceded by `SDD` and a space, for example `SDD credit cards`. Searches are not case -sensitive. See the [Search Features](../navigate/search.md) topic for additional information. The +sensitive. See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. The sensitive data being reviewed is identified in the upper-left corner. The data within these reports is collected by the Access Analyzer solutions which provide data to the Resource reports. See the desired solution topic in the diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/quickreference.md index 0beb9dc33d..e6be694683 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/quickreference.md 
@@ -4,4 +4,4 @@ The following report is available for selection within the Content Audit interfa | Report | Description | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Files Report](files.md) | Provides a list of all files for the targeted environments which have matches to the searched Sensitive Data Discovery criteria. This report includes additional tables: - Matches – Displays information on the criteria hits found on the selected file - Activity – Displays information on activity performed on the selected file during the selected date range - Permissions – Displays information on the trustees with effective access to the parent object or folder that contains the selected sensitive data file | +| [Files Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sensitivecontent/files.md) | Provides a list of all files for the targeted environments which have matches to the searched Sensitive Data Discovery criteria. This report includes additional tables: - Matches – Displays information on the criteria hits found on the selected file - Activity – Displays information on activity performed on the selected file during the selected date range - Permissions – Displays information on the trustees with effective access to the parent object or folder that contains the selected sensitive data file | 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md index 0d35d28f20..d45cb5b105 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md @@ -4,7 +4,7 @@ The Exceptions report at the **SharePoint** node provides a list of exceptions t across the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. -![Exceptions report at the SharePoint node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) +![Exceptions report at the SharePoint node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This table will be blank if no exceptions diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md index 8e5d99892d..abe61357b7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md 
@@ -3,7 +3,7 @@ The Exceptions report at the **Exceptions** node provides a list of exceptions found on the farm/instance. This report includes a Details table. -![Exceptions report at the Exceptions node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) +![Exceptions report at the Exceptions node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This report is comprised of the following diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md index ed119d9cfb..12ef4b8697 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md @@ -4,7 +4,7 @@ The Exceptions report at the exception type level provides details on the select An exception is defined as a problem or risk to data governance security. This report includes a Permission Source table. -![Exceptions report at the exception type level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) +![Exceptions report at the exception type level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/activedirectory/exceptions/exceptionsbytype.webp) This report is comprised of the following columns: 
@@ -17,7 +17,7 @@ displays the group membership, including nested groups. There is one table at the bottom displaying Permission Source for the select trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytypetable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/exceptions/exceptionsbytypetable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/overview.md index cf76e0b0fa..11a8b020d2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/overview.md @@ -2,7 +2,7 @@ The following report is available at the **Exceptions** node: -- [Exceptions Report](exceptions.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md) The Exceptions node displays when exceptions have been identified on the selected farm/instance. When it is present, it can be expanded to view the exception type level reports. The following nodes 
@@ -19,4 +19,4 @@ identified: or Entra ID for online instances, have been granted access The Exceptions report for each exception type level displays filtered exception information. See the -[Exceptions by Type Report](exceptionsbytype.md) topic for the report details. +[Exceptions by Type Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md) topic for the report details. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md index ea3a09611e..59ba8eaec5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md @@ -4,7 +4,7 @@ The Activity Details report at the on-premise farm and online instance levels pr activity event information by user on the selected farm during the specified date range. This report includes a line graph for Active Users Trend. -![Activity Details report at the on-premise farm and online instance levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceactivitydetails.webp) +![Activity Details report at the on-premise farm and online instance levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceactivitydetails.webp) This report is comprised of the following columns: 
@@ -30,15 +30,15 @@ This report is comprised of the following columns: - Process Name – Name of the process which performed the operation The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There is one line graph at the bottom displaying Active Users Trend for the selected resource. -![Active Users Trend graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceactivitydetailstrendgraph.webp) +![Active Users Trend graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceactivitydetailstrendgraph.webp) The Active Users Trend line graph provides a visual representation of the number of active users over the selected date range. It indicates how many users are performing activity per day. See the -[Activity Report Results Pane Features](../../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the trend graph. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md index 84c3d66ff8..aab08bb1a6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md 
@@ -3,7 +3,7 @@ The Anonymous Access Links report at the online instance level displays files that have access links generated to be shared with people outside the organization (guest/anonymous users). -![Anonymous Access Links report at the online instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceanonymousaccesslinks.webp) +![Anonymous Access Links report at the online instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceanonymousaccesslinks.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md index b47759b488..b4ea1eed7e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md 
@@ -3,7 +3,7 @@ The Exceptions report at the on-premise farm and online instance levels provides a list of exceptions that were found within the selected farm/instance. This report includes a Details table. -![Exceptions report at the on-premise farm and online instance levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceexceptions.webp) +![Exceptions report at the on-premise farm and online instance levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This report will be blank if no diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md index 106f2a0118..910f181f7d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md 
@@ -3,7 +3,7 @@ The External Sharing report at the online instance level displays resources that are shared with external users, such as users who are invited to sign in using their gmail accounts. -![External Sharing report at the online instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceexternalsharing.webp) +![External Sharing report at the online instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instanceexternalsharing.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/overview.md index fb189345fb..d1101ee062 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/overview.md 
@@ -3,10 +3,10 @@ The following reports are available at the on-premise farm and online instance levels and provide information for both on-premise farms and online instances, unless otherwise specified: -- [Activity Details Report](activitydetails.md) -- [Anonymous Access Links Report](anonymousaccesslinks.md) – Online instance only -- [Exceptions Report](exceptions.md) -- [External Sharing Report](externalsharing.md) – Online instance only -- [Scan Summary Report](scansummary.md) -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md) +- [Anonymous Access Links Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md) – Online instance only +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md) +- [External Sharing Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md) – Online instance only +- [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md index c0f2f2b9c5..a31eb67d10 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md @@ -3,7 +3,7 @@ The Scan Summary report at the on-premise farm and online instance levels provides a summary view of all site collections on the selected farm/instance. -![Scan Summary report at the on-premise farm and online instance levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instancescansummary.webp) +![Scan Summary report at the on-premise farm and online instance levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/farminstance/instancescansummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md index 3d87637a9c..3e45753843 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md 
@@ -4,7 +4,7 @@ The Sensitive Content Details report at the on-premise farm and online instance details of files where criteria matches were found on the site collection. This report includes a Matches table. -![Sensitive Content Details report at the on-premise farm and online instance levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the on-premise farm and online instance levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md index a20e6dea39..fb62ca46ef 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md 
@@ -4,7 +4,7 @@ The Sensitive Content Summary report at the on-premise farm and online instance count of files where criteria matches were found on the site collection. This report includes a Details table. -![Sensitive Content Summary report at the on-premise farm and online instance levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the on-premise farm and online instance levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/anonymousaccesslinks.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/anonymousaccesslinks.md index b40c38aa9f..9bfcd19095 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/anonymousaccesslinks.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/anonymousaccesslinks.md @@ -4,7 +4,7 @@ The Anonymous Access Links report at the **OneDrive for Business** level display that have access links generated to be shared with people outside of the organization (guest/anonymous users). -![Anonymous Access Links report at the OneDrive for Business level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/onedrive/onedriveanonymousaccesslinks.webp) +![Anonymous Access Links report at the OneDrive for Business level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/onedrive/onedriveanonymousaccesslinks.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.md index 649eb37c05..897193a207 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.md @@ -3,7 +3,7 @@ The OneDrive Scan Summary report at the **OneDrive for Business** node provides an overview of scanned personal drives. -![OneDrive Scan Summary report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.webp) +![OneDrive Scan Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/overview.md index a7cfc7ac52..9fcf2b4a76 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/overview.md 
@@ -3,5 +3,5 @@ The following reports are available at the **OneDrive for Business** node and provide information for SharePoint Online instances: -- [Anonymous Access Links Report](anonymousaccesslinks.md) -- [OneDrive Scan Summary Report](onedrivescansummary.md) +- [Anonymous Access Links Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/anonymousaccesslinks.md) +- [OneDrive Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/onedrive/onedrivescansummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md index feb35267e3..0134ecf02d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/overview.md @@ -30,7 +30,7 @@ SharePoint reports fall into the following categories: - Display information for a selected date range with local time stamps - Some of the reports also include trend graphs. Trend graphs provide a visual representation of the activity that occurred over the selected date range. See the - [Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) + [Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on selecting a date range and filtering the trend graphs. - Activity information is represented in two ways: 
@@ -49,6 +49,6 @@ SharePoint reports fall into the following categories: The following reports are available at the **SharePoint** node and provide information for both SharePoint on-premise farms and SharePoint Online instances: -- [Exceptions Report](exceptions.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) -- [Server Summary Report](serversummary.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md) +- [Server Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/quickreference.md index ba34a69093..ca9832ca10 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/quickreference.md 
@@ -8,9 +8,9 @@ The following reports are available at the SharePoint node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Exceptions Report](exceptions.md) | Provides a list of exceptions that were found across the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. | -| [Server Summary Report](serversummary.md) | Provides a top-level view of servers and instances that are representative of the targeted SharePoint on-premise farms and SharePoint Online instances. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions.md) | Provides a list of exceptions that were found across the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found in the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. | +| [Server Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md) | Provides a top-level view of servers and instances that are representative of the targeted SharePoint on-premise farms and SharePoint Online instances. | ## SharePoint > Farm / Instance Levels Reports 
@@ -18,13 +18,13 @@ The following reports are available at the on-premise farm and online instance l | Report | Description | | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](farminstance/activitydetails.md) | Provides statistical activity event information by user on the selected farm during the specified date range. This report includes a line graph for Active Users Trend. | -| [Anonymous Access Links Report](farminstance/anonymousaccesslinks.md) | Displays files that have access links generated to be shared with people outside the organization (guest/anonymous users). | -| [Exceptions Report](farminstance/exceptions.md) | Provides a list of exceptions that were found within the selected farm/instance. This report includes a Details table. | -| [External Sharing Report](farminstance/externalsharing.md) | Displays resources that are shared with external users, such as users who are invited to sign in using their gmail accounts. | -| [Scan Summary Report](farminstance/scansummary.md) | Provides a summary view of all site collections on the selected farm/instance. | -| [Sensitive Content Details Report](farminstance/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the site collection. This report includes a Matches table. | -| [Sensitive Content Summary Report](farminstance/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the site collection. This report includes a Details table. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/activitydetails.md) | Provides statistical activity event information by user on the selected farm during the specified date range. 
This report includes a line graph for Active Users Trend. | +| [Anonymous Access Links Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/anonymousaccesslinks.md) | Displays files that have access links generated to be shared with people outside the organization (guest/anonymous users). | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/exceptions.md) | Provides a list of exceptions that were found within the selected farm/instance. This report includes a Details table. | +| [External Sharing Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/externalsharing.md) | Displays resources that are shared with external users, such as users who are invited to sign in using their gmail accounts. | +| [Scan Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/scansummary.md) | Provides a summary view of all site collections on the selected farm/instance. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentdetails.md) | Provides details of files where criteria matches were found on the site collection. This report includes a Matches table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/farminstance/sensitivecontentsummary.md) | Provides a count of files where criteria matches were found on the site collection. This report includes a Details table. | ## SharePoint > Farm > Web Application & Web Application URL Levels Reports 
@@ -32,8 +32,8 @@ The following reports are available at the web application and web application U | Report | Description | | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Effective Policy Report](webapplication/effectivepolicy.md) | Provides a list of users and groups who are effectively granted or denied access to the SharePoint on-premise farm web application through a particular web application policy with the rights being either granted or denied. | -| [Policy Report](webapplication/policy.md) | Provides a list of web application policies assigned for the selected SharePoint on-premise farm web application. | +| [Effective Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md) | Provides a list of users and groups who are effectively granted or denied access to the SharePoint on-premise farm web application through a particular web application policy with the rights being either granted or denied. | +| [Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md) | Provides a list of web application policies assigned for the selected SharePoint on-premise farm web application. | ## SharePoint > Instance > Teams Node Reports 
@@ -41,7 +41,7 @@ The following report is available at the Teams node level: | Report | Description | | ----------------------------------------------- | ---------------------------------------------- | -| [Teams Scan Summary](teams/teamsscansummary.md) | Provides an overview of scanned Teams servers. | +| [Teams Scan Summary](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md) | Provides an overview of scanned Teams servers. | ## SharePoint > Farm / Instance > Web Application > Site Collections / Sites / Lists / Libraries / Folders Levels Reports 
@@ -49,12 +49,12 @@ The following reports are available at the site collection, site, list, library, | Report | Description | | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](sitecollections/activitydetails.md) | Provides statistical activity event information by user on the selected server during the specified date range. This report includes a line graph for Active Users Trend. | -| [Effective Access Report](sitecollections/effectiveaccess.md) | Provides insight into who has what level of access to this resource through a calculation that encompasses web application policies, administrative access, resource permissions, and group membership. It contains a list of all trustees with access to the selected resource and specifies the effective access level. This report includes a Permission Source table. | -| [Exceptions Report](sitecollections/exceptions.md) | Provides a list of all trustees with access that are causing exceptions on the selected resource. This report includes a Permissions Source table. | -| [Permissions Report](sitecollections/permissions.md) | Provides a list of trustees with permissions for the selected resource. This report includes a table with trustee access levels Compared to Parent. | -| [Sensitive Content Report](sitecollections/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a Matches table. 
| -| [Site Collection Roles Report](sitecollections/sitecollectionroles.md) | Provides a list of all roles or permission levels for the selected site collection, including custom defined roles and role descriptions. It also displays a calculation of the actual rights that each role grants within the targeted SharePoint on-premise farm or SharePoint Online instance. **NOTE:** This report is only available at the site collection level. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md) | Provides statistical activity event information by user on the selected server during the specified date range. This report includes a line graph for Active Users Trend. | +| [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) | Provides insight into who has what level of access to this resource through a calculation that encompasses web application policies, administrative access, resource permissions, and group membership. It contains a list of all trustees with access to the selected resource and specifies the effective access level. This report includes a Permission Source table. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md) | Provides a list of all trustees with access that are causing exceptions on the selected resource. This report includes a Permissions Source table. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md) | Provides a list of trustees with permissions for the selected resource. This report includes a table with trustee access levels Compared to Parent. 
| +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md) | Provides a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a Matches table. | +| [Site Collection Roles Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md) | Provides a list of all roles or permission levels for the selected site collection, including custom defined roles and role descriptions. It also displays a calculation of the actual rights that each role grants within the targeted SharePoint on-premise farm or SharePoint Online instance. **NOTE:** This report is only available at the site collection level. | ## SharePoint > Farm / Instance > Exceptions Node Reports @@ -62,7 +62,7 @@ The following report is available at the Exceptions node level: | Report | Description | | --------------------------------------------- | ----------------------------------------------------------------------------------------------- | -| [Exceptions Report](exceptions/exceptions.md) | Provides a list of exceptions found on the farm/instance. This report includes a Details table. | +| [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptions.md) | Provides a list of exceptions found on the farm/instance. This report includes a Details table. | ## SharePoint > Farm / Instance > Exceptions > Exception Type Level Reports 
@@ -70,4 +70,4 @@ The following report is available at the exceptions type level: | Report | Description | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Exceptions by Type Report](exceptions/exceptionsbytype.md) | Provides details on the selected exception type. An exception is defined as a problem or risk to data governance security. This report includes a Permission Source table. | +| [Exceptions by Type Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/exceptions/exceptionsbytype.md) | Provides details on the selected exception type. An exception is defined as a problem or risk to data governance security. This report includes a Permission Source table. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md index a01d363b34..acbb2c4cdf 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sensitivecontentsummary.md 
@@ -4,7 +4,7 @@ The Sensitive Content Summary report at the **SharePoint** node provides a count criteria matches were found in the targeted SharePoint on-premise farms and SharePoint Online instances. This report includes a Details table. -![Sensitive Content Summary report at the SharePoint node](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sensitivecontent.webp) +![Sensitive Content Summary report at the SharePoint node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md index 4b82754ae4..b0752abe16 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/serversummary.md @@ -4,7 +4,7 @@ The Server Summary report at the **SharePoint** node provides a top-level view o instances that are representative of the targeted SharePoint on-premise farms and SharePoint Online instances. -![Server Summary report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/serversummary.webp) +![Server Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/filesystem/serversummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md index 5bfbbca5d2..2db3af8663 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md @@ -5,10 +5,10 @@ statistical activity event information by user on the selected server during the range. This report includes a line graph for Active Users Trend. The **Include subfolders** option is active by default until removed. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on changing this +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity Details report at the site collection, site, list, library, and folder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteactivitydetails.webp) +![Activity Details report at the site collection, site, list, library, and folder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteactivitydetails.webp) This report is comprised of the following columns: 
@@ -34,15 +34,15 @@ This report is comprised of the following columns: - Process Name – Name of the process which performed the operation The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There is one line graph at the bottom displaying the Active Users Trend for the selected event. -![Active Users Trend graph](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteactivitydetailstrendgraph.webp) +![Active Users Trend graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteactivitydetailstrendgraph.webp) The line graph provides a visual representation of the number of active users over the selected date range. It indicates how many users are performing activity per day. See the -[Activity Report Results Pane Features](../../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the trend graph. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md index a6205615c2..01a14b80ac 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md 
@@ -6,7 +6,7 @@ web application policies, administrative access, resource permissions, and group contains a list of all trustees with access to the selected resource and specifies the effective access level. This report includes a Permission Source table. -![Effective Access report at the site collection, site, list, library, and folder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteeffectiveaccess.webp) +![Effective Access report at the site collection, site, list, library, and folder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteeffectiveaccess.webp) This report is comprised of the following columns: @@ -51,7 +51,7 @@ all of the ways the selected trustee has been granted rights to the selected res granular rights granted through SharePoint permission levels (SharePoint Roles), see the **Role Name** column. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteeffectiveaccesstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteeffectiveaccesstable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md index 94464f5e90..b7318f3091 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md @@ -4,12 +4,12 @@ The Exceptions report at the site collection, site, list, library, and folder le of all trustees with access that are causing exceptions on the selected resource. This report includes a Permission Source table. -![Exceptions report at the site collection, site, list, library, and folder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteexceptions.webp) +![Exceptions report at the site collection, site, list, library, and folder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteexceptions.webp) An exception is defined as a problem or risk to data governance security. Exceptions include open access and permissions granted to stale or disabled users. This table is blank unless an Exception icon is attached to the resource in the Resources pane, indicating exceptions were found. See the -[Resources Pane](../../navigate/resource.md#resources-pane) topic for additional information. +[Resources Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md#resources-pane) topic for additional information. This report is comprised of the following columns: 
@@ -20,7 +20,7 @@ This report is comprised of the following columns: There is one table at the bottom displaying Permission Source for the select trustee. It contains all of the ways the selected trustee has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteexceptionstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/siteexceptionstable.webp) The number of rows for this table indicates the number of ways this trustee has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/overview.md index 0c05d1dacf..085a8b0b5b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/overview.md 
@@ -3,10 +3,10 @@ The following reports are available at the site collection, site, list, library, and folder levels and provide information for both SharePoint on-premise farms and SharePoint Online instances: -- [Activity Details Report](activitydetails.md) -- [Effective Access Report](effectiveaccess.md) -- [Exceptions Report](exceptions.md) -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) -- [Site Collection Roles Report](sitecollectionroles.md) – Available only at the site collection +- [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/activitydetails.md) +- [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) +- [Exceptions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/exceptions.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md) +- [Site Collection Roles Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md) – Available only at the site collection level diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md index 98059cef2e..6f75048e99 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md 
@@ -4,7 +4,7 @@ The Permissions report at the site collection, site, list, library, and folder l list of trustees with permissions for the selected resource. This report includes a table with trustee access levels Compared to Parent. -![Permissions report at the site collection, site, list, library, and folder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitepermissions.webp) +![Permissions report at the site collection, site, list, library, and folder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitepermissions.webp) This report is comprised of the following columns: @@ -32,7 +32,7 @@ This report is comprised of the following columns: - Type – Direct or Inherited type of permission - Roles – Role name for the SharePoint permission level. For additional detail on what permissions each Role grants, see the Permission Mask column in the - [Site Collection Roles Report](sitecollectionroles.md). + [Site Collection Roles Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md). The following rights are a normalized representation of the SharePoint permission levels (SharePoint Roles) granted to the trustee: 
@@ -48,9 +48,9 @@ displays the group membership, including nested groups. There is one table at the bottom displaying Compared to Parent permissions for the select trustee. It contains information on explicit permissions granted for the selected resource. -![Compared to Parent table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitepermissionstable.webp) +![Compared to Parent table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitepermissionstable.webp) This table is blank unless an **Explicit Permissions** icon is attached to the resource in the -Resources pane. See the [Resources Pane](../../navigate/resource.md#resources-pane) topic for +Resources pane. See the [Resources Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/resource.md#resources-pane) topic for additional information. This table is comprised of the same columns as the primary report, with the exception that it does not have the **Roles** column. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md index fcf01b58d4..0f8408fc73 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sensitivecontent.md 
@@ -4,7 +4,7 @@ The Sensitive Content report at the site collection, site, list, library, and fo a list of files and a hit count per file where criteria matches were found on the selected resource. This report includes a Matches table. -![Sensitive Content report at the site collection, site, list, library, and folder levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitesensitivecontent.webp) +![Sensitive Content report at the site collection, site, list, library, and folder levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md index 623ad2f813..eca08e1b8c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md @@ -7,7 +7,7 @@ targeted SharePoint on-premise farm or SharePoint Online instance. **NOTE:** This report is only available at the site collection level. -![Site Collections Roles report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.webp) +![Site Collections Roles report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/overview.md index 5f43bd6c0c..b22a3fbfa5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/overview.md @@ -3,4 +3,4 @@ The following reports are available at the **Teams** node and provide information for SharePoint Online instances: -- [Teams Scan Summary](teamsscansummary.md) +- [Teams Scan Summary](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md index 1b435d5b7b..2020d6b18b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.md @@ -2,7 +2,7 @@ The Teams Scan Summary report at the **Teams** node provides an overview of scanned Teams servers. -![Teams Scan Summary report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.webp) +![Teams Scan Summary report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/teams/teamsscansummary.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md index 3b0fb55fa3..249a1b89bd 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md @@ -5,7 +5,7 @@ users and groups who are effectively granted or denied access to the SharePoint application through a particular web application policy with the rights being either granted or denied. -![Effective Policy report at the web application and web application URL levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/webapplication/webappeffectivepolicy.webp) +![Effective Policy report at the web application and web application URL levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/webapplication/webappeffectivepolicy.webp) This report is comprised of the following columns: 
@@ -37,6 +37,6 @@ If the selected trustee in the top section of the report is a group, the Group M displays the group membership, including nested groups. To view the granular rights granted through SharePoint permission levels (SharePoint Roles), see the -**Roles** column in the [Permissions Report](../sitecollections/permissions.md). For additional +**Roles** column in the [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/permissions.md). For additional detail on what permissions each SharePoint Role grants, see the **Permission Mask** column in the -[Site Collection Roles Report](../sitecollections/sitecollectionroles.md). +[Site Collection Roles Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/sitecollectionroles.md). diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/overview.md index f68c1fc3e2..d3937c20f1 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/overview.md @@ -3,5 +3,5 @@ The following reports are available at the web application and web application URL levels and provide information for SharePoint on-premise farms: -- [Effective Policy Report](effectivepolicy.md) -- [Policy Report](policy.md) +- [Effective Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/effectivepolicy.md) +- [Policy Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md) 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md index 83413f9b0c..b6484f6612 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/webapplication/policy.md @@ -3,7 +3,7 @@ The Policy report at the web application and web application URL levels provides a list of web application policies assigned for the selected SharePoint on-premise farm web application. -![Policy report at the web application and web application URL levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/webapplication/webapppolicy.webp) +![Policy report at the web application and web application URL levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sharepoint/webapplication/webapppolicy.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md index 6e7f1789a2..3de3aeef03 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md 
@@ -2,10 +2,10 @@ The Activity report at the Databases node displays activity across the databases logged during the selected date range. The **Include Subfolders** option is active by default until removed. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on changing this +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity report at the Databases node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databases/databasesactivity.webp) +![Activity report at the Databases node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databases/databasesactivity.webp) This report is comprised of the following columns: @@ -30,4 +30,4 @@ This report is comprised of the following columns: - Process Name – Not populated for SQL Server reports The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/overview.md index ce1245ba51..5998fc1c6b 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/overview.md 
@@ -2,6 +2,6 @@ The following reports are displayed at the **Databases** node: -- [Activity Report](activity.md) +- [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md) - Permissions – Displayed but not populated at the **Databases** node -- [Sensitive Content Report](sensitivecontent.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md index b7c7f1cc11..9d20febf88 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md @@ -6,7 +6,7 @@ criteria matches visible to Access Information Center users with either Security Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the Databases node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databases/databasessensitivecontent.webp) +![Sensitive Content report at the Databases node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databases/databasessensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md index f43ff48856..cbf43111fe 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md @@ -2,10 +2,10 @@ The Activity report at the database and table levels displays activity on the selected resource logged during the selected date range. The **Include Subfolders** option is active by default until -removed. See the [Results Pane](../../navigate/overview.md#results-pane) topic for information on +removed. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on changing this option. -![Activity report at the database and table levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databasetable/databaseactivity.webp) +![Activity report at the database and table levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/databasetable/databaseactivity.webp) This report is comprised of the following columns: @@ -30,4 +30,4 @@ This report is comprised of the following columns: - Process Name – Not populated for SQL Server reports The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/overview.md index 513a2db4e7..6b2b75e83e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/overview.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/overview.md @@ -2,6 +2,6 @@ The following reports are available at the database and table levels: -- [Activity Report](activity.md) -- [Permissions Report](permissions.md) -- [Sensitive Content Report](sensitivecontent.md) +- [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md) +- [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md index b201b90b64..fbe3877f68 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md @@ -3,7 +3,7 @@ The Permissions report at the database and table levels shows the permissions for the trustee on the selected resource. -![Permissions report at the database and table levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) +![Permissions report at the database and table levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasepermissions.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md index 308400cc31..8677c662b2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md @@ -6,7 +6,7 @@ table with criteria matches visible to Access Information Center users with eith Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content report at the database and table levels](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) +![Sensitive Content report at the database and table levels](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/databasetable/databasesensitivecontent.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md index c65b0d4603..a4902216bc 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md 
@@ -3,7 +3,7 @@ The Activity report at the instance level displays activity across the entire instance logged during the selected date range. -![Activity report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/instance/instanceactivity.webp) +![Activity report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/instance/instanceactivity.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/overview.md index b4e0c25aee..b72ff2bd74 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/overview.md 
@@ -2,10 +2,10 @@ The following reports are available at the instance level: -- [Activity Report](activity.md) -- [Sensitive Content Details Report](sensitivecontentdetails.md) -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md) +- [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md) Remember, instance permissions are populated at the **Instance Permissions** node. See the -[Instance Permissions Node Report](../instancepermissions/overview.md) topic for additional +[Instance Permissions Node Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/overview.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md index 76d6899a01..4ad8e7b1ba 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md 
@@ -6,7 +6,7 @@ matches visible to Access Information Center users with either Security Team Mem roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. -![Sensitive Content Details report at the iInstance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) +![Sensitive Content Details report at the iInstance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentdetails.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md index a65a279df3..c40dc40475 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md @@ -3,7 +3,7 @@ The Sensitive Content Summary report at the instance level provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. -![Sensitive Content Summary report at the instance level](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) +![Sensitive Content Summary report at the instance level](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/instance/instancesensitivecontentsummary.webp) This report is comprised of the following columns: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/overview.md index ceb5034997..61407844f7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/overview.md @@ -3,5 +3,5 @@ The following report is available at the **Instance Permissions** node: - Activity – Displayed but not populated at the **Instance Permissions** node -- [Permissions Report](permissions.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md) - Sensitive Content – Displayed but not populated at the **Instance Permissions** node diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md index c5a48e4cc5..9fd97d7d8f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md 
@@ -3,7 +3,7 @@ The Permissions report at the **Instance Permissions** node shows the instance permissions for the trustee. -![Permissions report at the Instance Permissions node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/instancepermissions/instancepermissions.webp) +![Permissions report at the Instance Permissions node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/instancepermissions/instancepermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md index 1d08e57286..4e0b30cdbe 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/overview.md @@ -16,4 +16,4 @@ node in the Access Information Center. SQL Server reports fall into the followin The following report is available at the **SQL Server** node: -- [Sensitive Content Summary Report](sensitivecontentsummary.md) +- [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/quickreference.md index 7407bfd4e3..d5aeb008d7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/quickreference.md 
@@ -8,7 +8,7 @@ The following report is available at the SQL Server node level: | Report | Description | | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -| [Sensitive Content Summary Report](sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found in the targeted environment. This report includes a Details table. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found in the targeted environment. This report includes a Details table. | ## SQL Server > Instance Level Reports 
@@ -16,9 +16,9 @@ The following reports are available at the instance level: | Report | Description | | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Report](instance/activity.md) | Displays activity across the entire instance logged during the selected date range. | -| [Sensitive Content Details Report](instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | -| [Sensitive Content Summary Report](instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. | +| [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/activity.md) | Displays activity across the entire instance logged during the selected date range. | +| [Sensitive Content Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentdetails.md) | Provides details of tables where criteria matches were found on the selected instance. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. 
The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Sensitive Content Summary Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instance/sensitivecontentsummary.md) | Provides a count of tables where criteria matches were found on the selected instance. This report includes a Details table. | ## SQL Server > Databases Node Reports 
@@ -26,8 +26,8 @@ The following reports are available at the Databases node level: | Report | Description | | --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Report](databases/activity.md) | Displays activity across the databases logged during the selected date range. | -| [Sensitive Content Report](databases/sensitivecontent.md) | Provides a list of tables and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/activity.md) | Displays activity across the databases logged during the selected date range. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databases/sensitivecontent.md) | Provides a list of tables and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## SQL Server > Databases Node > Database & Table Levels Reports 
@@ -35,9 +35,9 @@ The following reports are available at the database and table levels: | Report | Description | | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Report](databasetable/activity.md) | Displays activity across the databases logged during the selected date range. | -| [Permissions Report](databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | -| [Sensitive Content Report](databasetable/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | +| [Activity Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/activity.md) | Displays activity across the databases logged during the selected date range. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/permissions.md) | Shows the permissions for the trustee on the selected resource. | +| [Sensitive Content Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/databasetable/sensitivecontent.md) | Provides a list of paths and a hit count per table where criteria matches were found on the selected resource. 
This report includes a table with criteria matches visible to Access Information Center users with either Security Team Member or Administrator roles. The Matches table requires the storage of discovered sensitive data within the Access Analyzer database or it will be blank. | ## SQL Server > Instance Permissions Node Report @@ -45,7 +45,7 @@ The following report is available at the Permissions node level: | Report | Description | | -------------------------------------------------------- | ------------------------------------------------------ | -| [Permissions Report](instancepermissions/permissions.md) | Shows the permissions for the trustee on the instance. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/instancepermissions/permissions.md) | Shows the permissions for the trustee on the instance. | ## SQL Server > Roles Node Report @@ -53,4 +53,4 @@ The following report is available at the Roles node level: | Report | Description | | ------------------------------------------ | --------------------------------------------------- | -| [Permissions Report](roles/permissions.md) | Shows the permissions for the instance’s SQL roles. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md) | Shows the permissions for the instance’s SQL roles. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/overview.md index 759b68f475..946872164e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/overview.md 
@@ -3,5 +3,5 @@ The following report is available at the **Roles** node: - Activity – Displayed but not populated at the **Roles** node -- [Permissions Report](permissions.md) +- [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md) - Sensitive Content – Displayed but not populated at the **Roles** node diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md index 2af461e602..62d96afcfd 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/roles/permissions.md @@ -2,7 +2,7 @@ The Permissions report at the **Roles** node shows the permissions for the instance’s SQL roles. -![Permissions report at the Roles node](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/roles/rolespermissions.webp) +![Permissions report at the Roles node](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/sql/roles/rolespermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md index e1a65f0e0f..106bf9f95f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sql/sensitivecontentsummary.md 
@@ -3,7 +3,7 @@ The Sensitive Content report at the **SQL Server** node provides a count of tables where criteria matches were found in the targeted environment. This report includes a Details table. -![Sensitive Content report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) +![Sensitive Content report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/postgresql/sensitivecontentsummary.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitydetails.md index db259fd780..67e61d1459 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitydetails.md @@ -3,7 +3,7 @@ The Activity Details report for a user object provides details on every activity event logged by the audited user during the selected date range. This report includes a Permission Changes table. -![Activity Details report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetails.webp) +![Activity Details report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetails.webp) This report is comprised of the following columns: 
@@ -27,7 +27,7 @@ This report is comprised of the following columns: There is one table at the bottom of the report displaying Permission Changes for the selected event. It contains details on the trustee whose permissions were updated, added, or removed. -![Permission Changes table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetailstable.webp) +![Permission Changes table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitydetailstable.webp) This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitystatistics.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitystatistics.md index 72060bd84c..8732df7932 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitystatistics.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitystatistics.md @@ -4,7 +4,7 @@ The Activity Statistics report for a user object provides statistical activity e the audited user during the selected date range. This report includes a line graph for Traffic Trend. -![Activity Statistics report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitystatistics.webp) +![Activity Statistics report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/activitystatistics.webp) This report is comprised of the following columns: 
@@ -20,11 +20,11 @@ This report is comprised of the following columns: - Deletes – Count of delete operations on resource The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. There is one line graph at the bottom displaying the Traffic Trend for the audited user. It provides a visual representation of the number of operations events that occurred by operation type over the selected date range. It indicates what volume of operations occurred per day. Each operation type is provided with a different color, as indicated by the legend. See the -[Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on filtering the Trend graph. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/attributechanges.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/attributechanges.md index 2b6d50e122..d906323930 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/attributechanges.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/attributechanges.md 
@@ -3,7 +3,7 @@ The Attribute Changes report for a user object provides specific details for every attribute change to the audited user during the selected date range. -![Attribute Changes report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) +![Attribute Changes report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/attributechanges.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/effectiveaccess.md index bc2105cf2c..5b3090d32f 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/effectiveaccess.md 
@@ -4,12 +4,12 @@ The Effective Access report for a user object provides insight into every resour has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. -See the [Effective Access Report](../filesystem/sharesubfolder/effectiveaccess.md) topic for File +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for File Systems for additional information on the effective access calculations for file system resources. -See the [Effective Access Report](../sharepoint/sitecollections/effectiveaccess.md) topic for +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) topic for SharePoint for additional information on the effective access calculations for SharePoint resources. -![Effective Access report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccess.webp) This report contains a list of all resources the audited user has the ability to access within the targeted environments. When this report is opened, the Access Information Center begins analyzing 
@@ -24,7 +24,7 @@ to load until all data has been analyzed for the audited user. The scoping options allow Access Information Center users to specifying what collected data should be analyzed in order to generate this report. Unlike other filter options, this can impact the loading time depending on the scoping options selected. See the -[Scope an Effective Access Report](../navigate/scopeeffectiveaccess.md) topic for instructions on +[Scope an Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md) topic for instructions on using this feature. This report is comprised of the following columns: @@ -50,7 +50,7 @@ The following rights are a normalized representation of the permissions granted There is one table at the bottom displaying Permission Source for the select resource. It contains all of the ways the audited user has been granted rights to the selected resource. -![Permission Source table](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/effectiveaccesstable.webp) The number of rows for this table indicates the number of ways this audited user has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/activitydetails.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/activitydetails.md index 98bf7b9df4..19512819ea 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/activitydetails.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/activitydetails.md 
@@ -4,7 +4,7 @@ The Activity Details report for an Entra ID (formerly Azure Active Directory) us details on every activity event logged by the audited user during the selected date range. This report includes a Permission Changes table. -![Activity Details report for an Entra ID user](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/entraid/activitydetailsentraid.webp) +![Activity Details report for an Entra ID user](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/user/entraid/activitydetailsentraid.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/effectiveaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/effectiveaccess.md index 7432422228..c2095a30fc 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/effectiveaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/effectiveaccess.md 
@@ -5,12 +5,12 @@ ID (formerly Azure Active Directory) user has access to and what level of access Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. -See the [Effective Access Report](../../filesystem/sharesubfolder/effectiveaccess.md) topic for File +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/filesystem/sharesubfolder/effectiveaccess.md) topic for File Systems for additional information on the effective access calculations for file system resources. -See the [Effective Access Report](../../sharepoint/sitecollections/effectiveaccess.md) topic for +See the [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/sharepoint/sitecollections/effectiveaccess.md) topic for SharePoint for additional information on the effective access calculations for SharePoint resources. -![Effective Access report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraid.webp) +![Effective Access report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraid.webp) This report contains a list of all resources the audited user has the ability to access within the targeted environments. When this report is opened, the Access Information Center begins analyzing 
@@ -25,7 +25,7 @@ to load until all data has been analyzed for the audited user. The scoping options allow Access Information Center users to specifying what collected data should be analyzed in order to generate this report. Unlike other filter options, this can impact the loading time depending on the scoping options selected. See the -[Scope an Effective Access Report](../../navigate/scopeeffectiveaccess.md) topic for instructions on +[Scope an Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/scopeeffectiveaccess.md) topic for instructions on using this feature. This report is comprised of the following columns: @@ -51,7 +51,7 @@ The following rights are a normalized representation of the permissions granted There is one table at the bottom displaying Permission Source for the select resource. It contains all of the ways the audited user has been granted rights to the selected resource. -![Permission Source table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraidtable.webp) +![Permission Source table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/effectiveaccessentraidtable.webp) The number of rows for this table indicates the number of ways this audited user has been granted access. This table is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/memberof.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/memberof.md index c3638c938e..586858c275 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/memberof.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/memberof.md 
@@ -3,7 +3,7 @@ The Member Of report for a user object provides a list of all groups of which the audited Entra ID (formerly Azure Active Directory) user is a member. This report includes a Membership Paths table. -![Member Of report](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraid.webp) +![Member Of report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraid.webp) This report is comprised of the following columns: @@ -22,7 +22,7 @@ This report is comprised of the following columns: Since this report is a list of Entra ID groups, the Group Membership pane displays the group membership, including nested groups. -![Membership Paths table](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraidtable.webp) +![Membership Paths table](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/memberofentraidtable.webp) There is one table at the bottom displaying Membership Paths for the select group. It contains all of the ways the audited user has been granted membership to the selected group. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/permissions.md index 8abf166395..c04c07e10c 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/permissions.md 
@@ -4,9 +4,9 @@ The Permissions report for a user object provides a list of all resources where (formerly Azure Active Directory) user has been assigned permissions. The **Include Inherited** filter checkbox is active by default, which means the report displays both direct and inherited permissions unless modified by the Access Information Center user. See the -[Results Pane](../../navigate/overview.md#results-pane) topic for information on filter options. +[Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on filter options. -![Permissions report for Entra ID](../../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/permissionsentraid.webp) +![Permissions report for Entra ID](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/entraid/permissionsentraid.webp) This report is comprised of the following columns: @@ -35,4 +35,4 @@ The following columns display the combined direct and inherited rights: deny rights The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/memberof.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/memberof.md index a1db87a538..a9a7496710 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/memberof.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/memberof.md 
@@ -3,7 +3,7 @@ The Member Of report for a user object provides a list of all groups of which the audited user is a member. This report includes a Membership Paths table. -![Member Of report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) +![Member Of report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/memberof.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/objectpermissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/objectpermissions.md index 0fd954c12f..3a9695e91a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/objectpermissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/objectpermissions.md @@ -8,7 +8,7 @@ Analyzer solution. See the Active Directory Permissions Analyzer Solution topic [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information. -![Object Permissions report](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) +![Object Permissions report](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/group/objectpermissions.webp) This report is comprised of the following columns: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md index a3fa278a46..3234992de3 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/overview.md 
@@ -1,7 +1,7 @@ # User Reports User reports are accessed through the User Audit interface. You can access User reports by searching -for user objects on the Home page. See the [Search Features](../navigate/search.md) topic for +for user objects on the Home page. See the [Search Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/search.md) topic for additional information. The user object being reviewed is identified in the upper-left corner. The data within these reports is collected by the Access Analyzer solutions which provide data to the Resource reports. See the desired solution topic of the @@ -18,7 +18,7 @@ User reports identify the following information as scanned from the targeted env Activity reports display information for a selected date range. Some of the reports also include trend graphs. Trend graphs provide a visual representation of the activity that occurred over the selected date range. See the -[Activity Report Results Pane Features](../navigate/overview.md#activity-report-results-pane-features) +[Activity Report Results Pane Features](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#activity-report-results-pane-features) topic for instructions on selecting a date range and filtering the trend graphs. Activity reports display local time stamps. Activity information is represented in two ways: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/permissions.md index aa3ead613a..71e7fb73a9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/permissions.md 
@@ -3,10 +3,10 @@ The Permissions report for a user object provides a list of all resources where the audited user has been assigned permissions. The **Include Inherited** filter checkbox is active by default, which means the report displays both direct and inherited permissions unless modified by the Access -Information Center user. See the [Results Pane](../navigate/overview.md#results-pane) topic for +Information Center user. See the [Results Pane](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md#results-pane) topic for information on filter options. -![Permissions report](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) +![Permissions report](/img/product_docs/threatprevention/threatprevention/admin/policies/permissions.webp) This report is comprised of the following columns: @@ -35,4 +35,4 @@ The following columns display the combined direct and inherited rights: deny rights The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/quickreference.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/quickreference.md index 25c5a414f8..63ade16d61 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/quickreference.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/quickreference.md 
@@ -5,13 +5,13 @@ Directory user: | Report | Description | | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report](activitydetails.md) | Provides details on every activity event logged by the audited user during the selected date range. This report includes a Permission Changes table. | -| [Activity Statistics Report](activitystatistics.md) | Provides statistical activity event information for the audited user during the selected date range. This report includes a line graph for Traffic Trend. | -| [Attribute Changes Report](attributechanges.md) | Provides specific details for every attribute change to the audited user during the selected date range. | -| [Effective Access Report](effectiveaccess.md) | Provides insight into every resource the audited user has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | -| [Member Of Report](memberof.md) | Provides a list of all groups of which the audited user is a member. This report includes a Membership Paths table. | -| [Object Permissions Report](objectpermissions.md) | Provides details on Active Directory permissions for the object. | -| [Permissions Report](permissions.md) | Provides a list of all resources where the audited user has been assigned permissions. | +| [Activity Details Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitydetails.md) | Provides details on every activity event logged by the audited user during the selected date range. This report includes a Permission Changes table. 
| +| [Activity Statistics Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/activitystatistics.md) | Provides statistical activity event information for the audited user during the selected date range. This report includes a line graph for Traffic Trend. | +| [Attribute Changes Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/attributechanges.md) | Provides specific details for every attribute change to the audited user during the selected date range. | +| [Effective Access Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/effectiveaccess.md) | Provides insight into every resource the audited user has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | +| [Member Of Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/memberof.md) | Provides a list of all groups of which the audited user is a member. This report includes a Membership Paths table. | +| [Object Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/objectpermissions.md) | Provides details on Active Directory permissions for the object. | +| [Permissions Report](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/permissions.md) | Provides a list of all resources where the audited user has been assigned permissions. | ## Entra ID User Reports 
@@ -20,7 +20,7 @@ The following reports are available for selection within the User Audit interfac | Report | Description | | ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Activity Details Report for Entra ID User](entraid/activitydetails.md) | Provides details on every activity event logged by the audited Entra ID user during the selected date range. | -| [Effective Access Report for Entra ID User](entraid/effectiveaccess.md) | Provides insight into every resource the audited Entra ID user has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. This report includes a Permission Source table. | -| [Member Of Report for Entra ID User](entraid/memberof.md) | Provides a list of all groups of which the audited Entra ID user is a member. This report includes a Membership Paths table. | -| [Permissions Report for Entra ID User](entraid/permissions.md) | Provides a list of all resources where the audited Entra ID user has been assigned permissions. | +| [Activity Details Report for Entra ID User](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/activitydetails.md) | Provides details on every activity event logged by the audited Entra ID user during the selected date range. | +| [Effective Access Report for Entra ID User](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/effectiveaccess.md) | Provides insight into every resource the audited Entra ID user has access to and what level of access has been granted. Effective access is a calculation based on several variables according to the type of resource. 
This report includes a Permission Source table. | +| [Member Of Report for Entra ID User](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/memberof.md) | Provides a list of all groups of which the audited Entra ID user is a member. This report includes a Membership Paths table. | +| [Permissions Report for Entra ID User](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/user/entraid/permissions.md) | Provides a list of all resources where the audited Entra ID user has been assigned permissions. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md index 56e03c756d..beeb78ca09 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md @@ -5,7 +5,7 @@ configure access groups for those resources in the target environment. An access of the following access levels to a specific resource: Read, Modify, or Full Control. In the Resource Owners interface, the Ownership Administrator can then designate which group will be used to grant which level of access to the resource. This can be done through either the -[Add New Resource Wizard](wizard/add.md) or the [Update Resource Wizard](wizard/update.md). +[Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) or the [Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md). If an access group is not identified for a specific access level, then the owner will be unable to change access to that level. For example, ownership configuration for the Finance share has been set 
@@ -19,7 +19,7 @@ When the Ownership Administrator assigns access groups, the Access Information C which groups grant access through folder permissions to the selected resource. The Access Information Center completes the evaluation of group access levels from the data collected by Access Analyzer. A list of possible groups is made available for the selected access level in the -[Select Group Window](window/selectgroup.md). If no groups are listed that means the Access +[Select Group Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md). If no groups are listed that means the Access Information Center could not identify any groups for that access level. In these cases it will be necessary to set up a group with the appropriate permissions to the resource and rescan the host with Access Analyzer. @@ -35,7 +35,7 @@ Access Information Center. _Remember,_ it is a best practice is to create at least two OUs for groups to be managed through the Access Information Center: a security group OU and a distribution list group OU. See the -[Commit Active Directory Changes](../admin/additionalconfig/commitchanges.md) topic for additional +[Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information. **NOTE:** For SharePoint resources, the access groups must be Active Directory groups, not diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md index ddb6679eb8..d751491a74 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md 
@@ -6,23 +6,23 @@ assigned owner needs to claim that ownership responsibility. Resources that do n owners may fall through the cracks. **NOTE:** This requires the Notification settings to be configured for the Access Information -Center. See the [Notifications Page](../admin/configuration/notifications.md) topic for additional +Center. See the [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. -![Status Column in Resource Owners interface](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownershipconfirmation.webp) +![Status Column in Resource Owners interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownershipconfirmation.webp) The table in the Resource Owners interface includes a Status column. The following icons appear in this column to indicate confirmation status: | Icon | Meaning | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![Yellow circle with white question mark](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusnostatus.webp) | No Status | Indicates ownership confirmation has not been requested, and there is no ownership status at this time The exception is if ownership was automatically confirmed with the [Import 
Owners Wizard](wizard/import.md). | -| ![Blue circle with white clock face](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statuswaiting.webp) | Waiting | Indicates a request for confirmation has been sent, and you are waiting for a response from the assigned owner. Hover over the icon to view the date timestamp of the request. | -| ![Green circle with white checkmark](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusconfirmed.webp) | Confirmed | Indicates the assigned owner confirmed ownership of the resource. Hover over the icon to view the date timestamp of the confirmation. | -| ![Red circle with white X](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusdeclined.webp) | Declined | Indicates the assigned owner declined ownership of the resource. These individuals would have been asked to suggest an alternative owner. Check the Notes for the resource to view this information. Hover over the icon to view the date timestamp of the decline. _Remember,_ a resource with declined ownership needs to be updated to assign a new owner. See the [Update Resource Wizard](wizard/update.md) topic for additional information. | +| ![Yellow circle with white question mark](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusnostatus.webp) | No Status | Indicates ownership confirmation has not been requested, and there is no ownership status at this time The exception is if ownership was automatically confirmed with the [Import Owners Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md). 
| +| ![Blue circle with white clock face](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statuswaiting.webp) | Waiting | Indicates a request for confirmation has been sent, and you are waiting for a response from the assigned owner. Hover over the icon to view the date timestamp of the request. | +| ![Green circle with white checkmark](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusconfirmed.webp) | Confirmed | Indicates the assigned owner confirmed ownership of the resource. Hover over the icon to view the date timestamp of the confirmation. | +| ![Red circle with white X](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusdeclined.webp) | Declined | Indicates the assigned owner declined ownership of the resource. These individuals would have been asked to suggest an alternative owner. Check the Notes for the resource to view this information. Hover over the icon to view the date timestamp of the decline. _Remember,_ a resource with declined ownership needs to be updated to assign a new owner. See the [Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md) topic for additional information. | If multiple owners have been assigned, there is a choice for which assigned owner(s) should receive the confirmation. If multiple owners were sent the request, the column remains as a waiting symbol until the assigned Primary owner replies. -See the [Confirm Ownership Wizard](wizard/confirm.md) topic for additional information. +See the [Confirm Ownership Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md) topic for additional information. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md index 737d285121..7db11c0bca 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md @@ -3,7 +3,7 @@ The Ownership Administrator may request ownership confirmation for a resource being managed through the Access Information Center. As an assigned owner, you will receive the following email. -![Ownership Confirmation Request Email with Yes and No buttons for responding](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/confirmationrequestemail.webp) +![Ownership Confirmation Request Email with Yes and No buttons for responding](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/confirmationrequestemail.webp) The Ownership Confirmation Request email provides buttons for confirming (Yes) or declining (No) ownership of the listed resource. You will be asked to authenticate for your response to be @@ -15,7 +15,7 @@ complete the process. One of two messages will appear according to if you confir If you have accepted ownership for the assigned resource, the browser will display the following message after authentication: -![Ownership accepted browser message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponseconfirmed.webp) +![Ownership accepted browser message](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponseconfirmed.webp) You have successfully confirmed your ownership and can now close the browser window. 
@@ -24,11 +24,11 @@ You have successfully confirmed your ownership and can now close the browser win If you have declined ownership for the assigned resource, the browser will display the following message after authentication: -![Ownership declined browser message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponsedeclined.webp) +![Ownership declined browser message](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponsedeclined.webp) Enter your suggestion for possible owners in the textbox, and then click **Submit** to complete the process. -![emailresponsedeclined2](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponsedeclined2.webp) +![emailresponsedeclined2](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/email/emailresponsedeclined2.webp) You can now close the browser window. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md index 83f4c7a597..17419837a9 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md 
@@ -4,7 +4,7 @@ The Resource Owners interface opened by the **Resource Owners** button on the Ac Center Home page is where Ownership Administrators perform many operations around assigning and managing ownership. -![Resource Owners Interface in Netwrix Access Information Center](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Resource Owners Interface in Netwrix Access Information Center](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The information displayed in the table includes: @@ -12,7 +12,7 @@ The information displayed in the table includes: such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name (e.g., [Domain]\[Group]). The hyperlink will open the Resource Audit interface or Group Audit interface directly to the selected resource. See the - [Audit Interfaces](../resourceaudit/navigate/overview.md) topic for additional information on + [Audit Interfaces](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md) topic for additional information on available reports. - Description – Description or explanation of the resource as supplied by either the Ownership Administrator or the assigned owner See the Notes & Descriptions topic for additional information. 
@@ -22,10 +22,10 @@ The information displayed in the table includes: Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. The tool-tip also displays the date timestamp for when confirmation was received. See the - [Ownership Confirmation](confirmation.md) topic for additional information. + [Ownership Confirmation](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md) topic for additional information. - Notes – Icon indicates a Note has been added. Click on the icon to read the attached note(s). Notes can be added by Ownership Administrators or populated with alternative owners by individuals - who declined ownership. See the [Edit Notes Window](../../general/editnotes.md) and the Notes & + who declined ownership. See the [Edit Notes Window](/docs/accessinformationcenter/12.0/access/general/editnotes.md) and the Notes & Descriptions topic for additional information. - Access Groups – Indicates whether or not access groups have been assigned to this resource. When the resource is a group, the Access Groups column is automatically checked, since the group itself 
@@ -35,33 +35,33 @@ The information displayed in the table includes: or Full Control. Access groups are required to enable the owner ad hoc changes, to enable the Access Information Center to automatically commit approved changes requested during entitlement reviews, to enable the Self-Service Access Requests workflow, and for publishing resources to IAM. - See the [Access Groups](accessgroups.md) topic for additional information. + See the [Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. - Access Requests – Indicates whether or not the Self-Service Access Requests workflow has been - enabled for the resource. See the [Access Requests Overview](../accessrequests/overview.md) topic + enabled for the resource. See the [Access Requests Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/overview.md) topic for additional information. - Owner Updates – Indicates whether or not ad hoc changes feature has been enabled for the resource - Last Reviewed – Date timestamp when the last review took place for the resource. The hyperlink will open the Manage Reviews interface to that resource. See the - [Manage Reviews Page](../resourcereviews/interface.md#manage-reviews-page) topic for additional + [Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) topic for additional information. - Active Review – Indicates whether or not there is a pending review The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. 
The buttons at the bottom enable you to conduct the following actions: -![Action buttons in the Resource Owners Interface](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) +![Action buttons in the Resource Owners Interface](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) | Button | Function | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Add | Launches the Add new resource wizard to add a new resource to the list. This allows you to add one resource at a time, assign a reviewer, and optionally assign access groups. See the [Add New Resource Wizard](wizard/add.md) topic for additional information. | -| Import | Opens the Import Owners window to perform a bulk import of resources and assigned owners from a CSV file. See the [Import Owners Wizard](wizard/import.md) topic for additional information. | -| Update | Launches the Update resource wizard for the selected resource. This allows you to make changes to the assigned owners, to enable Access Requests, to enable owner ad hoc changes, and to change or assign access groups. See the [Update Resource Wizard](wizard/update.md) topic for additional information. | -| Remove | Opens the Confirm removal window to removes the selected resource from being managed through the application. _Remember,_ only resources with an assigned owner will be visible in the table. Removing a resource from this table does not delete the resource from the application database. 
See the [Confirm Removal Window](window/confirmremoval.md) topic for additional information. | -| Request Confirmation | Opens the Confirm Ownership wizard. Sends an email to the assigned owner(s) for the selected resource requesting ownership confirmation. See the [Confirm Ownership Wizard](wizard/confirm.md) topic for additional information. | -| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](../../general/editnotes.md) topic for additional information. | -| Resource Audit | Opens the Resource Audit interface for the selected resource. See the [Resource Audit Overview](../resourceaudit/overview.md) topic for additional information. | +| Add | Launches the Add new resource wizard to add a new resource to the list. This allows you to add one resource at a time, assign a reviewer, and optionally assign access groups. See the [Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) topic for additional information. | +| Import | Opens the Import Owners window to perform a bulk import of resources and assigned owners from a CSV file. See the [Import Owners Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md) topic for additional information. | +| Update | Launches the Update resource wizard for the selected resource. This allows you to make changes to the assigned owners, to enable Access Requests, to enable owner ad hoc changes, and to change or assign access groups. See the [Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md) topic for additional information. | +| Remove | Opens the Confirm removal window to removes the selected resource from being managed through the application. _Remember,_ only resources with an assigned owner will be visible in the table. 
Removing a resource from this table does not delete the resource from the application database. See the [Confirm Removal Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/confirmremoval.md) topic for additional information. | +| Request Confirmation | Opens the Confirm Ownership wizard. Sends an email to the assigned owner(s) for the selected resource requesting ownership confirmation. See the [Confirm Ownership Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md) topic for additional information. | +| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](/docs/accessinformationcenter/12.0/access/general/editnotes.md) topic for additional information. | +| Resource Audit | Opens the Resource Audit interface for the selected resource. See the [Resource Audit Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md) topic for additional information. | ## Notes & Descriptions diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md index 837118cf2f..dc554f61d6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md 
@@ -27,7 +27,7 @@ feature has been enabled for the resource. The Owner portal is only accessible t been assigned ownership of at least one resource. Owners without an Access Information Center user role are directed to the Owner portal at login. Owners with an Access Information Center user role access the Owner portal by clicking the **Manage Your Resources** link in the Your Links section of -the Home page. See the [Owner Portal Overview](ownerportal/overview.md) topic for additional +the Home page. See the [Owner Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md) topic for additional information. Who Can Assign Ownership (Ownership Administrators)? @@ -58,7 +58,7 @@ What Can Resource Owners Do? The Matches table in the report will only be populated for Console User with Security Team and Administrator roles. -See the [Resource Owners Interface](interface.md) topic for additional information. +See the [Resource Owners Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/interface.md) topic for additional information. ## Workflow of Ownership Assignment @@ -66,7 +66,7 @@ Prerequisites: - Entitlement Reviews License or Self-Service Access License - Optional: The Access Information Center is configured to send Notifications. See the - [Notifications Page](../admin/configuration/notifications.md) topic for additional information. + [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. **NOTE:** By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send 
@@ -81,7 +81,7 @@ Prerequisites: - Resources and groups must be known to the application - Optional: Access groups configured within the environment for resources to be managed through the application, which requires the Access Information Center to be configured to commit AD changes. - See the [Access Groups](accessgroups.md) topic for additional information. + See the [Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. Workflow: @@ -89,11 +89,11 @@ Workflow: workflow. - Add resources to be managed by associating a business data owner with a resource. - - See the [Add New Resource Wizard](wizard/add.md) topic for additional information about adding + - See the [Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) topic for additional information about adding individual resources. - - See the [Import Owners Wizard](wizard/import.md) topic for additional information about adding + - See the [Import Owners Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md) topic for additional information about adding resources with a bulk import. -- Confirm resource ownership. See the [Ownership Confirmation](confirmation.md) topic for additional +- Confirm resource ownership. See the [Ownership Confirmation](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/confirmation.md) topic for additional information. - Notify owners of their responsibilities. See the Notification to Owners topic for additional information. 
@@ -108,7 +108,7 @@ information: - You will need to decide if you are sending owners to the Web Console or directly to the Access Information Center. - How to access instructions on how to complete a review. You can link to the - [Resource Ownership with the Access Information Center](owneroverview.md) topic or download that + [Resource Ownership with the Access Information Center](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/owneroverview.md) topic or download that topic and its subtopics as a PDF and make it available within your corporate resources. - If you plan to enable the Resource Reviews workflow, also include: - An explanation of what a Resource Review is and why your organization is conducting them diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/actionspanel.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/actionspanel.md index 9b40ed6cd9..a6cd7d0f6a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/actionspanel.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/actionspanel.md @@ -3,7 +3,7 @@ The Actions panel provides access to the Resource Reviews and the Self-Service Access Requests workflow features. -![Actions panel section of the Owner portal](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/actionspanel.webp) +![Actions panel section of the Owner portal](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/actionspanel.webp) Resource Review Workflow Features 
@@ -12,7 +12,7 @@ The Reviews link in the Actions panel is part of the Resource Review feature. - Reviews — Opens the Reviews page. If any of your resources have pending reviews, a count of pending reviews displays next to the link. The Reviews page allows you to view both pending and historical resource reviews. See the - [Owners & Resource Reviews](../../resourcereviews/pendingreviews.md) topic for additional + [Owners & Resource Reviews](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/pendingreviews.md) topic for additional information. Self-Service Access Requests Workflow Features @@ -23,11 +23,11 @@ Requests feature. - Access Requests — Opens the Access Requests page. If any of your resources have pending access requests, a count of pending requests displays next to the link. The Access Requests page allows you to view pending and historical access requests for you resources. See the - [Owners & Access Requests](../../accessrequests/owners/overview.md) topic for additional + [Owners & Access Requests](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/owners/overview.md) topic for additional information. - My Access — Opens the Your Access portal. The Your Access portal allows you to see your existing access, request access to resources, and view your access request history. See the - [Your Access Portal Overview](../../accessrequests/youraccessportal/overview.md) topic for + [Your Access Portal Overview](/docs/accessinformationcenter/12.0/access/informationcenter/accessrequests/youraccessportal/overview.md) topic for additional information. **NOTE:** If you have an assigned user role, you can access the Your Access portal with the diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/assignedresources.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/assignedresources.md index 48126c6ba5..86bffcbc74 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/assignedresources.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/assignedresources.md @@ -2,7 +2,7 @@ The Assigned Resources section lists all resources assigned to you. -![Assigned Resources section of the Owner portal](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/assignedresources.webp) +![Assigned Resources section of the Owner portal](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/assignedresources.webp) The table contains one row per assigned resource. The information in this table includes: 
@@ -28,15 +28,15 @@ The table contains one row per assigned resource. The information in this table after the owner leaves the Owner portal or logs out. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to conduct the following actions: | Button | Function | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Update | Opens the Update Resource Window for the selected resource, which allows you to confirm or decline ownership of the resource and to add a description. | -| Change Access | Opens the [Change Resource Access Wizard](changeaccess.md) for the selected resource, which allows you to make ad hoc changes to access and group membership. This button is only enabled if the feature was enabled for the selected resource by the Ownership Administrators. | -| Resource Audit | Opens the Resource Audit interface or Group Audit interface directly to the selected resource. See the [Audit Interfaces](../../resourceaudit/navigate/overview.md) topic for additional information. | +| Change Access | Opens the [Change Resource Access Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/changeaccess.md) for the selected resource, which allows you to make ad hoc changes to access and group membership. This button is only enabled if the feature was enabled for the selected resource by the Ownership Administrators. | +| Resource Audit | Opens the Resource Audit interface or Group Audit interface directly to the selected resource. 
See the [Audit Interfaces](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/navigate/overview.md) topic for additional information. | ## Update Resource Window @@ -44,7 +44,7 @@ The **Update** button on the Owner portal opens the Update Resource window for t resource. You can confirm ownership, decline ownership, and optionally enter a description for the resource. -![Update Resource window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/updateresource.webp) +![Update Resource window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/updateresource.webp) There are two options for ownership confirmation: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/changeaccess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/changeaccess.md index 31a9f8219f..d6b1d2909d 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/changeaccess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/changeaccess.md @@ -4,7 +4,7 @@ The **Change Access** button on the Owner portal opens the Change Resource Acces selected resource. You can make ad hoc changes to resource access when this feature is enabled for the resource by the Ownership Administrators. -![Change Resource Access wizard showing 1. Select Change page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangeadd.webp) +![Change Resource Access wizard showing 1. Select Change page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangeadd.webp) This wizard has four pages, but you will only be directed to the pages applicable to your selection on the first page: 
@@ -29,13 +29,13 @@ Follow the steps to add new user access to the selected resource. **Step 1 –** Select the desired resource in the Owner portal and click **Change Access**. The Change Resource Access wizard opens. -![Change Resource Access wizard showing 1. Select Change page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangeadd.webp) +![Change Resource Access wizard showing 1. Select Change page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangeadd.webp) **Step 2 –** On the Select Change page, select the **Add access for a new user** option. If selected, the **Notify users about their change in access** option will send an email to the users who have been granted access to the resource. Click **Next**. -![Change Resource Access wizard showing 2. Add Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) +![Change Resource Access wizard showing 2. Add Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/addaccess.webp) **Step 3 –** On the Add Access page, indicate the new users. Entering a name or email address in the search field to find and select users from Active Directory, which populate in a drop-down menu as @@ -56,7 +56,7 @@ menu. **Step 5 –** Click **Next** to continue. The wizard advances to the Add Notes page. -![Change Resource Access wizard showing the 4. Add Notes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/addnotesadd.webp) +![Change Resource Access wizard showing the 4. Add Notes page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/addnotesadd.webp) **Step 6 –** On the Add Notes page, optionally enter the following information: 
@@ -71,7 +71,7 @@ menu. _Remember,_ Notes are included in the notification sent to the user (if selected) and recorded with the historical record of this change. -![Change Resource Access wizard completed updates message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Change Resource Access wizard completed updates message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** The action status displays on the page. When the update has completed (100%), click **Finish**. The Change Resource Access wizard closes. @@ -88,7 +88,7 @@ Requests page via the **Access Requests** link on the Actions panel. A CSV file can be created to import a list of users. -![Example CSV File for adding user access imports](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/importfile.webp) +![Example CSV File for adding user access imports](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/importfile.webp) The CSV file must contain one user per row. Use the NTAccount [Domain\SamAccountName] format for the user name, for example `NWXTECH\JSmith`. 
@@ -100,13 +100,13 @@ Follow the steps to change or remove access for the selected resource. **Step 1 –** Select the desired resource in the Owner portal and click **Change Access**. The Change Resource Access wizard opens. -![Change Resource Access wizard with the 1. Select Change page with Change access for an existing user option selected](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangechange.webp) +![Change Resource Access wizard with the 1. Select Change page with Change access for an existing user option selected](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/selectchangechange.webp) **Step 2 –** On the Select Change page, select the **Change access for an existing user** option. If checked, the **Notify users about their change in access** option will send an email to the users having access to the resource changed. Click **Next**. -![Change Resource Access wizard 3. Change Access page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/changeaccess.webp) +![Change Resource Access wizard 3. Change Access page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/changeaccess.webp) **Step 3 –** On the Change Access page, select the users from the list and click **Select**. Use the Windows ctrl-left-click key command to select multiple users. The **View Selections** button shows a 
@@ -122,7 +122,7 @@ drop-down menu. **Step 5 –** Click **Next** to continue. -![Change Resource Access wizard 4. Add Notes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/addnoteschange.webp) +![Change Resource Access wizard 4. Add Notes page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/addnoteschange.webp) **Step 6 –** On the Add Notes page, optionally enter any useful tracking information or description explaining the reason for the change. Click **Next**. The Access Information Center will begin to @@ -131,7 +131,7 @@ process the updates. _Remember,_ Notes are included in the notification sent to the user (if selected) and recorded with the historical record of this change. -![Change Resource Access wizard completed updates message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Change Resource Access wizard completed updates message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 7 –** The action status displays on the page. When the update has completed (100%), click **Finish**. The Change Resource Access wizard closes. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md index ef03d63d59..7f49b18859 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/overview.md 
@@ -11,11 +11,11 @@ been assigned a user role beyond owner. - For an owner without an assigned user role, the Access Information Center will open directly to the Owner portal. -![Owner Portal interface with 3 sections identified](../../../../../../../static/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) +![Owner Portal interface with 3 sections identified](/img/product_docs/threatprevention/threatprevention/siemdashboard/qradar/dashboard/overview.webp) The Owner portal has three sections: -- [Actions Panel](actionspanel.md) — provides access to the Resource Reviews and Self-Service Access +- [Actions Panel](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/actionspanel.md) — provides access to the Resource Reviews and Self-Service Access Requests workflow features - Access Requests— Navigates to the Access Requests page where you can view both pending and @@ -25,7 +25,7 @@ The Owner portal has three sections: - My Access — Navigates to the Your Access portal where you can submit access requests, view pending requests, and view the history of your access requests -- [Assigned Resources](assignedresources.md) — A table of assigned resources with action buttons +- [Assigned Resources](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/ownerportal/assignedresources.md) — A table of assigned resources with action buttons below - Ownership Status — Displays a graphical representation of confirmed ownership for assigned resources 
@@ -34,7 +34,7 @@ The Owner portal has three sections: The Ownership Status section contains a confirmation chart. -![Ownership Status donut graph](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/ownershipstatus.webp) +![Ownership Status donut graph](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/ownerportal/ownershipstatus.webp) It displays a graphical representation of the percentage of resources assigned to you that have been confirmed. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md index 65dec2edad..9a5d6f4f43 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md 
@@ -1,14 +1,14 @@ # Add Owner Window -The Add Owner window opens from either the [Add New Resource Wizard](../wizard/add.md) or the -[Update Resource Wizard](../wizard/update.md). Choose between: +The Add Owner window opens from either the [Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) or the +[Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md). Choose between: - Select a Probable Owner — Select from a calculated list of probable owners - Search for Owner — Browsing Active Directory for a user account ## Select a Probable Owner -![Add Owner window showing Probable Owner option](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/addownerprobable.webp) +![Add Owner window showing Probable Owner option](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/addownerprobable.webp) Probable owners are calculated from the available data: @@ -39,7 +39,7 @@ selected user appears in the Owner list. ## Search for Owner -![Add Owner window showing Search option](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/addownersearch.webp) +![Add Owner window showing Search option](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/addownersearch.webp) Enter a name in the search field to find and select users from Active Directory, which populates in a drop-down menu as you type. If multiple domains are known to the application, ensure the correct diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/confirmremoval.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/confirmremoval.md index 2fabfb0176..d47bf53fae 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/confirmremoval.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/confirmremoval.md @@ -10,7 +10,7 @@ Follow the steps to remove a resource from being managed through the application **Step 1 –** In the Resource Owners interface, select the resource and click Remove. The Confirm Removal window opens. -![Confirm Removal window asking are you sure you wish to remove](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) +![Confirm Removal window asking are you sure you wish to remove](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) **Step 2 –** Click Yes to complete the removal process or **No** to cancel it. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md index b120174174..a7943f9281 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md 
@@ -1,9 +1,9 @@ # Select Group Window -The Select Group window opens from either the [Add New Resource Wizard](../wizard/add.md) or the -[Update Resource Wizard](../wizard/update.md). +The Select Group window opens from either the [Add New Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md) or the +[Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md). -![Select Group window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/selectgroup.webp) +![Select Group window](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/window/selectgroup.webp) The window displays groups with the selected access level for this resource. If there are no groups displayed, then it will be necessary to create a group and grant it this level of access to the diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md index 39bb791e26..71d072505e 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/add.md @@ -2,7 +2,7 @@ The Add new resource wizard is opened with the **Add** button in the Resource Owners interface. -![Add new resource wizard page showing 1. Select Resources page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Add new resource wizard page showing 1. Select Resources page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) It contains five pages: 
@@ -17,7 +17,7 @@ It contains five pages: **NOTE:** This feature requires the Access Information Center is to be configured to commit changes in Active Directory. Additionally, resource based groups must be set up on the resource. - See the [Commit Active Directory Changes](../../admin/additionalconfig/commitchanges.md) topic + See the [Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information. - 5. Summary — This page provides a preview of the settings selected within the wizard @@ -30,7 +30,7 @@ Follow the steps to add resources one at a time and assign owners. **Step 1 –** In the Resource Owners interface, click **Add**. The Add new resource wizard opens. -![Add new resource wizard page showing 1. Select Resources page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Add new resource wizard page showing 1. Select Resources page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) **Step 2 –** On the Select Resource page, select the resource to be managed. Then click **Next**. 
@@ -44,13 +44,13 @@ Follow the steps to add resources one at a time and assign owners. - Browse option – Navigate through the resource tree to select the desired File System or SharePoint resource. -![Add new resources wizard showing 2. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Add new resources wizard showing 2. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 3 –** On the Select Owners page, click **Add** to browse for an owner. Repeat this Step to -add multiple owners. See the [Add Owner Window](../window/addowner.md) topic for additional +add multiple owners. See the [Add Owner Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md) topic for additional information. -![Add new resources wizard with the 2. Select Owners page showing multiple owners selected](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectownerswithowners.webp) +![Add new resources wizard with the 2. Select Owners page showing multiple owners selected](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectownerswithowners.webp) **Step 4 –** When only one owner is assigned, the owner will be the Primary by default. When multiple owners are assigned, the first owner in the list is the Primary owner. Use the arrow 
@@ -67,12 +67,12 @@ the owners: Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![Add new resource wizard showing 3. Description page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![Add new resource wizard showing 3. Description page](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) **Step 5 –** On the Description page, optionally add a description for the resource in the textbox. Then click **Next**. -![Add new resource wizard showing 4. Access Groups page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroups.webp) +![Add new resource wizard showing 4. Access Groups page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroups.webp) **Step 6 –** On the Access Groups page, optionally enable Access Requests and Owner Ad Hoc changes for this resource: @@ -82,7 +82,7 @@ for this resource: - Allow owners to change access — Check this option to enable the owner to make ad hoc access changes for this resource -![Add new resource wizard showing 4. Access Groups page with groups configured](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroupsconfigured.webp) +![Add new resource wizard showing 4. Access Groups page with groups configured](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroupsconfigured.webp) **Step 7 –** When File System or SharePoint resources will be managed through the AIC, it is necessary to configure access groups for those resources in the target environment. An access group 
@@ -91,16 +91,16 @@ If either option in Step 6 is selected for this resource, it is necessary to set least one access level. Select the desired access level and click **Change**. The Select Group Window opens. Select the desired group and click **OK**. The Select Group window closes and the group appears in the table. Repeat this step for each access level desired. See the -[Select Group Window](../window/selectgroup.md) topic for additional information. +[Select Group Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md) topic for additional information. **Step 8 –** Click **Next** to continue. -![Add new resource wizard showing 5. Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Add new resource wizard showing 5. Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 9 –** On the Summary page, review the settings and click **Next**. The Access Information Center begins to process the ownership configuration. -![Add new resource wizard completed page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Add new resource wizard completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 10 –** The action status displays on the page. When the task has completed (100%), click **Close**. The Add new resource wizard closes. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md index 95aed73f89..33303d2928 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/confirm.md 
@@ -3,7 +3,7 @@ The Confirm Ownership wizard is opened with the **Request Confirmation** button in the Resource Owners interface. It can be opened for one or multiple resources. -![Confirm Ownership wizard showing 1.Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Confirm Ownership wizard showing 1.Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) It contains one page: @@ -18,7 +18,7 @@ Follow the steps to request ownership confirmation. **Step 1 –** In the Resource Owners interface, select the desired resource or resources and click Request Confirmation. The Confirm Ownership wizard opens. -![Confirm Ownership wizard showing 1.Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Confirm Ownership wizard showing 1.Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 2 –** On the Select Owners page, you can optionally remove owners you do not want or need ownership confirmation from. Select those owners and click **Remove**. Those owners will not receive 
@@ -33,12 +33,12 @@ Center begins to send the confirmation email. The table provides the following i Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![Owners have been notified message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Owners have been notified message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 3 –** The action status displays on the page. When the owner confirmation notification has completed (100%), click Close. The Confirm Ownership wizard closes. The selected owners receive an email from the Access Information Center asking if they are the owner of the assigned resource. See the -[Owner Confirmation Request Email](../email/confirmationrequest.md) topic for additional +[Owner Confirmation Request Email](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/email/confirmationrequest.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md index 562e9677f6..e0b5fe8dd7 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/import.md 
@@ -2,7 +2,7 @@ The Import Owners wizard is opened with the **Import** button in the Resource Owners interface. -![Import Owners wizard showing 1. Select File page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfile.webp) +![Import Owners wizard showing 1. Select File page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfile.webp) It contains two pages: @@ -17,7 +17,7 @@ The CSV file should list one resource per row using the following format: [ResourcePath],[Owner1];[Owner2];[Owner3],[Description] -![Example CSV File showing file system, SharePoint, and group resource formats](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/csvfileformat.webp) +![Example CSV File showing file system, SharePoint, and group resource formats](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/csvfileformat.webp) - Resource Formats: @@ -45,7 +45,7 @@ The CSV file should list one resource per row using the following format: _Remember,_ if the CSV file contains resources other than just Groups, this method only imports resources with owners. It will be necessary to update each resource to enable Access Requests and -Owner Ad Hoc changes. See the [Update Resource Wizard](update.md) topic for additional information. +Owner Ad Hoc changes. See the [Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md) topic for additional information. See the Import Owners topic for additional information. 
@@ -56,12 +56,12 @@ interface. **Step 1 –** In the Resource Owners interface, click **Import**. The Import Owners wizard opens. -![Import Owners wizard showing 1. Select File page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfile.webp) +![Import Owners wizard showing 1. Select File page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfile.webp) **Step 2 –** On the Select Files page, click **Add**.Navigate to the CSV file to be imported and click **Open**. -![Import Owners wizard with the 1. Select File page showing resources with assigned owners to be imported](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfilepreview.webp) +![Import Owners wizard with the 1. Select File page showing resources with assigned owners to be imported](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectfilepreview.webp) **Step 3 –** A preview of the resources and owners appears in the table. The Status column indicates whether or not there is a problem (invalid resource or owner). Ensure all resources in the table @@ -72,7 +72,7 @@ exclamation icon. You can not continue with the import if any row contains an in owner. To remove a resource from the table, select the row and click **Remove**. The row is removed from the table. -![Import Owners wizard 2. Options page](../../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Import Owners wizard 2. Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 4 –** On the Options page, configure the available options as required. 
@@ -89,11 +89,11 @@ from the table. **Step 5 –** Click **Next**. The Access Information Center will begin to process the import. -![Import Owners wizard completed import page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Import Owners wizard completed import page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 6 –** The action status displays on the page. When the update has completed (100%), click **Close**. The Import Owners wizard closes. These resources are now being manages by the Access Information Center. See the -[Update Resource Wizard](update.md) topic for information on making alterations to the imported +[Update Resource Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md) topic for information on making alterations to the imported resources. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md index bbd6707713..261d600f27 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/wizard/update.md @@ -2,7 +2,7 @@ The Update resource wizard is opened with the **Update** button in the Resource Owners interface. -![Update Resource wizard showing 1. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Update Resource wizard showing 1. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) It contains four pages: 
@@ -17,7 +17,7 @@ It contains four pages: **NOTE:** This feature requires the Access Information Center is to be configured to commit changes in Active Directory. Additionally, resource based groups must be set up on the resource. - See the [Commit Active Directory Changes](../../admin/additionalconfig/commitchanges.md) topic + See the [Commit Active Directory Changes](/docs/accessinformationcenter/12.0/access/informationcenter/admin/additionalconfig/commitchanges.md) topic for additional information. - 4. Summary — Provides a preview of the settings selected within the wizard @@ -31,13 +31,13 @@ Follow the steps to update ownership configuration for a resource. **Step 1 –** In the Resource Owners interface, select the desired resource and click **Update**. The Update resource wizard opens. -![Update Resource wizard showing 1. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Update Resource wizard showing 1. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 2 –** The Select Owners page lists the currently assigned owner(s). Modify as desired and click **Next** to continue. - Add new owners — Click **Add** to browse for a new owner. See the - [Add Owner Window](../window/addowner.md) topic for additional information. + [Add Owner Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/addowner.md) topic for additional information. - Remove an owner — Select an owner and click **Remove** - Change owner priority — Select an owner and use the arrow buttons to change the order 
@@ -53,13 +53,13 @@ information on the owners: Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![Update resource wizard showing 2. Description page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![Update resource wizard showing 2. Description page](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) **Step 3 –** The Description page displays any description that has been provided by either the Ownership Administrator or the assigned owner(s) for the resource. Modify as desired by typing in the textbox. Then click **Next** to continue. -![Update resource wizard showing 3. Access Groups page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroups.webp) +![Update resource wizard showing 3. Access Groups page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/accessgroups.webp) **Step 4 –** The Access Groups page indicates whether or not the resource is available for Access Requests or Owner Ad Hoc changes. Modify as desired and click **Next** to continue. 
@@ -74,14 +74,14 @@ level of access: Read, Modify, and Full Control. If either option is selected fo is necessary to set a group for at least one access level. Select the desired access level and click **Change**. The Select Group Window opens. Select the desired group and click **OK**. The Select Group window closes and the group appears in the table. Repeat this step for each access level -desired. See the [Select Group Window](../window/selectgroup.md) topic for additional information. +desired. See the [Select Group Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/window/selectgroup.md) topic for additional information. -![Update resource wizard showing 4. Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Update resource wizard showing 4. Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 5 –** On the Summary page, review the settings and click **Next**. The Access Information Center begins to process the ownership configuration. -![Update resource wizard completed page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Update resource wizard completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 6 –** The action status displays on the page. When the update has completed (100%), click **Close**. The Update resource wizard closes. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md index 436d2b6876..42a5d26996 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md 
@@ -3,7 +3,7 @@ After all owners assigned to a specific review have submitted their review, its status on the Manage Reviews page of the Resource Reviews interface changes to Responses awaiting review. -![Manage Reviews page with responses awaiting review](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/interfaceapproval.webp) +![Manage Reviews page with responses awaiting review](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/interfaceapproval.webp) In the approval process, the Review Administrator looks at the owner-recommended changes and chooses to approve, deny, or defer the changes. @@ -12,7 +12,7 @@ The Review Administrator may choose to model the requested changes to see how th access will be impacted. Change modeling is conducted through the Resource Audit interface. You can access this interface via the **Resource Audit** button on the [Review Details Page](interface.md#review-details-page). See the -[Model Changes in the AIC](../resourceaudit/changemodeling/model.md) topic for additional +[Model Changes in the AIC](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/changemodeling/model.md) topic for additional information. **CAUTION:** If the Access Information Center has been configured to commit changes to Active 
@@ -40,7 +40,7 @@ be committed when the review is complete. **Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review Details page opens. -![Review Details page for reviews awaiting processing](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsprocess.webp) +![Review Details page for reviews awaiting processing](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsprocess.webp) **Step 2 –** Select a resource in the list and click **View Responses**. The View Responses window opens. @@ -48,11 +48,11 @@ opens. _Remember,_ the **Resource Audit** button opens the Resource Audit interface filtered to that resource's reports. This is where you can conduct change modeling. -![viewresponses](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) +![viewresponses](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) **Step 3 –** By default, the table displays only the recommended changes. Select an item and click the desired action button: Accept, Decline, or Defer. The Approval column icon updates. See the -[View Responses Window](window/viewresponses.md) topic for additional information. +[View Responses Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md) topic for additional information. **Step 4 –** Repeat Step 3 until all changes have been processed. Then click **Close**. The View Responses window closes. 
@@ -86,7 +86,7 @@ be committed when the review is complete. **Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review Details page opens. -![Review Details page for reviews awaiting processing](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsprocess.webp) +![Review Details page for reviews awaiting processing](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsprocess.webp) **Step 2 –** Select a resource in the list and open the **Process Changes** drop-down menu. You can also select multiple resources in the list to be processed at once using the **Ctrl** and **Shift** diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md index 692769c164..d38c4b86cc 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md 
@@ -7,11 +7,11 @@ each resource included in the review. This option can be selected by an Administrator or Security Team user when creating a new review with the Create Review Wizard, or when creating a new review instance using the Run Again option. You can also select the option for a pending review using the Edit Review wizard. See the -[Create Review Wizard](../wizard/create.md) and [Edit Review Wizard](../wizard/edit.md) topics for +[Create Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md) and [Edit Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md) topics for additional information. -![Response Received email](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/email/responsereceived.webp) +![Response Received email](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/email/responsereceived.webp) The email includes information about the review and the number of changes that have been submitted by the resource owner. Sign in to see the response and process the review. See the -[Approval Process](../approvalprocess.md) topic for additional information. +[Approval Process](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md index 97c572045b..7487e321eb 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md 
@@ -12,7 +12,7 @@ This interface has multiple pages: The Manage Reviews page is the first page in the Resource Reviews interface. It displays high-level information for reviews. -![Resource Reviews interface showing Manage Reviews page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Resource Reviews interface showing Manage Reviews page](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The interface includes: 
@@ -58,23 +58,23 @@ The information displayed in the table includes: has been run multiple times, this is the date timestamp of the last instance. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to conduct the following actions: -![Action buttons in the Resource Reviews Interface](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) +![Action buttons in the Resource Reviews Interface](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) | Button | Description | | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Create | Launches the Create Review wizard for creating a new review. See the [Create Review Wizard](wizard/create.md) topic for additional information. | -| Rename | Opens the Rename Review window for modifying the review name. See the [Rename Review Window](window/renamereview.md) topic for additional information. | -| Edit | Opens the Edit Review wizard for the selected review. This allows you to edit some options for an in progress review. See the [Edit Review Wizard](wizard/edit.md) for additional information. | -| Delete | Opens the Delete Review window to delete review and its instance history, which asks for confirmation of the action. See the [Delete Review Window](window/deletereview.md) topic for additional information. | -| Stop | Opens the Stop Review window, which asks for confirmation of the action. 
See the [Stop Review Window](window/stopreview.md) topic for additional information. | +| Create | Launches the Create Review wizard for creating a new review. See the [Create Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md) topic for additional information. | +| Rename | Opens the Rename Review window for modifying the review name. See the [Rename Review Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/renamereview.md) topic for additional information. | +| Edit | Opens the Edit Review wizard for the selected review. This allows you to edit some options for an in progress review. See the [Edit Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md) for additional information. | +| Delete | Opens the Delete Review window to delete review and its instance history, which asks for confirmation of the action. See the [Delete Review Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md) topic for additional information. | +| Stop | Opens the Stop Review window, which asks for confirmation of the action. See the [Stop Review Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/stopreview.md) topic for additional information. | | Mark Completed | Closes the selected review as-is and marks it as completed. Requires the owner(s) to have responded. **CAUTION:** No confirmation is requested for this action. | -| Run Again | Opens the Create Review wizard for the selected review without the option to change the review type. Modify as desired and relaunch the review. See the [Review Instances](reviewinstances.md) topic for additional information. | +| Run Again | Opens the Create Review wizard for the selected review without the option to change the review type. Modify as desired and relaunch the review. 
See the [Review Instances](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md) topic for additional information. | | View Details | Opens the Review Details page for the selected review. See the Review Details Page topic for additional information. | -| Send Reminders | Sends a notification email to the assigned owner(s), reminding of the pending review. Opens the Send Reminders window, which indicates an action status. See the [Send Reminders Window](window/sendreminders.md) topic for additional information. | +| Send Reminders | Sends a notification email to the assigned owner(s), reminding of the pending review. Opens the Send Reminders window, which indicates an action status. See the [Send Reminders Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/sendreminders.md) topic for additional information. | ## Review Details Page @@ -82,7 +82,7 @@ The Review Details page displays information for all instances of the selected r named in the page breadcrumb. This page is opened by selecting a review and clicking **View Details**. -![Resource Reviews interface showing the Review Details page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) +![Resource Reviews interface showing the Review Details page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) Instances are selected from the drop-down menu. By default the most current instance will be displayed. Instances are named with date timestamps indicating the start and end times for the 
@@ -116,22 +116,22 @@ The information displayed in the table includes: - Approval Notes – Icon indicates a Note has been added. Click on the icon to read the attached note(s). Notes displayed here can only be added or viewed by the Review Administrator. See the - [Edit Notes Window](../../general/editnotes.md) topic for additional information. + [Edit Notes Window](/docs/accessinformationcenter/12.0/access/general/editnotes.md) topic for additional information. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. The buttons at the top and bottom enable you to conduct the following actions: -![Action buttons on the Review Details page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsbuttons.webp) +![Action buttons on the Review Details page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetailsbuttons.webp) | Button | Description | | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Delete | Opens the Delete Review window to delete selected review instance, which asks for confirmation of the action. See the [Delete Review Window](window/deletereview.md) topic for additional information. 
| -| Export Excel | Exports the selected review instance information to an Excel spreadsheet. This automatically downloads the spreadsheet. See the [Data Grid Features](../../general/datagrid.md) topic for additional information. | -| Export CSV | Exports the selected review instance information to a CSV file. This automatically downloads the file. See the [Data Grid Features](../../general/datagrid.md) topic for additional information. | -| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](../../general/editnotes.md) topic for additional information. | -| View Responses | Opens the View Responses window, which is only available if the owner has recommended changes for the resource. This window displays all recommended changes, notes provided by the owner for the recommended change, and action buttons to Accept, Decline, or Defer the recommended change. See the [View Responses Window](window/viewresponses.md) topic for additional information. | +| Delete | Opens the Delete Review window to delete selected review instance, which asks for confirmation of the action. See the [Delete Review Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md) topic for additional information. | +| Export Excel | Exports the selected review instance information to an Excel spreadsheet. This automatically downloads the spreadsheet. See the [Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. | +| Export CSV | Exports the selected review instance information to a CSV file. This automatically downloads the file. See the [Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. | +| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. 
See the [Edit Notes Window](/docs/accessinformationcenter/12.0/access/general/editnotes.md) topic for additional information. | +| View Responses | Opens the View Responses window, which is only available if the owner has recommended changes for the resource. This window displays all recommended changes, notes provided by the owner for the recommended change, and action buttons to Accept, Decline, or Defer the recommended change. See the [View Responses Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md) topic for additional information. | | Process Changes | Opens a drop-down menu to Accept, Decline, or Defer all owner-recommended changes for the selected resource. This option allows the Review Administrator to process responses in batches, so all owner-recommended changes for the selected resource will be processed with the same action. **CAUTION:** If the Access Information Center has been configured to commit changes to Active Directory and the automation prerequisites have been met for this type of review, selecting Accept will commit the requested changes. | -| Remove Changes | Opens the Remove changes window. Clears all requested changes for the selected resource. The resource is returned to a ‘Waiting’ status, requiring the owner to review the resource again. See the [Remove Changes Window](../../general/removechanges.md) topic for additional information. | -| Resource Audit | Opens the Resource Audit interface for the selected resource. See the [Resource Audit Overview](../resourceaudit/overview.md) topic for additional information. | +| Remove Changes | Opens the Remove changes window. Clears all requested changes for the selected resource. The resource is returned to a ‘Waiting’ status, requiring the owner to review the resource again. See the [Remove Changes Window](/docs/accessinformationcenter/12.0/access/general/removechanges.md) topic for additional information. 
| +| Resource Audit | Opens the Resource Audit interface for the selected resource. See the [Resource Audit Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceaudit/overview.md) topic for additional information. | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md index c9581c54d3..b65fff40fa 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/overview.md @@ -46,7 +46,7 @@ There are four types of reviews: The Matches table in the report will only be populated for Console User with Security Team and Administrator roles. This is also required for Sensitive Data reviews. -See the [Resource Reviews Interface](interface.md) topic for additional information. +See the [Resource Reviews Interface](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md) topic for additional information. Ignored Trustees 
@@ -61,14 +61,14 @@ Prerequisites: - Entitlement Reviews License - The Access Information Center is configured to send Notifications. See the - [Notifications Page](../admin/configuration/notifications.md) topic for additional information. + [Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. **NOTE:** By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send notifications to all assigned owners. - Owners assigned to resources within the Resource Owners interface. See the - [Resource Owners Overview](../resourceowners/overview.md) topic for additional information. + [Resource Owners Overview](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md) topic for additional information. - Sensitive Data reviews have specific requirements for Access Analyzer configuration. See the [Data Collection Prerequisites](prerequisites.md#data-collection-prerequisites) topic for additional information. 
@@ -80,17 +80,17 @@ Workflow: **_RECOMMENDED:_** When deploying the Access Information Center in an organization to process reviews, owners should be notified prior to launching the first set of reviews. See the -[Notification to Owners](../resourceowners/overview.md#notification-to-owners) topic for additional +[Notification to Owners](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/overview.md#notification-to-owners) topic for additional information. **Step 1 –** Review Administrator creates a review or starts a new review instance. See the -[Create Review Wizard](wizard/create.md) topic for additional information. +[Create Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md) topic for additional information. **Step 2 –** Owner performs a review. See the [Pending Reviews Page](pendingreviews.md#pending-reviews-page) topic for additional information. **Step 3 –** Review Administrator approves owner recommendations. See the -[Approval Process](approvalprocess.md) topic for additional information. +[Approval Process](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/approvalprocess.md) topic for additional information. **Step 4 –** Implement approved changes in your organization: @@ -99,4 +99,4 @@ information. - Manually, export a list of approved changes and deliver it to your IT department When desired, the Review Administrator runs another instance of the review and the workflow starts -again. See the [Review Instances](reviewinstances.md) topic for additional information. +again. See the [Review Instances](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md) topic for additional information. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/pendingreviews.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/pendingreviews.md index 4699a2b060..8aa893b9d0 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/pendingreviews.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/pendingreviews.md 
@@ -6,24 +6,24 @@ privileges users have to your resource. When the Review Administrator creates a a new instance of an existing review, you receive an email notification that includes a link to the your pending reviews. -![Email notification of pending review](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/newreview.webp) +![Email notification of pending review](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/newreview.webp) Use the **Sign in** link at the bottom to open the Owner portal in the Access Information Center. _Remember,_ Your company domain credentials are used to log in. -![Reviews link on the Ownership portal](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/ownershipportal.webp) +![Reviews link on the Ownership portal](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/ownershipportal.webp) The Owner portal displays a number next to the **Reviews**link to indicate how many of your resources are included in pending reviews. Click the link to open the Reviews interface. The Reviews interface has two pages: Pending Reviews and Review History. See the Pending Reviews Page and -[Review History Page](reviewhistory.md) topics for additional information. +[Review History Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewhistory.md) topics for additional information. ## Pending Reviews Page The Pending Reviews page lists all of your resources included in pending reviews. 
-![Pending Reviews page of the Reviews interface](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/pendingreviews.webp) +![Pending Reviews page of the Reviews interface](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/pendingreviews.webp) The information displayed in the table includes: @@ -43,7 +43,7 @@ The information displayed in the table includes: - Last Reviewed — Date timestamp when the last review took place for the resource. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. Performing a review means you are evaluating the resources. You can leave the resource unchanged or make recommendations for changes. Consider the following examples: @@ -62,7 +62,7 @@ recommendation and processes those changes. The **Begin Review** button opens the Resource Review page to start the review. -![Resource Review page for an Access review](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) +![Resource Review page for an Access review](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) The Resource Review page varies based on the type of review; however, there are several common features: 
@@ -92,7 +92,7 @@ features: The content within the table varies, and additional options may appear depending on the type of review being conducted. See the following sections for step by step instructions: -- [Perform an Access Review](review/access.md) -- [Perform a Membership Review](review/membership.md) -- [Perform a Permissions Review](review/permissions.md) -- [Perform a Sensitive Data Review](review/sensitivedata.md) +- [Perform an Access Review](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/access.md) +- [Perform a Membership Review](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/membership.md) +- [Perform a Permissions Review](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/permissions.md) +- [Perform a Sensitive Data Review](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/sensitivedata.md) diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/prerequisites.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/prerequisites.md index 57e31bbb93..12cf740057 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/prerequisites.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/prerequisites.md @@ -79,7 +79,7 @@ automation of approved changes. must be manually done outside of the application. See the Sensitive Data Review Automation topic for additional information. -See the [Access Groups](../resourceowners/accessgroups.md) topic for additional information. +See the [Access Groups](/docs/accessinformationcenter/12.0/access/informationcenter/resourceowners/accessgroups.md) topic for additional information. ### Sensitive Data Review Automation 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/access.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/access.md index a735e1ce70..33c4b33033 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/access.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/access.md @@ -6,13 +6,13 @@ to perform an Access review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Access review and click **Begin Review**. The Resource Review page opens to the 1 Make changes tab. -![Resource Reviews page showing an Access Review on 1 Make Changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) +![Resource Reviews page showing an Access Review on 1 Make Changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) The table displays access information for the resource being reviewed: - Trustee Name — Name of the trustee with access to this resource. If the trustee is a group, click the hyperlink to open the Group Membership window. See the - [Group Membership Window](../../../general/groupmembership.md) topic for additional information. + [Group Membership Window](/docs/accessinformationcenter/12.0/access/general/groupmembership.md) topic for additional information. - User Title — Trustee's title as read from Active Directory - User Department — Trustee's department as read from Active Directory - User E-mail — Trustee's email address as read from Active Directory 
@@ -37,7 +37,7 @@ pending until you submit all recommendations for this resource. **Step 4 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Resource Reviews page showing an Access Review on 2 Review changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpageaccess2.webp) +![Resource Reviews page showing an Access Review on 2 Review changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpageaccess2.webp) **Step 5 –** This tab displays a filtered table of trustees with recommended changes. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/membership.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/membership.md index 663563f64e..d2e843938a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/membership.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/membership.md 
@@ -6,13 +6,13 @@ review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Membership review and click **Begin Review**. The Resource Review page opens to the 1 Make changes tab. -![Membership review Make changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership.webp) +![Membership review Make changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership.webp) The table displays membership information for the group being reviewed: - Trustee Name — Name of the trustee with group membership. If the trustee is a group, click the hyperlink to open the Group Membership window. See the - [Group Membership Window](../../../general/groupmembership.md) topic for additional information. + [Group Membership Window](/docs/accessinformationcenter/12.0/access/general/groupmembership.md) topic for additional information. - User Title — Trustee's title as read from Active Directory - User Department — Trustee's department as read from Active Directory - User E-mail — Trustee's email address as read from Active Directory @@ -33,7 +33,7 @@ pending until you submit all recommendations for this resource. **Step 3 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Membership review Review changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership2.webp) +![Membership review Review changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership2.webp) **Step 4 –** This tab displays a filtered table of trustees with recommended changes. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/permissions.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/permissions.md index 1a715fbcb4..80b1db1646 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/permissions.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/permissions.md @@ -6,12 +6,12 @@ steps to perform a Permissions review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Permissions review and click **Begin Review**. The Resource Review page opens to the 1 Make Changes tab. -![Permissions review Make changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagepermissions.webp) +![Permissions review Make changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagepermissions.webp) The table displays permission information for the resource being reviewed: - Trustee Name — Name of the trustee. If the trustee is a group, click the hyperlink to open the - Group Membership window. See the [Group Membership Window](../../../general/groupmembership.md) + Group Membership window. See the [Group Membership Window](/docs/accessinformationcenter/12.0/access/general/groupmembership.md) topic for additional information. - User Title — Trustee's title as read from Active Directory - User Department — Trustee's department as read from Active Directory 
@@ -40,7 +40,7 @@ pending until you submit all recommendations for this resource. **Step 4 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Permissions review Review changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagepermissions2.webp) +![Permissions review Review changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagepermissions2.webp) **Step 5 –** This tab displays a filtered table of trustees with recommended changes. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/sensitivedata.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/sensitivedata.md index 5f1ceb6dce..68dc50cab6 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/sensitivedata.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/review/sensitivedata.md @@ -6,7 +6,7 @@ steps to perform a Sensitive Data review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Sensitive Data review and click **Begin Review**. The Resource Review page opens to the 1 Make Changes tab. -![Sensitive Data Resource Review Make changes page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagesensitivedata.webp) +![Sensitive Data Resource Review Make changes page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagesensitivedata.webp) The table displays files where potentially sensitive data has been found on the resource being reviewed: 
@@ -16,7 +16,7 @@ reviewed: - Last Modified – Last modified date timestamp of the file from scanned the file details - Owner – Owner of the file from scanned the file details - Criteria – Name of the criteria with match hits found within the file. The hyperlink opens the - Criteria Matches window. See the [Criteria Matches Window](../window/criteriamatches.md) topic for + Criteria Matches window. See the [Criteria Matches Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/criteriamatches.md) topic for additional information. **Step 2 –** For each file listed, make a recommendation by clicking on the icon in either the Keep, @@ -33,7 +33,7 @@ pending until you submit all recommendations for this resource. **Step 3 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Sensitive Data review Review changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagesensitivedata2.webp) +![Sensitive Data review Review changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagesensitivedata2.webp) **Step 4 –** This tab displays the table of files with your recommendations. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewhistory.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewhistory.md index a7394ca3a2..da0d6514d2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewhistory.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewhistory.md 
@@ -2,7 +2,7 @@ The Review History page lists all completed review instances for your resources. -![Review History Tab](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewhistory.webp) +![Review History Tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewhistory.webp) The information displayed in the table includes: @@ -23,14 +23,14 @@ The information displayed in the table includes: or Waiting. Hover over a status icon to display its tooltip. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. ## Review Details Window The View Details button at the bottom of the Review History page opens the Review Details window for a resource where changes were recommended. -![Review Details Window](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) +![Review Details Window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) The information displayed in the table includes: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md index fc4bb85679..1ef2710021 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/reviewinstances.md 
@@ -6,15 +6,15 @@ review. Each instance is identified by date timestamps indicating its start and **_RECOMMENDED:_** Prior to running another review instance, ensure the most up to date information is available to owners for review. -![Manage Reviews page with completed review selected](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/interfacerunagain.webp) +![Manage Reviews page with completed review selected](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/interfacerunagain.webp) On the Manage Reviews page in the Resource Reviews interface, a review with a Completed status can be started again. Select the review and click **Run Again**. The Create Review wizard opens without the Review Type page. The review can be run as-is by navigating through the wizard with the **Next** buttons, or you can modify as desired. Completing the wizard process restarts the review. See the -[Create Review Wizard](wizard/create.md) topic for additional information. +[Create Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md) topic for additional information. -![Instance drop-down on Review Details page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewinstances.webp) +![Instance drop-down on Review Details page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewinstances.webp) Previous instances for a review can be viewed on the Review Details page. Select the instance from the drop-down menu to show the details for it. See the diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/criteriamatches.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/criteriamatches.md index 177846fa3c..c2d82cf0b5 100644 
--- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/criteriamatches.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/criteriamatches.md @@ -3,7 +3,7 @@ The criteria type listed in a Sensitive Data review appears as a blue hyperlink. Click the hyperlink to open the Criteria Matches window. -![Criteria Matches window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/criteriamatches.webp) +![Criteria Matches window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/criteriamatches.webp) The table displays the following information for each match found on the selected file: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md index de338e254f..5ba9be36a2 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/deletereview.md @@ -1,8 +1,8 @@ # Delete Review Window The Delete Review window opens from either the -[Manage Reviews Page](../interface.md#manage-reviews-page) or the -[Review Details Page](../interface.md#review-details-page) of the Resource Reviews interface: +[Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) or the +[Review Details Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#review-details-page) of the Resource Reviews interface: - Delete Entire Review — Deleting a review from the Manage Reviews page will delete all instances of the selected review 
@@ -14,7 +14,7 @@ The Delete Review window opens from either the Select the desired review on the Manage Reviews page and click **Delete**. The Delete Review window opens to confirm the action. -![Delete Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewentire.webp) +![Delete Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewentire.webp) **CAUTION:** This will delete all instances of the selected review and all historical data associated with it. @@ -26,7 +26,7 @@ Click **Yes** to complete the deletion. Click **No** to cancel it. The Delete Re Select the desired review instance from the drop-down menu on the Review Details page and click **Delete**. The Delete Review window opens to confirm the action. -![Delete Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewinstance.webp) +![Delete Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewinstance.webp) **CAUTION:** This will delete all historical data associated to the selected review instance. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md index 23a4c9e727..56fb567b3a 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md 
@@ -4,12 +4,12 @@ The Some items could not be found message displays when importing a resource lis Review or Edit Review wizards if items specified in the CSV file can not be found or are not valid for the review. -![Some items could not be found dialog](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/missingitemsmessage.webp) +![Some items could not be found dialog](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/missingitemsmessage.webp) Click **Yes** to open the Missing Items window or click **No** to complete the import without viewing the missing items. -![Missing items window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/missingitems.webp) +![Missing items window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/missingitems.webp) Review the list of resources. Items can be listed for multiple reasons: diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/renamereview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/renamereview.md index 6daa766553..0f11df7b88 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/renamereview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/renamereview.md 
@@ -1,11 +1,11 @@ # Rename Review Window -The Rename Review window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) +The Rename Review window opens from the [Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) of the Resource Reviews interface. Follow the steps to rename a review. **Step 1 –** Select the review and click **Rename**. The Rename Review window opens. -![Rename Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/renamereview.webp) +![Rename Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/renamereview.webp) **Step 2 –** Edit the review name in the textbox. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md index 3034763dfc..0a85dd64fb 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md @@ -1,9 +1,9 @@ # Selected Resources Window The Selected Resources window opens from the **View Selections** button in the -[Create Review Wizard](../wizard/create.md). +[Create Review Wizard](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md). -![Selected Resources windwo](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) +![Selected Resources windwo](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) The table displays: 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/sendreminders.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/sendreminders.md index 09b5bd85a1..dbda308374 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/sendreminders.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/sendreminders.md @@ -1,14 +1,14 @@ # Send Reminders Window -The Send Reminders window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) +The Send Reminders window opens from the [Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) of the Resource Reviews interface. Select the desired active review(s) and click **Send Reminders** to send immediate reminder notifications. The Send Reminders window opens to display an action status. -![Send Reminders window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/sendreminders.webp) +![Send Reminders window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/sendreminders.webp) The window displays the action status. When a successful status is indicated, assigned owners were sent a reminder email. Click **OK** to close the Send Reminders window. _Remember,_ automatic weekly reminders can be configured on the -[Notifications Page](../../admin/configuration/notifications.md) of the Configuration interface. +[Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) of the Configuration interface. 
diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/stopreview.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/stopreview.md index fa2e1ae9a8..46a31dddb4 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/stopreview.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/stopreview.md @@ -1,10 +1,10 @@ # Stop Review Window -The Stop Review window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) of +The Stop Review window opens from the [Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) of the Resource Reviews interface. Select the desired active review(s) and click **Stop**. The Stop Review window opens to confirm the action. -![Stop Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/stopreview.webp) +![Stop Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/stopreview.webp) **CAUTION:** This will prevent owners from completing the review, removing associated resources from their Pending Reviews list. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md index 912fa4f352..29c6809b82 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/viewresponses.md 
@@ -1,10 +1,10 @@ # View Responses Window The View Responses window opens from the **View Response** button on the -[Review Details Page](../interface.md#review-details-page) of the Resource Reviews interface. It +[Review Details Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#review-details-page) of the Resource Reviews interface. It displays all owner-recommended changes and notes for the selected resource. -![View Responses window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) +![View Responses window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) The information displayed in the table includes: 
@@ -42,15 +42,15 @@ according to the type of review: - Sensitive Data — The only action that can be committed is to flag a file as a false positive for the selected criteria -See the [Data Collection & Automation Prerequisites](../prerequisites.md) topic for additional +See the [Data Collection & Automation Prerequisites](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/prerequisites.md) topic for additional information. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/accessinformationcenter/12.0/access/general/datagrid.md) topic for additional information. Select an item in the table, and use the action buttons at the bottom to identify the decision: -![viewresponsesbuttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/viewresponsesbuttons.webp) +![viewresponsesbuttons](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/viewresponsesbuttons.webp) | Button | Description | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md index 68c3d6d08e..67635b3522 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md +++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/create.md 
@@ -1,9 +1,9 @@ # Create Review Wizard The Create Review wizard is opened with the **Create** button on the Resource Reviews interface. See -the [Manage Reviews Page](../interface.md#manage-reviews-page) topic for additional information. +the [Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) topic for additional information. -![Create Review wizard](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) +![Create Review wizard](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) It contains four pages: @@ -46,7 +46,7 @@ Follow the steps to create a review. **Step 1 –** On the Manage Reviews page, click Create. The Create Review wizard opens. -![Create Review wizard Review Type page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) +![Create Review wizard Review Type page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) **Step 2 –** On the Review Type page, provide the following information and click **Next**: @@ -63,7 +63,7 @@ Follow the steps to create a review. - Notify the review creator when resources are reviewed — When selected, an email is sent to the review creator when the review has been completed by the resource owner. If the review contains multiple resources, an email is sent when each resource is reviewed. See the - [Resource Reviewed Email](../email/resourcereviewed.md) topic for additional information. + [Resource Reviewed Email](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md) topic for additional information. **NOTE:** This option is not available for the Builtin Administrator account as it has no email to receive notifications. 
@@ -77,7 +77,7 @@ Follow the steps to create a review. **NOTE:** If creating a Sensitive Data review, continue to Step 3. For all other review types, skip to Step 5. -![Create Review wizard Criteria page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![Create Review wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 3 –** On the Criteria page, select the types of sensitive criteria to include in the Sensitive Data review from the list on the left and click **Add**. Multiple items can be selected @@ -97,7 +97,7 @@ Netwrix Access Analyzer (formerly Enterprise Auditor) for all of the resources s the One or more resources selected have not been scanned error occurs. The Create Review wizard will not allow the review to be created until those resources have been removed or the option unchecked. -![Create Review wizard Resources page](../../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Create Review wizard Resources page](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) **Step 5 –** On the Resources page, select the resources to be included in the review. The Search feature is available to filter the list of available resource that match the type of review being 
@@ -122,11 +122,11 @@ created. - Select the desired resource(s) and click **Add**. The **View Selections** button indicates how many resources have been selected. Click the button to open the Selected Resources window, where you can view and modify the selections. See the - [Selected Resources Window](../window/selectedresources.md) topic for additional information. + [Selected Resources Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md) topic for additional information. - Alternatively you can import a list of resources from a CSV file. Click the **Import** button and then select the CSV file. A message displays if items are not found or not valid for the review. Any valid resources are selected and can be viewed in the Selected Resources window.  See the - [Missing Items Window](../window/missingitems.md) topic for additional information + [Missing Items Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md) topic for additional information The CSV file must use the following format for the resources: 
@@ -137,12 +137,12 @@ created. - Once the desired resources have been selected, click **Next**. -![Create Review wizard Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Create Review wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** On the Summary page, review the settings and click **Next**. The Access Information Center begins to create the review. -![Create Review wizard review created message](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/created.webp) +![Create Review wizard review created message](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/created.webp) **Step 7 –** The action status displays on the page. When the review has been created (100%), click **Close**. The Create Review wizard closes. @@ -151,4 +151,4 @@ The new review displays in the table on the Manage Reviews page. An email was se owner assigned to the resource(s) in this review. By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send notifications to all assigned owners. See the -[Notifications Page](../../admin/configuration/notifications.md) topic for additional information. +[Notifications Page](/docs/accessinformationcenter/12.0/access/informationcenter/admin/configuration/notifications.md) topic for additional information. diff --git a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md index 91b0a4ea50..64fe4e0eb5 100644 --- a/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md 
+++ b/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/wizard/edit.md @@ -1,9 +1,9 @@ # Edit Review Wizard The Edit Review wizard is opened with the **Edit** button on the Resource Reviews interface. See the -[Manage Reviews Page](../interface.md#manage-reviews-page) topic for additional information. +[Manage Reviews Page](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/interface.md#manage-reviews-page) topic for additional information. -![Edit Review wizard](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) +![Edit Review wizard](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) It contains four pages: @@ -22,7 +22,7 @@ Follow the steps to edit an active review. **Step 1 –** On the Manage Reviews page, click **Edit**. The Edit Review wizard opens. -![Edit Review wizard Review Type page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) +![Edit Review wizard Review Type page](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/wizard/reviewtype.webp) **Step 2 –** On the Review Type page, configure the notify review creator option as required. The Review Name and type are shown on the page but can not be edited. For Permissions, Access, and 
@@ -32,12 +32,12 @@ edited. - Notify the review creator when resources are reviewed — When selected, an email is sent to the review creator when the review has been completed by the resource owner. If the review contains multiple resources, an email is sent when each resource is reviewed. See the - [Resource Reviewed Email](../email/resourcereviewed.md) topic for additional information. + [Resource Reviewed Email](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/email/resourcereviewed.md) topic for additional information. **NOTE:** If creating a Sensitive Data review, continue to Step 3. For all other review types, skip to Step 5. -![Edit Review wizard Criteria page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) +![Edit Review wizard Criteria page](/img/product_docs/accessanalyzer/admin/datacollector/ewsmailbox/criteria.webp) **Step 3 –** On the Criteria page, you can modify the selected types of sensitive criteria to include in the Sensitive Data review if no responses have been received. If responses for one or @@ -62,7 +62,7 @@ the “One or more resources selected have not been scanned” error occurs. The will not allow the review to be created until those resources have been removed or the option unchecked. -![Edit Review wizard Resources page](../../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Edit Review wizard Resources page](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) **Step 5 –** On the Resources page, modify the list of resources to be included in the review. 
@@ -88,11 +88,11 @@ or removing parent resources from the review also adds or removes their children - Select the desired resource(s) and click **Add**. The **View Selections** button indicates how many resources have been selected. Click the button to open the Selected Resources window, where you can view and modify the selections. See the - [Selected Resources Window](../window/selectedresources.md) topic for additional information. + [Selected Resources Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/selectedresources.md) topic for additional information. - Alternatively you can import a list of resources from a CSV file. Click the **Import** button and then select the CSV file. A message displays if items are not found or not valid for the review. Any valid resources are selected and can be viewed in the Selected Resources window.  See the - [Missing Items Window](../window/missingitems.md) topic for additional information + [Missing Items Window](/docs/accessinformationcenter/12.0/access/informationcenter/resourcereviews/window/missingitems.md) topic for additional information The CSV file must use the following format for the resources: 
@@ -103,12 +103,12 @@ or removing parent resources from the review also adds or removes their children - Once the desired resources have been selected, click **Next**. -![Edit Review wizard Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Edit Review wizard Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** On the Summary page, review the updated settings and click **Next**. The Access Information Center begins to update the review. -![Edit Review wizard update completed message](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Edit Review wizard update completed message](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 7 –** The action status displays on the page. When the review has been updated (100%), click **Close**. The Edit Review wizard closes. diff --git a/docs/activitymonitor/7.1/activitymonitor/requirements/activityagentports.md b/docs/activitymonitor/7.1/activitymonitor/requirements/activityagentports.md index a41d0b41e6..b2a214925e 100644 --- a/docs/activitymonitor/7.1/activitymonitor/requirements/activityagentports.md +++ b/docs/activitymonitor/7.1/activitymonitor/requirements/activityagentports.md 
@@ -10,7 +10,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. There might be a need for additional ports for the target environment. diff --git a/docs/activitymonitor/7.1/activitymonitor/restapi/resources.md b/docs/activitymonitor/7.1/activitymonitor/restapi/resources.md index e922723a35..5f3a850952 100644 --- a/docs/activitymonitor/7.1/activitymonitor/restapi/resources.md +++ b/docs/activitymonitor/7.1/activitymonitor/restapi/resources.md @@ -1828,7 +1828,7 @@ Response: array of Policy Example: -[Copy]() +[Copy](javascript:void(0);) ```json [ diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md index c4efe8b0a1..29fd0a3e7f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md 
@@ -1,7 +1,7 @@ # Active Directory Agent Deployment Before deploying the Active Directory (AD) agent, ensure all -[AD Agent Server Requirements](../../../requirements/adagent.md) have been met. To effectively +[AD Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md) have been met. To effectively monitor Active Directory, it is necessary to deploy an AD agent to every domain controller, including the read only domain controllers. However, it is possible to deploy the agents in batches. Follow the steps to deploy the AD agents to the domain controllers in the target domain. @@ -10,7 +10,7 @@ Follow the steps to deploy the AD agents to the domain controllers in the target **Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. -![Install New Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 2 –** Click on the Install agents on Active Directory domain controllers link to deploy activity agents to multiple domain controllers. 
@@ -18,34 +18,34 @@ activity agents to multiple domain controllers. **NOTE:** The Activity Monitor will validate the entered Host Name or IP Address entered in the **Server Name** text box. -![Specify Agent Port](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) +![Specify Agent Port](/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) **Step 3 –** Specify the port that should be used by the new agent(s). -![Agent Install Location](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/locationdefault.webp) +![Agent Install Location](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/locationdefault.webp) **Step 4 –** Select the agent installation path. **_RECOMMENDED:_** Use the default installation path. -![Active Directory Connection page with blank text boxes](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adconnectionblank.webp) +![Active Directory Connection page with blank text boxes](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adconnectionblank.webp) **Step 5 –** On the Active Directory Connection page, enter the domain, and specify an account that is a member of BUILTIN\Administrators group on the domain. Then, click **Connect**. -![Example of a successful connection on the Active Directory Connection page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adconnectionsuccessful.webp) +![Example of a successful connection on the Active Directory Connection page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adconnectionsuccessful.webp) When the connection is successful, the Next button is enabled. Click Next to continue. **NOTE:** An Administrator’s credentials are required to test the connection to the server. This is the only way to enable the Next button. 
-![Domains to Monitor page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/domainstomonitorpage.webp) +![Domains to Monitor page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/domainstomonitorpage.webp) **Step 6 –** On the Domains To Monitor page, available domains display in a list, checked by default. Check/uncheck the boxes as desired to identify the domains to monitor, then click Next. -![Domain Controllers to Deploy the Agent to page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/dcstodeploytheagenttopage.webp) +![Domain Controllers to Deploy the Agent to page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/dcstodeploytheagenttopage.webp) **Step 7 –** On the Domain Controllers to deploy the Agent to page, available domain controllers display in a list, checked by default. Check/uncheck the boxes as desired to identify the domain 
@@ -54,12 +54,12 @@ controllers where the AD agent is to be deployed. **NOTE:** Agents can be gradually deployed, but the AD agent needs to be installed on all domain controllers to monitor all activity of the domain. -![Test Connection to Domain Controller](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/dcsdeployagentconnection.webp) +![Test Connection to Domain Controller](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/dcsdeployagentconnection.webp) **Step 8 –** Click the **Test** button to verify the connection to the domains selected. Once the connection is verified, click **Next** to continue. -![Windows Agent Settings Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/windowsagentsettingspage.webp) +![Windows Agent Settings Page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/windowsagentsettingspage.webp) **Step 9 –** On the Windows Agent Settings page, there are two settings to configure. @@ -79,9 +79,9 @@ deployed to and installed on the target host. During the installation process, the status will be Installing. If there are any errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box. -![AD Agent Installed](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adagentinstalled.webp) +![AD Agent Installed](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adagentinstalled.webp) When the AD agent installation is complete, the status changes to **Installed** and the agent version populates in the AD Module column. The next step is to configure the domains to be -monitored. See the [Monitored Domains Tab](../../monitoreddomains/overview.md) section for +monitored. See the [Monitored Domains Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md) section for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md index d29aefebb9..1b51b5e284 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md @@ -13,7 +13,7 @@ It also provides the ability to feed activity data to other Netwrix products: - Netwrix Threat Manager Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment -must be met. See the [Linux Agent Server Requirements](../../../requirements/linuxagent.md) topic +must be met. See the [Linux Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/linuxagent.md) topic for additional information. ## Deploy Linux Agent 
@@ -22,17 +22,17 @@ Follow the steps to deploy the agent to the Linux host. **Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. -![Install New Agent page of the Add New Agent(s) Wizard](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent page of the Add New Agent(s) Wizard](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 2 –** On the Install New Agent page, enter the server name for the Linux host. Click **Next**. -![Specify Agent Port](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) +![Specify Agent Port](/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) **Step 3 –** On the Agent Port page, specify the port to be used by the new agent. The default port is **4498**. Click **Next**. -![Credentials to Connect](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/credentialsservers.webp) +![Credentials to Connect](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/credentialsservers.webp) **Step 4 –** On the Credentials To Connect To The Server(s) page, connect to the Linux Server using either a **User name** and **Password**, or a Public Key. 
@@ -42,14 +42,14 @@ The options for connecting with a Password are: - User name - Password -![Public Key Credentials](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/publickey.webp) +![Public Key Credentials](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/publickey.webp) The options for connecting with a Public Key are: - User name - Private Key -![Client Certificate Credentials](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/clientcertificate.webp) +![Client Certificate Credentials](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/clientcertificate.webp) To connect with a Client Certificate, select the **Client Certificate** (for already installed agents) option. Run the following commands on the Linux machine: @@ -87,7 +87,7 @@ cat ~/.ssh/id_ecdsa **Next**. If the connection is unsuccessful, see the status message that appears for information on the failed connection. -![Linux Agent Options](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/linuxagentoptions.webp) +![Linux Agent Options](/img/product_docs/activitymonitor/activitymonitor/install/agent/linuxagentoptions.webp) **Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To use root, leave the **Service user name** field blank. Click **Test** to test the connection. 
@@ -98,21 +98,21 @@ deployed to and installed on the target host. During the installation process, the status will be **Installing**. If there are any errors, Activity Monitor stops the installation and lists the errors in the **Agent messages** box. -![Linux Agent Installed](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp) +![Linux Agent Installed](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp) When the Linux agent installation is complete, the status changes to **Installed**. The Monitored Host is also configured, and the added Linux host is displayed in the monitored hosts table. See the -[Monitored Hosts Tab](../../monitoredhosts/overview.md) topic for additional information. +[Monitored Hosts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md) topic for additional information. Once a host has been added for monitoring, configure the desired outputs. See the -[Output for Monitored Hosts](../../monitoredhosts/output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Linux Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Inactivity Alerts Tab](../../monitoredhosts/properties/inactivityalerts.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../../monitoredhosts/properties/overview.md) topic for additional +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md index 2f723a56d9..ff4fd7ba5d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md @@ -2,7 +2,7 @@ Before deploying the activity agent, ensure all Prerequisites are met, including those for NAS devices when applicable. Follow the steps to deploy the activity agent to a multiple Windows -servers. See the [Activity Agent Server Requirements](../../../requirements/activityagent.md) topic +servers. See the [Activity Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md) topic for additional information. **NOTE:** These steps are specific to deploying activity agents for monitoring supported target 
@@ -10,17 +10,17 @@ environments. **Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. -![Install New Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 2 –** On the Install new agent page, click the install agents on multiple hosts link to deploy activity agents to multiple hosts. -![Specify Agent Port page - specify port that should be used by new agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) +![Specify Agent Port page - specify port that should be used by new agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) **Step 3 –** On the Specify Agent Port page, specify the port that should be used by the new agent. The default port is 4498. Click **Next**. -![Install Agents on Multiple Hosts page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/installagentsonmultiplehosts.webp) +![Install Agents on Multiple Hosts page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/installagentsonmultiplehosts.webp) **Step 4 –** Windows or Linux hosts can be entered as either a name or an IP Address. The options are: @@ -37,7 +37,7 @@ Manual Entry Use **Manual Entry** to manually type the host names or IP addresses of the servers to be monitored. -![Enter Host Name or IP Address window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/hostnameoripaddresswindow.webp) +![Enter Host Name or IP Address window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/hostnameoripaddresswindow.webp) For Manual Entry, the options are: 
@@ -51,7 +51,7 @@ Import a List Use **Import a List** to import host names or IP addresses from an external source. -![Import Hosts from a CSV File window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/importhostsfromacsvfilewindow.webp) +![Import Hosts from a CSV File window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/importhostsfromacsvfilewindow.webp) For Import a List: @@ -67,7 +67,7 @@ For Import a List: The Activity Monitor will monitor the Host Names or IP Address added to the **Install Agents on Multiple Hosts** table. Click **Next**. -![Credentials to Connect to the Server(s) window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials to Connect to the Server(s) window](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 5 –** On the Credentials To Connect To The Server(s) page, connect to the server using either a **User name** and **password**, a Public Key, or a Client Certificate. @@ -77,7 +77,7 @@ The options for connecting with a Password are: - User name - Password -![Credentials to Connect to the Server(s) ](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/publickey.webp) +![Credentials to Connect to the Server(s) ](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/publickey.webp) The options for connecting with a Public Key are: 
@@ -86,7 +86,7 @@ The options for connecting with a Public Key are: - Use the Public Key option to install an agent using SSH -![clientcertificate](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/clientcertificate.webp) +![clientcertificate](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/clientcertificate.webp) To connect with a Client Certificate, select the Client Certificate (for already installed agents) option. Copy the following command into a command prompt: @@ -104,12 +104,12 @@ failed connection. Activity agents are only successfully deployed for servers wh returns Ok. Failed deployments can be retried through the Connection tab of the agent’s Properties window. When one or more of the connections are successful, click Next. -![Agent Installation Path page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/agentinstalllocation.webp) +![Agent Installation Path page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/agentinstalllocation.webp) **Step 7 –** On the Agent Install Location page, browse to theselect the agent installation path. The default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**. -![Windows Agent Settings](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/enablewindowsfileactivitymonitoring.webp) +![Windows Agent Settings](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/enablewindowsfileactivitymonitoring.webp) **Step 8 –** On the Windows Agent Settings window, configure the following options: 
@@ -128,8 +128,8 @@ During the installation process, the status will be **Installing**. If there are Activity Monitor stops the installation for that host and lists the errors in the **Agent messages** box. -![Multiple Agents Installed](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adagentinstalled.webp) +![Multiple Agents Installed](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/adagentinstalled.webp) When the activity agent installation completes, the status changes to **Installed** and the activity agent version populates. The next step is to add hosts to be monitored. See the -[Monitored Hosts Tab](../../monitoredhosts/overview.md) topic for additional information. +[Monitored Hosts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md index 8bf11269b9..470f02d41f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md @@ -1,7 +1,7 @@ # Single Activity Agent Deployment Before deploying the activity agent, ensure all -[Activity Agent Server Requirements](../../../requirements/activityagent.md) have been met, +[Activity Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md) have been met, including those for NAS devices when applicable. Follow the steps to deploy the activity agent to a single Windows server. 
@@ -10,33 +10,33 @@ environments. **Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. -![Install New Agent window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent window](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 2 –** On the Install new agent page, enter the Server name (name or IP Address) to deploy to a single server. Leave the field blank to deploy the agent on the local server. Click Next. -![Specify Agent Port page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) +![Specify Agent Port page](/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) **Step 3 –** On the Specify Port page, specify the port that should be used by the new agent. The default port is 4498. Click **Next**. -![Credentials to Connect to the Server(s) page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials to Connect to the Server(s) page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 4 –** On the Credentials To Connect To The Server(s) page, select ether Windows or Linux file monitoring. Then, enter the **User name** and **Password** to connect to the API Server. -![Test Account Connection](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/testaccountconnection.webp) +![Test Account Connection](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/testaccountconnection.webp) **Step 5 –** Click **Connect** to test the connection. If the connection is successful, click **Next**. If the connection is unsuccessful, see the status message that appears for information on the failed connection and correct the error to proceed. 
-![agentinstalllocation](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/agentinstalllocation.webp) +![agentinstalllocation](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/agentinstalllocation.webp) **Step 6 –** On the Agent Install location page, specify the **Agent installation path**. The default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**. -![Enable Windows File Activity Monitoring page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/enablewindowsfileactivitymonitoring.webp) +![Enable Windows File Activity Monitoring page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/add/enablewindowsfileactivitymonitoring.webp) **Step 7 –** On the Windows Agent Settings window, configure the following options: @@ -56,8 +56,8 @@ and installed on the target host. During the installation process of the agent, the status will display Installing. If there are any errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box. -![consolewithagent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/consolewithagent.webp) +![consolewithagent](/img/product_docs/activitymonitor/activitymonitor/install/agent/consolewithagent.webp) When the activity agent installation is complete, the status changes to **Installed** and the activity agent version populates. The next step is to add hosts to be monitored. See the -[Monitored Hosts Tab](../../monitoredhosts/overview.md) topic for additional information. +[Monitored Hosts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/overview.md index fe05c58f04..e3ca9ac22a 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/overview.md @@ -3,7 +3,7 @@ The **Agents** tab is used to deploy activity agents and manage settings. This is the only tab available until an agent is installed. -![Image of Agents Home Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/agentaddedfinalimage.webp) +![Image of Agents Home Page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/agentaddedfinalimage.webp) The Agents tab is comprised of a button bar, a table of servers hosting activity agents, and an Agent Messages box. The button bar allows users to take the following actions: 
@@ -11,17 +11,17 @@ Agent Messages box. The button bar allows users to take the following actions: - Add Agent – Opens the Add New Agent(s) window to deploy the activity/AD agent to a single server or to multiple servers at the same time. The following sections provide additional information: - - [Single Activity Agent Deployment](add/single.md) - - [Multiple Activity Agents Deployment](add/multiple.md) - - [Active Directory Agent Deployment](add/activedirectory.md) - - [Linux Agent Deployment](add/linux.md) + - [Single Activity Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md) + - [Multiple Activity Agents Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md) + - [Active Directory Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md) + - [Linux Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md) - Remove – Opens the Remove Agents window where users can choose to remove the hosting server from the activity agents table or uninstalling the activity agent from the hosting server before removing the activity agent from the table. See the - [Remove Agents](../../install/removeagent.md) topic for additional information. + [Remove Agents](/docs/activitymonitor/8.0/activitymonitor/install/removeagent.md) topic for additional information. - Edit – Opens the selected server’s Properties window to modify the server name or credentials. See - the [Agent Properties Window](properties/overview.md) topic for additional information. + the [Agent Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/overview.md) topic for additional information. - Start pending modules – Starts AD agent monitoring modules which were not yet started - Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the AD agent 
@@ -34,7 +34,7 @@ Agent Messages box. The button bar allows users to take the following actions: - Upgrade – [When Agent Status is Outdated] Replaces outdated activity agent with current version - Update Installer – Opens a browser window to select the newer AD agent installer. A confirmation window then opens and identifies the new installer version. See the - [Update AD Agent Installer](../../install/updateadagentinstaller.md) topic for additional + [Update AD Agent Installer](/docs/activitymonitor/8.0/activitymonitor/install/updateadagentinstaller.md) topic for additional information. - Refresh all – Refresh the status of all activity agents @@ -53,7 +53,7 @@ The table of servers hosting activity agents provides the following information: - Archive Location – If archiving is enabled for the activity agent, displays the archive file path - Archive Size – If archiving is enabled for the activity agent, displays the archive size -![Agent Messages](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/agentmessages.webp) +![Agent Messages](/img/product_docs/activitymonitor/activitymonitor/admin/agents/agentmessages.webp) The **Agent messages** box displays any error or warning messages from the selected activity agent. These messages are related to deployment/installation, communication between the console and the @@ -63,4 +63,4 @@ activity/AD agent, and upgrade of an activity/AD agent. v4.0+ Console. For additional information on how to deploy agents manually, see the -[Agent Information](../../install/agents.md) topic. +[Agent Information](/docs/activitymonitor/8.0/activitymonitor/install/agents.md) topic. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/activedirectory.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/activedirectory.md index a54d835fb4..892eebd1e7 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/activedirectory.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/activedirectory.md @@ -4,7 +4,7 @@ The Active Directory tab provides options to configure the agent settings for mo Directory domain controller. These settings are part of the Active Directory monitoring and can only be enabled for agents on domain controllers. -![Agent Properties - Active Directory Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/mainimage.webp) +![Agent Properties - Active Directory Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/mainimage.webp) The Agent Settings allow users to control the AD agent’s properties: @@ -60,7 +60,7 @@ used for Active Directory Activity Monitoring from the Threat Prevention Admin C **Step 1 –** Configure the File, Syslog, or Threat Manager outputs on the Monitored Domains Tab in the Activity Monitor Console. See the -[Output for Monitored Domains](../../monitoreddomains/output.md) topic for additional information. +[Output for Monitored Domains](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md) topic for additional information. **Step 2 –** Within the Threat Prevention Admin Console, select the Threat Manager Event Sink Configuration Window option under the Configuration menu, and enter amqp://localhost:4499 within the diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/additionalproperties.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/additionalproperties.md index 2fc69c7f29..ec8ff8fbe2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/additionalproperties.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/additionalproperties.md 
@@ -7,7 +7,7 @@ varies based on the type of agent selected. The Additional Properties tab for the Activity Agent has the following configuration options: -![Agent Additional Properties Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/additionalpropertiestab.webp) +![Agent Additional Properties Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/additionalpropertiestab.webp) - Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here will appear in the Comment column in the table on the Agents tab. @@ -50,7 +50,7 @@ Properties window closes. The Additional Properties tab for the Linux Agent has the following configuration options: -![Linux Agent Additional Properties Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxagentadditionalpropertiestab.webp) +![Linux Agent Additional Properties Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxagentadditionalpropertiestab.webp) - Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here will appear in the Comment column in the table on the Agents tab. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/adusers.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/adusers.md index d94ea267cd..e60e4f54ac 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/adusers.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/adusers.md 
@@ -2,7 +2,7 @@ Use the AD Users tab to customize Active Directory service queries and caching behavior. -![AD Users Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/aduserstab.webp) +![AD Users Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/aduserstab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/apiserver.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/apiserver.md index 83768a583e..93a3885e69 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/apiserver.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/apiserver.md @@ -5,7 +5,7 @@ agents, agent configuration, and agent data to applications remotely. If an appl read the activity data using the API, the API Server must be enabled on each agent collecting activity. -![API Server Tab for Agent Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/apiservertab.webp) +![API Server Tab for Agent Properties](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/apiservertab.webp) Check the Enable API access on this agent box to utilize the options on this tab: @@ -22,7 +22,7 @@ Check the Enable API access on this agent box to utilize the options on this tab Grant or revoke access to the API Server by registering applications. -![Add or Edit API Client popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/addoreditapiclient.webp) +![Add or Edit API Client popup window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/addoreditapiclient.webp) Click Add Application to open the Add or edit API client window. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md index 973e94f398..58777635e4 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md @@ -4,7 +4,7 @@ By default, the Activity Monitor keeps the activity logs on the servers where th are deployed. The Archiving tab provides users with options to enable archiving for the activity agent and move the archived files to another location on the server or to a network location. -![Archiving Tab for Agent Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/archiving_tab.webp) +![Archiving Tab for Agent Properties](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/archiving_tab.webp) The Days to keep Log files option, listed under the Log Files tab within Host Properties, applies to Archive log files. When the entered number of days entered have passed, the activity logs and @@ -20,7 +20,7 @@ is disabled by default. activity agent. When archiving is enabled, this is the default selection. Click Configure to open the Configure a network share on this computer window and provide the following information: -![Popup window for Configure a network share on this computer option](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/archivingtabconfigure.webp) +![Popup window for Configure a network share on this computer option](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/archivingtabconfigure.webp) The options in the Configure a network share on this computer window are: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md index 066aa8acca..feecf1554e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md @@ -10,7 +10,7 @@ agent to a new server. The credentials can be updated or modified as well. _Remember,_ **Test** the credentials before clicking OK to ensure a successful connection. -![Connection Tab for Agent Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/connectiontab.webp) +![Connection Tab for Agent Properties](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/connectiontab.webp) Agent server fields: @@ -41,7 +41,7 @@ the local Administrators group. The Specify account or group window is opened from a field where a Windows account is needed. -![Specify Account or Group popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/windowsspecifyaccountorgroup.webp) +![Specify Account or Group popup window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/windowsspecifyaccountorgroup.webp) Follow the steps to use this window. @@ -71,7 +71,7 @@ agent to a new server. The credentials can be updated or modified as well. _Remember,_ **Test** the credentials before clicking OK to ensure a successful connection. -![linuxconnectiontab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxconnectiontab.webp) +![linuxconnectiontab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxconnectiontab.webp) Agent server fields: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md index cb99f9dd1b..6415e71a87 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md @@ -12,7 +12,7 @@ only support HTTP protocols. **NOTE:** Dell CEE can be installed on the same host as the activity agent, or on a different host. If it is installed on the same host, the activity agent can configure it automatically. -![EMC CEE Options Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/emcceeoptionstab.webp) +![EMC CEE Options Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/emcceeoptionstab.webp) The options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/diskquota.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/diskquota.md index 93b1643226..56bd2b1310 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/diskquota.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/diskquota.md @@ -2,7 +2,7 @@ The **Disk Quota Tab** is used to limit the size of logs to save disk space. -![diskquotatab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/diskquotatab.webp) +![diskquotatab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/diskquotatab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dns.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dns.md index fb383fb017..a8389f4231 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dns.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dns.md @@ -2,7 +2,7 @@ Use the DNS tab to customize how the agent queries and caches DNS results. -![DNS Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/dnstab.webp) +![DNS Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/dnstab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md index 6efd60ba7c..b564ef19d5 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md @@ -5,7 +5,7 @@ receiving events for a specific time frame. The tab varies based on the type of Check the **Enable Inactivity alerting for this agent** box to enable the options on this tab. -![Inactivity Alerts Tab for Agent Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalerts.webp) +![Inactivity Alerts Tab for Agent Properties](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalerts.webp) Once enabled, set the alerting parameters: 
@@ -27,7 +27,7 @@ Properties window closes. The Syslog alert sends a notification that the activity agent has not received event data for the configured interval. The alert is sent to the Syslog configured on the **Syslog Alerts** tab. -![inactivityalertssyslogalerts](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertssyslogalerts.webp) +![inactivityalertssyslogalerts](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertssyslogalerts.webp) - Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:PORT format in the text box. The server name can be short name, fully qualified name (FQDN), or IP Address, as @@ -60,7 +60,7 @@ configured interval. The alert is sent to the Syslog configured on the **Syslog (…) to open the Syslog Message Template window. The Syslog template provided is **AlienVault / Generic Syslog**. -![Message Template popup window for Syslog Alerts](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp) +![Message Template popup window for Syslog Alerts](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp) Custom templates can be created. Select the desired template or create a new template by modifying an existing template within the Syslog Message Template window. The new message template is named 
@@ -73,7 +73,7 @@ Click **OK** to apply changes and exit, or **Cancel** to exit without saving any The email alert sends a notification that the activity agent has not received event data for the configured interval. The alert is sent to the configured recipients on the Email Alerts tab. -![inactivityalertsemailalerts](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalerts.webp) +![inactivityalertsemailalerts](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalerts.webp) - Syslog server in SERVER[:PORT] format – Type the **SMTP server name** with a SERVER:PORT format in the text box. The server name can be short name, fully qualified name (FQDN), or IP Address, as 
@@ -86,12 +86,12 @@ configured interval. The alert is sent to the configured recipients on the Email - From email address – Enter the Sender’s email address - To email address – Enter the Recipient’s email address. Multiple addresses are comma separated. -![Email Alerts - Message Subject popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp) +![Email Alerts - Message Subject popup window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp) - Message subject – Click the ellipsis (…) to open the Message Template window to customize the subject. Macros can be used to insert -![Email Alerts - Message Body popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp) +![Email Alerts - Message Body popup window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp) - Message body – Click the ellipsis (…) to open the Message Template window to customize the body - Test – The Test button sends a test message to the receiver’s email address to check the diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/linux.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/linux.md index 9524bd0b83..c87cfe95ea 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/linux.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/linux.md 
@@ -3,7 +3,7 @@ The service user name configured during agent installation can be updated on the Agent Properties Linux Tab. -![linuxtab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxtab.webp) +![linuxtab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/linuxtab.webp) Enter a new service user name to run daemon and click **Test** to verify the connection. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/netappfpolicyoptions.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/netappfpolicyoptions.md index 25f60c40e7..15a24eb61b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/netappfpolicyoptions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/netappfpolicyoptions.md @@ -3,7 +3,7 @@ The NetApp FPolicy Options tab provides options to configure FPolicy server settings for monitoring a NetApp Data ONTAP Cluster-Mode device. -![Agent Properties - NetApp FPolicy Options page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/netappfpolicyoptions.webp) +![Agent Properties - NetApp FPolicy Options page](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/netappfpolicyoptions.webp) The available options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md index 8942ae5499..5811682abb 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md 
@@ -3,7 +3,7 @@ Use the Network Tab to specify the network interface that NAS devices or API Server users use to connect to this server. -![Agent Properties - Network Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/networktab.webp) +![Agent Properties - Network Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/networktab.webp) If an agent machine has multiple network adapters, network interfaces can be specified in the Network Tab. Select a network interface option from the **Network Interface** dropdown menu. The diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/networkproxy.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/networkproxy.md index c8c6600d80..df002f3ec2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/networkproxy.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/networkproxy.md @@ -4,7 +4,7 @@ Use the Network Proxy tab to set the proxy for connection to Microsoft Entra ID and Office 365 monitoring. You can leave the properties blank to connect to Microsoft Entra ID directly. -![Agent Properties - Network Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/networkproxytab.webp) +![Agent Properties - Network Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/networkproxytab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/nutanix.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/nutanix.md index 65d6ed0f36..290c7aab21 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/nutanix.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/nutanix.md 
@@ -2,7 +2,7 @@ The Nutanix tab provides features to configure settings for monitoring Nutanix devices. -![Agent Properties - Nutanix](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/nutanix.webp) +![Agent Properties - Nutanix](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/nutanix.webp) The available Agent server settings for Nutanix are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/overview.md index 080f72889b..ab52e46489 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/overview.md 
@@ -3,24 +3,24 @@ On the Agents tab, the Edit button opens the agent’s Properties window, which contains the following tabs: -- [Active Directory Tab](activedirectory.md) – AD Agent only -- [AD Users Tab](adusers.md) -- [API Server Tab](apiserver.md) -- [Archiving Tab](archiving.md) -- [Additional Properties Tab](additionalproperties.md) -- [Connection Tab](connection.md) -- [Disk Quota Tab](diskquota.md) -- [Dell CEE Options Tab](dellceeoptions.md) – Activity Agent only -- [ DNS Tab](dns.md) -- [Inactivity Alerts Tab](inactivityalerts.md) -- [Linux Tab](linux.md) – Linux Agent only -- [NetApp FPolicy Options Tab](netappfpolicyoptions.md) – Activity Agent only -- [Network Tab](network.md) -- [Network Proxy Tab](networkproxy.md) -- [Nutanix Tab](nutanix.md) – Activity Agent only -- [Panzura Tab](panzura.md) – Activity Agent only -- [Qumulo Tab](qumulo.md) – Activity Agent only +- [Active Directory Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/activedirectory.md) – AD Agent only +- [AD Users Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/adusers.md) +- [API Server Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/apiserver.md) +- [Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/additionalproperties.md) +- [Connection Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md) +- [Disk Quota Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/diskquota.md) +- [Dell CEE Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md) – Activity Agent only +- [ DNS Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dns.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md) +- [Linux 
Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/linux.md) – Linux Agent only +- [NetApp FPolicy Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/netappfpolicyoptions.md) – Activity Agent only +- [Network Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md) +- [Network Proxy Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/networkproxy.md) +- [Nutanix Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/nutanix.md) – Activity Agent only +- [Panzura Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md) – Activity Agent only +- [Qumulo Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/qumulo.md) – Activity Agent only Select the desired agent and click **Edit** to open the agent’s Properties window. -![Properties Window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/mainimage.webp) +![Properties Window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/mainimage.webp) diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md index 06c2403c65..57fa14a8aa 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md @@ -2,7 +2,7 @@ The Panzura Tab provides features to configure settings for monitoring Panzura devices. -![Agent Properties - Panzura Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/panzuratab.webp) +![Agent Properties - Panzura Tab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/panzuratab.webp) The available options are: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/qumulo.md b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/qumulo.md index 79a67075cc..c47c7259f5 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/qumulo.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/qumulo.md @@ -2,7 +2,7 @@ The Qumulo tab provides features to configure settings for monitoring Qumulo devices. -![Agent Properties - Qumulo](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/qumulo.webp) +![Agent Properties - Qumulo](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/qumulo.webp) The available options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/authentication.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/authentication.md index 11b2102c88..535eb89aab 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/authentication.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/authentication.md @@ -3,7 +3,7 @@ The Authentication tab on a domain’s Configuration window allows users to configure communication with servers. -![AD Monitoring Configuration - Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) +![AD Monitoring Configuration - Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) After checking the Enable Authentication box, the following event filters can be modified on the sub-tabs: 
@@ -24,7 +24,7 @@ modified PAC. By manipulating the PAC, a field in the Kerberos ticket that conta authorization data (in Active Directory this is group membership), an attacker is able to grant themselves additional elevated privileges. -![AD Monitoring Configuration - Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) +![AD Monitoring Configuration - Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) Double-click text box to enter specific **RIDs**. Click OK. The AD agent then compares against the PAC and user’s access token for a mismatch to trigger the incident. @@ -40,7 +40,7 @@ The Hosts (from) option is where the policy can be scoped to only monitor specif originators of an authentication event or to exclude specific hosts from being monitored for authentication events. -![Host (From) Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) +![Host (From) Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) Underneath each section, there are additional Host details: 
@@ -58,7 +58,7 @@ The Hosts (to) option is where the policy can be scoped to only monitor specific hosts of an authentication event or to exclude specific hosts from being monitored as targets of authentication events. -![Host (To) Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostto.webp) +![Host (To) Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostto.webp) Underneath each section, there are additional Host details: @@ -76,7 +76,7 @@ The IP Addresses (from) option is where the policy can be scoped to only monitor Addresses as originators of an authentication event or to exclude specific IP Addresses from being monitored for authentication events. -![IP Addresses (From) Tab in the Authenticatoin Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) +![IP Addresses (From) Tab in the Authenticatoin Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) Underneath each section, there is an additional Address detail: @@ -91,7 +91,7 @@ The IP Addresses (to) option is where the policy can be scoped to only monitor s as target hosts of an authentication event or to exclude specific IP Addresses from being monitored as targets of authentication events. -![IP Addresses (To) Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp) +![IP Addresses (To) Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp) Underneath each section, there is an additional Address detail: 
@@ -104,7 +104,7 @@ Press the Enter or Tab key to add another text box. The Operations option filters for successful events, failed events, or both. -![Operations Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) +![Operations Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) The **Monitor These Attempts** section is where monitoring is set to filter for successful events, failed events, or both: @@ -140,7 +140,7 @@ Local Interactive and/or Remote Interactive logins to the Domain Controllers: The Servers option targets servers to be included or excluded when filtering for authentication. -![Servers Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) +![Servers Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain name and SERVER is NetBIOS server name. @@ -154,7 +154,7 @@ The Users filter is where the policy can be scoped to only monitor specific secu committing changes within Active Directory or to exclude specific users committing changes from being monitored. -![Users Tab in the Authentication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![Users Tab in the Authentication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The following details appear beneath both sections: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/changes.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/changes.md index 0999dd0c3a..42e09d2577 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/changes.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/changes.md @@ -3,7 +3,7 @@ The Changes tab for AD Monitoring Configuration window provides additional options to monitor changes made to the domain. -![Operations Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) +![Operations Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) After checking the Enable AD Changes box, the following event filters can be modified on the sub-tabs: @@ -24,7 +24,7 @@ The Attributes Tab is where monitoring can be scoped to include events with spec within Active Directory. Further scoping of attributes can enable monitoring to only capture events based on the new value. -![Attributes Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp) +![Attributes Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp) Double-click the text box beneath Name to enter the desired attribute to include or exclude. Double-click the text box beneath Value to enter the desired attribute value to reference. Choose 
@@ -52,7 +52,7 @@ filter based on the new value of the attribute, use the Operation drop-down menu The Classes Tab is where the policy can be scoped to only monitor specific classes within Active Directory or to exclude specific classes from being monitored. -![Classes Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/classestab.webp) +![Classes Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/classestab.webp) Double-click the text box beneath Name to enter the desired classes to include or exclude. Press the **Enter** or **Tab** key to add another text box. @@ -67,7 +67,7 @@ The Context Tab is where the policy can be scoped to only monitor specific conte and Organizational Units) within Active Directory or to exclude specific contexts from being monitored. -![Context Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp) +![Context Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp) Underneath each section, there are additional Context details: @@ -86,7 +86,7 @@ The Hosts (from) Tab is where the policy can be scoped to only monitor specific of an authentication event or to exclude specific hosts from being monitored for authentication events. -![Host (From) Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) +![Host (From) Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) Underneath each section, there are additional Host details. 
@@ -104,7 +104,7 @@ The IP Addresses (from) Tab is where the policy can be scoped to only monitor sp as originators of an authentication event or to exclude specific IP Addresses from being monitored for authentication events. -![IP Addresses (From) Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) +![IP Addresses (From) Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) Underneath each section, there is an additional Address detail. @@ -118,7 +118,7 @@ Press **Enter** or **Tab** key to add another text box. The Objects Tab is where the policy can be scoped to only monitor specific objects within Active Directory or to exclude specific objects from being monitored. -![Objects Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp) +![Objects Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp) Underneath each section, there is an additional Object detail. @@ -132,7 +132,7 @@ exclude. Press the **Enter** or **Tab** key to add another text box. The Operations Tab provides additional configuration filters for AD event collection. -![Operations Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) +![Operations Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) Monitor These Attempts – Filter for successful events, failed events, or both can be selected. 
@@ -150,7 +150,7 @@ Operations – Filter for Active Directory events to be monitored. The Servers Tab targets servers to be included or excluded when filtering for changes. -![Servers Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) +![Servers Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain name and SERVER is NetBIOS server name. @@ -164,7 +164,7 @@ The Users Tab is where the policy can be scoped to only monitor specific securit committing changes within Active Directory or to exclude specific users committing changes from being monitored. -![Users Tab in the Changes Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![Users Tab in the Changes Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The following details appear beneath both sections. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md index f123ea145f..03d3be7e9c 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md 
@@ -3,7 +3,7 @@ The Global Filters options are for excluding specific Active Directory and Authentication events from being monitored. -![Global Filters Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) +![Global Filters Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) The filter options are grouped by AD Global Pre-Filters, and Authentication Global Pre-Filters. Check the boxes to activate the filters. To disable for diagnostic purposes, simply uncheck the @@ -75,7 +75,7 @@ conditions to be excluded: This option is enabled by default to filter out machine logins. Click the configure link to open the Edit Accounts window. -![Edit Accounts window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp) +![Edit Accounts window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp) The Exclude Logins from Machine Accounts collection is only accessible for configuration through the Global Filters tab. 
@@ -106,7 +106,7 @@ noisy ‘machine accounts’. This option is disabled by default as it requires configuration before it can be enabled. Click the selected hosts link to open the Edit Hosts window. -![edithostsexcludeselectedhosts](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp) +![edithostsexcludeselectedhosts](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp) The Exclude Authentication Events from selected hosts collection is only accessible for configuration through the Global Filters tab. All three methods of identification for a host (IP @@ -123,7 +123,7 @@ been entered in the list. Then click **OK**. This option is disabled by default as it requires configuration before it can be enabled. Click the selected accounts link to open the Edit Accounts window. -![editaccountsexcludeauthenticationselectedaccounts](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp) +![editaccountsexcludeauthenticationselectedaccounts](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp) The Exclude Authentication Events from selected accounts collection is only accessible for configuration through the Global Filtering tab. Account names [domain name\account] can also be diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor.md index fec29c6e04..6ff0373cba 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor.md @@ -3,7 +3,7 @@ The LDAP Monitor tab on a domain’s Configuration window allows users to scope monitoring by adding filters for accounts by name or type. -![Operations Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Operations Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) After checking the Enable Ldap Monitor box, the following event filters can be modified on the sub-tabs: @@ -23,7 +23,7 @@ The Hosts (from) option is where the policy can be scoped to only monitor specif originators of an authentication event or to exclude specific hosts from being monitored for authentication events. -![Host (From) Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) +![Host (From) Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) Underneath each section, there are additional Host details: @@ -39,7 +39,7 @@ from authentication event collection. The LDAP option is where query and result objects can be monitored by group type. -![LDAP Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldap.webp) +![LDAP Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldap.webp) The Query section is where monitoring can be scoped to those LDAP queries that contain at least one of the user-supplied string as a substring in BaseDN or in Query field of the LDAP Search request. 
@@ -68,7 +68,7 @@ Example Value: The Operations option filters for successful events, failed events, or both. -![Operations Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Operations Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) The Monitor These Attempts section is where monitoring is set to filter for successful events, failed events, or both: @@ -80,7 +80,7 @@ failed events, or both: The Servers option targets servers to be included or excluded when filtering for a LDAP changes. -![Servers Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/servers.webp) +![Servers Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/servers.webp) In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain name and SERVER is NetBIOS server name. @@ -94,7 +94,7 @@ The Users option is where the policy can be scoped to only monitor specific secu committing changes within Active Directory or to exclude specific users committing changes from being monitored. -![Users Tab in the LDAP Monitor Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) +![Users Tab in the LDAP Monitor Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) The following details appear beneath both sections: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md index 86e49c0ce8..dd27fc1d7e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md @@ -3,7 +3,7 @@ The LSASS Guardian tab allows users to modify settings that were populated with the information entered when the host was added to prevent, monitor, or block LSASS code injections. -![Operations Tab in the LSASS Guardian Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Operations Tab in the LSASS Guardian Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) After checking the Enable LSASS Guardian box, the following event filters can be modified on the sub-tabs: @@ -23,7 +23,7 @@ LSASS, e.g. third-party malware applications. The Operations option filters for successful events, failed events, or both. -![Operations Tab in the LSASS Guardian Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![Operations Tab in the LSASS Guardian Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) The Open Process Flags section is where monitoring can be scoped for requested handles that would maliciously impact LSASS processes. 
@@ -38,7 +38,7 @@ Check the box to select the process flag(s) to be monitored: The Processes option is where legitimate processes, which make changes to LSASS, e.g. third-party malware applications, can be included/excluded from being monitored by the policy. -![Processes Tab in the LSASS Guardian Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/processes.webp) +![Processes Tab in the LSASS Guardian Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/processes.webp) Double-click the text box beneath Name to enter the desired processes to include or exclude. Press the Enter or Tab key to add another text box. @@ -51,7 +51,7 @@ malicious processes would not be monitored in this case. The Servers option targets servers to be included or excluded when filtering for LSASS changes. -![Servers Tab in the LSASS Guardian Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/servers.webp) +![Servers Tab in the LSASS Guardian Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/servers.webp) In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain name and SERVER is NetBIOS server name. 
@@ -65,7 +65,7 @@ The Users option is where the policy can be scoped to only monitor specific secu committing changes within Active Directory or to exclude specific users committing changes from being monitored. -![Users Tab in the LSASS Guardian Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![Users Tab in the LSASS Guardian Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The following details appear beneath both sections: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/overview.md index a245f58597..2e34976fcb 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/overview.md 
@@ -3,15 +3,15 @@ On the Monitored Domains tab, select the domain and click **Edit** to open the AD Monitoring Configuration window. -![AD Monitoring Configuration - Global Filters Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) +![AD Monitoring Configuration - Global Filters Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) This initially configured when the AD Agent is deployed to a domain controller. However, the monitoring configuration can be edited after that. Use the following tabs to modify monitoring of AD events: -- [Global Filters Tab](globalfilters.md) -- [Changes Tab](changes.md) -- [Authentication Tab](authentication.md) -- [Replication Tab](replication.md) -- [LSASS Guardian Tab](lsassguardian.md) -- [LDAP Monitor Tab](ldapmonitor.md) +- [Global Filters Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md) +- [Changes Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/changes.md) +- [Authentication Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/authentication.md) +- [Replication Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/replication.md) +- [LSASS Guardian Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md) +- [LDAP Monitor Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/replication.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/replication.md index 51227fa699..5907d5b8ec 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/replication.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/replication.md @@ -3,7 +3,7 @@ The Replication tab on a domain’s Configuration window monitors domain controller syncing and replication. -![Servers Tab in the Replication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) +![Servers Tab in the Replication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) After checking the Enable Replication box, the following event filters can be modified on the sub-tabs: @@ -25,7 +25,7 @@ The Hosts (From) option is where the policy can be scoped to only monitor specif originators of an authentication event or to exclude specific hosts from being monitored for authentication events. -![Host (From) Tab in the Replication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) +![Host (From) Tab in the Replication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) Underneath each section, there are additional Host details: 
@@ -45,7 +45,7 @@ configuration. It is necessary for it to be configured to exclude domain control The Servers option targets servers to be included or excluded when filtering for replication. -![Servers Tab in the Replication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) +![Servers Tab in the Replication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) In both cases, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain name and SERVER is NetBIOS server name. @@ -59,7 +59,7 @@ The Users option is where the policy can be scoped to only monitor specific secu committing changes within Active Directory or to exclude specific users committing changes from being monitored -![Users Tab in the Replication Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![Users Tab in the Replication Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The following details appear beneath both sections: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/ldapthreatmanager.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/ldapthreatmanager.md index 8dd9b1f35b..d363cf5d7f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/ldapthreatmanager.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/ldapthreatmanager.md 
@@ -5,13 +5,13 @@ Manager. **NOTE:** LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab. -![Activity Monitor with SD Only](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) +![Activity Monitor with SD Only](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) **Step 1 –** In the Activity Monitor, click on the **Monitored Domains** tab. **Step 2 –** Select a domain and click **Edit**. -![LDAP Monitoring Configuration for Threat Manager](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/sdldapmonitoring.webp) +![LDAP Monitoring Configuration for Threat Manager](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/sdldapmonitoring.webp) **Step 3 –** Select the **LDAP Monitor** tab. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md index 9dd263965f..79f47321ba 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md @@ -2,7 +2,7 @@ Once a domain is being monitored the event stream can be sent to multiple outputs. -![Monitored Domains tab with Domain Outputs added](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) +![Monitored Domains tab with Domain Outputs added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) Configured outputs are grouped under the domain. You can have multiple outputs configured for a domain. The domain event outputs are: 
@@ -24,14 +24,14 @@ Follow the steps to add a File output. **Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens. -![Log Files configuration](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/logfiles.webp) +![Log Files configuration](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/logfiles.webp) **Step 3 –** Configure the tab(s) as desired. **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. The new output displays in the table. Click the **Edit** button to open the Output properties window -to modify these settings. See the [Output Types](../outputs/overview.md) topic for additional +to modify these settings. See the [Output Types](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md) topic for additional information. ## Add Syslog Output @@ -42,14 +42,14 @@ Follow the steps to add a Syslog output. **Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens. -![Syslog Properties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/syslogudp.webp) +![Syslog Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/syslogudp.webp) **Step 3 –** Configure the tab(s) as desired. **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. The new output displays in the table. Click the **Edit** button to open the Output properties window -to modify these settings. See the [Output Types](../outputs/overview.md) topic for additional +to modify these settings. See the [Output Types](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md) topic for additional information. ## Add Netwrix Threat Manager Output 
@@ -66,12 +66,12 @@ Follow the steps to add a Netwrix Threat Manager output. **Step 2 –** Select **Netwrix Threat Manager (StealthDEFEND)** from the drop-down menu. The Add New Output window opens. -![StealthDEFEND Properties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/stealthdefendproperties.webp) +![StealthDEFEND Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/stealthdefendproperties.webp) **Step 3 –** Configure the tab(s) as desired. **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. The new output displays in the table. Click the **Edit** button to open the Output properties window -to modify these settings. See the [Output Types](../outputs/overview.md) topic for additional +to modify these settings. See the [Output Types](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md index 628c0cfcda..528cae02c1 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md 
@@ -36,21 +36,21 @@ output needs to be designated to view data after an activity search has been per The button bar allows users to take the following actions: -![Monitored Domains Tab in the Activiy Monitor](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/activtymonitorblank.webp) +![Monitored Domains Tab in the Activiy Monitor](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/activtymonitorblank.webp) - Add Output – Select an output from the Add Output dropdown. The outputs are: File, Syslog, and - StealthDEFEND. See the [Output for Monitored Domains](output.md) + StealthDEFEND. See the [Output for Monitored Domains](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md) - Remove – Removes the configured domain from the table of domains being monitored and end monitoring. Confirmation of this option will be asked for. - Edit – Opens the selected AD Monitoring Configuration window to modify monitoring settings. See - the [AD Monitoring Configuration Window](admonitoringconfiguration/overview.md) topic for + the [AD Monitoring Configuration Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/overview.md) topic for additional information. ## Table The table of Domains being monitored provides the following information: -![Monitored Domains Tab with Domain Outputs added](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) +![Monitored Domains Tab with Domain Outputs added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) - Domain – Name or IP Address of the domain being monitored 
@@ -67,7 +67,7 @@ provides visibility into a domain's monitoring state. Domain monitoring status i Monitored Domains table under the Status column. Users can expand the Error Propagation section to view more information on various status conditions. -![Error Propagation](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/errorpropagation.webp) +![Error Propagation](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/errorpropagation.webp) Click the **Down Arrow** to expand the Error Propagation section. The information listed is dependent on which domain is currently selected in the Monitored Domains table. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellcelerravnx.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellcelerravnx.md index 39ff6e66e0..7242270282 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellcelerravnx.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellcelerravnx.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: 
@@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Dell Celerra or VNX host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Dell Celerra & Dell VNX Activity Auditing Configuration](../../../../config/dellcelerravnx/Activity.md) +[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for @@ -36,12 +36,12 @@ Follow the steps to add a Dell Celerra or VNX host to be monitored. **Step 1 –** Navigate to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click **Next**. -![Add Dell VNX or Celerra Host](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostemcvnxcelerra.webp) +![Add Dell VNX or Celerra Host](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostemcvnxcelerra.webp) **Step 3 –** On the Add Host page, select the Dell VNX/Celerra radio button and enter the **CIFS Server NetBIOS Name** for the device. If desired, add a **Comment**. Click **Next**. 
@@ -50,14 +50,14 @@ Server NetBIOS Name** for the device. If desired, add a **Comment**. Click **Nex order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and display a warning to install the service. If the CEE Monitor service is installed on a remote machine, manual configuration is required. See the -[Dell CEE Options Tab](../../agents/properties/dellceeoptions.md) topic for additional information. +[Dell CEE Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md) topic for additional information. -![Protocol Monitoring Options](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) +![Protocol Monitoring Options](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) **Step 4 –** On the Protocols page, select which protocols to monitor. The list of protocols that can be monitored are All, CIFS, or NIFS. Click **Next**. -![Configure Operations Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) +![Configure Operations Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) **Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory Operations** to be monitored. Additional options include: 
@@ -69,7 +69,7 @@ feature may delay reporting of activity. Click **Next**. -![Configure Basic Options Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) +![Configure Basic Options Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The "Log files" are the activity logs created by the activity agent on the proxy host. Select the desired options: @@ -98,12 +98,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![Where to Log the Activity Page Generic](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to Log the Activity Page Generic](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -127,7 +127,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![Syslog Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. 
@@ -145,7 +145,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog templates have been provided: 
@@ -190,23 +190,23 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![activitymonitoremcvnxcelerra](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp) +![activitymonitoremcvnxcelerra](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp) The added Dell Celerra or VNX host is displayed in the Monitored Hosts table. Once a host has been added for monitoring, configure the desired ouptuts. See the -[Output for Monitored Hosts](../output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Dell Celerra or VNX Configuration settings can be edited through the tabs in the host's Properties window. The configurable host properties are: -- [Dell Tab](../properties/dell.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) -- [Unix IDs Tab](../properties/unixids.md) +- [Dell Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerscale.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerscale.md index 8a28b52524..a7775a931f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerscale.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerscale.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Dell Isilon/PowerScale host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Dell Isilon/PowerScale Activity Auditing Configuration](../../../../config/dellpowerscale/activity.md) +[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellpowerscale/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -36,12 +36,12 @@ Follow the steps to add a Dell Isilon/PowerScale host to be monitored. **Step 1 –** Navigate to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click **Next**. -![Add Host page with Dell Isilon selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostemcisilon.webp) +![Add Host page with Dell Isilon selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostemcisilon.webp) **Step 3 –** On the Add Host page, select the Dell Isilon radio button and enter both the **Server name or address** and the **CIFS/NFS server name** for the device. The CIFS/NFS server name can be 
@@ -52,9 +52,9 @@ left blank to collect activity from the Isilon cluster. If desired, add a **Comm order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and display a warning to install the service. If the CEE Monitor service is installed on a remote machine, manual configuration is required. See the -[Dell CEE Options Tab](../../agents/properties/dellceeoptions.md) topic for additional information. +[Dell CEE Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md) topic for additional information. -![Isilon Options page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonoptions.webp) +![Isilon Options page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonoptions.webp) **Step 4 –** On the Isilon Options page, choose whether or not to automatically enable and configure auditing on the Isilon cluster. If a manual configuration has been completed, do not enable these 
@@ -89,12 +89,12 @@ Follow these steps to use this automated option: Click **Next**. -![Protocols selection page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) +![Protocols selection page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) **Step 5 –** On the Protocols page, select which protocol to monitor. The list of protocols that can be monitored are All, CIFS, or NIFS. Click **Next**. -![Configure Operations page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) +![Configure Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) **Step 6 –** On the Configure Operations page, select the **File Operations** and **Directory Operations** options to be monitored. Additional options include: @@ -106,7 +106,7 @@ feature may delay reporting of activity. Click **Next**. -![Configure Basic Options](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) +![Configure Basic Options](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) **Step 7 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the proxy host. Select the desired options: 
@@ -135,12 +135,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![Where to Log the Activity Page Generic](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to Log the Activity Page Generic](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 9 –** If **Log File)** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -164,7 +164,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![Syslog Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -182,7 +182,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog templates have been provided: 
@@ -227,24 +227,24 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with Dell Isilon added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcisilon.webp) +![Activity Monitor with Dell Isilon added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcisilon.webp) The added Dell Isilon/PowerScale host is displayed in the monitored hosts table. Once a host has been added for monitoring, configure the desired ouptuts. See the -[Output for Monitored Hosts](../output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Dell Isilon/PowerScale Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Dell Tab](../properties/dell.md) -- [Auditing Tab](../properties/auditing.md) -- [Unix IDs Tab](../properties/unixids.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Dell Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md) +- [Auditing Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md) +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. 
+See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerstore.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerstore.md index 9a6b1a41ad..ada3acb668 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerstore.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerstore.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -23,7 +23,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Dell PowerStore host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Dell PowerStore Activity Auditing Configuration](../../../../config/dellpowerstore/activity.md) +[Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellpowerstore/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -36,12 +36,12 @@ Follow the steps to add a Dell PowerStore host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click **Add**. The Add New Host window opens. -![addagent01](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) +![addagent01](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) **Step 2 –** On the **Choose Agent** page, select the Agent to monitor the file server. Click**Next**. -![powerstoreaddhost01](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost01.webp) +![powerstoreaddhost01](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost01.webp) **Step 3 –** On the Add Host page, select the Dell PowerStore radio button and enter the file server name. Click **Next**. 
@@ -50,14 +50,14 @@ name. Click **Next**. order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and display a warning to install the service. If the CEE Monitor service is installed on a remote machine, manual configuration is required. See the -[Dell CEE Options Tab](../../agents/properties/dellceeoptions.md) topic for additional information. +[Dell CEE Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md) topic for additional information. -![powerstoreaddhost02](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost02.webp) +![powerstoreaddhost02](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost02.webp) **Step 4 –** On the Protocols page, specify the protocols to monitor. The list of protocols that can be monitored are, All, CIFS, or NFS. Once a protocol is selected, click **Next**. -![powerstoreaddhost03](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost03.webp) +![powerstoreaddhost03](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost03.webp) **Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations to be monitored. @@ -67,7 +67,7 @@ to be monitored. Click **Next**. -![powerstoreaddhost04](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost04.webp) +![powerstoreaddhost04](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost04.webp) **Step 6 –** On the Configure Basic Operations page, choose which settings to enable. Select one of the following options: 
@@ -91,14 +91,14 @@ the following options: Click **Next**. -![powerstoreaddhost05](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost05.webp) +![powerstoreaddhost05](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost05.webp) **Step 7 –** On the Where to log the activity page, select whether to send the activity to either a Log File or Syslog Server. Click **Next**. **NOTE:** An option must be selected before moving to the next step. -![powerstoreaddhost06](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost06.webp) +![powerstoreaddhost06](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost06.webp) **Step 8 –** If Log File is selected on the Where To Log The Activity page, the File Output page can be configured. @@ -125,7 +125,7 @@ be configured. Click **Next**. -![powerstoreaddhost07](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost07.webp) +![powerstoreaddhost07](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost07.webp) **Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, the Syslog Output page can be configured. @@ -142,7 +142,7 @@ page can be configured. - TLS The TCP and TLS protocols add the **Message framing** drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -152,14 +152,14 @@ page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![powerstoreaddhost08](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost08.webp) +![powerstoreaddhost08](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/powerstoreaddhost08.webp) The added Dell PowerStore host is displayed in the monitored hosts table. Once a host has been added -for monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) +for monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Dell PowerStore @@ -167,7 +167,7 @@ topic for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Dell Tab](../properties/dell.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Dell Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellunity.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellunity.md index 3fb98ae29e..15059fb519 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellunity.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellunity.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Dell Unity host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Dell Unity Activity Auditing Configuration](../../../../config/dellunity/activity.md) topic for +[Dell Unity Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellunity/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -37,11 +37,11 @@ Follow the steps to add a Dell Unity host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. -![Add Host window with Dell Unity selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addnewhostemcunity.webp) +![Add Host window with Dell Unity selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addnewhostemcunity.webp) **Step 3 –** On the Add Host page, select the Dell Unity radio button and enter the **NAS Server Name** for the device. If desired, add a **Comment**. Click **Next**. 
@@ -50,14 +50,14 @@ Name** for the device. If desired, add a **Comment**. Click **Next**. order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and display a warning to install the service. If the CEE Monitor service is installed on a remote machine, manual configuration is required. See the -[Dell CEE Options Tab](../../agents/properties/dellceeoptions.md) topic for additional information. +[Dell CEE Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/dellceeoptions.md) topic for additional information. -![Protocol Monitoring Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) +![Protocol Monitoring Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/isilonprotocols.webp) **Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be monitored are All, CIFS, or NIFS. Click **Next**. -![Configure Operations Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) +![Configure Operations Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) **Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory Operations** to be monitored. Additional options include: 
@@ -69,7 +69,7 @@ feature may delay reporting of activity. Click **Next**. -![Configure Basic Options Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) +![Configure Basic Options Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the proxy host. Select the desired options: @@ -98,12 +98,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![wheretologgeneric](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![wheretologgeneric](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -127,7 +127,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![Syslog Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. 
@@ -145,7 +145,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog templates have been provided: @@ -190,14 +190,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with Dell Unity host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcunity.webp) +![Activity Monitor with Dell Unity host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitoremcunity.webp) The added Dell Unity host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Dell Unity 
@@ -205,8 +205,8 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Dell Tab](../properties/dell.md) -- [Unix IDs Tab](../properties/unixids.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Dell Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md) +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/entraid.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/entraid.md index 97ae9f3f51..11e76f3622 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/entraid.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/entraid.md @@ -36,7 +36,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding aMicrosoft Entra ID host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Microsoft Entra ID Activity Auditing Configuration](../../../../config/entraid/activity.md) topic +[Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/8.0/config/entraid/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -49,30 +49,30 @@ Follow the steps to add a Microsoft Entra ID host to be monitored. **Step 1 –** In the Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Add Host - Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Add Host - Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. -![Add Host page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostentraid.webp) +![Add Host page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostentraid.webp) **Step 3 –** On the Add Host page, select the **Azure Active Directory / Entra ID** radio button and enter the Primary domain in the **Domain name** field. _(Optional)_ Enter a comment for the Microsoft Entra ID host. -![entraidconnection](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidconnection.webp) +![entraidconnection](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidconnection.webp) **Step 4 –** On the Azure AD / Entra ID Connection page, enter a Tenant ID, Client ID, and Client Secret. Optional add a Region. Then click **Connect** to grant permissions to read the audit log. Click **Open Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID. Click **Next**. 
-![Add Host - Azure AD Operations page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidoperations.webp) +![Add Host - Azure AD Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidoperations.webp) **Step 5 –** On the Azure AD / Entra ID Operations page, select which audit activity to monitor. Click **Next**. -![wheretologgeneric](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![wheretologgeneric](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 6 –** On the Where To Log The Activity page, select where to send the activity events: @@ -80,7 +80,7 @@ Click **Next**. - Syslog Server – Sends to a configured SIEM system - Netwrix Threat Manager (StealthDEFEND) – Sends to Netwrix Threat Manager -![fileoutputpage](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![fileoutputpage](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 7 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. The configurable options are: @@ -103,7 +103,7 @@ Output** page can be configured. The configurable options are: Click **Next**. -![syslogoutputpage](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) +![syslogoutputpage](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) **Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. The configurable options are: 
@@ -121,7 +121,7 @@ Output page can be configured. The configurable options are: - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -131,22 +131,22 @@ Output page can be configured. The configurable options are: - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Azure Active Directory in Activity Monitor](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidadded.webp) +![Azure Active Directory in Activity Monitor](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/entraidadded.webp) The added Microsoft Entra ID host is displayed in the monitored hosts table. Once a host has been added for monitoring, configure the desired ouptuts. See the -[Output for Monitored Hosts](../output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Microsoft Entra ID Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Connection Tab](../properties/connection.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Connection Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md index 7b4d8a084e..69bb94823a 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md @@ -2,7 +2,7 @@ Prior to adding an Exchange Online host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Exchange Online Activity Auditing Configuration](../../../../config/exchangeonline/activity.md) +[Exchange Online Activity Auditing Configuration](/docs/activitymonitor/8.0/config/exchangeonline/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -15,24 +15,24 @@ Follow the steps to add an Exchange Online host to be monitored. **Step 1 –** In the Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Add Host - Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Add Host - Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. -![Add Host Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addexchangeonline.webp) +![Add Host Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addexchangeonline.webp) **Step 3 –** On the Add Host page, select the Exchange Online radio button and enter the domain name. _(Optional)_ Enter a comment for the Exchange Online host. -![Azure AD Connection - Exchange Online](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) +![Azure AD Connection - Exchange Online](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/connection.webp) **Step 4 –** On the Azure AD / Entra ID Connection page, enter Tenant ID, Client ID, Client Secret, and Region(optional) then click **Connect** to verify the connection.. Click **Open Instruction...** for steps on registering the Activity Monitor with Microsoft Azure. Click **Next**. -![operations](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![operations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) **Step 5 –** On the Exchange Online Operations page, configure the options found in the following tabs: 
@@ -43,24 +43,24 @@ tabs: - Other These options can be configured again in a Exchange Online host's properties window. See the -[Operations Tab](../../outputs/operations.md) for additional information. Click **Next**. +[Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) for additional information. Click **Next**. -![Mailboxes to Exclude](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/mailboxesexclude.webp) +![Mailboxes to Exclude](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/mailboxesexclude.webp) **Step 6 –** Click **Add Mailbox** to display the Select User dialog box. Specify the mailboxes that will be filtered during collection. Click **Next**. -![usersexclude](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/usersexclude.webp) +![usersexclude](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/usersexclude.webp) **Step 7 –** Click **Add User** to display the Select User dialog box. Specify the user or email that will be filtered during collection. Click **Next**. -![Where to log activity - Exchange Online](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologactivity.webp) +![Where to log activity - Exchange Online](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologactivity.webp) **Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. 
-![File Output - Exchange Online](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) +![File Output - Exchange Online](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) **Step 9 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. The configurable options are: @@ -83,7 +83,7 @@ Output** page can be configured. The configurable options are: Click **Next**. -![Syslog Output - Exchange Online](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![Syslog Output - Exchange Online](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. The configurable options are: @@ -101,7 +101,7 @@ Output page can be configured. The configurable options are: - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -111,14 +111,14 @@ Output page can be configured. The configurable options are: - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Exchange Online in Activity Monitor](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/exchangeonline.webp) +![Exchange Online in Activity Monitor](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/exchangeonline.webp) The added Exchange Online host is displayed in the monitored hosts table. Once a host has been added -for monitoring, configure the desired outputs. See the [Output for Monitored Hosts](../output.md) +for monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Exchange Online @@ -126,7 +126,7 @@ topic for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Connection Tab](../properties/connection.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Connection Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/hitachi.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/hitachi.md index c9c56c6246..1830de10d8 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/hitachi.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/hitachi.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Hitachi host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Hitachi Activity Auditing Configuration](../../../../config/hitachi/activity.md) topic for +[Hitachi Activity Auditing Configuration](/docs/activitymonitor/8.0/config/hitachi/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -37,28 +37,28 @@ Follow the steps to add a Hitachi host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click **Next**. -![Add Host page with Hitachi NAS selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhosthitachi.webp) +![Add Host page with Hitachi NAS selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhosthitachi.webp) **Step 3 –** On the Add Host page, select the Hitachi NAS radio button and enter the **EVS or file system name** for the device. If desired, add a **Comment**. Click **Next**. -![Hitachi NAS Options page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/hitachinasoptions.webp) +![Hitachi NAS Options page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/hitachinasoptions.webp) **Step 4 –** On the Hitachi NAS Options page, enter the **Logs path (UNC)** and the **Active Log file name**. Then enter the credentials to access the HNAS Log files. Click Connect to validate the connection with the Hitachi device. Click **Next**. 
-![Configure Operations page for Hitachi NAS](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationshitachi.webp) +![Configure Operations page for Hitachi NAS](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationshitachi.webp) **Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory Operations** to be monitored. Click **Next**. -![Configure Basic Options page for Hitachi NAS](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionshitachi.webp) +![Configure Basic Options page for Hitachi NAS](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionshitachi.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the proxy host. Select the desired options: @@ -78,12 +78,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![Where To Log The Activity](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologtheactivity.webp) +![Where To Log The Activity](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologtheactivity.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File)** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. 
@@ -107,7 +107,7 @@ Output** page can be configured. Click **Next**. -![syslogoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![syslogoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -125,7 +125,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -135,14 +135,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with Hitachi Host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorhitachi.webp) +![Activity Monitor with Hitachi Host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorhitachi.webp) The added Hitachi host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Hitachi @@ -150,7 +150,7 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Hitachi NAS Tab](../properties/hitachinas.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Hitachi NAS Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nasuni.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nasuni.md index 7bf16715e6..c63e1d1ca6 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nasuni.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nasuni.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Nasuni Edge Appliance host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Nasuni Edge Appliance Activity Auditing Configuration](../../../../config/nasuni/activity.md) topic +[Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/8.0/config/nasuni/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -37,18 +37,18 @@ Follow the steps to add a Nasuni Edge Appliance host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click **Next**. -![Add Host page with Nasuni selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostnasuni.webp) +![Add Host page with Nasuni selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostnasuni.webp) **Step 3 –** On the Add Host page, select the Nasuni radio button and enter the host name or IP Address of the Nasuni Edge Appliance in the Nasuni Filer textbox. If desired, add a **Comment**. Click **Next**. -![Nasuni Options page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nasunioptions.webp) +![Nasuni Options page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nasunioptions.webp) **Step 4 –** On the Nasuni Options page, enter the **API Key Name** and the **API Key Value**. Click Connect to validate the connection with the Nasuni device. 
@@ -61,7 +61,7 @@ Connect to validate the connection with the Nasuni device. Click **Next**. -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) - HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session @@ -88,7 +88,7 @@ in Read events not being monitored. Click **Next**. -![Configure Basic Options page for Nasuni](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp) +![Configure Basic Options page for Nasuni](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the proxy host. Select the desired options: 
@@ -113,12 +113,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![Where to log the activity page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to log the activity page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File)** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -142,7 +142,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) +![Syslog Output page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -160,7 +160,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -170,14 +170,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with Nasuni host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitornasuni.webp) +![Activity Monitor with Nasuni host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitornasuni.webp) The added Nasuni host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Nasuni 
@@ -185,8 +185,8 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Nasuni Tab](../properties/nasuni.md) -- [Unix IDs Tab](../properties/unixids.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Nasuni Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md) +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md index 3401d0f872..29332dc54c 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md 
@@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,9 +24,9 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a NetApp Data ONTAP host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](../../../../config/netappcmode/activity.md) +[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netappcmode/activity.md) topic or the -[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](../../../../config/netapp7mode/activity.md) +[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netapp7mode/activity.md) topic in the for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -39,12 +39,12 @@ Follow the steps to add a NetApp Data ONTAP host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Add New Host - Choose Agent page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Add New Host - Choose Agent page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click **Next**. -![Add New Host - Add Host page with NetApp selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostnetapp.webp) +![Add New Host - Add Host page with NetApp selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostnetapp.webp) **Step 3 –** On the Add Host page, select the NetApp radio button. Then, in the NetApp Filer/SVM textbox, enter the following information: @@ -55,7 +55,7 @@ textbox, enter the following information: Click **Next**. -![NetApp Host Connection Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappconnection.webp) +![NetApp Host Connection Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappconnection.webp) **CAUTION:** Cluster-Mode is case sensitive. The case of the Filer or SVM name must match exactly to how it is in NetApp's FPolicy configuration. 
@@ -76,7 +76,7 @@ how it is in NetApp's FPolicy configuration. Click **Next**. -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) - HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session @@ -86,7 +86,7 @@ Click **Next**. connects to matches the name in the certificate (CN name) - Click OK to close the window and save the modifications. -![NetApp FPolicy Configuration page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicyconfiguration.webp) +![NetApp FPolicy Configuration page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicyconfiguration.webp) **Step 5 –** On the NetApp Mode FPolicy Configuration page, choose whether or not to automatically configure FPolicy through Activity Monitor. If that is desired, check the Configure FPolicy option. @@ -112,7 +112,7 @@ configuring the FPolicy, do not select the ConfigureFPolicy checkbox. If automatic configuration is selected, proceed to the Configure Privileged Access section after successfully adding the host. -![NetApp FPolicy Enable and Connect window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicyenableconnect.webp) +![NetApp FPolicy Enable and Connect window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicyenableconnect.webp) The options on the Configure Operations page require the provisioned user account to have, at a minimum, the less privileged permissions. For Cluster-mode devices, the credentials are identified 
@@ -136,7 +136,7 @@ availability file monitoring, use this option. Click **Next**. -![protocolspage](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/protocolspage.webp) +![protocolspage](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/protocolspage.webp) **Step 6 –** On the Protocols page, select which protocols to monitor. The protocols that can be monitored are: @@ -147,7 +147,7 @@ monitored are: Click **Next**. -![Configure Operations window for NetApp](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsnetapp.webp) +![Configure Operations window for NetApp](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationsnetapp.webp) **Step 7 –** On the Configure Operations page, select the File Operations and Directory Operations to be monitored. @@ -175,7 +175,7 @@ in Read events not being monitored. Click **Next**. -![Configure Basic Options page for NetApp](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp) +![Configure Basic Options page for NetApp](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp) **Step 8 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the proxy host. Select the desired options: 
@@ -201,12 +201,12 @@ are the activity logs created by the activity agent on the proxy host. Select th Click **Next**. -![wheretologgeneric](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![wheretologgeneric](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. Click **Next**. -![fileoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) +![fileoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) **Step 10 –** If **Log File)** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -230,7 +230,7 @@ Output** page can be configured. Click **Next**. -![syslogoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![syslogoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -248,7 +248,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -258,14 +258,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with NetApp Host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitornetapp.webp) +![Activity Monitor with NetApp Host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitornetapp.webp) The added NetApp host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. _Remember,_ if automatic configuration of the FPolicy was selected, it is necessary to Configure @@ -281,7 +281,7 @@ this requires the provisioned user account to have full permissions, identified **Step 1 –** On to the Monitored Hosts tab, select the desired host and click Edit. The host’s Properties window opens. -![NetApp Host Properties FPolicy Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicytab.webp) +![NetApp Host Properties FPolicy Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/netappfpolicytab.webp) **Step 2 –** On the FPolicy tab, select the **Privileged Access** tab. Select the Allow privileged access checkbox and provide the Privileged user name in the textbox. 
@@ -291,7 +291,7 @@ access checkbox and provide the Privileged user name in the textbox. Privileged access must be allowed and configured with appropriate credentials to leverage Access Analyzer permission (FSAA) scans for this NetApp device -For information on the other options for this tab, see the [FPolicy Tab](../properties/fpolicy.md) +For information on the other options for this tab, see the [FPolicy Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md) section. ## Host Properties for NetApp @@ -299,9 +299,9 @@ section. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [NetApp Tab](../properties/netapp.md) -- [FPolicy Tab](../properties/fpolicy.md) -- [Unix IDs Tab](../properties/unixids.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [NetApp Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md) +- [FPolicy Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md) +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nutanix.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nutanix.md index 4ee2fc5dbf..22e85a2050 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nutanix.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nutanix.md 
@@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Nutanix files host to the Activity Monitor, the prerequisites for the target environment must be met. See -[Nutanix Files Activity Auditing Configuration](../../../../config/nutanix/activity.md) for more +[Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/8.0/config/nutanix/activity.md) for more information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -35,11 +35,11 @@ monitoring the target environment. Ensure that the correct network adapter is specified in the Network page for an agent before adding a Nutanix file server to be monitored. -![nutanixnetworkadapter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixnetworkadapter.webp) +![nutanixnetworkadapter](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixnetworkadapter.webp) The agent registers the IP address of the network adapter in the Nutanix auditing configuration for activity delivery. Nutanix Files server connects to the agent using the TCP port 4501. See the -[Network Tab](../../agents/properties/network.md) topic for additional information. +[Network Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/network.md) topic for additional information. ## Add Nutanix Host 
@@ -48,17 +48,17 @@ Follow the steps to add a Nutanix files host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click **Add**. The Add New Host window opens. -![Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) +![Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the drop-down list. Click **Next**. -![Add Host](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost02.webp) +![Add Host](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost02.webp) **Step 3 –** On the Add Host page, select the **Nutanix Files** radio button and enter the file server name. Click **Next**. -![Nutanix Options](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_04.webp) +![Nutanix Options](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_04.webp) **Step 4 –** On the Nutanix Options page, enter the user name and password. 
@@ -74,14 +74,14 @@ access. Click **Next**. -![Configure Operations](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_05.webp) +![Configure Operations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_05.webp) **Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations to be monitored. Click **Next**. -![Configure Operations](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_06.webp) +![Configure Operations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_06.webp) **Step 6 –** On the Configure Basic Operations page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the agent's server. Select one of the @@ -98,14 +98,14 @@ following options: Click **Next**. -![Where to log the activity](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_07.webp) +![Where to log the activity](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_07.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a Log File or Syslog Server. Click **Next**. **NOTE:** An option must be selected before moving to the next step. -![File Output](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_08.webp) +![File Output](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_08.webp) **Step 8 –** If Log File is selected on the Where To Log The Activity page, configure the File Output page. 
@@ -132,7 +132,7 @@ Output page. Click **Next**. -![Syslog Output](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_09.webp) +![Syslog Output](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_09.webp) **Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, configure the Syslog Output page. @@ -149,7 +149,7 @@ Syslog Output page. - TLS The TCP and TLS protocols add the **Message framing** drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary @@ -159,14 +159,14 @@ Syslog Output page. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![nutanixoptions_10](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_10.webp) +![nutanixoptions_10](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_10.webp) The added Nutanix host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Nutanix 
@@ -174,7 +174,7 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Nutanix Tab](../properties/nutanix.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Nutanix Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/overview.md index 8239ee9702..538838878d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/overview.md 
@@ -3,25 +3,25 @@ Once an agent has been deployed, you can configure a host to be monitored by clicking the Add Host button on the Monitored Hosts tab. -![Add New Host window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addnewhost.webp) +![Add New Host window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addnewhost.webp) The window opens for all types of hosts that can be monitored with an Activity Agent. See the following topics for additional information: -- [CTERA Activity Auditing Configuration](../../../../config/ctera/Activity.md) -- [Dell Celerra or VNX](dellcelerravnx.md) -- [Dell Isilon/PowerScale](dellpowerscale.md) -- [Dell PowerStore](dellpowerstore.md) -- [Dell Unity](dellunity.md) -- [Exchange Online](exchangeonline.md) -- [Hitachi](hitachi.md) -- [Microsoft Entra ID](entraid.md) -- [Nasuni](nasuni.md) -- [NetApp](netapp.md) -- [Nutanix](nutanix.md) -- [Panzura](panzura.md) -- [Qumulo](qumulo.md) -- [SharePoint](sharepoint.md) -- [SharePoint Online](sharepointonline.md) -- [SQL Server](sqlserver.md) -- [Windows](windows.md) +- [CTERA Activity Auditing Configuration](/docs/activitymonitor/8.0/config/ctera/Activity.md) +- [Dell Celerra or VNX](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellcelerravnx.md) +- [Dell Isilon/PowerScale](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerscale.md) +- [Dell PowerStore](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellpowerstore.md) +- [Dell Unity](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/dellunity.md) +- [Exchange Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md) +- [Hitachi](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/hitachi.md) +- [Microsoft Entra ID](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/entraid.md) +- 
[Nasuni](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nasuni.md) +- [NetApp](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md) +- [Nutanix](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/nutanix.md) +- [Panzura](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md) +- [Qumulo](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/qumulo.md) +- [SharePoint](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepoint.md) +- [SharePoint Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepointonline.md) +- [SQL Server](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sqlserver.md) +- [Windows](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/windows.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md index c0d9dbb8e0..bbb2e2566d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: 
@@ -24,7 +24,7 @@ It also provides the ability to feed activity data to other Netwrix products: ## Add Panzura Host Prior to adding a Panzura host to the Activity Monitor, the prerequisites for the target environment -must be met. See the [Panzura CloudFS Monitoring](../../../../config/panzura/activity.md) topic for +must be met. See the [Panzura CloudFS Monitoring](/docs/activitymonitor/8.0/config/panzura/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for @@ -35,17 +35,17 @@ Follow the steps to add a Panzura host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click **Next**. -![Add Host](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostpanzura.webp) +![Add Host](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostpanzura.webp) **Step 3 –** On the Add Host page, select the **Panzura** radio button and enter the **Panzura filer name**. Click **Next**. -![Panzura Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/panzuraoptions.webp) +![Panzura Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/panzuraoptions.webp) **Step 4 –** On the Panzura Options page, enter the **Username**, **Password**, and select the **Protocol** to be used by the Panzura host. 
@@ -60,7 +60,7 @@ name**. Click **Next**. Click **Next**. -![Customize Certifiacte Verification](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) +![Customize Certifiacte Verification](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp) - HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session @@ -73,7 +73,7 @@ Click **Next**. Click **Connect** to connect to the Panzura device. Click **Next**. -![Configure Operations](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/panzuraconfigureoperations.webp) +![Configure Operations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/panzuraconfigureoperations.webp) **Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory Operations** to be monitored. @@ -84,7 +84,7 @@ Operations** to be monitored. Click **Next**. -![configurebasicoptionspanzura](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionspanzura.webp) +![configurebasicoptionspanzura](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionspanzura.webp) **Step 6 –** On the Configure Basic Options page, choose which of the following settings to enable: 
@@ -108,14 +108,14 @@ Click **Next**. Click **Next**. -![wheretologgeneric](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![wheretologgeneric](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File)** or **Syslog Server**. Click **Next**. **NOTE:** An option must be selected before moving to the next step. -![fileoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) +![fileoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) **Step 8 –** If **Log File)** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -139,7 +139,7 @@ Output** page can be configured. Click **Next**. -![syslogoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![syslogoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -157,7 +157,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the **Message framing** drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -167,14 +167,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![activitymonitorpanzura](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorpanzura.webp) +![activitymonitorpanzura](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorpanzura.webp) The added Panzura host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Panzura @@ -182,7 +182,7 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Panzura Tab](../properties/panzura.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Panzura Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/qumulo.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/qumulo.md index 2ce7175698..e7b8351ecf 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/qumulo.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/qumulo.md @@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -23,7 +23,7 @@ It also provides the ability to feed activity data to other Netwrix products: - Netwrix Threat Manager Prior to adding a Qumulo host to the Activity Monitor, the prerequisites for the target environment -must be met. See the [Qumulo Activity Auditing Configuration](../../../../config/qumulo/activity.md) +must be met. See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/8.0/config/qumulo/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -36,17 +36,17 @@ Follow the steps to add a Qumulo host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click **Add**. The Add New Host window opens. -![addagent01](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) +![addagent01](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addagent01.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the drop-down list. Click **Next**. -![addhostqumulo01](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo01.webp) +![addhostqumulo01](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo01.webp) **Step 3 –** On the Add Host page, select the **Qumulo** radio button and enter the file server name. Click **Next**. -![addhostqumulo02](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo02.webp) +![addhostqumulo02](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo02.webp) **Step 4 –** On the Qumulo Options page, enter the user name and password. 
@@ -65,14 +65,14 @@ Qumulo. Click **Next**. -![nutanixoptions_07](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_07.webp) +![nutanixoptions_07](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_07.webp) **Step 5 –** On the Where To Log The Activity page, select whether to send the activity to either a Log File or Syslog Server. Click **Next**. **NOTE:** An option must be selected before moving to the next step. -![addhostqumulo04](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo04.webp) +![addhostqumulo04](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo04.webp) **Step 6 –** If Log File is selected on the Where To Log The Activity page, configure the File Output page. @@ -98,7 +98,7 @@ Output page. Click **Next**. -![nutanixoptions_09](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_09.webp) +![nutanixoptions_09](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/nutanixoptions_09.webp) **Step 7 –** If Syslog Server is selected on the Where To Log The Activity page, configure the Syslog Output page. @@ -115,7 +115,7 @@ Syslog Output page. - TLS The TCP and TLS protocols add the **Message framing** drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -125,14 +125,14 @@ Syslog Output page. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![addhostqumulo06](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo06.webp) +![addhostqumulo06](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostqumulo06.webp) The added Qumulo host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Qumulo @@ -140,7 +140,7 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Qumulo Tab](../properties/qumulo.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Qumulo Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepoint.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepoint.md index b9efa7c5fb..25efecf806 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepoint.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepoint.md @@ -23,7 +23,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a SharePoint host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[SharePoint On-Premise Activity Auditing Configuration](../../../../config/sharepoint/activity.md) +[SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sharepoint/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to the SharePoint Application server that hosts the 
@@ -36,17 +36,17 @@ Follow the steps to add a SharePoint host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent deployed on the SharePoint Application server that hosts the “Central Administration” component. Click **Next**. -![Add Host page with SharePoint selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostsharepoint.webp) +![Add Host page with SharePoint selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostsharepoint.webp) **Step 3 –** On the Add Host page, select the SharePoint radio button. If desired, add a Comment. Click **Next**. -![Add Host - SharePoint Options page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sharepointoptions.webp) +![Add Host - SharePoint Options page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sharepointoptions.webp) **Step 4 –** On the SharePoint Options page, choose to audit all sites or scope the monitoring to specific site(s): 
@@ -68,17 +68,17 @@ specific site(s): Click **Next**. -![Configure Operations page for SharePoint](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationssharepoint.webp) +![Configure Operations page for SharePoint](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationssharepoint.webp) **Step 5 –** On the Configure Operations page, select the SharePoint Operations and Permissions Operations to be monitored. Click **Next**. -![Where to log the activity page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to log the activity page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File)** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. @@ -101,7 +101,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) +![Syslog Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) **Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. The configurable options are: 
@@ -119,7 +119,7 @@ Output page can be configured. The configurable options are: - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary @@ -129,14 +129,14 @@ Output page can be configured. The configurable options are: - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click Finish. -![Activity Monitor with SharePoint host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorsharepoint.webp) +![Activity Monitor with SharePoint host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorsharepoint.webp) The added SharePoint host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for SharePoint 
@@ -144,7 +144,7 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [SharePoint Tab](../properties/sharepoint.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [SharePoint Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepointonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepointonline.md index bc53de79d5..1ebc8e5097 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepointonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sharepointonline.md @@ -23,7 +23,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a SharePoint Online host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[SharePoint Online Activity Auditing Configuration](../../../../config/sharepointonline/activity.md) +[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sharepointonline/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -36,19 +36,19 @@ Follow the steps to add a SharePoint Online host to be monitored. **Step 1 –** In the Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the Agent to monitor SharePoint Online. **CAUTION:** The domain name must match the SharePoint Online host name in order to properly integrate SharePoint Online activity monitoring with Access Analyzer. -![Add Host page with SharePoint Online selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost.webp) +![Add Host page with SharePoint Online selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost.webp) **Step 3 –** On the Add Host page, select the SharePoint Online radio button and enter the Microsoft Entra ID (formerly Azure AD) domain name. Click **Next**. -![Add New Host - Azure AD Connection for SharePoint Online](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/azureadconnection.webp) +![Add New Host - Azure AD Connection for SharePoint Online](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/azureadconnection.webp) **Step 4 –** On the Azure AD / Entra ID Connection page, enter a Client ID and Client Secret, then click **Sign-In** to grant permissions to read the auditing and directory data. Click **Open 
@@ -62,12 +62,12 @@ Instruction...** for steps on registering the Activity Monitor with Microsoft En API access using the Client ID and Secret. - See the - [SharePoint Online Activity Auditing Configuration](../../../../config/sharepointonline/activity.md) + [SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sharepointonline/activity.md) topic for additional information. Click **Next**. -![SharePoint Online Operations page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileandpagetab.webp) +![SharePoint Online Operations page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileandpagetab.webp) **Step 5 –** On the SharePoint Online Operations page, configure the options found in the following tabs: 
@@ -85,14 +85,14 @@ tabs: - Other These options can be configured again in a SharePoint Online host's properties window. See the -[Operations Tab](../../outputs/operations.md) for additional information. Click **Next**. +[Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) for additional information. Click **Next**. -![Where to log the activity page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to log the activity page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File** or **Syslog Server**. Click **Next**. -![File Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) +![File Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutputpage.webp) **Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. The configurable options are: @@ -114,7 +114,7 @@ Output** page can be configured. The configurable options are: Click **Next**. -![Syslog Output Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) +![Syslog Output Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) **Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. The configurable options are: 
@@ -132,7 +132,7 @@ Output page can be configured. The configurable options are: - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -142,22 +142,22 @@ Output page can be configured. The configurable options are: - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with SharePoint Online host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sharepointonline.webp) +![Activity Monitor with SharePoint Online host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sharepointonline.webp) The added SharePoint Online host is displayed in the monitored hosts table. Once a host has been added for monitoring, configure the desired ouptuts. See the -[Output for Monitored Hosts](../output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for SharePoint Online Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Connection Tab](../properties/connection.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Connection Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sqlserver.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sqlserver.md index 667034bfb7..8b4c6b5e76 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sqlserver.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/sqlserver.md @@ -8,7 +8,7 @@ The Activity Monitor provides the ability to feed activity data to other Netwrix Prior to adding a SQL Server host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[SQL Server Activity Auditing Configuration](../../../../config/sqlserver/activity.md) topic for +[SQL Server Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sqlserver/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to a Windows server that acts as a proxy for 
@@ -21,41 +21,41 @@ Follow the steps to add a SQL Server host to be monitored. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![chooseagent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![chooseagent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device, then click **Next**. -![addhost](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost.webp) +![addhost](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhost.webp) **Step 3 –** On the **Add Host** page, select **MS SQL Server** and enter the **Server name or address** for the SQL Server host., then click **Next**. -![mssqlserveroptionspage](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/mssqlserveroptionspage.webp) +![mssqlserveroptionspage](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/mssqlserveroptionspage.webp) **Step 4 –** On the MS SQL Server Options page, configure the following options: - Enable Audit automatically — Check the box to enable automatic auditing if it is ever disabled - Open instruction — Opens the **How to create a SQL Login for Monitoring** page. See the SQL Server Database section of the - [SQL Server Activity Auditing Configuration](../../../../config/sqlserver/activity.md) topic for + [SQL Server Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sqlserver/activity.md) topic for additional information. - User name — Enter the user name for the credentials for the SQL Server - User password — Enter the password for the credentials for the SQL Server Click **Connect** to test the settings, then click **Next**. 
-![configureoperations](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperations.webp) +![configureoperations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperations.webp) **Step 5 –** On the Configure Operations page, select which SQL Server events to monitor, then click **Next**. -![SQL Server Objects Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverobjects.webp) +![SQL Server Objects Page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverobjects.webp) **Step 6 –** On the SQL Server Objects page, click **Refresh**. Select the SQL Server objects to be monitored. Click **Next**. -![sqlserverlogontriggerpage](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp) +![sqlserverlogontriggerpage](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp) **Step 7 –** On the SQL Server Logon Trigger page, copy and paste the SQL script into a New Query in the SQL database. Execute the query to create a logon trigger. Netwrix Activity Monitor will monitor 
@@ -65,11 +65,11 @@ SQL logon events and obtain IP addresses for connections. The script is: CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @str varchar(max)=cast(EVENTDATA() as varchar(max));raiserror(@str,1,1);END ``` -![SQL Server Logon Success](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp) +![SQL Server Logon Success](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp) > Click **Check Status** to see if the trigger is configured properly, then click **Next**. -![configurebasicoptions](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) +![configurebasicoptions](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptions.webp) **Step 8 –** On the Configure Basic Options page, @@ -81,12 +81,12 @@ CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @s Click **Next**. -![Where To Log The Activity page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where To Log The Activity page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File (TSV)** or **Syslog Server**, then click **Next**. -![fileoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) +![fileoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileoutput.webp) **Step 10 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. 
@@ -106,7 +106,7 @@ Output** page can be configured. - While Activity Monitor can have multiple configurations per host, Access Analyzer can only read one of them. -![syslogoutput](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) +![syslogoutput](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutput.webp) **Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -124,7 +124,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -134,14 +134,14 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![activitymonitorsqlserverhost](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp) +![activitymonitorsqlserverhost](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp) The added SQL Server host is displayed in the monitored hosts table. Once a host has been added for -monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](../output.md) topic +monitoring, configure the desired ouptuts. See the [Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for SQL Server 
@@ -149,9 +149,9 @@ for additional information. Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [MS SQL Server Tab](../properties/mssqlserver.md) -- [Logon Trigger Tab](../properties/logontrigger.md) -- [Tweak Options Tab](../properties/tweakoptions.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [MS SQL Server Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md) +- [Logon Trigger Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md) +- [Tweak Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/windows.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/windows.md index dbf2f7c2f5..4c6bcee2bd 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/windows.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/windows.md 
@@ -11,9 +11,9 @@ It provides the ability to feed activity data to SIEM products. The following da specifically created for Activity Monitor event data: - For IBM® QRadar®, see the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) for additional + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) for additional information. -- For Splunk®, see the [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) for +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) for additional information. It also provides the ability to feed activity data to other Netwrix products: @@ -23,7 +23,7 @@ It also provides the ability to feed activity data to other Netwrix products: Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment must be met. See the -[Windows File Server Activity Auditing Configuration](../../../../config/windowsfile/activity.md) +[Windows File Server Activity Auditing Configuration](/docs/activitymonitor/8.0/config/windowsfile/activity.md) topic for additional information. _Remember,_ the Activity Agent must be deployed to the server. It cannot be deployed to a proxy 
@@ -37,18 +37,18 @@ deployed. **Step 1 –** In Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens. -![Choose Agent](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) +![Choose Agent](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/chooseagent.webp) **Step 2 –** On the Choose Agent page, select the **Agent** to monitor deployed on the Windows file server. Click **Next**. -![Add Host page with Windows selected](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostwindows.webp) +![Add Host page with Windows selected](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/addhostwindows.webp) **Step 3 –** On the Add Host page, select the Agent’s Windows host radio button. Remember, the agent must be deployed on the Windows file server to be monitored. If desired, add a **Comment**. Click **Next**. -![Protocols page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/protocolspage.webp) +![Protocols page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/protocolspage.webp) **Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be monitored are: @@ -59,7 +59,7 @@ monitored are: Click **Next**. -![Configure Operations page for Windows host](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationswindows.webp) +![Configure Operations page for Windows host](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configureoperationswindows.webp) **Step 5 –** On the Configure Operations page, select the **File Operations**,**Directory Operations**, **Share Operations** and **VSS Opertions** to be monitored. Users may also filter 
@@ -92,7 +92,7 @@ in Read events not being monitored. Click **Next**. -![Configure Basic Options page for Windows](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionswindows.webp) +![Configure Basic Options page for Windows](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/configurebasicoptionswindows.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” are the activity logs created by the activity agent on the target host. Select the desired options: @@ -111,12 +111,12 @@ are the activity logs created by the activity agent on the target host. Select t Click **Next**. -![Where to log activity page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) +![Where to log activity page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/wheretologgeneric.webp) **Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a **Log File)** or **Syslog Server**. Click **Next**. -![File Output page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileouputpage.webp) +![File Output page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/fileouputpage.webp) **Step 8 –** If **Log File)** is selected on the **Where To Log The Activity** page, the **File Output** page can be configured. 
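Review bot: Steps 7 and 8 in this hunk still read `**Log File)**` with a stray closing parenthesis in the unchanged context lines. The image lines directly beside them are being edited, so remove the parenthesis in the same pass. The new image path also keeps the misspelled asset name `fileouputpage.webp`, so confirm the file in the static image directory carries that exact name before merging.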
@@ -138,7 +138,7 @@ Output** page can be configured. Click **Next**. -![Syslog Output page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) +![Syslog Output page](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/syslogoutputpage.webp) **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. @@ -156,7 +156,7 @@ Output page can be configured. - TLS The TCP and TLS protocols add the Message framing drop-down menu. See the - [Syslog Tab](../../outputs/syslog.md) topic for additional information. + [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. - The Test button sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary 
@@ -166,22 +166,22 @@ Output page can be configured. - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails - See the [Syslog Tab](../../outputs/syslog.md) topic for additional information. + See the [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md) topic for additional information. Click **Finish**. -![Activity Monitor with Windows Host added](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorwindows.webp) +![Activity Monitor with Windows Host added](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/activitymonitorwindows.webp) The added Windows file server host is displayed in the monitored hosts table. Once a host has been added for monitoring, configure the desired ouptuts. See the -[Output for Monitored Hosts](../output.md) topic for additional information. +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for additional information. ## Host Properties for Windows File Server Configuration settings can be edited through the tabs in the host’s Properties window. The configurable host properties are: -- [Windows Tab](../properties/windows.md) -- [Inactivity Alerts Tab](../properties/inactivityalerts.md) +- [Windows Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) -See the [Host Properties Window](../properties/overview.md) topic for additional information. +See the [Host Properties Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md) topic for additional information. 
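Review bot: The rewritten links at the end of this hunk hard-code the version segment, for example `/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md` in place of `../properties/windows.md`, so a later copy of this tree for another version would keep pointing into 8.0 rather than at its own pages. For targets inside the same versioned directory, consider keeping the relative form, or add a check that flags links whose version segment differs from the path of the file that contains them.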
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md index 53f5aa5b2f..9cb94c7f5b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md @@ -2,7 +2,7 @@ Once a host is being monitored the event stream can be sent to multiple outputs. -![Output Properties Overview](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/outputpropertiesoverview.webp) +![Output Properties Overview](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/outputpropertiesoverview.webp) Configured outputs are grouped under the host. You can have multiple outputs configured for a host. The host event outputs are: @@ -19,14 +19,14 @@ Follow the steps to add a File output. **Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens. -![addnewoutputfile](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/addnewoutputfile.webp) +![addnewoutputfile](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/addnewoutputfile.webp) **Step 3 –** Configure the tab(s) as desired. **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. The new output displays in the table. Click the **Edit** button to open the Output properties window -to modify these settings. See the [Output Types](../outputs/overview.md) topic for additional +to modify these settings. See the [Output Types](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md) topic for additional information. ## Add Syslog Output 
@@ -37,12 +37,12 @@ Follow the steps to add a Syslog output. **Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens. -![addnewoutputsyslog](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/addnewoutputsyslog.webp) +![addnewoutputsyslog](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/addnewoutputsyslog.webp) **Step 3 –** Configure the tab(s) as desired. **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. The new output displays in the table. Click the **Edit** button to open the Output properties window -to modify these settings. See the [Output Types](../outputs/overview.md) topic for additional +to modify these settings. See the [Output Types](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md index daac921712..777a1fb51e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md @@ -12,7 +12,7 @@ Agent: - Dell Unity - Hitachi - Linux – Configuration of a Linux host is done during agent deployment. See the - [Linux Agent Deployment](../agents/add/linux.md) topic for additional information. + [Linux Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md) topic for additional information. - Nasuni - NetApp - Nutanix @@ -24,7 +24,7 @@ Agent: - Exchange Online - SQL Server -See the [Add New Host Window](add/overview.md) topic for additional information. +See the [Add New Host Window](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/overview.md) topic for additional information. Agents 
@@ -48,7 +48,7 @@ listed under each monitored host. These are destinations to which events are for The button bar allows users to take the following actions: -![Activity Monitor with Monitored Hosts tab identified](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/monitoredhoststab.webp) +![Activity Monitor with Monitored Hosts tab identified](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/monitoredhoststab.webp) - Toggle Collapse – Expands and collapses all Monitored Hosts for viewing or hiding host's outputs - Add Host – Opens the Add New Host window to configure monitoring of a new host or platform. See @@ -108,7 +108,7 @@ For integration with Netwrix Access Analyzer (formerly Enterprise Auditor), only of a 'monitored host' can be set as the Netwrix Access Analyzer (formerly Enterprise Auditor) output. After a 'monitored host' has been added, use the Edit feature to identify the configuration as being for Netwrix Access Analyzer (formerly Enterprise Auditor) on the Log Files tab of the -host's Properties window. See the [Log Files Tab](../outputs/logfiles.md) topic for additional +host's Properties window. See the [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md) topic for additional information. ## Monitoring Status 
@@ -118,7 +118,7 @@ visibility into a host's monitoring state and history of state changes. Host mon depicted in the Monitored Hosts table under the Status column. Users can expand the Status section to view more information on various status conditions. -![errorpropogationpopulated](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/errorpropogationpopulated.webp) +![errorpropogationpopulated](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/errorpropogationpopulated.webp) Click the **Down Arrow** to expand the Status section. The information listed is dependent on which host or output is currently selected in the Monitored Hosts table. Users can find information on the diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md index 8b6e900ac8..b10433546b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md @@ -3,7 +3,7 @@ The Auditing tab allows users to modify to modify the Isilon Options setting which was populated with the information entered when the Dell Isilon host is added to the Monitored Hosts list. -![Auditing Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/auditingtab.webp) +![Auditing Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/auditingtab.webp) The **Enable Protocol Access Auditing in OneFS if it is disabled** box allows the activity agent to automatically enable and configure auditing on the Isilon cluster. If a manual configuration has 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md index fc2feccb54..9add1e8468 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md @@ -4,7 +4,7 @@ Once a host is added to the monitored hosts table, the configuration settings ar tabs in the host’s Properties window. The Connection tab on a host’s Properties window is specific to Microsoft Entra ID (formerly Azure AD), Exchange Online, and SharePoint Online hosts. -![Conneciton Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/azure.webp) +![Conneciton Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/azure.webp) Configure App Registration information for a Microsoft Entra ID host in the Connection Tab of the host's Properties window. Click **Open instructions...** for steps on registering the diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md index 36892c305c..dbd76cfd58 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md 
@@ -5,6 +5,6 @@ Dell PowerStore, or Dell Unity host to be monitored for activity and any host al populated with the information entered when the Dell host is added to the monitored hosts table. If desired, specify a different device to be monitored for activity. -![Dell Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp) +![Dell Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp) If changes are made to these configuration options, click **OK** to save the changes. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md index 30861b3572..7d1948a5ee 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md 
@@ -3,14 +3,14 @@ The FPolicy tab allows users to modify FPolicy settings for NetApp devices, privileged access, and enabling/connecting to cluster nodes. -![FPolicy Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/fpolicytab.webp) +![FPolicy Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/fpolicytab.webp) On the **FPolicy** tab, the agent can configure and/or enable FPolicy automatically. The recommended setting is dependent on the type of NetApp device being targeted. The permissions required for each option are listed. See the -[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](../../../../config/netapp7mode/activity.md) +[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netapp7mode/activity.md) topic or the -[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](../../../../config/netappcmode/activity.md) +[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netappcmode/activity.md) topic for additional information. At the bottom are two additional tabs with setting options. On this tab, specify the protocols to 
@@ -18,17 +18,17 @@ monitor by selecting the radio buttons. ## Privileged Access Tab -![Privileged Access section in the FPolicy Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/privilegedaccess.webp) +![Privileged Access section in the FPolicy Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/privilegedaccess.webp) The Privileged Access tab is enabled when the Configure FPolicy checkbox is selected at the top. The Privileged Access tab must be configured if automatic configuration of the FPolicy for NetApp Data ONTAP Cluster-Mode devices is used. See the -[Configure Privileged Access](../add/netapp.md#configure-privileged-access) topic for additional +[Configure Privileged Access](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/netapp.md#configure-privileged-access) topic for additional information. ## Enable and Connect settings Tab -![Enable and Connect Settings - FPolicy Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettings.webp) +![Enable and Connect Settings - FPolicy Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettings.webp) The Enable and Connect settings tab is enabled when the Enable and connect FPolicy checkbox is selected. 
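Review bot: The Configure Privileged Access link in this hunk is the one rewritten link here that carries a fragment, `netapp.md#configure-privileged-access`, and nothing in the change shows that the anchor was checked along with the path. Confirm that `add/netapp.md` still has a heading that produces that anchor, and run a build-time link check that covers fragments as well as file paths.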
@@ -36,14 +36,14 @@ selected. **NOTE:** Adding nodes are not needed if set user is using a role that has Network Interface permissions. -![Add or Edit Cluster Node popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp) +![Add or Edit Cluster Node popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp) Add a list of cluster nodes to connect to FPolicy by clicking Add, which opens the Add or Edit Cluster Node window. Enter at least one cluster node in the textbox. Separate multiple nodes with either commas (,), semicolons (;), or spaces. Click OK and the node(s) is displayed in the **Node name** list. -![Connect to Cluster popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp) +![Connect to Cluster popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp) Click Discover to open the Connect to cluster window and retrieve nodes from the cluster. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md index 0965447310..a5b55e2f1f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md 
@@ -4,7 +4,7 @@ Once a Hitachi host is added to the monitored hosts table, the configuration set through the tabs in the host’s Properties window. The Hitachi NAS tab on a host’s Properties window is specific to Hitachi hosts. -![Host Properties - Hitachi Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/hitachihostproperties.webp) +![Host Properties - Hitachi Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/hitachihostproperties.webp) The Hitachi NAS tab allows users to modify settings that were populated with the information entered when the Hitachi host was added. Additionally, the Path pooling interval can be configured. The Path diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md index ead9a7e845..d8f4cd6a6f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md @@ -3,7 +3,7 @@ The Inactivity Alerts tab on a host's Properties window is used to configure alerts that are sent when monitored hosts receive no events for a specified period of time. -![inactivityalertstab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/inactivityalertstab.webp) +![inactivityalertstab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/inactivityalertstab.webp) The configurable options are: 
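Review bot: The changed image line in the inactivityalerts.md hunk keeps `inactivityalertstab` as its alt text, which is the file stem rather than a description; the other two images in the same file use `Syslog Alerts Tab` and `Email Alerts Tab`. Since the line is being rewritten anyway, change the alt text to `Inactivity Alerts Tab`.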
@@ -19,7 +19,7 @@ The configurable options are: Configure Syslog alerts using the Syslog Alerts Tab. -![Syslog Alerts Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/syslogalertstab.webp) +![Syslog Alerts Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/syslogalertstab.webp) The configurable options are: @@ -41,10 +41,10 @@ The configurable options are: - LogRhythm - McAfee - QRadar – Use this template for IBM QRadar integration. See the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) topic for + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) topic for additional information. - Splunk – Use this template for Splunk integration. See the - [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) section for + [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) section for additional information. - StealthDEFEND – Use this template for Netwrix Threat Manager integration. This is the only supported template for Threat Manager. @@ -53,7 +53,7 @@ The configurable options are: Configure Email alerts using the Email Alerts Tab. -![Email Alerts Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/emailalertstab.webp) +![Email Alerts Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/emailalertstab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md index f6c582e6bb..4a1d5f7459 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md @@ -3,7 +3,7 @@ The Logon trigger tab on a SQL Server host's properties window is used to configure logon triggers for SQL activity monitoring. -![logontriggertab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/logontriggertab.webp) +![logontriggertab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/logontriggertab.webp) Copy and paste the SQL Script into a SQL query and execute to enable the Activity Monitor to obtain IP addresses of client connections. Click **Check Status** to check if the trigger is properly diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md index d908a426ee..4c4a7f093a 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md @@ -3,7 +3,7 @@ The MS SQL Server tab on SQL Server host's properties window is used to configure properties for SQL activity monitoring on the host. -![MS SQL Server Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/mssqlservertab.webp) +![MS SQL Server Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/mssqlservertab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md index c9a80e8bb8..1ec1f42b4f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md 
@@ -3,7 +3,7 @@ After a Nasuni host is added to the monitored hosts table, the configuration settings are edited using the tabs in the Properties window of the host. -![Nasuni Host Properties - Nasuni Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/nasunitab.webp) +![Nasuni Host Properties - Nasuni Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/nasunitab.webp) The **Nasuni** tab allows users to modify settings which were populated with the information entered when the Nasuni host was added. @@ -21,7 +21,7 @@ The configurable options are: - Connect – Click to connect using the selected protocol and validate the connection with Nasuni -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md index eab3601a54..a90536599d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md 
@@ -3,7 +3,7 @@ The NetApp tab on a host’s Properties window allows users to modify settings, which are populated with the information entered when the NetApp host is added to the monitored hosts table. -![Host Properties NetApp Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/netapptab.webp) +![Host Properties NetApp Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/netapptab.webp) Modify the targeted NetApp device by specifying a NetApp device to be monitored for activity and credentials to access it with the Data ONTAP API. @@ -15,7 +15,7 @@ credentials to access it with the Data ONTAP API. - HTTP - Connect – Click to connect using the selected protocol and validate the connection with NetApp -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md index a6ea662dd8..a00838dedd 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md 
@@ -4,7 +4,7 @@ The Nutanix tab allows users to modify settings after a Nutanix host has been co Nutanix host is added to the monitored hosts table, the configuration can be edited in the host Properties. -![Nutanix Host Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/nutanixhostprop01.webp) +![Nutanix Host Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/nutanixhostprop01.webp) The configurable options are: @@ -19,7 +19,7 @@ The configurable options are: - Connect – Click to connect using the selected protocol and validate the connection with Nutanix -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md index 4f332eb34f..f9a3165fab 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/overview.md 
@@ -3,26 +3,26 @@ Once a host has been added to the Monitored Hosts list, the configuration settings can be modified through the host’s Properties window. -![Activity Monitor with Edit button identified ](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/hostpropertiesoverview.webp) +![Activity Monitor with Edit button identified ](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/hostpropertiesoverview.webp) On the Monitored Hosts tab, select the host and click Edit, or right-click on a host and select **Edit Host** from the right-click menu, to open the host’s Properties window. The tabs vary based on the type of host selected: -- [Auditing Tab](auditing.md) — Dell Isilon/PowerScale devices only -- [Connection Tab](connection.md) — Microsoft Entra ID, Exchange Online, and SharePoint Online only -- [Dell Tab](dell.md) — Dell devices only -- [FPolicy Tab](fpolicy.md) — NetApp devices only -- [Hitachi NAS Tab](hitachinas.md) — Hitachi NAS devices only -- [Inactivity Alerts Tab](inactivityalerts.md) -- [Logon Trigger Tab](logontrigger.md) — SQL Server hosts only -- [MS SQL Server Tab](mssqlserver.md) — SQL Server hosts only -- [Nasuni Tab](nasuni.md) — Nasuni Edge Appliances only -- [NetApp Tab](netapp.md) — NetApp devices only -- [Nutanix Tab](nutanix.md) — Nutanix devices only -- [Panzura Tab](panzura.md) — Panzura devices only -- [Qumulo Tab](qumulo.md) — Qumulo devices only -- [SharePoint Tab](sharepoint.md) — SharePoint only -- [Tweak Options Tab](tweakoptions.md) — SQL Server hosts only -- [Unix IDs Tab](unixids.md) — NetApp devices, Dell devices, and Nasuni Edge Appliances only -- [Windows Tab](windows.md) — Windows hosts only +- [Auditing Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/auditing.md) — Dell Isilon/PowerScale devices only +- [Connection 
Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/connection.md) — Microsoft Entra ID, Exchange Online, and SharePoint Online only +- [Dell Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/dell.md) — Dell devices only +- [FPolicy Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/fpolicy.md) — NetApp devices only +- [Hitachi NAS Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/hitachinas.md) — Hitachi NAS devices only +- [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) +- [Logon Trigger Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/logontrigger.md) — SQL Server hosts only +- [MS SQL Server Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/mssqlserver.md) — SQL Server hosts only +- [Nasuni Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nasuni.md) — Nasuni Edge Appliances only +- [NetApp Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/netapp.md) — NetApp devices only +- [Nutanix Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md) — Nutanix devices only +- [Panzura Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md) — Panzura devices only +- [Qumulo Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md) — Qumulo devices only +- [SharePoint Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md) — SharePoint only +- [Tweak Options Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md) — SQL Server hosts only +- [Unix IDs Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md) — NetApp devices, Dell devices, and Nasuni Edge Appliances only 
+- [Windows Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md) — Windows hosts only diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md index 6249ef5a65..1aa000665b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/panzura.md @@ -3,7 +3,7 @@ After a Panzura host is added to the monitored hosts table, the configuration settings are edited using the tabs in the Properties window of the host. -![panzuratab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/panzuratab.webp) +![panzuratab](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/panzuratab.webp) The **Panzura** tab allows users to modify settings which were populated with the information entered when the Panzura host was added. @@ -21,7 +21,7 @@ The configurable options are: - Connect – Click to connect using the selected protocol and validate the connection with Panzura -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md index b70d729333..c3da9d3704 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/qumulo.md @@ -4,7 +4,7 @@ The Qumulo tab allows users to modify settings after a Qumulo host has been conf Qumulo host is added to the monitored hosts table, the configuration can be edited in the host Properties. -![Qumulo Host Properties](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/qumulohostproperties.webp) +![Qumulo Host Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/qumulohostproperties.webp) The configurable options are: @@ -19,7 +19,7 @@ The configurable options are: - Connect – Click to connect using the selected protocol and validate the connection with Qumulo -![Trusted Server Certificate popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- +![Trusted Server Certificate popup window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/add/trustedservercertificate.webp)- HTTPS Options – Opens the Trusted server certificate window to customize the certificate verification during a TLS session diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md index 2f453aea0e..090983a412 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/sharepoint.md 
@@ -3,7 +3,7 @@ The SharePoint tab on a host’s Properties window allows users to modify settings that are populated with the information entered when the SharePoint host is added. -![SharePoint Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/sharepointtab.webp) +![SharePoint Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/sharepointtab.webp) The configurable options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md index fe8d51861a..3cb1d6eb46 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/tweakoptions.md @@ -3,4 +3,4 @@ The Tweak Options tab on a SQL Server host's properties window is used to configure extended events operations for SQL activity monitoring. -![Tweak Options Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/tweakoptionstab.webp) +![Tweak Options Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/tweakoptionstab.webp) diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md index 7b5b56ba82..b9a96d6c05 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/unixids.md 
@@ -8,7 +8,7 @@ on the operating system, the UID can be mapped to Active Directory accounts usin attribute in Active Directory. The activity agent resolves the Active Directory SID based on the UID from the activity event. -![Unix ID Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/unixid.webp) +![Unix ID Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/unixid.webp) The options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md index 69554c9566..6e151546c8 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/windows.md @@ -2,7 +2,7 @@ The Windows tab on a host's Properties window is specific to Windows hosts. -![Host Properties - Windows Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) +![Host Properties - Windows Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) Select whether to report the host name as either a **NETBIOS name** or a **Fully qualified domain name**. The Host Name can be previewed to see how it appears depending on the option selected. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md index 7725f6d3f3..2cce993168 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md 
@@ -10,13 +10,13 @@ window. The tab varies based on the type of host selected. The tab contains the following settings: -![Account Exclusions tab for Exchange Online](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/accountexclusions_exchangeonline.webp) +![Account Exclusions tab for Exchange Online](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/accountexclusions_exchangeonline.webp) - Add Windows Account – Opens the Specify account or group window to add an account for exclusion. - See the [Specify Account or Group Window](window/specifywindowsaccount.md) topic for additional + See the [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the - [Specify Unix Account Window](window/specifyunixaccount.md) topic for additional information. + [Specify Unix Account Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by accident, use the **Cancel** button to discard the 
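Review bot: In panzura.md (hunk @@ -21,7) and qumulo.md (hunk @@ -19,7), the rewritten image line still ends in `)-`, so the list marker for the following "HTTPS Options" item is stranded at the end of the image line and that item has no marker of its own. Since the line is being changed anyway, end the image line at `trustedservercertificate.webp)` and start the next line with `- HTTPS Options – Opens the Trusted server certificate window`.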
@@ -35,13 +35,13 @@ Properties window closes. The tab contains the following settings: -![linux](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) +![linux](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) - Add Windows Account – Opens the Specify account or group window to add an account for exclusion. - See the [Specify Account or Group Window](window/specifywindowsaccount.md) topic for additional + See the [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the - [Specify Unix Account Window](window/specifyunixaccount.md) topic for additional information. + [Specify Unix Account Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by accident, use the **Cancel** button to discard the 
@@ -60,13 +60,13 @@ Properties window closes. The tab contains the following settings: -![Account Exclusions tab for NAS Hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/nasdevices.webp) +![Account Exclusions tab for NAS Hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/nasdevices.webp) - Add Windows Account – Opens the Specify account or group window to add an account for exclusion. - See the [Specify Account or Group Window](window/specifywindowsaccount.md) topic for additional + See the [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the - [Specify Unix Account Window](window/specifyunixaccount.md) topic for additional information. + [Specify Unix Account Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by accident, use the **Cancel** button to discard the 
@@ -85,13 +85,13 @@ Properties window closes. The tab contains the following settings: -![Account Exclusions tab for SharePoint hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepoint.webp) +![Account Exclusions tab for SharePoint hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepoint.webp) - Add Windows Account – Opens the Specify account or group window to add an account for exclusion. - See the [Specify Account or Group Window](window/specifywindowsaccount.md) topic for additional + See the [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Add SharePoint Account – Opens the Specify account window to add an account for exclusion. See the - [Specify Account Window](window/specifysharepointaccount.md) topic for additional information. + [Specify Account Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysharepointaccount.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by accident, use the **Cancel** button to discard the 
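Review bot: The new link targets in this hunk bake the version into the path (`/docs/activitymonitor/8.0/...`), where the relative links they replace (`window/specifywindowsaccount.md`, `window/specifysharepointaccount.md`) were version-independent. If this tree is copied to start the next version's docs, these links would still point at 8.0, so please confirm the docs tooling rewrites them, or keep links within the same version relative. The rewritten `+` lines also run well past the wrap width of the surrounding text and leave "information." alone on the next line; rewrapping them would keep later diffs readable.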
@@ -110,10 +110,10 @@ Properties window closes. The tab contains the following settings: -![sqlhosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sqlhosts.webp) +![sqlhosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sqlhosts.webp) - Add Sql User – Opens the Specify Sql User name window to add an account for exclusion. See the - [Specify Sql User Name Window](window/specifysqluser.md) topic for additional information. + [Specify Sql User Name Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysqluser.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by accident, use the **Cancel** button to discard the @@ -132,10 +132,10 @@ Properties window closes. The tab contains the following settings: -![Account Exlcusions tab for Windows Hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) +![Account Exlcusions tab for Windows Hosts](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) - Add Windows Account – Opens the Specify account or group window to add an account for exclusion. - See the [Specify Account or Group Window](window/specifywindowsaccount.md) topic for additional + See the [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Remove – Removes the selected account from exclusion. Confirmation is not requested. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md index 277308baf1..95caffe2a3 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md @@ -6,7 +6,7 @@ name can be modified. These settings are initially configured when the output is Select an output from the Monitored Hosts tab and click **Edit** to open the output Properties window. -![Additional Properties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/additionalpropertiestab.webp) +![Additional Properties](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/additionalpropertiestab.webp) The options are: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/gidexclusions.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/gidexclusions.md index fc90c125c9..c713950ba2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/gidexclusions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/gidexclusions.md 
@@ -6,18 +6,18 @@ modified. These settings are initially configured when the output is added. Select an output for a Linux host on the Monitored Hosts tab and click **Edit** to open the output Properties window. -![gidexclusionstab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/gidexclusionstab.webp) +![gidexclusionstab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/gidexclusionstab.webp) The tab contains the following settings: - Add – Opens the Add or Edit GID window to add a group for exclusion. See the - [Add or Edit GID Window](window/addeditgid.md) topic for additional information. + [Add or Edit GID Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md) topic for additional information. - Remove – Removes the selected group from exclusion. Confirmation is not requested. **CAUTION:** If an account is removed by group, use the **Cancel** button to discard the change. - Edit – Opens the Add or Edit GID window to edit a selected group for exclusion. See the - [Add or Edit GID Window](window/addeditgid.md) topic for additional information. + [Add or Edit GID Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md) topic for additional information. The table lists groups that are being excluded from monitoring, displayed in the GID column. By default, no groups are being excluded. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md index 975ab333d0..55f0e9c224 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md 
@@ -11,7 +11,7 @@ selected. The tab contains the following settings: -![logfilesactivedirectory](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/logfilesactivedirectory.webp) +![logfilesactivedirectory](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/logfilesactivedirectory.webp) - Log file path – Identifies the full path of the activity log files on the activity agent server. The date timestamp is appended to the file name automatically. @@ -43,7 +43,7 @@ Properties window closes. The tab contains the following settings: -![Log File Tab - Windows File servers and NAS devices hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/windowsfilenasdevices.webp) +![Log File Tab - Windows File servers and NAS devices hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/windowsfilenasdevices.webp) - Log file path – Identifies the full path of the activity log files on the activity agent server. The date timestamp is appended to the file name automatically. @@ -105,7 +105,7 @@ Properties window closes. The tab contains the following settings: -![Log Files Tab for Linux Hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) +![Log Files Tab for Linux Hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) - Log file path – Identifies the full path of the activity log files on the activity agent server. The date timestamp is appended to the file name automatically. 
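Review bot: In accountexclusions.md, hunk @@ -132,10, the alt text on the rewritten image line is misspelled ("Account Exlcusions tab for Windows Hosts"), and its target `monitoredhosts/properties/windows.webp` is the same file windows.md uses for "Host Properties - Windows Tab". Correct the spelling to "Exclusions" while the line is being changed, and check whether the Account Exclusions section should point at its own screenshot rather than the Windows tab image.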
@@ -149,7 +149,7 @@ Properties window closes. The tab contains the following settings: -![Log File Tab - Azure Active Directory](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azuread.webp) +![Log File Tab - Azure Active Directory](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azuread.webp) - Log file path – Identifies the full path of the activity log files on the activity agent server. The date timestamp is appended to the file name automatically. @@ -176,13 +176,13 @@ Properties window closes. The tab contains the following settings: -![Log File Tab - SharePoint On-Premises hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepointonprem.webp) +![Log File Tab - SharePoint On-Premises hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sharepointonprem.webp) - Log file path – Identifies the full path of the activity log files on the activity agent server. The date timestamp is appended to the file name automatically. - Log file format – Indicates the file type used for the activity log. The default is JSON. See - [SharePoint JSON Log File](logfile/sharepointjson.md) topic and the - [SharePoint TSV Log File](logfile/sharepointtsv.md) topic for additional information. + [SharePoint JSON Log File](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfile/sharepointjson.md) topic and the + [SharePoint TSV Log File](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfile/sharepointtsv.md) topic for additional information. - Period to keep Log files – Activity logs are deleted after the number of days entered. The default is 10 days. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/objects.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/objects.md index 1e91f553f7..9f44df3fca 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/objects.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/objects.md @@ -6,7 +6,7 @@ be modified. These settings are initially configured when the output is added. Select an output for a SQL Server host on the Monitored Hosts tab and click **Edit** to open the output Properties window. -![Objects Tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp) +![Objects Tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp) The **Refresh** button populates the list of SQL Server objects for the selected host. By default, all objects are checked and will be monitored. Check and uncheck objects as desired. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md index 57e9f7d4e9..e56853f13d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md @@ -10,7 +10,7 @@ window. The tab varies based on the type of host selected. The tab contains the following settings and features: -![linux](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) +![linux](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) Use the options in the Operations tab to filter the list of available audit activities. The options are: 
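Review bot: The image on the `+` line of the operations.md hunk @@ -10,7 keeps the alt text `linux` and the target `outputs/linux.webp`, which is the same file referenced by "Log Files Tab for Linux Hosts" in logfiles.md and by the `linux` image in accountexclusions.md. One screenshot is unlikely to show all three tabs, so confirm the target is correct for the Operations tab, and give the image descriptive alt text in the style of the neighbouring "Host Properties - Azure AD Operations tab".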
@@ -27,7 +27,7 @@ Properties window closes. The tab contains the following settings and features: -![Host Properties - Azure AD Operations tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azureadoperationstab.webp) +![Host Properties - Azure AD Operations tab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azureadoperationstab.webp) - Monitor Sign-Ins activity – Indicates if user sign-ins activity is monitored - Monitor Audit activity – Indicates if audit for all operations is monitored @@ -72,7 +72,7 @@ Properties window closes. The tab contains the following settings and features: -![operations](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) +![operations](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operations.webp) - File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, Update @@ -85,7 +85,7 @@ Properties window closes. The tab contains the following settings and features: -![qumulooutputproperties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/qumulooutputproperties.webp) +![qumulooutputproperties](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/qumulooutputproperties.webp) - File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, Update 
@@ -102,7 +102,7 @@ Properties window closes. The tab contains the following settings and features: -![Operations Tab for SharePoint](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sp.webp) +![Operations Tab for SharePoint](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sp.webp) - SharePoint operations – Scope by SharePoint operation events: Check-Out, View, Update, Child Delete, Undelete, Copy, Audit Mask Change, Child Move, Custom, Check-In, Delete, Profile Change, @@ -121,7 +121,7 @@ Properties window closes. The tab contains a subset of tabs. Each tab has a **Select All** check box to include all events for that tab. -![Operations Tab for SharePoint Online Properties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) +![Operations Tab for SharePoint Online Properties](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) You can scope by the following events: @@ -283,7 +283,7 @@ Properties window closes. The tab contains the following settings and features: -![sql](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sql.webp) +![sql](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sql.webp) - DML operations – Scope by DML operation events: Select, Update, Merge, Insert, Delete, Execute - Audit operations – Scope by audit operation events: Login, Logout, Login Failed, Error @@ -297,7 +297,7 @@ Properties window closes. The tab contains the following settings and features: -![Operations Tab for File System](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/fs.webp) +![Operations Tab for File System](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/fs.webp) - Operation Type – Scope events by operation type: 
@@ -335,4 +335,4 @@ The tab contains the following settings and features: Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output Properties window closes. -See[Suppress Windows Explorer Activity](suppress.md) topic for more information. +See[Suppress Windows Explorer Activity](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/suppress.md) topic for more information. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md index 9fc7c6f83a..39b41c337b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/overview.md @@ -12,8 +12,8 @@ are three types of outputs: **NOTE:** This output is only available for Monitored Domains -See the [Output for Monitored Domains](../monitoreddomains/output.md) topic and the -[Output for Monitored Hosts](../monitoredhosts/output.md) topic for information on adding an output. +See the [Output for Monitored Domains](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/output.md) topic and the +[Output for Monitored Hosts](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/output.md) topic for information on adding an output. Output configurations vary based on the type of domain/host selected. 
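Review bot: In operations.md, hunk @@ -335,4, the rewritten line still reads `See[Suppress Windows Explorer Activity](...)` with no space between "See" and the link, and it drops the "the" used in the other cross-references ("See the [...] topic"). Change it to `See the [Suppress Windows Explorer Activity](...) topic for more information.` in this same commit, since the line is already being modified.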
@@ -21,166 +21,166 @@ Output configurations vary based on the type of domain/host selected. Output Properties window has the following tabs: -- [Log Files Tab](logfiles.md), File output only -- [Syslog Tab](syslog.md), Syslog output only -- [Threat Manager Tab](threatmanager.md), Netwrix Threat Manageroutput only +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only +- [Threat Manager Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/threatmanager.md), Netwrix Threat Manageroutput only ## For Dell Device Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Exchange Online Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) +- [Account Exclusions 
Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) - Application Exclusions Tab -- [Log Files Tab](logfiles.md), File output only +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only - Mailbox Exclusions Tab -- [Operations Tab](operations.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Hitachi Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Linux Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [GID Exclusions Tab](gidexclusions.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- 
[Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [GID Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/gidexclusions.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Microsoft Entra ID Hosts Output Properties window has the following tabs: -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Nasuni Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions 
Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For NetApp Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Nutanix Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- 
[Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Panzura Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Qumulo Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) 
-- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For SharePoint Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For SharePoint Online Hosts Output Properties window has the following tabs: -- [Additional Properties 
Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For SQL Server Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Objects Tab](objects.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Objects Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/objects.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only ## For Windows File Server Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](accountexclusions.md) -- [Additional Properties Tab](additionalproperties.md) -- [Log Files Tab](logfiles.md), File output only -- [Operations Tab](operations.md) -- [Path Filtering Tab](pathfiltering.md) -- [Protocols Tab](protocols.md) -- [Process Exclusions Tab](processexclusions.md) -- [Syslog Tab](syslog.md), Syslog output only +- [Account Exclusions 
Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md) +- [Process Exclusions Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/processexclusions.md) +- [Syslog Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md), Syslog output only diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md index 38c721a72d..7b6cd6675b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/pathfiltering.md @@ -11,10 +11,10 @@ window. The tab varies based on the type of host selected. The tab contains the following settings and features: -![pathfilteringtab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringtab.webp) +![pathfilteringtab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringtab.webp) - Add – Opens the Add or Edit Path window to add a new path to the list. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Remove – Removes the selected path from the list. Confirmation is not requested. **CAUTION:** If a path is removed by accident, use the **Cancel** button to discard the change. 
@@ -22,7 +22,7 @@ The tab contains the following settings and features: - Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these buttons move the selected path up or down in the list - Edit – Opens the Add or Edit Path window to modify the selected path. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Type a path below to test whether it will be included or excluded – Enter a path in the textbox to test whether it will be included/excluded based on the path filtering list @@ -52,10 +52,10 @@ Properties window closes. The tab contains the following settings and features: -![Host Properties - Path Filtering Tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringtab.webp) +![Host Properties - Path Filtering Tab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringtab.webp) - Add – Opens the Add or Edit Path window to add a new path to the list. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Remove – Removes the selected path from the list. Confirmation is not requested. **CAUTION:** If a path is removed by accident, use the **Cancel** button to discard the change. 
@@ -63,7 +63,7 @@ The tab contains the following settings and features: - Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these buttons move the selected path up or down in the list - Edit – Opens the Add or Edit Path window to modify the selected path. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Type a path below to test whether it will be included or excluded – Enter a path in the textbox to test whether it will be included/excluded based on the path filtering list @@ -94,7 +94,7 @@ Properties window closes. For a SharePoint host, the Path Filtering tab is for including and excluding sites. The tab contains the following settings and features: -![Path Filtering Tab for SharePoint Hosts](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringsharepointhosts.webp) +![Path Filtering Tab for SharePoint Hosts](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/pathfilteringsharepointhosts.webp) - To audit all sites, leave the textbox blank - To include a specific site, enter the URL @@ -110,7 +110,7 @@ Use a semicolon (;) to separate multiple URLs. The tab contains the following settings and features: - Add – Opens the Add or Edit Path window to add a new path to the list. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Remove – Removes the selected path from the list. Confirmation is not requested. **CAUTION:** If a path is removed by accident, use the **Cancel** button to discard the change. 
@@ -118,7 +118,7 @@ The tab contains the following settings and features: - Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these buttons move the selected path up or down in the list - Edit – Opens the Add or Edit Path window to modify the selected path. See the - [Add or Edit Path Window](window/addeditpath.md) topic for additional information. + [Add or Edit Path Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md) topic for additional information. - Add all local drives – Retrieves and adds all local drives to the bottom of the list with a type of Include - Type a path below to test whether it will be included or excluded – Enter a path in the textbox to diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/processexclusions.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/processexclusions.md index ad17a28fc8..2e227f143b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/processexclusions.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/processexclusions.md 
@@ -8,19 +8,19 @@ processes can be modified. These settings are initially configured when the outp Select an output for a Windows file server host on the Monitored Hosts tab and click **Edit** to open the output Properties window. -![Process Exclusions Tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/processexclusions.webp) +![Process Exclusions Tab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/processexclusions.webp) The tab contains the following settings and features: - Add – Opens the Add or Edit Process window to add a new process to the list. See the - [Add or Edit Process Window](window/addeditprocess.md) topic for additional information. + [Add or Edit Process Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md) topic for additional information. - Remove – Removes the selected path from the list. Confirmation is not requested. **CAUTION:** If a process is removed by accident, use the **Cancel** button to discard the change. - Edit – Opens the Add or Edit Process window to modify the selected process. See the - [Add or Edit Process Window](window/addeditprocess.md) topic for additional information. + [Add or Edit Process Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md) topic for additional information. The table lists process that will be excluded, displaying columns for Process Name and Events. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md index 3dac0584eb..2c644bf6d9 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/protocols.md 
@@ -6,7 +6,7 @@ modified. These settings are initially configured when the output is added. Select an output from the Monitored Hosts tab and click **Edit** to open the output Properties window. -![Protocols Tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/protocolstab.webp) +![Protocols Tab](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/protocolstab.webp) The tab contains the following settings: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md index f4911216bc..a113dbb54e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/syslog.md @@ -12,7 +12,7 @@ selected. The tab contains the following settings: -![syslogactivedirectory](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogactivedirectory.webp) +![syslogactivedirectory](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogactivedirectory.webp) - Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. 
@@ -27,7 +27,7 @@ The tab contains the following settings: delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). - Syslog message template – Template that controls what data is sent in the event stream. The ellipsis (…) button opens the Syslog Message Template window. See the - [Message Template Window](window/messagetemplate.md) topic for additional information. + [Message Template Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md) topic for additional information. - Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event reporting is enabled, which means the agent will send out status messages every five minutes to verify whether the connection is still active. @@ -48,7 +48,7 @@ Properties window closes. The tab contains the following settings: -![sysloglinux](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sysloglinux.webp) +![sysloglinux](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/sysloglinux.webp) - Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. @@ -67,7 +67,7 @@ The tab contains the following settings: delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). - Syslog message template – Template that controls what data is sent in the event stream. The ellipsis (…) button opens the Syslog Message Template window. See the - [Message Template Window](window/messagetemplate.md) topic for additional information. + [Message Template Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md) topic for additional information. - Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) is added to the beginning of the NAS file paths in the activity data stream, e.g. `C:\Folder\file.txt` 
@@ -88,7 +88,7 @@ Properties window closes. The tab contains the following settings: -![syslogentraid](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogentraid.webp) +![syslogentraid](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogentraid.webp) - Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. @@ -103,7 +103,7 @@ The tab contains the following settings: delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). - Syslog message template – Template that controls what data is sent in the event stream. The ellipsis (…) button opens the Syslog Message Template window. See the - [Message Template Window](window/messagetemplate.md) topic for additional information. + [Message Template Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md) topic for additional information. The Test button sends a test message to the Syslog server to check the connection. A green check mark or red x will indicate whether the test message has been sent or failed to send. Test messages @@ -121,7 +121,7 @@ Properties window closes. The tab contains the following settings: -![syslognas](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslognas.webp) +![syslognas](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslognas.webp) - Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. 
@@ -140,7 +140,7 @@ The tab contains the following settings: delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). - Syslog message template – Template that controls what data is sent in the event stream. The ellipsis (…) button opens the Syslog Message Template window. See the - [Message Template Window](window/messagetemplate.md) topic for additional information. + [Message Template Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md) topic for additional information. - Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) is added to the beginning of the NAS file paths in the activity data stream, e.g. `C:\Folder\file.txt` @@ -162,7 +162,7 @@ Properties window closes. The tab contains the following settings: -![syslogwindows](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogwindows.webp) +![syslogwindows](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/syslogwindows.webp) - Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. @@ -181,7 +181,7 @@ The tab contains the following settings: delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). - Syslog message template – Template that controls what data is sent in the event stream. The ellipsis (…) button opens the Syslog Message Template window. See the - [Message Template Window](window/messagetemplate.md) topic for additional information. + [Message Template Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md) topic for additional information. - Resolve UNC paths The Test button sends a test message to the Syslog server to check the connection. A green check 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/threatmanager.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/threatmanager.md index 2246df9ea5..fbf3e3b51d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/threatmanager.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/threatmanager.md @@ -12,7 +12,7 @@ additional information. Select a Threat Manager output from the Monitored Domains tab and click **Edit** to open the output Properties window. -![threatmanager](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/threatmanager.webp) +![threatmanager](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/threatmanager.webp) The tab contains the following settings: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md index 4b668b8217..b5263ef4dd 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditgid.md @@ -2,7 +2,7 @@ The Add or Edit GID window is opened from a field where a Linux group is needed. -![addoreditgidwindow](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditgidwindow.webp) +![addoreditgidwindow](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditgidwindow.webp) Type the GID for the desired group in the textbox. Then click OK. The Add or Edit GID window closes, and the group is added to the field where the window was opened. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md index cbc7bcc91a..1587222401 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditpath.md @@ -3,7 +3,7 @@ The Add or Edit Path window is opened from the Path Filtering tab of a monitored host's output Properties window. -![addoreditpath](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditpath.webp) +![addoreditpath](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditpath.webp) - Specify a path to filter during collection – Enter a file path in the textbox or use the ellipsis (…) to browse for a folder @@ -16,7 +16,7 @@ the monitored host. For NAS devices, the activity agent can configured to add ‘C:\’ to the beginning of the path, which is a requirement for the output that is designated for StealthAUDIT.exe or being read by a Netwrix -Threat Prevention agent. That configuration is on the [Log Files Tab](../logfiles.md). If the option +Threat Prevention agent. That configuration is on the [Log Files Tab](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/logfiles.md). If the option is enabled for this monitored device, start your paths with C:\. ## Wildcard diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md index fc7a33ea9a..538dfef8b6 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/addeditprocess.md 
@@ -3,7 +3,7 @@ The Add or Edit Process window is opened from the Process Exclusions tab of a monitored host's output Properties window. -![Add or Edit Process popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditprocessprocessexclusions.webp) +![Add or Edit Process popup window](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/addoreditprocessprocessexclusions.webp) - Process name – Displays the name of the process to be excluded. You can enter a process name in the textbox or select a process from the Running processes list. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md index 26c08e01e7..d9652ae8aa 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/messagetemplate.md @@ -3,7 +3,7 @@ The Message Template window is opened from the ellipsis (…) button for the Syslog Message Template field on the Syslog tab of the output Properties window. -![Message Template window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/syslogmessagetemplate.webp) +![Message Template window](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/syslogmessagetemplate.webp) You can select a preconfigured template from the drop-down menu or create a custom template. The available preconfigured templates vary based on the type of domain/host selected. 
@@ -88,10 +88,10 @@ Monitored Hosts Syslog outputs have the following preconfigured Templates: - LogRhythm - McAfee - QRadar – Use this template for IBM QRadar integration. See the - [Netwrix File Activity Monitor App for QRadar](../../../siem/qradar/overview.md) topic for + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) topic for additional information. - Splunk – Use this template for Splunk integration. See the Configure the - [File Activity Monitor App for Splunk](../../../siem/splunk/overview.md) topic for additional + [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) topic for additional information. - Netwrix Threat Manager (StealthDEFEND) – Use this template for Netwrix Threat Manager integration. This is the only supported template for Threat Manager. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysharepointaccount.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysharepointaccount.md index 1b66c01ee8..6273c2ff87 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysharepointaccount.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysharepointaccount.md @@ -2,7 +2,7 @@ The Specify account window is opened from a field where a SharePoint account is needed. -![Specify Account popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/sharepointspecifyaccount.webp) +![Specify Account popup window](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/sharepointspecifyaccount.webp) There are two options for specifying an account: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysqluser.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysqluser.md index 31628eb18f..9877e76d75 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysqluser.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifysqluser.md @@ -2,7 +2,7 @@ The Specify Sql User name window is opened from a field where a SQL Server account is needed. -![specifysqlusernamewindow](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/specifysqlusernamewindow.webp) +![specifysqlusernamewindow](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/specifysqlusernamewindow.webp) Enter the SQL Server user name into the text box. Multiple user names can be added using a semicolon (;), a comma (,), or a space. Then click OK. The Specify Sql User name window closes, and the diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md index 7fb488de4d..14e47b1dd9 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifyunixaccount.md @@ -2,7 +2,7 @@ The Specify Unix Account or group window is opened from a field where a Unix account is needed. -![Specify Unix Account popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/unixspecifyunixaccount.webp) +![Specify Unix Account popup window](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/window/unixspecifyunixaccount.webp) Type the UID for the desired account in the textbox. Multiple UIDs can be added using a semicolon (;), a comma (,), or a space. Then click OK. The Specify Unix Account window closes, and the account 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md index eb277a825c..eb378104ee 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md @@ -2,7 +2,7 @@ The Specify account or group window is opened from a field where a Windows account is needed. -![Specify Account or Group popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/windowsspecifyaccountorgroup.webp) +![Specify Account or Group popup window](/img/product_docs/activitymonitor/activitymonitor/admin/agents/properties/windowsspecifyaccountorgroup.webp) Follow the steps to use this window. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/overview.md index 747de5b55d..c71ff92f0d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/overview.md 
@@ -3,28 +3,28 @@ The Activity Monitor Console is used to deploy and manage activity agents, configure host monitoring, and search events within activity log files. -![Activity Monitor with Navigation tabs identified](../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/activitymonitormain.webp) +![Activity Monitor with Navigation tabs identified](/img/product_docs/activitymonitor/activitymonitor/admin/activitymonitormain.webp) There are up to three tabs at the top left of the window: - Agents – Deploy activity / AD agents and manage settings. This is the only tab available until an - agent is installed. See the [Agent Information](../install/agents.md) topic for additional + agent is installed. See the [Agent Information](/docs/activitymonitor/8.0/activitymonitor/install/agents.md) topic for additional information - Monitored Domains – Configure activity monitoring per host (appears after the first Active - Directory agent is deployed). See the [Monitored Domains Tab](monitoreddomains/overview.md) topic + Directory agent is deployed). See the [Monitored Domains Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md) topic for additional information. - Monitored Hosts – Configure activity monitoring per host (appears after first activity agent is - deployed). See the [Monitored Hosts Tab](monitoredhosts/overview.md) + deployed). See the [Monitored Hosts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md) - Search – Magnifying glass icon used to search activity log files (appears after first activity agent is deployed) - - See the [Search Feature](search/overview.md) topic for additional information. + - See the [Search Feature](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md) topic for additional information. 
In the Status bar at the bottom of the console is the following information: - Version – Version number for the Activity Monitor - License information – Identifies the organization associated with the license. See the - [Install Application](../install/application.md) topic for additional information. + [Install Application](/docs/activitymonitor/8.0/activitymonitor/install/application.md) topic for additional information. - Trace Level – Creates Trace Logs to provide troubleshooting information. See the - [Trace Logs](../troubleshooting/tracelogs.md) topic for additional information. + [Trace Logs](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md) topic for additional information. - Collect Logs – Collects Trace Logs produced by Trace level diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md index fa44a20646..d42a568395 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md @@ -4,7 +4,7 @@ The search feature consolidates and compartmentalizes search results based on ev users, hosts, etc. Search results populate based on which query filters are chosen. Results may then be sorted, filtered, and/or exported into a CSV file or JSON file, depending on the type data. -![Search Tab](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/searchtab.webp) +![Search Tab](/img/product_docs/dataclassification/ndc/admin/taxonomies/searchtab.webp) **NOTE:** Search results are pulled from the File output of the monitored host or domain. 
@@ -52,7 +52,7 @@ Follow the steps to use the search feature. The drop-down menu for a column header in the search results data grid provides the option to filter the search results further. -![Operations Filter Dropdown Menu](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/operationssdropdownfiltermenu.webp) +![Operations Filter Dropdown Menu](/img/product_docs/activitymonitor/activitymonitor/admin/search/operationssdropdownfiltermenu.webp) Choose between checking/unchecking the desired field values from the list of available values and typing in the search textbox. The Clear filter option removes all filters from the selected column. @@ -67,7 +67,7 @@ Clicking on any column header in the search results data grid sorts the results that column, and an arrow shows next to the column name indicating the sort to be ascending or descending order. -![Sort Options](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/sort.webp) +![Sort Options](/img/product_docs/activitymonitor/activitymonitor/admin/search/sort.webp) The drop-down menu on the column header has options to Sort A to Z or Sort Z to A for the selected column. Sorting can only occur for one column at a time. @@ -78,7 +78,7 @@ column. Sorting can only occur for one column at a time. The search results data grid can be exported to a CSV/JSON file. -![Export Button](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/exportbutton.webp) +![Export Button](/img/product_docs/activitymonitor/activitymonitor/admin/search/exportbutton.webp) Once the search results are configured as desired, click the Export button located at the top left corner of the window. Set the name and location of the CSV/JSON file. diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/activedirectory.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/activedirectory.md index b0d75b53a2..38f20d7d45 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/activedirectory.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/activedirectory.md @@ -4,7 +4,7 @@ You can search domain activity that has been monitored and recorded to a File ou select **Active Directory** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![Search - Active Directory New Search Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/activedirectorynewsearchtab.webp) +![Search - Active Directory New Search Tab](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/activedirectorynewsearchtab.webp) The filters are separated into the following categories: @@ -19,8 +19,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry 
@@ -43,7 +43,7 @@ The General category addresses who, what, where, and when an object, user, host, controller is affected by the events selected in the other categories. The time frame filter must be configured for every search query. -![Active Directory Search - General Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) +![Active Directory Search - General Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) This section has the following filters: @@ -64,7 +64,7 @@ This section has the following filters: - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify account or group window. Use this window to resolve the account for the user. See the - [Specify Account or Group Window](../../outputs/window/specifywindowsaccount.md) topic for + [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - From Hosts – Filter the data for a specific originating host of the event @@ -75,7 +75,7 @@ This section has the following filters: The Object Changes category scopes the query by objects with change activity. -![Object Changes Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/objectchangesfilters.webp) +![Object Changes Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/objectchangesfilters.webp) This section has the following filters: 
@@ -94,7 +94,7 @@ This section has the following filters: The LSASS Guardian category scopes the query by LSASS Guardian activity. -![LSASS Guardian Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/lsassguardianfilters.webp) +![LSASS Guardian Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/lsassguardianfilters.webp) This section has the following filters: @@ -106,7 +106,7 @@ This section has the following filters: The LDAP Queries category scopes the query by LDAP query activity. -![LDAP Queries Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/ldapqueriesfilters.webp) +![LDAP Queries Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/ldapqueriesfilters.webp) This section has the following filters: @@ -117,7 +117,7 @@ This section has the following filters: The Authentication category scopes the query by authentication activity. -![Authentication Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/authenticationfilters.webp) +![Authentication Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/authenticationfilters.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/entraid.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/entraid.md index 492d2287ce..4dbd341125 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/entraid.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/entraid.md 
@@ -4,7 +4,7 @@ You can search activity in Microsoft Entra ID (Azure AD) that has been monitore File output. When you select **Azure AD / Entra ID** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![Search Query - Entra ID](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchquery.webp) +![Search Query - Entra ID](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchquery.webp) The filters are separated into the following categories: @@ -20,8 +20,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -43,7 +43,7 @@ field. Field options vary based on the selected query filter: The General category scopes the query by the most common types of filters. The time frame filter must be configured for every search query. -![Search Query - General Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) +![Search Query - General Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) This section has the following filters: 
@@ -63,7 +63,7 @@ This section has the following filters: The User category scopes the query by the user, or perpetrator of the activity. -![Search Query - User](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/userfilters.webp) +![Search Query - User](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/userfilters.webp) This section has the following filters: @@ -76,7 +76,7 @@ This section has the following filters: The Audit Events category scopes the query by the event type of the activity. -![Search Query - Audit Events](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/auditeventsfilters.webp) +![Search Query - Audit Events](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/auditeventsfilters.webp) This section has the following filters: @@ -97,7 +97,7 @@ This section has the following filters: The Target Resource category scopes the query by the target of the activity. -![Search Query - Target Resource](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/targetresourcefilters.webp) +![Search Query - Target Resource](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/targetresourcefilters.webp) This section has the following filters: @@ -110,7 +110,7 @@ This section has the following filters: The Sign-in Events category scopes the query by the sign-in event. -![Search Query - Sign-in Events](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/signinevents.webp) +![Search Query - Sign-in Events](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/signinevents.webp) This section has the following filters: 
@@ -121,7 +121,7 @@ This section has the following filters: The Location category scopes the query by the location of the user. -![Search Query - Location](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/locationfilters.webp) +![Search Query - Location](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/locationfilters.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/exchangeonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/exchangeonline.md index dc49963ace..29227fa76e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/exchangeonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/exchangeonline.md @@ -4,7 +4,7 @@ You can search Exchange Online activity that has been monitored and recorded to you select **Exchange Online** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![Exchange Online - Search Quary Bar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchquerybar.webp) +![Exchange Online - Search Quary Bar](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchquerybar.webp) The filters are separated into the following categories: 
@@ -18,8 +18,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters.You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -41,7 +41,7 @@ field. Field options vary based on the selected query filter: The General category scopes the query by the most common types of filters. The time frame filter must be configured for every search query. -![Exchange Online - General Category](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/general.webp) +![Exchange Online - General Category](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/general.webp) This section has the following filters: @@ -63,7 +63,7 @@ This section has the following filters: The User category scopes the query by the user, or perpetrator of the activity. -![Exchange Online Search - User Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) +![Exchange Online Search - User Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) This section has the following filters: 
@@ -77,7 +77,7 @@ This section has the following filters: The Target category scopes the query by the target of the file. -![Exchange Online Search - Target Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) +![Exchange Online Search - Target Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/target.webp) This section has the following filters: @@ -89,7 +89,7 @@ This section has the following filters: The DLP category scopes the query by the DLP policy. -![Exchange Online Search - DLP Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/dlp.webp) +![Exchange Online Search - DLP Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/dlp.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/file.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/file.md index 52ab54839b..6a5c5575a2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/file.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/file.md 
@@ -4,15 +4,15 @@ You can search Windows file server and NAS device activity that has been monitor File output. When you select **File** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![Search UI Options Toolbar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchuitop.webp) +![Search UI Options Toolbar](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchuitop.webp) By default, the query is set to return all event activity for the past day. Configuring query filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -52,7 +52,7 @@ The sections have the following filters: - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify account or group window. Use this window to resolve the account for the user. See the - [Specify Account or Group Window](../../outputs/window/specifywindowsaccount.md) topic for + [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - GID 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/linux.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/linux.md index c2591aa97a..5983b96ace 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/linux.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/linux.md @@ -4,15 +4,15 @@ You can search Linux file server and NAS device activity that has been monitored File output. When you select **Linux** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![Linux Search Query](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/linuxsearchquerybar.webp) +![Linux Search Query](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/linuxsearchquerybar.webp) By default, the query is set to return all event activity for the past day. Configuring query filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry 
@@ -47,7 +47,7 @@ The sections have the following filters: - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify account or group window. Use this window to resolve the account for the user. See the - [Specify Account or Group Window](../../outputs/window/specifywindowsaccount.md) topic for + [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - GID diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepoint.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepoint.md index 95b4006171..dcab1c3f9e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepoint.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepoint.md @@ -4,7 +4,7 @@ You can search SharePoint activity that has been monitored and recorded to a Fil select **SharePoint** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![SharePoint New Search Tab](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharepointnewsearchtab.webp) +![SharePoint New Search Tab](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharepointnewsearchtab.webp) The filters are separated into the following categories: 
@@ -20,8 +20,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters.You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -44,7 +44,7 @@ The General category addresses who, what, where, and when an object, user, host, controller is affected by the events selected in the other categories. The time frame filter must be configured for every search query. -![General Category - SharePoint](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) +![General Category - SharePoint](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) This section has the following filters: @@ -77,7 +77,7 @@ This section has the following filters: - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify account or group window. Use this window to resolve the account for the user. See the - [Specify Account or Group Window](../../outputs/window/specifywindowsaccount.md) topic for + [Specify Account or Group Window](/docs/activitymonitor/8.0/activitymonitor/admin/outputs/window/specifywindowsaccount.md) topic for additional information. - Search Limit – Set the maximum number of rows returned in the search results. The default is 
@@ -89,7 +89,7 @@ This section has the following filters: The Audit category scopes the query by audit mask activity. -![SharePoint Search - Audit filter section](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/auditmask.webp) +![SharePoint Search - Audit filter section](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/auditmask.webp) This section has the following filters: @@ -101,7 +101,7 @@ This section has the following filters: The Move/Delete/Copy/Checkin category scopes the query by file move and version activity. -![SharePoint Search Query - Move/Delete/Copy/Checkin Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/movedeletecopycheckinfilters.webp) +![SharePoint Search Query - Move/Delete/Copy/Checkin Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/movedeletecopycheckinfilters.webp) This section has the following filters: @@ -113,7 +113,7 @@ This section has the following filters: The Delete category scopes the query by type of delete activity. -![SharePoint Search Query - Delete FIlters](../../../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) +![SharePoint Search Query - Delete FIlters](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) This section has the following filters: @@ -123,7 +123,7 @@ This section has the following filters: The Search category scopes the query by search activity. -![SharePoint Search Query - Search Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchfilters.webp) +![SharePoint Search Query - Search Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/searchfilters.webp) This section has the following filters: 
@@ -134,7 +134,7 @@ This section has the following filters: The Permissions category scopes the query by permission change activity. -![SharePoint Search Query - Permissions Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/permissionsfilters.webp) +![SharePoint Search Query - Permissions Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/permissionsfilters.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepointonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepointonline.md index 41d2d86616..ee1ba75178 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepointonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sharepointonline.md @@ -4,7 +4,7 @@ You can search SharePoint Online activity that has been monitored and recorded t When you select **SharePoint Online** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![SharePoint Online - Search Quary Bar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharepointonlinesearchquerybar.webp) +![SharePoint Online - Search Quary Bar](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharepointonlinesearchquerybar.webp) The filters are separated into the following categories: 
@@ -21,8 +21,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -44,7 +44,7 @@ field. Field options vary based on the selected query filter: The General category scopes the query by the most common types of filters. The time frame filter must be configured for every search query. -![SharePoint Online Search - General Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) +![SharePoint Online Search - General Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilters.webp) This section has the following filters: @@ -68,7 +68,7 @@ This section has the following filters: The User category scopes the query by the user, or perpetrator of the activity. -![SharePoint Online Search - User Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) +![SharePoint Online Search - User Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) This section has the following filters: 
@@ -83,7 +83,7 @@ This section has the following filters: The Location category scopes the query by the location of the file. -![SharePoint Online Search - Location Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/location.webp) +![SharePoint Online Search - Location Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/location.webp) This section has the following filters: @@ -95,7 +95,7 @@ This section has the following filters: The Item category scopes the query by the item. -![SharePoint Online Search - Item Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/item.webp) +![SharePoint Online Search - Item Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/item.webp) This section has the following filters: @@ -108,7 +108,7 @@ This section has the following filters: The Sharing category scopes the query by the type of sharing. -![SharePoint Online Search - Sharing Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharing.webp) +![SharePoint Online Search - Sharing Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sharing.webp) This section has the following filters: @@ -121,7 +121,7 @@ This section has the following filters: The DLP category scopes the query by the DLP policy. -![SharePoint Online Search - DLP Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/dlp.webp) +![SharePoint Online Search - DLP Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/dlp.webp) This section has the following filters: 
@@ -131,7 +131,7 @@ This section has the following filters: The Custom category scopes the query by custom event activity. -![SharePoint Online Search - Custom Filter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/custom.webp) +![SharePoint Online Search - Custom Filter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/custom.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sqlserver.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sqlserver.md index 097ef07347..df58a0e47d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sqlserver.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/query/sqlserver.md @@ -4,7 +4,7 @@ You can search SQL Server activity that has been monitored and recorded to a Fil select **SQL Server** from the magnifying glass drop-down menu, a New Search tab opens with the applicable query filters. -![SQL Server Search Query](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sqlsearchquerytoolbar.webp) +![SQL Server Search Query](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sqlsearchquerytoolbar.webp) The filters are separated into the following categories: 
@@ -17,8 +17,8 @@ filters will scope results returned. Set the filters as desired and click **Search**. The application searches through the appropriate activity log files and returns the events that match the filters. You can -[Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +[Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. Filter Value Entry @@ -40,7 +40,7 @@ field. Field options vary based on the selected query filter: The General category scopes the query by the most common types of filters. The time frame filter must be configured for every search query. -![General Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilter.webp) +![General Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/generalfilter.webp) This section has the following filters: @@ -58,7 +58,7 @@ This section has the following filters: The User category scopes the query by the user, or perpetrator of the activity. -![userfilter](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/userfilter.webp) +![userfilter](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/userfilter.webp) This section has the following filters: 
@@ -69,7 +69,7 @@ This section has the following filters: The SQL category scopes the query by SQL Server activity. -![SQL Filters](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sqlfilters.webp) +![SQL Filters](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/sqlfilters.webp) This section has the following filters: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/activedirectory.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/activedirectory.md index 5b90a6edf7..5319917f17 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/activedirectory.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/activedirectory.md @@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per AD agent. -You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the column -headers. Below the Search button is the [Export](../overview.md#export) option. +You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![Active Directory Search Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/activedirectorysearchresults.webp) +![Active Directory Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/activedirectorysearchresults.webp) The results data grid columns display the following information for each event: 
diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/entraid.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/entraid.md index f7e81ace54..ee7e69806b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/entraid.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/entraid.md @@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![Azure Active Directory - Search Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) +![Azure Active Directory - Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/exchangeonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/exchangeonline.md index 9f5bbc3e05..f824a0a6e4 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/exchangeonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/exchangeonline.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![Exchange Online - Search Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) +![Exchange Online - Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/file.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/file.md index 12c2392089..193f3882d2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/file.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/file.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![File Search Results UI](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/filesearchresults.webp) +![File Search Results UI](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/filesearchresults.webp) The results data grid columns display the following information for each event: 
@@ -55,12 +55,12 @@ applicable to the event) are displayed. When the results data grid displays information about permissions changes, additional information is made available. -![Search Results with Permissions listed in the Operations Column](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/filesearchresultspermissionsimage.webp) +![Search Results with Permissions listed in the Operations Column](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/filesearchresultspermissionsimage.webp) A link displays in the **Operation** column of the results data grid. Click the Permissions Change link to open the Permissions Change Details window. -![File Search Results Permissions link popup window](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/permissionslpopupwindow.webp) +![File Search Results Permissions link popup window](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/permissionslpopupwindow.webp) The window displays details about the changes of the security descriptor with information from the new line added to a DACL: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/linux.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/linux.md index 5c3f59da6e..8924f00780 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/linux.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/linux.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per Linux -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![linuxsearchresults](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/linuxsearchresults.webp) +![linuxsearchresults](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/linuxsearchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepoint.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepoint.md index ebe791e73e..d68e23bb41 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepoint.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepoint.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![SharePoint Search - Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sharepointsearchresults.webp) +![SharePoint Search - Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sharepointsearchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepointonline.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepointonline.md index 0d3bb1f169..bb3372f70b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepointonline.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sharepointonline.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![SharePoint Online Search Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sharepointonlinesearchresults.webp) +![SharePoint Online Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sharepointonlinesearchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sqlserver.md b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sqlserver.md index 5a483a1362..b95c268992 100644 --- a/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sqlserver.md +++ b/docs/activitymonitor/8.0/activitymonitor/admin/search/results/sqlserver.md 
@@ -2,10 +2,10 @@ When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity -agent. You can [Filter](../overview.md#filter) and [Sort](../overview.md#sort) the results using the -column headers. Below the Search button is the [Export](../overview.md#export) option. +agent. You can [Filter](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md#export) option. -![SQL Server Search Results](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sqlsearchresults.webp) +![SQL Server Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/sqlsearchresults.webp) The results data grid columns display the following information for each event: diff --git a/docs/activitymonitor/8.0/activitymonitor/gettingstarted.md b/docs/activitymonitor/8.0/activitymonitor/gettingstarted.md index 91683bebfe..887897f5a7 100644 --- a/docs/activitymonitor/8.0/activitymonitor/gettingstarted.md +++ b/docs/activitymonitor/8.0/activitymonitor/gettingstarted.md 
@@ -10,8 +10,8 @@ the target environment and configured to monitor activity. It is necessary to pr environment and configure the credentials used by the agents. Each supported environment has different requirements. See the following topics for additional information: -- Console server [Requirements ](requirements/overview.md) -- [Activity Agent Server Requirements](requirements/activityagent.md) for monitoring: +- Console server [Requirements ](/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md) +- [Activity Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md) for monitoring: - Exchange Online - Microsoft Entra ID @@ -21,17 +21,17 @@ different requirements. See the following topics for additional information: - SQL Servers - Windows File servers -- [AD Agent Server Requirements](requirements/adagent.md) for monitoring Active Directory -- [Linux Agent Server Requirements](requirements/linuxagent.md) for monitoring Linux file servers +- [AD Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md) for monitoring Active Directory +- [Linux Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/linuxagent.md) for monitoring Linux file servers ## Install & Deploy Agents Once the prerequisites are accomplished, you are ready to install the application and deploy agents. See the following topics for additional information: -- [Install Application](install/application.md) -- [Agent Information](install/agents.md) -- [Import License Key](install/importlicensekey.md) +- [Install Application](/docs/activitymonitor/8.0/activitymonitor/install/application.md) +- [Agent Information](/docs/activitymonitor/8.0/activitymonitor/install/agents.md) +- [Import License Key](/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md) ## Configure Monitoring 
@@ -41,11 +41,11 @@ target environments it is done after the agent is deployed. You will configure w monitored as well as where the collected data will go (outputs). See the following topics for additional information: -- [Monitored Domains Tab](admin/monitoreddomains/overview.md) for Active Directory monitoring -- [Monitored Hosts Tab](admin/monitoredhosts/overview.md) for all other target environments. +- [Monitored Domains Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoreddomains/overview.md) for Active Directory monitoring +- [Monitored Hosts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/overview.md) for all other target environments. ## Search Activity Event Data You can query the activity logs created by the activity agents from within the console. Using the search feature, set filters for the query to view monitored events. See the -[Search Feature](admin/search/overview.md) topic for additional information. +[Search Feature](/docs/activitymonitor/8.0/activitymonitor/admin/search/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/agent/manual.md b/docs/activitymonitor/8.0/activitymonitor/install/agent/manual.md index 225c455659..98c5462348 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/agent/manual.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/agent/manual.md 
@@ -13,31 +13,31 @@ installation package. The default location is: **Step 3 –** Click the Activity Monitor agent installation package and the Wizard opens. -![Activity Monitor Agent Setup Wizard - Welcome Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Activity Monitor Agent Setup Wizard - Welcome Page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 4 –** On the welcome page click **Next**. -![End-User License Agreement Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![End-User License Agreement Page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 5 –** On the End-User License Agreement page, select the **I accept the terms in the License Agreement** option and click **Next**. -![Destination Folder Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 6 –** (Optional) On the Destination Folder page, click **Change** to change the installation directory location. -![Change Destination Folder Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) +![Change Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) **Step 7 –** Click **OK** on the Change destination folder page to return to the Destination folder page. Click **Next**. -![Ready to install Netwrix Activity Monitor Agent 64-bit Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/readyinstall.webp) +![Ready to install Netwrix Activity Monitor Agent 64-bit Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/readyinstall.webp) **Step 8 –** On the Ready to install page, click **Install**. 
The installation process begins. The Setup wizard displays the installation status. -![Completion Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) +![Completion Page](/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) **Step 9 –** When installation is complete, click Finish. @@ -85,14 +85,14 @@ Example: ## Add the Activity Agent to the Console Before deploying the Activity Monitor agent, ensure all -[Activity Agent Server Requirements](../../requirements/activityagent.md) have been met, including +[Activity Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md) have been met, including those for NAS devices when applicable. **NOTE:** These steps are specific to deploying activity agents for monitoring file systems, SharePoint, SQL Server, Azure and Office 365 environments. See the -[Active Directory Agent Deployment](../../admin/agents/add/activedirectory.md) section for +[Active Directory Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/activedirectory.md) section for instruction on deploying the AD agent. See the -[Linux Agent Deployment](../../admin/agents/add/linux.md) topic for instructions on deploying agents +[Linux Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/linux.md) topic for instructions on deploying agents to Linux servers. Follow the steps to deploy the activity agent to a single Windows server. 
@@ -101,21 +101,21 @@ Follow the steps to deploy the activity agent to a single Windows server. **Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. -![Install New Agent Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 3 –** Specify the server name where the agent will be deployed. To add multiple server names, -see the [Multiple Activity Agents Deployment](../../admin/agents/add/multiple.md) topic for +see the [Multiple Activity Agents Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/multiple.md) topic for additional information. Click **Next**. -![Agent Port Configuration](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) +![Agent Port Configuration](/img/product_docs/activitymonitor/activitymonitor/install/agent/portdefault.webp) **Step 4 –** Specify the port to be used for the agent. Click **Next**. -![Credentials to connect to servers](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials to connect to servers](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 5 –** On the Credentials to Connect to the Server(s) page, specify the credentials for the server to which the agent is deployed. See the -[Single Activity Agent Deployment](../../admin/agents/add/single.md) topic for additional +[Single Activity Agent Deployment](/docs/activitymonitor/8.0/activitymonitor/admin/agents/add/single.md) topic for additional information on credential options. Click **Connect**. **NOTE:** When clicking **Connect** while adding the Agent to the Console, the connection may fail. 
@@ -126,12 +126,12 @@ installed. **Step 6 –** Regardless of the warning messages that the agent cannot be installed or upgraded, click **Next**. The console will automatically detect the agent as it is already installed. -![Agent Install Location](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) +![Agent Install Location](/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) **Step 7 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click **Next**. -![Windows Agent Settings](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) +![Windows Agent Settings](/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) **Step 8 –** Specify the Activity Monitor Agent Management Group (if desired). Click Finish. @@ -143,7 +143,7 @@ The Agent is now added to the Activity Monitor. During the installation process of the agent, the status will display Installing. If there are any errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box. -![Activity Monitor Agent Installed](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/consolewithagent.webp) +![Activity Monitor Agent Installed](/img/product_docs/activitymonitor/activitymonitor/install/agent/consolewithagent.webp) When the Activity Monitor agent installation is complete, the status changes to **Installed** and the activity agent version populates. The next step is to add hosts to be monitored. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/agent/manualad.md b/docs/activitymonitor/8.0/activitymonitor/install/agent/manualad.md index c27587de39..4a5d6e5f26 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/agent/manualad.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/agent/manualad.md 
@@ -9,28 +9,28 @@ Follow the steps to manually deploy the AD Module. you want to install the Agent. Then run the executable. The Netwrix Threat Prevention Windows Agent Setup wizard opens. -![StealthINTERCEPT Windows Agent Setup wizard on the Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![StealthINTERCEPT Windows Agent Setup wizard on the Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Welcome page, click **Install**. The Setup Progress page is displayed, followed by another Welcome page. -![Threat Prevention Windows Agent - Welcome Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/welcome2.webp) +![Threat Prevention Windows Agent - Welcome Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/welcome2.webp) **Step 3 –** Click **Next**. -![End-User License Agreement Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/license.webp) +![End-User License Agreement Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/license.webp) **Step 4 –** On the End-User License Agreement page, check the **I accept the terms in the License Agreement** box and click **Next**. -![Destination Folder Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 5 –** _(Optional)_ On the Destination Folder page, change the installation directory location. - To change the default installation directory location, click **Change…**. 
-![Change Destination Folder Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) +![Change Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/changedestination.webp) > > - Use the Look In field to select the desired installation folder. > > - When the Folder name is as desired, click **OK**. The wizard returns to the Destination Folder @@ -40,13 +40,13 @@ location. > To use the default installation directory location, skip the previous step and click **Next** on > the Destination Folder page. -![CA Certificate Configiration Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/cacertconfig.webp) +![CA Certificate Configiration Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/cacertconfig.webp) **Step 6 –** Keep the default radio button selection, Managed by Threat Prevention. **NOTE:** The CA Certificate Configuration page is not applicable to the Activity Monitor. -![Enterprise Manager Location Information Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/enterprisemanageram.webp) +![Enterprise Manager Location Information Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/enterprisemanageram.webp) **Step 7 –** On the Enterprise Manager Location Information page, select the **Option** button for a product to enable communication with it. 
@@ -79,17 +79,17 @@ product to enable communication with it. - When the settings are configured, click **Next**. -![Select Event Sources Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/eventsourcesad.webp) +![Select Event Sources Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/eventsourcesad.webp) **Step 8 –** On the Select Event Sources page, select **Windows Active Directory Events** as needed by the Activity Monitor for the Active Directory solution. Click **Next**. -![Windows Agent Setup wizard on the Ready page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/readytoinstall.webp) +![Windows Agent Setup wizard on the Ready page](/img/product_docs/activitymonitor/activitymonitor/install/agent/readytoinstall.webp) **Step 9 –** On the Ready to install Threat Prevention Windows Agent page, click **Install**. The Setup wizard displays the installation status. -![Windows Agent Setup wizard on the Operation successful page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/success.webp) +![Windows Agent Setup wizard on the Operation successful page](/img/product_docs/activitymonitor/activitymonitor/install/agent/success.webp) **Step 10 –** When installation is complete, click **Close**. 
@@ -103,31 +103,31 @@ Follow the steps to add the Activity Monitor Windows Agent (with the AD Module) **Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. -![Install New Agent](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 3 –** Click the **install agents on Active Directory domain controllers** link. -![Specify Agent Port](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/specifyport.webp) +![Specify Agent Port](/img/product_docs/activitymonitor/activitymonitor/install/agent/specifyport.webp) **Step 4 –** Specify the port for the Activity Monitor Agent. Click **Next**. -![Agent Install Location](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) +![Agent Install Location](/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) **Step 5 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click **Next**. -![Active Directory Connection](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/adconnection.webp) +![Active Directory Connection](/img/product_docs/activitymonitor/activitymonitor/install/agent/adconnection.webp) **Step 6 –** On the Active Directory Connection page, specify the credentials for the domain or domain controller(s) where the agent is installed. Click **Connect** to verify connection to the domain. Click **Next**. -![Domains to Monitor](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) +![Domains to Monitor](/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) **Step 7 –** Select the domain of the domain controller(s) where the agent is installed. Click **Next**. 
-![Domain Controllers to Deploy Agent](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) +![Domain Controllers to Deploy Agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) **Step 8 –** Select the domain controller(s) where the agent is installed. Click **Test**. @@ -139,7 +139,7 @@ installed. **Step 9 –** Ignore the warning messages that the agent cannot be installed or upgraded and click **Next**. -![Windows Agent Settings](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) +![Windows Agent Settings](/img/product_docs/activitymonitor/activitymonitor/install/agent/windowsagent.webp) **Step 10 –** Specify the Activity Monitor Agent Management Group (if desired). Click **Finish**. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/agent/manuallinux.md b/docs/activitymonitor/8.0/activitymonitor/install/agent/manuallinux.md index ba92b16b26..54bb8aa533 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/agent/manuallinux.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/agent/manuallinux.md @@ -10,7 +10,7 @@ pscp.exe -P 22 -p -v "C:\Program Files\Netwrix\Activity Monitor\Console\Agents\activity-monitor-agentd-7.0.0-1234.rhel.x86_64.rpm" root@123.456.789.123:/tmp/ -![pscp Command](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/screen1.webp) +![pscp Command](/img/product_docs/activitymonitor/activitymonitor/install/agent/screen1.webp) **Step 2 –** Install the Activity Monitor Linux Agent RPM Package on the Linux server. 
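Review bot: The pscp example kept as context in the manuallinux.md hunk still copies `activity-monitor-agentd-7.0.0-1234.rhel.x86_64.rpm` to `root@123.456.789.123`, on a page that lives under the 8.0 docs. While this file is being touched, consider a version placeholder that matches the 8.0 package and a documentation-range address such as 192.0.2.10 (123.456.789.123 is not a valid IPv4 address). It would also help to say whether logging in as root over SSH is required for the copy to /tmp/, given that the next step already installs with `sudo yum localinstall`.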
@@ -18,7 +18,7 @@ For example, the following command can be used: sudo yum localinstall activity-monitor-agentd-7.0.0-1234.rhel.x86_64.rpm -![Install Linux Agent RPM Package on the Linux server](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/screen2.webp) +![Install Linux Agent RPM Package on the Linux server](/img/product_docs/activitymonitor/activitymonitor/install/agent/screen2.webp) **Step 3 –** Add firewall rules to the Linux server, and restart firewall service. @@ -42,7 +42,7 @@ cd /usr/bin/activity-monitor-agentd/ sudo ./activity-monitor-agentd create-client-certificate --name amagent -![Generate the Activity Monitor Agent Client Certificate](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/screen3.webp) +![Generate the Activity Monitor Agent Client Certificate](/img/product_docs/activitymonitor/activitymonitor/install/agent/screen3.webp) **Step 5 –** Copy full certificate output from previous command on the Linux server. @@ -53,7 +53,7 @@ sudo ./activity-monitor-agentd create-client-certificate --name amagent Before deploying the Activity agent in a Linux environment, ensure all Prerequisites have been met. To effectively monitor activity on a Linux host, it is necessary to deploy an agent to the host. Follow the steps to deploy the agent to the Linux host. See the -[Linux Agent Server Requirements](../../requirements/linuxagent.md) topic for additional +[Linux Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/linuxagent.md) topic for additional information. Follow the steps to add the agent to the console. 
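Review bot: The new link target `/docs/activitymonitor/8.0/activitymonitor/requirements/linuxagent.md` in the last hunk hardcodes the 8.0 version segment, where the old `../../requirements/linuxagent.md` was version-independent. When this tree is copied for the next release, every link rewritten this way will keep pointing at the 8.0 pages. Either keep relative links inside a versioned folder or add a check that flags links crossing version folders.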
@@ -62,17 +62,17 @@ Follow the steps to add the agent to the console. **Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. -![Install New Agent](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) +![Install New Agent](/img/product_docs/activitymonitor/activitymonitor/install/agent/installnew.webp) **Step 3 –** Specify the server name or IP Address that already has the Linux agent installed. To add multiple server names, see the Multiple Activity Agents Deployment topic for additional information. Click **Next**. -![Specify Agent Port](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/specifyagentport.webp) +![Specify Agent Port](/img/product_docs/activitymonitor/activitymonitor/install/agent/specifyagentport.webp) **Step 4 –** Specify the port to be used for the agent. Click **Next**. -![Credentials to Connect to Server.](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials to Connect to Server.](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 5 –** In Activity Monitor console add the Linux agent using the client certificate option, and paste the full output of the client certificate information (from Step 3 of ‘Manually Installing 
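Review bot: Step 5 in this hunk tells the reader to paste the client certificate "from Step 3" of the manual installation procedure, but in the same file Step 3 is the firewall rule step, and the certificate is produced by the `create-client-certificate --name amagent` command whose output is copied in Step 5 of that procedure. The step reference is unchanged context, but it is worth correcting while the file is open so the reader pastes the right output into the client certificate field.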
@@ -84,7 +84,7 @@ clicking Connect, the Activity Monitor verifies not only its ability to manage t console's ability to deploy the agent as well. Errors can be ignored if the agent was manually installed. -![Linux Agent Options](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/linuxagentoptions.webp) +![Linux Agent Options](/img/product_docs/activitymonitor/activitymonitor/install/agent/linuxagentoptions.webp) **Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To use root, leave the **Service user name** field blank. Click **Test** to test the connection. @@ -99,7 +99,7 @@ The Agent is now added to the Activity Monitor Console. **Step 8 –** On the Agents tab of the console, select the newly added agent. Click **Edit** to view Agent Properties. -![Server Properties](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Server Properties](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) **Step 9 –** Specify Linux account credentials (to be able to install, upgrade, and uninstall agent). Click **Test** to verify. Then press **OK** to save changes. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/agents.md b/docs/activitymonitor/8.0/activitymonitor/install/agents.md index f67c9e7aeb..8fcfcd45a2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/agents.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/agents.md 
@@ -44,12 +44,12 @@ You will need the following information to deploy agents from the console: - Credentials – Account used to deploy must be a member of the BUILTIN\Administrators group on the target server -See the [Agents Tab](../admin/agents/overview.md) topic for additional information on how to deploy +See the [Agents Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/overview.md) topic for additional information on how to deploy agents using console. The Activity Monitor Agent may also be deployed manually. Use one of the following to manually install an agent: -- [Manually Install the Activity Agent](agent/manual.md) -- [ Manually Install the Linux Agent](agent/manuallinux.md) -- [Manually Install the AD Module](agent/manualad.md) +- [Manually Install the Activity Agent](/docs/activitymonitor/8.0/activitymonitor/install/agent/manual.md) +- [ Manually Install the Linux Agent](/docs/activitymonitor/8.0/activitymonitor/install/agent/manuallinux.md) +- [Manually Install the AD Module](/docs/activitymonitor/8.0/activitymonitor/install/agent/manualad.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/install/application.md b/docs/activitymonitor/8.0/activitymonitor/install/application.md index 22b328afda..1929e0c520 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/application.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/application.md 
@@ -9,35 +9,35 @@ Follow the steps to install the Netwrix Activity Monitor Console. **Step 1 –** Run the NetwrixActivityMonitorSetup.msi executable to open the Netwrix Activity Monitor Setup wizard. -![Activty Monitor Setup Wizard - Welcome Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Activty Monitor Setup Wizard - Welcome Page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** On the Activity Monitor Setup Wizard welcome page, click **Next** . -![End-User License Agreement Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![End-User License Agreement Page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** On the End User License Agreement page, check the I accept the terms in the License Agreement box and click Next. -![Destination Folder Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 4 –** On the Destination Folder page, select a destination folder for Activity Monitor. The default destination folder is `C:\Program Files\Netwrix\Activity Monitor\Console\`. Click **Next**. -![Ready to Install Netwrix Activity Monitor Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![Ready to Install Netwrix Activity Monitor Page](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 5 –** Click **Install** to begin installation. 
-![Installation Netwrix Activity Monitor Progress Bar](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/inprogress.webp) +![Installation Netwrix Activity Monitor Progress Bar](/img/product_docs/activitymonitor/activitymonitor/install/inprogress.webp) **Step 6 –** The installer displays a status page during the installation process. Wait for the next window to appear when the status is complete. -![Installation Complete Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) +![Installation Complete Page](/img/product_docs/activitymonitor/activitymonitor/install/complete.webp) **Step 7 –** Once installation is complete, click Finish. The setup wizard closes and the Activity Monitor Console opens. The Activity Monitor Console installs with a 10-day, 1-host license key. After completing the -installation, see the [Import License Key](importlicensekey.md) topic for instructions on importing +installation, see the [Import License Key](/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md) topic for instructions on importing an organization’s license key. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md b/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md index 604016a51d..a5ba449420 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/importlicensekey.md 
@@ -7,26 +7,26 @@ information from the Access Analyzer installation directory. Follow the steps to import a license key file. -![Activity Monitor Installation with Trial License](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/triallicense.webp) +![Activity Monitor Installation with Trial License](/img/product_docs/activitymonitor/activitymonitor/install/triallicense.webp) **Step 1 –** Click the `__Licensed to: __` hyperlink in the lower-left corner of the Console. Alternatively, click the **View License** link in the yellow warning bar at the top. The License Information window opens. -![Trial License Information](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/triallicenseinfo.webp) +![Trial License Information](/img/product_docs/activitymonitor/activitymonitor/install/triallicenseinfo.webp) **Step 2 –** Click Load New License File and navigate to where the key is located. A Windows file explorer opens. -![Open Dialog Box to load New License File](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/loadlicense.webp) +![Open Dialog Box to load New License File](/img/product_docs/activitymonitor/activitymonitor/install/loadlicense.webp) **Step 3 –** Select the `.lic` file and click Open. The selected license key is then read. -![Activity Monitor License Information](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/licenseinfo.webp) +![Activity Monitor License Information](/img/product_docs/activitymonitor/activitymonitor/install/licenseinfo.webp) **Step 4 –** In the License Information window, click **Apply** to import the License Key. 
-![Activity Monitor with License](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/licenseadded.webp) +![Activity Monitor with License](/img/product_docs/activitymonitor/activitymonitor/install/licenseadded.webp) **Step 5 –** The organization's license key is now imported into the Activity Monitor. The Console returns to the Agents tab and is ready to deploy activity agents. diff --git a/docs/activitymonitor/8.0/activitymonitor/install/overview.md b/docs/activitymonitor/8.0/activitymonitor/install/overview.md index 8ad4d86f61..550ae3b32f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/overview.md @@ -2,7 +2,7 @@ This topic describes the console installation and agent deployment the process for Activity Monitor. Prior to installing the application, ensure that all requirements have been met. See the -[Requirements ](../requirements/overview.md) topic for additional information. +[Requirements ](/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md) topic for additional information. ## Software Compatibility & Versions diff --git a/docs/activitymonitor/8.0/activitymonitor/install/removeagent.md b/docs/activitymonitor/8.0/activitymonitor/install/removeagent.md index d193fe3ee1..6cd16a730e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/removeagent.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/removeagent.md 
@@ -4,7 +4,7 @@ On the Agents tab of the Activity Monitor Console, the Remove button allows user selected activity agent from the Agents list and/or uninstall the activity agent from the hosting server. -![Remove Agents Popup Window](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/removeagents.webp) +![Remove Agents Popup Window](/img/product_docs/activitymonitor/activitymonitor/install/removeagents.webp) To only remove the server from the Agents list, click Remove. To also uninstall the activity agent from the server, click Uninstall and remove. During the uninstall process, the status will be diff --git a/docs/activitymonitor/8.0/activitymonitor/install/updateadagentinstaller.md b/docs/activitymonitor/8.0/activitymonitor/install/updateadagentinstaller.md index 16013f53ec..fd474a0d6a 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/updateadagentinstaller.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/updateadagentinstaller.md 
@@ -16,12 +16,12 @@ Then follow the steps to update the AD Agent installer used by the Activity Moni installer package (SI Agent.exe) windowSelect Active Directory Module installer package (SI Agent.exe) window opens. -![Update Agent Installer](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/updateagentinstaller.webp) +![Update Agent Installer](/img/product_docs/activitymonitor/activitymonitor/install/updateagentinstaller.webp) **Step 2 –** Navigate to the location of the latest AD Agent installation package. Select the installer and click **Open**. -![Confirmation Window](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/updateagentinstallerpopup.webp) +![Confirmation Window](/img/product_docs/activitymonitor/activitymonitor/install/updateagentinstallerpopup.webp) **Step 3 –** A confirmation window opens displaying the version information for the selected installer. Click **Yes** to update to this version or **No** to cancel the operation. A confirmation diff --git a/docs/activitymonitor/8.0/activitymonitor/install/upgrade.md b/docs/activitymonitor/8.0/activitymonitor/install/upgrade.md index 66fa8a31d9..3aee0b5e3d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/install/upgrade.md +++ b/docs/activitymonitor/8.0/activitymonitor/install/upgrade.md @@ -1,7 +1,7 @@ # Upgrade Procedure The purpose of this chapter is to provide the basic steps needed for upgrading Activity Monitor. See -the [Software Compatibility & Versions](overview.md) section for information on integration with +the [Software Compatibility & Versions](/docs/activitymonitor/8.0/activitymonitor/install/overview.md) section for information on integration with other Netwrix products. ## Considerations 
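Review bot: The link labelled "Software Compatibility & Versions" in the upgrade.md hunk now points at the top of `/docs/activitymonitor/8.0/activitymonitor/install/overview.md`, while the label names a section of that page (`## Software Compatibility & Versions`). Add the section anchor to the target so the link lands on the section it names rather than on the page's introduction.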
@@ -22,7 +22,7 @@ Follow the steps to upgrade from the Netwrix Activity Monitor V7.1 to Netwrix Ac _Prerequisite_ – Ensure console and agent servers have .NET Framework 4.7.2 installed. **Step 1 –** Install the Activity Monitor 8.0 on the same machine where the V7.1 console resides -following the instructions in the [Install Application](application.md) section. +following the instructions in the [Install Application](/docs/activitymonitor/8.0/activitymonitor/install/application.md) section. **CAUTION:** Launch the Activity Monitor Console and navigate to the Agents tab. diff --git a/docs/activitymonitor/8.0/activitymonitor/overview.md b/docs/activitymonitor/8.0/activitymonitor/overview.md index a08d5a45c8..d1a26b6683 100644 --- a/docs/activitymonitor/8.0/activitymonitor/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/overview.md @@ -6,4 +6,4 @@ and alerting purposes. The Activity Monitor also provides operational efficienci into a wide spectrum of human and machine data interactions with a standardized format that is used to gain deeper visibility into activity associated with the access, use, and modification of data. -See the [Getting Started](gettingstarted.md) topic for additional information. +See the [Getting Started](/docs/activitymonitor/8.0/activitymonitor/gettingstarted.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md b/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md index eaa25ea689..0704d99404 100644 --- a/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md +++ b/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md 
@@ -23,7 +23,7 @@ and the retention settings. Number of events per user per day may vary from tens single file system event is roughly 300 bytes. Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the -server to a network share. See the [Archiving Tab](../admin/agents/properties/archiving.md) topic +server to a network share. See the [Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) topic for additional information. Additional Server Requirements @@ -46,7 +46,7 @@ The following permission is required to install and manage the agent: Activity Agent Ports -See the [Activity Agent Ports](activityagentports.md) topic for firewall port requirements. +See the [Activity Agent Ports](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagentports.md) topic for firewall port requirements. ## Supported Exchange Online @@ -57,7 +57,7 @@ that acts as a proxy for monitoring the target environment. - Exchange Online -See the [Exchange Online Activity Auditing Configuration](../../config/exchangeonline/activity.md) +See the [Exchange Online Activity Auditing Configuration](/docs/activitymonitor/8.0/config/exchangeonline/activity.md) topic for target environment requirements. ## Supported Microsoft Entra ID @@ -69,7 +69,7 @@ that acts as a proxy for monitoring the target environment. - Microsoft Entra ID (formerly Azure AD) -See the [Microsoft Entra ID Activity Auditing Configuration](../../config/entraid/activity.md) topic +See the [Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/8.0/config/entraid/activity.md) topic for target environment requirements. ## Supported Network Attached Storage Devices 
@@ -84,7 +84,7 @@ CTERA Edge Filter - CTERA Portal 7.5.x+ - CTERA Edge Filer 7.5.x+ -See the [CTERA Activity Auditing Configuration](../../config/ctera/Activity.md) topic for target +See the [CTERA Activity Auditing Configuration](/docs/activitymonitor/8.0/config/ctera/Activity.md) topic for target environment requirements. Dell Celerra® & VNX @@ -94,7 +94,7 @@ Dell Celerra® & VNX - VNX 8.1 See the -[Dell Celerra & Dell VNX Activity Auditing Configuration](../../config/dellcelerravnx/Activity.md) +[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md) topic for target environment requirements. Dell Isilon/PowerScale 
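Review bot: The Dell Celerra & VNX target in the last hunk is `/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md` with a capital A, and the CTERA link above it does the same, while the other config links in this file use `activity.md`. The rewrite carries over whatever case the old relative link had, so please verify both against the actual file names; on a case-sensitive build host a mismatch is a broken link.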
@@ -102,31 +102,31 @@ Dell Isilon/PowerScale - 7.0+ See the -[Dell Isilon/PowerScale Activity Auditing Configuration](../../config/dellpowerscale/activity.md) +[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellpowerscale/activity.md) topic for target environment requirements. Dell PowerStore® -See the [Dell PowerStore Activity Auditing Configuration](../../config/dellpowerstore/activity.md) +See the [Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellpowerstore/activity.md) topic for target environment requirements. Dell Unity -See the [Dell Unity Activity Auditing Configuration](../../config/dellunity/activity.md) topic for +See the [Dell Unity Activity Auditing Configuration](/docs/activitymonitor/8.0/config/dellunity/activity.md) topic for target environment requirements. Hitachi - 11.2+ -See the [Hitachi Activity Auditing Configuration](../../config/hitachi/activity.md) topic for target +See the [Hitachi Activity Auditing Configuration](/docs/activitymonitor/8.0/config/hitachi/activity.md) topic for target environment requirements. Nasuni Nasuni Edge Appliances - 8.0+ -See the [Nasuni Edge Appliance Activity Auditing Configuration](../../config/nasuni/activity.md) +See the [Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/8.0/config/nasuni/activity.md) topic for target environment requirements. NetApp Data ONTAP 
@@ -136,24 +136,24 @@ NetApp Data ONTAP See the following topics for target environment requirements: -- [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](../../config/netapp7mode/activity.md) -- [NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](../../config/netappcmode/activity.md) +- [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netapp7mode/activity.md) +- [NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/8.0/config/netappcmode/activity.md) Nutanix -See the [Nutanix Files Activity Auditing Configuration](../../config/nutanix/activity.md) topic for +See the [Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/8.0/config/nutanix/activity.md) topic for target environment requirements. Panzura -See the [Panzura CloudFS Monitoring](../../config/panzura/activity.md) topic for target environment +See the [Panzura CloudFS Monitoring](/docs/activitymonitor/8.0/config/panzura/activity.md) topic for target environment requirements. Qumulo - Qumulo Core 5.0.0.1B+ -See the [Qumulo Activity Auditing Configuration](../../config/qumulo/activity.md) topic for target +See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/8.0/config/qumulo/activity.md) topic for target environment requirements. ## Supported SharePoint Farms Platforms @@ -169,7 +169,7 @@ Application server that hosts the "Central Administration" component of the Shar - SharePoint® Server Subscription Edition -See the [SharePoint On-Premise Activity Auditing Configuration](../../config/sharepoint/activity.md) +See the [SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sharepoint/activity.md) topic for target environment requirements. ## Supported SharePoint Online 
@@ -182,7 +182,7 @@ that acts as a proxy for monitoring the target environment. - SharePoint Online® See the -[SharePoint Online Activity Auditing Configuration](../../config/sharepointonline/activity.md) topic +[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sharepointonline/activity.md) topic for target environment requirements. ## Supported SQL Server Platforms @@ -199,7 +199,7 @@ deployed to a Windows server that acts as a proxy for monitoring the target envi - SQL Server 2017 - SQL Server 2016 -See the [SQL Server Activity Auditing Configuration](../../config/sqlserver/activity.md) topic for +See the [SQL Server Activity Auditing Configuration](/docs/activitymonitor/8.0/config/sqlserver/activity.md) topic for target environment requirements. ## Supported Windows File Servers Platforms @@ -213,5 +213,5 @@ It cannot be deployed to a proxy server. - Windows Server 2019 - Windows Server 2016 -See the [Windows File Server Activity Auditing Configuration](../../config/windowsfile/activity.md) +See the [Windows File Server Activity Auditing Configuration](/docs/activitymonitor/8.0/config/windowsfile/activity.md) topic for target environment requirements. diff --git a/docs/activitymonitor/8.0/activitymonitor/requirements/activityagentports.md b/docs/activitymonitor/8.0/activitymonitor/requirements/activityagentports.md index 1f434266ca..0bceac9c05 100644 --- a/docs/activitymonitor/8.0/activitymonitor/requirements/activityagentports.md +++ b/docs/activitymonitor/8.0/activitymonitor/requirements/activityagentports.md 
@@ -10,7 +10,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. There might be a need for additional ports for the target environment. diff --git a/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md b/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md index 71b002c975..73ce960018 100644 --- a/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md +++ b/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md @@ -12,12 +12,12 @@ Threat Manager, feeding them AD activity data. Activity Monitor Agents: This option focuses solely on monitoring AD activity, providing basic visibility into AD events without additional features. -![nam_admodule](../../../../../static/img/product_docs/activitymonitor/activitymonitor/requirements/nam_admodule.webp) +![nam_admodule](/img/product_docs/activitymonitor/activitymonitor/requirements/nam_admodule.webp) Netwrix Threat Prevention: Offers a more comprehensive and flexible monitoring experience, including advanced features like operation blocking and enhanced monitoring capabilities. -![ntp](../../../../../static/img/product_docs/activitymonitor/activitymonitor/requirements/ntp.webp) +![ntp](/img/product_docs/activitymonitor/activitymonitor/requirements/ntp.webp) These methods provide organizations with a choice between basic AD activity monitoring and a more versatile, security-enhanced option. 
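Review bot: The two images in the adagent.md hunk keep file-name stubs as alt text (`nam_admodule`, `ntp`), unlike the descriptive alt text used on the install pages in this patch. Since both lines are rewritten here anyway, give each one alt text that names the deployment option the diagram shows (Activity Monitor Agents, Netwrix Threat Prevention).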
@@ -55,7 +55,7 @@ The disk space requirement covers the following: - Diagnostic Logging – 1 GB Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the -server to a network share. See the [Archiving Tab](../admin/agents/properties/archiving.md) topic +server to a network share. See the [Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) topic for additional information. Additional Server Requirements @@ -85,7 +85,7 @@ controllers within the domain to be monitored. - Windows Server 2019 - Windows Server 2016 -See the [Active Directory Activity Auditing Configuration](../../config/activedirectory/activity.md) +See the [Active Directory Activity Auditing Configuration](/docs/activitymonitor/8.0/config/activedirectory/activity.md) topic for target environment requirements. ## AD Agent Compatibility with Non-Netwrix Security Products diff --git a/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md b/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md index 3d22cc09db..9b719427ff 100644 --- a/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/requirements/overview.md 
@@ -21,12 +21,12 @@ Core Component - Activity Agent – The Activity Agent is installed on Windows servers to monitor Microsoft Entra ID, Network Attached Storage (NAS) devices, SharePoint farms, SharePoint Online, SQL Server, - and Windows file servers. See the [Activity Agent Server Requirements](activityagent.md) topic + and Windows file servers. See the [Activity Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/activityagent.md) topic for additional information. - AD Agent – The AD Agent is deployed to every domain controllers to monitor Active Directory - domains. See the [AD Agent Server Requirements](adagent.md) topic for additional information. + domains. See the [AD Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/adagent.md) topic for additional information. - Linux Agent – The Linux Agent is deployed to Linux servers to be monitored. See the - [Linux Agent Server Requirements](linuxagent.md) topic for additional information. + [Linux Agent Server Requirements](/docs/activitymonitor/8.0/activitymonitor/requirements/linuxagent.md) topic for additional information. Target Environment Considerations diff --git a/docs/activitymonitor/8.0/activitymonitor/restapi/overview.md b/docs/activitymonitor/8.0/activitymonitor/restapi/overview.md index fe28af097f..b798ffdf10 100644 --- a/docs/activitymonitor/8.0/activitymonitor/restapi/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/restapi/overview.md 
@@ -14,10 +14,10 @@ Activity Monitor Agent and is the HTTPS access to the log files. See the following topics for additional information: -- [Security and Access Control](security.md) -- [Schema and Resources](resources.md) +- [Security and Access Control](/docs/activitymonitor/8.0/activitymonitor/restapi/security.md) +- [Schema and Resources](/docs/activitymonitor/8.0/activitymonitor/restapi/resources.md) - - [Agent](agent.md) - - [Domain](domain.md) - - [Host](host.md) - - [Output](output.md) + - [Agent](/docs/activitymonitor/8.0/activitymonitor/restapi/agent.md) + - [Domain](/docs/activitymonitor/8.0/activitymonitor/restapi/domain.md) + - [Host](/docs/activitymonitor/8.0/activitymonitor/restapi/host.md) + - [Output](/docs/activitymonitor/8.0/activitymonitor/restapi/output.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/restapi/resources.md b/docs/activitymonitor/8.0/activitymonitor/restapi/resources.md index 882404f351..d3adb9f3b0 100644 --- a/docs/activitymonitor/8.0/activitymonitor/restapi/resources.md +++ b/docs/activitymonitor/8.0/activitymonitor/restapi/resources.md @@ -7,7 +7,7 @@ The 8.0 API model consists of the following resources: agents in the 6.0 API. You can list all the agents or the agents of a domain (AD-monitoring agents on the domain controllers). Children: Host, Domain - See the [Agent](agent.md) topic for additional information. + See the [Agent](/docs/activitymonitor/8.0/activitymonitor/restapi/agent.md) topic for additional information. - Host – Represents a host or platform monitored by the product (Windows, NetApp, SharePoint, SQL Server, etc). It is a Monitored Host in the Console. You can list all the hosts of the agent, or 
@@ -17,14 +17,14 @@ The 8.0 API model consists of the following resources: Output. Each Host can have multiple child Outputs, and each Output has its own unique filter settings. Children: Output - See the [Host](host.md) topic for additional information. + See the [Host](/docs/activitymonitor/8.0/activitymonitor/restapi/host.md) topic for additional information. - Domain – It is a Monitored Domain in the Console. The API provides summary information about each monitored domain. Similar to host, the domain also has one or more output. These outputs are common for all AD-monitoring agents of the domain. Each domain controller has the same log file settings, syslog, and AMQP. Children: Output, Agent - See the [Domain](domain.md) topic for additional information. + See the [Domain](/docs/activitymonitor/8.0/activitymonitor/restapi/domain.md) topic for additional information. - Output – A log file or Syslog or AMQP (DEFEND) destination for the activity data. Typical properties of the **Output** include log file settings (path, retention etc.), syslog settings @@ -38,7 +38,7 @@ The 8.0 API model consists of the following resources: - Policy represents an Active Directory monitoring policy. The API allows you to create new policies, list, modify, and delete existing. - See the [Output](output.md) topic for additional information. + See the [Output](/docs/activitymonitor/8.0/activitymonitor/restapi/output.md) topic for additional information. Data is transmitted as JSON objects or as JSON Merge Patch for PATCH requests. Dates are formatted in UTC using the `YYYY-MM-DDTHH:MM:SS` DateTime format. Security-sensitive data like passwords, diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/overview.md b/docs/activitymonitor/8.0/activitymonitor/siem/overview.md index 776074a4d0..bbfce0d386 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/overview.md 
@@ -10,7 +10,7 @@ to correlate file system activity with any log source. Preconfigured Stealthbits File Activity Monitor Apps are: -- Splunk - See the [File Activity Monitor App for Splunk](splunk/overview.md) topic for additional +- Splunk - See the [File Activity Monitor App for Splunk](/docs/activitymonitor/8.0/activitymonitor/siem/splunk/overview.md) topic for additional information -- QRadar - See the [Netwrix File Activity Monitor App for QRadar](qradar/overview.md) topic for +- QRadar - See the [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md) topic for additional information diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md index 874cdefc4e..e42f302b0c 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md @@ -5,7 +5,7 @@ predefined dashboards: File Activity (Home), Ransomware, Permission Changes, Del Investigation, and Host Investigation. There is also an About dashboard with additional information and a Settings interface for configuring the QRadar SEC token. -![file_activity_monitor_app](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/file_activity_monitor_app.webp) +![file_activity_monitor_app](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/file_activity_monitor_app.webp) The User Investigation and Host Investigation dashboards only appear when a search is conducted. This can be done by clicking a hyperlink within the Username or Destination IP columns of a table diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/about.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/about.md index 223f9c0fd6..3017036feb 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/about.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/about.md @@ -2,6 +2,6 @@ The About dashboard provides information about the application. -![About Dashboard for Stealthbits Activity Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/aboutdashboard.webp) +![About Dashboard for Stealthbits Activity Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/aboutdashboard.webp) Information on how to obtain a license for the applicable Stealthbits software is included. diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/deletions.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/deletions.md index f056c205d1..aef1e73e3a 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/deletions.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/deletions.md @@ -2,7 +2,7 @@ The Deletions dashboard contains the following cards: -![Deletions Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/deletionsdashboard.webp) +![Deletions Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/deletionsdashboard.webp) - Activity – Timeline of all deletion events over the specified time interval - Top Users – Displays up-to the top five users associated with deletion events over the specified 
@@ -10,7 +10,7 @@ The Deletions dashboard contains the following cards: - Latest Events – Tabular format of all deletion events which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. The time interval is identified in the upper-right corner with the Start and End boxes. This is set diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/home.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/home.md index 5949dc60f7..228fd2039e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/home.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/home.md @@ -2,7 +2,7 @@ The File System Activity Home dashboard contains the following cards: -![Home Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/homedashboard.webp) +![Home Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/homedashboard.webp) - Active Users – Number of distinct users recorded performing any type of file activity to/from any host over the specified time interval 
@@ -11,7 +11,7 @@ The File System Activity Home dashboard contains the following cards: - Open Offenses – Number of ransomware offenses detected within QRadar from the file activity event data - - The value for this card is a hyperlink to the [Ransomware Dashboard](ransomware.md). + - The value for this card is a hyperlink to the [Ransomware Dashboard](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md). - File Activity – Timeline of all file activity over the specified time interval - Top Users – Displays up-to the top five users associated with file activity over the specified @@ -21,7 +21,7 @@ The File System Activity Home dashboard contains the following cards: - Latest Events – Tabular format of all file activity events which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. The time interval is identified in the upper-right corner with the Start and End boxes. This is set diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/hostinvestigation.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/hostinvestigation.md index 43dd7c4151..0e51e24d41 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/hostinvestigation.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/hostinvestigation.md 
@@ -4,7 +4,7 @@ The Host Investigation dashboard only appears when a search is conducted. This c clicking a hyperlink within the Destination IP column of a table card. Alternatively, type the complete host IP Address in the Search box on the right side of the navigation bar. -![Home Investigation Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/userinvestigationdashboard.webp) +![Home Investigation Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/userinvestigationdashboard.webp) The Host Investigation dashboard contains the following cards: @@ -19,13 +19,13 @@ The Host Investigation dashboard contains the following cards: - Details of File Activity – Tabular format of all file activity events associated with the host which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. - Destination Host Offenses – QRadar offenses associated with the host which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. The time interval is identified in the upper-right corner with the Start and End boxes. This is set diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/permissionchanges.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/permissionchanges.md index 220aeafc3b..0755a6619c 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/permissionchanges.md 
+++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/permissionchanges.md @@ -3,7 +3,7 @@ The Permission Changes Dashboard for QRadar shows information on changes made to permissions using various metrics. -![Permission Changes Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/permissionchangesdashboard.webp) +![Permission Changes Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/permissionchangesdashboard.webp) The Permission Changes dashboard contains the following cards: @@ -13,7 +13,7 @@ The Permission Changes dashboard contains the following cards: - Latest Events – Tabular format of all permission change events which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. The time interval is identified in the upper-right corner with the Start and End boxes. This is set diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md index a8125420d1..76a2a0e23b 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md 
@@ -2,21 +2,21 @@ The Ransomware Dashboard for QRadar shows a list of suspected ransomware events. -![Ransomware Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/ransomwaredashboard.webp) +![Ransomware Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/ransomwaredashboard.webp) The Ransomware dashboard contains the following cards: - Offenses – List of offenses detected within QRadar from the file activity data as a potential ransomware attack - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. - Details of Ransomware Attack – Tabular format of all file activity events for the selected offense which occurred over the specified time interval - Only visible after clicking Search on an offense - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. - Breakdown of File Types – Pie chart of the top eight file extensions of the affected files for the diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/userinvestigation.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/userinvestigation.md index cc8b8d363e..6cab33b08a 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/userinvestigation.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/userinvestigation.md 
@@ -4,7 +4,7 @@ The User Investigation dashboard only appears when a search is conducted. This c clicking a hyperlink within the Username column of a table card. Alternatively, type the complete user name in the Search box on the right side of the navigation bar. -![User Investigation Dashboard for Stealthbits Activivty Monitor App for QRadar](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/userinvestigationdashboard.webp) +![User Investigation Dashboard for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/userinvestigationdashboard.webp) The User Investigation dashboard contains the following cards: @@ -17,11 +17,11 @@ The User Investigation dashboard contains the following cards: - The graph values can be toggled on an off by clicking on individual elements in the legend. - Details of File Activity – Tabular format of all file activity events associated with the user which occurred over the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. - Destination Host Offenses – QRadar offenses associated with the destination IP Addresses accessed by the user during the specified time interval - - See the [Table Card Features ](../app.md#table-card-features) topic for additional + - See the [Table Card Features ](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/app.md#table-card-features) topic for additional information. The time interval is identified in the upper-right corner with the Start and End boxes. This is set diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/offenses.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/offenses.md index 038b0f3f77..1fe28d6fc6 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/offenses.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/offenses.md @@ -2,9 +2,9 @@ The Activity Monitor App for QRadar feeds a couple of QRadar Offenses. -![Stealthbits Offenses in QRadar](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/stealthbitsoffenses.webp) +![Stealthbits Offenses in QRadar](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/stealthbitsoffenses.webp) -While the [Ransomware Dashboard](dashboard/ransomware.md) reports on incidents of Ransomware attacks +While the [Ransomware Dashboard](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/dashboard/ransomware.md) reports on incidents of Ransomware attacks monitored by StealthINTERCEPT, the following offenses may be generated by the Stealthbits File Activity Monitor App. diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md index 7a80d5e3ff..1e17b1c7a8 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/overview.md @@ -38,7 +38,7 @@ within QRadar. The File Activity Monitor tab will appear within QRadar. It is necessary for the QRadar SEC token to be saved to the Settings interface of the **File Activity Monitor** App. See the -[Settings](settings.md) topic for additional information. +[Settings](/docs/activitymonitor/8.0/activitymonitor/siem/qradar/settings.md) topic for additional information. ## Initial Configuration of the QRadar App diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/settings.md b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/settings.md index 3c6974d726..71c5a73dd2 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/qradar/settings.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/qradar/settings.md 
@@ -3,7 +3,7 @@ Use the gear icon next to the **Search** box to open the **Settings** interface. It is necessary for the QRadar SEC token to be saved to the **Settings** interface. -![Settings for Stealthbits Activivty Monitor App for QRadar](../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![Settings for Stealthbits Activivty Monitor App for QRadar](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) The **More information** link will open the IBM Knowledge Center with information on generating the QRadar SEC token. Once the token is generated, copy and paste it here and click Save. diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/app.md b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/app.md index 5666c885dc..200c94360f 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/app.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/app.md @@ -3,7 +3,7 @@ Stealthbits File Activity Monitor App for Splunk contains several predefined dashboards: File Activity (Overview), Ransomware, Permission Changes, and Deletions. -![file_activity_monitor_app](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/file_activity_monitor_app.webp) +![file_activity_monitor_app](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/file_activity_monitor_app.webp) The date time search feature uses the default Splunk search features. diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/deletions.md b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/deletions.md index bb616dc19f..0a8ff2021e 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/deletions.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/deletions.md 
@@ -2,7 +2,7 @@ View deletion information in the Deletions Dashboard for Splunk. -![Deletions Dashboard for Stealthbits Activivty Monitor App for Splunk](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/deletionsdashboard.webp) +![Deletions Dashboard for Stealthbits Activivty Monitor App for Splunk](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/deletionsdashboard.webp) The Deletions dashboard contains the following cards: diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/overview.md b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/overview.md index 6049543942..72fe12ab63 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/overview.md @@ -2,7 +2,7 @@ View general information on the Overview Dashboard for Splunk. -![Overview Dashboard for Stealthbits Activivty Monitor App for Splunk](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/splunk/dashboard/overviewdashboard.webp) +![Overview Dashboard for Stealthbits Activivty Monitor App for Splunk](/img/product_docs/activitymonitor/activitymonitor/siem/splunk/dashboard/overviewdashboard.webp) The File System Activity Overview dashboard contains the following cards: diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/permissionchanges.md b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/permissionchanges.md index 0f759f18e1..cf47d0b281 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/permissionchanges.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/permissionchanges.md 
@@ -2,7 +2,7 @@ View information on permissions changes on the through the Permission Changes Dashboard for Splunk. -![Permission Changes Dashboard for Stealthbits Activivty Monitor App for Splunk](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/permissionchangesdashboard.webp) +![Permission Changes Dashboard for Stealthbits Activivty Monitor App for Splunk](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/permissionchangesdashboard.webp) The Permission Changes dashboard contains the following cards: diff --git a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/ransomware.md b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/ransomware.md index b09ba2c103..a6fcc004ff 100644 --- a/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/ransomware.md +++ b/docs/activitymonitor/8.0/activitymonitor/siem/splunk/dashboard/ransomware.md @@ -2,7 +2,7 @@ View information on ransomware using the Ransomware Dashboard for Splunk. -![Ransomware Dashboard for Stealthbits Activivty Monitor App for Splunk](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/ransomwaredashboard.webp) +![Ransomware Dashboard for Stealthbits Activivty Monitor App for Splunk](/img/product_docs/activitymonitor/activitymonitor/siem/qradar/dashboard/ransomwaredashboard.webp) The Ransomware dashboard contains the following cards: diff --git a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentbackup.md b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentbackup.md index 197fe93a78..ba30615a4d 100644 --- a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentbackup.md +++ b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentbackup.md 
@@ -45,6 +45,6 @@ C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs `%ALLUSERSPROFILE%` in the File Explorer. The location of the files depend on the configuration and whether the archiving is enabled. See the -[Archiving Tab](../../admin/agents/properties/archiving.md) topic for additional information. +[Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) topic for additional information. All key components necessary for data recovery have now been backed up for the agents. diff --git a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/overview.md b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/overview.md index de4da570c5..73207b91b9 100644 --- a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/overview.md @@ -3,9 +3,9 @@ The Netwrix Activity Monitor is comprised of the following components: - Activity Monitor Console - Controls configuration settings. See the - [Administration](../../admin/overview.md)topic for additional information. + [Administration](/docs/activitymonitor/8.0/activitymonitor/admin/overview.md)topic for additional information. - Deployed Agents - Monitor targeted servers and domains. See the - [Agent Information](../../install/agents.md) topic for additional information. + [Agent Information](/docs/activitymonitor/8.0/activitymonitor/install/agents.md) topic for additional information. The configuration settings are stored on individual agents, and the console stores which agents have been deployed. Agents also store activity log files of monitored environments, which can optionally 
@@ -14,7 +14,7 @@ Activity Monitor Console and the activity agents. The sections in this document are: -- [Agent Backup](agentbackup.md) -- [Agent Restoration](agentrestore.md) -- [Console Backup](consolebackup.md) -- [Console Restoration](consolerestore.md) +- [Agent Backup](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentbackup.md) +- [Agent Restoration](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/agentrestore.md) +- [Console Backup](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/consolebackup.md) +- [Console Restoration](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/consolerestore.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/credentialpasswords.md b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/credentialpasswords.md index 31467d8ea6..eed04151e7 100644 --- a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/credentialpasswords.md +++ b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/credentialpasswords.md 
@@ -20,27 +20,27 @@ account can be updated in the agent properties under the **Connection** tab. **NOTE:** If the AD monitoring account is changed, all accounts on the domain controllers will need to be updated as well. -![Agent User Account Credentials](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/agentuseraccount.webp) +![Agent User Account Credentials](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/agentuseraccount.webp) -See the [Connection Tab](../admin/agents/properties/connection.md) topic for additional information. +See the [Connection Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/connection.md) topic for additional information. ## Archive User Account The Archive User Account is used to store log files from the agent and store them on a remote server or share. The credentials can be updated in the agent properties under the **Archiving** tab. -![Archive User Account Credentials](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/archiveuseraccount.webp) +![Archive User Account Credentials](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/archiveuseraccount.webp) -See the [Archiving Tab](../admin/agents/properties/archiving.md) topic for additional information. +See the [Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) topic for additional information. ## Panzura MQ Protection The Panzura MQ Protection Credentials are used to send activity to the Activity Monitor agent. The credentials can be updated in the agent properties under the **Panzura** tab. 
-![Panzura MQ Protection Account Credentials](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/panzuramqprotectionaccount.webp) +![Panzura MQ Protection Account Credentials](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/panzuramqprotectionaccount.webp) -See the [Panzura Tab](../admin/agents/properties/panzura.md) topic for additional information. +See the [Panzura Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/panzura.md) topic for additional information. ## Monitored Host User Credentials @@ -48,9 +48,9 @@ The Monitored Host User Credentials is used to connect to the monitored host dev activity to the agent. The credentials can be updated in monitored host properties. Select a host under the **Monitored Host** tab. Then, click the **Edit** button to update the account credentials. -![Monitored Host User Account](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/monitoredhostuseraccount.webp) +![Monitored Host User Account](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/monitoredhostuseraccount.webp) -See the [Nutanix Tab](../admin/monitoredhosts/properties/nutanix.md) topic for additional +See the [Nutanix Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/nutanix.md) topic for additional information. ## Agent Inactivity Alerts Email Account 
@@ -59,9 +59,9 @@ The Agent Inactivity Alerts Email Account is used to automate email alerts for i by the agent. It can be updated in agent properties under **Inactivity Alerts** tab then Email Alerts. This can also be changed in the monitored host properties. -![agentinactivityalertsemailcredentials](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/agentinactivityalertsemailcredentials.webp) +![agentinactivityalertsemailcredentials](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/agentinactivityalertsemailcredentials.webp) -See the [Inactivity Alerts Tab](../admin/agents/properties/inactivityalerts.md) topic for additional +See the [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/inactivityalerts.md) topic for additional information. ## Monitored Host Inactivity Alerts Email Account @@ -69,7 +69,7 @@ information. The Monitored Host Inactivity Alerts Email Account are used to automate email alerts for inactivity detected by the monitored host. The credentials can be updated in the monitored **Host Properties**. -![Monitored Host Inactivity Alerts Email Credentials Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp) +![Monitored Host Inactivity Alerts Email Credentials Page](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp) -See the [Inactivity Alerts Tab](../admin/monitoredhosts/properties/inactivityalerts.md) topic for +See the [Inactivity Alerts Tab](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/properties/inactivityalerts.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/overview.md b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/overview.md index 58c673bce7..d2a3f2e75b 100644 
--- a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/overview.md +++ b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/overview.md @@ -3,8 +3,8 @@ This section provides an overview of troubleshooting and maintenance steps and processes for Activity Monitor. See the following topics for additional information: -- [Update Credential Passwords](credentialpasswords.md) -- [Trace Logs](tracelogs.md) -- [Antivirus Exclusions](antivirusexclusions.md) -- [Performance Monitoring](performancemonitoring.md) -- [Backup & Restoration](backuprestore/overview.md) +- [Update Credential Passwords](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/credentialpasswords.md) +- [Trace Logs](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md) +- [Antivirus Exclusions](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/antivirusexclusions.md) +- [Performance Monitoring](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/performancemonitoring.md) +- [Backup & Restoration](/docs/activitymonitor/8.0/activitymonitor/troubleshooting/backuprestore/overview.md) diff --git a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md index d7963d92c8..64f87aa2e5 100644 --- a/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md +++ b/docs/activitymonitor/8.0/activitymonitor/troubleshooting/tracelogs.md 
@@ -5,7 +5,7 @@ Monitor creates Trace Logs that aid in troubleshooting issues. The Trace level o drop-down list in the lower right corner of the Activity Monitor Console determines the kind of information kept in the activity agent and monitored hosts logs. -![Activity Monitor with location of trace logs](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/tracelogs.webp) +![Activity Monitor with location of trace logs](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/tracelogs.webp) The selected log level applies to all hosts added to the **Agents** list (if not specified in agent properties). Select from the following trace log levels: 
@@ -22,15 +22,15 @@ When the log level is changed in the Activity Monitor Console, the new log level applied immediately to all of the activity agents that do not have custom trace setting. **NOTE:** Trace level can be adjusted in the Agent Properties for the selected agent. See the -[Archiving Tab](../admin/agents/properties/archiving.md) topic for additional information. +[Archiving Tab](/docs/activitymonitor/8.0/activitymonitor/admin/agents/properties/archiving.md) topic for additional information. -![Collect Logs button](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/collectlogsbutton.webp) +![Collect Logs button](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/collectlogsbutton.webp) The Activity Monitor Console has a function to copy Trace Logs from the activity agents to the Console machine. Click the Collect Logs button to open the log collection dialog and select Start to begin the log collection. -![Copying the log files popup window](../../../../../static/img/product_docs/activitymonitor/activitymonitor/troubleshooting/collectlogswindow.webp) +![Copying the log files popup window](/img/product_docs/activitymonitor/activitymonitor/troubleshooting/collectlogswindow.webp) Specific agents or console can be selected. After log collection is successful the logs are compressed into a zip file and file explorer opens with the zip file selected. diff --git a/docs/activitymonitor/8.0/activitymonitor/whatsnew.md b/docs/activitymonitor/8.0/activitymonitor/whatsnew.md index 4fafb56bcb..32793cab76 100644 --- a/docs/activitymonitor/8.0/activitymonitor/whatsnew.md +++ b/docs/activitymonitor/8.0/activitymonitor/whatsnew.md 
@@ -19,7 +19,7 @@ New: Platform Support for CTERA - Multitenant Configuration Support — Enables efficient security management for multiple tenants with scalable, flexible monitoring tailored to diverse organizational needs. -See the [CTERA Activity Auditing Configuration](../config/ctera/Activity.md) topic for additional +See the [CTERA Activity Auditing Configuration](/docs/activitymonitor/8.0/config/ctera/Activity.md) topic for additional information. **NOTE:** For Netwrix Access Analyzer (formerly Enterprise Auditor) users, these capabilities will @@ -34,7 +34,7 @@ New: FPolicy Persistent Store Enhancements volumes to reduce setup complexity and improve storage efficiency for high-volume event data, without requiring additional permissions. -See the [Configure FPolicy](../config/netappcmode/configurefpolicy.md) topic for additional +See the [Configure FPolicy](/docs/activitymonitor/8.0/config/netappcmode/configurefpolicy.md) topic for additional information. New: Improved Microsoft Office Filtering Accuracy @@ -51,4 +51,4 @@ New: REST API Enhancements - Tailor Security Solutions — Supports custom use cases and tailors security solutions with expanded API capabilities. -See the [REST API](restapi/overview.md) topic for additional information. +See the [REST API](/docs/activitymonitor/8.0/activitymonitor/restapi/overview.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/config/activedirectory/activity.md b/docs/activitymonitor/8.0/config/activedirectory/activity.md index a5f1f118a9..6420a0a3a4 100644 --- a/docs/activitymonitor/8.0/config/activedirectory/activity.md +++ b/docs/activitymonitor/8.0/config/activedirectory/activity.md 
@@ -6,7 +6,7 @@ Access Analyzer: - API Server - File Archive Repository -See the [File Archive Repository Option](filearchive.md) topic for additional information on that +See the [File Archive Repository Option](/docs/activitymonitor/8.0/config/activedirectory/filearchive.md) topic for additional information on that option. ## API Server Option @@ -176,11 +176,11 @@ against the target domain. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromnam.webp) **Step 4 –** On the Category page, choose **Import from SAM** option and click **Next**. -![Active Directory Activity DC wizard SAM connection settings page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) +![Active Directory Activity DC wizard SAM connection settings page](/img/product_docs/activitymonitor/config/activedirectory/namconnection.webp) **Step 5 –** On the SAM connection page, the **Port** is set to the default 4494. This needs to match the port configured for the Activity Monitor API Server agent. @@ -194,7 +194,7 @@ last step. **Step 8 –** Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 9 –** On the Scope page, set the Timespan as desired. There are two options: diff --git a/docs/activitymonitor/8.0/config/activedirectory/filearchive.md b/docs/activitymonitor/8.0/config/activedirectory/filearchive.md index 568681a2c5..2fc64b5f9d 100644 
--- a/docs/activitymonitor/8.0/config/activedirectory/filearchive.md +++ b/docs/activitymonitor/8.0/config/activedirectory/filearchive.md @@ -121,17 +121,17 @@ the target domain. **Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard opens. -![Active Directory Activity DC wizard Category page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) +![Active Directory Activity DC wizard Category page](/img/product_docs/activitymonitor/config/activedirectory/categoryimportfromshare.webp) **Step 4 –** On the Category page, choose **Import from Share** option and click **Next**. -![Active Directory Activity DC wizard Share settings page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/share.webp) +![Active Directory Activity DC wizard Share settings page](/img/product_docs/activitymonitor/config/activedirectory/share.webp) **Step 5 –** On the Share page, provide the UNC path to the AD Activity share archive location. If there are multiple archives in the same network share, check the **Include Sub-Directories** box. Click **Next**. -![Active Directory Activity DC wizard Scoping and Retention page](../../../../../static/img/product_docs/activitymonitor/config/activedirectory/scope.webp) +![Active Directory Activity DC wizard Scoping and Retention page](/img/product_docs/activitymonitor/config/activedirectory/scope.webp) **Step 6 –** On the Scope page, set the Timespan as desired. There are two options: diff --git a/docs/activitymonitor/8.0/config/ctera/Activity.md b/docs/activitymonitor/8.0/config/ctera/Activity.md index 6401fa580e..b33d99b325 100644 --- a/docs/activitymonitor/8.0/config/ctera/Activity.md +++ b/docs/activitymonitor/8.0/config/ctera/Activity.md 
@@ -8,7 +8,7 @@ file is generated by each Edge Filer and audit events from these files are colle Portal. The CTERA Portal forwards the events from the Edge Filers to the Activity Monitor Agent through the Messaging and Syslog services. -![Monitoring Process -CTERA Portal](../../../../../static/img/product_docs/activitymonitor/config/ctera/cterasyslogmsg.webp) +![Monitoring Process -CTERA Portal](/img/product_docs/activitymonitor/config/ctera/cterasyslogmsg.webp) To prepare CTERA for monitoring: diff --git a/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md b/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md index 41bc8a4521..2bf5691a2c 100644 --- a/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md +++ b/docs/activitymonitor/8.0/config/dellcelerravnx/Activity.md @@ -34,7 +34,7 @@ Checklist Item 2: Install Dell CEE - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server -- See the [Install & Configure Dell CEE](InstallCEE.md) topic for instructions. +- See the [Install & Configure Dell CEE](/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md) topic for instructions. Checklist Item 3: Dell Device Configuration diff --git a/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md b/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md index 6532f6184d..de17294fbb 100644 --- a/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md +++ b/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md 
@@ -23,7 +23,7 @@ guide to install and configure the CEE. The installation will add two services t **_RECOMMENDED:_** The latest version of .NET Framework and Dell CEE is recommended to use with the asynchronous bulk delivery (VCAPS) feature. -See the [CEE Debug Logs](../dellunity/Validate.md#cee-debug-logs) section for information on +See the [CEE Debug Logs](/docs/activitymonitor/8.0/config/dellunity/Validate.md#cee-debug-logs) section for information on troubleshooting issues related to Dell CEE. After Dell CEE installation is complete, it is necessary to Connect Data Movers to the Dell CEE @@ -37,7 +37,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -61,7 +61,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/activitymonitor/8.0/config/dellcelerravnx/Validate.md b/docs/activitymonitor/8.0/config/dellcelerravnx/Validate.md index adbb197047..bc0fd32ddf 100644 --- a/docs/activitymonitor/8.0/config/dellcelerravnx/Validate.md +++ b/docs/activitymonitor/8.0/config/dellcelerravnx/Validate.md 
@@ -6,7 +6,7 @@ configuration must be validated to ensure events are being monitored. ## Validate Dell CEE Registry Key Settings **NOTE:** See the -[Configure Dell Registry Key Settings](../dellunity/InstallCEE.md#configure-dell-registry-key-settings) +[Configure Dell Registry Key Settings](/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md#configure-dell-registry-key-settings) topic for information on manually setting the registry key. After the Activity Monitor activity agent has been configured to monitor the Dell device, it will @@ -23,7 +23,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. @@ -79,7 +79,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/activitymonitor/8.0/config/dellpowerscale/InstallCEE.md b/docs/activitymonitor/8.0/config/dellpowerscale/InstallCEE.md index 11dda1e6a7..0a3f846de3 100644 --- a/docs/activitymonitor/8.0/config/dellpowerscale/InstallCEE.md +++ b/docs/activitymonitor/8.0/config/dellpowerscale/InstallCEE.md 
@@ -35,7 +35,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -59,7 +59,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/activitymonitor/8.0/config/dellpowerscale/activity.md b/docs/activitymonitor/8.0/config/dellpowerscale/activity.md index 6b5efde699..811a096f1d 100644 --- a/docs/activitymonitor/8.0/config/dellpowerscale/activity.md +++ b/docs/activitymonitor/8.0/config/dellpowerscale/activity.md @@ -32,7 +32,7 @@ Checklist Item 1: Plan Deployment Isilon/PowerScale cluster with more than one pair of Dell CEE and Activity Monitor Agent. The activity will be evenly distributed between the pairs. -Checklist Item 2: [Install Dell CEE](InstallCEE.md) +Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/8.0/config/dellpowerscale/InstallCEE.md) - Dell CEE should be installed on a Windows or a Linux server. @@ -59,7 +59,7 @@ Checklist Item 3: Configure Auditing on the Dell Isilon/PowerScale Cluster Monitor - Choose between monitoring all Access Zones or scoping to specific Access Zones - - [Manually Configure Auditing in OneFS](manualconfiguration.md) + - [Manually Configure Auditing in OneFS](/docs/activitymonitor/8.0/config/dellpowerscale/manualconfiguration.md) - After configuration, add the Isilon/PowerScale device to be monitored by the Activity Monitor 
@@ -99,4 +99,4 @@ Checklist Item 3: Configure Auditing on the Dell Isilon/PowerScale Cluster documentation for additional information. Checklist Item 4: Configure Dell CEE to Forward Events to the Activity Agent. See the -[Validate Setup](validate.md) topic for additional information. +[Validate Setup](/docs/activitymonitor/8.0/config/dellpowerscale/validate.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/config/dellpowerscale/manualconfiguration.md b/docs/activitymonitor/8.0/config/dellpowerscale/manualconfiguration.md index 374b246d93..1e61850caf 100644 --- a/docs/activitymonitor/8.0/config/dellpowerscale/manualconfiguration.md +++ b/docs/activitymonitor/8.0/config/dellpowerscale/manualconfiguration.md @@ -6,7 +6,7 @@ Administration Console. **Step 1 –** Navigate to the **Cluster Management** tab, and select **Auditing**. -![settings](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![settings](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) **Step 2 –** In the Settings section, check the Enable Protocol Access Auditing box. @@ -37,7 +37,7 @@ For each monitored access zone: isi audit settings modify --zone ZONENAME --audit-success=close_file_modified,close_file_unmodified,create_file,create_directory,delete_file,delete_directory,rename_file,rename_directory,set_security_file,set_security_directory -![eventforwarding](../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/eventforwarding.webp) +![eventforwarding](/img/product_docs/activitymonitor/config/dellpowerscale/eventforwarding.webp) **Step 4 –** In the Event Forwarding section, add the CEE Server URI value for the Windows or Linux server hosting CEE. Use either of the following format: diff --git a/docs/activitymonitor/8.0/config/dellpowerscale/validate.md b/docs/activitymonitor/8.0/config/dellpowerscale/validate.md index cd6bbd35c9..e38cdff2cc 100644 
--- a/docs/activitymonitor/8.0/config/dellpowerscale/validate.md +++ b/docs/activitymonitor/8.0/config/dellpowerscale/validate.md @@ -19,7 +19,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. @@ -75,7 +75,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/activitymonitor/8.0/config/dellpowerstore/activity.md b/docs/activitymonitor/8.0/config/dellpowerstore/activity.md index 423c147e11..a14b311db8 100644 --- a/docs/activitymonitor/8.0/config/dellpowerstore/activity.md +++ b/docs/activitymonitor/8.0/config/dellpowerstore/activity.md @@ -28,7 +28,7 @@ Checklist Item 1: Plan Deployment - [http://support.emc.com](http://support.emc.com/) -Checklist Item 2: [Install Dell CEE](installcee.md) +Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/8.0/config/dellpowerstore/installcee.md) - Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity agent will be deployed 
@@ -45,7 +45,7 @@ Checklist Item 3: Dell PowerStore Device Configuration - Enable auditing on the PowerStore device - - See the [Enable Auditing for Dell PowerStore](auditing.md) topic for additional information. + - See the [Enable Auditing for Dell PowerStore](/docs/activitymonitor/8.0/config/dellpowerstore/auditing.md) topic for additional information. Checklist Item 4: Activity Monitor Configuration diff --git a/docs/activitymonitor/8.0/config/dellpowerstore/auditing.md b/docs/activitymonitor/8.0/config/dellpowerstore/auditing.md index 80b8bca787..101e9539d8 100644 --- a/docs/activitymonitor/8.0/config/dellpowerstore/auditing.md +++ b/docs/activitymonitor/8.0/config/dellpowerstore/auditing.md @@ -20,7 +20,7 @@ Follow the steps tTo create a new event publishing pool.: **Step 3 –** Specify CEE's address or addresses. -![Create Event Publishing Pool](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/eventpublishingpool.webp) +![Create Event Publishing Pool](/img/product_docs/activitymonitor/config/dellpowerstore/eventpublishingpool.webp) - For SMB shares monitoring (CIFS) enable following Post-Events: – 
@@ -62,17 +62,17 @@ Follow the steps tTo create a an event publisher.: **Step 1 –** Select **Storage** > **NAS Servers** > **NAS Settings** > **Events Publishers**. -![Events Publishing](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/nasservers.webp) +![Events Publishing](/img/product_docs/activitymonitor/config/dellpowerstore/nasservers.webp) **Step 2 –** Click **Create**. -![publishingpools](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/publishingpools.webp) +![publishingpools](/img/product_docs/activitymonitor/config/dellpowerstore/publishingpools.webp) **Step 3 –** Specify the name of the publisher. **Step 4 –** Select the pool and click **Next**. -![configeventpublisher](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/configeventpublisher.webp) +![configeventpublisher](/img/product_docs/activitymonitor/config/dellpowerstore/configeventpublisher.webp) **Step 5 –** Specify Pre-Events Failure Policy as "Ignore - Consider pre-event acknowledged when CEPA servers are offline". @@ -90,13 +90,13 @@ Follow the steps tTo enable or disable event publishing for the NAS Server.: **Step 1 –** Select **Storage** > **NAS Servers**. -![NAS Servers](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/nasserver.webp) +![NAS Servers](/img/product_docs/activitymonitor/config/dellpowerstore/nasserver.webp) **Step 2 –** Go to **[NAS SERVER]** > **Security & Events** > **Events Publishing**. **Step 3 –** Enable and select the publisher. -![nasserver1](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/nasserver1.webp) +![nasserver1](/img/product_docs/activitymonitor/config/dellpowerstore/nasserver1.webp) **Step 4 –** You can enable the event publishing for all file systems on the NAS by checking the box and selecting protocols. 
@@ -111,7 +111,7 @@ the following: **Step 1 –** Select **Storage** > **File Systems** > **[FILE SYSTEM]** > **Security & Events** > **Events Publishing**. -![Event Publising Option for File System](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/fseventpublishing.webp) +![Event Publising Option for File System](/img/product_docs/activitymonitor/config/dellpowerstore/fseventpublishing.webp) **Step 2 –** Enable and select protocols needed. diff --git a/docs/activitymonitor/8.0/config/dellpowerstore/installcee.md b/docs/activitymonitor/8.0/config/dellpowerstore/installcee.md index e53e632154..230cac9b21 100644 --- a/docs/activitymonitor/8.0/config/dellpowerstore/installcee.md +++ b/docs/activitymonitor/8.0/config/dellpowerstore/installcee.md @@ -31,7 +31,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -55,7 +55,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md b/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md index a418ec06f8..9248ef2872 100644 --- a/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md +++ b/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md 
@@ -24,7 +24,7 @@ guide to install and configure the CEE. The installation will add two services t asynchronous bulk delivery (VCAPS) feature. After Dell CEE installation is complete, it is necessary to complete the -[Unity Initial Setup with Unisphere](setupunisphere.md). +[Unity Initial Setup with Unisphere](/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md). ## Configure Dell Registry Key Settings @@ -34,7 +34,7 @@ manually set the Dell CEE registry key to forward events. **Step 1 –** Open the Registry Editor (run regedit). -![registryeditor](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) +![registryeditor](/img/product_docs/activitymonitor/config/dellpowerstore/registryeditor.webp) **Step 2 –** Navigate to following location: @@ -58,7 +58,7 @@ StealthAUDIT@192.168.30.15 **Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. diff --git a/docs/activitymonitor/8.0/config/dellunity/Validate.md b/docs/activitymonitor/8.0/config/dellunity/Validate.md index cf7136ec25..4ce3da5a8a 100644 --- a/docs/activitymonitor/8.0/config/dellunity/Validate.md +++ b/docs/activitymonitor/8.0/config/dellunity/Validate.md 
@@ -6,7 +6,7 @@ configuration must be validated to ensure events are being monitored. ## Validate CEE Registry Key Settings **NOTE:** See the -[Configure Dell Registry Key Settings](../dellcelerravnx/InstallCEE.md#configure-dell-registry-key-settings) +[Configure Dell Registry Key Settings](/docs/activitymonitor/8.0/config/dellcelerravnx/InstallCEE.md#configure-dell-registry-key-settings) topic for information on manually setting the registry key. After the Activity Monitor activity agent has been configured to monitor the Dell device, it will @@ -23,7 +23,7 @@ following steps. HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration -![registryeditorendpoint](../../../../../static/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) +![registryeditorendpoint](/img/product_docs/activitymonitor/config/dellunity/registryeditorendpoint.webp) **Step 2 –** Ensure that the Enabled parameter is set to 1. @@ -79,7 +79,7 @@ CEE services should be running. If the Activity Agent is not registering events set accurately, validate that the Dell CEE services are running. Open the Services (run `services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) The following services laid down by the Dell CEE installer should have Running as their status: diff --git a/docs/activitymonitor/8.0/config/dellunity/activity.md b/docs/activitymonitor/8.0/config/dellunity/activity.md index 76f2bec040..937c78d31c 100644 --- a/docs/activitymonitor/8.0/config/dellunity/activity.md +++ b/docs/activitymonitor/8.0/config/dellunity/activity.md 
@@ -27,7 +27,7 @@ Checklist Item 1: Plan Deployment - [http://support.emc.com](http://support.emc.com/) -Checklist Item 2: [Install Dell CEE](InstallCEE.md) +Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/8.0/config/dellunity/InstallCEE.md) - Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity agent will be deployed @@ -46,7 +46,7 @@ Checklist Item 3: Dell Unity Device Configuration - Configure initial setup for a Unity device - - [Unity Initial Setup with Unisphere](setupunisphere.md) + - [Unity Initial Setup with Unisphere](/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md) Checklist Item 4: Activity Monitor Configuration @@ -64,4 +64,4 @@ agent will be deployed, the following steps are not needed. - Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT. - Ensure the Dell CAVA service and the Dell CEE Monitor service are running. -- See the [Validate Setup](Validate.md) topic for instructions. +- See the [Validate Setup](/docs/activitymonitor/8.0/config/dellunity/Validate.md) topic for instructions. diff --git a/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md b/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md index 719a101860..4f6c53a7c7 100644 --- a/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md +++ b/docs/activitymonitor/8.0/config/dellunity/setupunisphere.md 
@@ -10,11 +10,11 @@ Follow the steps to configure the initial setup for a Unity device with Unispher Required Unity events needed for CIFS Activity: -![NAM Required Events For CIFS](../../../../../static/img/product_docs/activitymonitor/config/dellunity/eventscifs.webp) +![NAM Required Events For CIFS](/img/product_docs/activitymonitor/config/dellunity/eventscifs.webp) Required Unity events needed for NFS Activity: -![NAM Required Events For NFS](../../../../../static/img/product_docs/activitymonitor/config/dellunity/eventsnfs.webp) +![NAM Required Events For NFS](/img/product_docs/activitymonitor/config/dellunity/eventsnfs.webp) **Step 2 –** Enable Events Publishing: diff --git a/docs/activitymonitor/8.0/config/exchangeonline/activity.md b/docs/activitymonitor/8.0/config/exchangeonline/activity.md index 6a75b3539f..fe419c622b 100644 --- a/docs/activitymonitor/8.0/config/exchangeonline/activity.md +++ b/docs/activitymonitor/8.0/config/exchangeonline/activity.md @@ -130,7 +130,7 @@ list. **Step 3 –** Save this value in a text file. This is needed for adding a Exchange Online host in the Activity Monitor. See the -[Exchange Online](../../activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for +[Exchange Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for additional information. Next identify the Tenant ID. ## Identify the Tenant ID @@ -147,7 +147,7 @@ to copy the Tenant ID from the registered application Overview blade. **Step 2 –** Save this value in a text file. This is needed for adding a Exchange Online host in the Activity Monitor. See the -[Exchange Online](../../activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for +[Exchange Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for additional information. Next identify the Tenant ID. Next generate the application’s Client Secret Key. 
@@ -166,7 +166,7 @@ documentation for additional information. **Step 3 –** Save this value in a text file. This is needed for adding a Exchange Online host in the Activity Monitor. See the -[Exchange Online](../../activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for +[Exchange Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for additional information. Next identify the Tenant ID. Next generate the application’s Client Secret Key. @@ -209,7 +209,7 @@ Copy to clipboard button to copy the Client Secret. **Step 7 –** Save this value in a text file. This is needed for adding a Exchange Online host in the Activity Monitor. See the -[Exchange Online](../../activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for +[Exchange Online](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/exchangeonline.md) topic for additional information. ## Enable Auditing for Exchange Online diff --git a/docs/activitymonitor/8.0/config/hitachi/activity.md b/docs/activitymonitor/8.0/config/hitachi/activity.md index 0a4bcc55b4..f28f57e1f2 100644 --- a/docs/activitymonitor/8.0/config/hitachi/activity.md +++ b/docs/activitymonitor/8.0/config/hitachi/activity.md @@ -42,10 +42,10 @@ Configuration Checklist Complete the following checklist prior to configuring activity monitoring of Hitachi devices. Instructions for each item of the checklist are detailed within the following topics. -Checklist Item 1: [Configure Audit Logs on HNAS](configurelogs.md) +Checklist Item 1: [Configure Audit Logs on HNAS](/docs/activitymonitor/8.0/config/hitachi/configurelogs.md) Checklist Item 2: -[Configure Access to HNAS Audit Logs on Activity Agent Server](configureaccesstologs.md) +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/8.0/config/hitachi/configureaccesstologs.md) Checklist Item 3: Activity Monitor Configuration 
diff --git a/docs/activitymonitor/8.0/config/hitachi/configurelogs.md b/docs/activitymonitor/8.0/config/hitachi/configurelogs.md index 6ab144ed1a..7e06df7feb 100644 --- a/docs/activitymonitor/8.0/config/hitachi/configurelogs.md +++ b/docs/activitymonitor/8.0/config/hitachi/configurelogs.md @@ -29,5 +29,5 @@ not support the Wrap policy. Click OK to close. Once access has been configured on the Hitachi device, it is necessary to configure access to the HNAS audit logs on the Windows server. See the -[Configure Access to HNAS Audit Logs on Activity Agent Server](configureaccesstologs.md) topic for +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/8.0/config/hitachi/configureaccesstologs.md) topic for additional information. diff --git a/docs/activitymonitor/8.0/config/netapp7mode/activity.md b/docs/activitymonitor/8.0/config/netapp7mode/activity.md index 32951747c6..2bfcd734b5 100644 --- a/docs/activitymonitor/8.0/config/netapp7mode/activity.md +++ b/docs/activitymonitor/8.0/config/netapp7mode/activity.md @@ -33,7 +33,7 @@ Checklist Item 1: Plan Deployment - Names of the vFiler™(s) to be monitored - DNS name of the CIFS shares(s) to be monitored -Checklist Item 2: [Provision FPolicy Account](provisionactivity.md) +Checklist Item 2: [Provision FPolicy Account](/docs/activitymonitor/8.0/config/netapp7mode/provisionactivity.md) - Group membership with a role granting access to the following commands: @@ -71,9 +71,9 @@ Checklist Item 3: Firewall Configuration - TCP 135 - TCP 445 - Dynamic port range: TCP/UDP 137-139 -- See the [Enable HTTP or HTTPS](enablehttp.md) topic for instructions. +- See the [Enable HTTP or HTTPS](/docs/activitymonitor/8.0/config/netapp7mode/enablehttp.md) topic for instructions. -Checklist Item 4: [Configure FPolicy](configurefpolicy.md) +Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/8.0/config/netapp7mode/configurefpolicy.md) - If using vFilers: 
diff --git a/docs/activitymonitor/8.0/config/netapp7mode/configurefpolicy.md b/docs/activitymonitor/8.0/config/netapp7mode/configurefpolicy.md index e90cdbfd70..1254e9342e 100644 --- a/docs/activitymonitor/8.0/config/netapp7mode/configurefpolicy.md +++ b/docs/activitymonitor/8.0/config/netapp7mode/configurefpolicy.md @@ -151,7 +151,7 @@ IMPORTANT: - The Activity Monitor must register with the NetApp device as an FPolicy server. By default, it looks for a policy named `StealthAUDIT`. See the - [Customize FPolicy Policy Name](customizefpolicy.md) section for information on using a different + [Customize FPolicy Policy Name](/docs/activitymonitor/8.0/config/netapp7mode/customizefpolicy.md) section for information on using a different policy name. Use the following command to enable the FPolicy to monitor disconnected sessions: diff --git a/docs/activitymonitor/8.0/config/netappcmode/activity.md b/docs/activitymonitor/8.0/config/netappcmode/activity.md index 68529bd49a..da00d1c8dd 100644 --- a/docs/activitymonitor/8.0/config/netappcmode/activity.md +++ b/docs/activitymonitor/8.0/config/netappcmode/activity.md @@ -99,7 +99,7 @@ bursts of activity events. It uses a dedicated volume for each SVM as a staging buffer before the events are sent to Activity Monitor Agent. -Checklist Item 2: [Provision ONTAP Account](provisionactivity.md) +Checklist Item 2: [Provision ONTAP Account](/docs/activitymonitor/8.0/config/netappcmode/provisionactivity.md) - Permission names depend on the API used, ONTAPI/ZAPI or REST API. - The case of domain and username created during the account provisioning process must match exactly 
@@ -169,7 +169,7 @@ Checklist Item 2: [Provision ONTAP Account](provisionactivity.md) - `security login role show-ontapi` – Readonly access -Checklist Item 3: [Configure Network](configurefirewall.md) +Checklist Item 3: [Configure Network](/docs/activitymonitor/8.0/config/netappcmode/configurefirewall.md) - Agent must be able to connect to ONTAP API via a management LIF on ports HTTP (80) or HTTPS (443) @@ -184,7 +184,7 @@ Checklist Item 3: [Configure Network](configurefirewall.md) - Each data serving node should have its own LIF with the `data-fpolicy-client` service. - The default port 9999 can be changed in the agent's settings. -Checklist Item 4: [Configure FPolicy](configurefpolicy.md) +Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/8.0/config/netappcmode/configurefpolicy.md) - Remember: all FPolicy objects and SVM names are case sensitive. - FPolicy must be configured for each SVM to be monitored. diff --git a/docs/activitymonitor/8.0/config/netappcmode/configurefirewall.md b/docs/activitymonitor/8.0/config/netappcmode/configurefirewall.md index cf3f498d0e..34027fecdf 100644 --- a/docs/activitymonitor/8.0/config/netappcmode/configurefirewall.md +++ b/docs/activitymonitor/8.0/config/netappcmode/configurefirewall.md @@ -137,7 +137,7 @@ system services firewall policy show ‑policy enterpriseauditorfirewall ‑serv Verify that the output is displayed as follows: -![validatefirewall](../../../../../static/img/product_docs/activitymonitor/config/netappcmode/validatefirewall.webp) +![validatefirewall](/img/product_docs/activitymonitor/config/netappcmode/validatefirewall.webp) ## FPolicy diff --git a/docs/activitymonitor/8.0/config/netappcmode/provisionactivity.md b/docs/activitymonitor/8.0/config/netappcmode/provisionactivity.md index 87f70664df..87e9c6620b 100644 --- a/docs/activitymonitor/8.0/config/netappcmode/provisionactivity.md +++ b/docs/activitymonitor/8.0/config/netappcmode/provisionactivity.md 
@@ -97,7 +97,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" ``` **NOTE:** If the FPolicy account is configured with these permissions, it is necessary to manually -configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for additional +configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/8.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Less Privileged: Enable/Connect FPolicy & Collect Events @@ -180,7 +180,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/protocols ``` **NOTE:** If the FPolicy account is configured with these permissions, it is necessary to manually -configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for additional +configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/8.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Automatically Configure the FPolicy @@ -260,7 +260,7 @@ security login rest-role create -role enterpriseauditorrest -api "/api/security/ ``` **NOTE:** If the FPolicy account is configured with these permissions, the Activity Monitor can -automatically configure the FPolicy. See the [Configure FPolicy](configurefpolicy.md) topic for +automatically configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/8.0/config/netappcmode/configurefpolicy.md) topic for additional information. ### Access Analyzer Integration 
@@ -359,7 +359,7 @@ security login show example\user1 Verify that the output is displayed as follows: -![validatesecuritylogincreation](../../../../../static/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) +![validatesecuritylogincreation](/img/product_docs/activitymonitor/config/netappcmode/validatesecuritylogincreation.webp) For more information about creating security logins, read the [security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html) diff --git a/docs/activitymonitor/8.0/config/nutanix/activity.md b/docs/activitymonitor/8.0/config/nutanix/activity.md index 98272fce6f..ee1dc3d5d7 100644 --- a/docs/activitymonitor/8.0/config/nutanix/activity.md +++ b/docs/activitymonitor/8.0/config/nutanix/activity.md @@ -18,7 +18,7 @@ audit. **Step 4 –** In the Manage roles dialog box locate the REST API access user section and click **+New user**. -![Manage Roles - File Server](../../../../../static/img/product_docs/activitymonitor/config/nutanix/activitynutanix.webp) +![Manage Roles - File Server](/img/product_docs/activitymonitor/config/nutanix/activitynutanix.webp) **Step 5 –** Enter local user account name and password, then click **Save** to save the settings. diff --git a/docs/activitymonitor/8.0/config/panzura/activity.md b/docs/activitymonitor/8.0/config/panzura/activity.md index 1747d2d76a..3fc7faff82 100644 --- a/docs/activitymonitor/8.0/config/panzura/activity.md +++ b/docs/activitymonitor/8.0/config/panzura/activity.md 
@@ -13,11 +13,11 @@ Auditing must be enabled on the master Panzura node and optionally overridden on nodes to support different deployment scenarios depending on the expected load and network latency. A single agent monitors several Panzura nodes. -![panzurasingleagntmonitor](../../../../../static/img/product_docs/activitymonitor/config/panzura/panzurasingleagntmonitor.webp) +![panzurasingleagntmonitor](/img/product_docs/activitymonitor/config/panzura/panzurasingleagntmonitor.webp) Audit events are distributed between two agents. Audit settings are overridden on one Panzura node. -![auditeventstwoagnt_panzura](../../../../../static/img/product_docs/activitymonitor/config/panzura/auditeventstwoagnt_panzura.webp) +![auditeventstwoagnt_panzura](/img/product_docs/activitymonitor/config/panzura/auditeventstwoagnt_panzura.webp) The monitoring process relies on the Third Party Vendor Support auditing feature of the Panzura CloudFS platform, which uses the AMQP protocol for event delivery. Unlike typical uses of the AMQP @@ -30,7 +30,7 @@ The credentials to access the API must be specified when a Panzura host is added for monitoring. Additionally, the IP address of the port is 4497 by default and can be customized in the properties for the Agent. -**NOTE:** See the [Panzura](../../activitymonitor/admin/monitoredhosts/add/panzura.md) topic for +**NOTE:** See the [Panzura](/docs/activitymonitor/8.0/activitymonitor/admin/monitoredhosts/add/panzura.md) topic for additional information on Panzura Host. To prepare Panzura CloudFS for monitoring, auditing must be enabled. diff --git a/docs/auditor/10.6/auditor/configuration/activedirectory/manual.md b/docs/auditor/10.6/auditor/configuration/activedirectory/manual.md index 9a6812eacf..17ed7f7fa9 100644 --- a/docs/auditor/10.6/auditor/configuration/activedirectory/manual.md +++ b/docs/auditor/10.6/auditor/configuration/activedirectory/manual.md 
@@ -12,8 +12,8 @@ To configure your domain for monitoring manually, you will need: **NOTE:** If these tools are not installed, refer to the following Microsoft articles: -- [Group Policy Management Console]() -- [ADSI Edit]() +- [Group Policy Management Console](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)) +- [ADSI Edit](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773354(v=ws.10)?redirectedfrom=MSDN) Follow the steps to configure your domain for monitoring. diff --git a/docs/auditor/10.6/auditor/configuration/activedirectory/objectlevel.md b/docs/auditor/10.6/auditor/configuration/activedirectory/objectlevel.md index a4543e37bd..caff62c1ec 100644 --- a/docs/auditor/10.6/auditor/configuration/activedirectory/objectlevel.md +++ b/docs/auditor/10.6/auditor/configuration/activedirectory/objectlevel.md @@ -64,7 +64,7 @@ and Schema partitions: ## Enabling object-level auditing for the Configuration and Schema partitions To perform this procedure, you will need the -[ADSI Edit]() utility. In Windows +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. See the topic for additional information on how to install the ADSI Edit utility. diff --git a/docs/auditor/10.6/auditor/configuration/activedirectory/overview.md b/docs/auditor/10.6/auditor/configuration/activedirectory/overview.md index 472f6e47b3..20cae5d0f9 100644 --- a/docs/auditor/10.6/auditor/configuration/activedirectory/overview.md +++ b/docs/auditor/10.6/auditor/configuration/activedirectory/overview.md 
@@ -48,8 +48,8 @@ Domain, Configuration and Schema partitions. It also tracks changes to new objec attributes added due to the Active Directory Schema extension. For detailed information, refer to Microsoft articles: -- [A full list of Active Directory object classes]() -- [A full list of Active Directory object attributes]() +- [A full list of Active Directory object classes](http://msdn.microsoft.com/en-us/library/ms680938(v=vs.85).aspx) +- [A full list of Active Directory object attributes](http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx) Review the following limitations: diff --git a/docs/auditor/10.6/auditor/configuration/activedirectory/tombstone.md b/docs/auditor/10.6/auditor/configuration/activedirectory/tombstone.md index c6869116c4..16cf19f51b 100644 --- a/docs/auditor/10.6/auditor/configuration/activedirectory/tombstone.md +++ b/docs/auditor/10.6/auditor/configuration/activedirectory/tombstone.md @@ -16,7 +16,7 @@ and operability. To change the tombstone lifetime attribute To perform this procedure, you will need the -[ADSI Edit]() utility. In Windows +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. See the topic for additional information on how to install the ADSI Edit utility. diff --git a/docs/auditor/10.6/auditor/configuration/fileservers/overview.md b/docs/auditor/10.6/auditor/configuration/fileservers/overview.md index ce4f412b1b..5e85d31d2c 100644 --- a/docs/auditor/10.6/auditor/configuration/fileservers/overview.md +++ b/docs/auditor/10.6/auditor/configuration/fileservers/overview.md 
@@ -41,7 +41,7 @@ topic for additional information on how to enable monitoring of sensitive data i The table below lists the object types and attributes that can be monitored by Auditor. For more information on the attributes marked with (\*) , refer to the following Microsoft article: -[File Attribute Constants](). +[File Attribute Constants](https://msdn.microsoft.com/en-us/library/windows/desktop/gg258117(v=vs.85).aspx). | Object type | Attributes | | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/auditor/10.6/auditor/configuration/oracle/wallet.md b/docs/auditor/10.6/auditor/configuration/oracle/wallet.md index 2f6ef7bc96..fc47445346 100644 --- a/docs/auditor/10.6/auditor/configuration/oracle/wallet.md +++ b/docs/auditor/10.6/auditor/configuration/oracle/wallet.md @@ -49,7 +49,7 @@ credentials. For example: Windows-based platforms: WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = -(DIRECTORY="D:\\myapp\\atp_credentials"))) +(DIRECTORY="D:\\myapp\\atp_credentials") SSL_SERVER_DN_MATCH=yes @@ -136,7 +136,7 @@ Do the following: 1. Update your sqlnet.ora file. Example: WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = - (DIRECTORY="/home/atpc_credentials"))) + (DIRECTORY="/home/atpc_credentials") 2. Copy the entries in the `tnsnames.ora` file provided in the Autonomous Transaction Processing wallet to your existing `tnsnames.ora` file. diff --git a/docs/auditor/10.6/auditor/tools/objectrestoread.md b/docs/auditor/10.6/auditor/tools/objectrestoread.md index e905bb42b8..ec566dbb36 100644 --- a/docs/auditor/10.6/auditor/tools/objectrestoread.md +++ b/docs/auditor/10.6/auditor/tools/objectrestoread.md 
@@ -28,7 +28,7 @@ are retained when accounts are being deleted. To modify schema container settings To perform this procedure, you will need the -[ADSI Edit]() utility. In Windows +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. See the topic for additional information on how to install the ADSI Edit utility. diff --git a/docs/auditor/10.7/access/general/datagrid.md b/docs/auditor/10.7/access/general/datagrid.md index 162495bc03..5b719cb571 100644 --- a/docs/auditor/10.7/access/general/datagrid.md +++ b/docs/auditor/10.7/access/general/datagrid.md @@ -6,7 +6,7 @@ The data grids within various tables have several features to improve your exper There is a Search box above a table's header row that can be used to filter the table data. -![Search box above a table header row](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablesearch.webp) +![Search box above a table header row](/img/product_docs/accessinformationcenter/access/general/tablesearch.webp) Begin typing in the Search box. The filter acts as a wildcard, filtering the table data as you type. @@ -15,7 +15,7 @@ Begin typing in the Search box. The filter acts as a wildcard, filtering the tab There is a filter icon to the right of each column name that can be used to apply a column specific filter. You can apply filters to multiple columns simultaneously. -![tablecolumnfilter](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumnfilter.webp) +![tablecolumnfilter](/img/product_docs/accessinformationcenter/access/general/tablecolumnfilter.webp) Click the filter icon for the column you want to filter. Select the values you want to filter for from the list, and click **Apply**. 
@@ -23,7 +23,7 @@ from the list, and click **Apply**. **NOTE:** Hold the **Shift** key and click the first and last values to select a group of adjacent values, or hold the **Ctrl** key and click each value to select multiple values individually. -![tablecolumnfilterclear](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumnfilterclear.webp) +![tablecolumnfilterclear](/img/product_docs/accessinformationcenter/access/general/tablecolumnfilterclear.webp) The filter icon is highlighted orange for a column where a filter is applied. To clear an applied filter, click the filter icon and click **Clear**. @@ -32,7 +32,7 @@ filter, click the filter icon and click **Clear**. Table column widths can be resized to change the width. -![Table header showing column line to be used to resize the column](../../../../../static/img/product_docs/accessinformationcenter/access/general/tableresize.webp) +![Table header showing column line to be used to resize the column](/img/product_docs/accessinformationcenter/access/general/tableresize.webp) Simply select the edges of the column headers and drag to the desired width. @@ -40,7 +40,7 @@ Simply select the edges of the column headers and drag to the desired width. Data within a table can be sorted alphanumerically for a column. -![Table column header showing arrow indicating ascending sort](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablesort.webp) +![Table column header showing arrow indicating ascending sort](/img/product_docs/accessinformationcenter/access/general/tablesort.webp) Click on any column header. An arrow will appear next to the column name indicating the sort to be ascending or descending order. 
@@ -50,7 +50,7 @@ ascending or descending order. Columns can be hidden or unhidden. Available columns for a table are listed in the column selector menu that appears when you right-click on a column header. -![Column selector menu showing a hidden column](../../../../../static/img/product_docs/accessinformationcenter/access/general/tablecolumns.webp) +![Column selector menu showing a hidden column](/img/product_docs/accessinformationcenter/access/general/tablecolumns.webp) The column selector menu shows all available columns for the table. Check columns are visible. Unchecked columns are hidden. @@ -60,7 +60,7 @@ Unchecked columns are hidden. There are two export buttons above a table's header row that can be used to export the data currently displayed within the table. -![Export buttons at the top of a table](../../../../../static/img/product_docs/accessinformationcenter/access/general/tableexports.webp) +![Export buttons at the top of a table](/img/product_docs/accessinformationcenter/access/general/tableexports.webp) - CSV Export – Downloads the data within the table in a CSV file format - Excel Export – Downloads the data within the table in an Excel file format diff --git a/docs/auditor/10.7/access/general/editnotes.md b/docs/auditor/10.7/access/general/editnotes.md index c42627460f..4ff4d2d1bc 100644 --- a/docs/auditor/10.7/access/general/editnotes.md +++ b/docs/auditor/10.7/access/general/editnotes.md @@ -5,7 +5,7 @@ note. **Step 1 –** Select the item in the interface and click Edit Notes. The Edit Notes window opens. -![Edit Notes window showing note entry field](../../../../../static/img/product_docs/accessinformationcenter/access/general/editnotes.webp) +![Edit Notes window showing note entry field](/img/product_docs/accessinformationcenter/access/general/editnotes.webp) **Step 2 –** Type or edit the note in the textbox. 
diff --git a/docs/auditor/10.7/access/general/groupmembership.md b/docs/auditor/10.7/access/general/groupmembership.md index 61329ac5ae..5e35071dfa 100644 --- a/docs/auditor/10.7/access/general/groupmembership.md +++ b/docs/auditor/10.7/access/general/groupmembership.md @@ -3,7 +3,7 @@ When a group trustee appears in the Trustee Name column of a review, it appears as a blue hyperlink in addition to the group icon displayed in front of the name. -![Resource Reviews page showing the Group Membership window](../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) +![Resource Reviews page showing the Group Membership window](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) Click the hyperlink to open the Group Membership window. The group’s direct membership is listed for review. Click **Close** to return to the review. diff --git a/docs/auditor/10.7/access/general/removechanges.md b/docs/auditor/10.7/access/general/removechanges.md index 1bd656df8c..20f0f17751 100644 --- a/docs/auditor/10.7/access/general/removechanges.md +++ b/docs/auditor/10.7/access/general/removechanges.md @@ -3,7 +3,7 @@ Select the desired resource on a Review Details page and click **Remove Changes**. The Remove changes window opens to confirm the action. -![Remove changes window](../../../../../static/img/product_docs/accessinformationcenter/access/general/removechanges.webp) +![Remove changes window](/img/product_docs/accessinformationcenter/access/general/removechanges.webp) **CAUTION:** This will clear all owner-recommended changes and notes for the resource. The owner will be required to complete the review again. diff --git a/docs/auditor/10.7/access/reviews/admin/additionalconfig/emailtemplates.md b/docs/auditor/10.7/access/reviews/admin/additionalconfig/emailtemplates.md index 99eca1d2f8..87705a0773 100644 
--- a/docs/auditor/10.7/access/reviews/admin/additionalconfig/emailtemplates.md +++ b/docs/auditor/10.7/access/reviews/admin/additionalconfig/emailtemplates.md @@ -42,7 +42,7 @@ Follow the steps to customize the email templates. **NOTE:** To successfully modify these Notifications email templates, a familiarity with basic HTML is necessary. -![Access Reviews installation directory showing the Templates zip file](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/additionalconfig/emailtemplates.webp) +![Access Reviews installation directory showing the Templates zip file](/img/product_docs/auditor/access/reviews/admin/additionalconfig/emailtemplates.webp) **Step 1 –** Navigate to the Access Reviews installation directory. @@ -52,7 +52,7 @@ named `Templates`. **CAUTION:** The customized email templates must be in the `Templates` folder within the installation directory to be preserved during future application upgrades. -![Templates folder showing email templates](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/additionalconfig/emailtemplatesfolder.webp) +![Templates folder showing email templates](/img/product_docs/auditor/access/reviews/admin/additionalconfig/emailtemplatesfolder.webp) **Step 3 –** Locate the desired HTML message template. diff --git a/docs/auditor/10.7/access/reviews/admin/additionalconfig/overview.md b/docs/auditor/10.7/access/reviews/admin/additionalconfig/overview.md index 1ee2e5f46e..5b3eaa972d 100644 --- a/docs/auditor/10.7/access/reviews/admin/additionalconfig/overview.md +++ b/docs/auditor/10.7/access/reviews/admin/additionalconfig/overview.md 
@@ -3,5 +3,5 @@ In addition to the settings that are available on the Configuration interface, the following configurations and customizations can be done by Administrators: -- [Email Templates](emailtemplates.md) -- [Timeout Parameter](timeoutparameter.md) +- [Email Templates](/docs/auditor/10.7/access/reviews/admin/additionalconfig/emailtemplates.md) +- [Timeout Parameter](/docs/auditor/10.7/access/reviews/admin/additionalconfig/timeoutparameter.md) diff --git a/docs/auditor/10.7/access/reviews/admin/additionalconfig/timeoutparameter.md b/docs/auditor/10.7/access/reviews/admin/additionalconfig/timeoutparameter.md index 3ac71b21aa..71d5a8b1db 100644 --- a/docs/auditor/10.7/access/reviews/admin/additionalconfig/timeoutparameter.md +++ b/docs/auditor/10.7/access/reviews/admin/additionalconfig/timeoutparameter.md @@ -13,7 +13,7 @@ Follow the steps to modify the timeout parameter. **Step 1 –** Open the `AccessInformationCenter.Service.exe.Config` file with a text editor, e.g. Notepad. -![Notepad showing the AccessInformationCenter.Service.exe.Config file](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/additionalconfig/timeout.webp) +![Notepad showing the AccessInformationCenter.Service.exe.Config file](/img/product_docs/auditor/access/reviews/admin/additionalconfig/timeout.webp) **Step 2 –** Change the value for the `AuthSessionTimeout` parameter to the desired number of minutes. For example: diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md b/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md index add61750cb..0dacd40045 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md 
@@ -13,7 +13,7 @@ connecting to the database. If your Database service account uses: - Windows authentication credentials — The same domain credentials are also used for the Active Directory service account -![Configuration interface showing the Active Directory page](../../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Configuration interface showing the Active Directory page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) There are two options for the type of Active Directory service account: diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md b/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md index ae59de3295..c34c289f73 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md @@ -3,7 +3,7 @@ Console access is configured through the Configuration > Console Access page. Adding users to the Access Reviews Console requires the Active Directory service account to be configured. -![Configuration interface showing the Console Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Configuration interface showing the Console Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) There are two levels of access, or roles, which can be granted to domain users or groups: 
@@ -22,19 +22,19 @@ See the Modify the Builtin Administrator Account topic for additional informatio Once users have been granted console access, they can login with their domain credentials. Console access is not a requirement for owners to complete Access Reviews. See the -[URL & Login](../login.md) topic for information on how users will log in and where they are +[URL & Login](/docs/auditor/10.7/access/reviews/admin/login.md) topic for information on how users will log in and where they are directed after login based on their assigned role or lack of role. ## Add Console Users Follow the steps to grant domain users or groups console access. -![Console Access Page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Console Access Page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) **Step 1 –** In the Configuration interface on the Console Access page, click Add. The Console Access wizard opens. -![Console Access wizard showing the Select Trustees page](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessselecttrustee.webp) +![Console Access wizard showing the Select Trustees page](/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessselecttrustee.webp) **Step 2 –** On the Select Trustee page, enter the following information and click Next: 
@@ -43,7 +43,7 @@ Access wizard opens. - Search — Begin typing the sAMAccountName or display name and the field will auto-populate options from Active Directory sAMAccountName -![Console Access wizard showing the Select Access page](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessselectaccess.webp) +![Console Access wizard showing the Select Access page](/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessselectaccess.webp) **Step 3 –** On the Select Access page, enter the following information and click **Finish**: @@ -58,7 +58,7 @@ Access wizard opens. - Access is enabled – A user's account must be enabled in order to log into the console. Unchecking this option allows you to configure access to be granted at a future time. -![Console Access Page displaying users with various assigned roles](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessadd.webp) +![Console Access Page displaying users with various assigned roles](/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessadd.webp) **Step 4 –** The new user displays in the list on the Console Access page. Repeat these steps for each trustee to be granted console access. @@ -78,7 +78,7 @@ additional information. **Step 1 –** In the Configuration interface on the Console Access page, select the user to be modified and click Modify. The Console Access wizard opens to the Select Access page. -![Console Access wizard showing the Select Access page when modifying](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessmodifyselectaccess.webp) +![Console Access wizard showing the Select Access page when modifying](/img/product_docs/auditor/access/reviews/admin/configuration/consoleaccessmodifyselectaccess.webp) **Step 2 –** Modify the desired settings and click **Finish**: 
@@ -106,7 +106,7 @@ user is to disable their access. See the Modify Console Users topic for addition Follow the steps to remove a user’s configured console access. -![Console Access Page showing various user accounts, with one selected enabling the Modify and Remove buttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessremove.webp) +![Console Access Page showing various user accounts, with one selected enabling the Modify and Remove buttons](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/consoleaccessremove.webp) **Step 1 –** In the Configuration interface on the Console Access page, select the user. @@ -119,7 +119,7 @@ The user is removed from the list on the Console Access page. The Builtin Administrator account can be disabled or its password can be changed. Follow the steps to modify this account. -![modifybuiltinadministrator](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/modifybuiltinadministrator.webp) +![modifybuiltinadministrator](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/modifybuiltinadministrator.webp) **Step 1 –** In the Configuration interface on the Console Access page, select the Builtin Administrator account and click **Modify**. The Builtin Administrator window opens. diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/database.md b/docs/auditor/10.7/access/reviews/admin/configuration/database.md index 7628ad766c..16bb8bac05 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/database.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/database.md 
@@ -4,7 +4,7 @@ The Access Reviews application must have access to the SQL Server hosting the da configured during installation. If it is necessary to modify these setting after installation, that is done on the Database Page of the Configuration interface. -![Configuration interface showing the Database page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/database.webp) +![Configuration interface showing the Database page](/img/product_docs/threatprevention/threatprevention/install/database.webp) SQL Server database information: diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md b/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md index 1f50e28003..f5249de1e7 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md @@ -3,7 +3,7 @@ Download logs and enable debug log level for troubleshooting with Netwrix Support on the Diagnostics page of the Configuration interface. -![Configuration interface showing the Diagnostics page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/diagnostics.webp) +![Configuration interface showing the Diagnostics page](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/diagnostics.webp) When requested by [Netwrix Support](https://www.netwrix.com/support.html), click Download Logs to download the archive of all application logs. diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md b/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md index 9d731a7e68..59544b9acb 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md 
@@ -4,7 +4,7 @@ The Access Reviews application uses the Simple Mail Transfer Protocol (SMTP) to SMTP server information and several messaging options can be set through the Configuration > Notifications page. -![Notifications Page](../../../../../../../static/img/product_docs/1secure/admin/notifications.webp) +![Notifications Page](/img/product_docs/1secure/admin/notifications.webp) At the top, the SMTP server and email security settings are configured. The Notification options is where you configure the sender information, and other optional settings. The Reminders section is @@ -15,7 +15,7 @@ for configuring weekly reminders for owners with outstanding reviews. SMTP server information is supplied and modified on the Notifications page. Follow the steps to configure or modify the SMTP settings. -![Notifications page SMTP server settings section](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/notificationssmtp.webp) +![Notifications page SMTP server settings section](/img/product_docs/auditor/access/reviews/admin/configuration/notificationssmtp.webp) **Step 1 –** In the Configuration interface, select the Notifications page. 
@@ -54,12 +54,12 @@ email/messaging administrator who will know the proper value for the SMTP port. - Select this radio button to specify either domain account or a traditional SMTP account and password to authenticate to the SMTP server. -![Test Settings window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestsettings.webp) +![Test Settings window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestsettings.webp) **Step 5 –** Click **Test Settings** to ensure a connection to the SMTP server. The Test Settings window opens. Enter a valid email address and click **OK**. -![Testing your settings window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestconfirm.webp) +![Testing your settings window](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationstestconfirm.webp) **Step 6 –** If the SMTP settings are configured correctly, you receive a successful message. Click **OK** to close the Testing your settings window. The test recipient should have recieved a test @@ -75,7 +75,7 @@ Notification options. Once the SMTP server is configured, there are additional options. Only the Reply-To field must be populated: -![Notifications page showing Notification Options section](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/configuration/notificationsoptions.webp) +![Notifications page showing Notification Options section](/img/product_docs/auditor/access/reviews/admin/configuration/notificationsoptions.webp) - Reply-To — The email address that receives responses to notifications sent by the application. This can be a “no reply” address. 
@@ -96,7 +96,7 @@ Resource Owners receive notification email when there are new pending tasks asso resources. You can also set up automated weekly reminders for outstanding pending tasks. Follow the steps to configure weekly reminders to resource owners. -![Notifications page showing the Reminders section](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsreminders.webp) +![Notifications page showing the Reminders section](/img/product_docs/accessinformationcenter/access/informationcenter/admin/configuration/notificationsreminders.webp) **Step 1 –** In the Configuration interface, select the Notifications page and scroll down to the Reminders section. diff --git a/docs/auditor/10.7/access/reviews/admin/configuration/overview.md b/docs/auditor/10.7/access/reviews/admin/configuration/overview.md index 96764f467d..b26e1cf856 100644 --- a/docs/auditor/10.7/access/reviews/admin/configuration/overview.md +++ b/docs/auditor/10.7/access/reviews/admin/configuration/overview.md 
@@ -3,14 +3,14 @@ The Configuration interface is available only to users with the Administrator role. It is opened by the **Configuration** tab. -![Configuration interface showing the Console Access page](../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) +![Configuration interface showing the Console Access page](/img/product_docs/accessanalyzer/admin/settings/access/rolebased/consoleaccess.webp) It has the following pages: -- [Console Access Page](consoleaccess.md) – Grant users console access -- [Active Directory Page](activedirectory.md) – Configure the Active Directory service account used +- [Console Access Page](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md) – Grant users console access +- [Active Directory Page](/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md) – Configure the Active Directory service account used to add console users. -- [Notifications Page](notifications.md) – Configure the SMTP server, email security settings, +- [Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) – Configure the SMTP server, email security settings, notification options, and owner reminder settings -- [Database Page](database.md) – Configure the connection to the database -- [Diagnostics Page](diagnostics.md) – Download logs and enable debug log level for troubleshooting +- [Database Page](/docs/auditor/10.7/access/reviews/admin/configuration/database.md) – Configure the connection to the database +- [Diagnostics Page](/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md) – Download logs and enable debug log level for troubleshooting diff --git a/docs/auditor/10.7/access/reviews/admin/firstlaunch.md b/docs/auditor/10.7/access/reviews/admin/firstlaunch.md index 47a09d7949..dbfd73c034 100644 --- a/docs/auditor/10.7/access/reviews/admin/firstlaunch.md 
+++ b/docs/auditor/10.7/access/reviews/admin/firstlaunch.md @@ -2,11 +2,11 @@ The installer places the following icon on the desktop which opens the Access Reviews Console: -![desktopicon](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) +![desktopicon](/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) Use this icon to launch the Access Reviews Console for the first time. -![Set Builtin Administrator Password page](../../../../../../static/img/product_docs/auditor/access/reviews/admin/firstlaunchpassword.webp) +![Set Builtin Administrator Password page](/img/product_docs/auditor/access/reviews/admin/firstlaunchpassword.webp) The Access Reviews application is installed with a Builtin Administrator account; "admin" is the User Name. You will be prompted to set the account's password. It must be eight or more characters 
@@ -18,15 +18,15 @@ Administrator account. See the [Modify the Builtin Administrator Account](configuration/consoleaccess.md#modify-the-builtin-administrator-account) topic for additional information. -![firstlaunchlandingpage](../../../../../../static/img/product_docs/auditor/access/reviews/admin/firstlaunchlandingpage.webp) +![firstlaunchlandingpage](/img/product_docs/auditor/access/reviews/admin/firstlaunchlandingpage.webp) The Resource Owners interface opens. The first thing that should be done is to configure console access for domain users and configure notification settings. Select the Configuration tab. See the -[Console Access Page](configuration/consoleaccess.md) and -[Notifications Page](configuration/notifications.md) topics for additional information. +[Console Access Page](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md) and +[Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topics for additional information. The interfaces available to console users are controlled by the role assigned. Owners do not need to -be assigned console access. See the [URL & Login](login.md) topic for information on how users will +be assigned console access. See the [URL & Login](/docs/auditor/10.7/access/reviews/admin/login.md) topic for information on how users will log in and where they are directed after login. -See the [Navigation](navigate.md) topic for information on each of the interfaces. +See the [Navigation](/docs/auditor/10.7/access/reviews/admin/navigate.md) topic for information on each of the interfaces. diff --git a/docs/auditor/10.7/access/reviews/admin/login.md b/docs/auditor/10.7/access/reviews/admin/login.md index d9bcf449ca..868c311792 100644 --- a/docs/auditor/10.7/access/reviews/admin/login.md +++ b/docs/auditor/10.7/access/reviews/admin/login.md 
@@ -41,7 +41,7 @@ username needs to be entered in the `domain\username` format. **NOTE:** The URL may need to be added to the browser’s list of trusted sites. -![Access Information Center Login page](../../../../../../static/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) +![Access Information Center Login page](/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) The interface a user arrives at depends upon the assigned role or lack of assigned role. @@ -52,14 +52,14 @@ Role based access controls what interfaces users can see and where each user is **_RECOMMENDED:_** Send an email to your users. Let them know why you are implementing use of the application, provide the URL, and explain how to login with their domain credentials and the username format. See the -[Enable Console Users](../../../auditor/accessreviews.md#enable-console-users) topic for additional +[Enable Console Users](/docs/auditor/10.7/auditor/accessreviews.md#enable-console-users) topic for additional information. ### Administrator Role Users granted the Administrator role are directed to the Resource Owners interface upon login. -![Resource Owners interface as the landing page for an Administrator user](../../../../../../static/img/product_docs/auditor/access/reviews/admin/landingadmin.webp) +![Resource Owners interface as the landing page for an Administrator user](/img/product_docs/auditor/access/reviews/admin/landingadmin.webp) Administrators are the only ones with access to the Configuration interface. The My Reviews interface is available if the logged in user is also assigned ownership of a resource. 
@@ -68,7 +68,7 @@ interface is available if the logged in user is also assigned ownership of a res Users granted the Security Team role are directed to the Resource Owners interface upon login. -![Resource Owners interface as the landing page for a Security Team user](../../../../../../static/img/product_docs/auditor/access/reviews/admin/landingsecurityteam.webp) +![Resource Owners interface as the landing page for a Security Team user](/img/product_docs/auditor/access/reviews/admin/landingsecurityteam.webp) Security Team members only lack access to the Configuration interface, which is only available to Administrators. The My Reviews interface is available if the logged in user is also assigned @@ -79,6 +79,6 @@ ownership of a resource. Users assigned ownership of a resource but not granted a user role are directed to the My Reviews interface upon login. -![My Reviews interface as the landing page for an Owner without a user role](../../../../../../static/img/product_docs/auditor/access/reviews/admin/landingowner.webp) +![My Reviews interface as the landing page for an Owner without a user role](/img/product_docs/auditor/access/reviews/admin/landingowner.webp) Owners can view pending reviews and view historical reviews. diff --git a/docs/auditor/10.7/access/reviews/admin/navigate.md b/docs/auditor/10.7/access/reviews/admin/navigate.md index efbd92099f..b964d608c4 100644 --- a/docs/auditor/10.7/access/reviews/admin/navigate.md +++ b/docs/auditor/10.7/access/reviews/admin/navigate.md 
@@ -3,7 +3,7 @@ The Access Reviews Console has four interfaces. Upon login, users granted console access are brought to the Resource Owners interface. -![Access Information Center landing page, Resource Owners interface, with all 4 tabs available to an Administrator who is also an assigned owner](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Access Information Center landing page, Resource Owners interface, with all 4 tabs available to an Administrator who is also an assigned owner](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The signed in user is displayed in the upper-right corner, along with the **Sign out** link. The available interfaces change according to the role assigned to the user. @@ -14,7 +14,7 @@ The Configuration tab opens the Configuration interface. Configure console acces service account, notification settings, database access, and diagnostic logging level. This interface is available only to users with the Administrator role. See the -[Configuration Interface Overview](configuration/overview.md) topic for additional information. +[Configuration Interface Overview](/docs/auditor/10.7/access/reviews/admin/configuration/overview.md) topic for additional information. For Security Team & Administrator 
@@ -24,7 +24,7 @@ Reviews workflow must first be assigned at least one owner within the Resource O Assigned owners can log in to complete reviews. This interface is available only to users with either the Security Team or Administrator role. See -the [Resource Owners Interface](../resourceowners/interface.md) topic for additional information. +the [Resource Owners Interface](/docs/auditor/10.7/access/reviews/resourceowners/interface.md) topic for additional information. The Entitlement Reviews tab opens the Entitlement Reviews interface. Create and manage reviews. There are two types of reviews for resources being managed within the Access Reviews application: @@ -32,7 +32,7 @@ resource Access reviews and group Membership reviews. This does require the Acce application to be configured to send notifications. This interface is available only to users with either the Security Team or Administrator role. See -the [Entitlement Reviews Interface](../entitlementreviews/interface.md) topic for additional +the [Entitlement Reviews Interface](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md) topic for additional information. For Assigned Owner @@ -42,7 +42,7 @@ an assigned owner of at least one resource. Assigned owners without a user role My Reviews interface at login. The My Reviews interface is available to any domain user who has been assigned ownership of a -resource. See the [Owners & Access Reviews](../resourceowners/owneroverview.md) topic for additional +resource. See the [Owners & Access Reviews](/docs/auditor/10.7/access/reviews/resourceowners/owneroverview.md) topic for additional information. ## Interface Quick Reference diff --git a/docs/auditor/10.7/access/reviews/admin/overview.md b/docs/auditor/10.7/access/reviews/admin/overview.md index 3595cf22ac..1a9ed9f413 100644 --- a/docs/auditor/10.7/access/reviews/admin/overview.md +++ b/docs/auditor/10.7/access/reviews/admin/overview.md 
@@ -3,10 +3,10 @@ Access Reviews administrators have access to the Configuration interface where there application settings reside. This topic includes the following subtopics: -- [Getting Started](../../../auditor/accessreviews.md#getting-started) -- [First Launch](firstlaunch.md) -- [Navigation](navigate.md) -- [Configuration Interface Overview](configuration/overview.md) -- [Additional Configuration Options](additionalconfig/overview.md) -- [URL & Login](login.md) -- [Troubleshooting](troubleshooting/overview.md) +- [Getting Started](/docs/auditor/10.7/auditor/accessreviews.md#getting-started) +- [First Launch](/docs/auditor/10.7/access/reviews/admin/firstlaunch.md) +- [Navigation](/docs/auditor/10.7/access/reviews/admin/navigate.md) +- [Configuration Interface Overview](/docs/auditor/10.7/access/reviews/admin/configuration/overview.md) +- [Additional Configuration Options](/docs/auditor/10.7/access/reviews/admin/additionalconfig/overview.md) +- [URL & Login](/docs/auditor/10.7/access/reviews/admin/login.md) +- [Troubleshooting](/docs/auditor/10.7/access/reviews/admin/troubleshooting/overview.md) diff --git a/docs/auditor/10.7/access/reviews/admin/troubleshooting/credentialpasswords.md b/docs/auditor/10.7/access/reviews/admin/troubleshooting/credentialpasswords.md index a0463c74a2..bc565c8b3d 100644 --- a/docs/auditor/10.7/access/reviews/admin/troubleshooting/credentialpasswords.md +++ b/docs/auditor/10.7/access/reviews/admin/troubleshooting/credentialpasswords.md 
@@ -14,14 +14,14 @@ may be impacted by password changes or security policies: The Database service account grants access to the SQL Server database. It can be updated on the Database page of the Configuration interface. See the -[Update the Database Service Account Password](../configuration/database.md#update-the-database-service-account-password) +[Update the Database Service Account Password](/docs/auditor/10.7/access/reviews/admin/configuration/database.md#update-the-database-service-account-password) topic for instructions. ## Active Directory Service Account The Active Directory service account handles user authentication to the Access Reviews Console. It can be updated on the Active Directory page of the Configuration interface. See the -[Update the Active Directory Service Account Password](../configuration/activedirectory.md#update-the-active-directory-service-account-password) +[Update the Active Directory Service Account Password](/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md#update-the-active-directory-service-account-password) topic for instructions. ## SMTP Authentication Service Account @@ -29,7 +29,7 @@ topic for instructions. An SMTP server is required for the application to send notifications. If the SMTP server requires authentication, the service account can be updated on the Notifications page of the Configuration interface. See the -[Configure SMTP Server Settings](../configuration/notifications.md#configure-smtp-server-settings) +[Configure SMTP Server Settings](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md#configure-smtp-server-settings) topic for instructions. ## Application Service Account 
@@ -46,5 +46,5 @@ It is used to complete the initial configuration steps and to grant console acce This account can be disabled after Administrator users are added. However, if it is enabled and a security policy requires the password to be reset, it can be updated on the Console Access page of the Configuration interface. See the -[Modify the Builtin Administrator Account](../configuration/consoleaccess.md#modify-the-builtin-administrator-account) +[Modify the Builtin Administrator Account](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account) topic for modification instructions. diff --git a/docs/auditor/10.7/access/reviews/admin/troubleshooting/loglevel.md b/docs/auditor/10.7/access/reviews/admin/troubleshooting/loglevel.md index 5c98cdfa7d..f855f5b3d6 100644 --- a/docs/auditor/10.7/access/reviews/admin/troubleshooting/loglevel.md +++ b/docs/auditor/10.7/access/reviews/admin/troubleshooting/loglevel.md @@ -10,7 +10,7 @@ Follow the steps to modify the log level. **Step 1 –** Open the `AccessInformationCenter.Service.exe.Config` file in a text editor, e.g. Notepad. -![AccessInformationCenter.Service.exe.Config file in Notepad](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/troubleshooting/logvalue.webp) +![AccessInformationCenter.Service.exe.Config file in Notepad](/img/product_docs/auditor/access/reviews/admin/troubleshooting/logvalue.webp) **Step 2 –** The level value is set in the `LogLevel` parameter, where "2" is the default level. As the logging level increases from 0 to 3, the types of information and level of detail included diff --git a/docs/auditor/10.7/access/reviews/admin/troubleshooting/overview.md b/docs/auditor/10.7/access/reviews/admin/troubleshooting/overview.md index da68753e89..018a33358c 100644 --- a/docs/auditor/10.7/access/reviews/admin/troubleshooting/overview.md +++ b/docs/auditor/10.7/access/reviews/admin/troubleshooting/overview.md 
@@ -12,22 +12,22 @@ account. Check the Database, Active Directory, and Notification pages in the Con to confirm where the account is in use before modifying it to ensure these functionality are not impaired. If this account is changed, a new account must have the **Full Control** permission to files and folders in the Access Reviews installation directory. See the -[Application Service Account](serviceaccount.md) topic for additional information. +[Application Service Account](/docs/auditor/10.7/access/reviews/admin/troubleshooting/serviceaccount.md) topic for additional information. Log File: By default the Access Reviews application is configured to log at the Info level. When requested by Netwrix Support, you can enable Debug level from the Diagnostics page of the Configuration -interface. See the [Diagnostics Page](../configuration/diagnostics.md) topic for additional +interface. See the [Diagnostics Page](/docs/auditor/10.7/access/reviews/admin/configuration/diagnostics.md) topic for additional information. If a different log level is needed or desired, the `aic.log` file can be modified. See the -[Change Log Level](loglevel.md) topic for additional information. +[Change Log Level](/docs/auditor/10.7/access/reviews/admin/troubleshooting/loglevel.md) topic for additional information. Credential Password Changes: The Access Reviews application uses several different types of service accounts. If a credential password for one of these accounts is no longer valid, it will impact application functionality. Additionally, if the Builtin Administrator account remains enabled, it may be necessary to reset the -password. See the [Update Credential Passwords](credentialpasswords.md) topic for additional +password. See the [Update Credential Passwords](/docs/auditor/10.7/access/reviews/admin/troubleshooting/credentialpasswords.md) topic for additional information. 
diff --git a/docs/auditor/10.7/access/reviews/admin/troubleshooting/serviceaccount.md b/docs/auditor/10.7/access/reviews/admin/troubleshooting/serviceaccount.md index 6dd2378791..3966244871 100644 --- a/docs/auditor/10.7/access/reviews/admin/troubleshooting/serviceaccount.md +++ b/docs/auditor/10.7/access/reviews/admin/troubleshooting/serviceaccount.md @@ -24,12 +24,12 @@ Access Reviews service. **Step 1 –** Navigate to Service Control Manager (`services.msc`). The Services Control Manager opens. -![Services Manager Console showing the Netwrix Access Information Center service and the right-click Menu](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/troubleshooting/servicesmanager.webp) +![Services Manager Console showing the Netwrix Access Information Center service and the right-click Menu](/img/product_docs/auditor/access/reviews/admin/troubleshooting/servicesmanager.webp) **Step 2 –** Right-click on the Netwrix Auditor Access Reviews service and select **Properties**. The service Properties window opens. -![Netwrix Access Information Center service Properties window with Select User browser window](../../../../../../../static/img/product_docs/auditor/access/reviews/admin/troubleshooting/serviceproperties.webp) +![Netwrix Access Information Center service Properties window with Select User browser window](/img/product_docs/auditor/access/reviews/admin/troubleshooting/serviceproperties.webp) **Step 3 –** On the **Log On** tab, select the **This account** radio button. Enter the account name using NTAccount format [```DOMAIN\username```]. Optionally, use the **Browse** button to search for diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/approvalprocess.md b/docs/auditor/10.7/access/reviews/entitlementreviews/approvalprocess.md index 98baa89f89..523f5e8a68 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/approvalprocess.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/approvalprocess.md 
@@ -3,7 +3,7 @@ After all owners assigned to a specific review have submitted their review, its status on the Manage Reviews page of the Entitlement Reviews interface changes to Responses awaiting review. -![Resource Reviews interface showing Manage Reviews page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) +![Resource Reviews interface showing Manage Reviews page](/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) In the approval process, the Review Administrator looks at the owner-recommended changes and chooses to approve, deny, or defer the changes. 
@@ -19,16 +19,16 @@ Follow the steps to perform a granular review of a resource owner's recommended **Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review Details page opens. -![Resource Reviews interface showing the Review Details page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) +![Resource Reviews interface showing the Review Details page](/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) **Step 2 –** Select a resource in the list and click **View Responses**. The View Responses window opens. -![viewresponses](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) +![viewresponses](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) **Step 3 –** By default, the table displays only the recommended changes. Select an item and click the desired action button: Accept, Decline, or Defer. The Approval column icon updates. See the -[View Responses Window](window/viewresponses.md) topic for additional information. +[View Responses Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md) topic for additional information. **Step 4 –** Repeat Step 3 until all changes have been processed. Then click **Close**. The View Responses window closes. 
@@ -51,7 +51,7 @@ Follow the steps to perform a batch processing of a resource owner's recommended **Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review Details page opens. . -![Resource Reviews interface showing the Review Details page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) +![Resource Reviews interface showing the Review Details page](/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) **Step 2 –** Select a resource in the list and open the **Process Changes** drop-down menu. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md b/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md index b68b8f416e..e39c5fb640 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md @@ -11,7 +11,7 @@ Administrators perform many operations around managing reviews. This interface h The Manage Reviews page is the first page in the Entitlement Reviews interface. It displays high-level information for reviews. -![Entitlement Reviews interface showing Manage Reviews page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) +![Entitlement Reviews interface showing Manage Reviews page](/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) The interface includes: 
@@ -55,20 +55,20 @@ The information displayed in the table includes: has been run multiple times, this is the date timestamp of the last instance. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to conduct the following actions: | Button | Description | | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Create | Launches the Create Review wizard for creating a new review. See the [Create Review Wizard](wizard/create.md) topic for additional information. | -| Rename | Opens the Rename Review window for modifying the review name. See the [Rename Review Window](window/renamereview.md) topic for additional information. | -| Delete | Opens the Delete Review window to delete review and its instance history, which asks for confirmation of the action. See the [Delete Review Window](window/deletereview.md) topic for additional information. | -| Stop | Opens the Stop Review window, which asks for confirmation of the action. See the [Stop Review Window](window/stopreview.md) topic for additional information. | +| Create | Launches the Create Review wizard for creating a new review. See the [Create Review Wizard](/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md) topic for additional information. | +| Rename | Opens the Rename Review window for modifying the review name. See the [Rename Review Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/renamereview.md) topic for additional information. 
| +| Delete | Opens the Delete Review window to delete review and its instance history, which asks for confirmation of the action. See the [Delete Review Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md) topic for additional information. | +| Stop | Opens the Stop Review window, which asks for confirmation of the action. See the [Stop Review Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/stopreview.md) topic for additional information. | | View Details | Opens the Review Details page for the selected review. See the Review Details Page topic for additional information. | | Mark Completed | Closes the selected review as-is and marks it as completed. Requires the owner(s) to have responded. **CAUTION:** No confirmation is requested for this action. | -| Run Again | Opens the Create Review wizard for the selected review without the option to change the review type. Modify as desired and relaunch the review. See the [Review Instances](reviewinstances.md) topic for additional information. | -| Send Reminders | Sends a notification email to the assigned owner(s), reminding of the pending review. Opens the Send Reminders window, which indicates an action status. See the [Send Reminders Window](window/sendreminders.md) topic for additional information. | +| Run Again | Opens the Create Review wizard for the selected review without the option to change the review type. Modify as desired and relaunch the review. See the [Review Instances](/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md) topic for additional information. | +| Send Reminders | Sends a notification email to the assigned owner(s), reminding of the pending review. Opens the Send Reminders window, which indicates an action status. See the [Send Reminders Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/sendreminders.md) topic for additional information. | ## Review Details Page 
@@ -76,7 +76,7 @@ The Review Details page displays information for all instances of the selected r named in the page breadcrumb. This page is opened by selecting a review on the Manage Reviews page and clicking **View Details**. -![Entitlement Reviews interface showing the Review Details page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) +![Entitlement Reviews interface showing the Review Details page](/img/product_docs/auditor/access/reviews/entitlementreviews/reviewdetailspage.webp) Instances are selected from the drop-down menu. By default the most current instance will be displayed. Instances are named with date timestamps indicating the start and end times for the 
@@ -108,19 +108,19 @@ The information displayed in the table includes: - Approval Notes – Icon indicates a Note has been added. Click on the icon to read the attached note(s). Notes displayed here can only be added or viewed by the Review Administrator. See the - [Edit Notes Window](../../general/editnotes.md) topic for additional information. + [Edit Notes Window](/docs/auditor/10.7/access/general/editnotes.md) topic for additional information. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. The buttons at the top and bottom enable you to conduct the following actions: | Button | Description | | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Delete | Opens the Delete Review window to delete selected review instance, which asks for confirmation of the action. See the [Delete Review Window](window/deletereview.md) topic for additional information. | -| Export Excel | Exports the selected review instance information to an Excel spreadsheet. This automatically downloads the spreadsheet. See the [Data Grid Features](../../general/datagrid.md) topic for additional information. | -| Export CSV | Exports the selected review instance information to a CSV file. This automatically downloads the file. See the [Data Grid Features](../../general/datagrid.md) topic for additional information. | -| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. 
See the [Edit Notes Window](../../general/editnotes.md) topic for additional information. | -| View Responses | Opens the View Responses window, which is only available if the owner has recommended changes for the resource. This window displays all recommended changes, notes provided by the owner for the recommended change, and action buttons to Accept, Decline, or Defer the recommended change. See the [View Responses Window](window/viewresponses.md) topic for additional information. | +| Delete | Opens the Delete Review window to delete selected review instance, which asks for confirmation of the action. See the [Delete Review Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md) topic for additional information. | +| Export Excel | Exports the selected review instance information to an Excel spreadsheet. This automatically downloads the spreadsheet. See the [Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. | +| Export CSV | Exports the selected review instance information to a CSV file. This automatically downloads the file. See the [Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. | +| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](/docs/auditor/10.7/access/general/editnotes.md) topic for additional information. | +| View Responses | Opens the View Responses window, which is only available if the owner has recommended changes for the resource. This window displays all recommended changes, notes provided by the owner for the recommended change, and action buttons to Accept, Decline, or Defer the recommended change. See the [View Responses Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md) topic for additional information. 
| | Process Changes | Opens a drop-down menu to Accept, Decline, or Defer all owner-recommended changes for the selected resource. This option allows the Review Administrator to process responses in batches, so all owner-recommended changes for the selected resource will be processed with the same action. | -| Remove Changes | Opens the Remove changes window. Clears all requested changes for the selected resource. The resource is returned to a ‘Waiting’ status, requiring the owner to review the resource again. See the [Remove Changes Window](../../general/removechanges.md) topic for additional information. | +| Remove Changes | Opens the Remove changes window. Clears all requested changes for the selected resource. The resource is returned to a ‘Waiting’ status, requiring the owner to review the resource again. See the [Remove Changes Window](/docs/auditor/10.7/access/general/removechanges.md) topic for additional information. | diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md b/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md index 042c4e01d0..acd3c60f1b 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md 
@@ -40,37 +40,37 @@ There are two types of reviews: - Access – Review user access rights to resources - Membership – Review group membership -See the [Entitlement Reviews Interface](interface.md) topic for additional information. +See the [Entitlement Reviews Interface](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md) topic for additional information. ## Workflow of Reviews Prerequisite: - The Access Reviews application is configured to send Notifications. See the - [Notifications Page](../admin/configuration/notifications.md) topic for additional information. + [Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for additional information. **NOTE:** By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send notifications to all assigned owners. - Owners assigned to resources within the Resource Owners interface. See the - [Resource Owners Overview](../resourceowners/overview.md) topic for additional information. + [Resource Owners Overview](/docs/auditor/10.7/access/reviews/resourceowners/overview.md) topic for additional information. Workflow: **_RECOMMENDED:_** When deploying the Access Reviews application in an organization to process reviews, owners should be notified prior to launching the first set of reviews. See the -[Notification to Owners](../resourceowners/overview.md#notification-to-owners) topic for additional +[Notification to Owners](/docs/auditor/10.7/access/reviews/resourceowners/overview.md#notification-to-owners) topic for additional information. 1. Review Administrator creates a review or starts a new review instance. See the - [Create Review Wizard](wizard/create.md) topic for additional information. -2. Owner performs a review. 
See the [Pending Reviews](pendingreviews.md) topic for additional + [Create Review Wizard](/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md) topic for additional information. +2. Owner performs a review. See the [Pending Reviews](/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md) topic for additional information. 3. Review Administrator approves owner recommendations. See the - [Approval Process](approvalprocess.md) topic for additional information. + [Approval Process](/docs/auditor/10.7/access/reviews/entitlementreviews/approvalprocess.md) topic for additional information. 4. Implement approved changes in your organization. Manually, export a list of approved changes and deliver it to your IT department. When desired, the Review Administrator runs another instance of the review and the workflow starts -again. See the [Review Instances](reviewinstances.md) topic for additional information. +again. See the [Review Instances](/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md) topic for additional information. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md b/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md index c826b5b15d..ceb71b0c1b 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md 
@@ -6,7 +6,7 @@ have to your resource. When the Review Administrator creates a new review or sta of an existing review, you receive an email notification that includes a link to the your pending reviews. -![Email announcing a pending review](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/pendingreviewemail.webp) +![Email announcing a pending review](/img/product_docs/auditor/access/reviews/entitlementreviews/pendingreviewemail.webp) Use the **Sign in** link at the bottom to open the My Reviews interface in the Access Reviews Console. @@ -14,13 +14,13 @@ Console. _Remember,_ your company domain credentials are used to log in. The My Reviews interface has two pages: Pending Reviews and Review History. See the -[Review History Page](reviewhistory.md) topic for additional information. +[Review History Page](/docs/auditor/10.7/access/reviews/entitlementreviews/reviewhistory.md) topic for additional information. ## Pending Reviews Page The Pending Reviews page lists all of your resources included in pending reviews. -![My Reviews interface showing Pending Reviews page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/pendingreivewspage.webp) +![My Reviews interface showing Pending Reviews page](/img/product_docs/auditor/access/reviews/entitlementreviews/pendingreivewspage.webp) The information displayed in the table includes: @@ -36,7 +36,7 @@ The information displayed in the table includes: - Last Reviewed — Date timestamp when the last review took place for the resource. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. Performing a review means you are evaluating the resources. You can leave the resource unchanged or make recommendations for changes. Consider the following examples: 
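Review bot: The new Data Grid Features link at the end of this hunk hard-codes the version directory (`/docs/auditor/10.7/access/general/datagrid.md`), where the relative `../../general/datagrid.md` it replaces resolved inside whichever version tree the file sits in. If this directory is later copied to cut another version, such links will still resolve, but to 10.7 content. Please confirm the build rewrites these paths per version, or record in the commit message that they must be rewritten on each version cut.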
@@ -51,7 +51,7 @@ recommendation and processes those changes. The Begin Review button opens the Resource Review page to start the review. -![Resource Reviews page showing the 1 Make changes tab](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) +![Resource Reviews page showing the 1 Make changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) The Resource Review page varies based on the type of review; however, there are several common features: @@ -79,5 +79,5 @@ features: The content within the table varies, and additional options may appear depending on the type of review being conducted. See the following sections for step by step instructions: -- [Perform an Access Review](review/access.md) -- [Perform a Membership Review](review/membership.md) +- [Perform an Access Review](/docs/auditor/10.7/access/reviews/entitlementreviews/review/access.md) +- [Perform a Membership Review](/docs/auditor/10.7/access/reviews/entitlementreviews/review/membership.md) diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/review/access.md b/docs/auditor/10.7/access/reviews/entitlementreviews/review/access.md index 3e13f374b2..68cca63d42 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/review/access.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/review/access.md 
@@ -6,13 +6,13 @@ to perform an Access review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Access review and click **Begin Review**. The Resource Review page opens to the 1 Make changes tab. -![Resource Reviews page showing an Access Review on 1 Make changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) +![Resource Reviews page showing an Access Review on 1 Make changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewpageaccess.webp) The table displays access information for the resource being reviewed: - Trustee Name — Name of the trustee with access to this resource. If the trustee is a group, click the hyperlink to open the Group Membership window. See the - [Group Membership Window](../../../general/groupmembership.md) topic for additional information. + [Group Membership Window](/docs/auditor/10.7/access/general/groupmembership.md) topic for additional information. - Access Level (Full Control, Modify, and Read) columns — Blue checkmark icon indicates current access level @@ -30,7 +30,7 @@ pending until you submit all recommendations for this resource. **Step 4 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Resource Reviews page showing an Access Review on 2 Review changes tab](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/review/reviewpageaccesstab2.webp) +![Resource Reviews page showing an Access Review on 2 Review changes tab](/img/product_docs/auditor/access/reviews/entitlementreviews/review/reviewpageaccesstab2.webp) **Step 5 –** This tab displays a filtered table of trustees with recommended changes. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave 
diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/review/membership.md b/docs/auditor/10.7/access/reviews/entitlementreviews/review/membership.md index 485fa13c02..728b5e5ec6 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/review/membership.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/review/membership.md @@ -6,13 +6,13 @@ review. **Step 1 –** On the Pending Reviews page, select the resource with a pending Membership review and click **Begin Review**. The Resource Review page opens to the 1 Make changes tab. -![Resource Reviews page showing a Membership Review on 1 Make changes tab](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership.webp) +![Resource Reviews page showing a Membership Review on 1 Make changes tab](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/review/reviewpagemembership.webp) The table displays membership information for the group being reviewed: - Trustee Name — Name of the trustee with group membership. If the trustee is a group, click the hyperlink to open the Group Membership window. See the - [Group Membership Window](../../../general/groupmembership.md) topic for additional information. + [Group Membership Window](/docs/auditor/10.7/access/general/groupmembership.md) topic for additional information. - Member — Blue checkmark icon indicates current membership **Step 2 –** Recommend removing membership by selecting one or more trustees and clicking the 
@@ -25,7 +25,7 @@ pending until you submit all recommendations for this resource. **Step 3 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes tab opens in the Resource Review page. -![Resource Reviews page showing a Membership Review on 2 Review changes tab](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/review/reviewpagemembershiptab2.webp) +![Resource Reviews page showing a Membership Review on 2 Review changes tab](/img/product_docs/auditor/access/reviews/entitlementreviews/review/reviewpagemembershiptab2.webp) **Step 4 –** This tab displays a filtered table of trustees with recommended changes. Confirm your recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/reviewhistory.md b/docs/auditor/10.7/access/reviews/entitlementreviews/reviewhistory.md index de7b840ab3..7384ae912d 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/reviewhistory.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/reviewhistory.md @@ -2,7 +2,7 @@ The Review History page lists all completed review instances for your resources. -![Review History page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/reviewhistorypage.webp) +![Review History page](/img/product_docs/auditor/access/reviews/entitlementreviews/reviewhistorypage.webp) The information displayed in the table includes: 
@@ -16,14 +16,14 @@ The information displayed in the table includes: or Waiting. Hover over a status icon to display its tooltip. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. ## Review Details Window The View Details button at the bottom of the Review History page opens the Review Details window for a resource where changes were recommended. -![Review Details Window](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) +![Review Details Window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/reviewdetails.webp) The information displayed in the table includes: diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md b/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md index 9e0993bf3e..b9adfed668 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/reviewinstances.md 
@@ -6,10 +6,10 @@ review. Each instance is identified by date timestamps indicating its start and **_RECOMMENDED:_** Prior to running another review instance, ensure the most up to date information is available to owners for review. -![Entitlement Reviews interface showing the Manage Review page](../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) +![Entitlement Reviews interface showing the Manage Review page](/img/product_docs/auditor/access/reviews/entitlementreviews/managereviewspage.webp) On the Manage Reviews page in the Entitlement Reviews interface, a review with a Completed status can be started again. Select the review and click **Run Again**. The Create Review wizard opens without the Review Type page. The review can be run as-is by navigating through the wizard with the **Next** buttons, or you can modify as desired. Completing the wizard process restarts the review. -See the [Create Review Wizard](wizard/create.md) topic for additional information. +See the [Create Review Wizard](/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md) topic for additional information. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md index cf85373555..e5a7c1e236 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/deletereview.md 
@@ -1,8 +1,8 @@ # Delete Review Window The Delete Review window opens from either the -[Manage Reviews Page](../interface.md#manage-reviews-page) or the -[Review Details Page](../interface.md#review-details-page) of the Entitlement Reviews interface: +[Manage Reviews Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#manage-reviews-page) or the +[Review Details Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#review-details-page) of the Entitlement Reviews interface: - Delete Entire Review — Deleting a review from the Manage Reviews page will delete all instances of the selected review @@ -14,7 +14,7 @@ The Delete Review window opens from either the Select the desired review on the Manage Reviews page and click **Delete**. The Delete Review window opens to confirm the action. -![Delete Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewentire.webp) +![Delete Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewentire.webp) **CAUTION:** This will delete all instances of the selected review and all historical data associated with it. @@ -26,7 +26,7 @@ Click **Yes** to complete the deletion. Click **No** to cancel it. The Delete Re Select the desired review instance from the drop-down menu on the Review Details page and click **Delete**. The Delete Review window opens to confirm the action. -![Delete Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewinstance.webp) +![Delete Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/deletereviewinstance.webp) **CAUTION:** This will delete all historical data associated to the selected review instance. 
diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/renamereview.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/renamereview.md index e073f6899c..80de42b187 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/renamereview.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/renamereview.md @@ -1,11 +1,11 @@ # Rename Review Window -The Rename Review window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) +The Rename Review window opens from the [Manage Reviews Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#manage-reviews-page) of the Entitlement Reviews interface. Follow the steps to rename a review. **Step 1 –** Select the review and click **Rename**. The Rename Review window opens. -![Rename Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/renamereview.webp) +![Rename Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/renamereview.webp) **Step 2 –** Edit the review name in the textbox. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/selectedresources.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/selectedresources.md index 3034763dfc..47245ceee5 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/selectedresources.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/selectedresources.md 
@@ -1,9 +1,9 @@ # Selected Resources Window The Selected Resources window opens from the **View Selections** button in the -[Create Review Wizard](../wizard/create.md). +[Create Review Wizard](/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md). -![Selected Resources windwo](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) +![Selected Resources windwo](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectedresources.webp) The table displays: diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/sendreminders.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/sendreminders.md index 47fc1d4e19..5341401b30 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/sendreminders.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/sendreminders.md 
@@ -1,14 +1,14 @@ # Send Reminders Window -The Send Reminders window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) +The Send Reminders window opens from the [Manage Reviews Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#manage-reviews-page) of the Entitlement Reviews interface. Select the desired active review(s) and click **Send Reminders** to send immediate reminder notifications. The Send Reminders window opens to display an action status. -![Send Reminders window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/sendreminders.webp) +![Send Reminders window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/sendreminders.webp) The window displays the action status. When a successful status is indicated, assigned owners were sent a reminder email. Click **OK** to close the Send Reminders window. _Remember,_ automatic weekly reminders can be configured on the -[Notifications Page](../../admin/configuration/notifications.md) of the Configuration interface. +[Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) of the Configuration interface. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/stopreview.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/stopreview.md index b7afd4b989..b47dda7ce4 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/stopreview.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/stopreview.md 
@@ -1,10 +1,10 @@ # Stop Review Window -The Stop Review window opens from the [Manage Reviews Page](../interface.md#manage-reviews-page) of +The Stop Review window opens from the [Manage Reviews Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#manage-reviews-page) of the Entitlement Reviews interface. Select the desired active review(s) and click **Stop**. The Stop Review window opens to confirm the action. -![Stop Review window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/stopreview.webp) +![Stop Review window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/stopreview.webp) **CAUTION:** This will prevent owners from completing the review, removing associated resources from their Pending Reviews list. diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md b/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md index a789111d16..2cbcad5f79 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/window/viewresponses.md @@ -1,10 +1,10 @@ # View Responses Window The View Responses window opens from the **View Response** button on the -[Review Details Page](../interface.md#review-details-page) of the Entitlement Reviews interface. It +[Review Details Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#review-details-page) of the Entitlement Reviews interface. It displays all owner-recommended changes and notes for the selected resource. -![View Responses window](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) +![View Responses window](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/viewresponses.webp) The information displayed in the table includes: 
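Review bot: The intro sentence of this viewresponses.md hunk says the window opens from the **View Response** button, but the button table for the Review Details page earlier in this patch names it "View Responses". The link on the next line is already being rewritten, so align the button name in the same change.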
@@ -26,11 +26,11 @@ selecting the items with no changes in the grid, the change buttons at the botto disabled. The table data grid functions the same way as other table grids. See the -[Data Grid Features](../../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. Select an item in the table, and use the action buttons at the bottom to identify the decision: -![viewresponsesbuttons](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/viewresponsesbuttons.webp) +![viewresponsesbuttons](/img/product_docs/accessinformationcenter/access/informationcenter/resourcereviews/window/viewresponsesbuttons.webp) | Button | Description | | ---------- | ---------------------------------------------------- | diff --git a/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md b/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md index a7d6c46e8c..11a05e3ae8 100644 --- a/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md +++ b/docs/auditor/10.7/access/reviews/entitlementreviews/wizard/create.md @@ -1,9 +1,9 @@ # Create Review Wizard The Create Review wizard is opened with the **Create** button on the Entitlement Reviews interface. -See the [Manage Reviews Page](../interface.md#manage-reviews-page) topic for additional information. +See the [Manage Reviews Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#manage-reviews-page) topic for additional information. -![Create Review wizard](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewreviewtype.webp) +![Create Review wizard](/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewreviewtype.webp) It contains three pages: 
@@ -30,7 +30,7 @@ Follow the steps to create a review. **Step 1 –** On the Manage Reviews page, click Create. The Create Review wizard opens. -![Create Review wizard showing the Review Type page](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewreviewtype.webp) +![Create Review wizard showing the Review Type page](/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewreviewtype.webp) **Step 2 –** On the Review Type page, provide the following information and click **Next**: @@ -42,7 +42,7 @@ Follow the steps to create a review. - Membership – Review group membership - Access – Review user access rights to resources -![Create Review wizrd showing the Resources page](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewresources.webp) +![Create Review wizrd showing the Resources page](/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewresources.webp) **Step 3 –** On the Resources page, select the resources to be included in the review. The Search feature is available to filter the list of available resource that match the type of review being 
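Review bot: The added image line in this hunk keeps the alt text "Create Review wizrd showing the Resources page"; correct it to "wizard" while the line is being rewritten, since the alt text is what screen readers and broken-image fallbacks show. The same applies to "Selected Resources windwo" on the added image line in the selectedresources.md hunk.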
@@ -66,10 +66,10 @@ created. - Select the desired resource(s) and click **Add**. The **View Selections** button indicates how many resources have been selected. Click the button to open the Selected Resources window, where you can view and modify the selections. See the - [Selected Resources Window](../window/selectedresources.md) topic for additional information. + [Selected Resources Window](/docs/auditor/10.7/access/reviews/entitlementreviews/window/selectedresources.md) topic for additional information. - Once the desired resources have been selected, click **Next**. -![Create Review wizard showing the Summary page](../../../../../../../static/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewsummary.webp) +![Create Review wizard showing the Summary page](/img/product_docs/auditor/access/reviews/entitlementreviews/wizard/createreviewsummary.webp) **Step 4 –** On the Summary page, review the settings and click Finish. The Access Reviews begins to create the review. Action status displays on the page. When the update has completed (100%), click @@ -79,4 +79,4 @@ The new review displays in the table on the Manage Reviews page. An email was se owner assigned to the resource(s) in this review. By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send notifications to all assigned owners. See the -[Notifications Page](../../admin/configuration/notifications.md) topic for additional information. +[Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for additional information. diff --git a/docs/auditor/10.7/access/reviews/installation/install.md b/docs/auditor/10.7/access/reviews/installation/install.md index 7a7e31fb0b..f752eb7622 100644 --- a/docs/auditor/10.7/access/reviews/installation/install.md +++ b/docs/auditor/10.7/access/reviews/installation/install.md 
@@ -5,16 +5,16 @@ Once the prerequisites have been met, follow the steps to install the Access Rev **Step 1 –** Run the `AccessReviews.exe` executable, and the Netwrix Auditor Access Reviews Setup wizard opens. -![Netwrix Auditor Access Reviews Setup wizard Welcome page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installwelcome.webp) +![Netwrix Auditor Access Reviews Setup wizard Welcome page](/img/product_docs/auditor/access/reviews/installation/installwelcome.webp) **Step 2 –** On the Welcome page, click **Next** to begin the installation process. -![Netwrix Auditor Access Reviews Setup wizard End-User License Agreement page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installeula.webp) +![Netwrix Auditor Access Reviews Setup wizard End-User License Agreement page](/img/product_docs/auditor/access/reviews/installation/installeula.webp) **Step 3 –** On the End-User License Agreement page, select the **I accept the terms in the License Agreement** checkbox and click **Next**. -![Netwrix Auditor Access Reviews Setup wizard Destination Folder page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installdestinationfolder.webp) +![Netwrix Auditor Access Reviews Setup wizard Destination Folder page](/img/product_docs/auditor/access/reviews/installation/installdestinationfolder.webp) **Step 4 –** On the Destination Folder page, you can choose between the default destination folder and a custom folder. Click **Change** to browse for a different location. When the destination is 
@@ -23,7 +23,7 @@ set as desired, click **Next**. **NOTE:** The default location is `C:\Program Files\Netwrix\Access Access Reviews\`. There are no specific requirements for changing the path. -![Netwrix Auditor Access Reviews Setup wizard SQL Server Connection page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installsql.webp) +![Netwrix Auditor Access Reviews Setup wizard SQL Server Connection page](/img/product_docs/auditor/access/reviews/installation/installsql.webp) **Step 5 –** On the SQL Server Connection page, provide the required database information. Click **Next** to test the connection to the SQL Server. @@ -45,15 +45,15 @@ specific requirements for changing the path. - For Windows Authentication – **User Name** format must be `[DOMAIN]\[username]` , for example `NWXTECH\ad.bruce` -**NOTE:** See the [Database Page](../admin/configuration/database.md) topic for additional +**NOTE:** See the [Database Page](/docs/auditor/10.7/access/reviews/admin/configuration/database.md) topic for additional information. -![Database does not exist Confirmation Window](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installsqldatabase.webp) +![Database does not exist Confirmation Window](/img/product_docs/auditor/access/reviews/installation/installsqldatabase.webp) **Step 6 –** If there are no errors, you will be asked to confirm creation of the new database. Click **Yes**. -![Netwrix Auditor Access Reviews Setup wizard Configure Web Server page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installconfigurewebserver.webp) +![Netwrix Auditor Access Reviews Setup wizard Configure Web Server page](/img/product_docs/auditor/access/reviews/installation/installconfigurewebserver.webp) **Step 7 –** On the Configure Web Server page, you can choose between the default port and a custom port on which the application will be accessible. To change the port, enter a new port number in the 
@@ -61,13 +61,13 @@ field. When the port is set as desired, click **Next**. **NOTE:** The default port is 81. -![Netwrix Auditor Access Reviews Setup wizard Ready to Install page](../../../../../../static/img/product_docs/auditor/access/reviews/installation/installready.webp) +![Netwrix Auditor Access Reviews Setup wizard Ready to Install page](/img/product_docs/auditor/access/reviews/installation/installready.webp) **Step 8 –** On the Ready to install page, click **Install** to begin the process. -![Netwrix Auditor Access Reviews Setup wizard Completed page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcompleted.webp) +![Netwrix Auditor Access Reviews Setup wizard Completed page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcompleted.webp) **Step 9 –** Once the installation has successfully completed, click **Finish** to exit the wizard. The installation wizard placed a Netwrix Auditor Access Reviews icon on the desktop. Now proceed to -the [First Launch](../admin/firstlaunch.md) topic for next steps. +the [First Launch](/docs/auditor/10.7/access/reviews/admin/firstlaunch.md) topic for next steps. diff --git a/docs/auditor/10.7/access/reviews/installation/overview.md b/docs/auditor/10.7/access/reviews/installation/overview.md index bdbc1119b7..c2e60690e1 100644 --- a/docs/auditor/10.7/access/reviews/installation/overview.md +++ b/docs/auditor/10.7/access/reviews/installation/overview.md 
@@ -26,7 +26,7 @@ these will be referred to as the Database service account and the Active Directo - Active Directory service account – The Access Reviews Console login authentication requires the Active Directory service account to have rights to "read" Active Directory. This credential is configured during installation based on the account used for connecting to the database. See the - [Active Directory Page](../admin/configuration/activedirectory.md) topic for additional + [Active Directory Page](/docs/auditor/10.7/access/reviews/admin/configuration/activedirectory.md) topic for additional information. ## Software Compatibility & Versions @@ -45,7 +45,7 @@ Latest Version Compatibility Last Updated 6/6/2022 -See the [Upgrade Procedure](upgrade.md) topic for additional information. +See the [Upgrade Procedure](/docs/auditor/10.7/access/reviews/installation/upgrade.md) topic for additional information. ## Supported Browsers diff --git a/docs/auditor/10.7/access/reviews/installation/secure.md b/docs/auditor/10.7/access/reviews/installation/secure.md index 959a9b6ca0..ca3d6a24be 100644 --- a/docs/auditor/10.7/access/reviews/installation/secure.md +++ b/docs/auditor/10.7/access/reviews/installation/secure.md @@ -60,7 +60,7 @@ Notepad. It is located in the installation directory: ...\Netwrix\Access Reviews -![AccessInformationCenter.Service.exe.Config file showing the BindingUrl key](../../../../../../static/img/product_docs/auditor/access/reviews/installation/securebindingurlparameter.webp) +![AccessInformationCenter.Service.exe.Config file showing the BindingUrl key](/img/product_docs/auditor/access/reviews/installation/securebindingurlparameter.webp) **Step 2 –** Change the `BindingUrl` key value to `"https://+:481"` (ensure the port number matches the port number used in the PowerShell command run to create the SSL Binding. 
diff --git a/docs/auditor/10.7/access/reviews/installation/upgrade.md b/docs/auditor/10.7/access/reviews/installation/upgrade.md index e5600e244f..0c86099048 100644 --- a/docs/auditor/10.7/access/reviews/installation/upgrade.md +++ b/docs/auditor/10.7/access/reviews/installation/upgrade.md @@ -5,7 +5,7 @@ the Netwrix Auditor Access Reviews application, see the Special Considerations t steps. To upgrade the Access Reviews application to a newer version, simply run the new `AccessReviews.msi` -executable. It is not necessary to uninstall the existing version. See the [Install](install.md) +executable. It is not necessary to uninstall the existing version. See the [Install](/docs/auditor/10.7/access/reviews/installation/install.md) topic for additional information. _Remember,_ the Access Reviews version must align to the compatible Netwrix Auditor version. @@ -37,7 +37,7 @@ the service, and the default name of the database created by the installer. Foll replace Netwrix Access Information Center with Netwrix Auditor Access Reviews. **Step 1 –** Install the Netwrix Auditor Access Reviews application on the same server where the -Netwrix Access Information Center was installed. See the [Install](install.md) topic for additional +Netwrix Access Information Center was installed. See the [Install](/docs/auditor/10.7/access/reviews/installation/install.md) topic for additional information. On the SQL Server Connection page: - Supply the information for the existing database. The default name for the original database was 
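Review bot: in the Step 1 line of the @@ -37,7 hunk, the same-directory link `[Install](install.md)` becomes `/docs/auditor/10.7/access/reviews/installation/install.md`, which writes the version number into the link target. If this tree is later copied to another version directory, the link will still point at the 10.7 page. Consider keeping the relative form for links that stay inside the versioned tree, or confirm that pinning to 10.7 is intended. The new line is also much longer than the wrapped lines around it; rewrapping would keep later diffs readable.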
@@ -47,13 +47,13 @@ information. On the SQL Server Connection page: **NOTE:** The new destination folder will be `...\Netwrix\Access Reviews`. **Step 2 –** Launch the application and reset the Builtin Administrator password. See the -[First Launch](../admin/firstlaunch.md) topic for additional information. +[First Launch](/docs/auditor/10.7/access/reviews/admin/firstlaunch.md) topic for additional information. **Step 3 –** It will be necessary to add your Console Users again. See the -[Console Access Page](../admin/configuration/consoleaccess.md) topic for additional information. +[Console Access Page](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md) topic for additional information. **Step 4 –** It will be necessary to configure the Notification settings. See the -[Notifications Page](../admin/configuration/notifications.md) topic for additional information. +[Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for additional information. **Step 5 –** If you have customized your email templates, it will be necessary to copy the Templates folder from the old `...\Netwrix\Access Information Center` installation directory to the new diff --git a/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md b/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md index 2908318545..85d0489710 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md 
@@ -6,23 +6,23 @@ needs to claim that ownership responsibility. Resources that do not have confirm through the cracks. **NOTE:** This does require the Notification settings to be configured for the Access Reviews -application. See the [Notifications Page](../admin/configuration/notifications.md) topic for +application. See the [Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for additional information. -![Table in Resource Owners interface showing several resources being managed and all confirmation status icons](../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/tablestatus.webp) +![Table in Resource Owners interface showing several resources being managed and all confirmation status icons](/img/product_docs/auditor/access/reviews/resourceowners/tablestatus.webp) The table in the Resource Owners interface includes a Status column. The following icons appear in this column to indicate the owner confirmation status: | Icon | Meaning | Description | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![Yellow circle with whit question mark](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusnostatus.webp) | No Status | Indicates ownership confirmation has not been requested, and there is no ownership status at this time | -| ![Blue circle with white clock 
face](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statuswaiting.webp) | Waiting | Indicates a request for confirmation has been sent, and you are waiting for a response from the assigned owner. Hover over the icon to view the date timestamp of the request. | -| ![Green circle with white checkmark](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusconfirmed.webp) | Confirmed | Indicates the assigned owner confirmed ownership of the resource. Hover over the icon to view the date timestamp of the confirmation. | -| ![Red circle with white X](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusdeclined.webp) | Declined | Indicates the assigned owner declined ownership of the resource. These individuals would have been asked to suggest an alternative owner. Check the Notes for the resource to view this information. Hover over the icon to view the date timestamp of the decline. _Remember,_ a resource with declined ownership needs to be updated to assign a new owner. See the [Update Resource Wizard](wizard/update.md) topic for additional information. | +| ![Yellow circle with whit question mark](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusnostatus.webp) | No Status | Indicates ownership confirmation has not been requested, and there is no ownership status at this time | +| ![Blue circle with white clock face](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statuswaiting.webp) | Waiting | Indicates a request for confirmation has been sent, and you are waiting for a response from the assigned owner. Hover over the icon to view the date timestamp of the request. 
| +| ![Green circle with white checkmark](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusconfirmed.webp) | Confirmed | Indicates the assigned owner confirmed ownership of the resource. Hover over the icon to view the date timestamp of the confirmation. | +| ![Red circle with white X](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/statusdeclined.webp) | Declined | Indicates the assigned owner declined ownership of the resource. These individuals would have been asked to suggest an alternative owner. Check the Notes for the resource to view this information. Hover over the icon to view the date timestamp of the decline. _Remember,_ a resource with declined ownership needs to be updated to assign a new owner. See the [Update Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md) topic for additional information. | If multiple owners have been assigned, there is a choice for which assigned owner(s) should receive the confirmation. If multiple owners were sent the request, the column remains as a waiting symbol until the assigned Primary owner replies. -See the [Confirm Ownership Wizard](wizard/confirm.md) topic for additional information. +See the [Confirm Ownership Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md) topic for additional information. diff --git a/docs/auditor/10.7/access/reviews/resourceowners/email/confirmationrequest.md b/docs/auditor/10.7/access/reviews/resourceowners/email/confirmationrequest.md index fa544b932d..c48a35065d 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/email/confirmationrequest.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/email/confirmationrequest.md 
@@ -3,7 +3,7 @@ The Ownership Administrator may request ownership confirmation for a resource being managed through the Access Reviews application. As an assigned owner, you will receive the following email. -![Ownership Confirmation Request Email with Yes and No buttons for responding](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemail.webp) +![Ownership Confirmation Request Email with Yes and No buttons for responding](/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemail.webp) The Ownership Confirmation Request email provides buttons for confirming (Yes) or declining (No) ownership of the listed resource. You will be asked to authenticate for your response to be @@ -15,7 +15,7 @@ complete the process. One of two messages will appear according to if you confir If you have accepted ownership for the assigned resource, the browser will display the following message after authentication: -![confirmemailaccept](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemailaccept.webp) +![confirmemailaccept](/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemailaccept.webp) "Your response has been saved. You may close this window and delete the confirmation request e-mail." 
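Review bot: the accepted-ownership image in the @@ -15,7 hunk still uses the bare file name `confirmemailaccept` as its alt text, while the request image in the preceding hunk has a descriptive one. As the line is being rewritten, give it a description along the lines of "Ownership accepted browser message" so the alt text is useful to screen readers.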
@@ -25,12 +25,12 @@ e-mail." If you have declined ownership for the assigned resource, the browser will display the following message after authentication: -![Ownership declined browser message](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemaildecline.webp) +![Ownership declined browser message](/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemaildecline.webp) "Before we update ownership can you suggest another owner?" Enter possible owners in the textbox. Click **Submit** to complete the process. -![Ownership declined browser message after an alternative owner is submitted](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemaildecline2.webp) +![Ownership declined browser message after an alternative owner is submitted](/img/product_docs/auditor/access/reviews/resourceowners/email/confirmemaildecline2.webp) "Your response has been saved. You may close this window and delete the confirmation request e-mail." diff --git a/docs/auditor/10.7/access/reviews/resourceowners/interface.md b/docs/auditor/10.7/access/reviews/resourceowners/interface.md index 0f4b58f040..8c52bbf13e 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/interface.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/interface.md @@ -3,7 +3,7 @@ The Resource Owners interface opened by the Resource Owners tab is where Ownership Administrators perform many operations around assigning and managing ownership. -![Resource Owners Tab in Netwrix Access Information Center](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Resource Owners Tab in Netwrix Access Information Center](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The information displayed in the table includes: 
@@ -18,35 +18,35 @@ The information displayed in the table includes: - Status – Indicates whether or not the assigned owner has confirmed ownership of that resource. Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. See the - [Ownership Confirmation](confirmation.md) topic for additional information. + [Ownership Confirmation](/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md) topic for additional information. - Notes – Icon indicates a Note has been added. Click on the icon to read the attached note(s). Notes can be added by Ownership Administrators or populated with alternative owners by individuals - who declined ownership. See the [Edit Notes Window](../../general/editnotes.md) and the Notes & + who declined ownership. See the [Edit Notes Window](/docs/auditor/10.7/access/general/editnotes.md) and the Notes & Descriptions topics for additional information. - Last Reviewed – Date timestamp when the last review took place for the resource. The hyperlink will open the Entitlement Reviews interface to that Review Details page displaying the historical review instance. See the - [Review Details Page](../entitlementreviews/interface.md#review-details-page) topic for additional + [Review Details Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#review-details-page) topic for additional information. - Active Review – Indicates whether or not there is a pending review. The hyperlink will open the Entitlement Reviews interface to that Review Details page displaying the active review instance. - See the [Review Details Page](../entitlementreviews/interface.md#review-details-page) topic for + See the [Review Details Page](/docs/auditor/10.7/access/reviews/entitlementreviews/interface.md#review-details-page) topic for additional information. The table data grid functions the same way as other table grids. 
See the -[Data Grid Features](../../general/datagrid.md) topic for additional information. +[Data Grid Features](/docs/auditor/10.7/access/general/datagrid.md) topic for additional information. The buttons at the bottom enable you to conduct the following actions: -![Action buttons in the Resource Owners Interface](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) +![Action buttons in the Resource Owners Interface](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/youraccessportal/interfacebuttons.webp) | Button | Function | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Add | Launches the Add new resource wizard to add a new resource to the list. This allows you to add one resource at a time and assign an owner. See the [Add New Resource Wizard](wizard/add.md) topic for additional information. | -| Update | Launches the Update resource wizard for the selected resource. This allows you to make changes to the assigned owners or add/edit the resource description. See the [Update Resource Wizard](wizard/update.md) topic for additional information. | -| Remove | Opens the Confirm removal window to removes the selected resource from being managed through the application. _Remember,_ only resources with an assigned owner will be visible in the table. Removing a resource from this table does not delete the resource from the application database. See the [Confirm Removal Window](window/confirmremoval.md) topic for additional information. 
| -| Request Confirmation | Opens the Confirm Ownership wizard. Sends an email to the assigned owner(s) for the selected resource requesting ownership confirmation. See the[Confirm Ownership Wizard](wizard/confirm.md) topic for additional information. | -| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](../../general/editnotes.md) topic for additional information. | +| Add | Launches the Add new resource wizard to add a new resource to the list. This allows you to add one resource at a time and assign an owner. See the [Add New Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md) topic for additional information. | +| Update | Launches the Update resource wizard for the selected resource. This allows you to make changes to the assigned owners or add/edit the resource description. See the [Update Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md) topic for additional information. | +| Remove | Opens the Confirm removal window to removes the selected resource from being managed through the application. _Remember,_ only resources with an assigned owner will be visible in the table. Removing a resource from this table does not delete the resource from the application database. See the [Confirm Removal Window](/docs/auditor/10.7/access/reviews/resourceowners/window/confirmremoval.md) topic for additional information. | +| Request Confirmation | Opens the Confirm Ownership wizard. Sends an email to the assigned owner(s) for the selected resource requesting ownership confirmation. See the[Confirm Ownership Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md) topic for additional information. | +| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. 
See the [Edit Notes Window](/docs/auditor/10.7/access/general/editnotes.md) topic for additional information. | ## Notes & Descriptions diff --git a/docs/auditor/10.7/access/reviews/resourceowners/overview.md b/docs/auditor/10.7/access/reviews/resourceowners/overview.md index bf82ff36d0..13ba5760dd 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/overview.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/overview.md @@ -19,7 +19,7 @@ The My Reviews interface provides owners with access to historical and pending r Reviews interface is only accessible to users who have been assigned ownership of at least one resource. Owners without a console user role are directed to the My Reviews interface at login. Owners with a console user role access the pending and historical reviews for their resources by -clicking the My Reviews tab. See the [Pending Reviews](../entitlementreviews/pendingreviews.md) +clicking the My Reviews tab. See the [Pending Reviews](/docs/auditor/10.7/access/reviews/entitlementreviews/pendingreviews.md) topic for additional information. Who Can Assign Ownership (Ownership Administrators)? 
@@ -42,14 +42,14 @@ What Can Resource Owners Do? - Perform an access review (when there is a pending review) - View historical information on access reviews -See the [Resource Owners Interface](interface.md) topic for additional information. +See the [Resource Owners Interface](/docs/auditor/10.7/access/reviews/resourceowners/interface.md) topic for additional information. ## Workflow of Ownership Assignment Prerequisite: - Optional: The Access Reviews application is configured to send Notifications. See the - [Notifications Page](../admin/configuration/notifications.md) topic for additional information. + [Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for additional information. **NOTE:** By default, the application is configured to send notifications only to the primary owner. However, this can be customized on the Configuration > Notifications page to send @@ -68,8 +68,8 @@ Workflow: workflow. - Add resources to be managed by associating a business data owner with a resource. See the - [Add New Resource Wizard](wizard/add.md) topic for additional information. -- Confirm resource ownership. See the [Ownership Confirmation](confirmation.md) topic for additional + [Add New Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md) topic for additional information. +- Confirm resource ownership. See the [Ownership Confirmation](/docs/auditor/10.7/access/reviews/resourceowners/confirmation.md) topic for additional information. - Notify owners of their responsibilities. See the Notification to Owners topic for additional information. 
@@ -84,5 +84,5 @@ information: - How owners should log into the application console, specifically what URL and credentials to use. - Expectation on response times - How to access instructions on how to complete a review. You can link to the - [Owners & Access Reviews](owneroverview.md) topic or download that topic and its subtopics as a + [Owners & Access Reviews](/docs/auditor/10.7/access/reviews/resourceowners/owneroverview.md) topic or download that topic and its subtopics as a PDF and make it available within your corporate resources. diff --git a/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md b/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md index ffb24cedd3..06eca64bb5 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md @@ -1,10 +1,10 @@ # Add Owner Window -The Add Owner window opens from either the [Add New Resource Wizard](../wizard/add.md) of the -[Update Resource Wizard](../wizard/update.md). This window is used to search for a user account by +The Add Owner window opens from either the [Add New Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md) of the +[Update Resource Wizard](/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md). This window is used to search for a user account by browsing Active Directory. -![Add Owner window showing Search options](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/window/addowner.webp) +![Add Owner window showing Search options](/img/product_docs/auditor/access/reviews/resourceowners/window/addowner.webp) Enter a name in the search field to find and select users from Active Directory, which populates in a drop-down menu as you type. If multiple domains are known to the application, ensure the correct 
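Review bot: the first rewritten sentence in the addowner.md hunk (@@ -1,10) still reads "opens from either the [Add New Resource Wizard](...) of the [Update Resource Wizard](...)"; "of" should be "or". Both lines are being replaced in this change, so fix the wording here.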
diff --git a/docs/auditor/10.7/access/reviews/resourceowners/window/confirmremoval.md b/docs/auditor/10.7/access/reviews/resourceowners/window/confirmremoval.md index 6586226296..052cb461af 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/window/confirmremoval.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/window/confirmremoval.md @@ -10,7 +10,7 @@ Follow the steps to remove a resource from being managed through the application **Step 1 –** In the Resource Owners interface, select the resource and click Remove. The Confirm Removal window opens. -![Confirm Removal window asking are you sure you wish to remove](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) +![Confirm Removal window asking are you sure you wish to remove](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) **Step 2 –** Click Yes to complete the removal process or **No** to cancel it. diff --git a/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md b/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md index 9548cb6307..4c7d742852 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/wizard/add.md @@ -2,7 +2,7 @@ The Add new resource wizard is opened with the **Add** button in the Resource Owners interface. -![Add new resource wizard showing 1. Select Resources page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Add new resource wizard showing 1. Select Resources page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) It contains four pages: 
@@ -19,7 +19,7 @@ Follow the steps to add resources one at a time and assign owners. **Step 1 –** In the Resource Owners interface, click **Add**. The Add new resource wizard opens. -![Add new resource wizard page showing 1. Select Resources page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) +![Add new resource wizard page showing 1. Select Resources page](/img/product_docs/accessinformationcenter/access/informationcenter/accessrequests/wizard/selectresource.webp) **Step 2 –** On the Select Resource page, select the resource to be managed. Then click **Next**. 
@@ -33,13 +33,13 @@ Follow the steps to add resources one at a time and assign owners. - Browse option – Navigate through the resource tree to select the desired File System or SharePoint resource. -![Add new resources wizard showing 2. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Add new resources wizard showing 2. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 3 –** On the Select Owners page, click **Add** to browse for an owner. Repeat this Step to -add multiple owners. See the [Add Owner Window](../window/addowner.md) topic for additional +add multiple owners. See the [Add Owner Window](/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md) topic for additional information. -![Add new resources wizard with the 2. Select Owners page showing multiple owners selected](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectownerswithowners.webp) +![Add new resources wizard with the 2. Select Owners page showing multiple owners selected](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectownerswithowners.webp) **Step 4 –** When only one owner is assigned, the owner will be the Primary by default. When multiple owners are assigned, the first owner in the list is the Primary owner. Use the arrow 
@@ -56,17 +56,17 @@ the owners: Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![Add new resource wizard showing 3. Description page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![Add new resource wizard showing 3. Description page](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) **Step 5 –** On the Description page, optionally add a description for the resource in the textbox. Then click **Next**. -![Add new resource wizard showing 4. Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Add new resource wizard showing 4. Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 6 –** On the Summary page, review the settings and click Finish. The Access Reviews application begins to process the ownership configuration. -![Add new resource wizard with 4. Summary page showing action status 100% completed](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/wizard/summarytaskcompleted.webp) +![Add new resource wizard with 4. Summary page showing action status 100% completed](/img/product_docs/auditor/access/reviews/resourceowners/wizard/summarytaskcompleted.webp) **Step 7 –** The action status displays on the page. When the task has completed (100%), click **Close**. The Add new resource wizard closes. diff --git a/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md b/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md index e8acc77b1d..3a39e89b53 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/wizard/confirm.md 
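Review bot: in the `@@ -56,17 +56,17 @@` hunk above, the Step 5 and Step 6 screenshots for the Add new resource wizard resolve to `/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp` and `/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp`, which sit under a different product area than the alt text describes. The path rewrite carries these targets over unchanged, so please verify that each file really shows the page named in its alt text. If they are same-named images from the ServiceNow action and AD Inventory topics, the wizard steps are illustrated with the wrong screenshots and the mapping should be corrected in this pass.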
@@ -3,7 +3,7 @@ The Confirm Ownership wizard is opened with the **Request Confirmation** button in the Resource Owners interface. It can be opened for one or multiple resources. -![Confirm Ownership wizard showing 1.Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Confirm Ownership wizard showing 1.Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) It contains one page: @@ -16,7 +16,7 @@ Follow the steps to request ownership confirmation. **Step 1 –** In the Resource Owners interface, select the desired resource or resources and click Request Confirmation. The Confirm Ownership wizard opens. -![Confirm Ownership wizard showing 1.Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Confirm Ownership wizard showing 1.Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 2 –** On the Select Owners page, you can optionally remove owners you do not want or need ownership confirmation from. Select those owners and click **Remove**. Those owners will not receive 
@@ -31,12 +31,12 @@ application begins to send the confirmation email. The table provides the follow Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![selectownerstaskcompleted](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/wizard/selectownerstaskcompleted.webp) +![selectownerstaskcompleted](/img/product_docs/auditor/access/reviews/resourceowners/wizard/selectownerstaskcompleted.webp) **Step 3 –** The action status displays on the page. When the owner confirmation notification has completed (100%), click Close. The Confirm Ownership wizard closes. The selected owners receive an email from the Access Reviews application asking if they are the owner of the assigned resource. See the -[Ownership Confirmation Request Email](../email/confirmationrequest.md) topic for additional +[Ownership Confirmation Request Email](/docs/auditor/10.7/access/reviews/resourceowners/email/confirmationrequest.md) topic for additional information. diff --git a/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md b/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md index cc212ef462..c4bf7ee46b 100644 --- a/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md +++ b/docs/auditor/10.7/access/reviews/resourceowners/wizard/update.md @@ -2,7 +2,7 @@ The Update resource wizard is opened with the **Update** button in the Resource Owners interface. -![Update Resource wizard showing 1. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Update Resource wizard showing 1. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) It contains three pages: 
@@ -20,13 +20,13 @@ Follow the steps to update ownership configuration for a resource. **Step 1 –** In the Resource Owners interface, select the desired resource and click **Update**. The Update resource wizard opens. -![Update resource wizard showing 1. Select Owners page](../../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) +![Update resource wizard showing 1. Select Owners page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceowners/wizard/selectowners.webp) **Step 2 –** The Select Owners page lists the currently assigned owner(s). Modify as desired and click **Next** to continue. - Add new owners — Click **Add** to browse for a new owner. See the - [Add Owner Window](../window/addowner.md) topic for additional information. + [Add Owner Window](/docs/auditor/10.7/access/reviews/resourceowners/window/addowner.md) topic for additional information. - Remove an owner — Select an owner and click **Remove** - Change owner priority — Select an owner and use the arrow buttons to change the order 
@@ -42,18 +42,18 @@ information on the owners: Tool-tips display when hovering over the icons indicating whether the resource ownership has been confirmed, declined, pending response, or that a confirmation has not been requested. -![Update resource wizard showing 2. Description page](../../../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![Update resource wizard showing 2. Description page](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) **Step 3 –** The Description page displays any description that has been provided by either the Ownership Administrator or the assigned owner(s) for the resource. Modify as desired by typing in the textbox. Then click **Next** to continue. -![Update resource wizard showing 3. Summary page](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) +![Update resource wizard showing 3. Summary page](/img/product_docs/accessanalyzer/admin/datacollector/adinventory/summary.webp) **Step 4 –** On the Summary page, review the settings and click Finish. The Access Reviews application begins to process the ownership changes. -![Update resource wizard with 3. Summary page showing action status 100% complete](../../../../../../../static/img/product_docs/auditor/access/reviews/resourceowners/wizard/summarytaskcompleted.webp) +![Update resource wizard with 3. Summary page showing action status 100% complete](/img/product_docs/auditor/access/reviews/resourceowners/wizard/summarytaskcompleted.webp) **Step 5 –** The action status displays on the page. When the update has completed (100%), click **Close**. The Update resource wizard closes. diff --git a/docs/auditor/10.7/auditor/accessreviews.md b/docs/auditor/10.7/auditor/accessreviews.md index 4b1c04d41a..4f38587129 100644 --- a/docs/auditor/10.7/auditor/accessreviews.md +++ b/docs/auditor/10.7/auditor/accessreviews.md 
@@ -21,7 +21,7 @@ for a supported data source. **NOTE:** Access Reviews is a separately licensed product and is not included with Netwrix Auditor. Make sure that you have the Access Reviews license enabled in Auditor. -See the [Licenses](admin/settings/licenses.md) topic for additional information. +See the [Licenses](/docs/auditor/10.7/auditor/admin/settings/licenses.md) topic for additional information. _Remember,_ there is one single Access Review license for all data sources that can send data to the application. @@ -29,16 +29,16 @@ application. Follow the steps to use Netwrix Auditor Access Reviews in conjuction with Auditor. **Step 1 –** Install Access Reviews on the same computer where Netwrix Auditor is installed. See the -[Installation Overview](../access/reviews/installation/overview.md) topic for prerequisites and +[Installation Overview](/docs/auditor/10.7/access/reviews/installation/overview.md) topic for prerequisites and additional information. **Step 2 –** Configure Access Reviews. The Configuration interface is only available to users with -the Administrator role. See the [Administrator Overview](../access/reviews/admin/overview.md) topic +the Administrator role. See the [Administrator Overview](/docs/auditor/10.7/access/reviews/admin/overview.md) topic for configuration settings and enabling user access. **Step 3 –** Use the Access reviews configuration tool to setup the data flow from the Auditor database to the Access Reviews database. See the -[Select Data Sources](accessreviewsconfiguration.md) topic for additional information. +[Select Data Sources](/docs/auditor/10.7/auditor/accessreviewsconfiguration.md) topic for additional information. **NOTE:** Data upload speed depends on the amount of collected data and Auditor collectors configuration. 
@@ -46,16 +46,16 @@ configuration. **Step 4 –** Configure resource ownership through the Access Reviews Console. The Resource Owners interface is available to users with either the Security Team or Administrator role. Managing ownership is core component for the Access Reviews workflow. See the -[Resource Owners Overview](../access/reviews/resourceowners/overview.md) topic for additional +[Resource Owners Overview](/docs/auditor/10.7/access/reviews/resourceowners/overview.md) topic for additional information. -**NOTE:** The [Owners & Access Reviews](../access/reviews/resourceowners/owneroverview.md) topic and +**NOTE:** The [Owners & Access Reviews](/docs/auditor/10.7/access/reviews/resourceowners/owneroverview.md) topic and subtopics are written for the assigned owners. You can distribute the URL to this topic or download a PDF to be distributed to your assigned resource owners. **Step 5 –** Configure and run reviews. The Entitlement Reviews interface is available to users with either the Security Team or Administrator role. See the -[Reviews Overview](../access/reviews/entitlementreviews/overview.md) topic for additional +[Reviews Overview](/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md) topic for additional information. Netwrix Auditor Access Reviews is now configured and ready to use. 
@@ -87,16 +87,16 @@ Review the following considerations: - Console Users — Grant users access to the application starting with an Administrator account. There are two levels of access: Administrator and Security Team. See the - [Console Access Page](../access/reviews/admin/configuration/consoleaccess.md) topic for + [Console Access Page](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md) topic for information. - Optionally, disable the Builtin Administrator account. See the - [Modify the Builtin Administrator Account](../access/reviews/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account) + [Modify the Builtin Administrator Account](/docs/auditor/10.7/access/reviews/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account) topic for additional information. - Notification — Configure the Notification settings required in order for the application to send email. See the - [Notifications Page](../access/reviews/admin/configuration/notifications.md) topic for + [Notifications Page](/docs/auditor/10.7/access/reviews/admin/configuration/notifications.md) topic for information. ## Enable Console Users 
@@ -115,23 +115,23 @@ Review the following considerations: Console: - Ownership Administrator — Send the URL link for the - [Resource Owners Overview](../access/reviews/resourceowners/overview.md) topic. + [Resource Owners Overview](/docs/auditor/10.7/access/reviews/resourceowners/overview.md) topic. - Review Administrator — Send the URL link for the - [Reviews Overview](../access/reviews/entitlementreviews/overview.md) topic. + [Reviews Overview](/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md) topic. - Administrator — Send the URL link for the - [Administrator Overview](../access/reviews/admin/overview.md) topic. + [Administrator Overview](/docs/auditor/10.7/access/reviews/admin/overview.md) topic. ## Resource Ownership Configuration Ownership of resources must be assigned in order to use the Access Reviews workflow: - Resource Ownership — Assign ownership for resources to be managed through the application. See - the [Resource Owners Interface](../access/reviews/resourceowners/interface.md) topic for + the [Resource Owners Interface](/docs/auditor/10.7/access/reviews/resourceowners/interface.md) topic for additional information. - Enable Owners — Send a notification to your owners about resource ownership with the application. See the - [Notification to Owners](../access/reviews/resourceowners/overview.md#notification-to-owners) + [Notification to Owners](/docs/auditor/10.7/access/reviews/resourceowners/overview.md#notification-to-owners) topic for additional information. ## Access Reviews Workflow @@ -146,5 +146,5 @@ Review the following considerations: **_RECOMMENDED:_** Set expectations for response time from owners. Reviews can be run multiple times, maintaining a historical record for each instance. See the - [Reviews Overview](../access/reviews/entitlementreviews/overview.md) topic for additional + [Reviews Overview](/docs/auditor/10.7/access/reviews/entitlementreviews/overview.md) topic for additional information. 
diff --git a/docs/auditor/10.7/auditor/accessreviewsconfiguration.md b/docs/auditor/10.7/auditor/accessreviewsconfiguration.md index c58c14350b..7f7b4e8986 100644 --- a/docs/auditor/10.7/auditor/accessreviewsconfiguration.md +++ b/docs/auditor/10.7/auditor/accessreviewsconfiguration.md @@ -16,11 +16,11 @@ Follow the steps to configure Access Reviews in the Netwrix Auditor. **Step 1 –** Go to **Settings > General > Access Reviews**. -![senddataar](../../../../static/img/product_docs/auditor/auditor/senddataar.webp) +![senddataar](/img/product_docs/auditor/auditor/senddataar.webp) **Step 2 –** Click **Manage**. -![manageaccessreviews](../../../../static/img/product_docs/auditor/auditor/manageaccessreviews.webp) +![manageaccessreviews](/img/product_docs/auditor/auditor/manageaccessreviews.webp) **Step 3 –** Select the desired data sources to review. @@ -41,7 +41,7 @@ Follow the steps to configure Access Reviews in the Netwrix Auditor. **Step 3 –** Click **Edit data source** button on the left. -![enablear](../../../../static/img/product_docs/auditor/auditor/enablear.webp) +![enablear](/img/product_docs/auditor/auditor/enablear.webp) **Step 4 –** Navigate to the Send data for Access Reviews and select the checkbox. diff --git a/docs/auditor/10.7/auditor/accountlockoutexaminer/usage.md b/docs/auditor/10.7/auditor/accountlockoutexaminer/usage.md index f48b71bb33..41d35d3ccd 100644 --- a/docs/auditor/10.7/auditor/accountlockoutexaminer/usage.md +++ b/docs/auditor/10.7/auditor/accountlockoutexaminer/usage.md 
@@ -5,20 +5,20 @@ download completes, run the executable from your browser menu or from your **Dow To find out why an Active Directory account was locked out, perform the following steps: -1. Set up the auditing as described in [Planning and Preparation](configure.md) section. +1. Set up the auditing as described in [Planning and Preparation](/docs/auditor/10.7/auditor/accountlockoutexaminer/configure.md) section. 2. Download the application onto a computer within the domain where lockouts happen. 3. Run the application. When prompted, accept the end-user license agreement. 4. If you wish, select to participate in Netwrix Customer Experience Improvement program. You can later change your preference using the product settings (see the next section for details). -![ale_usage_stats_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_usage_stats_thumb_0_0.webp) +![ale_usage_stats_thumb_0_0](/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_usage_stats_thumb_0_0.webp) 5. In the main window, supply the name of the account that was locked out. 6. Specify examiner credentials – the user account that will be used to run the examination, access domain controllers, and so on. The account must be a member of the **Domain Admins** group. 7. Click **Examine**. -![ale_new_start_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_new_start_thumb_0_0.webp) +![ale_new_start_thumb_0_0](/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_new_start_thumb_0_0.webp) Once the examination completes, you will be presented with a list of reasons why the account you supplied is being locked out. 
@@ -35,7 +35,7 @@ After you click **Settings** in the main window, you can apply the following opt | **Usage statistics** | | | | Take part in Netwrix Customer Experience Improvement program | Select this option to participate in the program. See [this Knowledge Base article](https://kb.netwrix.com/5820) for more information on the program. | | -![ale_settings_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_settings_thumb_0_0.webp) +![ale_settings_thumb_0_0](/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_settings_thumb_0_0.webp) ## Troubleshooting 
@@ -47,7 +47,7 @@ Lockout Examiner\Logs_ folder. | In the environments with root/child domains, you may receive the "_Could not query ComputerName. Access is denied_." error. | The account used to run Netwrix Account Lockout Examiner is not a member of the local **Administrators** group on the workstations in both root and child domains. Administrative rights are required to access the Security Event logs on these workstations. | Make sure this account is included in the local **Administrators** group. | | **Issues encountered during examination** section is shown in the examination results. | Most probably this means that **Netwrix Account Lockout Examiner** cannot reach some of the data sources it needs. | - Check that you have configured the audit settings in the target domain as described in [Required audit settings](configure.md#required-audit-settings) section. - Check that network connectivity between the Account Lockout Examiner machine and the domain controllers in your domain works properly. | -![ale_new_results](../../../../../static/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_new_results.webp) +![ale_new_results](/img/product_docs/auditor/auditor/accountlockoutexaminer/ale_new_results.webp) We welcome any feedback and ideas you might have. Please take a minute to check in on [Netwrix page at Spiceworks](https://community.spiceworks.com/pages/NetWrix?tab=353) or submit diff --git a/docs/auditor/10.7/auditor/addon/alienvaultusm/collecteddata.md b/docs/auditor/10.7/auditor/addon/alienvaultusm/collecteddata.md index 2ce7797ba5..21628f0323 100644 --- a/docs/auditor/10.7/auditor/addon/alienvaultusm/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/alienvaultusm/collecteddata.md 
@@ -8,6 +8,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. diff --git a/docs/auditor/10.7/auditor/addon/alienvaultusm/deployment.md b/docs/auditor/10.7/auditor/addon/alienvaultusm/deployment.md index d906fb28ca..784b3c39f3 100644 --- a/docs/auditor/10.7/auditor/addon/alienvaultusm/deployment.md +++ b/docs/auditor/10.7/auditor/addon/alienvaultusm/deployment.md @@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/alienvaultusm/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/alienvaultusm/integrationeventlog.md index 7c245dfa54..d616e08a86 100644 --- a/docs/auditor/10.7/auditor/addon/alienvaultusm/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/alienvaultusm/integrationeventlog.md 
@@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Define Parameters](parameters.md) topic for additional information. +See the [Define Parameters](/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: @@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/alienvaultusm/overview.md b/docs/auditor/10.7/auditor/addon/alienvaultusm/overview.md index 1366d5c423..c22fce9420 100644 
--- a/docs/auditor/10.7/auditor/addon/alienvaultusm/overview.md +++ b/docs/auditor/10.7/auditor/addon/alienvaultusm/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
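Review bot: in the integrationeventlog.md hunk `@@ -4,7 +4,7 @@`, the rewritten line still ends `activityrecordreference.md)topic.` with no space between the link and the word "topic". That line is being replaced anyway, so add the space in the `+` version rather than carrying the rendering glitch forward.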
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md b/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md index 7162c290ce..86ce8fccb0 100644 --- a/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md +++ b/docs/auditor/10.7/auditor/addon/alienvaultusm/parameters.md 
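Review bot: the unchanged prerequisites row in the overview.md hunk `@@ -35,7 +35,7 @@` still tells readers to run `Set-ExecutionPolicy Unrestricted`, which with no scope given changes the policy for the whole machine rather than only for the add-on run. This link rewrite does not introduce it, but since the table is being touched, consider a follow-up that documents the narrowest setting the add-on is known to work with (for example `-Scope Process` for the session that launches the script). Separately, the `+` row in this hunk is a single table cell several hundred characters long, so it is hard to confirm by eye that only the three link targets changed; a word-level diff in the PR description would help.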
@@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/alienvaultusm/deployment.md) topic for additional information. | Parameter | Default value | Description | 
@@ -25,7 +25,7 @@ dynamically calculated EventIDs will be modified and applied incorrectly. | Parameter | Default value | Description | | -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **EventID generation** | | | -| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](../../api/postdata/activityrecords.md) topic for additional information. | +| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. 
See the [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. | | IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. | | SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. | | SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. | 
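Review bot: the rewritten `GenerateEventId` row in the parameters.md hunk `@@ -25,7 +25,7 @@` keeps the typo "Defines whether to generated unique EventIDs". The whole row is on a `+` line, so change it to "generate" here instead of leaving it for a separate edit.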
@@ -33,5 +33,5 @@ dynamically calculated EventIDs will be modified and applied incorrectly. \* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID -(duplicates). See the [Run the Add-On with PowerShell](powershell.md) topic for additional +(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.7/auditor/addon/alienvaultusm/powershell.md) topic for additional information about duplicates. diff --git a/docs/auditor/10.7/auditor/addon/amazonwebservices/collecteddata.md b/docs/auditor/10.7/auditor/addon/amazonwebservices/collecteddata.md index f7971d8e97..67353d62c7 100644 --- a/docs/auditor/10.7/auditor/addon/amazonwebservices/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/amazonwebservices/collecteddata.md @@ -6,7 +6,7 @@ Follow the steps to work with collected data. **Step 2 –** Click **Search**. -![activityrecords](../../../../../../static/img/product_docs/auditor/auditor/addon/arcsight/activityrecords.webp) +![activityrecords](/img/product_docs/auditor/auditor/addon/arcsight/activityrecords.webp) You might want to apply a filter to narrow down your search results to the NetwrixAPI data source only. diff --git a/docs/auditor/10.7/auditor/addon/amazonwebservices/deployment.md b/docs/auditor/10.7/auditor/addon/amazonwebservices/deployment.md index d90c2eddc7..b6f5e8e581 100644 --- a/docs/auditor/10.7/auditor/addon/amazonwebservices/deployment.md +++ b/docs/auditor/10.7/auditor/addon/amazonwebservices/deployment.md 
@@ -2,7 +2,7 @@ The Add-on runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you -choose, you have to define a different set of parameters. See the [Amazon Web Services](overview.md) +choose, you have to define a different set of parameters. See the [Amazon Web Services](/docs/auditor/10.7/auditor/addon/amazonwebservices/overview.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/amazonwebservices/overview.md b/docs/auditor/10.7/auditor/addon/amazonwebservices/overview.md index 92d48f0aa3..8edf6093e6 100644 --- a/docs/auditor/10.7/auditor/addon/amazonwebservices/overview.md +++ b/docs/auditor/10.7/auditor/addon/amazonwebservices/overview.md @@ -36,12 +36,12 @@ On a high level, the add-on works as follows: - Using the Integration API, the add-on sends the activity events to the Auditor Server, which writes them to the **Long-Term Archive** and the **Audit Database**. -See the [Integration API](../../api/overview.md) topic for additional information. +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information. ## Compatibility Notice Make sure to check your product version, and then review and update your add-ons and scripts leveraging the Integration API. Download the latest add-on version in the Add-on Store. -See the [Integration API](../../api/overview.md) topic for additional information about schema +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information about schema updates. diff --git a/docs/auditor/10.7/auditor/addon/amazonwebservices/parameters.md b/docs/auditor/10.7/auditor/addon/amazonwebservices/parameters.md index ae362fc656..b2ee758840 100644 --- a/docs/auditor/10.7/auditor/addon/amazonwebservices/parameters.md 
+++ b/docs/auditor/10.7/auditor/addon/amazonwebservices/parameters.md @@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md)  +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/amazonwebservices/deployment.md)  topic for additional information. First, provide a path to your add-on followed by script parameters with their values. Each parameter diff --git a/docs/auditor/10.7/auditor/addon/arcsight/collecteddata.md b/docs/auditor/10.7/auditor/addon/arcsight/collecteddata.md index b70b50d19d..d4159677ae 100644 --- a/docs/auditor/10.7/auditor/addon/arcsight/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/arcsight/collecteddata.md @@ -14,6 +14,6 @@ more than one Netwrix Auditor Server, add all of them in the search field. **NOTE:** You might want to modify time range and the fields shown. -![activityrecords](../../../../../../static/img/product_docs/auditor/auditor/addon/arcsight/activityrecords.webp) +![activityrecords](/img/product_docs/auditor/auditor/addon/arcsight/activityrecords.webp) **Step 4 –** Review imported Activity Records. diff --git a/docs/auditor/10.7/auditor/addon/arcsight/overview.md b/docs/auditor/10.7/auditor/addon/arcsight/overview.md index 050beff911..52b82c37ec 100644 --- a/docs/auditor/10.7/auditor/addon/arcsight/overview.md +++ b/docs/auditor/10.7/auditor/addon/arcsight/overview.md 
@@ -22,7 +22,7 @@ On a high level, the add-on works as follows: 3. The add-on uploads audit trails to ArcSight Logger making it immediately ready for review and analysis. ArcSight SmartConnector configured as Syslog Daemon is supported as well. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API. ## Prerequisites 
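Review bot: The new target `/docs/auditor/10.7/auditor/api/overview.md` pins the product version inside the link, whereas the removed `../../api/overview.md` resolved relative to whichever version directory the file sits in. If this tree is copied to create the next version's docs, the link will keep pointing at 10.7. Please confirm that the site build rewrites versioned absolute paths, or keep this link version-relative. The added line is also noticeably longer than the wrapped lines around it and should be rewrapped.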
@@ -32,15 +32,15 @@ follows: | on... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor Server side | - The Audit Database settings are configured in the Auditor. See the [Audit Database](../../admin/settings/auditdatabase.md) topic for additional information. - The TCP 9699 port (default Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the **Global reviewer** role in Auditor or is a member of the **Netwrix Auditor Client Users** group. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | -| On the ArcSight side | - The UDP Receiver is enabled and is configured to receive CEF as source and use the default port **514**. - To check receiver settings or add a new receiver, start the ArcSight Logger web interface and navigate to **Configuration** > **Receivers**. ![configuration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) **NOTE:** You can configure TCP Receiver and switch to TCP protocol and port **515**. - The user running the script must have sufficient permissions to supply data to ArcSight. 
| +| The Auditor Server side | - The Audit Database settings are configured in the Auditor. See the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. - The TCP 9699 port (default Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the **Global reviewer** role in Auditor or is a member of the **Netwrix Auditor Client Users** group. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | +| On the ArcSight side | - The UDP Receiver is enabled and is configured to receive CEF as source and use the default port **514**. - To check receiver settings or add a new receiver, start the ArcSight Logger web interface and navigate to **Configuration** > **Receivers**. ![configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) **NOTE:** You can configure TCP Receiver and switch to TCP protocol and port **515**. - The user running the script must have sufficient permissions to supply data to ArcSight. | | The computer where the script will be executed | - Execution policy for powershell scripts is set to "_Unrestricted_". Run **Windows PowerShell** as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the **write** permission on the script folder—the add-on creates a special .bin file with the last exported event. | ## Compatibility Notice Make sure to check your product version, and then review and update your add-ons and scripts leveraging the Integration API. Download the latest add-on version in the Add-on Store. See the -[Integration API](../../api/overview.md)topic for additional information. 
+[Integration API](/docs/auditor/10.7/auditor/api/overview.md)topic for additional information. The add-on was renamed due to HPE acquisition by Micro Focus. The former add-on name was Netwrix Auditor Add-on for HPE ArcSight. This name may still be present in the add-on files and diff --git a/docs/auditor/10.7/auditor/addon/arcsight/parameters.md b/docs/auditor/10.7/auditor/addon/arcsight/parameters.md index 45274e9b02..b3b1332d30 100644 --- a/docs/auditor/10.7/auditor/addon/arcsight/parameters.md +++ b/docs/auditor/10.7/auditor/addon/arcsight/parameters.md @@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the[Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the[Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/arcsight/deployment.md) topic for additional information. First, provide a path to your add-on followed by script parameters with their values. Each parameter diff --git a/docs/auditor/10.7/auditor/addon/azurefiles/collecteddata.md b/docs/auditor/10.7/auditor/addon/azurefiles/collecteddata.md index f0a54fb6de..003f6cc0d0 100644 --- a/docs/auditor/10.7/auditor/addon/azurefiles/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/azurefiles/collecteddata.md 
@@ -20,6 +20,6 @@ source only. See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) diff --git a/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md b/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md index af51fdcd9e..9e1f34a49e 100644 --- a/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md +++ b/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md @@ -4,11 +4,11 @@ Follow the steps to install Azure Files add-on. **Step 1 –** Accept EULA. -![azurefileeula](../../../../../../static/img/product_docs/auditor/auditor/addon/azurefiles/azurefileeula.webp) +![azurefileeula](/img/product_docs/auditor/auditor/addon/azurefiles/azurefileeula.webp) **Step 2 –** Select the installation folder and click **Next**. -![azurefileinstfolder](../../../../../../static/img/product_docs/auditor/auditor/addon/azurefiles/azurefileinstfolder.webp) +![azurefileinstfolder](/img/product_docs/auditor/auditor/addon/azurefiles/azurefileinstfolder.webp) **Step 3 –** Click **Install**. The wizard will start and ask the additional parameters. @@ -52,7 +52,7 @@ automatically - open it from the installation folder. **Step 2 –** Select **Proceed**. **Step 3 –** Provide Auditor Server IP address and port number followed by endpoint for posting -Activity Records. See the [API Endpoints](../../api/endpoints.md) topic for more information. +Activity Records. See the [API Endpoints](/docs/auditor/10.7/auditor/api/endpoints.md) topic for more information. This assumes that the add-on runs on the computer hosting Auditor Server and uses default port 9699. 
@@ -63,7 +63,7 @@ erprise.local:9999). **CAUTION:** Do not modify the endpoint part (_/netwrix/api_). -![generalsettings](../../../../../../static/img/product_docs/auditor/auditor/addon/azurefiles/generalsettings.webp) +![generalsettings](/img/product_docs/auditor/auditor/addon/azurefiles/generalsettings.webp) **Step 4 –** Specify Active Directory credentials: @@ -71,15 +71,15 @@ erprise.local:9999). service runs under the account currently logged on. - Password – Provide the password for the selected account. -![adcredentials](../../../../../../static/img/product_docs/auditor/auditor/addon/copilot/adcredentials.webp) +![adcredentials](/img/product_docs/auditor/auditor/addon/copilot/adcredentials.webp) **Step 5 –** Paste Azure Connection String in the corresponded field and click **Next**. -![azurefileconnectionstring](../../../../../../static/img/product_docs/auditor/auditor/addon/azurefiles/azurefileconnectionstring.webp) +![azurefileconnectionstring](/img/product_docs/auditor/auditor/addon/azurefiles/azurefileconnectionstring.webp) **Step 6 –** Enter Tenant ID, App ID and App Secret of the Azure App you registered for the add-on. Click **Next**. -![microsoftgraphapi](../../../../../../static/img/product_docs/auditor/auditor/addon/azurefiles/microsoftgraphapi.webp) +![microsoftgraphapi](/img/product_docs/auditor/auditor/addon/azurefiles/microsoftgraphapi.webp) **Step 7 –** Click **Run** and close the window. The service should start the data collection now. diff --git a/docs/auditor/10.7/auditor/addon/azurefiles/overview.md b/docs/auditor/10.7/auditor/addon/azurefiles/overview.md index 12778ca5f8..30078e6fb5 100644 --- a/docs/auditor/10.7/auditor/addon/azurefiles/overview.md +++ b/docs/auditor/10.7/auditor/addon/azurefiles/overview.md 
@@ -13,8 +13,8 @@ deletions. To get the add-on up and running, please read the following topics: -- [Deployment Procedure](deployment.md) -- [Work with Collected Data](collecteddata.md) +- [Deployment Procedure](/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md) +- [Work with Collected Data](/docs/auditor/10.7/auditor/addon/azurefiles/collecteddata.md) ## Prerequisites 
@@ -22,20 +22,20 @@ Before running the add-on, ensure that all the necessary components and policies follows: - The Audit Database settings are configured in Auditor Server. See the - [Prerequisites](../../api/prerequisites.md) and - [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. + [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and + [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the Contributor role in Auditor. See the - [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional + [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. - Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. - Azure Files environment is configured for auditing. The connection of Azure file share to Windows should be configured with authentication through Active Directory or Entra ID (as opposed to the - account key). See the [Deployment Procedure](deployment.md)topic for more information. + account key). See the [Deployment Procedure](/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md)topic for more information. - Active Directory Domain Services or Microsoft Entra Kerberos is used as an Identity source. See - the [Deployment Procedure](deployment.md) topic for additional information. + the [Deployment Procedure](/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md) topic for additional information. ## How It Works 
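Review bot: The added line for the "account key)" bullet keeps the missing space after the link, `deployment.md)topic for more information`, which renders as "Deployment Procedure" run straight into "topic". The other Deployment Procedure link two lines further down in this hunk has the space, so add it here as well while the line is being rewritten.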
diff --git a/docs/auditor/10.7/auditor/addon/connectwise/configure.md b/docs/auditor/10.7/auditor/addon/connectwise/configure.md index ac612dcd32..ac6da6489d 100644 --- a/docs/auditor/10.7/auditor/addon/connectwise/configure.md +++ b/docs/auditor/10.7/auditor/addon/connectwise/configure.md @@ -14,7 +14,7 @@ them, you will need an API Member account. See wizard to configure connection to ConnectWise Manage and ticketing options. At the Connection Setup step, specify the following: -![1_connection](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/connectionsetup.webp) +![1_connection](/img/product_docs/auditor/auditor/addon/connectwise/connectionsetup.webp) | Parameter | Description | | ---------- | --------------------------------------------------------------------------------------------- | @@ -25,7 +25,7 @@ step, specify the following: **Step 3 –** At the Service Ticket Routing step, specify the following: -![serviceticketrouting](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/serviceticketrouting.webp) +![serviceticketrouting](/img/product_docs/auditor/auditor/addon/connectwise/serviceticketrouting.webp) | Parameter | Description | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
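Review bot: The image in the Service Ticket Routing step keeps the bare file name as its alt text, `![serviceticketrouting](...)`, and the Connection Setup image in the previous hunk has `1_connection`. Since every image line in this file is being rewritten, replace these with descriptive alt text such as "Service Ticket Routing step", in the way connectwise/msp.md already uses "Integration API Settings".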
@@ -37,7 +37,7 @@ step, specify the following: **Step 4 –** Configure how Auditor activity record fields will be mapped with **ConnectWise Manage** ticket fields. -![ticketfieldmapping](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/ticketfieldmapping.webp) +![ticketfieldmapping](/img/product_docs/auditor/auditor/addon/connectwise/ticketfieldmapping.webp) | Parameter | Description | | --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -51,15 +51,15 @@ ConnectWise Manage to help you verify the connection and ticketing settings you Its Summary field will contain _[Netwrix Auditor] Test Alert_; its Initial Description field will contain _This ticket was created to test the functionality of Netwrix Auditor Add-on for ConnectWise Manage_. Also, the test ticket will have a sample attachment (_TestAttachment.txt_). -![testalert](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/testalert.webp) +![testalert](/img/product_docs/auditor/auditor/addon/connectwise/testalert.webp) **Step 5 –** Finally, at the **Summary** step, review the location of configuration file with the settings you specified: _C:\Addon\ITSM_CW\ConnectWiseSettings.xml_. -![summary_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/summary_thumb_0_0.webp) +![summary_thumb_0_0](/img/product_docs/auditor/auditor/addon/connectwise/summary_thumb_0_0.webp) If needed, you can edit the configuration file manually. See the -[Connection and Ticketing Settings](connectionticketingsettings.md) topic for additional +[Connection and Ticketing Settings](/docs/auditor/10.7/auditor/addon/connectwise/connectionticketingsettings.md) topic for additional information. Click **Finish** to restart the add-on service so that the changes can take effect. diff --git a/docs/auditor/10.7/auditor/addon/connectwise/connectionticketingsettings.md b/docs/auditor/10.7/auditor/addon/connectwise/connectionticketingsettings.md index c29064d588..ee340baa83 100644 --- a/docs/auditor/10.7/auditor/addon/connectwise/connectionticketingsettings.md +++ b/docs/auditor/10.7/auditor/addon/connectwise/connectionticketingsettings.md 
@@ -17,7 +17,7 @@ values are provided. Add more ticket parameters or update values if necessary. | `` | `` | Description | | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Summary | [Netwrix Auditor] %AlertName% | Instructs the system to fill in the Summary ticket field with the Auditor alert name (e.g., _[Netwrix Auditor] Password Reset)_. | -| InitialDescription | Alert Details: Who: %Who% Action: %Action% Object type: %ObjectType% What: %What% When: %When% Where: %Where% Workstation: %Workstation% Details: %Details% Data source: %DataSource% Monitoring plan: %MonitoringPlanName% Item: %Item% Sent by Netwrix Auditor from %Computer% | Instructs the system to fill in the InitialDescription ticket field with the Auditor activity record data. To read more about activity records, see the [Reference for Creating Activity Records](../../api/activityrecordreference.md) topic for additional information. 
You may need to fill in the internal description intended for use by MSP only (this description will not be visible to managed clients), perform the following steps: **Step 1 –** Run the configuration wizard (or modify _ConnectWiseSettings.xml_) to specify the settings you need. **Step 2 –** Then open _ConnectWiseSettings.xml_ for edit. **Step 3 –** Locate the **InitialDescription** parameter and change the Name attribute to _initialInternalAnalysis_. | +| InitialDescription | Alert Details: Who: %Who% Action: %Action% Object type: %ObjectType% What: %What% When: %When% Where: %Where% Workstation: %Workstation% Details: %Details% Data source: %DataSource% Monitoring plan: %MonitoringPlanName% Item: %Item% Sent by Netwrix Auditor from %Computer% | Instructs the system to fill in the InitialDescription ticket field with the Auditor activity record data. To read more about activity records, see the [Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md) topic for additional information. You may need to fill in the internal description intended for use by MSP only (this description will not be visible to managed clients), perform the following steps: **Step 1 –** Run the configuration wizard (or modify _ConnectWiseSettings.xml_) to specify the settings you need. **Step 2 –** Then open _ConnectWiseSettings.xml_ for edit. **Step 3 –** Locate the **InitialDescription** parameter and change the Name attribute to _initialInternalAnalysis_. | | Impact/Urgency | Medium | Instructs the system to set ticket Impact/Urgency to _Medium_. | ## Parameters for Handling Related Tickets diff --git a/docs/auditor/10.7/auditor/addon/connectwise/deployment.md b/docs/auditor/10.7/auditor/addon/connectwise/deployment.md index 275a7d119e..887e538382 100644 --- a/docs/auditor/10.7/auditor/addon/connectwise/deployment.md +++ b/docs/auditor/10.7/auditor/addon/connectwise/deployment.md 
@@ -5,9 +5,9 @@ Follow the steps to deploy the Add-On for ConnectWise. **Step 1 –** Prepare Auditor for using the add-on: 1. In the Auditor settings, enable Integration API and specify connection port. See the - [Integrations](../../admin/settings/integrations.md) topic for additional information. + [Integrations](/docs/auditor/10.7/auditor/admin/settings/integrations.md) topic for additional information. 2. Make sure your monitoring plans set up in Auditor are using Audit Databases to store collected - data. See the [Audit Database](../../admin/settings/auditdatabase.md) topic for additional + data. See the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. **Step 2 –** Download the add-on package and copy it to the computer where Auditor Server resides. @@ -20,10 +20,10 @@ Manage Integration Service**. **Step 5 –** Run the ConfigureConnection.exe and follow the steps of the wizard to configure connection and ticketing settings for ConectWise Manage. See the -[Configure ConnectWise ](configure.md)topic for additional information. +[Configure ConnectWise ](/docs/auditor/10.7/auditor/addon/connectwise/configure.md)topic for additional information. **Step 6 –** (optional) To adjust the add-on operation and data flow settings, edit the -ITSMSettings.xml file. See the [Operational Settings](operationalsettings.md) topic for additional +ITSMSettings.xml file. See the [Operational Settings](/docs/auditor/10.7/auditor/addon/connectwise/operationalsettings.md) topic for additional information. **Step 7 –** In Auditor, go to Alerts, select the required alerts, click Edit, and in the Response diff --git a/docs/auditor/10.7/auditor/addon/connectwise/msp.md b/docs/auditor/10.7/auditor/addon/connectwise/msp.md index 6e1b60f745..07b639add1 100644 --- a/docs/auditor/10.7/auditor/addon/connectwise/msp.md +++ b/docs/auditor/10.7/auditor/addon/connectwise/msp.md 
@@ -5,12 +5,12 @@ Consider a situation when a password is reset for a user, computer, or **inetOrg After deploying and configuring the add-on as described in this guide, the MSP (Managed Service Providers) staff member enabled Auditor integration feature: -![Integration API Settings](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/integrations_thumb_0_0.webp) +![Integration API Settings](/img/product_docs/auditor/auditor/addon/connectwise/integrations_thumb_0_0.webp) Also, she enabled the ‘**Password Reset**’ alert from the Auditor predefined set of alerts and specified the add-on launch as response action. -![addon](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/addon.webp) +![addon](/img/product_docs/auditor/auditor/addon/connectwise/addon.webp) Then a new ticket is automatically created shortly after any account password is reset. @@ -18,4 +18,4 @@ All necessary details about the case are automatically entered into the ConnectW Description_ field), including the name of the workstation, the name of the account in question, and the time when the event occurred: -![serviceboard](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/serviceboard.webp) +![serviceboard](/img/product_docs/auditor/auditor/addon/connectwise/serviceboard.webp) diff --git a/docs/auditor/10.7/auditor/addon/connectwise/overview.md b/docs/auditor/10.7/auditor/addon/connectwise/overview.md index 2056d8d93c..68d69949bb 100644 --- a/docs/auditor/10.7/auditor/addon/connectwise/overview.md +++ b/docs/auditor/10.7/auditor/addon/connectwise/overview.md 
@@ -29,7 +29,7 @@ To implement the solution, Managed Service Provider does the following on the cl On a high level, the workflow is as follows: -![CW_workflow](../../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/diagramworkflow_thumb_0_0.webp) +![CW_workflow](/img/product_docs/auditor/auditor/addon/connectwise/diagramworkflow_thumb_0_0.webp) 1. Managed Service Provider installs and configures the add-on on AuditorServer. MSP also enables the necessary alerts in Netwrix Auditor, specifying add-on launch as the response action in the @@ -45,7 +45,7 @@ On a high level, the workflow is as follows: Solution architecture and key components are shown in the figure below: -![diagram](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/diagram.webp) +![diagram](/img/product_docs/auditor/auditor/addon/splunk/diagram.webp) - **Alert Handler (Netwrix.ITSM.AlertResponseAction.exe)** — the executable that is specified in the Auditor alerts as the response action. Alert Handler: @@ -54,7 +54,7 @@ Solution architecture and key components are shown in the figure below: the alert into the service queue. For details on the alert response action, see the -[Configure a Response Action for Alert](../../admin/alertsettings/responseaction.md) topic for +[Configure a Response Action for Alert](/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md) topic for additional information. - **Netwrix Auditor ConnectWise Manage Integration Service (Netwrix.ITSM.IntegrationServiceCW.exe)** 
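Review bot: In the `@@ -45,7` hunk of connectwise/overview.md, the ConnectWise architecture figure is rewritten to `/img/product_docs/auditor/auditor/addon/splunk/diagram.webp`, so this page still depends on an image stored under the Splunk add-on's folder. Check that the Splunk diagram is the intended figure for this page, and if it is, copy it under `addon/connectwise/` so that a later change to the Splunk docs cannot alter or remove it here.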
@@ -71,5 +71,5 @@ follows: | Location | Prerequisites | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Auditor Server | - The add-on supports Auditor version 9.96. - The add-on will run on the computer where Auditor Server works, so the add-on package should be copied to that machine. - For add-on operation, **NET 4.5** framework is required on Auditor Server. - Starting with add-on build 1.0.12.0, **TLS 1.2** protocol is supported. By default, this capability is disabled. For detailed information on enabling it, see the [Deploy the Add-On](deployment.md) topic for additional information. **Auditor settings** - The Audit Database settings should be configured in Auditor Server. - Monitoring plans should be configured to store data to the Audit Database. - The **TCP 9699** port (default Integration API port) should be open for inbound connections. 
**Required permissions** - Unless specified, the **Netwrix.ITSM.IntegrationServiceCW.exe** Windows service (main add-on co mponent) will run under the **LocalSystem** account. - The account that will be used by Netwrix.ITSM.IntegrationServiceCW.exe component to access Auditor Server must be granted the Global administrator role in Auditor. -OR- be a member of the Netwrix Auditor **Administrators** group. | +| Auditor Server | - The add-on supports Auditor version 9.96. - The add-on will run on the computer where Auditor Server works, so the add-on package should be copied to that machine. - For add-on operation, **NET 4.5** framework is required on Auditor Server. - Starting with add-on build 1.0.12.0, **TLS 1.2** protocol is supported. By default, this capability is disabled. For detailed information on enabling it, see the [Deploy the Add-On](/docs/auditor/10.7/auditor/addon/connectwise/deployment.md) topic for additional information. **Auditor settings** - The Audit Database settings should be configured in Auditor Server. - Monitoring plans should be configured to store data to the Audit Database. - The **TCP 9699** port (default Integration API port) should be open for inbound connections. **Required permissions** - Unless specified, the **Netwrix.ITSM.IntegrationServiceCW.exe** Windows service (main add-on co mponent) will run under the **LocalSystem** account. - The account that will be used by Netwrix.ITSM.IntegrationServiceCW.exe component to access Auditor Server must be granted the Global administrator role in Auditor. -OR- be a member of the Netwrix Auditor **Administrators** group. | | ConnectWise Manage | - By default, the add-on connects to the latest version of the ConnectWise Manage application (v4_6_release). **Required permissions** - To connect to ConnectWise Manage via its REST API, you will require an API Member account — it is needed to log in to ConnectWise Manage. 
See [this article](https://docs.connectwise.com/ConnectWise_Documentation/090/040/010/040) for details. - It is recommended to assign the **API Member** account to a limited security role with the following permissions: - **System** – **Table Setup** – **Inquire Level** = **All** - **Companies** – **Company Maintenance** – **Add(all)**, **Inquire(all)** - **Companies** – **Manage Attachments** – **Add(all)**, **Inquire(all)** - **Service Desk** – **Service Tickets** – **Add(all)**, **Inquire(all)** | diff --git a/docs/auditor/10.7/auditor/addon/copilot/deployment.md b/docs/auditor/10.7/auditor/addon/copilot/deployment.md index adbcdbaf27..7421970ae4 100644 --- a/docs/auditor/10.7/auditor/addon/copilot/deployment.md +++ b/docs/auditor/10.7/auditor/addon/copilot/deployment.md @@ -34,11 +34,11 @@ Follow the steps to configure the add-on. service runs under the account currently logged on. - Password – Provide the password for the selected account. -![adcredentials](../../../../../../static/img/product_docs/auditor/auditor/addon/copilot/adcredentials.webp) +![adcredentials](/img/product_docs/auditor/auditor/addon/copilot/adcredentials.webp) **Step 2 –** Enter Tenant ID, App ID and App Secret of the Azure App you registered for the add-on. Click **Next**. -![tenantapp](../../../../../../static/img/product_docs/auditor/auditor/addon/copilot/tenantapp.webp) +![tenantapp](/img/product_docs/auditor/auditor/addon/copilot/tenantapp.webp) **Step 3 –** Click **Run** and close the window. The service should start the data collection now. diff --git a/docs/auditor/10.7/auditor/addon/copilot/overview.md b/docs/auditor/10.7/auditor/addon/copilot/overview.md index b59f24d9ab..1bdb4ab4b8 100644 --- a/docs/auditor/10.7/auditor/addon/copilot/overview.md +++ b/docs/auditor/10.7/auditor/addon/copilot/overview.md 
@@ -11,8 +11,8 @@ related to Copilot activity. The Netwrix Auditor Add-On for Microsoft Copilot works in collaboration with Netwrix Auditor. To get the add-on up and running, refer the following topics: -- [Deployment Procedure](deployment.md) -- [Work with Collected Data](collecteddata.md) +- [Deployment Procedure](/docs/auditor/10.7/auditor/addon/copilot/deployment.md) +- [Work with Collected Data](/docs/auditor/10.7/auditor/addon/copilot/collecteddata.md) ## Prerequisites @@ -20,17 +20,17 @@ Before running the add-on, ensure that all the necessary components and policies follows: - The Audit Database settings are configured in Auditor Server. See the - [Prerequisites](../../api/prerequisites.md) and - [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. + [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and + [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the Contributor role in Auditor. See the - [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional + [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. - Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. - Active Directory Domain Services or Microsoft Entra Kerberos is used as an Identity source. See - the [Deployment Procedure](../azurefiles/deployment.md) topic for additional information. + the [Deployment Procedure](/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md) topic for additional information. ## How the Copilot Add-on Works 
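Review bot: The last changed line of the `@@ -20,17 +20,17 @@` hunk in copilot/overview.md keeps a "Deployment Procedure" link that points at the Azure Files add-on (`/docs/auditor/10.7/auditor/addon/azurefiles/deployment.md`), while the `@@ -11,8 +11,8 @@` hunk of the same file uses the same link text for `/docs/auditor/10.7/auditor/addon/copilot/deployment.md`. The rewrite preserves the old `../azurefiles/deployment.md` target, so this is not a regression, but since the line is being touched it is worth confirming that the identity-source bullet is really meant to send readers to the Azure Files topic and, if it is, giving that link a label that distinguishes it from the Copilot deployment link.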
diff --git a/docs/auditor/10.7/auditor/addon/ctera/collecteddata.md b/docs/auditor/10.7/auditor/addon/ctera/collecteddata.md index 0da56c5e06..b7f8ef7099 100644 --- a/docs/auditor/10.7/auditor/addon/ctera/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/ctera/collecteddata.md @@ -8,7 +8,7 @@ To leverage data collected with the add-on, you can do the following in Auditor: You can apply a filter to narrow down your search results to the Netwrix **API** data source only. -![ctera](../../../../../../static/img/product_docs/auditor/auditor/addon/ctera/ctera.webp) +![ctera](/img/product_docs/auditor/auditor/addon/ctera/ctera.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: @@ -21,9 +21,9 @@ You can apply a filter to narrow down your search results to the Netwrix **API** See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) To leverage data collected with the add-on, you can do the following in Auditor: @@ -33,7 +33,7 @@ To leverage data collected with the add-on, you can do the following in Auditor: You can apply a filter to narrow down your search results to the Netwrix **API** data source only. -![AR from CyberArk in NA](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) +![AR from CyberArk in NA](/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: 
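Review bot: The `@@ -33,7 +33,7 @@` hunk in ctera/collecteddata.md converts the path of an image that belongs to another add-on (`cyberark/cyberark_thumb_0_0.webp`, alt text "AR from CyberArk in NA"), and its context repeats the "To leverage data collected with the add-on" line and the "You can apply a filter" sentence that already appear around the `@@ -8,7 +8,7 @@` hunk. It looks as if the CyberArk page's body is duplicated at the end of the CTERA page; rather than converting paths in both copies, consider removing the second block in this change or a follow-up so the CTERA page shows only `ctera/ctera.webp`.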
@@ -46,6 +46,6 @@ You can apply a filter to narrow down your search results to the Netwrix **API** See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) diff --git a/docs/auditor/10.7/auditor/addon/ctera/overview.md b/docs/auditor/10.7/auditor/addon/ctera/overview.md index 89cd3a993d..71097be5c4 100644 --- a/docs/auditor/10.7/auditor/addon/ctera/overview.md +++ b/docs/auditor/10.7/auditor/addon/ctera/overview.md @@ -15,7 +15,7 @@ On a high level, the add-on works as follows: 3. Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API. ## Prerequisites 
@@ -25,7 +25,7 @@ follows: | On... | Ensure that... | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | +| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. 
- The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | | The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). | ### Configure Logging for CTERA Edge Filer @@ -48,7 +48,7 @@ installed on the same server. space usage. - If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and you should specify another port when configuring the add-on settings (see the - [Install Add-On](install.md) and [Define Parameters](parameters.md) topics for additional + [Install Add-On](/docs/auditor/10.7/auditor/addon/ctera/install.md) and [Define Parameters](/docs/auditor/10.7/auditor/addon/ctera/parameters.md) topics for additional information). Another option is to install the add-on and Auditor Server on different machines. ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/ctera/parameters.md b/docs/auditor/10.7/auditor/addon/ctera/parameters.md index 21ed3b99a6..31ef70877e 100644 --- a/docs/auditor/10.7/auditor/addon/ctera/parameters.md +++ b/docs/auditor/10.7/auditor/addon/ctera/parameters.md 
@@ -2,7 +2,7 @@ The configuration wizard opens in the default web browser: -![configwizard](../../../../../../static/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) +![configwizard](/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) Click **Proceed** and complete the following fields: diff --git a/docs/auditor/10.7/auditor/addon/cyberark/collecteddata.md b/docs/auditor/10.7/auditor/addon/cyberark/collecteddata.md index c829eda2b6..3226579ad4 100644 --- a/docs/auditor/10.7/auditor/addon/cyberark/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/cyberark/collecteddata.md @@ -8,7 +8,7 @@ To leverage data collected with the add-on, you can do the following in Auditor: You can apply a filter to narrow down your search results to the Netwrix **API** data source only. -![AR from CyberArk in NA](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) +![AR from CyberArk in NA](/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: @@ -21,6 +21,6 @@ You can apply a filter to narrow down your search results to the Netwrix **API** See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) diff --git a/docs/auditor/10.7/auditor/addon/cyberark/deployment.md b/docs/auditor/10.7/auditor/addon/cyberark/deployment.md index 95e00df07c..dbe44f16da 100644 --- a/docs/auditor/10.7/auditor/addon/cyberark/deployment.md 
+++ b/docs/auditor/10.7/auditor/addon/cyberark/deployment.md @@ -19,7 +19,7 @@ In Auditor client, go to the Integrations section and verify Integration API set 1. Make sure the **Leverage Integration API** is switched to **ON**. 2. Check the TCP communication port number – default is **9699**. -See the [Prerequisites](../../api/prerequisites.md) topic for additional information. +See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) topic for additional information. By default, activity records are written to _Netwrix_Auditor_API_ database which is not associated with a specific monitoring plan. @@ -27,11 +27,11 @@ with a specific monitoring plan. Optionally, you can create a dedicated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. Target it at Netwrix API data source and enable for monitoring. Add a dedicated item of _Integration_ type to the plan for data to be filtered by item -name. See the [Integration API](../../api/overview.md) topic for additional information. +name. See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information. In such scenario, you will need to specify this monitoring plan in the _naplan_ and _naplanitem_ attributes of the _`` ® `
`_ configuration parameters. See the -[Add-On Parameters](parameters.md) topic for additional information. +[Add-On Parameters](/docs/auditor/10.7/auditor/addon/cyberark/parameters.md) topic for additional information. ## Configure Syslog Message Forwarding in CyberArk @@ -61,9 +61,9 @@ folder and open the **dbparam.ini** file for editing. add-on. Specify **UDP** protocol. - **SyslogMessageCodeFilter** - IDs of events to forward. The add-on will only collect and process events you specify in this parameter. For the full list of supported events, see - [Monitored Events](monitoredevents.md). Use comma as a separator. + [Monitored Events](/docs/auditor/10.7/auditor/addon/cyberark/monitoredevents.md). Use comma as a separator. -![dbparamfile_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/dbparamfile_thumb_0_0.webp) +![dbparamfile_thumb_0_0](/img/product_docs/auditor/auditor/addon/cyberark/dbparamfile_thumb_0_0.webp) **Step 4 –** Save the **dbparam.ini** file. @@ -98,7 +98,7 @@ Follow the steps to install the Add-On: The configuration wizard opens in the default web browser: -![ConfigurationWizard](../../../../../../static/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) +![ConfigurationWizard](/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) Click **Proceed** and complete the following fields: diff --git a/docs/auditor/10.7/auditor/addon/cyberark/overview.md b/docs/auditor/10.7/auditor/addon/cyberark/overview.md index a84b9f6e9d..a000ff0f66 100644 --- a/docs/auditor/10.7/auditor/addon/cyberark/overview.md +++ b/docs/auditor/10.7/auditor/addon/cyberark/overview.md 
@@ -30,7 +30,7 @@ into actions related to CyberArk tools, in particular: The add-on is implemented as a syslog service that collects activity data from CyberArk system (PAS) and sends it to Auditor using the Integration API. -![HIW_CyberArch](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) +![HIW_CyberArch](/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) The add-on operates as a syslog listener for the CyberArk system. On a high level, the solution works as follows: @@ -46,7 +46,7 @@ works as follows: parameters for syslog message forwarding, including add-on installation server settings, the IDs of events to be monitored, etc. - See the [Monitored Events](monitoredevents.md) topic for additional information on the events + See the [Monitored Events](/docs/auditor/10.7/auditor/addon/cyberark/monitoredevents.md) topic for additional information on the events supported for monitoring out of the box. 3. On the add-on installation server, the administrator runs the installation file and configures @@ -60,7 +60,7 @@ works as follows: them to the Audit Database and Long-Term Archive. Data is sent periodically, by default every 5 seconds. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the activity record and the capabilities of the Integration API. 7. Users open Auditor Client to work with collected data: 
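Review bot: In the `@@ -60,7 +60,7 @@` hunk of cyberark/overview.md, the rewritten "See the [Integration API]" line starts at column 0 between the preceding step and step 7, whereas the equivalent "See the [Monitored Events]" line in the `@@ -46,7 +46,7 @@` hunk is indented under its step. A column-0 paragraph ends the numbered list in Markdown, so step 7 is parsed as the start of a new list. Since both lines of that sentence are being touched anyway, indent them to the list item's content level so the note stays attached to its step.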
@@ -77,7 +77,7 @@ follows: | Where | Prerequisite to check | | ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor Server side | - The Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to the Audit Database requires the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. | +| The Auditor Server side | - The Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. 
- User account under which data will be written to the Audit Database requires the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. | | The machine where the Add-On will be installed (Auditor Server is recommended) | - The **UDP 514** port must be open on Windows firewall for inbound connections. If you are using Netwrix Auditor for Network Devices, this port may be already in use, and you should provide another one. Another option is to install the add-on and Auditor Server on different machines. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). | | CyperArk PAS | Version 10.10. | @@ -86,7 +86,7 @@ follows: By default, the add-on will run under the _Local System_ account. So, if the add-on and Auditor will be running on different machines, the corresponding computer account will require at least the **Contributor** role in Auditor. See the -[Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. In case the add-on and Auditor are installed on the same server, no special settings are needed. 
@@ -99,7 +99,7 @@ In case the add-on and Auditor are installed on the same server, no special sett space usage. - If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and you should specify another port when configuring the add-on settings (see - [Deploy the Add-On](deployment.md) and [Add-On Parameters](parameters.md) topics for additional + [Deploy the Add-On](/docs/auditor/10.7/auditor/addon/cyberark/deployment.md) and [Add-On Parameters](/docs/auditor/10.7/auditor/addon/cyberark/parameters.md) topics for additional information). Another option is to install the add-on and Auditor Server on different machines. ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/hyperv/collecteddata.md b/docs/auditor/10.7/auditor/addon/hyperv/collecteddata.md index 0052207654..2d39c48d95 100644 --- a/docs/auditor/10.7/auditor/addon/hyperv/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/hyperv/collecteddata.md @@ -17,4 +17,4 @@ only. - To create an alert on the specific occurrences, click **Create alert**. - To export filtered data to PDF or CSV, click **Export data**. - You can also configure and receive alerts on the events you are interested in. See the - [Administration](../../admin/overview.md) topic for additional information. + [Administration](/docs/auditor/10.7/auditor/admin/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/addon/hyperv/deployment.md b/docs/auditor/10.7/auditor/addon/hyperv/deployment.md index a5bc4e30cb..9147f35d71 100644 --- a/docs/auditor/10.7/auditor/addon/hyperv/deployment.md +++ b/docs/auditor/10.7/auditor/addon/hyperv/deployment.md 
@@ -7,11 +7,11 @@ is installed together with Auditor server): 1. Add-on running on the same machine as SCVMM server (with Management Console): -![deployment_1](../../../../../../static/img/product_docs/auditor/auditor/addon/hyperv/diagram1server.webp) +![deployment_1](/img/product_docs/auditor/auditor/addon/hyperv/diagram1server.webp) 2. Add-on and SCVMM server (with Management Console) running on different machines: -![deployment_2](../../../../../../static/img/product_docs/auditor/auditor/addon/hyperv/diagram2servers_thumb_0_0.webp) +![deployment_2](/img/product_docs/auditor/auditor/addon/hyperv/diagram2servers_thumb_0_0.webp) In this scenario, the account used to access SCVMM server must be a member of the _Remote Management Users_ local group on the SCVMM server. @@ -19,11 +19,11 @@ Users_ local group on the SCVMM server. 3. Add-on running on the same machine as SCVMM Management Console; SCVMM server running on the remote machine: -![deployment_3](../../../../../../static/img/product_docs/auditor/auditor/addon/hyperv/diagram3servers_thumb_0_0.webp) +![deployment_3](/img/product_docs/auditor/auditor/addon/hyperv/diagram3servers_thumb_0_0.webp) In this scenario, make sure to specify SCVMM server address in the **DataCollectionServer** parameter (not the machine where SCVMM console runs) in the **settings.xml** configuration file. See -the [Add-On Parameters](parameters.md)topic for additional information. +the [Add-On Parameters](/docs/auditor/10.7/auditor/addon/hyperv/parameters.md)topic for additional information. Depending on the deployment scenario you choose, you will need to define a set of the add-on parameters. Several examples are provided below. diff --git a/docs/auditor/10.7/auditor/addon/hyperv/install.md b/docs/auditor/10.7/auditor/addon/hyperv/install.md index 47093958f0..0b37fe2109 100644 --- a/docs/auditor/10.7/auditor/addon/hyperv/install.md +++ b/docs/auditor/10.7/auditor/addon/hyperv/install.md 
@@ -17,7 +17,7 @@ In Auditor client, go to the Integrations section and verify Integration API set 1. Make sure the **Leverage Integration API** is switched to **ON**. 2. Check the TCP communication port number – default is **9699**. -See the [Prerequisites](../../api/prerequisites.md) topic for additional information. +See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) topic for additional information. By default, activity records are written to _Netwrix_Auditor_API_ database which is not associated with a specific monitoring plan. @@ -25,11 +25,11 @@ with a specific monitoring plan. Optionally, you can create a dedicated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. Target it at Netwrix API data source and enable for monitoring. Add a dedicated item of _Integration_ type to the plan for data to be filtered by item -name. See the [Integration API](../../api/overview.md) topic for additional information. +name. See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information. In such scenario, you will need to specify this monitoring plan in the _NetwrixAuditorPlan_ and _NetwrixAuditorPlanItem_ parameters in the **settings.xml** file. See the -[Add-On Parameters](parameters.md) topic for additional information. +[Add-On Parameters](/docs/auditor/10.7/auditor/addon/hyperv/parameters.md) topic for additional information. ## Download the Add-On 
@@ -41,7 +41,7 @@ _NetwrixAuditorPlanItem_ parameters in the **settings.xml** file. See the In the add-on folder, open the **settings.xml** file and configure the add-on parameters for data collection, as listed below. -See the [Add-On Parameters](parameters.md)topic for the full list of configuration parameters. +See the [Add-On Parameters](/docs/auditor/10.7/auditor/addon/hyperv/parameters.md)topic for the full list of configuration parameters. | Parameter | Default value | Description | | ---------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -53,7 +53,7 @@ See the [Add-On Parameters](parameters.md)topic for the full list of configurati Save the **settings.xml** file. New configuration settings will be applied automatically at the next data collection. -For the full list of parameters, see the [Add-On Parameters](parameters.md) topic for additional +For the full list of parameters, see the [Add-On Parameters](/docs/auditor/10.7/auditor/addon/hyperv/parameters.md) topic for additional information. ## Register Windows Scheduled Task diff --git a/docs/auditor/10.7/auditor/addon/hyperv/overview.md b/docs/auditor/10.7/auditor/addon/hyperv/overview.md index 68a020272b..ce30cc10f3 100644 --- a/docs/auditor/10.7/auditor/addon/hyperv/overview.md +++ b/docs/auditor/10.7/auditor/addon/hyperv/overview.md 
@@ -29,7 +29,7 @@ Major benefits: The add-on is implemented as a stand-alone application that collects activity data from Virtual Machine Manager and sends it to Auditor using the Integration API. -![HIW](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) +![HIW](/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) On a high level, the solution works as follows: @@ -49,7 +49,7 @@ On a high level, the solution works as follows: 5. This script creates a Windows scheduled task that will run periodically (every 15 minutes) to collect audit data from VMM server. - See the [Monitoring Scope](monitoredevents.md) for additional information on the default list of + See the [Monitoring Scope](/docs/auditor/10.7/auditor/addon/hyperv/monitoredevents.md) for additional information on the default list of the events supported out-of-the box. 6. The add-on component **HVARunner.exe** starts collecting activity data from VMM. Data @@ -58,7 +58,7 @@ On a high level, the solution works as follows: Record contains the Who-What-When-Where-Action information (that is, initiator's account, time, action, and other details). -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API. 8. The add-on uses the Integration API to send the Activity Records to Auditor Server, where this 
@@ -88,7 +88,7 @@ follows: | On... | Ensure that... | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Auditor Server | - Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to the Audit Database requires the **Contributor** role in Netwrix Auditor. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. | +| Auditor Server | - Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. 
- User account under which data will be written to the Audit Database requires the **Contributor** role in Netwrix Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. | | Add-on installation server, i.e. the machine where the add-on will be installed | - The **TCP 5985** port must be open on Windows firewall for inbound connections. - NET Framework 4.5 or later. | | Microsoft System Center Virtual Machine Manager | SCVMM versions: - 2019 - 2016 | | Virtualization hosts | - Microsoft Hyper-V (hardware and nested-virtualization) - VMware ESXi | @@ -101,7 +101,7 @@ This account should have the following minimal rights and permissions: - **Administrator** role in SCVMM - **Contributor** role in Auditor. See the - [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional + [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. ### Considerations and Limitations diff --git a/docs/auditor/10.7/auditor/addon/hyperv/troubleshooting.md b/docs/auditor/10.7/auditor/addon/hyperv/troubleshooting.md index 323b31fd43..f5358fcd4a 100644 --- a/docs/auditor/10.7/auditor/addon/hyperv/troubleshooting.md +++ b/docs/auditor/10.7/auditor/addon/hyperv/troubleshooting.md 
@@ -46,7 +46,7 @@ Alternatively, you can use **Windows Task Scheduler**. The WinRM client cannot process the request. -See the [Deployment Scenarios](deployment.md)topic for additional information. +See the [Deployment Scenarios](/docs/auditor/10.7/auditor/addon/hyperv/deployment.md)topic for additional information. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/collecteddata.md b/docs/auditor/10.7/auditor/addon/ibmqradar/collecteddata.md index 4b47413dba..f6c2bdb74a 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/collecteddata.md @@ -10,6 +10,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/deployment.md b/docs/auditor/10.7/auditor/addon/ibmqradar/deployment.md index caa0a3d381..084ae177bf 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/deployment.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/deployment.md 
@@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/ibmqradar/integrationeventlog.md index f0980f37fd..2d32b3797d 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/integrationeventlog.md @@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Define Parameters](parameters.md) topic for additional information. +See the [Define Parameters](/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: @@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/overview.md b/docs/auditor/10.7/auditor/addon/ibmqradar/overview.md index d4df859421..910b9708c4 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/overview.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API.\ ## Prerequisites 
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md b/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md index 7162c290ce..9c308d0552 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/parameters.md 
@@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/ibmqradar/deployment.md) topic for additional information. | Parameter | Default value | Description | 
@@ -25,7 +25,7 @@ dynamically calculated EventIDs will be modified and applied incorrectly. | Parameter | Default value | Description | | -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **EventID generation** | | | -| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](../../api/postdata/activityrecords.md) topic for additional information. | +| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. 
See the [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. | | IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. | | SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. | | SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. | 
@@ -33,5 +33,5 @@ dynamically calculated EventIDs will be modified and applied incorrectly. \* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID -(duplicates). See the [Run the Add-On with PowerShell](powershell.md) topic for additional +(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md) topic for additional information about duplicates. diff --git a/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md b/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md index 850d33ab21..796b4ecd3c 100644 --- a/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md +++ b/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md @@ -32,7 +32,7 @@ take a while. Ensure the script execution completed successfully. The Netwrix Au By default, the Netwrix Auditor **Integration** event log size is set to **1GB**, and retention is set to "_Overwrite events as needed_". See the -[Integration Event Log Fields](integrationeventlog.md) topic for additional information. +[Integration Event Log Fields](/docs/auditor/10.7/auditor/addon/ibmqradar/integrationeventlog.md) topic for additional information. **NOTE:** Event records with more than 30,000 characters length will be trimmed. diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/collecteddata.md b/docs/auditor/10.7/auditor/addon/intelsecurity/collecteddata.md index 4b47413dba..f6c2bdb74a 100644 --- a/docs/auditor/10.7/auditor/addon/intelsecurity/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/collecteddata.md 
@@ -10,6 +10,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/deployment.md b/docs/auditor/10.7/auditor/addon/intelsecurity/deployment.md index 655c655124..f3e138f6cf 100644 --- a/docs/auditor/10.7/auditor/addon/intelsecurity/deployment.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/deployment.md @@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/intelsecurity/integrationeventlog.md index f0980f37fd..76878c6f62 100644 --- a/docs/auditor/10.7/auditor/addon/intelsecurity/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/integrationeventlog.md 
@@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Define Parameters](parameters.md) topic for additional information. +See the [Define Parameters](/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: @@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/overview.md b/docs/auditor/10.7/auditor/addon/intelsecurity/overview.md index 5294327858..55b41891ba 100644 
--- a/docs/auditor/10.7/auditor/addon/intelsecurity/overview.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md b/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md index b0baf7cd44..00f0d8ee61 100644 --- a/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/parameters.md 
@@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/intelsecurity/deployment.md) topic for additional information. | Parameter | Default value | Description | 
@@ -25,7 +25,7 @@ dynamically calculated EventIDs will be modified and applied incorrectly. | Parameter | Default value | Description | | -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **EventID generation** | | | -| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](../../api/postdata/activityrecords.md) topic for additional information. | +| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. 
See the [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. | | IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. | | SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. | | SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. | 
@@ -33,5 +33,5 @@ dynamically calculated EventIDs will be modified and applied incorrectly. \* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID -(duplicates). See the [Run the Add-On with PowerShell](../ibmqradar/powershell.md) topic for +(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md) topic for additional information about duplicates. diff --git a/docs/auditor/10.7/auditor/addon/intelsecurity/powershell.md b/docs/auditor/10.7/auditor/addon/intelsecurity/powershell.md index 42ea498a93..895b01e175 100644 --- a/docs/auditor/10.7/auditor/addon/intelsecurity/powershell.md +++ b/docs/auditor/10.7/auditor/addon/intelsecurity/powershell.md @@ -31,7 +31,7 @@ take a while. Ensure the script execution completed successfully. The Netwrix Au **Integration** event log will be created and filled with events. By default, the Netwrix Auditor **Integration** event log size is set to 1GB, and retention is set -to "_Overwrite events as needed_". See the [Integration Event Log Fields](integrationeventlog.md) +to "_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.7/auditor/addon/intelsecurity/integrationeventlog.md) topic for additional information. **NOTE:** Event records with more than 30,000 characters length will be trimmed. diff --git a/docs/auditor/10.7/auditor/addon/linux/overview.md b/docs/auditor/10.7/auditor/addon/linux/overview.md index cef58aa842..e7052ecb15 100644 --- a/docs/auditor/10.7/auditor/addon/linux/overview.md +++ b/docs/auditor/10.7/auditor/addon/linux/overview.md 
@@ -22,7 +22,7 @@ Records). Each Activity Record contains the user account, action, time, and othe **Step 4 –** Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the NIntegration API. ## Prerequisites diff --git a/docs/auditor/10.7/auditor/addon/linux/parameters.md b/docs/auditor/10.7/auditor/addon/linux/parameters.md index 1893ed3794..13e3e453e4 100644 --- a/docs/auditor/10.7/auditor/addon/linux/parameters.md +++ b/docs/auditor/10.7/auditor/addon/linux/parameters.md @@ -2,7 +2,7 @@ The configuration wizard opens in the default web browser: -![GenericLinuxConfigWizard](../../../../../../static/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) +![GenericLinuxConfigWizard](/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) Click **Proceed** and complete the following fields: diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/collecteddata.md b/docs/auditor/10.7/auditor/addon/logrhythm/collecteddata.md index 8056192ac4..abc2c200a2 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/collecteddata.md @@ -10,6 +10,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. 
diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md b/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md index 2d4945a66d..11b4f90ca2 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md @@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/logrhythm/integrationeventlog.md index f0980f37fd..034f81f0a1 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/integrationeventlog.md @@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
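Review bot: In the `@@ -4,7 +4,7 @@` hunk of logrhythm/integrationeventlog.md, the added line still ends with `activityrecordreference.md)topic.`, with no space between the closing parenthesis of the link and the word "topic". The line is being rewritten anyway, so add the space here instead of carrying the defect into the new absolute-path version.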
@@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Define Parameters](parameters.md) topic for additional information. +See the [Define Parameters](/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: @@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/overview.md b/docs/auditor/10.7/auditor/addon/logrhythm/overview.md index ca5f9a26ff..3516d6ee91 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/overview.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md b/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md index 17bbd56c79..ff3489baf2 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/parameters.md 
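Review bot: The unchanged prerequisites row in the `@@ -35,7 +35,7 @@` hunk of logrhythm/overview.md tells readers to run `Set-ExecutionPolicy Unrestricted`, which, run without a scope, relaxes script execution for the whole computer and not only for this add-on. While the neighbouring row is being edited, consider documenting a narrower setting (a policy scoped to the process or account that runs the script) and saying why the add-on needs it. The rewritten row also offers the Global administrator role as an alternative to Global reviewer; it would help to state that Global reviewer is the preferred choice, since the text itself notes that the alternative carries "the most extended permissions in the product".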
@@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md) topic for additional information. | Parameter | Default value | Description | 
@@ -25,7 +25,7 @@ dynamically calculated EventIDs will be modified and applied incorrectly. | Parameter | Default value | Description | | -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **EventID generation** | | | -| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](../../api/postdata/activityrecords.md) topic for additional information. | +| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. 
See the [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. | | IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. | | SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. | | SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. | 
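Review bot: The added GenerateEventId row in the `@@ -25,7 +25,7 @@` hunk of logrhythm/parameters.md calls the EventIDs "unique" but also says only the lowest 16 bits of a CRC32 over ObjectType, Action and (optionally) DataSource are used, so different field combinations can end up with the same EventID. Suggest replacing "unique" with wording such as "derived from Activity Record fields" and adding a sentence that SIEM rules should not match on EventID alone. The same row reads "Defines whether to generated"; it should be "whether to generate".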
@@ -33,5 +33,5 @@ dynamically calculated EventIDs will be modified and applied incorrectly. \* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID -(duplicates). See the [Run the Add-On with PowerShell](../ibmqradar/powershell.md) topic for +(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md) topic for additional information about duplicates.\* diff --git a/docs/auditor/10.7/auditor/addon/logrhythm/powershell.md b/docs/auditor/10.7/auditor/addon/logrhythm/powershell.md index 1b262ca031..3d02ec4df7 100644 --- a/docs/auditor/10.7/auditor/addon/logrhythm/powershell.md +++ b/docs/auditor/10.7/auditor/addon/logrhythm/powershell.md @@ -31,7 +31,7 @@ take a while. Ensure the script execution completed successfully. The Netwrix Au event log will be created and filled with events. By default, the Auditor Integration event log size is set to 1GB, and retention is set to -"_Overwrite events as needed_". See the [Integration Event Log Fields](integrationeventlog.md) topic +"_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.7/auditor/addon/logrhythm/integrationeventlog.md) topic for additional information. **NOTE:** Event records with more than 30,000 characters length will be trimmed. diff --git a/docs/auditor/10.7/auditor/addon/nasuni/collecteddata.md b/docs/auditor/10.7/auditor/addon/nasuni/collecteddata.md index c829eda2b6..3226579ad4 100644 --- a/docs/auditor/10.7/auditor/addon/nasuni/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/nasuni/collecteddata.md 
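Review bot: In the `@@ -33,5 +33,5 @@` hunk of logrhythm/parameters.md, the rewritten "Run the Add-On with PowerShell" link targets `/docs/auditor/10.7/auditor/addon/ibmqradar/powershell.md`, although this same patch edits `logrhythm/powershell.md`. The old relative path `../ibmqradar/powershell.md` had the same target, so the rewrite is faithful, but please confirm the cross-add-on link is intended and not left over from the IBM QRadar copy of this page. The context line that follows also ends with a stray `\*` after "duplicates.", which the otherwise identical hunk earlier in the patch does not have.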
@@ -8,7 +8,7 @@ To leverage data collected with the add-on, you can do the following in Auditor: You can apply a filter to narrow down your search results to the Netwrix **API** data source only. -![AR from CyberArk in NA](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) +![AR from CyberArk in NA](/img/product_docs/auditor/auditor/addon/cyberark/cyberark_thumb_0_0.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: @@ -21,6 +21,6 @@ You can apply a filter to narrow down your search results to the Netwrix **API** See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) diff --git a/docs/auditor/10.7/auditor/addon/nasuni/overview.md b/docs/auditor/10.7/auditor/addon/nasuni/overview.md index 5396999967..03ab013105 100644 --- a/docs/auditor/10.7/auditor/addon/nasuni/overview.md +++ b/docs/auditor/10.7/auditor/addon/nasuni/overview.md @@ -15,7 +15,7 @@ On a high level, the add-on works as follows: 3. Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server, which writes them to the Long-Term Archive and the Audit Database. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the NIntegration API. ## Prerequisites 
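Review bot: The context line after the rewritten Integration API link in the `@@ -15,7 +15,7 @@` hunk of nasuni/overview.md reads "capabilities of the NIntegration API", which looks like a damaged product name. Other add-on overviews in this patch say "Netwrix Auditor Integration API" or "Integration API"; fix the text here and in linux/overview.md, where the same string appears next to the same link change.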
@@ -25,7 +25,7 @@ follows: | On... | Ensure that... | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | +| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. 
- The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | | The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). | ### Configure Logging for @@ -66,7 +66,7 @@ admin privileges. space usage. - If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and you should specify another port when configuring the add-on settings (see the - [Install Add-On](install.md) and [Define Parameters](parameters.md) topics for additional + [Install Add-On](/docs/auditor/10.7/auditor/addon/nasuni/install.md) and [Define Parameters](/docs/auditor/10.7/auditor/addon/nasuni/parameters.md) topics for additional information). Another option is to install the add-on and Auditor Server on different machines. ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/nasuni/parameters.md b/docs/auditor/10.7/auditor/addon/nasuni/parameters.md index 21ed3b99a6..31ef70877e 100644 --- a/docs/auditor/10.7/auditor/addon/nasuni/parameters.md +++ b/docs/auditor/10.7/auditor/addon/nasuni/parameters.md 
@@ -2,7 +2,7 @@ The configuration wizard opens in the default web browser: -![configwizard](../../../../../../static/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) +![configwizard](/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) Click **Proceed** and complete the following fields: diff --git a/docs/auditor/10.7/auditor/addon/nutanixahv/collecteddata.md b/docs/auditor/10.7/auditor/addon/nutanixahv/collecteddata.md index 96fa64e073..3cc3ce14a7 100644 --- a/docs/auditor/10.7/auditor/addon/nutanixahv/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/nutanixahv/collecteddata.md @@ -9,7 +9,7 @@ To leverage data collected with the add-on, you can do the following in Auditor: You might want to apply a filter to narrow down your search results to the Netwrix**API** data source only. -![screen_results](../../../../../../static/img/product_docs/auditor/auditor/addon/nutanixahv/nutanixahv_thumb_0_0.webp) +![screen_results](/img/product_docs/auditor/auditor/addon/nutanixahv/nutanixahv_thumb_0_0.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: @@ -22,6 +22,6 @@ source only. See the following topics for additional information: -- [Alerts](../../admin/alertsettings/overview.md) -- [View and Search Collected Data](../../admin/search/overview.md) -- [Subscriptions](../../admin/subscriptions/overview.md) +- [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) +- [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) +- [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) diff --git a/docs/auditor/10.7/auditor/addon/nutanixahv/deployment.md b/docs/auditor/10.7/auditor/addon/nutanixahv/deployment.md index 8a4022898a..5a2f610460 100644 --- a/docs/auditor/10.7/auditor/addon/nutanixahv/deployment.md +++ b/docs/auditor/10.7/auditor/addon/nutanixahv/deployment.md 
@@ -23,7 +23,7 @@ https://172.28.6.19:9699/netwrix/api/v1/activity_records Integrations** and click **Go to add-on store** button. The following menu will appear: -![addonstore](../../../../../static/img/product_docs/auditor/auditor/addon/addonstore.webp) +![addonstore](/img/product_docs/auditor/auditor/addon/addonstore.webp) Netwrix Auditor Integration API uses HTTPS with an automatically generated certificate for running requests to its endpoints. By default, add-ons are configured to accept all certificates that is appropriate for evaluation purposes and allows running the script without adjusting. -Refer to [Security](../api/security.md) for detailed instructions on how to assign a new certificate +Refer to [Security](/docs/auditor/10.7/auditor/api/security.md) for detailed instructions on how to assign a new certificate and enable trust on remote computers. ## Use Add-Ons @@ -69,7 +69,7 @@ is explicitly defined. If necessary, modify the parameters as required. **Step 5 –** Review the add-on operation results. For example, if you are using the add-on that imports data to Netwrix Auditor, you can search Activity Records in the Netwrix Auditor client. -![api_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_thumb_0_0.webp) +![api_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_thumb_0_0.webp) **Step 6 –** (optional) For PowerShell based add-ons, you can schedule a daily task to ensure your audit data is always up-to-date. diff --git a/docs/auditor/10.7/auditor/addon/privilegeduserlinux/overview.md b/docs/auditor/10.7/auditor/addon/privilegeduserlinux/overview.md index 0c46ddedfe..62d98d6378 100644 --- a/docs/auditor/10.7/auditor/addon/privilegeduserlinux/overview.md +++ b/docs/auditor/10.7/auditor/addon/privilegeduserlinux/overview.md 
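Review bot: The unchanged sentence just above the rewritten Security link in the `@@ -23,7 +23,7 @@` hunk says add-ons "accept all certificates" by default and that this "is appropriate for evaluation purposes", but it never says the default is unsuitable outside evaluation. With every certificate accepted, the add-on does not verify the identity of the Integration API server it connects to over HTTPS. Since the link to the Security topic is being touched, suggest stating that production deployments should assign a trusted certificate and stop accepting all certificates, and fixing the grammar ("which is appropriate for evaluation purposes and allows running the script without adjustment").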
@@ -27,9 +27,9 @@ follows: | On... | Ensure that... | | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. 
In this case, this user will have the most extended permissions in the product. | +| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. | | The computer where the service will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). | | The target syslog-based platform | The **Syslog daemon** is configured to redirect events. The procedure below explains how to configure redirection: **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of rsyslog package may be required. - On Red Hat Enterprise Linux 7: 1. Open the **/etc/rsyslog.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. 
For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **RHEL console** and execute the following command: `service rsyslog restart`. - On Ubuntu 16: 1. Navigate to the **/etc/rsyslog.d/50-default.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **UBUNTU console** and execute the following command: `service rsyslog restart`. | -See the the [Integration API](../../api/overview.md) topic for additional information on the +See the the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Integration API diff --git a/docs/auditor/10.7/auditor/addon/privilegeduserlinux/parameters.md b/docs/auditor/10.7/auditor/addon/privilegeduserlinux/parameters.md index fce26eb7ae..6d391ddd41 100644 --- a/docs/auditor/10.7/auditor/addon/privilegeduserlinux/parameters.md +++ b/docs/auditor/10.7/auditor/addon/privilegeduserlinux/parameters.md @@ -2,7 +2,7 @@ The configuration wizard opens in the default web browser: -![PrivilegedUsersConfigWizard](../../../../../../static/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) +![PrivilegedUsersConfigWizard](/img/product_docs/auditor/auditor/addon/privilegeduserlinux/configwizard.webp) Click **Proceed** and complete the following fields: diff --git a/docs/auditor/10.7/auditor/addon/qumulo/collecteddata.md b/docs/auditor/10.7/auditor/addon/qumulo/collecteddata.md index 18190ad515..557ad3587c 100644 --- a/docs/auditor/10.7/auditor/addon/qumulo/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/qumulo/collecteddata.md 
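Review bot: The added line in the `@@ -27,9 +27,9 @@` hunk of privilegeduserlinux/overview.md keeps the doubled article in "See the the [Integration API]", and the sentence still ends without a period after "capabilities of the Integration API". Both can be fixed in this change because the line is rewritten anyway. In the unchanged syslog row of the same hunk, the example `RSYSLOG_ SyslogProtocol23Format` contains a space that the template name in the instruction line (`RSYSLOG_SyslogProtocol23Format`) does not, so a reader who copies the example will not get the template the procedure describes.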
@@ -9,7 +9,7 @@ To leverage data collected with the add-on, you can do the following in Netwrix You might want to apply a filter to narrow down your search results to the Netwrix API data source only. -![Qumulo screen](../../../../../../static/img/product_docs/auditor/auditor/addon/qumulo/qumulo_thumb_0_0.webp) +![Qumulo screen](/img/product_docs/auditor/auditor/addon/qumulo/qumulo_thumb_0_0.webp) - Also, you can click **Tools** in the upper-right corner and select the command you need. For example: diff --git a/docs/auditor/10.7/auditor/addon/qumulo/overview.md b/docs/auditor/10.7/auditor/addon/qumulo/overview.md index 62c67ed63b..f60d487952 100644 --- a/docs/auditor/10.7/auditor/addon/qumulo/overview.md +++ b/docs/auditor/10.7/auditor/addon/qumulo/overview.md @@ -32,7 +32,7 @@ Major benefits: The add-on is implemented as a Syslog service that collects activity data from Qumulo Cluster and sends it to Auditor using the Integration API. -![diagram_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) +![diagram_thumb_0_0](/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) On a high level, the solution works as follows: @@ -57,7 +57,7 @@ On a high level, the solution works as follows: them to the **Netwrix_Auditor_API** database (SQL server database) and file-based Long-Term Archive. Data is sent periodically, by default every 5 seconds. For more information on the Activity Record structure and capabilities of the Integration API, refer to the - [Integration API](../../api/overview.md) topic. + [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic. 7. Users open Auditor Client to work with collected data: - Search for file changes using certain criteria - Export data to PDF or CSV files diff --git a/docs/auditor/10.7/auditor/addon/radius/collecteddata.md b/docs/auditor/10.7/auditor/addon/radius/collecteddata.md index f1d155b00b..78057f2423 100644 
--- a/docs/auditor/10.7/auditor/addon/radius/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/radius/collecteddata.md @@ -9,7 +9,7 @@ Follow the steps to see results. **Step 2 –** Click **Search**. -![radius](../../../../../../static/img/product_docs/auditor/auditor/addon/radius/radius.webp) +![radius](/img/product_docs/auditor/auditor/addon/radius/radius.webp) **NOTE:** You might want to apply a filter to narrow down your search results to the RADIUS Logon object type only. diff --git a/docs/auditor/10.7/auditor/addon/radius/customreport.md b/docs/auditor/10.7/auditor/addon/radius/customreport.md index ca632a86ee..bbae45b598 100644 --- a/docs/auditor/10.7/auditor/addon/radius/customreport.md +++ b/docs/auditor/10.7/auditor/addon/radius/customreport.md @@ -20,7 +20,7 @@ group. After running the script, the RADIUS server logons since yesterday custom report appears in **Reports** > **Custom**. You can access the search instantly to receive it on a regular basis. -![radiusfilters](../../../../../../static/img/product_docs/auditor/auditor/addon/radius/radiusfilters.webp) +![radiusfilters](/img/product_docs/auditor/auditor/addon/radius/radiusfilters.webp) Clicking the saved search tile opens the search with preset filters, which shows RADIUS logon activity data for 2 days (yesterday and today). diff --git a/docs/auditor/10.7/auditor/addon/radius/deployment.md b/docs/auditor/10.7/auditor/addon/radius/deployment.md index 627f52c4d4..b97e69810d 100644 --- a/docs/auditor/10.7/auditor/addon/radius/deployment.md +++ b/docs/auditor/10.7/auditor/addon/radius/deployment.md 
@@ -4,7 +4,7 @@ Auditor Add-on for RADIUS Server runs on any computer in your environment. For e the add-on on the computer where Auditor is installed or on your RADIUS server. Depending on the execution scenario you choose, you have to define a different set of script -parameters. See the [Define Parameters](parameters.md) topic for additional information. +parameters. See the [Define Parameters](/docs/auditor/10.7/auditor/addon/radius/parameters.md) topic for additional information. Netwrixsuggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/radius/overview.md b/docs/auditor/10.7/auditor/addon/radius/overview.md index 45bcb430fb..14c1882f84 100644 --- a/docs/auditor/10.7/auditor/addon/radius/overview.md +++ b/docs/auditor/10.7/auditor/addon/radius/overview.md @@ -56,7 +56,7 @@ On a high level, the add-on works as follows: events to the Netwrix Auditor server, which writes them to the Long-Term Archive and the Audit Database. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
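Review bot: the new target on the `+See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md)` line in radius/overview.md embeds the version directory, where the removed `../../api/overview.md` resolved inside whichever version tree the file lives in. If the 10.7 tree is later copied to start the next version, this link and the others rewritten the same way across this patch will keep pointing at 10.7 unless they are rewritten again. Please confirm the versioning workflow handles that, or keep links inside a version tree relative. The rewritten line is also well past the wrap width of the lines around it.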
@@ -66,7 +66,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The RADIUS server | - The **Remote Event Log Management (RPC)** inbound firewall rule is enabled. - The account collecting RADIUS logon events is member of the **Domain Users** group and have the **Manage auditing and security log** right. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | diff --git a/docs/auditor/10.7/auditor/addon/radius/parameters.md b/docs/auditor/10.7/auditor/addon/radius/parameters.md index 54c3d6ea9f..cb99975564 100644 --- a/docs/auditor/10.7/auditor/addon/radius/parameters.md 
+++ b/docs/auditor/10.7/auditor/addon/radius/parameters.md @@ -4,7 +4,7 @@ Before running or scheduling the add-on, you must define connection details: Aud user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution scenario and security policies. See the -[Choose Appropriate Execution Scenario](../logrhythm/deployment.md) topic for additional +[Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/logrhythm/deployment.md) topic for additional information. | Parameter | Default value | Description | diff --git a/docs/auditor/10.7/auditor/addon/servicenow/install.md b/docs/auditor/10.7/auditor/addon/servicenow/install.md index f1a243333e..e0475aa477 100644 --- a/docs/auditor/10.7/auditor/addon/servicenow/install.md +++ b/docs/auditor/10.7/auditor/addon/servicenow/install.md @@ -11,4 +11,4 @@ will use the default Integration API port **9699**. Unless specified, the servic To use the add-on, you should check the prerequisites and specify configuration settings, as described in the next sections. After that, run the installer that will apply settings and start the -service. See the [Deploy the Service](deployment.md) topic for additional information. +service. See the [Deploy the Service](/docs/auditor/10.7/auditor/addon/servicenow/deployment.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/addon/servicenow/overview.md b/docs/auditor/10.7/auditor/addon/servicenow/overview.md index 3ef19375c8..4ab5713aca 100644 --- a/docs/auditor/10.7/auditor/addon/servicenow/overview.md +++ b/docs/auditor/10.7/auditor/addon/servicenow/overview.md 
@@ -30,7 +30,7 @@ follows: | On... | Ensure that... | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in the Auditor. See the [Audit Database](../../admin/settings/auditdatabase.md)topic for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in the Auditor or is a member of the Netwrix Auditor Client Users group. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in the Auditor. See the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md)topic for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in the Auditor or is a member of the Netwrix Auditor Client Users group. 
Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | On the ServiceNow side | - ServiceNow version should be any of the following: - Helsinki - Istanbul - Kingston - London **NOTE:** Currently, Jakarta version has only experimental support. - A new user is created and has sufficient permissions to create tickets and update them. The **itil** role is recommended. If you want to reopen closed tickets, you must be granted the right to perform **Write** operations on inactive incidents. | -See the [Integration API](../../api/overview.md) topic for additional information. +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/addon/siem/activityrecords.md b/docs/auditor/10.7/auditor/addon/siem/activityrecords.md index 11fbf9c81d..0294367453 100644 --- a/docs/auditor/10.7/auditor/addon/siem/activityrecords.md +++ b/docs/auditor/10.7/auditor/addon/siem/activityrecords.md @@ -4,7 +4,7 @@ To export only important audit data, that is, the Activity Records that led to the alert triggering, configure the alert response action, providing path to -**Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1**. See the [SIEM](overview.md) topic for additional +**Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1**. See the [SIEM](/docs/auditor/10.7/auditor/addon/siem/overview.md) topic for additional information. ## Export Activity Records in Bulk 
@@ -42,7 +42,7 @@ while. Ensure the script execution completed successfully. The Netwrix Auditor I will be created and filled with events. By default, the Netwrix Auditor Integration event log size is set to _1GB_, and retention is set to -_"Overwrite events as needed"_. See the [Integration Event Log Fields](integrationeventlog.md) topic +_"Overwrite events as needed"_. See the [Integration Event Log Fields](/docs/auditor/10.7/auditor/addon/siem/integrationeventlog.md) topic for additional information. Event records with more than 30,000 characters length will be trimmed. diff --git a/docs/auditor/10.7/auditor/addon/siem/collecteddata.md b/docs/auditor/10.7/auditor/addon/siem/collecteddata.md index 4b47413dba..f6c2bdb74a 100644 --- a/docs/auditor/10.7/auditor/addon/siem/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/siem/collecteddata.md @@ -10,6 +10,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. diff --git a/docs/auditor/10.7/auditor/addon/siem/configure.md b/docs/auditor/10.7/auditor/addon/siem/configure.md index b81f227995..e9e1395756 100644 --- a/docs/auditor/10.7/auditor/addon/siem/configure.md +++ b/docs/auditor/10.7/auditor/addon/siem/configure.md 
@@ -5,7 +5,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/siem/deployment.md) topic for more information. | Parameter | Default value | Description | 
@@ -27,8 +27,8 @@ dynamically calculated EventIDs will be modified and applied incorrectly. | Parameter | Default value | Description | | ------------------------------ | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **EventID generation** | | | -| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](../../api/postdata/activityrecords.md) topic for additional information. | -| IncludeDataSourceToMakeEventId | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to TRUE. _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID (duplicates). 
See the [Export Activity Records ](activityrecords.md) topic for additional information.. | +| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. | +| IncludeDataSourceToMakeEventId | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to TRUE. _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID (duplicates). See the [Export Activity Records ](/docs/auditor/10.7/auditor/addon/siem/activityrecords.md) topic for additional information.. | | SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the **DataSource** field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the **DataSource** field of Activity Record. Only the lowest 9 bits of the calculation result are used. | | SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the **DataSource** field of Activity Record. 
Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular **DataSource** does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. | diff --git a/docs/auditor/10.7/auditor/addon/siem/deployment.md b/docs/auditor/10.7/auditor/addon/siem/deployment.md index 9d86e7c7b0..4dc5949c86 100644 --- a/docs/auditor/10.7/auditor/addon/siem/deployment.md +++ b/docs/auditor/10.7/auditor/addon/siem/deployment.md @@ -5,7 +5,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Configuration](configure.md) topic for additional information. +[Configuration](/docs/auditor/10.7/auditor/addon/siem/configure.md) topic for additional information. Netwrix suggests the following execution scenarios: @@ -28,5 +28,5 @@ By default, Auditor uses the _LocalSystem_ account to run PowerShell scripts. If another account, in the alert settings go to **Response Action**, select the **Use custom credentials** checkbox and specify user name and password. Make sure this account has **Log on as batch job** privilege. See the -[Configure a Response Action for Alert](../../admin/alertsettings/responseaction.md) topic for +[Configure a Response Action for Alert](/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md) topic for additional information. 
diff --git a/docs/auditor/10.7/auditor/addon/siem/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/siem/integrationeventlog.md index 9e5355fff6..03addcfc53 100644 --- a/docs/auditor/10.7/auditor/addon/siem/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/siem/integrationeventlog.md @@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Configuration](configure.md) topic for additional information. +See the [Configuration](/docs/auditor/10.7/auditor/addon/siem/configure.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: 
@@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/siem/overview.md b/docs/auditor/10.7/auditor/addon/siem/overview.md index da25a5a802..30d925eba3 100644 --- a/docs/auditor/10.7/auditor/addon/siem/overview.md +++ b/docs/auditor/10.7/auditor/addon/siem/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites @@ -63,7 +63,7 @@ On a high level, this add-on works as follows: events there. These events are structured and ready for integration with Windows event log. For more information on the structure of the Activity Record and the capabilities of the Netwrix -Auditor Integration API, refer to [Integration API](../../api/overview.md). +Auditor Integration API, refer to [Integration API](/docs/auditor/10.7/auditor/api/overview.md). ## Netwrix Auditor Alerts to Event Log Add-on 
@@ -71,7 +71,7 @@ This add-on works as response action to the alert, as follows: 1. The administrator enables and configured response action for selected alert, as described in the following topic: - [Configure a Response Action for Alert](../../admin/alertsettings/responseaction.md). Make sure + [Configure a Response Action for Alert](/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md). Make sure to provide correct path to the script file and to select the Write data to CSV file option. 2. When the alert is triggered, the script starts - it retrieves audit data (activity record fields) from the CSV file and processes it into log events. Each event contains the user account, action, @@ -79,5 +79,5 @@ This add-on works as response action to the alert, as follows: 3. The add-on creates a special Windows event log named Netwrix_Auditor_Integration and stores events there. These events are structured and ready for integration with SIEM system. -See the [Configure a Response Action for Alert](../../admin/alertsettings/responseaction.md) +See the [Configure a Response Action for Alert](/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md) topic for additional information on the alert response actions and CSV file. diff --git a/docs/auditor/10.7/auditor/addon/siemcefexport/deployment.md b/docs/auditor/10.7/auditor/addon/siemcefexport/deployment.md index 080dc34505..4a34c84174 100644 --- a/docs/auditor/10.7/auditor/addon/siemcefexport/deployment.md +++ b/docs/auditor/10.7/auditor/addon/siemcefexport/deployment.md 
@@ -3,7 +3,7 @@ Netwrix Auditor Netwrix Risk Insights runs on any computer in your environment. For example, you can run the add-on on the computer where Netwrix Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/siemcefexport/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/siemcefexport/overview.md b/docs/auditor/10.7/auditor/addon/siemcefexport/overview.md index 80e7946a90..b7260c80ec 100644 --- a/docs/auditor/10.7/auditor/addon/siemcefexport/overview.md +++ b/docs/auditor/10.7/auditor/addon/siemcefexport/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/siemeventlogexport/deployment.md b/docs/auditor/10.7/auditor/addon/siemeventlogexport/deployment.md index 8cd069a70e..14307e24bb 100644 --- a/docs/auditor/10.7/auditor/addon/siemeventlogexport/deployment.md +++ b/docs/auditor/10.7/auditor/addon/siemeventlogexport/deployment.md 
@@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/siemeventlogexport/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/siemeventlogexport/overview.md b/docs/auditor/10.7/auditor/addon/siemeventlogexport/overview.md index 1d974b60e3..6105b222a9 100644 --- a/docs/auditor/10.7/auditor/addon/siemeventlogexport/overview.md +++ b/docs/auditor/10.7/auditor/addon/siemeventlogexport/overview.md @@ -22,7 +22,7 @@ On a high level, the add-on works as follows: there. These events are structured and ready for integration with SIEM. For more information on the structure of the Activity Record and the capabilities of the Integration -API, refer to the [Integration API](../../api/overview.md) topic. +API, refer to the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic. ## Prerequisites 
@@ -31,11 +31,11 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice Make sure to check your product version, and then review and update your add-ons and scripts leveraging the Integration API. Download the latest add- on version in the Add- on Store. See the -[Integration API](../../api/overview.md) topic for additional information about schema updates. +[Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information about schema updates. 
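Review bot: the unchanged "The computer where the script will be executed" row in this siemeventlogexport/overview.md table still instructs readers to run `Set-ExecutionPolicy Unrestricted` from an elevated prompt with no `-Scope`, which sets the policy for the whole machine. That is outside the link rewrite, but since the table is being touched, a follow-up should state the narrowest policy and scope the add-on actually needs. The same row is carried as context in the radius/overview.md and siemcefexport/overview.md prerequisites hunks. In the Compatibility Notice paragraph of this hunk, the stray spaces in "add- on" and "Add- on Store" could be fixed in the same pass.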
diff --git a/docs/auditor/10.7/auditor/addon/siemeventlogexport/parameters.md b/docs/auditor/10.7/auditor/addon/siemeventlogexport/parameters.md index 6fbeb39cc6..e90b5e8533 100644 --- a/docs/auditor/10.7/auditor/addon/siemeventlogexport/parameters.md +++ b/docs/auditor/10.7/auditor/addon/siemeventlogexport/parameters.md @@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See [Choose Appropriate Execution Scenario](deployment.md) for +scenario and security policies. See [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/siemeventlogexport/deployment.md) for additional information. First provide a path to your add-on followed by script parameters with their values. Each parameter diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/collecteddata.md b/docs/auditor/10.7/auditor/addon/solarwinds/collecteddata.md index 4b47413dba..f6c2bdb74a 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/collecteddata.md +++ b/docs/auditor/10.7/auditor/addon/solarwinds/collecteddata.md @@ -10,6 +10,6 @@ Services Logs** >Netwrix Auditor Integration log. **Step 3 –** Review events. -![EventLog_Export_Example](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) +![EventLog_Export_Example](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexportexample_thumb_0_0.webp) Now you can augment Windows event log with data collected by the Auditor. diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/deployment.md b/docs/auditor/10.7/auditor/addon/solarwinds/deployment.md index 4779f97011..73d7c34e23 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/deployment.md 
+++ b/docs/auditor/10.7/auditor/addon/solarwinds/deployment.md @@ -3,7 +3,7 @@ Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can run the add-on on the computer where Auditor is installed or on a remote server. Depending on the execution scenario you choose, you have to define a different set of parameters. See the -[Define Parameters](parameters.md) topic for additional information. +[Define Parameters](/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md) topic for additional information. Netwrix suggests the following execution scenarios: diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/integrationeventlog.md b/docs/auditor/10.7/auditor/addon/solarwinds/integrationeventlog.md index f0980f37fd..83d69de1e4 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/integrationeventlog.md +++ b/docs/auditor/10.7/auditor/addon/solarwinds/integrationeventlog.md @@ -4,7 +4,7 @@ This section describes how the add-on fills in the Netwrix Auditor **Integration with data retrieved from Activity Records. The Activity Record structure is described in the -[Reference for Creating Activity Records](../../api/activityrecordreference.md)topic. +[Reference for Creating Activity Records](/docs/auditor/10.7/auditor/api/activityrecordreference.md)topic. | Event log field name | Filled in with value | Details | | -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
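Review bot: The rewritten link line in integrationeventlog.md keeps the missing space between the link and the following word (`...api/activityrecordreference.md)topic.`), so the sentence renders as "Reference for Creating Activity Recordstopic." Since this line is already being changed, add the space after the closing parenthesis in the same commit.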
@@ -12,7 +12,7 @@ The Activity Record structure is described in the | EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). | | Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. | -See the [Define Parameters](parameters.md) topic for additional information. +See the [Define Parameters](/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md) topic for additional information. EventData is filled in with data from the Activity Record fields as follows: @@ -31,4 +31,4 @@ EventData is filled in with data from the Activity Record fields as follows: Details are filled in only if this Activity Record field is not empty. -![eventlogexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) +![eventlogexample_thumb_0_0](/img/product_docs/auditor/auditor/addon/solarwinds/eventlogexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/overview.md b/docs/auditor/10.7/auditor/addon/solarwinds/overview.md index 900facf5f6..ee791b9771 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/overview.md +++ b/docs/auditor/10.7/auditor/addon/solarwinds/overview.md @@ -25,7 +25,7 @@ On a high level, the add-on works as follows: 3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores events there. These events are structured and ready for integration with the SIEM solution. -See the [Integration API](../../api/overview.md) topic for additional information on the structure +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on the structure of the Activity Record and the capabilities of the Netwrix Auditor Integration API. ## Prerequisites 
@@ -35,7 +35,7 @@ follows: | On... | Ensure that... | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. | ## Compatibility Notice diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md b/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md index dff17cf0ac..dc6877f30b 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md +++ b/docs/auditor/10.7/auditor/addon/solarwinds/parameters.md 
@@ -3,7 +3,7 @@ Before running or scheduling the add-on, you must define connection details: Auditor Server host, user credentials, etc. Most parameters are optional, the script uses the default values unless parameters are explicitly defined. You can skip or define parameters depending on your execution -scenario and security policies. See the [Choose Appropriate Execution Scenario](deployment.md) topic +scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.7/auditor/addon/solarwinds/deployment.md) topic for additional information. | Parameter | Default value | Description | diff --git a/docs/auditor/10.7/auditor/addon/solarwinds/powershell.md b/docs/auditor/10.7/auditor/addon/solarwinds/powershell.md index 14c08d1d05..c103add7c5 100644 --- a/docs/auditor/10.7/auditor/addon/solarwinds/powershell.md +++ b/docs/auditor/10.7/auditor/addon/solarwinds/powershell.md @@ -31,7 +31,7 @@ take a while. Ensure the script execution completed successfully. The Netwrix Au **Integration** event log will be created and filled with events. By default, the Netwrix Auditor **Integration** event log size is set to 1GB, and retention is set -to "_Overwrite events as needed_". See the [Integration Event Log Fields](integrationeventlog.md) +to "_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.7/auditor/addon/solarwinds/integrationeventlog.md) topic for additional information. **NOTE:** Event records with more than 30,000 characters length will be trimmed. diff --git a/docs/auditor/10.7/auditor/addon/splunk/deployment.md b/docs/auditor/10.7/auditor/addon/splunk/deployment.md index 98374a9bbb..d591c0494b 100644 --- a/docs/auditor/10.7/auditor/addon/splunk/deployment.md +++ b/docs/auditor/10.7/auditor/addon/splunk/deployment.md 
@@ -8,7 +8,7 @@ In the Netwrix Auditor client, go to the Integrations section and verify Integra 2. Check the TCP communication port number – default is 9699. See the -[Configure Integration API Settings](../../api/prerequisites.md#configure-integration-api-settings)[Audit Database](../../admin/settings/auditdatabase.md)topic +[Configure Integration API Settings](/docs/auditor/10.7/auditor/api/prerequisites.md#configure-integration-api-settings)[Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md)topic for additional information. ## Download the Add-on 
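Review bot: The changed line in this hunk still places two links back to back with nothing between them and no space before the next word: `[Configure Integration API Settings](...)[Audit Database](...)topic`. The path rewrite preserves that defect, and the rendered text reads "Configure Integration API SettingsAudit Databasetopic". Separate the links with "and", and end with " topics", or drop the second link if only the Integration API settings anchor is meant here.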
@@ -32,23 +32,23 @@ Follow the steps to install the add-on. - On the main Explore Splunk Enterprise screen, click the gear icon at the top of the left **Apps** panel: -![config](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/config.webp) +![config](/img/product_docs/auditor/auditor/addon/splunk/config.webp) - When on any other screen, you can expand the drop-down list at the top panel and choose Manage Apps: - ![searchreporting](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/searchreporting.webp) + ![searchreporting](/img/product_docs/auditor/auditor/addon/splunk/searchreporting.webp) **Step 3 –** On the **Apps** screen, click Install app from file: -![installapp](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/installapp.webp) +![installapp](/img/product_docs/auditor/auditor/addon/splunk/installapp.webp) **Step 4 –** Click Choose File, navigate to the folder where you unpacked the add-on package, select the "TA-netwrix-auditor-add-on-for-splunk-1.6.1.spl" file and click Open. **Step 5 –** Click Upload. -![uploadapp](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/uploadapp.webp) +![uploadapp](/img/product_docs/auditor/auditor/addon/splunk/uploadapp.webp) The **Upload** button text will change to "_Processing…_". When the installation is complete, you will see an invitation to reboot Splunk. This is optional unless you plan to create index @@ -56,7 +56,7 @@ configuration in the add-on folder. In addition, Splunk might not display add-on The installed add-on should appear in the Apps list in Splunk. -![searchreportingapp](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/searchreportingapp.webp) +![searchreportingapp](/img/product_docs/auditor/auditor/addon/splunk/searchreportingapp.webp) ## Prepare for Using Netwrix Auditor Integration API 
@@ -74,13 +74,13 @@ Follow the steps to configure the add-on. **Step 1 –** From the Explore Splunk Enterprise or from the drop-down list on the top Splunk panel, open Netwrix Auditor add-on for Splunk and navigate to the Configuration page: -![configuration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) +![configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) **Step 2 –** Configure the account: 1. On the Configuration page, open the Account section. - ![addaccount](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/addaccount.webp) + ![addaccount](/img/product_docs/auditor/auditor/addon/splunk/addaccount.webp) 2. Click **Add** and populate the fields: @@ -93,13 +93,13 @@ open Netwrix Auditor add-on for Splunk and navigate to the Configuration page: 3. Click the Add button. The added account should appear in the list: - ![configurationaccount](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/configurationaccount.webp) + ![configurationaccount](/img/product_docs/auditor/auditor/addon/splunk/configurationaccount.webp) **Step 3 –** Configure the Netwrix Auditor Integration API location: 1. On the Configuration page open the Add-on Settings section: - ![configurationaddonsettings](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/configurationaddonsettings.webp) + ![configurationaddonsettings](/img/product_docs/auditor/auditor/addon/splunk/configurationaddonsettings.webp) 2. In the Netwrix Auditor API location field provide the host name or IP address of your Netwrix Auditor Integration API host (Netwrix Auditor server). 
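Review bot: In the @@ -74,13 hunk, the Step 1 screenshot of the Splunk add-on Configuration page resolves to another product's image folder: `/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp`. Every other image in this file lives under `/img/product_docs/auditor/auditor/addon/splunk/`. The old relative path pointed at the same privilegesecure file, so the rewrite is faithful, but please confirm that this is the intended screenshot and not a filename collision on `configuration.webp`. If it is the wrong image, point the link at a Splunk-specific file rather than carrying the reference forward.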
@@ -142,11 +142,11 @@ Follow the steps to configure data input. 1. Open Netwrix Auditor add-on for Splunk and go to the **Inputs** section. - ![inputs](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/inputs.webp) + ![inputs](/img/product_docs/auditor/auditor/addon/splunk/inputs.webp) 2. Click Create New Input. - ![addapi](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/addapi.webp) + ![addapi](/img/product_docs/auditor/auditor/addon/splunk/addapi.webp) 3. Provide the new data input parameters: diff --git a/docs/auditor/10.7/auditor/addon/splunk/overview.md b/docs/auditor/10.7/auditor/addon/splunk/overview.md index 703453295a..5bc36e387c 100644 --- a/docs/auditor/10.7/auditor/addon/splunk/overview.md +++ b/docs/auditor/10.7/auditor/addon/splunk/overview.md @@ -46,7 +46,7 @@ Netwrix Auditor data sources: | VMware | Authentication Change | | Windows Server | Change | -See [CIM Data Model Mapping](datamodelmap.md) for details. +See [CIM Data Model Mapping](/docs/auditor/10.7/auditor/addon/splunk/datamodelmap.md) for details. ## How It Works @@ -54,10 +54,10 @@ Netwrix Auditor add-on for Splunk allows pulling activity records data from the its Integration API. Data is retrieved in JSON format, transferred over HTTPS and stored to Splunk index. -![diagram](../../../../../../static/img/product_docs/auditor/auditor/addon/splunk/diagram.webp) +![diagram](/img/product_docs/auditor/auditor/addon/splunk/diagram.webp) To learn more about Netwrix Auditor activity records, see the -[Activity Records](../../api/postdata/activityrecords.md) topic for additional information. +[Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) topic for additional information. For this data to be provided to Splunk, it adds a new Splunk source type, performing additional data parsing and field extraction. The audit data is also mapped into the Common Information Model (CIM) 
@@ -105,7 +105,7 @@ follows: | On... | Ensure that... | | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Auditor Server side | - Auditor version is 9.8 or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](../../api/prerequisites.md) and [Audit Database](../../admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | +| Auditor Server side | - Auditor version is 9.8 or later. - The Audit Database settings are configured in Auditor Server. 
See the [Prerequisites](/docs/auditor/10.7/auditor/api/prerequisites.md) and [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. | | Splunk Enterprise | - Splunk version is 8.0.6 or higher. - Splunk Common Information Model add-on version 4.17.0 or higher. - Splunk Administrator or any other account with permissions to add add-ons, create indexes and data inputs. - The TCP 9699 port must be open on firewalls between Splunk and Netwrix Auditor server. | ### Considerations and limitations diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/create.md b/docs/auditor/10.7/auditor/admin/alertsettings/create.md index aff63ed48a..3ead1d01ea 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/create.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/create.md @@ -7,7 +7,7 @@ To set up a response action, this account must also be a member of the local _Ad on Auditor Server. See the -[](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html)[Role-Based Access and Delegation](../monitoringplans/delegation.md) +[](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html)[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. ## Create a Custom Alert 
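Review bot: The changed line in the create.md hunk keeps an empty-text link in front of the real one: `[](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html)[Role-Based Access and Delegation](...)`. It renders nothing visible and leaves an external help-center URL in a page whose other links are all being moved to in-repo paths. Remove the `[](...)` part so that only the Role-Based Access and Delegation link remains.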
@@ -17,9 +17,9 @@ Follow the steps to create a custom alert. **Step 1 –** On the main Auditor page, click the Alert settings link under the Configuration section on the left: -![configuration_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/configuration_tile.webp) +![configuration_tile](/img/product_docs/auditor/auditor/admin/alertsettings/configuration_tile.webp) -See the [Navigation](../navigation/overview.md) topic for additional information. +See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) topic for additional information. **Step 2 –** In the All Alerts window, click Add. Configure the following: 
@@ -27,7 +27,7 @@ See the [Navigation](../navigation/overview.md) topic for additional information | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | - Specify a name and enter the description for the new alert. **NOTE:** Make sure that the Send alert when the action occurs option is enabled. 
Otherwise, the new alert will be disabled. - Email subject — Specify the subject of the email. It is possible to insert variables into the subject line. You can choose between "_Who_", "_What_" and"_Where_" variables. Consider the following: - Only one variable of each type can be added - You need to cut off the full path from the object names in "_What_" alert and leave only the actual name. For example, "_\com\Corp\Users\Departments\IT\Username_" should be just "_Username_". If you want to get back to the default Email subject line, click the **Restore Default** button. - Apply tags — Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window. To see a full list of alerts ever created in the product, navigate to Settings > Tags. | | Recipients | Select alert recipients. Click Add Recipient and select alert delivery type: - Email — Specify the email address where notifications will be delivered. You can add as many recipients as necessary. **_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified email address and inform you if any problems are detected. - SMS-enabled email — Netwrix uses the sms gateway technology to deliver notifications to a phone number assigned to a dedicated email address. Specify email address to receive SMS notifications. Make sure that your carrier supports sms to email gateway technology. | -| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search. - Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.) - Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.) - Value — Specify filter value. 
See the [View and Search Collected Data](../search/overview.md) topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert. ![preview_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/preview_thumb_0_0.webp) | +| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search. - Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.) - Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.) - Value — Specify filter value. See the [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert. ![preview_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/preview_thumb_0_0.webp) | | Thresholds | If necessary, enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Auditor detects many activity records matching the filters you specified. Slide the switch under the Send alert when the threshold is exceeded option and configure the following: - Limit alerting to activity records with the same... — Select a filter in the drop-down list (e.g., who). Note that, Auditor will search for activity records with the same value in the filter you selected. Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. 
Mind that in this case, the product does not summarize risk scores and shows the value you associated with this alert. This may significantly reduce risk score accuracy. - Send alert for `<...>` activity records within `<...>` seconds — Select a number of changes that occurred in a given period (in seconds). For example, you want to receive an alert on suspicious activity. You select "_Action_" in the Limit alerting to activity records with the same list and specify a number of actions to be considered an unexpected behavior: _1000_ changes in _60_ seconds. When the selected threshold exceeded, an alert will be delivered to the specified recipients: one for every 1000 removals in 60 seconds, one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure. | -| Risk Score | - Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the [Behavior Anomalies](../behavioranomalies/overview.md) topic for additional information. - Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score: - High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients. - Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients. - Low score — Assign to an infrequent action. 
While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. - Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. | -| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature **ON**, and see the [Configure a Response Action for Alert](responseaction.md) topic for additional information. | +| Risk Score | - Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the [Behavior Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md) topic for additional information. - Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score: - High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients. 
- Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients. - Low score — Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. - Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. | +| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature **ON**, and see the [Configure a Response Action for Alert](/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md) topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md b/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md index bfcaf877d7..484de231ea 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md 
@@ -42,7 +42,7 @@ The %ManagedObjectName% variable will be replaced with your monitoring plan name | Source | Specify this parameter if you want to be alerted on the events from a specific source. If you need to specify several users, you can define a mask for this parameter in the same way as described above. | | Category | Specify this parameter if you want to be alerted on a specific event category. | - ![eventfilters](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/eventfilters.webp) + ![eventfilters](/img/product_docs/auditor/auditor/admin/alertsettings/eventfilters.webp) - In the Insertion Strings tab: diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/createhealthstatus.md b/docs/auditor/10.7/auditor/admin/alertsettings/createhealthstatus.md index b7f97c5c4d..891dfd9ae3 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/createhealthstatus.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/createhealthstatus.md @@ -48,7 +48,7 @@ inclusive filter. **Step 12 –** Click Save to save your changes. -![emailhealthstatusevent](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/emailhealthstatusevent.webp) +![emailhealthstatusevent](/img/product_docs/auditor/auditor/admin/alertsettings/emailhealthstatusevent.webp) If an event occurs that triggers an alert, an email notification will be sent immediately to the specified recipients. diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md b/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md index 12d3dd73ad..67d3a4b79f 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md 
@@ -9,7 +9,7 @@ need to create a monitoring plan for auditing event logs. The procedure below describes the basic steps, required for creation of a monitoring plan that will be used to collect data on non-owner mailbox access events. See -[Event Log Manager](../../tools/eventlogmanager.md) topic for additional information. +[Event Log Manager](/docs/auditor/10.7/auditor/tools/eventlogmanager.md) topic for additional information. Follow the steps to create alert for non-owner mailbox access events. @@ -87,7 +87,7 @@ sent immediately to the specified recipients. Review the example of the MessageOpened event in the XML view: -![eventmessageopen](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/eventmessageopen.webp) +![eventmessageopen](/img/product_docs/auditor/auditor/admin/alertsettings/eventmessageopen.webp) Depending on the event, the strings in the description may vary. The first eight strings are common for all events: @@ -145,4 +145,4 @@ In the example below, the following information has been added: - String 8 with the description - String 9 with the description -![editnotificationtemplate](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/editnotificationtemplate.webp) +![editnotificationtemplate](/img/product_docs/auditor/auditor/admin/alertsettings/editnotificationtemplate.webp) diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md b/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md index 2b9ed2ae30..b932f62fdf 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md 
@@ -13,20 +13,20 @@ The dashboard includes the following widgets: by default). - Risk score by top 5 users – Shows potentially harmful users for the selected time period (7 days by default). Clicking the tile opens the Behavior Anomalies dashboard. See the - [Behavior Anomalies](../behavioranomalies/overview.md) topic for additional information. + [Behavior Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md) topic for additional information. - Alerts timeline – Shows the number of alerts triggered at the specific day. - Recent alerts – Shows all the triggered alerts in chronological order. -![alerts_overview_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/alerts_overview_thumb_0_0.webp) +![alerts_overview_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/alerts_overview_thumb_0_0.webp) Clicking any tile except for Risk score by top 5 users drills down to the Alert history dashboard that provides users with the detailed information about the latest alerts triggered in their IT infrastructure enriched with the actionable chart and timeline. -![alerts_history_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/alerts_history_thumb_0_0.webp) +![alerts_history_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/alerts_history_thumb_0_0.webp) Review detailed information about the triggered alerts and change anomaly status. See the -[Review User Profiles and Process Anomalies](../behavioranomalies/userprofile.md) topic for +[Review User Profiles and Process Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md) topic for additional information. On the Details pane, you can review alert details and manage your alerts: 
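Review bot: every rewritten link in this hunk of alertsettings/dashboard.md hard-codes the version segment, for example `/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md`, where the old `../behavioranomalies/overview.md` was version-independent. If the 10.7 tree is later copied to start the next version's docs, these links will keep pointing at 10.7 unless they are rewritten again. Either keep relative paths for links that stay inside the same version tree, or document the rewrite step that has to run whenever a version is cut.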
@@ -36,12 +36,12 @@ On the Details pane, you can review alert details and manage your alerts: - Mark all as reviewed – Click to mark all alerts in the list as reviewed. Netwrix recommends doing this only if you are completely sure that there are no critical alerts in your infrastructure. - Edit alerts settings – Click to modify settings of the selected alert. See the - [Create Alerts](create.md) topic for additional information. + [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) topic for additional information. - Show activity record in new window – Click to view more information about the activity record that triggered an alert. See the - [Activity Records Statistics](../healthstatus/dashboard/activityrecordstatistics.md) topic for + [Activity Records Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for additional information. You can also refresh the alerts information by clicking the Refresh button at the bottom or go to -the general alerts settings page clicking the Alert settings. See the [Manage Alerts](manage.md) +the general alerts settings page clicking the Alert settings. See the [Manage Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/manage.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/manage.md b/docs/auditor/10.7/auditor/admin/alertsettings/manage.md index 1f9a9b2704..ed9e9f7319 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/manage.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/manage.md 
@@ -7,13 +7,13 @@ pre-configured filters and in most cases you only need to enable an alert and se receive notifications. You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. | To... | Follow the steps... | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Enable / disable an existing alert | **Step 1 –** Select an alert from the list and enable it using the slider in the Mode column. **Step 2 –** Double-click the selected alert and specify alert recipients or set a risk score want to include an alert in Behavior Anomalies assessment. You can go on with a score suggested by Netwrix industry experts or fine-tune it to fit your organization's priorities. See the [Risk Score](create.md) topic for additional information on how to configure scoring settings. **Step 3 –** Review and update filters. For some alerts you should provide filter values, such as group name or user. 
| +| Enable / disable an existing alert | **Step 1 –** Select an alert from the list and enable it using the slider in the Mode column. **Step 2 –** Double-click the selected alert and specify alert recipients or set a risk score want to include an alert in Behavior Anomalies assessment. You can go on with a score suggested by Netwrix industry experts or fine-tune it to fit your organization's priorities. See the [Risk Score](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) topic for additional information on how to configure scoring settings. **Step 3 –** Review and update filters. For some alerts you should provide filter values, such as group name or user. | | Modify an existing alert | Select an alert from the list and click Edit. | | Create a new alert from existing | Select an alert from the list and click Duplicate at the bottom of the window. | -| Remove an alert | Select an alert from the list and click ![delete](../../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) in the right pane. | +| Remove an alert | Select an alert from the list and click ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) in the right pane. | | Find an alert | Use the Filter by tags option to find an alert by tags associated with this alert. _OR_ Use a search bar in the upper part of All Alerts window to find an alert by its name or tag. | diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/overview.md b/docs/auditor/10.7/auditor/admin/alertsettings/overview.md index 646a414a54..330e57b325 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/overview.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/overview.md 
@@ -7,28 +7,28 @@ to mitigate risks once the suspicious action occurs. Review the following to take advantage of the Alerts functionality: -- See the[Manage Alerts](manage.md) topic for additional information on how to edit and enable +- See the[Manage Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/manage.md) topic for additional information on how to edit and enable existing predefined alerts, and create new alerts based on the predefined ones. -- See the [Create Alerts](create.md) topic for additional information on how to create custom alerts +- See the [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) topic for additional information on how to create custom alerts with your personal filters. - If you need to be alerted on specific events in your Event Logs or non-owner mailbox access - attempts, see the [Create Alerts for Event Log](createeventlog.md) and - [Create Alerts for Non-Owner Mailbox Access Events](createmailboxaccess.md) topics for additional + attempts, see the [Create Alerts for Event Log](/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md) and + [Create Alerts for Non-Owner Mailbox Access Events](/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md) topics for additional information. The example alert is triggered when a new user is created in the monitored domain. -![ad_alert](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/ad_alert.webp) +![ad_alert](/img/product_docs/auditor/auditor/admin/alertsettings/ad_alert.webp) ## Tags Netwrix Auditor allows you to apply tags when creating an alert. Applying tags to alerts allows you to distinguish one alert from another or create groups of similar alerts. 
-![Manage tags list](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/managetags.webp) +![Manage tags list](/img/product_docs/auditor/auditor/admin/alertsettings/managetags.webp) The Tags page contains a complete list of alerts that were created in the product. Currently, you cannot assign or create tags on this page. To apply tags to an alert, navigate to alert settings and locate the Apply tags section on the -General tab. See the [Create Alerts](create.md) topic to receive information about tags applying. +General tab. See the [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) topic to receive information about tags applying. diff --git a/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md b/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md index 75650df616..d5825142e8 100644 --- a/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md +++ b/docs/auditor/10.7/auditor/admin/alertsettings/responseaction.md @@ -4,7 +4,7 @@ Upon the alert triggering, you can instruct Auditor to perform several actions s command, a script or other executable file that will perform a remediation action, open a ticket with the organization help desk, etc. -![passwordreset_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/passwordreset_thumb_0_0.webp) +![passwordreset_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/passwordreset_thumb_0_0.webp) Response Action settings contain the following configuration options: 
@@ -37,7 +37,7 @@ Use space character as a separator. **Step 4 –** To run _.exe_, _.cmd_ and _.bat_ files, you can enter the path to your command-line or batch file directly in the Run field, for example: -![command_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/command_thumb_0_0.webp) +![command_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/command_thumb_0_0.webp) To run the ._ps1_ files, you will need to enter the path to _powershell.exe_ and path to your script. For example: @@ -45,7 +45,7 @@ script. For example: - In the Run field, enter _C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe_ - In the With parameters field, enter `–File ` -![powershell_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/powershell_thumb_0_0.webp) +![powershell_thumb_0_0](/img/product_docs/auditor/auditor/admin/alertsettings/powershell_thumb_0_0.webp) Unless you select to Write data to CSV file, Auditor will also pass the following parameters to the command line: @@ -124,7 +124,7 @@ the fields and their values in a structured way to a CSV file. Here is an example of a CSV file structure: -![csvfile_thumb_0_48](../../../../../../static/img/product_docs/auditor/auditor/admin/alertsettings/csvfile_thumb_0_48.webp) +![csvfile_thumb_0_48](/img/product_docs/auditor/auditor/admin/alertsettings/csvfile_thumb_0_48.webp) The number of activity records retrieved per every response action launch will be only limited by user (see below for details). If the number of records associated with the alert exceeds this limit, diff --git a/docs/auditor/10.7/auditor/admin/behavioranomalies/dashboard.md b/docs/auditor/10.7/auditor/admin/behavioranomalies/dashboard.md index 2a9ef59db4..9f8b2db7a9 100644 --- a/docs/auditor/10.7/auditor/admin/behavioranomalies/dashboard.md +++ b/docs/auditor/10.7/auditor/admin/behavioranomalies/dashboard.md 
@@ -2,20 +2,20 @@ To review the Behavior Anomalies dashboard, process and filter anomalies in user profiles, you must be assigned the Global administrator or Global reviewer role in the product. See the -[Role-Based Access and Delegation](../monitoringplans/delegation.md) topic for additional +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. To review the Behavior Anomalies dashboard: On the main Auditor page, click -![ba_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/behavioranomalies/ba_tile.webp) +![ba_tile](/img/product_docs/auditor/auditor/admin/behavioranomalies/ba_tile.webp) on the left. -![dashboard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) +![dashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) The dashboards includes the following sections: 
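Review bot: the `dashboard_thumb_0_0` image in this Auditor Behavior Anomalies topic resolves to `/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp`, which sits in another product's image folder, while the `ba_tile` image two lines above it comes from `auditor/auditor/admin/behavioranomalies/`. The path rewrite carries that cross-product reference over unchanged. Please confirm the file really is the Behavior Anomalies dashboard screenshot, and if it is, move or copy it under the Auditor image folder so that a change to the dataclassification assets cannot alter or break this page.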
@@ -27,6 +27,6 @@ The dashboards includes the following sections: Once you reviewed the general anomaly trend and identified users that merit your special attention, review their profiles and process anomalies. Click View Profile next to a user name to dive into user activity and investigate each action in details. -[Review User Profiles and Process Anomalies](userprofile.md) +[Review User Profiles and Process Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md) -[Review User Profiles and Process Anomalies](userprofile.md) +[Review User Profiles and Process Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md) diff --git a/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md b/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md index 2775718b0a..e0ebb546ac 100644 --- a/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md +++ b/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md @@ -17,7 +17,7 @@ On a high level, your behavior anomalies assessment workflow can be described as 1. You create alerts on threat patterns specific to your company. You include these alerts in Behavior Anomalies assessment and associate a risk score with each alert. The score, that is between 1 and 100 points, reflects how critical the action is for your organization. - [Risk Score](../alertsettings/create.md)how to set a risk score for an alert. + [Risk Score](/docs/auditor/10.7/auditor/admin/alertsettings/create.md)how to set a risk score for an alert. Although Netwrix industry experts suggest risk scores for alerts that are provided out-of-the-box, you can easily tailor these scores to your organization needs and priorities. 
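Review bot: in step 1 of the workflow list in behavioranomalies/overview.md, the rewritten `[Risk Score](/docs/auditor/10.7/auditor/admin/alertsettings/create.md)` link still runs straight into "how to set a risk score for an alert." with no space or lead-in, so it renders as a link glued to a sentence fragment. Since the line is being touched anyway, reword it to the pattern used elsewhere in these docs, for example "See the [Risk Score](...) topic for additional information on how to set a risk score for an alert." The target is also the whole create.md page rather than the Risk Score row, so point it at a section anchor if create.md has one.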
@@ -29,10 +29,10 @@ On a high level, your behavior anomalies assessment workflow can be described as 3. Every now and then, you review the Behavior Anomalies dashboard—the risk score timeline with anomaly surges, and the most active users. The general rule of thumb is: the more risk score points the user has the more he or she merits your attention. - [Review Behavior Anomalies Dashboard](dashboard.md) + [Review Behavior Anomalies Dashboard](/docs/auditor/10.7/auditor/admin/behavioranomalies/dashboard.md) 4. To learn more about user activity, you can drill-down to a user profile to review all alerts provoked by this user. As you review anomalies and mitigate risks, the user's total score - reduces. [Review User Profiles and Process Anomalies](userprofile.md) + reduces. [Review User Profiles and Process Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md) The purpose of the dashboard is to keep risks low and help you spot and address issues as they occur. The risk score assigned to a user does not qualify him or her as a bad actor but rather diff --git a/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md b/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md index d32c89fde8..59ff352b7c 100644 --- a/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md +++ b/docs/auditor/10.7/auditor/admin/behavioranomalies/userprofile.md @@ -7,7 +7,7 @@ To view a user profile - On the Behavior Anomalies assessment dashboard, locate a user and click View Profile next to his or her name. -![userprofile_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/behavioranomalies/userprofile_thumb_0_0.webp) +![userprofile_thumb_0_0](/img/product_docs/auditor/auditor/admin/behavioranomalies/userprofile_thumb_0_0.webp) The user profile page contains the following sections: 
@@ -42,7 +42,7 @@ To change an anomaly status You can add comments without changing a status. This might be helpful if the anomaly remains active for a long period of time and you need even more time to examine it closely. -![changestatus_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/behavioranomalies/changestatus_thumb_0_0.webp) +![changestatus_thumb_0_0](/img/product_docs/auditor/auditor/admin/behavioranomalies/changestatus_thumb_0_0.webp) Once the anomaly is reviewed, it disappears from the timeline and chart, and its associated risk score is taken from user's total score. The reviewed anomalies supplement the status with the diff --git a/docs/auditor/10.7/auditor/admin/compliancemappings.md b/docs/auditor/10.7/auditor/admin/compliancemappings.md index 607215f8c5..838396d523 100644 --- a/docs/auditor/10.7/auditor/admin/compliancemappings.md +++ b/docs/auditor/10.7/auditor/admin/compliancemappings.md @@ -7,4 +7,4 @@ opens the page on the Netwrix website. Here you can review a brief description o standard supported by the product and download E book containing detailed requirements for the standards. -![compliance_mappings](../../../../../static/img/product_docs/auditor/auditor/admin/compliance_mappings.webp) +![compliance_mappings](/img/product_docs/auditor/auditor/admin/compliance_mappings.webp) diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md index 17811e69f8..1b8b4470bf 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md 
@@ -7,7 +7,7 @@ generation intensity in your IT infrastructure, and product load. After you click View details, the Activity Records Statistics window will be displayed. -![activityrecordsdetails_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/activityrecordsdetails_thumb_0_0.webp) +![activityrecordsdetails_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/activityrecordsdetails_thumb_0_0.webp) By default, statistics on activity records processing is grouped by Monitoring plan and presented for the Last 7 days. To modify the timeframe, use the drop-down list in the upper right corner. diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md index bbe14d90f7..30a6dc5d7c 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md @@ -11,7 +11,7 @@ Transaction logs size is not included in the calculations. After you click View details, the following information will be displayed for the specified SQL Server instance: -![dbstats_overview_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/dbstats_overview_thumb_0_0.webp) +![dbstats_overview_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/dbstats_overview_thumb_0_0.webp) The Database name column contains the list of Netwrix Auditor databases hosted by the specified instance of the SQL Server: 
@@ -33,7 +33,7 @@ The following capacity metrics are displayed for each database: After you expand the database node, the detailed database properties will be shown: -![dbstatistics_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/dbstatistics_thumb_0_0.webp) +![dbstatistics_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/dbstatistics_thumb_0_0.webp) These properties are as follows: diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md index 3226d4e998..6cf19bd501 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md @@ -11,7 +11,7 @@ System Health log**. Then, follow the instructions provided by Microsoft. See th for additional information on [How to Clear Event Logs](https://learn.microsoft.com/en-us/host-integration-server/core/how-to-clear-event-logs1). -![healthlog](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthlog.webp) +![healthlog](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthlog.webp) ## Netwrix Auditor System Health Log @@ -48,7 +48,7 @@ If you want to monitor Auditor health status in more depth, you can do the follo - Create a monitoring plan for this log using Event Log Manager to collect activity data. See the Health Status overview for additional information. - Configure alerts triggered by specific events in the product's health log. - [Create Alerts on Health Status](../../alertsettings/createhealthstatus.md) + [Create Alerts on Health Status](/docs/auditor/10.7/auditor/admin/alertsettings/createhealthstatus.md) ## Inspect Events in Health Log 
@@ -81,6 +81,6 @@ Follow the steps to filter events. | Item name | Select to display events from the certain item(s) you need. | | Event ID | Enter event ID number or range of event IDs separated by commas. For example, 1, 3, 5-99. You can also exclude unwanted event IDs from being displayed. Type the minus sign before selected event ID. For example, -76. | -![healthlogfilters_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthlogfilters_thumb_0_0.webp) +![healthlogfilters_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthlogfilters_thumb_0_0.webp) The applied filters will be listed on the top of the screen under the window title. diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md index 6d84fe2e7e..cf24485939 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md @@ -13,7 +13,7 @@ displays current statuses of all monitoring plans: After you click View details, the Monitoring Overview window will be displayed. -![monitoringoverview_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/monitoringoverview_thumb_0_0.webp) +![monitoringoverview_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/monitoringoverview_thumb_0_0.webp) It provides the hierarchical list of monitoring plans, processed data sources and corresponding items with their current status and date/time of the last data processing session. For data sources diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md index bce46b8bd7..205c69679a 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md 
+++ b/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md 
@@ -13,28 +13,28 @@ The dashboard includes the following widgets: - The Activity records by date chart—Shows the number of activity records produced by your data sources, collected and saved by Netwrix Auditor during the last 7 days. See the - [Activity Records Statistics](activityrecordstatistics.md) topic for additional information. + [Activity Records Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for additional information. - The Monitoring overview widget—Shows aggregated statistics on the statuses of all monitoring plans - configured in Netwrix Auditor at the moment. See the [Monitoring Overview](monitoringoverview.md) + configured in Netwrix Auditor at the moment. See the [Monitoring Overview](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md) topic for additional information. - The Health log chart—Shows the statistics on the events written in the Netwrix Auditor health log in the last 24 hours. Click the link in this widget to view the log. See the - [Netwrix Auditor Health Log](healthlog.md) topic for additional information. + [Netwrix Auditor Health Log](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md) topic for additional information. - The Database statistics widget—Helps you to estimate database capacity on the default SQL Server - instance that hosts the product databases. See the [Database Statistics](databasestatistics.md) + instance that hosts the product databases. See the [Database Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md) topic for additional information. - The Long-Term Archive widget—Helps you to estimate the capacity of the Long-Term Archive file-based storage. To modify its settings, including location and retention, click the link in - this widget. See the [System Health](../../../requirements/longtermarchive.md#system-health) topic + this widget. 
See the [System Health](/docs/auditor/10.7/auditor/requirements/longtermarchive.md#system-health) topic for additional information. - The Working Folder widget—Helps you to estimate the capacity of the Auditor working folder used to keep operational information (configuration files of the product components, log files, and other data) on the Auditor Server. See the - [System Health](../../../requirements/longtermarchive.md#system-health) topic for additional + [System Health](/docs/auditor/10.7/auditor/requirements/longtermarchive.md#system-health) topic for additional information. -![healthstatusdashboard_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthstatusdashboard_thumb_0_0.webp) +![healthstatusdashboard_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthstatusdashboard_thumb_0_0.webp) You can also instruct Netwrix Auditor to forward similar statistics as a health summary email to personnel in charge. For that, click Notification settings, then follow the steps described in the -[Notifications](../../settings/notifications.md) topic. +[Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) topic. diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/networktrafficcompression.md b/docs/auditor/10.7/auditor/admin/healthstatus/networktrafficcompression.md index 047ec3c1da..097866844d 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/networktrafficcompression.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/networktrafficcompression.md @@ -34,4 +34,4 @@ Network traffic compression is available for the following data sources: - User Activity To learn how to enable this feature, refer to the -[Create a New Monitoring Plan](../monitoringplans/create.md) topic for additional information. +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. 
diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/overview.md b/docs/auditor/10.7/auditor/admin/healthstatus/overview.md index 6d6eb085bf..9aabe98726 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/overview.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/overview.md @@ -3,7 +3,7 @@ This topic describes how you can monitor Auditor operations, health and resource usage. See the following topics for additional information: -- [Health Status Dashboard](dashboard/overview.md) -- [Self-Audit](selfaudit.md) -- [Health Summary Email](summaryemail.md) -- [Netwrix Auditor Health Log](dashboard/healthlog.md) +- [Health Status Dashboard](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md) +- [Self-Audit](/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md) +- [Health Summary Email](/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md) +- [Netwrix Auditor Health Log](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md) diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md b/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md index 3fe6a2f020..34532e850c 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md @@ -8,7 +8,7 @@ workflows adopted by our organization. The corresponding option is available on the General tab of Netwrix AuditorSettings. By default, the **Collect data for self-audit checkbox** is selected (enabled). -![selfaudit_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_thumb_0_0.webp) +![selfaudit_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_thumb_0_0.webp) ### Search for Self-audit Results 
@@ -22,13 +22,13 @@ Follow the steps to search for self-audit results. **Step 3 –** Click Search to review results: -![selfaudit_search_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_search_thumb_0_0.webp) +![selfaudit_search_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_search_thumb_0_0.webp) **NOTE:** After reviewing your search results, apply filters to narrow your data. See the -[View Reports](../reports/view.md) topic for additional information. +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. **Step 4 –** After browsing your data, navigate to Tools to use the search results as intended. See -the [View and Search Collected Data](../search/overview.md) topic for additional information. +the [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) topic for additional information. ### Review Auditor Self-Audit Report @@ -42,7 +42,7 @@ Follow the steps to review the Self-audit report. **Step 2 –** Select the Netwrix Auditor Self-Audit report and click View. -![selfaudit_report](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_report.webp) +![selfaudit_report](/img/product_docs/auditor/auditor/admin/healthstatus/selfaudit_report.webp) ## Netwrix Auditor Self-Audit Scope diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md b/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md index 4caca6c231..7830c0b217 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md 
@@ -3,8 +3,8 @@ Auditor Health Summary email includes all statistics on the product operations and health for the last 24 hours; it also notifies you about license status. By default, this email is generated daily at 7:00 AM and delivered to the recipient specified in the -[Notifications](../settings/notifications.md) settings. Email content is very similar to data -presented in the [Health Status Dashboard](dashboard/overview.md). +[Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) settings. Email content is very similar to data +presented in the [Health Status Dashboard](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md). For greater usability, to depict overall product health state, the email includes a color indicator in the topmost section: green means Auditor had no issues while auditing your IT infrastructure, and @@ -12,7 +12,7 @@ red means there were some problems that require your attention. The email looks like shown below: -![email_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/email_thumb_0_0.webp) +![email_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/email_thumb_0_0.webp) The Monitoring Overview section of the email provides detail information only for the monitoring plans with issues. Successfully completed monitoring plans are not included. diff --git a/docs/auditor/10.7/auditor/admin/healthstatus/troubleshooting.md b/docs/auditor/10.7/auditor/admin/healthstatus/troubleshooting.md index ebeebef7cc..ac42b95b0e 100644 --- a/docs/auditor/10.7/auditor/admin/healthstatus/troubleshooting.md +++ b/docs/auditor/10.7/auditor/admin/healthstatus/troubleshooting.md 
@@ -25,9 +25,9 @@ portal as described in the Creating a ticket with Customer portal section. 2. You can search or browse through the Knowledge Base articles here, or click **Create New Ticket**: - ![support_ticket_customer_portal_fixed](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/support_ticket_customer_portal_fixed.webp) + ![support_ticket_customer_portal_fixed](/img/product_docs/auditor/auditor/admin/healthstatus/support_ticket_customer_portal_fixed.webp) 3. Fill in the form, describing the issue, and click **Open a ticket**. 4. After that, you will be able to attach the files you need (screenshots, emails, reports, etc.). -![support_ticket_customer_portal](../../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/support_ticket_customer_portal.webp) +![support_ticket_customer_portal](/img/product_docs/auditor/auditor/admin/healthstatus/support_ticket_customer_portal.webp) diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md index 82349ff096..b22cbb1425 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Active Directory](../../../configuration/activedirectory/overview.md) – Configure data source as +- [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -21,14 +21,14 @@ Complete the following fields: | Monitor Active Directory partitions | Select which of your Active Directory environment partitions you want to audit. By default, Auditor only tracks changes to the Domain partition and the Configuration partition of the audited domain. If you also want to audit changes to the Schema partition, or to disable auditing of changes to the Configuration partition, select one of the following: - Domain—Stores users, computers, groups and other objects. Updates to this partition are replicated only to domain controllers within the domain. - Configuration—Stores configuration objects for the entire forest. Updates to this partition are replicated to all domain controllers in the forest. Configuration objects store the information on sites, services, directory partitions, etc. - Schema—Stores class and attribute definitions for all existing and possible Active Directory objects. Updates to this partition are replicated to all domain controllers in the forest. You cannot disable auditing the Domain partition for changes. | | Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. | | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. 
Do not select the checkbox if you want to configure audit settings manually. See the [Active Directory](../../../configuration/activedirectory/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | -| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your Active Directory domain configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. For that, in the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click **OK**. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. 
| +| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your Active Directory domain configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. For that, in the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click **OK**. | | Users | | -| Specify monitoring restrictions | Specify user accounts to exclude from data collection (and, therefore, search results, reports and Activity Summaries). To add a user to the exclusion list, click Add, then provide the user name in the _domain\user_ format. Consider the following: - Use NetBIOS format for domain name: _mydomain_ - Some audit data (events) may contain _System_ as the user (initiator) account name. To exclude such data, specify "_System_" when adding a user name here. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify user accounts to exclude from data collection (and, therefore, search results, reports and Activity Summaries). 
To add a user to the exclusion list, click Add, then provide the user name in the _domain\user_ format. Consider the following: - Use NetBIOS format for domain name: _mydomain_ - Some audit data (events) may contain _System_ as the user (initiator) account name. To exclude such data, specify "_System_" when adding a user name here. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | | Objects | | | Specify monitoring restrictions | Specify restrictions for the objects to monitor in your Active Directory. Use them to create the lists of specific objects to include and / or exclude from the monitoring scope (and, therefore, search results, reports and Activity Summaries). The following options are available: - Monitor all objects - **Include these objects** - **Exclude these objects** To create a list of inclusions / exclusions, click Add and enter object path using one of the following formats: - Canonical name, for example: _mydomain.local/Computers/filesrv01_ OR - Object path as shown in the "_What_" column of reports and search results, for example: _\local\mydomain\Computers\filesrv01_ You can use a wildcard (\*) to replace any number of characters in the path. See the examples below for more information. | -![Specify monitoring restrictions](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/activedirectory/mp_data_source_ad_omit_example.webp) +![Specify monitoring restrictions](/img/product_docs/auditor/auditor/admin/monitoringplans/activedirectory/mp_data_source_ad_omit_example.webp) Examples 
@@ -47,7 +47,7 @@ however, will not be monitored, meaning that, for example, its renaming will not In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous -exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic +exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. ## Enable Auditing of Active Directory Partitions 
@@ -88,10 +88,10 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](../../../configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. 
A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Containers and Computers | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. 
Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ## Domain 
@@ -100,17 +100,17 @@ Complete the following fields: | Option | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. 
- Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | Refer to the -[Permissions for Active Directory Auditing](../../../configuration/activedirectory/permissions.md) +[Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. ## Use Netwrix Privilege Secure as a Data Collecting Account Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. 
See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. @@ -122,7 +122,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the @@ -135,7 +135,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure 
diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/scope.md b/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/scope.md index fe61d86bf3..898639d6c9 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/scope.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/scope.md @@ -2,10 +2,10 @@ You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Active Directory monitoring scope. You can apply restrictions to monitoring scope via the UI. See the -[Objects](overview.md) topic for additional information. +[Objects](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) topic for additional information. **_RECOMMENDED:_** Configure monitoring scope restrictions on the Active Directory monitoring plan -page. See the [Active Directory](overview.md) topic for additional information. +page. See the [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) topic for additional information. Follow the steps to exclude data from the Active Directory monitoring scope: diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/activitysummaryemail.md b/docs/auditor/10.7/auditor/admin/monitoringplans/activitysummaryemail.md index 1ccd5d3f40..9a415602d2 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/activitysummaryemail.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/activitysummaryemail.md 
@@ -11,7 +11,7 @@ different and do not show changes. The following Activity Summary example applies to Active Directory. Other Activity Summaries generated and delivered by Netwrix Auditor will vary slightly depending on the data source. -![ad_activitity_summary_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/ad_activitity_summary_thumb_0_0.webp) +![ad_activitity_summary_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/ad_activitity_summary_thumb_0_0.webp) The example Activity Summary provides the following information on Active Directory changes: @@ -32,4 +32,4 @@ a plan, click Edit, and then select Update. A summary will be delivered to the s listing all activity that occurred since the last data collection. To disable Activity Summary Emails, you need to disable notifications in the settings. See the -[Notifications](../settings/notifications.md) topic for additional information. +[Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/adfs.md b/docs/auditor/10.7/auditor/admin/monitoringplans/adfs.md index 13bc1a8439..ff928765a9 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/adfs.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/adfs.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../requirements/ports.md) – To ensure successful data collection +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [AD FS](../../configuration/activedirectoryfederatedservices/overview.md) – Configure data source +- [AD FS](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -19,7 +19,7 @@ Complete the following fields: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Schedule AD FS logons collection | Specify period for AD FS logons collection. | | Specify data collection method | You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and pre-filtering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to [AD FS](../../configuration/activedirectoryfederatedservices/overview.md). | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to [AD FS](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md). | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an 
@@ -37,4 +37,4 @@ Complete the following fields: | Option | Description | | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Specify AD FS federation server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | 
diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/create.md b/docs/auditor/10.7/auditor/admin/monitoringplans/create.md index eeae03d990..a3a8899ef9 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/create.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/create.md @@ -2,7 +2,7 @@ To create monitoring plans, user account must be assigned the _Global administrator_ in Auditor. Users with the _Configurator_ role can create plans only within a delegated folder. See the -[Role-Based Access and Delegation](delegation.md) topic for additional information. +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. To start creating a plan, do any of the following: 
@@ -29,20 +29,20 @@ data. ## Settings for Data Collection -![mp_wizard_step1](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step1.webp) +![mp_wizard_step1](/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step1.webp) At this step of the wizard, specify the account that Auditor will use to access the data source, and general settings for data collection. -![mp_wizard_step2](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step2.webp) +![mp_wizard_step2](/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step2.webp) | Option | Description | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Specify the account for collecting data | If applicable, you can create a data collecting account in the following ways: - Not specified – Select this option if you want to choose the Netwrix Privilege Secure as the data collecting account for the Monitoring Plan. See the [Netwrix Privilege Secure](../settings/privilegesecure.md) topic for additional information. - User/password – Provide a username and password for the account that Auditor will use to collect data. By default, the user name is prepopulated with your account name. - gMSA – Use the group Managed Service Account (gMSA) as data collecting account. For more details about gMSA usage, see the [Use Group Managed Service Account (gMSA)](../../requirements/gmsa.md) topic. **NOTE:** If you want to audit network devices or Microsoft Entra ID (formerly Azure AD)/Office 365 infrastructure, you need to use _not specified_ account. Make sure the account has sufficient permissions to collect data. For a full list of the rights and permissions, and instructions on how to configure them, refer to the[Data Collecting Account](dataaccounts.md). Netwrix recommends creating a special service account with extended permissions. When you configure a monitoring plan for the first time, the account you specify for data collection will be set as default. | -| Enable network traffic compression | If selected, this option instructs Auditor to deploy a special utility that will run on the audited computers and do the following: - Collect and pre-filter audit data - Compress data and forward it to Auditor Server. 
This approach helps to optimize load balance and reduce network traffic. So, using this option can be recommended especially for distributed networks with remote locations that have limited bandwidth. See the [Network Traffic Compression](../healthstatus/networktrafficcompression.md) topic for additional information. | -| Adjust audit settings automatically | Auditor can configure audit settings in your environment automatically. Select Adjust audit settings automatically. In this case, Auditor will continually check and enforce the relevant audit policies. For some data sources (currently, Active Directory and Logon Activity) you will be offered to launch a special utility that will detect current audit settings, check them against requirements and then adjust them automatically. See the [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for additional information. You may also want to apply audit settings via GPO (for example, for Windows Servers). Auditor has certain limitations when configuring audit settings for NetApp and Dell Data Storage. See the [File Servers](fileservers/overview.md) topic for additional information. If any conflicts are detected with your current settings, automatic audit configuration will not be performed. Select this option if you want to audit file shares on NetApp Data ONTAP 7 and 8 in 7-mode. For NetApp Clustered Data ONTAP 8 and ONTAP 9, only audit settings for file shares can be configured automatically, other settings must be applied manually. If you plan to monitor EMC Isilon, clear the checkbox. Currently, Auditor cannot configure audit on Dell Isilon appliances automatically. If you want to audit Dell VNX/VNXe, select Adjust audit settings automatically, but only audit settings for file shares will configured, the rest of settings must be configured manually. 
For a full list of audit settings and instructions on how to configure them manually, see the [Supported Data Sources](../../requirements/supporteddatasources.md) for additional information. | -| Launch Audit Configuration Assistant | Click to launch a specially intended utility that will assess your environment readiness for monitoring and adjust audit settings, if necessary. The tool will be launched in a new window. See the [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for additional information. | -| Collect data for state-in-time reports | State-in-time reports are based on the daily configuration snapshots of your audited systems; they help you to analyze particular aspects of the environment. State-in-time configuration snapshots are also used for IT risks assessment metrics and reports. This data collection option is available if you are creating a monitoring plan for any of the following data sources: - Active Directory - File Servers - Windows Server - Group Policy - SharePoint - SharePoint Online - Exchange Online - SQL Server - VMware See the [State–In–Time Reports](../reports/types/stateintime/overview.md) and [IT Risk Assessment Overview ](../riskassessment/overview.md) topics for additional information. | +| Specify the account for collecting data | If applicable, you can create a data collecting account in the following ways: - Not specified – Select this option if you want to choose the Netwrix Privilege Secure as the data collecting account for the Monitoring Plan. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. - User/password – Provide a username and password for the account that Auditor will use to collect data. By default, the user name is prepopulated with your account name. - gMSA – Use the group Managed Service Account (gMSA) as data collecting account. 
For more details about gMSA usage, see the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic. **NOTE:** If you want to audit network devices or Microsoft Entra ID (formerly Azure AD)/Office 365 infrastructure, you need to use _not specified_ account. Make sure the account has sufficient permissions to collect data. For a full list of the rights and permissions, and instructions on how to configure them, refer to the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md). Netwrix recommends creating a special service account with extended permissions. When you configure a monitoring plan for the first time, the account you specify for data collection will be set as default. | +| Enable network traffic compression | If selected, this option instructs Auditor to deploy a special utility that will run on the audited computers and do the following: - Collect and pre-filter audit data - Compress data and forward it to Auditor Server. This approach helps to optimize load balance and reduce network traffic. So, using this option can be recommended especially for distributed networks with remote locations that have limited bandwidth. See the [Network Traffic Compression](/docs/auditor/10.7/auditor/admin/healthstatus/networktrafficcompression.md) topic for additional information. | +| Adjust audit settings automatically | Auditor can configure audit settings in your environment automatically. Select Adjust audit settings automatically. In this case, Auditor will continually check and enforce the relevant audit policies. For some data sources (currently, Active Directory and Logon Activity) you will be offered to launch a special utility that will detect current audit settings, check them against requirements and then adjust them automatically. See the [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for additional information. 
You may also want to apply audit settings via GPO (for example, for Windows Servers). Auditor has certain limitations when configuring audit settings for NetApp and Dell Data Storage. See the [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) topic for additional information. If any conflicts are detected with your current settings, automatic audit configuration will not be performed. Select this option if you want to audit file shares on NetApp Data ONTAP 7 and 8 in 7-mode. For NetApp Clustered Data ONTAP 8 and ONTAP 9, only audit settings for file shares can be configured automatically, other settings must be applied manually. If you plan to monitor EMC Isilon, clear the checkbox. Currently, Auditor cannot configure audit on Dell Isilon appliances automatically. If you want to audit Dell VNX/VNXe, select Adjust audit settings automatically, but only audit settings for file shares will configured, the rest of settings must be configured manually. For a full list of audit settings and instructions on how to configure them manually, see the [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) for additional information. | +| Launch Audit Configuration Assistant | Click to launch a specially intended utility that will assess your environment readiness for monitoring and adjust audit settings, if necessary. The tool will be launched in a new window. See the [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for additional information. | +| Collect data for state-in-time reports | State-in-time reports are based on the daily configuration snapshots of your audited systems; they help you to analyze particular aspects of the environment. State-in-time configuration snapshots are also used for IT risks assessment metrics and reports. 
This data collection option is available if you are creating a monitoring plan for any of the following data sources: - Active Directory - File Servers - Windows Server - Group Policy - SharePoint - SharePoint Online - Exchange Online - SQL Server - VMware See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) and [IT Risk Assessment Overview ](/docs/auditor/10.7/auditor/admin/riskassessment/overview.md) topics for additional information. | ## Default SQL Server Instance @@ -50,7 +50,7 @@ To provide searching, alerting and reporting capabilities, Auditor needs an SQL data will be stored in the databases. To store data from the data sources included in the monitoring plan, the wizard creates an Audit Database for each plan. At this step, you should specify the default SQL Server instance that will host Auditor databases. See the -[Requirements for SQL Server to Store Audit Data](../../requirements/sqlserver.md) topic for +[Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) topic for additional information. Alternatively, you can instruct Auditor not to store data to the databases but only to the @@ -75,7 +75,7 @@ Select one of the following options: Services on the local machine. This SQL Server will be used as default host for Auditor databases. It is strongly recommended that you plan for your databases first, as described in - [Requirements for SQL Server to Store Audit Data](../../requirements/sqlserver.md) section. + [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) section. Remember that database size in SQL Server Express edition may be insufficient for your audited infrastructure. 
@@ -107,9 +107,9 @@ It is strongly recommended to target each monitoring plan at a separate database You can use default settings for your SQL Server instance or modify them (e.g., use a different authentication method or user). You can also change these settings later. See the -[Audit Database](../settings/auditdatabase.md) topic for additional information. +[Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. -![mp_wizard_step_db_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step_db_thumb_0_0.webp) +![mp_wizard_step_db_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/mp_wizard_step_db_thumb_0_0.webp) Configure the following: @@ -125,14 +125,14 @@ name on it. Global settings that apply to all databases with audit data (including retention period and SSRS server used for reporting) are available on the Audit Database page of Auditor settings. See the -[Audit Database](../settings/auditdatabase.md) topic for additional information. +[Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. ## SMTP Server Settings When you create the first monitoring plan, you are prompted to specify the email settings that will be used for activity and health summaries, reports and alerts delivery. For the monitoring plans that follow, Netwrix Auditor will automatically detect SMTP settings; however, for your first plan -you should provide them manually. See the [Notifications](../settings/notifications.md) topic for +you should provide them manually. See the [Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) topic for additional information. You can skip this step if you do not want to receive email notifications, or configure SMTP settings 
@@ -140,8 +140,8 @@ later, as described in the related section. ## Email Notification Recipients -Specify who will receive daily emails: [Activity Summary Email](activitysummaryemail.md) on changes -in the monitored infrastructure, and [Health Summary Email](../healthstatus/summaryemail.md) on +Specify who will receive daily emails: [Activity Summary Email](/docs/auditor/10.7/auditor/admin/monitoringplans/activitysummaryemail.md) on changes +in the monitored infrastructure, and [Health Summary Email](/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md) on Auditor operations and health. Click Add Recipient and provide email address. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md b/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md index fff3ea7c3d..2cf25c85f2 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md @@ -14,11 +14,11 @@ want to use and enter credentials. The following choices are available: information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the - [Use Group Managed Service Account (gMSA)](../../requirements/gmsa.md) topic for additional + [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the - [Netwrix Privilege Secure](../settings/privilegesecure.md) topic for additional information. + [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. - Application and secret for Microsoft 365 with modern authentication. 
@@ -27,30 +27,30 @@ data source. | Data source | Required rights and permissions: | | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Active Directory | [Permissions for Active Directory Auditing](../../configuration/activedirectory/permissions.md) | -| Active Directory Federation Services | [Permissions for AD FS Auditing](../../configuration/activedirectoryfederatedservices/permissions.md) | -| Microsoft Entra ID (formerly Azure AD), Exchange Online, SharePoint Online, MS Teams | [Permissions for Microsoft Entra ID Auditing](../../configuration/microsoft365/microsoftentraid/permissions.md) [Permissions for Exchange Online Auditing](../../configuration/microsoft365/exchangeonline/permissions.md) [Permissions for SharePoint Online Auditing ](../../configuration/microsoft365/sharepointonline/permissions.md) [Permissions for Teams Auditing](../../configuration/microsoft365/teams/permissions.md) | -| Exchange | [Permissions for Exchange Auditing](../../configuration/exchange/permissions.md) | -| Windows File Servers | [Permissions for Windows File Server Auditing](../../configuration/fileservers/windows/permissions.md) | -| Dell Isilon | [Permissions for Dell Isilon/PowerScale Auditing](../../configuration/fileservers/dellisilon/permissions.md) | -| Dell VNX/VNXe/Unity | [Permissions for Dell Data Storage Auditing](../../configuration/fileservers/delldatastorage/permissions.md) | -| NetApp | [Permissions for NetApp Auditing](../../configuration/fileservers/netappcmode/permissions.md) | -| Nutanix Files | 
[Permissions for Nutanix Files Auditing](../../configuration/fileservers/nutanix/permissions.md) | -| Qumulo | [Permissions for Qumulo Auditing](../../configuration/fileservers/qumulo/permissions.md) | -| Synology | [Permissions for Synology Auditing](../../configuration/fileservers/synology/permissions.md) | -| Network Devices | [Permissions for Network Devices Auditing](../../configuration/networkdevices/permissions.md) | -| Oracle Database | [Permissions for Oracle Database Auditing](../../configuration/oracle/permissions.md) | -| SharePoint | [Permissions for SharePoint Auditing](../../configuration/sharepoint/permissions.md) | -| SQL Server | [Permissions for SQL Server Auditing ](../../configuration/sqlserver/permissions.md) | -| VMware | [Permissions for VMware Server Auditing ](../../configuration/vmware/permissions.md) | -| Windows Server (including DNS and DHCP) | [Permissions for Windows Server Auditing ](../../configuration/windowsserver/permissions.md) | -| Event Log (including IIS)—collected with Event Log Manager | [Permissions for Windows Server Auditing ](../../configuration/windowsserver/permissions.md) | -| Group Policy | [Permissions for Group Policy Auditing ](../../configuration/grouppolicy/permissions.md) | -| Logon Activity | [Permissions for Logon Activity Auditing ](../../configuration/logonactivity/permissions.md) | +| Active Directory | [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) | +| Active Directory Federation Services | [Permissions for AD FS Auditing](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/permissions.md) | +| Microsoft Entra ID (formerly Azure AD), Exchange Online, SharePoint Online, MS Teams | [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md) [Permissions for Exchange Online 
Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md) [Permissions for SharePoint Online Auditing ](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md) [Permissions for Teams Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md) | +| Exchange | [Permissions for Exchange Auditing](/docs/auditor/10.7/auditor/configuration/exchange/permissions.md) | +| Windows File Servers | [Permissions for Windows File Server Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md) | +| Dell Isilon | [Permissions for Dell Isilon/PowerScale Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/permissions.md) | +| Dell VNX/VNXe/Unity | [Permissions for Dell Data Storage Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/permissions.md) | +| NetApp | [Permissions for NetApp Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/permissions.md) | +| Nutanix Files | [Permissions for Nutanix Files Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/permissions.md) | +| Qumulo | [Permissions for Qumulo Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/permissions.md) | +| Synology | [Permissions for Synology Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/synology/permissions.md) | +| Network Devices | [Permissions for Network Devices Auditing](/docs/auditor/10.7/auditor/configuration/networkdevices/permissions.md) | +| Oracle Database | [Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) | +| SharePoint | [Permissions for SharePoint Auditing](/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md) | +| SQL Server | [Permissions for SQL Server Auditing ](/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md) | +| VMware | [Permissions for VMware Server 
Auditing ](/docs/auditor/10.7/auditor/configuration/vmware/permissions.md) | +| Windows Server (including DNS and DHCP) | [Permissions for Windows Server Auditing ](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) | +| Event Log (including IIS)—collected with Event Log Manager | [Permissions for Windows Server Auditing ](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) | +| Group Policy | [Permissions for Group Policy Auditing ](/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md) | +| Logon Activity | [Permissions for Logon Activity Auditing ](/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md) | | Inactive Users in Active Directory—collected with Inactive User Tracker | In the target domain - A member of the Domain Admins group | | Password Expiration in Active Directory—collected with Password Expiration Notifier | In the target domain - A member of the Domain Users group | | User Activity | On the target server - A member of the local Administrators group | -| Sensitive Data Discovery | [Sensitive Data Discovery ](../settings/sensitivedatadiscovery.md) | +| Sensitive Data Discovery | [Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md) | ## Update Credentials for Account @@ -70,8 +70,8 @@ Follow the steps to update credentials for the accounts used by Auditor: **Step 5 –** Review the account configuration scope and click **Update password** next to this account. -![Password Management](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/updatecredentials.webp) +![Password Management](/img/product_docs/auditor/auditor/admin/monitoringplans/updatecredentials.webp) **Step 6 –** Save your edits. -See the [General](../settings/general.md) topic for additional information. +See the [General](/docs/auditor/10.7/auditor/admin/settings/general.md) topic for additional information. 
diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md b/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md index b0d557a4f6..783290a2c6 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md @@ -10,7 +10,7 @@ can, for example: To add, modify and remove data sources, enable or disable monitoring, you must be assigned the Global administrator role in the product or the Configurator role on the plan. See the -[Role-Based Access and Delegation](delegation.md) topic for additional information. +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. ## Modify Data Source Settings @@ -21,7 +21,7 @@ Follow the steps to modify data source settings. **Step 2 –** Within the monitoring plan window, highlight the data source (the first one is the row right under the blue table header) and click Edit data source on the right: -![Data source settings](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/mp_edit_data_source_thumb_0_0.webp) +![Data source settings](/img/product_docs/auditor/auditor/admin/monitoringplans/mp_edit_data_source_thumb_0_0.webp) **Step 3 –** Modify data source settings as you need. 
@@ -29,22 +29,22 @@ right under the blue table header) and click Edit data source on the right: Review the following for additional information: -- [Active Directory](activedirectory/overview.md) -- [Active Directory Federation Services ](adfs.md) -- [Microsoft Entra ID](microsoftentraid/overview.md) -- [Exchange](exchange/overview.md) -- [Exchange Online](exchangeonline/overview.md) -- [File Servers](fileservers/overview.md) -- [Group Policy](grouppolicy/overview.md) -- [Logon Activity](logonactivity/overview.md) -- [MS Teams](msteams.md) -- [Network Devices](networkdevices.md) -- [Oracle Database](oracle/overview.md) -- [SharePoint](sharepoint/overview.md) -- [SharePoint Online](sharepointonline/overview.md) -- [SQL Server](sqlserver/overview.md) -- [User Activity](useractivity/overview.md) -- [VMware](vmware/overview.md) +- [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) +- [Active Directory Federation Services ](/docs/auditor/10.7/auditor/admin/monitoringplans/adfs.md) +- [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) +- [Exchange](/docs/auditor/10.7/auditor/admin/monitoringplans/exchange/overview.md) +- [Exchange Online](/docs/auditor/10.7/auditor/admin/monitoringplans/exchangeonline/overview.md) +- [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) +- [Group Policy](/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md) +- [Logon Activity](/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md) +- [MS Teams](/docs/auditor/10.7/auditor/admin/monitoringplans/msteams.md) +- [Network Devices](/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md) +- [Oracle Database](/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md) +- [SharePoint](/docs/auditor/10.7/auditor/admin/monitoringplans/sharepoint/overview.md) +- [SharePoint 
Online](/docs/auditor/10.7/auditor/admin/monitoringplans/sharepointonline/overview.md) +- [SQL Server](/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md) +- [User Activity](/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md) +- [VMware](/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md) - [Windows File Share](fileservers/scope.md#windows-file-share) Also, you can add a data source to the monitoring plan, or remove a data source that is no longer 
@@ -77,19 +77,19 @@ associated with your data source. | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Active Directory Group Policy Exchange Logon Activity | [Domain](activedirectory/overview.md#domain) | | Active Directory Federation Services | [Federation Server](adfs.md#federation-server) | -| Microsoft Entra ID Exchange Online SharePoint Online Microsoft Teams | [Microsoft Entra ID](microsoftentraid/overview.md) | -| File Servers (including Windows file server, Dell, NetApp, Nutanix File server, Synology, and Qumulo) | [AD Container](activedirectory/overview.md#ad-container) [File Servers](fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [File Servers](fileservers/overview.md) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) [Qumulo](fileservers/overview.md#qumulo) 
[Synology](fileservers/overview.md#synology) By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. | +| Microsoft Entra ID Exchange Online SharePoint Online Microsoft Teams | [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) | +| File Servers (including Windows file server, Dell, NetApp, Nutanix File server, Synology, and Qumulo) | [AD Container](activedirectory/overview.md#ad-container) [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) [Qumulo](fileservers/overview.md#qumulo) [Synology](fileservers/overview.md#synology) By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. 
| | Network Devices | [Syslog Device](networkdevices.md#syslog-device) [Cisco Meraki Dashboard](networkdevices.md#cisco-meraki-dashboard) | | Oracle Database | [Oracle Database Instance](oracle/overview.md#oracle-database-instance) | | SharePoint | [SharePoint Farm](sharepoint/overview.md#sharepoint-farm) | | SQL Server | [SQL Server Instance](sqlserver/items.md#sql-server-instance) [SQL Server Availability Group](sqlserver/items.md#sql-server-availability-group) | | VMware | [VMware ESX/ESXi/vCenter](vmware/overview.md#vmware-esxesxivcenter) | -| Windows Server User Activity | [File Servers](fileservers/overview.md) [AD Container](activedirectory/overview.md#ad-container) [File Servers](fileservers/overview.md) | -| Netwrix API | [Integration API](../../api/overview.md) | +| Windows Server User Activity | [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [AD Container](activedirectory/overview.md#ad-container) [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) | +| Netwrix API | [Integration API](/docs/auditor/10.7/auditor/api/overview.md) | To add, modify and remove items, you must be assigned the Global administrator role in the product or the **Configurator** role on the plan. See the -[Role-Based Access and Delegation](delegation.md)topic for additional information. +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md)topic for additional information. Follow the steps to add a new item to a data source: 
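Review bot: The link rewrite in the data-source table of this hunk is only partial. `[File Servers](fileservers/overview.md)` and `[Microsoft Entra ID](microsoftentraid/overview.md)` become absolute `/docs/auditor/10.7/auditor/admin/monitoringplans/...` paths, but the anchored links in the same cells, such as `[AD Container](activedirectory/overview.md#ad-container)` and `[Dell Isilon](fileservers/overview.md#dell-isilon)`, stay relative. Either convert the anchored links too or say in the commit message why they are exempt, so the table does not end up with two link styles in one cell. The File Servers and Windows Server rows also list the same `[File Servers]` link twice, which could be dropped while the rows are being touched, and the last changed line still reads `delegation.md)topic` with no space before "topic".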
@@ -113,22 +113,22 @@ examples on how to use omit functionality in Auditor. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous -exclusion settings configured in the \*.txt files. See the [Monitoring Plans](overview.md)topic for +exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | Use case | Related documentation | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Active Directory** | | -| I want to omit all activity by a specific service account or service accounts with specific naming pattern. | [Active Directory](activedirectory/overview.md) | -| If Netwrix user is responsible just for a limited scope within corporate AD, s/he needs to omit everything else. | [Active Directory](activedirectory/overview.md) - Always both activity and state in time data are omitted. - In group/Not in group filters don't not process groups from omitted OUs. | +| I want to omit all activity by a specific service account or service accounts with specific naming pattern. | [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) | +| If Netwrix user is responsible just for a limited scope within corporate AD, s/he needs to omit everything else. 
| [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) - Always both activity and state in time data are omitted. - In group/Not in group filters don't not process groups from omitted OUs. | | **Logon Activity** | | -| I want to omit domain logons by a specific service account or service accounts with specific naming pattern. | [Logon Activity](logonactivity/overview.md) | +| I want to omit domain logons by a specific service account or service accounts with specific naming pattern. | [Logon Activity](/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md) | | **File Servers** (including Windows file server, Dell, NetApp, Nutanix File server) | | | I have a server named _StationWin16_ where I can't install .Net 4.5 in OU where I keep all member servers. I want to suppress errors from this server by excluding it from the Netwrix auditing scope. | [AD Container](activedirectory/overview.md#ad-container) | -| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. | [File Servers](fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | -| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. 
| [File Servers](fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | -| A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this folder. | [File Servers](fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | -| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](fileservers/overview.md) | +| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. | [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | +| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. 
| [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | +| A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this folder. | [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) | +| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) | | **SQL Server** | | | I want to know if _corp\administrator_ user is messing with SQL data. | [SQL Server Instance](sqlserver/items.md#sql-server-instance) | | As a Auditor administrator I want to exclude the _domain\nwxserviceaccount_ service account activity from SQL server audit so that I get reports without changes made by automatic systems. | [SQL Server Instance](sqlserver/items.md#sql-server-instance) | 
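Review bot: The File Servers section of the use-case table in this hunk contains the row "A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share" twice with identical links, and the patch rewrites both copies instead of removing one. Please drop the duplicate row. Two smaller wording slips sit on lines this hunk already changes: `overview.md)topic` is missing a space before "topic", and the Active Directory row still says "filters don't not process groups from omitted OUs".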
@@ -138,6 +138,6 @@ additional information. | As a Auditor Administrator I want to exclude shared _PublicList_ from read audit. | [SharePoint Farm](sharepoint/overview.md#sharepoint-farm) | | Windows Server | | | I have a server named StationWin16 where I can't install .Net 4.5 in OU where I keep all member servers. I want to suppress errors from this server by excluding it from the Netwrix auditing scope. | [AD Container](activedirectory/overview.md#ad-container) | -| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](fileservers/overview.md) | +| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) | | VMware | | | I have a virtual machine named "testvm" I use for testing purposes, so I want to exclude it from being monitored. | [VMware ESX/ESXi/vCenter](vmware/overview.md#vmware-esxesxivcenter) | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md b/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md index 2c8bcae298..b1d941d85f 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md @@ -8,7 +8,7 @@ To keep the monitoring process secure, Netwrix suggests configuring role-based a control ensures that only appropriate users can modify the product configuration or view audit data, based on your company policies and the user's job responsibilities. -![rbac-01](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/rbac-01.webp) +![rbac-01](/img/product_docs/auditor/auditor/admin/monitoringplans/rbac-01.webp) Roles are described briefly in the table below and explained in detail in the next topic. 
@@ -95,7 +95,7 @@ Do one of the following: | To... | Do... | | ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | | Assign a role | 1. Select Add User. 2. In the dialog that opens, specify a user (or a group) and a role. | -| Revoke a role assignment | - Click ![delete](../../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) next to the user. | +| Revoke a role assignment | - Click ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) next to the user. | **Step 4 –** Click **Save** or **Save&Close**. @@ -108,7 +108,7 @@ The Browser role is required to generate reports. It is granted on all reports delegated scope. If for some reason Auditor is unable to grant the Browser role, configure it manually. See the -[SQL Server Reporting Services](../../requirements/sqlserverreportingservice.md) topic for +[SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. ### Default Role Assignments @@ -143,10 +143,10 @@ Netwrix Auditor Client Users group. Specify users you want to be included in this group. -![Roles_Groups](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/roles_groups.webp) +![Roles_Groups](/img/product_docs/auditor/auditor/admin/monitoringplans/roles_groups.webp) **NOTE:** For additional information about User Activity video access management, see the -[Configure Video Recordings Playback Settings](../../configuration/useractivity/videorecordings.md) +[Configure Video Recordings Playback Settings](/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md) topic. ## Provide Access to a Limited Set of Data 
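Review bot: In the "Revoke a role assignment" row of delegation.md, the delete icon still resolves to `/img/product_docs/strongpointfornetsuite/integrations/delete.webp`, so an Auditor page depends on an image stored under another product's folder. Since this line is being rewritten anyway, point it at a copy under the Auditor image tree (`/img/product_docs/auditor/...`), otherwise any cleanup or move of the StrongPoint assets silently breaks this table.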
diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/exchange/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/exchange/overview.md index 981f71bd21..d43ece3e65 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/exchange/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/exchange/overview.md @@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Exchange](../../../configuration/exchange/overview.md) – Configure data source as required to be +- [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -19,13 +19,13 @@ Complete the following fields: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. | | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Exchange](../../../configuration/exchange/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | -| Collect data on non-owner access to mailboxes | Enable monitoring of unauthorized access to mailboxes within your Exchange Online organization. Configure the following: - Notify users if someone gained access to their mailboxes — Select this checkbox if you want to notify users on non-owner access events to their mailboxes. - Notify only specific users — Select this checkbox and click Add Recipient to specify the list of users who will receive notifications on non-owner access to their mailboxes. Users not included in this list will not be notified. 
- Enable automatic audit configuration— If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. See the [Exchange](../../../configuration/exchange/overview.md) and [Exchange Online](../../../configuration/microsoft365/exchangeonline/overview.md) topics for additional information about the audit settings required for Auditor to collect comprehensive audit data and instructions on how to configure them. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | +| Collect data on non-owner access to mailboxes | Enable monitoring of unauthorized access to mailboxes within your Exchange Online organization. Configure the following: - Notify users if someone gained access to their mailboxes — Select this checkbox if you want to notify users on non-owner access events to their mailboxes. - Notify only specific users — Select this checkbox and click Add Recipient to specify the list of users who will receive notifications on non-owner access to their mailboxes. Users not included in this list will not be notified. 
- Enable automatic audit configuration— If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. See the [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) and [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) topics for additional information about the audit settings required for Auditor to collect comprehensive audit data and instructions on how to configure them. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Domain 
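Review bot: Every rewritten link in this hunk, for example `[Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md)`, now hard-codes the `10.7` directory, whereas the old `../../../configuration/exchange/overview.md` form was independent of the version folder. If this tree is copied for a later release, these links will keep pointing at the 10.7 pages. Please confirm that the docs build rewrites absolute paths per version, or keep version-relative links inside versioned folders.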
@@ -35,7 +35,7 @@ Complete the following fields: | Option | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. 
- Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | -See the [Permissions for Exchange Auditing](../../../configuration/exchange/permissions.md) topic +See the [Permissions for Exchange Auditing](/docs/auditor/10.7/auditor/configuration/exchange/permissions.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/exchangeonline/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/exchangeonline/overview.md index 3401a3ec5d..f03f28ff71 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/exchangeonline/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/exchangeonline/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Exchange Online](../../../configuration/microsoft365/exchangeonline/overview.md) – Configure data +- [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) – Configure data source as required to be monitored ## How to add Exchange Online Monitoring Plan @@ -17,7 +17,7 @@ the following topics: This instruction shows how to collect audit data from the Microsoft 365 tenant. If you plan to use modern authentication, see the -[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) +[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) topic for additional information on how to prepare Microsoft Entra ID app with required permissions. Make sure you have the following at hand: 
@@ -41,10 +41,10 @@ Follow the steps to configure Office 365 tenant as a monitored item. ID monitoring. - If you are going to use **Modern authentication**, paste the obtained name. See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) topic for additional information. -![tenantenvironment](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) +![tenantenvironment](/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) If you are using a government tenant, please click the **Tenant Environment** tab and select the desired tenant environment. @@ -58,7 +58,7 @@ desired tenant environment. _user@domain.onmicrosoft.com_. - The **Tenant name** field then will be filled in automatically. - Make sure this user account has sufficient access rights. See - [Using Basic Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/basicauth.md) + [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md) topic for additional information. - Modern authentication: 
@@ -71,12 +71,12 @@ desired tenant environment. - **Application secret**. - See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) for additional information. **Step 3 –** Click the **Add** button. -![Add Office 365 Item window](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) +![Add Office 365 Item window](/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) You can use a single account to collect audit data for different Office 365 services (Microsoft Entra ID, Exchange Online, SharePoint Online); however, Netwrix recommends that you specify 
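Review bot: The changed bullet under "Application secret" reads "See the [Using Modern Authentication with Microsoft Entra ID](...) for additional information." and lacks the word "topic" that the same reference carries in the previous hunk ("topic for additional information"). Since the line is being rewritten, align the wording with the other cross-references in this file.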
@@ -101,15 +101,15 @@ in UPN format (unlike the earlier Netwrix Auditor versions). This refers to the | Option | Description | | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Monitor this data source and collect activity data | | -| Configure audit settings | See the [Exchange Online](../../../configuration/microsoft365/exchangeonline/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. | +| Configure audit settings | See the [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | +| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. | | Collect data on non-owner access to mailboxes | | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. 
See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. -See the [Microsoft 365](../../../configuration/microsoft365/overview.md) topic for additional +See the [Microsoft 365](/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md index 822cc4be82..ccda16e1db 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md @@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [File Servers](../../../configuration/fileservers/overview.md) – Configure data source as required +- [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -19,11 +19,11 @@ Complete the following fields: | General | | | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Specify actions for monitoring | Specify actions you want to track and auditing mode. | | | | --- | --- | | Changes | | | Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. | | Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. | | Read access | | | Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | | Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. | -| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. 
To collect data from 32-bit operating systems, network traffic compression must be **disabled**. To collect data from Windows Failover Cluster, network traffic compression must be **enabled**. See the [File Servers](../../../configuration/fileservers/overview.md) topic for additional information. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](../../../requirements/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Some settings cannot be configured automatically. The product has the following limitations depending on your file server type. | File Server | SACL Check | SACL Adjust | Policy Check | Policy Adjust | Log Check | Log Adjust | | --- | --- | --- | --- | --- | --- | --- | | Windows | + | + | + | + | + | + | | Dell Celerra\VNX\Unity | + | + | + | — | + | — | | Dell Isilon | n/a | n/a | + | — | n/a | n/a | | NetApp Data ONTAP 7 and 8 in 7-mode | + | + | + | + | + | + | | NetApp Clustered Data ONTAP 8 and ONTAP 9 | + | + | + | + | + | — | | Nutanix Files | n/a | n/a | + | + | n/a | n/a | | -| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. 
By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | +| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. 
To collect data from 32-bit operating systems, network traffic compression must be **disabled**. To collect data from Windows Failover Cluster, network traffic compression must be **enabled**. See the [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) topic for additional information. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Some settings cannot be configured automatically. The product has the following limitations depending on your file server type. | File Server | SACL Check | SACL Adjust | Policy Check | Policy Adjust | Log Check | Log Adjust | | --- | --- | --- | --- | --- | --- | --- | | Windows | + | + | + | + | + | + | | Dell Celerra\VNX\Unity | + | + | + | — | + | — | | Dell Isilon | n/a | n/a | + | — | n/a | n/a | | NetApp Data ONTAP 7 and 8 in 7-mode | + | + | + | + | + | + | | NetApp Clustered Data ONTAP 8 and ONTAP 9 | + | + | + | + | + | — | | Nutanix Files | n/a | n/a | + | + | n/a | n/a | | +| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. 
When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | | Users | | -| Specify monitoring restrictions | Select the users to be excluded from search results, reports and Activity Summaries. 
To add users to the list, click Add and provide user name in the domain\user format: _mydomain\user1_. - Use NetBIOS domain name format. - To exclude events containing "_System_" instead of initiator's account name in the "_Who_" column, enter "_System_" value to the list. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add and provide user name in the domain\user format: _mydomain\user1_. - Use NetBIOS domain name format. - To exclude events containing "_System_" instead of initiator's account name in the "_Who_" column, enter "_System_" value to the list. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for 
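Review bot: The replacement line for the "Specify monitoring restrictions" row still reads `overview.md)topic for additional information`, with no space between the link and "topic". Since the line is being rewritten anyway, insert the space so the sentence renders as "See the Monitoring Plans topic". The same run-together text is carried over in the Dell VNX, Dell Isilon and NetApp rows further down this file.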
@@ -42,16 +42,16 @@ the related option in the monitored item settings. Administrative hidden shares like default system root or Windows directory (_ADMIN$_), default drive shares (_D$, E$_), etc. will not be monitored. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. _Remember,_ before adding your monitored items, examine the considerations, limitations and recommendations provided in the following sections: -- [DFS-Related Constraints](../../../configuration/fileservers/windows/overview.md#dfs-related-constraints) -- [Supported File Servers and Devices](../../../configuration/fileservers/overview.md#supported-file-servers-and-devices) -- [State-in-Time Data](../../../configuration/fileservers/overview.md#state-in-time-data) -- [Sensitive Data](../../../configuration/fileservers/overview.md#sensitive-data) +- [DFS-Related Constraints](/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md#dfs-related-constraints) +- [Supported File Servers and Devices](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md#supported-file-servers-and-devices) +- [State-in-Time Data](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md#state-in-time-data) +- [Sensitive Data](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md#sensitive-data) ## Dell VNX VNXe 
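Review bot: Each of the four list links under "_Remember,_" now embeds the version directory (`/docs/auditor/10.7/auditor/configuration/fileservers/...`), where the removed relative links did not. That ties this file to the 10.7 tree: copied into another version's directory, the links would still point at 10.7 content. If absolute paths are the intended convention, state that in the contributor guidance and add a link check that a file under `docs/auditor/<version>/` only links to its own version.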
@@ -63,17 +63,17 @@ Complete the following fields: | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify Dell VNX/VNXe, Celerra or Unity storage array | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. 
| | Scope | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring Scope for additional information on how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring Scope for additional information on how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ### Fine-tune Monitoring Scope To audit all file shares, under Specify monitoring restrictions, select Monitor all file shares in the array. 
-![item_emc_scope_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_emc_scope_thumb_0_0.webp) +![item_emc_scope_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_emc_scope_thumb_0_0.webp) You can also create lists of specific file shares to include and/or exclude from being audited. @@ -125,7 +125,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. 
@@ -141,9 +141,9 @@ Complete the following fields: | Access Zone | Enter the name of access zone partition within your EMC Isilon cluster. For example, _zone_account_ | | OneFS web administration interface URL | Enter Dell Isilon web administration URL (e.g., _https://isiloncluster.corp.lab:8080_). This URL is used to get configuration details about your Isilon cluster via OneFS API. | | File Share UNC path to audit logs | Path to the file share located on a Dell Isilon with event log files (e.g., _\\srv\netwrix_audit$\logs_). | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Scope | | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring ScopeFine-tune Monitoring Scopetopic for additional information about how to narrow your monitoring scope. 
In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring ScopeFine-tune Monitoring Scopetopic for additional information about how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ### Configure the Scope @@ -203,7 +203,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. 
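Review bot: In the Dell Isilon "Specify monitoring restrictions" row (the hunk starting at line 141), the added line keeps the text `See the Fine-tune Monitoring ScopeFine-tune Monitoring Scopetopic`: the section name is doubled, it is not a link, and the space before "topic" is missing. This looks like a cross-reference that lost its markup. The heading that follows this table is "Configure the Scope", so replace the phrase with a single link to that heading while the row is being edited.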
@@ -217,14 +217,14 @@ Complete the following fields: | General | | | Specify NetApp file server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. | | File share UNC path to audit logs | Select one of the following: - Detect automatically—If selected, a shared resource will be detected automatically. - Use this path—UNC path to the file share located on a NetApp Filer with event log files (e.g., _\\CORP\ETC$\log_). | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | ONTAPI/ONTAP REST API | | | Specify protocol for accessing ONTAPI/ONTAP REST API | Select one of the following: - Detect automatically—If selected, a connection protocol will be detected automatically. 
- HTTP - HTTPS Refer to [Netwrix Auditor Installation and Configuration Guide](https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf) for detailed instructions on how to enable HTTP or HTTPS admin access. NOTE: ONTAP REST API works only over HTTPS protocol | | Specify management interface | Select management interface to connect to ONTAPI/ONTAP REST API. If you want to use custom management interface for ONTAPI/ONTAP REST API, select Custom and provide a server name by entering its FQDN, NETBIOS or IP address. | -| Specify account for connecting to ONTAPI/ONTAP REST API | Select an account to connect to NetApp and collect data through ONTAPI/ONTAP REST API. If you want to use a specific account (other than the one you specified on the General tab), select **Custom** and enter credentials. The credentials are case sensitive. Take into consideration that even if a custom account is specified, the account selected on the General tab must be a member of the Builtin\Administrators group and have sufficient permissions to access audit logs shared folder and audited shares. [Data Collecting Account](../dataaccounts.md) | +| Specify account for connecting to ONTAPI/ONTAP REST API | Select an account to connect to NetApp and collect data through ONTAPI/ONTAP REST API. If you want to use a specific account (other than the one you specified on the General tab), select **Custom** and enter credentials. The credentials are case sensitive. Take into consideration that even if a custom account is specified, the account selected on the General tab must be a member of the Builtin\Administrators group and have sufficient permissions to access audit logs shared folder and audited shares. 
[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) | | Scope | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. **CAUTION:** Monitoring of non-default hidden shares is not supported for NetApp servers in 7-mode. | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Configure Scope how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Configure Scope how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ### Configure Scope 
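Review bot: Two cells in the NetApp table are rewritten here but still contain broken cross-reference text. The "Specify account for connecting to ONTAPI/ONTAP REST API" row ends with a bare `[Data Collecting Account](...)` link with no "See the ... topic" sentence around it, and the "Specify monitoring restrictions" row reads `Configure Scope how to narrow your monitoring scope.`, which is not a sentence. Wrap the first in the "See the ... topic for additional information." wording used by the other rows, and turn the second into a link to the "Configure Scope" heading that follows the table.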
@@ -281,7 +281,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. @@ -291,10 +291,10 @@ settings. **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems Complete the following fields: 
@@ -304,13 +304,13 @@ Complete the following fields: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Specify actions for monitoring | Specify actions you want to track and auditing mode. | | | | --- | --- | | Changes | | | Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. | | Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. | | Read access | | | Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | | Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. | | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. 
Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](../../../requirements/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Netwrix Auditor can configure the following settings: - Policy Check - Policy Adjust | -| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. 
Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Netwrix Auditor can configure the following settings: - Policy Check - Policy Adjust | +| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. 
When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. 
See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Nutanix SMB Shares 
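Review bot: The rewritten links in the `Configure audit settings` and `Collect data for state-in-time reports` rows, and the `Add Items for Monitoring` link after the table, now embed the version directory (`/docs/auditor/10.7/auditor/...`), which the relative targets they replace did not. If this directory is copied to start another version, these links will keep resolving to the 10.7 pages without any build error. Consider documenting that the version segment must be rewritten on copy, or adding a link check that fails when a page under one version directory links into another.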
@@ -321,10 +321,10 @@ Complete the following fields: | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **General** | | | Specify Nutanix File Server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. If you need to audit a 3-node cluster, it is recommended to use FQDN or NETBIOS name. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for more information. | -| Specify listening port for incoming connections | Provide the name of the TCP port to listen to notifications on the operations with Nutanix file shares. Default is **9898**. For details on how to open the port, refer to the [Nutanix Ports](../../../configuration/fileservers/nutanix/ports.md) topic. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. 
A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for more information. | +| Specify listening port for incoming connections | Provide the name of the TCP port to listen to notifications on the operations with Nutanix file shares. Default is **9898**. For details on how to open the port, refer to the [Nutanix Ports](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md) topic. | | **Nutanix File Server REST API** | | -| Specify account for connecting to Nutanix File Server REST API | Specify the account that will be used to connect to Nutanix REST API. This account should have sufficient privileges on the Nutanix File Server. For details, refer to [Create User Account to Access Nutanix REST API](../../../configuration/fileservers/nutanix/useraccount.md). | +| Specify account for connecting to Nutanix File Server REST API | Specify the account that will be used to connect to Nutanix REST API. This account should have sufficient privileges on the Nutanix File Server. For details, refer to [Create User Account to Access Nutanix REST API](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md). | | **Scope** | | | Monitor hidden shares | By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | | Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). 
All filters are applied using AND logic. Refer to Configure Scope for detailed instructions on how to configure your monitoring scope. Currently, auditing is available for SMB shares only. Auditing of NFS shares is not supported due to known limitations. | @@ -384,7 +384,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. 
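Review bot: In the Nutanix hunk above (`@@ -321,10 +321,10 @@`), the `+` row for `Specify account for connecting to Nutanix File Server REST API` still says only that the account "should have sufficient privileges". Since the line is being rewritten anyway, say that the account should hold only the privileges listed in the linked `useraccount.md` topic, so the wording points readers at a minimal account. The `+` row for `Specify listening port for incoming connections` also asks for "the name of the TCP port" where a port number (default **9898**) is meant.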
@@ -397,7 +397,7 @@ Complete the following fields: | -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | General | | | Specify a file server | Provide UNC path to a file server. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. 
See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Event Collection | | | Specify a host or network resource | Provide UNC path to a file server or an IP range of servers you want to get activity events from. You can select to collect event data from the same server or provide a custom server or IP range. | | Specify port and protocol for incoming connections | Use **Port** and **Protocol** to provide the port required for incoming connections (default is **UDP port 514**). | 
@@ -412,7 +412,7 @@ Complete the following fields: | -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | General | | | Specify a file server | Provide UNC path to a file server. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. 
See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Event Collection | | | Specify a host or network resource | Provide UNC path to a file server or an IP range of servers you want to get activity events from. You can select to collect event data from the same server or provide a custom server or IP range. | | Specify port and protocol for incoming connections | Use **Port** and **Protocol** to provide the port required for incoming connections (default is **UDP port 514**). | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/scope.md b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/scope.md index 7c15f56bdf..c1060ffb20 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/scope.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/scope.md @@ -4,7 +4,7 @@ You can specify data that you want to include into / exclude from the Windows Fi Filer, and Dell Data Storage (formerly EMC) monitoring scope. For that, you can configure monitoring scope in Auditor client UI, as explained in the related section: -- [File Servers](overview.md) +- [File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) - Windows File Share Besides, you can configure exclusions for file servers audit using the special txt files (omit 
@@ -79,7 +79,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/windowsfileserver.md b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/windowsfileserver.md index 54b98878ef..005ebe565f 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/windowsfileserver.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/windowsfileserver.md @@ -3,10 +3,10 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems ## Windows File Share 
@@ -17,9 +17,9 @@ Complete the following fields: | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify Windows file share | Provide UNC path to a shared resource. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. 
See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | | Scope | | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Configure Scope topic for additional information on how to narrow your monitoring scope. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. 
| +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Configure Scope topic for additional information on how to narrow your monitoring scope. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ### Configure Scope @@ -57,7 +57,7 @@ to the specified shared folder, its subfolders and files. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_. -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users_thumb_0_0.webp) **Step 3 –** After configuring all filters, click **Add** to save them and return to the item settings. 
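Review bot: The `+` row for `Specify monitoring restrictions` in the `@@ -17,9 +17,9 @@` hunk carries over the missing space in `overview.md)topic`, so the link text runs into the next word when rendered. Add the space while the line is being rewritten. The same row still refers to "the Configure Scope topic" as plain text although `### Configure Scope` follows directly below the table; an anchor link there would match the rest of this change.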
@@ -96,10 +96,10 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](../../../configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. 
A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Containers and Computers | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. 
Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ## IP Range 
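Review bot: In the `Specify the account for collecting data` `+` row of the `@@ -96,10 +96,10 @@` hunk, `See the[Data Collecting Account](...)` is missing the space before the link, and the `Specify monitoring restrictions` `+` row again has `overview.md)topic`. Both defects predate this change, but both lines are rewritten here and can be fixed in the same commit. The unchanged `Specify AD container` row also has an unbalanced `**(Computer, IP range**` that deserves a follow-up.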
@@ -109,7 +109,7 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify IP range | Specify an IP range for the audited computers. To exclude computers from within the specified range, click **Exclude**. Enter the IP subrange you want to exclude, and click **Add**. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. 
| | Scope | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | 
@@ -126,7 +126,7 @@ Complete the following fields: | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | General | | | Specify a computer | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. 
See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | | Scope | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. 
| | Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. | @@ -137,7 +137,7 @@ By default, both user activity and state-in-time data will be collected for the However, you can narrow your monitoring scope by specifying certain locations, user accounts or actions to exclude . -![Add Item (Computer)](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclusions_thumb_0_0.webp) +![Add Item (Computer)](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclusions_thumb_0_0.webp) Click Add Exclusion, then follow the steps in the Specify Filters dialog: @@ -171,7 +171,7 @@ Follow the steps to exclude specific user activity. - All actions — Exclude all actions of the selected users - These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_ -![Specify Filters](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users.webp) +![Specify Filters](/img/product_docs/auditor/auditor/admin/monitoringplans/fileservers/item_computer_exclude_users.webp) After configuring all filters, click **Add** to save them and return to the item settings. 
@@ -179,7 +179,7 @@ After configuring all filters, click **Add** to save them and return to the item Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. @@ -191,7 +191,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the 
@@ -204,7 +204,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md b/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md index 3796bbd1bd..174e1fe0ae 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md @@ -5,7 +5,7 @@ collection settings. To modify most plan settings, you must be assigned the Global administrator role in the product or the Configurator role on the plan. The Global reviewer or this plan's Reviewer can modify Activity -Summary recipients. See the [Role-Based Access and Delegation](delegation.md) topic for additional +Summary recipients. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. Follow the steps to edit your plan settings: 
@@ -21,10 +21,10 @@ Follow the steps to edit your plan settings: | General | | | Name Description | Update a plan name or its description. | | Data Collection | | -| Specify the account for collecting data - Not specified - User/Password - gMSA | Specify a new user name and a password for the account that Auditor  will use to collect data. Make sure the account has sufficient permissions to collect data. See the [Data Collecting Account](dataaccounts.md) topic for additional information about the rights and permissions, and instructions on how to configure them. | +| Specify the account for collecting data - Not specified - User/Password - gMSA | Specify a new user name and a password for the account that Auditor  will use to collect data. Make sure the account has sufficient permissions to collect data. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information about the rights and permissions, and instructions on how to configure them. | | Audit Database | | | Disable security intelligence and make data available only in activity summaries | Keep this checkbox cleared if you want Auditor to write data to the Audit Database. | -| Use default SQL Server settings | Select this checkbox to write data to a SQL Server instance with connection parameters as shown in **Settings** > **Audit Database**. See the [Audit Database](../settings/auditdatabase.md) topic for additional information. | +| Use default SQL Server settings | Select this checkbox to write data to a SQL Server instance with connection parameters as shown in **Settings** > **Audit Database**. See the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. | | Specify custom connection parameters | Specify this option to use non-default settings (e.g., use a different authentication method or user). Make sure to store data on the same SQL Server instance. 
Otherwise some data may become unavailable for search and reporting. | | Notifications | | | Specify Activity Summary delivery schedule | Configure how often you want to receive an Activity Summary. By default, it is delivered once a day, at 3 AM. You can specify custom delivery time and frequency (e.g., every 6 hours starting 12 AM — at 12 AM, 6 AM, 12 PM, 6 PM). | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md index 090a908579..209a89c764 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md @@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Group Policy](../../../configuration/grouppolicy/overview.md) – Configure data source as required +- [Group Policy](/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -17,15 +17,15 @@ Complete the following fields: | Option | Description | | -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | -| Prerequisites | Netwrix Auditor will automatically look up additional system components and prompt you to install those that are missing. In case all required components have been already installed, this section will be omitted. See the [Other Components](../../../requirements/software.md#other-components) topic for additional information. | +| Prerequisites | Netwrix Auditor will automatically look up additional system components and prompt you to install those that are missing. In case all required components have been already installed, this section will be omitted. See the [Other Components](/docs/auditor/10.7/auditor/requirements/software.md#other-components) topic for additional information. | | Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. 
| | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Group Policy](../../../configuration/grouppolicy/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Group Policy](/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. 
See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Domain 
@@ -35,13 +35,13 @@ Complete the following fields: | Option | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. 
- Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | ## Use Netwrix Privilege Secure as a Data Collecting Account Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. 
Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. @@ -53,7 +53,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the @@ -66,7 +66,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md index 746a2651f1..895e94e916 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Logon Activity](../../../configuration/logonactivity/overview.md) – Configure data source as +- [Logon Activity](/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -20,14 +20,14 @@ Complete the following fields: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Fine-tune logon activity monitoring | Specify interval for Netwrix Auditor to collect data on logon activity and add successful non-interactive logons to your auditing scope, if necessary. | | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Logon Activity](../../../configuration/logonactivity/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. 
See the [Logon Activity](/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | | Users | | -| Specify monitoring restrictions | Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add. Then, provide the user name in the domain\user format. For example: _mydomain\user1_. Consider the following: - Use NetBIOS domain name format. - You can provide the "_System_" value to exclude events containing the “_System_” instead of an account name in the “_Who_” column. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add. Then, provide the user name in the domain\user format. For example: _mydomain\user1_. Consider the following: - Use NetBIOS domain name format. - You can provide the "_System_" value to exclude events containing the “_System_” instead of an account name in the “_Who_” column. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. 
As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Domain 
@@ -37,13 +37,13 @@ Complete the following fields: | Option | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. 
- Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. | ## Use Netwrix Privilege Secure as a Data Collecting Account Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. 
Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. @@ -55,7 +55,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the @@ -68,7 +68,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md index 1f0f08e617..d724e4983e 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md 
@@ -3,20 +3,20 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/overview.md) – Configure +- [Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) – Configure data source as required to be monitored You can use the following data collecting account options: - Username and password. - Integration with the Netwrix Privilege Secure. See the - [Netwrix Privilege Secure](../../settings/privilegesecure.md) and How to Add Microsoft Entra ID + [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) and How to Add Microsoft Entra ID Monitoring Plan Using Netwrix Privilege Secure topics for additional information. - Application and secret for Microsoft 365 with modern authentication. 
@@ -35,18 +35,18 @@ Complete the following fields: | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Monitor Microsoft Entra ID logon activity | Specify what types of logon events you want to monitor: successful or failed, performed through Windows and SQL authentication. - Failed logons - Successful logons | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. | +| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. This instruction shows how to collect audit data from the Microsoft 365 tenant. 
If you plan to use modern authentication, see the -[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) +[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) topic for additional information on how to prepare Microsoft Entra ID app with required permissions. Make sure you have the following at hand: @@ -70,10 +70,10 @@ Follow the steps to configure Office 365 tenant as a monitored item. ID monitoring. - If you are going to use **Modern authentication**, paste the obtained name. See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) topic for additional information. -![tenantenvironment](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) +![tenantenvironment](/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) If you are using a government tenant, please click the **Tenant Environment** tab and select the desired tenant environment. @@ -87,7 +87,7 @@ desired tenant environment. _user@domain.onmicrosoft.com_. - The **Tenant name** field then will be filled in automatically. - Make sure this user account has sufficient access rights. See - [Using Basic Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/basicauth.md) + [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md) topic for additional information. - Modern authentication: 
@@ -100,12 +100,12 @@ desired tenant environment. - **Application secret**. - See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) for additional information. **Step 3 –** Click the **Add** button. -![Add Office 365 Item window](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) +![Add Office 365 Item window](/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) You can use a single account to collect audit data for different Office 365 services (Microsoft Entra ID, Exchange Online, SharePoint Online); however, Netwrix recommends that you specify @@ -121,7 +121,7 @@ provide the Application ID instead of the user name. Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. 
@@ -133,7 +133,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the @@ -146,7 +146,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/msteams.md b/docs/auditor/10.7/auditor/admin/monitoringplans/msteams.md index 2b398614e9..4afd97808d 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/msteams.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/msteams.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../requirements/ports.md) – To ensure successful data collection +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [MS Teams](../../configuration/microsoft365/teams/overview.md) – Configure data source as required +- [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) – Configure data source as required to be monitored ## How to Add Office365 Item @@ -17,7 +17,7 @@ the following topics: This instruction shows how to collect audit data from the Microsoft 365 tenant. If you plan to use modern authentication, see the -[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](../../configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) +[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) topic for additional information on how to prepare Microsoft Entra ID app with required permissions. Make sure you have the following at hand: 
@@ -41,10 +41,10 @@ Follow the steps to configure Office 365 tenant as a monitored item. ID monitoring. - If you are going to use **Modern authentication**, paste the obtained name. See the - [Using Modern Authentication with Microsoft Entra ID](../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) topic for additional information. -![tenantenvironment](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) +![tenantenvironment](/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) If you are using a government tenant, please click the **Tenant Environment** tab and select the desired tenant environment. @@ -58,7 +58,7 @@ desired tenant environment. _user@domain.onmicrosoft.com_. - The **Tenant name** field then will be filled in automatically. - Make sure this user account has sufficient access rights. See - [Using Basic Authentication with Microsoft Entra ID](../../configuration/microsoft365/microsoftentraid/basicauth.md) + [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md) topic for additional information. - Modern authentication: 
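Review bot: the image line rewritten at the end of this hunk keeps the file name as its alt text, `![tenantenvironment](/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp)`, which tells a screen-reader user nothing. Since the line is being changed anyway, give it a descriptive alt text that matches the sentence after it, such as "Tenant Environment tab", the way the later `![Add Office 365 Item window](...)` image already does.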
@@ -71,12 +71,12 @@ desired tenant environment. - **Application secret**. - See the - [Using Modern Authentication with Microsoft Entra ID](../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) for additional information. **Step 3 –** Click the **Add** button. -![Add Office 365 Item window](../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) +![Add Office 365 Item window](/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) You can use a single account to collect audit data for different Office 365 services (Microsoft Entra ID, Exchange Online, SharePoint Online); however, Netwrix recommends that you specify 
@@ -87,7 +87,7 @@ individual credentials for each of them. | Option | Description | | -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../reports/types/stateintime/overview.md) topic for additional information. | +| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. | After that, you can use the Microsoft Entra ID management portal to revoke this privileged role and assign one of the non-privileged roles instead (for example, _Security Reader_). diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md b/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md index f747ef4963..103e45f36f 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../requirements/ports.md) – To ensure successful data collection +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Network Devices](../../configuration/networkdevices/overview.md) – Configure data source as +- [Network Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md) – Configure data source as required to be monitored Complete the following fields: diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md index 5f1df21120..49494ec36e 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Oracle Database](../../../configuration/oracle/overview.md) – Configure data source as required +- [Oracle Database](/docs/auditor/10.7/auditor/configuration/oracle/overview.md) – Configure data source as required to be monitored Complete the following fields: @@ -27,7 +27,7 @@ Complete the following fields: Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Oracle Database Instance 
@@ -38,18 +38,18 @@ Complete the following fields: | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Connection type | Select how the product connects to Oracle Database: - Oracle Database instance – select if you want to connect to a database by instance name. - Oracle Wallet – select if you want to use Oracle Wallet – password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. | | Instance name | Provide connection details in the following format: _host:port/service_name._ Make sure audit settings are configured for your Oracle Database instance. | -| Wallet alias | Provide the alias you set while creating wallet. For example, "_MyOracle_". Alias name in Netwrix Auditor should exactly match the alias in the `tnsnames.ora` file. [Configure Oracle Instant Client for HTTP Proxy Connections](../../../configuration/oracle/wallet.md#configure-oracle-instant-client-for-http-proxy-connections) | -| Specify the account for collecting data For Oracle Database instance connection type only. | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. 
See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Wallet alias | Provide the alias you set while creating wallet. For example, "_MyOracle_". Alias name in Netwrix Auditor should exactly match the alias in the `tnsnames.ora` file. [Configure Oracle Instant Client for HTTP Proxy Connections](/docs/auditor/10.7/auditor/configuration/oracle/wallet.md#configure-oracle-instant-client-for-http-proxy-connections) | +| Specify the account for collecting data For Oracle Database instance connection type only. | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | ## Data Collection from Oracle Database On a high level, data collection process for Oracle databases works as follows: -![hiw_diagram_oracle](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/oracle/hiw_diagram_oracle.webp) +![hiw_diagram_oracle](/img/product_docs/auditor/auditor/admin/monitoringplans/oracle/hiw_diagram_oracle.webp) 1. Oracle administrator prepares a dedicated service account with sufficient permissions to collect data from Oracle Database. See the - [Permissions for Oracle Database Auditing](../../../configuration/oracle/permissions.md) topic + [Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) topic for additional information. 2. Netwrix administrator does the following: 
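Review bot: in the rewritten "Wallet alias" row the link `[Configure Oracle Instant Client for HTTP Proxy Connections](...)` is appended to the cell with no lead-in, so it reads as a stray fragment after "...match the alias in the `tnsnames.ora` file." The neighbouring row uses "See the [Data Collecting Account](...) topic for additional information."; wrapping this link the same way would keep the table consistent. The diagram line in the same hunk also keeps `hiw_diagram_oracle` as its alt text and would benefit from a descriptive one.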
@@ -57,7 +57,7 @@ On a high level, data collection process for Oracle databases works as follows: step 1) as a data collecting account in the Monitoring Plan wizard. Then s/he adds items to the monitoring plan – these are Oracle Databases to collect data from. - Configures alerts related to Oracle data source. Current version does not include predefined - alerts for that data source, so follow the [Create Alerts](../../alertsettings/create.md) + alerts for that data source, so follow the [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) section to create and configure the necessary alerts. Remember to set the filter to “Data Source*equals* Oracle”. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md index a5405a3108..a1b8bae276 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../requirements/ports.md) – To ensure successful data collection +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Supported Data Sources](../../requirements/supporteddatasources.md) – Configure data source as +- [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) – Configure data source as required to be monitored To start auditing your environment and analyzing user behavior with Netwrix Auditor, create a @@ -23,7 +23,7 @@ Follow the steps to collect data from your environment. **Step 1 –** Create a monitoring plan with the wizard. Select the data source when you start the monitoring plan wizard, and its initial settings are configured at the wizard steps. See the -[Create a New Monitoring Plan](create.md) topic for additional information. +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. **Step 2 –** Fine-tune data source settings, if necessary: use the data source properties to modify data collection settings, customize the monitoring scope, and more. 
@@ -42,14 +42,14 @@ tile, then expand the All Monitoring Plans tree. | See how data collection goes on | Click on a plan name. You will see all data sources included in the plan and data collection status for each data source. | | Start data collection manually | 1. Select a plan and click Edit. 2. In the monitoring plan window, click Update in the right pane. Data collection will be started (status for the data sources will be displayed as _Working_). Do the same if you need to generate Activity Summary with the latest changes. | | View collected data | 1. Select a plan and click Edit. 2. In the right pane, go to the Intelligence section (in the bottom) and click Search. The search page will appear, displaying the collected data filtered out accordingly (i.e. provided by this monitoring plan). | -| Modify plan settings, add or delete data sources, add or delete items | Select a plan and click Edit. On the page that opens, review your plan settings. Then follow the instructions described in these sections: - [Add Items for Monitoring](datasources.md) - [Fine-Tune Your Plan and Edit Settings](finetune.md) | -| Assign roles | Click Delegate to review current delegations and assign roles. You can delegate control over a monitoring plan to another administrator, or grant read access—Reviewer role—to the data collected by this plan. To simplify delegation, you can further organize the monitoring plans into folders. See the [Role-Based Access and Delegation](delegation.md) topic for additional information. | +| Modify plan settings, add or delete data sources, add or delete items | Select a plan and click Edit. On the page that opens, review your plan settings. 
Then follow the instructions described in these sections: - [Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md) - [Fine-Tune Your Plan and Edit Settings](/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md) | +| Assign roles | Click Delegate to review current delegations and assign roles. You can delegate control over a monitoring plan to another administrator, or grant read access—Reviewer role—to the data collected by this plan. To simplify delegation, you can further organize the monitoring plans into folders. See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. | ## Using historical data For many data sources, you can instruct Netwrix Auditor to collect state-in-time data along with event data. For that, Netwrix Auditor uses state-in-time snapshots of the relevant system (for -example, see [VMware](vmware/overview.md)). +example, see [VMware](/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md)). To keep users up-to-date on actual system state, Auditor updates the latest snapshot on the regular basis. Thus, only the latest snapshot is available for ongoing reporting in the product. @@ -74,4 +74,4 @@ properties. the arrows to move the selected snapshots to the **Snapshots available for reporting** list. When finished, click **OK**. -See the [Role-Based Access and Delegation](delegation.md) topic for additional information. +See the [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/sharepoint/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/sharepoint/overview.md index 1d543aca01..08f9a005cd 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/sharepoint/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/sharepoint/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [SharePoint](../../../configuration/sharepoint/overview.md) – Configure data source as required to +- [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) – Configure data source as required to be monitored Complete the following fields: 
@@ -18,13 +18,13 @@ Complete the following fields: | -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. 
See the [SharePoint](../../../configuration/sharepoint/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. In the **Manage historical snapshots** section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the **Global administrator** or the **Global reviewer** role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor . If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. 
| +| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. In the **Manage historical snapshots** section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the **Global administrator** or the **Global reviewer** role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor . If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Troubleshoot SharePoint Auditing 
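Review bot: the rewritten "Collect data for state-in-time reports" row still carries a broken sentence, "Users can also configure Only the latest snapshot is available for reporting in Auditor .", which looks like two sentences merged with a stray space before the period. Because this change replaces the whole row, it is a good place to repair it, or to confirm the intended wording with the doc owner before merging. The unchanged "Detect additional details" row just above has a similar slip ("Select Group membershipif") that could be fixed in the same pass.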
@@ -41,13 +41,13 @@ Complete the following fields: | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify SharePoint farm for monitoring | Enter the SharePoint Central Administration website URL. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Core Service | | -| Deploy Netwrix Auditor for SharePoint Core Service | Select deployment method for the Core Service. Select one of the following: - Automatically—The installation will run under the account used to collect data on the SharePoint farm wizard completion. Prior to the Netwrix Auditor for SharePoint Core Service installation, review the following prerequisites and make sure that: - Netwrix Auditor for SharePoint Core Service is going to be installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - [.Net Framework 3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22) is installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - The SharePoint Administration (SPAdminV4) service is started on the target computer. See [SharePoint](../../../configuration/sharepoint/overview.md) for more information. 
- The user that is going to run the Core Service installation: - Is a member of the local Administrators group on SharePoint server, where the Core Service will be deployed. - Is granted the SharePoint_Shell_Access role on SharePoint SQL Server configuration database. See [Permissions for SharePoint Auditing](../../../configuration/sharepoint/permissions.md) topic for more information. - Manually—See the [Netwrix Auditor Installation and Configuration Guide](https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf) for more information. During the Netwrix Auditor for SharePoint Core Service installation / uninstallation your SharePoint sites may be unavailable. | +| Deploy Netwrix Auditor for SharePoint Core Service | Select deployment method for the Core Service. Select one of the following: - Automatically—The installation will run under the account used to collect data on the SharePoint farm wizard completion. Prior to the Netwrix Auditor for SharePoint Core Service installation, review the following prerequisites and make sure that: - Netwrix Auditor for SharePoint Core Service is going to be installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - [.Net Framework 3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22) is installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - The SharePoint Administration (SPAdminV4) service is started on the target computer. See [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) for more information. - The user that is going to run the Core Service installation: - Is a member of the local Administrators group on SharePoint server, where the Core Service will be deployed. - Is granted the SharePoint_Shell_Access role on SharePoint SQL Server configuration database. 
See [Permissions for SharePoint Auditing](/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md) topic for more information. - Manually—See the [Netwrix Auditor Installation and Configuration Guide](https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf) for more information. During the Netwrix Auditor for SharePoint Core Service installation / uninstallation your SharePoint sites may be unavailable. | | Changes | | | Audit SharePoint farm configuration changes | Configuration changes are always audited. | | Audit SharePoint permissions and content changes | Select change types to be audited with Netwrix Auditor. Netwrix Auditor allows auditing the entire SharePoint farm. Alternatively, you can limit the auditing scope to separate web applications and site collections. To do it, select Specific SharePoint objects and do one of the following: - Click Add, provide the URL to web application or site collection and select object type (Web application or Site collection). - Click Import, select object type (Web application or Site collection), encoding type, and browse for a file that contains a list of web applications and sites. Netwrix Auditor ignores changes to system data (e.g., hidden and system lists or items are not audited). Netwrix Auditor also ignores the content changes to sites and objects on the site collections located on Central Administration web application, but the security changes that occurred there are tracked and reported anyway. | | Activity | | -| Specify monitoring restrictions | Specify restriction filters to narrow your SharePoint monitoring scope (search results, reports and Activity Summaries). For example, you can exclude site collections document libraries and lists from being audited as they contain public non sensitive data. All filters are applied using AND logic. 
Click Add and complete the following fields: - User – provide the name of the user as shown in the "_Who_" column of reports and Activity Summaries. Example: _mydomain\user1_. - Object URL – provide URL of the objects as shown in the "_What_" column of reports and Activity Summaries. Example: _http://sitecollection/list/document.docx_. - Action Type – select what types of actions performed by selected users under the object you want to monitor. Available values: _All_, _Changes_, _Reads_. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your SharePoint monitoring scope (search results, reports and Activity Summaries). For example, you can exclude site collections document libraries and lists from being audited as they contain public non sensitive data. All filters are applied using AND logic. Click Add and complete the following fields: - User – provide the name of the user as shown in the "_Who_" column of reports and Activity Summaries. Example: _mydomain\user1_. - Object URL – provide URL of the objects as shown in the "_What_" column of reports and Activity Summaries. Example: _http://sitecollection/list/document.docx_. - Action Type – select what types of actions performed by selected users under the object you want to monitor. Available values: _All_, _Changes_, _Reads_. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. 
Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | | Read Access | | | Audit SharePoint read access | Configure Netwrix Auditor to track read access to lists and list items within your SharePoint farm except for Central Administration web sites. Select Sites only if you want to enable read access auditing on SharePoint sites only. Enable Sites and subsites to track read access on each subsite. Then, do one of the following: - Click Add and provide URL to a SharePoint site. - Click Import, select encoding type, and browse for a file that contains a list of sites. Read access auditing significantly increases the number of events generated on your SharePoint and the amount of data written to the AuditArchive. | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/sharepointonline/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/sharepointonline/overview.md index 5cdcccace0..471df64929 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/sharepointonline/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/sharepointonline/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [SharePoint Online](../../../configuration/microsoft365/sharepointonline/overview.md) – Configure +- [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) – Configure data source as required to be monitored ## How to Add Office365 Item @@ -17,7 +17,7 @@ the following topics: This instruction shows how to collect audit data from the Microsoft 365 tenant. If you plan to use modern authentication, see the -[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) +[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id) topic for additional information on how to prepare Microsoft Entra ID app with required permissions. Make sure you have the following at hand: 
@@ -41,10 +41,10 @@ Follow the steps to configure Office 365 tenant as a monitored item. ID monitoring. - If you are going to use **Modern authentication**, paste the obtained name. See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) topic for additional information. -![tenantenvironment](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) +![tenantenvironment](/img/product_docs/auditor/auditor/admin/monitoringplans/tenantenvironment.webp) If you are using a government tenant, please click the **Tenant Environment** tab and select the desired tenant environment. @@ -58,7 +58,7 @@ desired tenant environment. _user@domain.onmicrosoft.com_. - The **Tenant name** field then will be filled in automatically. - Make sure this user account has sufficient access rights. See - [Using Basic Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/basicauth.md) + [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md) topic for additional information. - Modern authentication: 
@@ -71,12 +71,12 @@ desired tenant environment. - **Application secret**. - See the - [Using Modern Authentication with Microsoft Entra ID](../../../configuration/microsoft365/microsoftentraid/modernauth.md) + [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) for additional information. **Step 3 –** Click the **Add** button. -![Add Office 365 Item window](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) +![Add Office 365 Item window](/img/product_docs/auditor/auditor/admin/monitoringplans/item_o365_basic_auth_thumb_0_0.webp) You can use a single account to collect audit data for different Office 365 services (Microsoft Entra ID, Exchange Online, SharePoint Online); however, Netwrix recommends that you specify 
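Review bot: The image in the `+![Add Office 365 Item window](/img/product_docs/...)` line no longer points at a file path that exists in the repository, because the `static/` segment is dropped and the path is now root-relative. It only resolves if the site build serves `static/` at the web root, so please confirm the build fails on unresolved image paths; otherwise a typo in one of these rewritten paths will ship as a silently missing screenshot. Minor: the reference above it reads "See the [Using Modern Authentication with Microsoft Entra ID](...) for additional information" without the word "topic" that the other references in this file use.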
@@ -89,14 +89,14 @@ individual credentials for each of them. | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Audit SharePoint Online configuration and content changes | Configuration and content changes are always audited. | | Audit SharePoint Online read access | Configure Auditor to monitor SharePoint Online read access. | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your SharePoint Online configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. For that, in the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click **OK**. | +| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your SharePoint Online configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. For that, in the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click **OK**. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. See the -[Permissions for SharePoint Online Auditing ](../../../configuration/microsoft365/sharepointonline/permissions.md)topic +[Permissions for SharePoint Online Auditing ](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md)topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md b/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md index bac843778c..8f470f0ad0 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md 
@@ -24,7 +24,7 @@ Complete the following fields: | Option | Description | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Specify SQL Server instance | Specify the name of the SQL Server instance. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | Use a combination of server role, environment, instance name (including "DEFAULT" for default instances), and a unique identifier. 
@@ -47,7 +47,7 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Availability group listener | Provide a name of an availability group listener in FQDN or NetBIOS format. The listener is a virtual network name (VNN) that you can connect to in order to access a database in a primary or secondary replica of an Always On availability group. A listener allows you to connect to a replica without having to know the physical instance name of the SQL Server. Ensure that the requirements to the DNS name and Windows permissions requirements are met. See [Configure a listener for an Always On availability group](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/create-or-configure-an-availability-group-listener-sql-server?view=sql-server-ver15) for additional information. | | Availability group name | Enter a name of your SQL Server availability group. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. 
A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | Extend the SQL Server instance name with a replica role (Primary/Secondary), AG identifier, and a unique identifier. diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md index ec988e7303..9ebef5a27f 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [SQL Server](../../../configuration/sqlserver/overview.md) – Configure data source as required to +- [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) – Configure data source as required to be monitored To configure SQL Server data source settings, use the following property tabs: @@ -23,7 +23,7 @@ When finished, review your data source settings and click **Add** to go back to created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See the -[Add Item to the SQL Server](items.md) topic for additional information. +[Add Item to the SQL Server](/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md) topic for additional information. ## General settings 
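Review bot: The `[Add Item to the SQL Server](items.md)` link was a same-directory reference and now hard-codes `/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/items.md`, pinning the `10.7` path segment like every other rewritten link in this file. When this tree is copied for the next release, these links will still resolve, but to the 10.7 pages, so a broken-link check will not catch them. If absolute paths are required by the build, document the version-bump step (for example a path rewrite across the copied tree) in the README alongside this change, or keep same-directory links relative.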
@@ -35,17 +35,17 @@ On the **General** tab, you can configure the following settings for SQL Server | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Monitor SQL Server configuration changes | Always enabled, as SQL Server configuration changes are always monitored. | | Monitor SQL Server logon activity | Specify what types of logon events you want to monitor: successful or failed, performed through Windows and SQL authentication. - Failed logons - Successfullogons | -| Collect data for state-in-time reports | Configure Netwrix Auditor to store the snapshots of your SQL Server instance configuration — you will require them for state-in-time reports generation. See [State–In–Time Reports](../../reports/types/stateintime/overview.md) for more information. **CAUTION:** The State-in-Time functionality is not available for SQL Server Availability Groups. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. To import snapshots, you must be assigned the Global administrator or the Global reviewer role in Netwrix Auditor. 1. In the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. 2. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. 3. When finished, click **OK**. See also [Using historical data](../overview.md#using-historical-data). | +| Collect data for state-in-time reports | Configure Netwrix Auditor to store the snapshots of your SQL Server instance configuration — you will require them for state-in-time reports generation. 
See [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) for more information. **CAUTION:** The State-in-Time functionality is not available for SQL Server Availability Groups. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. To import snapshots, you must be assigned the Global administrator or the Global reviewer role in Netwrix Auditor. 1. In the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. 2. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. 3. When finished, click **OK**. See also [Using historical data](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md#using-historical-data). | ## Users On the **Users** tab, you can configure the following settings for SQL Server data source: -![data_source_sql_users_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_users_thumb_0_0.webp) +![data_source_sql_users_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_users_thumb_0_0.webp) | Options | Description | | ------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Specify users to track their activity | Select the option you need to fine-tune your SQL Server monitoring scope. 
- **Monitor all users** - **Include only users matching these criteria** - **Exclude users matching these criteria** For example, you may need to track only actions performed by administrative accounts, or exclude the activity initiated by ordinary applications. If so, data should be filtered accordingly before it appears in search results, reports and Activity Summaries. You can create either inclusion or exclusion lists. All filters are applied using AND logic. To create a filter for user activity monitoring, select the related option and click the button on the right. Specify the following: - User — enter the initiator's account as it appears in the "_Who_" column of reports and Activity Summaries, for example: _mydomain\user1_. For events containing “_System_” in the “_Who_” column you can enter "_System_" . - Workstation where activity was initiated — enter the workstation name as it is shown in the "_Workstation_" column of reports and Activity Summaries, for example: _StationWin2016_. - Application that initiated the activity — enter the application name as shown next to "_Application name_" in details of reports and Activity Summaries. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify users to track their activity | Select the option you need to fine-tune your SQL Server monitoring scope. - **Monitor all users** - **Include only users matching these criteria** - **Exclude users matching these criteria** For example, you may need to track only actions performed by administrative accounts, or exclude the activity initiated by ordinary applications. 
If so, data should be filtered accordingly before it appears in search results, reports and Activity Summaries. You can create either inclusion or exclusion lists. All filters are applied using AND logic. To create a filter for user activity monitoring, select the related option and click the button on the right. Specify the following: - User — enter the initiator's account as it appears in the "_Who_" column of reports and Activity Summaries, for example: _mydomain\user1_. For events containing “_System_” in the “_Who_” column you can enter "_System_" . - Workstation where activity was initiated — enter the workstation name as it is shown in the "_Workstation_" column of reports and Activity Summaries, for example: _StationWin2016_. - Application that initiated the activity — enter the application name as shown next to "_Application name_" in details of reports and Activity Summaries. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ## Data 
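Review bot: In the rewritten `Specify users to track their activity` row the link is still followed directly by the next word, `overview.md)topic`, with no space, and the same row has a stray space in `"_System_" .`. The line is being replaced in full, so fix both here rather than carrying them into the new version. The unchanged `Monitor SQL Server logon activity` row in this hunk also reads `Successfullogons`; worth correcting in the same pass since the table is already being touched.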
@@ -63,18 +63,18 @@ is the 'Do not use triggers' mode. | Do not use triggers | Default mode for a new installation of Netwrix Auditor. Data will be collected using the SQL Server traces. This mode allows you to get a sufficient level of detail in the reports and search results without producing additional load on your SQL Server instance. Thus, it is recommended for highly-transactional servers. When using this mode, consider that the "_What_" field of the Activity Record with "_Object type_" = "_Data_" may show incorrect data. The issues occur because the product applies data categories to an entire SQL Server table and not to rows. | | Use triggers for detailed monitoring | However, if you require a very detailed reporting on the data changes, you can select this mode. It will be also selected by default if you are upgrading your Netwrix Auditor deployment. Data will be collected using a set of triggers. For more information on this technology, see [https://kb.netwrix.com/728](https://kb.netwrix.com/728) . It is recommended to use this setting carefully, as collecting large amount of details from a highly-transactional server may affect its performance. Using this mode may lead to issues when altering databases on the monitored SQL Server instances. The issues occur only if the SQL Server service account does not have _Read_ permissions in the Active Directory domain (e.g., a local user account). When using this mode, consider that the "_What_" field of the Activity Record with "_Object type_" = "_Data_" may show incorrect data. The issues occur because the product applies data categories to an entire SQL Server table and not to rows. Switching from the configured triggerless mode may lead to a data loss. The workaround is to force data collection right after enabling the triggers. | | Changes (per transaction) to collect and report: | Specify how many changes per a database transaction you want to be collected. 
For example, you can limit this number to 10 changes per transaction, or collect all changes. It is recommended to adjust this setting carefully, as collecting large number of changes from a highly-transactional server may affect its performance. | -| Monitoring rules | To specify what data changes must be monitored, create at least one **inclusion rule**. Exclusion rules are optional. Click **Add Rule** and configure the following: ![data_source_sql_data_rule_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_data_rule_thumb_0_0.webp) - Type — Select rule type: include or exclude. - Server — Specify a name of the monitored SQL Server instance where the required database resides. Use the _server_name\instance_name_ format, for example, _SQLsrv11\SQLExpress2016_. **NOTE:** If you are going to configure monitoring rules for SQL Server Availability Groups, provide the name of your Availability Group item in this field. - Database — Specify the database whose data changes you want to monitor. - Table — Specify database table to monitor. - Column—Specify table column name. The following column types are currently not supported: `text, ntext, image, binary, varbinary, timestamp, sql_variant`. These filters will be applied using AND logic. Wildcard (\*) is supported and can be used to replace any number of characters. | +| Monitoring rules | To specify what data changes must be monitored, create at least one **inclusion rule**. Exclusion rules are optional. Click **Add Rule** and configure the following: ![data_source_sql_data_rule_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_data_rule_thumb_0_0.webp) - Type — Select rule type: include or exclude. - Server — Specify a name of the monitored SQL Server instance where the required database resides. Use the _server_name\instance_name_ format, for example, _SQLsrv11\SQLExpress2016_. 
**NOTE:** If you are going to configure monitoring rules for SQL Server Availability Groups, provide the name of your Availability Group item in this field. - Database — Specify the database whose data changes you want to monitor. - Table — Specify database table to monitor. - Column—Specify table column name. The following column types are currently not supported: `text, ntext, image, binary, varbinary, timestamp, sql_variant`. These filters will be applied using AND logic. Wildcard (\*) is supported and can be used to replace any number of characters. | ## Audit SELECT Use the settings in this section to configure how the successful SELECT statements should be audited. -![data_source_sql_audit_select_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_audit_select_thumb_0_0.webp) +![data_source_sql_audit_select_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_audit_select_thumb_0_0.webp) | Option | Description | | ---------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | --- | --- | | --- | --- | | Audit successful SELECT statements | Enable monitoring of successful SELECT statements for the database tables. Successful SELECT statement execution will be reported as Read operation on the database table. Auditing SELECT statements will increase the amount of data collected from the SQL Server instance and stored to long-term archive and audit database. Plan for your resources accordingly. | -| Monitoring rules | To specify what data changes will be monitored, you must create at least one **inclusion rule**. Exclusion rules are optional. 
Click **Add Inclusion** and specify the following: ![data_source_sql_audit_select_rule_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_audit_select_rule_thumb_0_0.webp) - Server — specify target SQL Server instance in the server\instance format. **NOTE:** If you are going to configure monitoring rules for SQL Server Availability Groups, provide the name of your Availability Group item in this field. - Database — specify target database - Schema — specify database schema - Table — specify database table you will monitor Wildcard (\*) is supported and can be used to replace any number of characters. Filters will be applied using AND logic, that is, only SELECT statements matching all specified criteria will be monitored. So, in the example above, the program will track and report only the successful SELECT statements executed against the _Applicants_ table of the _HR2019_ database with _Custom_ schema, hosted on the _SQLsrv02\TestInstance_. When finished, click **Add**. If needed, configure the exclusion rules in a similar way. | +| Monitoring rules | To specify what data changes will be monitored, you must create at least one **inclusion rule**. Exclusion rules are optional. Click **Add Inclusion** and specify the following: ![data_source_sql_audit_select_rule_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/sqlserver/data_source_sql_audit_select_rule_thumb_0_0.webp) - Server — specify target SQL Server instance in the server\instance format. **NOTE:** If you are going to configure monitoring rules for SQL Server Availability Groups, provide the name of your Availability Group item in this field. - Database — specify target database - Schema — specify database schema - Table — specify database table you will monitor Wildcard (\*) is supported and can be used to replace any number of characters. 
Filters will be applied using AND logic, that is, only SELECT statements matching all specified criteria will be monitored. So, in the example above, the program will track and report only the successful SELECT statements executed against the _Applicants_ table of the _HR2019_ database with _Custom_ schema, hosted on the _SQLsrv02\TestInstance_. When finished, click **Add**. If needed, configure the exclusion rules in a similar way. | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md index e44e358c1d..a6868e287a 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md @@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [User Activity](../../../configuration/useractivity/overview.md) – Configure data source as +- [User Activity](/docs/auditor/10.7/auditor/configuration/useractivity/overview.md) – Configure data source as required to be monitored Complete the following fields: 
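Review bot: Every link in this prerequisites list now hardcodes the version directory, for example `/docs/auditor/10.7/auditor/requirements/ports.md`, where the old `../../../requirements/ports.md` was independent of the version folder. If this tree is copied for a later release, these links will keep pointing into 10.7 and will still resolve as long as that tree exists, so nothing will flag them. Either document a path rewrite as part of the version-bump procedure or add a link check that rejects cross-version targets.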
@@ -29,12 +29,12 @@ Complete the following fields: | Applications | | | Specify applications you want to track | Select the applications that you want to monitor. You can select All applications or create a list of Specific applications. Certain applications can also be added to Exceptions list. | | Monitored Computers | | -| For a newly created monitoring plan for User Activity, the list of monitored computers is empty. Add items to your monitoring plan and wait until Netwrix Auditor retrieves all computers within these items. See [Add Items for Monitoring](../datasources.md#add-items-for-monitoring)for more information. The list contains computer name, its current status and last activity time. | | +| For a newly created monitoring plan for User Activity, the list of monitored computers is empty. Add items to your monitoring plan and wait until Netwrix Auditor retrieves all computers within these items. See [Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring)for more information. The list contains computer name, its current status and last activity time. | | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## How to Include/Exclude Applications 
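Review bot: In the Monitored Computers row the new link is followed immediately by text, `datasources.md#add-items-for-monitoring)for more information`, while the same link in the paragraph below it is spaced correctly. Insert the missing space in the table cell while this line is being changed.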
@@ -73,11 +73,11 @@ To exclude the Notepad application window with "_Document1_" open, add the follo - In the Title filter enter "_Document1.txt - Notepad_": - ![uavr_source_example_1](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/useractivity/uavr_source_example_1.webp) + ![uavr_source_example_1](/img/product_docs/auditor/auditor/admin/monitoringplans/useractivity/uavr_source_example_1.webp) - In the Description filter, enter the corresponding value, here it will be "_Notepad_". -![uavr_source_example_2_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/useractivity/uavr_source_example_2_thumb_0_0.webp) +![uavr_source_example_2_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/useractivity/uavr_source_example_2_thumb_0_0.webp) ## Computer 
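Review bot: Both image references move from a repository-relative path under `static/img/` to the root-absolute `/img/...`, which resolves only when the build publishes `static/` at the site root; a plain Markdown preview of the repository will no longer display them. Confirm that the build fails on unresolved image paths, and since these lines are touched, consider replacing the file-name alt text (`uavr_source_example_1`) with a short description of the screenshot.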
@@ -92,7 +92,7 @@ Complete the following fields: | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify a computer | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. | ## IP Range 
@@ -102,7 +102,7 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify IP range | Specify an IP range for the audited computers. To exclude computers from within the specified range, click **Exclude**. Enter the IP subrange you want to exclude, and click **Add**. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | ## AD Container 
@@ -112,4 +112,4 @@ Complete the following fields: | --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. A custom account must be granted the same permissions and access rights as the default account used for data collection. 
See the[Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md index 6a14bfc222..035c84bc52 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md 
@@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [VMware](../../../configuration/vmware/overview.md) – Configure data source as required to be +- [VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) – Configure data source as required to be monitored For this data source, specify the options you need: 
@@ -19,20 +19,20 @@ For this data source, specify the options you need: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Monitor VMware configuration changes | Configuration changes are always monitored for VMware data source. See the Data Collection from VMware Servers topic  for additional information. | | Monitor VMware logon activity | Specify what types of logon events you want to monitor for VMware infrastructure. | -| Monitor SSO users/groups on vCenter and Local users on ESXi sever | Select Enable monitoring if you want to audit the following users and groups: - vCenter Single Sign-On (SSO) Users. The product collects data from vCenter. - Localos users. For these users, the product collects data from ESXi and vCenter. - VMware groups. The product collects data from vCenter. To audit users and groups, vCenter 6.5 and above required. Check that your data collecting account has all required rights and permissions. See the [Permissions for VMware Server Auditing ](../../../configuration/vmware/permissions.md) topic for additional information. | +| Monitor SSO users/groups on vCenter and Local users on ESXi sever | Select Enable monitoring if you want to audit the following users and groups: - vCenter Single Sign-On (SSO) Users. The product collects data from vCenter. - Localos users. For these users, the product collects data from ESXi and vCenter. - VMware groups. The product collects data from vCenter. To audit users and groups, vCenter 6.5 and above required. Check that your data collecting account has all required rights and permissions. See the [Permissions for VMware Server Auditing ](/docs/auditor/10.7/auditor/configuration/vmware/permissions.md) topic for additional information. 
| | Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your VMware system configuration required for further state-in-time reports generation. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Follow the steps to import snapshots. **Step 1 –** In the Manage historical snapshots section, click Manage. **Step 2 –** Select the snapshots that you want to import. **Step 3 –** Move the selected snapshots to the Snapshots available for reporting list using the arrow button. **Step 4 –** When finished, click OK. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Data Collection from VMware Servers On a high level, data collection process for VMware servers works as follows: -![hiw_diagram_vma_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/monitoringplans/vmware/hiw_diagram_vma_thumb_0_0.webp) +![hiw_diagram_vma_thumb_0_0](/img/product_docs/auditor/auditor/admin/monitoringplans/vmware/hiw_diagram_vma_thumb_0_0.webp) VMware administrator prepares a dedicated service account with sufficient permissions to collect data from VMware servers. This account must have at least **Read Only role** on those servers. For 
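Review bot: The SSO users/groups row keeps a trailing space inside the link text, `[Permissions for VMware Server Auditing ](...)`, and the option name in the same row still reads "ESXi sever". Both sit on the line this hunk rewrites, so trim the space here and correct "sever" to "server" unless it deliberately mirrors the label shown in the product UI.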
@@ -45,7 +45,7 @@ Netwrix administrator does the following: as a data collecting account in the **Monitoring Plan wizard**. Then s/he adds items to the monitoring plan – these are VMware servers to collect data from. - Configures alerts related to VMware data source. Current version does not include predefined - alerts for that data source, so follow the [Create Alerts](../../alertsettings/create.md) to + alerts for that data source, so follow the [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) to create and configure the necessary alerts. - Remember to set the filter to “**Data Source\_**equals**\_VMware**”. 
@@ -86,6 +86,6 @@ Complete the following fields: | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **General** | | | Specify VMware ESX, ESXi, or vCenter for monitoring | Specify the ESX or ESXi host URL, or vCenter Server URL. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See [Permissions for VMware Server Auditing ](../../../configuration/vmware/permissions.md)topic for more information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See [Permissions for VMware Server Auditing ](/docs/auditor/10.7/auditor/configuration/vmware/permissions.md)topic for more information. | | **Virtual Machines** | | -| Specify monitoring restrictions | Select the virtual machines to be excluded from search results, reports and Activity Summaries. To add VMs to the list, click Add. Then provide the full path of the machine to exclude. Consider the following: - To exclude a single VM, provide its full path as shown in the "_What_" column of reports and Activity Summary, for example: _Vcenters\VCenterServer021\VMs\vm01_. - To exclude several VMs, you can define a mask using a wildcard, for example: - _\*\TestVM\*_ — exclude VMs with names starting with _TestVM_ (e.g., _TestVM01, TestVM_new_), located anywhere. - _\*TestVM\*_ — exclude VMs with names containing _TestVM_ (e.g., _MyTestVM02_). In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Select the virtual machines to be excluded from search results, reports and Activity Summaries. To add VMs to the list, click Add. Then provide the full path of the machine to exclude. Consider the following: - To exclude a single VM, provide its full path as shown in the "_What_" column of reports and Activity Summary, for example: _Vcenters\VCenterServer021\VMs\vm01_. 
- To exclude several VMs, you can define a mask using a wildcard, for example: - _\*\TestVM\*_ — exclude VMs with names starting with _TestVM_ (e.g., _TestVM01, TestVM_new_), located anywhere. - _\*TestVM\*_ — exclude VMs with names containing _TestVM_ (e.g., _MyTestVM02_). In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/monitoringplans/windows/overview.md b/docs/auditor/10.7/auditor/admin/monitoringplans/windows/overview.md index 08718dbebd..2cb6fbbecc 100644 --- a/docs/auditor/10.7/auditor/admin/monitoringplans/windows/overview.md +++ b/docs/auditor/10.7/auditor/admin/monitoringplans/windows/overview.md @@ -3,13 +3,13 @@ **NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in the following topics: -- [Protocols and Ports Required](../../../requirements/ports.md) – To ensure successful data +- [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) – To ensure successful data collection and activity monitoring configure necessary protocols and ports for inbound and outbound connections -- [Data Collecting Account](../dataaccounts.md) – Configure data collecting accounts as required to +- [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to audit your IT systems -- [Windows Server](../../../configuration/windowsserver/overview.md) – Configure data source as +- [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) – Configure data source as required to be monitored Complete the following fields: 
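Review bot: The replaced list items in this prerequisites block are no longer hard-wrapped like the context around them: the new `[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md)` line is far longer than its continuation line `audit your IT systems`. Re-run the Markdown formatter on the file so the change does not leave mixed line lengths that will show up as noise in later diffs.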
@@ -20,15 +20,15 @@ Complete the following fields: | Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. | | Monitor changes to system components | Select the system components that you want to audit for changes. Review the following for additional information: - General computer settings—Enables auditing of general computer settings. For example, computer name or workgroup changes. - Hardware—Enables auditing of hardware devices configuration. For example, your network adapter configuration changes. - Add/Remove programs—Enables auditing of installed and removed programs. For example, Microsoft Office package has been removed from the audited Windows Server. - Services—Enables auditing of started/stopped services. For example, the Windows Firewall service stopped. - Audit policies—Enables auditing of local advanced audit policies configuration. For example, the Audit User Account Management advanced audit policy is set to "_Failure_". - DHCP configuration—Enables auditing of DHCP configuration changes. - Scheduled tasks—Enables auditing of enabled / disabled / modified scheduled tasks. For example, the GoogleUpdateTaskMachineUA scheduled task trigger changes. - Local users and groups—Enables auditing of local users and groups. For example, an unknown user was added to the Administrators group. - DNS configuration—Enables auditing of your DNS configuration changes. For example, your DNS security parameters' changes. - DNS resource records—Enables auditing of all types of DNS resource records. For example, A-type resource records (Address record) changes. - File shares—Enables auditing of created / removed / modified file shares and their properties. For example, a new file share was created on the audited Windows Server. - Removable media—Enables auditing of USB thumb drives insertion. 
| | Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. | -| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Windows Server](../../../configuration/windowsserver/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. | -| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](../../reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. 
Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | +| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. 
| +| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. | | Activity | | -| Specify monitoring restrictions | Specify restriction filters to narrow your Windows Server monitoring scope (search results, reports and Activity Summaries). For example, you can exclude system activity on a particular objects on all computers. All filters are applied using AND logic. Click Add and complete the following fields: - User who initiated the change: – provide the name of the user whose changes you want to ignore as shown in the "_Who_" column of reports and Activity Summaries. Example: _mydomain\user1_. You can provide the "_System_" value to exclude events containing the “_System_” instead of an account name in the “_Who_” column. - Windows Server which setting was changed: – provide the name of the server in your IT infrastructure whose changes you want to ignore as shown in the "_What_" column of reports and Activity Summaries. Example: _winsrv2016-01.mydomain.local_. - Setting changed: – provide the name for unwanted settings as shown in the "_What_" column in reports and Activity Summaries. Example: _System Properties\*_. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your Windows Server monitoring scope (search results, reports and Activity Summaries). For example, you can exclude system activity on a particular objects on all computers. All filters are applied using AND logic. 
Click Add and complete the following fields: - User who initiated the change: – provide the name of the user whose changes you want to ignore as shown in the "_Who_" column of reports and Activity Summaries. Example: _mydomain\user1_. You can provide the "_System_" value to exclude events containing the “_System_” instead of an account name in the “_Who_” column. - Windows Server which setting was changed: – provide the name of the server in your IT infrastructure whose changes you want to ignore as shown in the "_What_" column of reports and Activity Summaries. Example: _winsrv2016-01.mydomain.local_. - Setting changed: – provide the name for unwanted settings as shown in the "_What_" column in reports and Activity Summaries. Example: _System Properties\*_. You can use a wildcard (\*) to replace any number of characters in filters. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | Review your data source settings and click **Add** to go back to your plan. The newly created data source will appear in the **Data source** list. As a next step, click **Add item** to specify an object for monitoring. See the -[Add Items for Monitoring](../datasources.md#add-items-for-monitoring) topic for additional +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ## Computer 
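Review bot: The replacement links in this hunk hard-code the release directory, for example `/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md` and `/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring`, where the removed links (`../../../configuration/windowsserver/overview.md`, `../datasources.md#add-items-for-monitoring`) resolved inside whichever version directory the file lives in. If this tree is ever copied to another version directory, these links will still resolve, but to the 10.7 pages, so a broken-link check will not catch them. Either keep relative links for targets inside the same version tree, or add a lint step that fails when a file under `docs/auditor/<version>/` links to a different `<version>`, and state the chosen convention in the commit message.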
@@ -38,15 +38,15 @@ account (other than the one you specified during monitoring plan creation), sele want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default - account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for + account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the - [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic for additional + [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the - [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. + [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. ## IP Range 
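Review bot: The three `+` lines in this hunk break the hard wrap used by the surrounding list items. The removed lines fit the wrap width, while `account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for` and the two lines like it run far past it because the longer URL was substituted in place. Re-wrap the affected list items (or run the repository's Markdown formatter over the file) so later diffs of these paragraphs stay readable.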
@@ -56,7 +56,7 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify IP range | Specify an IP range for the audited computers. To exclude computers from within the specified range, click **Exclude**. Enter the IP subrange you want to exclude, and click **Add**. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | ## AD Container 
@@ -66,16 +66,16 @@ Complete the following fields: | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | General | | | Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. | -| Specify the account for collecting data | Select the account that will be used to collect data for this item. 
If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](../../../configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](../dataaccounts.md) topic for additional information. | +| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. 
A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. | | Containers and Computers | | | Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. | -| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](../overview.md)topic for additional information. | +| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. 
Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic for additional information. | ## Use Netwrix Privilege Secure as a Data Collecting Account Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../settings/privilegesecure.md) topic for additional information about +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. 
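Review bot: Two spacing defects are carried from the `-` rows into the `+` rows of this hunk: `See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md)` has no space before the link, and `[Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md)topic` has none after it. Both rows are being rewritten anyway, so fix them here as `See the [Data Collecting Account](...)` and `(...overview.md) topic`. The same `overview.md)topic` pattern appears in the "Specify monitoring restrictions" row of the `@@ -20,15` hunk in this file.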
@@ -87,7 +87,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the @@ -100,7 +100,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/admin/navigation/customizeexamples.md b/docs/auditor/10.7/auditor/admin/navigation/customizeexamples.md index d9e99df1e5..b7733b0bcb 100644 --- a/docs/auditor/10.7/auditor/admin/navigation/customizeexamples.md +++ b/docs/auditor/10.7/auditor/admin/navigation/customizeexamples.md 
@@ -11,14 +11,14 @@ Follow the steps to view a report and add it to the list of Favorites. **Step 2 –** Open a report you are interested in; for example, Account Permissions in Active Directory: -![scenario_reports_1](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/scenario_reports_1.webp) +![scenario_reports_1](/img/product_docs/auditor/auditor/admin/navigation/scenario_reports_1.webp) **Step 3 –** Click the report menu (three dots) to the right and select Add to favorites. (Alternatively, click the star icon in the upper right corner of the report description.) The report is added to the Favorite reports section on the home page and you can run it instantly. -![scenario_reports_2](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/scenario_reports_2.webp) +![scenario_reports_2](/img/product_docs/auditor/auditor/admin/navigation/scenario_reports_2.webp) ## Run Search and Create Alert @@ -27,7 +27,7 @@ Follow the steps to run search and create the alert based on the search filters. **Step 1 –** On the main Auditor page, click the Search Activity Records tile. **Step 2 –** Specify search filters to narrow your search results. See the -[Use Filters in Simple Mode](../search/filtersimple.md) topic for additional information. +[Use Filters in Simple Mode](/docs/auditor/10.7/auditor/admin/search/filtersimple.md) topic for additional information. **Step 3 –** Click Search. 
@@ -37,7 +37,7 @@ Follow the steps to run search and create the alert based on the search filters. suspicious activity that matches your current search criteria. **Step 6 –** Specify a name for the new alert. See the -[Create Alerts](../alertsettings/create.md)topic for additional information. +[Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md)topic for additional information. Now, whenever there is activity that matches your search criteria, the appropriate people will receive a notification. You can also review the list of triggered alerts by clicking the Alerts tile @@ -51,7 +51,7 @@ Follow the steps to review risks and pin important ones to the Home Screen. **Step 2 –** Review the Risk Assessment Overview dashbord and select the risk you are interested in, such as "_User Accounts with administrative permissions_". See the -[IT Risk Assessment Overview ](../riskassessment/overview.md) topic for additional information. +[IT Risk Assessment Overview ](/docs/auditor/10.7/auditor/admin/riskassessment/overview.md) topic for additional information. **Step 3 –** To access this risk quickly, pin it to the home page, as follows: @@ -60,7 +60,7 @@ such as "_User Accounts with administrative permissions_". See the 3. Search the group of risks you want to pin to the home page (in this case, the "_Permissions_" risks group): - ![scenario_risks_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/scenario_risks_thumb_0_0.webp) + ![scenario_risks_thumb_0_0](/img/product_docs/auditor/auditor/admin/navigation/scenario_risks_thumb_0_0.webp) **Step 4 –** Click Add. 
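Review bot: In the `@@ -51,7` hunk of customizeexamples.md the `+` line keeps a trailing space inside the link label, `[IT Risk Assessment Overview ](/docs/auditor/10.7/auditor/admin/riskassessment/overview.md)`, and in the `@@ -37,7` hunk the `+` line keeps `[Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md)topic` with no space before "topic". Since both lines are touched by this change, tidy them in the same commit: drop the space before `]` and add one after `)`.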
@@ -70,4 +70,4 @@ The selected risks group is added to the home screen. Personalize the home page of the product depending on your business needs. Review the customization settings and collect only required tiles for quick access on the Auditor home page. See the -[Customize Home Screen](customizehome.md) topic for additional information. +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/navigation/customizefavorite.md b/docs/auditor/10.7/auditor/admin/navigation/customizefavorite.md index c7f28e102c..41e30a46cf 100644 --- a/docs/auditor/10.7/auditor/admin/navigation/customizefavorite.md +++ b/docs/auditor/10.7/auditor/admin/navigation/customizefavorite.md @@ -6,7 +6,7 @@ update the full list, click View all. The Home > Reports page opens. This page includes several folders: Favorites, Predefined, Compliance and Custom. Favorite reports are located in the Favorites folder. -![reportsfavorites](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/reportsfavorites.webp) +![reportsfavorites](/img/product_docs/auditor/auditor/admin/navigation/reportsfavorites.webp) Follow the steps to add or remove a Favorite report @@ -17,7 +17,7 @@ Follow the steps to add or remove a Favorite report **Step 3 –** To change whether the report is a favorite, click the star icon in the upper right-hand corner of the report description. -![reportsummary](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/reportsummary.webp) +![reportsummary](/img/product_docs/auditor/auditor/admin/navigation/reportsummary.webp) Report Summary with Star icon unchecked 
@@ -27,14 +27,14 @@ The options on the Reports page for Favorite reports are show below: | | | | -------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![favoritesrestorerefresh](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/favoritesrestorerefresh.webp) | ![reportsoptions](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/reportsoptions.webp) | +| ![favoritesrestorerefresh](/img/product_docs/auditor/auditor/admin/navigation/favoritesrestorerefresh.webp) | ![reportsoptions](/img/product_docs/auditor/auditor/admin/navigation/reportsoptions.webp) | | _Favorites Sub-Folder Options_ | _Favorites > [Report] Options_ | | Option Name | Description | | --- | --- | | Restore Default | Repopulates the Favorites sub-folder with all reports that have been marked Favorite. When using Role-Based Access in Netwrix Auditor, if several users mark the same report as **Favorite**, then that report will be removed from the Favorites list if a user removes the report from the Favorites list. Using the **Restore Default** option will re-add the report to the Favorites list for all users that have not removed the Favorite mark. | | Refresh | Runs the reports in the Favorites folder to display the most recent information. | -| View | Opens the Preview Report page. There, you can modify report options (such as the timeframe) if desired, and then click View Report to see the resulting report. 
See the [View Reports](../reports/view.md) topic for additional information. | -| Subscribe | Opens the Add Subscription to Report page. See the [Create Subscriptions](../subscriptions/create.md) topic for additional information. | +| View | Opens the Preview Report page. There, you can modify report options (such as the timeframe) if desired, and then click View Report to see the resulting report. See the [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. | +| Subscribe | Opens the Add Subscription to Report page. See the [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md) topic for additional information. | | Add to Favorites | This option is greyed out when viewing the Favorites list, since all the reports shown have already been added to Favorites. | | Remove from Favorites | Removes a report from the Favorites list. This option provides the same function as removing a report as a favorite using the **Star** icon. | | Go to Original | Expands the sub-folder in which the report is originally located. For example, clicking **Go to Original** for the Enterprise Overview report will expand the **Predefined > Organization Level Reports** sub-folder. | diff --git a/docs/auditor/10.7/auditor/admin/navigation/customizehome.md b/docs/auditor/10.7/auditor/admin/navigation/customizehome.md index 46ff66333f..09a33f2a60 100644 --- a/docs/auditor/10.7/auditor/admin/navigation/customizehome.md +++ b/docs/auditor/10.7/auditor/admin/navigation/customizehome.md @@ -33,7 +33,7 @@ Follow the steps to remove a tile from the Home Screen. **Step 3 –** Click **close (x)**: -![remove_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/remove_tile.webp) +![remove_tile](/img/product_docs/auditor/auditor/admin/navigation/remove_tile.webp) **Step 4 –** Click Apply. 
@@ -55,7 +55,7 @@ Follow the steps to resizea tile. **Step 3 –** Click the **resize** button: -![homescreenresizetile](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/homescreenresizetile.webp) +![homescreenresizetile](/img/product_docs/auditor/auditor/admin/navigation/homescreenresizetile.webp) **Step 4 –** Select the preferred size from the drop-down list. diff --git a/docs/auditor/10.7/auditor/admin/navigation/overview.md b/docs/auditor/10.7/auditor/admin/navigation/overview.md index cf763550d2..e0c29e70b2 100644 --- a/docs/auditor/10.7/auditor/admin/navigation/overview.md +++ b/docs/auditor/10.7/auditor/admin/navigation/overview.md 
@@ -19,38 +19,38 @@ information. The following tiles are displayed on the initially configured Home The Welcome to Netwrix Auditor Tile tile provides a checklist you can use to get started collecting and viewing data about your IT ecosystem. -![welcome_section](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/welcome_section.webp) +![welcome_section](/img/product_docs/auditor/auditor/admin/navigation/welcome_section.webp) - The "Create a monitoring plan" link prompts you to create a monitoring plan for at least one data source (such as Active Directory, Exchange Online or network devices). For detailed instructions - on how to create a monitoring plan, see the [Monitoring Plans](../monitoringplans/overview.md) + on how to create a monitoring plan, see the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md) topic for additional information. Wait until the initial data collection completes. - Clicking the second link opens a dashboard that lists all the monitoring plans you’ve created, along with the status and last activity time for each. Review this list and address any errors or - warnings. See the [Monitoring Overview](../healthstatus/dashboard/monitoringoverview.md) topic for + warnings. See the [Monitoring Overview](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md) topic for additional information. - Once have created a monitoring plan and verified that it is properly configured, run one or more searches to get insights into your IT infrastructure. See the - [View and Search Collected Data](../search/overview.md) topic for additional information. + [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) topic for additional information. When you have completed these three steps, you can close this tile by clicking the "Close" link at the bottom. The checklist will be replaced by statistics across your audited systems. 
See the -[Customize Home Screen](customizehome.md) topic for additional information. +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topic for additional information. ### Audit Intelligence Tiles This section contains four tiles for getting security intelligence about your IT infrastructure: -![section_left](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/section_left.webp) +![section_left](/img/product_docs/auditor/auditor/admin/navigation/section_left.webp) | Tile | Description | | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| NEW MONITORING PLAN | Create a new monitoring plan for a particular data source. See the [Create a New Monitoring Plan](../monitoringplans/create.md) topic for additional information. | -| SEARCH ACTIVITY RECORDS | Investigate incidents by running interactive searches using data collected across the entire IT infrastructure. See the [View and Search Collected Data](../search/overview.md) topic for additional information. | -| REPORTS | Access the predefined reports for each data source and create custom reports. See the [Reports](../reports/overview.md) topic for additional information. | -| BEHAVIOR ANOMALIES | Detect and investigate unusual behavior in your IT environment. See the [Behavior Anomalies](../behavioranomalies/overview.md) topic for additional information. | +| NEW MONITORING PLAN | Create a new monitoring plan for a particular data source. See the [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. | +| SEARCH ACTIVITY RECORDS | Investigate incidents by running interactive searches using data collected across the entire IT infrastructure. 
See the [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) topic for additional information. | +| REPORTS | Access the predefined reports for each data source and create custom reports. See the [Reports](/docs/auditor/10.7/auditor/admin/reports/overview.md) topic for additional information. | +| BEHAVIOR ANOMALIES | Detect and investigate unusual behavior in your IT environment. See the [Behavior Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md) topic for additional information. | ### Configuration Tile 
@@ -59,35 +59,35 @@ following links: | Option | Description | | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Monitoring plans | Opens the Monitoring plans wizard, where you can add, edit and delete monitoring plans, as well as group them into folders. See the [Monitoring Plans](../monitoringplans/overview.md) topic for additional information. | -| Subscriptions | Opens the Subscriptions wizard, which enables you to subscribe to Auditor reports and searches, so you can easily stay informed about what is going on in your infrastructure. See the [Subscriptions](../subscriptions/overview.md) topic for additional information. | -| Alert settings | Opens the All Alerts wizard, where you can create, edit, and enable or disable alerts on critical events in your environment. See the [Alerts](../alertsettings/overview.md)topic for additional information. | +| Monitoring plans | Opens the Monitoring plans wizard, where you can add, edit and delete monitoring plans, as well as group them into folders. See the [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md) topic for additional information. | +| Subscriptions | Opens the Subscriptions wizard, which enables you to subscribe to Auditor reports and searches, so you can easily stay informed about what is going on in your infrastructure. See the [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. | +| Alert settings | Opens the All Alerts wizard, where you can create, edit, and enable or disable alerts on critical events in your environment. See the [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md)topic for additional information. 
| ## Risk Assessment, Compliance Mapping, Live News, and Health Tiles | Tile | Description | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| RISK ASSESSMENT | Opens the Risk Assessment Overview dashboard, which identifies possible configuration issues in your environment that could impact security. See the [IT Risk Assessment Overview ](../riskassessment/overview.md) topic for additional information. | -| COMPLIANCE MAPPING | Enables you to review how Auditor can help you comply common standards and regulations. See the [Compliance Mappings](../compliancemappings.md) topic for additional information. | +| RISK ASSESSMENT | Opens the Risk Assessment Overview dashboard, which identifies possible configuration issues in your environment that could impact security. See the [IT Risk Assessment Overview ](/docs/auditor/10.7/auditor/admin/riskassessment/overview.md) topic for additional information. | +| COMPLIANCE MAPPING | Enables you to review how Auditor can help you comply common standards and regulations. See the [Compliance Mappings](/docs/auditor/10.7/auditor/admin/compliancemappings.md) topic for additional information. | | LIVE NEWS | Shows the latest Netwrix news, including product updates. | -| HEALTH STATUS | Opens the Health Status dashboard, which provides at-a-glance insight into product health, data collection, storage and more. See the [Health Status Dashboard](../healthstatus/dashboard/overview.md) topic for additional information. | -| ALERTS HISTORY | Clicking this tile opens the Alerts History dashboard, which provides detailed information about the latest alerts triggered in your IT infrastructure, enriched with actionable charts and timelines. 
See the [Alerts Overview Dashboard](../alertsettings/dashboard.md) topic for additional information. | +| HEALTH STATUS | Opens the Health Status dashboard, which provides at-a-glance insight into product health, data collection, storage and more. See the [Health Status Dashboard](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md) topic for additional information. | +| ALERTS HISTORY | Clicking this tile opens the Alerts History dashboard, which provides detailed information about the latest alerts triggered in your IT infrastructure, enriched with actionable charts and timelines. See the [Alerts Overview Dashboard](/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md) topic for additional information. | ## Favorite Reports Initially, the Favorite Reports tile lists the reports that our customers use most frequently. You can add and remove reports to reflect your needs and interests. If you have more favorite reports than can fit in the tile, simply click **View all** to see the complete list. See the -[Customizing Favorite Reports](customizefavorite.md) topic for additional information. +[Customizing Favorite Reports](/docs/auditor/10.7/auditor/admin/navigation/customizefavorite.md) topic for additional information. 
## Other | | | | -------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![alerts_triggered](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/alerts_triggered.webp) | Opens the Alerts Overview dashboard, which lists the latest alerts triggered in your IT infrastructure, enriched with actionable charts and timelines. See the [Alerts Overview Dashboard](../alertsettings/dashboard.md) topic for additional information. | -| ![environment_stats](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/environment_stats.webp) | This tile shows the current number of users, groups, and files and folders in your IT infrastructure in one place. Clicking the link opens the corresponding report: - Users — User Accounts state-in-time report for Active Directory - Groups — Groups state-in-time report for Active Directory - Files and Folders — Folder Tree View state-in-time report for File Servers Click Recalculate to update values. | -| ![monitroing_plans_overview](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/monitroing_plans_overview.webp) | Clicking the tile opens the Monitoring Overview dashboard, which shows the current status of each of your monitoring plans. See the [Monitoring Overview](../healthstatus/dashboard/monitoringoverview.md) topic for additional information. 
| -| ![activity_records](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/activity_records.webp) | Clicking the tile opens the Activity Record Statistics dashboard which shows the number of activity records that were collected from your data sources during the last 7 days. See the [Activity Records Statistics](../healthstatus/dashboard/activityrecordstatistics.md) topic for additional information. | -| ![hs_screen_default_report_1](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/hs_screen_default_report_1.webp) | Opens the listed Auditor report. See the [Custom Search-Based Reports](../reports/types/custom.md) topic for additional information. | -| ![hs_screen_default_report_2](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/hs_screen_default_report_2.webp) | Opens the listed Auditor report. See the [Predefined Reports](../reports/types/overview.md) topic for additional information. | -| ![recommendations_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/recommendations_tile.webp) | Opens the list of the configuration recommendations provided by Netwrix industry experts to take advantage of the Auditor functionality. See the [Recommendations](recommendations.md) topic for additional information. | +| ![alerts_triggered](/img/product_docs/auditor/auditor/admin/navigation/alerts_triggered.webp) | Opens the Alerts Overview dashboard, which lists the latest alerts triggered in your IT infrastructure, enriched with actionable charts and timelines. See the [Alerts Overview Dashboard](/docs/auditor/10.7/auditor/admin/alertsettings/dashboard.md) topic for additional information. | +| ![environment_stats](/img/product_docs/auditor/auditor/admin/navigation/environment_stats.webp) | This tile shows the current number of users, groups, and files and folders in your IT infrastructure in one place. 
Clicking the link opens the corresponding report: - Users — User Accounts state-in-time report for Active Directory - Groups — Groups state-in-time report for Active Directory - Files and Folders — Folder Tree View state-in-time report for File Servers Click Recalculate to update values. | +| ![monitroing_plans_overview](/img/product_docs/auditor/auditor/admin/navigation/monitroing_plans_overview.webp) | Clicking the tile opens the Monitoring Overview dashboard, which shows the current status of each of your monitoring plans. See the [Monitoring Overview](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/monitoringoverview.md) topic for additional information. | +| ![activity_records](/img/product_docs/auditor/auditor/admin/navigation/activity_records.webp) | Clicking the tile opens the Activity Record Statistics dashboard which shows the number of activity records that were collected from your data sources during the last 7 days. See the [Activity Records Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for additional information. | +| ![hs_screen_default_report_1](/img/product_docs/auditor/auditor/admin/navigation/hs_screen_default_report_1.webp) | Opens the listed Auditor report. See the [Custom Search-Based Reports](/docs/auditor/10.7/auditor/admin/reports/types/custom.md) topic for additional information. | +| ![hs_screen_default_report_2](/img/product_docs/auditor/auditor/admin/navigation/hs_screen_default_report_2.webp) | Opens the listed Auditor report. See the [Predefined Reports](/docs/auditor/10.7/auditor/admin/reports/types/overview.md) topic for additional information. | +| ![recommendations_tile](/img/product_docs/auditor/auditor/admin/navigation/recommendations_tile.webp) | Opens the list of the configuration recommendations provided by Netwrix industry experts to take advantage of the Auditor functionality. 
See the [Recommendations](/docs/auditor/10.7/auditor/admin/navigation/recommendations.md) topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/navigation/recommendations.md b/docs/auditor/10.7/auditor/admin/navigation/recommendations.md index d24a4ad75e..c11729c2a1 100644 --- a/docs/auditor/10.7/auditor/admin/navigation/recommendations.md +++ b/docs/auditor/10.7/auditor/admin/navigation/recommendations.md @@ -6,7 +6,7 @@ Netwrix Service Accounts, you can start collecting data and review it with Netwr recommendations are based on your current product configuration and help you to experience the Auditor capabilities in earnest. -![recommendations](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/recommendations.webp) +![recommendations](/img/product_docs/auditor/auditor/admin/navigation/recommendations.webp) Follow the steps to review the recommendations provided by Netwrix industry experts. @@ -28,7 +28,7 @@ To start collecting data with Netwrix Auditor, you need to create a monitoring p data collection, notification, and storage settings and add a source-specific item. This recommendation will appear if you don't have any monitoring plans configured. Clicking the **Add plan** button opens the New Monitoring Plan wizard. See the -[Create a New Plan](../monitoringplans/create.md) topic for additional information about plans +[Create a New Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information about plans configuration. Once completed, you will be prompted to add an item to your plan, otherwise the configuration will be incomplete and the product will not be able to collect data. Auditor automatically suggests item types associated with your data source. 
@@ -38,7 +38,7 @@ automatically suggests item types associated with your data source. If you have a license for several applications, Netwrix suggests enabling each undeployed data source for each purchased application if they were never deployed before. Clicking the **Add plan** button opens the New Monitoring Plan wizard. Select the data source you want to monitor with Netwrix -Auditor and see the [Create a New Plan](../monitoringplans/create.md) topic for additional +Auditor and see the [Create a New Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information about further configuration. ### Enable State-in-Time Data Collection @@ -46,10 +46,10 @@ information about further configuration. If you want to review the state of your system configuration at a specific moment in time, for example, account permissions or group membership, you need to enable the State-in-Time data collection for your data source. See the -[State–in–Time Reports](../reports/types/stateintime/overview.md) topic for additional information +[State–in–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information about the available reports. Clicking the **Go to data source** button opens the settings page of the data source to which this recommendation applies to. See the -[Manage Data Sources](../monitoringplans/datasources.md) topic for additional information. +[Manage Data Sources](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md) topic for additional information. **NOTE:** This recommendation will not be shown for to the File Servers data sources (Windows-based file shares, NetApp Filers, Dell Data Storage, etc.). Navigate to your file server data source and 
@@ -61,10 +61,10 @@ The Health Summary email includes all statistics on the product operations and h 24 hours; it also notifies you about license status. If you have configured monitoring plans with data sources and items, Netwrix recommends subscribing to Health Summary emails to be notified on the problems that need your attention. See the -[Health Summary Email](../healthstatus/summaryemail.md) topic for additional information. +[Health Summary Email](/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md) topic for additional information. Clicking the **Go to Notifications** button opens the Netwrix Auditor notifications settings page. -See the [Notifications](../settings/notifications.md) topic for additional information. +See the [Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) topic for additional information. ### Logon Activity: Start Auditing Item @@ -73,7 +73,7 @@ Netwrix recommends creating a new monitoring plan for the Logon Activity data so details around interactive and non-interactive logons, including failed logon attempts, and users logon and logoff activity on domain controllers in the audited domain. Clicking the **Add plan** button opens the New Monitoring Plan wizard with the Logon Activity as a selected data source. See -the [Create a New Plan](../monitoringplans/create.md) topic for additional information about further +the [Create a New Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information about further configuration. ### Enable Alerts 
@@ -82,7 +82,7 @@ For the configured monitoring plans, Netwrix recommends enabling alerts to be im on the suspicious activity. You can enable predefined alerts or create your custom ones. Clicking the **Open** settings button opens the All Alerts wizard. See the -[Manage Alerts](../alertsettings/overview.md) topic for additional information. +[Manage Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) topic for additional information. ## Manage Recommendations @@ -99,7 +99,7 @@ Follow the steps to manage recommendations: **Step 2 –** Click **Settings** at the bottom. -![managerecommendations](../../../../../../static/img/product_docs/auditor/auditor/admin/navigation/managerecommendations.webp) +![managerecommendations](/img/product_docs/auditor/auditor/admin/navigation/managerecommendations.webp) **Step 3 –** In the Manage recommendations dialog, do the following: diff --git a/docs/auditor/10.7/auditor/admin/reports/overview.md b/docs/auditor/10.7/auditor/admin/reports/overview.md index 1ec89cf89b..8e690ba119 100644 --- a/docs/auditor/10.7/auditor/admin/reports/overview.md +++ b/docs/auditor/10.7/auditor/admin/reports/overview.md 
@@ -8,15 +8,15 @@ Search technology. To review intelligence data, you must be assigned the Global administrator or Global reviewer role in the product. The users assigned the Reviewer role on a certain plan or folder have a limited access to data—only within a delegated scope. See the -[Role-Based Access and Delegation](../monitoringplans/delegation.md) topic for additional +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional informatuion. -![allactivedirectorychanges_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/allactivedirectorychanges_thumb_0_0.webp) +![allactivedirectorychanges_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/allactivedirectorychanges_thumb_0_0.webp) Review general report types available in Netwrix Auditor to meet your specific business needs: | Report type | Description | | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Predefined reports | Predefined reports pack contains over a hundred SSRS-based reports grouped by business categories and data sources. Predefined reports are helpful if you are looking for a ready-to-use template for your business needs. See the [Predefined Reports](types/overview.md) topic for additional information. | -| Compliance reports | For your convenience, specific reports are grouped into folders by corresponding international standards and regulations such as security controls, information security, etc. See the [Compliance Reports](types/compliance.md) topic for additional information. 
| -| Custom reports | For your convenience, the Reports section has been enhanced with Custom reports. Initially, the product provides templates for the best common workflows within Auditor. Later, you can always create custom report from interactive search and find them here. See the [Custom Search-Based Reports](types/custom.md) topic for additional information. | +| Predefined reports | Predefined reports pack contains over a hundred SSRS-based reports grouped by business categories and data sources. Predefined reports are helpful if you are looking for a ready-to-use template for your business needs. See the [Predefined Reports](/docs/auditor/10.7/auditor/admin/reports/types/overview.md) topic for additional information. | +| Compliance reports | For your convenience, specific reports are grouped into folders by corresponding international standards and regulations such as security controls, information security, etc. See the [Compliance Reports](/docs/auditor/10.7/auditor/admin/reports/types/compliance.md) topic for additional information. | +| Custom reports | For your convenience, the Reports section has been enhanced with Custom reports. Initially, the product provides templates for the best common workflows within Auditor. Later, you can always create custom report from interactive search and find them here. See the [Custom Search-Based Reports](/docs/auditor/10.7/auditor/admin/reports/types/custom.md) topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md b/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md index 8ca252606a..e6efba7b64 100644 --- a/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md +++ b/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md 
@@ -12,7 +12,7 @@ issues through the following automated course of action: 1. The reported changes to the monitored environment are assigned the New status by default. 2. If a change seems unauthorized, or requires further analysis, you can click the Click to update status link next to the change detailed data: - ![reviewstatus_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/reviewstatus_thumb_0_0.webp)3. + ![reviewstatus_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/reviewstatus_thumb_0_0.webp)3. In the **Review status** dialog for selected change, set its status to In Review and provide a reason. 3. Once the change has been approved of, or rolled back, you can set its status to Resolved. @@ -34,6 +34,6 @@ sources and items included in each plan, navigate to the Monitoring Plans sectio They list Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](view.md) topic for additional information. You can also create a subscription to any -report you want to receive on a regular basis. See the [Subscriptions](../subscriptions/overview.md) +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any +report you want to receive on a regular basis. See the [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/activity.md b/docs/auditor/10.7/auditor/admin/reports/types/activity.md index 61b73ae5e1..e5af47e460 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/activity.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/activity.md 
@@ -28,9 +28,9 @@ search field to look for the keywords you need: In the report filters, select a monitoring plan you want to generate a report for. To review data sources and items included in each plan, navigate to the Monitoring Plans section. -![allactivedirectorychanges_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/allactivedirectorychanges_thumb_0_0.webp) +![allactivedirectorychanges_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/allactivedirectorychanges_thumb_0_0.webp) Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](../view.md) topic for additional information. You can also create a subscription to +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any report you want to receive on a regular basis. See the -[Subscriptions](../../subscriptions/overview.md) topic for additional information. +[Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/compliance.md b/docs/auditor/10.7/auditor/admin/reports/types/compliance.md index b5f864218b..e28bd2336b 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/compliance.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/compliance.md @@ -23,5 +23,5 @@ sources and items included in each plan, navigate to the Monitoring Plans sectio Review the following for additional information: -- See the [View Reports](../view.md) topic for additional information on how to find the report you +- See the [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information on how to find the report you need and view reports in a web browser. 
diff --git a/docs/auditor/10.7/auditor/admin/reports/types/custom.md b/docs/auditor/10.7/auditor/admin/reports/types/custom.md index dfaa8c3727..cf8af63632 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/custom.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/custom.md @@ -14,7 +14,7 @@ move it to the new folder. The example custom report results apply to AD or Group Policy modifications by administrator. -![customreport_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/customreport_thumb_0_0.webp) +![customreport_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/customreport_thumb_0_0.webp) Review the following for additional information: @@ -28,7 +28,7 @@ Review the following for additional information: 1. On the main Netwrix Auditor page, navigate to Search. 2. Apply filters and click Search. - [View and Search Collected Data](../../search/overview.md) how to apply filters when searching + [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) how to apply filters when searching audit data. 3. Navigate to Tools and select Save as report. @@ -42,7 +42,7 @@ Review the following for additional information: 3. Click View to open search. 4. Modify filters and click Search. - [View and Search Collected Data](../../search/overview.md) how to apply filters when searching + [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) how to apply filters when searching audit data. 5. Navigate to Tools and select Save as report. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/datadiscoveryclassification.md b/docs/auditor/10.7/auditor/admin/reports/types/datadiscoveryclassification.md index 5ad75b5afc..e40069ac15 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/datadiscoveryclassification.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/datadiscoveryclassification.md 
@@ -68,5 +68,5 @@ Applicable for: In addition to reviewing reports, you can customize them with filters and create report subscriptions. Review the following for additional information: -- [View Reports](../view.md) -- [Create Subscriptions](../../subscriptions/create.md) +- [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) +- [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md) diff --git a/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md b/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md index df69bf5c9c..e73793c510 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md @@ -49,9 +49,9 @@ Follow the steps to review a diagram: The example below applies to Enterprise. -![dashboard](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) +![dashboard](/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](../view.md) topic for additional information. You can also create a subscription to +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any report you want to receive on a regular basis. See the -[Subscriptions](../../subscriptions/overview.md) topic for additional information. +[Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/organizationlevel.md b/docs/auditor/10.7/auditor/admin/reports/types/organizationlevel.md index 1cf72972ed..ca1457ff05 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/organizationlevel.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/organizationlevel.md 
@@ -11,8 +11,8 @@ This folder includes: | Report | Details | | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Enterprise Overview | Dashboard report with diagrams showing all activities and changes across the monitored data sources. See also: [Enterprise Overview Dashboard](enterprise.md) | -| All Activity with Review Status | Shows all activity across the entire IT infrastructure, including changes, read access and logons. Features interactive review status to supplement your change management workflow. See also: [Interactive Reports for Change Management Workflow](../reviewstatus.md). | +| Enterprise Overview | Dashboard report with diagrams showing all activities and changes across the monitored data sources. See also: [Enterprise Overview Dashboard](/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md) | +| All Activity with Review Status | Shows all activity across the entire IT infrastructure, including changes, read access and logons. Features interactive review status to supplement your change management workflow. See also: [Interactive Reports for Change Management Workflow](/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md). | | All Changes by Data Source | Shows all changes across your IT infrastructure, grouped by data source. | | All Changes by Server | Shows all changes across the entire IT infrastructure, grouped by the server where the change was made. | | All Changes by User | Shows all changes across your IT infrastructure, grouped by the user who made the change. | 
@@ -20,6 +20,6 @@ This folder includes: | Self-Audit | Help to ensure that the scope of data to be audited is complete and all changes are in line with the workflows adopted by your organization. | Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](../view.md) topic for additional information. You can also create a subscription to +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any report you want to receive on a regular basis. See the -[Subscriptions](../../subscriptions/overview.md) topic for additional information. +[Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/overview.md b/docs/auditor/10.7/auditor/admin/reports/types/overview.md index 956f5cdd6a..290ddb03d7 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/overview.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/overview.md 
@@ -9,11 +9,11 @@ find a report that is right for you, check out the predefined report types avail further analysis. The Enterprise Overview dashboard aggregates the information on changes from all data sources and provides a centralized overview. System-specific dashboards reflect all changes across all monitoring plans where audit of this target system is enabled. See the - [Enterprise Overview Dashboard](enterprise.md) topic for additional information. + [Enterprise Overview Dashboard](/docs/auditor/10.7/auditor/admin/reports/types/enterprise.md) topic for additional information. - Organization level reports—High-level reports that aggregate data from all data sources and monitoring plans. They list all activity that occurred across the audited IT infrastructure. Enterprise Overview provides bird's eye view of changes and activity from all data sources and - provides a centralized overview. See the [ Organization Level Reports](organizationlevel.md) topic + provides a centralized overview. See the [ Organization Level Reports](/docs/auditor/10.7/auditor/admin/reports/types/organizationlevel.md) topic for additional information. - Overview diagrams—System-specific diagram reports that aggregate audit data for an auditing system. They provide a high-level overview of changes within a selected time period. Overviews 
@@ -23,25 +23,25 @@ find a report that is right for you, check out the predefined report types avail source within specified monitoring plans. These reports show detailed data on changes and activity and provide grouping, sorting and filtering capabilities. Each report has a different set of filters allowing you to manage collected data in the most convenient way. See the - [Change and Activity Reports](activity.md) topic for additional information. + [Change and Activity Reports](/docs/auditor/10.7/auditor/admin/reports/types/activity.md) topic for additional information. - State-in-time reports—System-specific reports that aggregate data for a specific data source within a specified individual monitoring plan and allow reviewing the point-in-time state of the data source. These reports are based on daily snapshots and help you paint a picture of your system configuration at a specific moment in time. Currently, the Windows Server State-in-Time report set provides baselining functionality that help identify aberrant servers. See the - [State–In–Time Reports](stateintime/overview.md) topic for additional information. + [State–In–Time Reports](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md) topic for additional information. - Changes with video reports—Windows server-based reports that provide video recordings of user - activity on audited computers. See the [Reports with Video](../video.md) topic for additional + activity on audited computers. See the [Reports with Video](/docs/auditor/10.7/auditor/admin/reports/video.md) topic for additional information. - Changes with review status reports—Both system-specific and overview reports that can be used in the basic change management process. These reports allow setting a review status for each change and providing comments. 
See the - [Interactive Reports for Change Management Workflow](../reviewstatus.md) topic for additional + [Interactive Reports for Change Management Workflow](/docs/auditor/10.7/auditor/admin/reports/reviewstatus.md) topic for additional information. Review the following for additional information: -- See the [View Reports](../view.md) topic for additional information on how to find the report you +- See the [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information on how to find the report you need and view reports in a web browser. -- See the [View Reports](../view.md) topic for additional information on how to apply filters to +- See the [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information on how to apply filters to reports. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/activedirectory.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/activedirectory.md index 91004b32bc..9f798ad51f 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/activedirectory.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/activedirectory.md @@ -6,7 +6,7 @@ Examine the Active Directory state-in-time data on the user account attributes: To instruct Netwrix Auditor to collect data needed for the report, make sure that **Collect data for state-in-time reports** option is selected in the corresponding monitoring plan properties. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for additional information. ## User Accounts - Attributes 
@@ -16,11 +16,11 @@ criteria. Use this report to discover user accounts with settings that violate c applicable compliance standards. Supported object types and attributes are listed in the -[Active Directory](../../../../configuration/activedirectory/overview.md) topic. +[Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) topic. For this report to function properly, you must enable the **Collect data for state-in-time reports** option for the data source in the monitoring plan settings. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for additional information. ### Tips to Work with Report diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/microsoftentraid.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/microsoftentraid.md index 351ee7f505..73e7ba1630 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/microsoftentraid.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/microsoftentraid.md @@ -2,7 +2,7 @@ To instruct Netwrix Auditor to collect data needed for the report, make sure that Collect data for state-in-time reports option is selected in the corresponding monitoring plan properties. See -[Create a New Monitoring Plan](../../../monitoringplans/create.md). +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md). **NOTE:** For Microsoft Entra ID, only the current date snapshot can be used for Reports. 
@@ -14,7 +14,7 @@ settings that violate company policies or applicable compliance standards. For this report to function properly, you must enable the Collect data for state-in-time reports option for the data source in the monitoring plan settings. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for more information. ### Tips to Work with Report diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md index 2e2af7e68b..e8d861ae4f 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/overview.md @@ -22,7 +22,7 @@ This functionality is currently available for the following data sources: To provide data for state-in-time reports, remember to select the **Collect data for state-in-time reports** option when you configure a monitoring plan for the selected data source. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for additional information. The state-in-time reports are available under the Reports node. Depending on the data source, 
@@ -32,12 +32,12 @@ Directory\_\_**>_**\_Active Directory\_\_**>\_**\_State-in-Time**. In the report filters, select a monitoring plan you want to generate a report for. To review data sources and items included in each plan, navigate to the Monitoring Plans section. -![fileshareswindowsservers](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/fileshareswindowsservers.webp) +![fileshareswindowsservers](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/fileshareswindowsservers.webp) Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](../../view.md) topic for additional information. You can also create a subscription +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any report you want to receive on a regular basis. See the -[Subscriptions](../../../subscriptions/overview.md) topic for additional information. +[Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. By default, state-in-time reports reflect the current state of the data source. If you want to generate a report to assess your system at a particular moment in the past, you can select the 
@@ -61,7 +61,7 @@ threat or at least merits your special attention. With baselines specified right you can easily identify servers that are different from your corporate policies or best practices. Risks are marked with red color and are easy to spot in the report. -![windowsserverinventory_thumb_0_0](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/windowsserverinventory_thumb_0_0.webp) +![windowsserverinventory_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/windowsserverinventory_thumb_0_0.webp) You can specify baseline values specific to your organization in one of the following ways: diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md index 1ee5ea00d1..becff7900b 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md @@ -4,7 +4,7 @@ Details the effective permissions that the specified account has on the SQL Serv selected type. Use this report to review the permissions granted to users through your SQL Server objects. -![accountpermissionssqlserver_thumb_0_0](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/accountpermissionssqlserver_thumb_0_0.webp) +![accountpermissionssqlserver_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/accountpermissionssqlserver_thumb_0_0.webp) ## Reported data 
@@ -29,7 +29,7 @@ The detailed information under summary includes: reporting on the database hosted on selected SQL Server, the path will be as follows: _Databases\database_name_. - **Object type** — monitored object type; for the full list of supported object types, refer to - [SQL Server](../../../../configuration/sqlserver/overview.md) topic. + [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) topic. - **Means granted** —how access permissions were granted to this account, e.g., _Direct permissions_ or _Server role permissions_. - **Effective grant** —the effective set of permissions granted to this account on the selected @@ -47,7 +47,7 @@ This report has the following filters: the report includes data obtained during the latest data collection session (_Current Session_). To report on other snapshots, make sure they are available through import. For details, see **Manage historical snapshots** option description in - [SQL Server](../../../monitoringplans/sqlserver/overview.md) + [SQL Server](/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md) - **Item**— name of the SQL Server instance monitored with selected monitoring plan. - **Object path** — path to the monitored object, as formatted by Netwrix Auditor in the activity records (see '_What_' field in the reports, search results and activity summaries). Wildcard (\*) @@ -78,8 +78,8 @@ This report has the following filters: ## Related reports - Clicking a Object permissions link opens the - [Object Permissions in SQL Server](sqlobjectpermissions.md) report. -- Clicking a Means granted link opens the **[SQL Server Means Granted](sqlmeansgranted.md)** report. + [Object Permissions in SQL Server](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md) report. +- Clicking a Means granted link opens the **[SQL Server Means Granted](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md)** report. ## Usage example 
diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqldatabases.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqldatabases.md index 8b39f264d2..c65f915932 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqldatabases.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqldatabases.md @@ -3,7 +3,7 @@ This report lists the properties of databases and database snapshots hosted on the selected SQL Server instance. Use this report for your SQL Server database inventory. -![sqlserverdatabases_thumb_0_0](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlserverdatabases_thumb_0_0.webp) +![sqlserverdatabases_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlserverdatabases_thumb_0_0.webp) ## Reported data diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md index 19e5651989..3fc7e29a0d 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md 
@@ -5,12 +5,12 @@ and how those permissions were granted (directly, through role membership, etc.) investigate how permissions are granted. Supported object types and attributes are listed in the -[SQL Server](../../../../configuration/sqlserver/overview.md) section. +[SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) section. To instruct Netwrix Auditor to collect data needed for this report, make sure that **Collect data for state-in-time reports** option is selected in the monitoring plan properties. -![sqlservermeansgranted](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlservermeansgranted.webp) +![sqlservermeansgranted](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlservermeansgranted.webp) ## Reported data @@ -32,7 +32,7 @@ The summary section shows: when reporting on the database hosted on selected SQL Server, the path will be as follows: _Databases\database_name_. - **Object type** — monitored object type; for the full list of supported object types, refer to - [SQL Server](../../../../configuration/sqlserver/overview.md). + [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md). The detailed information under summary includes: @@ -93,4 +93,4 @@ _Corp_ organization discovered that the accounts with Contractor job title has a **SQL Server Means Granted** report for that account by clicking the link in the **Means granted** field for that account. -![sqlservermeansgranteddetails](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlservermeansgranteddetails.webp) +![sqlservermeansgranteddetails](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlservermeansgranteddetails.webp) 
diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md index e5c37972ce..1f39202605 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md @@ -4,9 +4,9 @@ This report shows a detailed list of the effective permissions that accounts hav object. Use this report to review who has access to your SQL Server objects. Supported object types and attributes are listed in the -[SQL Server](../../../../configuration/sqlserver/overview.md) section. +[SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) section. -![objectpermissionssqlserver_thumb_0_0](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/objectpermissionssqlserver_thumb_0_0.webp) +![objectpermissionssqlserver_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/objectpermissionssqlserver_thumb_0_0.webp) ## Reported data @@ -20,7 +20,7 @@ The summary section shows: reporting on the database hosted on selected SQL Server, the path will be as follows: _Databases\database_name_. - **Object type** — monitored object type; for the full list of supported object types, refer to - [SQL Server](../../../../configuration/sqlserver/overview.md) topic. + [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) topic. - **Total account count** — total number of accounts that have access to this object. The detailed information under summary includes: 
@@ -52,7 +52,7 @@ This report has the following filters: the report includes data obtained during the latest data collection session (_Current Session_). To report on other snapshots, make sure they are available through import. For details, see **Manage historical snapshots** option description in the - [SQL Server](../../../monitoringplans/sqlserver/overview.md) topic. + [SQL Server](/docs/auditor/10.7/auditor/admin/monitoringplans/sqlserver/overview.md) topic. - **Item**—name of the SQL Server instance monitored with selected monitoring plan. - **Object path** —path to the monitored object, as formatted by Netwrix Auditor in the activity records (see '_What_' field in the reports, search results and activity summaries). Wildcard (\*) @@ -85,8 +85,8 @@ This report has the following filters: ## Related reports - Clicking a User account link opens the - [Account Permissions in SQL Server](sqlaccountpermissions.md) report. -- Clicking a Means granted link opens the[SQL Server Means Granted](sqlmeansgranted.md) report. + [Account Permissions in SQL Server](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md) report. +- Clicking a Means granted link opens the[SQL Server Means Granted](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md) report. ## Usage example diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlroles.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlroles.md index aa0d0f304b..168ae343b6 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlroles.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlroles.md 
@@ -11,7 +11,7 @@ To instruct Netwrix Auditor to collect data needed for this report, make sure th for state-in-time reports** option is selected in the monitoring plan properties. See Settings for Data Collection in the monitoring plan documentation. -![sqlserverlevelroles](../../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlserverlevelroles.webp) +![sqlserverlevelroles](/img/product_docs/auditor/auditor/admin/reports/types/stateintime/sqlserverlevelroles.webp) ## Reported data @@ -57,7 +57,7 @@ This report has the following filters: ## Related reports - Clicking a role member (account) link opens the - [Account Permissions in SQL Server](sqlaccountpermissions.md) report. + [Account Permissions in SQL Server](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md) report. ## Usage example diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlserveroverview.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlserveroverview.md index 474247685a..1fb4f80031 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlserveroverview.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlserveroverview.md 
@@ -3,13 +3,13 @@ These are reports on the SQL Server state-in-time data, including roles, permissions and other configuration settings: -- [Account Permissions in SQL Server](sqlaccountpermissions.md) -- [Object Permissions in SQL Server](sqlobjectpermissions.md) -- [SQL Server Databases](sqldatabases.md) -- [SQL Server Means Granted](sqlmeansgranted.md) -- [SQL Server-Level Roles](sqlroles.md) +- [Account Permissions in SQL Server](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlaccountpermissions.md) +- [Object Permissions in SQL Server](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlobjectpermissions.md) +- [SQL Server Databases](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqldatabases.md) +- [SQL Server Means Granted](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlmeansgranted.md) +- [SQL Server-Level Roles](/docs/auditor/10.7/auditor/admin/reports/types/stateintime/sqlroles.md) To instruct Netwrix Auditor to collect data needed for these reports, make sure that **Collect data for state-in-time reports** option is selected in the corresponding monitoring plan properties. See -the [Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +the [Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for additional information. By default, data collection will run daily at 4 AM. diff --git a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/vmware.md b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/vmware.md index 2dd2cfcb76..7c32b9a503 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/stateintime/vmware.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/stateintime/vmware.md 
@@ -9,7 +9,7 @@ permissions: To instruct Netwrix Auditor to collect data needed for these reports, make sure that **Collect data for state-in-time reports** option is selected in the corresponding monitoring plan properties. See -the [Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +the [Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for more information. ## Account Permissions in vCenter @@ -19,11 +19,11 @@ directly or through group membership). Use this report to see who has permission prevent rights elevation. Supported object types and attributes are listed in the -[VMware](../../../../configuration/vmware/overview.md) topic. +[VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) topic. For this report to function properly, you must enable the **Collect data for state-in-time reports** option for the data source in the monitoring plan settings. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for more information. ### Filters @@ -37,7 +37,7 @@ filters and values: the report includes data obtained during the latest data collection session (_Current Session_). To report on other snapshots, make sure they are available through import. For details, see **Manage historical snapshots** option description in - [VMware](../../../monitoringplans/vmware/overview.md) + [VMware](/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md) - Item — name of the item within your monitoring plan. - Inherited — select whether to show inherited permissions or not. - Role – select the name of the VMware role you want to see in the report. 
@@ -55,11 +55,11 @@ Shows detailed list of privileges that the specified account has on the VMware o report to prevent unnecessary privileges assigned to custom roles. Supported object types and attributes are listed in the -[VMware](../../../../configuration/vmware/overview.md) topic. +[VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) topic. For this report to function properly, you must enable the **Collect data for state-in-time reports** option for the data source in the monitoring plan settings. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for more information. ### Filters @@ -73,7 +73,7 @@ filters and values: the report includes data obtained during the latest data collection session (_Current Session_). To report on other snapshots, make sure they are available through import. For details, see **Manage historical snapshots** option description in - [VMware](../../../monitoringplans/vmware/overview.md) + [VMware](/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md) - Item — name of the item within your monitoring plan. - Role – select the name of the VMware role you want to see in the report. - Object path — path to the monitored object, as formatted by Netwrix Auditor in the activity 
@@ -88,11 +88,11 @@ granted directly or through group membership). Use this report to see who has pe and prevent rights elevation. Supported object types and attributes are listed in the -[VMware](../../../../configuration/vmware/overview.md) topic. +[VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) topic. For this report to function properly, you must enable the **Collect data for state-in-time reports** option for the data source in the monitoring plan settings. See the -[Settings for Data Collection](../../../monitoringplans/create.md#settings-for-data-collection) +[Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for more information. ### Filters @@ -106,7 +106,7 @@ filters and values: the report includes data obtained during the latest data collection session (_Current Session_). To report on other snapshots, make sure they are available through import. For details, see **Manage historical snapshots** option description in - [VMware](../../../monitoringplans/vmware/overview.md) + [VMware](/docs/auditor/10.7/auditor/admin/monitoringplans/vmware/overview.md) - Item — name of the item within your monitoring plan. - Role – select the name of the VMware role you want to see in the report. - **Object path** —path to the monitored object, as formatted by Netwrix Auditor in the activity diff --git a/docs/auditor/10.7/auditor/admin/reports/types/userbehavior.md b/docs/auditor/10.7/auditor/admin/reports/types/userbehavior.md index 1d53048c51..cce2aa682c 100644 --- a/docs/auditor/10.7/auditor/admin/reports/types/userbehavior.md +++ b/docs/auditor/10.7/auditor/admin/reports/types/userbehavior.md 
@@ -14,7 +14,7 @@ identify vulnerabilities and easily answer questions such as: Analytics reports can be found in the User Behavior and Blind Spot Analysis folder under the Predefined node. -![userbehaviorblindspotanalysis_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/userbehaviorblindspotanalysis_thumb_0_0.webp) +![userbehaviorblindspotanalysis_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/userbehaviorblindspotanalysis_thumb_0_0.webp) If you are sure that some audit data is missing (e.g., you do not see information on your file servers in reports and search results), verify that the Audit Database settings are configured and @@ -24,9 +24,9 @@ By default, Auditor allows generating reports and running interactive searches o the last 180 days. If you want to investigate incidents that occurred more than 180 days ago, ask your Auditor Global administrator to import that data from the Long-Term Archive. -![failedactivitytrend_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/admin/reports/types/failedactivitytrend_thumb_0_0.webp) +![failedactivitytrend_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/types/failedactivitytrend_thumb_0_0.webp) Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](../view.md) topic for additional information. You can also create a subscription to +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any report you want to receive on a regular basis. See the -[Subscriptions](../../subscriptions/overview.md) topic for additional information. +[Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/reports/video.md b/docs/auditor/10.7/auditor/admin/reports/video.md index e6537264ab..17a2ca01a7 100644 
--- a/docs/auditor/10.7/auditor/admin/reports/video.md +++ b/docs/auditor/10.7/auditor/admin/reports/video.md @@ -9,11 +9,11 @@ To view reports with video, navigate to Reports → User Activity. In the report filters, select a monitoring plan you want to generate a report for. To review data sources and items included in each plan, navigate to the Monitoring Plans section. -![ReportsWithVideo](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/alluseractivityvideo_thumb_0_0.webp) +![ReportsWithVideo](/img/product_docs/auditor/auditor/admin/reports/alluseractivityvideo_thumb_0_0.webp) Each report has a set of filters which help organize audit data in the most convenient way. See the -[View Reports](view.md) topic for additional information. You can also create a subscription to any -report you want to receive on a regular basis. See the [Subscriptions](../subscriptions/overview.md) +[View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) topic for additional information. You can also create a subscription to any +report you want to receive on a regular basis. See the [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. Follow the steps to play a video: diff --git a/docs/auditor/10.7/auditor/admin/reports/view.md b/docs/auditor/10.7/auditor/admin/reports/view.md index 579e24f365..2d60b39e5a 100644 --- a/docs/auditor/10.7/auditor/admin/reports/view.md +++ b/docs/auditor/10.7/auditor/admin/reports/view.md 
@@ -10,26 +10,26 @@ To view reports, users need the following: reports. 2. The Browser role on the SSRS Report Server. See the - [SQL Server Reporting Services](../../requirements/sqlserverreportingservice.md) topic for + [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. To view a report You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. 1. In Netwrix Auditor Home screen, click - ![reports_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/reports_tile.webp)on + ![reports_tile](/img/product_docs/auditor/auditor/admin/reports/reports_tile.webp)on the left, and in the tree on the left select the report you need. To speed up the process, you can use the **Search** field, entering the keyword to search by. -![searchreports_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/searchreports_thumb_0_0.webp) +![searchreports_thumb_0_0](/img/product_docs/auditor/auditor/admin/reports/searchreports_thumb_0_0.webp) 2. Click View button in the right pane. -To learn how to subscribe to a report, see [Create Subscriptions](../subscriptions/create.md). +To learn how to subscribe to a report, see [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md). ## Troubleshooting 
@@ -37,13 +37,13 @@ If no data is displayed in the report, you may need to do the following: 1. Make sure that the Audit Database settings are configured properly in the monitoring plan, and that data is written to databases that reside on the default SQL Server instance. See the - [Audit Database](../settings/auditdatabase.md) topic for additional information. + [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. 2. For SSRS-based reports - verify that SSRS (SQL Server Reporting Services) settings are configured - properly. See the [Audit Database](../settings/auditdatabase.md) topic for additional + properly. See the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for additional information. 3. For state-in-time reports - verify that the monitoring plan that provides data for the report has the corresponding option selected. See the - [Create a New Monitoring Plan](../monitoringplans/create.md) topic for additional information. + [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. ## Customize Report with Filters @@ -71,9 +71,9 @@ of the report. The filters may vary slightly depending on the audited system and The report without filtering: -![allchangesserver](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/allchangesserver.webp) +![allchangesserver](/img/product_docs/auditor/auditor/admin/reports/allchangesserver.webp) The report below displays changes for all audited systems made by the CORP\Administrator user on the ROOTDC2 domain controller for a month sorted by the action type. -![allchangesserverfiltered](../../../../../../static/img/product_docs/auditor/auditor/admin/reports/allchangesserverfiltered.webp) +![allchangesserverfiltered](/img/product_docs/auditor/auditor/admin/reports/allchangesserverfiltered.webp) 
diff --git a/docs/auditor/10.7/auditor/admin/riskassessment/dashboard.md b/docs/auditor/10.7/auditor/admin/riskassessment/dashboard.md index 31d47d440e..001bba7c99 100644 --- a/docs/auditor/10.7/auditor/admin/riskassessment/dashboard.md +++ b/docs/auditor/10.7/auditor/admin/riskassessment/dashboard.md @@ -3,8 +3,8 @@ To access the Risk Assessment dashboard, click the corresponding tile in the main window. You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. The IT risks are grouped into the following categories: @@ -21,7 +21,7 @@ displayed with the color indicators in accordance with the level: - Medium — yellow - Low — green -![dashboard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) +![dashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) After reviewing general risks assessment results in each category, you can drill-down to details covered in the underlying report. To do so, double-click the selected metric or use the View Report 
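Review bot: in the `@@ -21,7 +21,7 @@` hunk of riskassessment/dashboard.md, the Auditor Risk Assessment dashboard screenshot resolves to a Data Classification asset, `/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp`. The old relative path pointed into the same product folder, so the rewrite is faithful, but the page appears to borrow another product's image with the same file name. Please check that this is the intended screenshot and, if it is not, point the reference at an asset under `/img/product_docs/auditor/auditor/admin/riskassessment/`, which is where this file's other images live.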
@@ -30,7 +30,7 @@ button. ## Customizing Metrics for Your Organization Default threshold values for risk levels are set in accordance with recommendations of -Netwrixindustry experts, as described in the [How Risk Levels Are Estimated ](levels.md) topic. They +Netwrixindustry experts, as described in the [How Risk Levels Are Estimated ](/docs/auditor/10.7/auditor/admin/riskassessment/levels.md) topic. They can be, however, easily customized to reflect your organization's internal security policies and standards. Follow the steps to customize the metrics. @@ -41,7 +41,7 @@ right click Modify thresholds. **Step 3 –** Click OK to save the settings and close the dialog. -![modify_thresholds_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/riskassessment/modify_thresholds_thumb_0_0.webp) +![modify_thresholds_thumb_0_0](/img/product_docs/auditor/auditor/admin/riskassessment/modify_thresholds_thumb_0_0.webp) Also, for several metrics the Customize risk indicators command is available. @@ -60,6 +60,6 @@ session. You can create a subscription to periodically receive IT risk assessment results by email or using a file share. For that, in the dashboard window click Subscribe and configure the necessary settings. -See the [Create Subscriptions](../subscriptions/create.md) topic for additional information. +See the [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md) topic for additional information. You can also save current results to a PDF file by using the Export button in the dashboard window. diff --git a/docs/auditor/10.7/auditor/admin/riskassessment/overview.md b/docs/auditor/10.7/auditor/admin/riskassessment/overview.md index 93ef15480f..4ff9f30bd3 100644 --- a/docs/auditor/10.7/auditor/admin/riskassessment/overview.md +++ b/docs/auditor/10.7/auditor/admin/riskassessment/overview.md 
@@ -8,9 +8,9 @@ you to take corrective measures in the required area, ensuring the IT risks stay Risk assessment dashboard can be accessed by clicking the Risk assessment tile in the main window of Netwrix Auditor. For details about using the dashboard, see -[IT Risk Assessment Dashboard](dashboard.md). +[IT Risk Assessment Dashboard](/docs/auditor/10.7/auditor/admin/riskassessment/dashboard.md). -For details about metrics calculation, see [How Risk Levels Are Estimated ](levels.md). +For details about metrics calculation, see [How Risk Levels Are Estimated ](/docs/auditor/10.7/auditor/admin/riskassessment/levels.md). ## Providing Data for Risk Assessment @@ -52,7 +52,7 @@ have at least one item added. See the following table for the certain reports: **NOTE:** Risks marked with (\*) require both pre-configured NDC SQL database connection and NDC API connection. To check configuration status, go to Settings > Sensitive Data Discovery. See -[Sensitive Data Discovery ](../settings/sensitivedatadiscovery.md)for more information. +[Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md)for more information. **NOTE:** Right after setting up the integration the drill down reports might be empty, while the risk indicator is already completed. Please wait until Auditor gets all the information from Netwrix @@ -65,7 +65,7 @@ to the audit database. Also, consider that all risk metrics and related reports require state-in-time data to be collected. You can select the relevant option when creating a new monitoring plan, as described in the -[Create a New Monitoring Plan](../monitoringplans/create.md) section. For the exising plan, refer to +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) section. For the exising plan, refer to the procedure below. To verify the necessary settings of the existing plan 
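Review bot: the added line in the `@@ -65,7 +65,7 @@` hunk still carries the typo "exising" (`section. For the exising plan, refer to`). Since the line is being rewritten for the link change anyway, correct it to "existing" in the same commit so the typo does not survive another pass over this file.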
@@ -75,15 +75,15 @@ To verify the necessary settings of the existing plan 3. Go to the Audit Database section and make sure that Disable security intelligence ... checkbox is cleared. This will instruct Netwrix Auditor to store data to both Long-Term Archive and audit database: - ![edit_mp_store_data_to_db_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/riskassessment/edit_mp_store_data_to_db_thumb_0_0.webp) + ![edit_mp_store_data_to_db_thumb_0_0](/img/product_docs/auditor/auditor/admin/riskassessment/edit_mp_store_data_to_db_thumb_0_0.webp) 4. Save the settings and return to the window with the monitoring plan details. Make sure you have at least one monitored item in the plan. If necessary, add an item. 5. Select the data source you need (for example, Active Directory) and click Edit data source from the Data source section on the right. - ![edit_mp_open_ds_settings_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/riskassessment/edit_mp_open_ds_settings_thumb_0_0.webp) + ![edit_mp_open_ds_settings_thumb_0_0](/img/product_docs/auditor/auditor/admin/riskassessment/edit_mp_open_ds_settings_thumb_0_0.webp) 6. Make sure that: 1. Monitor this data source and collect activity data is switched ON. 2. Collect data for state-in-time reports is switched ON. 7. Save the settings and close the dialog. -![edit_data_source_sit](../../../../../../static/img/product_docs/auditor/auditor/admin/riskassessment/edit_data_source_sit.webp) +![edit_data_source_sit](/img/product_docs/auditor/auditor/admin/riskassessment/edit_data_source_sit.webp) diff --git a/docs/auditor/10.7/auditor/admin/search/filteradvanced.md b/docs/auditor/10.7/auditor/admin/search/filteradvanced.md index b9b771b43e..47be535d96 100644 --- a/docs/auditor/10.7/auditor/admin/search/filteradvanced.md +++ b/docs/auditor/10.7/auditor/admin/search/filteradvanced.md 
@@ -14,7 +14,7 @@ Review the following for additional information: ## Apply Additional Filters Expand the Filter list to find additional filters or filter values. The most commonly used filters -are described in [Use Filters in Simple Mode](filtersimple.md). Review the following for additional +are described in [Use Filters in Simple Mode](/docs/auditor/10.7/auditor/admin/search/filtersimple.md). Review the following for additional information: | Filter | Description | Example | @@ -45,7 +45,7 @@ When you apply filters at search, you can specify operators that should be used data you want to retrieve and compare with the certain filter value. A condition can be, for example, Contains, Starts with, and so on. -![advancedfilters_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/search/advancedfilters_thumb_0_0.webp) +![advancedfilters_thumb_0_0](/img/product_docs/auditor/auditor/admin/search/advancedfilters_thumb_0_0.webp) The following operators can be used to specify search conditions: @@ -65,9 +65,9 @@ When you add a new search filter, the Contains operator is used by default. To modify conditions for the selected filters, make sure you have switched to the Advanced search mode. -![advanced_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/search/advanced_thumb_0_0.webp) +![advanced_thumb_0_0](/img/product_docs/auditor/auditor/admin/search/advanced_thumb_0_0.webp) The image below represents the same search filters as they are shown in the Search field in the Simple mode. -![advancedexample_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/search/advancedexample_thumb_0_0.webp) +![advancedexample_thumb_0_0](/img/product_docs/auditor/auditor/admin/search/advancedexample_thumb_0_0.webp) diff --git a/docs/auditor/10.7/auditor/admin/search/filtersimple.md b/docs/auditor/10.7/auditor/admin/search/filtersimple.md index 89aff3680d..aeacea9fd7 100644 
--- a/docs/auditor/10.7/auditor/admin/search/filtersimple.md +++ b/docs/auditor/10.7/auditor/admin/search/filtersimple.md 
@@ -16,7 +16,7 @@ Filters are used to narrow your search results. To create a unique set of filter | Filter | Description | | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Who | Filter data by user (initiator) account. Specify an account name (e.g., John) to find all entries containing it (e.g., `Domain1\John`, `Domain1\Johnson`, `Domain2\Johnny`, `John@domain.com`). For exact match, use quotation marks and provide a user name in Domain\User or UPN format (e.g., `Domain1\John` or `John@domain.com`) . | -| Action | Filter data by action type (Added, Removed, etc.) Select an action type from the list (Added, Removed, Modified, Read). For additional actions, navigate to the Advanced mode. See the [Use Filters in Advanced Mode](filteradvanced.md) topic for additional information. | +| Action | Filter data by action type (Added, Removed, etc.) Select an action type from the list (Added, Removed, Modified, Read). For additional actions, navigate to the Advanced mode. See the [Use Filters in Advanced Mode](/docs/auditor/10.7/auditor/admin/search/filteradvanced.md) topic for additional information. | | What | Specify an object name (e.g., _Policy_) to find all entries containing it (e.g., _HiSecPolicy_, `\\FileSserver\Share\NewFolder\NewPolicy.docx`, `http://sharepoint/sites/collection1/Lists/Policy`). Netwrix Auditor searches across all data sources. For an exact match, use quotation marks and provide an object name in the format that is typical for your data source (e.g., `HiSecPolicy`). 
| | When | Filter data by the time interval when the change occurred. Specify a timeframe or provide a custom date range. Netwrix Auditor allows you to see changes that occurred today, yesterday, in the last 7 or 30 days, or within the specified date range. | | Where | Specify a resource name (e.g., _Enterprise_) to find all entries containing it (e.g., `Enterprise-SQL`, `FileStorage.enterprise.local`). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. Netwrix Auditor searches across all data sources. For an exact match, use quotation marks and provide a resource name in the format that is typical for your data source (e.g., `Enterprise-SQL`). | @@ -25,7 +25,7 @@ Follow the steps to add a filter to your search. **Step 1 –** Click a filter type icon. Enter a value you want to search for. -![Account specification](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) +![Account specification](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) Alternatively, you can type a value directly into the Search field. @@ -34,7 +34,7 @@ Alternatively, you can type a value directly into the Search field. To search across all columns in the results view (everywhere—Who, What, Where, Action, etc.), leave it as is. -![Filter](../../../../../../static/img/product_docs/auditor/auditor/admin/search/addsuggestions.webp) +![Filter](/img/product_docs/auditor/auditor/admin/search/addsuggestions.webp) **Step 2 –** Click Search to apply your filters. By default, all entries that contain the filter value are shown. 
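Review bot: in the `@@ -25,7 +25,7 @@` hunk of search/filtersimple.md, the "Account specification" image for Step 1 points to a Privilege Secure asset, `/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp`, while the next image in this file comes from `/img/product_docs/auditor/auditor/admin/search/`. The path conversion preserves what was there, but a generic `add.webp` from another product is unlikely to be the Auditor search filter screenshot. Please verify the rendered image and replace the reference if it is wrong.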
@@ -43,7 +43,7 @@ value are shown. | To... | Do... | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Modify filter | Double-click the filter and type a new value. ![Filter new value](../../../../../../static/img/product_docs/auditor/auditor/admin/search/search_modify_filter.webp) If you need to modify the When filter, delete it and add a new value, or navigate to the Advanced mode (Simple mode does not support its modification). | +| Modify filter | Double-click the filter and type a new value. ![Filter new value](/img/product_docs/auditor/auditor/admin/search/search_modify_filter.webp) If you need to modify the When filter, delete it and add a new value, or navigate to the Advanced mode (Simple mode does not support its modification). | | Remove filter | Click the **Close** icon next to it. | ## Exporting and Importing Filters diff --git a/docs/auditor/10.7/auditor/admin/search/overview.md b/docs/auditor/10.7/auditor/admin/search/overview.md index 738cbb97bd..8fbe6806cf 100644 --- a/docs/auditor/10.7/auditor/admin/search/overview.md +++ b/docs/auditor/10.7/auditor/admin/search/overview.md 
@@ -9,7 +9,7 @@ _what_, and _when_ and _where_ each change was made. To review collected data, you must be assigned the **Global administrator** or **Global reviewer** Netwrix Auditor role. Users with the **Reviewer** role on a certain plan or folder have limited access to data—only within their delegated scope. See the -[Role-Based Access and Delegation](../monitoringplans/delegation.md) topic for additional +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. This functionality is currently available for the following data sources: 
@@ -33,22 +33,22 @@ This functionality is currently available for the following data sources: Integration API - Netwrix Auditor Self-Audit - Netwrix Data Classification. See - [Sensitive Data Discovery ](../settings/sensitivedatadiscovery.md)for more information. + [Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md)for more information. Netwrix Auditor executes interactive search queries against data stored in the audit databases, that is, on data collected in the last 180 days (default retention period). If you want to investigate incidents that occurred more than 180 days ago, then you should import that data from the Long-Term -Archive. See [Investigations](../settings/investigations.md) topic for additional information. +Archive. See [Investigations](/docs/auditor/10.7/auditor/admin/settings/investigations.md) topic for additional information. ## Browsing Your Audit Data On the main Netwrix Auditor page, click -![search_tile](../../../../../../static/img/product_docs/auditor/auditor/admin/search/search_tile.webp) +![search_tile](/img/product_docs/auditor/auditor/admin/search/search_tile.webp) on the left. You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. There you can use the UI controls to run the variety of search queries that will fecth you exactly the data you need. 
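Review bot: the added line `[Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md)for more information.` in this hunk keeps a trailing space inside the link text and has no space between the closing parenthesis and "for". Move the space outside the link. The added `See [Investigations](...) topic` line is also missing "the" before the link, unlike the "See the [...] topic" wording used on the other rewritten lines in this file.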
@@ -64,13 +64,13 @@ the data you need. - To pre-configure your search query before you click Search, you can add filters. Then the search query will return only data matching your filtering criteria. See - [Use Filters in Simple Mode](filtersimple.md) for details. + [Use Filters in Simple Mode](/docs/auditor/10.7/auditor/admin/search/filtersimple.md) for details. You can also use advanced filtering capabilities based on regular expressions (they involve - filter fields and conditions). See [Use Filters in Advanced Mode](filteradvanced.md) for + filter fields and conditions). See [Use Filters in Advanced Mode](/docs/auditor/10.7/auditor/admin/search/filteradvanced.md) for details. - ![search_filter](../../../../../../static/img/product_docs/auditor/auditor/admin/search/search_filter.webp) + ![search_filter](/img/product_docs/auditor/auditor/admin/search/search_filter.webp) - By default, search results are open in the same window, so the subsequent search results will overwrite the previous search results. To view them in different windows, click Open in new @@ -81,7 +81,7 @@ Use search results for your own needs: save, share, create search-based alerts, periodic delivery of search query results, etc. See Make Search Results Actionnable for more information. -![search_nofilter_1](../../../../../../static/img/product_docs/auditor/auditor/admin/search/search_nofilter_1.webp) +![search_nofilter_1](/img/product_docs/auditor/auditor/admin/search/search_nofilter_1.webp) You can also use the **Search** window to examine details for the selected activity record, or watch a video recording (for User Ativity data). @@ -159,4 +159,4 @@ If you do not see the expected information in search results, try the following: See next: -- [Use Filters in Advanced Mode](filteradvanced.md) +- [Use Filters in Advanced Mode](/docs/auditor/10.7/auditor/admin/search/filteradvanced.md) 
diff --git a/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md b/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md index 5fe99cf0d7..63401355f8 100644 --- a/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md +++ b/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md @@ -17,7 +17,7 @@ will use a dedicated database to store data. So, there are two types of database - Specific settings for each dedicated database. You can configure specific database storage settings for each monitoring plan individually. For that, use the **Monitoring Plan** wizard or navigate to the settings. (Global settings appear as default values there, and you can modify them - if needed.) See the [Fine-Tune Your Plan and Edit Settings](../monitoringplans/finetune.md)  topic + if needed.) See the [Fine-Tune Your Plan and Edit Settings](/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md)  topic for additional information. Follow the steps to review and update global Audit Database settings: @@ -26,7 +26,7 @@ Follow the steps to review and update global Audit Database settings: **Step 2 –** Click **Modify** to edit the settings. -![audit_db_settings_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/audit_db_settings_thumb_0_0.webp) +![audit_db_settings_thumb_0_0](/img/product_docs/auditor/auditor/admin/settings/audit_db_settings_thumb_0_0.webp) **Step 3 –** Specify the following database storage settings: 
@@ -74,5 +74,5 @@ Reporting Services settings section. | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Report Server URL | Specify the Report Server URL. Make sure that the resource is reachable. | | Report Manager URL | Specify the Report Manager URL. Make sure that the resource is reachable. | -| User name | Specify the account to connect to SSRS. Use the following format: _domain\username_ or _hostname\username_ Workgroup format (_.\username_) is not supported. Use _hostname\username_ instead. Make sure this account is granted the Content Manager role on the Report Server. See the [SQL Server Reporting Services](../../requirements/sqlserverreportingservice.md) topic for additional information. | +| User name | Specify the account to connect to SSRS. Use the following format: _domain\username_ or _hostname\username_ Workgroup format (_.\username_) is not supported. Use _hostname\username_ instead. Make sure this account is granted the Content Manager role on the Report Server. See the [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. | | Password | Enter a password. | diff --git a/docs/auditor/10.7/auditor/admin/settings/custombrand.md b/docs/auditor/10.7/auditor/admin/settings/custombrand.md index 8f4e9d8778..efa1c8642b 100644 --- a/docs/auditor/10.7/auditor/admin/settings/custombrand.md +++ b/docs/auditor/10.7/auditor/admin/settings/custombrand.md 
@@ -64,7 +64,7 @@ To restore original look and feel, run the script and replace"_True_" with "_Fal By default, Netwrix Auditor reports look as follows: -![All Logon Activity](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/report_rebranding_thumb_0_0.webp) +![All Logon Activity](/img/product_docs/auditor/auditor/admin/settings/report_rebranding_thumb_0_0.webp) Report branding is customized on Netwrix Auditor Server side that means that all clients connected to this server will have the same look and feel for reports. @@ -97,7 +97,7 @@ db_owner role on the Netwrix_CommonDB database. After running the script, start the Netwrix Auditor client and generate a report. The branding will be updated. -![report_rebranding_result_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/report_rebranding_result_thumb_0_0.webp) +![report_rebranding_result_thumb_0_0](/img/product_docs/auditor/auditor/admin/settings/report_rebranding_result_thumb_0_0.webp) Follow the steps to restore original look. diff --git a/docs/auditor/10.7/auditor/admin/settings/general.md b/docs/auditor/10.7/auditor/admin/settings/general.md index ff45d61341..6cc977caad 100644 --- a/docs/auditor/10.7/auditor/admin/settings/general.md +++ b/docs/auditor/10.7/auditor/admin/settings/general.md 
@@ -7,8 +7,8 @@ Review the following for additional information: | Option | Description | | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Self-audit | Select to enable data collection for product self-auditing. Self-audit allows tracking every change to monitoring plan, data source, and audit scope and details about it (before-after values) so that you know that scope of data to be audited is complete and changed only in line with workflows adopted by our organization. Review the following for additional information: - [Netwrix Auditor Operations and Health](../healthstatus/overview.md) | +| Self-audit | Select to enable data collection for product self-auditing. Self-audit allows tracking every change to monitoring plan, data source, and audit scope and details about it (before-after values) so that you know that scope of data to be audited is complete and changed only in line with workflows adopted by our organization. Review the following for additional information: - [Netwrix Auditor Operations and Health](/docs/auditor/10.7/auditor/admin/healthstatus/overview.md) | | Netwrix Auditor  usage statistics | It is optional on your part to help Netwrix improve the quality, reliability, and performance of Netwrix products and services. If selected, Netwrix collects statistical information on how the Licensee uses the product in accordance with applicable law. 
Visit [Netwrix Corporation Software License Agreement](https://www.netwrix.com/eula.html) for additional information about the program. You can review a sample piece of data if you are interested in data acquired by Netwrix. | -| Tags | Netwrix Auditor  allows you to apply tags when creating an alert. With alerts, you can distinguish one alert from another, create groups of similar alerts, etc. The Tags page contains a complete list of alerts that were ever created in the product. See the [Alerts](../alertsettings/overview.md) topic for additional information. Currently, you cannot assign or create tags on this page. To apply tags to an alert, navigate to alert settings and locate the Apply tags section on the General tab. See the [Create Alerts](../alertsettings/create.md) topic for additional information. | +| Tags | Netwrix Auditor  allows you to apply tags when creating an alert. With alerts, you can distinguish one alert from another, create groups of similar alerts, etc. The Tags page contains a complete list of alerts that were ever created in the product. See the [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) topic for additional information. Currently, you cannot assign or create tags on this page. To apply tags to an alert, navigate to alert settings and locate the Apply tags section on the General tab. See the [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) topic for additional information. | | Account and passwords | Netwrix Auditor  allows you to assign different accounts for monitoring plans. Click **Manage** to review the full list of accounts and associated auditing scope. You can also change accounts' password if necessary. | -| Access Reviews | Netwrix Auditor supports integration with Netwrix Auditor Access Reviews, which enables business owners to conduct resource and group reviews and recommend changes. See the [Access Reviews](../../accessreviews.md) topic for additional information. 
| +| Access Reviews | Netwrix Auditor supports integration with Netwrix Auditor Access Reviews, which enables business owners to conduct resource and group reviews and recommend changes. See the [Access Reviews](/docs/auditor/10.7/auditor/accessreviews.md) topic for additional information. | diff --git a/docs/auditor/10.7/auditor/admin/settings/integrations.md b/docs/auditor/10.7/auditor/admin/settings/integrations.md index 3ca31b3459..b0bdcf10cc 100644 --- a/docs/auditor/10.7/auditor/admin/settings/integrations.md +++ b/docs/auditor/10.7/auditor/admin/settings/integrations.md @@ -18,7 +18,7 @@ integrations. Netwrix recommends adding a special data source to your monitoring plan—Netwrix API. In Netwrix Auditor 9.0, Netwrix has updated API schemas. See the -[Compatibility Notice](../../api/compatibility.md) topic for additional information. +[Compatibility Notice](/docs/auditor/10.7/auditor/api/compatibility.md) topic for additional information. To learn more about Integration API capabilities, refer to the -[Integration API](../../api/overview.md). +[Integration API](/docs/auditor/10.7/auditor/api/overview.md). diff --git a/docs/auditor/10.7/auditor/admin/settings/investigations.md b/docs/auditor/10.7/auditor/admin/settings/investigations.md index df98044cca..c1f2874c07 100644 --- a/docs/auditor/10.7/auditor/admin/settings/investigations.md +++ b/docs/auditor/10.7/auditor/admin/settings/investigations.md 
@@ -8,20 +8,20 @@ data stored in the Long-Term Archive. Netwrix Auditor allows importing data from Archive to a special "investigation" database. Having imported data there, you can run searches and generate reports with your past data. -![investigate](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/investigate.webp) +![investigate](/img/product_docs/auditor/auditor/admin/settings/investigate.webp) To import audit data with the Archive Data Investigation wizard **NOTE:** You must be assigned the Global administrator role to import investigation data. To view investigation data, you must be assigned the Global administrator or Global reviewer role. See -[Assign Roles](../monitoringplans/delegation.md#assign-roles) topic for more information. +[Assign Roles](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md#assign-roles) topic for more information. 1. Navigate to Settings → Investigations. 2. Complete your SQL Server settings. | Option | Description | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | - | SQL Server Instance | Specify the name of the SQL Server instance to import your audit data to. If you want to run searches and generate reports, select the same SQL Server instance as the one specified on Settings → Audit Database page. See [Audit Database](auditdatabase.md) topic for more information. | + | SQL Server Instance | Specify the name of the SQL Server instance to import your audit data to. If you want to run searches and generate reports, select the same SQL Server instance as the one specified on Settings → Audit Database page. See [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for more information. 
| | Database | Select import database name. By default, data is imported to a specially created the Netwrix_ImportDB database but you can select any other. Do not select databases that already contain data. Selecting such databases leads to data overwrites and loss. | | Authentication | Select the authentication type you want to use to connect to the SQL Server instance: - Windows authentication - SQL Server authentication | | User name | Specify the account to be used to connect to the SQL Server instance. This account must be granted the **database owner (db_owner)** role and the dbcreator server role. | diff --git a/docs/auditor/10.7/auditor/admin/settings/licenses.md b/docs/auditor/10.7/auditor/admin/settings/licenses.md index 6d1e3d44bd..c9c930b875 100644 --- a/docs/auditor/10.7/auditor/admin/settings/licenses.md +++ b/docs/auditor/10.7/auditor/admin/settings/licenses.md @@ -52,7 +52,7 @@ folder\Netwrix Auditor\Administrative Console_ and locate MSP.xml. For example: -![msp](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/msp.webp) +![msp](/img/product_docs/auditor/auditor/admin/settings/msp.webp) **NOTE:** MSP.xml file must be formatted in accordance with XML standard. If company name (used as identifier) or service account path includes & (ampersand), " (double quotes) or ' (single quotes), diff --git a/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md b/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md index 2ca36eaab2..220311af98 100644 --- a/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md +++ b/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md 
@@ -4,7 +4,7 @@ The Long-Term Archive is configured by default, irrespective of your subscriptio you specified when configuring a monitoring plan. To review and update your Long-Term Archive settings, navigate to **Settings** > **Long-Term Archive** and click Modify. -![lta_settings_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/lta_settings_thumb_0_0.webp) +![lta_settings_thumb_0_0](/img/product_docs/auditor/auditor/admin/settings/lta_settings_thumb_0_0.webp) Review the following for additional information: 
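Review bot: In the longtermarchive.md hunk at @@ -4,7 +4,7 @@, the rewritten image line keeps the alt text `lta_settings_thumb_0_0`, which is the file slug rather than a description of the screenshot. Since the line is being touched anyway, consider a descriptive alt text such as "Long-Term Archive settings", so the instruction to navigate to Settings > Long-Term Archive and click Modify still makes sense when the image fails to load or is read by a screen reader.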
@@ -13,16 +13,16 @@ Review the following for additional information: | Long-Term Archive settings | | | Write audit data to | Specify the path to a local or shared folder where your audit data will be stored. By default, it is set to _"C:\ProgramData\Netwrix Auditor\Data"_. By default, the LocalSystem account is used to write data to the local-based Long-Term Archive and computer account is used for the file share-based storage. Subscriptions created in the Auditor client are uploaded to file servers under the Long-Term Archive service account as well. It is not recommended to store your Long-Term Archive on a system disk. If you want to move the Long-Term Archive to another location, refer to the following Netwrix Knowledge base article: [How to move Long-Term Archive to a new location](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA00g000000H9SSCA0.html). | | Keep audit data for (in months) | Specify how long data will be stored. By default, it is set to 120 months. | -| Use custom credentials (for the file share-based Long-Term Archive only) | Select the checkbox and provide user name and password for the Long-Term Archive service account. You can specify a custom account only for the Long-Term Archive stored on a file share. The custom Long-Term Archive service account can be granted the following rights and permissions: - Advanced permissions on the folder where the Long-term Archive is stored: - List folder / read data - Read attributes - Read extended attributes - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Read permissions - On the file shares where report subscriptions are saved: - Change share permission - Create files / write data folder permission Subscriptions created in the Auditor client  are uploaded to file servers under the Long-Term Archive service account as well. 
See the [Subscriptions](../subscriptions/overview.md) topic for additional information. | +| Use custom credentials (for the file share-based Long-Term Archive only) | Select the checkbox and provide user name and password for the Long-Term Archive service account. You can specify a custom account only for the Long-Term Archive stored on a file share. The custom Long-Term Archive service account can be granted the following rights and permissions: - Advanced permissions on the folder where the Long-term Archive is stored: - List folder / read data - Read attributes - Read extended attributes - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Read permissions - On the file shares where report subscriptions are saved: - Change share permission - Create files / write data folder permission Subscriptions created in the Auditor client  are uploaded to file servers under the Long-Term Archive service account as well. See the [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. 
| Setting Recording Settings -![usersessions_storage](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/usersessions_storage.webp) +![usersessions_storage](/img/product_docs/auditor/auditor/admin/settings/usersessions_storage.webp) | | | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Configure custom location of session recordings | Default location for storing session recordings is set to _"\\``\Netwrix_UAVR$"_. However, storing extra files on the Auditor  Server may produce additional load on it, so consider using this option to specify another location where session recordings will be stored. | -| Enter UNC path to shared folder: | Specify UNC path to the shared folder where user session video recordings will be stored. You can use server name or IP address, for example: _\\172.28.6.33\NA_UserSessions_ Using a local folder for that purpose is not recommended, as storing extra files on the Auditor  Server will produce additional load on it. 
Make sure the specified shared folder has enough capacity to store the video files. Retention period for the video files can be adjusted in the related monitoring plan settings (targeted at User Activity data source); default retention is 7 days. See the [User Activity](../monitoringplans/useractivity/overview.md) topic for additional information. After you specify and save settings for session recordings, it is recommended that you leave them unchanged. Otherwise — if you change the storage location while using Netwrix Auditor for User Activity — please be aware of possible data loss, as Auditor  will not automatically move session recordings to a new location. | +| Enter UNC path to shared folder: | Specify UNC path to the shared folder where user session video recordings will be stored. You can use server name or IP address, for example: _\\172.28.6.33\NA_UserSessions_ Using a local folder for that purpose is not recommended, as storing extra files on the Auditor  Server will produce additional load on it. Make sure the specified shared folder has enough capacity to store the video files. Retention period for the video files can be adjusted in the related monitoring plan settings (targeted at User Activity data source); default retention is 7 days. See the [User Activity](/docs/auditor/10.7/auditor/admin/monitoringplans/useractivity/overview.md) topic for additional information. After you specify and save settings for session recordings, it is recommended that you leave them unchanged. Otherwise — if you change the storage location while using Netwrix Auditor for User Activity — please be aware of possible data loss, as Auditor  will not automatically move session recordings to a new location. | | User name / Password | Provide user name and password for the account that will be used to store session recordings to the specified shared folder. Make sure the account has at least the Write permission for that folder. 
| Auditor  informs you if you are running out of space on a system disk where the Long-Term Archive is diff --git a/docs/auditor/10.7/auditor/admin/settings/notifications.md b/docs/auditor/10.7/auditor/admin/settings/notifications.md index 5cf06b11c7..996618693c 100644 --- a/docs/auditor/10.7/auditor/admin/settings/notifications.md +++ b/docs/auditor/10.7/auditor/admin/settings/notifications.md @@ -126,7 +126,7 @@ and click Modify to adjust them if necessary. | Enforce certificate validation to ensure security | Select this checkbox if you want to verify security certificate on every email transmission. The option is not available for auditing User Activity as well Netwrix Auditor tools. | You can configure Activity Summary frequency, format and delivery time for each monitoring plan -individually. See the [Fine-Tune Your Plan and Edit Settings](../monitoringplans/finetune.md) topic +individually. See the [Fine-Tune Your Plan and Edit Settings](/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md) topic for more information. After that, you can specify the recipient who will receive product activity and health summary @@ -147,4 +147,4 @@ Follow the steps to send summary emails and notifications about critical events. To learn more about product health, you can also navigate to the Health status tile in the main window. It will take you to the Health Status dashboard that contains information on the product activity and system health state. See the -[Health Status Dashboard](../healthstatus/dashboard/overview.md) topic for additional information. +[Health Status Dashboard](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/settings/overview.md b/docs/auditor/10.7/auditor/admin/settings/overview.md index 63df950b7b..9b340145b4 100644 --- a/docs/auditor/10.7/auditor/admin/settings/overview.md +++ b/docs/auditor/10.7/auditor/admin/settings/overview.md 
@@ -4,14 +4,14 @@ In the Settings section, you can configure product settings, such as default SQL Audit Database, the Long-Term Archive location and retention period, etc. You can also review information about the product version and your licenses. See the following sections: -- [General](general.md) -- [Audit Database](auditdatabase.md) -- [Long-Term Archive](longtermarchive.md) -- [Investigations](investigations.md) -- [Notifications](notifications.md) -- [Integrations](integrations.md) -- [Licenses](licenses.md) -- [About Netwrix Auditor](about.md) +- [General](/docs/auditor/10.7/auditor/admin/settings/general.md) +- [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) +- [Long-Term Archive](/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md) +- [Investigations](/docs/auditor/10.7/auditor/admin/settings/investigations.md) +- [Notifications](/docs/auditor/10.7/auditor/admin/settings/notifications.md) +- [Integrations](/docs/auditor/10.7/auditor/admin/settings/integrations.md) +- [Licenses](/docs/auditor/10.7/auditor/admin/settings/licenses.md) +- [About Netwrix Auditor](/docs/auditor/10.7/auditor/admin/settings/about.md) To modify Netwrix Auditor settings, you must be assigned the _Global administrator_ role. See -[Role-Based Access and Delegation](../monitoringplans/delegation.md) for more information. +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) for more information. diff --git a/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md b/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md index cc680cfd84..1ad697dcd6 100644 --- a/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md +++ b/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md 
@@ -8,37 +8,37 @@ The integration can be configured for the following Auditor data sources: - Active Directory. See the - [Use Netwrix Privilege Secure as a Data Collecting Account](../monitoringplans/activedirectory/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) + [Use Netwrix Privilege Secure as a Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) topic for additional information. - Group Policy. See the - [Use Netwrix Privilege Secure as a Data Collecting Account](../monitoringplans/grouppolicy/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) + [Use Netwrix Privilege Secure as a Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/grouppolicy/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) topic for additional information. - Logon Activity. See the - [Use Netwrix Privilege Secure as a Data Collecting Account](../monitoringplans/logonactivity/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) + [Use Netwrix Privilege Secure as a Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) topic for additional information. - Microsoft Entra ID. See the - [How to Add Microsoft Entra ID Monitoring Plan Using Netwrix Privilege Secure](../monitoringplans/microsoftentraid/overview.md#how-to-add-microsoft-entra-id-monitoring-plan-using-netwrix-privilege-secure) + [How to Add Microsoft Entra ID Monitoring Plan Using Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md#how-to-add-microsoft-entra-id-monitoring-plan-using-netwrix-privilege-secure) topic for additional information. - Windows File Server. 
See the - [Use Netwrix Privilege Secure as a Data Collecting Account](../monitoringplans/fileservers/windowsfileserver.md#use-netwrix-privilege-secure-as-a-data-collecting-account) + [Use Netwrix Privilege Secure as a Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/windowsfileserver.md#use-netwrix-privilege-secure-as-a-data-collecting-account) topic for additional information. - Windows Server. See the - [Use Netwrix Privilege Secure as a Data Collecting Account](../monitoringplans/windows/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) + [Use Netwrix Privilege Secure as a Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/windows/overview.md#use-netwrix-privilege-secure-as-a-data-collecting-account) topic for additional information. ## Software Requirements @@ -66,7 +66,7 @@ options are available: - New/Generate certificate – Create a new certificate. - Select an existing certificate – Select an available certificate from the drop-down list. -![npsclientcertificate](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/npsclientcertificate.webp) +![npsclientcertificate](/img/product_docs/auditor/auditor/admin/settings/npsclientcertificate.webp) **Step 6 –** Click **Next**. @@ -102,11 +102,11 @@ documentation for additional instructions. **Step 10 –** Provide the security key you got in Netwrix Privilege Secure. -![npsintegrationparameters](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/npsintegrationparameters.webp) +![npsintegrationparameters](/img/product_docs/auditor/auditor/admin/settings/npsintegrationparameters.webp) **Step 11 –** Click **Next**. -![npsintegrationfinished](../../../../../../static/img/product_docs/auditor/auditor/admin/settings/npsintegrationfinished.webp) +![npsintegrationfinished](/img/product_docs/auditor/auditor/admin/settings/npsintegrationfinished.webp) **Step 12 –** After the validation, click **Finish**. 
diff --git a/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md b/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md index 83711777a7..0757d50c6e 100644 --- a/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md +++ b/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md @@ -152,7 +152,7 @@ For NDC SQL Database Provider: Review your sensitive data in Data Discovery and Classification reports. Refer to the following Netwrix Auditor help center article for more information about these reports: -[Data Discovery and Classification Reports](../reports/types/datadiscoveryclassification.md). +[Data Discovery and Classification Reports](/docs/auditor/10.7/auditor/admin/reports/types/datadiscoveryclassification.md). ForNDC Endpoint Provider: @@ -171,10 +171,10 @@ ForNDC Endpoint Provider: - Click the **Select** column in the Tools menu and review data categories (taxonomies) of your sensitive documents. - Use filtering capabilities to narrow your search results. See the - [Use Filters in Advanced Mode](../search/filteradvanced.md) topic for additional information. + [Use Filters in Advanced Mode](/docs/auditor/10.7/auditor/admin/search/filteradvanced.md) topic for additional information. - Create an alert triggered by specific actions with your sensitive data. **_RECOMMENDED:_** Netwrix recommends enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Netwrix Auditor detects many activity records matching the filters you specified. See the -[Alerts](../alertsettings/overview.md) topic for additional information. +[Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/admin/subscriptions/create.md b/docs/auditor/10.7/auditor/admin/subscriptions/create.md index bd5e9bb09a..a59cd53b22 100644 --- a/docs/auditor/10.7/auditor/admin/subscriptions/create.md 
+++ b/docs/auditor/10.7/auditor/admin/subscriptions/create.md @@ -2,7 +2,7 @@ To create new subscriptions and manage existing subscriptions, you must be assigned the Global administrator or Global reviewer role in the product. See the -[Role-Based Access and Delegation](../monitoringplans/delegation.md) topic for additional +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) topic for additional information. 1. Do one of the following depending on subscription type: @@ -11,7 +11,7 @@ information. | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Subscribe to a report | On the main Auditor page, navigate to Reports. Specify the report that you want to subscribe to and click Subscribe. | | Subscribe to Behavior anomalies dashboard report | On the main Auditor page, navigate to Behavior anomalies, then in the dashboard window click Subscribe. | - | Subscribe to search | 1. Navigate to Search and set appropriate search criteria. See the [Use Filters in Simple Mode](../search/filtersimple.md) topic for additional information. Click Search. 2. Navigate to Tools and select Subscribe. | + | Subscribe to search | 1. Navigate to Search and set appropriate search criteria. See the [Use Filters in Simple Mode](/docs/auditor/10.7/auditor/admin/search/filtersimple.md) topic for additional information. Click Search. 2. Navigate to Tools and select Subscribe. | | Subscribe to risk assessment overview | On the main Auditor page, navigate to Risk assessment and in the dashboard window click Subscribe. | 2. On the Add Subscription page, complete the following fields: 
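Review bot: In the create.md hunk at @@ -11,7 +11,7 @@, the "Subscribe to search" row now links to `/docs/auditor/10.7/auditor/admin/search/filtersimple.md`, which hard-codes the 10.7 version into a link between two pages of the same version tree. The removed relative form `../search/filtersimple.md` stayed correct wherever the tree lived; with the absolute form, a copy of this directory made for a later release would keep sending readers to the 10.7 page, and a broken-link check would not flag it because the target still exists. Please confirm that the versioning workflow rewrites these prefixes, or keep intra-version links relative. The delegation.md link in the @@ -2,7 +2,7 @@ hunk of the same file has the same property.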
@@ -22,9 +22,9 @@ information. | Subscription name | Enter the name for the subscription. | | Report name _OR_ Email subject | For report subscription—You cannot edit report name. For subscription to search and risk assessment overview—Specify email subject to identify subscription emails from Auditor. For example, "_Successful read attempts on important file shares_". | | Send empty subscriptions when no activity occurred Available for report and search subscriptions only. | Slide the switch to Yes if you want to receive a report even if no changes occurred. | - | Specify delivery options | - File format—Configure reports to be delivered as the pdf or csv files for search subscriptions; and pdf, docx, csv or xls files for report subscriptions. Available for report and search subscriptions only. - File delivery—Select delivery method: - Attach to email—Select this option to receive data as email attachments. The maximum size of the attachment file is 50 MB. Attachments larger than 50MB will be uploaded to _\\``\Netwrix_Auditor_Subscriptions$\LostAndFound_ folder on Netwrix Auditor server. They will be available for 7 days. Check the subscription email to get the files. - Upload to a file share—Select this option to save data on the selected file share. Click Browse to select a folder on the computer that hosts Auditor Server or specify a UNC path to a shared network resource. Make sure that the recipients have sufficient rights to access it and the Long-Term Archive service account has sufficient rights to upload reports. See the [File-Based Repository for Long-Term Archive](../../requirements/longtermarchive.md) topic for additional information. **NOTE:** Make sure that the AD Computer account for the Auditor host server also has read access on the file share where the Subscriptions are being uploaded. 
| + | Specify delivery options | - File format—Configure reports to be delivered as the pdf or csv files for search subscriptions; and pdf, docx, csv or xls files for report subscriptions. Available for report and search subscriptions only. - File delivery—Select delivery method: - Attach to email—Select this option to receive data as email attachments. The maximum size of the attachment file is 50 MB. Attachments larger than 50MB will be uploaded to _\\``\Netwrix_Auditor_Subscriptions$\LostAndFound_ folder on Netwrix Auditor server. They will be available for 7 days. Check the subscription email to get the files. - Upload to a file share—Select this option to save data on the selected file share. Click Browse to select a folder on the computer that hosts Auditor Server or specify a UNC path to a shared network resource. Make sure that the recipients have sufficient rights to access it and the Long-Term Archive service account has sufficient rights to upload reports. See the [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) topic for additional information. **NOTE:** Make sure that the AD Computer account for the Auditor host server also has read access on the file share where the Subscriptions are being uploaded. | | Other tabs | | | Recipients | Shows the number of recipients selected and allows specifying emails where reports are to be sent. Expand the Recipients list and click Add to add more recipients. | | Schedule | Allows specifying report delivery schedule (daily, certain days of week, a certain day of a certain month). By default, risk assessment overview and search subscription delivery is scheduled to 7.00 am daily, report subscription delivery - to 8.00 am daily. | - | Filters | - For report subscription—Specify the report filters, which vary depending on the selected report. 
- For subscription to risk assessment overview—Select one or several monitoring plans and risk categories whose data you want to be included. By default, you will receive data on all risk categories, provided by all monitoring plans configured for risk assessment. - For search subscription—Specify filters in the same way as for search. See the [Use Filters in Advanced Mode](../search/filteradvanced.md) topic for additional information. For search subscription, you can also select a parameter to sort actions by and the sorting order. | + | Filters | - For report subscription—Specify the report filters, which vary depending on the selected report. - For subscription to risk assessment overview—Select one or several monitoring plans and risk categories whose data you want to be included. By default, you will receive data on all risk categories, provided by all monitoring plans configured for risk assessment. - For search subscription—Specify filters in the same way as for search. See the [Use Filters in Advanced Mode](/docs/auditor/10.7/auditor/admin/search/filteradvanced.md) topic for additional information. For search subscription, you can also select a parameter to sort actions by and the sorting order. | | History For search and risk assessment subscriptions only. | - Contains subscription generation details (intervals, status, last run time, start type). If the subscription failed, expand its details to understand and resolve error, then click the Try again link. - Allows for on-demand subscription delivery—for that, click Run Now. On successful subscription generation you will receive the results that match your criteria for the scheduled period. | diff --git a/docs/auditor/10.7/auditor/admin/subscriptions/manage.md b/docs/auditor/10.7/auditor/admin/subscriptions/manage.md index 4f78f3776d..f21865dbb5 100644 --- a/docs/auditor/10.7/auditor/admin/subscriptions/manage.md +++ b/docs/auditor/10.7/auditor/admin/subscriptions/manage.md 
@@ -2,7 +2,7 @@ On the main Netwrix Auditor page, navigate to Subscriptions to review a list of your subscriptions. -![subscription](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/subscription.webp) +![subscription](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/subscription.webp) The table below provides instructions on how to manage your subscriptions. @@ -11,4 +11,4 @@ The table below provides instructions on how to manage your subscriptions. | Browse subscriptions | Type the target subscription name in the search bar in the upper part of the Subscriptions window and click the Search icon to review results. | | Enable or disable subscriptions | Pick a subscription and select On or Off in the Mode column. | | Modify subscriptions | Select the subscription that you want to modify and click Edit at the bottom of the Subscriptions window. Update the subscription and save your changes. | -| Remove subscriptions | Click ![delete](../../../../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) icon next to the selected subscription. | +| Remove subscriptions | Click ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) icon next to the selected subscription. | diff --git a/docs/auditor/10.7/auditor/admin/subscriptions/overview.md b/docs/auditor/10.7/auditor/admin/subscriptions/overview.md index e0acdfde1a..dffa5455f1 100644 --- a/docs/auditor/10.7/auditor/admin/subscriptions/overview.md +++ b/docs/auditor/10.7/auditor/admin/subscriptions/overview.md 
@@ -9,8 +9,8 @@ You can configure subscriptions to reports (including dashboards) risk assessmen interactive search. You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to -access them instantly. See the [Navigation](../navigation/overview.md) and -[Customize Home Screen](../navigation/customizehome.md) topics for additional information. +access them instantly. See the [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) and +[Customize Home Screen](/docs/auditor/10.7/auditor/admin/navigation/customizehome.md) topics for additional information. ## Subscription to Reports @@ -56,5 +56,5 @@ This subscription type is similar to the predefined reports. Review the following for additional information: -- [Create Subscriptions](create.md)how to create new subscriptions. -- [Review and Manage Subscriptions](manage.md)how to manage subscriptions. +- [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md)how to create new subscriptions. +- [Review and Manage Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/manage.md)how to manage subscriptions. diff --git a/docs/auditor/10.7/auditor/api/compatibility.md b/docs/auditor/10.7/auditor/api/compatibility.md index d5479c97bd..c694d80e19 100644 --- a/docs/auditor/10.7/auditor/api/compatibility.md +++ b/docs/auditor/10.7/auditor/api/compatibility.md @@ -10,4 +10,4 @@ leveraging Netwrix Auditor Integration API. Download the latest add-on version i | — | - XML: ` `````` Item name `````` ` - JSON: `"Item": {"Name": "Item name"}` | To learn more about input and output Activity Record structure, refer to -[Activity Records](postdata/activityrecords.md). +[Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md). diff --git a/docs/auditor/10.7/auditor/api/endpoints.md b/docs/auditor/10.7/auditor/api/endpoints.md index 65eb3de718..ee5ade607e 100644 --- a/docs/auditor/10.7/auditor/api/endpoints.md 
+++ b/docs/auditor/10.7/auditor/api/endpoints.md 
@@ -2,10 +2,10 @@ | Method | Endpoint | POST Data | Description | | ------ | --------------------------------------- | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| GET | /netwrix/api/v1/activity_records/enum | — | Returns Activity Records. [Retrieve Activity Records](retrieveactivityrecords.md) | -| POST | /netwrix/api/v1/activity_records/enum | [Continuation Mark](postdata/continuationmark.md) | Returns next 1,000 Activity Records. [Continuation Mark](postdata/continuationmark.md) | -| POST | /netwrix/api/v1/activity_records/search | [Search Parameters](postdata/searchparameters.md) | Returns Activity Records matching a criteria defined in search parameters. [Search Activity Records](searchactivityrecords.md) | -| POST | /netwrix/api/v1/activity_records/ | [Activity Records](postdata/activityrecords.md) | Writes data to the Audit Database. [Write Activity Records](writeactivityrecords.md) | +| GET | /netwrix/api/v1/activity_records/enum | — | Returns Activity Records. [Retrieve Activity Records](/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md) | +| POST | /netwrix/api/v1/activity_records/enum | [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) | Returns next 1,000 Activity Records. [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) | +| POST | /netwrix/api/v1/activity_records/search | [Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) | Returns Activity Records matching a criteria defined in search parameters. [Search Activity Records](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) | +| POST | /netwrix/api/v1/activity_records/ | [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) | Writes data to the Audit Database. 
[Write Activity Records](/docs/auditor/10.7/auditor/api/writeactivityrecords.md) | ### Authentication @@ -26,7 +26,7 @@ Netwrix Auditor restricts control to its configuration and data collected by the access system ensures that only relevant employees and services can access the exact amount of data they need. To be able to retrieve activity records or supply data to the Audit Database, an account must be assigned a role in the product. -[Role-Based Access and Delegation](../admin/monitoringplans/delegation.md) +[Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) | To... | Required role | | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/auditor/10.7/auditor/api/errordetails.md b/docs/auditor/10.7/auditor/api/errordetails.md index 158a2df33f..4713ccb219 100644 --- a/docs/auditor/10.7/auditor/api/errordetails.md +++ b/docs/auditor/10.7/auditor/api/errordetails.md @@ -1,7 +1,7 @@ # Error Details On error, most requests contain an error description in the response body (except some requests with -empty body, e.g., 404, 405). [Response Status Codes](responsestatuscodes.md) +empty body, e.g., 404, 405). [Response Status Codes](/docs/auditor/10.7/auditor/api/responsestatuscodes.md) The error details include: diff --git a/docs/auditor/10.7/auditor/api/filterreference.md b/docs/auditor/10.7/auditor/api/filterreference.md index 786798fea5..21560f8a88 100644 --- a/docs/auditor/10.7/auditor/api/filterreference.md +++ b/docs/auditor/10.7/auditor/api/filterreference.md 
@@ -25,8 +25,8 @@ to create a unique search. You can: Review the following for additional information: -- [Filters](filters.md) -- [Operators](filteroperators.md) +- [Filters](/docs/auditor/10.7/auditor/api/filters.md) +- [Operators](/docs/auditor/10.7/auditor/api/filteroperators.md) The table below shows filters and Activity Records matching them. diff --git a/docs/auditor/10.7/auditor/api/overview.md b/docs/auditor/10.7/auditor/api/overview.md index 143cdaac05..f1b126707e 100644 --- a/docs/auditor/10.7/auditor/api/overview.md +++ b/docs/auditor/10.7/auditor/api/overview.md @@ -16,7 +16,7 @@ Integration API provides the following capabilities: - Data out: Further automate your business processes, IT security and operations workflows by enriching third-party solutions with actionable audit data. -![diagram_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) +![diagram_thumb_0_0](/img/product_docs/auditor/auditor/addon/cyberark/diagram_thumb_0_0.webp) Netwrix Auditor Integration API operates with XML- and JSON-formatted Activity Records—minimal chunks of audit data containing information on _who_ changed _what_, _when_ and _where_ this change @@ -48,6 +48,6 @@ Complete the following fields: | Specify a name for your integration | Specify the add-on name or provide any other name that distinguishes this custom source from any other. This name will be listed in the Item filter in the interactive search. | Make sure Integration API is enabled. To check it, navigate to Settings → Integrations tab. See -[Integrations](../admin/settings/integrations.md) for more information. +[Integrations](/docs/auditor/10.7/auditor/admin/settings/integrations.md) for more information. Make sure to provide a monitoring plan name and item name in activity records before importing data. 
diff --git a/docs/auditor/10.7/auditor/api/postdata/activityrecords.md b/docs/auditor/10.7/auditor/api/postdata/activityrecords.md index 8976a2b802..c86f0bf61a 100644 --- a/docs/auditor/10.7/auditor/api/postdata/activityrecords.md +++ b/docs/auditor/10.7/auditor/api/postdata/activityrecords.md @@ -10,7 +10,7 @@ similar to the following—the exact schema depends on operation (input or outpu | JSON | `[ `````` { `````` "Action": "Action", `````` "MonitoringPlan": { `````` "ID": "Unique ID", `````` "Name": "Name" `````` }, `````` "DataSource": "Data source", `````` "Item": {"Name": "Item name (Item type)"}, `````` "DetailList": [ `````` { `````` "Before": "Before Value", `````` "After": "After Value", `````` "PropertyName": "Property", `````` "Message": "Text" `````` } `````` ], `````` "ObjectType": "Object Type", `````` "What": "What", `````` "When": "When", `````` "Where": "Where", `````` "Who": "Who" `````` }, `````` {...} `````` ]` | To feed data from a custom audit source to Netwrix Auditor, send a POST request containing Activity -Records. [Write Activity Records](../writeactivityrecords.md) +Records. [Write Activity Records](/docs/auditor/10.7/auditor/api/writeactivityrecords.md) ## Schema diff --git a/docs/auditor/10.7/auditor/api/postdata/continuationmark.md b/docs/auditor/10.7/auditor/api/postdata/continuationmark.md index a939b6ab94..603c3e42f7 100644 --- a/docs/auditor/10.7/auditor/api/postdata/continuationmark.md +++ b/docs/auditor/10.7/auditor/api/postdata/continuationmark.md 
@@ -11,8 +11,8 @@ Send a POST request containing Continuation mark to the following endpoints: | Method | Endpoint | Description | | ------ | ----------------------------------------------------------------------- | --------------------------------------------------------- | -| POST | [/netwrix/api/v1/activity_records/enum ](../retrieveactivityrecords.md) | Returns next Activity Records. | -| POST | [/netwrix/api/v1/activity_records/search](../searchactivityrecords.md) | Returns next Activity Records matching a filter criteria. | +| POST | [/netwrix/api/v1/activity_records/enum ](/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md) | Returns next Activity Records. | +| POST | [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) | Returns next Activity Records matching a filter criteria. | Ensure to pass information about transferred data, including `Content-Type:application/xml` or `application/json `and encoding. The syntax greatly depends on the tool you use. 
@@ -32,19 +32,19 @@ Copy the contents of `ContinuationMark` to a separate XML or JSON file (e.g., Co | JSON | JSON-formatted Continuation mark includes the field value in quotes. | If you want to retrieve next Activity Records for your search, include the Continuation mark to your -Search parameters file. [Search Parameters](searchparameters.md) +Search parameters file. [Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) ## Example | | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | XML | -| [Retrieve Activity Records](../retrieveactivityrecords.md) | +| [Retrieve Activity Records](/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md) | | ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A `````` ` | -| [Search Activity Records](../searchactivityrecords.md) | +| [Search Activity Records](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) | | ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A `````` `````` Administrator `````` Active Directory `````` Added `````` Group `````` `````` 2016-09-16T16:30:00+11:00 `````` 2017-03-16T00:00:00Z `````` `````` `````` ` | | JSON | -| [Retrieve Activity Records](../retrieveactivityrecords.md) | +| [Retrieve Activity Records](/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md) | | `"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"` | -| [Search Activity Records](../searchactivityrecords.md) | +| [Search Activity 
Records](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) | | `{ `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A", `````` "FilterList": { `````` "Who": "Administrator", `````` "DataSource": "Active Directory", `````` "Action": "Added", `````` "ObjectType": { "DoesNotContain": "Group"}, `````` "When": { `````` "From": "2016-09-16T16:30:00+11:00", `````` "To": "2017-03-16T00:00:00Z" `````` } `````` } `````` }` | diff --git a/docs/auditor/10.7/auditor/api/postdata/overview.md b/docs/auditor/10.7/auditor/api/postdata/overview.md index 94261858d5..fd76a4049b 100644 --- a/docs/auditor/10.7/auditor/api/postdata/overview.md +++ b/docs/auditor/10.7/auditor/api/postdata/overview.md @@ -7,7 +7,7 @@ Database. Data is sent in the request body and must be formatted according to XM compatible with Netwrix-provided XSD schemas. In Netwrix Auditor 9.0, Netwrix has updated API schemas. Make sure to check and update your custom -scripts and add-ons. [Compatibility Notice](../compatibility.md) +scripts and add-ons. [Compatibility Notice](/docs/auditor/10.7/auditor/api/compatibility.md) The file must be formatted in accordance with XML standard. The following symbols must be replaced with corresponding XML entities: & (ampersand), " (double quotes), ' (single quotes), < (less than), @@ -28,6 +28,6 @@ preceded with the \ character: " (double quotes), / (slash), \ (backslash). E.g. Review the following for additional information: -- [Continuation Mark](continuationmark.md) -- [Search Parameters](searchparameters.md) -- [Activity Records](activityrecords.md) +- [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) +- [Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) +- [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) 
diff --git a/docs/auditor/10.7/auditor/api/postdata/searchparameters.md b/docs/auditor/10.7/auditor/api/postdata/searchparameters.md index 245f10215e..81bd21122e 100644 --- a/docs/auditor/10.7/auditor/api/postdata/searchparameters.md +++ b/docs/auditor/10.7/auditor/api/postdata/searchparameters.md @@ -1,9 +1,9 @@ # Search Parameters Send the search parameters in the POST request body to narrow down the search results returned by -the [/netwrix/api/v1/activity_records/search](../searchactivityrecords.md) endpoint. The Search +the [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) endpoint. The Search parameters file includes one or more filters with operators and values (e.g., to find entries where -_data source_ is _SharePoint_); it may also contain a [Continuation Mark](continuationmark.md). +_data source_ is _SharePoint_); it may also contain a [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md). Generally, the Search parameters file looks similar to the following: | | 
@@ -20,13 +20,13 @@ Ensure to pass information about transferred data, including `Content-Type:appli | Format | Schema description | | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find XSD file under _Netwrix_Auditor_installation_folder\Audit Core\API Schemas_. The `ActivityRecordSearch` root element includes the `FilterList `element with one or more `Filter `elements inside. The root element may contain a `ContinuationMark `element. Each `Filter `specified within the `FilterList `must have a value to search for. The element may also include a modifier—a match type operator. minOccurs="0" indicates that element is optional and may be absent in the Search parameters. ![filterschema](../../../../../../static/img/product_docs/auditor/auditor/api/postdata/filterschema.webp) | +| XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find XSD file under _Netwrix_Auditor_installation_folder\Audit Core\API Schemas_. The `ActivityRecordSearch` root element includes the `FilterList `element with one or more `Filter `elements inside. The root element may contain a `ContinuationMark `element. 
Each `Filter `specified within the `FilterList `must have a value to search for. The element may also include a modifier—a match type operator. minOccurs="0" indicates that element is optional and may be absent in the Search parameters. ![filterschema](/img/product_docs/auditor/auditor/api/postdata/filterschema.webp) | | JSON | The `FilterList `object includes with one or more `Filter `entries inside. JSON may contain a `ContinuationMark `object. Each `Filter `specified within the `FilterList `must have a value to search for. The entry may also include a modifier—a match type operator. | Review the following for additional information: -- [Filters](../filters.md) -- [Operators](../filteroperators.md) +- [Filters](/docs/auditor/10.7/auditor/api/filters.md) +- [Operators](/docs/auditor/10.7/auditor/api/filteroperators.md) ## Example diff --git a/docs/auditor/10.7/auditor/api/prerequisites.md b/docs/auditor/10.7/auditor/api/prerequisites.md index 8077763b73..c177217699 100644 --- a/docs/auditor/10.7/auditor/api/prerequisites.md +++ b/docs/auditor/10.7/auditor/api/prerequisites.md @@ -3,7 +3,7 @@ Netwrix Auditor Integration API uses HTTPS for communication with the automatically generated certificate. The default communication port is 9699. -Refer to the [Security](security.md) topic for detailed instructions on how to disable HTTPS and +Refer to the [Security](/docs/auditor/10.7/auditor/api/security.md) topic for detailed instructions on how to disable HTTPS and manage other API settings. ## Configure Integration API Settings @@ -20,7 +20,7 @@ rule will be automatically created. **Step 4 –** If you use a third-party firewall, you must create a rule for inbound connections manually. -![Integration API Settings](../../../../../static/img/product_docs/auditor/auditor/addon/connectwise/integrations_thumb_0_0.webp) +![Integration API Settings](/img/product_docs/auditor/auditor/addon/connectwise/integrations_thumb_0_0.webp) ## Configure Audit Database Settings 
@@ -33,5 +33,5 @@ these settings, navigate to the **Settings > Audit Database**. You cannot use Netwrix Auditor Integration API without configuring the Audit Database. -Refer to the [Audit Database](../admin/settings/auditdatabase.md) topic for detailed instructions on +Refer to the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) topic for detailed instructions on how to configure SQL Server settings. diff --git a/docs/auditor/10.7/auditor/api/responsestatuscodes.md b/docs/auditor/10.7/auditor/api/responsestatuscodes.md index 48fb5f5928..43bbb7f0bb 100644 --- a/docs/auditor/10.7/auditor/api/responsestatuscodes.md +++ b/docs/auditor/10.7/auditor/api/responsestatuscodes.md 
@@ -4,7 +4,7 @@ | ---------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | 200 OK | Success | Success. The body is empty. Activity Records were written to the Audit Database and the Long-Term Archive. | Success. The body contains Activity Records. Activity Records were retrieved from the Audit Database. | | 400 Bad Request | Error | Error validating Activity Records. Make sure the Activity Records are compatible with the [Schema](postdata/activityrecords.md#schema). | Error validating request parameters or post data. Make sure the post data files (Continuation mark, Search parameters) are compatible with their schemas and the `?count=` parameter is valid. | -| 401 Unauthorized | Error | The request is unauthorized and the body is empty. See for [API Endpoints](endpoints.md) more information. | | +| 401 Unauthorized | Error | The request is unauthorized and the body is empty. See for [API Endpoints](/docs/auditor/10.7/auditor/api/endpoints.md) more information. | | | 404 Not Found | Error | Error addressing the endpoint. The body is empty. The requested endpoint does not exist (e.g., /netwrix/api/v1/mynewendpoint/). | | | 405 Method Not Allowed | Error | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except POST). | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except GET or POST). | | 413 Request Entity Too Large | Error | Error transferring files. The body is empty. The posted file exceeds supported size. | | 
@@ -12,4 +12,4 @@ | 503 Service Unavailable | Error | The Netwrix Auditor Archive Service is busy or unreachable. Try restarting the service on the computer that hosts Netwrix Auditor Server. | — | Most failed requests contain error in the response body (except those with empty body, e.g., 404, -405). [Error Details](errordetails.md) +405). [Error Details](/docs/auditor/10.7/auditor/api/errordetails.md) diff --git a/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md b/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md index d49b1dd760..2e5f2b9c4c 100644 --- a/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md +++ b/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md @@ -9,7 +9,7 @@ mark. | Method | Endpoint | POST Data | | ------ | --------------------------------------------------------------------------------------- | ------------------------------------------------- | | GET | `https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number}` | — | -| POST | `https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number}` | [Continuation Mark](postdata/continuationmark.md) | +| POST | `https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number}` | [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) | ## Request Parameters 
@@ -54,7 +54,7 @@ Activity Records collected in braces {} and a Continuation mark. | `{ `````` "ActivityRecordList": [ `````` { `````` "Action": "Added", `````` "MonitoringPlan" : { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "AD Monitoring" `````` }, `````` "DataSource": "Active Directory", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType": "user", `````` "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155", `````` "What": "\\local\\enterprise\\Users\\Jason Smith", `````` "When": "2017-02-14T15:42:34Z", `````` "Where": "EnterpriseDC1.enterprise.local", `````` "Who": "ENTERPRISE\\Administrator", `````` "Workstation": "EnterpriseDC1.enterprise.local" `````` }, `````` {...}, `````` {...} `````` ], `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A" `````` }` | **Step 3 –** Continue retrieving Activity Records. Send a POST request containing this Continuation -mark to the same endpoint. See the [Continuation Mark](postdata/continuationmark.md) topic for more +mark to the same endpoint. See the [Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) topic for more information. For example: | | diff --git a/docs/auditor/10.7/auditor/api/searchactivityrecords.md b/docs/auditor/10.7/auditor/api/searchactivityrecords.md index c475a12bf2..33e01777a8 100644 --- a/docs/auditor/10.7/auditor/api/searchactivityrecords.md +++ b/docs/auditor/10.7/auditor/api/searchactivityrecords.md 
@@ -3,23 +3,23 @@ The search functionality in the Netwrix Auditor Integration API reproduces interactive search available in the Netwrix Auditor client. See the [Netwrix Auditor Intelligence Guide](https://www.netwrix.com/download/documents/Netwrix_Auditor_User_Guide.pdf) -and [View and Search Collected Data](../admin/search/overview.md) topic for detailed instruction on +and [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) topic for detailed instruction on how to search and filter audit data. As the interactive search in the Netwrix Auditor client, this REST API endpoint allows you to retrieve Activity Records matching a certain criteria. You can create your own set of filters in the -Search parameters file. See the [Search Parameters](postdata/searchparameters.md) topic for more +Search parameters file. See the [Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) topic for more information. Activity Records are retrieved according to the account's delegated scope. ## Endpoint To retrieve Activity Records matching a certain criteria, send a POST request containing search parameters (also may include a Continuation mark). See the -[Search Parameters](postdata/searchparameters.md) topic for more information. +[Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) topic for more information. | Method | Endpoint | POST Data | | ------ | ----------------------------------------------------------------------------------------- | ------------------------------------------------- | -| `POST` | `https://{host:port}/netwrix/api/v1/activity_records/search{?format=json}{&count=Number}` | [Search Parameters](postdata/searchparameters.md) | +| `POST` | `https://{host:port}/netwrix/api/v1/activity_records/search{?format=json}{&count=Number}` | [Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) | ## Request Parameters 
@@ -44,7 +44,7 @@ with ?, others are joined with &, no spaces required (e.g., `?format=json&count= Follow the steps- to retrieve all Activity Records matching search criteria. **Step 1 –** Send a POST request containing search parameters. See the -[Search Parameters](postdata/searchparameters.md) topic for more information. +[Search Parameters](/docs/auditor/10.7/auditor/api/postdata/searchparameters.md) topic for more information. As an example, this request retrieves Activity Records where administrator added new objects to the Active Directory domain. Groups and group policies are not taken into account. Changes could only @@ -69,7 +69,7 @@ mark. **Step 3 –** Continue retrieving Activity Records. Send a POST request containing your search parameters and this Continuation mark to the same endpoint. -[Continuation Mark](postdata/continuationmark.md) +[Continuation Mark](/docs/auditor/10.7/auditor/api/postdata/continuationmark.md) | | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/auditor/10.7/auditor/api/security.md b/docs/auditor/10.7/auditor/api/security.md index 8119988240..5eb73a4535 100644 --- a/docs/auditor/10.7/auditor/api/security.md +++ b/docs/auditor/10.7/auditor/api/security.md 
@@ -8,7 +8,7 @@ The automatically generated Netwrix API certificate is located in the Personal s trust on remote computers, install this certificate in the Trusted Root Certification Authorities store. -![certificatestore_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/api/certificatestore_thumb_0_0.webp) +![certificatestore_thumb_0_0](/img/product_docs/auditor/auditor/api/certificatestore_thumb_0_0.webp) To manage API security settings with APIAdminTool.exe diff --git a/docs/auditor/10.7/auditor/api/writeactivityrecords.md b/docs/auditor/10.7/auditor/api/writeactivityrecords.md index 2072ca2b90..ecb0e62525 100644 --- a/docs/auditor/10.7/auditor/api/writeactivityrecords.md +++ b/docs/auditor/10.7/auditor/api/writeactivityrecords.md 
@@ -12,12 +12,12 @@ the plan and enabled for monitoring. To feed data, send a POST request containing Activity Records. The user sending a request must be assigned the Contributor role in Netwrix Auditor. After feeding data to the Audit Database it will become available for search in the Netwrix Auditor client and through -[/netwrix/api/v1/activity_records/search](searchactivityrecords.md) and -[/netwrix/api/v1/activity_records/enum](retrieveactivityrecords.md) endpoints. +[/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) and +[/netwrix/api/v1/activity_records/enum](/docs/auditor/10.7/auditor/api/retrieveactivityrecords.md) endpoints. | Method | Endpoint | POST Data | | ------ | -------------------------------------------------------------------- | ----------------------------------------------- | -| `POST` | `https://{host:port}/netwrix/api/v1/activity_records/{?format=json}` | [Activity Records](postdata/activityrecords.md) | +| `POST` | `https://{host:port}/netwrix/api/v1/activity_records/{?format=json}` | [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) | Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity Records. 
@@ -34,14 +34,14 @@ Records. | Request Status | Response | | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Success | The HTTP status code in the response header is 200 OK and the body is empty. `HTTP/1.1 200 OK `````` Server: Microsoft-HTTPAPI/2.0 `````` Content-Length: 0 `````` Content-Type: text/plain `````` Date: Fri, 08 Apr 2017 13:56:22 GMT` | -| Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. [See Response Status Codes for more information.](responsestatuscodes.md) | +| Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. [See Response Status Codes for more information.](/docs/auditor/10.7/auditor/api/responsestatuscodes.md) | ## Usage Example—Write Data This example describes how to feed Activity Records to the Audit Database. **Step 1 –** Send a POST request containing Activity Records. 
-[Activity Records](postdata/activityrecords.md) For example: +[Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) For example: | | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -74,11 +74,11 @@ Date: Fri, 08 Apr 2017 13:56:22 GMT __Step 3 –__ Send more POST requests containing Activity Records if necessary. -__Step 4 –__ Check that posted data is now available in the Audit Database. Run a search request to [/netwrix/api/v1/activity_records/search](searchactivityrecords.md) endpoint or use interactive search in the Netwrix Auditor client. For example: +__Step 4 –__ Check that posted data is now available in the Audit Database. Run a search request to [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/auditor/api/searchactivityrecords.md) endpoint or use interactive search in the Netwrix Auditor client. For example: -![apiactivity_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/api/apiactivity_thumb_0_0.webp) +![apiactivity_thumb_0_0](/img/product_docs/auditor/auditor/api/apiactivity_thumb_0_0.webp) __Step 5 –__ For input Activity Records, the data source is set to Netwrix API. -![apiactivitydetails](../../../../../static/img/product_docs/auditor/auditor/api/apiactivitydetails.webp) +![apiactivitydetails](/img/product_docs/auditor/auditor/api/apiactivitydetails.webp) ```` diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md b/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md index 36b72054ff..8e3ab614ce 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md 
@@ -10,11 +10,11 @@ requirements: OR - The Audit Logs management role (see the - [Assign Management Roles](../exchange/permissions.md#assign-management-roles) topic for additional + [Assign Management Roles](/docs/auditor/10.7/auditor/configuration/exchange/permissions.md#assign-management-roles) topic for additional information) You will also need to configure Exchange Administrator Audit Logging (AAL) settings. See the -[Exchange Administrator Audit Logging Settings](../exchange/auditlog.md) topic for additional +[Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic for additional information. ## Additional Configuration for Domain Controller's Event Logs Auto-backup @@ -122,7 +122,7 @@ navigate to Start > Windows Administrative Tools and select Local Security Polic **Step 2 –** In the Local Security Policy snap-in, navigate to **Security Settings** > **Local Policies > User Rights Assignment** and locate the **Log on as a batch job** policy. -![manualconfig_ws_logonasbatch](../../../../../../static/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) +![manualconfig_ws_logonasbatch](/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) **Step 3 –** Double-click the **Log on as a batch job** policy, and click **Add User or Group**. Specify the account that you want to define this policy for. 
@@ -166,7 +166,7 @@ Domain Admins group. This permission should be assigned on each domain controller in the audited domain, so if your domain contains multiple domain controllers, it is recommended to assign permissions through Group Policy, or automatically using -[Audit Configuration Assistant](../../tools/auditconfigurationassistant.md). +[Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md). To assign permissions manually, use the Registry Editor snap-in or the Group Policy Management console. diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md b/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md index 359aa30a88..2550858bfa 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md @@ -29,7 +29,7 @@ To do it, perform the following steps: 4. Locate the Audit: Force audit policy subcategory settings to override audit policy category settings and make sure that policy setting is set to _"Enabled"_. - ![manualconfig_ad_nla_audit_force_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) + ![manualconfig_ad_nla_audit_force_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) 5. Run the following command to update group policy: 
@@ -54,7 +54,7 @@ To do it, perform the following steps: | DS Access | Audit Directory Service Access | _"Success"_ | | Logon/Logoff | - Audit Logoff - Audit Logon These policies are only required to collect the information on the originating workstation, i.e., the computer from which a change was made. | _"Success"_ | - ![manualconfig_ad_advpol_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_advpol_winserver2016.webp) + ![manualconfig_ad_advpol_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_advpol_winserver2016.webp) 5. Run the following command to update group policy: diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md b/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md index da7fa4925c..71e6708dab 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md 
@@ -8,29 +8,29 @@ To adjust audit settings automatically, do any of the following: - When creating a new monitoring plan, at the first step of the wizard select the **Adjust audit settings automatically** option. See the - [Create a New Monitoring Plan](../../admin/monitoringplans/create.md) topic for additional + [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. -![mp_wizard_step1_ad_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/configuration/activedirectory/mp_wizard_step1_ad_thumb_0_0.webp) +![mp_wizard_step1_ad_thumb_0_0](/img/product_docs/auditor/auditor/configuration/activedirectory/mp_wizard_step1_ad_thumb_0_0.webp) - For the existing monitoring plan, modify data collection settings for Active Directory data source, selecting **Adjust audit settings automatically** option. - See the [Manage Data Sources](../../admin/monitoringplans/datasources.md) and - [Active Directory](../../admin/monitoringplans/activedirectory/overview.md) topics for additional + See the [Manage Data Sources](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md) and + [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) topics for additional information. - For both new and existing monitoring plans, you can click **Launch Audit Configuration Assistant** (in the wizard step or in the plan settings, respectively) to launch a special tool that can detect current infrastructure settings and adjust them as needed for monitoring. See the - [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for additional + [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for additional information. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. 
For a full list of audit settings required for Netwrix Auditor to collect comprehensive audit data and instructions on how to configure them, refer to the -[Active Directory](overview.md) topic. +[Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) topic. See also: -- [Active Directory](overview.md) -- [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) -- [Active Directory: Manual Configuration](manual.md) +- [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) +- [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) +- [Active Directory: Manual Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/manual.md) diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md b/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md index 1b67fd461c..07d5470276 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md @@ -2,7 +2,7 @@ Basic audit policies allow tracking changes to user accounts and groups and identifying originating workstations. You can configure advanced audit policies for the same purpose too. See the -[Configure Advanced Audit Policies](advancedpolicy.md)topic for additional information. +[Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md)topic for additional information. 1. Open the **Group Policy Management** console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016 and higher) or 
@@ -21,7 +21,7 @@ workstations. You can configure advanced audit policies for the same purpose too | **Audit directory service access** | _"Success"_ | | **Audit logon events** | _"Success"_ | - ![manualconfig_ad_localpolicy_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_localpolicy_winserver2016.webp) + ![manualconfig_ad_localpolicy_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_localpolicy_winserver2016.webp) The Audit logon events policy is only required to collect the information on the originating workstation, i.e., the computer from which a change was made. This functionality is optional and diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/manual.md b/docs/auditor/10.7/auditor/configuration/activedirectory/manual.md index 87bfc51224..f11b8b9128 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/manual.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/manual.md 
@@ -12,37 +12,37 @@ To configure your domain for monitoring manually, you will need: **NOTE:** If these tools are not installed, refer to the following Microsoft articles: -- [Group Policy Management Console]() -- [ADSI Edit]() +- [Group Policy Management Console](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)) +- [ADSI Edit](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773354(v=ws.10)?redirectedfrom=MSDN) Follow the steps to configure your domain for monitoring. **Step 1 –** Configure effective domain controllers policy (by default, Default Domain Controllers -Policy). See the [Configure Basic Domain Audit Policies](basicpolicy.md) or -[Configure Advanced Audit Policies](advancedpolicy.md) topics for additional information. +Policy). See the [Configure Basic Domain Audit Policies](/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md) or +[Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md) topics for additional information. **Step 2 –** Configure object-level auditing. See the -[Configure Object-Level Auditing](objectlevel.md) topic for additional information. +[Configure Object-Level Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md) topic for additional information. **Step 3 –** Adjust the security event log size and retention settings. See the -[Adjust Security Event Log Size and Retention](securitylog.md)topic for additional information. +[Adjust Security Event Log Size and Retention](/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md)topic for additional information. **Step 4 –** If you have an on-premises Exchange server in your Active Directory domain, consider that some changes to AD can be made via that Exchange server. 
To be able to audit and report who made those changes, perform configuration steps as described in the -[Exchange Administrator Audit Logging Settings](../exchange/auditlog.md) topic. +[Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic. Optionally, you can adjust the Active Directory Tombstone Lifetime. See the -[Adjust Active Directory Tombstone Lifetime (optional)](tombstone.md) topic for additional +[Adjust Active Directory Tombstone Lifetime (optional)](/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md) topic for additional information. Also, remember to perform the following steps for AD auditing: **Step 1 –** Configure Data Collecting Account, as described in the -[Additional Configuration to Review Changes Made via Exchange Server](additional.md) topic. +[Additional Configuration to Review Changes Made via Exchange Server](/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md) topic. **Step 2 –** Configure required protocols and ports, as described in the -[Active Directory Ports](ports.md) topic. +[Active Directory Ports](/docs/auditor/10.7/auditor/configuration/activedirectory/ports.md) topic. **Step 3 –** Enable Secondary Logon Service on the computer where Netwrix Auditor Server resides. diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md b/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md index fe533007f8..62963d4c5d 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md 
@@ -5,7 +5,7 @@ information on user activity in the domain. If you also want to audit changes to and schema, you must enable object-level auditing for **Configuration** and **Schema** partitions. Auditing of the Configuration partition is enabled by default. See the -[Active Directory](../../admin/monitoringplans/activedirectory/overview.md) topic for detailed +[Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) topic for detailed instructions on how to enable monitoring of changes to the Schema partition in the target AD domain. Perform the following procedures to configure object-level auditing for the Domain, Configuration @@ -23,13 +23,13 @@ Computers**. **Step 2 –** In the **Active Directory Users and Computers** dialog, click **View** in the main menu and ensure that the **Advanced Features** are enabled. -![manualconfig_aduc_advsecwinserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advsecwinserver2016.webp) +![manualconfig_aduc_advsecwinserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advsecwinserver2016.webp) **Step 3 –** Right-click the **``** node and select **Properties.** Select the **Security** tab and click **Advanced**. In the **Advanced Security Settings for ``** dialog, select the **Auditing** tab. -![manualconfig_aduc_advauditing_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advauditing_winserver2016.webp) +![manualconfig_aduc_advauditing_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_aduc_advauditing_winserver2016.webp) **Step 4 –** Perform the following actions on the Windows Server 2012 and above: 
@@ -42,12 +42,12 @@ dialog, select the **Auditing** tab. 5. Scroll to the bottom of the list and make sure that the **Only apply these auditing settings to objects and/or containers within this container** checkbox is cleared. - ![manualconfig_objectlevel_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) + ![manualconfig_objectlevel_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) ## Enabling object-level auditing for the Configuration and Schema partitions To perform this procedure, you will need the -[ADSI Edit]() utility. Follow the +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility. Follow the steps to enable object-level auditing for the Configuration and Schema partitions. **Step 1 –** On any domain controller in the target domain, navigate to Start > Windows @@ -57,7 +57,7 @@ Administrative Tools **> ADSI Edit**. Settings** dialog, enable **Select a well-known Naming Context** and select **Configuration** from the drop-down list. -![manualconfig_adsi_connectionwinserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) +![manualconfig_adsi_connectionwinserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) **Step 3 –** Expand the **Configuration ``** node. Right-click the **CN=Configuration, DC=``,DC=``…** node and select **Properties.** 
@@ -77,6 +77,6 @@ dialog, open the **Auditing** tab. 5. Scroll to the bottom of the list and make sure that the **Only apply these auditing settings to objects and/or containers within this container** checkbox is cleared. - ![manualconfig_objectlevel_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) + ![manualconfig_objectlevel_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_objectlevel_winserver2016.webp) Repeat these steps for the Schema container if necessary. diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md b/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md index cb53560ac4..83033742a7 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md 
@@ -21,17 +21,17 @@ You can configure your IT Infrastructure for monitoring in one of the following configure them manually: - Configure the domain for auditing. See the - [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for + [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for information on configuring the domain. - On the Auditor console computer: - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Auditor to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key, as described in the - [Active Directory Registry Key Configuration](registrykey.md) topic. + [Active Directory Registry Key Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/registrykey.md) topic. **_RECOMMENDED:_** Adjust retention period for the backup files accordingly (default is - **50** hours). See the [Adjust Security Event Log Size and Retention](securitylog.md) + **50** hours). See the [Adjust Security Event Log Size and Retention](/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md) topic. - To provide for event data collection, the Secondary Logon service must be up and running . @@ -46,8 +46,8 @@ Domain, Configuration and Schema partitions. It also tracks changes to new objec attributes added due to the Active Directory Schema extension. For detailed information, refer to Microsoft articles: -- [A full list of Active Directory object classes]() -- [A full list of Active Directory object attributes]() +- [A full list of Active Directory object classes](http://msdn.microsoft.com/en-us/library/ms680938(v=vs.85).aspx) +- [A full list of Active Directory object attributes](http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx) Review the following limitations: 
@@ -78,9 +78,9 @@ Effective domain controllers policy settings must be configured as listed in the You can configure either **Basic domain audit policies**, or **Advanced domain audit policies**. - To configure these settings automatically using Netwrix Auditor, refer to the - [Active Directory: Automatic Configuration](automatic.md) topic. -- To configure them manually, refer to the [Configure Basic Domain Audit Policies](basicpolicy.md) - or [Configure Advanced Audit Policies](advancedpolicy.md) topics. + [Active Directory: Automatic Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md) topic. +- To configure them manually, refer to the [Configure Basic Domain Audit Policies](/docs/auditor/10.7/auditor/configuration/activedirectory/basicpolicy.md) + or [Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/activedirectory/advancedpolicy.md) topics. ## Audit Settings for AD Partitions @@ -97,8 +97,8 @@ These settings must be configured for **Everyone** security principal and applie and all descendant objects**. - You can configure these settings automatically using Netwrix Auditor, as described in the - [Active Directory: Automatic Configuration](automatic.md) topic. -- To configure them manually, refer o the [Configure Object-Level Auditing](objectlevel.md) topic. + [Active Directory: Automatic Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md) topic. +- To configure them manually, refer o the [Configure Object-Level Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md) topic. ### Configuration and Schema Partitions 
@@ -110,8 +110,8 @@ These settings must be configured for **Everyone** security principal and applie and its descendant objects**. - You can configure these settings automatically using Netwrix Auditor, as described in the - [Active Directory: Automatic Configuration](automatic.md) topic. -- To configure them manually, refer to the [Configure Object-Level Auditing](objectlevel.md) topic. + [Active Directory: Automatic Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md) topic. +- To configure them manually, refer to the [Configure Object-Level Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/objectlevel.md) topic. ## Security Event Log Settings @@ -124,9 +124,9 @@ and its descendant objects**. | Auto-archiving | Enabled | - You can configure these settings automatically using Netwrix Auditor, as described in the - [Active Directory: Automatic Configuration](automatic.md) topic. + [Active Directory: Automatic Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md) topic. - To configure them manually, refer to the - [Adjust Security Event Log Size and Retention](securitylog.md) topic. + [Adjust Security Event Log Size and Retention](/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md) topic. ## Exchange Settings @@ -135,7 +135,7 @@ changes can be made via that Exchange server. To be able to audit and report who you should: - Configure the Exchange Administrator Audit Logging (AAL) settings, as described the - [Exchange Administrator Audit Logging Settings](../exchange/auditlog.md) topic. + [Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic. - Make sure that the account used for data collection has the following: - Membership in the Organization Management or Records Management group 
@@ -147,11 +147,11 @@ you should: ### Next Steps - Configure Data Collecting Account, as described in the - [Additional Configuration to Review Changes Made via Exchange Server](additional.md) topic. -- Configure required protocols and ports, as described in the [Active Directory Ports](ports.md) + [Additional Configuration to Review Changes Made via Exchange Server](/docs/auditor/10.7/auditor/configuration/activedirectory/additional.md) topic. +- Configure required protocols and ports, as described in the [Active Directory Ports](/docs/auditor/10.7/auditor/configuration/activedirectory/ports.md) topic. - If you plan to restore deleted Active Directory objects and their attributes using the Netwrix Auditor Object Restore for Active Directory tool (shipped with Netwrix Auditor,) it is recommended to set the **Active Directory tombstone lifetime** property to 730 days (default is 180 days). See - the [Adjust Active Directory Tombstone Lifetime (optional)](tombstone.md) topic for additional + the [Adjust Active Directory Tombstone Lifetime (optional)](/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md b/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md index c96bb462fa..594a606259 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md 
@@ -26,7 +26,7 @@ The account used for data collection must meet the following requirements: additional information. If the account selected for data collection is not a member of the Domain Admins group, see the -[Assign Permission To Read the Registry Key](../windowsserver/permissions.md) topic. +[Assign Permission To Read the Registry Key](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) topic. ## Additional Configuration to Review Changes Made via Exchange Server @@ -37,11 +37,11 @@ you should make sure that the account used for data collection has any of the fo - Membership in the **Organization Management** or **Records Management** group. - The **Audit Logs** management role (see the - [Assigning Management Roles](../exchange/permissions.md#assign-management-roles) topic for + [Assigning Management Roles](/docs/auditor/10.7/auditor/configuration/exchange/permissions.md#assign-management-roles) topic for additional information). You will also need to configure Exchange Administrator Audit Logging (AAL) settings. See the -[Exchange Administrator Audit Logging Settings](../exchange/auditlog.md) topic for additional +[Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic for additional information. ## Additional Configuration for Domain Controller's Event Logs Auto-backup 
@@ -50,7 +50,7 @@ The following is required if auto-backup is enabled for the domain controller ev - Permissions to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key on the domain controllers in the target domain. See the - [Assign Permission To Read the Registry Key](../windowsserver/permissions.md) topic for additional + [Assign Permission To Read the Registry Key](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) topic for additional information. - Membership in one of the following groups: **Administrators**, **Print Operators**, **Server Operators**. @@ -87,7 +87,7 @@ If auto-backup is _enabled_ for the domain controller event logs: - Permissions to access the _HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security_ registry key on the domain controllers in the target domain. See the - [Assign Permission To Read the Registry Key](../windowsserver/permissions.md) topic for additional + [Assign Permission To Read the Registry Key](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) topic for additional information. - Membership in any of the following groups: Administrators, Print Operators, Server Operators - Read/Write share permission and Full control security permission on the logs backup folder. 
@@ -101,11 +101,11 @@ you should make sure that the account used for data collection has any of the fo - Membership in the **Organization Management** or **Records Management** group. - The **Audit Logs** management role (see the - [Assigning Management Roles](../exchange/permissions.md#assign-management-roles) topic for + [Assigning Management Roles](/docs/auditor/10.7/auditor/configuration/exchange/permissions.md#assign-management-roles) topic for additional information). You will also need to configure Exchange Administrator Audit Logging (AAL) settings. See the -[Exchange Administrator Audit Logging Settings](../exchange/auditlog.md) topic for additional +[Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic for additional information. If you are using gMSA for data collection, consider that AAL event data collection from your @@ -226,7 +226,7 @@ snap-in: navigate to Start > Windows Administrative Tools and select Local Secur **Step 2 –** In the **Local Security Policy** snap-in, navigate to **Security Settings** > **Local Policies > User Rights Assignment** and locate the **Log on as a batch job** policy. -![manualconfig_ws_logonasbatch](../../../../../../static/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) +![manualconfig_ws_logonasbatch](/img/product_docs/1secure/admin/datacollection/activedirectory/manualconfig_ws_logonasbatch.webp) **Step 3 –** Double-click the **Log on as a batch job** policy, and click **Add User or Group**. Specify the account that you want to define this policy for. diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/permissionsregistrykeys.md b/docs/auditor/10.7/auditor/configuration/activedirectory/permissionsregistrykeys.md index 83062c381e..8bedc9d10e 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/permissionsregistrykeys.md 
+++ b/docs/auditor/10.7/auditor/configuration/activedirectory/permissionsregistrykeys.md @@ -4,9 +4,9 @@ This permission is required only if the account selected for data collection is Domain Admins group. This permission should be assigned on each domain controller in the audited domain, so if your domain contains multiple domain controllers, it is recommended to assign permissions through Group Policy, or automatically using -[Audit Configuration Assistant](../../tools/auditconfigurationassistant.md). To assign permissions +[Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md). To assign permissions manually, use the Registry Editor snap-in or the Group Policy Management console. See the -[Permissions for Group Policy Auditing ](../grouppolicy/permissions.md)topic for additional +[Permissions for Group Policy Auditing ](/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md)topic for additional information. ## Assign Permission Via the Registry Editor Snap-in diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md b/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md index f36bb71c06..9929e67dff 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md 
@@ -23,7 +23,7 @@ To increase the maximum size of the Security event log and set its retention met 3. Navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Event Log** and double-click the **Maximum security log size** policy. - ![manualconfig_grouppolicymaxsecuritysizewinserver2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) + ![manualconfig_grouppolicymaxsecuritysizewinserver2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) 4. In the Maximum security log size Properties dialog, select **Define this policy setting** and set maximum security log size to **4194240** kilobytes (4GB). diff --git a/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md b/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md index 4a3cc1da67..4614bc2f7f 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectory/tombstone.md @@ -14,7 +14,7 @@ Take into consideration that increasing tombstone lifetime may affect Active Dir and operability. To perform this procedure, you will need the -[ADSI Edit]() utility.utility. +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility.utility. Follow the steps to change the tombstone lifetime attribute. 
@@ -25,7 +25,7 @@ Administrative Tools **> ADSI Edit**. Settings** dialog, enable **Select a well-known Naming Context** and select **Configuration** from the drop-down list. -![manualconfig_adsi_connectionwinserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) +![manualconfig_adsi_connectionwinserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_adsi_connectionwinserver2016.webp) **Step 3 –** Navigate to **Configuration `` → CN=Configuration,DC=``,DC=`` → CN=Services → CN=Windows NT → CN=Directory Service**. @@ -34,6 +34,6 @@ Right-click it and select **Properties** from the pop-up menu. **Step 4 –** In the **CN=Directory Service Properties** dialog, locate the **tombstoneLifetime** attribute in the **Attribute Editor** tab. -![manualconfig_adsi_tombstone_winserver2016](../../../../../../static/img/product_docs/auditor/auditor/configuration/activedirectory/manualconfig_adsi_tombstone_winserver2016.webp) +![manualconfig_adsi_tombstone_winserver2016](/img/product_docs/auditor/auditor/configuration/activedirectory/manualconfig_adsi_tombstone_winserver2016.webp) **Step 5 –** Click **Edit**. Set the value to _"730"_ (which equals 2 years). diff --git a/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md b/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md index 817de96cf4..3d6b9aa488 100644 --- a/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md +++ b/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md 
@@ -22,7 +22,7 @@ becomes the **primary** server. Other federation servers you add to the farm wil **secondary** servers. Make sure you have Windows Remote Management properly configured on your Auditor console computer. -See the [Software Requirements](../../requirements/software.md) topic for additional information. +See the [Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) topic for additional information. You can configure your IT Infrastructure for monitoring in one of the following ways: @@ -59,7 +59,7 @@ You can configure your IT Infrastructure for monitoring in one of the following - Adjust log size and retention settings for **Security** log and for **AD FS Admin** log (under **Applications and Service logs**). See - [Adjusting Event Log Size and Retention Settings](../windowsserver/eventlog.md) for details. + [Adjusting Event Log Size and Retention Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md) for details. - If AD FS Admin logging is disabled, you should enable it. - See the Configure AD FS farm manually topic for additional information. 
@@ -72,12 +72,12 @@ need to configure audit settings manually, as described later in this section. **Step 1 –** Select the AD FS data source in this monitoring plan (top row under the header), click **Edit data source** to open its settings. -![mp_adfs_listing_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/configuration/activedirectoryfederatedservices/mp_adfs_listing_thumb_0_0.webp) +![mp_adfs_listing_thumb_0_0](/img/product_docs/auditor/auditor/configuration/activedirectoryfederatedservices/mp_adfs_listing_thumb_0_0.webp) **Step 2 –** In the **Configure audit settings** section, select **Adjust audit settings automatically** check box. -![mp_data_source_ad_fs_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/configuration/activedirectoryfederatedservices/mp_data_source_ad_fs_thumb_0_0.webp) +![mp_data_source_ad_fs_thumb_0_0](/img/product_docs/auditor/auditor/configuration/activedirectoryfederatedservices/mp_data_source_ad_fs_thumb_0_0.webp) **Step 3 –** Save the settings. @@ -113,7 +113,7 @@ server versions **Step 3 –** Adjust log size and retention settings for **Security** log and for **AD FS Admin** log (under **Applications and Service logs**). See the -[Adjusting Event Log Size and Retention Settings](../windowsserver/eventlog.md) topic for additional +[Adjusting Event Log Size and Retention Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md) topic for additional information. If AD FS Admin logging is disabled, you should enable it. 
@@ -121,8 +121,8 @@ If AD FS Admin logging is disabled, you should enable it. _Remember,_ do the following: - Configure Data Collecting Account as described in the - [Permissions for AD FS Auditing](permissions.md) topic. -- Configure ports as described in the [AD FS Ports](ports.md) topic. + [Permissions for AD FS Auditing](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/permissions.md) topic. +- Configure ports as described in the [AD FS Ports](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/ports.md) topic. ## AD FS Servers Data Collection diff --git a/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md b/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md index 97a88cd7cf..f9b092e4e8 100644 --- a/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md +++ b/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md @@ -13,7 +13,7 @@ Logging (AAL) settings are configured as follows: | ExcludedCmdlets | \*-InboxRule, \*-MailboxAutoReplyConfiguration, Set-MailboxAuditBypassAssociation, Set-MailboxAutoReplyConfiguration, Set-MailboxCalendarConfiguration, Set-MailboxCalendarFolder, Set-MailboxFolderPermission, Set-MailboxJunkEmailConfiguration, Set-MailboxMessageConfiguration, Set-MailboxRegionalConfiguration, Set-MailboxSpellingConfiguration | This list of exclusions is set up as explained in step 3 of the procedure below. | You can configure these settings automatically using Netwrix Auditor, as described in the -[Active Directory: Automatic Configuration](../activedirectory/automatic.md) topic. +[Active Directory: Automatic Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/automatic.md) topic. To configure them manually, refer to the procedure described below. diff --git a/docs/auditor/10.7/auditor/configuration/exchange/mailboxacccess.md b/docs/auditor/10.7/auditor/configuration/exchange/mailboxacccess.md index 4afc4e6f2c..71ea93754e 100644 
--- a/docs/auditor/10.7/auditor/configuration/exchange/mailboxacccess.md +++ b/docs/auditor/10.7/auditor/configuration/exchange/mailboxacccess.md @@ -4,7 +4,7 @@ Netwrix Auditor allows tracking non-owner mailbox access in your Exchange organi It is recommended to select **Adjust audit settings automatically** option when setting up Exchange monitoring in Netwrix Auditor. See the -[Create a New Monitoring Plan](../../admin/monitoringplans/create.md) topic for additional +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. However, in some scenarios users may need to apply required audit settings manually. For that, diff --git a/docs/auditor/10.7/auditor/configuration/exchange/overview.md b/docs/auditor/10.7/auditor/configuration/exchange/overview.md index a75cad34d8..64918f11d3 100644 --- a/docs/auditor/10.7/auditor/configuration/exchange/overview.md +++ b/docs/auditor/10.7/auditor/configuration/exchange/overview.md 
@@ -43,10 +43,10 @@ You can configure your IT Infrastructure for monitoring in one of the following Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described in the - [Exchange Administrator Audit Logging Settings](auditlog.md) topic. + [Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic. - The Administrator Audit Logging settings must be configured (only required for Exchange 2019, 2016, 2013 or 2010). See the - [Exchange Administrator Audit Logging Settings](auditlog.md) topic for additional + [Exchange Administrator Audit Logging Settings](/docs/auditor/10.7/auditor/configuration/exchange/auditlog.md) topic for additional information. - In order to audit mailbox access, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes: @@ -56,7 +56,7 @@ You can configure your IT Infrastructure for monitoring in one of the following SendOnBehalf, Create - If you want to track non-owner access, configure mailbox monitoring. See the - [Configure Exchange for Monitoring Mailbox Access](mailboxacccess.md) topic for additional + [Configure Exchange for Monitoring Mailbox Access](/docs/auditor/10.7/auditor/configuration/exchange/mailboxacccess.md) topic for additional information. - On the Auditor console computer: 
@@ -64,11 +64,11 @@ You can configure your IT Infrastructure for monitoring in one of the following - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Auditor to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key, as described in the - [Active Directory Registry Key Configuration](../activedirectory/registrykey.md) topic. + [Active Directory Registry Key Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/registrykey.md) topic. **_RECOMMENDED:_** Adjust retention period for the backup files accordingly (default is **50** hours). See the - [Adjust Security Event Log Size and Retention](../activedirectory/securitylog.md) topic. + [Adjust Security Event Log Size and Retention](/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md) topic. - To provide for event data collection, the Secondary Logon service must be up and running . Open **Administrative Tools** > **Services**, right-click the **Secondary Logon** service @@ -78,8 +78,8 @@ You can configure your IT Infrastructure for monitoring in one of the following _Remember,_ for Exchange auditing, do the following: 1. Configure Data Collecting Account, as described in the - [Data Collecting Account](../../admin/monitoringplans/dataaccounts.md) topic. -2. Configure required protocols and ports, as described in the [Exchange Ports](ports.md) topic. + [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic. +2. Configure required protocols and ports, as described in the [Exchange Ports](/docs/auditor/10.7/auditor/configuration/exchange/ports.md) topic. ## Monitored Object Types, Actions, and Attributes diff --git a/docs/auditor/10.7/auditor/configuration/exchange/permissions.md b/docs/auditor/10.7/auditor/configuration/exchange/permissions.md index 5b25bc7edb..fd9e33e38d 100644 --- a/docs/auditor/10.7/auditor/configuration/exchange/permissions.md 
+++ b/docs/auditor/10.7/auditor/configuration/exchange/permissions.md @@ -20,11 +20,11 @@ The account used for data collection must meet the following requirements: Domain Admins group: - The Manage auditing and security log policy must be defined for this account. See the - [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. - If you plan to process the Active Directory Deleted Objects container, Read permission on this container is required. See the - [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. - The account must belong to the Organization Management or Records Management group. See the Add Account to the Organization Management Group topic for additional information. @@ -58,7 +58,7 @@ in the root domain of the forest where Microsoft Exchange 2019, 2016, or 2013 is **Step 4 –** In the **Organization Management Properties** dialog that opens, select the **Members** tab and click **Add**. -![manualconfig_orgmanagement2016](../../../../../../static/img/product_docs/auditor/auditor/configuration/exchange/manualconfig_orgmanagement2016.webp) +![manualconfig_orgmanagement2016](/img/product_docs/auditor/auditor/configuration/exchange/manualconfig_orgmanagement2016.webp) If for some reason you do not want this account to belong to the Organization Management group, you can add it to the Records Management group in the same way. The Records Management group is less 
@@ -93,7 +93,7 @@ Domain Admins group. This permission should be assigned on each domain controller in the audited domain, so if your domain contains multiple domain controllers, it is recommended to assign permissions through Group Policy, or automatically using -[Audit Configuration Assistant](../../tools/auditconfigurationassistant.md). +[Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md). To assign permissions manually, use the Registry Editor snap-in or the Group Policy Management console. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/cifss.md b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/cifss.md index 2b2ac7937c..bd9c725368 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/cifss.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/cifss.md @@ -14,7 +14,7 @@ you want to track: Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, renaming, and -copying. See the [Dell Data Storage](overview.md) topic for additional information. +copying. See the [Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md) topic for additional information. ## Configure Audit Settings for the CIFS File Shares Pre-Windows Server 2012 
@@ -71,7 +71,7 @@ Follow the steps to configure audit settings. **Step 9 –** In the **Advanced Security Settings for ``** dialog, navigate to the **Auditing** tab. -![auditing_entries_netapp_2016](../../../../../../../static/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) +![auditing_entries_netapp_2016](/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) **Step 10 –** Click Add to add a new principal. You can select Everyone (or another user-defined group containing users that are granted special permissions) and click Edit. 
@@ -97,10 +97,10 @@ additional information: | Auditing Entry | | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | ------------------------ | -------------------- | ----------------------------- | --- | --- | --- | --- | --- | --- | ---------- | --- | --- | --- | --- | ---------- | --------------------------------- | --------------------------------- | --------------------------------- | --- | ---- | --- | --- | --- | --- | ------- | ------- | ---- | ---- | --- | -------------------- | --- | --- | --- | --- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | | **Successful reads** | | -| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: ![manualconfig_fileserver_auditingentry_1_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - Type—Set to _"Success"_. 
- Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: ![manualconfig_fileserver_auditingentry_1_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - Type—Set to _"Success"_. - Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | | **Successful changes** | | -| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: ![manualconfig_fileserver_emc_auditingentry](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_emc_auditingentry.webp) - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: ![manualconfig_fileserver_emc_auditingentry](/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_emc_auditingentry.webp) - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. 
- Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | | **Failed read attempts** | | -| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts: ![manualconfig_fileserver_auditingentry_3_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts: ![manualconfig_fileserver_auditingentry_3_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | | **Failed change attempts** | | -| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts: ![manualconfig_fileserver_emc_auditingentry_fail](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_emc_auditingentry_fail.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. 
- Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | Successful reads | Successful modifications | Failed read attempts | Failed modifications attempts | | --- | --- | --- | --- | | Applies to | | | | | Files only | This folder, subfolders and files | This folder, subfolders and files | This folder, subfolders and files | | Type | | | | | Success | Success | Fail | Fail | | Advanced permissions | | | | | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | | | +| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts: ![manualconfig_fileserver_emc_auditingentry_fail](/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_emc_auditingentry_fail.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. 
| Successful reads | Successful modifications | Failed read attempts | Failed modifications attempts | | --- | --- | --- | --- | | Applies to | | | | | Files only | This folder, subfolders and files | This folder, subfolders and files | This folder, subfolders and files | | Type | | | | | Success | Success | Fail | Fail | | Advanced permissions | | | | | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | | | diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/objectaccess.md b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/objectaccess.md index a59d03a5e7..2169ddff86 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/objectaccess.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/objectaccess.md @@ -27,7 +27,7 @@ node on the left and navigate to **Policies → Windows Settings → Security Se | -------------- | ----------------------- | --------------------------- | | Audit Policy | **Audit object access** | _"Success"_ and _"Failure"_ | -![manualconfig_fileserver_auditpolicy2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_auditpolicy2016.webp) +![manualconfig_fileserver_auditpolicy2016](/img/product_docs/auditor/auditor/configuration/fileservers/delldatastorage/manualconfig_fileserver_auditpolicy2016.webp) **Step 6 –** To update the group policies, execute the following command: 
@@ -47,4 +47,4 @@ node on the left and navigate to **Policies → Windows Settings → Security Se You can configure advanced audit policy to narrow the range of events tracked and recorded by the product, thus preventing your AuditArchive and the Security event log from overfilling. See the -[Configure Security Event Log Maximum Size](securityeventlog.md) topic for additional information. +[Configure Security Event Log Maximum Size](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/securityeventlog.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md index d2551da3d9..c9abb97bb3 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md @@ -54,7 +54,7 @@ First, you should decide on the objects and actions you want to track. Consider - Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). - Besides, monitoring and reporting of the Dell Data Storage systems may not provide the results you - expect — due to native Dell audit peculiarities. See the [File Servers](../overview.md) topic for + expect — due to native Dell audit peculiarities. See the [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) topic for additional information. For example, the _change_ operation (in Auditor terminology) includes creation, modification, and 
@@ -65,7 +65,7 @@ deletion. To collect comprehensive audit data, you must configure your file shares for monitoring. Consider the following: -**Step 1 –** [Configure Security Event Log Maximum Size](securityeventlog.md) to avoid overwriting +**Step 1 –** [Configure Security Event Log Maximum Size](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/securityeventlog.md) to avoid overwriting of the security logs; it is recommended to set security log size to a maximum (4GB). Auditor does not clean Dell Unity logs automatically, the log will start overwriting when it goes beyond the limit. See the @@ -77,9 +77,9 @@ and its size is set to 512 KB. The default location for the security.evt log is which corresponds to the root partition of the Data Mover. To be able to increase the security log size, you must move it from the Data Mover root folder. -**Step 3 –** [Configure Audit Object Access Policy](objectaccess.md). Set the Audit object access +**Step 3 –** [Configure Audit Object Access Policy](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/objectaccess.md). Set the Audit object access policy to "Success" and "Failure" in the Group Policy of the OU where your Dell VNX/VNXe/Unity/Celerra appliance belongs to. For more information on VNX/VNXe/Unity/Celerra GPO support, refer to documentation provided by Dell. -**Step 4 –** [Configure Audit Settings for CIFS File Shares on Dell Data Storage](cifss.md) +**Step 4 –** [Configure Audit Settings for CIFS File Shares on Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/cifss.md) diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md index f4e5a72bf0..5c0046a6e9 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md 
@@ -40,8 +40,8 @@ You can configure your IT Infrastructure for monitoring in one of the following To configure your Dell Isilon/PowerScale appliance for monitoring perform the following procedures: -- [Normal and Enterprise Modes for Clusters](normal.md) -- [Compliance Mode](compliance.md) +- [Normal and Enterprise Modes for Clusters](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/normal.md) +- [Compliance Mode](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/compliance.md) If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/permissions.md b/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/permissions.md index 0cb2f0534e..fe8d4e8965 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/permissions.md @@ -55,4 +55,4 @@ To grant the necessary permissions to Isilon/PowerScale data collecting account to perform all steps for manual audit configuration, otherwise the product will not function properly. -See the [Normal and Enterprise Modes for Clusters](normal.md) topic for additional information. +See the [Normal and Enterprise Modes for Clusters](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/normal.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md index 23965f52a1..3e9c6b5668 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md 
@@ -13,7 +13,7 @@ options that you want to track: Actions reported by Netwrix Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, renaming, and copying. To track the copy action, enable successful read access and change auditing. See the -[File Servers](../overview.md) topic for additional information. +[File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) topic for additional information. Do one of the following depending on the OS: @@ -33,7 +33,7 @@ Do one of the following depending on the OS: 3. In the **Advanced Security Settings for ``** dialog, navigate to the **Auditing** tab, click Edit. - ![auditing_entries_netapp](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/auditing_entries_netapp.webp) + ![auditing_entries_netapp](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/auditing_entries_netapp.webp) 4. In a separate **Advanced Security Settings for ``** dialog, click Add to add a principal. You can also select **Everyone** (or another user-defined group containing users that @@ -70,7 +70,7 @@ Do one of the following depending on the OS: 3. In the **Advanced Security Settings for ``** dialog, navigate to the **Auditing** tab, click Edit. - ![auditing_entries_netapp_2016](../../../../../../../static/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) + ![auditing_entries_netapp_2016](/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) 4. Click Add to add a new principal. You can also select Everyone (or another user-defined group containing users that are granted special permissions) and click Edit. 
@@ -91,25 +91,25 @@ Do one of the following depending on the OS: - Failed read attempts - Failed change attempts | Auditing Entry | | | --- | --- | | Successful reads | | | The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - ![manualconfig_fileserver_auditingentry_1_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - + ![manualconfig_fileserver_auditingentry_1_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - Type—Set to*"Success"*. - Applies to—Set to*"Files only"*. - Advanced permissions—SelectList folder / read data. - Make sure that theOnly apply these auditing settings to objects and/or containers within this containercheckbox is cleared. | | | Successful changes | | | The Auditing Entry below shows Advanced Permissions for auditing successful changes only: - ![manualconfig_fileserver_auditingentry_2_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_2_2016.webp) - + ![manualconfig_fileserver_auditingentry_2_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_2_2016.webp) - Type—Set to*"Success"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that theOnly apply these auditing settings to objects and/or containers within this containercheckbox is cleared. 
| | | Failed read attempts | | | The Auditing Entry below shows Advanced Permissions for auditing failed read attempts: - ![manualconfig_fileserver_auditingentry_3_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - + ![manualconfig_fileserver_auditingentry_3_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - Type—Set to*"Fail"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced permissions—SelectList folder / read data. - Make sure that theOnly apply these auditing settings to objects and/or containers within this containercheckbox is cleared. | | | Failed change attempts | | | The Auditing Entry below shows Advanced Permissions for auditing failed change attempts: - ![manualconfig_fileserver_auditingentry_4_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_4_2016.webp) - + ![manualconfig_fileserver_auditingentry_4_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_4_2016.webp) - Type—Set to*"Fail"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/eventcategories.md b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/eventcategories.md index d77ddecac0..e39dd811d7 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/eventcategories.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/eventcategories.md 
@@ -105,14 +105,14 @@ To configure logs retention period For the backup logs retention functionality to work properly, you need to specify the CleanAutoBackupLogs name for the newly created registry value. - ![manualconfig_fileserver_netapp_createregistryvalue_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_netapp_createregistryvalue_2016.webp) + ![manualconfig_fileserver_netapp_createregistryvalue_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_netapp_createregistryvalue_2016.webp) 4. Double-click **CleanAutoBackupLogs**. The **Edit DWORD Value** dialog will open. 5. This value defines the time period (in hours) after which security event logs archives will be automatically deleted. By default, it is set to _"0"_ (decimal). Modify this value, if necessary, and click **OK** to save the changes. - ![manualconfig_retentionperiodbackuplog_winserver2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_retentionperiodbackuplog_winserver2016.webp) + ![manualconfig_retentionperiodbackuplog_winserver2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_retentionperiodbackuplog_winserver2016.webp) 6. **NOTE:** If the **CleanAutoBackupLogs** registry value is set to _"0"_, you will have to remove the old logs manually, or you may run out of space on your hard drive. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md index f40b24ea0a..f2b076a7e6 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md 
@@ -86,7 +86,7 @@ You can configure your IT Infrastructure for monitoring in one of the following See the following topics for additional information: - Configure NetApp Clustered Data ONTAP 8 and ONTAP 9 for Monitoring -- [Configure Audit Settings for CIFS File Shares](cifs.md) +- [Configure Audit Settings for CIFS File Shares](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md) The following table lists the actions that can be performed on NetApp: @@ -114,10 +114,10 @@ only. To configure Clustered Data ONTAP 8 and ONTAP 9 for monitoring, perform the following procedures: - Prerequisites -- [Configure ONTAPI\RESTAPI Web Access](webaccess.md) -- [Configure System Service Firewall Policies](ports.md) -- [Configure Service Policy](servicepolicy.md) -- [Configure Event Categories and Log](eventcategories.md) +- [Configure ONTAPI\RESTAPI Web Access](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/webaccess.md) +- [Configure System Service Firewall Policies](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/ports.md) +- [Configure Service Policy](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/servicepolicy.md) +- [Configure Event Categories and Log](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/eventcategories.md) ### Prerequisites @@ -137,7 +137,7 @@ Perform the following steps before proceeding with the audit configuration. **NOTE**: NFS file shares are not supported. **Step 2 –** Configure System Access Control List (SACL) on your file share. See -[Configure Audit Settings for CIFS File Shares](cifs.md) topic for additional information. +[Configure Audit Settings for CIFS File Shares](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/cifs.md) topic for additional information. **Step 3 –** Set the Security Style for Volume or Qtree where the audited file shares are located to the _"ntfs"_ or _"mixed"_. 
diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/webaccess.md b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/webaccess.md index 4dbde2ff5f..ed79c74ebd 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/webaccess.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/webaccess.md @@ -50,7 +50,7 @@ To display the current settings of web services for SVM svm1, use the following cluster1::> vserver services web show -vserver svm1 ``` -**Step 4 –** Review the [Permissions for NetApp Auditing](permissions.md) topic for additional +**Step 4 –** Review the [Permissions for NetApp Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/permissions.md) topic for additional information on how to create the role and enable AD user access. **Step 5 –** Enable HTTP/HTTPS access. For example: @@ -83,7 +83,7 @@ cluster1::> vserver services web modify -vserver svm1 -name rest -enabled true - **Step 7 –** Make sure that the custom role (e.g., netwrix_role for ONTAPI or netwrix_rest_role for RESTAPI) assigned to your account specified for data collection can access ONTAPI or RESTAPI. See -[Permissions for NetApp Auditing](permissions.md) topic for additional information. +[Permissions for NetApp Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/permissions.md) topic for additional information. ``` cluster1::> vserver services web access show -name ontapi -vserver svm1 diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/notificationpolicy.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/notificationpolicy.md index 87c2a7eea1..de28ac5d69 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/notificationpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/notificationpolicy.md 
@@ -37,7 +37,7 @@ If you select to launch the RestAPI Explorer from the Prism menu, the **RestAPI client will be opened. 2. In the **username** and **password** fields, enter the credentials of the - [Create User Account to Access Nutanix REST API](useraccount.md) you have created. + [Create User Account to Access Nutanix REST API](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md) you have created. 3. Click **Explore**. 4. In the **File Server REST API Explorer** REST API client, locate the POST request for `notification_policies` : @@ -94,7 +94,7 @@ _"protocol_type_list" : ["SMB"]_ - instructs to track SMB shares (the only curre _``_ – enter the name of notification policy you want to create -_``_ - enter the `uuid` of [Configure Partner Server](partnerserver.md) +_``_ - enter the `uuid` of [Configure Partner Server](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md) _``_ - enter the list of operations to be audited. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md index 1a4c35e844..1a574e83c2 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md 
@@ -35,9 +35,9 @@ You can configure your IT Infrastructure for monitoring in one of the following To configure your Nutanix File Server for monitoring SMB shares, you will need to do the following: **Step 1 –** Create a user account to access the Nutanix REST API. See the -[Create User Account to Access Nutanix REST API](useraccount.md) topic for additional information. +[Create User Account to Access Nutanix REST API](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md) topic for additional information. -**Step 2 –** Open a port for inbound connections. See the [Nutanix Ports](ports.md) topic for +**Step 2 –** Open a port for inbound connections. See the [Nutanix Ports](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md) topic for additional information. In addition, configure the Auditor console server as a partner server for Nutanix Files, and create @@ -46,11 +46,11 @@ performed in any of the following ways: - Automatically when creating a monitoring plan. For that, you should select the **Adjust audit settings automatically** option in the monitoring plan wizard. See the - [Settings for Data Collection](../../../admin/monitoringplans/create.md#settings-for-data-collection) + [Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic for additional information. - Manually, as described in the corresponding topics: - - [Configure Partner Server](partnerserver.md) - - [Create a Notification Policy](notificationpolicy.md) + - [Configure Partner Server](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md) + - [Create a Notification Policy](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/notificationpolicy.md) Remember that in both cases (automatic or manual configuration) you will need to complete the steps above to ensure that the user account for accessing REST API is created and the listening port on 
diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md index cf114e0d89..407378bf0a 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/partnerserver.md @@ -20,13 +20,13 @@ If you select to launch the RestAPI Explorer from the Prism menu, the **RestAPI server will be opened. 2. In the **username** and **password** fields, enter the credentials of the - [Create User Account to Access Nutanix REST API](useraccount.md) you have created. + [Create User Account to Access Nutanix REST API](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md) you have created. 3. Click **Explore**. 4. Locate the POST request for **partner_servers** endpoint: `POST /partner_servers` -![api_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_thumb_0_0.webp) +![api_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_thumb_0_0.webp) 5. In the request body, enter the following JSON-formatted structure: @@ -91,7 +91,7 @@ This address must be visible from the Nutanix File Server network. The request body must be empty - for that, enter empty brackets as the **value** for _get_entities_request_ parameter: `{ }` -![api_partner_server_resquest_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_partner_server_resquest_thumb_0_0.webp) +![api_partner_server_resquest_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/api_partner_server_resquest_thumb_0_0.webp) 9. The response body should contain the list of servers, including new partner server name and other settings. 
diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/permissions.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/permissions.md index fe4e25202f..9bf640ebdf 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/permissions.md @@ -9,10 +9,10 @@ First, you need an account that Netwrix Auditor will use to access Nutanix File requires at least _Read_ permission for the target SMB shares on the Nutanix File Server. This is the account you will provide in the monitoring plan wizard at the -[Create a New Monitoring Plan](../../../admin/monitoringplans/create.md) step; it can be modified in +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) step; it can be modified in the **General** tab of the monitored item settings. -![nutanix_item_mp_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_item_mp_thumb_0_0.webp) +![nutanix_item_mp_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_item_mp_thumb_0_0.webp) This account must have a role with sufficient privileges on that server: **File Server Admin** (recommended) or **Backup Admin** role. @@ -24,7 +24,7 @@ You will also need an account that will be used to connect to Nutanix File Serve This account should be provided in the **Nutanix File Server REST API** tab of the monitored item (_Nutanix SMB shares_) settings. -![nutanix_item_restapi_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_item_restapi_thumb_0_0.webp) +![nutanix_item_restapi_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_item_restapi_thumb_0_0.webp) This account must be assigned the **REST API access users** role for Nutanix File Server you want to audit. 
@@ -58,11 +58,11 @@ format and select the **File Server Admin** or **Backup Admin** role to assign **Step 8 –** Enter the local user account and password, then click **Save** next to these cells to save the settings. -![nutanix_user_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_user_thumb_0_0.webp) +![nutanix_user_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_user_thumb_0_0.webp) **Step 9 –** When finished, click **Close**. See the following topics for additional information. -- [Add Items for Monitoring](../../../admin/monitoringplans/datasources.md#add-items-for-monitoring) -- [Create User Account to Access Nutanix REST API](useraccount.md). +- [Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) +- [Create User Account to Access Nutanix REST API](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md). diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md index b3638e7fa1..51efbc3636 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md @@ -44,5 +44,5 @@ Tip for reading the table: For example, on the computer where Netwrix Auditor Se **NOTE:** You need to open the 9898 TCP port for inbound connections manually. Later, you can specify any custom TCP port when editing your Nutanix Files monitoring plan. See the -[File Servers](../../../admin/monitoringplans/fileservers/overview.md) (Nutanix section) for more +[File Servers](/docs/auditor/10.7/auditor/admin/monitoringplans/fileservers/overview.md) (Nutanix section) for more information. 
diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md index b498dc07e8..02f9f8d95e 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/useraccount.md @@ -38,7 +38,7 @@ To create a new user account with Nutanix Prism: 4. In the **Manage roles** dialog locate the **REST API access user** section and click **+New user**. - ![nutanix_user_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_user_thumb_0_0.webp) + ![nutanix_user_thumb_0_0](/img/product_docs/auditor/auditor/configuration/fileservers/nutanix/nutanix_user_thumb_0_0.webp) 5. Enter local user account name and password, then click **Save** next to them to save the settings. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/overview.md index a864cbc1f1..8770963bd7 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/overview.md 
@@ -14,13 +14,13 @@ knowledge base article for additional information. The following topics list the operations with files and folders that can be monitored and reported by Auditor on these supported storage systems.: -- [Dell Data Storage](delldatastorage/overview.md) -- [Dell Isilon/PowerScale](dellisilon/overview.md) -- [NetApp Data ONTAP](netappcmode/overview.md) -- [Nutanix](nutanix/overview.md) -- [Qumulo](qumulo/overview.md) -- [Synology](synology/overview.md) -- [Windows File Servers](windows/overview.md) +- [Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md) +- [Dell Isilon/PowerScale](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md) +- [NetApp Data ONTAP](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md) +- [Nutanix](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md) +- [Qumulo](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md) +- [Synology](/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md) +- [Windows File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md) ## State-in-Time Data @@ -33,7 +33,7 @@ corresponding option in the data source settings within the monitoring plan. Starting with the version 10, the product is able to report about sensitive data in your IT infrastructure. Pay attention to the "_Data categories_" column in search and reports (for the "_File_" object types only). See the -[Sensitive Data Discovery ](../../admin/settings/sensitivedatadiscovery.md) topic for additional +[Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md) topic for additional information on how to enable monitoring of sensitive data in Auditor. ## Monitored Object Attributes 
@@ -41,7 +41,7 @@ information on how to enable monitoring of sensitive data in Auditor. The table below lists the object types and attributes that can be monitored by Auditor. For more information on the attributes marked with (\*) , refer to the following Microsoft article: -[File Attribute Constants](). +[File Attribute Constants](https://msdn.microsoft.com/en-us/library/windows/desktop/gg258117(v=vs.85).aspx). | Object type | Attributes | | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/configure.md b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/configure.md index 739acf1a58..d542c02d88 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/configure.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/configure.md @@ -14,7 +14,7 @@ To configure Core Audit for Qumulo file servers be a third-party Syslog forward service or the machine where Netwrix Auditor is installed. - Port Number – use the default value (_514_). - ![qumulo_web_ui](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/qumulo/qumulo_web_ui.webp) + ![qumulo_web_ui](/img/product_docs/auditor/auditor/configuration/fileservers/qumulo/qumulo_web_ui.webp) When you see the green line “_Connected_”, the environment is ready. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md index dc9da68fad..210801f746 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md 
+++ b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md @@ -21,7 +21,7 @@ You can configure your IT Infrastructure for monitoring in one of the following configure them manually: - The Remote Syslog Address and port number must be configured as described in the - [Configure Core Audit for Qumulo File Servers](configure.md) topic. + [Configure Core Audit for Qumulo File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/configure.md) topic. Review a full list of object types Netwrix Auditor can collect on Qumulo network devices. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/permissions.md b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/permissions.md index 41bb64b698..f617c6d2aa 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/permissions.md @@ -7,7 +7,7 @@ Then you will provide this account in the monitoring plan wizard (or monitored i Starting with version 9.96, you can use group Managed Service Accounts (gMSA) as data collecting accounts. -See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic and the +See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic and the [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) Microsoft article for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md index ca3fb69553..6bf5f7e3aa 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md 
@@ -21,7 +21,7 @@ You can configure your IT Infrastructure for monitoring in one of the following configure them manually: - The log sending must be configured as described in the - [Configure Synology File Servers for Audit](configure.md) topic. + [Configure Synology File Servers for Audit](/docs/auditor/10.7/auditor/configuration/fileservers/synology/configure.md) topic. Review a full list of object types Netwrix Auditor can collect on Synology NAS network devices. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/synology/permissions.md b/docs/auditor/10.7/auditor/configuration/fileservers/synology/permissions.md index b5666e88aa..8b317cb7f1 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/synology/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/synology/permissions.md @@ -7,7 +7,7 @@ Then you will provide this account in the monitoring plan wizard (or monitored i Starting with version 9.96, you can use group Managed Service Accounts (gMSA) as data collecting accounts. -See the [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) topic and the +See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic and the [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) Microsoft article for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md index f65353ef55..5fe8603a3a 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md 
@@ -2,7 +2,7 @@ Configure advanced audit policies to limit the range of events tracked and recorded by the product, thus preventing your AuditArchive and the Security event log from overfilling. Perform procedures -below instead of the [Configure Local Audit Policies](localpolicy.md). +below instead of the [Configure Local Audit Policies](/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md). ## Configure Security Options @@ -18,7 +18,7 @@ Windows Administrative Tools > Local Security Policy. **Step 2 –** Navigate to Security Settings > Local Policies > Security Options and locate the Audit: Force audit policy subcategory settings policy. -![Local Security Policy snap-in ](../../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) +![Local Security Policy snap-in ](/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) **Step 3 –** Double-click the policy and enable it. diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/eventlog.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/eventlog.md index c66b0bb37e..d0768e6101 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/eventlog.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/eventlog.md @@ -13,7 +13,7 @@ Follow the steps to configure Event Log Size and Retention Settings. **Step 2 –** Navigate to Event Viewer tree > Windows Logs, right-click **Security** and select **Properties**. -![Log Properties dialog box](../../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) +![Log Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) **Step 3 –** Make sure Enable logging is selected. 
diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md index d437b68faa..b95e1debd5 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md @@ -1,7 +1,7 @@ # Configure Local Audit Policies You can choose to configure local audit policies or advanced audit policies.See the -[Configure Advanced Audit Policies](advancedpolicy.md) topic for more information. +[Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md) topic for more information. Follow the steps to configure local audit policies. @@ -20,4 +20,4 @@ Windows Administrative Tools > Local Security Policy. Local audit policy is configured. -![Local Security Policy snap-in](../../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) +![Local Security Policy snap-in](/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md index 130c3709cf..77c66455a7 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md 
@@ -13,7 +13,7 @@ options that you want to track: Actions reported by Netwrix Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, renaming, and copying. To track the copy action, enable successful read access and change auditing. See the -[File Servers](../overview.md) topic for additional information. +[File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) topic for additional information. Perform one of the following procedures depending on the OS version you are using: @@ -32,7 +32,7 @@ Follow the steps to configure Object-level access auditing on Windows Server 201 **Step 3 –** In the Advanced Security Settings for `` dialog box, navigate to the Auditing tab. -![Advanced Security Settings for Share_Name dialog box](../../../../../../../static/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) +![Advanced Security Settings for Share_Name dialog box](/img/product_docs/1secure/configuration/computer/auditing_entries_netapp_2016.webp) **Step 4 –** Click **Add** to add a new principal. You can select **Everyone** (or another user-defined group containing users that are granted special permissions) and click **Edit**. 
@@ -54,13 +54,13 @@ Review the following for additional information: | Auditing Entry | | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | | Successful reads | | -| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: ![manualconfig_fileserver_auditingentry_1_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - Type—Set to _"Success"_. - Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: ![manualconfig_fileserver_auditingentry_1_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_1_2016.webp) - Type—Set to _"Success"_. - Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. 
| | | Successful changes | | -| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: ![manualconfig_fileserver_auditingentry_2_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_2_2016.webp) - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: ![manualconfig_fileserver_auditingentry_2_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_2_2016.webp) - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | | Failed read attempts | | -| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts: ![manualconfig_fileserver_auditingentry_3_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. 
| | +| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts: ![manualconfig_fileserver_auditingentry_3_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_3_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | | Failed change attempts | | -| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts: ![manualconfig_fileserver_auditingentry_4_2016](../../../../../../../static/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_4_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | | +| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts: ![manualconfig_fileserver_auditingentry_4_2016](/img/product_docs/auditor/auditor/configuration/fileservers/netappcmode/manualconfig_fileserver_auditingentry_4_2016.webp) - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. 
| | ## Configure Object-level access auditing on pre-Windows Server 2012 versions diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md index 5dad7b0c6b..975315f8de 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md @@ -118,7 +118,7 @@ requirements. **Step 2 –** Decide on audit data to collect. - Review the list of objects and attributes that can be monitored by Auditor: See the - [File Servers](../overview.md)topic for additional information. + [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md)topic for additional information. - Plan for the file servers and shares you want to audit: - - If you have multiple file shares frequently accessed by a significant number of users, it is reasonable to audit object changes only. Tracking all events may result in too much data 
@@ -150,14 +150,14 @@ requirements. event occurred but data collection time. - Auditor may report on several unexpected changes with _who_ (initiator's account) reported as _system_ due to the native Windows File Servers audit peculiarities. If you do not want to see - these changes, exclude them from the audit. See the [File Servers](../overview.md) topic for + these changes, exclude them from the audit. See the [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) topic for additional information. For example - mass file removals, when target Windows server generates too many events at a time and the product is unable to parse their sequences correctly. - Due to Windows limitations, the _copy/rename/move_ actions on remote file shares may be reported as two sequential actions: copying – as adding a new file and reading the initial file; renaming/moving – as removing the initial file and adding a new file with the same name. - To report on _copy_ actions on remote file shares, make sure that audit of successful read - operations is enabled. See the [Configure Object-Level Access Auditing](objectlevel.md) topic for + operations is enabled. See the [Configure Object-Level Access Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md) topic for additional information. **Step 4 –** Apply required audit settings. 
@@ -182,29 +182,29 @@ You can apply required audit settings to your Windows file servers in one of the In this case, the audit settings will be applied automatically, then they will be periodically checked and adjusted if necessary. See the - [Create a New Monitoring Plan](../../../admin/monitoringplans/create.md) topic for additional + [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. - **Manually.** To configure your Windows File Servers for monitoring manually, perform the following procedures: - - [Configure Object-Level Access Auditing](objectlevel.md) - - [Configure Local Audit Policies](localpolicy.md) or - [Configure Advanced Audit Policies](advancedpolicy.md) - - [Configure Event Log Size and Retention Settings](eventlog.md) - - [Enable Remote Registry Service](remoteregistryservice.md) - - [Windows File Server Ports](ports.md) + - [Configure Object-Level Access Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/windows/objectlevel.md) + - [Configure Local Audit Policies](/docs/auditor/10.7/auditor/configuration/fileservers/windows/localpolicy.md) or + [Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/fileservers/windows/advancedpolicy.md) + - [Configure Event Log Size and Retention Settings](/docs/auditor/10.7/auditor/configuration/fileservers/windows/eventlog.md) + - [Enable Remote Registry Service](/docs/auditor/10.7/auditor/configuration/fileservers/windows/remoteregistryservice.md) + - [Windows File Server Ports](/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md) With automatically applied settings, initial SACL configuration for DFS replication links may take longer than with manual configuration — however, automatic configuration will help to minimize the impact on the DFS backlog and replication process in general. **Step 5 –** Configure Data Collecting Account. 
See the -[Data Collecting Account](../../../admin/monitoringplans/dataaccounts.md) topic for additional +[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. **Step 6 –** Configure required protocols and ports. Set up protocols and ports. See the -[Dell Data Storage Ports](../delldatastorage/ports.md) topic for additional information. +[Dell Data Storage Ports](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/ports.md) topic for additional information. ## DFS-Related Constraints diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md index fe0ba197d0..fbb1721c75 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md @@ -9,7 +9,7 @@ Data Collection Accounts should meet the following policies and permissions: - Data collecting account on the target server must be a member of the local Administrators group. - The **Manage auditing and security log** and Backup files and directories policies must be defined for this account. See the - [Permissions for Active Directory Auditing](../../activedirectory/permissions.md) and topics for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) and topics for additional more information. - The **Read** share permission on the audited shared folders. - The Read NTFS permission on all objects in the audited folders. 
@@ -23,7 +23,7 @@ Administrators group. For more information on gMSA, see the following: -- [Use Group Managed Service Account (gMSA)](../../../requirements/gmsa.md) +- [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) - Microsoft article: [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md index aae10b3e77..29ed829164 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md @@ -40,7 +40,7 @@ settings** on the left. **Step 3 –** In the Windows Firewall with Advanced Security dialog, select **Inbound Rules** on the left. -![manualconfig_nla_inbound_connections2016](../../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) +![manualconfig_nla_inbound_connections2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) **Step 4 –** Enable the following inbound connection rules: diff --git a/docs/auditor/10.7/auditor/configuration/fileservers/windows/remoteregistryservice.md b/docs/auditor/10.7/auditor/configuration/fileservers/windows/remoteregistryservice.md index c367179903..2d4389db27 100644 --- a/docs/auditor/10.7/auditor/configuration/fileservers/windows/remoteregistryservice.md +++ b/docs/auditor/10.7/auditor/configuration/fileservers/windows/remoteregistryservice.md 
@@ -4,7 +4,7 @@ Follow the steps to enable the Remote Registry service. **Step 1 –** Navigate to Start > Windows Administrative Tools > Services. -![Services Console](../../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) +![Services Console](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) **Step 2 –** In the Services window, locate the Remote Registry service, right-click it and select **Properties**. @@ -12,7 +12,7 @@ Follow the steps to enable the Remote Registry service. **Step 3 –** In the Remote Registry Properties dialog box, make sure the Startup type parameter is set to _Automatic_ and click **Start**. -![Remote Registry Properties dialog box](../../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) +![Remote Registry Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) **Step 4 –** In the Services window, ensure that the Remote Registry service has the _Running_ status on Windows Server 2012 and above. diff --git a/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md b/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md index 66ac83312f..ac6965acdf 100644 --- a/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md +++ b/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md 
@@ -21,18 +21,18 @@ You can configure your IT Infrastructure for monitoring in one of the following configure them manually: - Configure the domain for auditing. See the - [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for + [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for information on configuring the domain. - On the Auditor console computer: - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Auditor to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key, as described in the - [Active Directory Registry Key Configuration](../activedirectory/registrykey.md) topic. + [Active Directory Registry Key Configuration](/docs/auditor/10.7/auditor/configuration/activedirectory/registrykey.md) topic. **_RECOMMENDED:_** Adjust retention period for the backup files accordingly (default is **50** hours). See the - [Adjust Security Event Log Size and Retention](../activedirectory/securitylog.md) topic. + [Adjust Security Event Log Size and Retention](/docs/auditor/10.7/auditor/configuration/activedirectory/securitylog.md) topic. - To provide for event data collection, the Secondary Logon service must be up and running . Open **Administrative Tools** > **Services**, right-click the **Secondary Logon** service diff --git a/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md b/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md index 52f31244c6..f531054d71 100644 --- a/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md 
@@ -6,7 +6,7 @@ you will provide this account in the monitoring plan wizard (or in the monitored You can use group Managed Service Accounts (gMSA) as data collecting accounts. -See the [Use Group Managed Service Account (gMSA)](../../requirements/gmsa.md) topic and the +See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic and the following Microsoft article: [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) for additional information about gMSA. @@ -14,7 +14,7 @@ for additional information about gMSA. ## Account Requirements **NOTE:** These group Managed Service Accounts should also meet the related requirements. See the -[Use Group Managed Service Account (gMSA)](../../requirements/gmsa.md) topic and the following +[Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) topic and the following Microsoft article: [Group Managed Service Accounts Overview](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) for additional information about gMSA. 
@@ -34,11 +34,11 @@ The account used for data collection must meet the following requirements: **Domain Admins** group: - **Manage auditing and security log** policy must be defined for this account. - See the [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic + See the [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. - If you plan to process Active Directory **Deleted Objects** container, **Read** permission on this container is required. See the - [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. ## Additional Configuration for Domain Controller's Event Logs Auto-backup @@ -60,7 +60,7 @@ Domain Admins group. This permission should be assigned on each domain controller in the audited domain, so if your domain contains multiple domain controllers, it is recommended to assign permissions through Group Policy, or automatically using -[Audit Configuration Assistant](../../tools/auditconfigurationassistant.md). +[Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md). To assign permissions manually, use the Registry Editor snap-in or the Group Policy Management console. 
@@ -132,7 +132,7 @@ domain controllers. Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for collecting data, after configuring the integration. See the -[Netwrix Privilege Secure](../../admin/settings/privilegesecure.md) topic for additional information +[Netwrix Privilege Secure](/docs/auditor/10.7/auditor/admin/settings/privilegesecure.md) topic for additional information about integration and supported data sources. In this case, the credentials will not be stored by Netwrix Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring password rotation or using temporary accounts for data collection. @@ -144,7 +144,7 @@ Follow the steps to use Netwrix Privilege Secure as an account for data collect **Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data collection. -![npsdatacollectingaccount](../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) +![npsdatacollectingaccount](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccount.webp) **Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure. Credential-based is the default option. Refer to the 
@@ -157,7 +157,7 @@ and to which Netwrix Auditor has the access through a Credential-based access po **NOTE:** Netwrix recommends using different credentials for different monitoring plans and data sources. -![npsdatacollectingaccountresourced](../../../../../../static/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) +![npsdatacollectingaccountresourced](/img/product_docs/auditor/auditor/configuration/grouppolicy/npsdatacollectingaccountresourced.webp) The second option is Resource-based. To use this option, you need to provide the Activity and Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md b/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md index bee529360a..027aeab8c0 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md @@ -28,7 +28,7 @@ To do it, perform the following steps: 4. Locate the Audit: Force audit policy subcategory settings to override audit policy category settings and make sure that policy setting is set to _"Enabled"_. - ![manualconfig_ad_nla_audit_force_winserver2016](../../../../../../static/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) + ![manualconfig_ad_nla_audit_force_winserver2016](/img/product_docs/1secure/configuration/ad/manualconfig_ad_nla_audit_force_winserver2016.webp) 5. Run the following command to update group policy: 
@@ -55,7 +55,7 @@ To do it, perform the following steps: | - Audit Logon | _"Success"_ and _"Failure"_ | | | System | - Audit Security State Change | _"Success"_ | - ![manualconfig_nla_advpol2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_advpol2016.webp) + ![manualconfig_nla_advpol2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_advpol2016.webp) 5. Run the following command to update group policy: diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/basicpolicy.md b/docs/auditor/10.7/auditor/configuration/logonactivity/basicpolicy.md index 33f3bc4dcc..a9e73ce510 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/basicpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/basicpolicy.md @@ -2,7 +2,7 @@ Basic local audit policies allow tracking changes to user accounts and groups and identifying originating workstations. You can configure advanced audit policies for the same purpose too. See -the [Configure Advanced Audit Policies](advancedpolicy.md) topic for additional information. +the [Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md) topic for additional information. 1. Open the **Group Policy Management** console on any domain controller in the target domain: navigate to Start > Windows Administrative Tools (Windows Server 2016 and higher) or @@ -21,7 +21,7 @@ the [Configure Advanced Audit Policies](advancedpolicy.md) topic for additional | Audit account logon events | _"Success"_ and _"Failure"_ | | Audit system events | _"Success"_ | - ![manualconfig_nla_auditpolicies2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_auditpolicies2016.webp) + ![manualconfig_nla_auditpolicies2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_auditpolicies2016.webp) 5. Run the following command to update group policy: 
diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md b/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md index fd3b6b1521..21ee23edcc 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md @@ -20,7 +20,7 @@ You can configure your IT Infrastructure for monitoring in one of the following - For both new and existing monitoring plans, you can click **Launch Audit Configuration Assistant** (in the wizard step or in the plan settings, respectively) to launch a special tool that can detect current infrastructure settings and adjust them as needed for monitoring. - See the [Audit Configuration Assistant](../../tools/auditconfigurationassistant.md) topic for + See the [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) topic for additional information. - Manually – Native audit settings must be adjusted manually to ensure collecting comprehensive and @@ -46,10 +46,10 @@ You can configure your IT Infrastructure for monitoring in one of the following See the following topics for additional information: -- [Configure Basic Domain Audit Policies](basicpolicy.md) -- [Configure Advanced Audit Policies](advancedpolicy.md) -- [Configure Security Event Log Size and Retention Settings](securityeventlog.md) -- [ Logon Activity Ports](ports.md) +- [Configure Basic Domain Audit Policies](/docs/auditor/10.7/auditor/configuration/logonactivity/basicpolicy.md) +- [Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/logonactivity/advancedpolicy.md) +- [Configure Security Event Log Size and Retention Settings](/docs/auditor/10.7/auditor/configuration/logonactivity/securityeventlog.md) +- [ Logon Activity Ports](/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md) ## Logon Activity Actions 
diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md b/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md index 9675af58b3..0e5df3c265 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md @@ -37,13 +37,13 @@ Follow the steps to configure non-administrative account to collect logon activi **Step 1 –** Create a domain user with the following privileges: - Back up files and directories. See the -  [Configure the Back up Files and Directories Policy](../fileservers/windows/configuration.md) +  [Configure the Back up Files and Directories Policy](/docs/auditor/10.7/auditor/configuration/fileservers/windows/configuration.md) topic for additional information. - Log on as a batch job. See the - [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. - Manage auditing and security log. See the - [Configure the Manage Auditing and Security Log Policy](../activedirectory/permissions.md#configure-the-manage-auditing-and-security-log-policy) + [Configure the Manage Auditing and Security Log Policy](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md#configure-the-manage-auditing-and-security-log-policy) topic for additional information. **Step 2 –** Grant the _Read_ permission on the following registry keys to this user: 
@@ -53,5 +53,5 @@ Follow the steps to configure non-administrative account to collect logon activi - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security` See the -[Assign Permission To Read the Registry Key](../windowsserver/permissions.md#assign-permission-to-read-the-registry-key) +[Assign Permission To Read the Registry Key](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md#assign-permission-to-read-the-registry-key) topic for additional information on how to do it using Registry Editor. diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md b/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md index 89e8186e44..e309b3d20b 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md @@ -36,7 +36,7 @@ settings** on the left. **Step 3 –** In the Windows Firewall with Advanced Security dialog, select Inbound Rules on the left. -![manualconfig_nla_inbound_connections2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) +![manualconfig_nla_inbound_connections2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) **Step 4 –** Enable the following inbound connection rules: diff --git a/docs/auditor/10.7/auditor/configuration/logonactivity/securityeventlog.md b/docs/auditor/10.7/auditor/configuration/logonactivity/securityeventlog.md index 314a6a1098..53724345af 100644 --- a/docs/auditor/10.7/auditor/configuration/logonactivity/securityeventlog.md +++ b/docs/auditor/10.7/auditor/configuration/logonactivity/securityeventlog.md 
@@ -13,7 +13,7 @@ Administrative Tools (Windows 2012) **Group Policy Management.** **Step 3 –** Navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Event Log** and double-click the **Maximum security log size** policy. -![manualconfig_grouppolicymaxsecuritysizewinserver2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) +![manualconfig_grouppolicymaxsecuritysizewinserver2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_grouppolicymaxsecuritysizewinserver2016.webp) **Step 4 –** In the Maximum security log size Properties dialog, select **Define this policy setting** and set maximum security log size to **4194240** kilobytes (4GB). diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/modernauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/modernauth.md index af0d3b4530..09aaa6342c 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/modernauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/modernauth.md @@ -169,5 +169,5 @@ See the following Microsoft article for additional information on how to obtain [Locate important IDs for a user](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names). Then, create a corresponding monitoring plan in Netwrix Auditor and add an item (Office 365 tenant) -to it. See the [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) +to it. See the [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md index 2a4a3cbf7a..7bc3975eb4 100644 
--- a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md @@ -34,8 +34,8 @@ logging must be enabled for user, shared, equipment, linked, and room mailboxes: Perform the following configuration procedures: - Prepare a Data Collecting Account as described in the - [Permissions for Exchange Online Auditing](permissions.md) topic -- Configure required protocols and ports, as described in the [Exchange Online Ports](ports.md) + [Permissions for Exchange Online Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md) topic +- Configure required protocols and ports, as described in the [Exchange Online Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/ports.md) topic ## Monitored Object Types and Attributes diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md index 4052776a7f..c087f16977 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md @@ -98,7 +98,7 @@ where: **Step 11 –** Go to **Manage > Certificates & secrets**, click **Upload certificate** and upload the*.crt* file you have just created. -![certificates_secrets_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/microsoft365/exchangeonline/certificates_secrets_thumb_0_0.webp) +![certificates_secrets_thumb_0_0](/img/product_docs/auditor/auditor/configuration/microsoft365/exchangeonline/certificates_secrets_thumb_0_0.webp) **Step 12 –** To create Exchange Online connection session, you can provide certificate file path or thumbprint. If you want to use a file path, run the following command: 
@@ -110,7 +110,7 @@ Connect-ExchangeOnline -CertificateFilePath "full_path_to_certificate" Application (client ID) can be found in the **Overview** page. -![tenant_id_thumb_0_0](../../../../../../../static/img/product_docs/auditor/auditor/configuration/microsoft365/exchangeonline/tenant_id_thumb_0_0.webp) +![tenant_id_thumb_0_0](/img/product_docs/auditor/auditor/configuration/microsoft365/exchangeonline/tenant_id_thumb_0_0.webp) For example: diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md index 71e7250ec6..f3f243aaad 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md 
@@ -19,7 +19,7 @@ Further permission assignment will depend on the data you plan to collect: | To... | Requirement | Comment | | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Create Microsoft Entra ID application, run initial data collection, and perform Auditor upgrade from previous version | Any of the following role combinations: - Application Administrator & Privileged Role Administrator OR - Cloud Application Administrator & Privileged Role Administrator OR - _Global Admin_ | Prepare a user account and specify it in the monitored item properties. See the and [Microsoft Entra ID](overview.md) topics for additional information. | +| Create Microsoft Entra ID application, run initial data collection, and perform Auditor upgrade from previous version | Any of the following role combinations: - Application Administrator & Privileged Role Administrator OR - Cloud Application Administrator & Privileged Role Administrator OR - _Global Admin_ | Prepare a user account and specify it in the monitored item properties. See the and [Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) topics for additional information. 
| | Collect audit data, including _Successful Logons_ and/or _Failed Logons_ | - _Security Reader_ OR - _Security Administrator_ OR - _Application Administrator_ OR - _Cloud Application Administrator_ OR - _Global Administrator_ | To assign the non-privileged role, see | | Collect audit data (without logons) | Any of the following roles: - _Security Reader_ OR - _Application Administrator_ OR - _Cloud Application Administrator_ OR - _Global Admin_ | Assign the role you need, as explained above. | diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md index f50faeefeb..ff95358f7c 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md @@ -26,9 +26,9 @@ You can configure your IT Infrastructure for monitoring in one of the following - While no special settings are required. Remember to do the following: - Prepare a Data Collecting Account as described in - [Permissions for Microsoft Entra ID Auditing](permissions.md) topic + [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md) topic - Configure required protocols and ports, as described in the - [Microsoft Entra ID Ports](ports.md) topic + [Microsoft Entra ID Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/ports.md) topic ## Monitored Object Types and Attributes diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md index 49b4d0f8af..7beb20154e 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md 
@@ -25,10 +25,10 @@ required: administrative role in Microsoft Entra ID —to create an app and perform initial data collection. - Provide this user name and password in the monitored item properties. See the - [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) topic for + [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. -See the [Using Basic Authentication with Microsoft Entra ID](basicauth.md) topic for additional +See the [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/basicauth.md) topic for additional information. - If Modern Authentication is used: @@ -38,10 +38,10 @@ information. topic for additional information. - You will need to provide the Microsoft Entra ID app settings in the monitored item (Office 365 tenant) properties. See the - [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) topic for + [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. -See the [Using Modern Authentication with Microsoft Entra ID](modernauth.md) topic for additional +See the [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/modernauth.md) topic for additional information. Permissions for ongoing data collection will depend on data you plan to collect: diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md b/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md index ac74354c01..5ec42bff77 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md 
@@ -2,7 +2,7 @@ Microsoft 365 audit configuration will cover the following components: -- [Exchange Online](exchangeonline/overview.md) -- [Microsoft Entra ID](microsoftentraid/overview.md) -- [MS Teams](teams/overview.md) -- [SharePoint Online](sharepointonline/overview.md) +- [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) +- [Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) +- [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) +- [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/basicauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/basicauth.md index 95b1719125..2d8b61e0be 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/basicauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/basicauth.md 
@@ -18,7 +18,7 @@ Further permission assignment will depend on the data you plan to collect: | To... | Requirement | Comment | | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Collect activity and state-in-time data | Any of the following role combinations: - Application Administrator & Privileged Role Administrator OR - Cloud Application Administrator & Privileged Role Administrator OR - _Global Admin_ (_Company Administrator_ in Microsoft Entra ID PowerShell terms) | Prepare a **Cloud-only** user account and specify it in the monitored item properties. See the [SharePoint Online](overview.md) topic for additional information. | +| Collect activity and state-in-time data | Any of the following role combinations: - Application Administrator & Privileged Role Administrator OR - Cloud Application Administrator & Privileged Role Administrator OR - _Global Admin_ (_Company Administrator_ in Microsoft Entra ID PowerShell terms) | Prepare a **Cloud-only** user account and specify it in the monitored item properties. See the [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) topic for additional information. | | Collect activity data only | 1. For initial connection to SharePoint Online, initial data collection, and Netwrix Auditor upgrade from previous version — any of the role combinations listed above. 2. After the initial data collection, the privileged roles can be revoked from this account. | | ## Assigning a Privileged Role for SharePoint and Office 365 
diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/manifest.md b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/manifest.md index e4f3840854..a1ba5f2e79 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/manifest.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/manifest.md @@ -15,7 +15,7 @@ it to your application. Do one of the following: - For the clear installation of Netwrix Auditor, add roles as described in the - [Using Modern Authentication with SharePoint Online](modernauth.md) topic. + [Using Modern Authentication with SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md) topic. - If you upgraded Netwrix Auditor from the version 10.0, replace all existing content under the **requiredResourceAccess** property. diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md index 93c0f2701d..8090ece3eb 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md @@ -143,5 +143,5 @@ See the following Microsoft article for additional information on how to obtain [Locate important IDs for a user](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names). Then, create a corresponding monitoring plan in Netwrix Auditor and add an item (Office 365 tenant) -to it. See the [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) +to it. See the [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. 
diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md index 83b76f5cc0..f034d0cabc 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md @@ -21,9 +21,9 @@ You can configure your IT Infrastructure for monitoring in the following way: [Turn auditing on or off](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide) article for additional information. - Prepare a Data Collecting Account as described in the - [Permissions for SharePoint Online Auditing ](permissions.md) topic. + [Permissions for SharePoint Online Auditing ](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md) topic. - Configure required protocols and ports, as described in the - [SharePoint Online Ports](ports.md) topic. + [SharePoint Online Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/ports.md) topic. Review a full list of object types and attributes Netwrix Auditor can collect on SharePoint Online. OneDrive for Business changes are reported as SharePoint Online. @@ -45,5 +45,5 @@ OneDrive for Business changes are reported as SharePoint Online. Starting with the version 10, Netwrix Auditor is able to report about sensitive data in your IT infrastructure. Pay attention to the "_Data categories_" column in search and reports (for the "_Document_" object types only). See the -[Sensitive Data Discovery ](../../../admin/settings/sensitivedatadiscovery.md)topic for additional +[Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md)topic for additional information on how to enable monitoring of sensitive data in Netwrix Auditor. 
diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md index c6460431ff..c73393d859 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md @@ -26,10 +26,10 @@ administrative role will be required: section for additional information. - You will need to provide the Microsoft Entra ID app settings in the monitored item (Office 365 tenant) properties. See the - [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) topic for + [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. -See the [Using Modern Authentication with SharePoint Online](modernauth.md) topic for additional +See the [Using Modern Authentication with SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/modernauth.md) topic for additional information. - If Basic Authentication is used: @@ -40,7 +40,7 @@ information. administrative role in Microsoft Entra ID — to create an app and perform initial data collection. - Provide this user name and password in the monitored item properties. See the - [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) topic for + [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. - Permissions for ongoing data collection will depend on data you plan to collect: 
@@ -49,5 +49,5 @@ information. - To collect activity data only, the privileged role can be revoked from the specified account after the initial data collection. -See the [Using Basic Authentication with SharePoint Online](basicauth.md) topic for additional +See the [Using Basic Authentication with SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/basicauth.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/basicauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/basicauth.md index c6fea096b6..015e8e270b 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/basicauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/basicauth.md 
@@ -10,7 +10,7 @@ user account will need an administrative role in the cloud-based infrastructure. | To... | Requirement | Comment | | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -| Create Microsoft Entra ID application, run initial data collection, and perform Auditor upgrade from previous version | Any of the following role combinations: - Application Administrator & Privileged Role Administrator & _Teams Administrator_ OR - Cloud Application Administrator & Privileged Role Administrator & _Teams Administrator_ OR - _Global Admin_ | Prepare a user account and specify it in the monitored item properties. See the [MS Teams](overview.md) topic for additional information. | +| Create Microsoft Entra ID application, run initial data collection, and perform Auditor upgrade from previous version | Any of the following role combinations: - Application Administrator & Privileged Role Administrator & _Teams Administrator_ OR - Cloud Application Administrator & Privileged Role Administrator & _Teams Administrator_ OR - _Global Admin_ | Prepare a user account and specify it in the monitored item properties. See the [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) topic for additional information. | | Collect activity data | Any of the following roles: _Application Administrator_ & _Teams Administrator_ OR _Cloud Application Administrator_ & _Teams Administrator_ OR _Global Admin_ | | ## Assigning a Privileged Role for Microsoft Entra ID and Office 365 
@@ -63,5 +63,5 @@ account with this privileged role on the Specify the account for collecting data A less privileged role has now been assigned to the account. -See the [Permissions for Microsoft Entra ID Auditing](../microsoftentraid/permissions.md) topic for +See the [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/modernauth.md b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/modernauth.md index 64a5e94f14..70a3ab8c38 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/modernauth.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/modernauth.md @@ -163,5 +163,5 @@ See the following Microsoft article for additional information on how to obtain [Locate important IDs for a user](https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names). Then, create a corresponding monitoring plan in Netwrix Auditor and add an item (Office 365 tenant) -to it. See the [Microsoft Entra ID](../../../admin/monitoringplans/microsoftentraid/overview.md) +to it. See the [Microsoft Entra ID](/docs/auditor/10.7/auditor/admin/monitoringplans/microsoftentraid/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md index 3a6bb3d710..d85bd690bd 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md +++ b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md 
@@ -24,8 +24,8 @@ You can configure your IT Infrastructure for monitoring in one of the following [Turn auditing on or off](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide) article for additional information. - Prepare a Data Collecting Account as described in the - [Permissions for Teams Auditing](permissions.md) topic. - - Configure required protocols and ports, as described in the [Teams Ports](ports.md) topic. + [Permissions for Teams Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md) topic. + - Configure required protocols and ports, as described in the [Teams Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/ports.md) topic. Auditor can monitor for operations with MS Teams entities, collect state-in-time snapshots and track changes to the object attributes. This section provides detailed information on these activities. @@ -33,7 +33,7 @@ changes to the object attributes. This section provides detailed information on Starting with the version 10.5, Auditor is able to report about sensitive data in your IT infrastructure. Pay attention to the "_Data categories_" column in search and reports (for the "_Document_" object types only). Refer to -[Sensitive Data Discovery ](../../../admin/settings/sensitivedatadiscovery.md) for detailed +[Sensitive Data Discovery ](/docs/auditor/10.7/auditor/admin/settings/sensitivedatadiscovery.md) for detailed instructions on how to enable monitoring of sensitive data in Auditor. Review a full list of object types and attributes Auditor can collect on SharePoint Online. OneDrive diff --git a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md index 199f96247f..78b1142743 100644 --- a/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md 
+++ b/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md @@ -23,5 +23,5 @@ you will provide this account in the monitoring plan wizard (or in the monitored Refer to the following topics to access Microsoft teams: -- [Using Basic Authentication with MS Teams](basicauth.md) -- [Using Modern Authentication with MS Teams](modernauth.md) +- [Using Basic Authentication with MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/basicauth.md) +- [Using Modern Authentication with MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/modernauth.md) diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md b/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md index 6d9bdcc33c..0e9a580661 100644 --- a/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md +++ b/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md @@ -2,7 +2,7 @@ Before creating a monitoring plan to audit your Cisco Meraki devices, plan for the account that will be used for data collection. See the -[Data Collecting Account](../../admin/monitoringplans/dataaccounts.md) topic for additional +[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information. You will provide this account in the monitoring plan wizard. Changes that are collected with the basic authorization: diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidevices.md b/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidevices.md index 590cc5dda4..56dd4bbbe2 100644 --- a/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidevices.md +++ b/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidevices.md 
@@ -12,18 +12,18 @@ Follow the steps to configure the Syslog server. **Step 2 –** Navigate to **Network wide** > **Configure** > **General**. -![nand_meraki_network](../../../../../../static/img/product_docs/auditor/auditor/configuration/networkdevices/nand_meraki_network.webp) +![nand_meraki_network](/img/product_docs/auditor/auditor/configuration/networkdevices/nand_meraki_network.webp) **Step 3 –** Locate the Reporting section and click Add a syslog server. -![nand_meraki_server](../../../../../../static/img/product_docs/auditor/auditor/configuration/networkdevices/nand_meraki_server.webp) +![nand_meraki_server](/img/product_docs/auditor/auditor/configuration/networkdevices/nand_meraki_server.webp) **Step 4 –** In the dialog that opens, complete the following fields: | Option | Description | | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Server IP | Provide the IP address of the computer that hosts your Netwrix Auditor Server. | -| Port | Provide the port configured in your monitoring plan for Network Devices (514 by default). See the[Network Devices](../../admin/monitoringplans/networkdevices.md) topic for additional information. | +| Port | Provide the port configured in your monitoring plan for Network Devices (514 by default). See the[Network Devices](/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md) topic for additional information. | | Roles | Select the following roles: - Appliance event log - Switch event log - Wireless event log | ### Cisco Meraki Devices Configuration diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/hpearuba.md b/docs/auditor/10.7/auditor/configuration/networkdevices/hpearuba.md index c6e1a7a293..b416edf0a8 100644 --- a/docs/auditor/10.7/auditor/configuration/networkdevices/hpearuba.md 
+++ b/docs/auditor/10.7/auditor/configuration/networkdevices/hpearuba.md @@ -41,7 +41,7 @@ To configure HPE Aruba devices through the Management Console Netwrix Auditor. 3. Navigate to Configuration → System → Logging and click + to add a new Syslog Server. - ![nand_aruba_logging](../../../../../../static/img/product_docs/auditor/auditor/configuration/networkdevices/nand_aruba_logging.webp) + ![nand_aruba_logging](/img/product_docs/auditor/auditor/configuration/networkdevices/nand_aruba_logging.webp) 4. In the Add New Syslog Servers dialog, complete the following fields: @@ -60,7 +60,7 @@ To configure HPE Aruba devices through the Management Console 8. Click Deploy Changes. 9. If the configuration is correct, you will see the following wizard: - ![nand_aruba_status](../../../../../../static/img/product_docs/auditor/auditor/configuration/networkdevices/nand_aruba_status.webp) + ![nand_aruba_status](/img/product_docs/auditor/auditor/configuration/networkdevices/nand_aruba_status.webp) 10. Navigate to Configuration → System → Logging and expand the Logging Levels. 11. Select the Informational value for the following parameters: diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md b/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md index 62e6542a17..2c82c73e55 100644 --- a/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md +++ b/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md @@ -44,7 +44,7 @@ To configure you Juniper devices, do the following: AND `` is the name of the UDP port used to listen to network devices (514 port used by - default). [Network Devices](../../admin/monitoringplans/networkdevices.md) + default). [Network Devices](/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md) # set system syslog time-format `` 
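Review bot: in juniper.md (hunk `@@ -44,7`), the rewritten `[Network Devices](/docs/auditor/10.7/auditor/admin/monitoringplans/networkdevices.md)` link still stands alone after "(514 port used by default)." with no sentence around it, so the reader cannot tell why it is there. Since this line is being touched anyway, wrap it the way the other topics in this patch do, for example "See the Network Devices topic for additional information."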
diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md b/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md index 18c2bfc770..915b7ef015 100644 --- a/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md +++ b/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md 
@@ -3,16 +3,16 @@ To configure your network devices for monitoring perform the following procedures, depending on your device: -- [Configure Cisco ASA Devices](ciscoasa.md) -- [Configure Cisco IOS Devices](ciscoios.md) -- [Cisco Meraki Dashboard ](ciscomerakidashboard.md) -- [Configure Cisco Meraki Devices](ciscomerakidevices.md) -- [Configure Fortinet FortiGate Devices](fortinetfortigate.md) -- [Configure PaloAlto Devices](paloalto.md) -- [Configure Juniper Devices](juniper.md) -- [Configure SonicWall Devices](sonicwall.md) -- [Configure HPE Aruba Devices](hpearuba.md) -- [Configure Pulse Secure Devices](pulsesecure.md) +- [Configure Cisco ASA Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscoasa.md) +- [Configure Cisco IOS Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscoios.md) +- [Cisco Meraki Dashboard ](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md) +- [Configure Cisco Meraki Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidevices.md) +- [Configure Fortinet FortiGate Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/fortinetfortigate.md) +- [Configure PaloAlto Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/paloalto.md) +- [Configure Juniper Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md) +- [Configure SonicWall Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/sonicwall.md) +- [Configure HPE Aruba Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/hpearuba.md) +- [Configure Pulse Secure Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md) **CAUTION:** Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the diff --git a/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md b/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md index 222cbac45e..f84a6b5d6d 100644 
--- a/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md +++ b/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md @@ -11,7 +11,7 @@ - Login/Logout - VPN Tunneling - ![manual_config_pulse_1](../../../../../../static/img/product_docs/auditor/auditor/configuration/networkdevices/manual_config_pulse_1.webp) + ![manual_config_pulse_1](/img/product_docs/auditor/auditor/configuration/networkdevices/manual_config_pulse_1.webp) 6. Under the Syslog Servers, complete the following fields: @@ -42,10 +42,10 @@ 15. Save your changes. 16. Start Netwrix Auditor. 17. Navigate to your monitoring plan for Network Devices. See - [Monitoring Plans](../../admin/monitoringplans/overview.md) + [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md) 18. Provide the IP address of the interface you specified on the step 14 as the Computer item for your monitoring plan. See - [Active Directory](../../admin/monitoringplans/activedirectory/overview.md) + [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) ## Pulse Secure Devices diff --git a/docs/auditor/10.7/auditor/configuration/oracle/database.md b/docs/auditor/10.7/auditor/configuration/oracle/database.md index f28ef56ac2..2c33092bb6 100644 --- a/docs/auditor/10.7/auditor/configuration/oracle/database.md +++ b/docs/auditor/10.7/auditor/configuration/oracle/database.md 
@@ -82,8 +82,8 @@ Netwrix Auditor, these conflicts will be listed in the Netwrix Auditor System He Also, remember to do the following: - Configure Data Collecting Account as described in - [Permissions for Oracle Database Auditing](permissions.md) topic. -- Configure ports as described in [Oracle Database Ports](ports.md) topic. + [Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) topic. +- Configure ports as described in [Oracle Database Ports](/docs/auditor/10.7/auditor/configuration/oracle/ports.md) topic. **NOTE:** Traditional auditing is deprecated in Oracle Database 21c. Oracle recommends using Unified Auditing, which enables selective and more effective auditing within Oracle Database. See the @@ -185,6 +185,6 @@ successful logon session. Also, remember to do the following: - Configure Data Collecting Account. See the - [Permissions for Oracle Database Auditing](permissions.md) topic for additional information. -- Configure ports. See the [Oracle Database Ports](ports.md) topic for additional information about + [Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) topic for additional information. +- Configure ports. See the [Oracle Database Ports](/docs/auditor/10.7/auditor/configuration/oracle/ports.md) topic for additional information about ports and protocols required for auditing. diff --git a/docs/auditor/10.7/auditor/configuration/oracle/overview.md b/docs/auditor/10.7/auditor/configuration/oracle/overview.md index 8c356dd1e0..43634c7f71 100644 --- a/docs/auditor/10.7/auditor/configuration/oracle/overview.md +++ b/docs/auditor/10.7/auditor/configuration/oracle/overview.md 
@@ -23,10 +23,10 @@ You can configure your IT Infrastructure for monitoring in one of the following - On the Oracle server, configure the required settings described below. - On the Auditor console computer, verify that Oracle Data Provider for .NET and Oracle Instant Client are installed and properly configured. See the - [Permissions for Oracle Database Auditing](permissions.md) topic of system requirements. + [Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) topic of system requirements. Ensure that you have met all software requirements on the Oracle Database side. See the -[Software Requirements](../../requirements/software.md) topic for additional information. +[Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) topic for additional information. Before you start monitoring your Oracle Database with Netwrix Auditor, you should configure it to provide audit trails. Depending on your current database version and edition, Oracle supports 
@@ -34,8 +34,8 @@ different auditing types: | Auditing type | Oracle version | Details | | --------------------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Unified Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c | Consolidates all auditing into a single repository and view. This provides a two-fold simplification: audit data can now be found in a single location and all audit data is in a single format. See [Configure Oracle Database for Auditing](database.md) topic for more information. | -| Fine Grained Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c, 11g Available for **Enterprise Edition** only. | Supports auditing of actions associated with columns in application tables — along with conditions necessary for an audit record to be generated. Helps to focus on security-relevant columns and rows, ignoring areas that are less important. See [Configure Fine Grained Auditing](finegained.md) topic for more information. | +| Unified Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c | Consolidates all auditing into a single repository and view. This provides a two-fold simplification: audit data can now be found in a single location and all audit data is in a single format. See [Configure Oracle Database for Auditing](/docs/auditor/10.7/auditor/configuration/oracle/database.md) topic for more information. 
| +| Fine Grained Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c, 11g Available for **Enterprise Edition** only. | Supports auditing of actions associated with columns in application tables — along with conditions necessary for an audit record to be generated. Helps to focus on security-relevant columns and rows, ignoring areas that are less important. See [Configure Fine Grained Auditing](/docs/auditor/10.7/auditor/configuration/oracle/finegained.md) topic for more information. | | Standard Auditing (trail auditing mode) | Oracle Database 11g | See topic for more information. Use initialization parameters and the `AUDIT` and `NOAUDIT` SQL statements to audit: - SQL statements - privileges - schema objects - network and multitier activities See [Oracle documentation](https://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_auditing.htm#oracle-documentation) for more information. Starting with version 10.5, Netwrix Auditor provides limited support of Oracle Database 11g and trail auditing mode, in particular: Netwrix Auditor client UI does not display any warnings and / or errors related to Standard Auditing mode operation. | **CAUTION:** Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See 
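Review bot: in oracle/overview.md (hunk `@@ -34,8`), the new Fine Grained Auditing link targets `/docs/auditor/10.7/auditor/configuration/oracle/finegained.md`, carrying over the `finegained` spelling from the old relative link. Please confirm the file really exists under that name before merging, since an absolute path to a misspelled file breaks the link. In the same table, the unchanged Standard Auditing row opens with "See topic for more information." and names no topic; that is worth fixing while this table is being edited.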
@@ -62,26 +62,26 @@ dates set by the vendor. So, when planning your Netwrix Auditor deployment, cons Oracle Database 11g support expiration dates. If you are using Oracle Database 12c or later, make sure you have Unified auditing mode enabled. -Otherwise, Netwrix Auditor may not operate properly. See the [Migrate to Unified Audit](unified.md) +Otherwise, Netwrix Auditor may not operate properly. See the [Migrate to Unified Audit](/docs/auditor/10.7/auditor/configuration/oracle/unified.md) topic for additional information. -See the [Software Requirements](../../requirements/software.md) topic for additional information. +See the [Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) topic for additional information. ## Configuration If you are using Oracle Wallet to connect to your database, see the -[Create and Configure Oracle Wallet](wallet.md) topic for configuration details. +[Create and Configure Oracle Wallet](/docs/auditor/10.7/auditor/configuration/oracle/wallet.md) topic for configuration details. Oracle Wallet is not supported for Oracle 11g. If you are unsure of your audit settings, refer to -the [Verify Your Oracle Database Audit Settings](verifysettings.md) +the [Verify Your Oracle Database Audit Settings](/docs/auditor/10.7/auditor/configuration/oracle/verifysettings.md) Follow the steps for proper configuration. **Step 1 –** Configure Data Collecting Account, as described in the -[Permissions for Oracle Database Auditing](permissions.md) topic. +[Permissions for Oracle Database Auditing](/docs/auditor/10.7/auditor/configuration/oracle/permissions.md) topic. **Step 2 –** Configure required protocols and ports, as described in the -[Oracle Database Ports](ports.md) topic. +[Oracle Database Ports](/docs/auditor/10.7/auditor/configuration/oracle/ports.md) topic. ## Oracle Database objects 
diff --git a/docs/auditor/10.7/auditor/configuration/oracle/wallet.md b/docs/auditor/10.7/auditor/configuration/oracle/wallet.md index 198f4b1fe5..9d50474ed3 100644 --- a/docs/auditor/10.7/auditor/configuration/oracle/wallet.md +++ b/docs/auditor/10.7/auditor/configuration/oracle/wallet.md @@ -48,7 +48,7 @@ credentials. For example: Windows-based platforms: WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = -(DIRECTORY="D:\\myapp\\atp_credentials"))) +(DIRECTORY="D:\\myapp\\atp_credentials") SSL_SERVER_DN_MATCH=yes @@ -135,7 +135,7 @@ Do the following: 1. Update your sqlnet.ora file. Example: WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = - (DIRECTORY="/home/atpc_credentials"))) + (DIRECTORY="/home/atpc_credentials") 2. Copy the entries in the `tnsnames.ora` file provided in the Autonomous Transaction Processing wallet to your existing `tnsnames.ora` file. @@ -143,4 +143,4 @@ Do the following: See also: - For information about using Oracle Wallet with monitoring plans, see the - [Oracle monitoring plan documentation](../../admin/monitoringplans/oracle/overview.md). + [Oracle monitoring plan documentation](/docs/auditor/10.7/auditor/admin/monitoringplans/oracle/overview.md). diff --git a/docs/auditor/10.7/auditor/configuration/overview.md b/docs/auditor/10.7/auditor/configuration/overview.md index 7305c7ca0a..38dc67627b 100644 --- a/docs/auditor/10.7/auditor/configuration/overview.md +++ b/docs/auditor/10.7/auditor/configuration/overview.md 
@@ -2,32 +2,32 @@ With the Netwrix Auditor, the following Data Sources can be monitored: -- [Active Directory](activedirectory/overview.md) -- [AD FS](activedirectoryfederatedservices/overview.md) -- [Exchange](exchange/overview.md) -- [File Servers](fileservers/overview.md) +- [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) +- [AD FS](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md) +- [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) +- [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) - - [Dell Data Storage](fileservers/delldatastorage/overview.md) - - [Dell Isilon/PowerScale](fileservers/dellisilon/overview.md) - - [NetApp Data ONTAP](fileservers/netappcmode/overview.md) - - [Nutanix](fileservers/nutanix/overview.md) - - [Qumulo](fileservers/qumulo/overview.md) - - [Synology](fileservers/synology/overview.md) - - [Windows File Servers](fileservers/windows/overview.md) + - [Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md) + - [Dell Isilon/PowerScale](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md) + - [NetApp Data ONTAP](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md) + - [Nutanix](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md) + - [Qumulo](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md) + - [Synology](/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md) + - [Windows File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md) -- [Group Policy](grouppolicy/overview.md) -- [Logon Activity](logonactivity/overview.md) -- [Microsoft 365](microsoft365/overview.md) +- [Group Policy](/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md) +- [Logon 
Activity](/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md) +- [Microsoft 365](/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md) - - [Exchange Online](microsoft365/exchangeonline/overview.md) - - [Microsoft Entra ID](microsoft365/microsoftentraid/overview.md) - - [SharePoint Online](microsoft365/sharepointonline/overview.md) - - [MS Teams](microsoft365/teams/overview.md) + - [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) + - [Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) + - [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) + - [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) -- [Network Devices](networkdevices/overview.md) -- [Oracle Database](oracle/overview.md) -- [SharePoint](sharepoint/overview.md) -- [SQL Server](sqlserver/overview.md) -- [User Activity](useractivity/overview.md) -- [VMware](vmware/overview.md) -- [Windows Server](windowsserver/overview.md) +- [Network Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md) +- [Oracle Database](/docs/auditor/10.7/auditor/configuration/oracle/overview.md) +- [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) +- [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) +- [User Activity](/docs/auditor/10.7/auditor/configuration/useractivity/overview.md) +- [VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) +- [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) diff --git a/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md b/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md index baa8fe3b52..0dbf1f1a57 100644 --- a/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md 
+++ b/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md @@ -82,14 +82,14 @@ properties for read access auditing. If you are using SharePoint 2019 or SharePoint Subscription Edition, it is recommended to adjust audit settings automatically with Auditor to enable this option. See the -[Create a New Monitoring Plan](../../admin/monitoringplans/create.md) topic for additional +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. ## Enable SharePoint Administration Service This service is must be started to ensure the Netwrix Auditor for SharePoint Core Service successful installation. Perform the procedure below, prior to the Core Service installation. See the -[Install for SharePoint Core Service](../../install/sharepointcoreservice.md) topic for additional +[Install for SharePoint Core Service](/docs/auditor/10.7/auditor/install/sharepointcoreservice.md) topic for additional information. Follow the steps to enable SharePoint Administration Service. diff --git a/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md b/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md index e29eada03b..828d8c3049 100644 --- a/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md 
@@ -8,7 +8,7 @@ Starting with version 9.96, you can use group Managed Service Accounts (gMSA) as accounts. For more information on gMSA, refer to -[Use Group Managed Service Account (gMSA)](../../requirements/gmsa.md)[Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). +[Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md)[Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). These group Managed Service Accounts should meet the related requirements. @@ -17,7 +17,7 @@ These group Managed Service Accounts should meet the related requirements. 1. On the SharePoint server where the Netwrix Auditor Core Service will be deployed: the account must be a member of the local Administrators group. To learn more about Netwrix Auditor Core Services, refer to - [Installation](../../install/overview.md) topic. + [Installation](/docs/auditor/10.7/auditor/install/overview.md) topic. 2. On the SQL Server hosting SharePoint database: the SharePoint_Shell_Access role. See the Assigning 'SharePoint_Shell_Access' Role topic for additional information. 3. If you plan to collect state-in-time data from a SharePoint farm, the account should also meet diff --git a/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md b/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md index 5f532d8caa..b604e35d98 100644 --- a/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md +++ b/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md 
@@ -85,5 +85,5 @@ The following list contains the names of all data types monitored by Netwrix Aud Also remember to do the following: - Configure Data Collecting Account as described in - [Permissions for SQL Server Auditing ](permissions.md)section. -- Configure ports as described in the [SQL Server Ports](ports.md) section. + [Permissions for SQL Server Auditing ](/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md)section. +- Configure ports as described in the [SQL Server Ports](/docs/auditor/10.7/auditor/configuration/sqlserver/ports.md) section. diff --git a/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md b/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md index 14ae000b7d..775914b3c6 100644 --- a/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md @@ -30,7 +30,7 @@ You can use group Managed Service Accounts (gMSA) as data collecting accounts. 3. In the left pane, expand the **Security** node. Right-click the **Logins** node and select **New Login** from the pop-up menu. - ![manualconfig_ssms_newlogin2016](../../../../../../static/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) + ![manualconfig_ssms_newlogin2016](/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) 4. Click **Search** next to **Login Name** and specify the user that you want to assign the **sysadmin** role to. diff --git a/docs/auditor/10.7/auditor/configuration/useractivity/overview.md b/docs/auditor/10.7/auditor/configuration/useractivity/overview.md index a9a2ca1cfb..7352e67430 100644 --- a/docs/auditor/10.7/auditor/configuration/useractivity/overview.md +++ b/docs/auditor/10.7/auditor/configuration/useractivity/overview.md 
@@ -45,8 +45,8 @@ You can configure your IT Infrastructure for monitoring in one of the following See the following topics for additional information: -- [Configure Data Collection Settings](datacollection.md) -- [Configure Video Recordings Playback Settings](videorecordings.md) +- [Configure Data Collection Settings](/docs/auditor/10.7/auditor/configuration/useractivity/datacollection.md) +- [Configure Video Recordings Playback Settings](/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md) ## User Sessions diff --git a/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md b/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md index 70f095d6ae..14d2cacbe9 100644 --- a/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md +++ b/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md @@ -58,7 +58,7 @@ verify that **File download** is set to **Enable**. **Step 5 –** Local Security and select the **Allow active content to run in files on My Computer** checkbox. -![manualconfig_uavr_ie2016](../../../../../../static/img/product_docs/auditor/auditor/configuration/useractivity/manualconfig_uavr_ie2016.webp) +![manualconfig_uavr_ie2016](/img/product_docs/auditor/auditor/configuration/useractivity/manualconfig_uavr_ie2016.webp) ## To Enable JavaScript diff --git a/docs/auditor/10.7/auditor/configuration/vmware/permissions.md b/docs/auditor/10.7/auditor/configuration/vmware/permissions.md index dbd8267bf0..a35f8cdc35 100644 --- a/docs/auditor/10.7/auditor/configuration/vmware/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/vmware/permissions.md @@ -21,5 +21,5 @@ configuring a corresponding monitored item. See also: -- [Create a New Monitoring Plan](../../admin/monitoringplans/create.md) step of the monitoring plan +- [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) step of the monitoring plan wizard 
diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md b/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md index 5ca5d69267..5dfdcc518a 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md @@ -28,7 +28,7 @@ Windows Administrative Tools > Local Security Policy. **Step 2 –** Navigate to Security Settings > Local Policies > Security Options and locate the Audit: Force audit policy subcategory settings policy. -![Local Security Policy snap-in ](../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) +![Local Security Policy snap-in ](/img/product_docs/1secure/configuration/computer/manualconfig_fileserver_graudit_secpol2016.webp) **Step 3 –** Double-click the policy and enable it. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/dhcp.md b/docs/auditor/10.7/auditor/configuration/windowsserver/dhcp.md index 38db0bef2f..7be7a5d264 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/dhcp.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/dhcp.md @@ -8,7 +8,7 @@ settings (size and retention method). For that, take the steps described below. the DHCP-Server node. 3. Right-click the Operational log and select Properties. - ![manual_config_dhcp_log](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/manual_config_dhcp_log.webp) + ![manual_config_dhcp_log](/img/product_docs/auditor/auditor/configuration/windowsserver/manual_config_dhcp_log.webp) 4. Make sure the **Enable logging** option is selected. 5. Set **Maximum log size** to **4 GB**. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md b/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md index fe2d7f2e8a..45baef0164 100644 
--- a/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md @@ -31,7 +31,7 @@ Follow the steps to configure Event Log Size and Retention Settings. **Step 2 –** Navigate to Event Viewer tree > Windows Logs, right-click **Security** and select **Properties**. -![Log Properties dialog box](../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) +![Log Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_ws_eventviewerpr2016_thumb_0_0.webp) **Step 3 –** Make sure Enable logging is selected. @@ -87,7 +87,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service **Step 2 –** Set the MaxSize to the required decimal value (in bytes). -![gpo_eventlog_regedit_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/gpo_eventlog_regedit_thumb_0_0.webp) +![gpo_eventlog_regedit_thumb_0_0](/img/product_docs/auditor/auditor/configuration/windowsserver/gpo_eventlog_regedit_thumb_0_0.webp) You can configure Group Policy Preferences to push registry changes to the target domain computers. For the example above (Directory Service Log), perform the following steps. @@ -103,7 +103,7 @@ Preferences > Windows Settings > Registry**. - Hive > HKEY_LOCAL_MACHINE - Key Path – browse to MaxSize value at the SYSTEM\CurrentControlSet\Services\EventLog\Directory Service - ![gpo_eventlog_gpmc_thumb_0_0](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/gpo_eventlog_gpmc_thumb_0_0.webp) + ![gpo_eventlog_gpmc_thumb_0_0](/img/product_docs/auditor/auditor/configuration/windowsserver/gpo_eventlog_gpmc_thumb_0_0.webp) **Step 4 –** Change the MaxSize REG_DWORD to the required decimal value (in bytes). 
diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/iis.md b/docs/auditor/10.7/auditor/configuration/windowsserver/iis.md index bbd051431d..24db846967 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/iis.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/iis.md @@ -1,7 +1,7 @@ # Internet Information Services (IIS) To be able to process Internet Information Services (IIS) events, you must enable the Remote -Registry service on the target computers. [Windows Server](overview.md) +Registry service on the target computers. [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) To configure the Operational log size and retention method @@ -11,7 +11,7 @@ To configure the Operational log size and retention method the IIS-Configuration node. 3. Right-click the Operational log and select Properties. - ![manualconfig_iis2016](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_iis2016.webp) + ![manualconfig_iis2016](/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_iis2016.webp) 4. Make sure **Enable logging** is enabled. 5. Set **Maximum log size** to 4 GB. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/localpolicy.md b/docs/auditor/10.7/auditor/configuration/windowsserver/localpolicy.md index cf32ced382..d320d7938a 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/localpolicy.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/localpolicy.md @@ -14,7 +14,7 @@ the changes to the following monitored system components: - Removable media You can also configure advanced audit policies for same purpose. See the -[Configure Advanced Audit Policies](advancedpolicy.md) topic for more information. +[Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md) topic for more information. ## Manual Configuration 
@@ -39,4 +39,4 @@ Windows Administrative Tools > Local Security Policy. Local audit policy is configured. -![Local Security Policy snap-in](../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) +![Local Security Policy snap-in](/img/product_docs/1secure/configuration/computer/manualconfig_ws_local_audit_policies2016.webp) diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md b/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md index f3aacc9b3e..1737ed3fba 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md @@ -22,8 +22,8 @@ You can configure your IT Infrastructure for monitoring in one of the following - The Remote Registry and the Windows Management Instrumentation (WMI) service must be started. See the - [Enable Remote Registry and Windows Management Instrumentation Services](remoteregistry.md) - topic and the [Configure Windows Registry Audit Settings](windowsregistry.md) topic for + [Enable Remote Registry and Windows Management Instrumentation Services](/docs/auditor/10.7/auditor/configuration/windowsserver/remoteregistry.md) + topic and the [Configure Windows Registry Audit Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md) topic for additional information. - The following advanced audit policy settings must be configured: 
@@ -37,25 +37,25 @@ You can configure your IT Infrastructure for monitoring in one of the following User Account Management, Audit Handle Manipulation, Audit Other Object Access Events, Audit Registry, Audit File Share, and Audit Audit Policy Changeadvanced audit policies must be set to _"Success"_. - - See the [Configure Local Audit Policies](localpolicy.md) topic and the - [Configure Advanced Audit Policies](advancedpolicy.md) topic for additional information. + - See the [Configure Local Audit Policies](/docs/auditor/10.7/auditor/configuration/windowsserver/localpolicy.md) topic and the + [Configure Advanced Audit Policies](/docs/auditor/10.7/auditor/configuration/windowsserver/advancedpolicy.md) topic for additional information. - The following legacy audit policies can be configured instead of advanced: Audit object access, Audit policy change, and **Audit account management** must be set to _"Success"_. - The Enable Persistent Time Stamp local group policy must be enabled. This policy should be configured manually since Auditor does not enable it automatically. See the - [Configure Enable Persistent Time Stamp Policy](persistenttimestamp.md) topic for additional + [Configure Enable Persistent Time Stamp Policy](/docs/auditor/10.7/auditor/configuration/windowsserver/persistenttimestamp.md) topic for additional information. - The Application, Security, and System event log maximum size must be set to 4 GB. The retention method must be set to _“Overwrite events as needed”_. See the - [Adjusting Event Log Size and Retention Settings](eventlog.md) topic for additional + [Adjusting Event Log Size and Retention Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/eventlog.md) topic for additional information. - For auditing scheduled tasks, the Microsoft-Windows-TaskScheduler/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to _“Overwrite events as needed”_. 
- For auditing DHCP, the Microsoft-Windows-Dhcp-Server/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to - _“Overwrite events as needed”_. See the [Adjust DHCP Server Operational Log Settings](dhcp.md) + _“Overwrite events as needed”_. See the [Adjust DHCP Server Operational Log Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/dhcp.md) topic for additional information. - For auditing DNS, the Microsoft-Windows-DNS-Server/Audit event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to _“Overwrite @@ -78,9 +78,9 @@ You can configure your IT Infrastructure for monitoring in one of the following - If the audited servers are behind the Firewall, review the list of protocols and ports required for Netwrix Auditor and make sure that these ports are opened. See the - [Windows Server Ports](ports.md) topic for additional information. + [Windows Server Ports](/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md) topic for additional information. - For auditing removable storage media, two Event Trace Session objects must be created. See the - [Configure Removable Storage Media for Monitoring](removablestorage.md) topic for additional + [Configure Removable Storage Media for Monitoring](/docs/auditor/10.7/auditor/configuration/windowsserver/removablestorage.md) topic for additional information. - If you want to use Network traffic compression, make sure that the Auditor console computer is accessible by its FQDN name. 
@@ -96,8 +96,8 @@ Whatever method you choose to configure Windows Server for auditing (manual or a remember to do the following: 1. Configure Data Collecting Account, as described in the - [Data Collecting Account](../../admin/monitoringplans/dataaccounts.md) topic. -2. Configure required protocols and ports, as described in the [Windows Server Ports](ports.md) + [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic. +2. Configure required protocols and ports, as described in the [Windows Server Ports](/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md) topic. ## Exclude Monitored Objects @@ -274,7 +274,7 @@ reports, alerts or search results, as it is only used as one of the sources for formation. - You can configure these settings automatically using Netwrix Auditor, as described in the - [Settings for Data Collection](../../admin/monitoringplans/create.md#settings-for-data-collection) + [Settings for Data Collection](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md#settings-for-data-collection) topic. Corresponding audit settings will be also applied automatically after you select a checkbox under **Monitor changes to system components** on the **General** tab in the Windows Server data source properties. @@ -288,7 +288,7 @@ will adjust the audit settings for the following subkeys: - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services(|\\.\*) - To configure the audit settings manually, refer to the - [Configure Windows Registry Audit Settings](windowsregistry.md) topic for additional information. + [Configure Windows Registry Audit Settings](/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md) topic for additional information. #### Monitoring Custom Registry Keys 
@@ -297,7 +297,7 @@ Follow the steps to monitor custom registry keys. **Step 1 –** On the computer where Auditor Server resides, navigate to _%Netwrix Auditor installation folder%\Windows Server Auditing._ -![customregistrykeyentry](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/customregistrykeyentry.webp) +![customregistrykeyentry](/img/product_docs/auditor/auditor/configuration/windowsserver/customregistrykeyentry.webp) **Step 2 –** Edit the following parameters of the customregistrykeys.txt file: @@ -314,7 +314,7 @@ For example: must be put in front of (\*), (?), (,), and (\) if they are a part of an entry value. - Lines that start with the # sign are treated as comments and are ignored. -![customregistrykey](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/customregistrykey.webp) +![customregistrykey](/img/product_docs/auditor/auditor/configuration/windowsserver/customregistrykey.webp) **NOTE:** In some cases, **Who** will be the system and **When** will be collection time, because there is no necessary event in the Security log with this path. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md b/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md index 8147370040..f43e1efdaf 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md 
@@ -8,7 +8,7 @@ the monitored item settings). The account used for data collection must meet the following requirements on the target servers: - The "Manage auditing and security log" policy must be defined for this account. See the - [Permissions for Active Directory Auditing](../activedirectory/permissions.md) topic for + [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) topic for additional information. - This account must be a member of the local Administrators group. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md b/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md index 4ecea7a694..06c22dc0bf 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md @@ -37,7 +37,7 @@ settings** on the left. **Step 3 –** In the Windows Firewall with Advanced Security dialog, select **Inbound Rules** on the left. -![manualconfig_nla_inbound_connections2016](../../../../../../static/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) +![manualconfig_nla_inbound_connections2016](/img/product_docs/1secure/configuration/logonactivity/manualconfig_nla_inbound_connections2016.webp) **Step 4 –** Enable the following inbound connection rules: diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/remoteregistry.md b/docs/auditor/10.7/auditor/configuration/windowsserver/remoteregistry.md index 1da9f3444b..53b1f506bf 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/remoteregistry.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/remoteregistry.md 
@@ -4,7 +4,7 @@ Follow the steps to enable the Remote Registry service. **Step 1 –** Navigate to Start > Windows Administrative Tools > Services. -![Services Console](../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) +![Services Console](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) **Step 2 –** In the Services window, locate the Remote Registry service, right-click it and select **Properties**. @@ -12,7 +12,7 @@ Follow the steps to enable the Remote Registry service. **Step 3 –** In the Remote Registry Properties dialog box, make sure the Startup type parameter is set to _Automatic_ and click **Start**. -![Remote Registry Properties dialog box](../../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) +![Remote Registry Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) **Step 4 –** In the Services window, ensure that the Remote Registry service has the _Running_ status on Windows Server 2012 and above. diff --git a/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md b/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md index 563ea853fd..3efb6f126e 100644 --- a/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md +++ b/docs/auditor/10.7/auditor/configuration/windowsserver/windowsregistry.md @@ -43,7 +43,7 @@ access types: - **Write DAC** - **Write Owner** -![ManualConfig_WS_AuditingEntry2008](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_ws_auditenrty2008.webp) +![ManualConfig_WS_AuditingEntry2008](/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_ws_auditenrty2008.webp) Repeat the same steps for the `HKEY_LOCAL_MACHINE\SYSTEM` key. 
@@ -73,7 +73,7 @@ object name to select** field. - Write DAC - Write Owner -![Config_WS_AuditingEntry_2016](../../../../../../static/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_ws_auditenrty_2016.webp) +![Config_WS_AuditingEntry_2016](/img/product_docs/auditor/auditor/configuration/windowsserver/manualconfig_ws_auditenrty_2016.webp) Repeat the same steps for the `HKEY_LOCAL_MACHINE\SYSTEM` key. diff --git a/docs/auditor/10.7/auditor/gettingstarted.md b/docs/auditor/10.7/auditor/gettingstarted.md index 3e177a57ef..645ba28f9d 100644 --- a/docs/auditor/10.7/auditor/gettingstarted.md +++ b/docs/auditor/10.7/auditor/gettingstarted.md 
@@ -14,34 +14,34 @@ In this section, we will cover: | | | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | | Pre-installation procedures | | -| Review recommendations and considerations for Netwrix Auditor deployment planning. | - [Requirements](requirements/overview.md) | -| Make sure the data source you are going to audit is supported. | - [Supported Data Sources](requirements/supporteddatasources.md) | -| Open the required ports for connections. | - [Protocols and Ports Required](requirements/ports.md) | -| Review system requirements. | - [Requirements](requirements/overview.md) | +| Review recommendations and considerations for Netwrix Auditor deployment planning. | - [Requirements](/docs/auditor/10.7/auditor/requirements/overview.md) | +| Make sure the data source you are going to audit is supported. | - [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) | +| Open the required ports for connections. | - [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md) | +| Review system requirements. | - [Requirements](/docs/auditor/10.7/auditor/requirements/overview.md) | | Installation | | -| If you are using previous version of the product, upgrade to the latest version then. | - [Upgrade to the Latest Version](install/upgrade.md) | -| Install the product and review additional installation scenarios. | - [Installation](install/overview.md) | +| If you are using previous version of the product, upgrade to the latest version then. | - [Upgrade to the Latest Version](/docs/auditor/10.7/auditor/install/upgrade.md) | +| Install the product and review additional installation scenarios. 
| - [Installation](/docs/auditor/10.7/auditor/install/overview.md) | | IT infrastructure configuration | | -| Configure target IT infrastructure depending on your data source. | - [Supported Data Sources](requirements/supporteddatasources.md) | -| Configure Auditor service accounts. | - [Software Requirements](requirements/software.md) | -| If you are going to use Group Managed Service Account (gMSA) for data collection and storage, refer to the following article for more information. | - [Use Group Managed Service Account (gMSA)](requirements/gmsa.md) | +| Configure target IT infrastructure depending on your data source. | - [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) | +| Configure Auditor service accounts. | - [Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) | +| If you are going to use Group Managed Service Account (gMSA) for data collection and storage, refer to the following article for more information. | - [Use Group Managed Service Account (gMSA)](/docs/auditor/10.7/auditor/requirements/gmsa.md) | | Product configuration | | -| Configure role-based access and delegation. | - [Role-Based Access and Delegation](admin/monitoringplans/delegation.md) | -| Configure general product settings. | - [Netwrix Auditor Settings](admin/settings/overview.md) | -| Create monitoring plans to start collecting data from your IT infrastructure. | - [Monitoring Plans](admin/monitoringplans/overview.md) | +| Configure role-based access and delegation. | - [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) | +| Configure general product settings. | - [Netwrix Auditor Settings](/docs/auditor/10.7/auditor/admin/settings/overview.md) | +| Create monitoring plans to start collecting data from your IT infrastructure. 
| - [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md) | | Start data collection | | -| Understand how the product collects data. | - [Data Collecting Account](admin/monitoringplans/dataaccounts.md) | -| Start data collection. | - [Configure Data Collection Settings](configuration/useractivity/datacollection.md) | +| Understand how the product collects data. | - [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) | +| Start data collection. | - [Configure Data Collection Settings](/docs/auditor/10.7/auditor/configuration/useractivity/datacollection.md) | | Make collected data actionable | | -| View data and perform search. | - [View and Search Collected Data](admin/search/overview.md) | -| Review reports. | - [View Reports](admin/reports/view.md) | -| Create alerts to be notified about suspicious activity. | - [Create Alerts](admin/alertsettings/create.md) | -| Identify configuration gaps in your environment and understand their impact on overall security with Netwrix Risk Assessment dashboard. | - [IT Risk Assessment Overview ](admin/riskassessment/overview.md) | -| Detect behavior anomalies in your IT environment with NetwrixBehavior Anomalies dashboard. | - [Behavior Anomalies](admin/behavioranomalies/overview.md) | -| Schedule email delivery of a variety of reports or set of specific search criteria with subscriptions/ | - [Create Subscriptions](admin/subscriptions/create.md) | +| View data and perform search. | - [View and Search Collected Data](/docs/auditor/10.7/auditor/admin/search/overview.md) | +| Review reports. | - [View Reports](/docs/auditor/10.7/auditor/admin/reports/view.md) | +| Create alerts to be notified about suspicious activity. | - [Create Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/create.md) | +| Identify configuration gaps in your environment and understand their impact on overall security with Netwrix Risk Assessment dashboard. 
| - [IT Risk Assessment Overview ](/docs/auditor/10.7/auditor/admin/riskassessment/overview.md) | +| Detect behavior anomalies in your IT environment with NetwrixBehavior Anomalies dashboard. | - [Behavior Anomalies](/docs/auditor/10.7/auditor/admin/behavioranomalies/overview.md) | +| Schedule email delivery of a variety of reports or set of specific search criteria with subscriptions/ | - [Create Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/create.md) | | Operations and health | | -| Track changes to the product configuration with Netwrix  self-audit. | - [Self-Audit](admin/healthstatus/selfaudit.md) | -| Review Netwrix Auditor System Health event log. | - [Netwrix Auditor Health Log](admin/healthstatus/dashboard/healthlog.md) | -| Review Health status dashboard. | - [Health Status Dashboard](admin/healthstatus/dashboard/overview.md) | -| Schedule Health Summary email delivery. | - [Health Summary Email](admin/healthstatus/summaryemail.md) | -| If some issues encountered while using the product, review the troubleshooting instructions. | - [Troubleshooting](admin/healthstatus/troubleshooting.md) | +| Track changes to the product configuration with Netwrix  self-audit. | - [Self-Audit](/docs/auditor/10.7/auditor/admin/healthstatus/selfaudit.md) | +| Review Netwrix Auditor System Health event log. | - [Netwrix Auditor Health Log](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md) | +| Review Health status dashboard. | - [Health Status Dashboard](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/overview.md) | +| Schedule Health Summary email delivery. | - [Health Summary Email](/docs/auditor/10.7/auditor/admin/healthstatus/summaryemail.md) | +| If some issues encountered while using the product, review the troubleshooting instructions. | - [Troubleshooting](/docs/auditor/10.7/auditor/admin/healthstatus/troubleshooting.md) | 
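Review bot: the rows rewritten in this hunk carry over text defects from the lines they replace: "NetwrixBehavior Anomalies dashboard" is missing a space, the subscriptions row ends in "subscriptions/" instead of a period, and the link text "[IT Risk Assessment Overview ]" has a trailing space inside the brackets. Every one of these rows is already being replaced, so fix them in the same change. Separately, each new target embeds the version segment (/docs/auditor/10.7/auditor/...), which the relative links did not, so these rows will need rewriting again if the 10.7 tree is copied for a later release; please confirm that is intended.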
diff --git a/docs/auditor/10.7/auditor/install/firstlaunch.md b/docs/auditor/10.7/auditor/install/firstlaunch.md index 0e30a1f33f..0ea9b5e511 100644 --- a/docs/auditor/10.7/auditor/install/firstlaunch.md +++ b/docs/auditor/10.7/auditor/install/firstlaunch.md @@ -21,11 +21,11 @@ To start using Netwrix Auditor After logging into Netwrix Auditor, you will see the following window: -![welcome_screen_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/install/welcome_screen_thumb_0_0.webp) +![welcome_screen_thumb_0_0](/img/product_docs/auditor/auditor/install/welcome_screen_thumb_0_0.webp) Take a closer look at the Home page. It contains everything you need to enable complete visibility in your environment. See next: -- [Navigation](../admin/navigation/overview.md) +- [Navigation](/docs/auditor/10.7/auditor/admin/navigation/overview.md) diff --git a/docs/auditor/10.7/auditor/install/overview.md b/docs/auditor/10.7/auditor/install/overview.md index 6184bd93d1..31a9776dd0 100644 --- a/docs/auditor/10.7/auditor/install/overview.md +++ b/docs/auditor/10.7/auditor/install/overview.md @@ -8,12 +8,12 @@ Compression Services. Refer to the following sections for detailed information: It also includes advanced scenarios such as: -- [Install Client via Group Policy](viagrouppolicy.md) -- [Install in Silent Mode](silentmode.md) +- [Install Client via Group Policy](/docs/auditor/10.7/auditor/install/viagrouppolicy.md) +- [Install in Silent Mode](/docs/auditor/10.7/auditor/install/silentmode.md) ## Install Netwrix Auditor -For instructions on upgrade procedures, refer to [Upgrade to the Latest Version](upgrade.md). +For instructions on upgrade procedures, refer to [Upgrade to the Latest Version](/docs/auditor/10.7/auditor/install/upgrade.md). **CAUTION:** To keep your systems safe, Netwrix Auditor should not be exposed to inbound access from the internet. 
@@ -24,13 +24,13 @@ Follow these steps to install Netwrix Auditor [Netwrix website](https://www.netwrix.com/auditor.html). NOTE: Before installing Netwrix Auditor, make sure that the Windows Firewall service is started. If -you use a third-party firewall, see [Protocols and Ports Required](../requirements/ports.md). Also, +you use a third-party firewall, see [Protocols and Ports Required](/docs/auditor/10.7/auditor/requirements/ports.md). Also, you must be a member of the local Administrators group to run the Netwrix Auditor installation. **Step 2 –** Unpack the installation package. The following window will be displayed on successful operation completion: -![installationscreen](../../../../../static/img/product_docs/auditor/auditor/install/installationscreen.webp) +![installationscreen](/img/product_docs/auditor/auditor/install/installationscreen.webp) **Step 3 –** Follow the instructions of the setup wizard. When prompted, accept the license agreement. 
@@ -53,15 +53,15 @@ collects statistical information on how the Licensee uses the product in accorda law. Select Skip if you do not want to participate in the program. You can always opt-out of the Netwrix Customer Experience Program later. See the -[About Netwrix Auditor](../admin/settings/about.md) topic for additional information. +[About Netwrix Auditor](/docs/auditor/10.7/auditor/admin/settings/about.md) topic for additional information. **Step 7 –** Click Install. After a successful installation, Auditor shortcut will be added to the **Start** menu and screen and -the product will start. See the [First Launch](firstlaunch.md) topic for additional information on +the product will start. See the [First Launch](/docs/auditor/10.7/auditor/install/firstlaunch.md) topic for additional information on the product navigation. -![welcome_screen](../../../../../static/img/product_docs/auditor/auditor/install/welcome_screen.webp) +![welcome_screen](/img/product_docs/auditor/auditor/install/welcome_screen.webp) Netwrix looks beyond the traditional on-premises installation and provides Auditor for cloud and virtual environments. For example, you can deploy Auditor on a pre-configured Microsoft Azure @@ -77,5 +77,5 @@ either automatically when setting up auditing in Netwrix Auditor, or manually. Refer to the following sections below for manual installation instructions: -- [Install for SharePoint Core Service](sharepointcoreservice.md) -- [Install for User Activity Core Service](useractivitycoreservice.md) +- [Install for SharePoint Core Service](/docs/auditor/10.7/auditor/install/sharepointcoreservice.md) +- [Install for User Activity Core Service](/docs/auditor/10.7/auditor/install/useractivitycoreservice.md) diff --git a/docs/auditor/10.7/auditor/install/sharepointcoreservice.md b/docs/auditor/10.7/auditor/install/sharepointcoreservice.md index 19af01110b..8c4c610497 100644 --- a/docs/auditor/10.7/auditor/install/sharepointcoreservice.md 
+++ b/docs/auditor/10.7/auditor/install/sharepointcoreservice.md @@ -13,12 +13,12 @@ prerequisites and make sure that: - [.Net Framework 3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22) is installed on the computer that hosts SharePoint Central Administration in the audited SharePoint farm. - The SharePoint Administration (SPAdminV4) service is started on the target computer. See - [SharePoint](../configuration/sharepoint/overview.md) for more information. + [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) for more information. - The user that is going to run the Core Service installation: - Is a member of the local Administrators group on SharePoint server, where the Core Service will be deployed. - Is granted the SharePoint_Shell_Access role on SharePoint SQL Server configuration database. - See [Permissions for SharePoint Auditing](../configuration/sharepoint/permissions.md) topic + See [Permissions for SharePoint Auditing](/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md) topic for more information. Follow the steps to install Netwrix Auditor for SharePoint Core Service manually. diff --git a/docs/auditor/10.7/auditor/install/upgrade.md b/docs/auditor/10.7/auditor/install/upgrade.md index 34f509f3e2..bdf79a14f5 100644 --- a/docs/auditor/10.7/auditor/install/upgrade.md +++ b/docs/auditor/10.7/auditor/install/upgrade.md 
@@ -60,26 +60,26 @@ operation. The issues listed below apply to upgrade from 9.96 and 10. rights and permissions to perform initial data collection and upgrade. Review the following for more information about required rights and permissions: - - [Permissions for Microsoft Entra ID Auditing](../configuration/microsoft365/microsoftentraid/permissions.md) - - [Permissions for Exchange Online Auditing](../configuration/microsoft365/exchangeonline/permissions.md) - - [Permissions for SharePoint Online Auditing ](../configuration/microsoft365/sharepointonline/permissions.md) - - [Permissions for Teams Auditing](../configuration/microsoft365/teams/permissions.md) + - [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md) + - [Permissions for Exchange Online Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md) + - [Permissions for SharePoint Online Auditing ](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md) + - [Permissions for Teams Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md) - For auditing cloud-based applications (Microsoft Entra ID, Exchange Online, SharePoint Online, and MS Teams) with Netwrix Auditor using modern authentication: additional configuration of the Azure AD app permissions is required. 
Review the following for more information about required rights and permissions: - - [Permissions for Microsoft Entra ID Auditing](../configuration/microsoft365/microsoftentraid/permissions.md) - - [Permissions for Exchange Online Auditing](../configuration/microsoft365/exchangeonline/permissions.md) - - [Permissions for SharePoint Online Auditing ](../configuration/microsoft365/sharepointonline/permissions.md) - - [Permissions for Teams Auditing](../configuration/microsoft365/teams/permissions.md) + - [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/permissions.md) + - [Permissions for Exchange Online Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/permissions.md) + - [Permissions for SharePoint Online Auditing ](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/permissions.md) + - [Permissions for Teams Auditing](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/permissions.md) - Netwrix Auditor for Oracle Database. If you use the following combination of the audit settings: Mixed Mode + Fine Grained Auditing, please check your configuration. You may need to re-configure your audit since the Oracle Database data collection mechanism was changed. See the - [Supported Data Sources](../requirements/supporteddatasources.md) and - [Verify Your Oracle Database Audit Settings](../configuration/oracle/verifysettings.md) topics for + [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) and + [Verify Your Oracle Database Audit Settings](/docs/auditor/10.7/auditor/configuration/oracle/verifysettings.md) topics for additional information. - During the initial data collection, the product automatically upgrades services responsible for Windows Server and SharePoint network traffic compression. Consider the following: 
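Review bot: in both four-item permission lists of this hunk, the link text "[Permissions for SharePoint Online Auditing ]" still has a trailing space inside the brackets on the + lines; drop it while the lines are being rewritten. The two lists are also identical link for link, so after this change the same four absolute paths have to be kept in sync in two places within one topic.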
@@ -121,7 +121,7 @@ Follow the steps to perform the upgrade. **Step 1 –** Make sure you have completed the preparatory steps above. **Step 2 –** Run the setup on the computer where the Auditor  Server resides. See the -[Installation](overview.md) topic for additional information. +[Installation](/docs/auditor/10.7/auditor/install/overview.md) topic for additional information. **Step 3 –** If you have a client-server deployment, then after upgrading the server run the setup on all remote machines where the Auditor Client resides. diff --git a/docs/auditor/10.7/auditor/install/viagrouppolicy.md b/docs/auditor/10.7/auditor/install/viagrouppolicy.md index 6625032553..63fec724d5 100644 --- a/docs/auditor/10.7/auditor/install/viagrouppolicy.md +++ b/docs/auditor/10.7/auditor/install/viagrouppolicy.md @@ -46,7 +46,7 @@ Administrative Tools (Windows 2012) **Group Policy Management.** **Step 2 –** In the left pane, navigate to **Forest: `` → Domain →** **``, right-click ``** and select **Create a GPO in this domain and Link it here**. -![winserver2016_ou_gpo_for_deploy](../../../../../static/img/product_docs/auditor/auditor/install/winserver2016_ou_gpo_for_deploy.webp) +![winserver2016_ou_gpo_for_deploy](/img/product_docs/auditor/auditor/install/winserver2016_ou_gpo_for_deploy.webp) **Step 3 –** Right-click the newly created GPO and select **Edit** from the pop-up menu. 
@@ -59,14 +59,14 @@ node on the left and navigate to **Policies → Software Settings → Software i **Step 7 –** In the Deploy Software dialog, select Advanced. -![add_msi](../../../../../static/img/product_docs/auditor/auditor/install/add_msi.webp) +![add_msi](/img/product_docs/auditor/auditor/install/add_msi.webp) **Step 8 –** In the Netwrix Auditor Properties dialog, select the Deployment tab and click Advanced. **Step 9 –** In the Advanced Deployment Options dialog, select the Ignore language when deploying this package checkbox. -![winserver2016_advanced_deployment_options](../../../../../static/img/product_docs/auditor/auditor/install/winserver2016_advanced_deployment_options.webp) +![winserver2016_advanced_deployment_options](/img/product_docs/auditor/auditor/install/winserver2016_advanced_deployment_options.webp) **Step 10 –** Close the Netwrix Auditor Properties dialog. diff --git a/docs/auditor/10.7/auditor/install/virtualappliance/configure.md b/docs/auditor/10.7/auditor/install/virtualappliance/configure.md index b76af8b781..d433d12aeb 100644 --- a/docs/auditor/10.7/auditor/install/virtualappliance/configure.md +++ b/docs/auditor/10.7/auditor/install/virtualappliance/configure.md 
@@ -20,12 +20,12 @@ the license agreement and then press `Y` to accept it. | Rename virtual machine | Specify a new name for the virtual machine (e.g., _`NA-Server`_). The computer name must be properly formatted. It may contain letters (a-z, A-Z), numbers (0-9), and hyphens (-), but no spaces and periods (.). The name may not consist entirely of digits and may not be longer than 15 characters. | | Add additional input languages | Select `Y` if you want to specify additional input languages. Select `N` to proceed with English. | | Configure network | - Select `Y` to use DHCP server to configure network settings automatically. - Select `N` to configure required parameters manually. In this case, you will be prompted to set up IP settings manually. | -| Join computer to the domain or workgroup | **To join a domain** Select `Y`. Specify the fully qualified domain name to join (e.g., `corp.local`). Then specify domain administrator name and password. For your convenience, the account specified will be added to the local Administrators group and set as account for collecting data from the target systems. Domain Users group will be removed from the local Users group after the machine with the appliance joins the domain. The script is starting to test your domain controller: by NETBIOS name first, then by DNS name and finally, using an IP address. If at least one of the tests is successful, the computer will be added to a domain. In case of failure, you will be prompted to do one of the following: - Re-try to joint to the selected domain. In this case, the script uses the DNS name of your domain controller. The name must be resolved. - Continue with Workgroup. See the procedure below on how to join the computer to a workgroup. - Cancel and **Return to Main Menu**. Select if you want to cancel the domain join and re-configure the machine. Press Enter and repeat menu section. You will return to step 5. **To join a workgroup** Select `N`. 
Specify the local administrator name and credentials. For your convenience, the account specified will be set as account for collecting data from the target systems. Netwrix Auditor is unable to work in a workgroup. Please confirm if you want to proceed. Otherwise, you will not be able to run reviews on data collected by Auditor. See the [Access Reviews](../../accessreviews.md) topic for additional information about integration with Access Reviews. | +| Join computer to the domain or workgroup | **To join a domain** Select `Y`. Specify the fully qualified domain name to join (e.g., `corp.local`). Then specify domain administrator name and password. For your convenience, the account specified will be added to the local Administrators group and set as account for collecting data from the target systems. Domain Users group will be removed from the local Users group after the machine with the appliance joins the domain. The script is starting to test your domain controller: by NETBIOS name first, then by DNS name and finally, using an IP address. If at least one of the tests is successful, the computer will be added to a domain. In case of failure, you will be prompted to do one of the following: - Re-try to joint to the selected domain. In this case, the script uses the DNS name of your domain controller. The name must be resolved. - Continue with Workgroup. See the procedure below on how to join the computer to a workgroup. - Cancel and **Return to Main Menu**. Select if you want to cancel the domain join and re-configure the machine. Press Enter and repeat menu section. You will return to step 5. **To join a workgroup** Select `N`. Specify the local administrator name and credentials. For your convenience, the account specified will be set as account for collecting data from the target systems. Netwrix Auditor is unable to work in a workgroup. Please confirm if you want to proceed. Otherwise, you will not be able to run reviews on data collected by Auditor. 
See the [Access Reviews](/docs/auditor/10.7/auditor/accessreviews.md) topic for additional information about integration with Access Reviews. | | Configure SQL Server | The shell script automatically configures SQL Server instance. The sysadmin server role on SQL Server instance is granted automatically to the BUILTIN\Administrators group. | In the example below, review how the shell script configures the new VM: -![appliance_script](../../../../../../static/img/product_docs/auditor/auditor/install/virtualappliance/appliance_script.webp) +![appliance_script](/img/product_docs/auditor/auditor/install/virtualappliance/appliance_script.webp) **Step 6 –** When the script execution completes, you will be prompted to reboot the virtual machine for the changes to take effect. 
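Review bot: the rewritten "Join computer to the domain or workgroup" row still reads "Re-try to joint to the selected domain" on the + line; correct it to "join" while the row is being replaced. The only change in this row is the Access Reviews link at the end of the cell, but because the whole join procedure sits in a single table cell, the diff replaces the entire procedure text to change one path. Moving the domain and workgroup steps out of the table into a list would keep later link changes reviewable.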
@@ -45,10 +45,10 @@ Now you can evaluate Auditor functionality. Review the table below for more info | To... | Run... | Get more info | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| - See a list of audit settings - See a list of rights and permissions required for data collecting account | — | - [Supported Data Sources](../../requirements/supporteddatasources.md) - [Data Collecting Account](../../admin/monitoringplans/dataaccounts.md) | -| - Create a monitoring plan - Review data collection status - Configure the Long-Term Archive and the Audit Database settings - Assign roles and delegate control | Auditor Client | - [Monitoring Plans](../../admin/monitoringplans/overview.md) - [Netwrix Auditor Settings](../../admin/settings/overview.md) - [Role-Based Access and Delegation](../../admin/monitoringplans/delegation.md) | -| - Browse data with interactive search - Review diagrams - Generate reports - Configure report subscriptions - Create alerts | Auditor Client | - [Reports](../../admin/reports/overview.md) - [Subscriptions](../../admin/subscriptions/overview.md) - [Alerts](../../admin/alertsettings/overview.md) | -| See the data collected by Auditor | Auditor Client | - [Access Reviews](../../accessreviews.md) | +| - See a list of audit settings - See a list of rights and permissions required for data collecting account | — | - [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) - [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) | +| - Create a monitoring plan - Review data collection status - Configure the Long-Term Archive and the Audit 
Database settings - Assign roles and delegate control | Auditor Client | - [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md) - [Netwrix Auditor Settings](/docs/auditor/10.7/auditor/admin/settings/overview.md) - [Role-Based Access and Delegation](/docs/auditor/10.7/auditor/admin/monitoringplans/delegation.md) | +| - Browse data with interactive search - Review diagrams - Generate reports - Configure report subscriptions - Create alerts | Auditor Client | - [Reports](/docs/auditor/10.7/auditor/admin/reports/overview.md) - [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) - [Alerts](/docs/auditor/10.7/auditor/admin/alertsettings/overview.md) | +| See the data collected by Auditor | Auditor Client | - [Access Reviews](/docs/auditor/10.7/auditor/accessreviews.md) | **NOTE:** If any errors occur, please contact [Netwrix technical support](https://www.netwrix.com/support.html). diff --git a/docs/auditor/10.7/auditor/install/virtualappliance/overview.md b/docs/auditor/10.7/auditor/install/virtualappliance/overview.md index 6f3208fdb1..322a3a14b8 100644 --- a/docs/auditor/10.7/auditor/install/virtualappliance/overview.md +++ b/docs/auditor/10.7/auditor/install/virtualappliance/overview.md @@ -24,8 +24,8 @@ environment. Review the following for additional information: - Requirements to Deploy Virtual Appliance -- [Import Virtual Machine from Image to VMware](importvmware.md) -- [Import Virtual Machine from Image to Hyper-V ](importhyperv.md) +- [Import Virtual Machine from Image to VMware](/docs/auditor/10.7/auditor/install/virtualappliance/importvmware.md) +- [Import Virtual Machine from Image to Hyper-V ](/docs/auditor/10.7/auditor/install/virtualappliance/importhyperv.md) ## Available Configurations 
@@ -59,7 +59,7 @@ The virtual appliance also contains Access Information Center for Auditor versio - Microsoft SQL Server Express Edition is only recommended for evaluation, PoC or small deployments. For production deployment planning in bigger environments, refer to requirements and recommendations listed in the - [Requirements for SQL Server to Store Audit Data](../../requirements/sqlserver.md) section. + [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) section. ## Requirements to Deploy Virtual Appliance @@ -67,7 +67,7 @@ This section lists supported virtualization platforms and default hardware confi for the virtual machine where Auditor virtual appliance will be deployed. The requirements below are sufficient for evaluation purposes only. See the -[Requirements](../../requirements/overview.md) topic for additional information. +[Requirements](/docs/auditor/10.7/auditor/requirements/overview.md) topic for additional information. ### Supported Platforms diff --git a/docs/auditor/10.7/auditor/requirements/console.md b/docs/auditor/10.7/auditor/requirements/console.md index 23ef0d9a56..282daaebef 100644 --- a/docs/auditor/10.7/auditor/requirements/console.md +++ b/docs/auditor/10.7/auditor/requirements/console.md @@ -27,7 +27,7 @@ virtualization platform, in particular: - Microsoft Hyper-V - Nutanix AHV -Auditor supports only Windows OS versions listed in the [Software Requirements](software.md) topic. +Auditor supports only Windows OS versions listed in the [Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) topic. Netwrix Auditor and SQL Server instance will be deployed on different servers. 
@@ -41,7 +41,7 @@ Requirements below apply to Netwrix Auditor server. | Others | — | — | Network capacity 1 Gbit | Network capacity 1 Gbit | \* — ARs stands for Activity Records, that is, Netwrix-compatible format for the audit data. See -[Activity Records](../api/postdata/activityrecords.md)[Activity Records](../api/postdata/activityrecords.md) +[Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md)[Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) for more details. \*\* — By default, the Long-Term Archive and working folder are stored on a system drive. To reduce @@ -49,8 +49,8 @@ the impact on the system drive in large and xlarge environments, Netwrix recomme Long-Term Archive and working folder on a data drive and plan for their capacity accordingly. For details, see: -- [File-Based Repository for Long-Term Archive](longtermarchive.md) -- [Working Folder](workingfolder.md) +- [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) +- [Working Folder](/docs/auditor/10.7/auditor/requirements/workingfolder.md) Netwrix Auditor informs you if you are running out of space on a system disk where the Long-Term Archive is stored by default. You will see related events in the Health log once the free disk space @@ -62,7 +62,7 @@ following Microsoft article: [SQL Server: Hardware and software requirements](https://learn.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server-2019?view=sql-server-ver16) **NOTE:** In larger environments, SQL Server may become underprovisioned on resources. For -troubleshooting such cases, refer to the [Sample Deployment Scenarios](deploymentscenarios.md) +troubleshooting such cases, refer to the [Sample Deployment Scenarios](/docs/auditor/10.7/auditor/requirements/deploymentscenarios.md) topic. Additional Sizing Information for File Data Source 
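Review bot: in the @@ -41,7 hunk of requirements/console.md the duplicated link is converted rather than removed. The + line reads [Activity Records](/docs/auditor/10.7/auditor/api/postdata/activityrecords.md) twice back to back with the same target, exactly as the - line did with the relative path. Keep a single link.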
diff --git a/docs/auditor/10.7/auditor/requirements/deploymentscenarios.md b/docs/auditor/10.7/auditor/requirements/deploymentscenarios.md index 45fbc1198a..08e9854612 100644 --- a/docs/auditor/10.7/auditor/requirements/deploymentscenarios.md +++ b/docs/auditor/10.7/auditor/requirements/deploymentscenarios.md @@ -40,7 +40,7 @@ users): server and client components. 3. When prompted to configure the Audit database settings, proceed with installing SQL Server Express Edition with Advanced Services on the same VM. See the - [SQL Server Reporting Services](sqlserverreportingservice.md) topic for additional information. + [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. Alternatively, you can install Netwrix Auditor as a virtual appliance on your VMware vSphere or Hyper-V virtualization server. For more information on this deployment option, refer to the @@ -70,11 +70,11 @@ users, approximately up to 1 million of activity records generated per day): Auditor clients on the remote Windows machines. Client-server connection requires user sign-in. You can automate this process, as described in - [Automate Sign-in to the Client](../install/automatelogin.md) of Online Help. + [Automate Sign-in to the Client](/docs/auditor/10.7/auditor/install/automatelogin.md) of Online Help. 3. When prompted to configure the Audit database settings, proceed with installing SQL Server Express Edition with Advanced Services. See the - [SQL Server Reporting Services](sqlserverreportingservice.md) topic for additional information. + [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. Alternatively, you can install Netwrix Auditor as a virtual appliance on your VMware vSphere or Hyper-V virtualization server. For more information on this deployment option, refer to the 
@@ -93,7 +93,7 @@ approximately 1+ million of activity records generated per day): Auditor clients on the remote Windows machines. Client-server connection requires user sign-in. You can automate this process, as described in - the [Automate Sign-in to the Client](../install/automatelogin.md) section of Online Help. + the [Automate Sign-in to the Client](/docs/auditor/10.7/auditor/install/automatelogin.md) section of Online Help. 3. Prepare Microsoft SQL Server meeting the following requirements: | Hardware component | Requirement | | --- | --- | | Processor | 2-4 cores | | RAM | 16-32 GB | | Disk space | - 100 GB @@ -117,7 +117,7 @@ more than 20 000 users (10+ million of activity records generated per day): Auditor clients on the remote Windows machines. Client-server connection requires user sign-in. You can automate this process, as described in - the [Automate Sign-in to the Client](../install/automatelogin.md) section. + the [Automate Sign-in to the Client](/docs/auditor/10.7/auditor/install/automatelogin.md) section. 3. Prepare a machine for Microsoft SQL Server meeting the following requirements: | Hardware component | Requirement | | --- | --- | | Processor | 4 cores | | RAM | 32 - 64 GB | | Disk space diff --git a/docs/auditor/10.7/auditor/requirements/gmsa.md b/docs/auditor/10.7/auditor/requirements/gmsa.md index f548c079d5..b70274dc64 100644 --- a/docs/auditor/10.7/auditor/requirements/gmsa.md +++ b/docs/auditor/10.7/auditor/requirements/gmsa.md 
@@ -23,17 +23,17 @@ Currently, gMSA is supported: - User Activity (including User Activity Video Recording) - Windows Server - See the [Data Collecting Account](../admin/monitoringplans/dataaccounts.md) topic for additional + See the [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information about supported data sources. **NOTE:** If you are using a gMSA account for Active Directory collection consider that the Active Directory Object Restore tool will not work. - As an account for accessing Long-Term archive. See the - [File-Based Repository for Long-Term Archive](longtermarchive.md) topic for additional + [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) topic for additional information. - As an account for accessing Audit Databases. See - [Requirements for SQL Server to Store Audit Data](sqlserver.md) topic for additional information. + [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) topic for additional information. **CAUTION:** In case of accessing Audit Databases using gMSA account, SSRS-based reports will not work. 
@@ -159,36 +159,36 @@ account, depending on what purpose a gMSA account will be used for. Local Admins group on the Auditor Server and assign the following rights and permissions, depending on the data source you want to collect data from: - - [Permissions for Active Directory Auditing](../configuration/activedirectory/permissions.md) - - [Permissions for Group Policy Auditing ](../configuration/grouppolicy/permissions.md) - - [Permissions for Logon Activity Auditing ](../configuration/logonactivity/permissions.md) - - [Permissions for Windows File Server Auditing](../configuration/fileservers/windows/permissions.md) - - [Permissions for SharePoint Auditing](../configuration/sharepoint/permissions.md) - - [Permissions for SQL Server Auditing ](../configuration/sqlserver/permissions.md) - - [Permissions for Windows Server Auditing ](../configuration/windowsserver/permissions.md) + - [Permissions for Active Directory Auditing](/docs/auditor/10.7/auditor/configuration/activedirectory/permissions.md) + - [Permissions for Group Policy Auditing ](/docs/auditor/10.7/auditor/configuration/grouppolicy/permissions.md) + - [Permissions for Logon Activity Auditing ](/docs/auditor/10.7/auditor/configuration/logonactivity/permissions.md) + - [Permissions for Windows File Server Auditing](/docs/auditor/10.7/auditor/configuration/fileservers/windows/permissions.md) + - [Permissions for SharePoint Auditing](/docs/auditor/10.7/auditor/configuration/sharepoint/permissions.md) + - [Permissions for SQL Server Auditing ](/docs/auditor/10.7/auditor/configuration/sqlserver/permissions.md) + - [Permissions for Windows Server Auditing ](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) _Remember,_ - [Permissions for Windows Server Auditing ](../configuration/windowsserver/permissions.md) + [Permissions for Windows Server Auditing ](/docs/auditor/10.7/auditor/configuration/windowsserver/permissions.md) - If you are going to use a gMSA to access Long-Term archive, assign 
the roles and permissions required for a custom account: - - [File-Based Repository for Long-Term Archive](longtermarchive.md) + - [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) _Remember,_ that you can use custom (gMSA) account only if your Long-Term archive stored on a file share. - If you are going to use a gMSA to access Audit Database, assign the required roles: - - [Requirements for SQL Server to Store Audit Data](sqlserver.md) + - [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) _Remember,_ that a gMSA account cannot access SSRS due to Microsoft restrictions. - If you are going to use a gMSA as a data collection accoun for User Activity or User Activity Video Recording, refer to the following topics: - - [User Activity](../configuration/useractivity/overview.md) - - [Configure Video Recordings Playback Settings](../configuration/useractivity/videorecordings.md) + - [User Activity](/docs/auditor/10.7/auditor/configuration/useractivity/overview.md) + - [Configure Video Recordings Playback Settings](/docs/auditor/10.7/auditor/configuration/useractivity/videorecordings.md) Now you can use a gMSA account as one of the Auditor Service Account. @@ -204,7 +204,7 @@ This topic contains instructions on how to apply a gMSA as one of the Auditor Se To process the corresponding monitored items using gMSA, you can specify this account in the monitored plan properties. See the -[Create a New Monitoring Plan](../admin/monitoringplans/create.md) topic for additional information. +[Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic for additional information. Follow the steps to set a custom account in the monitored item properties. 
@@ -213,17 +213,17 @@ Follow the steps to set a custom account in the monitored item properties. **Step 2 –** On the **General** tab, under **Specify account for collecting data**, select **gMSA** option. -![Monitored Item Properties page](../../../../../static/img/product_docs/auditor/auditor/requirements/gmsa.webp) +![Monitored Item Properties page](/img/product_docs/auditor/auditor/requirements/gmsa.webp) See the -[Add Items for Monitoring](../admin/monitoringplans/datasources.md#add-items-for-monitoring) topic +[Add Items for Monitoring](/docs/auditor/10.7/auditor/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information. ### Apply gMSA to Access Long-Term Archive To write data to the Long-Term Archive and upload report subscriptions to shared folders, you can specify this account as a custom account in the Long-Term Archive settings. See the -[Long-Term Archive](../admin/settings/longtermarchive.md) topic for additional information. +[Long-Term Archive](/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md) topic for additional information. **NOTE:** For a custom account or a gMSA one, consider that you can use the account for the Long-Term Archive based on a file share @@ -232,5 +232,5 @@ Long-Term Archive based on a file share To access Audit Database, generate reports and run interactive search queries, you can specify this account under the 'Specify custom connection parameters in your common database plan settings. See -the [Fine-Tune Your Plan and Edit Settings](../admin/monitoringplans/finetune.md) topic for +the [Fine-Tune Your Plan and Edit Settings](/docs/auditor/10.7/auditor/admin/monitoringplans/finetune.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/requirements/longtermarchive.md b/docs/auditor/10.7/auditor/requirements/longtermarchive.md index 2706084369..31f8ab138b 100644 --- a/docs/auditor/10.7/auditor/requirements/longtermarchive.md 
+++ b/docs/auditor/10.7/auditor/requirements/longtermarchive.md @@ -23,7 +23,7 @@ viewing the Long-Term Archive widget of the Health Status dashboard, click Open **Step 2 –** Click Modify. -![archive_modify_settings_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/requirements/archive_modify_settings_thumb_0_0.webp) +![archive_modify_settings_thumb_0_0](/img/product_docs/auditor/auditor/requirements/archive_modify_settings_thumb_0_0.webp) **Step 3 –** Enter new path or browse for the required folder. @@ -56,10 +56,10 @@ If the retention period is set to **0**, the following logic will be applied: To examine the repository capacity and daily growth, use the Long-Term Archive Capacity of the Health Status dashboard. -![healthstatusdashboard_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthstatusdashboard_thumb_0_0.webp) +![healthstatusdashboard_thumb_0_0](/img/product_docs/auditor/auditor/admin/healthstatus/dashboard/healthstatusdashboard_thumb_0_0.webp) To estimate the amount of activity records collected and stored to the repository day by day, use -the [Activity Records Statistics](../admin/healthstatus/dashboard/activityrecordstatistics.md) +the [Activity Records Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md) widget. Click View details to see how many activity records were produced by each data source, collected and saved to the Long-Term Archive and to the database. 
@@ -100,7 +100,7 @@ The custom account must be granted the following rights and permissions: - Create files / write data folder permission Subscriptions created in the Auditor client  are uploaded to file servers under the Long-Term - Archive service account as well. See the [Subscriptions](../admin/subscriptions/overview.md) + Archive service account as well. See the [Subscriptions](/docs/auditor/10.7/auditor/admin/subscriptions/overview.md) topic for additional information. ### Assign Permissions on the Long-Term Archive Folder @@ -183,5 +183,5 @@ Archive capacity. The widget displays the current size and daily increase of the and the remaining free space on the target drive. To open the Long-Term Archive settings, click the corresponding link. Then you will be able to -adjust the settings as necessary. See the [Long-Term Archive](../admin/settings/longtermarchive.md) +adjust the settings as necessary. See the [Long-Term Archive](/docs/auditor/10.7/auditor/admin/settings/longtermarchive.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/requirements/monitoredobjecttypes.md b/docs/auditor/10.7/auditor/requirements/monitoredobjecttypes.md index cfebbf6156..fe9909f124 100644 --- a/docs/auditor/10.7/auditor/requirements/monitoredobjecttypes.md +++ b/docs/auditor/10.7/auditor/requirements/monitoredobjecttypes.md 
@@ -3,35 +3,35 @@ Netwrix Auditor monitored object types, actions, attributes and components for each data source are located in the following topics: -- [Active Directory](../configuration/activedirectory/overview.md) -- [AD FS](../configuration/activedirectoryfederatedservices/overview.md) -- [Exchange](../configuration/exchange/overview.md) -- [File Servers](../configuration/fileservers/overview.md) +- [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) +- [AD FS](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md) +- [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) +- [File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/overview.md) - - [Dell Data Storage](../configuration/fileservers/delldatastorage/overview.md) - - [Dell Isilon/PowerScale](../configuration/fileservers/dellisilon/overview.md) - - [NetApp Data ONTAP](../configuration/fileservers/netappcmode/overview.md) - - [Nutanix](../configuration/fileservers/nutanix/overview.md) - - [Qumulo](../configuration/fileservers/qumulo/overview.md) - - [Synology](../configuration/fileservers/synology/overview.md) - - [Windows File Servers](../configuration/fileservers/windows/overview.md) + - [Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md) + - [Dell Isilon/PowerScale](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md) + - [NetApp Data ONTAP](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md) + - [Nutanix](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md) + - [Qumulo](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md) + - [Synology](/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md) + - [Windows File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md) -- [Group 
Policy](../configuration/grouppolicy/overview.md) -- [Logon Activity](../configuration/logonactivity/overview.md) -- [Microsoft 365](../configuration/microsoft365/overview.md) +- [Group Policy](/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md) +- [Logon Activity](/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md) +- [Microsoft 365](/docs/auditor/10.7/auditor/configuration/microsoft365/overview.md) - - [Exchange Online](../configuration/microsoft365/exchangeonline/overview.md) - - [Microsoft Entra ID](../configuration/microsoft365/microsoftentraid/overview.md) - - [SharePoint Online](../configuration/microsoft365/sharepointonline/overview.md) - - [MS Teams](../configuration/microsoft365/teams/overview.md) + - [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) + - [Microsoft Entra ID](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) + - [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) + - [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) -- [Network Devices](../configuration/networkdevices/overview.md) -- [Oracle Database](../configuration/oracle/overview.md) -- [SharePoint](../configuration/sharepoint/overview.md) -- [SQL Server](../configuration/sqlserver/overview.md) -- [User Activity](../configuration/useractivity/overview.md) -- [VMware](../configuration/vmware/overview.md) -- [Windows Server](../configuration/windowsserver/overview.md) +- [Network Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/overview.md) +- [Oracle Database](/docs/auditor/10.7/auditor/configuration/oracle/overview.md) +- [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) +- [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) +- [User Activity](/docs/auditor/10.7/auditor/configuration/useractivity/overview.md) +- 
[VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) +- [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) Review the list of actions audited and reported by Netwrix Auditor. Actions vary depending on the data source and the object type. diff --git a/docs/auditor/10.7/auditor/requirements/overview.md b/docs/auditor/10.7/auditor/requirements/overview.md index 85d66a6d09..829c6ad9c7 100644 --- a/docs/auditor/10.7/auditor/requirements/overview.md +++ b/docs/auditor/10.7/auditor/requirements/overview.md @@ -3,17 +3,17 @@ This topic provides the requirements for the server where Netwrix Auditor will be installed. See the following topics for additional information: -- [Supported Data Sources](supporteddatasources.md) -- [Hardware Requirements](console.md) -- [Software Requirements](software.md) -- [Requirements for SQL Server to Store Audit Data](sqlserver.md) +- [Supported Data Sources](/docs/auditor/10.7/auditor/requirements/supporteddatasources.md) +- [Hardware Requirements](/docs/auditor/10.7/auditor/requirements/console.md) +- [Software Requirements](/docs/auditor/10.7/auditor/requirements/software.md) +- [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) ## Architecture Overview Netwrix Auditor provides comprehensive auditing of applications, platforms and storage systems. The product architecture and components interactions are shown in the figure below. -![auditorarchitecture_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/requirements/auditorarchitecture_thumb_0_0.webp) +![auditorarchitecture_thumb_0_0](/img/product_docs/auditor/auditor/requirements/auditorarchitecture_thumb_0_0.webp) - Netwrix Auditor Server — the central component that handles the collection, transfer and processing of audit data from the various data sources (audited systems). Data from the sources 
@@ -55,7 +55,7 @@ The general workflow stages are as follows: consolidate data from multiple independent sources (event logs, configuration snapshots, change history records, etc.). This capability is implemented with Netwrix Auditor Server and Integration API. - - See the [Integration API](../api/overview.md) topic for additional information on custom data + - See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information on custom data source processing workflow. - Audit data is stored to the Audit databases and the repository (Long-Term Archive) and preserved diff --git a/docs/auditor/10.7/auditor/requirements/ports.md b/docs/auditor/10.7/auditor/requirements/ports.md index 64b414c912..843088fe7f 100644 --- a/docs/auditor/10.7/auditor/requirements/ports.md +++ b/docs/auditor/10.7/auditor/requirements/ports.md 
@@ -40,27 +40,27 @@ your organization policy requires you to provide a justification for each partic the following for a full list of ports to be opened on the computer where Auditor Server is going to be installed and on your target servers. -- [Active Directory Ports](../configuration/activedirectory/ports.md) -- [AD FS Ports](../configuration/activedirectoryfederatedservices/ports.md) -- [Microsoft Entra ID Ports](../configuration/microsoft365/microsoftentraid/ports.md) -- [Dell Data Storage Ports](../configuration/fileservers/delldatastorage/ports.md) -- [Exchange Ports](../configuration/exchange/ports.md) -- [Exchange Online Ports](../configuration/microsoft365/exchangeonline/ports.md) -- [Group Policy Ports](../configuration/grouppolicy/ports.md) -- [Integration API Ports](../api/ports.md) -- [ Logon Activity Ports](../configuration/logonactivity/ports.md) -- [Nutanix Ports](../configuration/fileservers/nutanix/ports.md) -- [Oracle Database Ports](../configuration/oracle/ports.md) -- [Qumulo Ports](../configuration/fileservers/qumulo/ports.md) -- [SharePoint Ports](../configuration/sharepoint/ports.md) -- [SharePoint Online Ports](../configuration/microsoft365/sharepointonline/ports.md) -- [SQL Server Ports](../configuration/sqlserver/ports.md) -- [Synology Ports](../configuration/fileservers/synology/ports.md) -- [Teams Ports](../configuration/microsoft365/teams/ports.md) -- [User Activity Ports](../configuration/useractivity/ports.md) -- [VMware Ports](../configuration/vmware/ports.md) -- [Windows File Server Ports](../configuration/fileservers/windows/ports.md) -- [Windows Server Ports](../configuration/windowsserver/ports.md) +- [Active Directory Ports](/docs/auditor/10.7/auditor/configuration/activedirectory/ports.md) +- [AD FS Ports](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/ports.md) +- [Microsoft Entra ID Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/ports.md) +- [Dell Data Storage 
Ports](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/ports.md) +- [Exchange Ports](/docs/auditor/10.7/auditor/configuration/exchange/ports.md) +- [Exchange Online Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/ports.md) +- [Group Policy Ports](/docs/auditor/10.7/auditor/configuration/grouppolicy/ports.md) +- [Integration API Ports](/docs/auditor/10.7/auditor/api/ports.md) +- [ Logon Activity Ports](/docs/auditor/10.7/auditor/configuration/logonactivity/ports.md) +- [Nutanix Ports](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/ports.md) +- [Oracle Database Ports](/docs/auditor/10.7/auditor/configuration/oracle/ports.md) +- [Qumulo Ports](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/ports.md) +- [SharePoint Ports](/docs/auditor/10.7/auditor/configuration/sharepoint/ports.md) +- [SharePoint Online Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/ports.md) +- [SQL Server Ports](/docs/auditor/10.7/auditor/configuration/sqlserver/ports.md) +- [Synology Ports](/docs/auditor/10.7/auditor/configuration/fileservers/synology/ports.md) +- [Teams Ports](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/ports.md) +- [User Activity Ports](/docs/auditor/10.7/auditor/configuration/useractivity/ports.md) +- [VMware Ports](/docs/auditor/10.7/auditor/configuration/vmware/ports.md) +- [Windows File Server Ports](/docs/auditor/10.7/auditor/configuration/fileservers/windows/ports.md) +- [Windows Server Ports](/docs/auditor/10.7/auditor/configuration/windowsserver/ports.md) ## Netwrix Auditor Server diff --git a/docs/auditor/10.7/auditor/requirements/serviceaccount.md b/docs/auditor/10.7/auditor/requirements/serviceaccount.md index 8ef1e10da5..96fc71c1d5 100644 --- a/docs/auditor/10.7/auditor/requirements/serviceaccount.md +++ b/docs/auditor/10.7/auditor/requirements/serviceaccount.md 
@@ -4,7 +4,7 @@ Netwrix Auditor uses the following service accounts: | Service account | Description | | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Account for data collection | An account used by Netwrix Auditor to collect audit data from the target systems. **NOTE:** For the data collecting account, you should use a different account than the one Auditor is using to access the database. See [Data Collecting Account](../admin/monitoringplans/dataaccounts.md) for additional information. | -| Audit Database service account | An account used by Netwrix Auditor to write collected audit data to the Audit Database. See [Requirements for SQL Server to Store Audit Data](sqlserver.md) for additional information. | -| SSRS service account | An account used by Netwrix Auditor to upload data to the Report Server. See [SQL Server Reporting Services](sqlserverreportingservice.md) for additional information. | -| Long-Term Archive service account | An account used to write data to the Long-Term Archive and upload report subscriptions to shared folders. The LocalSystem account is selected by default. See [File-Based Repository for Long-Term Archive](longtermarchive.md) for additional information. | +| Account for data collection | An account used by Netwrix Auditor to collect audit data from the target systems. **NOTE:** For the data collecting account, you should use a different account than the one Auditor is using to access the database. See [Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) for additional information. 
| +| Audit Database service account | An account used by Netwrix Auditor to write collected audit data to the Audit Database. See [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) for additional information. | +| SSRS service account | An account used by Netwrix Auditor to upload data to the Report Server. See [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) for additional information. | +| Long-Term Archive service account | An account used to write data to the Long-Term Archive and upload report subscriptions to shared folders. The LocalSystem account is selected by default. See [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) for additional information. | diff --git a/docs/auditor/10.7/auditor/requirements/software.md b/docs/auditor/10.7/auditor/requirements/software.md index 4b8b413680..f08a3c2e70 100644 --- a/docs/auditor/10.7/auditor/requirements/software.md +++ b/docs/auditor/10.7/auditor/requirements/software.md 
@@ -19,13 +19,13 @@ Server, in the monitored environment, or in both locations. | - AD FS | _On the computer where_ Auditor _Server_ _is installed:_ - Windows Remote Management must be configured to allow remote PowerShell usage. For that, set up the **TrustedHosts** list: - to include all AD FS servers, use the following cmdlet: `Set-Item wsman:\localhost\Client\TrustedHosts -value '*' -Force;` - to include specific AD FS servers (monitored items), do the following: 1. Use Get cmdlet to obtain the existing **TrustedHosts** list. 2. If necessary, add the IP addresses of required AD FS servers to existing list (use comma as a separator). 3. Provide the updated list to the cmdlet as a parameter. For example: `Set-Item wsman:\localhost\Client\TrustedHosts -value '172.28.57.240,172.28.57.127' -Force;` See the following Microsoft article [Installation and configuration for Windows Remote Management](https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management) for additional information about TrustedHosts. | | - Windows Server (with enabled network traffic compression) - User Activity | _In the monitored environment:_ - .NET Framework 4.8 and above. See the following Microsoft article for additional information about .Net Framework installer redistributable: [Microsoft .NET Framework 4.8 offline installer for Windows.](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-8-offline-installer-for-windows-9d23f658-3b97-68ab-d013-aa3c3e7495e0) | | - Microsoft Entra ID Ports - SharePoint Online | Usually, there is no need in any additional components for data collection. | -| - Oracle Database | Oracle Database 12c and above: _On the computer where_ Auditor _Server_ _is installed:_ - Oracle Instant Client. - Download the appropriate package from Oracle website: [Instant Client Packages](https://www.oracle.com/database/technologies/instant-client.html). 
Netwrix recommends installing the latest available version (Netwrix Auditor is compatible with version 12 and above). - Install, following the instructions, for example,[ Instant Client Installation for Microsoft Windows 64-bit](https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html#instant-client-installation-for-microsoft-windows-64-bit). Check your Visual Studio Redistributable version. Applicable packages for each Oracle Database version with downloading links are listed in the installation instructions: [Instant Client Installation for Microsoft Windows 64-bit](https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html#instant-client-installation-for-microsoft-windows-64-bit). Oracle Database 11g: Auditor provides limited support of Oracle Database 11g. See the [Considerations for Oracle Database 11g](../configuration/oracle/overview.md#considerations-for-oracle-database-11g) topic for additional information. _On the computer where_ Auditor _Server_ _is installed:_ - [Microsoft Visual C++ 2010 Redistributable Package](https://www.microsoft.com/en-us/download/details.aspx?id=14632)—can be installed automatically during the monitoring plan creation. - Oracle Data Provider for .NET and Oracle Instant Client Netwrix recommends the following setup steps: 1. Download the [64-bit Oracle Data Access Components 12c Release 4 (12.1.0.2.4) for Windows x64 (ODAC121024_x64.zip)](http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html) package. 2. Run the setup and select the Data Provider for .NET checkbox. Oracle Instant Client will be installed, too. 3. On the ODP.NET (Oracle Data Provider) step make sure the Configure ODP.NET and/or Oracle Providers for ASP.Net at machine-wide level checkbox is selected . | +| - Oracle Database | Oracle Database 12c and above: _On the computer where_ Auditor _Server_ _is installed:_ - Oracle Instant Client. 
- Download the appropriate package from Oracle website: [Instant Client Packages](https://www.oracle.com/database/technologies/instant-client.html). Netwrix recommends installing the latest available version (Netwrix Auditor is compatible with version 12 and above). - Install, following the instructions, for example,[ Instant Client Installation for Microsoft Windows 64-bit](https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html#instant-client-installation-for-microsoft-windows-64-bit). Check your Visual Studio Redistributable version. Applicable packages for each Oracle Database version with downloading links are listed in the installation instructions: [Instant Client Installation for Microsoft Windows 64-bit](https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html#instant-client-installation-for-microsoft-windows-64-bit). Oracle Database 11g: Auditor provides limited support of Oracle Database 11g. See the [Considerations for Oracle Database 11g](/docs/auditor/10.7/auditor/configuration/oracle/overview.md#considerations-for-oracle-database-11g) topic for additional information. _On the computer where_ Auditor _Server_ _is installed:_ - [Microsoft Visual C++ 2010 Redistributable Package](https://www.microsoft.com/en-us/download/details.aspx?id=14632)—can be installed automatically during the monitoring plan creation. - Oracle Data Provider for .NET and Oracle Instant Client Netwrix recommends the following setup steps: 1. Download the [64-bit Oracle Data Access Components 12c Release 4 (12.1.0.2.4) for Windows x64 (ODAC121024_x64.zip)](http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html) package. 2. Run the setup and select the Data Provider for .NET checkbox. Oracle Instant Client will be installed, too. 3. On the ODP.NET (Oracle Data Provider) step make sure the Configure ODP.NET and/or Oracle Providers for ASP.Net at machine-wide level checkbox is selected . 
| | - Group Policy | _On the computer where_ Auditor _Server_ _is installed:_ - Group Policy Management Console. Download Remote Server Administration Tools that include GPMC for: - [Windows 8.1](http://www.microsoft.com/en-us/download/details.aspx?id=39296) - [Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=45520) - For Windows Server 2012 R2/2016, Group Policy Management is turned on as a Windows feature. | ## Using SSRS-based Reports SQL Server Reporting Services are needed for this kind of reports. See the -[Requirements for SQL Server to Store Audit Data](sqlserver.md) topic for additional information. If +[Requirements for SQL Server to Store Audit Data](/docs/auditor/10.7/auditor/requirements/sqlserver.md) topic for additional information. If you plan to export or print such reports, check the requirements below. **NOTE:** Please note that if you are going to use SQL Express plan, do not install SSRS and Auditor @@ -76,7 +76,7 @@ You can deploy Netwrix Auditor on the VM running on any of the following hypervi - Microsoft Hyper-V - Nutanix AHV (Acropolis Hypervisor Virtualization) 20180425.199 -See the [Virtual Deployment Overview](../install/virtualappliance/overview.md) topic for additional +See the [Virtual Deployment Overview](/docs/auditor/10.7/auditor/install/virtualappliance/overview.md) topic for additional information. ### Domains and Trusts 
@@ -111,7 +111,7 @@ small infrastructures, producing only several thousands of activity records per scenario, you only deploy Auditor Server and default client, selecting Full installation option during the product setup. -![na_setup_select_type_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/requirements/na_setup_select_type_thumb_0_0.webp) +![na_setup_select_type_thumb_0_0](/img/product_docs/auditor/auditor/requirements/na_setup_select_type_thumb_0_0.webp) If you plan to implement this scenario in bigger environments, consider hardware requirements listed in the Auditor documentation. @@ -127,7 +127,7 @@ product setup. **Step 2 –** Then install as many clients as you need, running the setup on the remote machines and selecting Client installation during the setup. Alternatively, you can install Auditor client using -Group Policy. See the [Install Client via Group Policy](../install/viagrouppolicy.md) topic for +Group Policy. See the [Install Client via Group Policy](/docs/auditor/10.7/auditor/install/viagrouppolicy.md) topic for additional information. Default local client will be always installed together with the Auditor in all scenarios. diff --git a/docs/auditor/10.7/auditor/requirements/sqlserver.md b/docs/auditor/10.7/auditor/requirements/sqlserver.md index 8eee32d795..52257a3cc2 100644 --- a/docs/auditor/10.7/auditor/requirements/sqlserver.md +++ b/docs/auditor/10.7/auditor/requirements/sqlserver.md 
@@ -50,7 +50,7 @@ versions should be 2012 R2 or later). - You will be prompted to configure the default SQL Server instance when you create the first monitoring plan; also, you can specify it Netwrix Auditor settings. - You can configure Netwrix Auditor to use an existing instance of SQL Server, or deploy a new - instance, as described in the [Create a New Monitoring Plan](../admin/monitoringplans/create.md) + instance, as described in the [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) topic. For evaluation and PoC projects you can deploy Microsoft SQL Server 2016 SP2 Express Edition with @@ -67,7 +67,7 @@ produced, so plan for SQL Server Standard or Enterprise edition (Express edition Netwrix Auditor supports automated size calculation for all its databases in total, displaying the result, in particular, in the -[Database Statistics](../admin/healthstatus/dashboard/databasestatistics.md) of the Health Status +[Database Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md) of the Health Status dashboard. This feature, however, is supported only for SQL Server 2012 SP3 and later. ### Databases @@ -117,7 +117,7 @@ Consider the following: By the way of example, this section provides instructions on how to: -- [SQL Server Reporting Services](sqlserverreportingservice.md) +- [SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) For detailed information on installing other versions/editions, refer to Microsoft website. 
@@ -148,7 +148,7 @@ When planning for SQL Server that will host Auditor databases, consider the foll instance. Such instances may have a lot of maintenance plans or scripts running that may affect data uploaded by the product. The product databases are designed for reporting and searching and do not require maintenance or backup. For the long-term data storage, Netwrix Auditor uses Long-Term -Archive. See [File-Based Repository for Long-Term Archive](longtermarchive.md) for additional +Archive. See [File-Based Repository for Long-Term Archive](/docs/auditor/10.7/auditor/requirements/longtermarchive.md) for additional information. If you select to set up a new SQL Server instance, the current user account (this should be a member @@ -168,7 +168,7 @@ specify the data drive for that purpose (by default, system drive is used). 2. dbcreator server-level role This account can be specified when you configure the - [Audit Database](../admin/settings/auditdatabase.md) settings. + [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) settings. ## Database Sizing 
@@ -182,13 +182,13 @@ For database sizing, it is recommended to estimate: To estimate the number of the activity records produced by your data sources, collected and saved by Auditor during the week, you can use the Activity records by date widget of the Health Status dashboard. See the -[Activity Records Statistics](../admin/healthstatus/dashboard/activityrecordstatistics.md) topic for +[Activity Records Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for additional information. Auditor supports automated size calculation for all its databases in total, displaying the result, in particular, in the Database Statistics widget of the Health Status dashboard. To estimate current capacity and daily growth for each database, you can click View details and examine information in -the table. See the [Database Statistics](../admin/healthstatus/dashboard/databasestatistics.md) +the table. See the [Database Statistics](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/databasestatistics.md) topic for additional information. This feature is supported only for SQL Server 2012 SP3 and later. @@ -240,7 +240,7 @@ Follow the steps to change database retention after the product deployment. **Step 1 –** In the Auditor main screen, select Settings > Audit Database. -![audit_db_settings](../../../../../static/img/product_docs/auditor/auditor/requirements/audit_db_settings.webp) +![audit_db_settings](/img/product_docs/auditor/auditor/requirements/audit_db_settings.webp) **Step 2 –** In the dialog displayed, make sure the Clear stale data when a database retention period is exceeded: is set to ON, then click Modify to specify the required retention period (in 
@@ -254,7 +254,7 @@ This is the account that Auditor uses to write the collected audit data to the a Starting with version 9.96, you can use Group Managed Service Account (gMSA) for that purpose. _Remember,_ gMSA cannot be used to access SSRS. Use a standard account for that. See the -[SQL Server Reporting Services](sqlserverreportingservice.md) topic for additional information. +[SQL Server Reporting Services](/docs/auditor/10.7/auditor/requirements/sqlserverreportingservice.md) topic for additional information. This account must be granted the **Database owner (`db_owner`)** role and the **dbcreator** server role on the SQL Server instance hosting your audit databases. @@ -269,7 +269,7 @@ Follow the steps to assign the **dbcreator** and **`db_owner`** roles. **Step 5 –** In the left pane, expand the **Security** node. Right-click the **Logins** node and select **New Login** from the pop-up menu. -![manualconfig_ssms_newlogin2016](../../../../../static/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) +![manualconfig_ssms_newlogin2016](/img/product_docs/1secure/configuration/sqlserver/manualconfig_ssms_newlogin2016.webp) **Step 6 –** Click **Search** next to **Login Name** and specify the user that you want to assign the **`db_owner`** role to. diff --git a/docs/auditor/10.7/auditor/requirements/supporteddatasources.md b/docs/auditor/10.7/auditor/requirements/supporteddatasources.md index b00066ae86..26bcf9be39 100644 --- a/docs/auditor/10.7/auditor/requirements/supporteddatasources.md +++ b/docs/auditor/10.7/auditor/requirements/supporteddatasources.md 
@@ -13,7 +13,7 @@ Auditor supports monitoring the following domain controller operating system ver - Windows Server 2012 R2 - Windows Server 2012 -See the [Active Directory](../configuration/activedirectory/overview.md) topic for additional +See the [Active Directory](/docs/auditor/10.7/auditor/configuration/activedirectory/overview.md) topic for additional information. ## Active Directory Federation Services (AD FS) @@ -24,7 +24,7 @@ Auditor supports monitoring the following AD FS operating system versions: - AD FS 4.0 – Windows Server 2016 - AD FS 3.0 – Windows Server 2012 R2 -See the [AD FS](../configuration/activedirectoryfederatedservices/overview.md) topic for additional +See the [AD FS](/docs/auditor/10.7/auditor/configuration/activedirectoryfederatedservices/overview.md) topic for additional information. ## Exchange @@ -35,7 +35,7 @@ Auditor supports monitoring the following Exchange Server versions: - Microsoft Exchange Server 2016 - Microsoft Exchange Server 2013 -See the [Exchange](../configuration/exchange/overview.md) topic for additional information. +See the [Exchange](/docs/auditor/10.7/auditor/configuration/exchange/overview.md) topic for additional information. ## File Servers @@ -57,7 +57,7 @@ Auditor supports monitoring the following device versions: **NOTE:** Only CIFS configuration is supported. -See the [Dell Data Storage](../configuration/fileservers/delldatastorage/overview.md) topic for +See the [Dell Data Storage](/docs/auditor/10.7/auditor/configuration/fileservers/delldatastorage/overview.md) topic for additional information. Dell Isilon/PowerScale 
@@ -73,7 +73,7 @@ configuration access only. Current data should be stored in other access zones. [Isilon OneFS 8.2.1 CLI Administration Guide](https://www.dellemc.com/en-us/collaterals/unauth/technical-guides-support-information/2019/09/docu95372.pdf) for additional information. -See the [Dell Isilon/PowerScale](../configuration/fileservers/dellisilon/overview.md) topic for +See the [Dell Isilon/PowerScale](/docs/auditor/10.7/auditor/configuration/fileservers/dellisilon/overview.md) topic for additional information. NetApp Data ONTAP @@ -87,7 +87,7 @@ Auditor supports monitoring the following device versions: **NOTE:** Only CIFS configuration is supported. -See the [NetApp Data ONTAP](../configuration/fileservers/netappcmode/overview.md) topic for +See the [NetApp Data ONTAP](/docs/auditor/10.7/auditor/configuration/fileservers/netappcmode/overview.md) topic for additional information. Nutanix @@ -96,7 +96,7 @@ Auditor supports monitoring the following device versions: - Files 3.6 - 4.3.0 -See the [Nutanix](../configuration/fileservers/nutanix/overview.md) topic for additional +See the [Nutanix](/docs/auditor/10.7/auditor/configuration/fileservers/nutanix/overview.md) topic for additional information. Qumulo @@ -105,7 +105,7 @@ Auditor supports monitoring the following device versions: - Core 3.3.5 - 6.x.x -See the [Qumulo](../configuration/fileservers/qumulo/overview.md) topic for additional information. +See the [Qumulo](/docs/auditor/10.7/auditor/configuration/fileservers/qumulo/overview.md) topic for additional information. Synology @@ -116,7 +116,7 @@ Auditor supports monitoring the following device versions: - DSM 7.0 - DSM 6.2.3 -See the [Synology](../configuration/fileservers/synology/overview.md) topic for additional +See the [Synology](/docs/auditor/10.7/auditor/configuration/fileservers/synology/overview.md) topic for additional information. Windows File Servers 
@@ -135,7 +135,7 @@ Auditor supports monitoring the following operating system versions: - Windows 8.1 (32 and 64-bit) - Windows 7 (32 and 64-bit) -See the [Windows File Servers](../configuration/fileservers/windows/overview.md) topic for +See the [Windows File Servers](/docs/auditor/10.7/auditor/configuration/fileservers/windows/overview.md) topic for additional information. ## Group Policy @@ -149,7 +149,7 @@ Auditor supports monitoring the following domain controller operating system ver - Windows Server 2012 R2 - Windows Server 2012 -See the [Group Policy](../configuration/grouppolicy/overview.md) topic for additional information. +See the [Group Policy](/docs/auditor/10.7/auditor/configuration/grouppolicy/overview.md) topic for additional information. ## Logon Activity @@ -162,7 +162,7 @@ Auditor supports monitoring the following domain controller operating system ver - Windows Server 2012 R2 - Windows Server 2012 -See the [Logon Activity](../configuration/logonactivity/overview.md) topic for additional +See the [Logon Activity](/docs/auditor/10.7/auditor/configuration/logonactivity/overview.md) topic for additional information. ## Microsoft 365 @@ -176,7 +176,7 @@ Auditor supports monitoring the following versions: **NOTE:** DoD tenant types are not supported. -See the [Exchange Online](../configuration/microsoft365/exchangeonline/overview.md) topic for +See the [Exchange Online](/docs/auditor/10.7/auditor/configuration/microsoft365/exchangeonline/overview.md) topic for additional information. Microsoft Entra ID (formerly Azure AD) @@ -189,7 +189,7 @@ Auditor supports monitoring the following versions: **NOTE:** DoD tenant types are not supported. See the -[Microsoft Entra ID (formerly Azure AD)](../configuration/microsoft365/microsoftentraid/overview.md) +[Microsoft Entra ID (formerly Azure AD)](/docs/auditor/10.7/auditor/configuration/microsoft365/microsoftentraid/overview.md) topic for additional information. Microsoft Teams (MS Teams) 
@@ -201,7 +201,7 @@ Auditor supports monitoring the following versions: **NOTE:** DoD tenant types are not supported. -See the [MS Teams](../configuration/microsoft365/teams/overview.md) topic for additional +See the [MS Teams](/docs/auditor/10.7/auditor/configuration/microsoft365/teams/overview.md) topic for additional information. SharePoint Online @@ -213,7 +213,7 @@ Auditor supports monitoring the following versions: **NOTE:** DoD tenant types are not supported. -See the [SharePoint Online](../configuration/microsoft365/sharepointonline/overview.md) topic for +See the [SharePoint Online](/docs/auditor/10.7/auditor/configuration/microsoft365/sharepointonline/overview.md) topic for additional information. ## Network Devices @@ -224,7 +224,7 @@ Auditor supports monitoring the following device versions: - ASA (Adaptive Security Appliance) 8 and above -See the [Configure Cisco ASA Devices](../configuration/networkdevices/ciscoasa.md) topic for +See the [Configure Cisco ASA Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscoasa.md) topic for additional information. Cisco IOS Devices @@ -233,7 +233,7 @@ Auditor supports monitoring the following device versions: - IOS (Internetwork Operating System) 12, 15, 16, and 17 -See the [Configure Cisco IOS Devices](../configuration/networkdevices/ciscoios.md) topic for +See the [Configure Cisco IOS Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscoios.md) topic for additional information. Cisco Meraki Dashboard @@ -242,7 +242,7 @@ Auditor supports monitoring the following device versions: - Netwrix recommends the latest version of the Meraki Dashboard -See the [Cisco Meraki Dashboard ](../configuration/networkdevices/ciscomerakidashboard.md) topic for +See the [Cisco Meraki Dashboard ](/docs/auditor/10.7/auditor/configuration/networkdevices/ciscomerakidashboard.md) topic for additional information. Cisco FTD 
@@ -257,7 +257,7 @@ Auditor supports monitoring the following device versions: - FortiOS 5.6 and above -See the [Configure Fortinet FortiGate Devices](../configuration/networkdevices/fortinetfortigate.md) +See the [Configure Fortinet FortiGate Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/fortinetfortigate.md) topic for additional information. HPE Aruba Devices @@ -266,7 +266,7 @@ Auditor supports monitoring the following device versions: - Aruba OS 6.46.4.x – 8.6.0.x (Mobility Master, Mobility Controller) -See the [Configure Pulse Secure Devices](../configuration/networkdevices/pulsesecure.md) topic for +See the [Configure Pulse Secure Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md) topic for additional information. Juniper Devices @@ -276,7 +276,7 @@ Auditor supports monitoring the following device versions: - vSRX with Junos OS 12.1, Junos OS 18.1, Junos OS 20.4R2 - vMX with Junos OS 17.1 -See the [Configure Juniper Devices](../configuration/networkdevices/juniper.md) topic for additional +See the [Configure Juniper Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/juniper.md) topic for additional information. PaloAlto Devices @@ -285,7 +285,7 @@ Auditor supports monitoring the following device versions: - PAN-OS 7.0, 8.0, 9.0, 10.0 -See the [Configure PaloAlto Devices](../configuration/networkdevices/paloalto.md) topic for +See the [Configure PaloAlto Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/paloalto.md) topic for additional information. Pulse Secure Devices @@ -294,7 +294,7 @@ Auditor supports monitoring the following device versions: - 9.1R3 and above -See the [Configure Pulse Secure Devices](../configuration/networkdevices/pulsesecure.md) topic for +See the [Configure Pulse Secure Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/pulsesecure.md) topic for additional information. SonicWall Devices 
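Review bot: the `@@ -266,7 +266,7 @@` hunk, under "HPE Aruba Devices", still sends readers to `[Configure Pulse Secure Devices](.../networkdevices/pulsesecure.md)`, the same target the Pulse Secure hunk at `@@ -294,7 +294,7 @@` uses. The path rewrite has carried over what looks like a copy-paste link from before this change. Point the Aruba section at its own configuration topic, or confirm that the Pulse Secure page is really the intended destination.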
@@ -305,7 +305,7 @@ Auditor supports monitoring the following device versions: - NS 6.5.х.х with SonicOS 6.5.х and 7.0.x - SMA 12.2 -See the [Configure SonicWall Devices](../configuration/networkdevices/sonicwall.md) topic for +See the [Configure SonicWall Devices](/docs/auditor/10.7/auditor/configuration/networkdevices/sonicwall.md) topic for additional information. ## Oracle @@ -320,12 +320,12 @@ Auditor supports monitoring the following versions: - Database 11g, limited support **NOTE:** See the - [Considerations for Oracle Database 11g](../configuration/oracle/overview.md#considerations-for-oracle-database-11g) + [Considerations for Oracle Database 11g](/docs/auditor/10.7/auditor/configuration/oracle/overview.md#considerations-for-oracle-database-11g) topic for additional information. - Oracle Database Cloud Service (Enterprise Edition) -See the [Oracle Database](../configuration/oracle/overview.md) topic for additional information. +See the [Oracle Database](/docs/auditor/10.7/auditor/configuration/oracle/overview.md) topic for additional information. ## SharePoint @@ -337,7 +337,7 @@ Auditor supports monitoring the following versions: - Microsoft SharePoint Foundation 2013 and SharePoint Server 2013 - Microsoft SharePoint Foundation 2010 and SharePoint Server 2010 -See the [SharePoint](../configuration/sharepoint/overview.md) topic for additional information. +See the [SharePoint](/docs/auditor/10.7/auditor/configuration/sharepoint/overview.md) topic for additional information. ## SQL Server @@ -352,7 +352,7 @@ Auditor supports monitoring the following versions: **NOTE:** Linux-based versions are not supported. -See the [SQL Server](../configuration/sqlserver/overview.md) topic for additional information. +See the [SQL Server](/docs/auditor/10.7/auditor/configuration/sqlserver/overview.md) topic for additional information. ## User Activity 
@@ -386,7 +386,7 @@ example: - Servers with sensitive information - Sessions with elevated privileges -See the [User Activity](../configuration/useractivity/overview.md) topic for additional information. +See the [User Activity](/docs/auditor/10.7/auditor/configuration/useractivity/overview.md) topic for additional information. ## VMware Servers @@ -395,7 +395,7 @@ Auditor supports monitoring the following versions: - VMware ESX/ESXi: 6.0 – 6.7, 7.0, 8.0 - VMware vCenter Server: 6.0 – 6.7, 7.0, 8.0 -See the [VMware](../configuration/vmware/overview.md) topic for additional information. +See the [VMware](/docs/auditor/10.7/auditor/configuration/vmware/overview.md) topic for additional information. ## Windows Servers @@ -435,7 +435,7 @@ Auditor supports monitoring the following operating system versions: - IIS 7.0 and above. -See the [Windows Server](../configuration/windowsserver/overview.md) topic for additional +See the [Windows Server](/docs/auditor/10.7/auditor/configuration/windowsserver/overview.md) topic for additional information. ## Netwrix Integration API @@ -448,4 +448,4 @@ trails with activity from the following systems and applications. Also, there are even add-ons that can export data collected by Auditor to other systems (e.g., ArcSight and ServiceNow). -See the [Integration API](../api/overview.md) topic for additional information. +See the [Integration API](/docs/auditor/10.7/auditor/api/overview.md) topic for additional information. diff --git a/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md b/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md index 226c1e8a64..74d5c68ed0 100644 --- a/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md +++ b/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md 
@@ -70,10 +70,10 @@ will be taken to the **Welcome** step. Alternatively, you can launch this utility by clicking the corresponding link: -- From [Create a New Monitoring Plan](../admin/monitoringplans/create.md) for Active Directory data +- From [Create a New Monitoring Plan](/docs/auditor/10.7/auditor/admin/monitoringplans/create.md) for Active Directory data source. -- From the [Active Directory](../admin/monitoringplans/activedirectory/overview.md) within the plan. -- From the [Logon Activity](../admin/monitoringplans/logonactivity/overview.md) source properties. +- From the [Active Directory](/docs/auditor/10.7/auditor/admin/monitoringplans/activedirectory/overview.md) within the plan. +- From the [Logon Activity](/docs/auditor/10.7/auditor/admin/monitoringplans/logonactivity/overview.md) source properties. ## Start Assessment @@ -82,7 +82,7 @@ Follow the steps to start assessment. **Step 1 –** Specify the monitoring scope —select what you plan to monitor with Netwrix Auditor. You can select both **Active Directory** and **Logon Activity**, or any of them. -![audit_cfg_assist_creds](../../../../../static/img/product_docs/auditor/auditor/tools/audit_cfg_assist_creds.webp) +![audit_cfg_assist_creds](/img/product_docs/auditor/auditor/tools/audit_cfg_assist_creds.webp) **Step 2 –** If you launched **Audit Configuration Assistant** from the **Start** menu (not from the monitoring plan settings), enter the name of Active Directory domain you want to assess. @@ -104,7 +104,7 @@ At this step, you will be presented the results of the environment readiness ass - the list of current and required settings for each entity - the list of issues (if any) that occurred during the assessment -![assessment_results_thumb_0_0](../../../../../static/img/product_docs/auditor/auditor/tools/assessment_results_thumb_0_0.webp) +![assessment_results_thumb_0_0](/img/product_docs/auditor/auditor/tools/assessment_results_thumb_0_0.webp) Follow the steps to view results. 
diff --git a/docs/auditor/10.7/auditor/tools/eventlogmanager.md b/docs/auditor/10.7/auditor/tools/eventlogmanager.md index 1882b474e4..c7c2913bd2 100644 --- a/docs/auditor/10.7/auditor/tools/eventlogmanager.md +++ b/docs/auditor/10.7/auditor/tools/eventlogmanager.md @@ -35,8 +35,8 @@ Review the following for additional information: - Create Monitoring Plan for System Health Log - Review Past Event Log Entries - Import Audit Data with the Database Importer -- [Create Alerts for Event Log](../admin/alertsettings/createeventlog.md) -- [Create Alerts for Non-Owner Mailbox Access Events](../admin/alertsettings/createmailboxaccess.md) +- [Create Alerts for Event Log](/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md) +- [Create Alerts for Non-Owner Mailbox Access Events](/docs/auditor/10.7/auditor/admin/alertsettings/createmailboxaccess.md) ## Create Monitoring Plans for Event Logs 
@@ -73,7 +73,7 @@ whether to import the list once, or to update it on every data collection. | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | User name Password | Enter the account that will be used by Netwrix Auditor Event Log Manager for data collection. For a full list of the rights and permissions required for the account, and instructions on how to configure them, refer to the Permissions for Event Log Auditing section. | | Audit archiving filters | Define what events will be saved to the Long-Term Archive or the Audit Database. Refer to for detailed instructions on how to configure audit archiving filters. | -| Alerts | Configure alerts that will be triggered by specific events. Refer to [Create Alerts for Event Log](../admin/alertsettings/createeventlog.md) for detailed instructions on how to configure Netwrix Auditor Event Log Manager alerts. | +| Alerts | Configure alerts that will be triggered by specific events. Refer to [Create Alerts for Event Log](/docs/auditor/10.7/auditor/admin/alertsettings/createeventlog.md) for detailed instructions on how to configure Netwrix Auditor Event Log Manager alerts. | **Step 6 –** Navigate to the Notifications tab and complete the following fields: 
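Review bot: the unchanged "Audit archiving filters" row directly above the edited "Alerts" row reads "Refer to for detailed instructions", so its link target is missing. A link-rewrite pass is the natural place to restore it. The same page has a "Configure Audit Archiving Filters for Event Log" section that the row appears to be describing.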
@@ -93,7 +93,7 @@ whether to import the list once, or to update it on every data collection. settings. Netwrix Auditor Event Log Manager synchronizes Audit Database and reports settings with the default Audit Database configuration from Netwrix Auditor Server. If this option is disabled, contact your Netwrix Auditor Global administrator and make sure that these settings are properly -configured in Netwrix Auditor Server. Refer to [Audit Database](../admin/settings/auditdatabase.md) +configured in Netwrix Auditor Server. Refer to [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) for detailed instructions on how to configure the Audit Database settings. **Step 8 –** Complete the following fields: @@ -117,7 +117,7 @@ If you want to review the Event Log Collection Status email, the Event Log Colle shows whether data collection for your monitoring plan completed successfully or with warnings and errors. -![changesummary_eventlog](../../../../../static/img/product_docs/auditor/auditor/tools/changesummary_eventlog.webp) +![changesummary_eventlog](/img/product_docs/auditor/auditor/tools/changesummary_eventlog.webp) ## Configure Audit Archiving Filters for Event Log @@ -169,7 +169,7 @@ health events, you need to create a dedicated monitoring plan for this log with Event Log Manager standalone tool. You can also review and filter Netwrix Auditor health events right in the product. See -[Netwrix Auditor Health Log](../admin/healthstatus/dashboard/healthlog.md) for addditional +[Netwrix Auditor Health Log](/docs/auditor/10.7/auditor/admin/healthstatus/dashboard/healthlog.md) for addditional information Follow the steps to configure the Netwrix Auditor System Health log monitoring. 
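Review bot: the rewritten `+` line in the `@@ -169,7 +169,7 @@` hunk keeps the typo "addditional", and the context line after it ends with "information" and no period. Since the line is being touched anyway, correct it to "for additional information." in the same change.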
@@ -184,7 +184,7 @@ Server resides. **Step 4 –** Navigate to the Audit Database tab and select Write event descriptions to Audit Database if you want to see the exact error or warning text. Make sure that Audit Database settings -are configured properly, follow the [Audit Database](../admin/settings/auditdatabase.md) +are configured properly, follow the [Audit Database](/docs/auditor/10.7/auditor/admin/settings/auditdatabase.md) **Step 5 –** Click Configure next to Audit archiving filters and select the Netwrix Auditor System Health Log filter in the Inclusive Filters list. diff --git a/docs/auditor/10.7/auditor/tools/inactiveusertracker.md b/docs/auditor/10.7/auditor/tools/inactiveusertracker.md index aa6def24be..87e19c7046 100644 --- a/docs/auditor/10.7/auditor/tools/inactiveusertracker.md +++ b/docs/auditor/10.7/auditor/tools/inactiveusertracker.md 
@@ -42,7 +42,7 @@ new monitoring plan. | Option | Description | | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Specify account which will be used to collect data: - User name - Password | Enter the account which will be used for data collection. See the[Data Collecting Account](../admin/monitoringplans/dataaccounts.md) topic for additional information about the full list of the rights and permissions for the account. | +| Specify account which will be used to collect data: - User name - Password | Enter the account which will be used for data collection. See the[Data Collecting Account](/docs/auditor/10.7/auditor/admin/monitoringplans/dataaccounts.md) topic for additional information about the full list of the rights and permissions for the account. | | Consider user inactive after | Specify account inactivity period, after which a user is considered to be inactive. | | Customize the report template | Click Edit to edit the notification template, for example, modify the text of the message. You can use HTML tags when editing a template. | | Attach report as a CSV files | Select this option to receive reports attached to emails as CSV files. | 
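Review bot: in the first table row the `+` line still reads `See the[Data Collecting Account](...)` with no space before the link, so the words run together when rendered. Add the space while the row is being rewritten: `See the [Data Collecting Account](...)`.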
@@ -66,7 +66,7 @@ The following variables can be used in the Inactive User Tracker message templat | Notify manager after | Specify account inactivity period, after which the account owner's manager must be notified. | | Set random password after | Specify account inactivity period, after which a random password will be set for this account. | | Disable accounts after | Specify account inactivity period, after which the account will be disabled. | -| Move to a specific OU after | - Specify account inactivity period, after which the account will be moved to a specified organizational unit. - OU name—Specify OU name or select an AD container using ![select_button](../../../../../static/img/product_docs/auditor/auditor/tools/select_button.webp) button. | +| Move to a specific OU after | - Specify account inactivity period, after which the account will be moved to a specified organizational unit. - OU name—Specify OU name or select an AD container using ![select_button](/img/product_docs/auditor/auditor/tools/select_button.webp) button. | | Delete accounts after | Specify account inactivity period, after which the account will be removed. | | Delete account with all its subnodes | Select this checkbox to delete an account that is a container for objects. | | Notify managers only once | If this checkbox is selected, managers receive one notification on account inactivity and one on every action on accounts. Managers will receive a notification in the day when the account inactivity time will be the same as specified in the inactivity period settings. By default, managers receive notifications every day after the time interval of inactivity specified in the Notify managers after entry field. | 
@@ -104,7 +104,7 @@ Follow the steps to review report on inactive users. **Step 1 –** Click Generate next to Generate report on inactive users to view report immediately. -![inactiveusersactivedirectory](../../../../../static/img/product_docs/auditor/auditor/tools/inactiveusersactivedirectory.webp) +![inactiveusersactivedirectory](/img/product_docs/auditor/auditor/tools/inactiveusersactivedirectory.webp) ## Registry Keys diff --git a/docs/auditor/10.7/auditor/tools/objectrestoread.md b/docs/auditor/10.7/auditor/tools/objectrestoread.md index a093ed9d99..a25678959f 100644 --- a/docs/auditor/10.7/auditor/tools/objectrestoread.md +++ b/docs/auditor/10.7/auditor/tools/objectrestoread.md @@ -29,7 +29,7 @@ their passwords preserved, you must modify the Schema container settings so that are retained when accounts are being deleted. To perform this procedure, you will need the -[ADSI Edit]() utility.utility. +[ADSI Edit](http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx) utility.utility. Follow the steps to modify schema container settings. @@ -42,11 +42,11 @@ drop-down list. **Step 3 –** Expand the Schema your_Root_Domain_name node. Right-click the CN=Unicode-Pwd attribute and select Properties. -![ad_object_restore_1](../../../../../static/img/product_docs/auditor/auditor/tools/ad_object_restore_1.webp) +![ad_object_restore_1](/img/product_docs/auditor/auditor/tools/ad_object_restore_1.webp) **Step 4 –** Double-click the searchFlags attribute and set its value to _"8"_. -![ad_object_restore_2](../../../../../static/img/product_docs/auditor/auditor/tools/ad_object_restore_2.webp) +![ad_object_restore_2](/img/product_docs/auditor/auditor/tools/ad_object_restore_2.webp) Now you will be able to restore deleted accounts with their passwords preserved. diff --git a/docs/auditor/10.7/auditor/tools/overview.md b/docs/auditor/10.7/auditor/tools/overview.md index 65e8880b76..f258db3d2d 100644 --- a/docs/auditor/10.7/auditor/tools/overview.md 
+++ b/docs/auditor/10.7/auditor/tools/overview.md @@ -2,8 +2,8 @@ There are several tools available with Netwrix Auditor: -- [Audit Configuration Assistant](auditconfigurationassistant.md) -- [Event Log Manager](eventlogmanager.md) -- [Inactive User Tracker](inactiveusertracker.md) -- [Object Restore for Active Directory](objectrestoread.md) -- [Password Expiration Notifier ](passwordexpirationnotifier/overview.md) +- [Audit Configuration Assistant](/docs/auditor/10.7/auditor/tools/auditconfigurationassistant.md) +- [Event Log Manager](/docs/auditor/10.7/auditor/tools/eventlogmanager.md) +- [Inactive User Tracker](/docs/auditor/10.7/auditor/tools/inactiveusertracker.md) +- [Object Restore for Active Directory](/docs/auditor/10.7/auditor/tools/objectrestoread.md) +- [Password Expiration Notifier ](/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/overview.md) diff --git a/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/overview.md b/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/overview.md index ffe00ba5be..0ebebf067c 100644 --- a/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/overview.md +++ b/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/overview.md @@ -17,8 +17,8 @@ Review the following for additional information: - Configure Password Expiration Alerting - Registry Key Configuration -- [Password Expiration Notifier Ports](ports.md) -- [Password Expiration Monitoring Scope](monitoringscope.md) +- [Password Expiration Notifier Ports](/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/ports.md) +- [Password Expiration Monitoring Scope](/docs/auditor/10.7/auditor/tools/passwordexpirationnotifier/monitoringscope.md) ## Configure Password Expiration Alerting 
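Review bot: in `docs/auditor/10.7/auditor/tools/objectrestoread.md` (hunk `@@ -29,7 +29,7 @@`), the previously empty `[ADSI Edit]()` link is filled with a plain `http://` TechNet URL, and the line keeps the duplicated "utility.utility." text. This is the one content change in an otherwise mechanical path rewrite, so it deserves its own check. Verify the URL still resolves, use the `https://` form, and drop the repeated word.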
@@ -41,7 +41,7 @@ new monitoring plan. | Option | Description | | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Specify account which will be used to collect data: - User name - Password | Enter the account which will be used for data collection. For a full list of the rights and permissions of this account, and instructions on how to configure them, refer to [Monitoring Plans](../../admin/monitoringplans/overview.md). | +| Specify account which will be used to collect data: - User name - Password | Enter the account which will be used for data collection. For a full list of the rights and permissions of this account, and instructions on how to configure them, refer to [Monitoring Plans](/docs/auditor/10.7/auditor/admin/monitoringplans/overview.md). | | Filter users by organizational unit | To audit users for expiring accounts/passwords that belong to certain organizational units within your Active Directory domain, select this option and click Select OUs. In the dialog that opens, specify the OUs that you want to audit. Only users belonging to these OUs will be notified and included in the administrators and managers reports. | | Filter users by group | To audit users for expiring accounts/passwords that belong to certain groups within your Active Directory domain, select this option and click Select Groups. In the dialog that opens, specify the groups that you want to audit. Only users belonging to these groups will be notified and included in the administrators and managers reports. | | Filter by account name | Specify one or several user account names (e.g., \*John\*). 
Use semicolon to separate several names. Only user accounts that contain selected name will be notified and included in the administrators and managers reports. | @@ -97,7 +97,7 @@ Click Generate next to Generate report on users with expired account or password users passwords immediately. In the Maximum Password Age Setting dialog that opens, select domain policy settings or specify the maximum password age in days. -![passwordexpiration](../../../../../../static/img/product_docs/auditor/auditor/tools/passwordexpirationnotifier/passwordexpiration.webp) +![passwordexpiration](/img/product_docs/auditor/auditor/tools/passwordexpirationnotifier/passwordexpiration.webp) ## Registry Key Configuration diff --git a/docs/auditor/10.7/auditor/tools/windowseventlogs.md b/docs/auditor/10.7/auditor/tools/windowseventlogs.md index 8b67674e32..9bb7fe02d1 100644 --- a/docs/auditor/10.7/auditor/tools/windowseventlogs.md +++ b/docs/auditor/10.7/auditor/tools/windowseventlogs.md @@ -6,7 +6,7 @@ Follow the steps to enable the Remote Registry service. **Step 1 –** Navigate to Start > Windows Administrative Tools > Services. -![Services Console](../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) +![Services Console](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry2016.webp) **Step 2 –** In the Services window, locate the Remote Registry service, right-click it and select **Properties**. 
@@ -14,7 +14,7 @@ Follow the steps to enable the Remote Registry service. **Step 3 –** In the Remote Registry Properties dialog box, make sure the Startup type parameter is set to _Automatic_ and click **Start**. -![Remote Registry Properties dialog box](../../../../../static/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) +![Remote Registry Properties dialog box](/img/product_docs/1secure/configuration/computer/manualconfig_genevents_remoteregistry_start2016.webp) **Step 4 –** In the Services window, ensure that the Remote Registry service has the _Running_ status on Windows Server 2012 and above. diff --git a/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md b/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md index 837d370759..946d9f7354 100644 --- a/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md +++ b/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md @@ -21,7 +21,7 @@ The resulting dialog facilitates the upload of the agent update files. ![agentupdateschedule](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/agentupdateschedule.webp) The deployment schedule for a new update can be controlled via the Agent Software Updates tab on a -per Device Groups basis – See the [Device Groups](devicegroups.md) topic for additional information. +per Device Groups basis – See the [Device Groups](/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md) topic for additional information. ![devices](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/devices.webp) diff --git a/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md b/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md index a7ac188661..b539766524 100644 --- a/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md +++ b/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md 
@@ -19,7 +19,7 @@ Click on a Device Group name to configure further attributes for the Group, such - Device Tracking Policy - Compliance Report(s) - Group Members, with the option to export a list of group Members -- Define the schedule for [Agent Updates](agentupdates.md) +- Define the schedule for [Agent Updates](/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md) ![page_guide_28](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/page_guide_28.webp) @@ -44,7 +44,7 @@ The key tags within the file are as follows: ![page_guide_29](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/page_guide_29.webp) \*The **Thumbprint** uniquely identifies the Web Server certificate, see the -[How to: Retrieve the Thumbprint of a Certificate]() +[How to: Retrieve the Thumbprint of a Certificate](https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx) Microsoft article for additional information. **NOTE:** Agent also supports additional nodes – **NamePrefix** and **NameSuffix**. diff --git a/docs/changetracker/8.0/changetracker/admin/settings/settingstab.md b/docs/changetracker/8.0/changetracker/admin/settings/settingstab.md index c0aef91703..d7b2a7676a 100644 --- a/docs/changetracker/8.0/changetracker/admin/settings/settingstab.md +++ b/docs/changetracker/8.0/changetracker/admin/settings/settingstab.md 
@@ -4,37 +4,37 @@ Configuration of all administrative and user settings is performed here. Select the left for specific settings – contact [Netwrix Support](https://www.netwrix.com/support.html) for additional information. -- [Agents and Devices](./agentsanddevices.md) – Edit Device attributes such as Group, Type and +- [Agents and Devices](/docs/changetracker/8.0/changetracker/admin/settings/agentsanddevices.md) – Edit Device attributes such as Group, Type and Credentials, or Delete Devices -- [Device Groups](./devicegroups.md) – Administer Device Group names. Click on a Device Group to +- [Device Groups](/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md) – Administer Device Group names. Click on a Device Group to edit the assigned Device Tracking template and Compliance Report, and to set the reporting schedule -- [Scheduling, Creating and Editing Intelligent Planned Change Rules](../tabs/plannedchangeadministration.md#scheduling-creating-and-editing-intelligent-planned-change-rules) +- [Scheduling, Creating and Editing Intelligent Planned Change Rules](/docs/changetracker/8.0/changetracker/admin/tabs/plannedchangeadministration.md#scheduling-creating-and-editing-intelligent-planned-change-rules) – Edit the Schedule, Device Group assignment and Rules for Planned Changes -- [Policy Templates](./policytemplates/overview.md) – Edit and upload/download configuration policy +- [Policy Templates](/docs/changetracker/8.0/changetracker/admin/settings/policytemplates/overview.md) – Edit and upload/download configuration policy templates -- [Template Management](../compliancereportstemplates.md) - Edit and upload/download compliance +- [Template Management](/docs/changetracker/8.0/changetracker/admin/compliancereportstemplates.md) - Edit and upload/download compliance report templates -- [Reports Layout Templates Administration](../compliancereportstemplates.md#reports-layout-templates-administration) +- [Reports Layout Templates 
Administration](/docs/changetracker/8.0/changetracker/admin/compliancereportstemplates.md#reports-layout-templates-administration) – Administration of report templates and versions - [Template Management](../compliancereportstemplates.md). -- [Credentials Administration](../credentials/overview.md) – Define User Credentials for Agentless + [Template Management](/docs/changetracker/8.0/changetracker/admin/compliancereportstemplates.md). +- [Credentials Administration](/docs/changetracker/8.0/changetracker/admin/credentials/overview.md) – Define User Credentials for Agentless monitoring and reporting including Database Systems. - Users: User Administration – Edit User attributes such as username, assigned system privileges, email address and to assign users to Notification Groups for Alerts and Scheduled Reports. -- [Notification Messages Explained](../credentials/notificationmessages.md) – Alert routing +- [Notification Messages Explained](/docs/changetracker/8.0/changetracker/admin/credentials/notificationmessages.md) – Alert routing settings. -- [Agent Updates](./agentupdates.md) – Upload new agent versions. -- [Agent Updates](./agentupdates.md) – Administer templates and rules for Agent registration and +- [Agent Updates](/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md) – Upload new agent versions. +- [Agent Updates](/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md) – Administer templates and rules for Agent registration and Group assignment. -- [Allowed Commands](./allowedcommands.md) – Administer list of commands used in trackers/reports. -- [System Settings](./systemsettings.md) – Edit settings such as SMTP details and to reset the UI to +- [Allowed Commands](/docs/changetracker/8.0/changetracker/admin/settings/allowedcommands.md) – Administer list of commands used in trackers/reports. 
+- [System Settings](/docs/changetracker/8.0/changetracker/admin/settings/systemsettings.md) – Edit settings such as SMTP details and to reset the UI to Default. -- [System Settings](./systemsettings.md) – Schedule system backups, and exports for Support and +- [System Settings](/docs/changetracker/8.0/changetracker/admin/settings/systemsettings.md) – Schedule system backups, and exports for Support and Planned Change archiving. -- [System Settings](./systemsettings.md) – Displays health of Netwrix Change Tracker system and +- [System Settings](/docs/changetracker/8.0/changetracker/admin/settings/systemsettings.md) – Displays health of Netwrix Change Tracker system and Event Queue performance. -- [System Settings](./systemsettings.md) – Upload new license key. +- [System Settings](/docs/changetracker/8.0/changetracker/admin/settings/systemsettings.md) – Upload new license key. ![Graphical user interface, website diff --git a/docs/changetracker/8.0/changetracker/admin/tabs/dashboardoverview.md b/docs/changetracker/8.0/changetracker/admin/tabs/dashboardoverview.md index 3b104ad1d3..7edc6fd4d2 100644 --- a/docs/changetracker/8.0/changetracker/admin/tabs/dashboardoverview.md +++ b/docs/changetracker/8.0/changetracker/admin/tabs/dashboardoverview.md 
@@ -29,10 +29,10 @@ The **Dashboard** shows recent System Events including: The local agent installed on the Netwrix Change Tracker host server will already be running and will have registered with the **Change Tracker Hub**. See the -[Netwrix Change Tracker v8.0 Documentation](../../overview.md) topic for additional information. +[Netwrix Change Tracker v8.0 Documentation](/docs/changetracker/8.0/changetracker/overview.md) topic for additional information. The auto-enrollment, or registration, process is described in more depth in the -[Agent Updates](../settings/agentupdates.md) topic. but depending on server speed the Local Agent +[Agent Updates](/docs/changetracker/8.0/changetracker/admin/settings/agentupdates.md) topic. but depending on server speed the Local Agent may be found in an ‘Awaiting Registration’ state or already registered in the system. If you do not see an Agent at all then please contact diff --git a/docs/changetracker/8.0/changetracker/admin/tabs/reportstab.md b/docs/changetracker/8.0/changetracker/admin/tabs/reportstab.md index e10a649833..a4d62e6708 100644 --- a/docs/changetracker/8.0/changetracker/admin/tabs/reportstab.md +++ b/docs/changetracker/8.0/changetracker/admin/tabs/reportstab.md 
@@ -25,13 +25,13 @@ Change** tabs. ![ReportsAndQuesriesTab](/img/versioned_docs/changetracker_8.0/changetracker/admin/tabs/reportsandquesriestab.webp) **NOTE:** Report formatting is controlled by the built-in Compliance reports templates. See the -[Template Management](../compliancereportstemplates.md) topic for additional information. You will +[Template Management](/docs/changetracker/8.0/changetracker/admin/compliancereportstemplates.md) topic for additional information. You will see that any report has a ‘Results available until xx yy zz – this retention period is in place to ensure that reports are not stored forever and using storage resource unnecessarily. Most reports will be emailed at the time of production and either consumed or stored externally, removing the need to store reports long term at the Change Tracker Hub. Don’t worry, the events are retained as long as needed, governed by the separate DaysToKeepEventsFor system setting. See the -[System Settings](../settings/systemsettings.md) topic for additional information. Reports can be +[System Settings](/docs/changetracker/8.0/changetracker/admin/settings/systemsettings.md) topic for additional information. Reports can be regenerated at any time if needed at a subsequent future date. ![ReportsReportViewerDialog](/img/versioned_docs/changetracker_8.0/changetracker/admin/tabs/reportsreportviewerdialog.webp) @@ -72,4 +72,4 @@ The **Report** view shows all rules and results. Report results can also export Excel, or CSV format. The **Template** selector alongside the **Export** button provides options for either summarized pass/fail format or full results details format. -See the [Overview Tab](complianceoverviewtab.md) topic for additional information. +See the [Overview Tab](/docs/changetracker/8.0/changetracker/admin/tabs/complianceoverviewtab.md) topic for additional information. 
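Review bot: the rewritten list in docs/changetracker/8.0/changetracker/admin/settings/settingstab.md (hunk @@ -4,37) keeps several entries that share one label and one target, so a reader cannot tell them apart: "[Agent Updates]" appears twice ("Upload new agent versions" and "Administer templates and rules for Agent registration and Group assignment"), and "[System Settings]" appears four times (SMTP details, backups and exports, system health, license key), all pointing at the same file with no section anchor. Since every one of these lines is being touched, give each entry its own label and, where the target page has a matching heading, a "#section" anchor. The stray "[Template Management](...)." line after the Reports Layout Templates entry also looks like a leftover and is worth checking.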
diff --git a/docs/changetracker/8.0/changetracker/baseline/managetab.md b/docs/changetracker/8.0/changetracker/baseline/managetab.md index fdea5880d2..93c9a55386 100644 --- a/docs/changetracker/8.0/changetracker/baseline/managetab.md +++ b/docs/changetracker/8.0/changetracker/baseline/managetab.md @@ -52,7 +52,7 @@ Baseline Exceptions Exceptions include any failures according the Baseline Policy used in the report, together with any new changes affecting the Baseline Policy referenced from the Source device (or if you have chosen to include changes from Member Devices too, these will also appear here – see the -[Baseline Policy Wizard](policywizard.md) regarding the Baseline Setup Wizard and the step where you +[Baseline Policy Wizard](/docs/changetracker/8.0/changetracker/baseline/policywizard.md) regarding the Baseline Setup Wizard and the step where you are asked to 'Specify Source'. In this example we are using the default operation of only including changes originating from the diff --git a/docs/changetracker/8.0/changetracker/install/agent/commandlinescript.md b/docs/changetracker/8.0/changetracker/install/agent/commandlinescript.md index 5fc35d7426..1e2a75d462 100644 --- a/docs/changetracker/8.0/changetracker/install/agent/commandlinescript.md +++ b/docs/changetracker/8.0/changetracker/install/agent/commandlinescript.md @@ -44,5 +44,5 @@ ProxyUser, ProxyPassword. **NOTE:** These parameters are not case sensitive. For more information on the **HubDetails.xml** nodes and settings see the -[First Run – HubDetails.xml File](../../admin/settings/devicegroups.md#first-run--hubdetailsxml-file) +[First Run – HubDetails.xml File](/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md#first-run--hubdetailsxml-file) topic for additional information. diff --git a/docs/changetracker/8.0/changetracker/install/agent/hubdetailsfile.md b/docs/changetracker/8.0/changetracker/install/agent/hubdetailsfile.md index 4a3753493d..98c9d1d4a1 100644 
--- a/docs/changetracker/8.0/changetracker/install/agent/hubdetailsfile.md +++ b/docs/changetracker/8.0/changetracker/install/agent/hubdetailsfile.md @@ -16,7 +16,7 @@ Linux/Solaris requires the latest NNT Mono runtime. Gen 7 Agent also supports ad NamePrefix, NameSuffix. \*The Thumbprint uniquely identifies the Web Server certificate, see the Microsoft -[How to: Retrieve the Thumbprint of a Certificate]() +[How to: Retrieve the Thumbprint of a Certificate](https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx) article for more information. **Step 1 –** Open **IIS**. diff --git a/docs/changetracker/8.0/changetracker/install/agent/windows.md b/docs/changetracker/8.0/changetracker/install/agent/windows.md index 18bc3c6435..00f5d2f5ec 100644 --- a/docs/changetracker/8.0/changetracker/install/agent/windows.md +++ b/docs/changetracker/8.0/changetracker/install/agent/windows.md @@ -9,7 +9,7 @@ the Users: User Administration topic for additional information. By default the Agent will register using the Name of the server but there is an opportunity to customize this during installation or post-installation via an edit of the Hub Details file. See the -[First Run – HubDetails.xml File](../../admin/settings/devicegroups.md#first-run--hubdetailsxml-file) +[First Run – HubDetails.xml File](/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md#first-run--hubdetailsxml-file) topic for additional information. **_RECOMMENDED:_** During installation, this can also be performed on the **Advanced Configuration** 
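Review bot: the link target added in docs/changetracker/8.0/changetracker/install/agent/hubdetailsfile.md (hunk @@ -16,7) contains literal parentheses, "ms734695(v=vs.110).aspx", inside a Markdown [text](url) link. Balanced parentheses are valid in CommonMark, but some renderers and link checkers end the destination at the first ")", so percent-encoding them as %28 and %29 or wrapping the destination in angle brackets removes the ambiguity. The target also uses the older msdn.microsoft.com host, while the time zone link added to syncserviceadmin.md in this same patch uses learn.microsoft.com; using one host for both would be more consistent. The same URL is added in admin/settings/devicegroups.md (hunk @@ -44,7), so both places need the same treatment.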
@@ -23,7 +23,7 @@ step of the installation, and there is also an option to test agent connectivity _%PROGRAMDATA%\NNT\gen7agent.service_, similarly if you are ever required to provide the **rolling-log.txt** file to [Netwrix Support](https://www.netwrix.com/support.html) this is where it is located. See the -[First Run – HubDetails.xml File](../../admin/settings/devicegroups.md#first-run--hubdetailsxml-file) +[First Run – HubDetails.xml File](/docs/changetracker/8.0/changetracker/admin/settings/devicegroups.md#first-run--hubdetailsxml-file) topic for additional information on downloading the .xml file for agents. ![InstallAgentOperationFiles](/img/versioned_docs/changetracker_8.0/changetracker/install/agent/installagentoperationfiles.webp) diff --git a/docs/changetracker/8.0/changetracker/install/overview.md b/docs/changetracker/8.0/changetracker/install/overview.md index eb1c2287b0..8d6c88ecb6 100644 --- a/docs/changetracker/8.0/changetracker/install/overview.md +++ b/docs/changetracker/8.0/changetracker/install/overview.md @@ -2,8 +2,8 @@ (missing or bad snippet) -- [Requirements](../requirements/overview.md) -- [Hub Installation for Windows](../requirements/windowsserver.md) -- [Installing Gen 7 Agent for Windows](agent/windows.md) -- [Installing Gen 7 Agent for Linux](agent/linuxos.md) -- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](agent/commandlinescript.md) +- [Requirements](/docs/changetracker/8.0/changetracker/requirements/overview.md) +- [Hub Installation for Windows](/docs/changetracker/8.0/changetracker/requirements/windowsserver.md) +- [Installing Gen 7 Agent for Windows](/docs/changetracker/8.0/changetracker/install/agent/windows.md) +- [Installing Gen 7 Agent for Linux](/docs/changetracker/8.0/changetracker/install/agent/linuxos.md) +- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](/docs/changetracker/8.0/changetracker/install/agent/commandlinescript.md) 
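Review bot: the context line directly above the list in docs/changetracker/8.0/changetracker/install/overview.md (hunk @@ -2,8) still reads "(missing or bad snippet)", which looks like the residue of a failed snippet include and will be published as the page's introduction. Since the list under it is rewritten here, replace the placeholder with the intended introductory text or remove it in the same change.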
diff --git a/docs/changetracker/8.0/changetracker/integration/api/agents.md b/docs/changetracker/8.0/changetracker/integration/api/agents.md index c2f271e566..1057bfd7ae 100644 --- a/docs/changetracker/8.0/changetracker/integration/api/agents.md +++ b/docs/changetracker/8.0/changetracker/integration/api/agents.md @@ -204,7 +204,7 @@ Try { Catch [Net.WebException] {     $resp = $_.Exception.Response;     If ( $resp.StatusCode -eq [Net.HttpStatusCode]::BadRequest ) { -        $result = (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd() | ConvertFrom-Json; +        $result = (New-Object IO.StreamReader($resp.GetResponseStream().ReadToEnd() | ConvertFrom-Json;         # Handle errors         Write-Output $_.Exception     } diff --git a/docs/changetracker/8.0/changetracker/integration/itsm/syncserviceadmin.md b/docs/changetracker/8.0/changetracker/integration/itsm/syncserviceadmin.md index 42dbb902ea..5e4c0a7913 100644 --- a/docs/changetracker/8.0/changetracker/integration/itsm/syncserviceadmin.md +++ b/docs/changetracker/8.0/changetracker/integration/itsm/syncserviceadmin.md 
@@ -98,7 +98,7 @@ notification Method. | changeTrackerRestSyncProvider.password | String (e.g., “password”) The password of the account used to connect to Change Tracker. Note: This setting is encrypted by the service and written back to the config file under the key “E. changeTrackerRestSyncProvider.password” | | serviceNow.deviceClassNames | String (e.g., “cmdb_ci_win_server,cmdb_ci_linux_server”, default: “”) Optional comma-separated whitelist of Configuration Item class names (sourced from the cmdb_ci.sys_class_name property) which restricts which CIs can be mapped to a Device in Change Tracker. | | serviceNow.groupClassNames | String (default: “”) Optional comma-separated whitelist of Configuration Item class names (sourced from the cmdb_ci.sys_class_name property) which restricts which CIs can be mapped to a Group in Change Tracker. A value of DO_NOT_MATCH disables the group lookup if the device name is not found. | -| serviceNow.timeZone | String (e.g., “Eastern Standard Time”, default: “”) Optional time zone taken from this [list](), which should match the time zone of the account used to connect to ServiceNow. Note: this should be used where it’s not possible to set the account to use GMT. | +| serviceNow.timeZone | String (e.g., “Eastern Standard Time”, default: “”) Optional time zone taken from this [list](https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms912391(v=winembedded.11)), which should match the time zone of the account used to connect to ServiceNow. Note: this should be used where it’s not possible to set the account to use GMT. | | serviceNowChangeRequest.createplannedchangepertask | Boolean (default: false) When true, any RFC in ServiceNow that has tasks against it will result in a planned change for each task. If start or end times are missing on the tasks they will be taken from the parent RFC. 
| | serviceNowChangeRequestRestSyncAdapter.changesUrl | String (e.g., “https://site.service-now.com/api/now/table/change_request”, default: “”) Optional absolute URL for the REST API endpoint from which to retrieve Change Requests. | | serviceNowChangeRequestRestSyncAdapter.taskCiUrl | String (e.g., “https://site.service-now.com/api/now/table/task_ci”, default: “”) Optional absolute URL for the REST API endpoint from which to retrieve Configuration Items linked to Change Requests. | diff --git a/docs/changetracker/8.0/changetracker/requirements/windowsserver.md b/docs/changetracker/8.0/changetracker/requirements/windowsserver.md index a364037cc0..2d38fe9b88 100644 --- a/docs/changetracker/8.0/changetracker/requirements/windowsserver.md +++ b/docs/changetracker/8.0/changetracker/requirements/windowsserver.md @@ -4,7 +4,7 @@ This topic lists the hardware requirements and software requirements for Netwrix ## Hardware Requirements -| | Standard Install (< 100 devices) | Large Install (~ 1k devices) | +| | Standard Install ( 100 devices) | Large Install (~ 1k devices) | | ---- | -------------------------------- | ---------------------------- | | CPU | 4 cores | 16 cores | | RAM | 8 GB | 32 GB | diff --git a/docs/changetracker/8.1/changetracker/admin/agentlesscis/agentlesscis.md b/docs/changetracker/8.1/changetracker/admin/agentlesscis/agentlesscis.md index 7b1db832c8..8e4a0a4bd7 100644 --- a/docs/changetracker/8.1/changetracker/admin/agentlesscis/agentlesscis.md +++ b/docs/changetracker/8.1/changetracker/admin/agentlesscis/agentlesscis.md 
@@ -50,7 +50,7 @@ Administration page. **Step 1 –** Click the **Add Shell Credential (SSH/Telnet/Windows)** button to open the credential creation form. -![credential_creation](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/credential_creation.webp) +![credential_creation](/img/product_docs/changetracker/changetracker/admin/agentlesscis/credential_creation.webp) **Step 2 –** Name the credential. **Remote Windows Test1** has been used in this example. @@ -59,7 +59,7 @@ for proxied devices. The credential will now be listed in the grid. -![credential_grid](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/credential_grid.webp) +![credential_grid](/img/product_docs/changetracker/changetracker/admin/agentlesscis/credential_grid.webp) ### Configure the Proxied Windows Device @@ -77,11 +77,11 @@ the proxied devices. **Step 5 –** Add the RemoteTest group to the group list. -![proxide_device_configuration](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/proxide_device_configuration.webp) +![proxide_device_configuration](/img/product_docs/changetracker/changetracker/admin/agentlesscis/proxide_device_configuration.webp) The proxied Windows device will now be present in the detail grid of the master proxy device. -![device_grid](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/device_grid.webp) +![device_grid](/img/product_docs/changetracker/changetracker/admin/agentlesscis/device_grid.webp) ### Windows Compliance Reports 
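Review bot: the "+" line in docs/changetracker/8.0/changetracker/integration/api/agents.md (hunk @@ -204,7) drops a closing parenthesis from the PowerShell error-handling sample and leaves it unparseable. The removed line closed both the GetResponseStream() call and the New-Object group before calling .ReadToEnd(); the added line, "(New-Object IO.StreamReader($resp.GetResponseStream().ReadToEnd() | ConvertFrom-Json;", leaves two parentheses unclosed and would apply ReadToEnd() to the stream rather than to the StreamReader. Nothing else in this patch changes code, so this looks unintended: restore the "-" version of the line.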
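Review bot: the table header change in docs/changetracker/8.0/changetracker/requirements/windowsserver.md (hunk @@ -4,7) deletes the "<" from "Standard Install (< 100 devices)", leaving "Standard Install ( 100 devices)", which turns the sizing guidance from fewer than 100 devices into an ambiguous 100 devices. If the bare "<" was causing a build problem, write it as "&lt;" or spell it out as "fewer than 100 devices" instead of removing it.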
@@ -89,18 +89,18 @@ The steps to create or configure a compliance report is out of scope for this gu report must be configured to run against the RemoteTest group to ensure the proxied device, created in the previous step, is included in the report. -![compliance_report_configuration](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/compliance_report_configuration.webp) +![compliance_report_configuration](/img/product_docs/changetracker/changetracker/admin/agentlesscis/compliance_report_configuration.webp) Execute the compliance report in the standard way. -![running_compliance_report](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/running_compliance_report.webp) +![running_compliance_report](/img/product_docs/changetracker/changetracker/admin/agentlesscis/running_compliance_report.webp) Completed compliance report: -![completed_compliance_report](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/completed_compliance_report.webp) +![completed_compliance_report](/img/product_docs/changetracker/changetracker/admin/agentlesscis/completed_compliance_report.webp) The Windows compliance report will look the just the same as a report executed on Windows devices with agents. The details of the report will contain all passed and failed checks for the proxied Windows device. -![compliance_report](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlesscis/compliance_report.webp) +![compliance_report](/img/product_docs/changetracker/changetracker/admin/agentlesscis/compliance_report.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfiguration.md b/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfiguration.md index b3cd9a0023..76512abdc3 100644 --- a/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfiguration.md 
+++ b/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfiguration.md @@ -11,7 +11,7 @@ prompt and to more precisely define the Prompt with a new line prefix for instan prompt (e.g. a single > or $) may appear elsewhere in the data being tracked, triggering an early termination of the tracking operation. -![AgentlessScriptAdvConfigRegEx](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlessscript/agentlessscriptadvconfigregex.webp) +![AgentlessScriptAdvConfigRegEx](/img/product_docs/changetracker/changetracker/admin/agentlessscript/agentlessscriptadvconfigregex.webp) This prompt definition matches a sequence of ‘new line’’any characters’’-1700>’. Please contact [Netwrix Support](https://www.netwrix.com/support.html) if you have any challenging prompt or logon diff --git a/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfigurationsamplescripts.md b/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfigurationsamplescripts.md index 4cd8bf16ed..0b05b6bcb1 100644 --- a/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfigurationsamplescripts.md +++ b/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfigurationsamplescripts.md @@ -9,4 +9,4 @@ The sample scripts provided in this section all include a Main Script and a Logo however, for Production Agentless Tracker’s, the Logon script only is used within the Credentials key with the Main Script commands being configured with the relevant Configuration Template. -![AgentlessScriptSamples.](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agentlessscript/agentlessscriptsamples.webp) +![AgentlessScriptSamples.](/img/product_docs/changetracker/changetracker/admin/agentlessscript/agentlessscriptsamples.webp) 
diff --git a/docs/changetracker/8.1/changetracker/admin/agentlessscript/overview.md b/docs/changetracker/8.1/changetracker/admin/agentlessscript/overview.md index 7e07c997a4..4ac1adf7f1 100644 --- a/docs/changetracker/8.1/changetracker/admin/agentlessscript/overview.md +++ b/docs/changetracker/8.1/changetracker/admin/agentlessscript/overview.md @@ -2,5 +2,5 @@ Review the following for additional information: -- [Predefined Script Variables](predefinedscriptvariables.md) -- [Advanced Configuration](advancedconfiguration.md) +- [Predefined Script Variables](/docs/changetracker/8.1/changetracker/admin/agentlessscript/predefinedscriptvariables.md) +- [Advanced Configuration](/docs/changetracker/8.1/changetracker/admin/agentlessscript/advancedconfiguration.md) diff --git a/docs/changetracker/8.1/changetracker/admin/agents/livetracking.md b/docs/changetracker/8.1/changetracker/admin/agents/livetracking.md index e6d87742cd..0e04c72e25 100644 --- a/docs/changetracker/8.1/changetracker/admin/agents/livetracking.md +++ b/docs/changetracker/8.1/changetracker/admin/agents/livetracking.md @@ -2,7 +2,7 @@ Live Tracking is a style of tracking to capture all changes in real-time that can be set when configuring a tracking policy. See the -[Policy Templates: FIM File Integrity](../settings/policytemplates/fimfiles.md) topic for additional +[Policy Templates: FIM File Integrity](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md) topic for additional information. ## Windows @@ -38,7 +38,7 @@ empties it every 100 milliseconds. Neither the server nor the agent requires a restart after live tracking has been enabled. -![minifilter_767x740](../../../../../../static/img/product_docs/changetracker/changetracker/admin/agents/minifilter_767x740.webp) +![minifilter_767x740](/img/product_docs/changetracker/changetracker/admin/agents/minifilter_767x740.webp) The Change Tracker minifilter doesn't make any alterations to user requests, it only monitors I/O activity. 
diff --git a/docs/changetracker/8.1/changetracker/admin/alerts.md b/docs/changetracker/8.1/changetracker/admin/alerts.md index e41514eebc..d702897dc6 100644 --- a/docs/changetracker/8.1/changetracker/admin/alerts.md +++ b/docs/changetracker/8.1/changetracker/admin/alerts.md @@ -12,4 +12,4 @@ select a user, then dial in **Notification Types** for the selected Device Group **NOTE:** Core system settings such as the Syslog Server and SMTP details will also need to be defined via **Settings** -> **System Settings** in the Change Tracker . See the -[System Settings](settings/systemsettings.md) topic for additional information. +[System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/admin/fim/fim.md b/docs/changetracker/8.1/changetracker/admin/fim/fim.md index dc409f8fe1..a0c312ba77 100644 --- a/docs/changetracker/8.1/changetracker/admin/fim/fim.md +++ b/docs/changetracker/8.1/changetracker/admin/fim/fim.md @@ -11,8 +11,8 @@ to monitoring is necessary, i.e. where the endpoint is a firewall, router, switc preferred to using an agent i.e. to monitor Windows or Linux where a quick, software-free implementation is desirable, Netwrix Change Tracker can also operate using Agentless FIM. -File change events can be viewed from the [Events Tab](../tabs/events.md). See the -[Dashboard Tab](../tabs/dashboardoverview.md) topic for additional information on how to view FIM +File change events can be viewed from the [Events Tab](/docs/changetracker/8.1/changetracker/admin/tabs/events.md). See the +[Dashboard Tab](/docs/changetracker/8.1/changetracker/admin/tabs/dashboardoverview.md) topic for additional information on how to view FIM change events. **NOTE:** The Events tab is designed to handle large enterprise estates with potentially thousands 
diff --git a/docs/changetracker/8.1/changetracker/admin/gettingstarted.md b/docs/changetracker/8.1/changetracker/admin/gettingstarted.md index f8b1453d50..9a8e559ce4 100644 --- a/docs/changetracker/8.1/changetracker/admin/gettingstarted.md +++ b/docs/changetracker/8.1/changetracker/admin/gettingstarted.md @@ -5,16 +5,16 @@ Once you have successfully installed Netwrix Change Tracker, and logged in for t reports with or without agents. By default, an agent is installed on the Change Tracker machine, so you can quickly check the data collection and reports using that agent. Alternatively, you can collect data from other devices in your network. Either way, your starting point will be the -[Device Tab](tabs/devices.md). +[Device Tab](/docs/changetracker/8.1/changetracker/admin/tabs/devices.md). Once you have established data collection, use the Reports tab to view reports on you device's configuration. -Next, use the [Planned Changes Tab](tabs/plannedchanges.md) manage change events and filter any +Next, use the [Planned Changes Tab](/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md) manage change events and filter any changes that are considered as noise. To add another user, manage licenses, set the planned change intervals, and otherwise configure -Change Tracker, review the [Settings Tab](settings/settingstab.md). +Change Tracker, review the [Settings Tab](/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md). ## Two Factor Authentication 
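Review bot: The sentence on the `+` line starting `Next, use the [Planned Changes Tab]` (gettingstarted.md, `@@ -5,16 +5,16 @@`) is missing "to" before "manage change events". The unchanged line two above it, "view reports on you device's configuration", should read "your". Both are worth fixing in this commit since the paragraph is already being edited.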
@@ -39,7 +39,7 @@ security > auth > twoFactor > "registerAdmin": "false" security > auth > twoFactor > "fallbackEnabled": "true" (default setting) -![2faconfiguration](../../../../../static/img/product_docs/changetracker/changetracker/admin/2faconfiguration.webp) +![2faconfiguration](/img/product_docs/changetracker/changetracker/admin/2faconfiguration.webp) A One-Time Passcode (OTP) may be required when attempting certain actions within Change Tracker for the first time during a session. Without 2FA or an authenticator app, this OTP will be written to diff --git a/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md b/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md index f6d628734c..4a80e70bec 100644 --- a/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md +++ b/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md @@ -15,7 +15,7 @@ built-in Pathmatch Definition for this provided 'Linux temp files in folder'. However, by way of example, the example **Custom Pathmatch Definition** below provides this policy: -![CustomPathmatchDefinition](../../../../../../static/img/product_docs/changetracker/changetracker/admin/matchrules/custompathmatchdefinition.webp) +![CustomPathmatchDefinition](/img/product_docs/changetracker/changetracker/admin/matchrules/custompathmatchdefinition.webp) **Step 1 –** **FolderMatchType** - Available options are: diff --git a/docs/changetracker/8.1/changetracker/admin/matchrules/matchrulesoverview.md b/docs/changetracker/8.1/changetracker/admin/matchrules/matchrulesoverview.md index 739ea7c6f6..7c365001f2 100644 --- a/docs/changetracker/8.1/changetracker/admin/matchrules/matchrulesoverview.md +++ b/docs/changetracker/8.1/changetracker/admin/matchrules/matchrulesoverview.md 
@@ -2,5 +2,5 @@ Review the following for additional information: -- [File and Folder Match Filters for Inclusion and Exclusion Rules ](filefolderrules.md) -- [Registry Inclusion/Exclusion Match Rules ](registryrules.md) +- [File and Folder Match Filters for Inclusion and Exclusion Rules ](/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md) +- [Registry Inclusion/Exclusion Match Rules ](/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md) diff --git a/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md b/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md index bfe187e297..688e7ff73d 100644 --- a/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md +++ b/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md @@ -13,7 +13,7 @@ Winlogon key, but exclude DCacheUpdate changes may be desirable. The '**All Registry Values**' Match Rule is available by default but to define the 'Isolate DCacheUpdate Value Changes' exclusion, the following Custom PathMatch Definition would be added: -![RegistryInclusion](../../../../../../static/img/product_docs/changetracker/changetracker/admin/matchrules/registryinclusion.webp) +![RegistryInclusion](/img/product_docs/changetracker/changetracker/admin/matchrules/registryinclusion.webp) **Step 1 –** **KeyMatchType** - Available options are: diff --git a/docs/changetracker/8.1/changetracker/admin/overview.md b/docs/changetracker/8.1/changetracker/admin/overview.md index 03addc0890..27afa64fc2 100644 --- a/docs/changetracker/8.1/changetracker/admin/overview.md +++ b/docs/changetracker/8.1/changetracker/admin/overview.md 
@@ -3,9 +3,9 @@ The Change Tracker console contains several pages that can be selected from the tabs at the top: - Dashboard Tab -- [Events Tab](tabs/events.md) -- [Device Tab](tabs/devices.md) -- [Overview Tab](tabs/complianceoverviewtab.md) -- [Planned Changes Tab](tabs/plannedchanges.md) -- [Reports Tab](tabs/reportstab.md) -- [Settings Tab](settings/settingstab.md) +- [Events Tab](/docs/changetracker/8.1/changetracker/admin/tabs/events.md) +- [Device Tab](/docs/changetracker/8.1/changetracker/admin/tabs/devices.md) +- [Overview Tab](/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md) +- [Planned Changes Tab](/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md) +- [Reports Tab](/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md) +- [Settings Tab](/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/agentconfiguration.md b/docs/changetracker/8.1/changetracker/admin/settings/agentconfiguration.md index a2e43d3e03..34faff44a0 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/agentconfiguration.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/agentconfiguration.md @@ -3,7 +3,7 @@ There are multiple ways to set values in an agent's configuration file on installation. Once an agent has been configured and has successfully registered with the Hub, its configuration can be managed remotely with the Agent Updates tab.See the -[Agent Installation](../../install/agent/overview.md) topic for additional information. +[Agent Installation](/docs/changetracker/8.1/changetracker/install/agent/overview.md) topic for additional information. Follow these steps to update the agent hub configuration. 
@@ -11,11 +11,11 @@ Follow these steps to update the agent hub configuration. that loads to display the options for Upload an Agent Update andUpdateHubDetails. HubDetails is the name of the config file used for agents. -![remoteagentconfig](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/remoteagentconfig.webp) +![remoteagentconfig](/img/product_docs/changetracker/changetracker/admin/settings/remoteagentconfig.webp) **Step 2 –** Select **Update HubDetails** to open the Update agent hub details window. -![remoteagentconfigsettings](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/remoteagentconfigsettings.webp) +![remoteagentconfigsettings](/img/product_docs/changetracker/changetracker/admin/settings/remoteagentconfigsettings.webp) **Step 3 –** Select the devices or groups of devices to configure and then enter the desired values. @@ -36,6 +36,6 @@ remove any existing prefix for the target devices. **Step 4 –** Click **OK** to broadcast the new configuration to the agents on the target devices. -![broadcastagentconfig](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/broadcastagentconfig.webp) +![broadcastagentconfig](/img/product_docs/changetracker/changetracker/admin/settings/broadcastagentconfig.webp) This should take less than a minute to apply. diff --git a/docs/changetracker/8.1/changetracker/admin/settings/agentcredentialrotation.md b/docs/changetracker/8.1/changetracker/admin/settings/agentcredentialrotation.md index f41f10fb2a..e1921317e4 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/agentcredentialrotation.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/agentcredentialrotation.md 
@@ -6,7 +6,7 @@ described in this document. If authentication details are being rotated as part of a routine process, then the in band alternative is to set all agents to use new credentials from within the Hub's web console. See the -[Agent Configuration](agentconfiguration.md) topic for additional information. +[Agent Configuration](/docs/changetracker/8.1/changetracker/admin/settings/agentconfiguration.md) topic for additional information. The scripts at the bottom of this page can be used to update authentication details on devices. These scripts can be rolled out to all devices with an IT automation system. These scripts stop the @@ -24,7 +24,7 @@ other roles, it can only be used by agents to authenticate. The existing agent account can be seen in the Users section of the Hub. -![agentaccountmanagement](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/agentaccountmanagement.webp) +![agentaccountmanagement](/img/product_docs/changetracker/changetracker/admin/settings/agentaccountmanagement.webp) **CAUTION:** Changing the password of an account used by agents to authenticate will cause the agents to go offline as they will be attempting to authenticate with the old password. @@ -38,7 +38,7 @@ Follow the steps to create the new agent account. **Step 1 –** Click **Create New User**, give it a user name and just the Agent role. -![newpassword](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/newpassword.webp) +![newpassword](/img/product_docs/changetracker/changetracker/admin/settings/newpassword.webp) **Step 2 –** Click **Update**, and the User Password dialog opens with a complex password. This is only shown once. It is recommended that this be saved in a password management system for future 
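Review bot: The `newpassword.webp` screenshot referenced in the `@@ -38,7 +38,7 @@` hunk sits next to text saying the User Password dialog displays a generated password that is only shown once, so please confirm the published image shows a dummy or redacted value rather than a credential from a real Hub. The path rewrite itself needs no change.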
@@ -55,7 +55,7 @@ match the new agent account. Running the script will set the new authentication details and restart the agent while producing the output below. -![newagentscript_1049x168](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/newagentscript_1049x168.webp) +![newagentscript_1049x168](/img/product_docs/changetracker/changetracker/admin/settings/newagentscript_1049x168.webp) ChangePasswordOOB.ps1 @@ -113,7 +113,7 @@ the new agent account. Running the script will set the password and restart the agent while producing the output below. -![agentpasswordscript_1028x217](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/agentpasswordscript_1028x217.webp) +![agentpasswordscript_1028x217](/img/product_docs/changetracker/changetracker/admin/settings/agentpasswordscript_1028x217.webp) UpdatePasswordOOB.sh diff --git a/docs/changetracker/8.1/changetracker/admin/settings/agentsanddevices.md b/docs/changetracker/8.1/changetracker/admin/settings/agentsanddevices.md index 0febba66e3..aefdea8fc9 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/agentsanddevices.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/agentsanddevices.md @@ -19,7 +19,7 @@ can be edited below. ![Graphical user interface, application Description automatically -generated](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_24.webp) +generated](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_24.webp) **NOTE:** Click on the ‘burger’ icon alongside any column heading to get a full list of column options. 
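Review bot: The alt text in the agentsanddevices.md hunk (`@@ -19,7 +19,7 @@`) is the auto-generated placeholder "Graphical user interface, application Description automatically generated", split across two lines so that the `+` line begins `generated](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_24.webp)`. Since that line is being edited anyway, replace the placeholder with a one-line description of what the screenshot shows.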
@@ -27,6 +27,6 @@ options. ![Graphical user interface, text, application, email Description automatically -generated](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_25.webp) +generated](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_25.webp) -![page_guide_26](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_26.webp) +![page_guide_26](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_26.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md b/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md index dcb64d197e..ed22bafff0 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md 
@@ -4,25 +4,25 @@ When a new agent version is released and downloaded from the customer portal, it the Hub. It is then possible deploy the agent update to all (or specific) devices from within the console. The deployment can be instant or scheduled. -![agentupdatefiles](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/agentupdatefiles.webp) +![agentupdatefiles](/img/product_docs/changetracker/changetracker/admin/settings/agentupdatefiles.webp) An agent update is comprised of two zip files. One is a new set of program files, the other is a upd file, which signs the update to confirm its integrity. -![uploadagentupdate](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/uploadagentupdate.webp) +![uploadagentupdate](/img/product_docs/changetracker/changetracker/admin/settings/uploadagentupdate.webp) The Agent Updates page can be found in the Settings menu. The Actions button on this page has an option to Upload an Agent Update. -![agentupdateuploadscreen](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/agentupdateuploadscreen.webp) +![agentupdateuploadscreen](/img/product_docs/changetracker/changetracker/admin/settings/agentupdateuploadscreen.webp) The resulting dialog facilitates the upload of the agent update files. -![agentupdateschedule](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/agentupdateschedule.webp) +![agentupdateschedule](/img/product_docs/changetracker/changetracker/admin/settings/agentupdateschedule.webp) The deployment schedule for a new update can be controlled via the Agent Software Updates tab on a -per Device Groups basis – See the [Device Groups](devicegroups.md) topic for additional information. +per Device Groups basis – See the [Device Groups](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) topic for additional information. 
-![devices](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/devices.webp) +![devices](/img/product_docs/changetracker/changetracker/admin/settings/devices.webp) Check the Devices tab to ensure that updates have been deployed as expected. diff --git a/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md b/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md index 3d51aae0c7..81215f8a24 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md 
@@ -10,24 +10,24 @@ all commands used are approved. If a new command is encountered, this will be flagged as such: -![allowedcommands](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/allowedcommands.webp) +![allowedcommands](/img/product_docs/changetracker/changetracker/admin/settings/allowedcommands.webp) You can either immediately click the warning to access the approvals workflow and you can show a listing of all reports/policy templates with Untrusted commands using the filter on the **Policy Admin** page. -![AllowedCommandsCategories](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandscategories.webp) +![AllowedCommandsCategories](/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandscategories.webp) Clicking on the **Not Trusted** link, you will be invited to enter a code generated by the 2FA resource linked to the Change Tracker instance during initial setup. -![AllowedCommandsTrustStatus](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandstruststatus.webp) +![AllowedCommandsTrustStatus](/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandstruststatus.webp) ## Using the Allowed Commands Page Navigate to **Settings** – **Allowed Commands**: -![AllowedCommandsPage](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandspage.webp) +![AllowedCommandsPage](/img/product_docs/changetracker/changetracker/admin/settings/allowedcommandspage.webp) - **Filters for Trusted Commands** - Allows selection of the commands, templates or reports to work with; diff --git a/docs/changetracker/8.1/changetracker/admin/settings/credentials.md b/docs/changetracker/8.1/changetracker/admin/settings/credentials.md index 5c5ab57a6b..be19fb4105 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/credentials.md 
+++ b/docs/changetracker/8.1/changetracker/admin/settings/credentials.md 
@@ -22,39 +22,39 @@ delete specific credentials. These credentials are used to connect to an ITSM and discover devices to scan from the ITSM's configuration item catalog. -![ITSM System Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/itsm_system_credentials.webp) +![ITSM System Credentials](/img/product_docs/changetracker/changetracker/admin/settings/itsm_system_credentials.webp) ## Cloud System Credentials These credentials are used by the Cloud Tracker feature to track changes to cloud platform configuration. -![Cloud System Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/cloud_system_credentials_1120x365.webp) +![Cloud System Credentials](/img/product_docs/changetracker/changetracker/admin/settings/cloud_system_credentials_1120x365.webp) ## SSH / Telnet Credentials These credentials are used for agentless connections to devices (Linux, switches, routers, etc.) via SSH or Telnet. Credentials for Windows agentless connections are also stored here. -![SSH Telnet Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/ssh_telnet_credentials_1118x372.webp) +![SSH Telnet Credentials](/img/product_docs/changetracker/changetracker/admin/settings/ssh_telnet_credentials_1118x372.webp) ## Splunk Credentials These credentials are used to connect to the API of a Splunk instance and pull specific logs into Change Tracker as change events. -![Splunk Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/splunk_credentials_1122x369.webp) +![Splunk Credentials](/img/product_docs/changetracker/changetracker/admin/settings/splunk_credentials_1122x369.webp) ## ESXi / vCenter Credentials These credentials are used to connect to ESXi devices or to connect to a vSphere and discover all of it's ESXi nodes. 
-![EXsi Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/esxi_credentials.webp) +![EXsi Credentials](/img/product_docs/changetracker/changetracker/admin/settings/esxi_credentials.webp) ## Database Credentials These credentials are used by database compliance reports to connect directly to a database instance. -![Database Credentials](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/database_credentials_1113x358.webp) +![Database Credentials](/img/product_docs/changetracker/changetracker/admin/settings/database_credentials_1113x358.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md b/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md index 7d9ea3b4c6..b5eace37e7 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md @@ -12,16 +12,16 @@ more help button; - Use the ‘Group Name’ box to search and filter Device Groups shown. -![page_guide_27](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_27.webp) +![page_guide_27](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_27.webp) Click on a Device Group name to configure further attributes for the Group, such as: - Device Tracking Policy - Compliance Report(s) - Group Members, with the option to export a list of group Members -- Define the schedule for [Agent Updates](agentupdates.md) +- Define the schedule for [Agent Updates](/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md) -![page_guide_28](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_28.webp) +![page_guide_28](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_28.webp) ## Agent Discovery/Registration Process 
@@ -41,10 +41,10 @@ Tracker , hence it requiring your intervention to make sure settings are as need The key tags within the file are as follows: -![page_guide_29](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_29.webp) +![page_guide_29](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_29.webp) \*The **Thumbprint** uniquely identifies the Web Server certificate, see the -[How to: Retrieve the Thumbprint of a Certificate]() +[How to: Retrieve the Thumbprint of a Certificate](https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx) Microsoft article for additional information. **NOTE:** Agent also supports additional nodes – **NamePrefix** and **NameSuffix**. @@ -84,7 +84,7 @@ possible match (in other words, there must be a group already defined with the G referenced). This substituted name is then used as the initial group to register the agent into. Note: if there s no match they ll end up in the default New Devices . -![page_guide_30](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_30.webp) +![page_guide_30](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_30.webp) You can view and edit the Default Registration Report from the **System** page. In conjunction with the Registration Report, the optional Registration Script parameters can be used, providing a GUI @@ -94,4 +94,4 @@ value from the registry, and the custom code reads this value and appends it to So, if the registry value contained **WebServer**, the device would be placed in the **CustomWebServer** group if it exists, falling back on New Devices if it doesn t. -![page_guide_31](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_31.webp) +![page_guide_31](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_31.webp) 
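Review bot: The thumbprint link in the `@@ -41,10 +41,10 @@` hunk of devicegroups.md deserves its own mention in the commit message, because unlike the other lines in this patch it is a content change: the empty target `()` becomes `https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx`. The destination contains literal parentheses, `(v=vs.110)`; wrapping it in angle brackets or percent-encoding them avoids depending on how the Markdown renderer balances parentheses. Please also check that the URL still resolves to the intended Microsoft article.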
diff --git a/docs/changetracker/8.1/changetracker/admin/settings/license.md b/docs/changetracker/8.1/changetracker/admin/settings/license.md index 919c3ff2bc..1ce3e80657 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/license.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/license.md @@ -4,4 +4,4 @@ Inspect details for the current license and upload a new license key if required license key, just paste the code provided into the **Add New License** field and click **Upload License**. -![SystemSettingsLicense](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/systemsettingslicense.webp) +![SystemSettingsLicense](/img/product_docs/changetracker/changetracker/admin/settings/systemsettingslicense.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/filescontents.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/filescontents.md index 0388187490..c45a7adf87 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/filescontents.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/filescontents.md @@ -6,7 +6,7 @@ notifications of any changes, or via a periodically scheduled poll. Netwrix Chan a regular expression-based data-extraction operation to precisely focus the tracking on salient entries only. -![PolicyTemplateFileContents](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatefilecontents.webp) +![PolicyTemplateFileContents](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatefilecontents.webp) **Step 1 –** **Polling Frequency**. The default setting is to run a full poll (effectively a new baseline operation) only when the Agent has been restarted e.g., after a reboot but the Agent may be 
diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md index 6aecdf6352..d77f35a122 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md @@ -5,7 +5,7 @@ PCI DSS, mandate use of this control. Netwrix Change Tracker will monitor and al folder change – a new file appearing, such as a Trojan being added to the System 32 folder, or an application hack/modification will be detected and alerted. -![ConfigTemplatesFIMFiles](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/configtemplatesfimfiles.webp) +![ConfigTemplatesFIMFiles](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/configtemplatesfimfiles.webp) - **Polling Frequency** – The default setting is to run a full poll (effectively a new baseline operation) only when the Agent has been restarted e.g. after a reboot but the Agent may be run in @@ -65,5 +65,5 @@ will still be identified as being a changed file. Exclusions are configured in a similar manner to the inclusive tracking above. -**NOTE:** For Advanced Options: see [Appendix B](../../matchrules/filefolderrules.md) for more +**NOTE:** For Advanced Options: see [Appendix B](/docs/changetracker/8.1/changetracker/admin/matchrules/filefolderrules.md) for more information. diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfileslegacy.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfileslegacy.md index 4bbc895243..6d5a0d9055 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfileslegacy.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfileslegacy.md 
@@ -6,6 +6,6 @@ provide various Agentless FIM options. All Agentless monitoring is performed via a Master Proxy Agent – the Proxy function is supported by any Netwrix Change Tracker Agent and the dedicated Netwrix Agent App Proxy Agent. See the later -section on [Agentless FIM](../../matchrules/registryrules.md) for more information. +section on [Agentless FIM](/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md) for more information. -![PolicyTeplatesAgentlessDiagram](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policyteplatesagentlessdiagram.webp) +![PolicyTeplatesAgentlessDiagram](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policyteplatesagentlessdiagram.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/installedsoftware.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/installedsoftware.md index 99a3eafe4a..a376da6de3 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/installedsoftware.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/installedsoftware.md @@ -11,4 +11,4 @@ the settings to the device. Changes will be detected on a scheduled, polled basi frequency governed by the **Repeat** setting. A **No Repeat** setting will ensure a poll only occurs on a server re-boot which may be appropriate for a host with tightly governed resources. -![PolicyTemplateInstalledSoftware](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateinstalledsoftware.webp) +![PolicyTemplateInstalledSoftware](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateinstalledsoftware.webp) 
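Review bot: The link text "Agentless FIM" in the fimfileslegacy.md hunk (`@@ -6,6 +6,6 @@`) points at `matchrules/registryrules.md`, the registry match rules page, both before and after this change. That looks like a wrong target carried over by the rewrite; point it at the Agentless FIM topic or adjust the link text to match the destination.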
diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/localuserordctracker.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/localuserordctracker.md index ecdf1f2365..faefcc5217 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/localuserordctracker.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/localuserordctracker.md @@ -16,4 +16,4 @@ There is minimal configuration required to activate the Change Tracker – just local user account settings in this template** box and define the poll period then save settings to the Template. Any changes to the initial baseline will be alerted and reported. -![PolicyTemplatesAccountsTracker](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesaccountstracker.webp) +![PolicyTemplatesAccountsTracker](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesaccountstracker.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkporttracker.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkporttracker.md index f8303c801c..5a0933ab80 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkporttracker.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkporttracker.md 
@@ -23,7 +23,7 @@ This means that there are three scanning options available: The **NMAP** package must be installed to a default program file location (Windows: Program Files(x86)\Nmap), Linux: /usr/bin/) -![PolicyTemplatesNetworkPortTrackerDiagram](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesnetworkporttrackerdiagram.webp) +![PolicyTemplatesNetworkPortTrackerDiagram](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesnetworkporttrackerdiagram.webp) The **Network Port Tracker** is configured by specifying port ranges to include and exclude from the scan. In addition, the protocol used for each range can also be selected, either TCP, UDP or both. @@ -31,4 +31,4 @@ scan. In addition, the protocol used for each range can also be selected, either **NOTE:** As with any UDP scan, the non-acknowledged nature of UDP requires a more intensive, slower approach which may result in scan times exceeding 24 hours. -![PolicyTemplatesNetworkPortTrackerTab](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesnetworkporttrackertab.webp) +![PolicyTemplatesNetworkPortTrackerTab](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesnetworkporttrackertab.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkscan.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkscan.md index beb9d70a19..607fef999c 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkscan.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkscan.md 
@@ -2,20 +2,20 @@ There are several steps required to configure and define a multi-device network scan. -![NetworkScan](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/networkscan.webp) +![NetworkScan](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/networkscan.webp) **Step 1 –** Define The Network device. Select the agent from which you would like the scan to run, usually the Agent installed on the Hub server, but any remote Agent or Agents can be used to run scans to their local subnet, thereby simplifying routing/firewall rules. -![EditNetwork](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/editnetwork.webp) +![EditNetwork](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/editnetwork.webp) - **Host/Database Name** - Define the individual addresses and/or address range; use a space to separate multiple entries; use a 1-20 notation for an inclusive range. - **Credentials** - For a multiple device/address port scan range, no credentials are required so a simple **No-Connection-Required** credential key is needed. -![EditNetworkCredentialName](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/editnetworkcredentialname.webp) +![EditNetworkCredentialName](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/editnetworkcredentialname.webp) - **Credential Name** - Create a ‘No-Connection-Required’ credential key – a username and password will be required but these can be entered as dummy credentials. 
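Review bot: The three image references rewritten in this networkscan.md hunk keep file-name tokens as alt text (`NetworkScan`, `EditNetwork`, `EditNetworkCredentialName`), which tells a screen-reader user, or anyone reading with images disabled, nothing about what each screenshot shows. Since each of these lines is being rewritten anyway, consider replacing the tokens with a short description of the dialog pictured, taken from the step text next to it.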
@@ -25,16 +25,16 @@ although due to the typically prolonged time needed to complete each scan, espec are included, we would advise that the Tracker is set to **Polling frequency: run at** ‘agent startup’ and repeat ‘No repeat’. -![page_guide_53](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/page_guide_53.webp) +![page_guide_53](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/page_guide_53.webp) **Step 3 –** Once the initial poll has completed the duration will be required as a communications Event. -![page_guide_54](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/page_guide_54.webp) +![page_guide_54](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/page_guide_54.webp) **Step 4 –** Provided you have specified within the Tracker template to **Send Baseline Events** then you will also be able to see both the full baseline/status for the Tracker results, as well as the usual change events. Similarly, you can also report on these, export the events, and receive alerts for any Planned and Unplanned changes. -![EventDetailsNetwork](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/eventdetailsnetwork.webp) +![EventDetailsNetwork](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/eventdetailsnetwork.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/overview.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/overview.md index ff4995cfbf..a0cbb4ab8d 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/overview.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/overview.md 
@@ -2,14 +2,14 @@ Review the following for additional information: -- [Create/Edit a Configuration Monitoring Policy](createeditmonitoringpolicy.md) -- [Policy Templates: FIM File Integrity](fimfiles.md) -- [Policy Templates: File Contents](filescontents.md) -- [Policy Templates: Installed Software and Updates](installedsoftware.md) -- [Policy Templates: Registry](registry.md) -- [Policy Templates: Processes and Services](processesservices.md) -- [Policy Templates: Security and Audit Policy Tracker ](securityandauditpoltracker.md) -- [Policy Templates: Local User/Domain Controller Account Tracker](localuserordctracker.md) -- [Policy Templates: Process/Command Output ](processcommandoutput.md) -- [Policy Templates: Network Port Tracker ](networkporttracker.md) -- [Network Scan ](networkscan.md) +- [Create/Edit a Configuration Monitoring Policy](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/createeditmonitoringpolicy.md) +- [Policy Templates: FIM File Integrity](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/fimfiles.md) +- [Policy Templates: File Contents](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/filescontents.md) +- [Policy Templates: Installed Software and Updates](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/installedsoftware.md) +- [Policy Templates: Registry](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/registry.md) +- [Policy Templates: Processes and Services](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processesservices.md) +- [Policy Templates: Security and Audit Policy Tracker ](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/securityandauditpoltracker.md) +- [Policy Templates: Local User/Domain Controller Account Tracker](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/localuserordctracker.md) +- [Policy Templates: Process/Command Output 
](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processcommandoutput.md) +- [Policy Templates: Network Port Tracker ](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkporttracker.md) +- [Network Scan ](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/networkscan.md) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/policytemplateadministration.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/policytemplateadministration.md index a3b63a3dcf..eae52827e2 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/policytemplateadministration.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/policytemplateadministration.md @@ -9,4 +9,4 @@ changed together with the make-up of the Configuration Monitoring policy To configure additional File/Folder/Registry Match Pattern definitions, click on the **Show Advanced Options** button. -![PolicyTemplatesAdministration](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesadministration.webp) +![PolicyTemplatesAdministration](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesadministration.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processcommandoutput.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processcommandoutput.md index 988aa620b0..3bbe6c379f 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processcommandoutput.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processcommandoutput.md 
@@ -3,7 +3,7 @@ Where required, Netwrix Change Tracker can also execute commands on the endpoint device. Note that commands must be pre-approved for usage. All standard commands employed within Change Tracker Compliance Reports and the built-in Policy Templates are pre-approved but if you add any new -commands these may require Admin approval. See the [Allowed Commands](../allowedcommands.md) topic +commands these may require Admin approval. See the [Allowed Commands](/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md) topic for additional information. - **Agent-Based Monitoring** – Where an Agent is being used for monitoring the commands will be @@ -15,14 +15,14 @@ for additional information. cmd /C %systemroot%\system32\inetsrv\appcmd list VDIR /text:VDIR.NAME -![ProcessCommandOutput](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/processcommandoutput.webp) +![ProcessCommandOutput](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/processcommandoutput.webp) - Commands will be executed indirectly by the **Master Proxy Agent** being used and the initial baseline stored in the **Proxy Agent** database, with any subsequent changes detected being reported back to the Hub. The commands will be run using whichever service account has been used in the assigned **Credentials**. -![ProcessCommandOutputCredentials](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/processcommandoutputcredentials.webp) +![ProcessCommandOutputCredentials](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/processcommandoutputcredentials.webp) - **Use of RegEx** – Whether using Agent-based or Agentless Command Output Trackers, a Regular Expression can be applied to the command output to filter/match specific keywords/patterns. Note 
diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processesservices.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processesservices.md index cf01de6918..57936ffcc0 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processesservices.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/processesservices.md @@ -11,7 +11,7 @@ services and their states. Any non-necessary Services or Services you are generally unconcerned about should be marked as **Ignore State**. -![PolicyTemplatesProcessesServices](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesprocessesservices2.webp) +![PolicyTemplatesProcessesServices](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesprocessesservices2.webp) - \_**\_Uncategorized Process/Service Action\_\_** - Use this option if you want to be alerted to the presence of any new, uncategorized processes or services. This is an option as in some diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/registry.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/registry.md index 72a3e99471..3251bd5de7 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/registry.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/registry.md 
@@ -14,14 +14,14 @@ can then paste the key name into the **Compliance Hub** field. Click **Add new registry key** and type or paste the Key into monitor. Once you have added a Key to monitor, click **Insert** then **Save Settings to Device**. -![PolicyTemplateRegistry](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateregistry.webp) +![PolicyTemplateRegistry](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateregistry.webp) Like the **File Integrity** settings covered earlier, exclusion rules can be used, and Registry Trackers can also be filtered using a **Registry Key/Value Match Rule** and a **Tracked Attributes** dimension. Use the **Advanced Options** to create and edit new Definitions. See -the[Registry Inclusion/Exclusion Match Rules ](../../matchrules/registryrules.md) topic for +the[Registry Inclusion/Exclusion Match Rules ](/docs/changetracker/8.1/changetracker/admin/matchrules/registryrules.md) topic for additional information. -![PolicyTemplateRegistryExclude](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateregistryexclude.webp) +![PolicyTemplateRegistryExclude](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplateregistryexclude.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/securityandauditpoltracker.md b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/securityandauditpoltracker.md index 3eff717453..dca9d888c9 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/securityandauditpoltracker.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/securityandauditpoltracker.md 
@@ -12,4 +12,4 @@ There is minimal configuration required to activate the Tracker – just check t and audit policy settings in this template** box and define the poll period then save settings to the Template. Any changes to the initial baseline will be alerted and reported. -![PolicyTemplateSecurityAuditPol](../../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesecurityauditpol.webp) +![PolicyTemplateSecurityAuditPol](/img/product_docs/changetracker/changetracker/admin/settings/policytemplates/policytemplatesecurityauditpol.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md b/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md index a8c0c2efea..af0c533797 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/settingstab.md 
@@ -4,14 +4,14 @@ Configuration of all administrative and user settings is performed here. Select the left for specific settings – contact [Netwrix Support](https://www.netwrix.com/support.html) for additional information. -- [Agents and Devices](agentsanddevices.md) – Edit Device attributes such as Group, Type and +- [Agents and Devices](/docs/changetracker/8.1/changetracker/admin/settings/agentsanddevices.md) – Edit Device attributes such as Group, Type and Credentials, or Delete Devices -- [](#)[Device Groups](devicegroups.md) – Administer Device Group names. Click on a Device Group to +- [](#)[Device Groups](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) – Administer Device Group names. Click on a Device Group to edit the assigned Device Tracking template and Compliance Report, and to set the reporting schedule -- [Scheduling, Creating and Editing Intelligent Planned Change Rules](../tabs/plannedchangeadministration.md#scheduling-creating-and-editing-intelligent-planned-change-rules) +- [Scheduling, Creating and Editing Intelligent Planned Change Rules](/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md#scheduling-creating-and-editing-intelligent-planned-change-rules) – Edit the Schedule, Device Group assignment and Rules for Planned Changes -- [Policy Templates](policytemplates/overview.md) – Edit and upload/download configuration policy +- [Policy Templates](/docs/changetracker/8.1/changetracker/admin/settings/policytemplates/overview.md) – Edit and upload/download configuration policy templates - Edit and upload/download compliance report templates 
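Review bot: The rewritten Device Groups bullet in this settingstab.md hunk still begins with an empty link, `[](#)[Device Groups](`, which renders as a zero-text anchor to `#` in front of the real link. Drop the `[](#)` while the line is being changed so the bullet matches the other entries in the list.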
@@ -20,21 +20,21 @@ additional information. - Users: User Administration – Edit User attributes such as username, assigned system privileges, email address and to assign users to Notification Groups for Alerts and Scheduled Reports. -- [Notification Messages Explained](../credentials/notificationmessages.md) – Alert routing +- [Notification Messages Explained](/docs/changetracker/8.1/changetracker/admin/credentials/notificationmessages.md) – Alert routing settings. -- [Agent Updates](agentupdates.md) – Upload new agent versions. -- [Agent Updates](agentupdates.md) – Administer templates and rules for Agent registration and Group +- [Agent Updates](/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md) – Upload new agent versions. +- [Agent Updates](/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md) – Administer templates and rules for Agent registration and Group assignment. -- [Allowed Commands](allowedcommands.md) – Administer list of commands used in trackers/reports. -- [System Settings](systemsettings.md) – Edit settings such as SMTP details and to reset the UI to +- [Allowed Commands](/docs/changetracker/8.1/changetracker/admin/settings/allowedcommands.md) – Administer list of commands used in trackers/reports. +- [System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) – Edit settings such as SMTP details and to reset the UI to Default. -- [System Settings](systemsettings.md) – Schedule system backups, and exports for Support and +- [System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) – Schedule system backups, and exports for Support and Planned Change archiving. -- [System Settings](systemsettings.md) – Displays health of Netwrix Change Tracker system and Event +- [System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) – Displays health of Netwrix Change Tracker system and Event Queue performance. 
-- [System Settings](systemsettings.md) – Upload new license key. +- [System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) – Upload new license key. ![Graphical user interface, website Description automatically -generated](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/page_guide_23.webp) +generated](/img/product_docs/changetracker/changetracker/admin/settings/page_guide_23.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md b/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md index dc23c258ce..baf0ec8894 100644 --- a/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md +++ b/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md @@ -7,9 +7,9 @@ being used. After entering SMTP and/or Syslog Host details, test that emails/messages are being sent OK by using the **Test** button. -![SystemSettings](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/systemsettings.webp) +![SystemSettings](/img/product_docs/changetracker/changetracker/admin/settings/systemsettings.webp) Clicking **Advanced Options** presents other System Settings, including a library of NNT_FILEHASH binaries to use in conjunction with any Agentless FIM. -![SystemSettingsAdvanced](../../../../../../static/img/product_docs/changetracker/changetracker/admin/settings/systemsettingsadvanced.webp) +![SystemSettingsAdvanced](/img/product_docs/changetracker/changetracker/admin/settings/systemsettingsadvanced.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/compliancedetails.md b/docs/changetracker/8.1/changetracker/admin/tabs/compliancedetails.md index cfb2b20c07..6dac5afc01 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/compliancedetails.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/compliancedetails.md 
@@ -2,7 +2,7 @@ Description -![ComplianceDetailsTab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancedetailstab.webp) +![ComplianceDetailsTab](/img/product_docs/changetracker/changetracker/admin/tabs/compliancedetailstab.webp) **Step 1 –** Adjust Score Filters to view other score ranges. @@ -12,8 +12,8 @@ Description ## Compare View -![CompliancePolicyRunChangeDetails](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancepolicyrunchangedetails.webp) +![CompliancePolicyRunChangeDetails](/img/product_docs/changetracker/changetracker/admin/tabs/compliancepolicyrunchangedetails.webp) ## Full Report -![ComplianceFullReport](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancefullreport.webp) +![ComplianceFullReport](/img/product_docs/changetracker/changetracker/admin/tabs/compliancefullreport.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md b/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md index e21c8639b9..4ccbb6baab 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md @@ -6,7 +6,7 @@ hardened build standard – is it being maintained or improved or in decline? Device compliance is displayed in the **Compliance Report** – all devices assigned the report selected will be displayed. -![ComplianceOverviewTab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/complianceoverviewtab.webp) +![ComplianceOverviewTab](/img/product_docs/changetracker/changetracker/admin/tabs/complianceoverviewtab.webp) - Device/Time Filters – Content is controlled by your Device/Group/Time filters. - **Dashboardlets per policy/grouping** – For each group and report, an additional Dashboardlet will 
@@ -14,7 +14,7 @@ selected will be displayed. systems, for example, PCI and NIST 800-53. - **Risk by Group** – A Risk score can be assigned via the **Settings** -> **Groups** page, this provides an added dimension to prioritize focus on groups. See the - [Device Groups](../settings/devicegroups.md) topic for additional information. + [Device Groups](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) topic for additional information. ## Template Management @@ -28,7 +28,7 @@ produced for new or updated platforms. To import a new template or update an existing one, just upload the template: select the **Overwrite** checkbox option if updating. -![ComplianceReportsTemplates](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancereportstemplates.webp) +![ComplianceReportsTemplates](/img/product_docs/changetracker/changetracker/admin/tabs/compliancereportstemplates.webp) ## Reports Layout Templates Administration @@ -38,7 +38,7 @@ added to the system here. The Version and Change Date details for each report ar a new version is available, either after a Gen 7 version upgrade or by manually uploading a new template through the UI, this can be updated, or the current format preserved if necessary. -![ComplianceReportsLayout](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancereportslayout.webp) +![ComplianceReportsLayout](/img/product_docs/changetracker/changetracker/admin/tabs/compliancereportslayout.webp) For report template modifications or new formats, please contact [Netwrix Support](https://www.netwrix.com/support.html). diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/compliancepolicy.md b/docs/changetracker/8.1/changetracker/admin/tabs/compliancepolicy.md index 60a89575bb..17481aa431 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/compliancepolicy.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/compliancepolicy.md 
@@ -3,7 +3,7 @@ Detail on current and previous compliance assessments can be seen here with details of failures where they exist. -![compliancepolicytab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/compliancepolicytab.webp) +![compliancepolicytab](/img/product_docs/changetracker/changetracker/admin/tabs/compliancepolicytab.webp) - **Timeline**– Click to see the detail for previous compliance assessments. - **Group Performance** – An overall comparison for all systems within the group, current and diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/dashboardoverview.md b/docs/changetracker/8.1/changetracker/admin/tabs/dashboardoverview.md index 8091ac13d0..cc356ba61b 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/dashboardoverview.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/dashboardoverview.md @@ -29,10 +29,10 @@ The **Dashboard** shows recent System Events including: The local agent installed on the Netwrix Change Tracker host server will already be running and will have registered with the **Change Tracker Hub**. See the -[Netwrix Change Tracker v8.1 Documentation](../../overview.md) topic for additional information. +[Netwrix Change Tracker v8.1 Documentation](/docs/changetracker/8.1/changetracker/overview.md) topic for additional information. The auto-enrollment, or registration, process is described in more depth in the -[Agent Updates](../settings/agentupdates.md) topic. but depending on server speed the Local Agent +[Agent Updates](/docs/changetracker/8.1/changetracker/admin/settings/agentupdates.md) topic. but depending on server speed the Local Agent may be found in an ‘Awaiting Registration’ state or already registered in the system. If you do not see an Agent at all then please contact diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/devices.md b/docs/changetracker/8.1/changetracker/admin/tabs/devices.md index 2534c5dd8b..0832854354 100644 
--- a/docs/changetracker/8.1/changetracker/admin/tabs/devices.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/devices.md @@ -14,7 +14,7 @@ collated into a single screen. report**’ button. - Device inventory information and group membership. -![DevicesTab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/devicestab.webp) +![DevicesTab](/img/product_docs/changetracker/changetracker/admin/tabs/devicestab.webp) **NOTE:** Go to **Tracking Configuration** tab to see a ‘read-only’ representation of the tracking template assigned, note that this will be a merged version of all Policy Templates inherited by the diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/events.md b/docs/changetracker/8.1/changetracker/admin/tabs/events.md index 570bb93dfc..4fae79eac9 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/events.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/events.md @@ -12,7 +12,7 @@ screen shows ‘All Devices’ and check the ‘**Automatically refresh page** attribute type, change type and keywords. **Step 4 –** The **Query/Report** button can be used to specify events to include in a scheduled -report or re-useable query for users. See the [Reports Tab](reportstab.md) topic for additional +report or re-useable query for users. See the [Reports Tab](/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md) topic for additional information. **Step 5 –** Select **Events** of interest then use **Actions** to either acknowledge or diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/eventsexportreports.md b/docs/changetracker/8.1/changetracker/admin/tabs/eventsexportreports.md index 715932bdae..0268a02dd3 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/eventsexportreports.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/eventsexportreports.md 
@@ -3,13 +3,13 @@ In order to export filtered events, just use the **Report/Export** button and menu presented. Most fields and settings are self-explanatory but those most likely to need explaining are covered below. -![ReportsExportDisplayOptions](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportdisplayoptions.webp) +![ReportsExportDisplayOptions](/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportdisplayoptions.webp) These options provide control over the report display options. Where a condensed and simplified report is needed, these options can be unchecked, but generally the tables and analysis charts are useful for identifying sources of change noise. -![ReportsExportScheduleAndEmail](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportscheduleandemail.webp) +![ReportsExportScheduleAndEmail](/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportscheduleandemail.webp) Set schedule for start and end time for reporting schedule, with frequency for repeating report delivery. @@ -26,7 +26,7 @@ Press the **OK** button at the bottom of the window when done. ## Permission and Storage Settings Offered by the Event/Report Settings -![ReportsExportPermissionsAndStorage](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportpermissionsandstorage.webp) +![ReportsExportPermissionsAndStorage](/img/product_docs/changetracker/changetracker/admin/tabs/reportsexportpermissionsandstorage.webp) Netwrix Change Tracker gives greater control over storage usage. By default, reports generated are retained for a finite period after which they are removed. Typically reports are delivered by email 
@@ -40,4 +40,4 @@ required, reports can be made visible and/or editable by others. Press the **OK** button at the bottom of the window when done! Report settings, schedules and results can all be seen and edited on the **Reports** tab. See the -[Report Options](reportsquerysettingstab.md) topic for additional information. +[Report Options](/docs/changetracker/8.1/changetracker/admin/tabs/reportsquerysettingstab.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/eventsfilters.md b/docs/changetracker/8.1/changetracker/admin/tabs/eventsfilters.md index 5ac354464a..53c500c283 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/eventsfilters.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/eventsfilters.md @@ -3,7 +3,7 @@ The **Filter** panel is extremely powerful for focusing attention on events of interest, even in large and complex estates with thousands of change/report events to manage. -![EventsReportsFiltersGroupsDevices](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/eventsreportsfiltersgroupsdevices.webp) +![EventsReportsFiltersGroupsDevices](/img/product_docs/changetracker/changetracker/admin/tabs/eventsreportsfiltersgroupsdevices.webp) The new Event Filter in has several key improvements: @@ -24,4 +24,4 @@ shown. Filter parameters set will also be shown at the top of the Events page even when the Filter Control panel is hidden. -![page_guide_3](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_3.webp) +![page_guide_3](/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_3.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/eventsschedulingautomaticreports.md b/docs/changetracker/8.1/changetracker/admin/tabs/eventsschedulingautomaticreports.md index bfb7ae8307..9b723a3e5f 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/eventsschedulingautomaticreports.md 
+++ b/docs/changetracker/8.1/changetracker/admin/tabs/eventsschedulingautomaticreports.md @@ -7,17 +7,17 @@ recipient for the notification/results email, but additional recipients can be a Use the on-screen Query/Report dropdown menu to adjust query filters and to export items, either on-demand or as a scheduled, regular report. -![page_guide_5](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_5.webp) +![page_guide_5](/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_5.webp) Query Settings The Query option gives you an on-screen filter control panel like the pop-out Filter Panel. -![page_guide_6](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_6.webp) +![page_guide_6](/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_6.webp) 1. **NOTE:** Note: Press the OK button at the bottom of the window when done! Load Query and Save Query work together – once you have your filters set-up as you want them, you can save these for re-use in the future. -![page_guide_7](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_7.webp) +![page_guide_7](/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_7.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md b/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md index 4adbf225be..370ab36d6e 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md 
@@ -24,8 +24,8 @@ Any Planned Change comprises the following elements: Change Schedule and Rule Set. **NOTE:** Rules can also be created directly from an observed event using the Actions button on the -[Events Tab](events.md), or by recording events directly from a device group. Note that an +[Events Tab](/docs/changetracker/8.1/changetracker/admin/tabs/events.md), or by recording events directly from a device group. Note that an additional Planned Change Schedule filter is available in the **Filter Control** panel. Planned Change Schedules can be re-used – use the Clone button to create a copy. -![PlannedChangesRules](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/plannedchangesrules.webp) +![PlannedChangesRules](/img/product_docs/changetracker/changetracker/admin/tabs/plannedchangesrules.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md b/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md index 7fdfbfc84e..21f6e3cbce 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md @@ -27,7 +27,7 @@ updates, any unplanned changes - which may be breach activity - are exposed and Click alongside any Planned Change Schedule Name to display a graphical view of changes and a full list of devices with changes below. -![PlannedChangesTab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/plannedchangestab.webp) +![PlannedChangesTab](/img/product_docs/changetracker/changetracker/admin/tabs/plannedchangestab.webp) For more detail on Planned Change Schedule and Rule setup, see the -[Planned Changes Administration](plannedchangeadministration.md) topic for additional information. +[Planned Changes Administration](/docs/changetracker/8.1/changetracker/admin/tabs/plannedchangeadministration.md) topic for additional information. 
diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/quickexport.md b/docs/changetracker/8.1/changetracker/admin/tabs/quickexport.md index d75f548754..d5dd23c0b2 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/quickexport.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/quickexport.md @@ -6,4 +6,4 @@ To export the events displayed, use the Export button – choices of PDF, Excel the screen nor selected using the checkboxes against events. To export a subset of displayed events, apply further filter controls then export. -![page_guide_4](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_4.webp) +![page_guide_4](/img/product_docs/changetracker/changetracker/admin/tabs/page_guide_4.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/reportsquerysettingstab.md b/docs/changetracker/8.1/changetracker/admin/tabs/reportsquerysettingstab.md index a545bdc0de..39a07462a3 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/reportsquerysettingstab.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/reportsquerysettingstab.md 
@@ -7,16 +7,16 @@ For any of the built-in reports, the **Query Settings** are available for: - Planned Changes Report - Configuration Templates Report -See the [Export Reports](eventsexportreports.md) topic for additional information. +See the [Export Reports](/docs/changetracker/8.1/changetracker/admin/tabs/eventsexportreports.md) topic for additional information. **NOTE:** The **Configuration Template** report has a context-sensitive option for Query Settings, allowing selection of all Policy Templates to include in the report. Often an auditor will request details of configuration attributes being tracked and this report provides a convenient way to extract these on a scheduled basis. -![ReportTemplateQuerySettings](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reporttemplatequerysettings.webp) +![ReportTemplateQuerySettings](/img/product_docs/changetracker/changetracker/admin/tabs/reporttemplatequerysettings.webp) **NOTE:** The **Table of Contents** treatment for the output. Links to sections are only supported in the exported PDF, not the Web Browser-rendered report. -![ReportTemplateTOC](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reporttemplatetoc.webp) +![ReportTemplateTOC](/img/product_docs/changetracker/changetracker/admin/tabs/reporttemplatetoc.webp) diff --git a/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md b/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md index de936db109..0bd30384a2 100644 --- a/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md +++ b/docs/changetracker/8.1/changetracker/admin/tabs/reportstab.md 
@@ -20,9 +20,9 @@ New reports can be added using the dropdown selector and **+Add** button in the corner of the page, or by using the Query/Report button found on the **Events** and **Planned Change** tabs. -![QueryReportButton](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/queryreportbutton.webp) +![QueryReportButton](/img/product_docs/changetracker/changetracker/admin/tabs/queryreportbutton.webp) -![ReportsAndQuesriesTab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reportsandquesriestab.webp) +![ReportsAndQuesriesTab](/img/product_docs/changetracker/changetracker/admin/tabs/reportsandquesriestab.webp) **NOTE:** Report formatting is controlled by the built-in Compliance reports templates. See the topic for additional information. You will see that any report has a ‘Results available until xx yy @@ -30,11 +30,11 @@ zz – this retention period is in place to ensure that reports are not stored f storage resource unnecessarily. Most reports will be emailed at the time of production and either consumed or stored externally, removing the need to store reports long term at the Change Tracker Hub. Don’t worry, the events are retained as long as needed, governed by the separate -DaysToKeepEventsFor system setting. See the [System Settings](../settings/systemsettings.md) topic +DaysToKeepEventsFor system setting. See the [System Settings](/docs/changetracker/8.1/changetracker/admin/settings/systemsettings.md) topic for additional information. Reports can be regenerated at any time if needed at a subsequent future date. -![ReportsReportViewerDialog](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/reportsreportviewerdialog.webp) +![ReportsReportViewerDialog](/img/product_docs/changetracker/changetracker/admin/tabs/reportsreportviewerdialog.webp) ## Executive Summary Report 
@@ -72,4 +72,4 @@ The **Report** view shows all rules and results. Report results can also export Excel, or CSV format. The **Template** selector alongside the **Export** button provides options for either summarized pass/fail format or full results details format. -See the [Overview Tab](complianceoverviewtab.md) topic for additional information. +See the [Overview Tab](/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/admin/wizards/compliance.md b/docs/changetracker/8.1/changetracker/admin/wizards/compliance.md index 274e05b75d..94761230d9 100644 --- a/docs/changetracker/8.1/changetracker/admin/wizards/compliance.md +++ b/docs/changetracker/8.1/changetracker/admin/wizards/compliance.md @@ -3,7 +3,7 @@ The **Compliance** tab provides an overview of compliance scores for all devices within any selected group. -![complianceoverviewtab](../../../../../../static/img/product_docs/changetracker/changetracker/admin/tabs/complianceoverviewtab.webp) +![complianceoverviewtab](/img/product_docs/changetracker/changetracker/admin/tabs/complianceoverviewtab.webp) The screen shows the previous 7 compliance report results to track any drift against your selected hardened build standard and whether scores are improving or worsening. @@ -19,9 +19,9 @@ detailed results. Review the following for additional information: -- [Overview Tab](../tabs/complianceoverviewtab.md) -- [Policy Tab](../tabs/compliancepolicy.md) -- [Details Tab ](../tabs/compliancedetails.md) +- [Overview Tab](/docs/changetracker/8.1/changetracker/admin/tabs/complianceoverviewtab.md) +- [Policy Tab](/docs/changetracker/8.1/changetracker/admin/tabs/compliancepolicy.md) +- [Details Tab ](/docs/changetracker/8.1/changetracker/admin/tabs/compliancedetails.md) ## Comparing Results 
diff --git a/docs/changetracker/8.1/changetracker/admin/wizards/plannedchange.md b/docs/changetracker/8.1/changetracker/admin/wizards/plannedchange.md index 674bd97763..ec4338dda9 100644 --- a/docs/changetracker/8.1/changetracker/admin/wizards/plannedchange.md +++ b/docs/changetracker/8.1/changetracker/admin/wizards/plannedchange.md @@ -14,10 +14,10 @@ can be created manually in Step 3 or again selected from the list of available r In Step 4, the **Edit Schedule** button allows Groups and/or Devices to be added to the schedule. -![PlannedChangeRulesExample](../../../../../../static/img/product_docs/changetracker/changetracker/admin/wizards/plannedchangerulesexample.webp) +![PlannedChangeRulesExample](/img/product_docs/changetracker/changetracker/admin/wizards/plannedchangerulesexample.webp) **NOTE:** If you want to let Netwrix Change Tracker self-learn rules by recording change activity during the schedule, check the **In Event Recording Mode** box. -![PlannedChangeEventRecordingMode](../../../../../../static/img/product_docs/changetracker/changetracker/admin/wizards/plannedchangeeventrecordingmode.webp) -![page_guide_35](../../../../../../static/img/product_docs/changetracker/changetracker/admin/wizards/page_guide_35.webp) +![PlannedChangeEventRecordingMode](/img/product_docs/changetracker/changetracker/admin/wizards/plannedchangeeventrecordingmode.webp) +![page_guide_35](/img/product_docs/changetracker/changetracker/admin/wizards/page_guide_35.webp) diff --git a/docs/changetracker/8.1/changetracker/baseline/baselintab.md b/docs/changetracker/8.1/changetracker/baseline/baselintab.md index 58dcd175fb..72b03c1808 100644 --- a/docs/changetracker/8.1/changetracker/baseline/baselintab.md +++ b/docs/changetracker/8.1/changetracker/baseline/baselintab.md 
@@ -1,6 +1,6 @@ # Baseline Tab -![baselinetab](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinetab.webp) +![baselinetab](/img/product_docs/changetracker/changetracker/baseline/baselinetab.webp) Actions button: @@ -8,7 +8,7 @@ To create a new Baseline Policy, use the Actions button in the top-right hand co Baselines Tab. This will prompt for a name to be assigned to the new Baseline Policy and the Baseline Wizard process will kick in. -![baselineactionsbutton](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineactionsbutton.webp) +![baselineactionsbutton](/img/product_docs/changetracker/changetracker/baseline/baselineactionsbutton.webp) Baseline Wizard Progress Bar: diff --git a/docs/changetracker/8.1/changetracker/baseline/detailtab.md b/docs/changetracker/8.1/changetracker/baseline/detailtab.md index 69118017e5..73e228c714 100644 --- a/docs/changetracker/8.1/changetracker/baseline/detailtab.md +++ b/docs/changetracker/8.1/changetracker/baseline/detailtab.md @@ -4,4 +4,4 @@ This provides the detail behind individual report runs and specifically shows th decile or percentile selected. See the Reports topic for the additional information about passes and failures. -![baselinedetailstab](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinedetailstab.webp) +![baselinedetailstab](/img/product_docs/changetracker/changetracker/baseline/baselinedetailstab.webp) diff --git a/docs/changetracker/8.1/changetracker/baseline/managetab.md b/docs/changetracker/8.1/changetracker/baseline/managetab.md index 6477aa906d..2f45c654f7 100644 --- a/docs/changetracker/8.1/changetracker/baseline/managetab.md +++ b/docs/changetracker/8.1/changetracker/baseline/managetab.md 
@@ -30,7 +30,7 @@ These failures would be remediated by installing or updating the software on the devices. However, there was also a third failure – Google Chrome has been reported on the same two devices at a later version than required. -![baselinefailureanalysis](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinefailureanalysis.webp) +![baselinefailureanalysis](/img/product_docs/changetracker/changetracker/baseline/baselinefailureanalysis.webp) There are two paths to take from this: The two devices showing failures should be downgraded to match the required version, alternatively, it may be preferable to update the Baseline Configuration @@ -45,14 +45,14 @@ The Manage tab will show any exceptions identified from the last report run. **Note:** The Date and Time filters will be fixed and set according to the time window for the last Baseline Report run. -![baselinemanagetab](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinemanagetab.webp) +![baselinemanagetab](/img/product_docs/changetracker/changetracker/baseline/baselinemanagetab.webp) Baseline Exceptions Exceptions include any failures according the Baseline Policy used in the report, together with any new changes affecting the Baseline Policy referenced from the Source device (or if you have chosen to include changes from Member Devices too, these will also appear here – -[see earlier section](policywizard.md) regarding the Baseline Setup Wizard and the step where you +[see earlier section](/docs/changetracker/8.1/changetracker/baseline/policywizard.md) regarding the Baseline Setup Wizard and the step where you are asked to 'Specify Source'. In this example we are using the default operation of only including changes originating from the 
@@ -63,11 +63,11 @@ need to be promoted to the Baseline Policy. Rule Operations: There are three choices for modifying a Baseline Policy, Extend, Add and Delete. You can also use -the [Rule Edit function](policywizard.md) back in the Setup tab if you want to remove an existing +the [Rule Edit function](/docs/changetracker/8.1/changetracker/baseline/policywizard.md) back in the Setup tab if you want to remove an existing rule entirely. The functions are largely self-explanatory, but tips are provided if you hover over each button. -![baselineruleoperations](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineruleoperations.webp) +![baselineruleoperations](/img/product_docs/changetracker/changetracker/baseline/baselineruleoperations.webp) - Extend – Extend the existing baseline rules for this exception, in other words, promote this item as a 'valid' configuration @@ -81,7 +81,7 @@ each button. Once you have decided how you would like to handle the exceptions, you need to apply any changes required using the Apply Changes Now button. -![baselineapplychangesnow](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineapplychangesnow.webp) +![baselineapplychangesnow](/img/product_docs/changetracker/changetracker/baseline/baselineapplychangesnow.webp) You will be prompted to enter the Business Justification for the changes as when creating the Baseline Policy originally. 
@@ -92,10 +92,10 @@ To get a ‘hard copy of the Baseline Policy, you can create a Tracking Policy r Baseline Policy. Go to the Reports Center and use the **Actions button**, then select **Add Tracking Template Report**. -![baselinereportsandqueries](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinereportsandqueries.webp) +![baselinereportsandqueries](/img/product_docs/changetracker/changetracker/baseline/baselinereportsandqueries.webp) An Auditor will often ask to see what the Baseline Policy comprises, when and why changes have been made and by whom. This report provides a complete audit trail of changes as well as the breakdown of rules included in the policy. -![baselinetest](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinetest.webp) +![baselinetest](/img/product_docs/changetracker/changetracker/baseline/baselinetest.webp) diff --git a/docs/changetracker/8.1/changetracker/baseline/overview.md b/docs/changetracker/8.1/changetracker/baseline/overview.md index 1a2995cc37..48aa6f3482 100644 --- a/docs/changetracker/8.1/changetracker/baseline/overview.md +++ b/docs/changetracker/8.1/changetracker/baseline/overview.md @@ -25,4 +25,4 @@ Standard blueprint. A simple Wizard UI walks you through the process so anyone can be building their own personalized baseline configuration and comparing other devices within a few minutes. -![baselineoverview](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineoverview.webp) +![baselineoverview](/img/product_docs/changetracker/changetracker/baseline/baselineoverview.webp) diff --git a/docs/changetracker/8.1/changetracker/baseline/overviewtab.md b/docs/changetracker/8.1/changetracker/baseline/overviewtab.md index fdfdffb697..7462a04944 100644 --- a/docs/changetracker/8.1/changetracker/baseline/overviewtab.md +++ b/docs/changetracker/8.1/changetracker/baseline/overviewtab.md 
@@ -4,7 +4,7 @@ Once you have built your Baseline Policy and set-up the Baseline Report to run o then switch to the other Baseline Center tabs for general routine operation. You are ready to enforce compliance with your Baseline Configuration Standard! -![baselineoverviewtab](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineoverviewtab.webp) +![baselineoverviewtab](/img/product_docs/changetracker/changetracker/baseline/baselineoverviewtab.webp) The Timeline: diff --git a/docs/changetracker/8.1/changetracker/baseline/policyruleoptions.md b/docs/changetracker/8.1/changetracker/baseline/policyruleoptions.md index f997aefa4f..8301107a81 100644 --- a/docs/changetracker/8.1/changetracker/baseline/policyruleoptions.md +++ b/docs/changetracker/8.1/changetracker/baseline/policyruleoptions.md @@ -1,6 +1,6 @@ # Baseline Policy Rule Options: Rule Creation Options -![baselineeditrulecreationoptions](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineeditrulecreationoptions.webp) +![baselineeditrulecreationoptions](/img/product_docs/changetracker/changetracker/baseline/baselineeditrulecreationoptions.webp) - **Extend Selected Rules** — Indicates whether to extend the rule to check for the old and new values, or replace the rule with one checking for the new value only 
@@ -30,14 +30,14 @@ each, but organizations then must be prepared to manage multiple baselines." ## Baseline Policy Rule Options: Review and Edit Rules -![baselinereviewandeditrules](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinereviewandeditrules.webp) +![baselinereviewandeditrules](/img/product_docs/changetracker/changetracker/baseline/baselinereviewandeditrules.webp) Edit Rules provides a means to edit or remove rules before incorporating into your baseline policy, or for managing an existing Policy. It is important to understand that during the Setup phase you are selecting items with rule logic in order to build a Netwrix policy, in effect, another Compliance Report like the hundreds of other reports Netwrix provide for CIS, NIST. PCI etc. -![baselineeditrules](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselineeditrules.webp) +![baselineeditrules](/img/product_docs/changetracker/changetracker/baseline/baselineeditrules.webp) The Edit Rules function provides an opportunity to add a description and justification for the attribute and its inclusion in the policy. @@ -52,7 +52,7 @@ Complete: Baseline Policy creation is now complete, and you can run your first Baseline Policy report using the Run Report button -![baselinerunreport](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinerunreport.webp) +![baselinerunreport](/img/product_docs/changetracker/changetracker/baseline/baselinerunreport.webp) Running the report will take you to the regular Reports tab, filtered to your new Baseline Policy. You can see more about scheduling and controlling reports in the main Reports section. 
@@ -60,4 +60,4 @@ You can see more about scheduling and controlling reports in the main Reports se You can now either add more devices to the Baseline Members Group or just assign the Baseline Policy to an existing group of devices, then choose your schedule and results delivery options. -![baselinereportsandqueryschedules](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinereportsandqueryschedules.webp) +![baselinereportsandqueryschedules](/img/product_docs/changetracker/changetracker/baseline/baselinereportsandqueryschedules.webp) diff --git a/docs/changetracker/8.1/changetracker/baseline/policywizard.md b/docs/changetracker/8.1/changetracker/baseline/policywizard.md index 3ab6d1ec87..adec58ffa9 100644 --- a/docs/changetracker/8.1/changetracker/baseline/policywizard.md +++ b/docs/changetracker/8.1/changetracker/baseline/policywizard.md @@ -6,7 +6,7 @@ Start a new Baseline Policy Wizard and provide a name for your new Policy. Data Collection: -![baselinedatacollection](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinedatacollection.webp) +![baselinedatacollection](/img/product_docs/changetracker/changetracker/baseline/baselinedatacollection.webp) Define the Data Collection template to be used for gathering baseline configuration data. This can be a new template, or an existing template can be re-used. The following configuration elements to 
@@ -27,7 +27,7 @@ Settings > Agent and Device screen, select the required Device click **Edit**. T reasons why this is disabled by default; in the interests of storage and performance efficiency, it is not desirable to have every Device sending Baseline Events to the Hub unless needed. -![baselinesource](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinesource.webp) +![baselinesource](/img/product_docs/changetracker/changetracker/baseline/baselinesource.webp) Another important decision is whether you want to include changes from Member Devices when you come to make future changes to your Baseline Policy. By default, the Source device is the single source @@ -36,7 +36,7 @@ changes needed to the Baseline, for example, after patching when versions of sof to be updated. In certain situations, it may be convenient to also include changes to Member Group devices too, in which case you can check this box. -![baselinespecifymembers](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinespecifymembers.webp) +![baselinespecifymembers](/img/product_docs/changetracker/changetracker/baseline/baselinespecifymembers.webp) Specify Member: @@ -56,7 +56,7 @@ Gathering the Baseline configuration data will take anything from 90 seconds to depending on the nature or resources of the Source Device and the scope of the Data Collection template defined. Be patient, but you can check progress using the **Check Now** button. -![baselinechecknow](../../../../../static/img/product_docs/changetracker/changetracker/baseline/baselinechecknow.webp) +![baselinechecknow](/img/product_docs/changetracker/changetracker/baseline/baselinechecknow.webp) Add Rules: diff --git a/docs/changetracker/8.1/changetracker/baseline/securitychangecontrol.md b/docs/changetracker/8.1/changetracker/baseline/securitychangecontrol.md index 4c8ee3f4c2..2cfbb00a49 100644 --- a/docs/changetracker/8.1/changetracker/baseline/securitychangecontrol.md 
+++ b/docs/changetracker/8.1/changetracker/baseline/securitychangecontrol.md @@ -9,7 +9,7 @@ security. Without a consistent build how else can you expect security to be maxi The NERC CIP 010 process is shown in the diagram below and the Netwrix Baseline Configuration management process allows you to follow this cycle: -![nerc_cip_010_lifecycle](../../../../../static/img/product_docs/changetracker/changetracker/baseline/nerc_cip_010_lifecycle.webp) +![nerc_cip_010_lifecycle](/img/product_docs/changetracker/changetracker/baseline/nerc_cip_010_lifecycle.webp) Every configuration item that is included within the Baseline Policy must be essential and justified, since every decision regarding configuration will potentially increase your attack diff --git a/docs/changetracker/8.1/changetracker/cloud/cloudtrackerreports.md b/docs/changetracker/8.1/changetracker/cloud/cloudtrackerreports.md index 6b9d407e44..ce5d6c5fcd 100644 --- a/docs/changetracker/8.1/changetracker/cloud/cloudtrackerreports.md +++ b/docs/changetracker/8.1/changetracker/cloud/cloudtrackerreports.md @@ -5,4 +5,4 @@ detail in the Change Tracker Admin Guide. An example of the Cloud Tracker Certified CIS Compliance Report: -![cloudtrackerreports](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudtrackerreports.webp) +![cloudtrackerreports](/img/product_docs/changetracker/changetracker/cloud/cloudtrackerreports.webp) diff --git a/docs/changetracker/8.1/changetracker/cloud/detailtab.md b/docs/changetracker/8.1/changetracker/cloud/detailtab.md index 83c9e936f0..89c528ad15 100644 --- a/docs/changetracker/8.1/changetracker/cloud/detailtab.md +++ b/docs/changetracker/8.1/changetracker/cloud/detailtab.md @@ -1,6 +1,6 @@ # Detail Tab -![clouddetailtab](../../../../../static/img/product_docs/changetracker/changetracker/cloud/clouddetailtab.webp) +![clouddetailtab](/img/product_docs/changetracker/changetracker/cloud/clouddetailtab.webp) Compliance Score Report: 
diff --git a/docs/changetracker/8.1/changetracker/cloud/overview.md b/docs/changetracker/8.1/changetracker/cloud/overview.md index 31ffa0f5a4..46f0c82ffe 100644 --- a/docs/changetracker/8.1/changetracker/cloud/overview.md +++ b/docs/changetracker/8.1/changetracker/cloud/overview.md @@ -14,7 +14,7 @@ secure. Despite all this, it is encouraging that the security controls mandated by NIST, PCI and the CIS among others are still fit for purpose. -![cloudtrackeroverview](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudtrackeroverview.webp) +![cloudtrackeroverview](/img/product_docs/changetracker/changetracker/cloud/cloudtrackeroverview.webp) But operating them to keep pace let alone get out in front of IT operations is where automation and technology can play a part. The most critical of all in terms of giving most bang for buck is NNT's diff --git a/docs/changetracker/8.1/changetracker/cloud/overviewtab.md b/docs/changetracker/8.1/changetracker/cloud/overviewtab.md index a0986c01e0..6ceaa451a5 100644 --- a/docs/changetracker/8.1/changetracker/cloud/overviewtab.md +++ b/docs/changetracker/8.1/changetracker/cloud/overviewtab.md @@ -1,6 +1,6 @@ # Cloud Overview Tab -![cloudoverviewtab](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudoverviewtab.webp) +![cloudoverviewtab](/img/product_docs/changetracker/changetracker/cloud/cloudoverviewtab.webp) Actions Button: diff --git a/docs/changetracker/8.1/changetracker/cloud/policytab.md b/docs/changetracker/8.1/changetracker/cloud/policytab.md index e806b8955a..7227b4eb40 100644 --- a/docs/changetracker/8.1/changetracker/cloud/policytab.md +++ b/docs/changetracker/8.1/changetracker/cloud/policytab.md @@ -1,6 +1,6 @@ # Cloud Policy Tab -![cloudpolicytab](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudpolicytab.webp) +![cloudpolicytab](/img/product_docs/changetracker/changetracker/cloud/cloudpolicytab.webp) ## Cloud Tab: Key Points 
diff --git a/docs/changetracker/8.1/changetracker/cloud/setupwizard.md b/docs/changetracker/8.1/changetracker/cloud/setupwizard.md index 6abc41db6f..afa182434d 100644 --- a/docs/changetracker/8.1/changetracker/cloud/setupwizard.md +++ b/docs/changetracker/8.1/changetracker/cloud/setupwizard.md @@ -5,7 +5,7 @@ **Step 2 –** Cloud Report Template: Templates presented here will be filtered to show all Cloud reports available in your system. -![cloudsystemsetup](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudsystemsetup.webp) +![cloudsystemsetup](/img/product_docs/changetracker/changetracker/cloud/cloudsystemsetup.webp) **Step 3 –** Create a new Cloud System and Credentials: The Cloud Set-Up Wizard is context-sensitive so depending on which Cloud Platform you select will determine the Credentials dialogue you will be @@ -16,7 +16,7 @@ Google Cloud Platform Credentials example: ![Graphical user interface, text, application, email Description automatically -generated](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudgoogleplatformcredentials.webp) +generated](/img/product_docs/changetracker/changetracker/cloud/cloudgoogleplatformcredentials.webp) **NOTE:** Just click the Query icon to get a quick tip on what the Credential field requires. 
@@ -38,14 +38,14 @@ them and verify they have been entered correctly. Cloud security is higher and more complex than standard access credentials for regular servers and hypervisors so please ask for help if needed! -![cloudcompletedsetup](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudcompletedsetup.webp) +![cloudcompletedsetup](/img/product_docs/changetracker/changetracker/cloud/cloudcompletedsetup.webp) At this point you are ready to run your first Cloud Compliance Report – just hit the Run Report button! AWS Platform Credentials Example: -![cloudaws-credentials](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudaws-credentials.webp) +![cloudaws-credentials](/img/product_docs/changetracker/changetracker/cloud/cloudaws-credentials.webp) - Credential Name – Enter a name to uniquely identify these credentials Cloud - Platform – Select from the drop-down options presented @@ -88,7 +88,7 @@ Azure Platform Credentials Example: ![Graphical user interface, text, application Description automatically -generated](../../../../../static/img/product_docs/changetracker/changetracker/cloud/cloudazure-credentials.webp) +generated](/img/product_docs/changetracker/changetracker/cloud/cloudazure-credentials.webp) - Credential Name – Enter a name to uniquely identify these credentials - Cloud Platform – Select from the drop-down options presented diff --git a/docs/changetracker/8.1/changetracker/install/agent/aix.md b/docs/changetracker/8.1/changetracker/install/agent/aix.md index a2c8a645c9..49d0b292d3 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/aix.md +++ b/docs/changetracker/8.1/changetracker/install/agent/aix.md 
@@ -79,4 +79,4 @@ As with all other agents, the installation process can be scripted. # bash /opt/nnt/expressagent/configure-expressagent.sh https://IPADDRESS-SERVERNAME:PORT/api/ agent passWord121 /var/nnt/expressagent ``` -Run the Agent UI. See the[ Agent First Run](firstrun.md) topic for additional information. +Run the Agent UI. See the[ Agent First Run](/docs/changetracker/8.1/changetracker/install/agent/firstrun.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md b/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md index 74e123379f..605e2c1cf8 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md +++ b/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md @@ -44,5 +44,5 @@ ProxyUser, ProxyPassword. **NOTE:** These parameters are not case sensitive. For more information on the **HubDetails.xml** nodes and settings see the -[First Run – HubDetails.xml File](../../admin/settings/devicegroups.md) topic for additional +[First Run – HubDetails.xml File](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/install/agent/firstrun.md b/docs/changetracker/8.1/changetracker/install/agent/firstrun.md index a13361e5a3..f072561faf 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/firstrun.md +++ b/docs/changetracker/8.1/changetracker/install/agent/firstrun.md @@ -4,4 +4,4 @@ A local UI for the **Gen 7 Agent** provides visibility of operation for troubles is available from the hosting platform e.g. **http://localhost:8096** and requires credentials of username 'admin' and password 'password'. -![AgentFirstRun](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/agentfirstrun.webp) +![AgentFirstRun](/img/product_docs/changetracker/changetracker/install/agent/agentfirstrun.webp) 
diff --git a/docs/changetracker/8.1/changetracker/install/agent/hubdetailsfile.md b/docs/changetracker/8.1/changetracker/install/agent/hubdetailsfile.md index 1eb50b544c..ec87b8f938 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/hubdetailsfile.md +++ b/docs/changetracker/8.1/changetracker/install/agent/hubdetailsfile.md @@ -8,7 +8,7 @@ hence it requiring your intervention to make sure settings are as needed. The key tags within the file are as follows: -![AgentHubDetailsFile](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/agenthubdetailsfile.webp) +![AgentHubDetailsFile](/img/product_docs/changetracker/changetracker/install/agent/agenthubdetailsfile.webp) _Remember,_ an unencrypted password means the Agent didn’t initialize and suggests a bad installation or .NET Framework issue – remember the Agent on Windows requires .NET Framework V3.5, @@ -16,7 +16,7 @@ Linux/Solaris requires the latest NNT Mono runtime. Gen 7 Agent also supports ad NamePrefix, NameSuffix. \*The Thumbprint uniquely identifies the Web Server certificate, see the Microsoft -[How to: Retrieve the Thumbprint of a Certificate]() +[How to: Retrieve the Thumbprint of a Certificate](https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx) article for more information. **Step 1 –** Open **IIS**. diff --git a/docs/changetracker/8.1/changetracker/install/agent/linuxos.md b/docs/changetracker/8.1/changetracker/install/agent/linuxos.md index d34887bf68..3ca9f2c5e9 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/linuxos.md +++ b/docs/changetracker/8.1/changetracker/install/agent/linuxos.md @@ -96,4 +96,4 @@ You’ll then want to remove the Gen 7 Agent files which will be found at: # rm -fr /opt/nnt -Run the Agent UI. See the [ Agent First Run](firstrun.md) topic for additional information. +Run the Agent UI. See the [ Agent First Run](/docs/changetracker/8.1/changetracker/install/agent/firstrun.md) topic for additional information. 
diff --git a/docs/changetracker/8.1/changetracker/install/agent/overview.md b/docs/changetracker/8.1/changetracker/install/agent/overview.md index bd0be48377..969f865641 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/overview.md +++ b/docs/changetracker/8.1/changetracker/install/agent/overview.md @@ -2,12 +2,12 @@ Review the following for additional information: -- [Installing Gen 7 Agent for Windows](windows.md) -- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](commandlinescript.md) -- [Installing Gen 7 Agent for Linux](linuxos.md) -- [Installing Express Agent for Solaris (SPARC and Intel) ](solaris.md) -- [Installing Express Agent for AIX](aix.md) -- [ Agent First Run](firstrun.md) -- [Express Agent Troubleshooting](troubleshooting.md) -- [HubDetails.xml File](hubdetailsfile.md) -- [Rolling Log File](rollinglogfile.md) +- [Installing Gen 7 Agent for Windows](/docs/changetracker/8.1/changetracker/install/agent/windows.md) +- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md) +- [Installing Gen 7 Agent for Linux](/docs/changetracker/8.1/changetracker/install/agent/linuxos.md) +- [Installing Express Agent for Solaris (SPARC and Intel) ](/docs/changetracker/8.1/changetracker/install/agent/solaris.md) +- [Installing Express Agent for AIX](/docs/changetracker/8.1/changetracker/install/agent/aix.md) +- [ Agent First Run](/docs/changetracker/8.1/changetracker/install/agent/firstrun.md) +- [Express Agent Troubleshooting](/docs/changetracker/8.1/changetracker/install/agent/troubleshooting.md) +- [HubDetails.xml File](/docs/changetracker/8.1/changetracker/install/agent/hubdetailsfile.md) +- [Rolling Log File](/docs/changetracker/8.1/changetracker/install/agent/rollinglogfile.md) diff --git a/docs/changetracker/8.1/changetracker/install/agent/solaris.md b/docs/changetracker/8.1/changetracker/install/agent/solaris.md index 80f758896b..e3b1cde852 100644 
--- a/docs/changetracker/8.1/changetracker/install/agent/solaris.md +++ b/docs/changetracker/8.1/changetracker/install/agent/solaris.md @@ -58,4 +58,4 @@ As with all other agents, the installation process can be scripted. /opt/nnt/expressagent/configure-expressagent.sh `https://IPADDRESS-SERVERNAME:PORT/api/` agent passWord121 /var/nnt/expressagent ``` -Run the Agent UI. See the [ Agent First Run](firstrun.md) topic for additional information. +Run the Agent UI. See the [ Agent First Run](/docs/changetracker/8.1/changetracker/install/agent/firstrun.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/install/agent/upgrade.md b/docs/changetracker/8.1/changetracker/install/agent/upgrade.md index 61c2c9f865..59c45c0963 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/upgrade.md +++ b/docs/changetracker/8.1/changetracker/install/agent/upgrade.md 
@@ -25,16 +25,16 @@ already do this in step 1). - **For Windows** – Either use the MS Services Console Run > services.msc or use Command Line as Administrator: `sc stop NNTAgentService` -![UpgradeAgentWindowsCommandPrompt](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/upgradeagentwindowscommandprompt.webp) +![UpgradeAgentWindowsCommandPrompt](/img/product_docs/changetracker/changetracker/install/agent/upgradeagentwindowscommandprompt.webp) - **For Linux** – Use: `service nntagent stop` **Step 5 –** Install Gen 7 Agent. Review the following for additional information: -- **Windows** – See the [Gen 7 Agent for Windows](../../requirements/gen7agentwindows.md) topic for +- **Windows** – See the [Gen 7 Agent for Windows](/docs/changetracker/8.1/changetracker/requirements/gen7agentwindows.md) topic for additional information. -- **Linux** – See the [Installing Gen 7 Agent for Linux](linuxos.md) topic for additional +- **Linux** – See the [Installing Gen 7 Agent for Linux](/docs/changetracker/8.1/changetracker/install/agent/linuxos.md) topic for additional information. **Step 6 –** Uninstall old Agent App. diff --git a/docs/changetracker/8.1/changetracker/install/agent/windows.md b/docs/changetracker/8.1/changetracker/install/agent/windows.md index a14f794d23..dc6dbb53fe 100644 --- a/docs/changetracker/8.1/changetracker/install/agent/windows.md +++ b/docs/changetracker/8.1/changetracker/install/agent/windows.md 
@@ -5,26 +5,26 @@ The **Hub API** page must be entered together with **Access Credentials**. By default the Agent username is ‘agent’ with password ‘passWord121’ but these can be changed. See the Users: User Administration topic for additional information. -![InstallAgent](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/installagent.webp) +![InstallAgent](/img/product_docs/threatprevention/threatprevention/install/installagent.webp) By default the Agent will register using the Name of the server but there is an opportunity to customize this during installation or post-installation via an edit of the Hub Details file. See the -[First Run – HubDetails.xml File](../../admin/settings/devicegroups.md) topic for additional +[First Run – HubDetails.xml File](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) topic for additional information. **_RECOMMENDED:_** During installation, this can also be performed on the **Advanced Configuration** step of the installation, and there is also an option to test agent connectivity. -![InstallAgentAdvancedConfiguration](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/installagentadvancedconfiguration.webp) +![InstallAgentAdvancedConfiguration](/img/product_docs/changetracker/changetracker/install/agent/installagentadvancedconfiguration.webp) -![InstallAgentTestConnectivity](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/installagenttestconnectivity.webp) +![InstallAgentTestConnectivity](/img/product_docs/changetracker/changetracker/install/agent/installagenttestconnectivity.webp) **NOTE:** In order to maximize performance, Gen 7 Agent operational files are located in _%PROGRAMDATA%\NNT\gen7agent.service_, similarly if you are ever required to provide the **rolling-log.txt** file to [Netwrix Support](https://www.netwrix.com/support.html) this is where it -is located. 
See the [First Run – HubDetails.xml File](../../admin/settings/devicegroups.md) topic +is located. See the [First Run – HubDetails.xml File](/docs/changetracker/8.1/changetracker/admin/settings/devicegroups.md) topic for additional information on downloading the .xml file for agents. -![InstallAgentOperationFiles](../../../../../../static/img/product_docs/changetracker/changetracker/install/agent/installagentoperationfiles.webp) +![InstallAgentOperationFiles](/img/product_docs/changetracker/changetracker/install/agent/installagentoperationfiles.webp) -Run the Agent UI. See the [ Agent First Run](firstrun.md) topic for additional information. +Run the Agent UI. See the [ Agent First Run](/docs/changetracker/8.1/changetracker/install/agent/firstrun.md) topic for additional information. diff --git a/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathoverview.md b/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathoverview.md index d13602ca53..f9ded2fa63 100644 --- a/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathoverview.md +++ b/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathoverview.md @@ -2,5 +2,5 @@ Review the following for additional information: -- [Linux](databasecustompathlinux.md) -- [Windows](databasecustompathwindows.md) +- [Linux](/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathlinux.md) +- [Windows](/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathwindows.md) diff --git a/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathwindows.md b/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathwindows.md index 2dd72bf2c7..4525347680 100644 --- a/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathwindows.md +++ b/docs/changetracker/8.1/changetracker/install/deployment/databasecustompathwindows.md 
@@ -13,6 +13,6 @@ Suite\Gen7\MongoDB\conf **Step 4 –** Edit the parameters for `dbpath `to change the location for DB files. If you prefer to invoke ‘**smallfiles**’ operation then add the config line as below. -![CustomDatabasePathWindows](../../../../../../static/img/product_docs/changetracker/changetracker/install/deployment/customdatabasepathwindows.webp) +![CustomDatabasePathWindows](/img/product_docs/changetracker/changetracker/install/deployment/customdatabasepathwindows.webp) 5. Then start the **Mongod** service, followed by an `iisreset /start`. diff --git a/docs/changetracker/8.1/changetracker/install/hub.md b/docs/changetracker/8.1/changetracker/install/hub.md index a5f660c41e..897d6abab1 100644 --- a/docs/changetracker/8.1/changetracker/install/hub.md +++ b/docs/changetracker/8.1/changetracker/install/hub.md @@ -1,7 +1,7 @@ # Hub **NOTE:** Ensure the Hub's requirements are met and that the server has had any OS updates applied -and has been restarted. See the [Hub Installation for Windows](../requirements/windowsserver.md) +and has been restarted. See the [Hub Installation for Windows](/docs/changetracker/8.1/changetracker/requirements/windowsserver.md) topic for additional information. A crucial decision to make before installing Change Tracker is how to have Change Tracker store it's 
@@ -29,39 +29,39 @@ The installer can be downloaded from the customer portal. The installer employes configuration of the installation. Running a later version of the installer on a server that already has a Change Tracker Hub installed will update the installation. -![eula](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![eula](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 1 –** Accept the End User License Agreement to start the installation. -![ports](../../../../../static/img/product_docs/changetracker/changetracker/install/ports.webp) +![ports](/img/product_docs/changetracker/changetracker/install/ports.webp) **Step 2 –** Enter the web server ports. -![sslcertificate](../../../../../static/img/product_docs/changetracker/changetracker/install/sslcertificate.webp) +![sslcertificate](/img/product_docs/changetracker/changetracker/install/sslcertificate.webp) **Step 3 –** Enter a password for the SSL certificate's private key. -![mongodb](../../../../../static/img/product_docs/changetracker/changetracker/install/mongodb.webp) +![mongodb](/img/product_docs/changetracker/changetracker/install/mongodb.webp) **Step 4 –** Define an existing MongoDB instance to use or leave the MongoDB server field as localhost to have the installer deploy it's built-in version of MongoDB Community edition. -![mongodblogpath](../../../../../static/img/product_docs/changetracker/changetracker/install/mongodblogpath.webp) +![mongodblogpath](/img/product_docs/changetracker/changetracker/install/mongodblogpath.webp) **Step 5 –** Define the path to store the MongoDB log. -![redis](../../../../../static/img/product_docs/changetracker/changetracker/install/redis.webp) +![redis](/img/product_docs/changetracker/changetracker/install/redis.webp) **Step 6 –** Most installations can leave this blank, but if a clustered installation is planned, enter the address of the required Redis server. 
-![installationpath](../../../../../static/img/product_docs/changetracker/changetracker/install/installationpath.webp) +![installationpath](/img/product_docs/changetracker/changetracker/install/installationpath.webp) **Step 7 –** Select the installation path for Change Tracker. **CAUTION:** Changing this is only recommended for advanced installations. -![adminuserpassword](../../../../../static/img/product_docs/changetracker/changetracker/install/adminuserpassword.webp) +![adminuserpassword](/img/product_docs/changetracker/changetracker/install/adminuserpassword.webp) **Step 8 –** Once the installation is complete set a strong password for the Admin user. diff --git a/docs/changetracker/8.1/changetracker/install/overview.md b/docs/changetracker/8.1/changetracker/install/overview.md index 852c18b51e..c300469ea3 100644 --- a/docs/changetracker/8.1/changetracker/install/overview.md +++ b/docs/changetracker/8.1/changetracker/install/overview.md @@ -2,8 +2,8 @@ Review the following for additional information: -- [Requirements](../requirements/overview.md) -- [Hub Installation for Windows](../requirements/windowsserver.md) -- [Installing Gen 7 Agent for Windows](agent/windows.md) -- [Installing Gen 7 Agent for Linux](agent/linuxos.md) -- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](agent/commandlinescript.md) +- [Requirements](/docs/changetracker/8.1/changetracker/requirements/overview.md) +- [Hub Installation for Windows](/docs/changetracker/8.1/changetracker/requirements/windowsserver.md) +- [Installing Gen 7 Agent for Windows](/docs/changetracker/8.1/changetracker/install/agent/windows.md) +- [Installing Gen 7 Agent for Linux](/docs/changetracker/8.1/changetracker/install/agent/linuxos.md) +- [Scripted/Command Line Use of Gen 7 Agent EXE Installer](/docs/changetracker/8.1/changetracker/install/agent/commandlinescript.md) 
diff --git a/docs/changetracker/8.1/changetracker/integration/api/agents.md b/docs/changetracker/8.1/changetracker/integration/api/agents.md index c2f271e566..1057bfd7ae 100644 --- a/docs/changetracker/8.1/changetracker/integration/api/agents.md +++ b/docs/changetracker/8.1/changetracker/integration/api/agents.md @@ -204,7 +204,7 @@ Try { Catch [Net.WebException] {     $resp = $_.Exception.Response;     If ( $resp.StatusCode -eq [Net.HttpStatusCode]::BadRequest ) { -        $result = (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd() | ConvertFrom-Json; +        $result = (New-Object IO.StreamReader($resp.GetResponseStream().ReadToEnd() | ConvertFrom-Json;         # Handle errors         Write-Output $_.Exception     } diff --git a/docs/changetracker/8.1/changetracker/integration/api/overview.md b/docs/changetracker/8.1/changetracker/integration/api/overview.md index 26e0eafe48..e4345d5b7d 100644 --- a/docs/changetracker/8.1/changetracker/integration/api/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/api/overview.md @@ -4,5 +4,5 @@ Customers who run multiple instances of Netwrix Change Tracker in multiple regio to pull data from each instance and use that data build global reports containing data from all instances. -- [Agents](agents.md) – To pull data on agent statuses, configurations and group memberships, use +- [Agents](/docs/changetracker/8.1/changetracker/integration/api/agents.md) – To pull data on agent statuses, configurations and group memberships, use the agentsRanked endpoint. diff --git a/docs/changetracker/8.1/changetracker/integration/itsm/overview.md b/docs/changetracker/8.1/changetracker/integration/itsm/overview.md index 922015ea3d..9d7755fe4c 100644 --- a/docs/changetracker/8.1/changetracker/integration/itsm/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/itsm/overview.md 
@@ -18,7 +18,7 @@ Change Tracker. Change Tracker will attempt to link existing Devices and Groups to a Planned Change where similar names are found to Configuration Items (CMDB items) in the ITSM system. See the -[Planned Changes Tab](../../admin/tabs/plannedchanges.md) topic for additional information. +[Planned Changes Tab](/docs/changetracker/8.1/changetracker/admin/tabs/plannedchanges.md) topic for additional information. The service works by periodically polling the source ITSM system for Change Requests which have been modified since the most recent poll. A new Planned Change is created in Change Tracker if a new CR diff --git a/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md b/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md index cc4daa032a..539c95bf83 100644 --- a/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md +++ b/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md @@ -23,12 +23,12 @@ devices for change events to be linked to. Device discovery removes this manual Follow the steps to configure Device Discovery. -![additsmcredential](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/additsmcredential.webp) +![additsmcredential](/img/product_docs/changetracker/changetracker/integration/itsm/additsmcredential.webp) **Step 1 –** From the Settings menu, select **Credentials**, scroll to the ITSM System Credentials section and click **Add ITSM Credential**. -![itsmconnection](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/itsmconnection.webp) +![itsmconnection](/img/product_docs/changetracker/changetracker/integration/itsm/itsmconnection.webp) **Step 2 –** Select **ServiceNow** from the initial drop down and enter the details of the ServiceNow instance to connect to. 
@@ -45,7 +45,7 @@ The Device Discovery Name Regex Replacement fields defines the value to replace in the field above. Leaving this empty will cause the pattern matched by the regex above to be trimmed from device names created in Change Tracker. -![devicediscovery](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/devicediscovery.webp) +![devicediscovery](/img/product_docs/changetracker/changetracker/integration/itsm/devicediscovery.webp) **Step 3 –** Select a device to act as the proxy for the calls made to ServiceNow. The agent on the same host as the Hub is often a good choice here. @@ -54,11 +54,11 @@ same host as the Hub is often a good choice here. **Step 5 –** Select the group to put the discovered devices into. -![systemdiscovery](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/systemdiscovery.webp) +![systemdiscovery](/img/product_docs/changetracker/changetracker/integration/itsm/systemdiscovery.webp) **Step 6 –** Click **OK**. A discovery task will start and create the devices. -![discoverytask](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/discoverytask.webp) +![discoverytask](/img/product_docs/changetracker/changetracker/integration/itsm/discoverytask.webp) ## Raise a ServiceNow Incident 
@@ -71,13 +71,13 @@ situation. Follow the steps to raise a ServiceNow incident. -![integrationsettings](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/integrationsettings.webp) +![integrationsettings](/img/product_docs/changetracker/changetracker/integration/itsm/integrationsettings.webp) **Step 1 –** From the Settings menu, select System Settings and scroll to the ServiceNow Integration section. Insert the URL and credentials of the ServiceNow instance to raise incidents to. The test button will raise a test incident to prove connectivity. -![editdevice](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/editdevice.webp) +![editdevice](/img/product_docs/changetracker/changetracker/integration/itsm/editdevice.webp) **Step 2 –** Select the device group you want to raise incidents for (All devices is the common choice), select the **Un-planned Change Notification** Type and select **ServiceNow** as the 
@@ -98,7 +98,7 @@ notification Method. | changeTrackerRestSyncProvider.password | String (e.g., “password”) The password of the account used to connect to Change Tracker. Note: This setting is encrypted by the service and written back to the config file under the key “E. changeTrackerRestSyncProvider.password” | | serviceNow.deviceClassNames | String (e.g., “cmdb_ci_win_server,cmdb_ci_linux_server”, default: “”) Optional comma-separated whitelist of Configuration Item class names (sourced from the cmdb_ci.sys_class_name property) which restricts which CIs can be mapped to a Device in Change Tracker. | | serviceNow.groupClassNames | String (default: “”) Optional comma-separated whitelist of Configuration Item class names (sourced from the cmdb_ci.sys_class_name property) which restricts which CIs can be mapped to a Group in Change Tracker. A value of DO_NOT_MATCH disables the group lookup if the device name is not found. | -| serviceNow.timeZone | String (e.g., “Eastern Standard Time”, default: “”) Optional time zone taken from this [list](), which should match the time zone of the account used to connect to ServiceNow. Note: this should be used where it’s not possible to set the account to use GMT. | +| serviceNow.timeZone | String (e.g., “Eastern Standard Time”, default: “”) Optional time zone taken from this [list](https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms912391(v=winembedded.11)), which should match the time zone of the account used to connect to ServiceNow. Note: this should be used where it’s not possible to set the account to use GMT. | | serviceNowChangeRequest.createplannedchangepertask | Boolean (default: false) When true, any RFC in ServiceNow that has tasks against it will result in a planned change for each task. If start or end times are missing on the tasks they will be taken from the parent RFC. 
| | serviceNowChangeRequestRestSyncAdapter.changesUrl | String (e.g., “https://site.service-now.com/api/now/table/change_request”, default: “”) Optional absolute URL for the REST API endpoint from which to retrieve Change Requests. | | serviceNowChangeRequestRestSyncAdapter.taskCiUrl | String (e.g., “https://site.service-now.com/api/now/table/task_ci”, default: “”) Optional absolute URL for the REST API endpoint from which to retrieve Configuration Items linked to Change Requests. | diff --git a/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceinstall.md b/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceinstall.md index 0e0787c47e..e3a002c013 100644 --- a/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceinstall.md +++ b/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceinstall.md @@ -36,13 +36,13 @@ backed up earlier. If no backup is available then enter new configuration during Under the “ITSM Integration” option, select one ITSM system to integrate with. For brevity this document describes the steps for a ServiceNow setup, but the steps vary little between ITSMs. -![selectitsm](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/selectitsm.webp) +![selectitsm](/img/product_docs/changetracker/changetracker/integration/itsm/selectitsm.webp) ## Change Tracker Hub Connection Enter the required configuration values: -![itsmurl](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/itsmurl.webp) +![itsmurl](/img/product_docs/changetracker/changetracker/integration/itsm/itsmurl.webp) - In the “Hub Server URL” field, specify the URL for your Change Tracker REST API endpoint, e.g. https://changetracker-server/api 
@@ -55,7 +55,7 @@ Enter the required configuration values: Select which type of authorization to use: -![authenticationtype](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/authenticationtype.webp) +![authenticationtype](/img/product_docs/changetracker/changetracker/integration/itsm/authenticationtype.webp) - Basic (provide Username / Password of a ServiceNow user account only). Use when OAuth authorization is not available. The encoded credentials are sent in the headers of every HTTP @@ -70,7 +70,7 @@ Select which type of authorization to use: Enter the require configuration values: -![servicenowconnection](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/servicenowconnection.webp) +![servicenowconnection](/img/product_docs/changetracker/changetracker/integration/itsm/servicenowconnection.webp) - In the “ServiceNow ITSM Server URL” field, specify the URL for your ServiceNow REST API endpoint, e.g. https://service-now-server/api @@ -87,7 +87,7 @@ ServiceNow user, but it is possible to configure the Sync Service to use a diffe setting the serviceNow.timeZone element in the Sync Service configuration file (see the administration page for instructions). -![servicenowcredentials](../../../../../../static/img/product_docs/changetracker/changetracker/integration/itsm/servicenowcredentials.webp) +![servicenowcredentials](/img/product_docs/changetracker/changetracker/integration/itsm/servicenowcredentials.webp) - In the “ServiceNow ITSM username” and “ServiceNow ITSM password” fields (not applicable if using OAuth2 Client Credentials), enter the credentials for the ServiceNow user account which the diff --git a/docs/changetracker/8.1/changetracker/integration/netwrixproducts/netwrixauditor.md b/docs/changetracker/8.1/changetracker/integration/netwrixproducts/netwrixauditor.md index 3fa3ba7c8d..a981570cd3 100644 
--- a/docs/changetracker/8.1/changetracker/integration/netwrixproducts/netwrixauditor.md +++ b/docs/changetracker/8.1/changetracker/integration/netwrixproducts/netwrixauditor.md @@ -4,7 +4,7 @@ The integration between Netwrix Change Tracker and Netwrix Auditor allows for an Tracker collects to be forwarded to Auditor. The type of event forwarded is controlled by the Change Tracker notification profile. -![usernotifications_1122x481](../../../../../../static/img/product_docs/changetracker/changetracker/integration/netwrixproducts/usernotifications_1122x481.webp) +![usernotifications_1122x481](/img/product_docs/changetracker/changetracker/integration/netwrixproducts/usernotifications_1122x481.webp) In this example notification profile, unplanned changes for systems in the Windows 2019 Auditor group and compliance reports which are run against the Windows 2019 group will generate 
@@ -14,13 +14,13 @@ Change events are pushed to Auditor via the it's API. Once in Auditor, these eve with the search functionality. Using the search option, information gathered by Change Tracker can be used to create reports and alerts or it can be merged with data natively gathered by Auditor. -![auditorsearch_1117x430](../../../../../../static/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditorsearch_1117x430.webp) +![auditorsearch_1117x430](/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditorsearch_1117x430.webp) This integration allows Auditor to gather information on the monitored environment that it would not natively be able to collect. For example, monitoring the files of a website for change activity. -![auditoroperator_1115x182](../../../../../../static/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditoroperator_1115x182.webp) +![auditoroperator_1115x182](/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditoroperator_1115x182.webp) Search criteria, like the one above, can be saved to generate reports or alerts. -![auditorsearchresults_1090x638](../../../../../../static/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditorsearchresults_1090x638.webp) +![auditorsearchresults_1090x638](/img/product_docs/changetracker/changetracker/integration/netwrixproducts/auditorsearchresults_1090x638.webp) diff --git a/docs/changetracker/8.1/changetracker/integration/netwrixproducts/overview.md b/docs/changetracker/8.1/changetracker/integration/netwrixproducts/overview.md index e9fa42255b..04a9508737 100644 --- a/docs/changetracker/8.1/changetracker/integration/netwrixproducts/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/netwrixproducts/overview.md 
@@ -2,5 +2,5 @@ Netwrix Change Tracker can be configured to sent event data to the following products: -- [Netwrix Auditor Integration](netwrixauditor.md) – Netwrix Change Tracker can be configured to +- [Netwrix Auditor Integration](/docs/changetracker/8.1/changetracker/integration/netwrixproducts/netwrixauditor.md) – Netwrix Change Tracker can be configured to send event data collected by Change Tracker to Netwrix Auditor. diff --git a/docs/changetracker/8.1/changetracker/integration/overview.md b/docs/changetracker/8.1/changetracker/integration/overview.md index 1fa933c873..0cf08ccc38 100644 --- a/docs/changetracker/8.1/changetracker/integration/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/overview.md @@ -2,8 +2,8 @@ Netwrix Change Tracker supports the following integrations: -- [Netwrix Products](netwrixproducts/overview.md) -- [API](api/overview.md) -- [IT Service Management](itsm/overview.md) -- [Splunk](splunk/overview.md) -- [VMWare](vmware/overview.md) +- [Netwrix Products](/docs/changetracker/8.1/changetracker/integration/netwrixproducts/overview.md) +- [API](/docs/changetracker/8.1/changetracker/integration/api/overview.md) +- [IT Service Management](/docs/changetracker/8.1/changetracker/integration/itsm/overview.md) +- [Splunk](/docs/changetracker/8.1/changetracker/integration/splunk/overview.md) +- [VMWare](/docs/changetracker/8.1/changetracker/integration/vmware/overview.md) diff --git a/docs/changetracker/8.1/changetracker/integration/splunk/overview.md b/docs/changetracker/8.1/changetracker/integration/splunk/overview.md index 5412f1e547..e62a817ae3 100644 --- a/docs/changetracker/8.1/changetracker/integration/splunk/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/splunk/overview.md 
@@ -22,7 +22,7 @@ Follow the steps to configure Splunk credentials. **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. -![splunkcredentials](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splunkcredentials.webp) +![splunkcredentials](/img/product_docs/changetracker/changetracker/integration/splunk/splunkcredentials.webp) **Step 2 –** Click the **Add** button and enter the details of the Splunk instance to connect to. @@ -54,7 +54,7 @@ be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m- Any further fields added will be included in the body of the events when the reach Change Tracker. Sourcetype is an example of such a field in the test query below. -![splunksearch](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splunksearch.webp) +![splunksearch](/img/product_docs/changetracker/changetracker/integration/splunk/splunksearch.webp) Below is the test query used in this document. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of 
@@ -72,26 +72,26 @@ Follow the steps to create a policy template. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. -![addsplunkpolicy](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/addsplunkpolicy.webp) +![addsplunkpolicy](/img/product_docs/changetracker/changetracker/integration/splunk/addsplunkpolicy.webp) **Step 3 –** Name it **Splunk**, set the Usage column to **Tracking**, and click **update**. -![tracking](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/tracking.webp) +![tracking](/img/product_docs/changetracker/changetracker/integration/splunk/tracking.webp) **Step 4 –** Click the **tracking** button on the new Splunk policy and then scroll right to the Splunk Search Queries tab. -![splquery](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splquery.webp) +![splquery](/img/product_docs/changetracker/changetracker/integration/splunk/splquery.webp) **Step 5 –** Click the **tick box** to add a query and then click **Add a Splunk Query**. -![splqueryconfiguration](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splqueryconfiguration.webp) +![splqueryconfiguration](/img/product_docs/changetracker/changetracker/integration/splunk/splqueryconfiguration.webp) Paste the query, give it a description and click Update. The query will now be listed in the policy. **NOTE:** Ensure the desired polling frequency is set. -![templatecomplete](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/templatecomplete.webp) +![templatecomplete](/img/product_docs/changetracker/changetracker/integration/splunk/templatecomplete.webp) ### Devices and Groups 
@@ -105,11 +105,11 @@ and click **Add an Existing Template**. **Step 3 –** Add the Splunk policy template to the Splunk Tracker group. -![group2](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/group2.webp) +![group2](/img/product_docs/changetracker/changetracker/integration/splunk/group2.webp) Any device in this group of the type Splunk will execute the Splunk tracking policy created above. -![group](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) +![group](/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) **Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk @@ -122,7 +122,7 @@ device must be created with the connection details. Follow the steps to manually create a proxied device to represent the target instance of Splunk. -![manualdevicecreation](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/manualdevicecreation.webp) +![manualdevicecreation](/img/product_docs/changetracker/changetracker/integration/splunk/manualdevicecreation.webp) **Step 1 –** Select a device to be a proxy device and click **Add Proxied Device**. The agent on the same machine as the Hub is often a good choice for the proxy if it can communicate with the Splunk @@ -138,7 +138,7 @@ instance. **Step 6 –** Add the Splunk Tracker group to the Groups field. -![addsplunkdevice](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/addsplunkdevice.webp) +![addsplunkdevice](/img/product_docs/changetracker/changetracker/integration/splunk/addsplunkdevice.webp) **NOTE:** Change events coming into Change Tracker (from Splunk or any agentless monitoring) must match a device in Change Tracker. Events without a matching device will be ignored 
@@ -151,8 +151,8 @@ Sync Service is configured to integrate with ServiceNow. Both will result in pro registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the -[Configure Device Discovery](../itsm/syncserviceadmin.md#configure-device-discovery) section in -[Sync Service Administration](../itsm/syncserviceadmin.md) topic for additional information. +[Configure Device Discovery](/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md#configure-device-discovery) section in +[Sync Service Administration](/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md) topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk 
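Review bot: The two rewritten links in this hunk hard-code the product version: `../itsm/syncserviceadmin.md` becomes `/docs/changetracker/8.1/changetracker/integration/itsm/syncserviceadmin.md`. The relative form keeps working when the 8.1 tree is copied to a new version folder. The absolute form would leave the copy pointing back at the 8.1 pages without producing a broken-link error. Suggest keeping relative paths for links between documents of the same version and using site-absolute paths only for the `/img/...` assets. The new link lines also run well past the wrap width used by the surrounding paragraph.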
@@ -169,16 +169,16 @@ for it's Device column. If everything has been configured correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. -![splunkevents](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splunkevents.webp) +![splunkevents](/img/product_docs/changetracker/changetracker/integration/splunk/splunkevents.webp) In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field in the results other than the required fields is added to the additional info section at the bottom of the event body. This flexible field can list multiple non required fields from the SPL query. This enables full control of what is logged into the events. -![splunkeventbody](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/splunkeventbody.webp) +![splunkeventbody](/img/product_docs/changetracker/changetracker/integration/splunk/splunkeventbody.webp) Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker Poll. -![starttrackerpoll](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/starttrackerpoll.webp) +![starttrackerpoll](/img/product_docs/changetracker/changetracker/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.1/changetracker/integration/vmware/overview.md b/docs/changetracker/8.1/changetracker/integration/vmware/overview.md index 79c202e280..431a5697f7 100644 --- a/docs/changetracker/8.1/changetracker/integration/vmware/overview.md +++ b/docs/changetracker/8.1/changetracker/integration/vmware/overview.md 
@@ -45,13 +45,13 @@ Follow the steps to configure ESXi/vCenter credentials: **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. -![esxicredentials](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/esxicredentials.webp) +![esxicredentials](/img/product_docs/changetracker/changetracker/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, The ESXi Host Type option enables connections to stand alone ESXi servers. -![esxicredentialform](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/esxicredentialform.webp) +![esxicredentialform](/img/product_docs/changetracker/changetracker/integration/vmware/esxicredentialform.webp) ## Device Discovery @@ -64,7 +64,7 @@ frequently created, removed or even migrated between clusters. From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down to configure the discovery job. -![devicediscoverygrid](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverygrid.webp) +![devicediscoverygrid](/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverygrid.webp) Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. 
@@ -77,20 +77,20 @@ their discovered nodes under one proxy agent. The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is no automatic registration so a group must be chosen. -![devicediscoveryform](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoveryform.webp) +![devicediscoveryform](/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoveryform.webp) Once configured a discovery job will automatically run and if successful, the devices will be visible in the grid. -![devicediscoverystarted](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverystarted.webp) +![devicediscoverystarted](/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverystarted.webp) -![devicediscoveryrunning](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoveryrunning.webp) +![devicediscoveryrunning](/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoveryrunning.webp) -![devicediscoverycompleted](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverycompleted.webp) +![devicediscoverycompleted](/img/product_docs/changetracker/changetracker/integration/vmware/devicediscoverycompleted.webp) ## Compliance Reporting Under the Reports tab, it is now possible to configure and run the appropriate compliance report against the group that contains the ESXi devices. -![esxicompliancereport](../../../../../../static/img/product_docs/changetracker/changetracker/integration/vmware/esxicompliancereport.webp) +![esxicompliancereport](/img/product_docs/changetracker/changetracker/integration/vmware/esxicompliancereport.webp) diff --git a/docs/changetracker/8.1/changetracker/overview.md b/docs/changetracker/8.1/changetracker/overview.md index af98da9a5f..83088797a7 100644 
--- a/docs/changetracker/8.1/changetracker/overview.md +++ b/docs/changetracker/8.1/changetracker/overview.md @@ -15,7 +15,7 @@ manufacturer such as Microsoft, Red Hat, Oracle or Cisco, for example. Complianc supported by Change Tracker include PCI DSS, DISA STIG, NERC CIP, ISO 27001, GLBA), FISMA), HIPAA HITECH, S-OX, NIST 800-53/171 and GPG 13. -![TechnicalOverview](../../../../static/img/product_docs/changetracker/changetracker/technicaloverview.webp) +![TechnicalOverview](/img/product_docs/changetracker/changetracker/technicaloverview.webp) Devices are then monitored continuously using either a Change Tracker Agent installed directly onto the device, or using a periodically scheduled agentless interaction with the device. Any changes @@ -49,13 +49,13 @@ Netwrix Change Tracker is delivered as a 100% software solution. The central ser installed on either a Windows or Linux platform. A virtual host is supported but resources, and in particular disk I/O performance, are critical. For more information please see: -- [Installing Gen 7 Agent for Windows](install/agent/windows.md) -- [Installing Gen 7 Agent for Linux](install/agent/linuxos.md) +- [Installing Gen 7 Agent for Windows](/docs/changetracker/8.1/changetracker/install/agent/windows.md) +- [Installing Gen 7 Agent for Linux](/docs/changetracker/8.1/changetracker/install/agent/linuxos.md) -![Architecture](../../../../static/img/product_docs/changetracker/changetracker/architecture.webp) +![Architecture](/img/product_docs/changetracker/changetracker/architecture.webp) For a full list of supported operating systems see -[OS Support Matrix](requirements/ossupportmatrix.md). +[OS Support Matrix](/docs/changetracker/8.1/changetracker/requirements/ossupportmatrix.md). Administration and everyday usage for reporting on the change history of a device and managing planned changes is all provided via the secure web interface. Integration options include alert 
diff --git a/docs/changetracker/8.1/changetracker/requirements/overview.md b/docs/changetracker/8.1/changetracker/requirements/overview.md index 6b552bc06f..2d5902304b 100644 --- a/docs/changetracker/8.1/changetracker/requirements/overview.md +++ b/docs/changetracker/8.1/changetracker/requirements/overview.md @@ -2,9 +2,9 @@ Review the following for additional information: -- [OS Support Matrix](ossupportmatrix.md) -- [Agent and Device Ports](agentdeviceports.md) -- [Hub Installation for Windows](windowsserver.md) -- [Gen 7 Agent for Windows](gen7agentwindows.md) -- [Gen 7 Agent for Linux](gen7agentlinux.md) -- [Express Agent ](expressagent.md) +- [OS Support Matrix](/docs/changetracker/8.1/changetracker/requirements/ossupportmatrix.md) +- [Agent and Device Ports](/docs/changetracker/8.1/changetracker/requirements/agentdeviceports.md) +- [Hub Installation for Windows](/docs/changetracker/8.1/changetracker/requirements/windowsserver.md) +- [Gen 7 Agent for Windows](/docs/changetracker/8.1/changetracker/requirements/gen7agentwindows.md) +- [Gen 7 Agent for Linux](/docs/changetracker/8.1/changetracker/requirements/gen7agentlinux.md) +- [Express Agent ](/docs/changetracker/8.1/changetracker/requirements/expressagent.md) diff --git a/docs/changetracker/8.1/changetracker/requirements/windowsserver.md b/docs/changetracker/8.1/changetracker/requirements/windowsserver.md index 692e805344..2edcf70842 100644 --- a/docs/changetracker/8.1/changetracker/requirements/windowsserver.md +++ b/docs/changetracker/8.1/changetracker/requirements/windowsserver.md @@ -4,7 +4,7 @@ This topic lists the hardware requirements and software requirements for Netwrix ## Hardware Requirements -| | Standard Install (< 100 devices) | Large Install (~ 1k devices) | +| | Standard Install ( 100 devices) | Large Install (~ 1k devices) | | ---- | -------------------------------- | ---------------------------- | | CPU | 4 cores | 16 cores | | RAM | 8 GB | 32 GB | 
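Review bot: The table header line in this hunk loses its comparison operator: `Standard Install (< 100 devices)` becomes `Standard Install ( 100 devices)`, so the sizing column no longer says "fewer than 100" and leaves a stray space inside the parentheses. If the `<` was removed to keep the Markdown/MDX parser from reading it as the start of a tag (an assumption; the patch does not say), write it as `&lt; 100 devices` or "fewer than 100 devices" instead. The header cell is now one character narrower than the separator row beneath it, which is cosmetic but worth realigning in the same fix.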
@@ -18,7 +18,7 @@ This topic lists the hardware requirements and software requirements for Netwrix - Server roles: -![Software Requirements](../../../../../static/img/product_docs/changetracker/changetracker/requirements/performancecheckbox.webp) +![Software Requirements](/img/product_docs/changetracker/changetracker/requirements/performancecheckbox.webp) - .NET Hosting Bundle – v8.0 - Redis @@ -43,7 +43,7 @@ Disk space based on limited trial implementations only. For production, we size of 4GB per device, per annum, based on typical change event and report volumes (4 Compliance Reports per month, 200 change events per month) -- See the [Installation](../install/overview.md) topic for additional information on the +- See the [Installation](/docs/changetracker/8.1/changetracker/install/overview.md) topic for additional information on the installation process. Please run a Windows Update to ensure all above components are fully up to date. diff --git a/docs/dataclassification/5.6.2/ndc/config_infrastructure/config_nfs_fs.md b/docs/dataclassification/5.6.2/ndc/config_infrastructure/config_nfs_fs.md index 4aa1f6bbc6..05173b3f84 100644 --- a/docs/dataclassification/5.6.2/ndc/config_infrastructure/config_nfs_fs.md +++ b/docs/dataclassification/5.6.2/ndc/config_infrastructure/config_nfs_fs.md @@ -17,7 +17,7 @@ Add the Folder source as described in the File System section. **NOTE:** Do not specify username and password while adding data source. -[]()[To configure Windows Server 2012 Onward]() +[](javascript:void(0))[To configure Windows Server 2012 Onward](javascript:void(0)) 1. On the Windows desktop, start Server Manager. 2. On the Manage menu, click Add Roles and Features. 
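Review bot: The replacement for `[]()[To configure Windows Server 2012 Onward]()` keeps the empty-text link and gives both links a `javascript:void(0)` target. This label does not navigate anywhere, so a link is the wrong element. The first link renders as an anchor with no text, and a `javascript:` URL is blocked by a Content-Security-Policy that does not allow inline script and is commonly rejected by link checkers and HTML sanitizers. Suggest dropping the link syntax and making the label bold text or a heading. The same pattern is introduced in the other dataclassification files this patch touches (`standalone_taxonomies.md`, `workflows_migration.md`, `step_3_specify_conditions.md` and others), so it is worth fixing once in whatever script generated these rewrites.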
@@ -25,7 +25,7 @@ Add the Folder source as described in the File System section. 4. Ensure that Client for NFS option enabled. 5. Complete the wizard. -[]()[To configure Windows 10]() +[](javascript:void(0))[To configure Windows 10](javascript:void(0)) 1. Navigate to Control Panel and select Programs. 2. Select Turn Windows features on or off. diff --git a/docs/dataclassification/5.6.2/ndc/sources/manage_configuring_subsite_and_list_processing.md b/docs/dataclassification/5.6.2/ndc/sources/manage_configuring_subsite_and_list_processing.md index d463129f8d..d296028a07 100644 --- a/docs/dataclassification/5.6.2/ndc/sources/manage_configuring_subsite_and_list_processing.md +++ b/docs/dataclassification/5.6.2/ndc/sources/manage_configuring_subsite_and_list_processing.md @@ -21,7 +21,7 @@ When new content is defined for crawling (i.e. included), a re-index operation s - The **Edit** link allows you to modify settings for the selected list or subsite. See below for details. -[List Configuration]() +[List Configuration](javascript:void(0)) 1. To modify list/library settings, select it and click Edit. 2. In the properties window, configure **Content Fields** and **Special Field mapping** as needed. @@ -35,7 +35,7 @@ Consider the following: - In the absence of a list level configuration the appropriate source defaults will automatically be used. -[Subsite Configuration]() +[Subsite Configuration](javascript:void(0)) 1. To modify subsite settings, select the subsite and click Edit. 2. In the properties window, configure **Content Fields** and **Special Field mapping** as needed. diff --git a/docs/dataclassification/5.6.2/ndc/taxonomies/clues_types.md b/docs/dataclassification/5.6.2/ndc/taxonomies/clues_types.md index a44c8249fb..a3694b4518 100644 --- a/docs/dataclassification/5.6.2/ndc/taxonomies/clues_types.md +++ b/docs/dataclassification/5.6.2/ndc/taxonomies/clues_types.md 
@@ -279,7 +279,7 @@ the "Case-Insensitive Regex Processing" mode, this setting can be found in Confi Definitions of the required syntax for regular expressions can be found in many places, including Microsoft: -[Regular Expression Syntax](). +[Regular Expression Syntax](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/ae5bf541(v=vs.100)). The following example clue matches US Social Security Numbers found anywhere in the document text: diff --git a/docs/dataclassification/5.6.2/ndc/taxonomies/standalone_taxonomies.md b/docs/dataclassification/5.6.2/ndc/taxonomies/standalone_taxonomies.md index eb331b42fd..c5720e3ccc 100644 --- a/docs/dataclassification/5.6.2/ndc/taxonomies/standalone_taxonomies.md +++ b/docs/dataclassification/5.6.2/ndc/taxonomies/standalone_taxonomies.md @@ -20,13 +20,13 @@ for more information on users' permissions. ## Core Taxonomies -[Financial Records]() +[Financial Records](javascript:void(0)) - ABA routing numbers - IBAN/SWIFT codes - Bank account numbers -[Personally Identifiable Information (PII)]() +[Personally Identifiable Information (PII)](javascript:void(0)) - Personal information (full name, home address, date of birth) in the following languages: - Danish @@ -81,7 +81,7 @@ for more information on users' permissions. - United Kingdom - USA -[Payment Card Industry Data Security Standard (PCI DSS)]() +[Payment Card Industry Data Security Standard (PCI DSS)](javascript:void(0)) Cardholder data (holder name, card number, expiration and security code) for the major payment systems: 
@@ -94,14 +94,14 @@ systems: - UnionPay - Visa -[Patient Health Information (PHI)]() +[Patient Health Information (PHI)](javascript:void(0)) Medical forms, treatment records, prescription drugs, decease names/codes, allergies, social and insurance numbers. ## Derived Taxonomies -[General Data Protection Regulation (GDPR)]() +[General Data Protection Regulation (GDPR)](javascript:void(0)) A subset of the PII taxonomy relating to the personal information of EU residents: @@ -163,7 +163,7 @@ A subset of the PII taxonomy relating to the personal information of EU resident - Sweden - United Kingdom -[GDPR Restricted]() +[GDPR Restricted](javascript:void(0)) Personal data (same as in PII) accompanied by the following special categories of personal information (GDPR Article 9): @@ -172,11 +172,11 @@ information (GDPR Article 9): - Political views - Religious beliefs -[Gramm-Leach-Bliley Act (GLBA)]() +[Gramm-Leach-Bliley Act (GLBA)](javascript:void(0)) Combines the Financial Records, PCI DSS and PII (US social security numbers) taxonomies. -[Health Insurance Portability and Accountability Act (HIPAA)]() +[Health Insurance Portability and Accountability Act (HIPAA)](javascript:void(0)) Combines the PHI and PII (US social security numbers) taxonomies. diff --git a/docs/dataclassification/5.6.2/ndc/workflows/actions/workflows_migration.md b/docs/dataclassification/5.6.2/ndc/workflows/actions/workflows_migration.md index 6d67c4f90a..79a537ea63 100644 --- a/docs/dataclassification/5.6.2/ndc/workflows/actions/workflows_migration.md +++ b/docs/dataclassification/5.6.2/ndc/workflows/actions/workflows_migration.md 
@@ -19,7 +19,7 @@ migration destinations. See Configuring Destinations for Migration Action. When running the Workflow wizard and having selected **Migration** as action, you will be prompted to configure related settings. -[]()[To configure migration using Workflow wizard:]() +[](javascript:void(0))[To configure migration using Workflow wizard:](javascript:void(0)) On the What do you want to do step, select Migrate Document action. do the following: diff --git a/docs/dataclassification/5.6.2/ndc/workflows/advanced_window/advanced_actions_classification.md b/docs/dataclassification/5.6.2/ndc/workflows/advanced_window/advanced_actions_classification.md index 2436bd41ea..1364317f54 100644 --- a/docs/dataclassification/5.6.2/ndc/workflows/advanced_window/advanced_actions_classification.md +++ b/docs/dataclassification/5.6.2/ndc/workflows/advanced_window/advanced_actions_classification.md @@ -21,7 +21,7 @@ To remove all classifications: In the **Add Action** dialog, from the **Action Type** list select **Remove Classifications** under **Classification**. -[To configure terms]() +[To configure terms](javascript:void(0)) 1. In the **Select Term** field, click the tag icon. 2. In the **Details** dialog, specify filter settings to use when filtering out the documents: diff --git a/docs/dataclassification/5.6.2/ndc/workflows/step_3_specify_conditions.md b/docs/dataclassification/5.6.2/ndc/workflows/step_3_specify_conditions.md index 75889e58ee..310298c42f 100644 --- a/docs/dataclassification/5.6.2/ndc/workflows/step_3_specify_conditions.md +++ b/docs/dataclassification/5.6.2/ndc/workflows/step_3_specify_conditions.md 
@@ -21,7 +21,7 @@ The following options are available: If you have selected any of the **Specific Classification** variants, you should then specify taxonomy terms that will be applied to filter out the documents for your workflow. -[To configure terms]() +[To configure terms](javascript:void(0)) 1. In the **Select Term** field, click the tag icon. 2. In the **Details** dialog, specify filter settings to use when filtering out the documents: diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md b/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md index f5adec4010..6b066db0c8 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md @@ -45,5 +45,5 @@ A search for First name(s) _John Richard_ with the Last name _Smith_ will be sea See also: -- [View Search Query Results](viewsearchresults.md) -- [Manage Search Requests](searches.md) +- [View Search Query Results](/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md) +- [Manage Search Requests](/docs/dataclassification/5.7/ndc/admin/dsar/searches.md) diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/overview.md b/docs/dataclassification/5.7/ndc/admin/dsar/overview.md index 73d1b126b2..21461206ce 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/overview.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/overview.md 
@@ -9,11 +9,11 @@ ensure reliable results and simplify the process of searching the IT estate for All search requests are run by the scheduled time set by a Super User. If you have one or more pending searches and for some reason want to run them immediately, you can use the Run now option. -For more information, see [DSAR Settings](settings.md). +For more information, see [DSAR Settings](/docs/dataclassification/5.7/ndc/admin/dsar/settings.md). See next: -- [DSAR Roles](roles.md) -- [DSAR Settings](settings.md) -- [Create Search Requests](crestesearchrequests.md) -- [View Search Query Results](viewsearchresults.md) +- [DSAR Roles](/docs/dataclassification/5.7/ndc/admin/dsar/roles.md) +- [DSAR Settings](/docs/dataclassification/5.7/ndc/admin/dsar/settings.md) +- [Create Search Requests](/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md) +- [View Search Query Results](/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md) diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/roles.md b/docs/dataclassification/5.7/ndc/admin/dsar/roles.md index ea273f78bc..48d4ddafac 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/roles.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/roles.md @@ -27,4 +27,4 @@ DSAR roles are described briefly in the table below: which runs the queued batch. DSAR Roles can be configured under Users → Permissions Management. For more information on how to -configure roles, refer to [User Management](../../security/usermanagement.md) section. +configure roles, refer to [User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) section. diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/searches.md b/docs/dataclassification/5.7/ndc/admin/dsar/searches.md index 39eba2064b..4a38ffa990 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/searches.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/searches.md 
@@ -4,7 +4,7 @@ The **Searches** interface may contain multiple requests. This section contains to work with searches to address specific tasks. **NOTE:** To manage the search requests, users require sufficient access rights that are assigned by -the **Super User** (DSAR Administrator). See [DSAR Roles](roles.md) for details on the available +the **Super User** (DSAR Administrator). See [DSAR Roles](/docs/dataclassification/5.7/ndc/admin/dsar/roles.md) for details on the available roles, their rights and permissions. ## Customize View @@ -13,7 +13,7 @@ You can filter your requests by status. Select one of the following under Displa - Active – shows all requests with "_Processed_" status (default view). - Completed – shows all completed requests. Review the - [View Search Query Results](viewsearchresults.md) section for instructions on how to complete your + [View Search Query Results](/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md) section for instructions on how to complete your request. - Canceled – shows all canceled requests. See Cancel Search for more information. - All – shows all search requests. diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/settings.md b/docs/dataclassification/5.7/ndc/admin/dsar/settings.md index 2de611cfb6..1fc84a249d 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/settings.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/settings.md @@ -4,7 +4,7 @@ This section describes Netwrix Data Classification configuration required to run Requests (DSAR). **NOTE:** Only users with 'Super User' permissions are able to configure DSAR. -[See DSAR Roles for more information.](roles.md) +[See DSAR Roles for more information.](/docs/dataclassification/5.7/ndc/admin/dsar/roles.md) 1. In administrative web console , navigate to Data Analysis → DSAR. 2. Locate the Settings tab. 
@@ -35,5 +35,5 @@ degrading. See also: -- [DSAR Roles](roles.md) -- [Create Search Requests](crestesearchrequests.md) +- [DSAR Roles](/docs/dataclassification/5.7/ndc/admin/dsar/roles.md) +- [Create Search Requests](/docs/dataclassification/5.7/ndc/admin/dsar/crestesearchrequests.md) diff --git a/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md b/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md index 0a36859f77..47b5df9cee 100644 --- a/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md +++ b/docs/dataclassification/5.7/ndc/admin/dsar/viewsearchresults.md @@ -10,7 +10,7 @@ following: The following window appears: - ![dsar_view_results](../../../../../../static/img/product_docs/dataclassification/ndc/admin/dsar/dsar_view_results.webp) + ![dsar_view_results](/img/product_docs/dataclassification/ndc/admin/dsar/dsar_view_results.webp) Review the following for additional information: @@ -25,4 +25,4 @@ following: See also: -- [Manage Search Requests](searches.md) +- [Manage Search Requests](/docs/dataclassification/5.7/ndc/admin/dsar/searches.md) diff --git a/docs/dataclassification/5.7/ndc/admin/howitworks.md b/docs/dataclassification/5.7/ndc/admin/howitworks.md index cb9f31746a..bd6e3acdbf 100644 --- a/docs/dataclassification/5.7/ndc/admin/howitworks.md +++ b/docs/dataclassification/5.7/ndc/admin/howitworks.md 
@@ -6,12 +6,12 @@ compliance requirements with less effort and expense. You can view the app architecture and components in the figure below. -![how_it_works_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/admin/how_it_works_thumb_0_0.webp) +![how_it_works_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/how_it_works_thumb_0_0.webp) 1. The user adds data sources using the NDC Management web console (Netwrix Data Classification program). - ![addsource](../../../../../static/img/product_docs/dataclassification/ndc/admin/addsource.webp) + ![addsource](/img/product_docs/dataclassification/ndc/admin/addsource.webp) 2. The configured data sources are saved in the NDC SQL database (SQL Server Collector Database). 3. The NDC Collector service crawls data files in each data source, converts documents into plain diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/builtinreportsreview.md b/docs/dataclassification/5.7/ndc/admin/reporting/builtinreportsreview.md index f7991cacca..289035e276 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/builtinreportsreview.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/builtinreportsreview.md @@ -2,7 +2,7 @@ Netwrix Data Classification offers a number of built-in reports and charts that refer to indexing and classification process and results, as well to the system operation. They can be run in browser, -as well as exported to Excel or CSV files. [See Manage Reports for more information.](manage.md) +as well as exported to Excel or CSV files. [See Manage Reports for more information.](/docs/dataclassification/5.7/ndc/admin/reporting/manage.md) **NOTE:** For some reports, **Auto-classification change logging** must be enabled to supply the reports with the required data. 
@@ -16,8 +16,8 @@ To enable Auto-Classification change logging Review the following for additional information: -- [Top Reports and Charts](topreportscharts.md) -- [Classification Reports](classificationreports.md) -- [Clue Building Reports](cluebuildingreports.md) -- [Document Reports](documentreports.md) -- [System Reports](systemreports.md) +- [Top Reports and Charts](/docs/dataclassification/5.7/ndc/admin/reporting/topreportscharts.md) +- [Classification Reports](/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md) +- [Clue Building Reports](/docs/dataclassification/5.7/ndc/admin/reporting/cluebuildingreports.md) +- [Document Reports](/docs/dataclassification/5.7/ndc/admin/reporting/documentreports.md) +- [System Reports](/docs/dataclassification/5.7/ndc/admin/reporting/systemreports.md) diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/capabilities.md b/docs/dataclassification/5.7/ndc/admin/reporting/capabilities.md index 5bde795cd5..9304af2e19 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/capabilities.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/capabilities.md @@ -16,5 +16,5 @@ amount of documents tagged with a particular term, or to only review specific co Reporting capabilities also include the following: -- [Content Distribution Map](contentdistributionmap.md) -- [Built-in Reports](builtinreportsoverview.md) +- [Content Distribution Map](/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md) +- [Built-in Reports](/docs/dataclassification/5.7/ndc/admin/reporting/builtinreportsoverview.md) diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md b/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md index 086e2ab132..2642f32637 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md 
@@ -4,7 +4,7 @@ Review the list of the built-in classification reports: - **Auto Classification Log** —Reports on changes to the classifications applied to documents, specifically tags added/removed. To log classification changes, enable the related option in the - product configuration; see [Manage Reports](manage.md) for details. + product configuration; see [Manage Reports](/docs/dataclassification/5.7/ndc/admin/reporting/manage.md) for details. - Classification Coverage—Provides a list of documents that have been tagged with X or fewer classifications. Assists in locating documents that have a low number of auto classifications and diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md b/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md index bd95461686..4a8b1f8bfe 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md @@ -16,7 +16,7 @@ The Content Distribution treemap allows you to interrogate your data in two diff It is possible to filter and refine this display, either selecting specific sources / source-groups or excluding specific sources / source-groups. -![contentdistribution_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/contentdistribution_thumb_0_0.webp) +![contentdistribution_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/contentdistribution_thumb_0_0.webp) You can zoom in to a particular area of the chart by left-clicking in that area; left clicking on the title will allow exporting of that specific node. Right-clicking will zoom back out again. diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md b/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md index f17113ced8..854aa11766 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md 
+++ b/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md @@ -35,7 +35,7 @@ following meanings: - Deleted Automatically—Items that have been detected as removed from the source system - Deleted Manually—Items removed manually by an end-user via the administration console - ![dashboard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) + ![dashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_thumb_0_0.webp) ## System Health @@ -51,7 +51,7 @@ outstanding system issues. 1. Click Dismiss at the bottom. - ![health_config_notifications](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/health_config_notifications.webp) + ![health_config_notifications](/img/product_docs/dataclassification/ndc/admin/reporting/health_config_notifications.webp) 2. Select Only dismiss health notifications that are older than one week, if you do not want to be notified on outdated issues. diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/dataanalysisoverview.md b/docs/dataclassification/5.7/ndc/admin/reporting/dataanalysisoverview.md index 32b30194e5..8032ab00a3 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/dataanalysisoverview.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/dataanalysisoverview.md 
@@ -6,9 +6,9 @@ DSAR areas: - To view reports on product operation, indexing and classification results, click Reports. - To use DSAR search capabilities, click **DSAR**. -![data_analysis_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/data_analysis_thumb_0_0.webp) +![data_analysis_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/data_analysis_thumb_0_0.webp) See next: -- [Reporting](reportingintroduction.md) -- [Data Subject Access Requests ](../dsar/overview.md) +- [Reporting](/docs/dataclassification/5.7/ndc/admin/reporting/reportingintroduction.md) +- [Data Subject Access Requests ](/docs/dataclassification/5.7/ndc/admin/dsar/overview.md) diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/documentreports.md b/docs/dataclassification/5.7/ndc/admin/reporting/documentreports.md index 5fed98d7ab..ccba203da5 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/documentreports.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/documentreports.md @@ -22,7 +22,7 @@ Review the list of the built-in document reports: - Near Duplicate Detection—Details near duplicate documents across the index. Near duplicates are detected as a background process, to enable the background processing simply enable the option ‘Near Duplicate Detection’ within the NDC Indexer Settings and rebuild the necessary sources. See - the [Core Configuration](../../configuration/coreconfiguration.md) topic for configuration + the [Core Configuration](/docs/dataclassification/5.7/ndc/configuration/coreconfiguration.md) topic for configuration information. Supports filtering by URL, source group and excluding content types (comma delimited list of content types such as: “css,pdf”). - Page Statuses—Provides a list of documents at a given status within the index. Supports filtering 
diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/manage.md b/docs/dataclassification/5.7/ndc/admin/reporting/manage.md index 459e42cee4..5ada73f503 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/manage.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/manage.md @@ -16,7 +16,7 @@ Auto-Classification. - **Source** 4. Finally, click **Generate**. -![reports_doctagging_thumb_0_48](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/reports_doctagging_thumb_0_48.webp) +![reports_doctagging_thumb_0_48](/img/product_docs/dataclassification/ndc/admin/reporting/reports_doctagging_thumb_0_48.webp) The report will be displayed in the preview pane. @@ -36,7 +36,7 @@ Document, and System reports). To view all templates available to you, open the Reports tab and select **Report Templates** on the left. -![report_templates_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/report_templates_thumb_0_0.webp) +![report_templates_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/report_templates_thumb_0_0.webp) To save a report configuration template @@ -45,7 +45,7 @@ To save a report configuration template include data from the specific source). 3. Click the Save Report Configuration button. -![save_report_config](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/report_template.webp) +![save_report_config](/img/product_docs/dataclassification/ndc/admin/reporting/report_template.webp) **NOTE:** Report configuration templates are saved per user. diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/overviewdashboard.md b/docs/dataclassification/5.7/ndc/admin/reporting/overviewdashboard.md index f3725a9ab0..b35fd6f81d 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/overviewdashboard.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/overviewdashboard.md 
@@ -8,12 +8,12 @@ customize it for their needs. See Customize Dashboard for more information. **NOTE:** To review the dashboard a user requires the Access Reports permission and must have at least one Netwrix built-in taxonomy downloaded. See the following sections for more information: -- [User Management](../../security/usermanagement.md) -- [Built-in Taxonomies Overview ](../taxonomies/builtintaxonomies.md) +- [User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) +- [Built-in Taxonomies Overview ](/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md) The dashboard is the home page for the administrative web console. -![sensitive_dashboard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/sensitive_dashboard_thumb_0_0.webp) +![sensitive_dashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/sensitive_dashboard_thumb_0_0.webp) If you want to switch to the dashboard page after doing any other tasks in the administrative web console, do the following: @@ -24,7 +24,7 @@ console, do the following: - Locate the Data Analysis top level menu and select Reports: - ![switch_dashboard](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/switch_dashboard.webp) + ![switch_dashboard](/img/product_docs/dataclassification/ndc/admin/reporting/switch_dashboard.webp) - Select the Dashboard tab on the left. 
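Review bot: In the `overviewdashboard.md` hunk at `@@ -24,7 +24,7 @@`, the new image path `/img/product_docs/dataclassification/ndc/admin/reporting/switch_dashboard.webp` drops the explicit `static/` segment, so it resolves only if the build maps root-relative `/img/...` onto the `static/img/` directory. Please confirm that a full site build reports no missing images after this change, and note that assumption in the commit message, because a typo in any of these rewritten paths would no longer be visible from the file system layout alone.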
@@ -41,7 +41,7 @@ The dashboard includes the following sections: - Sensitive Files – helps you identify how many files have been tagged at least once in any of Netwrix built-in sensitive taxonomies except for the following: File Type, File Size, Language. - Review the [Built-in Taxonomies Overview ](../taxonomies/builtintaxonomies.md) section for the + Review the [Built-in Taxonomies Overview ](/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md) section for the full list of predefined taxonomies. **NOTE:** Custom taxonomies are not counted. @@ -76,7 +76,7 @@ To apply filters 1. Select Custom view in the upper left corner of the dashboard. - ![dashboard_filters_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_filters_thumb_0_0.webp) + ![dashboard_filters_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_filters_thumb_0_0.webp) 2. Select a taxonomy(-ies) and/or a source group(s) you want to see real-time data for. 3. Click Apply Filters to immediately review classified data matching your filtering criteria. @@ -89,7 +89,7 @@ later. 1. Apply custom filters as described above. - ![dashboard_filters_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_filters_thumb_0_0.webp) + ![dashboard_filters_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/dashboard_filters_thumb_0_0.webp) 2. Click Save Configuration. diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/queuedandcustomreports.md b/docs/dataclassification/5.7/ndc/admin/reporting/queuedandcustomreports.md index 7232932f3f..97bfeceb84 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/queuedandcustomreports.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/queuedandcustomreports.md 
@@ -7,7 +7,7 @@ background processes create the report and make it available for download via th dashboard. Reports can be deleted prior to, or after, processing as well as downloaded as many times as necessary. -![queuedreportresult_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/queuedreportresult_thumb_0_0.webp) +![queuedreportresult_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/queuedreportresult_thumb_0_0.webp) ## Plugins for Custom Reports diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/reportingintroduction.md b/docs/dataclassification/5.7/ndc/admin/reporting/reportingintroduction.md index 38ad063daf..0c7de6a273 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/reportingintroduction.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/reportingintroduction.md @@ -11,7 +11,7 @@ The main dashboard has three high level graphs highlighting the current state of - Classification Coverage – Shows the percentage of classified content, broken down by type, and the percentage of content that has not received any auto-classifications: -![reportsdashboard](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/reportsdashboard.webp) +![reportsdashboard](/img/product_docs/dataclassification/ndc/admin/reporting/reportsdashboard.webp) The Classification Distribution graph highlights areas of classification overlap. In the example below the classification “Communications” has been found to be the most highly scoring term that diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/reportsubscriptionsmanage.md b/docs/dataclassification/5.7/ndc/admin/reporting/reportsubscriptionsmanage.md index 9e14cfa26e..208812a30b 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/reportsubscriptionsmanage.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/reportsubscriptionsmanage.md 
@@ -18,7 +18,7 @@ Auto-Classification. 4. Finally, click **Generate**. -![reports_doctagging_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/reports_doctagging_thumb_0_0.webp) +![reports_doctagging_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/reports_doctagging_thumb_0_0.webp) The report will be displayed in the preview pane. @@ -38,7 +38,7 @@ and System reports). To view all templates available to you, open the **Reports** tab and select **Report Templates** on the left. -![reporttemplates](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/reporttemplates.webp) +![reporttemplates](/img/product_docs/dataclassification/ndc/admin/reporting/reporttemplates.webp) To save a report configuration template @@ -47,7 +47,7 @@ To save a report configuration template include data from the specific source). 3. Click the **Save Report Configuration** button. - ![report_template](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/report_template.webp) + ![report_template](/img/product_docs/dataclassification/ndc/admin/reporting/report_template.webp) NOTE: Report configuration templates are saved per user. 
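Review bot: In the `reportsubscriptionsmanage.md` hunk at `@@ -47,7 +47,7 @@`, the rewritten image line keeps the alt text `report_template`, which is just the file name and tells a screen-reader user nothing. The same `report_template.webp` file is referenced in `manage.md` with the alt text `save_report_config`, so the two pages are also inconsistent. Since the line is being touched anyway, suggest a descriptive alt text that matches the step it illustrates, for example the Save Report Configuration button, and using the same text in both files.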
@@ -71,12 +71,12 @@ Subscriptions for report templates enable you to schedule email delivery of a va set of specific search criteria. Subscriptions are helpful if you are a rare guest of Netwrix Data Classification and you only need to get statistics based on individual criteria. For example, an IT manager can easily provide auditors with weekly reports to prove compliance with regulations. -[See Report Subscriptions for more information.](reportsuscriptions.md) +[See Report Subscriptions for more information.](/docs/dataclassification/5.7/ndc/admin/reporting/reportsuscriptions.md) To view existing subscriptions for reports, navigate to the **Report Templates** page on the left and click **View Subscriptions** next to an existing template to view and edit subscriptions. -![managesubscription](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/managesubscription.webp) +![managesubscription](/img/product_docs/dataclassification/ndc/admin/reporting/managesubscription.webp) Checking the **Create a Subscription** box when saving a new report configuration will enable users to create a new subscription. The following options are configured on the **Manage Subscriptions** diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/reportsuscriptions.md b/docs/dataclassification/5.7/ndc/admin/reporting/reportsuscriptions.md index ca98dcfad7..244caa7103 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/reportsuscriptions.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/reportsuscriptions.md 
@@ -8,7 +8,7 @@ manager can easily provide auditors with weekly reports to prove compliance with To view existing subscriptions for reports, navigate to the **Report Templates** page on the left and click **View Subscriptions** next to an existing template to view and edit subscriptions. -![managesubscription](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/managesubscription.webp) +![managesubscription](/img/product_docs/dataclassification/ndc/admin/reporting/managesubscription.webp) Checking the **Create a Subscription** box when saving a new report configuration will enable users to create a new subscription. The following options are configured on the **Manage Subscriptions** diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/review.md b/docs/dataclassification/5.7/ndc/admin/reporting/review.md index ade2b22214..5ef6ff6c8d 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/review.md +++ b/docs/dataclassification/5.7/ndc/admin/reporting/review.md @@ -15,10 +15,10 @@ To browse classification results 2. Select Taxonomy in the dropdown on the left and then expand specific term you are interested in. 3. Switch to Browse tab: - ![browsetab_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) + ![browsetab_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) 4. Click Filter to start browsing your documents. - [See Browse for more information.](../taxonomies/browse.md) + [See Browse for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/browse.md) To review the Document Tagging report diff --git a/docs/dataclassification/5.7/ndc/admin/reporting/topreportscharts.md b/docs/dataclassification/5.7/ndc/admin/reporting/topreportscharts.md index 1b486e36a4..3b2875b600 100644 --- a/docs/dataclassification/5.7/ndc/admin/reporting/topreportscharts.md 
+++ b/docs/dataclassification/5.7/ndc/admin/reporting/topreportscharts.md @@ -5,18 +5,18 @@ the most frequently requested information: - **Dashboard**—Shows a high level overview of Netwrix Data Classification operations statistics. -![reports_main_dashboard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/reports_main_dashboard_thumb_0_0.webp) +![reports_main_dashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/reports_main_dashboard_thumb_0_0.webp) - **Content Distribution** —Allows you to view the distribution of your content in several formats: grouping by source, grouping by taxonomy, or grouping by term. See - [Content Distribution Map](contentdistributionmap.md) for details. + [Content Distribution Map](/docs/dataclassification/5.7/ndc/admin/reporting/contentdistributionmap.md) for details. - **Recent Tagging**—Displays statistics on the tagging results according to the specified filters. To view this data, make sure the "**Auto-Classification Change Log**" feature is enabled, as described above, - **Recent Document Processing**—Displays statistics on the document processing results for the last 7 days. This includes collection, indexing and classification of data in the content sources. -![recent_document_processing_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/recent_document_processing_thumb_0_0.webp) +![recent_document_processing_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/recent_document_processing_thumb_0_0.webp) - Index Analysis—Provides the ability to manually queue items for background index analysis, initially scoped to assist in identifying fuzzy matched duplicate documents. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/addsource.md b/docs/dataclassification/5.7/ndc/admin/sources/addsource.md index 769489f3d3..dfaf249c32 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/addsource.md 
+++ b/docs/dataclassification/5.7/ndc/admin/sources/addsource.md 
@@ -8,20 +8,20 @@ Follow the steps to add a content source. **Step 1 –** In administrative web console, navigate to **Content** →Sources → General and click **Add** to launch the Add source wizard. -![add_source_wizard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/add_source_wizard_thumb_0_0.webp) +![add_source_wizard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/add_source_wizard_thumb_0_0.webp) **Step 2 –** Select the source you need and configure its settings. See detailed instructions for the sources: -- [Box](box/addbox.md) -- [Add Single Database](database/addsingledatabase.md) (Microsoft SQL Server or Oracle database) -- [Dropbox](dropbox/adddropbox.md) -- [Exchange Server](exchangemailbox/exchangeserver.md) or - [Exchange Mailbox](exchangemailbox/exchangemailbox.md) -- [File System](filesystem/overview.md) (includes Folder and File) -- [Google Drive Source](googledrive/addgdsource.md) -- [Outlook Mail Archive](exchangemailbox/outlookmailarchive.md) -- [SharePoint](sharepoint/overview.md) or [SharePoint Online](sharepoint/sharepointonline.md) +- [Box](/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md) +- [Add Single Database](/docs/dataclassification/5.7/ndc/admin/sources/database/addsingledatabase.md) (Microsoft SQL Server or Oracle database) +- [Dropbox](/docs/dataclassification/5.7/ndc/admin/sources/dropbox/adddropbox.md) +- [Exchange Server](/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md) or + [Exchange Mailbox](/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangemailbox.md) +- [File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md) (includes Folder and File) +- [Google Drive Source](/docs/dataclassification/5.7/ndc/admin/sources/googledrive/addgdsource.md) +- [Outlook Mail Archive](/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/outlookmailarchive.md) +- 
[SharePoint](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/overview.md) or [SharePoint Online](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md) All your content sources will be listed in the **Sources** section. @@ -29,4 +29,4 @@ All your content sources will be listed in the **Sources** section. settings are displayed by default. However, some source types have additional configuration options that can be displayed by clicking the Advanced Settings ("wrench" icon). You can allow these advanced settings to be always shown to authorized users. -[Users and Security Settings](../../security/users.md) +[Users and Security Settings](/docs/dataclassification/5.7/ndc/security/users.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md b/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md index 72001550d4..6a29abf3e9 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md 
@@ -7,21 +7,21 @@ By default, configuration window displays basic configuration settings only. It you click the "wrench" icon in the bottom left corner to configure advanced settings. **NOTE:** To configure advanced settings, your user account may need advanced privileges. -[See Users and Security Settings for more information.](../../../security/users.md) +[See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md) -![addbox_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/box/addbox_thumb_0_0.webp) +![addbox_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/box/addbox_thumb_0_0.webp) Configure the following: | Setting | Description | | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Basic settings** | | -| JSON Import | Drag and drop the JSON file with Box app configuration settings that you downloaded at [Step 1. Create the App](../../../configuration/configinfrastructure/box.md#step-1-create-the-app) (see #12). The program then parses this file so that many settings are filled in automatically. | +| JSON Import | Drag and drop the JSON file with Box app configuration settings that you downloaded at [Step 1. 
Create the App](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md#step-1-create-the-app) (see #12). The program then parses this file so that many settings are filled in automatically. | | Enterprise ID | Specifies the internal unique identifier for your Box account (filled in automatically). | -| API Key | _Client ID_ of the Box app created at [Step 1. Create the App](../../../configuration/configinfrastructure/box.md#step-1-create-the-app)(Filled in automatically.) | +| API Key | _Client ID_ of the Box app created at [Step 1. Create the App](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md#step-1-create-the-app)(Filled in automatically.) | | Client Secret | Will be generated when allowing access to the Netwrix Data Classification app. Is also known as the “App Key”. | | Public Key ID Private Key Private Key Password | Created when generating the trust between your Box account, and the Netwrix Data Classification app – these should be kept secret and secure. | -| Write Classifications | Identifies whether classifications should be written back to the Box source documents. Classification results can either be written to classification templates or to the generic ‘tags’ property. This is specified using the **Write Configuration** setting of the source. For more information, see [Use Tagging](../tagging.md) | +| Write Classifications | Identifies whether classifications should be written back to the Box source documents. Classification results can either be written to classification templates or to the generic ‘tags’ property. This is specified using the **Write Configuration** setting of the source. For more information, see [Use Tagging](/docs/dataclassification/5.7/ndc/admin/sources/tagging.md) | | Source Group | Select the source group (if any). | | Pause source on creation | Select if you want to make other configuration changes before collection of the source occurs. | | **Advanced settings** | | 
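Review bot: In the `addbox.md` hunk at `@@ -7,21 +7,21 @@`, the rewritten API Key row still ends the link with `...box.md#step-1-create-the-app)(Filled in automatically.)`, with no space between the closing parenthesis of the link and the parenthetical, so the two run together when rendered. Add the space while the row is being edited. Both rewritten rows also depend on the `#step-1-create-the-app` fragment; please check that the heading in `configinfrastructure/box.md` still generates that anchor, since a broken fragment does not fail as visibly as a broken file path.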
@@ -32,5 +32,5 @@ Configure the following: See also: -- [Configure Box for Crawling](../../../configuration/configinfrastructure/box.md) -- [Manage Sources and Control Data Processing](../manage.md) +- [Configure Box for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md) +- [Manage Sources and Control Data Processing](/docs/dataclassification/5.7/ndc/admin/sources/manage.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/box/managebox.md b/docs/dataclassification/5.7/ndc/admin/sources/box/managebox.md index 168c4b1453..c331f72db8 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/box/managebox.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/box/managebox.md @@ -12,7 +12,7 @@ excluded from processing. For that, do the following: Exclusions. 2. Click **Add**. -![boxexclusions](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/boxexclusions.webp) +![boxexclusions](/img/product_docs/dataclassification/ndc/admin/sources/database/boxexclusions.webp) 3. Click **Filter** and in the **Filter** field specify the objects (files or folders) to exclude: @@ -43,7 +43,7 @@ excluded from processing. For that, do the following: | Has any value | Exclude the document if its metadata field has any value. With this criteria selected, specify **Field Name**. | | Has no values | Exclude the document if metadata field value is not specified. With this criteria selected, specify **Field Name**. | - ![gdrive_exclusion_condition_2_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) + ![gdrive_exclusion_condition_2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) When finished, click **Add**. 
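Review bot: In the `managebox.md` hunk at `@@ -43,7 +43,7 @@`, the Box exclusion page references an image named `gdrive_exclusion_condition_2_thumb_0_0.webp` under `sources/box/`, which the mechanical path rewrite carries over unchanged. Please confirm that the file exists at `/img/product_docs/dataclassification/ndc/admin/sources/box/` and that it shows the Box dialog rather than the Google Drive one. If it is the right screenshot, renaming it in a follow-up would avoid the same question next time.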
@@ -89,6 +89,6 @@ To configure tagging | **Name/ID** or **Class** | Depending on the format, take the term labels, IDs or a combination of both | The corresponding Delimiter must be a string or array type with a maximum length of 3. | | **Prefix/** **Suffix** | Will be appended to the formatted string of classifications. | | -![box_tagging_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/box/box_tagging_thumb_0_0.webp) +![box_tagging_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/box/box_tagging_thumb_0_0.webp) Finally, click **Save**. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/contentconfigurationoverview.md b/docs/dataclassification/5.7/ndc/admin/sources/contentconfigurationoverview.md index 112e09b345..e2f31d4a78 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/contentconfigurationoverview.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/contentconfigurationoverview.md @@ -9,12 +9,12 @@ following areas **Workflows**. **IMPORTANT!** To access the **Sources** area, users require sufficient rights. See the -[User Management](../../security/usermanagement.md) section for more information. +[User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) section for more information. -![content_config_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/content_config_thumb_0_0.webp) +![content_config_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/content_config_thumb_0_0.webp) See next: -- [Content Sources](introduction.md) -- [Taxonomies](../taxonomies/introduction.md) -- [Understanding Workflows](../workflows/overview.md) +- [Content Sources](/docs/dataclassification/5.7/ndc/admin/sources/introduction.md) +- [Taxonomies](/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md) +- [Understanding Workflows](/docs/dataclassification/5.7/ndc/admin/workflows/overview.md) 
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/database/addsingledatabase.md b/docs/dataclassification/5.7/ndc/admin/sources/database/addsingledatabase.md index 12cf44db9c..21410b8cdd 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/database/addsingledatabase.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/database/addsingledatabase.md @@ -11,12 +11,12 @@ are supported only with Latin alphabet. Once connected it is possible to create an intelligent content mapping, crawling certain fields as unstructured index text, and other fields as mapped metadata. For more information please see the -[Database Configuration Wizard](databaseconfigwizard.md) section. +[Database Configuration Wizard](/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md) section. If you wish to make other configuration changes before collection of the source occurs ensure you tick the checkbox "_Pause source on creation_". -![add_database_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/add_database_thumb_0_0.webp) +![add_database_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/database/add_database_thumb_0_0.webp) Complete the following fields: @@ -32,4 +32,4 @@ Complete the following fields: After the source configuration is completed, you will be prompted to lauch SQL crawling configuration wizard. -[See Database Configuration Wizard for more information.](databaseconfigwizard.md) +[See Database Configuration Wizard for more information.](/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md b/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md index 045b41c2c9..6517ca50cf 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md 
+++ b/docs/dataclassification/5.7/ndc/admin/sources/database/databaseconfigwizard.md @@ -65,4 +65,4 @@ At this step, review your database configuration. When the database configuration has been completed you will be redirected to the Advanced Source Configuration, this allows you to define how the database will be crawled. It is possible to crawl either specific tables, or crawl custom queries (defined select statements, which may use JOIN -statements across multiple tables). [See Database for more information.](managedatabase.md) +statements across multiple tables). [See Database for more information.](/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md b/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md index 0975e0efb2..d6fdf11f0a 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md @@ -6,7 +6,7 @@ processing. Do the following: 1. In the management console, click **Sources** →**Exchange Mailbox**, then Collection Exclusion will be displayed. 2. To create an exclusion, click **Add**. -3. ![boxexclusions](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/boxexclusions.webp) +3. ![boxexclusions](/img/product_docs/dataclassification/ndc/admin/sources/database/boxexclusions.webp) 4. In the **Details** window, on the **Filter** tab enter the name of the entity to exclude. Consider the following: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md b/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md index 748c8589ca..f3603452bf 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md 
@@ -55,17 +55,17 @@ The following options are available: You can access the Source Configuration screen by selecting the multi-cog (Advanced Configuration) icon from the sources -grid:![advancedsourceconfiguration](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/advancedsourceconfiguration.webp). +grid:![advancedsourceconfiguration](/img/product_docs/dataclassification/ndc/admin/sources/database/advancedsourceconfiguration.webp). Selecting Edit for one of the tables / queries on the list will redirect you to the entity level configuration, which identifies how content will be mapped into the core index. -![sqlsourceconfiguration_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/sqlsourceconfiguration_thumb_0_0.webp) +![sqlsourceconfiguration_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/database/sqlsourceconfiguration_thumb_0_0.webp) Selecting the Add Query option will present a popup allowing you to select a unique name for the query, as well as the queries to be used for crawling: -![addsqlquery](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/addsqlquery.webp) +![addsqlquery](/img/product_docs/dataclassification/ndc/admin/sources/database/addsqlquery.webp) ### Primary Key Query @@ -90,7 +90,7 @@ Adding the query will take you to the custom query configuration. Here you can u key query and the content query, all other configuration options are described in the Table Configuration section: -![setsqlquery](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/setsqlquery.webp) +![setsqlquery](/img/product_docs/dataclassification/ndc/admin/sources/database/setsqlquery.webp) ### Table Configuration 
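Review bot: the four image links rewritten in this file (advancedsourceconfiguration, sqlsourceconfiguration_thumb_0_0, addsqlquery, setsqlquery) are now root-absolute, `/img/product_docs/...`, so they resolve only where the build serves the static/ directory at the site root. Anywhere the Markdown is rendered relative to the file, such as the repository view, they no longer point at static/img the way the `../` forms did. Please confirm that the build fails on a missing image under these paths. Separately, the touched line in the @@ -55,17 hunk still has the image glued to the text as `grid:![advancedsourceconfiguration](...)`; moving it onto its own line would match the other screenshots in this file.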
@@ -107,4 +107,4 @@ The table configuration allows you to choose how each specific entity will be cr | Modified Filter (Incremental Crawls) | This should be set to a field that defines when a row has changed (the modified date for the row). When set the collection process will automatically filter the re-indexing process to rows that have a modified date that is larger than the last crawl time. | | Re-Index Period | This value is the number of days/hours/minutes that will pass between Re-Indexing. The Re-Indexing process involves querying the table(s) to find new and changed records. | -![sqltableconfiguration_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/database/sqltableconfiguration_thumb_0_0.webp) +![sqltableconfiguration_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/database/sqltableconfiguration_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/dropbox/adddropbox.md b/docs/dataclassification/5.7/ndc/admin/sources/dropbox/adddropbox.md index 2fc39c4541..04a7e88f42 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/dropbox/adddropbox.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/dropbox/adddropbox.md 
@@ -4,9 +4,9 @@ The Dropbox source configuration screen allows you to enable the crawling and cl content stored in Dropbox cloud storage. **IMPORTANT!** Make sure you created App for Dropbox crawling before start adding the source. -[See Configure Dropbox for Crawling for more information.](../../../configuration/configinfrastructure/dropbox.md) +[See Configure Dropbox for Crawling for more information.](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md) -![source_dropbox_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/dropbox/source_dropbox_thumb_0_0.webp) +![source_dropbox_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/dropbox/source_dropbox_thumb_0_0.webp) Complete the following fields: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/dropbox/managedropbox.md b/docs/dataclassification/5.7/ndc/admin/sources/dropbox/managedropbox.md index 074f1edcad..64a0d35352 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/dropbox/managedropbox.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/dropbox/managedropbox.md @@ -16,7 +16,7 @@ To configure exclusions, do the following: left pane click Collection Exclusions. 2. Click **Add**. - ![boxexclusions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/dropbox/boxexclusions_thumb_0_0.webp) + ![boxexclusions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/dropbox/boxexclusions_thumb_0_0.webp) 3. Click **Filter** and in the **Filter** field specify the objects (files or folders) to exclude: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangemailbox.md b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangemailbox.md index 678e00e2a3..e6adb985d5 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangemailbox.md 
+++ b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangemailbox.md 
@@ -18,11 +18,11 @@ specify the following: | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Authentication type | Select **Modern (Exchange Online)** | | Admin Username | Specify the administrative account for the required Exchange Online organization. The user must have a mailbox connected to it in order to crawl Exchange. | -| Tenant ID | Enter the **Tenant ID** you obtained at [Step 5: Obtain Tenant ID](../../../configuration/configinfrastructure/azureappexchangeonlinemfa#step-5-obtain-tenant-id). | -| Certificate thumbprint | Enter the certificate thumbprint you prepared at [Step 4: Configure Certificates & secrets](../../../configuration/configinfrastructure/azureappexchangeonlinemfa#step-4-configure-certificates--secrets). | -| Application ID | Enter the app ID you got at application registration at [Step 2: Create and Register a new app in Azure AD](../../../configuration/configinfrastructure/azureappexchangeonlinemfa#step-2-create-and-register-a-new-app-in-azure-ad) (it can be found in the Azure AD app properties >**Overview**). | +| Tenant ID | Enter the **Tenant ID** you obtained at [Step 5: Obtain Tenant ID](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa#step-5-obtain-tenant-id). | +| Certificate thumbprint | Enter the certificate thumbprint you prepared at [Step 4: Configure Certificates & secrets](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa#step-4-configure-certificates--secrets). 
| +| Application ID | Enter the app ID you got at application registration at [Step 2: Create and Register a new app in Azure AD](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa#step-2-create-and-register-a-new-app-in-azure-ad) (it can be found in the Azure AD app properties >**Overview**). | -![exchangeonline_cfg_modern_auth_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/exchangeonline_cfg_modern_auth_thumb_0_0.webp) +![exchangeonline_cfg_modern_auth_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/exchangeonline_cfg_modern_auth_thumb_0_0.webp) ## Authentication type: Basic @@ -30,7 +30,7 @@ If you plan to use this authentication type, you will need to specify the follow | Option | Description | Comments | | ------------------------ | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Email Address / Password | **Administrator** account that has been assigned both: 1. **Impersonation** right 2. **Discovery Management** role | See [Configure Microsoft Exchange for Crawling and Classification](../../../configuration/configinfrastructure/exchange.md) for details on the rights assignment. | +| Email Address / Password | **Administrator** account that has been assigned both: 1. **Impersonation** right 2. **Discovery Management** role | See [Configure Microsoft Exchange for Crawling and Classification](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md) for details on the rights assignment. | ## Other configuration settings 
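Review bot: the three azureappexchangeonlinemfa links in the @@ -18,11 hunk of this file are converted without a file extension (`.../configinfrastructure/azureappexchangeonlinemfa#step-5-obtain-tenant-id`), whereas the `exchange.md` link in the @@ -30,7 hunk and the same rows in exchangemailbox/exchangeserver.md carry `.md`. Use one form for this target across both pages, so that a link checker treats them the same way and a broken anchor is reported in either file.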
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md index bc7b8e5517..a0a368ca05 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md 
@@ -33,11 +33,11 @@ If you plan to use this authentication type, specify the following: | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Authentication type | Select **Modern (Exchange Online)** | | Admin Username | Specify the administrative account for the required Exchange Online organization. The user must have a mailbox connected to it in order to crawl Exchange. | -| Tenant ID | Enter the **Tenant ID** you obtained at [Step 5: Obtain Tenant ID](../../../configuration/configinfrastructure/azureappexchangeonlinemfa.md#step-5-obtain-tenant-id). | -| Certificate thumbprint | Enter the certificate thumbprint you prepared at [Step 4: Configure Certificates & secrets](../../../configuration/configinfrastructure/azureappexchangeonlinemfa.md). | -| Application ID | Enter the app ID you got at application registration at [Step 2: Create and Register a new app in Azure AD](../../../configuration/configinfrastructure/azureappexchangeonlinemfa.md#step-2-create-and-register-a-new-app-in-azure-ad) (it can be found in the Azure AD app properties >**Overview**). | +| Tenant ID | Enter the **Tenant ID** you obtained at [Step 5: Obtain Tenant ID](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md#step-5-obtain-tenant-id). | +| Certificate thumbprint | Enter the certificate thumbprint you prepared at [Step 4: Configure Certificates & secrets](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md). 
| +| Application ID | Enter the app ID you got at application registration at [Step 2: Create and Register a new app in Azure AD](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md#step-2-create-and-register-a-new-app-in-azure-ad) (it can be found in the Azure AD app properties >**Overview**). | -![exchangeonline_cfg_modern_auth_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/exchangeonline_cfg_modern_auth_thumb_0_0.webp) +![exchangeonline_cfg_modern_auth_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/exchangeonline_cfg_modern_auth_thumb_0_0.webp) ## Authentication type: Basic @@ -45,7 +45,7 @@ If you plan to use this authentication type, you will need to specify the follow | Option | Description | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Email Address / Password | Administrator account that has been assigned the right of Impersonation as well as the Discovery Management role. See [Configure Microsoft Exchange for Crawling and Classification](../../../configuration/configinfrastructure/exchange.md) for details on the rights assignment. | +| Email Address / Password | Administrator account that has been assigned the right of Impersonation as well as the Discovery Management role. See [Configure Microsoft Exchange for Crawling and Classification](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md) for details on the rights assignment. | ## Other configuration settings 
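Review bot: in the @@ -33,11 hunk the Certificate thumbprint row links to `azureappexchangeonlinemfa.md` with no fragment, although its link text names "Step 4: Configure Certificates & secrets" and the Tenant ID and Application ID rows next to it both carry their step anchors. The same row in exchangemailbox/exchangemailbox.md uses `#step-4-configure-certificates--secrets`; adding it here would land the reader on the certificate step instead of the top of the page.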
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/outlookmailarchive.md b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/outlookmailarchive.md index a2c8e160e1..64f98d58bb 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/outlookmailarchive.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/outlookmailarchive.md @@ -6,7 +6,7 @@ classification of content stored in PST files: **NOTE:** If you wish to make other configuration changes before collection of the source occurs ensure you tick the checkbox Pause source on creation. -![add_outlook](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/add_outlook.webp) +![add_outlook](/img/product_docs/dataclassification/ndc/admin/sources/exchangemailbox/add_outlook.webp) Multiple mailboxes can be added at one time via the "+" button. Collection will process all folders / emails / attachments within the mailbox - associating the attachment text with the respective diff --git a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/contentsource.md b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/contentsource.md index d70a862d8d..d0a346c078 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/contentsource.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/contentsource.md 
@@ -26,7 +26,7 @@ Complete the following fields: | Allow anonymous access | This option is used to disable security filtering for selected sources. If unselected, the indexing processes will collect Windows Access Control Lists (ACLs) for the files and search results will be filtered based upon the end user's Windows identity. | | Enable duplicate detection | Select to exclude documents that contain the same text content from the index. | | Write classifications | Select if you wish to write classifications directly into the document properties (DOC/DOCX/XLS/XLSX/PPT/PPTX/PDF). The configuration of which classifications are to be written, as well as the write format, is detailed in the Manage File System section. | -| Text patterns | [See Text Processing for more information.](../../../configuration/texthandling.md) | +| Text patterns | [See Text Processing for more information.](/docs/dataclassification/5.7/ndc/configuration/texthandling.md) | | Re-Index Period | Specifies how often the source should be checked for changes. Netwrix recommends using default values. | | Priority | Netwrix recommends using default values. | | Max Collector Retries | Specify how many retries are attempted before automatically removing items from the index when incremental collection indicates that the file has been deleted. | @@ -37,7 +37,7 @@ Complete the following fields: Alternatively, individual files can be added by using the Files section: -![addfile](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/addfile.webp) +![addfile](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/addfile.webp) When Upload Files is selected the file will be uploaded into the SQL database. This allows an application to present the file to users even if they do not have access to the original file 
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md index f37a55b3ae..c02f02a043 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md @@ -31,7 +31,7 @@ To configure tagging on a global level 3. In the taxonomy properties, enable writing classification attributes (tags) and specify other settings: -![filewriteconfig](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/filewriteconfig.webp) +![filewriteconfig](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/filewriteconfig.webp) | Setting | Description | Note | | ------------------------ | -------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | @@ -63,7 +63,7 @@ To configure tagging on a source level 4. In the taxonomy properties, select the **Enabled** checkbox and specify the settings described in the table above. -![file_source_write_cfg_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/file_source_write_cfg_thumb_0_0.webp) +![file_source_write_cfg_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/file_source_write_cfg_thumb_0_0.webp) ## Configure Inclusions @@ -82,7 +82,7 @@ To specify inclusions, do the following: **NOTE:** Inclusions are case-insensitive. A wildcard (\*) is supported. -![nfs_inclusions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/nfs_inclusions_thumb_0_0.webp) +![nfs_inclusions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/nfs_inclusions_thumb_0_0.webp) ## Configure Exclusions 
@@ -106,7 +106,7 @@ You can also configure the list of file locations to exclude from processing. **NOTE:** Exclusions are case-insensitive. -![file_exclusion_filter_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/file_exclusion_filter_thumb_0_0.webp) +![file_exclusion_filter_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/file_exclusion_filter_thumb_0_0.webp) 3. Optionally, enter a test path to verify the settings and click **Test**. 4. If needed, you can use metadata conditions to restrict when an exclusion filter should be diff --git a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md index 00e6c30320..6fa0ba7b63 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md @@ -4,7 +4,7 @@ Use the Source configuration screen to set up the crawling and classification op stored in your file server. Netwrix Data Classification can process individual files or folders. Select, respectively, **File** or **Folder** at the first screen of the Add content source wizard. -![add_source_wizard_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/add_source_wizard_thumb_0_0.webp) +![add_source_wizard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/add_source_wizard_thumb_0_0.webp) ## Add Folder source 
@@ -15,13 +15,13 @@ Use Folder to add the following content sources: - NFS shares **IMPORTANT!** To add an NFS share, make sure you have configured it for crawling as described in -[Configure NFS File Share for Crawling](../../../configuration/configinfrastructure/nfsfs.md) +[Configure NFS File Share for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md) By default, configuration window displays basic configuration settings only. To configure advanced settings, click the "wrench" icon in the bottom left corner. **NOTE:** To configure advanced settings, your user account will need advanced privileges. -[See Users and Security Settings for more information.](../../../security/users.md) +[See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md) Complete the following fields: 
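Review bot: both links rewritten in this hunk (`configinfrastructure/nfsfs.md` and `security/users.md`) now hard-code the version directory, `/docs/dataclassification/5.7/ndc/...`, where the relative forms they replace were version-independent. If this tree is copied to start the next version's docs, these links will keep resolving into 5.7 and nothing will flag it, so readers of the newer docs would be sent to older privilege and NFS configuration guidance. Either keep same-version links relative or document a path rewrite as part of the version copy.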
@@ -30,13 +30,13 @@ Complete the following fields: | **Basic settings** | | | Folder | Enter the UNC path of the root folder where collection is to start. | | Depth Limit | Specify how many levels the indexing should process. Possible options: - **Exclude Subfolders** - **All Subfolders** (default setting) - **Limit Subfolders** - if selected, specify the required subfolders depth (from 2 to 99) | -| Write classifications | Select if you wish to write classifications directly into the document properties, i.e. use tagging. This applies to DOC/DOCX/XLS/XLSX/PPT/PPTX/PDF. See also [Manage File System](managefilesystem.md). | +| Write classifications | Select if you wish to write classifications directly into the document properties, i.e. use tagging. This applies to DOC/DOCX/XLS/XLSX/PPT/PPTX/PDF. See also [Manage File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md). | | Source Group | Default value recommended. | | Pause source on creation | Select if you want to make other configuration changes before collection of the source occurs. | | **Advanced settings** | | | Username | Specify the account used to process the folder. | | Password | Provide a password for the account specified above. | -| Text Patterns | [See Text Processing for more information.](../../../configuration/texthandling.md) | +| Text Patterns | [See Text Processing for more information.](/docs/dataclassification/5.7/ndc/configuration/texthandling.md) | | Date Filter | Use this calendar control to instruct the program to only crawl the content that has been modified since the specified date. This can be useful for targeting data that is current - in situations where there is a huge volume of content (assuming that the most recent content has the highest risk). | | Anonymous Access Allowed | Select this option to disable security filtering for the content source. 
If cleared, the indexing processes will collect Windows Access Control Lists (ACLs) for the files, and search results will be filtered based upon the end user's Windows identity. | | Duplicate Detection Enabled | Select to exclude duplicates (i.e. documents that contain the same text content) from the index. | @@ -50,13 +50,13 @@ When finished, click **Save**. Use the File section to crawl individual files. -![addfile](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/filesystem/addfile.webp) +![addfile](/img/product_docs/dataclassification/ndc/admin/sources/filesystem/addfile.webp) By default, configuration window displays basic configuration settings only. To configure advanced settings, click the "wrench" icon in the bottom left corner. **NOTE:** To configure advanced settings, your user account will need advanced privileges. -[See Users and Security Settings for more information.](../../../security/users.md) +[See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md) | Option | Description | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -68,7 +68,7 @@ settings, click the "wrench" icon in the bottom left corner. | Password | Provide a password for the account specified above. | | Anonymous Access Allowed | Select this option to disable security filtering for the content source. If cleared, the indexing processes will collect Windows Access Control Lists (ACLs) for the files, and search results will be filtered based upon the end user's Windows identity. | | Upload | If selected, the file will be uploaded into the NDC SQL database. This will allow the program to present the file to users even if they do not have access to the original file location. | -| Text Patterns | [See Text Processing for more information.](../../../configuration/texthandling.md) | +| Text Patterns | [See Text Processing for more information.](/docs/dataclassification/5.7/ndc/configuration/texthandling.md) | | Max Collector Retries | Specify how many retries are attempted before automatically removing items from the index when incremental collection indicates that the file has been deleted. Default is **3** retries. | | Re-Index Period | Specifies how often the source should be checked for changes. Netwrix recommends using default values. Default is **7 days**. | | Priority | Netwrix recommends using default values. | diff --git a/docs/dataclassification/5.7/ndc/admin/sources/googledrive/addgdsource.md b/docs/dataclassification/5.7/ndc/admin/sources/googledrive/addgdsource.md index e04a8938c6..a564d949a9 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/googledrive/addgdsource.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/googledrive/addgdsource.md 
@@ -4,9 +4,9 @@ The Google Drive source configuration screen allows you to enable the crawling a content stored in both G-Suite repositories and Google Drive personal accounts. **IMPORTANT!** Make sure you created App for GDrive crawling prior to start adding the source. -[See Configure G Suite and Google Drive for Crawling for more information.](../../../configuration/configinfrastructure/gdrive.md) +[See Configure G Suite and Google Drive for Crawling for more information.](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md) -![add_gdrive_source_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/googledrive/add_gdrive_source_thumb_0_0.webp) +![add_gdrive_source_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/googledrive/add_gdrive_source_thumb_0_0.webp) Complete the following fields: 
@@ -21,6 +21,6 @@ Complete the following fields: | Project ID | Open the JSON connection file and copy file contents to Project ID field. | | Write Classifications | Select to enable the writing of classifications back to the Google Drive repository. **NOTE:** Any classifications written to Google Drive are stored in custom properties which are not visible to an end user - they are only accessible via the Google Drive APIs. | | OCR Processing Mode | Select documents' images processing mode: - Disabled – documents' images will not be processed. - Default – defaults to the source settings if configuring a path or the global setting if configured on a source. - Normal – images are processed with normal quality settings. - Enhanced – upscale images further to allow more. | -| Advanced Settings | Click the "wrench" icon in the Settings area (![gdrive_advanced_settings](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/googledrive/gdrive_advanced_settings.webp)) at the bottom of the screen to expand the following advanced settings: - Re-Index Period — specifies how often the source should be checked for changes. The number specifies the period in days. - Priority — specifies the priority of content source processing in the service queues. - Document Type — can be used to specify a value which can be used to restrict queries when utilizing the core search index. | +| Advanced Settings | Click the "wrench" icon in the Settings area (![gdrive_advanced_settings](/img/product_docs/dataclassification/ndc/admin/sources/googledrive/gdrive_advanced_settings.webp)) at the bottom of the screen to expand the following advanced settings: - Re-Index Period — specifies how often the source should be checked for changes. The number specifies the period in days. - Priority — specifies the priority of content source processing in the service queues. 
- Document Type — can be used to specify a value which can be used to restrict queries when utilizing the core search index. | | Source Group | Netwrix recommends creating a dedicated source group for Google Drive. | | Pause source on creation | Select if you want to make other configuration changes before collection of the source occurs. | diff --git a/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md b/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md index 328207d98e..18725ae460 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md @@ -51,7 +51,7 @@ To configure tagging on a global level | **Name/ID** or **Class** | Depending on the format, take the term labels, IDs or a combination of both | The corresponding Delimiter must be a string or array type with a maximum length of 3. | | **Prefix/** **Suffix** | Will be appended to the formatted string of classifications. | | -![googledrivewriteconfiguration_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/googledrive/googledrivewriteconfiguration_thumb_0_0.webp) +![googledrivewriteconfiguration_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/googledrive/googledrivewriteconfiguration_thumb_0_0.webp) ## Configure Exclusions 
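Review bot: the image paths in this file do not all sit under the same asset directory. The googledrivewriteconfiguration image in this hunk and the gdrive_exclusion_filter image in the @@ -66,7 hunk below point to `.../admin/sources/googledrive/`, but the @@ -89,7 hunk keeps `gdrive_exclusion_condition_2_thumb_0_0.webp` under `.../admin/sources/box/`. The old relative path had the same `box/` segment, so this is carried over rather than introduced here, but please verify the file really lives under box/ and, if it does, consider moving it beside the other Google Drive screenshots.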
@@ -66,7 +66,7 @@ In the management console, click **Sources** →**Google Drive**, then in the le 1. Click **Filter** tab and in the **Filter** field specify the file locations to exclude from crawling. -![gdrive_exclusion_filter_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/googledrive/gdrive_exclusion_filter_thumb_0_0.webp) +![gdrive_exclusion_filter_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/googledrive/gdrive_exclusion_filter_thumb_0_0.webp) 2. Wildcards can be used anywhere in the exclusion pattern definition as follows: - The asterisk character (\*) - matches any sequence of characters @@ -89,7 +89,7 @@ _gdrive://corp/Year2020/\*.xlsx_ | Has any value | Exclude the document if its metadata field has any value. With this criteria selected, specify **Field Name**. | | Has no values | Exclude the document if metadata field value is not specified. With this criteria selected, specify **Field Name**. | - ![gdrive_exclusion_condition_2_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) + ![gdrive_exclusion_condition_2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) When finished, click **Add**. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/introduction.md b/docs/dataclassification/5.7/ndc/admin/sources/introduction.md index 8d9ae1fb99..c86e1f9772 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/introduction.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/introduction.md 
@@ -7,7 +7,7 @@ For adding and managing content sources, use the **Content Configuration**→Sou Netwrix Data Classification management console. **IMPORTANT!** To access the **Sources** area, users require sufficient rights. See the -[User Management](../../security/usermanagement.md) section for more information. +[User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) section for more information. You can manage the individual content sources or organize them into source groups, which are used as logical containers. @@ -16,5 +16,5 @@ logical containers. See next: -- [Add a Content Source](addsource.md) -- [Manage Sources and Control Data Processing](manage.md) +- [Add a Content Source](/docs/dataclassification/5.7/ndc/admin/sources/addsource.md) +- [Manage Sources and Control Data Processing](/docs/dataclassification/5.7/ndc/admin/sources/manage.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/manage.md b/docs/dataclassification/5.7/ndc/admin/sources/manage.md index de760698e8..e8c00bdc8d 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/manage.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/manage.md @@ -20,7 +20,7 @@ The following commands are available on the **General** tab of the **Sources** s - Re-Classify—Queues a source or item to be re-classified against the latest configured classification rules -**NOTE:** See [Index Maintenance](../utilities/indexmaintenance.md) for more information on these +**NOTE:** See [Index Maintenance](/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md) for more information on these operations. - Pause—Temporarily pauses source content processing 
@@ -30,31 +30,31 @@ operations. Besides, in the source list on the **General** tab you can do the following for selected source: -- [View Results](viewcontent.md) +- [View Results](/docs/dataclassification/5.7/ndc/admin/sources/viewcontent.md) - **Edit** the source details by clicking on the "gear" icon - **View source-specific statistics** by clicking on the "chart" icon - **View detailed information** by clicking on the “i” icon - **Navigate to the source** by clicking on the “link” icon -![sources](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sources.webp) +![sources](/img/product_docs/dataclassification/ndc/admin/sources/sources.webp) **NOTE:** When adding a source or managing source configuration, the most commonly used source settings are displayed by default. However, some source types have additional configuration options that can be displayed by clicking the Advanced Settings ("wrench" icon). You can allow these advanced settings to be always shown to authorized users. -[See Users and Security Settings for more information.](../../security/users.md) +[See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md) ## Modify Source Settings To edit configuration settings for the certain source, select the source and go to the corresponding tab, e.g. **Box** or **SharePoint**. Then you can, in particular, specify **Write configuration** -(i.e. "tagging") settings and apply source-specific parameters. See [Use Tagging](tagging.md) for +(i.e. "tagging") settings and apply source-specific parameters. See [Use Tagging](/docs/dataclassification/5.7/ndc/admin/sources/tagging.md) for more information. 
See also: -- [Database](database/managedatabase.md) -- [Exchange Mailbox](database/exchangemailbox.md) -- [Manage File System](filesystem/managefilesystem.md) -- [ Google Drive](googledrive/managegoogledrive.md) -- [SharePoint](sharepoint/introduction.md) +- [Database](/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md) +- [Exchange Mailbox](/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md) +- [Manage File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md) +- [ Google Drive](/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md) +- [SharePoint](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/narrowdatacollectionsource.md b/docs/dataclassification/5.7/ndc/admin/sources/narrowdatacollectionsource.md index ff85d9284e..6b961b8a6c 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/narrowdatacollectionsource.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/narrowdatacollectionsource.md @@ -11,8 +11,8 @@ This functionality is currently supported for the following source types: See next: -[Exchange Mailbox](database/exchangemailbox.md) +[Exchange Mailbox](/docs/dataclassification/5.7/ndc/admin/sources/database/exchangemailbox.md) -[Manage File System](filesystem/managefilesystem.md) +[Manage File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md) -[ Google Drive](googledrive/managegoogledrive.md) +[ Google Drive](/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/settingadvancedconfiguration.md b/docs/dataclassification/5.7/ndc/admin/sources/settingadvancedconfiguration.md index 2af41aaeee..6c8b61aac1 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/settingadvancedconfiguration.md 
+++ b/docs/dataclassification/5.7/ndc/admin/sources/settingadvancedconfiguration.md @@ -16,7 +16,7 @@ The following option tabs are available: - Source Defaults—Allow you to specify the default custom metadata mapping for the site collection. - Configuration Viewer—Use this simple XML view to examine the raw configuration. -![sharepointadvancedsourceconfiguration_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourceconfiguration_thumb_0_0.webp) +![sharepointadvancedsourceconfiguration_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourceconfiguration_thumb_0_0.webp) ### Understanding custom metadata mappings diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md index c41e5624ef..240a734ca3 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md 
@@ -6,10 +6,10 @@ procedures. In this article, we will cover: -- [Configuring Tagging](../../../configuration/configinfrastructure/spotagging.md) -- [Setting advanced configuration](../settingadvancedconfiguration.md) -- [Configuring subsite and list processing ](../../../configuration/configinfrastructure/sposubsiteandlistprocessing.md) -- [Configuring defaults](../../../configuration/configinfrastructure/spodefaults.md) -- [Managing list of exclusions](managinglistofexclusions.md) -- [Reviewing SharePoint Dashboard](reviewdashboard.md) -- [Working with SharePoint templates](workwithtemplates.md) +- [Configuring Tagging](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md) +- [Setting advanced configuration](/docs/dataclassification/5.7/ndc/admin/sources/settingadvancedconfiguration.md) +- [Configuring subsite and list processing ](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/sposubsiteandlistprocessing.md) +- [Configuring defaults](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spodefaults.md) +- [Managing list of exclusions](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/managinglistofexclusions.md) +- [Reviewing SharePoint Dashboard](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/reviewdashboard.md) +- [Working with SharePoint templates](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/managinglistofexclusions.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/managinglistofexclusions.md index 5fd627ee77..4c19153b4e 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/managinglistofexclusions.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/managinglistofexclusions.md 
@@ -9,7 +9,7 @@ on the left, and click **Add**. To exclude a certain document, enter the page URL with no wildcard indicators (e.g. _http://test.sharepoint.com/sites/documents/excluded%20document.docx_ - ![manage_managing_list_of_exclusions](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/manage_managing_list_of_exclusions.webp) + ![manage_managing_list_of_exclusions](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/manage_managing_list_of_exclusions.webp) You can use wildcards anywhere in the exclusion pattern definition as follows: @@ -35,7 +35,7 @@ on the left, and click **Add**. | Has any value | Exclude the document if its metadata field has any value. With this criteria selected, specify **Field Name**. | | Has no values | Exclude the document if metadata field value is not specified. With this criteria selected, specify **Field Name**. | - ![gdrive_exclusion_condition_2_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) + ![gdrive_exclusion_condition_2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/box/gdrive_exclusion_condition_2_thumb_0_0.webp) When finished, click **Add**. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/overview.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/overview.md index 0d75dea142..93f6ec5157 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/overview.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/overview.md 
@@ -8,7 +8,7 @@ The following versions of SharePoint are supported: 2010, 2013, 2016, 2019 and S If you wish to make other configuration changes before collection of the source occurs ensure you tick the checkbox Pause source on creation. -![addsharepoint](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/addsharepoint.webp) +![addsharepoint](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/addsharepoint.webp) Complete the following fields: 
@@ -18,5 +18,5 @@ Complete the following fields: | Username | Enter username in the following formats: DOMAIN\USERNAME and USERNAME@DOMAIN. | | Write Classifications | Enables synchronization of classifications back to the SharePoint managed metadata fields. The written classifications will be subject to the classification configuration for the site collection. | | OCR Processing Mode | Select documents' images processing mode: - Disabled – documents' images will not be processed. - Default – defaults to the source settings if configuring a path or the global setting if configured on a source. - Normal – images are processed with normal quality settings. - Enhanced – upscale images further to allow more. | -| Re-Index Period | Specifies how often the source should be checked for changes. The number specifies the period in days. **NOTE:** Netwrix Data Classification monitors site collections to detect when a document is added/modified. These will then be queued for reprocessing. The source will still be checked for changes based on the re-index period in case any updates are not received. [See Manage Sources and Control Data Processing for more information.](../manage.md) | +| Re-Index Period | Specifies how often the source should be checked for changes. The number specifies the period in days. **NOTE:** Netwrix Data Classification monitors site collections to detect when a document is added/modified. These will then be queued for reprocessing. The source will still be checked for changes based on the re-index period in case any updates are not received. [See Manage Sources and Control Data Processing for more information.](/docs/dataclassification/5.7/ndc/admin/sources/manage.md) | | Document Type | Specify a value which can be used to restrict queries when utilizing the Netwrix Data Classification search index. | 
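Review bot: In the Re-Index Period row of `sharepoint/overview.md` (`@@ -18,5 +18,5 @@`), the link text is still the whole sentence, `[See Manage Sources and Control Data Processing for more information.]`. Since the row is being rewritten anyway, link only the topic title and leave the rest as plain text, the form `introduction.md` already uses for "See the [User Management](...) section for more information."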
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/remoteeventreceivers.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/remoteeventreceivers.md index 15be5ca1eb..54bbe3d33a 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/remoteeventreceivers.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/remoteeventreceivers.md @@ -13,11 +13,11 @@ To deploy Remote Event Receivers: 1. Navigate to **Sources**→SharePoint→Settings→Deploy Remote Event Receivers. - ![deployingremoteevents__thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/deployingremoteevents__thumb_0_0.webp) + ![deployingremoteevents__thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/deployingremoteevents__thumb_0_0.webp) 2. Select **Add** to add the path. The **Details** panel displays. - ![deployingremoteevents_2_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/deployingremoteevents_2_thumb_0_0.webp) + ![deployingremoteevents_2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/deployingremoteevents_2_thumb_0_0.webp) 3. Select **Save**. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/reviewdashboard.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/reviewdashboard.md index 1364a5904f..26eba15e8c 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/reviewdashboard.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/reviewdashboard.md 
@@ -1,7 +1,7 @@ # Reviewing SharePoint Dashboard The SharePoint dashboard is similar to the main reporting dashboard, with the results filtered to -SharePoint types. See [Operations and Health Dashboards](../../reporting/dashboards.md) for more +SharePoint types. See [Operations and Health Dashboards](/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md) for more information on the reporting dashboard. To open the SharePoint dashboard: @@ -15,4 +15,4 @@ Here you can examine: - **Classification coverage** diagram that identifies the percentage of content that has had classifications applied, and the percentage that has not. -![sharepointdashboard_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/sharepointdashboard_thumb_0_0.webp) +![sharepointdashboard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/sharepointdashboard_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md index 5d0f7f9a03..bb12ec9d21 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md 
@@ -13,9 +13,9 @@ information please review the associated templating guide. To crawl the data within SharePoint Online, you need to enable Multi-Factor Authentication: -- [Accessing SharePoint Online Using Modern Authentication](../../../configuration/configinfrastructure/spomodernauth.md) +- [Accessing SharePoint Online Using Modern Authentication](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spomodernauth.md) -![addsharepointonline_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/addsharepointonline_thumb_0_0.webp) +![addsharepointonline_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/sharepoint/addsharepointonline_thumb_0_0.webp) Complete the following fields: 
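Review bot: In `sharepointonline.md` (`@@ -13,9 +13,9 @@`), the lead-in says you need to enable Multi-Factor Authentication, but the only link under it is titled "Accessing SharePoint Online Using Modern Authentication". Those are not the same requirement for the crawl account, and the hunk rewrites the link while leaving the mismatch in place. Please confirm which one the product needs and align the sentence with the linked topic in this change.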
@@ -25,7 +25,7 @@ Complete the following fields: | Username | Enter username in the following formats: DOMAIN\USERNAME and USERNAME@DOMAIN. | | Password | Enter you password for SharePoint Online. | | Match Rules | Enter the site collections' path for crawling the documents. At least one match rule must be included. Match rules are regular expressions, for example, https:\/\/example.sharepoint.com\/sites\/. | -| Classification template | Specify the required Classification template for writing classifications. See the [Enable Write Classifications](../../taxonomies/enablewriteclassifications.md) and [Working with SharePoint templates](workwithtemplates.md) topics for more information. | +| Classification template | Specify the required Classification template for writing classifications. See the [Enable Write Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md) and [Working with SharePoint templates](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md) topics for more information. | | Detection Period | Specify how often you will detect new site collections. Default period is 1 day and 0 hour(s). | After configuring the settings, click the **Save** button. diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md index c6a04889d8..ff11abffd3 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/workwithtemplates.md 
@@ -10,7 +10,7 @@ source onto others. First you manually configure one source. Then you save that you apply that template to other sources. To get more details about the tagging function, review the -[Configuring Tagging](../../../configuration/configinfrastructure/spotagging.md) article. +[Configuring Tagging](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md) article. In this article, we will cover: @@ -23,7 +23,7 @@ In this article, we will cover: ## Setting up prerequisites As part of configuring tagging, make sure you have set the prerequisites, specified in the -[Configuring Tagging](../../../configuration/configinfrastructure/spotagging.md) article. +[Configuring Tagging](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md) article. ## Using SharePoint API diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/exchange.md b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/exchange.md index c2d5f80ee6..ca41818f7c 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/exchange.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/exchange.md @@ -4,7 +4,7 @@ This section contains information on how to configure Exchange and Exchange Onli groups. Toggle between Basic and Advanced configuration settings by clicking the icons in the Settings button in the bottom left corner of the page. -![dynamicsourcegroupex](../../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupex.webp) +![dynamicsourcegroupex](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupex.webp) The following options can be configured for Exchange Dynamic Source Groups: 
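Review bot: In `dynamicsourcegroups/exchange.md` (`@@ -4,7 +4,7 @@`), the image reference moves from a repository-relative path under `static/img/` to the root-absolute `/img/product_docs/...`. That resolves only if the build serves `static/` from the site root, and it will not resolve when the Markdown is viewed directly in the repository. Please confirm the build fails on a missing image, since a mistyped `/img/` path would otherwise ship as a broken screenshot.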
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/file.md b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/file.md index 05c2b9e2da..c2ec2148b9 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/file.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/file.md @@ -4,7 +4,7 @@ This section contains information on how to configure File Servers dynamic sourc between Basic and Advanced configuration settings by clicking the icons in the Settings button in the bottom left corner of the page. -![dynamicsourcegroupfs](../../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupfs.webp) +![dynamicsourcegroupfs](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupfs.webp) The following options can be configured for File Servers Dynamic Source Groups: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/googledrive.md b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/googledrive.md index 7e0e450049..451a804b0a 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/googledrive.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/googledrive.md 
@@ -4,7 +4,7 @@ This section contains information on how to configure Google Drive dynamic sourc between Basic and Advanced configuration settings by clicking the icons in the Settings button in the bottom left corner of the page. -![dynamicsourcegroupgd](../../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupgd.webp) +![dynamicsourcegroupgd](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupgd.webp) The following options can be configured for File Servers Dynamic Source Groups: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/sharepoint.md b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/sharepoint.md index cdbf745bb6..6a4d0b685a 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/sharepoint.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/sharepoint.md @@ -4,7 +4,7 @@ This section contains information on how to configure SharePoint Online dynamic Toggle between Basic and Advanced configuration settings by clicking the icons in the Settings button in the bottom left corner of the page. -![dynamicsourcegroupspo](../../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupspo.webp) +![dynamicsourcegroupspo](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/dynamicsourcegroups/dynamicsourcegroupspo.webp) The following options can be configured for SharePoint Online Dynamic Source Groups: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/overview.md b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/overview.md index 325eb7363b..fe132aa9fe 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/overview.md 
+++ b/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/overview.md @@ -4,7 +4,7 @@ Source groups provide a way of logically grouping specific sources, perhaps by t an internal business specification. Selecting the option Add to Group on the main sources grid screen will present the following pop-up: -![addtogroup](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/addtogroup.webp) +![addtogroup](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/addtogroup.webp) A group can either be "mixed", which allows it to contain all source types, or source specific. In the example above a group would be created entitled "Demo Content", which only supports the addition @@ -14,7 +14,7 @@ drop-down list provided. See Dynamic Source Groups for more information. Selecting the cog icon on the main sources grid screen for a source group allows you to amend the group settings: -![editgroup](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/editgroup.webp) +![editgroup](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/editgroup.webp) Here you can: @@ -32,7 +32,7 @@ Here you can: entire document. After this you can run a workflow to remove the old data, using **Document Age** option. Unlike Discovery Mode, you can still run workflows if the workflow is triggered solely by metadata. To learn more, go - to[Step 3. Specify Conditions for Processing](../../workflows/step3specifyconditions.md) article. + to[Step 3. Specify Conditions for Processing](/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md) article. Deleting a group will remove all existing items from the group leaving them unassigned. You can also remove a specific source(s) from a group by selecting the source group in the grid and then 
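Review bot: In `sourcegroups/overview.md` (`@@ -32,7 +32,7 @@`), the rewritten line still reads `to[Step 3. Specify Conditions for Processing](...)` with no space between "to" and the link, so the rendered text runs together. Add the space in the same edit: `to [Step 3. Specify Conditions for Processing](...)`.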
@@ -48,7 +48,7 @@ By going to the Settings of the Source Group, you can: **NOTE:** The Apply changes to all sources in Source Group option is available when you have more than one source in a source group. - ![source_groups_settings](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/source_groups_settings.webp) + ![source_groups_settings](/img/product_docs/dataclassification/ndc/admin/sources/sourcegroups/source_groups_settings.webp) ## Dynamic Source Groups @@ -57,7 +57,7 @@ accessed through the Add page in the Auto-Detect a Set of Sources section. Each will have different options depending on which one is being configured. The Dynamic Source Groups are: -- [Dynamic Source Groups — Exchange](dynamicsourcegroups/exchange.md) -- [Dynamic Source Groups — File Servers](dynamicsourcegroups/file.md) -- [Dynamic Source Groups — Google Drive Organization](dynamicsourcegroups/googledrive.md) -- [Dynamic Source Groups — SharePoint Online](dynamicsourcegroups/sharepoint.md) +- [Dynamic Source Groups — Exchange](/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/exchange.md) +- [Dynamic Source Groups — File Servers](/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/file.md) +- [Dynamic Source Groups — Google Drive Organization](/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/googledrive.md) +- [Dynamic Source Groups — SharePoint Online](/docs/dataclassification/5.7/ndc/admin/sources/sourcegroups/dynamicsourcegroups/sharepoint.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md index 9a816d9e69..10c1ea0e10 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md 
@@ -11,13 +11,13 @@ To crawl SQL server: 1. Go to **Content → Sources** and select **Add**. 2. Select **SQL Server**. -3. Specify [MS SQL Server](mssqlserver.md) or [Oracle Server](oracleserver.md). +3. Specify [MS SQL Server](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/mssqlserver.md) or [Oracle Server](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/oracleserver.md). - ![sqlserver_source](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source.webp) + ![sqlserver_source](/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source.webp) 4. Select Save. You can then review summary, text, metadata, classifications, and properties of your crawling by selecting information icon against your server. You can also build the report for more details. -![sqlserver_source2](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source2.webp) +![sqlserver_source2](/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source2.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/mssqlserver.md b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/mssqlserver.md index 4becdf61ec..75fc6bed01 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/mssqlserver.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/mssqlserver.md 
@@ -1,14 +1,14 @@ # MS SQL Server Once you choose to add SQL server source, you opt to add MS SQL server as a source. For more -information, go to the main article[SQL Server ](addsqlserversource.md). +information, go to the main article[SQL Server ](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md). To connect to a MS SQL server: 1. On the **Source Configuration** screen, select **MS SQL**. 2. Specify MS SQL server. - ![sqlserver_source3](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source3.webp) + ![sqlserver_source3](/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source3.webp) 3. Specify Authentication method: diff --git a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/oracleserver.md b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/oracleserver.md index 3c9dbc1d4f..1d25ca8084 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/oracleserver.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/oracleserver.md @@ -1,13 +1,13 @@ # Oracle Server Once you choose to add SQL server source, you opt to add Oracle server as a source. For more -information, go to the main article[SQL Server ](addsqlserversource.md). +information, go to the main article[SQL Server ](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md). To connect to an Oracle server: 1. On the **Source Configuration** screen, select **Oracle**. 2. Specify Oracle server, username, Container DB Service Name, and Oracle password. - ![sqlserver_source](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source.webp) + ![sqlserver_source](/img/product_docs/dataclassification/ndc/admin/sources/sqlserver/sqlserver_source.webp) 3. Select Save. 
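Review bot: In `oracleserver.md` (`@@ -1,13 +1,13 @@`), step 2 (Oracle server, username, Container DB Service Name, password) keeps `sqlserver_source.webp`, the same file `addsqlserversource.md` uses for its source-type selection step, while `mssqlserver.md` uses `sqlserver_source3.webp` for its own server step. Please check that the Oracle step shows the intended screenshot. The added line also keeps `article[SQL Server ](...)`, which needs a space before the link and none inside the link text.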
diff --git a/docs/dataclassification/5.7/ndc/admin/sources/tagging.md b/docs/dataclassification/5.7/ndc/admin/sources/tagging.md index 10697b6cd4..9eb6431d23 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/tagging.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/tagging.md @@ -37,8 +37,8 @@ tagging will occur with partial/incorrect configuration settings. To learn how to set up tagging for the certain content sources, refer to related sections of these chapters: -- [Box](box/managebox.md) -- [Database](database/managedatabase.md) -- [Manage File System](filesystem/managefilesystem.md) -- [ Google Drive](googledrive/managegoogledrive.md) -- [SharePoint](sharepoint/introduction.md) +- [Box](/docs/dataclassification/5.7/ndc/admin/sources/box/managebox.md) +- [Database](/docs/dataclassification/5.7/ndc/admin/sources/database/managedatabase.md) +- [Manage File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/managefilesystem.md) +- [ Google Drive](/docs/dataclassification/5.7/ndc/admin/sources/googledrive/managegoogledrive.md) +- [SharePoint](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/introduction.md) diff --git a/docs/dataclassification/5.7/ndc/admin/sources/viewcontent.md b/docs/dataclassification/5.7/ndc/admin/sources/viewcontent.md index dc4685c957..0254300c29 100644 --- a/docs/dataclassification/5.7/ndc/admin/sources/viewcontent.md +++ b/docs/dataclassification/5.7/ndc/admin/sources/viewcontent.md 
@@ -14,17 +14,17 @@ content (_Size_), status, etc. To browse the whole structure of the crawled content, click on the items in the list. It is also possible to filter the list by any field. -![pages_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/pages_thumb_0_0.webp) +![pages_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/sources/pages_thumb_0_0.webp) - Each document has an associated status (shown as the ID). Click the numeric ID to read the status description: -![status](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/status.webp) +![status](/img/product_docs/dataclassification/ndc/admin/sources/status.webp) - Click the "Info" icon for the document/item to view its **Properties**, including summary, classifications (if any), etc.: -![classifications](../../../../../../static/img/product_docs/dataclassification/ndc/admin/sources/classifications.webp) +![classifications](/img/product_docs/dataclassification/ndc/admin/sources/classifications.webp) - For content sources that support writing the classifications back to the source system, i.e. "_tagging_" (e.g. such as writing classifications to SharePoint managed metadata fields): diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md index 1dfbdafc5b..6864374330 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md @@ -3,7 +3,7 @@ ## Uploading Default Taxonomy For the full list of supported taxonomies, refer to -[Built-in Taxonomies Overview ](builtintaxonomies.md). +[Built-in Taxonomies Overview ](/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md). 1. In administrative web console, navigate to Taxonomies > Global Settings. 2. Navigate to Loaded Taxonomies, select Add Taxonomies. 
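Review bot: In `taxonomies/add.md` (`@@ -3,7 +3,7 @@`), the link text keeps its trailing space, `[Built-in Taxonomies Overview ](...)`, so the rendered link ends with a space before the period. Trim it to `[Built-in Taxonomies Overview](...)` while the line is being changed.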
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/addclue.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/addclue.md index ae3ec8f168..711cd8619a 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/addclue.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/addclue.md @@ -10,7 +10,7 @@ below: When ready, click **Insert** on the right. -![doccounts_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/doccounts_thumb_0_0.webp) +![doccounts_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/doccounts_thumb_0_0.webp) ## Clue Body @@ -46,7 +46,7 @@ Example: A class called _Global Warming_ may have the following clues: - CO2 Emissions - Pollution -![clueterminfo](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/clueterminfo.webp) +![clueterminfo](/img/product_docs/dataclassification/ndc/admin/taxonomies/clueterminfo.webp) To disable stemming, use double quotes around single words. @@ -82,7 +82,7 @@ classified against a category unless it matches all of the mandatory clues. The mandatory clue selector is denoted by the \* icon: -![mandatoryclue](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mandatoryclue.webp) +![mandatoryclue](/img/product_docs/dataclassification/ndc/admin/taxonomies/mandatoryclue.webp) ## Using the Local Option @@ -91,7 +91,7 @@ user to restrict a clue purely to the current Term Set. **NOTE:** This option is only available for reused terms (SharePoint Term Sets). -![localclue](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/localclue.webp) +![localclue](/img/product_docs/dataclassification/ndc/admin/taxonomies/localclue.webp) - Once this option is selected, it will not be possible to amend the clue from any other Term Set that contains the re-used Term. 
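Review bot: In the `addclue.md` hunk at `@@ -91,7 +91,7 @@`, the image keeps the file-name slug `localclue` as its alt text, and the earlier hunks in this file do the same with `mandatoryclue` and `clueterminfo`. Alt text is what screen readers and broken-image fallbacks show, so a slug tells the reader nothing. Since every image line is being rewritten, replace the slug with a short description of what the screenshot shows, for example the Local option selector on a clue.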
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/additionalconfiguration.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/additionalconfiguration.md index 51ba98b8a9..d7fbfee19d 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/additionalconfiguration.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/additionalconfiguration.md 
@@ -5,8 +5,8 @@ additional information: | Tab | Description | | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Graph | The Graph tab shows a graphical representation of classification intersection points. ![taxonomygraph_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomygraph_thumb_0_0.webp) In the example above 6721 documents are tagged with "Medium (100kb-1Mb)", 1254 of these documents are also tagged with "HTML". It's also possible to see that there are 3517 documents that are tagged with both "HTML" and "English" (highlighted by the dashed links). | +| Graph | The Graph tab shows a graphical representation of classification intersection points. ![taxonomygraph_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomygraph_thumb_0_0.webp) In the example above 6721 documents are tagged with "Medium (100kb-1Mb)", 1254 of these documents are also tagged with "HTML". It's also possible to see that there are 3517 documents that are tagged with both "HTML" and "English" (highlighted by the dashed links). | | Info | The Info tab displays the term description (aka Scope Notes) for each preferred term. The Description field is often populated automatically when an external taxonomy is imported automatically using the Scope Notes. | -| Logs | All changes made to a term are recorded. 
The change history may be viewed from the Logs Tab: ![termlogs](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termlogs.webp) | -| User Edits | When auto-classifications are amended in SharePoint the user edits are recorded in the SQL database, these can later be reviewed to identify terms that require review: ![useredits](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/useredits.webp) | -| User Suggestions | An optional interface can be enabled to allow users to suggest new terms for the termset hierarchy (http://netwrixdataclassificationserver/conceptQS/Taxonomies/TermSuggest.aspx). Suggestions can trigger automatic notifications to taxonomy administrators, as well as being recorded in the database for later review on the "User Suggestions" tab: ![usersuggestions_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/usersuggestions_thumb_0_0.webp) | +| Logs | All changes made to a term are recorded. The change history may be viewed from the Logs Tab: ![termlogs](/img/product_docs/dataclassification/ndc/admin/taxonomies/termlogs.webp) | +| User Edits | When auto-classifications are amended in SharePoint the user edits are recorded in the SQL database, these can later be reviewed to identify terms that require review: ![useredits](/img/product_docs/dataclassification/ndc/admin/taxonomies/useredits.webp) | +| User Suggestions | An optional interface can be enabled to allow users to suggest new terms for the termset hierarchy (http://netwrixdataclassificationserver/conceptQS/Taxonomies/TermSuggest.aspx). Suggestions can trigger automatic notifications to taxonomy administrators, as well as being recorded in the database for later review on the "User Suggestions" tab: ![usersuggestions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/usersuggestions_thumb_0_0.webp) | 
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/browse.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/browse.md index c5d95b41c3..9fc525e337 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/browse.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/browse.md @@ -2,7 +2,7 @@ To view the documents classified for each term, click on the Browse tab. This will display a list of documents achieving the minimum score set for classification in the term. -[See Classification Rules (Clues) for more information.](clues.md) +[See Classification Rules (Clues) for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md) **NOTE:** This list will include the current classification status of each document and any changes made to the class, since the last classification, are not taken into account. @@ -24,8 +24,8 @@ You can use the Browse function to: example, changing the mode to "Low Scoring Documents `<20%`" for a term with a threshold of 50 will find any documents that scored between 50 and 60. -![browsetab_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) +![browsetab_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) To restrict the browsing scope, you can either add a URL filter, or add a custom filter, as well as select to show document movements. These options are configured in the same way as for -[Search Documents by Clue](search.md). +[Search Documents by Clue](/docs/dataclassification/5.7/ndc/admin/taxonomies/search.md). diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md index 56d48d1195..9eb1a82952 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md 
@@ -14,7 +14,7 @@ requirements of specific data protection regulations: This section contains the full list of built-in taxonomies supported by Netwrix Data Classification. **NOTE:** Netwrix Data Classification users can see only the taxonomies they have permissions to -use. See the [User Management](../../security/usermanagement.md) section for more information on +use. See the [User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) section for more information on users' permissions. ## Core Taxonomies @@ -173,16 +173,16 @@ the sensitivity settings for the pre-defined taxonomies. Follow the steps to specify sensitive taxonomy. -**Step 1 –** Add a new taxonomy. See the [Add a Taxonomy](add.md) topic for additional information. +**Step 1 –** Add a new taxonomy. See the [Add a Taxonomy](/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md) topic for additional information. **Step 2 –** Navigate to Taxonomies > Global Settings > Edit. The **Edit** panel displays. **Step 3 –** Select Sensitive Taxonomy. -![standalonetaxonomies_sensitive](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/standalonetaxonomies_sensitive.webp) +![standalonetaxonomies_sensitive](/img/product_docs/dataclassification/ndc/admin/taxonomies/standalonetaxonomies_sensitive.webp) **Step 4 –** Click **Save**. To view the results of the classification and generate sensitivity reports, go to Analysis > Reports > Classification Reports > Sensitive Documents. See the -[Classification Reports](../reporting/classificationreports.md) topic for additional information. +[Classification Reports](/docs/dataclassification/5.7/ndc/admin/reporting/classificationreports.md) topic for additional information. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkedit.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkedit.md index 1552ec1c4e..f21fb26b25 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkedit.md 
+++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkedit.md @@ -2,7 +2,7 @@ The Bulk Edit link can be used to make changes to several clues at one time: -![bulkedit](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkedit.webp) +![bulkedit](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkedit.webp) When this link is used the form changes into a grid editor and many values can be changes and saved in a single operation. To alter the Mandatory or Is Local settings for all terms quickly simply @@ -11,4 +11,4 @@ click the header text to toggle all checkboxes between enabled / disabled. It is also possible to preview the changes made whilst in the bulk editor. The Preview functionality provides an indication of the number of documents affected, and the resultant score change: -![bulkeditpreview](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkeditpreview.webp) +![bulkeditpreview](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkeditpreview.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkimport.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkimport.md index a337775050..133f334b3c 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkimport.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkimport.md @@ -4,6 +4,6 @@ Clues can also be imported in bulk from an Excel Spreadsheet (or input in bulk m spreadsheet should contain 3 columns: Type (Standard, Case-Sensitive, Wildcard Phrasematch or Metadata), Clue Text and Score: -![cluesbulkimport](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluesbulkimport.webp) +![cluesbulkimport](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluesbulkimport.webp) The Bulk Insert link is available on the Clues tab below the main entry grid. 
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md index a78465f7c2..f9697705e0 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md @@ -6,12 +6,12 @@ Follow the steps to review the calculations for taxonomy: 2. Choose the required taxonomy. 3. Select Browse. - ![calculationscalculatoricon](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/calculationscalculatoricon.webp) + ![calculationscalculatoricon](/img/product_docs/dataclassification/ndc/admin/taxonomies/calculationscalculatoricon.webp) 4. On the classified file, click the Calculator icon. You shall see how the classification scores are calculated. - ![calculations](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/calculations.webp) + ![calculations](/img/product_docs/dataclassification/ndc/admin/taxonomies/calculations.webp) This will show the classification calculation using the latest clues definition. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md index 1370222c76..d26f9acc17 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md @@ -5,7 +5,7 @@ type, and language. To see the current classifications for a selected document click the Classification link: -![classifications_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/classifications_thumb_0_0.webp) +![classifications_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/classifications_thumb_0_0.webp) Classifications are clickable – clicking the link will select the relevant term in the taxonomy tree view. 
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md index 65b0f9d4a5..2c7792ad96 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md @@ -15,7 +15,7 @@ the following languages: - German - Spanish - ![predefined_clues](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/predefined_clues.webp) + ![predefined_clues](/img/product_docs/dataclassification/ndc/admin/taxonomies/predefined_clues.webp) Users can easily extend the out-of-the-box classification rules by adding relevant keywords and terms in other languages. @@ -24,7 +24,7 @@ In addition, there are predefined classification rules for various national iden registration numbers. These rules typically look for ID patterns supplemented by related keywords for better classification precision. -![clues_1](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_1.webp) +![clues_1](/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_1.webp) These rules are provided for the following countries (coverage varies): @@ -51,7 +51,7 @@ These rules are provided for the following countries (coverage varies): To work with the clues, select the required subnode (terms set) under the taxonomy tree on the left and then select Clues on the right: -![taxonomyclues_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyclues_thumb_0_0.webp) +![taxonomyclues_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyclues_thumb_0_0.webp) - For each clue in the list, you can view and manage its type, score, and other properties. - To add a new clue, go to the topmost row in the list and specify its properties. 
@@ -61,7 +61,7 @@ and then select Clues on the right: Click the Doc Counts link in the top right corner to get the number of documents that match the word / phrase used within the clue: -![doccounts](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/doccounts.webp) +![doccounts](/img/product_docs/dataclassification/ndc/admin/taxonomies/doccounts.webp) ## Suggested Clues @@ -88,6 +88,6 @@ support for stemming and/or stop-word analysis: See also: -[Types of Clues](cluestypes.md) +[Types of Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md) -[Manage Clues](manageclues.md) +[Manage Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/manageclues.md) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md index 2e5626e872..c714bc1299 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md @@ -38,11 +38,11 @@ A clue based on document metadata, with matching based on: Helpers are provided to format metadata clues, to activate the helper simply select the appropriate icon for the desired clue type (numeric, date, and basic): -![metadatacluehelpers](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/metadatacluehelpers.webp) +![metadatacluehelpers](/img/product_docs/dataclassification/ndc/admin/taxonomies/metadatacluehelpers.webp) The date helper supports assisting in the creation of both static and dynamic date clues: -![createdateclue](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/createdateclue.webp) +![createdateclue](/img/product_docs/dataclassification/ndc/admin/taxonomies/createdateclue.webp) Both field and value are case-insensitive for metadata matches. Wildcard matches must included a \* character before the equals sign (as shown in the example above). 
@@ -181,7 +181,7 @@ the "Case-Insensitive Regex Processing" mode, this setting can be found in Confi Definitions of the required syntax for regular expressions can be found in many places, including Microsoft: -[Regular Expression Syntax](). +[Regular Expression Syntax](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/ae5bf541(v=vs.100)). The following example clue matches US Social Security Numbers found anywhere in the document text: @@ -250,7 +250,7 @@ _Follow the steps to add a validation check._ 3. Select the desired check **Type** from the drop-down list, and specify other settings depending on the type. - ![clues_regexp_validationcheck](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_regexp_validationcheck.webp) + ![clues_regexp_validationcheck](/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_regexp_validationcheck.webp) 4. Click Save. @@ -295,7 +295,7 @@ Follow the steps to use **Proximity Match** feature. **NOTE:** This option applies directly to the term/clue and cannot be used for the Term Boost calculation. - ![clues_regex_proximity](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_regex_proximity.webp) + ![clues_regex_proximity](/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_regex_proximity.webp) ## Required Terms clue @@ -311,7 +311,7 @@ The valid entries for this type of clue are: A tree view control makes selecting the required class easy: -![requiredterm](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/requiredterm.webp) +![requiredterm](/img/product_docs/dataclassification/ndc/admin/taxonomies/requiredterm.webp) For example, suppose that we have a topic _Pensions_ with two children: 
@@ -331,14 +331,14 @@ This is most often used when a complex class is implemented using several child classes. Basically, you would want to apply these clues to refer to the other term or taxonomy and review the score for each term, not drilling down to each term. Review the example: -![termboostclue_int](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_int.webp) +![termboostclue_int](/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_int.webp) In a tree view you can find the list of terms, which are displayed in the Term boost list to the right. This way you can review or edit the average score for each term. Use the tree view control below to select boosting classes easy. -![termboost](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termboost.webp) +![termboost](/img/product_docs/dataclassification/ndc/admin/taxonomies/termboost.webp) The score may be entered as a number (if a fixed boost is required regardless of the source term’s score) or as a percentage (if the boost score is to be calculated as a percentage of the source @@ -347,7 +347,7 @@ term’s score). When referencing a specific node it is also possible to include all of the levels of that nodes descendants at once. -![termboostclue_allterms](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_allterms.webp) +![termboostclue_allterms](/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_allterms.webp) At classification time if the referenced node or any of its descendants (up to the configured level) reach their threshold then the term boost will be applied. 
@@ -358,7 +358,7 @@ tagging for your taxonomy. For example, you have UK ZIP code, which was tagged a Tagging** before. It doesn't qualify as sensitive for your Confidential term. Therefore, you can apply this feature. -![termboostclue_exludenotavailablefortagging_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_exludenotavailablefortagging_thumb_0_0.webp) +![termboostclue_exludenotavailablefortagging_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/termboostclue_exludenotavailablefortagging_thumb_0_0.webp) ## Language Clues @@ -368,7 +368,7 @@ language as a filter on classification. For example, if you create a new class and want documents to be classified only if they are written in a Scandinavian language then you would create a Language clue, like this: -![languageclue](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/languageclue.webp) +![languageclue](/img/product_docs/dataclassification/ndc/admin/taxonomies/languageclue.webp) ## Static Clues diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/create.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/create.md index cc7ce5c791..aa8c6cc04f 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/create.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/create.md @@ -11,7 +11,7 @@ To create an SQL taxonomy **NOTE:** Taxonomy name should be unique among all SQL taxonomies. -![createsqltaxonomy_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/createsqltaxonomy_thumb_0_0.webp) +![createsqltaxonomy_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/createsqltaxonomy_thumb_0_0.webp) [](#)Importing Taxonomies 
@@ -26,35 +26,35 @@ import options: - Load—Certain taxonomies are provided out-of-the-box these can be fully used as part of the product or simply used as a reference for regular expression and metadata clues. -![addtaxonomies](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) +![addtaxonomies](/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) [](#)Merge SQL Taxonomies SQL taxonomies also be easily merged / updated from the Global Settings page. Select the Update link for the taxonomy that you wish to update to load the taxonomy merge wizard: -![mergesqltaxonomyupdatelink](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) +![mergesqltaxonomyupdatelink](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) Predefined taxonomies can be updated from the latest built-in definition or from an XML file in the standard taxonomy format: -![mergesqltaxonomystage1_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1_thumb_0_0.webp) +![mergesqltaxonomystage1_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1_thumb_0_0.webp) The merge operation will automatically add any new terms, update the clues of existing terms, and when enabled delete terms that no longer exist in the new taxonomy definition. -![mergesqltaxonomystage2_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage2_thumb_0_0.webp) +![mergesqltaxonomystage2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage2_thumb_0_0.webp) Custom clues can be retained by selecting the option Retain custom clues. When enabled any clues not defined as Predefined will be retained. 
The Predefined flag can be viewed by selecting the "i" icon for a clue to display the following dialog: -![cluelabelreference](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) +![cluelabelreference](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) Any predefined taxonomies that have been previously loaded will show an asterisk indicator when an update is available (post upgrade): -![mergesqltaxonomypredefinedindicator](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) +![mergesqltaxonomypredefinedindicator](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) **NOTE:** The merge operation relies on matching the source definition to the destination definition - utilising the Term Id (GUID). If there are no matching ids then the merge operation @@ -69,7 +69,7 @@ associated user guide available via documentation downloads). Existing taxonomies can be managed via the Global Settings tab: -![taxonomyglobalsettings_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings_thumb_0_0.webp) +![taxonomyglobalsettings_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings_thumb_0_0.webp) Taxonomies can be exported as XML regardless of the taxonomy type, as well as removed. When removing SharePoint Term Set registrations the source Term Set remains intact - all that is removed is a link 
@@ -107,7 +107,7 @@ The wizard is started run by right-clicking a node within the treeview and selec Update". Updates can be performed across the whole taxonomy by right-clicking the root node or scoped to a particular branch by right-clicking the top node of the intended branch: -![bulkupdatetreeview](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) +![bulkupdatetreeview](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) The wizard will then walk you through performing the update. Each update will allow you to restrict the scope of your change by specifying: @@ -120,7 +120,7 @@ The update can either be performed immediately or in "report-only" mode. When re used the scope of changes will be specified to the end-user—the end-user can then choose to commit the update which will perform the changes (or, leave the update if the scope was incorrect). -![bulkupdate_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) +![bulkupdate_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) All updates, report-only or otherwise, can be found under the "Bulk Updates" tab. Updates are queued and processed in the background with the results exposed through this interface. 
@@ -130,11 +130,11 @@ and processed in the background with the results exposed through this interface. To manage the term set, select the taxonomy you need, then in the taxonomy tree browse to the required term set and click the **Term Management** tab on the right. -![term_management_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) +![term_management_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) Then you can work with the tabs you need, including Search, Browse and Working Set tabs. Review the following for additional information: -- [Classifications](classifications.md) -- [Calculations](calculations.md) +- [Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md) +- [Calculations](/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md index 3687d000dd..2e8743831f 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md 
@@ -38,7 +38,7 @@ To configure tagging on a global level: 4. In the taxonomy properties, enable writing classification attributes (tags) and specify other settings: - ![enablewriteclassifications_agriculture](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/enablewriteclassifications_agriculture.webp) + ![enablewriteclassifications_agriculture](/img/product_docs/dataclassification/ndc/admin/taxonomies/enablewriteclassifications_agriculture.webp) | | | | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/exportsearchresults.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/exportsearchresults.md index a9c7676de1..815e18b172 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/exportsearchresults.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/exportsearchresults.md @@ -3,7 +3,7 @@ Search / Browse results can be exported quickly and easily by selecting the either of the export options below the search results: -![browsetabexportmodes](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/browsetabexportmodes.webp) +![browsetabexportmodes](/img/product_docs/dataclassification/ndc/admin/taxonomies/browsetabexportmodes.webp) If there are less than 1000 results, or you wish to have access to the results immediately, you can select the Quick Export option (light icon). 
@@ -12,4 +12,4 @@ Alternatively the export results will be created in the background, and made ava the Queued Reports area. A notification can be sent to an email group upon the completion of report processing, when selected: -![browsetabexport](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/browsetabexport.webp) +![browsetabexport](/img/product_docs/dataclassification/ndc/admin/taxonomies/browsetabexport.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/globalsettings.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/globalsettings.md index f84d5b0efb..d0ac30a7f4 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/globalsettings.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/globalsettings.md @@ -1,7 +1,7 @@ # Global Settings The **Content** > **Taxonomies** > **Global Settings** panel allows you to update, compare, back up, -export, edit or delete your taxonomies. See the [Manage Taxonomies](manage.md) topic for additional +export, edit or delete your taxonomies. See the [Manage Taxonomies](/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md) topic for additional information. -![globalsettings](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/globalsettings.webp) +![globalsettings](/img/product_docs/dataclassification/ndc/admin/taxonomies/globalsettings.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/import.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/import.md index e8c6b295cd..2bf9a998a2 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/import.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/import.md 
@@ -11,35 +11,35 @@ import options: - Load—Certain taxonomies are provided out-of-the-box these can be fully used as part of the product or simply used as a reference for regular expression and metadata clues. -![addtaxonomies](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) +![addtaxonomies](/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) [](#)Merge SQL Taxonomies SQL taxonomies also be easily merged / updated from the Global Settings page. Select the Update link for the taxonomy that you wish to update to load the taxonomy merge wizard: -![mergesqltaxonomyupdatelink](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) +![mergesqltaxonomyupdatelink](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) Predefined taxonomies can be updated from the latest built-in definition or from an XML file in the standard taxonomy format: -![mergesqltaxonomystage1_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1_thumb_0_0.webp) +![mergesqltaxonomystage1_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1_thumb_0_0.webp) The merge operation will automatically add any new terms, update the clues of existing terms, and when enabled delete terms that no longer exist in the new taxonomy definition. -![mergesqltaxonomystage2_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage2_thumb_0_0.webp) +![mergesqltaxonomystage2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage2_thumb_0_0.webp) Custom clues can be retained by selecting the option Retain custom clues. When enabled any clues not defined as Predefined will be retained. 
The Predefined flag can be viewed by selecting the "i" icon for a clue to display the following dialog: -![cluelabelreference](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) +![cluelabelreference](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) Any predefined taxonomies that have been previously loaded will show an asterisk indicator when an update is available (post upgrade): -![mergesqltaxonomypredefinedindicator](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) +![mergesqltaxonomypredefinedindicator](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) **NOTE:** The merge operation relies on matching the source definition to the destination definition - utilising the Term Id (GUID). If there are no matching ids then the merge operation @@ -54,7 +54,7 @@ associated user guide available via documentation downloads). Existing taxonomies can be managed via the Global Settings tab: -![taxonomyglobalsettings_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings_thumb_0_0.webp) +![taxonomyglobalsettings_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings_thumb_0_0.webp) Taxonomies can be exported as XML regardless of the taxonomy type, as well as removed. When removing SharePoint Term Set registrations the source Term Set remains intact - all that is removed is a link 
@@ -92,7 +92,7 @@ The wizard is started run by right-clicking a node within the treeview and selec Update". Updates can be performed across the whole taxonomy by right-clicking the root node or scoped to a particular branch by right-clicking the top node of the intended branch: -![bulkupdatetreeview](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) +![bulkupdatetreeview](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) The wizard will then walk you through performing the update. Each update will allow you to restrict the scope of your change by specifying: @@ -105,7 +105,7 @@ The update can either be performed immediately or in "report-only" mode. When re used the scope of changes will be specified to the end-user—the end-user can then choose to commit the update which will perform the changes (or, leave the update if the scope was incorrect). -![bulkupdate_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) +![bulkupdate_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) All updates, report-only or otherwise, can be found under the "Bulk Updates" tab. Updates are queued and processed in the background with the results exposed through this interface. 
@@ -115,11 +115,11 @@ and processed in the background with the results exposed through this interface. To manage the term set, select the taxonomy you need, then in the taxonomy tree browse to the required term set and click the **Term Management** tab on the right. -![term_management_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) +![term_management_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) Then you can work with the tabs you need, including Search, Browse and Working Set tabs. Review the following for additional information: -- [Classifications](classifications.md) -- [Calculations](calculations.md) +- [Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md) +- [Calculations](/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md index 95a394ae62..d10f5d1976 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md 
@@ -6,19 +6,19 @@ Netwrix Data Classification comes with several built-in **taxonomies** with hund classification rules out-of-the-box. The taxonomies cover a broad range of sensitive personal, financial, and health-related information. Each taxonomy contains a set of terms. **Terms** are defined by set of configuration **rules** (also called **clues**). See -[Classification Rules (Clues)](clues.md) for details. +[Classification Rules (Clues)](/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md) for details. - To create a taxonomy, go to the **Taxonomies** area of the web-based management console and follow - the procedures described in [Add a Taxonomy](add.md) section. -- To manage the taxonomies, follow the procedures described in [Manage Taxonomies](manage.md) + the procedures described in [Add a Taxonomy](/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md) section. +- To manage the taxonomies, follow the procedures described in [Manage Taxonomies](/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md) section. **IMPORTANT!** To access the **Taxonomies** area, users require sufficient rights. See the -[User Management](../../security/usermanagement.md) section for more information. +[User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) section for more information. -![taxonomyclues_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyclues_thumb_0_0.webp) +![taxonomyclues_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyclues_thumb_0_0.webp) See also: -- [Built-in Taxonomies Overview ](builtintaxonomies.md) -- [Taxonomy Settings](settings.md) +- [Built-in Taxonomies Overview ](/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md) +- [Taxonomy Settings](/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md) 
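Review bot: every rewritten link in this introduction.md hunk hard-codes the version directory (`/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md`, and likewise `add.md`, `manage.md`, `builtintaxonomies.md`, `settings.md`), so a copy of this tree made for a later release would still send readers to the 5.7 pages. The removed lines show that these targets resolved as same-directory relative links (`clues.md`); consider keeping the relative form for same-directory targets and using the absolute form only for cross-directory links such as `usermanagement.md`. The trailing space inside `[Built-in Taxonomies Overview ]` is also carried over and could be dropped while the line is being touched.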
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/labels.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/labels.md index a1906916ad..5a1172fec4 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/labels.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/labels.md @@ -25,7 +25,7 @@ available on a limited set of site collections. Simply select Add and choose the label you wish to assign from the drop down list: -![o365labels_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/o365labels_thumb_0_0.webp) +![o365labels_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/o365labels_thumb_0_0.webp) **NOTE:** If the site collection has only recently been added then the label may not yet have been synchronized down. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesforclue.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesforclue.md index d3a5e1022f..a5a7653b83 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesforclue.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesforclue.md @@ -6,4 +6,4 @@ useful if a word in one language also appears in another language but has a diff In this case you can click the Languages link beside each clue and select any subset of the available languages: -![cluelanguages](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelanguages.webp) +![cluelanguages](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelanguages.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesupport.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesupport.md index 3a60a14af0..e02651fd33 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesupport.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/languagesupport.md 
@@ -10,7 +10,7 @@ useful is a word in one language also appears in another language but has a diff this case you can click the Languages link beside each clue and select any subset of the available languages: -![cluelanguages](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelanguages.webp) +![cluelanguages](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelanguages.webp) ## Indexing and Classification @@ -65,7 +65,7 @@ languages: - German - Spanish - ![predefined_clues](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/predefined_clues.webp) + ![predefined_clues](/img/product_docs/dataclassification/ndc/admin/taxonomies/predefined_clues.webp) Users can easily extend the out-of-the-box classification rules by adding relevant keywords and terms in other languages. @@ -74,7 +74,7 @@ In addition, there are predefined classification rules for various national iden registration numbers. These rules typically look for ID patterns supplemented by related keywords for better classification precision. -![clues_1_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_1_thumb_0_0.webp) +![clues_1_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/clues_1_thumb_0_0.webp) The rules are provided for the following countries (coverage varies): diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md index 013ea81cc4..fc69e73ffe 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/manage.md 
@@ -12,7 +12,7 @@ Follow the steps to add a SQL taxonomy. 1. Navigate to the Global Settings tab 2. Select the Add button, and finally select the New tile. -![createsqltaxonomy](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/createsqltaxonomy.webp) +![createsqltaxonomy](/img/product_docs/dataclassification/ndc/admin/taxonomies/createsqltaxonomy.webp) ## Import Taxonomies 
@@ -27,30 +27,30 @@ the import options: - Load —Certain taxonomies are provided out-of-the-box these can be fully used as part of the product or simply used as a reference for regular expression and metadata clues. -![addtaxonomies](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) +![addtaxonomies](/img/product_docs/dataclassification/ndc/admin/taxonomies/addtaxonomies.webp) ## Merge SQL Taxonomies SQL taxonomies also be easily merged / updated from the Global Settings page. Select the **Update** link for the taxonomy that you wish to update to load the taxonomy merge wizard: -![mergesqltaxonomyupdatelink](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) +![mergesqltaxonomyupdatelink](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomyupdatelink.webp) Predefined taxonomies can be updated from the latest built-in definition or from an XML file in the standard taxonomy format: -![mergesqltaxonomystage1](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1.webp) +![mergesqltaxonomystage1](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomystage1.webp) Custom clues can be retained by selecting the option **Retain custom clues**. When enabled, any clues not defined as Predefined will be retained. 
The Predefined flag can be viewed by selecting the **i** (information) icon for a clue to display the following dialog: -![cluelabelreference](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) +![cluelabelreference](/img/product_docs/dataclassification/ndc/admin/taxonomies/cluelabelreference.webp) Any predefined taxonomies that have been previously loaded will show an asterisk indicator when an update is available (post upgrade): -![mergesqltaxonomypredefinedindicator](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) +![mergesqltaxonomypredefinedindicator](/img/product_docs/dataclassification/ndc/admin/taxonomies/mergesqltaxonomypredefinedindicator.webp) **NOTE:** The merge operation relies on matching the source definition to the destination definition. utilising the Term Id (GUID). If there are no matching ids then the merge operation will @@ -65,7 +65,7 @@ associated user guide available via documentation downloads. Existing taxonomies can be managed via the Global Settings tab: -![taxonomyglobalsettings](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings.webp) +![taxonomyglobalsettings](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomyglobalsettings.webp) Taxonomies can be exported as XML regardless of the taxonomy type, as well as removed. When removing SharePoint Term Set registrations the source Term Set remains intact - all that is removed is a link 
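Review bot: the "Existing taxonomies can be managed via the Global Settings tab:" paragraph in this manage.md hunk is duplicated in import.md, but the two copies reference different image files: `taxonomyglobalsettings.webp` here and `taxonomyglobalsettings_thumb_0_0.webp` there (the same split exists for `mergesqltaxonomystage1`). Please confirm both variants exist under `/img/product_docs/dataclassification/ndc/admin/taxonomies/`, and consider pointing both pages at one image so a later rename cannot break only one of them.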
@@ -102,7 +102,7 @@ The wizard is started run by right-clicking a node within the treeview and selec Update". Updates can be performed across the whole taxonomy by right-clicking the root node or scoped to a particular branch by right-clicking the top node of the intended branch: -![bulkupdatetreeview](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) +![bulkupdatetreeview](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdatetreeview.webp) The wizard will then walk you through performing the update. Each update will allow you to restrict the scope of your change by specifying: @@ -115,7 +115,7 @@ The update can either be performed immediately or in "report-only" mode. When re used the scope of changes will be specified to the end-user—the end-user can then choose to commit the update which will perform the changes (or, leave the update if the scope was incorrect). -![bulkupdate_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) +![bulkupdate_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkupdate_thumb_0_0.webp) All updates, report-only or otherwise, can be found under the "Bulk Updates" tab. Updates are queued and processed in the background with the results exposed through this interface. 
@@ -125,11 +125,11 @@ and processed in the background with the results exposed through this interface. To manage the term set, select the taxonomy you need, then in the taxonomy tree browse to the required term set and click the **Term Management** tab on the right. -![term_management_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) +![term_management_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/term_management_thumb_0_0.webp) Then you can work with the tabs you need, including Search, Browse and Working Set tabs. See the following topics for additional information: -- [Classifications](classifications.md) -- [Calculations](calculations.md) +- [Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md) +- [Calculations](/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/manageclues.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/manageclues.md index 8d082c081a..b655bfa620 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/manageclues.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/manageclues.md 
@@ -5,16 +5,16 @@ term set. - To delete a clue, select the checkbox next to it and click **Delete**. - To edit a clue, select it from the list and click **Edit** link on the right. Then you can modify - clue type and provide the appropriate settings. See [Types of Clues](cluestypes.md) for details. + clue type and provide the appropriate settings. See [Types of Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md) for details. To see how the edits will take effect, click **Preview** on the right. To apply edits, click **Update**. -- To modify all selected clues, see [Bulk Edit](bulkedit.md) +- To modify all selected clues, see [Bulk Edit](/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkedit.md) - For bulk import of clues from an Excel Spreadsheet, click **Bulk Insert**. See - [Bulk Import](bulkimport.md). + [Bulk Import](/docs/dataclassification/5.7/ndc/admin/taxonomies/bulkimport.md). - To move or copy the clue to another term, select it from the list and click **Copy/Move**. Then select the destination term and click the button you need (**Move** or **Copy**). See also: -- [Types of Clues](cluestypes.md) -- [Adding a Clue](addclue.md) +- [Types of Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md) +- [Adding a Clue](/docs/dataclassification/5.7/ndc/admin/taxonomies/addclue.md) diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/multiuserenvironments.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/multiuserenvironments.md index 4467fbea26..852bfad7a7 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/multiuserenvironments.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/multiuserenvironments.md 
@@ -18,12 +18,12 @@ locking purposes. When this facility has been enabled then you will see a Lock Class button in the treeview context menu for all classes: -![lockterm](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/lockterm.webp) +![lockterm](/img/product_docs/dataclassification/ndc/admin/taxonomies/lockterm.webp) You can also optionally lock all of its children in a single operation. Once a term is locked the context menu items will change to allow unlocking the selected term, and its children. -![unlockterm](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/unlockterm.webp) +![unlockterm](/img/product_docs/dataclassification/ndc/admin/taxonomies/unlockterm.webp) Other users will see a closed padlock symbol to indicate the status of the term. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/related.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/related.md index 25f77cd21c..2e7c8ad347 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/related.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/related.md @@ -4,7 +4,7 @@ The Related tab allows you to view and modify the non-hierarchical relationships terms. This tab will only appear if the taxonomy is in SQL, as the SharePoint Term Store does not support this functionality. -![relatedtermstab](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/relatedtermstab.webp) +![relatedtermstab](/img/product_docs/dataclassification/ndc/admin/taxonomies/relatedtermstab.webp) When a term is located in multiple branches of the taxonomy (a polyhierarchical taxonomy) – the Related tab will also display each of the locations to allow you to jump to the specific branch. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/search.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/search.md index c5d9f3eb1b..c262fb3aa0 100644 
--- a/docs/dataclassification/5.7/ndc/admin/taxonomies/search.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/search.md @@ -4,14 +4,14 @@ You can search for documents based on the class clues. For that, click on the na clue in the clue list in the management console (or even any suggested clue), go to the **Search** tab and configure search settings. -![searchtab](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/searchtab.webp) +![searchtab](/img/product_docs/dataclassification/ndc/admin/taxonomies/searchtab.webp) 1. Set up the following properties that will be considered a basis for the search: - Clue type - select the required value from the **Type** list. - Clue itself (clue body) - enter the required keyword or phrase in the **Find** field. - **NOTE:** [See Classification Rules (Clues) for more information.](clues.md) + **NOTE:** [See Classification Rules (Clues) for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md) 2. To restrict the search further, you can either add a **URL** filter, or add a custom filter by clicking **Add custom filter** link. This can be helpful when evaluating the usefulness of a clue @@ -26,8 +26,8 @@ tab and configure search settings. document movements. As a result, the “movement” of the document since the last classification will be shown. Possible scenarios are: -![movementskey](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/movementskey.webp) +![movementskey](/img/product_docs/dataclassification/ndc/admin/taxonomies/movementskey.webp) OR -![documentmovements_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/documentmovements_thumb_0_0.webp) +![documentmovements_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/taxonomies/documentmovements_thumb_0_0.webp) 
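Review bot: in the last search.md hunk, the sentence "Possible scenarios are:" is followed only by two images whose alt text is the raw file name (`movementskey`, `documentmovements_thumb_0_0`), so the scenarios themselves are not available as text. Since both image lines are being rewritten here, give them descriptive alt text or list the scenarios in prose above the images. The bare "OR" between the two images would also benefit from a sentence saying what distinguishes the two views.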
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/searchandfiltertaxonomies.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/searchandfiltertaxonomies.md index d6c86ca36e..b0fe11b7e3 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/searchandfiltertaxonomies.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/searchandfiltertaxonomies.md @@ -5,7 +5,7 @@ for specific terms to be selected and managed. The dropdown list shows all avail **NOTE:** For the SharePoint Terms, they will be grouped by the SharePoint Term Group. -![treeview](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/treeview.webp) +![treeview](/img/product_docs/dataclassification/ndc/admin/taxonomies/treeview.webp) Right-clicking the tree view nodes provides a number of management options at both the term and termset level including: @@ -40,7 +40,7 @@ A search facility is provided to locate terms that contains specified text: Click the magnifying glass icon to the right of the taxonomy dropdown and a new edit box appears where search text may be entered: -![taxonomysearch](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomysearch.webp) +![taxonomysearch](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomysearch.webp) [](#)"Sync Enabled" Treeview Filter 
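Review bot: the trailing context of this hunk still has `[](#)"Sync Enabled" Treeview Filter`, an empty link to `#` standing in for a heading, and the same pattern appears as `[](#)Merge SQL Taxonomies` in import.md while manage.md already uses `## Merge SQL Taxonomies`. A pass that normalises links is the natural place to replace these empty anchors with real headings; otherwise they stay on the page as empty links and the sections have no heading to link to.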
@@ -49,15 +49,15 @@ for synchronisation (configured on the term Settings screen). This setting is session specific and applicable only to the current user: -![treeviewsyncfilter](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/treeviewsyncfilter.webp) +![treeviewsyncfilter](/img/product_docs/dataclassification/ndc/admin/taxonomies/treeviewsyncfilter.webp) -[See Taxonomy Settings for more information.](settings.md) +[See Taxonomy Settings for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md) [](#)Source Filter A filter facility is also provided to restrict all search/browse results to a specific source. Click the source filter link in the top right of the display, then, select a source: -![sourcefilter](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/sourcefilter.webp) +![sourcefilter](/img/product_docs/dataclassification/ndc/admin/taxonomies/sourcefilter.webp) The filter setting can be stored for the session, or just maintained for the browser window. diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md index 4daeb8bd1a..8f6d4873ae 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/settings.md @@ -3,6 +3,6 @@ This section contains information about taxonomies settings. Review the following for additional information: -- [Taxonomy Settings Panel](settingspanel.md) -- [Global Settings](globalsettings.md) -- [Term Settings](termsettings.md) +- [Taxonomy Settings Panel](/docs/dataclassification/5.7/ndc/admin/taxonomies/settingspanel.md) +- [Global Settings](/docs/dataclassification/5.7/ndc/admin/taxonomies/globalsettings.md) +- [Term Settings](/docs/dataclassification/5.7/ndc/admin/taxonomies/termsettings.md) 
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/settingspanel.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/settingspanel.md index 2d913e85c1..04d820c447 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/settingspanel.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/settingspanel.md @@ -3,7 +3,7 @@ The Taxonomy Settings panel displays the parameters of the top-level taxonomy selected in the Search (for example, File Size). -![taxonomysettings](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomysettings.webp) +![taxonomysettings](/img/product_docs/dataclassification/ndc/admin/taxonomies/taxonomysettings.webp) | Option | Description | | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/suggestions.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/suggestions.md index c9a7558045..843f9e6000 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/suggestions.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/suggestions.md @@ -3,7 +3,7 @@ Clues can be used to statistically produce a list of suggested clues that can be assigned to the term. -![bulkedit](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkedit.webp) +![bulkedit](/img/product_docs/dataclassification/ndc/admin/taxonomies/bulkedit.webp) Clues can be suggested for a term via the following methods: diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/termsettings.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/termsettings.md index d624518d0f..c6b71de4be 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/termsettings.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/termsettings.md 
@@ -3,11 +3,11 @@ When a child node is selected in the tree view, you will be redirected to the Term Management panel. The Settings tab will display settings for the selected term: -![termsettings](../../../../../../static/img/product_docs/dataclassification/ndc/admin/taxonomies/termsettings.webp) +![termsettings](/img/product_docs/dataclassification/ndc/admin/taxonomies/termsettings.webp) | Option | Description | | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Available for Tagging | Use to prevent any documents getting classified against a class. This would normally only be set to “No” when a class is being used to boost another class – see [Types of Clues](cluestypes.md) topic for information on terms that use the “Term Boost” type clues. | +| Available for Tagging | Use to prevent any documents getting classified against a class. This would normally only be set to “No” when a class is being used to boost another class – see [Types of Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md) topic for information on terms that use the “Term Boost” type clues. | | Synchronise Term | Enables / Disables automatic synchronization through the TermStoreManager tool for the term and its children. | | Relevance Threshold | The threshold for each Class defaults to 50 – but can be raised (to reduce the number of documents that get classified) or lowered (to increase the number of documents that get classified). | | Boosts | The Weighting Boosts can also be adjusted for each Class. 
Based on the values above you would expect a 10% score boost if one of its child terms was classified. It is possible to set the _“Child”_ boost to 100%, doing so will in effect enable the parent to always be tagged if the child is tagged. An example for this would be a taxonomy containing regions, if a document was tagged as _“England”_ it should also be tagged as _“Europe”_. | diff --git a/docs/dataclassification/5.7/ndc/admin/taxonomies/workingset.md b/docs/dataclassification/5.7/ndc/admin/taxonomies/workingset.md index 7e59b2507c..b1705c5204 100644 --- a/docs/dataclassification/5.7/ndc/admin/taxonomies/workingset.md +++ b/docs/dataclassification/5.7/ndc/admin/taxonomies/workingset.md @@ -10,9 +10,9 @@ Level is selected then the same Working Set will be used for all classes. Documents can be added to the Working Set from the Search or Browse tabs by using the Add to Working Set links: -![browsetab_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) +![browsetab_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/reporting/browsetab_thumb_0_0.webp) The following facilities are available: -- [Classifications](classifications.md) -- [Calculations](calculations.md) +- [Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md) +- [Calculations](/docs/dataclassification/5.7/ndc/admin/taxonomies/calculations.md) diff --git a/docs/dataclassification/5.7/ndc/admin/utilities/configurationbackup.md b/docs/dataclassification/5.7/ndc/admin/utilities/configurationbackup.md index dd15fd039e..118f22a44c 100644 --- a/docs/dataclassification/5.7/ndc/admin/utilities/configurationbackup.md +++ b/docs/dataclassification/5.7/ndc/admin/utilities/configurationbackup.md 
@@ -31,7 +31,7 @@ Follow the steps to create configuration backup. **Step 1 –** Go to **Settings** > **Config** > **Utilities**. -![utilitiesbackup](../../../../../../static/img/product_docs/dataclassification/ndc/admin/utilities/utilitiesbackup.webp) +![utilitiesbackup](/img/product_docs/dataclassification/ndc/admin/utilities/utilitiesbackup.webp) **Step 2 –** From the navigation menu on the left, click **Backup/Restore.** diff --git a/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md b/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md index 0172b9c192..9082bff1e1 100644 --- a/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md +++ b/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md @@ -13,11 +13,11 @@ Follow the steps to launch the Cleaner tool. 2. Navigate to **Settings** > **Config** and click **Run Cleaner**. 3. Then follow the steps of **Index Maintenance** wizard. -![run_cleaner_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/utilities/run_cleaner_thumb_0_0.webp) +![run_cleaner_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/utilities/run_cleaner_thumb_0_0.webp) See next: -- [Step 1: Maintenance Operation](step1.md) -- [Step 2: Maintenance Options](step2.md) -- [Step 3: Summary](step3.md) -- [Step 4: Process](step4.md) +- [Step 1: Maintenance Operation](/docs/dataclassification/5.7/ndc/admin/utilities/step1.md) +- [Step 2: Maintenance Options](/docs/dataclassification/5.7/ndc/admin/utilities/step2.md) +- [Step 3: Summary](/docs/dataclassification/5.7/ndc/admin/utilities/step3.md) +- [Step 4: Process](/docs/dataclassification/5.7/ndc/admin/utilities/step4.md) diff --git a/docs/dataclassification/5.7/ndc/admin/utilities/step1.md b/docs/dataclassification/5.7/ndc/admin/utilities/step1.md index 2ddd8076d9..6faff89332 100644 --- a/docs/dataclassification/5.7/ndc/admin/utilities/step1.md +++ b/docs/dataclassification/5.7/ndc/admin/utilities/step1.md 
@@ -15,4 +15,4 @@ Select the operation you want to perform: - Delete Index—Delete all content from both the search index and the NDC SQL database. -![cleaner_step_1](../../../../../../static/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_1.webp) +![cleaner_step_1](/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_1.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/utilities/step2.md b/docs/dataclassification/5.7/ndc/admin/utilities/step2.md index ca6f7a3a99..1ff2d2a5e3 100644 --- a/docs/dataclassification/5.7/ndc/admin/utilities/step2.md +++ b/docs/dataclassification/5.7/ndc/admin/utilities/step2.md @@ -7,4 +7,4 @@ Specify options for the operation you have selected. | **Rebuild Index** | **Shrink the "text.cse" file?** - **Shrink** - **Don't Shrink** (default) | Selecting **Shrink** will rebuild the _Text.cse_ file, removing any fragmentation. **Shrink** will require sufficient disk space to process (up to the existing size of _Text.cse_) and may take some time to complete. | | All operations | **Would you like to re-run the product configuration wizard?** - **Run** - **Don't Run** (default) | Select **Run** if you want to re-configure this instance by going through the initial steps of the product configuration. Note that this will pause all sources. | -![cleaner_step_2_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_2_thumb_0_0.webp) +![cleaner_step_2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_2_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/utilities/step3.md b/docs/dataclassification/5.7/ndc/admin/utilities/step3.md index 0238628add..a028812123 100644 --- a/docs/dataclassification/5.7/ndc/admin/utilities/step3.md +++ b/docs/dataclassification/5.7/ndc/admin/utilities/step3.md 
@@ -4,4 +4,4 @@ Review the selected operation (action) and its options you have specified. Clicking **Next** will confirm and start the maintenance operation. -![cleaner_step_3_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_3_thumb_0_0.webp) +![cleaner_step_3_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/utilities/cleaner_step_3_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md index 82e3f359cc..0564d415e9 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md @@ -5,9 +5,9 @@ triggered. There are two types of workflow actions: - Generic actions available for any type of document. These are: - - [Email Alert](emailalert.md) + - [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) - Migration - - [Apply Additional Classification](../advancedwindow/classification.md) + - [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) - Source-specific actions 
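
Review bot: in the generic actions list of actions.md (hunk `@@ -5,9 +5,9 @@`), the `- Migration` item between the two rewritten links is still plain text with no link, while the table in the next hunk links the same action as `[Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md)`. Link it here as well and use one name for the action in both places.
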
@@ -19,10 +19,10 @@ This table lists workflow actions available for the certain content source types | Content source type | Available actions | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Exchange | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for Exchange](../advancedwindow/exchange.md)\*: delete email, move email | -| File System | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for File System](../advancedwindow/files.md)\*: update permissions, add/remove MIP label | -| Google Drive | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) | -| SharePoint | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for SharePoint](../advancedwindow/sharepoint.md)\*: send classification value, filtered targeted meta update, write/remove O365 label, copy/move document | -| SQL and other databases | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) | +| Exchange | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for 
Exchange](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md)\*: delete email, move email | +| File System | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for File System](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md)\*: update permissions, add/remove MIP label | +| Google Drive | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) | +| SharePoint | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for SharePoint](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md)\*: send classification value, filtered targeted meta update, write/remove O365 label, copy/move document | +| SQL and other databases | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) | \* — these actions can be only configured using the Advanced UI dialog window. 
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/availableactions.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/availableactions.md index e994a2bca3..7cccdbf1a5 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/availableactions.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/availableactions.md 
@@ -4,10 +4,10 @@ This section lists workflow actions available for the certain content source typ | Content source type | Available actions | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Exchange | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for Exchange](../advancedwindow/exchange.md)\*: delete email, move email | -| File System | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for File System](../advancedwindow/files.md)\*: update permissions, add/remove MIP label | -| Google Drive | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) | -| SharePoint | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) [Advanced Actions for SharePoint](../advancedwindow/sharepoint.md)\*: send classification value, filtered targeted meta update, write/remove O365 label, copy/move document | -| SQL and other databases | [Email Alert](emailalert.md) [Migrate Document](migratedocument.md) [Apply Additional Classification](../advancedwindow/classification.md) | +| Exchange | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for 
Exchange](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md)\*: delete email, move email | +| File System | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for File System](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md)\*: update permissions, add/remove MIP label | +| Google Drive | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) | +| SharePoint | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) [Advanced Actions for SharePoint](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md)\*: send classification value, filtered targeted meta update, write/remove O365 label, copy/move document | +| SQL and other databases | [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) [Apply Additional Classification](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md) | \* — these actions can be only configured using the Advanced UI dialog window. 
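
Review bot: the five `+` table rows in availableactions.md are identical to the rows rewritten in actions.md earlier in this patch, so the same table is maintained in two files and every link change has to be made twice. Consider keeping the table in one of the two pages and linking to it from the other, so the two copies cannot drift apart.
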
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md index f0bd41a8cc..a803c8fa91 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md @@ -4,7 +4,7 @@ This action sends an email to the list of provided email address(es). When runni wizard and having selected **Email Alert** as an action, you will be prompted to configure the related settings. -![wizard_action_email_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/wizard_action_email_thumb_0_0.webp) +![wizard_action_email_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/actions/wizard_action_email_thumb_0_0.webp) In the case where the Workflow is configured against a SharePoint source / group (or, the generic “All Sources” for SharePoint) the action will optionally support a dynamic recipient selection 
@@ -18,7 +18,7 @@ Specify the following: | Specific recipients | Specify email address to send the alert to. To enter multiple recipient, click **+** on the right. | | Who should the email be sent from? | Specify email sender and SMTP server settings. You can select a pre-configured SMTP server (if any), or specify new connection parameters by clicking the + on the right — then in the **Email Server Details** dialog enter the following: - Host—Enter your SMTP server address. It can be your company's Exchange server or any public mail server (e.g., Gmail, Yahoo). - Port—Specify your SMTP server port number. - Use SSL—Select this checkbox if your SMTP server requires SSL to be enabled. - From Email—Enter the address that will appear in the From field. - Username—Enter a user name for the SMTP authentication. - Password—Enter a password for the SMTP authentication. **NOTE:** It is recommended to use Test Configuration Settings option. The system will send a test message to the specified email address and inform you if any problems are detected. | -![action_email_smtp_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/action_email_smtp_thumb_0_0.webp) +![action_email_smtp_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/actions/action_email_smtp_thumb_0_0.webp) When finished, slick **Save** to close the dialog and return to email action settings. @@ -29,4 +29,4 @@ When finished, slick **Save** to close the dialog and return to email action set To modify action settings for the certain workflow, select the workflow and use the Advanced UI window, as described in the -[Modify Email Alert action settings](../advancedwindow/modifyemailalertaction.md) section. +[Modify Email Alert action settings](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/modifyemailalertaction.md) section. 
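
Review bot: the SMTP settings row kept as context in the `@@ -18,7 +18,7 @@` hunk of emailalert.md presents `Use SSL` as something to select only "if your SMTP server requires SSL to be enabled", yet the same dialog takes a Username and Password and the text suggests public mail servers as hosts. While this file is being edited, reword the row to recommend enabling `Use SSL` whenever SMTP authentication is configured, so the credentials are not sent over an unencrypted connection.
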
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md index da34bd5729..9db3ad55a4 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md @@ -15,7 +15,7 @@ listed in the table below. **IMPORTANT!** Before you add the **Migration** action to your workflow, you should configure migration destinations. See -[Configure destinations for Migration action](../migrationdestinations.md). +[Configure destinations for Migration action](/docs/dataclassification/5.7/ndc/admin/workflows/migrationdestinations.md). When running the Workflow wizard and having selected **Migration** as action, you will be prompted to configure related settings. @@ -29,7 +29,7 @@ On the What do you want to do step, select Migrate Document action. do the follo - Select migration destination under Which type of repository should the document be migrated to?. You can add migration destination directly from wizard: - ![migration_destination_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/migration_destination_thumb_0_0.webp) + ![migration_destination_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/actions/migration_destination_thumb_0_0.webp) - If you created several sources for migration destinations, select on one in the under Where should the document be migrated to? 
@@ -57,7 +57,7 @@ While creating a stub file, you can leave a message where the document is migrat reasons. You can use the drop-down list to add metadata from the document to the stub file message. Please see below: -![workflow_stubfile](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_stubfile.webp) +![workflow_stubfile](/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_stubfile.webp) ## Applying the redaction @@ -69,10 +69,10 @@ To use redaction in a workflow, you need to set up one or more redaction plans. redact the predefined entities by selecting the plans from the drop-down list on the screenshot below or create custom groups of entities first. -![workflow_redaction](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_redaction.webp) +![workflow_redaction](/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_redaction.webp) If the redaction has failed for such files as PDF, that had OCR with images and cannot be fully recognized, these files will get quarantined, leaving a stub file, instead of a redacted file. To modify action settings for the certain workflow, select the workflow and use the Advanced UI -window. See [Modify Migration action settings](../advancedwindow/migration.md) for more information. +window. See [Modify Migration action settings](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/migration.md) for more information. diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/modifymiplabels.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/modifymiplabels.md index 5466e0ae26..86a5db429a 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/modifymiplabels.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/modifymiplabels.md 
@@ -10,4 +10,4 @@ prompted to configure related settings When finished, click **Next** to proceed with the wizard. To configure advanced actions or modify action settings, select the workflow and use the Advanced UI -window. See [Advanced Actions for File System](../advancedwindow/files.md). +window. See [Advanced Actions for File System](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md). diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/actions/updatepermissions.md b/docs/dataclassification/5.7/ndc/admin/workflows/actions/updatepermissions.md index 730aada385..9c457b72a6 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/actions/updatepermissions.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/actions/updatepermissions.md @@ -4,7 +4,7 @@ This action updates the file system permissions for the classified document. You approach to automatically restrict access to sensitive documents or provide access permissions, based upon the document's classifications. -![workflow_wizard_actions_update_permissions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_wizard_actions_update_permissions_thumb_0_0.webp) +![workflow_wizard_actions_update_permissions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/actions/workflow_wizard_actions_update_permissions_thumb_0_0.webp) Specify the following: @@ -21,4 +21,4 @@ Specify the following: When finished, click **Next** to proceed with the wizard. To configure advanced actions or modify action settings, select the workflow and use the Advanced UI -window. See [Advanced Actions for SharePoint](../advancedwindow/sharepoint.md). +window. See [Advanced Actions for SharePoint](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md). 
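
Review bot: the closing link in updatepermissions.md (hunk `@@ -21,4 +21,4 @@`) is carried over as `[Advanced Actions for SharePoint](.../advancedwindow/sharepoint.md)`, but this page opens with "This action updates the file system permissions" and the actions table in this patch lists "update permissions" under Advanced Actions for File System. The target looks wrong rather than just relative: it should probably be `/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md`, as in the modifymiplabels.md hunk just above.
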
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md b/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md index d7eaf50d31..6584de033b 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md @@ -10,16 +10,16 @@ To launch the Add Workflow wizard: 3. Click the Add button in the upper right corner. 4. In the dialog displayed, click the Launch Wizard button. -![workflow_start_wizard_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_start_wizard_thumb_0_0.webp) +![workflow_start_wizard_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_start_wizard_thumb_0_0.webp) See next: -- [Step 1. Select Content Type](step1selectcontenttype.md) -- [Step 2. Select Action](step2selectautomatedaction.md) -- [Step 3. Specify Conditions for Processing](step3specifyconditions.md) -- [Step 4. Enter Name and Review Settings](step4setnameandenable.md) +- [Step 1. Select Content Type](/docs/dataclassification/5.7/ndc/admin/workflows/step1selectcontenttype.md) +- [Step 2. Select Action](/docs/dataclassification/5.7/ndc/admin/workflows/step2selectautomatedaction.md) +- [Step 3. Specify Conditions for Processing](/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md) +- [Step 4. Enter Name and Review Settings](/docs/dataclassification/5.7/ndc/admin/workflows/step4setnameandenable.md) **NOTE:** Once created you will be able to modify the workflow using the **Advanced** dialog. Alternatively, take steps 1-3 from the procedure above, then in the **Add Workflow** dialog click -**Advanced**. See [Configure a Workflow using Advanced dialog](advancedwindow/createworkflow.md) +**Advanced**. See [Configure a Workflow using Advanced dialog](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md) 
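
Review bot: the four step links and the Advanced dialog link in the `+` lines of addworkflowwizard.md now hard-code `/docs/dataclassification/5.7/` although every target sits in the same versioned tree as this file, so a copy of this tree made for another product version would keep linking back to the 5.7 pages. If the build accepts them, sibling links such as `step1selectcontenttype.md` are safer left relative; otherwise document that the version segment must be rewritten when the docs are branched. The last `+` line also still ends without a full stop after the link.
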
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md index 824596f0a4..02422a3d9e 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/classification.md @@ -7,7 +7,7 @@ document. This workflow action is called **Manual Classification** and can be co Alternatively, you can configure a workflow action that permanently removes all existing classifications on a document and disables future auto-classification for it. -![workflow_actions_man_classify_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/workflow_actions_man_classify_thumb_0_0.webp) +![workflow_actions_man_classify_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/workflow_actions_man_classify_thumb_0_0.webp) To apply additional classification: @@ -39,4 +39,4 @@ To configure terms 3. Finally, click **OK** to save the settings and close the dialog. **NOTE:** The additional classification will not trigger other workflows or affect the source -item[See Classifications for more information.](../../taxonomies/classifications.md) +item[See Classifications for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/classifications.md) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/contentserver.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/contentserver.md index 3ae40b6088..c4463e26d0 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/contentserver.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/contentserver.md 
@@ -19,4 +19,4 @@ Then specify the following action parameters | **Field Name** | Provide the internal name or ID of the document property field (metadata) that should be updated. | This can be, for example, DocType, URL, Last modified date, etc. | | **Value** | Select where the new field value should be obtained from. | You can use static or crawled value, similarly to SharePoint (as described in the Update Field section). | -![action_advanced_cs_update_field_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_cs_update_field_thumb_0_0.webp) +![action_advanced_cs_update_field_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_cs_update_field_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md index 0bb60eadfc..efdd27d0e1 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md @@ -10,7 +10,7 @@ To configure a workflow: 3. From the **Type** drop-down list, select the type of content your workflow will apply to. 4. Click **Add**. - ![add_workflows_advanced_name_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_name_thumb_0_0.webp) + ![add_workflows_advanced_name_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_name_thumb_0_0.webp) 5. Then you need to configure document processing rules. For each rule, you should set up rule conditions and rule actions. Also, specify how the workflow should be processed with regards to 
@@ -31,7 +31,7 @@ To configure a workflow: Conditions** dialog will be displayed. 2. From the **Mode** list, select how the conditions should be applied. -![add_workflows_rule_conditions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_rule_conditions_thumb_0_0.webp) +![add_workflows_rule_conditions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_rule_conditions_thumb_0_0.webp) The following options are available: @@ -77,7 +77,7 @@ To configure terms The configured rule condition will appear in the **Rule Conditions** section on the **Rule** tab. -![add_workflows_rules_list_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/add_workflows_rules_list_thumb_0_0.webp) +![add_workflows_rules_list_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/add_workflows_rules_list_thumb_0_0.webp) Example @@ -90,7 +90,7 @@ taxonomy, configure the rule condition as follows: 4. In the **Details** window, from the **Taxonomy** list select **PCI DSS**. 5. In the tags hierarchy, select **Visa** and click **OK**. -![add_workflows_advanced_details_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_details_thumb_0_0.webp) +![add_workflows_advanced_details_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_details_thumb_0_0.webp) Make sure the filtering term is displayed in the Edit Rule Conditions window with blue color. Click **Save**. 
@@ -102,10 +102,10 @@ The configured rule condition will appear in the **Rule Condtions** section on t 1. In the corresponding section on the **Rule** tab, click **Add** on the right. The **Add Action** dialog will be displayed. 2. From the **Action Type** list, select the action you want to apply to the documents that match - rule conditions. For details, see [Workflow Actions](../actions/actions.md). + rule conditions. For details, see [Workflow Actions](/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md). 3. Click **Save**. -![add_workflows_advanced_action_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_action_thumb_0_0.webp) +![add_workflows_advanced_action_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_action_thumb_0_0.webp) ## Other Rule Settings @@ -125,7 +125,7 @@ On the **Rule** tab, you can also manage the rule, as follows: If multiple rule actions have been configured, they will be processed in the order listed. Use the red down arrow or green up-arrow to change the processing sequence as required: -![workflowsreorderactions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/workflowsreorderactions_thumb_0_0.webp) +![workflowsreorderactions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/workflowsreorderactions_thumb_0_0.webp) ## Specifying Workflow Conditions 
@@ -136,7 +136,7 @@ match to be processed by the workflow. is, current workflow will consider any document; actual filtering conditions will be applied by the rule (rule conditions). -![add_workflows_advanced_wf_conditions_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_wf_conditions_thumb_0_0.webp) +![add_workflows_advanced_wf_conditions_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/add_workflows_advanced_wf_conditions_thumb_0_0.webp) 1. Click **Edit** to open **Edit Workflow Conditions** dialog. 2. Select the option you need from the **Mode** list. The next steps are similar to those described diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md index f92a695eba..9b1c47ca85 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/exchange.md @@ -7,13 +7,13 @@ following actions are available for the **Exchange** content source type: - **Move email** To configure these actions, use the Advanced UI dialog window. See -[Configure a Workflow using Advanced dialog](createworkflow.md) for details on how to invoke it. +[Configure a Workflow using Advanced dialog](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md) for details on how to invoke it. ## Delete Email This action will remove an email from Exchange mailbox. -![action_exchange_delete_email_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_exchange_delete_email_thumb_0_0.webp) +![action_exchange_delete_email_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_exchange_delete_email_thumb_0_0.webp) Specify the following action parameters: 
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md index 28cca00039..6842a0aec8 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/files.md @@ -4,7 +4,7 @@ In addition to the **Email Alert** ,**Migrate Document** and additional classifi following actions are available for the **File system** content source type: - **Update Permissions** — this action updates the file system permissions for the classified - document. See [Update Permissions](../actions/updatepermissions.md) for details. + document. See [Update Permissions](/docs/dataclassification/5.7/ndc/admin/workflows/actions/updatepermissions.md) for details. - **Apply MIP Label**, **Remove MIP Label** — these actions, respectively, apply and remove sensitivity label to/from a document stored on a file system, using Microsoft Information Protection (MIP). This helps to automate protection policies application. See Modify MIP Label for @@ -17,4 +17,4 @@ To configure actions for file systems using the Advanced interface: 3. In the Add Action dialog, select the action you need from the **File System** section in the Action Type list. -![action_advanced_file_update_mip_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_file_update_mip_thumb_0_0.webp) +![action_advanced_file_update_mip_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_file_update_mip_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/migration.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/migration.md index 57a8cbf4f8..81c6b525ac 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/migration.md 
+++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/migration.md @@ -13,7 +13,7 @@ There are common and content-specific settings that you need to specify. These settings are the same for all supported sources. -![action_migration_common_settings_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_migration_common_settings_thumb_0_0.webp) +![action_migration_common_settings_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_migration_common_settings_thumb_0_0.webp) | Setting | Description | Comments | | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
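Review bot: In migration.md, the image reference moves from a file-relative path into `static/img/...` to the root-relative `/img/product_docs/...`, which resolves only when the contents of `static/` are served from the site root. Please confirm the build still finds these images when the site is deployed under a non-root base path, and note in the README that they will no longer render in a plain Markdown preview of the repository.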
@@ -22,7 +22,7 @@ These settings are the same for all supported sources. | **Maintain Folder Structure** | If selected, subfolders will be created in the migration destination to match the relative path in the source. | Applies if this capability is supported by the source system. For Exchange, the path will also include a folder for the mailbox name (e.g. _\\MigrationDestination\User@domain.com\Inbox\HR_). | | **Delete Original Item** | If selected, the original item will be deleted after it is successfully copied to the destination. | Applies if this capability is supported by the source system. | | **Mark Original item as Read Only** | If selected, the original item will be marked as _read-only_. | Applies if this capability is supported by the source system. | -| **Redaction Plan** | If redaction plans have been configured, specify the redaction plan to be applied to the document. See [Redaction](../../../configuration/redaction.md). | By default, this will be applied to the document at the destination. | +| **Redaction Plan** | If redaction plans have been configured, specify the redaction plan to be applied to the document. See [Redaction](/docs/dataclassification/5.7/ndc/configuration/redaction.md). | By default, this will be applied to the document at the destination. | | **Redact Original** | If updating the source item is supported by the source system, then checking this box will cause the redaction plan to be applied to the source document after being successfully migrated. | Note that this option is not available when performing a move (deleting the original item). | ## Source-specific settings diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/modifyemailalertaction.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/modifyemailalertaction.md index d0239b61f3..b7ab17bf98 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/modifyemailalertaction.md 
+++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/modifyemailalertaction.md @@ -12,6 +12,6 @@ Specify the following settings: | Field | Setting to specify | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Email Address** | Specify email recipients. You can enter multiple static email addresses. **NOTE:** Dynamic configurations will use the '_Document Modified/Created By_' metadata value, looking up the user's email address from Active Directory where appropriate. | -| **SMTP Config** | Choose a preconfigured SMTP server to use when sending the email. This also defines who the email will show as being sent from. For more information, see [Email Alert](../actions/emailalert.md) section. | +| **SMTP Config** | Choose a preconfigured SMTP server to use when sending the email. This also defines who the email will show as being sent from. For more information, see [Email Alert](/docs/dataclassification/5.7/ndc/admin/workflows/actions/emailalert.md) section. | | **Subject** | Specify the template for email subject. The template can contain dynamic values that will be obtained from the crawled content (e.g. _[cs:PageUrl]_). **TIP:** To get the list of available fields, click the **details** link. | | **Email Body Template** | Specify the template for email body. The template can contain dynamic values that will be obtained from the crawled content (e.g. _[cs:PageUrl]_). **TIP:** To get the list of available fields, click the **details** link. | diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md index 0518ad97c1..b8120395f4 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md 
+++ b/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/sharepoint.md @@ -3,7 +3,7 @@ In addition to the **Email Alert**, **Migrate Document** and additional classification, the following actions are available for the **SharePoint** content source type: -- [Migrate Document](../actions/migratedocument.md) including copy and move operations +- [Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) including copy and move operations - Document property field (metadata) update, including: - **Send fixed value**, **send crawled value** — these actions apply new metadata value entered @@ -36,4 +36,4 @@ To configure actions for SharePoint documents using the Advanced interface: 3. In the Add Action dialog, select the action you need from the **SharePoint** section in the Action Type list. -![action_advanced_sp_update_field_thumb_0_0](../../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_sp_update_field_thumb_0_0.webp) +![action_advanced_sp_update_field_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/advancedwindow/action_advanced_sp_update_field_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/delete.md b/docs/dataclassification/5.7/ndc/admin/workflows/delete.md index 6e2e8d15b5..04898139f7 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/delete.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/delete.md 
@@ -13,9 +13,9 @@ You can delete a single workflow or a group of workflows within the scope (Globa 2. Click the link in the **Name** column for the required workflow (Global for Google Drive in the figure below): - ![workflow_delete_single_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_delete_single_thumb_0_0.webp) + ![workflow_delete_single_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_delete_single_thumb_0_0.webp) 3. This will open the list of workflows for selected scope. Select the workflow you need and click **Delete**. - ![workflows_category_list_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflows_category_list_thumb_0_0.webp) + ![workflows_category_list_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflows_category_list_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/editsettings.md b/docs/dataclassification/5.7/ndc/admin/workflows/editsettings.md index 6374346dd8..b39e5bd73b 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/editsettings.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/editsettings.md 
@@ -6,6 +6,6 @@ Follow the steps to edit the workflow settings. 2. In the list of workflows displayed, click the one you need. 3. You will be forwarded to the configuration window where you can modify workflow conditions, rule conditions, and actions, as described in the - [Configure a Workflow using Advanced dialog](advancedwindow/createworkflow.md) topic. + [Configure a Workflow using Advanced dialog](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md) topic. -![add_workflows_rules_list_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/add_workflows_rules_list_thumb_0_0.webp) +![add_workflows_rules_list_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/add_workflows_rules_list_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/manage.md b/docs/dataclassification/5.7/ndc/admin/workflows/manage.md index dae57ffbd8..8b126f1b32 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/manage.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/manage.md @@ -4,7 +4,7 @@ Authorized users can create, modify or delete automated workflows that apply to For that, in the administrative web console select Content from the top menu and go to the **Workflows** tab. -![workflows_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflows_thumb_0_0.webp) +![workflows_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflows_thumb_0_0.webp) **NOTE:** To manage the automated workflows, users require sufficient access rights that are assigned based on either their Windows identity or using non-Windows based access controls. See 
@@ -24,22 +24,22 @@ or **Advanced** dialogs. See next: -- [Create a Workflow using Add Workflow Wizard](addworkflowwizard.md) -- [Configure a Workflow using Advanced dialog](advancedwindow/createworkflow.md) +- [Create a Workflow using Add Workflow Wizard](/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md) +- [Configure a Workflow using Advanced dialog](/docs/dataclassification/5.7/ndc/admin/workflows/advancedwindow/createworkflow.md) ## Modifying or Deleting a Workflow -To modify a workflow, follow the steps described in the [Edit Workflow settings](editsettings.md) +To modify a workflow, follow the steps described in the [Edit Workflow settings](/docs/dataclassification/5.7/ndc/admin/workflows/editsettings.md) section. -To delete a workflow, follow the steps described in the [Delete Workflow](delete.md)section. +To delete a workflow, follow the steps described in the [Delete Workflow](/docs/dataclassification/5.7/ndc/admin/workflows/delete.md)section. ## Cloning, Enabling or Renaming a Workflow 1. Click the link in the **Name** column for the required workflow ( e.g. Global for Google Drive in the figure below): -![workflow_delete_single_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_delete_single_thumb_0_0.webp) +![workflow_delete_single_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_delete_single_thumb_0_0.webp) 2. This will open the list of workflows for selected scope. You can sort the list by **Details** (workflow action) or by **Active** (workflow state) field. 
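Review bot: In manage.md, the rewritten "Delete Workflow" line carries over a missing space: `[Delete Workflow](/docs/dataclassification/5.7/ndc/admin/workflows/delete.md)section.` renders as "Delete Workflowsection." Since the line is being touched anyway, add the space after the closing parenthesis. The unchanged context line below has a similar stray space in `( e.g. Global for Google Drive`, which could be cleaned up in the same pass.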
@@ -53,7 +53,7 @@ To delete a workflow, follow the steps described in the [Delete Workflow](delete workflows can be copied within any groups of the same type. The clone workflow will be disabled by default. -![workflows_category_list_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflows_category_list_thumb_0_0.webp) +![workflows_category_list_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflows_category_list_thumb_0_0.webp) To provide another name to a workflow, select it from the list and click **Rename**. diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/migrationdestinations.md b/docs/dataclassification/5.7/ndc/admin/workflows/migrationdestinations.md index 867ce6e342..afdc58781f 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/migrationdestinations.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/migrationdestinations.md @@ -45,7 +45,7 @@ Under the **Workflows** menu click **Configs**, then click **Migration Configs** Migration providers that already have contain configured destinations are indicated with the three-gears icon in the tab header: -![migration_destination_ready_thumb_0_48](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/migration_destination_ready_thumb_0_48.webp) +![migration_destination_ready_thumb_0_48](/img/product_docs/dataclassification/ndc/admin/workflows/migration_destination_ready_thumb_0_48.webp) Click the tab for the migration destination you need. diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md b/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md index 3bb94d6b18..90da7d85e9 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md 
@@ -12,7 +12,7 @@ the following steps to enable MIP labels: | Client ID | Application (client) ID | | Application Name | Display name | | Tenant | Directory (tenant) ID | - | Certificate Thumbprint | Provide certificate thumbprint you copied and stored on this step: [Upload the .CER file to Azure](configureinfrastructure.md). | + | Certificate Thumbprint | Provide certificate thumbprint you copied and stored on this step: [Upload the .CER file to Azure](/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configureinfrastructure.md). | **NOTE:** Any labels and policies in API should be migrated / synced with O365 Security & Compliance. Review the following Microsoft article for more information: diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/introduction.md b/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/introduction.md index b8139d9bb0..f4aea726b1 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/introduction.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/introduction.md @@ -17,9 +17,9 @@ example, you use the protection label to be available by the person from the dom this case, it will require authentication, such as password. You can apply the MIP labels to the file share and SharePoint sources. Specify this information -using the [Create a Workflow using Add Workflow Wizard](../addworkflowwizard.md). Review the +using the [Create a Workflow using Add Workflow Wizard](/docs/dataclassification/5.7/ndc/admin/workflows/addworkflowwizard.md). Review the following for additional information: -- [Set Up MIP Integration](configureinfrastructure.md) -- [MIP Labels Configuration](configurendc.md) +- [Set Up MIP Integration](/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configureinfrastructure.md) +- [MIP Labels Configuration](/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md) - Modify MIP Label 
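Review bot: In miplabels/introduction.md, the last list item `- Modify MIP Label` stays plain text while the two items above it are converted to absolute links. If the target topic exists in this tree, link it here so the list is consistent; if it does not, remove the item or open a follow-up, because a link-normalization pass is the point at which readers will expect dangling references like this to have been resolved.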
diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/overview.md b/docs/dataclassification/5.7/ndc/admin/workflows/overview.md index c0a89bb257..af9396b315 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/overview.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/overview.md @@ -19,5 +19,5 @@ can easily reduce the exposure of your sensitive data. See next: -- [Managing Workflows](manage.md) -- [Workflow Actions](actions/actions.md) +- [Managing Workflows](/docs/dataclassification/5.7/ndc/admin/workflows/manage.md) +- [Workflow Actions](/docs/dataclassification/5.7/ndc/admin/workflows/actions/actions.md) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/plugin.md b/docs/dataclassification/5.7/ndc/admin/workflows/plugin.md index bc72328fd1..fede55bdc0 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/plugin.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/plugin.md @@ -17,7 +17,7 @@ Plugins. Click the Enable link to enable selected plugins. -![workflowplugins_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflowplugins_thumb_0_0.webp) +![workflowplugins_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflowplugins_thumb_0_0.webp) To modify workflow action implemented by a plugin, go to the **Configs** tab and click **Action Configs** on the left. diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/runlog.md b/docs/dataclassification/5.7/ndc/admin/workflows/runlog.md index 3452309ff2..6c733612b4 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/runlog.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/runlog.md 
@@ -6,7 +6,7 @@ file. Click the Logs tab to view the corresponding audit trails. Here you can change the display period or the number of logs displayed, sort the list or copy its content, or clear the logs you do not need. -![workflowlogs_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflowlogs_thumb_0_0.webp) +![workflowlogs_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflowlogs_thumb_0_0.webp) # Workflow Plugins diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/spacontenthubs.md b/docs/dataclassification/5.7/ndc/admin/workflows/spacontenthubs.md index 366598c24e..fa7b8b00f6 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/spacontenthubs.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/spacontenthubs.md @@ -8,7 +8,7 @@ to define SharePoint workflow actions at the SharePoint Content Type Hub site. A Content Type Update may be run on the site collection itself however they may also be run on consuming SharePoint Site collections. -![content_type_hubs_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/content_type_hubs_thumb_0_0.webp) +![content_type_hubs_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/content_type_hubs_thumb_0_0.webp) To configure a Workflow to run against all sites that consume a Content Type Hub please follow the below steps: diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/step1selectcontenttype.md b/docs/dataclassification/5.7/ndc/admin/workflows/step1selectcontenttype.md index d36bc3b9f9..f5a6725124 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/step1selectcontenttype.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/step1selectcontenttype.md 
@@ -13,8 +13,8 @@ which content sources of that type should be included in processing. 2. Then specify which source of content you want to process. You can select All sources, or select the one you need. -![workflow_step1_doc_type_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step1_doc_type_thumb_0_0.webp) +![workflow_step1_doc_type_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step1_doc_type_thumb_0_0.webp) Click Next to proceed. -See also: [Content Sources](../sources/introduction.md). +See also: [Content Sources](/docs/dataclassification/5.7/ndc/admin/sources/introduction.md). diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/step2selectautomatedaction.md b/docs/dataclassification/5.7/ndc/admin/workflows/step2selectautomatedaction.md index ad791ee216..6a06f6e2c0 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/step2selectautomatedaction.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/step2selectautomatedaction.md @@ -5,8 +5,8 @@ actions available for such content, for example, send an alert by email or updat etc. Click the action you need and configure the necessary settings. For details, see -[Available Actions](actions/availableactions.md). +[Available Actions](/docs/dataclassification/5.7/ndc/admin/workflows/actions/availableactions.md). -![workflow_step2_action_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step2_action_thumb_0_0.webp) +![workflow_step2_action_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step2_action_thumb_0_0.webp) When finished, proceed to the next step. diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md b/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md index 0c7991570b..522b2d17b6 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md 
+++ b/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md @@ -3,7 +3,7 @@ At this step, you can specify whether workflow actions should be performed with the classified documents only, or with any documents from the content source, etc. -![workflow_step3_condition](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_condition.webp) +![workflow_step3_condition](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_condition.webp) The following options are available: @@ -58,12 +58,12 @@ Then verify that configured filters are displayed properly: - Including filters (i.e. instructing to include documents with classification tag you selected) are colored blue: -![workflow_step3_filter_blue_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_filter_blue_thumb_0_0.webp) +![workflow_step3_filter_blue_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_filter_blue_thumb_0_0.webp) - Excluding filters (i.e. instructing to include documents without classification tag you selected) are colored red: -![workflow_step3_filter_red_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_filter_red_thumb_0_0.webp) +![workflow_step3_filter_red_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_filter_red_thumb_0_0.webp) If you have selected more than one filter, you will be prompted what logic should be used when applying the filters: 
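Review bot: In step3specifyconditions.md, the two filter screenshots keep their generated file names as alt text (`workflow_step3_filter_blue_thumb_0_0`, `workflow_step3_filter_red_thumb_0_0`), which tells a screen-reader user nothing about what the image shows. These images illustrate the blue (including) and red (excluding) filter colors, so the alt text should say so, for example "Including filter shown in blue" and "Excluding filter shown in red". The same applies to the other `*_thumb_0_0` alt texts touched by this change.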
@@ -82,7 +82,7 @@ the following: 4. In the **Details** dialog, from the **Taxonomy** list select **File Type**. 5. Then from the list of file types select **PDF** and click **OK**. -![workflow_step3_example_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_example_thumb_0_0.webp) +![workflow_step3_example_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_example_thumb_0_0.webp) After you get back to the wizard, the PDF filter will appear under the **Classified** option, colored blue (indicating this filter is including). @@ -105,4 +105,4 @@ source, except HTML and XML files. Do the following: files not classified as HTML or XML). 9. Finally, click **Next** to proceed. -![workflow_step3_example2_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_example2_thumb_0_0.webp) +![workflow_step3_example2_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step3_example2_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/admin/workflows/step4setnameandenable.md b/docs/dataclassification/5.7/ndc/admin/workflows/step4setnameandenable.md index 4f31fa7d97..53c86e780d 100644 --- a/docs/dataclassification/5.7/ndc/admin/workflows/step4setnameandenable.md +++ b/docs/dataclassification/5.7/ndc/admin/workflows/step4setnameandenable.md 
@@ -12,11 +12,11 @@ workflow (to start immediate processing). Do the following: **NOTE:** Documents that have already been classified will be re-classified before applying this automated workflow. - ![workflow_step4_name_settings_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step4_name_settings_thumb_0_0.webp) + ![workflow_step4_name_settings_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_step4_name_settings_thumb_0_0.webp) 4. When finished, click **Add** to close the wizard. Your new workflow will be added to the list on the **Workflows** tab: - ![workflow_list_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/admin/workflows/workflow_list_thumb_0_0.webp) + ![workflow_list_thumb_0_0](/img/product_docs/dataclassification/ndc/admin/workflows/workflow_list_thumb_0_0.webp) 5. Navigate to Content → Sources and select Re-classify for the selected sources in the workflow. diff --git a/docs/dataclassification/5.7/ndc/administration.md b/docs/dataclassification/5.7/ndc/administration.md index 66b23a5951..2398849d20 100644 --- a/docs/dataclassification/5.7/ndc/administration.md +++ b/docs/dataclassification/5.7/ndc/administration.md @@ -3,5 +3,5 @@ This section describes the operations that you can perform when administering your Netwrix Data Classification using the management console, in particular: -- [Index Maintenance](admin/utilities/indexmaintenance.md) -- [Configuration Backup](admin/utilities/configurationbackup.md) +- [Index Maintenance](/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md) +- [Configuration Backup](/docs/dataclassification/5.7/ndc/admin/utilities/configurationbackup.md) diff --git a/docs/dataclassification/5.7/ndc/configuration/communicationsettings.md b/docs/dataclassification/5.7/ndc/configuration/communicationsettings.md index 32ab0ee67e..e6ba9b2619 100644 
--- a/docs/dataclassification/5.7/ndc/configuration/communicationsettings.md +++ b/docs/dataclassification/5.7/ndc/configuration/communicationsettings.md @@ -15,7 +15,7 @@ service identifies an issue. Servers can be amended post configuration by selecting Edit, or, new SMTP servers can be added by selecting Add Email Server Configuration. -![configemailservers](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configemailservers.webp) +![configemailservers](/img/product_docs/dataclassification/ndc/configuration/configemailservers.webp) The SMTP details should be entered based on the values provided by your network team. Each configuration supports both SSL enabled SMTP servers, and those without SSL enabled. @@ -23,7 +23,7 @@ configuration supports both SSL enabled SMTP servers, and those without SSL enab It is also possible to supply a test email address which will be used to test the configuration settings. -![configemailserveradd](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configemailserveradd.webp) +![configemailserveradd](/img/product_docs/dataclassification/ndc/configuration/configemailserveradd.webp) [](#)Email Groups @@ -35,7 +35,7 @@ configure your Email Servers. To add a new group, select Add Email Server Group, or select Edit on each row to configure the group members. -![configaddemailgroup](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configaddemailgroup.webp) +![configaddemailgroup](/img/product_docs/dataclassification/ndc/configuration/configaddemailgroup.webp) Each group can have one or more members, and can be assigned a friendly name, which will be displayed when selecting an email group. 
@@ -49,7 +49,7 @@ before configuring notifications, you must configure your Email Groups. To add a new notification configuration select Add Notification Configuration, or select Edit on each row to change the configuration. -![confighealthnotifications_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/confighealthnotifications_thumb_0_0.webp) +![confighealthnotifications_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/confighealthnotifications_thumb_0_0.webp) Notifications can be set to trigger on warnings, or just on errors – by default problems of any level will be reported. @@ -57,4 +57,4 @@ level will be reported. The Daily Summary can also be disabled / enabled, this functionality sends out a summary email of outstanding problems each morning. -![configaddhealthnotification](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configaddhealthnotification.webp) +![configaddhealthnotification](/img/product_docs/dataclassification/ndc/configuration/configaddhealthnotification.webp) diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md index 92922acf5f..1829caf5ef 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md 
@@ -33,7 +33,7 @@ To register a new Azure AD application, do the following: 3. Under the Azure Directory select the **App registrations** section. 4. Select **New registration**: -![mfa_o365_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/mfa_o365_thumb_0_0.webp) +![mfa_o365_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/mfa_o365_thumb_0_0.webp) 5. In the **Name** field, enter the application name. 6. In the **Supported account types** select who can use this application – use the **Accounts in diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md index bfa9a49197..754b0010fe 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md @@ -15,7 +15,7 @@ Box management portal. click **Show more features** in the bottom and examine the information on **API calls per month** supported by each plan. -![box_lic_plans_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_lic_plans_thumb_0_0.webp) +![box_lic_plans_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_lic_plans_thumb_0_0.webp) 2. Make sure you have configured a valid Google account (with multi-factor authentication supported) and registered it as a _Box Developer Account_. This account is needed to create an app that @@ -38,7 +38,7 @@ There are four key stages in this procedure: This section describes steps 1 and 2 that are performed on the Box side. Steps 3 and 4 are performed on the Netwrix Data Classification side and described in the -[Box](../../admin/sources/box/addbox.md)section. +[Box](/docs/dataclassification/5.7/ndc/admin/sources/box/addbox.md)section. ### Step 1. Create the App 
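Review bot: In configinfrastructure/box.md, the changed line still ends with `addbox.md)section.`, with no space between the link and the word "section". Add the space while the line is being rewritten.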
@@ -46,7 +46,7 @@ on the Netwrix Data Classification side and described in the 2. Open the Box developer's console endpoint: `https://app.box.com/developers/console`. 3. If you have not created an app before, you will see a screen similar to the one below: - ![box_app](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_app.webp) + ![box_app](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_app.webp) 4. Click **Create New App**. 5. Select Custom App. @@ -70,7 +70,7 @@ on the Netwrix Data Classification side and described in the verification. When finished, get back to the **Configuration** section, clicking the related item in the left pane. - ![box_keys](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_keys.webp) + ![box_keys](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/box_keys.webp) 12. You will be notified about downloading a JSON file with all configuration settings of your app. diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md index b36b035959..304cf3fdca 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md @@ -43,4 +43,4 @@ To authorize your app - files.team_metadata.write - members.read -![dropbox_authorize_app](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/dropbox_authorize_app.webp) +![dropbox_authorize_app](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/dropbox_authorize_app.webp) 
diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md index 1531a9534e..dfb4a449eb 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md @@ -80,6 +80,6 @@ mailboxes that you wish to crawl. This requires the setup of two permissions: If you plan to implement the scenario that involves modern authentication, you should do the following: -1. [Create Azure AD app for Modern Authentication](azureappexchangeonlinemfa.md) -2. Configure [Exchange Server](../../admin/sources/exchangemailbox/exchangeserver.md) source +1. [Create Azure AD app for Modern Authentication](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/azureappexchangeonlinemfa.md) +2. Configure [Exchange Server](/docs/dataclassification/5.7/ndc/admin/sources/exchangemailbox/exchangeserver.md) source settings. diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md index 4bd37ac50a..617a95639b 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md 
@@ -37,7 +37,7 @@ Review the following for additional information: | Create a new project | 1. Navigate to https://console.developers.google.com (Google Cloud Platform web console) while logged in as a G-Suite administrator within the domain to be crawled (if the user is not added within the correct domain then the correct data will not be identified). 2. Create a new project. | | Select Application type | 1. Once a new project has been created, navigate to APIs&Services → OAuth consent screen. 2. Set User type to "_Internal_". 3. Provide the name for new application. 4. Click Save. | | Create a new service account | 1. In Google Cloud Platform web console, navigate to Credentials and click Create Credentials. 2. Then, click Service account. 3. Create service account as described in Google official [article](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#article). 4. On the Grant this service account access to project (optional) step, do not select any roles. 5. On the Grant users access to this service account (optional) step, do not grant any user access. Click Done. | -| Create a service account key | 1. On the Service accounts section, click edit on the account you want to create a key for. 2. Click ![add_key_icon](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/add_key_icon.webp) icon under Actions and select Create key. 3. In the Create private key for `` dialog, select JSON format, and download the file to a known location as it will be required later. **NOTE:** Your new public / private keypair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely. If you lose this keypair, you will need to generate a new one. | +| Create a service account key | 1. On the Service accounts section, click edit on the account you want to create a key for. 2. 
Click ![add_key_icon](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/add_key_icon.webp) icon under Actions and select Create key. 3. In the Create private key for `` dialog, select JSON format, and download the file to a known location as it will be required later. **NOTE:** Your new public / private keypair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely. If you lose this keypair, you will need to generate a new one. | | Delegate domain-wide authority to the service account | 1. On the Service accounts section, select your service account and click Edit. 2. Click the Show Domain-Wide Delegation link and tick the Enable G Suite Domain-wide Delegation checkbox. 3. Click Save. 4. Once completed, review the "_Domain wide delegation_" column for this account and make sure that the delegation enabled. 5. Click the View Client ID link. 6. Copy your Client ID, you will need it later. | | Enable Google Drive API | 1. In Google Cloud Platform web console, navigate to the API Dashboard and select Enable APIs and Services (if APIs have not previously been enabled). 2. Search for Google Drive API and click Enable (or Manage). 3. Search for Admin SDK API and click Enable (or Manage). 4. Switch to G Suite Admin Console. 5. Navigate to Security → API Controls → Manage Domain-wide Delegation within the Google admin portal. 6. Set the client name to the Client ID you copied on the previous step. 7. Set the API scopes and select Authorize: - https://www.googleapis.com/auth/drive - https://www.googleapis.com/auth/admin.directory.user | 
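Review bot: In the "Create a service account key" row of gdrive.md (@@ -37,7), step 3 reads "In the Create private key for `` dialog": the inline code span is empty, so the dialog name is missing its account placeholder. The row is rewritten here anyway, so restore the placeholder in a form that survives rendering. The same empty span appears in the matching row of the hunk at @@ -62,6.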
@@ -62,6 +62,6 @@ Review the following for additional information: | Create a new project | 1. Navigate to https://console.developers.google.com Google Cloud Platform web console) while logged in as a G-Suite administrator within the domain to be crawled (if the user is not added within the correct domain then the correct data will not be identified). 2. Create a new project. | | Select Application type | 1. Once a new project has been created, navigate to APIs&Services → OAuth consent screen. 2. Set User type to "_Internal_". 3. Provide the name for new application. 4. Click Save. | | Create a new service account | 1. In Google Cloud Platform web console, navigate to IAM & Admin→Service Accounts. 2. Create service account as described in Google official [article](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#article). 3. On the Grant this service account access to project (optional) step, do not select any roles. 4. On the Grant users access to this service account (optional) step, do not grant any user access. Click Done. | -| Create a service account key | 1. On the Service accounts page, select the account you want to create a key for. 2. Click ![add_key_icon](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/add_key_icon.webp) icon under Actions and select Create key. 3. In the Create private key for `` dialog, select JSON format, and download the file to a known location as it will be required later. **NOTE:** Your new public/private keypair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely. If you lose this keypair, you will need to generate a new one. | +| Create a service account key | 1. On the Service accounts page, select the account you want to create a key for. 2. 
Click ![add_key_icon](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/add_key_icon.webp) icon under Actions and select Create key. 3. In the Create private key for `` dialog, select JSON format, and download the file to a known location as it will be required later. **NOTE:** Your new public/private keypair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely. If you lose this keypair, you will need to generate a new one. | | Enable Google Drive API | 1. In Google Cloud Platform web console, navigate to the API Dashboard and select Enable APIs and Services (if APIs have not previously been enabled). 2. Search for Google Drive API and click Enable (or Manage). | | Allow sharing for your files and folders | 1. Navigate to each Google Drive account that you wish to crawl 2. Right click each file / folder you wish to crawl and select Share… 3. Enter email address of the service account you created on the Create a new service account step. To view email address, do the following: - In Google API console, navigate to IAM & Admin → Service Accounts. - Select your service account and click Edit. - Review email address in the Email field. 4. If you wish to write classifications or apply workflows, ensure that Can organize, add, &edit option is selected (expand the menu to the right of People field). | diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/introduction.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/introduction.md index ca9f82b7a5..d442f2cf2d 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/introduction.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/introduction.md 
@@ -6,9 +6,9 @@ of infrastructure for crawling these sources. See the following topics for additional information: -- [Configure Box for Crawling](box.md) -- [Configure Dropbox for Crawling](dropbox.md) -- [Configure Microsoft Exchange for Crawling and Classification](exchange.md) -- [Configure NFS File Share for Crawling](nfsfs.md) -- [Configure G Suite and Google Drive for Crawling](gdrive.md) -- [Set Up MIP Integration](../../admin/workflows/miplabels/configureinfrastructure.md) +- [Configure Box for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/box.md) +- [Configure Dropbox for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/dropbox.md) +- [Configure Microsoft Exchange for Crawling and Classification](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md) +- [Configure NFS File Share for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md) +- [Configure G Suite and Google Drive for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md) +- [Set Up MIP Integration](/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configureinfrastructure.md) diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md index 96327e56b1..1a112cdb83 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/nfsfs.md 
@@ -13,7 +13,7 @@ computer where Netwrix Data Classification is installed. - Changes made to files (including adding new files) will not be automatically detected until the source is re-indexed—Netwrix recommends setting the re-index period for NFS file shares to 1 day. -Add the Folder source as described in the [File System](../../admin/sources/filesystem/overview.md) +Add the Folder source as described in the [File System](/docs/dataclassification/5.7/ndc/admin/sources/filesystem/overview.md) topic. **NOTE:** Do not specify username and password while adding data source. diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spodefaults.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spodefaults.md index 03304a052c..2c68c3aa38 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spodefaults.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spodefaults.md 
@@ -19,8 +19,8 @@ subsite configurations. Available options are listed in the table below. | **Content Field Mappings** | | | | The values configured for each of the default content mappings will be assigned based on the base template of the list (Document Library, Generic List etc). | | | -![sharepointadvancedsourceconfiguration_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourceconfiguration_thumb_0_0.webp) +![sharepointadvancedsourceconfiguration_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourceconfiguration_thumb_0_0.webp) -![sharepointadvancedspecialfieldmappings_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedspecialfieldmappings_thumb_0_0.webp) +![sharepointadvancedspecialfieldmappings_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedspecialfieldmappings_thumb_0_0.webp) -![sharepointadvancedsourcecontentmappings_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourcecontentmappings_thumb_0_0.webp) +![sharepointadvancedsourcecontentmappings_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedsourcecontentmappings_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/sposubsiteandlistprocessing.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/sposubsiteandlistprocessing.md index fd9f847e1f..c10874971f 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/sposubsiteandlistprocessing.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/sposubsiteandlistprocessing.md 
@@ -3,7 +3,7 @@ The **Entity Configuration** tab displays configuration for the site collection. You can navigate to the subsites/lists to configure their settings. -![sharepointadvancedentities_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedentities_thumb_0_0.webp) +![sharepointadvancedentities_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepointadvancedentities_thumb_0_0.webp) - The Include column for each entity contains an indicator (tick or cross) showing whether the container is configured for crawling. diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md index 74befb175a..a096d60d81 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotagging.md 
@@ -30,12 +30,12 @@ To configure tagging using the wizard 1. Click on the app to start the **SharePoint Tagging wizard**. -![sharepoint_tagging_wizard_1_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepoint_tagging_wizard_1_thumb_0_0.webp) +![sharepoint_tagging_wizard_1_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepoint_tagging_wizard_1_thumb_0_0.webp) 2. Configure the Term Sets that you wish to auto-classify. For that, click the **Add** button and then select the required Term Sets or fields: - ![sharepoint_tagging_wizard_2_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepoint_tagging_wizard_2_thumb_0_0.webp) + ![sharepoint_tagging_wizard_2_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configinfrastructure/sharepoint_tagging_wizard_2_thumb_0_0.webp) 3. If needed, select the specific site/list columns you wish to restrict auto-classification to. 4. Confirm the selection. diff --git a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotenancy.md b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotenancy.md index 17c0ea16a8..dd736678aa 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotenancy.md +++ b/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/spotenancy.md 
@@ -5,7 +5,7 @@ there is a need to crawl an entire SharePoint Online tenancy. The following guid step-by-step instructions in order to configure a whole tenancy for collection. 1. Add SharePoint Online source as described in the - [SharePoint Online](../../admin/sources/sharepoint/sharepointonline.md) section. + [SharePoint Online](/docs/dataclassification/5.7/ndc/admin/sources/sharepoint/sharepointonline.md) section. **NOTE:** If this option is not available within the source type selection then it would suggest that the source type is not currently licensed, please contact support for more details. diff --git a/docs/dataclassification/5.7/ndc/configuration/configmetadata.md b/docs/dataclassification/5.7/ndc/configuration/configmetadata.md index 94bda11b03..eb10877bb1 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configmetadata.md +++ b/docs/dataclassification/5.7/ndc/configuration/configmetadata.md 
@@ -12,20 +12,20 @@ following for additional information: This list specifies which internally generated fields are to be used: -![configdocumentmetadatafields_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configdocumentmetadatafields_thumb_0_0.webp) +![configdocumentmetadatafields_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configdocumentmetadatafields_thumb_0_0.webp) ## Metadata Field Mappings This table allows additional metadata fields to be generated by mapping an already existing field name to a new name. -![configmetadatafieldmappings_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configmetadatafieldmappings_thumb_0_0.webp) +![configmetadatafieldmappings_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configmetadatafieldmappings_thumb_0_0.webp) ## Metadata Value Mappings This list allows metadata values to be mapped from a source value to a new target value. -![configmetadatavaluemappings_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configmetadatavaluemappings_thumb_0_0.webp) +![configmetadatavaluemappings_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configmetadatavaluemappings_thumb_0_0.webp) For example, if we create an entry for the field “Modified By”, with Source=”Cheryl Tweedy” and Target=”Cheryl Cole”, then a document with this metadata: 
@@ -45,12 +45,12 @@ This feature applies to the CSE-owner function for a workflow. Suppose, you want documents after the classification to the CSE owner. Then you may need to specify what is the role you stand for these documents: Owner, Author, Creator, etc. You can prioritise any of these roles by clicking -the![arrowup](../../../../../static/img/product_docs/dataclassification/ndc/configuration/arrowup.webp) +the![arrowup](/img/product_docs/dataclassification/ndc/configuration/arrowup.webp) or -![arrowadown](../../../../../static/img/product_docs/dataclassification/ndc/configuration/arrowadown.webp) +![arrowadown](/img/product_docs/dataclassification/ndc/configuration/arrowadown.webp) arrows. For example, if your document is owned or authored by you, but not modified or created, you may choose this priority: -![owner_mapping_priorities_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/owner_mapping_priorities_thumb_0_0.webp) +![owner_mapping_priorities_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/owner_mapping_priorities_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/configuration/configuration.md b/docs/dataclassification/5.7/ndc/configuration/configuration.md index 5b901fa109..ae2515c7f7 100644 --- a/docs/dataclassification/5.7/ndc/configuration/configuration.md +++ b/docs/dataclassification/5.7/ndc/configuration/configuration.md 
@@ -3,19 +3,19 @@ The Config administration area allows you to specify global system configuration settings. The default screen shows the most commonly amended settings. -![core_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) The most frequently used settings are displayed by default. Some configuration options are hidden and can be shown by selecting the Advanced Settings ("wrench" icon). Note that they will be only -available [See Users and Security Settings for more information.](../security/users.md) +available [See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md) See next: - Core Configuration -- [Communication Settings](communicationsettings.md) -- [Metadata Configuration](configmetadata.md) -- [Redaction](redaction.md) -- [System Configuration Settings](systemconfiguration.md) -- [Text Processing](texthandling.md) -- [MIP Labels Configuration](../admin/workflows/miplabels/configurendc.md) -- [Language Stemming](languagestemming.md) +- [Communication Settings](/docs/dataclassification/5.7/ndc/configuration/communicationsettings.md) +- [Metadata Configuration](/docs/dataclassification/5.7/ndc/configuration/configmetadata.md) +- [Redaction](/docs/dataclassification/5.7/ndc/configuration/redaction.md) +- [System Configuration Settings](/docs/dataclassification/5.7/ndc/configuration/systemconfiguration.md) +- [Text Processing](/docs/dataclassification/5.7/ndc/configuration/texthandling.md) +- [MIP Labels Configuration](/docs/dataclassification/5.7/ndc/admin/workflows/miplabels/configurendc.md) +- [Language Stemming](/docs/dataclassification/5.7/ndc/configuration/languagestemming.md) 
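Review bot: The changed line `available [See Users and Security Settings for more information.](/docs/dataclassification/5.7/ndc/security/users.md)` in configuration.md leaves the sentence "Note that they will be only available" without its condition, so the reader is never told to whom or when the advanced settings are available. Complete the sentence and move the reference into its own "See ..." sentence instead of linking a whole sentence mid-clause.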
diff --git a/docs/dataclassification/5.7/ndc/configuration/core/administration.md b/docs/dataclassification/5.7/ndc/configuration/core/administration.md index 3348512a8c..00f66676f6 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/administration.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/administration.md @@ -6,7 +6,7 @@ click the "wrench" icon at **Settings** in the bottom-right corner. Nearly each configuration option has an associated “i” which describes the nature of the setting. -![core_admin_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_admin_thumb_0_0.webp) +![core_admin_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_admin_thumb_0_0.webp) ## General Options @@ -19,7 +19,7 @@ Nearly each configuration option has an associated “i” which describes the n | **Advanced settings** | | | | Instance name | Name of the NDC Server instance | | | Administration URL | URL of the web-based management console. Default URL is _http://localhost/conceptQS_. | If necessary, specify another Netwrix standalone server or cluster server instead of local host. You can use server name or IP address. | -| AD Groups Lookup Enabled | Allows you to enable/disable the use of AD groups in User Manager. This option is disabled by default. | It is recommended to keep this option disabled unless AD group support is specifically required. To learn more about User Manager in Netwrix Data Classification, see [User Management](../../security/usermanagement.md) | +| AD Groups Lookup Enabled | Allows you to enable/disable the use of AD groups in User Manager. This option is disabled by default. | It is recommended to keep this option disabled unless AD group support is specifically required. To learn more about User Manager in Netwrix Data Classification, see [User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) | ## Taxonomies 
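Review bot: In the AD Groups Lookup Enabled row of administration.md (@@ -19,7), the new link target `/docs/dataclassification/5.7/ndc/security/usermanagement.md` hard-codes the `5.7` version directory, where the old `../../security/usermanagement.md` was version-independent. If this tree is copied to create the next version's docs, links written this way will still point into 5.7. Please confirm that a link check or rewrite step covers this, or keep links within one version relative.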
diff --git a/docs/dataclassification/5.7/ndc/configuration/core/classifier.md b/docs/dataclassification/5.7/ndc/configuration/core/classifier.md index f913a5860a..efc10986b5 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/classifier.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/classifier.md 
@@ -6,21 +6,21 @@ the bottom-right corner. Each option has an associated “**i**” which describes the nature of the setting. -![core_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) **NOTE:** To view a complete list of the **Config** settings, click the Details tab. The list also has an indication of the values that have been changed from the default setting. The following options can be configured for Classifier: -- [General Options](generaloptions.md) -- [You can decrease the Classifier load, targeting it at monitored content only. This means that you can schedule content to be automatically re-classified only when a specific condition or set of conditions are met, or with a minimum time period between runs.](monitoredcontent.md) -- [conceptClassifier App Options](conceptclassifier.md) (advanced settings) -- [Engine Options](engineoptions.md) +- [General Options](/docs/dataclassification/5.7/ndc/configuration/core/generaloptions.md) +- [You can decrease the Classifier load, targeting it at monitored content only. This means that you can schedule content to be automatically re-classified only when a specific condition or set of conditions are met, or with a minimum time period between runs.](/docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md) +- [conceptClassifier App Options](/docs/dataclassification/5.7/ndc/configuration/core/conceptclassifier.md) (advanced settings) +- [Engine Options](/docs/dataclassification/5.7/ndc/configuration/core/engineoptions.md) You can also use the following option buttons: - Start Product Tour—Run a product tour taking you around the key areas of the product. - Run Cleaner—Run built-in tool to automate maintenance operations. 
- [See Index Maintenance for more information.](../../admin/utilities/indexmaintenance.md) + [See Index Maintenance for more information.](/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md) - Reset Cache—Force the QS caches to be reset. diff --git a/docs/dataclassification/5.7/ndc/configuration/core/collector.md b/docs/dataclassification/5.7/ndc/configuration/core/collector.md index 31298d1162..e8d3a3159a 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/collector.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/collector.md @@ -3,7 +3,7 @@ This configuration tab contains the classification engine settings. Each configuration option has an associated “i” which describes the nature of the setting. -![core_collector](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_collector.webp) +![core_collector](/img/product_docs/dataclassification/ndc/configuration/core/core_collector.webp) | Option | Description | Comment | | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/dataclassification/5.7/ndc/configuration/core/conceptclassifier.md b/docs/dataclassification/5.7/ndc/configuration/core/conceptclassifier.md index d4deffb778..97470c97fa 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/conceptclassifier.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/conceptclassifier.md 
@@ -6,7 +6,7 @@ them. Each option has an associated “**i**” which describes the nature of the setting. -![core_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) **NOTE:** To view a complete list of the **Config** settings, click the Details tab. The list also has an indication of the values that have been changed from the default setting. diff --git a/docs/dataclassification/5.7/ndc/configuration/core/details.md b/docs/dataclassification/5.7/ndc/configuration/core/details.md index 116cc46ef0..f22b11801b 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/details.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/details.md @@ -4,7 +4,7 @@ This **Details** tab provides a complete list of the Config settings, as well as the values that have been changed from the default settings. The list of properties is provided from the SQL database. -![core_details_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_details_thumb_0_0.webp) +![core_details_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_details_thumb_0_0.webp) To look for a particular property or value, use the search field. diff --git a/docs/dataclassification/5.7/ndc/configuration/core/engineoptions.md b/docs/dataclassification/5.7/ndc/configuration/core/engineoptions.md index 8aee475bd2..89692fcade 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/engineoptions.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/engineoptions.md 
@@ -5,7 +5,7 @@ By default, only basic options are displayed. To view advanced options, click th Each option has an associated “**i**” which describes the nature of the setting. -![core_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) **NOTE:** To view a complete list of the **Config** settings, click the Details tab. The list also has an indication of the values that have been changed from the default setting. 
@@ -17,7 +17,7 @@ has an indication of the values that have been changed from the default setting. | Boosted Regex Scoring | Automatically boosts the score of Regex clues when the regular expression matches multiple occurrences in the same document. | Selecting this option is not recommended when using the Netwrix compliance taxonomies. | | Case-insensitive Regex Processing | Processes any regex or metadata regex rules in a case-insensitive manner. | | | **Advanced settings** | | | -| Redis Caching | Use _redis_ module to enable Classifier data caching between the core Windows services and NDC Servers. | This module can be downloaded from [https://github/MicrosoftArchive/redis/releases.](https://github/MicrosoftArchive/redis/releases) Install it locally and open port **6379** required for its operation. For details on servers cluster, see [Configuring NDC Servers Cluster and Load Balancing with DQS Mode](../../requirements/dqsmode.md) | +| Redis Caching | Use _redis_ module to enable Classifier data caching between the core Windows services and NDC Servers. | This module can be downloaded from [https://github/MicrosoftArchive/redis/releases.](https://github/MicrosoftArchive/redis/releases) Install it locally and open port **6379** required for its operation. For details on servers cluster, see [Configuring NDC Servers Cluster and Load Balancing with DQS Mode](/docs/dataclassification/5.7/ndc/requirements/dqsmode.md) | | Store Trimmed Classification | Enables storing trimmed classifications in SQL (due to max category settings at the global or subset level). | When enabled, classification performance will be improved —however, this will result in additional data within the SQL database. | | Enable Standard Clue Metadata Matching | By default, standard clues are matched against the extracted text, index text, summary, and title. Use this option if you want to match standard clues also on values found in the document's metadata. 
| To ensure accurate classification results, we recommend running an index rebuild operation after enabling this mode (use Run Cleaner button). | | Disable Unclassified Regex Extraction | By default, any regular expression clue will result in additional metadata being added to a document, based on the extracted value(s). Use this option if you want to only extract values for clues on nodes that have achieved their threshold for classification. | | diff --git a/docs/dataclassification/5.7/ndc/configuration/core/generaloptions.md b/docs/dataclassification/5.7/ndc/configuration/core/generaloptions.md index bb56f00472..99652e9e1d 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/generaloptions.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/generaloptions.md @@ -6,7 +6,7 @@ in the bottom-right corner. Each option has an associated “**i**” which describes the nature of the setting. -![core_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) **NOTE:** To view a complete list of the **Config** settings, click the Details tab. The list also has an indication of the values that have been changed from the default setting. 
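Review bot: In engineoptions.md at @@ -17,7, the Redis Caching row is rewritten but still carries `https://github/MicrosoftArchive/redis/releases` as both link text and target. The host is missing `.com`, so the download link is dead, and the link text also swallows the sentence's trailing period. Fix the URL while the row is being touched. The row also tells readers to open port **6379** without saying for which hosts; it would help to state that the port only needs to be reachable by the core Windows services and NDC Servers that share the cache.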
@@ -18,11 +18,11 @@ has an indication of the values that have been changed from the default setting. | **Standard settings** | | | | Max Categories | Sets the maximum number of classifications to be allocated to each document. Possible values: - up to **256** — for 32-bit Windows - up to **1024** — for 64-bit Windows | If a document matches so many categories that the specified value would be exceeded, then the classification service will select the required number of categories based on those that have the highest score. **NOTE:** Higher value causes the engine to use more RAM, so it is recommended to use the default setting (unless it is essential that more categories are allocated to each document). | | Retain Existing Metadata Mode | Specifies how the classification engine should process already existing classification (managed metadata fields). Possible options: - **Retain if not classified** — leave existing classification in place if no auto-classification has been generated - **Overwrite** — clear managed metadata fields | Applies to SharePoint source. | -| Auto-Classification Change Logs | Enables a change log for auto-classification: each "Addition"/"Removal" of a classification against a document will be stored in the database as its classifications change. | Inactive by default. See also [Manage Reports](../../admin/reporting/manage.md) | +| Auto-Classification Change Logs | Enables a change log for auto-classification: each "Addition"/"Removal" of a classification against a document will be stored in the database as its classifications change. | Inactive by default. See also [Manage Reports](/docs/dataclassification/5.7/ndc/admin/reporting/manage.md) | | Classifier Threads | The number of background threads used for classification. Default is **0 (auto)**. | We recommend leaving this setting on its default value. 
For more information, see this Knowledge Base article: [https://kb.netwrix.com/3863](https://kb.netwrix.com/3863) | | Classifier Write Threads | The number of threads to be utilised by the Classifier to update source systems during "tagging" operations (i.e. writing classification back to source system). | Each thread can be considered a "user" when considering load on the source system. For more information, see this Knowledge Base article: [https://kb.netwrix.com/3863](https://kb.netwrix.com/3863) | | **Advanced settings** | | | -| ![core_classifier_general_tab_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_classifier_general_tab_thumb_0_0.webp) | | | +| ![core_classifier_general_tab_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_classifier_general_tab_thumb_0_0.webp) | | | | Classifier Enabled | Enables / disables the Classifier core component. By default, it is enabled. | | | SharePoint EMM No Classify Mode | Possible values: - **Do not update Deprecated** (default) — use if you do not want to alter the **Deprecated** setting in SharePoint EMM - **Update Deprecated** — select if you want Deprecated setting to be updated | | | Subset Trimming Enabled | This setting applies where both primary (single value) and secondary (multi value) fields are added to a document library for the same taxonomy. - **Off** (default) — the highest scoring term will be shown in both primary and secondary fields. - **On** — the highest scoring term will be shown only in the primary field. | | diff --git a/docs/dataclassification/5.7/ndc/configuration/core/indexer.md b/docs/dataclassification/5.7/ndc/configuration/core/indexer.md index a985c57284..46ad811d5f 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/indexer.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/indexer.md 
@@ -4,7 +4,7 @@ This configuration tab contains the indexing engine settings. Each configuration associated “**i**” which describes the nature of the setting. To view advanced options, click the screwdriver icon at **Settings** on the right. -![core_indexer_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_indexer_thumb_0_0.webp) +![core_indexer_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_indexer_thumb_0_0.webp) | Option | Description | Comment | | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md b/docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md index 7d7fb6be32..ade138a5c9 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md @@ -4,7 +4,7 @@ You can decrease the Classifier load, targeting it at _monitored content_ only. can schedule content to be automatically re-classified only when a specific condition or set of conditions are met, or with a minimum time period between runs. -![core_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) +![core_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core_thumb_0_0.webp) **NOTE:** Each option in this section has an associated “**i**” which describes the nature of the setting. 
@@ -22,7 +22,7 @@ To re-classify content that meets specific conditions: **Monitored Document Indicator**. 3. Click on the tag icon, and in the **Select Term** dialog specify the term that should be used to identify monitored content: - ![core_classifier_mc_terms_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_classifier_mc_terms_thumb_0_0.webp)4. + ![core_classifier_mc_terms_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_classifier_mc_terms_thumb_0_0.webp)4. When finished, click **Select**, then in the Classifier settings window click **Save**, To re-classify content with a minimum time period between runs: diff --git a/docs/dataclassification/5.7/ndc/configuration/core/system.md b/docs/dataclassification/5.7/ndc/configuration/core/system.md index 53b0e9f39d..e2536b92f5 100644 --- a/docs/dataclassification/5.7/ndc/configuration/core/system.md +++ b/docs/dataclassification/5.7/ndc/configuration/core/system.md @@ -3,7 +3,7 @@ This configuration tab contains the settings related to system health, operation and logging. Each configuration option has an associated “i” which describes the nature of the setting. -![core_system_thumb_0_0](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/core/core_system_thumb_0_0.webp) +![core_system_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/core/core_system_thumb_0_0.webp) ## Health diff --git a/docs/dataclassification/5.7/ndc/configuration/coreconfiguration.md b/docs/dataclassification/5.7/ndc/configuration/coreconfiguration.md index 0776ea053e..71b64c892b 100644 --- a/docs/dataclassification/5.7/ndc/configuration/coreconfiguration.md +++ b/docs/dataclassification/5.7/ndc/configuration/coreconfiguration.md 
@@ -8,5 +8,5 @@ You can also: - Start Product Tour—Runs a product tour, taking you around the key areas of the product. - Run Cleaner—Runs built-in tool to automate maintenance operations. - [See Index Maintenance for more information.](../admin/utilities/indexmaintenance.md) + [See Index Maintenance for more information.](/docs/dataclassification/5.7/ndc/admin/utilities/indexmaintenance.md) - Reset Cache—Force the QS caches to be reset. diff --git a/docs/dataclassification/5.7/ndc/configuration/licensing.md b/docs/dataclassification/5.7/ndc/configuration/licensing.md index 95cac7b5d4..2ee39e18c2 100644 --- a/docs/dataclassification/5.7/ndc/configuration/licensing.md +++ b/docs/dataclassification/5.7/ndc/configuration/licensing.md @@ -22,7 +22,7 @@ Follow the steps to add a license. **Step 1 –** Go to **Settings** > **Licensing**. The Licensing Summary page opens. -![licensing](../../../../../static/img/product_docs/dataclassification/ndc/configuration/licensing.webp) +![licensing](/img/product_docs/dataclassification/ndc/configuration/licensing.webp) In the Source Licensing and Feature Licensing columns, you can view the available licenses for your sources and features. You can review the following details: @@ -35,7 +35,7 @@ sources and features. You can review the following details: **Step 2 –** Click **Add Licence**. -![licencedetails](../../../../../static/img/product_docs/dataclassification/ndc/configuration/licencedetails.webp) +![licencedetails](/img/product_docs/dataclassification/ndc/configuration/licencedetails.webp) **Step 3 –** Specify Name of the licence and the Licence details. 
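Review bot: in `docs/dataclassification/5.7/ndc/configuration/core/monitoredcontent.md`, hunk `@@ -22,7 +22,7 @@`, the rewritten image line still ends in `core_classifier_mc_terms_thumb_0_0.webp)4.`, so the step number `4.` is fused to the image and the following line "When finished, click **Select**, ..." will not render as step 4 of the list. Move `4.` to the start of that next line while the image line is being touched. The same step ends in a comma ("click **Save**,") where a period is expected.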
@@ -44,4 +44,4 @@ sources and features. You can review the following details: **NOTE:** You can view the list of your licence names, its type, and valid status on the Licences page. -![licencenames](../../../../../static/img/product_docs/dataclassification/ndc/configuration/licencenames.webp) +![licencenames](/img/product_docs/dataclassification/ndc/configuration/licencenames.webp) diff --git a/docs/dataclassification/5.7/ndc/configuration/redaction.md b/docs/dataclassification/5.7/ndc/configuration/redaction.md index 86057360ad..32dd1a89e7 100644 --- a/docs/dataclassification/5.7/ndc/configuration/redaction.md +++ b/docs/dataclassification/5.7/ndc/configuration/redaction.md @@ -23,17 +23,17 @@ types (depending on the configuration): Masking based redaction will ensure that a specified number of start / end characters will be retained from each redacted value. -![configredactionplans](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configredactionplans.webp) +![configredactionplans](/img/product_docs/dataclassification/ndc/configuration/configredactionplans.webp) ## Redaction Entity Groups Entity Groups can be used to add redaction entities to specific groups. -![redactionentitygroups](../../../../../static/img/product_docs/dataclassification/ndc/configuration/redactionentitygroups.webp) +![redactionentitygroups](/img/product_docs/dataclassification/ndc/configuration/redactionentitygroups.webp) ## Redaction Entities Entities can be used to specify any custom words or phrases that should be removed by a redaction plan. -![configredactionentities](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configredactionentities.webp) +![configredactionentities](/img/product_docs/dataclassification/ndc/configuration/configredactionentities.webp) 
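Review bot: the three rewritten image lines in this `redaction.md` hunk keep the file stem as alt text (`configredactionplans`, `redactionentitygroups`, `configredactionentities`), which tells a screen-reader user, or anyone reading with images unavailable, nothing about the screenshot. Each line is being rewritten anyway, so replace the stem with a short description of what the screenshot shows.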
diff --git a/docs/dataclassification/5.7/ndc/configuration/systemconfiguration.md b/docs/dataclassification/5.7/ndc/configuration/systemconfiguration.md index 3c8c0157fe..5c8a1b268e 100644 --- a/docs/dataclassification/5.7/ndc/configuration/systemconfiguration.md +++ b/docs/dataclassification/5.7/ndc/configuration/systemconfiguration.md @@ -15,7 +15,7 @@ The AD Domains Excluded list is used to disable Active Directory expansion for c This is useful in a multi-Domain forest, where the Netwrix Data Classification server does not have access to all domains within the forest. -![configaddomainsexcluded](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configaddomainsexcluded.webp) +![configaddomainsexcluded](/img/product_docs/dataclassification/ndc/configuration/configaddomainsexcluded.webp) Attachments Excluded @@ -23,7 +23,7 @@ When indexing files from that potentially contain attachments (SharePoint List I file locations that will be ignored is defined by the Attachments Excluded list. The definitions in this list may be viewed and modified via the Attachments Excluded form: -![configattachementsexcluded](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configattachementsexcluded.webp) +![configattachementsexcluded](/img/product_docs/dataclassification/ndc/configuration/configattachementsexcluded.webp) Any file with a path that matches one of these patterns will be ignored. Wildcards may be used anywhere in the pattern definition, with: 
@@ -36,7 +36,7 @@ No Index Sometimes an application may wish to remove selected documents from all search results. This may be implemented by specifying No Index entries. -![confignoindex](../../../../../static/img/product_docs/dataclassification/ndc/configuration/confignoindex.webp) +![confignoindex](/img/product_docs/dataclassification/ndc/configuration/confignoindex.webp) Any number of URLs (or Filenames) may be entered and none of these will ever appear in search results. Wildcards may be used anywhere in the pattern definition, with: @@ -49,7 +49,7 @@ Proxy Server The Proxy Server form may be used to define a proxy server to be used when crawling websites, the proxy server is not used for SharePoint crawling. -![configproxyserver](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configproxyserver.webp) +![configproxyserver](/img/product_docs/dataclassification/ndc/configuration/configproxyserver.webp) Set Bypass Local to Yes to bypass the proxy server for local addresses (localhost etc). @@ -65,7 +65,7 @@ It can be useful to suspend these services from running so that they do not impa during the peak hours of the working day. Sometimes it may be useful to suspend these services for some lower priority sources but have them continue to process higher priority sources. -![configsuspendservices](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configsuspendservices.webp) +![configsuspendservices](/img/product_docs/dataclassification/ndc/configuration/configsuspendservices.webp) Service suspensions can be configured in the following ways: diff --git a/docs/dataclassification/5.7/ndc/configuration/systemconfigurationoverview.md b/docs/dataclassification/5.7/ndc/configuration/systemconfigurationoverview.md index be9cc51288..5c389c61b1 100644 --- a/docs/dataclassification/5.7/ndc/configuration/systemconfigurationoverview.md +++ b/docs/dataclassification/5.7/ndc/configuration/systemconfigurationoverview.md 
@@ -6,9 +6,9 @@ - To specify Netwrix Data Classification settings and manage licenses, click Config. - To set up user roles and security privileges, click **Users**. -![system_config_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/system_config_thumb_0_0.webp) +![system_config_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/system_config_thumb_0_0.webp) See next: -- [Configuration Options](configuration.md) -- [Users and Security Settings](../security/users.md) +- [Configuration Options](/docs/dataclassification/5.7/ndc/configuration/configuration.md) +- [Users and Security Settings](/docs/dataclassification/5.7/ndc/security/users.md) diff --git a/docs/dataclassification/5.7/ndc/configuration/texthandling.md b/docs/dataclassification/5.7/ndc/configuration/texthandling.md index 855fc562b3..39c93621c5 100644 --- a/docs/dataclassification/5.7/ndc/configuration/texthandling.md +++ b/docs/dataclassification/5.7/ndc/configuration/texthandling.md @@ -16,7 +16,7 @@ This section contains information on how to configure text processing. Related o Sometimes an application may wish to push selected documents to the top of a hitlist for specific queries. This may be implemented by specifying Best Bets for specific query text. -![configbestbets_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configbestbets_thumb_0_0.webp) +![configbestbets_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configbestbets_thumb_0_0.webp) First, enter the search term that you wish to match and then click the Add button. 
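Review bot: the new link targets in the `systemconfigurationoverview.md` hunk (`@@ -6,9 +6,9 @@`) hard-code the product version, for example `/docs/dataclassification/5.7/ndc/configuration/configuration.md`, where the removed same-directory link `configuration.md` was version-independent. If this tree is copied to start the next version's documentation, every such link will keep pointing at the 5.7 pages without any build error. Either keep same-directory links relative or document how versioned copies are expected to be re-pointed.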
@@ -31,7 +31,7 @@ identified. In this case the example has a .rpt file being treated as a text file, as such the file will be copied to a temporary location as a .txt file and processed as if it were any other text file. -![configcontenttypeextensionmappings](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configcontenttypeextensionmappings.webp) +![configcontenttypeextensionmappings](/img/product_docs/dataclassification/ndc/configuration/configcontenttypeextensionmappings.webp) [](#)Content Type Extraction Methods @@ -48,13 +48,13 @@ If you have updated the extraction method we recommend re-processing any documen been processed to ensure consistency. Selecting Re-index from the grid for the affected content type will re-process the necessary records. -![configcontenttypeextractionmethods_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configcontenttypeextractionmethods_thumb_0_0.webp) +![configcontenttypeextractionmethods_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configcontenttypeextractionmethods_thumb_0_0.webp) [](#)Language Detection The language detection list specifies which languages will be considered for auto-detection. -![configlanguages_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configlanguages_thumb_0_0.webp) +![configlanguages_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configlanguages_thumb_0_0.webp) If a language is excluded then it cannot be used to identify the language of a document and it will be removed from the language options in Taxonomy Manager. 
@@ -69,21 +69,21 @@ The No Stem list offers the ability to disable language stemming for a particula this supports the ability to always apply a phrasematch when a particular term is used as either a clue – or a search term. -![confignostem_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/confignostem_thumb_0_0.webp) +![confignostem_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/confignostem_thumb_0_0.webp) [](#)OCR Language Mapping The OCR language mapping configuration screen can be used if you wish to OCR non-English images via Tesseract. File paths (including parts of paths) can be mapped to specific Tesseract language packs. -![configocrlanguagemapping](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configocrlanguagemapping.webp) +![configocrlanguagemapping](/img/product_docs/dataclassification/ndc/configuration/configocrlanguagemapping.webp) [](#)Synonyms Often it is important to submit a query and have synonyms automatically included. A generic set of synonyms may be configured by using the Synonyms form. -![configsynonyms](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configsynonyms.webp) +![configsynonyms](/img/product_docs/dataclassification/ndc/configuration/configsynonyms.webp) [](#)Text Patterns @@ -95,7 +95,7 @@ to an entry in a standard page navigation area. The Text Patterns feature is provided to assist with the cleanup of HTML documents. TextPatterns can also be used to index terms that would normally be discarded. -![configtextpatterns_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/configuration/configtextpatterns_thumb_0_0.webp) +![configtextpatterns_thumb_0_0](/img/product_docs/dataclassification/ndc/configuration/configtextpatterns_thumb_0_0.webp) The StartTag and EndTag values are case sensitive strings used to identify the content to be managed, the content is then managed based on the filter type. 
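Review bot: every image in `texthandling.md` now resolves from the site root (`/img/product_docs/...`) instead of from the repository's `static/` directory, so the screenshots no longer render in a repository or editor preview and a mistyped path only shows up on the built site. Confirm that the documentation build fails on a missing image or broken link, and say in the commit message that the bulk rewrite was checked that way.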
diff --git a/docs/dataclassification/5.7/ndc/install/deployment/checklist.md b/docs/dataclassification/5.7/ndc/install/deployment/checklist.md index c1992d7814..3e160b7bcd 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/checklist.md +++ b/docs/dataclassification/5.7/ndc/install/deployment/checklist.md 
@@ -6,20 +6,20 @@ post-installation tasks. Review these steps to plan and deploy Netwrix Data Clas | | | | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | | Prepare evaluation server and test data | | | -| 1 | Prepare your test data set and ensure it is accessible over the network from the Netwrix evaluation server using your test account. | - [Supported Data Sources](../../requirements/supportedsources.md) | -| 2 | Make sure your evaluation server is suitable for running all the Netwrix Data Classification components including a standalone SQL Server instance for. | - [Hardware Requirements](../../requirements/hardwarerequirements.md) | -| 3 | Make sure your evaluation account meets security requirements. | - [Accounts and Required Permissions](../../requirements/accountreqs.md) | -| 4 | Deploy prerequisite Windows features and additional software. | - [Software Requirements](../../requirements/softwarerequirements.md) | +| 1 | Prepare your test data set and ensure it is accessible over the network from the Netwrix evaluation server using your test account. | - [Supported Data Sources](/docs/dataclassification/5.7/ndc/requirements/supportedsources.md) | +| 2 | Make sure your evaluation server is suitable for running all the Netwrix Data Classification components including a standalone SQL Server instance for. | - [Hardware Requirements](/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md) | +| 3 | Make sure your evaluation account meets security requirements. | - [Accounts and Required Permissions](/docs/dataclassification/5.7/ndc/requirements/accountreqs.md) | +| 4 | Deploy prerequisite Windows features and additional software. 
| - [Software Requirements](/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md) | | Deploy Netwrix Data Classification | | | -| 5 | Prepare IT infrastructure. | - [Configure IT Infrastructure](../../configuration/configinfrastructure/introduction.md) | -| 6 | Install Netwrix Data Classification. | - [Install Netwrix Data Classification](../overview.md) | +| 5 | Prepare IT infrastructure. | - [Configure IT Infrastructure](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/introduction.md) | +| 6 | Install Netwrix Data Classification. | - [Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/install/overview.md) | | Configure Netwrix Data Classification | | | -| 7 | Provide a name for new instance | - [Initial Product Configuration](../initialconfiguration/overview.md) | -| 8 | Select processing (indexing) mode. | - [Select Processing Mode](../initialconfiguration/modes.md) | -| 9 | Configure global processing settings. | - [Processing Settings](../initialconfiguration/processingsettings.md) | -| 9 | Add built-in taxonomies. | - [Add a Taxonomy](../../admin/taxonomies/add.md) | -| 10 | Review your configuration. | - [Review Your Configuration](../initialconfiguration/reviewconfig.md) | -| 11 | Configure NDC SQL database. | - [Configure NDC SQL database](../../requirements/ndcsqldatabase.md) | -| 12 | Add a source. | - [Add a Content Source](../../admin/sources/addsource.md) | +| 7 | Provide a name for new instance | - [Initial Product Configuration](/docs/dataclassification/5.7/ndc/install/initialconfiguration/overview.md) | +| 8 | Select processing (indexing) mode. | - [Select Processing Mode](/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md) | +| 9 | Configure global processing settings. | - [Processing Settings](/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md) | +| 9 | Add built-in taxonomies. 
| - [Add a Taxonomy](/docs/dataclassification/5.7/ndc/admin/taxonomies/add.md) | +| 10 | Review your configuration. | - [Review Your Configuration](/docs/dataclassification/5.7/ndc/install/initialconfiguration/reviewconfig.md) | +| 11 | Configure NDC SQL database. | - [Configure NDC SQL database](/docs/dataclassification/5.7/ndc/requirements/ndcsqldatabase.md) | +| 12 | Add a source. | - [Add a Content Source](/docs/dataclassification/5.7/ndc/admin/sources/addsource.md) | | Review classification results | | | -| 13 | Start by reviewing the Document Tagging report and browsing classification results. | - [Review Reports and Browse Classified Documents](../../admin/reporting/review.md) | +| 13 | Start by reviewing the Document Tagging report and browsing classification results. | - [Review Reports and Browse Classified Documents](/docs/dataclassification/5.7/ndc/admin/reporting/review.md) | diff --git a/docs/dataclassification/5.7/ndc/install/deployment/clouddeployment.md b/docs/dataclassification/5.7/ndc/install/deployment/clouddeployment.md index efe97cd4bd..3065019005 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/clouddeployment.md +++ b/docs/dataclassification/5.7/ndc/install/deployment/clouddeployment.md @@ -52,5 +52,5 @@ environments can be ranged as follows: Again, consider that for the large-size and extra-large environments, it is strongly recommended to configure a cluster of several NDC Servers and apply DQS mode to these clustered servers. See -[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](../../requirements/dqsmode.md) +[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](/docs/dataclassification/5.7/ndc/requirements/dqsmode.md) for details. diff --git a/docs/dataclassification/5.7/ndc/install/deployment/introduction.md b/docs/dataclassification/5.7/ndc/install/deployment/introduction.md index a968b1a888..40729bc6c7 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/introduction.md 
+++ b/docs/dataclassification/5.7/ndc/install/deployment/introduction.md @@ -4,9 +4,9 @@ This section lists all information to flawlessly install Netwrix Data Classifica Review the following for additional information: -- [Supported Data Sources](../../requirements/supportedsources.md) -- [Deployment Checklist](checklist.md) -- [Requirements to Install Netwrix Data Classification](../../requirements/overview.md) -- [Accounts and Required Permissions](../../requirements/accountreqs.md) -- [Install Netwrix Data Classification](../overview.md) -- [Licensing](../../configuration/licensing.md) +- [Supported Data Sources](/docs/dataclassification/5.7/ndc/requirements/supportedsources.md) +- [Deployment Checklist](/docs/dataclassification/5.7/ndc/install/deployment/checklist.md) +- [Requirements to Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/requirements/overview.md) +- [Accounts and Required Permissions](/docs/dataclassification/5.7/ndc/requirements/accountreqs.md) +- [Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/install/overview.md) +- [Licensing](/docs/dataclassification/5.7/ndc/configuration/licensing.md) diff --git a/docs/dataclassification/5.7/ndc/install/deployment/ndcserverandclient.md b/docs/dataclassification/5.7/ndc/install/deployment/ndcserverandclient.md index 4327c2405d..308b495c38 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/ndcserverandclient.md +++ b/docs/dataclassification/5.7/ndc/install/deployment/ndcserverandclient.md 
@@ -5,22 +5,22 @@ in the virtualized environment on VMware or Microsoft Hyper-V platform. When planning for NDC Server, consider a significant CPU load during data processing. Thus, installing NDC Server on a highly-loaded production machine is not recommended. For more -information, refer to [Hardware Requirements](../../requirements/hardwarerequirements.md). +information, refer to [Hardware Requirements](/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md). **Web-based client** (management console) is always installed together with the NDC Server, so the IIS server role must be enabled on the target machine. For more information, refer to -[Software Requirements](../../requirements/softwarerequirements.md). +[Software Requirements](/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md). **NOTE:** For evaluation and PoC purposes, Netwrix provides a _virtual appliance_ — a virtual machine image with pre-installed Netwrix Data Classification on Generalized Windows Server 2016 (180-day evaluation version) and Microsoft SQL Server 2017 Express. For details, see -[Requirements to Deploy Virtual Appliance](../../virtualappliance/systemrequirements.md). +[Requirements to Deploy Virtual Appliance](/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md). Remember that for production environments, your NDC Server and database server must meet the -[Requirements to Install Netwrix Data Classification](../../requirements/overview.md). Virtual +[Requirements to Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/requirements/overview.md). Virtual appliance configuration is insufficient for production and is not recommended for that purpose. To balance the load while indexing and classifying data in the large-size and extra-large environments (i.e. with over ≥ 16 mln objects to process), it is strongly recommended to deploy several NDC Servers and configure **Distributed Query Server** mode for them. 
-[See Configuring NDC Servers Cluster and Load Balancing with DQS Mode for more information.](../../requirements/dqsmode.md) +[See Configuring NDC Servers Cluster and Load Balancing with DQS Mode for more information.](/docs/dataclassification/5.7/ndc/requirements/dqsmode.md) diff --git a/docs/dataclassification/5.7/ndc/install/deployment/overview.md b/docs/dataclassification/5.7/ndc/install/deployment/overview.md index 8e0482cd5e..d4d671c23c 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/overview.md +++ b/docs/dataclassification/5.7/ndc/install/deployment/overview.md @@ -6,6 +6,6 @@ options depending on the IT infrastructure and data sources you are going to pro In this section: -- [NDC Server](ndcserverandclient.md) -- [Scalability and Performance](scalabilityandperformance.md) -- [Data Storages and Sizing](clouddeployment.md) +- [NDC Server](/docs/dataclassification/5.7/ndc/install/deployment/ndcserverandclient.md) +- [Scalability and Performance](/docs/dataclassification/5.7/ndc/install/deployment/scalabilityandperformance.md) +- [Data Storages and Sizing](/docs/dataclassification/5.7/ndc/install/deployment/clouddeployment.md) diff --git a/docs/dataclassification/5.7/ndc/install/deployment/scalabilityandperformance.md b/docs/dataclassification/5.7/ndc/install/deployment/scalabilityandperformance.md index fc2031afe3..0b9f7ed612 100644 --- a/docs/dataclassification/5.7/ndc/install/deployment/scalabilityandperformance.md +++ b/docs/dataclassification/5.7/ndc/install/deployment/scalabilityandperformance.md 
@@ -12,5 +12,5 @@ environments can be ranged as follows: **IMPORTANT!** For the large-size and extra-large environments, it is strongly recommended to configure a cluster of several NDC Servers and apply DQS mode to these clustered servers. See -[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](../../requirements/dqsmode.md) +[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](/docs/dataclassification/5.7/ndc/requirements/dqsmode.md) for details. diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/healthalert.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/healthalert.md index 1409aeb3aa..a01c1097dd 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/healthalert.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/healthalert.md 
@@ -3,13 +3,13 @@ On this step, you will be prompted to email settings for health reporting and select immediate health alerts. -![initial_config_health](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config_health.webp) +![initial_config_health](/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config_health.webp) Complete the following fields: | Setting | Description | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Would you like to configure Health Reporting? | Select Setup now if you want to receive health alerts. You can do it later in the communication settings area. [See System Health for more information.](../../admin/reporting/dashboards.md) | +| Would you like to configure Health Reporting? | Select Setup now if you want to receive health alerts. You can do it later in the communication settings area. [See System Health for more information.](/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md) | | Who should the email be sent from? | Select a user registered in Netwrix Data Classificationadministrative web console in the field or go to the Specific recipients below and specify one or more email addresses outside your organization. | -| What sort of immediate alerts should be sent? | Select the appropriate alerting level: do not receive any alerts at all, receive errors only, or get both: emails for errors and warnings. [See System Health for more information.](../../admin/reporting/dashboards.md) | +| What sort of immediate alerts should be sent? | Select the appropriate alerting level: do not receive any alerts at all, receive errors only, or get both: emails for errors and warnings. 
[See System Health for more information.](/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md) | | Should a daily health summary be sent? | Select whether you want to receive daily summary on the product health. | diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md index 422e6ecf4d..d109e13031 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md @@ -2,7 +2,7 @@ At this step of the wizard, select processing (indexing) mode for your environment. -![processing_modes](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_modes.webp) +![processing_modes](/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_modes.webp) For starter and evaluation purposes, select Keyword mode. @@ -29,4 +29,4 @@ that data storage will require more space, and overall throughput may decrease ( Keyword mode). Recommended for knowledge management, data storage optimization, legal search, other content services. -Proceed with configuring processing settings. See [Processing Settings](processingsettings.md) next. +Proceed with configuring processing settings. See [Processing Settings](/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md) next. diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/overview.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/overview.md index 4ad911a4da..89dd1cf76d 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/overview.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/overview.md 
@@ -10,13 +10,13 @@ initial configuration steps. On the Instance step, provide the unique name for your Netwrix Data Classification instance. For example, _"Production"_. -![initial_config](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config.webp) +![initial_config](/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config.webp) Click Next to proceed. See also: -- [Select Processing Mode](modes.md) -- [Processing Settings](processingsettings.md) -- [Add Taxonomy](taxonomies.md) -- [Security](security.md) -- [Configure Health Alerting](healthalert.md) -- [Review Your Configuration](reviewconfig.md) +- [Select Processing Mode](/docs/dataclassification/5.7/ndc/install/initialconfiguration/modes.md) +- [Processing Settings](/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md) +- [Add Taxonomy](/docs/dataclassification/5.7/ndc/install/initialconfiguration/taxonomies.md) +- [Security](/docs/dataclassification/5.7/ndc/install/initialconfiguration/security.md) +- [Configure Health Alerting](/docs/dataclassification/5.7/ndc/install/initialconfiguration/healthalert.md) +- [Review Your Configuration](/docs/dataclassification/5.7/ndc/install/initialconfiguration/reviewconfig.md) diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md index 7e2e810418..18d2395776 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/processingsettings.md 
@@ -2,7 +2,7 @@ On the Processing Settings step, select options for data processing and classification. -![processing_settings](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_settings.webp) +![processing_settings](/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_settings.webp) Review the following for additional information: 
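Review bot: The new image target on the `![processing_settings]` line, `/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_settings.webp`, drops the `static/` segment. It therefore resolves only where the site build serves `static/` from the web root, whereas the removed `../../../../../../static/img/...` form pointed at the file's location in the repository tree. Please confirm that the build's broken-link check covers image references, and that losing image rendering when the Markdown is viewed straight from the repository is acceptable.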
@@ -13,7 +13,7 @@ Review the following for additional information: | Should images embedded in documents be processed? | Enable this option to recognize documents with integrated images. | | Should the collection process optimise text storage by re-using text offsets? | Enable this option to use text offsets. | | Classification Configuration | | -| Should default clues be automatically created? | Enable if you want a clue to be created automatically when a registering taxonomy from SharePoint or term creation. The created clue is standard and matches the term name or a metadata clue depending on the configuration specified at the taxonomy level settings. [See Classification Rules (Clues) for more information.](../../admin/taxonomies/clues.md) | +| Should default clues be automatically created? | Enable if you want a clue to be created automatically when a registering taxonomy from SharePoint or term creation. The created clue is standard and matches the term name or a metadata clue depending on the configuration specified at the taxonomy level settings. [See Classification Rules (Clues) for more information.](/docs/dataclassification/5.7/ndc/admin/taxonomies/clues.md) | | Should boosted phrasematch scoring be enabled? | Enable to boost the score of any phrasematch clues if the phrase appears multiple times in the document. | | Should boosted regex scoring be enabled? | Enable to boost the score of any regex clues if the regular expression appears multiple times in the document. | | How should regular expressions be processed? | Enables and disables case sensitivity when processing regular expressions. | diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/security.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/security.md index 0509444f95..b30922177c 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/security.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/security.md 
@@ -2,7 +2,7 @@ On this step, you are prompted to restrict access to administrative web console by adding users. -![initial_config_users](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config_users.webp) +![initial_config_users](/img/product_docs/dataclassification/ndc/install/initialconfiguration/initial_config_users.webp) - Enable user management – select to add super users and prevent unauthorized access to administrative web console. By default, any authenticated users have access to the console. diff --git a/docs/dataclassification/5.7/ndc/install/initialconfiguration/taxonomies.md b/docs/dataclassification/5.7/ndc/install/initialconfiguration/taxonomies.md index 5a05e2db26..bd6633741b 100644 --- a/docs/dataclassification/5.7/ndc/install/initialconfiguration/taxonomies.md +++ b/docs/dataclassification/5.7/ndc/install/initialconfiguration/taxonomies.md @@ -2,8 +2,8 @@ On this step, you are prompted to load predefined taxonomies. -![processing_settings_taxonomies](../../../../../../static/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_settings_taxonomies.webp) +![processing_settings_taxonomies](/img/product_docs/dataclassification/ndc/install/initialconfiguration/processing_settings_taxonomies.webp) Click the search bar and select one or several taxonomies you want to add. See -[Built-in Taxonomies Overview ](../../admin/taxonomies/builtintaxonomies.md) for the full list of +[Built-in Taxonomies Overview ](/docs/dataclassification/5.7/ndc/admin/taxonomies/builtintaxonomies.md) for the full list of built-in taxonomies supported by Netwrix Data Classification. diff --git a/docs/dataclassification/5.7/ndc/install/overview.md b/docs/dataclassification/5.7/ndc/install/overview.md index 461c769553..5c633c767f 100644 --- a/docs/dataclassification/5.7/ndc/install/overview.md +++ b/docs/dataclassification/5.7/ndc/install/overview.md 
@@ -21,7 +21,7 @@ **NOTE:** The database is created automatically in basic configuration mode. For recommended configuration (required for crawling optimization in large and extra-large environments), refer - to [Configure NDC SQL database](../requirements/ndcsqldatabase.md) section. + to [Configure NDC SQL database](/docs/dataclassification/5.7/ndc/requirements/ndcsqldatabase.md) section. 7. On the Licensing step, add license. You can add license as follows: diff --git a/docs/dataclassification/5.7/ndc/releasenotes/whatsnew.md b/docs/dataclassification/5.7/ndc/releasenotes/whatsnew.md index a8d59d2c08..01505b68cd 100644 --- a/docs/dataclassification/5.7/ndc/releasenotes/whatsnew.md +++ b/docs/dataclassification/5.7/ndc/releasenotes/whatsnew.md @@ -16,7 +16,7 @@ New: Ability to crawl all tables in all databases on SQL server with a single co New: Automatically locate sensitive data across your SQL databases so you can implement the appropriate security controls around it. See the -[SQL Server ](../admin/sources/sqlserver/addsqlserversource.md) topic for additional information. +[SQL Server ](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md) topic for additional information. ## Other Improvements 
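Review bot: The rewritten link in this whatsnew.md hunk keeps the trailing space inside its label, `[SQL Server ](/docs/dataclassification/5.7/ndc/admin/sources/sqlserver/addsqlserversource.md)`. Since the line is being rewritten anyway, trim the label to `[SQL Server]` so the link text does not render with a dangling space before "topic".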
@@ -24,26 +24,26 @@ Improved: Wizard for ROT data removal Avoid the headache of manually setting up the workflow for the removal of outdated records with the new wizard. See the -[Step 3. Specify Conditions for Processing](../admin/workflows/step3specifyconditions.md) topic for +[Step 3. Specify Conditions for Processing](/docs/dataclassification/5.7/ndc/admin/workflows/step3specifyconditions.md) topic for additional information. Improved: Improved Regex proximity Further reduce the chance of false positives with improved Regex proximity so you can focus your security efforts on truly sensitive data. See the -[Types of Clues](../admin/taxonomies/cluestypes.md) topic for additional information. +[Types of Clues](/docs/dataclassification/5.7/ndc/admin/taxonomies/cluestypes.md) topic for additional information. Improved: Improved data remediation Reduce the risk of exposure of sensitive OCR data (images or pdfs) that failed to be redacted by automatically moving it to a dedicated location. See the -[Migrate Document](../admin/workflows/actions/migratedocument.md) topic for additional information. +[Migrate Document](/docs/dataclassification/5.7/ndc/admin/workflows/actions/migratedocument.md) topic for additional information. Improved: Ability to scan metadata Speed classification of large amounts of data by first scanning the metadata associated with the files so you can take action on it. See the -[Enable Write Classifications](../admin/taxonomies/enablewriteclassifications.md) topic for +[Enable Write Classifications](/docs/dataclassification/5.7/ndc/admin/taxonomies/enablewriteclassifications.md) topic for additional information. ## Bug Fix List diff --git a/docs/dataclassification/5.7/ndc/requirements/accountreqs.md b/docs/dataclassification/5.7/ndc/requirements/accountreqs.md index 49e16a3371..d423643297 100644 --- a/docs/dataclassification/5.7/ndc/requirements/accountreqs.md +++ b/docs/dataclassification/5.7/ndc/requirements/accountreqs.md 
@@ -5,5 +5,5 @@ Netwrix Data Classification uses the following accounts: | Account | Description | | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Service Account** | This account is specified during the product setup. Windows domain account that you plan to use as a service account will need the following: - Local Administrator rights on the server where Netwrix Data Classification will be installed. - Permissions to run the Windows Services and IIS Application pool. - SQL Server DBO permissions to the NDC SQL database (if using Windows Authentication to access SQL Server). After installation, this account will be automatically granted the **Logon as a service privilege** on the Netwrix Data Classification server. 
| -| Crawl content | Ensure the availability of accounts with sufficient permissions to access your content sources: - SharePoint, SharePoint Online site collection— Site Collection Administrator role. - Exchange mailboxes: 1. **ApplicationImpersonation** —allows the crawling account to impersonate each of the mailboxes / users configured for collection. 2. **Mailbox Search** —allows the crawling account to enumerate mailboxes, i.e. automatic discovery of mailboxes. See [Configure Microsoft Exchange for Crawling and Classification](../configuration/configinfrastructure/exchange.md) for detailed information on configuring these permissions. - Outlook Mail Archive (PST file)— **Read** permission. - File System (SMB, NFS) — **Read** permission for the folders and files you need to crawl. - G Suite and Google Drive —service account needs permissions to read data in the individual and shared Drives on behalf of users using the Google Drive API. See [Configure G Suite and Google Drive for Crawling](../configuration/configinfrastructure/gdrive.md) for detailed information. - Database— **Read** permission for the database schema and data. | +| Crawl content | Ensure the availability of accounts with sufficient permissions to access your content sources: - SharePoint, SharePoint Online site collection— Site Collection Administrator role. - Exchange mailboxes: 1. **ApplicationImpersonation** —allows the crawling account to impersonate each of the mailboxes / users configured for collection. 2. **Mailbox Search** —allows the crawling account to enumerate mailboxes, i.e. automatic discovery of mailboxes. See [Configure Microsoft Exchange for Crawling and Classification](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/exchange.md) for detailed information on configuring these permissions. - Outlook Mail Archive (PST file)— **Read** permission. - File System (SMB, NFS) — **Read** permission for the folders and files you need to crawl. 
- G Suite and Google Drive —service account needs permissions to read data in the individual and shared Drives on behalf of users using the Google Drive API. See [Configure G Suite and Google Drive for Crawling](/docs/dataclassification/5.7/ndc/configuration/configinfrastructure/gdrive.md) for detailed information. - Database— **Read** permission for the database schema and data. | | Apply tagging | To use tagging, i.e. to write classification attributes back to the content file, crawling account will need the appropriate **Modify** permissions on the content source. | diff --git a/docs/dataclassification/5.7/ndc/requirements/dqsmode.md b/docs/dataclassification/5.7/ndc/requirements/dqsmode.md index 349e0e9f7a..e08b066f08 100644 --- a/docs/dataclassification/5.7/ndc/requirements/dqsmode.md +++ b/docs/dataclassification/5.7/ndc/requirements/dqsmode.md @@ -35,7 +35,7 @@ To be able to configure the DQS mode, current account requires a **Superuser** r To arrange NDC Servers cluster and apply DQS mode 1. Install and configure the first Netwrix Data Classification Server as described in the - [Install Netwrix Data Classification](../install/overview.md) section. + [Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/install/overview.md) section. 2. Open administrative web console. 3. Navigate to Settings → Utilities → DQS. 4. Select Enable DQS. @@ -46,7 +46,7 @@ To arrange NDC Servers cluster and apply DQS mode 5. On the DQS tab, click Add to add servers you prepared, one by one. - ![dqs_mode_page_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/requirements/dqs_mode_page_thumb_0_0.webp) + ![dqs_mode_page_thumb_0_0](/img/product_docs/dataclassification/ndc/requirements/dqs_mode_page_thumb_0_0.webp) Complete the following fields: 
@@ -61,10 +61,10 @@ To arrange NDC Servers cluster and apply DQS mode 6. Click **Save** to close the dialog. 7. Prepare to install other Netwrix Data Classification Server instances, assuming each server requires a dedicated machine. Make sure they meet the - [Hardware Requirements](hardwarerequirements.md) and general - [Software Requirements](softwarerequirements.md) + [Hardware Requirements](/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md) and general + [Software Requirements](/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md) 8. On each server, follow the installation steps as described in the - [Install Netwrix Data Classification](../install/overview.md) section until SQL Database + [Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/install/overview.md) section until SQL Database configuration. 9. On the SQL Database step, provide the name of the SQL Server instance that hosts NDC SQL database you configured for the first NDC Server. @@ -75,7 +75,7 @@ To arrange NDC Servers cluster and apply DQS mode 11. Repeat steps 2 - 6 for every NDC Server, then review the list of servers to make sure the new server was included. -![dqs_servers_list_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/requirements/dqs_servers_list_thumb_0_0.webp) +![dqs_servers_list_thumb_0_0](/img/product_docs/dataclassification/ndc/requirements/dqs_servers_list_thumb_0_0.webp) 12. If you were configuring the DQS mode for the existing NDC deployment, you will be prompted to re-collect data from the data sources —in order to re-distribute the content index across all 
@@ -85,4 +85,4 @@ To arrange NDC Servers cluster and apply DQS mode after clicking **Run Cleaner** button on the **Settings > Core > Collector** tab. To review system health and check your configuration, use the product dashboards. -[See Operations and Health Dashboards for more information.](../admin/reporting/dashboards.md) +[See Operations and Health Dashboards for more information.](/docs/dataclassification/5.7/ndc/admin/reporting/dashboards.md) diff --git a/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md b/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md index 44a599ffd6..c415cf84d9 100644 --- a/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md +++ b/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md @@ -11,7 +11,7 @@ on the corresponding virtualization platform, in particular: - Nutanix AHV Note that Netwrix Data Classification supports only Windows OS versions listed in the -[Software Requirements](softwarerequirements.md) section. +[Software Requirements](/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md) section. ## Netwrix Data Classification Server @@ -20,8 +20,8 @@ The requirements in this section apply to a single Netwrix Data Classification s To deploy a server cluster, make sure all planned cluster nodes meet the requirements listed below. Consider deploying 1 Netwrix Data Classification Server per approx. 16, 000, 000 objects to process. -See [Deployment Planning](../install/deployment/overview.md) and -[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](dqsmode.md) for more information. +See [Deployment Planning](/docs/dataclassification/5.7/ndc/install/deployment/overview.md) and +[Configuring NDC Servers Cluster and Load Balancing with DQS Mode](/docs/dataclassification/5.7/ndc/requirements/dqsmode.md) for more information. | Hardware Component | 1 Server per 16 M objects | | ------------------ | ------------------------------ | 
@@ -39,7 +39,7 @@ will be deployed. | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | -------------------------------------------------------- | | Processor | 8 cores | 8 cores | 8 cores | | RAM | 32 GB | 64 GB | 128 GB | -| Hard disk | Estimate required disk space assuming _10 - 12 KB_ per indexed object. For example, for _5, 000, 000_ objects, the database size will be approximately _50 GB_. See also [Deployment Planning](../install/deployment/overview.md). | | | +| Hard disk | Estimate required disk space assuming _10 - 12 KB_ per indexed object. For example, for _5, 000, 000_ objects, the database size will be approximately _50 GB_. See also [Deployment Planning](/docs/dataclassification/5.7/ndc/install/deployment/overview.md). | | | | Hard disk type | SSD storage (recommended) | | | ## Network Access diff --git a/docs/dataclassification/5.7/ndc/requirements/overview.md b/docs/dataclassification/5.7/ndc/requirements/overview.md index d358baa6de..a82146ecfb 100644 --- a/docs/dataclassification/5.7/ndc/requirements/overview.md +++ b/docs/dataclassification/5.7/ndc/requirements/overview.md @@ -3,6 +3,6 @@ This section contains the hardware and software requirements and other prerequisites needed to deploy Netwrix Data Classification. -- [Hardware Requirements](hardwarerequirements.md) -- [Software Requirements](softwarerequirements.md) -- [Accounts and Required Permissions](accountreqs.md) +- [Hardware Requirements](/docs/dataclassification/5.7/ndc/requirements/hardwarerequirements.md) +- [Software Requirements](/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md) +- [Accounts and Required Permissions](/docs/dataclassification/5.7/ndc/requirements/accountreqs.md) 
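Review bot: All three list links in this requirements/overview.md hunk pointed at sibling files (`hardwarerequirements.md`, `softwarerequirements.md`, `accountreqs.md`) and now hard-code `/docs/dataclassification/5.7/ndc/requirements/`, which puts the version segment `5.7` into links that were version-independent before. If this directory is copied for a later release, the links will keep resolving to the 5.7 pages rather than breaking, so a link checker will not flag them. Consider leaving same-directory links relative, or documenting that the version segment must be rewritten whenever a new version folder is created.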
diff --git a/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md b/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md index c8735d24fc..1265a3af72 100644 --- a/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md +++ b/docs/dataclassification/5.7/ndc/requirements/softwarerequirements.md 
@@ -6,7 +6,7 @@ The table below lists the software requirements for Netwrix Data Classification | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | -------- | --- | --- | ----------------------- | -------------------------------- | --- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --- | --- | --- | --- | --- | --- | --- | --------------------- | --- | --- | -------------------- | -------------------------------------------------------------------- | --- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | ----------------------- | ---------------------------------- | --- | | Operating system | Windows 2012 R2 and above Server Operating System Software. | | Windows Features | | | | | --- | --- | | Features | | | .NET Framework Features | - .NET Framework 4.7.2 - ASP.NET | | WCF Services | - HTTP Activation - Named Pipe Activation **NOTE:** To activate these features, select them under **.Net Framework Advanced Services** - **WCF Services** from **Windows Features**. | | | | | --- | --- | | Web Server Role (IIS) | | | Common HTTP Features | - Default Document - HTTP Errors - Static Content - HTTP Redirection | | Security | - Windows Authentication - Anonymous Authentication **NOTE:** The Anonymous Authentication element is included in the default installation of IIS 7. Make sure you use IIS 7 and above. 
| | Application Development | - ISAPI Extensions - ISAPI Filters | | -| SQL Server | - [SQL Server 2008 R2 Standard Edition](https://www.microsoft.com/en-us/download/details.aspx?id=26113) (or later). - SQL Server 2016 SP2 recommended (for better performance). **NOTE:** For large environments, SQL Server Enterprise edition may be needed; see needed. See [Deployment Planning](../install/deployment/overview.md). | +| SQL Server | - [SQL Server 2008 R2 Standard Edition](https://www.microsoft.com/en-us/download/details.aspx?id=26113) (or later). - SQL Server 2016 SP2 recommended (for better performance). **NOTE:** For large environments, SQL Server Enterprise edition may be needed; see needed. See [Deployment Planning](/docs/dataclassification/5.7/ndc/install/deployment/overview.md). | | Visual Studio | - [Visual C++ Redistributable Packages for Visual Studio 2015](https://www.microsoft.com/en-us/download/details.aspx?id=48145) and above. | | Other software | | | --- | --- | diff --git a/docs/dataclassification/5.7/ndc/requirements/upgrade.md b/docs/dataclassification/5.7/ndc/requirements/upgrade.md index 7ca7f6b850..2e5217928d 100644 --- a/docs/dataclassification/5.7/ndc/requirements/upgrade.md +++ b/docs/dataclassification/5.7/ndc/requirements/upgrade.md @@ -51,6 +51,6 @@ Settings**.Settings. **Step 2 –** Click **Update** in the right corner next to each taxonomy. -![update_taxonomy](../../../../../static/img/product_docs/dataclassification/ndc/requirements/update_taxonomy.webp) +![update_taxonomy](/img/product_docs/dataclassification/ndc/requirements/update_taxonomy.webp) The upgrade is now complete. diff --git a/docs/dataclassification/5.7/ndc/security/passwordmanager.md b/docs/dataclassification/5.7/ndc/security/passwordmanager.md index 3cbbcf06c5..668a51cdf2 100644 --- a/docs/dataclassification/5.7/ndc/security/passwordmanager.md +++ b/docs/dataclassification/5.7/ndc/security/passwordmanager.md 
@@ -4,7 +4,7 @@ Password manager can be used to automatically schedule password changes, for ser are being used to access external systems. This is particularly useful when there are business policies in place to change passwords on a rolling basis. -![passwordmanager_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/passwordmanager_thumb_0_0.webp) +![passwordmanager_thumb_0_0](/img/product_docs/dataclassification/ndc/security/passwordmanager_thumb_0_0.webp) To amend the passwords for a username record first select Passwords from the main display. Then either click Edit on a particular password row, or, click Add Password to add a new password for the diff --git a/docs/dataclassification/5.7/ndc/security/usermanagement.md b/docs/dataclassification/5.7/ndc/security/usermanagement.md index 0f3276024a..89b7542793 100644 --- a/docs/dataclassification/5.7/ndc/security/usermanagement.md +++ b/docs/dataclassification/5.7/ndc/security/usermanagement.md @@ -26,7 +26,7 @@ The conceptQS web application should have these authentication methods enabled: All other authentication methods should be disabled. -![iis_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/iis_thumb_0_0.webp) +![iis_thumb_0_0](/img/product_docs/dataclassification/ndc/security/iis_thumb_0_0.webp) **Step 3 –** If you wish to allow anonymous access to the conceptQS, edit the conceptQS web.config file and delete (or comment out) three lines: 
@@ -73,7 +73,7 @@ Classification via Microsoft Entra ID authentication: More users can be added at any time from the default Users screen, as well as allowing for users to be removed. -![adduser](../../../../../static/img/product_docs/dataclassification/ndc/security/adduser.webp) +![adduser](/img/product_docs/dataclassification/ndc/security/adduser.webp) Additional Windows users can be validated using Integrated Windows Authentication. Additional non-Windows users can only be added if the Non-Windows Authentication mode is enabled. 
@@ -102,26 +102,26 @@ When an area is enabled there are typically more granular permissions that can b - Within the Sources area it is possible to restrict a user’s access to specific source groups, as shown below. -![userpermissions_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/userpermissions_thumb_0_0.webp) +![userpermissions_thumb_0_0](/img/product_docs/dataclassification/ndc/security/userpermissions_thumb_0_0.webp) ### Taxonomy Permissions Summary The Permissions window lets you restruct permissions for a user. -![viewtaxonomypermissionssummary_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/viewtaxonomypermissionssummary_thumb_0_0.webp) +![viewtaxonomypermissionssummary_thumb_0_0](/img/product_docs/dataclassification/ndc/security/viewtaxonomypermissionssummary_thumb_0_0.webp) You can restrict permissions for a user to the following areas: -- Sources. See [Content Sources](../admin/sources/introduction.md) for additional information. -- Taxonomies. See [Taxonomies](../admin/taxonomies/introduction.md) for additional information. -- Workflows. See [Understanding Workflows](../admin/workflows/overview.md) for additional +- Sources. See [Content Sources](/docs/dataclassification/5.7/ndc/admin/sources/introduction.md) for additional information. +- Taxonomies. See [Taxonomies](/docs/dataclassification/5.7/ndc/admin/taxonomies/introduction.md) for additional information. +- Workflows. See [Understanding Workflows](/docs/dataclassification/5.7/ndc/admin/workflows/overview.md) for additional information. -- Configuration options. See [Configuration Options](../configuration/configuration.md) for +- Configuration options. See [Configuration Options](/docs/dataclassification/5.7/ndc/configuration/configuration.md) for additional information. -- Users. See [Users and Security Settings](users.md) for additional information. -- Reports. 
See [Reporting Capabilities](../admin/reporting/capabilities.md) for additional +- Users. See [Users and Security Settings](/docs/dataclassification/5.7/ndc/security/users.md) for additional information. +- Reports. See [Reporting Capabilities](/docs/dataclassification/5.7/ndc/admin/reporting/capabilities.md) for additional information. -- DSARs. See [Data Subject Access Requests ](../admin/dsar/overview.md) for additional information. +- DSARs. See [Data Subject Access Requests ](/docs/dataclassification/5.7/ndc/admin/dsar/overview.md) for additional information. ## Super Users diff --git a/docs/dataclassification/5.7/ndc/security/users.md b/docs/dataclassification/5.7/ndc/security/users.md index 5726fff325..50f6d1e50d 100644 --- a/docs/dataclassification/5.7/ndc/security/users.md +++ b/docs/dataclassification/5.7/ndc/security/users.md @@ -9,11 +9,11 @@ You must add at least one user in order to restrict access to the administrative The following types of authentication mechanisms are supported: Windows, ADFS, Azure AD and Forms. -![users_main_page_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/users_main_page_thumb_0_0.webp) +![users_main_page_thumb_0_0](/img/product_docs/dataclassification/ndc/security/users_main_page_thumb_0_0.webp) Review the following for additional information: -- [Secure Netwrix Data Classification](securendc.md) -- [User Management](usermanagement.md) -- [Password Manager](passwordmanager.md) -- [Web Service Security](webservicesecurity.md) +- [Secure Netwrix Data Classification](/docs/dataclassification/5.7/ndc/security/securendc.md) +- [User Management](/docs/dataclassification/5.7/ndc/security/usermanagement.md) +- [Password Manager](/docs/dataclassification/5.7/ndc/security/passwordmanager.md) +- [Web Service Security](/docs/dataclassification/5.7/ndc/security/webservicesecurity.md) 
diff --git a/docs/dataclassification/5.7/ndc/security/webservicesecurity.md b/docs/dataclassification/5.7/ndc/security/webservicesecurity.md index 526b457a75..f1de529c46 100644 --- a/docs/dataclassification/5.7/ndc/security/webservicesecurity.md +++ b/docs/dataclassification/5.7/ndc/security/webservicesecurity.md @@ -17,4 +17,4 @@ There are three modes available: Each mode is assigned to a specific grouping of service methods, you can see which API functions are affected by clicking the “View Methods” link and edit the security mode by clicking the Edit link. -![webservicesecurity_thumb_0_0](../../../../../static/img/product_docs/dataclassification/ndc/security/webservicesecurity_thumb_0_0.webp) +![webservicesecurity_thumb_0_0](/img/product_docs/dataclassification/ndc/security/webservicesecurity_thumb_0_0.webp) diff --git a/docs/dataclassification/5.7/ndc/virtualappliance/overview.md b/docs/dataclassification/5.7/ndc/virtualappliance/overview.md index 0ca377894c..66760c9ef3 100644 --- a/docs/dataclassification/5.7/ndc/virtualappliance/overview.md +++ b/docs/dataclassification/5.7/ndc/virtualappliance/overview.md @@ -24,6 +24,6 @@ for more information. Review the following for additional information: -- [Requirements to Deploy Virtual Appliance](systemrequirements.md) -- [Import Virtual Machine from Image to VMware](importvmfromimagetovmware.md) -- [Import Virtual Machine from Image to Hyper-V ](importvmfromimagetohyperv.md) +- [Requirements to Deploy Virtual Appliance](/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md) +- [Import Virtual Machine from Image to VMware](/docs/dataclassification/5.7/ndc/virtualappliance/importvmfromimagetovmware.md) +- [Import Virtual Machine from Image to Hyper-V ](/docs/dataclassification/5.7/ndc/virtualappliance/importvmfromimagetohyperv.md) 
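Review bot: In the virtualappliance/overview.md hunk the third rewritten link keeps a trailing space inside its link text, `[Import Virtual Machine from Image to Hyper-V ]`. Since the line is being touched anyway, trim it so the rendered link does not include the stray space.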
diff --git a/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md b/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md index 7172fb401a..eaf2eea19f 100644 --- a/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md +++ b/docs/dataclassification/5.7/ndc/virtualappliance/systemrequirements.md @@ -8,7 +8,7 @@ Refer to the following sections for detailed information: - Hardware Configuration **NOTE:** The requirements below are sufficient for evaluation purposes only. Refer to the -[Requirements to Install Netwrix Data Classification](../requirements/overview.md) topic for +[Requirements to Install Netwrix Data Classification](/docs/dataclassification/5.7/ndc/requirements/overview.md) topic for complete information on the requirements for installing Netwrix Data Classification in production environments. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/alerts/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/alerts/overview.md index 83ae3cd2c8..785dfd6477 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/alerts/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/alerts/overview.md 
@@ -10,14 +10,14 @@ these settings by sending a test E-mail. For each Administrator to appear in the list of recipients for the Alerts, this has to be provided under the Administrator details from the System Configuration, System Administrators section. -![ Endpoint Protector E-mail Server Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/emailserversettings.webp) +![ Endpoint Protector E-mail Server Settings](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/emailserversettings.webp) ## System Alerts From this section, you can create system alerts, including APNS certificate expiry, updates and support expiry, endpoint licenses used, etc. -![System Alerts Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalerts.webp) +![System Alerts Settings](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalerts.webp) ### Creating a System Alert 
@@ -61,21 +61,21 @@ options. **Step 4 –** Administrators - Select the Administrators that will receive the alerts. -![Creating a System Alert](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatsystemalert.webp) +![Creating a System Alert](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatsystemalert.webp) ### System Alerts History From this section, you can view a history of the System Alerts. Alerts that are no longer needed for auditing purposes can later be deleted. -![System Alerts History](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalertshistory.webp) +![System Alerts History](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalertshistory.webp) ## Device Control Alerts From this section, you can create Device Control alerts, for events such as Connected, File Read, File Write, Enforced Encryption – successfully deployed, etc. -![Device Control Alerts](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/dcalerts.webp) +![Device Control Alerts](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/dcalerts.webp) ### Creating a Device Control Alert 
@@ -89,21 +89,21 @@ click **Save**. - Monitored Entities – select the Groups, Computers, or Users that generate the event; - Administrators – select the Administrators that will receive the alerts. -![Creating a Device Control Alert](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingdcalert.webp) +![Creating a Device Control Alert](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingdcalert.webp) ### Device Control Alerts History From this section, you can view a history of the Device Control Alerts. Alerts that are no longer needed for auditing purposes can later be deleted. -![Device Control Alerts History](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/dcalertshistory.webp) +![Device Control Alerts History](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/dcalertshistory.webp) ## Content Aware Alerts From this section, you can create Content Aware alerts, for events such as Content Threat Detected or Content Threat Blocked. -![Content Aware Alerts](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/contentawarealerts.webp) +![Content Aware Alerts](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/contentawarealerts.webp) ### Creating a Content Aware Alert 
@@ -133,23 +133,23 @@ The alert sent on the email will also include a CSV file with a report of the t **NOTE:** Before creating the alert, ensure the selected Content Aware Policy is enabled on the chosen Computer, User, Group, or Department. -![Creating a Content Aware Alert](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingcontentawarealertinfo.webp) +![Creating a Content Aware Alert](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingcontentawarealertinfo.webp) -![Creating a Content Aware Alert](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingcontentawarealert.webp) +![Creating a Content Aware Alert](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/creatingcontentawarealert.webp) ### Content Aware Alerts History From this section, you can view a history of the Content Aware Alerts. Alerts that are no longer needed for auditing purposes can later be deleted. -![Content Aware Alerts History](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/contentawarealertshistory.webp) +![Content Aware Alerts History](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/contentawarealertshistory.webp) ## Enforced Encryption Alert From this section, you can create Enforced Encryption alerts, for events such as password changes, messages sent, etc. -![Enforced Encryption Alert](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/enforcedencryptionalert.webp) +![Enforced Encryption Alert](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/enforcedencryptionalert.webp) ### Creating an Enforced Encryption Alert 
@@ -174,11 +174,11 @@ Follow the steps to create an enforced encryption alert. **Step 2 –** Click **Save**. -![Creating an Enforced Encryption Alert ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/createeealert.webp) +![Creating an Enforced Encryption Alert ](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/createeealert.webp) ### Enforced Encryption Alert History From this section, you can view the history of the Enforced Encryption Alerts. Alerts that are no longer needed for auditing purposes can later be deleted. -![Enforced Encryption Alert History ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/eealerthistory.webp) +![Enforced Encryption Alert History ](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/eealerthistory.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/appliance/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/appliance/overview.md index 4d2a110f2d..48cb0be07d 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/appliance/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/appliance/overview.md @@ -5,7 +5,7 @@ From this section you can view general information about the Server, the System Fail/Over status, information on Disk Space usage and Database, and the Server Uptime. -![View general information about the Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/serverinformation.webp) +![View general information about the Server](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/serverinformation.webp) ## Server Maintenance 
@@ -13,7 +13,7 @@ In this section, you can set up a preferential time zone and NTP synchronization the IP and DNS, register the client certificate, set up a self-signing certificate, perform routine operations and manage the SSH access. -![ Set up a preferential time zone and NTP synchronization server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/servermaintenance.webp) +![ Set up a preferential time zone and NTP synchronization server](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/servermaintenance.webp) ### Time Zone @@ -33,7 +33,7 @@ In this section you can set a preferential time zone and/or sync the appliance t Alerts and Logs will be reported after the 5 minutes in a format of your choice - Click Refresh Current Time to update the Current server time field -![Set a preferential time zone and/or sync the appliance to an NTP source](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/timezone.webp) +![Set a preferential time zone and/or sync the appliance to an NTP source](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/timezone.webp) ### IP Configuration 
@@ -43,13 +43,13 @@ your network. **NOTE:** Once you change the IP address, close and open again the Internet browser and then access the Endpoint Protector Administration and Reporting Tool with the new IP address. -![ Change the network settings for the appliance to communicate correctly in your network](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/ipconfg.webp) +![ Change the network settings for the appliance to communicate correctly in your network](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/ipconfg.webp) ### DNS Configuration In this section you can modify or add a DNS server address and then Save your changes. -![Modify or add a DNS server address and then Save your changes](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/dnsconfg.webp) +![Modify or add a DNS server address and then Save your changes](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/dnsconfg.webp) ### Client Registration Certificate @@ -88,7 +88,7 @@ the endpoints. - On Windows they should be placed in the Certificate Manager's Local Computer\Certificates\Personal section -![Register and then verify the Endpoint Protector Client certificate signature](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/clientregcert.webp) +![Register and then verify the Endpoint Protector Client certificate signature](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/clientregcert.webp) ### Server Certificate Validation 
@@ -111,7 +111,7 @@ ensuring trusted and valid certificates are used. In this section you can perform appliance operations such as Reboot or Shutdown. -![Perform appliance operations such as Reboot or Shutdown](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/applianceoperations.webp) +![Perform appliance operations such as Reboot or Shutdown](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/applianceoperations.webp) ### SSH Server @@ -119,7 +119,7 @@ In this section you can manage user access to the Appliance through the SSH prot **_RECOMMENDED:_** Set this option to **Enable** before requesting Support access. -![Manage user access to the Appliance through the SSH protocol](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/sshserver.webp) +![Manage user access to the Appliance through the SSH protocol](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/sshserver.webp) ## SIEM Integration @@ -132,7 +132,7 @@ a SIEM Server you need to select an available SIEM server integration. **CAUTION:** You can configure a maximum number of 4 SIEM Server integrations. -![Add, edit or delete an existing SIEM Server integration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/siemserverintegration.webp) +![Add, edit or delete an existing SIEM Server integration](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/siemserverintegration.webp) To create a SIEM Server, click **Add New** and provide the following information: 
@@ -156,7 +156,7 @@ To create a SIEM Server, click **Add New** and provide the following information - Log Types – select from the available options the logs to send to the SIEM Server -![SIEM Intergration - Adding a New Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/appliance/siemintegrationnewserver.webp) +![SIEM Intergration - Adding a New Server](/img/product_docs/endpointprotector/endpointprotector/admin/appliance/siemintegrationnewserver.webp) **CAUTION:** Please be aware that the SIEM integration feature in Endpoint Protector comes with certain limitations. To make use of the latest features of this SIEM integration, your environment diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/cappolicies.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/cappolicies.md index 63be6593cc..9f43f1f93c 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/cappolicies.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/cappolicies.md @@ -40,7 +40,7 @@ To manage Content Aware Protection policies, you can: - Switch views between Grid or Widget mode using the controls in the top-right corner - Edit policy priority by double-clicking on a policy listed in the Priority column -![Manage the Content Aware Protection policies](../../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/requirements/target/config/policies.webp) +![Manage the Content Aware Protection policies](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/requirements/target/config/policies.webp) ## Policy Information 
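Review bot: The image in the cappolicies.md hunk (`@@ -40,7 +40,7 @@`) resolves to `/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/requirements/target/config/policies.webp`, an Enterprise Auditor asset path inside an Endpoint Protector page, while every other image in this file lives under `/img/product_docs/endpointprotector/...`. The removed line pointed at the same file, so the path rewrite is faithful, but please confirm this is the intended screenshot for "Manage the Content Aware Protection policies" and that the asset exists at that location; if it is a mislinked image, this is the place to correct it.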
@@ -75,7 +75,7 @@ enable the setting on the specific device from Device Control, Global settings, - Policy Template – select a custom notification from the drop-down list or create one from System Parameters, Device Types and Notification, - [Custom Content Aware Protection Notifications](../systemparameters/overview.md#custom-content-aware-protection-notifications) + [Custom Content Aware Protection Notifications](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md#custom-content-aware-protection-notifications) section - Policy Status – enable to set policy status to active - Client Notifications – enable this setting to send notifications to clients @@ -115,7 +115,7 @@ numbers, emphasizing the distinctions between Regular and Global Thresholds. - Regular Threshold: Does not block two threats (SSN + phone number) - Global Threshold: Blocks two SSNs or any combination of two threats -![Block & Report policies to handle Social Security Numbers (SSN) and phone numbers](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformation.webp) +![Block & Report policies to handle Social Security Numbers (SSN) and phone numbers](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformation.webp) ## Policy Exit Points @@ -140,7 +140,7 @@ Flash Active X. **NOTE:** To distinguish OneDrive for Business from OneDrive, enable Deep Packet Inspection (DPI). -![Monitor transfers from the following exit points](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexistpoints.webp) +![Monitor transfers from the following exit points](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexistpoints.webp) ### Storage Devices 
@@ -155,7 +155,7 @@ From the storage devices tab, you can select to monitor transfers: **CAUTION:** On Linux the paste functionality only works when the default gnome session is Xorg. On other gnome sessions the paste functionality is disabled (ex: wayland). -![From the storage devices tab, you can select to monitor transfers](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexitstoragedevices.webp) +![From the storage devices tab, you can select to monitor transfers](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexitstoragedevices.webp) **NOTE:** The **Block CD/DVD Burning** feature is only available for Windows, built-in or third-party burning features. @@ -269,7 +269,7 @@ On-demand, Endpoint Protector can add other applications. control is limited due to Wayland's lack of support for detecting the focused window. To ensure security, content blocking occurs during the copy operation. -![The Clipboard functionality enables you to monitor all content captured through Copy & Paste or Cut & Paste operations](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexitclipboard.webp) +![The Clipboard functionality enables you to monitor all content captured through Copy & Paste or Cut & Paste operations](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyexitclipboard.webp) Newer Linux Ubuntu versions have 'snap'-based applications installed by default, affecting Endpoint Protector Client functionality. This may result in missing file-related events in Content Aware diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/contentdetection.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/contentdetection.md index 4dd230e934..d7ffd104e7 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/contentdetection.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/contentdetection.md @@ -28,7 +28,7 @@ the following information: Use the up and down arrows or drag and drop an entry from the list to change the order from the operation. -![Content Detection Summary](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/contentdetectionsummary.webp) +![Content Detection Summary](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/contentdetectionsummary.webp) To Restrict Content Detection, select from the drop-down list the file types you want to apply the Content Detection Rule to. @@ -61,7 +61,7 @@ To create a new Context Detection Rules click **Add**, fill in the following an **NOTE:** You can create a maximum number of 15 Context Detection Rules. -![Creating new Context Detection Rules ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/contentdetectionrules.webp) +![Creating new Context Detection Rules ](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/contentdetectionrules.webp) **CAUTION:** To address conflicts between per-policy and Global Contextual Rules, Endpoint Protector clients no longer receive Global Contextual Rules if at least one policy has its individual @@ -134,7 +134,7 @@ The new Endpoint Protector agent versions will report on both Italian ID and SSN - HIPAA - Domain and URL -![Policy Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policydenylists.webp) +![Policy Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policydenylists.webp) ### HIPAA Compliance 
@@ -143,7 +143,7 @@ HIPAA tab are selected. The available options refer to FDA-approved lists and IC automatically report or block transfer files containing PII like Health Insurance Numbers, Social Security Numbers, Addresses, and much more. -![HIPAA Compliance](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/hipaacompliance.webp) +![HIPAA Compliance](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/hipaacompliance.webp) **NOTE:** For a HIPAA policy to be effective and more accurate, it is recommended to utilize Contextual Detection Rules in conjunction with Predefined Content and Custom Content filters. To 
@@ -166,24 +166,24 @@ You can use the following Allowlists: - Deep Packet Inspection **NOTE:** For detailed information on Denylists and Allowlist, refer to the -[Denylists and Allowlists](../denylistsallowlists/overview.md) topic. +[Denylists and Allowlists](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md) topic. **CAUTION:** The Content Aware Protection Policies continue to report and/or block sensitive data transfers from protected computers even after they are disconnected from the company network. Logs will be saved within the Endpoint Protector Client and will be sent to the Server once the connection has been reestablished. -![Policy Allowlists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyallowlists.webp) +![Policy Allowlists](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyallowlists.webp) ## DPI Monitored URL Categories You can define the monitored URL categories the Deep Packet Inspection will filter. If none is selected, Deep Packet Inspection will filter all content uploaded for any URL. -You can add, delete and edit [Denylists and Allowlists](../denylistsallowlists/overview.md) from the +You can add, delete and edit [Denylists and Allowlists](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md) from the Denylists and Allowlists section. -![Define the monitored URL categories the Deep Packet Inspection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpimonitored.webp) +![Define the monitored URL categories the Deep Packet Inspection](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpimonitored.webp) ## Policy Entities 
@@ -201,7 +201,7 @@ when clicking on it, the corresponding network entities on which it was applied You can also define a list of entities that will be excluded from the policy by selecting from the Excluded section. -![Policy Entities](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyentities.webp) +![Policy Entities](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyentities.webp) ## Block and Remediate Policies @@ -222,7 +222,7 @@ To remediate the threat, the user has to follow these steps: **Step 2 –** Select the file for remediation and click Self **Remediate**. -![Block and Remediate Policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/blockremediateclient.webp) +![Block and Remediate Policies](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/blockremediateclient.webp) **Step 3 –** On the Self Remediate section: @@ -236,7 +236,7 @@ To remediate the threat, the user has to follow these steps: - click **Authorize** **NOTE:** You can manage more settings for the Self Remediate feature from System Preferences and -[User Remediation](../systemparameters/overview.md#user-remediation) sections. +[User Remediation](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md#user-remediation) sections. User Remediation for Content Aware Protection can remediate file transfers via web domains. 
@@ -248,7 +248,7 @@ To enable Deep Packet Inspection for other applications, navigate to the **Conte Protection** module, specifically the **Deep Packet Inspection** section, and manually activate it in the **Actions** column. -![Configuring Self Remediate ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/selfremediate.webp) +![Configuring Self Remediate ](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/selfremediate.webp) - When Deep Packet Inspection is enabled – you can apply User Remediation for files transferred on a specific web domain. @@ -262,12 +262,12 @@ in the **Actions** column. For example; If you upload a file on Chrome and apply User Remediation, you can upload the file on any URL from Chrome. -![Deep Packet Inspection Applications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiapplications.webp) +![Deep Packet Inspection Applications](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiapplications.webp) You can view the web domains used for the User Remediation in the Endpoint Protector Client, the Content Aware Protection tab on the Web Domains column. -![selfremediatetwo](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/selfremediatetwo.webp) +![selfremediatetwo](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/selfremediatetwo.webp) ## Applying multiple Content Aware Policies 
@@ -312,7 +312,7 @@ Endpoint Protector and not as Allowed. The deep packet inspection feature has been expanded to email scanning based on domain allowing. -![Applying multiple Content Aware Policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/capeditpolicy.webp) +![Applying multiple Content Aware Policies](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/capeditpolicy.webp) **_RECOMMENDED:_** HIPAA should be considered a Content Aware Policy that, besides the options in the HIPAA tab, also has the below configuration: @@ -327,4 +327,4 @@ HIPAA policies can be created and used on their own or in combination with regul better control of the data inside the network. These policies are available for Windows, Mac OS X, or Linux computers. -![HIPAA policies can be created and used on their own or in combination with regular policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/hipaapolicies.webp) +![HIPAA policies can be created and used on their own or in combination with regular policies](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/hipaapolicies.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/deeppacket.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/deeppacket.md index ef4fd2aa03..bcdda3bdcc 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/deeppacket.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/deeppacket.md 
@@ -42,7 +42,7 @@ generated. **NOTE:** Issuing the Deep Packet Inspection Certificate on Windows is handled automatically and transparently by the Endpoint Protector Client. No additional steps are required. -![Configuring the Deep Packet Inspection - Auto-refresh Certificate feature](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/autorefreshcert.webp) +![Configuring the Deep Packet Inspection - Auto-refresh Certificate feature](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/autorefreshcert.webp) ## Deep Packet Inspection Certificate on macOS 
@@ -63,22 +63,22 @@ Certificate**, and download the **CA Certificate**. -![Deep Packet Inspection Certificate on macOS](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) +![Deep Packet Inspection Certificate on macOS](/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) **Step 2 –** Open the **Keychain Access** application from your macOS and select **System**. -![Keychain Access application settings on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) +![Keychain Access application settings on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) **Step 3 –** Decompress the downloaded **ClientCerts** file. **Step 4 –** Select **cacert.pem** file and drag and drop it on **System** > **Keychain Access**. -![Configuring Client Certificate on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) +![Configuring Client Certificate on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) **Step 5 –** Double click the **X** from the newly added certificate and from the Trust section, select **Always Trust**. -![Keychain Access application settings on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) +![Keychain Access application settings on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) **Step 6 –** **Save** the changes. 
@@ -152,7 +152,7 @@ By default, the Deep Packet Inspection functionality comes with a list of prede particularly by one of the monitored applications defined as an Exit Point within a Content Aware Protection Policy. -![Deep Packet Inspection Ports and Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiports.webp) +![Deep Packet Inspection Ports and Settings](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiports.webp) In this section you can also manage the following settings: @@ -206,7 +206,7 @@ In this section you can also manage the following settings: used for Gmail, Google Drive, Google Docs, etc. that are not listed here. If the list remains empty, no Google domain will be blocked. -![Allowed domains for Google Business accounts](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/alloweddomainsgoogle.webp) +![Allowed domains for Google Business accounts](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/alloweddomainsgoogle.webp) ### Monitor Webmail JSON Format Parser Usage @@ -245,7 +245,7 @@ Endpoint Protector Server UI: - The subject here is located at a specific path inside nested arrays without having to go through all elements of a specific array and use \[:] -![Monitor Webmail JSON Format Parser Usage](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/webmailjson.webp) +![Monitor Webmail JSON Format Parser Usage](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/webmailjson.webp) **_RECOMMENDED:_** It is advised, that due to recent changes applied by cloud providers, to not apply any changes in the JSON parser, unless Monitor Webmail is not working 
@@ -272,11 +272,11 @@ application that is subject to this functionality. **NOTE:** Only the applications that support Deep Packet Inspection are available in the list below. -![Deep Packet Inspection Applications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiapplications.webp) +![Deep Packet Inspection Applications](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/dpiapplications.webp) **NOTE:** The Deep Packet Inspection functionality needs to be first enabled from **Device Control** > **Settings** (Global, Groups, Computers, etc.). For detailed information on, refer to -the [Device Control](../devicecontrol/module.md) topic. +the [Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md) topic. ## Certificate status matrix diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md index 796e2e1e4b..fbc8033dea 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md 
@@ -36,7 +36,7 @@ If not previously provided, the contact details of the Main Administrator will b **NOTE:** Any details provided will only be used to ensure the Live Update Server is configured correctly and that the Content Aware Protection module was enabled successfully. -![The module is displayed but requires a simple activation by pressing the Enable button](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/activation.webp) +![The module is displayed but requires a simple activation by pressing the Enable button](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/activation.webp) **NOTE:** The Content Aware Protection module is separate from Device Control or eDiscovery modules, and requires separate licensing. @@ -46,4 +46,4 @@ and requires separate licensing. This section offers a quick overview in the form of graphics and charts related to the Content Aware Protection module. -![A quick overview in the form of graphics and charts related to the Content Aware Protection module](../../../../../../static/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) +![A quick overview in the form of graphics and charts related to the Content Aware Protection module](/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/usecases.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/usecases.md index 8b6cdd8e89..9690eb026c 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/usecases.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/usecases.md 
@@ -14,7 +14,7 @@ block the transfer of this data through common Windows desktop applications. Since the data is organized by patient profile, the administrator can create a HIPAA-compliant policy as shown below. -![Content Aware Edit Policy](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/capeditpolicytwo.webp) +![Content Aware Edit Policy](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/capeditpolicytwo.webp) This policy is set to Block & Report, with a Global Threshold of 4. It scans the following: @@ -38,11 +38,11 @@ the transfer of files containing 3 PII items. You can create a policy to block the transfer of files containing 10 or more PIIs by setting the Global Threshold to 10, as shown in the policy example below. -![Applying multiple Content Aware Policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformationtwo.webp) +![Applying multiple Content Aware Policies](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformationtwo.webp) Another HIPAA-compliant policy can be configured to report the transfer of files containing 3 PII items by setting the Regular Threshold to 3, as shown in the example below. -![Applying multiple Content Aware Policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformationthree.webp) +![Applying multiple Content Aware Policies](/img/product_docs/endpointprotector/endpointprotector/admin/contentawareprotection/policyinformationthree.webp) The Block & Report policy takes priority, while the Report Only policy is secondary. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/dashboard/systemdashboard.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/dashboard/systemdashboard.md index e7baaefd66..bf9db09c3d 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/dashboard/systemdashboard.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/dashboard/systemdashboard.md @@ -12,9 +12,9 @@ ticket through the [Netwrix Customer Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). For detailed information on settings change or creating additional administrators, refer to the -[System Configuration](../systemconfiguration/overview.md) topic. +[System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic. -![Page for default login credentials for the root account](../../../../../../static/img/versioned_docs/threatprevention_7.4/threatprevention/eperestsite/login.webp) +![Page for default login credentials for the root account](/img/versioned_docs/threatprevention_7.4/threatprevention/eperestsite/login.webp) ## Configuration Wizard @@ -31,9 +31,9 @@ inactivity. If you are not active for this amount of time, you are notified the and logged out unless you select to continue the session. **NOTE:** You can customize the session timeout and timeout counter from the -[System Configuration](../systemconfiguration/overview.md) topic. +[System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic. -![The Configuration Wizard provides you with several steps to define basic settings](../../../../../../static/img/versioned_docs/auditor_10.6/auditor/addon/privilegeduserlinux/configwizard.webp) +![The Configuration Wizard provides you with several steps to define basic settings](/img/versioned_docs/auditor_10.6/auditor/addon/privilegeduserlinux/configwizard.webp) ## General Dashboard 
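Review bot: the System Configuration link in both hunks of systemdashboard.md now hard-codes the version directory, /docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md, where the removed ../systemconfiguration/overview.md was version-independent. If this tree is copied to create the next release's docs, the copy will still link back into 5.9.4.2 and nothing in the file will look wrong. The Device Control link in the earlier @@ -272,11 hunk has the same problem. Either keep links within one version relative, or confirm that the versioning step rewrites these prefixes and say so in the commit message.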
@@ -43,35 +43,35 @@ important activities logged by Endpoint Protector. You will view more specific dashboards on the Device Control, Content Aware Protection and eDiscovery sections. -![View general information as graphics and charts related to the most important activities](../../../../../../static/img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/search/query/general.webp) +![View general information as graphics and charts related to the most important activities](/img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/search/query/general.webp) ## System Status In this section you can view general information of the system’s functionality, alerts, and backup status. -![View general information of the system’s functionality, alerts, and backup status](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systemstatus.webp) +![View general information of the system’s functionality, alerts, and backup status](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systemstatus.webp) From the System Functionality section, you can enable Endpoint Protector, as well as just specific modules (Device Control, Content Aware Protection, or eDiscovery). -![Enable EPP , as well as just specific modules](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systemfunctionality.webp) +![Enable EPP , as well as just specific modules](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systemfunctionality.webp) From the System Status subsection, you can enable the HDD Disk Space and Log Rotation. **NOTE:** If this setting is enabled, when the Server’s disk space reaches a certain percentage (starting from 50% up to 90%), old logs will be automatically overwritten by the new ones. 
-![Enable the HDD Disk Space and Log Rotation.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/diskspace.webp) +![Enable the HDD Disk Space and Log Rotation.](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/diskspace.webp) From the System Alerts subsection, you can enable important alerts notifying the expiration of the APNS Certificate, Updates, and Support or Passwords. -![Enable important alerts ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalerts.webp) +![Enable important alerts ](/img/product_docs/endpointprotector/endpointprotector/admin/alerts/systemalerts.webp) From the System Backup subsection, you can enable the System Backup. -![Enable the System Backup](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systembackup.webp) +![Enable the System Backup](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/systembackup.webp) ## Live Update 
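Review bot: the General Dashboard image at the top of this hunk resolves to /img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/search/query/general.webp, an asset that lives under another product's versioned tree, and the new path keeps that dependency. The two earlier hunks in this file do the same for login.webp (threatprevention_7.4) and configwizard.webp (auditor_10.6), as does the dashboard image in contentawareprotection/module.md (privilegesecure_4.1). Check that each is the intended Endpoint Protector screenshot and, if it is, copy it under /img/product_docs/endpointprotector/ so that pruning or re-versioning the other product's images cannot break this page.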
@@ -81,16 +81,16 @@ updates. **NOTE:** This feature communicates through port 80. Whitelist the liveupdate.endpointprotector.com (IP: 178.63.3.86) domain. -![Check and apply the latest security and Server updates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/liveupdate.webp) +![Check and apply the latest security and Server updates](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/liveupdate.webp) ### Software Update -![Management of software updates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/softwareupdate.webp) +![Management of software updates](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/softwareupdate.webp) Click **Configure Live Update** to select manual or automatic live updates check, the number of retries, and manage the Automatic Reporting to the LiveUpdate Server. -![Configuring Live Updates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/configliveupdate.webp) +![Configuring Live Updates](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/configliveupdate.webp) Click **Check Now** to search for the Endpoint Protector Server updates displayed in the Available Updates section. You can select and install an update with **Apply Updates**, or all updates with 
@@ -99,7 +99,7 @@ Updates section. You can select and install an update with **Apply Updates**, or You can also schedule an update. Select an entry from the available updates, click **Schedule update** and then use the calendar to select the date and confirm your selection. -![Checking for available EPP server Updates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/availableupdates.webp) +![Checking for available EPP server Updates](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/availableupdates.webp) Use the Offline Patch upload option to select the offline patches from your computer and successively install them to the latest Endpoint Protector version. @@ -107,7 +107,7 @@ install them to the latest Endpoint Protector version. **NOTE:** To request the Offline Patch, submit a support ticket through the [Netwrix Customer Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). -![Select the offline patches from your computer and successively install them to the latest](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/offlinepatch.webp) +![Select the offline patches from your computer and successively install them to the latest](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/offlinepatch.webp) **CAUTION:** Before upgrading your Endpoint Protector server to the 5.7.0.0 server version from a pre-5206 version and adjacent OS image, you need to enable database partitions. For assistance, 
@@ -139,7 +139,7 @@ Select one of the security updates type available and then click **Check Updates If there are updates available, click **Apply Updates**. -![Applying Backend Security Updates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/backendsecurityupdates.webp) +![Applying Backend Security Updates](/img/product_docs/endpointprotector/endpointprotector/admin/dashboard/backendsecurityupdates.webp) **NOTE:** For history of applied Backend Updates go to admin action report and choose **Apply Updates** under Activity filter. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/allowlists.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/allowlists.md index 198a6b7d56..b6f386da96 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/allowlists.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/allowlists.md 
@@ -23,14 +23,14 @@ recommend only doing so after gaining a deeper understanding of the type of data or stored by the users in your system, and the subsequent logs increase in the Endpoint Protector Server. -![MIME Type Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/mimetypeallowlists.webp) +![MIME Type Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/mimetypeallowlists.webp) ## Allowed Files Allowed Files Allowlists are custom groups of files you exclude from Endpoint Protector sensitive content detection, available for both Content Aware Protection and eDiscovery modules. -![Allowed Files Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/allowedfilesallowlists.webp) +![Allowed Files Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/allowedfilesallowlists.webp) You can add a new allowlist or edit and delete from the Actions column. @@ -41,7 +41,7 @@ allowlists. Once the allowlist is created, it will be displayed on the Allowed File list and will be available when creating or editing a Content Aware Protection or eDiscovery policy. -![New Allowed Files Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newallowedfilesallowlists.webp) +![New Allowed Files Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newallowedfilesallowlists.webp) ## File Location 
@@ -69,7 +69,7 @@ Wildcards Usage Examples for File Location | Implicit | \\file-share\public | \\file-share\public\jdoe\file.txt \\file-share\public\user512\file2.txt | \\file-share\c$\file.txt \\file-server\public\jdoe\file.txt | | Explicit | \\\*\public\\\* | \\localhost\public\payslip.xlsx \\192.168.20.2\public\Windows\system32\notepad.exe | \\localhost\c$\system32\notepad.exe C:\Windows.old\system32\notepad.exe | -![File Location Allowlists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationallowlists.webp) +![File Location Allowlists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationallowlists.webp) You can add a new allowlist or edit, delete or export from the Actions column. @@ -83,7 +83,7 @@ and **description**, add the items separated by a new line, comma, or semicolon File Location Allowlists will not apply to groups of users, only to groups of computers. File Location Allowlists will only apply for the selected computer groups after 15 minutes. -![New File Location Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationnewdenylists.webp) +![New File Location Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationnewdenylists.webp) ## Network Share @@ -99,7 +99,7 @@ when wildcard patterns are used. **CAUTION:** The Network Share must be set to Allow Access and Scan Network Share must be checked inside a Content Aware Protection Policy. -![Network Share Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/networkshareallowlists.webp) +![Network Share Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/networkshareallowlists.webp) You can add a new allowlist or edit, delete or export from the Actions column. 
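Review bot: in the @@ -83,7 hunk above, the image captioned "New File Location Allowlists" points at filelocationnewdenylists.webp, a file whose name says it is the denylist form. The denylists.md hunk for "File Location New Denylist" later in this patch references the same file. If a separate allowlist screenshot exists, reference it here; if the two forms really are identical, a neutral file name would stop this looking like a copy-paste error on the next review.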
@@ -113,7 +113,7 @@ Share Allowlists will only apply for the selected computer groups after 15 minut **CAUTION:** Do not type the network share path with backslashes (\\) 192.168.0.1\public\users\test; fileserver\documents\example -![New Network Share Allowlists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newnetworkshareallowlists.webp) +![New Network Share Allowlists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newnetworkshareallowlists.webp) ## E-mail Domain @@ -122,7 +122,7 @@ information will be allowed by Endpoint Protector. **NOTE:** E-mail Domain Allowlists are available only for the Content Aware Protection module. -![E-mail Domain Allowlists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/emaildomainallowlists.webp) +![E-mail Domain Allowlists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/emaildomainallowlists.webp) You can add a new allowlist or edit, delete or export from the Actions column. @@ -133,7 +133,7 @@ comma, or semicolon. You can import content using the sample file provided on t Once the allowlist is created, it will be displayed on the E-mail Domain list and will be available when creating or editing a Content Aware Protection policy. -![New E-mail Domain Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newemaildomainallowlists.webp) +![New E-mail Domain Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newemaildomainallowlists.webp) You can use wildcard patterns in the e-mail domain to specify wildcard matching as displayed in the following example. 
@@ -150,7 +150,7 @@ Available only for the Content Aware Protection module, Deep Packet Inspection A custom-defined lists or dictionaries with web domains Endpoint Protector will allow confidential information uploads. -![Deep Packet Inspection Allowlists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/dpiallowlists.webp) +![Deep Packet Inspection Allowlists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/dpiallowlists.webp) You can add a new allowlist or edit, delete or export from the Actions column. @@ -177,7 +177,7 @@ Example: example.endpointprotector, \*example.com, \*example\*, https://website. Once the allowlist is created, it will be displayed on the Deep Packet Inspection list and will be available when creating or editing a Content Aware Protection policy. -![New Deep Packet Inspection Allowlists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newdpiallowlists.webp) +![New Deep Packet Inspection Allowlists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newdpiallowlists.webp) Wildcards Usage Examples for Deep Packet Inspection diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/denylists.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/denylists.md index 70a6bf8290..d7faa6a777 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/denylists.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/denylists.md 
@@ -5,7 +5,7 @@ Custom Content denylists are custom-defined lists of terms and expressions detected as sensitive content by Endpoint Protector, available for both Content Aware Protection and eDiscovery modules. -![Denylists Custom Content configuration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/customecontent.webp) +![Denylists Custom Content configuration](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/customecontent.webp) From this section, you can view and add e-mail custom content denylists and from the Actions column, you can edit, delete or export an existing denylist. @@ -21,7 +21,7 @@ uploaded again. Once the denylist is created, it will be displayed on the Custom Content list and will be available when creating or editing a Content Aware Protection or eDiscovery policy. -![Creating a new denylist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newdenylist.webp) +![Creating a new denylist](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newdenylist.webp) ## File Name @@ -53,7 +53,7 @@ creating or editing a Content Aware Protection or eDiscovery policy. **CAUTION:** For Content Aware Protection, the File Name Denylists work only for Block & Report type Policies. The Case Sensitive and Whole Words Only features do not apply. -![File Name Denylists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filename.webp) +![File Name Denylists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filename.webp) ## File Location 
@@ -63,7 +63,7 @@ or permissions defined in various Policies. File Location Denylists are available for both Content Aware Protection and eDiscovery modules. -![File Location Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocation.webp) +![File Location Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocation.webp) Enabling the option to Include subfolders for File Location Denylists will affect all other File Location Denylists and Allowlists throughout the system. By default, the File Location Denylists @@ -83,7 +83,7 @@ and **description**, add the items separated by a new line, comma, or semicolon **NOTE:** File Location Denylist will not apply to groups of users, only to groups of computers. File Location Denylist will only apply for the selected computer groups after 15 minutes. -![File Location New Denylist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationnewdenylists.webp) +![File Location New Denylist](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/filelocationnewdenylists.webp) You can use wildcard patterns in the File Location Denylists to specify wildcard matching. To match a desktop folder on Windows, use the pattern "?:\Users\\\*\Desktop\". 
@@ -101,7 +101,7 @@ Scan Location Denylists are custom-defined lists of locations identified by th Data at rest within this location are automatically inspected for content, depending on the rules defined in various Policies. -![Scan Location Denylists are custom-defined lists of locations identified by the eDiscovery module](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/scanlocation.webp) +![Scan Location Denylists are custom-defined lists of locations identified by the eDiscovery module](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/scanlocation.webp) From this section, you can view and add scan location denylists and from the Actions column, you can edit or delete an existing denylist. @@ -115,7 +115,7 @@ When defining a Scan Location, use these special characters to define the path - \* - to replace any word - ? - to replace any character -![Scan Location New Denylist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/scanlocationnewdenylist.webp) +![Scan Location New Denylist](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/scanlocationnewdenylist.webp) ## Regex 
@@ -137,7 +137,7 @@ or delete an existing denylist. To create a new denylist, under the list of available denylists, click **Ad**d, provide a **name** and **description** and then add the regex expression. -![You can view and add regex expressions and from the Actions column](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/regexdenylists.webp) +![You can view and add regex expressions and from the Actions column](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/regexdenylists.webp) You can test a regular expression for accuracy using the right-side option. Add the content and then click Test. If the Regular Expression has no errors, then the same content should appear into the @@ -151,7 +151,7 @@ Matched content box, as shown below: syntax. No direct support is offered and it is the responsibility of the customers to learn and implement regular expressions and to thoroughly test. -![You can test a regular expression for accuracy using the right-side option](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/regexnewdenylist.webp) +![You can test a regular expression for accuracy using the right-side option](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/regexnewdenylist.webp) ## Domain and URL 
@@ -160,7 +160,7 @@ Access to domains and URLs from these lists will be denied. **NOTE:** Domain and URL Denylists are available only for the Content Aware Protection module. -![Domain and URL Denylists ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/domainurldenylists.webp) +![Domain and URL Denylists ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/domainurldenylists.webp) From this section, you can view and add domain and URL denylists and from the Actions column, you can edit, delete or export an existing denylist. @@ -182,7 +182,7 @@ https://website.com Once the denylist is created, it will be displayed on the Domain and URL list and will be available when creating or editing a Content Aware Protection policy. -![Creating a New Domain URL denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/domainurlnewdenylists.webp) +![Creating a New Domain URL denylists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/domainurlnewdenylists.webp) ## E-mail Domain @@ -197,7 +197,7 @@ select that have Report Only or Block and Remediate policies with no remediation enabled and only impacts applications that retrieve the email recipients and are selected on Content Aware Protection Policy. -![E-mail Domain Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/e-maildomaindenylists.webp) +![E-mail Domain Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/e-maildomaindenylists.webp) From this section, you can view and add e-mail domain denylists and from the Actions column, you can edit, delete or export an existing e-mail domain denylist. 
@@ -206,7 +206,7 @@ To create a new denylist, under the list of available denylists, click **Add**, and **description**, add the items separated by a new line, comma, or semicolon and then select the **groups** and **computers**. You can import content using the sample file provided on the form. -![E-mail Domain New Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/e-maildomainnewdenylists.webp) +![E-mail Domain New Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/e-maildomainnewdenylists.webp) ## Microsoft Information Protection @@ -240,7 +240,7 @@ these files is not yet supported. unnecessary. Endpoint Protector relies on information with labeled files. This might change in future releases. -![Confguration for Microsoft Information Protection (MIP) ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/mipclassification.webp) +![Confguration for Microsoft Information Protection (MIP) ](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/mipclassification.webp) ## Applications @@ -275,7 +275,7 @@ want to control. **Step 3 –** Incorporate these criteria into your CAP policies as arguments to ensure precise control and monitoring of application usage. -![Configuring Applications Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/applicationsdenylists.webp) +![Configuring Applications Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/applicationsdenylists.webp) Follow these steps and leverage CLI commands denylists to enhance your organization's security posture and ensure that applications are used in compliance with your policies and regulations. 
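Review bot: the + line in the @@ -240,7 hunk keeps the alt-text typo "Confguration for Microsoft Information Protection (MIP) " along with its trailing space before the closing bracket. The line is being rewritten in this change, so correct it to "Configuration" and drop the trailing space in the same commit.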
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/urlcategories.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/urlcategories.md index 946c4755d3..7af3ac20a4 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/urlcategories.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/urlcategories.md @@ -11,7 +11,7 @@ Blocking content based on URL categories can lead to data loss if not used corre restrict a policy to a few domain names. Policies must be constantly updated as new URLs need to be added to the categories lists. -![URL Categories](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/urlcategories.webp) +![URL Categories](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/urlcategories.webp) You can add a new URL category or edit, delete or export from the Actions column. @@ -23,4 +23,4 @@ then select the option based on the number of uploaded items. Once the URL category is created, it will be displayed on the URL category list and will be available when creating or editing a Content Aware Protection policy. -![ Creating a new URL category](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newurlcategory.webp) +![ Creating a new URL category](/img/product_docs/endpointprotector/endpointprotector/admin/denylistsallowlists/newurlcategory.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/customclasses.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/customclasses.md index af8b770e33..a2b0f7df30 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/customclasses.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/customclasses.md 
@@ -9,7 +9,7 @@ double-clicking on it. You can edit, duplicate or delete a policy after selecting the policy. -![Provides you with the option to create new classes of devices for easier management](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/customclasses.webp) +![Provides you with the option to create new classes of devices for easier management](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/customclasses.webp) Before adding devices to a Custom Class, the Name, Description, Device Type (USB Storage Devices, Cameras, etc.), Device Right (Allow Access, Block Access, etc.) must be provided. Once this is done, 
@@ -18,18 +18,18 @@ there are multiple ways of adding devices to a Custom Class: - New Device (VID, PID, Serial Number) – will allow at Step 2 to add new devices based on Vendor ID, Product ID, and Serial Number. -![Multiple ways of adding devices to a Custom Class](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/newdevice.webp) +![Multiple ways of adding devices to a Custom Class](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/newdevice.webp) - Existing Device (Wizard) – will allow at Step 2 to add devices previously connected to protected computers and already in the Endpoint Protector database. -![Add devices previously connected to protected computers](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/existingdevice.webp) +![Add devices previously connected to protected computers](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/existingdevice.webp) - Device Serial Number Range – will allow at Step 2 to add multiple devices at the same time, by specifying the first and last Serial Number in the range. The recommended use for this feature is for devices that have a consecutive range, with a clear, noticeable pattern. -![Add multiple devices at the same time, by specifying the first and last Serial Number in the range](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/multipledevices.webp) +![Add multiple devices at the same time, by specifying the first and last Serial Number in the range](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/multipledevices.webp) > **NOTE:** Although this feature can work in situations where the Serial Number range does not > follow a noticeable pattern, this is not recommended. In this type of situation, some devices will 
@@ -38,7 +38,7 @@ there are multiple ways of adding devices to a Custom Class: - Bulk List of Devices – will allow at Step 2 to add up to 1000 devices at the same time. There are two methods to choose from, either importing a list or simply pasting the information. -![Allow at Step 2 to add up to 1000 devices at the same time](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/bulkdevices.webp) +![Allow at Step 2 to add up to 1000 devices at the same time](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/bulkdevices.webp) - Device Class (Device Type) – will allow at Step 2 to add a specific right to a Device Type. This option is intended to be used in scenarios when a very fast way to change all device types in the @@ -63,7 +63,7 @@ The user rights are on the same level as the computer rights. The priority can b System Settings section. **NOTE:** For detailed information, refer to the -[System Configuration](../systemconfiguration/overview.md) topic. +[System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic. Select an option to grant access for clients based on the Department Code. You can also view the Default Department code – defdep. 
@@ -73,9 +73,9 @@ Select an option to grant access for clients based on the Department Code. You can also view the Default Department code - defdep. **NOTE:** For detailed information, refer to the -[System Configuration](../systemconfiguration/overview.md) topic. +[System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic. -![Select an option to grant access for clients based on the Department Code](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/departmentusage.webp) +![Select an option to grant access for clients based on the Department Code](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/departmentusage.webp) ### Session Settings 
@@ -90,18 +90,18 @@ For example; If you define the Session Timeout to 5 minutes and the Timeout cou then after 4 minutes of inactivity you will be notified by the pop-up window that in 60 seconds you will be logged out. -![Modify session timeout settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/sessionsettings.webp) +![Modify session timeout settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/sessionsettings.webp) If you remain idle for the defined amount of time, then Endpoint Protector stops responding and displays a message that indicates the session will expire in the predefined countdown. You can choose to log out or continue your session, resetting the session timeout interval. -![Choose to log out or continue your session, resetting the session timeout interval](../../../../../../static/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) +![Choose to log out or continue your session, resetting the session timeout interval](/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) Endpoint Protector Rights Functionality -![Rights Functionality ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/rightsfunctionality.webp) +![Rights Functionality ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/rightsfunctionality.webp) For example; Device X is allowed from Global Rights. If in the Computer Rights section, the same device does not have permission to be used, the device will not be usable. Same applies vice-versa: 
@@ -123,4 +123,4 @@ Custom Classes rights. The Offline Temporary Password rights allow the creation of exceptions from applied rules. These rights surpass all others. -![Priorities for Device Control Policies](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/prioritiesdevicecontrol.webp) +![Priorities for Device Control Policies](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/prioritiesdevicecontrol.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/devicesandcomputers.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/devicesandcomputers.md index 0b3cbf8137..7603840ec9 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/devicesandcomputers.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/devicesandcomputers.md @@ -15,7 +15,7 @@ You can view the right for each device based on the color code from the Status c **NOTE:** Any new device connected to a protected computer is automatically added to the database and assigned to its first user which can be changed later. -![View, sort, and export in Excel, PDF or CSV format any devices from the system](../../../../../../static/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/devices.webp) +![View, sort, and export in Excel, PDF or CSV format any devices from the system](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/devices.webp) Click **Create** to manually add a new device on the list by providing device information: name, friendly name, type PID, department, description, friendly description, VID, serial number and 
@@ -35,7 +35,7 @@ Endpoint Protector Server to another and aims to correlate the device rights and You can also import the devices directly from Active Directory. **NOTE:** For detailed information on Active Directory, refer to the -[Directory Services](../directoryservices/overview.md) topic. +[Directory Services](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md) topic. ### Priority order @@ -44,12 +44,12 @@ set per Device Types (USB Storage Device, Digital Camera, iPod, Thunderbolt, Chi etc.). **NOTE:** For detailed information, refer to the -[Directory Services](../directoryservices/overview.md) topic. +[Directory Services](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md) topic. If you configure device rights granularly for all entities, the priority order will be the following, starting with the highest: -![Priority order whech configuring device rights](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/priortyorder.webp) +![Priority order whech configuring device rights](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/priortyorder.webp) For example, If global rights indicate that no computer on the system has access to a specific device, and for one computer that device has been authorized, then that computer will have access to 
@@ -60,27 +60,27 @@ that device. To manage device rights for specific computers, groups, or users, select **Manage Rights** from the Actions column. -![Manage device rights for specific computers, groups, or users](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/effectiverights.webp) +![Manage device rights for specific computers, groups, or users](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/effectiverights.webp) -![Managing device rights](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicerights.webp) +![Managing device rights](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicerights.webp) After selecting a device and assigning rights to specific users, computers or groups follow these steps: **Step 1 –** Select the **Entity** and the **Device** right. -![Selecting the Entity and the Device right](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/entintydeviceright.webp) +![Selecting the Entity and the Device right](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/entintydeviceright.webp) **Step 2 –** Select the **Entities** (Computers, Groups, or Users). -![Selecting the Entities (Computers, Groups, or Users)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/entitiesrights.webp) +![Selecting the Entities (Computers, Groups, or Users)](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/entitiesrights.webp) ### Device History From this section, you can view the device history by selecting the View Device History action. This will display the Logs Report page filtered for the respective device. 
-![ Logs Report page filtered for the respective device](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) +![ Logs Report page filtered for the respective device](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) ## Computers @@ -88,14 +88,14 @@ From this section, you can filter, create, uninstall or delete a computer and u option to create a Settings Report, Export List of Computers and Schedule Export list. You can download the Settings Report from System Maintenance, the -[Exported Entities](../systemmaintenance/overview.md#exported-entities) topic to view the Deep +[Exported Entities](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/overview.md#exported-entities) topic to view the Deep Packet Inspection status for each entity (Computer/User/Group) and the entity from which Deep Packet Inspection is used. Any new computer that has the Endpoint Protector Client deployed will be automatically added to the database, thus making it manageable. -![Filter, create, uninstall or delete a computer ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computers.webp) +![Filter, create, uninstall or delete a computer ](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computers.webp) The Endpoint Protector Client has a self-registration mechanism. This process is run once after the Client software is installed on a client computer. The Client will then communicate to the Server 
@@ -107,7 +107,7 @@ made, and also each time the application Client is reinstalled. The owner of the saved in the process of self-registration. For more details about Licensing, go to the -[System Configuration](../systemconfiguration/overview.md) topic. +[System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic. A Computer is identified by the computer parameters (Main IP, IP List, MAC, Domain, Workgroup, Computer Serial Number or MachineUUID, OS version) but information like Name and Description is also @@ -122,11 +122,11 @@ You can manually create a new computer at any time by providing the computer par information mentioned above or import computers from Active Directory. For more details about Active Directory, go to the -[Directory Services](../directoryservices/overview.md) topic. You can also assign the computers to +[Directory Services](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md) topic. You can also assign the computers to the following for a better organization: - Devices and Computers e.g., several computers within the same office -- [System Configuration](../systemconfiguration/overview.md) an alternative organization to Groups +- [System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) an alternative organization to Groups ### Computer Rights 
@@ -134,7 +134,7 @@ You can manage computer rights from the Actions column for a specific computer Rights**. This section is built around the computers, allowing you to specify which Device Types and Specific Devices can be accessible. -![Specifies which Device Types and Specific Devices can be accessible](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computerrights.webp) +![Specifies which Device Types and Specific Devices can be accessible](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computerrights.webp) The Standard device control rights include the Device Types and Already Existing Devices sections. These are generally the only device rights used. @@ -162,14 +162,14 @@ It will do this by either inheriting the settings from the group it belongs to o the global settings, which are mandatory and exist in the system with default values from installation. -![Editing the settings for each computer](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computersettings.webp) +![Editing the settings for each computer](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computersettings.webp) ### Computer History From this section, you can view the computer history by selecting the View Computer History action. This will display the Logs Report page filtered for the respective computer. -![This will display the Logs Report page filtered for the respective computer](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) +![This will display the Logs Report page filtered for the respective computer](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) ### Terminal Servers and Thin Clients 
@@ -180,13 +180,13 @@ Servers can be enforced through Endpoint Protector, as detailed below. The process starts with the menu view from Device Control > Computers, namely the action to Mark as Terminal Server -![Mark as Terminal Server Action](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/terminalserver_19x14.webp) +![Mark as Terminal Server Action](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/terminalserver_19x14.webp) . After you selected the computer in the system as a Terminal Server, “Yes” will be displayed for ease of identification, as seen below: -![Displays List of computers](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computers.webp) +![Displays List of computers](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/computers.webp) **NOTE:** The computers that can be targeted by this action are strictly Windows Servers with Terminal Server roles properly configured @@ -198,7 +198,7 @@ appear when choosing to Edit it under Device Control, Computers, Computer Rights The settings for the Terminal Server-specific Device Types are: Preserve Global Settings, Allow Access, Deny Access, and Read-Only Access. -![ Preserves Global Settings, Allow Access, Deny Access, and Read-Only Access.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/rdpstorage.webp) +![ Preserves Global Settings, Allow Access, Deny Access, and Read-Only Access.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/rdpstorage.webp) An Allow Access right set to the RDP Storage device type will enable all users that connect to the Terminal Server by RDP to transfer files to and from their local disk volume or shared storage 
@@ -214,15 +214,15 @@ Endpoint Rights Functionality for the rights policy to apply on user logins with Secondly, the menu from Device Control > Users > Rights will present an additional device type for all the users in Endpoint Protector, namely Thin Client Storage (RDP Storage). -![Thin Client Storage (RDP Storage) device type](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/thinclientstorage.webp) +![Thin Client Storage (RDP Storage) device type](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/thinclientstorage.webp) Multiple users can be recognized as active users on any given Terminal Server, and so, the setting of this right can be used as a powerful tool to create access policies for specific users, as detailed in the use case below. -![Illustrate tool to create access policies for specific users](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/thingrouptools.webp) +![Illustrate tool to create access policies for specific users](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/thingrouptools.webp) On a Windows Terminal Server, the Endpoint Protector Client will display RDP Storage disks shared by one or multiple Thin Clients as seen below. -![Client version displays RDP Storage disks shared by one or multiple Thin Clients](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientversiondc.webp) +![Client version displays RDP Storage disks shared by one or multiple Thin Clients](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientversiondc.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalrights.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalrights.md index e3366b6044..4cdf3c8db8 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalrights.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalrights.md @@ -6,7 +6,7 @@ globally, to all Endpoint Protector entities. **NOTE:** If device rights or other settings will be configured granularly for entities, the priority order, starting with the highest, will be as follows: -![priortyorder](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/priortyorder.webp) +![priortyorder](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/priortyorder.webp) This section relates to the entire system, allowing you to specify what Device Types and Specific Devices can be accessible. While Standard Rights Policies are the default ones, Outside Hours or @@ -20,7 +20,7 @@ breaches. These devices can be authorized, which makes it possible for the users modify their content and for administrators to view the data transferred to and from the authorized devices. -![Standard supported Devices](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/standarddevices.webp) +![Standard supported Devices](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/standarddevices.webp) - Removable Storage Devices - Normal USB Flash Drives, U3 and Autorun Drives, Disk on Key, etc. 
@@ -56,7 +56,7 @@ levels, depending on the degree of protection offered by a device (trusted devic Encryption are TD level 1). For detailed information on Trusted Device™ and Enforced Encryption, refer to the -[Trusted Device™](../enforcedencryption/module.md#trusted-device) topic. +[Trusted Device™](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md#trusted-device) topic. **NOTE:** With the WiFi – Block if wired network is present option you can disable the WiFi connection, while a wired network connection is present. The WiFi connection will be available when @@ -65,13 +65,13 @@ the wired network is not present. **NOTE:** On macOS version 14 (Sonoma) and higher, Bluetooth devices are managed only when the device is connected and visible under ‘My Devices’ in the Bluetooth section of ‘System settings’. -![Bluetooth Device Management on Mac](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/macbluetooth.webp) +![Bluetooth Device Management on Mac](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/macbluetooth.webp) By default, the majority of device types are blocked. However, as a working internet connection or wireless keyboards are needed during the configuration process, several devices are set to Allow Access. These include Wi-Fi, Bluetooth, Network Share, Additional Keyboard, and USB Modem. -![Device Type configuration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) +![Device Type configuration](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) ### VM USB Device Usage 
@@ -90,7 +90,7 @@ different VID, PID and device code, but they all have the same serial number. **NOTE:** The Endpoint Protector Client does not distinguish between USB devices (e.g. USB hard drive vs USB Webcam) by Device name/VID/PID. -![Manage USB access through the virtual environment.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/vmusb.webp) +![Manage USB access through the virtual environment.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/vmusb.webp) ## Specific Devices (Standard) @@ -99,7 +99,7 @@ From this section, you can manage access rights for a specific device. Device rights can be set either Globally or, per Group, User, or Computer, by using the Manage Rights action from each section/entity. -![Manage access rights for a specific device.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/specificdevices.webp) +![Manage access rights for a specific device.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/specificdevices.webp) To add a new device click **Add** and provide the mandatory information. There are multiple ways of adding devices: 
@@ -107,18 +107,18 @@ adding devices: - New Device (VID, PID, Serial Number) – will allow at Step 2 to add new devices based on Vendor ID, Product ID, and Serial Number. -![Device Wizard - Adding New Device](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/newdevicestep.webp) +![Device Wizard - Adding New Device](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/newdevicestep.webp) - Existing Device (Wizard) – will allow at Step 2 to add devices previously connected to protected computers and already in the Endpoint Protector database. -![Add devices previously connected to protected computers and already in the database.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/existingdevice.webp) +![Add devices previously connected to protected computers and already in the database.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/existingdevice.webp) - Device Serial Number Range – will allow at Step 2 to add multiple devices at the same time, by specifying the first and last Serial Number in the range. The recommended use for this feature is for devices that have a consecutive range, with a clear, noticeable pattern. -![ Add multiple devices at the same time.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/multipledevices.webp) +![ Add multiple devices at the same time.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/multipledevices.webp) **NOTE:** Although this feature can work in situations where the Serial Number range does not follow a noticeable pattern, this is not recommended. In this type of situation, some devices will be 
@@ -127,11 +127,11 @@ ignored by Endpoint Protector and will not have the expected effect. - Bulk List of Devices – will allow at Step 2 to add up to 1000 devices at the same time. There are two methods to choose from, either importing a list or simply pasting the information. -![Add up to 1000 devices at the same time](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/bulkdevices.webp) +![Add up to 1000 devices at the same time](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/bulkdevices.webp) The File Allowlist feature is also available for USB storage devices that have allowed access. For detailed information on using the File Allowlist, refer to the File -[Denylists and Allowlists](../denylistsallowlists/overview.md) topic. +[Denylists and Allowlists](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md) topic. ## Outside Network @@ -140,7 +140,7 @@ detailed information on using the File Allowlist, refer to the File From this section, you can define fallback policies that will apply when outside the network. All of the functionalities are identical to the Standard section. -![Define fallback policies that will apply when outside the network](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidenetwork.webp) +![Define fallback policies that will apply when outside the network](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidenetwork.webp) ## Outside Hours 
@@ -149,4 +149,4 @@ the functionalities are identical to the Standard section. From this section, you can define fallback policies that will apply when outside working hours. All of the functionalities are identical to the Standard section. -![ Define fallback policies that will apply when outside working hours](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidehours.webp) +![ Define fallback policies that will apply when outside working hours](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidehours.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalsettings.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalsettings.md index 4fe4d0492f..7eb00b900a 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalsettings.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/globalsettings.md @@ -9,7 +9,7 @@ From this section, you can apply settings globally to all Endpoint Protector ent **NOTE:** Several settings from this section also relate to other modules apart from the Device Control module (Content Aware Protection, eDiscovery, etc.). -![Apply settings globally to all Netwrix Endpoint Protector entities](../../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/settings/globalsettings.webp) +![Apply settings globally to all Netwrix Endpoint Protector entities](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/settings/globalsettings.webp) ## Client Settings 
@@ -81,7 +81,7 @@ the Client’s behavior for each specific entity (Global, Groups, and Computers Maximum size for the quarantine folder. If the value is reached, new files will overwrite the oldest ones. -![Manage settings that relate directly to the Netwrix Endpoint Protector Client](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clentsettings.webp) +![Manage settings that relate directly to the Netwrix Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clentsettings.webp) - Custom Client Notifications - if enabled, the Client Notifications can be customized. - Mandatory OTP Justification - if enabled, the Justification a User has to provide when requesting or @@ -106,7 +106,7 @@ the Client’s behavior for each specific entity (Global, Groups, and Computers operator for a Report Only Content Aware Protection policy, to no longer be logged. This considerably reduces the number of logs, therefore, optimizing the allocated storage space. -![Manage settings that relate directly to the Netwrix Endpoint Protector Client](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientsettingstwo.webp) +![Manage settings that relate directly to the Netwrix Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientsettingstwo.webp) - Disable Bluetooth File Transfer – if enabled, this setting will block transfers to Bluetooth Devices, without considering if they are paired or not to the endpoint. This only applies to 
@@ -118,7 +118,7 @@ the Client’s behavior for each specific entity (Global, Groups, and Computers **NOTE:** For this setting to work successfully, enable the Minifilter Driver setting. - User Remediation Pop-up – this setting is available when the - [User Remediation](../systemparameters/overview.md#user-remediation) feature is active and enables + [User Remediation](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md#user-remediation) feature is active and enables User Remediation pop-up notifications for end-users. - Enforce User Remediation Pop-up - this setting is available only if the User Remediation Pop-up setting is enabled. When this setting is enabled, end-users cannot disable User Remediation Pop-up 
@@ -135,13 +135,13 @@ the Client’s behavior for each specific entity (Global, Groups, and Computers - Show Authorize section in Endpoint Protector Client – disable this setting to hide the Authorize action from Endpoint Protector Client -![Manage settings that relate directly to the Netwrix Endpoint Protector Client](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientsettingsthree.webp) +![Manage settings that relate directly to the Netwrix Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientsettingsthree.webp) ### Client Mode Select from the drop-down list a client mode to define the Endpoint Protector Client behavior. -![Select from the drop-down list a client mode to define the Endpoint Protector Client behavior.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientmode.webp) +![Select from the drop-down list a client mode to define the Endpoint Protector Client behavior.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientmode.webp) 1. Normal – this is the default and recommended setting to use before being fully aware of what the other modes imply. Normal mode does not apply to Content Aware Protection; all other client @@ -352,7 +352,7 @@ In this section, you can manage the following settings: **NOTE:** Learn more about [Bypass Log Reporting Frequency](#bypass-log-reporting-frequency). -![If enabled, network and browser traffic can be inspected for content](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dpiconfiguration.webp) +![If enabled, network and browser traffic can be inspected for content](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dpiconfiguration.webp) ### Intercept VPN Traffic 
@@ -383,39 +383,39 @@ To use this feature, follow these steps: **Step 5 –** On the pop-up window informing the user that a System Extension is blocked, click **OK** to allow. -![Pop-up window informing the user that a System Extension is blocked](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/systemextensionblocked.webp) +![Pop-up window informing the user that a System Extension is blocked](/img/product_docs/endpointprotector/endpointprotector/install/agent/systemextensionblocked.webp) **Step 6 –** Go to **System Preferences** >**Security and Privacy** > **General**, and then **allow** the Endpoint Protector Client Extension. -![Security and private settings on Mac](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/generaltabios.webp) +![Security and private settings on Mac](/img/product_docs/endpointprotector/endpointprotector/install/agent/generaltabios.webp) **Step 7 –** On the Endpoint Protector Proxy Configuration pop-up window, click **Allow**. -![Proxy Configuration pop-up window](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/proxypop-up.webp) +![Proxy Configuration pop-up window](/img/product_docs/endpointprotector/endpointprotector/install/agent/proxypop-up.webp) **NOTE:** When network extension is successfully enabled, a Client Integrity OK log is generated. **Step 8 –** Go to **System Configuration** > **System Settings** > **Deep Packet Inspection Certificate**, and then download the CA Certificate. -![Downloading a DPI Certificate](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) +![Downloading a DPI Certificate](/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) **Step 9 –** On your macOS, open the **Keychain Access** application and go to **System**. 
-![Keychain Access application settings on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) +![Keychain Access application settings on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) **Step 10 –** Decompress the ClientCerts file. **Step 11 –** Select the **cacert.pem** file and drag and drop it under **System** > **Keychain Access**. -![Configuring Client Certificate on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) +![Configuring Client Certificate on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) **Step 12 –** Double click the **X** from the newly added certificate and select **Always Trust** from the Trust section. -![Keychain Access application settings on MacOs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) +![Keychain Access application settings on MacOs](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) **Step 13 –** **Save** the changes. @@ -426,7 +426,7 @@ improvement provides you with a configuration option to filter out non-relevan in a more accurate log that focuses on true false positives and reduces unnecessary noise saving database storage. -![Enable this setting to address the number of excessive false positives for URL Denylists](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/smartdpi.webp) +![Enable this setting to address the number of excessive false positives for URL Denylists](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/smartdpi.webp) ### Bypass Log Reporting Frequency 
@@ -527,7 +527,7 @@ for recommended settings. - Block Time Machine – if you enable this setting, you will block Time Machine backups on macOS. -![File Tracing and Shadowing Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/filetracingshadowing.webp) +![File Tracing and Shadowing Settings](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/filetracingshadowing.webp) - Metadata Scanning - if you disable this setting, metadata will not be scanned for PDFs, ZIPs, and Office Files DOCX, XLSX, PPTX, DOC, XLX, PPT). @@ -559,7 +559,7 @@ for recommended settings. - Scan Printed Document – select if you want to be notified a threat was restricted on the whole document or on the specific page. -![File Tracing and Shadowing Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/blockprintone.webp) +![File Tracing and Shadowing Settings](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/blockprintone.webp) **CAUTION:** Newer Linux Ubuntu versions have 'snap'-based applications installed by default, affecting Endpoint Protector Client functionality. This may result in missing file-related events in @@ -590,7 +590,7 @@ changes to take effect. **CAUTION:** Upgrading the Endpoint Protector Client with the browser plug-in enabled will require a full computer restart. -![blockprinttwo](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/blockprinttwo.webp) +![blockprinttwo](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/blockprinttwo.webp) Users printing from Google Chrome and Microsoft Edge can utilize content-aware detection by enforcing a Content Aware Policy that includes Printers from the Policy Exit Points section. For 
@@ -630,7 +630,7 @@ users from removing it, follow these steps: - Endpoint Protector Browser Connector ID: nnnaeanocbmnnjjlcfhcbpefmlgbcgoi -![Configuring GPO for Browser Extensions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/grouppolicyeditor.webp) +![Configuring GPO for Browser Extensions](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/grouppolicyeditor.webp) 1. Microsoft Edge @@ -645,7 +645,7 @@ users from removing it, follow these steps: - Endpoint Protector Browser Connector ID: nnnaeanocbmnnjjlcfhcbpefmlgbcgoi -![Configuring GPO for Browser Extensions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/grouppolicyeditortwo.webp) +![Configuring GPO for Browser Extensions](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/grouppolicyeditortwo.webp) **CAUTION:** Make sure to thoroughly test the configuration in a controlled environment to ensure the intended behavior. Always keep endpoint security policies updated and aligned with organizational @@ -680,7 +680,7 @@ do not respond promptly. Linux currently operates without a specific time-out l **NOTE:** This setting only applies to Content Aware Protection policies and does not affect eDiscovery Policies and Max File Size for File Shadows. -![ Tailor Content Aware Protection scanner’s file size settings according to their specific needs. ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/maxfileconfg.webp) +![ Tailor Content Aware Protection scanner’s file size settings according to their specific needs. ](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/maxfileconfg.webp) ## Outside Hours and Outside Network 
@@ -698,10 +698,10 @@ Users, or Computers. **CAUTION:** When triggered, fallback policies supersede the standard device rights. Regarding fallback policies, the Outside Network Policies supersede the Outside Hours Policies. -**NOTE:** For [Content Aware Protection](../contentawareprotection/module.md), the Outside Network +**NOTE:** For [Content Aware Protection](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md), the Outside Network and Outside Hours Policy Type also needs to be selected. -![Manage Outside Network and Outside Hours Policies, for both Device Control and Content Aware modules](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidehoursnetwork.webp) +![Manage Outside Network and Outside Hours Policies, for both Device Control and Content Aware modules](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/outsidehoursnetwork.webp) ## Transfer Limit @@ -711,7 +711,7 @@ the limit is reached, file transfers to storage devices (Device Control) to con is reset. Similarly, file transfers through Network Shares can also be included in the Transfer Limit. -![Set the transfer limit, within a specific time interval (hours)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/transferlimit.webp) +![Set the transfer limit, within a specific time interval (hours)](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/transferlimit.webp) The mechanism that checks when the Transfer Limit is reached has been designed in such a way that it does not impact the performance of the computer. 
@@ -735,7 +735,7 @@ refer to the Offline Temporary Password chapter. You can enable a Transfer Limit Reached Alert and schedule a Transfer Limit Reached Report on a daily, weekly, or monthly basis. -![Enable a Transfer Limit Reached Alert and schedule a Transfer Limit Reached Report on a daily, weekly, or monthly basis](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/transferlimitreached.webp) +![Enable a Transfer Limit Reached Alert and schedule a Transfer Limit Reached Report on a daily, weekly, or monthly basis](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/transferlimitreached.webp) ## Debug Logging @@ -749,7 +749,7 @@ along with sslsplit logs. **NOTE:** We recommend using the Debug level mode as it contains more than error and warning type information. -![Use this feature to collect logs for a specific issue](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debuglogging.webp) +![Use this feature to collect logs for a specific issue](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debuglogging.webp) ### Debug Logging Usage @@ -771,7 +771,7 @@ data**. **NOTE:** Read the [Data Obfuscation Rules](#data-obfuscation-rules) section for more information. -![Used to debug feature and collect logs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debugloggingtwo.webp) +![Used to debug feature and collect logs](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debugloggingtwo.webp) **Step 5 –** Right-click the **Endpoint Protector Client icon** and select **Update Policies Now**. 
@@ -783,7 +783,7 @@ data**. **Step 9 –** Go to the **Global Settings** page and disable **Debug Mode**. -![Netwrix Endpoint Protector Client Debug Mode](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientdebugmode.webp) +![Netwrix Endpoint Protector Client Debug Mode](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/clientdebugmode.webp) Automatic Logging 
@@ -802,29 +802,29 @@ are registered when diagnostic data are received. To view the log actions, go to the **Device Control** module, on the **Computer**s page and click the **Actions** column. -![Debug Logging Actions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debugloggingactions.webp) +![Debug Logging Actions](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/debugloggingactions.webp) - Collect Diagnostics - registers an event when diagnostic data are requested (Artifact requested event) -![Registers an event when diagnostic data are requested](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/collectdiagnostics.webp) +![Registers an event when diagnostic data are requested](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/collectdiagnostics.webp) - Go to Diagnostic data - this option redirects the user to the Reports and Analysis module on the Logs Report page to Artifact received type events with debug mode logs -![Redirects the user to the Reports and Analysis module on the Logs Report page to Artifact received type events with debug mode logs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) +![Redirects the user to the Reports and Analysis module on the Logs Report page to Artifact received type events with debug mode logs](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) - Terminate Client - this option terminates the Endpoint Protector Client -![Terminates the Netwrix Endpoint Protector Client](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/terminateclient.webp) +![Terminates the Netwrix Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/terminateclient.webp) - Forced Restart Computer - this option 
sends a force reboot command to the computer, restarting it in 10 minutes after using the command. The user receives a message warning to avoid losing unsaved documents. -![A message warning to avoid losing unsaved documents](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/forcedrestart.webp) +![A message warning to avoid losing unsaved documents](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/forcedrestart.webp) -![Forced Restart Computer - this option sends a force reboot command to the computer](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/forcedrestarttwo.webp) +![Forced Restart Computer - this option sends a force reboot command to the computer](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/forcedrestarttwo.webp) ### Data Obfuscation Rules 
@@ -841,27 +841,27 @@ Specific use cases: **NOTE:** Data is not obfuscated for the file-type threat, file-size threat, and date threat. -![Data Obfuscation Example](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationone.webp) +![Data Obfuscation Example](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationone.webp) -![Data Obfuscation Example](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationtwo.webp) +![Data Obfuscation Example](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationtwo.webp) -![Data Obfuscation Example](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationthree.webp) +![Data Obfuscation Example](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationthree.webp) -![Data Obfuscation Example](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationfour.webp) +![Data Obfuscation Example](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dataobfuscationfour.webp) ## EasyLock Settings From this section you can allow EasyLock to be installed and run only on computers that have Endpoint Protector installed or in relation to a list of trusted Endpoint Protector Servers. -![Allow EasyLock to be installed](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/easylocksettings.webp) +![Allow EasyLock to be installed](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/easylocksettings.webp) ## Additional Information From this section you can restore global settings to default and view the name and date when the action was performed. 
-![Restore global settings to default and view the name and date when the action was performed](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/additionalinformation.webp) +![Restore global settings to default and view the name and date when the action was performed](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/additionalinformation.webp) ## Display Settings @@ -874,4 +874,4 @@ using filters. **NOTE:** The information you set on this setting will also be applied for eDiscovery. -![Set the maximum number of logs that can be displayed](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/displaysettings.webp) +![Set the maximum number of logs that can be displayed](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/displaysettings.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md index b56e63c862..c3f3588936 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md @@ -15,4 +15,4 @@ This section offers an overview in the form of graphics and charts related to th Entities. You can select the start and end date for the data used in these visual representations from the top-right calendars and view the data in real time. -![Overview in the form of graphics and charts ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dcdashboard.webp) +![Overview in the form of graphics and charts ](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/dcdashboard.webp) 
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/usersandgroups.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/usersandgroups.md index 7136c9edea..9e8886e3ba 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/usersandgroups.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/usersandgroups.md @@ -6,7 +6,7 @@ From this section, you can manage all the users in the system. Users are define are logged on a computer on which the Endpoint Protector Client software is installed. Any new user will be automatically added to the database, thus making them manageable. -![Managing all the users in the system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofusers.webp) +![Managing all the users in the system](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofusers.webp) A user is identified by information like Name (Username, First Name, Last Name), Department, Contact Details (Phone, E-mail), and others and is also automatically assigned to a computer. @@ -16,7 +16,7 @@ information mentioned above. Users can also be imported into Endpoint Protector Directory. For detailed information on Active Directory, refer to the -[Directory Services](../directoryservices/overview.md) chapter. +[Directory Services](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md) chapter. There are two users created by default during the installation process of Endpoint Protector: 
@@ -56,13 +56,13 @@ system will use the next level of rights. All Existing Devices that were added on that level will be deleted when the restore is used. -![ Allows Administrator to specify what Device Types and also what Specific Devices can be accessible](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/userrights.webp) +![ Allows Administrator to specify what Device Types and also what Specific Devices can be accessible](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/userrights.webp) ### User Settings From this section, you can edit the settings for each user. -![You can edit the settings for each user.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupsettings.webp) +![You can edit the settings for each user.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupsettings.webp) Defining custom settings for all users is not necessary since a user is perfectly capable of functioning correctly without any manual settings defined. It will do this by either inheriting the 
@@ -74,14 +74,14 @@ and exist in the system with default values from installation. From this section, you can view the user history by selecting the View User History action. This will display the Logs Report page filtered for the respective user. -![Displays the Logs Report page filtered for the respective user](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) +![Displays the Logs Report page filtered for the respective user](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) ## Groups From this section, you can manage all the groups in the system. Grouping computers and users will help the Administrator manage rights or settings for these entities in a more efficient way. -![Manages the list of groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofgroups.webp) +![Manages the list of groups](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofgroups.webp) A group is identified by information like Name and Description, as well as based on the entities (Computers and Users). @@ -90,7 +90,7 @@ You can manually create a new group at any time by providing the group informati Groups can also be imported into Endpoint Protector from Active Directory. **NOTE:** For detailed information on Active Directory, refer to the -[Directory Services](../directoryservices/overview.md) topic. +[Directory Services](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md) topic. The Actions column offers multiple options related to the group’s management like Edit, Manage Rights, Manage Settings, History, and Delete. 
@@ -115,7 +115,7 @@ section, scroll to the bottom of the page and click **Save**. **NOTE:** By enabling the Smart Group feature, Computers and Users will not be automatically assigned to the Default Group unless you create a Smart Group. -![ Membership can be defined based on element name patterns](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/smartgroups.webp) +![ Membership can be defined based on element name patterns](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/smartgroups.webp) **Step 2 –** Create a Smart Groups from Device Control, Groups section. Click **Create**, provide the following and then click **Save**: @@ -132,7 +132,7 @@ XYZ\*, \*XYZ\*,\*XYZ. **NOTE:** Once created, you can manage the group's priority by drag and drop actions. -![Adding users to smart groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupinformation.webp) +![Adding users to smart groups](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupinformation.webp) **Step 3 –** Synchronize entities to the Smart Groups. 
@@ -148,12 +148,12 @@ assigned to that Group. If the new Computer does not match the rule, it will be added to the Default Group, if Default Groups are enabled from System Configuration, System Settings, and the Smart Groups section. -![Editing Group Information](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupinfoedit.webp) +![Editing Group Information](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupinfoedit.webp) **Step 4 –** Delete a Smart Group from the Actions column or select the group from the list and then click **Delete**. -![Deleting A smart group](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/smartgroupdelete.webp) +![Deleting A smart group](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/smartgroupdelete.webp) Smart Groups have the following limitations: 
@@ -185,18 +185,18 @@ follow these steps: **Step 1 –** Enable Default Groups for Computers and Users from System Configuration > System Settings > on the Smart Groups section, scroll to the bottom of the page and click **Save**. -![Enabling Default Groups for Computers and Users from System Configuration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/enablesmartgroups.webp) +![Enabling Default Groups for Computers and Users from System Configuration](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/enablesmartgroups.webp) **CAUTION:** You are not required to manually create Default Groups – by enabling them, the Default Groups for Users and Computers will be automatically created. -![Manage all the groups in the system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofgroups.webp) +![Manage all the groups in the system](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/listofgroups.webp) **Step 2 –** Synchronize entities to the Default Groups. To assign Computers and Users to the Default Groups, navigate to the Device Control section and locate the Groups section. In the List of Groups section, find the Actions column, select **Edit**, and then click **Sync**. -![Managing information about groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/syncgroupinformation.webp) +![Managing information about groups](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/syncgroupinformation.webp) Default Groups have the following limitations: 
@@ -210,7 +210,7 @@ Default Groups have the following limitations: File Location, Network Share Allowlists, and File Location Denylist can be set for groups of Computers. -![Allowlists on Computer Groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/allowlist.webp) +![Allowlists on Computer Groups](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/allowlist.webp) In the Groups select section, all groups will be displayed. @@ -248,13 +248,13 @@ rights. **NOTE:** All Existing Devices that were added on that level will be deleted when the restore is used. -![Specify what Device Types and also what Specific Devices can be accessible.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) +![Specify what Device Types and also what Specific Devices can be accessible.](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) ### Group Settings From this section, you can edit the settings for each group. -![groupsettings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupsettings.webp) +![groupsettings](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/groupsettings.webp) Computers and users can be grouped to make editing the settings easier and more logical. Defining custom settings for all groups is not necessary since a computer is perfectly capable of functioning diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md index fbb56c850d..f15945f0e8 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/directoryservices/overview.md 
@@ -3,7 +3,7 @@ From this section, you can import and synchronize the entities (Users, Computers, and Groups) from the company’s Active Directories. -![Import and synchronize the entities (Users, Computers, and Groups) from the company’s Active Directories](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/directoryservices.webp) +![Import and synchronize the entities (Users, Computers, and Groups) from the company’s Active Directories](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/directoryservices.webp) ## Microsoft Active Directory @@ -11,7 +11,7 @@ You can create and manage connections from the Directory Services, Microsoft Act section. The required information includes the Connection Type, Server, Port, Username, and Password. -![Manage connections from the Directory Services](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/newconnection.webp) +![Manage connections from the Directory Services](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/newconnection.webp) **NOTE:** When having to import a very large number of entities, we recommend using the Base Search Path to get only the relevant information displayed. Due to browser limitations, importing the whole 
@@ -26,7 +26,7 @@ further edited, to include the required entities. For the defined connections, several synchronization options are available. From this section, the connection credentials and synchronization interval can also be changed. -![Change connection credentials and synchronization interval](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/testsync.webp) +![Change connection credentials and synchronization interval](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/testsync.webp) The Advanced Groups Filter can be used to import and synchronize only specific groups, ignoring all other entities. @@ -35,11 +35,11 @@ From the Directory Browser section, you can select the entities that need to be **NOTE:** You can view only Organizational units (OU) and Groups in the Directory Browser. -![From the Directory Browser section, you can select the entities that need to be synced.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/directorybrowser.webp) +![From the Directory Browser section, you can select the entities that need to be synced.](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/directorybrowser.webp) Once the entities have been selected, they can be saved to sync. -![Synchronization Filters](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/synchfilters.webp) +![Synchronization Filters](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/synchfilters.webp) ## Microsoft Entra ID 
@@ -75,7 +75,7 @@ Follow the steps to create the application on Microsoft Entra ID. **Step 3 –** Click App Registrations from the Manage section on the Active Directory menu on the left side, then on New Registration. -![Create the application on Microsoft Entra ID](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/appregmsentraid.webp) +![Create the application on Microsoft Entra ID](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/appregmsentraid.webp) **Step 4 –** On the Registration page enter your **Name**. @@ -85,7 +85,7 @@ left side, then on New Registration. **Step 6 –** Click **Register**. -![Create the application on Microsoft Entra ID](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/appregmsentraidtwo.webp) +![Create the application on Microsoft Entra ID](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/appregmsentraidtwo.webp) **Step 7 –** On the Essentials section save the following information: @@ -94,7 +94,7 @@ left side, then on New Registration. - Directory (tenant) ID will be needed for adding it in the Tenant ID field on the Endpoint ProtectorEndpoint Protector Server -![Create the Application on Azure Active Directory](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/testapplication.webp) +![Create the Application on Azure Active Directory](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/testapplication.webp) #### Create a Secret ID for the Application 
@@ -103,26 +103,26 @@ API. **Step 1 –** Click **Certificates & Secrets** on the side menu from the Manage section. -![Create a Secret ID for the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecrets.webp) +![Create a Secret ID for the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecrets.webp) **Step 2 –** Click **New client secret** on the Certificates & secrets page. -![Create a Secret ID for the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretestwo.webp) +![Create a Secret ID for the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretestwo.webp) **Step 3 –** Enter a **Description** for the secret ID. -![Create a Secret ID for the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsthree.webp) +![Create a Secret ID for the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsthree.webp) **Step 4 –** Click **Add** and **Add a client** secret section. -![Create a Secret ID for the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfour.webp) +![Create a Secret ID for the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfour.webp) **Step 5 –** Take note of the Secret ID value and make sure to copy it to the clipboard and also to store it safely because it will be needed further on. **NOTE:** Notice that when navigating back, the secret ID will be hidden. 
-![Create a Secret ID for the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfive.webp) +![Create a Secret ID for the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfive.webp) #### Create Users/Groups Using Graph API @@ -130,17 +130,17 @@ Follow the steps to create users/groups using Graph API. **Step 1 –** Click **Home** and then Microsoft Entra ID. -![Create Users/Groups Using Graph API](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfivesix.webp) +![Create Users/Groups Using Graph API](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/certsecretsfivesix.webp) -![Azure Home Page](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azurehome.webp) +![Azure Home Page](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azurehome.webp) **Step 2 –** Click **Add** from the Default Directory| Overview page -![Default Directory| Overview page](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadoverview.webp) +![Default Directory| Overview page](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadoverview.webp) **Step 3 –** Click **Add User**. -![Overview Add User ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/overviewadduser.webp) +![Overview Add User ](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/overviewadduser.webp) - Select **Create User**. - Enter the **Username** and select the **Domain**. 
@@ -149,7 +149,7 @@ Follow the steps to create users/groups using Graph API. - Add the **Department**. - Click **Create**. -![Azure Active Director Create User](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadnewuser.webp) +![Azure Active Director Create User](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadnewuser.webp) **Step 4 –** Repeat Steps 1 and 2, then click **Group**. @@ -158,7 +158,7 @@ Follow the steps to create users/groups using Graph API. - Click **No members selected** to add membership. - Search for the newly created user and click **Select**. -![ Default Directory| New Group](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadnewgroup.webp) +![ Default Directory| New Group](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadnewgroup.webp) #### Add Permissions to the Application 
@@ -172,32 +172,32 @@ Make sure the created application is open then: **Step 1 –** Click **API Permissions**. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionone.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionone.webp) **Step 2 –** Click **Add a Permission**. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissiontwo.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissiontwo.webp) **Step 3 –** Click **Microsoft Graph**. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionthree.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionthree.webp) **Step 4 –** Click **Application Permissions**. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionfour.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionfour.webp) **Step 5 –** Search for the permissions mentioned above and check each of the permissions. 
(Directory.Read.All, Group.Read.All, User.Read.All) -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionfive.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionfive.webp) **Step 6 –** Click **Add Permissions**. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionsix.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionsix.webp) **Step 7 –** Click **Grant admin consent for Default Directory** from the API Permission page. -![Add Permissions to the Application](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionseven.webp) +![Add Permissions to the Application](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadapipermissionseven.webp) #### Add Graph Application to Server @@ -209,7 +209,7 @@ Entra ID**. **Step 2 –** Click **Add** to add an API Consumer – One API Consumer can be used for multiple synchronization jobs. -![Add Graph Application to Endpoint Protector Server](../../../../../../static/img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/outputs/azuread.webp) +![Add Graph Application to Endpoint Protector Server](/img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/outputs/azuread.webp) **Step 3 –** Provide the following details: 
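Review bot: In the @@ -209,7 hunk, the rewritten image for "Add Graph Application to Endpoint Protector Server" still resolves to an Activity Monitor 7.1 asset, `/img/versioned_docs/activitymonitor_7.1/activitymonitor/admin/outputs/azuread.webp`, while the next steps on the same page use `/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadtwo.webp` and `azureadthree.webp`. The path conversion carries the cross-product reference over unchanged, so the screenshot may not show the Endpoint Protector screen, and the link depends on the activitymonitor_7.1 tree staying in place. Please confirm the intended image and point this line at an asset under the endpointprotector directoryservices folder.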
@@ -219,11 +219,11 @@ synchronization jobs. - Application (client) ID saved earlier on the Application (Client) ID field - Secret ID saved earlier in the Client Secret Value field -![Add Graph Application to Endpoint Protector Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadtwo.webp) +![Add Graph Application to Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadtwo.webp) **Step 4 –** Click **Test** and then **Save**. -![Add Graph Application to Endpoint Protector Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadthree.webp) +![Add Graph Application to Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/azureadthree.webp) #### Create a Synchronization Job on the Server @@ -231,7 +231,7 @@ Follow the steps to create a synchronization job on the Endpoint Protector serve **Step 1 –** Click **Create Sync Job**. -![Create a Synchronization Job on the Endpoint Protector Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/createsynchjob.webp) +![Create a Synchronization Job on the Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/createsynchjob.webp) **Step 2 –** Provide Synchronization information: 
@@ -242,7 +242,7 @@ Follow the steps to create a synchronization job on the Endpoint Protector serve **Step 3 –** Click **Save**. -![Create a Synchronization Job on the Endpoint Protector Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/mapon-premisesusers.webp) +![Create a Synchronization Job on the Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/directoryservices/mapon-premisesusers.webp) The **Map on-premises users** switch in the Microsoft Entra ID connector controls how Endpoint Protector retrieves user names in hybrid environments with both a local Active Directory and diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/ediscovery/module.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/ediscovery/module.md index f5abeb90ea..e153a026d8 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/ediscovery/module.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/ediscovery/module.md 
@@ -24,14 +24,14 @@ correctly and that the eDiscovery module was enabled successfully. **CAUTION:** The eDiscovery module is separate from Device Control or Content Aware Protection modules, and requires separate licensing. -![eDiscovery Activation](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/activation.webp) +![eDiscovery Activation](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/activation.webp) ## Dashboard This section offers a quick overview in the form of graphics and charts related to the eDiscovery module. -![A quick overview in the form of graphics and charts related to the eDiscovery module](../../../../../../static/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) +![A quick overview in the form of graphics and charts related to the eDiscovery module](/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) ## eDiscovery Policies and Scans @@ -60,7 +60,7 @@ eDiscovery Automatic Scanning is also available, allowing you to set an Incremen - Weekly – a scan will run every 7 days, from the set date and time - Monthly – a scan will run every 30 days, from the set date and time -![eDiscovery Automatic Scanning](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/automaticscanning.webp) +![eDiscovery Automatic Scanning](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/automaticscanning.webp) An eDiscovery Scan can be stopped at any time as results can also be automatically cleared. This can be done by using: 
@@ -76,12 +76,12 @@ and all the Logs cleared. You can easily create and manage eDiscovery Policies and Scans from the eDiscovery, Policies and Scans section. -![Creating an eDiscovery Policy and Scan](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/policiesscans.webp) +![Creating an eDiscovery Policy and Scan](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/policiesscans.webp) To create a new policy click **Create Custom Policy** and to edit an available policy, double-click it. You need to select a policy to edit, duplicate or delete a policy. -![Creating a new Policy](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpolicy.webp) +![Creating a new Policy](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpolicy.webp) When creating a new policy, select the following: @@ -99,7 +99,7 @@ You can use the following thresholds: You can find more details about Thresholds directly in the Endpoint Protector User Interface. For detailed information on Denylists and Allowlist, refer to the -[Denylists and Allowlists](../denylistsallowlists/overview.md) chapter. +[Denylists and Allowlists](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md) chapter. After the eDiscovery Policy has been created, Scanning Actions can be assigned. These include Start clean scan, Start incremental scan, Stop scan, and Clear logs. 
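Review bot: In the @@ -99,7 hunk, the new link target `/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md` hard-codes the version directory, where the relative `../denylistsallowlists/overview.md` it replaces resolved inside whichever version tree the file sits in. If this directory is copied to create a later release's docs, the link will keep resolving to 5.9.4.2, so a broken-link check would not flag it. Consider keeping intra-version Markdown links relative and limiting the absolute rewrite to `/img/` assets, or confirm that the version cut-over process rewrites these paths.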
@@ -115,21 +115,21 @@ After an eDiscovery Scan starts, you can inspect the items found and apply actio (e.g., delete on target, encrypt on target, decrypt on target, etc.). All results are displayed in the eDiscovery, Scan Results, and Actions section. -![eDiscovery Scan Result and Actions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/scanresults.webp) +![eDiscovery Scan Result and Actions](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/scanresults.webp) You can also access the Scan Results and Actions section directly from eDiscovery > Policies and Scans by selecting a computer from the eDiscovery Scans list and choosing the Inspect found items action. This will automatically filter the Scan Results list and display the items only for that specific computer. -![eDiscovery Scan Result and Actions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/ediscoveryscans.webp) +![eDiscovery Scan Result and Actions](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/ediscoveryscans.webp) ### Viewing Scan Results and Taking Actions From this section, you can manage the scan results. A list of all the computers that were scanned can be viewed and actions such as deleting, encrypting or decrypting files can be taken. -![Viewing Scan Results and Taking Actions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/ediscoveryactions.webp) +![Viewing Scan Results and Taking Actions](/img/product_docs/endpointprotector/endpointprotector/admin/ediscovery/ediscoveryactions.webp) You can apply an action to each item individually or, can select multiple items and apply the action simultaneously by using the Choose action button. 
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md index 65cafcd893..b601bfa7a0 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md @@ -5,7 +5,7 @@ with government-approved 256 bit AES CBC-mode encryption. For USB devices, it ne on the root of the device. With the intuitive Drag & Drop interface, files can be quickly copied to and from the device. -![Enforced Encryption, Formerly known as EasyLock](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/enforcedencryption.webp) +![Enforced Encryption, Formerly known as EasyLock](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/enforcedencryption.webp) Used in combination with Endpoint Protector, Enforced Encryption allows USB storage devices to be identified as Trusted Device™ Level 1. This can ensure that USB Enforced Encryption is used on @@ -31,7 +31,7 @@ decrypted, except for NTFS due to incompatibility with Enforced Encryption. Enforced Encryption is supported for both Mac and Windows computers. -![Enforced Encryption is supported for both Mac and Windows computers](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/deployment.webp) +![Enforced Encryption is supported for both Mac and Windows computers](/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/deployment.webp) Deployment can be done automatically if **Allow Access if Trusted Device™ Level 1+** is selected for the USB Storage Devices. This can be done by going to Device Control, Global Rights section, or 
@@ -58,7 +58,7 @@ Encryption and Trusted Device™ Level 1. This section allows you to remotely manage Enforced Encryption encrypted devices. Before being able to take advantage of these features, you must configure a Master Password. -![Enforced Encryption Settings](../../../../../../static/img/versioned_docs/activitymonitor_7.1/config/dellpowerscale/settings.webp) +![Enforced Encryption Settings](/img/versioned_docs/activitymonitor_7.1/config/dellpowerscale/settings.webp) In the Settings section, the Master Password can be configured, the Enforced Encryption File Tracing enabled, as well as defining the installation and execution of Enforced Encryption only on computers @@ -67,13 +67,13 @@ where the Endpoint Protector Client is present. For both the Master Password and the User Password, complex rules can be enforced. If these are enabled, the password lengths, minimum characters, validity, history, and other settings can be set. -![ Master Password Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/masterpasswordsettings.webp) +![ Master Password Settings](/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/masterpasswordsettings.webp) Endpoint Protector allows tracing of files copied and encrypted on portable devices using Enforced Encryption. This option can be activated from inside the Settings windows located under the Enforced Encryption tab. -![File Tracing Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/filetracing.webp) +![File Tracing Settings](/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/filetracing.webp) By checking the File Tracing option, all data transferred to and from devices using Enforced Encryption is recorded and logged for later auditing. The logged information is automatically sent 
@@ -105,7 +105,7 @@ Manage Client Action a list of Actions History is displayed, as well as the opti sending a message, changing the user’s password, resetting the device, resending the master password, and more. -![Enforced Encryption Clients](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/clientslist.webp) +![Enforced Encryption Clients](/img/product_docs/endpointprotector/endpointprotector/admin/enforcedencryption/clientslist.webp) ### Trusted Device™ diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/offlinetemporarypassword/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/offlinetemporarypassword/overview.md index 1a5e144a4c..da089bc95c 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/offlinetemporarypassword/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/offlinetemporarypassword/overview.md @@ -61,7 +61,7 @@ Server-Client communication before the Transfer Limit Reset Time Interval has ex Depending on the options selected from the drop-down menus, the Offline Temporary Password (or OTP) can be generated for an exact device, all devices, or all file transfers. -![Generating the Offline Temporary Password](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/offlinetemporarypassword/offlinetemporarypassword.webp) +![Generating the Offline Temporary Password](/img/product_docs/endpointprotector/endpointprotector/admin/offlinetemporarypassword/offlinetemporarypassword.webp) When generating an Offline Temporary Password for a Device, you can either introduce the Device Code communicated by the user or search the Endpoint Protector database for an existing device. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/reportsanalysis/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/reportsanalysis/overview.md index 52ee9c2a73..ca06fd5335 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/reportsanalysis/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/reportsanalysis/overview.md @@ -15,7 +15,7 @@ From this section, you can view, sort, and export the main logs in the system. T event types such as User Login, User Logout, AD Import, AD Synchronization, Uninstall Attempt, etc., included in this section. Additionally, the main Device Control logs can be viewed in this section. -![Logs Report Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) +![Logs Report Settings](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/logsreport.webp) **NOTE:** Use the Filters option to view and sort different log types and then export the result list. @@ -32,7 +32,7 @@ coming from changing the file content is ensured. You can export the search results (as an Excel, PDF, or CSV) or Create and Export containing the entire log report as a .CSV file. -![File Tracing Reports](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/filetracingreports.webp) +![File Tracing Reports](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/filetracingreports.webp) ### File Tracing Events by Direction @@ -78,7 +78,7 @@ Legend: From this section, you can view Content Aware Logs in the system and detect data incidents corresponding to the Content Aware Policies applied. -![Content Aware Reports](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capreports.webp) +![Content Aware Reports](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capreports.webp) When using the latestEndpoint Protector client, you can view log details structured per file scanned. 
@@ -92,17 +92,17 @@ following information: - Matched type – the Policy Denylist type selected - Matched items – click the link to view a pop-up window with the list of matched items -![A pop-up window with the list of matched items](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capmatcheditems.webp) +![A pop-up window with the list of matched items](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capmatcheditems.webp) - Count – the number of matched items -![Count – the number of matched items](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/matcheditemscount.webp) +![Count – the number of matched items](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/matcheditemscount.webp) From the Filters section, check the **Include old logs prior to 5.7** upgrade option from the filter section to include all logs in your searches. If the option is not selected, the filters will apply only to the new structure of logs. -![Content Aware Protection Filters](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capfilters.webp) +![Content Aware Protection Filters](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/capfilters.webp) For Mac users, when the Deep Packet Inspection feature is enabled on the Endpoint Protector agent for Mac, there might be certain scenarios where the agent does not provide full destination details 
@@ -122,27 +122,27 @@ report as a CSV or XLSX file. Excel/PDF/CSV – situated above the Content Aware Reports list, this will export only the default columns -![Export Content Aware Reports](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/exportreports.webp) +![Export Content Aware Reports](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/exportreports.webp) Create Export – situated below the Content Aware Reports list, this will create an export containing all data, including the expanded Logs Details section with columns Policy Type, Policy Name, Item type, Matched type, Matched items and Count. -![Creating Export ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/createexport.webp) +![Creating Export ](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/createexport.webp) After the message that is displayed that A new export has been made and is available on Export List, click View Export List to open the list of Reports, where you can download or delete a report. -![Viewing Export List ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/viewexportlist.webp) +![Viewing Export List ](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/viewexportlist.webp) -![Export List Results ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/exportlistresults.webp) +![Export List Results ](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/exportlistresults.webp) ## Admin Actions This section offers an overview of every important action performed in the interface. From the Action column, you can view additional information. 
-![ An overview of every important action performed in the interface](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/adminactions.webp) +![ An overview of every important action performed in the interface](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/adminactions.webp) ## Online Computers @@ -150,21 +150,21 @@ This section offers an overview of computers registered on the system which have connection with the server. If the Refresh Interval for computer X is 1 minute, then computer X was communicating with the server in the last 1 minute. -![Overview of computers registered on the system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlinecomputers.webp) +![Overview of computers registered on the system](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlinecomputers.webp) ## Online Users This section offers an overview of users registered on the system which have an established connection with the server. -![An overview of users registered on the system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlineusers.webp) +![An overview of users registered on the system](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlineusers.webp) ## Online Devices This section provides an overview of devices registered on the system which have an established connection with the server. -![An overview of devices registered on the system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlinedevices.webp) +![An overview of devices registered on the system](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/onlinedevices.webp) ## Statistics 
@@ -172,4 +172,4 @@ The Statistics module lets you view system activity related to data traffic and The integrated filter makes generating reports quick and easy; simply select the field of interest and click **Apply Filter**. -![View system activity regarding data traffic and device connections](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/statistics.webp) +![View system activity regarding data traffic and device connections](/img/product_docs/endpointprotector/endpointprotector/admin/reportsanalysis/statistics.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/serverlogin.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/serverlogin.md index 04f47080ef..9cb41ace5f 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/serverlogin.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/serverlogin.md @@ -15,7 +15,7 @@ password. If you are logging in for the first time, use the default credentials: **NOTE:** Please ensure to update your login credentials after the first login to enhance security. -![ Input your assigned username and password to log in to the Server](../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/serverlogin.webp) +![ Input your assigned username and password to log in to the Server](/img/product_docs/endpointprotector/endpointprotector/admin/serverlogin.webp) Upon successful log in, the **Dashboard** > **General Dashboard** window will be displayed (see below image). This window is intended to provide a high-level overview of endpoints under management 
@@ -25,7 +25,7 @@ Your available modules are displayed in the left-side navigation pane. These can further manage module-specific policies. Ultimately, policies define the actions allowed / disallowed on the endpoint. -![High-level overview of endpoints under management as well as activity](../../../../../static/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) +![High-level overview of endpoints under management as well as activity](/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/dashboard.webp) Before deploying any agents, each module’s policy should be reviewed. If agents have already been delivered to systems, a review of the configuration(s) can be accomplished by verifying active diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/support/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/support/overview.md index 318dadf38b..82deb37bcf 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/support/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/support/overview.md @@ -8,4 +8,4 @@ You can contact our technical support team by submitting a ticket through the [Netwrix Customer Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). A team member will respond to your inquiry as soon as possible. -![Support Details](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/support/support.webp) +![Support Details](/img/product_docs/endpointprotector/endpointprotector/admin/support/support.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/adminandaccess.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/adminandaccess.md index 11957a6e26..2c499495a9 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/adminandaccess.md 
+++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/adminandaccess.md @@ -9,7 +9,7 @@ access control and system security. From this section you can view, create, manage and delete administrators. -![System Administrators](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientuninstall.webp) +![System Administrators](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientuninstall.webp) To create a new Administrator, under the table with existing administrators, click Create and then provide the following information: @@ -50,7 +50,7 @@ Super Administrator Details - Managed Departments – assign the Administrator to one or more departments - Managed Administrators Groups – assign the Administrator to one or more Administrators Group -![Super Administrator Details](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/superadministratordetails.webp) +![Super Administrator Details](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/superadministratordetails.webp) ## Administrator Types @@ -124,7 +124,7 @@ Configuration, Systems Administrators section, on the Managed Administrators Gr **NOTE:** The Support section will always be available in Endpoint Protector regardless of the role you assign to the Administrator Group. -![Administrators Groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/administratorsgroups.webp) +![Administrators Groups](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/administratorsgroups.webp) ### User Role Matrix 
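Review bot: In the @@ -9,7 hunk of adminandaccess.md, the image captioned "System Administrators" points at `/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientuninstall.webp`, a file name that does not match the section it illustrates. The removed line shows the same file name, so the mismatch predates this change, but since the line is being rewritten anyway, please verify that the screenshot shows the administrators table and either swap in the correct asset or rename the file in a follow-up.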
@@ -133,7 +133,7 @@ Administrators have based on their role. This matrix ensures that users only hav features they need to fulfill their duties, boosting security and lowering the chance of unintentional changes or data breaches. -![User Role Matrix](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/userrolematrix.webp) +![User Role Matrix](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/userrolematrix.webp) Within the Endpoint Protector, there are several different user roles, each with their own set of permissions. The Super Administrator role is the most powerful and has access to all features, @@ -150,13 +150,13 @@ temporary code generated via the Google Authenticator app. With the Two Factor A once the user creation or edit is saved, the administrator will be redirected to a verification screen. -![Two Factor Authentication](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/twofactorauthentication.webp) +![Two Factor Authentication](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/twofactorauthentication.webp) The Google Authenticator app will ask you to register using a unique code or QR Code. Following the registration process, your account will be added to the list with a validity timer for the unique code that will be used for the second authentication factor. -![Google Authenticator app](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/googleauthenticator.webp) +![Google Authenticator app](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/googleauthenticator.webp) ## System Departments 
@@ -173,14 +173,14 @@ can be created, allowing each Normal Administrators to only manage their own ent **CAUTION:** This functionality should not be confused with Groups of computers and users, nor with administrators’ roles. -![System Departments](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemdepartments.webp) +![System Departments](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemdepartments.webp) To create a new department click Create and then provide a name, description and unique code. **NOTE:** If you provide a wrong department code or none at all, the department code is considered invalid and that computer will be assigned to the default department (defdep). -![Create a new department click Create and then provide a name, description and unique code](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/newdepartment.webp) +![Create a new department click Create and then provide a name, description and unique code](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/newdepartment.webp) In terms of terminology, a similarity between Endpoint Protector and Active Directory (or any other Director Service software) would make the Department equivalent to an Organization Unit. Of course, diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md index 5b5a6a17a8..cc51356a57 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md 
@@ -35,7 +35,7 @@ Use the following commands: **NOTE:** Contact Customer Support to provide the tool as well as assistance. -![Download and install the Endpoint Protector Client corresponding to your operating system](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientsoftware.webp) +![Download and install the Endpoint Protector Client corresponding to your operating system](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientsoftware.webp) **NOTE:** Endpoint Protector Client versions are displayed in the format X.X.X.XXXX on endpoints. This version will be saved in the Endpoint Protector Server database, although the web console will @@ -138,7 +138,7 @@ eppsslsplit.log will be deleted from private/var/log. **CAUTION:** The feature is not compatible for Endpoint Protector instances that are running on 32-bit versions of Windows. -![Client Software Upgrade](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientsoftwareupgrade.webp) +![Client Software Upgrade](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientsoftwareupgrade.webp) **NOTE:** Endpoint Protector Client versions are displayed in the format X.X.X.XXXX on endpoints. This version will be saved in the Endpoint Protector Server database, although the web console will 
@@ -153,7 +153,7 @@ steps: **Step 1 –** Select the OS version from the drop-down list and then click **Next**. -![Create New Upgrade Job](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/createnewupgradejob.webp) +![Create New Upgrade Job](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/createnewupgradejob.webp) **Step 2 –** Select the groups and/or computers to perform or exclude from the upgrade and then click **Next**. You will view a summary of your selection above the table with endpoints. @@ -163,7 +163,7 @@ you selected a group that has an endpoint using a different operating system, it upgraded. If you selected a mixed group, with both computers and users, only the computers will be upgraded. -![Select the groups and/or computers to perform or exclude from the upgrade](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/selectendpointsupgrade.webp) +![Select the groups and/or computers to perform or exclude from the upgrade](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/selectendpointsupgrade.webp) **Step 3 –** Edit the default job title, add a description and confirm the upgrade job details by clicking **Start Upgrade job**. You will view the upgrade as an entry on the Upgrade jobs section. 
@@ -172,7 +172,7 @@ clicking **Start Upgrade job**. You will view the upgrade as an entry on the Upg Running every 5 minutes, the cron sets the upgrade process status to Pending and every 15 minutes checks and updates process status to Completed or Completed with failures. -![Edit the default job title, add a description and confirm the upgrade job details](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/upgradejobdetails.webp) +![Edit the default job title, add a description and confirm the upgrade job details](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/upgradejobdetails.webp) ### Manage Upgrade Jobs @@ -185,7 +185,7 @@ column. **NOTE:** If you deleted or archived a Client Upgrade job, then the endpoints become available for selection in other jobs. -![Manage Upgrade Jobs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/manageupgradejobs.webp) +![Manage Upgrade Jobs](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/manageupgradejobs.webp) ## Client Uninstall @@ -199,7 +199,7 @@ performed. The uninstall command can be canceled if it was not already executed. -![Client Uninstall](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientuninstall.webp) +![Client Uninstall](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientuninstall.webp) **NOTE:** If the server and Endpoint Protector client can't communicate due to missing server certification validation (when the certification validation setting is enabled), uninstall commands diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/singlesignon.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/singlesignon.md index 8d6619ea56..bdf3deb991 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/singlesignon.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/singlesignon.md @@ -4,7 +4,7 @@ Single Sign On (SSO) allows you to log in the Endpoint Protector Server with Azu integration simplifies authentication, enhancing security and user convenience by enabling access with existing organizational credentials. -![Allows you to log in the Endpoint Protector Server with Azure AD and OKTA](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/singlesignonpage.webp) +![Allows you to log in the Endpoint Protector Server with Azure AD and OKTA](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/singlesignonpage.webp) The Single Sign On section includes the following: diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssoazuread.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssoazuread.md index c0898a6319..99d7d48cc1 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssoazuread.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssoazuread.md 
@@ -18,7 +18,7 @@ steps below to activate Single Sign-On with Azure AD. **Step 2 –** Upon the activation, select a **Failover Login User** from the drop-down; root user will be selected by default. -![Single Sign On Configuration with Microsoft Entra ID ](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssomicrosoftentraid.webp) +![Single Sign On Configuration with Microsoft Entra ID ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssomicrosoftentraid.webp) After the above steps have been completed, a Single Sign On subsection is displayed in the System Configuration section. @@ -28,7 +28,7 @@ while it is selected. Single Sign On cannot be activated without a Failover Logi **Step 3 –** Select the **Provider** to view Single Sign On subsections. -![Single Sign On Configuration with Microsoft Entra ID](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssomicrosoftentraidtwo.webp) +![Single Sign On Configuration with Microsoft Entra ID](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssomicrosoftentraidtwo.webp) **Step 4 –** Navigate to portal.azure.com and login. 
@@ -36,32 +36,32 @@ while it is selected. Single Sign On cannot be activated without a Failover Logi **Step 6 –** Create a **New Enterprise Application**: -![Microsoft Entra ID](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidenterpriseapplication.webp) +![Microsoft Entra ID](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidenterpriseapplication.webp) - Click **Create your own application** to add an new application. -![Create Your Own Application](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidcreateapplication.webp) +![Create Your Own Application](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidcreateapplication.webp) - Give the application a name. - Select **Integrate any other application you don’t find in the gallery**. - Click **Create**. -![Integrate any other application you don’t find in the gallery](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidintergrateapplication.webp) +![Integrate any other application you don’t find in the gallery](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidintergrateapplication.webp) **Step 7 –** From the left-hand menu Navigate to Single sign-on and then select the **SAML** method. 
-![Entra ID Single Sign On](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidsso.webp) +![Entra ID Single Sign On](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidsso.webp) **Step 8 –** To edit Basic SAML Configuration, open the Single Sign On page from the Endpoint Protector Server and copy/paste the data from the Single Sign On page on the **Basic SAML Configuration** page. -![Entra ID SAML](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidsaml.webp) +![Entra ID SAML](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidsaml.webp) **Step 9 –** On the Basic SAML Configuration page, delete the data that is by default completed for Identifier (Entity Edit). -![Basic SAML Configuration page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconf.webp) +![Basic SAML Configuration page](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconf.webp) **Step 10 –** From the Single Sign On page on the Endpoint Protector Server: 
@@ -69,38 +69,38 @@ Identifier (Entity Edit). (Entity ID) and Reply URL (Assertion Consumer Service URL) fields on the Basic SAML Configuration page in Microsoft Azure. Finally, set it as Default. -![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconftwo.webp) +![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconftwo.webp) - Copy the Login URL from the Single Sign-On and paste it into the Sign-On URL field on the Basic SAML Configuration page in Microsoft Azure. -![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconfthree.webp) +![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconfthree.webp) - Copy the Logout URL from the Single Sign-On and paste it into the Logout URL field on the Basic SAML Configuration page in Microsoft Azure. -![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconffour.webp) +![On the Endpoint Protector Server Copy the data from Endpoint Protector Service Provider](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidbasicsamlconffour.webp) **Step 11 –** Click **Save** to save the settings without testing Single Sign On yet. 
**Step 12 –** Navigate to Step 3 on the SAML Signing Certificate page and click **Edit**. -![Edit SAML Signing Certificate](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/editsamlsigningcert.webp) +![Edit SAML Signing Certificate](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/editsamlsigningcert.webp) **Step 13 –** Change the Signing Algorithm to SHA-1 and click **Save**. -![Edit SAML Signing Certificate](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/editsamlsigningcerttwo.webp) +![Edit SAML Signing Certificate](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/editsamlsigningcerttwo.webp) **Step 14 –** In Step 3 of the SAML Signing Certificate, download the **Certificate (Base64)**. -![Download Certificate (Base64).](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidownloadcert.webp) +![Download Certificate (Base64).](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidownloadcert.webp) **Step 15 –** Open the downloaded certificate with a text editor and copy the content inside it. **Step 16 –** Paste the content into the **Security Certificate** field under the Single Sign-On section in the System Configuration of the Endpoint Protector Server. 
-![Open the downloaded certificate with a text editor and copy the content inside it](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/pastesecuritycert.webp) +![Open the downloaded certificate with a text editor and copy the content inside it](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/pastesecuritycert.webp) **Step 17 –** Return to the Azure **SAML-based Sign-On** page, proceed to Step 4 ("Set up your application"), and copy the Azure AD Identifier. @@ -108,7 +108,7 @@ application"), and copy the Azure AD Identifier. **Step 18 –** Navigate to the Endpoint Protector Server **System Configuration > Single Sign On > Identity Provider, Azure AD Identifier** and paste the data from the previous step. -![Microsoft Entra ID Identifier](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidindetifier.webp) +![Microsoft Entra ID Identifier](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidindetifier.webp) **Step 19 –** Return to Azure SAML-based Sign On page and reach Step 4, Set up “your application” and copy Login URL. 
@@ -116,31 +116,31 @@ and copy Login URL. **Step 20 –** Switch to the Endpoint Protector Server, **System Configuration** > **Single Sign On** > **Identity Provider** > Login URL and paste the data from the previous step. -![ Login URL](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidloginurl.webp) +![ Login URL](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidloginurl.webp) -![Logout URL](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidlogouturl.webp) +![Logout URL](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidlogouturl.webp) **Step 21 –** Generate the Failover Login URL from Endpoint Protector Server **System Configuration** > **Single Sign-On** > **Failover Login URL** and **Save** it. -![Failover Login URL](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/failoverloginurl.webp) +![Failover Login URL](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/failoverloginurl.webp) **Step 22 –** **Save** the settings on the Single Sign On page from the Endpoint Protector Server. **Step 23 –** Switch to Azure, Select **Users and groups** from the left menu. -![Users and groups](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroups.webp) +![Users and groups](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroups.webp) **Step 24 –** Go to **Add user/group** > **none Selected**, search for the Azure User, then **Select**, and **Assign**. 
-![Add user/group](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidaddusergroup.webp) +![Add user/group](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidaddusergroup.webp) -![Add user/group](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupstwo.webp) +![Add user/group](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupstwo.webp) -![Add user/group](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupsthree.webp) +![Add user/group](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupsthree.webp) -![Add user/group](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupsfour.webp) +![Add user/group](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/entraidusergroupsfour.webp) **Step 25 –** The user is assigned to the application, and logging into Endpoint Protector with Azure is now possible. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.md index de1e755a47..5eeeb1eea5 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.md 
@@ -18,71 +18,71 @@ between your server and Okta. Follow the steps below to ensure a successful setu Settings** > **Single Sign-On**. Once activated, select a Failover Login User from the drop-down menu. The Root user is selected by default. -![Single Sign On Configuration with OKTA](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.webp) +![Single Sign On Configuration with OKTA](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssookta.webp) After completing the above steps, a Single Sign-On subsection will appear in the System Configuration section. **Step 2 –** Select the **Provider** in order for Single Sign On subsection to be displayed. -![ssoprovider](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoprovider.webp) +![ssoprovider](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoprovider.webp) **Step 3 –** Go to yourcompany.okta.com, select **Applications**, and then click **Create App Integration**. -![Create App Integration.](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaapplications.webp) +![Create App Integration.](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaapplications.webp) **Step 4 –** On the next screen, select **SAML 2.0** and click **Next**. -![Create App Integration](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktanewappintergration.webp) +![Create App Integration](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktanewappintergration.webp) **Step 5 –** Set a **Name** for the Application and click **Next**. 
-![Create SAML Intergration](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktacreatesamlintergration.webp) +![Create SAML Intergration](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktacreatesamlintergration.webp) **Step 6 –** Open the **Configure SAML** tab. **Step 7 –** Go to your Endpoint Protector **Server**, **System Configuration**, Single Sign On. -![Endpoint Protector Server Single Sign On coffiguration ](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoconfiguration.webp) +![Endpoint Protector Server Single Sign On coffiguration ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoconfiguration.webp) **Step 8 –** Copy the information from: - Audience URI (SP Entity ID) and paste it on the field with the same name from OKTA, Configure SAML. - Login URL OKTA and paste it on the field Single sign on URL from OKTA page, Configure SAML. -![Copy Audience URI (SP Entity ID) and paste it on the field with the same name from OKTA, Configure SAML](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/audienceuriokta.webp) +![Copy Audience URI (SP Entity ID) and paste it on the field with the same name from OKTA, Configure SAML](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/audienceuriokta.webp) **Step 9 –** On the OKTA page, click **Show Advanced Settings**. 
-![Show Advanced Setting](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaadvancedsetting.webp) +![Show Advanced Setting](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaadvancedsetting.webp) **Step 10 –** Edit the following fields: - Signature Algorithm, select **RSA-SHA1** - Digest Algorithm, select **SHA1** -![Edit Signature Algorithm](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaeditsignaturealgorithm.webp) +![Edit Signature Algorithm](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaeditsignaturealgorithm.webp) **Step 11 –** Hide Advanced Settings and click **Next**. **Step 12 –** At step 3, select an answer for each question and click **Finish**. -![Select an answer for each question](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktacreatesamlintergrationtwo.webp) +![Select an answer for each question](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktacreatesamlintergrationtwo.webp) **Step 13 –** Navigate to **Applications**, select the Endpoint Protector application, go to Assignments, and assign people to the application. -![Assign Application to People](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaassignapplication.webp) +![Assign Application to People](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaassignapplication.webp) **Step 14 –** After assigning the accounts, click **Done**. 
-![Assign Application to People](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaassignapplicationtwo.webp) +![Assign Application to People](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaassignapplicationtwo.webp) **Step 15 –** Navigate to Applications, open the created app and click **Sign On**, **View Setup Instructions**. -![View Setup Instructions](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaviewsetupinstructions.webp) +![View Setup Instructions](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/oktaviewsetupinstructions.webp) **Step 16 –** From the new opened section, copy the needed information and paste it on your Endpoint Protector Server: @@ -94,7 +94,7 @@ Protector Server: - X.509 Certificate to Endpoint Protector Server, System configuration, Single Sign On, X.509 Certificate -![Copy the needed information and paste it on your Endpoint Protector Server](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoconfigurationtwo.webp) +![Copy the needed information and paste it on your Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon/ssoconfigurationtwo.webp) **Step 17 –** **Save** the settings on your Endpoint Protector Server and click **Test** to confirm configuration settings are correct. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemlicensing.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemlicensing.md index 06ba296b12..9bf176d9ee 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemlicensing.md 
+++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemlicensing.md @@ -5,7 +5,7 @@ for Modules, such as Content Aware Protection and eDiscovery, as well as Endpoin you protect. You can import licenses, view details, and handle free trials, ensuring efficient and flexible license management. -![System Licensing](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemlicensing.webp) +![System Licensing](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemlicensing.webp) **NOTE:** As of Endpoint Protector Version 5.9.0.0, a new subscription-based licensing system has been introduced. This change removes the licensing restrictions on Premium features, granting @@ -44,7 +44,7 @@ Click **Import Licenses** to allow browsing for the license file. It contains a information in a single file (modules, number of endpoints, expiry date, type of Support, etc.). Click **View Licenses** to allow the management of the endpoint licenses. -![Import and Manage Licenses](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/importmanagelicenses.webp) +![Import and Manage Licenses](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/importmanagelicenses.webp) If one or more licensed endpoints become inactive and need to be reassigned, you can release those licenses, which will automatically be reassigned to other online computers. 
@@ -53,7 +53,7 @@ By using the Automatic Release Licenses functionality, licenses will be released endpoints that have not been seen online in a specific number of days (15 days, 30 days, 90 days, etc. or a custom value). -![Automatic Release Licenses ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/autoreleaselicenses.webp) +![Automatic Release Licenses ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/autoreleaselicenses.webp) To streamline license management within System Configuration, navigate to **System Licensing** and discover the Serial Number field under the **View Licenses** section. In the licensing table, you @@ -65,4 +65,4 @@ by MachineUUIDs. **NOTE:** If a computer's Serial Number is absent, it will be substituted with MachineUUID to ensure endpoint machine reliability, now featuring in the license page column across all OS platforms. -![Licensing Table](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/licensingtable.webp) +![Licensing Table](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/licensingtable.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsecurity.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsecurity.md index 166c304d4c..95c351f185 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsecurity.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsecurity.md 
@@ -5,7 +5,7 @@ passwords, restricted access to sensitive information (limited to super administ protection, and enforcement of password security for all administrators at the next login. Additionally, you can set password expiration policies. -![System Security Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemsecurity.webp) +![System Security Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/systemsecurity.webp) ## Security Password for Uninstall Protection 
@@ -15,18 +15,18 @@ Protector Client uninstall action. **NOTE:** At the top of the page, you will view a message informing you if a password is set for this action. -![Security Password for Uninstall Protection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/uninstallprotectionone.webp) +![Security Password for Uninstall Protection](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/uninstallprotectionone.webp) Define the security password for uninstall protection in the Password box. -![Security Password for Uninstall Protection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/uninstallprotectiontwo.webp) +![Security Password for Uninstall Protection](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/uninstallprotectiontwo.webp) ## Data Security Privileges From this section, you can allow access to sensitive data only to super administrators by selecting the **Restrict Sensitive Data Access only to super administrators** checkbox. -![Data Security Privileges](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/datasecurityprivileges.webp) +![Data Security Privileges](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/datasecurityprivileges.webp) ## Additional Security Password for Sensitive Data Protection 
@@ -35,12 +35,12 @@ From this section, you can set a password for sensitive data to provide addition **NOTE:** At the top of the page, you will view a message informing you if a password is set for this action. -![Additional Security Password for Sensitive Data Protection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/passwordsensitivedataprotectionone.webp) +![Additional Security Password for Sensitive Data Protection](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/passwordsensitivedataprotectionone.webp) Reset the security password for sensitive data protection password by filling in the current password and then the new password. -![Additional Security Password for Sensitive Data Protection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/passwordsensitivedataprotectiontwo.webp) +![Additional Security Password for Sensitive Data Protection](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/passwordsensitivedataprotectiontwo.webp) ## Backend Console Setup Password @@ -49,7 +49,7 @@ the Backend Console. To activate this safeguard, navigate to Security Configura Security, and enable Backend Console Setup Password under the Backend Console Setup section. Save your changes to add an extra layer of security, for a more secure and controlled environment. -![Backend Console Setup Password](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/backendconsolesetuppassword.webp) +![Backend Console Setup Password](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/backendconsolesetuppassword.webp) **CAUTION:** This feature is designed for Ubuntu 22. With backend password settings enabled and applied: 
@@ -81,7 +81,7 @@ If enabled, only complex passwords can be defined, complying with the below rul priority over Advanced User Password Settings as this setting also applies to non-admin, such as Reporter, Read-only users, etc. -![Security Password for System Administrator](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/securitypasswordsystemadministrator.webp) +![Security Password for System Administrator](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/securitypasswordsystemadministrator.webp) ## Advanced User Password Settings @@ -106,4 +106,4 @@ section. **CAUTION:** After you provide all information for the Advanced User Password Settings section, all users are required to change their passwords at the next login, not only admins. -![Advanced User Password Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/advanceduserpasswordsettings.webp) +![Advanced User Password Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/advanceduserpasswordsettings.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsettings.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsettings.md index 005bef7814..7ad096463a 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsettings.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/systemsettings.md 
@@ -12,7 +12,7 @@ Default Department code - defdep. **NOTE:** See the System Settings topic for additional information. -![Department Usage](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/departmentusage.webp) +![Department Usage](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/departmentusage.webp) ## Session Settings @@ -27,21 +27,21 @@ Example: If you define the Session Timeout to 5 minutes and the Timeout counter after 4 minutes of inactivity you will be notified by the pop-up window that in 60 seconds you will be logged out. -![Session Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/sessionsettings.webp) +![Session Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/sessionsettings.webp) If you remain idle for the defined amount of time, then Endpoint Protector stops responding and displays a message that indicates the session will expire in the predefined countdown. You can choose to log out or continue your session, resetting the session timeout interval. -![Session timeout interval](../../../../../../static/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) +![Session timeout interval](/img/versioned_docs/privilegesecure_4.1/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) ## Endpoint Protector Rights Functionality Set functionality rights for computer, user, or both, in which case you can prioritize user rights or computer rights. -![Endpoint Protector Rights Functionality](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/rightsfunctionality.webp) +![Endpoint Protector Rights Functionality](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/rightsfunctionality.webp) ## Smart Groups 
@@ -63,7 +63,7 @@ pattern. **NOTE:** By disabling this setting, you will delete the Default Group for Users. -![Smart Groups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/smartgroups.webp) +![Smart Groups](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/smartgroups.webp) ## Client Update Mechanism @@ -77,7 +77,7 @@ and port. **NOTE:** Note: Ensure that your specified hostname and port settings comply with your network policies and any security requirements. -![Client Update Mechanism](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientupdatemechanism.webp) +![Client Update Mechanism](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/clientupdatemechanism.webp) ## Custom Settings @@ -89,7 +89,7 @@ To display more information in Endpoint Protector, enable the following: - MAC Address Priority - Show Universal Offline Temporary Password only to Super Admins -![Custom Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/customsettings.webp) +![Custom Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/customsettings.webp) ## Log Settings @@ -116,7 +116,7 @@ The structure enabled by this setting will also be reflected in SIEM. **NOTE:** You can set a number of reported threats between 100 and 1000. -![Log Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/logsettings.webp) +![Log Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/logsettings.webp) ### Log Settings Use Case and Terminology 
@@ -168,7 +168,7 @@ The maximum number of reported threats will be automatically modified as follow | | | | | | -![Content Aware Protection – Ignore Thresholds ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/capignorethresholds.webp) +![Content Aware Protection – Ignore Thresholds ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/capignorethresholds.webp) Limit Reporting Content Aware Protection refers to Report Only policies. @@ -369,14 +369,14 @@ reported threats’ under ‘Ignore Thresholds’ is reached. Enable the Virtual Desktop Clones Support setting to allow the Endpoint Protector server to identify the virtual desktop clone and interact accordingly with the Endpoint Protector client. -![Virtual Desktop Clones](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/virtualdesktopclones.webp) +![Virtual Desktop Clones](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/virtualdesktopclones.webp) ## Deep Packet Inspection Certificate Disable the Deep Packet Inspection certificate download to require the Endpoint Protector clients to use the legacy certificate. You can also download the **Client CA Certificate**. -![Deep Packet Inspection Certificate ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/dpinspectioncert.webp) +![Deep Packet Inspection Certificate ](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/dpinspectioncert.webp) ## Server Certificate Stack 
@@ -404,16 +404,16 @@ as to Linux systems. **CAUTION:** Do not use this setting if no instance of macOS 12.0 (or higher) is registered on the Endpoint Protector server. -![Server Certificate Stack](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/servercertstack.webp) +![Server Certificate Stack](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/servercertstack.webp) ## Single Sign On Enable the Single Sign On Login setting to log into Endpoint Protector and then select a **Failover Login User** to use when single sign on is not functional. -![Single Sign On](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon.webp) +![Single Sign On](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/singlesignon.webp) -**NOTE:** See the [Single Sign On](singlesignon/singlesignon.md) topic for additional information. +**NOTE:** See the [Single Sign On](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/singlesignon/singlesignon.md) topic for additional information. ## Active Directory Authentication 
@@ -444,11 +444,11 @@ part of this AD group will be synced and imported as Super Administrators for En Any additional administrators (with different access control levels) can be created manually from the System Administrators section. -![Active Directory Authentication](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/activedirectoryauthentication.webp) +![Active Directory Authentication](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/activedirectoryauthentication.webp) ## E-mail Server Settings -![E-mail Server Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettings.webp) +![E-mail Server Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettings.webp) Manage Email server settings based on the email type you use - native or SMTP. @@ -456,9 +456,9 @@ Manage Email server settings based on the email type you use - native or SMTP. Manage email server settings based on your email type—native or SMTP, with support for TLS 1.3. -![E-mail Server Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettingstwo.webp) +![E-mail Server Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettingstwo.webp) -![E-mail Server Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettingsthree.webp) +![E-mail Server Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mailserversettingsthree.webp) ### Proxy Server Settings 
@@ -474,13 +474,13 @@ Once you provide all the information, click Test to confirm the settings are wo **NOTE:** If a Proxy Server is not configured, Endpoint Protector will connect directly to liveupdate.endpointprotector.com. -![Proxy Server Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/proxyserversettings.webp) +![Proxy Server Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/proxyserversettings.webp) ## Main Administrator Contact Details Edit contact details for the main administrator and then click Save to keep all modifications. -![Main Administrator Contact Details](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mainadministratorcontact.webp) +![Main Administrator Contact Details](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/mainadministratorcontact.webp) ### Server Display Name @@ -490,4 +490,4 @@ Protector logo on the login page and alongside the logo in the Endpoint Protecto customize text and upload a custom logo for further personalization. These visual cues are designed to prevent incidents like unintentional modifications on the wrong environment -![EPP Server Display Name](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/serverdisplayname.webp) +![EPP Server Display Name](/img/product_docs/endpointprotector/endpointprotector/admin/systemconfiguration/serverdisplayname.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/backup.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/backup.md index 82a17cc896..30110cbd20 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/backup.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/backup.md 
@@ -14,7 +14,7 @@ versions, and set up automatic routines to ensure your data is consistently prot This module allows you to make complete system backups. -![Allows you to make complete system backups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofsystembackups.webp) +![Allows you to make complete system backups](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofsystembackups.webp) To view the list of current backups, go to **System Maintenance** > **System Backup v2**. @@ -29,7 +29,7 @@ recommended to keep a good record of where these files are saved. **CAUTION:** When using the Restore Backup feature, we recommend requesting assistance from customer support. -![Allows you to make complete system backups](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackup.webp) +![Allows you to make complete system backups](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackup.webp) On the Make Backup section, you have the following options: @@ -44,7 +44,7 @@ the Temporary Logs Files. The second section, Status, returns the state of the system. If a backup creation is in progress, it will be reported as seen below. -![System Backup Status](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/systembackupstatus.webp) +![System Backup Status](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/systembackupstatus.webp) If the system is idle, the button will return the last known status, which by default is set at 100% done. 
@@ -56,7 +56,7 @@ The next menu, Upload, allows you to populate the backup list with .eppb files from the console of the appliance. We recommend that you contact Customer Support when a created .eppb file exceeds this 200 MB limit. -![Upload System Backup](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/uploadsystembackup.webp) +![Upload System Backup](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/uploadsystembackup.webp) From this section, you can schedule an automatic backup routine by setting a trigger condition, the System Backup time interval. The routine can be set to run daily, weekly, monthly and so forth. The 
@@ -64,14 +64,14 @@ Scheduler will also prompt the administrator with the Last Automatic System Back **_RECOMMENDED:_** A scheduled routine is recommended in order to prevent unwanted loss. -![Schedule an automatic backup routine](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/availablebackups.webp) +![Schedule an automatic backup routine](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/availablebackups.webp) ### From the Console Endpoint Protector offers the option to revert the system to a previous state from the administrative console on which the initial configuration occurs. -![Endpoint Protector offers the option to revert the system to a previous state from the administrative console on which the initial configuration occurs.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/administrativeconsole.webp) +![Endpoint Protector offers the option to revert the system to a previous state from the administrative console on which the initial configuration occurs.](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/administrativeconsole.webp) The Number 2 (System Backup) menu presents you with the following options: @@ -85,7 +85,7 @@ FTP IP address and the path inside its filesystem to the .eppb file. An example is shown below: -![An administrator will need to provide the system a valid FTP IP address and the path inside its filesystem to the .eppb file](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/ftpconnectiondetails.webp) +![An administrator will need to provide the system a valid FTP IP address and the path inside its filesystem to the .eppb file](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/ftpconnectiondetails.webp) ## System Backup v2 
@@ -113,18 +113,18 @@ OS version (e.g.: the appliance is still running on Ubuntu 14.04 LTS). As Ubuntu 14.04 no longer receives security patches since 2019, those that want to migrate to a Server running on the latest Ubuntu LTS version should take advantage of this functionality. -![Migrate the database (entities, rights, settings, policies, configurations, etc.) from an older Endpoint Protector Server to a newer one.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofsystembackups.webp) +![Migrate the database (entities, rights, settings, policies, configurations, etc.) from an older Endpoint Protector Server to a newer one.](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofsystembackups.webp) ### Creating a System Backup v2 (Migration) You can create a new migration backup from the System Maintenance, System Backup v2 section. -![Creating a System Backup v2 (Migration)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackupone.webp) +![Creating a System Backup v2 (Migration)](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackupone.webp) **NOTE:** For security purposes, the System Backup Key will not be stored by the Endpoint Protector. Before proceeding, make sure it is properly saved. -![Creating a System Backup v2 (Migration)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackuptwo.webp) +![Creating a System Backup v2 (Migration)](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/createsystembackuptwo.webp) ### Importing and Restore (Migrate) 
@@ -141,4 +141,4 @@ After the Import and Restore (Migration) has been made to the new Appliance, the should be turned off. Its IP would then have to be reassigned to the new Appliance in order for the deployed Endpoint Protector Clients to start communicating with the new Appliance. -![Importing and Restore (Migrate)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/importingrestore.webp) +![Importing and Restore (Migrate)](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/importingrestore.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/overview.md index 8292d5249c..f49027d255 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/overview.md @@ -10,7 +10,7 @@ maintain a well-organized system, facilitate recovery, and ensure data integrity This module allows you to retrieve, organize and clean-up files used by the Endpoint Protector Server. -![Retrieve, organize and clean-up files used by the Endpoint Protector Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/filemaintenance.webp) +![Retrieve, organize and clean-up files used by the Endpoint Protector Server](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/filemaintenance.webp) You have the following options: 
@@ -25,14 +25,14 @@ of files from theEndpoint Protector Server click **Delete**. From this section, you can view the list of exported entities, download or delete them, and view the scheduled export in the system and reschedule them accordingly. -![View the list of exported entities, download or delete them, and view the scheduled export in the system and reschedule them accordingly](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofentities.webp) +![View the list of exported entities, download or delete them, and view the scheduled export in the system and reschedule them accordingly](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofentities.webp) You can initiate the manual generation of the scheduled export from the Device Control, List of Devices / List of Computers / List of Users / List of Groups sections. -![Initiate the manual generation of the scheduled export from the Device Control](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofdevices.webp) +![Initiate the manual generation of the scheduled export from the Device Control](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/listofdevices.webp) -![Manual generation of the scheduled export from the Device Control](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/dcscheduleexport.webp) +![Manual generation of the scheduled export from the Device Control](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/dcscheduleexport.webp) The scheduled exports can be sent automatically via e-mail to all the Administrators that have the **Scheduled Export Alert** setting enabled. 
@@ -60,7 +60,7 @@ Follow the steps to create a system snapshot. **Step 1 –** Go to System Configuration and click **Make Snapshot**. -![The System Snapshots module allows you to save all device control rights and settings in the system and restore them later if needed](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/systemsnapshots.webp) +![The System Snapshots module allows you to save all device control rights and settings in the system and restore them later if needed](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/systemsnapshots.webp) **Step 2 –** Enter a name for the snapshot and a description. Select the items to store in the snapshot, **Only Rights**, **Only Settings**, or **Both** and then click **Save**. @@ -70,7 +70,7 @@ The snapshot will appear in the list of System Snapshots. **Step 3 –** To restore a previously created snapshot, click **Restore** next to the snapshot, and then confirm your action. -![Restore a previously created snapshot](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/restoresnapshot.webp) +![Restore a previously created snapshot](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/restoresnapshot.webp) ## Audit Log Backup 
@@ -82,7 +82,7 @@ Both the Audit Log Backup and Audit Backup Scheduler offer several options like backup, how old should the included logs be, to keep or delete them from the server, to include file shadows or not, etc. -![Allows old logs to be saved and exported](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/auditlogbackup.webp) +![Allows old logs to be saved and exported](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/auditlogbackup.webp) However, the main difference comes from the fact that the exported logs come in an improved visual model, making things easier to audit or to create reports for executives. @@ -99,7 +99,7 @@ While the Audit Log Backup starts the backup instantly, the Audit Log Backup Sch option to set the procedure for a specific time and the frequency of the backup (every day, every week, every month, every year, etc.). -![Audit Log Backup Scheduler](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/scheduledbackup.webp) +![Audit Log Backup Scheduler](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/scheduledbackup.webp) ## External Storage @@ -110,7 +110,7 @@ an FTP, SFTP or Samba / Network Share server. You can enable the option to keep a copy of the files on the Endpoint Protector Server for all External Storage Types. -![Externalize files generated by Endpoint Protector to a particular storage disk from the network](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/externalstorage.webp) +![Externalize files generated by Endpoint Protector to a particular storage disk from the network](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/externalstorage.webp) ### FTP Server 
@@ -126,7 +126,7 @@ To configure an FTP Server, provide the following information: - Passive Connection - Anonymous Login -![Configure an FTP Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/ftpserver.webp) +![Configure an FTP Server](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/ftpserver.webp) ### SFTP Server @@ -140,7 +140,7 @@ To configure an SFTP Server, provide the following information: - Password – the associated password - Enable storage -![Configure an SFTP Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/sftpserver.webp) +![Configure an SFTP Server](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/sftpserver.webp) ### Samba / Network Share Server @@ -159,4 +159,4 @@ To configure a Samba / Network Share Server, provide the following information: - Username – the username of the external server - Password – the associated password -![Configure a Samba / Network Share Server](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/sambastorage.webp) +![Configure a Samba / Network Share Server](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/sambastorage.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/shadowrepository.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/shadowrepository.md index 3fcf7cadf8..b75ac40076 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/shadowrepository.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemmaintenance/shadowrepository.md 
@@ -46,7 +46,7 @@ the Group has only Read and Execute). **NOTE:** If you are using the Samba V1 protocol for File Shadows on Mac, make sure that NTLMv1 authorization is set on the Samba server. -![Enable the Endpoint Protector Client to send File Shadows directly](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/fileshadowrepository.webp) +![Enable the Endpoint Protector Client to send File Shadows directly](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/fileshadowrepository.webp) ## Test Connection @@ -136,7 +136,7 @@ When a file is uploaded, an External Repository Upload log will be displayed. **CAUTION:** File shadows contained in the S3 Bucket (File Shadow Repository) will not be included in the Audit. -![S3 Bucket File Shadow Repository](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/fileshadowrepositorytwo.webp) +![S3 Bucket File Shadow Repository](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/fileshadowrepositorytwo.webp) **NOTE:** In the scenario where there may be an unreliable network, the Client will attempt to upload the artifact 10 times before the guard-rail will stop upload attempts. This will delete the 
@@ -151,12 +151,12 @@ To add the Endpoint Protector Server IP to the S3 Bucket whitelist, follow these **Step 2 –** Click on an entry from the **S3 Bucket list**. -![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3one.webp) +![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3one.webp) **Step 3 –** On the S3 Bucket, select the **Permission** tab, scroll down to the Bucket policy section, and then click **Edit**. -![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3two.webp) +![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3two.webp) **Step 4 –** On the Bucket Policy, add the following IPs: @@ -166,7 +166,7 @@ section, and then click **Edit**. **Step 5 –** Use the Policy generator from the top-right corner to help you edit or create a new Bucket policy. This will open a new page with the AWS Policy Generator. -![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3three.webp) +![Adding the Netwrix Endpoint Protector Server IP to the S3 Bucket whitelist](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/amazons3three.webp) On the AWS Policy Generator, provide the following information: 
@@ -184,7 +184,7 @@ Add the Statement, click **Generate Policy**, and then use the **Bucket Policy** For more information on this procedure, read the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html). -![ AWS Policy Generator](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/awspolicygenerator.webp) +![ AWS Policy Generator](/img/product_docs/endpointprotector/endpointprotector/admin/systemmaintenance/awspolicygenerator.webp) ``` Example: S3 Bucket Policy (JSON) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md index c02dba99f5..1589582928 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md @@ -6,7 +6,7 @@ From this section you can view and manage device types and notifications, view notifications and their translations and define custom notifications for Content Aware Protection policies and Device Control User Remediation. -![Manage device types and notifications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/devicetypesnotif.webp) +![Manage device types and notifications](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/devicetypesnotif.webp) ### List of Device Types and Notifications 
@@ -17,7 +17,7 @@ Content Aware Protection module. You can enable and edit the notification messages that appear on the Endpoint Protector Client from the Actions column. -![List of Device Types and Notifications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/devicetypesnotiftwo.webp) +![List of Device Types and Notifications](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/devicetypesnotiftwo.webp) You can enable or disable messages from the Default Notifications list and edit custom notification translations. @@ -25,7 +25,7 @@ translations. **NOTE:** You can enable Custom Client Notifications globally from Device Control, Global Settings or individually for computers or groups, from their specific Settings sections. -![Enable/disable a message from the list of Default Notifications or edit the custom notifications translations](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/listdefaultnotif.webp) +![Enable/disable a message from the list of Default Notifications or edit the custom notifications translations](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/listdefaultnotif.webp) ### Custom Content Aware Protection Notifications @@ -58,7 +58,7 @@ Follow the steps to create notifications. **Step 5 –** Click **Save** to finalize your custom notification. -![Custom Content Aware Protection Notifications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/capnotifications.webp) +![Custom Content Aware Protection Notifications](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/capnotifications.webp) For example, the file named 'financial_report.xlsx' (`\{fileName\}`) was classified as 'Confidential' (`\{type\}`) because it contains confidential data. 
@@ -121,7 +121,7 @@ Once the notification was created, you can select the custom notification from Notification Template drop-down located in the Device Control section, Global Setting, Users, Computers and Groups. -![Custom Device Control User Remediation Notifications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationnotif.webp) +![Custom Device Control User Remediation Notifications](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationnotif.webp) ## Contextual Detection @@ -160,9 +160,9 @@ prioritization of individual policy configurations. This method is recommended for general use as it is the easiest method and it can cover most use cases. -![Creating the XML](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/contextualdetectionone.webp) +![Creating the XML](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/contextualdetectionone.webp) -![Creating the XML](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/contextualdetectiontwo.webp) +![Creating the XML](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/contextualdetectiontwo.webp) For each category of Predefined Content (e.g.: Credit Cards, IDs, Passports, Driving Licenses, etc.), contextual detection can be configured by clicking on the **Add** button and selecting options such 
@@ -282,13 +282,13 @@ interactions with Endpoint Protector. **NOTE:** This feature applies at a global level for all Windows endpoints with the Advanced Printing and MTP Scanning features enabled. -![Advanced Scanning Detection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/advancedscanningexceptions.webp) +![Advanced Scanning Detection](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/advancedscanningexceptions.webp) ## Rights This subsection displays a list with all access rights that can be assigned to devices. -![Displays a list with all access rights that can be assigned to devices](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/rights.webp) +![Displays a list with all access rights that can be assigned to devices](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/rights.webp) ## Events @@ -296,7 +296,7 @@ In this section you can view, manage and export the events list logged by Endpoi can also edit event names and descriptions or enable/disable logging for specific events from the Actions column. -![View, manage and export the events list logged by Netwrix Endpoint Protector](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/listofevents.webp) +![View, manage and export the events list logged by Netwrix Endpoint Protector](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/listofevents.webp) ### Events Types and Descriptions 
@@ -369,7 +369,7 @@ For a detailed view of all events and their descriptions, please see the table b User remediation is a feature that allows the end-users to apply a justification and self-remediate a policy violation or a restricted-access device. -![Allows the end-users to apply a justification and self-remediate a policy violation or a restricted-access device](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediation.webp) +![Allows the end-users to apply a justification and self-remediate a policy violation or a restricted-access device](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediation.webp) ### User Remediation Settings @@ -411,7 +411,7 @@ Remediation for Device Control. enabling this feature, all the settings regarding User Remediation will be applied to both Content Aware Protection and Device Control modules. -![User Remediation Settings](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationsettings.webp) +![User Remediation Settings](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationsettings.webp) ### Justifications List 
@@ -423,9 +423,9 @@ can add up to a maximum of 10 justifications. By default, several justificatio but make sure that at least one justification is enabled all the time. To enable and enforce the end-user to view User Remediation pop-up notifications, manage the option -from Device Control, Global Settings, [Device Control](../devicecontrol/module.md). +from Device Control, Global Settings, [Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md). -![Justifications List](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/justflist.webp) +![Justifications List](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/justflist.webp) ### Enabling User Remediation @@ -434,7 +434,7 @@ Follow the steps to use User Remediation for Device Control. **Step 1 –** Enable the User Remediation for Device Control feature from [User Remediation Settings](#user-remediation-settings) -![Enabling User Remediation](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/dcuserremediation.webp) +![Enabling User Remediation](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/dcuserremediation.webp) **Step 2 –** Customize the User Remediation notifications for Device Control. 
@@ -442,22 +442,22 @@ To do so, go to the Devices Types and Notifications, [Custom Device Control User Remediation Notifications](#custom-device-control-user-remediation-notifications) section, click **Create**, fill in the mandatory fields and **Save**. -![Custom Device Control User Remediation Notifications](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/customdcuserremediationnotif.webp) +![Custom Device Control User Remediation Notifications](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/customdcuserremediationnotif.webp) **Step 3 –** Enable the **User Remediation Pop-up** setting from the -[Device Control](../devicecontrol/module.md) topic and then select the **customized notification** +[Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md) topic and then select the **customized notification** from the User Remediation Notification Template drop-down list; -![User Remediation Pop-up](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationpopup.webp) +![User Remediation Pop-up](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/userremediationpopup.webp) -**Step 4 –** Navigate to [Device Control](../devicecontrol/module.md), Device Types section and +**Step 4 –** Navigate to [Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md), Device Types section and enable **User Remediation** for devices with limited access – devices that have full access permission cannot benefit from the User Remediation feature. **NOTE:** For built-in devices, such as Webcam and Network share, the User Remediation feature is not available. 
-![These are device types that apply in General](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) +![These are device types that apply in General](/img/product_docs/endpointprotector/endpointprotector/admin/devicecontrol/devicetypes.webp) ### User Remediation Usage @@ -467,7 +467,7 @@ Follow these steps to remediate the device. **Step 2 –** Select the device for remediation and click Self Remediate. -![User Remediation Usage](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/dcselfremediate.webp) +![User Remediation Usage](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/dcselfremediate.webp) **Step 3 –** On the Self Remediate section: @@ -488,9 +488,9 @@ Follow these steps to remediate the device. **NOTE:** You can manage more settings for the Self Remediate feature from System Preferences and User Remediation sections. -![Self Remediate section](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/selfremediatesection.webp) +![Self Remediate section](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/selfremediatesection.webp) To stop the device remediation session at any time during the time interval, select the device from the Device Control tab in the Endpoint Protector notifier and then click **Revoke Remediation**. -![ Stopping the device remediation session](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/revokeremediation.webp) +![ Stopping the device remediation session](/img/product_docs/endpointprotector/endpointprotector/admin/systemparameters/revokeremediation.webp) 
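Review bot: In docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md, the three rewritten Device Control links (hunks @@ -423,9 and @@ -442,22) now hard-code the version directory, `/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md`, where the old `../devicecontrol/module.md` was version-independent. If this directory is copied to start the next version's docs, these links will still resolve to the 5.9.4.2 pages, so a broken-link check will not flag them and readers will be sent to the old version's Device Control settings. Suggest keeping relative links for targets inside the same version tree, or confirming that the versioning step rewrites the `5.9.4.2` segment. The image paths in the same hunks are not affected, since `/img/product_docs/endpointprotector/endpointprotector/...` carries no version segment.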
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/creatingfilters.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/creatingfilters.md index 076bcaafe8..90d6cc7851 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/creatingfilters.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/creatingfilters.md 
@@ -4,26 +4,26 @@ To create the Windows Management Instrumentation (WMI) filters, follow these ste **Step 1 –** Open the Group Policy Management console, expand Domains and then the domain tree; -![Group Policy Management Window](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/grouppolicywindow_198x327.webp) +![Group Policy Management Window](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/grouppolicywindow_198x327.webp) **Step 2 –** Right-click WMI Filters and select New – this will open the New WMI Filter window; -![New Windows Management Instrumentation Filter Window](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/newwmifilter_624x202.webp) +![New Windows Management Instrumentation Filter Window](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/newwmifilter_624x202.webp) **Step 3 –** On the New WMI Filter window, add entries for 32-bit and 64-bit WMI filters by providing the name, description, and queries; 32-bit WMI Filters: -![32-bit Windows Management Instrumentation Filters Wizard](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/32bitwmi_filter_624x224.webp) +![32-bit Windows Management Instrumentation Filters Wizard](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/32bitwmi_filter_624x224.webp) 64-bit WMI Filters: -![64-bit Windows Management Instrumentation Filters](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/64bitwmi_filter_624x193.webp) +![64-bit Windows Management Instrumentation Filters](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/64bitwmi_filter_624x193.webp) **Step 4 –** The new filters will be displayed in the WMI Filters folder. 
-![Newly Created Windows Management Instrumentation Filters](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/createdwmifilters_118x25.webp) +![Newly Created Windows Management Instrumentation Filters](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/createdwmifilters_118x25.webp) Selecting the 32-bit and 64-bit operating systems: diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/deployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/deployment.md index 6ce4baaeb4..d6d4121625 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/deployment.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/deployment.md @@ -9,7 +9,7 @@ New; **Step 3 –** Right-click the new GPO and click Edit; -![Creating the Deployment Group Policy Objects](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpoeditor.webp) +![Creating the Deployment Group Policy Objects](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpoeditor.webp) **Step 4 –** Expand Computer Configuration / Software Settings and right-click Software Installation, and then select New/Package; 
@@ -17,7 +17,7 @@ Installation, and then select New/Package; **NOTE:** When browsing the ‘msi’ file, ensure it is located in a folder shared over your network and accessible by the computers on your Active Directory. -![Configuring Deployment for Group Policy Objects](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpoconfiguration.webp) +![Configuring Deployment for Group Policy Objects](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpoconfiguration.webp) **Step 5 –** Close the Group Policy Object Editor console and repeat this step for the Endpoint Protector 64-bit GPO. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkinggpotoou.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkinggpotoou.md index 1830245328..4cae2dfac0 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkinggpotoou.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkinggpotoou.md @@ -11,4 +11,4 @@ these steps: **NOTE:** The new policies will be applied only when the target computers are rebooted. -![Linking Group Policy Objects to Organization Units ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpotooulinking.webp) +![Linking Group Policy Objects to Organization Units ](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/gpotooulinking.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkingwmitogpo.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkingwmitogpo.md index 8939d7730b..cf9670494f 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkingwmitogpo.md 
+++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/activedirectory/linkingwmitogpo.md @@ -7,4 +7,4 @@ and on the WMI Filtering section, select 32-bit Windows filter; **Step 2 –** Repeat this step for Endpoint Protector 64-bit GPO. -![Linking the Windows Management Instrument filters to Group Policy Objects](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/wmitogpolinking.webp) +![Linking the Windows Management Instrument filters to Group Policy Objects](/img/product_docs/endpointprotector/endpointprotector/configuration/activedirectory/wmitogpolinking.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/amazon.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/amazon.md index a6f8b49d2f..9c2f65f77e 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/amazon.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/amazon.md @@ -16,4 +16,4 @@ number, region, and availability zone. You will receive a reply from an Endpoint representative, notifying you when the Endpoint Protector Amazon Machine Image has been shared with your account. -![Obtaining Amazon Machine Image (AMI)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/obtainingami.webp) +![Obtaining Amazon Machine Image (AMI)](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/obtainingami.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awsdeployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awsdeployment.md index a0d2faf9b2..39368dcc5f 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awsdeployment.md 
+++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awsdeployment.md @@ -10,11 +10,11 @@ Follow the steps to launch the EC2 image. **Step 2 –** Go to Images: AMIs and select the type of the Private image and search for Endpoint Protector. -![Launching AMISs](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/imagesamis.webp) +![Launching AMISs](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/imagesamis.webp) **Step 3 –** Right-click and select **Launch Instance from AMI**. -![Launching Private Image](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/privateimage.webp) +![Launching Private Image](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/privateimage.webp) **Step 4 –** Enter the Name and Create tags as per your policies. @@ -30,11 +30,11 @@ If you choose to use a key pair, you may need to share it with our Support Team requests. Ensure that the key pair is used exclusively for this instance to maintain security. We recommend selecting **Proceed without a Key Pair** and then clicking **Launch Instances**. -![Launching AMI instances ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/launchinstance.webp) +![Launching AMI instances ](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/launchinstance.webp) **Step 7 –** Configure the Network section. -![Configuring the Network section](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/networksettings.webp) +![Configuring the Network section](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/networksettings.webp) **Step 8 –** Edit Network Section and provide the following information: 
@@ -47,17 +47,17 @@ recommend selecting **Proceed without a Key Pair** and then clicking **Launch In - Type HTTPS, Protocol TCP, Port range 443, Source type Custom, Source 0.0.0.0/0 (mandatory) - Type HTTP, Protocol TCP, Port range 80, Source type Custom, Source 0.0.0.0/0 (optional) -![Editing the Network Section ](../../../../../../static/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/policytemplates/editnetwork.webp) +![Editing the Network Section ](/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/policytemplates/editnetwork.webp) **Step 9 –** The Storage section does not require any changes. -![Configuring the storage section](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/configurestorage.webp) +![Configuring the storage section](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/configurestorage.webp) **Step 10 –** On the Summary section click **Launch Instance**. -![Summary section ](../../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/datacollector/adinventory/summary.webp) +![Summary section ](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/datacollector/adinventory/summary.webp) **Step 11 –** Wait for the instance to start; this might take a few minutes while the Status Checks appear as Initializing. -![Initiating Instance](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/instancestarting.webp) +![Initiating Instance](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/instancestarting.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awselasticip.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awselasticip.md index 3f7d6933df..eee7ddd604 100644 
--- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awselasticip.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awselasticip.md @@ -7,16 +7,16 @@ address every time it is restarted and the Endpoint Protector Clients have to be To request an Elastic IP, go in the AWS Management Console to the option Network & Security, Elastic IPs, and click Allocate New Address. -![ Allocate Elastic IP Address](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/allocateelasticip.webp) +![ Allocate Elastic IP Address](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/allocateelasticip.webp) **Step 1 –** Associate the Elastic IP with your Endpoint Protector Instance. -![Associating the Elastic IP with your Instance.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/allocationsuccessful.webp) +![Associating the Elastic IP with your Instance.](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/allocationsuccessful.webp) **Step 2 –** Select the Endpoint Protector Instance from the dropdown list, the Private IP address, and then click Associate; -![Associating Elastic IP Address](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/associateelasticip.webp) +![Associating Elastic IP Address](/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/associateelasticip.webp) The Elastic IP is now associated with your Endpoint Protector Instance. After a few minutes, the Endpoint Protector Instance will be running associated with the Elastic IP. 
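Review bot: In docs/endpointprotector/5.9.4.2/endpointprotector/configuration/amazonwebservices/awsdeployment.md, hunk @@ -47,17 still points two Endpoint Protector screenshots at other products' versioned image trees: `/img/versioned_docs/changetracker_8.0/changetracker/admin/settings/policytemplates/editnetwork.webp` for "Editing the Network Section" and `/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/datacollector/adinventory/summary.webp` for "Summary section". The rewrite faithfully preserves what the old relative paths pointed at, but every other image in this file lives under `/img/product_docs/endpointprotector/endpointprotector/configuration/amazonwebservices/`, so these two look like mis-mapped assets rather than intended references. Please check that the rendered images actually show the AWS network settings and launch summary, and move them under the Endpoint Protector image directory; as it stands, the step that documents the inbound rules depends on Change Tracker 8.0 and Enterprise Auditor 11.6 assets that can be removed independently of this page.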
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/azuredeployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/azuredeployment.md index b85cbb51ed..f8a3a6e70d 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/azuredeployment.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/azuredeployment.md @@ -32,7 +32,7 @@ account / Container, following these steps: **Step 4 –** Click Review + create; -![ Creating a storage account](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createstorage.webp) +![ Creating a storage account](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createstorage.webp) **Step 5 –** Go to Storage accounts and click the newly created account; @@ -41,7 +41,7 @@ account / Container, following these steps: **Step 7 –** Give the container the same name as you did to the storage account and for the Public access level select Container (anonymous read access for containers and blobs); -![Naming the container ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createcontainer.webp) +![Naming the container ](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createcontainer.webp) **Step 8 –** Select the container you created, and then click Shared access tokens. 
@@ -50,7 +50,7 @@ access level select Container (anonymous read access for containers and blobs); **Step 9 –** Configure the SAS token with Create, Write and Add Permissions with a 5-day window to allow the Netwrix team to copy the image; -![Configuring the SAS token](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/accesstokens.webp) +![Configuring the SAS token](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/accesstokens.webp) **Step 10 –** Copy the Blob SAS URL and send it to Netwrix. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/creatingdisk.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/creatingdisk.md index 01fcbf8060..f9d6341913 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/creatingdisk.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/creatingdisk.md 
@@ -5,15 +5,15 @@ Machine. To create a disk, follow these steps. **Step 1 –** From the top right side of the page, go to All resources and click +Create; -![createdisk](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createdisk.webp) +![createdisk](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createdisk.webp) **Step 2 –** Search the marketplace for Managed Disks; -![marketplace](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/marketplace.webp) +![marketplace](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/marketplace.webp) **Step 3 –** Go to Managed Disks and select Create; -![manageddisk](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/manageddisk.webp) +![manageddisk](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/manageddisk.webp) **Step 4 –** To create a managed disk, provide the following information @@ -37,7 +37,7 @@ displayed. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createmanageddisk.webp) +generated](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createmanageddisk.webp) ## Creating the Virtual Machine @@ -45,7 +45,7 @@ To start the Endpoint Protector Virtual Machine in Azure, follow these steps: **Step 6 –** Go to the All resources page, select the newly created disks and then click Create VM -![createvm](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createvm.webp) +![createvm](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createvm.webp) **Step 7 –** To create the Virtual Machine, provide the following information: 
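Review bot: In docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/creatingdisk.md, hunk @@ -37,7 updates the path on the `generated](...)` line but leaves the alt text as the auto-generated placeholder "A screenshot of a computer Description automatically generated", split across two lines, and hunks @@ -5,15 and @@ -45,7 keep bare file names (`createdisk`, `marketplace`, `manageddisk`, `createvm`) as alt text. Since these lines are being touched anyway, suggest replacing them with descriptive, single-line alt text; virtualmachine.md already has usable wording for the shared images, for example "Creating the Virtual Machine" for `createvm.webp`. The same placeholder recurs in the later hunks of this file for `newvm.webp` and `publicip.webp`.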
@@ -60,7 +60,7 @@ To start the Endpoint Protector Virtual Machine in Azure, follow these steps: ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/newvm.webp) +generated](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/newvm.webp) - On the Networking tab, fill in the following: @@ -75,12 +75,12 @@ payments for an unused SSD attached to the Virtual Machine. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/publicip.webp) +generated](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/publicip.webp) **Step 9 –** Once the deployment has finished, go to Virtual Machines on the right side and select the Endpoint Protector image. -![connetctip](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/connetctip.webp) +![connetctip](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/connetctip.webp) **Step 10 –** Open a web browser and connect to the Public IP address assigned to the Endpoint Protector image. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/virtualmachine.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/virtualmachine.md index b5a0fafd83..73a341eb1b 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/virtualmachine.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/azure/virtualmachine.md 
@@ -4,7 +4,7 @@ To start the Endpoint Protector Virtual Machine in Azure, follow these steps: **Step 1 –** Go to the All resources page, select the newly created disks and then click Create VM -![Creating the Virtual Machine ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createvm.webp) +![Creating the Virtual Machine ](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/createvm.webp) **Step 2 –** To create the Virtual Machine, provide the following information: @@ -16,7 +16,7 @@ To start the Endpoint Protector Virtual Machine in Azure, follow these steps: - Size - select a virtual machine profile based closest to the recommended requirements for the disk file used -![Information tab for creating a new Virtual Machine. ](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/newvm.webp) +![Information tab for creating a new Virtual Machine. ](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/newvm.webp) - On the Networking tab, fill in the following: 
@@ -28,12 +28,12 @@ To start the Endpoint Protector Virtual Machine in Azure, follow these steps: **NOTE:** For Additional Features, we recommend selecting HDD instead of SSD to avoid unnecessary payments for an unused SSD attached to the Virtual Machine. -![Information tab for creating a public IP](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/publicip.webp) +![Information tab for creating a public IP](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/publicip.webp) **Step 4 –** Once the deployment has finished, go to Virtual Machines on the right side and select the Endpoint Protector image. -![Connecting the IP to the Endpoint Protector Image](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/azure/connetctip.webp) +![Connecting the IP to the Endpoint Protector Image](/img/product_docs/endpointprotector/endpointprotector/configuration/azure/connetctip.webp) **Step 5 –** Open a web browser and connect to the Public IP address assigned to the Endpoint Protector image. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/gcpdeployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/gcpdeployment.md index 2bee6c8c48..17262f6ee3 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/gcpdeployment.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/gcpdeployment.md 
@@ -6,7 +6,7 @@ proceed to create a new Virtual Machine Instance: **Step 1 –** In the Google Cloud Platform Console, go to the VM Instances page and click Create instance. -![Creating Virtual Machine instance.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createinstance.webp) +![Creating Virtual Machine instance.](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createinstance.webp) **Step 2 –** In the Boot disk section, click Change to begin configuring your boot disk and on the Custom Images tab, fill in the following: @@ -16,12 +16,12 @@ Custom Images tab, fill in the following: - Size – add a size larger than the Endpoint Protector image size received - Click Select to confirm the boot disk configuration. -![Boot disk Configuration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/bootdisk.webp) +![Boot disk Configuration](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/bootdisk.webp) **Step 3 –** On the Firewall section, select Allow HTTP traffic and Allow HTTPS traffic, and then click Create. -![Firewall configuration](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/firewall.webp) +![Firewall configuration](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/firewall.webp) ## Requesting a Static IP 
@@ -33,7 +33,7 @@ restarted and the Endpoint Protector Clients have to be reinstalled. To request a Static IP, go to IP addresses and select the External IP addresses tab. -![Requesting a static IP](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/externalip.webp) +![Requesting a static IP](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/externalip.webp) ## Create Firewall Rules @@ -41,11 +41,11 @@ To create a Firewall rule, on the Google Cloud Platform Console, follow these st **Step 4 –** Go to the Firewall page and select default-allow-ssh; -![Creating firewall rules](../../../../../../static/img/versioned_docs/threatprevention_7.4/threatprevention/install/reportingmodule/firewallrules.webp) +![Creating firewall rules](/img/versioned_docs/threatprevention_7.4/threatprevention/install/reportingmodule/firewallrules.webp) **Step 5 –** Click Edit and on the Protocols and ports section provide the following information: - select Specified protocols and ports - check the tcp box and enter 64848 -![Editing firewall rules](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/editrules.webp) +![Editing firewall rules](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/editrules.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/googlecloudplatform.md b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/googlecloudplatform.md index 4069594e8f..1d27f1531d 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/googlecloudplatform.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/googlecloudplatform/googlecloudplatform.md 
@@ -19,12 +19,12 @@ Representative. If this image has already been obtained, you can skip this step. [Cloud Storage Browser page](https://console.cloud.google.com/projectselector2/storage/browser?pli=1&supportedpurview=project) on the Google Cloud Platform Console and create a bucket. -![Creating a bucket](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createbucket.webp) +![Creating a bucket](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createbucket.webp) **Step 3 –** Provide the necessary information (i.e., Name, Storage Class, Location), then click **Create**. -![Naming the bucket](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/namebucket.webp) +![Naming the bucket](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/namebucket.webp) **Step 4 –** Once the bucket is created, upload the Endpoint Protector image file received from Endpoint Protector. 
@@ -32,14 +32,14 @@ Endpoint Protector. **NOTE:** The upload can take several hours, depending on the size of the compressed image and the speed of the network connection. -![Uploading Endpoint Protector image to the bucket](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/uploadimage.webp) +![Uploading Endpoint Protector image to the bucket](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/uploadimage.webp) **Step 5 –** After the Endpoint Protector image has been uploaded to Google Cloud Storage, navigate to the Images page on the Google Cloud Platform Console. **Step 6 –** Set the Source to **Virtual disk (VMDK, VHD)** and select **Go to new image import**. -![New Image Import](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/newimageimport.webp) +![New Image Import](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/newimageimport.webp) **Step 7 –** When prompted, enable the required API. @@ -47,11 +47,11 @@ to the Images page on the Google Cloud Platform Console. **Step 9 –** Go to the Targets tab and click **Add a target project**. -![Add a target project](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/targetproject.webp) +![Add a target project](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/targetproject.webp) **Step 10 –** Select the project and Click **Add**. -![Selecting Target Project](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/addtargetprojects.webp) +![Selecting Target Project](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/addtargetprojects.webp) **Step 11 –** Navigate to the **Image Imports** tab and click **Create image**. 
@@ -61,12 +61,12 @@ to the Images page on the Google Cloud Platform Console. - Enable **Skip OS adaptation**. - Click **Create**. -![Creating an Image](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createanimage.webp) +![Creating an Image](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/createanimage.webp) **Step 12 –** Once the process is complete, navigate to the **Images** page and locate the newly created disk image. Click on it to view its details. -![Create Instance](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/images.webp) +![Create Instance](/img/product_docs/endpointprotector/endpointprotector/configuration/googlecloudplatform/images.webp) **Step 13 –** Click **Create Instance** and select the newly created disk image as the boot disk. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/gettingstarted.md b/docs/endpointprotector/5.9.4.2/endpointprotector/gettingstarted.md index e6beceeb52..05145bda24 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/gettingstarted.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/gettingstarted.md @@ -16,7 +16,7 @@ Before starting, ensure that your environment meets the following requirements: - Disk Space: Sufficient for agent installation - Network: Access to Endpoint Protector Server -See the [Requirements](requirements/overview.md) topic for additional information. +See the [Requirements](/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/overview.md) topic for additional information. ## Staging the Server 
@@ -26,7 +26,7 @@ See the [Requirements](requirements/overview.md) topic for additional informatio also visible on the backend console. - Log in using your administrator credentials. -See the [Server Functionality](admin/dashboard/systemdashboard.md) topic for additional information. +See the [Server Functionality](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/dashboard/systemdashboard.md) topic for additional information. ## Managing Administrators @@ -35,7 +35,7 @@ See the [Server Functionality](admin/dashboard/systemdashboard.md) topic for add - Create and manage administrator accounts with appropriate permissions under System Configuration > System Administrators. -See the [System Configuration](admin/systemconfiguration/overview.md) topic for additional +See the [System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic for additional Information. ## Configuring Device Control @@ -46,7 +46,7 @@ Information. - Create Custom Policies to configure device access rules. - Customize policies based on device types and access requirements. -See the [Device Control](admin/devicecontrol/module.md) topic for additional information. +See the [Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md) topic for additional information. ## Configuring Content Aware Protection @@ -56,7 +56,7 @@ See the [Device Control](admin/devicecontrol/module.md) topic for additional inf - Create Custom Policies to define file monitoring and protection rules. - Specify Denylists, Predefined Content, or Custom Content to identify sensitive data. -See the [Content Aware Protection](admin/contentawareprotection/module.md) topic for more +See the [Content Aware Protection](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md) topic for more information. ## Configuring an eDiscovery Scan 
@@ -67,7 +67,7 @@ information. - Create custom scan policies to identify sensitive data at rest on endpoint systems. - Configure scan options and remediation actions (Encrypt, Decrypt, Delete). -See the [eDiscovery](admin/ediscovery/module.md) topic for additional more information. +See the [eDiscovery](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/ediscovery/module.md) topic for additional more information. ## Configuring the User Experience @@ -76,7 +76,7 @@ See the [eDiscovery](admin/ediscovery/module.md) topic for additional more infor - Navigate to Device Control > Client Settings. - Configure Client Modes (Normal, Transparent, Stealth, etc.) and Notification Preferences. -See the [Device Control](admin/devicecontrol/module.md) topic for more information. +See the [Device Control](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/devicecontrol/module.md) topic for more information. ### Configuring User Remediation Settings @@ -86,7 +86,7 @@ See the [Device Control](admin/devicecontrol/module.md) topic for more informati - Configure settings such as Time Interval for user actions and User Remediation Pop-up notifications. -See the [System Parameters](admin/systemparameters/overview.md) topic for more information. +See the [System Parameters](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemparameters/overview.md) topic for more information. ### Setting Up Offline Temporary Password @@ -95,7 +95,7 @@ See the [System Parameters](admin/systemparameters/overview.md) topic for more i - Navigate to Offline Temporary Passwords. - Generate passwords to provide temporary access rights when User Remediation is unavailable. -See the [Offline Temporary Password](admin/offlinetemporarypassword/overview.md) topic for more +See the [Offline Temporary Password](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/offlinetemporarypassword/overview.md) topic for more information. ## Deploying Agents 
@@ -106,7 +106,7 @@ information. - Download and deploy Endpoint Protector Client packages for Windows, macOS, and Linux systems. - Utilize MDM software or other deployment tools for efficient agent deployment. -See the [System Configuration](admin/systemconfiguration/overview.md) topic for more information. +See the [System Configuration](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md) topic for more information. ## Blocking Content Aware Protection Policies @@ -115,7 +115,7 @@ See the [System Configuration](admin/systemconfiguration/overview.md) topic for - Duplicate "Report Only" CAP policies and modify them to enforce restrictions. - Activate blocking policies to prevent unauthorized data movements. -See the [Content Aware Protection](admin/contentawareprotection/module.md) topic for more +See the [Content Aware Protection](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/contentawareprotection/module.md) topic for more information. ## Performing Remediation within eDiscovery @@ -151,4 +151,4 @@ topic for more information. - Monitoring Devices: - Manage Enforced Encryption devices in Clients list section. -See the [Enforced Encryption](admin/enforcedencryption/module.md) topic for more information. +See the [Enforced Encryption](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/enforcedencryption/module.md) topic for more information. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/macosdeployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/macosdeployment.md index 4bc3ea6312..ea5316b3ed 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/macosdeployment.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/macosdeployment.md 
@@ -7,7 +7,7 @@ To deploy the Endpoint Protector package for macOS using Intune, follow these st **Step 2 –** Go to the System Configuration, Client Software and download the macOS Endpoint Protector package. -![Downloading the macOS Endpoint Protector package](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/packagedownload.webp) +![Downloading the macOS Endpoint Protector package](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/packagedownload.webp) **Step 3 –** Convert the Endpoint Protector client to an .intunemac file – for more information and procedure, visit the Microsoft Docs portal; @@ -20,12 +20,12 @@ macOS platform; **Step 6 –** On the macOS apps page, click Add, select the Line of business app type, and then click **Select**. -![macOS configurations on the Apps Overview page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macappsoverview.webp) +![macOS configurations on the Apps Overview page](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macappsoverview.webp) **Step 7 –** Click Select app package file and from the right-hand side, select the Endpoint Protector intunemac file, Upload and click **OK.** -![Information about the app package file](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macaddapp.webp) +![Information about the app package file](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macaddapp.webp) **Step 8 –** On the App information page, fill in the mandatory fields and then click **Next**. 
@@ -33,44 +33,44 @@ Protector intunemac file, Upload and click **OK.** - Description – add Endpoint Protector Client - Publisher – add Netwrix Ltd. -![Completing Mandatory Fileds under App inforamtion page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/appinformation.webp) +![Completing Mandatory Fileds under App inforamtion page](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/appinformation.webp) **Step 9 –** On the Assignments page, in the Required section, select the group for which you want to deploy the Endpoint Protector client and then click **Next**. -![Selecting the group for which you want to deploy the Endpoint Protector client](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macassignments.webp) +![Selecting the group for which you want to deploy the Endpoint Protector client](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macassignments.webp) **Step 10 –** On the Review + create page, click Create - this will start the Endpoint Protector package upload. -![Inititating the Endpoint Protector package Download](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macreviewpage.webp) +![Inititating the Endpoint Protector package Download](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/macreviewpage.webp) **Step 11 –** Go to Devices from the left-hand menu, select macOS, Shell scripts and then click **Add**. **NOTE:** Please contact the Customer Support department to provide the script. 
-![Adding scripts on shell scripts page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/shellscripts.webp) +![Adding scripts on shell scripts page](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/shellscripts.webp) **Step 12 –** On the Add script page, fill in the mandatory information and then click **Next**. - Name (mandatory) – add a name for the script (Post install script) - Description – add a description for the script -![Completing mandatory inforamtion for Shell Scripts](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/addscript.webp) +![Completing mandatory inforamtion for Shell Scripts](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/addscript.webp) **Step 13 –** On the Script settings tab, add the following information and then click Next: - Upload and select the New Jamf PostInstall script from your computer - Set the Run script as sign-in user setting to No -![Adding inforamtion on the script settings page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/scriptsettings.webp) +![Adding inforamtion on the script settings page](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/scriptsettings.webp) **Step 14 –** On the Assignments tab, include the groups you prefer (Add groups, all users, or all devices) and then click **Next**. -![Including the groups you prefer](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/includegroups.webp) +![Including the groups you prefer](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/includegroups.webp) **Step 15 –** On the Review + add tab, you can view the script information and click **Add**. 
-![Viewing the script information](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/scriptinformation.webp) +![Viewing the script information](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/scriptinformation.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/windowsdeployment.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/windowsdeployment.md index 8fb2558ae6..9557534006 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/windowsdeployment.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/intune/windowsdeployment.md @@ -7,7 +7,7 @@ To deploy the Endpoint Protector MSI package for Windows using Intune, follow th **Step 2 –** Go to the System Configuration, Client Software and download the Windows Endpoint Protector MSI package; -![Downloading the Windows Endpoint Protector MSI Package](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/msipackagedownload.webp) +![Downloading the Windows Endpoint Protector MSI Package](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/msipackagedownload.webp) **CAUTION:** When deploying the .msi package, delete the information contained in the brackets as well as the underscore that precedes it - EPPClientSetup.5.6.3.1_x86_64.msi 
@@ -15,24 +15,24 @@ well as the underscore that precedes it - EPPClientSetup.5.6.3.1_x86_64.msi ![A black text on a white background Description automatically -generated](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/msipackage.webp) +generated](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/msipackage.webp) **Step 3 –** Go to the Microsoft Endpoint Manager admin center and sign in; **Step 4 –** Go to Apps from the left-hand side menu, and on the Apps Overview page, select the Windows platform; -![Apps Overview Page](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/appsoverview.webp) +![Apps Overview Page](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/appsoverview.webp) **Step 5 –** On the Windows App page, click Add, select the Line of business app type, and then click Select; -![Selecting the Line of business app type](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/apptype.webp) +![Selecting the Line of business app type](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/apptype.webp) **Step 6 –** Click Select app package file and from the right-hand side, select the Endpoint Protector MSI file and click OK; -![Selecting Endpoint Protector Package file ](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/apppackagefile.webp) +![Selecting Endpoint Protector Package file ](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/apppackagefile.webp) **Step 7 –** On the App information page, fill in the mandatory fields and then click Next: 
@@ -43,14 +43,14 @@ Protector MSI file and click OK; - WSIP="EPP_server_IP" WSPORT="443" /q REBOOT=ReallySuppress -![App information page to add information. ](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/addapp.webp) +![App information page to add information. ](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/addapp.webp) **Step 8 –** On the Assignments page, in the Requirement section, select the group for which you want to deploy the Endpoint Protector client and then click Next; -![Selecting the group for which you want to deploy the Endpoint Protector Client](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/assignmentspage.webp) +![Selecting the group for which you want to deploy the Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/assignmentspage.webp) **Step 9 –** On the Review + create page, click Create - this will start the Endpoint Protector MSI package upload. -![Initiating the Endpoint Protector Package MSI upload](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/reviewpage.webp) +![Initiating the Endpoint Protector Package MSI upload](/img/product_docs/endpointprotector/endpointprotector/install/agent/intune/reviewpage.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/configuration.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/configuration.md index a984f3a195..98b28b30e7 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/configuration.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/configuration.md 
@@ -11,7 +11,7 @@ the left sidebar menu, select **Configuration Profiles**. **Step 3 –** To create a new configuration profile, in the upper right, above the table with available configuration profiles, click **+New**. -![Creating a New configuration Profile](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/configurationprofile.webp) +![Creating a New configuration Profile](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/configurationprofile.webp) On the New macOS Configuration Profile section, you can manage profile settings and select the devices and users to which you want to deploy the profile. @@ -27,7 +27,7 @@ On the default General section, enter the following information: You can continue with the default settings for the category, level, and distribution method fields. -![Completing information on the general section](../../../../../../../static/img/versioned_docs/auditor_10.6/auditor/addon/azurefiles/generalsettings.webp) +![Completing information on the general section](/img/versioned_docs/auditor_10.6/auditor/addon/azurefiles/generalsettings.webp) ## Certificate Settings 
@@ -43,14 +43,14 @@ select **System Settings**. then download Client CA Certificate – the downloaded .zip file contains the .cer and .crt client certifications. -![Enabling Deep Packet Inspection Certificate and then downloading Client CA Certificate](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) +![Enabling Deep Packet Inspection Certificate and then downloading Client CA Certificate](/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) **Step 3 –** Go to Jamf, the Certificate section, and click **Configure**. **Step 4 –** Enter a Certificate name and then select and upload the downloaded Client CA Certificate in .cer format. -![Entering the required information on New macOS Configuration Profile](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/macosconfiguration.webp) +![Entering the required information on New macOS Configuration Profile](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/macosconfiguration.webp) ## Privacy Preferences Policy Control Settings @@ -69,7 +69,7 @@ this command line. - Select the **Validate the Static Code Requirement** check-box. - Click **Add** and **Save** to allow access to SystemPolicyAllFiles and Accessibility services. -![Configuring Privacy Peferences Policy Control](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/privacypreferences.webp) +![Configuring Privacy Peferences Policy Control](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/privacypreferences.webp) ## Allow EppNotifier Settings 
@@ -90,7 +90,7 @@ this command line. - Select the **Validate the Static Code Requirement** check-box. - Click **Add** and then **Save** to allow access to Accessibility services. -![Configuring EPPNotifier Settings](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/eppnotifer.webp) +![Configuring EPPNotifier Settings](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/eppnotifer.webp) ## Enforced Encryption Settings @@ -112,7 +112,7 @@ this command line. - Click **Add** and then **Save** to allow access to SystemPolicyAllFiles and Accessibility services. -![Configuring Enforced Encryption settings](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/enforcedencryption.webp) +![Configuring Enforced Encryption settings](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/enforcedencryption.webp) ## System Extension Settings @@ -126,7 +126,7 @@ On the System Extension section, click **Configure** and then enter the followin - Allowed System Extensions – click **Add**, enter `com.cososys.eppclient`, and then **Save** the changes. -![Allowing System Extensions ](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/systemextensions.webp) +![Allowing System Extensions ](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/systemextensions.webp) **NOTE:** For operating systems lower than macOS 11 (Big Sur), manage settings from the Approved Kernel Extensions section instead of System Extensions. Define the Team ID (enter TV3T7A76P4) and 
@@ -145,7 +145,7 @@ system extensions without a pop-up, and then enter the following information: **NOTE:** This setting will be applied starting with MacOS 12 version (Monterey). -![Adding a new policy that will allow the removing of system extensions](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/removeableextensions.webp) +![Adding a new policy that will allow the removing of system extensions](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/removeableextensions.webp) ### Managed Login Items @@ -194,9 +194,9 @@ this command line. - Select the **Prohibit users from disabling on-demand VPN settings** check-box. -![First section to configuring VPN settings](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/vpnsettings.webp) +![First section to configuring VPN settings](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/vpnsettings.webp) -![Second section to configuring VPN settings](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/vpnconfiguration.webp) +![Second section to configuring VPN settings](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/vpnconfiguration.webp) ## Notifications Settings @@ -209,7 +209,7 @@ On the Notifications section, click **Configure** and then enter the following i - Toggle the switch to include the settings type and then disable/enable to manage each notification option. -![Optional Notifiaction Settings](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/notificationsettings.webp) +![Optional Notifiaction Settings](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/notificationsettings.webp) ## Scope 
@@ -221,4 +221,4 @@ Click **Save** to apply all settings to the new configuration profile. **NOTE:** To confirm that the new configuration profile is saved successfully, reboot your computer at this point. -![Selecting Devices and Users to deploy to the new profile.](../../../../../../../static/img/versioned_docs/activitymonitor_7.1/config/activedirectory/scope.webp) +![Selecting Devices and Users to deploy to the new profile.](/img/versioned_docs/activitymonitor_7.1/config/activedirectory/scope.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/creatingpolicy.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/creatingpolicy.md index cd13e433e8..8446a8644c 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/creatingpolicy.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/creatingpolicy.md 
@@ -6,32 +6,32 @@ create the new policy, follow these steps: **Step 1 –** In your Jamf account, from the main navigation bar, click **Computer**, from the left sidebar menu, select **Policies**, and then click **+ New**. -![Creating a New Policy](../../../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/requirements/target/config/policies.webp) +![Creating a New Policy](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/requirements/target/config/policies.webp) **Step 2 –** On the default General section, enter the following information: - Display Name – enter the name to use for this policy. - Select the **Recurring Check-in** check-box. -![Configuring information on new policy](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpolicy.webp) +![Configuring information on new policy](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpolicy.webp) **Step 3 –** On the Scripts section, click **Configure** and then enter the following information: - Add the epp_change_ip.sh script. - Priority – set priority to Before, as the script needs to be installed before the next step. -![Configuring Script under Policies](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/scripts.webp) +![Configuring Script under Policies](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/scripts.webp) **Step 4 –** On the Packages section, click **Configure** and then add the package EndpointProtector.pkg. -![Adding the Endpoint Protector package to policy](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/addingpackage.webp) +![Adding the Endpoint Protector package to policy](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/addingpackage.webp) **Step 5 –** Go to the Scope tab and add the devices and users to apply the new policy. 
**Step 6 –** Click **Save** to apply all settings to the new policy. -![Adding Devices and users to apply to the scope](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/policyscope.webp) +![Adding Devices and users to apply to the scope](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/policyscope.webp) To confirm that the Endpoint Protector Client has been successfully deployed and the Server- Client communication and policies work as expected, you can view the endpoint in the List of Computers from diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/scriptandpackage.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/scriptandpackage.md index 42ac9e36fe..399dcfc536 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/scriptandpackage.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/jamf/scriptandpackage.md @@ -22,11 +22,11 @@ and add the `epp_change_ip.sh` script. **NOTE:** You can edit the EPP_DEPARTMET CODE and EPP_SERVER_PORT fields to deploy the Endpoint Protector Client on specific departments or custom ports. -![Uploading the new Script.](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newscript.webp) +![Uploading the new Script.](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newscript.webp) **Step 5 –** From the Computer Management section, select **Package** and then, in the upper right, click **+ New**. **Step 6 –** On the General tab, add a name and then upload the package `EndpointProtector.pkg`. -![Uploading the new Package](../../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpackage.webp) +![Uploading the new Package](/img/product_docs/endpointprotector/endpointprotector/install/agent/jamf/newpackage.webp) 
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/overview.md index 492c87ab95..eed94f3768 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/agent/overview.md @@ -5,7 +5,7 @@ Server on the protected endpoints (Windows, Mac, and Linux). You can download the Endpoint Protector Agent directly from the Endpoint Protector UI. For detailed information about downloading the Endpoint Protector Agent, refer to the -[Client Software](../../admin/systemconfiguration/overview.md#client-software) topic. +[Client Software](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/systemconfiguration/overview.md#client-software) topic. **NOTE:** You can use tools like Active Directory or JAMF to deploy the Endpoint Protector Agent in large networks. 
@@ -35,9 +35,9 @@ The following are several examples of supported distributions: - Fedora 29 - OpenSUSE 42.2 and 42.3 -![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/setupagent.webp) +![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](/img/product_docs/endpointprotector/endpointprotector/install/agent/setupagent.webp) -![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/setupagenttwo.webp) +![The Agent enforces the Rights and Settings received from the Endpoint Protector Server on the protected endpoints (Windows, Mac, and Linux)](/img/product_docs/endpointprotector/endpointprotector/install/agent/setupagenttwo.webp) ### Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active @@ -50,7 +50,7 @@ the macOS Endpoint Protector Agent. **Step 3 –** Decompress the downloaded file. -![Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/clientinstallationios.webp) +![Installation on macOS with Deep Packet Inspection and VPN Traffic Intercept Active](/img/product_docs/endpointprotector/endpointprotector/install/agent/clientinstallationios.webp) **Step 4 –** Open the **.pkg** file and follow the installation steps and give the requested permissions. 
@@ -59,33 +59,33 @@ permissions. Privacy** > **Privacy tab** > **Full Disk Access**. Search for Endpoint Protector Client, select the checkbox, and then **save** the changes. -![Grant permission to the Endpoint Protector Client](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/eppagentpermisions.webp) +![Grant permission to the Endpoint Protector Client](/img/product_docs/endpointprotector/endpointprotector/install/agent/eppagentpermisions.webp) **Step 6 –** Open the Endpoint Protector Server and activate Deep Packet Inspection by navigating to **Device Control** > **Users/Computer/Group/Global Settings** > **Manage Settings** > **Endpoint Protector Client** > **Deep Packet Inspection**. -![Activating Deep Packet Inspection](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/dpion.webp) +![Activating Deep Packet Inspection](/img/product_docs/endpointprotector/endpointprotector/install/agent/dpion.webp) **Step 7 –** Go to the **System Configuration** section, then **System Settings** > **Deep Packet Inspection Certificate**, and download the **CA Certificate**. -![Download the Client CA Certificates](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) +![Download the Client CA Certificates](/img/product_docs/endpointprotector/endpointprotector/install/agent/dpicertificate.webp) **Step 8 –** Open the **Keychain Access** application from your macOS and select **System**. -![Open the Keychain Access application from your macOS and select System](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) +![Open the Keychain Access application from your macOS and select System](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccess.webp) **Step 9 –** Decompress the downloaded **ClientCerts** file. 
**Step 10 –** Select **cacert.pem** file and drag and drop it on **System > Keychain Access**. -![Select cacert.pem file and drag and drop it on Keychain Access, System](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) +![Select cacert.pem file and drag and drop it on Keychain Access, System](/img/product_docs/endpointprotector/endpointprotector/install/agent/clientcerts.webp) **Step 11 –** Double-click the **X** on the newly added certificate and on the Trust section, select **Always Trust**. -![On the newly added certificate and on the Trust section, select Always Trust.](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) +![On the newly added certificate and on the Trust section, select Always Trust.](/img/product_docs/endpointprotector/endpointprotector/install/agent/keychainaccesstwo.webp) **Step 12 –** **Save** the changes. 
@@ -98,23 +98,23 @@ Inspection Certificate**, and download the **CA Certificate**. - Block Internet Access – this option will end the Internet connection until the end-user approves the Endpoint Protector Proxy Configuration once the computer is rebooted. -![Activate Intercept VPN Traffic](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/interceptvpntraffic.webp) +![Activate Intercept VPN Traffic](/img/product_docs/endpointprotector/endpointprotector/install/agent/interceptvpntraffic.webp) **Step 15 –** **Save** the changes. **Step 16 –** The following pop-up will be displayed informing the end-user that a System Extension is blocked and needs to be allowed. -![System Extension is blocked and needs to be allowed](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/systemextensionblocked.webp) +![System Extension is blocked and needs to be allowed](/img/product_docs/endpointprotector/endpointprotector/install/agent/systemextensionblocked.webp) **Step 17 –** Go to **System Preferences** > **Security and Privacy** > select the **General tab** and **allow** the Endpoint Protector Client Extension. -![select the General tab and allow the Endpoint Protector Client Extension](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/generaltabios.webp) +![select the General tab and allow the Endpoint Protector Client Extension](/img/product_docs/endpointprotector/endpointprotector/install/agent/generaltabios.webp) **Step 18 –** **Allow** the Endpoint Protector Proxy Configuration from the pop-up window. -![proxypop-up](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/proxypop-up.webp) +![proxypop-up](/img/product_docs/endpointprotector/endpointprotector/install/agent/proxypop-up.webp) At this point, the macOS Endpoint Protector Client installation is completed. 
@@ -144,7 +144,7 @@ The following are several examples of supported distributions: - LinuxMint - Debian -![Debian Based Distributions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/debianbaseddistributions.webp) +![Debian Based Distributions](/img/product_docs/endpointprotector/endpointprotector/install/agent/debianbaseddistributions.webp) ### RedHat based distributions @@ -158,7 +158,7 @@ The following are several examples of supported distributions: - Fedora 32, 33, 34, 35 - AWS Linux 2 -![RedHat based distributions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/redhatbaseddistributions.webp) +![RedHat based distributions](/img/product_docs/endpointprotector/endpointprotector/install/agent/redhatbaseddistributions.webp) - OpenSuse 15.2 - SUSE 15+ @@ -166,7 +166,7 @@ The following are several examples of supported distributions: - SLED Linux Enterprise Server 15 SP2 - SLED Linux Enterprise Server 15 SP3 -![RedHat based distributions](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/redhatbaseddistributionstwo.webp) +![RedHat based distributions](/img/product_docs/endpointprotector/endpointprotector/install/agent/redhatbaseddistributionstwo.webp) ### Setting the Server IP 
@@ -175,9 +175,9 @@ commands in order to set the Endpoint Protector Server IP. Based on each distribution, follow the corresponding method: -![Setting the Endpoint Protector Server IP](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/setserverip.webp) +![Setting the Endpoint Protector Server IP](/img/product_docs/endpointprotector/endpointprotector/install/agent/setserverip.webp) -![Setting the Endpoint Protector Server IP](../../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/agent/setserveriptwo.webp) +![Setting the Endpoint Protector Server IP](/img/product_docs/endpointprotector/endpointprotector/install/agent/setserveriptwo.webp) ### The Windows Subsystem for Linux @@ -191,7 +191,7 @@ define specific applications or processes associated with WSL that you want to r Follow the steps to use use Denylists to control WSL applications. -**Step 1 –** Navigate to the [Denylists and Allowlists](../../admin/denylistsallowlists/overview.md) +**Step 1 –** Navigate to the [Denylists and Allowlists](/docs/endpointprotector/5.9.4.2/endpointprotector/admin/denylistsallowlists/overview.md) section within the Endpoint Protector Console. **Step 2 –** Create a new **Denylist entry**. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/citrixxenserver.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/citrixxenserver.md index bcf527bc94..6595456b13 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/citrixxenserver.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/citrixxenserver.md 
@@ -13,41 +13,41 @@ Follow the steps to get started with your deployment process. **Step 2 –** Start XenCenter. -![Starting XenCenter](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/startingxencenter.webp) +![Starting XenCenter](/img/product_docs/endpointprotector/endpointprotector/install/startingxencenter.webp) **Step 3 –** Go to File and select **Appliance Import**. -![Selecting Appliance Import under files](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/fileapplianceimport.webp) +![Selecting Appliance Import under files](/img/product_docs/endpointprotector/endpointprotector/install/fileapplianceimport.webp) **Step 4 –** Select the OVF file and then click **Next**. -![Selecting the OVF file for import](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenapplianceimport.webp) +![Selecting the OVF file for import](/img/product_docs/endpointprotector/endpointprotector/install/xenapplianceimport.webp) **Step 5 –** Read and accept the EULA, then click **Next**. **Step 6 –** Select the target for the Virtual Appliance. -![Select the target for the Virtual Appliance.](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenselecttarget.webp) +![Select the target for the Virtual Appliance.](/img/product_docs/endpointprotector/endpointprotector/install/xenselecttarget.webp) **Step 7 –** Select the storage location. -![Select the storage location](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenselectstorage.webp) +![Select the storage location](/img/product_docs/endpointprotector/endpointprotector/install/xenselectstorage.webp) **Step 8 –** Select the network (keep default values). 
-![Selecting the network](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenselectnetwork.webp) +![Selecting the network](/img/product_docs/endpointprotector/endpointprotector/install/xenselectnetwork.webp) **Step 9 –** On the Security screen, click **Next**. -![Selecting Import Security Settings](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xensecuritysettings.webp) +![Selecting Import Security Settings](/img/product_docs/endpointprotector/endpointprotector/install/xensecuritysettings.webp) **Step 10 –** On the Advanced Options screen, click **Next**. -![Advanced setting for Appliance Import](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenadnvancedoptions.webp) +![Advanced setting for Appliance Import](/img/product_docs/endpointprotector/endpointprotector/install/xenadnvancedoptions.webp) **Step 11 –** On the Finish screen, review the configuration, click **Finish** and wait for the import to be completed. -![ Reviewing the configuration and Import progress](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/xenimportprogress.webp) +![ Reviewing the configuration and Import progress](/img/product_docs/endpointprotector/endpointprotector/install/xenimportprogress.webp) The virtual machine is ready to be started. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/hypervtools.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/hypervtools.md index e1eaf53005..71da1eed92 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/hypervtools.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/hypervtools.md 
@@ -13,7 +13,7 @@ Follow the steps below to get started with your implementation. **Step 3 –** From the panel on the right, select the **Import Virtual Machine** option. -![hypervmanager](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/hypervmanager.webp) +![hypervmanager](/img/product_docs/endpointprotector/endpointprotector/install/hypervmanager.webp) **Step 4 –** Click **Next**. 
@@ -23,50 +23,50 @@ Follow the steps below to get started with your implementation. - Virtual Hard Disks - Virtual Machines -![Virtual Appliance folder](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/appliancefolder.webp) +![Virtual Appliance folder](/img/product_docs/endpointprotector/endpointprotector/install/appliancefolder.webp) -![Specifying the Folder containg the VM import](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/locatefolder.webp) +![Specifying the Folder containg the VM import](/img/product_docs/endpointprotector/endpointprotector/install/locatefolder.webp) **Step 6 –** Click **Next**. **Step 7 –** On the Select Virtual Machine section, select the Endpoint Protector Virtual Appliance, then click **Next**. -![Selecting the Endpoint Protector Virtual Appliance](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/selectvirtualmachine.webp) +![Selecting the Endpoint Protector Virtual Appliance](/img/product_docs/endpointprotector/endpointprotector/install/selectvirtualmachine.webp) **Step 8 –** On the Choose Import Type section, select the **Copy the virtual machine (create a new unique ID) option**. Click **Next**. -![Choosing Import Type](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/importtype.webp) +![Choosing Import Type](/img/product_docs/endpointprotector/endpointprotector/install/importtype.webp) **Step 9 –** In the 'Choose Folders for Virtual Machine Files' section, select **Store the virtual machine in a different location**, then specify the desired paths in the three input fields. Click **Next** to proceed. 
-![ Choosing Folders for Virtual Machine Files ](../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/install/filesystemproxy/destination.webp) +![ Choosing Folders for Virtual Machine Files ](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/install/filesystemproxy/destination.webp) **Step 10 –** On the Choose Folders to Store Virtual Hard Disks section, set the desired path for storing imported virtual hard disk. Click **Next**. -![ Setting the desired path for storing the imported virtual hard disk](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/storagefolders.webp) +![ Setting the desired path for storing the imported virtual hard disk](/img/product_docs/endpointprotector/endpointprotector/install/storagefolders.webp) **CAUTION:** If you get to the Get Memory step, it means you have insufficient memory on the Hyper-V Host. Please abort the process here and either increase memory on the Host or choose another Host to import the Endpoint Protector Virtual Appliance on. -![Insufficient memory on the Hyper-V Host](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/configurememory.webp) +![Insufficient memory on the Hyper-V Host](/img/product_docs/endpointprotector/endpointprotector/install/configurememory.webp) **Step 11 –** On the first Connect Network step, please mention the virtual switch you want to use for the first virtual network interface, changing it from ‘Not Connected’ to desired one. Click **Next**. -![Connect network settings](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/connectnetwork.webp) +![Connect network settings](/img/product_docs/endpointprotector/endpointprotector/install/connectnetwork.webp) **Step 12 –** On the second Connect Network step, please mention the virtual switch you want to use for the second virtual network interface. You may use the same one you have used at the previous step. 
Click **Next**. -![Connect network settings](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/networkconnect.webp) +![Connect network settings](/img/product_docs/endpointprotector/endpointprotector/install/networkconnect.webp) **Step 13 –** On the Completing Import Wizard step, check that the settings are the ones wanted. Click **Finish**. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/oraclevm.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/oraclevm.md index a6ba875b24..fce3986480 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/oraclevm.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/oraclevm.md 
@@ -13,29 +13,29 @@ Follow the steps to get started with the import process. **Step 2 –** Open VirtualBox. -![Opening Oracle VM Virtual Box Manager](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/openoraclevm.webp) +![Opening Oracle VM Virtual Box Manager](/img/product_docs/endpointprotector/endpointprotector/install/openoraclevm.webp) **Step 3 –** Go to File and select **Import Appliance**. -![Importing Appliances](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/importappliance.webp) +![Importing Appliances](/img/product_docs/endpointprotector/endpointprotector/install/importappliance.webp) **Step 4 –** On the Appliance to import page, click the **File icon**, browse and select the OVF file from the extracted zip. -![ Selecting the OVF file from the extracted zip](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/selectsource.webp) +![ Selecting the OVF file from the extracted zip](/img/product_docs/endpointprotector/endpointprotector/install/selectsource.webp) **Step 5 –** Click **Open**. -![Selecting the Virtual Appliance to Import](../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/hostdiscovery/wizard/fileimport.webp) +![Selecting the Virtual Appliance to Import](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/hostdiscovery/wizard/fileimport.webp) **Step 6 –** Click **Import**. -![Importing the Virtual Appliance](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/appliancesettings.webp) +![Importing the Virtual Appliance](/img/product_docs/endpointprotector/endpointprotector/install/appliancesettings.webp) **Step 7 –** Wait for the import displayed by the progress bar. 
-![ Import displayed by the progress bar](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/importprogress.webp) +![ Import displayed by the progress bar](/img/product_docs/endpointprotector/endpointprotector/install/importprogress.webp) The virtual machine is now ready for use. -![ Oracle virtual machine ready for use](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/machineready.webp) +![ Oracle virtual machine ready for use](/img/product_docs/endpointprotector/endpointprotector/install/machineready.webp) diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/overview.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/overview.md index fdc611c2e2..cc81eaa9cc 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/overview.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/overview.md @@ -26,8 +26,8 @@ The On-Premise option for a Customer-Managed instance allows for a virtualized i a customer’s LAN setting. Virtualization options include, but are not limited to: VMware and Hyper-V. The Hosted-Cloud method of deployment allows for use of a customer’s Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP) instance. To obtain more specific information for each -of these options, see the [Virtual Appliance Formats](../requirements/formats.md) topic and the -[Cloud Services](../configuration/overview.md) topic. +of these options, see the [Virtual Appliance Formats](/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/formats.md) topic and the +[Cloud Services](/docs/endpointprotector/5.9.4.2/endpointprotector/configuration/overview.md) topic. Alternatively, if a Provider-Managed setup is required, an instance of Endpoint Protector can be spun up in an isolated cloud environment. To obtain more details on the Provider- Managed option, 
diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/setupwizard.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/setupwizard.md index 78f24aaad5..e9731dd51d 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/setupwizard.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/setupwizard.md @@ -11,21 +11,21 @@ Follow the steps to configure the Endpoint Protector Appliance for the first t **Step 1 –** Select **Continue** when finished reading the End User License Agreement. -![End User License Agreement](../../../../../static/img/versioned_docs/threatprevention_7.4/threatprevention/install/licenseagreement.webp) +![End User License Agreement](/img/versioned_docs/threatprevention_7.4/threatprevention/install/licenseagreement.webp) **Step 2 –** Select **Accept**. -![Accepting the term of the license](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/acceptagreement.webp) +![Accepting the term of the license](/img/product_docs/endpointprotector/endpointprotector/install/acceptagreement.webp) **Step 3 –** Select **Networking**. -![Selecting Networking](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/networking.webp) +![Selecting Networking](/img/product_docs/endpointprotector/endpointprotector/install/networking.webp) **Step 4 –** The configuration methods are now available. **CAUTION:** We recommend a manual configuration of the network settings. -![Automatic Network configuration for Endpoint Protector Appliance](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/autonetworkconfig.webp) +![Automatic Network configuration for Endpoint Protector Appliance](/img/product_docs/endpointprotector/endpointprotector/install/autonetworkconfig.webp) ## Manual Configuration 
@@ -34,26 +34,26 @@ the appliance is correctly set up and accessible. **Step 1 –** Select **Configure Network manually** (recommended). -![Manual Network configuration for Endpoint Protector Appliance](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/manualnetworkconfig.webp) +![Manual Network configuration for Endpoint Protector Appliance](/img/product_docs/endpointprotector/endpointprotector/install/manualnetworkconfig.webp) **Step 2 –** Set the IP Address, and Default Gateway (in our example we set the IP Address as 192.168.7.94 and the Default Gateway as 192.168.7.1). -![Setting IP and default GateAway](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/setip.webp) +![Setting IP and default GateAway](/img/product_docs/endpointprotector/endpointprotector/install/setip.webp) **Step 3 –** Press **Tab**. -![Select tab to move to the apply button](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/netmask.webp) +![Select tab to move to the apply button](/img/product_docs/endpointprotector/endpointprotector/install/netmask.webp) **Step 4 –** Select **Apply**. The virtual appliance is now accessible from the configured IP Address. (e.g., https:// 192.168.7.94). -![Virtual appliance is now accessible from the configured IP Address](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/dhcpmethod.webp) +![Virtual appliance is now accessible from the configured IP Address](/img/product_docs/endpointprotector/endpointprotector/install/dhcpmethod.webp) ## Automatic Configuration Select **configure network automatically**, and click **Enter**. 
-![ IP Address and Default Gateway configured automatically](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/staticipmethod.webp) +![ IP Address and Default Gateway configured automatically](/img/product_docs/endpointprotector/endpointprotector/install/staticipmethod.webp) The IP Address and Default Gateway will be configured automatically. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/install/vmwaretools.md b/docs/endpointprotector/5.9.4.2/endpointprotector/install/vmwaretools.md index 061d7f96e4..ac9d05ba5c 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/install/vmwaretools.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/install/vmwaretools.md 
@@ -19,39 +19,39 @@ Follow the steps to set up your virtual machine. **Step 2 –** Start vSphere. -![Using the VMware vShpere](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/startvsphere.webp) +![Using the VMware vShpere](/img/product_docs/endpointprotector/endpointprotector/install/startvsphere.webp) **Step 3 –** Go to File and select **Deploy OVF Template**. -![Selecting Deploy OVF Template.](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/ovftemplate.webp) +![Selecting Deploy OVF Template.](/img/product_docs/endpointprotector/endpointprotector/install/ovftemplate.webp) **Step 4 –** Click **Browse**. -![Browsing the location of the tenplate](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/sourcelocation.webp) +![Browsing the location of the tenplate](/img/product_docs/endpointprotector/endpointprotector/install/sourcelocation.webp) **Step 5 –** Select the OVF file from the extracted zip file. -![Selecting the OVF file from the extracted zip file](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/selectovffile.webp) +![Selecting the OVF file from the extracted zip file](/img/product_docs/endpointprotector/endpointprotector/install/selectovffile.webp) **Step 6 –** Click **Next**. -![Selecting the Source Location](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/ofvsourceselect.webp) +![Selecting the Source Location](/img/product_docs/endpointprotector/endpointprotector/install/ofvsourceselect.webp) **Step 7 –** Check the OVF Template Details and then click **Next**. 
-![Checking the OVF Template Details ](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/ovftemplatedetails.webp) +![Checking the OVF Template Details ](/img/product_docs/endpointprotector/endpointprotector/install/ovftemplatedetails.webp) **Step 8 –** Specify the name of the OVF template and click **Next**. -![Specifying the name of the OVF template ](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/templatenaming.webp) +![Specifying the name of the OVF template ](/img/product_docs/endpointprotector/endpointprotector/install/templatenaming.webp) **Step 9 –** Select the Thin provision Disk Format option and click **Next**. -![Selecting the Thin provision Disk Format](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/diskformat.webp) +![Selecting the Thin provision Disk Format](/img/product_docs/endpointprotector/endpointprotector/install/diskformat.webp) **Step 10 –** Click **Finish** to complete the installation. -![Completing the installation](../../../../../static/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/jobs/instantjobs/installationcomplete.webp) +![Completing the installation](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/admin/jobs/instantjobs/installationcomplete.webp) ### VMware Workstation 
@@ -65,20 +65,20 @@ to the path where your virtual machines are stored. **Step 2 –** Open VMWare Workstation. -![Opening VMWare Workstation](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwareworkstation.webp) +![Opening VMWare Workstation](/img/product_docs/endpointprotector/endpointprotector/install/vmwareworkstation.webp) **Step 3 –** Select **Open Existing VM** or **Team**. -![ Opening Existing VM or Team](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmorteam.webp) +![ Opening Existing VM or Team](/img/product_docs/endpointprotector/endpointprotector/install/vmorteam.webp) **Step 4 –** After the Virtual Appliance is in your inventory power on the Virtual Appliance. -![ Powering on the Virtual Appliance](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/poweron.webp) +![ Powering on the Virtual Appliance](/img/product_docs/endpointprotector/endpointprotector/install/poweron.webp) **Step 5 –** If asked if the Virtual Machine was copied or moved, select **I moved it** (if it is the only Endpoint Protector Virtual Appliance in your network). -![Select I moved it](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwaremoved.webp) +![Select I moved it](/img/product_docs/endpointprotector/endpointprotector/install/vmwaremoved.webp) The Virtual Machine is started and ready for use. 
@@ -96,16 +96,16 @@ to the path where your virtual machines are stored. **Step 2 –** Open your VMware Server web interface and log in. -![Opening VMware Server web interface](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwareserver.webp) +![Opening VMware Server web interface](/img/product_docs/endpointprotector/endpointprotector/install/vmwareserver.webp) **Step 3 –** Select **Add Virtual Machine to inventory**. -![Adding Virtual Machine to inventory](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwaretoinventory.webp) +![Adding Virtual Machine to inventory](/img/product_docs/endpointprotector/endpointprotector/install/vmwaretoinventory.webp) **Step 4 –** Browse in the inventory for Endpoint Protector Virtual Appliance and select the **VMX file** and click **OK**. -![Adding Existing Virtual Machine](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/addexistingvm.webp) +![Adding Existing Virtual Machine](/img/product_docs/endpointprotector/endpointprotector/install/addexistingvm.webp) At this point, the Virtual Machine is ready to be started. 
@@ -119,21 +119,21 @@ to the path where your virtual machines are stored. **Step 2 –** Open VMware Player. -![Opening VMware Player](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwareplayer.webp) +![Opening VMware Player](/img/product_docs/endpointprotector/endpointprotector/install/vmwareplayer.webp) **Step 3 –** Select **Open a Virtual Machine** and select the VMX file from the location where you extracted it and then click **Open**. -![Selecting the VMX file from the location where it was extracted](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwareopenvm.webp) +![Selecting the VMX file from the location where it was extracted](/img/product_docs/endpointprotector/endpointprotector/install/vmwareopenvm.webp) **Step 4 –** After the Virtual Machine is in your inventory click **Play Virtual Machine**. -![Initiating VM Play on VMware Player](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwareplaymachine.webp) +![Initiating VM Play on VMware Player](/img/product_docs/endpointprotector/endpointprotector/install/vmwareplaymachine.webp) **Step 5 –** If asked if the Virtual Machine was copied or moved, select **I moved it** (if it is the only Endpoint Protector Virtual Appliance in your network). -![Select I moved it](../../../../../static/img/product_docs/endpointprotector/endpointprotector/install/vmwaremoved.webp) +![Select I moved it](/img/product_docs/endpointprotector/endpointprotector/install/vmwaremoved.webp) At this point, the Virtual Machine is ready to be started. diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/components.md b/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/components.md index 8768b98c6c..1b52f497e7 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/components.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/requirements/components.md 
@@ -24,7 +24,7 @@ The Client-side of Endpoint Protector has two different components: - Enforced Encryption Client – enforcing 256 AES encryption on USB storage devices as specified from the Server; it is a stand-alone application compatible with Windows and Mac computers. -![Main Components](../../../../../static/img/product_docs/endpointprotector/endpointprotector/requirements/maincomponents.webp) +![Main Components](/img/product_docs/endpointprotector/endpointprotector/requirements/maincomponents.webp) ## Architecture Overview @@ -32,7 +32,7 @@ The diagram below illustrates the network architecture for the Endpoint Protecto enables comprehensive Data Loss Prevention (DLP) across both local and remote users, securing sensitive information and ensuring compliance with security policies. -![Architecture Overview](../../../../../static/img/product_docs/endpointprotector/endpointprotector/requirements/networkarchitecture.webp) +![Architecture Overview](/img/product_docs/endpointprotector/endpointprotector/requirements/networkarchitecture.webp) ### Key Components and Data Flow diff --git a/docs/endpointprotector/5.9.4.2/endpointprotector/whatsnew.md b/docs/endpointprotector/5.9.4.2/endpointprotector/whatsnew.md index 5efaa7d047..775fb1653a 100644 --- a/docs/endpointprotector/5.9.4.2/endpointprotector/whatsnew.md +++ b/docs/endpointprotector/5.9.4.2/endpointprotector/whatsnew.md @@ -36,7 +36,7 @@ New branding cover: • CoSoSys Endpoint Protector is now Netwrix Endpoint Protector -![eppnetwrixbranding](../../../../static/img/product_docs/endpointprotector/endpointprotector/eppnetwrixbranding.webp) +![eppnetwrixbranding](/img/product_docs/endpointprotector/endpointprotector/eppnetwrixbranding.webp) **NOTE:** All hardcoded e-mail addresses are not changed from CoSoSys.com domain to avoid misconfiguration issues of any existing firewall filtering configuration. 
diff --git a/docs/groupid/11.0/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md b/docs/groupid/11.0/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md index cac8b06ea2..8936fa3e13 100644 --- a/docs/groupid/11.0/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md +++ b/docs/groupid/11.0/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md @@ -170,7 +170,7 @@ Step 7 – Enter a regular expression in the Email Alias Regular Expression box; created in the external provider must satisfy this regular expression. Follow these links for information about regular expressions and their syntax: -- [Introduction to Regular Expressions]() +- [Introduction to Regular Expressions](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/28hw3sce(v%3dvs.100)) - [Regular Expression Syntax Reference](https://msdn.microsoft.com/en-us/library/ms840427.aspx) Step 8 – In the Enter Example to Validate Regular Expression box, enter an email alias as an diff --git a/docs/groupid/11.0/groupid/admincenter/portal/create.md b/docs/groupid/11.0/groupid/admincenter/portal/create.md index efa0f058c2..5122617d70 100644 --- a/docs/groupid/11.0/groupid/admincenter/portal/create.md +++ b/docs/groupid/11.0/groupid/admincenter/portal/create.md @@ -12,7 +12,7 @@ A portal is hosted on a web server, with native IIS, remote IIS, and Docker as t servers. - **IIS deployment** - Your GroupID portal is hosted within a site in IIS. To launch IIS, - see [Opening IIS Manager](). + see [Opening IIS Manager](https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90)). ![in_iis](/img/versioned_docs/groupid_11.0/groupid/admincenter/portal/in_iis.webp) diff --git a/docs/groupid/11.0/groupid/admincenter/portal/displaytype/textbox.md b/docs/groupid/11.0/groupid/admincenter/portal/displaytype/textbox.md index cec2095270..4ad7fce9e1 100644 
--- a/docs/groupid/11.0/groupid/admincenter/portal/displaytype/textbox.md +++ b/docs/groupid/11.0/groupid/admincenter/portal/displaytype/textbox.md @@ -17,7 +17,7 @@ regular expression for a US phone number of the pattern: (555) 123-4567 will be: To learn about regular expressions and their syntax, see -- [Introduction to Regular Expressions]() +- [Introduction to Regular Expressions](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/28hw3sce(v%3dvs.100)) - [Regular Expression Syntax Reference](https://msdn.microsoft.com/en-us/library/ms840427.aspx) ## Predefined Text Box Display Types diff --git a/docs/groupid/11.0/groupid/admincenter/portal/remoteiisprerequisites.md b/docs/groupid/11.0/groupid/admincenter/portal/remoteiisprerequisites.md index d8fea096cb..9ddd8c3b4b 100644 --- a/docs/groupid/11.0/groupid/admincenter/portal/remoteiisprerequisites.md +++ b/docs/groupid/11.0/groupid/admincenter/portal/remoteiisprerequisites.md @@ -32,7 +32,7 @@ site. **To create a site in remote IIS:** 1. Launch Internet Information Services (IIS) Manager (see - [Opening IIS Manager]()). + [Opening IIS Manager](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90). 2. In the left pane, right-click **Sites** and select **Add Website**. ![Add a website in IIS](/img/versioned_docs/groupid_11.0/groupid/admincenter/portal/addsite.webp) diff --git a/docs/groupid/11.0/groupid/admincenter/service/overview.md b/docs/groupid/11.0/groupid/admincenter/service/overview.md index a9d737a869..edd5637ef2 100644 --- a/docs/groupid/11.0/groupid/admincenter/service/overview.md +++ b/docs/groupid/11.0/groupid/admincenter/service/overview.md 
@@ -33,7 +33,7 @@ different web servers. For example, you can host one Data service in native IIS Docker. To launch IIS on a machine, see -[Opening IIS Manager](). +[Opening IIS Manager](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90)). ![in_iis](/img/versioned_docs/groupid_11.0/groupid/admincenter/portal/in_iis.webp) diff --git a/docs/groupid/11.0/groupid/admincenter/smsgateway/custom/userid.md b/docs/groupid/11.0/groupid/admincenter/smsgateway/custom/userid.md index 86c2349220..58097657fc 100644 --- a/docs/groupid/11.0/groupid/admincenter/smsgateway/custom/userid.md +++ b/docs/groupid/11.0/groupid/admincenter/smsgateway/custom/userid.md @@ -8,7 +8,7 @@ Gets or sets the user name of the account registered with the SMS gateway provid **Syntax** -[Copy]() +[Copy](javascript:void(0);) ``` string UserId { get; set; } diff --git a/docs/groupid/11.0/groupid/api/datasource/dsodbc.md b/docs/groupid/11.0/groupid/api/datasource/dsodbc.md index 106ecbe073..1214d389a2 100644 --- a/docs/groupid/11.0/groupid/api/datasource/dsodbc.md +++ b/docs/groupid/11.0/groupid/api/datasource/dsodbc.md @@ -45,7 +45,7 @@ an ODBC-compatible provider. #### Sample Request Syntax -[Copy]() +[Copy](javascript:void(0);) ``` { diff --git a/docs/groupid/11.0/groupid/authenticate/asserviceprovider/adfs/overview.md b/docs/groupid/11.0/groupid/authenticate/asserviceprovider/adfs/overview.md index abef122e2f..0659cbd86f 100644 --- a/docs/groupid/11.0/groupid/authenticate/asserviceprovider/adfs/overview.md +++ b/docs/groupid/11.0/groupid/authenticate/asserviceprovider/adfs/overview.md @@ -22,7 +22,7 @@ server. - Configure the types of claims that are supported by AD FS. To learn more about the AD FS console, see -[AD FS Console](). +[AD FS Console](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/gg557729(v=ws.10)?redirectedfrom=MSDN). ## Configuration Steps 
diff --git a/docs/groupid/11.0/groupid/install/backuprestore.md b/docs/groupid/11.0/groupid/install/backuprestore.md index 6c781da0f1..2194184e4c 100644 --- a/docs/groupid/11.0/groupid/install/backuprestore.md +++ b/docs/groupid/11.0/groupid/install/backuprestore.md @@ -26,7 +26,7 @@ default folder location is: C:/ProgramData/Imanami/GroupID 10.0/Replication/data/ ``` -ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group)(objectCategory=group)(|(extensionData=*)(extensionAttribute15=*)(extensionAttribute14=*)(extensionAttribute13=*)(extensionAttribute12=*)))" -p Subtree -l extensionData,extensionAttribute15,extensionAttribute14,extensionAttribute13,extensionAttribute12 +ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group)(objectCategory=group)(|(extensionData=*)(extensionAttribute15=*)(extensionAttribute14=*)(extensionAttribute13=*)(extensionAttribute12=*)" -p Subtree -l extensionData,extensionAttribute15,extensionAttribute14,extensionAttribute13,extensionAttribute12 ``` ## GroupID Self-Service Portals diff --git a/docs/groupid/11.0/groupid/install/database.md b/docs/groupid/11.0/groupid/install/database.md index 240e30d44c..ea8b52d0ec 100644 --- a/docs/groupid/11.0/groupid/install/database.md +++ b/docs/groupid/11.0/groupid/install/database.md @@ -19,7 +19,7 @@ that case, you have to type the server name in the **SQL Server** box to select manually. To enable the SQL Server Browser service, see -[How to: Start and Stop the SQL Server Browser Service](). +[How to: Start and Stop the SQL Server Browser Service](http://technet.microsoft.com/en-us/library/ms189093(v=sql.105).aspx). See Also diff --git a/docs/groupid/11.0/groupid/portal/synchronize/job/mappingfield.md b/docs/groupid/11.0/groupid/portal/synchronize/job/mappingfield.md index d985983d5d..8e4404935a 100644 --- a/docs/groupid/11.0/groupid/portal/synchronize/job/mappingfield.md +++ b/docs/groupid/11.0/groupid/portal/synchronize/job/mappingfield.md 
@@ -33,7 +33,7 @@ Mandatory attributes for User: | directoryrole | Every user is assigned a role in Microsoft Entra ID. In static transformation, it will auto-generate all roles in the tenant. Select the one you want to choose. | | | displayname | Given the name that appears on Microsoft Entra ID. You can map it with the first name. | | | givenname | First name of the user in Microsoft Entra ID. | | -| userprincipalname | You need to amend the domain name to give the userprincipalname. It is the mandatory key value and is unique for every user. In static transformation, select join to modify the name. Then go to the script transformation and you will see the updated script. [Copy]() `DTM.Source("First") & "." & DTM.Source("Last") & "@001wrc.onmicrosoft.com"` In the script, add the domain name and generate new userprincipal names for each user based on the join and script transform. | | +| userprincipalname | You need to amend the domain name to give the userprincipalname. It is the mandatory key value and is unique for every user. In static transformation, select join to modify the name. Then go to the script transformation and you will see the updated script. [Copy](javascript:void(0);) `DTM.Source("First") & "." & DTM.Source("Last") & "@001wrc.onmicrosoft.com"` In the script, add the domain name and generate new userprincipal names for each user based on the join and script transform. | | | password | Generate passwords for the users. | | Mandatory attributes for Mail-enabled User: diff --git a/docs/groupid/11.0/groupid/portal/synchronize/script/visualbasicnetbasic.md b/docs/groupid/11.0/groupid/portal/synchronize/script/visualbasicnetbasic.md index ee8787bbd0..4894b96c05 100644 --- a/docs/groupid/11.0/groupid/portal/synchronize/script/visualbasicnetbasic.md +++ b/docs/groupid/11.0/groupid/portal/synchronize/script/visualbasicnetbasic.md 
@@ -8,9 +8,9 @@ article for additional information. Visual Basic .NET is largely a superset of Visual Basic 6. If you are familiar with Visual Basic before the advent of .NET technology, you may wish to refer to -[Language Changes in Visual Basic](), +[Language Changes in Visual Basic](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/skw8dhdd(v%3dvs.90)), and particularly to -[Programming Element Support Changes Summary](). +[Programming Element Support Changes Summary](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/kaf4ssya(v%3dvs.90)). For the most part, statements and constructs that worked in Visual Basic 6, Visual BasicScript, and Visual BasicA continue to work in Visual Basic .NET. @@ -96,7 +96,7 @@ the first character occupies position 0) instead of 1-based (the first character ``` For a list of such string methods, see -[.NET String Methods](). +[.NET String Methods](https://msdn.microsoft.com/en-us/library/system.string_methods(v%3dvs.110).aspx). ## Line Continuation diff --git a/docs/groupid/11.1/groupid/admincenter/authenticate.md b/docs/groupid/11.1/groupid/admincenter/authenticate.md index 541eddb093..f016998861 100644 --- a/docs/groupid/11.1/groupid/admincenter/authenticate.md +++ b/docs/groupid/11.1/groupid/admincenter/authenticate.md @@ -1,7 +1,7 @@ # Authenticate your Identity Store Account To authenticate your identity store account in Directory Manager for multifactor authentication or -[Second Factor Authentication](../portal/user/authentication/secondfactorauthentication.md), you +[Second Factor Authentication](/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md), you must use one or more authentication types that you enrolled your account with. ## Authenticate your identity store account 
diff --git a/docs/groupid/11.1/groupid/admincenter/datasource/create.md b/docs/groupid/11.1/groupid/admincenter/datasource/create.md index a857feb9ab..60ae74a435 100644 --- a/docs/groupid/11.1/groupid/admincenter/datasource/create.md +++ b/docs/groupid/11.1/groupid/admincenter/datasource/create.md @@ -94,7 +94,7 @@ Center. NOTE: The registered app must have the following API permissions to access files on OneDrive: -![API permissions](../../../../../../static/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) +![API permissions](/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) Step 8 – In the Registered Tenant ID on Azure Active Directory box, enter the tenant ID assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. @@ -182,7 +182,7 @@ Center. NOTE: The registered app must have the following API permissions to access files on OneDrive: -![API permissions](../../../../../../static/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) +![API permissions](/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) Step 9 – In the Registered Tenant ID on Azure Active Directory box, enter the tenant ID assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. @@ -344,7 +344,7 @@ Center. NOTE: The registered app must have the following API permissions to access files on OneDrive: -![API permissions](../../../../../../static/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) +![API permissions](/img/product_docs/groupid/groupid/admincenter/datasource/apipermissions.webp) Step 9 – In the Registered Tenant ID on Azure Active Directory box, enter the tenant ID assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. 
diff --git a/docs/groupid/11.1/groupid/admincenter/datasource/manage.md b/docs/groupid/11.1/groupid/admincenter/datasource/manage.md index 670e30579d..c6d7e5e10f 100644 --- a/docs/groupid/11.1/groupid/admincenter/datasource/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/datasource/manage.md @@ -30,7 +30,7 @@ Step 2 – On the Data Sources page, click the tab for the provider the data sou Step 3 – Click **Edit** for a data source. The **Update Data Source** page is displayed, that differs by provider. Refer to the steps for creating the respective data source in the -[Create a Data Source](create.md) topic to modify the info. +[Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic to modify the info. Step 4 – Click **Update Data Source**. diff --git a/docs/groupid/11.1/groupid/admincenter/datasource/overview.md b/docs/groupid/11.1/groupid/admincenter/datasource/overview.md index e57a0b10ce..7cefede67c 100644 --- a/docs/groupid/11.1/groupid/admincenter/datasource/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/datasource/overview.md 
@@ -18,26 +18,26 @@ Data sources are used in the Directory Manager portal in the following ways: As source and destination in Synchronize jobs Synchronize jobs enable you to provision objects, deprovision objects, and sync data from one data -source to another. See the [Synchronize](../../portal/synchronize/overview.md) topic for additional +source to another. See the [Synchronize](/docs/groupid/11.1/groupid/portal/synchronize/overview.md) topic for additional information. As external data source for query-based searches A Query Designer is used to perform targeted searches in the directory. While creating a search query, you can combine a data source with the directory to search for specific objects. See the -[Query Based Advanced Search](../../portal/search/querysearch.md) topic for additional information. +[Query Based Advanced Search](/docs/groupid/11.1/groupid/portal/search/querysearch.md) topic for additional information. As external data source for membership queries A Query Designer enables you to specify membership queries for Smart Groups and Dynasties. When you specify a data source in the Query Designer, Directory Manager reads records from it and fetches similar objects from the directory to add to a group's membership. See the -[Query Designer - Database tab](../../portal/group/querydesigner/database.md) topic for additional +[Query Designer - Database tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md) topic for additional information. As external data source for query-based searches Another Query Designer is used to perform targeted searches in the directory. While creating a search query, you can combine a data source with the directory to search for specific objects. See -the [Query Based Advanced Search](../../portal/search/querysearch.md) topic for additional +the [Query Based Advanced Search](/docs/groupid/11.1/groupid/portal/search/querysearch.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/admincenter/enroll.md b/docs/groupid/11.1/groupid/admincenter/enroll.md index f6e1f9872e..d40de4e666 100644 --- a/docs/groupid/11.1/groupid/admincenter/enroll.md +++ b/docs/groupid/11.1/groupid/admincenter/enroll.md @@ -7,7 +7,7 @@ enrolling, they will not be able to sign into Directory Manager. To enroll, a user must register his or her identity store account in Directory Manager using one or more authentication types. When a user enrolls for multifactor authentication, it also suffices for second factor authentication, and vice versa. See the -[Authentication Policy](identitystore/configure/authpolicy.md) topic for a list of supported +[Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) topic for a list of supported authentication types. - For second factor authentication, a user must enroll his or her account with any one diff --git a/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md b/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md index d82a038162..2eba8c299d 100644 --- a/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md 
@@ -75,17 +75,17 @@ The following information is displayed for a file server in the **Included File performed by the GroupID Entitlement schedule. Different statuses are: - **Request - ![rc_request](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_request.webp):** + ![rc_request](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_request.webp):** permission data for the file server has never been replicated to Elasticsearch. - **Success - ![rc_success](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_success.webp):** + ![rc_success](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_success.webp):** permission data for the file server was successfully replicated when the GroupID Entitlement schedule last ran. - **Fail - ![rc_fail](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_fail.webp):** + ![rc_fail](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_fail.webp):** replication failed for the server due to an error. - **Running - ![rc_running](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_running.webp):** + ![rc_running](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/rc_running.webp):** the GroupID Entitlement schedule is running and replication is in progress. - **Last Replicated**: the date and time the GroupID Entitlement schedule last replicated 
@@ -175,7 +175,7 @@ for entitlement management. a server and select **Edit**. On the **Edit Server** dialog box: - The **Server Shares** area displays the shared folders on the server. - - The name of the [GroupID Entitlement Schedule](../../schedule/entitlement.md) that computes + - The name of the [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) that computes the permissions on shared files and folders residing on the server and replicates them to Elasticsearch, is displayed next to **Job**. @@ -215,9 +215,9 @@ can designate a different account for this activity. a server and select **Edit**. 5. On the **Edit Server** dialog box, you can change the service account used to connect to the server for reading and updating permissions. The - [GroupID Entitlement Schedule](../../schedule/entitlement.md), - [Entitlement Scope Schedule](../../schedule/entitlementscope.md), and - [Entitlement Temporary Permissions Schedule](../../schedule/entitlementtemporarypermissions.md) + [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md), + [Entitlement Scope Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md), and + [Entitlement Temporary Permissions Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md) run in the context of the account specified here. - The **Use Identity Store Service Account** check box is selected by default, indicating that 
@@ -237,7 +237,7 @@ can designate a different account for this activity. After adding a file server for entitlement management, it is essential to replicate object permissions from the file server to Elasticsearch. -The [GroupID Entitlement Schedule](../../schedule/entitlement.md) runs on a set frequency to +The [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) runs on a set frequency to replicate the effective NTFS permission for the file servers. You can also run this schedule any time manually for a specific file server or all file servers listed in the **Included File Servers** section on the **Entitlement** page. @@ -256,7 +256,7 @@ section on the **Entitlement** page. select the check boxes for the servers you want to replicate. To replicate all servers, select the check box in the header row. This displays the following icons: - **![replicate_permissions](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp)** + **![replicate_permissions](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp)** Either click the **Replicate** icon or the **Replicate** button. @@ -288,7 +288,7 @@ You can exclude a file server in the identity store from replication and entitle want to replicate. To exclude all servers, select the check box in the header row. This displays the following icons: - ![replicate_permissions](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) + ![replicate_permissions](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) Click **Remove**. The servers are moved to the **Excluded File Servers** area. 
@@ -311,5 +311,5 @@ You can restore an excluded server in the identity store for replication and ent See Also -- [Entitlement](../overview.md) -- [Manage SharePoint Sites](../entraid/manage.md) +- [Entitlement](/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md) +- [Manage SharePoint Sites](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md b/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md index bd9a98ba73..19ba0fc0a0 100644 --- a/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md @@ -59,7 +59,7 @@ Step 5 – Click **Save**. The information displayed for a site in the Included SharePoint Sites area is the same as displayed for a file server in an Active Directory identity store. Refer to the -[File Server Details ](../ad/manage.md#file-server-details) topic for more info. Though in this +[File Server Details ](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md#file-server-details) topic for more info. Though in this case, the User namecolumn displays the username of the account used to connect to the site, and it is not blank. @@ -67,7 +67,7 @@ is not blank. Use the _Search Filters_ option in the Included SharePoint Sites area to search for a site in the listing. The filters are the same as displayed for a file server in an Active Directory identity -store. Refer to the [Search File Servers ](../ad/manage.md#search-file-servers) topic for performing +store. Refer to the [Search File Servers ](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md#search-file-servers) topic for performing a search. ## Include Future Sites for Entitlement Management 
@@ -102,7 +102,7 @@ Step 4 – In the Included SharePoint Sites area on the **Entitlement** page, cl button for a site and select **Edit**. On the **Edit Site** dialog box: - The Site Libraries area displays the document libraries in the site. -- The name of the [GroupID Entitlement Schedule](../../schedule/entitlement.md) that computes the +- The name of the [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) that computes the permissions on document libraries in the site and replicates them to Elasticsearch, is displayed next to **Job**. @@ -152,9 +152,9 @@ button for a site and select **Edit**. Step 5 – On the **Edit Site** dialog box, you can change the service account used to connect to the site for reading and updating permissions. The -[GroupID Entitlement Schedule](../../schedule/entitlement.md), -[Entitlement Scope Schedule](../../schedule/entitlementscope.md), and -[Entitlement Temporary Permissions Schedule](../../schedule/entitlementtemporarypermissions.md) run +[GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md), +[Entitlement Scope Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md), and +[Entitlement Temporary Permissions Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md) run in the context of the account specified here. - The User name and Password boxes display the credentials of the account used to connect to the 
@@ -179,7 +179,7 @@ Step 2 – Click **Save** on the Entitlement page. After adding the SharePoint admin URL to manage entitlements for document libraries in the sites, it is essential to replicate object permissions from the SharePoint server to Elasticsearch. -The [GroupID Entitlement Schedule](../../schedule/entitlement.md) runs on a set frequency to +The [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) runs on a set frequency to replicate the effective permissions on document libraries in the sites. You can also run this schedule any time manually for a site listed in the Included SharePoint sites area on the Entitlementpage. @@ -201,7 +201,7 @@ Step 4 – On the Entitlement page, you can manually replicate permissions for o replicate. To replicate all sites, select the check box in the header row. This displays the following icons: - ![replicate_permissions](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) + ![replicate_permissions](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) Either click the **Replicate** icon or the **Replicate** button. @@ -235,7 +235,7 @@ Step 4 – On the **Entitlement** page, you can exclude one or more sites. Select the check boxes for the sites you do not want to replicate. To exclude all sites, select the check box in the header row. This displays the following icons: - ![replicate_permissions](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) + ![replicate_permissions](/img/product_docs/groupid/groupid/admincenter/entitlement/ad/replicate_permissions.webp) Click **Remove**. The sites are moved to the **Excluded SharePoint Sites** area. 
@@ -262,5 +262,5 @@ Step 5 – Click **Save**. See Also -- [Entitlement](../overview.md) -- [Manage File Servers](../ad/manage.md) +- [Entitlement](/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md) +- [Manage File Servers](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md b/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md index c7f793d758..053de5710b 100644 --- a/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md @@ -27,7 +27,7 @@ the following: file server(s), and replicate those permissions to Elasticsearch. - View and manage entitlements in the Entitlement section of the Directory Manager portal. -See the [Manage File Servers](ad/manage.md) topic for additional information. +See the [Manage File Servers](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md) topic for additional information. ## Entitlement for SharePoint @@ -53,7 +53,7 @@ do the following: and replicate those permissions to Elasticsearch. - View and manage entitlements in the Entitlement section of the Directory Manager portal. -See the [Manage SharePoint Sites](entraid/manage.md) topic for additional information. +See the [Manage SharePoint Sites](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md) topic for additional information. ## Perpetual Entitlements vs Temporary Entitlements 
@@ -72,12 +72,12 @@ Using Directory Manager, you can manage entitlements in the following ways: When you add the first server or site for entitlement management, the following three schedules are automatically created in the identity store: -- [GroupID Entitlement Schedule](../schedule/entitlement.md) - replicates object permissions on file +- [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) - replicates object permissions on file servers and SharePoint sites for an Active Directory and Microsoft Entra ID identity store respectively. It performs a complete replication. -- [Entitlement Scope Schedule](../schedule/entitlementscope.md) - replicates changes made to object +- [Entitlement Scope Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md) - replicates changes made to object permissions on file servers and SharePoint sites using Directory Manager. -- [Entitlement Temporary Permissions Schedule](../schedule/entitlementtemporarypermissions.md) - +- [Entitlement Temporary Permissions Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md) - updates the temporary permissions for objects on file servers and SharePoint sites. ## What is Replication? @@ -104,4 +104,4 @@ such as navigate file servers and SharePoint sites, grant permissions to objects resources, revoke permissions, and more. Entitlement-related permissions for a security role are discussed in the -[Entitlement](../securityrole/permissions.md#entitlement) topic. +[Entitlement](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md#entitlement) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md b/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md index a23111ebfd..047b29eab9 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md +++ b/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md 
@@ -33,7 +33,7 @@ To add a third-party application: 2. Click **Add Apps** on the **GroupID Applications** page to add a third-party application. You are redirected to the **Create Application** page, where you can provide the details of the application you want to add as a service provider in Directory Manager. See the - [Register an Application (Service Provider) in Directory Manager](../../authenticate/asidentityprovider/register.md) + [Register an Application (Service Provider) in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asidentityprovider/register.md) topic. ## Enroll your Account @@ -41,4 +41,4 @@ To add a third-party application: 1. In Admin Center, click your name in the top right corner and select **My Applications**. 2. Click **Enroll your account** on the **GroupID Applications** page to enroll the identity store account with which you are signed into Admin Center. See the - [Enroll your Identity Store Account](../enroll.md) topic for enrollment details. + [Enroll your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic for enrollment details. diff --git a/docs/groupid/11.1/groupid/admincenter/general/changepassword.md b/docs/groupid/11.1/groupid/admincenter/general/changepassword.md index b7f44757d1..34720056c1 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/changepassword.md +++ b/docs/groupid/11.1/groupid/admincenter/general/changepassword.md @@ -5,7 +5,7 @@ to sign into Directory Manager and other applications that use your domain accou You can change password according to the password policy the administrator has enabled for the identity store. The administrator can either enable -[Directory Manage Password Policy ](../securityrole/policy/password.md) or Netwrix Password Policy +[Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) or Netwrix Password Policy Enforcer policies for the identity store. ## Change your Password 
@@ -26,7 +26,7 @@ Step 4 – Click **Change Password**. NOTE: MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If they try to use the option, the following message is displayed:. -![Admin Center Change Password error message for an Entra ID user](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) +![Admin Center Change Password error message for an Entra ID user](/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) If the user's account is a master account, password of its child accounts also cannot be changed in Directory Manager. diff --git a/docs/groupid/11.1/groupid/admincenter/general/dashboard.md b/docs/groupid/11.1/groupid/admincenter/general/dashboard.md index f1acf6dddf..f979cc8bfe 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/dashboard.md +++ b/docs/groupid/11.1/groupid/admincenter/general/dashboard.md @@ -7,7 +7,7 @@ In Admin Center, click **Dashboard** in the left pane. The dashboard displays th with aggregated data from all identity stores built on Active Directory, Microsoft Entra ID, Google Workspace, and Generic LDAP, as well as individual identity stores. -![dashboard](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) +![dashboard](/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) The dashboard displays the following information: @@ -57,7 +57,7 @@ notifications that could not be delivered for any reason, such as when the SMTP the recipient’s address is incorrect. Click **View All** to go to the **Notification Queue** page, where you can view the failed -notifications in detail. See the [Manage the Notification Queue](../notification/queue.md) topic. +notifications in detail. See the [Manage the Notification Queue](/docs/groupid/11.1/groupid/admincenter/notification/queue.md) topic. ## Upcoming Schedules 
@@ -76,7 +76,7 @@ or select _All Identity Stores_ to view the upcoming schedules for all identity Click **View All** to view a list of the upcoming schedules with their names, the next date and time of schedule run, and the identity store they belong to. -![image38](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/image38.webp) +![image38](/img/product_docs/groupid/groupid/admincenter/general/image38.webp) ## Replication Status of Identity Stores @@ -103,7 +103,7 @@ Consider the following: - Hover the mouse over a bar to view the number of users enrolled with the specific authentication type. Click a bar to launch the **Helpdesk** page, that displays a list of users enrolled with that authentication type. See the - [View Users' Information](../helpdesk/operation/search.md#view-users-information) topic for + [View Users' Information](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md#view-users-information) topic for details on the information displayed for a user. (Notice that the **Filter(s)** dialog box displays the selected authentication type in the **Enrolled With** box.) - By default, data is displayed for the last one month. You can view enrollment data for any @@ -127,7 +127,7 @@ The pie chart is highly interactive. You can: for each authentication type. Another pie chart appears to display the authentication types used in the authentication attempt. Click this chart to navigate to the **History** tab of the **Helpdesk** page to view the logged history for the authentication attempts with the respective - authentication type. See the [History in Helpdesk](../helpdesk/history.md) topic. + authentication type. See the [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. Consider the following: 
@@ -139,7 +139,7 @@ Consider the following: specific period. Click the tile showing the time period to launch the calendar. Use it to specify a date range to view the data. -See the [Authentication Policy](../identitystore/configure/authpolicy.md) topic for a list of +See the [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) topic for a list of supported authentication types. ## Activity Summary @@ -162,7 +162,7 @@ Consider the following: all identity stores. - To view a list of users who used a function on a particular date, click the relevant data point on the function line. A list of users is displayed on the **History** tab of the **Helpdesk** page. - See the [History in Helpdesk](../helpdesk/history.md) topic. (Notice that the **Filter(s)** dialog + See the [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. (Notice that the **Filter(s)** dialog box displays the selected function in the **Action Type** box.) - By default, data is displayed for the last one week. You can view activity summary for any specific period. Click the tile showing the time period to launch the calendar. Use it to specify @@ -173,4 +173,4 @@ Consider the following: **See Also** -- [Navigation](navigation.md) +- [Navigation](/docs/groupid/11.1/groupid/admincenter/general/navigation.md) diff --git a/docs/groupid/11.1/groupid/admincenter/general/globalpool.md b/docs/groupid/11.1/groupid/admincenter/general/globalpool.md index 0510c723f8..eaf8a70782 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/globalpool.md +++ b/docs/groupid/11.1/groupid/admincenter/general/globalpool.md 
@@ -35,6 +35,6 @@ To search for a security question in the list, enter a search string in the sear **See Also** -- [Set up Authentication via Security Questions](../setupauth/securityquestions.md) -- [Directory Manage Password Policy ](../securityrole/policy/password.md) -- [Manage the Local Question Pool](../identitystore/configure/security/securityquestions.md) +- [Set up Authentication via Security Questions](/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md) +- [Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) +- [Manage the Local Question Pool](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md) diff --git a/docs/groupid/11.1/groupid/admincenter/general/history.md b/docs/groupid/11.1/groupid/admincenter/general/history.md index 2ff48c6bf3..7838773c69 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/history.md +++ b/docs/groupid/11.1/groupid/admincenter/general/history.md @@ -18,8 +18,8 @@ History can be viewed using the **History** node in Admin Center. You can: - Narrow down the history items using filters. - Export history data to Microsoft Excel, CSV, and XML formats. -See the [History in Directory Manager](../history.md) and -[Event Logging](../identitystore/history/eventlogging.md) topics for additional information. +See the [History in Directory Manager](/docs/groupid/11.1/groupid/admincenter/history.md) and +[Event Logging](/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md) topics for additional information. What do you want to do? 
@@ -48,28 +48,28 @@ To view history: - **Removed Item(s):** This box is displayed for actions showing deletion. It displays a short description of the action. 3. The **Add Note** button is available if you performed this action. See - [Annotate History Items](../identitystore/history/details.md#annotate-history-items) to manage + [Annotate History Items](/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md#annotate-history-items) to manage notes. 4. Click **Close**. ### Filter History Data Filters on the **Admin Center History** page are similar to those on the **Identity Store History** -page. Refer to the [Filter History Data](../identitystore/history/view.md#filter-history-data) topic +page. Refer to the [Filter History Data](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md#filter-history-data) topic to apply the filters. ### Navigate the History Data Navigation options on the **Admin Center History** page are similar to those on the **Identity Store History** page. Refer to the -[Navigate Through History Items](../identitystore/history/view.md#navigate-through-history-items) +[Navigate Through History Items](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md#navigate-through-history-items) topic for help. ## Annotate History Items 1. In Admin Center, click **History** in the left pane. 2. On the **Admin Center History** page, click a history item and proceed to add a note. See the - [Annotate History Items](../identitystore/history/details.md#annotate-history-items) topic for + [Annotate History Items](/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md#annotate-history-items) topic for details. ## Export Admin Center History diff --git a/docs/groupid/11.1/groupid/admincenter/general/logs.md b/docs/groupid/11.1/groupid/admincenter/general/logs.md index a78122f1ab..3707e5b3cb 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/logs.md 
+++ b/docs/groupid/11.1/groupid/admincenter/general/logs.md @@ -41,5 +41,5 @@ What do you want to do? **See Also** -- [Event Logging](../identitystore/history/eventlogging.md) -- For a Portal - [Manage Log Settings](../portal/server/log.md) +- [Event Logging](/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md) +- For a Portal - [Manage Log Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md) diff --git a/docs/groupid/11.1/groupid/admincenter/general/navigation.md b/docs/groupid/11.1/groupid/admincenter/general/navigation.md index 002f08f6df..38ed4f6300 100644 --- a/docs/groupid/11.1/groupid/admincenter/general/navigation.md +++ b/docs/groupid/11.1/groupid/admincenter/general/navigation.md @@ -1,6 +1,6 @@ # Navigation -On signing into Admin Center, you land on the [Dashboard](dashboard.md). +On signing into Admin Center, you land on the [Dashboard](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md). The following options help you to navigate the application: @@ -29,7 +29,7 @@ When you perform a search, it looks up the following in Admin Center: 1. In Admin Center, enter a search string in the Search box at the top of the page. A list of matched items is displayed as you type. For example, as you type ‘ta’, it shows: - ![quick_search](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/quick_search.webp) + ![quick_search](/img/product_docs/groupid/groupid/admincenter/general/quick_search.webp) 2. On clicking **Quick Actions** for an identity store, it displays the settings available for the identity store. Click an option to navigate to it. 
@@ -41,7 +41,7 @@ The top right corner of the application displays the following: | Icon | Description | | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Help icon | Click it to launch Admin Center help. | -| Manage SAML icon | Click it to launch the Authenticate panel, where you can: - Set up Directory Manager as a service provider. Directory Manager can integrate with several single sign-on (SSO) solutions that support the SAML 2.0 standard. - Set up Directory Manager as an identity provider. See the [Authenticate](../../authenticate/overview.md) topic. | +| Manage SAML icon | Click it to launch the Authenticate panel, where you can: - Set up Directory Manager as a service provider. Directory Manager can integrate with several single sign-on (SSO) solutions that support the SAML 2.0 standard. - Set up Directory Manager as an identity provider. See the [Authenticate](/docs/groupid/11.1/groupid/authenticate/overview.md) topic. | | Profile icon | Displays your profile picture with your name and the identity store that Admin Center is connected to. Click it to launch a menu that displays the Directory Manager version and the security role assigned to you in Directory Manager. The menu also displays options to change your password, access your applications, and sign out of Admin Center. | ## Menu Pane 
@@ -64,6 +64,6 @@ The menu pane in the left enables you to navigate to different functions in Admi **See Also** -- [Change your Password](changepassword.md) -- [Switch Accounts](switchaccount.md) -- [Access your Applications](accessapplications.md) +- [Change your Password](/docs/groupid/11.1/groupid/admincenter/general/changepassword.md) +- [Switch Accounts](/docs/groupid/11.1/groupid/admincenter/general/switchaccount.md) +- [Access your Applications](/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md index 2b9ed135c9..8c23b75ef1 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md @@ -158,6 +158,6 @@ To perform a search: **See Also** -- [Dashboard](../general/dashboard.md) -- [Search Users](operation/search.md) -- [History in Directory Manager](../history.md) +- [Dashboard](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md) +- [Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) +- [History in Directory Manager](/docs/groupid/11.1/groupid/admincenter/history.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/asktoenroll.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/asktoenroll.md index ea68652955..0ee482c917 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/asktoenroll.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/asktoenroll.md 
@@ -22,7 +22,7 @@ What do you want to do? - To send enrollment notifications to all users in all identity stores in Directory Manager, make sure _All_ is selected in the **Identity store** box. Then click **Notify All Users**. - To send the notification to specific recipients, search for the required users and click - **Notify All Users**. See the [Search Users](search.md) topic to perform a search. + **Notify All Users**. See the [Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic to perform a search. Notifications are sent to all users listed on the **Helpdesk Operations** tab, including those on other pages (use the navigation options at the bottom of the listing to view the pages). To @@ -44,5 +44,5 @@ What do you want to do? **See Also** -- [Helpdesk](../overview.md) -- [Helpdesk Operations](overview.md) +- [Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md) +- [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/export.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/export.md index 79e12bcf08..b38f8dcc4c 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/export.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/export.md 
@@ -11,7 +11,7 @@ What do you want to do? 1. In Admin Center, click **Helpdesk** in the left pane. 2. The **Helpdesk** page opens to the **Helpdesk Operations** tab. You can export all users in all identity stores to a file or filter the listing to export specific users only. To filter the - list, see the [Search Users](search.md) topic. + list, see the [Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. 3. Select the check boxes for the users you want to export or click the check box in the header row to select all users. Then click **Export**. 4. Select a file format in the list. The file is saved to the download location specified in your @@ -19,5 +19,5 @@ What do you want to do? **See Also** -- [Helpdesk](../overview.md) -- [Helpdesk Operations](overview.md) +- [Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md) +- [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md index 30fd704ec0..7759fd8528 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md 
@@ -2,9 +2,9 @@ Helpdesk users can perform the following actions in Admin Center: -- [Reset Passwords](resetpassword.md) -- [Unlock Accounts](unlockaccount.md) -- [Notify Users to Enroll](asktoenroll.md) -- [Unenroll a User](unenroll.md) -- [Search Users](search.md) -- [Export Users' List to a File](export.md) +- [Reset Passwords](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md) +- [Unlock Accounts](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unlockaccount.md) +- [Notify Users to Enroll](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/asktoenroll.md) +- [Unenroll a User](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unenroll.md) +- [Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) +- [Export Users' List to a File](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/export.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md index fd4604884f..670262fc65 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md @@ -7,7 +7,7 @@ NOTE: You can reset passwords of unenrolled users if (a) the **Reset Any Passwor been granted to your role and (b) the Helpdesk policy for your role is set to the unrestricted mode. Helpdesk users may have to authenticate end users before resetting their passwords. See the -[Helpdesk Policy ](../overview.md#helpdesk-policy) topic. +[Helpdesk Policy ](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md#helpdesk-policy) topic. What do you want to do? 
@@ -18,14 +18,14 @@ What do you want to do? 1. In Admin Center, click **Helpdesk** in the left pane. 2. The **Helpdesk** page opens to the **Helpdesk Operations** tab. Locate your required user. To - search for a user, see the[Search Users](search.md) topic. + search for a user, see the[Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. 3. Click the ellipsis button for the user and select **Reset Password**. For enrolled users, the **Reset Password** dialog box has two pages: **Authenticate** and **Reset**. Under the unrestricted mode, you can skip the former and move to the **Reset** page. For unenrolled users, only the **Reset** page is available. Use the **History** button to view user history, i.e., the actions performed on the user and by the user. This history is specific to helpdesk functions, as listed in the - [History in Helpdesk](../history.md) topic. + [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. 4. The **Reset** page displays the user name, the identity store where this user resides, the last time the user changed his or her password, and the lock status of the account. In case the user has linked his or her accounts that exist in different identity stores, this page displays all 
@@ -64,18 +64,18 @@ could be restricted to: - Authenticate enrolled users through the multifactor authentication policy applicable to the user before resetting their passwords. The Security Questions authentication type may be mandatory. -See the [Helpdesk Policy](../../securityrole/policy/helpdesk.md) topic. +See the [Helpdesk Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md) topic. **To reset a password in restricted mode:** 1. In Admin Center, click **Helpdesk** in the left pane. 2. The **Helpdesk** page opens to the **Helpdesk Operations** tab. Locate your required user. To - search for a user, see the[Search Users](search.md) topic. + search for a user, see the[Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. 3. Click the ellipsis button for the user and select **Reset Password**. The **Reset Password** dialog box has two pages: **Authenticate** and **Reset**. Use the **History** button to view user history, i.e., the actions performed on the user and by the user. This history is specific to helpdesk functions, as listed in the - [History in Helpdesk](../history.md) topic. + [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. 4. The **Authenticate** page displays the authentication type(s) the user's account is enrolled with. You could be restricted to authenticate the user according to the authentication policy that applies to the user. @@ -115,5 +115,5 @@ See the [Helpdesk Policy](../../securityrole/policy/helpdesk.md) topic. **See Also** -- [Helpdesk](../overview.md) -- [Helpdesk Operations](overview.md) +- [Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md) +- [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md index a253a346e0..f6f62eaae1 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md @@ -54,5 +54,5 @@ Click the ellipsis button for a user to perform any of these actions: **See Also** -- [Helpdesk](../overview.md) -- [Helpdesk Operations](overview.md) +- [Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md) +- [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unenroll.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unenroll.md index 04a4a58a97..7fd203d3f9 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unenroll.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unenroll.md @@ -15,7 +15,7 @@ What do you want to do? 1. In Admin Center, click **Helpdesk** in the left pane. 2. The **Helpdesk** page opens to the **Helpdesk Operations** tab. Locate your required user. To - search for a user, see the[Search Users](search.md) topic. + search for a user, see the[Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. 3. Click the ellipsis button for the user and select **Unenroll Account**. The **Unenroll Account** dialog box displays the authentication types the user account is enrolled with. @@ -24,5 +24,5 @@ What do you want to do? **See Also** -- [Helpdesk](../overview.md) -- [Helpdesk Operations](overview.md) +- [Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md) +- [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unlockaccount.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unlockaccount.md index 703b03c98f..1e7fe4567f 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unlockaccount.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/unlockaccount.md @@ -8,7 +8,7 @@ password correctly. In such a situation as this, helpdesk users can unlock user accounts in an identity store. Helpdesk may have to authenticate users before unlocking their accounts. See the -[Helpdesk Policy ](../overview.md#helpdesk-policy) topic. +[Helpdesk Policy ](/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md#helpdesk-policy) topic. NOTE: You can unlock the account of unenrolled users if (a) the **Unlock Any Account** permission has been granted to your role and (b) the Helpdesk policy for your role is set to the unrestricted @@ -19,7 +19,7 @@ mode. Step 1 – In Admin Center, click **Helpdesk** in the left pane. Step 2 – The Helpdesk page opens to the Helpdesk Operations tab. Locate your required user. To -search for a user, see the[Search Users](search.md) topic. +search for a user, see the[Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. Step 3 – Click the ellipsis button for the user and select **Unlock Account**. For enrolled users, the Unlock Account dialog box has two pages: Authenticate and Unlock. Under the unrestricted mode, 
@@ -27,7 +27,7 @@ you can skip the former and move to the **Unlock** page. For unenrolled users, o is available. Use the **History** button to view user history, i.e., the actions performed on the user and by the user. This history is specific to helpdesk functions, as listed in the -[History in Helpdesk](../history.md) topic. +[History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. Step 4 – The Unlock page displays the user name, the identity store where this user resides, the last time the user changed his or her password, and the lock status of the account. In case the user @@ -40,13 +40,13 @@ To unlock an account, select the check box for it and click **Unlock**. Step 1 – In Admin Center, click **Helpdesk** in the left pane. Step 2 – The Helpdesk page opens to the Helpdesk Operations tab. Locate your required user. To -search for a user, see the[Search Users](search.md) topic. +search for a user, see the[Search Users](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/search.md) topic. Step 3 – Click the ellipsis button for the user and select **Unlock Account**. The Unlock Account dialog box has two pages: Authenticate and Unlock. Use the **History** button to view user history, i.e., the actions performed on the user and by the user. This history is specific to helpdesk functions, as listed in the -[History in Helpdesk](../history.md) topic. +[History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic. Step 4 – The Authenticate page displays the authentication type(s) the user's account is enrolled with. to authenticate the user, follow step 4 in the diff --git a/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md b/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md index 06b7e7b329..f13eb82903 100644 --- a/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/helpdesk/overview.md 
@@ -8,12 +8,12 @@ helpdesk-specific tasks, such as: - Unenroll user accounts from identity stores. - View users' activities, such as enrollment, authentication, account unlock, and password-related functions. Toast notifications and history tracking are also enabled for these actions. See the - [Helpdesk Operations](operation/overview.md) topic for additional information. + [Helpdesk Operations](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/overview.md) topic for additional information. NOTE: The Admin Center for helpdesk role is available in Helpdesk mode only. By default, only the Helpdesk node of Admin Center is visible to the Helpdesk role members. The administrator can also restrict access of a security role by selecting the Helpdesk Role check box on the Security Role -page. See the [Create a Security Role](../securityrole/create.md) topic for additional information. +page. See the [Create a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/create.md) topic for additional information. ## Helpdesk Permissions @@ -24,8 +24,8 @@ helpdesk-specific functions: - Unlock Any Account - Unenroll -See [Password Management](../securityrole/permissions.md#password-management) in the -[Security Role – Permissions](../securityrole/permissions.md) topic. +See [Password Management](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md#password-management) in the +[Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. ## Helpdesk Policy 
@@ -36,7 +36,7 @@ mode to perform the account unlock and reset password functions. NOTE: In unrestricted mode, helpdesk can unlock accounts and reset passwords of both enrolled and unenrolled users. In restricted mode, helpdesk can perform these functions for enrolled users only. -See the [Helpdesk Policy](../securityrole/policy/helpdesk.md) topic. +See the [Helpdesk Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md) topic. ## Helpdesk Analytics @@ -45,11 +45,11 @@ users' activities (such as enrollment, account unlock, and password reset) in an The dashboard displays the following helpdesk-specific cards: -- [Enrollment Summary](../general/dashboard.md#enrollment-summary): displays the number of enrolled +- [Enrollment Summary](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md#enrollment-summary): displays the number of enrolled users in an identity store. -- [Auth Summary](../general/dashboard.md#auth-summary): displays information about failed and +- [Auth Summary](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md#auth-summary): displays information about failed and successful authentication attempts for each authentication type. -- [Activity Summary](../general/dashboard.md#activity-summary): displays a summary of users' +- [Activity Summary](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md#activity-summary): displays a summary of users' activities related to password change, password reset, account unlock, and enrollment. ## Desktop Notifications @@ -66,5 +66,5 @@ end-user performs any of the following actions in the Directory Manager portal: - Enrolls account - Authenticates with password, authentication types, or any other medium -These actions are also logged in helpdesk history. See the [History in Helpdesk](history.md) topic +These actions are also logged in helpdesk history. See the [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/admincenter/history.md b/docs/groupid/11.1/groupid/admincenter/history.md index 670515fd63..6e9350b47e 100644 --- a/docs/groupid/11.1/groupid/admincenter/history.md +++ b/docs/groupid/11.1/groupid/admincenter/history.md @@ -4,11 +4,11 @@ In Directory Manager, history is tracked for: - Admin Center - Actions performed in Admin Center, such as creating identity stores, SMS gateway accounts, changes to notification templates, and more. See the - [Admin Center History](general/history.md) topic to view the history. + [Admin Center History](/docs/groupid/11.1/groupid/admincenter/general/history.md) topic to view the history. - Helpdesk - Helpdesk-specific actions, such as account unlock and enrollment. See the - [History in Helpdesk](helpdesk/history.md) topic to view the history. + [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic to view the history. - Identity store configurations - Changes made to identity store configurations, including changes - to security roles and workflows. See the [Identity Store History](identitystore/history/view.md) + to security roles and workflows. See the [Identity Store History](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md) topic to view the history. - Identity store objects - Modifications made to objects in an identity store, such as creating objects, updating attributes for an object, etc. It includes modifications made through: @@ -19,7 +19,7 @@ In Directory Manager, history is tracked for: - Admin Center (actions performed by schedules only) - Directory Manager APIs - See the [History](../portal/history/overview.md) topic to view this history. + See the [History](/docs/groupid/11.1/groupid/portal/history/overview.md) topic to view this history. Enable History Tracking 
@@ -27,7 +27,7 @@ History for Admin Center and helpdesk is tracked by default and you cannot disab However, history for identity store configurations and objects is disabled by default. You can enable it for an identity store as well as choose to track all or specific actions. See the -[Configure History Tracking](identitystore/configure/directoryservice/historytracking.md) topic. +[Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic. Where is History Displayed? @@ -58,4 +58,4 @@ Event Logging In addition to history tracking, Directory Manager provides event logging, which includes file logging and Windows logging for Directory Manager clients and services. See the -[Event Logging](identitystore/history/eventlogging.md) topic. +[Event Logging](/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md b/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md index a3e5ac02f0..891698b6a4 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md @@ -7,7 +7,7 @@ store in Directory Manager. Microsoft Entra ID offers limited options to define a default expiry policy for groups whereas Directory Manager provides a comprehensive Group Life Cycle policy. See the -[Manage Group Lifecycle Settings](configure/directoryservice/grouplifecycle.md) topic. +[Manage Group Lifecycle Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md) topic. Since these policies are not integrated; you should either useMicrosoft Entra ID’s or Directory Manager’s expiration policy settings for groups in an Microsoft Entra ID identity store. 
@@ -23,7 +23,7 @@ policy in Directory Manager. As a result: To use the same prefixes for group names as are defined in Microsoft Entra Admin Center, the administrator should define the same prefixes in Directory Manager. See the -[Group Name Prefixes](configure/directoryservice/prefixes.md) topic. +[Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md) topic. ## Dynamic Groups in Microsoft Entra ID @@ -73,7 +73,7 @@ discretion. - The nesting option in the _Out of Bounds_ settings for an identity store will empty the membership of a Smart Group of the Office 365 type, because nested groups cannot be added as group members. See the - [Manage Group Membership Settings](configure/directoryservice/outofbounds.md)topic. + [Manage Group Membership Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md)topic. - A Dynasty cannot be created as an Office 365 group. - You can create and manage distribution groups. diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md index 4ee732f4ff..7bc8be7566 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md 
@@ -22,39 +22,39 @@ Various configurations can be defined for an identity store. The following configurations have to be defined for an identity store: - An SMTP server for sending email notifications. See the - [Configure an SMTP Server](configure/smtpserver.md) topic. -- Authentication types and policies. See the [Authentication Policy](configure/authpolicy.md) topic. + [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. +- Authentication types and policies. See the [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) topic. - A group life cycle policy that controls the expiry and deletion of groups in the identity store. - See the [Manage Group Lifecycle Settings](configure/directoryservice/grouplifecycle.md) topic. + See the [Manage Group Lifecycle Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md) topic. - Membership life cycle policies for static groups. See the - [Manage Membership Life Cycle Policies](configure/directoryservice/membershiplifecycle.md) topic. + [Manage Membership Life Cycle Policies](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md) topic. - Inheritance settings for Dynasties. See the - [Manage Dynasty Settings](configure/directoryservice/dynastysettings.md) topic. + [Manage Dynasty Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md) topic. - Group update and membership settings. See the - [Manage Group Membership Settings](configure/directoryservice/outofbounds.md) topic. + [Manage Group Membership Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md) topic. - Group name prefixes, which are used to append group names. See the - [Group Name Prefixes](configure/directoryservice/prefixes.md) topic. 
+ [Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md) topic. - Settings for history tracking. See the - [Configure History Tracking](configure/directoryservice/historytracking.md) topic. + [Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic. - A messaging provider so that mail-enabled objects can be created in the identity store. See the - [Configure a Messaging Provider](configure/directoryservice/messagingprovider.md) topic. + [Configure a Messaging Provider](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md) topic. - Profile validation settings to ensure the accuracy of users’ information in the directory. See the - [Configure User Profile Validation](configure/directoryservice/profilevalidation.md) topic. + [Configure User Profile Validation](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md) topic. - Circular reference settings for object update. See the - [Manage Circular Reference ](configure/directoryservice/circularreference.md)topic. + [Manage Circular Reference ](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/circularreference.md)topic. - Password restrictions and rules for setting identity store passwords. See the - [Configure Password Options](configure/security/passwordoptions.md) topic. + [Configure Password Options](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md) topic. ## Security Roles An identity store has security roles defined for it, and only role members can access Directory -Manager. See the [Security Roles](../securityrole/overview.md) topic. +Manager. See the [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) topic. 
You can specify the following configurations for a role: - Assign permissions on different Directory Manager functions. See the - [Security Role – Permissions](../securityrole/permissions.md) topic. -- Specify policies for roles. See the [Security Role Policies](../securityrole/policy/overview.md) + [Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. +- Specify policies for roles. See the [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) topic. ## Replication Settings @@ -63,12 +63,12 @@ The Replication service is responsible for replicating objects that are created on the directory server, to the Elasticsearch repository. You can specify the attributes for the Replication Service to replicate from the provider to the Elasticsearch repository. -See the [Manage Local Replication Settings](replication.md) topic for details. +See the [Manage Local Replication Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md) topic for details. ## Identity Store History You can view the changes made to an identity store’s configurations, workflows, and security roles -in an identity store. See the [Identity Store History](history/view.md) topic. +in an identity store. See the [Identity Store History](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md) topic. ## Workflows 
@@ -77,19 +77,19 @@ approved by an authorized user before they are committed to the directory. You can define different workflows for an identity store. For example, you can define a workflow that triggers when a user creates a group in the directory using Directory Manager. See the -[Workflows](../workflow/overview.md) topic for details. +[Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md) topic for details. ## Entitlements Specify file servers in Active Directory and SharePoint sites to view and update the permissions -assigned to objects on shared resources. See the [Entitlement](../entitlement/overview.md) topic. +assigned to objects on shared resources. See the [Entitlement](/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md) topic. ## Schedules Define schedules to auto execute different Directory Manager functions, such as group expiry and deletion, Smart Group membership update, temporary additional manager assignment to users, and more. -See the [Schedules](../schedule/overview.md) topic. +See the [Schedules](/docs/groupid/11.1/groupid/admincenter/schedule/overview.md) topic. **See Also** -- [Manage an Identity Store](manage.md) +- [Manage an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md index 7c0a38ec78..9402c8ecf1 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md 
@@ -46,7 +46,7 @@ will prevent them from using Directory Manager. **See Also** -- [Authentication Policy](authpolicy.md) -- [Configure Second Factor Authentication](../../setupauth/sfa.md) -- [Configure Multifactor Authentication](../../setupauth/mfa.md) -- [Set Up Authentication Types](../../setupauth/overview.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Configure Second Factor Authentication](/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md) +- [Configure Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md) +- [Set Up Authentication Types](/docs/groupid/11.1/groupid/admincenter/setupauth/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md index 67de457a58..89487da1f0 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md @@ -6,7 +6,7 @@ their respective parent Dynasties. A Dynasty retrieves data from the directory on the same pattern as a Smart Group does, but it has its own mechanism of dividing the query results into child groups. To learn more about Dynasties, -see the [Dynasties](../../../general/concepts.md#dynasties) topic. +see the [Dynasties](/docs/groupid/11.1/groupid/admincenter/general/concepts.md#dynasties) topic. You can control how Directory Manager processes Dynasties through the following settings: 
@@ -24,7 +24,7 @@ The Directory Manager portal provides two methods to update Smart Groups and Dyn - Manual update - You can manually execute the query for a Dynasty and Smart Group any time. - Scheduled update - Scheduled updates, powered by a Smart Group Update schedule, auto run at a specified frequency to update the target groups and Dynasties. See the - [Smart Group Update Schedule](../../../schedule/smartgroupupdate.md) topic. + [Smart Group Update Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md) topic. **What happens on Dynasty update?** diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md index cfb7c0fad5..6100b13a8c 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md 
@@ -105,10 +105,10 @@ deleted. When the Group Life Cycle schedule deletes a group, it notifies the group owners or, if there is no owner, the default approver. The job does not delete a group that neither has an owner nor a default approver. See the -[Specify a Default Approver](../../../workflow/advancedsettings.md#specify-a-default-approver) +[Specify a Default Approver](/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md#specify-a-default-approver) topic. **See Also** -- [Manage Group Lifecycle Settings](grouplifecycle.md) -- [Group Life Cycle Schedule](../../../schedule/grouplifecycle.md)[Specify a Default Approver](../../../workflow/advancedsettings.md#specify-a-default-approver) +- [Manage Group Lifecycle Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md) +- [Group Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md)[Specify a Default Approver](/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md#specify-a-default-approver) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md index 218fbcb582..8c4af32999 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md 
@@ -20,11 +20,11 @@ The Group Life Cycle schedule defined for the identity store is responsible for life cycle settings to groups. This schedule runs on containers you specify as its targets, to process the groups that reside therein. Groups that reside outside of the target containers will not be processed by the schedule; hence, the group life cycle policy is not applied to them. See the -[Group Life Cycle Schedule](../../../schedule/grouplifecycle.md) topic. +[Group Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md) topic. NOTE: Before you specify a group life cycle policy for a Microsoft Entra ID identity store, see the -[Group Expiration Policy](../../advsentraid.md#group-expiration-policy) section in the -[Microsoft Entra ID vs. Active Directory Identity Stores](../../advsentraid.md) topic. +[Group Expiration Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md#group-expiration-policy) section in the +[Microsoft Entra ID vs. Active Directory Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md) topic. What do you want to do? @@ -194,7 +194,7 @@ information. Group Life Cycle schedule will reduce the life of such groups to 7 days and send an email notification to the group owner or the default approver (for groups without owners), informing them of the approaching expiry. See the - [Specify a Default Approver](../../../workflow/advancedsettings.md#specify-a-default-approver) + [Specify a Default Approver](/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md#specify-a-default-approver) topic. 6. Click **Save**. 
@@ -288,5 +288,5 @@ The Group Life Cycle schedule handles group expiry notifications as follows: **See Also** -- [Schedules](../../../schedule/overview.md) -- [ Group Expiry and Deletion](groupexpirydeletion.md) +- [Schedules](/docs/groupid/11.1/groupid/admincenter/schedule/overview.md) +- [ Group Expiry and Deletion](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md index 2690bf3ab6..ae40c53bc0 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md @@ -26,7 +26,7 @@ In Directory Manager, history for an identity store is tracked at two levels: - workflows - security roles - See the [Identity Store History](../../history/view.md) topic to view the tracked history data. + See the [Identity Store History](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md) topic to view the tracked history data. By default, history tracking is disabled. You can: @@ -39,8 +39,8 @@ RECOMMENDED: History tracking can slow down system performance. For optimal perf recommended that you track only specific, more important actions and limit Directory Manager history data storage to the most recent records. -See the [History in Directory Manager](../../../history.md) and -[Event Logging](../../history/eventlogging.md) topics for additional information. +See the [History in Directory Manager](/docs/groupid/11.1/groupid/admincenter/history.md) and +[Event Logging](/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md) topics for additional information. What do you want to do? 
@@ -132,7 +132,7 @@ database forever. You can set Directory Manager to retain an identity store's history data for a specified length of time in the database. When the retention period is over, the History Retention schedule archives this data by moving it from the database to CSV files. See the -[History Retention Schedule](../../../schedule/historyretention.md) topic. +[History Retention Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md) topic. **To retain history data for a specific period:** diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md index cbb6efd747..5374e384d3 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md @@ -44,7 +44,7 @@ Some main features of the membership lifecycle policies are: be effective. - **Notifications** - Directory Manager generates notifications when users are temporarily added or removed from a group’s membership. See the - [Manage Membership Life Cycle Notifications](../smtpserver.md#manage-membership-life-cycle-notifications) + [Manage Membership Life Cycle Notifications](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md#manage-membership-life-cycle-notifications) topic. What do you want to do? @@ -268,4 +268,4 @@ To delete a policy: **See Also** -- [Membership Life Cycle Schedule](../../../schedule/membershiplifecycle.md) +- [Membership Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md index 9f8d88c7ec..f8a526a0f9 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/messagingprovider.md @@ -172,7 +172,7 @@ Step 7 – Enter a regular expression in the Email Alias Regular Expression box; created in the external provider must satisfy this regular expression. Follow these links for information about regular expressions and their syntax: -- [Introduction to Regular Expressions]() +- [Introduction to Regular Expressions](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/28hw3sce(v%3dvs.100)) - [Regular Expression Syntax Reference](https://msdn.microsoft.com/en-us/library/ms840427.aspx) Step 8 – In the Enter Example to Validate Regular Expression box, enter an email alias as an @@ -199,4 +199,4 @@ Step 5 – Click **Save**. **See Also** -- [Configure an SMTP Server](../smtpserver.md) +- [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md index fc7fdaa790..5d69e6076c 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/outofbounds.md 
@@ -157,5 +157,5 @@ Smart Group Update schedule responsible for updating the respective group. **See Also** -- [Manage Dynasty Settings](dynastysettings.md) -- [Smart Group Update Schedule](../../../schedule/smartgroupupdate.md) +- [Manage Dynasty Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/dynastysettings.md) +- [Smart Group Update Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/overview.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/overview.md index 2957d6ef41..2db50d4c24 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/overview.md @@ -19,7 +19,7 @@ policies to users, groups, and containers (Organizational Units). You can also: Directory Manager also has its Password policy which can be defined at an identity store level and for a particular security role in that identity store. At one point in time, you can either apply Directory Manager Password policy or PPE policies. See the -[Directory Manage Password Policy ](../../../../securityrole/policy/password.md)for additional +[Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md)for additional information. In Directory Manager, you can 
@@ -66,7 +66,7 @@ After the selection of a policy template, the Add Policy page is displayed. Step 7 – Click **Add**. The policy gets listed on PPE Policies page by the name of the template selected while adding the -policy. See the [Set up policy properties](policyproperties.md) topic for additional information on +policy. See the [Set up policy properties](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md) topic for additional information on renaming a policy. ## Edit a PPE Policy @@ -89,11 +89,11 @@ Step 4 – Click the **three vertical dots** icon next to the policy , you want Step 5 – The Edit Policy page displays, while editing you can -- [Set up Rules](rules/overview.md) -- [Assign Policies to Users, Groups & Containers](usersgroups.md) -- [Enable the use of an optional passphrase](passphrases.md) -- [Set up policy properties](policyproperties.md) -- [Set up messages for your users](messages.md) +- [Set up Rules](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md) +- [Assign Policies to Users, Groups & Containers](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/usersgroups.md) +- [Enable the use of an optional passphrase](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/passphrases.md) +- [Set up policy properties](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md) +- [Set up messages for your users](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/messages.md) Step 6 – After setting up the policy, click **Update**. diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md index 91c3c4ce4b..fe0dc2ad9a 100644 
--- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/policyproperties.md @@ -42,12 +42,12 @@ Step 5 – Open the **Properties** tab. drop-down list to specify the required compliance level for this policy. The default value **(all the rules**) requires users to comply with all enabled rules. Choose an alternative option if Password Policy Enforcer should enforce a more lenient password policy. The - [Age (Min) Rule](rules/minimum_age_rule.md) and [Age (Max) Rule](rules/maximum_age_rule.md) rules - are excluded from compliance level calculations. See the [Set up Rules](rules/overview.md) topic + [Age (Min) Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/minimum_age_rule.md) and [Age (Max) Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/maximum_age_rule.md) rules + are excluded from compliance level calculations. See the [Set up Rules](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md) topic for additional information. When setting the compliance level, consider that some rules may be disabled when a user enters a - passphrase. See the [Enable the use of an optional passphrase](passphrases.md) topic for + passphrase. See the [Enable the use of an optional passphrase](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/passphrases.md) topic for additional information. Password Policy Enforcer accepts passphrases that comply with all enabled rules, irrespective of the compliance level. This ensures that passphrases can be used, even if they do not meet the compliance level when Password Policy Enforcer is configured to 
diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md index 3312b6fa6a..d3633c6a82 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/overview.md 
@@ -7,18 +7,18 @@ Follow the steps to define rules a PPE policy Step 1 – The Rules tab opens by default and the following rules are listed in the left pane. -- [Age (Max) Rule](maximum_age_rule.md) -- [Age (Min) Rule](minimum_age_rule.md) -- [Characters (Complexity) Rule](complexityrule.md) -- [Character (Granular) Rules](characterrules.md) -- [Compromised Rule](compromisedrule.md) -- [Dictionary Rule](dictionaryrule.md) -- [History Rule](historyrule.md) -- [Length Rule](lengthrule.md) -- [Patterns Rule](patternsrule.md) -- [Repetition Rule](repetitionrule.md) -- [Similarity Rule](similarityrule.md) -- [Unique Characters Rule](uniquecharacters.md) +- [Age (Max) Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/maximum_age_rule.md) +- [Age (Min) Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/minimum_age_rule.md) +- [Characters (Complexity) Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/complexityrule.md) +- [Character (Granular) Rules](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/characterrules.md) +- [Compromised Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/compromisedrule.md) +- [Dictionary Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/dictionaryrule.md) +- [History Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/historyrule.md) +- [Length Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/lengthrule.md) +- [Patterns Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/patternsrule.md) +- [Repetition Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/repetitionrule.md) +- [Similarity 
Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/similarityrule.md) +- [Unique Characters Rule](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/rules/uniquecharacters.md) A button beside a rule indicates that the rule is enabled (being enforced) or not. Click a rule to set the rule's properties and save it. diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md index 685ead2800..53ddad2565 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md @@ -36,7 +36,7 @@ Consider the following: and cannot be changed or removed later. A group naming policy defined in Microsoft Entra Admin Center has no impact in Directory Manager. -For details, see the [Group Naming Policy](../../advsentraid.md#group-naming-policy) topic. +For details, see the [Group Naming Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md#group-naming-policy) topic. What do you want to do? @@ -86,5 +86,5 @@ Delete a Prefix **See Also** -- [Security Roles](../../../securityrole/overview.md) -- [Security Role Policies](../../../securityrole/policy/overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md index 121b6a8283..7921fdb122 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md 
+++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md @@ -14,7 +14,7 @@ applies. By default, a few attributes (fields) are available in the Directory Manager portal for profile validation. You can add and remove fields as required. See the -[Manage Property Validation Attributes](../../../portal/design/propertyvalidation.md) topic. +[Manage Property Validation Attributes](/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md) topic. ## What can Users do While Validating their Profiles? @@ -43,7 +43,7 @@ When performing profile validation, a user can: rejects it, the direct report remains with the manager. For workflows in an identity store, see the -[System Workflows](../../../workflow/overview.md#system-workflows) topic. +[System Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md#system-workflows) topic. ## What Happens When Users do not Validate their Profiles? @@ -61,7 +61,7 @@ Accounts Expired due to Non-Profile Validation topic. ## The User Life Cycle Schedule -The [User Life Cycle Schedule](../../../schedule/userlifecycle.md) monitors the profile validation +The [User Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md) monitors the profile validation function in Directory Manager. It: - Monitors the profile validation dates for users. @@ -198,7 +198,7 @@ You can change the number of reminders to be sent along with their _Before # of User Life Cycle schedule sends reminder notifications to users according to the specified settings. For email notifications, an SMTP Server must be configured for the identity store. See the an -[Configure an SMTP Server](../smtpserver.md) topic. +[Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. **To set a new reminder:** 
diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md index 6758e26c78..69072950f4 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md @@ -16,7 +16,7 @@ configurations for the master account apply. In addition to these password restrictions, you can define a password policy for a security role in an identity store. See the -[Directory Manage Password Policy ](../../../securityrole/policy/password.md) topic. +[Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) topic. What do you want to do? @@ -51,7 +51,7 @@ expression. not allowed. - **Regular Expression:** passwords that satisfy the regular expression you specify in the **Exception Value** box are not allowed. See the - [What are Regular Expressions?](../../../portal/displaytype/textbox.md#what-are-regular-expressions) + [What are Regular Expressions?](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md#what-are-regular-expressions) topic to learn about regular expressions and their syntax. 6. Type a value for the selected operator in the **Exception Value** box. 
@@ -80,7 +80,7 @@ users follow certain rules and patterns. 4. In the **Password Rules** area on the **Password Options** page, click **Add Password Rule**. 5. On the **Add Rules** dialog box, type a regular expression in the **Regular Expression** box. See the - [What are Regular Expressions?](../../../portal/displaytype/textbox.md#what-are-regular-expressions) + [What are Regular Expressions?](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md#what-are-regular-expressions) topic to learn about regular expressions and their syntax. 6. Click **OK**. The regular expression is displayed in the In the **Password Rules** area. 7. Follow steps 4 to 6 to define as many regular expressions as required. Passwords that satisfy any @@ -114,4 +114,4 @@ importing another file will replace the existing one. **See Also** -- [Directory Manage Password Policy ](../../../securityrole/policy/password.md) +- [Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/secondwayauthentication.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/secondwayauthentication.md index a226ea1f9a..6f1859b531 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/secondwayauthentication.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/secondwayauthentication.md 
@@ -89,7 +89,7 @@ it, you must enable one or more authentication types. NOTE: If an SMTP server is not defined for the identity store, **Configure Now** is displayed in place of the toggle button. Click it to go to the **Notifications** page for configuring an SMTP - server. See the [Configure an SMTP Server](../smtpserver.md) topic. + server. See the [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. 5. In the **Email Attribute** drop-down list, select an attribute that stores email addresses in the directory. @@ -119,6 +119,6 @@ type(s) they want to use for authentication. **See Also** -- [Authentication Policy](../authpolicy.md) -- [Configure an SMTP Server](../smtpserver.md) -- [SMS Gateway](../../../smsgateway/overview.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) +- [SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md index 40b95e9bfd..cc97ab9f3b 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md @@ -50,5 +50,5 @@ What do you want to do? **See Also** -- [Manage the Global Question Pool ](../../../general/globalpool.md) -- [Set up Authentication via Security Questions](../../../setupauth/securityquestions.md) +- [Manage the Global Question Pool ](/docs/groupid/11.1/groupid/admincenter/general/globalpool.md) +- [Set up Authentication via Security Questions](/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md index a78f5ba96b..fbdf72f6fe 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md @@ -4,7 +4,7 @@ To enable users to enroll and authenticate their identity store accounts using S sure that an SMS gateway account is linked with the identity store. Using this gateway account, Directory Manager sends confirmation codes to the users' mobile phone numbers for verification. -See the [Manage SMS Gateway Accounts](../../../smsgateway/manage.md) topic for creating and managing +See the [Manage SMS Gateway Accounts](/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md) topic for creating and managing SMS gateway accounts. What do you want to do? @@ -18,7 +18,7 @@ What do you want to do? The SMS authentication type must be enabled for an identity store before users can use it for second factor authentication and multi-factor authentication. -To enable it, see the [Enable Authentication Types](../authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Link an SMS Gateway Account to an Identity Store 
@@ -39,7 +39,7 @@ To enable it, see the [Enable Authentication Types](../authtypes.md) topic. ## Enforce SMS Authentication for a Security Role To enforce an authentication type, see the -[Authentication Policy for Security Roles](../../../securityrole/policy/authentication.md) topic. +[Authentication Policy for Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md) topic. Role members must use an enforced authentication type for multifactor authentication. When an authentication type is enabled but not enforced, role members can choose to use it for enrollment @@ -47,5 +47,5 @@ and authentication. **See Also** -- [Authentication Policy](../authpolicy.md) -- [Manage SMS Gateway Accounts](../../../smsgateway/manage.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Manage SMS Gateway Accounts](/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md index 16a58a9401..efd715be0c 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md @@ -140,7 +140,7 @@ the **Also Notify** area, select the required check boxes. from the membership of a group. - Public group owner for membership – To send email notifications to the primary and additional owners of a public group on membership change. See the - [Group Security Types](../../general/concepts.md#group-security-types) topic. + [Group Security Types](/docs/groupid/11.1/groupid/admincenter/general/concepts.md#group-security-types) topic. Step 6 – Click **Save** on the **Notifications** page. 
@@ -186,7 +186,7 @@ Membership lifecycle notifications are triggered on the following events: or removes him or her from group membership. - Users are also notified when they are temporarily added or removed from group membership according to membership lifecycle policies. See the - [Manage Membership Life Cycle Policies](directoryservice/membershiplifecycle.md) topic. + [Manage Membership Life Cycle Policies](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md) topic. You can choose to send notification when users are temporarily added to groups, removed from groups, or on both events. @@ -255,6 +255,6 @@ Step 5 – Click **Save** on the Notifications page. **See Also** -- [Notifications](../../notification/overview.md) -- [Membership Life Cycle Schedule](../../schedule/membershiplifecycle.md) -- [Managed By Life Cycle Schedule](../../schedule/managedbylifecycle.md) +- [Notifications](/docs/groupid/11.1/groupid/admincenter/notification/overview.md) +- [Membership Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md) +- [Managed By Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/create.md b/docs/groupid/11.1/groupid/admincenter/identitystore/create.md index 26ce3eb358..4d28e32421 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/create.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/create.md 
@@ -13,7 +13,7 @@ You can create identity stores for the following providers: To create an identity store, you have to specify an identity provider and its connection details. After creating an identity store, you must configure certain settings for it. These configurations -are discussed in the [Configure an Identity Store](configure.md) topic. +are discussed in the [Configure an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md) topic. ## Create an Identity Store for Active Directory @@ -39,13 +39,13 @@ service account (gMSA) to connect to Active Directory. - For a service account – The service account must have sufficient privileges on the provider to facilitate group and identity management operations using Directory Manager. The minimum permissions the service account requires for Active Directory are discussed in the - [Service Account for Active Directory and Exchange](../../requirements/permissions/adserviceaccount.md) + [Service Account for Active Directory and Exchange](/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md) topic. - For a gMSA – If you provide a service account with ‘$’ as its last character (as in MyAdminAccounts$), Directory Manager entertains it as a Group Managed Service Account (gMSA). To use a gMSA to connect an identity store to Active Directory, make sure the gMSA is configured properly and has sufficient permissions. See the - [gMSA for Active Directory](../../requirements/permissions/gmsarequirements.md) topic. + [gMSA for Active Directory](/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md) topic. Step 7 – In the **Service Account Password** box, enter the service account password. Skip this box for a gMSA. 
@@ -87,7 +87,7 @@ want to create the identity store for. Step 6 – Specify the path to the .pfx certificate in the PFX Certificate box. For that, click **Choose File** and browse for the file. Select it and click **Open**. As a prerequisite, the .pfx certificate must be generated on the Directory Manager machine. See the -[Certificate for Entra ID Authentication ](../../configureentraid/register/modauth.md)topic for +[Certificate for Entra ID Authentication ](/docs/groupid/11.1/groupid/configureentraid/register/modauth.md)topic for information on generating a certificate and then converting it into the .pfx format. Step 7 – In the PFX Certificate Password box, enter the password that was created while exporting diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md b/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md index dae6ae2975..1b942dbd34 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md @@ -65,5 +65,5 @@ On the **History Details** dialog box, the **Note** box displays your note. Remo **See Also** -- [Identity Store History](view.md) -- [Admin Center History](../../general/history.md) +- [Identity Store History](/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md) +- [Admin Center History](/docs/groupid/11.1/groupid/admincenter/general/history.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md b/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md index 2487fed3ea..49585afe51 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md 
@@ -45,5 +45,5 @@ application log. **See Also** -- [Directory Manage Applications](../../portal/applications.md) -- [Get Logs](../../general/logs.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [Get Logs](/docs/groupid/11.1/groupid/admincenter/general/logs.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md b/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md index 95d26511dc..feddff872c 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/history/view.md @@ -34,7 +34,7 @@ viewed in Admin Center. The **Identity Store History** page displays history data in a descriptive and concise manner. Items are sorted according to the date and time they were last updated, with the most recent at the top. - Click a history item to view its details. See the [History Item Details](details.md) topic. + Click a history item to view its details. See the [History Item Details](/docs/groupid/11.1/groupid/admincenter/identitystore/history/details.md) topic. ## Filter History Data @@ -156,6 +156,6 @@ You can export identity store history to Microsoft Excel, CSV, and XML formats. **See Also** -- [Configure History Tracking](../configure/directoryservice/historytracking.md) -- [History in Directory Manager](../../history.md) -- [Event Logging](eventlogging.md) +- [Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) +- [History in Directory Manager](/docs/groupid/11.1/groupid/admincenter/history.md) +- [Event Logging](/docs/groupid/11.1/groupid/admincenter/identitystore/history/eventlogging.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/link/manage.md b/docs/groupid/11.1/groupid/admincenter/identitystore/link/manage.md index c00235c6bc..1389f6ee4b 100644 
--- a/docs/groupid/11.1/groupid/admincenter/identitystore/link/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/link/manage.md @@ -225,4 +225,4 @@ linked anymore in the Directory Manager portal. **See Also** -- [Link Identity Stores](overview.md) +- [Link Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md b/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md index 9c6ebe08f9..3a7b76a087 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md @@ -120,5 +120,5 @@ In this way, you can create a chain of links between identity stores. **See Also** -- [Identity Stores](../overview.md) -- [Manage Identity Store Links](manage.md) +- [Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md) +- [Manage Identity Store Links](/docs/groupid/11.1/groupid/admincenter/identitystore/link/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md b/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md index a41c65aa46..cd47c47c8e 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md 
@@ -23,10 +23,10 @@ The card for an identity store displays the following information: | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Basic info | The display name of the identity store and the identity provider it is built on, such as Active Directory. | | Identity store status | The status is displayed on the top right corner of the card. An identity store has one of the following statuses: - **Healthy:** Indicates that the identity store is fully functional. Hover the mouse over the status to view the factors used to determine health. - **Errors:** Indicates that the identity store has run into one or both of the following errors: - It cannot connect to the identity provider using the service account provided on the **Identity Store Details** page. - Data from the provider is not replicated to Elasticsearch within the required time interval. The last replication time and date is displayed at the bottom of the card. Hover the mouse over the status to view the reason for the _Errors_ status. 
| -| History | Indicates whether history tracking for the identity store is enabled or disabled. See the [Configure History Tracking](configure/directoryservice/historytracking.md) topic to enable or disable history tracking. | -| MFA | Indicates whether second factor authentication is enabled for security roles in the identity store. See the [Configure Second Factor Authentication](../setupauth/sfa.md) topic. One of the following is displayed for MFA: - **Available for x/x roles:** Indicates the number of security roles that second factor authentication is enabled for, out of the total security roles in the identity store. For example, 1/3 indicates that there are 3 security roles defined for the identity store and second factor authentication is enabled for one of those roles. - **Not Available:** Indicates that second factor authentication is not enabled for any security role in the identity store. | +| History | Indicates whether history tracking for the identity store is enabled or disabled. See the [Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic to enable or disable history tracking. | +| MFA | Indicates whether second factor authentication is enabled for security roles in the identity store. See the [Configure Second Factor Authentication](/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md) topic. One of the following is displayed for MFA: - **Available for x/x roles:** Indicates the number of security roles that second factor authentication is enabled for, out of the total security roles in the identity store. For example, 1/3 indicates that there are 3 security roles defined for the identity store and second factor authentication is enabled for one of those roles. - **Not Available:** Indicates that second factor authentication is not enabled for any security role in the identity store. 
| | Last replication date and time | The last run date and time of the Replication service. If the service does not run at the specified interval, the identity store status changes to **Errors**. | -| Ellipsis | Click it to launch a shortcut menu with the following options: - **Edit:** launches the identity store properties page, where you can manage identity store settings, workflows, security roles, replication attributes, and more. See the [Configure an Identity Store](configure.md) topic. - **Disable:** disables the identity store. - **Replicate Objects:** runs the Replication service to replicate object data in the identity store. See the [Force Run the Replication Service (for Object Replication)](replication.md#force-run-the-replication-service-for-object-replication) topic. - **Replicate Deleted Objects:** runs the Replication service to remove those objects from Elasticsearch that have been deleted from the identity provider. See the [Force Run the Replication Service (for Deleting Objects)](replication.md#force-run-the-replication-service-for-deleting-objects) topic. - **Delete:** deletes the identity store from Directory Manager. | +| Ellipsis | Click it to launch a shortcut menu with the following options: - **Edit:** launches the identity store properties page, where you can manage identity store settings, workflows, security roles, replication attributes, and more. See the [Configure an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md) topic. - **Disable:** disables the identity store. - **Replicate Objects:** runs the Replication service to replicate object data in the identity store. See the [Force Run the Replication Service (for Object Replication)](replication.md#force-run-the-replication-service-for-object-replication) topic. - **Replicate Deleted Objects:** runs the Replication service to remove those objects from Elasticsearch that have been deleted from the identity provider. 
See the [Force Run the Replication Service (for Deleting Objects)](replication.md#force-run-the-replication-service-for-deleting-objects) topic. - **Delete:** deletes the identity store from Directory Manager. | ## Enable or Disable an Identity Store @@ -64,14 +64,14 @@ provided while creating it. **Edit**. 3. On the **Identity Store Details** page, update the required information on the **General** tab. This page differs by provider. Refer to the steps for creating the respective provider in the - [Create an Identity Store](create.md) topic for more information. + [Create an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md) topic for more information. 4. Click **Save**. ## Exclude an Active Directory Domain from Replication By default, Directory Manager replicates the domain specified for the identity store and its child domains. You can exclude a domain or a child domain from replication, in which case the Replication -service will not replicate it. See the [Elasticsearch and Replication ](../replication/overview.md) +service will not replicate it. See the [Elasticsearch and Replication ](/docs/groupid/11.1/groupid/admincenter/replication/overview.md) topic. You can still create and manage objects in an excluded domain using Directory Manager. @@ -220,6 +220,6 @@ first delete the link(s) before deleting the identity store. **See Also** -- [Identity Stores](overview.md) -- [Configure an Identity Store](configure.md) -- [Replication Service](../service/replicationservice.md) +- [Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md) +- [Configure an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md) +- [Replication Service](/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md b/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md index 2b1bc1ea9a..f37bf56f70 100644 
--- a/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md @@ -31,7 +31,7 @@ Manager. Contact Netwrix Client Services for support. **See Also** -- [Create an Identity Store](create.md) -- [Manage an Identity Store](manage.md) -- [Configure an Identity Store](configure.md) -- [Link Identity Stores](link/overview.md) +- [Create an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md) +- [Manage an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md) +- [Configure an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md) +- [Link Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md b/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md index 64c5905e3b..fd6fa812ae 100644 --- a/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md +++ b/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md @@ -41,7 +41,7 @@ and click **Save**. The attributes are added to the Attribute Name column on the NOTE: If in a Microsoft Entra ID based identity store extension attributes are added, Directory Manager Schema Replication schedule fetches the latest schema at its next run and add the newly added extension attributes to the Select Replication Attributes list. See the -[Schema Replication Schedule](../schedule/schemareplication.md) for additional information. +[Schema Replication Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md) for additional information. Select the required extension attributes from the Select Replication Attributes list and add them to the attribute to replicate list. See the Specify Object Attributes to Replicate section of the Manage Local Replication Settings topic. 
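Review bot: The rewritten `| Ellipsis |` table row further up is only half converted: the `+` line now links Configure an Identity Store through `/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md`, but the two links on that same line, `replication.md#force-run-the-replication-service-for-object-replication` and `replication.md#force-run-the-replication-service-for-deleting-objects`, are still relative. Re-root them to `/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md` with their existing fragments, or say in the commit message why same-directory links with fragments are left alone.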
@@ -89,7 +89,7 @@ for an identity store to replicate object attributes to Elasticsearch. Force-starting the service has no impact on the interval set for triggering the service on the Replication page. See the -[Specify a Replication Interval for Objects](../replication/settings.md#specify-a-replication-interval-for-objects)topic. +[Specify a Replication Interval for Objects](/docs/groupid/11.1/groupid/admincenter/replication/settings.md#specify-a-replication-interval-for-objects)topic. You can force run the Replication service for an identity store in any of the following ways: @@ -124,7 +124,7 @@ force run the Replication service for an identity store any time to remove delet Force-starting the service has no impact on the interval set for triggering the service on the **Replication** page. See the -[Specify Interval for Deleting Tombstone Objects](../replication/settings.md#specify-interval-for-deleting-tombstone-objects) +[Specify Interval for Deleting Tombstone Objects](/docs/groupid/11.1/groupid/admincenter/replication/settings.md#specify-interval-for-deleting-tombstone-objects) topic. For an identity store, you can force run the Replication service (for deleting objects) in any of diff --git a/docs/groupid/11.1/groupid/admincenter/notification/customize.md b/docs/groupid/11.1/groupid/admincenter/notification/customize.md index 6a59760f4d..ebba74940b 100644 --- a/docs/groupid/11.1/groupid/admincenter/notification/customize.md +++ b/docs/groupid/11.1/groupid/admincenter/notification/customize.md 
@@ -3,7 +3,7 @@ Directory Manager generates a variety of notifications for different events, such as when changes are made to a group, when workflows are triggered, and when profile validation is due for users. Supported languages for notifications are listed in the -[Localization](../../gettingstarted.md#localization) topic. +[Localization](/docs/groupid/11.1/groupid/gettingstarted.md#localization) topic. Templates for all Directory Manager notifications are available in these languages. You can customize a notification template for the following in each of the supported languages: @@ -101,7 +101,7 @@ will show the email address of the requester, and so on. 1. In the Source Code view, click the **Dictionary** tile to view the recommended tags to replace the default tags with. - ![tagdictionary](../../../../../../static/img/product_docs/groupid/groupid/admincenter/notification/tagdictionary.webp) + ![tagdictionary](/img/product_docs/groupid/groupid/admincenter/notification/tagdictionary.webp) Each notification template has its own set of recommended tags. diff --git a/docs/groupid/11.1/groupid/admincenter/notification/queue.md b/docs/groupid/11.1/groupid/admincenter/notification/queue.md index bb8687cda0..8e725136cb 100644 --- a/docs/groupid/11.1/groupid/admincenter/notification/queue.md +++ b/docs/groupid/11.1/groupid/admincenter/notification/queue.md @@ -13,7 +13,7 @@ notifications as well as delete notifications. Both actions are tracked in Admin Directory Manager also features a Notification Editor that lists the notification templates for all notifications that Directory Manager generates on various events. See the -[Customize Notifications](customize.md) topic for details. +[Customize Notifications](/docs/groupid/11.1/groupid/admincenter/notification/customize.md) topic for details. What do you want to do? 
@@ -61,7 +61,7 @@ In the **Categories** list on the **Filter** dialog box, select one of the follo - Click **Delete** for a notification in the **Actions** column to delete it. - Click **Refresh** to refresh the notification queue. - Click **Notification Editor** to launch the Notification Editor, where you can view and modify - notification templates. See the [Customize Notifications](customize.md) topic for details. + notification templates. See the [Customize Notifications](/docs/groupid/11.1/groupid/admincenter/notification/customize.md) topic for details. ## Send a Notification Urgently @@ -74,7 +74,7 @@ In the **Categories** list on the **Filter** dialog box, select one of the follo - To send multiple notifications, select the check boxes for those notifications. To select all notifications, select the check box in the header row. This displays the following icons: - ![send_refresh](../../../../../../static/img/product_docs/groupid/groupid/admincenter/notification/send_refresh.webp) + ![send_refresh](/img/product_docs/groupid/groupid/admincenter/notification/send_refresh.webp) Click the **Send** icon to send the selected notifications urgently. 
@@ -93,12 +93,12 @@ To delete a notification: - To delete multiple notifications, select the check boxes for those notifications. To select all notifications, select the check box in the header row. This displays the following icons: - ![send_refresh](../../../../../../static/img/product_docs/groupid/groupid/admincenter/notification/send_refresh.webp) + ![send_refresh](/img/product_docs/groupid/groupid/admincenter/notification/send_refresh.webp) Click the **Delete** icon to delete the selected notifications. **See Also** -- [Notifications](overview.md) -- [Email Service](../service/emailservice.md) -- [Admin Center History](../general/history.md) +- [Notifications](/docs/groupid/11.1/groupid/admincenter/notification/overview.md) +- [Email Service](/docs/groupid/11.1/groupid/admincenter/service/emailservice.md) +- [Admin Center History](/docs/groupid/11.1/groupid/admincenter/general/history.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/applications.md b/docs/groupid/11.1/groupid/admincenter/portal/applications.md index 62eb151369..1f49e9727b 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/applications.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/applications.md 
@@ -2,15 +2,15 @@ Using Admin Center, you can create and manage the following Directory Manager applications: -- [ Directory Manager Portal](overview.md) -- [Data Service](../service/dataservice/overview.md) -- [Security Service](../service/securityservice/overview.md) +- [ Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/portal/overview.md) +- [Data Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/overview.md) +- [Security Service](/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md) Moreover, you can manage some basic deployment and log settings for the following applications: -- [Admin Center](../service/admincenter.md) -- [Replication Service](../service/replicationservice.md) -- [Email Service](../service/emailservice.md) -- [Scheduler Service](../service/schedulerservice.md) +- [Admin Center](/docs/groupid/11.1/groupid/admincenter/service/admincenter.md) +- [Replication Service](/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md) +- [Email Service](/docs/groupid/11.1/groupid/admincenter/service/emailservice.md) +- [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) -See the [Services](../service/overview.md) topic for additional information. +See the [Services](/docs/groupid/11.1/groupid/admincenter/service/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/admincenter/portal/create.md b/docs/groupid/11.1/groupid/admincenter/portal/create.md index e4ffa80cff..dc07580fea 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/create.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/create.md 
@@ -15,9 +15,9 @@ A portal is hosted on a web server, with native IIS, remote IIS, and Docker as t servers. - IIS Deployment - Your Directory Manager portal is hosted within a site in IIS. To launch IIS, see - [Opening IIS Manager](). + [Opening IIS Manager](https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90)). - ![in_iis](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/in_iis.webp) + ![in_iis](/img/product_docs/groupid/groupid/admincenter/portal/in_iis.webp) - Docker Deployment - For a Docker deployment, make sure you have a running instance of Docker daemon in your environment. A portal runs within a container in Docker. @@ -76,7 +76,7 @@ located on disk. The application name and deployment name are displayed on the portal card on the **GroupID Portal** tab. - ![portal_card](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/portal_card.webp) + ![portal_card](/img/product_docs/groupid/groupid/admincenter/portal/portal_card.webp) 7. In the **IIS Application Name** box, enter an IIS deployment name for the portal. This name should be unique for each portal deployed in IIS. 
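Review bot: The `@@ -15,9` hunk of portal/create.md does more than re-root a path: it fills the previously empty `[Opening IIS Manager]()` target with an external learn.microsoft.com URL under `previous-versions/iis/6.0-sdk`. Put that in its own commit or call it out in the description, and confirm the IIS 6.0 SDK page is the reference readers should follow for launching IIS Manager. The target also ends in `(v=vs.90)`, so check that the renderer keeps the closing parenthesis inside the link.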
@@ -139,18 +139,18 @@ located on disk. to manage directory objects, their directory profiles, and more. While associating identity store(s), you may get the following message: - ![linked_message](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linked_message.webp) + ![linked_message](/img/product_docs/groupid/groupid/admincenter/portal/linked_message.webp) This relates to the scenario when identity stores in Directory Manager have been linked, as discussed in the - [Linked Identity Stores and the Directory Manager Portal](../identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) + [Linked Identity Stores and the Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) topic. Hence, when two identity stores, IdentityStoreA and IdentityStoreB, are linked and you associate IdentityStoreA with the portal, this message is displayed. It alerts you to associate the second identity store in the linked pair (dentityStoreB) with the portal too, in order to benefit from the linking. 13. Each identity store associated with a portal has its own set of design settings, as listed in - the [Design a Portal with Display Types](displaytype/overview.md) topic. + the [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) topic. If you are upgrading to Directory Manager 11 from GroupID 9 or GroupID 10, you can import the design settings for an identity store from a Self-Service portal in a previous version - as an 
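Review bot: The context paragraph under the rewritten Linked Identity Stores link in this hunk reads `(dentityStoreB)`, missing its leading I. Since the patch already edits this paragraph, change it to `(IdentityStoreB)` here and in the matching paragraph of the `@@ -422,7` hunk, which carries the same text.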
@@ -197,7 +197,7 @@ located on disk. combos defined in the design settings. 14. A portal has certain advanced settings defined for it, as discussed in the - [Manage Advanced Settings](server/advanced.md) topic. + [Manage Advanced Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md) topic. If you are upgrading to Directory Manager 11 from GroupID 9 or GroupID 10, you can import the advanced settings of a Self-Service portal from a previous version as an alternate to defining settings from scratch. Following are the details of the file containing advanced settings for a @@ -239,7 +239,7 @@ The portal runs within a virtual directory in remote IIS while the portal files located on disk. To learn about the remote IIS settings and configurations before hosting a portal, see -the[Prerequisites for Deployments in Remote IIS](remoteiisprerequisites.md) topic. +the[Prerequisites for Deployments in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md) topic. **To create a portal:** @@ -291,7 +291,7 @@ running on a Docker deamon in your environment, so that Directory Manager can cr the portal there and run the portal from within that container. For an overview on application deployment in Docker, see the -[Prerequisites for Deployments in Docker](dockerprerequisites.md) topic. +[Prerequisites for Deployments in Docker](/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md) topic. NOTE: To host the portal, Docker daemon should be configured to run Windows containers. 
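Review bot: In the `@@ -239,7` hunk above, the `+` line keeps `the[Prerequisites for Deployments in Remote IIS](...)` with no space between `the` and the link, so the rendered sentence runs the two words together. Add the space while the line is being rewritten.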
@@ -422,7 +422,7 @@ can choose to deploy the new portal in any of the supported web servers. Conside You may notice a portal with an orange card and an orange icon on the card. On hovering the mouse over the icon, the tooltip says that _linked mode will not be allowed_. This relates to the scenario when identity stores in Directory Manager have been linked, as discussed in the -[Linked Identity Stores and the Directory Manager Portal](../identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) +[Linked Identity Stores and the Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) topic. Hence, when two identity stores, IdentityStoreA and IdentityStoreB, are linked and you associate IdentityStoreA with the portal, the portal card appears in orange. It informs you to associate the second identity store in the linked pair (dentityStoreB) with the portal too, in order @@ -443,5 +443,5 @@ to benefit from the linking. **See Also** -- [Directory Manage Applications](applications.md) -- [ Directory Manager Portal](overview.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [ Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/portal/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/delete.md b/docs/groupid/11.1/groupid/admincenter/portal/delete.md index 7b4efa6b80..7b099b0b22 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/delete.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/delete.md 
@@ -58,5 +58,5 @@ Deleting a portal removes all its deployments and configurations from Directory **See Also** -- [Directory Manage Applications](applications.md) -- [ Directory Manager Portal](overview.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [ Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/portal/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md b/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md index e3ebfb9220..1ce2231991 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md @@ -68,4 +68,4 @@ The bad words check applies to the following: See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/createobject.md b/docs/groupid/11.1/groupid/admincenter/portal/design/createobject.md index 995a65ab98..234575e6c5 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/createobject.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/createobject.md 
@@ -18,13 +18,13 @@ as needed. NOTE: In the portal, the _Create Group_ wizard starts with the _Group Type_ page, where users can select the type of group they want to create. Options on this page vary, depending on the permissions assigned to the user in the identity store. (See the -[Security Role – Permissions](../../securityrole/permissions.md) topic.) +[Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic.) - If a user has the _Create Static Group_ permission and is denied the _Create Smart Group_ permission, only the _Static Group_ option is displayed on the _Group Type_ page. - If a user has the _Create Smart Group_ permission and is denied the _Create Static Group_ permission, all options except _Static Group_ are displayed on the _Group Type_ page. - ![group_type](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/group_type.webp) + ![group_type](/img/product_docs/groupid/groupid/admincenter/portal/design/group_type.webp) NOTE: You can customize the _Group Type_ page individually for static group, Smart Group, and each of the Dynasty types. However: @@ -62,7 +62,7 @@ What do you want to do? this name. 8. In the **Visibility Level** drop-down list, select a security role. The page would be visible to users of this role and roles with a priority value higher than this role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the page from all users. 9. To add fields to the page, see the Add a Field to a Wizard Page topic. 10. Click **OK**. 
@@ -141,10 +141,10 @@ You can update the following for a page: 10. In the **Display Type** drop-down list, select a display type to use for rendering this field on the wizard. The list contains basic display types and custom display types defined on the **Custom Display - Types** page. See the [Display Type Categories](../displaytype/categories.md) topic. + Types** page. See the [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. 11. In the **Visibility Level** drop-down list, select a security role. The field would be visible to users of the selected role and roles with a priority value higher than the selected role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the field from all users. 12. As mentioned for visibility level, the field is visible to members of the selected role and roles with a priority value higher than the selected role. @@ -180,7 +180,7 @@ You can update the following for a page: 19. Select the **Filter Bad Words** check box to ensure that users do not enter any bad word in this field. A value entered for the field is checked against the words listed on the **Bad Words List** - page. Matched values cannot be saved. See the [Manage the Bad Words List](badwords.md) topic. + page. Matched values cannot be saved. See the [Manage the Bad Words List](/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md) topic. 20. Click **OK**. The field is displayed in the **Fields** area on the **Edit Category** pane. You can rearrange the fields, update field properties, and even remove a field from the wizard page. 21. Click **OK**. 
@@ -262,4 +262,4 @@ The following field properties vary from field to field. You can: See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md b/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md index d28d5fa6f3..89d909fa98 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md @@ -71,5 +71,5 @@ What do you want to do? **See Also** -- [Customize Search Forms](searchforms.md) -- [Customize Search Results](searchresults.md) +- [Customize Search Forms](/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md) +- [Customize Search Results](/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md b/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md index e51a0b63a5..a9ee599ae7 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md @@ -47,7 +47,7 @@ What do you want to do? 10. In the **Display Type** drop-down list, select the display type to use to render this field in the portal. The list contains basic display types and custom display types defined on the **Custom Display Types** page. See the - [Display Type Categories](../../displaytype/categories.md) topic. + [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. 11. Click **OK.** The field is displayed in the **Fields** area on the **Edit Search Form** pane. To rearrange the fields on the search form, click the plus sign for a field and drag to change its position. 
@@ -94,7 +94,7 @@ You can change the following for a field on a search form: **See Also** -- [Design a Portal with Display Types](../../displaytype/overview.md) -- [Display Type Categories](../../displaytype/categories.md) -- [Customize Search Results](searchresults.md) -- [Customize Quick Search](quicksearch.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Customize Search Results](/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md) +- [Customize Quick Search](/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md b/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md index a18bc29bde..d0a6708d3e 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md @@ -45,7 +45,7 @@ The following table lists the search results pages that you can customize: 9. In the **Tooltip** box, enter the text to appear when a user hovers the mouse over the field. 10. In the **Display Type** drop-down list, select the display type to use to render this field in the portal. Available options are limited to textbox, DN, DNs, and Link, which are basic display - Types. See the [Basic Display Types](../../displaytype/categories.md#basic-display-types) topic. + Types. See the [Basic Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md#basic-display-types) topic. 11. Click **OK.** The field is displayed in the **Fields** area on the **Edit Search Results** pane. To rearrange the fields on the search form, click the equal sign for a field and drag to change 
@@ -92,7 +92,7 @@ You can change the following for a field on a search results page: **See Also** -- [Design a Portal with Display Types](../../displaytype/overview.md) -- [Display Type Categories](../../displaytype/categories.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) - Customize Search Results -- [Customize Quick Search](quicksearch.md) +- [Customize Quick Search](/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/importexport.md b/docs/groupid/11.1/groupid/admincenter/portal/design/importexport.md index a1aa1a0373..39264dbc73 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/importexport.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/importexport.md @@ -87,4 +87,4 @@ What do you want to do? See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/navigationbar.md b/docs/groupid/11.1/groupid/admincenter/portal/design/navigationbar.md index ed26c34300..cf77d6f869 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/navigationbar.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/navigationbar.md 
@@ -16,7 +16,7 @@ nodes are: On expanding a node, its sub-nodes are displayed. On clicking a sub-node, users are redirected to a page that contains tabs under that sub-node. It is as: -![navigation_bar](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/navigation_bar.webp) +![navigation_bar](/img/product_docs/groupid/groupid/admincenter/portal/design/navigation_bar.webp) Directory Manager enables you to customize the nodes, sub-nodes, and their respective tabs. @@ -82,7 +82,7 @@ Note the following: navigation bar. 8. In the **Access Level** drop-down list, select a security role. The node would be visible to users of this role and roles with a priority value higher than this role. For all other users, - the node would be hidden. See [Priority](../../securityrole/manage.md). + the node would be hidden. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the node for all users. 9. In the **Tooltip Text** box, enter the text to appear when a user hovers the mouse over the node. 10. Use the **Icon Class** box to upload the image (icon) to be displayed with the node name. @@ -200,7 +200,7 @@ that: the browser’s back button to return to the previous page. 13. In the **Access Level** drop-down list, select a security role. The sub-node would be visible for users of this role and roles with a priority value higher than this role. For all other - users, the sub-node would be hidden. See [Priority](../../securityrole/manage.md). + users, the sub-node would be hidden. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the sub-node for all users. 14. Click **OK**. 15. Click **Save** on the **Navigation Bar** page. 
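Review bot: The new `Priority` targets in these navigationbar.md hunks hardcode the version directory `11.1` into the page body by replacing `../../securityrole/manage.md` with `/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md`. A relative link resolves inside whichever version directory the file lives in, while the absolute form keeps pointing at 11.1 if this tree is copied for another release. Confirm that the build's link checking or versioning step accounts for this, or document the convention in the README.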
@@ -298,7 +298,7 @@ You can modify the following for a tab: 4. **URL** – The address of the webpage to display when a user clicks the tab. 5. **Access Level** – Select a security role. The tab would be visible to users of this role and roles with a priority value higher than this role. For all other users, the tab would be - hidden. See [Priority](../../securityrole/manage.md). + hidden. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the tab for all users. 9. Click **OK** twice on the **Edit Link** pane. @@ -343,4 +343,4 @@ You can modify the following for a tab: See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md b/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md index 073822b3b2..9e71127e87 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md @@ -4,12 +4,12 @@ In the portal, the names of directory objects are displayed as links. When a use over this link, a card is displayed, showcasing information about the object. For a user object, for example, the card displays the name, email address and phone number. It is as: -![usercard](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/usercard.webp) +![usercard](/img/product_docs/groupid/groupid/admincenter/portal/design/usercard.webp) For each object type, you can specify a different set of attributes to display on this card. For a group, the card is as: -![groupcard](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/groupcard.webp) +![groupcard](/img/product_docs/groupid/groupid/admincenter/portal/design/groupcard.webp) Notice that the card has three sections, namely: 
@@ -141,5 +141,5 @@ You can remove an attribute from the body of an object card. **See Also** -- [Design a Portal with Display Types](../displaytype/overview.md) -- [Specify Attributes for Object List View](objectlist.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Specify Attributes for Object List View](/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md b/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md index 6aef71eca2..dc3fcf1676 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md @@ -7,7 +7,7 @@ Let’s assume you want to view the groups that are similar to Group A. On the * in Group A’s properties, six groups that bear the most similarity to Group A will be displayed, with the strongest match at the top. It is as: -![similar_groups](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/similar_groups.webp) +![similar_groups](/img/product_docs/groupid/groupid/admincenter/portal/design/similar_groups.webp) For a similar group, three attributes are displayed: @@ -45,5 +45,5 @@ What do you want to do? **See Also** -- [Design a Portal with Display Types](../displaytype/overview.md) -- [Specify Attributes for the Object Card](objectcard.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Specify Attributes for the Object Card](/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md b/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md index d5471604bb..2d3371425f 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md 
+++ b/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md @@ -64,7 +64,7 @@ What do you want to do? 8. In the **Visibility Level** drop-down list, select a security role. The tab would be visible to users of this role and roles with a priority value higher than this role. The tab would not be visible to group owners (for their respective groups) and user managers (for their direct - reports) if they fall in a lower priority role. See [Priority](../../securityrole/manage.md). + reports) if they fall in a lower priority role. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to hide the tab from all users. - Select _Manager and Owner_ to make the tab visible only to the owner (in case of a group) or @@ -92,7 +92,7 @@ What do you want to do? 9. In the **Access Level** drop-down list, select a security role. Users of this role and roles with a priority value higher than it can add and update the values of fields on this tab. If group owners/user managers fall in a lower priority role, they cannot update the fields on the tab for - their respective groups/direct reports. See [Priority](../../securityrole/manage.md). + their respective groups/direct reports. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to make the tab and its fields read-only for all users. - Select _Manager and Owner_ to enable the owner (in case of a group) or manager (in case of a 
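Review bot: Both `See [Priority](...)` lines in the `@@ -64,7` and `@@ -92,7` hunks link to `securityrole/manage.md` with no fragment, although the link text names a specific concept and other links in this patch carry one (for example `settings.md#specify-a-replication-interval-for-objects`). These steps decide who can see and edit a tab through Visibility Level and Access Level, so if manage.md has a Priority heading, point the link at it rather than at the top of the page.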
@@ -179,11 +179,11 @@ You can change the following for a tab: 10. In the **Display Type** drop-down list, select the display type to use for rendering this field on the tab. The list contains basic display types and custom display types defined on the **Custom Display - Types** page. See the [Display Type Categories](../displaytype/categories.md) topic. + Types** page. See the [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. 11. In the **Visibility Level** drop-down list, select a security role. The tab would be visible to users of this role and roles with a priority value higher than this role. It would not be visible to group owners (for their respective groups) and user managers (for their direct - reports) if they fall under a lower priority role. See [Priority](../../securityrole/manage.md). + reports) if they fall under a lower priority role. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to hide the field from all users. - Select _Manager and Owner_ to make the field visible only to the owner (in case of a group) or @@ -213,7 +213,7 @@ You can change the following for a tab: 12. In the **Access Level** drop-down list, select a security role. Users of this role and roles with a priority value higher than this role can add and update the value of this field. If group owners/user managers fall in a lower priority role, they cannot able to update the value of the - field for their respective groups/direct reports. See [Priority](../../securityrole/manage.md). + field for their respective groups/direct reports. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to make this field read-only for all users. - Select _Manager and Owner_ to enable only the owner (in case of a group) or manager (in case 
@@ -275,7 +275,7 @@ You can change the following for a tab: 20. Select the **Filter Bad Words** check box to ensure that users do not enter any bad word in this field. A value entered for the field is checked against the words listed on the **Bad Words List** - page. Matched values cannot be saved. See the [Manage the Bad Words List](badwords.md) topic. + page. Matched values cannot be saved. See the [Manage the Bad Words List](/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md) topic. 21. The **Image Attribute** list is available when ‘DN’ is selected as the display type. This list supports ‘thumbnailPhoto’ as its value. @@ -364,4 +364,4 @@ The following field properties vary from field to field. You can: See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/organizationalhierarchy.md b/docs/groupid/11.1/groupid/admincenter/portal/design/organizationalhierarchy.md index 18a01137ea..53e75be8fd 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/organizationalhierarchy.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/organizationalhierarchy.md 
@@ -35,10 +35,10 @@ What do you want to do? attribute on the organizational hierarchy chart. The display type must match the attribute. For example, the ‘TreePicture’ display type matches the ‘thumbnailPhoto’ attribute. This list contains basic display types and custom display types defined on the **Custom Display - Types** page. See the [Display Type Categories](../displaytype/categories.md) topic. + Types** page. See the [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. 9. Click **OK**. 10. Click **Save** on the **Organizational Hierarchy** page. **See Also** -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md b/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md index eaa9ed1a8c..7816437947 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md @@ -31,7 +31,7 @@ neither be edited nor removed. The Directory Manager administrator can enforce group owners to review and validate the attributes and membership of an expiring group before renewing it. See the -[Enable Group Attestation](../../identitystore/configure/directoryservice/grouplifecycle.md#enable-group-attestation) +[Enable Group Attestation](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#enable-group-attestation) topic. While attesting a group in the portal, the owner can: 
@@ -82,10 +82,10 @@ What do you want to do? 9. Use the **Display Type** drop-down list to specify the display type to use for rendering the attribute in the portal. The list contains basic display types and custom display types defined on the **Custom Display Types** page. See the - [Display Type Categories](../displaytype/categories.md) topic. + [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. 10. In the **Visibility Level** drop-down list, select a security role. The field would be visible to users of this role and roles with a priority value higher than this role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the field from all users. 11. As mentioned for visibility level, the field is visible to members of the selected role and roles with a priority value higher than the selected role. @@ -102,7 +102,7 @@ What do you want to do? 16. Select the **Filter Bad Words** check box to ensure that users do not enter any bad word in this field. A value entered for the field is checked against the words listed on the **Bad Words List** - page. Matched values cannot be saved. See the [Manage the Bad Words List](badwords.md) topic. + page. Matched values cannot be saved. See the [Manage the Bad Words List](/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md) topic. 17. The **Image Attribute** list is available when ‘DN’ is selected as the display type. This list supports ‘thumbnailPhoto’ as its value. 
@@ -177,5 +177,5 @@ The following field properties vary from field to field. You can: **See Also** -- [Design a Portal with Display Types](../displaytype/overview.md) -- [Configure User Profile Validation](../../identitystore/configure/directoryservice/profilevalidation.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Configure User Profile Validation](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/profilevalidation.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md b/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md index 60eb40e408..1ae578d4ff 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md 
@@ -13,26 +13,26 @@ on the following pages in the portal: The schema attributes you specify would be available to portal users on the Filter Criteria tab of the Query Designer for building Smart Group/Dynasty queries. - ![filter_criteria_tab](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/filter_criteria_tab.webp) + ![filter_criteria_tab](/img/product_docs/groupid/groupid/admincenter/portal/design/filter_criteria_tab.webp) - The Sub-Manager Query Designer for a Recursive Managerial Dynasty, where you can specify a query for sub-manager selection. - ![submanagerquery](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/submanagerquery.webp) + ![submanagerquery](/img/product_docs/groupid/groupid/admincenter/portal/design/submanagerquery.webp) - The **Add Attributes** dialog box for Dynasties. The schema attributes you specify would be available in the _Group Items By_ field, which is used to divide the query results into groups. Directory Manager creates a new child group for each unique value of the attribute that users select in the _Group Items By_ field. - ![addattributes](../../../../../../../static/img/product_docs/accessanalyzer/admin/datacollector/addattributes.webp) + ![addattributes](/img/product_docs/accessanalyzer/admin/datacollector/addattributes.webp) - The Query Designer for importing members to a group using an external data source. The specified schema attributes would be available on the Filter Criteria tab of the Query Designer for building membership import queries. You can launch this Query Designer using the **Import** button on the **Members** tab in group properties (for static groups, Smart Groups and Dynasties). 
- ![importmembers](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/importmembers.webp) + ![importmembers](/img/product_docs/groupid/groupid/admincenter/portal/design/importmembers.webp) - The Query Designer for query-based search, where users can define a query to search the directory. The schema attributes you specify would be available to portal users on the Filter Criteria tab of @@ -86,14 +86,14 @@ You can also specify the following for an attribute: This box is not available when multiple attributes have been selected. 9. Select a security role in the **Visibility Level** drop-down list. The attribute(s) would be visible to users of the selected role and roles with a priority value higher than the selected - role. See [Priority](../../securityrole/manage.md). + role. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the attribute(s) from all users. 10. Use the **Display Type** drop-down list to specify the display type to use for enabling users to provide a value for the attribute(s) in the portal. For example, you can select a text box, drop-down list, or DN as display type. In case of DN, users can search and select a directory object as value for the attribute. The list contains basic display types and custom display types defined on the **Custom Display - Types** page. See the [Display Type Categories](../displaytype/categories.md) topic. + Types** page. See the [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) topic. When multiple attributes are selected in the **Fields** box, this display type applies to each of them. You can edit an attribute later to apply a different display type. 11. In the **ToolTip Text** box, enter the text to display when a user hovers the mouse over the 
@@ -156,4 +156,4 @@ You can change the following for an attribute: See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/sendasonbehalf.md b/docs/groupid/11.1/groupid/admincenter/portal/design/sendasonbehalf.md index c069d32324..7032138cea 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/sendasonbehalf.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/sendasonbehalf.md @@ -71,7 +71,7 @@ would enable the object to delegate the Send As permission to users. visible to users of this role and roles with a priority value higher than this role. It would not even be visible to group owners (for their respective groups) and user managers (for their direct reports) if they fall in a lower priority role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to hide the field from all users. - Select _Manager and Owner_ to make the field visible only to the owner (in case of a group) or @@ -136,7 +136,7 @@ would enable the object to delegate the Send As permission to users. Launch the portal and go to the properties of the target object (group or mailbox) you defined the Send As field for, then click the respective tab. The Send As field is displayed as follows: -![sendas](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/sendas.webp) +![sendas](/img/product_docs/groupid/groupid/admincenter/portal/design/sendas.webp) Use the **Add** and **Remove** buttons to add and remove objects in the Send As list. The added objects can send email for the target object in accordance with the Send As functionality. 
@@ -167,7 +167,7 @@ This would enable the object to delegate the Send on Behalf permission to users. 11. In the **Visibility Level** drop-down list, select a security role. The Send on Behalf field would be visible to users of this role and roles with a priority value higher than this role. It would not be visible to group owners (for their groups) and user managers (for their direct - reports) if they fall in a lower priority role. See [Priority](../../securityrole/manage.md). + reports) if they fall in a lower priority role. See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Select _Never_ to hide the field from all users. - Select _Manager and Owner_ to make the field visible only to the owner (in case of a group) or @@ -231,7 +231,7 @@ Launch the portal and go to the properties of the target object (group or mailbo Send on Behalf field for, then click the respective tab. The Send on Behalf field is displayed as follows: -![sendonbehalf](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/design/sendonbehalf.webp) +![sendonbehalf](/img/product_docs/groupid/groupid/admincenter/portal/design/sendonbehalf.webp) Use the **Add** and **Remove** buttons to add and remove objects in the Send on Behalf list. The added objects can send email on behalf of the target object in accordance with the Send on Behalf diff --git a/docs/groupid/11.1/groupid/admincenter/portal/design/toolbars.md b/docs/groupid/11.1/groupid/admincenter/portal/design/toolbars.md index 5b5a6ff330..b51a493d33 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/design/toolbars.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/design/toolbars.md 
@@ -81,7 +81,7 @@ can update a few details for a button, such as its name and image. 8. **Visibility Level** – Select a security role. The toolbar button would be visible to users of this role and roles with a priority value higher than this role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the button from all users. 8. Click **OK**. @@ -104,4 +104,4 @@ can update a few details for a button, such as its name and image. See Also -- [Design a Portal with Display Types](../displaytype/overview.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md index 153a7f8ff6..0ef3899c76 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md @@ -6,7 +6,7 @@ A field can be anything from a text box to a drop-down list to a check box, depe type linked to it. You must also link each field to a schema attribute in the directory. Users can use the fields in a portal to add and update values for the respective attributes. -See the [Design a Portal with Display Types](overview.md) topic fr additional information. +See the [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) topic fr additional information. ## Schema Attributes and Display Types 
@@ -45,7 +45,7 @@ You can link a basic display type to a schema attribute straight away. Basic dis Use it to collect and display a single value for an attribute. You can link it directly to a schema attribute. However, to apply additional rules to it, such as assigning a default value or implementing a regular expression to validate the data entered, you must create a custom display - type from this basic type. See the [Text Box Display Type](textbox.md) topic. + type from this basic type. See the [Text Box Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md) topic. - **Password** @@ -58,7 +58,7 @@ You can link a basic display type to a schema attribute straight away. Basic dis Use it for schema attributes that can accept multiple string values. A multi-value display type is displayed in the portal as: - ![multi-value_display_type](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multi-value_display_type.webp) + ![multi-value_display_type](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multi-value_display_type.webp) Clicking **Add** launches a dialog box where users can add new values. @@ -74,7 +74,7 @@ You can link a basic display type to a schema attribute straight away. Basic dis this display type appears as a button that launches the **Find** dialog box, where users can search and select objects. It is as: - ![dn](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/dn.webp) + ![dn](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/dn.webp) - **DNs** 
@@ -82,7 +82,7 @@ You can link a basic display type to a schema attribute straight away. Basic dis Directory attributes _member_ and _memberOf_. The user interface element for this display type is as follows: - ![multi-value_display_type](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multi-value_display_type.webp) + ![multi-value_display_type](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multi-value_display_type.webp) Clicking **Add** displays a quick search field along with an option to launch the **Find** dialog box where users can search and select the desired objects. @@ -114,7 +114,7 @@ Some applications of display type are: phone number and fax number. The default portal template uses several predefined custom display types. See the -[Define Custom Display Types](custom.md) topic to add more display types as needed. +[Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) topic to add more display types as needed. The **Custom Display Types** page in a portal’s design settings lists all the predefined custom display types and any custom display types you may have added. diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md index fb277a4678..32ce921492 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md 
@@ -4,15 +4,15 @@ In Directory Manager, several predefined custom display types are used in the de template. To customize the portal, you can use the predefined custom display types as well as define new ones. -- [Text Box Display Type](textbox.md) -- [Drop-down List Display Type](dropdownlist.md) -- [Linked Field Drop-down List Display Type](linkeddropdown.md) -- [Image Display Type](image.md) -- [Grid Display Type](grid.md) -- [Radio Button Display Type](radio.md) -- [Multiline Textbox Display Type](multilinetextbox.md) -- [Multi-Valued Control Display Type](multivaluedcontrol.md) -- [Linked Combo Display Type](../linkedcombo/overview.md) +- [Text Box Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md) +- [Drop-down List Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/dropdownlist.md) +- [Linked Field Drop-down List Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/linkeddropdown.md) +- [Image Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/image.md) +- [Grid Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/grid.md) +- [Radio Button Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/radio.md) +- [Multiline Textbox Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multilinetextbox.md) +- [Multi-Valued Control Display Type](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multivaluedcontrol.md) +- [Linked Combo Display Type](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md) ## How to Implement Display Types 
@@ -45,5 +45,5 @@ To delete a custom display type: **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/dropdownlist.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/dropdownlist.md index a40e560f37..95fa133e54 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/dropdownlist.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/dropdownlist.md @@ -46,7 +46,7 @@ A few drop-down list display types used in the default portal template are: database attribute.) 3. In the **Visibility** drop-down list, select a security role. The value in the drop-down list will be visible to users of this role and roles with a priority value higher than this role. - See [Priority](../../securityrole/manage.md). + See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the value from all users. 4. Click **OK**. The value is listed in the **Values** area, represented by its display text. @@ -63,6 +63,6 @@ A few drop-down list display types used in the default portal template are: **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/grid.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/grid.md index d9cb06a402..cbdc7aa00b 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/grid.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/grid.md @@ -95,7 +95,7 @@ A few grid display types used in the default portal template are: 12. Select the **Show Search Filters** check box to add a row to the grid that serves as a search bar. This row appears in the grid, as shown below: - ![search_row_in_grid](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/search_row_in_grid.webp) + ![search_row_in_grid](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/search_row_in_grid.webp) 13. Select the **Editable** check box to make the rows in the grid available for editing. Else, the grid will be read-only. @@ -104,6 +104,6 @@ A few grid display types used in the default portal template are: **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/image.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/image.md index 486237d71b..3f572d4d8d 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/image.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/image.md 
@@ -16,7 +16,7 @@ can be uploaded for this display type. A custom image display type is rendered on a portal page as: -![photo_placeholder](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/photo_placeholder.webp) +![photo_placeholder](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/photo_placeholder.webp) Click **Edit** to launch the **Manage Photo** dialog box for uploading a photo. The dialog box also provides many image editing options, including rotate, crop, flip, and re-size. @@ -50,6 +50,6 @@ photos. **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/linkeddropdown.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/linkeddropdown.md index 8c952ab186..a6bed608ba 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/linkeddropdown.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/linkeddropdown.md 
@@ -62,13 +62,13 @@ A linked field drop-down list is displayed in the portal as a drop-down list. Wh selects a value and saves it, the isolated linked fields are auto populated with the predefined values and a message, similar to the following, is displayed. -![linked_field_message](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/linked_field_message.webp) +![linked_field_message](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/linked_field_message.webp) Here, **Department** is the key value. Selecting it in the drop-down list populates the **Company** field with the predefined value. **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multilinetextbox.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multilinetextbox.md index 3be2b7390f..e75c8ec73a 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multilinetextbox.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multilinetextbox.md 
@@ -13,7 +13,7 @@ characters of the entered value on screen as compared to a textbox. In the portal’s default template, the _Description_ field on the _Create New Group_ page uses the multiline textbox display type. It is as: -![multiline textbox in the portal](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multiline_textbox.webp) +![multiline textbox in the portal](/img/product_docs/groupid/groupid/admincenter/portal/displaytype/multiline_textbox.webp) To define a multiline textbox display type, provide a name for it and specify the on-screen width by giving the number of rows to be displayed for it. Portal users can use the _Enter_ key to add as @@ -40,6 +40,6 @@ many rows as required while entering data. **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multivaluedcontrol.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multivaluedcontrol.md index 593035675f..61cc5fb0b0 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multivaluedcontrol.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/multivaluedcontrol.md 
@@ -77,6 +77,6 @@ schema attribute you link this display type with. **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md index 3cfc0b2ac3..142d8a6e33 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md 
@@ -11,44 +11,44 @@ functionality for each associated identity store. You can customize the following for a portal: - **Search Forms:** control the fields to be displayed on different search forms and search result - pages in a portal. See the [Customize Search Forms](../design/form/searchforms.md) and - [Customize Search Results](../design/form/searchresults.md) topics. + pages in a portal. See the [Customize Search Forms](/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchforms.md) and + [Customize Search Results](/docs/groupid/11.1/groupid/admincenter/portal/design/form/searchresults.md) topics. - **Quick Search:** control the schema attributes for quick search to run on. See the - [Customize Quick Search](../design/form/quicksearch.md) topic. + [Customize Quick Search](/docs/groupid/11.1/groupid/admincenter/portal/design/form/quicksearch.md) topic. - **Properties:** control what properties of directory objects you want to display in a portal. See - the [Customize Properties Pages](../design/objectproperties.md) topic. + the [Customize Properties Pages](/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md) topic. - **Toolbars:** customize the buttons on the portal toolbars. See the - [Customize the Toolbars](../design/toolbars.md) topic. + [Customize the Toolbars](/docs/groupid/11.1/groupid/admincenter/portal/design/toolbars.md) topic. - **Navigation Bar:** customize the left navigation bar in a portal. See the - [Customize the Navigation Bar](../design/navigationbar.md) topic. + [Customize the Navigation Bar](/docs/groupid/11.1/groupid/admincenter/portal/design/navigationbar.md) topic. - **Bad Words List:** restrict users from entering bad or offensive words while using a portal. See - the [Manage the Bad Words List](../design/badwords.md) topic. + the [Manage the Bad Words List](/docs/groupid/11.1/groupid/admincenter/portal/design/badwords.md) topic. 
- **Import/Export Attributes:** specify schema attributes to be used for importing/exporting members and additional owners for groups. See the - [Specify Attributes for Import/Export of Group Owners and Members](../design/importexport.md): + [Specify Attributes for Import/Export of Group Owners and Members](/docs/groupid/11.1/groupid/admincenter/portal/design/importexport.md): topic. - **Create Object Wizards:** control the schema attributes displayed in the portal for creating different object types. See the - [Customize the Create Object Wizards](../design/createobject.md) topic. + [Customize the Create Object Wizards](/docs/groupid/11.1/groupid/admincenter/portal/design/createobject.md) topic. - **Query Attributes:** control which schema attributes to display in the portal for creating queries for Smart Groups ad Dynasties. See the - [ Specify Smart Group Query Attributes](../design/queryattributes.md) topic. + [ Specify Smart Group Query Attributes](/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md) topic. - **Property Validation:** manage the schema attributes for user profile validation and group - attestation. See the [Manage Property Validation Attributes](../design/propertyvalidation.md) + attestation. See the [Manage Property Validation Attributes](/docs/groupid/11.1/groupid/admincenter/portal/design/propertyvalidation.md) topic. - **Organizational Hierarchy:** specify user attributes for display on the organizational hierarchy chart. See the - [Specify Attributes for Organizational Hierarchy](../design/organizationalhierarchy.md) topic. + [Specify Attributes for Organizational Hierarchy](/docs/groupid/11.1/groupid/admincenter/portal/design/organizationalhierarchy.md) topic. - **Card View:** specify the attributes to be displayed on an object card. See the - [Specify Attributes for the Object Card](../design/objectcard.md) topic. 
+ [Specify Attributes for the Object Card](/docs/groupid/11.1/groupid/admincenter/portal/design/objectcard.md) topic. - **Object List View:** specify the attributes to be displayed for similar groups on the **Similar Groups** tab in group properties. See the - [Specify Attributes for Object List View](../design/objectlist.md) topic. + [Specify Attributes for Object List View](/docs/groupid/11.1/groupid/admincenter/portal/design/objectlist.md) topic. NOTE: Design settings are available for a standard Directory Manager portal, and not for a Self-Service Password Reset portal. **See Also** -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/radio.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/radio.md index e3a7e10201..f3cd368ed6 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/radio.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/radio.md @@ -42,7 +42,7 @@ A few radio display types used in the default portal template are: 4. Enter a description for the radio button in the **Description** box. 5. Select a security role in the **Visibility** drop-down list. The radio button will be visible to users of this role and roles with a priority value higher than this role. See - [Priority](../../securityrole/manage.md). + [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Select _Never_ to hide the radio button from all users. 6. Click **OK**. The radio button is listed in the **Values** area on the **New Display Type** pane. 
@@ -62,6 +62,6 @@ A few radio display types used in the default portal template are: **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md index ccff5b04c3..be29e20171 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/displaytype/textbox.md @@ -17,7 +17,7 @@ regular expression for a US phone number of the pattern: (555) 123-4567 will be: To learn about regular expressions and their syntax, see -- [Introduction to Regular Expressions]() +- [Introduction to Regular Expressions](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2010/28hw3sce(v%3dvs.100)) - [Regular Expression Syntax Reference](https://msdn.microsoft.com/en-us/library/ms840427.aspx) ## Predefined Text Box Display Types @@ -98,6 +98,6 @@ NOTE: Data should be in JSON format. **See Also** -- [Design a Portal with Display Types](overview.md) -- [Display Type Categories](categories.md) -- [Define Custom Display Types](custom.md) +- [Design a Portal with Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/overview.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md b/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md index 8ff25acb48..949ac334d3 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md @@ -59,7 +59,7 @@ images that you have pulled, and the containers created (the applications runnin Launch Docker Desktop and click **Images** in the left pane. -![images_-_local_tab](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/images_-_local_tab.webp) +![images_-_local_tab](/img/product_docs/groupid/groupid/admincenter/portal/images_-_local_tab.webp) The Images page (Local tab) shows all images that you have pulled from different repositories. Notice the first image is from Directory Manager. Here: @@ -71,7 +71,7 @@ Notice the first image is from Directory Manager. Here: Click **Remote Repositories** to go to the remote server, where you will find all Directory Manager-specific images under _Imanami_. -![images_-_remote_repositories](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/images_-_remote_repositories.webp) +![images_-_remote_repositories](/img/product_docs/groupid/groupid/admincenter/portal/images_-_remote_repositories.webp) Directory Manager application images for different Directory Manager versions are listed here. For example, three Data service images are available for three distinct Directory Manager versions. 
@@ -87,13 +87,13 @@ deploying the application. Click **Containers/Apps** in the left pane to view the containers. -![apps_page](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/apps_page.webp) +![apps_page](/img/product_docs/groupid/groupid/admincenter/portal/apps_page.webp) Select a container and click **Inspect** to view its details. -![container_details](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/container_details.webp) +![container_details](/img/product_docs/groupid/groupid/admincenter/portal/container_details.webp) **See Also** -- [Directory Manage Applications](applications.md) -- [ Directory Manager Portal](overview.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [ Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/portal/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/details.md b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/details.md index 461a2cc8cc..32b0aa93bb 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/details.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/details.md @@ -21,10 +21,10 @@ Display Type** wozard: If the source file is a Microsoft Excel (.xls or .xlsx) file, Directory Manager automatically creates its XML version to process it. To learn about the Excel file format, see the - [Excel Data File Format](fileformat.md) topic. + [Excel Data File Format](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md) topic. 3. Click **Next**. See Also -- [Linked Combo Display Type](overview.md) +- [Linked Combo Display Type](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md index abebec81bd..fe8b5ff7e2 100644 
--- a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md 
@@ -5,11 +5,11 @@ display type: | | Rule for | Description | | --- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| 1. | Worksheet names | The worksheet names should follow the format: **Number-Name** Where: - _Number_ is the serial number based on the order of the worksheet and it should start from zero. This means that the number for the first worksheet should be 0, the second should be 1, the third should be 2, and so on. - _Name_ is the name of the worksheet that identifies the data it contains. It can be anything you want. ![image](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/image.webp) | -| 2. | Identity column | Each worksheet should have an identity _(ID)_ column that contains a unique value for every record entered in the sheet. ![image1](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) | +| 1. | Worksheet names | The worksheet names should follow the format: **Number-Name** Where: - _Number_ is the serial number based on the order of the worksheet and it should start from zero. This means that the number for the first worksheet should be 0, the second should be 1, the third should be 2, and so on. - _Name_ is the name of the worksheet that identifies the data it contains. It can be anything you want. ![image](/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/image.webp) | +| 2. 
| Identity column | Each worksheet should have an identity _(ID)_ column that contains a unique value for every record entered in the sheet. ![image1](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) | | 3. | Name column | Each worksheet should have a _Name_ column. This column contains the values to be displayed in the linked combo. For example, the _Name_ column in the 0-Company worksheet contains the company name for every record in the sheet. | -| 4. | Foreign Key column | Each worksheet that contains data related to that on the previous sheet, should have a foreign key identity column (_FK_). This column contains the ID of the record (from the immediately previous sheet) that the current record relates to. ![image2](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/checklist/image2.webp) | +| 4. | Foreign Key column | Each worksheet that contains data related to that on the previous sheet, should have a foreign key identity column (_FK_). This column contains the ID of the record (from the immediately previous sheet) that the current record relates to. ![image2](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/checklist/image2.webp) | See Also -- [Linked Combo Display Type](overview.md) +- [Linked Combo Display Type](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md index 047c0ab685..4a562995d7 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md 
@@ -38,7 +38,7 @@ other display types that will be linked to it. Directory Manager also supports t file format (.xls or .xlsx), that it automatically converts to XML. The data in the Excel file must be in a specific format for Directory Manager to process it. -For information about the Excel file format, see the [Excel Data File Format](fileformat.md) topic. +For information about the Excel file format, see the [Excel Data File Format](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/fileformat.md) topic. NOTE: If data in the source file is updated, you must reload the file for changes to take effect. @@ -56,9 +56,9 @@ NOTE: If data in the source file is updated, you must reload the file for change 7. Complete the pages of the **Linked Combo Display Type** wizard. 1. On the **Details** page, provide the source data file. See the - [Linked Combo Type - Details](details.md) topic for more info. + [Linked Combo Type - Details](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/details.md) topic for more info. 2. On the **Schema** page, define the parent-child relationship between fields. See the - [Linked Combo Type - Schema](schema.md) topic for details. + [Linked Combo Type - Schema](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md) topic for details. 8. Click **OK**. 9. Click **Save** on the **Custom Display Types** page. 
@@ -164,10 +164,10 @@ When you update data in the source file, you must also reload the file for chang Display Type** wizard is displayed. 7. On the **Details** page, click **Browse** to select the file to load. Then click **Next**. 8. On the **Schema** page, make changes to the relationships, if required, and click **OK**. - See the [Linked Combo Type - Schema](schema.md) topic for details. + See the [Linked Combo Type - Schema](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md) topic for details. 9. Click **Save** on the **Custom Display Types** page. **See Also** -- [Display Type Categories](../displaytype/categories.md) -- [Define Custom Display Types](../displaytype/custom.md) +- [Display Type Categories](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/categories.md) +- [Define Custom Display Types](/docs/groupid/11.1/groupid/admincenter/portal/displaytype/custom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md index 086c29b40e..144b8e5149 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/schema.md @@ -14,7 +14,7 @@ Do the following: Expressions in the **Type binding expression** list are auto generated with respect to the number of sheets in the source Excel workbook and the number of columns in a sheet. It is as: - ![binding_expressions_examples](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/binding_expressions_examples.webp) + ![binding_expressions_examples](/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/binding_expressions_examples.webp) In an expression, worksheet names are enclosed in brackets while the names of the data columns in the worksheets are without brackets. The expressions in the figure above indicate that the 
@@ -29,7 +29,7 @@ Do the following: 1. Click **Add** to add a row. - ![child_fields](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/child_fields.webp) + ![child_fields](/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/child_fields.webp) 2. In the **Linked Field** drop-down list, select a field (for example, Country). This field will be linked to the data column represented by the binding expression you select in the @@ -50,7 +50,7 @@ Do the following: 0-Company, 1-Country, and 2-City. (You can also create two linked combos to manage the relationship between these three fields.) - ![schema](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/schema.webp) + ![schema](/img/product_docs/groupid/groupid/admincenter/portal/linkedcombo/schema.webp) The relationship formed between fields can be explained as: @@ -84,4 +84,4 @@ Do the following: See Also -- [Linked Combo Display Type](overview.md) +- [Linked Combo Display Type](/docs/groupid/11.1/groupid/admincenter/portal/linkedcombo/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/overview.md b/docs/groupid/11.1/groupid/admincenter/portal/overview.md index fa36e62e6c..ca65cd03c1 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/overview.md 
@@ -49,14 +49,14 @@ linking, the identity stores must be built on Active Directory or Microsoft Entr purpose is to link identical objects in different domains. To learn about linked identity stores and how they work in a Directory Manager portal, see the -[Linked Identity Stores and the Directory Manager Portal](../identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) +[Linked Identity Stores and the Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) topic. ## Notifications in the Portal A Directory Manager portal can send email notifications to designated recipients when a user makes a change to objects in an identity store. To specify notification recipients, see the -[Specify Notification Recipients](../identitystore/configure/smtpserver.md#specify-notification-recipients) +[Specify Notification Recipients](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md#specify-notification-recipients) topic. By default, notifications are sent to users in the English language. However, a user can opt to @@ -65,6 +65,6 @@ receive notifications in a supported language by personalizing the language sett **See Also** -- [Directory Manage Applications](applications.md) -- [Create a Portal](create.md) -- [Delete a Portal](delete.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [Create a Portal](/docs/groupid/11.1/groupid/admincenter/portal/create.md) +- [Delete a Portal](/docs/groupid/11.1/groupid/admincenter/portal/delete.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md b/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md index f4fd54fbd3..f75259a7b3 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md 
@@ -33,14 +33,14 @@ be created within this site. **To create a site in remote IIS:** 1. Launch Internet Information Services (IIS) Manager (see - [Opening IIS Manager]()). + [Opening IIS Manager](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90). 2. In the left pane, right-click **Sites** and select **Add Website**. - ![Add a website in IIS](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/addsite.webp) + ![Add a website in IIS](/img/product_docs/groupid/groupid/admincenter/portal/addsite.webp) 3. Enter the information as shown below and click **OK**: - ![Add Website window](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/addwebsite.webp) + ![Add Website window](/img/product_docs/groupid/groupid/admincenter/portal/addwebsite.webp) 1. Enter a name for the site in the **Site name** box. 2. Create a new folder on the remote machine and bind this site to that folder. Provide the @@ -90,7 +90,7 @@ The next step is to assign permissions on the physical folder that binds to your 3. Open the **appsettings.json** file and add the highlighted script at the end of the file: - ![Script for appsettings.json file](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/appsettings-full.webp) + ![Script for appsettings.json file](/img/product_docs/groupid/groupid/admincenter/portal/appsettings-full.webp) 4. The script to be added is given below: 
@@ -129,12 +129,12 @@ To connect to the API, an access key is required. Follow the steps below to gene used. 2. Click **ACCESS KEYS**. - ![Access Keys](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/accesskeys.webp) + ![Access Keys](/img/product_docs/accessanalyzer/requirements/target/config/accesskeys.webp) 3. Click **Create Access Key** to generate an access key and provide the following information: - ![Access Key Purpose window](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/accesskeyspurpose.webp) + ![Access Key Purpose window](/img/product_docs/groupid/groupid/admincenter/portal/accesskeyspurpose.webp) 4. On clicking **Create**, the access key is generated. - ![Access Token window](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/accesstoken.webp) + ![Access Token window](/img/product_docs/groupid/groupid/admincenter/portal/accesstoken.webp) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md b/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md index e3cd2e8e39..eae068a9cd 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md @@ -10,7 +10,7 @@ Self-Service Password Reset portal. Default values for all advanced settings are specified for a portal. You can update any setting as required. You can also import these advanced settings for a portal from a previous Directory Manager version. See step 14 in the -[Create a Portal in Native IIS](../create.md#create-a-portal-in-native-iis) topic. +[Create a Portal in Native IIS](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-native-iis) topic. You can manage the following advanced settings for a portal: 
diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md b/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md index 6cd013f1ee..b198dee417 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md @@ -34,10 +34,10 @@ After instance creation, this info cannot be changed. ## Set File Logging and Windows Logging for an Instance To set file logging and Windows logging levels for a deployment instance, see the -[Manage Log Settings](log.md) topic. +[Manage Log Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md) topic. ## Delete an Instance To delete a portal’s deployment instance, see the -[Delete a Deployment Instance for a Portal](../delete.md#delete-a-deployment-instance-for-a-portal) +[Delete a Deployment Instance for a Portal](/docs/groupid/11.1/groupid/admincenter/portal/delete.md#delete-a-deployment-instance-for-a-portal) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/general.md b/docs/groupid/11.1/groupid/admincenter/portal/server/general.md index ee563d1074..946aaa7713 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/general.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/general.md 
@@ -46,11 +46,11 @@ a user must select an identity store to connect to, for performing password mana NOTE: You may observe the following message on the **Server Settings – General** page: -![linked_message](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/linked_message.webp) +![linked_message](/img/product_docs/groupid/groupid/admincenter/portal/linked_message.webp) It relates to the scenario when identity stores in Directory Manager have been linked, as discussed in the -[Linked Identity Stores and the Directory Manager Portal](../../identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) +[Linked Identity Stores and the Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/identitystore/link/overview.md#linked-identity-stores-and-the-directory-manager-portal) topic. Hence, when two identity stores, IdentityStoreA and IdentityStoreB, are linked and you associate IdentityStoreA with the portal, this message is displayed. It alerts you to associate the second identity store in the linked pair (dentityStoreB) with the portal too, in order to benefit 
@@ -76,13 +76,13 @@ settings for each deployment instance of a portal. Select an instance to view the name of the instance directory in IIS, the IIS site that hosts the instance, the URL for the instance, the Data service and Security service associated with the instance, and logging levels. See the - [Manage Settings for a Native IIS Deployment](nativeiis.md) topic for details. + [Manage Settings for a Native IIS Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md) topic for details. - The **Remote IIS** tab is available when one or more portal instances are deployed in remote IIS. Select an instance to view the Microsoft IIS Administration API URL and access token that Directory Manager uses to communicate with the remote IIS server, the credentials used to communicate with the API, the site that hosts the instance, the Data service and Security service associated with the instance, and logging levels. See the - [Manage Settings for a Remote IIS Deployment](remoteiis.md) topic for details. + [Manage Settings for a Remote IIS Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md) topic for details. - The **Docker** tab is available when one or more portal instances are deployed in Docker. Select an instance to view the port and Service URL used for deployment. See the - [Manage Settings for a Docker Deployment](docker.md) topic for details. + [Manage Settings for a Docker Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md) topic for details. diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/log.md b/docs/groupid/11.1/groupid/admincenter/portal/server/log.md index 35b670dbf8..ae1f70e4e0 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/log.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/log.md 
@@ -5,7 +5,7 @@ the logging level for a deployment instance of a portal to track a specific set it. To dump the log files to a desired location for easy access, see the -[Get Logs](../../general/logs.md) topic. +[Get Logs](/docs/groupid/11.1/groupid/admincenter/general/logs.md) topic. ## File Logging diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md b/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md index 83b2f9f152..bd9dbf9625 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md @@ -54,7 +54,7 @@ the portal instance. For example: When you change the name, it propagates to the instance’s IIS directory, physical directory, and launch URL. You must provide the updated URL to users to enable them to access the portal. See the -[Launch a Portal](../create.md#launch-a-portal) topic. +[Launch a Portal](/docs/groupid/11.1/groupid/admincenter/portal/create.md#launch-a-portal) topic. **To change the IIS application name:** @@ -74,7 +74,7 @@ launch URL. You must provide the updated URL to users to enable them to access t You can change the IIS site that hosts a deployment instance of a portal. In doing so, the URL of the deployment instance also changes. You must provide the updated URL to your users to enable them -to access the instance. See the [Launch a Portal](../create.md#launch-a-portal) topic. +to access the instance. See the [Launch a Portal](/docs/groupid/11.1/groupid/admincenter/portal/create.md#launch-a-portal) topic. **To change the site:** 
@@ -127,10 +127,10 @@ Use the URL for a portal's deployment instance to launch the respective instance ## Set File Logging and Windows Logging for an Instance To set file logging and Windows logging levels for a deployment instance, see the -[Manage Log Settings](log.md) topic. +[Manage Log Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md) topic. ## Delete an Instance To delete a portal’s deployment instance, see the -[Delete a Deployment Instance for a Portal](../delete.md#delete-a-deployment-instance-for-a-portal) +[Delete a Deployment Instance for a Portal](/docs/groupid/11.1/groupid/admincenter/portal/delete.md#delete-a-deployment-instance-for-a-portal) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/overview.md b/docs/groupid/11.1/groupid/admincenter/portal/server/overview.md index 1a2970365f..27044d3c10 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/overview.md 
@@ -24,11 +24,11 @@ logged out. When accessed again, the portal runs under the new configurations. **See Also** -- [Create a Portal](../create.md) -- [Manage General Server Settings](general.md) -- [Manage Settings for a Native IIS Deployment](nativeiis.md) -- [Manage Settings for a Remote IIS Deployment](remoteiis.md) -- [Manage Settings for a Docker Deployment](docker.md) -- [Manage Log Settings](log.md) -- [Add Support for a Portal](support.md) -- [Manage Advanced Settings](advanced.md) +- [Create a Portal](/docs/groupid/11.1/groupid/admincenter/portal/create.md) +- [Manage General Server Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/general.md) +- [Manage Settings for a Native IIS Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/nativeiis.md) +- [Manage Settings for a Remote IIS Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md) +- [Manage Settings for a Docker Deployment](/docs/groupid/11.1/groupid/admincenter/portal/server/docker.md) +- [Manage Log Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md) +- [Add Support for a Portal](/docs/groupid/11.1/groupid/admincenter/portal/server/support.md) +- [Manage Advanced Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md) diff --git a/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md b/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md index 2cfe76429d..a8746b996a 100644 --- a/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md +++ b/docs/groupid/11.1/groupid/admincenter/portal/server/remoteiis.md 
@@ -38,16 +38,16 @@ To view deployment settings: credentials. You can also view the name of the portal application in remote IIS, the site where it is hosted, the URL to launch the instance, and the Data service and Security service the instance uses. Refer to steps 7-12 in the - [Create a Portal in Remote IIS](../create.md#create-a-portal-in-remote-iis) topic for a + [Create a Portal in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-remote-iis) topic for a description of these fields. ## Set File Logging and Windows Logging for an Instance To set file logging and Windows logging levels for a deployment instance, see the -[Manage Log Settings](log.md) topic. +[Manage Log Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md) topic. ## Delete an Instance To delete a portal’s deployment instance, see the -[Delete a Deployment Instance for a Portal](../delete.md#delete-a-deployment-instance-for-a-portal) +[Delete a Deployment Instance for a Portal](/docs/groupid/11.1/groupid/admincenter/portal/delete.md#delete-a-deployment-instance-for-a-portal) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/replication/overview.md b/docs/groupid/11.1/groupid/admincenter/replication/overview.md index 6168450a7a..b998749014 100644 --- a/docs/groupid/11.1/groupid/admincenter/replication/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/replication/overview.md 
@@ -16,11 +16,11 @@ Elasticsearch relies on two services: - Computers - Organizational Unit -The [Replication Service](../service/replicationservice.md) only replicates changes that are made to +The [Replication Service](/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md) only replicates changes that are made to these objects on the directory server. Changes made to these objects using Admin Center, Directory Manager portal, or Management Shell, are directly saved in the Elasticsearch repository and replicated to the Directory Manager database by the Data service. See the -[Data Service](../service/dataservice/overview.md) topic. +[Data Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/overview.md) topic. Synchronize directly updates objects in the directory. As soon as objects are provisioned, de-provisioned, or updated in the directory using Synchronize, the Replication service replicates 
@@ -41,12 +41,12 @@ specific to an identity store. - At the global level, you can schedule the service to run every x minutes to replicate object attributes to Elasticsearch. You can also manually restore object data to Elasticsearch. See the - [Manage Global Replication Settings](settings.md) topic. + [Manage Global Replication Settings](/docs/groupid/11.1/groupid/admincenter/replication/settings.md) topic. - For an identity store, you can specify the object attributes the service should replicate to - Elasticsearch. See the [Manage Local Replication Settings](../identitystore/replication.md) topic. + Elasticsearch. See the [Manage Local Replication Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md) topic. NOTE: The Replication service does not replicate excluded domains for an identity store. See the -[Exclude an Active Directory Domain from Replication](../identitystore/manage.md#exclude-an-active-directory-domain-from-replication) +[Exclude an Active Directory Domain from Replication](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md#exclude-an-active-directory-domain-from-replication) topic. ## Replication Service Logs diff --git a/docs/groupid/11.1/groupid/admincenter/replication/settings.md b/docs/groupid/11.1/groupid/admincenter/replication/settings.md index 0c3f71f73f..30faafca5e 100644 --- a/docs/groupid/11.1/groupid/admincenter/replication/settings.md +++ b/docs/groupid/11.1/groupid/admincenter/replication/settings.md 
@@ -13,7 +13,7 @@ status of object types for each domain in an identity store and alerts you to an have occurred during the replication process. NOTE: The Replication service does not replicate excluded domains for an identity store. See the -[Exclude an Active Directory Domain from Replication](../identitystore/manage.md#exclude-an-active-directory-domain-from-replication) +[Exclude an Active Directory Domain from Replication](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md#exclude-an-active-directory-domain-from-replication) topic. ### How to Resolve Replication Errors @@ -45,7 +45,7 @@ What do you want to do? Directory Manager enables you to monitor the Elasticsearch service for the following: - The status of the Elasticsearch service. See the - [Elasticsearch Service](../general/dashboard.md#elasticsearch-service) card on the Admin Center + [Elasticsearch Service](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md#elasticsearch-service) card on the Admin Center dashboard. - Elasticsearch cluster health stats, which include: @@ -60,7 +60,7 @@ the cluster is intact. It also checks the health of each index. 1. In Admin Center, click **Replication** in the left pane. 2. On the **Replication** page, click **Elasticsearch Health Monitor**. - ![es_health_monitor](../../../../../../static/img/product_docs/groupid/groupid/admincenter/replication/es_health_monitor.webp) + ![es_health_monitor](/img/product_docs/groupid/groupid/admincenter/replication/es_health_monitor.webp) This dialog box lists the Elasticsearch clusters in your environment, with the following information for each cluster: 
@@ -81,7 +81,7 @@ the cluster is intact. It also checks the health of each index. 3. To refresh the information displayed, click the **Refresh** icon. 4. Click a cluster name to view it in detail. - ![cluster_info](../../../../../../static/img/product_docs/groupid/groupid/admincenter/replication/cluster_info.webp) + ![cluster_info](/img/product_docs/groupid/groupid/admincenter/replication/cluster_info.webp) This dialog box displays the total number of nodes in the cluster. Each node is represented by a card, that displays the following for the node: @@ -112,7 +112,7 @@ the cluster is intact. It also checks the health of each index. The Replication service interval applies to all identity stores defined in Admin Center. Object attributes to be replicated are specified in the respective identity store settings. See the -[Manage Local Replication Settings](../identitystore/replication.md) topic. +[Manage Local Replication Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md) topic. **To set global replication interval:** @@ -170,7 +170,7 @@ and which ones failed to replicate. yet. Similarly, a child domain that is not being used will have its status marked in red. To avoid these recurring errors, set the dates for these objects to a distant future date in the Directory Manager database. Or you can exclude a domain from replication. See the - [Exclude an Active Directory Domain from Replication](../identitystore/manage.md#exclude-an-active-directory-domain-from-replication) + [Exclude an Active Directory Domain from Replication](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md#exclude-an-active-directory-domain-from-replication) topic. ## Specify Interval for Deleting Tombstone Objects 
@@ -279,7 +279,7 @@ value as required. Replication error notifications are sent to recipients whose email addresses are specified in the _To_ and _CC_ boxes on the **Notifications** page. See the -[Specify Notification Recipients](../identitystore/configure/smtpserver.md#specify-notification-recipients) +[Specify Notification Recipients](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md#specify-notification-recipients) topic. **To set a triggering threshold:** @@ -295,6 +295,6 @@ topic. **See Also** -- [Elasticsearch and Replication ](overview.md) -- [Manage Local Replication Settings](../identitystore/replication.md) -- [Replication Service](../service/replicationservice.md) +- [Elasticsearch and Replication ](/docs/groupid/11.1/groupid/admincenter/replication/overview.md) +- [Manage Local Replication Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md) +- [Replication Service](/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md) diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md b/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md index 813dfc20d6..cf17622b5b 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md 
@@ -3,13 +3,13 @@ An Entitlement schedule is automatically created for an identity store when: - A server is added for permission analysis on the Entitlement page in an Active Directory identity - store. See the [Manage File Servers](../entitlement/ad/manage.md) for additional information on + store. See the [Manage File Servers](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md) for additional information on adding a server. Or - A SharePoint site is added for permission analysis on the Entitlement page in a Microsoft Entra ID - identity store. See the [Manage SharePoint Sites](../entitlement/entraid/manage.md) topic for + identity store. See the [Manage SharePoint Sites](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md) topic for additional information on adding a SharePoint site. By default, the schedule runs weekly to compute permissions on shared files and folders residing on 
@@ -33,12 +33,12 @@ The GroupID Entitlement schedule runs in the context of the following accounts: - For file servers, the schedule runs in the context of the service account defined for the identity store. In case you specify a different account for a file server, the schedule runs in the context of the changed account. See the - [Connect to a File Server Using a Different Account](../entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) + [Connect to a File Server Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) topic. - For a SharePoint site, the schedule runs in the context of the account you specified to connect to the SharePoint admin site. In case you specify a different account for a site, the schedule runs in the context of the changed account. See the - [Connect to a Site Using a Different Account](../entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) + [Connect to a Site Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) topic. You cannot create or delete a GroupID Entitlement schedule; only edit the existing schedule. @@ -64,7 +64,7 @@ schedule as read-only. The name format is Step 6 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: 
diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md b/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md index a7e85e337b..43703a46ee 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md @@ -3,13 +3,13 @@ An Entitlement Scope schedule is automatically created for an identity store when: - A server is added for permission analysis on the Entitlement page in an Active Directory identity - store. See the [Manage File Servers](../entitlement/ad/manage.md) for additional information on + store. See the [Manage File Servers](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md) for additional information on adding a server. Or - A SharePoint site is added for permission analysis on the Entitlement page in a Microsoft Entra ID - identity store. See the [Manage SharePoint Sites](../entitlement/entraid/manage.md) topic for + identity store. See the [Manage SharePoint Sites](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md) topic for additional information on adding a SharePoint site. Using the Directory Manager portal, users can update the permissions on files and folders residing @@ -24,7 +24,7 @@ sub-trees, till the nth level. Changes made to permissions outside of Directory the scope of this schedule. Permissions replicated by the Entitlement Scope schedule are also replicated by the -[GroupID Entitlement Schedule](entitlement.md), as the latter replicates permissions from scratch. +[GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md), as the latter replicates permissions from scratch. However, the default triggering frequency for the Directory Manager Entitlement schedule (i.e., weekly) necessitates a separate Entitlement Scope schedule. 
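Review bot: in the `@@ -24,7 +24,7 @@` hunk the same schedule is named two ways in one sentence: the link text is `GroupID Entitlement Schedule`, and the next line calls it "the Directory Manager Entitlement schedule (i.e., weekly)". Since the link line is being rewritten anyway, pick one product name for the link text and the following sentence so that readers do not take them for two different schedules.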
@@ -33,12 +33,12 @@ The Entitlement Scope schedule runs in the context of the following accounts: - For file servers, the schedule runs in the context of the service account defined for the identity store. In case you specify a different account for a file server, the schedule runs in the context of the changed account. See the - [Connect to a File Server Using a Different Account](../entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) + [Connect to a File Server Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) topic for additional information. - For a SharePoint site, the schedule runs in the context of the account you specified to connect to the SharePoint admin site. In case you specify a different account for a site, the schedule runs in the context of the changed account. See the - [Connect to a Site Using a Different Account](../entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) + [Connect to a Site Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) topic for additional information. You cannot create or delete an Entitlement Scope schedule; only edit the existing schedule. @@ -64,7 +64,7 @@ _Entitlement_``_Scope_. Step 6 – In the **Scheduler Service Name** drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: 
diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md b/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md index b9cbe648d3..e585bea0f9 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md @@ -3,13 +3,13 @@ An Entitlement Temporary Permissions schedule is automatically created for an identity store when: - A server is added for permission analysis on the Entitlement page in an Active Directory identity - store. See the [Manage File Servers](../entitlement/ad/manage.md) for additional information on + store. See the [Manage File Servers](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md) for additional information on adding a server. Or - A SharePoint site is added for permission analysis on the **Entitlement** page in a Microsoft - Entra ID identity store. See the [Manage SharePoint Sites](../entitlement/entraid/manage.md) topic + Entra ID identity store. See the [Manage SharePoint Sites](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md) topic for additional information on adding a SharePoint site. The Entitlement Temporary Permissions schedule updates the temporary permissions granted to objects 
@@ -35,12 +35,12 @@ The Entitlement Temporary Permissions schedule runs in the context of the follow - For file servers, the schedule runs in the context of the service account defined for the identity store. In case you specify a different account for a file server, the schedule runs in the context of the changed account. See the - [Connect to a File Server Using a Different Account](../entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) + [Connect to a File Server Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/ad/manage.md#connect-to-a-file-server-using-a-different-account) topic. - For a SharePoint site, the schedule runs in the context of the account you specified to connect to the SharePoint admin site. In case you specify a different account for a site, the schedule runs in the context of the changed account. See the - [Connect to a Site Using a Different Account](../entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) + [Connect to a Site Using a Different Account](/docs/groupid/11.1/groupid/admincenter/entitlement/entraid/manage.md#connect-to-a-site-using-a-different-account) topic. You cannot create or delete an Entitlement Temporary Permissions schedule; only edit the existing @@ -67,7 +67,7 @@ _Entitlement_``_ TemporaryPe Step 6 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: 
diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md b/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md index b7a19a8006..05a4c11e80 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md @@ -1,7 +1,7 @@ # Group Life Cycle Schedule Directory Manager enables you to define group lifecycle settings for an identity store. See the -[Manage Group Lifecycle Settings](../identitystore/configure/directoryservice/grouplifecycle.md) +[Manage Group Lifecycle Settings](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md) topic for additional information. Based on these settings, the Group Lifecycle schedule expires and logically deletes groups in the identity store on a scheduled basis, keeping your directory clean and preventing group glut. @@ -12,7 +12,7 @@ containers the job will process, and notification options. The Group Lifecycle schedule performs the following main functions: - Expires and logically delete groups according to their respective expiry policies. See the - [ Group Expiry and Deletion](../identitystore/configure/directoryservice/groupexpirydeletion.md) + [ Group Expiry and Deletion](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md) topic for additional information. - Sends email notifications to relevant personnel before expiring a group. Also initiates notifications for group attestation. 
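Review bot: the added line in the `@@ -12,7 +12,7 @@` hunk keeps a leading space inside the link text, `[ Group Expiry and Deletion](...)`. Drop the space while the line is being changed, so it reads `[Group Expiry and Deletion](...)`. The bullet above it also reads "Expires and logically delete groups", which should be "deletes".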
@@ -43,7 +43,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: @@ -67,7 +67,7 @@ Target(s) area in keeping with the Group Lifecycle settings for the identity sto NOTE: In Group Lifecycle settings, the administrator can specify container(s) for exclusively applying or not applying the Group Life cycle policy. See the -[Apply Policy on Specific Containers](../identitystore/configure/directoryservice/grouplifecycle.md#apply-policy-on-specific-containers) +[Apply Policy on Specific Containers](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#apply-policy-on-specific-containers) topic. With containers specified in the Target(s) area, there may be a conflict or overlapping of containers, in which case, the Group Lifecycle settings take precedence. 
@@ -87,7 +87,7 @@ Step 12 – To set notifications for the schedule, click **Notifications**. to send email notifications to a group’s primary and additional owners when the job extends the life of a group, based on group usage settings in the Group Lifecycle policy. For group usage settings, see the - [Enable Group Usage Lifecycle](../identitystore/configure/directoryservice/grouplifecycle.md#enable-group-usage-lifecycle) + [Enable Group Usage Lifecycle](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#enable-group-usage-lifecycle) topic for additional information. 2. Click **Save**. diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md b/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md index 22fae7344f..0a275a983b 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md @@ -7,9 +7,9 @@ An expansion event occurs when an Exchange Server expands a distribution list fo The event is recorded in the Exchange Server's message tracking log, which the Group Usage Service schedule reads, parsing for the timestamp that indicates when the distribution list was last used. -The timestamp is then used by the [Group Life Cycle Schedule](grouplifecycle.md) to extend or reduce +The timestamp is then used by the [Group Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md) to extend or reduce the life of mail-enabled distribution groups based on their usage. See the -[Enable Group Usage Lifecycle](../identitystore/configure/directoryservice/grouplifecycle.md#enable-group-usage-lifecycle) +[Enable Group Usage Lifecycle](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#enable-group-usage-lifecycle) topic. While creating a Group Usage Service schedule, you have to specify a job triggering criterion, the 
@@ -39,7 +39,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: @@ -85,7 +85,7 @@ these servers. 3. Click **Add**. The messaging server(s) are displayed in the Messaging Server area. Step 11 – Click **Add Triggers** in the Triggers area to specify a triggering criterion for the -schedule, that, when met, starts the execution of the schedule. See the [Triggers](triggers.md) +schedule, that, when met, starts the execution of the schedule. See the [Triggers](/docs/groupid/11.1/groupid/admincenter/schedule/triggers.md) topic for information on the triggering criterion setting. Step 12 – After specifying the settings for triggers, click **Add**. The trigger is displayed in the @@ -109,7 +109,7 @@ in the identity store (for example, Administrator). NOTE: If you are creating this schedule in a Microsoft Entra ID identity store, you can only specify the logged-in user's account. See the [Schedules for Microsoft Entra ID Identity Store](overview.md#schedules-for-microsoft-entra-id-identity-store) -section of the [Schedules](overview.md) topic for additional information. +section of the [Schedules](/docs/groupid/11.1/groupid/admincenter/schedule/overview.md) topic for additional information. Step 14 – On the Create Schedule page, click **Create Schedule**. 
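Review bot: the NOTE in the `@@ -109,7 +109,7 @@` hunk is only half converted. `[Schedules](overview.md)` becomes an absolute path, but the link on the line directly above it, `[Schedules for Microsoft Entra ID Identity Store](overview.md#schedules-for-microsoft-entra-id-identity-store)`, is left relative and appears only as context. Convert it as well so both links in the sentence resolve the same way, and check the rest of the change for other links the rewrite skipped.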
diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md b/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md index 1a450ef911..6f4b729dd7 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md @@ -2,7 +2,7 @@ While configuring history tracking for an identity store, you can choose to keep history records forever in the Directory Manager database or retain history for a specific period. See the -[Configure History Tracking](../identitystore/configure/directoryservice/historytracking.md) topic +[Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic for additional information. In case you select the latter option, the History Retention schedule is auto created for the identity store. This schedule runs on a specified frequency to check if the retention period is over for any history records, and if so, move them from the Directory Manager 
@@ -12,13 +12,13 @@ database to the following .csv files: Management Shell, and scheduled jobs. It also contains history data for the identity store, security roles, and workflow configurations. - AuditingHistory – Contains history data of all authentication actions performed in Directory - Manager, as logged in Helpdek history. See the [History in Helpdesk](../helpdesk/history.md) topic + Manager, as logged in Helpdek history. See the [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic for additional information. - PasswordCenterHistory – Contains history data of all actions tracked in Helpdesk, except the - authentication action. See the [History in Helpdesk](../helpdesk/history.md) topic for additional + authentication action. See the [History in Helpdesk](/docs/groupid/11.1/groupid/admincenter/helpdesk/history.md) topic for additional information. - AdminCenterHistory – Contains Admin Center history data. See the - [Admin Center History](../general/history.md) topic for additional information. + [Admin Center History](/docs/groupid/11.1/groupid/admincenter/general/history.md) topic for additional information. These files are available at the following location on the Directory Manager server: @@ -36,7 +36,7 @@ identity store that user belongs to. After the History Retention schedule runs, the following information is displayed on the **History** page in identity store configurations: -![History Retension Information ](../../../../../../static/img/product_docs/groupid/groupid/admincenter/schedule/historyretention.webp) +![History Retension Information ](/img/product_docs/groupid/groupid/admincenter/schedule/historyretention.webp) You cannot create or delete a History Retention schedule; only update the existing one. 
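Review bot: the image line changed in the `@@ -36,7 +36,7 @@` hunk carries a misspelled alt text with a trailing space, `![History Retension Information ](...)`. It should read `History Retention Information`. The AuditingHistory bullet rewritten in the preceding hunk of this file has a similar typo, "Helpdek history". Both lines are already modified here, so fix the spelling in the same change.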
@@ -62,7 +62,7 @@ displayed with this name in email notifications. Step 7 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/manage.md b/docs/groupid/11.1/groupid/admincenter/schedule/manage.md index d6846b6b98..06f6f274e9 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/manage.md @@ -112,7 +112,7 @@ Step 6 – On the Edit Schedule page, the Triggers area displays the trigger(s) - To add a new trigger, click **Add Trigger**. - To remove a trigger, click **Remove** for it. -Follow step 11 in the [Group Usage Service Schedule](groupusageservice.md) topic to manage triggers. +Follow step 11 in the [Group Usage Service Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md) topic to manage triggers. Step 7 – Click **Update Schedule**. diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md b/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md index 2360f58d61..943b5f970b 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md 
@@ -29,7 +29,7 @@ frequency that meets your temporary ownership requirements. Directory Manager generates notifications when the Managed By Life Cycle schedule adds or removes temporary additional owners/managers. See the -[Manage Managed by Life Cycle Notifications](../identitystore/configure/smtpserver.md#manage-managed-by-life-cycle-notifications) +[Manage Managed by Life Cycle Notifications](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md#manage-managed-by-life-cycle-notifications) topic for additional information. ## Create a Managed By Life Cycle Schedule @@ -58,7 +58,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Step 9 – You can specify containers as targets for the schedule. The schedule will process all diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md b/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md index ed08746de1..8feeb28d59 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md 
@@ -17,11 +17,11 @@ It performs the following functions: specified dates. - The Membership Life Cycle schedule executes the Membership Life Cycle policy for the identity store. See the - [Manage Membership Life Cycle Policies](../identitystore/configure/directoryservice/membershiplifecycle.md) + [Manage Membership Life Cycle Policies](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/membershiplifecycle.md) topic. - The schedule also removes members when group owners inactivate them during group attestation. See the - [Enable Group Attestation](../identitystore/configure/directoryservice/grouplifecycle.md#enable-group-attestation) + [Enable Group Attestation](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#enable-group-attestation) topic. Let’s assume that the Membership Life Cycle schedule is scheduled to run once a week, say Mondays. @@ -32,7 +32,7 @@ your temporary membership requirements. Directory Manager generates notifications when the Membership Life Cycle schedule adds or removes users from group membership. See the -[Manage Membership Life Cycle Notifications](../identitystore/configure/smtpserver.md#manage-membership-life-cycle-notifications) +[Manage Membership Life Cycle Notifications](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md#manage-membership-life-cycle-notifications) topic. ## Create a Membership Life Cycle Schedule 
@@ -61,7 +61,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/orphangroupupdate.md b/docs/groupid/11.1/groupid/admincenter/schedule/orphangroupupdate.md index b7bccebac4..7ba23045b6 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/orphangroupupdate.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/orphangroupupdate.md @@ -22,11 +22,11 @@ sent to the promoted owner. Note the following: The promotion of an additional owner to primary owner may violate the Group Owners policy for the minimum number of additional owners required. A notification is sent to the promoted owner to add an additional owner to comply with the policy. See the -[Group Owners Policy](../securityrole/policy/groupowners.md) topic. +[Group Owners Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md) topic. With history tracking enabled, history is logged at the group level and at the promoted owner’s level. See the -[Configure History Tracking](../identitystore/configure/directoryservice/historytracking.md) topic. +[Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic. ## Create an Orphan Group Update Schedule 
@@ -54,7 +54,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/overview.md b/docs/groupid/11.1/groupid/admincenter/schedule/overview.md index 870504ee5d..feaa663057 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/overview.md 
@@ -8,39 +8,39 @@ frequency. You can define the following schedules for an identity store: -- A [Group Usage Service Schedule](groupusageservice.md) monitors group usage and time stamps groups +- A [Group Usage Service Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md) monitors group usage and time stamps groups with the date and time they were last used. -- A [Group Life Cycle Schedule](grouplifecycle.md) expires and deletes groups according to their +- A [Group Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/grouplifecycle.md) expires and deletes groups according to their expiry policy. It executes the Group Lifecycle policy for the identity store. -- A [History Retention Schedule](historyretention.md) archives identity store history data in +- A [History Retention Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md) archives identity store history data in Directory Manager. -- A [GroupID Entitlement Schedule](entitlement.md) replicates object permissions on file servers and +- A [GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md) replicates object permissions on file servers and SharePoint sites for an Active Directory and Microsoft Entra ID identity store respectively. -- An [Entitlement Scope Schedule](entitlementscope.md) replicates changes made to object permissions +- An [Entitlement Scope Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md) replicates changes made to object permissions on file servers and SharePoint sites using Directory Manager. -- An [Entitlement Temporary Permissions Schedule](entitlementtemporarypermissions.md) updates the +- An [Entitlement Temporary Permissions Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md) updates the temporary permissions for objects on file servers and SharePoint sites. 
-- A [Managed By Life Cycle Schedule](managedbylifecycle.md) manages the temporary additional owners +- A [Managed By Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/managedbylifecycle.md) manages the temporary additional owners for groups and temporary additional managers for users. -- A [Membership Life Cycle Schedule](membershiplifecycle.md) updates the temporary membership of +- A [Membership Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/membershiplifecycle.md) updates the temporary membership of groups. -- An [Orphan Group Update Schedule](orphangroupupdate.md) sets the primary owner for an orphan +- An [Orphan Group Update Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/orphangroupupdate.md) sets the primary owner for an orphan group. -- A [Reports Schedule](reports.md)can automatically generate reports that you link with the +- A [Reports Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/reports.md)can automatically generate reports that you link with the schedule. -- A [Schema Replication Schedule](schemareplication.md) replicates the schema of an identity +- A [Schema Replication Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md) replicates the schema of an identity provider to the Directory Manager database. -- A [Smart Group Update Schedule](smartgroupupdate.md)updates Smart Groups and Dynasties. -- A [Synchronize Schedule](synchronize.md) can execute Synchronize jobs and job groups at a set +- A [Smart Group Update Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md)updates Smart Groups and Dynasties. +- A [Synchronize Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md) can execute Synchronize jobs and job groups at a set frequency. 
-- A [User Life Cycle Schedule](userlifecycle.md) disables users who do not validate their profiles +- A [User Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md) disables users who do not validate their profiles within a given period, based on the settings defined for user profile validation. -- A [Workflow Acceleration Schedule](workflowacceleration.md) forwards workflow requests to +- A [Workflow Acceleration Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md) forwards workflow requests to approvers and auto approves requests according to workflow approver acceleration rules. NOTE: Role members with the _Manage Scheduling_ permission in an identity store can create and manage scheduled jobs. See the -[Modify Role Permissions](../securityrole/manage.md#modify-role-permissions) topic for additional +[Modify Role Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md#modify-role-permissions) topic for additional information. Schedules are saved in the Directory Manager database. The GroupIDSchedulerService, created in the 
@@ -51,19 +51,19 @@ GroupIDSite11 site in native IIS is responsible for initiating schedule runs. The following schedules are automatically created when their associated configurations are done in an identity store. -- Entitlement ([GroupID Entitlement Schedule](entitlement.md), - [Entitlement Scope Schedule](entitlementscope.md), - [Entitlement Temporary Permissions Schedule](entitlementtemporarypermissions.md)) -- [User Life Cycle Schedule](userlifecycle.md) -- [History Retention Schedule](historyretention.md) -- [Workflow Acceleration Schedule](workflowacceleration.md) +- Entitlement ([GroupID Entitlement Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlement.md), + [Entitlement Scope Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementscope.md), + [Entitlement Temporary Permissions Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/entitlementtemporarypermissions.md)) +- [User Life Cycle Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md) +- [History Retention Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/historyretention.md) +- [Workflow Acceleration Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md) In a Microsoft Entra ID identity provider, the Entra ID user must be logged into the Admin Center while making configurations of these schedules. The schedules are then run in the context of the logged in user. The following dialog box displays the username of the logged-in user when you configure a schedule: -![entraidscheduleauthenticate](../../../../../../static/img/product_docs/groupid/groupid/admincenter/schedule/entraidscheduleauthenticate.webp) +![entraidscheduleauthenticate](/img/product_docs/groupid/groupid/admincenter/schedule/entraidscheduleauthenticate.webp) Use the Login with a different user option to provide the credentials of another account to run the schedule in the identity store is not available for a Microsoft Entra ID identity store. 
diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/reports.md b/docs/groupid/11.1/groupid/admincenter/schedule/reports.md index 5b37532866..211bc2e1e3 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/reports.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/reports.md @@ -28,7 +28,7 @@ schedule is displayed with this name in email notifications. Step 7 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md b/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md index 5804da3bfb..678722cd89 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/schemareplication.md 
@@ -15,7 +15,7 @@ manually or according to its triggers. When the Schema Replication schedule runs for the first time, it replicates schema from scratch. In all subsequent runs, it replicates any changes made to the schema. Of this replicated schema, you can choose the object attributes you actually want to use in an identity store. See the -[Specify Object Attributes to Replicate](../identitystore/replication.md#specify-object-attributes-to-replicate) +[Specify Object Attributes to Replicate](/docs/groupid/11.1/groupid/admincenter/identitystore/replication.md#specify-object-attributes-to-replicate) topic for details. NOTE: For Microsoft Entra ID, schema is replicated from the schema file for Graph API v 3.26.0. @@ -42,7 +42,7 @@ schedule as read-only. Step 6 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md b/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md index ac426921ab..037be1bae5 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md 
@@ -41,7 +41,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md b/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md index 17a1de746a..3eac7e24e5 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md @@ -26,7 +26,7 @@ schedule is displayed with this name in email notifications. Step 7 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md b/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md index 57d5ff1fc3..2308818076 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/userlifecycle.md 
@@ -34,7 +34,7 @@ necessary action. Step 8 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md b/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md index 47e9b7a3da..c4a805a75a 100644 --- a/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md +++ b/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md @@ -2,7 +2,7 @@ A Workflow Acceleration schedule facilitates the workflow approver acceleration process for workflow requests. This schedule is auto created when approver acceleration is enabled for the identity -store. See the [Workflow Approver Acceleration](../workflow/approveracceleration.md) topic for +store. See the [Workflow Approver Acceleration](/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md) topic for additional information. By default, the schedule runs daily to accelerate workflow requests to approvers, according to 
@@ -32,7 +32,7 @@ notifications Step 6 – In the Scheduler Service Name drop-down list, select a Scheduler service that would be responsible for triggering this schedule. The number of services displayed in the list depend on the number of nodes in all Elasticsearch clusters in the environment, as each node has its own Scheduler -service. See the [Scheduler Service](../service/schedulerservice.md) topic for additional +service. See the [Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md) topic for additional information. Please note the following while selecting a Scheduler service: diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/checkrole.md b/docs/groupid/11.1/groupid/admincenter/securityrole/checkrole.md index a31fa76ee3..b03e0a9f29 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/checkrole.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/checkrole.md @@ -5,7 +5,7 @@ As discussed in the topic, a user in an identity store can have different security roles assigned to it in different Directory Manager clients. Moreover, a user can also have multiple roles in a client, in which case the highest priority role takes precedence when the user logs into that specific client. See -[Priority](manage.md). +[Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). Directory Manager enables you to view the highest priority role of a user in a client. This role identifies the access level of that user in the client. Select a client and specify a user. @@ -47,5 +47,5 @@ Directory Manager fetches the highest priority role of the user with respect to See Also -- [Security Roles](overview.md) -- [Manage Security Roles](manage.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Manage Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/create.md b/docs/groupid/11.1/groupid/admincenter/securityrole/create.md index 4dd53c6539..f65dbffa9a 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/create.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/create.md @@ -2,8 +2,8 @@ To create a security role for an identity store, you have to specify the following: -- Criteria - See [Criteria ](manage.md). -- Priority - See [Priority](manage.md). +- Criteria - See [Criteria ](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). +- Priority - See [Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). - Permissions - Permissions refer to the different actions that role members can perform using Directory Manager, for example, creating directory objects, managing groups, managing scheduled jobs, managing user profiles, and more. @@ -11,7 +11,7 @@ To create a security role for an identity store, you have to specify the followi limits role members to search for objects in a particular container. You can create a role from scratch or by copying an existing role. See the -[Security Roles](overview.md) topic for additional information on security roles. +[Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) topic for additional information on security roles. NOTE: You can disable a role to prevent its members from accessing Directory Manager. To prevent an individual role member from accessing Directory Manager, you must remove him or her from the group 
@@ -44,17 +44,17 @@ Step 7 – In the **Priority** box, type or select a value in the range, 1-99, t priority. This should be a unique value for each role in an identity store. Step 8 – In the **Criteria** area, specify a criterion to determine role members. For details, see -the [Security Role – Criteria](criteria.md) topic. +the [Security Role – Criteria](/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md) topic. Step 9 – Next, assign group management, user management, and other permissions to the security role. -For details, see the [Security Role – Permissions](permissions.md) topic. +For details, see the [Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. Step 10 – Select the **HelpDesk Role** checkbox if you want to restrict role members to the Helpdesk node of Admin Center. Step 11 – Click **Create Security Role**. -Step 12 – Click **Save** on the **Security Roles** page. See the [Manage Security Roles](manage.md) +Step 12 – Click **Save** on the **Security Roles** page. See the [Manage Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md) topic. ## Create a Role by Copying an Existing Role @@ -80,4 +80,4 @@ click **Update Security Role**. Step 6 – On the Security Roles page, click **Save**. Step 7 – To update the policies for the new role, see the -[Security Role Policies](policy/overview.md) topic. +[Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md b/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md index 45f1167548..2d4ff0a386 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md 
@@ -86,6 +86,6 @@ you may want role members to access Portal A only. See Also -- [Security Roles](overview.md) -- [Create a Security Role](create.md) -- [Manage Security Roles](manage.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Create a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/create.md) +- [Manage Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md b/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md index d6a7ed7ab3..f6f734e3aa 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md @@ -94,7 +94,7 @@ By changing role criteria , you can specify a different set of users as members 4. On the **Security Roles** page, click **Edit** for a security role. 5. On the **Edit Security Role** page, the **Criteria** area displays the role criteria. Click **Add Criteria** to change it. On the **Add Criteria** dialog box, update the criteria. See the - [Security Role – Criteria](criteria.md) topic for details. + [Security Role – Criteria](/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md) topic for details. 6. Click **Update Security Role**. 7. On the **Security Roles** page, click **Save**. 
@@ -113,14 +113,14 @@ You can update the permissions assigned to a role. area to change role permissions. 6. On the **Add Permissions** dialog box, select **Allow** for a permission to assign it to the role. Select **Deny** for a permission to deny it to the role. To learn about the available - permissions, see the [Security Role – Permissions](permissions.md) topic. + permissions, see the [Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. 7. After assigning the required permissions, click **OK**. 8. Click **Update Security Role**. 9. On the **Security Roles** page, click **Save**. ## Define Policies for a Role -To define policies for a security role, see the [Security Role Policies](policy/overview.md) topic. +To define policies for a security role, see the [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) topic. ## Delete a Role @@ -138,5 +138,5 @@ When you delete a security role, role members will not be able to access Directo See Also -- [Security Roles](overview.md) -- [Create a Security Role](create.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Create a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/create.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md b/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md index db8108c422..91ba5aa97a 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md 
@@ -16,7 +16,7 @@ store in Directory Manager has the following built-in roles that you can assign These roles are highly customizable. You can modify their display name, priority level, permissions, policies, and more. If the built-in roles do not meet your specific needs, you can create custom -security roles. See the [Manage Security Roles](manage.md) and [Create a Security Role](create.md) +security roles. See the [Manage Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md) and [Create a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/create.md) topics for additional information. **View security role info** @@ -28,14 +28,14 @@ To view information about a security role, see the Settings defined for an identity store apply to all users while role-based permissions and policies only apply to members of a role. See the -[Configure an Identity Store](../identitystore/configure.md)topic for additional information. +[Configure an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure.md)topic for additional information. ## Assign Distinct Roles to a User in Directory Manager Clients You can assign different roles to a user in different Directory Manager clients. For example, a user can have the administrator role in Directory Manager Management Shell and the role of a standard user in a Directory Manager portal. This flexibility is built into security roles using client-based -criteria. See the [Security Role – Criteria](criteria.md) topic. +criteria. See the [Security Role – Criteria](/docs/groupid/11.1/groupid/admincenter/securityrole/criteria.md) topic. Directory Manager clients include: 
@@ -55,7 +55,7 @@ As a result, User A has two different roles in two Directory Manager clients. Not only that, a user can also have multiple roles in a Directory Manager client, in which case role priority is used to determine the access level of the user on the specific client. See -[Priority](manage.md). +[Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md). To view the highest priority role of a user with respect to a Directory Manager client, see the -[Check the Roles of a User](checkrole.md) topic. +[Check the Roles of a User](/docs/groupid/11.1/groupid/admincenter/securityrole/checkrole.md) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md b/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md index 51902fa288..07a2a60a98 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md @@ -190,5 +190,5 @@ Permissions are discussed in the following table: | 5. | Remove user / group | Enables role members to remove users and groups from the permission list of document libraries in the site. Removed users and groups will not be able to access the respective document library in the site. | NOTE: For more information on role permissions, see the -[User Roles in Microsoft Entra ID and Directory Manager ](../identitystore/advsentraid.md#user-roles-in-microsoft-entra-id-and-directory-manager) +[User Roles in Microsoft Entra ID and Directory Manager ](/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md#user-roles-in-microsoft-entra-id-and-directory-manager) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md index a1e7f9d106..ab42b619dc 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md 
+++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md @@ -9,7 +9,7 @@ Having enabled and configured authentication types for an identity store, you ca - Enable second factor authentication (SFA) for a security role in an identity store. NOTE: For MFA and SFA to work for an identity store, make sure you enable enrollment for it. See the -[Enable Enrollment](../../identitystore/configure/authtypes.md#enable-enrollment) topic. +[Enable Enrollment](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md#enable-enrollment) topic. What do you want to do? @@ -81,5 +81,5 @@ Manager portal. **See Also** -- [Authentication Policy](../../identitystore/configure/authpolicy.md) -- [Security Role Policies](overview.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md index 6f87c2bfac..e951d2cdc2 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md @@ -81,5 +81,5 @@ additional owners cannot be added. **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md index a2ee985289..5c157c30b9 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md 
@@ -17,8 +17,8 @@ them to perform their job: If these permissions are denied, the Helpdesk policy would have no impact, as role members would not be authorized to perform the respective operations. See -[Password Management](../permissions.md#password-management) in the -[Security Role – Permissions](../permissions.md) topic. +[Password Management](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md#password-management) in the +[Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. The Helpdesk policy defines: @@ -152,7 +152,7 @@ authenticate end-users before unlocking their identity store accounts or resetti RECOMMENDED: As a prerequisite to applying this setting, make sure that the Security Questions authentication type is enabled and configured for the identity store, as well as enforced as an account enrollment method for security roles. See the -[Set up Authentication via Security Questions](../../setupauth/securityquestions.md) topic. +[Set up Authentication via Security Questions](/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md) topic. Follow the steps to enforce security questions for authentication. 
@@ -283,10 +283,10 @@ Step 10 – On the Security Roles page, click **Save**. NOTE: (1) An SMS gateway account must be linked with the identity store for an SMS to be sent on the end-users’ mobile phones. See the -[Link an SMS Gateway Account to an Identity Store](../../identitystore/configure/security/smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) +[Link an SMS Gateway Account to an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) topic. (2) An SMTP server must be configured for the identity store for email to be sent to end-users. See -the [Configure an SMTP Server](../../identitystore/configure/smtpserver.md) topic. +the [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. ### Force Users to Change Password on Next Logon diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/membershipobjecttypeenforcement.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/membershipobjecttypeenforcement.md index 62b4959374..87e961f31c 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/membershipobjecttypeenforcement.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/membershipobjecttypeenforcement.md 
@@ -28,7 +28,7 @@ Limitations domain controllers and computers). Therefore, even if the policy allows these objects to be added to group membership, they will not show up in search results when users search for objects for adding to group membership. -- The Membership Object Type Enforcement policy may conflict with the [Search Policy](search.md) you +- The Membership Object Type Enforcement policy may conflict with the [Search Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md) you define for the same user role in an identity store. An example of a conflict is: the Search policy prevents a security role from searching for user objects in the portal while the Membership Object Type Enforcement policy allows that same role to add only user objects to group membership. To @@ -37,7 +37,7 @@ Limitations specify on the Properties page under the Design node for a portal. For example, for the Members tab in group properties, you can allow/disallow object types that can be searched for adding to group membership (see step 17 in the - [Add a Field to a Tab](../../portal/design/objectproperties.md#add-a-field-to-a-tab)topic). If the + [Add a Field to a Tab](/docs/groupid/11.1/groupid/admincenter/portal/design/objectproperties.md#add-a-field-to-a-tab)topic). If the design settings prevent users from searching for user objects to set as members while the Membership Object Type Enforcement policy allows role members to add only user objects to group membership, a conflict may arise. To avoid these, make sure the settings in the policy and the 
@@ -91,10 +91,10 @@ What do you want to do? groups, or to groups that reside in the specified container(s) and their sub-containers. 1. To specific containers as target, follow step 9 in the - [Create a Group Usage Service Schedule](../../schedule/groupusageservice.md#create-a-group-usage-service-schedule) + [Create a Group Usage Service Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/groupusageservice.md#create-a-group-usage-service-schedule) topic. 2. To add groups as target, follow step 9b in the - [Create a Smart Group Update Schedule](../../schedule/smartgroupupdate.md#create-a-smart-group-update-schedule) + [Create a Smart Group Update Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/smartgroupupdate.md#create-a-smart-group-update-schedule) topic, replacing Smart Groups and Dynasties with static groups. 3. To remove a container or group in the **Target(s)** area, click **Remove** for it. To remove all target objects, click **Remove All**. diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md index b244481be9..a2a863c11c 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md @@ -108,5 +108,5 @@ the directory. **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md index 8c1cc365f5..5db72ac150 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md 
@@ -5,24 +5,24 @@ what role members can do in Directory Manager. You can define the following policies for a role: -- [Group Owners Policy](groupowners.md) -- [Group Name Prefixes](../../identitystore/configure/directoryservice/prefixes.md) -- [New Object Policy](newobject.md) -- [Search Policy](search.md) -- [Authentication Policy for Security Roles](authentication.md) -- [Directory Manage Password Policy ](password.md) -- [Netwrix Password Policy Enforcer Policies](../../identitystore/configure/directoryservice/ppe/overview.md) -- [Helpdesk Policy](helpdesk.md) -- [Synchronize Policy](synchronize.md) -- [Membership Object Type Enforcement Policy](membershipobjecttypeenforcement.md) +- [Group Owners Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/groupowners.md) +- [Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md) +- [New Object Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md) +- [Search Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md) +- [Authentication Policy for Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md) +- [Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) +- [Netwrix Password Policy Enforcer Policies](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/ppe/overview.md) +- [Helpdesk Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md) +- [Synchronize Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/synchronize.md) +- [Membership Object Type Enforcement Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/membershipobjecttypeenforcement.md) NOTE: For users with multiple roles, the policies specified for the highest priority role apply (see -[Priority](../manage.md)). 
The _[Search Policy](search.md)_, _[New Object Policy](newobject.md)_, -and _[Group Name Prefixes](../../identitystore/configure/directoryservice/prefixes.md)_ policy, +[Priority](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md)). The _[Search Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md)_, _[New Object Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/newobject.md)_, +and _[Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md)_ policy, however, apply with respect to all assigned roles. For example, if different search containers are specified for two different roles of a user, that user can search and view objects in both containers. See the following topics for additional information on security roles: -- [Security Roles](../overview.md) -- [Create a Security Role](../create.md) -- [Manage Security Roles](../manage.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Create a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/create.md) +- [Manage Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/manage.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md index 5b72063da8..2d701708a4 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md @@ -21,7 +21,7 @@ What do you want to do? ## Set Password Restrictions and Rules for an Identity Store -See the [Configure Password Options](../../identitystore/configure/security/passwordoptions.md) +See the [Configure Password Options](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/passwordoptions.md) topic. ## Define Security Question Settings for a Security Role 
@@ -134,5 +134,5 @@ properties in the Directory Manager portal. **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md index 355e5966fc..bf8701db65 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md @@ -2,7 +2,7 @@ You can define a role-based access policy for the Query Designer. Using the Query Designer, users can create queries for various purposes, as discussed in the -[ Specify Smart Group Query Attributes](../../portal/design/queryattributes.md) topic. +[ Specify Smart Group Query Attributes](/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md) topic. The Query Designer policy enables you to restrict the following Query Designer features for a security role: @@ -20,7 +20,7 @@ security role: members for building queries for Smart Groups and Dynasties. For each attribute, you can also specify the operators that role members can apply to it. -![querydesigner](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/securityrole/policy/querydesigner.webp) +![querydesigner](/img/product_docs/groupid/groupid/admincenter/securityrole/policy/querydesigner.webp) You can also specify a default filter criterion, involving an attribute, an operator, and a value, that will be displayed to users on the Filter Criteria tab of the Query Designer. Role members can 
@@ -134,7 +134,7 @@ By default, several object types are available to users on the Query Designer fo queries. Users select an object type from the **Find** drop-down list and then select its sub-types on the _General_ tab of the Query Designer. The query returns the specified object types to include in group membership. The object types and their sub-types are discussed in the -[Query Designer - General tab](../../../portal/group/querydesigner/general.md) topic. +[Query Designer - General tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/general.md) topic. You can limit the object types available to role members for use in queries. You can also enforce the object types so that role members cannot exclude an allowed object type from queries. @@ -246,7 +246,7 @@ the query (see the **Filter Criteria** tab of the Query Designer). You can: NOTE: This schema attribute setting will override the schema attribute setting specified on the Smart Group Attribute page in portal's design settings. See the - [ Specify Smart Group Query Attributes](../../portal/design/queryattributes.md) topic. + [ Specify Smart Group Query Attributes](/docs/groupid/11.1/groupid/admincenter/portal/design/queryattributes.md) topic. 9. Click **Save Selection** on the **Allowed Attributes** dialog box. The **Attributes** area displays the allowed attributes count. @@ -295,7 +295,7 @@ attributes and operators are available to create a default filter criteria. can change it as required. 8. You can also create an advanced query by adding more rows and applying the **AND** or **OR** - operator to group them. See steps 1-2 in the[Advanced Filter](search.md) section of the + operator to group them. See steps 1-2 in the[Advanced Filter](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md) section of the [Designate a Criterion for the Search Scope](search.md#designate-a-criterion-for-the-search-scope) topic. After creating a query, you can: 
@@ -311,5 +311,5 @@ attributes and operators are available to create a default filter criteria. **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md index 9a7d1be261..9185d0dad2 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/search.md @@ -60,7 +60,7 @@ What do you want to do? NOTE: An advanced setting for the Directory Manager portal, _Search Default_, controls the search scope of the portal. If its value is "Global Catalog", the container specified here is ignored and the portal shows objects from the entire directory. See the -[Manage Advanced Settings](../../portal/server/advanced.md) topic. +[Manage Advanced Settings](/docs/groupid/11.1/groupid/admincenter/portal/server/advanced.md) topic. ## Set the Search Scope to all Containers in the Identity Store @@ -119,7 +119,7 @@ them. - **AND:** to display the objects having the specified values for all attributes. - **OR:** to display objects having the specified value for any one of the attributes. - ![search_query](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/securityrole/policy/search_query.webp) + ![search_query](/img/product_docs/groupid/groupid/admincenter/securityrole/policy/search_query.webp) 2. Click the ellipsis button for an applied operator to display the context menu, which has the following options: 
@@ -143,5 +143,5 @@ them. **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/synchronize.md b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/synchronize.md index c0f1121d00..f7041161d5 100644 --- a/docs/groupid/11.1/groupid/admincenter/securityrole/policy/synchronize.md +++ b/docs/groupid/11.1/groupid/admincenter/securityrole/policy/synchronize.md @@ -233,5 +233,5 @@ attributes: **See Also** -- [Security Roles](../overview.md) -- [Security Role Policies](overview.md) +- [Security Roles](/docs/groupid/11.1/groupid/admincenter/securityrole/overview.md) +- [Security Role Policies](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/service/dataservice/create.md b/docs/groupid/11.1/groupid/admincenter/service/dataservice/create.md index e8930580ed..bd03a4de56 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/dataservice/create.md +++ b/docs/groupid/11.1/groupid/admincenter/service/dataservice/create.md @@ -35,7 +35,7 @@ The service is displayed with this name in Directory Manager. Step 6 – In the Deployment Name box, enter a deployment name for the service. The application name and deployment name are displayed on the service card. It is as: -![Data Service Card](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/service/dataservice/dataservicecard.webp) +![Data Service Card](/img/product_docs/groupid/groupid/admincenter/service/dataservice/dataservicecard.webp) Step 7 – In the IIS Application Name box, enter an IIS deployment name for the service. The name should be unique for each Data service deployed in IIS. 
@@ -85,7 +85,7 @@ The Data service runs within a virtual directory in remote IIS while the service physically located on disk. To learn about the remote IIS settings and configurations before deploying a service there, see the -[Prerequisites for Deployments in Remote IIS](../../portal/remoteiisprerequisites.md) topic. +[Prerequisites for Deployments in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md) topic. Follow the steps to create a Data service. @@ -105,7 +105,7 @@ and deployment name are displayed on the service card. Step 7 – To enter information for API URL, Access Token, Username, Password, IIS Application Name, and Website, refer to steps 7-11 in the -[Create a Portal in Remote IIS](../../portal/create.md#create-a-portal-in-remote-iis) topic. Replace +[Create a Portal in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-remote-iis) topic. Replace any reference to the portal with the Data service. Step 8 – For entering information in the Service Endpoints area, follow steps 9 in the Create a Data @@ -121,7 +121,7 @@ the API running on a Docker deamon in your environment, so that Directory Manage container for the service there and run the service from within that container. For an overview on application deployment in Docker, see the -[Prerequisites for Deployments in Docker](../../portal/dockerprerequisites.md) topic. +[Prerequisites for Deployments in Docker](/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md) topic. NOTE: To host the Data service, Docker daemon should be configured to run Windows containers. 
@@ -142,7 +142,7 @@ Step 6 – In the Deployment Name box, enter a deployment name for the service. and deployment name are displayed on the service card. Step 7 – To enter information for Port, Service URL, and Container Name, refer to steps 7-9 in the -[Create a Portal in Docker](../../portal/create.md#create-a-portal-in-docker) topic. Replace any +[Create a Portal in Docker](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-docker) topic. Replace any reference to the portal with the Data service. Step 8 – For entering information in the Service Endpoints area, follow step 9 in the Create a Data diff --git a/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md b/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md index 79089b7380..99fb56e3e8 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md @@ -22,7 +22,7 @@ other Data service that you have created. When multiple Directory Manager instances have been deployed, you will find multiple default Data services on this tab page, as each instance has its own default Data service. See the -[Elasticsearch Clusters, Nodes, and Directory Manager](../overview.md#elasticsearch-clusters-nodes-and-directory-manager) +[Elasticsearch Clusters, Nodes, and Directory Manager](/docs/groupid/11.1/groupid/admincenter/service/overview.md#elasticsearch-clusters-nodes-and-directory-manager) topic. Step 3 – The card for a Data service displays the following information: 
@@ -32,7 +32,7 @@ Step 3 – The card for a Data service displays the following information: | Name | The name given to the service. | | Deployment Instances | Displays the deployment name of the service and the web server where it is deployed. | | Status | A service has one of the following statuses: - Running – Indicates that the service is up and running. - Stopped – Indicates that Directory Manager is unable to communicate with the service. To troubleshoot, go to the web server where the service is deployed (IIS, remote IIS, or Docker) and make sure the service is running. - Error – Any issue other than _stopped_ is categorized as _error_. Contact your system administrator to resolve it. | -| Launch Application | Click it to launch the service page. - For a Data service, Replication service, Email service, and Scheduler service, a page is displayed that simply shows the status of the service as _running_, _stopped_, or _error_. - For a Security service, the **GroupID Applications** page is displayed. Performing an action on this page will be carried out through the respective Security service. See the [Access your Applications](../../general/accessapplications.md) topic. - For Admin Center, this link launches the Admin Center application. | +| Launch Application | Click it to launch the service page. - For a Data service, Replication service, Email service, and Scheduler service, a page is displayed that simply shows the status of the service as _running_, _stopped_, or _error_. - For a Security service, the **GroupID Applications** page is displayed. Performing an action on this page will be carried out through the respective Security service. See the [Access your Applications](/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md) topic. - For Admin Center, this link launches the Admin Center application. 
| | Ellipsis | Click it to launch a shortcut menu with the following options: - Settings – launches the service settings page, where you can manage deployment settings and log settings. - Delete – deletes the service. This option is not available for the default services. | ## Change a Service’s Display Name @@ -136,8 +136,8 @@ Directory Manager uses file logging and Windows logging to monitor events from a set the logging level for a service to track a specific set of information for it. For details on file logging and Windows logging, see the -[File Logging](../../portal/server/log.md#file-logging) and -[Windows Logging](../../portal/server/log.md#windows-logging) topics. Replace references to the +[File Logging](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md#file-logging) and +[Windows Logging](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md#windows-logging) topics. Replace references to the portal with the respective service. NOTE: Windows logging is not available for Data service and Security service. @@ -164,7 +164,7 @@ Step 6 – In the File Logging area, select a logging level for the service in t drop-down list. File logging groups events into different levels, based on the type of information captured. See the table in the -[Change the File Logging Level for a Portal Instance](../../portal/server/log.md#change-the-file-logging-level-for-a-portal-instance)topic +[Change the File Logging Level for a Portal Instance](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md#change-the-file-logging-level-for-a-portal-instance)topic for information on the logging levels. Replace references to the portal with the respective service. Step 7 – Click **Save**. 
@@ -213,7 +213,7 @@ Step 6 – In the Windows Logging area, select a logging level for the service i drop-down list. Windows logging groups events into different levels, based on the type of information captured. See the table in the -[Change the File Logging Level for a Portal Instance](../../portal/server/log.md#change-the-file-logging-level-for-a-portal-instance)topic +[Change the File Logging Level for a Portal Instance](/docs/groupid/11.1/groupid/admincenter/portal/server/log.md#change-the-file-logging-level-for-a-portal-instance)topic for information on the logging levels. Replace references to the portal with the respective service. Step 7 – Click **Save**. diff --git a/docs/groupid/11.1/groupid/admincenter/service/emailservice.md b/docs/groupid/11.1/groupid/admincenter/service/emailservice.md index 220d1e38c9..5ddac6c13a 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/emailservice.md +++ b/docs/groupid/11.1/groupid/admincenter/service/emailservice.md @@ -8,7 +8,7 @@ When the SMTP server for an identity store is down, notifications stay in the qu delivered when the server is up again. Successfully delivered emails are removed from the queue. For more on the notification queue, see the -[Manage the Notification Queue](../notification/queue.md) topic. +[Manage the Notification Queue](/docs/groupid/11.1/groupid/admincenter/notification/queue.md) topic. ## View Email Service Details diff --git a/docs/groupid/11.1/groupid/admincenter/service/overview.md b/docs/groupid/11.1/groupid/admincenter/service/overview.md index 1f6a8ad1c1..9c57b87012 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/service/overview.md 
@@ -32,14 +32,14 @@ You can create multiple Data services and Security services while hosting them o servers. For example, you can host one Data service in native IIS and another in Docker. - To launch IIS on a machine, see - [Opening IIS Manager](). + [Opening IIS Manager](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525920(v=vs.90)). -![in_iis](../../../../../../static/img/product_docs/groupid/groupid/admincenter/portal/in_iis.webp) +![in_iis](/img/product_docs/groupid/groupid/admincenter/portal/in_iis.webp) - To open Docker Desktop on Windows, search for Docker and select Docker Desktop in the search results. -![indocker](../../../../../../static/img/product_docs/groupid/groupid/admincenter/service/indocker.webp) +![indocker](/img/product_docs/groupid/groupid/admincenter/service/indocker.webp) ## Third-party Services @@ -58,7 +58,7 @@ Third-party services are created as Windows services in Windows Services Manager To launch the Services Manager, type ‘ services.msc’ in the Run dialog box and click OK. Here is an example of services in Windows Services Manager. You can start, stop, disable, and delay a service. -![inwindowsservicesmanager](../../../../../../static/img/product_docs/groupid/groupid/admincenter/service/inwindowsservicesmanager.webp) +![inwindowsservicesmanager](/img/product_docs/groupid/groupid/admincenter/service/inwindowsservicesmanager.webp) ## Accounts to Run the Services diff --git a/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md b/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md index 160c31ebca..f2e11e9e44 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md +++ b/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md 
@@ -10,7 +10,7 @@ as Active Directory) to the Elasticsearch repository. - Organizational Unit For more on the Replication service, see the -[Elasticsearch and Replication ](../replication/overview.md)topic for additional information. +[Elasticsearch and Replication ](/docs/groupid/11.1/groupid/admincenter/replication/overview.md)topic for additional information. The service is also responsible for syncing data between the Elasticsearch clusters in your environment. diff --git a/docs/groupid/11.1/groupid/admincenter/service/securityservice/create.md b/docs/groupid/11.1/groupid/admincenter/service/securityservice/create.md index 978e57a6c6..b8b299bb2c 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/securityservice/create.md +++ b/docs/groupid/11.1/groupid/admincenter/service/securityservice/create.md @@ -34,7 +34,7 @@ located on disk. 6. In the **Deployment Name** box, enter a deployment name for the service. The application name and deployment name are displayed on the service card, as shown below: - ![securityservicecard](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/service/securityservice/securityservicecard.webp) + ![securityservicecard](/img/product_docs/groupid/groupid/admincenter/service/securityservice/securityservicecard.webp) 7. In the **IIS Application Name** box, enter an IIS deployment name for the service. This name is used to name the service’s directory in IIS and its physical directory under X:\Program @@ -65,7 +65,7 @@ The Security service runs within a virtual directory in remote IIS while the ser physically located on disk. To learn about the remote IIS settings and configurations before deploying a service there, see the -[Prerequisites for Deployments in Remote IIS](../../portal/remoteiisprerequisites.md) topic. +[Prerequisites for Deployments in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/remoteiisprerequisites.md) topic. **To create a Security service:** 
@@ -79,7 +79,7 @@ To learn about the remote IIS settings and configurations before deploying a ser deployment name are displayed on the service card. 7. To enter information for **API URL**, **Access Token**, **Username**, **Password**, **IIS Application Name**, and **Website**, refer to steps 7-11 in the - [Create a Portal in Remote IIS](../../portal/create.md#create-a-portal-in-remote-iis) topic. + [Create a Portal in Remote IIS](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-remote-iis) topic. Replace any reference to the portal with the Security service. 8. In the **Data Service** drop-down list, select a Data service to bind to this Security service. A Security service needs a Data service to perform various tasks, such as authentication and @@ -94,7 +94,7 @@ with the API running on a Docker deamon in your environment, so that Directory M container for the service there and run the service from within that container. For an overview on application deployment in Docker, see the -[Prerequisites for Deployments in Docker](../../portal/dockerprerequisites.md) topic. +[Prerequisites for Deployments in Docker](/docs/groupid/11.1/groupid/admincenter/portal/dockerprerequisites.md) topic. NOTE: To host the Security service, Docker daemon should be configured to run Windows containers. 
@@ -109,7 +109,7 @@ NOTE: To host the Security service, Docker daemon should be configured to run Wi 6. In the **Deployment Name** box, enter a deployment name for the service. The application name and deployment name are displayed on the service card. 7. To enter information for **Port**, **Service URL**, and **Container Name**, refer to steps 7-9 in - the [Create a Portal in Docker](../../portal/create.md#create-a-portal-in-docker) topic. Replace + the [Create a Portal in Docker](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-docker) topic. Replace any reference to the portal with the Security service. 8. In the **Data Service** drop-down list, select a Data service to bind to this Security service. A Security service needs a Data service to perform various tasks, such as authentication and @@ -122,11 +122,11 @@ NOTE: To host the Security service, Docker daemon should be configured to run Wi 1. In Admin Center, select **Applications** in the left pane. 2. On the **Security Service** tab, click **Launch Application** for a service. The **GroupID Applications** page is displayed. Options on this page are discussed in the - [Access your Applications](../../general/accessapplications.md) topic. Any actions you perform + [Access your Applications](/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md) topic. Any actions you perform will be carried out through the respective Security service. **See Also** -- [Directory Manage Applications](../../portal/applications.md) -- [Services](../overview.md) -- [Manage Security Service Settings](manage.md) +- [Directory Manage Applications](/docs/groupid/11.1/groupid/admincenter/portal/applications.md) +- [Services](/docs/groupid/11.1/groupid/admincenter/service/overview.md) +- [Manage Security Service Settings](/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md b/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md index 128f834856..5055d55a6b 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md @@ -21,14 +21,14 @@ The tab displays the default Security service created while configuring Director other Security service that you have created. When multiple Directory Manager instances have been deployed, you will find multiple default Security services on this tab page, as each instance has its own default Security service. See the -[Elasticsearch Clusters, Nodes, and Directory Manager](../overview.md#elasticsearch-clusters-nodes-and-directory-manager) +[Elasticsearch Clusters, Nodes, and Directory Manager](/docs/groupid/11.1/groupid/admincenter/service/overview.md#elasticsearch-clusters-nodes-and-directory-manager) topic for additional information. For details displayed on a service card, see the table in the -[View Data Service Details](../dataservice/manage.md#view-data-service-details) topic. +[View Data Service Details](/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md#view-data-service-details) topic. ## Manage Security Service Settings -See the [Manage Data Service Settings](../dataservice/manage.md) topic to manage settings for a +See the [Manage Data Service Settings](/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md) topic to manage settings for a Security service, such as deployment and log settings. ## Manage Advanced Settings 
@@ -45,10 +45,10 @@ The tab displays the default Security service created while configuring Director other Security service that you have created. When multiple Directory Manager instances have been deployed, you will find multiple default Security services on this tab page, as each instance has its own default Security service. See the -[Elasticsearch Clusters, Nodes, and Directory Manager](../overview.md#elasticsearch-clusters-nodes-and-directory-manager) +[Elasticsearch Clusters, Nodes, and Directory Manager](/docs/groupid/11.1/groupid/admincenter/service/overview.md#elasticsearch-clusters-nodes-and-directory-manager) topics for additional information. For details displayed on a service card, see the table in the -[View Data Service Details](../dataservice/manage.md#view-data-service-details) topic for additional +[View Data Service Details](/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md#view-data-service-details) topic for additional information. Step 3 – Click the **ellipsis button** for a Security service and select **Settings**. diff --git a/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md b/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md index 1daf3367ab..7c9220a26f 100644 --- a/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md 
@@ -11,20 +11,20 @@ Directory Manager. ## The Default Security Service -See [The Default Data Service](../dataservice/overview.md#the-default-data-service) topic. +See [The Default Data Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/overview.md#the-default-data-service) topic. At the time of Directory Manager installation, a generic signing key is assigned to the Directory Manager Security Service. For security reasons, it is recommended that a unique signing key is used which is specific to your environment. Using Netwrix Directory Manager (formerly GroupID) Signing Key Utility you can replace the old signing key with a new key. See the -[Signing Key Utility](signkeyutility.md) topic for additional information. +[Signing Key Utility](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md) topic for additional information. ## Why Create Multiple Security Services? See the -[Why Create Multiple Data Services?](../dataservice/overview.md#why-create-multiple-data-services) +[Why Create Multiple Data Services?](/docs/groupid/11.1/groupid/admincenter/service/dataservice/overview.md#why-create-multiple-data-services) topic while replacing references to Data service with Security service. After defining multiple Security services, you can enable communication between them. As a result of their communication, logged in session-related information persists across multiple Directory Manager clients. See the [Manage Advanced Settings](manage.md#manage-advanced-settings) section of the -[Manage Security Service Settings](manage.md) topics for additional information. +[Manage Security Service Settings](/docs/groupid/11.1/groupid/admincenter/service/securityservice/manage.md) topics for additional information. diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/authenticator.md b/docs/groupid/11.1/groupid/admincenter/setupauth/authenticator.md index 632018f44e..fad1d7beea 100644 
--- a/docs/groupid/11.1/groupid/admincenter/setupauth/authenticator.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/authenticator.md @@ -14,12 +14,12 @@ What do you want to do? The Authenticator authentication type must be enabled for an identity store before it can be used for second factor authentication and multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Enforce Authentication by Authenticator for a Role in an Identity Store To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an @@ -28,4 +28,4 @@ and authentication. **See Also** -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/email.md b/docs/groupid/11.1/groupid/admincenter/setupauth/email.md index aaf06c717d..e113805351 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/email.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/email.md 
@@ -9,7 +9,7 @@ in various languages. You can change the subject line and the body text in the t these languages. NOTE: Before configuring Email authentication, make sure that an SMTP server is configured for the -identity store. See the [Configure an SMTP Server](../identitystore/configure/smtpserver.md) topic. +identity store. See the [Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. What do you want to do? @@ -22,7 +22,7 @@ What do you want to do? The email authentication type must be enabled for an identity store before users can use it for second factor authentication and multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Modify the Email Template @@ -44,7 +44,7 @@ accounts. 3. Search for _AccessCodeEmail_ and click **Edit** in the **Actions** column to open it. - ![accesscode](../../../../../../static/img/product_docs/groupid/groupid/admincenter/setupauth/accesscode.webp) + ![accesscode](/img/product_docs/groupid/groupid/admincenter/setupauth/accesscode.webp) 4. You can view the notification content in two distinct modes: @@ -64,7 +64,7 @@ accounts. ## Enforce Email Authentication for a Role in an Identity Store To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an 
@@ -73,5 +73,5 @@ and authentication. **See Also** -- [Authentication Policy](../identitystore/configure/authpolicy.md) -- [Customize Notifications](../notification/customize.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Customize Notifications](/docs/groupid/11.1/groupid/admincenter/notification/customize.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/linkedaccount.md b/docs/groupid/11.1/groupid/admincenter/setupauth/linkedaccount.md index cb1b0b0134..1b2a27be9e 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/linkedaccount.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/linkedaccount.md @@ -21,12 +21,12 @@ What do you want to do? The Linked Account authentication type must be enabled for an identity store before it can be used for multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Enforce Linked Account Authentication for a Security Role To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an @@ -35,4 +35,4 @@ and authentication. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) 
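Review bot: The `See Also` heading kept as context in the last linkedaccount.md hunk is plain text, while authenticator.md and email.md in this same patch use `**See Also**`. Since the link directly under it is being rewritten anyway, bold the heading here as well so the setupauth topics render consistently.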
diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md b/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md index a0e1327419..653cd4005d 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md @@ -3,7 +3,7 @@ You can define a multifactor authentication (MFA) policy for an identity store. This policy enforces users to enroll their identity store accounts in Directory Manager using one or more authentication types. Supported authentication types are discussed in the -[Authentication Policies - A Comparison](../identitystore/configure/authpolicy.md) topic. +[Authentication Policies - A Comparison](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) topic. Once enrolled, users must authenticate their identity store accounts using the authentication types they enrolled with, when they perform any of the following actions in the Directory Manager portal: @@ -13,11 +13,11 @@ they enrolled with, when they perform any of the following actions in the Direct Helpdesk users with restricted access also use authentication type(s) to authenticate end-users before resetting their password or unlocking their identity store account. See the -[Set Restricted Mode](../securityrole/policy/helpdesk.md#set-restricted-mode) topic. +[Set Restricted Mode](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md#set-restricted-mode) topic. NOTE: Multifactor authentication defined in Microsoft Entra Admin Center does not integrate with MFA in Directory Manager. See the -[Multifactor Authentication Policy](../identitystore/advsentraid.md#multifactor-authentication-policy) +[Multifactor Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/advsentraid.md#multifactor-authentication-policy) topic. What do you want to do? 
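Review bot: The rewritten targets in these mfa.md hunks, for example `/docs/groupid/11.1/groupid/admincenter/securityrole/policy/helpdesk.md#set-restricted-mode`, now hard-code the `11.1` version segment, which the relative form `../securityrole/policy/helpdesk.md#set-restricted-mode` did not. If this tree is later copied into another version directory, these links will keep resolving to the 11.1 pages rather than breaking, so a link checker will not flag them and readers will be moved across versions silently. Please state in the commit message or README how a version bump is expected to rewrite these paths, or keep links relative when the target sits inside the same version directory.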
@@ -29,13 +29,13 @@ What do you want to do? To configure multifactor authentication for a security role in an identity store, do the following: 1. Enable one or more authentication types for the identity store. - See the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic for details. + See the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic for details. 2. Enforce role members to use specific authentication types for multifactor authentication. See the - [Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) + [Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic for details. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) -- [Configure Second Factor Authentication](sfa.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Configure Second Factor Authentication](/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/overview.md b/docs/groupid/11.1/groupid/admincenter/setupauth/overview.md index c0eaf07638..c9e3807431 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/overview.md 
@@ -3,14 +3,14 @@ The following topics guide you on how to set up different authentication types for an identity store and enforce them for a security role. -- [Set up Authentication via Security Questions](securityquestions.md) -- [SMS Authentication](../identitystore/configure/security/smsauthentication.md) -- [Set up Authentication via Email](email.md) -- [Set up Authentication via Authenticator](authenticator.md) -- [Set up Authentication via Linked Account](linkedaccount.md) -- [Set up Authentication via YubiKey](yubikey.md) -- [Set up Authentication via Windows Hello](windowshello.md) +- [Set up Authentication via Security Questions](/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md) +- [SMS Authentication](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md) +- [Set up Authentication via Email](/docs/groupid/11.1/groupid/admincenter/setupauth/email.md) +- [Set up Authentication via Authenticator](/docs/groupid/11.1/groupid/admincenter/setupauth/authenticator.md) +- [Set up Authentication via Linked Account](/docs/groupid/11.1/groupid/admincenter/setupauth/linkedaccount.md) +- [Set up Authentication via YubiKey](/docs/groupid/11.1/groupid/admincenter/setupauth/yubikey.md) +- [Set up Authentication via Windows Hello](/docs/groupid/11.1/groupid/admincenter/setupauth/windowshello.md) **See Also** -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md b/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md index d652818845..e0885fb40c 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/securityquestions.md 
@@ -23,11 +23,11 @@ What do you want to do? ## Modify the Global Question Pool -See the [Manage the Global Question Pool ](../general/globalpool.md)topic. +See the [Manage the Global Question Pool ](/docs/groupid/11.1/groupid/admincenter/general/globalpool.md)topic. ## Modify the Local Question Pool -See the [Manage the Local Question Pool](../identitystore/configure/security/securityquestions.md) +See the [Manage the Local Question Pool](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md) topic. ## Enable Security Question Authentication for an Identity Store @@ -35,12 +35,12 @@ topic. The security question authentication type must be enabled for an identity store before users can use it for second factor authentication and multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Enforce Security Question Authentication for a Role in an Identity Store To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an 
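Review bot: In the `Modify the Global Question Pool` hunk of securityquestions.md, the new line still reads `[Manage the Global Question Pool ](/docs/groupid/11.1/groupid/admincenter/general/globalpool.md)topic.`, with a trailing space inside the link text and no space before `topic`. The line is being rewritten by this patch, so move the space outside the closing parenthesis to get `[Manage the Global Question Pool](...) topic.` with the same target.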
@@ -50,9 +50,9 @@ and authentication. ## Specify Policies for Security Question Authentication See the -[Define Security Question Settings for a Security Role](../securityrole/policy/password.md#define-security-question-settings-for-a-security-role) topic. +[Define Security Question Settings for a Security Role](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md#define-security-question-settings-for-a-security-role) topic. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) -- [Manage the Local Question Pool](../identitystore/configure/security/securityquestions.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Manage the Local Question Pool](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/securityquestions.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md b/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md index 9fad51a138..2f1ee38c0c 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/sfa.md @@ -3,7 +3,7 @@ You can enable second factor authentication (SFA) for a user role in an identity store. This policy enforces role members to enroll their identity store accounts in Directory Manager using one or more authentication types. Supported authentication types are discussed in the -[Authentication Policies - A Comparison](../identitystore/configure/authpolicy.md) topic. +[Authentication Policies - A Comparison](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) topic. Once enrolled, role members must authenticate their accounts using an authentication type they enrolled with, while signing into Admin Center or theDirectory Manager portal. Users enrolled with 
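Review bot: The trailing context of the sfa.md hunk reads `while signing into Admin Center or theDirectory Manager portal`, with the space missing between `the` and `Directory`. It sits outside the changed line, but the paragraph is already being touched, so fix it in this pass or note it for a follow-up.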
@@ -22,15 +22,15 @@ following: Step 1 – Enable one or more authentication types for the identity store. -See the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic for details. +See the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic for details. Step 2 – Enable second factor authentication for a security role in an identity store. See the -[Enable Second Factor Authentication](../securityrole/policy/authentication.md#enable-second-factor-authentication) +[Enable Second Factor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enable-second-factor-authentication) topic for details. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) -- [Configure Multifactor Authentication](mfa.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) +- [Configure Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/setupauth/mfa.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/windowshello.md b/docs/groupid/11.1/groupid/admincenter/setupauth/windowshello.md index dafbf85975..d1c2a4ff57 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/windowshello.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/windowshello.md 
@@ -25,12 +25,12 @@ What do you want to do? The Windows Hello authentication type must be enabled for an identity store before it can be used for second factor authentication and multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Enforce Windows Hello Authentication for a Role in an Identity Store To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an @@ -39,4 +39,4 @@ and authentication. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) diff --git a/docs/groupid/11.1/groupid/admincenter/setupauth/yubikey.md b/docs/groupid/11.1/groupid/admincenter/setupauth/yubikey.md index 22208503df..00b8180405 100644 --- a/docs/groupid/11.1/groupid/admincenter/setupauth/yubikey.md +++ b/docs/groupid/11.1/groupid/admincenter/setupauth/yubikey.md 
@@ -22,12 +22,12 @@ What do you want to do? You must enable the YubiKey authentication type for an identity store for users to use it for second factor authentication and multifactor authentication. -To enable it, see the [Enable Authentication Types](../identitystore/configure/authtypes.md) topic. +To enable it, see the [Enable Authentication Types](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authtypes.md) topic. ## Enforce YubiKey Authentication for a Security Role in an Identity Store To enforce an authentication type, see the -[Enforce Authentication Types for Multifactor Authentication](../securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) +[Enforce Authentication Types for Multifactor Authentication](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/authentication.md#enforce-authentication-types-for-multifactor-authentication) topic. Role members must use an enforced authentication type for multifactor authentication. When an @@ -36,4 +36,4 @@ and authentication. See Also -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) diff --git a/docs/groupid/11.1/groupid/admincenter/signin.md b/docs/groupid/11.1/groupid/admincenter/signin.md index 5e95b7929f..59c81b8572 100644 --- a/docs/groupid/11.1/groupid/admincenter/signin.md +++ b/docs/groupid/11.1/groupid/admincenter/signin.md 
@@ -17,7 +17,7 @@ Use any of the following methods to connect and sign in: NOTE: To sign in using the Directory Manager provider, enter the username and password you provided for the _GroupID administrator_ on the Service Account Settings page of the Configuration Tool. See the - [Configure a New Directory Manager Server with a New or an Existing Database](../install/configure/gidserver.md) + [Configure a New Directory Manager Server with a New or an Existing Database](/docs/groupid/11.1/groupid/install/configure/gidserver.md) topic. - Select an identity store and sign in using a SAML provider. This option is available if a SAML @@ -64,8 +64,8 @@ You can opt for single sign-on across all Directory Manager clients, provided th is configured with Directory Manager. See the following topics for additional information on the SAML provider configuration: -- [Configure Directory Manager in Microsoft Entra ID for SSO](../authenticate/asserviceprovider/entrasso/configureinentra.md) -- [Configure the Microsoft Entra SSO Application in Directory Manager](../authenticate/asserviceprovider/entrasso/configureprovideringroupid.md) +- [Configure Directory Manager in Microsoft Entra ID for SSO](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md) +- [Configure the Microsoft Entra SSO Application in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureprovideringroupid.md) On the **GroupID Authenticate** page, click the button or image for the provider and proceed to sign in. 
@@ -84,11 +84,11 @@ For second factor authentication, one of the following applies: - If you have not enrolled your identity store account in Directory Manager, the Enroll Account page is displayed. You must enroll using at least one authentication type. See the - [Enroll your Identity Store Account](enroll.md) topic. + [Enroll your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic. - If you have already enrolled your identity store account in Directory Manager, the Authenticate page is displayed. It lists the authentication type(s) your account is enrolled with. Select an authentication type to authenticate. See the - [Authenticate your Identity Store Account](authenticate.md) topic. + [Authenticate your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/authenticate.md) topic. ## Sign Out @@ -103,6 +103,6 @@ Directory Manager version. See Also -- [Getting Started](../gettingstarted.md) -- [Dashboard](general/dashboard.md) -- [Navigation](general/navigation.md) +- [Getting Started](/docs/groupid/11.1/groupid/gettingstarted.md) +- [Dashboard](/docs/groupid/11.1/groupid/admincenter/general/dashboard.md) +- [Navigation](/docs/groupid/11.1/groupid/admincenter/general/navigation.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md index e044ae99bd..c5b6a052da 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md @@ -26,4 +26,4 @@ gateway needs for authenticating a connection. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md index ca74aa6365..207a7c34d8 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md @@ -20,4 +20,4 @@ The clone object. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md index ec51f5a0f1..46aa72d259 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md 
@@ -2,35 +2,35 @@ To define a custom gateway, a list of ISMSGateway members that you must implement are listed below: -- [ISmsGateway.AccountId](accountid.md) -- [ISmsGateway.Clone](clone.md) -- [ISmsGateway.Password](password.md) -- [ISmsGateway.ProxyDomain](proxydomain.md) -- [ISmsGateway.ProxyHostName](proxyhostname.md) -- [ISmsGateway.ProxyPassword](proxypassword.md) -- [ISmsGateway.ProxyPort](proxyport.md) -- [ISmsGateway.ProxyUsername](proxyusername.md) -- [ISmsGateway.SendShortMessage](sendshortmessage.md) -- [ISmsGateway.TestConnection](testconnection.md) -- [ISmsGateway.TestCredentials](testcredentials.md) -- [ISmsGateway.TestProxy](testproxy.md) -- [ISmsGateway.Url](url.md) -- [ISmsGateway.UserId](userid.md) +- [ISmsGateway.AccountId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md) +- [ISmsGateway.Clone](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md) +- [ISmsGateway.Password](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md) +- [ISmsGateway.ProxyDomain](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md) +- [ISmsGateway.ProxyHostName](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md) +- [ISmsGateway.ProxyPassword](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md) +- [ISmsGateway.ProxyPort](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md) +- [ISmsGateway.ProxyUsername](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md) +- [ISmsGateway.SendShortMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md) +- [ISmsGateway.TestConnection](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md) +- [ISmsGateway.TestCredentials](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md) +- [ISmsGateway.TestProxy](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md) +- 
[ISmsGateway.Url](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md) +- [ISmsGateway.UserId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md) -- ShortMessage ([ShortMessage class](shortmessage/class.md)) +- ShortMessage ([ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md)) - - [ShortMessage.AccessCode](shortmessage/accesscode.md) - - [ShortMessage.MaxLength](shortmessage/maxlength.md) - - [ShortMessage.Message](shortmessage/message.md) - - [ShortMessage.PhoneNumbers](shortmessage/phonenumbers.md) - - [ShortMessage.ReferenceId](shortmessage/referenceid.md) - - [ShortMessage.Validate](shortmessage/validate.md) + - [ShortMessage.AccessCode](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md) + - [ShortMessage.MaxLength](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md) + - [ShortMessage.Message](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md) + - [ShortMessage.PhoneNumbers](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md) + - [ShortMessage.ReferenceId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md) + - [ShortMessage.Validate](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md) -- SendSmsMessageResult ([SendSmsMessageResult class](sendsmsmessageresult/class.md)) - - [SendSmsMessageResult.ExceptionMessage](sendsmsmessageresult/exceptionmessage.md) - - [SendSmsMessageResult.Message](sendsmsmessageresult/message.md) - - [SendSmsMessageResult.Success](sendsmsmessageresult/success.md) +- SendSmsMessageResult ([SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md)) + - [SendSmsMessageResult.ExceptionMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md) + - 
[SendSmsMessageResult.Message](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md) + - [SendSmsMessageResult.Success](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md) **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md index 065a65f96f..95e55158c3 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md @@ -20,4 +20,4 @@ The value of the password. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md index a3db19feca..979c24945e 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md @@ -25,4 +25,4 @@ the domain name or IP address of that proxy server. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md index 160440b341..4a6989ccdd 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md 
@@ -25,4 +25,4 @@ provide the host name of the proxy server. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md index e699f8e71c..81be26c247 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md @@ -24,4 +24,4 @@ Use this property if your proxy server requires a user name and password for con **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md index 76d3bfe610..5c0fb65bca 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md @@ -25,4 +25,4 @@ the port number the proxy server uses. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md index 0403b0c2dc..40769427d4 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md 
@@ -24,4 +24,4 @@ Use this property if your proxy server requires a user name and password for con **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md index 9ec3e1140e..50e42bfd76 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md @@ -28,6 +28,6 @@ The object containing the message delivery status and exception details. See Also -- [ShortMessage class](shortmessage/class.md) -- [SendSmsMessageResult class](sendsmsmessageresult/class.md) -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) +- [SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md index 126f55ec06..7fd3e07935 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md 
@@ -5,16 +5,16 @@ sending the text message to the target mobile phone numbers. Following is a list of its members with description: -- [SendSmsMessageResult.ExceptionMessage](exceptionmessage.md) -- [SendSmsMessageResult.Message](message.md) -- [SendSmsMessageResult.Success](success.md) +- [SendSmsMessageResult.ExceptionMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md) +- [SendSmsMessageResult.Message](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md) +- [SendSmsMessageResult.Success](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md) | Member | Description | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | ExceptionMessage property | Gets the exception message if one occurs while sending the text message. | -| Message property | Returns the [ShortMessage class](../shortmessage/class.md) object processed by the [ISmsGateway.SendShortMessage](../sendshortmessage.md) method. | +| Message property | Returns the [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) object processed by the [ISmsGateway.SendShortMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md) method. | | Success property | Returns a boolean value indicating whether the text message is successfully sent to the target mobile phone numbers. | **See Also** -- [ISMSGateway Members](../overview.md) +- [ISMSGateway Members](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md index c038d6fc84..d99814b8f6 100644 
--- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/exceptionmessage.md @@ -20,4 +20,4 @@ The exception details. See Also -- [SendSmsMessageResult class](class.md) +- [SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md index 076b8fee7d..9b23106f7a 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/message.md @@ -1,7 +1,7 @@ # SendSmsMessageResult.Message -Returns the [ShortMessage class](../shortmessage/class.md) object processed by the -[ISmsGateway.SendShortMessage](../sendshortmessage.md) method. +Returns the [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) object processed by the +[ISmsGateway.SendShortMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md) method. **Namespace:** Imanami.GroupID.DataTransferObjects.DataContracts.SMS @@ -21,6 +21,6 @@ Object containing elements of the text message. See Also -- [SendSmsMessageResult class](class.md) -- [ShortMessage class](../shortmessage/class.md) -- [Implement and Deploy a Custom SMS Gateway](../../implementcustom.md) +- [SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md index ea9c2cc75a..bc827960b9 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/success.md @@ -21,4 +21,4 @@ True if the message is delivered successfully. See Also -- [SendSmsMessageResult class](class.md) +- [SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md index 0d5f0dd892..3957304c5a 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md @@ -20,4 +20,4 @@ The confirmation code. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md index f281d9193e..8b53fdc64a 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md 
@@ -4,22 +4,22 @@ ShortMessage is a DTO (Data Transfer Object) class that defines the elements of Following is a list of its members with description: -- [ShortMessage.AccessCode](accesscode.md) -- [ShortMessage.MaxLength](maxlength.md) -- [ShortMessage.Message](message.md) -- [ShortMessage.PhoneNumbers](phonenumbers.md) -- [ShortMessage.ReferenceId](referenceid.md) -- [ShortMessage.Validate](validate.md) +- [ShortMessage.AccessCode](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md) +- [ShortMessage.MaxLength](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md) +- [ShortMessage.Message](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md) +- [ShortMessage.PhoneNumbers](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md) +- [ShortMessage.ReferenceId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md) +- [ShortMessage.Validate](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md) | Member | Description | | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -| [ShortMessage.AccessCode](accesscode.md) property | Gets or sets the confirmation code that will be sent to registered mobile phone users. | -| [ShortMessage.MaxLength](maxlength.md) property | Defines the maximum length of an SMS message. | -| [ShortMessage.Message](message.md) property | Gets or sets the supporting message text that will be sent to registered mobile phone users along with the confirmation code. | -| [ShortMessage.PhoneNumbers](phonenumbers.md) property | Gets or sets the list of phone numbers to send the message to. | -| [ShortMessage.ReferenceId](referenceid.md) property | Gets or sets the reference ID for the text message. 
| -| [ShortMessage.Validate](validate.md) method | Validates various elements in an SMS message, such as message length and phone number. | +| [ShortMessage.AccessCode](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/accesscode.md) property | Gets or sets the confirmation code that will be sent to registered mobile phone users. | +| [ShortMessage.MaxLength](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md) property | Defines the maximum length of an SMS message. | +| [ShortMessage.Message](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md) property | Gets or sets the supporting message text that will be sent to registered mobile phone users along with the confirmation code. | +| [ShortMessage.PhoneNumbers](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md) property | Gets or sets the list of phone numbers to send the message to. | +| [ShortMessage.ReferenceId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md) property | Gets or sets the reference ID for the text message. | +| [ShortMessage.Validate](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md) method | Validates various elements in an SMS message, such as message length and phone number. | **See Also** -- [ISMSGateway Members](../overview.md) +- [ISMSGateway Members](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md index 35934b6fc6..95b74de4f7 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/maxlength.md 
@@ -27,4 +27,4 @@ more from the gateway. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md index 35100349aa..16be23f615 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/message.md @@ -21,4 +21,4 @@ The message text. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md index 529e41e713..1c6aaf2056 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/phonenumbers.md @@ -21,4 +21,4 @@ A list of mobile phone numbers. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md index 116f8d91fd..e7b1c74718 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/referenceid.md @@ -20,4 +20,4 @@ The reference ID for the text message. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md index 7b93206aea..b30407729a 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/validate.md @@ -25,4 +25,4 @@ True if all validation checks are passed. See Also -- [ShortMessage class](class.md) +- [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md index 4010cdc41a..3d88aa4827 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md @@ -20,4 +20,4 @@ True if a connection is established with the SMS gateway. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md index 2bb344972b..c3d541bdb3 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md @@ -20,4 +20,4 @@ True if the credentials are valid. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md index 022f53e946..9f4f53ac30 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md @@ -20,4 +20,4 @@ True if the proxy settings are valid. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md index 17494d481e..64112c8da9 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md @@ -26,4 +26,4 @@ is the case with your SMS gateway provider, you can use this property to specify **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md index 6250b9f7c9..34dfe48415 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md @@ -8,7 +8,7 @@ Gets or sets the user name of the account registered with the SMS gateway provid **Syntax** -[Copy]() +[Copy](javascript:void(0);) ``` string UserId { get; set; } @@ -22,4 +22,4 @@ The value of the user name. **See Also** -- [Implement and Deploy a Custom SMS Gateway](../implementcustom.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) 
diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md index 7195c8779e..02e8aac1df 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md 
@@ -21,20 +21,20 @@ What do you want to do? | Member | Description | | ----------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | [ISmsGateway.SendShortMessage](custom/sendshortmessage.md) method | Takes as input the [ShortMessage class](custom/shortmessage/class.md) object, which defines elements of the text message, sends messages to the target recipients, and returns the [SendSmsMessageResult class](custom/sendsmsmessageresult/class.md) object, which contains  message delivery status and exception details | - | [ISmsGateway.TestCredentials](custom/testcredentials.md) method | Returns a boolean value indicating whether the credentials for communicating with the SMS gateway are valid. | - | [ISmsGateway.TestConnection](custom/testconnection.md) method | Returns a boolean value indicating whether the connection with the SMS gateway is established successfully. | - | [ISmsGateway.TestProxy](custom/testproxy.md) method | Returns a boolean value informing whether the given proxy setting are valid. | - | [ISmsGateway.Clone](custom/clone.md) method | Returns the member-wise clone of the ISMSGateway interface. | - | [ISmsGateway.AccountId](custom/accountid.md) property | Gets or sets the account ID for connecting to the SMS gateway. | - | [ISmsGateway.Password](custom/password.md) property | Gets or sets the password of the user name assigned by the SMS gateway provider. | - | [ISmsGateway.Url](custom/url.md) property | Gets or sets the URL that the SMS gateway provides for sending messages. | - | [ISmsGateway.UserId](custom/userid.md) property | Gets or sets the user name assigned to you by the SMS gateway provider. 
| - | [ISmsGateway.ProxyHostName](custom/proxyhostname.md) property | Gets or sets the host name of the proxy server. | - | [ISmsGateway.ProxyPort](custom/proxyport.md) property | Gets or sets the port number used by the proxy server. | - | [ISmsGateway.ProxyUsername](custom/proxyusername.md) property | Gets or set the user name for connecting to the proxy server. | - | [ISmsGateway.ProxyPassword](custom/proxypassword.md) property | Gets or sets the password of the user account that will be used for connecting to the proxy server. | - | [ISmsGateway.ProxyDomain](custom/proxydomain.md) property | Gets or sets the domain name or IP address of the proxy server. | + | [ISmsGateway.SendShortMessage](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendshortmessage.md) method | Takes as input the [ShortMessage class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/shortmessage/class.md) object, which defines elements of the text message, sends messages to the target recipients, and returns the [SendSmsMessageResult class](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/sendsmsmessageresult/class.md) object, which contains  message delivery status and exception details | + | [ISmsGateway.TestCredentials](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testcredentials.md) method | Returns a boolean value indicating whether the credentials for communicating with the SMS gateway are valid. | + | [ISmsGateway.TestConnection](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testconnection.md) method | Returns a boolean value indicating whether the connection with the SMS gateway is established successfully. | + | [ISmsGateway.TestProxy](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/testproxy.md) method | Returns a boolean value informing whether the given proxy setting are valid. 
| + | [ISmsGateway.Clone](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/clone.md) method | Returns the member-wise clone of the ISMSGateway interface. | + | [ISmsGateway.AccountId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/accountid.md) property | Gets or sets the account ID for connecting to the SMS gateway. | + | [ISmsGateway.Password](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/password.md) property | Gets or sets the password of the user name assigned by the SMS gateway provider. | + | [ISmsGateway.Url](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/url.md) property | Gets or sets the URL that the SMS gateway provides for sending messages. | + | [ISmsGateway.UserId](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/userid.md) property | Gets or sets the user name assigned to you by the SMS gateway provider. | + | [ISmsGateway.ProxyHostName](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyhostname.md) property | Gets or sets the host name of the proxy server. | + | [ISmsGateway.ProxyPort](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyport.md) property | Gets or sets the port number used by the proxy server. | + | [ISmsGateway.ProxyUsername](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxyusername.md) property | Gets or set the user name for connecting to the proxy server. | + | [ISmsGateway.ProxyPassword](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxypassword.md) property | Gets or sets the password of the user account that will be used for connecting to the proxy server. | + | [ISmsGateway.ProxyDomain](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/proxydomain.md) property | Gets or sets the domain name or IP address of the proxy server. | 2. Reference **System.ComponentModel.Composition** (_System.ComponentModel.Composition.dll_). 
@@ -100,5 +100,5 @@ the **Create SMS Gateway** page) for selection when creating an SMS gateway acco **See Also** -- [SMS Gateway](overview.md) -- [ISMSGateway Members](custom/overview.md) +- [SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md) +- [ISMSGateway Members](/docs/groupid/11.1/groupid/admincenter/smsgateway/custom/overview.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md index 8a44c590b5..38e3146e62 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md @@ -98,7 +98,7 @@ connect to the gateway. ## Link an SMS Gateway Account to an Identity Store See the -[Link an SMS Gateway Account to an Identity Store](../identitystore/configure/security/smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) +[Link an SMS Gateway Account to an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/security/smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) topic. ## Delete an SMS Gateway Account @@ -118,5 +118,5 @@ You can delete an SMS gateway account that is not linked with any identity store See Also -- [SMS Gateway](overview.md) -- [Implement and Deploy a Custom SMS Gateway](implementcustom.md) +- [SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) diff --git a/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md b/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md index 6e787763da..e258ebc48a 100644 --- a/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md 
@@ -25,6 +25,6 @@ to an identity store. **See Also** -- [Manage SMS Gateway Accounts](manage.md) -- [Implement and Deploy a Custom SMS Gateway](implementcustom.md) -- [Authentication Policy](../identitystore/configure/authpolicy.md) +- [Manage SMS Gateway Accounts](/docs/groupid/11.1/groupid/admincenter/smsgateway/manage.md) +- [Implement and Deploy a Custom SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/implementcustom.md) +- [Authentication Policy](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/authpolicy.md) diff --git a/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md b/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md index 30312bd6aa..0d0f96a945 100644 --- a/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md +++ b/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md @@ -4,7 +4,7 @@ You can specify advanced settings for workflow, such as set a default approver f and define approver acceleration settings. NOTE: Functions discussed in this topic are licensed under different add-ons. See the -[ Licensing ](../general/licensing.md) topic. +[ Licensing ](/docs/groupid/11.1/groupid/admincenter/general/licensing.md) topic. ## Specify a Default Approver @@ -53,7 +53,7 @@ owners. The workflow approver acceleration feature ensures that no workflow request remains undecided. To apply setting related to approver acceleration, see the -[Workflow Approver Acceleration](approveracceleration.md) topic. +[Workflow Approver Acceleration](/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md) topic. ## Delete Workflow Requests 
@@ -83,4 +83,4 @@ example, you can delete the ‘denied’ requests that are old by 30 days or mor ## Integrate with Microsoft Power Automate You can also link your Power Automate flows to Directory Manager workflows. For details, see the -[Integrate with Power Automate](integrate.md) topic. +[Integrate with Power Automate](/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md) topic. diff --git a/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md b/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md index a1c104b737..f067b795e6 100644 --- a/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md +++ b/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md @@ -26,7 +26,7 @@ To configure approver acceleration for an identity store, you have to: A scheduled job, Workflow Acceleration, is responsible for accelerating requests to the next level, auto approve requests, and send notifications. See the -[Workflow Acceleration Schedule](../schedule/workflowacceleration.md) topic. +[Workflow Acceleration Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/workflowacceleration.md) topic. **To apply approver acceleration:** diff --git a/docs/groupid/11.1/groupid/admincenter/workflow/implement.md b/docs/groupid/11.1/groupid/admincenter/workflow/implement.md index e6f209ee16..c09e24e2a1 100644 --- a/docs/groupid/11.1/groupid/admincenter/workflow/implement.md +++ b/docs/groupid/11.1/groupid/admincenter/workflow/implement.md 
@@ -199,7 +199,7 @@ approver acceleration, and link it to a Power Automate flow. update the required information. 6. To link this workflow to a Power Automate flow, click **Power Automate Settings** in the top right corner; the **Power Automate Settings** dialog box is displayed. Follow step - [6](integrate.md) and onwards in the + [6](/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md) and onwards in the [Link an Identity Store Workflow to a Flow](integrate.md#link-an-identity-store-workflow-to-a-flow) topic to complete the task. 7. After making the required changes, click **Update Workflow** on the **Edit Workflow** page to diff --git a/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md b/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md index 08ee5731c5..3c0d888630 100644 --- a/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md +++ b/docs/groupid/11.1/groupid/admincenter/workflow/integrate.md @@ -56,7 +56,7 @@ requests. Power Automate cannot communicate with a server deployed on a machine NOTE: The Directory Manager application in Microsoft Entra Admin Center must have the following permissions for Power Automate: - ![pa_permissions](../../../../../../static/img/product_docs/groupid/groupid/admincenter/workflow/pa_permissions.webp) + ![pa_permissions](/img/product_docs/groupid/groupid/admincenter/workflow/pa_permissions.webp) 7. Click **Save** on the **Advanced Workflow Settings** page. 
@@ -79,12 +79,12 @@ triggered, the linked flow is auto triggered. Entra ID account for managing flows in the Microsoft Power Automate portal. This account must have the following permissions on the Entra tenant: - ![pa_permissions](../../../../../../static/img/product_docs/groupid/groupid/admincenter/workflow/pa_permissions.webp) + ![pa_permissions](/img/product_docs/groupid/groupid/admincenter/workflow/pa_permissions.webp) 7. Click **Create Template**. Directory Manager creates a basic flow in Power Automate with the same name as the workflow, and displays the following message: - ![pa_template_message](../../../../../../static/img/product_docs/groupid/groupid/admincenter/workflow/pa_template_message.webp) + ![pa_template_message](/img/product_docs/groupid/groupid/admincenter/workflow/pa_template_message.webp) 8. The next step is to copy the flow URL from Power Automate and provide it here. To copy the URL, do the following: @@ -94,7 +94,7 @@ triggered, the linked flow is auto triggered. 2. Hover the mouse over the flow to display the ellipsis button. Click it and select **Edit**. 3. Expand the **Connections** area. - ![connections_area](../../../../../../static/img/product_docs/groupid/groupid/admincenter/workflow/connections_area.webp) + ![connections_area](/img/product_docs/groupid/groupid/admincenter/workflow/connections_area.webp) 4. Click **Approvals** in the **Connections** area. The approver of the Directory Manager workflow is auto added here. Click **Save**. diff --git a/docs/groupid/11.1/groupid/admincenter/workflow/overview.md b/docs/groupid/11.1/groupid/admincenter/workflow/overview.md index 52361a4374..1b83f1fa60 100644 --- a/docs/groupid/11.1/groupid/admincenter/workflow/overview.md +++ b/docs/groupid/11.1/groupid/admincenter/workflow/overview.md 
@@ -12,7 +12,7 @@ that workflow. Designated users can approve or deny workflow requests using the portal. NOTE: Workflows require an SMTP server to be configured for the identity store. See the -[Configure an SMTP Server](../identitystore/configure/smtpserver.md) topic. +[Configure an SMTP Server](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/smtpserver.md) topic. ## System Workflows diff --git a/docs/groupid/11.1/groupid/api/contact/contactapis.md b/docs/groupid/11.1/groupid/api/contact/contactapis.md index ee4fa0dc9d..6351eacf03 100644 --- a/docs/groupid/11.1/groupid/api/contact/contactapis.md +++ b/docs/groupid/11.1/groupid/api/contact/contactapis.md @@ -2,11 +2,11 @@ Directory Manager provides the following APIs to perform contact-specific functions: -- [Create a Contact](createcontact.md) -- [Delete a Contact](deletecontact.md) -- [Delete Contacts](deletecontacts.md) -- [Get a Contact](getcontact.md) -- [Get Contacts](getcontacts.md) -- [Update a Contact](updatecontact.md) +- [Create a Contact](/docs/groupid/11.1/groupid/api/contact/createcontact.md) +- [Delete a Contact](/docs/groupid/11.1/groupid/api/contact/deletecontact.md) +- [Delete Contacts](/docs/groupid/11.1/groupid/api/contact/deletecontacts.md) +- [Get a Contact](/docs/groupid/11.1/groupid/api/contact/getcontact.md) +- [Get Contacts](/docs/groupid/11.1/groupid/api/contact/getcontacts.md) +- [Update a Contact](/docs/groupid/11.1/groupid/api/contact/updatecontact.md) NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. diff --git a/docs/groupid/11.1/groupid/api/datasource/createds.md b/docs/groupid/11.1/groupid/api/datasource/createds.md index 1ca8521f6b..ea2be2cfd6 100644 --- a/docs/groupid/11.1/groupid/api/datasource/createds.md +++ b/docs/groupid/11.1/groupid/api/datasource/createds.md 
@@ -4,9 +4,9 @@ Using this API, you can create data sources for the supported providers. The dat primarily used in Synchronize jobs, but you can also use them in queries to search for directory objects and in queries for group membership update. -- [Create a Data Source for a Text/CSV File](dstext.md) -- [Create a Data Source for MS Access](dsaccess.md) -- [Create a Data Source for MS Excel](dsexcel.md) -- [Create a Data Source for ODBC](dsodbc.md) -- [Create a Data Source for Oracle](dsoracle.md) -- [Create a Data Source for SQL Server](dssql.md) +- [Create a Data Source for a Text/CSV File](/docs/groupid/11.1/groupid/api/datasource/dstext.md) +- [Create a Data Source for MS Access](/docs/groupid/11.1/groupid/api/datasource/dsaccess.md) +- [Create a Data Source for MS Excel](/docs/groupid/11.1/groupid/api/datasource/dsexcel.md) +- [Create a Data Source for ODBC](/docs/groupid/11.1/groupid/api/datasource/dsodbc.md) +- [Create a Data Source for Oracle](/docs/groupid/11.1/groupid/api/datasource/dsoracle.md) +- [Create a Data Source for SQL Server](/docs/groupid/11.1/groupid/api/datasource/dssql.md) diff --git a/docs/groupid/11.1/groupid/api/datasource/datasourceapis.md b/docs/groupid/11.1/groupid/api/datasource/datasourceapis.md index f1e0c38fa6..e5e1e2516b 100644 --- a/docs/groupid/11.1/groupid/api/datasource/datasourceapis.md +++ b/docs/groupid/11.1/groupid/api/datasource/datasourceapis.md 
@@ -2,31 +2,31 @@ Directory Manager provides the following APIs to perform functions related to data sources: -- [Create a Data Source](createds.md) +- [Create a Data Source](/docs/groupid/11.1/groupid/api/datasource/createds.md) - - [Create a Data Source for a Text/CSV File](dstext.md) - - [Create a Data Source for MS Access](dsaccess.md) - - [Create a Data Source for MS Excel](dsexcel.md) - - [Create a Data Source for ODBC](dsodbc.md) - - [Create a Data Source for Oracle](dsoracle.md) - - [Create a Data Source for SQL Server](dssql.md) + - [Create a Data Source for a Text/CSV File](/docs/groupid/11.1/groupid/api/datasource/dstext.md) + - [Create a Data Source for MS Access](/docs/groupid/11.1/groupid/api/datasource/dsaccess.md) + - [Create a Data Source for MS Excel](/docs/groupid/11.1/groupid/api/datasource/dsexcel.md) + - [Create a Data Source for ODBC](/docs/groupid/11.1/groupid/api/datasource/dsodbc.md) + - [Create a Data Source for Oracle](/docs/groupid/11.1/groupid/api/datasource/dsoracle.md) + - [Create a Data Source for SQL Server](/docs/groupid/11.1/groupid/api/datasource/dssql.md) -- [Delete a Data Source](deleteds.md) -- [Get a Data Source](getds.md) -- [Get a Data Source by Type and Name](getdstypename.md) -- [Get a Data Source by Type and with ID](getdstypeid.md) -- [Get All Data Sources](getallds.md) -- [Get All Data Sources by Type](getalldstype.md) -- [Get Filenames by Type](getfntype.md) -- [ Get Filtered Data Sources by isSource](getfilterds.md) -- [Get Parameters of a Data Source](getdsparameter.md) -- [Get File Server Metadata by Type ](gefsmdtype.md) -- [ Get Metadata of Data Source by Server Type and ID ](getmdtypest.md) -- [Get Metadata of Data Sources](getmd.md) -- [Get Provider Options of a Data Source](getdspo.md) -- [Parse a Connection String](parsecs.md) -- [Update a Data Source](updateds.md) -- [Validate Data Connectivity of a Data Source](validatedc.md) +- [Delete a Data Source](/docs/groupid/11.1/groupid/api/datasource/deleteds.md) 
+- [Get a Data Source](/docs/groupid/11.1/groupid/api/datasource/getds.md) +- [Get a Data Source by Type and Name](/docs/groupid/11.1/groupid/api/datasource/getdstypename.md) +- [Get a Data Source by Type and with ID](/docs/groupid/11.1/groupid/api/datasource/getdstypeid.md) +- [Get All Data Sources](/docs/groupid/11.1/groupid/api/datasource/getallds.md) +- [Get All Data Sources by Type](/docs/groupid/11.1/groupid/api/datasource/getalldstype.md) +- [Get Filenames by Type](/docs/groupid/11.1/groupid/api/datasource/getfntype.md) +- [ Get Filtered Data Sources by isSource](/docs/groupid/11.1/groupid/api/datasource/getfilterds.md) +- [Get Parameters of a Data Source](/docs/groupid/11.1/groupid/api/datasource/getdsparameter.md) +- [Get File Server Metadata by Type ](/docs/groupid/11.1/groupid/api/datasource/gefsmdtype.md) +- [ Get Metadata of Data Source by Server Type and ID ](/docs/groupid/11.1/groupid/api/datasource/getmdtypest.md) +- [Get Metadata of Data Sources](/docs/groupid/11.1/groupid/api/datasource/getmd.md) +- [Get Provider Options of a Data Source](/docs/groupid/11.1/groupid/api/datasource/getdspo.md) +- [Parse a Connection String](/docs/groupid/11.1/groupid/api/datasource/parsecs.md) +- [Update a Data Source](/docs/groupid/11.1/groupid/api/datasource/updateds.md) +- [Validate Data Connectivity of a Data Source](/docs/groupid/11.1/groupid/api/datasource/validatedc.md) -See the[ Data Sources](../../admincenter/datasource/overview.md) topic for additional information on +See the[ Data Sources](/docs/groupid/11.1/groupid/admincenter/datasource/overview.md) topic for additional information on data sources. diff --git a/docs/groupid/11.1/groupid/api/datasource/dsaccess.md b/docs/groupid/11.1/groupid/api/datasource/dsaccess.md index e606354086..2c557469f4 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dsaccess.md +++ b/docs/groupid/11.1/groupid/api/datasource/dsaccess.md 
@@ -3,8 +3,8 @@ Use this API to create a new data source. See the -[Create a Data Source for MS Access](../../admincenter/datasource/create.md#create-a-data-source-for-ms-access) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic to create an +[Create a Data Source for MS Access](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-ms-access) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic to create an MS Access data source using Directory Manager . ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/datasource/dsexcel.md b/docs/groupid/11.1/groupid/api/datasource/dsexcel.md index 5cd6ec65f7..803ac238b0 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dsexcel.md +++ b/docs/groupid/11.1/groupid/api/datasource/dsexcel.md @@ -3,8 +3,8 @@ Use this API to create a new data source. See the -[Create a Data Source for MS Excel](../../admincenter/datasource/create.md#create-a-data-source-for-ms-excel) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic for additional +[Create a Data Source for MS Excel](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-ms-excel) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic for additional information on creating an Excel data source using Directory Manager. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/datasource/dsodbc.md b/docs/groupid/11.1/groupid/api/datasource/dsodbc.md index 9f2d72c3c4..47a34bff20 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dsodbc.md +++ b/docs/groupid/11.1/groupid/api/datasource/dsodbc.md 
@@ -3,8 +3,8 @@ Use this APi to create a new data source. See the -[Create a Data Source for ODBC](../../admincenter/datasource/create.md#create-a-data-source-for-odbc) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic to create an +[Create a Data Source for ODBC](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-odbc) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic to create an ODBC data source using Directory Manager. ## Endpoint @@ -44,7 +44,7 @@ an ODBC-compatible provider. #### Sample Request Syntax -[Copy]() +[Copy](javascript:void(0);) ``` { diff --git a/docs/groupid/11.1/groupid/api/datasource/dsoracle.md b/docs/groupid/11.1/groupid/api/datasource/dsoracle.md index 9b1b9f5de6..a792be1c91 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dsoracle.md +++ b/docs/groupid/11.1/groupid/api/datasource/dsoracle.md @@ -3,8 +3,8 @@ Use this API to create a new data source. See the -[Create a Data Source for Oracle](../../admincenter/datasource/create.md#create-a-data-source-for-oracle) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic to create an +[Create a Data Source for Oracle](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-oracle) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic to create an MS Access data source using Directory Manager. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/datasource/dssql.md b/docs/groupid/11.1/groupid/api/datasource/dssql.md index a11974ac74..3139a7b9e4 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dssql.md +++ b/docs/groupid/11.1/groupid/api/datasource/dssql.md 
@@ -3,8 +3,8 @@ Use this API to create a new data source. See the -[Create a Data Source for SQL Server](../../admincenter/datasource/create.md#create-a-data-source-for-sql-server) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic for creating an +[Create a Data Source for SQL Server](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-sql-server) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic for creating an SQL data source using Directory Manager. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/datasource/dstext.md b/docs/groupid/11.1/groupid/api/datasource/dstext.md index 027837119e..b104dad019 100644 --- a/docs/groupid/11.1/groupid/api/datasource/dstext.md +++ b/docs/groupid/11.1/groupid/api/datasource/dstext.md @@ -3,8 +3,8 @@ Use this API to create a new data source. See the -[Create a Data Source for a Text/CSV File](../../admincenter/datasource/create.md#create-a-data-source-for-a-textcsv-file) -section of the [Create a Data Source](../../admincenter/datasource/create.md) topic to create a +[Create a Data Source for a Text/CSV File](/docs/groupid/11.1/groupid/admincenter/datasource/create.md#create-a-data-source-for-a-textcsv-file) +section of the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic to create a Text/CSV data source using Directory Manager. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/datasource/getmd.md b/docs/groupid/11.1/groupid/api/datasource/getmd.md index 927a2f57cb..8c07985d6f 100644 --- a/docs/groupid/11.1/groupid/api/datasource/getmd.md +++ b/docs/groupid/11.1/groupid/api/datasource/getmd.md 
@@ -3,7 +3,7 @@ Using this API, you can get metadata information of data sources defined so far in Directory Manager. -See the [Create a Data Source](../../admincenter/datasource/create.md) topic for creating a data +See the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic for creating a data source using Directory Manager. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/group/groupapis.md b/docs/groupid/11.1/groupid/api/group/groupapis.md index e454634212..ac48b343d3 100644 --- a/docs/groupid/11.1/groupid/api/group/groupapis.md +++ b/docs/groupid/11.1/groupid/api/group/groupapis.md 
@@ -2,24 +2,24 @@ Directory Manager provides the following APIs for performing group-specific functions: -- [Create a Static Group](createstaticgroup.md) -- [Create an Entra ID Static Group](createstaticgroupentraid.md) -- [Create a Smart Group](createsmartgroup.md) -- [Create an Entra ID Smart Group](createsmartgroupentraid.md) -- [Delete a Group](deletegroup.md) -- [Delete Groups](deletegroups.md) -- [Expire a Group](expiregroup.md) -- [Expire Groups](expiregroups.md) -- [Get a Group](getgroup.md) -- [Get Groups](getgroups.md) -- [Join a Group](joingroup.md) -- [Join a Group on behalf of another user](joingrouponbehalf.md) -- [Leave a Group](leavegroup.md) -- [Leave a Group on behalf of another user](leavegrouponbehalf.md) -- [Get Preview of a Smart Group Membership](previewmembership.md) -- [Renew a Group](renewgroup.md) -- [Renew Groups](renewgroups.md) -- [Update a Group](updategroup.md) -- [Update Groups](updategroups.md) -- [Update a Smart Group](updatesmartgroup.md) -- [Update Smart Groups](updatesmartgroups.md) +- [Create a Static Group](/docs/groupid/11.1/groupid/api/group/createstaticgroup.md) +- [Create an Entra ID Static Group](/docs/groupid/11.1/groupid/api/group/createstaticgroupentraid.md) +- [Create a Smart Group](/docs/groupid/11.1/groupid/api/group/createsmartgroup.md) +- [Create an Entra ID Smart Group](/docs/groupid/11.1/groupid/api/group/createsmartgroupentraid.md) +- [Delete a Group](/docs/groupid/11.1/groupid/api/group/deletegroup.md) +- [Delete Groups](/docs/groupid/11.1/groupid/api/group/deletegroups.md) +- [Expire a Group](/docs/groupid/11.1/groupid/api/group/expiregroup.md) +- [Expire Groups](/docs/groupid/11.1/groupid/api/group/expiregroups.md) +- [Get a Group](/docs/groupid/11.1/groupid/api/group/getgroup.md) +- [Get Groups](/docs/groupid/11.1/groupid/api/group/getgroups.md) +- [Join a Group](/docs/groupid/11.1/groupid/api/group/joingroup.md) +- [Join a Group on behalf of another 
user](/docs/groupid/11.1/groupid/api/group/joingrouponbehalf.md) +- [Leave a Group](/docs/groupid/11.1/groupid/api/group/leavegroup.md) +- [Leave a Group on behalf of another user](/docs/groupid/11.1/groupid/api/group/leavegrouponbehalf.md) +- [Get Preview of a Smart Group Membership](/docs/groupid/11.1/groupid/api/group/previewmembership.md) +- [Renew a Group](/docs/groupid/11.1/groupid/api/group/renewgroup.md) +- [Renew Groups](/docs/groupid/11.1/groupid/api/group/renewgroups.md) +- [Update a Group](/docs/groupid/11.1/groupid/api/group/updategroup.md) +- [Update Groups](/docs/groupid/11.1/groupid/api/group/updategroups.md) +- [Update a Smart Group](/docs/groupid/11.1/groupid/api/group/updatesmartgroup.md) +- [Update Smart Groups](/docs/groupid/11.1/groupid/api/group/updatesmartgroups.md) diff --git a/docs/groupid/11.1/groupid/api/logs/admincenter.md b/docs/groupid/11.1/groupid/api/logs/admincenter.md index 88943c80e4..342ab40cec 100644 --- a/docs/groupid/11.1/groupid/api/logs/admincenter.md +++ b/docs/groupid/11.1/groupid/api/logs/admincenter.md @@ -1,6 +1,6 @@ # Admin Center Logs -Use this API to get Admin Center logs. See the [Get Logs](../../admincenter/general/logs.md) topic +Use this API to get Admin Center logs. See the [Get Logs](/docs/groupid/11.1/groupid/admincenter/general/logs.md) topic for additional information. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/logs/dataservice.md b/docs/groupid/11.1/groupid/api/logs/dataservice.md index 70715c3918..568fceccfc 100644 --- a/docs/groupid/11.1/groupid/api/logs/dataservice.md +++ b/docs/groupid/11.1/groupid/api/logs/dataservice.md @@ -1,7 +1,7 @@ # Data Service Logs Use this API to get Directory Manager Data service log. See the -[Data Service](../../admincenter/service/dataservice/overview.md) for additional information on Data +[Data Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/overview.md) for additional information on Data service. ## Endpoint 
diff --git a/docs/groupid/11.1/groupid/api/logs/emailservice.md b/docs/groupid/11.1/groupid/api/logs/emailservice.md index 075c6c6ced..252c98f20e 100644 --- a/docs/groupid/11.1/groupid/api/logs/emailservice.md +++ b/docs/groupid/11.1/groupid/api/logs/emailservice.md @@ -1,7 +1,7 @@ # Email Service Logs Use this API to get Email service logs. See the -[Email Service](../../admincenter/service/emailservice.md) topic for additional on Email service. +[Email Service](/docs/groupid/11.1/groupid/admincenter/service/emailservice.md) topic for additional on Email service. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/logs/logsapis.md b/docs/groupid/11.1/groupid/api/logs/logsapis.md index 4b38e7522c..394e933123 100644 --- a/docs/groupid/11.1/groupid/api/logs/logsapis.md +++ b/docs/groupid/11.1/groupid/api/logs/logsapis.md 
@@ -3,12 +3,12 @@ Directory Manager generates logs for its services, clients, and Windows events. Using the following APIs, you can collect and dump your required logs to a desired location. -See the [Get Logs](../../admincenter/general/logs.md) topic for additional information on logs. +See the [Get Logs](/docs/groupid/11.1/groupid/admincenter/general/logs.md) topic for additional information on logs. -- [Admin Center Logs](admincenter.md) -- [Data Service Logs](dataservice.md) -- [Email Service Logs](emailservice.md) -- [Portal Logs](portal.md) -- [Replication Service Logs](replicationservice.md) -- [Scheduler Service Logs](schedulerservice.md) -- [Security Service Logs](securityservice.md) +- [Admin Center Logs](/docs/groupid/11.1/groupid/api/logs/admincenter.md) +- [Data Service Logs](/docs/groupid/11.1/groupid/api/logs/dataservice.md) +- [Email Service Logs](/docs/groupid/11.1/groupid/api/logs/emailservice.md) +- [Portal Logs](/docs/groupid/11.1/groupid/api/logs/portal.md) +- [Replication Service Logs](/docs/groupid/11.1/groupid/api/logs/replicationservice.md) +- [Scheduler Service Logs](/docs/groupid/11.1/groupid/api/logs/schedulerservice.md) +- [Security Service Logs](/docs/groupid/11.1/groupid/api/logs/securityservice.md) diff --git a/docs/groupid/11.1/groupid/api/logs/portal.md b/docs/groupid/11.1/groupid/api/logs/portal.md index fe9087b867..3eb7732726 100644 --- a/docs/groupid/11.1/groupid/api/logs/portal.md +++ b/docs/groupid/11.1/groupid/api/logs/portal.md @@ -1,7 +1,7 @@ # Portal Logs Use this API to get Directory Manager portal logs. See the -[History](../../portal/history/overview.md) topic for additional information on Portal history. +[History](/docs/groupid/11.1/groupid/portal/history/overview.md) topic for additional information on Portal history. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/logs/replicationservice.md b/docs/groupid/11.1/groupid/api/logs/replicationservice.md index 4e8ed0a8d4..f6dd566265 100644 
--- a/docs/groupid/11.1/groupid/api/logs/replicationservice.md +++ b/docs/groupid/11.1/groupid/api/logs/replicationservice.md @@ -1,7 +1,7 @@ # Replication Service Logs Use this API to get Replication Service logs. See the -[Replication Service](../../admincenter/service/replicationservice.md) topic for additional +[Replication Service](/docs/groupid/11.1/groupid/admincenter/service/replicationservice.md) topic for additional information on Replication service. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/logs/schedulerservice.md b/docs/groupid/11.1/groupid/api/logs/schedulerservice.md index a6e2dcc7b4..2c858dfec1 100644 --- a/docs/groupid/11.1/groupid/api/logs/schedulerservice.md +++ b/docs/groupid/11.1/groupid/api/logs/schedulerservice.md @@ -1,7 +1,7 @@ # Scheduler Service Logs Using this API you can get Scheduler Service logs. See the -[Scheduler Service](../../admincenter/service/schedulerservice.md)topic for additional information +[Scheduler Service](/docs/groupid/11.1/groupid/admincenter/service/schedulerservice.md)topic for additional information on Scheduler service. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/logs/securityservice.md b/docs/groupid/11.1/groupid/api/logs/securityservice.md index b8521f5cfb..04026b2a63 100644 --- a/docs/groupid/11.1/groupid/api/logs/securityservice.md +++ b/docs/groupid/11.1/groupid/api/logs/securityservice.md @@ -1,7 +1,7 @@ # Security Service Logs This API fetches Directory Manager Security service logs. See the -[Security Service](../../admincenter/service/securityservice/overview.md) topic for additional +[Security Service](/docs/groupid/11.1/groupid/admincenter/service/securityservice/overview.md) topic for additional information on Security service. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/search/searchapis.md b/docs/groupid/11.1/groupid/api/search/searchapis.md index c282544a29..986dd9f67a 100644 --- a/docs/groupid/11.1/groupid/api/search/searchapis.md 
+++ b/docs/groupid/11.1/groupid/api/search/searchapis.md @@ -3,5 +3,5 @@ Directory Manager provides the following APIs to search directory objects based on a single or a multi-valued attribute.: -- [Search an Object By a Single Value Attribute](byattribute.md) -- [Search Group Members](groupmembers.md) +- [Search an Object By a Single Value Attribute](/docs/groupid/11.1/groupid/api/search/byattribute.md) +- [Search Group Members](/docs/groupid/11.1/groupid/api/search/groupmembers.md) diff --git a/docs/groupid/11.1/groupid/api/syncjobs/createjob.md b/docs/groupid/11.1/groupid/api/syncjobs/createjob.md index 028dc09222..69f6c111df 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/createjob.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/createjob.md @@ -3,7 +3,7 @@ Use this API to create a new Synchronize job which is a set of sequential commands that run in the background to move data from one data source to another data source. -See the [Create a Job](../../portal/synchronize/job/create.md) topic for more information about +See the [Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md) topic for more information about creating a job. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md b/docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md index 1eab94c119..b80170e0eb 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md @@ -3,7 +3,7 @@ Using this API you can create a new job collection which is a group of individual jobs that run in a particular order. -See the [Create a Job Collection ](../../portal/synchronize/collection/create.md)topic for +See the [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)topic for additional information on the Job collection. ## Endpoint 
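Review bot: The rewritten line in docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md still runs the link straight into the next word, `...collection/create.md)topic for`, and keeps a trailing space inside the link text, `[Create a Job Collection ]`. Since the line is being replaced anyway, tidy both in the same change so it reads `[Create a Job Collection](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md) topic for`.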
diff --git a/docs/groupid/11.1/groupid/api/syncjobs/deletejob.md b/docs/groupid/11.1/groupid/api/syncjobs/deletejob.md index dd292c29e9..c62f89fc11 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/deletejob.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/deletejob.md @@ -3,8 +3,8 @@ After creating job, you can modify a job or even delete a job if it is no more required. Use this API to delete job(s) specified in the end point URL. -See the [Deleting a Job](../../portal/synchronize/manage/job.md#deleting-a-job) section of the -[Manage a Job](../../portal/synchronize/manage/job.md) topic for additional information. +See the [Deleting a Job](/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md#deleting-a-job) section of the +[Manage a Job](/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md) topic for additional information. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/syncjobs/deletejobcollections.md b/docs/groupid/11.1/groupid/api/syncjobs/deletejobcollections.md index 6470f94ad1..976b36410e 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/deletejobcollections.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/deletejobcollections.md @@ -3,8 +3,8 @@ Use this API to delete job collections specified in the end point URL. See the -[Delete a Job Collection](../../portal/synchronize/manage/jobcollection.md#delete-a-job-collection) -section of the [Manage a Job Collection ](../../portal/synchronize/manage/jobcollection.md) topic +[Delete a Job Collection](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md#delete-a-job-collection) +section of the [Manage a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md) topic for additional information on job collection. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/syncjobs/getcollectionsdetails.md b/docs/groupid/11.1/groupid/api/syncjobs/getcollectionsdetails.md index 274fe96aac..2345f3f6f7 100644 
--- a/docs/groupid/11.1/groupid/api/syncjobs/getcollectionsdetails.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/getcollectionsdetails.md @@ -3,7 +3,7 @@ Use this API to retrieve information about jobs within a job collection based on the criteria provided in the request syntax. -See the [Create a Job Collection ](../../portal/synchronize/collection/create.md)topic for +See the [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)topic for additional information on Job Collections. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/syncjobs/getjcdetailsbyjcid.md b/docs/groupid/11.1/groupid/api/syncjobs/getjcdetailsbyjcid.md index 64d6c5b266..1526a14ea8 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/getjcdetailsbyjcid.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/getjcdetailsbyjcid.md @@ -3,7 +3,7 @@ Using this API you can retrieve information about a job collection ID of which is given in the endpoint URL. -See the [Create a Job Collection ](../../portal/synchronize/collection/create.md)topic for +See the [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)topic for additional information. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/syncjobs/getjobcollections.md b/docs/groupid/11.1/groupid/api/syncjobs/getjobcollections.md index 0b9dc4cc17..8d99ead3cb 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/getjobcollections.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/getjobcollections.md @@ -3,7 +3,7 @@ Use this API to retrieve information of job collection(s) based on filters provided in the request syntax. -See the [Create a Job Collection ](../../portal/synchronize/collection/create.md)topic for +See the [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)topic for additional information on job collections. ## Endpoint 
diff --git a/docs/groupid/11.1/groupid/api/syncjobs/jobsapis.md b/docs/groupid/11.1/groupid/api/syncjobs/jobsapis.md index ee10c799d9..c044c2ea3d 100644 --- a/docs/groupid/11.1/groupid/api/syncjobs/jobsapis.md +++ b/docs/groupid/11.1/groupid/api/syncjobs/jobsapis.md @@ -4,14 +4,14 @@ Directory Manager Synchronize is used for transferring data from one data source data sources may include directory servers, databases or files. The following APIs can be used for performing Synchronize jobs-specific functions: -- [Create a New Job](createjob.md) -- [Create a New Job Collection](createnewjobcollection.md) -- [Delete Jobs](deletejob.md) -- [Delete Job Collections](deletejobcollections.md) -- [Get Job Collections Details](getcollectionsdetails.md) -- [Get Job Collection Details By Job Collection ID](getjcdetailsbyjcid.md) -- [Get Jobs](getjobs.md) -- [Get Job Collections](getjobcollections.md) -- [Get a Job Details](getjobsdetails.md) -- [Get Jobs Names ](getjobsname.md) -- [Update a Job Collection](updatjobcollection.md) +- [Create a New Job](/docs/groupid/11.1/groupid/api/syncjobs/createjob.md) +- [Create a New Job Collection](/docs/groupid/11.1/groupid/api/syncjobs/createnewjobcollection.md) +- [Delete Jobs](/docs/groupid/11.1/groupid/api/syncjobs/deletejob.md) +- [Delete Job Collections](/docs/groupid/11.1/groupid/api/syncjobs/deletejobcollections.md) +- [Get Job Collections Details](/docs/groupid/11.1/groupid/api/syncjobs/getcollectionsdetails.md) +- [Get Job Collection Details By Job Collection ID](/docs/groupid/11.1/groupid/api/syncjobs/getjcdetailsbyjcid.md) +- [Get Jobs](/docs/groupid/11.1/groupid/api/syncjobs/getjobs.md) +- [Get Job Collections](/docs/groupid/11.1/groupid/api/syncjobs/getjobcollections.md) +- [Get a Job Details](/docs/groupid/11.1/groupid/api/syncjobs/getjobsdetails.md) +- [Get Jobs Names ](/docs/groupid/11.1/groupid/api/syncjobs/getjobsname.md) +- [Update a Job Collection](/docs/groupid/11.1/groupid/api/syncjobs/updatjobcollection.md) 
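Review bot: The last added line of the jobsapis.md hunk links to `/docs/groupid/11.1/groupid/api/syncjobs/updatjobcollection.md`, spelled without the "e" in "update". The removed line used the same spelling (`updatjobcollection.md`), so the path is carried over rather than introduced here, but this change makes every target absolute, so run a link check to confirm the path resolves. The same hunk also keeps a trailing space inside the link text `[Get Jobs Names ]`, which can be dropped while the line is being touched.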
diff --git a/docs/groupid/11.1/groupid/api/user/userapis.md b/docs/groupid/11.1/groupid/api/user/userapis.md index 77d020471b..e8488e4051 100644 --- a/docs/groupid/11.1/groupid/api/user/userapis.md +++ b/docs/groupid/11.1/groupid/api/user/userapis.md 
@@ -2,19 +2,19 @@ Directory Manager provides the following APIs to perform user-specific functions: -- [Create a User](createuser.md) -- [Create an Entra ID User](createuserentraid.md) -- [Delete a User](deleteuser.md) -- [Delete Users](deleteusers.md) -- [Get All Groups](getallgroups.md) -- [Get My Dynasties](getmydynasties.md) -- [Get My Expired Groups](getmyexpiredgroups.md) -- [Get My Expiring Groups](getmyexpiringgroups.md) -- [Get My Expiring Groups Count](getmyexpiringgroupscount.md) -- [Get My Groups](getmygroups.md) -- [Get My Groups Count](getmygroupscount.md) -- [Get My Membership](getmymemberships.md) -- [Get My Membership Count](getmymemebershipcount.md) -- [Get My Smart Groups](getmysmartgroups.md) -- [Get a User](getuser.md) -- [Get Users](getusers.md) +- [Create a User](/docs/groupid/11.1/groupid/api/user/createuser.md) +- [Create an Entra ID User](/docs/groupid/11.1/groupid/api/user/createuserentraid.md) +- [Delete a User](/docs/groupid/11.1/groupid/api/user/deleteuser.md) +- [Delete Users](/docs/groupid/11.1/groupid/api/user/deleteusers.md) +- [Get All Groups](/docs/groupid/11.1/groupid/api/user/getallgroups.md) +- [Get My Dynasties](/docs/groupid/11.1/groupid/api/user/getmydynasties.md) +- [Get My Expired Groups](/docs/groupid/11.1/groupid/api/user/getmyexpiredgroups.md) +- [Get My Expiring Groups](/docs/groupid/11.1/groupid/api/user/getmyexpiringgroups.md) +- [Get My Expiring Groups Count](/docs/groupid/11.1/groupid/api/user/getmyexpiringgroupscount.md) +- [Get My Groups](/docs/groupid/11.1/groupid/api/user/getmygroups.md) +- [Get My Groups Count](/docs/groupid/11.1/groupid/api/user/getmygroupscount.md) +- [Get My Membership](/docs/groupid/11.1/groupid/api/user/getmymemberships.md) +- [Get My Membership Count](/docs/groupid/11.1/groupid/api/user/getmymemebershipcount.md) +- [Get My Smart Groups](/docs/groupid/11.1/groupid/api/user/getmysmartgroups.md) +- [Get a User](/docs/groupid/11.1/groupid/api/user/getuser.md) +- [Get 
Users](/docs/groupid/11.1/groupid/api/user/getusers.md) diff --git a/docs/groupid/11.1/groupid/api/workflow/createroute.md b/docs/groupid/11.1/groupid/api/workflow/createroute.md index d8a5cc714f..907beae662 100644 --- a/docs/groupid/11.1/groupid/api/workflow/createroute.md +++ b/docs/groupid/11.1/groupid/api/workflow/createroute.md @@ -14,8 +14,8 @@ following: field criterion is met. - Approver – The object to send the workflow request for approval. -See the [Create a New Workflow](../../admincenter/workflow/implement.md#create-a-new-workflow) -section of the [Implement Workflows](../../admincenter/workflow/implement.md) topic for additional +See the [Create a New Workflow](/docs/groupid/11.1/groupid/admincenter/workflow/implement.md#create-a-new-workflow) +section of the [Implement Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/implement.md) topic for additional information. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/workflow/getdefroute.md b/docs/groupid/11.1/groupid/api/workflow/getdefroute.md index bfd61bebf3..8adff943e7 100644 --- a/docs/groupid/11.1/groupid/api/workflow/getdefroute.md +++ b/docs/groupid/11.1/groupid/api/workflow/getdefroute.md @@ -3,8 +3,8 @@ Use this API to retrieve information about Directory Manager default workflows. These workflows are predefine in Directory Manager that trigger when their associated events occur. -See the [System Workflows](../../admincenter/workflow/overview.md#system-workflows) section of the -[Workflows](../../admincenter/workflow/overview.md) topic for additional information. +See the [System Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md#system-workflows) section of the +[Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md) topic for additional information. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/workflow/getpendingreq.md b/docs/groupid/11.1/groupid/api/workflow/getpendingreq.md index b3a12f4415..fd1d938737 100644 
--- a/docs/groupid/11.1/groupid/api/workflow/getpendingreq.md +++ b/docs/groupid/11.1/groupid/api/workflow/getpendingreq.md @@ -2,8 +2,8 @@ Use this API to retrieve information about all those requests with pending status provided you have the required permissions to manage all requests. See the -[Miscellaneous](../../admincenter/securityrole/permissions.md#miscellaneous) section of the -[Security Role – Permissions](../../admincenter/securityrole/permissions.md) topic. +[Miscellaneous](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md#miscellaneous) section of the +[Security Role – Permissions](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md) topic. ## Endpoint diff --git a/docs/groupid/11.1/groupid/api/workflow/workflowapis.md b/docs/groupid/11.1/groupid/api/workflow/workflowapis.md index 42e875d9db..85cc33e45b 100644 --- a/docs/groupid/11.1/groupid/api/workflow/workflowapis.md +++ b/docs/groupid/11.1/groupid/api/workflow/workflowapis.md 
@@ -3,20 +3,20 @@ Directory Manager provides the following APIs to perform functions related to Directory Manager workflows: -- [All Workflow Routes](allwfroutes.md) -- [Approve a Request](approvereq.md) -- [Configure Power Automate](configurepowerautomate.md) -- [Create a Route](createroute.md) -- [Delete a Route](deleteroute.md) -- [Delete a Workflow Request](deletewfreq.md) -- [Delete Request Status](deletereqstatus.md) -- [Deny a Request](denyreq.md) -- [Get a Workflow Route](getwfroute.md) -- [Get Approvers](getapprovers.md) -- [Get Default Routes](getdefroute.md) -- [Get My Requests](getmyreq.md) -- [Get Pending Requests](getpendingreq.md) -- [Get Power Automate Settings](getpowerautomatesettings.md) -- [Get Workflow Requests](getwfreq.md) -- [Update a Route](updateroute.md) -- [Update Power Automate Settings](updatepowerautomatesettings.md) +- [All Workflow Routes](/docs/groupid/11.1/groupid/api/workflow/allwfroutes.md) +- [Approve a Request](/docs/groupid/11.1/groupid/api/workflow/approvereq.md) +- [Configure Power Automate](/docs/groupid/11.1/groupid/api/workflow/configurepowerautomate.md) +- [Create a Route](/docs/groupid/11.1/groupid/api/workflow/createroute.md) +- [Delete a Route](/docs/groupid/11.1/groupid/api/workflow/deleteroute.md) +- [Delete a Workflow Request](/docs/groupid/11.1/groupid/api/workflow/deletewfreq.md) +- [Delete Request Status](/docs/groupid/11.1/groupid/api/workflow/deletereqstatus.md) +- [Deny a Request](/docs/groupid/11.1/groupid/api/workflow/denyreq.md) +- [Get a Workflow Route](/docs/groupid/11.1/groupid/api/workflow/getwfroute.md) +- [Get Approvers](/docs/groupid/11.1/groupid/api/workflow/getapprovers.md) +- [Get Default Routes](/docs/groupid/11.1/groupid/api/workflow/getdefroute.md) +- [Get My Requests](/docs/groupid/11.1/groupid/api/workflow/getmyreq.md) +- [Get Pending Requests](/docs/groupid/11.1/groupid/api/workflow/getpendingreq.md) +- [Get Power Automate 
Settings](/docs/groupid/11.1/groupid/api/workflow/getpowerautomatesettings.md) +- [Get Workflow Requests](/docs/groupid/11.1/groupid/api/workflow/getwfreq.md) +- [Update a Route](/docs/groupid/11.1/groupid/api/workflow/updateroute.md) +- [Update Power Automate Settings](/docs/groupid/11.1/groupid/api/workflow/updatepowerautomatesettings.md) diff --git a/docs/groupid/11.1/groupid/authenticate/asidentityprovider/overview.md b/docs/groupid/11.1/groupid/authenticate/asidentityprovider/overview.md index aa9257d6df..e3aefa8b88 100644 --- a/docs/groupid/11.1/groupid/authenticate/asidentityprovider/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asidentityprovider/overview.md @@ -6,11 +6,11 @@ through Directory Manager. To use Directory Manager as an identity provider, you have to: register an application (service provider) in Directory Manager. See the -[Register an Application (Service Provider) in Directory Manager](register.md) topic for additional +[Register an Application (Service Provider) in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asidentityprovider/register.md) topic for additional information. You can also specify default values for the issuer URL and signing certificate, that are used to configure Directory Manager in the service provider. See the -[Specify Default Metadata Values](metadata.md) topic for additional information. +[Specify Default Metadata Values](/docs/groupid/11.1/groupid/authenticate/asidentityprovider/metadata.md) topic for additional information. -To sign in using Directory Manager, see the [Sign In Using Directory Manager](signin.md) topic. +To sign in using Directory Manager, see the [Sign In Using Directory Manager](/docs/groupid/11.1/groupid/authenticate/asidentityprovider/signin.md) topic. 
diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md index a21a20da9d..be6b18b141 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md @@ -118,7 +118,7 @@ To verify that you have selected the correct binding type, do the following: Step 4 – In AD FS, we configured an Active Directory attribute that the identity provider will use for authenticating users (see step 16 in the -[Configure Relaying Party Trust in AD FS](configurerelayingpartytrust.md) topic). In our example, we +[Configure Relaying Party Trust in AD FS](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md) topic). In our example, we used the UPN attribute that stores the user principal name. Now in the Advanced section, we have to refer to this attribute. In the Identity Location list, select the _Identity is an attribute element_ option. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md index 8f8451f446..537c20396b 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md 
@@ -76,4 +76,4 @@ Step 19 – Click the **Delegation Authorization Rules** tab. We do not need to **Apply** and then **OK**. The AD FS console is displayed with the new relying party trust added. The next step is to configure the AD FS provider in Directory Manager. See the -[Configure the AD FS Provider In Directory Manager](configureadfsingroupid.md) topic. +[Configure the AD FS Provider In Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md) topic. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md index 59c6c1b0e4..129877816e 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md @@ -18,8 +18,8 @@ available as separate clients. Follow the steps to generate the consumer URL for a Directory Managerclient. Step 1 – In Authenticate, click the **Generate URL's** tab. The Generate URL's page is displayed. -See the [Launch Authenticate](../../overview.md#launch-authenticate) section of the -[Authenticate](../../overview.md) topic for additional information. +See the [Launch Authenticate](/docs/groupid/11.1/groupid/authenticate/overview.md#launch-authenticate) section of the +[Authenticate](/docs/groupid/11.1/groupid/authenticate/overview.md) topic for additional information. Step 2 – In the Select Client to Generate Consumer URL drop-down list, select a Directory Manager client to set up AD FS with it. Let’s suppose you select the Directory Manager portal named 
@@ -37,8 +37,8 @@ Manager client configured with AD FS, and update it in AD FS. Follow the steps to generate Entity ID/Audience URL. Step 1 – In Authenticate, click the **SAML Providers** tab. The SAML Providers page is displayed. -See the [Launch Authenticate](../../overview.md#launch-authenticate) section of the -[Authenticate](../../overview.md) topic for additional information. +See the [Launch Authenticate](/docs/groupid/11.1/groupid/authenticate/overview.md#launch-authenticate) section of the +[Authenticate](/docs/groupid/11.1/groupid/authenticate/overview.md) topic for additional information. Step 2 – Click **New Provider**. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/overview.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/overview.md index 372d9c9837..4cd71042f5 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/overview.md @@ -22,7 +22,7 @@ server. - Configure the types of claims that are supported by AD FS. To learn more about the AD FS console, see the -[AD FS Console]() +[AD FS Console](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/gg557729(v=ws.10)?redirectedfrom=MSDN) Microsoft article. ## Configuration Steps 
@@ -30,12 +30,12 @@ Microsoft article. Follow these steps to set up AD FS as an SSO solution for Directory Manager: - Generate the consumer URL and audience URL for the Directory Manager client with which you want to - configure AD FS. See the [Generate URLs](generateurls.md) topic for additional information. + configure AD FS. See the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md) topic for additional information. - Configure relaying party trust in AD FS. As part of the process, provide the consumer URL and audience URL in AD FS. You must also specify the claim rules for authentication. See the - [Configure Relaying Party Trust in AD FS](configurerelayingpartytrust.md) topic for additional + [Configure Relaying Party Trust in AD FS](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configurerelayingpartytrust.md) topic for additional information. -- [Configure the AD FS Provider In Directory Manager](configureadfsingroupid.md) +- [Configure the AD FS Provider In Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md) -That done, you can sign into Directory Manager using AD FS. See the [Sign In Using AD FS](signin.md) +That done, you can sign into Directory Manager using AD FS. See the [Sign In Using AD FS](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/signin.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md index c5b22f7c78..1c4782c892 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md 
@@ -62,7 +62,7 @@ Manager. Step 14 – On the Basic SAML Configuration card, click **Edit**. Step 15 – On the Basic SAML Configuration pane, provide the Entity ID and Consumer URL that you -copied earlier. See the [Generate URLs](generateurls.md) topic. +copied earlier. See the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md) topic. After adding the information, click **Save**. Step 16 – Back on the SAML-based sign-on page, the Attributes & Claims card displays the attributes diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md index 76b9891038..05b7af6f67 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md @@ -1,4 +1,4 @@ # Generate URLs -To generate the consumer URL and audience URL, see the [Generate URLs](../adfs/generateurls.md) +To generate the consumer URL and audience URL, see the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md) topic. Replace references to AD FS with Microsoft Entra ID SSO. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/overview.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/overview.md index 3a352812b3..d0415016b0 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/overview.md 
@@ -8,10 +8,10 @@ Here are the steps to configure single sign-on in Directory Manager using Micros provider: - Generate the consumer URL and audience URL for the Directory Manager client with which you want to - configure Microsoft Entra ID SSO. See the[Generate URLs](generateurls.md) topic for additional + configure Microsoft Entra ID SSO. See the[Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/generateurls.md) topic for additional information. -- [Configure Directory Manager in Microsoft Entra ID for SSO](configureinentra.md) -- [Configure the Microsoft Entra SSO Application in Directory Manager](configureprovideringroupid.md) +- [Configure Directory Manager in Microsoft Entra ID for SSO](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md) +- [Configure the Microsoft Entra SSO Application in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureprovideringroupid.md) That done, you can sign into Directory Manager using Microsoft Entra ID SSO. See the -[Sign In Using Microsoft Entra ID SSO](signin.md) topic for additional information. +[Sign In Using Microsoft Entra ID SSO](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/signin.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureinokta.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureinokta.md index 686df551ba..1eed526ae3 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureinokta.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureinokta.md 
@@ -26,7 +26,7 @@ To configure Directory Manager in Okta, follow these steps: 10. On the **Configure SAML** tab of the **Create SAML Integration** page, provide the consumer URL and audience URL that you generated for the Directory Manager client In the **Single sign on URL** and **Audience URI (SP Entity ID)** boxes respectively. See the - [Generate URLs](generateurls.md) topic. + [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md) topic. 11. We will not specify any default relay state, so leave the **Default Relay State** field blank. 12. Leave the **Name ID format** field selected to _Unspecified_. 13. In the **Application username** list, make sure _Okta username_ is selected. This implies that @@ -65,7 +65,7 @@ Okta provider in Directory Manager. ### Configure Users in Okta You must define users in Okta. Only these users can authenticate on the Directory Manager portal -_Wizard_ using Okta. See the [Sign In Using Okta](signin.md) topic. +_Wizard_ using Okta. See the [Sign In Using Okta](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/signin.md) topic. There are multiple ways to define users in Okta, such as: diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureoktaingroupid.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureoktaingroupid.md index 26537be105..b9d22f8ec7 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureoktaingroupid.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureoktaingroupid.md 
@@ -20,12 +20,12 @@ file to configure all settings for this identity provider. 7. When Okta is configured with a Directory Manager client, it will be available on the login page of that client (the Wizard portal in our example) for single sign-on. You can choose to display the Okta authentication option as an image or a button. See the - [Upload an Image for the Identity Provider](../adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) + [Upload an Image for the Identity Provider](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) topic for details, replacing references to AD FS with Okta. 8. Expand the **Advanced** section on the **Create New Provider** page. View the settings and leave them to defaults. 9. For _Disable GroupID Authentication_, see step 2 in the - [Specify Advanced Configurations](../adfs/configureadfsingroupid.md#specify-advanced-configurations) + [Specify Advanced Configurations](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#specify-advanced-configurations) topic. Replace references to AD FS with the Okta provider. 10. Click the **Create Provider** button. The identity provider is created and displayed on the **SAML Providers** page. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md index baca40cbe1..54d38dd5df 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md 
@@ -1,4 +1,4 @@ # Generate URLs -To generate the consumer URL and audience URL, see the [Generate URLs](../adfs/generateurls.md) +To generate the consumer URL and audience URL, see the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md) topic. Replace references to AD FS with Okta. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/overview.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/overview.md index 160eb5d332..73e70e1271 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/overview.md @@ -6,9 +6,9 @@ cloud, on-premises or on a mobile device for the employees in an organization. Here are the steps to configure single sign-on in Directory Manager using Okta as a provider: - Generate the consumer URL and audience URL for the Directory Manager client with which you want to - configure Okta. See the [Generate URLs](generateurls.md) topic for additional information. -- [Configure Directory Manager In Okta](configureinokta.md) -- [Configure the Okta Provider In Directory Manager](configureoktaingroupid.md) + configure Okta. See the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/generateurls.md) topic for additional information. +- [Configure Directory Manager In Okta](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureinokta.md) +- [Configure the Okta Provider In Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/configureoktaingroupid.md) -That done, you can sign into Directory Manager using Okta. See the [Sign In Using Okta](signin.md) +That done, you can sign into Directory Manager using Okta. See the [Sign In Using Okta](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/okta/signin.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureinonelogin.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureinonelogin.md index 09651dbe8e..418e5791ba 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureinonelogin.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureinonelogin.md @@ -38,7 +38,7 @@ You also have to: 8. Click the **Configurations** link. The **Configurations** page for the new app is displayed. 9. In the **ACS (Consumer) URL Validator** and **ACS (Consumer) URL** boxes, provide the consumer URL that you generated for the Directory Manager client _Wizard_. See the - [Generate URLs](generateurls.md) topic. + [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md) topic. 10. In the **Audience** box. provide the audience URL that you generated for the Directory Manager client _Wizard_. @@ -83,7 +83,7 @@ OneLogin provider in Directory Manager. ### Define Users in OneLogin You must define users in OneLogin. Only these users can authenticate on the Directory Manager portal -_Wizard_ using OneLogin. See the [Sign In Using OneLogin](signin.md) topic. +_Wizard_ using OneLogin. See the [Sign In Using OneLogin](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/signin.md) topic. **To define a user:** diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureoneloginingroupid.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureoneloginingroupid.md index f349298040..ff578289be 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureoneloginingroupid.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureoneloginingroupid.md 
@@ -9,7 +9,7 @@ metadata file to configure all settings for it. 2. On the **SAML Providers** page, click **New Provider**. 3. On the **Create New Provider** page, enter a name for the provider in the **Name** box. 4. Make sure the **Client** box displays the name of the Directory Manager client for which you - generated the consumer URL and audience URL (see the [Generate URLs](generateurls.md) topic). + generated the consumer URL and audience URL (see the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md) topic). To continue with the example, select the Directory Manager portal named _Wizard_. **Import the OneLogin metadata file:** 
@@ -39,14 +39,14 @@ metadata file to configure all settings for it. 9. When OneLogin is configured with a Directory Manager client, it will be available on the login page of that client (the Wizard portal in our example) for single sign-on. You can choose to display the OneLogin authentication option as an image or a button. See the - [Upload an Image for the Identity Provider](../adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) + [Upload an Image for the Identity Provider](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) topic for details, replacing references to AD FS with OneLogin. **Specify advanced settings:** 10. Expand the **Advanced** section on the **Create New Provider** page. 11. For _Disable GroupID Authentication_, see step 2 in the - [Specify Advanced Configurations](../adfs/configureadfsingroupid.md#specify-advanced-configurations) + [Specify Advanced Configurations](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#specify-advanced-configurations) topic. Replace references to AD FS with the OneLogin provider. 12. In the **Request Binding** drop-down list, select _POST_, since we used the endpoint URL for the post method in the **IDP Login URL** box. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md index 5c40cd9621..552b350a70 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md 
@@ -1,4 +1,4 @@ # Generate URLs -To generate the consumer URL and audience URL, see the [Generate URLs](../adfs/generateurls.md) +To generate the consumer URL and audience URL, see the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md) topic. Replace references to AD FS with OneLogin. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/overview.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/overview.md index 656b797fa2..5bf6dfef5d 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/overview.md @@ -6,9 +6,9 @@ computing. Here are the steps to configure single sign-on in Directory Manager using OneLogin as a provider: - Generate the consumer URL and audience URL for the Directory Manager client with which you want to - configure OneLogin. See the [Generate URLs](generateurls.md) topic for additional information. -- [Configure Directory Manager In OneLogin](configureinonelogin.md) -- [Configure the OneLogin Provider in Directory Manager](configureoneloginingroupid.md) + configure OneLogin. See the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/generateurls.md) topic for additional information. +- [Configure Directory Manager In OneLogin](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureinonelogin.md) +- [Configure the OneLogin Provider in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/configureoneloginingroupid.md) That done, you can sign into Directory Manager using OneLogin. See the -[Sign In Using OneLogin](signin.md) topic for additional information. +[Sign In Using OneLogin](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/onelogin/signin.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configureinpingone.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configureinpingone.md index 359f66f624..3bf8ea46db 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configureinpingone.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configureinpingone.md @@ -84,7 +84,7 @@ You must define users in PingOne. These users are authenticated in Directory Man an attribute, as discussed in the Attribute Mapping in PingOne topic. Only the users you define here can authenticate on the Directory Manager portal _Wizard_ using -PingOne. See the [Sign In Using PingOne](signin.md) topic. +PingOne. See the [Sign In Using PingOne](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/signin.md) topic. **To configure users:** diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configurepingoneingroupid.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configurepingoneingroupid.md index f1d77e400e..5596f79b61 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configurepingoneingroupid.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configurepingoneingroupid.md 
@@ -10,7 +10,7 @@ metadata file to configure all settings for this identity provider. 3. On the **Create New Provider** page, enter a name for the provider in the **Name** box. 4. Make sure the **Client** box displays the name of the Directory Manager client for which you generated the consumer URL and the Directory Manager metadata file (see the - [Generate the Consumer URL and Metadata File](generatemetadata.md) topic). + [Generate the Consumer URL and Metadata File](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md) topic). To continue with the example, select the Directory Manager portal named _Wizard_. 5. Click the **Import from Metadata** button under the **Advanced** section to import the PingOne metadata file. 
@@ -20,13 +20,13 @@ metadata file to configure all settings for this identity provider. 7. When PingOne is configured with a Directory Manager client, it will be available on the login page of that client (the Wizard portal in our example) for single sign-on. You can choose to display the PingOne authentication option as an image or a button. See the - [Upload an Image for the Identity Provider](../adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) + [Upload an Image for the Identity Provider](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#upload-an-image-for-the-identity-provider) topic for details, replacing references to AD FS with PingOne. 8. Expand the **Advanced** section on the **Create New Provider** page. 9. The **Response Signing Method** box displays _RSA-SHA-256_ as the signing method type. We configured this method as the signing algorithm in PingOne. 10. For _Disable GroupID Authentication_, see step 2 in the - [Specify Advanced Configurations](../adfs/configureadfsingroupid.md#specify-advanced-configurations) + [Specify Advanced Configurations](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/configureadfsingroupid.md#specify-advanced-configurations) topic. Replace references to AD FS with the PingOne provider. 11. In the **Request Binding** list, select _POST_, since the **Single Logout Binding Type** is set to _Post_ in PingOne. diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md index a17497f916..d5e6246807 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md 
@@ -14,7 +14,7 @@ In Authenticate, you have to: ## Generate Consumer URL -To generate the consumer URL, see the [Generate URLs](../adfs/generateurls.md) topic. Replace +To generate the consumer URL, see the [Generate URLs](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/adfs/generateurls.md) topic. Replace references to AD FS with PingOne. ## Generate the Metadata File diff --git a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/overview.md b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/overview.md index 73e5cac0d2..d17558d965 100644 --- a/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/overview.md @@ -7,10 +7,10 @@ Here are the steps to configure single sign-on in Directory Manager using PingOn - Generate the consumer URL andDirectory Manager metadata file for the Directory Manager client with which you want to configure PingOne. See the - [Generate the Consumer URL and Metadata File](generatemetadata.md) topic for additional + [Generate the Consumer URL and Metadata File](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/generatemetadata.md) topic for additional information. -- [Configure Directory Manager In PingOne](configureinpingone.md) -- [Configure the PingOne Provider In Directory Manager](configurepingoneingroupid.md) +- [Configure Directory Manager In PingOne](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configureinpingone.md) +- [Configure the PingOne Provider In Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/configurepingoneingroupid.md) That done, you can sign into Directory Manager using PingOne. See the -[Sign In Using PingOne](signin.md) topic for additional information. +[Sign In Using PingOne](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/pingone/signin.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/authenticate/overview.md b/docs/groupid/11.1/groupid/authenticate/overview.md index bebf528add..e352b5a7e7 100644 --- a/docs/groupid/11.1/groupid/authenticate/overview.md +++ b/docs/groupid/11.1/groupid/authenticate/overview.md @@ -21,7 +21,7 @@ standard. Supported identity providers include: You can also implement multifactor authentication in `Directory Manager using a third-party single sign-on solution or with the options available in Directory Manager. -See the [Directory Manager as a Service Provider](asserviceprovider/overview.md) topic for +See the [Directory Manager as a Service Provider](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/overview.md) topic for additional information. #### As an Identity Provider @@ -29,7 +29,7 @@ additional information. Directory Manager can be implemented as an identity provider in your organization. The administrator can configure third-party applications (service providers) with Directory Manager, in which case Directory Manager authenticates and authorizes users for those applications. See the -[Directory Manager as an Identity Provider](asidentityprovider/overview.md) topic for additional +[Directory Manager as an Identity Provider](/docs/groupid/11.1/groupid/authenticate/asidentityprovider/overview.md) topic for additional information. ## Launch Authenticate diff --git a/docs/groupid/11.1/groupid/configureentraid/create.md b/docs/groupid/11.1/groupid/configureentraid/create.md index d63c9c31d7..a894363506 100644 --- a/docs/groupid/11.1/groupid/configureentraid/create.md +++ b/docs/groupid/11.1/groupid/configureentraid/create.md 
@@ -8,7 +8,7 @@ Microsoft Entra ID user in Directory Manager. ## To create a Microsoft Entra ID Identity Store See the -[Create an Identity Store for Microsoft Entra ID](../admincenter/identitystore/create.md#create-an-identity-store-for-microsoft-entra-id) +[Create an Identity Store for Microsoft Entra ID](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md#create-an-identity-store-for-microsoft-entra-id) topic for creating an Microsoft Entra ID identity store. NOTE: If you intend to use a service account user with Global Administrator directory role, then no diff --git a/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md b/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md index 4a5b8718af..acb7d3d998 100644 --- a/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md +++ b/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md 
@@ -6,31 +6,31 @@ role assignments and application permissions on the registered app in Microsoft This topic lists those roles and permissions Directory Manager needs to perform operations in a Microsoft Entra ID provider. -See the [ Licensing ](../../admincenter/general/licensing.md) topic for additional information on +See the [ Licensing ](/docs/groupid/11.1/groupid/admincenter/general/licensing.md) topic for additional information on Directory Manager licensing. ## Graph API Application Permissions The following application permissions are required. -![Microsoft Entra ID Application Permissions - Channel](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/channel.webp) +![Microsoft Entra ID Application Permissions - Channel](/img/product_docs/groupid/groupid/configureentraid/register/channel.webp) -![Microsoft Entra ID Application Permissions - Directory](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/directory.webp) +![Microsoft Entra ID Application Permissions - Directory](/img/product_docs/groupid/groupid/configureentraid/register/directory.webp) -![Microsoft Entra ID Application Permissions - Group](../../../../../../static/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) +![Microsoft Entra ID Application Permissions - Group](/img/product_docs/changetracker/changetracker/integration/splunk/group.webp) -![Microsoft Entra ID Application Permissions - Mail](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/mail.webp) +![Microsoft Entra ID Application Permissions - Mail](/img/product_docs/groupid/groupid/configureentraid/register/mail.webp) -![Microsoft Entra ID Application Permissions - Mail](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/role.webp) +![Microsoft Entra ID Application Permissions - Mail](/img/product_docs/groupid/groupid/configureentraid/register/role.webp) -![Microsoft Entra ID 
Application Permissions - User](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) +![Microsoft Entra ID Application Permissions - User](/img/product_docs/activitymonitor/activitymonitor/admin/search/query/user.webp) -![Microsoft Entra ID Application Permissions - User Password and Phone](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/user-pw-phone.webp) +![Microsoft Entra ID Application Permissions - User Password and Phone](/img/product_docs/groupid/groupid/configureentraid/register/user-pw-phone.webp) ## Office 365 Exchange Online Permissions -![Microsoft Entra ID Office 365 Exchange Online Permissions - ExchangeManageAsApp](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/exchange.webp) +![Microsoft Entra ID Office 365 Exchange Online Permissions - ExchangeManageAsApp](/img/product_docs/accessanalyzer/admin/settings/exchange.webp) ## SharePoint Delegated Permissions -![allsites](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/allsites.webp) +![allsites](/img/product_docs/groupid/groupid/configureentraid/register/allsites.webp) diff --git a/docs/groupid/11.1/groupid/configureentraid/register/appregister.md b/docs/groupid/11.1/groupid/configureentraid/register/appregister.md index 9b1acba9b0..c5aae3eedf 100644 --- a/docs/groupid/11.1/groupid/configureentraid/register/appregister.md +++ b/docs/groupid/11.1/groupid/configureentraid/register/appregister.md 
@@ -11,30 +11,30 @@ in the application. Step 2 – In the Microsoft Entra Admin Center, go to Microsoft Entra ID > **App registration** and click **New registration**. -![App registeration page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/app_registeration.webp) +![App registeration page](/img/product_docs/groupid/groupid/configureentraid/register/app_registeration.webp) Step 3 – On the **Register an application** page, specify a name for the app. Select **Supported account types** as _Accounts in any organizational directory (Any Microsoft Entra ID – Multitenant_). Leave the Redirect URI as is and click **Register**. -![Register an application](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/register_an_application.webp) +![Register an application](/img/product_docs/groupid/groupid/configureentraid/register/register_an_application.webp) Step 4 – The **Overview** page is displayed. Copy the Application (client) ID and keep it safe. -![Overview page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/app_registeration_overview.webp) +![Overview page](/img/product_docs/groupid/groupid/configureentraid/register/app_registeration_overview.webp) Step 5 – Go to the **Authentication** node and set it as follows: -![Authenticate node](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/authenticate_node.webp) +![Authenticate node](/img/product_docs/groupid/groupid/configureentraid/register/authenticate_node.webp) Step 6 – Click **Save**. Step 7 – Select the **Certificates & secrets** node in the left pane to uploaded a certificate for secure authentication in Microsoft Entra ID. See the [Generate a certificate](modauth.md#generate-a-certificate) section of the -[Certificate for Entra ID Authentication ](modauth.md)topic for additional information. 
+[Certificate for Entra ID Authentication ](/docs/groupid/11.1/groupid/configureentraid/register/modauth.md)topic for additional information. -![Certificate & secrets page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/pfxcertifupload.webp) +![Certificate & secrets page](/img/product_docs/groupid/groupid/configureentraid/register/pfxcertifupload.webp) Step 8 – To upload the certificate: @@ -46,19 +46,19 @@ Step 8 – To upload the certificate: Step 9 – Click **Roles and administrators** node. -![Roles and Administration page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/roles_and_administration.webp) +![Roles and Administration page](/img/product_docs/groupid/groupid/configureentraid/register/roles_and_administration.webp) Step 10 – On the **All roles** page, add your registered application to a directory role. - **Global administrator**: For Global administrator, type global to filter out the Global administrator role. Click **Global administrator**. - ![All roles page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/all_roles.webp) + ![All roles page](/img/product_docs/groupid/groupid/configureentraid/register/all_roles.webp) Click **Add assignments**. On the Add assignment page, search your application and select it. Click the **Add** button. The application will be listed on the Assignments page. - ![Add assignment page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/add_assignment.webp) + ![Add assignment page](/img/product_docs/groupid/groupid/configureentraid/register/add_assignment.webp) - For any role other than Global administrator, add the registered application to the following two directory roles: 
@@ -80,17 +80,17 @@ Step 11 – Click **Add**. Step 12 – Go to the **API permissions** node and select **Add a permission**. -![API Permission page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/add_a_permission.webp) +![API Permission page](/img/product_docs/groupid/groupid/configureentraid/register/add_a_permission.webp) Step 13 – The Request API permissions page opens. Click the **Microsoft Graph** API tab. -![Request API permissions page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/request_api_permissions.webp) +![Request API permissions page](/img/product_docs/groupid/groupid/configureentraid/register/request_api_permissions.webp) Step 14 – Click the **Application permissions** tab: -![Application permissions tab](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/application_permission.webp) +![Application permissions tab](/img/product_docs/groupid/groupid/configureentraid/register/application_permission.webp) -Permissions get listed on the page. See the [Microsoft Entra ID Permissions](apppermissions.md) +Permissions get listed on the page. See the [Microsoft Entra ID Permissions](/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md) topic for the mandatory permissions that are required for creating the desired directory object. Step 15 – [Optional] To add a permission from Office 365 Exchange Online API, click the **Add a 
@@ -99,19 +99,19 @@ point # 14. Follow the steps shown on the following snapshot: -![Office 365 Exchange Online API](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/office365_permission.webp) +![Office 365 Exchange Online API](/img/product_docs/groupid/groupid/configureentraid/register/office365_permission.webp) Step 16 – [Optional] To access the SharePoint API for Entitlement management, click the **Add a permission** button (before the Grant admin consent for `username` button in the snapshot given in point # 14). Select the SharePoint API: -![SharePoint API card](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/sharepoint_api_card.webp) +![SharePoint API card](/img/product_docs/groupid/groupid/configureentraid/register/sharepoint_api_card.webp) Step 17 – Select the **Delegated permissions** tab: -![SharePoint Delegated permissions](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/sharepoint_delegated_permissions.webp) +![SharePoint Delegated permissions](/img/product_docs/groupid/groupid/configureentraid/register/sharepoint_delegated_permissions.webp) See [SharePoint Delegated Permissions](apppermissions.md#sharepoint-delegated-permissions) section -of the [Microsoft Entra ID Permissions](apppermissions.md) topic for the required permission name. +of the [Microsoft Entra ID Permissions](/docs/groupid/11.1/groupid/configureentraid/register/apppermissions.md) topic for the required permission name. This completes the registration process of Directory Manager in Microsoft Entra ID. diff --git a/docs/groupid/11.1/groupid/configureentraid/register/create.md b/docs/groupid/11.1/groupid/configureentraid/register/create.md index 1b521d2f27..f13728b6d0 100644 --- a/docs/groupid/11.1/groupid/configureentraid/register/create.md +++ b/docs/groupid/11.1/groupid/configureentraid/register/create.md 
@@ -9,11 +9,11 @@ Follow the steps to create a user in Microsoft Entra ID: Step 1 – In the Microsoft Entra Admin Center, go to Microsoft Entra ID> Users and click **New User** > **Create new user**. -![create_user](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/create_user.webp) +![create_user](/img/product_docs/groupid/groupid/configureentraid/register/create_user.webp) Step 2 – On the User page: -![create_new_user_page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/create_new_user_page.webp) +![create_new_user_page](/img/product_docs/groupid/groupid/configureentraid/register/create_new_user_page.webp) - The **Basics** tab contains the core fields required to create a new user. diff --git a/docs/groupid/11.1/groupid/configureentraid/register/modauth.md b/docs/groupid/11.1/groupid/configureentraid/register/modauth.md index 961d4b3772..99d9a500d0 100644 --- a/docs/groupid/11.1/groupid/configureentraid/register/modauth.md +++ b/docs/groupid/11.1/groupid/configureentraid/register/modauth.md @@ -16,7 +16,7 @@ $mycert | Export-Certificate -FilePath c:\mycert.cer The generated certificate will be saved at the root level of drive C: in .cer format. Upload this certificate while registering the Microsoft Entra ID application. See the step 7 of the -[Registration and Permissions Assignment](appregister.md) topic. +[Registration and Permissions Assignment](/docs/groupid/11.1/groupid/configureentraid/register/appregister.md) topic. ## Export the certificate 
@@ -24,8 +24,8 @@ The generated certificate in .pfx format will be used: - While creating a Microsoft Entra ID identity store (on the Identity Store Details page of new identity store creation wizard). See the point # 6 the - [Create an Identity Store for Microsoft Entra ID](../../admincenter/identitystore/create.md#create-an-identity-store-for-microsoft-entra-id) - section of the [Create an Identity Store](../../admincenter/identitystore/create.md) topic. + [Create an Identity Store for Microsoft Entra ID](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md#create-an-identity-store-for-microsoft-entra-id) + section of the [Create an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md) topic. - On the Messaging System page in identity store properties when Exchange Online/Office 365 is set as a messaging provider. diff --git a/docs/groupid/11.1/groupid/gettingstarted.md b/docs/groupid/11.1/groupid/gettingstarted.md index d52af4bb28..c3e6226c08 100644 --- a/docs/groupid/11.1/groupid/gettingstarted.md +++ b/docs/groupid/11.1/groupid/gettingstarted.md @@ -43,7 +43,7 @@ management functions. ## Initial Admin Center Configurations After installing and configuring Directory Manager, the Super Admin is the only user who can sign -into Admin Center (see the [Access Admin Center](admincenter/signin.md) topic for additional +into Admin Center (see the [Access Admin Center](/docs/groupid/11.1/groupid/admincenter/signin.md) topic for additional information). This user must create an identity store and configure security roles, so that other users can sign in and use the application. The Super Admin can choose to configure further settings or let another admin user in an identity store do so. 
@@ -53,17 +53,17 @@ perform identity and access management tasks using Directory Manager: - Create and configure identity stores - An identity store is built on an identity provider and enables you to manage objects and object permissions in the provider. See the - [Identity Stores](admincenter/identitystore/overview.md) topic for additional information. + [Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md) topic for additional information. - Create data sources - A data source is built on a provider, such as directories, databases and files. Data sources are used as source and destination in Synchronize jobs, in query-based searches, and in group membership queries. See the - [ Data Sources](admincenter/datasource/overview.md) topic for additional information. + [ Data Sources](/docs/groupid/11.1/groupid/admincenter/datasource/overview.md) topic for additional information. - Create a portal - Create a web-based Directory Manager portal and link it to an identity store, so that users can carry out user, group, and entitlement management tasks. See the - [ Directory Manager Portal](admincenter/portal/overview.md) topic for additional information. + [ Directory Manager Portal](/docs/groupid/11.1/groupid/admincenter/portal/overview.md) topic for additional information. - Create an SMS gateway account - Using an SMS gateway account, Directory Manager sends text messages to users’ mobile numbers, which may include verification codes and password reset links. - See the [SMS Gateway](admincenter/smsgateway/overview.md) topic for additional information. + See the [SMS Gateway](/docs/groupid/11.1/groupid/admincenter/smsgateway/overview.md) topic for additional information. ## Compatibility diff --git a/docs/groupid/11.1/groupid/install/backuprestore.md b/docs/groupid/11.1/groupid/install/backuprestore.md index 7ad2b604ca..ac49aea7f1 100644 --- a/docs/groupid/11.1/groupid/install/backuprestore.md 
+++ b/docs/groupid/11.1/groupid/install/backuprestore.md @@ -26,7 +26,7 @@ data folder. The default folder location is: `C:/ProgramData/Imanami/GroupID 10.0/Replication/data/` ``` -ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group)(objectCategory=group)(|(extensionData=*)(extensionAttribute15=*)(extensionAttribute14=*)(extensionAttribute13=*)(extensionAttribute12=*)))" -p Subtree -l extensionData,extensionAttribute15,extensionAttribute14,extensionAttribute13,extensionAttribute12 +ldifde -f c:\groupinfobeforeGroupID.ldf -r "(&(objectClass=group)(objectCategory=group)(|(extensionData=*)(extensionAttribute15=*)(extensionAttribute14=*)(extensionAttribute13=*)(extensionAttribute12=*)" -p Subtree -l extensionData,extensionAttribute15,extensionAttribute14,extensionAttribute13,extensionAttribute12 ``` ## GroupID Self-Service Portals diff --git a/docs/groupid/11.1/groupid/install/configure/configure.md b/docs/groupid/11.1/groupid/install/configure/configure.md index 07b05425b6..e77001300b 100644 --- a/docs/groupid/11.1/groupid/install/configure/configure.md +++ b/docs/groupid/11.1/groupid/install/configure/configure.md 
@@ -5,18 +5,18 @@ You can configure Directory Managerimmediately after installing it. Step 1 – Run the Configuration Tool in one of the following ways: - To configure Directory Managerright after installation, click **Next** on the **Run Configuration - Tool** page. See the [Installation Tool](../installer/install.md) topic. + Tool** page. See the [Installation Tool](/docs/groupid/11.1/groupid/install/installer/install.md) topic. - When Directory Manager is installed, the Configuration Tool is also installed as a separate program on the machine. Launch the Directory Manager Configuration Tool from the Windows Start screen. In either case, the tool opens to the **Introduction** page. -![Introduction page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/intro.webp) +![Introduction page](/img/product_docs/groupid/groupid/install/configure/intro.webp) Step 2 – Read the welcome message and click **Next**. -![Create new server page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/select_to_create_a_new_server-new.webp) +![Create new server page](/img/product_docs/groupid/groupid/install/configure/select_to_create_a_new_server-new.webp) Step 3 – To configure a Directory Manager server or a Directory Manager client, select the relevant option. @@ -27,7 +27,7 @@ option. It also configures the Directory Manager Elasticsearch Service as a master node for the Elasticsearch service cluster to support load balancing. See the - [Configure a New Directory Manager Server with a New or an Existing Database](gidserver.md) + [Configure a New Directory Manager Server with a New or an Existing Database](/docs/groupid/11.1/groupid/install/configure/gidserver.md) topic for additional information. - **Configure a new GroupID 11 server to add it into an existing GroupID 11 cluster with an existing 
@@ -38,5 +38,5 @@ option. This option also configures the Directory Manager Elasticsearch Service as a slave node to the master node for the Elasticsearch Service cluster configured on the Directory Manager server. See the - [Configure a new Directory Manager server to add it to an existing Directory Manager 11 cluster with an existing database](database.md) + [Configure a new Directory Manager server to add it to an existing Directory Manager 11 cluster with an existing database](/docs/groupid/11.1/groupid/install/configure/database.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/install/configure/database.md b/docs/groupid/11.1/groupid/install/configure/database.md index 365350fbe9..f6f0211ee4 100644 --- a/docs/groupid/11.1/groupid/install/configure/database.md +++ b/docs/groupid/11.1/groupid/install/configure/database.md @@ -10,12 +10,12 @@ master node for the Elasticsearch Service cluster configured on the Directory Ma To configure a Directory Manager server with existing database: Step 1 – On the Select to create new server or use existing server page of the Configuration Tool, -select [Configure a New Directory Manager Server with a New or an Existing Database](gidserver.md) -option. See Step 3 on the [Configuration Tool](configure.md) topic. +select [Configure a New Directory Manager Server with a New or an Existing Database](/docs/groupid/11.1/groupid/install/configure/gidserver.md) +option. See Step 3 on the [Configuration Tool](/docs/groupid/11.1/groupid/install/configure/configure.md) topic. Step 2 – Click **Next**. -![database_settings](../../../../../../static/img/product_docs/groupid/groupid/install/configure/databasesettings.webp) +![database_settings](/img/product_docs/groupid/groupid/install/configure/databasesettings.webp) Step 3 – In the SQL Server list, select the SQL Server to use with this new Directory Manager Server. The SQL Server must be the same used with the master node of Directory Manager. 
@@ -27,10 +27,10 @@ Step 4 – In the Authentication list, select an authentication mode to be used SQL Server database. Modes are: - SQL Server Authentication - To set SQL Server to work with Directory Manager using an SQL Server - account. See the [Authentication Modes](../../requirements/setupauthentication.md) topic for + account. See the [Authentication Modes](/docs/groupid/11.1/groupid/requirements/setupauthentication.md) topic for additional information. - Windows Authentication - To set SQL Server to work with Directory Manager using a Windows user - account. See the [Authentication Modes](../../requirements/setupauthentication.md) topic for + account. See the [Authentication Modes](/docs/groupid/11.1/groupid/requirements/setupauthentication.md) topic for additional details. Step 5 – Depending on the authentication mode selected, do the following: @@ -48,7 +48,7 @@ Database button has no relevance here. Step 7 – Click **Next**. -![License page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/license_w_existing_db_option.webp) +![License page](/img/product_docs/groupid/groupid/install/configure/license_w_existing_db_option.webp) Step 8 – On the License page, license information of Directory Manager installed on the master node is displayed. A valid license and key enable the Next button. If the Next button remains disabled, @@ -56,7 +56,7 @@ check your entries for errors. Step 9 – Click **Next**. -![GroupID Service Configurations](../../../../../../static/img/product_docs/groupid/groupid/install/configure/servicesconfiguration.webp) +![GroupID Service Configurations](/img/product_docs/groupid/groupid/install/configure/servicesconfiguration.webp) Step 10 – Directory Manager requires two services: 
@@ -85,7 +85,7 @@ NOTE: This Directory Manager instance will use Email and Scheduler services of t Step 11 – Click **Next**. -![Elasticsearch Settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings.webp) +![Elasticsearch Settings page](/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings.webp) Step 12 – Directory Manager provides the following two options for Elasticsearch configuration. Select the relevant option: @@ -94,7 +94,7 @@ Select the relevant option: Manager Configuration Tool will install Elasticsearch. It presents you default configuration of Elasticsearch cluster it will create: - ![Select Elastic Cluster page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/select_cluster_w_existing_db_option.webp) + ![Select Elastic Cluster page](/img/product_docs/groupid/groupid/install/configure/select_cluster_w_existing_db_option.webp) 1. Cluster Name: lists all the clusters defined so far. Select one to create an Elasticsearch node within the selected cluster. @@ -108,7 +108,7 @@ Select the relevant option: I will install and manage Elasticsearch myself: If you select this option, the following page is displayed: - ![Elasticsearch settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings-2.webp) + ![Elasticsearch settings page](/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings-2.webp) Provide configurations of Elasticsearch you want to use with Directory Manager: 
@@ -118,7 +118,7 @@ Select the relevant option: Step 13 – Click **Next**. -![Service Account Settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/service_account_settings_w_existing_db.webp) +![Service Account Settings page](/img/product_docs/groupid/groupid/install/configure/service_account_settings_w_existing_db.webp) NOTE: If you configure a Group Managed Service Account (gMSA) as an App Pool service account then the Directory ManagerConfiguration tool will add this account in the local administrators and @@ -154,13 +154,13 @@ Step 15 – You can specify a service accounts for the app pool in any of the fo - Use an existing account: Click **Browse**. - ![Find Service Account page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/findserviceaccount.webp) + ![Find Service Account page](/img/product_docs/groupid/groupid/install/configure/findserviceaccount.webp) On the Find Service Account dialog box, search and select the required account and click **OK**. - Create a new service account: Click the **Create New** button on the Service Account Setting page. - ![Create a new service account page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/createserviceaccount.webp) + ![Create a new service account page](/img/product_docs/groupid/groupid/install/configure/createserviceaccount.webp) On the Create Service Account dialog box, select the kind of account you want to create. Enter a name, container and password for the account. Click **Create**. 
@@ -175,18 +175,18 @@ Account) in the Password box. Step 17 – Click **Configure**. -![Configuring GroupID ](../../../../../../static/img/product_docs/groupid/groupid/install/configure/configuring.webp) +![Configuring GroupID ](/img/product_docs/groupid/groupid/install/configure/configuring.webp) Step 18 – The next page displays the progress while a Directory Manager server is configured on the machine. While configuring the machine, the Configuration Tool checks the application’s signing key status and update it according to your Directory Manager environment. See the -[Update Signing Key](signingkeyinfo.md) topic for information how Configuration Tool will update +[Update Signing Key](/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md) topic for information how Configuration Tool will update Directory Manager's Signing Key. Step 19 – This completes the configuration of Directory Manager as a slave node on your machine. Click **Launch GroupID** to start using Directory Manager. The Sign In pa ge opens: -![GroupID Sign In page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/launchgid.webp) +![GroupID Sign In page](/img/product_docs/groupid/groupid/install/configure/launchgid.webp) To login in to Directory Manager Admin Center for the first time, provide Directory Manager Administrator user name and password. diff --git a/docs/groupid/11.1/groupid/install/configure/gidserver.md b/docs/groupid/11.1/groupid/install/configure/gidserver.md index 32629655ba..8809553e63 100644 --- a/docs/groupid/11.1/groupid/install/configure/gidserver.md +++ b/docs/groupid/11.1/groupid/install/configure/gidserver.md 
@@ -11,7 +11,7 @@ Step 1 – Select the **Configure a new GroupID server with new or existing data Select to create new server or use existing server page of the Configuration Tool and select **Next**. -![Database Settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/databasesettings.webp) +![Database Settings page](/img/product_docs/groupid/groupid/install/configure/databasesettings.webp) Step 2 – In the SQL Server list, select the **SQL Server** to use with Directory Manager. If the required server does not appear in the list, make sure that the SQL Server Browser service is @@ -22,10 +22,10 @@ SQL Server database. Modes are: - SQL Server Authentication - To set SQL Server to work with Directory Managerusing an SQL Server account. See SQL Authentication in - [Authentication Modes](../../requirements/setupauthentication.md) topic. + [Authentication Modes](/docs/groupid/11.1/groupid/requirements/setupauthentication.md) topic. - Windows Authentication - To set SQL Server to work with Directory Managerusing a Windows user account. See Windows Authentication in in - [Authentication Modes](../../requirements/setupauthentication.md) topic. + [Authentication Modes](/docs/groupid/11.1/groupid/requirements/setupauthentication.md) topic. Step 4 – Depending on the authentication mode selected, do the following: @@ -40,7 +40,7 @@ Manager or continue using your existing database. Step 6 – Click **Next**. -![Security Settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/securitysettings.webp) +![Security Settings page](/img/product_docs/groupid/groupid/install/configure/securitysettings.webp) Step 7 – On the Security Settings page, enter an encryption key in the **Passphrase** and **Confirm Passphrase** boxes to secure Directory Manager data. 
@@ -54,7 +54,7 @@ retrieves from, the SQL Server database. Step 8 – Click **Next**. -![License page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/license.webp) +![License page](/img/product_docs/groupid/groupid/install/configure/license.webp) Step 9 – On the License page, enter a valid license number and key in the respective boxes. A valid license and key enable the **Next** button. If the **Next** button remains disabled, check your @@ -62,7 +62,7 @@ entries for errors. Step 10 – Click **Next**. -![Elasticsearch setting page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings.webp) +![Elasticsearch setting page](/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings.webp) Step 11 – Directory Manager provides the following two options for Elasticsearch configuration. Select the relevant option: @@ -71,7 +71,7 @@ Select the relevant option: Configuration Tool will install Elasticsearch. It presents you default configuration of Elasticsearch cluster it will create: - ![Select Elastic Cluster page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/selectelasticcluster.webp) + ![Select Elastic Cluster page](/img/product_docs/groupid/groupid/install/configure/selectelasticcluster.webp) 1. Cluster Name: for Elasticsearch node(s) within the cluster. You can modify the name. 2. Port: the default port for Elasticsearch API communication. Modify the port number if the @@ -84,7 +84,7 @@ Select the relevant option: I will install and manage Elasticsearch myself: If you select this option, the following page is displayed: - ![Elasticsearch settings page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings-2.webp) + ![Elasticsearch settings page](/img/product_docs/groupid/groupid/install/configure/elasticsearchsettings-2.webp) Provide configurations of Elasticsearch you want to use with Directory Manager: 
@@ -94,7 +94,7 @@ Select the relevant option: Step 12 – Click **Next**. - ![Services Configuration page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/servicesconfiguration.webp) + ![Services Configuration page](/img/product_docs/groupid/groupid/install/configure/servicesconfiguration.webp) Step 13 – At this point, Directory Manager configures the following: @@ -125,7 +125,7 @@ Select the relevant option: Step 14 – Click **Next**. - ![Service Account Setting page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/serviceaccount.webp) + ![Service Account Setting page](/img/product_docs/groupid/groupid/install/configure/serviceaccount.webp) NOTE: If you configure a Group Managed Service Account (gMSA) as an App Pool service account then the Directory Manager Configuration tool will add this account in the local administrators @@ -156,14 +156,14 @@ Select the relevant option: - Use an existing account: Click **Browse**. - ![Find Service Account page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/findserviceaccount.webp) + ![Find Service Account page](/img/product_docs/groupid/groupid/install/configure/findserviceaccount.webp) On the Find Service Account dialog box, search and select the required account and click **OK**. Create a new service account: Click the **Create New** button on the Service Account Setting page. -![Create a new service account page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/createserviceaccount.webp) +![Create a new service account page](/img/product_docs/groupid/groupid/install/configure/createserviceaccount.webp) On the Create Service Account dialog box, select the kind of account you want to create. Enter a name, container and password for the account. Click **Create**. 
@@ -180,14 +180,14 @@ Step 18 – Provide password for the Directory Manager Administrator account in Step 19 – Click **Configure**. -![Configuring GroupID page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/configuring.webp) +![Configuring GroupID page](/img/product_docs/groupid/groupid/install/configure/configuring.webp) We are configuring Directory Manager page displays the progress while a Directory Manager server is configured on the machine. While configuring the machine, the Configuration Tool checks the application’s signing key status and update it according to your Directory Manager environment. See the -[Update Signing Key](signingkeyinfo.md) topic for information how Configuration Tool will update +[Update Signing Key](/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md) topic for information how Configuration Tool will update Directory Manager's Signing Key. On successful configuration, the Directory Manager is successfully configured page is displayed and @@ -196,7 +196,7 @@ Directory Manager is configured on your machine. Step 20 – Click **Launch GroupID** on the Directory Manager is successfully configured page to start using Directory Manager. The Sign In page opens: -![GroupID Sign In page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/launchgid.webp) +![GroupID Sign In page](/img/product_docs/groupid/groupid/install/configure/launchgid.webp) To login in to Directory Manager Admin Center for the first time, provide Directory Manager Administrator user name and password. diff --git a/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md b/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md index af73e34fd0..99388b5e94 100644 --- a/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md +++ b/docs/groupid/11.1/groupid/install/configure/signingkeyinfo.md 
@@ -14,7 +14,7 @@ and the Signing Key utility is not applied on that Directory Manager on that mac Configuration Tool will change the Signing Key and displays a disclaimer message on the Directory Manager is successfully configured page as follows: -![GroupID is successfully configured page with Signing Key Disclaimer](../../../../../../static/img/product_docs/groupid/groupid/install/configure/signkeydisclaimer.webp) +![GroupID is successfully configured page with Signing Key Disclaimer](/img/product_docs/groupid/groupid/install/configure/signkeydisclaimer.webp) Remember, after the Signing Key update, your existing schedules will not work as their authentication mechanism will no longer be considered valid. Therefore, the authentication mechanism @@ -38,8 +38,8 @@ configured page as shown in the Single Directory Manager instance section. Step 2 – Export the Signing Key so that the slave node also has the same Signing Key as of the master node. See the -[Export a Signing Key ](../../admincenter/service/securityservice/signkeyutility.md#export-a-signing-key)section -of the [Signing Key Utility](../../admincenter/service/securityservice/signkeyutility.md) topic for +[Export a Signing Key ](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md#export-a-signing-key)section +of the [Signing Key Utility](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md) topic for information on how to export the Signing Key. Step 3 – On the slave node copy the exported Signing Key file into a folder. 
@@ -47,7 +47,7 @@ Step 3 – On the slave node copy the exported Signing Key file into a folder. Step 4 – Run the Configuration Tool on the slave node until you reach the Import Signing Key page of the wizard: -![Import Signing Key page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/importkey.webp) +![Import Signing Key page](/img/product_docs/groupid/groupid/install/configure/importkey.webp) 1. Click **Browse** next to the Select file box to browse to the folder where you have copied the Signing Key file. @@ -57,7 +57,7 @@ the wizard: Step 5 – The Configuration Tool displays the Directory Manager is successfully configured page without the disclaimer. -![GroupID is successfully configured page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/success.webp) +![GroupID is successfully configured page](/img/product_docs/groupid/groupid/install/configure/success.webp) Remember, after the Signing Key update, your existing schedules will not work as their authentication mechanism will no longer be considered valid. Therefore, the authentication mechanism @@ -85,8 +85,8 @@ is successfully configured page as shown in the Single Directory Manager instanc Step 2 – Export the Signing Key so that the slave nodes of both the clusters also have the same Signing Key as of the master node of cluster A. See the -[Export a Signing Key ](../../admincenter/service/securityservice/signkeyutility.md#export-a-signing-key)section -of the [Signing Key Utility](../../admincenter/service/securityservice/signkeyutility.md) topic for +[Export a Signing Key ](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md#export-a-signing-key)section +of the [Signing Key Utility](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md) topic for information on how to export the Signing Key file. Step 3 – On the slave nodes of Cluster A and Cluster B (_i.e. instances 2 and 4_) copy the exported 
@@ -95,7 +95,7 @@ Signing Key file into a folder. Step 4 – Run the Configuration Tool on instance 2 and 4 until you reach the Import Signing Key page of the wizard. -![Import Signing Key page](../../../../../../static/img/product_docs/groupid/groupid/install/configure/importkey.webp) +![Import Signing Key page](/img/product_docs/groupid/groupid/install/configure/importkey.webp) 1. Click **Browse** next to the Select file box to browse to the folder where you have copied the Signing Key file. @@ -110,10 +110,10 @@ Configuration Tool displays the Directory Manager is successfully configured pag disclaimer as shown in the Single Directory Manager instance section. Step 7 – On the master node of Cluster B (_i.e. instance 3_), run the -[Signing Key Utility](../../admincenter/service/securityservice/signkeyutility.md) and import the +[Signing Key Utility](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md) and import the copied Signing Key file using the commandlet given in the -[Import a Signing Key ](../../admincenter/service/securityservice/signkeyutility.md#import-a-signing-key)section -of the [Signing Key Utility](../../admincenter/service/securityservice/signkeyutility.md) topic for +[Import a Signing Key ](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md#import-a-signing-key)section +of the [Signing Key Utility](/docs/groupid/11.1/groupid/admincenter/service/securityservice/signkeyutility.md) topic for information on how to import the Signing Key. Remember, after the Signing Key update, your existing schedules will not work as their diff --git a/docs/groupid/11.1/groupid/install/installer/install.md b/docs/groupid/11.1/groupid/install/installer/install.md index 3348afcf16..a60a8fbe1f 100644 --- a/docs/groupid/11.1/groupid/install/installer/install.md +++ b/docs/groupid/11.1/groupid/install/installer/install.md 
@@ -12,26 +12,26 @@ To install Directory Manager: Step 1 – Run `_GroupIDInstallTool.exe_` from the Directory Manager`<_version #_>` folder in the Directory ManagerInstallation package. It launches the Installation Tool. -![Welcome page](../../../../../../static/img/product_docs/groupid/groupid/install/installer/introduction.webp) +![Welcome page](/img/product_docs/groupid/groupid/install/installer/introduction.webp) Step 2 – Read the welcome message and click **Next**. -![End User License Agreement](../../../../../../static/img/product_docs/groupid/groupid/install/installer/eula.webp) +![End User License Agreement](/img/product_docs/groupid/groupid/install/installer/eula.webp) Step 3 – On the End User License Agreement page, review and accept the licensing agreement and click **Next**. -![installpath](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installpath.webp) +![installpath](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installpath.webp) Step 4 – In the Installation Folder box, specify the location where you want to install Directory Manageror accept the one suggested by the Installer. Click **Install**. -![installationprogress](../../../../../../static/img/product_docs/groupid/groupid/install/installer/installationprogress.webp) +![installationprogress](/img/product_docs/groupid/groupid/install/installer/installationprogress.webp) Step 5 – The progress bar shows the installation progress while all files are copied and Directory Manageris installed. On successful installation, the Run Configuration Tool page is displayed. -![Run Configuration Tool](../../../../../../static/img/product_docs/groupid/groupid/install/installer/runconfigurationtool.webp) +![Run Configuration Tool](/img/product_docs/groupid/groupid/install/installer/runconfigurationtool.webp) Step 6 – Click **Next** to proceed with configuring Directory Manager. 
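Review bot: The Step 4 image in this hunk resolves to `/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installpath.webp`, a Threat Prevention asset, while every other image in these install steps sits under `/img/product_docs/groupid/groupid/install/installer/`. The path rewrite carries the old target over faithfully, but it is worth confirming that the screenshot actually shows the Directory Manager installation folder page, and if it does, copying it under the groupid image tree so a change to the Threat Prevention docs cannot silently alter this page. While these lines are open, the alt texts `installpath` and `installationprogress` are file names rather than descriptions; the neighbouring images ("Welcome page", "End User License Agreement") show the style to follow.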
@@ -40,5 +40,5 @@ or Click **Close** on the title bar to close the Directory ManagerInstaller and configure Directory Managerlater. -See the [Configuration Tool](../configure/configure.md) topic for additional information on +See the [Configuration Tool](/docs/groupid/11.1/groupid/install/configure/configure.md) topic for additional information on configuring Directory Manager. diff --git a/docs/groupid/11.1/groupid/install/installer/installer.md b/docs/groupid/11.1/groupid/install/installer/installer.md index 5c82ee5e28..3561cda9b9 100644 --- a/docs/groupid/11.1/groupid/install/installer/installer.md +++ b/docs/groupid/11.1/groupid/install/installer/installer.md @@ -2,12 +2,12 @@ To install Directory Manager, you have to run the following tools in the given order: -- **[Preparation Tool](preparationtool.md)** - Detects and instals the prerequisite software and +- **[Preparation Tool](/docs/groupid/11.1/groupid/install/installer/preparationtool.md)** - Detects and instals the prerequisite software and Windows features that Directory Manager requires. -- **[Installation Tool](install.md)** - Installs Directory Manager. +- **[Installation Tool](/docs/groupid/11.1/groupid/install/installer/install.md)** - Installs Directory Manager. -- **[Configuration Tool](../configure/configure.md)** - Configures Directory Manager services, +- **[Configuration Tool](/docs/groupid/11.1/groupid/install/configure/configure.md)** - Configures Directory Manager services, database, and other components. ## Installation Package diff --git a/docs/groupid/11.1/groupid/install/installer/preparationtool.md b/docs/groupid/11.1/groupid/install/installer/preparationtool.md index e2d31f1e6c..85b7dde85d 100644 --- a/docs/groupid/11.1/groupid/install/installer/preparationtool.md +++ b/docs/groupid/11.1/groupid/install/installer/preparationtool.md 
@@ -17,21 +17,21 @@ Installation package. Step 2 – Run GroupIDPrereqTool.exe file. It launches the Preparation Tool. -![Preparation Tool Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Preparation Tool Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) Step 3 – Read the welcome message and click **Next**. -![Ready to Begin page](../../../../../../static/img/product_docs/groupid/groupid/install/installer/readytobegin.webp) +![Ready to Begin page](/img/product_docs/groupid/groupid/install/installer/readytobegin.webp) Step 4 – The Ready to begin page lists the required software and Windows features that the Preparation Tool has identified for Directory Manager. Click **Install** to begin. -![We are preparing page](../../../../../../static/img/product_docs/groupid/groupid/install/installer/wearepreparing.webp) +![We are preparing page](/img/product_docs/groupid/groupid/install/installer/wearepreparing.webp) Step 5 – On the We are preparing this machine for Directory Manager... page the progress bar shows the installation progress while prerequisites are installed. -![Ready to install](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/readytoinstall.webp) +![Ready to install](/img/product_docs/activitymonitor/activitymonitor/install/agent/readytoinstall.webp) The You are ready to install GroupID! page displays the status of each prerequisite software and Windows feature as Passed or Failed. diff --git a/docs/groupid/11.1/groupid/install/installer/whatprepinstall.md b/docs/groupid/11.1/groupid/install/installer/whatprepinstall.md index ac2b27cb46..6cff9dd900 100644 --- a/docs/groupid/11.1/groupid/install/installer/whatprepinstall.md +++ b/docs/groupid/11.1/groupid/install/installer/whatprepinstall.md 
@@ -1,6 +1,6 @@ # What does the Preparation Tool Install -When the [Preparation Tool](preparationtool.md) runs, it installs the following software and Windows +When the [Preparation Tool](/docs/groupid/11.1/groupid/install/installer/preparationtool.md) runs, it installs the following software and Windows features: | Software | Comments | diff --git a/docs/groupid/11.1/groupid/install/securityutility.md b/docs/groupid/11.1/groupid/install/securityutility.md index 1b3669535d..6c51d0f757 100644 --- a/docs/groupid/11.1/groupid/install/securityutility.md +++ b/docs/groupid/11.1/groupid/install/securityutility.md @@ -49,14 +49,14 @@ accesses GroupIDDataService. If yes, provide the IP of that machine. Press Enter In case of multiple machines, use a comma to separate the IP addresses with no space after the comma. -![Restrict IP Addresses](../../../../../static/img/product_docs/groupid/groupid/install/iprestrict.webp) +![Restrict IP Addresses](/img/product_docs/groupid/groupid/install/iprestrict.webp) RECOMMENDED: Use a static IP address for the Directory Manager server and the additional IP addresses you specify here to include in the IP security rules. Step 3 – After successful configuration, the following message is displayed. -![Success message](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/success.webp) +![Success message](/img/product_docs/activitymonitor/activitymonitor/install/agent/success.webp) In the event of a Directory Manager multi-instance deployment, execute the above steps on each Directory Manager server in your environment. 
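Review bot: In the `securityutility.md` hunk, the "Success message" image after Step 3 points at `/img/product_docs/activitymonitor/activitymonitor/install/agent/success.webp`, which belongs to the Activity Monitor agent install docs, whereas the "Restrict IP Addresses" image in the same hunk comes from `/img/product_docs/groupid/groupid/install/`. This page documents the result of applying IP security rules to GroupIDDataService, so a reader compares the screenshot against what the utility printed; please verify the shared file shows this utility's success message and not the agent installer's, and give the page its own copy under the groupid tree if it does.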
@@ -85,7 +85,7 @@ environment: Step 4 – You will be asked to provide the database connection password. On doing so, the password for the GroupID user account will be updated with the generated password. -![Password generation and update message](../../../../../static/img/product_docs/groupid/groupid/install/passwordgeneration.webp) +![Password generation and update message](/img/product_docs/groupid/groupid/install/passwordgeneration.webp) ## Export/Import the New Password @@ -122,4 +122,4 @@ GroupID user account on all servers. You must delete the GroupIDSSUser account from each Directory Manager server. Go to the Computer Management console to delete the account. -![Computer Management console](../../../../../static/img/product_docs/groupid/groupid/install/computermanagement.webp) +![Computer Management console](/img/product_docs/groupid/groupid/install/computermanagement.webp) diff --git a/docs/groupid/11.1/groupid/install/upgrade/notes.md b/docs/groupid/11.1/groupid/install/upgrade/notes.md index ce6e3268e9..6468ad97b0 100644 --- a/docs/groupid/11.1/groupid/install/upgrade/notes.md +++ b/docs/groupid/11.1/groupid/install/upgrade/notes.md @@ -17,7 +17,7 @@ The source version file system is required for the following: - When you create a new portal in Directory Manager 11, you can import the advanced settings and design settings of a Self-Service portal from the source version. See step 13 in the - [Create a Portal in Native IIS](../../admincenter/portal/create.md#create-a-portal-in-native-iis) + [Create a Portal in Native IIS](/docs/groupid/11.1/groupid/admincenter/portal/create.md#create-a-portal-in-native-iis) topic. - In the source version, you specified a list of attributes to replicate for an identity store. These attributes are saved to a file on the file system. 
@@ -85,14 +85,14 @@ Step 9 – In the source version, Replication service logs were captured under t no user interface to change this setting. On upgrade to Directory Manager 11, the file logging and Windows logging mode is set to default, i.e., ‘Error’. After upgrade, it is recommended that you go to Replication service settings and change file logging to the ‘Debug’ mode (if required). See the -[Specify Log Settings for a Service](../../admincenter/service/dataservice/manage.md#specify-log-settings-for-a-service) +[Specify Log Settings for a Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md#specify-log-settings-for-a-service) topic. Step 10 – In the source version, log settings for an identity store inherently applied to Date service logs. On upgrade to Directory Manager 11, these log settings are moved to the Data service, with the file logging mode set to default, i.e., ‘Error’. To change the mode in Directory Manager 11, go to Data service settings and change it as required. See the -[Specify Log Settings for a Service](../../admincenter/service/dataservice/manage.md#specify-log-settings-for-a-service) +[Specify Log Settings for a Service](/docs/groupid/11.1/groupid/admincenter/service/dataservice/manage.md#specify-log-settings-for-a-service) topic. Step 11 – The following applies in case of upgrade from GroupID 10 SR1. diff --git a/docs/groupid/11.1/groupid/install/upgrade/overview.md b/docs/groupid/11.1/groupid/install/upgrade/overview.md index 7046a103f3..db3639be6f 100644 --- a/docs/groupid/11.1/groupid/install/upgrade/overview.md +++ b/docs/groupid/11.1/groupid/install/upgrade/overview.md 
@@ -29,7 +29,7 @@ Step 2 – The following applies to upgrade on a different box. If a gMSA is used as the service account for an identity store in the source version, you must configure that gMSA on the Directory Manager 11 server before you upgrade. To configure a gMSA, see the -[gMSA for Active Directory](../../requirements/permissions/gmsarequirements.md) topic. +[gMSA for Active Directory](/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md) topic. Step 3 – A disabled identity store in the source version will not be upgraded to Directory Manager 11. diff --git a/docs/groupid/11.1/groupid/install/upgrade/upgrade.md b/docs/groupid/11.1/groupid/install/upgrade/upgrade.md index 06f4d61906..53190a6415 100644 --- a/docs/groupid/11.1/groupid/install/upgrade/upgrade.md +++ b/docs/groupid/11.1/groupid/install/upgrade/upgrade.md @@ -11,11 +11,11 @@ OR Click **Start** > **Imanami** > **GroupID Upgrade Tool 11.0**. -![Welcome page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/1-welcome.webp) +![Welcome page](/img/product_docs/groupid/groupid/install/upgrade/1-welcome.webp) Step 2 – Read the welcome message and click **Next**. -![2-select_source_version](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/2-select_source_version.webp) +![2-select_source_version](/img/product_docs/groupid/groupid/install/upgrade/2-select_source_version.webp) Step 3 – From the Select the previous version to upgrade list, select the Directory Manager version to upgrade from. 
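Review bot: In the `upgrade.md` hunk `@@ -11,11 +11,11`, the second rewritten image keeps `2-select_source_version` as its alt text, which is the file name and tells a screen-reader user nothing about the page shown. The line is already being replaced, so give it a descriptive alt text in the same style as the "Welcome page" image above it, for example one naming the wizard page the step refers to. The same applies to the other file-name alt texts carried over later in this file (`3-select_modules-custom`, `synchronize_upgrade`, `reports_upgrade`, `store_selection_for_schedules`).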
@@ -25,7 +25,7 @@ version. The process may vary for different source versions. Step 4 – Click **Next**. -![Select modules to upgrade](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/3-select_modules.webp) +![Select modules to upgrade](/img/product_docs/groupid/groupid/install/upgrade/3-select_modules.webp) On the Select Modules to upgrade page, select the type of Directory Manager data for upgrade. You can choose to upgrade all or selective data of the previous version. Options are: @@ -34,14 +34,14 @@ can choose to upgrade all or selective data of the previous version. Options are - Custom – choose what data you want to upgrade. On selecting it, the following options are listed, from where you can choose the data to upgrade. - ![3-select_modules-custom](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/3-select_modules-custom.webp) + ![3-select_modules-custom](/img/product_docs/groupid/groupid/install/upgrade/3-select_modules-custom.webp) NOTE: If later on, you wish to upgrade specific groups and their history via the Upgrade-Group commandlet, then you must upgrade the Configuration and History in the first upgrade run. This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it to Elasticsearch. Later on, when you upgrade specific groups and their history using the Upgrade-Group commandlet, that will be done successfully. See the - [Upgrade-Group](../../managementshell/smartgroup/upgradegroup.md) commandlet for additional + [Upgrade-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md) commandlet for additional information. If you want to upgrade configurations, history and all groups using the Directory Manager 
@@ -52,7 +52,7 @@ Step 5 – Click **Next**. Step 6 – If you have an Microsoft Entra ID based identity store in Directory Manager 10, the following page appears. -![Microsoft Entra ID Store Upgrade page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/entraidstore.webp) +![Microsoft Entra ID Store Upgrade page](/img/product_docs/groupid/groupid/install/upgrade/entraidstore.webp) Provide the following information: @@ -70,7 +70,7 @@ Step 8 – If in the Directory Manager source version, Office 365 messaging prov a Microsoft Entra ID based identity store or in an AD identity store, the Upgrade wizard displays the following page. -![ Upgrade wizard Microsoft Entra ID Messaging System page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/entraidmessagingsystem.webp) +![ Upgrade wizard Microsoft Entra ID Messaging System page](/img/product_docs/groupid/groupid/install/upgrade/entraidmessagingsystem.webp) Provide the following information: @@ -95,7 +95,7 @@ messaging providers. will be auto populated but you can change them.) All jobs with destination provider for that forest domain or any of its child domains will be moved to the new identity store. - ![synchronize_upgrade](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/synchronize_upgrade.webp) + ![synchronize_upgrade](/img/product_docs/groupid/groupid/install/upgrade/synchronize_upgrade.webp) NOTE: The service account you provide here should have at least _read_ permission in the entire forest, so that all objects from the forest can be replicated to Elasticsearch. 
@@ -109,7 +109,7 @@ the wizard would require you to provide the PFX certificate. All Synchronize job 365 as messaging provider will be listed on the wizard page. Expand each job and provide the PFX certificate along with its password. -![Upgrade wizard Synchronize Messaging System page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/entraidsynmessagingsystem.webp) +![Upgrade wizard Synchronize Messaging System page](/img/product_docs/groupid/groupid/install/upgrade/entraidsynmessagingsystem.webp) Provide the following information: @@ -132,7 +132,7 @@ for that domain exists or not. it. It must essentially be an Active Directory identity store. The wizard will bind the reports generated in Directory Manager 10 to the identity store, so you will be able to view them in Directory Manager 11.1. - ![reports_upgrade](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/reports_upgrade.webp) + ![reports_upgrade](/img/product_docs/groupid/groupid/install/upgrade/reports_upgrade.webp) NOTE: If no report has been generated in Directory Manager 10, the page related to reports upgrade will not be displayed. 
@@ -153,13 +153,13 @@ Consider the following: wizard will display the following page that will list all such schedules. Select an identity store for each schedule, so that the schedule moves to that identity store. - ![store_selection_for_schedules](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/store_selection_for_schedules.webp) + ![store_selection_for_schedules](/img/product_docs/groupid/groupid/install/upgrade/store_selection_for_schedules.webp) The rules stated above also apply to schedules with job collections added to them. Step 14 – Click **Next**. -![Summary page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/5-summary.webp) +![Summary page](/img/product_docs/groupid/groupid/install/upgrade/5-summary.webp) This page displays a complete summary of the data to be copied/upgraded for your selected options. These options were selected on the Select modules to upgrade page.. @@ -170,14 +170,14 @@ remain intact in the source Directory Manager version. Step 15 – Review the summary and click **Next**. -![Upgrade Progress page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/6-upgrade_process_complete.webp) +![Upgrade Progress page](/img/product_docs/groupid/groupid/install/upgrade/6-upgrade_process_complete.webp) Directory Manager is upgraded while the Upgrade Process displays the upgrade progress. On successful upgrade, the Upgradce Completed message above the progress bar is displayed. Step 16 – Click **Next**. -![Upgrade Completed page](../../../../../../static/img/product_docs/groupid/groupid/install/upgrade/7-upgrade_complete.webp) +![Upgrade Completed page](/img/product_docs/groupid/groupid/install/upgrade/7-upgrade_complete.webp) The Upgrade Completed page displays the status of features selected for upgrade. diff --git a/docs/groupid/11.1/groupid/managementshell/commands.md b/docs/groupid/11.1/groupid/managementshell/commands.md index 5bd8cdfc03..e24c53e3af 100644 
--- a/docs/groupid/11.1/groupid/managementshell/commands.md +++ b/docs/groupid/11.1/groupid/managementshell/commands.md 
@@ -5,121 +5,121 @@ cmdlet. ## Contact Cmdlets -- [Get-Contact](contact/getcontact.md) -- [New-Contact](contact/newcontact.md) -- [Remove-Contact](contact/removecontact.md) -- [Set-Contact](contact/setcontact.md) +- [Get-Contact](/docs/groupid/11.1/groupid/managementshell/contact/getcontact.md) +- [New-Contact](/docs/groupid/11.1/groupid/managementshell/contact/newcontact.md) +- [Remove-Contact](/docs/groupid/11.1/groupid/managementshell/contact/removecontact.md) +- [Set-Contact](/docs/groupid/11.1/groupid/managementshell/contact/setcontact.md) ## Dynasty Cmdlets -- [New-Dynasty](dynasty/newdynasty.md) -- [Set-Dynasty](dynasty/setdynasty.md) +- [New-Dynasty](/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md) +- [Set-Dynasty](/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md) ## General Cmdlets -- [Get-Computer](general/getcomputer.md) -- [Get-ConnectedStoreInformation](general/getconnectedstoreinformation.md) -- [Get-ConnectedUser](general/getconnecteduser.md) -- [Get-GroupIdInformation](general/getgroupidinformation.md) -- [Get-ImanamiCommand](general/getimanamicommand.md) -- [Get-ReplicationStatus](general/getreplicationstatus.md) -- [Get-TombStoneObject](general/gettombstoneobject.md) -- [Invoke-Replication](general/invokereplication.md) -- [New-Container](general/newcontainer.md) -- [Remove-Container](general/removecontainer.md) -- [Restore-TombStoneObject](general/restoretombstoneobject.md) -- [Send-Notification](general/sendnotification.md) +- [Get-Computer](/docs/groupid/11.1/groupid/managementshell/general/getcomputer.md) +- [Get-ConnectedStoreInformation](/docs/groupid/11.1/groupid/managementshell/general/getconnectedstoreinformation.md) +- [Get-ConnectedUser](/docs/groupid/11.1/groupid/managementshell/general/getconnecteduser.md) +- [Get-GroupIdInformation](/docs/groupid/11.1/groupid/managementshell/general/getgroupidinformation.md) +- 
[Get-ImanamiCommand](/docs/groupid/11.1/groupid/managementshell/general/getimanamicommand.md) +- [Get-ReplicationStatus](/docs/groupid/11.1/groupid/managementshell/general/getreplicationstatus.md) +- [Get-TombStoneObject](/docs/groupid/11.1/groupid/managementshell/general/gettombstoneobject.md) +- [Invoke-Replication](/docs/groupid/11.1/groupid/managementshell/general/invokereplication.md) +- [New-Container](/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md) +- [Remove-Container](/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md) +- [Restore-TombStoneObject](/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md) +- [Send-Notification](/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md) ## Group Cmdlets -- [Convert-Group](group/convertgroup.md) -- [Expire-Group](group/expiregroup.md) -- [Get-Group](group/getgroup.md) -- [Move-Group](group/movegroup.md) -- [New-Group](group/newgroup.md) -- [Remove-Group](group/remove-group.md) -- [Renew-Group](group/renewgroup.md) -- [Set-Group](group/setgroup.md) +- [Convert-Group](/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md) +- [Expire-Group](/docs/groupid/11.1/groupid/managementshell/group/expiregroup.md) +- [Get-Group](/docs/groupid/11.1/groupid/managementshell/group/getgroup.md) +- [Move-Group](/docs/groupid/11.1/groupid/managementshell/group/movegroup.md) +- [New-Group](/docs/groupid/11.1/groupid/managementshell/group/newgroup.md) +- [Remove-Group](/docs/groupid/11.1/groupid/managementshell/group/remove-group.md) +- [Renew-Group](/docs/groupid/11.1/groupid/managementshell/group/renewgroup.md) +- [Set-Group](/docs/groupid/11.1/groupid/managementshell/group/setgroup.md) ## Identity Store Cmdlets -- [Clear-MessagingServer](identitystore/clearmessagingserver.md) -- [Clear-Notifications](identitystore/clearnotifications.md) -- [Clear-SmtpServer](identitystore/clearsmtpserver.md) -- 
[Get-AvailableMessagingServers](identitystore/getavailablemessagingservers.md) -- [Get-Client](identitystore/getclient.md) -- [Get-IdentityStore](identitystore/getidentitystore.md) -- [Get-IdentityStoreRoles](identitystore/getidentitystoreroles.md) -- [Get-LogSettings](identitystore/getlogsettings.md) -- [Get-RolePermissionNames](identitystore/getrolepermissionnames.md) -- [Get-SchemaAttributes](identitystore/getschemaattributes.md) -- [Get-SmsGateways](identitystore/getsmsgateways.md) -- [Get-UserRole](identitystore/getuserrole.md) -- [New-IdentityStore](identitystore/newidentitystore.md) -- [Remove-IdentityStore](identitystore/removeidentitystore.md) -- [Send-TestNotification](identitystore/sendtestnotification.md) -- [Set-IdentityStore](identitystore/setidentitystore.md) -- [Set-IdentityStoreRole](identitystore/setidentitystorerole.md) -- [Set-MessagingServer](identitystore/setmessagingserver.md) -- [Set-Notifications](identitystore/setnotifications.md) -- [Set-SmtpServer](identitystore/setsmtpserver.md) +- [Clear-MessagingServer](/docs/groupid/11.1/groupid/managementshell/identitystore/clearmessagingserver.md) +- [Clear-Notifications](/docs/groupid/11.1/groupid/managementshell/identitystore/clearnotifications.md) +- [Clear-SmtpServer](/docs/groupid/11.1/groupid/managementshell/identitystore/clearsmtpserver.md) +- [Get-AvailableMessagingServers](/docs/groupid/11.1/groupid/managementshell/identitystore/getavailablemessagingservers.md) +- [Get-Client](/docs/groupid/11.1/groupid/managementshell/identitystore/getclient.md) +- [Get-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/getidentitystore.md) +- [Get-IdentityStoreRoles](/docs/groupid/11.1/groupid/managementshell/identitystore/getidentitystoreroles.md) +- [Get-LogSettings](/docs/groupid/11.1/groupid/managementshell/identitystore/getlogsettings.md) +- [Get-RolePermissionNames](/docs/groupid/11.1/groupid/managementshell/identitystore/getrolepermissionnames.md) +- 
[Get-SchemaAttributes](/docs/groupid/11.1/groupid/managementshell/identitystore/getschemaattributes.md) +- [Get-SmsGateways](/docs/groupid/11.1/groupid/managementshell/identitystore/getsmsgateways.md) +- [Get-UserRole](/docs/groupid/11.1/groupid/managementshell/identitystore/getuserrole.md) +- [New-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/newidentitystore.md) +- [Remove-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/removeidentitystore.md) +- [Send-TestNotification](/docs/groupid/11.1/groupid/managementshell/identitystore/sendtestnotification.md) +- [Set-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/setidentitystore.md) +- [Set-IdentityStoreRole](/docs/groupid/11.1/groupid/managementshell/identitystore/setidentitystorerole.md) +- [Set-MessagingServer](/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md) +- [Set-Notifications](/docs/groupid/11.1/groupid/managementshell/identitystore/setnotifications.md) +- [Set-SmtpServer](/docs/groupid/11.1/groupid/managementshell/identitystore/setsmtpserver.md) ## Identity Store Connection Cmdlets -- [Connect-IdentityStore](identitystoreconnection/connectidentitystore.md) -- [Get-Token](identitystoreconnection/gettoken.md) +- [Connect-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md) +- [Get-Token](/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md) ## Mailbox Cmdlets -- [Get-Mailbox](mailbox/getmailbox.md) -- [New-Mailbox](mailbox/newmailbox.md) -- [Remove-Mailbox](mailbox/removemailbox.md) -- [Set-Mailbox](mailbox/setmailbox.md) +- [Get-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md) +- [New-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/newmailbox.md) +- [Remove-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/removemailbox.md) +- 
[Set-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/setmailbox.md) ## Mail-Enable/Disable Groups Cmdlets -- [Disable-DistributionGroup](mailenableddisabledgroups/disabledistributiongroup.md) -- [Enable-DistributionGroup](mailenableddisabledgroups/enabledistributiongroup.md) +- [Disable-DistributionGroup](/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/disabledistributiongroup.md) +- [Enable-DistributionGroup](/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/enabledistributiongroup.md) ## Membership Cmdlets -- [Add-GroupMember](membership/addgroupmember.md) -- [Get-GroupMember](membership/getgroupmember.md) -- [Get-Object](membership/getobject.md) -- [Remove-GroupMember](membership/removegroupmember.md) -- [Set-Object](membership/setobject.md) +- [Add-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md) +- [Get-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md) +- [Get-Object](/docs/groupid/11.1/groupid/managementshell/membership/getobject.md) +- [Remove-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md) +- [Set-Object](/docs/groupid/11.1/groupid/managementshell/membership/setobject.md) ## Scheduling Cmdlets -- [Get-Schedule](scheduling/getschedule.md) -- [Get-TargetSchedules](scheduling/gettargetschedule.md) -- [ Invoke-Schedule](scheduling/invokeschedule.md) -- [New-Schedule](scheduling/newschedule.md) -- [Remove-Schedule](scheduling/removeschedule.md) -- [Set-Schedule](scheduling/setschedule.md) -- [Stop-Schedule](scheduling/stopschedule.md) +- [Get-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/getschedule.md) +- [Get-TargetSchedules](/docs/groupid/11.1/groupid/managementshell/scheduling/gettargetschedule.md) +- [ Invoke-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/invokeschedule.md) +- [New-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/newschedule.md) 
+- [Remove-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/removeschedule.md) +- [Set-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/setschedule.md) +- [Stop-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/stopschedule.md) ## Smart Group Cmdlets -- [ConvertTo-StaticGroup](smartgroup/converttostaticgroup.md) -- [Get-SmartGroup](smartgroup/getsmartgroup.md) -- [New-SmartGroup](smartgroup/newsmartgroup.md) -- [Set-SmartGroup](smartgroup/setsmartgroup.md) -- [Update-Group](smartgroup/updategroup.md) -- [Upgrade-Group](smartgroup/upgradegroup.md) +- [ConvertTo-StaticGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/converttostaticgroup.md) +- [Get-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/getsmartgroup.md) +- [New-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md) +- [Set-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md) +- [Update-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md) +- [Upgrade-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md) ## User Cmdlets -- [Get-User](user/getuser.md) -- [Get-UserEnrollment](user/getuserenrollment.md) -- [New-User](user/newuser.md) -- [Remove-User](user/removeuser.md) -- [Set-User ](user/setuser.md) +- [Get-User](/docs/groupid/11.1/groupid/managementshell/user/getuser.md) +- [Get-UserEnrollment](/docs/groupid/11.1/groupid/managementshell/user/getuserenrollment.md) +- [New-User](/docs/groupid/11.1/groupid/managementshell/user/newuser.md) +- [Remove-User](/docs/groupid/11.1/groupid/managementshell/user/removeuser.md) +- [Set-User ](/docs/groupid/11.1/groupid/managementshell/user/setuser.md) ## User Lifecycle Cmdlets -- [Extend-User](userlifecycle/extenduser.md) -- [Get-Status](userlifecycle/getstatus.md) -- [Reinstate-User](userlifecycle/reinstateuser.md) -- [Terminate-DirectReports](userlifecycle/terminatedirectreports.md) -- 
[Transfer-DirectReports ](userlifecycle/transferdirectreports.md) +- [Extend-User](/docs/groupid/11.1/groupid/managementshell/userlifecycle/extenduser.md) +- [Get-Status](/docs/groupid/11.1/groupid/managementshell/userlifecycle/getstatus.md) +- [Reinstate-User](/docs/groupid/11.1/groupid/managementshell/userlifecycle/reinstateuser.md) +- [Terminate-DirectReports](/docs/groupid/11.1/groupid/managementshell/userlifecycle/terminatedirectreports.md) +- [Transfer-DirectReports ](/docs/groupid/11.1/groupid/managementshell/userlifecycle/transferdirectreports.md) diff --git a/docs/groupid/11.1/groupid/managementshell/contact/overview.md b/docs/groupid/11.1/groupid/managementshell/contact/overview.md index 9682b4e615..38df2b2770 100644 --- a/docs/groupid/11.1/groupid/managementshell/contact/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/contact/overview.md @@ -2,7 +2,7 @@ Directory Manager provides the following cmdlets to perform contact-related tasks, such as: -- [Get-Contact](getcontact.md) – Retrieves a contact that matches the given criteria. -- [New-Contact](newcontact.md) – Creates a new contact. -- [Remove-Contact](removecontact.md) – Removes a contact from the directory. -- [Set-Contact](setcontact.md) – Modifies a contact in the directory. +- [Get-Contact](/docs/groupid/11.1/groupid/managementshell/contact/getcontact.md) – Retrieves a contact that matches the given criteria. +- [New-Contact](/docs/groupid/11.1/groupid/managementshell/contact/newcontact.md) – Creates a new contact. +- [Remove-Contact](/docs/groupid/11.1/groupid/managementshell/contact/removecontact.md) – Removes a contact from the directory. +- [Set-Contact](/docs/groupid/11.1/groupid/managementshell/contact/setcontact.md) – Modifies a contact in the directory. diff --git a/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md b/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md index 49a427c4f1..7e9d843c37 100644 
--- a/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md +++ b/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md @@ -101,7 +101,7 @@ Example 2: The following command creates a new mail-enabled, universal, distribution, multi-level Dynasty with the group-by attributes Country, State and City based on the specified filters and separator, using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/dynasty/overview.md b/docs/groupid/11.1/groupid/managementshell/dynasty/overview.md index 3ed0f686d6..54ce23f1d8 100644 --- a/docs/groupid/11.1/groupid/managementshell/dynasty/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/dynasty/overview.md @@ -2,5 +2,5 @@ This section covers the following cmdlets for managing Dynasties. -- [New-Dynasty](newdynasty.md) – Creates a new Dynasty. -- [Set-Dynasty](setdynasty.md) – Modifies a Dynasty or its children. +- [New-Dynasty](/docs/groupid/11.1/groupid/managementshell/dynasty/newdynasty.md) – Creates a new Dynasty. +- [Set-Dynasty](/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md) – Modifies a Dynasty or its children. diff --git a/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md b/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md index d6dfafcfb0..e0b2464173 100644 --- a/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md +++ b/docs/groupid/11.1/groupid/managementshell/dynasty/setdynasty.md 
@@ -140,7 +140,7 @@ The command below modifies the Top Manager of a Managerial Dynasty, changes the display name templates for the Dynasty children, sets the scope to search Dynasty children in the containers specified in the Add parameter excluding sub-containers using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md b/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md index d679afdf39..99dacee429 100644 --- a/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md +++ b/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md @@ -35,7 +35,7 @@ Example 2: The following command creates the organizational unit _Local Recruiting_ inside the _Recruiting_ container in Directory using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/general/overview.md b/docs/groupid/11.1/groupid/managementshell/general/overview.md index 7b66d83f1d..7d4b746a21 100644 --- a/docs/groupid/11.1/groupid/managementshell/general/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/general/overview.md 
@@ -2,20 +2,20 @@ You can use the following Management Shell cmdlets to perform tasks such as: -- [Get-Computer](getcomputer.md) – Provides information about a computer object. -- [Get-ConnectedStoreInformation](getconnectedstoreinformation.md) – Provides information about the +- [Get-Computer](/docs/groupid/11.1/groupid/managementshell/general/getcomputer.md) – Provides information about a computer object. +- [Get-ConnectedStoreInformation](/docs/groupid/11.1/groupid/managementshell/general/getconnectedstoreinformation.md) – Provides information about the connected identity store. -- [Get-ConnectedUser](getconnecteduser.md) – Provides information about the connected user. -- [Get-GroupIdInformation](getgroupidinformation.md) – Provides information about GroupID. -- [Get-ImanamiCommand](getimanamicommand.md) – Provides basic information about GroupID Management +- [Get-ConnectedUser](/docs/groupid/11.1/groupid/managementshell/general/getconnecteduser.md) – Provides information about the connected user. +- [Get-GroupIdInformation](/docs/groupid/11.1/groupid/managementshell/general/getgroupidinformation.md) – Provides information about GroupID. +- [Get-ImanamiCommand](/docs/groupid/11.1/groupid/managementshell/general/getimanamicommand.md) – Provides basic information about GroupID Management Shell cmdlets. -- [Get-ReplicationStatus](getreplicationstatus.md) – Provides the replication status of objects in +- [Get-ReplicationStatus](/docs/groupid/11.1/groupid/managementshell/general/getreplicationstatus.md) – Provides the replication status of objects in an identity store. -- [Get-TombStoneObject](gettombstoneobject.md) – Displays information about tombstone objects. -- [Invoke-Replication](invokereplication.md) – Starts the replication process for all the identity +- [Get-TombStoneObject](/docs/groupid/11.1/groupid/managementshell/general/gettombstoneobject.md) – Displays information about tombstone objects. 
+- [Invoke-Replication](/docs/groupid/11.1/groupid/managementshell/general/invokereplication.md) – Starts the replication process for all the identity stores or for a specific identity store. -- [New-Container](newcontainer.md) – Creates a new organizational unit. -- [Remove-Container](removecontainer.md) – Removes an empty organizational unit. -- [Restore-TombStoneObject](restoretombstoneobject.md) – Restores tombstone objects from the +- [New-Container](/docs/groupid/11.1/groupid/managementshell/general/newcontainer.md) – Creates a new organizational unit. +- [Remove-Container](/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md) – Removes an empty organizational unit. +- [Restore-TombStoneObject](/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md) – Restores tombstone objects from the directory. -- [Send-Notification](sendnotification.md) – Sends notifications to a group or a user. +- [Send-Notification](/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md) – Sends notifications to a group or a user. diff --git a/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md b/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md index dc6d0bb9a4..a2c9e21528 100644 --- a/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md +++ b/docs/groupid/11.1/groupid/managementshell/general/removecontainer.md @@ -32,7 +32,7 @@ Example 2: The following command first shows the changes that result from executing the command. The command uses the credentials set in the $Credentials environment variable to perform the deletion. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in the environment variable. ``` 
diff --git a/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md b/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md index 3030dad481..ef61cf3795 100644 --- a/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md +++ b/docs/groupid/11.1/groupid/managementshell/general/restoretombstoneobject.md @@ -23,7 +23,7 @@ Example: The following command restores the tombstone group Event Management, using the credentials set in the $Creds environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md b/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md index 0c6f19ab1d..87fda4c45a 100644 --- a/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md +++ b/docs/groupid/11.1/groupid/managementshell/general/sendnotification.md @@ -57,7 +57,7 @@ Example 2: The following command sends a notification to the New Arrivals group. It uses a custom template with an in-line image and uses the credentials of the user set in the $Credentials environment variable. -See the [Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for +See the [Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md b/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md index 17fdccb05a..0db42563c5 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md +++ b/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md 
@@ -6,7 +6,7 @@ Directory Manager Management Shell prompts for the identity of the unmanaged gro convert into a Smart Group. After executing, the commandlet displays the status that update is successful as shown in the following snapshot: -![managementshell](../../../../../../static/img/product_docs/groupid/groupid/managementshell/group/managementshell.webp) +![managementshell](/img/product_docs/groupid/groupid/managementshell/group/managementshell.webp) The converted Smart Group will not have an LDAP query attached to it. You have to define it manually. diff --git a/docs/groupid/11.1/groupid/managementshell/group/getgroup.md b/docs/groupid/11.1/groupid/managementshell/group/getgroup.md index 87d2c07e4b..e6ba643480 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/getgroup.md +++ b/docs/groupid/11.1/groupid/managementshell/group/getgroup.md @@ -42,7 +42,7 @@ The following command retrieves all groups with a display name beginning with S containers specified by the SearchContainer parameter including sub-containers of the first base container and excluding sub-containers of the second one using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/group/movegroup.md b/docs/groupid/11.1/groupid/managementshell/group/movegroup.md index 4976e2d402..c147cb8426 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/movegroup.md +++ b/docs/groupid/11.1/groupid/managementshell/group/movegroup.md 
@@ -36,7 +36,7 @@ Example 2: The following command moves the group _Training_ to the _OffShore Recruiting_ organizational unit. The command uses the credentials set in the $Credentials environment variable for moving a group. -See the [Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for +See the [Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/group/newgroup.md b/docs/groupid/11.1/groupid/managementshell/group/newgroup.md index ad1ceadf03..ff988a0175 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/newgroup.md +++ b/docs/groupid/11.1/groupid/managementshell/group/newgroup.md @@ -53,7 +53,7 @@ Example 2: The command below creates a new mail-enabled, domain-local, semi-private, security group in the container specified by the **OrganizationalUnit** parameter, using the credentials set in the **$Credentials** environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/group/overview.md b/docs/groupid/11.1/groupid/managementshell/group/overview.md index a1d0d10b80..9fee5f523c 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/group/overview.md 
@@ -2,13 +2,13 @@ This section covers cmdlets for performing tasks related to managed and unmanaged groups. -- [Convert-Group](convertgroup.md) – Converts an unmanaged group to a Smart Group. -- [Expire-Group](expiregroup.md) – Expires a group temporarily. -- [Get-Group](getgroup.md) – Retrieves groups from one or more containers. -- [Move-Group](movegroup.md) – Moves a group to a different container in the same domain or in a +- [Convert-Group](/docs/groupid/11.1/groupid/managementshell/group/convertgroup.md) – Converts an unmanaged group to a Smart Group. +- [Expire-Group](/docs/groupid/11.1/groupid/managementshell/group/expiregroup.md) – Expires a group temporarily. +- [Get-Group](/docs/groupid/11.1/groupid/managementshell/group/getgroup.md) – Retrieves groups from one or more containers. +- [Move-Group](/docs/groupid/11.1/groupid/managementshell/group/movegroup.md) – Moves a group to a different container in the same domain or in a different domain. -- [New-Group](newgroup.md) – Creates an unmanaged group. -- [Remove-Group](remove-group.md) – Deletes a managed group, unmanaged group, or Dynasty in the +- [New-Group](/docs/groupid/11.1/groupid/managementshell/group/newgroup.md) – Creates an unmanaged group. +- [Remove-Group](/docs/groupid/11.1/groupid/managementshell/group/remove-group.md) – Deletes a managed group, unmanaged group, or Dynasty in the directory. -- [Renew-Group](renewgroup.md) – Reactivates an expired group. -- [Set-Group](setgroup.md) – Modifies an unmanaged group in the directory. +- [Renew-Group](/docs/groupid/11.1/groupid/managementshell/group/renewgroup.md) – Reactivates an expired group. +- [Set-Group](/docs/groupid/11.1/groupid/managementshell/group/setgroup.md) – Modifies an unmanaged group in the directory. diff --git a/docs/groupid/11.1/groupid/managementshell/group/remove-group.md b/docs/groupid/11.1/groupid/managementshell/group/remove-group.md index d5aa93943c..6a0e397657 100644 
--- a/docs/groupid/11.1/groupid/managementshell/group/remove-group.md +++ b/docs/groupid/11.1/groupid/managementshell/group/remove-group.md @@ -34,7 +34,7 @@ Example 2: The following command first shows the changes that will be made by executing the command (a deletion). The command uses the credentials set in the $Credentials environment variable to perform -the deletion. See the [Set the $Credentials Environment Variable](../parameters/setthecredential.md) +the deletion. See the [Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/group/setgroup.md b/docs/groupid/11.1/groupid/managementshell/group/setgroup.md index 9bd0f25b90..3b381f58d5 100644 --- a/docs/groupid/11.1/groupid/managementshell/group/setgroup.md +++ b/docs/groupid/11.1/groupid/managementshell/group/setgroup.md @@ -3,7 +3,7 @@ The Set-Group commandlet modifies an unmanaged group in directory. However, you can use this commandlet to modify those parameters of a Smart Group that are native attributes of an unmanaged group in Directory. For modifying Smart Group-specific attributes, you can use the -[Set-SmartGroup](../smartgroup/setsmartgroup.md) commandlet. +[Set-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md) commandlet. You can view events related to this commandlet in Directory Manager portal, against the History node in the left panel. @@ -92,7 +92,7 @@ Example 2: The following command expires the group Training, using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` 
diff --git a/docs/groupid/11.1/groupid/managementshell/identitystore/overview.md b/docs/groupid/11.1/groupid/managementshell/identitystore/overview.md index 63d61a76d7..3cff09d3dc 100644 --- a/docs/groupid/11.1/groupid/managementshell/identitystore/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/identitystore/overview.md 
@@ -2,35 +2,35 @@ This section covers cmdlets for performing identity store-related tasks such as: -- [Clear-MessagingServer](clearmessagingserver.md) – Removes a configured messaging server. -- [Clear-Notifications](clearnotifications.md) – Removes notification settings of an identity store. -- [Clear-SmtpServer](clearsmtpserver.md) – Removes a configured SMTP server of an identity store. -- [Get-AvailableMessagingServers](getavailablemessagingservers.md) – Retrieves messaging servers for +- [Clear-MessagingServer](/docs/groupid/11.1/groupid/managementshell/identitystore/clearmessagingserver.md) – Removes a configured messaging server. +- [Clear-Notifications](/docs/groupid/11.1/groupid/managementshell/identitystore/clearnotifications.md) – Removes notification settings of an identity store. +- [Clear-SmtpServer](/docs/groupid/11.1/groupid/managementshell/identitystore/clearsmtpserver.md) – Removes a configured SMTP server of an identity store. +- [Get-AvailableMessagingServers](/docs/groupid/11.1/groupid/managementshell/identitystore/getavailablemessagingservers.md) – Retrieves messaging servers for the configured messaging provider. -- [Get-Client](getclient.md) – Lists information about the Directory Manager clients. -- [Get-IdentityStore](getidentitystore.md) – Retrieves information about an identity store. -- [Get-IdentityStoreRoles](getidentitystoreroles.md) – Retrieves information about the security +- [Get-Client](/docs/groupid/11.1/groupid/managementshell/identitystore/getclient.md) – Lists information about the Directory Manager clients. +- [Get-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/getidentitystore.md) – Retrieves information about an identity store. 
+- [Get-IdentityStoreRoles](/docs/groupid/11.1/groupid/managementshell/identitystore/getidentitystoreroles.md) – Retrieves information about the security roles in an identity store -- [Get-LogSettings](getlogsettings.md) – Provides information about the global log settings of an +- [Get-LogSettings](/docs/groupid/11.1/groupid/managementshell/identitystore/getlogsettings.md) – Provides information about the global log settings of an identity store. -- [Get-RolePermissionNames](getrolepermissionnames.md) – Lists the permissions assigned to the +- [Get-RolePermissionNames](/docs/groupid/11.1/groupid/managementshell/identitystore/getrolepermissionnames.md) – Lists the permissions assigned to the logged-in user. -- [Get-SchemaAttributes](getschemaattributes.md) – Lists schema attributes available for an identity +- [Get-SchemaAttributes](/docs/groupid/11.1/groupid/managementshell/identitystore/getschemaattributes.md) – Lists schema attributes available for an identity store. -- [Get-SmsGateways](getsmsgateways.md) – Provides information of the configured SMS gateways. -- [Get-UserRole](getuserrole.md) – Displays role information of a user in an identity store. -- [New-IdentityStore](newidentitystore.md) – Creates a new identity store. -- [Remove-IdentityStore](removeidentitystore.md) – Removes an identity store from Directory Manager. -- [Send-TestNotification](sendtestnotification.md) – Sends a test notification. -- [Set-IdentityStore](setidentitystore.md) – Modifies an identity store configuration. -- [Set-IdentityStoreRole](setidentitystorerole.md) – Modifies properties of a security role in an +- [Get-SmsGateways](/docs/groupid/11.1/groupid/managementshell/identitystore/getsmsgateways.md) – Provides information of the configured SMS gateways. +- [Get-UserRole](/docs/groupid/11.1/groupid/managementshell/identitystore/getuserrole.md) – Displays role information of a user in an identity store. 
+- [New-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/newidentitystore.md) – Creates a new identity store. +- [Remove-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/removeidentitystore.md) – Removes an identity store from Directory Manager. +- [Send-TestNotification](/docs/groupid/11.1/groupid/managementshell/identitystore/sendtestnotification.md) – Sends a test notification. +- [Set-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystore/setidentitystore.md) – Modifies an identity store configuration. +- [Set-IdentityStoreRole](/docs/groupid/11.1/groupid/managementshell/identitystore/setidentitystorerole.md) – Modifies properties of a security role in an identity store. -- [Set-MessagingServer](setmessagingserver.md) – Configures a messaging server in an identity store. -- [Set-Notifications](setnotifications.md) – Modifies notification settings of an identity store. -- [Set-SmtpServer](setsmtpserver.md) – Configures an SMTP server of an identity store. +- [Set-MessagingServer](/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md) – Configures a messaging server in an identity store. +- [Set-Notifications](/docs/groupid/11.1/groupid/managementshell/identitystore/setnotifications.md) – Modifies notification settings of an identity store. +- [Set-SmtpServer](/docs/groupid/11.1/groupid/managementshell/identitystore/setsmtpserver.md) – Configures an SMTP server of an identity store. See Also -- [Directory Manager Management Shell](../overview.md) -- [All Commands](../commands.md) -- [Parameters](../parameters/parameters.md) +- [Directory Manager Management Shell](/docs/groupid/11.1/groupid/managementshell/overview.md) +- [All Commands](/docs/groupid/11.1/groupid/managementshell/commands.md) +- [Parameters](/docs/groupid/11.1/groupid/managementshell/parameters/parameters.md) 
diff --git a/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md b/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md index cadcaf37bd..7fe3369dd7 100644 --- a/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md +++ b/docs/groupid/11.1/groupid/managementshell/identitystore/setmessagingserver.md @@ -2,7 +2,7 @@ The commandlet Set-MessagingServer configures a messaging system in identity store. The SmtpServer parameter requires the server name of the messaging system to be specified. -[Get-AvailableMessagingServers](getavailablemessagingservers.md) commandlet can be used to retrieve +[Get-AvailableMessagingServers](/docs/groupid/11.1/groupid/managementshell/identitystore/getavailablemessagingservers.md) commandlet can be used to retrieve the server names of the messaging systems. This commandlet also has some parameters that appear depending on the value of the Provider diff --git a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md index 4ae152f711..96d36f5179 100644 --- a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md +++ b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md @@ -26,7 +26,7 @@ Example: The following command connects you to the identity store specified by the IdentityStoreId parameter using the specified authentication mode and credentials that you set in the $Credentials environment -variable. See the [Set the $Credentials Environment Variable](../parameters/setthecredential.md) +variable. See the [Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` 
diff --git a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md index ddd1fb4e85..8ce4d87359 100644 --- a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md +++ b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md @@ -30,7 +30,7 @@ Example: The following command returns a token for the identity store specified by the **IdentityStoreId** parameter using the specified authentication mode and credentials that you set in the **$Credentials** environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/overview.md b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/overview.md index c7718a03cd..cb600c600f 100644 --- a/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/overview.md @@ -2,6 +2,6 @@ This section covers cmdlets for establishing a connection with an identity store. -- [Connect-IdentityStore](connectidentitystore.md) – Connects to an identity store using the +- [Connect-IdentityStore](/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/connectidentitystore.md) – Connects to an identity store using the authentication mode mentioned. -- [Get-Token](gettoken.md) – Gets a token from the Directory Manager Security service. +- [Get-Token](/docs/groupid/11.1/groupid/managementshell/identitystoreconnection/gettoken.md) – Gets a token from the Directory Manager Security service. 
diff --git a/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md b/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md index 195fdbfa39..7c08f67e0f 100644 --- a/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md +++ b/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md @@ -38,6 +38,6 @@ Get-MailBox -Identity "OsamaMailBox" See Also -- [All Commands](../commands.md) -- [Mailbox Commands](overview.md) -- [Parameters](../parameters/parameters.md) +- [All Commands](/docs/groupid/11.1/groupid/managementshell/commands.md) +- [Mailbox Commands](/docs/groupid/11.1/groupid/managementshell/mailbox/overview.md) +- [Parameters](/docs/groupid/11.1/groupid/managementshell/parameters/parameters.md) diff --git a/docs/groupid/11.1/groupid/managementshell/mailbox/overview.md b/docs/groupid/11.1/groupid/managementshell/mailbox/overview.md index c14f4408be..26d626d341 100644 --- a/docs/groupid/11.1/groupid/managementshell/mailbox/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/mailbox/overview.md @@ -2,7 +2,7 @@ This section covers cmdlets for performing mailbox-specific tasks such as: -- [Get-Mailbox](getmailbox.md) – Retrieves a mailbox. -- [New-Mailbox](newmailbox.md) – Creates a new mailbox. -- [Remove-Mailbox](removemailbox.md) – Deletes a mailbox. -- [Set-Mailbox](setmailbox.md) – Modifies a mailbox. +- [Get-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/getmailbox.md) – Retrieves a mailbox. +- [New-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/newmailbox.md) – Creates a new mailbox. +- [Remove-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/removemailbox.md) – Deletes a mailbox. +- [Set-Mailbox](/docs/groupid/11.1/groupid/managementshell/mailbox/setmailbox.md) – Modifies a mailbox. 
diff --git a/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/overview.md b/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/overview.md index 55539b21f3..45b985ea9e 100644 --- a/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/overview.md @@ -2,5 +2,5 @@ This section covers cmdlets for enabling and disabling groups for email. -- [Disable-DistributionGroup](disabledistributiongroup.md) – disables a group's email capability. -- [Enable-DistributionGroup](enabledistributiongroup.md) – enable a group's email capability. +- [Disable-DistributionGroup](/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/disabledistributiongroup.md) – disables a group's email capability. +- [Enable-DistributionGroup](/docs/groupid/11.1/groupid/managementshell/mailenableddisabledgroups/enabledistributiongroup.md) – enable a group's email capability. diff --git a/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md b/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md index afd67d2497..d04fe30ba3 100644 --- a/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md +++ b/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md @@ -36,7 +36,7 @@ Example 1: The following command adds the user Brian Regan to the membership of the Event Management group using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` 
@@ -47,7 +47,7 @@ Example 2: The following command gets all users from the Local Recruiting container and adds them to the membership of the Event Management group. For detailed information about the Get-Object commandlet, -see [Get-Object](getobject.md). The OUT-NULL commandlet is used here to restrict the retrieved users +see [Get-Object](/docs/groupid/11.1/groupid/managementshell/membership/getobject.md). The OUT-NULL commandlet is used here to restrict the retrieved users information from appearing on the console. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md b/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md index 71a02be2c5..401bd0f4b0 100644 --- a/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md +++ b/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md @@ -24,7 +24,7 @@ Example 1: The following command retrieves all members of the Password_Expiry group using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/membership/getobject.md b/docs/groupid/11.1/groupid/managementshell/membership/getobject.md index 4a0afb6b3f..1292e2c8b8 100644 --- a/docs/groupid/11.1/groupid/managementshell/membership/getobject.md +++ b/docs/groupid/11.1/groupid/managementshell/membership/getobject.md 
@@ -39,7 +39,7 @@ Example 2: The command below retrieves the object Event Management starting from the container Recruiting excluding its sub-containers using the credentials set in the $Credentials environment variable. See -the [Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +the [Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/membership/overview.md b/docs/groupid/11.1/groupid/managementshell/membership/overview.md index a2a8ffc49f..912f5b0746 100644 --- a/docs/groupid/11.1/groupid/managementshell/membership/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/membership/overview.md @@ -2,8 +2,8 @@ This section covers cmdlets for managing the memberships of both managed and unmanaged groups. -- [Add-GroupMember](addgroupmember.md) – adds objects to the membership of a group. -- [Get-GroupMember](getgroupmember.md) – retrieves members of a group. -- [Get-Object](getobject.md) – retrieves objects. -- [Remove-GroupMember](removegroupmember.md) – removes recipients from a group's membership. -- [Set-Object](setobject.md) – modifies an object. +- [Add-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/addgroupmember.md) – adds objects to the membership of a group. +- [Get-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/getgroupmember.md) – retrieves members of a group. +- [Get-Object](/docs/groupid/11.1/groupid/managementshell/membership/getobject.md) – retrieves objects. +- [Remove-GroupMember](/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md) – removes recipients from a group's membership. +- [Set-Object](/docs/groupid/11.1/groupid/managementshell/membership/setobject.md) – modifies an object. 
diff --git a/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md b/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md index bdb8194c09..fe7b4bc5a4 100644 --- a/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md +++ b/docs/groupid/11.1/groupid/managementshell/membership/removegroupmember.md @@ -29,7 +29,7 @@ Example: The following command removes the user Brian Regan from the membership of the group Event Management using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/overview.md b/docs/groupid/11.1/groupid/managementshell/overview.md index e5a016542f..86361641e6 100644 --- a/docs/groupid/11.1/groupid/managementshell/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/overview.md 
@@ -40,20 +40,20 @@ to launch Directory Manager Management Shell 11.1. Step 2 – On the Netwrix Netwrix Directory Manager Authenticate page, select an identity store to connect to. -![Login page](../../../../../static/img/product_docs/groupid/groupid/managementshell/login.webp) +![Login page](/img/product_docs/groupid/groupid/managementshell/login.webp) NOTE: If your required identity store is not listed, contact the Directory Manager administrator. Step 3 – In the **Username** and **Password** boxes, provide the user name and password of your identity store account and click **Sign In**. -![Login page](../../../../../static/img/product_docs/groupid/groupid/managementshell/login-2.webp) +![Login page](/img/product_docs/groupid/groupid/managementshell/login-2.webp) NOTE: Click the **Edit** icon if you want to select another identity store to connect to. The Management Shell window appears as follows: -![GroupID Management Shell 11.0](../../../../../static/img/product_docs/groupid/groupid/managementshell/shell.webp) +![GroupID Management Shell 11.0](/img/product_docs/groupid/groupid/managementshell/shell.webp) It displays information about the connected identity store. @@ -92,7 +92,7 @@ Step 2 – At the command prompt, type: enable-psremoting ``` -![powershellwindow](../../../../../static/img/product_docs/groupid/groupid/managementshell/powershellwindow.webp) +![powershellwindow](/img/product_docs/groupid/groupid/managementshell/powershellwindow.webp) NOTE: By default, on Windows Server 2016, Windows PowerShell remoting is enabled. Use this command to re-enable remoting on Windows Server 2016 if it becomes disabled. 
@@ -110,7 +110,7 @@ new-PSSession –ComputerName This command creates a remote session on the local computer and returns an object that represents the session. The output should look as shown in the following snapshot: -![Management Shell Remote session](../../../../../static/img/product_docs/groupid/groupid/managementshell/pssessioncommand.webp) +![Management Shell Remote session](/img/product_docs/groupid/groupid/managementshell/pssessioncommand.webp) ### Access Directory Manager Management Shell Remotely @@ -145,7 +145,7 @@ desired identity store exists: 1. Login to SQL server (having Directory Manager database) with account having read permissions. 2. View the table “Svc.Identitystore” top 100 rows. See the following snapshot for details: - ![groupiddatabase](../../../../../static/img/product_docs/groupid/groupid/managementshell/groupiddatabase.webp) + ![groupiddatabase](/img/product_docs/groupid/groupid/managementshell/groupiddatabase.webp) Once the script has run, a remote session will be created. You can now run all Directory Manager cmdlets through PowerShell 7.4.6 without the need of signing into the Directory Manager server. diff --git a/docs/groupid/11.1/groupid/managementshell/scheduling/overview.md b/docs/groupid/11.1/groupid/managementshell/scheduling/overview.md index 78783fa3b0..b811f8d62e 100644 --- a/docs/groupid/11.1/groupid/managementshell/scheduling/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/scheduling/overview.md 
@@ -2,11 +2,11 @@ This section covers the cmdlets that perform scheduling-related operations. -- [Get-Schedule](getschedule.md) – retrieves scheduled jobs. -- [Get-TargetSchedules](gettargetschedule.md) – retrieves the scheduled jobs operating on a group or +- [Get-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/getschedule.md) – retrieves scheduled jobs. +- [Get-TargetSchedules](/docs/groupid/11.1/groupid/managementshell/scheduling/gettargetschedule.md) – retrieves the scheduled jobs operating on a group or OU. -- [ Invoke-Schedule](invokeschedule.md) – executes a scheduled job. -- [New-Schedule](newschedule.md) – creates a new schedule. -- [Remove-Schedule](removeschedule.md) – removes a schedule from an identity store. -- [Set-Schedule](setschedule.md) – modifies a schedule. -- [Stop-Schedule](stopschedule.md) – stops a running schedule. +- [ Invoke-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/invokeschedule.md) – executes a scheduled job. +- [New-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/newschedule.md) – creates a new schedule. +- [Remove-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/removeschedule.md) – removes a schedule from an identity store. +- [Set-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/setschedule.md) – modifies a schedule. +- [Stop-Schedule](/docs/groupid/11.1/groupid/managementshell/scheduling/stopschedule.md) – stops a running schedule. diff --git a/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md b/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md index 3f46b6adcc..1229b432ce 100644 --- a/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md +++ b/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md 
@@ -6,10 +6,10 @@ rules applied by a user-defined LDAP query. A Smart Group can also be defined as a Password Expiry group. A Password Expiry group is a dynamic group whose membership is based on password policy conditions defined by the administrator. The LDAP -query defined for a Smart Group can be updated any time using the [Set-SmartGroup](setsmartgroup.md) +query defined for a Smart Group can be updated any time using the [Set-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md) commandlet. When the LDAP query is changed, you must update the group once to modify its membership according to the changes made to the query. For information about updating a group, see -[Update-Group](updategroup.md). +[Update-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md). You can view events related to this commandlet in Directory Manager portal, against the History node in the left panel. diff --git a/docs/groupid/11.1/groupid/managementshell/smartgroup/overview.md b/docs/groupid/11.1/groupid/managementshell/smartgroup/overview.md index 154606b0a1..29e169b7b3 100644 --- a/docs/groupid/11.1/groupid/managementshell/smartgroup/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/smartgroup/overview.md 
@@ -2,13 +2,13 @@ This section covers cmdlets for managing Smart Groups. -- [ConvertTo-StaticGroup](converttostaticgroup.md) – Converts a Smart Group or a Dynasty to a static +- [ConvertTo-StaticGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/converttostaticgroup.md) – Converts a Smart Group or a Dynasty to a static group. -- [Get-SmartGroup](getsmartgroup.md) – Retrieves Smart Groups and Dynasties that match the given +- [Get-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/getsmartgroup.md) – Retrieves Smart Groups and Dynasties that match the given criteria. -- [New-SmartGroup](newsmartgroup.md) – Creates a new Smart Group (managed group) in the directory. -- [Set-SmartGroup](setsmartgroup.md) – Modifies a Smart Group in the directory. -- [Update-Group](updategroup.md) – Modifies the membership of a Smart Group or Dynasty according to +- [New-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/newsmartgroup.md) – Creates a new Smart Group (managed group) in the directory. +- [Set-SmartGroup](/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md) – Modifies a Smart Group in the directory. +- [Update-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md) – Modifies the membership of a Smart Group or Dynasty according to the results returned by the LDAP query. -- [Upgrade-Group](upgradegroup.md) – Upgrades managed (Smart Groups and Dynasties) and non-managed +- [Upgrade-Group](/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md) – Upgrades managed (Smart Groups and Dynasties) and non-managed groups from GroupID 9 and 10 to GroupID 11. diff --git a/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md b/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md index 8e82e6439d..542d19de3c 100644 --- a/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md 
+++ b/docs/groupid/11.1/groupid/managementshell/smartgroup/setsmartgroup.md @@ -2,7 +2,7 @@ The Set-SmartGroup commandlet modifies a Smart Group in Directory. Attributes that are common to both Smart Groups and unmanaged groups can also be modified using the -[Set-Group](../group/setgroup.md) commandlet. +[Set-Group](/docs/groupid/11.1/groupid/managementshell/group/setgroup.md) commandlet. You can view events related to this commandlet in Directory Manager portal, against the History node in the left panel. diff --git a/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md b/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md index f9a0ee2f00..3be574da50 100644 --- a/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md +++ b/docs/groupid/11.1/groupid/managementshell/smartgroup/updategroup.md @@ -38,7 +38,7 @@ Example 2: The following command updates all Smart Groups and Dynasties present in the container Training, using the credentials set in the $Credentials environment variable. See the -[Set the $Credentials Environment Variable](../parameters/setthecredential.md) topic for setting +[Set the $Credentials Environment Variable](/docs/groupid/11.1/groupid/managementshell/parameters/setthecredential.md) topic for setting credentials in an environment variable. ``` diff --git a/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md b/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md index e7854ec863..0ffee14fab 100644 --- a/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md +++ b/docs/groupid/11.1/groupid/managementshell/smartgroup/upgradegroup.md 
@@ -4,7 +4,7 @@ The Upgrade-Group commandlet upgrades managed (Smart Groups and Dynasties) and n GroupID 10 to Directory Manager 11.1 version. Before running this commandlet, make sure the configurations and history have been upgraded through the Directory Manager Upgrade wizard, only then this commandlet will upgrade the specified groups and their history successfully. See the -[Upgrade to Directory Manager 11](../../install/upgrade/upgrade.md) topic for additional information +[Upgrade to Directory Manager 11](/docs/groupid/11.1/groupid/install/upgrade/upgrade.md) topic for additional information on upgrade. ## Syntax @@ -54,6 +54,6 @@ Upgrade-Group -SearchContainerScopeList "1" -SearchContainer "GIDsmart1""OU=Jobs ``` NOTE: The group types 4 and 5 which are for middle and leaf dynasties are not supported in this -commandlet. See the [Parameters](../parameters/parameters.md) topic for additional information on -the supported parameters. See the [Parameters](../parameters/parameters.md) topic to get information +commandlet. See the [Parameters](/docs/groupid/11.1/groupid/managementshell/parameters/parameters.md) topic for additional information on +the supported parameters. See the [Parameters](/docs/groupid/11.1/groupid/managementshell/parameters/parameters.md) topic to get information about the parameters which you can use in the Directory Manager Management Shell commandlets. diff --git a/docs/groupid/11.1/groupid/managementshell/user/overview.md b/docs/groupid/11.1/groupid/managementshell/user/overview.md index 57798dc188..48947012e3 100644 --- a/docs/groupid/11.1/groupid/managementshell/user/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/user/overview.md 
@@ -2,9 +2,9 @@ This section covers cmdlets for performing user-related tasks such as: -- [Get-User](getuser.md) – Retrieves a user. -- [Get-UserEnrollment](getuserenrollment.md) – Displays information about the status of user +- [Get-User](/docs/groupid/11.1/groupid/managementshell/user/getuser.md) – Retrieves a user. +- [Get-UserEnrollment](/docs/groupid/11.1/groupid/managementshell/user/getuserenrollment.md) – Displays information about the status of user enrollment. -- [New-User](newuser.md) – Creates a new user. -- [Remove-User](removeuser.md) – Removes a user from the directory. -- [Set-User ](setuser.md) – Modifies a user in the directory +- [New-User](/docs/groupid/11.1/groupid/managementshell/user/newuser.md) – Creates a new user. +- [Remove-User](/docs/groupid/11.1/groupid/managementshell/user/removeuser.md) – Removes a user from the directory. +- [Set-User ](/docs/groupid/11.1/groupid/managementshell/user/setuser.md) – Modifies a user in the directory diff --git a/docs/groupid/11.1/groupid/managementshell/userlifecycle/overview.md b/docs/groupid/11.1/groupid/managementshell/userlifecycle/overview.md index 1b687764cf..85add5086b 100644 --- a/docs/groupid/11.1/groupid/managementshell/userlifecycle/overview.md +++ b/docs/groupid/11.1/groupid/managementshell/userlifecycle/overview.md 
@@ -2,8 +2,8 @@ This section covers the cmdlets for performing user lifecycle tasks such as: -- [Extend-User](extenduser.md) – Activates a user account for a specific number of days -- [Get-Status](getstatus.md) – Provides the status of a user as per the profile validation criteria. -- [Reinstate-User](reinstateuser.md) – Activates or disables a user. -- [Terminate-DirectReports](terminatedirectreports.md) – Terminates direct reports of a user. -- [Transfer-DirectReports ](transferdirectreports.md) – Transfers direct reports of a user. +- [Extend-User](/docs/groupid/11.1/groupid/managementshell/userlifecycle/extenduser.md) – Activates a user account for a specific number of days +- [Get-Status](/docs/groupid/11.1/groupid/managementshell/userlifecycle/getstatus.md) – Provides the status of a user as per the profile validation criteria. +- [Reinstate-User](/docs/groupid/11.1/groupid/managementshell/userlifecycle/reinstateuser.md) – Activates or disables a user. +- [Terminate-DirectReports](/docs/groupid/11.1/groupid/managementshell/userlifecycle/terminatedirectreports.md) – Terminates direct reports of a user. +- [Transfer-DirectReports ](/docs/groupid/11.1/groupid/managementshell/userlifecycle/transferdirectreports.md) – Transfers direct reports of a user. diff --git a/docs/groupid/11.1/groupid/portal/dashboard.md b/docs/groupid/11.1/groupid/portal/dashboard.md index 5464c6aa43..0519775926 100644 --- a/docs/groupid/11.1/groupid/portal/dashboard.md +++ b/docs/groupid/11.1/groupid/portal/dashboard.md @@ -5,7 +5,7 @@ of the portal. These functions are available as links on the top and left naviga On logging into Directory Manager portal, you land on the dashboard. -![dashboard](../../../../../static/img/product_docs/groupid/groupid/portal/dashboard.webp) +![dashboard](/img/product_docs/groupid/groupid/portal/dashboard.webp) Use the following to navigate within the application: 
@@ -17,7 +17,7 @@ Use the following to navigate within the application: ## Quick Search Look on the top of the page for **Search**. This element appears on every page. Use it to locate and -display information for objects. See the [Directory Search](search/search.md) topic. +display information for objects. See the [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) topic. - Use Quick Search to locate an object by its name. - Use Advanced Search to search an object using a range of attributes. 
@@ -31,7 +31,7 @@ The top right corner of the application displays: | Background tasks icon | View the status of Smart Group update jobs. A Smart Group Update job updates the membership of a Smart Group on the basis of a query. | | Portal Settings | Personalize the portal | | Help icon | Launch the portal help | -| User profile icon | Displays your profile picture with your name and the identity store that Directory Manager portal is connected to. Click it to launch the menu that displays the following: - Directory Manager version you’re using - The security role assigned to you in Directory Manager. The menu also displays the following options: - See full profile. See the [Object properties - General tab](user/properties/activedirectory/general.md) topic. - My Applications. See the [Access your Applications](../admincenter/general/accessapplications.md) topic. - Enroll your identity store account. See the [Enroll your Identity Store Account](../admincenter/enroll.md) topic. - Change Password. See the [Change your Password](../admincenter/general/changepassword.md) topic. - Switch account. See the [Switch Accounts](../admincenter/general/switchaccount.md) topic. - Sign Out | +| User profile icon | Displays your profile picture with your name and the identity store that Directory Manager portal is connected to. Click it to launch the menu that displays the following: - Directory Manager version you’re using - The security role assigned to you in Directory Manager. The menu also displays the following options: - See full profile. See the [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) topic. - My Applications. See the [Access your Applications](/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md) topic. - Enroll your identity store account. See the [Enroll your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic. - Change Password. 
See the [Change your Password](/docs/groupid/11.1/groupid/admincenter/general/changepassword.md) topic. - Switch account. See the [Switch Accounts](/docs/groupid/11.1/groupid/admincenter/general/switchaccount.md) topic. - Sign Out | ## Menu pane diff --git a/docs/groupid/11.1/groupid/portal/entitlement/fileservers.md b/docs/groupid/11.1/groupid/portal/entitlement/fileservers.md index 10c2555db2..bd2404456e 100644 --- a/docs/groupid/11.1/groupid/portal/entitlement/fileservers.md +++ b/docs/groupid/11.1/groupid/portal/entitlement/fileservers.md @@ -1,12 +1,12 @@ # File Servers -The [ Entitlement](overview.md) page lists the servers specified for permission analysis in the +The [ Entitlement](/docs/groupid/11.1/groupid/portal/entitlement/overview.md) page lists the servers specified for permission analysis in the identity store, displaying granular level permission granted to objects on shared files and folders. This data is subject to the date and time the permissions were last replicated. You can view all active servers as enabled and not replicated servers as disabled. It is as: -![disabledfileserver](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/disabledfileserver.webp) +![disabledfileserver](/img/product_docs/groupid/groupid/portal/entitlement/disabledfileserver.webp) Here, the second server is disabled while the first one is enabled. A disabled server indicates that the Entitlement job has not run to replicate permission data for it. Once permissions are 
@@ -32,13 +32,13 @@ displayed, showcasing the following information: - The date and time the file/folder was last created. - Owner of the file/folder. - ![fileservercard](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/fileservercard.webp) + ![fileservercard](/img/product_docs/groupid/groupid/portal/entitlement/fileservercard.webp) NOTE: Date format: mm/dd/yyyy - For child folders, the path is as: servername.parentsharedfoldername. - ![fileserverpath](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/fileserverpath.webp) + ![fileserverpath](/img/product_docs/groupid/groupid/portal/entitlement/fileserverpath.webp) - You can view the child files and folders within a shared folder till the nth level. Double-click a folder card to view its direct child files and folders. Continue till the nth level. @@ -48,7 +48,7 @@ NOTE: Date format: mm/dd/yyyy On clicking a file/folder card, all users and groups with effective NTFS permission on it are listed in the right pane. -![fileserverpermissions](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/fileserverpermissions.webp) +![fileserverpermissions](/img/product_docs/groupid/groupid/portal/entitlement/fileserverpermissions.webp) Information includes: @@ -77,7 +77,7 @@ Information includes: You can allow and deny access and inherited access and click **Save** icon. - ![filespermissions](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/filespermissions.webp) + ![filespermissions](/img/product_docs/groupid/groupid/portal/entitlement/filespermissions.webp) Permissions are displayed as **Explicit permissions** which list the effective permissions set the user/group has on the file/folder. 
@@ -90,7 +90,7 @@ properties as well as collapse the permissions view. You can search for specific files and folders (shared) on the server. You can also search for a file or folder in a particular folder. -![filefolderssearch](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/filefolderssearch.webp) +![filefolderssearch](/img/product_docs/groupid/groupid/portal/entitlement/filefolderssearch.webp) **Search filter** diff --git a/docs/groupid/11.1/groupid/portal/entitlement/overview.md b/docs/groupid/11.1/groupid/portal/entitlement/overview.md index f5d38a6600..116d05472c 100644 --- a/docs/groupid/11.1/groupid/portal/entitlement/overview.md +++ b/docs/groupid/11.1/groupid/portal/entitlement/overview.md @@ -3,5 +3,5 @@ Directory Manager Entitlement enables you to stay informed on the permissions assigned to objects residing on your Active Directory servers and SharePoint sites. -See the [Entitlement](../../admincenter/entitlement/overview.md) topic for detailed information on +See the [Entitlement](/docs/groupid/11.1/groupid/admincenter/entitlement/overview.md) topic for detailed information on Entitlement. diff --git a/docs/groupid/11.1/groupid/portal/entitlement/sharepointsites.md b/docs/groupid/11.1/groupid/portal/entitlement/sharepointsites.md index d965b0037b..0aabfe40a9 100644 --- a/docs/groupid/11.1/groupid/portal/entitlement/sharepointsites.md +++ b/docs/groupid/11.1/groupid/portal/entitlement/sharepointsites.md @@ -6,7 +6,7 @@ subject to the date and time the permissions were last replicated. You can view all active sites as enabled and inactive sites as disabled. It is as: -![disabledsites](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/disabledsites.webp) +![disabledsites](/img/product_docs/groupid/groupid/portal/entitlement/disabledsites.webp) A disabled site indicates that the Insights job has not run to replicate permission data for it. Once permissions are replicated, the site is enabled. 
@@ -35,14 +35,14 @@ showcasing the following information: - You can view the files and folders within a document library till the nth level. Double-click a folder card to view its direct child files and folders. Continue till the nth level. - ![sitesfolders](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/sitesfolders.webp) + ![sitesfolders](/img/product_docs/groupid/groupid/portal/entitlement/sitesfolders.webp) ## View levels and permissions on a library On clicking a library card or even a file/folder card, all users and groups with permission on it are listed in the right pane. -![sitesrightpane](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/sitesrightpane.webp) +![sitesrightpane](/img/product_docs/groupid/groupid/portal/entitlement/sitesrightpane.webp) Information includes: @@ -74,7 +74,7 @@ Information includes: You can update the permissions and click **Save** icon. - ![sitespermissions](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/sitespermissions.webp) + ![sitespermissions](/img/product_docs/groupid/groupid/portal/entitlement/sitespermissions.webp) Permissions are displayed as **Explicit permissions** which list the effective permissions set the user/group has on the file/folder. @@ -85,7 +85,7 @@ Use the search bar to search for specific files and folders in the site. You can file or folder in a particular folder. Click the card for that folder and search for the required child file/folder. -![sitessearch](../../../../../../static/img/product_docs/groupid/groupid/portal/entitlement/sitessearch.webp) +![sitessearch](/img/product_docs/groupid/groupid/portal/entitlement/sitessearch.webp) **Search filter** diff --git a/docs/groupid/11.1/groupid/portal/generalfeatures.md b/docs/groupid/11.1/groupid/portal/generalfeatures.md index 49bff79db3..ee27775424 100644 --- a/docs/groupid/11.1/groupid/portal/generalfeatures.md 
+++ b/docs/groupid/11.1/groupid/portal/generalfeatures.md @@ -15,7 +15,7 @@ manage various directory objects within their identity store. These objects incl users, groups, and contacts. Once a search is performed, the results are displayed on the Search Results page. -See the [Directory Search](search/search.md) topic for additional information. +See the [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) topic for additional information. ## Find Dialog Box @@ -23,25 +23,25 @@ The Find dialog box enables you to search User, Group, and Contact objects in th store. The object types av ailable for search may vary, depending on the page you launch the **Find** dialog box from. -See the [Find Dialog Box](search/find.md) topic for additional information. +See the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) topic for additional information. ## Portal Settings Directory Manager portal offers flexible portal settings to customize the user experience and personalize the portal for each user. -See the [Portal Settings](setting/portal.md) topic for additional information. +See the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) topic for additional information. ## User Account Settings Users can manage their own profile information and perform various account-related actions through the User Settings. -See the [User Account Settings](setting/user.md) topic for additional information. +See the [User Account Settings](/docs/groupid/11.1/groupid/portal/setting/user.md) topic for additional information. ## Toolbars The portal provides toolbars with diverse options that users can use on the objects. These actions include editing properties, managing membership, viewing history, and more. -See the [Toolbar](toolbar.md) topic for additional information. +See the [Toolbar](/docs/groupid/11.1/groupid/portal/toolbar.md) topic for additional information. 
diff --git a/docs/groupid/11.1/groupid/portal/group/alldynasties.md b/docs/groupid/11.1/groupid/portal/group/alldynasties.md index 7628277d56..803559aaa5 100644 --- a/docs/groupid/11.1/groupid/portal/group/alldynasties.md +++ b/docs/groupid/11.1/groupid/portal/group/alldynasties.md @@ -1,6 +1,6 @@ # Dynasties -A [Dynasty](dynasty/overview.md)is a Smart Group that creates and manages other Smart Groups using +A [Dynasty](/docs/groupid/11.1/groupid/portal/group/dynasty/overview.md)is a Smart Group that creates and manages other Smart Groups using information in the directory. This view lists only the Dynasties created in Directory Manager in the connected identity store, and does not include expired and deleted Dynasties. diff --git a/docs/groupid/11.1/groupid/portal/group/allgroups.md b/docs/groupid/11.1/groupid/portal/group/allgroups.md index 292a22cfd5..7fa73f74a2 100644 --- a/docs/groupid/11.1/groupid/portal/group/allgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/allgroups.md 
@@ -2,15 +2,15 @@ This tab lists all groups defined in the identity store including all active groups: -- [Private Groups](privategroups.md) -- [Semi Private Groups](semiprivategroups.md) -- [Public Groups](publicgroups.md) -- [Expired Groups](allexpiredgroups.md) -- [Expiring Groups](allexpiringgroups.md) -- [Smart Groups](allsmartgroups.md) -- [Dynasties](alldynasties.md) -- [Password Expiry Groups](passwordexpirygroups.md) -- [Teams](teams.md) (for Microsoft Entra ID based identity store) +- [Private Groups](/docs/groupid/11.1/groupid/portal/group/privategroups.md) +- [Semi Private Groups](/docs/groupid/11.1/groupid/portal/group/semiprivategroups.md) +- [Public Groups](/docs/groupid/11.1/groupid/portal/group/publicgroups.md) +- [Expired Groups](/docs/groupid/11.1/groupid/portal/group/allexpiredgroups.md) +- [Expiring Groups](/docs/groupid/11.1/groupid/portal/group/allexpiringgroups.md) +- [Smart Groups](/docs/groupid/11.1/groupid/portal/group/allsmartgroups.md) +- [Dynasties](/docs/groupid/11.1/groupid/portal/group/alldynasties.md) +- [Password Expiry Groups](/docs/groupid/11.1/groupid/portal/group/passwordexpirygroups.md) +- [Teams](/docs/groupid/11.1/groupid/portal/group/teams.md) (for Microsoft Entra ID based identity store) Viewing all groups from the directory source may slow down the loading of groups in the view, especially when there are more than 100 groups. 
@@ -23,7 +23,7 @@ especially when there are more than 100 groups. If you click **Background**, the update runs in the background and will show in the **Background Tasks** tab. -- View and modify the [Group Properties](properties/overview.md) of a group. +- View and modify the [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) of a group. - [Expire a group manually ](manage/groupexpiryfunction.md#expire-a-group-manually). After expiring the group, it will be listed in **Expired Group** list. - Select a smart group and click **Renew** on the toolbar; this re-applies the expiry policy of the @@ -90,7 +90,7 @@ especially when there are more than 100 groups. Use the page numbers under the group listing to page through all groups. You can also control the number of records to be displayed per page by modifying the **Search -results per page** setting on the [Portal Settings](../setting/portal.md) panel. +results per page** setting on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. ## Modify Search Directory @@ -99,7 +99,7 @@ a domain to search active groups from. ## Transfer Ownership -You can find [Transfer Ownership](transferownership.md) option on the top right corner. Transfer +You can find [Transfer Ownership](/docs/groupid/11.1/groupid/portal/group/transferownership.md) option on the top right corner. Transfer Ownership enables you to: - Assign owners to orphan groups. diff --git a/docs/groupid/11.1/groupid/portal/group/allsmartgroups.md b/docs/groupid/11.1/groupid/portal/group/allsmartgroups.md index 3271f3f70c..faf8499103 100644 --- a/docs/groupid/11.1/groupid/portal/group/allsmartgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/allsmartgroups.md 
@@ -2,7 +2,7 @@ This view lists only the Smart Groups created using Directory Manager in the connected identity store. It does not list expired or deleted Smart Groups. To view the expired or deleted groups, -select the [Expired Groups](allexpiredgroups.md) or [Deleted Groups](recyclebin/overview.md) +select the [Expired Groups](/docs/groupid/11.1/groupid/portal/group/allexpiredgroups.md) or [Deleted Groups](/docs/groupid/11.1/groupid/portal/group/recyclebin/overview.md) respectively. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search smart groups and diff --git a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/group.md b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/group.md index 6a58155080..fcf9aaba90 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/group.md +++ b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/group.md @@ -5,7 +5,7 @@ identity store. NOTE: If the Directory Manager administrator has specified the group creation action for review, the new group will be created after it is verified by an approver. See the -[Requests](../../../request/overview.md)topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md)topic for additional information. ## Create a Static Group 
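Review bot: In the `@@ -5,7 +5,7 @@` hunk of `portal/group/create/activedirectory/group.md`, the rewritten line still reads `[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md)topic`, with no space between the link and "topic", so the rendered sentence runs the two words together. Since the line is being touched anyway, add the space here; the matching line in `create/azure/group.md` already has it. The `alldynasties.md` hunk carries the same defect in `overview.md)is a Smart Group`.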
@@ -19,12 +19,12 @@ Follow the steps to create a static group. Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -2. On the [Group Type page](../grouptype.md), select the **Static Group** option button and click +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Static Group** option button and click **Next**. -3. On the [General page](general.md), specify basic information about the group. -4. On the [Members page](members.md), specify members for the group. -5. On the [Owners page](owners.md), specify primary and additional owners for the group. -6. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/general.md), specify basic information about the group. +4. On the [Members page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md), specify members for the group. +5. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. +6. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. ## Create a Smart Group 
@@ -46,19 +46,19 @@ Follow the steps to create a Smart Group: Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. -2. On the [Group Type page](../grouptype.md), select the **Smart Group** option button and click +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Smart Group** option button and click **Next**. -3. On the [General page](general.md), specify basic information about the group. -4. On the [ Smart Group page](smartgroup.md), review and modify the query for updating group +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/general.md), specify basic information about the group. +4. On the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md), review and modify the query for updating group membership. -5. On the [Owners page](owners.md), specify primary and additional owners for the group. +5. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. When a Smart Group Update job runs on a group, the notification behavior is as follows: Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. -6. On the [1](../../../user/create/activedirectory/summary.md), review the settings and then click +6. On the [1](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. ## Create a Password Expiry Group 
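Review bot: Step 6 in this hunk keeps the link label `[1]` (`On the [1](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md)`), which renders as "On the 1, review the settings". The other wizard procedures in this file label the same target `[Summary Page]`; use that label here too. Step 4's label `[ Smart Group page]` also has a leading space inside the brackets that can be dropped in the same pass.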
@@ -79,17 +79,17 @@ Follow the steps to create a Password Expiry Group: Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. -2. On the [Group Type page](../grouptype.md), select the **Password Expiry Group** option button and +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Password Expiry Group** option button and click **Next**. -3. On the [General page](general.md), specify basic information about the group. -4. On the [ Smart Group page](smartgroup.md), review and modify the query for updating group +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/general.md), specify basic information about the group. +4. On the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md), review and modify the query for updating group membership. -5. On the [Owners page](owners.md), specify primary and additional owners for the group. +5. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. When a Smart Group Update job runs on a group, the notification behavior is as follows: Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. -6. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +6. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. diff --git a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md index 2e0fe8f7f7..8dc9be9588 100644 
--- a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md +++ b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md @@ -4,7 +4,7 @@ You can add members to the group. You can also remove members. By default, you a group. - To add member(s), click **Add**. Enter a search string to locate the object to add as a group - member, or click **Advance** to use the [Find Dialog Box](../../../search/find.md) for performing + member, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. The selected members get listed in the grid on the **Members** page. @@ -13,7 +13,7 @@ group. members of an existing group or groups to the membership of this group. Click **Import** to launch the **Import Members** wizard for importing group members. See - [Import Group Members](../../properties/importmembers.md) for information. + [Import Group Members](/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md) for information. - To remove an object from the members list, select it and click **Remove**. 
@@ -22,7 +22,7 @@ The **Members** table displays the following information: | Column Name | Description | | ------------ | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Type | The object type of the member object, such as user or group. | -| Display Name | The name of the member object. You can view the memberships of groups that are members of this group. For example, when you add a group (Group B) as a member of this group (Group A), you can view the membership of Group B. You can continue to view memberships of groups that are members of Group B, and so on. This enables the owner of a distribution group to view all users who will receive the messages sent to the distribution group. Click the plus sign (![plus](../../../../../../../../static/img/product_docs/groupid/groupid/portal/group/create/activedirectory/plus.webp)) next to a member group to view its members. Group membership can be viewed up to the nth level. However, you cannot modify membership of nested groups here. For a parent Dynasty, all child Dynasties are listed as members. NOTE: For an expired security group and Office 365 group, the members list would be empty. | +| Display Name | The name of the member object. You can view the memberships of groups that are members of this group. For example, when you add a group (Group B) as a member of this group (Group A), you can view the membership of Group B. 
You can continue to view memberships of groups that are members of Group B, and so on. This enables the owner of a distribution group to view all users who will receive the messages sent to the distribution group. Click the plus sign (![plus](/img/product_docs/groupid/groupid/portal/group/create/activedirectory/plus.webp)) next to a member group to view its members. Group membership can be viewed up to the nth level. However, you cannot modify membership of nested groups here. For a parent Dynasty, all child Dynasties are listed as members. NOTE: For an expired security group and Office 365 group, the members list would be empty. | | Membership | Indicates whether the object is a temporary or permanent member of this group. The available membership types are: - Perpetual – To make the object a permanent member of the group. - Temporary Member – To make the object a temporary member of the group for the period you specify in the Beginning and Ending boxes. At the end of the period, the object is removed from the group membership. - Addition Pending – Indicates that the object will be a temporary member of the group for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Addition Pending’. On the beginning date, the membership type changes to ‘Temporary Member’. Example. You add Smith as a temporary member to Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Addition Pending’ as its membership type from May 15 to 19. However, Smith would not be added to group membership in the provider. On May 20, Smith will become a temporary member of Group A and its membership type will change to ‘Temporary Member’ from May 20 to 30. Smith will also be added to group membership in the provider. After May 30, Smith will be removed from Group A as a member in Directory Manager and in the provider. 
- Removal Pending - Indicates that the object will be temporarily removed from group membership for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Removal Pending’. On the beginning date, the membership type will change to ‘Temporary Removed’. Example. You remove Smith from Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Removal Pending’ as membership type from May 15 to 19. On May 20, Smith’s membership type in Directory Manager will change to ‘Temporary Removed’; lasting till May 30. However, Smith will be removed from Group A’s membership in the provider. After May 30, Smith will be added back to Group A as a permanent member in Directory Manager and in the provider. - Temporary Removed – Indicates that the object is temporarily removed from group membership for the period specified in the Beginning and Ending boxes. At the end of the period, the object is added back to the group membership as a permanent member. When the object is a perpetual member, the Membership column is blank. Click anywhere in the row to make it editable for changing the membership type of the group member. NOTE: You cannot change the membership type when the member object is a group. | | Beginning | Displays the beginning date of the temporary addition or removal. | | Ending | Shows the ending date of the temporary addition or removal. | diff --git a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md index 9f672f51db..4f28fb173f 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md +++ b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md 
@@ -9,7 +9,7 @@ group, all its members are considered as owners. - The **Owner** box displays your name as the primary owner of the group. To change the primary owner, click **Browse** next to the **Owner** box to launch the - [Find Dialog Box](../../../search/find.md), where you can search and select a primary owner. + [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select a primary owner. - If the administrator has not enforced the selection of a primary owner (see Role policies), you can also remove the primary owner. Click the **Remove** button next to the **Owner** box to remove @@ -17,11 +17,11 @@ group, all its members are considered as owners. - To specify additional owner(s) for the group, click **Add**. Enter a search string to locate the object to add as an additional owner, or click **Advance** - to use the [Find Dialog Box](../../../search/find.md) for performing a search. + to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. - You can also specify additional owners for the group using an external file. Click **Import** to launch the **Import Additional Owners** wizard for importing additional owners. See - [Import Additional Owners](../../properties/importadditionalowners.md) for further information and + [Import Additional Owners](/docs/groupid/11.1/groupid/portal/group/properties/importadditionalowners.md) for further information and instructions. - To remove an object from the additional owners list, select it and click **Remove**. diff --git a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md index b093699356..6320a12e41 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md +++ b/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md 
@@ -26,7 +26,7 @@ In a Microsoft Entra ID identity store, the default query returns the following: You can do the following: Step 1 – To modify the query, click the **Query Designer** button. This launches the -[Query Designer](../../querydesigner/overview.md) dialog box, where you can modify the query. +[Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) dialog box, where you can modify the query. Step 2 – You can also associate a Smart Group Update job with the group; this is a scheduled job that updates the group’s membership when it runs. diff --git a/docs/groupid/11.1/groupid/portal/group/create/azure/general.md b/docs/groupid/11.1/groupid/portal/group/create/azure/general.md index c6c4e7f40c..684be14b7c 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/azure/general.md +++ b/docs/groupid/11.1/groupid/portal/group/create/azure/general.md @@ -12,7 +12,7 @@ Use this page to specify basic information about the group. name for the group. NOTE: The prefix box is displayed if the administrator has defined the prefixes. See the - [Group Name Prefixes](../../../../admincenter/identitystore/configure/directoryservice/prefixes.md) + [Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md) topic for additional information. These prefixes, when appended to group names, help standardize the group naming convention across the enterprise. diff --git a/docs/groupid/11.1/groupid/portal/group/create/azure/group.md b/docs/groupid/11.1/groupid/portal/group/create/azure/group.md index d62724d63b..bbca4bced6 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/azure/group.md +++ b/docs/groupid/11.1/groupid/portal/group/create/azure/group.md 
@@ -5,7 +5,7 @@ ID identity store. NOTE: If the Directory Manager administrator has specified the group creation action for review, the new group will be created after it is verified by an approver. See the -[Requests](../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. ## Create a Static Group 
@@ -19,20 +19,20 @@ Follow the steps to create a static group. NOTE: Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. -2. On the [Group Type page](../grouptype.md), select the **Static Group** option button and click +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Static Group** option button and click **Next**. -3. On the [General page](general.md), specify basic information about the group. -4. On the [Members page](../activedirectory/members.md), add objects to group membership. +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/azure/general.md), specify basic information about the group. +4. On the [Members page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md), add objects to group membership. Only user objects can be added as members of an Office 365 group. -5. On the [Owners page](../activedirectory/owners.md), specify primary and additional owners for the +5. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. Only users can be set as primary owners. You can specify multiple primary owners for a group. At least one primary owner is mandatory. -6. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +6. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. ## Create a Smart Group 
@@ -47,17 +47,17 @@ Follow the steps to create a Smart Group. Remember, pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. -2. On the [Group Type page](../grouptype.md) page, select the **Smart Group** option button and +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md) page, select the **Smart Group** option button and click **Next**. -3. On the [General page](general.md) page, specify basic information about the group. -4. On the [ Smart Group page](../activedirectory/smartgroup.md) page, review and modify the query +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/azure/general.md) page, specify basic information about the group. +4. On the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md) page, review and modify the query for updating group membership. Smart Groups in an Microsoft Entra ID based identity store use a device structured query language to update group membership. You should either apply a query to a group in the Microsoft Entra ID portal or in Directory Manager. -5. On the [Owners page](../activedirectory/owners.md), specify primary and additional owners for the +5. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. - Only users can be set as primary owners. @@ -68,5 +68,5 @@ Follow the steps to create a Smart Group. notifications if the administrator has included its email address for job-specific notifications. -6. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +6. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click **Finish** to complete the wizard. 
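Review bot: In the `@@ -47,17 +47,17 @@` hunk of `create/azure/group.md`, steps 2 to 4 put the word "page" both inside and after the link, for example `[Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md) page`, so the text renders as "Group Type page page". Drop the trailing "page" on the three rewritten lines; the static-group steps in the same file do not have it.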
diff --git a/docs/groupid/11.1/groupid/portal/group/create/grouptype.md b/docs/groupid/11.1/groupid/portal/group/create/grouptype.md index 15c95a9c37..5a2ee80e82 100644 --- a/docs/groupid/11.1/groupid/portal/group/create/grouptype.md +++ b/docs/groupid/11.1/groupid/portal/group/create/grouptype.md @@ -6,6 +6,6 @@ Select the type of group you want to create and click **Next**. Options are: - [Create a Smart Group](activedirectory/group.md#create-a-smart-group) - [Create a Password Expiry Group](activedirectory/group.md#create-a-password-expiry-group) (not supported in Microsoft Entra ID) -- [Create a Dynasty using the Organizational/Geographical/Custom template](../dynasty/activedirectory/createdynasty.md#create-a-dynasty-using-the-organizationalgeographicalcustom-template) -- [Create a Dynasty using the Managerial template](../dynasty/activedirectory/createdynasty.md#create-a-dynasty-using-the-managerial-template) -- [Create Teams](../teams/create.md) (for Microsoft Entra ID only) +- [Create a Dynasty using the Organizational/Geographical/Custom template](/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md#create-a-dynasty-using-the-organizationalgeographicalcustom-template) +- [Create a Dynasty using the Managerial template](/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md#create-a-dynasty-using-the-managerial-template) +- [Create Teams](/docs/groupid/11.1/groupid/portal/group/teams/create.md) (for Microsoft Entra ID only) diff --git a/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md b/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md index 30cbaa082e..f99eeb2822 100644 --- a/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md +++ b/docs/groupid/11.1/groupid/portal/group/dynasty/activedirectory/createdynasty.md 
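Review bot: In the `grouptype.md` hunk, the first two list items shown as unchanged context, `[Create a Smart Group](activedirectory/group.md#create-a-smart-group)` and `[Create a Password Expiry Group](activedirectory/group.md#create-a-password-expiry-group)`, keep relative targets while the Dynasty and Teams items below them move to absolute `/docs/...` paths. If the goal is absolute links throughout, convert these two as well. The same form (a relative link with a `#fragment` and no `../` prefix, left as is) also appears in `allgroups.md` (`manage/groupexpiryfunction.md#expire-a-group-manually`) and `allsmartgroups.md` (`allgroups.md#modify-search-directory`), which suggests the rewrite skipped that pattern.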
@@ -39,7 +39,7 @@ Dynasty names help you group a parent Dynasty with its respective child Dynastie `manager`". To modify the display name template for child Dynasties, see -[Modify alias and display name templates](../../manage/dynastyfunction.md#modify-alias-and-display-name-templates). +[Modify alias and display name templates](/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md#modify-alias-and-display-name-templates). NOTE: In the Dynasty creation/update process, a child Dynasty will not be created if it bears the same name as that of an existing object in the directory. For example, when you create a custom @@ -60,11 +60,11 @@ Follow the steps to create a dynasty using the the Organizational/Geographical/C NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -2. On the [Group Type page](../../create/grouptype.md), select the **Organizational Dynasty**, +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Organizational Dynasty**, **Geographical Dynasty**, or **Custom Dynasty** option button and click **Next**. -3. On the [General page](../../create/activedirectory/general.md), specify basic information about +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/general.md), specify basic information about the Dynasty. -4. On the [Dynasty Options page](../dynastyoptionsorggeocus.md), view or change the attributes in +4. On the [Dynasty Options page](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsorggeocus.md), view or change the attributes in the **Attributes** area and click **Next**. Dynasties create Smart Groups for each distinct value of each listed attribute. Depending on the 
@@ -72,16 +72,16 @@ Follow the steps to create a dynasty using the the Organizational/Geographical/C the template; however, you can add and remove attributes. For the Custom template, no attribute is displayed. -5. The [Query Designer](../../querydesigner/overview.md) page displays the default query that +5. The [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) page displays the default query that Directory Manager will use to determine the Dynasty membership. The default query returns all users with Exchange mailboxes, along with users and contacts with external email addresses, which are then grouped by the specified group-by attributes. Review the query for selecting the group members, then click **Next**. - For details, see the [ Smart Group page](../../create/activedirectory/smartgroup.md). + For details, see the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md). -6. On the [Owners page](../../create/activedirectory/owners.md), specify primary and additional +6. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the Dynasty. NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties @@ -91,7 +91,7 @@ Follow the steps to create a dynasty using the the Organizational/Geographical/C notifications if the administrator has included its email address for job-specific notifications. -7. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +7. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. ## Create a Dynasty using the Managerial template 
@@ -106,11 +106,11 @@ Follow the steps to create a Dynasty using the Managerial template. NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -2. On the [Group Type page](../../create/grouptype.md), select the **Managerial Dynasty** option +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Managerial Dynasty** option button and click **Next**. -3. On the [General page](../../create/activedirectory/general.md), specify basic information about +3. On the [General page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/general.md), specify basic information about the Dynasty. -4. On the [Dynasty Options page (Managerial Dynasty)](../dynastyoptionsmanagerial.md), specify a +4. On the [Dynasty Options page (Managerial Dynasty)](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md), specify a structure for the Dynasty and click **Next**. By default, Directory Manager constructs a managerial Dynasty structure by first creating a 
@@ -119,16 +119,16 @@ Follow the steps to create a Dynasty using the Managerial template. manager. However, you can choose to create a single Smart Group for the direct reports of all levels of managers rather than creating separate groups. -5. The [Query Designer](../../querydesigner/overview.md) page displays the default query that +5. The [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) page displays the default query that Directory Manager will use to determine the Dynasty membership. This query returns all users with Exchange mailboxes, along with users and contacts with external email addresses, which are then grouped as per the managerial Dynasty structure. Review the query for selecting the group members, then click **Next.** - For details, see the [ Smart Group page](../../create/activedirectory/smartgroup.md). + For details, see the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md). -6. On the [Owners page](../../create/activedirectory/owners.md), specify primary and additional +6. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the Dynasty. NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties @@ -142,5 +142,5 @@ Follow the steps to create a Dynasty using the Managerial template. In case you change the owner, the new recipient would be the Dynasty’s primary owner even if the **Set Manager as owner** check box is selected. -7. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +7. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. 
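Review bot: step 7's Summary Page link in the last hunk resolves to `/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md`, under `portal/user/`, while every other wizard page linked in these steps lives under `portal/group/`. The absolute path is a faithful translation of the old `../../../user/create/activedirectory/summary.md` target, so the patch does not change where the link goes. Now that the full path is visible, please confirm that the Dynasty wizard is meant to send readers to the user-creation Summary page.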
diff --git a/docs/groupid/11.1/groupid/portal/group/dynasty/azure/createdynasty.md b/docs/groupid/11.1/groupid/portal/group/dynasty/azure/createdynasty.md index 5efd50b2d0..0d7d29795b 100644 --- a/docs/groupid/11.1/groupid/portal/group/dynasty/azure/createdynasty.md +++ b/docs/groupid/11.1/groupid/portal/group/dynasty/azure/createdynasty.md @@ -39,7 +39,7 @@ Dynasty names help you group a parent Dynasty with its respective child Dynastie `manager`". To modify the display name template for child Dynasties, see -[Modify alias and display name templates](../../manage/dynastyfunction.md#modify-alias-and-display-name-templates)topic +[Modify alias and display name templates](/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md#modify-alias-and-display-name-templates)topic for additional information. NOTE: In the Dynasty creation/update process, a child Dynasty will not be created if it bears the 
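Review bot: the rewritten link line ends `dynastyfunction.md#modify-alias-and-display-name-templates)topic`, with no space between the closing parenthesis and "topic", so the rendered sentence runs the link text straight into the next word. The line is already being touched, so add the space here. Also consider "see the [...] topic for additional information" to match the phrasing used in the other files of this patch.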
@@ -61,11 +61,11 @@ Follow the steps to create a dynasty using the Organization/Geographical/Custom NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -2. On the [Group Type page](../../create/grouptype.md), select the **Organizational Dynasty**, +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Organizational Dynasty**, **Geographical Dynasty**, or **Custom Dynasty** option button and click **Next**. -3. On the [General - Microsoft Entra ID](general.md)page, specify basic information about the +3. On the [General - Microsoft Entra ID](/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md)page, specify basic information about the Dynasty. -4. On the [Dynasty Options page](../dynastyoptionsorggeocus.md), view or change the attributes in +4. On the [Dynasty Options page](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsorggeocus.md), view or change the attributes in the **Attributes** area and click **Next**. Dynasties create Smart Groups for each distinct value of each listed attribute. Depending on the 
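Review bot: step 3 now reads `[General - Microsoft Entra ID](/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md)page`, with "page" glued to the closing parenthesis of the link. Add a space before "page" while the line is being rewritten. Step 3 of the Managerial procedure later in this file carries the same slip.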
@@ -73,16 +73,16 @@ Follow the steps to create a dynasty using the Organization/Geographical/Custom the template; however, you can add and remove attributes. For the Custom template, no attribute is displayed. -5. The [Query Designer](../../querydesigner/overview.md) page displays the default query that +5. The [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) page displays the default query that Directory Manager will use to determine the Dynasty membership. The default query returns all users with Exchange mailboxes, along with users and contacts with external email addresses, which are then grouped by the specified group-by attributes. Review the query for selecting the group members, then click **Next**. - For details, see the [ Smart Group page](../../create/activedirectory/smartgroup.md). + For details, see the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md). -6. On the [Owners page](../../create/activedirectory/owners.md), specify primary and additional +6. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the Dynasty. NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties @@ -92,7 +92,7 @@ Follow the steps to create a dynasty using the Organization/Geographical/Custom notifications if the administrator has included its email address for job-specific notifications. -7. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +7. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click **Finish** to complete the wizard. ## Create a Dynasty using the Managerial template 
@@ -107,11 +107,11 @@ Follow the steps to create a dynasty using the Managerial template. NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -2. On the [Group Type page](../../create/grouptype.md), select the **Managerial Dynasty** option +2. On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the **Managerial Dynasty** option button and click **Next**. -3. On the [General - Microsoft Entra ID](general.md)page, specify basic information about the +3. On the [General - Microsoft Entra ID](/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md)page, specify basic information about the Dynasty. -4. On the [Dynasty Options page (Managerial Dynasty)](../dynastyoptionsmanagerial.md), specify a +4. On the [Dynasty Options page (Managerial Dynasty)](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md), specify a structure for the Dynasty and click **Next**. By default, Directory Manager constructs a managerial Dynasty structure by first creating a 
@@ -120,17 +120,17 @@ Follow the steps to create a dynasty using the Managerial template. manager. However, you can choose to create a single Smart Group for the direct reports of all levels of managers rather than creating separate groups. -5. The [Query Designer](../../querydesigner/overview.md) page displays the default query that +5. The [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) page displays the default query that Directory Manager will use to determine the Dynasty membership. This query returns all users with Exchange mailboxes, along with users and contacts with external email addresses, which are then grouped as per the managerial Dynasty structure. Review the query for selecting the group members, then click **Next**. - For details, see the [ Smart Group page](../../create/activedirectory/smartgroup.md) topic for + For details, see the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md) topic for additional information. -6. On the [Owners page](../../create/activedirectory/owners.md), specify primary and additional +6. On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the Dynasty. NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties @@ -144,5 +144,5 @@ Follow the steps to create a dynasty using the Managerial template. In case you change the owner, the new recipient would be the Dynasty’s primary owner even if the **Set Manager as owner** check box is selected. -7. On the [Summary Page](../../../user/create/activedirectory/summary.md), review the settings and +7. On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click **Finish** to complete the wizard. 
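Review bot: in this Microsoft Entra ID file (`dynasty/azure/createdynasty.md`), step 7 still resolves to an Active Directory page, `/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md`, and the Smart Group and Owners links earlier in the file likewise point under `portal/group/create/activedirectory/`. The patch only translates the old relative targets, so this is not a regression. But step 3 already links to an azure-specific page (`dynasty/azure/general.md`), so it is worth confirming whether the remaining steps are meant to share the Active Directory topics or need a follow-up.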
diff --git a/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md b/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md index af5d57f37d..500f6d74f0 100644 --- a/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md +++ b/docs/groupid/11.1/groupid/portal/group/dynasty/azure/general.md @@ -15,7 +15,7 @@ Use this page to specify basic information about the group. name for the group. NOTE: The prefix box is displayed if the administrator has defined the prefixes. See the - [Group Name Prefixes](../../../../admincenter/identitystore/configure/directoryservice/prefixes.md) + [Group Name Prefixes](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/prefixes.md) topic. These prefixes, when appended to group names, help standardize the group naming convention across the enterprise. diff --git a/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md b/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md index 80ee00b265..0cac2ef749 100644 --- a/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md +++ b/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md @@ -10,7 +10,7 @@ On the Dynasty Options page: 1. Use the **Top Manager** field to specify the top-level manager, and thus, the start location for the Dynasty. - Click the ellipsis button and use the [Find Dialog Box](../../search/find.md) to select a top + Click the ellipsis button and use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) to select a top manager. 2. Select an option from **Dynasty Type** to specify the type of managerial Dynasty you want to 
@@ -89,7 +89,7 @@ On the Dynasty Options page: Members: April - On the [Query Designer](../querydesigner/overview.md) page, you can also specify a criterion + On the [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) page, you can also specify a criterion to filter the managers for whom you want to create child groups in the Dynasty. 3. Select the **Include manager as member** check box to include the manager as a member of their diff --git a/docs/groupid/11.1/groupid/portal/group/dynasty/overview.md b/docs/groupid/11.1/groupid/portal/group/dynasty/overview.md index c96694c38e..e8463aff56 100644 --- a/docs/groupid/11.1/groupid/portal/group/dynasty/overview.md +++ b/docs/groupid/11.1/groupid/portal/group/dynasty/overview.md @@ -45,7 +45,7 @@ Dynasties always inherit the expiry policy from the parent Dynasty and it can on the parent level. Depending on the inheritance option selected for the parent Dynasty on the -[Group properties - Dynasty Options tab](../properties/dynastyoptions.md) in group properties, the +[Group properties - Dynasty Options tab](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) in group properties, the modified values of inherited attributes may or may not persist. ## Multi-level Structure diff --git a/docs/groupid/11.1/groupid/portal/group/manage/attestation.md b/docs/groupid/11.1/groupid/portal/group/manage/attestation.md index a645edd336..2feacf51d4 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/attestation.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/attestation.md 
@@ -16,7 +16,7 @@ A group expires when it is not attested and renewed during its expiring days. **History Logging** Directory Manager tracks and maintains history for group attestation. On the -[Object properties - History tab](../properties/history.md) in group properties, the following is +[Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) in group properties, the following is logged: - The date the group was attested on. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md b/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md index 7badc4d291..97349cd8b9 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/dynastyfunction.md @@ -11,17 +11,17 @@ country, then for each state within a country, and finally for each city within 1. On the left navigation bar, click **Groups** and then select the **My Groups** tab. - You can also [Directory Search](../../search/search.md) the Organizational, Organizational, or + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the Organizational, Organizational, or custom Dynasty you want to change the attributes for. 2. Select the required Dynasty and click **Properties** on the toolbar. - The Dynasty's [Group Properties](../properties/overview.md) page is displayed with the + The Dynasty's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. On the **Dynasty Options** tab, update the attributes in the **Attributes** area. - Refer to the [Dynasty Options page](../dynasty/dynastyoptionsorggeocus.md) for details. + Refer to the [Dynasty Options page](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsorggeocus.md) for details. 4. Click **Save**. 
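Review bot: the changed line in step 1 of the `dynastyfunction.md` hunk reads "the Organizational, Organizational, or custom Dynasty", repeating "Organizational". Since the line is being rewritten anyway, fix the list in the same change. The procedure describes Dynasties built per country, state and city, so the second item is presumably "Geographical", but the author should confirm.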
@@ -31,17 +31,17 @@ Follow the steps to manage structure of a Managerial Dynasty. 1. On the left navigation bar, click **Groups** and then select the **My Groups** tab. - You can also [Directory Search](../../search/search.md) the Managerial Dynasty you want to + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the Managerial Dynasty you want to restructure. 2. Select the required Dynasty and click **Properties** on the toolbar. - The Dynasty's [Group Properties](../properties/overview.md) page is displayed with the + The Dynasty's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. On the **Dynasty Options** tab, modify the options related to the Dynasty structure. - Refer to the [Dynasty Options page (Managerial Dynasty)](../dynasty/dynastyoptionsmanagerial.md) + Refer to the [Dynasty Options page (Managerial Dynasty)](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md) for details. 4. Click **Save**. 
@@ -52,18 +52,18 @@ Follow the steps to set attribute inheritance of a dynasty. 1. On the left navigation bar, click **Groups** and then select the **My Groups** tab. - You can also [Directory Search](../../search/search.md) the Dynasty you want to change the + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the Dynasty you want to change the inheritance option for. 2. Select the required Dynasty and click **Properties** on the toolbar. - The Dynasty's [Group Properties](../properties/overview.md) page is displayed with the + The Dynasty's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. On the **Dynasty Options** tab, select the required option from the **Inheritance** drop-down list. - See [Inheritance](../properties/dynastyoptions.md). + See [Inheritance](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md). 4. Click **Save**. 
@@ -73,20 +73,20 @@ Follow the steps to modify alias of an Organizational/Geographical/Custom dynast 1. On the left navigation bar, click **Groups** and then select the **My Groups** tab. - You can also [Directory Search](../../search/search.md) the Dynasty you want to change the alias + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the Dynasty you want to change the alias or display name template for. 2. Select the required Organizational/Geographical/Custom Dynasty and click **Properties** on the toolbar. - The Dynasty's [Group Properties](../properties/overview.md) page is displayed with the + The Dynasty's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. On the **Dynasty Options** tab, use the **Alias Template** and **Display Name Template** boxes to modify the respective templates. - For details, see [Alias Template](../properties/dynastyoptions.md) and - [Display Name Template](../properties/dynastyoptions.md) for an + For details, see [Alias Template](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) and + [Display Name Template](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) for an Organizational/Geographical/Custom Dynasty. 4. Click **Save**. 
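Review bot: in step 3, the Alias Template and Display Name Template links both resolve to the same URL, `/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md`, with no heading fragment, so the two link texts lead to the same place. If that page has a separate heading for each template, add the matching fragment to each link, as this patch already does for `dynastyfunction.md#modify-alias-and-display-name-templates`. Otherwise collapse the pair into one link. The Managerial procedure in the next hunk has the same pair.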
@@ -95,18 +95,18 @@ Follow the steps to modify aloas of a Managerial dynasty. 1. On the left navigation bar, click **Groups** and then select the **My Groups** tab. - You can also [Directory Search](../../search/search.md) the Dynasty you want to change the alias + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the Dynasty you want to change the alias or display name template for. 2. Select the required Managerial Dynasty and click **Properties** on the toolbar. - The Dynasty's [Group Properties](../properties/overview.md) page is displayed with the + The Dynasty's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. On the **Dynasty Options** tab, use the **Alias Template** and **Display Name Template** boxes to modify the respective templates. - For details, see [Alias Template](../properties/dynastyoptions.md) and - [Display Name Template](../properties/dynastyoptions.md) for a Managerial Dynasty. + For details, see [Alias Template](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) and + [Display Name Template](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) for a Managerial Dynasty. 4. Click **Save**. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/generalfunction.md b/docs/groupid/11.1/groupid/portal/group/manage/generalfunction.md index 573d1e06bd..a139a5d01e 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/generalfunction.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/generalfunction.md 
@@ -4,23 +4,23 @@ You can perform the following general functions on your directory groups. ## Search for groups -See [Directory Search](../../search/search.md). +See [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md). ## View object properties You can view and modify the properties of a mailbox, group, user and contact. -1. [Directory Search](../../search/search.md) the required object. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the required object. 2. Select this object on the **Search Results** page and click **Properties** on the toolbar. - The object's [Group Properties](../properties/overview.md) page is displayed. + The object's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. ## View groups managed by an object You can get a list of all groups managed by a particular object (i.e., all groups for which the selected object is a primary or additional owner). -1. [Directory Search](../../search/search.md) the required object. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the required object. 2. Select this object on the **Search Results** page and click **Owner** on the toolbar. ## Manage group access @@ -36,7 +36,7 @@ required. 2. Select a group and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed with the **General** + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. Select a different security type for the group from the **Security** list. 
@@ -54,17 +54,17 @@ NOTE: This feature is not available for groups in a Microsoft Entra ID based ide 2. Select the required group and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. Click the **Delivery Restrictions** tab. 4. Specify the senders that the group can receive emails from: 1. Click the **Add** button in the **Accept from** area. 2. Enter a search string to locate the required object, or click **Advanced** to use the - [Find Dialog Box](../../search/find.md) for performing a search. + [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. 5. Select the senders that the group cannot accept emails from: 1. Click the **Add** button in the **Reject from** area. 2. Enter a search string to locate the required object, or click **Advanced** to use the - [Find Dialog Box](../../search/find.md) for performing a search. + [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. 6. Save the changes. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md b/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md index a3dce0f842..9c3ad02a80 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md 
@@ -31,12 +31,12 @@ To renew a physically deleted group, contact the Directory Manager administrator Groups that are deleted by the Group Life Cycle job are considered to be logically deleted. This job deletes expired groups automatically based on the Group Life Cycle policy for the identity store. -Logically deleted groups are moved to the [My Deleted Groups](../mydeletedgroups.md) page with the +Logically deleted groups are moved to the [My Deleted Groups](/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md) page with the 'Deleted\_' prefix added to their names. Such groups have all their attributes intact. As a result, a logically deleted group, when renewed, returns to the state it had at the time of deletion. See the -[What Happens When a Group is Deleted](../../../admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md#what-happens-when-a-group-is-deleted) +[What Happens When a Group is Deleted](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/groupexpirydeletion.md#what-happens-when-a-group-is-deleted) topic for additional information on group deletion. ## Group Deletion Notifications diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupexpiry.md b/docs/groupid/11.1/groupid/portal/group/manage/groupexpiry.md index c73885f3ee..de2cd67a8a 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupexpiry.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/groupexpiry.md 
@@ -70,7 +70,7 @@ to all groups in the identity store and cannot be changed for individual groups. When the Group Lifeycle job executes the Group Lifecycle policy, it monitors group expiry dates as determined by each group’s expiration period. See the -[Set a Default Expiry Policy for Groups](../../../admincenter/identitystore/configure/directoryservice/grouplifecycle.md#set-a-default-expiry-policy-for-groups) +[Set a Default Expiry Policy for Groups](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#set-a-default-expiry-policy-for-groups) topic. ## Group Expiry Notifications @@ -92,5 +92,5 @@ expiry, the job does the following: Directory Manager will extend the group’s expiration date by 7 days. Notifications are sent if an SMTP server is configured for the identity store. See the -[Set Group Expiry Notifications](../../../admincenter/identitystore/configure/directoryservice/grouplifecycle.md#set-group-expiry-notifications) +[Set Group Expiry Notifications](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/grouplifecycle.md#set-group-expiry-notifications) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupexpiryfunction.md b/docs/groupid/11.1/groupid/portal/group/manage/groupexpiryfunction.md index 17ae811ef6..ec69580982 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupexpiryfunction.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/groupexpiryfunction.md 
@@ -10,7 +10,7 @@ Follow the steps to expire a group manually. 1. On the left navigation bar, click **Groups** and then select the **My Groups**, **My Memberships**, or **My Expiring Groups** tab. - You can also [Directory Search](../../search/search.md) the group you want to expire. + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to expire. 2. On the page displayed, select the required group and click **Expire** on the toolbar. @@ -19,7 +19,7 @@ NOTE: Note the following: - When you try to manually expire a group with the expiry policy set to ‘Never Expire’, an error message is displayed, informing you that the group cannot be expired. - When you manually expire a group with an expiry policy other than ‘Never Expire’, the group - expires and is moved it to the [My Expired Groups](../myexpiredgroups.md) page. + expires and is moved it to the [My Expired Groups](/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md) page. - A group without an expiry policy will not expire. Directory groups that are created outside of Directory Manager do not have an expiry policy. @@ -32,7 +32,7 @@ If expired groups are not renewed within a specific period (set by the Directory administrator in the Group Lifecycle policy for the identity store), they are logically deleted when the period ends. See Group life cycle job. -Logically deleted groups are moved to the [My Deleted Groups](../mydeletedgroups.md) page with the +Logically deleted groups are moved to the [My Deleted Groups](/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md) page with the “Deleted\_” prefix added to their names. ## Change the expiry policy for a group 
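Review bot: in the `@@ -19,7 +19,7 @@` hunk above, the rewritten bullet still reads "expires and is moved it to the [My Expired Groups](/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md) page". Drop the stray "it" so that it reads "is moved to", since the line is being replaced anyway. In the final hunk, the context line "See Group life cycle job." is a cross-reference with no link at all, which stands out in a patch whose purpose is normalising links. Consider linking it or filing a follow-up.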
@@ -41,12 +41,12 @@ When a group is created, it has its expiry policy set to 'Never Expire'. You can as required. The Group Life Cycle job expires groups according to their respective expiry policies and moves them -to the [My Expired Groups](../myexpiredgroups.md) page. +to the [My Expired Groups](/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md) page. -1. [Directory Search](../../search/search.md) the group you want to change the expiry policy for. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to change the expiry policy for. 2. Select this group on the **Search Results** page and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed with the **General** + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed with the **General** tab in view. 3. From the **Expiration Policy** list, select the duration that the group would remain active for, @@ -62,11 +62,11 @@ to the [My Expired Groups](../myexpiredgroups.md) page. 4. Click **Save**. NOTE: If the Directory Manager administrator has specified this action for review, your changes will -not take effect until verified by an approver. See [Requests](../../request/overview.md). +not take effect until verified by an approver. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Attest an expiring group -See [Attest an Expiring Group](attestation.md). +See [Attest an Expiring Group](/docs/groupid/11.1/groupid/portal/group/manage/attestation.md). ## Renew an expired group diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md b/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md index 3ebaee7508..f036ff2115 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md 
@@ -7,26 +7,26 @@ specified period of time. You can join a semi-private or public group as a permanent member. -1. [Directory Search](../../search/search.md) the group(s) you want to join. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group(s) you want to join. 2. On the page displayed, select the group(s) to join. 3. Point to the **Join** button on the toolbar, make sure that the **Join Perpetually** option is selected, and click **Join**. - You can also join a group on the group's [Group Properties](../properties/overview.md) page by + You can also join a group on the group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page by using the **Join** button on the toolbar. When a user joins a Smart Group or Dynasty, he or she is added to the **Include** list on the -[Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) of the Query Designer. As +[Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user remains a group member even when it does not fall in the scope of the query. NOTE: For a semi-private group, the group owner must approve your _join_ request before you are -added to group membership. See [Requests](../../request/overview.md). +added to group membership. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Join a group temporarily The logged-in user can join a semi-private or public group as a temporary member. -1. [Directory Search](../../search/search.md) the group(s) you want to join. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group(s) you want to join. 2. On the page displayed, select the group(s) to join. 3. Point to the **Join** button on the toolbar and select the **Join Temporarily** option. 4. In the **Duration** list, select one of the following options: 
@@ -41,15 +41,15 @@ The logged-in user can join a semi-private or public group as a temporary member 5. Click **Join**. - You can also join a group on the group's [Group Properties](../properties/overview.md) page by + You can also join a group on the group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page by using the **Join** button on the toolbar. When a user joins a Smart Group or Dynasty, he or she is added to the **Include** list on the -[Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) of the Query Designer. As +[Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user remains a group member even when it does not fall in the scope of the query. NOTE: For a semi-private group, the group owner must approve your _join_ request before you are -added to group membership. See [Requests](../../request/overview.md). +added to group membership. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Leave a group permanently 
@@ -61,21 +61,21 @@ The logged-in user can permanently leave the membership of a semi-private or pub Or - [Directory Search](../../search/search.md) the group(s) you want to leave. + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group(s) you want to leave. 2. On the page displayed, select the required group(s). 3. Point to the **Leave** button on the toolbar, make sure that the **Leave Perpetually** option is selected, and click **Leave**. - You can also leave a group on the group's [Group Properties](../properties/overview.md) page by + You can also leave a group on the group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page by using the **Leave** button on the toolbar. When a user leaves a Smart Group or Dynasty, he or she is added to the **Exclude** list on the -[Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) of the Query Designer. As +[Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. NOTE: For a semi-private group, the group owner must approve your _leave_ request before you are -removed from group membership. See [Requests](../../request/overview.md). +removed from group membership. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Leave a group temporarily @@ -87,7 +87,7 @@ The logged-in user can leave the membership of a semi-private or public group on Or - [Directory Search](../../search/search.md) the group(s) you want to leave. + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group(s) you want to leave. 2. On the page displayed, select the required group(s). 3. Point to the **Leave** button on the toolbar and select the **Leave Temporarily** option. 
@@ -103,15 +103,15 @@ The logged-in user can leave the membership of a semi-private or public group on 5. Click **Leave**. - You can also leave a group on the group's [Group Properties](../properties/overview.md) page by + You can also leave a group on the group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page by using the **Leave** button on the toolbar. When a user leaves a Smart Group or Dynasty, he or she is added to the **Exclude** list on the -[Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) of the Query Designer. As +[Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. NOTE: For a semi-private group, the group owner must approve your _leave_ request before you are -removed from group membership. See [Requests](../../request/overview.md). +removed from group membership. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Join or leave a group on behalf of a direct report or peer @@ -137,7 +137,7 @@ The logged-in user can join a group on behalf of a direct report or peer. 1. On the left navigation bar, click **Groups** and then select the **My Groups**, **My Memberships**, or **My Expiring Groups** tab. - You can also [Directory Search](../../search/search.md) the group you want to join on behalf of + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to join on behalf of a direct report or peer. 2. On the page displayed, select the group to join. 
@@ -157,7 +157,7 @@ The logged-in user can join a group on behalf of a direct report or peer. period, and click **Join**. When a user is joined on behalf to a Smart Group or Dynasty, he or she is added to the **Include** -list on the [Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) of the Query +list on the [Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user remains a group member even when it does not fall in the scope of the query. @@ -168,7 +168,7 @@ The logged-in user can leave a group on behalf of a direct report or peer. 1. On the left navigation bar, click **Groups** and then select the **My Groups**, **My Memberships**, or **My Expiring Groups** tab. - You can also [Directory Search](../../search/search.md) the group you want to leave on behalf of + You can also [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to leave on behalf of a direct report or peer. 2. On the page displayed, select the group to leave. @@ -188,7 +188,7 @@ The logged-in user can leave a group on behalf of a direct report or peer. period, and click **Leave**. When a user is removed on behalf from a Smart Group or Dynasty, he or she is added to the -**Exclude** list on the [Query Designer - Include/Exclude tab](../querydesigner/includeexclude.md) +**Exclude** list on the [Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupmembershipfunction.md b/docs/groupid/11.1/groupid/portal/group/manage/groupmembershipfunction.md index 7b6b6aadf4..74bbbdec62 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupmembershipfunction.md 
+++ b/docs/groupid/11.1/groupid/portal/group/manage/groupmembershipfunction.md @@ -40,7 +40,7 @@ will exist but without any link to Group A. Hence, Group A’s membership will b You can add one or more objects to the membership of one or more groups. These objects would be added as permanent members. You will find them listed as members on the Members tab in -[Group Properties](../properties/overview.md). +[Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md). NOTE: In a Microsoft Entra ID based identity store, only user objects can be added as members of an Office 365 group. 
@@ -49,21 +49,21 @@ Use any of the following methods to add members to groups. ### Method 1: -1. [Directory Search](../../search/search.md) the required objects. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the required objects. 2. Select these objects on the **Search Results** page and click **Add to Group** on the toolbar. -3. The [Find Dialog Box](../../search/find.md) is displayed, where you can search and select the +3. The [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) is displayed, where you can search and select the group(s) to add the objects to. ### Method 2: -1. [Directory Search](../../search/search.md) the group you want to add members to. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to add members to. 2. Select this group on the **Search Results** page and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Members** tab, click **Add**. 4. Enter a search string to locate the objects to add as members, or click **Advanced** to use the - [Find Dialog Box](../../search/find.md) for performing a search. + [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. 5. Save the changes. NOTE: These methods for adding members are recommended for static (unmanaged) groups only. For Smart 
@@ -79,11 +79,11 @@ membership type of an object from permanent to temporary and vice versa. You can also add or remove an object from a group's membership for a temporary period. -1. [Directory Search](../../search/search.md) a group to change the membership type of its +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) a group to change the membership type of its member(s). 2. Select this group on the **Search Results** page and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed, where the + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed, where the **Members** tab lists the group members. 3. To change the membership type of a member, click anywhere in the respective row to make it @@ -150,10 +150,10 @@ days for temporary membership update. Follow the steps to remove members permanently from a group. -1. [Directory Search](../../search/search.md) the group you want to remove member(s) from. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to remove member(s) from. 2. Select this group on the **Search Results** page and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Members** tab, select the group members you want to remove and click **Remove**. 4. Save the changes. 
@@ -172,7 +172,7 @@ Follow the steps to add a group to the membership of another group (nesting). 2. Select the My Groups, **My Memberships**, or **My Expiring Groups** tab. 3. Select the group(s) to add to the membership of another group and click **Add to Group** on the toolbar. -4. On the [Find Dialog Box](../../search/find.md), search and select the group to add members to it, +4. On the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), search and select the group to add members to it, and click **OK**. ## Import members to a group @@ -188,11 +188,11 @@ Office 365 group. 2. Select the group you want to import members to, and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. -3. On the [Group properties - Members tab](../properties/members.md), click **Import** to launch the +3. On the [Group properties - Members tab](/docs/groupid/11.1/groupid/portal/group/properties/members.md), click **Import** to launch the **Import Members** wizard. -4. See [Import Group Members](../properties/importmembers.md) for further information and +4. See [Import Group Members](/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md) for further information and instructions. 5. Save the changes. 
@@ -200,10 +200,10 @@ Office 365 group. You can export members of a group to an external file. -1. [Directory Search](../../search/search.md) a group to export its members to an external file. +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) a group to export its members to an external file. 2. Select this group on the **Search Results** page and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Members** tab, click **Export** to launch the **Export Members** wizard. 4. On the **Attributes** page: @@ -236,10 +236,10 @@ Microsoft Entra ID tenant to the membership of a group in your domain. Or - [Directory Search](../../search/search.md) the group you want to invite a guest user to. + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to invite a guest user to. 2. Select the required group from the list and click **Properties** on the toolbar. The group's - [Group Properties](../properties/overview.md) page is displayed. + [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Members** tab, click the **Invite User** button. 4. On the **Invite User** dialog box, provide the following information: diff --git a/docs/groupid/11.1/groupid/portal/group/manage/groupownershipfunction.md b/docs/groupid/11.1/groupid/portal/group/manage/groupownershipfunction.md index 6e3945c57b..b47610b014 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/groupownershipfunction.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/groupownershipfunction.md 
@@ -60,11 +60,11 @@ Follow the steps to change a group's primary owner. 2. Select the required group and click **Properties** on the toolbar. 3. The group's properties page is displayed. -4. On the [Group properties - Owner tab](../properties/owner.md), the **Owner** box displays the +4. On the [Group properties - Owner tab](/docs/groupid/11.1/groupid/portal/group/properties/owner.md), the **Owner** box displays the group's primary owner. To change the primary owner, click **Browse** to launch the - [Find Dialog Box](../../search/find.md), where you can search and select another owner. + [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select another owner. 5. Save the changes. @@ -87,11 +87,11 @@ impact on the number of additional owners the group can have. The Groups page is displayed with the **My Groups** tab in view. 2. Select the required group and click **Properties** on the toolbar. -3. The group's [Group Properties](../properties/overview.md) page is displayed. -4. On the [Group properties - Owner tab](../properties/owner.md), click **Add** in the **Additional +3. The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. +4. On the [Group properties - Owner tab](/docs/groupid/11.1/groupid/portal/group/properties/owner.md), click **Add** in the **Additional Owners** area. 5. Enter a search string to locate the object to add as an additional owner, or click **Advanced** - to use the [Find Dialog Box](../../search/find.md) for performing a search. + to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. 6. By default, all group-related notifications (such as group expiry, deletion, and renewal notifications) are sent to the primary owner and all additional owners. To exclude an additional owner from receiving notifications, select the **Do not notify** check box. 
@@ -114,16 +114,16 @@ Follow the steps to import additional owners for a group. Or - [Directory Search](../../search/search.md) a group to import its additional owners from an + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) a group to import its additional owners from an external file. 2. Select the required from the list. and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. -3. On the [Group properties - Owner tab](../properties/owner.md), click **Import** to launch the +3. On the [Group properties - Owner tab](/docs/groupid/11.1/groupid/portal/group/properties/owner.md), click **Import** to launch the **Import Additional Owners** wizard. -4. See [Import Additional Owners](../properties/importadditionalowners.md) for further information +4. See [Import Additional Owners](/docs/groupid/11.1/groupid/portal/group/properties/importadditionalowners.md) for further information and instructions. 5. Save the changes. @@ -137,12 +137,12 @@ You can export additional owners of a group to an external file. Or - [Directory Search](../../search/search.md) a group to export its additional owners to an + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) a group to export its additional owners to an external file. 2. Select the group and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Owner** tab, click **Export** to launch the **Export Additional Owners** wizard. 4. On the **Attributes** page: 
@@ -169,10 +169,10 @@ You can export additional owners of a group to an external file. Ownership type indicates whether an object is a temporary or permanent additional owner of a group. You can change the ownership type of an additional owner from temporary to permanent and vice versa. -1. [Directory Search](../../search/search.md) a group to change the ownership type of its additional +1. [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) a group to change the ownership type of its additional owner(s). 2. Select this group on the Search Results page and click **Properties** on the toolbar. -3. On the group's [Group Properties](../properties/overview.md) page, click the **Owner** tab. +3. On the group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page, click the **Owner** tab. 4. To change the ownership type of an additional owner, click anywhere in the respective row to make it editable, and select an option from the **Ownership** list: @@ -246,10 +246,10 @@ Exchange additional group owners. The Groups page is displayed with the **My Groups** tab in view. 2. Select the required group and click **Properties** on the toolbar. -3. The group's [Group Properties](../properties/overview.md) page is displayed. +3. The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 4. On the **Email** tab, click **Add** in the **Managed By** area. 5. Enter a search string to locate the object to add as an Exchange additional owner, or click - **Advance** to use the [Find Dialog Box](../../search/find.md) for performing a search. + **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. NOTE: Only mail-enabled users can be set as Exchange additional owners. 
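Review bot: In the `@@ -246,10` hunk the rewritten line still reads `**Advance** to use the [Find Dialog Box]`, while step 5 of the `@@ -87,11` hunk in this same file says `click **Advanced**` for the same Find dialog entry point. Since the line is being touched anyway, check the label in the portal UI and use one spelling in both steps.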
diff --git a/docs/groupid/11.1/groupid/portal/group/manage/scheduleupdate.md b/docs/groupid/11.1/groupid/portal/group/manage/scheduleupdate.md index 0799b8722c..c4e75ad86c 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/scheduleupdate.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/scheduleupdate.md @@ -7,7 +7,7 @@ When a Smart Group or Dynasty is updated using a scheduled job, it involves the If the administrator has defined a Query Designer policy for your role, group membership is updated as per the defined policy. See the - [ Query Designer Policy](../../../admincenter/securityrole/policy/querydesigner.md)topic for + [ Query Designer Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md)topic for additional information. NOTE: Whatever the records returned by the query, the membership of an Office 365 group is @@ -46,10 +46,10 @@ In Directory Manager portal, you can perform the following functions for Smart G Or - [Directory Search](../../search/search.md) the group you want to modify the query for. + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to modify the query for. 2. Select the required Smart Group or Dynasty and click **Properties** on the toolbar. -3. Use the [Group properties - Smart Group/Query Designer tab](../properties/smartgroup.md) to view +3. Use the [Group properties - Smart Group/Query Designer tab](/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md) to view the query defined for the group. Click the **Query Designer** button to launch the **Query Designer** dialog box, where you can 
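Review bot: In the `@@ -7,7` hunk of scheduleupdate.md the added line carries over two typos from the line it replaces: the link text starts with a space (`[ Query Designer Policy]`) and there is no space between the closing parenthesis and `topic`, so the rendered sentence runs the link into the next word. Fix both in the `+` line: `[Query Designer Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md) topic for`.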
@@ -75,12 +75,12 @@ membership update. Or - [Directory Search](../../search/search.md) the group you want to associate a Smart Group Update + [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) the group you want to associate a Smart Group Update job with. 2. Select the required Smart Group or Dynasty and click **Properties** on the toolbar. - The group's [Group Properties](../properties/overview.md) page is displayed. + The group's [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) page is displayed. 3. On the **Smart Group/Query Designer** tab, select a Smart Group Update job from the **Scheduled Job** list. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/sendassendonbehalf.md b/docs/groupid/11.1/groupid/portal/group/manage/sendassendonbehalf.md index 9e7963964b..03d39787b9 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/sendassendonbehalf.md +++ b/docs/groupid/11.1/groupid/portal/group/manage/sendassendonbehalf.md @@ -16,9 +16,9 @@ when User B sends a message using User A’s address, the ‘From’ address wil `` on behalf of Mailbox ``. The administrator can provide the Send As and Send on Behalf features on any tab in -[Group Properties](../properties/overview.md). They are displayed as: +[Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md). They are displayed as: -![sendassendon](../../../../../../../static/img/product_docs/groupid/groupid/portal/group/manage/sendassendon.webp) +![sendassendon](/img/product_docs/groupid/groupid/portal/group/manage/sendassendon.webp) Use the **Add** and **Remove** buttons to add and remove objects in the Send As and Send on Behalf lists. diff --git a/docs/groupid/11.1/groupid/portal/group/manage/workingwithgroups.md b/docs/groupid/11.1/groupid/portal/group/manage/workingwithgroups.md index 94f0589c28..63cec150d9 100644 --- a/docs/groupid/11.1/groupid/portal/group/manage/workingwithgroups.md 
+++ b/docs/groupid/11.1/groupid/portal/group/manage/workingwithgroups.md @@ -15,7 +15,7 @@ General - [View groups managed by an object](generalfunction.md#view-groups-managed-by-an-object) - [Manage group access](generalfunction.md#manage-group-access) - [Set email delivery restrictions](generalfunction.md#set-email-delivery-restrictions) -- [The Send As and Send on Behalf features](sendassendonbehalf.md) +- [The Send As and Send on Behalf features](/docs/groupid/11.1/groupid/portal/group/manage/sendassendonbehalf.md) Group Membership @@ -60,12 +60,12 @@ Dynasties Group Expiry and Deletion -- [Group Expiry](groupexpiry.md) +- [Group Expiry](/docs/groupid/11.1/groupid/portal/group/manage/groupexpiry.md) - [Expire a group manually ](groupexpiryfunction.md#expire-a-group-manually) - [Change the expiry policy for a group](groupexpiryfunction.md#change-the-expiry-policy-for-a-group) - [Attest an expiring group](groupexpiryfunction.md#attest-an-expiring-group) - [Renew an expired group](groupexpiryfunction.md#renew-an-expired-group) -- [ Group Deletion](groupdeletion.md) +- [ Group Deletion](/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md) Query Designer Policy for Groups diff --git a/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md b/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md index c2848db78e..475a7b3e97 100644 --- a/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md 
@@ -5,7 +5,7 @@ Groups**. On the My Groups page, click the **My Deleted Groups** tab. The **My Deleted Groups** tab lists the deleted groups that you are the primary owner for. To include the groups for which you are an additional owner, select the **Display additional group -ownership in My Deleted Groups** check box on the [Portal Settings](../setting/portal.md) panel. +ownership in My Deleted Groups** check box on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search deleted groups and add [Filter All Groups](allgroups.md#filter-all-groups)by clicking **My Deleted Groups Grid diff --git a/docs/groupid/11.1/groupid/portal/group/mydynasties.md b/docs/groupid/11.1/groupid/portal/group/mydynasties.md index 54cf7ed070..6feb7b003d 100644 --- a/docs/groupid/11.1/groupid/portal/group/mydynasties.md +++ b/docs/groupid/11.1/groupid/portal/group/mydynasties.md @@ -2,7 +2,7 @@ This page lists the Dynasties you are the primary owner of. To include the groups for which you are an additional owner, select the **Display additional group ownership in My Dynasties** check box on -the [Portal Settings](../setting/portal.md) panel. +the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search dynasties and add [Filter All Groups](allgroups.md#filter-all-groups)by clicking **My Dynasties Grid Filters**. All diff --git a/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md b/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md index 6a0fa316e9..109e5c3d9b 100644 --- a/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md 
@@ -18,12 +18,12 @@ page. Moreover, when you manually expire a group that has an expiry policy other expire’, it is also moved to this page. The Group Lifecycle job is responsible for logically deleting expired groups, but you can also -physically delete a group. See the [ Group Deletion](manage/groupdeletion.md) topic for additional +physically delete a group. See the [ Group Deletion](/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md) topic for additional information. By default, the **My Expired Groups** tab lists the groups that you are the primary owner for. To include the groups for which you are an additional owner, select the **Display additional group -ownership in My Expired Groups** check box on the [Portal Settings](../setting/portal.md) panel. +ownership in My Expired Groups** check box on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search expired groups and add [Filter All Groups](allgroups.md#filter-all-groups)by clicking **My Expired Group Grid diff --git a/docs/groupid/11.1/groupid/portal/group/myexpiringgroups.md b/docs/groupid/11.1/groupid/portal/group/myexpiringgroups.md index a9db160c1c..a1e9ae5103 100644 --- a/docs/groupid/11.1/groupid/portal/group/myexpiringgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/myexpiringgroups.md 
@@ -10,7 +10,7 @@ reaches the expiry date. By default, the tab lists the groups that you are the primary owner for. To include the groups for which you are an additional owner, select the **Display additional group ownership in My Expiring -Groups** check box on the [Portal Settings](../setting/portal.md) panel. +Groups** check box on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search expiring groups and add [Filter All Groups](allgroups.md#filter-all-groups)by clicking **My Expiring Group Grid diff --git a/docs/groupid/11.1/groupid/portal/group/mygroups.md b/docs/groupid/11.1/groupid/portal/group/mygroups.md index 186f82317a..63ae2cfe41 100644 --- a/docs/groupid/11.1/groupid/portal/group/mygroups.md +++ b/docs/groupid/11.1/groupid/portal/group/mygroups.md 
@@ -3,17 +3,17 @@ To view and manage the groups that you own in the identity store, click **Groups** on the left navigation pane and select **My Groups**. This page lists all your active groups: -- [My Memberships](mymemberships.md) -- [My Expired Groups](myexpiredgroups.md) -- [My Expiring Groups](myexpiringgroups.md) -- [My Deleted Groups](mydeletedgroups.md) -- [My Smart Groups](mysmartgroups.md) -- [My Dynasties](mydynasties.md) -- [My Teams](myteams.md) (for Microsoft Entra ID based identity store) +- [My Memberships](/docs/groupid/11.1/groupid/portal/group/mymemberships.md) +- [My Expired Groups](/docs/groupid/11.1/groupid/portal/group/myexpiredgroups.md) +- [My Expiring Groups](/docs/groupid/11.1/groupid/portal/group/myexpiringgroups.md) +- [My Deleted Groups](/docs/groupid/11.1/groupid/portal/group/mydeletedgroups.md) +- [My Smart Groups](/docs/groupid/11.1/groupid/portal/group/mysmartgroups.md) +- [My Dynasties](/docs/groupid/11.1/groupid/portal/group/mydynasties.md) +- [My Teams](/docs/groupid/11.1/groupid/portal/group/myteams.md) (for Microsoft Entra ID based identity store) By default, the **My Groups** tab displays the groups that you are the primary owner for. To include the groups for which you are an additional owner, select the **Display additional group ownership in -My Groups** check box on the [Portal Settings](../setting/portal.md) panel. This tab lists active +My Groups** check box on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. This tab lists active groups only; expired and deleted groups are not displayed. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search your groups and 
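Review bot: This hunk rewrites every bare same-directory link (`mymemberships.md` through `myteams.md`) to an absolute path, but the trailing context still links `allgroups.md#modify-search-directory` relatively, so mygroups.md ends up with both styles. If relative links that carry a fragment are deliberately left alone, say so in the commit message; otherwise convert them too, as the overview.md change in this patch does for `login.md#log-in`.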
@@ -25,7 +25,7 @@ your groups matching the filters will be displayed. - Manually update the membership of a Smart Group using the **Update** command. You can also view update details on **Processing Object (s)** wizard. Click **OK** once done. If you click **Background**, the update runs in the background and will show in the **Background Tasks** tab. -- View and modify the [Group Properties](properties/overview.md) of a group. +- View and modify the [Group Properties](/docs/groupid/11.1/groupid/portal/group/properties/overview.md) of a group. - Manually expire your groups. After expiring the group, it will be listed in **My Expired Groups** list. - Select a smart group and click **Renew** on the toolbar; this re-applies the expiry policy of the @@ -63,7 +63,7 @@ your groups matching the filters will be displayed. - **Me:** You can set yourself as the Owner - **Other:** You can select some other user as the owner. -- Manually [ Group Deletion](manage/groupdeletion.md) any of your group. +- Manually [ Group Deletion](/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md) any of your group. - Get a list of all groups managed by s particular group (i.e., all groups for which the selected group is a primary or additional owner) @@ -77,7 +77,7 @@ your groups matching the filters will be displayed. Use the page numbers under the group listing to page through all groups. You can control the number of records to be displayed per page by modifying the **Search results per -page** setting on the [Portal Settings](../setting/portal.md) panel. +page** setting on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. ## Modify Search Directory 
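Review bot: In the `@@ -63,7` hunk the added line `- Manually [ Group Deletion](...) any of your group.` keeps a topic title standing in for a verb and a leading space inside the link text. Suggest rewording while the line is open, for example `- Manually delete any of your groups. See the [Group Deletion](/docs/groupid/11.1/groupid/portal/group/manage/groupdeletion.md) topic.`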
@@ -86,7 +86,7 @@ a domain to search active groups from. ## Transfer Ownership -You can find [Transfer Ownership](transferownership.md) option on the top right corner. Transfer +You can find [Transfer Ownership](/docs/groupid/11.1/groupid/portal/group/transferownership.md) option on the top right corner. Transfer Ownership enables you to: - Assign owners to orphan groups. diff --git a/docs/groupid/11.1/groupid/portal/group/mysmartgroups.md b/docs/groupid/11.1/groupid/portal/group/mysmartgroups.md index 6778921ec2..49be47f37c 100644 --- a/docs/groupid/11.1/groupid/portal/group/mysmartgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/mysmartgroups.md @@ -2,7 +2,7 @@ This page lists only the Smart Groups that you are primary owner of. To include the groups for which you are an additional owner, select the **Display additional group ownership in My Smart Groups** -check box on the [Portal Settings](../setting/portal.md) panel. +check box on the [Portal Settings](/docs/groupid/11.1/groupid/portal/setting/portal.md) panel. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search your smart groups and add [Filter All Groups](allgroups.md#filter-all-groups)by clicking **Smart Group Grid Filters**. diff --git a/docs/groupid/11.1/groupid/portal/group/overview.md b/docs/groupid/11.1/groupid/portal/group/overview.md index 6050c85ccf..cc52e61993 100644 --- a/docs/groupid/11.1/groupid/portal/group/overview.md +++ b/docs/groupid/11.1/groupid/portal/group/overview.md 
@@ -19,7 +19,7 @@ groups, thus ensuring that groups are never out of date. This allows administrators to easily maintain large groups without having to manually add and remove members. -NOTE: You must [Log in](../login.md#log-in) before using it for group management. +NOTE: You must [Log in](/docs/groupid/11.1/groupid/portal/login.md#log-in) before using it for group management. NOTE: When two identity stores (say, ID1 and ID2) are connected to the same domain (for example, demo1.com), then objects in demo1.com would have a distinct state in ID1 and ID2. For example, an diff --git a/docs/groupid/11.1/groupid/portal/group/privategroups.md b/docs/groupid/11.1/groupid/portal/group/privategroups.md index ed74ed3792..cc7847e6e8 100644 --- a/docs/groupid/11.1/groupid/portal/group/privategroups.md +++ b/docs/groupid/11.1/groupid/portal/group/privategroups.md @@ -2,7 +2,7 @@ This view lists only the private groups created using Directory Manager in the connected identity store. It does not list expired or deleted private groups. To view the expired or deleted groups, -select the [Expired Groups](allexpiredgroups.md) or [Deleted Groups](recyclebin/overview.md) +select the [Expired Groups](/docs/groupid/11.1/groupid/portal/group/allexpiredgroups.md) or [Deleted Groups](/docs/groupid/11.1/groupid/portal/group/recyclebin/overview.md) respectively. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search private groups and diff --git a/docs/groupid/11.1/groupid/portal/group/properties/channels.md b/docs/groupid/11.1/groupid/portal/group/properties/channels.md index 5e68a74c84..ab54e97ade 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/channels.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/channels.md 
@@ -29,7 +29,7 @@ Add the information for the following: It is displayed only if you select Private from the Privacy drop-down list. Click **Add** and enter a search string to locate the user to add as a member, or click - **Advance** to use the [Find Dialog Box](../../search/find.md) for performing a search. + **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. Click **Remove** if you want to remove any member. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/deliveryrestrictions.md b/docs/groupid/11.1/groupid/portal/group/properties/deliveryrestrictions.md index 8427c5619f..2b02ce595b 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/deliveryrestrictions.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/deliveryrestrictions.md @@ -23,7 +23,7 @@ Shows the objects whose emails will not be delivered to the group. **Add** To add an object to a list, click **Add** in the respective area. Enter a search string to locate -the required object, or click **Advance** to use the [Find Dialog Box](../../search/find.md) for +the required object, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. **Remove** diff --git a/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md b/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md index 710a4298d8..87cc6748e8 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md 
@@ -48,7 +48,7 @@ You can view and change the attributes for parent and middle Dynasties. - Select an attribute and click **Edit** to modify it. - Click **Remove** to remove the selected attribute. -See the [Dynasty Options page](../dynasty/dynastyoptionsorggeocus.md) for details. +See the [Dynasty Options page](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsorggeocus.md) for details. **Inheritance** @@ -89,7 +89,7 @@ the top manager and sub-level managers, or add all direct reports of the top man managers as members of a single group. You can view and change these structure options for parent and middle Dynasties. For details, see -the [Dynasty Options page (Managerial Dynasty)](../dynasty/dynastyoptionsmanagerial.md). +the [Dynasty Options page (Managerial Dynasty)](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md). NOTE: (1) If the **Set manager as owner** check box is selected, the **Always inherit** option is set for Inheritance, and the managedBy attribute is specified for inheritance, the **Set manager as @@ -106,7 +106,7 @@ Dynasties, replacing their respective primary owners. Set a custom attribute to create a managerial lineage in the context of this attribute. -See the [Dynasty Options page (Managerial Dynasty)](../dynasty/dynastyoptionsmanagerial.md)for a +See the [Dynasty Options page (Managerial Dynasty)](/docs/groupid/11.1/groupid/portal/group/dynasty/dynastyoptionsmanagerial.md)for a discussion on attributes. In addition to the scenarios discussed, the following also apply on Dynasty update: diff --git a/docs/groupid/11.1/groupid/portal/group/properties/email.md b/docs/groupid/11.1/groupid/portal/group/properties/email.md index e31640dbc4..e76bd43e8e 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/email.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/email.md 
@@ -22,10 +22,10 @@ additional owners specified for the group. GroupID sends group expiry, deletion, and renewal notifications to all Exchange additional owners along with the group’s primary owner and additional owners. See -[Group properties - Owner tab](owner.md) in group properties. +[Group properties - Owner tab](/docs/groupid/11.1/groupid/portal/group/properties/owner.md) in group properties. - Click **Add** to add an Exchange additional owner. Enter a search string to locate the required - object, or click **Advance** to use the [Find Dialog Box](../../search/find.md) for performing a + object, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. - To remove an Exchange additional owner, select it and click **Remove**. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/history.md b/docs/groupid/11.1/groupid/portal/group/properties/history.md index 3e986ae6eb..67ee7bf878 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/history.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/history.md @@ -3,7 +3,7 @@ This tab displays the object's history, which includes all changes to the object since its creation. History is available if the administrator has enabled history tracking for the identity store. See -[History](../../history/overview.md). +[History](/docs/groupid/11.1/groupid/portal/history/overview.md). ## View History 
@@ -52,9 +52,9 @@ edit or add comments. ### Add a note The option to add a note is available on the My Account History card on Dashboard, and all History -pages i.e.[My History](../../history/myhistory.md), -[My Direct Reports' History](../../history/mydirectreport.md) and -[My Groups' History](../../history/mydirectorygroup.md) pages. +pages i.e.[My History](/docs/groupid/11.1/groupid/portal/history/myhistory.md), +[My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md) and +[My Groups' History](/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md) pages. Step 1 – Click the **Add Note** button next to a history item to add a note to it. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md b/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md index d1e892e71b..7bf827e9be 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md @@ -52,7 +52,7 @@ launch the **Import Members** wizard. - **External Data Source** - 1. On the **Providers** page, select [Query Designer](../querydesigner/overview.md) to + 1. On the **Providers** page, select [Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) to create a query. The query will fetch all those members that match the set criteria. The Query Designer is not working. After adding provider in the data source, it is 
@@ -110,7 +110,7 @@ launch the **Import Members** wizard. 1. On the **Lifecycle** page, select the **Import Members From Group(s)** option to add all members of another group or groups to the membership of this group. -2. Click the **Search Groups** button; the [Find Dialog Box](../../search/find.md) is displayed, +2. Click the **Search Groups** button; the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) is displayed, where you can search and select the group(s) whose members you want to import into the membership of this group. 3. Click **Next**. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/memberof.md b/docs/groupid/11.1/groupid/portal/group/properties/memberof.md index 4023b2bd61..6a64b93765 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/memberof.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/memberof.md 
@@ -16,7 +16,7 @@ based on a particular criterion. For example; to show groups whose display names | Column Name | Description | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Display Name | Displays the names of the groups this user is a member of. | -| Membership | Indicates whether the user is a temporary or permanent member of the group. - Perpetual – To make the object a permanent member of the group. - Temporary Member – To make the object a temporary member of the group for the period you specify in the Beginning and Ending boxes. At the end of the period, the object is removed from the group membership. - Addition Pending – Indicates that the object will be a temporary member of the group for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Addition Pending’. On the beginning date, the membership type changes to ‘Temporary Member’. Example. You add Smith as a temporary member to Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Addition Pending’ as its membership type from May 15 to 19. However, Smith would not be added to group membership in the provider. On May 20, Smith will become a temporary member of Group A and its membership type will change to ‘Temporary Member’ from May 20 to 30. 
Smith will also be added to group membership in the provider. After May 30, Smith will be removed from Group A as a member in Directory Manager and in the provider. - Removal Pending - Indicates that the object will be temporarily removed from group membership for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Removal Pending’. On the beginning date, the membership type will change to ‘Temporary Removed’. Example. You remove Smith from Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Removal Pending’ as membership type from May 15 to 19. On May 20, Smith’s membership type in Directory Manager will change to ‘Temporary Removed’; lasting till May 30. However, Smith will be removed from Group A’s membership in the provider. After May 30, Smith will be added back to Group A as a permanent member in Directory Manager and in the provider. - Temporary Removed – Indicates that the object is temporarily removed from group membership for the period specified in the Beginning and Ending boxes. At the end of the period, the object is added back to the group membership as a permanent member. When the user is a perpetual member, the **Membership** column is blank. You cannot change the membership type of the user for any group on the **Member Of** tab. Rather, go to the properties of the specific group and change the user's membership type on the [Group properties - Members tab](members.md). | +| Membership | Indicates whether the user is a temporary or permanent member of the group. - Perpetual – To make the object a permanent member of the group. - Temporary Member – To make the object a temporary member of the group for the period you specify in the Beginning and Ending boxes. At the end of the period, the object is removed from the group membership. 
- Addition Pending – Indicates that the object will be a temporary member of the group for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Addition Pending’. On the beginning date, the membership type changes to ‘Temporary Member’. Example. You add Smith as a temporary member to Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Addition Pending’ as its membership type from May 15 to 19. However, Smith would not be added to group membership in the provider. On May 20, Smith will become a temporary member of Group A and its membership type will change to ‘Temporary Member’ from May 20 to 30. Smith will also be added to group membership in the provider. After May 30, Smith will be removed from Group A as a member in Directory Manager and in the provider. - Removal Pending - Indicates that the object will be temporarily removed from group membership for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Removal Pending’. On the beginning date, the membership type will change to ‘Temporary Removed’. Example. You remove Smith from Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Removal Pending’ as membership type from May 15 to 19. On May 20, Smith’s membership type in Directory Manager will change to ‘Temporary Removed’; lasting till May 30. However, Smith will be removed from Group A’s membership in the provider. After May 30, Smith will be added back to Group A as a permanent member in Directory Manager and in the provider. - Temporary Removed – Indicates that the object is temporarily removed from group membership for the period specified in the Beginning and Ending boxes. At the end of the period, the object is added back to the group membership as a permanent member. 
When the user is a perpetual member, the **Membership** column is blank. You cannot change the membership type of the user for any group on the **Member Of** tab. Rather, go to the properties of the specific group and change the user's membership type on the [Group properties - Members tab](/docs/groupid/11.1/groupid/portal/group/properties/members.md). | | Beginning | Displays the beginning date of the temporary addition or removal. | | Ending | Displays the ending date of the temporary addition or removal. | @@ -25,7 +25,7 @@ based on a particular criterion. For example; to show groups whose display names Click it to add this group to the memberships of another group (for example, Group A). Enter a search string to locate the required group (Group A), or click **Advance** to use the -[Find Dialog Box](../../search/find.md) for performing a search +[Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search The selected group(s) get listed in the **Member Of** grid. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/members.md b/docs/groupid/11.1/groupid/portal/group/properties/members.md index eaf1876ad8..7d5b6d5b9a 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/members.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/members.md 
@@ -34,15 +34,15 @@ days for temporary membership update. **Add** To add member(s) to the group, click **Add**. Enter a search string to locate the object to add as a -member, or click **Advance** to use the [Find Dialog Box](../../search/find.md) for performing a +member, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. The selected members get listed in the **Members** grid. NOTE: This button is disabled for Smart Groups and Dynasties since their memberships is determined -by the query set on the [Group properties - Smart Group/Query Designer tab](smartgroup.md). +by the query set on the [Group properties - Smart Group/Query Designer tab](/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md). See -[Schedule periodic membership updates for Smart Groups/Dynasties](../manage/scheduleupdate.md#schedule-periodic-membership-updates-for-smart-groupsdynasties). +[Schedule periodic membership updates for Smart Groups/Dynasties](/docs/groupid/11.1/groupid/portal/group/manage/scheduleupdate.md#schedule-periodic-membership-updates-for-smart-groupsdynasties). **Import** @@ -52,7 +52,7 @@ You can also choose to import all members of an existing group or groups to the group. Click **Import** to launch the **Import Members** wizard for importing group members. See -[Import Group Members](importmembers.md) for information and instructions. +[Import Group Members](/docs/groupid/11.1/groupid/portal/group/properties/importmembers.md) for information and instructions. **Export** 
@@ -61,7 +61,7 @@ You can export the list of members to an external file. Supported file formats a Click **Export** to launch the **Export Members** wizard for exporting group members. Select the attributes you want to export. For information and instructions, see -[Export group members](../manage/groupmembershipfunction.md#export-group-members). +[Export group members](/docs/groupid/11.1/groupid/portal/group/manage/groupmembershipfunction.md#export-group-members). **Remove All** diff --git a/docs/groupid/11.1/groupid/portal/group/properties/overview.md b/docs/groupid/11.1/groupid/portal/group/properties/overview.md index 5f9aedec4b..9c97576a0e 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/overview.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/overview.md @@ -11,14 +11,14 @@ displayed. 1. Save the changes made in the properties by clicking **Save**. 2. Click **Delete** to delete the group. 3. **Join** a group as a - [Join a group temporarily](../manage/groupjoinleave.md#join-a-group-temporarily) or - [Join a group permanently](../manage/groupjoinleave.md#join-a-group-permanently) + [Join a group temporarily](/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md#join-a-group-temporarily) or + [Join a group permanently](/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md#join-a-group-permanently) Select **Other** to add other users to the group. 4. **Leave** a group’s membership - [Leave a group temporarily](../manage/groupjoinleave.md#leave-a-group-temporarily) or - [Leave a group permanently](../manage/groupjoinleave.md#leave-a-group-permanently). + [Leave a group temporarily](/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md#leave-a-group-temporarily) or + [Leave a group permanently](/docs/groupid/11.1/groupid/portal/group/manage/groupjoinleave.md#leave-a-group-permanently). Select **Other** to remove other users from the group. 
@@ -45,22 +45,22 @@ displayed. ## Group Properties -- [Group properties - General tab](general.md) -- [Group properties - Owner tab](owner.md) -- [Group properties - Members tab](members.md) -- [properties - Member Of tab](memberof.md) -- [Group properties - Delivery Restrictions tab](deliveryrestrictions.md) -- [Object properties - Attributes tab](attributes.md) -- [Group properties - Email tab](email.md) -- [Group properties - Advanced tab](advanced.md) -- [Group properties - Tree View](treeview.md) -- [Group Properties - Entitlement tab](entitlements.md) -- [Group properties - Similar Groups tab](similargroups.md) -- [Object properties - History tab](history.md) -- [Teams Properties - Channels](channels.md) (For Teams only) -- [Group properties - Smart Group/Query Designer tab](smartgroup.md) (for Smart Groups and Dynasties +- [Group properties - General tab](/docs/groupid/11.1/groupid/portal/group/properties/general.md) +- [Group properties - Owner tab](/docs/groupid/11.1/groupid/portal/group/properties/owner.md) +- [Group properties - Members tab](/docs/groupid/11.1/groupid/portal/group/properties/members.md) +- [properties - Member Of tab](/docs/groupid/11.1/groupid/portal/group/properties/memberof.md) +- [Group properties - Delivery Restrictions tab](/docs/groupid/11.1/groupid/portal/group/properties/deliveryrestrictions.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Group properties - Email tab](/docs/groupid/11.1/groupid/portal/group/properties/email.md) +- [Group properties - Advanced tab](/docs/groupid/11.1/groupid/portal/group/properties/advanced.md) +- [Group properties - Tree View](/docs/groupid/11.1/groupid/portal/group/properties/treeview.md) +- [Group Properties - Entitlement tab](/docs/groupid/11.1/groupid/portal/group/properties/entitlements.md) +- [Group properties - Similar Groups tab](/docs/groupid/11.1/groupid/portal/group/properties/similargroups.md) +- [Object properties - 
History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) +- [Teams Properties - Channels](/docs/groupid/11.1/groupid/portal/group/properties/channels.md) (For Teams only) +- [Group properties - Smart Group/Query Designer tab](/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md) (for Smart Groups and Dynasties only) -- [Group properties - Dynasty Options tab](dynastyoptions.md) (for Dynasties only) +- [Group properties - Dynasty Options tab](/docs/groupid/11.1/groupid/portal/group/properties/dynastyoptions.md) (for Dynasties only) NOTE: The **Delivery Restrictions**, **Attributes**, **Email**, and **Advanced** tabs are not available for groups in a Microsoft Entra IDbased identity store. diff --git a/docs/groupid/11.1/groupid/portal/group/properties/owner.md b/docs/groupid/11.1/groupid/portal/group/properties/owner.md index 68481b1bdc..3dec5fd970 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/owner.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/owner.md @@ -13,7 +13,7 @@ group. If you specify a group, all its members are considered additional owners. You can also specify Exchange additional owners for the group. See the -[Group properties - Email tab](email.md) in group properties. +[Group properties - Email tab](/docs/groupid/11.1/groupid/portal/group/properties/email.md) in group properties. NOTE: 1. For groups in an Microsoft Entra ID based identity store, only users can be set as primary owners. Moreover, Microsoft Entra ID supports multiple primary owners for a group. Exchange 
@@ -25,7 +25,7 @@ additional owners are not supported. The primary owner of the group. To change the primary owner, click **Browse** next to the **Owner** box to launch the -[Find Dialog Box](../../search/find.md), where you can search and select a primary owner. +[Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select a primary owner. If the administrator has not enforced the selection of a primary owner in the Group Owner policy, you can also remove the primary owner. Click the **Remove** button next to the **Owner** box to @@ -81,13 +81,13 @@ not run on the particular days for temporary ownership update. To specify additional owner(s) for the group, click **Add**. Enter a search string to locate the object to add as an additional owner, or click **Advance** to -use the [Find Dialog Box](../../search/find.md) for performing a search. +use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. **Import** You can also specify additional owners for the group using an external file. Click **Import** to launch the **Import Additional Owners** wizard for importing additional owners. See -[Import Additional Owners](importadditionalowners.md) for further information and instructions. +[Import Additional Owners](/docs/groupid/11.1/groupid/portal/group/properties/importadditionalowners.md) for further information and instructions. **Export** @@ -96,7 +96,7 @@ You can export the list of additional owners to an external file. Supported file Click **Export** to launch the **Export Additional Owners** wizard for exporting additional owners. Select the attributes you want to export. For information and instructions, see -[Export additional owners](../manage/groupownershipfunction.md#export-additional-owners). +[Export additional owners](/docs/groupid/11.1/groupid/portal/group/manage/groupownershipfunction.md#export-additional-owners). **Remove** 
diff --git a/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md b/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md index 0403c85dd9..56679b077b 100644 --- a/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md +++ b/docs/groupid/11.1/groupid/portal/group/properties/smartgroup.md @@ -27,7 +27,7 @@ server and storage for the query to fetch the records from. **Query Designer** To modify the query, click the **Query Designer** button. This launches the -[Query Designer](../querydesigner/overview.md) dialog box, where you can modify the query. +[Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) dialog box, where you can modify the query. Smart Groups and Dynasties in a Microsoft Entra IDbased identity store use a device structured query language while those in an Active Directory based identity store use LDAP queries to update group diff --git a/docs/groupid/11.1/groupid/portal/group/publicgroups.md b/docs/groupid/11.1/groupid/portal/group/publicgroups.md index 1f0e9e7926..dbb15b4225 100644 --- a/docs/groupid/11.1/groupid/portal/group/publicgroups.md +++ b/docs/groupid/11.1/groupid/portal/group/publicgroups.md @@ -2,7 +2,7 @@ This view lists only the public groups created using Directory Manager in the connected identity store. It does not list expired or deleted public groups. To view the expired or deleted groups, -select the [Expired Groups](allexpiredgroups.md) or [Deleted Groups](recyclebin/overview.md) +select the [Expired Groups](/docs/groupid/11.1/groupid/portal/group/allexpiredgroups.md) or [Deleted Groups](/docs/groupid/11.1/groupid/portal/group/recyclebin/overview.md) respectively. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search private groups and diff --git a/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md b/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md index 1f9adf8716..651f6e7ff8 100644 
--- a/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md +++ b/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md @@ -13,7 +13,7 @@ The supported external data providers are: - SCIM Before using any of the above external data providers, a data source for the provider must be -defined in Admin Center. See the [Create a Data Source](../../../admincenter/datasource/create.md) +defined in Admin Center. See the [Create a Data Source](/docs/groupid/11.1/groupid/admincenter/datasource/create.md) topic. A connection is configured in a data source, Directory Manager portal connects to the external diff --git a/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md b/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md index 003e69a9f9..83f8628bfb 100644 --- a/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md +++ b/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md @@ -8,8 +8,8 @@ directory users who live in Houston and have a fax number. You can also apply lo If the administrator in your role's Query Designer policy has defined a default filter criteria, that filter criteria is displayed on this tab. You can view and copy the query using the **View Query** button. See the -[Specify a Default Filter Criteria](../../../admincenter/securityrole/policy/querydesigner.md#specify-a-default-filter-criteria) -section of the [ Query Designer Policy](../../../admincenter/securityrole/policy/querydesigner.md) +[Specify a Default Filter Criteria](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md#specify-a-default-filter-criteria) +section of the [ Query Designer Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md) topic. The default criteria is part of the policy; therefore, in Directory Manager portal it is visible to 
diff --git a/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md b/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md index ef1bf11fd2..4fb1f0aa8c 100644 --- a/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md +++ b/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md @@ -10,7 +10,7 @@ Microsoft SQL Server. If the administrator has defined a Query Designer access policy for your role, you can create queries as per the defined policy. A banner is displayed on the Query Designer dialog box indicating that the administrator has implemented a policy for your role. See the -[ Query Designer Policy](../../../admincenter/securityrole/policy/querydesigner.md) topic. +[ Query Designer Policy](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/querydesigner.md) topic. The query language depends on the identity store type. 
@@ -85,13 +85,13 @@ View the provider query in the LDAP Query box. The Query Designer has the following tabs: -- [Query Designer - General tab](general.md) -- [Query Designer - Storage tab](storage.md) -- [Query Designer - Filter Criteria tab](filtercriteria.md) -- [Query Designer - Include/Exclude tab](includeexclude.md) -- [Query Designer - Database tab](database.md) -- [Query Designer - Script tab](script.md) -- [Query Designer - Password Expiry Options tab](passwordexpiryoptions.md)[Query Designer - Password Expiry Options tab](passwordexpiryoptions.md) +- [Query Designer - General tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/general.md) +- [Query Designer - Storage tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/storage.md) +- [Query Designer - Filter Criteria tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md) +- [Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) +- [Query Designer - Database tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md) +- [Query Designer - Script tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/script.md) +- [Query Designer - Password Expiry Options tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md)[Query Designer - Password Expiry Options tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md) (only available for Smart Groups with a password expiry condition) NOTE: The **Storage** and **Script** tabs are not available for groups in a Microsoft Entra ID diff --git a/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md b/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md index e8d0588f1b..97e9169d86 100644 --- a/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md +++ b/docs/groupid/11.1/groupid/portal/group/querydesigner/passwordexpiryoptions.md 
@@ -53,7 +53,7 @@ The **Send email after update** options is enabled after the group is created. Warning emails are not sent to group members (users) whose passwords are set to 'never expire'. Such users are included in group membership when you select the **Include users whose password never expires** check box or add such users to the **Include** list on the -[Query Designer - Include/Exclude tab](includeexclude.md). +[Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md). For warning emails to be sent, you must have an SMTP server configured for the identity store. diff --git a/docs/groupid/11.1/groupid/portal/group/semiprivategroups.md b/docs/groupid/11.1/groupid/portal/group/semiprivategroups.md index 7237b8b79d..301b6ad845 100644 --- a/docs/groupid/11.1/groupid/portal/group/semiprivategroups.md +++ b/docs/groupid/11.1/groupid/portal/group/semiprivategroups.md @@ -2,8 +2,8 @@ This view lists only the semi-private groups created using Directory Manager in the connected identity store. It does not list expired or deleted semi private groups. To view the expired or -deleted groups, select the [Expired Groups](allexpiredgroups.md) or -[Deleted Groups](recyclebin/overview.md) respectively. +deleted groups, select the [Expired Groups](/docs/groupid/11.1/groupid/portal/group/allexpiredgroups.md) or +[Deleted Groups](/docs/groupid/11.1/groupid/portal/group/recyclebin/overview.md) respectively. You can [Modify Search Directory](allgroups.md#modify-search-directory) to search semi private groups and add [Filter All Groups](allgroups.md#filter-all-groups) by clicking **Private Group Grid diff --git a/docs/groupid/11.1/groupid/portal/group/teams/create.md b/docs/groupid/11.1/groupid/portal/group/teams/create.md index 2d409b2833..b147ac9ee2 100644 --- a/docs/groupid/11.1/groupid/portal/group/teams/create.md +++ b/docs/groupid/11.1/groupid/portal/group/teams/create.md 
@@ -13,19 +13,19 @@ Step 2 – The **Create Group** wizard opens to the **Group Type** page. Step 3 – Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. -Step 4 – On the [Group Type page](../create/grouptype.md), select the required group type and click +Step 4 – On the [Group Type page](/docs/groupid/11.1/groupid/portal/group/create/grouptype.md), select the required group type and click **Next**. Step 5 – On the General page, specify basic information about the group. Step 6 – If you select Static Group, specify members for the group on the -[Members page](../create/activedirectory/members.md). +[Members page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/members.md). Step 7 – If you select Smart Group or a Dynasty, review and modify the query for updating group -membership on the [ Smart Group page](../create/activedirectory/smartgroup.md). +membership on the [ Smart Group page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/smartgroup.md). -Step 8 – On the [Owners page](../create/activedirectory/owners.md), specify primary and additional +Step 8 – On the [Owners page](/docs/groupid/11.1/groupid/portal/group/create/activedirectory/owners.md), specify primary and additional owners for the group. -Step 9 – On the [Summary Page](../../user/create/activedirectory/summary.md), review the settings +Step 9 – On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. diff --git a/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md b/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md index 46a580b82f..10956c9aa0 100644 --- a/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md +++ b/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md 
@@ -80,7 +80,7 @@ edit or add comments. ### Add a note The option to add a note is available on the My Account History card on Dashboard, and all History -pages i.e.[My History](myhistory.md), [My Direct Reports' History](mydirectreport.md) and My Groups' +pages i.e.[My History](/docs/groupid/11.1/groupid/portal/history/myhistory.md), [My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md) and My Groups' History pages. Step 8 – Click the **Add Note** button next to a history item to add a note to it. diff --git a/docs/groupid/11.1/groupid/portal/history/mydirectreport.md b/docs/groupid/11.1/groupid/portal/history/mydirectreport.md index 6f1e46d42b..872f08c579 100644 --- a/docs/groupid/11.1/groupid/portal/history/mydirectreport.md +++ b/docs/groupid/11.1/groupid/portal/history/mydirectreport.md @@ -81,8 +81,8 @@ edit or add comments. ### Add a note The option to add a note is available on the My Account History card on Dashboard, and all History -pages i.e.[My History](myhistory.md), My Direct Reports' History and -[My Groups' History](mydirectorygroup.md) pages. +pages i.e.[My History](/docs/groupid/11.1/groupid/portal/history/myhistory.md), My Direct Reports' History and +[My Groups' History](/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md) pages. Step 8 – Click the **Add Note** button next to a history item to add a note to it. diff --git a/docs/groupid/11.1/groupid/portal/history/myhistory.md b/docs/groupid/11.1/groupid/portal/history/myhistory.md index 771d094f77..fc7aabc8e9 100644 --- a/docs/groupid/11.1/groupid/portal/history/myhistory.md +++ b/docs/groupid/11.1/groupid/portal/history/myhistory.md 
@@ -69,8 +69,8 @@ edit or add comments. ### Add a note The option to add a note is available on the My Account History card on Dashboard, and all History -pages i.e.My History, [My Direct Reports' History](mydirectreport.md) and -[My Groups' History](mydirectorygroup.md) pages. +pages i.e.My History, [My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md) and +[My Groups' History](/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md) pages. Step 7 – Click the **Add Note** button next to a history item to add a note to it. diff --git a/docs/groupid/11.1/groupid/portal/history/overview.md b/docs/groupid/11.1/groupid/portal/history/overview.md index eaae20c1da..83f5508fe0 100644 --- a/docs/groupid/11.1/groupid/portal/history/overview.md +++ b/docs/groupid/11.1/groupid/portal/history/overview.md @@ -20,7 +20,7 @@ history-tracking was turned off. A user can add a note to a history action that he/she performed. Other users can just view that note. This note may explain the reason for performing that action. See the -[Configure History Tracking](../../admincenter/identitystore/configure/directoryservice/historytracking.md) +[Configure History Tracking](/docs/groupid/11.1/groupid/admincenter/identitystore/configure/directoryservice/historytracking.md) topic. ## History views in the portal 
@@ -31,13 +31,13 @@ The Directory Manager Portal displays history as below: Displays a list of actions performed by the logged-on user. - The **History** tab in group / user / mailbox / contact properties. Displays the actions performed on the object by different users. -- The [My History](myhistory.md) page. +- The [My History](/docs/groupid/11.1/groupid/portal/history/myhistory.md) page. Displays the actions performed by the logged-on user and any changes made to this user's profile by another user. -- The [My Direct Reports' History](mydirectreport.md) page. +- The [My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md) page. Displays the changes made to the logged-on user's direct reports by this user or by any other user. -- The [My Groups' History](mydirectorygroup.md) page. +- The [My Groups' History](/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md) page. Displays the changes made by the logged-on user to a group that they own. Use the **History items to display on home page** setting on the User Settings panel to specify the diff --git a/docs/groupid/11.1/groupid/portal/login.md b/docs/groupid/11.1/groupid/portal/login.md index 4902b84e95..74e99384b1 100644 --- a/docs/groupid/11.1/groupid/portal/login.md +++ b/docs/groupid/11.1/groupid/portal/login.md 
@@ -5,10 +5,10 @@ Welcome to Directory Manager page is displayed, where you can: - Log in - Reset forgotten or lost passwords - See the [Reset Passwords](user/authentication/passwordreset.md) topic for additional information + See the [Reset Passwords](/docs/groupid/11.1/groupid/portal/user/authentication/passwordreset.md) topic for additional information on how to reset password. - Unlock your identity store account - See the [Unlock your accounts](user/manage/unlockaccount.md) topic for additional information on + See the [Unlock your accounts](/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md) topic for additional information on how to unlock account. To manage access in Directory Manager, security roles are defined for an identity store. Each role @@ -60,8 +60,8 @@ You can opt for single sign-on across all Directory Manager clients by configuri but for an Microsoft Entra ID identity store you must configure a SAML provider. See the following topics for additional information on configuring a SAML provider: -- [Configure Directory Manager in Microsoft Entra ID for SSO](../authenticate/asserviceprovider/entrasso/configureinentra.md) -- [Configure the Microsoft Entra SSO Application in Directory Manager](../authenticate/asserviceprovider/entrasso/configureprovideringroupid.md) +- [Configure Directory Manager in Microsoft Entra ID for SSO](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureinentra.md) +- [Configure the Microsoft Entra SSO Application in Directory Manager](/docs/groupid/11.1/groupid/authenticate/asserviceprovider/entrasso/configureprovideringroupid.md) Follow the steps to log in with a SAML provider 
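Review bot: Both added links in the SSO list of login.md hard-code the version directory (`/docs/groupid/11.1/groupid/authenticate/...`), where the removed relative links (`../authenticate/...`) carried no version at all. If this tree is later copied to produce another version's docs, these links will keep resolving to the 11.1 pages instead of breaking, so the mistake would be silent. Please document how links are to be rewritten when a version is cut, or confirm that the build rewrites them.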
@@ -72,17 +72,17 @@ proceed to sign in. ### Second Factor Authentication -When [Second Factor Authentication](user/authentication/secondfactorauthentication.md) is enabled +When [Second Factor Authentication](/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md) is enabled for your role in the selected identity store, one of the following applies: - If you have not enrolled your identity store account in Directory Manager, the Enroll Account window is displayed, where you must enroll your identity store account using at least one - authentication type. See the [Enroll your Identity Store Account](../admincenter/enroll.md) topic + authentication type. See the [Enroll your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic for additional information. - If you have already enrolled your identity store account in Directory Manager, the Authenticate window is displayed. It lists the authentication types that you enrolled your account with. You must authenticate your identity store account with one authentication type. See the - [Authenticate your Identity Store Account](../admincenter/authenticate.md) topic for additional + [Authenticate your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/authenticate.md) topic for additional information. ## Sign Out diff --git a/docs/groupid/11.1/groupid/portal/report/computer.md b/docs/groupid/11.1/groupid/portal/report/computer.md index b760f95874..c8cc53abe5 100644 --- a/docs/groupid/11.1/groupid/portal/report/computer.md +++ b/docs/groupid/11.1/groupid/portal/report/computer.md 
@@ -3,7 +3,7 @@ Computer Reports contains reports for the Computer objects in the directory. Search a specific report by typing its name in the **Search Reports** box. -Click any of the report template from the list to [Generate Reports](generate.md). +Click any of the report template from the list to [Generate Reports](/docs/groupid/11.1/groupid/portal/report/generate.md). Following is the list of reports for this category: diff --git a/docs/groupid/11.1/groupid/portal/report/contact.md b/docs/groupid/11.1/groupid/portal/report/contact.md index 312f823963..7259bd3497 100644 --- a/docs/groupid/11.1/groupid/portal/report/contact.md +++ b/docs/groupid/11.1/groupid/portal/report/contact.md @@ -3,7 +3,7 @@ Contact Reports contains reports for the Contact objects in the directory. Search a specific report by typing its name in the **Search Reports** box. -Click any of the report template from the list to [Generate Reports](generate.md). +Click any of the report template from the list to [Generate Reports](/docs/groupid/11.1/groupid/portal/report/generate.md). Following is the list of reports for this category: diff --git a/docs/groupid/11.1/groupid/portal/report/dashboard.md b/docs/groupid/11.1/groupid/portal/report/dashboard.md index 7082debb5f..22d48b5d0b 100644 --- a/docs/groupid/11.1/groupid/portal/report/dashboard.md +++ b/docs/groupid/11.1/groupid/portal/report/dashboard.md 
@@ -5,10 +5,10 @@ offers a wizard guided report generation process that accounts for quick and eas Directory Manager reports are organized into four categories: -- [User Reports](user.md) -- [Group Reports](group.md) -- [Computer Reports](computer.md) -- [Contact Reports](contact.md) +- [User Reports](/docs/groupid/11.1/groupid/portal/report/user.md) +- [Group Reports](/docs/groupid/11.1/groupid/portal/report/group.md) +- [Computer Reports](/docs/groupid/11.1/groupid/portal/report/computer.md) +- [Contact Reports](/docs/groupid/11.1/groupid/portal/report/contact.md) NOTE: A Microsoft Entra ID based identity store does not support the computer and contact object types. @@ -18,7 +18,7 @@ formats. The user interface of Reports Dashboard is as follows: -![reportsdashboard](../../../../../../static/img/product_docs/groupid/groupid/portal/report/reportsdashboard.webp) +![reportsdashboard](/img/product_docs/groupid/groupid/portal/report/reportsdashboard.webp) Different elements of the Dashboard are described below: @@ -61,7 +61,7 @@ Different elements of the Dashboard are described below: - Look on the left side of the page for the navigation pane, which lists links to the following: - Dashboard - - [User Reports](user.md) - - [Group Reports](group.md) - - [Computer Reports](computer.md) - - [Contact Reports](contact.md) + - [User Reports](/docs/groupid/11.1/groupid/portal/report/user.md) + - [Group Reports](/docs/groupid/11.1/groupid/portal/report/group.md) + - [Computer Reports](/docs/groupid/11.1/groupid/portal/report/computer.md) + - [Contact Reports](/docs/groupid/11.1/groupid/portal/report/contact.md) diff --git a/docs/groupid/11.1/groupid/portal/report/generate.md b/docs/groupid/11.1/groupid/portal/report/generate.md index b0fe17416b..97aa368dbf 100644 --- a/docs/groupid/11.1/groupid/portal/report/generate.md +++ b/docs/groupid/11.1/groupid/portal/report/generate.md 
@@ -74,4 +74,4 @@ is joined to a domain, techwr5.local, reports would display data for techwr5.loc ## Scheduled Report job You can create a **Scheduled Report job** on Directory Manager Admin Center. See -[Reports Schedule](../../admincenter/schedule/reports.md) +[Reports Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/reports.md) diff --git a/docs/groupid/11.1/groupid/portal/report/group.md b/docs/groupid/11.1/groupid/portal/report/group.md index e8b73bb0b5..190744091d 100644 --- a/docs/groupid/11.1/groupid/portal/report/group.md +++ b/docs/groupid/11.1/groupid/portal/report/group.md @@ -3,7 +3,7 @@ Directory Manager Reports contains reports for the Group objects in the directory. Search a specific report by typing its name in the **Search Reports** box. -Click any of the report template from the list to [Generate Reports](generate.md). +Click any of the report template from the list to [Generate Reports](/docs/groupid/11.1/groupid/portal/report/generate.md). Following is the list of reports for this category: 
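Review bot: The added line in report/group.md carries over a grammar slip, "Click any of the report template from the list"; it should read "any of the report templates". The identical sentence is re-added unchanged in computer.md, contact.md and user.md in this patch, so all four can be fixed in the same pass.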
@@ -64,7 +64,7 @@ Following is the list of reports for this category: | Mail-enabled groups with no members (Exchange) | Provides a list of all mail-enabled groups having no members. | | Mail-enabled groups with no owner (Exchange) | Provides a list of mail-enabled groups having no owner. | | Mail enabled Security Groups (Exchange) | Provides a list of mail-enabled groups in the domain. | -| Owners and objects they own Listed in [User Reports](user.md) category as well. | Provides a list of managers and their direct reports. | +| Owners and objects they own Listed in [User Reports](/docs/groupid/11.1/groupid/portal/report/user.md) category as well. | Provides a list of managers and their direct reports. | | Security Groups managed by GroupID | Provides a list of the security groups that are managed by Directory Manager. | | Smart Groups/Dynasties with their update status | Provides a list of Smart Groups and Dynasties with their update status information. | | Smart Groups and Included members | Provides a list of Smart Group members that are mentioned in the Include list on the Include/Exclude tab of the Query Designer window. | @@ -75,8 +75,8 @@ Following is the list of reports for this category: **See Also:** -- [Generate Reports](generate.md) -- [Manage Reports](manage.md) -- [User Reports](user.md) -- [Computer Reports](computer.md) -- [Contact Reports](contact.md) +- [Generate Reports](/docs/groupid/11.1/groupid/portal/report/generate.md) +- [Manage Reports](/docs/groupid/11.1/groupid/portal/report/manage.md) +- [User Reports](/docs/groupid/11.1/groupid/portal/report/user.md) +- [Computer Reports](/docs/groupid/11.1/groupid/portal/report/computer.md) +- [Contact Reports](/docs/groupid/11.1/groupid/portal/report/contact.md) diff --git a/docs/groupid/11.1/groupid/portal/report/manage.md b/docs/groupid/11.1/groupid/portal/report/manage.md index de2faa7bb1..4f10343ea5 100644 --- a/docs/groupid/11.1/groupid/portal/report/manage.md 
+++ b/docs/groupid/11.1/groupid/portal/report/manage.md @@ -38,7 +38,7 @@ report you generated and click on the template that you used. The template page will list the generated report. Step 3 – Click the **Edit** icon next to the report and follow -[In Step 1 of generating a report:](generate.md). Make the relevant changes and click Finish to +[In Step 1 of generating a report:](/docs/groupid/11.1/groupid/portal/report/generate.md). Make the relevant changes and click Finish to generate the report. ## Download a Report diff --git a/docs/groupid/11.1/groupid/portal/report/user.md b/docs/groupid/11.1/groupid/portal/report/user.md index 691ed3dbb5..23d97b251a 100644 --- a/docs/groupid/11.1/groupid/portal/report/user.md +++ b/docs/groupid/11.1/groupid/portal/report/user.md @@ -3,7 +3,7 @@ User Reports contains reports for the User objects in the directory. Search a specific report by typing its name in the **Search Reports** box. -Click any of the report template from the list to [Generate Reports](generate.md). +Click any of the report template from the list to [Generate Reports](/docs/groupid/11.1/groupid/portal/report/generate.md). Following is the list of reports for this category: 
@@ -36,7 +36,7 @@ Following is the list of reports for this category: | Non expiring user accounts | Provides a list of users account that will never expire. | | OUs created in X days | Provides a list of organization units (OUs) that are created in specified number of days. | | OUs modified in X days | Provides a list of organization units (OUs) modified in specified number of days. | -| Owners and objects they own Listed in [Group Reports](group.md) category as well. | Provides a list of owners and their direct reports. | +| Owners and objects they own Listed in [Group Reports](/docs/groupid/11.1/groupid/portal/report/group.md) category as well. | Provides a list of owners and their direct reports. | | Pending Terminate Users | Provides a list of users that have been terminated by their managers, but their termination request is pending for approval/rejection by an approver. | | Recently expired users | Provides a list of users expired in one day, seven days or one month. | | Recipients and the groups they are a member of | Provides a list of users and each group that they are a member of. | 
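Review bot: In the rewritten table row of report/user.md, the first cell runs the report name straight into its note: "Owners and objects they own Listed in [Group Reports](...) category as well." Add a separator so the report name stands apart, for example a line break or parentheses around the "Listed in ... category as well" remark, and apply the same change to the matching row in group.md.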
@@ -48,7 +48,7 @@ Following is the list of reports for this category: | User Life Cycle – Transfer Pending Users | Provides a list of direct reports that have been transferred but the transfer has to be accepted or rejected yet. | | User Life Cycle – Transferred Users | Provides a list of transferred users in the selected container. | | User Life Cycle – Verified Users | Provides a list of users who have validated their directory profiles. | -| Users and contacts with a phone number Listed in [Contact Reports](contact.md) category as well. | Provides a phone list of accounts within an organization. | +| Users and contacts with a phone number Listed in [Contact Reports](/docs/groupid/11.1/groupid/portal/report/contact.md) category as well. | Provides a phone list of accounts within an organization. | | Users changed in X days | Provides a list of users modified in one day, seven days or one month. | | Users created in X days | Provides a list of users created in one day, seven days or one month. | | Users member of Built in Security Groups | Provides a list of users that are member of default security groups, such as the Domain Admins group. | diff --git a/docs/groupid/11.1/groupid/portal/request/overview.md b/docs/groupid/11.1/groupid/portal/request/overview.md index 81b6ed15a9..08f785ee07 100644 --- a/docs/groupid/11.1/groupid/portal/request/overview.md +++ b/docs/groupid/11.1/groupid/portal/request/overview.md 
@@ -31,11 +31,11 @@ is executed. The job will run when the request is approved. On Directory Manager portal, use the **Requests** node to view and manage workflow requests for the connected identity store. Expanding this node displays the following tabs: -- [My Requests](myrequest.md) lists workflow requests that you have generated. It displays both +- [My Requests](/docs/groupid/11.1/groupid/portal/request/myrequest.md) lists workflow requests that you have generated. It displays both pending and processed requests. -- [Request Inbox](pending.md) lists the workflow requests for which you are the approver. You can +- [Request Inbox](/docs/groupid/11.1/groupid/portal/request/pending.md) lists the workflow requests for which you are the approver. You can view, approve, deny, or reroute these requests. -- [All Requests](allrequest.md) lists all pending workflow requests generated by enterprise users. +- [All Requests](/docs/groupid/11.1/groupid/portal/request/allrequest.md) lists all pending workflow requests generated by enterprise users. NOTE: If the user is high priority such as _Administrator_, only then they will see the _All Requests_ tab. @@ -73,7 +73,7 @@ workflow approver acceleration settings are not applied: default approver is not specified or disabled, the request is auto approved. See the - [Specify a Default Approver](../../admincenter/workflow/advancedsettings.md#specify-a-default-approver) + [Specify a Default Approver](/docs/groupid/11.1/groupid/admincenter/workflow/advancedsettings.md#specify-a-default-approver) topic. - If the requester is also the approver for that workflow, the request is auto-approved. 
@@ -94,4 +94,4 @@ another approver if the current approver does not act on it for a certain number The administrator can enable and configure workflow approver acceleration for an identity store in Directory Manager Admin Center. -See [Workflow Approver Acceleration](../../admincenter/workflow/approveracceleration.md) +See [Workflow Approver Acceleration](/docs/groupid/11.1/groupid/admincenter/workflow/approveracceleration.md) diff --git a/docs/groupid/11.1/groupid/portal/search/querysearch.md b/docs/groupid/11.1/groupid/portal/search/querysearch.md index e709ee5578..ea8fec9b19 100644 --- a/docs/groupid/11.1/groupid/portal/search/querysearch.md +++ b/docs/groupid/11.1/groupid/portal/search/querysearch.md @@ -5,7 +5,7 @@ groups) in the identity store based on a query. You can create queries and save directory objects searches. The Query Designer option on the Advanced Search page is available which presents you the -[Query Designer](../group/querydesigner/overview.md) dialog box similar to the query designer dialog +[Query Designer](/docs/groupid/11.1/groupid/portal/group/querydesigner/overview.md) dialog box similar to the query designer dialog box used for creating queries for Smart Groups and Dynasties. In Linked mode – Query based searches cannot be performed. @@ -25,7 +25,7 @@ automatically. Step 3 – Click **Query Designer** to create queries to search directory objects. -Step 4 – Select an option from the [Query Designer - General tab](../group/querydesigner/general.md) +Step 4 – Select an option from the [Query Designer - General tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/general.md) list to specify the type of object the query should fetch. Step 5 – You must specify the containers that the query should search for retrieving the directory 
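Review bot: Step 4 in search/querysearch.md now reads "Select an option from the [Query Designer - General tab](...) list", which names a tab as though it were a list. The next hunk in the same file refers to "the object type selected in the **Find** list", so the link text appears to have displaced the list name. Reword the step so it names the list itself and move the link into a "See the ... topic" sentence.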
@@ -38,26 +38,26 @@ Step 6 – The **Query Designer** dialog box groups similar query options by tab 1. **General tab**: lets you select object categories that you want the query to search in. The available options vary according to the object type selected in the **Find** list. See the - [Query Designer - General tab](../group/querydesigner/general.md) topic for additional + [Query Designer - General tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/general.md) topic for additional information. 2. **Storage tab**: lets you filter the mailboxes to return. See the - [Query Designer - Storage tab](../group/querydesigner/storage.md) topic for additional + [Query Designer - Storage tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/storage.md) topic for additional information. 3. **Filter Criteria tab**: lets you add additional filter criteria. For example, you can add criteria to retrieve all directory users who live in Houston and have a fax number. You can also apply logical operators (AND, OR) to your custom query to achieve the most accurate results. The condition list may vary while creating queries for object searches. See the - [Query Designer - Filter Criteria tab](../group/querydesigner/filtercriteria.md) topic for + [Query Designer - Filter Criteria tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/filtercriteria.md) topic for additional information. 4. **Include/Exclude tab:** lets you include or exclude objects regardless of whether they are returned by the query or not. Use the Add and Remove buttons to add and remove objects in the Include and Exclude sections respectively. See the - [Query Designer - Include/Exclude tab](../group/querydesigner/includeexclude.md) topic for + [Query Designer - Include/Exclude tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/includeexclude.md) topic for additional information. 5. 
**Database tab**: enables you to combine an external data source with the directory to search - directory objects. See the [Query Designer - Database tab](../group/querydesigner/database.md) + directory objects. See the [Query Designer - Database tab](/docs/groupid/11.1/groupid/portal/group/querydesigner/database.md) topic for additional information. Step 7 – Click the **LDAP Query** button to view the query generated from the settings you have diff --git a/docs/groupid/11.1/groupid/portal/search/search.md b/docs/groupid/11.1/groupid/portal/search/search.md index ff82f44eac..4ca17898d5 100644 --- a/docs/groupid/11.1/groupid/portal/search/search.md +++ b/docs/groupid/11.1/groupid/portal/search/search.md @@ -69,7 +69,7 @@ Objects matching the search criteria are displayed on the **Search Results** pag Directory Manager portal enables you to search directory objects (users, mailboxes, contacts, groups) in the identity store based on a query. See the -[Query Based Advanced Search](querysearch.md) topic. +[Query Based Advanced Search](/docs/groupid/11.1/groupid/portal/search/querysearch.md) topic. NOTE: In portal's linked mode, you cannot search contacts in linked Azure / Google Workspace / Generic LDAP store as contact object is not available in these providers. @@ -111,7 +111,7 @@ that customized portal fields, which are used while creating filter expressions objects, are bind with similar attributes of stores. Otherwise, Directory Manager will not be able to linked identities. -You can perform multiple actions on objects. See the [Toolbar](../toolbar.md) topic for additional +You can perform multiple actions on objects. See the [Toolbar](/docs/groupid/11.1/groupid/portal/toolbar.md) topic for additional information. To move through search results, use the page numbers given at the bottom of the listing. You can diff --git a/docs/groupid/11.1/groupid/portal/setting/portal.md b/docs/groupid/11.1/groupid/portal/setting/portal.md index a823ef628a..2de22d0f3e 100644 
--- a/docs/groupid/11.1/groupid/portal/setting/portal.md +++ b/docs/groupid/11.1/groupid/portal/setting/portal.md @@ -31,7 +31,7 @@ language. However, a user can opt to receive notifications in a different langua the language settings from the **User Settings** panel in the portal. However, there are a few exceptions to it. See the -[Notifications](../../admincenter/notification/overview.md) topic for more information. +[Notifications](/docs/groupid/11.1/groupid/admincenter/notification/overview.md) topic for more information. Step 1 – Click the **Settings** icon at the top of the page. @@ -77,8 +77,8 @@ Set the number of history items to display on the History tab. This tab is displ the properties for a User, Group, Contact or Mailbox. This setting also controls the number of history items displayed on the -[My History](../history/myhistory.md), [My Direct Reports' History](../history/mydirectreport.md), -and [My Groups' History](../history/mydirectorygroup.md) pages. +[My History](/docs/groupid/11.1/groupid/portal/history/myhistory.md), [My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md), +and [My Groups' History](/docs/groupid/11.1/groupid/portal/history/mydirectorygroup.md) pages. Step 1 – Click the **Settings** icon at the top of the page. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md b/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md index 7093c8fc13..3b314e95d7 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md 
@@ -7,7 +7,7 @@ directories, and then combine them in a job collection. Then you can execute the instead of executing each job one by one. To understand how workflows work with Synchronize jobs, see the -[Synchronize Jobs and Workflows](../../../admincenter/workflow/overview.md#synchronize-jobs-and-workflows) +[Synchronize Jobs and Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md#synchronize-jobs-and-workflows) topic. ## Create a job Collection @@ -16,16 +16,16 @@ Step 1 – On Directory Manager portal, select **Synchronize** on left pane. Step 2 – On the Synchronize portal, click **Create New** and then click **Job Collection.** -Step 3 – On the [Choose your Job Template](chooseyourjobcollectiontemplate.md) page, enter job +Step 3 – On the [Choose your Job Template](/docs/groupid/11.1/groupid/portal/synchronize/collection/chooseyourjobcollectiontemplate.md) page, enter job collection details and select whether to use a job collection template or create the job collection from scratch. Step 4 – Click **Next Step** -Step 5 – On the [Synchronized Job Collection](synchronizedjobcollection.md) page, add jobs to the +Step 5 – On the [Synchronized Job Collection](/docs/groupid/11.1/groupid/portal/synchronize/collection/synchronizedjobcollection.md) page, add jobs to the collection. You can either add existing jobs or create new jobs to add them to the job collection. -Step 6 – On the [Scheduling and Notifications](schedulingandnotification.md) page, choose a schedule +Step 6 – On the [Scheduling and Notifications](/docs/groupid/11.1/groupid/portal/synchronize/collection/schedulingandnotification.md) page, choose a schedule for a job collection and set up notification settings. NOTE: After creating the job collection, you can modify the schedule for the job collection and you 
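Review bot: The link texts in Steps 3 and 5 of collection/create.md do not match the page names used elsewhere in the patch. Step 5 links "Synchronized Job Collection" while synchronizedjobcollection.md itself says "On the **Synchronized Jobs Collection** page", and Step 3 links "Choose your Job Template" to chooseyourjobcollectiontemplate.md. Settle on one spelling per page title and use it as the link text.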
@@ -44,7 +44,7 @@ for which workflow is not configured. If workflow is configured for any job, the generated against that specific job. Step 11 – Generated workflow request will be displayed in the -“[Requests](../../request/overview.md)” section for the workflow approver(s). If the approver +“[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md)” section for the workflow approver(s). If the approver approves the workflow request, the job will execute the results. Step 12 – **Run Job Collection** dialog box displays overall collection statistics for the run, diff --git a/docs/groupid/11.1/groupid/portal/synchronize/collection/schedulingandnotification.md b/docs/groupid/11.1/groupid/portal/synchronize/collection/schedulingandnotification.md index 43e719023a..10dde0ff34 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/collection/schedulingandnotification.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/collection/schedulingandnotification.md @@ -14,7 +14,7 @@ Step 1 – On the **Scheduling and Notifications** page: Synchronize job scheduler. If you are modifying an existing job collection, you can also a new schedule for the job - collection. Visit [Synchronize Schedule](../../../admincenter/schedule/synchronize.md) + collection. Visit [Synchronize Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md) Step 2 – On the **Notifications** section, set up email notification of job collection run results. This feature requires Microsoft Exchange. Notifications are disabled by default and can be enabled 
@@ -43,6 +43,6 @@ Step 7 – Click **Finish** to exit the wizard and create the job collection. Step 8 – Once you run the job collection, a workflow request is triggered. -Step 9 – Generated workflow request will be displayed in the [Requests](../../request/overview.md) +Step 9 – Generated workflow request will be displayed in the [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) section for the workflow approver(s). If the approver approves the workflow request, the job will execute the results. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/collection/synchronizedjobcollection.md b/docs/groupid/11.1/groupid/portal/synchronize/collection/synchronizedjobcollection.md index 9a9803740c..f74d8a0e1a 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/collection/synchronizedjobcollection.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/collection/synchronizedjobcollection.md @@ -9,7 +9,7 @@ Step 1 – On the **Synchronized Jobs Collection** page, add jobs to the collect - To add an existing job to the collection, select **Add Existing Job(s)** dialog box. Select the check box next to the name of each job to be added and click **Add in Collection**. - To add a new job to the collection, select **Add New Job** dialog box. Follow the steps from - [Create a Job](../job/create.md). + [Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md). Step 2 – Rename the jobs in the job collection by clicking the **three vertical dots** button and click **Rename**. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md b/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md index 0da0569e3f..ecd11066e4 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md 
@@ -3,7 +3,7 @@ After signing into the Directory Manager portal, from the left pane select **Synchronize** to land on the dashboard. -![synchronizedashboard](../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/synchronizedashboard.webp) +![synchronizedashboard](/img/product_docs/groupid/groupid/portal/synchronize/synchronizedashboard.webp) The interface has intuitive navigation options: 
@@ -25,18 +25,18 @@ The top right corner of the application displays: | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Background jobs icon | View the status of jobs and job collections that are running in the background. It displays: - Jobs - Completed Jobs: Jobs that have been completed. - In Progress Jobs: Jobs that are still in running. - Job Collections - Completed Jobs: Job collections that have been completed. - In Progress Jobs: Job collections that are still in running. | | Help icon | Launch the synchronize portal help. | -| User profile icon | Displays your profile picture with your name and the identity store that Directory Manager portal is connected to. Click it to launch the menu that displays the option to [Sign Out](../login.md#sign-out) of the portal. | +| User profile icon | Displays your profile picture with your name and the identity store that Directory Manager portal is connected to. Click it to launch the menu that displays the option to [Sign Out](/docs/groupid/11.1/groupid/portal/login.md#sign-out) of the portal. 
| ## Menu Pane Look on the left side of the page for the navigation pane, which lists links to: -- Create New ([Create a Job](job/create.md) and [Create a Job Collection ](collection/create.md)) +- Create New ([Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md) and [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)) - Dashboard -- [Manage a Job](manage/job.md) -- [Manage a Job Collection ](manage/jobcollection.md) -- [Job Templates](manage/jobtemplate.md) -- [Job Collection Template](manage/jobcollectiontemplate.md) +- [Manage a Job](/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md) +- [Manage a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md) +- [Job Templates](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md) +- [Job Collection Template](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md) ## Dashboard diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/create.md b/docs/groupid/11.1/groupid/portal/synchronize/job/create.md index 8453a29b79..a6d02c6c80 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/create.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/create.md @@ -28,7 +28,7 @@ Once you create a job, you can either run it manually or schedule it to run peri You can create templates from existing jobs on-the-fly and reuse their settings in new jobs. To understand how workflows work with Synchronize jobs, see the -[Synchronize Jobs and Workflows](../../../admincenter/workflow/overview.md#synchronize-jobs-and-workflows) +[Synchronize Jobs and Workflows](/docs/groupid/11.1/groupid/admincenter/workflow/overview.md#synchronize-jobs-and-workflows) topic. ## Create a new job 
@@ -37,20 +37,20 @@ Step 1 – On Directory Manager portal, select **Synchronize**on left pane. Step 2 – On the Synchronize portal, click **Create New** and then click **Job**. -Step 3 – On the [Choose Your Job Template](chooseyourjobtemplate.md) page, enter the job details and +Step 3 – On the [Choose Your Job Template](/docs/groupid/11.1/groupid/portal/synchronize/job/chooseyourjobtemplate.md) page, enter the job details and select whether to use a job template or create the job from scratch. Step 4 – Click **Next Step**. -Step 5 – On the [Select Your Source and Destination](sourceanddestination.md) page, specify the +Step 5 – On the [Select Your Source and Destination](/docs/groupid/11.1/groupid/portal/synchronize/job/sourceanddestination.md) page, specify the source and destination providers. Step 6 – Click **Next Step**. -Step 7 – On the [Objects, Fields and Mapping ](objectfieldsandmapping.md) page, map the source and +Step 7 – On the [Objects, Fields and Mapping ](/docs/groupid/11.1/groupid/portal/synchronize/job/objectfieldsandmapping.md) page, map the source and destination fields and apply transformations. -Step 8 – On the [Schedule Job and Notifications](scheduleandnotification.md) page, choose a schedule +Step 8 – On the [Schedule Job and Notifications](/docs/groupid/11.1/groupid/portal/synchronize/job/scheduleandnotification.md) page, choose a schedule for a job and set up notification settings. NOTE: After creating the job, you can modify the schedule for the job and you can also create a new 
@@ -65,7 +65,7 @@ Step 11 – Click **Finish** and create the job. Step 12 – Once you run the job, the job runs if workflow is not configured. If workflow is configured, the request gets generated. -Step 13 – Generated workflow request will be displayed in the [Requests](../../request/overview.md) +Step 13 – Generated workflow request will be displayed in the [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) section for the workflow approver(s). If the approver approves the workflow request, the job will execute the results. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/mappingfield.md b/docs/groupid/11.1/groupid/portal/synchronize/job/mappingfield.md index 14f955e968..2632336e3d 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/mappingfield.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/mappingfield.md 
@@ -33,7 +33,7 @@ Mandatory attributes for User: | directoryrole | Every user is assigned a role in Microsoft Entra ID. In static transformation, it will auto-generate all roles in the tenant. Select the one you want to choose. | | | displayname | Given the name that appears on Microsoft Entra ID. You can map it with the first name. | | | givenname | First name of the user in Microsoft Entra ID. | | -| userprincipalname | You need to amend the domain name to give the userprincipalname. It is the mandatory key value and is unique for every user. In static transformation, select join to modify the name. Then go to the script transformation and you will see the updated script. [Copy]() `DTM.Source("First") & "." & DTM.Source("Last") & "@001wrc.onmicrosoft.com"` In the script, add the domain name and generate new userprincipal names for each user based on the join and script transform. | | +| userprincipalname | You need to amend the domain name to give the userprincipalname. It is the mandatory key value and is unique for every user. In static transformation, select join to modify the name. Then go to the script transformation and you will see the updated script. [Copy](javascript:void(0);) `DTM.Source("First") & "." & DTM.Source("Last") & "@001wrc.onmicrosoft.com"` In the script, add the domain name and generate new userprincipal names for each user based on the join and script transform. | | | password | Generate passwords for the users. | | Mandatory attributes for Mail-enabled User: diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/messagingsystemoverview.md b/docs/groupid/11.1/groupid/portal/synchronize/job/messagingsystemoverview.md index 301f9dfc2c..40324901c2 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/messagingsystemoverview.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/messagingsystemoverview.md 
@@ -4,6 +4,6 @@ Directory Manager enables users to configure messaging systems to efficiently cr enabled objects through a Synchronize job. Users can sync or deprovision subscriptions from the following messaging systems: -- [Exchange Subscription](exchange.md) -- [Google Workspace Subscription](googleapp.md) -- [Office 365 Subscription](office365.md) +- [Exchange Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/exchange.md) +- [Google Workspace Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/googleapp.md) +- [Office 365 Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md) diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/objectfieldsandmapping.md b/docs/groupid/11.1/groupid/portal/synchronize/job/objectfieldsandmapping.md index e0c3a927f1..b1db10b1ee 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/objectfieldsandmapping.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/objectfieldsandmapping.md @@ -34,15 +34,15 @@ On the **Object, Fields and Mappings** page, map the a attributes with source fi It displays the following list of new providers that you can use to create a job. - - [Google Workspace Subscription](googleapp.md) + - [Google Workspace Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/googleapp.md) Add connection details for Google Workspace. - - [Office 365 Subscription](office365.md) + - [Office 365 Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md) Add Connection details for Office 365. - - [Exchange Subscription](exchange.md) + - [Exchange Subscription](/docs/groupid/11.1/groupid/portal/synchronize/job/exchange.md) Add connection details for Exchange. 
@@ -57,7 +57,7 @@ On the **Object, Fields and Mappings** page, map the a attributes with source fi 3. In the **Script Language** section, specify the scripting language you want to use. Select one of the following language: - - [Visual Basic .NET for Directory Manager (formerly GroupID)](../script/visualbasicnetbasic.md) + - [Visual Basic .NET for Directory Manager (formerly GroupID)](/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md) - Python for Directory Manager (formerly GroupID) 4. The Global Script Editor allows the script author to extend the functionality of Synchronize by 
@@ -98,21 +98,21 @@ On the **Object, Fields and Mappings** page, map the a attributes with source fi | Icon | Description | | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | - | ![undo](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/undo.webp) | Reverses the last change. | - | ![redo](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/redo.webp) | Re-applies a change reversed using the Undo action. | - | ![indent](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/indent.webp) | Increases the indenting of the current text selection. | - | ![outdent](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/outdent.webp) | Decreases the indenting of the current text selection. | - | ![comment](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/comment.webp) | Comments the current text selection. | - | ![uncomment](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/uncomment.webp) | Uncomments the current text selection. | - | ![uppercase](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/uppercase.webp) | Converts the current text selection to uppercase. | - | ![lowercase](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/lowercase.webp) | Converts the current text selection to lowercase. | - | ![darktheme](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/darktheme.webp) | Switch the theme of the script editor to dark. | - | ![lighttheme](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/lighttheme.webp) | Switch the theme of the script editor to light. 
| - | ![selectall](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/job/selectall.webp) | Selects all the text in the editor. | + | ![undo](/img/product_docs/groupid/groupid/portal/synchronize/job/undo.webp) | Reverses the last change. | + | ![redo](/img/product_docs/groupid/groupid/portal/synchronize/job/redo.webp) | Re-applies a change reversed using the Undo action. | + | ![indent](/img/product_docs/groupid/groupid/portal/synchronize/job/indent.webp) | Increases the indenting of the current text selection. | + | ![outdent](/img/product_docs/groupid/groupid/portal/synchronize/job/outdent.webp) | Decreases the indenting of the current text selection. | + | ![comment](/img/product_docs/groupid/groupid/portal/synchronize/job/comment.webp) | Comments the current text selection. | + | ![uncomment](/img/product_docs/groupid/groupid/portal/synchronize/job/uncomment.webp) | Uncomments the current text selection. | + | ![uppercase](/img/product_docs/groupid/groupid/portal/synchronize/job/uppercase.webp) | Converts the current text selection to uppercase. | + | ![lowercase](/img/product_docs/groupid/groupid/portal/synchronize/job/lowercase.webp) | Converts the current text selection to lowercase. | + | ![darktheme](/img/product_docs/groupid/groupid/portal/synchronize/job/darktheme.webp) | Switch the theme of the script editor to dark. | + | ![lighttheme](/img/product_docs/groupid/groupid/portal/synchronize/job/lighttheme.webp) | Switch the theme of the script editor to light. | + | ![selectall](/img/product_docs/groupid/groupid/portal/synchronize/job/selectall.webp) | Selects all the text in the editor. | 8. Click **Save** to save the changes made to the script. -5. On the [Selected Fields for object types](selectedfield.md) type section, click **Add/Edit +5. On the [Selected Fields for object types](/docs/groupid/11.1/groupid/portal/synchronize/job/selectedfield.md) type section, click **Add/Edit Fields**. 
You can specify the action to take if the data or object being exported from the source does not exist at the destination. 6. Use the **Map Field** section to map the source and destination fields and to apply @@ -122,12 +122,12 @@ On the **Object, Fields and Mappings** page, map the a attributes with source fi Do one of the following: - - [Map Fields](mappingfield.md) + - [Map Fields](/docs/groupid/11.1/groupid/portal/synchronize/job/mappingfield.md) In the Source column of each destination item, select the source fields that contribute the data for the destination. - - **Apply a [Transform](../transformation/overview.md)** + - **Apply a [Transform](/docs/groupid/11.1/groupid/portal/synchronize/transformation/overview.md)** In the **Transform** column, click the **More Options** button to open the **Transform** [ _field_] dialog box and apply a transformation to the field value before it is saved diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md b/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md index 08760dc1c9..7b719a2c04 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/office365.md @@ -91,7 +91,7 @@ On the **Object, Fields and Mapping** page: 1. On the **Transform** dialog box, select _Static - assign a static value_ from the **Set the destination field to** box. 2. Click - [Auto-Generate Unique, Complex Passwords](../transformation/autogenerateuniquepassword.md). + [Auto-Generate Unique, Complex Passwords](/docs/groupid/11.1/groupid/portal/synchronize/transformation/autogenerateuniquepassword.md). 3. On the Password Complexity Options dialog box, enter 10 in the **Password Length** box. 4. Clear the **Special symbols** check box. 5. Click **Transform.** 
diff --git a/docs/groupid/11.1/groupid/portal/synchronize/job/scheduleandnotification.md b/docs/groupid/11.1/groupid/portal/synchronize/job/scheduleandnotification.md index e59c5fead6..9b77a7ec08 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/job/scheduleandnotification.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/job/scheduleandnotification.md @@ -13,7 +13,7 @@ run in future and set the notifications settings for the job. manually or from the Synchronize job scheduler. If you are modifying an existing job, you can also a new schedule for the job. Visit - [Synchronize Schedule](../../../admincenter/schedule/synchronize.md) + [Synchronize Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md) 2. Set up email notification of job run results: @@ -83,6 +83,6 @@ run in future and set the notifications settings for the job. 9. **Review your Changes** before finishing the job. 10. Click **Finish** and create the job. 11. Once you run the job, a workflow request is triggered. -12. Generated workflow request will be displayed in the [Requests](../../request/overview.md) +12. Generated workflow request will be displayed in the [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) section for the workflow approver(s). If the approver approves the workflow request, the job will execute the results. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md b/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md index 5d62b8f12d..05eaf1339f 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md 
@@ -37,7 +37,7 @@ All the jobs that match the specified criterion are displayed. ## Open a Job When you open a job to view or change its settings, the **Edit Job** wizard opens, which is -virtually identical to the [Create a Job](../job/create.md) wizard. +virtually identical to the [Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md) wizard. Step 1 – On Directory Manager portal, select **Synchronize** on left pane. @@ -57,7 +57,7 @@ Step 1 – On Directory Manager portal, select **Synchronize** on left pane. Step 2 – On the **Synchronize** portal, click **All Jobs**. Step 3 – In the jobs list, click -![option](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/manage/option.webp) +![option](/img/product_docs/groupid/groupid/portal/synchronize/manage/option.webp) on the job that you want to run and click **Run**. Step 4 – If workflow requests are enabled, the request for running the job will go to the approver. @@ -116,12 +116,12 @@ Step 2 – On Synchronize portal, click **All Jobs**. Step 3 – Click the **three vertical dots** icon of the job and select **Schedule** from the menu. -It will take you to the **Schedule and Job Notifications** page of [Create a Job](../job/create.md). +It will take you to the **Schedule and Job Notifications** page of [Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md). Update the schedule and click **Finish** to save the changes. ## Pin a Job -To pin a job to the [Dashboard](../dashboard.md) under the pinned job card: +To pin a job to the [Dashboard](/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md) under the pinned job card: Step 1 – On Directory Manager portal, select **Synchronize** on left pane. 
@@ -129,7 +129,7 @@ Step 2 – On Synchronize portal, click **All Jobs**. Step 3 – Click the **three vertical dots** icon of the job and select **Pin Item** from the menu. -Step 4 – The job is displayed on **My Pinned Jobs** card on the [Dashboard](../dashboard.md). +Step 4 – The job is displayed on **My Pinned Jobs** card on the [Dashboard](/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md). ## Save as Template diff --git a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md index 90334e543c..94e15319bf 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md @@ -170,7 +170,7 @@ reports. ## Pin a Job Collection -Follow the steps to pin a job to the [Dashboard](../dashboard.md) under the pinned job card. +Follow the steps to pin a job to the [Dashboard](/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md) under the pinned job card. Step 1 – On Directory Manager portal, select **Synchronize** on left pane. @@ -180,7 +180,7 @@ Step 3 – Click the three vertical dots icon of the job collection and select * menu. Step 4 – The job collection is displayed on My Pinned Job Collections section on the -[Dashboard](../dashboard.md). +[Dashboard](/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md). ## Save as Template diff --git a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md index 3557728237..7606bbf8e7 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md 
@@ -22,7 +22,7 @@ Step 1 – On Directory Manager portal, select **Synchronize** on left pane. Step 2 – On the Synchronize portal, click **Job Collections**. Step 3 – In the Job Collections view, click -![option](../../../../../../../static/img/product_docs/groupid/groupid/portal/synchronize/manage/option.webp) +![option](/img/product_docs/groupid/groupid/portal/synchronize/manage/option.webp) on the job collection you want to save as a template and click **Save As Template**. Step 4 – Now click **Job Collection Templates** and refresh the page. The newly created job group @@ -92,7 +92,7 @@ OR Double-click the job collection template you want to use for the new job collection. -Step 4 – This will launch [Create a Job Collection ](../collection/create.md) wizard starting from +Step 4 – This will launch [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md) wizard starting from the Job Collection(s) page. Proceed to map the settings stored in the template on to the new job collection. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md index cf6ff73b27..93916a9338 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md @@ -82,7 +82,7 @@ OR Click the job template you want to use for the new job. -This will launch [Create a Job](../job/create.md) wizard. Proceed to map the settings stored in the +This will launch [Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md) wizard. Proceed to map the settings stored in the template on to the new job. ## Rename a Job Template diff --git a/docs/groupid/11.1/groupid/portal/synchronize/manage/schedule.md b/docs/groupid/11.1/groupid/portal/synchronize/manage/schedule.md index d03459dcdc..6676731453 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/manage/schedule.md 
+++ b/docs/groupid/11.1/groupid/portal/synchronize/manage/schedule.md @@ -5,4 +5,4 @@ to run automatically. Create a Synchronize schedule and add Synchronize jobs and targets. When the schedule runs, the target jobs and job collections are executed. To create a Synchronize schedule, see the -[Synchronize Schedule](../../../admincenter/schedule/synchronize.md) topic. +[Synchronize Schedule](/docs/groupid/11.1/groupid/admincenter/schedule/synchronize.md) topic. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/overview.md b/docs/groupid/11.1/groupid/portal/synchronize/overview.md index e87db5fa68..f0fc96c4be 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/overview.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/overview.md @@ -16,7 +16,7 @@ Using Directory Manager, you can create identity stores for several identity pro Active Directory and Microsoft Entra ID) as well as create data sources for providers such as files and databases. Directory Manager Synchronize uses user-defined identity stores (as source and destination) built on databases, files and other applications such as Oracle, SQL and so on. To view -the list of supported Synchronize providers, see the [Synchronize Providers](provider.md) topic. +the list of supported Synchronize providers, see the [Synchronize Providers](/docs/groupid/11.1/groupid/portal/synchronize/provider.md) topic. The following must be defined before you can use Synchronize: 
@@ -57,9 +57,9 @@ The following must be defined before you can use Synchronize: Synchronize dashboard displays performance widgets and cards displaying the data about your jobs and job collections. On the navigation pane on the left side, you will see the following tabs: -- Create New ([Create a Job](job/create.md) and [Create a Job Collection ](collection/create.md)) -- [Dashboard](dashboard.md) -- [Manage a Job](manage/job.md) -- [Manage a Job Collection ](manage/jobcollection.md) -- [Job Templates](manage/jobtemplate.md) -- [Job Collection Template](manage/jobcollectiontemplate.md) +- Create New ([Create a Job](/docs/groupid/11.1/groupid/portal/synchronize/job/create.md) and [Create a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/collection/create.md)) +- [Dashboard](/docs/groupid/11.1/groupid/portal/synchronize/dashboard.md) +- [Manage a Job](/docs/groupid/11.1/groupid/portal/synchronize/manage/job.md) +- [Manage a Job Collection ](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollection.md) +- [Job Templates](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobtemplate.md) +- [Job Collection Template](/docs/groupid/11.1/groupid/portal/synchronize/manage/jobcollectiontemplate.md) diff --git a/docs/groupid/11.1/groupid/portal/synchronize/provider.md b/docs/groupid/11.1/groupid/portal/synchronize/provider.md index 1325935526..bbbdf3fe2d 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/provider.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/provider.md @@ -45,7 +45,7 @@ source and destination. Use Google Workspace to connect to Google Workspace plans. You can use it as a source and destination provider. -See the [Identity Stores](../../admincenter/identitystore/overview.md) topic for additional +See the [Identity Stores](/docs/groupid/11.1/groupid/admincenter/identitystore/overview.md) topic for additional information on identity stores. ## Data Sources 
@@ -115,5 +115,5 @@ External data sources must be created first in Data Sources tab in Admin Center. files or tab-separated value (TSV) text files. This provider supports automatic schema detection if a header row is included in the file. -See the [ Data Sources](../../admincenter/datasource/overview.md) topic for additional information +See the [ Data Sources](/docs/groupid/11.1/groupid/admincenter/datasource/overview.md) topic for additional information on Data Sources. diff --git a/docs/groupid/11.1/groupid/portal/synchronize/script/dtmscript.md b/docs/groupid/11.1/groupid/portal/synchronize/script/dtmscript.md index 6ad8e1cf47..de0d165ee8 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/script/dtmscript.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/script/dtmscript.md @@ -11,12 +11,12 @@ The type of script determines the nature of the script result: ## Examples and Language Overview -- For examples of transform scripts, see the [Sample Transform Scripts](sampletransformscript.md) +- For examples of transform scripts, see the [Sample Transform Scripts](/docs/groupid/11.1/groupid/portal/synchronize/script/sampletransformscript.md) topic -- For examples of container scripts, see the [Sample Container Scripts](samplecontainerscript.md) +- For examples of container scripts, see the [Sample Container Scripts](/docs/groupid/11.1/groupid/portal/synchronize/script/samplecontainerscript.md) topic - For general information, see - [Visual Basic .NET for Directory Manager (formerly GroupID)](visualbasicnetbasic.md) topic + [Visual Basic .NET for Directory Manager (formerly GroupID)](/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md) topic - For general information, see Python for GroupID topic ## DTM keywords diff --git a/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md b/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md index a1f3b1ef9b..95f9ec45d5 100644 
--- a/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/script/visualbasicnetbasic.md @@ -8,9 +8,9 @@ article for additional information. Visual Basic .NET is largely a superset of Visual Basic 6. If you are familiar with Visual Basic before the advent of .NET technology, you may wish to refer to -[Language Changes in Visual Basic](), +[Language Changes in Visual Basic](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/skw8dhdd(v%3dvs.90)), and particularly to -[Programming Element Support Changes Summary](). +[Programming Element Support Changes Summary](https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2008/kaf4ssya(v%3dvs.90)). For the most part, statements and constructs that worked in Visual Basic 6, Visual BasicScript, and Visual BasicA continue to work in Visual Basic .NET. @@ -96,7 +96,7 @@ the first character occupies position 0) instead of 1-based (the first character ``` For a list of such string methods, see -[.NET String Methods](). +[.NET String Methods](https://msdn.microsoft.com/en-us/library/system.string_methods(v%3dvs.110).aspx). ## Line Continuation diff --git a/docs/groupid/11.1/groupid/portal/synchronize/transformation/overview.md b/docs/groupid/11.1/groupid/portal/synchronize/transformation/overview.md index 82f843da94..72a1a7b6f1 100644 --- a/docs/groupid/11.1/groupid/portal/synchronize/transformation/overview.md +++ b/docs/groupid/11.1/groupid/portal/synchronize/transformation/overview.md 
@@ -49,7 +49,7 @@ ignores the value in the source field mapped to it. environment variables, determine that they are supported by the Windows installed on your host machine -- [Auto-Generate Unique, Complex Passwords](autogenerateuniquepassword.md) based on complexity rules +- [Auto-Generate Unique, Complex Passwords](/docs/groupid/11.1/groupid/portal/synchronize/transformation/autogenerateuniquepassword.md) based on complexity rules You can assign a single password to all synced objects or generate individual passwords for each object. diff --git a/docs/groupid/11.1/groupid/portal/toolbar.md b/docs/groupid/11.1/groupid/portal/toolbar.md index a7535006d0..46fe63490a 100644 --- a/docs/groupid/11.1/groupid/portal/toolbar.md +++ b/docs/groupid/11.1/groupid/portal/toolbar.md 
@@ -5,28 +5,28 @@ depending on the page you are on. Toolbar buttons are listed in the following ta | Button | Description | | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![expire](../../../../../static/img/product_docs/groupid/groupid/portal/expire.webp) | The behavior of this button depends on the expiry policy of the selected group. - When the group has its expiry policy set to ‘never expire’, clicking this button displays an error message that the group cannot be expired. - When the group has an expiry policy other than ‘never expire’, clicking this button expires the group and moves it to the My Expired Groups page. - A group without an expiry policy will not expire. Directory groups that are created outside of Directory Manager do not have an expiry policy. | -| ![properties](../../../../../static/img/product_docs/groupid/groupid/portal/properties.webp) | View the properties of the selected object. | -| ![update](../../../../../static/img/product_docs/groupid/groupid/portal/update.webp) | Use this button to manually update a Smart Group. On clicking it, a dialog box is displayed, that shows the progress of the Smart Group Update job. To run this job in the background, click the **Run in Background** buttons. 
Use the **Background Tasks** icon in the top right corner to view the status of the Smart Group Update jobs. | -| ![join](../../../../../static/img/product_docs/groupid/groupid/portal/join.webp) | The logged-on user can use this button to join group(s). 1. Click the arrow and select one of the following: - **Join perpetually**- to join the selected group(s) permanently. - **Join temporarily** - to join the selected group(s) for a specified period. At the end of the period, you are automatically removed from the group membership. 2. Click the **Join** button. The **Other** option is visible to users who have the ‘Manage my Direct Reports’ or ‘Join/Leave on behalf of Peer’ permission or both in the identity store. It enables the logged-on user to join a group permanently or temporarily on behalf of a direct report or peer. | -| ![leave](../../../../../static/img/product_docs/groupid/groupid/portal/leave.webp) | The logged-on user can use this button to leave group(s). 1. Click the arrow and select one of the following: - **Leave perpetually**- to leave the selected group(s) permanently. - **Leave temporarily** - to leave the selected group(s) for a specified period. At the end of the period, you are automatically added back to the group membership. 2. Click the **Leave** button. The **Other** option is visible to users who have the ‘Manage my Direct Reports’ or ‘Join/Leave on behalf of Peer’ permission or both in the identity store. It enables the logged-on user to leave a group permanently or temporarily on behalf of a direct report or peer. | -| ![managedby](../../../../../static/img/product_docs/groupid/groupid/portal/managedby.webp) | View the groups managed by the selected object, i.e., the groups for which the selected object is a primary or additional owner. | -| ![addtogroup](../../../../../static/img/product_docs/groupid/groupid/portal/addtogroup.webp) | Adds the selected objects to the membership of one or more groups. 
Click the button to search for groups to add the selected objects to. | -| ![exportresult](../../../../../static/img/product_docs/groupid/groupid/portal/exportresult.webp) | Exports the displayed object list to a Microsoft Excel file. | -| ![addtocontacts](../../../../../static/img/product_docs/groupid/groupid/portal/addtocontacts.webp) | Creates a vCard file for the selected object and prompts you to save it on your machine. You can then use it to add the group's email address to your email contact list. This feature requires a program registered for the vCard MIME type, such as Microsoft Outlook or Microsoft Outlook Express. | -| ![sendemail](../../../../../static/img/product_docs/groupid/groupid/portal/sendemail.webp) | Sends an email to the selected object(s). Clicking this button launches the default Windows email application for sending email. | -| ![renew](../../../../../static/img/product_docs/groupid/groupid/portal/renew.webp) | Renews the selected groups by re-applying the expiration policy of the group, starting from today. | -| ![attesticon](../../../../../static/img/product_docs/groupid/groupid/portal/attesticon.webp) | Verify and validate a group's attributes and membership; then renew the group by re-applying its expiration policy, starting from today. | -| ![delete](../../../../../static/img/product_docs/groupid/groupid/portal/delete.webp) | Deletes the selected users and contacts. For groups, it physically deletes expired and logically deleted groups. Physically deleted groups are not available in the portal anymore. It does not delete groups with a valid expiry policy. | -| ![save](../../../../../static/img/product_docs/groupid/groupid/portal/save.webp) | Saves your changes. | -| ![import](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/tools/import.webp) | Add members or additional owners to a group using an external file. 
| -| ![export](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) | Export members or additional owners of a group to an external file. | -| ![movegroup](../../../../../static/img/product_docs/groupid/groupid/portal/movegroup.webp) | Move groups from one container to another. | -| ![setowner](../../../../../static/img/product_docs/groupid/groupid/portal/setowner.webp) | Set owner for a group. | -| ![securitytype](../../../../../static/img/product_docs/groupid/groupid/portal/securitytype.webp) | Set security type of a group. | -| ![expiration](../../../../../static/img/product_docs/groupid/groupid/portal/expiration.webp) | Set the expiration policy of a group. | -| ![resetpassword](../../../../../static/img/product_docs/groupid/groupid/portal/resetpassword.webp) | Reset password for a user. | -| ![heirarchy](../../../../../static/img/product_docs/groupid/groupid/portal/heirarchy.webp) | View the organizational hierarchy chart of a user. | -| ![validate](../../../../../static/img/product_docs/groupid/groupid/portal/validate.webp) | Verify and update your profile information. | -| ![subscribe](../../../../../static/img/product_docs/groupid/groupid/portal/subscribe.webp) | Subscribe to the Teams channel. Only non MFA Microsoft Entra ID users can subscribe to the Teams channel. | -| ![unsubscribe](../../../../../static/img/product_docs/groupid/groupid/portal/unsubscribe.webp) | Unsubscribe from the Team channel. | +| ![expire](/img/product_docs/groupid/groupid/portal/expire.webp) | The behavior of this button depends on the expiry policy of the selected group. - When the group has its expiry policy set to ‘never expire’, clicking this button displays an error message that the group cannot be expired. - When the group has an expiry policy other than ‘never expire’, clicking this button expires the group and moves it to the My Expired Groups page. - A group without an expiry policy will not expire. 
Directory groups that are created outside of Directory Manager do not have an expiry policy. | +| ![properties](/img/product_docs/groupid/groupid/portal/properties.webp) | View the properties of the selected object. | +| ![update](/img/product_docs/groupid/groupid/portal/update.webp) | Use this button to manually update a Smart Group. On clicking it, a dialog box is displayed, that shows the progress of the Smart Group Update job. To run this job in the background, click the **Run in Background** buttons. Use the **Background Tasks** icon in the top right corner to view the status of the Smart Group Update jobs. | +| ![join](/img/product_docs/groupid/groupid/portal/join.webp) | The logged-on user can use this button to join group(s). 1. Click the arrow and select one of the following: - **Join perpetually**- to join the selected group(s) permanently. - **Join temporarily** - to join the selected group(s) for a specified period. At the end of the period, you are automatically removed from the group membership. 2. Click the **Join** button. The **Other** option is visible to users who have the ‘Manage my Direct Reports’ or ‘Join/Leave on behalf of Peer’ permission or both in the identity store. It enables the logged-on user to join a group permanently or temporarily on behalf of a direct report or peer. | +| ![leave](/img/product_docs/groupid/groupid/portal/leave.webp) | The logged-on user can use this button to leave group(s). 1. Click the arrow and select one of the following: - **Leave perpetually**- to leave the selected group(s) permanently. - **Leave temporarily** - to leave the selected group(s) for a specified period. At the end of the period, you are automatically added back to the group membership. 2. Click the **Leave** button. The **Other** option is visible to users who have the ‘Manage my Direct Reports’ or ‘Join/Leave on behalf of Peer’ permission or both in the identity store. 
It enables the logged-on user to leave a group permanently or temporarily on behalf of a direct report or peer. | +| ![managedby](/img/product_docs/groupid/groupid/portal/managedby.webp) | View the groups managed by the selected object, i.e., the groups for which the selected object is a primary or additional owner. | +| ![addtogroup](/img/product_docs/groupid/groupid/portal/addtogroup.webp) | Adds the selected objects to the membership of one or more groups. Click the button to search for groups to add the selected objects to. | +| ![exportresult](/img/product_docs/groupid/groupid/portal/exportresult.webp) | Exports the displayed object list to a Microsoft Excel file. | +| ![addtocontacts](/img/product_docs/groupid/groupid/portal/addtocontacts.webp) | Creates a vCard file for the selected object and prompts you to save it on your machine. You can then use it to add the group's email address to your email contact list. This feature requires a program registered for the vCard MIME type, such as Microsoft Outlook or Microsoft Outlook Express. | +| ![sendemail](/img/product_docs/groupid/groupid/portal/sendemail.webp) | Sends an email to the selected object(s). Clicking this button launches the default Windows email application for sending email. | +| ![renew](/img/product_docs/groupid/groupid/portal/renew.webp) | Renews the selected groups by re-applying the expiration policy of the group, starting from today. | +| ![attesticon](/img/product_docs/groupid/groupid/portal/attesticon.webp) | Verify and validate a group's attributes and membership; then renew the group by re-applying its expiration policy, starting from today. | +| ![delete](/img/product_docs/groupid/groupid/portal/delete.webp) | Deletes the selected users and contacts. For groups, it physically deletes expired and logically deleted groups. Physically deleted groups are not available in the portal anymore. It does not delete groups with a valid expiry policy. 
| +| ![save](/img/product_docs/groupid/groupid/portal/save.webp) | Saves your changes. | +| ![import](/img/product_docs/threatprevention/threatprevention/admin/tools/import.webp) | Add members or additional owners to a group using an external file. | +| ![export](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) | Export members or additional owners of a group to an external file. | +| ![movegroup](/img/product_docs/groupid/groupid/portal/movegroup.webp) | Move groups from one container to another. | +| ![setowner](/img/product_docs/groupid/groupid/portal/setowner.webp) | Set owner for a group. | +| ![securitytype](/img/product_docs/groupid/groupid/portal/securitytype.webp) | Set security type of a group. | +| ![expiration](/img/product_docs/groupid/groupid/portal/expiration.webp) | Set the expiration policy of a group. | +| ![resetpassword](/img/product_docs/groupid/groupid/portal/resetpassword.webp) | Reset password for a user. | +| ![heirarchy](/img/product_docs/groupid/groupid/portal/heirarchy.webp) | View the organizational hierarchy chart of a user. | +| ![validate](/img/product_docs/groupid/groupid/portal/validate.webp) | Verify and update your profile information. | +| ![subscribe](/img/product_docs/groupid/groupid/portal/subscribe.webp) | Subscribe to the Teams channel. Only non MFA Microsoft Entra ID users can subscribe to the Teams channel. | +| ![unsubscribe](/img/product_docs/groupid/groupid/portal/unsubscribe.webp) | Unsubscribe from the Team channel. | diff --git a/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md b/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md index 095179a7d5..b1073a5f82 100644 --- a/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md +++ b/docs/groupid/11.1/groupid/portal/user/authentication/secondfactorauthentication.md 
@@ -9,11 +9,11 @@ an identity store, role members must authenticate themselves using an authentica Second factor authentication works as follows: - An unenrolled user must enroll his or her identity store account in Directory Manager. See the - [Enroll your Identity Store Account](../../../admincenter/enroll.md) topic. Enrollment is a + [Enroll your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic. Enrollment is a one-time process. - An enrolled user has to authenticate on the Directory Manager portal using the authentication type he or she used to enroll his or her identity store account with. See the - [Authenticate your Identity Store Account](../../../admincenter/authenticate.md) topic. + [Authenticate your Identity Store Account](/docs/groupid/11.1/groupid/admincenter/authenticate.md) topic. Authentication is required every time the user logs into the portal. diff --git a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/contact/contact.md b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/contact/contact.md index 60d346c8f1..141cf0843f 100644 --- a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/contact/contact.md +++ b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/contact/contact.md @@ -35,4 +35,4 @@ Step 5 – On the Summary page, review the settings and then click Finish to com NOTE: If the Directory Manager administrator has specified the contact creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/mailbox.md b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/mailbox.md index 4af17c4658..dbb80182d8 100644 
--- a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/mailbox.md +++ b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/mailbox.md @@ -15,17 +15,17 @@ select **Mailbox**. The Create Mailbox wizard opens to the Account page. -Step 2 – On the [Account page](../account.md), specify basic account info, such as the object's +Step 2 – On the [Account page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/account.md), specify basic account info, such as the object's first name, last name, login ID and the UPN suffix. -Step 3 – On the [Password page](../password.md), provide a password for the mailbox account and set +Step 3 – On the [Password page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/password.md), provide a password for the mailbox account and set other password-specific options. -Step 4 – On the [Exchange page](exchange.md), set the alias and Office 365 subscriptions. +Step 4 – On the [Exchange page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/exchange.md), set the alias and Office 365 subscriptions. -Step 5 – On the [Summary Page](../summary.md), review the settings and then click **Finish** to +Step 5 – On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click **Finish** to complete the wizard. NOTE: If the Directory Manager administrator has specified the mailbox creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/overview.md b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/overview.md index 253e61fad5..5cf73b3d19 100644 
--- a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/overview.md @@ -2,6 +2,6 @@ In an Active Directory identity stores, you can create the following types of users: -- User – See the [Create an AD User](user.md) topic for additional information. -- Mailbox – See the [Create an AD Mailbox](mailbox/mailbox.md) topic for additional information. -- Contact – See the [Create an AD Contact](contact/contact.md) topic for additional information. +- User – See the [Create an AD User](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/user.md) topic for additional information. +- Mailbox – See the [Create an AD Mailbox](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/mailbox/mailbox.md) topic for additional information. +- Contact – See the [Create an AD Contact](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/contact/contact.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/user.md b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/user.md index 69d415028e..52cf1749a7 100644 --- a/docs/groupid/11.1/groupid/portal/user/create/activedirectory/user.md +++ b/docs/groupid/11.1/groupid/portal/user/create/activedirectory/user.md 
@@ -15,20 +15,20 @@ select **User**. The Create User wizard opens to the Account page. -Step 2 – On the [Account page](account.md), specify basic account info, such as the user's first +Step 2 – On the [Account page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/account.md), specify basic account info, such as the user's first name, last name, login ID and the UPN suffix. -Step 3 – On the [Password page](password.md), provide a password for the user account and set other +Step 3 – On the [Password page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/password.md), provide a password for the user account and set other password-specific options. -Step 4 – Use the [Exchange page](messaging.md), to create the user as mail-enabled. +Step 4 – Use the [Exchange page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/messaging.md), to create the user as mail-enabled. -Step 5 – On the [Summary Page](summary.md), review the settings and then click Finish to complete +Step 5 – On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. NOTE: If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. ## Create a non mail-enabled user in Active Directory 
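Review bot: In Steps 2 to 5 and the Requests link of this `activedirectory/user.md` hunk, every new target hard-codes the version segment (`/docs/groupid/11.1/groupid/...`), whereas the relative links being removed (`account.md`, `../../../request/overview.md`) resolved inside whichever version tree the file lived in. If this directory is later copied to a new version folder, these links will still resolve, so nothing will flag that they point back at the 11.1 pages. Consider keeping same-version links relative, or add a link check that reports a page under one version folder linking into another. Separately, Step 4 still reads "Use the [Exchange page](...), to create"; the comma after the link can be dropped while the line is being touched.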
@@ -37,20 +37,20 @@ select **User**. The Create User wizard opens to the Account page. -Step 2 – On the [Account page](account.md), specify basic account info, such as the user's first +Step 2 – On the [Account page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/account.md), specify basic account info, such as the user's first name, last name, login ID and the UPN suffix. -Step 3 – On the [Password page](password.md), provide a password for the user account and set other +Step 3 – On the [Password page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/password.md), provide a password for the user account and set other password-specific options. -Step 4 – On the [Exchange page](messaging.md), clear the **Mail-Enabled** check box to create the +Step 4 – On the [Exchange page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/messaging.md), clear the **Mail-Enabled** check box to create the user as non mail-enabled. This disables the remaining fields on the page. A non mail-enabled user does not have an email address. -Step 5 – On the [Summary Page](summary.md), review the settings and then click Finish to complete +Step 5 – On the [Summary Page](/docs/groupid/11.1/groupid/portal/user/create/activedirectory/summary.md), review the settings and then click Finish to complete the wizard. NOTE: If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/create/azure/mailbox/mailbox.md b/docs/groupid/11.1/groupid/portal/user/create/azure/mailbox/mailbox.md index 23f93981e7..37006802d0 100644 --- a/docs/groupid/11.1/groupid/portal/user/create/azure/mailbox/mailbox.md 
+++ b/docs/groupid/11.1/groupid/portal/user/create/azure/mailbox/mailbox.md @@ -28,4 +28,4 @@ Step 5 – On the Summary page, review the settings and then click **Finish** to NOTE: If the Directory Manager administrator has specified the mailbox creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/create/azure/overview.md b/docs/groupid/11.1/groupid/portal/user/create/azure/overview.md index 45937a6be1..583b951a57 100644 --- a/docs/groupid/11.1/groupid/portal/user/create/azure/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/create/azure/overview.md @@ -2,7 +2,7 @@ In a Microsoft Entra ID identity stores, you can create the following types of users: -- User – See the [Create a Microsoft Entra ID User](user.md) topic for additional information on how +- User – See the [Create a Microsoft Entra ID User](/docs/groupid/11.1/groupid/portal/user/create/azure/user.md) topic for additional information on how to create a user in an Microsoft Entra ID identity store. -- Mailbox – See the [Create a Microsoft Entra ID Mailbox](mailbox/mailbox.md) topic for additional +- Mailbox – See the [Create a Microsoft Entra ID Mailbox](/docs/groupid/11.1/groupid/portal/user/create/azure/mailbox/mailbox.md) topic for additional information on how to create a mailbox in an Microsoft Entra ID identity store. diff --git a/docs/groupid/11.1/groupid/portal/user/create/azure/user.md b/docs/groupid/11.1/groupid/portal/user/create/azure/user.md index 0961e1ce97..7e73be1db9 100644 --- a/docs/groupid/11.1/groupid/portal/user/create/azure/user.md +++ b/docs/groupid/11.1/groupid/portal/user/create/azure/user.md 
@@ -16,17 +16,17 @@ select **User**. The Create User wizard opens to the Account page. Step 2 – On the Account page, specify basic account info, such as the user's first name, last name, -login ID and the UPN suffix. See the [Account page ](account.md)topic for additional information. +login ID and the UPN suffix. See the [Account page ](/docs/groupid/11.1/groupid/portal/user/create/azure/account.md)topic for additional information. Step 3 – On the Password page, provide a password for the user account and set other -password-specific options. See the [Password page ](password.md)topic for additional information. +password-specific options. See the [Password page ](/docs/groupid/11.1/groupid/portal/user/create/azure/password.md)topic for additional information. Step 4 – Use the Directory Roles page to assign a role and role privileges to the user on the -Microsoft Entra Admin Center portal. See the [Directory Roles page](directoryrole.md) for additional +Microsoft Entra Admin Center portal. See the [Directory Roles page](/docs/groupid/11.1/groupid/portal/user/create/azure/directoryrole.md) for additional information. Step 5 – On the Summary page, review the settings and then click **Finish** to complete the wizard. NOTE: If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the -[Requests](../../../request/overview.md) topic for additional information. +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/disableduser.md b/docs/groupid/11.1/groupid/portal/user/disableduser.md index 17ae43cbc8..fb7077c32c 100644 --- a/docs/groupid/11.1/groupid/portal/user/disableduser.md +++ b/docs/groupid/11.1/groupid/portal/user/disableduser.md 
@@ -26,7 +26,7 @@ To view and modify the properties of a disabled or expired user, select it and c on the toolbar. Refer to the information for user properties to manage the properties of a disabled/expired user. -See the [User Properties](properties/overview.md) topic for additional information. +See the [User Properties](/docs/groupid/11.1/groupid/portal/user/properties/overview.md) topic for additional information. ## Reinstate a Disabled User diff --git a/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md b/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md index 74dbd15eba..7f5ae49f4f 100644 --- a/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md +++ b/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md @@ -63,7 +63,7 @@ The Microsoft Entra ID account that you want to link with must be logged into th portal in the same browser. Use the Sign in with a different account option in the Microsoft Entra ID portal for logging into multiple accounts. -![Entra ID Sign In with a different account option](../../../../../../static/img/product_docs/groupid/groupid/portal/user/linkntraidacc.webp) +![Entra ID Sign In with a different account option](/img/product_docs/groupid/groupid/portal/user/linkntraidacc.webp) Step 1 – In the Directory Manager portal, click **Users** in the left pane and select **Linked Account**. 
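Review bot: The image target in this `linkedaccounts.md` hunk ends in `linkntraidacc.webp`, which looks like a misspelling of "linkentraidacc" carried over unchanged from the old relative path. Since the path is being rewritten here, confirm the asset exists under `static/img/product_docs/groupid/groupid/portal/user/` with exactly that name, or rename the file and the reference together in this change.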
@@ -78,7 +78,7 @@ and click **Link Account**. Step 3 – On the Directory Manager Authenticate window, click the SAML button or image for the configured SAML provider in Directory Manager. The following window is displayed: -![Multiple Signed in users in Entra ID portal](../../../../../../static/img/product_docs/groupid/groupid/portal/user/entraidsigninusers.webp) +![Multiple Signed in users in Entra ID portal](/img/product_docs/groupid/groupid/portal/user/entraidsigninusers.webp) Step 4 – Select the account you want to link to. You will be redirected back to the Directory Manager portal’s My Linked Account page and a message **Account has been successfully linked** is diff --git a/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md b/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md index 6b64286554..96339b94b4 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md 
@@ -6,13 +6,13 @@ to sign into Directory Manager and any other application that uses your domain a To do this, provide the existing password and then a new password to replace it. The new password must conform to the password policy the administrator has defined for the identity store. Administrator can either enable -[Directory Manage Password Policy ](../../../admincenter/securityrole/policy/password.md) or Netwrix +[Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) or Netwrix Password Policy Enforcer policies for the identity store. NOTE: MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If they try to do so, the following message is displayed: -![Change Password error message for Entra ID user](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/changepasswordentraiduser.webp) +![Change Password error message for Entra ID user](/img/product_docs/groupid/groupid/portal/user/manage/changepasswordentraiduser.webp) If the user's account is a master account, password of its child accounts also cannot be changed in Directory Manager. diff --git a/docs/groupid/11.1/groupid/portal/user/manage/directreport.md b/docs/groupid/11.1/groupid/portal/user/manage/directreport.md index 4392356446..befb598881 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/directreport.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/directreport.md 
@@ -22,7 +22,7 @@ Reports** check box on the User Settings panel. report's vCard and prompts you to save it on your machine. You can then use it to add the direct report's email address to your email contact list. - Select a direct report and click **Add to Group** on the toolbar to the direct report to the - membership of a group. The [Find Dialog Box](../../search/find.md) is displayed, where you can + membership of a group. The [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) is displayed, where you can search and select the group(s) to add the direct report as a member. - Select a direct report and click **Send email** on the toolbar to send an email to the direct report. This launches the default Windows email application for sending an email to the direct @@ -41,4 +41,4 @@ to add or remove your direct reports. You can also transfer and terminate your direct reports while you validate your Profile. To view any changes made to your direct reports, see the -[My Direct Reports' History](../../history/mydirectreport.md) topic for additional information. +[My Direct Reports' History](/docs/groupid/11.1/groupid/portal/history/mydirectreport.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/portal/user/manage/installcp.md b/docs/groupid/11.1/groupid/portal/user/manage/installcp.md index ab2786578e..536ed24e39 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/installcp.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/installcp.md 
@@ -14,7 +14,7 @@ Browse to the folder where you have copied the package: 2. After the installation, it asks you to restart your machine. 3. After the restart, the Windows logon screen appears as follows: - ![Windows Logon screen](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/windows_screen.webp) + ![Windows Logon screen](/img/product_docs/groupid/groupid/portal/user/manage/windows_screen.webp) The **Forgot Password** and **Unlock Account** options are now available on the Windows logon screen. They route you to the URLs provided for these options in the _CPSettings.xml_ file. You 
@@ -71,21 +71,21 @@ Before Credential Provider’s installation via GPO, Orca software is to be inst 1. Browse to the folder where you have copied the Credential Provider package. 2. Go to the MST Guide folder and run the _Orca-x86_en-us.msi_ application. The Orca console opens: - ![Orca console](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/orca_console.webp) + ![Orca console](/img/product_docs/groupid/groupid/portal/user/manage/orca_console.webp) 3. In Orca, click **File** > **Open**. Browse to the Credential Provider folder and load the _NetwrixGroupIDCredentialprovider.msi_ in Orca. - ![Credential Provider in Orca](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/cp_loaded.webp) + ![Credential Provider in Orca](/img/product_docs/groupid/groupid/portal/user/manage/cp_loaded.webp) 4. From the menu, select **Transform** > **New Transform**: - ![New Transform option](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/new_transform.webp) + ![New Transform option](/img/product_docs/groupid/groupid/portal/user/manage/new_transform.webp) 5. Click **Property** in the left pane, list of the properties are displayed in the **Property** main window: - ![Property page](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/property.webp) + ![Property page](/img/product_docs/groupid/groupid/portal/user/manage/property.webp) 6. On your machine, create a new folder and copy the following files to it: 
@@ -95,11 +95,11 @@ Before Credential Provider’s installation via GPO, Orca software is to be inst 7. Share the folder with the Everyone group with Read permission. 8. Provide the path of this newly created folder in the **SOURCEPATH** box. - ![Property path](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/property_path.webp) + ![Property path](/img/product_docs/groupid/groupid/portal/user/manage/property_path.webp) 9. From the menu, select **Transform** > **Generate Transform**: - ![Generate Transform option](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/generate_transform.webp) + ![Generate Transform option](/img/product_docs/groupid/groupid/portal/user/manage/generate_transform.webp) 10. Type a filename for the generated .mst file and save it into the shared folder you just created. 11. Close **Orca**. @@ -111,7 +111,7 @@ Having Orca successfully installed, follow these steps to deploy Credential Prov 1. Launch **Group Policy Management** console by typing _gpmc.msc_ in the **Run** box and clicking **OK**. The Group Policy Management Editor opens. - ![Group Policy Management console](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/gp_policy.webp) + ![Group Policy Management console](/img/product_docs/groupid/groupid/portal/user/manage/gp_policy.webp) NOTE: Group Policy Management console is available if the Group Policy Management feature has been installed. 
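Review bot: Step 7 in the @@ -95,11 hunk of installcp.md still tells the reader to "Share the folder with the Everyone group with Read permission", and step 10 then saves the generated .mst into that same share. Because the package is assigned under Computer Configuration, read access for the target computer accounts (for example Domain Computers or Authenticated Users) should be enough, so the step could name a narrower group than Everyone. It should also state that write access to the share stays with administrators, since the .mst in it controls how the Credential Provider is installed on every machine in scope.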
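Review bot: Step 1 in the @@ -111,7 hunk names the same window two ways: the step launches the "Group Policy Management console" with gpmc.msc and the alt text on the rewritten gp_policy.webp line says "Group Policy Management console", but the sentence in between reads "The Group Policy Management Editor opens." The Editor is what step 3 uses after choosing Edit on a GPO, so the step 1 sentence should say the console opens; worth fixing while this block is being touched.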
@@ -119,18 +119,18 @@ Having Orca successfully installed, follow these steps to deploy Credential Prov 2. Right-click the domain or organizational unit for the computers that you want the Credential Provider installed on. Select **Create a GPO in this domain, and link it here...**: - ![CCreate a GPO in this domain and link it here option](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/new_gpo.webp) + ![CCreate a GPO in this domain and link it here option](/img/product_docs/groupid/groupid/portal/user/manage/new_gpo.webp) Or Right-click the Select **Default Domain Policy** and select **Edit**: - ![Edit Default Domain Policy option](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/edit_gpo.webp) + ![Edit Default Domain Policy option](/img/product_docs/groupid/groupid/portal/user/manage/edit_gpo.webp) 3. In the **Group Policy Management Editor**, click **Computer Configuration** > **Policies** > **Software Settings** > **Software installation** > **New** > **Package**. - ![New Package option](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/software_installation.webp) + ![New Package option](/img/product_docs/groupid/groupid/portal/user/manage/software_installation.webp) NOTE: This documentation describes steps for editing the default policy. 
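Review bot: The alt text on the added new_gpo.webp line still reads "CCreate a GPO in this domain and link it here option", so the typo is carried over into the rewritten line; change it to "Create a GPO in this domain and link it here option" since the line is being replaced anyway. The unchanged context directly below, "Right-click the Select **Default Domain Policy** and select **Edit**", has a stray "the Select" that could be cleaned up in the same pass.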
@@ -142,11 +142,11 @@ Having Orca successfully installed, follow these steps to deploy Credential Prov Select the _Netwrixgroupidcredentialprovider.msi_ and click **Ok**. - ![Deploy Software ](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/deploy_cp.webp) + ![Deploy Software ](/img/product_docs/groupid/groupid/portal/user/manage/deploy_cp.webp) 5. Select **Advanced** and click **Ok**. The following window opens: - ![Modifications tab](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/modification_tab.webp) + ![Modifications tab](/img/product_docs/groupid/groupid/portal/user/manage/modification_tab.webp) 6. Select the **Modifications** tab. Click **Add**. 7. Browse to the shared folder where you saved the generated .mst file. Select that file and click @@ -167,4 +167,4 @@ The Credential provider is deployed on your machine via the default domain polic The modified domain policy will be installed on the client machines, which are in the scope of the Group Policy Object, upon their next restart. The Windows logon screen appear as follows: -![Windows Logon screen](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/windows_screen.webp) +![Windows Logon screen](/img/product_docs/groupid/groupid/portal/user/manage/windows_screen.webp) diff --git a/docs/groupid/11.1/groupid/portal/user/manage/organizationalheirarchy.md b/docs/groupid/11.1/groupid/portal/user/manage/organizationalheirarchy.md index ac70f13518..2007c48db9 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/organizationalheirarchy.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/organizationalheirarchy.md 
@@ -11,7 +11,7 @@ user can view it for any user in the organization. ## View the direct reports of a user Step 1 – In the Directory Manager portal, go to **My Profile** or search for the user whose -organizational hierarchy you want to view on the [Directory Search](../../search/search.md) dialog +organizational hierarchy you want to view on the [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) dialog box. Step 2 – On the toolbar tab of the user profile's page, select **Organizational Hierarchy**. The @@ -20,7 +20,7 @@ the nth level. Step 3 – To view the chart for another user, click the ellipsis button next to **Select User**. -On the [Find Dialog Box](../../search/find.md), search and select the required user and click +On the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), search and select the required user and click **OK**. This displays the organizational hierarchy chart for the selected user. Step 4 – You can: diff --git a/docs/groupid/11.1/groupid/portal/user/manage/overview.md b/docs/groupid/11.1/groupid/portal/user/manage/overview.md index a29a8a127c..41a9fa3667 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/overview.md 
@@ -2,8 +2,8 @@ Using Directory Manager portal, you can perform the following actions: -- [Update your Direct Reports](directreport.md) -- [Validate your profile](validateprofile.md) -- [Reset your password](resetpassword.md) -- [ Change your password](changepassword.md) -- [Unlock your accounts](unlockaccount.md) +- [Update your Direct Reports](/docs/groupid/11.1/groupid/portal/user/manage/directreport.md) +- [Validate your profile](/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md) +- [Reset your password](/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md) +- [ Change your password](/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md) +- [Unlock your accounts](/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md) diff --git a/docs/groupid/11.1/groupid/portal/user/manage/passwordmanagement.md b/docs/groupid/11.1/groupid/portal/user/manage/passwordmanagement.md index 4e8e92afe9..757b36231b 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/passwordmanagement.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/passwordmanagement.md @@ -6,7 +6,7 @@ reset their password at an exorbitant cost or have a self-service tool. Director both these functions. Using it: - Helpdesk – Can reset passwords and unlock accounts for users after authentication. See the - [Reset Passwords](../../../admincenter/helpdesk/operation/resetpassword.md) topic for detailed + [Reset Passwords](/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md) topic for detailed information. - Users – Can reset their own passwords and their own accounts after passing multifactor authentication. They can perform these password related functions through various mediums, such 
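Review bot: The rewritten Helpdesk link in the @@ -6,7 hunk of passwordmanagement.md now hard-codes the product version in its target, "/docs/groupid/11.1/groupid/admincenter/helpdesk/operation/resetpassword.md", where the old "../../../admincenter/..." form was independent of the version folder. If the 11.1 tree is later copied to start the next version's docs, links of this form will keep resolving to the 11.1 pages and will not show up as broken, so confirm that the versioning workflow rewrites them or add a link check that flags targets outside the current version folder. The added line is also well past the wrap width the neighbouring lines keep and could be rewrapped.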
@@ -15,21 +15,21 @@ both these functions. Using it: - Directory Manager portal – Using it, they can: - reset their forgotten passwords. See the - [Reset Passwords](../authentication/passwordreset.md) topic for further information on how + [Reset Passwords](/docs/groupid/11.1/groupid/portal/user/authentication/passwordreset.md) topic for further information on how to reset forgotten passwords. - - change their account passwords. See the [ Change your password](changepassword.md) topic + - change their account passwords. See the [ Change your password](/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md) topic for further information on how to change their account passwords. - reset their own password or password of any other user. See the - [Reset your password](resetpassword.md) topic for additional information. - - unlock their identity store account. See the [Unlock your accounts](unlockaccount.md) + [Reset your password](/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md) topic for additional information. + - unlock their identity store account. See the [Unlock your accounts](/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md) topic for detailed information on how to unlock their identity store accounts. - Client Software and Web Access The client software to install on user workstations is called - [ Credential Provider](credentialprovider.md) and available for distribution using various + [ Credential Provider](/docs/groupid/11.1/groupid/portal/user/manage/credentialprovider.md) and available for distribution using various IT enabled distribution methods such as group policy and Microsoft System Center - Configuration Manager (SCCM). See the [Install Credential Provider](installcp.md) topic for + Configuration Manager (SCCM). See the [Install Credential Provider](/docs/groupid/11.1/groupid/portal/user/manage/installcp.md) topic for additional information. 
The distributed client enables the **Forgot Password?** and **Unlock Account** links on the diff --git a/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md b/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md index aeb23b3661..ce0d609a54 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/resetpassword.md @@ -4,13 +4,13 @@ Directory Manager portal enables you to reset password for user accounts. You ca identity store password, and even the account passwords of other users in the connected identity store, provided you have the rights. The new password must conform to the password policy the administrator has defined for the identity store. Administrator can either enable -[Directory Manage Password Policy ](../../../admincenter/securityrole/policy/password.md) or Netwrix +[Directory Manage Password Policy ](/docs/groupid/11.1/groupid/admincenter/securityrole/policy/password.md) or Netwrix Password Policy Enforcer policies for the identity store. Follow the steps to reset password. Step 1 – On the My Dashboard page of Directory Manager portal, search for the user whose password -you need to reset. See the [Directory Search](../../search/search.md) topic for additional +you need to reset. See the [Directory Search](/docs/groupid/11.1/groupid/portal/search/search.md) topic for additional information. Step 2 – Select the account from the list whose password you want to reset. diff --git a/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md b/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md index bf4c4d78da..ce66ec31cb 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md 
@@ -26,7 +26,7 @@ your identity store accounts or reset your passwords. While logging on Directory Manager, you provide wrong password on the Directory Manager Authenticate window for the specified number of times, the following message appears: -![GroupID Authenticate](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/locked.webp) +![GroupID Authenticate](/img/product_docs/groupid/groupid/portal/user/manage/locked.webp) Now you cannot login to portal unless you unlock your identity store account. Follow the instructions given below to unlock your account: @@ -189,7 +189,7 @@ Step 7 – You can now log in to portal with your account and perform the requir While authenticating on the portal, if enrolled or unenrolled users provide a wrong answer for the specified number of times, their account gets locked and the following message is displayed: -![accountlockout](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/accountlockout.webp) +![accountlockout](/img/product_docs/groupid/groupid/portal/user/manage/accountlockout.webp) This type of account unlock can be resolved in one of the following two ways: diff --git a/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md b/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md index 8d5275d278..5ad0f7a6be 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md 
@@ -24,7 +24,7 @@ an extension period. If they do not validate their profile information within th either, Directory Manager expires them again and their managers are informed by email. To reactivate these accounts, users’ managers must send a request to the administrator or Helpdesk. The administrator or Helpdesk user can extend the profile validation period on the -[Disabled Users](../disableduser.md) page of the portal. +[Disabled Users](/docs/groupid/11.1/groupid/portal/user/disableduser.md) page of the portal. NOTE: For notifications to be sent, an SMTP server must be configured for the identity store. @@ -51,7 +51,7 @@ a scheduled job that runs on a set frequency and does the following: If profile validation applies to you, then you will see the following message displayed on the **My Account** panel: -![validateprofile](../../../../../../../static/img/product_docs/groupid/groupid/portal/user/manage/validateprofile.webp) +![validateprofile](/img/product_docs/groupid/groupid/portal/user/manage/validateprofile.webp) The message displays the number of days left to validate your profile. @@ -81,7 +81,7 @@ window. The **Manager** field displays the name of your primary manager (if you have one); else it is blank. To add or change your primary manager, click the ellipsis button next to the field. This launches -the [Find Dialog Box](../../search/find.md), where you can search and select your primary manager. +the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select your primary manager. When you change your primary manager (Manager A), then Manager A is notified by email to accept or reject the request. If Manager A accepts, your manager is changed. If Manager A rejects the request, 
@@ -89,7 +89,7 @@ you remain with Manager A and a notification is sent to you and Manager A. NOTE: This is the default flow of the ‘Workflow to Change Manager’ workflow. If the administrator disables the workflow or changes the approver, the flow changes accordingly. See -[Requests](../../request/overview.md). +[Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Transfer your direct report @@ -100,7 +100,7 @@ back to the old manager, i.e., you. NOTE: This is the default flow of the ‘Workflow to Transfer a User’ workflow, with the direct report set as the workflow approver. If the administrator disables the workflow or changes the approver, -the flow changes accordingly. See [Requests](../../request/overview.md). +the flow changes accordingly. See [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md). ## Terminate your direct report diff --git a/docs/groupid/11.1/groupid/portal/user/manage/viewprofile.md b/docs/groupid/11.1/groupid/portal/user/manage/viewprofile.md index f08c714814..b29427867c 100644 --- a/docs/groupid/11.1/groupid/portal/user/manage/viewprofile.md +++ b/docs/groupid/11.1/groupid/portal/user/manage/viewprofile.md @@ -4,7 +4,7 @@ To view and update your profile information in the directory, click your profile right corner and select **See full profile**. The profile page has the same tabs as the user properties page. Refer to the information for -[User Properties](../properties/overview.md) to manage your profile. +[User Properties](/docs/groupid/11.1/groupid/portal/user/properties/overview.md) to manage your profile. ## User profile validation diff --git a/docs/groupid/11.1/groupid/portal/user/overview.md b/docs/groupid/11.1/groupid/portal/user/overview.md index 92de8cb4ab..e95d8be77a 100644 --- a/docs/groupid/11.1/groupid/portal/user/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/overview.md 
@@ -3,22 +3,22 @@ With Directory Manager, you can: - Automate user provisioning and deprovisioning in bulk. See the - [Synchronize](../synchronize/overview.md) section. + [Synchronize](/docs/groupid/11.1/groupid/portal/synchronize/overview.md) section. - Establish ownership by defining a clear managerial hierarchy with dotted line management. See the [Dotted line management](properties/activedirectory/organization.md#dotted-line-management) - section of the [Object properties - Organization tab](properties/activedirectory/organization.md) + section of the [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) topic. - Delegate user management to end users by enabling them to: - Create and manage users, contacts, and mailboxes in the directory. See the - [ Create User Objects](create/overview.md) topic. - - Manage their direct reports. See the [Update your Direct Reports](manage/directreport.md) + [ Create User Objects](/docs/groupid/11.1/groupid/portal/user/create/overview.md) topic. + - Manage their direct reports. See the [Update your Direct Reports](/docs/groupid/11.1/groupid/portal/user/manage/directreport.md) topic. - Update their profiles in the directory. See the - [Validate your profile](manage/validateprofile.md) topic. + [Validate your profile](/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md) topic. - Link identical users in different directory services, such as Active Directory and Microsoft Entra - ID. See the [Linked Accounts](linkedaccounts.md) topic. + ID. See the [Linked Accounts](/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md) topic. The table below displays the major functions that users can perform in Directory Manager portal. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md index 6b4864a629..5621282137 100644 
--- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md @@ -40,7 +40,7 @@ Recipient An email address or mailbox object that should receive the emails sent to the particular mailbox. Enter a search string to locate the object to add as a recipient, or click the ellipsis button to -use the [Find Dialog Box](../../../search/find.md) for performing a search. +use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. Deliver messages to both forwarding address and mailbox diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md index 40b24a0f84..4f882954c5 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md @@ -12,7 +12,7 @@ Add Click it to add the contact to the memberships of one or more groups. Enter a search string to locate the required group, or click **Advance** to use the -[Find Dialog Box](../../../../search/find.md) for performing a search. +[Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. Remove diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/overview.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/overview.md index a3b0c6c81a..badbdacd32 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/overview.md 
@@ -7,11 +7,11 @@ You can view and manipulate the properties of contacts in Active Directory. Following is the list of all the properties that Contacts have in Active Directory based identity store. -- [Object properties - General tab](../general.md) -- [Object properties - Organization tab](../organization.md) -- [Contact properties - Member Of tab](memberof.md) -- [Object properties - Phone / Notes tab](../phonenote.md) -- [Object properties - Attributes tab](../../../../group/properties/attributes.md) -- [Object properties - Email tab](../email.md) -- [Contact properties - Advanced tab](advanced.md) -- [Object properties - History tab](../../../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [Contact properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Contact properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/advanced.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md index 82af06a1f4..ac64d5d896 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md 
+++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md @@ -40,4 +40,4 @@ section, such as navigate file servers and SharePoint sites, grant permissions t resources, revoke permissions, and more. Entitlement-related permissions for a security role in an identity store are discussed in the -[Entitlement](../../../../admincenter/securityrole/permissions.md#entitlement) section. +[Entitlement](/docs/groupid/11.1/groupid/admincenter/securityrole/permissions.md#entitlement) section. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md index b5b15da6fe..f95f48f481 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md @@ -74,7 +74,7 @@ The name of the Exchange assistant for the mailbox/contact. Any email sent to th also forwarded to this assistant. Enter a search string to locate the object to add as an Exchange assistant, or click **Browse** to -use the [Find Dialog Box](../../../search/find.md) for performing a search. +use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. This field is not available for a user. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md index 23027edad2..6181a92247 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md 
@@ -24,7 +24,7 @@ Recipient Specify an alternate recipient to receive the emails sent to this user. -Click the ellipsis button to launch the [Find Dialog Box](../../../../search/find.md), where you can +Click the ellipsis button to launch the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select the required recipient. To remove the alternate recipient, click the **Remove** button. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/overview.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/overview.md index 80dc8bc477..2ffa89b81f 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/overview.md 
@@ -7,15 +7,15 @@ You can view and manipulate the properties of mailboxes in Active Directory. Following is the list of all the properties that Users and Mailbox Users have in Active Directory based identity store. -- [Object properties - General tab](../general.md) -- [Object properties - Organization tab](../organization.md) -- [User properties - Member Of tab](../memberof.md) -- [Object properties - Phone / Notes tab](../phonenote.md) -- [Object properties - Attributes tab](../../../../group/properties/attributes.md) -- [Object properties - Email tab](../email.md) -- [Mailbox properties - Limits tab](limits.md) -- [Mailbox properties - Advanced tab](advanced.md) -- [User properties - Account tab](../account.md) -- [Mailbox properties - Auto Reply tab](autoreply.md) -- [Object Properties - Entitlements tab](../entitlement.md) -- [Object properties - History tab](../../../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Mailbox properties - Limits tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/limits.md) +- [Mailbox properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md) +- [User properties - Account tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/account.md) +- [Mailbox properties - 
Auto Reply tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/autoreply.md) +- [Object Properties - Entitlements tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md index 92b68c85b6..2a53d48d14 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md 
@@ -8,7 +8,7 @@ The tab displays a list of all groups this user is a member of. | Column Name | Description | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Display Name | Displays the names of the groups this user is a member of. | -| Membership | Indicates whether the user is a temporary or permanent member of the group. - Perpetual – To make the object a permanent member of the group. - Temporary Member – To make the object a temporary member of the group for the period you specify in the Beginning and Ending boxes. At the end of the period, the object is removed from the group membership. - Addition Pending – Indicates that the object will be a temporary member of the group for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Addition Pending’. On the beginning date, the membership type changes to ‘Temporary Member’. Example. You add Smith as a temporary member to Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Addition Pending’ as its membership type from May 15 to 19. However, Smith would not be added to group membership in the provider. 
On May 20, Smith will become a temporary member of Group A and its membership type will change to ‘Temporary Member’ from May 20 to 30. Smith will also be added to group membership in the provider. After May 30, Smith will be removed from Group A as a member in Directory Manager and in the provider. - Removal Pending - Indicates that the object will be temporarily removed from group membership for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Removal Pending’. On the beginning date, the membership type will change to ‘Temporary Removed’. Example. You remove Smith from Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Removal Pending’ as membership type from May 15 to 19. On May 20, Smith’s membership type in Directory Manager will change to ‘Temporary Removed’; lasting till May 30. However, Smith will be removed from Group A’s membership in the provider. After May 30, Smith will be added back to Group A as a permanent member in Directory Manager and in the provider. - Temporary Removed – Indicates that the object is temporarily removed from group membership for the period specified in the Beginning and Ending boxes. At the end of the period, the object is added back to the group membership as a permanent member. When the user is a perpetual member, the **Membership** column is blank. You cannot change the membership type of the user for any group on the **Member Of** tab. Rather, go to the properties of the specific group and change the user's membership type on the [Group properties - Members tab](../../../group/properties/members.md). | +| Membership | Indicates whether the user is a temporary or permanent member of the group. - Perpetual – To make the object a permanent member of the group. 
- Temporary Member – To make the object a temporary member of the group for the period you specify in the Beginning and Ending boxes. At the end of the period, the object is removed from the group membership. - Addition Pending – Indicates that the object will be a temporary member of the group for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Addition Pending’. On the beginning date, the membership type changes to ‘Temporary Member’. Example. You add Smith as a temporary member to Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Addition Pending’ as its membership type from May 15 to 19. However, Smith would not be added to group membership in the provider. On May 20, Smith will become a temporary member of Group A and its membership type will change to ‘Temporary Member’ from May 20 to 30. Smith will also be added to group membership in the provider. After May 30, Smith will be removed from Group A as a member in Directory Manager and in the provider. - Removal Pending - Indicates that the object will be temporarily removed from group membership for a period in the future. Use the Beginning and Ending boxes to set a period. Before the beginning date, the object’s membership type is displayed as ‘Removal Pending’. On the beginning date, the membership type will change to ‘Temporary Removed’. Example. You remove Smith from Group A on May 15 for future dates, May 20-30. Smith will be displayed in Group A’s membership with ‘Removal Pending’ as membership type from May 15 to 19. On May 20, Smith’s membership type in Directory Manager will change to ‘Temporary Removed’; lasting till May 30. However, Smith will be removed from Group A’s membership in the provider. After May 30, Smith will be added back to Group A as a permanent member in Directory Manager and in the provider. 
- Temporary Removed – Indicates that the object is temporarily removed from group membership for the period specified in the Beginning and Ending boxes. At the end of the period, the object is added back to the group membership as a permanent member. When the user is a perpetual member, the **Membership** column is blank. You cannot change the membership type of the user for any group on the **Member Of** tab. Rather, go to the properties of the specific group and change the user's membership type on the [Group properties - Members tab](/docs/groupid/11.1/groupid/portal/group/properties/members.md). | | Beginning | Displays the beginning date of the temporary addition or removal. | | Ending | Displays the ending date of the temporary addition or removal. | @@ -21,7 +21,7 @@ Add Click it to add the user to the memberships of one or more groups. Enter a search string to locate the required group, or click **Advance** to use the -[Find Dialog Box](../../../search/find.md) for performing a search. +[Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. The selected group(s) get listed in the Member Of grid. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md index 39acb52741..fefd6a5b48 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md @@ -12,7 +12,7 @@ transfer or terminate a direct report. NOTE: A user can also manage his/her direct reports and change his/her primary manager while validating his/her profile in the portal. See the -[Validate your profile](../../manage/validateprofile.md) topic. +[Validate your profile](/docs/groupid/11.1/groupid/portal/user/manage/validateprofile.md) topic. ## Dotted line management 
@@ -26,14 +26,14 @@ changed. If the primary manager rejects the request, the user remains with the m NOTE: This is the default flow for the ‘Workflow to Change Manager’ workflow, with the primary manager set as the approver. If the administrator disables the workflow or changes the workflow -approver, the flow changes accordingly. See the [Requests](../../../request/overview.md) topic. +approver, the flow changes accordingly. See the [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic. Manager Displays the contact/user's primary manager, if specified. The user/contact can change his or her primary manager. -Click the ellipsis button to launch the [Find Dialog Box](../../../search/find.md), where you can +Click the ellipsis button to launch the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md), where you can search and select a user to set as the manager. Reports @@ -42,7 +42,7 @@ Displays a list of objects that report directly to this user or contact. These m groups and contacts. - To add a direct report, click **Add**. Enter a search string to locate the object to add as a - direct report, or click **Advance** to use the [Find Dialog Box](../../../search/find.md) for + direct report, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. - To transfer a direct report, select it and click **Transfer**. @@ -53,7 +53,7 @@ groups and contacts. NOTE: This is the default flow for the ‘Workflow to Transfer a User’ workflow, with the direct report set as the approver. If the administrator disables the workflow or changes the approver, - the flow changes accordingly. See the [Requests](../../../request/overview.md) topic. + the flow changes accordingly. See the [Requests](/docs/groupid/11.1/groupid/portal/request/overview.md) topic. - To terminate a direct report, select it and click **Terminate**. 
@@ -65,7 +65,7 @@ groups and contacts. Additional Manager To add a manager, click **Add**. Enter a search string to locate the object to add as an additional -manager, or click **Advance** to use the [Find Dialog Box](../../../search/find.md) for performing a +manager, or click **Advance** to use the [Find Dialog Box](/docs/groupid/11.1/groupid/portal/search/find.md) for performing a search. To remove an additional manager, select it and click **Remove**. diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/overview.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/overview.md index 8f696ed55d..350293b967 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/overview.md 
@@ -8,30 +8,30 @@ Active Directory, depending on the permissions the GroupID administrator has gra Following is the list of all the properties that Users and Mailbox Users have in Active Directory based identity store. -- [Object properties - General tab](general.md) -- [Object properties - Organization tab](organization.md) -- [User properties - Member Of tab](memberof.md) -- [Object properties - Phone / Notes tab](phonenote.md) -- [Object properties - Attributes tab](../../../group/properties/attributes.md) -- [Object properties - Email tab](email.md) -- [Mailbox properties - Limits tab](mailbox/limits.md) (for mailbox only) -- [Mailbox properties - Advanced tab](mailbox/advanced.md) (for mailbox only) -- [Object properties - Advanced tab](advanced.md) -- [User properties - Account tab](account.md) -- [Mailbox properties - Auto Reply tab](mailbox/autoreply.md) (for mailbox only) -- [Object Properties - Entitlements tab](entitlement.md) -- [Object properties - History tab](../../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Mailbox properties - Limits tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/limits.md) (for mailbox only) +- [Mailbox properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md) (for 
mailbox only) +- [Object properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md) +- [User properties - Account tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/account.md) +- [Mailbox properties - Auto Reply tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/autoreply.md) (for mailbox only) +- [Object Properties - Entitlements tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) ## Contact properties Following is the list of all the properties that Contacts have in Active Directory based identity store. -- [Object properties - General tab](general.md) -- [Object properties - Organization tab](organization.md) -- [Contact properties - Member Of tab](contact/memberof.md) -- [Object properties - Phone / Notes tab](phonenote.md) -- [Object properties - Attributes tab](../../../group/properties/attributes.md) -- [Object properties - Email tab](email.md) -- [Contact properties - Advanced tab](contact/advanced.md) -- [Object properties - History tab](../../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [Contact properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Contact properties - Advanced 
tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/advanced.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) diff --git a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/useroverview.md b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/useroverview.md index c5dc4faeff..46fc61f598 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/useroverview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/useroverview.md 
@@ -7,13 +7,13 @@ You can view and manipulate the properties of users in Active Directory. Following is the list of all the properties that Users and Mailbox Users have in Active Directory based identity store. -- [Object properties - General tab](general.md) -- [Object properties - Organization tab](organization.md) -- [User properties - Member Of tab](memberof.md) -- [Object properties - Phone / Notes tab](phonenote.md) -- [Object properties - Attributes tab](../../../group/properties/attributes.md) -- [Object properties - Email tab](email.md) -- [Object properties - Advanced tab](advanced.md) -- [User properties - Account tab](account.md) -- [Object Properties - Entitlements tab](entitlement.md) -- [Object properties - History tab](../../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Object properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md) +- [User properties - Account tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/account.md) +- [Object Properties - Entitlements tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) 
diff --git a/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md b/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md index 608ede4ee7..7fb276ce82 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md @@ -1,7 +1,7 @@ # User properties - Job Info tab The Job Info tab is similar to the -[Object properties - Organization tab](../activedirectory/organization.md) in user properties, with +[Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) in user properties, with the addition of two fields: Title and Department. Title diff --git a/docs/groupid/11.1/groupid/portal/user/properties/azure/overview.md b/docs/groupid/11.1/groupid/portal/user/properties/azure/overview.md index 011a4a21af..23b4c213a5 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/azure/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/azure/overview.md 
@@ -8,10 +8,10 @@ Entra ID, depending on the permissions the Directory Manager administrator has g Following is the list of all the properties that Users and Mailbox Users have in an Microsoft Entra ID based identity store. -- [User properties - Identity tab](identity.md) -- [User properties - Directory Role tab](directoryrole.md) -- [User properties - Job Info tab](jobinfo.md) -- [User properties - Member Of tab](../activedirectory/memberof.md) -- [Object properties - Email tab](../activedirectory/email.md) (for mailbox only) -- [Mailbox properties - Auto Reply tab](../activedirectory/mailbox/autoreply.md) (for mailbox only) -- [Object properties - History tab](../../../group/properties/history.md) +- [User properties - Identity tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/identity.md) +- [User properties - Directory Role tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/directoryrole.md) +- [User properties - Job Info tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) (for mailbox only) +- [Mailbox properties - Auto Reply tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/autoreply.md) (for mailbox only) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) diff --git a/docs/groupid/11.1/groupid/portal/user/properties/overview.md b/docs/groupid/11.1/groupid/portal/user/properties/overview.md index eea066a802..e52ee16aa9 100644 --- a/docs/groupid/11.1/groupid/portal/user/properties/overview.md +++ b/docs/groupid/11.1/groupid/portal/user/properties/overview.md 
@@ -23,33 +23,33 @@ you. Following is the list of all the properties that Users and Mailbox Users have in Active Directory based identity store. -- [Object properties - General tab](activedirectory/general.md) -- [Object properties - Organization tab](activedirectory/organization.md) -- [User properties - Member Of tab](activedirectory/memberof.md) -- [Object properties - Phone / Notes tab](activedirectory/phonenote.md) -- [Object properties - Attributes tab](../../group/properties/attributes.md) -- [Object properties - Email tab](activedirectory/email.md) -- [Mailbox properties - Limits tab](activedirectory/mailbox/limits.md) (for mailbox only) -- [Mailbox properties - Advanced tab](activedirectory/mailbox/advanced.md) (for mailbox only) -- [Object properties - Advanced tab](activedirectory/advanced.md) -- [User properties - Account tab](activedirectory/account.md) -- [Mailbox properties - Auto Reply tab](activedirectory/mailbox/autoreply.md) (for mailbox only) -- [Object Properties - Entitlements tab](activedirectory/entitlement.md) -- [Object properties - History tab](../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Mailbox properties - Limits tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/limits.md) (for mailbox only) +- [Mailbox properties - Advanced 
tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/advanced.md) (for mailbox only) +- [Object properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/advanced.md) +- [User properties - Account tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/account.md) +- [Mailbox properties - Auto Reply tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/autoreply.md) (for mailbox only) +- [Object Properties - Entitlements tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/entitlement.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) ## User and Mailbox properties in Microsoft Entra ID Following is the list of all the properties that Users and Mailbox Users have in an Microsoft Entra ID based identity store. -- [User properties - Identity tab](azure/identity.md) -- [User properties - Directory Role tab](azure/directoryrole.md) -- [User properties - Job Info tab](azure/jobinfo.md) -- [User properties - Contact Info tab](azure/contactinfo.md) -- [User properties - Member Of tab](activedirectory/memberof.md) -- [Object properties - Email tab](activedirectory/email.md) (for mailbox only) -- [Mailbox properties - Auto Reply tab](activedirectory/mailbox/autoreply.md) (for mailbox only) -- [Object properties - History tab](../../group/properties/history.md) +- [User properties - Identity tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/identity.md) +- [User properties - Directory Role tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/directoryrole.md) +- [User properties - Job Info tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/jobinfo.md) +- [User properties - Contact Info tab](/docs/groupid/11.1/groupid/portal/user/properties/azure/contactinfo.md) +- [User properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/memberof.md) +- 
[Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) (for mailbox only) +- [Mailbox properties - Auto Reply tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/mailbox/autoreply.md) (for mailbox only) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) ## Contact properties @@ -58,11 +58,11 @@ store. NOTE: Contact object is not supported in Microsoft Entra ID. -- [Object properties - General tab](activedirectory/general.md) -- [Object properties - Organization tab](activedirectory/organization.md) -- [Contact properties - Member Of tab](activedirectory/contact/memberof.md) -- [Object properties - Phone / Notes tab](activedirectory/phonenote.md) -- [Object properties - Attributes tab](../../group/properties/attributes.md) -- [Object properties - Email tab](activedirectory/email.md) -- [Contact properties - Advanced tab](activedirectory/contact/advanced.md) -- [Object properties - History tab](../../group/properties/history.md) +- [Object properties - General tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/general.md) +- [Object properties - Organization tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/organization.md) +- [Contact properties - Member Of tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/memberof.md) +- [Object properties - Phone / Notes tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/phonenote.md) +- [Object properties - Attributes tab](/docs/groupid/11.1/groupid/portal/group/properties/attributes.md) +- [Object properties - Email tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/email.md) +- [Contact properties - Advanced tab](/docs/groupid/11.1/groupid/portal/user/properties/activedirectory/contact/advanced.md) +- [Object properties - History tab](/docs/groupid/11.1/groupid/portal/group/properties/history.md) 
diff --git a/docs/groupid/11.1/groupid/requirements/database.md b/docs/groupid/11.1/groupid/requirements/database.md index 060b4670a5..fc8486b089 100644 --- a/docs/groupid/11.1/groupid/requirements/database.md +++ b/docs/groupid/11.1/groupid/requirements/database.md @@ -19,10 +19,10 @@ case, you have to type the server name in the **SQL Server** box to select the r manually. To enable the SQL Server Browser service, see -[How to: Start and Stop the SQL Server Browser Service](). +[How to: Start and Stop the SQL Server Browser Service](http://technet.microsoft.com/en-us/library/ms189093(v=sql.105).aspx). NOTE: Directory Manager now uses .NetCore 8 and it requires a SQL certificate to access database using Windows Authentication. Therefore, if you want to access the Directory Manager database using Windows Authentication, then a SQL certificate must be added to the Trusted Root Certification Authorities certificate store on connecting clients or servers such as Directory Manager. See the -[SQL Certificate for Windows Authentication](sqlcertificate.md) topic for additional information. +[SQL Certificate for Windows Authentication](/docs/groupid/11.1/groupid/requirements/sqlcertificate.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/requirements/overview.md b/docs/groupid/11.1/groupid/requirements/overview.md index ad4699b65e..d0f75023ea 100644 --- a/docs/groupid/11.1/groupid/requirements/overview.md +++ b/docs/groupid/11.1/groupid/requirements/overview.md 
@@ -3,12 +3,12 @@ This page lists the hardware, operating system, MS Exchange, and database required to run Directory Manager 11.1. The prerequisites may vary depending on your environment. -- [Hardware Requirements](hardware.md) -- [Microsoft Windows Servers Requirements ](windowsserver.md) -- [Supported Microsoft Exchange Servers](exchangeservers.md) -- [Database Requirements](database.md) +- [Hardware Requirements](/docs/groupid/11.1/groupid/requirements/hardware.md) +- [Microsoft Windows Servers Requirements ](/docs/groupid/11.1/groupid/requirements/windowsserver.md) +- [Supported Microsoft Exchange Servers](/docs/groupid/11.1/groupid/requirements/exchangeservers.md) +- [Database Requirements](/docs/groupid/11.1/groupid/requirements/database.md) -Prior to installation, the [Preparation Tool](../install/installer/preparationtool.md) installs the +Prior to installation, the [Preparation Tool](/docs/groupid/11.1/groupid/install/installer/preparationtool.md) installs the required software and Windows features. See the -[What does the Preparation Tool Install](../install/installer/whatprepinstall.md) topic for the list +[What does the Preparation Tool Install](/docs/groupid/11.1/groupid/install/installer/whatprepinstall.md) topic for the list of components the tool installs. diff --git a/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md b/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md index 460ef55318..5230670780 100644 --- a/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md +++ b/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md 
@@ -73,20 +73,20 @@ In the **Active Directory Users and Computers** console: 2. In the left pane, right-click the domain name or organizational unit and select the **Properties** option. On the Properties window, select the **Security** tab. - ![security_tab](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/security_tab.webp) + ![security_tab](/img/product_docs/groupid/groupid/requirements/permissions/security_tab.webp) 3. Click the **Advanced** button; the **Advanced Security Settings** window is displayed. - ![advsecsettings](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/advsecsettings.webp) + ![advsecsettings](/img/product_docs/groupid/groupid/requirements/permissions/advsecsettings.webp) 4. Click the **Add** button. The **Permission Entry** window is displayed. - ![permissionentry](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/permissionentry.webp) + ![permissionentry](/img/product_docs/groupid/groupid/requirements/permissions/permissionentry.webp) 5. Click the **Select a principal** link next to **Principal**. The Select User, Computer, Service Account, or Group dialog box is displayed. - ![select_user](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/select_user.webp) + ![select_user](/img/product_docs/groupid/groupid/requirements/permissions/select_user.webp) Type the name of the service account in the **Enter the object name to select** box. Click **OK**. The **Permissions Entry** window is displayed with all fields enabled (see step 4). 
@@ -97,12 +97,12 @@ In the **Active Directory Users and Computers** console: 1. Scroll down the list of permissions in the **Permissions** box and select the check boxes for the options shown below: - ![permissions_list](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/permissions_list.webp) + ![permissions_list](/img/product_docs/groupid/groupid/requirements/permissions/permissions_list.webp) 2. Click **OK**. The granted permissions appear in the **Advanced Security Settings** window as shown below: - ![advsecsettingsgrantedpermissions](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsgrantedpermissions.webp) + ![advsecsettingsgrantedpermissions](/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsgrantedpermissions.webp) 8. Grant permissions to modify users, contacts, and groups. 
@@ -115,19 +115,19 @@ In the **Active Directory Users and Computers** console: 3. In the **Applies to** box, select the **Descendant Contact objects** option and select the **Full control** check box in the _Permissions_ area. It is as follows: - ![fullcontrolcontact](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/fullcontrolcontact.webp) + ![fullcontrolcontact](/img/product_docs/groupid/groupid/requirements/permissions/fullcontrolcontact.webp) 4. Click **OK**. The granted permissions appear in the **Advanced Security Settings** window as shown below: - ![advsecsettingsfullcontrolcontact](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsfullcontrolcontact.webp) + ![advsecsettingsfullcontrolcontact](/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsfullcontrolcontact.webp) 5. Repeat steps a – d for **Descendant Group objects** and **Descendant User objects** on the Permission Entry window. The service account now has permissions to modify users, contacts, and groups. These permissions appear in the **Advanced Security Settings** window. It is as shown below: - ![advsecsettingsreqpermissions](../../../../../../static/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsreqpermissions.webp) + ![advsecsettingsreqpermissions](/img/product_docs/groupid/groupid/requirements/permissions/advsecsettingsreqpermissions.webp) 9. Click **OK**. 
@@ -148,12 +148,12 @@ Add-RoleGroupMember "Recipient Management" -Member domain name\user ## SQL Server Account and Database Permissions -See the [Authentication Modes](../setupauthentication.md) topic for information about the roles and +See the [Authentication Modes](/docs/groupid/11.1/groupid/requirements/setupauthentication.md) topic for information about the roles and permissions the SQL server and database accounts must have for -[SQL Server Authentication](../setupauthentication.md#sql-server-authentication) mode and for -[Windows Authentication](../setupauthentication.md#windows-authentication) mode. +[SQL Server Authentication](/docs/groupid/11.1/groupid/requirements/setupauthentication.md#sql-server-authentication) mode and for +[Windows Authentication](/docs/groupid/11.1/groupid/requirements/setupauthentication.md#windows-authentication) mode. **See Also** -- [Create an Identity Store](../../admincenter/identitystore/create.md) -- [Manage an Identity Store](../../admincenter/identitystore/manage.md) +- [Create an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/create.md) +- [Manage an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md) diff --git a/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md b/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md index 6e3989ff40..994cf5baa6 100644 --- a/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md +++ b/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md @@ -53,4 +53,4 @@ NOTE: Restart the Directory Manager server if you apply any of the above. **See Also** -- [Manage an Identity Store](../../admincenter/identitystore/manage.md) +- [Manage an Identity Store](/docs/groupid/11.1/groupid/admincenter/identitystore/manage.md) 
diff --git a/docs/groupid/11.1/groupid/requirements/permissions/overview.md b/docs/groupid/11.1/groupid/requirements/permissions/overview.md index de5bd8f83d..d0a7765bac 100644 --- a/docs/groupid/11.1/groupid/requirements/permissions/overview.md +++ b/docs/groupid/11.1/groupid/requirements/permissions/overview.md @@ -5,5 +5,5 @@ elevated privileges. You can also use a Group Managed Service Account (gMSA) for See the following topics for details on these accounts: -- [Service Account for Active Directory and Exchange](adserviceaccount.md) -- [gMSA for Active Directory](gmsarequirements.md) +- [Service Account for Active Directory and Exchange](/docs/groupid/11.1/groupid/requirements/permissions/adserviceaccount.md) +- [gMSA for Active Directory](/docs/groupid/11.1/groupid/requirements/permissions/gmsarequirements.md) diff --git a/docs/groupid/11.1/groupid/requirements/sqlcertificate.md b/docs/groupid/11.1/groupid/requirements/sqlcertificate.md index 4a07ce9134..bdaa9f062b 100644 --- a/docs/groupid/11.1/groupid/requirements/sqlcertificate.md +++ b/docs/groupid/11.1/groupid/requirements/sqlcertificate.md @@ -22,12 +22,12 @@ left pane. Step 2 – Right-click **Protocols for ``**, and then select **Properties**. -![SQL Configuration Manager Properties dialog box](../../../../../static/img/product_docs/groupid/groupid/requirements/sqlconfigmgr.webp) +![SQL Configuration Manager Properties dialog box](/img/product_docs/groupid/groupid/requirements/sqlconfigmgr.webp) Step 3 – On the Certificate tab, select the **certificate** you created from theCertificate drop-down. -![SQL Configuration Manager Properties Flag tab](../../../../../static/img/product_docs/groupid/groupid/requirements/flagstab.webp) +![SQL Configuration Manager Properties Flag tab](/img/product_docs/groupid/groupid/requirements/flagstab.webp) Step 4 – On the Flags tab, check the **Force Encryption** option to **Yes**. 
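Review bot: In docs/groupid/11.1/groupid/requirements/sqlcertificate.md, the context around the two rewritten image links reads "Protocols for ``" in Step 2, so the instance-name placeholder has been lost, and Step 3 has "theCertificate drop-down" with a missing space. These steps configure the certificate and Force Encryption for SQL Server, so the target of Step 2 should be unambiguous: restore a visible placeholder for the instance name and fix the spacing while the file is being touched.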
diff --git a/docs/groupid/11.1/groupid/ssprportal/functions.md b/docs/groupid/11.1/groupid/ssprportal/functions.md index 2fd3631eee..62cfb82516 100644 --- a/docs/groupid/11.1/groupid/ssprportal/functions.md +++ b/docs/groupid/11.1/groupid/ssprportal/functions.md @@ -33,24 +33,24 @@ in. The Your Enrollments page opens, where you can enroll the identity store account you used to sign into the portal. Tabs on this page represent the different authentication types the administrator -has enabled for enrollment. See the [Enroll your identity store account](../admincenter/enroll.md) +has enabled for enrollment. See the [Enroll your identity store account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic for enrollment details, starting at step 3. ## Unlock your Account Click the **Unlock** tile to unlock your account. See the -[Unlock your accounts](../portal/user/manage/unlockaccount.md) topic for additional information. +[Unlock your accounts](/docs/groupid/11.1/groupid/portal/user/manage/unlockaccount.md) topic for additional information. ## Reset your Account Password Click the **Reset Password** tile to reset your identity store account password. See the -[Reset Passwords](../portal/user/authentication/passwordreset.md) topic for additional information. +[Reset Passwords](/docs/groupid/11.1/groupid/portal/user/authentication/passwordreset.md) topic for additional information. ## Change your Account Password You can change the password of any of your identity store accounts. Click the **Change Password** tile. Then sign into the portal, if not signed in. See -the[ Change your password](../portal/user/manage/changepassword.md) topic for additional +the[ Change your password](/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md) topic for additional information. ## Link your Identity Store Accounts 
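Review bot: In docs/groupid/11.1/groupid/ssprportal/functions.md, under "Change your Account Password", the added line still reads `the[ Change your password](` with no space before the link and a leading space inside the link text. The line is being rewritten anyway, so change it to `the [Change your password](`.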
@@ -63,4 +63,4 @@ Active Directory and another in Microsoft Entra ID. This has multiple benefits, - A user can then unlock or reset the password of any linked account through the master account. After signing into the portal, click the **Linked Accounts** tile. See the -[Linked Accounts](../portal/user/linkedaccounts.md) topic for additional information. +[Linked Accounts](/docs/groupid/11.1/groupid/portal/user/linkedaccounts.md) topic for additional information. diff --git a/docs/groupid/11.1/groupid/ssprportal/navigation.md b/docs/groupid/11.1/groupid/ssprportal/navigation.md index 2eb799935a..6ee2a9e42f 100644 --- a/docs/groupid/11.1/groupid/ssprportal/navigation.md +++ b/docs/groupid/11.1/groupid/ssprportal/navigation.md 
@@ -10,7 +10,7 @@ The top right corner of the application displays the following: | Icon | Description | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Help icon | Click it to launch the help pages for the SSPR portal. | -| Profile icon | Displays your profile picture with your name and the identity store the portal is connected to. Click it to launch a menu that displays the Directory Manager version and the security role assigned to you in Directory Manager. The menu also displays the following options: - My Applcations – Opens the GroupID Applications page, that displays the Directory Manager clients that you have access to. 
See the [Access your Applications](../admincenter/general/accessapplications.md) topic for additional information. - Enroll your account – The Your Enrollments page opens, where you can enroll the identity store account you used to sign into the portal. Tabs on this page represent the different authentication types the administrator has enabled for enrollment. See the [Enroll your identity store account](../admincenter/enroll.md) topic for enrollment details, starting at step 3. - Change password – Enables you to change your identity store account password. See the[ Change your password](../portal/user/manage/changepassword.md) topic for additional information. - Switch Account – Enables you to switch the account so as to access the portal with a different account. See the [Switch Accounts](../admincenter/general/switchaccount.md) topic for additional information. - Sign Out – Click it to sign out of the SSPR portal. | +| Profile icon | Displays your profile picture with your name and the identity store the portal is connected to. Click it to launch a menu that displays the Directory Manager version and the security role assigned to you in Directory Manager. The menu also displays the following options: - My Applcations – Opens the GroupID Applications page, that displays the Directory Manager clients that you have access to. See the [Access your Applications](/docs/groupid/11.1/groupid/admincenter/general/accessapplications.md) topic for additional information. - Enroll your account – The Your Enrollments page opens, where you can enroll the identity store account you used to sign into the portal. Tabs on this page represent the different authentication types the administrator has enabled for enrollment. See the [Enroll your identity store account](/docs/groupid/11.1/groupid/admincenter/enroll.md) topic for enrollment details, starting at step 3. - Change password – Enables you to change your identity store account password. 
See the[ Change your password](/docs/groupid/11.1/groupid/portal/user/manage/changepassword.md) topic for additional information. - Switch Account – Enables you to switch the account so as to access the portal with a different account. See the [Switch Accounts](/docs/groupid/11.1/groupid/admincenter/general/switchaccount.md) topic for additional information. - Sign Out – Click it to sign out of the SSPR portal. | ## Portal Functions @@ -20,5 +20,5 @@ The main portal page displays three tiles: - Change Password - Linked Accounts -See the [Manage your Identity Store Accounts](functions.md) topic for a discussion of these +See the [Manage your Identity Store Accounts](/docs/groupid/11.1/groupid/ssprportal/functions.md) topic for a discussion of these functions. diff --git a/docs/groupid/11.1/groupid/ssprportal/overview.md b/docs/groupid/11.1/groupid/ssprportal/overview.md index f1ea314fce..df38ebece4 100644 --- a/docs/groupid/11.1/groupid/ssprportal/overview.md +++ b/docs/groupid/11.1/groupid/ssprportal/overview.md @@ -13,8 +13,8 @@ Using the portal, users can: - Unlock their identity store (directory) accounts - Link their accounts in different identity stores -See the [Compatibility](../gettingstarted.md#compatibility) and -[Localization](../gettingstarted.md#localization) topics for information on the devices, browsers, +See the [Compatibility](/docs/groupid/11.1/groupid/gettingstarted.md#compatibility) and +[Localization](/docs/groupid/11.1/groupid/gettingstarted.md#localization) topics for information on the devices, browsers, and languages that Directory Manager supports. ## Launch the Portal 
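Review bot: In docs/groupid/11.1/groupid/ssprportal/navigation.md, the replacement "Profile icon" table row carries over the typo "My Applcations" and the `See the[ Change your password](` spacing error from the removed row. The row also packs five menu options into a single cell as inline " - " items, which makes a link-only change like this one hard to review; consider moving the options into a list below the table.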
@@ -31,10 +31,10 @@ You can either click a function and then sign in to perform that function or fir select a function. - Click a link to perform the specific function. Since you are not signed in, you will be redirected - to the GroupID Authenticate page. See the [Log in](../portal/login.md#log-in) topic for signing + to the GroupID Authenticate page. See the [Log in](/docs/groupid/11.1/groupid/portal/login.md#log-in) topic for signing into the portal. Then you can proceed to perform the specific function. See the - [Manage your Identity Store Accounts](functions.md) topic for a discussion of these functions. + [Manage your Identity Store Accounts](/docs/groupid/11.1/groupid/ssprportal/functions.md) topic for a discussion of these functions. - To sign in before accessing any function, click the Login link in the top right corner. You will - be redirected to the GroupID Authenticate page. See the [Log in](../portal/login.md#log-in) topic + be redirected to the GroupID Authenticate page. See the [Log in](/docs/groupid/11.1/groupid/portal/login.md#log-in) topic for signing into the portal. On signing in, the main portal page is displayed. See the - [Navigation](navigation.md) topic for additional information. + [Navigation](/docs/groupid/11.1/groupid/ssprportal/navigation.md) topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/index.md b/docs/identitymanager/6.1/identitymanager/index.md new file mode 100644 index 0000000000..383ef30cff --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/index.md 
@@ -0,0 +1,20 @@ +# A software solution to match your IGA needs + +To learn about Netwrix Usercube and build the solution you need, explore our guides. + +The present documentation mentions the Netwrix Usercube application as simply Usercube. + +**Usercube's guides** include: + +- An [Introduction Guide](/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md) if you + are new to Usercube. +- A [User Guide](/docs/identitymanager/6.1/identitymanager/user-guide/index.md) to configure Usercube + from scratch via the UI. +- An [Integration Guide](/docs/identitymanager/6.1/identitymanager/integration-guide/index.md) to + complete Usercube's configuration in XML according to your needs. +- An [Installation Guide](/docs/identitymanager/6.1/identitymanager/installation-guide/index.md) to + install Usercube in a production environment. +- A [Migration Guide](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) to upgrade to + a new version of Usercube. +- [Release Notes](/docs/identitymanager/6.1/identitymanager/whatsnew/index.md) to get details about + specific changes in Usercube's updates. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/index.md new file mode 100644 index 0000000000..30a70df8f4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/index.md 
@@ -0,0 +1,19 @@ +# Installation Guide + +This guide is designed to help you install Usercube in a production environment. + +## Target Audience + +This guide is intended for **system administrators** and **system architects**. + +Required knowledge includes: + +- Windows Server administration +- Internet Information Services (IIS) administration +- SQL Server administration + +## Overview + +The installation of Usercube requires architectural decisions to be made. An +[overview](/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md) of the +architecture and available configurations will help you make informed decisions. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md new file mode 100644 index 0000000000..65d99930e9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md 
@@ -0,0 +1,120 @@ +# Overview + +This section will give you an overview of Usercube's components, their requirements and constraints, +and possible interconnection schemes. At the end of this section, you should be able to choose the +installation setup that fits best your organization's needs. + +## Usercube Components and Data Flow + +![Components & Data Flow](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/overview/components_data_flow.webp) + +### Components + +Usercube's solution includes at least three components. + +#### **1.** Usercube server + +One server handles all of Usercube's computing needs, internal database management and serves the UI +as a web application accessible through a browser. + +The SaaS offering hosts the Usercube Server in the **Cloud**. This means that the server needs not +be installed within a Usercube SaaS installation. + +#### **2.** Usercube database + +One database stores Usercube's data. + +With the SaaS offering, the Usercube Database is hosted in the **Cloud** and needs not be installed. + +The port used to access the database depends on the +[database configuration](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-network-configuration?view=sql-server-ver15#database-configuration) +and the +[connectionString](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-8.0) +set in the +[technical configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md). + +#### **3.** Usercube agents + +One or several agents perform synchronization and provisioning to/from the managed systems. + +### Data flow + +Usercube needs the following data flows to be enabled: + +- The **Server** requires opening connections to the **Database**. +- The **Agents** require opening HTTPS connections to the **Server**. +- The **Agents** require accessing **managed systems**. 
+- All end-users' **browsers** require opening HTTPS connections to the **Server**. +- All end-users' **browsers** require accessing the + [authentication providers](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md#set-up-end-user-authentication). +- Some end-users' **browsers** require opening HTTPS connections to the **Agents**. + + These connections are used to launch `Jobs` or use the `Reset Password` capabilities of some + connectors. This requirement only applies to a few specific **administrator type profiles**. + +- The **Server** and the **Agent** both need to access an **SMTP server** to send + [email notifications](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). + +## SaaS vs. On-Premise + +Usercube comes in two flavors: SaaS and On-Premise. + +- The **SaaS** offering only requires the + [Agent](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md) + to be installed on your organization network. +- The **On-Premise** offering requires the + [Agent](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md), + the + [Server](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md), + and the + [Database](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md) + to be installed. + +## Hosting Hardware + +Depending on the existing network infrastructure and constraints, Usercube's components can be +organized in several ways. + +### Database & servers + +The Usercube Database can be installed on the same workstation as the Usercube Server or run on a +separate machine. The second approach is recommended. 
+ +### Server & agents + +The +[Usercube Server](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) +and +[Agents](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md) +can be spread between several workstations. Two scenarios unfold: + +#### **1.** The server and agents are installed on separate workstations + +This approach is useful when managed systems need to run on separate and isolated networks. + +![Server & Agents isolated](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/overview/distribution_1.webp) + +#### **2.** The Server and one Agent are installed on the same workstation + +In that case, the Usercube Agent can run directly within the Usercube Server process. The hosting +workstation would **only host a Usercube Server process** (with the integrated agent) and no +separate agent needs to be installed. The database could be installed on the same workstation or on +a separate one. + +![Server & Agent together](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/overview/distribution_2.webp) + +## Authentication + +End-users will be able to access Usercube after authentication. Several +[authentication methods](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md#set-up-end-user-authentication) +are available. + +## Email Server + +Usercube sends notifications to users by email. An +[email server](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md) +will have to be set up for the Agent and the Server. + +Before you check out the installation steps, make sure that all the +[requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/index.md) are +met. 
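Review bot: In docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md, the "Data flow" list names HTTPS for the Agent-to-Server and browser flows but says only that the Server "requires opening connections to the Database". State whether that connection is expected to be encrypted and where that is configured, since the "Usercube database" section already points to the connectionString, so that readers can derive complete firewall and TLS requirements from this page. Wording: "needs not be installed" (twice) should be "need not be installed", and "fits best your organization's needs" should be "best fits your organization's needs".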
diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md new file mode 100644 index 0000000000..b60fabfdb1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md 
@@ -0,0 +1,494 @@ +# Install the Agents + +Most on-premises installations use an agent integrated with Usercube's server. If this is your case, +and the server is already installed, no need to go further. If, on the other hand, you need separate +agents, or if you are installing Usercube's agents within Usercube's SaaS offering, this is the way +to go. + +Please make sure that +[Usercube's agent requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md) +are met before going further. + +## Agent Working Directory + +The agent runtime content should be extracted from the runtime archive following the instructions +provided in +[Create a Working Directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md). + +In the separate agent setup, the agent is usually installed on a different workstation from the +server. + +The agent is configured thanks to the +[appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file. + +## Create an IIS Website + +It is recommended to run the Usercube agent as an IIS website. + +To install Usercube's agent as a Windows service, please jump to +[Install the agent As a Windows Service](#install-the-agent-as-a-windows-service). + +Adding Usercube's agent as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. + +The Microsoft Documentation provides the +[prerequisites](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the procedure to +[create a new IIS site](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#create-a-new-iis-site). 
+ +The information needed to go through the creation process are the following: + +- Usercube's agent uses an in-process hosting model. +- Usercube's agent uses .Net. +- Usercube agent's `web.config` dwells in the `runtime` directory. + + It might require a few modifications to target the agent instead of the server: + + **1.** Open `web.config` with a text editor. + + **2.** Change the `arguments` and `stdoutLogFile` attributes of the `` element as + indicated below: + +``` + +``` + +- When creating the website, enter the following data: + + **1.** Site name: `UsercubeAgent` is the recommended naming convention. + + **2.** Physical path: `//Runtime` + + **3.** Type: `http` + + **4.** IP address: `All unassigned` + + **5.** Port & Hostname: To access Usercube's agent. Use the hostname and port that has been + reserved for Usercube. + +After creation, the following settings are recommended: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > Start Mode + set to `AlwaysRunning`; +- **Application Pool** > `Usercube` > **Advanced Settings** > **Process Model** > Idle + Time-out (minutes) set to `0` and Load User Profile set to `True`; +- **Application Pool** > `Usercube` > **Recycling** > Regular time intervals set to + `0`. + + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Usercube's features such as the job scheduler. IIS already + recycles the application pool at each setting change, thus NETWRIX recommends not using periodic + recycling. 
+ +The following is +[mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#mandatory): + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR + Version > `No Managed Code` + +To sum up IIS settings: + +![IIS Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +## Hosting Bundle + +You need to install the +[dotnet hosting bundle](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) (version 8.0 or +higher) to be able to run dotnet application. + +## Select an Agent Identity + +The Usercube Agent, through the IIS Website, should be assigned a +[service account with the relevant permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md). + +You can either: + +- Use the _built-in application pool identity_ (see + [Check default behavior](#check-default-behavior)) and grant this identity the right permissions. +- Use a _custom Windows service account_ with the right permissions and use it as an IIS identity + for Usercube's agent IIS Website. + +### Check default behavior + +Usually, creating an IIS application pool, such as the one within which Usercube's server website +runs, triggers the creation of a service account `IIS APPPOOL/` (where +` ` is the application pool name) known as an **application pool identity**. It is +associated with the IIS website. This account is granted basic group membership that should enable +it to access what it needs. + +For more information about IIS identities, visit the +[Microsoft Documentation](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis). + +Building on this default behavior, the default Application Pool Identity is usually granted the +necessary permissions for Usercube's server to operate. + +Before going further, you should check the following points: + +1. 
Find the group membership of `IIS APPPOOL\`. +2. Check the permissions on the working directory. Right-click the working directory and select + **Security**. The group section should contain one of the `IIS APPPOOL/` groups, + namely `Users`. + +From there: + +- If the _built-in application pool identity_ has been created but does not have the right + permissions, you can use [Set the Agent Permissions](#set-the-agent-permissions) to fix it. Go + back to [Set an IIS Identity](#set-an-iis-identity) to make sure that the _built-in application + pool identity_ is effectively used by Usercube's server IIS Website. +- If you would rather use a custom service account instead of the _built-in application pool + identity_, start with [Set an IIS Identity](#set-an-iis-identity). +- If you're not sure what to do, follow the procedure below, starting with + [Set an IIS Identity](#set-an-iis-identity). + +### Set an IIS Identity + +If you want to use the **built-in application pool identity** created with the application pool, you +can use the +[Microsoft documentation](https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities). + +If you'd rather use a **custom service account** created for Usercube's agent, follow the procedure +below. + +The following implies that a +[custom service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) +has already been created for Usercube's agent. This can be achieved by following the +[same steps as for the server](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md#create-the-service-account): + +1. Open the IIS Manager (`INETMGR.MSC`). +2. Open the **Application Pools** node underneath the machine node. +3. Select the `UsercubeAgent/` application pool. +4. Right-click and select **Advanced Settings**. +5. 
In the **Process Model** section, on the **Identity** list item, click on the three dots to open + the **Application Pool Identity** dialog. +6. Select the **Custom Account** radio button and click on **Set**. +7. Enter the Service Account credentials. +8. Click **OK**. You're all set. + +Usercube's server IIS site will now use this identity to access the database and the working +directory. + +## Set the Agent Permissions + +### Permissions + +Usercube's agent needs +[specific permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md) +on its **working directory** to run, write synchronization output and read provisioning orders. + +Up to four folders have to be considered: + +- The + [working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) +- The + [runtime](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) + directory, usually `C:/identitymanager/Runtime` +- The + [data collection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + directory, usually `C:/identitymanager/Temp` +- The + [provisioning orders](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + directory, usually `C:/identitymanager/Temp` (same as for the data collection directory). + +### Steps + +The following steps can be performed for each of the relevant directories. + +First, let's check what permissions the service account already has. + +1. Go to the working directory parent folder. +2. Right-click the working directory. +3. Select **Properties**. +4. Select **Security**. + +From there, you have two choices. + +The agent service account that was chosen in the previous step: + +1. Already has or belongs to a group that already has the needed permissions. 
There is nothing more + to do. +2. Is missing one of the needed permissions: + + 1. Click on **Edit**. + 2. Click on **Add**. + 3. In the **Enter the object names to select** textbox, enter the service account name in the + down-level logon format. For example, if you chose the _built-in application pool identity_, + this would be `IIS APPPOOL/identitymanagerAgent`. + 4. Click on **OK**. + 5. Select the newly added user name in the **Group or user names** panel at the top of the + window. + + ![Object Names](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + + 6. Check the `Allow` column for the + [relevant permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md). + Check the `Deny` column for the others. + 7. Apply **OK**. + +The working directory permissions are all set. + +The same steps have to be performed on the +[runtime](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md), +the +[data collection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and the +[provisioning orders](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +directories. + +## Name the Agent + +Every agent is assigned a name. This name will be used in the UI to differentiate agents for the +end-user, and in the XML configuration to assign connectors to specific agents. + +In the `appsettings.agent.json` file, **OpenId** > **AgentIdentifier** can be set to any string +except for `Local` which is already taken by Usercube's inner workings. Then the agent set in the +XML configuration must have the same string as identifier. 
+ +> For example: +> +> ``` +> +> appsettings.agent.json +> +> "OpenId": { +> "AgentIdentifier": "MyAgent" +> } +> +> ``` +> +> With the following configuration: +> +> ``` +> +> +> +> ``` + +## Connect the Agent to the Managed Systems + +The `Runtime/appsettings.agent.json` file is a +[technical configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file that will enable you set up the connection between the agent and the target managed systems. + +Every agent is associated with an `appsettings.agent.json` file. + +The integration team should communicate the list of the managed systems to be connected to the +agent, together with their configuration. + +Here is an example of `appsettings.agent.json` connecting an agent to an Active Directory and an SAP +server. + +``` +appsettings.agent.json +{ + ... + "Connections": { + "ADExport": { + "Servers": [ + { + "Server": "paris.contoso.com", + "BaseDN": "DC=paris,DC=com" + } + ], + "AuthType": "Basic", + "Login": "Login", + "Password": "Password", + "Filter": "(objectclass=*)", + "EnableSSL": "true" + } + "SAPExportFulfillment": { + "Server": "serverUrl", + "Login": "login", + "Password": "password" + } + } +} +``` + +Storing sensitive managed system data in configuration files, such as login/password pairs, is +strongly discouraged. Sensitive data should be protected by one of the +[Credentials Protection](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) +methods. + +## Encryption Key Pair + +Usercube's agent needs an [RSA key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) to +perform various encryption operations, such as source, configuration, or log file encryptions. 
+ +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the server's host file system. The file contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. + +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps)and[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (`UsercubeContoso.pfx`) bundling a public key certificate (`usercubecontoso.cert`) and a +private key (`usercubecontoso.key`) with OpenSSL, with a 50-year expiration date: + +``` + +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 + +``` + +``` + +openssl pkcs12 -export -out UsercubeContoso.pfx -inkey usercubecontoso.key -in usercubecontoso.cert + +``` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step **2** in the +frame above. 
+ +The certificate has to be linked to Usercube via `EncryptionCertificate` in the +`appsettings.agent.json` file. + +For more information about configuration parameters, see +[EncryptionCertificate](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +### Certificate as a plain file + +The following parameters are used to link the file to Usercube in `EncryptionCertificate`. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be +[password protected](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#password-protected), +hence the `X509KeyFilePassword` attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the +[Usercube-Protect-CertificatePassword tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). + +``` +appsettings.agent.json +{ + ... + "EncryptionCertificate": { + "File": "./identitymanagerContoso.pfx", + "X509KeyFilePassword": "adefe$/izih" + } + ... +} + +``` + +### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the +recommended method. + +``` +appsettings.agent.json +{ + ... + "EncryptionCertificate": { + "DistinguishedName":"UsercubeContoso", + "StoreLocation": "LocalMachine", + "StoreName": "AuthRoot" + } + ... +} + +``` + +## Connect the Agent to Usercube's Server + +The connection to Usercube's server is configured through: + +**1.** The `applicationUri` attribute in the `Runtime/appsettings.agent.json` file has to be set to +Usercube's server URL. 
+ +**2.**[OpenIdClients](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +and +[DefaultOpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +must be used to set the agent's credentials to connect to the server. + +Their content should be provided by the integration team, in relation to the +[_OpenIdClient_ tag](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +in the applicative configuration. + +The following example shows an `appsettings.agent.json` file that sets an agent to connect to +Usercube's server (`https://identitymanagerserver.contoso.com`) with the OpenId client identifier `Job` and +the password `secret`, stored in the `OpenIdClients` list which also contains the "admin/secret" +login/password pair. + +``` + +{ + .... + "ApplicationUri": "https://identitymanagerserver.contoso.com", + "OpenIdClients": { + "Job": "secret", + "Admin": "secret" + }, + "DefaultOpenIdClient": "Job" +} + +``` + +Storing plain text passwords in configuration files is strongly discouraged. Sensitive passwords +should be +[encrypted](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). + +## Install the Agent as a Windows Service + +Installing Usercube's agent as a Windows service instead of an IIS website is mostly useful when +using IIS is rendered moot by another system. For example, using a reverse proxy in front of +Usercube's agent. 
+ +To install Usercube's agent as a service in Windows server, use the following command: + +``` + +sc.exe create Usercube binpath= "Usercube-Agent.exe --service" displayname= "Usercube Agent" start= auto obj= "DOMAIN\USER" password= "PASSWORD" + +``` + +Make sure to include a space between each parameter's equal sign `=` and the parameter value. + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts Usercube's agent only if an incoming +http request is made on the server and the scheduler is not launched until Usercube's agent is +started. Because of that, you need to carefully set up the starting mode of IIS to force the +starting of Usercube's agent. + +Usercube's agent warm up is done using the `` element in the web.config +file, the configuration is described here: +[https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization](https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) + +You need to: + +- Enable the **Application Initialization** feature +- Modify the **applicationHost.config** file to set the _startMode_ of the application pool as + _AlwaysRunning_. You also need to set the _preloadEnabled_ of your application set to _true_. It + is advised to backup the **applicationHost.config** file when doing this step to prevent mistakes +- Double check that the following section is set in your _web.config_ file, in the section + _system.webServer_: + +``` + + +``` + +Once done, you need to check that the configured jobs are launched via the Usercube's scheduler +without having to manually issue a request on Usercube's agent. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## What's Next? 
+ +The last step in the installation process is setting up an +[Email server](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md new file mode 100644 index 0000000000..ce1d932dbc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md 
@@ -0,0 +1,68 @@ +# Install the Database + +The Usercube Database can be installed on the Server workstation or on a separate machine. + +Please make sure that the +[database requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md) +are met before going further. + +## Steps + +### 1. Install SQL server + +Microsoft's extensive documentation can be used to get help +[installing a SQL Server 2016 or later](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server). + +### 2. Create the Usercube database + +The recommended naming convention is `Usercube`, where `` is the name of +the organization targeted by this installation. + +> **FAQ**: +> [How to create a database in SQL Server?](https://docs.microsoft.com/en-us/sql/relational-databases/databases/create-a-database?view=sql-server-ver15) + +The database name is of no technical importance, but following the naming convention will make it +easier to read the guide. + +### 3. Initialize the Usercube database + +The database scheme can be initialized by running the `Usercube.sql` script (found in the +`SQL_.zip` archive) on the newly created database. + +Preferred methods include +[SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +and +[command line](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +#### Example of procedure for SQL Server Management Studio 2019 + +- Open SQL Server Management Studio. +- Connect to your SQL Server instance. +- In the top left corner, select **File** > **Open** > **File**. +- Select the `Usercube.sql` file. +- Open the file. The file is now open in the main SQL Server Management Studio window. +- Locate the database name dropdown, next to the **Execute** button in the top left section of the + screen. 
+ +![Execute Query](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/database/execute_query.webp) + +- From the dropdown, select the newly created database. +- Click **Execute**. + +#### Example using the sqlcmd CLI + +``` +sqlcmd -S \ -d Usercube -i +``` + +## What's Next? + +The [next step](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) +will consist in: + +- Setting up the Usercube Server as an IIS website. +- Creating a custom service account. +- Granting the necessary database permissions for this account. + +It will also show how to +[test the Usercube Database connection](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md new file mode 100644 index 0000000000..e9090f75f7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md 
@@ -0,0 +1,101 @@ +# Send Notifications + +An SMTP server is used by the **Usercube Server** to send notification emails to its users, and by +the **Usercube Agent** to send Reset Password emails. + +## Email Delivery + +### Via a local SMTP server and the pickup directory + +Both the Agent and the Server can send emails using a **local SMTP server** with Microsoft's +**Pickup Directory** feature. + +**Pickup Directory** is a feature offered by most of Microsoft's SMTP services, such as IIS SMTP +service or Microsoft Exchange Server. + +The pickup directory helps reducing network overhead by eliminating SMTP traffic between +applications, such as the Usercube Server or Usercube Agent, and SMTP servers. It is particularly +useful when using emails as notifications. + +To send an email, an application usually communicates with an SMTP server via the SMTP protocol. In +the real world, email notifications generate a lot of traffic on the organization network. This +extra traffic can be avoided by having applications (such as the Usercube Server or Usercube Agent) +write emails as local files in a local directory instead of sending SMTP packets. + +The SMTP server will then periodically check the directory and send any email found in it. The SMTP +exchange between the applications and the SMTP server is replaced by file writing and reading. + +The directory where clients write emails as files is called the **pickup directory**. + +### Via an external SMTP server + +Both the Agent and the Server can get their emails delivered through an **external** SMTP server. + +## Usercube Server Emails + +The SMTP server used by the Usercube Server is configured in the +[Applicative configuration settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md). + +Here is an example with an external SMTP server. + +``` + +appsettings.json + +{ + ... 
+ "MailSettings": { + "Host": "smtp.contoso.com", + "FromAddress": "no-reply@contoso.com" + } +} + +``` + +The **Host** attribute is the hostname or IP address of an external SMTP server. You can also +specify a directory path instead, that would be the **pickup directory** of your **local** SMTP +server. + +You can also input a **UserName** and **Password** if the SMTP server requires Usercube to +authenticate to send emails. + +## Usercube Agent Emails + +From the agent side, the email settings dwell in the +[Agent's appsetting](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +file. + +Here is a classic example that enables Usercube to send emails through the _smtp.contoso.com_ server +using _[no-reply@contoso.com](mailto:no-reply@contoso.com)_ as the sender address. The Usercube +Agent will authenticate to the SMTP server with the _contosousercube_ login. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "Host":"smtp.contoso.com", + "Port":993, + "Username": "contosousercube", + "Password": "secret" + } + +``` + +If you'd rather use a **local** SMTP server with **pickup directory**, _Host_, _Port_, _Username_ +and _Password_ won't be needed. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "UseSpecifiedPickupDirectory": true, + "PickupDirectory": "C:/Temp/identitymanagerContosoPickup", + } + +``` + +## That's It! + +Now, you're all set to start using Usercube. + +Enjoy the benefits of your new Identity and Access Management solution. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/index.md new file mode 100644 index 0000000000..3c5817ddcd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/index.md 
@@ -0,0 +1,38 @@ +# Production-Ready Installation + +This guide leads the reader through the steps to install Usercube for production purposes. + +**1.__**Before proceeding__, you should go through the +[Overview](/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md) and +[Requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/index.md) +sections to make fundamental decisions about Usercube setup, including: + +- Whether to install the database within the Usercube Server or on a separated workstation. +- How many Agents will be installed? +- If only one Agent is installed, whether to install it as an integrated agent or a separate agent. +- What end-user authentication methods are to be used? +- What hosting environment is used for the Agent and the Server? + +**2.** You should **get the following archives ready**: + +- Usercube runtime: `runtime_.zip` +- Usercube database scheme: `Usercube.sql` from the `SQL_.zip` + +**3.** This guide is **based on the following choices**: + +- Usercube Server running with IIS +- Usercube Database connection with Windows authentication + +This guide will allow you to **extrapolate** less common configurations and will provide links to +the relevant +[Technical Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md) +sections. + +Our examples use the fabled +[Contoso Corporation](https://docs.microsoft.com/en-us/microsoft-365/enterprise/contoso-overview?view=o365-worldwide) +as target organization. + +## What's Next? + +The first step consists in creating a +[Working Directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md). 
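Review bot: In the agent page's "Encryption Key Pair" section, the OpenSSL example uses `-newkey rsa:1024`, which is below the 2048-bit minimum in current guidance and inconsistent with the server page added in this same patch, which uses `rsa:2048` and calls the key pair RSA-2048; suggest `rsa:2048` here as well. The sentence after the commands refers to "step **2** in the frame above" although the two commands are unnumbered. In "Connect the Agent to the Managed Systems" the `Connections` example is missing the comma between the `ADExport` and `SAPExportFulfillment` objects, and both the XML block under "Name the Agent" and the `web.config` block under "Configure the Starting Mode in IIS" are empty, so the reader never sees the element being described.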
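Review bot: In database/index.md the placeholders have been lost: "`Usercube`, where `` is the name of the organization" and `sqlcmd -S \ -d Usercube -i` under "Example using the sqlcmd CLI" no longer say what to substitute, so the command cannot be run as written. Restore the placeholder names, escaped or kept inside code spans so the renderer does not drop them as tags; `SQL_.zip` in step 3 has the same problem.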
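Review bot: In email-server/index.md, the "Usercube Agent Emails" example sets `"Port":993`, which is the IMAP-over-TLS port rather than an SMTP port; an SMTP host is normally reached on 25, 587 or 465, so the example as written is likely to fail when copied. The same block stores `"Password": "secret"` in clear text without the warning that the agent and server pages attach to their credential examples; suggest adding that warning and the link to the credentials-protection topic. The pickup-directory example also leaves a trailing comma after the `PickupDirectory` value.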
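Review bot: In production-ready/index.md, step 1 opens with `**1.__**Before proceeding__`, where the bold and underscore markers are interleaved and will render literally; write it like steps 2 and 3, for example `**1.** **Before proceeding**, you should ...`. The archive names `runtime_.zip` and `SQL_.zip` under step 2 look like they have lost a version placeholder and should state what goes after the underscore.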
diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md new file mode 100644 index 0000000000..f93be8c157 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md 
@@ -0,0 +1,542 @@ +# Install the Server + +Usercube Server can be installed on the same workstation as the database or on a separate +workstation. If you are installing Usercube within the SaaS offering, this section is moot. You can +skip directly to [Set up End-User Authentication](#set-up-end-user-authentication). + +Please make sure that the +[server requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md) +are met before going further. + +## Server Working Directory + +In +[Create a Working Directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md), +the server executable has been extracted to the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) +as `Usercube-Server.exe` and `Usercube-Server.dll` and will enable a user or IIS to run the Usercube +Server. + +## Set up the License Key + +The license key provided by Usercube must be set up in the +[appsetting.json > License](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +attribute. + +## Create an IIS Website + +It is recommended to run the Usercube Server as an IIS website. + +To install the Usercube Server as a Windows service, please jump to [Install the Server as a Windows +Service]. + +Adding the Usercube Server as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. + +An IIS website must be created using the +[Microsoft guide](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the following parameters: + +**1.** Site name: `Usercube` is the recommended naming convention. 
+ +**2.** Physical path: `//Runtime` + +**3.** Type: `http` + +**4.** IP address: `All unassigned` + +**5.** Port & Hostname: To access the Usercube Server and the UI. Use the hostname and port that has +been reserved for Usercube. + +During installation, the following information guides some of your choices: + +- The Usercube Server uses an in-process hosting model. +- Usercube Server's `web.config` can be found in the `Runtime` folder. +- The Usercube Server uses .Net. + +After creation, the following settings are recommended: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > Start Mode + set to `AlwaysRunning`; +- **Application Pool** > `Usercube` > **Advanced Settings** > **Process Model** > Idle + Time-out (minutes) set to `0` and Load User Profile set to `True`; +- **Application Pool** > `Usercube` > **Recycling** > Regular time intervals set to + `0`. + + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Usercube's features such as the job scheduler. IIS already + recycles the application pool at each setting change, thus NETWRIX recommends not using periodic + recycling. + +The following is +[mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#mandatory): + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR + Version > `No Managed Code` + +To sum up IIS settings: + +![IIS Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +An SSL Certificate should also be +[set to the IIS Server](https://docs.microsoft.com/en-US/iis/manage/configuring-security/how-to-set-up-ssl-on-iis) +to perform HTTPS communication with end-users. 
+ +## Hosting Bundle + +You need to install the +[dotnet hosting bundle](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) (version 8.0 or +higher) to be able to run dotnet application. + +## Select a Server Identity + +The Usercube Server, through the IIS Website, should be assigned a +[service account with the relevant permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md). + +### Create the service account + +This section requires using an Active Directory account with sufficient privileges to create service +accounts on the domain. + +1. Log on to a Windows server in the target domain environment. You should use an account with the + necessary permissions to create new domain accounts. + + The target domain is the domain where SQL Server is installed. + +2. Access the _Active Directory User and Computers_ tool with the command `dsa.mc`. +3. Select the target domain. +4. Click **Users**. +5. From the users list, right-click to select **New** > **User**. +6. Choose a mnemonic _First Name_ for the Usercube Server. Example: `UsercubeContosoServer`. +7. Remember for later, the down-level logon name in the format `DOMAIN/userName`. Example: + `CONTOSO/identitymanagerContosoServer`. +8. Click **Next**. +9. Choose a password. Remember it for later. +10. Check **User cannot change password**. +11. Check **Password never expires**. + +This newly created service account is a domain account and will be used as an IIS identity. + +You can go further and use +[Managed Service Account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) +to avoid dealing with the service account password update yourself and let Windows worry about it. +This feature requires installing Usercube on Windows Server 2016 or later, and using an Active +Directory with a forest level set to Windows Server 2016 or later. 
+ +### Set an IIS identity + +The following implies that a +[custom service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) +has already been created for the Usercube Server. + +1. Open the IIS Manager (`INETMGR.MSC`). +2. Open the **Application Pools** node underneath the machine node. +3. Select the `Usercube/` application pool. +4. Right-click and select **Advanced Settings**. +5. In the **Process Model** section, on the **Identity** list item, click on the three dots to open + the **Application Pool Identity** dialog. +6. Select the **Custom Account** radio button and click on **Set**. +7. Enter the previously created Service Account credentials: + - User name in the format `DOMAIN/userName` that you have previously written down. + - Password, previously remembered. +8. Click **OK**. You're all set. + +The Usercube Server IIS site will now use this identity to access the database and the working +directory. + +## Set the Server Permissions + +### Set the database permissions + +The service account used by the Server to access the database needs the following database-level +roles in SQL Server: + +- `public` +- `dbowner` + +And the following server-level role: + +- `Administer bulk operations` + +This guide will show you how to perform these operations using SQL Server Management Studio. + +1. Open SQL Server Management Studio (SSMS). +2. Log in to access the server on which runs the Usercube Database with an account member of the + **sysadmin** or **securityadmin** server-level role. +3. Expand the **Security** node. +4. Expand the **Login** node. +5. Look for the Usercube service account in the list. +6. If you cannot find the service account: + + - From the **Login** node, right-click and select **New** > **Login**. 
+ + ![New Login](/img/versioned_docs/enterpriseauditor_11.6/enterpriseauditor/install/application/newlogin.webp) + + - On the **General** page, enter the service account login name in the down-level logon format, + such as `CONTOSO/identitymanagerContosoServer`. If you're not sure about the correct spelling of your + service account or domain, you can search for it using the search window. From the **Login** + node, right-click and select **New login** > **Login name** > **Search**. + - Then, choose either**Windows authentication** if you chose to connect the server to the + database with a Windows service account (Integrated Security=SSPI in the connection string) or + a **SQL Server authentication** for a SQL Server account (if you set up the connection string + with a login/password). In the SQL case, fill in the same password in the form as in the + connection string. You should now see the newly created login in the Login list. + +7. From the **Login** node, right-click the newly created login and select **Properties**. +8. Go to the **Server Roles** page on the left. +9. Make sure **public** is checked. +10. Go to **User Mapping**. +11. Make sure `Usercube/` is checked (top panel), as well as **db_owner** and + **public** (bottom panel). +12. Right-click the **Server** root node and select **Properties**. +13. In the **Permissions** tab, select the service account or group name set up or found in Step + **6** or **7**. +14. Grant the **Administer bulk operations** permission. + + ![Bulk](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/server/bulk.webp) + +15. Confirm with **OK**. + +Usercube Server now has the required permissions to access the database. 
+ +### Set the working directory permissions + +The Usercube Server needs +[specific permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md) +on the working directory to run, read synchronization output, and write provisioning orders. + +Up to four folders have to be considered: + +- The + [working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) +- The + [runtime](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) + directory, usually `C:/identitymanager/Runtime` +- The + [data collection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + directory, usually `C:/identitymanager/Temp` +- The + [provisioning orders](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + directory, usually `C:/identitymanager/Temp` (same as for the data collection directory). + +The following steps can be performed for each of the relevant directories. + +First, let's check what permissions the service account already has. + +1. Go to the working directory parent folder. +2. Right-click the working directory. +3. Select **Properties**. +4. Select **Security**. + +From there, you have two choices. + +The Usercube Server service account that was chosen in the previous step: + +- Already has or belongs to a group that already has the needed permissions. There is nothing more + to do. +- Is missing one of the needed permissions: + + 1. Click on **Edit**. + 2. Click on **Add**. + 3. In the **Enter the object names to select** textbox, enter the service account name in the + down-level logon format, such as `CONTOSO/identitymanagerContosoServer`. + 4. Click **OK**. + 5. Select the newly added user name in the **Group or user names** panel at the top of the + window. 
+ + ![Object Names](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + + 6. Check the `Allow` column for the + [relevant permissions](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md). + Check the `Deny` column for the others. + 7. Apply **OK**. + +The working directory permissions are all set. + +The same steps have to be performed on the +[runtime](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md), +the +[data collection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and the +[provisioning orders](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +directories. + +## Encryption and Authentication Key Pairs + +The Usercube Server requires an +[RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) to perform +various encryption operations, such as source, configuration, or log file encryptions. Usercube's +Identity Server also needs an +[RSA-2048 authentication key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) for +end-user authentication purposes. + +These certificates don't need to be integrated into the target organization's Public Key +Infrastructure (PKI) and don't require an expiration date. They're only relevant to specific +Usercube temporary data and can be changed at any time. 
+ +Each RSA key pair, as in an [X.509](https://en.wikipedia.org/wiki/X.509) public key certificate and +a private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the Server's host file system. The file contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. + +The key pairs can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps)and[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (`UsercubeContoso.pfx`) bundling a public key certificate (`usercubecontoso.cert`) and an +RSA-2048 private key (`usercubecontoso.key`) with OpenSSL, with a 50-year expiration date: + + ``` + +openssl req -x509 -newkey rsa:2048 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 + +```` + + + ``` + +openssl pkcs12 -export -out UsercubeContoso.pfx -inkey usercubecontoso.key -in usercubecontoso.cert + +```` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step **2** in the +frame above. 
+ +### Generate and use an encryption key pair + +This is the key pair used to perform various encryption operations, such as source, configuration, +or log file encryptions. + +1. Generate a key pair using the OpenSSL method. +2. Store the key pair as a `.pfx` file or use the Windows + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) + (recommended) . +3. Link the generated certificate to Usercube (see + [`appsettings.json > EncryptionCertificate`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)). + +### Generate and use an identity server key pair + +This is the key pair used by the Identity Server for end-user authentication purposes. + +1. Generate a key pair using the OpenSSL method. +2. Store the key pair as a .`pfx` file or use the Windows + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) + (recommended). +3. Link the generated certificate to Usercube (see + [`appsettings.json > IdentityServer`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md)). + +#### Certificate as a plain file + +The following parameters are used to link the file to Usercube in the `IdentityServer` section. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be +[password protected](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#password-protected), +hence the `X509KeyFilePassword` attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. 
+The password should always be encrypted using the +[Usercube-Protect-CertificatePassword tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). + + ``` + + appsettings.json + +{ ... "IdentityServer": { "X509KeyFilePath": "./identitymanagerContoso.pfx", "X509KeyFilePassword": +"eff@�%fmel/" } ... } + +```` + + +#### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the recommended method. + + ``` + + appsettings.json +{ + ... + "IdentityServer": { + "X509SubjectDistinguishedName":"UsercubeContoso", + "X509StoreLocation": "LocalMachine", + "X509StoreName": "AuthRoot" + } + ... +} +```` + +## Connect the Server to the Database + +Now that the Usercube Server has been provided with a service account with the right permissions, +let's finalize the setup. + +The connection between the Server and the Database requires choosing an +[authentication method](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md): +[Windows Authentication](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15#windows-authentication) +or +[SQL Server authentication](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15#sql-server-authentication). +Windows authentication will require the IIS identity to be set to the custom Windows service account +used to log in to the Usercube's Windows Server session. SQL authentication will work with both the +_built-in_ app pool identity and a custom service account. This authentication method will write the +login and password directly in the connection string. 
+ +`Runtime/appsettings.json` is a +[technical configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md) +file that enables you to set up the connection between the Server and the Database through the +[ConnectionString](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md) +attribute. + +The connection string is set up in the `Runtime/appsettings.json` configuration file which can be +edited with any text editor, such as [Notepad++](https://notepad-plus-plus.org/downloads/). + +If the SQL Server is hosted on Azure, you should use the +[AzureCredentials](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md#azurecredentials) +setting before going further. + +In the`Runtime/appsettings.json` file, find or write the `ConnectionString` attributes following the +examples shown below: + +The **first example** sets a connection string using the Windows authentication +(`Integrated Security=SSPI`) to connect, on a local SQL Server system (`source=.`), to the +`UsercubeContoso` database created in +[Install the Database](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md). + +The service account used by the Server to access the Database is either: + +- A Windows account if the connection string was set up using `Integrated Security=SSPI`. +- A SQL Server account if the connection string was set up with a login/password. + +appsettings.json + +``` + +{ +... +"ConnectionString": "data source=.;Database=UsercubeContoso;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +... +} + +``` + +The **second example** sets a connection string using the SQL Server authentication. +`CONTOSO/identitymanagerContosoServer` has been set as the Usercube Server IIS website identity. + +appsettings.json + +``` + +{ +... 
+"ConnectionString": "data source=.;Database=Usercube;User Id=CONTOSO/identitymanagerContosoServer;Password=myPassword;Min Pool Size=10;encrypt=false;" +... +} + +``` + +**SQL Server authentication** stores plain text credentials in the configuration file. This is +strongly discouraged. To avoid storing plain text credentials, you should always strive to use +**Windows authentication** or encrypt sensitive setting values such as the connection string. + +## SSL Certificate + +The Usercube Server requires the use of an SSL Certificate trusted by all the target end-users' +browsers. The standard setup is to use a certificate signed by the target organization's PKI root +Certificate Authority and import the certificate into the end-user's Windows Store. + +This can be achieved using the +[Microsoft Management Console (MMC)](https://en.wikipedia.org/wiki/Microsoft_Management_Console). + +1. Open the MMC (**Start** > **Run** > **MMC**). +2. Click on **File** > **Add/Remove Snap In**. +3. Double-click on **Certificates**. +4. Click on **Computer Account.** +5. Click on **Local Computer** > **Finish**. +6. Click **OK**. + + The Snap-in window closes. + +7. Go to **Certificates** > **Personal** > **Certificates**. +8. Click **`+`**. +9. Right-click **Certificates**. +10. Go to **All Tasks** > **Import**. +11. Click **Next**. +12. Click **Browse**. +13. Browse to the SSL Certificate you want to use and click **Next**. +14. Select **Automatically select the certificate store based on the type of certificate.** +15. Click **Finish** and **OK**. + + The certificate is now visible in **IIS** > **Server Certificates**. + +## DNS + +Your organization's DNS needs to be updated according to the requirements indicated in +[Hostname and DNS](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md#hostname-and-dns). + +## Test Your Installation + +1. Make sure the IIS site is running. +2. 
Go to the following URL with a browser: `:/hc` with the hostname and port set up + in [Create an IIS website](#create-an-iis-website). +3. The Usercube Server is trying to access the Database. If it succeeds, the message "_Healthy_" + should be displayed in the browser. + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts the Usercube Server only if an +incoming http request is made on the server and the scheduler is not launched until the Usercube +Server is started. Because of that, you need to carefully set up the starting mode of IIS to force +the starting of the Usercube Server. + +The Usercube Server warm up is done using the `` element in the +web.config file, the configuration is described here: +[https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization](https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) + +You need to: + +- Enable the **Application Initialization** feature +- Modify the **applicationHost.config** file to set the _startMode_ of the application pool as + _AlwaysRunning_. You also need to set the _preloadEnabled_ of your application set to _true_. It + is advised to backup the **applicationHost.config** file when doing this step to prevent mistakes +- Double check that the following section is set in your _web.config_ file, in the section + _system.webServer_: + +```xml + + + +``` + +Once done, you need to check that the configured jobs are launched via the Usercube's scheduler +without having to manually issue a request on the Usercube Server. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## Set up End-User Authentication + +The next step consists in setting up one or more authentication methods for end-users. 
You may +choose one or several external authentication providers among the following: + +- [OpenIdConnect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication) + +Everything you need to know about setting up authentication is provided in the +[Technical Configuration Guide](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). + +## What's Next? + +[Install the Agent](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/agent/index.md) +is the next step of the process. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md new file mode 100644 index 0000000000..1acd1c8800 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md 
@@ -0,0 +1,57 @@ +# Create a Working Directory + +The working directory is a simple Windows directory where Usercube's Server and/or Agent +executable(s) and dependencies are stored on the workstation. This section shows how to set up the +directory for the rest of the installation and Usercube's lifespan. + +The following steps are to be performed on the Server workstation. They will also have to be +executed on the Agent workstation if a separate Agent setup has been chosen. + +## Steps + +### 1. Create the working directory + +The recommended naming convention is `C:/identitymanager`, where `` is the name +of the organization targeted by this installation. + +### 2. Extract the content of the runtime archive + +Extract the content of the `Runtime` archive into a `Runtime` folder in the newly created working +directory. + +### 3. Create a new empty folder in the working directory + +The folder will be used by the Server and Agent to write and read synchronization files and +provisioning orders. Job logs are usually found here. It is usually named `Temp` and is referenced +in the technical configuration files. + +The working directory structure should now resemble the following: + +``` +??UsercubeXXX + ? ??Temp + ? ??Runtime + ? ? ??wwwroot + ? ? ... + ? ? ??Usercube-Server.exe + ? ? ??Usercube-Agent.exe + ? ? ... + ? ? ??appsettings.agent.json + ? ? ??appsettings.cyberArk.agent.json + ? ? ??appsettings.encrypted.agent.json + ? ? ??appsettings.json + +``` + +`Runtime` contains Usercube executables and configuration files, including: + +- `Usercube-Server.exe`: the Usercube Server executable, which also contains an Agent. +- `Usercube-Agent.exe`: the separate Usercube Agent executable, that will be used only if you choose + to install a separate agent. +- `appsettings.*.json`: + [technical configuration files](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md). + +## What's Next? 
+ +Next section shows how to +[install the Usercube Database](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/database/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/quick-start/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/quick-start/index.md new file mode 100644 index 0000000000..3e958a6991 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/quick-start/index.md 
@@ -0,0 +1,90 @@ +# Quick Start Guide + +This guide leads the reader through the steps to quickly install Usercube's bootstrap version. + +## Prerequisites + +The installation of Usercube requires: + +- a certificate named Usercube.pfx + ([see the Microsoft tool to create a self-signed certificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps)) + + If the certificate is named something other than Usercube.pfx, remember to change the name in + the Runtime/appsettings.json file too. + +- [Database](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md)-related + specifications + +## Install the Bootstrap Version + +**Step 1 –** Go on the [Netwrix portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) +and download the artifacts of the expected version. + +![Extranet Artifacts](/img/versioned_docs/identitymanager_6.1/identitymanager/migration-guide/extranet_v601.webp) + +**Step 2 –** Extract from SDK the folder UsercubeBootstrap anywhere on the computer. + +**Step 3 –** Extract the content of Runtime to UsercubeBootstrap. + +When extracting UsercubeBootstrap to the root of the computer, it looks like: + +![Project Directory](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/quick-start/directory_v602.webp) + +**Step 4 –** Move or copy your certificate inside the Runtime folder. + +**Step 5 –** Create a Sources folder in UsercubeBootstrap. + +_Remember,_ if you don't have the UsercubeBootstrap folder or if you don't create the Sources +folder, the Path in the Directory connection in the Runtime/appsettings.agent.json must be adapted. +Note that you don't need to have a Directory.xlsx file at the location described by this Path for +now. + +**Step 6 –** Create a database named Usercube, using the default options. 
+ +**NOTE:** When using a database server other than Microsoft SQL Server or a different database name, +remember to change the connection string accordingly, in the Runtime/appsettings.json file and in +the future command lines. + +**Step 7 –** Execute the Runtime/identitymanager.sql file in the database. + +**Step 8 –** Open a command prompt and deploy the configuration. See +the[ Usercube-Deploy-Configuration ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md)topic +for additional information. + +In our example, the command would be, in the Runtime folder: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -s "" -d "" +``` + +**Step 9 –** Launch the server. See +the[ Usercube-Server ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md)topic +for additional information. + +In our example, the command would be, still in the Runtime folder: + +``` +./identitymanager-Server.exe +``` + +**Step 10 –** Open a browser and navigate to http://localhost:5000. Authenticate with administrator +as a username and the password specified in the Runtime/appsettings.json file, in the Authentication +section. + +![Authentication Dialog](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/quick-start/authentication_v601.webp) + +Now you can start using the application. + +## Next Steps + +From there, you can start setting up Usercube via the **Settings** page which is accessible from the +**Configuration** section of the home page. + +![Home Page - Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +Then, Netwrix recommends following the user guide to start the configuration of your IGA project +from scratch. 
See the [User Guide](/docs/identitymanager/6.1/identitymanager/user-guide/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md new file mode 100644 index 0000000000..e4a619d02e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md 
@@ -0,0 +1,148 @@ +# Agent + +This section identifies the requirements for a Usercube agent. + +## Software + +The agent is a .NET application. + +Running an agent requires installing the +[ASP.NET 8.0 Runtime](https://dotnet.microsoft.com/download/dotnet/8.0/runtime). + +## Hosting + +When used separated from the server, the agent can be run as: + +- an [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended); +- a + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications); +- a stand-alone executable for tests or debugging purposes. + +### Integrated agent + +Some installations require multiple separate agents, but most of them use a single integrated agent +that runs within the Usercube server process. In that case, the server executable contains the +agents and no agent executable needs to be executed. It means that if a Usercube server is already +installed, no further installation is required. + +In this case, the agent working directory is the same as the server working directory, and both the +agent's and server's +[`appsettings`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +share the same configuration. The `appsettings.agent` configuration set is still configured through +environment variables or via a separate +[`appsettings.agent.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file stored next to the `Usercube-Server.exe` executable, in the common working directory. + +## Service Accounts + +The agent should be assigned a +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). 
+ +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +It can be either the IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis), +or a custom +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +### Working directory permissions + +The agent's service account needs specific permissions on the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md): + +- _Read_ and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the + [`Runtime` directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md), + usually `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_ and _List folder contents_ on the directory for provisioning orders, whose path depends on + the + [`Work` folder's path](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md); +- _Read_, _List folder contents_, and _Write_ on the directory for data collection, whose path + depends on the + [`Work` folder's path](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +Other permissions should be denied. + +> **FAQ**: +> [How to set up directory permissions in Windows Server?](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) + +### Managed systems' permissions + +Every Usercube agent needs one or several service accounts on the target managed systems, able to +read and write to said managed systems. 
+ +> For example, using Usercube with an Active Directory instance requires the agent to be assigned an +> Active Directory service account that can read, write, change users' passwords, update group +> memberships, and synchronize the whole Active Directory. + +Before going further, make sure the integration team has provided: + +- The list of all managed systems; +- service accounts with the necessary permissions for the agent to perform _Read_ and/or _Write_ + operations on the systems associated with a connector allowing respectively + [synchronization and/or provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md); +- service accounts' credentials. + +Managed systems credentials are stored in the +[`appsettings.agent` configuration set](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +and can be [protected](/docs/identitymanager/6.1/identitymanager/integration-guide/modules/index.md). + +### Database permissions + +The agent needs a service account that can authenticate to SQL Server. + +## Hostname and DNS + +The agent needs to be assigned a hostname within the organization's domain. End-user browsers must +be able to resolve the agent's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). + +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The agent requires the use of HTTPS ports and an SSL certificate in order to perform HTTPS +communication with the server. + +## Emails + +The agent needs access to an SMTP server to send +[email notifications](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). 
+ +## Encryption Key Pair + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for the agent in order to perform various encryption operations, such as source, configuration, or +log file encryptions; + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Usercube data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. + +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps)and[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? 
+ +To start the installation, follow either the +[quick start guide](/docs/identitymanager/6.1/identitymanager/installation-guide/quick-start/index.md) +or the +[production-ready installation guide](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md new file mode 100644 index 0000000000..e130b1bc6e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md 
@@ -0,0 +1,120 @@ +# Database + +This section identifies hardware and software requirements for Usercube's database. + +## Hardware + +The database disk storage requirements depend on multiple factors as the database lifespan and the +number of entries, for example 100,000 users can take up appropriately 10 GB of storage + +**NOTE:** The maximum SQL Express database is 10 GB. + +## Software + +Usercube uses a [SQL Server database](https://www.microsoft.com/en-us/sql-server/sql-server-2019) +and supports SQL Server 2016 or later. + +The +[database requirements](https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server?view=sql-server-ver15) +may depend on the chosen SQL Server edition and version. + +### Recommended features + +The following features are also highly recommended: + +- [Always On availability groups](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server): + only available in the Enterprise edition of SQL Server 2016 or later + + > **FAQ**: + > [How to enable Always On availability groups in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server?view=sql-server-ver15) + +- [Database Mirroring](https://docs.microsoft.com/en-us//sql/database-engine/database-mirroring/database-mirroring-sql-server?view=sqlallproducts-allversions): + available in all editions of SQL Server 2016 or later + + > **FAQ**: + > [How to enable database mirroring in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/setting-up-database-mirroring-sql-server?view=sql-server-ver15) + +- [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + + The data history feature introduced in Usercube v5.1.0, might cause some tables to grow + 
significantly. + + Database performance is greatly improved by enabling the + [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + feature for the `UR_Resource` and `UP_Assigned*` tables: + + | `UP_Assigned*` Tables | + | -------------------------- | + | UP_AssignedResourceTypes | + | UP_AssignedSingleRoles | + | UP_AssignedCompositeRoles | + | UP_AssignedNavigationRules | + | UP_AssignedScalarRules | + + This feature is available and enabled by default in SQL Server 2016 or later. + + > **FAQ**: + > [How to create partitioned tables and indexes?](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/create-partitioned-tables-and-indexes?view=sql-server-ver15) + +### Additional tools + +The installation and setup of the database require using either +[SQL server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +or the +[`sqlcmd` command line tool](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +## SQL Server Authentication + +Usercube can authenticate to SQL Server using either a SQL Server authentication login or a Windows +authentication login. + +Netwrix recommends using the +[Windows authentication login](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) +to avoid storing a plain text password in the technical configuration files. + +## SQL Server Roles + +The database administrator must be able to assign the following roles to the service account used by +Usercube to access the SQL Server database: + +- `db_owner` which is a + [database-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15). 
+ This role grants its owner the authorization to perform all configuration and maintenance + activities on the database, and to drop the database in SQL Server. +- `bulkadmin` which is a + [server-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver15). + This role grants its owner the authorization to perform bulk operations on the database. + + Although `bulkadmin` is a server-level role, it still requires Usercube to have database-level + permissions granted by the `db_owner` role. It means that bulk operations can be performed on + the database only if Usercube has been granted the `db_owner` role. + + Granting `bulkadmin` role to the server's service account requires access to an account member + of the `sysadmin` or `securityadmin` server-level role on the target SQL Server. See the + [ Install the Server ](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) + topic for additional information. + +For more information about identity and permission management in SQL Server, see +[Microsoft's documentation](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15). + +## Shared SQL Server and Dedicated Database + +Usercube's SQL Server installation can be used to host other database applications. + +Usercube's database itself must be used exclusively for Usercube. + +## Connection to the Server + +SQL feed must be open from Usercube's server to SQL Server. + +## Optimization + +The +[max degree of parallelism (MAXDOP)](https://learn.microsoft.com/en-us/azure/azure-sql/database/configure-max-degree-of-parallelism?view=azuresql-db) +must be set to 1 in the SQL database. + +## What's Next? + +Let's move on to the requirements for Usercube's server. 
See the +[ Server ](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/device-requirements/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/device-requirements/index.md new file mode 100644 index 0000000000..ddab32a96e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/device-requirements/index.md 
@@ -0,0 +1,65 @@ +# Integration Device + +This section identifies the requirements for the local device used for the installation: either the +integrator can log in onto the local network, or a station must be available. + +## Hardware + +No matter whether the machine is virtual or physical, running a Usercube server or agent requires at +least 8 GB of RAM, 20 GB of disk storage, and a dual-core CPU. + +NETWRIX even recommends a 4-core CPU if SQL server is installed on this device. + +## Operating System + +Both server and agent must run on [Windows Server](https://www.microsoft.com/en-us/windows-server). + +Supported versions are: + +- Windows Server 2022 + - Full Server + - Server Core + - Nano Server +- Windows Server 2019 + - Full Server + - Server Core + - Nano Server +- Windows Server 2016 + - Full Server + - Server Core + - Nano Server + +> **FAQ**: +> [What version of Windows server am I currently running?](https://docs.microsoft.com/en-us/windows/client-management/windows-version-search) + +## Access + +The device must have access to the Virtual Machines of Usercube's server, and to the database. + +## Software + +Microsoft Excel must be installed. + +A web browser must be accessible to test the future installation. Usercube's UI supports all popular +browsers: + +- Google Chrome (latest 2 versions); +- Mozilla Firefox (latest 2 versions); +- Apple Safari (latest 2 versions); +- Microsoft Edge Chromium. + +## Administrator Account + +A Windows local administrator account is required to install the server and agent on the target +Windows Server workstation. + +## Additional Recommendations + +A not-so-minimalist text editor such as [Notepad++](https://notepad-plus-plus.org/downloads/) can be +useful to comfortably edit +[network configuration files](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md). + +## What's Next? 
+ +Let's move on to the requirements for +[Usercube's database](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/index.md new file mode 100644 index 0000000000..1734e7c113 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/index.md @@ -0,0 +1,8 @@ +# Requirements + +This section identifies hardware and software requirements for each Usercube component: + +- #### [Integration Device](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/device-requirements/index.md) +- #### [Database](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md) +- #### [Server](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md) +- #### [Agent](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md new file mode 100644 index 0000000000..f51a22b5d6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/server-requirements/index.md 
@@ -0,0 +1,143 @@ +# Server + +This section identifies hardware and software requirements for Usercube's server. + +## License Key + +The server requires a +[license key](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +provided by NETWRIX. + +## Software + +The server is a .NET application. + +Running the server requires installing the +[ASP.Net hosting bundle in version 8.0](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + +## Hosting + +The server can be run as: + +- an [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended); +- a + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications); +- a stand-alone executable for tests or debugging purposes. + +It is recommended to enable the following +[Internet Information Services (IIS)](https://www.iis.net/) features to host Usercube: + +- [Windows Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#windows-authentication); +- [Anonymous Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication#anonymous-authentication). + +## Service Accounts + +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +The server should be assigned a +[custom Windows service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +The IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis) +should not be used, because it will prevent the custom account from connecting to a distant SQL +Server. 
Hence NETWRIX recommends using a domain account. + +### Working directory permissions + +The agent's service account needs specific permissions on the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md): + +- _Read_ and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the + [`Runtime` directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md), + usually `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_ and _List folder contents_ on the directory for provisioning orders, whose path depends on + the + [`Work` folder's path](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md); +- _Read_, _List folder contents_, and _Write_ on the directory for data collection, whose path + depends on the + [`Work` folder's path](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +Other permissions should be denied. + +> **FAQ**: +> [How to set up directory permissions in Windows Server?](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) + +### Database permissions + +If Windows' authentication is used for SQL Server, then the server should be able to authenticate to +SQL Server with its assigned service account. It means that the server's service account needs to be +assigned an SQL Server login with the relevant +[roles](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/database-requirements/index.md), +including necessarily either `sysadmin` or `securityadmin`. + +For more information, see the +[server installation procedure](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). 
+ +## Hostname and DNS + +In the case of an on-premises installation, the server needs to be assigned a hostname within the +organization's domain. Agents must be able to resolve the server's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). + +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The server requires the use of an SSL certificate in order to perform HTTPS communication with +end-users' browsers. + +Usercube SaaS offering comes with an SSL certificate signed by a trusted certificate authority for +the `*.usercube.com` domains. This certificate allows end-users to access the server through the +Internet without any further configuration. Using another domain name for the SaaS installation +requires providing NETWRIX with the corresponding SSL certificate signed by a trusted certificate +Authority. + +Usercube on-premises offering requires the use of an SSL certificate trusted by all the target +end-users' browsers. Standard practices use a certificate signed by the target organization's Public +Key Infrastructure (PKI) root certificate authority. +[The on-premise SSL certificate must be set up in IIS](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). + +## Emails + +The server needs access to an SMTP server to send +[email notifications](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). 
+ +## Encryption and Identity Server Key Pairs + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for: + +- Usercube's server in order to perform various encryption operations, such as source, + configuration, or log file encryptions; +- Usercube's Identity Server for end-user authentication purposes. + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Usercube data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. + +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps)and[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? 
+ +Let's move on to +[Usercube's agent requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/installation-guide/reverse-proxy/index.md b/docs/identitymanager/6.1/identitymanager/installation-guide/reverse-proxy/index.md new file mode 100644 index 0000000000..ecf411844f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/installation-guide/reverse-proxy/index.md 
@@ -0,0 +1,190 @@ +# Reverse Proxy + +Usercube can be installed behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) that +acts as an intermediate server between users and Usercube's server, in order to process users' +requests and redirect them to the right server(s), for performance and security purposes. + +## Overview + +A reverse proxy is usually used when: + +- needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be + able to monitor plain text requests from/to Usercube's server; + + ![Proxy Purposes: Encryption](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp) + +- installing Usercube with an integrated agent on a network isolated from the users' browsers, in + order to be able to access sensitive systems which are protected by being set up on a network + isolated from the Internet; + + ![Proxy Installation Example](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/reverse-proxy/proxy_example.webp) + + This installation will be used for the configuration examples below. + +- using several Usercube's server instances for load-balancing purposes. + + ![Proxy Purposes: Load Balancing](/img/versioned_docs/identitymanager_6.1/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp) + +As Usercube is session-less, working with several servers does not imply the need to synchronize +sessions between servers, nor the need to guarantee that a particular IP will be processed by a +particular server. + +### Nginx + +For these tasks, [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/#nginx) +is a relevant choice of reverse proxy. There are several versions of nginx available, suitable for +several Linux-based environments. +[Installation instructions](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) can be found +directly on the nginx website. 
+ +At its core, Usercube is an ASP.Net application with a Kestrel server. We can configure a nginx +reverse proxy accordingly by following +[Microsoft's guidelines](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-8.0&tabs=linux-ubuntu#microsofts-guidelines). + +Nginx +[configuration files](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/) +are usually located in `/etc/nginx`. + +### Load balancing + +Nginx offers several +[load balancing methods](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#load-balancing-methods) +which are all compatible with Usercube. + +Then, in order for servers to be able to properly schedule and coordinate synchronization and +provisioning, the following file locations must be shared by all Usercube servers: + +- [TempFolderPath](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +- [WorkFolderPath](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + +All Usercube servers also share a database. + +## Basic Configuration + +The following is a basic configuration, in the `nginx.conf` file, with one virtual host, that +directs incoming requests on `` from network 1 to a Usercube server instance at +`` on network 2. 
+ + ``` + +nginx.conf + +worker_processes auto; + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /nginx-1.19.7/logs/access.log; + error_log /nginx-1.19.7/logs/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + ## + # Virtual Host Configs + ## + + server { + listen default_server; + server_name ; + + location / { + proxy_pass http://; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + } + +} + +```` + + +Where: + +- `````` is the port that nginx listens to on network 1 for incoming HTTP requests. It should be set to ```80```, except if you have another web server listening for port 80 requests and passing them to your nginx server. +- `````` is the URL used by end-users to request Usercube's server, such as ```contoso.usercube.com```. It is the content of the host header in the incoming HTTP request. +- `````` is Usercube's server URL on network 2. + +With this configuration, SSL is enabled between the nginx proxy and the client, but not between the proxy and Usercube's server. ```gzip``` is used to compress files to be sent over the network. + +### Static files + +Performance can be enhanced for static file serving. This requires extracting static files such as the UI JavaScript application and the logo and pictures, and storing them on the nginx server directly. 
[See more information about static file serving with nginx](https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/). + +## Load Balancing Configuration + +Load balancing involves at least two Usercube servers to which [nginx, acting as a load balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/), distributes the load of incoming requests. + +Then, in addition to the configuration from the previous example, a group of servers must be declared, using the ```upstream``` directive in the ```http``` section. + +The following configuration defines a group named ```usercubegroup``` which contains two server configurations, each one resolving to an actual Usercube's server instance: + + ``` + +... +http { + upstream usercubegroup { + server usercube1.contoso.com; + server usercube2.contoso.com; + } + ... +} +... + +```` + +Then, the name of the group takes the place of `` in the virtual host +definition: + + ``` + +server { listen default_server; server_name ; + + location / { + proxy_pass http://identitymanagergroup; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + + } + +``` + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/index.md new file mode 100644 index 0000000000..d110efe014 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/index.md @@ -0,0 +1,3 @@ +# Agent API + +- #### [Job](/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/job/index.md) 
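Review bot: In server-requirements/index.md, the "Database permissions" paragraph requires the server's service account to hold either `sysadmin` or `securityadmin` on SQL Server without saying which operation needs a server-level role, while the section just above it ends with "Other permissions should be denied." Please state why the role is required and for which operations. In the same file, "Working directory permissions" refers to "The agent's service account" and "the agent executable" on the Server page, which reads as copied from the agent requirements. The X.509 link points to fr.wikipedia.org while the other Wikipedia links are English, and the last sentence of the key pair section runs the `New-SelfSignedCertificate` and `pvk2pfx` links together with "and" and no spaces.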
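Review bot: In reverse-proxy/index.md, the basic configuration sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, which keeps the deprecated TLS 1.0 and 1.1 enabled and leaves out TLS 1.3; suggest `ssl_protocols TLSv1.2 TLSv1.3;`. The text below the block says SSL is enabled between nginx and the client, but the `server` block has no `ssl` parameter on `listen` and no `ssl_certificate` or `ssl_certificate_key` directive, and the "Where:" list says the port should be 80, so as written it serves plain HTTP. In the load-balancing example the group is declared as `upstream usercubegroup` but the virtual host uses `proxy_pass http://identitymanagergroup;`, so the two names need to match. The placeholders have also been lost (`server_name ;`, `proxy_pass http://;`, and the three empty bullets under "Where:"), and the code fences open with three backticks and close with four.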
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/job/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/job/index.md new file mode 100644 index 0000000000..044285f699 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/job/index.md @@ -0,0 +1,23 @@ +# Job + +### /api/Job/Job/RunJob/`{id}` + +#### Post + +##### Summary: + +Run Job. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | --------------------------------------- | -------- | ---- | -------------------------------------------------------------------------------------- | +| id | Identifier of the Job to run automaton. | True | | | +| jobLogLevel | Override the serilog LogLevel. | False | | [LogLevel](/docs/identitymanager/6.1/identitymanager/integration-guide/api/agent/index.md) | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | --------------------------------------- | --------- | +| 200 | The result of the job to run automaton. | | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/authentication/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/authentication/index.md new file mode 100644 index 0000000000..eb5db8ce51 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/authentication/index.md 
@@ -0,0 +1,26 @@ +# Authentication + +Usercube API authentication is based on the [OpenIdConnect protocol](https://openid.net/connect/). +Configuration informations are accessible on: +`[Usercube application URL]/.well-known/openid-configuration`. + +An OpenId client must be previously defined using an +[OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +configuration element. + +The `client_id` parameter to use in calls to the OpenIdConnect protocol endpoints must be the +concatenation of `clientId`, `@` and the domain of the application. + +For example, client defined by + +``` + + + +``` + +for the Usercube application hosted on `usercube.mycompany.com` must use +`MyApplication@usercube.mycompany.com` as `client_id` parameter in any call to the OpenIdConnect +endpoints. + +The scope to access to the Usercube API is `usercube_api`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/index.md new file mode 100644 index 0000000000..538e257b63 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/index.md @@ -0,0 +1,6 @@ +# How-Tos + +These guides will help you use Usercube's API with practical step-by-step procedures. + +- #### [Request Usercube's API via Postman](/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/request-postman/index.md) + Configure Postman to be able to request Usercube's API. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/request-postman/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/request-postman/index.md new file mode 100644 index 0000000000..0e44dcdc56 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/how-tos/request-postman/index.md 
@@ -0,0 +1,89 @@ +# Request Usercube's API via Postman + +This guide shows how to configure Postman to be able to request Usercube's API. + +## Get an Access Token + +Get an access token by proceeding as follows: + +1. Launch Postman. +2. Create a new request by clicking on **+ New** then **Request**. + + ![Postman: New Request](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp) + +3. Fill in the fields and click on **Save to Usercube**. + + ![Postman: New Request Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp) + +4. Fill in the authentication information as follows: + + ![Postman: Authentication](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp) + + - **Method**: POST + - **URL**: ``/connect/token + - **Body**: + - **client_id**: ``@`` + - **client_secret**: `` + - **scope**: usercube_api + - **grant_type**: client_credentials + +5. Click on **Send** and get the access token from the response body. + + ![Postman: Access Token](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp) + +## Use an Access Token + +Use an access token by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp) + + - **Method**: GET + - **URL**: ``/``?api-version=1.0 + - **Authorization**: + - **TYPE**: Bearer Token + - **Token**: `` + +3. Click on **Send** and get the result from the response body. 
+ + ![Postman: Access Token Result](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + +## Create a Combined Request + +Create a combined request by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization (Combined Request)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp) + + - **Method**: GET + - **URL**: ``/``?api-version=1.0 + - **Authorization**: + - **TYPE**: OAuth 2.0 + - **Header Prefix**: Bearer + +3. Click on **Get New Access Token** and fill in the fields as follows: + + ![Postman: New Access Token Fields (Combined Request)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp) + + - **Token Name**: `` + - **Grant Type**: Client Credentials + - **Access Token URL**: ``/connect/token + - **Client ID**: ``@`` + + Do not replace `@` with its encoding. + + - **Client Secret**: `` + - **Scope**: usercube_api + - **Client Authentication**: Send client credentials in body + +4. Click on **Request Token** to get the token. + + ![Postman: Get Token (Combined Request)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp) + +5. Click on **Use Token** and **Send** and get the result from the response body. + + ![Postman: Access Token Result (Combined Request)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/index.md new file mode 100644 index 0000000000..ada623241d --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/index.md @@ -0,0 +1,25 @@ +# API + +Agent and server expose a REST API. + +## OpenAPI Definition + +This feature is optional and must be activated by the +[Swagger settings section](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) + +The page `[Usercube application's URL]/swagger` can be used to explore and test the API. + +This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Usercube +[OpenAPI](https://swagger.io/specification/) definition. + +![Usercube server swagger page](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/swagger.webp) + +A function can have several versions. This is why the API description is split into several OpenAPI +definition files. + +Each definition file is accessible in JSON format on URL +`[Usercube application's URL]/swagger/{version}/swagger.json`. + +The Swagger UI page is accessible anonymously but each call from this page to the API must have an +authenticated context. To do so, you only need to be logged to the application from the same browser +instance (Authentication is carried by a cookie). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/pagination/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/pagination/index.md new file mode 100644 index 0000000000..04c49ddfe5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/pagination/index.md 
@@ -0,0 +1,12 @@ +# Pagination + +Each function returning a list of items supports pagination. This pagination is based on the +`PageSize` and `ContinuationToken` parameters. + +The principle is to call the function with the `ContinuationToken` obtained from the previous call. + +![Pagination sequence diagram](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/api/pagination/pagination.webp) + +Pagination is optional. If `PageSize` is not specified, the function will return all items or use +the limit specified in the `squery` parameter. If `PageSize` is specified, no limit must be +specified in the `squery` parameter. diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/accesscertification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscertification/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/accesscertification/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscertification/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/accesscontrol/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscontrol/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/accesscontrol/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscontrol/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/connectors/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/connectors/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/connectors/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/connectors/index.md 
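Review bot: In api/authentication/index.md, the fenced block after "For example, client defined by" is empty, so the `MyApplication@usercube.mycompany.com` example has no `OpenIdClient` definition to refer to. The XML element looks to have been dropped as an unescaped tag; please restore it inside the fence. Minor wording: "Configuration informations are accessible on" should read "Configuration information is accessible at".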
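Review bot: In api/how-tos/request-postman/index.md, the placeholder values in all three procedures are empty inline-code spans: the URL entries read as just `/connect/token` and `?api-version=1.0` with nothing before them, **client_id** and **Client ID** are a bare `@`, and **client_secret**, **Token** and **Token Name** have no value at all. The steps no longer tell the reader what to enter. Please restore the angle-bracket placeholders in an escaped form so they survive rendering, and keep the "Do not replace `@` with its encoding" remark next to the restored Client ID value.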
diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/files/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/files/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/files/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/files/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md new file mode 100644 index 0000000000..eee9edf358 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md 
@@ -0,0 +1,18 @@ +# Server API + +- #### [AccessCertification](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscertification/index.md) +- #### [AccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscontrol/index.md) +- #### [Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/connectors/index.md) +- #### [Files](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/files/index.md) +- #### [Job](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/job/index.md) +- #### [Metadata](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/metadata/index.md) +- #### [ProvisioningEntityInstance](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningentityinstance/index.md) +- #### [ProvisioningPolicy](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningpolicy/index.md) +- #### [Report](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/report/index.md) +- #### [Resource](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resource/index.md) +- #### [ResourceChange](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcechange/index.md) +- #### [ResourceFileChange](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcefilechange/index.md) +- #### [ResourceLink](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelink/index.md) +- #### [ResourceLinkChange](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelinkchange/index.md) +- #### [Universes](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/universes/index.md) +- #### [Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/workflows/index.md) 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/job/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/job/index.md new file mode 100644 index 0000000000..1bc0f3afd2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/job/index.md 
@@ -0,0 +1,822 @@ +# Job + +### /api/Job/Job/RunJob/`{id}` + +#### Post + +##### Summary: + +Runs Job. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | --------------------------------------- | -------- | ---- | --------------------------------------------------------------------------------------- | +| id | Identifier of the Job to run automaton. | True | | | +| jobLogLevel | Override the serilog LogLevel. | False | | [LogLevel](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md) | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | --------------------------------------- | --------- | +| 200 | The result of the job to run automaton. | | + +### /api/Job/Job + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/Job/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/Job/Notification + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | 
------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/JobInstance + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/JobInstance/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/JobStep + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/JobStep/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/Task + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | 
---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/Task/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskDependOnTask + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskDependOnTask/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskDimension + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| 
------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskDimension/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskEntityType + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskEntityType/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskInstance + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| 
------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskInstance/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskResourceType + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | --------- | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. 
| False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Post + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +### /api/Job/TaskResourceType/`{id}` + +#### Get + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ----------------------------------- | -------- | ---- | --------- | +| id | | True | | | +| squery | | False | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Put + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | + +#### Delete + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ----------- | ------------------------- | -------- | ---- | --------- | +| id | | True | | | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ----------- | --------- | +| 200 | Success | | 
diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/metadata/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/metadata/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/metadata/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/metadata/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/provisioningentityinstance/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningentityinstance/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/provisioningentityinstance/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningentityinstance/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/provisioningpolicy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningpolicy/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/provisioningpolicy/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/provisioningpolicy/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/report/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/report/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/report/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/report/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/resource/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resource/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/resource/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resource/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcechange/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcechange/index.md new file mode 100644 index 0000000000..34cbbe42a0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcechange/index.md 
@@ -0,0 +1,30 @@ +# ResourceChange + +### /api/ResourceChange/`{type}`/`{id}` + +#### Get + +##### Summary: + +Returns all the resource changes according to the provided query. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------------------------------------- | +| type | Entity type identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| primaryKeyFilter | Filter on primary key value. | False | | | +| changeOperationType | Filter on change operation type. | False | | [ChangeOperation](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md) | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | -------------------------- | --------- | +| 200 | The resource changes list. | | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcefilechange/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcefilechange/index.md new file mode 100644 index 0000000000..e6759fdef0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcefilechange/index.md 
@@ -0,0 +1,29 @@ +# ResourceFileChange + +### /api/ResourceFileChange/`{type}`/`{id}` + +#### Get + +##### Summary: + +Returns all the resource file changes according to the provided job instance id. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------------------------------------- | +| type | Entity type identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| changeOperationType | Filter on change operation type. | False | | [ChangeOperation](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md) | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | ------------------------- | --------- | +| 200 | The resource file change. | | diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/resourcelink/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelink/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/resourcelink/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelink/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelinkchange/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelinkchange/index.md new file mode 100644 index 0000000000..dfba8a5584 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/resourcelinkchange/index.md @@ -0,0 +1,30 @@ +# ResourceLinkChange + +### /api/ResourceLinkChange/`{type}`/`{property}`/`{id}` + +#### Get + +##### Summary: + +Returns all the resource link changes according to the provided job instance id. + +##### Parameters: + +| Name | Description | Required | Type | Reference | +| ------------------- | ---------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------------------------------------- | +| type | Entity type identifier. | True | | | +| property | Navigation property identifier. | True | | | +| id | Identifier of the job instance. | True | | | +| Path | Represents the permission path. | False | | | +| QueryRootEntityType | Defines the query root entity type. | False | | | +| QueryBinding | Defines the query binding. | False | | | +| PageSize | Page size. | False | | | +| ContinuationToken | ContinuationToken returned by previous page request. | False | | | +| changeOperationType | Filter on change operation type. | False | | [ChangeOperation](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/index.md) | +| api-version | The requested API version | True | | | + +##### Responses: + +| Code | Description | Reference | +| ---- | -------------------------- | --------- | +| 200 | The resource link changes. | | diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/universes/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/universes/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/universes/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/universes/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/api/server/workflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/workflows/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/server/workflows/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/server/workflows/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/api/squery/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/api/squery/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/api/squery/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/api/squery/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/index.md new file mode 100644 index 0000000000..995a78b2bf --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/index.md @@ -0,0 +1,6 @@ +# How-Tos + +These guides will help you set up Usercube's architecture with practical step-by-step procedures. + +- #### [Protect Agent/Server Communication](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md) + Set up a secured authentication system between Usercube's agent and server. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md new file mode 100644 index 0000000000..62033596c2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md 
@@ -0,0 +1,111 @@ +# Protect Agent/Server Communication + +This guide shows how to set up a secured authentication system between Usercube's agent and server. + +## Overview + +Usercube provides a simple way to protect the communication between agent and server, using OpenID +Connect. + +First, make sure to understand the OpenID protocol. For example, +[see Microsoft's documentation on the matter](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc). + +The idea, when sending data from the agent to the server, is the following: + +1. the agent decrypts its own data which was encrypted with the agent-side certificate; +2. the agent calls the server, and sends its HTTPS-encrypted message; +3. the server receives and decrypts the message, before encrypting it again with its own encryption + certificate configured by Usercube. + +![Schema: Agent/Server Communication](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp) + +### Configuration details + +The server must be configured, in its `appsettings.json`, with: + +- an encryption certificate with the private and public keys, in order to be able to send signed + tokens. + +The agent must be configured, in its `appsettings.json`, with: + +- an encryption certificate with at least the server's public key, in order to be able to verify the + tokens sent by the server; +- another encryption certificate meant to encrypt specific files such as logs or temporary files; +- an SSL encryption certificate for the HTTPS connection. + + The SSL certificate is required when working in an on-premises environment. In a SaaS + environment, Usercube provides it. 
+ +In order to give to the agent the right permissions, the XML configuration must specify an +[OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +linked to its hashed secret, and to a Usercube profile. + +## Protect Agent/Server Communication + +Protect agent/server communication by proceeding as follows: + +1. Make sure that both the agent and server configurations specify an encryption certificate. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + + > For example: + > + > ```json + > appsettings.json + > + > { + > "IdentityServer": { + > "X509KeyFilePath": "./identitymanager.pfx", + > "X509KeyFilePassword": "secret" + > }, + > ... + > } + > ``` + +2. Make sure that the agent is also configured with its own encryption certificate. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + + > For example: + > + > ```json + > appsettings.json + > + > { + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > }, + > ... + > } + > ``` + +3. Configure an OpenIdClient, both on agent side in `appsettings.agent.json` with the non-hashed + secret and on server side in the XML configuration with the secret hashed by the + [`Usercube-New-OpenIDSecret` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md). + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md). + + > For example on agent side: + > + > ```json + > appsettings.agent.json + > + > { + > "OpenId": { + > "OpenIdClients": { + > "Job": "newSecret" + > }, + > ... + > } + > ... 
+ > } + > ``` + > + > And on server side: + > + > ```bash + > ./identitymanager-New-OpenIDSecret.exe --client-secret secret + > ``` + > + > ```xml + > + > ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md new file mode 100644 index 0000000000..3ec64fd650 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md 
@@ -0,0 +1,62 @@ +# Architecture + +This article dives deeper into Usercube's design principles. Security and flexibility are the main +concerns of the architecture. + +## A Two-Tier Architecture + +Usercube is made of two parts: + +- The Usercube server operates the main process. It uses a dedicated database, serves the client + side part of the web application and exposes its API. +- The Usercube agent operates data exchange with the information system. It implements a specific + API called by the web client application. + +Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) applications running +on Windows. Usercube's database is a +[Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database. + +![Architecture](/img/versioned_docs/changetracker_8.0/changetracker/architecture.webp) + +[See more details on NETWRIX' recommended architecture when working in a SaaS environment](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/saas/index.md). + +[See more details on NETWRIX' recommended architecture when working in an on-premises environment.](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/on-prem/index.md) + +[See how to protect the communication between agent and server](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md). + +## Isolation Principle + +Usercube server has no direct access to the information system of the organization. It can be +installed on an isolated network (typically in the cloud). Only the agent can read or write the +information system. All exchanges between agent and server are operated through the HTTP protocol +(HTTPS recommended in production). + +## Unidirectional Command Flow + +All reading or writing actions in the information system are initiated by the agent. Usercube server +will never call the agent. 
The Agent periodically polls the server to gather the actions to process. + +Tasks can run on the Server side or on the Agent side. + +Tasks that run on the Server side are still executed by an _Agent_. This is the application of the +one-way data flow principle. _Agents_ can send _commands_ to the _Server_ to execute a Task through +an HTTP request but the _Server_ cannot _command_ an Agent, hence isolating the sensitive _Agents_ +from the exposed _Server_. + +As a result, each set of planned Tasks is assigned to a specific Agent, depending on the managed +systems its Tasks relate to. + +_Agents_ also receive HTTP/HTTPS requests from the browser to allow authenticated end-users to +launch jobs from the UI. + +## Authentication + +Usercube can authenticate users within an Active Directory domain or using an OpenID identity +server. For development mode, Usercube implements a form-based authentication using a unique +password for all users (see +[Server settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md)). + +## Multi-Agent Capability + +Multiple agents can be installed. This allows Usercube to operate in a context where the information +system is partitioned over several networks. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/on-prem/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/on-prem/index.md new file mode 100644 index 0000000000..c47a80ed09 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/on-prem/index.md 
@@ -0,0 +1,29 @@ +# On-Premises Environment + +When working in an on-premises environment, Usercube needs a specific architecture. + +## Overview + +NETWRIX recommends the following architecture: + +![On-Premises Recommended Architecture](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +Most situations do not need Usercube so much that they need a fail-over system, i.e. installing +several Usercube instances in order to prevent breakdowns. In most situations, a single Usercube +instance is enough. + +### Server + +The server should be stateless, i.e. it should store only temporary files. + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. + +### Database + +The database is a critical item, and thus should be set up with a mirror. The database mirror can +have lower CPU and RAM and be on a different location. + +NETWRIX recommends using an incremental backup. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/saas/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/saas/index.md new file mode 100644 index 0000000000..9d3072f765 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/saas/index.md @@ -0,0 +1,14 @@ +# SaaS Environment + +When working in a SaaS environment, Usercube needs a specific architecture. + +## Overview + +NETWRIX recommends the following architecture: + +![SaaS Recommended Architecture](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/connections/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/connections/index.md new file mode 100644 index 0000000000..d26fa24472 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/connections/index.md 
@@ -0,0 +1,103 @@ +# Connections + +This page gathers useful information concerning the possible uses of connections, used by connectors +in order to extract and/or fulfill data from/to external systems. + +## Connection Configuration + +A connector needs at least one +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +which needs to be declared both in the XML configuration and in the +[`appsettings.agent.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file to be used. The connection settings must be set in `appsettings.agent.json` > `Connections` > +``, where `` is the identifier specified for the +connection in the XML configuration. + +[See more details about the XML configuration of a connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). + +The information stored in the connection depends on the export and/or fulfill technologies used by +the connection's package. + +[See connectors documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md) +for more information about the attributes for each connector. + +## Connection Tables + +A +[connection table](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +represents the potential output of the connection's +[export task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md), +when the connection's package allows export. The export process generates CSV files (our connection +tables) whose names start with the connection's identifier. The files' suffixes depend on the +connector. 
+[See connectors' documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md) +for more information about these suffixes. + +The name of these files are used to specify the connection tables of the +[entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +and +[entity association mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), +in order to link the connectors' properties to the source files and columns from the managed +systems. + +A connection table is used in the definition of an entity type as `Source`, while the available +columns of the selected table are used for the mapping as `Source Columns`. + +![connectiontables_ui_v60](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp) + +## Refresh Schema + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Usercube refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. 
+ + ![Refresh all Schemas](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. + +![Failed Refresh Schemas](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "_There is no schema for this connection_". + +![No Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Export/Fulfill Tasks and Resource Type Mappings + +Connections are given to `ExportTasks` through the `Connection` attribute, which is mandatory as the +`ExportTask` needs this information to use the right technology and search the information in the +`appsettings.agent.json`. + +It can also be given to `FulfillTasks` the same way but must not be if the `FulfillTask` has +`TaskResourceTypes`. + +`ResourceTypeMappings` have the `Connection` attribute as well, which is mandatory. If a +`FulfillTask` has `TaskResourceTypes`, it will use the given connections to provision the different +`ResourceTypes`. + +## Secured Options + +A connection's parameters fall into two categories: regular or secured options. 
+ +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +[See how to configure secured options](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md new file mode 100644 index 0000000000..7e7ed19a90 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md @@ -0,0 +1,9 @@ +# Credential Protection + +The credentials of any managed system can be protected using +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +a +[CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +vault or an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/index.md new file mode 100644 index 0000000000..675c569257 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/index.md 
@@ -0,0 +1,9 @@ +# Configuration Details + +This part gathers information about connector configuration. + +NETWRIX recommends +[creating and configuring a connector via the UI](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). + +- #### [Connections](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/connections/index.md) +- #### [Credential Protection](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md new file mode 100644 index 0000000000..efdea33bf6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md 
@@ -0,0 +1,152 @@ +# References: Format for the EntityPropertyMapping + +This page lists all available formats for entity properties, in order to help you manage said +formats when exporting and fulfilling resources from/to external systems. + +The attribute `Format` can be defined in an EntityPropertyMapping to indicate the format of the data +in the external system. It will allow Usercube to correctly convert the data to its own format +during the export and fulfillment processes. + +## Available Formats + +### Active Directory / LDAP / OpenLDAP + +| Format | Corresponding Property Type | Note | +| ------------------------------------ | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| _Bit:``:``_ | String/Int16/Int32/Int64 | When provisioning a bitmask property, for example `userAccountControl`, the format must contain the identifier of the property and the bit to be provisioned, for example `bit:userAccountControl:2`. See more details. | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _Concat:separator_ | String | Mono-valued attribute that may contain multiple values separated by a `` (example: `extensionAttribute15` which requires using `concat:;`) | +| _DateTime/1601Date_ | DateTime | [Classic LDAP Dates](https://www.epochconverter.com/ldap) and [Generalized DateTimes](https://ldapwiki.com/wiki/GeneralizedTime) | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | Some attributes are stored as long integers (_Int64_) even though their name implies that they hold dates, like `accountExpires` and `pwdLastSet` attributes. 
| +| _MultivaluedText_ | String | Multi-valued attribute flattened to a string containing values separated by a `\n`. Its provisioning with a scalar rule requires a specific sorting, see the focus under this table. See more details. | +| _RDN_ | String | [Relative Distinguished Name](https://ldap.com/ldap-dns-and-rdns/) | +| _SID_ | String | [Security Identifiers](https://ldapwiki.com/wiki/ObjectSID) | + +#### Focus on Bit + +Some systems use bitmask properties, i.e. properties containing a set of boolean flags represented +by individual bits. + +Scalar properties are provisioned by scalar rules, usually changing the whole value of the property. +For bitmask properties, changing the whole value often requires an unnecessarily complex expression. +Hence, a bitmask property should be modified one bit at a time (bit provisioning). In order to +change only one flag without altering the others, a bitmask property must be completed by one +fictitious property for each bit to be modified. + +Then scalar rules can be created for each single-bit property individually. + +In a given resource type, there should be scalar rules either for the bitmask property, or for the +single-bit "sub-properties", not both. + +> For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit +> of `userAccountControl`. +> +> ![New Property for Bit Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp) +> +> XML configuration looks like the following: +> +> ```xml +> +> +> +> +> ... +> +> +> +> +> ... +> +> ``` + +When creating a property of bit format: + +- through the UI, there is no need filling the connection column field, because it will be filled + automatically once the format fields are filled. A manual value for connection column would be + overridden. 
+- through XML configuration, the connection column must be specified manually but there are no + additional requirements. + +#### Focus on MultivaluedText + +To provision a `MultivaluedText` property, the associated scalar rule's source object must return a +`string`, where the values are separated by a `\n`. Most of the time, the value of the source object +is computed with an expression. + +The order of the values within the property is important, because Usercube will use the results of +the synchronization and of the computation of the scalar rule's expression. Usercube compares both +results to compute the `Verified` provisioning state if they are found equal. Regarding that fact, +if the scalar rule's expression does not compute the `MultivaluedText` with the values in the same +order as Usercube's synchronization, the property will never be `Verified`. + +NETWRIX recommends, in the scalar rule's expression, ordering the elements before joining them into +a `string` with `myList.OrderBy(e => e, StringComparer.OrdinalIgnoreCase)`, where `myList` is the +list of values. + +> For example, the scalar rule's C# expression for a `MultivaluedText` can look like: +> +> ``` +> +> +> +> ``` + +### ServiceNow + +| Format | Corresponding Property Type | Description | +| ------------------ | --------------------------- | ---------------------------------------------------------- | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _DateTime or Date_ | DateTime | Date in ServiceNow format | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | | + +#### Example + +In this example, we will export and fulfill the start date of an employee in a ServiceNow instance. 
+ +We define an +[EntityProperty](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +called `u_startdate` with the **Type**`DateTime` to display it as a date in the UI. + +``` +ServiceNow Connector.xml +... + ... + +``` + +To correctly export the start date from ServiceNow, we transform the string received into a string +that is readable as a date by Usercube. To do so, we must declare in the EntityTypeMapping that we +will not receive a simple string, but a string formatted as a `DateTime`. + +``` +ServiceNow Connector.xml +... + ... + +``` + +This allows the export of the attribute `u_startdate` as a date in Usercube's format. + +The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** +declared in the ResourceType. + +![Export and Fulfill Data transformation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md new file mode 100644 index 0000000000..cbb5c25faa --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md 
@@ -0,0 +1,122 @@ +# Register for Microsoft Entra ID + +This guide shows how to +[register](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) +Usercube as an application, i.e. grant Usercube a service account, with Microsoft Identity Platform +to authenticate to a Microsoft Entra ID (formerly Microsoft Azure AD), and how to grant Usercube the +[directory permissions](https://docs.microsoft.com/en-us/graph/permissions-reference) for reading +the data to be exported via the +[Microsoft Graph API](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api). + +## Create a New Registration + +Create a new registration for Usercube with Microsoft Identity Platform by proceeding as follows: + +1. Go to [Azure portal](https://portal.azure.com). +2. Log in using the organization's credentials. +3. Find the **Microsoft Entra ID** menu on the left panel. +4. Go to **App Registrations** in the left panel. +5. Click the **+ New Registration** button in the top menu. + + ![Azure AD Export - Add New Registration](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp) + + A new registration form is displayed: + + - `Name`: display name of your application for the currently created registration. It is used to + identify this registration within Microsoft Entra ID. In the case at hand, it won't be + displayed to the end-user since Usercube doesn't access the Microsoft Entra ID using end-user + identity but [its own](https://docs.microsoft.com/en-us/graph/auth-v2-service). + + NETWRIX recommends using a mnemonic name resembling `Usercube` in order to + remember it as the registration of Usercube within the target Microsoft Entra ID, for + example `UsercubeContoso`. 
+ + - [`Supported account types`](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-supported-account-types): + select **Accounts in this organizational directory only (� - Single tenant)**. + + Usercube uses its own identity to access the API. It doesn't access the data on behalf of a + user. To authenticate, it uses credentials of a service account granted by this + registration, in the form of an `ApplicationId` and a secret `Client Secret`. + + See how to get `ApplicationId` and `ApplicationKey`. + + This service account is stored in the organizational directory, and hence using the + [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), + only **Accounts in this organizational directory** are supported for authentication within + this registration scope. + + - `Redirect URI`: + + - The left combo box represents the type of application. It influences the authorization + protocol exchanges. Usercube is of type `Web`. + - The right line edit isn't applicable to our case and should be left blank. It is used for + end-user authentication, but doesn't apply to Usercube. + +6. Confirm the registration with the **Register** button at the bottom of the page. + +### Get the application's identifier + +`ApplicationId` is available in the registration overview. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Usercube**. +3. Go to **Overview** in the left panel. + + The **Essentials** top panel displays the **Application (client) ID** required by the Usercube + Agent. The same page also displays the **Directory (tenant) ID** that will also be needed by the + Usercube Agent. 
+ + ![Azure AD Export - New ApplicationId](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp) + +### Get the application's secret key + +A `Client Secret` key needs to be generated. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Usercube**. +3. Go to **Certificate & Secrets** in the left panel. +4. Click the **+ New client secret** button in the bottom panel **Client Secrets**. +5. Input a mnemonic name such as `UsercubeSecret`. +6. It is recommended to use a short **expiration period** such as 1 year. +7. Confirm the creation with the **Add** button. + + The `Client Secret` is now listed in the bottom panel **Client Secrets**. The `Client Secret` + value is needed by the Usercube Agent settings file. + + ![Azure AD Export - New Client Secret](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp) + + The `Client Secret` value is only displayed in the UI in plain text at first. After a while, it + is only displayed as `**************`. It should hence be stored in the `appsettings.agent.json` + file or an environment variable as soon as it is created, to be used subsequently by Usercube. + If the key is lost, a new key can be created to replace the lost one. + +## Grant Directory Permissions + +Grant Usercube directory permissions by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Usercube**. +3. Go to **API Permissions** in the left panel. +4. Click on the **+ Add a permission** button. + + ![Azure AD Export - Add Permission](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp) + +5. Go to **Microsoft graph** > **Application permissions**. +6. 
Search and open the `Directory` category. +7. Check the `Directory.Read.All` permission. + + If you plan on configuring fulfillment too, you must only check the `Directory.ReadWrite.All` + permission. + + ![Azure AD Export - Directory Permission](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp) + +8. Confirm with the **Add permissions** button at the bottom of the page. + + You now see the `Directory.Read.All` or `Directory.ReadWrite.All` permission in the **Configured + permissions** list with a **? Not granted for �** status. + +9. Grant admin consent by clicking on **? Grant admin consent for ``**. + + ![Azure AD Export - Grant Admin Consent](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp) + + You should now see the status displayed as **? Granted for ``**. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md new file mode 100644 index 0000000000..19643f883e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md 
@@ -0,0 +1,57 @@ +# Configure Secured Options + +This guide shows how to configure secured options to ensure data security in a connection's +parameters. + +## Overview + +A connection's parameters fall into two categories: regular or secured options. + +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +## Configure a Secured Option + +Configure a secured option by proceeding as follows: + +1. Among a connection's parameters, identify the secured option: + + - for a simple field: + + ![AD creation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp) + + - for multiple key-value fields: + + ![SQL connection string](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp) + + Contrary to simple fields, multiple-key-value secured options are not restricted to a given + property. They are arbitrary and can be set to anything. + +2. Fill the field(s) and, if needed, click on the eye icon to make the content visible. 
+ + ![Eye Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + > For example, for a simple field in an AD connection, the `Login` and `Password` are by default + > hidden with ??????: + > + > ![Login Secured Options Hidden](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp) + > + > ![Login Secured Options Revealed](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp) + + > For example, for multiple key-value fields in an SQL connection, some elements of the + > connection string might be sensitive and need to be hidden: + > + > ![SQL connection string](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp) + > + > In this example, the database name and the minimal pool size are secured options: + > + > ![SQL Secured option filled](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp) + + > Another example of multiple key-value fields in a Powershell connection: + > + > ![Powershell Secured option hidden](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp) + +3. Once saved, any secured option's value can no longer be seen. However, it can still be modified + by deleting the value and re-specifying it. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md new file mode 100644 index 0000000000..e9c7c04e32 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md 
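Review bot: In the Configure Secured Options hunk that ends just above this file header, the AD example says `Login` and `Password` are "by default hidden with ??????", which reads like masking characters lost in an encoding conversion; use the characters the UI actually shows, or simply say the values are masked. Step 2 offers the eye icon to reveal the content while the overview and step 3 say a secured value is never shown again once set, so state explicitly whether the eye icon only works before the first save. The SQL example secures the database name and the minimal pool size, which does not illustrate the "sensitive" elements the preceding sentence refers to; an example that secures the credential part of the connection string would make the point better. The overview also announces "several types" and then lists two.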
@@ -0,0 +1,59 @@ +# Run the Banking Demo Application + +This guide shows how to set up and run the Banking demo application. + +## Banking Application Description + +The Banking application is a demo application that represents a web based external system. The +Banking application contains: + +- A main page. +- A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add + a user by clicking on **Create New User**. + + ![Users list](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp) + +- A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on + **Details** on a group shows the users belonging to that group. +- A user's details page for each user, accessible by clicking on **Details** on a user in the users + list. + + ![User details](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp) + +The most interesting part of the Banking application is a user's page. On a user's page, it is +possible to: + +- Edit the user's information +- Delete the user +- Add the user to a group +- Remove the user from a group +- Set the user's password + +The Banking application uses a database named `BankingSystem` as a data source. The changes made to +a user are applied to the database, and will be saved. + +## Running the Banking Application + +The Banking Application is part of the Usercube SDK, and comes with prefilled sources. To run the +Banking application: + +- Download the Usercube SDK. +- Download the Usercube runtime. +- Create a database named `BankingSystem`. +- Go to the `Runtime` folder. 
+- Run + `./identitymanager-FillBankingDatabase.exe --connection-string {connection string} --sources-path {sources path} --banking-sql-path {banking sql path}`, + replacing `{connection string}` with the `BankingSystem` database connection string, + `{sources path}` with the path to `SDK/DemoApps/Sources`, and `{banking sql path}` with the path + to `SDK/DemoApps/Banking`. +- Go to the `SDK/DemoApps/Banking` folder. +- Run `./Banking.exe` in a command prompt. +- In a web browser, enter the URL `localhost:5000`. + +The Banking application is running, and the web browser is on the Banking home page. + +To set the Banking application to another port, run +`./Banking.exe --urls http://localhost:{port number}`. To access the application, enter the URL +`localhost:{port number}` in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md new file mode 100644 index 0000000000..765fe8cca3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md 
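Review bot: The run step in "Running the Banking Application" passes the `BankingSystem` connection string as a `--connection-string` command-line argument, so any credentials in it land in shell history and process listings; add a sentence recommending integrated authentication or a dedicated demo account for this step. The default URL given here is `localhost:5000`, but the web-page Robot Framework guide added later in this patch sets `${BANKINGURL}` to `http://localhost:5011`, so either align the two or tell the reader which `--urls` value that guide expects. The prose says "Usercube SDK" and "Usercube runtime" while the executable is `identitymanager-FillBankingDatabase.exe`; pick one product name.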
@@ -0,0 +1,36 @@ +# Run the HR Demo Application + +This guide shows how to set up and run the HR demo application. + +## HR Application Description + +The HR application is a demo application that represents a web based external system. The HR +application contains an employee list. + +![Users list](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp) + +Each employee also has their own page, with the possibility to edit their profile or delete them. It +is also possible to add a new employee. + +![User details](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp) + +The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv +file will be modified, and the changes will be saved. + +## Running the HR Application + +The HR Application is part of the Usercube SDK, and comes with prefilled sources. To run the HR +application: + +- Download the Usercube SDK. +- Go to `SDK/DemoApps/HR`. +- Modify **appsettings.json** > **CSVPath** to `"..\\Sources"`. +- Run `./HR.exe` in a command prompt. +- In a web browser, enter the URL `localhost:5000`. + +The HR application is running, and the web browser is on the HR application employee list. + +To set the HR application to another port, run `./HR.exe --urls http://localhost:{port number}`. To +access the application, enter the URL `localhost:{port number}` in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/index.md new file mode 100644 index 0000000000..f10fdc95b4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/index.md 
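Review bot: "Running the HR Application" sends the reader to `localhost:5000`, the same default as the Banking demo, so running both demo apps side by side requires `--urls` on at least one of them; say that instead of the closing "Choose a port wisely", which gives the reader no criterion. The `CSVPath` value `"..\\Sources"` is relative, so the step should also state that `./HR.exe` must be started from `SDK/DemoApps/HR` for it to resolve to `SDK/DemoApps/Sources`.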
@@ -0,0 +1,42 @@ +# How-Tos + +These guides will help you set up connectors with practical step-by-step procedures. + +- #### [Run the Banking Demo Application](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md) + Set up the Banking demo application in order to test a connector with a web based external + system.- #### + [Run the HR Demo Application](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md) + Set up the HR demo application in order to test a connector with a web based external + system.- #### Create a Connector How to implement a connector via XML to connect Usercube to an + external system.- #### + [Register for Microsoft Entra ID](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) + Grant Usercube a service account with Microsoft Identity Platform with the right permissions to + authenticate to Microsoft Entra ID.- #### + [Configure Secured Options](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md) + Configure secured options to ensure data security in a connection's parameters.- #### Set Up + Incremental Synchronization How to implement an incremental synchronization job for a given + connector via XML, to upload the related system's resources to Usercube.- #### + [Write a Template for a Ticket Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md) + Write a template that will be used by a Ticket connector to complete the title and the + description of the ticket.- #### + [Write a PowerShell Script for Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md) + Write a PowerShell script used by a PowerShellSync connector.- #### + [Write a PowerShell Script for 
Provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md) + Write a PowerShell script used by a PowerShellProv connector.- #### + [Fulfill Microsoft Exchange via PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) + Set up a PowerShell connector to fulfill data in a PowerShell-compliant system, here Microsoft + Exchange Server.- #### + [Write a Robot Framework Script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) + Write a Robot Framework script that will be used by the Robot Framework connector.- #### + [Interact with a Web Page via Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md) + Write a Robot Framework script that interacts with a web based external system.- #### + [Interact with a GUI Application via Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md) + Write a Robot Framework script which interacts with an external application.- #### + [Export CyberArk Data via SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md) + Set up a SCIM connector to extract data from your CyberArk instance into CSV source files that + will in turn be fed to the synchronization task and to Usercube's resource repository.- #### + [Provision Salesforce Users' Profiles via SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md) + Provision a user's account profile in a Salesforce system with the SCIM connector.- #### + [Set up SharePoint's Export and 
Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md) + Set up a SharePoint connector to extract data from your SharePoint instance into CSV source + files that will be fed to the synchronization task and to Usercube's resource repository. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md new file mode 100644 index 0000000000..6699d55986 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md 
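Review bot: The list in this index is malformed: every entry after the first has its `- ####` marker glued to the end of the previous description ("external system.- ####"), so Markdown will render one run-on paragraph instead of separate items; put each `- #### [Title](link)` on its own line. "Create a Connector" and "Set Up Incremental Synchronization" are also the only two entries without a link target, so either link them or drop them from the index.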
@@ -0,0 +1,268 @@ +# Interact with a GUI Application via Robot Framework + +This guide shows how to write a Robot Framework script which interacts with an external application. + +## Example: Interacting with an application via a GUI + +Consider an external system that is accessible through a GUI program, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a GUI application. The +[guide on how to write a Robot Framework script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) +explains the basics of Robot Framework. The basic prerequisites can be found on the +[Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) +connector page. + +The requirements specific to the Robot Framework FlaUI library are as follows: + +- Python 3.7 or 3.8. For Python 3.9, using `pip install wheel` in the command prompt may solve + installation errors. +- Robot Framework FlaUI library: use `pip install --upgrade robotframework-flaui` in the command + prompt. +- The application with the GUI. + +Other Robot Framework libraries can interact with applications. The [desktop part of the zoomba +library] can also interact with a program, but requires an appium server. + +While not strictly required, it is highly recommended that the +[Robot Framework FlaUI library documentation](https://gdatasoftwareag.github.io/robotframework-flaui/keywords/1.6.6.html) +be consulted. + +## Inspecting tools + +Most FlaUI keywords require an XPath locator. These XPaths can be found using the FlaUI inspection +tool. Download the +[FlaUI inspection tool zip archive](https://github.com/FlaUI/FlaUInspect/releases), then extract the +files to a folder. 
The inspection tool can be launched simply by running `FlaUIInspect.exe`. + +This tool lets you choose the UIA (UI Automation) version. Picking UIA3 should work in most use +cases. + +The FlaUI inspection tool shows each window that is open on the computer. To find the element the +script is supposed to interact with, it is possible to manually search through the windows, and +through the elements. However, the easiest way is to use the Hover Mode, which is accessible in the +tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > +**Show XPath**. + +![Show XPath](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp) + +To see the XPath of an element, hover over the element, and press control. A red box should appear +around the element, and the FlaUI inspection tool should show the element's information. The XPath +should be at the bottom left of the FlaUI element. + +![Highlight Element](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp) + +As an example, imagine an application showing a list of files and folders. Targeting a specific file +would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The +important parts of this path are the beginning and the end. The beginning of the XPath specifies the +window. The middle part of the XPath, in most cases, is irrelevant. + +The last part of the XPath however, `/Group[1]/ListItem[1]`, is what should be modified to find the +right file. `Group[1]` means the element is in the first file group. `ListItem[1]` means the element +is the first file of the group. Depending on the file explorer view mode, the XPath may end with +`Edit[1]`, which means the targeted element is the name section of the file. 
+ +As the Window's number may change, it should be specified by name. For the Downloads folder, +`Window[@Name='Downloads']` specifies the window. The file may not always be at the same position, +so it should also be specified. If the file is `FlaUInspect.exe`, it can be specified with +`ListItem[@Name='FlaUInspect.exe']`. The Group may also change. It is not easy to find the right +group, so the best method is to remove the groups, by right clicking, then selecting **Group by** > +**(None)**. + +## Use Case: Set a file to read-only + +Consider an HR system that creates a file for each employee. When an employee retires, it may be +interesting to set the file to read-only, so that it is not modified by accident. It is possible to +set the file to read-only by provisioning it with the Robot Framework. + +### Define settings + +As with every other Robot Framework script, the Usercube Robot Framework resource needs to be +imported to launch the provisioning. The FlaUI library also needs to be imported to use its +keywords. + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library FlaUILibrary + +``` + +### Define variables + +The `Variables` section contains variables that are used in the rest of the script. As the section +is at the start of the script, the variables are easy to update. In this case, the folder's name and +path are important variables that may be changed. + +``` + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME} + +``` + +### Define custom keywords + +To modify a file's properties, the script needs custom keywords that allow the desired actions to be +accomplished. In this case, to navigate through the explorer program. These keywords were written +with the Windows 10 File Explorer in mind. 
+ +| Keyword | Details | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Open Explorer | Opens and attaches the explorer program to FlaUI. A program can be attached to FlaUI by its name or by its `Pid`, which stands for process identifier. The `Launch Application` keyword returns a `Pid`, however the program may launch multiple processes. In the case of the explorer, it is almost always running, even if no explorer windows are open. The `Pid` returned may not be the correct one. Attaching by the program name seems to work in this case. | +| Open Folder | Opens the folder specified in the `Variables` section. Accessing the address bar is not trivial, as it is not a text field until it is clicked. However, clicking on most elements of the address bar does not open the text field. In this keyword, the icon in the address bar is clicked, which opens the text field. | +| Get File Name | Returns the file's name. This allows the computation of the file's name through a keyword instead of an expression, which can make syntax easier. | +| Set File To Read Only | Sets the file corresponding to the user to read only. This keyword calls the other keywords in the right order, and is used to simplify the readability of the script. | +| Open File Properties | Right clicks on a file, then opens the file's properties. The right click is on the file's image, but it could be changed to any of the file's fields. Note that changing the folder's view mode or ordering may alter the file's XPath. | +| Select Read Only | Selects the read only option. 
This keyword simply clicks on the radio button, then clicks on the `Ok` button. If the radio button is already ticked, the file will no longer be in read only mode. The script clicks on the `Ok` button as it automatically closes the properties window, unlike the `Apply` button. | +| Close Explorer | Clicks on the cross to close the explorer window. It is also possible to close the program with the `Close Application` keyword, however that also closes the background explorer process, so closing only the window is better. | + +``` + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File Properties + [Arguments] ${filename} + Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +``` + +### Define mandatory keywords + +To provision the system, the script must contain the three mandatory keywords: `ExecuteAdd`, +`ExecuteDelete`, and `ExecuteModify`. In this case, only ExecuteDelete is implemented. (It is +considered, perhaps foolishly, that employees will not come out of retirement!) 
+ +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Usercube, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Usercube starts the +Robot Framework task. The `Launch Provisioning` keyword is the one that will fetch the provisioning +orders. + +``` + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library FlaUILibrary + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME} + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File Properties + [Arguments] ${filename} + Right Click 
/Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md new file mode 100644 index 0000000000..ef9ce5bf86 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md 
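Review bot: `Select Read Only` clicks `CheckBox[@Name='Read-only']` unconditionally, and the keyword table itself admits that "if the radio button is already ticked, the file will no longer be in read only mode", so replaying an `ExecuteDelete` order on an already protected file removes the protection; read the checkbox state first and click only when it is unticked. The table calls the control a radio button while the locator targets a `CheckBox`. `Set File To Read Only` invokes the keyword as `Select ReadOnly` although it is defined as `Select Read Only`; Robot Framework's name matching tolerates that, but a single spelling is easier to search for. The "[desktop part of the zoomba library]" reference in Prerequisites has no link target.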
@@ -0,0 +1,408 @@ +# Interact with a Web Page via Robot Framework + +This guide explains how to write a Robot Framework script that interacts with a web based external +system. + +## Example: Interacting with a web-based application + +Consider an external system that is accessible through a web interface, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a web-based application. The +[guide on how to write a Robot Framework script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) +explains the basics of Robot Framework. The basic prerequisites can be found on the +[Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) +connector page. + +The prerequisites are explained in detail at the +[Robot Framework selenium pypi](https://pypi.org/project/robotframework-seleniumlibrary/) page. + +The requirements specific to the Robot Framework Selenium library are as follows: + +- Robot Framework selenium library: use `pip install --upgrade robotframework-seleniumlibrary` in + the command prompt. +- A web browser. +- A web driver that corresponds to the web browser and its version. Webdrivers can be found in the + [Selenium website](https://www.selenium.dev/selenium/docs/api/py/index.html#selenium-website). + This web driver should be in your path. To check that the web driver is in your path, use + `gcm {webdriver_name}`. As an example for Edge, use `gcm MicrosoftWebDriver`. + +The web driver for Edge is called `msedgedriver.exe`, but the Robot Framework may expect it to be +called `MicrosoftWebDriver.exe` depending on the python version. Renaming the web driver from +`msedgedriver.exe` to `MicrosoftWebDriver.exe` should fix this issue. 
+ +If the browser is updated, the web driver should also be updated. + +While not strictly required, it is highly reccomended to look at the +[Robot Framework selenium library documentation](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html). + +## Selenium basics + +Selenium is a web browser automation tool. Selenium can automatically perform scripted actions in a +web browser. Selenium is not easy to use on its own, and it is easier to use Selenium via the Robot +Framework. However, the basics are still the same. + +The basic structure of a web page is defined with HTML. It is accessible with the inspect tool, +which can be opened by pressing the F12 key on most browsers. For Selenium, we want to find +information on specific parts of the page. Inspecting an element can be done by right clicking the +element, and clicking **Inspect**. + +![Inspect Tool](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp) + +Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to +ensure that the file is up to date with the documentation. To do this, the Robot Framework has to +click on the **copy to clipboard** button with the keyword +[`Click Element`](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html#click-element). + +## Locating elements + +As stated in the Robot Framework SeleniumLibrary documentation, the keyword `Click Element` requires +an element locator. The element locator identifies which element the Robot Framework should click. +To ensure the right element is clicked, the element locator should only match the one element which +should be clicked. + +In the HTML, the button has a class `class="copy-to-clipboard"`. The element locator +`class:copy-to-clipboard` matches the button. However, there are other buttons with the same class +on the page. 
The easiest way to click the right button is with an XPath element locator. + +### XPath element locators + +Each element on the web page has an XPath, and each XPath uniquely identifies an element. This means +that we can always use an XPath locator. To get the XPath of an element, inspect the element, then +right click it in the HTML, and click on **Copy** > **Full XPath**. + +![Copy Full XPath](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp) + +For the `copy to clipboard` button, the XPath is +`/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`. + +XPaths change as the page is updated. Using a location strategy other than the XPath strategy should +reduce the maintenance needs of the script. + +### Hypertext references and API calls + +Some elements have links to other websites or pages of the same website. In the HTML inspection, +these elements are likely to have a `href` attribute containing the link. `Href` stands for +hypertext reference. By going directly to the linked URL instead of clicking the link, the script +does not need to specify an element locator for the link. + +In some cases, an API can be called simply by going to the right URL. This URL may be used as a +shortcut to avoid having to fill in text fields. The `href` attributes may show the format of the +API calls. + +## Use Case: Fulfill groups in a Banking system + +The Banking system is a Usercube demo application that represents an external system. The Banking +system stores basic information on its users such as their names, mail addresses� The most +interesting part of the Banking system is the groups functionality, as users can belong to multiple +groups, and groups can have multiple users. 
+ +The goal of this use case is to extract the existing associations between groups and users from the +Banking system into Usercube, then provide a way to add users to a group and remove users from a +group. To showcase the password generation, the script will generate a password for the provisioned +users' accounts. + +### Connector configuration + +As stated in the previous part, the Banking connector is supposed to link the users and their +groups. This means that the connector has a user entity type, and a group entity type, with an +entity association between them. + +The Banking connector has to be able to extract the data, and fulfill the Banking system. The +fulfillment of the Banking system can only be done through its web application, which means the +Robot Framework Selenium library will be used. The extraction of the data will be performed through +an SQL connection. + +For simplicity's sake, only the user's `Login` is kept. + +``` + + + + +``` + +The notion of groups in the Banking system is replaced by the notion of single roles in Usercube. A +user belonging to the accountant group in the Banking system has the accountant single role in +Usercube. To automate the correspondance, the connector's configuration requires a rule between the +group resource and the single role. This can be done with a navigation rule for each single role and +corresponding group. + +For simplicity's sake, only three roles are kept. + +``` + + + +``` + +### Define settings + +As with every other Robot Framework script, the resource needs to be imported to launch the +provisioning. The SeleniumLibrary also needs to be imported to use its keywords. + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library SeleniumLibrary + +``` + +### Define variables + +The variables in the `Variables` section can serve two purposes. 
+ +- Values that should be modified easily: The browser and the Banking web application URL change with + the provisioning environment. +- Values that are used multiple times: The Banking web application URL is used three times in the + script. This avoids editing mistakes that happen when only one of the instances is modified. + +``` + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +``` + +### Define custom keywords + +The script defines several custom keywords. As the element locators may not be easily +understandable, it is important that the keywords are not long, and have descriptive names. + +| Keyword | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Modify User | Sets a password for the user, then applies the provisioning order. This keyword does everything the `Execute Modify` keyword should do, so that it can be used for error handling. As the provisioned resource type may not have password reset settings, the password generation could fail, which is why it is called by the `Try Keyword` keyword. | +| Restart Banking And Fail | Restarts the Banking Application, then fails the keyword execution. This keyword should be used when the Banking application is in an unknown state. | +| Launch Banking App | Launches the Banking web application. To check that the web browser is on the right page, the title of the page is verified with the `Title Should Be` keyword. | +| Set Password | Generates a password for the provisioned user, sets their Banking password to that password, then sends a notification. 
This keyword attempts to send the notification as soon as the password is set. First, this ensures that the notification is sent even if the rest of the script would crash. Second, this keeps the password in memory for the least amount of time possible, which reduces security risks. | +| Add Group To User | Selects the group that should be added, and clicks the **Save** button. This keyword also verifies that the web browser has the expected title. The `Click Element At Coordinates` keyword is used to reset the state of the page, as selecting the group hides the **Save** button. | +| Search User And Add Group | Goes to the page to add groups to the right user, and calls `Add Group To User`. This keyword also verifies that the web page has the expected title. | +| Add Groups | Calls `Search User And Add Group` for each group in the provisioning order. | +| Add All Groups | Computes the number of groups to add, and if there is at least one, calls `Add Groups`. The only way to find the number of groups to add is in the **Changes** > **groups_add** section of the provisioning order. This section does not exist if there are no groups to add, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. | +| Remove Group From User | Goes to the URL corresponding to the API call to remove the group from the user. | +| Remove Groups | Calls `Remove Group From User` for each group in the provisioning order. | +| Remove All Groups | Computes the number of groups to remove, and if there is at least one, calls `Remove Groups`. The only way to find the number of groups to remove is in the **Changes** > **groups_remove** section of the provisioning order. This section does not exist if there are no groups to remove, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. 
| + +``` + +*** Keywords *** +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] 
${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +``` + +### Define mandatory keywords + +To be able to provision the system, the script must contain the `ExecuteAdd`, `ExecuteDelete`, and +`ExecuteModify` keyword. As the Banking system is only able to modify existing accounts, only the +`Execute Modify` keyword is implemented. + +To simplify error handling, the `Execute Modify` keyword only calls the `Modify User` keyword. As +only a single keyword is needed, it can be called within the `Try Keyword` keyword. This means that +the error handling can be handled with the `Catch Keyword` keyword. + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Usercube, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Usercube starts the +Robot Framework task. Note that the `Launch Provisioning` keyword is mandatory for the provisioning +to happen. + +As the browser should always be closed after the tests, a teardown is used to ensure that regardless +of the script's execution state, the browser is closed. 
+ +``` + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library SeleniumLibrary + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search 
User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md new file mode 100644 index 0000000000..b98c8e1eff --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md 
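Review bot: In the `Set Password` keyword, `${login}` is used in `Go To ${BANKINGURL}/User/SetPassword/${login}` and in the following `Title Should Be` check, but the keyword's only argument is `${order}`. Unless the imported resource file defines `${login}` (nothing in these lines shows that), the variable is unresolved. The group keywords read the same value as `${order['Resource']['login']}`, and that expression should be used here too. This matters more than a typo would, because `Modify User` runs `Set Password` under `Try Keyword` with a `Catch Keyword` that only navigates back to `/User`: a failure at this step appears to be absorbed while the group changes still run, so the account could end up with no new password and no notification. The text should say how that case is reported. In `Restart Banking And Fail`, `Fail ${Provisioning failed, restarting the browser}` wraps the message in variable syntax and should pass it as a plain string. Both defects appear twice, in the custom keywords block and in the full script. The prose also switches between `ExecuteModify` and `Execute Modify`; pick one spelling.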
@@ -0,0 +1,671 @@ +# Fulfill Microsoft Exchange via PowerShell + +This guide shows how to set up a +[PowerShell connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +to fulfill data in Microsoft Exchange Server. It will focus on registering Usercube within the +target Microsoft Exchange instance, configuring the connector, and building the job to perform a +regularly scheduled fulfillment. Of course, any other system compatible with PowerShell can be +chosen. + +## Prerequisites + +### External system configuration + +Check the following prerequisites: + +- [PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +- [Microsoft Exchange](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) +- [Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + +Let's consider a simplified system, including three parts: + +1. Usercube +2. Microsoft Exchange Server +3. Active Directory + +For more details on the complete system, see +[Exchange architecture](https://docs.microsoft.com/en-us/exchange/network-configuration/architecture?view=exchserver-2016). + +Usercube can: + +- export and fulfill AD entries independently of Microsoft Exchange. +- export mailboxes from Microsoft Exchange independently of AD. +- fulfill a mailbox but Usercube needs first to fulfill an AD entry and then, launch the Microsoft + Exchange Fulfill. + +### Usercube configuration + +This step sets up the Usercube Agent to use the `Active Directory` and `PowerShell` connectors in +order to fulfill the Microsoft Exchange mailboxes. + +The settings must be entered in `appsettings.agent.json > Connections`. 
For more details, see the +[Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) +and +[PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +sections. + +#### Add sections + +As explained previously, the simplified system consists of Usercube and two other systems. It means +that settings are required in `appsettings.agent.json` to connect with the systems. The settings +required are +[Export Microsoft Exchange](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md), +[Fulfill PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md), +[Export Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) +and +[Fulfill Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md). + +> This example contains export and fulfillment settings for the Active Directory and for Microsoft +> Exchange: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "ADFulfillment": { +> "Servers": [ +> { +> "Server": "...", +> "BaseDN": "..." +> }, +> { +> "Server": "paris.contoso.com", +> "BaseDN": "DC=defense,DC=paris,DC=com" +> } +> ], +> "AuthType": "Basic", +> "Login": "...", +> "Password": "...", +> "Filter": "(objectclass=*)", +> "EnableSSL": true, +> } +> "MicrosoftExchangeExportFulfillment": { +> // Export Microsoft Exchange settings +> ... 
+> // Fulfillment Microsoft Exchange settings +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-Exchange.ps1", +> "Options": { +> "AuthType": "Basic", +> "Server": "http://ex-server1/powershell", +> "Login": "PIXELABS\\Administrateur", +> "Password": "Secret123" +> } +> }, +> } +> } +> ``` + +As this guide focuses on the fulfillment of an external system, export settings will be omitted. + +The Fulfill-PowerShell needs a script whose path is defined by the attribute +**PowerShellScriptPath**. Usercube provides a script in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`. For more details on how to write a customized script, +see +[Write a Script for Fulfill-PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md). + +To define and apply additional settings when authenticating to an external system, we can set the +attribute +[Options](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +and add required parameters for authentication. + +In the example above, the `Basic` AuthType was chosen to show how to fill the credentials, but it +isn't mandatory to use this +[AuthType](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md). + +For pedagogical reasons, this guide focuses on the simplest way to set up the fulfillment, but it's +not the most secure. Hence, it is strongly recommended to use `Kerberos` AuthType or +[credentials protection](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +via Azure Key Vault or CyberArk in a production environment. +NETWRIX recommends completing this guide once, testing the configuration, and only then, switching +to a more secure way of storing credentials. 
+ +## Build the Connector + +To be used for export tasks, a connector must be declared in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md) +and linked to an Agent. + +It is strongly recommended that the applicative configuration be stored in the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md)`Conf` +folder as a set of `xml` files organized by connector. To follow this structure, create a +`MicrosoftExchange` directory in the `Conf` folder. + +### Declare a connector + +In the `MicrosoftExchange` directory, create a `MicrosoftExchange Connector.xml` file. This file +contains the declaration of the connector and the associated +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +> This example declares the +> `MicrosoftExchange`[connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +> on the `Local` agent, and the +> [connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +> linked to the previously defined `MicrosoftExchangeExportFulfillment` JSON section (see the +> [example](#example) above): +> +> ``` +> Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +> ... +> ... +> +> +> ``` + +### Write entity types + +The [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +should match as closely as possible the structure of the Microsoft Exchange data relevant for +Usercube. 
It is designed by analyzing the Microsoft Exchange data structure, and describing said +data with +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) +and +[Entity Associations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) that +best serves the Role Model needs. It will most likely be refined iteratively throughout the project +integration. + +A good starting point for the Entity Model is to mirror the shape of the Microsoft Exchange +mailboxes and databases. + +##### Example + +This example defines the entity types named `MicrosoftExchange_Database` and +`MicrosoftExchange_Mailbox`. + +Notice the omitted **TargetColumnIndex** attribute and the presence of `Type="ForeignKey"` for the +`Mailboxes` and `Database` properties. If omitted, this attribute indicates that the properties are +navigation properties. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write the entity type mapping + +The entity type must be mapped, on a property by property basis, to the exported attributes of +Microsoft Exchange mailboxes and databases (namely, the columns of the CSV source files generated by +the export). The +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element maps scalar properties from a CSV source file to an EntityType. + +##### Example + +In this example, the CSV source files are `microsoftexchange_databases.csv` and +`microsoftexchange_mailboxes.csv` located in the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. 
+ +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write entity associations + +Entity types are associated through their navigation properties with +[Entity Association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + +The following example declares a `1:n` (`'one-to-many'`) association. One +`MicrosoftExchange_Database` may be referenced by any number of `MicrosoftExchange_Mailbox`_(es)_, +but each `MicrosoftExchange_Mailbox` can only reference one `MicrosoftExchange_Database`. + +The properties used for the association must be `Primary` or `Unique` keys. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... + +``` + +### Write the entity association mapping + +The +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element maps column values from a CSV source file to an EntityType navigation property. + +##### Example + +This example describes the mailbox/database associations between `MicrosoftExchange_Mailbox` and +`MicrosoftExchange_Database`. Thanks to the **Export** Microsoft Exchange job, the file +`microsoftexchange_mailboxes.csv` is generated. This file looks like: + +``` + +Command;Property_1;Property_2;...;Property_N +Add;value1;value2;...;valueN + +``` + +Each line of the CSV file corresponds to a `MicrosoftExchange_Mailbox`. The properties used in the +association are: + +- `Guid`: the Guid of the `MicrosoftExchange_Mailbox`. +- `Name`: the name of the `MicrosoftExchange_Database` referencing the `MicrosoftExchange_Mailbox` + (name is unique among the databases). 
+ +The following table can be extracted from the CSV file: + +| Guid | Name | +| ------------------------------------ | --------------------------- | +| 4ecbdba7-e984-409a-a9ac-6027ac81fa42 | Mailbox Database 1882404652 | +| 1d3e67a2-7d44-46f1-a300-afa73ae120f4 | DB1 | +| aab57e15-847b-4e16-96f1-82ebc54c01e2 | DB1 | +| ea513604-3758-463f-9b72-6c42ea949260 | DB2 | + +It means that the `MicrosoftExchange_Mailbox` with `Guid` ? `4ecbdba7-e984-409a-a9ac-6027ac81fa42` +is contained in the `MicrosoftExchange_Database` with `Name` ? `Mailbox Database 1882404652`. This +association is created for every line in the CSV file, and therefore also for every line in the +table above. + +This can be enabled with an **EntityAssociationMapping** like in the following XML: + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... + +``` + +The CSV file `microsoftexchange_mailboxes.csv` must be exported to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +## Build the Role Model + +A +[Role Model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +must be created with the following elements: + +- `ResourceType` +- `ResourceTypeMapping` +- `ResourceCorrelationRule` +- `SingleRole` (optional) + +### Resource type + +A +[ResourceType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +is a conceptual model of an information system object, here a mailbox. + +The resource type contains several rules: + +- [TypeRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + which assigns a resource to a user. 
+- [ScalarRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + which specifies the value to be set to an assigned resource scalar property. +- [NavigationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + which specifies a value to be set to an assigned resource multi-valued navigation property. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... + ... + +``` + +The TargetEntityType is `MicrosoftExchange_Mailbox` and the SourceEntityType is `Directory_User`. + +This ResourceType allows Usercube to compute the values used when fulfilling the external system. + +Finally, the NavigationRule sets the property `Database` of the entity `MicrosoftExchange_Mailbox`. +For more details, see Writing single role. + +### Resource type mapping + +A +[ResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +element contains all the resource types (sharing the same Identifier) that can be provisioned into +targeted platforms, applications, and systems. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +In this example, `Fulfill-PowerShell` requires only a simple `ResourceTypeMapping` (including only +one `Identifier` and one `Connection`): + +- The **Identifier** attribute is `MicrosoftExchange_Mailbox_NominativeUser` which corresponds to + the identifier of the resource type defined earlier. +- The **Connection** attribute is `MicrosoftExchangeExportFulfillment` which corresponds to the + section in `appsettings.agent.json` containing the parameters used to provision the external + system. 
+ +### Resource correlation rule + +A +[ResourceCorrelationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +is used to correlate the resource `MicrosoftExchange_Mailbox_NominativeUser` with the +`Directory_User`. + +#### Example + +``` +Conf/MicrosoftExchange/NotImplementInAutoTest/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +This rule means if the `SamAccountName` (`MicrosoftExchange_Mailbox`) is equal to the `Login` +(`Directory_User`) then, the `ResourceType` can be linked to the `User` with a confidence rate of +100%. + +### Single role (optional) + +A +[SingleRole](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +encapsulates system entitlements. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +This single role was previously used in one of the navigation rules defined in the `ResourceType`. + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +If a `Directory_User` is assigned the SingleRole `DB1` then, the `NavigationRule` indicates that the +property `Database` (in `MicrosoftExchange_Mailbox`) will have the value +`9c512155-d912-4fcb-9448-0755fbaf1b96` (unique id of a `MicrosoftExchange_Database`). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A +[MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +can be added to include a link to the resources list in the left menu on the UI home screen. + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. 
+ +NETWRIX also advises to use a new `MicrosoftExchange Nav.xml` file in the `MicrosoftExchange` +connector's folder to add a `mailboxes` and `databases` menu item. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Nav.xml +... + ... + +``` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Conf/Nav.xml` file. This new menu item gives access to the list of synchronized Microsoft Exchange +entities. + +![Microsoft Exchange Menu Items](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new +`MicrosoftExchange UI.xml` file in the `MicrosoftExchange` connector's folder. + +#### All-in-one scaffolding + +The +[ViewTargetResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) +generates all the required elements to be seen by the user. + +##### Example + +The documentation explains what is generated by the following scaffolding: + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +The following sections show how to override the elements generated by this scaffolding in order to +provide a more precise display. + +#### Display entity type + +The +[DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following display for +[wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com). 
+ +![Microsoft Exchange Display Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +The scalar properties require no configuration: they are automatically displayed. The only +information that the +[DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be +displayed to take you directly to the matching page. + +#### Display table + +The +[DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements describe how a list of resources should be displayed. + +The +[DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +contains a list of +[DisplayTableColumn](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements that identify which properties should be included in the list display. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following list display: + +![Microsoft Exchange Display Table](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) + +#### Internal display name + +An `InternalDisplayName` can also be declared as an +[EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). +The `InternalDisplayName` is used in several UI screens to identify a resource for the user. 
+ +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +This example adds the `InternalDisplayName` to the `MicrosoftExchange_Mailbox` entity type to be +used by the UI. + +### Permissions + +This step focuses on setting up permissions for Usercube's end-users granting them access to the +connector. + +The +[AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[AccessControlEntry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +elements define +[permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +for end-user profiles to read and write the connector's data (such as resources of a given entity +type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator +profile permissions can be written to the `MicrosoftExchange Profile Administrator.xml` file. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Profile Administrator.xml +... +... + +``` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display Microsoft Exchange resources (`mailboxes` and `databases`) +and role categories from the UI. + +## Jobs + +### Construction + +This step focuses on writing a `Complete` Synchronization Job. + +NETWRIX recommends writing Jobs associated with the `MicrosoftExchange` connector to the +`Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml` file. 
+ +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml +... + ... + +``` + +This job will be executed on Microsoft Exchange's connector agent. + +Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag. It refers to +the `ClientId` written to the +[appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration. The Tasks will authenticate with the profile associated with this +`ClientId` in the `` xml configuration element. + +There is also the tag `` which means that the export will not be executed. +Removing the tag will launch export-related tasks before fulfillment-related tasks. Export tasks +need the same XML configuration and additional settings in appsettings.agent.json. + +All the job steps generated by the scaffolding can be found in the +`CreateConnectorSynchroComplete`[scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md). + +Check +[CreateConnectorSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) +for incremental synchronization. + +### Permissions + +The execution of a Job entails the execution of Tasks, reading/writing to the Database and sending +files over to the Server. These operations are protected by an authorization mechanism. + +A +[Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +is required and must have the proper permissions for the associated Job or Task to perform. + +Here, jobs use the default `OpenId`. + +### Job launch + +Scheduling the job execution can rely either on Usercube's scheduler or an external scheduler. 
+ +#### With Usercube's scheduler + +Use the Job +[`CronTabExpression`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) +attribute. + +#### With an external scheduler + +An external scheduler would rely on the +[Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md). + +## Validation + +### Deploy configuration + +The configuration is written to the database using the +[Deploy Configuration tool](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +#### ADMicrosoftExchange prerequisites + +An Active Directory configuration is required for Microsoft Exchange to work. Fill the +ADMicrosoftExchangeExportFulfillment settings in accordance with the configuration. + +To reset the password, if **AuthType** is `Basic`, then **EnableSSL** must be `true`. +Otherwise, if **AuthType** is `Kerberos`, then **EnableSSL** is not required. + +#### Mailbox creation + +To create a new mailbox, apply the following procedure: + +1. Select a user and validate both resource types `ADMicrosoftExchange_Entry_NominativeUser` and + `MicrosoftExchange_Mailbox_NominativeUser`. +2. In the Provisioning Review, confirm both resource types. +3. First, launch the job AD Microsoft Exchange Synchronization. +4. Then, launch the job Microsoft Exchange Synchronization. + +In fact, an `ADMicrosoftExchange_Entry` is required to create a mailbox. To update or delete an +existing mailbox, the Active Directory part can be skipped. + +#### Interface display + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. 
+ +![Microsoft Exchange Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp) + +From there, the Synchronization job can be launched and debugged (if needed). + +After execution, Microsoft Exchange resources and databases should be in the `UR_Resources` table of +the SQL Server database. + +The results can also be viewed on the UI: + +![Microsoft Exchange Menu Items](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +![Microsoft Exchange Display Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +![Microsoft Exchange Display Table](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md new file mode 100644 index 0000000000..36c03417b9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md 
@@ -0,0 +1,937 @@ +# Export CyberArk Data via SCIM + +This guide shows how to set up a +[SCIM connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) +to extract data from your CyberArk instance into CSV source files that will in turn be fed to the +[Synchronization task](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +and to your Usercube resource repository. It will focus on registering Usercube within the target +CyberArk instance, configuring the connector, and building the job to perform regularly scheduled +synchronization. + +## Prerequisites + +### External system configuration + +Usually CyberArk provides the environment to use AAM (_Application Access Manager_) and SCIM +(_System for Cross-domain Identity Management_). For example, PrivateArk Server, PrivateArk and +other tools can be found on a VM-based environment. + +It is strongly recommended that you follow the official **CyberArk SCIM Server Implementation +Guide** (the CyberArk team can provide this document) in order to set up the environment. When +you've completed the installation or if CyberArk has already installed it, you can verify the +installation: + +1. Log into **PrivateArk Client**, locate and open the **SCIM Config** safe. +2. Check the presence of the following objects: + + - `Encryption-key`: The SCIM Server uses a local cache to store objects retrieved from the + Vault. Although no credentials (other than the ones in the SCIM Config safe, which are not + stored on the cache) are retrieved, we encrypt the cache with this encryption key. The key is + randomly generated, and not exposed by the installer, but can be changed if desired. + - `GlobalConfig.yml`: This is the configuration file for the overall SCIM server settings. It is + responsible for the setting of performance parameters and additional added features. 
+ - `Usercube-account`: This is a privileged account to allow Usercube to authenticate its REST + API requests to the SCIM Server. The password for this account must be the same as the + Usercube-user (Usercube can be replaced by any other name like �Client'). + - `SCIM-account`: This is a privileged account, managed by the Central Policy Manager (CPM is + the module of the PAM tool that is responsible for managing the passwords and any + policies/exceptions configured), which allows the SCIM server to retrieve the password for + SCIM-user through an Application Identity Manager (AIM) Credential Provider call. + +3. Verify that the following **Users** were created in the PrivateArk Client: + + - Go to **Tools** > **Administrative Tools**. + - Select **Users and Groups**. + - Ensure the following users have been created: + + - `SCIM-user`: This is a CyberArk user with full privileges for creating and managing Safes, + Accounts, Permissions, and Users. This user is required by the CyberArk's Command Line + Interface (PACLI, used to perform quick Vault-level functions without logging in to the + PrivateArk client) on the SCIM server for logging into the Vault and managing objects on + behalf of client applications such as Usercube. + - `Client-user`: This is a CyberArk user for authenticating requests made to the SCIM server + using the REST API. (The name �Client-user' can change and be replaced by �Usercube-user' + for example.) + + Now we can consider that the installation is correct, the login is `Usercube-user` and the + password `CyberArk1`. + +### Usercube configuration + +This step sets up the Usercube Agent to use the SCIM connector and access the CyberArk data. + +The settings must be entered in the +[appsettings.agent > Connections](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) +section. 
+ +#### Connect to the target CyberArk instance + +In the `Connections` section, add one new subsection that will contain the credentials for the +target CyberArk. Use a meaningful name to remember which CyberArk is accessed via this section. + +> This example connects via the `SCIMCyberArkExport` connection to the CyberArk system: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SCIMCyberArkExport": { +> ... +> } +> } +> } +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the CyberArk's address. It has the form: + `https://host:port/CyberArk/scim`. +- The **Login** attribute with the User's login value (in our example, `Usercube-user`). +- The **Password** attribute with the User's login value (in our example, `Cyberark1`). + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SCIMCyberArkExport": { +> "Server": "https://host:port/CyberArk/scim", +> "Login": "Usercube-user", +> "Password": "Cyberark1" +> } +> } +> } +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you +[protect credentials using Azure Key Vault or CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) +in a production environment. + NETWRIX recommends completing this guide once, testing the configuration, and only then, switching +to a more secure way of storing credentials. + +#### Set exported objects, exported attributes and export files + +This step focuses on choosing and setting up the list of SCIM objects and attributes to be exported. + +The **Filter** attribute defines what is exported. It is located in the +`appsettings.agent > Connections > SCIMCyberArkExport` subsection previously created. 
+ +##### Choose objects to export + +The list of objects to export depends on the Role Model requirements. The list will evolve +iteratively as the project's needs become clearer. + +The SCIM entities available in a CyberArk implementation are: + +- **Users**: CyberArk Users. +- **Containers**: Containers/CyberArk Safes. +- **ContainerPermissions**: Permissions on CyberArk Safes. +- **Privileged Data**: Privileged Data/CyberArk Accounts. +- **Groups**: CyberArk Groups. + +Filters are defined in the next part. + +##### Filtering + +An exhaustive list of entities and attributes provided by CyberArk is available in their +[technical documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsOvw/SCIM-Provisioning.htm) +or the SCIM `Swagger UI`. + +The `Filter` and `FilterGroup` setting syntax is detailed in the +[SCIM optional attributes](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md). + +`SCIMSyntax` must also be set to `CyberArk` because the CyberArk system doesn't strictly follow all +the SCIM rules at the moment. + +##### Example + +The following example sets up the **Users**, **ContainerPermissions**, **Containers** and **Groups** +for export. + +For **Users**, we give an example for each type of attribute: + +- **userName** is an attribute of the base schema. +- **ldapFullDN** is an attribute of the `urn:ietf:params:scim:schemas:cyberark:1.0:User` schema + because it is separated by `�`. +- **givenName** is a sub-attribute of the attribute `name` because it is separated by `:`. + +Notice the `*` that separates the entities. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SCIMCyberArkExport": { + "Server": "https://host:port/CyberArk/scim", + "Login": "Usercube-user", + "Password": "Cyberark1", + "Filter": "Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id displayName type name", + "FilterGroup": "Groups;id displayName", + "SCIMSyntax": "CyberArk" + } + } +} +``` + +##### Set up export files + +The export generates CSV source files that will be fed to the +[Synchronization task](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +The SCIM connector generates one file per entity, the name is generated as: `EntryFile` + `'_'` + +`FilterEntity` or `MembersFile` + `'_'` + `FilterGroupEntity`. + +Moreover, `SyncCookiesFile` can be specified to indicate the location of the cookie file for an +incremental export. + +For more details, see +[SCIM optional attributes](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md). + +The target directory and file name are chosen freely. However, NETWRIX strongly recommends using the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md)`Temp/ExportOutput` +folder and choosing file names that start with the `CyberArk_` prefix. + +##### Example + +With the following example, the resulting files are: + +- `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv` +- `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_ContainerPermissions.csv` +- `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Containers.csv` +- `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SCIMCyberArkExport": { + "Server": "https://host:port/CyberArk/scim", + "Login": "Usercube-user", + "Password": "Cyberark1", + "Filter": "Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id displayName type name", + "FilterGroup": "Groups;id displayName", + "EntryFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk", + "MembersFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members", + "SCIMSyntax": "CyberArk" + } + } +} +``` + +Every file contains the data as CSV, with one column per attribute. + +## Build the Connector + +### Declare a connector + +To be used for export tasks, a connector must be declared in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md) +and linked to an Agent. + +It is strongly recommended that the applicative configuration be stored in the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md)`Conf` +folder as a set of `xml` files organized by connector. + +- In the `Conf` folder, create a `SCIMCyberArk` directory. +- In the `SCIMCyberArk` directory create a `CyberArk Connector.xml` file. + + This file contains the declaration of the connector and the associated + [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +- Use the + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + element to declare the connector with the following attributes: + + - **Identifier** identifies this connector in the + [applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md). 
+ We recommend using a meaningful name such as `CyberArk`. If several connections to several + CyberArk targets are possible, only one CyberArk Connector per Agent is used. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that will run this connector's export task. The + Agent's identifier can be found in the agent's + [`appsettings.agent` > OpenId > AgentIdentifier](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `CyberArk` connector on the `Local` agent: +> +> ``` +> Conf/SCIMCyberArk/CyberArk Connector.xml +> +> ... +> ... +> +> +> ``` + +### Build the entity model + +The exported data to be written to the +[resource repository](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md) +must be aligned with the +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +The [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +should match as closely as possible the structure of the CyberArk data relevant for Usercube. It is +designed by analyzing the CyberArk data structure, and describing said data with +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) +and +[Entity Associations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) that +best serves the Role Model needs. It will most likely be refined iteratively throughout the project +integration. 
+ +A good starting point for the Entity Model is to mirror the shape of the exported CyberArk SCIM +objects. This guide provides a few examples that can serve this purpose. Thus, CyberArk SCIM objects +such as **Users** and **Groups** can be described by +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types), +and group membership by +[Entity Associations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +The [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +for the CyberArk connector is written in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md). +It is strongly recommended to write the entity model to the newly created +`Conf/SCIMCyberArk/CyberArk Connector.xml` file. + +#### Write entity types + +Declaring an +[Entity Type](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) is +achieved with the `` tag and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. It is strongly + recommended to prefix this name with the connector's name. An example for CyberArk is + `CyberArk_User`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this + [Entity Type](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) for + the end-user. **DisplayName_L1** is the name of the entity type in _language number one_. If this + language is _English_, a good example value would be `CyberArk - User`. + +##### Example + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... +... 
+ +``` + +The CyberArk SCIM objects attributes are modeled by +[Entity Properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md), +with the `` tags declared as children of the ``. + +Remember that there are several kinds of +[properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md#properties) +(determined by the `TargetColumnIndex`): scalar and navigation. + +- Scalar properties can be defined to represent scalar attributes such as `userName`, `active` or + `givenName`. +- Navigation properties represent associations such as group memberships. + +Finally, the main attributes of the `` tag are the following: + +- **Identifier** identifies the property with a mandatory unique name. It must be unique among the + entity properties for this entity type. +- **DisplayName_Li, i ? [1..16]** are used in the UI. +- **Type** defines the type of property. A scalar property type can be: `String`, `Bytes`, `Int16`, + `Int32`, `Int64`, `DateTime`, `Bool`, `Guid`, `Double`, `Binary`, `Byte`, or `Option`. The + navigation property type is `ForeignKey`. +- **TargetColumnIndex** defines in which column of the resource table the property is stored. See + more details at + [`TargetColumnIndex`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +##### Example + +This example defines an entity type named `CyberArk_User` to match the attributes selected for +extraction from CyberArk in the previous example. + +Notice the omitted **TargetColumnIndex** attribute and the presence of `Type="ForeignKey"` for the +`groups` and `containers` properties. If omitted, this attribute indicates that the properties are +navigation properties. + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... 
+ +``` + +#### Write entity associations + +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) +are associated through their navigation properties with +[Entity Association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + +The following example declares an `n-n` association between a `CyberArk_User` and `CyberArk_Group`. + +The `groups` property of a `CyberArk_User` is a collection of **Group** IDs (modeled as an +`CyberArk_Group` EntityType) of which this `CyberArk_User` is a member. + +The `Users` property of a `CyberArk_Group` is a collection of `CyberArk_User`IDs which are members +of this **Group**. + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... +... + +``` + +The exact nature of the IDs are described by the associated +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the **Property1** and **Property2** xml attributes: the name of the entity type +followed by `:` and the name of an entity property. It is a +[binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) +that describes in one expression both the target entity type and property. + +### Create mapping + +The entity type must be mapped property by property to the exported attributes of CyberArk SCIM +objects (namely, the columns of the CSV source files generated by the export). 
+ +The +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), +and +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +elements serve this purpose. + +#### Write the entity type mapping + +The +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element maps scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the **ConnectionTable** xml attribute. The target entity type +name is written to the **Identifier** xml attribute. + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... +... + +``` + +To do so, the entity type mapping uses the +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... + +``` + +As a result, after synchronization, the `UR_Resource` table will be updated from the CSV source +files data. + +Let's take the example of a new `CyberArk_User` which has never been synchronized. The `UR_Resource` +table receives a new line for which the _6th_ column (`userName`) is filled in with the `userName` +column from the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv` file. 
+ +#### Write the entity association mapping + +The +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element maps navigation properties, used in +[EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +An +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element refers to an +[EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +written to the **Identifier** xml attribute. Then, just as the +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element, it maps columns values from a CSV source file to an EntityType property. + +##### Example + +The following example describes the actual user/group associations between `CyberArk_User` and +`CyberArk_Group`. These associations are exported from the CyberArk system into the +`C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. Each line of the file +associates a value (property `CyberArk_id` from `CyberArk_Group`) and a MemberId (property +`CyberArk_id` from `CyberArk_User`). + +| value | MemberId | +| ----- | -------- | +| 1 | 100 | +| 1 | 101 | +| 2 | 102 | +| 2 | 103 | +| 3 | 104 | + +The following +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +describes the mapping for the `CyberArk_Group_Members` EntityAssociation: + +``` +Conf/SCIMCyberArk/CyberArk Connector.xml +... +... 
+ +``` + +Here are a few explanations: + +###### Users/_CyberArk_Group_ + +The `Users` property in the `CyberArk_Group` entity: + +- is written to the **Property1** attribute of the + `CyberArk_Group_Members`[EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + element. +- is filled in by values from the `MemberId` column (written to the **Column2** attribute of the + `CyberArk_Group_Members`[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. + +These values identify resources of type `CyberArk_User` by their `CyberArk_id` property (written to +the **EntityPropertyMapping2** attribute of the +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element. + +###### Groups/_CyberArk_User_ + +The `Groups` property in the `CyberArk_User` entity: + +- is written to the **Property2** attribute of the + `CyberArk_Group_Members`[EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + element). +- is filled in by values from the _value_ column (written to the **Column1** attribute of the + `CyberArk_Group_Members`[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. 
+ +These values identify resources of type `CyberArk_Group` by their `CyberArk_id` property (written to +the **EntityPropertyMapping1** attribute of the +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A +[MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +can be added to include a link to the resources list in the left menu in the UI home screen. + +#### Parent menu item + +It strongly recommended to gather synchronized resources menu items under parent menu items. This is +usually declared in the configuration root folder `Nav.xml` file. + +##### Example + +``` +Conf/Nav.xml +... +... + +``` + +#### Child menu item + +It is strongly recommended to use a new `CyberArk Nav.xml` file in the `SCIMCyberArk` connector's +folder in order to add the CyberArk SCIM objects menu item. + +##### Example + +``` +Conf/SCIMCyberArk/CyberArk Nav.xml +... + ... + +``` + +Adds a new menu item under the `Nav_Connectors` menu item declared in the root `Nav.xml` file. This +new menu item gives access to the list of synchronized CyberArk SCIM objects. + +![SCIM CyberArk Menu Items](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new `CyberArk UI.xml` file +in the `SCIMCyberArk` connector's folder. + +#### Display entity type + +The +[DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. 
+ +##### Example + +``` +Conf/SCIMCyberArk/CyberArk UI.xml +... + ... + +``` + +This configuration configures that display for +[christian.adam@acme.com](mailto:christian.adam@acme.com): + +![SCIM CyberArk Display Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp) + +The scalar properties don't need to be configured: they are automatically displayed. The only +information that the +[DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be +displayed to take you directly to the matching page. + +#### Display table + +The +[DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements describe how a list of resources should be displayed. + +The +[DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +contains a list of +[DisplayTableColumn](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements that identify which properties should be included in the list display. + +##### Example + +``` +Conf/SCIMCyberArk/CyberArk UI.xml +... + ... + +``` + +configures the following list display: + +![SCIM CyberArk Display Table](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp) + +#### Internal display name + +An `InternalDisplayName` can also be declared as an +[EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). 
+The `InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + +``` +Conf/SCIMCyberArk/CyberArk UI.xml +... +... + +``` + +adds the `InternalDisplayName` to the CyberArk_User entity type to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Usercube's end-users granting them access to the +connector. + +The +[AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[AccessControlEntry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +elements define +[permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +for end-user profiles to read and write the connector's data (such as resources of a given entity +type). It used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator +profile permissions can be written to the `CyberArk Profile Administrator.xml` file. + +#### Example + +The following example sets permissions for the `Administrator` profile. + +It entitles an administrator to display `CyberArk SCIM` resource and role categories from the UI. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml +... + ... + +``` + +## Jobs + +### Construction + +This step focuses on writing a `Complete` Synchronization job. + +It is strongly recommended to write Jobs associated with the `CyberArk` connector to the +`Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml` file. 
+ +### Components + +All the job steps can be found in the +[`CreateConnectorSynchroComplete` scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md). + +#### Example + +``` +Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml +... + ... + +``` + +This job will be executed on CyberArk's connector agent. + +Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag. It refers to +the `ClientId` written to the +[appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration. The Tasks will authenticate with the profile associated with this +`ClientId` in the `` xml configuration element. + +_Incremental_ synchronization can be configured with the following +[scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md). + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files +over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via the +[Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md), +uses: + +- a + [Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) + associated with the Job itself to read/write: + - `UJ_Jobs` and `UJ_Tasks` tables in a list of tasks + - `UJ_JobInstances` tables in the progress report +- a Profile for each Task, to read/write `UJ_TaskInstances` tables (Progress Report) and perform + other operations such as sending export files over to the Server. 
+ +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an +[Open Id Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), +linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + +``` +Conf/Profile AgentJob.xml +... +... + +``` + +As the Principle of Least Privilege states, NETWRIX strongly recommends that you create a +[Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +to be used during the Synchronization jobs which will be different from the one used during the +Provisioning job. This contributes to separating access rights. +The same principle applied even more rigorously would make Usercube create one profile per Task. It +isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the +[Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md), +the profile linked to these tasks and used by the tool should be authorized to execute said tasks. 
+ +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +**View Tasks** + +- `/Jobs/Task/Query` + +**Progress Report** + +- `/Jobs/JobInstance/Query` +- `/Jobs/JobInstance/Update` +- `/Jobs/TaskInstance/Query` +- `/Jobs/TaskInstance/update` + +**Synchronization and Prepare-Synchronization** + +- `/Connectors/Connector/Query` +- `/Connectors/SynchronizeSession` + +Granting access can be done via the +[Synchronization AccessControlRules scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) +and the +[JobViewAccessControlRules scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +The following examples (or similar) should be written to `Conf/Profile AgentSychro.xml`. + +> This example entitles the administrator profile to run any synchronization job: +> +> ``` +> Conf/Profile AgentSychro.xml +> ... +> ... +> +> ``` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via the +[JobExecutionAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +scaffolding. + +##### Example + +``` +Conf/Profile AgentSychro.xml +... +... 
+ +``` + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's +[Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +is associated with a `ClientId/Secret` pair used by the Agent to authenticate to the Server. + +Usable `ClientId/Secret` pairs are written to the database from the xml configuration using the +[`` xml element](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md). + +It is strongly recommended that you write the `` xml element to a new or existing +`OpenIdClients.xml` file in the configuration root folder. + +The `ClientId/Secret` pair hence created must be associated with the profile created or updated in +the previous step, via the **Profile** attribute. + +##### **Example** + +The following example creates a `ClientId/Secret` pair to be used by the Agent to authenticate to +the Server and complete Jobs. The secret is hashed with the +[Usercube-New-OpenIDSecret](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) +tool. + +``` +Conf/OpenIdClients.xml +... + +... + +``` + +#### Set up the Agent to use ClientId/Secret pairs + +The `ClientId/Secret` pairs that the Agent may use are written to the Agent's +[appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration set. + +The `ClientId` of such `ClientId/Secret` pairs can then be used as a value in a Task +**OpenIdClient** attribute. + +Pairs written in the `OpenIdClient` section may be used by Tasks. + +The Job itself uses the `DefaultOpenIdClient` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> appsettings.agent.json +> { +> ... 
+> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Usercube's scheduler or an external scheduler. + +#### With Usercube's scheduler + +Use the Job +[`CronTabExpression`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) +attribute. + +> This example uses Usercube's scheduler to execute the `CyberArk_Synchronize_Complete_Manually` job +> every fifteen minutes: +> +> ``` +> Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the +[crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the +[Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md). + +##### Example + +The following command can be scheduled. It executes the `CyberArk_Synchronize_Complete_Manually` +using the "Job/secret" authentication pair to connect to the Usercube Server at +`http://identitymanager.contoso.com`. + +``` + +./identitymanager-Invoke-Job.exe -j "CyberArk_Synchronize_Complete_Manually" --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" + +``` + +## Validation + +### Deploy configuration + +The configuration is written to the database using the +[Deploy Configuration tool](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. + +From there, it can be launched and debugged (if needed). + +After execution, CyberArk SCIM Objects resources should be in the `UR_Resources` table of the SQL +Server database. 
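Review bot: In the Permissions example of the CyberArk guide, the code block is labelled `Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml`, while the paragraph above it tells the reader to write the permissions to `CyberArk Profile Administrator.xml`; this looks like a copy-paste from another how-to and should name a file under `Conf/SCIMCyberArk/`. Several inline element names have been lost, leaving empty code spans ("in the `` xml configuration element", "the `` xml element"), and every XML example body is reduced to `...`, so instructions such as "Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag" have nothing to point at; please restore the element names and the example bodies. The permission `/Jobs/TaskInstance/update` is lower-cased here but written `/Jobs/TaskInstance/Update` in the SharePoint guide added by this same patch, so one of the two is wrong if permission strings are compared case-sensitively. The external scheduler example passes `--api-secret secret` together with `--api-url "http://identitymanager.contoso.com"`; since that secret is what authenticates the Agent to the Server, the sample URL should use `https://`. Smaller items: "It used by the UI" is missing "is", and `Conf/Profile AgentSychro.xml` reads like a typo for `AgentSynchro`.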
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md new file mode 100644 index 0000000000..13e3c01ea9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md 
@@ -0,0 +1,812 @@ +# Set up SharePoint's Export and Synchronization + +This guide shows how to set up a +[SharePoint connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) +to extract data from your SharePoint instance into CSV source files that will be fed to the +Synchronization task and to your Usercube resource repository. It will focus on registering Usercube +within the target SharePoint, configuring the connector, and building the job to perform a regularly +scheduled synchronization. + +## Prerequisites + +### External system configuration + +This step is designed to grant Usercube a service account to authenticate with the target SharePoint +sites. It includes the following substeps: + +- Create a service account for Usercube in your Microsoft Entra ID (formerly Microsoft Azure AD). +- Go the SharePoint sites which need to be scanned. +- Log in using the organization credentials. +- Go to the **Members List** in the right corner. +- Click on the **Add members** button. +- Enter the name of the Usercube service account or its email address. + +![SharePoint Export Add Member](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp) + +The service account is now a member of the site. However, to scan the site, the service account +needs to be owner of the site. + +- Go to the **Members List** in the right corner. +- Under the name of the Usercube service account, click on the arrow. +- Choose **Owner**. + +![SharePoint Export Role Owner](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp) + +### Usercube configuration + +This step sets up the Usercube Agent in order to use the SharePoint connector and access the +SharePoint data. 
+ +This guide focuses on the +[Configuration Files](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md) +method. Remember that settings can also be input through +[Environment Variables](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md). + +#### Connect to the SharePoint instance + +In this `Connections` section, add one new subsection that will contain the credentials for the +target SharePoint. + +> This example connects via the `SharePointExportContoso` connection to the Contoso SharePoint site: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the address of the root SharePoint site to scan. +- The **Login** attribute with the login of the service account created. +- The **Password** attribute with the password of the service account created. + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { "Server": +> "https://contoso.sharepoint.com/", "Login": "usercube.service@contoso.com", "Password": +> "19f23f48379d50a9a50b8c" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you +[protect credentials using Azure Key Vault or Cyber Ark](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) +in a production environment. +NETWRIX recommends completing this guide once, testing the configuration, and only then, switching +to a more secure way of storing credentials. 
+ +##### Set up export files + +The export generates CSV source files that will be fed to the +[Synchronization task](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +The target path for these files can be set up using the following settings: + +- `appsetings.agent > Connections > SharePointExportContoso > OutputDir` +- `appsetings.agent > Connections > SharePointExportContoso > FileNamePrefix` + +###### Example + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "SharePointExportContoso": { "Server": "https://contoso.sharepoint.com/", +"Login": "usercube.service@contoso.com", "Password": "19f23f48379d50a9a50b8c" } } } + +```` + + +### SharePoint sites + +Different kinds of SharePoint sites exist. We will describe here the different cases that the integration team might encounter and how to handle them. + +#### Root site with subsites + +A root site has a URL like ```https://contoso.sharepoint.com``` and can have subsites. For example, the subsite ```Finance``` has a URL like ```https://contoso.sharepoint.com/Finance```. Subsites can also have subsites. +To scan the root site and the subsite tree, the root site must be specified in the __Server__ attribute. +Retrieved users can be assigned to/removed from all groups found, but cannot be created. To create a user account, you need to create it in the associated Microsoft Entra ID: it will automatically create a SharePoint user account. + +#### Multiple sites + +A SharePoint can also have other sites which are not subsites of the root site. For example, the site ProjectTeam has a URL like ```https://contoso.sharepoint.com/sites/ProjectTeam```. +These sites can't be scanned from the root site by using the __Server__ attribute. + +To scan these sites, you have to export their URL from SharePoint in a CSV file and use the __CsvUrls__ attribute in the settings. + +###### Example + + ``` + + appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SharePointExportContoso": { + "Server": "https://contoso.sharepoint.com/", + "Login": "usercube.service@contoso.com", + "Password": "19f23f48379d50a9a50b8c" + "CsvUrls": "C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv�URL�," + } + } +} +```` + +In this example, `C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv` is the path of the exported CSV +file, `URL` is the column name of the URLs, and `,` is the separator used in the file. The character +`�` is used to separate the three data items. + +The CSV file containing the URLS can be generated with two methods: + +- Go to `https://contoso-admin.sharepoint.com` of your SharePoint site, in the menu **Sites** > + **Active sites** and click on the **Export** button above the table. +- Use a script with the + [SharePointOnlinePowerShell commands](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps), + specifically + [Get-SPOSite](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/get-sposite?view=sharepoint-ps). + +These sites are not synchronized with the root site. Users present in a site are not necessarily +present in the others. You can only assign users to a SharePoint group, on condition that they are +already members of this site. You can't use the SharePoint connector to make a user a member of this +kind of site. Depending on the system you are working on, you could achieve this by using the +associated Microsoft Entra ID or the system generating these SharePoint sites (for example, +Microsoft Teams can create an associated SharePoint site for each Teams Group). + +## Build the Connector + +### Declare a connector + +To be used for export and fulfill tasks, a connector has to be declared in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md) +and linked to an Agent. 
+ +It is strongly recommended that the applicative configuration be stored in the +[working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md)`Conf` +folder as a set of `xml` files organized by connector. + +- In the `Conf` folder, create a `SharePoint` directory. +- In the `SharePoint` directory, create a `SharePoint Connector.xml` file. + + This file should contain the declaration of the connector and the associated + [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +- Use the + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + element to declare the connector with the following attributes: + + - **Identifier** identifies this connector in the + [applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md). + It is strongly recommended to use a meaningful name such as `SharePoint`. If several + connections to several SharePoint targets are possible, only one SharePoint Connector per + Agent is used. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that runs this connector's export task. The Agent's + identifier can be found in the agent's + [`appsettings.agent` configuration set > OpenId > AgentIdentifier setting attribute](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `SharePoint` connector on the `Local` agent: +> +> ``` +> +> Conf/SharePoint/SharePoint Connector.xml +> +> ... +> +> ... 
+> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the +[resource repository](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md) +must be aligned with the +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +The [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +should match as closely as possible the structure of the SharePoint data relevant for Usercube. It +is designed by analyzing the SharePoint data structure, and describing said data with +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) +and +[Entity Associations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) that +best serves the Role Model needs. It will be refined iteratively throughout the project phase. + +A good starting point for the Entity Model is to mirror the shape of the exported SharePoint +objects. This guide provides a few examples that can serve this purpose. + +#### Write the entity model + +The [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +for the SharePoint connector is written in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md). +It is strongly recommended to write the connector to the newly created +`Conf/SharePoint/SharePoint Connector.xml` file. + +#### Write entity types + +Declaring an +[Entity Type](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) is +achieved with the `` tag and the following attributes: + +- **Identifier** is the entity type's name. 
It must be unique among the entity types. It is strongly + recommended to prefix this name with the connector's name. An example for SharePoint is + `SharePoint_directoryObject`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this + [Entity Type](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) for + the end-user. **DisplayName_L1** is the name of the entity type in _language number one_. If this + language is _English_, a good example of value is `SharePoint - Object`. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... ... + +```` + + +The SharePoint object attributes are modeled by [Entity Properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md), with the `````` tags declared as children of the ``````. + +Remember that there are [several kinds of properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md): scalar and navigation. [Scalar properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) can be defined to represent scalar attributes such as ```city```, ```country``` or ```companyName```. [Navigation Properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) represent associations such as group memberships. + +The main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of the property. 
A [Scalar property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) type is chosen among ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, and ```Option```. The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See more details about [```TargetColumnIndex```](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml +... + ... + +```` + +In this example, we have created four entity types, each one corresponding to a notion in +SharePoint. + +#### Write entity associations + +[Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) +are associated through their navigation properties with +[Entity Association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + +... + +```` + + +The exact nature of the IDs are described by the associated [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type is followed by ```:``` and the name of an entity property. It is a [binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) describing in one expression, the target entity type and property. 
+ +### Create mapping + +The entity type must be mapped property by property to the exported attributes of SharePoint objects (namely, the columns of the CSV source files generated by the export). + +The [EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), and [EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) elements serve this purpose. + +#### Entity type mapping + +The [EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element maps the scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the ```ConnectionTable``` xml attribute. The target entity type name is written to the ```Identifier``` xml attribute. + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + ... + +```` + +To do so, the entity type mapping element uses the +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ... + +```` + + +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source file data. 
+ +#### Entity association mapping + +The [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element maps the navigation properties used in [EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +An [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element refers to an [EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) written to the ```Identifier``` xml attribute. Then, like [EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), it maps column values from a CSV source file to an EntityType property. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + +```` + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Nav + +A +[MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +can be added to include a link to the resources list in the left menu on the UI home screen. + +#### Parent menu item + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +##### Example + + ``` + + Conf/Nav.xml + +... + +... + +```` + + +#### Child menu item + +It is strongly recommended to use a new ```SharePoint Nav.xml``` file in the ```SharePoint``` connector's folder to add the SharePoint objects menu item. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Nav.xml +... +... 
+ +```` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Nav.xml` file. This new menu item gives access to the list of synchronized SharePoint entities. + +### Display + +It is strongly recommended that the display configuration be written to a new `SharePoint UI.xml` +file in the `SharePoint` connector's folder. + +#### Display entity type + +The +[DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml + +... + + + + + + + + + + + +... + +```` + + +The scalar properties require no configuration: they are automatically displayed. The only information that the [DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +[DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements describe how a list of resources should be displayed. + +The [DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) contains a list of [DisplayTableColumn](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements that identify which properties should be included in the list display. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml +... + ... 
+ +```` + +#### Internal display name + +An `InternalDisplayName` can also be declared as an +[EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). +The `InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + ... + +```` + + +This example adds the ```InternalDisplayName``` to the ```SharePoint_Entity```, ```SharePoint_Role```, ```SharePoint_Object``` and ```SharePoint_RoleAssignment``` entity types to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Usercube's end-users granting them access to the connector. + +The [AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and [AccessControlEntry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) elements define [permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```SharePoint Profile Administrator.xml``` file. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Profile Administrator.xml +... + ... 
+ +```` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display `SharePoint_Entity` resource and role categories from the +UI. + +## Jobs + +### Construction + +It is strongly recommended to write Jobs associated with the `SharePoint` connector to the +`Conf/SharePoint/SharePoint Jobs.xml` file. + +A job is declared with the `` xml element. It contains Tasks that perform the main steps and +other related operations. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml + +... + +... ... + +```` + + +Notice the __Agent__ attribute that contains the [name](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) of the Agent which executes the Job. This attribute is mandatory for a Job containing Tasks executed agent-side, even if a unique local Agent exists. + +### Components + +The Synchronization job includes [three steps](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md): + +- Export +- Prepare-Synchro +- Synchro + +These three steps are all contained in a [scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) which allows the generation of the Incremental Synchronization configuration. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml +... + ... + +```` + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files +over to the Server. These operations are protected by an authorization mechanism. 
+ +To complete a Job, the Agent, via the +[Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md), +uses: + +- a + [Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) + associated with the Job itself, to read/write: + - `UJ_Jobs` and `UJ_Tasks` tables in a list of tasks + - `UJ_JobInstances` tables in the progress report +- a Profile for each Task, to read/write `UJ_TaskInstances` tables (Progress Report) and perform + other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an +[Open Id Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), +linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + + ``` + + Conf/Profile AgentJob.xml + +... ... + +```` + + +As the Principle of Least Privilege states, NETWRIX strongly recommends that you create a [Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) to be used during the Synchronization jobs which will be different from the one used during the Provisioning job. This contributes to separating access rights. +The same principle applied even more rigorously would make Usercube create one profile per Task. It isn't necessary as most Synchronization tasks require the same permissions. 
+ +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the [Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md), the profile linked to these tasks and used by the tool should be authorized to execute said tasks. + +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +__View Tasks__ + +- ```/Jobs/Task/Query``` + +__Progress Report__ + +- ```/Jobs/JobInstance/Query``` +- ```/Jobs/JobInstance/Update``` +- ```/Jobs/TaskInstance/Query``` +- ```/Jobs/TaskInstance/Update``` + +__Synchronization and Prepare-Synchronization__ + +- ```/Connectors/Connector/Query``` +- ```/Connectors/SynchronizeSession``` + +Granting access can be done via the [Synchronization AccessControlRules scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) and the [JobViewAccessControlRules scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +The following examples should be written to ```Conf/Profile AgentSychro.xml```. + +##### Example + +The following example entitles the administrator to run any Synchronization job: + + ``` + +```` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via the +[JobExecutionAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +scaffolding. 
+ +##### Example + + ``` + +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's [Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [`````` xml element](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md). + +It is strongly recommended to write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the [Usercube-New-OpenIDSecret](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) tool. + + ``` + + Conf/OpenIdClients.xml +... + +... + +```` + + ``` + + Conf/OpenIdClients.xml + +... + +... + +```` + + +#### Set up the Agent to use ClientId/Secret pairs + +The ```ClientId/Secret``` pairs that the Agent may use are written to the Agent's [appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration set. + +The ```ClientId``` of such ```ClientId/Secret``` pairs can then be used as a value in a Task __OpenIdClient__ attribute. + +Pairs written in the ```OpenIdClient``` section may be used by Tasks. + +The Job itself uses the ```DefaultOpenIdClient``` value. 
+ +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Usercube's scheduler or an external scheduler. + +#### With Usercube's scheduler + +Use the Job [```CronTabExpression```](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) attribute. + +> This example uses Usercube's scheduler to execute the ```SharePoint_Synchronization_Delta``` job every fifteen minutes: +> +> ``` +> +> Conf/SharePoint/SharePoint Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the [crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the [Usercube-Invoke-Job tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md). + +##### Example + +The following command can be scheduled. It executes the ```SharePoint_Synchronization_Delta``` job using the "Job/Secret" authentication pair to connect to the Usercube Server at ```http://identitymanager.contoso.com```. + + ``` + +./identitymanager-Invoke-Job.exe -j "SharePoint_Synchronization_Delta" --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" + +```` + +## Validation + +### Deploy configuration + +The configuration is written to the database using the +[Deploy Configuration tool](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. + +From there, it can be launched and debugged (if needed). 
+ +After execution, SharePoint Objects resources should be in the `UR_Resources` table of the SQL +Server database. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md new file mode 100644 index 0000000000..72be2211cc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md 
@@ -0,0 +1,337 @@ +# Write a PowerShell Script for Provisioning + +This guide shows how to write a PowerShell script used by the +[PowerShellProv connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md). + +## Structure of a PowerShell Script + +The goal of the script is to append, for each provisioning order, a line in a CSV file. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +insert;007;James;Bond +... + +``` + +### Define the common part of every script + +The goal of the common part is to get all required variables needed by the script. + +Two parameters are required at the top of the script: + +``` + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +``` + +- `resultsFilePath` is the agent-side path of the result file containing the summary of the executed + and errored orders. +- `ordersPath` is the agent-side folder path containing the JSON provisioning orders. + +It is important for these settings to be defined at the top of the script and keep these names +because they are filled by the `Fulfill-PowerShell` connector. + +The `Fulfill-CSV.ps1` script must be placed in the script folder of Usercube containing the +`Environment.ps1` script. Thanks to this, environment variables (such as `$runtimePath`) are loaded +and can be used in the script: + +``` + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. (Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +``` + +### Define the specific function + +A function which is called for each provisioning order must be defined. + +#### Define the header + +The header is always the same. 
Only the name of the function can change: + +``` + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + +``` + +The previous parameter `$order` is an object corresponding to the following provisioning order +(JSON): + +``` + +{ + "ProvisioningOrdersList": [ + { + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "PowerShellCsv_User" + }, + "Identifier": "PowerShellCsv_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } + } + ] +} +``` + +There can be more sections and attributes. + +#### Define mandatory parameters + +The `ChangeType` parameter (`Added`, `Deleted` or `Modified`) is always mandatory and must be +checked. + +Depending on the function requirements, other parameters should be checked. For example, the +function below always needs an identifier to work properly, therefore you should check its presence. + +``` + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." 
+ } + } + +``` + +#### Define order processing + +This is the last part of the function: + +- Parameters from the provisioning order are stored in variables. +- A specific treatment is applied if `ChangeType` is `Added`, `Deleted` or `Modified`. + +``` + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +``` + +#### Define how to send logs to Usercube + +The three methods to log in Usercube are: + +- **Write-Host**: writes Information in the log. +- **Throw**: raises an exception (which stops the script), and writes the Error in the log (the + provisioning order will be errored too). +- **Write-Error**: writes Error in the log (the provisioning order will be errored too). It is not + recommended because the script continues its execution. + +Now that the function has been defined, the main code of the script can be written. + +### Write the main code of the script + +#### Read the `options` parameter from the standard input + +The +[`options` parameter](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +isn't mandatory in the JSON file. If it isn't provided, don't perform this step. 
+ +``` + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +``` + +#### Rest of the main script + +In general, this part contains the code to connect to the external system and executes the +`Usercube-Visit-Orders` script. + +``` + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` + +Never modify `Usercube-Visit-Orders.ps1`. + +## Synthesis + +### Skeleton + +To sum up the previous part, the script can be written as follows: + +``` + +# Common part + +# Specific function + # Header of the function + # Check mandatory parameters + # Order processing (treatment for Added, Deleted or Modified) + +# Main script + # Read standard input (Optional) + # Rest of the main script (Connection, Usercube-Visit-Order...) + +``` + +### Full script + +The full script is as follows: + +``` + +# Common part + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. 
(Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +# Specific function + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." + } + } + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +# Main script + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# 
Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md new file mode 100644 index 0000000000..30855c0961 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md 
@@ -0,0 +1,512 @@ +# Write a Robot Framework Script + +This guide shows how to write a Robot Framework script that will be used by +[Fulfill-RobotFramework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md). + +## Structure of a Robot Framework Script + +### Build the skeleton + +A Robot Framework script is divided into four main parts: + +1. **Settings**: contains the instructions to import library or external resource files. +2. **Variables**: contains the global variables shared by all the functions in the script. +3. **Keywords**: contains all the functions defined by the user. +4. **Test Cases**: contains the functions which will be run when the script is launched. + +#### Example + +``` + +*** Settings *** +Library Telnet + +*** Variables *** +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + +``` + +Let's analyze the four parts of this example: + +- **Settings**: we import here the Telnet library to use the functions defined in it. +- **Variables**: we define the variable `IPADDRESS` to use it later. +- **Keywords**: we define a custom function called `Open Telnet Connection`. It will use a function + defined in the Telnet library (called `Open Connection`) and the variable `IPADDRESS` which has + been defined before in the `Variables` section. +- **Test Cases**: we define here the main function which we choose to call `Run Provisioning` (it + can be named anything), and which will be run when launching the script. It will use the function + `Open Telnet Connection`. + +Robot Framework needs two spaces between two different instructions to parse them correctly. +For example, `Open Connection` consists of only one instruction. Only one space is thus needed +between the two words. 
But, `Open Connection ${IPADDRESS}` consists of two instructions, the +function and the parameter. Two spaces are then required to separate `Connection` from +`${IPADDRESS}`. +To read your script more easily, you could also use the pipe character (`|`) between instructions, +like this: `Open Connection | ${IPADDRESS}`. + +For more details, see +[Robot Framework Libraries](https://robotframework.org/#robot-framework-libraries). + +### Define specific functions + +To use a Robot Framework script for provisioning external systems with Usercube, the following +elements are required in the script: + +- The import of a resource file written by Usercube called `UsercubeRobotFramework.resource`. +- The definition of three functions which will be called by Usercube to perform three required + actions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`. These functions are where you will + write the actions to perform on the external system. +- The use of one function to start the provisioning called `Launch Provisioning`. + +Never modify the resource file `UsercubeRobotFramework.resource`. + +#### Example + +The resource file defined at the beginning of the script is located in Usercube's `Runtime` folder. +Therefore, you will have to change the path accordingly. + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + ... + +ExecuteDelete + [Arguments] ${order} + ... + +ExecuteModify + [Arguments] ${order} + ... + +... + +*** Test Cases *** +Run Provisioning + ... + Launch Provisioning + ... + +``` + +The parameter `${order}` is mandatory only for the three functions: `ExecuteAdd`, `ExecuteDelete` +and `ExecuteModify`. 
It is an object corresponding to the following sample provisioning order +(JSON): + +``` + +{ + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "RobotFramework_User" + }, + "Identifier": "RobotFramework_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } +} +``` + +The elements of `${order}`can be accessed like this: `${order['Changes']['identifier']}`. + +For more details about the handling of Robot Framework objects, see the +[Robot Framework User Guide](https://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html). 
+ +## Usercube Keywords + +| Keyword | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ------- | +| Catch Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args` if the keyword launched by `Try Keyword` failed. If `Try Keyword` was not called, this keyword will not do anything. `Catch Keyword` should always be called right after `Try Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | +| Generate Password | **Description** Generates a password based on the [password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) associated to the [resource type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) being provisioned `Send Password Notification` should always be called after `Generate Password`, preferably right after the password is used. 
If `Send Password Notification` is not called before the provisioning of the resource is over, it will automatically be called. If multiple passwords should be generated, `Send Password Notification` should be called after each password generation. **Returns** `Password`: string | +| Get Secure Data | **Arguments** `Attribute`: string `Erase Data`: boolean **Description** Retrieves the secured option `Attribute` from the connector configuration. If `Erase Data` is set to true, the secured option is deleted once it is read. **Example** Get Login option and erase it: ```Get Secure Data | Login | True``` | +| Launch Provisioning | **Description** Launches the provisioning defined by the provisioning orders. This keyword is required for any provisioning to happen. | +| Log Debug | **Arguments** `Message`: string **Description** Logs `Message` at the `Debug` log level. **Example** Log a keyword failure message: `Log Debug The keyword has failed` | +| Log Error | **Arguments** `Message`: string **Description** Logs `Message` at the `Error` log level. **Example** Log a keyword failure message: `Log Error The keyword has failed` | +| Send Password Notification | **Description** Sends a notification containing the last password generated. If `Generate Password` is called and `Send Password Notification` is not called before the provisioning of the resource is over, `Send Password Notification` will automatically be called. | +| Try Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args`, and ignores its errors. If `Keyword` fails, the keyword sent to `Catch Keyword` will run. `Try Keyword` should always be called right before `Catch Keyword`. **Example** Try to connect to `Usercube.com`. 
If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | + +## Error handling + +Consider a web application that contains user information. Suppose a user is missing from the web +application. When the script attempts to reach the user's information page, it will reach an error +page, and fail. The next user's provisioning starts, but the web browser is still on the error page, +so the script keeps failing. + +In this example, if a user's provisioning fails, each subsequent provisioning will fail. This +failure issue can be solved with the error handling custom keywords. + +Consider the following example using the Robot Framework Selenium library: + +``` + +Open Usercube Website + Open Browser + Connect To Usercube + [Teardown] Close Browser + +Restart Browser + [Arguments] ${url} + Log Debug An error has occured, restarting the browser + Close Browser + Open Browser ${url} + +Connect To Usercube + Try Keyword Go To Usercube.com + Catch Keyword Restart Browser Usercube.com + Page Should Contain Usercube + +``` + +In this example, the keyword `Open Usercube Website` opens a browser, then calls +`Connect To Usercube`. To ensure that the browser is closed regardless of the script's success, the +`Close Browser` keyword is used in a teardown. A keyword in a teardown is always executed regardless +of what happens in the script or in the teardown. + +The `Restart Browser` keyword logs a debug message before restarting the browser to help debug the +script. The `Connect To Usercube` tries to use the `Go To` keyword to connect to the `Usercube.com` +web page. As `Go To` is used with `Try Keyword`, if the execution fails, `Restart Browser` is called +by `Catch Keyword`. This means that if the browser fails to load `Usercube.com`, the browser +restarts. Last, `Connect To Usercube` verifies that the page contains the word `Usercube`. 
+ +### Error Handling for `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` + +The `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` methods are harder to interact with. First, +it is not possible to get their execution status within the script. Second, if the execution failed, +it should be kept as a failure in order to log the failure. + +To simplify error handling, consider the following structure: + +``` + +Execute Add + [Arguments] ${order} + Try Keyword Add User ${order} + Catch Keyword Restart Program And Fail Add User failed. + +Add User + [Arguments] ${order} + Click New User + Fill In Information ${order} + Click Add User + +Restart Program And Fail + [Arguments] ${failmessage} + Close Program + Start Program + Fail ${failmessage} + +``` + +In this example, `ExecuteAdd` does not call the custom keywords to add a new user directly, and only +calls `Add User` instead. This means that it is possible to call `Add User` from the `Try Keyword` +keyword. If `Add User` fails, then `Execute Add` fails. Therefore it is possible to catch a failure +with this structure. + +Note that `Restart Program And Fail` fails. This failure is necessary as the provisioning order +would be counted as a success otherwise. + +## Testing a RobotFramework script + +In order to write a RobotFramework script, we need to test that it works. It is possible to test the +script by running a fulfillment job from the Usercube interface. While this kind of test proves that +everything works as expected, it can take a long time. There is a faster method to check that the +script runs. + +Suppose the RobotFramework script's path is `RobotFramework/script.robot`. + +We need the following elements : + +- A provisioning order, in folder `RobotFrameworkScript/Order`. The provisioning order can be + encrypted or unencrypted. The script will write the encrypted results to + `RobotFrameworkScript/Order/results.csv`. +- The path to the `Runtime` folder. 
In our example, we will consider this path as + `C:/identitymanagerDemo/Runtime`. + +The `RobotFramework/script.robot` script may be run from the command prompt. + +``` +cd RobotFramework + +robot --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +This command will generate an output file, a log file, and a report file in the `RobotFramework` +folder. This command will also write information to the command prompt. + +For most testing cases, we only care about the command prompt information and the log file, written +at `RobotFramework/log.html`. The other outputs can be removed. + +``` +cd RobotFramework + +robot --loglevel NONE --report NONE --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +### `Get Secure Data` and `Generate Password` + +Most keywords are not different when a script is launched manually. The keywords `Get Secure Data` +and `Generate Password` are exceptions. + +- `Get Secure Data`: This keyword expects the Robot Framework process to receive a json list of + attributes in the stdin stream. This can be provided manually by writing the data in the command + prompt. As an example, if the script requires a `Login` and `Password` attribute : + `{"Login":"login","Password":"password"}` +- `Generate Password`: This keyword expects a file that contains the + [password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) + associated to the provisioned + [resource type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). 
+ The easiest way to enable the `Generate Password` keyword is as follow: + - Launch the Robot Framework fulfillment through the Usercube web application with a blank + script. + - Copy the `PasswordResetSettings` folder generated in the most recent subfolder of + `Work/FulfillRobotFramework`. + - Paste the folder in the same folder as the provisioning order. + +## Use Case: Write a Script to Fulfill a CSV File + +The goal of the script is to append, for each provisioning order, a line in a CSV file located on an +external system which we will access through a Telnet connection. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +Insert;007;James;Bond +... + +``` + +### Define settings + +In every Robot Framework script, we need to import the resource file +`UsercubeRobotFramework.resource`. In this example, we also need to import the Telnet library to use +its functions. + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource +Library Telnet + +``` + +### Define variables + +To connect to the external system through Telnet, we need an IP address corresponding to the +external system. We will store the IP address in the global variable `${IPADDRESS}`. We also use the +global variable `${CSVFILEPATH}` to define the CSV file where the data will be written in the +external system. + +``` + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +``` + +### Define custom keywords + +We define all the custom functions which we will use to provision the external system: + +- `Delete CSV File`: removes a possible pre-existing CSV file. +- `Write In CSV`: executes a command to write the line in the CSV file in the external system. +- `Write Data`: formats the line to write in the CSV and calls `Write In CSV` to write it. 
+- `Write Header`: defines the header to write in the CSV and calls `Write Data` to write it. +- `Open Telnet Connection`: opens the Telnet connection to the external system using the login and + the password defined in the + [**Options**](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) + attribute in `appsettings.agent.json`, as well as the IP address defined in the `Variables` + section. + +``` + +*** Keywords *** +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +``` + +The method `Get Secure Data` will retrieve the value of the attributes filled in +[Options](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) +in `appsettings.agent.json`. This is the method strongly recommended by Usercube. However, you could +also enter the value directly into the script (example: `${LOGIN}= UserName`). This may be easier +for initial testing purposes. + +### Define mandatory keywords + +To be able to provision the external system, we need the three required functions: `ExecuteAdd`, +`ExecuteDelete` and `ExecuteModify`. These methods are called by the connector depending on the +action to perform on the external system. 
+ +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +``` + +Here, for each action, we use the function `Write Data` defined in the previous section to write the +changes to the CSV file with a corresponding word `Insert`, `Delete` or `Update`. + +### Define test cases + +The function launched by the Robot Framework script will be written in the section `Test Cases` and +will be called `Run Provisioning`. + +``` + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` + +In our test case, we will perform the following operations in `Run Provisioning`: + +- Open the Telnet connection with the external system. +- Remove a possible pre-existing CSV file. +- Write the header to the new CSV file. +- Launch the Usercube provisioning. The method `Launch Provisioning` is mandatory when using the + Robot Framework connector. +- Close the Telnet connection with the external system. 
+ +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource +Library Telnet + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md new file mode 100644 index 0000000000..3b5820d6d2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md 
@@ -0,0 +1,6 @@ +# Write a PowerShell Script for Synchronization + +This guide shows how to write a PowerShell script used by the +[PowerShellSync connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md). + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md new file mode 100644 index 0000000000..cc2c31d184 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md 
@@ -0,0 +1,168 @@ +# Connectors + +[Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +are Usercube's links to the managed systems, the technical representation of the +[entity model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). A +connector is used to export data as CSV source files for Usercube's +[synchronization process](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +and to fulfill entitlement assignments to a given managed system. + +## Overview + +Connectors are the mechanisms that enable Usercube to read and write data to/from your +organization's systems. The +[feedback](/docs/identitymanager/6.1/identitymanager/introduction-guide/more-info/index.md) mechanism +ensures Usercube's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Usercube and a managed system. + +![Connector Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +NETWRIX strongly recommends the creation of one connector for one application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Usercube, and writing to the Active Directory from Usercube, either manually +> for administration accounts, or automatically for basic accounts. +> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. + +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. 
Usercube +will feed data into connected managed systems. + +![Outbound System=](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Usercube and the managed system are also called: + +- [synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md) + in the "managed system-to-Usercube" direction; +- [provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md) in + the "Usercube-to-managed system" direction. + +For a connector's synchronization, Usercube provides tools to perform a basic extraction of the +system's data in the form of CSV files. These files are cleaned and loaded into Usercube. In other +words, synchronizing means taking a snapshot of the managed system's data and loading into Usercube. + +For provisioning, Usercube generates provisioning orders and the connector provides tools to either +automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Usercube's +> [identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> to fill in later the AD's fields, such as users' display names based on their first names and last +> names from the repository. + +Usercube can also benefit from inbound connectors, that will write data to Usercube's central +identity repository. While both inbound and outbound connectors allow data to flow both ways, they +do not work in the same manner. +[See more details about this advanced topic](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md). + +### Technical principles + +Usercube's connectors all operate on the same basic principles. Technically speaking: + +> For example, let's say that we want to connect Usercube to our Active Directory, or AD. 
+ +- a + [connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + must be created, first as a named container which will include the connections and entity types + related to one managed system; + + > We create a connector named `AD` (so far, an empty shell). + +- a connector is linked to an + [agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md) which acts + as the go-between for Usercube's server and the managed system; + + > Our `AD` connector uses the provided SaaS agent. + +- a + [connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + describes the technology used that enables data to flow back and forth between Usercube and the + managed system; + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual + > provisioning through Usercube. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). + +- the shape of the extracted managed system's data is modeled by + [entity types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + (we will use the term resource to refer to an entity type that has been instantiated); + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. 
+ +- the intent of resources within the managed system is made clear by categorizing resources into + [resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + More details are given when tackling + [categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md). + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Usercube to provision automatically; `AD User (administration)` for + > sensitive administration accounts, which we want to provision manually through Usercube. + +![Connector Technical Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents:** To simplify things, Usercube has made it possible to start configuring +connectors without installing a local +[agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md) in your +organization's network. Instead, you can use the agent integrated with Usercube's server in the +Cloud (SaaS agent). + +## Configure a Connector + +NETWRIX recommends +[creating and configuring a connector via the UI](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). 
+ +## Supported Systems + +| | | +| ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Active Directory** | Exports and fulfills data from/to an Active Directory instance. [Active Directory References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) | +| **Azure** | Exports Azure resources, role definitions and role assignments. [Azure References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) | +| **Microsoft Entra ID** (formerly Microsoft Azure AD) | Exports and fulfills data from/to a Microsoft Entra ID instance. [Microsoft Entra ID References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azuread/index.md) How to create a Microsoft Entra ID connector How to set up incremental synchronization for Entra ID | +| **CSV** | Exports data from a CSV file. [CSV References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) | +| **EasyVista** | Exports data from an EasyVista-compliant system. 
[EasyVista References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) | +| **EasyVista Ticket** | Creates tickets in an EasyVista instance. [EasyVista Ticket References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) [How to Write a Template for a Ticket Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md) | +| **Google Workspace** | Exports and fulfills users and groups from/to a Google Workspace instance. [Google Workspace References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) | +| **Home Folder** | Export home folders from input directories. [Home Folder References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) | +| **InternalResources** | Opens manual provisioning tickets in Usercube. [InternalResources References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) | +| **InternalWorkflow** | Retrieves provisioning order files from a connector or a resource type list, and starts a workflow accordingly. [InternalWorkflow References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) | +| **Json** | Generates JSON files for each provisioning order. [ToFile References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/json/index.md) | +| **LDAP** | Exports and fulfills data from/to an LDAP-compliant system. [LDAP References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) | +| **LDIF** | Generates CSV source files from an LDIF file. 
[LDIF References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) | +| **Microsoft Excel** | Exports data from an XLSX file. [Microsoft Excel References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) | +| **Microsoft Exchange** | Exports data from a Microsoft Exchange instance. [Microsoft Exchange References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) | +| **OData** | Exports entities from an OData instance. [OData References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) | +| **OpenLDAP** | Exports and fulfills from/to an OpenLDAP directory. [OpenLDAP References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) | +| **PowerShell** | Executes PowerShell scripts to generate CSV source files from otherwise unsupported sources. [PowerShell References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) [How to Write a Powershell Script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md) [How to Fulfill a PowerShell-compliant system via PowerShell](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) | +| **RACF** | Exports data from a RACF file. [RACF References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) | +| **Robot Framework** | Executes Robot Framework scripts to fulfill data to external systems. 
[Robot Framework References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) [How to Write a Robot Framework Script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) [How to Interact with a Web Page via Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md) [How to Interact with a GUI application via Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md) | +| **SAP** | Exports and fulfills data from/to an SAP system. [SAP References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/index.md) | +| **SAP ERP 6.0** | Exports and fulfills data from/to an SAP ERP 6.0 system. [SAP ERP 6.0 References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) | +| **SCIM** | Exports and fulfills data from/to a SCIM-compliant web application. [SCIM References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) [How to Export CyberArk Data via SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md) [How to Provision Salesforce Users' Profiles via SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md) | +| **ServiceNow Entity Management** | Manages ServiceNow entities. [ServiceNow Entity Management References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) | +| **ServiceNow Ticket** | Creates tickets in ServiceNow. 
[ServiceNow Ticket References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) [How to Write a Template for a Ticket Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md) | +| **SharedFolder** | Scans a Windows file directory and exports a list of folders, files, users and their associated permissions. [SharedFolder References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) | +| **SharePoint** | Exports a SharePoint's list of objects, users, groups, roles and their relationships. [SharePoint References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) [How to Set up SharePoint's Export and Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md) | +| **SQL** | Exports data from various Database Management Systems. [SQL References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) | +| **SQL Server Entitlements** | Exports server and database principals from Microsoft SQL Server. [SQL Server Entitlements References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) | +| **Top Secret** | Exports the Top Secret (TSS) users and profiles. [TSS References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) | +| **Workday** | Exports data from a Workday instance. [Workday References](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) | 
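Review bot: In write-fulfill-robotframework-script/index.md, the `Write In CSV` keyword passes provisioning-order values straight into a remote shell command (`Execute Command echo ${line} >> ${CSVFILEPATH}`), and `Write Data` only wraps them in single quotes, so an `identifier`, `firstName` or `lastName` value containing a single quote or other shell metacharacters changes the command that runs on the external system. Readers will copy this reference script, so either validate or escape the three fields before building `${line}`, or state next to the keyword that the values must be sanitized first. The same use case sends the `Get Secure Data` login and password over Telnet, which is unencrypted, and the text offers `${LOGIN}= UserName` in the script as a shortcut; a sentence limiting both to lab testing would help. Two consistency points in the same file: the expected output shows `Insert;007;James;Bond` under a lowercase `command` header while `Write Data` emits quoted, comma-separated values and `Write Header` writes `Command`, and the prose names `UsercubeRobotFramework.resource` while the `Settings` block imports `identitymanagerRobotFramework.resource`.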
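Review bot: In connectors/index.md, the Supported Systems table is added with an empty header row (`| | |`) and several cells that do not match their targets. The Microsoft Entra ID row ends with "How to create a Microsoft Entra ID connector How to set up incremental synchronization for Entra ID" as plain text with no links, the Json row labels its link "ToFile References", and the PowerShell row describes generating CSV source files while linking to `powershellprov` and the fulfill how-tos. Please add column headers, restore or drop the unlinked titles, and align the descriptions with the linked pages. Under Technical principles, the connection name `Ticket/identitymanager` looks like the product rename was applied to an identifier; confirm that it is the real connection name. The image alt text `Outbound System=` also has a stray `=`.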
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md new file mode 100644 index 0000000000..6e980b5284 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md 
@@ -0,0 +1,386 @@ +# Active Directory + +This connector exports and fulfills users and groups from/to an +[Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services) +instance. + +This page is about +[Directory/Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md). + +![Package: Directory/Active Directory](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp) + +## Overview + +Active Directory is a directory service developed by Microsoft for Windows domain networks. The +Active Directory connector exports Active Directory (AD) entries to Usercube's resource repository. +This connector also enables automated provisioning from the resource repository to the AD. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- opening the LDAP feed from Usercube's server to the Active Directory, with the ports 389 for LDAP + and 636 for LDAPS; +- a service account with reading and writing permissions on the target Active Directory instance. It + means that the Replicating Directory Changes rights are required for the service account, but also + for the Active Directory root and the AD children. See the instructions below; +- enabling rights inheritance in the **Advanced Security Settings**. + +### Enable Active Directory Permissions + +To enable permissions, the Active Directory administrator must open the **Advanced Security +Settings** dialog box for the domain root and select the **Replicating Directory Changes** check box +from the list. 
+ +![Enable Permissions - Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp) + +![Enable Permissions - Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp) + +![Enable Permissions - Step 3](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp) + +Also, in order to change groups' membership, in the `Applies` field, select +`Descendent Group object` and select the **Read Members** and **Write Members** check boxes from the +list. + +![Read/Write Members](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp) + +If you want the Reset Password capabilities, in the `Applies` field, select `Descendent User object` +and select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list. + +![Read/Write Lockout Times](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp) + +Administrator rights must not be granted to the service account. Doing otherwise would create a +security breach. Administrator rights must only be granted to the target perimeter. + +## Export + +For a configured set of Active Directory entries, this connector exports all attributes from the +connector's configuration to CSV files. + +The export is executed by a job from the UI, or via `Usercube-Export-ActiveDirectory.exe` in the +command prompt. 
+ +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures a connection to the Active Directory Domain Controller +> `contoso.server.com` using Basic Authentication with **BaseDN**, **Login**, **Password** with +> `EnableSSL` for all entries ( `"Filter": "(objectclass=*)"`): +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> "ADExport": { +> "Filter": "(objectclass=*)", +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=contoso,DC=com" +> } +> ], +> "AuthType": "Basic", +> "AsAdLds": false, +> "EnableSSL": true, +> "Login": "Contoso", +> "NoSigning": false, +> "Password": "ContOso$123456789", +> "RetryDelay": 10 +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of pairs that define the target servers, made of: - **Server**: domain controller URL. - **BaseDN**: base Distinguished Name used to connect to the related server. 
| +| AsAdLds optional | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. **Info:** used for extracting the schema through the connection screen. | +| | | +| --- | --- | +| EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. **Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. | +| NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. | +| | | +| --- | --- | +| AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Usercube to authenticate to the server. Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | **Type** String **Description** Login used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| Password optional | **Type** String **Description** Password used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Value that filters out the corresponding entries from the AD instance which will not be exported. Only non-filtered entries are exported. The filter value complies with Microsoft's [search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| RetryDelay optional | **Type** Int32 **Description** Time (in milliseconds) after which Usercube retries a timeout request. | +| RequestTimeout optional | **Type** Int32 **Description** Time (in seconds) after which a request faces a timeout. 
| +| ConnectionTimeout optional | **Type** Int32 **Description** Time (in seconds) after which a connection faces a timeout. | + +### Output details + +This connector is meant to generate: + +- a file named `_entries.csv`, with one column for each property having a + `ConnectionColumn` and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md). + +- an additional file for each related table other than entries; +- a cookie file named `_cookie.bin`, containing the time of the last export in + order to perform incremental exports. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +The CSV files are stored in the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder, and the cookie file in the +[ExportCookies](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +> For example, with the following configuration example: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/identitymanagerContoso/Temp/ExportOutput/ADExport_entries.csv` with a column for each +> [scalar property](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md): +> +> ``` +> ADExport_entries.csv +> command,dn,objectCategory,objectGuid,objectSid,pwdLastSet,thumbnailPhoto,parentdn +> ... 
+> ``` +> +> Also, `ADExport_member` as `ConnectionTable` in a mapping will trigger the generation of the file +> `C:/identitymanagerContoso/Temp/ExportOutput/ADExport_member.csv` with `member` as link attribute: +> +> ``` +> ADExport_member.csv +> command,dn,member +> ... +> ``` +> +> And `C:/identitymanagerContoso/Work/ExportCookies/ADExport_cookie.bin`. + +### Synchronize multiple forests + +This connector can export resources from multiple forests trusted by the same AD domain. + +It requires specifying the **Server** and **BaseDN** pairs in **Servers** for all the forests used +as source for the export. + +Each **BaseDN** will generate a cookie file, but the entries from all **BaseDN** properties will be +written to the same CSV file. + +> The following example exports data from two sources: both on the same **Server** +> (`contoso.server.com`), but on two different **BaseDN**s (`DC=contoso,DC=com` and +> `DC=defense,DC=contoso,DC=com`). +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> "ADExport": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=contoso,DC=com" +> }, +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=defense,DC=contoso,DC=com" +> } +> ], +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Filter": "(objectclass=*)", +> "EnableSSL": "true" +> } +> } +> } +> ``` +> +> The export creates two cookie files: `ADExport_cookie_0.bin` for the first **BaseDN**, and +> `ADExport_cookie_1.bin` for the second **BaseDN**, but the entries of both **BaseDN** properties +> will be written in `ADExport_entries.csv`. + +## Fulfill + +This connector writes to the Active Directory, to create, update and delete entries, initiated +manually through the UI or automatically by +[enforcing the policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). 
+ +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example connects to an AD LDS system located at `contoso.server.com`. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ADFulfillment": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=contoso,DC=com" +> } +> ], +> "AuthType": "Basic", +> "AsAdLds": "true", +> "EnableSSL": true, +> "Login": "Contoso", +> "NoSigning": false, +> "Password": "ContOso$123456789", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of pairs that define the target servers, made of: - **Server**: domain controller URL. - **BaseDN**: base Distinguished Name used to connect to the related server. | +| AsAdLds optional | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. **Info:** used for extracting the schema through the connection screen. | +| | | +| --- | --- | +| EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. **Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. | +| NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. | +| | | +| --- | --- | +| AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Usercube to authenticate to the server. 
Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | **Type** String **Description** Login used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| Password optional | **Type** String **Description** Password used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Provision multiple forests + +Same as for export, this connector can fulfill resources to multiple forests trusted by the same AD +domain, by specifying the **Server** and **BaseDN** pairs in **Servers** for all forests. + +> The following example fulfills data to two targets: both on the same **Server** +> (`contoso.server.com`), but on two different **BaseDN**s (`DC=contoso,DC=com` and +> `DC=defense,DC=contoso,DC=com`). +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ADFulfillment": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=contoso,DC=com" +> }, +> { +> "Server": "contoso.server.com", +> "BaseDN": "DC=defense,DC=contoso,DC=com" +> } +> ], +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "AsAdLds": "true" +> } +> } +> } +> ``` + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. 
+ +If these attributes are not synchronized in Usercube, then they cannot be computed and provided by +scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning +order, through the `ResourceType`'s `ArgumentsExpression`. + +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Active Directory's `Login`, `Password` and `Server`. 
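Review bot: The "Provision multiple forests" example sets `"AuthType": "Basic"` with a clear-text `"Password"` but leaves out `EnableSSL`, although the Setting attributes table in this same file recommends `EnableSSL` with `Basic` because basic authentication packets are not encrypted by default; add `"EnableSSL": true` to that example. The samples are also inconsistent about types: `"EnableSSL": "true"` and `"AsAdLds": "true"` appear as quoted strings in three examples while the table declares both as Boolean, and the first fulfill example ends its object with a trailing comma after `"Password": "ContOso$123456789",`, which a strict JSON parser rejects. Since every sample keeps the password in clear text in `appsettings.agent.json`, a pointer from the examples to the Credential protection section at the end of the page would help readers who copy them.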
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azure/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azure/index.md new file mode 100644 index 0000000000..b1cc08bf26 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azure/index.md 
@@ -0,0 +1,130 @@ +# Azure + +This connector exports +[Azure](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure) +resources, role definitions and assignments. + +This page is about +[Cloud/Azure](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure/index.md). + +![Package: Cloud/Azure](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp) + +## Prerequisites + +Implementing this connector requires at least the `Security Reader` role, because Usercube does not +access the [Azure API](https://docs.microsoft.com/en-us/rest/api/azure/) on behalf of a user but +with [its own identity](https://docs.microsoft.com/en-us/rest/api/azure/). + +## Export + +For a given Azure tenant with resources, this connector exports Azure resources, role definitions +and role assignments to CSV files. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- be unique. + +- not begin with a digit. + +- not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +> The following example +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "AzureExport": { +> "ApplicationId": "contosoAzure897", +> "ApplicationKey": "25d408a1925d4c081925b\d40819", +> "SubscriptionId": "Contoso", +> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c", +> "AzurePath": "https://management.azure.com/.default", +> "AzurePathApi": "https://management.azure.com", +> "ResponseUri": "https://agent.usercubecontoso.com" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --- | --- | +| ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (client) ID__ | +| ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ | +| TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (tenant) ID__ | +| ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| | | +| --- | --- | +| SubscriptionId required | __Type__ String __Description__ GUID that uniquely identifies the subscription associated to the ```ApplicationId```. [See how to find it](https://www.youtube.com/watch?v=6b1J03fDnOg&t=3s). | +| AzurePath default value: ```https://management.azure.com/.default``` | __Type__ String __Description__ Scope requested to access a protected API. 
For this flow (client credentials), the scope should be of the form __`{ResourceIdUri/.default}`__. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation). | +| AzurePathApi default value: ```https://management.azure.com``` | __Type__ String __Description__ Azure Uri API. | + +### Output details + +This connector is meant to generate to the [ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) folder the following CSV files: + +```_RoleDefinition.csv``` with the following columns: + +- __id__: role definition's Azure id; +- __name__: role definition's id; +- __roleName__: role definition's name; +- __type__: role definition's type, for example it can describe if it is a built-in role or a customized one; +- __description__: role definition's description. + +```_Resource.csv``` with the following columns: + +- __id__: resource's Azure id; +- __name__: resource's name; +- __type__: resource's type; +- __location__: resource's geographical location; +- __managedBy__: GUID or Azure id of the resource's manager; +- __principalId__: resource's identity PrincipalId; +- __ResourceIdentitytype__: resource's identity type. + +```_RoleAssignment.csv``` with the following columns: + +- __id__: role assignment's Azure id; +- __name__: role assignment's id; +- __roleDefinitionId__: role definition's Azure id; +- __principalId__: Microsoft Entra ID (formerly Microsoft Azure AD)'s object GUID; +- __scope__: resource's Azure id. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), configured in the ```appsettings.encrypted.agent.json``` file; +- an [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe; + +- a [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) able to store Azure's ```ApplicationId``` and ```ApplicationKey```. +```` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azuread/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azuread/index.md new file mode 100644 index 0000000000..f12987b90c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azuread/index.md 
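Review bot: In the new azure/index.md, the `AzureExport` sample's `"ApplicationKey": "25d408a1925d4c081925b\d40819"` contains `\d`, which is not a valid JSON escape sequence, so the block cannot be pasted into `appsettings.agent.json` as written; use a placeholder without a backslash. The same sample gives `"ApplicationId": "contosoAzure897"` and `"SubscriptionId": "Contoso"` while the table describes both as GUIDs, so GUID-shaped placeholders like the `TenantId` value would match the documentation. Two smaller points: the lead-in "The following example" is an unfinished sentence, and the first code fence is opened with three backticks and closed with four, with a lone four-backtick fence left at the end of the file.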
@@ -0,0 +1,211 @@ +# Microsoft Entra ID + +This connector exports and fulfills user and groups from/to an +[Microsoft Entra ID](https://www.microsoft.com/fr-fr/security/business/identity-access/microsoft-entra-id) +(formerly Microsoft Azure AD) instance. + +This page is about +[Directory/Microsoft Entra ID](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md). + +![Package: Directory/Microsoft Entra ID](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/azuread/packages_azuread_v603.webp) + +## Overview + +Microsoft Entra ID is Microsoft's cloud-based identity and access management service which helps +your employees sign in and access resources in: + +- external resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS + applications; +- internal resources, such as apps on your corporate network and intranet, along with any cloud apps + developed by your own organization. + +## Prerequisites + +Implementing this connector requires giving Usercube +[application permissions](https://docs.microsoft.com/en-us/graph/auth/auth-concepts#application-permissions), +because Usercube does not access the +[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) on behalf +of a user but with [its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-service), and +delegated permissions are not enough. These application permissions require the consent of an +administrator of the target Microsoft Entra ID tenant. + +[See how to register Usercube as an application with the Microsoft Identity Platform](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) +in order to grant Usercube a service account which authenticates with the target Microsoft Entra ID. 
+ +## Export + +For a configured set of directory objects on an Microsoft Entra ID instance, this connector exports +the list of configured attributes in the associated entity type mapping to a CSV file. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- be unique. + +- not begin with a digit. + +- not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "MicrosoftEntraIDExport": { +> "ApplicationId": "contosoAzure897", +> "ApplicationKey": "25d408a1925d4c081925b\d40819", +> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c", +> "MicrosoftGraphPathApi": "https://graph.microsoft.com/beta/", +> "ResponseUri": "https://agent.usercubecontoso.com" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --- | --- | +| ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (client) ID__ | +| ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ | +| TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. 
__Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (tenant) ID__ | +| ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| | | +| --- | --- | +| MicrosoftAuthorityPath optional | __Type__ String __Description__ Pattern for Microsoft Authority Path. | +| MicrosoftGraphPath default value: ```https://graph.microsoft.com/.default``` | __Type__ String __Description__ Scope requested to access a protected API. __Note:__ for this flow (client credentials), the scope should be of the form __`{ResourceIdUri/.default}`__. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation). | +| MicrosoftGraphPathApi default value: ```https://graph.microsoft.com/v1.0/``` | __Type__ String __Description__ Microsoft Graph Uri API. | + +### Output details + +This connector is meant to generate the following files: + +- ```_directoryobjects.csv``` containing the property values from the entity type mapping associated with the connection. + + The values are exported from the entities listed in the attribute ```C0``` of the ```EntityTypeMapping```. + + > For example, with the following configuration example: + > + > ``` + > + > + > + > ``` + > + > + > Four entities are exported (```user```; ```group```; ```directoryRole```; ```servicePrincipal```) and whose names are to be found in the column ```@odata.type```. Then ```MicrosoftEntraIDExport_directoryobjects.csv``` looks like: + > + > ``` + > + > MicrosoftEntraIDExport_directoryobjects.csv + > Command,@odata.type,accountEnabled,id,mail + > ... 
+ > ``` + + Attributes described as "Supported only on the Get `` API" in the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) documentation cannot be retrieved through this connector. The export task will raise an error if these attributes are used in your ```EntityTypeMapping```. + + This connector supports [Microsoft Entra ID Schema Extensions](https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions) but does not support [Microsoft Graph Schema Extensions](https://docs.microsoft.com/en-us/graph/extensibility-schema-groups). +- ```__.csv``` describing the navigation property from one entity to another. + + > For example ```MicrosoftEntraIDExport_members_group.csv``` would look like: + > + > ``` + > + > MicrosoftEntraIDExport_members_group.csv + > Command,groupId,id + > ... + > ``` + > + > + > Where __command__ can be ```insert```, ```update``` or ```delete```; __groupId__ is the id of the group; __id__ is the id of the group member (in this context). + + Only the navigation properties ```members``` and ```owners``` are exported. These navigation properties are automatically detected according to the data exported. +- one file ```_cookie_.bin``` per entity, containing an URL with a ```delta token``` useful for incremental export. + + > For example ```MicrosoftEntraIDExport_cookie_user.bin``` + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in incremental mode, where CSV files will contain only the entries which have been modified since the last synchronization. + + A task can use the ```IgnoreCookieFile``` boolean property, and a command line (with an executable) can use the option ```--ignore-cookies```. 
+ +The CSV files are stored in the [ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) folder, and the cookie file in the [ExportCookies](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) folder. + +For more details, [see Microsoft's documentation on columns and attributes synchronized to Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized). + +## Fulfill + +This connector writes to the Microsoft Entra ID, to create, update and delete Microsoft Entra ID objects, initiated manually through the UI or automatically by [enforcing the policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "MicrosoftEntraIDFulfillment": { +> "ApplicationId": "contosoAzure897", +> "ApplicationKey": "84468d65324ghj\de9864d3d7e89026", +> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c", +> "MicrosoftGraphPathApi": "https://graph.microsoft.com/beta/", +> "ResponseUri": "https://agent.usercube.com" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --- | --- | +| ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (client) ID__ | +| ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. 
__Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ | +| TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Usercube__ > __Overview__ > __Application (tenant) ID__ | +| ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| | | +| --- | --- | +| MicrosoftGraphPathApi default value: ```https://graph.microsoft.com/v1.0/``` | __Type__ String __Description__ Microsoft Graph Uri API. | + +### Output details + +This connector can create a new resource, and update and delete any Microsoft Entra ID objects and groups' memberships via the UI. + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), configured in the ```appsettings.encrypted.agent.json``` file; +- an [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe; + +- a [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) able to store Microsoft Entra ID's ```ApplicationId``` and ```ApplicationKey```. +```` 
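Review bot: Both the `MicrosoftEntraIDExport` and `MicrosoftEntraIDFulfillment` samples set `"MicrosoftGraphPathApi": "https://graph.microsoft.com/beta/"` while the table documents `https://graph.microsoft.com/v1.0/` as the default, and nothing on the page says why a connector that creates, updates and deletes objects should target the beta endpoint; either use the default in the samples or state when beta is needed. The Prerequisites section requires admin-consented application permissions but does not name them on this page, so a reader cannot scope the app registration to what export needs versus what fulfill needs; list them here or say explicitly that the linked registration how-to does. The `ApplicationKey` values in both samples contain a backslash followed by `d`, which is not a valid JSON escape, and the Microsoft Entra ID link in the introduction points at the `fr-fr` locale.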
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md new file mode 100644 index 0000000000..878cf6f6be --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md 
@@ -0,0 +1,127 @@ +# CSV + +This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values). + +This page is about +[File/CSV](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/csv/index.md). + +![Package: File/CSV](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) + +## Overview + +Files in CSV format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the source file to be in CSV format. + +## Export + +This export copies the information found in a CSV file and transforms it into a new CSV file in the +Usercube's format. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).csv", +> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).csv", +> "Encoding": "UTF-16", +> "Separator": ";", +> "IsFileNameRegex": true, +> "NumberOfLinesToSkip": 1, +> "ValuesToTrim": [ +> "*", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". | +| | | +| --- | --- | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | + +| Separator +default value: , | **Type** +String +**Description** + +Separator used in the input file. + +| | | | | --- | --- | | NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number +of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`, to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +> For example, when exporting a connection named `HRCountries`, the output file will be named +> `HRCountries.csv`. + +The file's columns come from the header line from the input CSV file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +nor a +[CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. 
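Review bot: The `HRContoso` sample's `"Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).csv"` leaves the dot before `csv` unescaped and uses an open `(.*?)` wildcard, and the `IsFileNameRegex` note says the last created matching file is the one used, so any newer file whose name happens to match becomes the HR source; tighten the pattern (escape the dot, restrict the wildcard to the expected characters) and state whether the expression must match the whole file name. In the Setting attributes table the `Separator` and `NumberOfLinesToSkip` rows are split across several lines and will not render as table rows; rejoin them in the same one-line form as the `Encoding` row.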
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md new file mode 100644 index 0000000000..dc65990321 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md 
@@ -0,0 +1,220 @@ +# EasyVista + +This connector exports and fulfills users from/to an +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en)-compliant system. + +This page is about +[ITSM/EasyVista](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md). + +![Package: ITSM/EasyVista](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- an EasyVista account with reading/writing permissions on the target instance; +- a view to be created in EasyVista for each type of entity to export. + +## Export + +This connector exports a list of users, with their attributes specified in the connector's +configuration, to CSV files. + +It can also export any custom entity, provided that a view exists for it in EasyVista. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "ExportEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword", +> "ExportSettingsOptions": { +> "Profiles": "https://easy-vista.instance.com/api/v1/11111/internalqueries?queryguid={019B0523-F1C4-4G84-AA04-47BA16F16EB2}&filterguid={Z8A61D04-EZEC-42F1-A3E1-E9E09654BE68}&viewguid={2740V37A-A0ZC-4E50-A1F1-CF0987B9EFEA}" +> } +> } +> } +> } +> ``` + +The `ExportSettingsOptions` attribute is necessary only if custom entities are exported. It is not +required if only the users are exported. +Besides, `"Profiles"` is used here as an example and corresponds to a name to identify the exported +entities. + +#### Setting attributes + +| Name | Details | +| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. | +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | +| | | +| --- | --- | +| ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. 
**Get REST API URLs** Access the relevant view in EasyVista and click on **�** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp) | + +### Output details + +This connector is meant to generate to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder: + +- a CSV file, named `_Employees.csv`, with one column for each property having + a `ConnectionColumn` and each property without it but used in an entity association; +- a CSV file for each customized entity, named `_.csv`. + +> For example, with the following entity type mapping for employees: +> +> ``` +> +> +> +> ``` +> +> And the following entity type mapping for profiles: +> +> ``` +> +> EntityType Identifier="EasyVista_Profiles" DisplayName_L1="EasyVista Profiles" Property Identifier="NAME_EN" DisplayName_L1="NAME_EN" TargetColumnIndex="23" Type="String" Type="String" IsKey="true" //EntityTypeEntityTypeMapping Identifier="EVProfiles" Connector="ExportEasyVista" ConnectionTable="EasyVistaExport_Profiles" Property Identifier="PROFILE_GUID">>>> ><<<<< +> +> ``` +> +> Then we will have `C:/identitymanagerContoso/Sources/EasyVistaExport_Employees.csv` as follows: +> +> ``` +> EasyVistaExport_Employees.csv +> last_name +> Talma Bart +> Tanner Carol +> Taverner David +> Taylor Eric +> Telemann Franck +> Thomson Georges +> ... +> +> ``` +> +> Then we will have `C:/identitymanagerContoso/Sources/EasyVistaExport_Profiles.csv` as follows: +> +> ``` +> EasyVistaExport_Profiles.csv +> NAME_EN, PROFILE_GUID +> Administration {value of the PROFILE_GUID} +> LOB Manager {value of the PROFILE_GUID} +> Product Team {value of the PROFILE_GUID} +> Project Manager {value of the PROFILE_GUID} +> ... 
+> +> ``` + +Users created from the API are retrieved by Usercube only after a complete synchronization. + +## Fulfill + +The EasyVista connector writes to EasyVista to create, archive (delete from Usercube's point of +view) and update employees, initiated manually through the UI or automatically by +[enforcing the policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "FulfillEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | ------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. | +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | + +### Output details + +This connector can: + +- create and update employees and their profiles, but is limited by + [API limitations](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Integration/WebService%20REST/REST%20API%20-%20Create%20an%20employee/); + + In particular, this connector cannot set dates nor the `employee_id` property. + +- archive employees, i.e. set the `CONTRACT_END_DATE` to the date of the fulfill execution. + + This action is performed when Usercube fulfills a provisioning order with a `Deleted` change + type. 
+ +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md new file mode 100644 index 0000000000..951cfe0afe --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md 
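Review bot: In easyvista/index.md, the Output details examples have lost their content: the employee entity type mapping fence is empty, the profile mapping is one line of tag-stripped XML (`EntityType Identifier="EasyVista_Profiles" ...` ending in `>>>> ><<<<<`), and the file names appear as `_Employees.csv` and `_.csv` with no placeholder. Restore the XML and the placeholders before merging. The example connection is named `ExportEasyVista` while the sample outputs are `EasyVistaExport_Employees.csv` and `EasyVistaExport_Profiles.csv`, so one of the two should be renamed. Both configuration examples show `"Password": "userPassword"` directly in `appsettings.agent.json`; a pointer from each example to the Credential protection section would keep readers from copying that layout as is. The `**�**` in the Get REST API URLs step is a mis-encoded character.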
@@ -0,0 +1,79 @@ +# EasyVista Ticket + +This connector opens tickets in +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en) for manual +provisioning. + +This page is about +[Ticket/EasyVista](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md). + +![Package: Ticket/EasyVista](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +This connector focuses on the creation of EasyVista tickets for editing manually EasyVista +resources. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- an EasyVista account with reading/writing permissions on the target instance. + +## Export + +This connector exports some of EasyVista entities, +[see the export capabilities of the EasyVista connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md). +Some entities cannot be exported. + +## Fulfill + +This connector writes to EasyVista to create incident and request tickets containing information to +create, update or delete a resource. It does not create a resource directly. + +Once created, the ticket is managed in EasyVista, not in Usercube. + +When the ticket is closed or canceled, Usercube updates the +[provisioning state](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +of the resource accordingly. 
+ +[See the fulfill capabilities of the EasyVista connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md). + +> For example: +> +> ``` +> appsettings.agent.json +> "EasyVistaManual": { +> "Server": "https://example.easyvista.com/", +> "Login": "username", +> "Password": "password", +> "Account": "11111" +> }, +> +> ``` + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/excel/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/excel/index.md new file mode 100644 index 0000000000..c1a1c40590 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/excel/index.md 
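Review bot: In easyvistaticket/index.md, the Fulfill example is a bare fragment (`"EasyVistaManual": { ... },` with a trailing comma) rather than a full `Connections` section, and the page has no Configuration or Setting attributes subsection, unlike the EasyVista page it links to. Wrap the example in the same `appsettings.agent.json > Connections` structure and either add the attribute table or state that the attributes are those of the EasyVista connector. In Export, "Some entities cannot be exported" should name which ones or link to where they are listed.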
@@ -0,0 +1,137 @@ +# Microsoft Excel + +This connector exports datasheets from a +[Microsoft Excel](https://www.microsoft.com/en-us/microsoft-365/excel) (XLSX) file. + +This page is about +[File/Microsoft Excel](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/excel/index.md). + +![Package: File/Microsoft Excel](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp) + +## Overview + +Microsoft Excel files using the XLSX file format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the input file to be in the XLSX format. + +## Export + +This connector copies the information from an XLSX file into CSV files, one per spreadsheet, while +filtering out spreadsheets and trimming values if needed. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).xlsx", +> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).xlsx", +> "IsFileNameRegex": "true", +> "SheetOptions": [ +> { +> "SheetIgnored": "false", +> "NumberOfLinesToSkip": 1 +> }, +> { +> "SheetIgnored": "true" +> } +> ], +> "ValuesToTrim": [ +> "$", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". 
| +| | | +| --- | --- | +| SheetOptions optional | **Type** SheetOption List **Description** List of options for each sheet of the input file. The first element of the list sets the options for the first sheet, the second element for the second sheet, etc. | + +##### SheetOptions + +| Name | Details | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | +| SheetIgnored required | **Type** Boolean **Description** `True` to exclude the sheet from export. | +| | | +| --- | --- | +| NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder a CSV file per spreadsheet included in the export, named `_.csv` +where `` is the spreadsheet's index. + +Note that `0` is the first index, not `1`. + +> For example, when exporting the content of a 2-sheet Excel file with a connection named +> `HRContoso`, the output files will be named `HRContoso_0.csv` for the first spreadsheet, and +> `HRContoso_1.csv` for the second. + +The file's columns come from the header line from the input Excel file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +nor a +[CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md new file mode 100644 index 0000000000..328a8b1f69 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md 
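Review bot: In excel/index.md, the example sets `"IsFileNameRegex": "true"` and `"SheetIgnored": "false"` / `"true"` as JSON strings, while the attribute tables give both as Type Boolean and the CSV connector example in this same patch uses an unquoted `true`. Use unquoted booleans in the example, or document that strings are accepted. The `IsFileNameRegex` note about picking the last created file raises the same write-access question here as in the CSV page. Under Output details the file name reads `_.csv` where `` is the spreadsheet's index: both placeholders are missing.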
@@ -0,0 +1,168 @@ +# Google Workspace + +This connector exports and fulfills users and groups from/to a +[Google Workspace](https://developers.google.com/workspace) instance. + +This page is about +[Directory/Google Workspace](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md). + +![Package: Directory/Google Workspace](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp) + +## Overview + +Google Workspace provides a set of softwares and products developed by Google. The Google Workspace +connector exports and fulfills users and groups from/to a Google Workspace instance. It exports +user-group memberships too. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- a service account impersonating the following permission scopes: + [https://www.googleapis.com/auth/admin.directory.user](https://www.googleapis.com/auth/admin.directory.user) + and + [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group). + + [See Google's documentation to create the service account with the right impersonation](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-the-service-account-with-the-right-impersonation). + + **Caution:** Google's documentation describes this procedure as optional, while the Google + Workspace connector requires it. + +## Export + +This connector extracts users, groups and user-group memberships from a Google Workspace instance, +and write the output to CSV files. 
+ +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal", +> "PageSize": "100" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the [prerequisites](#prerequisites) section. | +| | | +| --- | --- | +| PageSize default value: 50 | **Type** Int32 **Description** Number of items, i.e. users and/or groups and/or memberships, retrievable from Google Workspace by each API call (from 1 to 500). 
| + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder the following CSV files: + +- `GoogleExportFulfillment_Users.csv` and `GoogleExportFulfillment_Groups.csv` whose headers come + from the entity type mapping's `ConnectionColumn` and from the entity association mappings' + columns which are not _members_ columns; +- `GoogleExportFulfillment_Members.csv` with the following columns: + - **value**: ID of the group; + - **MemberId**: ID of the group member. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `":"` should not be used in other situations. + +> For example: +> +> ``` +> +> +> +> ``` +> +> Note that we have here `AgreedToTerms` which is a single property, and `FamilyName` which is a +> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`. + +## Fulfill + +This connector can write to Google Workspace to create, update, and/or delete users and user-group +memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. 
[See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the [prerequisites](#prerequisites) section. | + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +nor a +[CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md new file mode 100644 index 0000000000..6ea82a137e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md 
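Review bot: In googleworkspace/index.md, Credential protection says the connector has no credential attributes, yet both connections require `CredentialsFilePath`, described as the path of Google Workspace's JSON credentials file for a service account holding the `admin.directory.user` and `admin.directory.group` scopes. Since the page states that RSA encryption and CyberArk are not used, the section should say how that file is expected to be protected on the agent host (for example, file permissions limited to the account running the agent). Smaller points: the export example gives `"PageSize": "100"` as a string although the type is Int32, the `ConnectionColumn` example fence under Output details is empty, and the Google links carry fragment anchors that look generated from the link text (`#see-googles-documentation-to-create-these-credentials`).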
@@ -0,0 +1,134 @@ +# Home Folder + +This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directory)' content. + +This page is about +[Storage/Home Folders](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md). + +![Package: Storage/Home Folders](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp) + +## Overview + +Home Folders, also called Home Directory, is a user-dedicated storage area where users' personal +files can be accessed. In general, a home folder is private so only its owner and administrators can +access it. Moreover, the folders are often centralized because they are located on a network server. +It allows making backups regularly and easily accessing the folders. + +## Prerequisites + +Implementing this connector requires: + +- reading first how to + [Set, View, Change, or Remove Special Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772196(v=ws.10)) + and check the + [File and Folder Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)) + list; +- an account with at least the special permission **Read** on all home folders in order to be able + to export them. + +## Export + +This connector exports all the home folders to a CSV file. + +This connector performs only complete export, not incremental. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... 
+ } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "HomeFolderExport": { +> "InputDirectories": [ +> "C:/ContosoFolder", +> "C:/ContosoFolder2", +> ], +> "Domain": "Windows", +> "Interactive": true, +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| InputDirectories required | **Type** String List **Description** List of the directories that contain the home folders to be exported. | +| Domain optional | **Type** String **Description** Domain of the account used to access the home folders. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set the authentication as interactive. `False` to set it batch. [See Microsoft's documentation for more details](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera#see-microsofts-documentation-for-more-details). | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Usercube will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. 
**Note:** when not specified and `Login` neither, then the account running Usercube will be used. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`, to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder, with the following columns: + +- **Command**: empty for now, as the connector performs only complete export. +- **Name**: name of the home folder. + +> For example, when exporting with a connection named `HomeFolderExport`, then the output file will +> be named `HomeFolderExport.csv` and will look like: +> +> ``` +> HomeFolderExport.csv +> Command,Name +> ... +> ``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Home Folder's `Login` and `Password`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md new file mode 100644 index 0000000000..0cfba56f7e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md 
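Review bot: In homefolder/index.md, the `InputDirectories` array in the example ends with a trailing comma after `"C:/ContosoFolder2"`, which is not strict JSON; drop the comma. The same example shows `"Password": "ContOso$123456789"` in clear text, and since Credential protection further down lists RSA encryption, Azure Key Vault and CyberArk for `Login` and `Password`, the example should point there. Under Output details the file name reads `.csv` without the connection-identifier placeholder, and the two notes worded "when not specified and `Password` neither" would read better as "when neither `Login` nor `Password` is specified".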
@@ -0,0 +1,136 @@ +# References: Connectors + +Connectors are the mechanisms that enable Usercube to read and write data to/from your +organization's systems. Here is a list of reference connectors: + +- [ Active Directory ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + + Exports and fulfills users and groups from/to an Active Directory instance. + +- [ Azure ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) + + Exports Azure resources, role definitions and assignments. + +- [ CSV ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) + + Exports data from a CSV file. + +- [ EasyVista ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) + + Exports and fulfills users from/to an EasyVista-compliant system. + +- [ EasyVista Ticket ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) + + Opens tickets in EasyVista for manual provisioning. + +- [ Google Workspace ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) + + Exports and fulfills users and groups from/to a Google Workspace instance. + +- [ Home Folder ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) + + Exports home folders' content. + +- [InternalWorkflow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) + + Triggers workflows in Usercube for a system's provisioning orders. + +- [Internal Resources](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) + + Opens manual provisioning tickets in Usercube. 
+ +- [ JSON ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/json/index.md) + + Generates JSON files for each provisioning order. + +- [ LDAP ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) + + Exports and fulfills entries from/to a LDAP-compliant system. + +- [ LDIF ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) + + Exports entries from a LDIF file. + +- Microsoft Entra ID + + Exports and fulfills user and groups from/to a Microsoft Entra ID instance. + +- [ Microsoft Excel ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) + + Exports datasheets from a Microsoft Excel (XLSX) file. + +- [ Microsoft Exchange ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) + + Exports mailboxes from a Microsoft Exchange instance. + +- [ OData ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) + + Exports and fulfills entries from/to an OData instance. + +- [Okta](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/okta/index.md) + + Exports and fulfills entries from/to an Okta instance. + +- [ OpenLDAP ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) + + Exports and fulfills entries from/to an OpenLDAP directory. + +- [ PowerShellProv ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) + + Writes to an external system via a PowerShell script. + +- [ PowerShellSync ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md) + + Exports data from an external system via a Powershell script. 
+ +- [ RACF ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) + + Exports users and profiles from a RACF file. + +- [ Robot Framework ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) + + Writes to an external system via a Robot Framework script. + +- [SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) + + Exports and fulfills users and roles from/to a SAP ERP 6.0 or SAP S4/HANA instance. + +- [ SAP Netweaver ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/index.md) + + Exports and fulfills users and roles from/to a SAP Netweaver instance. + +- [SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) + + Exports and fulfills entities from/to a SCIM-compliant application. + +- [ ServiceNow ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) + + Exports and fulfills any data from/to a ServiceNow CMDB. + +- [ ServiceNowTicket ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) + + Opens tickets in ServiceNow for manual provisioning. + +- [ SharedFolders ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) + + Exports users and permissions from Windows shared folders. + +- [SharePoint](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) + + Exports sites, folders, groups and permissions from a SharePoint instance. 
+ +- [ Sql ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) + + Exports data from one of various Database Management Systems. + +- [ Sql Server Entitlements ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) + + Exports entitlements from Microsoft SQL Server. + +- [ Top Secret ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) + + Exports users and profiles from a Top Secret (TSS) instance. + +- [ Workday ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) + + Exports users and groups from a Workday instance. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md new file mode 100644 index 0000000000..7eb5492ee6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md 
@@ -0,0 +1,22 @@ +# Internal Resources + +This connector opens manual provisioning tickets in Usercube. + +This page is about: + +- Ticket/identitymanager +- Ticket/identitymanager And Create/Update/Delete resources + +See the +[ Manual Ticket ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) +and +[ Manual Ticket and CUD Resources ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) +topics for additional information. + +![Package: Ticket/identitymanager](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp) + +![Package: Ticket/identitymanager And Create/Update/Delete resources](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp) + +See the +[ Provision Manually ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md new file mode 100644 index 0000000000..77a35e7e2c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md 
@@ -0,0 +1,214 @@ +# InternalWorkflow + +This connector triggers workflows in Usercube for a system's provisioning orders. + +This page is about Usercube/Workflow. See the +[ Workflow ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) +topic for additional information. + +![Package: Usercube/Workflow](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp) + +## Overview + +This connector is singular because it does not connect Usercube to an external system. + +Instead, it is made to read the provisioning orders of a given connector or resource type, and +launch specific workflows still within Usercube, depending on each order's type (creation, update, +deletion). + +It works via a JSON file used to set the workflow to launch along with its arguments such as its +message and body. + +## Prerequisites + +Implementing this connector requires: + +- Knowledge of the basic principles of Usercube's workflows. See the + [ Workflow ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) + topic for additional information. +- Configuring in Usercube the workflows for the arrival of a new user, the update of a pre-existing + user, and for the departure of a user + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector retrieves the files containing provisioning orders that correspond to a given list of +connectors or resource types, and then starts workflows according to the type of the provisioning +orders (Added, Modified, Deleted) found in the JSON files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > **Connections** section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +**NOTE:** The identifier of the connection and thus the name of the subsection must: + +- be unique +- not begin with a digit +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "HR_Person_To_Directory_UserRecord": { +        "WorkflowJsonPath": "" +    } +  } +} +``` + +The configuration setting must have the following attributes: + +| Name | Type | Description | +| ------------------------- | ------ | ------------------------------------------------------- | +| WorkflowJsonPath required | String | Path of the JSON file used to configure this connector. | + +WorkflowJsonPath + +The file specified in WorkflowJsonPath must have a specific structure. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +FulfillInternalWorkflow.json +{ +  "SourceEntityIdentifier": "Directory_UserRecord", +  "NavigationToTargetEntity": "User", +  "NavigationTargetToSource": "Records", +  "TargetEntityTypeIdentifier": "Directory_User", +  "FulfillInternalWorkflowConfigurations": [ +    { +      "ChangeType": "Added", +      "Model": { +        "WorkflowIdentifier": "Directory_User_StartInternal", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow start: $Changes:LastName$ - $Changes:FirstName$, EmployeeId: $Changes:EmployeeId$", +        "Body": "body of workflow $Changes:EmployeeId$ - $Changes:Site.Label$" +      }, +      "ScalarProperties": [ +        "LastName", +        "FirstName", +        "ContractStartDate", +        "ContractEndDate" +      ], +      "NavigationProperties": [ +        "Category", +        "Service", +        "Site" +      ] +    }, +    { +      "ChangeType": "Modified", +      "Model": { +        "WorkflowIdentifier": "Directory_User_ChangeName", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow Update: $Resource:LastName$ - $Resource:FirstName$, EmployeeId: $Resource:EmployeeId$", +        "Body": "body of workflow Update for  $Resource:EmployeeId$ " +      }, +      "ScalarProperties": [ +        "FirstName", +        "LastName" +      ] +    }, +    { +      "ChangeType": "Deleted", +      "Model": { +        "WorkflowIdentifier": "Directory_User_End", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow end Directory_Person for $Resource:LastName$ - $Resource:FirstName$", +        "Body": "body if workflow end for $Resource:LastName$ - $Resource:FirstName$" +      }, +      "DateProperties": [ +        "ContractEndDate" +      ] +    } +  ] +} + +``` + +_Remember,_ as workflows' aspects are computed during the fulfill process, all the required +properties must be present in the 
provisioning order and in this JSON file. + +Setting attributes + +The table below summarizes the setting attributes. + +| Name | Type | Description | +| ----------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Body required | String | Body of the message transmitted by the workflow. | +| ChangeType required | String | Type of the provisioning order: Added; Modified; Deleted. | +| DateProperties optional | DateTime List | List of the properties corresponding to the dates that the workflow is to fill in. **NOTE:** When not specified and ChangeType is set to Deleted, then the dates are filled with the workflow's execution date. | +| Message required | String | Message sent to the accounts impacted by the workflow. | +| NavigationProperties optional | String List | List of the navigation properties to get from the provisioning orders in order to complete the workflow. | +| NavigationTargetToSource optional | String | Navigation property that makes the link from the target entity type to the source entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. 
See the[ Position Change via Records ](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information.[ Position Change via Records ](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) | +| NavigationToTargetEntity optional | String | Navigation property that makes the link from the source entity type to the target entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. See the[ Position Change via Records ](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information. | +| ScalarProperties optional | String List | List of the scalar properties to get from the provisioning orders in order to complete the workflow. | +| SourceEntityIdentifier required | String | Identifier of the source entity type of the workflow. | +| TransitionIdentifier required | String | Identifier of the workflow's transition after execution. | +| TargetEntityTypeIdentifier required | String | Identifier of the target entity type of the workflow. | +| WorkflowIdentifier optional | String | Identifier of the workflow to be started. **NOTE:** Optional but recommended because it acts as default value when there is no related ArgumentsExpression or it does not return a valid identifier. See the[Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md)topic for additional information.[Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) | + +The table below summarizes the variables for messages and bodies. 
+ +| Name | Type | Description | +| -------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Changes | String List | Prefix used to get data from the **Changes** section of the provisioning order. Example **Changes:LastName** retrieves the value of the **LastName** property from the order's changes. | +| Resource | String List | Prefix used to get data from Usercube's database. Example **Resource:LastName** retrieves the value of the **LastName** property from the database. | + +### Output details + +All three types of workflows (onboarding, update and off-boarding) can be completed with the fulfill +Internal Workflow. + +## Authentication + +See the following to figure out authentication. + +Password reset + +This connector does not reset passwords. + +Credential protection + +This connector has no credential attributes, and therefore does not use RSA encryption, nor a +CyberArk Vault. See the +[ RSA Encryption ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) +and +[ CyberArk's AAM Credential Providers ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +topics for additional information. + +Still, data protection can be ensured through an Azure Key Vault safe. See the +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)topic +for additional +information.[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/json/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/json/index.md new file mode 100644 index 0000000000..c9d0944034 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/json/index.md @@ -0,0 +1,11 @@ +# JSON + +This connector generates [JSON](https://www.json.org/json-en.html) files for each provisioning +order. + +This page is about +[Custom/JSON](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/json/index.md). + +![Package: Custom/JSON](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md new file mode 100644 index 0000000000..652a76a7fc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md 
@@ -0,0 +1,286 @@ +# LDAP + +This connector exports and fulfills entries from/to an [LDAP](https://ldap.com/)-compliant system. + +This page is about: + +- [Directory/Generic LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md); +- [Directory/Oracle LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md); +- [Directory/Apache Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md); +- [Directory/Red Hat Directory Server](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md). + +![Package: Directory/Generic LDAP](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp) + +![Package: Directory/Oracle LDAP](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp) + +![Package: Directory/Apache Directory](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp) + +![Package: Directory/Red Hat Directory Server](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp) + +## Overview + +The Lightweight Directory Access Protocol (LDAP) is a flexible and well supported standards-based +mechanism for interacting with directory servers. + +## Prerequisites + +Implementing this connector requires reading first the +[appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). 
+ +## Export + +For a configured set of LDAP entries, this connector exports the list of all attributes from the +connector's configuration. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "LDAPExport": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Controls": [ +> "PagedResult", +> "DomainScope" +> ], +> "NoSigning": false, +> "EnableSSL": true +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(objectclass=*)", +> "Scope": "Subtree" +> }, +> { +> "Table": "member", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(&(member=*)(objectclass=groupOfEntries))", +> "Scope": "Subtree" +> } +> ], +> "SizeLimit": 5000, +> "TimeLimit": 5, +> "TimeOut": 30 +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of servers to connect to. | +| Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve entries and links. **Note:** having a table named `entries` is mandatory. 
| +| SizeLimit optional | **Type** Int32 **Description** Maximum number of objects returned in the search request. **Note:** ignored when using `Servers`:`Controls`. | +| TimeLimit optional | **Type** Int32 **Description** Maximum duration (in seconds) of the request. | +| TimeOut optional | **Type** Int32 **Description** Time period (in seconds) before the connection to the LDAP is closed. | + +##### Servers + +| Name | Details | +| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the target domain controller. | +| Controls optional | **Type** String List **Description** List of the controls that will be applied to the request. Possible values are: `PagedResult` to limit the number of returned queries. Results will be returned in smaller and limited packets. `DomainScope` to enable domain control, i.e. the LDAP server won't generate any referrals when completing a request, and the search is restricted to a single name context. **Note:**`PagedResult` is required when using `DomainScope`. [See more details in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-domain-scope-oid). | +| | | +| --- | --- | +| EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. 
**Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. | +| NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. | +| | | +| --- | --- | +| AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Usercube to authenticate to the server. Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | **Type** String **Description** Login used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| Password optional | **Type** String **Description** Password used by Usercube for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | + +##### Tables + +| Name | Details | +| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BaseDN required | **Type** String **Description** Base Distinguished Name to be used to connect to the server. | +| Table required | **Type** String **Description** Name of the table: it should be `entries` for the main entries, and the name of the LDAP's link attribute otherwise. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). 
| +| Scope optional | **Type** String **Description** Search scope to be applied to the request. The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder one file per element in **Tables**, named `_.csv`, with one +column for each property having a `ConnectionColumn` and each property without it but used in an +entity association. + +Any property can be exported in a specific format when specified. +[See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md). + +> With the previous example and the following entity type mapping: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/identitymanagerContoso/Temp/ExportOutput/LDAPExport_entries.csv` like: +> +> ``` +> LDAPExport_entries.csv +> displayName,dn,entryUuid,objectClass,ou,parentdn +> ... +> +> ``` +> +> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/LDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> dn,member +> ... +> +> ``` + +## Fulfill + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Usercube UI or by +[assignment policy enforcement](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LDAPFulfillment": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com" +> } +> ], +> "IsLdapPasswordReset": true, +> "AsAdLds": false +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of servers to connect to. | +| Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve the entries and the links. **Note:** having a table named `entries` is mandatory. | +| AsAdLds required | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Usercube, then they cannot be computed and provided by +scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning +order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store LDAP's `Login`, `Password` and `Server`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md new file mode 100644 index 0000000000..3f1e952f3a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md 
@@ -0,0 +1,108 @@ +# LDIF + +This connector exports entries from an +[LDIF](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) file. + +This page is about +[Directory/LDIF](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/ldif/index.md). + +![Package: Directory/LDIF](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp) + +## Overview + +The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for +representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. +LDIF conveys directory content as a set of records, one record for each object (or entry). It also +represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record +for each update request. + +## Prerequisites + +Implementing this connector requires no particular prerequisites. + +## Export + +This connector generates a CSV file from an input LDIF file containing entries to be exported. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LdifExport": { +> "LDIFFile": "C:/identitymanagerContoso/Contoso/contoso.ldif", +> "FilterAttribute": "objectClass", +> "FilterValues": "user organizationalUnit", +> "Attributes": [ "dn", "objectClass", "cn", "SAMAccountName", "Name", "userprincipalname" ], +> "LdifEncoding": "UTF-8", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| LDIFFile required | **Type** String **Description** Path of the LDIF input file. | +| FilterAttribute required | **Type** String **Description** Property from the connector's configuration whose value is to be compared with the values from `FilterValues`, in order to filter the entries to export. | +| FilterValues required | **Type** String **Description** List of values to be compared with the value of `FilterAttribute`, in order to filter the entries to export. Usercube will export only the entries matching the filter. **Note:** multiple values must be separated by white spaces. | +| Attributes required | **Type** String List **Description** List of properties from the connector's configuration to be exported. | +| LdifEncoding default value: UTF-8 | Encoding of the file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). 
| + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder a CSV file named `LdifExport.csv`, with the following columns: + +``` +LdifExport.csv +Command,dn,objectClass,cn,SAMAccountName,Name,userprincipalname +Insert,value1,value2,...,valueN +``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +nor a +[CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md new file mode 100644 index 0000000000..ca1d07174c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md 
@@ -0,0 +1,169 @@ +# Microsoft Exchange + +This connector exports mailboxes from a +[Microsoft Exchange](https://support.microsoft.com/en-us/office/what-is-a-microsoft-exchange-account-47f000aa-c2bf-48ac-9bc2-83e5c6036793) +instance. + +This page is about +[Server/Microsoft Exchange](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md). + +![Package: Server/Microsoft Exchange](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp) + +## Overview + +Microsoft Exchange Server is Microsoft's email, calendar, contact, scheduling and collaboration +platform. It is deployed on the Windows Server operating system (OS) for business use. This +connector uses +[Exchange Server PowerShell (Exchange Management Shell)](https://docs.microsoft.com/en-us/powershell/exchange/exchange-management-shell?view=exchange-ps) +to export databases and mailboxes. + +## Prerequisites + +Implementing this connector requires: + +- a Microsoft Exchange Server 2010, or later. + [See here Exchange Server 2016's requirements](https://docs.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2016); +- installing Windows PowerShell. + [See how to connect to Exchange servers using remote PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps). + +## Export + +This connector exports +[mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps) +and +[mailbox databases](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailboxdatabase?view=exchange-ps). 
+Two CSV files are generated, one with the +[mailbox properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)) +(like `Database`, `EmailAddresses`, `ServerName` , etc.) and the other with +[mailbox database properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)) +(like `Name`, `Server`, `Mounted`, etc.). These properties are explicitly part of the PowerShell +script used by Usercube. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "MicrosoftExchangeExport": { +> "AuthType": "Kerberos", +> "Server": "http://mailbox01.contoso.com/PowerShell/" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** Address of the Exchange Server used by the remote PowerShell: `http:///PowerShell/` where `` is the fully qualified domain name of the Exchange server, like `mailbox01.contoso.com`. 
| +| PowerShellScriptPath default value: `{your usercube path}/Runtime/Export-Exchange.ps1` | **Type** String **Description** Path of the export script file. | + +### Output details + +This connector is meant to generate the following files: + +- `_mailboxes.csv` with the following columns: + + ``` + _databases.csv + Command,Database,EmailAddresses,UseDatabaseRetentionDefaults,RetainDeletedItemsUntilBackup,DeliverToMailboxAndForward,ExchangeGuid,ExchangeUserAccountControl,ForwardingAddress,ForwardingSmtpAddress,IsMailboxEnabled,ProhibitSendQuota,ProhibitSendReceiveQuota,RecoverableItemsQuota,RecoverableItemsWarningQuota,CalendarLoggingQuota,IsResource,IsLinked,IsShared,SamAccountName,AntispamBypassEnabled,ServerName,UseDatabaseQuotaDefaults,UserPrincipalName,WhenMailboxCreated,IsInactiveMailbox,AccountDisabledIsDirSynced,Alias,OrganizationalUnit,DisplayName,MaxSendSize,MaxReceiveSize,PrimarySmtpAddress,RecipientType,RecipientTypeDetails,Identity,IsValid,Name,DistinguishedName,Guid,ObjectCategory,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + > For example, we could have + > `C:/identitymanagerContoso/Temp/ExportOutput/MicrosoftExchangeExport_mailboxes.csv`. + + [See more details on mailbox properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)). + +- `_databases.csv` with the following columns: + + ``` + _databases.csv + Command,Name,Server,Mounted,ObjectCategory,Guid,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + [See more details on mailbox database properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)). + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. 
+ +The CSV files are stored in the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder, and the cookie file in the +[ExportCookies](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +## Fulfill + +This connector can create, update or +delete[mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps)' +addresses (PrimarySmtpAddress, ProxyAddress) and mailbox databases. + +As it works via a PowerShell script, +[find more instructions in the PowerShell connector's documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md). + +Usercube's PowerShell script can be found in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`. + +See +[PowerShell credential protection](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +to protect this fulfill. + +## Authentication + +### Authentication Type + +This connector uses Kerberos authentication when trying to connect with the Exchange Server. + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Microsoft Exchange's `Server`. + +This kind of credential protection can be used only for the export process. + +The fulfill process' credentials can be protected by following the +[instructions for the PowerShellProv connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/odata/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/odata/index.md new file mode 100644 index 0000000000..a3260f7c26 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/odata/index.md 
@@ -0,0 +1,135 @@ +# OData + +This connector exports and fulfills data from/to an [OData](https://www.odata.org/) instance. + +This page is about +[Custom/OData](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odata/index.md). + +![Package: Custom/OData](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp) + +## Overview + +OData (Open Data Protocol) comply with ISO/IEC and OASIS standards. This protocol defines the best +approaches for using RESTful APIs. OData helps you focus on your business logic while building +RESTful APIs without having to worry about the various approaches to define request and response +headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, +etc. + +## Prerequisites + +Implementing this connector requires reading first the +[appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +Usercube's service is based on +[OData RFC](https://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html). + +## Export + +This connector extracts all entity sets with all the information needed to rebuild them. This is +based on the connector's metadata. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ODataExport": { +> "Server": "https://YourODataService.com/", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------- | ----------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the data system. | +| Login optional | **Type** String **Description** Login to connect to the system. | +| Password optional | **Type** String **Description** Password to connect to the system. | +| BearerToken optional | **Type** String **Description** Token to authenticate to the system. | +| ClientId optional | **Type** String **Description** Id to connect to the system via OpenId. | +| ClientSecret optional | **Type** String **Description** Password to connect to the system via OpenId. | +| AuthenticationUrl optional | **Type** String **Description** URL to request the authentication via OpenId. 
| + +#### XML configuration requirements + +This connector requires from the XML configuration: + +- an + [entity type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md): + - with the same identifier as the related entity type; + - related to the right connector; + - related to a connection table named `_`; + - with properties whose connection columns represent the property's path in the entity, see the + configuration example below; +- an + [entity association mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md): + - with the same identifier as the related entity association; + - with its `Column1` in the format `UsercubeNav_:` for the + related property in the association; + - with its `Column2` in the format `Of:` for the related + property in the association; + - related to a connection table named `__`. + +The information contained in the entity types and entity associations does not impact the export. + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder one CSV file for each entity set provided in the connector's configuration. + +The files' column headers come from the entity type mapping's `ConnectionColumn` properties. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `:` should not be used in other situations. + +> For example: +> +> ```xml +> +> +> +> +> +> +> +> +> +> ``` +> +> Note that we have here `UserName` which is a single property, and `FamilyName` which is a +> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`. 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/okta/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/okta/index.md new file mode 100644 index 0000000000..8cd43ef118 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/okta/index.md 
@@ -0,0 +1,273 @@ +# Okta + +This connector exports and fulfills entries from/to Okta application. + +![okta](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp) + +## Overview + +Okta is an access management solution that provides SSO and federation capabilities for single +sign-on, multi-factor authentication, and API access management. Okta's platform is widely used by +organizations to protect accesses for digital identities in an increasingly complex and +interconnected digital world. + +### Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation +- An Okta Token with specific permissions on the target instance + +See the +[ appsettings.agent ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +### Configuration + +To configure the Okta connector it is necessary to: + +**Step 1 –** Create a new user for Netwrix Usercube. + +In order to do so you must connect to the Okta administration console +`https://myexample-admin.okta.com` and create a new Netwrix Usercube user. + +**NOTE:** For some Okta deployments it is possible to create a service account or to Manage an Okta +user account as a service account. + +**Step 2 –** Assign administrator role and permissions to the Netwrix Usercube user. + +**Step 3 –** Generate a Token for the Netwrix Usercube user. + +See the +[Okta documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/service-accounts/service-accounts-overview.htm) +for additional information. + +### Export + +This connector exports a list of users, groups, applications with their attributes specified in the +connector's configuration, to CSV files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > Connections section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} + +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} + +``` + +### Setting attributes + +| Name | Type | Description | +| --------------- | ------ | ----------------------- | +| Server required | String | URI of the data system. | +| ApiKey required | String | User token value. 
| + +### Output details + +This connector can create, delete and update users, groups and applications, and is meant to +generate the following to the ExportOutput folder : + +- A CSV file, named `_users.csv`, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named `_groups.csv`, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named `_apps.csv`, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named `_groupsapps.csv`, with one column for each property + either having a ConnectionColumn or which is used in an entity association; +- A CSV file, named `_groupsusers.csv`, with one column for each property + either having a ConnectionColumn or which is used in an entity association; + +For example, with the following entity type mapping for users: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     +     +     +     +     +     +     +     +     +     +….   + +   +     +     +     +     +     +     +     +     +     +     +     +   + +``` + +And the following entity type mapping for groups: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +   + +``` + +And the following entity type mapping for applications: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +  +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +   + +``` + +Then we will have `C:/identitymanagerContoso/Sources/OktaExportFulfillment_users.csv` as follows: + +``` +id, status, created, activated, statusChanged, lastLogin, lastUpdated, passwordChanged, type.id, profile.city, profile.costCenter, profile.countryCode, profile.department, profile.displayName +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_groups.csv` as follows: + +``` +id, created, lastUpdated, lastMemberShipUpdated, type, profile.description, profile.name +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_apps.csv` as follows: + +``` +id, created, lastUpdated, status, name, label +``` + +### Fulfill + +The Okta connector writes to Okta to create, update and delete entries, initiated manually through +the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) +topic for additional information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} + +``` + +### Password reset + +The password reset settings configuration is described in the appsettings.agent.json file. See the +[ appsettings.agent ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. 
+ +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the appsettings.encrypted.agent.json file +- An Azure Key Vault safe +- A CyberArk Vault able to store Okta Login, Password, Account and Server. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md new file mode 100644 index 0000000000..0e8222be05 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md 
@@ -0,0 +1,250 @@ +# OpenLDAP + +This connector exports and fulfills entries from/to an [OpenLDAP](https://www.openldap.org/) +directory. + +This page is about +[Directory/Open LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md). + +![Package: Directory/Open LDAP](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp) + +## Overview + +OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- a service account with reading and writing permissions on the target OpenLDAP server; +- enabling SyncProv Overlay for the OpenLDAP server. + + To perform a complete export without the SyncProv Overlay enabled, use rather the + [LDAP connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md). + +## Export + +This connector exports to CSV files the content of an OpenLDAP Directory. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections":{ +> ... 
+> "OpenLDAPExport": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Filter": "(|(objectclass=person)(objectclass=ou))", +> "Scope": "SubTree", +> "SSL": "true" +> } +> ... +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** IP address and port of the OpenLDAP server. | +| DistinguishedName required | **Type** String **Description** Distinguished Name of the domain controller. | +| Login required | **Type** String **Description** OpenLDAP server's login. | +| Password required | **Type** String **Description** OpenLDAP server's password. | +| SSL optional | **Type** Boolean **Description** `True` to enable SSL (Secure Socket Layer) protocol for authentication requests. | +| | | +| --- | --- | +| TimeFormat default value: 60 | **Type** Int32 **Description** Timeout (in seconds) for the export's requests to the targeted server. | +| WaitingTimeInSeconds default value: 30 | **Type** Int32 **Description** Time period (in seconds) during which pulling for changes is not allowed during the persistent phase. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder: + +- a CSV file, named `_entry.csv`, with one column for each property having a + `ConnectionColumn` and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md). + +- a CSV file for each `ConnectionTable` in a related `EntityTypeMapping` or + `EntityAssociationMapping`, and which is not an `entry`, named + `_.csv`; + + > For example, `OpenLDAPExport_member` as `ConnectionTable` in a mapping will generate the file + > `OpenLDAPExport_member.csv` with `member` as link attribute. + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +The CSV files are stored in the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder, and the cookie file in the +[ExportCookies](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. 
+ +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/identitymanagerContoso/Temp/ExportOutput/OpenLDAPExport.csv` like: +> +> ``` +> entry.csv +> Command,entryUUID,dn,cn,objectClass,parentdn +> Insert,value1,value2,...,valueN +> ``` +> +> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/OpenLDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> Command,entryUUID,member +> Insert,value1,value2,...,valueN +> ``` + +## Fulfill + +This connector fulfills via the LDAP connector's fulfill process. + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Usercube UI or by +[assignment policy enforcement](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +### Configuration + +Same as for export, fulfill is configured through connections. + +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "OpenLDAPFulfillment": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "SSL": "true", +> "IsLdapPasswordReset": "true" +> } +> } +> } +> ``` + +#### Setting attributes + +| | | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | +| | | +| --- | --- | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Usercube, then they cannot be computed and provided by +scalar rules or navigation rules. In this case, they can be given as arguments in the provisioning +order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store OpenLDAP's `Login`, `Password` and `Server`. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md new file mode 100644 index 0000000000..e6abdeb868 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md 
@@ -0,0 +1,147 @@ +# PowerShellProv + +This connector writes to an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about +[Custom/PowerShellProv](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md). + +![Package: Custom/PowerShellProv](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Usercube to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to NETWRIX' guidelines below. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector executes a PowerShell script for the creation, deletion and update of any entity +linked to the managed system. 
+ +> For example, it can fulfill the `mailboxes` entity from Microsoft Exchange. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills a CSV file through the script `Fulfill-CSV.ps1`, for a single target +> managed system identified by the `PowerShellCsvFulfillment` subsection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-CSV.ps1", +> "Options": { +> "Message": "Hello", +> "Login": "admin", +> "Password": "secret" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| PowerShellScriptPath required | **Type** String **Description** Path of the executed PowerShell script (.ps1). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example**` "Options": { "Login": "admin", "Password": "secret" }` In order for the script to access these options, the following two lines of code must be included in the script: `$options = [System.Console]::ReadLine() $options = ConvertFrom-Json $options` Afterwards, any one of these variables can be easily accessed: `$options.Login$options.Password # -> admin and secret` | + +### Write a script + +See how to +[write a Powershell script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md) +to allow provisioning with this connector. + +## Authentication + +### Password reset + +The PowerShell script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| -------------------- | ------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| PowerShellScriptPath | `Connections----PowerShellScriptPath` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store the attributes from the `Options` section that are + [compatible with CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). 
+ +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example, consider `Login` and `Password` values stored in the `PowerShellCsv_Account` account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "Options": { +> "Login": "PowerShellCsv_Account", +> "Password": "PowerShellCsv_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md new file mode 100644 index 0000000000..fd07fe596b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md 
@@ -0,0 +1,108 @@ +# PowerShellSync + +This connector exports data from an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about +[Custom/PowerShellSync](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md). + +![Package: Custom/PowerShellSync](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +Data can be synchronized from any managed system by writing a PowerShell script that generates the +relevant CSV files for Usercube. The PowerShellSync connector provides all the necessary tools for +an easy integration of the script with Usercube's synchronization mechanisms. + +When Usercube provides a native connector for a given system, for example the Active Directory +connector, NETWRIX highly recommends using the native connector rather than this PowerShell +connector. 
+ +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Usercube to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to NETWRIX' guidelines below. + +## Export + +This connector executes a PowerShell script that generates one or several CSV files. These files are +to be used during the synchronization of the data from the managed system targeted by the +PowerShellSync connector. + +The CSV files must be written to the `$OutputPath`. See below. + +The export is executed by a job from the UI, or via `Usercube-Export-Powershell.exe` in the command +prompt. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "PowerShellExport": { +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Export-CSV.ps1", +> } +> } +> } +> ``` + +##### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------ | +| PowerShellScriptPath required | **Type** String **Description** Path of the PowerShell script (.ps1) to be executed. | + +### Write a script + +Usercube provides a few variables to be used in the PowerShell script. + +| Name | Details | +| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | +| OutputPath | **Type** String **Description** Prefix of the path of the generated CSV file. **Info:** the synchronization process requires the generated CSV file to be located in a very specific location, with a specific name prefix. Hence the need for this predefined variable. **Value** [``](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)`/ExportOutput/_` **Example** In this example, if the temp folder is named `Temp` and the connection `PowerShellExport`, then the generated file is: `Temp/ExportOutput/PowerShellExport_users.csv`. 
``` generateCSV | Export-CSV ($OutputPath + "users.csv") `where`generateCSV``` is a generic PowerShell method that generates CSV files. | +| IsIncremental | **Type** Boolean **Description** Variable to be used to provide a different behavior for complete and incremental synchronization. | + +## Fulfill + +There are no fulfill capabilities for this connector. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/racf/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/racf/index.md new file mode 100644 index 0000000000..8cc080aa6c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/racf/index.md 
@@ -0,0 +1,115 @@ +# RACF + +This connector exports users and profiles from a +[RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) file. + +This page is about +[MainFrame/RACF](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/racf/index.md). + +![Package: MainFrame/RACF](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp) + +## Overview + +Resource Access Control Facility (RACF) is a security program from IBM OS/390 used to protect users' +resources by controlling their accesses. The RACF connector exports the information saved by RACF +about users, groups and access authorities. + +## Prerequisites + +Implementing this connector requires the input file to be in the RACF format, but it can have any +extension. + +## Export + +This connector extracts the information found in a RACF file and transforms it into CSV files in +Usercube format. + +Be aware that Usercube supports only the RACF records represented by the following codes: + +- [0100; 0120; 0101; 0102](https://www.ibm.com/docs/en/zos/2.1.0?topic=records-record-formats-produced-by-database-unload-utility#0100-0120-0101-0102) + (groups); +- [0200; 0203](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-user-record-formats) (users); +- [0500; 0503](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-general-resource-record-formats) + (general resources). + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. 
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example reads RACF data from the `C:/identitymanagerContoso/RacfFile.csv` iso-8859-1 file +> and exports it to CSV files in Usercube format: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "RACF": { +> "Path": "C:/identitymanagerContoso/RacfFile.csv", +> "Encoding": "iso-8859-1", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path required | **Type** String **Description** Path of the RACF file to be exported. | +| | | +| --- | --- | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | + +### Output details + +This connector is meant to generate to the +[`ExportOutput`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder one CSV file per record type (0100, 0200, etc.), named `_.csv`. + +> For example, consider an export with a connection named `ExportRacf`, and a source file containing +> the record types 0100, 0120, 0203. Then we will have three output files named +> `ExportRacf_0100.csv`, `ExportRacf_0120.csv` and `ExportRacf_0203.csv`. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +nor a +[CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +safe. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md new file mode 100644 index 0000000000..b6a0ac2ae7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md 
@@ -0,0 +1,140 @@ +# Robot Framework + +This connector writes to an external system via a [Robot Framework](https://robotframework.org) +script. + +This page is about +[Custom/Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md). + +![Package: Custom/Robot Framework](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp) + +## Overview + +Robot Framework is an open-source automation framework which can be used for robotic process +automation (RPA). This framework is easy to use thanks to its human-readable syntax. +It has a modular architecture that can be extended by +[libraries](https://robotframework.org/#libraries) implemented with Python or Java. These libraries +provide various tools to interact with a managed system. + +## Prerequisites + +Implementing this connector requires the agent to include the following elements: + +- [Python](https://www.python.org/downloads/) 3.7 or above. Specific Robot Framework libraries may + require a specific Python version; +- Python folder location in the `PATH` environment variable list and the location of its subfolder + `Scripts`; +- Robot Framework: use `pip install robotframework` in the command prompt. If the installation ran + correctly, `robot.exe` should be in your path. You can confirm this by running `gcm robot` in a + powershell console. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector can create, update and/or delete any entity linked to the managed system. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... 
+ "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills in a CSV file by using the script `FulfillRobotFramework.robot`: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "RobotFrameworkScriptPath": "C:/identitymanagerDemo/Scripts/FulfillRobotFramework.robot", +> "Options": { +> "Message": "Hello" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RobotFrameworkScriptPath required | **Type** String **Description** Path to the executed Robot Framework script (.robot). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example**` "Options": { "Login": "admin", "Password": "secret" }` Access these options in the script using the following method: `${login}= Get Secure Data Login False ${password}= Get Secure Data Password True` **Info:** when the boolean argument from `Get Secure Data` is set to `True`, then the value is stored in the variable and erased from memory, hence not retrievable on next call. This enables control over sensitive data like passwords by defining the lifetime of the variable containing sensitive data. **Warning:** never use `Get Secure Data` when `Options` is empty. | + +### Write a script + +See how to +[write a RobotFramework script](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) +to allow provisioning with this connector. + +## Authentication + +### Password reset + +The script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------ | ----------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| RobotFrameworkScriptPath | `Connections----RobotFrameworkScriptPath` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store the attributes from the `Options` section that are + [compatible with 
CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example, consider `Login` and `Password` values stored in the `RobotFramework_Account` +> account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "Options": { +> "Login": "RobotFramework_Account", +> "Password": "RobotFramework_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md new file mode 100644 index 0000000000..85ab3fea06 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md 
@@ -0,0 +1,310 @@ +# SAP ERP 6.0 and SAP S4/HANA + +This connector exports and fulfills users and roles from/to an +[SAP ERP 6.0](https://www.sap.com/products/erp/what-is-sap-erp.html) or +[SAP HANA](https://www.sap.com/products/technology-platform/hana/what-is-sap-hana.html) instance. + +This page is about ERP/SAP ERP 6.0. + +![Package: ERP/SAP ERP 6.0](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp) + +## Overview + +The SAP Enterprise Resource Planning (SAP ERP) software incorporates the core business processes of +an organization, such as finance, production, supply chain services, procurements, human resources +(HR), etc. The SAP ERP connector exports and fulfills data from/to an SAP ERP 6.0 system. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation; See the + [ appsettings.agent ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic + for additional information. +- An ASE or HANA database with a service account, as a database administrator +- A service account, as a SAP user with at least the roles for user management +- The prerequisites for reading should be set up +- The prerequisites for writing should be set up + +ASE or HANA database with a service account, as a database administrator + +To connect to the SAP database using SSH, use the following commands: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +su sybaba +isql -S -U -P -X +``` + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X +``` + +Service account, as a SAP user with at least the roles for user management + +Create a login for Usercube's service account with at least reading access on user management tables +by using a command from the table below: + +| Table | Usage | +| ----------------- | --------------------------------------- | +| USR02 | Users table | +| AGR_USERS | Links between Users and Roles | +| AGR_TEXTS | Roles labels according to the language | +| USER_ADDR | | +| AGR_1016 AGR_PROF | Links between Profiles and Roles | +| USR10 | Profiles tables | +| USR11 | Profiles labels | +| AGR_DEFINE | Roles table | +| AGR_AGRS | Composition links | +| USGRP | Groups table | +| USGRPT | Groups labels | +| UST04 | Links between Users and Profiles | +| UST10C | Links between Profiles and Sub-profiles | +| AGR_TCODES | Links between Roles and Transactions | +| T002 | Languages codes | + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +execute sp_addlogin ``, ``, ``go use ABA go +execute sp_adduser ``go grant select on ABA.SAPSR3.USR02 to usercube grant select on +ABA.SAPSR3.AGR_USERS to usercube grant select on ABA.SAPSR3.USER_ADDR to usercube grant select on +ABA.SAPSR3.AGR_1016 to usercube grant select on ABA.SAPSR3.USR10 to usercube grant select on +ABA.SAPSR3.USR11 to usercube grant select on ABA.SAPSR3.AGR_AGRS to usercube grant select on +ABA.SAPSR3.USGRP to usercube grant select on ABA.SAPSR3.UST04 to usercube grant select on +ABA.SAPSR3.AGR_TCODES to user grant select on ABA.SAPSR3.T002 to usercube Go + +Set up the prerequisites for reading + +To set up the prerequisites for reading follow the steps below. + +**Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Usercube. 
+ +![connectorreadprerequisites1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp) + +**Step 2 –** Unzip the “hdbclient.zip” archive to C: drive and add the path to the Path environment +variables. + +![connectorreadprerequisites2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp) + +**Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and +`HDBADOTNETCORE=C:\hdbclient\dotnetcore`. + +Set up the prerequisites for writing + +**NOTE:** Make sure the Read prerequisites are configured first. + +**Step 1 –** Copy the provided DLL `sapnwrfc.dl` into the Runtime of Usercube. + +**Step 2 –** Unzip the `dotnet86.zip` archive to `C:\dotnetx86`. + +**Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Usercube. + +![connectorwriteprerequisites](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp) + +**Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`. + +![connectorwriteprerequisites2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp) + +**Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 +(e.g.: `C: \donetx86\dotnet.exe`). + +## Export + +This connector extracts users, roles, profiles, profile memberships, role memberships and groups +from an SAP ERP instance, and writes the output to CSV files. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. 
See the +[ Connection ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +topic for additional information. + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`. + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    ... +    "Connections": { +        ... +        "SAPExportFulfillment": { +            "Server": "serverUrl", +            "AseLogin": "login", +            "AsePassword": "password", +            "Instance": "sapInstance", +            "Port": "4242", +            "Client": "123", +            "Language": "fr" +        } +    } +} + +``` + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| AseLogin required | String | Login to connect to SAP ASE. | +| AsePassword required | String | Password to connect to SAP ASE. | +| Client required | String | Client id of SAP. | +| Instance required | String | Instance of the SAP database. | +| Language required | String | SAP language. | +| Port required | String | Port of the SAP ERP server. | +| Server required | String | URL of the SAP ERP server. 
| + +### Output details + +This connector is meant to generate to the ExportOutput folder the following files: + +- SAPExportFulfillment_users.csv; +- SAPExportFulfillment_roles.csv; +- SAPExportFulfillment_usersroles.csv; +- SAPExportFulfillment_profiles.csv; +- SAPExportFulfillment_profilesprofiles.csv; +- SAPExportFulfillment_rolesprofiles.csv; +- SAPExportFulfillment_usersprofiles.csv; +- SAPExportFulfillment_rolesroles.csv; +- SAPExportFulfillment_groups.csv; +- SAPExportFulfillment_rolestransactions.csv. + +See the +[Application Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Fulfill + +This connector can provision users, role memberships and group memberships to SAP ERP. + +### Configuration + +Same as for export, fulfill is configured through connections. See the SAP ERP 6.0 and SAP +S4/HANAtopic for additional information. + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    ... +    "Connections": { +        ... +        "SAPExportFulfillment": { +            "Server": "", +            "BapiLogin": "", +            "BapiPassword": "" +        } +    } +} + +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| Server required | String | URL of the SAP ERP server. | +| BapiLogin required | String | Login to connect to the specified server. | +| BapiPassword required | String | Password to connect to the specified server. 
| + +### Password reset + +See the +[ appsettings.agent ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +When setting a password for an SAP ERP user, the password attribute is defined by the password +specified in the corresponding RessourceTypeMapping. See the +[ SapResourceTypeMapping ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) +topic for additional information. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------ | ------------------------------------------------ | +| Server | Connections--``--Server | +| AseLogin | Connections--``--AseLogin | +| AsePassword | Connections--``--AsePassword | +| Instance | Connections--``--Instance | +| Port | Connections--``--Port | +| Client | Connections--``--Client | +| Language | Connections--``--Language | +| BapiLogin | Connections--``--BapiLogin | +| BapiPassword | Connections--``--BapiPassword | +| SystemNumber | Connections--``--SystemNumber | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. 
+ +See the +[ RSA Encryption ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), +and +[ CyberArk's AAM Credential Providers ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ +  ... +  "Connections": { +    ... +    "SAPExportFulfillment": { +        "Login": "SAPExportFulfillment_CyberArkKey", +        "Password": "SAPExportFulfillment_CyberArkKey", +        "Server": "SAPExportFulfillment_CyberArkKey" +    } +  } +} +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/index.md new file mode 100644 index 0000000000..61a52958b7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/index.md 
@@ -0,0 +1,200 @@ +# SAP Netweaver + +This connector exports and fulfills users and roles from/to an +[SAP Netweaver](https://www.sap.com/france/products/technology-platform/hana/what-is-sap-hana.html) +instance. + +This page is about +[ERP/SAP S/4 HANA](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saphana/index.md). + +![Package: ERP/SAP S/4 HANA](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/saphana/packages_sap_v603.webp) + +## Overview + +SAP ERP is an enterprise resource planning software developed by the German company SAP SE. The +software incorporates the key business functions of an organization. ERP software includes programs +in all core business areas, such as procurement, production, materials management, sales, marketing, +finance, and human resources (HR). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- a service account with reading and writing permissions on the SAP server. + +## Export + +This connector exports users, roles, role memberships and groups from an SAP instance and writes the +output to CSV files. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... 
+> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder the following CSV files: + +- `sap_users.csv` with the following columns: + + ``` + sap_users.csv + Command,logonname,isserviceuser,firstname,lastname,salutation,title,jobtitle,mobile,displayname,description,email,fax,locale,timezone,validfrom,validto,lastmodifydate,islocked,isaccountlocked,ispasswordlocked,ispassworddisabled,telephone,department,id,securitypolicy,datasource,company,streetaddress,city,zip,pobox,country,state,orgunit,accessibilitylevel,passwordchangerequired + Insert,value1,value2,...,valueN + ``` + +- `sap_groups.csv` with the following columns: + + ``` + sap_groups.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,distinguishedname + Insert,value1,value2,...,valueN + ``` + +- `sap_roles.csv` with the following columns: + + ``` + sap_roles.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,scopes,actions + Insert,value1,value2,...,valueN + ``` + +- `sap_roles_member.csv` with the following columns: + + ``` + sap_roles_member.csv + Command,id,member + Insert,value1,value2,...,valueN + ``` + +## Fulfill + +This connector writes to SAP to create, update, and/or delete users, groups, roles and group 
+memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +When setting a password for an SAP user, the password attribute is defined by the password specified +in the corresponding +[`RessourceTypeMapping`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md). 
+ +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Active Directory's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Login": "SAPExportFulfillment_CyberArkKey", +> "Password": "SAPExportFulfillment_CyberArkKey", +> "Server": "SAPExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md new file mode 100644 index 0000000000..a4b33fc94a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/scim/index.md 
@@ -0,0 +1,372 @@ +# SCIM + +This connector exports and fulfills entities from/to a +[SCIM](https://www.okta.com/blog/2017/01/what-is-scim/) compliant application. + +This page is about: + +- Custom/SCIM +- CRM/Salesforce +- Messaging/Slack +- PAM/CyberArk + +![Package: Custom/SCIM](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp) + +![Package: CRM/Salesforce](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp) + +![Package: Messaging/Slack](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp) + +![Package: PAM/CyberArk](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp) + +## Overview + +Simple Cloud Identity Management (SCIM) is a Request for Comments (RFC) standard. It describes a +REST API with specific endpoints to get and set data in a web application for IGA purposes. It +allows an identity provider to manage the web application's accounts. For more details about SCIM +and RFC, see the [IETF document](https://tools.ietf.org/html/rfc7644). + +**NOTE:** Similarly to the Salesforce REST-based API, SCIM for Salesforce enables reading and +writing attributes, but writes to a smaller subset. For example, the following properties are +manageable by the Salesforce REST-based API but not SCIM: `PermissionSetGroup`, +`PermissionSetLicense`, `UserPermissionsKnowledgeUser`, `UserPermissionsInteractionUser`, +`UserPermissionsSupportUser`, `CallCenterId`, `SenderEmail`. + +See the +[Salesforce's documentation](https://help.salesforce.com/s/articleView?id=sf.identity_scim_rest_api.htm&type=5) +for additional information. 
+ +## Prerequisites + +Implementing this connector requires the web application that you want to synchronize to implement +SCIM Version 2.0 or later. + +The implementation of the Salesforce connector requires the completion of the following steps: + +- Connect the application +- Enable OAuth authentication +- Reset the user token +- Configure the Salesforce connection + +Connect the application + +To connect to the Salesforce application do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![salesforce-newconnectedapp](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp) + +**Step 3 –** Go to **App Manager** and **Create a Connected App**. + +![salesforce-enableoauth](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp) + +**Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, +select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth +Scopes. + +**Step 5 –** Save the Application. + +![salesforce-manageconnectedapps](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp) + +**Step 6 –** Go to **Manage Connected Apps** and click on the newly created application. + +![salesforce-manageconsumerdetails](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp) + +**Step 7 –** Click on **Manage Consumer Details**. 
+ +![salesforce-consumerkey](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp) + +**Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass. + +Enable OAuth authentication + +To enable the OAuth authentication do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![oauthauthentication](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp) + +**Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, +enable the option to **Allow OAuth Username-Password Flows**. + +Reset the user token + +To reset the user token do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-usertoken-settings](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp) + +**Step 2 –** Click on **Settings** under the profile details. + +![salesforce-resetseuritytoken](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp) + +**Step 3 –** Click on **Reset My Security Token**. + +![salesforce-checkemail](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp) + +**Step 4 –** An email containing the new token will be sent. + +Configure the Salesforce connection + +To configure the Salesforce connection do the following: + +**Step 1 –** Log into Usercube using an admin account. 
+ +![salesforce-connector](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp) + +**Step 2 –** Create a new Salesforce connector. + +![salesforce-connection](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp) + +**Step 3 –** Add a new Salesforce connection. + +![salesforce-agent-settings](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp) + +**Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**. + +The configuration of the Salesforce connector is completed. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. +See the +[ Connection ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md): +topic for additional information. + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`. + +The following example gets information via SCIM on a web application whose URL base is +`https://example.for.doc.com`: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... 
+    "SCIMExport": { +        "ApplicationId": "", +        "Server": "", +        "ApplicationKey": "", +        "Login": "", +        "Password": "", +        "Filter": "" +    } +  } +} +``` + +Here we use an account's credentials (login and password) with our application's credentials +(ApplicationId and ApplicationKey). + +The filter `?filter=active eq \"true\"` retrieves active Users from the external system. + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter optional | String | Filters applied in the SCIM request retrieving the entities. You should write the filters as you would write them in the URL (including the "?"). For more details on the syntax, see the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document). Syntax:EntityNameInSCIM1|scimFilter1\*EntityNameInSCIM2|scimFilter2\*EntityNameInSCIM3|scimFilter3 | +| OAuth2Url optional | String | URL which get tokens for the requests. The system can usually find this information, but sometimes the system gets it wrong, like Salesforce for example. | +| PageSize default value: 200 | String | Maximum number of elements returned by one request. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. 
| +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login and Password) are used to obtain a +token from the application for our requests. + +### Output details + +This connector is meant to generate to the ExportOutput folder the following CSV files: + +- One file for each SCIM entity, coming from entity type mappings's connection tables, named + `_.csv`, with one column for each property having a ConnectionColumn + and each property without it but used in an entity association; +- One file for each membership, coming from entity association mappings's connection tables, + named` _members_.csv`, with the following columns: + - Value — ID of the group + - MemberId — ID of the group member +- One file for each entity named Containers such as CyberArk's privileged data, named + `_privilegedData_Containers.csv`. + +See the +[Application Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[ EntityTypeMapping ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +topics for additional information. + +For the connector to work properly, the connection tables must follow the naming conventions too: +`_ for entities and _members_` for links. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character ":" should not be used in other situations. 
+ +For example, if we want to retrieve information about Users, Groups and Groups' members, we should +have the following configuration: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +           +``` + +We would have SCIMExport_Users.csv with the column headers id, `name:givenName` and `emails:value`, +`SCIMExport_Groups.csv` with the column headers id and `displayName`, and +`SCIMExport_members_Groups.csv` with the column headers value and `MemberId`. + +Each column contains the value of the corresponding attribute. SCIM attributes are described in the +[RFC document](https://tools.ietf.org/html/rfc7643). + +### Limitations + +The incremental mode only works for User entities and not for the others like Groups or Roles. It +means that entities like Groups or Roles are always handled with the complete mode. + +## Fulfill + +This connector writes to the managed web application to create, update, and/or delete users with +their attributes and group memberships, but no group or other entities. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example writes information to SCIM on a web application whose URL base is +> `https://example.for.doc.com`. +> +> Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +> { +>   ... +>   "Connections": { +>     ... +>     "SCIMFulfillment": { +>         "ApplicationId": "", +>         "Server": "", +>         "ApplicationKey": "", +>         "Login": "", +>         "Password": "", +>         "ServiceSupportBulk": true, +>         "BulkMaxOperation": 10 +>     } +>   } +> } +> ``` +> +> Here we use an account's credentials (login and password) with our application's credentials +> (ApplicationId and ApplicationKey). 
+> +> We specify that bulk requests are supported with a maximum of 10 operations per request. + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BulkMaxOperation optional | Int32 | Maximum number of operations which can be sent in one bulk request. | +| ServiceSupportBulk optional | Boolean | True to allow bulk requests. **NOTE:** depends on the web application's SCIM implementation. See the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document) for additional information. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| ApplicationKey optional | String | Password of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. | +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login, and Password) are used to obtain a +token from the application for our requests. + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------ | ------------------------------------------------ | +| ApplicationId | Connections--``--ApplicationId | +| ApplicationKey | Connections--``--ApplicationKey | +| BulkMaxOperation | Connections--``--BulkMaxOperation | +| Login | Connections--``--Login | +| Password | Connections--``--Password | +| ServiceSupportBulk | Connections--``--ServiceSupportBulk | +| Server | Connections--``--Server | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. + +See the +[ RSA Encryption ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), +and +[ CyberArk's AAM Credential Providers ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `< >` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Login": "SAPExportFulfillment_CyberArkKey", + "Password": "SAPExportFulfillment_CyberArkKey", + "Server": "SAPExportFulfillment_CyberArkKey" + } + } +} +``` + +``` + +``` 
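Review bot: In saperp6/index.md, the isql example under Prerequisites (`isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X`) carries what reads as a real login and password; replace both with obvious placeholders. The template line above it reads `isql -S -U -P -X`, although the sentence before it tells the reader to substitute values enclosed in `< >`, so the placeholders need restoring there. The same applies to `execute sp_addlogin`, `execute sp_adduser`, the `"": {` connection key and the Key Vault key names. In the grant example, `grant select on ABA.SAPSR3.AGR_TCODES to user` should target `usercube` like the other grants. That block should also be fenced with one statement per line, and it omits tables listed just above it (AGR_TEXTS, AGR_PROF, AGR_DEFINE, USGRPT, UST10C). The prerequisite asks for a database administrator account while the example only grants select on named tables; state the minimum rights the service account needs. The CyberArk example uses `Login`, `Password` and `Server` keys and the bullet mentions "Active Directory's" credentials, while this connector's settings are `AseLogin`, `AsePassword`, `BapiLogin` and `BapiPassword`. Smaller fixes: `sapnwrfc.dl` looks truncated from `sapnwrfc.dll`; `dotnet86.zip`, `C:\dotnetx86` and `C: \donetx86\dotnet.exe` disagree; "S4/HANAtopic" in the Fulfill configuration is missing its link and a space.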
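Review bot: In saphana/index.md, the H1 `# SAP Netweaver` and its link text do not match the link target, a what-is-sap-hana URL under /france/, and the next sentence says the page is about ERP/SAP S/4 HANA; settle on one product name and point the link at the matching English page. In the Credential protection table the key names read `Connections----Server`, `Connections----Login` and `Connections----Password`, so the connection identifier between the dashes is missing, as it is in the `"": {` key of the first appsettings.agent.json block. The CyberArk bullet says the vault stores "Active Directory's" `Login`, `Password` and `Server`, which looks carried over from another connector page. Both appsettings.agent.json examples show `"Login": "login"` and `"Password": "password"` in clear text; a sentence beside them pointing to the Credential protection section would keep readers from copying that layout into a production agent. The prerequisite "a service account with reading and writing permissions on the SAP server" should name the rights needed, since Export only reads while Fulfill creates, updates and deletes users, groups and roles.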
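Review bot: In scim/index.md, the Credential protection example at the end is the SAP one: the appsettings.cyberark.agent.json block is keyed `SAPExportFulfillment` with `SAPExportFulfillment_CyberArkKey` values, while this page's connections are `SCIMExport` and `SCIMFulfillment`. It is also followed by an empty code fence. Use a SCIM connection name, drop the empty fence, and reword the bullet about "Active Directory's Login, Password, and Server". The export example sets `ApplicationKey` and the text names it as a credential attribute, but the export Setting attributes table has no `ApplicationKey` row (the fulfill table does). The example said to use the filter `?filter=active eq \"true\"` has `"Filter": ""`, and the block introduced by "we should have the following configuration" is empty, so neither shows what the text explains. The connection-table naming sentence has also lost its placeholders (`_ for entities and _members_`). The Overview expands SCIM as "Simple Cloud Identity Management", whereas the linked RFC 7644 is titled System for Cross-domain Identity Management. In the Salesforce steps, **Allow OAuth Username-Password Flows** is enabled without explanation; say that the connection then authenticates with the account `Login` and `Password`, and point to Credential protection for storing them. "Keypass" in Step 8 is presumably KeePass. The Key Vault table has no rows for `OAuthToken` or `Filter`, although both are listed as settings.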
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md new file mode 100644 index 0000000000..752f2fc72b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md 
@@ -0,0 +1,280 @@ +# ServiceNow + +This connector exports and fulfills any data, including users and roles, from/to a +[ServiceNow CMDB](https://www.servicenow.com/products/servicenow-platform/configuration-management-database.html). + +This page is about +[ITSM/ServiceNow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md). + +![Package: ITSM/ServiceNow](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow Entity Management. To learn about how to use this connector to +create tickets for other resources, see +[ServiceNow Ticket](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports to CSV files ServiceNow's tables (Users, Groups, Group Memberships). + +An incremental search is possible to retrieve added and updated records but a full delta (including +deleted items) can't be performed. 
+ +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example retrieves from users only those that are active, and no filter is applied to +> the other tables. A single request can retrieve up to 5,000 entries, no more. This means that if +> there are 6,000 `sys_user` to retrieve, then all of them will be retrieved but with two requests. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). 
| +| | | +| --- | --- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder one CSV file for each table, named `_.csv`. + +Usercube lists the tables to retrieve based on +[entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)'s +and +[entity association mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)'s +connection tables. + +For the connector to work properly, the connection tables must follow the naming convention too: +`_`. 
+ +> For example, with the following configuration: +> +> ``` +> +> /> +> +> ``` +> +> We would have: +> +> ``` +> ServiceNowExportFulfillment_sys_user.csv +> sys_id,active,name,user_name,email +> ... +> +> ``` +> +> ServiceNowExportFulfillment_sys_group.csv sys_id,name,description ... +> +> ```` +> ServiceNowExportFulfillment_sys_user_grmember.csv +> user,group +> ... +> +> ``` +> ```` + +## Fulfill + +This connector writes to ServiceNow to create, update, and/or delete any data. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. 
| +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +When setting a password for an ServiceNow user, the password attribute is defined by the password +specified in the corresponding +[`RessourceTypeMapping`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md). 
+ +### Credentials protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| Filter | `Connections----Filter` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Login": "ServiceNowExportFulfillment_CyberArkKey", +> "Password": "ServiceNowExportFulfillment_CyberArkKey", +> "Server": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientId": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientSecret": "ServiceNowExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` 
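Review bot: The Export examples set `ResponseSizeLimit` and `Filter`, and the Key Vault table under Credentials protection lists both, but neither is described in the Export "Setting attributes" table, which instead repeats the Server to OAuth2Url rows a second time under an empty `| | |` header; replace the duplicated rows with entries for `Filter` and `ResponseSizeLimit`, including the syntax used in `sys_user#active=true`. Placeholders have also been stripped throughout the file: the connection subsection is `"": {`, the output file name is `_.csv`, and the key names read `Connections----Server`, so none of them shows where the connection identifier goes. In Output details the sample configuration is reduced to a lone `/>` and the fences around the three CSV samples are mismatched, so the `sys_group` sample falls outside a code block. The CyberArk bullet refers to "Active Directory's" credentials on a ServiceNow page, and the Password reset paragraph has "an ServiceNow user" and the link text `RessourceTypeMapping`.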
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md new file mode 100644 index 0000000000..72d67ff49f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md 
@@ -0,0 +1,121 @@ +# ServiceNowTicket + +This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for manual provisioning. + +This page is about +[Ticket/ServiceNow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). + +![Package: Ticket/ServiceNow](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow ticket creation for the fulfillment of resources that can't or +shouldn't be performed with an existing fulfill. To learn about how to manage entities, see +[ServiceNow Entity Management](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports some of ServiceNow entities, +[see the export capabilities of the ServiceNow connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md). 
+Some entities cannot be exported. + +## Fulfill + +This connector writes to ServiceNow to create incident and request tickets containing information to +create, update or delete a resource. It does not create nor update a resource directly. + +Once created, the ticket is managed in ServiceNow, not in Usercube. + +When the ticket is closed or canceled, Usercube updates the +[provisioning state](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +of the resource accordingly. + +[See the fulfill capabilities of the ServiceNow connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md). + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +[See how to configure password reset settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +When setting a password for a ServiceNow user, the password attribute is set to the chosen value and +the user's **password_needs_reset** attribute is set to `true`. 
+ +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------- | ------------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| TicketCookieDirectoryPath | `Connections----TicketCookieDirectoryPath` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Login": "ServiceNowFulfillManual_CyberArkKey", +> "Password": "ServiceNowFulfillManual_CyberArkKey", +> "Server": "ServiceNowFulfillManual_CyberArkKey", +> "ClientId": "ServiceNowFulfillManual_CyberArkKey", +> "ClientSecret": "ServiceNowFulfillManual_CyberArkKey" +> } +> } +> } +> ``` 
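Review bot: The Credential protection table names keys for `ClientId`, `ClientSecret`, `OAuth2Url`, `TicketCookieDirectoryPath` and `ResponseSizeLimit`, yet this page has no Configuration or Setting attributes section and its only example sets Server, Login and Password, so those settings are never defined here; add a Setting attributes table to the Fulfill section or link to the page that documents them. The Password reset paragraph also describes different behaviour from the entity-management page added in this same diff (here the chosen value is set and **password_needs_reset** becomes `true`, there the password comes from the resource type mapping), which should be reconciled or explained. As on the sibling page, the key names read `Connections----Server` without a connection identifier placeholder, and the CyberArk bullet refers to "Active Directory's" credentials.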
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md new file mode 100644 index 0000000000..b74ed773c4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md 
@@ -0,0 +1,173 @@ +# SharedFolders + +This connector exports users and permissions from Windows shared folders. + +This page is about +[Storage/Shared Folders](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md). + +![Package: Storage/Shared Folders](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp) + +## Overview + +Also known as UFA (_Usercube Folder Access_), this connector can be used to scan the access rights +assigned to folders and files in computers and networks which comply with the +[Windows File Security and Access Rights systems](https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights). + +## Prerequisites + +Implementing this connector requires an account with the permissions: + +- to access all relevant folders and files and read their entitlements; +- **Log on as a batch job** in the local group policy, when the connector's authentication mode is + batch. + + ![SharedFolder - Permission for Batch Authentication](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp) + +## Export + +This connector scans shared folders in order to export their content to CSV files. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example reads `12` levels of folders in the folders `R&D_Projects` and `Management` +> in the network `OfficeNetwork` and in `C:/`. We only read entitlements about folders and we don't +> have access rights to the entitlements associated with the SIDs `S-1-3-2-4` and `S-5-7-6-8`. We +> use the service account [account@example.com](mailto:account@example.com) with its related +> password and domain, and interactive connection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SharedFolderExport": { +> "InputDirectories": [ "OfficeNetwork/R&D_Projects", "OfficeNetwork/Management", "C:/" ], +> "OnlyDirectoryScan": "true", +> "LevelOfScan": "12", +> "ListOfSIDToAvoid": [ "S-1-3-2-4", "S-5-7-6-8" ], +> "Login": "account@example.com", +> "Password": "accountexamplepassword", +> "Domain": "Example", +> "Interactive": true +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| InputDirectories required | **Type** String List **Description** Paths of the folders to be scanned. | +| Domain optional | **Type** String **Description** Domain of the account used to access files and read their access rights. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set authentication as interactive, `False` to set it as batch. | +| LevelOfScan optional | **Type** Int32 **Description** Number of file and folder levels to be scanned. By default, it scans the whole folder tree for each input directory. | +| ListOfSIDToAvoid optional | **Type** String List **Description** SIDs (users or groups) to exclude from the scan. 
| +| OnlyDirectoryScan default value: False | **Type** Boolean **Description** `True` to scan only folders' entitlements and not files', `False` to scan all. | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Usercube will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. **Note:** when not specified and `Login` neither, then the account running Usercube will be used. | + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder the following CSV files: + +- `_ACE.csv`, with the following columns: + - **key**: concatenation of `Right`, `Path` and `OwnerSID`; + - **Path**: path of the folder or file; + - **Right**: entitlement among the following, listed from weakest to strongest: + ListDirectory / ReadData / CreateFiles / WriteData / AppendData / CreateDirectories / + ReadExtendedAttributes / WriteExtendedAttributes / ExecuteFile / Traverse / + DeleteSubdirectoriesAndFiles / ReadAttributes / WriteAttributes / Write / Delete / + ReadPermissions / Read / ReadAndExecute / Modify / ChangePermissions / TakeOwnership / + Synchronize / FullControl + - **AllowOrDeny**: `0` (or `false`) if the entitlement is allowed, `1` (or `true`) if it is + denied; + - **OwnerSID**: SID of the entitlement's owner. +- `_PathInformations.csv`, with the following columns: + - **Path**; + - **ParentPath**: path of the file's or folder's parent folder; + - **BlockInheritance**: `true` if the file or folder blocks entitlement inheritance in the tree; + - **Hierarchy**: hierarchy in the scanned tree. 
+- `_SID.csv`, with only one column **SID**. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Interactive | `Connections----Interactive` | +| LevelOfScan | `Connections----MembersFile` | +| ListOfSIDToAvoid | `Connections----ListOfSIDToAvoid` | +| Login | `Connections----Login` | +| OnlyDirectoryScan | `Connections----OnlyDirectoryScan` | +| Password | `Connections----Password` | +| InputDirectories | `Connections----InputDirectories` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Active Directory's `Login` and `Password`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "SharedFolderExport": { +> "Login": "SharedFolderSettings", +> "Password": "SharedFolderSettings" +> } +> } +> } +> ``` 
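Review bot: In the Azure Key Vault table under Credential protection, the `LevelOfScan` row maps to `Connections----MembersFile`, a key that matches no attribute of this connector; it should end in `LevelOfScan` like every other row, otherwise a reader following the table stores the value under a name the documented attribute list never mentions. The Setting attributes table is split by an empty `| | |` header, which leaves `Login` and `Password` in a second, header-less table; merge them into the first. The example writes `"OnlyDirectoryScan": "true"` as a string and `"Interactive": true` as a boolean although both attributes are typed Boolean, so pick one form. The connection subsection `"": {`, the output file names such as `_ACE.csv`, and the key names are all missing the connection identifier placeholder, and the CyberArk bullet refers to "Active Directory's" credentials on a shared-folder page.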
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md new file mode 100644 index 0000000000..93134db92c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md 
@@ -0,0 +1,275 @@ +# SharePoint + +This connector exports sites, folders, groups and permissions from a +[SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration) instance. + +This page is about Storage/SharePoint. + +![Package: Storage/SharePoint](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp) + +## Overview + +SharePoint is a system used by organizations to store, organize, share and access information. + +## Prerequisites + +Implementing this connector requires an account with the permissions to access all items and read +their entitlements. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +`appsettings.agent.json > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                  +                        appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +                 +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +The following example scans the example.sharepoint.com SharePoint at the more detailed level +(ListItem) with the account [account.example@usercube.com](mailto:account.example@usercube.com): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... 
+    "SharePointExport": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | +| Scanlevel default value: ListItem | Scanlevel | Level of scan to be performed, from less to more detailed: Site; List; and ListItem. | +| CsvUrls optional | String | Path, column and separator (split by ¤) of the CSV file containing the other sites to be scanned. Useful when scanning a SharePoint with a root site (https://example.sharepoint.com) with other sites (https://example.sharepoint.com/sites/OtherSite) which are not sub-sites (https://example.sharepoint.com/SubSite). Sub-sites don't need to be provided through a CSV file because they are found from the root site. 
| + +### Limitations + +Synchronization in incremental mode does not retrieve user account changes, because SharePoint is +not able to provide this information through its API. + +To avoid unnecessary scanning and to increase performance, the connector in incremental mode does +not scan user accounts from the sites given through CsvUrls. However, it still retrieves the +folders, groups, permissions and the links between users and these elements. + +When needing to retrieve all of user account information, then go through complete synchronization +instead of incremental. + +### Output details + +This connector is meant to generate to the Export Output folder the following CSV files: + +`_Entity.csv`, with the following columns: + +- **command**— empty for complete synchronization, and `merge` for incremental; +- **Collection**— SharePoint server's URL where the information was found; +- **Id**— Identifier of the entity; +- **SharePointId**— Identifier of the entity in the scanned site; +- **Name**— name of the entity; +- **Description**— description of the entity; +- **PrincipalType**— type of the entity, for example `User`, `SecurityGroup` or `SharePointGroup`, + etc.; +- **Email**— email of the user; +- **IsEmailAuthenticationGuestUser**— `true` if the email is for the authentication of a guest user; +- **IsSiteAdmin**— `true` if the user is a site administrator; +- **IsShareByEmailGuestUser**— `true` if the user is a guest invited by email; +- **AadObjectId**— Microsoft Entra ID (formerly Microsoft Azure AD)'s identifier of the entity; + +`_GroupMember.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Group_Id**: Identifier of the group; +- **Entity_Id**: Identifier of the entity related to the group member; + +`_GroupMemberScanFail.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Id**; +- **Name**; +- **Description**; +- **PrincipalType**; + +`_Role.csv`, with the following columns: + +- **command**; +- 
**Collection**; +- **Id**; +- **Name**; +- **Description**; +- **Permissions**: permissions concatenated together with line breaks; + +`_RoleAssignment.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Key**— concatenation (with `-`) of the `Role_Id`, the `Entity_Id` and the `SecurableObject_Key`; +- **Role_Id**— Identifier of the role; +- **Entity_Id**— Identifier of the entity related to the role; +- **Entity_Name**— name of the group member; +- **SecurableObject_Key**— concatenation (with `|`) of the `Collection` and the relative URLs where + the object was found; + +`_SecurableObject.csv`, with the following columns: + +- **command**; +- **Key**— concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**— level where the securable object was found, among: `Site`; `List`; `ListItem`; +- **Label**— title or display name of the securable object; +- **ParentKey**— key of the securable object's parent; +- **ScanStatus**— status of the scan (success or fail); +- **HasUniqueRoleAssignments**— `true` if entitlement inheritance is blocked for this securable + object; + +`_SecurableObjectRightInheritance.csv`, with the following columns: + +- **command**; +- **Collection**; +- **SecurableObject_Key**; +- **Inheritance_Key**— key of the ancestor object that the securable object gets its inherited + rights from; + +`_SecurableObjectScanFail.csv`, with the following columns: + +- **command**; +- **Key**: concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**; +- **Label**; +- **ParentKey**; +- **HasUniqueRoleAssignments**. + +## Fulfill + +Usercube's fulfill functionality can add and remove members from existing SharePoint groups. + +### Configuration + +Same as for export, fulfill is configured through connections. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfillment": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file; +- An Azure Key Vault safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Scanlevel | `Connections----Scanlevel` | +| TimeOut | `Connections----TimeOut` | +| Server | `Connections----Server` | +| CsvUrls | `Connections----CsvUrls` | + +- A CyberArk Vault able to store SharePoint's `Login` and `Password`. 
+ +See the +[ RSA Encryption ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), +and +[ CyberArk's AAM Credential Providers ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                         +                            appsettings.cyberark.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfill": { +        "Login": "SharePointSettings", +        "Password": "SharePointSettings" +    } +  } +} +                     +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md new file mode 100644 index 0000000000..74a564393f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md 
@@ -0,0 +1,224 @@ +# Sql + +This connector exports data from one of various +[Database Management Systems](https://en.wikipedia.org/wiki/Database#database-management-systems). + +This page is about: + +- [Database/Generic SQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md); +- [Database/Microsoft SQL Server](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md); +- [Database/MySQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md); +- [Database/ODBC](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odbc/index.md); +- [Database/Oracle](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md); +- [Database/PostgreSQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md); +- [Database/SAP ASE](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sapase/index.md). 
+ +![Package: Directory/Database/Generic SQL](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp) + +![Package: Directory/Database/Microsoft SQL Server](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp) + +![Package: Directory/Database/MySQL](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp) + +![Package: Directory/Database/ODBC](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp) + +![Package: Directory/Database/Oracle](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp) + +![Package: Directory/Database/PostgreSQL](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp) + +![Package: Directory/Database/SAP ASE](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp) + +## Overview + +A database is a collection of relational data which represents some aspects of the real world. A +database system is designed to be built and populated with data for a specific task. + +A Database Management System (DBMS) is a software for storing and retrieving users' data while +considering appropriate security measures. + +> Some popular DBMS systems are Microsoft SQL Server, MySQL, Oracle, PostgreSQL, etc. + +The goal of this connector is to connect to a DBMS and execute a query in order to export a table. 
+ +## Prerequisites + +Implementing this connector requires: + +- the configuration of a DBMS system; + > For example for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15). +- creating a database `MyDb` with several tables and data so the user can query on the database, for + testing purposes. + +## Export + +This connector exports the content of any table from an SQL database and writes it to a CSV file. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures the connection to Microsoft SQL Server and exports the table +> `UC_Connectors` from the database `MyDb`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "SqlExport": { +> "ConnectionString" : "data source=.;Database=MyDb;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "SqlCommand": "SELECT * FROM [MyDb].[dbo].[UC_Connectors]" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| SqlCommand optional | **Type** String **Description** SQL request to be executed. **Note:** when not specified and `SqlFile` neither, then all the [entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| SqlFile optional | **Type** String **Description** Path of the file containing the SQL request to be executed. **Note:** ignored when `SqlCommand` is specified. **Note:** when not specified and `SqlFile` neither, then all the [entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| CsvEncoding default value: UTF-8 | **Type** String **Description** Encoding of the file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| ProviderClassFullName optional | **Type** String **Description** Invariant name to register the provider. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| ProviderDllName optional | **Type** String **Description** DLL, i.e. name and extension, to be loaded by the connector. **Note:** the DLL must be in the `Runtime` folder. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| IsolationLevel default value: ReadUncommitted | **Type** String **Description** Locking behavior of the transaction: `ReadUncommitted`; `ReadCommitted` - used for the databases that do not support the ReadUncommitted level, like Oracle databases. | + +### Connect to other DBMS + +Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: + +1. Download and extract the package. + > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/). + > + > ![MySQL: Download Package](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp) +2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder. + > For MySQL, the DLL is `MySql.Data.dll`. +3. Get the value required for `ProviderClassFullName` and `ProviderDllName`: + + - for a DBMS handled by Usercube's packages, by accessing the + [package page](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md); + + > For MySQL: + > + > ![Package Characteristics Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp) + + - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with + **Factory** in its name. 
+ + > If MySQL were not part of Usercube's packages, you would see + > [MySqlClientFactory](https://dev.mysql.com/doc/dev/connector-net/8.0/html/T_MySql_Data_MySqlClient_MySqlClientFactory.htm). + + The **Factory** class must derive from **DbProviderFactory**. After verification, the + `ProviderClassFullName` can be found in the **Inheritance Hierarchy** of the class. + + > For MySQL, here `ProviderDllName` is **MySql.Data.dll** and `ProviderClassFullName` is + > **MySql.Data.MySqlClient.MySqlClientFactory**. + > + > Then the following example configures the connection to MySQL and exports the table + > `UC_Connectors` from the database `MyDb` (the SQL command is inside `mySql.sql`): + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString" : "Server=localhost;Database=MyDb;Uid=root;Pwd=secret", + > "SqlFile": "C:/identitymanagerDemo/Conf/Sql/mySql.sql", + > "ProviderClassFullName": "MySql.Data.MySqlClient.MySqlClientFactory", + > "ProviderDllName": "MySql.Data.dll" + > } + > } + > } + > ``` + > + > Another example for ODBC: + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString": "Driver=ODBC Driver 17 for SQL Server;Server={YOUR-PC}\\SQLEXPRESS;Database={Database Name};Hostname=Localhost;DBALIAS={Database Alias};trusted_connection=Yes", + > "ProviderClassFullName": "System.Data.Odbc.OdbcFactory", + > "ProviderDllName": "System.Data.Odbc.dll", + > "SqlCommand": "SELECT * FROM {Table Name}", + > "IsolationLevel": null + > } + > } + > } + > ``` + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder one CSV file, named `.csv` whose columns correspond to the columns +returned by the SQL query. + +## Fulfill + +There are no fulfill capabilities for this connector. 
+ +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------------------- | -------------------------------------------------- | +| ConnectionString | `Connections----ConnectionString` | +| SqlCommand | `Connections----SqlCommand` | +| SqlFile | `Connections----SqlFile` | +| CsvEncoding | `Connections----CsvEncoding` | +| ProviderClassFullName | `Connections----ProviderClassFullName` | +| ProviderDllName | `Connections----ProviderDllName` | +| Timeout | `Connections----Timeout` | + +[CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +is not available for this connector. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md new file mode 100644 index 0000000000..86b060a200 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md 
@@ -0,0 +1,172 @@ +# Sql Server Entitlements + +This connector exports entitlements from +[Microsoft SQL Server](https://www.microsoft.com/en-us/sql-server/). + +This page is about +[Database/Microsoft SQL Server Entitlements](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md). + +![Package: Database/Microsoft SQL Server Entitlements](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp) + +## Overview + +Usercube can manage permissions within Microsoft SQL Server, by exporting the server's and +databases' principals, i.e. entities that can request Microsoft SQL Server's resources. + +SQL Server supports three types of principals: + +- logins at the server level; +- users at the database level; +- roles (if any) at either level. + +Every principal includes a security identifier (SID). + +## Prerequisites + +Implementing this connector requires: + +- the configuration of a Microsoft SQL Server system; + + > For example, for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15); + +- understanding the concept of principals, roles and permissions; + + > A little help on that with: + > + > > [Principals (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/principals-database-engine?view=sql-server-2017); + > + > > [Create a 
Login](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-login?view=sql-server-2017); + > + > > [Server-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-2017); + > + > > [Create a Database User](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017); + > + > > [Database-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-2017); + > + > > [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine?view=sql-server-2017); + > + > > [Permissions Hierarchy (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-hierarchy-database-engine?view=sql-server-2017). + +- a `ConnectionString` with a `Login` to connect to the SQL Server, where either the login has the + **sysadmin** role, or: + + - the login has the **securityadmin** role, in order to export server principals; + - each database to export has a database user attached to the login with at least one role among + **db_accessadmin**, **db_owner** and **db_securityadmin**, in order to export database + principals. + + [Securables](https://docs.microsoft.com/en-us/sql/relational-databases/security/securables?view=sql-server-2017) + can also be defined manually for both the server and database principals, but this is more + complicated and hence not recommended. + +## Export + +This connector exports from one or several databases to CSV files the following tables: + +- `sys.server_principals`; +- `sys.server_role_members`; +- `sys.database_principals`; +- `sys.database_role_members`. + +This connector exports only in complete mode. 
+ +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example connects Usercube to Microsoft SQL Server and exports the principals from +> the databases `UsercubeDemo` and `AdventureWorks2017`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SqlServerEntitlementsExport": { +> "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "Databases": [ "UsercubeDemo", "AdventureWorks2017" ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| Databases optional | **Type** String List **Description** List of databases to be exported. **Note:** when not specified, all databases from the SQL Server are exported. 
| + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder the following CSV files: + +- `_serverPrincipals.csv`; +- `_serverRoleMembers.csv`; +- `_databasePrincipals.csv`; +- `_databaseRoleMembers.csv`. + +> For example, if the connection identifier is **SqlServerEntitlementsExport**, then the file names +> are `SqlServerEntitlementsExport_serverPrincipals.csv`, etc. + +The output files' columns are the columns returned by the SQL query. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ---------------- | ------------------------------------------------ | +| ConnectionString | `Connections----ConnectionString` | +| Timeout | `Connections----Timeout` | + +[CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +is not available for this connector. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md new file mode 100644 index 0000000000..1d482c038b --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md @@ -0,0 +1,11 @@ +# Top Secret + +This connector exports users and profiles from a +[Top Secret](https://www.ibm.com/docs/en/szs/2.2?topic=audit-top-secret) (TSS) instance. + +This page is about +[Mainframe/Top Secret](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/tss/index.md). + +![Package: Mainframe/Top Secret](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/workday/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/workday/index.md new file mode 100644 index 0000000000..698acbc5aa --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/workday/index.md 
@@ -0,0 +1,205 @@ +# Workday + +This connector exports users and groups from a +[Workday](https://www.workday.com/en-us/products/talent-management/overview.html) instance. + +This page is about +[ERP/Workday](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workday/index.md). + +![Package: ERP/Workday](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp) + +## Prerequisites + +Implementing this connector requires: + +- using Workday Web Services (WWS) Directory + [v34.2](https://community.workday.com/sites/default/files/file-hosting/productionapi/versions/v34.2/index.html) + or later; + + > For example, the + > [Human Resources](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/Human_Resources.html) + > Web Service contains operations that expose Workday Human Capital Management Business Services + > data, including Employee, Contingent Worker and Organization information. + +- access to the Web Services that are to be used; +- the [XPath](https://www.w3.org/TR/1999/REC-xpath-19991116/) syntax to configure and select the + attributes to export. + +## Export + +This connector exports any entity available in WWS. + +### Configuration + +This process is configured through a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example connects Usercube to Workday and exports `Worker_ID` and `User_ID` from the +> entity Workers returned in +> [Get_Workers_Response](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml): +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "InputFilePath": "C:/identitymanagerContoso/Temp/bodies.json", +> "Login": "USERCUBE@contoso", +> "Password": "contoso1996", +> "Server": "https://workday.com/ccx/service/contoso" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| InputFilePath required | **Type** String **Description** Path of the JSON file defining which entities and attributes are to be exported. See more details below. | +| Login required | **Type** String **Description** Login used to authenticate to Workday. | +| Password required | **Type** String **Description** Password used to authenticate to Workday. | +| Server required | **Type** String **Description** URL of the targeted Workday instance. **Syntax:**`https://####.workday.com/ccx/service/tenantName` (without the Web Service part). | + +##### InputFilePath + +The file specified in `InputFilePath` must have a specific structure, with a section for each entity +to be exported. 
+ +> For example: +> +> ``` +> bodies.json +> { +> "Requests": [ +> { +> "XmlBody": " ", +> "EntityName": "workers", +> "IncrementalTag": "Transaction_Log_Criteria_Data", +> "WebService": "Human_Resources/v34.2" +> } +> ] +> } +> ``` + +| Name | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| XmlBody required | **Type** String **Description** Request to send to the Web Service. **Syntax:** `"XmlBody": " "` - the request body must begin with `` and end with ``; - inside the body, the entity request must use the namespace `bsvc`; - the body must fit on a single line. **Tip:** write the body in a separate XML file and use [TextFixer](https://www.textfixer.com/tools/remove-line-breaks.php) to remove line breaks. **Tip:**[see an example](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Request.xml). | +| XPaths optional | **Type** String Pair List **Description** One or several key-value pairs, where: - the key is the attribute name that will be the column name in the output CSV file; - the value is the XPath used in the response to get the attribute value. **Info:** useless most of the time because the information is provided by entity type mappings and entity association mappings. Still useful when using the exe directly. 
**Note:** NETWRIX recommends using an **XPath** to the property `WID`, because it helps logs (in Trace mode) find entities with multi-valued properties. **Syntax:** `"XPaths": { "Attribute_1_Name": "XPath 1", � "Attribute_N_Name": "XPath N" }` | +| EntityName required | **Type** String **Description** Name of the entity, which conditions the name of the output file. See more details. | +| IncrementalTag optional | **Type** String **Description** XML tag associated with the incremental request. **Note:** in the xml request, `` must be the parent of `` which is the parent of `` and ``. **Note:** when not specified, this entity is always exported in complete mode. **Warning:** the `IncrementalTag` part must not be added manually in `XmlBody` because the connector adds it automatically when exporting in incremental mode. | +| WebService required | **Type** String **Description** Name and version of the Web Service. | + +### Output details + +This connector is meant to generate to the +[ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder: + +- one CSV file for each entity, named `_.csv`, with the following + columns: + + - **Command**: used for + [PrepareSynchronizationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md); + - one column for each XPath found in the + [entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)' + connection columns and + [entity association mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)' + columns. 
+ [See Workday's documentation to compute XPaths](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml). + + ``` + _.csv + + Command,Key_XPath_1,Key_XPath_2,...,Key_XPath_N + Add,value1,value2,...,valueN + ``` + +- a cookie file named `workday__cookie.bin`, containing the time of the last + export in order to perform an incremental export. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We choose to export only the entity `workers`, so the output is generated to +> `WorkdayExport_workers.csv` in the directory +> [ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). +> +> The CSV file will include three columns: `Command`; `bsvc:Worker_Data/bsvc:Worker_ID` and +> `bsvc:Worker_Data/bsvc:User_ID`. 
+ +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------- | ------------------------------------------------ | +| InputFilePath | `Connections----InputFilePath` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Server | `Connections----Server` | + +- a + [CyberArk Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store Workday's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Usercube from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "Login": "WorkdayExport_Account", +> "Password": "WorkdayExport_Account" +> } +> } +> } +> ``` diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/active-directory/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/active-directory/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/apache-directory/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/apache-directory/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/azure/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/azure/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/csv/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/csv/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/csv/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/csv/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/cyberark/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/cyberark/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/easyvista/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/easyvista/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/excel/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/excel/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/excel/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/excel/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/generic-scim/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/generic-scim/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md new file mode 100644 index 0000000000..bfbc8437eb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md 
@@ -0,0 +1,16 @@ +# Generic SQL + +Exports data from a SQL database. + +| Package Characteristics | Value | +| ----------------------- | ----------------------- | +| Display Name | Database/Generic SQL | +| Identifier | Usercube.SQL@0000001 | +| Export | Usercube-Export-Sql.dll | +| Fulfill | NONE | +| Has Incremental Mode | False | +| Publisher | Usercube | + +When creating a connection to a database which is not handled by Usercube's packages, you'll need to +fill in the `ProviderDllName` and `ProviderClassFullName` properties of the +[SQL connector using the procedure given in the example](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/sql/index.md). diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/home-folders/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/home-folders/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/usercube-database/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/usercube-database/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md new file mode 100644 index 0000000000..3c311ac233 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md 
@@ -0,0 +1,111 @@ +# References: Packages + +If you are looking for the dll of a given package, be aware that you can often find it in the +[nuget catalog](https://www.nuget.org/packages). Then you can follow the procedure: + +1. Download and extract the package. + +2. Copy the dll file (corresponding to the appropriate .Net version) to the `Runtime` folder. + +- #### [Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md) + Manages users and groups in Active Directory. This package supports incremental synchronization + with the DirSync mechanism.- #### + [Apache Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md) + Manages users and groups in Apache Directory.- #### + [Azure](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure/index.md) + Exports Azure resources, role definitions and role assignments.- #### + [CSV](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/csv/index.md) + Exports CSV to prepare synchronization.- #### + [CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md) + Manages CyberArk entities, including user and group assignments.- #### + [EasyVista](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md) + Manages users inside an EasyVista instance. This package supports incremental + synchronization.- #### + [EasyVista Ticket](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md) + Creates tickets inside an EasyVista instance. 
This package supports incremental + synchronization.- #### + [Excel ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/excel/index.md) + Exports Excel data sheets.- #### + [Generic LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md) + Manages entries in an LDAP compliant directory.- #### + [Generic SCIM](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md) + Manages entities in SCIM compatible application.- #### + [Generic SQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md) + Exports data from a SQL database.- #### + [Google Workspace](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md) + Manages Google Workspace entities.- #### + [Home Folders](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md) + Manages Home Folders.- #### + [JSON](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/json/index.md) + Generate JSON files for each provisioning order. 
These JSON can then be used by custom + scripts.- #### + [LDIF](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/ldif/index.md) + Exports entries from a LDIF file.- #### + [Manual Ticket](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) + Opens manual provisioning tickets in Usercube.- #### + [Manual Ticket and CUD Resources](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) + Opens manual provisioning tickets in Usercube.- #### + [Microsoft Entra ID](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md) + Manages users and groups in Microsoft Entra ID (formerly Microsoft Azure AD). This package + supports incremental synchronization with the delta API.- #### + [Microsoft Exchange](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md) + Manages Microsoft Exchange mailboxes. This package supports incremental synchronization.- #### + [MySQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md) + Export data from a MySQL database.- #### + [OData](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odata/index.md) + Manages OData entities.- #### + [ODBC](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odbc/index.md) + Exports data from a generic ODBC compatible database.- #### + [Open LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md) + Manages entries in Open LDAP. 
This package supports incremental synchronization with the sysrepl + mechanism.- #### + [Oracle Database](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md) + Export data from an Oracle database.- #### + [Oracle LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md) + Manages entries in Oracle Internet Directory.- #### + [PostgreSQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md) + Export data from a PostgreSQL database.- #### + [PowerShellProv](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md) + Fulfills an external system with a custom PowerShell script.- #### + [PowerShellSync](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md) + Create a CSV export from a Powershell Script.- #### + [RACF](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/racf/index.md) + Exports the RACF users and profiles.- #### + [Red Hat Directory Server](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md) + Manages entries in a Red Hat Directory Server.- #### + [Robot Framework](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md) + Fulfills an external system using a Robot Framework script.- #### + [Salesforce](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md) + Manages Salesforce entities.- #### + [SAP ASE](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sapase/index.md) + Exports data from a SAP ASE database.- #### + [SAP ERP 
6.0](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md) + Manages users and roles in SAP ERP 6.0.- #### + [SAP S/4 HANA](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saphana/index.md) + Manages users and roles in SAP S/4 HANA.- #### + [ServiceNow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md) + Manages any data in the CMDB, including users and roles. This package supports incremental + synchronization.- #### + [ServiceNow Ticket](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) + Opens tickets in ServiceNow for the manual provisioning.- #### + [Shared Folders](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md) + Manages users and permissions in Shared Folders.- #### + [SharePoint](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md) + Exports sites, folders, SharePoint groups and permissions.- #### + [Slack](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/slack/index.md) + Manages Slack entities.- #### + [SQL Server](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md) + Export data from a SQL Server database.- #### + [SQL Server Entitlements](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md) + Exports SQL Server Entitlements- #### + [TSS](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/tss/index.md) + Exports the Top Secret users and profiles.- #### + [Unplugged](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md) + Manages an 
unplugged system with a completely custom data model.- #### + [Usercube Database](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md) + Updates the Usercube database for each provisioning order. This package is used for HR systems, + authoritative systems or other Usercube instances.- #### + [Workday](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workday/index.md) + Manages users and groups in Workday.- #### + [Workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) + Triggers workflows in Usercube for each provisioning order. diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/json/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/json/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/json/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/json/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/ldif/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/ldif/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/ldif/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/ldif/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md new file mode 100644 index 0000000000..c7ceb84ed7 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md @@ -0,0 +1,40 @@ +# Manual Ticket and CUD Resources + +Opens manual provisioning tickets in Usercube. + +| Package Characteristics | Value | +| ----------------------- | ------------------------------------------------------------------------------------- | +| Display Name | Ticket/identitymanager And Create/Update/Delete resources | +| Identifier | Usercube.UpdateManualProvisioningTicket@0000001 | +| Export | NONE | +| Fulfill | Usercube-UpdateManualProvisioningTicket.dll and Usercube-Update-FulfillmentStates.dll | +| Has Incremental Mode | False | +| Publisher | Usercube | + +## Virtual Resources + +This package allows to create tickets in the Manual Provisioning screen. + +After the validation of the ticket, the state of the resource will be `Executed`. +If a synchronization is available for the system manually fulfilled, the state could change to +`Verified` if the synchronized data are the ones expected. +If the external system cannot be synchronized, Usercube offers the possibility to create virtual +resources. It means that the data is not provided by a synchronization, but we trust the validation +of the ticket in the manual provisioning screen. The resources are created accordingly as if they +were coming from an external system. + +## Rights for CUD Resources + +If this package is used from the interface, the necessary rights will be automatically added. +If this package is used from the XML configuration, some rights will need to be added to allow the +creation, update or deletion of virtual resources. + +### Example + +Here is an example for an entity type called `MyTicketEntity`: + +``` + + + +``` 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md new file mode 100644 index 0000000000..f4442ffba8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md @@ -0,0 +1,12 @@ +# Manual Ticket + +Opens manual provisioning tickets in Usercube. + +| Package Characteristics | Value | +| ----------------------- | ------------------------------------- | +| Display Name | Ticket/identitymanager | +| Identifier | Usercube.Manual@0000001 | +| Export | NONE | +| Fulfill | Usercube-Update-FulfillmentStates.dll | +| Has Incremental Mode | False | +| Publisher | Usercube | diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/mysql/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/mysql/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/odata/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odata/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/odata/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odata/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/odbc/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odbc/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/odbc/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/odbc/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/open-ldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/open-ldap/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/oracle-database/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/oracle-database/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/postgresql/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/postgresql/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/powershellprov/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/powershellprov/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/powershellsync/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/powershellsync/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/racf/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/racf/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/racf/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/racf/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/robot-framework/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/robot-framework/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/salesforce/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/salesforce/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sapase/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sapase/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sapase/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sapase/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/saperp6/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/saperp6/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/saphana/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saphana/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/saphana/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/saphana/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/servicenow/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/servicenow/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/shared-folders/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/shared-folders/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sharepoint/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sharepoint/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/slack/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/slack/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/slack/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/slack/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sql-server/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/sql-server/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/tss/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/tss/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/tss/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/tss/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/unplugged/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/unplugged/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/workday/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workday/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/workday/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workday/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/workflow/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workflow/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/connectors/references-packages/workflow/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/workflow/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md new file mode 100644 index 0000000000..93c68cd26c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md 
@@ -0,0 +1,268 @@ +# Entity Model + +At the heart of any successful IGA project, dwells an efficient data model. + +The data involved in the project, be it reference data, identities, or from the managed systems', +needs to be modeled in a way that is both relevant to the organization and to Usercube. + +Usercube allows integrators to adapt the data model to the target organization, instead of forcing +the organization to fit in a pre-conceived hardwired model. This philosophy has proven successful by +Usercube's field experience and project feedback. + +## Entity-Relationship model + +The model for all resources (that means data from the managed system, reference data and identities) +is written in the +[applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md) +in the form of an +[Entity-Relationship model](https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model), called +the **entity model**. + +The model is organized into cohesive **connectors**, one for each managed system, and one for the +reference data/identity repository. + +An **entity model** describes the shape of resources (the **metadata**) and how they are built from +real world sources of truth (the **mapping**). + +### Metadata + +The **metadata** of a resource is the description of the resources' shape. Using the +_Entity-Relationship_ vocabulary, it's a list of property names and types for a resource. + +The metadata is written using +[EntityTypes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md), +[EntityProperties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and +[EntityAssociations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). 
+ +#### Entity types + +Every resource is assigned an +[EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that describes its shape. + +It's a description of the resource: it can be a managed system's resource or a real world entity +such as an identity or a department. + +An +[EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +includes: + +- one or more + [EntityProperties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- zero or more + [EntityAssociations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + +#### Entity properties + +Properties are key-value pairs, with a name and type that describes the nature of the value held by +the property. They are described by +[EntityProperties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +There are two kind of properties: **Scalar Properties** and **Navigation Properties**. + +**Scalar Properties** simply hold a value: a string, a number, a date for example. + +Available types include: + +- `String` +- `Bytes` +- `Int32` (32 bits integer) +- `Int64` (64 bits integer) +- `DateTime` +- `Bool` (boolean) +- `Guid` +- `Double` +- `Binary` (binary file like an image) + +For these types, the UI and binding system transforms the value retrieved from the database into the +corresponding type for display. + +**Navigation Properties** properties hold links between the parent resource and another resource. + +**Navigation Properties** type is `ForeignKey`. 
+ +**Navigation Properties** are completed by an +[EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +that explicitly describe the nature of the link. + +#### Entity association + +An +[Entity Association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +describes a link between entity types. It connects a pair of navigation properties, from two +**Entity Types**. + +There are two types of navigational properties: + +- _mono-valued_, that link to a [single](https://en.wikipedia.org/wiki/One-to-one_(data_model)) + entity; +- _multi-valued_, that link to a + [collection](https://en.wikipedia.org/wiki/many-to-many_(data_model)) of entities. + +Given a navigation property A of EntityType 1, linking EntityType 1 to navigation properties B of +EntityType 2, then navigation property B is called the reverse property of navigation property A and +navigation property A is called the reverse property of navigation property B. + +For example, + +- The _User_ entity type has the navigational property _Positions_ (a link to **zero or + more_**Position_ entities); +- The _Position_ entity type has the navigational property _Person_ (a link to **zero or + one_**User_ entity); +- The navigational property _Person_ is the reverse link of the navigational property _Positions;_ +- The _User_ entity type has the navigational property _Manager_ (a link to **zero or one_**User_ + entity); +- The _User_ entity type has the navigational property _Subordinates_ (a link to **zero or + more_**User_ entities); +- The navigational property _Subordinates_ is the reverse link of the navigational property + _Manager_. + +#### Locatable property + +Some property values must be available in several languages. In this case, we define a **neutral +property** and as many corresponding properties as languages. 
+ +The built-in _InternalDisplayName_ property is a neutral property. Its associated properties are +named _InternalDisplayName_L`{Index}`_ where _Index_ reference the +[languages list](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/languages/index.md). + +#### Computed property + +A property can be calculated from other properties. The +[EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +element allows the expression of a computed property. It references the property (specifying the +entity type's identifier and the property's identifier) and expresses the calculation based on a +given entity using the +[calculation expression syntax](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + +An element `` can be used to calculate a scalar property or a mono-valued +navigation property. In the latter case, the expression must return an integer that corresponds to +the primary key of the target entity. + +#### Display name + +Every declared **EntityType** automatically has the `InternalDisplayName` property even if it is not +explicitly declared in the applicative configuration. + +It represents a user-friendly name for **EntityType** that is used in the UI if needed. + +Its value can be explicitly computed by an +[EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). +Otherwise, a default value is automatically computed by Usercube using the first property of the +**EntityType** where `identifier` contains the string _"name"_. If no such property is found, the +first declared property of the **EntityType** is used instead. + +The _InternalDisplayName_ property will be used as a default label of the entity in the UI. + +#### Database mapping + +Resources from the **resource repository** are stored in the generic UR_Resources table. 
+ +This table has: + +- 128 columns to store scalar properties (index 0 to 127). The first four are reserved for big + scalar properties values (as many as 4000 unicode char). he other columns are limited to 442 + unicode char. These columns are named C0 to C3V following a base-32 convention for naming. + +- 25 columns to store mono-valued navigational properties values (index 128 to 152). These columns + are named `I0` to `I4N` following a base-32 convention for naming. + +_Multi-valued navigation property_ values are stored in the UR_ResourceLinks junction table. + +Binary property values (such as pictures or files) are stored in the UR_ResourceFiles table. + +### Mapping + +Usercube's Entity Model also contains **a mapping** between the external data and +[EntityProperties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +or +[EntityAssociations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). +That's why entity types are organized into **connectors**. The **mapping_**connects_ entity types +to external sources of truth. 
+ +This information is provided by the +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), +their +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +and +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + +To build Usercube resources from external data found in the managed system, the entity model +provides a mapping between the external data (often in the form of CSV files, see +[Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)) +and entity properties. This information is provided by the +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), +their +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +and +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Every +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +maps a CSV column to a scalar +[EntityProperty](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). 
+ +Every +[EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +maps a CSV column to a navigation +[EntityProperty](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +#### Format + +When exporting entries from an external system, the results are usually retrieved as simple strings, +written in a CSV file, and imported into the Usercube Database as-is. But an external system will +rarely uses the same format as Usercube to store objects such as dates. + +Let's take, for example, a case where we want to store an employee's start date: + +- In the external system, the date is stored as a string with the format `2020-09-29 22:00:00`. +- In Usercube, dates are stored as strings in the format `20200929220000` + +We need to transform the input data, from the export, into something readable by Usercube and, when +writing to the external system, transform Usercube's data back into something readable by the +external system. + +![Export and Fulfill Data transformation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) + +The format used in the external system can be provided through the +[EntityPropertyMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +using the +[Format attribute](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) +to help Usercube to convert data appropriately. 
+ +If the field in the external system is not forced to a specific value type, but is free-form +(example: a string field in which date values are stored but which can sometimes hold other values), +we strongly recommend not using the `Format` attribute to prevent inconsistent user input in the +external system. + +#### Primary key + +When writing an +[EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), +one of the _scalar properties_ should be chosen as +[primary key](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md). +This property will be used by Usercube to +[uniquely identify a resource](https://en.wikipedia.org/wiki/Primary_key). It is hence crucial to +choose carefully as many of Usercube's processes and optimizations depend on this choice. + +### SQL views + +The `UR_Resource` table contains resources from all the connectors, for all the Entity Types. +Columns names are not semantically meaningful because they have generic I\*/C\* names. For this +reason, Usercube provides SQL views to help the user explore the resource repository from the +database. The views are useful to understand how Usercube works or to debug a faulty configuration. + +SQL Views are built by the +[CreateDatabaseViews tool](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md). + +SQL Views created by this tool are identified in the database by a `zz_` prefix. + +Created views are not used by the Usercube engine directly. Usercube's engine always creates, reads, +updates and deletes from the `UR_*` tables. + +## Records + +The **entity model** is enhanced with **records** to handle positions and movements of staff. +Details can be found +[here](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md). 
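Review bot: in the "Computed property" section of entity-model/index.md, the sentence "An element `` can be used to calculate a scalar property or a mono-valued navigation property" has an empty code span, so the element name is missing. The paragraph above it names EntityPropertyExpression, so the tag was most likely dropped during conversion and should be restored as escaped inline code. Two smaller points in the same file: the resource table is called UR_Resources under "Database mapping" but `UR_Resource` under "SQL views", and one of the two needs correcting so that readers query the right table. The emphasis markers are also crossed in several places (`**zero or more_**Position_`, `**mapping_**connects_`), which will render literal asterisks and underscores instead of bold and italic text.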
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/index.md new file mode 100644 index 0000000000..badef25066 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/index.md @@ -0,0 +1,5 @@ +# Executables + +The documentation is not yet available for this page and will be completed in the near future. + +[See the list of available executables](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/agent/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/agent/index.md new file mode 100644 index 0000000000..3e1c4354f3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/agent/index.md @@ -0,0 +1,28 @@ +# Usercube-Agent + +This tool runs the Agent on a seperate server instance. The Agent is able to communicate with the +[Usercube-Server](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md). + +## Examples + +With a properly configured environment, the following command runs the agent. It listens on two +different ports: + +``` +./identitymanager-Agent.exe --urls "http://localhost:6001;http://localhost:6002" +``` + +When the Agent starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:6001 +[xx:xx:xx INF] Now listening on: http://localhost:6002 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ---------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the agent is listening to. | 
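Review bot: the example command in agent/index.md runs `./identitymanager-Agent.exe` while the page title is "Usercube-Agent" and the text links to "Usercube-Server". The executable name in the command should match the binary that actually ships, otherwise the command fails when copied as written. The example and the `--urls` row also show only `http://localhost` bindings; consider stating whether `--urls` accepts `https://` and non-loopback addresses, since that decides whether Agent traffic crosses the network in clear text. Minor: "seperate" should be "separate".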
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/anonymize/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/anonymize/index.md new file mode 100644 index 0000000000..2fcab9a4c2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/anonymize/index.md 
@@ -0,0 +1,116 @@ +# Usercube-Anonymize + +This tool anonymizes data based on a certain knowledge of the database and the data structure. + +## Overview + +Anonymizing data helps unlock situations where it is necessary to send data to varied teams while +guaranteeing the privacy of the data owners. + +> For example, it can be necessary to transmit data to an integration team that needs to set up +> tests or a development environment to work on the applicative configuration. For example, users +> sometimes need to send data to Usercube's support team to reproduce a bug and get it corrected. + +## Technical Principles + +Anonymizing can be performed on data: + +- from a CSV file, with the output written to a new CSV file; +- directly inside a SQL database, overwriting existing data with the anonymized data. + + In this case, the plain data is lost. So make sure to work on a copy of the original database. + +Several types of data can be anonymized, according to distinct substitution methods that are +deterministic and non-reversible: + +- strings have each alphabetical character substituted for another alphabetical character; + + > For example, `John Doe` becomes `Xert Okl`. + + Diacritical characters are replaced by a non-diacritical equivalent. + +- numbers have each digit substituted for another digit; + + > For example, `54689` becomes `32016`. + +- emails have the username anonymized, while leaving the domain name as is; + + > For example, `johndoe@contoso.com` becomes `xertoekl@contoso.com`. + +- Active Directory's RDN properties (Relative Distinguished Names), in the _attribute=value_ format, + are anonymized via the string method on the value, leaving the attribute as is. + + > For example, `CN=John Doe` becomes `CN=Xert Okl`. 
+ +## Examples + +### Anonymizing a CSV file + +The following example anonymizes the `first_name`, `last_name`, `email` and `phone` column of the +following CSV file: + +``` + +id,first_name,last_name,email,gender,phone +1,Darrin,Crumpe,dcrumpe0@nifty.com,Male,2666420820 +2,Lyon,Boddam,lboddam1@eepurl.com,Male,5927617041 +3,Roxana,Prose,rprose2@statcounter.com,Female,5134883113 +4,Vladimir,Grisedale,vgrisedale3@blogtalkradio.com,Male,1338476916 +5,Jaquith,Pendrich,jpendrich4@merriam-webster.com,Female,1894520819 +6,Art,Sweatland,asweatland5@boston.com,Male,5066492715 +7,Lynelle,Klammt,lklammt6@stumbleupon.com,Female,5653774981 +8,Chicky,Blatherwick,cblatherwick7@walmart.com,Male,4095068397 +9,Delilah,Kauscher,dkauscher8@de.vu,Female,9324858513 +10,Estelle,Melmeth,emelmeth9@dot.gov,Female,2176715812 + +``` + +The following command outputs the anonymized data in STDOUT. + +``` + +./identitymanager-Anonymize.exe -n C:/Projects/identitymanager/Documentation/exampleSources/Anonymizer/users.csv -s "," --columns first_name,last_name,mail:email,number:phone + +``` + +The output is: + +``` + +id,first_name,last_name,email,gender,phone +1,Afccrp,Icqesl,aicqesl0@nifty.com,Male,6111065265 +2,Mdhp,Qhaafe,mqhaafe1@eepurl.com,Male,4665125502 +3,Chlfpf,Schnl,cschnl2@statcounter.com,Female,4230223223 +4,Imfarerc,Ocrnlafml,iocrnlafml3@blogtalkradio.com,Male,2332051621 +5,Jfkqrfg,Slpacrig,jslpacrig4@merriam-webster.com,Female,2260465226 +6,Fcf,Nalffmfpa,fnalffmfpa5@boston.com,Male,4511066524 +7,Mdplmml,Bmfeef,mbmfeef6@stumbleupon.com,Female,4143550622 +8,Igribd,Qmffglcarib,iqmffglcarib7@walmart.com,Male,0564512365 +9,Almrmfg,Bfqniglc,abfqniglc8@de.vu,Female,6360242423 +10,Lnflmml,Elmelfg,lelmelfg9@dot.gov,Female,6251524226 + +``` + +### Anonymizing a SQL Server table + +The following example overwrites the `UR_Resources` table of Usercube's database with anonymized +data for the `C3`, `C8`, `CA`, `CB`, `CC` and `CD` columns for all resources whose `Type` is `17`. 
+ +``` + +.\Usercube-Anonymize.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" --table UR_Resources --columns "number:C3,C8,number:CA,mail:CB,number:CC,number:CD" --select-query "select * FROM UR_Resources WHERE Type = 17" + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --columns required | **Type** Strings **Description** Columns from the CSV or SQL database that need anonymizing. **Usage** The value is a string sequence in the form `type:columname`, separated by a coma `,`, where `type` is used to choose the anonymize algorithm from among the following formats: `string` (default value); `mail`; `number`; `rdn`, and where `columnname` is the actual name, not case-sensitive, of the column to anonymize. See more details on formats in the previous section. | +| --connection-string optional | **Type** String **Description** Connection string to the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | +| --csv-separator (-s) default value: ; | **Type** String **Description** Separator of the input CSV file, provided between simple quotes. **Note:** used only when anonymizing a CSV file. | +| --entry-file (-n) optional | **Type** String **Description** Path to the input CSV file to anonymize. 
**Note:** required when anonymizing a CSV file. | +| --no-transaction optional | **Type** No Value **Description** Disables the SQL transaction for the request made by the anonymizing tool to the target SQL Server database. **Warning:** NETWRIX recommends using this option only when using transactions leads to a failure (exceeded RAM usage, exceeded CPU usage), because it could corrupt the data from the database. Make sure to prepare a backup of the database before using this option. **Note:** used only when anonymizing a database. | +| --output (-o) default value: STDOUT | **Type** String **Description** Path of the output CSV file to write the anonymized data. **Note:** used only when anonymizing a CSV file. | +| --select-query (-q) optional | **Type** String **Description** SQL query to filter the rows to be anonymized. **Note:** used only when anonymizing a database, and useful only when the query includes a "WHERE" condition, otherwise the `--table` and `--columns` arguments are enough. **Usage** The table targeted by the query must be on the table specified in `--table`. **Examples** `SELECT Id, name, firstName FROM Resources WHERE resourceType = 'Person'` is a query with a simple condition. `SELECT * FROM Persons WHERE resourceType = 'Person' AND specialFlag = 'TopSecret'` selects all columns, and adds a specific condition. | +| --table (-t) optional | **Type** String **Description** Name of the table from the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md new file mode 100644 index 0000000000..ab8db49c90 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md 
@@ -0,0 +1,33 @@ +# Usercube-Compute-CorrelationKeys + +This tool is used to compute the values of all correlation keys. + +## Examples + +The following example computes the correlation keys of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. | +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. 
| +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in [`SelectUserByIdentityQueryHandler`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/configuration-transform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/configuration-transform/index.md new file mode 100644 index 0000000000..1ecfb99fd0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/configuration-transform/index.md 
@@ -0,0 +1,43 @@ +# Usercube-Configuration-Transform + +This tool applies a series of transformations specified in a JSON file, on the content of a given +directory. + +## Example + +The following example searches all occurrences of `Directory_User` in the files inside +`C:/identitymanagerDemo/Conf` whose names: + +- contain `guest` to replace all occurrences with `Directory_Guest`; +- contain `bot` to replace all occurrences with `Directory_Bot`. + +The resulting files are saved in `C:/identitymanagerDemo/ConfTransformed`. + +``` + +./identitymanager-Configuration-Transform.exe --input "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/ConfTransformed" --transformation-file "C:/identitymanagerDemo/transformations.json" + +``` + +transformations.json + +```json +{ + "*guest*": { + "Directory_User": "Directory_Guest" + }, + "*bot*": { + "Directory_User": "Directory_Bot" + } +} +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --input required | **Type** String **Description** Path of the directory on which the transformations are to be applied. | +| --transformation-file required | **Type** String **Description** Path of the JSON file that contains the transformations to be applied. 
The first half of the following JSON transformation file intends to search all files in the input directory whose names are `filename` (case-insensitively). In those files, any occurrence of `ToBeReplaced` (case-sensitively) is replaced with `Replacement`. `{ "filename": { "ToBeReplaced": "Replacement" }, "partialfilename*": { "ToBeReplaced2": "Replacement2" } }` **Note:** instead of a specific file name, Usercube can search for files whose names contain a specific string, using the character `*`. | +| | | +| --- | --- | +| --output required | **Type** String **Description** Path of the folder where the result will be saved. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/create-databaseviews/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/create-databaseviews/index.md new file mode 100644 index 0000000000..378a5c738e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/create-databaseviews/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Create-DatabaseViews + +Generates entity model SQL views in the Usercube database. All views are prefixed by `zz_`. This +tool deletes all views starting by `zz_` and creates views from the entity model described in the +running configuration. + +For every **EntityType**, a matching SQL view is created from the UR_Resource table. + +## Example + +The following example allows the user to connect to Usercube server at +`http://identitymanager.contoso.com`, using the ClientId `Job` and Secret `secret`, to generate views for +Usercube's database. + +``` +./identitymanager-Create-DatabaseViews.exe --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" --log-level Debug +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --progress-use-database optional | **Type** String **Description** Update progress in the SQL database. | +| --progress-use-database-child-instance optional | **Type** String **Description** Initiate child task instance. | +| --progress-use-api optional | **Type** String **Description** Update progress with the API. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. 
| +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | + +You can explore created views in the Usercube database's Views folder in SQL Server Management +Studio + +![SSMS Views](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/csv-transform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/csv-transform/index.md new file mode 100644 index 0000000000..9200ca0491 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/csv-transform/index.md 
@@ -0,0 +1,68 @@ +# Usercube-CSV-Transform + +## Examples + +### Define a primary key + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with the following headers line: + +`Login,Company,Email,FirstName,LastName` + +To avoid having too much duplicated information on each line in a CSV file, we need to define a +primary key for the file which will allow the pooling of common information. We choose to +concatenate the values of the columns `Login` and `Company ` with a `-` as separator in an `Id` +column, which will be defined as key for our file. + +`--input-file C:/identitymanagerContoso/Sources/hr_example.csv --columns-concat "Login Company - ID"` +`--columns-key ID` + +### Handle multi-valued columns in a generated file + +Consider the file `C:/identitymanagerContoso/Sources/hr_example123.csv` with the following headers line +separated by a `;`: + +`GroupAzure;Members;GroupSharePoint;Members` + +This file is automatically generated by a script and the suffix (`123`here) is incremented on each +generation. Thus, we need to use a regex to avoid changing the command line for each new generated +file. + +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ;` + +The file contains two headers with the same name, each related to one kind of group. Thus, we need +to rename one of these headers. + +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure"` + +In this example, we will consider that the two Members columns contain all members for each group +separated by a `,` for the first Members column, and by a `*` for the second one. We need to +transform these columns in Usercube's format for multi-valued attributes. 
+ +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure" --columns-multivalued "MembersAzure ," "Members *"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --input-path required | **Type** String **Description** Specifies the CSV file to modify. **Example** Define `C:/identitymanagerContoso/Sources/hr_example.csv` as input file: `--input-file C:/identitymanagerContoso/Sources/hr_example.csv`. | +| --output-path optional | **Type** String **Description** Specifies the output path, which is the exports' output path by default. **Example** Define `C:/identitymanagerContoso/Test` as output folder: `--output-path "C:/identitymanagerContoso/Test"`. | +| --new-name optional, required **if** --regex is true | **Type** String **Description** Specifies the new name for the output file. **Example** Define new name `hr_transformed.csv`: `--new-name hr_transformed.csv`. | +| --input-file-encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Example** `--input-file-encoding UTF-16`. | +| --headers-edit-index optional | **Type** String List **Description** Specifies the headers to edit by index, which is particularly useful to rename empty headers. Each member of the list is written like `index newHeader`. **Example** Add or replace header at index 1 with `ExampleHeader` : `--headers-edit-index "1 ExampleHeader"`. | +| --headers-edit-name optional | **Type** String List **Description** Specifies the headers to rename (first found) with the new name. Each member of the list is written like `currentHeader newHeader`. **Example** Rename headers `CompanyId` into `Company` and `int32_1` into `int32`: `--headers-edit-name "CompanyId Company" "int32_1 int32"`. | +| --headers-remove-index optional | **Type** Integer **Description** Specifies the headers to remove by index. This command can be used to remove the second occurrence of a duplicate header by specifying its index. **Example** Remove header located at index 5: `--headers-remove-index 5`. | +| --headers-remove-name optional | **Type** String List **Description** Specifies the headers to remove by name (first found). **Example** Remove first occurrences of headers `date1` and `bool1`: `--headers-remove-name date1 bool1`. | +| --new-headers optional | **Type** String List **Description** **ONLY** for files without headers, specifies the new headers **except** the ones created by the concatenation of columns. **Example** Defines `header1` and `header2` as headers of the file: `--new-headers header1 header2`. | +| --columns-concat optional | **Type** String List **Description** Specifies the columns to concatenate and how. Each member of the list is written like `column1Header column2Header`. If you want to specify characters between the column values, you can write `column1Header column2Header charactersBetween`. 
This operation creates a new column where it puts the result of the concatenation. This column header is the concatenation of the headers, but you can change it by writing the member like `column1Header column2Header charactersBetween newColumnHeader`. **Example** Concatenate columns: - `Company` and `Employee` with a `-` between them. `ID` will be the new column header. - `guid1` and `bytes1` with `_` between them. - `int32_2` and `int64_2` with nothing in between. `--columns-concat "Company Employee - ID" "guid1 bytes1 _" "int32_2 int64_2"` . | +| --columns-multivalued optional | **Type** String List **Description** Specifies the columns with multi-valued values not splittable with breaks. Each member of the list is written like `columnHeader separator`. **Example** Handle columns `multivalued1`, using separator `,`, and `multivalued2`, using separator `*`: `--columns-multivalued "multivalued1 ," "multivalued2 *"`. | +| --columns-date optional | **Type** String List **Description** Specifies the columns with date values, and their date format, to format them into Usercube's format. Each member of the list is written like `columnHeader dateFormat`. **Example** Format date columns `date1` and `date2`, using the format `yyyyddMMHHmmss`: `--columns-date "date1 yyyyddMMHHmmss" "date2 yyyyddMMHHmmss"`. | +| --columns-bool optional | **Type** String List **Description** Specifies the columns with Boolean values to convert them into Usercube's format. **Example** Format Boolean columns `bool1` and `bool2`: `--columns-bool bool1 bool2`. | +| --columns-int32 optional | **Type** String List **Description** Specifies the columns with Int32 values to convert them into Usercube's format. **Example** Format Int32 columns `int32_1` and `int32_2 `: `--columns-int32 int32_1 int32_2`. | +| --columns-int64 optional | **Type** String List **Description** Specifies the columns with Int64 values to convert them into Usercube's format. 
**Example** Format Int64 columns `int64_1`and `int64_2`: `--columns-int64 int64_1 int64_2`. | +| --columns-guid optional | **Type** String List **Description** Specifies the columns with Guid values to convert them into Usercube's format. **Example** Format Guid columns `guid1`and `guid2`: `--columns-guid guid1 guid2`. | +| --columns-bytes optional | **Type** String List **Description** Specifies the columns with Bytes values to convert them into Usercube's format. **Example** Format Bytes columns `bytes1` and `bytes2`: `--columns-bytes bytes1 bytes2`. | +| --columns-key optional | **Type** String List **Description** Specifies the columns key to delete duplicates (the first line found is the one we keep). A column created by this tool can be specified as a key column through this argument, like the columns created by the `--columns-concat` for example. **Example** Define columns `RawId` and `ID` as keys: `--columns-key RawId ID`. | +| | | +| --- | --- | +| --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. | +| --separator optional | **Type** String **Description** Defines the separator if different than `,`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/decrypt-file/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/decrypt-file/index.md new file mode 100644 index 0000000000..7d9ba7180b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/decrypt-file/index.md 
@@ -0,0 +1,29 @@ +# Usercube-Decrypt-File + +In Usercube, files are encrypted by default. This tool decrypts an input file to save it into an +output file or an OutPutConsole that can be used in Powershell scripts or programs. + +## Examples + +### Result loaded in OutPutConsole (PowerShell Script) + +The following example, used in a Powershell script, saves in the variable `decryptFile` the string +obtained by decrypting the files specified by the `ordersFile` variable. The decryption is made +using the agent side certificate defined in the agent's `appsettings.json`. + +``` + +$decryptFile = & ./identitymanager-Decrypt-File.exe --files $ordersFile + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) required | **Type** String **Description** List of all the files to decrypt. | +| --encoding (-e) default value: UTF-8 | **Type** String **Description** Encoding used for any encryption/decryption. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| --output-path (-o) optional | **Type** String **Description** Output path to save all decrypted files. **Note:** used only when the result is saved in a file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md new file mode 100644 index 0000000000..917ff20bd0 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md 
@@ -0,0 +1,67 @@ +# Usercube-Deploy-Configuration + +Retrieves all XML configuration files from a given folder, in order to calculate the configuration +items to insert, update or delete in the application. + +## Examples + +### Locally + +The following example deploys an on-premise configuration via a direct connection to the database +through its connection string: + +``` + +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +### Remotely + +The following example deploys a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +``` + +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --api-url https://my_usercube_instance.com + +``` + +To be able to deploy a SaaS configuration, you must first provide your Usercube administrator with +identity information. +[See how to deploy a SaaS configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md) +for the first time. + +## Arguments + +| Argument Name | Details | +| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | **Type** String **Description** Path to the configuration folder. | +| --continuous-deployment (-a) optional | **Type** No Value **Description** Enables automatic deployment when saving an XML file. | +| --deployment-slot optional | **Type** DeploymentSlot **Description** Type of the targeted server among the slot names provided by NETWRIX' SaaS team. For example: `Development`, `Staging`, `Production`. 
**Note:** required when working in a SaaS production environment. | +| --dump-changes-directory optional | **Type** String **Description** Path to a directory that will receive the logs of all modifications made to the database. **Note:** can be used with `--simulate-only` for an additional security before deploying to production. | +| --enable-saas-checks optional | **Type** No Value **Description** Enables the checks necessary to deploy in a SaaS environment. **Note:** enabled automatically when working in SaaS. This argument can be used when deploying locally in order to anticipate a future SaaS deployment. | +| --force-bindings (-bi) optional | **Type** No Value **Description** Forces the recomputation of binding paths in the database. | +| --force-cascade-delete optional | **Type** No Value **Description** Enables the deletion or archiving of XML configuration items that require extra care and/or approval, usually for dependency issues. **Warning:** NETWRIX recommends using this option only when prompted by the deployment tool. | +| --force-categories (-c) optional | **Type** No Value **Description** Forces the recomputation of the counters for role categories in the database. | +| --force-expressions (-e) optional | **Type** No Value **Description** Forces the recomputation of C# expressions in the database. | +| --force-permissions (-p) optional | **Type** No Value **Description** Forces the recomputation of access permissions in the database. | +| --force-translations optional | **Type** No Value **Description** Forces the recomputation of the translations for the activity template states and the internal display name properties in the database. | +| --http-client-timeout-supplement optional | **Type** Int32 **Description** Duration (in minutes) after which the deployment command times out, in addition to the default 30 minutes. | +| --no-create-index optional | **Type** No Value **Description** Disables the creation of indexes related to the configuration. 
**Warning:** NETWRIX recommends using this option only when advised by the support team. | +| --reset-database optional | **Type** No Value **Description** Deletes the whole database and creates an empty one before deploying. | +| --resource-identity-property optional | **Type** String **Description** Overrides the resource identity property used by the `SelectUserByIdentityQueryHandler` settings. | +| --simulate-only optional | **Type** No Value **Description** Computes and previews on the screen all the changes to be made, but without editing the database. | +| | | +| --- | --- | +| --api-client-id optional | **Type** String **Description** Login of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-secret optional | **Type** String **Description** Password of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-url optional | **Type** String **Description** URL of the server to export/deploy the configuration to, for remote changes. **Note:** required when `--database-connection-string` is not specified. | +| | | +| --- | --- | +| --database-connection-string optional | **Type** String **Description** Connection string of the database. **Note:** required when `--api-url` is not specified. | +| --product-translation optional | **Type** No Value **Description** Path of the JSON file that contains the application's translations. [See more details on how to import the product's translations](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md). | +| --scope optional | **Type** String **Description** Path of a folder or file to export/deploy, instead of exporting/deploying the whole configuration. 
| +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md new file mode 100644 index 0000000000..8300213a34 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md 
@@ -0,0 +1,61 @@ +# Usercube-EasyVistaTicket-UpdateFulfillmentState + +The use of this executable supposes a previous use of the `Usercube-Fulfill-ToEasyVistaTicket` +executable. + +`Usercube-Fulfill-ToEasyVistaTicket` creates tickets in an EasyVista instance: +`Usercube-EasyVistaTicket-UpdateFulfillmentState` sets the fulfillment state of the corresponding +assigned resource types in Usercube for tickets that are closed (`Executed`) or canceled (`Error`). + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for all resource types that have a target entity type of the connector `EasyVista`, +we set the fulfillment state of the corresponding assigned resource types. 
+ +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for the resource types `EasyVista_NominativeUser` and `EasyVista_Administrator`, we +set the fulfillment state of the corresponding assigned resource types. + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. | +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | 
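Review bot: In the Arguments table of compute-correlationkeys/index.md the `--batch-size (-q)` row is listed twice (first row, and again after `--all-entityType`), and the empty `| | |` / `| --- | --- |` rows cut the table into fragments; drop the duplicate and the separator rows so it renders as one table. The example connection string sets `encrypt=false`, and readers copy these commands, so either state that it applies to the local `data source=.` instance only or show an encrypted connection. The title says `Usercube-Compute-CorrelationKeys` while the command runs `identitymanager-Compute-CorrelationKeys.exe`; use one name or say that the executable was renamed.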
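Review bot: The `--transformation-file` row in configuration-transform/index.md explains only "the first half" of its inline JSON and leaves the `"partialfilename*"` entry undocumented, so the wildcard rule is unclear: the note says `*` matches names that contain a string, the inline sample uses a trailing `*` only, and the example file uses `*guest*` and `*bot*`. State where `*` may appear and what each position matches. The row should also say what happens when a file name matches more than one key, and the empty `| | |` / `| --- | --- |` rows before `--output` should be removed.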
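Review bot: The example in create-databaseviews/index.md passes `--api-client-id Job` and `--api-secret secret` to `--api-url "http://identitymanager.contoso.com"`, which shows the OpenID client secret being sent over plain HTTP; use an `https://` URL in the example. The introduction says the tool deletes all views starting with `zz_` before recreating them, which merits a Warning callout, since as described the prefix match is not limited to views the tool created. The three `--progress-use-*` rows are typed String but their descriptions read like switches; say what value is expected.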
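Review bot: Every example in csv-transform/index.md, including the one inside the `--input-path` row itself, passes `--input-file`, while the Arguments table names the argument `--input-path`; a reader cannot tell which one the tool accepts, so align the examples and the table. In the first example the prose announces an `Id` column but the command creates and keys on `ID`. The regex examples pass `hr_example(.*?).csv` and `--separator ;` unquoted, and both the parentheses and the `;` are special characters in PowerShell and POSIX shells, so quote them. The page also has no description sentence under the title, unlike the sibling pages.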
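Review bot: In decrypt-file/index.md the `--files (-f)` row is typed String but described as "List of all the files to decrypt"; make it String List or describe a single path. The Examples section covers only the console case, although `--output-path` exists for writing decrypted files to disk; add an example for it and state where the plaintext is written and that it is left unencrypted there. "OutPutConsole" and "Powershell" should follow one spelling across the page.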
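Review bot: The `--reset-database` row in deploy-configuration/index.md ("Deletes the whole database and creates an empty one before deploying") carries no Warning, while `--no-create-index` and `--force-cascade-delete` do; add one and recommend a backup, as the anonymizer page does for `--no-transaction`. The `--product-translation` row is typed "No Value" but described as "Path of the JSON file", so the type should be String. The Remotely example passes only `--api-url`, and the `--api-client-id` / `--api-secret` rows are marked soon deprecated, so the page should state how the remote call is authenticated. The local example also sets `encrypt=false` in the connection string without comment.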
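Review bot: The `--login` row in easyvistaticket-updatefulfillmentstate/index.md is described as "Path of the file used for complete synchronization", which looks copied from another page; the examples pass `--login "Contoso"`, so it should describe the EasyVista login. All four examples put `--password "cOntoSo6789"` and `--api-secret "secret"` on the command line, yet the table lists `--vault`, `--certificate-identifier` and `--vault-connection-string` without showing how they are used; add an example that takes the credentials from the vault, or explain how these options relate to `--password`. Spacing slips: `"secret"--url` in the fourth example, and `--resource-typesis` / `--connectoris` in the Argument Name column. The two leading `| | |` / `| --- | --- |` rows and the later ones should be removed.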
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/encrypt-file/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/encrypt-file/index.md new file mode 100644 index 0000000000..06ee28c381 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/encrypt-file/index.md 
@@ -0,0 +1,37 @@ +# Usercube-Encrypt-File + +In Usercube, files are encrypted by default. This tool encrypts an input file or the InputConsole of +a Powershell program or file to save it as an encrypted output file. This task cannot be configured +in the configuration. + +## Examples + +### Launch the tools with input console (powershell script) + +The following example, used in a Powershell script, decrypts the file(s) specified by the +`csvResult` variable and saves the result in the location specified in `resultsFile`. The encryption +is made using the certificate's thumbprint, store location and store name. + +``` + +$csvResult | & ./identitymanager-Encrypt-File.exe --file-cert-thumbprint $certificateThumbprint --file-cert-store-location $certificateStoreLocation --file-cert-store-name $certificateStoreName --output-path $resultsFile + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) optional | **Type** String **Description** List of all the files to encrypt. **Note:** required when the entry is made of files. | +| --output-path (-o) optional | **Type** String **Description** Output path to save the encrypted files or input console. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. | +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. 
| +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-bacpac/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-bacpac/index.md new file mode 100644 index 0000000000..2961484d00 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-bacpac/index.md 
@@ -0,0 +1,35 @@ +# Usercube-Export-Bacpac + +This tool exports the database to a bacpac file, as a backup. + +## Examples + +The following example generates to `` a bacpac file from the Usercube database with +the given connection string and based on the bacpac template from the SQL folder. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Export-Bacpac.exe --database "" -s "" --bacpac-path 0 --template-bacpac-path "" + +``` + +## Arguments + +The list of arguments: + +| Argument Name | Type | Description | +| ------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --database-connection-string (-s) required | String | Connection string of the database. | +| --database required | String | String Name of the database. | +| --template-bacpac-path required | String | Path of the empty bacpac file containing the database schema. **NOTE:** The template is provided among Usercube's artifacts, and can be generated manually by exporting an empty Usercube database as a bacpac file. | +| --temp-bacpac-path optional | String | String Path of the temporary folder storing the database's data. | +| --bacpac-path required | String | String Path of the generated bacpac file. | +| --without-history default value: false | Boolean | `true` to exclude history data. | +| --without-job-instances default value: false | Boolean | Boolean `true` to exclude job and task instances. | +| --without-workflow-instances default value: false | Boolean | Boolean `true` to exclude workflow instances. | +| --without-campaign-instances default value: false | Boolean | Boolean `true` to exclude access certification campaign items. 
| +| --without-temp default value: false | Boolean | Boolean `true` to exclude the data of temporary tables. | +| --without-all default value: false | Boolean | Boolean `true` to exclude history data, job and task instances, workflow instances and access certification campaign items. _Remember,_ this option represents the usual use-case. | +| --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md new file mode 100644 index 0000000000..9cb79e9574 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md 
@@ -0,0 +1,187 @@ +# Usercube-Export-Configuration + +Generates in a folder the files of the configuration found in the database. + +While the deployment process is about taking the configuration elements from the XML files to insert +them in the database, the export process is about taking the configuration elements from the +database to generate XML files: + +- a basic export will export the XML configuration that was latest deployed to the database, + including images like logos and favicons; +- a marked export will export the whole configuration as XML files, including the configuration + elements created via the UI; + + As Usercube can be configured by writing manually in XML files and/or using the UI, the marked + export helps combining both. + + NETWRIX recommends configuring Usercube via the UI as much as possible, and completing the + configuration via XML files when needed. + +- a translation export will export the translation JSON files; +- a scaffolding export will export the XML configuration generated by scaffoldings. + +![Schema - Export Process](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp) + +For all export types, NETWRIX recommends using as output directory a folder other than the one +containing the old XML configuration. This way, the exported configuration does not overwrite the +old one, and: + +- the changes can be clearly viewed in a file comparison tool; +- the interesting changes can be selected individually and inserted in the old configuration, to + update the configuration while keeping any manual changes such as comments. + +### Focus on the marked export + +By default, the configuration elements created via the UI are stored in the database just like the +rest of the configuration, but they are not included in deployment and export processes. 
+ +While UI elements are not marked, they are not included in the XML/database comparison performed +during the configuration deployment process. It means that deploying any configuration will not +affect UI elements. + +On the other hand, once UI elements are marked, they will be included in the XML/database comparison +performed during the next configuration deployment process. Then, if these UI elements are not in +the deployed XML files, they will be removed from the database. + +**Be careful about what configuration to deploy and export**. + +When configuring through both the UI and XML files, make sure to: + +- export all UI modifications before making changes in XML files and deploying the configuration + again; +- deploy all XML modifications before making changes in the UI and exporting the configuration + again. + +## Examples + +### Locally vs. remotely + +The following example exports an on-premise configuration via a direct connection to the database +through its connection string: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example exports a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --api-url https://my_usercube_instance.com + +``` + +To be able to export a SaaS configuration, you must first provide your Usercube administrator with +identity information. +[See how to export a SaaS configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) +for the first time. 
+ +### Basic export for a change of environment + +The following example exports all configuration elements of the database as a set of XML files, to +the `C:/identitymanager/ExportedConf` folder, for example to move from the pre-production environment to +the production environment. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database. + +The default behavior of this tool exports all XML files, from the configuration elements stored in +the database and the XML/database relationships, as well as logos and favicons. Translations are not +exported. + +Most modifications made in the UI will be ignored too. + +### Export UI configuration elements outside the role model + +The following example exports all configuration elements as a set of XML files, including the +configuration modifications made through the UI, except any elements linked to the role model. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including UI elements (not +role-model-related) that are now marked for export. + +### Export all UI configuration elements + +The following example exports all configuration elements as a set of XML files, including all +configuration modifications made through the UI, especially role-model-related elements. 
+ +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export --mark-rolemodel-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including all UI elements +that are now marked for export. + +### Export translation files + +The following example exports to `C:/identitymanager/ExportedConf` the JSON translation files stored in the +database, one per language, replacing the ancient versions potentially pre-existing in the output +directory. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --export-translation + +``` + +### Export scaffoldings for debug + +The following example exports XML files containing the configuration generated by all scaffoldings. +It exports one folder per scaffolding type, and in each folder one XML file per scaffolding, +containing the configuration generated by the scaffolding. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ConfScaffoldings" --export-scaffolding + +``` + +All XML files from `C:/identitymanager/ConfScaffoldings` are removed and replaced with the new set of XML +files, generated based on the scaffoldings from the configuration. + +The scaffolding export's output is meant only for viewing in debug situations and must not be +inserted in the configuration. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | **Type** String **Description** Path of a directory that will receive the exported configuration. | +| --default-file optional | **Type** String **Description** Path of the file where configuration items are stored by default, when they are not related to a predefined storing file. **Note:** when not specified, these items are not exported. | +| --export-scaffolding optional | **Type** No Value **Description** Exports all scaffoldings and the scaffolded items, i.e. all items generated by scaffoldings. | +| --export-translation optional | **Type** No Value **Description** Exports the JSON files containing all translations, by language. | +| --format-configuration optional | **Type** No Value **Description** Formats the configuration from the folder specified in `--configuration-directory`, in order to correspond to the export result. | +| --mark-for-export optional | **Type** No Value **Description** Exports all configuration elements that were created via the UI, except for those linked to the role model, i.e. the elements exported by the `--mark-rolemodel-for-export` option. 
| +| --mark-rolemodel-for-export optional | **Type** No Value **Description** Exports all the configuration elements linked to the role model: `SingleRole`; `CompositeRole`; `SingleRoleRule`; `CompositeRoleRule`; and the following rules when they are linked to a role: `PendingApprovalRule`; `ResourceNavigationRule`; `ResourceScalarRule`; `ResourceTypeRule`; `ResourceBinaryRule`. **Warning:** this argument cannot be used without the `--mark-for-export` option. | +| --marked-paths optional | **Type** String List **Description** Identifiers of the elements configured through the UI that need to be exported and thus marked for export. **Note:** used to export specific elements, while the `--mark-*-for-export` options are meant to export whole packages of elements. | +| | | +| --- | --- | +| --api-client-id optional | **Type** String **Description** Login of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-secret optional | **Type** String **Description** Password of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-url optional | **Type** String **Description** URL of the server to export/deploy the configuration to, for remote changes. **Note:** required when `--database-connection-string` is not specified. | +| | | +| --- | --- | +| --database-connection-string optional | **Type** String **Description** Connection string of the database. **Note:** required when `--api-url` is not specified. | +| --product-translation optional | **Type** No Value **Description** Path of the JSON file that contains the application's translations. [See more details on how to import the product's translations](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md). 
| +| --scope optional | **Type** String **Description** Path of a folder or file to export/deploy, instead of exporting/deploying the whole configuration. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-csv/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-csv/index.md new file mode 100644 index 0000000000..32428a389e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-csv/index.md 
@@ -0,0 +1,67 @@ +# Usercube-Export-Csv + +## Examples + +### Exporting a file respecting the default parameters + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `,` as separator and `UTF8` +encoding, it can be exported with the command: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput` + +The output file will be located in `C:/identitymanagerContoso/Temp/ExportOutput/HREXAMPLE.csv` and the +content will be a copy of `hr_example.csv`'s one and an `UTF8` encoding. + +### Define a separator + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `;` as separator. + +As `,` is considered to be the default separator, we must set it: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --separator ;` + +The result's content will be the same but with `,` as separator. + +### Use a regex file name + +Consider that you deal with a generated file that follows the regex: +`C:/identitymanagerContoso/Sources/hr_example(.*?).csv`, for example +`C:/identitymanagerContoso/Sources/hr_example5fH8g1.csv`. If several files match with the regex, the +executable uses the last one that was generated. + +You can put your regex and precise that it is one with the `--regex` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --regex` + +## Use the Path Duality and the Not-Launch-Export System + +In a larger context, the export might be used for complete or incremental synchronization. That is +why it has two paths: `--raw-files-path` for complete synchronizations, `--path-incremental` for +incremental ones. 
+ +In the export's scope, it only means one thing, what path must be used depends on +`--ignore-cookies`: its presence meaning that we are in a complete synchronization context and we +use `--raw-files-path`; its absence that we are in an incremental one and we use +`--path-incremental`. + +It means that if the user gives `--ignore-cookies` and not `--raw-files-path`, or if they give +neither `--ignore-cookies` nor `--path-incremental`, the export will not be launched to prevent any +problem (complete data for an incremental synchronization for example). The `--force-complete` +argument bypasses this security: in the product, it is used for the initialization job, where we +want to perform a complete synchronization, even for CSV connections with only an incremental path. + +## Arguments + +| Argument Name | Details | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. | +| --output-path required | **Type** String **Description** Output path for the files generated by the export. | +| | | +| --- | --- | +| --ignore-cookies optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. | +| | | +| --- | --- | +| --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. | +| --separator optional | **Type** String **Description** Defines the separator if different than `,`. | 
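Review bot: In encrypt-file/index.md, the example description says the script "decrypts the file(s) specified by the `csvResult` variable", but the tool is Encrypt-File and the next sentence says "The encryption is made using the certificate's thumbprint"; change "decrypts" to "encrypts". The heading still reads `# Usercube-Encrypt-File` while the command is `./identitymanager-Encrypt-File.exe`, so settle on one name. The Arguments table contains stray `| | |` and `| --- | --- |` rows that will render as empty rows or split the table. Since `--file-cert-password` takes the PFX password as a command-line value, add a sentence on how that value should be supplied so it does not end up hard-coded in scripts.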
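Review bot: In export-bacpac/index.md the example has lost its placeholders: the text reads "generates to `` a bacpac file" and the command is `--database "" -s "" --bacpac-path 0 --template-bacpac-path ""`, although the next sentence tells readers to replace the values "enclosed with `<>`". The angle-bracket placeholders appear to have been stripped, and `--bacpac-path 0` is not a path; restore them in an escaped form that survives rendering. In the Arguments table several Description cells repeat the type ("String Name of the database.", "Boolean `true` to exclude job and task instances."), which should be dropped now that Type has its own column.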
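Review bot: In export-configuration/index.md, the Arguments table gives `--product-translation` the type "No Value" while its description is "Path of the JSON file that contains the application's translations"; the two cannot both be right, and the type is presumably String. Every sample connection string carries `encrypt=false`; if that is only meant for the local `data source=.` instance, say so next to the first example so it is not copied into remote deployments. The repeated statement that all XML files in the output folder "are removed and replaced" should point back to the earlier recommendation to export into a folder other than the one holding the old configuration. The `| | |` and `| --- | --- |` rows inside the table also need removing.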
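Review bot: In export-csv/index.md the Arguments table omits `--raw-files-path`, `--path-incremental` and `--force-complete`, all of which the examples and the path duality section rely on; add rows for them. In "Define a separator", `--separator ;` is shown unquoted, and in PowerShell or a POSIX shell a bare `;` ends the command, so the option would receive no value; show it as `--separator ";"`. The `hr_example(.*?).csv` pattern passed with `--regex` contains shell metacharacters and should be quoted as well. The sentence "As `,` is considered to be the default separator, we must set it" should say that the input file's `;` separator must be declared, and the page needs an opening sentence under `# Usercube-Export-Csv` saying what the tool does.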
diff --git a/docs/usercube/6.1/usercube/integration-guide/executables/references/export-easyvista/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-easyvista/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/executables/references/export-easyvista/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-easyvista/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-excel/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-excel/index.md new file mode 100644 index 0000000000..f19e3a6b65 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-excel/index.md 
@@ -0,0 +1,84 @@ +# Usercube-Export-Excel + +## Examples + +### Exporting a file respecting the default parameters + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.xlsx` with `UTF8` encoding, it can be +exported using these command's arguments: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput` + +The output file(s) will be located in `C:/identitymanagerContoso/Temp/ExportOutput/`. Their number +corresponds to the number of sheets in the XLSX file and they would be labeled: `HREXAMPLE_0.csv`, +`HREXAMPLE_1.csv`, � `HREXAMPLE_n-1.csv` where n corresponds to the amount of spread sheets of the +XLSX file. The encoding is `UTF8` and the separator is `,`. + +### Skipping some file's lines + +The possibility to skip lines is made available using the `--lines-to-skip` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --lines-to-skip 10` + +As a consequence, the exported file would include the content of the XLSX file without the ten first +lines. + +### Regex in file name + +Considering a generated file following the regex: `C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx`, +for instance `C:/identitymanagerContoso/Sources/hr_example5fH8g1.xlsx`, if several files match with the +regex, the executable would use the most recent one. 
+ +The regex can be included in the filename and would need to be precised using the `--is-regex` +argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --is-regex` + +### Choosing value to trim + +It's possible to precise characters to trim using the `--values-to-trim` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --values-to-trim e` + +The CSV output file will see every words beginning and ending by "e" (lower-case, this process is +case sensitive) removed of this letter. + +### Ignoring particular sheets + +The `--sheets-ignored` argument allows the user to specify for each sheet if it should be ignored +during the export. More precisely, a list of true or false arguments should be specified +respectively to the sheets. Let's say the `C:/identitymanagerContoso/Sources/hr_example.xlsx` file +possesses three sheets, in order to export the first and the last ones the arguments would be: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --sheets-ignored false true true false` + +Thus, two CSV files would be created corresponding to the the chosen ones: `HREXAMPLE_0.csv` and +`HREXAMPLE_3.csv`. + +## Path Duality and the Not-Launch-Export System + +The export executable might be used for a complete or an incremental synchronization. Thus, it +possesses two paths that could be precised - depending on the case - with the `--raw-files-path` for +complete synchronizations argument or the `--path-incremental` for incremental ones. 
+ +At the end of the day, the `--not-incremental` argument defines the export behavior: if present it +means a complete synchronization should be performed and the `--raw-files-path` argument must be +precised; if missing an incremental synchronization would be performed using `--path-incremental`. + +It means that if the user provide the `--not-incremental` argument and no `--raw-files-path`, or if +the user doesn't provide `--not-incremental` nor `--path-incremental`, the export will not be +launched to prevent any issue (complete data for an incremental synchronization for instance). The +`--force-complete` argument bypasses this safeguard: during the initialization job for example, +where we want to perform a complete synchronization, even for Excel connections with only an +incremental path. + +## Arguments + +| Argument Name | Details | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| --not-incremental optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. | +| --is-regex optional | **Type** No Value **Description** The file's name is a regex so we find the last generated corresponding file. | +| | | +| --- | --- | +| --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. | +| --output-path required | **Type** String **Description** Output path for the files generated by the export. | 
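Review bot: In export-excel/index.md, "Ignoring particular sheets" contradicts itself: the workbook is said to have three sheets, yet `--sheets-ignored false true true false` passes four values and the stated outputs are `HREXAMPLE_0.csv` and `HREXAMPLE_3.csv`. Either describe a four-sheet workbook or change the example to `false true false` with outputs `HREXAMPLE_0.csv` and `HREXAMPLE_2.csv`. The file list in the first example has a mis-encoded character between `HREXAMPLE_1.csv` and `HREXAMPLE_n-1.csv` where an ellipsis was intended, and "the the chosen ones" has a doubled word. The Arguments table is missing `--raw-files-path`, `--path-incremental`, `--force-complete`, `--lines-to-skip`, `--values-to-trim` and `--sheets-ignored`, which the examples use.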
diff --git a/docs/usercube/6.1/usercube/integration-guide/executables/references/export-scim/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-scim/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/executables/references/export-scim/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-scim/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/executables/references/fillbankingdatabase/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/executables/references/fillbankingdatabase/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md new file mode 100644 index 0000000000..17bee629f5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md 
@@ -0,0 +1,50 @@ +# Usercube-Fulfill-EasyVista + +This executable creates, updates and archives employees in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. | +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. 
| +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-scim/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-scim/index.md new file mode 100644 index 0000000000..a910ae80c5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-scim/index.md 
@@ -0,0 +1,45 @@ +# Usercube-Fulfill-Scim + +This executable creates, updates and deleles entries in an application using the SCIM API. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "SCIM" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "SCIM_NominativeUser" "SCIM_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --server required | **Type** String **Description** URL of the SCIM endpoints of your application, not including the v2. | +| --login optional | **Type** String **Description** Specifies the login of the account you may need. | +| --password optional | **Type** String **Description** Specifies the password of the account you may need. | +| --application-id optional | **Type** String **Description** Specifies the application connection login or the login of your application's id provider. | +| --application-key optional | **Type** String **Description** Specifies the application connection password or the password of your application's id provider. | +| --oauth-url optional | **Type** String **Description** The server's url when using OAuth2 authentication. | +| --oauth-token optional | **Type** String **Description** Specifies the OAuth token to connect to the application. | +| --scim-syntax optional | **Type** Enum **Description** Specifies the syntax used for requests body. Has to be one of those values: Salesforce (default value) or CyberArk | 
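Review bot: the four examples and the Arguments table in fulfill-scim/index.md do not agree. Every example passes `--connector` or `--resource-types` together with `--url` and `--account`, but the table has no row for any of those four and documents the endpoint as `--server required` instead, so a reader cannot tell which flags the executable takes. Align the examples with the table or add the missing rows. In the same pass, fix `deleles` in the opening sentence, the missing space in `--api-secret "secret"--url` in the last example, and the empty `| | |` / `| --- | --- |` rows that split the table. Every example also places literal `--api-secret` and `--password` values on the command line; a sentence saying how these are meant to be supplied outside a demo would help.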
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md new file mode 100644 index 0000000000..bacfb2f887 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md 
@@ -0,0 +1,50 @@ +# Usercube-Fulfill-ToEasyVistaTicket + +This executable creates tickets in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. | +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. 
| +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/generate-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/generate-configuration/index.md new file mode 100644 index 0000000000..156289abce --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/generate-configuration/index.md 
@@ -0,0 +1,84 @@ +# Usercube-Generate-Configuration + +Generates from a CSV file the configuration of a connector with these entities. + +## Overview + +Two subcommands are possible for generation. + +- simpleconnector +- complexconnector + +The simple connector allows you to generate the configuration for a CSV file and create the +connector. The complex connector allows you to generate the configuration for a list of CSV files +and create the connector. + +### 1. Simple connector + +From a CSV file, generates the configuration of the entity representing the CSV file. + +**The subcommand** **_simpleconnector_** **must precede the arguments.** + +### 2. Complex connector + +From a list of CSV files, generates the configuration of the entities representing each file. The +complex connector requires as an argument an xml file containing all the CSV files to be processed +as well as the primary keys of these files. + +Example of xml file + +``` + + + +``` + +- Path: CSV file path. +- File: Name of the files to be processed. +- PrimaryKey: Fills in the primary key of the CSV file. +- Header: Column name in the CSV file. +- EntityTypeName: Indicates the name of the entity to be created. +- Name: name of the connector to be created. 
+ +**The subcommand** **_complexconnector_** **must precede the arguments.** + +## Examples + +### Simple connector + +``` + +./identitymanager-Generate-Configuration.exe simpleconnector -g "C:/GeneratedFile/file" -f "C:/SourceFile/confFile.csv" + +``` + +### Complex connector + +``` + +./identitymanager-Generate-Configuration.exe complexconnector -g "C:/GeneratedFile/file" "C:/SourceFile/confFile.xml" + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --generated-file (-g) required | **Type** String **Description** Path to the generated file. | +| --csv-path (-h) optional | **Type** String **Description** Path to the CSV file. **Note:** used only for a simple connector. | +| --encoding (-e) optional | **Type** String **Description** Encoding of the CSV file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Note:** used only for a simple connector. | +| --csv-separator (-t) optional | **Type** String **Description** Column separator of the CSV file. **Note:** used only for a simple connector. | +| --generated-connector (-r) optional | **Type** String **Description** Name of the generated connector. **Note:** used only for a simple connector. | +| --keep-all-columns (-k) optional | **Type** No Value **Description** Keeps all the columns. | +| --connector-description optional | **Type** String **Description** XML file that describes the CSV files and their primary key columns. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. 
| +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. | +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/usercube/6.1/usercube/integration-guide/executables/references/get-jobsteps/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/executables/references/get-jobsteps/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/index.md new file mode 100644 index 0000000000..004a8732b1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/index.md 
@@ -0,0 +1,88 @@ +# References: Executables + +- #### [Usercube-Agent](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/agent/index.md) + Runs the Agent.- #### + [Usercube-Anonymize](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/anonymize/index.md) + Transforms strings to anonymize given data.- #### + [Usercube-Compute-CorrelationKeys](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md) + Computes the values of all correlation keys.- #### + [Usercube-Configuration-Transform](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/configuration-transform/index.md) + Applies a series of transformation.- #### + [Usercube-Create-DatabaseViews](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/create-databaseviews/index.md) + Generates entity model SQL views in the Usercube database.- #### + [Usercube-CSV-Transform](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/csv-transform/index.md) + Modifies a CSV file by performing operations on its headers and/or columns.- #### + [Usercube-Decrypt-File](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/decrypt-file/index.md) + Decrypts an input file to save it into an output file or an OutPutConsole that can be used in + Powershell scripts or programs.- #### + [Usercube-Deploy-Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + Retrieves all XML configuration files from a given folder, in order to calculate the + configuration items to insert, update or delete in the application.- #### + [Usercube-EasyVistaTicket-UpdateFulfillmentState](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md) + Updates the assigned 
resource types according to EasyVista tickets state.- #### + [Usercube-Encrypt-File](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/encrypt-file/index.md) + Encrypts an input file or the InputConsole of a Powershell program or file to save it as an + encrypted output file.- #### + [Usercube-Export-Bacpac](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-bacpac/index.md) + Exports the database to a bacpac file.- #### + [Usercube-Export-Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md) + Generates in a folder the files of the configuration found in the database.- #### + [Usercube-Export-Csv](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-csv/index.md) + Exports CSV files.- #### + [Usercube-Export-EasyVista](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-easyvista/index.md) + Exports EasyVista entities to CSV files.- #### + [Usercube-Export-Excel](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-excel/index.md) + Exports Excel files.- #### + [Usercube-Export-Scim](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-scim/index.md) + Exports SCIM entries to a CSV file.- #### + [Usercube-FillBankingDatabase](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md) + Fills the `BankingSystem` database for the Banking demo application.- #### + [Usercube-Fulfill-EasyVista](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md) + Creates, updates and archives employees in an EasyVista instance.- #### + [Usercube-Fulfill-Scim](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-scim/index.md) + Creates, updates 
and deleles entries in an application using the SCIM API.- #### + [Usercube-Fulfill-ToEasyVistaTicket](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md) + Creates ticket in an EasyVista instance.- #### + [Usercube-Generate-Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/generate-configuration/index.md) + Generates from a CSV file the configuration of a connector with these entities.- #### + [Usercube-Get-JobSteps](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) + Returns the list of all tasks present in a given job.- #### + [Usercube-Invoke-Job](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md) + Launches a job on the agent side.- #### + [Usercube-Invoke-ServerJob](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md) + Launches jobs on the server side.- #### + [Usercube-Login](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md) + Provides an authentication token needed for SaaS configuration deployment/export.- #### + [Usercube-Manage-ConfigurationDependantIndexes](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md) + Creates the necessary indexes based on the latest deployed configuration to optimize + performances- #### + [Usercube-Manage-History](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-history/index.md) + Manages the data history stored in the database. 
It can purge old data or consolidate the + history.- #### + [Usercube-New-OpenIDSecret](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) + Allows to generate the hashed password of the secret to connect to the given client for agent + side job Usercube.- #### + [Usercube-PasswordGenerator](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/passwordgenerator/index.md) + Generates a password.- #### + [Usercube-Prepare-Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md) + Cleanses exported CSV files.- #### + [Usercube-Protect-CertificatePassword](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) + Encrypts a .pfx archive password using a Usercube provided RSA key.- #### + [Usercube-Protect-X509JsonFile](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + Encrypts sensitive data from a given JSON file.- #### + [Usercube-Protect-X509JsonValue](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + Encrypts the values of sensitive data.- #### + [Usercube-RefreshSchema](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/refreshschema/index.md) + Refreshes the schema of a given connection. Takes as input a connection, and refreshes its + schema. 
The result of the update is stored into the database.- #### + [Usercube-Send-PasswordNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md) + Sends a mail notification for a password initialization or change.- #### + [Usercube-Server](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md) + Runs the Server.- #### + [Usercube-Update-EntityPropertyExpressions](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md) + Recomputes the values of all properties defined via expressions.- #### + [Usercube-Upgrade-ConfigurationVersion](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md) + Upgrades your configuration from your current version entered in settings to the latest + version.- #### + [Usercube-Upgrade-DatabaseVersion](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md) + Runs all the migration scripts to upgrade the database. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md new file mode 100644 index 0000000000..20d4dbfeba --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-job/index.md 
@@ -0,0 +1,96 @@ +# Usercube-Invoke-Job + +This tool launches a job on the agent side. + +## Behavior Details + +The +[Usercube-Invoke-Job.exe](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md) +tool is a state machine. + +![Schematization](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp) + +When a job is launched, the state machine starts by computing all the tasks that must be launched in +the job. + +Each task is assigned a launch order which can be +[configured in job steps](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). +All the job's tasks are grouped together according to their launch order, and they are launched by +group. Such task grouping allows the job to be faster executed. + +The launch orders of all the tasks of a job can be listed by using the +[`Usercube-Get-JobSteps`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) +executable. + +Before any task is launched, the state machine checks the task's parent tasks in order to verify +whether the task must be launched or not. + +If the task must be launched, then the state machine checks whether the task should be started +server- or agent-side. + +Then the task is launched, and then: + +- if the task completes successfully, then the next task is loaded and started, or if this was the + last task then the job ends successfully; +- if the task exits in error, then the whole job exits in error and stops; +- if the job is requested to stop from the UI, then the job's state switches to `cancelled` and is + transmitted to the current task in order to not launch the next task; + + A canceled job is not stopped straight away, as the current task first needs to be finished. + +- if the task exits in error while the warning mode is active, then the next job is loaded. 
+ + Only export tasks can have this warning mode. + +- if the task exits blocked, then the whole job stops and can be restarted manually at its + breakpoint; + + Only synchronization and provisioning tasks can exit blocked. + +In the case where the job is blocked and restarted: + +- if the blocked task is a + [`SynchronizeTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), + then the state machine runs a synchronization validation on the related connector, and uses the id + of the blocked task instance to synchronize the related tables; +- if the blocked task is a + [`GenerateProvisioningOrdersTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md), + then the state machine forces the same provisioning on the related connector. + + Both the synchronization validation and the forced provisioning are virtual jobs that do not + exist in the database. However, they will be visible in the UI which keeps track of any launched + task. + +In both cases, the state machine resumes the job with the tasks that were not started due to the +blockage. + +Any task launched by the state machine is linked to a job instance in order to keep track of the +launch group. 
+ +## Example + +``` + +./identitymanager-Invoke-Job.exe -j "AccessCertificationEnd" --api-secret secret --api-client-id Job --api-url "http://localhost:5000" + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md new file mode 100644 index 0000000000..9a880db43d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md 
@@ -0,0 +1,32 @@ +# Usercube-Invoke-ServerJob + +## Invoke a Job (Server Side) + +To launch the job in the Server side only you need to run the executable +Usercube-Invoke-ServerJob.exe. + +To know the task launch orders in job use the following exe: +[Usercube-Get-JobSteps.exe](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) + +## Examples + +``` + +.\Usercube-Invoke-ServerJob.exe -g "CleanDatabase" -s secret + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | 
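Review bot: the command under "Examples" in invoke-serverjob/index.md uses flags that the Arguments table defines differently or not at all. It runs `-g "CleanDatabase" -s secret`, while the table gives the job identifier as `--job-identifier (-j)`, has no `-g`, and assigns `-s` to `--task-string-contains`, so `-s secret` reads as a task-identifier filter rather than a credential. Correct the example to the documented flags, or add rows for `-g` and for the secret argument if they exist. The table also lists no connection or authentication argument, which is worth confirming for an executable that launches server-side jobs.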
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md new file mode 100644 index 0000000000..615b11ce24 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md 
@@ -0,0 +1,47 @@ +# Usercube-Login + +Delegates the authentication process to a third-party Identity Provider which will provide an +authentication token required to allow the remote deployment/export of Usercube configuration. + +The provided authentication token is meant to be sent to the Usercube administrator. + +## Examples + +The following example launches the authentication to Usercube's in-house Identity Provider (IDP). It +will open your default browser to `http://localhost:5005` where you will be redirected to Usercube's +IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe + +``` + +The following example launches the authentication to a specific Identity Provider whose +authentication URL and Client Id are respectively `https://my_oidc_authentication_server.com` and +`34b3c-fb45da-3ed32`. It will open your default browser to `http://localhost:5005` where you will be +redirected to the IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32 + +``` + +The following example launches the authentication to Usercube's Identity Provider, but using a +specific port `5050`. It will open your default browser to `http://localhost:5050` where you will be +redirected to Usercube's IDP. that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe --port 5050 + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --authority optional | **Type** String **Description** Base URL of the Identity Provider used for authentication. 
When not specified, Usercube provides an in-house Identity Provider. | +| --client-id optional | **Type** String **Description** Client Id of the application authorized to delegate the authentication to the specified Identity Provider. When not specified, Usercube provides the Client Id for the in-house Identity Provider. **Note:** ask for this id to your internal administrator. | +| --port default value: 5005 | **Type** Int64 **Description** Port used to run the local web page. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md new file mode 100644 index 0000000000..bd0db93b28 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Manage-ConfigurationDependantIndexes + +This tool creates the necessary SQL indexes based on the latest deployed configuration to optimize +certain queries performances. + +## Available optimizations: + +- Creates SQL indexes and statistics to optimize searches on specific entity types +- Creates SQL indexes to optimize joins between records and main entity types +- Creates SQL indexed views used to compute dashboard counters + +## Examples + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -e "Directory_User" -r "Directory_UserRecord" "Directory_Guest" -dc -s "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -auto -dc -s "data +source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --entityTypes (-e) optional | __Type__ String List __Description__ Sets the list of entity types for which optimization indexes will be created/updated. | +| --recordEntityTypes (-r) optional | __Type__ String List __Description__ Sets the list of record entity types for which optimization indexes will be created/updated. | +| --userProperties (-p) optional | __Type__ String List __Description__ Sets the list of �User' properties that link the records and the users. (the order of the given �userProperties' must match the order of the given �recordEntityTypes'). | +| --dashboardCounter (-dc) optional | __Type__ No Value __Description__ Adjusts the indexed views for the dashboard counters appropriately. | +| --auto optional | __Type__ No Value __Description__ The entity types, record entity types and user properties are deduced automatically from the provisioning rules configured in the database. | +| --apply-to-database (-a) optional | __Type__ No Value __Description__ Directly applies the resulting SQL script to the database. 
| +| | | +| --- | --- | +| --database-connection-string required | __Type__ String __Description__ Connection string of the database. | +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-history/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-history/index.md new file mode 100644 index 0000000000..c43e430b46 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-history/index.md 
@@ -0,0 +1,132 @@ +# Usercube-Manage-History + +This tool optimizes the data history stored in the database, reducing its size and enhancing +database performance. + +The inner workings of this executable are based on the `ValidFrom` and `ValidTo` attributes that +specify the validity period of a given assignment. These attributes are inside the following tables +which are the tables actually purged: `ur_resources`; `ur_resourcelinks`; +`up_assignedcompositeroles`; `up_assignedsingleroles`; `up_assignedresourcenavigations`; +`up_assignedresourcetypes`. + +## Examples + +Purge before a period + +To clean the database periodically, it can be purged of all the history older than a given period of +time. + +The following example deletes all the history from the database that is more than 12-month old: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-months 12 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Purge before a date + +The database can be purged of all history older than a given date. + +The following example deletes all the history from the database older than May 26th 1993: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-date 19930526 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Optimize + +The database's history can be optimized by removing intermediate versions based on their age, for +example keeping only one version the last week, one per month the last 6 months and then one per +year for 3 years. + +The following example reduces the history from the database, keeping at most one history version per +interval. 
Here we keep one version per day (1440 minutes) in the last 7 days, then one version per +month (43920 minutes) in the last 6 months before the previously defined period, then one version +per year (525960 minutes) in the last 2 years before the previously defined periods. + +![Schema - Optimize](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp) + +For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the +versions are merged in the following way: + +- The latest version is kept +- The oldest date is kept (that is, in the database, the `ValidFor` is equal to the one of the + oldest version in the considered period). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --optimize "1440:7 43920:6 525960:2" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +If you want to configure a time period when there is no purge and all history is kept as is, then +you can specify a short duration that allows a single change, for example only one minute. The +following example copies the previous one, in addition we want to keep all changes of the last 6 +hours (360 minutes): `--optimize 1:360 1440:7 43920:6 525960:2`. + +Clean duplicates + +As given data can have several versions in the database, redundant rows can be deleted and replaced +with one row that covers the consolidated time range. + +The following example remove all duplicates in the database. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --clean-duplicates --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example remove all duplicates induced by the `pwdLastSet` property. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --clean-duplicates --excluded-resource-columns "pwdLastSet" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +Solicit memory rather than the database + +To reduce the database load, the tool's optimizations can be made via the local device's memory. + +The following example deletes all the history from the database that is more than 12-month old, the +optimizations being computed in memory instead of in the database: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --purge-before-months 12 --in-memory --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +## Arguments + +| Argument Name | Type | Description | +| ------------------------------------------------------------ | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --clean-duplicates optional | No Value | Removes duplicate historical data. | +| --entity-type required if --excluded-resource-columns is set | String | When using `--clean-duplicates` option, defines the entity type (Id or Identifier) that should have its duplicates removed from the `UR_Resources` table. | +| --excluded-resource-columns required if --entity-type is set | String list | When using `--clean-duplicates` option, defines the list of column names (the name of the columns in the `UR_Resources` table, or the Identifier of the corresponding um_entityproperty) to exclude when comparing rows of `UR_Resources` table. | +| --in-memory default value: False | No value | Performs optimizations in memory instead of the database. It implies heavy memory consumption but light SQL load. 
| +| --optimize optional | String list | Reduces the history and optimizes the versions that are kept based on the precision given through ranges in the argument. A range is specified by a duration in minutes followed by the number of occurrences. For example 60:10 defines a range of 60 minutes repeated 10 times, or 10 snapshots repeated at 60 minute intervals. For each interval, at most one version is kept in the history. The intervals are evaluated in the given order from now, backwards. In the previous example, it means the more recent versions are kept with a high precision (one per day initially), then with lesser and lesser precision (one per month and then one per year). If the data has not changed over an interval, no optimization can be done. | +| --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. | +| --purge-before-months optional | String | Deletes all the history older than the given number of months. | +| --database-connection-string required | String | Connection string of the database. | + +The available actions (clean duplicates; purge; optimize) are all optional, but at least one must be +used in the executable command. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md new file mode 100644 index 0000000000..8df87c4060 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md 
@@ -0,0 +1,27 @@ +# Usercube-New-OpenIDSecret + +This tools generates an hash. In practice, we hash a client secret but the tool can generate +randomly a hash without an input string. The name of the executable is: +�Usercube-New-OpenIDSecret.exe'. + +## Examples + +``` + + ./identitymanager-New-OpenIDSecret.exe --client-secret + Shared secret for 'secret' is 'K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=' + +``` + +The output shows the client secret and its hashed version. It must be entered in the +[OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +configuration. + +## Arguments + +| Argument Name | Details | +| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | +| --client-secret optional | **Type** String **Description** Open id client secret that will be hashed by the program. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/usercube/6.1/usercube/integration-guide/executables/references/passwordgenerator/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/passwordgenerator/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/executables/references/passwordgenerator/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/passwordgenerator/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md new file mode 100644 index 0000000000..14a72e7b26 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md 
@@ -0,0 +1,133 @@ +# Usercube-Prepare-Synchronization + +`Usercube-Prepare-Synchronization` is used as the second step of the +[synchronization process](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md). +It cleanses exported CSV files before sending them to the server for database loading. It is +performed on the _Agent_ side. + +## Behavior Details + +The task reads files from the source directory, usually the +[temp folder > ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +folder. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or an + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + , a `.sorted.csv` file is generated, containing the final, cleansed and sorted result. +- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. 
+ +All files produced by the task are in the +[work folder > Collect](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +directory. + +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the + [_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Usercube can't match. Using managed systems for these +operations avoids generating heavy files and alleviates Usercube's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. + +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). +It will be used as a reference for the next _incremental_ Prepare-Synchronization to compute the +changes, if needed. 
+ +Tampering with the `previous` folder content would result in false changes leading to false +computation. It would result in data corruption in the Usercube database. To restore the Usercube +database and reflect the managed system data updates, a _complete__Sync Up_ would be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +### Example + +The figure models the complete _Prepare-Synchronization_ steps applied to an Active Directory +export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ +and _manager_). 
+ +![Active Directory Prepare-Synchronization Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Examples + +`Usercube-Prepare-Synchronization` can be used as an executable file as follows: + +``` +./identitymanager-Prepare-Synchronization --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connector --agent myagent --synchronization-mode complete + +``` + +## Arguments + +| Name | Details | +| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --agent required | **Type** [Agent](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) **Description** Identifier of the [agent](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) where the task runs. | +| --connector required | **Type** [Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) **Description** Identifier of the linked connector. The task is linked to a connector whose entity types are synchronized. 
| +| --synchronization-mode required | **Type** [SynchronizationMode](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) **Description** Synchronization mode for this task can be one of the following: - Initial - Complete - Incremental This must be the same as the associated Export and Synchronize tasks. Use _initial_ if this is the first time the target managed system is synchronized. Use _complete_ to load the data from the managed system as a whole. Use _incremental_ to consider only incremental changes from the last synchronization. In _incremental_ mode, the Prepare-Synchronization task computes changes in the source managed system since the last _Prepare-Synchronization_. | +| --sources-directory default value: ExportOutput | **Type** String **Description** Directory path, relative to [temp folder](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md), from which export files to cleanse are read. | +| --working-directory default value: Collect | **Type** String **Description** The directory path, relative to [work folder](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md), to which intermediary and cleansed files are stored. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md new file mode 100644 index 0000000000..30deb86ee7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md 
@@ -0,0 +1,46 @@ +# Usercube-Protect-CertificatePassword + +This tool helps protecting `.pfx` archives passwords. Given a plain text password, it generates an +encrypted version, that can be stored in a configuration file in place of the plain text one. The +tool uses a hard-coded secret RSA key to generate the encrypted password. Usercube uses the same key +to retrieve the plain text password and read the `.pfx` archive. + +## Examples + +Given a `.pfx` archive protected by the `secret` password, an encrypted version can be generated +with the following command: + +``` +./identitymanager-Protect-CertificatePassword.exe --pfx-password "secret" +``` + +The output is the following : + +``` + +ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA== + +``` + +This encrypted password can now be copied to the relevant location in a configuration file. For +example : + +``` +appsettings.json + +{ +... + "EncryptionCertificate": { + "File": "C:/identitymanagerAgentContoso/contoso.pfx", + "Password": "ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA==" + } +... +} + +``` + +## Arguments + +| Name | Details | +| ----------------------- | ---------------------------------------------------------------------------- | +| --pfx-password required | **Type** String **Description** Password of the `.pfx` archive's to encrypt. | 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md new file mode 100644 index 0000000000..2d48fa9284 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md 
@@ -0,0 +1,131 @@ +# Usercube-Protect-X509JsonFile + +This tool is used to encrypt a JSON file containing sensitive connection data, for example the +`appsettings-agent.json` file, with +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). +The encryption is based on the information given in your `appsettings.json` file about either a PFX +file or the location of the +[encryption certificate](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md#encryption-certificate) +in the Microsoft store. + +This tool `Usercube-Protect-X509JsonFile` is used to encrypt a whole file, in comparison to the +[`Usercube-Protect-X509JsonValue`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) +tool that encrypts only a given value. This tool is more appropriate than +`Usercube-Protect-X509JsonValue` when you have many lines to encrypt. + +## Examples + +The command below encrypts the `appsettings.agent.json` file from the `C:/identitymanagerTraining` folder +and creates the `appsettings.encrypted.agent.json` file in the same folder. + +``` + +./identitymanager-Protect-X509JsonFile.exe --input-json-file-path "C:/identitymanagerTraining/appsettings.agent.json" --output-json-file-path "C:/identitymanagerTraining/appsettings.encrypted.agent.json" + +``` + +For example it takes this : + +``` +appsettings.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": 0 + }, + "OpenId": { + "OpenIdClients": { + "Job": "secret" + }, + "DefaultOpenIdClient": "Job" + }, + + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "http://localhost:3000" + }, + "NotificationSettings": { + "Cultures": [ + "en" + ] + } + }, + ... 
+} + +``` + +And it returns this : + +``` +appsettings.encrypted.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": "kxABAEh6CpUOAOMBNPNLKazx9I0vqummv24acN292gonFiK4ov81bjqE2ic+n+HqastXU2aTQcl3IefhEXn9KA2dhnIbDTXB4GhOn9lL9AzUfwKXBr5EBmVy7ggruG2ewpWGK1c3LBJ35km9XvCnzSHLfolZwHNPwM/8b/C6XqSzieoFcO5H92IGJ1lFRboacvp0rO+SkkUv63Ewsk+1MrVLa63oBgWfY6PhMeJvNpWGqCD+I614hB6jE2Li/recwQIPd10XEgFM1OEkZ5ZiO+URxX7MCBe1o20rTaczKR7e7lLQGa/e3Y3i1sFnCm+yRm/lzw0qtDvOtCXlPT13EsHsUunxnR3uH4R6lRBXT30OKobaX7MTQjGkLRChss/GVGCK5w==" + }, + "OpenId": { + "OpenIdClients": { + "Job": "kxABAOkh0BF2GdMedpzmKZZWVWc8IYaiZO2dofmt7lLBP3vMYgLLZYNDyR3x7Ah7tA1r6oSL5gBT3mSFyXB63NJk+QmZqNW1LWdzh+3U+DvNdQw4OfDfFlC5F+nH3/L5iqWc+h1jMlaQBpkqf42Vr8HwFKtqMXLJVXEIyeHSPgHRp1iOjGkNSRNrRQGJ4pVyo0xKmcWsz3qGYf0SnJIzRJ++PcYh/dJgxHAZFsDnV55X3zg72J8teoIEG82GdNjmCV/W4S4edNCYa1gL3KpgDGQq1GEed71Ht1tVYlHlJ4hckE++otQqTgRA2p4nFvo3LmlMag6k4EQRzEk6TOHUlGjUtYgpzMuPqei8/3CRXy5o8YW5R0wVFJJ/jSfYrvR3M9SwJw==" + }, + "DefaultOpenIdClient": "kxABANLI/Qx7X8L1VtIl+FM4RtYlTLLpUUBCp2pucY+jzjlwhbF9fjJhhTP/KmeCj8M2yB4AA1V3AQgcEBvg92I1vCAWXIBgCjz6LUD2yf4FCpACaxNgiBZVAaCELNCgbKDgy9UB1j4sCozpEzReLVtYdOX+KFbGU6zJ808jnrLFMz+YHT4LXMyF94A5Zl86DFT9br6PwR75qImvjDlIUt+7/I8WrT1Nnqn2hXxqzAd1J2W5Xv8Bt9sXFmskSZN9PyOo9EY9t5lVGq++IqjGPWh4vQAXCzIsfRgUfU7PfHKVuSKSHbME1EZwG/FjzOe8B4bO2q/a/qLtGgygyX5ExEkZ/IcrtSZnTdqC83AfyexlEv9Z3wWFAoKGDtI3zhmCZYnuZQ==" + }, + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "kxABAFAEx4fWwG/ANPVTf/WGyccDxoR2xCy+x+U3Ny1KkqnOFw+SizePTgINTzBaYHLTHABQD0GWW6U+4qiG6DpcIcdAD0VVnddqB5a+YIE0reufXYhZTrDU/9yeG6aUWIHkLl9UudC/nnW6zMrjChiJhJvT7csFKdgbqUazZT56hR0i6XS36a5h2/tTWhbZTkk1Dil5JP7xUcu5CMWyXMUvGvK8gfQozYxo/DJTOiLrWjg5ION1yx+ZqPhcIUxgYaBjxSpfT6U9YMy5mE9JGqf7W76baS9fOVr3H1DAL02icX29uJAcsw1r9k1rJQIKEhAuqTNeuqF6C6iPHJAsail+iteOJEYgBSACRz7Te4t6Hp7PBs0FfP0WY1oL+1T+p7X+HaO1jAJhE50J2AKhGNXTZfE=" + }, + "NotificationSettings": { + "Cultures": [ + 
"kxABAPwTbpFUbP9xT9HyqtTuMLKT9sVD0Qq1kCsI44d12vJEcW2MMy9K5vKakwTPeJpvY6SafELoHc7AjKnh8ZJi0/Yu4dieE5W+5uXY1uaghYJ/2VjimzIsDhvRhm90xUlaMjdFBjx4HAnxBAtEbEjifdGHxZ0L9F305hXSTORj53u76ctCE5D9HPTN3AgLmyIGv5NExwhD4sgppbf6PWjTEZ7yNcoUpkkS4pJ6BMz+PaQo26A2rMP710zQgG72an4XvxSoR3SwSm0fhLCASgYi8YOZw0j/cfxl/LrW1EQ7gyW0/Mw9v1YRNH3DkbWSeHZ3odhDWdaWkzR6yOEt5hO60eM0w8Tjoed30Jwf+enf1rJFStDe/dhg6vjUIaTn6tt1Gw==" + ] + } + }, + ... +} + +``` + +The previous command can be useful to encrypt, for example, an Active Directory's login used by the +agent during the synchronization process. + +The login to encrypt is stored in the following format, compliant with the +[appsettings.agent.json structure](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md): + +appsettings.beforeEncryption.json + +``` + +{ + ... + "Connections": { + ... + "ADExport": { + "Login": "Administrator" + } + } +} +``` + +This command writes encrypted values from `appsettings.agent.json` to +`C:/identitymanagerTraining/appsettings.encrypted.agent.json` following the +[appsettings.agent.json structure](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md): + +``` +appsettings.encrypted.agent.json +{ + ... + "Connections": { + ... 
+ "ADExport": { + "Login": "kxABAM9LW6vyx3TpDXoU5mKKQAwxxNcH9Q2z+dk+E7BNzrI346fUUiPmnJlOJZNX8bA1sokpDHTJBJngdF8LqVuWhk0t+IBpHE+iRJZ4q6i/CzX/OnpoGEHLSL5gZUixIqn9kul5AbxI38d/aGkCGIeAGY73rf0eQRizB2uR/ObR/H9jm3dHGt3TUNyOH4WqdwrXL0WTeMyfme6O+2PMoGvmjVF04keicuisjj/jROxTcDKe69qjPuCJZabR69CA2qP1TPMDMy/zlg8bzRZKepw8VxI4OpIKrbwhaUTauJMR6URPsOZ54fdocKi3oEyvpm2AhX4YF8GpOw7fBQrPWte/JJFOxgIzH1Kh0d0YhC2ZpMCXexfOlB2Y9afWG/t7rdi4VDsEf8gwj+IJ3HbE0dtIPLw=" + } + } +} +``` + +## Arguments + +| Name | Details | +| -------------------------------- | ---------------------------------------------------------------------------- | +| --input-json-file-path required | **Type** String **Description** Path of the input to-be-encrypted json file. | +| --output-json-file-path required | **Type** String **Description** Path of the output encrypted json file. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md new file mode 100644 index 0000000000..81839b8b71 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md 
@@ -0,0 +1,93 @@ +# Usercube-Protect-X509JsonValue + +This tool is used to encrypt sensitive connection data, for example data from the +`appsettings.agent.json` file, with +[RSA encryption](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). +The encryption is based on the information given in your `appsettings.json` file about either a PFX +file or the location of the +[encryption certificate](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md#encryption-certificate) +in the Microsoft store. + +This tool `Usercube-Protect-X509JsonValue` is used to encrypt only given values, in comparison to +the +[`Usercube-Protect-X509JsonFile`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) +tool that encrypts a whole file. This tool is more appropriate than `Usercube-Protect-X509JsonFile` +when you have only a few lines to encrypt. + +## Examples + +The command below encrypts the task agent configuration `0` and the OpenId Client `secret` used in +the `appsettings.agent.json` file. + +``` + +./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" + +``` + +As a response, the powershell returns one string per given value. 
+ +``` + +PS C:/identitymanagerTraining/Runtime> ./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" +kxABACJhXxJwnGJSug/nE6ODGGYwnzhX1WeYUHmS7gkMLpF15K7POOZAVWsl93zuYaVStPK0sV+U6mOE4h5IzbT083Uac+/NKic+qNZLYi4PRum+G17pIeSMBu3z7GQJxGGkAeX7dwf0kc/oDW5yAQ1BtFN+k27UHZkUrz0fe/eOZwTHbgV5sSUM+6pXW6IQd2VnVRRKLyWij0MAKsCNlHtv6QE73b8P8u7liRdzWOueqE2blAZk0rm0JzFxZlUQKgIMBTk2cuFWph7rp8dp8h8mDKJl9xbYzAtmM/rgXuhcMYryIrlqFeBWt1J65cfL7HNQb6OX7Imb2LQZmZMI2xc1gFyiXjeINeMriYm3zecnSBMiYEGW6RddE6doJOtrTyznrg== +kxABAJT+2u1C1r0JI8criUz15QkI71x6/BPeNMlPWEL5ZHkTvZWVnMLG/zNJz9PvnjfecROC4fkxPRI5U+sF8W1caH8DtxnzM0ctYD0QtRcpS9z48y2mUzOzl3pU68BQyosyZGZW0ifXVI9UJVGMzMTfWloCw+R+xfZHviYLVGT8y2PKkCBdNp7IcZN4qT6mq8AmTIMSgwagR854n1EHn8lT5nUUFmhZ7iIJ/sonEVG4uyTAjND9YXSsfL9dm2ipTzXrybruIkVU051aczdohreMRsfeSB6TDAYa3GEMNeAb3CzI5I/6NpKYEzZEoYu4JXAzE6bqHeK2oVJyrmTL11kwq4m9fTMwlwmB0GaPeJtbQoih6TIX2qlOPfQdsrZt0dl5qw== + +``` + +Then you just need to copy and paste them. + +The following example shows how to update the OpenId ClientSecret matching the "ContosoCharlotte" +OpenId ClientId in the `appsettings.encrypted.agent.json` file. + +The initial `appsettings.encrypted.agent.json` file resembles the following: + +``` +appsettings.encrypted.agent.json before update +{ + ... + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "dKIHkloXG6i1LkxkhjkKoVKS9gFO7Hx8VUm" + } + } +} +``` + +The new ClientSecret to encrypt is _charlotte2028_. + +Using the `Usercube-Protect-X509JsonValue.exe`: + +``` +./identitymanager-Protect-X509JsonValue.exe --values charlotte2028 +``` + +The `--values` parameter also accepts multiple white-space-separated values for encryption. + +The output, in the console, shows the encrypted value for the _charlotte2028_ string. 
+ +``` + +kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw== + +``` + +The last step is to update the `appsettings.encrypted.agent.json` file by copy/pasting this new +encrypted value to replace the old one. It results in: + +``` +appsettings.encrypted.agent.json after update +{ + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw==" + } + } +} +``` + +## Arguments + +| Name | Details | +| ----------------- | ---------------------------------------------------------- | +| --values required | **Type** String **Description** List of values to encrypt. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/refreshschema/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/refreshschema/index.md new file mode 100644 index 0000000000..da97a04c3c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/refreshschema/index.md 
@@ -0,0 +1,27 @@ +# Usercube-RefreshSchema + +## Examples + +`Usercube-RefreshSchema` can be used as an executable file as follows: + +``` +dotnet Usercube-RefreshSchema.dll --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connection-id -2 + +``` + +The credentials used to connect to the connection come from the +[Agent Appsettings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +## Arguments + +| Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-id \*required | **Type** Integer **Description** Id of a connection whose schemas are updated. See [Connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [OpenID Connect ClientId/Secret pair](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md), linked to a profile with the relevant permissions. 
| +| --api-url required | **Type** String **Description** URL of Usercube server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md new file mode 100644 index 0000000000..8ea3fe3b7a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Send-PasswordNotification + +## Examples + +### Manually send a password initialisation mail notification + +Consider a user who needs an account in an external system. Consider that this account requires a +password. + +As an example, we will consider that the id of the +[resource type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +associated with the external system is 10, and the id of the assigned resource type associated with +the user is 1000. + +Once the password is set, we need to communicate this password to the user. We send a mail +notification to inform the user. + +`--password true --assigned-resource-type 1000 --resource-type-mapping 10` + +For the notification to be sent, the server set at **appsettings** > **ApplicationUri** should be +running. +The [resource type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +should have an associated +[password reset setting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md). +For +the notification to be sent, the password reset settings should at least contain a notified email +binding. +For the notification to make sense, the password reset settings should at least contain a beneficary +full name binding. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --assigned-resource-type required | **Type** String **Description** Specifies the id of the assigned resource type corresponding to the user and the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **AssignedResourceTypeId**. **Example** Send a notification for the assigned resource type with id 1000: `--assigned-resource-type 1000`. | +| --password required | **Type** String **Description** Specifies the new password that will be sent by mail. **Example** Send a notification for the password NewPassword: `--password NewPassword`. | +| --resource-type-mapping required | **Type** String **Description** Specifies the id of the [resource type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) corresponding to the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **ResourceType** > **Id**, as the resource type and its corresponding resource type mapping share the same id. **Example** Send a notification for the resource type mapping with id 10: `--resource-type-mapping 10`. 
| +| --notification-cc optional | **Type** Integer **Description** Specifies an address that should also receive the notification. **Example** Add [admin@acme.admin](mailto:admin@acme.admin) to the mail CC: `--notification-cc admin@acme.admin`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md new file mode 100644 index 0000000000..a8e7f573bd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/server/index.md @@ -0,0 +1,27 @@ +# Usercube-Server + +This tool runs the main Usercube Server. + +## Examples + +With a properly configured environment, the following command runs the server. It listens on two +different ports: + +``` +./identitymanager-Server.exe --urls "http://localhost:5000;http://localhost:5001" +``` + +When the Server starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:5000 +[xx:xx:xx INF] Now listening on: http://localhost:5001 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ----------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the server is listening to. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md new file mode 100644 index 0000000000..a1ce21937c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md 
@@ -0,0 +1,35 @@ +# Usercube-Update-EntityPropertyExpressions + +This tool is used to recompute the values of all properties defined via expressions (C#, etc.), +usually to prepare for a connector's synchronization. + +## Examples + +The following example updates the property expressions of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --batch-select-size (-q) default value: 10000 | **Type** Int32 **Description** Batch size for SELECT queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --batch-update-size (-c) default value: 20000 | **Type** Int32 **Description** Batch size for UPDATE queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. 
recently modified. | +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. | +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in [`SelectUserByIdentityQueryHandler`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md new file mode 100644 index 0000000000..9de88048a8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md 
@@ -0,0 +1,29 @@ +# Usercube-Upgrade-ConfigurationVersion + +This tool is used to upgrade your configuration from your current version entered in settings to the +latest version. + +## Examples + +``` + +./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.0" --xml-path "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/Conf2" + +``` + +In this example, the configuration files are in the folder "C:/identitymanagerDemo/Conf" and at version +"5.1.0". This tools will upgrade all the xml files to the latest version and save them in the folder +"C:/identitymanagerDemo/Conf2". + +## Arguments + +| Argument Name | Details | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --version required | **Type** String **Description** Current version. | +| --xml-path required | **Type** String **Description** Current xml configuration folder to migrate. | +| | | +| --- | --- | +| --output required | **Type** String **Description** Path of the folder where the result will be saved. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md new file mode 100644 index 0000000000..ee937b4060 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md 
@@ -0,0 +1,50 @@ +# Usercube-Upgrade-DatabaseVersion + +This tool is used to run the necessary migration scripts in order to upgrade the database structure +from its current version to the most recent version. + +## Examples + +To upgrade a database with the connection string `databaseConnectionString`, go to the Runtime +folder of the newest version and launch the tool with the following argument: + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" + +``` + +If the database has been correctly upgraded, the following message should appear: +`Database has been upgraded to version X.X.X`, with "X.X.X" being the newest version to which the +migration was made. + +### With a Mode + +The following example runs the database upgrade tool only for backward compatible changes. + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges + +``` + +### With the Execute Predefined + +The following example runs the database upgrade tool only for backward compatible changes and the +predefined script. As the predefined script is always executed in the other modes, this option is +useful only when specifying `--mode BackwardCompatibleChanges`. 
+ +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges --execute-predefined + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-string (-s) required | **Type** String **Description** Connection string to the database. **Example** `--connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"` | +| --execute-predefined optional | **Type** No Value **Description** Indicates that the predefined SQL file must be executed, when using the `BackwardCompatibleChanges` mode. | +| --mode default value: All | **Type** Enum **Description** `All` - run all the script types. `BackwardCompatibleChanges` - only execute backward compatible scripts. **Note:** the previous runtime can still work. `BreakingChanges` - only execute breaking scripts. **Note:** the server must be stopped. `CleanupChanges` - only execute cleanup scripts, to cleanup the database after the server restarted with the new runtime. **Example** `--mode BreakingChanges` | +| --force-version optional | **Type** String **Description** Forces the database version instead of using the current one to replay the migration scripts. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md new file mode 100644 index 0000000000..9e8a6ec5ef --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md 
@@ -0,0 +1,240 @@ +# Access Certification + +The Access Certification module enables chosen end-users to carry out assignment certification +campaigns, which aim to certify assignments of entitlements. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- a certain category of roles; +- a certain type of assignment; +- assignments not certified since a certain date; +- assignments presenting a certain level of + [risk](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md). + +Usercube uses an access certification campaign to define the campaign's scope including: + +- the start and end date of the campaign; +- the group of entitlement assignments to be certified during the campaign. + +Every entitlement assignment to be certified is represented in the database by an access +certification item, created along with a new campaign, according to +[access certification data filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) +and +[access certification owner filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md). + +The relevant database tables are prefixed with `US_`. 
+ +### Job for access certification + +After the campaign's creation, access certification items are assigned to reviewers (Usercube +end-users) by the +[`CreateAccessCertificationJob`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md), +composed of the following tasks: + +1. [`Usercube-Update-AccessCertificationCampaign`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + simply applies the campaign's scope, determines which permissions are to be certified, by + computing certification orders; +2. [`Usercube-Set-AccessCertificationReviewer`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + assigns one review for each access certification item to end-users whose profile's scope of + responsibility matches the entitlement to be certified; +3. [`Usercube-Send-AccessCertificationNotification`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + sends notifications to concerned reviewers. +4. [`Usercube-Process-AccessCertificationItems`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + processes the access certification item decisions and generates the corresponding deprovisioning + orders. + +## Set up the Configuration + +Configuring the Access Certification module entails: + +- setting up profiles to carry out the certification; +- configuring their scope of responsibility; +- enabling automatic and forwarded assignments of access certification items to end-users. 
+ +### Campaign creation + +At least one Usercube profile needs permissions to create campaigns. + +Such permission can be granted using the +[`AccessReviewAdministrationAccessControlRules`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +scaffolding. + +The administrator profile, created with +[`CreateAdministratorProfile`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) +scaffolding, already has these permissions. + +If you are not using the +[`AccessReviewAdministrationAccessControlRules`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +scaffolding, the user cannot query on dimensions when editing the +[owner filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md), +so you need to give the permissions on the correct contexts: + +``` + + + +``` + +### Profile scope of responsibility + +The scope of responsibility of a profile is a set of criteria that defines which assignment of +entitlements this profile will certify. For example, the `Manager` profile is responsible for +reviewing entitlement assignments of identities working in their department. + +A profile's scope of responsibility is configured by giving access, with +[access control rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md), +to a specific set of access certification items that match the profile's scope of responsibility +criteria. 
+ +##### Example + +This example shows how to set the scope of responsibility for the `Manager` profile. + +``` + + ... + + +``` + +The filter indicates that a review with the `Manager` profile can only access items for which the +binding `Owner.Directory_User:MainRecord.Organization.Id` matches their dimension `organization0`'s +value. + +This example needs to be completed with either automatic assignment or manual assignment +capabilities. + +For certification items to be assigned to a profile, a permission context has to be added to the +access control rule. + +### Access certification item assignments + +Access certification items can be assigned to end-users via: + +- Automatic assignments, computed by the reviewer-setting task when a given profile's scope of + responsibility matches the entitlement to be certified; +- Forwarded assignments, automatically assigned to an end-user, but then manually forwarded to + another user from the UI. + +#### Automatic assignments + +For a profile to be the target of an automatic assignment of an access certification item, it needs +the `/Custom/AccessCertification/AutoAssigned/{entityTypeName}` permission. + +##### Example + +This example completes the previous one by adding the automatic assignment capabilities. + +``` + + + +``` + +This example enables automatic assignments of access certification items that match the filter to +end-users with the `Manager` profile. + +If the filter criterion is matched for several end-users, only one is assigned the certification +item, and this assignment is made randomly. Therefore, in order to have a cleaner reviewing +architecture, it is recommended to carefully set the `Filter` attributes in the +[access control rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that no two end-users' scope of responsibility overlap. 
+ +#### Forwarded assignments + +The target profiles need the following `/Custom/AccessCertification/ManualAssigned/{entityTypeName}` +permission. + +##### Example + +``` + + + +``` + +This example allows the `Manager` profile to be the target of forwarded assignments. + +There is no filter so the `Manager` profile can certify all forwarded certification orders for the +`Directory_User` entity type, regardless of his previously configured scope of responsibility. + +It is recommended to have a larger scope for forwarded certification orders than for automatically +assigned ones. + +### Certification policy + +Scopes of responsibility can also be defined in terms of +[access certification campaign policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md). + +Assigning an access certification campaign policy to an access certification campaign allows the +creation of campaigns dedicated specifically to one set of reviewers. + +The following example creates a new policy named `Manager`. + +``` + + + +``` + +It automatically appears on the campaign creation screen, and binds itself to the created campaign: + +![Campaign creation screen with policies](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp) + +To use it, modify the +[access control rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +by adding a filter on the campaign policy. + +##### Example + +``` + + + +``` + +In this example, the `Manager` profile is only able to certify items for a campaign defined with the +`Manager` policy. + +A default policy is already defined. If no filter is set when giving the permission, the policy is +not considered. 
+ +### Access certification item processing + +Once entitlement assignments have been reviewed (accepted or rejected), the final step is to apply +these decisions with the processing task, eventually denying assignments. This is done through the +UI. + +The user needs to have the correct permission to launch the item processing: + +``` + + + +``` + +It is also possible to add +[access control filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +when creating the permission set so that users can only access certain type of campaigns. + +This permission also is given by the +[`AccessReviewAdministrationAccessControlRules`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +scaffolding. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/index.md new file mode 100644 index 0000000000..acfd2559fa --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/index.md @@ -0,0 +1,7 @@ +# How-Tos + +These guides will help you perform various governance actions with practical step-by-step +procedures. + +- #### [Review Prolonged Entitlements](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md) + Allow a manager to review the permissions prolonged by a grace period. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md new file mode 100644 index 0000000000..e4ae690134 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md @@ -0,0 +1,27 @@ +# Review Prolonged Entitlements + +This guide shows how to allow a manager to review the permissions prolonged by a grace period. + +## Overview + +Consider an entitlement given via a role which is defined with a grace period. Consider that this +role is assigned automatically to some users by a rule of the role model. If this rule changes and +the users are supposed to lose the role, then they keep it for the time defined by the +[grace period](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), +and the role's workflow state switches from `Automatic` to `Prolonged`. Then a manager must access +these entitlements in the **Role Review** screen, to either approve or decline the role +prolongation. + +## Assign the Right to Review Prolonged Entitlements + +The right to review prolonged entitlements is given by adding the appropriate `AccessControlRule` on +a profile. A profile should get the right to review prolonged entitlements given for both single and +composite roles. Technically speaking, we need to create one access control rule for assigned single +roles, and another one for assigned composite roles. In this case we give access to the workflow +state 27 which is the workfow state `Prolonged` linked with the grace period. + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/index.md new file mode 100644 index 0000000000..833516b8ce --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/index.md 
@@ -0,0 +1,44 @@ +# Governance + +Usercube's governance features intend to provide tools that control assignments of entitlements and +measure IGA policies efficiency. Control over the assignments is achieved by designing a role model, +automating assignments, using the risk management module, and performing certification campaigns. +Measuring policies efficiency is enabled by reporting and auditing capabilities. + +Reporting, access certification campaigns and risk management are three important tools that +complete the governance arsenal. + +## Reporting + +With reporting features, stakeholders can measure the effect of IGA policies on the assignment +landscape and adjust if needed. Governance also helps produce audit-ready reports. You can start to +set up governance features relatively early in your Usercube journey and measure your progress from +the very start. + +Usercube puts users in control of their reporting. Rich features, such as the query module, help +produce custom reports that can be used to check the assignment policy results, or gather +information for an audit. + +## Access Certification Campaigns + +A certification campaign is a recurring event, scheduled for example every week, month or year, +during which managers review their team members' entitlements. Sensitive assignments are then kept +or removed. + +Certification campaigns are the best way to make sure past assignment decisions are still in the +best interest of the organization. They can be a good way to mitigate a lack of automation in your +assignment decisions concerning, for example, movers or leavers. + +Usercube's certification module also helps managers produce accurate reports that they can present +to an auditor. + +[Learn how to configure certification campaigns](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md). 
+ +## Risk Management + +The risk management module provides tools for identifying entitlement assignments that pose a +security risk. The module facilitates the analysis and mitigation of different kinds of risks such +as Segregation of Duties (SoD) or High Privilege. Risks can be used to identify sensitive +assignments that should be reviewed first during a certification campaign. + +[Learn how to configure risks](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md new file mode 100644 index 0000000000..78b546d03a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md 
@@ -0,0 +1,125 @@ +# Analyze Usercube's Data with Power BI + +This topic explains how to prepare Usercube's data and use it in Power BI, with the final goal to +generate user-friendly reports. + +## Overview + +[Power BI](https://powerbi.microsoft.com/en-us/why-power-bi/) is used with Usercube to generate +user-friendly reports in an interactive way, based on Usercube's database. + +The SaaS edition [Power BI Service](https://www.microsoft.com/en-US/download/details.aspx?id=58494) +contains an integrated Usercube connector, so we simply need to make Usercube's data usable by +configuring a particular data model. + +As this new model is to be organized into XML elements called universes, we will call the new data +model the universe model. + +Based on this model, Power BI will be able to: + +- query the database +- generate a model containing the data that we want to include in reports +- transform data if needed +- generate customized graphic reports +- publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises) + +![Process Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp) + +## Prerequisites + +Usercube's licenses for Power BI as well as Usercube Data are required to operate. + +Integrators need to know: + +- Usercube's data model, i.e. the entity names, the associations between the entities to display, + etc. from both Usercube-hard-coded and customized parts +- what data needs to be displayed in the end + +**NOTE:** Power BI is able to analyze all Usercube's data, hard-coded and customized, but only +current data, i.e. nothing from the history. + +## Analyze Usercube's Data with Power BI + +Build the universe model by proceeding as follows: + +**Step 1 –** Define the appropriate universes using scaffoldings. 
See +the[ queries ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) + +_Remember,_ in order to understand business intelligence, with its universes, entity instances and +association instances. See +the[ Universe ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md)topic +for additional information. +Also note that XML objects that automatically generate XML snippets that would be complex and/or +tedious to write manually. See +the[ Scaffoldings ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md)topic +for additional information. + +Netwrix recommends creating no more than one universe to generate one report, to prevent issues +about name uniqueness. + +**Step 2 –** Connect Power BI to Usercube to visualize the output model. See +the[ Connect Power BI to Usercube ](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) +topic for additional information. + +The Power BI applications **Desktop**, **Service** and **Report Server** all offer the Usercube +plugin to access Usercube's database. + +**Step 3 –** Remember to clear the cache in Power BI when modifying universes, to ensure that all +changes are considered. + +**Step 4 –** Customize the queries in Power BI, if needed, with the +[M language](https://docs.microsoft.com/en-us/powerquery-m). + +You can see in Power BI queries that Usercube must be specified as a source via the expression +`Source = Usercube.Universes("")`. + +Integrators may need to customize the model to make it more understandable and easily usable by +end-users. + +For example, the following M query removes the column Company Id from the table +Directory_User_Records, considering that we do not need it for future reports. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +let +    Source = Usercube.Universes(""}) +in +    Directory_User_Records_WithoutCompany +``` + +Another common use for manual queries is the denormalization of the model, when it simplifies the +future queries and reports for end-users. + +**Step 5 –** Generate reports and publish them for end-users by following the steps listed in the +[Power BI documentation.](https://docs.microsoft.com/en-us/power-bi/create-reports/) + +This is how you analyze Usercube data through Power BI. + +## Maintain the Model + +In order to maintain the model you must remenber the ones listed below. + +Refresh data + +You must define, in Power BI Service or Report Server, a frequency for data refresh so that reports +display up-to-date data. See +[Power BI documentation](https://docs.microsoft.com/en-us/power-bi/connect-data/refresh-data) for +additional information. + +Data is often refreshed once a day. Define the refresh frequency according to your needs. + +Foresee the Impact of Model Modifications + +A change inside an existing entity, for example adding a scalar field, does not require any +particular actions on the universe model. + +A change in an association requires making the corresponding change in the universe model, as +association instances (in the universe model) are based on entity associations in Usercube's data +model. See +the[ EntityAssociation ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md new file mode 100644 index 0000000000..7ea93b6ca5 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md 
@@ -0,0 +1,66 @@ +# Connect Power BI to Usercube + +This guide shows how to connect Power BI to Usercube. + +## Overview + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Usercube offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Usercube's universes. + +## Prerequisites + +- Power BI Desktop must be installed on your device. +- Usercube's server must be running. + +## Connect Power BI to Usercube + +Connect Power BI to Usercube by proceeding as follows: + +1. Open Power BI Desktop. +2. Click on **Get data** either in the welcome window or in the home menu. + + ![Get Data](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp) + +3. In the opening window, search for **Usercube**, click on its plugin in the right menu, and click + on **Connect**. + + ![Get Data Window](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp) + +4. Enter Usercube's server URL in the opening window. + + ![Server URL](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp) + +5. In the opening window, enter the + [OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) + of the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of + `OpenIdClient` with `@` and Usercube's domain name. See the following example. 
+ + ![Client Id / Client Secret](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp) + +6. You can now access in the left panel the + [universes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + from Usercube configuration. You can click on the desired universe to expand it, and view and + pick the desired tables. + + ![Universe Panel](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp) + + **Power BI tip:** to view a table, click on its name. To select a table, check the box next to + the table's name. + +7. Once you've selected all the tables you need, click on **Load** to import data to the Power BI + report. You can also click on **Transform data** to open the query editor and make other changes + in your tables, rows and columns. + +## Clear the Cache + +Remember to clear the cache in Power BI to ensure that all changes are considered. + +Clear the cache by proceeding as follows: + +1. In Power BI, click on **File** > **Options and settings** > **Options**. +2. In the **Data Load** tab, click on **Clear Cache**. + + ![Clear Cache](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/index.md new file mode 100644 index 0000000000..6349c49e40 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/index.md 
@@ -0,0 +1,8 @@ +# How-Tos + +These guides will help you perform reporting with practical step-by-step procedures. + +- #### [Connect Power BI to Usercube](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) +- #### [Analyze Usercube's Data with Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md) + Prepare Usercube's data and use it in Power BI, with the final goal to generate user-friendly + reports. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/index.md new file mode 100644 index 0000000000..03c7f81004 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/index.md @@ -0,0 +1,8 @@ +# Reporting + +The Reporting module is used to generate basic reports in CSV using +[SQuery](/docs/identitymanager/6.1/identitymanager/integration-guide/api/squery/index.md), or advanced +reports using the +[Business Intelligence module](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md). + +[See more information about generating reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md new file mode 100644 index 0000000000..d0a24796c2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md 
@@ -0,0 +1,180 @@ +# Risk Management + +The Risk Management module provides tools for identifying assignments of entitlement that pose a +security risk. The module helps analyze and mitigate different kinds of risks such as _Segregation +of Duties_ or _High Privilege_. This is the basis for auditing and performing access certifications +with a risk-based method. + +## Overview + +A +[risk](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +describes a sensitive situation of entitlement assignments that needs to be monitored. + +Risk management is essential to auditing. End-users can define models of risks, assigned to +identities based on their entitlement assignments. This action identifies identities whose +entitlement landscape might pose a threat or a surface of attack. The identitied risks for a given +identity inform the auditor about the exact nature of the threat to help making decisions and +finding methods of remediation. + +To identify the identities that represent the highest risk, Usercube computes a risk score for all +identities, based on both the roles already assigned and the roles that are subject of the current +request. The higher the score, the higher the threat. The identities with the highest risk scores +are the priority of the next +[access certification campaign](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md). + +[See more information about how to use the risk management module](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md) +to identify entitlement assignments that pose a security risk. + +## Risk Definition + +A +[risk](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +is an object that describes a sensitive situation of assignments of entitlements. 
+ +The assignment of a risk to an identity highlights, for a potential auditor, the need to closely +reconsider said the assignments of said identity. + +A risk is always: + +- part of a + [policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md); +- assigned to identities belonging to a specific entity type that was decided during the risk + creation; +- organized inside a type; +- linked to an exemption policy. + +## Risk Type + +The type of a risk informs the auditor about the exact nature of the situation that the risk +describes. It helps understand the possible causes, the importance of the security threat and +methods of remediation. + +Usercube supports two types of risks: + +- a segregation-of-duties risk identifies a threat due to the conjunction of two or more + fine-grained entitlements for the same identity, for example if an identity requests an + entitlement and is also the validator for said entitlement; +- a high-privilege risk identifies a threat due to the assignment of one or more highly sensitive + entitlements, for example the `Domain User` group in an Active Directory. + +## Risk Exemption Policy + +All risks are assigned an exemption policy that defines the behavior of Usercube regarding risks +when entitlements are manually requested. + +### Blocking + +Risk-triggering permission requests can be forbidden with the blocking exemption policy. If at least +one of the detected risks in the requested entitlement set has the blocking exemption policy, then +Usercube does not allow the set to be requested at all. 
A message is displayed and the request must +be cancelled: + +![Exemption Policy - Blocking](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp) + +### Approval Required + +Yet, instead of being unilaterally forbidden, risk-triggering permission requests can be authorized +with an additional role review approval with the approval required exemption policy. If at least one +of the detected risks in the requested entitlement set has the approval required exemption policy, +then Usercube adds a step where this new set must be reviewed by a knowledgeable user like a +security officer. A message is displayed and the request can be continued or cancelled: + +![Exemption Policy - Approval Required](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp) + +If the request is performed, then a line appears on the **Role Review** screen. + +The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following +risk icon. + +![Home Page - Role Review](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg) + +### Warning + +Risk-triggering permissions can also be allowed with only a warning with the warning exemption +policy. If all detected risks in the requested entitlement set has the warning exemption policy, +then Usercube displays a message and the request can be continued or cancelled: + +![Exemption Policy - Warning](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp) + +### Upon Profile + +The blocking and approval required exemption policies can be ignored according to the profile of the +user and their scope of responsibility, with respectively the blocking upon profile and approval +required upon profile exemption policies. 
Then they can be assimilated to the warning policy if the +user has the right permission, respectively **/ProvisioningPolicy/Risk/OverrideBlocking** and +**/ProvisioningPolicy/Risk/OverrideApproval**, otherwise they behave like the blocking and approval +required policies. + +Like in the example below, the two permissions can be chained together. For the connected user, a +risk that would have been blocking otherwise, is just a warning. + +``` + + <AccessControlRule Profile="Administrator" EntityType="Risk" Identifier="Administrator_Risk_Override" DisplayName_L1="Administrator_Risk_Override"> <Entry Permission="/ProvisioningPolicy/Risk/OverrideBlocking" CanExecute="true" /> <Entry Permission="/ProvisioningPolicy/Risk/OverrideApproval" CanExecute="true" /> + +``` + +## Risk Assignment + +### Risk Rules + +[Risks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +are assigned to resources manually by a knowledgeable user or automatically, by the +[Evaluate Policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) +algorithm. + +When a risk is assigned to a resource, a new identified risk is created under the +`UP_IdentifiedRisks` table. + +Automatic assignment of risks is based on +[risk rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md). +For each new fine-grained assignment on a resource, risk rules are applied. If one of the rules +matches the resource state, the related risks are assigned to the resource. Those rules are +themselves based on fine-grained entitlements, such as an Active Directory account or group +membership, modeled by the +[navigation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +within Usercube. 
+ +A risk rule states that a risk is assigned to a resource if the resource has one or several specific +fine-grained entitlements. The number of triggering entitlements depends on the risk type. For +example, the segregation-of-duties risks depends on at least two entitlements. The other types of +risk depend on one or more entitlements. + +### Fine-grained entitlement + +A fine-grained entitlement assigned to a resource-identity in Usercube is modeled by navigation +property values of the resources owned by the identity. + +To write a risk rule, the end-user has to describe a fine-grained entitlement for a +resource-identity. + +This is the way: + +1. Choose an + [entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + of which the resource-identity could be owner. +2. Choose a navigation property of that entity type. +3. Choose a value for that navigation property. The value would be a resource from the unified + resource repository. + +This final value is a fine-grained entitlement, linked to the owner resource-identity through the +navigation property and the ownership relationship. + +## Risk Score + +Once +[risks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +are assigned to identities, Usercube computes a risk score for each relevant identity. + +This score allows an auditor to prioritize the +[access certification campaign](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md). +The identity with the highest risk score poses a more serious security threat and has to be handled +first. + +During access certification, assignments that are responsible for triggering the risk will be +examined and then, kept or discarded. + +The risk score computation is performed by the risk score task. 
+ +![Compute Risk Score Task](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/identity-repository/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/identity-repository/index.md new file mode 100644 index 0000000000..a32aad9d23 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/identity-repository/index.md 
@@ -0,0 +1,62 @@ +# Identity Repository + +One of the main purposes of an IGA tool is to build a comprehensive repository containing all +identities in the organization. This repository is essential in order to set up the features for +identity lifecycle management, and manage entitlement assignments. + +## Overview + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Usercube, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +The identity repository can be created and updated by: + +- uploading an Excel file provided by Usercube with the right model; +- using Usercube's workflows; +- synchronizing HR files to Usercube via a specific connector. + +NETWRIX recommends creating the identity repository by downloading the provided Excel file, filling +it with HR information, and uploading it back. +[See how to create the workforce repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md). 
+ +Then +[perform mass updates](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) +with the same kind of process, and +[individual updates](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) +via Usercube's workflows. + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. + + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md new file mode 100644 index 0000000000..4f0514b81c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md 
@@ -0,0 +1,31 @@ +# Identity Management + +Identity management is about creating a repository of identities (all kinds of identities) along +with the entitlements that they need to work. One of the main purposes of an IGA tool is to help +create the identity repository, and to keep it up-to-date with identities' lifecycles within the +company. + +"Identities' lifecycles" mean any Joiners, Movers and Leavers (JML) process, i.e. staff changes, +i.e. any user's onboarding, position modification and offboarding. + +[See more information on the identity repository](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/identity-repository/index.md). +[See how Usercube handles the Joiners, Movers and Leavers (JML) process](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md). + +Identities in Usercube are mostly humans, both internal and external workers, but can also be +applications, bots, service accounts, or anything. + +Identities are stored in the database as +[resources](/docs/identitymanager/6.1/identitymanager/integration-guide/resources/index.md), which helps +with Usercube's internal mechanisms, for example to +[modelize identities with entity types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +Additional interesting parts of identity management are: + +- the synchronization of identity changes through several repositories, for example both Usercube + and the AD; +- the provisioning of identity properties directly to the connected systems, based on the + computation of the + [role model](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md). + +[See more information about synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md). +[See more information about provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md). 
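Review bot: In identity-management/index.md the two "See ..." links after the JML paragraph, and the two at the end of the file, are on consecutive lines with no blank line or list marker between them, so Markdown joins each pair into one run-on paragraph. Put each pair in a bullet list or separate the links with a blank line. In the same hunk, the JML sentence chains "i.e. staff changes, i.e. any user's onboarding ..." and should use a single "i.e.", and "modelize identities" should read "model identities".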
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md new file mode 100644 index 0000000000..af8814a7c0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md @@ -0,0 +1,9 @@ +# Identity Lifecycle: Joiners, Movers and Leavers + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records. + +In Usercube, the JML process is done through workflows or through synchronization to the HR system. + +[Learn about onboarding and offboarding](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md). +[Learn about position changes via records](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md new file mode 100644 index 0000000000..5b3bb24e59 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md 
@@ -0,0 +1,65 @@ +# Onboarding and Offboarding + +In Usercube, onboarding and offboarding are done through workflows or through synchronization to the +HR system. + +## Onboarding + +The onboarding process for a new employee or contractor is materialized by the creation of a new +resource in the identity repository. This creation triggers the fulfillment of the entitlements +required by the user to perform their duties and be productive on day one. + +The entitlement fulfillment can be performed in different ways: + +- Usercube suggests the entitlements needed by the new user, prepares the provisioning procedures, + and wait for the manual trigger of a manager or security officer. +- Usercube automatically triggers the provisioning of the entitlements needed by the new user, + without any more human input. + +[See more information about entitlement assignment](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md). + +The automation of the entitlement assignment processes can be really helpful. However, you should +not be looking for a full automation, but rather the smart automation of basic assignments such as +"birthrights", while the sensitive ones keep a manual process. + +[See more information about assignment automation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md). + +## Offboarding + +The offboarding process doesn't necessarily mean the deletion of the resource from the identity +repository because, for legal and/or security purposes, the company may need to be able to access a +person's history in the company for a certain time, even after their departure. + +This is why the departure triggers the removal of all entitlements for the departing identity. +Hence, Usercube knows all the past and present entitlements of any identity. + +## Period of Validity + +The joining and leaving of an identity are materialized by the identity's period of validity. 
This +way, the resource is valid from the start date until the end date. + +These start and end dates can be configured to be different from the actual start and end dates of +the user's contract in the company. + +These dates should then be part of entity types' properties (for example as `StartDate` and +`EndDate`), in order to be used in +[record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +and +[context rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md). + +![Identities - Validity Period](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp) + +At the start date, the resource is created and a few entitlements are assigned to the identity. + +Between the start and end dates, the identity is part of all of Usercube's calculations +([role model](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md), etc.). + +At the end date, all the entitlements previously assigned to the identity are removed. + +After the end date and until its explicit deletion, the resource is still in the identity +repository, but it is not part of any calculation anymore. + +Keeping track of former employees usually helps solve issues involving orphan accounts. + +A resource is deleted either via a resource-deletion workflow, or via the synchronization of HR +files if the user was removed from HR lists. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md new file mode 100644 index 0000000000..2699518c4a --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md 
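Review bot: in on-offboarding/index.md, the Period of Validity section says the start and end dates "can be configured to be different from the actual start and end dates of the user's contract", and then that entitlements are removed at the end date, without saying which direction is expected. An end date set later than the contract end keeps every entitlement assigned after the person has left, so please state the intended use of the offset and call out the late-end-date case explicitly. In the Offboarding section, "Hence, Usercube knows all the past and present entitlements" does not follow from the removal of entitlements in the sentence before it; it follows from the resource being retained, so reorder those sentences. Minor: "and wait for the manual trigger" should be "and waits".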
@@ -0,0 +1,201 @@ +# Position Change via Records + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records and contexts. + +In Usercube, position changes are made through workflows or through synchronization to the HR +system. + +## Overview + +The entitlements of a user must be updated with the user's position changes: the entitlements needed +for the previous position are removed, and the entitlements needed for the next position are added. +This is essential to prevent users from cumulating entitlements when moving. + +Just like onboarding, the entitlement fulfillment can be performed either by using Usercube's +suggestions for the needed entitlements and adjusting them, or trusting Usercube with an automated +fulfillment. + +Usercube's calculations for entitlement assignments rely on heuristics, through identities' key +properties called +[dimensions](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +> For example, consider an entity type modeling identities with their job title, department and +> location. +> +> Then a user working as a accountant in Paris will receive different entitlements from another user +> working as a marketing specialist in Scranton. + +Hence entitlement assignment is usually based on identities' positions. + +Within the company, an identity can hold one or several positions, sometimes several positions +simultaneously. + +## A Model for Identity Changes + +Any change in an identity's lifecycle, such as a position change, usually entails a change in a +given set of properties simultaneously. + +> For example, a position change can typically trigger a change at least in the job title and +> location, together with the position start and end dates. 
+ +It seems natural to model identities by splitting their properties into three entities: one for +users' personal data, one for their contract(s) and one for their position(s): + +![Records Origin - Three-Entity Model](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp) + +A user can have several positions over time, even simultaneously. A user's contract can change over +time too. Even personal data is subject to change. This is why we can have several sets of personal +data (and/or several contracts and/or several positions) for a single user, and also why the `User` +entity is meant to contain only users' unique identifiers. + +> For example, in personal data a marriage can imply a name change, a user can start with a +> fixed-term contract and change to a permanent one, and position change is obvious. + +Even without allowing simultaneous positions, contracts or personal data sets, this model helps +anticipate upcoming changes. + +### Contexts + +The model is supposed to facilitate the +[provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md) of +user data and entitlements, yet this first model does not meet all expectations. In case of multiple +personal data sets for a single user over time, or multiple contracts, or multiple positions, which +values should be used to apply the rules of the role model? How to combine all start and end dates +to make sure that all rules are applied based on the right input? These issues imply complex C# +expressions in provisioning rules. + +> For example, let's write a C# expression to compute users' display names based only on their first +> and last names. 
To make sure that display names are computed using valid input, we write the +> following: +> +> ``` +> +> C#:user:return user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.FirstName + ' ' + personalData.LastName).FirstOrDefault(); +> +> ``` +> +> Now a more complex example: let's write a C# expression to compute users' departments based on +> their organization's display names, but also their employee identifiers in parenthesis: +> +> ``` +> +> C#:user:return user.Positions.Where(position => position.Start < DateTime.Now && position.End > DateTime.Now).Select(position => position.Organization.DisplayName).FirstOrDefault() + " (" + user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.EmployeeId).FirstOrDefault() + ")"; +> +> ``` + +To simplify the expressions, the model needs to be "flattened" in order to provide all the data of a +given user, valid at a given date. Hence users must be modeled by a set datasheets generated by +Usercube, where all values in one datasheet are valid on a given time period. + +> For example, consider the following situation: Mark Barn is a user who has, at day D0, a given set +> of personal data, a given contract and a given position. At day D1, his contract changes from +> fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap +> from day D2 to day D3 when the first position ends. 
+> +> ![User Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp) +> +> Over time, the three entities are as follows: +> +> ![Example - Timelines](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp) +> +> From this, Usercube is able to combine the start and end dates of all entities at all times to +> generate the following datasheets, named contexts: +> +> ![Example - Contexts](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp) + +Contexts are the result of the combination of all entities (personal data, contract and position) so +that all values contained in a given context are valid on a given period of time. + +Users can be modeled by up to n\*n\*n contexts, and even more when elements overlap (positions in +this example). + +The complexity that comes from the combination of all start and end dates is tackled by Usercube's +engine when it generates users' contexts. As the start and end dates of each value are pre-computed +by Usercube, this user model highly simplifies provisioning rules. + +> The C# expressions from the previous example can be written, for the same result, as the +> following, first for users' display names, then departments: +> +> ``` +> +> C#:record:return record.FirstName + ' ' + record.LastName; +> +> ``` +> +> C#:record:return record.Organization.DisplayName + " (" + record.EmployeeId + ")"; +> +> ``` +> +> ``` + +### Records + +The final step to a viable model is to find a way to store optimally this context model in the +database, in order to be able to perform fast requests. 
Hence, the final model gathers all entities +(personal data, contracts and positions), including their respective start and end dates, into a +single entity named records, where a context is a record instance: + +![Records Origin - Final Model](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp) + +While there are as many contexts for a user as the number of changes in the user's datasheet, there +are only as many records as needed to store each value at least once. + +> With the example used for the explanation of contexts with `PD`, `C1`, `C2`, `P1` and `P2`, we +> generate 5 contexts but store only 2 records: `{PD; C1; P1}` and `{PD; C2; P2}`. +> +> From these 2 records, we can rebuild the 5 contexts. + +Contexts can be considered as the conversion tool between the two user models. + +This way, the model stores only Max(n) records instead of n\*n\*n. + +Plus, Usercube does not need to archive old data, because records and contexts are used only to +simplify the application of provisioning rules. As only valid values are provisioned, there is no +need to keep track. + +This means that a change to be effective immediately will not trigger the creation of a new record +nor a new context. The record containing the old data will simply be updated. + +A change to be effective in future can trigger the creation of a new record. 
+ +### Configuration + +This identity model can be implemented by configuring a +[context rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +and +[record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md): + +``` + + + +Personal data section (default section): + + +Contract section: + + +Position section: + + +``` + +## Position Change + +The position change process for an existing worker is materialized by the assignment/update/removal +of a record to/from an identity. This assignment/update/removal triggers the fulfillment of the +entitlements required by the user based on the properties of a valid record. + +When several contexts are valid at the same time for a given identity, conflicts can arise during +entitlement assignment. They are solved by Usercube's engine that establishes a priority between +valid contexts. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/index.md new file mode 100644 index 0000000000..b0d574ffd6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/index.md 
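Review bot: in position-change/index.md, the code block under "### Configuration" is empty. Only the captions "Personal data section (default section):", "Contract section:" and "Position section:" are left, with no context rule or record section XML under any of them, so the section that should show how to implement the model shows nothing. Please restore the XML and check whether angle-bracket content is being stripped during conversion. Under "### Contexts", the simplified expressions are mis-fenced: `C#:record:return record.Organization.DisplayName + " (" + record.EmployeeId + ")";` sits outside any fence and is followed by two stray fences; give each expression its own fenced block, as the earlier `C#:user:` examples do. Also, "n\*n\*n" and "Max(n)" use n without defining it, and there are typos: "a accountant", "a set datasheets".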
@@ -0,0 +1,38 @@ +# Integration Guide + +This guide is designed to provide the tools and knowledge to fully understand and configure Usercube +to match your project's needs. + +## Target Audience + +This guide is meant to be read by integrators who configure Usercube to match their project's needs. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and more precisely of Identity and +Governance Administration (IGA) is required to really understand, implement and use Usercube's +features. + +NETWRIX strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md) to fully +benefit from the Integration Guide's content. + +### Technical skills + +As Usercube is a web application, some classic devops skills are needed: + +- Web servers, especially IIS: declare a web site; configure an application pool. +- SQL Server: query data in the database with SQL, including with joins; insert/update data with + SQL; for advanced use, an understanding of database indexes. +- Coding: very basic C# skills; PowerShell scripts. +- XML and JSON syntax for configuration files. +- Git or other source control tools. + +The other technical skills greatly depend on the connectors needed for your projects. The most +frequent ones are: + +- Excel and CSV +- LDAP and Active Directory: understanding of LDAP attributes and of group membership. +- Microsoft Entra ID (formerly Microsoft Azure AD) +- Exchange +- REST API programming diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/modules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/modules/index.md new file mode 100644 index 0000000000..aa3d3036d5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/modules/index.md 
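Review bot: in integration-guide/index.md, under "## Prior Knowledge", IGA is expanded as "Identity and Governance Administration"; the term is Identity Governance and Administration. In the same hunk the vendor name is written "NETWRIX" while the 1Secure pages in this patch write "Netwrix", and "### Technical skills" breaks the title case used by "## Target Audience" and "## Prior Knowledge"; pick one form for each.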
@@ -0,0 +1,14 @@ +# Modules + +Usercube can integrate with other software for issues such as credential protection and logging. To +use these integration modules, they just need to be configured in Usercube's `appsettings.json` +file. Below is more module-specific information. + +## Credentials Protection + +- ### [Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +- ### [CyberArk Application Access Manager](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + +## Logging + +- ### [QRadar](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/index.md new file mode 100644 index 0000000000..ac82fc989f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/index.md @@ -0,0 +1,6 @@ +# How-Tos + +These guides will help you manage logs with practical step-by-step procedures. + +- #### [Export Logs to a Log Management System](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) + Use the logging configuration to send Usercube's logs to a log management system. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md new file mode 100644 index 0000000000..297eff2658 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md 
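Review bot: in modules/index.md, every link is written as a heading inside a list item (`- ### [Azure Key Vault](...)`, `- ### [QRadar](...)`), and how-tos/index.md does the same with `- ####`. That mixes two structures for what is a plain list of links; use either bullet links or real headings, not both. The "QRadar" entry under "## Logging" also points at qradar-setting/index.md, whose title is "Export Logs to a Log Management System" and which covers Splunk and DataDog as well, so the link label should match its target.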
@@ -0,0 +1,365 @@ +# Export Logs to a Log Management System + +This guide shows how to use the logging configuration (Serilog) to send Usercube's logs into a log +management system, potentially using specific plug-ins to parse the logs. + +Supported log management systems are: + +- [QRadar](https://www.ibm.com/fr-fr/products/qradar-siem); +- [Splunk](https://docs.splunk.com/Documentation/Splunk); +- DataDog. + +## Overview + +Typically, a Serilog configuration includes three parts: **MinimumLevel**, **Using** and +**WriteTo**. For more details, see +[Monitoring](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md). + +### Usercube's DSM in QRadar + +Usercube's Device Support Module is a plug-in that allows your QRadar system to parse Usercube's +logs, when producing a JSON output. + +Logs can be sent into QRadar without using Usercube's DSM in QRadar, but the logs just won't be +parsed. Not all Usercube's logs can be sent to QRadar, +[see which logs can be sent](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md). + +In order to get Usercube's DSM, import from QRadar the `Usercube_1.0.0.zip` file, accessible in the +`Runtime` folder. Usercube's DSM is set to automatically detect the source. This means that, once +Serilog is configured to send logs to QRadar, performing a few actions in Usercube should make the +detection possible. + +## Export Logs to a Log Management System + +Export logs to a log management system by proceeding as follows: + +1. In + [`appsettings.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md), + make sure to have a **Serilog** section: + + ``` + + appsettings.json + + { + ... + "Serilog": { + ... + } + ... + } + + ``` + +2. In the **Serilog** section, add a **Using** section to contain the used sink which depends on the + logs' destination, output format, etc. 
+ [See the list of supported sinks](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md). + + Concerning QRadar, NETWRIX strongly recommends using the JSON format, as it can be parsed by + Usercube's DSM or easily by a homemade parser. + + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > ... + > } + > ... + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Console", + > "Serilog.Sinks.Splunk.Durable" + > ], + > ... + > } + > ... + > } + > + > ``` + +3. Add a **MinimumLevel** section to define which logs are to be sent to the log management system. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md). + + In order to be sent to any system, Usercube's logs must be configured with **MinimumLevel** set + to `Information`, or lower. + + > For example, we can define the logs' minimum level to `Information`. This way, all logs from + > the + > [log references](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md) + > with `Information` level or higher are sent. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > ... + > } + > ... + > } + > + > ``` + +4. Add a **WriteTo** section to specify the expected output. + + While **uri**/**host**/**splunkHost** specifies the IP address of the machine hosting your log + management system, the rest of **Args** configuration must be set just like the examples below. + + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... 
+ > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an RFC5424 output for QRadar + > ([see more information about UdpSyslog attributes](https://github.com/IonxSolutions/serilog-sinks-syslog#see-more-information-about-udpsyslog-attributes)): + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UdpSyslog", + > "Args": { + > "host": "192.168.13.110", + > "port": "514", + > "appName": "Usercube", + > "format": "RFC5424", + > "facility": "Local0", + > "secureProtocols": "SecureProtocols.None", + > "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} {NewLine}{Exception}" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "SplunkEventCollector", + > "Args": { + > "splunkHost": , + > "eventCollectorToken": "", + > "bufferFileFullName": "log-buffer.txt" + > } + > } + > ] + > } + > } + > + > ``` + +5. When needing to restrict the logs sent to the system, add a filter and wrap all **WriteTo** + configuration into a sub-logger, in which case the **Name** at **WriteTo**'s root must be + `Logger`. 
+ [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md). + + For all formats, in order to send only the right logs using the specified filter, the + **WriteTo** part must contain a sub-logger with its own filter. Otherwise, the filter will be + applied to all sinks. + + For example, among Usercube's logs, only the logs described in the + [log references](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md) + can be parsed by QRadar's DSM and should be used by a SIEM system. Hence the importance of + having a filter and a sub-logger. + + Never include logs with event ids inferior to 500, in order not to be overwhelmed with logs + improper to be used by SIEM systems like QRadar. + + > The following example filters out any log whose event id is lower than 500. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... + > ] + > } + > } + > + > ``` + > + > You could want to filter out the logs whose event ids are 500 too, by replacing + > `EventId.Id >= 500` with `EventId.Id >= 501` in the filter. Or you could want to filter out + > only the logs whose event ids are 502, by replacing `EventId.Id >= 500` with + > `EventId.Id >= 500 and EventId.Id <> 502` in the filter. + +6. 
When needing to override the log level for this particular sub-logger, add an additional + **MinimalLevel** section in the **WriteTo** section. + + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "MinimumLevel": { + > "Default": "Warning" + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... + > ] + > } + > } + > + > ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md new file mode 100644 index 0000000000..451bc77fb9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md 
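Review bot: in qradar-setting/index.md step 4, the RFC5424 and Splunk examples declare only `"Serilog.Sinks.Network"` under **Using**, while the sinks they configure are `UdpSyslog` and `SplunkEventCollector`. Step 2 of this same page lists `Serilog.Sinks.Splunk.Durable` for Splunk, and monitoring/index.md loads `Serilog.Sinks.Syslog` for `UdpSyslog`, so the **Using** arrays here should match. The Splunk example is also not valid JSON as written (`"splunkHost": ,`) and has an empty `eventCollectorToken`; put labelled placeholders there. Step 6 tells the reader to add a **MinimalLevel** section, but the key in the example is `MinimumLevel`. Since every QRadar example sends events over UDP port 514 and the syslog one sets `"secureProtocols": "SecureProtocols.None"`, the page should say that these logs cross the network unencrypted and what to configure when that is not acceptable.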
@@ -0,0 +1,579 @@ +# Monitoring + +Usercube uses [Serilog](https://github.com/serilog/), a highly customizable logging tool, to provide +monitoring capabilities. + +[See the list of existing logs](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md). + +## Introduction + +Serilog configuration is written to both _Agent_'s and _Server_'s `appsettings` sets. The relevant +top-level section is `Serilog`. + +A full description of Serilog's configuration capabilities is available in +[Serilog's official documentation](https://github.com/serilog/serilog-settings-configuration#serilogs-official-documentation). + +Usercube-specific configuration is detailed here. + +## Log Level and Namespaces + +### Priority + +Logs can be filtered according to a _log level_. + +A priority order between the log levels is established. + +From low priority to high priority, available log levels are: + +- `Verbose` +- `Debug` +- `Information` +- `Warning` +- `Error` +- `Fatal` + +Every log message is associated with a log level and a user-defined _namespace_. Usercube provides +the _Usercube_ namespace, associated with logs relevant to the user. + +### MinimumLevel + +The `MinimumLevel` section sets the lowest priority log level that will be displayed. Every log +message associated with a log level of priority strictly lower than the minimum level is ignored. + +`MinimumLevel` value can either be a log level or an object with the following attributes and +subsections: + +- **Default** sets the minimum log level. +- `Override` allows the user to set a different minimum log level for logs from a specific namespace + (see [Custom namespaces](#custom-namespaces)). + + Within Usercube, the following example is a good practice: default logs with a priority lower + than `Error` are filtered out, except for log messages from the _Usercube_ namespace. + +``` +appsettings.json +{ + ... + "Serilog": { + ... 
+ "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + } + } +} +``` + +### Custom namespaces + +Here is a table giving some namespace that you could add in the `Override` section, in order to +monitor the associated module. + +| Module | Namespace | +| ----------------------- | ------------------------------ | +| Usercube | Usercube | +| Scheduler (server side) | Usercube.Jobs.Scheduler.Server | +| Scheduler (agent side) | Usercube.Jobs.Scheduler | + +## Log Properties + +Each log has a specific set of log properties, defined using the context of the server when +generating the log (see +[Formatting](https://github.com/serilog/serilog/wiki/Formatting-Output#formatting)). + +It is possible to modify the format message of the log displayed by overriding the `outputTemplate` +of the logs: + +``` +appsettings.json +{ + ... + "Serilog": { + "MinimumLevel": { + "Default": "Verbose", + }, + "WriteTo": [ + { + "Name": "Console", + "Args": { + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] ClientId:{ClientId} {Message:lj}{NewLine}{Exception}" + } + } + ] + } +} +``` + +Among all default properties, Usercube adds the ClientId log property which can be displayed when +using the previous `outputTemplate` format. + +## Filters + +In addition to the Microsoft log levels, Serilog provides a +[Filters](https://github.com/serilog/serilog-filters-expressions) feature to build more advanced +filter queries on log messages. + +## Sinks + +Serilog allows the user to route log messages to a variety of logging destinations. Every +destination is referred to as a sink. +[Sinks](https://github.com/serilog/serilog/wiki/Provided-Sinks) allows logs to be routed to +destination such as standard consoles, files and logging services. 
+ +Usercube's supported sinks are: + +- `Serilog.Sinks.ApplicationInsights`; +- `Serilog.Sinks.Async`; +- `Serilog.Sinks.Console` to write to the console; +- `Serilog.Sinks.Datadog.Logs`; +- `Serilog.Sinks.File` to write to a file; +- `Serilog.Sinks.Map`; +- `Serilog.Sinks.Network` to write to another network; + + > For example, this sink can be used when producing a JSON output for QRadar. + +- `Serilog.Sinks.PeriodicBatching`; +- `Serilog.Sinks.Splunk.Durable` to send logs to Splunk; +- `Serilog.Sinks.Syslog`. + + > For example, this sink can be used when producing an + > [RFC3164](https://tools.ietf.org/html/rfc3164) or + > [RFC5424](https://tools.ietf.org/html/rfc5424) output for QRadar. + +The log messages can be routed to several logging destinations simultaneously. These destinations +are described in the **WriteTo** attribute. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.227", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } +} +``` + +There can only be one **Filter** attribute associated with a **WriteTo** attribute. Therefore, the +filter defined in the **Filter** attribute is applied to all the destinations contained in the +**WriteTo** attribute. To filter only one destination at a time, sub-loggers can be used. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger1", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.127", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + }, + { + "Name": "Logger2", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.100", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination3", + "Args": { + "uri": "192.168.13.408", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Test') and EventId.Id >= 800" } + } + ] + } + } + } + ] + } +} +``` + +In the example above, the filter defined in **Logger1** will only apply to **Destination1**, and the +filter defined in **Logger2** will only apply to **Destination2** and **Destination3**. + +When using `Serilog.Sinks.File`, the setting `shared` should be set to `true` in the `Args` section +to enable Usercube's **Monitoring** screen functionality. + +As this `shared` setting allows several systems to interact with the log file simultaneously, so we +can have both Serilog writing to the log file and Usercube reading it to display its content on the +**Monitoring** screen. + +``` + +{ + ... 
+ "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +## QRadar + +QRadar is a supported destination for Usercube's logs. + +To learn how to send Usercube's logs to your QRadar system, see +[dedicated How To page](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) +. + +Three output formats are available for QRadar-routed logs: + +- JSON +- RFC3164 +- RFC5424 + +#### JSON output + +JSON output uses _Serilog.Sinks.Network_ sink. + +The following configures a QRadar JSON output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UDPSink", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + } + ] + } +} +``` + +#### RFC3164 or RFC5424 output + +Using `Serilog.Sinks.SyslogMessages`_Sink_, the **Serilog.writeTo.configureLogger.Args.format** +attribute is set to `RFC3164` or `RFC5424`. + +The following configures a QRadar RFC5424 output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "Using": [ + "Serilog.Sinks.Syslog" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UdpSyslog", + "Args": { + "host": "192.168.13.110", + "port": "514", + "appName": "Usercube", + "format": "RFC5424", + "facility": "Local0", + "secureProtocols": "SecureProtocols.None", + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} +``` + +## Application Insights + +Usercube supports the +[Application Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) +integration. It means that you can monitor the lifecycle of the application through a dedicated +interface, which can be useful to measure performance, observe how the application is used or detect +performance anomalies. + +### Configuration + +Both the server and the agent support the Application Insights integration. To set it up, you need +to create your own Application Insights instance (see +[Create New Resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource)). +Once done, you should have an instrumentation key. To plug the server or the agent into the +Application Insights instance, you simply have to set the key at the root of the appsettings file: + +``` +appsettings.json +{ + ... + "ApplicationInsights": { + "InstrumentationKey": "YOUR-INSTRUMENTATION-KEY" + } +} +``` + +This configuration will automatically add a `Serilog.Sinks.ApplicationInsights` to the Serilog +configuration. Thus, declaring explicitly an ApplicationInsights _sink_ in the Serilog configuration +is useless. The `ApplicationInsights` section does not only affect the logging system, but also +sends metrics periodically such as the percentage of CPU usage. 
+ +## Logs Monitoring via User Interface + +Usercube offers the ability to download the application logs directly through the User Interface +(UI) via the **Monitoring** screen in the **Administration** section on the Dashboard. + +SaaS installations support this feature automatically while on-premises installations support this +in two ways. The first one is to leverage the path to the logs from the Serilog configuration when +writing application logs into a single file. See the example below. The second option is described +in the following subsection. + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +### `LogsPath` + +if you store Usercube logs thanks to an external mechanism (the web server, etc�), then you have to +use the second option in order to enable this feature which is via an ad hoc parameter at the root +of the appsettings called `LogsPath` indicating the path where the application logs are located: + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ "Console" ], + }, + "LogsPath": "C:/inetpub/logs/LogFiles" +} +``` + +If logs are all stored in one file, provide the path to the file. If they are stored in multiple +separate files within a directory, provide the path to the directory and Usercube will handle +providing the most recent logs. + +## Default Configuration + +``` +appsettings.json +{ + ... +"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +## Configuration Examples + +### Write log messages + +This example configures _Serilog_ to write log messages to the `../Temp/Server/identitymanager-log.txt` +file. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +### Reduce logging process overhead + +This example shows how to reduce the overhead of the logging process for Usercube's main thread by +delegating work to a background thread, using the _Async__Sink_. + +``` +appsettings.json +{ + ... +"Serilog": { + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Debug" + } + }, + "WriteTo": [ + { + "Name": "Async", + "Args": { + "configure": [ + { + "Name": "File", + "Args": { + "path": "C:/Projects/LogTest/identitymanager-test.txt", + "shared: true, + "buffered": "true" + } + } + ] + } + }, + { + "Name": "Console" + } + ] + } +} +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md new file mode 100644 index 0000000000..2a323ef498 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/references/index.md 
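Review bot: several `appsettings.json` samples added to monitoring/index.md will not parse when copied. The RFC5424 QRadar sample stops inside the `outputTemplate` string and the fence closes without the remaining braces; both `File` sink samples for the Monitoring screen end with `"shared": true,` directly before the closing brace; the Async sample has `"shared: true,` with the closing quote of the key missing; and the Default Configuration and Write log messages samples declare `"WriteTo"` twice in the same `Serilog` object, so it is unclear whether the `Console` entry is meant to survive. `Destination3` uses `192.168.13.408`, which is not a valid IPv4 address. The RFC section text names `Serilog.Sinks.SyslogMessages` while the sample's `Using` lists `Serilog.Sinks.Syslog`; pick one. Since the QRadar samples send Usercube events with `EventId.Id >= 500` over UDP port 514 with `"secureProtocols": "SecureProtocols.None"`, a sentence stating that this transport is unencrypted would help readers decide where it is acceptable.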
@@ -0,0 +1,84 @@ +# References: Logs + +## Definition + +This section provides descriptions for logs which are meant to be sent to other systems like SIEMs, +for example QRadar. + +The description will use this template for each log: + +EventId id: int + +EventId name: string + +LogLevel: Trace||Verbose||Debug||Information||Warning||Error||Critical + +Arguments: + +- argument1 (string): description1 (string) +- argument2 (string): description2 (string) +- argument3 (string): description3 (string) + +The EventId id must be unique so we could use it to filter the logs we send, see +[QRadar's example](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) + +#### 500 + +EventId id: 500 + +EventId name: Workflow.StartWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Usercube's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 501 + +EventId id: 501 + +EventId name: Workflow.ResumeWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Usercube's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 502 + +EventId id: 502 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Information + +Arguments: + +- Perfomer: Usercube's login or id of the performer +- Subject: Usercube's id of the readed resource +- EntityType: Usercube's type of the readed resource + +#### 503 + +EventId id: 503 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Error + +Arguments: + +- Perfomer: Usercube's login or id of the performer +- Subject: Usercube's id of the 
readed resource +- EntityType: Usercube's type of the readed resource +- ExceptionMessage: Exception's message diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md new file mode 100644 index 0000000000..91e838bb8d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md 
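Review bot: the argument is spelled `Perfomer` in events 500 through 503 of references/index.md; confirm whether the emitted log property really has that spelling, because SIEM field mappings will be built from this page, and either correct it to `Performer` or state that the spelling is literal. Events 502 and 503 share the EventId name `SelectEntityByIdQueryHandler.Handle` and differ only by id and LogLevel, so a line saying that the id, not the name, separates the successful read from the failed one would prevent filters keyed on the name from mixing them. "readed resource" should be "read resource" in both events, and the "QRadar's example" link points at the monitoring index page without a section anchor, so the reader lands at the top of a long page.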
@@ -0,0 +1,131 @@ +# appsettings.agent + +The `appsettings.agent.json` file is meant to contain configuration data to be used by the agent to +run Usercube. + +It includes: + +- connections to the managed systems; +- password reset settings; +- connections to potential additional databases; +- OpenId information; +- specific task configuration. + +JSON files can contain any additional information that you might find useful. See the example below. + +> For example, in order to store the agent's address, we can add: +> +> ``` +> +> appsettings.json +> +> "UsercubeAgent": { +> "Url": "http://localhost:1234" +> } +> +> ``` +> +> As Usercube does not know any object named `UsercubeAgent`, its content will be ignored, but it +> can still be used to store information for human use. + +## Supported Sections + +| Name | Details | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connections optional | **Type** List of Connections **Description** Connection 
information of all the systems managed by this agent, for synchronization and fulfillment configuration. This section contains a subsection for each connection containing the connection's agent settings. `{ � "Connections": { � "": { "": "": � } } }`**Example**`{ � "Connections": { � "Directory": { "Path": "C:\UsercubeDemo\Sources\Directory.xlsx" }, "ServiceNowExportFulfillment": { "Server": "https://INSTANCE.service-now.com/api/now/table", "Login": "LOGIN", "Password": "PASSWORD" } } }` [See how to configure connections' agent settings via the UI](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md). [See more technical details on connections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). | +| Databases optional | **Type** List of Databases **Description** Names and connection strings of all databases used by the agent through [`InvokeSqlCommandTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md), other than Usercube's database and other than the databases provided in Usercube's available packages. This subsection contains a subsection for each additional database. `{ � "Databases": { "": "" } }`**Example**`{ � "Databases": { "UsercubeContoso": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" } }` | +| OpenId optional | **Type** [OpenId](#openid) **Description** OpenId information, i.e. the ClientIds and related ClientSecrets that the agent may use to authenticate to the server in order to launch jobs and tasks. In order to launch jobs and tasks, the profiles related to these OpenId credentials must possess the required permissions. See examples below. 
| +| PasswordResetSettings optional | **Type** [PasswordResetSettings](#passwordresetsettings) **Description** Parameters which configure the reset password process for the managed systems that support it. See examples below. | +| SourcesRootPaths optional | **Type** String Array **Description** List of folder paths from which Usercube is allowed to read. This option is used to validate the sources files defined in file-based connections. These paths are case sensitive. **Example**`{ � "SourcesRootPaths": [ "C:/identitymanagerContoso/SourceHR", "C:/identitymanagerContoso/SourcesPhone" ] }` | +| TaskAgentConfiguration optional | **Type** [TaskAgentConfiguration](#taskagentconfiguration) **Description** Various settings to customize the behavior of some agent tasks. See examples below. | + +## OpenId + +| Name | Details | +| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AgentIdentifier required | **Type** String **Description** Identifier of the agent, as it is named in the XML configuration. **Example** With the following configuration: `` We could have the following setting in the agent's `appsettings.agent.json`: `{ � "OpenId":{ � "AgentIdentifier": "MyAgent" } }` | +| DefaultOpenIdClient required | **Type** String **Description** ClientId that defines the default OpenId pair, from the `OpenIdClients` section, used by the agent to authenticate to the server. 
**Example**`{ � "OpenId":{ "OpenIdClients": { "Job": "secret1", "Admin": "secret2", "Agent": "secret3" }, "DefaultOpenIdClient": "Agent" } }` | +| OpenIdClients required | **Type** List of OpenIdClients **Description** Pairs of ClientIds and non-hashed ClientSecrets, to override the corresponding secrets specified in the XML configuration. **Example**` { � "OpenId":{ "OpenIdClients": { "Job": "secret", "Admin": "secret2" } } }` | + +## PasswordResetSettings + +| Name | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EncryptionCertificate required | **Type** [EncryptionCertificate] **Description** Location of the public key certificate and the private key used to handle input and output files' encryption. | +| MailSettings optional | **Type** [MailSettings](#mailsettings) **Description** Settings for configuring the SMTP server, used to send password reset email notifications. | +| NotificationSettings optional | **Type** [NotificationSettings](#notificationsettings) **Description** Settings to configure password reset notifications. | +| TokenBuildingSettings optional | **Type** [TokenBuildingSettings](#tokenbuildingsettings) **Description** Settings to build the confirmation token used by the password reset's two-Way mode. The confirmation token is a base-64 encoded JSON Web Token (JWT) token that contains the information required to complete password reset when in two-way mode. It is appended to the confirmation Uri. | +| TwoFactorSettings optional | **Type** [TwoFactorSettings](#twofactorsettings) **Description** Settings to configure the password reset's two-way mode, i.e. 
the process where Usercube sends emails containing links to users for them to click on it and reset their passwords. | + +### EncryptionCertificate + +If you are using the certificate provided in the SDK, the agent will be unable to launch. You must +create your own certificate. + +Encryption certificate information can be set in one of two ways: + +- as a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the agent's host file system. The archive contains both the public key + certificate and the private key; + + | Name | Details | + | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | + | File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. **Example**`{ � "PasswordResetSettings": { "File": "C:/identitymanagerAgentContoso/contoso.pfx" } }` | + | Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Example**`{ � "PasswordResetSettings": { "File": "C:/identitymanagerAgentContoso/contoso.pfx", "Password": "oarjr6r9f00" } }` | + +- as a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store), + identified by its subject distinguished name or its thumbprint. The Windows certificate also + contains both the public key certificate and the private key. 
+ + | Name | Details | + | ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | DistinguishedName required**if** Thumbprint is empty | **Type** String **Description** Subject distinguished name of the certificate. **Example**`{ � "PasswordResetSettings": { "DistinguishedName": "UsercubeContoso" � } }` | + | StoreLocation required | **Type** String **Description** Location of the relevant Windows certificate. **Example**`{ � "PasswordResetSettings": { � "StoreLocation": "LocalMachine" } }` | + | StoreName required | **Type** String **Description** Name of the relevant Windows certificate. **Example**`{ � "PasswordResetSettings": { � "StoreName": "AuthRoot" } }` | + | Thumbprint required**if** DistinguishedName is empty | **Type** String **Description** Thumbprint of the certificate. **Example**`{ � "PasswordResetSettings": { "Thumbprint": "6261A70E599642A21A57A605A73B6D2AE7C5C450" � } }` | + +### MailSettings + +| Name | Details | +| --------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress required**if** PickupDirectory is empty | **Type** String **Description** Email address used by Usercube to send notifications. **Example**`{ � "PasswordResetSettings": { � "MailSettings": { "FromAddress": "no-reply@acme.com", � } } }` | +| Host required**if** PickupDirectory is empty | **Type** String **Description** SMTP server domain name or an IP address. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| Password required | **Type** String **Description** Password that Usercube will use to login to the SMTP server. **Note:** used only when the SMTP server is password-protected and `UseSpecifiedPickupDirectory` is set to `false`. | +| PickupDirectory required**if** FromAddress/Host are empty | **Type** String **Description** Path to the pickup directory. [See more details on the pickup directory feature](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). 
**Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `true`. **Example**`{ � "PasswordResetSettings": { � "MailSettings": { "PickupDirectory": "../Mails", � } } }` | +| Username required | **Type** String **Description** Username for Usercube to login to the SMTP server. **Note:** used only when the SMTP server is password-protected and `UseSpecifiedPickupDirectory` is set to `false`. | +| AllowedDomains optional | **Type** String **Description** List of domains to which the SMTP server is authorized to send emails. Domain names must be separated with `;`. | +| CatchAllAddress optional | **Type** String **Description** Catch-all address that will receive all of Usercube's emails instead of usual users. **Note:** this is helpful for testing before going live. **Example**`{ � "PasswordResetSettings": { � "MailSettings": { "CatchAllAddress": "administrator@acme.com", � } } }` | +| CatchAllCCAddress optional | **Type** String **Description** Catch-all address that will receive all of Usercube's emails as cc (carbon copied). **Example**`{ � "PasswordResetSettings": { � "MailSettings": { "CatchAllCCAddress": "administratorcc@acme.com", � } } }` | +| Enabled default value: True | **Type** Boolean **Description** `True` to enable email sending. When set to `false`, no email is sent by Usercube. | +| EnableSsl default value: False | **Type** Boolean **`DEPRECATED`**: EnableSsl won't be supported in the future. Please specify a `SecureSocketOption` instead. To keep the same behavior as EnableSsl: `True`, use the setting `SecureSocketOption`: `StartTls`. **Description** `True` to encrypt communication with the SMTP server. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| SecureSocketOption default value: Auto | **Type** String **Description** Specifies the encryption strategy to connect to the SMTP server. _If set, this takes priority over `EnableSsl`_. `None`: No SSL or TLS encryption should be used. 
`Auto`: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. `SslOnConnect`: The connection should use SSL or TLS encryption immediately. `StartTls`: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. `StartTlsWhenAvailable`: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| Port default value: 0 | **Type** String **Description** SMTP server port. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| UseDefaultCredentials default value: False | **Type** Boolean **Description** `True` to use the default username/password pair to login to the SMTP server. When set to `false`, Windows authentication is used. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| UseSpecifiedPickupDirectory default value: False | **Type** Boolean **Description** `True` to write emails as local files in the specified `PickupDirectory` instead of sending them as SMTP packets. [See more details on the pickup directory feature](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/email-server/index.md). 
**Example**`{ � "PasswordResetSettings": { � "MailSettings": { "UseSpecifiedPickupDirectory": true, � } } }` | + +### NotificationSettings + +| Name | Details | +| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Cultures default value: ["en"] | **Type** String Array **Description** List of languages in which reset-password email notifications will be sent, among: `fr`; `en`. **Example**`{ � "PasswordResetSettings": { � "NotificationSettings": { "Cultures": ["fr", "en"] } } }` | + +### TokenBuildingSettings + +| Name | Details | +| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ValidFor default value: 03:00:00 | **Type** String **Description** Validity period of the issued token, and thus of the password reset link. The format must be `HH:mm:ss`. 
**Example**`{ � "PasswordResetSettings": { � "TokenBuildingSettings": { "ValidFor": "03:00:00" } } }` | + +### TwoFactorSettings + +| Name | Details | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri required | **Type** String **Description** URI of the Usercube application. **Note:** this helps create the links in the emails for two-way password reset. **Example**`{ � "PasswordResetSettings": { � "TwoFactorSettings": { "ApplicationUri": "http://localhost:5000" � } } }` | +| ResetConfirmationUri required | **Type** String **Description** Base URI for the password reset link that is sent to the user. The password reset confirmation token is appended to the `ResetConfirmationUri`. The resulting URI is sent to the user. **Example**`{ � "PasswordResetSettings": { � "TwoFactorSettings": { � "ResetConfirmationUri": "http://localhost:5000/PasswordReset/Activate/?activationCode=" } } }` | + +## TaskAgentConfiguration + +| Name | Details | +| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| HttpClientTimeoutSupplement default value: 0 | **Type** Integer **Description** Additional minutes that extend the default timeout (30 minutes) of the HttpClient instance used to send requests to the server. 
**Example** Here the total timeout will be 50 minutes: `{ � "TaskAgentConfiguration": { � "HttpClientAdditionalTimeout": 20 } }` | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md new file mode 100644 index 0000000000..0dc0a8c18c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md 
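Review bot: in the TaskAgentConfiguration table of appsettings-agent/index.md the setting is documented as `HttpClientTimeoutSupplement`, but its example sets `"HttpClientAdditionalTimeout": 20`; one of the two names is wrong, and a reader copying the example may get no timeout change. In the same file, the AgentIdentifier example reads "With the following configuration: `` We could have", so the XML snippet it refers to is missing, and the Connections and Databases templates have lost their placeholder names (`"": { "": "": … }`). The EncryptionCertificate examples place `File`, `Password`, `Thumbprint` and the store settings directly under `PasswordResetSettings`, while the PasswordResetSettings table lists `EncryptionCertificate` as its own entry; please show the full nesting. This page documents non-hashed `ClientSecrets`, a connection `Password`, the `.pfx` password and SMTP credentials in a plain JSON file, and `SecureSocketOption` defaults to `Auto`, described here as leaving the connection unencrypted when the server lacks SSL or TLS support, so it would help to say which option to use in production and that read access to the file should be restricted.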
@@ -0,0 +1,340 @@ +# Application Settings + +This section describes the settings available in the agent's appsettings.json file, located in the +agent's working directory or in environment variables. + +**NOTE:** JSON files can contain any additional information that you might find useful. See the +example below. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +"UsercubeAgent": { +  "Url": "" +} +``` + +As Usercube does not know any object named UsercubeAgent, its content will be ignored, but it can +still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + +| Name | Type | Description | +| --------------------------------------------------------------------- | --------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri (required) | Uri | Server's listening URI. Used by the agent to send requests to the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {  "ApplicationUri": " " }` | +| Jobs (optional) | Job | Settings to configure all jobs with common values. | +| Scheduler (optional) | Scheduler | Settings to configure Usercube's scheduler. | +| TaskTimeoutSupplement default value: 0 | Int32 | Additional time (in minutes) for the Invoke-Job tool's Timeout property. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`appsettings.json {     "TaskTimeoutSupplement": 10 }` | +| InstallationDirectoryPath default value: Usercube-agent.exe directory | String | Path of the installation directory. It is used to read other configuration files. | +| EncryptionCertificate (required) | EncryptionCertificate | Settings to configure the encryption of specific files. | +| IdentityServer (required) | IdentityServer | Settings to configure the agent's encrypted network communication, for example with the server or a browser. | +| Authentication (required) | Authentication | Settings to configure end-user authentication, for example for users to launch a job from the UI. | +| Serilog (optional) | Logger setting | Settings to configure the logging service, complying to the Logger properties and structure. See the [ Monitoring ](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {   "Serilog": {     "WriteTo": [ "Console" ],     "MinimumLevel": {       "Default": "Error",       "Override": {         "Usercube": "Information"         }       }     } }                         ` | +| Cors (optional) | Cors | Settings to configure the agent's [CORS policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CORS), which is useful when using non-integrated agents. | +| ApplicationInsights (optional) | ApplicationInsights | Settings to plug to and configure the [AppInsights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| TempFolderPath (optional) | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. 
- PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. - CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Usercube's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. Note that this path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. Note that this path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment these elements can be removed, but make sure to restart the server after doing so. Example: `appsettings.json {   "TempFolderPath": "../Temp" }` | +| WorkFolderPath (optional) | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Usercube's execution after restarting. Example: `appsettings.json {   "WorkFolderPath": "../Work" }` | +| JobLaunchTimeout default value: 7500 | String | Time period (in milliseconds) after which, if a launched job has not started, it is considered in error. 
Example: `appsettings.json {   "JobLaunchTimeout": 9000 }` | +| InvokeSqlCommands default value: null | String | List of parameter sets used to override InvokeSqlCommandTasks' SQLInputFile and OutputPath parameters from the XML configuration. See the [ InvokeSqlCommandTask ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) topic for additional information. For each task to override, the key must be the task's identifier. Example: `appsettings.json  {        "InvokeSqlCommands": {         "InvokeSqlCommandTask_Identifier": {           "SQLInputFile": "YourInputFilePath",           "OutputPath": "YourOutputFilePath"  },         } }` | + +## Jobs + +Below is an example of job that can be executed by the agent. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "Jobs": { +    "MaxTaskBatchSize": "2" +  } +} +``` + +| Name | Type | Description | +| --------------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MaxTaskBatchSize default value: 5 | Int64 | Maximum number of tasks that can be launched simultaneously, thus avoiding timeout issues. 
When executing a job, Usercube launches simultaneously the tasks of a same Level. See the [ Job ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) topic for additional information. If the number of same-level tasks exceeds MaxTaskBatchSize, then Usercube inserts new levels. These effective levels can be seen in the job's logs or with the Usercube-Get-JobSteps executable. See the [ Usercube-Get-JobSteps ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) topic for additional information. | + +## Scheduler + +Below is an example of scheduling and a list of attributes. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "Scheduler": { +    "Enabled": "true", +    "MaxLockWatchTime": 3600 + } +} +``` + +| Name | Type | Description | +| ------------------------------------ | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled (optional) | Boolean | True to activate Usercube's scheduler. | +| MaxLockWatchTime default value: 1800 | Int32 | Time period (in seconds) to spend watching for the scheduler's lock file before launching it. When set to 0 the duration is infinite, and when set to a negative value the scheduler launch fails if the lock file already exists. This parameter prevents a failure if Usercube's scheduler has already been launched from another source. 
| + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the Agent's host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + + **NOTE:** Netwrix recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + File is specified then the PFX certificate is used, even if the options for Windows' certificate + are specified too. + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    ... +    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } + +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | --------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. 
| + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. See the [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) topic for additional information. | + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { +    ... 
+    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } + +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Details | +| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------- | +| DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | +| Thumbprint (optional) | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. | +| StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName (required) | String | Name of the relevant Windows certificate store. | + +Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +"": { +    "CertificateAzureKeyVault": "" +} +``` + +## Identity Server + +Just like the Encryption Certificate, this information can be set one of two ways. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +appsettings.json +"": { +  "X509KeyFilePath": "<./identitymanager.pfx>", +  "X509KeyFilePassword": "" +} +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------------------ | ------ | ----------------------------------------------------------------------------------------------- | +| X509KeyFilePath (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. | +| X509KeyFilePassword (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See +the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"": { +  "X509SubjectDistinguishedName":"", +  "X509StoreLocation": "", +  "X509StoreName": "" +} +``` + +The certificate is set using these attributes: + +| Name | Type | Description | +| --------------------------------------- | ------ | ----------------------------------------------------------------------------------------------- | +| X509StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| X509StoreName (required) | String | Name of the relevant Windows certificate store. | +| X509SubjectDistinguishedName (optional) | String | SubjectDistinguishedName of the certificate. It is required when X509Thumbprint is not defined. | +| X509Thumbprint (optional) | String | Thumbprint of the certificate. 
It is required when X509SubjectDistinguishedName is not defined. | + +**NOTE:** If you are using the certificate provided in the SDK, the agent will fail when launching. +You must create your own certificate. + +You can get the DistinguishedName of the certificate using OpenSSL: + +``` + +openssl x509 -noout -in {certificate file name with full path} -subject + +``` + +## Authentication + +An example of authentication and a list of attributes. + +``` +appsettings.json +{ +  ... +  "Authentication": { +    "Enabled": true, +    "RequireHttpsMetadata": true +  } +} +``` + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------ | +| Enabled default value: true | Boolean | True to enable authentication. | +| RequireHttpsMetadata default value: true | Boolean | True to set HTTPS required for the discovery endpoint. | + +## Cors + +An example of cors and a list of attributes. + +``` +appsettings.json +{ +  ... +  "Cors": { +    "AllowAnyHeader": true, +    "AllowAnyMethod": false, +    "AllowCredentials": true +  } +} +``` + +| Name | Type | Description | +| ------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAnyHeader default value: false | Boolean | True to enable the [Access-Control-Allow-Headers: \*](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). 
| +| AllowAnyMethod default value: false | Boolean | True to enable the [Access-Control-Allow-Methods: \*](https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | +| AllowCredentials default value: false | Boolean | True to enable the [Access-Control-Allow-Credentials: true](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | + +## Application Insights + +Usercube supports the Application Insights integration. It means that you can monitor the lifecycle +of the application through a dedicated interface, which can be useful to measure performance, +observe how the application is used or detect performance anomalies. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +  ... +  "ApplicationInsights": { +    "InstrumentationKey": "" +  } +} +``` + +The application insights details are: + +| Name | Type | Details | +| -------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See Microsoft's documentation to create an[ instrumentation key](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource). | + +**NOTE:** The logs sent to AppInsights are configured through the Logger properties. 
See the +[ Monitoring ](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) topic +for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md new file mode 100644 index 0000000000..aa2012ebee --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md 
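Review bot: The placeholders are missing from the JSON examples of the new appsettings-agent page. Each example is introduced with "Code attributes enclosed with `<>` need to be replaced with a custom value", but the values arrive empty, for instance `"File": "", "Password": ""` under EncryptionCertificate and `"": { "CertificateAzureKeyVault": "" }`, where even the section key is blank. As written, a reader cannot tell a placeholder from an intentionally empty password or key name. Please restore the angle-bracket placeholders, escaped so they survive rendering, along with the section names. In the same Encryption Certificate section, "The archive is set using the following attributes:" and its File/Password table appear twice, with the plain-text password warning once as a NOTE and once inside the second table; keep one copy. The Jobs and Scheduler examples also quote typed values (`"MaxTaskBatchSize": "2"`, `"Enabled": "true"`) although the tables declare them as Int64 and Boolean.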
@@ -0,0 +1,83 @@ +# Azure Key Vault + +## Prerequisites + +First, NETWRIX recommends reading: + +- [Azure Key Vault's overview documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) + and [Basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts); +- how to + [sign in to Azure and create a vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal#sign-in-to-azure-and-create-a-vault); +- about + [Azure Key Vault's secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets) + because secrets are the data that Usercube needs to collect. + +## Compatible Settings + +Every key from +[`appsettings.agent.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +that has a string value can be saved as a secret into Azure Key Vault. + +See examples in +[connectors' credential protection](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) +sections. + +## Write Settings to the Vault + +After creating the Azure Key Vault, open its page on Azure's portal and +[add a secret](https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal#add-a-secret). + +The important part of adding a secret in Azure Key Vault is defining its name and value: + +- as secrets' names can only contain alphanumeric characters and double dashes (`--`) as separator, + the keys from the `appsettings.agent.json` file must contain only alphanumeric characters too; +- secrets' values are simply the value associated with the key in the JSON file. + +> For example, for the +> [Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md): +> +> ``` +> +> appsettings.agent.json { ... "Connections": { ... 
"ADExport": { "Servers": [ > { > "Server": > +> "paris.contoso.com", > "BaseDN": "DC=paris,DC=com" > }, > { > "Server": "marseille.contoso.com", > +> +> > "BaseDN": "DC=defense,DC=marseille,DC=com" > } > ], "AuthType": "Basic", "Login": "login123", +> > "Password": "password123", "Filter": "(objectclass=\*)", "EnableSSL": "false", } } } +> +> ```` +> +> +> To save the login to Azure Key Vault, create a secret whose name and value are respectively ```Connections--ADExport--Login``` and ```login123```. +> +> To save the second server, create a secret whose name and value are respectively ```Connections--ADExport--Servers--1--Server``` and ```marseille.contoso.com```. __Note that__ the index of the first element is ```0```. +> ```` + +This way, values from the Azure Key Vault take priority over the values from the appsettings files. + +> For example, if `Login` exists in both Azure Key Vault and `appsettings.agent.json`, then the +> value from Azure Key Vault is used. + +## Configure Usercube + +Connect Usercube to Azure Key Vault by adding to the agent's `appsettings.json` file a specific +section. + +> For example: +> +> ``` +> +> appsettings.json +> +> { ... 
"AzureKeyVault": { "Vault" : "https://identitymanagerkeyvault.vault.azure.net/", +> "ConnectionString": +> "RunAs=App;AppId={dcb9b3a4-159c-45d8-93d5-8d6d677de4a7};TenantId={7a06f56c-47a8-469b-b0c0-089ec0666bd1};AppKey={Ju4m3BWA_U~s9XVlI_btgydJ8w5wY.iD.L}" +> } } +> +> ``` +> +> ``` + +| Name | Details | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Vault required | **Type** String **Description** _DNS Name_ found on the page of the vault in Azure's portal. **Info:** usually in the format `https://yourVault.vault.azure.net/`. 
| +| ConnectionString default value: null | **Type** String **Description** Identification token used to retrieve the various connection keys found in the Azure Key Vault. It concatenates a series of options defining the authentication to Azure Key Vault. `null` - the connection is established with the current user. **Warning**: this user must be connected to the Microsoft Entra ID (formerly Microsoft Azure AD) instance and to the correct tenant. Otherwise, Usercube gets the token from Microsoft Entra ID via: `RunAs=App` - a [managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity). **Warning**: connecting via a managed identity must be enabled on Azure's App Service. `RunAs=App;`**`AppId={ClientId of user-assigned identity}`** - a user-assigned identity. `RunAs=App;`**`AppId={TestAppId};KeyVaultCertificateSecretIdentifier={KeyVaultCertificateSecretIdentifier}`** - the application and a certificate's secret, for custom services authentication. `RunAs=App;`**`AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}`** - a certificate with a thumbprint on TenantId. `RunAs=App;AppId={AppId};TenantId={TenantId};`**`CertificateSubjectName={Subject};`**`CertificateStoreLocation={LocalMachine or CurrentUser}` - a certificate with a DN on TenantId. `RunAs=App;AppId={AppId};TenantId={TenantId};`**`AppKey={ClientSecret}`** - a secret. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md new file mode 100644 index 0000000000..8ef444554c --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md 
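Review bot: The "Configure Usercube" example in the Azure Key Vault page (the file added just above this header) embeds what looks like a live credential: a concrete `AppKey={...}` value next to concrete AppId and TenantId GUIDs and a vault URL. Please confirm these are dummy values and replace them with obvious placeholders such as `AppKey={ClientSecret}`, which is what the ConnectionString table already uses. If any of them was ever real, it should be rotated. It would also help to state that the AppKey form leaves a client secret in plain text in `appsettings.json`, which is the situation the vault is meant to remove, and to use one of the certificate or managed identity forms from the table as the example instead. Separately, the Active Directory example is broken: stray `>` markers sit inside the JSON, and the four-backtick fence swallows the two paragraphs that explain the `Connections--ADExport--Login` and `Connections--ADExport--Servers--1--Server` secret names.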
@@ -0,0 +1,313 @@ +# CyberArk's AAM Credential Providers + +This guide shows how to protect sensitive data by connecting Usercube to CyberArk's Application +Access Manager (AAM) Credential Providers. + +## Data Protection + +Usercube often needs to connect to +[external systems](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) with +credentials that need protection. + +By default, the data used to connect to external systems is stored in plain text in the +**Connections** section of the `appsettings.agent.json` file. This is not a secure option. + +## CyberArk for Data Protection + +CyberArk's Application Access Manager (AAM) Credential Providers, part of the Privileged Access +Security solution, is used to stop storing hard-coded credentials in applications, scripts or +configuration files, and instead store them in CyberArk's vault to be centrally logged and managed. + +This way, the company can easily become compliant with potential internal and regulatory +requirements of periodic password replacement, and able to securely monitor privileged access across +all systems, databases and applications. + +CyberArk is made of vaults. Inside a vault, safes can be created and owners allocated. Accounts and +files can then be stored in safes accessible by users. + +**_This section explains how Usercube retrieves these accounts from CyberArk._** + +## Prerequisites + +CyberArk AAM can be used either with: + +- agentless AAM: + [Central Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-Central%20-Credential-Provider.htm?tocpath=Get%20Started%7COfferings%7C_____3#central-credential-provider) + (works with Web Service using REST); +- agent-based AAM: + [Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/lp_cp.htm?tocpath=Get%20Started%7COfferings%7C_____1#credential-provider) + (works with C/C++ Application Password SDK). 
+ + Implementing the Credential Provider method requires placing the C/C++ Application Password SDK + DLL, named `CPasswordSDK.dll` (on 32-bit systems) or `CPasswordSDK64.dll` (on 64-bit systems), + to the `Runtime` folder of Usercube. + +Usercube supports both AAMs. +[CyberArk's overview](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-CyberArk-Application-Identity-Management-Solution.htm?tocpath=Get%20Started%7C_____1#cyberarks-overview) +can help choose which AAM to go to. + +See more details about Credential Provider's +[system requirements](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/SysReq-Credential-Provider.htm?tocpath=Installation%7CSystem%20Requirements%7C_____1#system-requirements) +and +[installation guide](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/installing-the-Credential-Provider.htm?TocPath=Installation%7CCredential%20Provider%7CInstall%20the%20Credential%20Provider%7C_____0#installation-guide). + +## Compatible Settings + +The following table sums up which keys from `appsettings.agent.json`'s **Connections** section can +be saved to CyberArk: + +| Use Case | Possible Key | +| -------- | ---------------------------------------------- | +| Login | `Login / ApplicationId / ClientId` | +| Password | `Password / ApplicationKey / ClientSecret` | +| Address | `Server / MicrosoftGraphPathApi / ResponseUri` | + +Any [connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) using +one of these attributes as key can retrieve the associated value from CyberArk. + +> For example, +> [Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) +> can retrieve: `Login`; `Password`; `Server`. 
+ +## Set Authorization Details + +While the application's identifier is required, setting an authentication method and allowed +machines is optional but recommended for security concerns. + +### AppID + +[See CyberArk's documentation on how to add an application to the vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#see-cyberarks-documentation-on-how-to-add-an-application-to-the-vault). + +CyberArk uses for each client application an AppID, i.e. a unique name to identify the application's +permissions to access given safes and stored secrets. + +### Authentication + +Several +[authentication methods](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#authentication-methods) +are available to protect the whole system and make sure that Usercube actually does the API calls. + +NETWRIX recommends: + +- using the certificate's serial number (see below how to configure certificates) when working with + the agentless AAM - Central Credential Provider; +- generating a hash with the AIMGetAppInfo utility when working with the agent-based AAM - + Credential Provider. + +### Allowed machines + +Finally, +[allowed machines](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#allowed-machines) +can be added to the safe. This way, the Credential Provider verifies that only applications running +from an authorized machine can access secrets. + +### SSL certificate + +If IIS is configured with `AIMWebService` set to `Require SSL`, then an SSL certificate must be +provided. + +Usercube does not require a certificate, so it can be launched without certificate-related +parameters, if CyberArk is configured to allow it. 
+ +## Create a CyberArk Account + +CyberArk's Password Vault Web Access (PVWA) is meant to enable users to access sensitive data +through accounts in CyberArk, from any local or remote location. + +The following procedure requires credentials in order to connect to PVWA. + +Create a CyberArk account by +[adding it to the PVWA](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/cv_Managing-Single-Accounts.htm?tocpath=Administration%7CCredential%20Provider%7CAccounts%20and%20Safes%7C_____1#adding-it-to-the-pvwa), +defining at least the following properties: + +```` +| Property Name | Key in appsettings.agent.json | +| ------------- | ------------------------------- | +| Username | Login | +| Address | Server | +| Password | Password | + +NETWRIX recommends customizing the account's name because it will be used in [```appsettings.cyberArk.agent.json```](#appsettingscyberarkagentjson) to retrieve this account from the vault. + +```` + +## Assign the Permissions + +[See CyberArk's documentation on how to add a safe member](https://docs.cyberark.com/PAS/13.0/en/Content/PASIMP/Safes-add-a-safe-member-ClassicUI.htm?tocpath=Administrator%7CPrivileged%20Accounts%7CAccess%20Control%7CSafes%20and%20Safe%20members%7CClassic%20interface%7C_____3). + +In order to assign the permissions to access the application, follow CyberArk's instructions to +[build the environment for the Credential Provider in the PVWA](https://docs.cyberark.com/AAM-CP/13.0/en/Content/CP%20and%20ASCP/Building-CP-Environment.htm). + +The aim here is to give the right permissions to: + +- the AAM user, by default named `Prov_{Credential Provider machine name}`, meant to enable the + Credential Provider to authenticate to the vault and retrieve passwords; +- the application, via its AppID. + +## Configure Usercube + +Connect Usercube to CyberArk by adding to the agent's `appsettings.json` file a specific section. 
+ +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "certificateFilePath", +> "Password": "certificatePassword", +> "DistinguishedName": "certificateSubjectDistinguishedName", +> "Thumbprint": "certificateThumbprint", +> "StoreName": "certificateStoreName", +> "StoreLocation": "certificateStoreLocation" +> }, +> ... +> } +> ``` + +### Vault settings + +| Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| UseCyberArkSetting default value: False | **Type** Boolean **Description** `True` to enable the CyberArk Provider for Usercube. | +| SafeName required | **Type** String **Description** Name of the safe containing the accounts used by Usercube. | +| ApplicationId required | **Type** String **Description** Application ID of the application that can access the safe. | +| Server required | **Type** String **Description** URL configured for the CyberArk Vault. It is recommended to use HTTPS for security purposes. **Note:** the `Server` attribute is only used with the CyberArk Central Credential Provider (Agentless AAM). | + +### Certificate settings + +Certificate settings are only used with the Central Credential Provider (agentless AAM). They set +the location of the public key certificate and the private key used by the agent to handle encrypted +network communications with CyberArk. 
+ +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _Agent_'s host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. + + NETWRIX recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + `File` is specified then the PFX certificate is used, even if the options for Windows' + certificate are specified too. + + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "C:/identitymanagerAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> }, +> ... 
+> } +> ``` + +The archive is set using the following attributes: + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Info:** storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [`Usercube-Protect-CertificatePassword.exe` tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "DistinguishedName": "CN=contoso, OU=Biz, O=Contoso, L=Marseille, S=MA, C=FR", +> "StoreName": "My", +> "StoreLocation": "LocalMachine" +> }, +> ... +> } +> ``` + +The Windows certificate is set using these attributes: + +| Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | **Type** String **Description** _SubjectDistinguishedName_ of the store certificate. **Note:** required when `Thumbprint` is not specified. 
| +| Thumbprint optional | **Type** String **Description** _Thumbprint_ of the store certificate. **Note:** required when `DistinguishedName` is not specified. | +| StoreLocation required | **Type** String **Description** Location of the relevant Windows certificate store: `LocalMachine` or `CurrentUser`. | +| StoreName required | **Type** String **Description** Name of the relevant Windows certificate store. | + +## Usercube's CyberArk Vault + +Once configured, Usercube retrieves the sensitive values from CyberArk via the +`appsettings.cyberArk.agent.json` file. + +In this file: + +- the keys must follow the same structure as in the **Connections** of the `appsettings.agent.json` + file; +- the values are the names of the accounts created before. + +> The following example saves in CyberArk the credentials for `AD_Export`, with the accounts +> `AdAccount` and `AdServer2`: +> +> ``` +> appsettings.cyberArk.agent.json +> { +> "Connections": { +> "AD_Export": { +> "Login": "AdAccount", +> "Password": "AdAccount", +> "Servers": [ +> { +> "Server": "AdAccount" +> }, +> { +> "Server": "AdServer2" +> } +> ] +> } +> } +> } +> ``` +> +> Thus, when launching a job via the `AD_Export` connection, Usercube gets the values for `Login`, +> `Password` and `Server` from CyberArk, and the others from `appsettings.agent.json`. + +After updating `appsettings.cyberArk.agent.json`, the agent must be restarted for the changes to +take effect. + +To get a given property's value, Usercube reads first the section in +`appsettings.cyberArk.agent.json` for the appropriate connection. Only if the property is not listed +here will Usercube read the corresponding section in `appsettings.agent.json` to find it. + +Thus, when a property is listed in both appsettings files, the value from the CyberArk vault takes +priority over the one from the usual appsettings file. 
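Review bot: In the "As a PFX file" sample, `"Password": "oarjr6r9f00"` shows a clear-text archive password, while the attribute table right after it says that storing a `.pfx` password in plain text is strongly discouraged and points to `Usercube-Protect-CertificatePassword.exe`. Samples get copied, so the sample should carry a protected value or an obvious placeholder and say which one it is. Separately, under "Create a CyberArk Account" the property table and the NETWRIX recommendation are wrapped in a four-backtick fence, so they will render as literal text and the `appsettings.cyberArk.agent.json` link will not work; drop the fence. The fragments appended to the external CyberArk URLs (for example `#see-cyberarks-documentation-on-how-to-add-an-application-to-the-vault`) look generated from the link text and should be checked against the target pages.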
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md new file mode 100644 index 0000000000..8406948aee --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md 
@@ -0,0 +1,99 @@ +# Agent Configuration + +_Usercube Agent_'s configuration includes connection information to the managed systems and to the +_Server_. Protection of sensitive credentials can be achieved through RSA encryption, storing +information within a _CyberArk Vault_, or using an _Azure Key Vault_ safe. + +## Configuration Files + +The _Agent_ configuration uses two sets of settings: the agent **appsettings** set and the +**appsettings.agent** set. + +1. The + [appsettings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + set is written either to the _Agent_'s working directory + [appsettings.json file](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md) + or as + [environment variables](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md). +2. The + [appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + set is written as + [environment variables](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md) + or to the + [appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + files from the Agent's working directory. +3. There are two additional files involved in the _Agent_'s configuration to protect sensitive data: + [appsettings.encrypted.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) + and + [appsettings.cyberark.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +## Protect Credentials + +Managed system credentials are sensitive information. 
Usercube offers three strategies to protect +sensitive data. + +### RSA encryption + +Any _Agent_ configuration setting value can be encrypted using `Usercube-Protect-X509JsonValue` and +`Usercube-Protect-X509JsonFile` tools. An encrypted value is then written to the +[appsettings.encrypted.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) +file. + +It means that any sensitive setting value that the user chooses to protect this way won't be written +to the +[appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file but to the +[appsettings.encrypted.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) +file. + +### CyberArk Vault + +Any _Agent_ configuration setting value can be encrypted using Usercube's _CyberArk_ integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the +[appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file but stored within a _CyberArk Vault_. + +### Azure Key Vault safe + +Any _Agent_ configuration setting value can be encrypted using Usercube's _Azure Key Vault_ +integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the +[appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file but stored within an _Azure Key Vault_ safe. 
+ +## Merge Priority + +Because of the credential protection system, the _Agent_ connection information to managed systems +can be written to the following configuration sources: + +- The + [appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + file which contains plain text, non-encrypted setting information. +- The + [appsettings.encrypted.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) + file which contains encrypted setting information. +- An _Azure Key Vault_ safe (see + [azure key vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)). +- A _CyberArk__Vault_ referenced by the + [appsettings.cyberark.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + file. +- The + [appsettings.connection.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) + file. + +Each configuration source is loaded one after the other, in the following order: + +1. [appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +2. [appsettings.encrypted.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) +3. _[Azure Key Vault](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)_ + safe +4. 
_[CyberArk](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + Vault_ +5. [appsettings.connection.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) + +If a json key is defined in multiple configuration source, only the last loaded json key is +preserved to build the final configuration. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..118daf0e44 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md 
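Review bot: In agent-configuration/index.md, "Merge Priority" loads `appsettings.connection.json` last and states that only the last loaded key is kept, so a key present in that file overrides the same key coming from the CyberArk Vault, the Azure Key Vault safe or the encrypted file. The source list describes the other four sources but says nothing about what `appsettings.connection.json` holds or whether it is plain text; please document that and state the override explicitly, so that nobody assumes the vaulted credential is the one in use. Smaller points in the same hunk: the "Configuration Files" intro announces two sets of settings and then lists three items; the CyberArk Vault and Azure Key Vault subsections say a value "can be encrypted" where the next sentence says it is stored in the vault; `_CyberArk__Vault_` has broken emphasis markup; and the link text `appsettings.cyberark.agent.json` differs in case from `appsettings.cyberArk.agent.json` used in the CyberArk page of this patch.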
@@ -0,0 +1,62 @@ +# RSA Encryption + +Usercube provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Usercube's tools: + +- [`Usercube-Protect-X509JsonValue.exe`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [`Usercube-Protect-X509JsonFile.exe`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + to encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` and +`appsettings.encrypted.agent.json` files. Usercube will read first the values from the encrypted +appsettings files, before reading those from the usual non-encrypted appsettings files. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings files and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings files without having to encrypt the whole files again. + +## Focus on the Encrypted Appsettings Files + +The `appsettings.encrypted.json` and `appsettings.encrypted.agent.json` files contain respectively +the `appsettings.json` and `appsettings.agent.json` files' sensitive setting values which are +protected by RSA encryption. + +These files follow the exact same structure as the +[agent's configuration files](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). + +### Read the Encrypted Files + +Usercube can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. 
+ +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. + +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./identitymanager.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/index.md new file mode 100644 index 0000000000..ef3b713a53 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/index.md @@ -0,0 +1,6 @@ +# How-Tos + +These guides will help you configure technical settings with practical step-by-step procedures. + +- #### [Configure Okta for Usercube Authentication](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md) + Configure the OIDC to set up the authentication to Usercube. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md new file mode 100644 index 0000000000..cc9c7f21eb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md 
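Review bot: In rsa-encryption/index.md, the `EncryptionCertificate` sample under "Read the Encrypted Files" keeps `"Password": "secret"` in clear text in the same non-encrypted appsettings file that sets `UseEncryptedAppsettings`, so the password of the archive used to read every encrypted value is available to anyone who can read that file. The CyberArk page in this patch already points to `Usercube-Protect-CertificatePassword.exe` for `.pfx` passwords; link to it here as well and show a protected value or a placeholder in the sample. Also, "an RSA decoding algorithm fed by a public-key certificate" is misleading: the sample loads a `.pfx`, and reading the values needs the private key that archive contains, so say "decryption" and name the private key. Finally, the Overview sentence "Usercube will read first the values from the encrypted appsettings files" should be aligned with the load order given in Agent Configuration, where the encrypted file is loaded after `appsettings.agent.json` and wins because it is loaded later.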
@@ -0,0 +1,74 @@ +# Configure Okta for Usercube Authentication + +This guide shows how to configure the OIDC to set up the authentication to Usercube. + +## Create the Application + +On the Okta dashboard, select the **Applications** section. Click on the **Add Application** button. + +![Add Application](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp) + +Then click on the **Create New App** button. + +![Create New App](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp) + +Select the platform "Native app". The only sign-on method is the OpenID Connect. Click on +**Create**. + +![Create Native App](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp) + +In **General Settings**, name your Application. You can also add a logo. + +In the **Configure OpenID Connect** section, enter the connection redirection URL in the part: +**Login redirect URLs**. To find out this URL, just take the URL of the Usercube application and +add: "/signin-oidc". The Usercube disconnection redirection URL is also necessary. To construct it, +take Usercube's URL again and, at the end, add: "/signout-callback-oidc". + +The **Logout redirect URLs** section is marked as optional but it is mandatory for Usercube. + +![Save Application](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp) + +## Configure the Client Credentials + +The client secret in Usercube is required for the OIDC connection. You must therefore configure this +OIDC connection option in the application. In the Application Dashboard, click on **Edit** in the +**Client Credentials** section. Select the option **Use Client Authentication** and save the +changes. 
+ +![Client Credentials](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) + +## Configure the Application Settings + +In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with +Usercube can operate correctly. **Allow ID Token with implicit grant type** is optional. + +![Application Section](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) + +## Configure the appsettings.json + +In the **authentication** section of your appsettings file, the **OpenId** section must be +configured with the following information: + +- ClientId: **Client ID** found in the Okta **Client Credentials** section +- ClientSecret: **Client secret** found in the Okta **Client Credentials** section +- Authority: **Okta Domain** found in the Okta **General Settings** section +- SaveToken: True + +``` +appsettings.json +{ + ... + "OpenId": { + "Enabled": true, + "Okta": { + "AuthenticationScheme": "Okta authentication", + "DisplayName": "Okta authentication", + "ClientId": "Client ID", + "ClientSecret": "Client secret", + "Authority": "Okta Domain", + "SaveToken": true + } + } +} + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md new file mode 100644 index 0000000000..d754ee45c5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md 
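Review bot: In how-tos/okta/index.md, the final sample puts `"ClientSecret": "Client secret"` directly into `appsettings.json` with no mention of protecting it. The RSA Encryption page in this patch describes `appsettings.encrypted.json` for the sensitive values of `appsettings.json`, so add a sentence and a link telling readers to keep the client secret there rather than in the plain file. Two further gaps: "Configure the Application Settings" asks for **Implicit (Hybrid)** "so that the connection with Usercube can operate correctly" without saying which flow Usercube uses, which an administrator needs in order to justify enabling that grant type; and `SaveToken: True` is listed without saying what is saved or why. The text also places `OpenId` in the **authentication** section of the file, while the sample shows `OpenId` at the top level after `...`; show the enclosing section in the sample.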
@@ -0,0 +1,211 @@ +# Network Configuration + +Usercube's network technical configuration includes: + +- Database connection +- Managed systems connection +- Synchronization and fulfillment processes +- End-user authentication +- Logging + +## Introduction + +Configuration settings are saved in configuration files or in the host system's environment +variables. + +Configuration settings are detailed further in the following sections: + +- Server configuration, including connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md) + topic for additional information. +- Agent configuration, including connection to the managed systems. See the + [Agent Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) + topic for additional information. +- Monitoring, indicating how to set up monitoring for Usercube. See the + [Monitoring](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) topic + for additional information. + +## Write Settings + +How to write settings for the network configuration. + +### Sets, sections and values + +Configuration setting values are organized by functionality into three sets: + +1. The Server's appsettings set gathers general-purpose settings for the Server (including database + connection and end-user authentication). See the + [Server Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md) + topic for additional information. +2. The Agent's appsettings set gathers general-purpose settings for the Agent executable process. + See the + [Application Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + topic for additional information. +3. 
The appsettings.agent set gathers settings for the Agent's connection to the managed systems. See + the + [appsettings.agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information. + +Each set can be seen as a +[tree-like structure](https://en.wikipedia.org/wiki/Tree_(data_structure)) where leaves are a +name-value pair: the name of the setting and the value of the setting. + +Within a Configuration Set Tree, settings are organized into meaningful sections which can be +further organized into subsections, leading to a tree-like structure where sections are nodes. For +example, settings involving end-user authentication are gathered in the Authentication section, +containing another subsection for every authentication method such as OpenId or OAuth. + +This means that every setting value either belongs to the settings root node or to a section, itself +belonging to a parent section. + +![tree like structure](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/tree-like-structure.webp) + +### Configuration files + +Settings can be written as `json` objects stored in `.json` files in the Server or Agent working +directory. + +Relevant files for the Server can be found in the Server working directory: + +- `appsettings.json` + +Relevant files for the Agent can be found in its working directory: + +- `appsettings.json` +- `appsettings.agent.json` +- `appsettings.encrypted.agent.json` +- `appsettings.cyberArk.agent.json` + +Each setting file is organized into several sections as shown in the Sets, Sections and values +diagram. See the +[Architecture](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md) topic +for additional information. + +Each section's name matches a top level attribute of the file's `json` object. 
+ +The section content is written as the matching attribute's value which can be broken down into a set +of setting attributes and subsection attributes. + +Each subsection can then be broken down into more setting attributes and deeper nested subsections. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +settings.example.json +{ +   "sectionA": { +       "subsectionnameA1":{ +            "settingnameA11":"settingA11value", +            "settingnameA12":"settingA12value" +       }, +       "settingnameA2": "settingvalueA2", +        }, +   "sectionB": { +       "settingnameB1": "settingB1value", +       "settingnameB2": "settingB2value" +   } +} +``` + +In Integrated-agent mode, agent configuration is written to the Server's `appsettings.json` file. +See the [Overview](/docs/identitymanager/6.1/identitymanager/installation-guide/overview/index.md) topic +for additional information. + +#### Reminder + +The backslash character `\` is an escape character in a JSON file. An error will appear when parsing +the JSON file if the backslash is followed by a non-escapable character. To use a backslash in a +string, it must be escaped by another backslash. + +In this example, the value for the attribute `Password` will be parsed as ``: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Password": "" +} +``` + +### Environment variables + +Alternatively, settings can be stored as environment variables on Usercube's host system. + +Each setting value is stored as the value of an environment variable whose name is the concatenation +of all the ancestor sections and the setting name separated by **__** (two underscores). + +Here is an example showing how to construct a setting environment variable name from its matching +`json` file. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Scheduler": { +        "Enabled": true, +        "LockFilePath": "../Temp/scheduler.lock" +    }, +    "Swagger": { +        "Enabled": true +    } +} +``` + +The name becomes Scheduler**Enabled, Scheduler**LockFilePath and Swagger__Enabled. + +## Manage Several Environments + +How to manage several network environments. + +### Using files + +Every setting value can be overwritten to fit a specific environment. + +The environment within which Usercube runs is set by the system environment variable +ASPNETCORE_ENVIRONMENT. The default value is Production. Usual examples include Development, +Staging, and Production. + +To overwrite setting values for a specific environment, one can write environment-specific +configuration files. + +For every appsettings.``.json file, an appsettings.``.``.json can be created +where `` is the name of the relevant environment matching the ASPNETCORE_ENVIRONMENT +value. + +The appsettings.``.``.json file has the exact same section/attribute/subsection +shape as the main appsettings file. + +Usercube's configuration will be the result of merging both files. + +Should a setting be written in both files, Usercube will use the +appsettings.``.``.json value. + +Leveraging this priority mechanism is how one can override a setting value to match a particular +environment. Another mechanism can be used: using environment variables. + +### Using environment variables + +Setting values can also be stored as environment variables on Usercube's host system. +Environment-variables-stored setting values have priority over json-file-stored setting values. Here +is how to use this mechanism to handle multiple environments. + +In the web.config file, an `` element in the node +`` is used to set a setting value +for the application. 
+ +### Configuration stages + +Configuration encompasses: + +- The Server configuration with a connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md) + topic for additional information. +- The Agent configuration with a connection to the managed systems. See the + [Agent Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) + topic for additional information. +- The Logger configuration. See the + [Monitoring](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) topic + for additional information. diff --git a/docs/usercube/6.1/usercube/integration-guide/network-configuration/password-management/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/password-management/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/network-configuration/password-management/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/password-management/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/proxy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/proxy/index.md new file mode 100644 index 0000000000..aa9c53e018 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/proxy/index.md 
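Review bot: In network-configuration/index.md, the "Environment variables" section ends with "Scheduler**Enabled, Scheduler**LockFilePath and Swagger__Enabled": two of the three names are written with `**` instead of the two-underscore separator the section defines, and the `**` pair will also render as bold, so readers will copy variable names that do not work. Put all three in code formatting as `Scheduler__Enabled`, `Scheduler__LockFilePath` and `Swagger__Enabled`. The same loss of literal characters affects other parts of this hunk: in "Reminder" the sentence "will be parsed as" is followed by an empty code span and the sample is `"Password": ""`, so the backslash rule is never illustrated; the environment-specific file names read "appsettings" followed by empty code spans, and the `web.config` sentence has lost its element and node names. `settings.example.json` has a trailing comma after `"settingvalueA2"`, which is not valid JSON, and the sentence about attributes enclosed with `<>` is repeated three times ahead of samples that contain no such attributes.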
@@ -0,0 +1,228 @@ +# Proxy Server + +Usercube server or agent can be configured to go through a proxy server to access internal or +external web resources. + +## Introduction + +A Usercube agent often needs to access internal or external systems using the HTTP protocol. It may +easily be configured to use a proxy server through which all or part of the HTTP traffic will be +routed. + +## Proxy Related Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables: + +- `HTTPS_PROXY`: the proxy server used on HTTPS requests. +- `NO_PROXY`: a comma-separated list of hostnames that should be excluded from proxying. + +The dotnet environment does not rely on the OS-wide proxy configuration. It is mandatory to use the +above-mentioned environment variables to configure the proxy. + +### HTTPS_PROXY + +The `HTTPS_PROXY` environment variable may be the hostname or IP address, optionally followed by a +colon and port number, or it may be an http URL, optionally including a username and password for +proxy authentication. + +The URL must start with `http`, **not https**, and cannot include any text after the hostname, IP, +or port. + +This example shows various ways to properly configure a proxy server using Powershell: + +``` + +# A hostname with port (recommended syntax) +$env:HTTPS_PROXY="proxy.contoso.com:6060" +# A hostname without port +$env:HTTPS_PROXY="proxy.contoso.com" +# An IP address with port +$env:HTTPS_PROXY="10.65.1.1:6060" +# A URL with port: +# Warning: Even if we want to route HTTPS traffic, we MUST give a URL with http scheme. +# Warning: Do not add trailing slash. +$env:HTTPS_PROXY="http://proxy.contoso.com:6060" + +``` + +We recommend using the `:` syntax since it is not misleading. We discourage using +the `http://:` syntax since it is not intuitive to indicate the `http` scheme to +route `https` traffic. 
However, if you decide to use this syntax, do not forget to include a comment +stating that `http` scheme is mandatory at the configuration level, even if it will not be used at +runtime. + +#### Do not do + +This example shows the wrong ways to initialize the `HTTPS_PROXY` environment variable. The +environment variable will be **silently ignored** and the traffic will not be routed through the +proxy. + +``` + +# WRONG: A URL with https scheme +$env:HTTPS_PROXY="https://proxy.contoso.com:6060" +# WRONG: A URL with text after the port number +$env:HTTPS_PROXY="http://proxy.contoso.com:6060/" +# WRONG: A URL with text after the hostname +$env:HTTPS_PROXY="http://proxy.contoso.com/" + +``` + +#### Authenticated proxy + +When the proxy server needs the user to be authenticated, the `HTTPS_PROXY` environment variable can +include the username and password as follows: + +``` + +# A URL to authenticate to the proxy with login=mylogin and password=mypassword +$env:HTTPS_PROXY="http://mylogin:mypassword@proxy.contoso.com:6060" + +``` + +### NO_PROXY + +The `NO_PROXY` environment variable is a comma-separated list of hostnames that should be excluded +from proxying. To exclude all subdomains ("wildcard" exclusion), domains in the `NO_PROXY` list need +to be prefixed with a dot (`.`), which is standard, but not particularly well documented. 
**Do not +use the star (`*`) prefix !!!** + +This example shows various ways to exclude domains from proxying: + +``` + +# Exclude only www.google.com: +# www.google.com: will not go through the proxy +# maps.google.com: will go through the proxy +$env:NO_PROXY="www.google.com" +# Exclude only www.google.com and www.microsoft.com: +$env:NO_PROXY="www.google.com,www.microsoft.com" +# Exclude all google.com and all microsoft.com subdomains: +# Do not prepend the domain name with a '*' +# www.google.com: will not go through the proxy +# maps.google.com: will not go through the proxy +# www.microsoft.com: will not go through the proxy +$env:NO_PROXY=".google.com,.microsoft.com" + +``` + +#### Do not do + +This example shows the wrong ways to initialize the `NO_PROXY` environment variable. + +``` + +# WRONG: starting with '*' to indicate a wildcard exclusion +# Only the domain exactly named *.contoso.com will be excluded from proxying, +# which means there is no exclusion configured. +$env:NO_PROXY="*.contoso.com" + +``` + +## Where to Define Proxy Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables, they can be +defined in various places according to the practices in place in your organization: + +- At OS level +- At user level: for the user running the Usercube server or agent +- At IIS level: in the application `web.config` file + +Note that when creating an environment variable in IIS `web.config` file, all child processes +created by the IIS application will inherit from this environment variables. For example, while +running the Usercube agent all tasks started by the agent will inherit the proxy environment +variables. + +This example shows how to configure the proxy in the IIS `web.config` file: + +``` + + + + ... + + +``` + +## Testing the Proxy Configuration + +To test the proxy configuration for the dotnet environment, it is advised to use Powershell 5 or +Powershell Core. 
+ +In the following examples, you may adapt the proxy hostname/port and the URL to test. + +### Using Powershell 5 + +To test that a Usercube agent using a proxy server can reach the Usercube server: Go to the +`/Runtime` directory. + +``` + +$env:HTTPS_PROXY="proxy.contoso.com" +./identitymanager-Invoke-Job.exe --api-url https://contoso.usercube.com/ --api-client-id Job --api-secret secret -j UnknownJob + +# Given the credentials are valid, you should get an exception as follows: +# ---> System.Exception: Job: UnknownJob is not found +# This exception shows that the server has been reached and that the job identifier is not known. +# The proxy is properly configured !!! + +``` + +**Do not use** Invoke-WebRequest or Test-NetConnection to test the proxy configuration. In +Powershell 5, these tools are using a different network stack from dotnet environment and are using +the OS-wide proxy settings. They will ignore the `HTTPS_PROXY` environment variable + +### Using Powershell Core + +Powershell Core is based on the same network stack as dotnet environment. The proxy configuration +can be tested using the Invoke-WebRequest and Test-NetConnection tools. If tests are successful +using Invoke-WebRequest, they will be successful too if the same environment variables are provided +to the Usercube server or agent. + +Powershell Core will only take the `HTTPS_PROXY` environment variable into account if it was created +before the Powershell Core process was started. + +``` + +# Create the environment variable in this Powershell Core process. +# This variable will not alter the proxy configuration of this process. +$env:HTTPS_PROXY="proxy.contoso.com" +# Start a child Powershell Core process which will inherit from the HTTPS_PROXY environment variable. +# This variable will alter the proxy configuration of this child process. +pwsh +Invoke-WebRequest https://contoso.usercube.com/ +# The result should display an HTTP 200 response from the Usercube server. 
+ +# Go back to the parent Powershell parent process. +exit + +``` + +### Known errors when proxy is not properly configured + +When the proxy environment variables does not match the expected format, they will be **silently** +ignored. + +- If `HTTPS_PROXY` is ignored, the network stack will try to directly access public URL's without + going through the proxy. +- If `NO_PROXY` is ignored, the internal traffic will be routed through the proxy. + +When testing the proxy configuration, if you get one of the following error message: + +- ` No such host is known.` +- `H�te inconnu` + +It means that the `HTTPS_PROXY` is not set or does not match the expected format. The HTTP client +tries to directly resolve the public hostname instead of resolving the proxy hostname. + +Review the `HTTPS_PROXY` value, check that it does not: + +- use the `https` scheme +- include trailing slashes or characters after the hostname:port + +## Reference Documentation + +- [HttpClient.DefaultProxy](https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.defaultproxy?view=net-8.0&viewFallbackFrom=netcore-8.0#httpclientdefaultproxy): + reference for environment variables. +- NO_PROXY: [unofficial documentation](https://stackoverflow.com/a/62663469) for wildcard domain + exclusion diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md new file mode 100644 index 0000000000..2fe52fd739 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md 
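Review bot: In proxy/index.md, the "Authenticated proxy" section shows `$env:HTTPS_PROXY="http://mylogin:mypassword@proxy.contoso.com:6060"` without saying where that value ends up, while "Where to Define Proxy Environment Variables" offers OS level and the IIS `web.config` file and states that all child processes of the IIS application inherit the variables. Taken together, the proxy password sits in clear text in a configuration file or a machine-wide variable and is handed to every task the agent starts. Add a sentence saying so, and recommend the narrowest of the three scopes (the user running the server or agent) with a dedicated proxy account. Two content losses in the same file should be fixed before merge: the `web.config` example block contains only `...`, so there is no element for the reader to copy, and the sentence "We recommend using the `:` syntax" and its `http://:` counterpart have lost their host and port placeholders. The French error string in "Known errors" has a broken accented character, the sentence ending "They will ignore the `HTTPS_PROXY` environment variable" lacks its period, and the text still says "Usercube agent" while the command shown is `identitymanager-Invoke-Job.exe`.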
@@ -0,0 +1,83 @@ +# Connection to the Database + +The connection of Usercube's server to the database is set through the `appsettings` top-level +`ConnectionString` and the `AzureCredentials` attributes: + +| Name | Details | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Identification token used to retrieve the connection information for the server to access Usercube's database in SQL Server. **Note:** must be compliant with [SQL Server connection string syntax](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). [See more information in the Installation Guide](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). **Example**`{ � "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| ConnectionStringGovernor required | **Type** String **Description** Identification token used to retrieve the connection information to SQL Server Resource Governor which is a feature used to manage SQL Server's workload and system resource consumption. 
**Info:** Resource Governor enables specifying limits on the amount of CPU, physical I/O, and memory that incoming application requests can use. **Note:** must be compliant with [SQL Server connection string syntax](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md). **Note:** all tasks and jobs use this connection string, when specified. **Example**`{ � "ConnectionStringGovernor": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| AzureCredentials required | **Type** [AzureCredentials](#azurecredentials) **Description** Settings used with the `ConnectionString` to access the database in SQL Server, hosted on Microsoft Entra ID (formerly Microsoft Azure AD). | + +## AzureCredentials + +The database can be accessed one of two ways: + +- either by specifying `User Id` and `password` keywords directly in the connection string: + + > For example: + > + > ``` + > + > "ConnectionString": "data source=.;Database=UsercubeContoso;User + > Id=UsercubeServerContoso;Password=myPassword;Min Pool Size=10;encrypt=false;" + > + > ``` + > + > ``` + +- or, to avoid exposing the `User Id` and `password` in a connection string sent through the + network, by using the built-in Microsoft Entra ID authentication method: + + > For example: + > + > ``` + > + > "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial + > Catalog=;Persist Security + > Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;" + > + > ``` + > + > ``` + +[See Microsoft's documentation for more details about authentication methods](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) + +> The following example authenticates with ClientId and ClientSecret: +> +> ``` +> +> appsettings.json +> +> { ... 
"ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "ClientSecret": "" } } +> +> ``` +> +> ``` + +> The following example authenticates with a pfx-stored public key certificate (password-protected +> pfx archive): +> +> ``` +> +> appsettings.json +> +> { ... "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "EncryptionCertificate": { "File": "", +> "Password": "" } } } +> +> ``` +> +> ``` + +| Name | Details | +| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ClientId optional | **Type** String **Description** Client ID obtained from Microsoft Entra ID when [registering Usercube as an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app). | +| AADTenantId optional | **Type** String **Description** Microsoft Entra ID's tenant identifier obtained when [registering Usercube as an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).**Note:** remember to set Usercube as owner of the targeted database when registering Usercube as an application in Microsoft Entra ID. 
| +| ClientSecret optional | **Type** String **Description** Microsoft Entra ID's client secret used by Usercube to authenticate.**Note:** used only if `EncryptionCertificate` is not specified. | +| EncryptionCertificate required, if ClientSecret is not defined | **Type** [`EncryptionCertificate`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md#encryptioncertificate) **Description** Location of the certificate used by Usercube to authenticate, instead of the `ClientSecret`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md new file mode 100644 index 0000000000..e1b5bd51f1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md 
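Review bot: In database-connection/index.md, all three SQL Server samples (the `ConnectionString` and `ConnectionStringGovernor` table rows and the `User Id=UsercubeServerContoso;Password=myPassword` sample) end with `encrypt=false`, and nothing marks that as a lab setting. Readers copy these strings into production `appsettings`, so show `Encrypt=True` as the Entra ID samples do, or add a line stating when `false` is acceptable. The settings tables also contradict the text: `AzureCredentials` is marked required although the first of the "two ways" uses only `User Id` and `Password`, `ConnectionStringGovernor` is marked required but described as used "when specified", and `ClientId` and `AADTenantId` are marked optional although both Entra ID examples set them. The Entra ID samples have lost their placeholders (`Server=tcp:.database.windows.net,1433;Initial Catalog=;` and `"ClientId": ""`), each quoted example carries a duplicated closing fence, both table examples have a stray character after the opening brace, and "hosted on Microsoft Entra ID" should read as authenticated through Microsoft Entra ID, since Entra ID does not host the database.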
@@ -0,0 +1,858 @@ +# End-User Authentication + +## Overview + +Before end-users can connect to Usercube through the UI, they will have to authenticate. + +Usercube supports **seven** authentication methods organized into two categories: _Internal_ methods +and _External_ methods. + +It is highly recommended that you use an _External_ method. _Internal_ methods are mostly used for +debug, test and development purposes. + +### Internal methods + +The _Internal_ methods use _Usercube Server_'s internal authentication server. They rely on one of +these _Identity Server User Stores_: + +- **Test User Store**, used in development environments. +- **Active Directory User Store**, using an Active Directory to authenticate. + +### External methods + +_External_ methods use external authentication providers. + +Usercube supports **five** types of external authentication providers. **Four** are based on +different flavors of the _OAuth 2.0_ protocol. The last one is integrated with Windows. + +- [OpenIdConnect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication). + +### Using more than one provider + +For each authentication method, one or several authentication providers can be set up. If several +authentication providers are set up, end-users will be prompted to choose their preferred method of +authentication. 
+ +![authent_1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp) + +#### Internal Method & Test Mode Form + +![authent_2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp) + +#### External Method Prompt + +## Identity Server RSA Key Pair + +A public key certificate and a private key are used to handle encrypted communication with external +authentication providers. This is used, for example, by the _Usercube Server_ to retrieve the +provider's signing key. It is mandatory to validate _JWT tokens_ in an OAuth-flavor scenario. + +This information can be set one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called `.pfx` file) stored in + the _Agent_'s host file system. The archive contains both the public key certificate and the + private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. + +### PFX file + +The archive is set using the following attributes on the `appsettings > IdentityServer` section (see +Configuration): + +- **X509KeyFilePath** is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the + Agent's host file system. +- **X509KeyFilePassword** (_optional_) is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) + archive password. 
+ +#### Example + + ``` + +"IdentityServer": \{ "X509KeyFilePath": "C:/identitymanagerAgentContoso/contoso.pfx", +"X509KeyFilePassword": "oarjr6r9f00" \} + +```` + + +### Certificate + +The certificate from a Windows certificate store is set up using these attributes on the ```appsettings > IdentityServer``` section (see Configuration): + +| Name | Details | +| --- | --- | +| X509SubjectDistinguishedName optional (if _Thumbprint_ is non-empty) | Sets the store certificate's _SubjectDistinguishedName_. | +| _X509Thumbprint_ optional (if _DistinguishedName_ is non-empty) | Sets the store certificate's _Thumbprint_. | +| X509StoreLocation required | Sets the Relevant Windows certificate store's location: ```LocalMachine``` or ```CurrentUser```. | +| X509StoreName required | Sets the relevant Windows certificate store's name. | + +#### Example + + ``` + +"IdentityServer": \{ + "X509SubjectDistinguishedName":"UsercubeContoso", + "X509StoreLocation": "LocalMachine", + "X509StoreName": "AuthRoot" +\} + +```` + +Usercube Server won't start if the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive set up +during this step is identical to the one provided with the SDK. Users must provide their own +certificate. +[Self-signed certificates](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/server/index.md) +are accepted as valid. + +## Configuration Section Description + +Authentication is set up using the following two sections of the Server's `appsettings` set. + +- `IdentityServer` +- `Authentication` + + ``` + +\{ "IdentityServer":\{ ... \}, "Authentication":\{ ... \} \} + +```` + + +The ```authentication``` section mostly fits the following pattern: + + ``` + +"Authentication":\{ + ``:\{ + ``:\{ + ... + \}, + ...., + ``:\{ + ... + \}, + \}, + ``:\{ + ``:\{ + ... + \}, + ...., + ``:\{ + ... 
+ \}, + \} +\} + +```` + +Several authentication providers can be defined (here above, `` to +``), using one or several authentication protocols (here above, +`` and ``). + +Most of the authentication providers need the user to choose an **AuthenticationScheme**. It is a +string that will be used to uniquely identify this authentication method in Usercube. Its goal is to +enable Usercube's testers to identify which authentication method is used in the logs or in the +code, with a mnemonic name. Any name can be used as long as all AuthenticationSchemes are different. + +This guide doesn't cover how to set up authorizations within Usercube. Authorization for an end-user +to access Usercube resources relies on assigning roles to profiles. Identity credentials used for +authentication must be +[linked to these profiles in the applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md#linked-to-these-profiles-in-the-applicative-configuration). + +Authentication-related settings are set through the following +[_sections_](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md#_sections_) +of the `appsettings` set: + +- `IdentityServer` +- `Authentication` + +### IdentityServer + +This is the general-purpose authentication settings section. + +The `IdentityServer` section allows the following attributes: + +| Name | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled default value: true | **Type** Boolean **Description** Enables or disables the Identity Server. | +| AllowWindowsAuthentication default value: false | **Type** Boolean **Description** Allows Windows authentication. Will work only when the Active Directory User Store is enabled. 
| +| ShowPII default value: false | **Type** Boolean **Description** Sets whether or not PII is shown in logs. For security reasons, this setting should be used sparingly. | +| ValidationKeys optional | **Type** String Array **Description** Allows the definition of public certificate paths for token validation. | +| IssuerURI optional | Sets the unique name of this server instance. | +| PostLogoutRedirectUri optional | Sets a specific URI to which the user will be redirected after a successful logout. | +| PublicOrigin optional | Sets the origin name for this _Usercube Server_ instance. Useful if end-users authenticate through a proxy server. | +| X509File required | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the Agent's host file system (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | +| X509KeyFilePassword optional | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | +| X509SubjectDistinguishedName optional | Sets the store certificate's _SubjectDistinguishedName_ (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | +| _X509Thumbprint_ optional | Sets the store certificate's _Thumbprint_ (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | +| X509StoreLocation required | Sets the relevant Windows certificate store's location (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | +| X509StoreName required | Sets the relevant Windows certificate store's name (see [Public key certificate and private key](#public-key-certificate-and-private-key)). | + +### Authentication + +This section contains specific settings for each configuration method. 
+ +At the root, the following properties can be used: + +| Name | Details | +| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled default value: true | **Type** Boolean **Description** Enables or disables authentication. | +| RequireHttpsMetadata default value: true | **Type** Boolean **Description** Specifies whether HTTPS is required for the discovery endpoint. | +| AllowLocalLogin required | **Type** Boolean **Description** If `true`, a Login Form replaces Windows Authentication. | +| CookieLifeTime default value: 8 | **Type** Int **Description** Maximum duration (in hours) after which the session expires automatically. | +| LifeTimeSliding default value: 10 | **Type** Int **Description** Duration (in minutes) after which the session expires automatically, if no action is taken during this time. | + +Then, a subsection for every authentication method is used. Supported subsections are: + +- `OpenId` +- `OAuth` +- `WsFederation` +- `SAML2` +- `ActiveDirectoryUserStore` +- `TestUserStore` + +## Set Up Integrated Windows Authentication (IWA) + +This authentication method can be used to authenticate users within an Active Directory domain using +their respective domain account. + +This authentication is silent: when an end-user tries to access Usercube, the browser retrieves +identity credentials from the Windows session where the user is logged in and sends them to the +domain controller for authentication. The domain controller confirms the user's identity and +validates it for Usercube. The end-user doesn't have to input any credentials. + +If Integrated Windows Authentication is used, internal methods have to be disabled with the +`"AllowLocalLogin":false` setting. 
+ +### Requirements + +Setting up this authentication method requires the following: + +- Usercube runs as an [Internet Information Services (IIS)](https://www.iis.net/) website. +- Windows Authentication is + [enabled on Windows server](https://www.microsoft.com/fr-fr/evalcenter/evaluate-windows-server-2016). +- Windows Authentication is + [enabled for the Usercube IIS website](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#enabled-for-the-usercube-iis-website). + +### Configuration + +Integrated Windows Authentication is configured using the following sections: + +1. Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`. +2. Set the **Authentication** > **AllowLocalLogin** attribute to `false`. + +> The following example sets up Windows Authentication. Windows Server and IIS requirements have +> been checked. +> +> ``` +> +> appsettings.json +> +> ... "IdentityServer":\{ "AllowWindowsAuthentication":"true", \}, "Authentication":\{ +> "AllowLocalLogin":"false", \} ... +> +> ``` +> +> ``` + +## Set Up an Open ID Connect Provider + +One or several **Open ID Connect** authentication providers can be set up under the +`authentication > OpenId` section. + +### Overview + +#### Multiple providers + +One or several **Open ID Connect** authentication providers can be set up. + +#### Registration process + +Using an **Open ID Connect** authentication requires the _Usercube Server_ to be registered to the +provider. A _ClientID_ and a _ClientSecret_ are issued as a result of the registration process. They +both allow Usercube to identify itself to the authentication provider. 
+[Here is an example of registering Usercube to an Microsoft Entra ID (formerly Microsoft Azure AD) used as Open ID Connect provider.](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings) + +#### Callback URL + +The target **Open ID Connect** provider needs to be aware of the URI where to send the +authentication token if the authentication succeeds. Depending on the provider, it is called a +**callback URL**, a **callback path**, an **authorization callback URL**, or a **redirect URI**. + +During the registration process, the provider will ask for the URL. + +Usercube's **callback URL** for **Open ID Connect** is `/signin-oidc` where +`` is the address of your _Usercube Server_ such as +`https://identitymanager.contoso.com`. + +#### Authority + +An **Open ID Connect** provider is identified by its **Authority**, according to the +[Open ID Connect specifications](https://openid.net/connect/). + +#### NameClaimType + +To authorize an end-user, _Usercube Server_ retrieves a specific claim (a key-value pair, +transmitted through the OIDC-issued JWT token) returned by the provider and looks for a resource +that matches this claim's value. The comparison is carried out according to +[the resource and property set as the end-user's identity in the applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). + +The name of the claim that is retrieved for this purpose defaults to `sub` which is one of +[the standard _Claim names_ for the Open ID Connect protocol](https://openid.net/specs/openid-connect-core-1_0.html#the-standard-_claim-names_-for-the-open-id-connect-protocol). +However, some providers might not fill the `sub` value with meaningful data, or use non-standard +_Claim names_. 
+ +For this reason, the name of the claim that is retrieved by Usercube for authorization purposes can +be set up according to the provider's specifics. + +See the [**NameClaimType**](#__nameclaimtype__) configuration attribute. + +Users should be able to get a list of the claim names used by their authentication providers from +their providers' portal website, documentation or administrators. + +For example, the following claim provides no meaningful `sub` value. + + ``` + +\{ "name": "John Doe", "preferred_username": "john.doe@contoso.com", "sub": "11v7ert42azerttyZD6d4" +\} + +```` + + +Using the following applicative configuration setting that sets ```Ad_Entry:userPrincipalName``` as the value to be matched against a claim in order to identify a user's profile, the ```preferred_username ```__NameClaimType__ should be used. + + ``` + + `` + +```` + +### Configuration + +First, the Open ID Connect method must be enabled. + +Under the `OpenId` section: + +| Name | Details | +| ---------------- | --------------------------------------------------------------------------- | +| Enabled required | **Type** Boolean **Description** Enables or disables the OpenId connection. | + +For each **Open ID Connect** provider to integrate, a new section is added under the `OpenID` +subsection. Any section name can be used. This section name is only used as a means for the user to +find the authentication method in the configuration files. 
+ +Under the new subsection, the following parameters are used to configure the authentication method: + +| Name | Details | +| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | Is the unique identifier of this authentication method within Usercube. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | Is the Client ID issued during the registration of Usercube to the chosen Open ID Connect provider. | +| ClientSecret required | Is the Client Secret issued during the registration of Usercube to the chosen Open ID Connect provider. | +| Authority required | This URL identifies the Open ID Connect provider for Usercube according to the [Open ID Connect specifications](https://openid.net/connect/). It can be retrieved from the target Open ID Connect provider documentation. For example, [Microsoft's documentation indicates the Microsoft Identity Platform Open ID Connect authority](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc). | +| NameClaimType optional | Sets the type of the claim that will be retrieved by Usercube to identify the end-user. 
The retrieved claim will be compared against [the resource and property set as the end-user's identity in the applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| Scopes optional | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). By default, the requested scopes are: `openid`, `profile` and `email`. | +| SaveTokens default value: false | **Type** Boolean **Description** Only for Okta providers. Set to `true if authentication uses an Okta provider. For more information about Okta configuration, see [Okta](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md). | +| MetadataAddress optional | URL address of a copy of the metadata, used when the authority metadata cannot be accessed from the Usercube server, for example because of a firewall. | +| RequireHttpsMetadata default value: true | **Type** Boolean **Description** By default the authority metadata must use HTTPS. Set to `false to use a simple HTTP metadata, in case a local copy of the metadata is used or for test environment. | +| ResponseMode optional | **Type** String **Description** Response mode for OpenIdConnect. - `Query` - `FormPost` - `Fragment` [See OpenId documentation](https://openid.net/specs/openid-connect-core-1_0.html). | +| ResponseType optional | **Type** String **Description** Response type for OpenIdConnect. - `Code` - `CodeIdToken` - `CodeIdTokenToken` - `CodeToken` - `IdToken` - `IdTokenToken` - `None` - `Token` [See examples in the OpenId documentation](https://openid.net/specs/openid-connect-core-1_0.html#see-examples-in-the-openid-documentation). 
| + +#### Example + +This example configures an _OpenId Connect_ authority located at +[https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69](https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69). + +This authentication provider is identified within the `appsettings.json`_OpenId Connect_ providers +list as _OpenId1_. + +Within Usercube, it will be identified with the authentication scheme _AzureOIDC_. + +It will be displayed as _Connection Microsoft Entra ID with OIDC protocol_ in the UI external login +prompt. + + ``` + +\{ "Authentication": \{ ... "OpenId": \{ "Enabled": "True", "OpenId1": \{ "AuthenticationScheme": +"AzureOIDC", "DisplayName": "Connection Microsoft Entra ID with OIDC protocol", "ClientId": +"6779ef20e75817b79602", "ClientSecret": +"5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0 ", "Authority": +"https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69", "NameClaimType": +"preferred_username", "Scopes": ["openid", "profile"] \} \} \} \} + +```` + + +## Set Up an OAuth Provider + +One or several __OAuth__ authentication providers can be set up under the ```authentication > OAuth``` section. + +### Overview + +#### Multiple providers + +One or several __OAuth__ authentication providers can be set up. + +#### Registration process + +Using an __OAuth__ authentication requires _Usercube Server_ to be registered to the provider. A _ClientID_ and a _ClientSecret_ are issued as a result of the registration process. They both allow Usercube to identify itself to the authentication provider. + +#### Callback URL + +The target __OAuth__ provider needs to be aware of the URI where to send the authentication token if the authentication succeeds. Depending on the provider, it is called a __callback URL__, a __callback path__, an __authorization callback URL__, or a __redirect URI__. + +During the registration process, the provider will ask for the URL. 
+ +Usercube's __callback URL__ for __OAuth__ is ```/``` where `````` is the address of your Usercube Server such as ```https://identitymanager.contoso.com``` and `````` can be set up to any value chosen by the user using the __CallbackPath__ configuration attribute. The only constraint is to make sure the __CallbackPath__ value in Usercube's configuration is the same as in the __OAuth__ provider registration screen for Usercube. + +### Configuration + +First, the OAuth method must be enabled under the ```authentication > OAuth``` section. + +| Name | Details | +| --- | --- | +| Enabled required | __Type__ Boolean __Description__ Enables or disables the OAuth connection. | + +Then, users must create a new section per __OAuth__ provider. Users are free to choose any section name. Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Details | +| --- | --- | +| AuthenticationScheme required | Is the unique identifier of this authentication method within Usercube. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | Is the Client ID issued to Usercube during the registration process. | +| ClientSecret required | Is the Client Secret issued to Usercube during the registration process. | +| ClaimsIssuer required | Is a unique identifier that will mark claims issued by this __OAuth__ provider for Usercube. This mark is used for debugging, monitoring, or security purposes in situations where multiple __OAuth__ providers are involved. It's still useful if only one provider is used. Any string value can be used. Convention dictates that it is a URL shaped value such as ```https://accounts.google.com```. | +| AuthorizationEndpoint required | Is the provider's Authorization Endpoint URI. 
This is where the end-user's browser is redirected to start the authentication process. Usually ends with ```/auth``` or ```/authorize```. This information must be retrieved from the provider's portal. | +| _TokenEndpoint_ required | Is the provider's Token Endpoint URI. This is where the client sends token requests, using an authorization code obtained during the authentication process. This information must be retrieved from the provider's portal. | +| CallbackPath required | Sets the callback path where the client is redirected after a successful authentication. Any string value can be used as long as it is reported to the provider during the [registration process](#registration-process). | +| SaveTokens default value: false | __Type__ Boolean __Description__ Only for Okta providers. Set to `true if authentication uses an Okta provider. For more information about Okta configuration, see [Okta](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md). | +| Scope optional | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). | + +##### Example + +The following example configures an __OAuth__-based authentication provider identified as _OAuthContoso_Washington_ in the configuration file. + +It will be displayed as _Contoso OAuth Washington_ in the UI external login prompt, and uniquely identified within Usercube by the authentication scheme _contoso_0987_. + +_Usercube Server_ marks received claims using _[https://accounts.google.com](https://accounts.google.com)_ as a claim issuer identifier. + +```/signin-oauth``` has been chosen as __CallbackPath__ and set up as such in the OAuth provider's portal during Usercube's registration. + + ``` + +\{ + "Authentication": + \{ + ... 
+ "OAuth": \{ + "Enabled": "True", + "OAuthContoso_Washington": \{ + "AuthenticationScheme": "AzureOAuth", + "DisplayName": "Connection Microsoft Entra ID with OAuth protocol", + "ClientId": "6779ef20e75817b79602", + "ClientSecret": "5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0 ", + "ClaimsIssuer": "https://accounts.google.com", + "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth", + "TokenEndpoint": "https://oauth2.googleapis.com/token", + "CallbackPath": "/signin-oauth", + "Scopes": ["openid", "profile"] + \} + \} + \} +\} + +```` + +## Set Up a WS-Federation Provider + +One or several **WS-Federation** authentication providers can be set up under the +`authentication > WsFederation` subsection. Examples of **WS-Federation** providers include _Active +Directory Federation Services (ADFS)_ and _Microsoft Entra ID (AAD)_. + +### Overview + +#### Multiple providers + +One or several **WS-Federation** authentication providers can be set up. + +#### Registration process + +Using a **WS-Federation** authentication requires _Usercube Server_ to be registered to the +provider. A **Wtrealm** value is set up during the registration process. The value can be generated +by the provider, or set manually as a URL-shaped string value. This allows Usercube to identify +itself to the authentication provider. Here are two examples of registration process: + +- with an + [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services) + provider +- with an + [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) + provider + +#### Callback URL + +The target **WS-Federation** provider needs to be aware of the URI where to send the authentication +token if the authentication succeeds. 
Depending on the provider, it is called a **callback URL**, a +**callback path**, an **authorization callback URL**, or a **redirect URI**. + +During the registration process, the provider will ask for the URL. + +Usercube's **callback URL** for **WS-Federation** is `/signin-wsfed` where +`` is the address of your _Usercube Server_ such as +`https://identitymanager.contoso.com`. + +#### Encryption algorithm + +The nature of the encryption algorithm used for exchanging the sign-in key with the provider is +automatically negotiated between _Usercube Server_ and the authentication server. The most secure +algorithm that both systems support is chosen. + +### Configuration + +First, the **WS-Federation** must be enabled under the `authentication > WsFederation` section: + +| Name | Details | +| ---------------- | ------------------------------------------------------------------------------------------ | +| Enabled required | **Type** Boolean **Description** Enables or disables the **WS-Federation** authentication. | + +Then, users must create a new subsection per **WS-Federation** provider. They are free to choose any +section name. Its sole purpose is for users to find the authentication method in the configuration +files. 
+ +Each section is configured with the following settings: + +| Name | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MetadataAddress required | Identifies, for Usercube, the target **WS-Federation** server's metadata. This information is to be retrieved from the app registration process or directly from the **WS-Federation** provider. The value commonly ends with the path `/FederationMetadata/2007-06/FederationMetadata.xml`. 
- For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is `https:///federationmetadata/2007-06/federationmetadata.xml` with `` the name of your ADFS server such `portal.contoso.com`. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), it is also known as **Federation Metadata Document**. It is available in Usercube's registered app _blade_, in the _endpoint_ panel, _Federation Metadata Document_ value. It looks like `https://bbd35166-7c13-49f3-8041-9551f2847b69/FederationMetadata/2007-06/FederationMetadata.xml` with `bbd35166-7c13-49f3-8041-9551f2847b69` Microsoft Entra ID tenant id. | +| Wtrealm required | Identifies the Usercube app within the **WS-Federation** provider. This information is available directly at the authentication provider's portal. It is chosen during the registration process. - For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is the value set as the `relying party WS-Federation Passive protocol URL` parameter during the [registration](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#registration) of Usercube to the ADFS server. It usually looks like an URL such as `https://portal.contoso.com`. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), this is the **Application ID URI**. It is available from _Usercube's registered app blade_ > _Expose an API_ > _APP ID URI_. 
It has been either chosen by the user or generated by the [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) provider during the _Expose an API > set > save_ step of the registration. Generated values look like `api://bbd35166-7c13-49f3-8041-9551f2847b69`. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| AuthenticationScheme required | Is the unique identifier of this authentication method within Usercube. Any string value can be used, unique among all authentication methods. | + +#### Example + +This example configures a **WS-Federation**-based authentication provider identified as +_WsFederationContoso_LA_ in the configuration file. + +Within Usercube, it will be identified with the authentication scheme _WsFederationAAD_. + +It will be displayed as _Connection Microsoft Entra ID with WS-Federation protocol_ in the UI +external login prompt. + + ``` + +\{ "Authentication": \{ ... "WsFederation": \{ "Enabled": "True", "WsFederationContoso_LA": \{ +"AuthenticationScheme": "WsFederationAAD", "DisplayName": "Connection Microsoft Entra ID with +WS-Federation protocol", "MetadataAddress": +"https://bbd35166-7c13-49f3-8041-9551f2847b69/FederationMetadata/2007-06/FederationMetadata.xml", +"Wtrealm": "api://bbd35166-7c13-49f3-8041-9551f2847b69" \} \} \} \} + +```` + + +## Set Up SAML2 Authentication + +One or several __SAML2__ authentication providers can be set up under the ```authentication > SAML2``` section. + +Usercube does not provide a signature for SAML2 authentication. + +### __Overview__ + +#### Multiple providers + +One or several __SAML2__ authentication providers can be set up. + +#### Registration process + +Using a __SAML2__ authentication requires _Usercube Server_ to be registered to the provider. 
An __Entity ID URI__ value is set up for Usercube during the registration process. It is used as the prefix for scopes and as the value of the audience claim in access tokens. The value can be generated by the provider, or set manually as a URL-shaped string value. This allows Usercube to identify itself to the authentication provider. + +#### Reply URL + +The target __SAML2__ provider needs to be aware of the URI where to send the authentication token if the authentication succeeds. This URI is called __Reply URL__ or __Assertion Consumer Service (ACS) URL__. + +During the registration process, the provider will ask for the URL. + +Usercube's __Reply URL__ for __SAML2__ is ```/Saml2/Acs``` where `````` is the address of your _Usercube Server_ such as ```https://identitymanager.contoso.com```. + +Make sure to enter this exact URL which is treated case sensitively. + +### __Configuration__ + +First, the __SAML2__ method must be enabled under the ```authentication > SAML2``` section. + +| Name | Details | +| --- | --- | +| Enabled required | __Type__ Boolean __Description__ Enables or disables SAML2 Authentication. | + +Then, users must create a new subsection per __SAML2__ provider. Users are free to choose any section name. Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Details | +| --- | --- | +| MetaDataLocation required | Identifies, for Usercube, the target __SAML2__ server's metadata. This information is to be retrieved from the app registration process or directly from the __SAML2__ provider. The value commonly ends with the path ```/FederationMetadata/2007-06/FederationMetadata.xml```. | +| IdentityProviderEntityID required | Is the __Identity Provider__ Issuer (also known as provider __Entity ID__) that identifies the provider to Usercube. This information is to be retrieved from the provider's portal. 
For _Microsoft Entra ID_, it is the first line of metadata file. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| EntityIdAppliUriID required | Is Usercube's __Entity ID__ issued during the registration process. Also referred to as an __Identifier URI__. For _Microsoft Entra ID_, it is set during the _Expose an API > set > save_ step of the registration. Generated values look like ```api://bbd35166-7c13-49f3-8041-9551f2847b69```. | +| NameIdFormat optional | Is the requested format of the subject's name identifier. | +| MinIncomingSigningAlgorithm optional | Is minimal signing algorithm to validate SAML2 response. | +| EncryptionCertificate optional | __Type__ [EncryptionCertificate] __Description__ Sets the location of the public key certificate and the private key used to handle input and output files encryption. __Note:__ required to enable logout. | +> This example configures a SAML2-based authentication provider identified as _SAMLConnection_ in the configuration file. +> +> It will be displayed as _Connection Azure ActiveDirectory with SAML2 protocol_ in the UI external login prompt. +> +> ``` +> +> \{ +> "Authentication": +> \{ +> ... +> "SAML2": \{ +> "Enabled": true, +> "SAMLConnection": \{ +> "DisplayName": "Connection Microsoft Entra ID with SAML2 protocol", +> "EntityIdAppliUriID": "api://\{client-id\}", +> "MetaDataLocation": "https://login.microsoftonline.com/\{tenant-id\}/federationmetadata/2007-06/federationmetadata.xml", +> "IdentityProviderEntityID": "https://sts.windows.net/\{tenant-id\}/", +> "EncryptionCertificate": \{ +> ... 
+> \} +> \} +> \} +> \} +> \} +> +> ``` + +### EncryptionCertificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) or ```.pfx``` file) stored in the _Agent_'s host file system. The archive contains both the public key certificate and the private key. +- As a certificate from a Windows' [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains both the public key certificate and the private key. + + NETWRIX recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when ```File``` is specified then the PFX certificate is used, even if the options for Windows' certificate are specified too. + + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> +> \{ +> ... +> "EncryptionCertificate": \{ +> "File": "C:/identitymanagerAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> \} +> \} +> +> ``` + +The archive is set using the following attributes: + +| Name | Details | +| --- | --- | +| File required | __Type__ String __Description__ [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | __Type__ String __Description__ [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a ```.pfx``` file password in plain text in a production environment is strongly discouraged. 
It should always be encrypted using the [Usercube-Protect-CertificatePassword tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). + +The archive is set using the following attributes: + +| Name | Details | +| --- | --- | +| File required | __Type__ String __Description__ [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | __Type__ String __Description__ [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. __Info:__ storing a ```.pfx``` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [```Usercube-Protect-CertificatePassword.exe``` tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> +> \{ +> ... +> "EncryptionCertificate": \{ +> "DistinguishedName":"UsercubeContoso", +> "StoreLocation": "LocalMachine", +> "StoreName": "AuthRoot" +> \} +> \} +> +> ``` + +The Windows certificate is set using these attributes: + +| Name | Details | +| --- | --- | +| DistinguishedName optional | __Type__ String __Description__ _SubjectDistinguishedName_ of the store certificate. __Note:__ required when ```Thumbprint``` is not specified. | +| Thumbprint optional | __Type__ String __Description__ _Thumbprint_ of the store certificate. __Note:__ required when ```DistinguishedName``` is not specified. | +| StoreLocation required | __Type__ String __Description__ Location of the relevant Windows certificate store: ```LocalMachine``` or ```CurrentUser```. | +| StoreName required | __Type__ String __Description__ Name of the relevant Windows certificate store. 
| + +#### Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the [Vault connection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md). + + ``` + +"EncryptionCertificate": \{ + "CertificateAzureKeyVault": "``" +\} + +```` + +## Set Up Internal Methods + +When _Internal Methods_ is enabled, the end-user is prompted via a _form_ to input a login and a +password. The login to be used is defined within the +[applicative configuration's SelectUserByIdentityQueryHandlerSetting element](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md#applicative-configurations-selectuserbyidentityqueryhandlersetting-element). + +First, the `AllowLocalLogin` parameter needs to be set to `true` in the `Authentication` section. + +```json +"Authentication": { + "AllowLocalLogin":true +} +``` + +Then, _Active Directory User Store_ or _Test User Store_ can be enabled. + +### Active Directory User Store + +The Active Directory User Store allows users to authenticate with a login and password that will be +compared against the Active Directory content. + +Several forests can be set up as identity providers for authentication. This allows, for example, +the authentication of users that belong to different Active Directory forests. + +It is configured under the `Authentication > ActiveDirectoryUserStore` section. + +First, the `ActiveDirectoryUserStore` must be enabled. + + ``` + +"Authentication":{ "AllowLocalLogin":true, "ActiveDirectoryUserStore": { "Enabled": true ... } } + +```` + +| Name | Details | +| --- | --- | +| Enabled required | __Type__ Boolean __Description__ ```True``` to enable authentication via the Active Directory User Store. | + +In the same section, several authentication providers can be defined, each one based on an Active Directory forest. 
+ +For each forest, a new section is added under ```ActiveDirectoryUserStore```. Any name may be chosen for the forest section as long as it is unique. Two forest sections can't be identical though. + + ``` + +"ActiveDirectoryUserStore": { + "Enabled": true, + "Forest1": { + "AuthenticationScheme": "...", + "Server": "...", + ... + } +} + +```` + +Under the new forest section, the following parameters are used to configure the authentication +method. + +> The following example sets a single authentication method, based on the `Forest1` forest. The +> domain controller is located at `127.168.0.1`. If the user enters the login `MyLogin`, the +> resulting logon will be `CONTOSO\paris\MyLogin`. The `Postfix` won't be used as a `Prefix` is +> already provided. +> +> ``` +> +> "ActiveDirectoryUserStore": { "Enabled": true, "Forest1": { "AuthenticationScheme": +> "ADUserStore_Forest1", "Server": "127.168.0.1", "Domain": "CONTOSO", "Prefix": "paris", "Postfix": +> "usercube.contoso" } } +> +> ```` +> +> +> In the following example, if the user enters the login ```MyLogin```, the resulting logon will be ```MyLogin@usercube.contoso```. +> +> ``` +> +> "ActiveDirectoryUserStore": { +> "Enabled": true, +> "Forest1": { +> "AuthenticationScheme": "ADUserStore_Forest1", +> "Server": "127.168.0.1", +> "Postfix": "usercube.contoso" +> } +> } +> +> ```` +> +> The following example enables authentication via the Active Directory User Store, for the +> `Forest1` forest,by checking not only the password and account activation, but also whether the +> password is expired. +> +> ``` +> +> "ActiveDirectoryUserStore": { "Enabled": true, "Forest1": { "AuthenticationScheme": +> "ADUserStore_Forest1", "Server": "127.168.0.1", "Domain": "CONTOSO", "FastBind": false ... 
} } +> +> ``` +> +> ``` + +| Name | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | Unique identifier of this authentication method within Usercube. Any string value can be used, unique among all authentication methods. | +| Server required | Identification of the domain controller that runs the Active Directory Domain Service against which the authentication is performed. Based on [Microsoft's documentation](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection?view=dotnet-plat-ext-8.0), the format is defined either: - by a domain name - by an LDAP server name - or a dotted string representing the IP address of the LDAP server/Domain Controller (_example_: `98.20.33.2`). Optionally, this parameter may also include a port number, separated from the host by a colon (_example_: `98.20.33.2:4520`). | +| Domain optional | Identification of the Active Directory domain or sub-domain against which the authentication will be performed. It is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble `Domain\login`. The domain is used only if no postfix was provided. This parameter is ignored if the domain or the UPN suffix is already specified in the login. This is the case for a login that conforms to the format `domain\login` or `login@domain.com`. 
| +| FastBind default value: True | **Type** Boolean **Description** `True` to check a user's credentials by verifying only the password and account activation. | +| NoSigning default value: true | **Type** Boolean **Description** Enables or disables [Kerberos encryption](https://en.wikipedia.org/wiki/Kerberos_(protocol)). | +| Prefix optional | Is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble `Prefix\login`. The **Postfix** isn't used if the domain or the UPN suffix is already specified in the login. | +| Postfix optional | Is used to complete the user's login in a principal name fashion. The **Postfix** corresponds to the User Principal Name (UPN) suffix. The resulting logon will resemble `login@Postfix`. The **Postfix** isn't used if the domain or the UPN suffix is already specified in the login, or if the **Prefix** is already provided. | +| Ssl default value: false | **Type** Boolean **Description** Enables or disables SSL for network communication between Usercube and the Active Directory. | + +### Test User Store + +A _Test User Store_ can be set up under the `authentication > TestUserStore` section. It allows all +users to authenticate with their login and the same password. + +This should never be used in a production environment. + +The following parameters are available under the `authentication > TestUserStore` section: + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------- | +| Enabled required | **Type** Boolean **Description** Enables or disables the OpenId Connection. | +| Password required | Is the password for all users to authenticate Usercube. | + +#### Example + + ``` + +\{ "Authentication": \{ "AllowLocalLogin":true ... "TestUserStore": \{ "Enabled": true, "Password": +"secret" \} \} \} + +Here is an example using both `IdentityServer` and `Authentication` sections. + +appsettings.json \{ ... 
"IdentityServer": \{ "X509KeyFilePath": "./identitymanagerContoso.pfx", +"X509KeyFilePassword": "secret" \}, "Authentication": \{ "RequireHttpsMetadata": false, +"TestUserStore": \{ "Enabled": "true", "Password": "secret" \}, "AllowLocalLogin": true \} ... \} + +``` + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md new file mode 100644 index 0000000000..15fa40404d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md 
@@ -0,0 +1,283 @@ +# Application Settings + +This section describes the settings available in the server's `appsettings.json` file, located in +the server's working directory or in environment variables. + +JSON files can contain any additional information that you might find useful. See the example below. + +> For example, in order to store the agent's address, we can add: +> +> ``` +> +> appsettings.json +> +> "UsercubeAgent": { +> "Url": "http://localhost:1234" +> } +> +> ``` +> +> As Usercube does not know any object named `UsercubeAgent`, its content will be ignored, but it +> can still be used to store information for human use. + +The `appsettings` set allows the following attributes and sections: + +| Name | Details | +| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------- | +| ApplicationUri required | **Type** String **Description** URI of the server to use in log messages, to communicate with the server in tasks, to allow certain redirect URIs. **Note:** must be the same as the agent's `appsettings.json`'s `ApplicationUri`. **Example**`appsettings.json { � "ApplicationUri": "usercubeserver.contoso.com:5000" }` | +| EncryptionCertificate required | **Type** [EncryptionCertificate] **Description** Settings to configure the encryption of specific files. | +| License required | **Type** String **Description** License key of the server. **Example**`appsettings.json { � "License": "{"LicensedTo":"Demo","ValidTo":"20120905","IdentityQuota":"10000","Signature":"�"}" }` | +| Agents optional | **Type** Agent List **Description** List of [agents](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md)' settings used to work on several environments. **Info:** this way, each agent's URI/URL is configured without altering the database. **Example**`appsettings.json { � "Agents": { "Local": { "Uri": "http://localhost:5010" }, � } }` | +| AppDisplay optional | **Type** [AppDisplay](#appdisplay) **Description** Settings to override the [application display](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) XML configuration. **Info:** useful to change the application's theme and name without redeploying the whole configuration. | +| ApplicationInsights optional | **Type** [ApplicationInsights](#applicationinsights) **Description** Settings to plug to and configure the [AppInsights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| DataProtection optional | **Type** [DataProtection](#dataprotection) **Description** Settings to configure the encryption used for the authentication cookies and the anti-forgery tokens. 
**Info:** data protection can be configured to share the keys between several instances of Usercube's server, for example when deployed in a cluster where the servers do not have the same machine id. | +| InstallationDirectoryPath default value: Usercube-Server.exe | **Type** String **Description** Path of the installation directory. **Info:** used to read other configuration files. **Example**`appsettings.json { � "InstallationDirectoryPath": "C://identitymanagerContoso/Runtime" }` | +| MailSettings optional | **Type** [MailSettings](#mailsettings) **Description** Settings to configure the email service. | +| NotUseAgent default value: false | **Type** Boolean **Description** `True` to disable the use of the [agent](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md). **Example**`appsettings.json { � "NotUseAgent": true }` | +| OpenIdClients optional | **Type** OpenIdClient List **Description** List of hashed secrets used to override the plain-text secrets from the [OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) XML configuration. **Info:** this way, Usercube stores only hashed secrets, for security purposes. **Note:** each environment must have its own secret, distinct from the others. **Example**`appsettings.json { � "OpenIdClients": { "Job": { "HashedSecret": "K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols" }, "PowerBI": { "HashedSecret": "7b8N2NWka5alDrjM7rFqf7+xqq9LIcT5jSoQ+1Ci2V0" } } }` | +| PowerBISettings optional | **Type** [PowerBISettings](#powerbisettings) **Description** Settings to configure the API used by Power BI to access Usercube data. 
| +| Serilog optional | **Type** [Serilog](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) **Description** Settings to configure the logging service, complying to the [Logger](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) properties and structure. **Example**`appsettings.json { � "Serilog": { "WriteTo": [ "Console" ], "MinimumLevel": { "Default": "Error", "Override": { "Usercube": "Information" } } } }` | +| Swagger optional | **Type** [Swagger](#swagger) **Description** Enabling [Swagger](https://swagger.io/tools/swagger-ui/) enables visualizing and interacting with the API's resources without having any of the implementation logic in place. **Info:** it is automatically generated from Usercube's API, with the visual documentation making it easy for back-end implementation and client-side consumption. | +| TempFolderPath default value: ../Temp | **Type** String **Description** Path to the temporary folder which contains: - `ExportOutput`: directory storing data exported from connectors. - `JobLogs`: directory storing task instance logs. - `Reports`: directory storing generated reports. - `Packages`: directory storing the downloaded package logos. - `PolicySimulations`: directory storing the files generated by policy simulations. - `ProvisioningCache.txt`: file storing the clustered provisioning cache. **Note:** when enabled, this file can be used to coordinate the API cache among clusters. - `CorrelationCache.txt` - `RiskCache.txt` - `ExpressionCache.txt` - `scheduler.lock` - `connector.txt` - `container.reset.txt`: file acting as a reset command for Usercube's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. **Note:** this path can be overridden by **ResetSettings** > **FilepathResetService**. - `Mails`: directory storing the email messages. **Note:** this path can be overridden by **ResetSettings** > **PickupDirectory**. 
- `Deployment` **Note:** these elements can be removed, but make sure to restart the server after doing so. **Example**`appsettings.json { � "TempFolderPath": "../Temp" }` | +| WorkFolderPath default value: ../Work | **Type** String **Description** Path of the work folder which contains: - `Collect`: directory storing the CSV source files exported by connectors. - `ProvisioningOrders`: directory storing the orders generated by the server. - `FulfillPowerShell`: PowerShell provisioner's working directory. - `FulfillRobotFramework`: Robot Framework's provisioner working directory. - `ExportCookies`: directory storing the cookies used for incremental export. - `Synchronization`: directory storing the agent's data collection results. - `Upload`: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - `appsettings.connection.json` **Note:** these elements must not be removed, because doing so may disrupt Usercube's execution after restarting. **Example**`appsettings.json { � "WorkFolderPath": "../Work" }` | + +## Swagger + +| Name | Details | +| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled required | **Type** Boolean **Description** `True` to enable Swagger. **Example**`appsettings.json { � "Swagger": { "Enabled": false }, }` | + +## EncryptionCertificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _Agent_'s host file system. The archive contains both the public key + certificate and the private key. 
+- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. + + NETWRIX recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + `File` is specified then the PFX certificate is used, even if the options for Windows' + certificate are specified too. + + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> +> { +> ... +> "EncryptionCertificate": { +> "File": "C:/identitymanagerAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> } +> } +> +> ``` + +The archive is set using the following attributes: + +| Name | Details | +| ----------------- | ----------------------------------------------------------------------------------------------------------------------- | +| File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the +[Usercube-Protect-CertificatePassword tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). 
+ +The archive is set using the following attributes: + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Info:** storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [`Usercube-Protect-CertificatePassword.exe` tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md). | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> +> { +> ... +> "EncryptionCertificate": { +> "DistinguishedName":"UsercubeContoso", +> "StoreLocation": "LocalMachine", +> "StoreName": "AuthRoot" +> } +> } +> +> ``` + +The Windows certificate is set using these attributes: + +| Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | **Type** String **Description** _SubjectDistinguishedName_ of the store certificate. **Note:** required when `Thumbprint` is not specified. | +| Thumbprint optional | **Type** String **Description** _Thumbprint_ of the store certificate. **Note:** required when `DistinguishedName` is not specified. 
| +| StoreLocation required | **Type** String **Description** Location of the relevant Windows certificate store: `LocalMachine` or `CurrentUser`. | +| StoreName required | **Type** String **Description** Name of the relevant Windows certificate store. | + +#### Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +[Vault connection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md). + +``` + +"EncryptionCertificate": { + "CertificateAzureKeyVault": "" +} + +``` + +#### Disabling file encryption + +The encryption of specific files can be disabled via the following attribute: + +| Name | Details | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EncryptFile default value: true | **Type** Boolean **Description** `True` to encrypt specific files such as logs or temporary files. **Example**`appsettings.json { � EncryptionCertificate": { "EncryptFile": false } }` | + +## MailSettings + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... 
+> "MailSettings": { +> "FromAddress": "no-reply@acme.com", +> "PickupDirectory": "C:/identitymanagerDemo/Temp/Mails", +> "UseSpecifiedPickupDirectory": true, +> "UseDefaultCredentials": false, +> "SecureSocketOption": "StartTlsWhenAvailable" +> } +> } +> ``` + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress required | **Type** String **Description** Email address used as sender for Usercube's emails. | +| AllowedDomains optional | **Type** String **Description** List of allowed domains, separated by `;`. | +| CatchAllAddress optional | **Type** String **Description** Email address to be used as catchAll. | +| CatchAllCCAddress optional | **Type** String **Description** Email address to be used as CC catchAll. | +| Enabled default value: true | **Type** Boolean **Description** `True` to activate Usercube's email services. | +| EnableSsl default value: false | **Type** Boolean **`DEPRECATED`**: EnableSsl won't be supported in the future. 
Please specify a `SecureSocketOption` instead. To keep the same behavior as EnableSsl: `True`, use the setting `SecureSocketOption`: `StartTls`. **Description** `True` to encrypt communication with the SMTP server. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| SecureSocketOption default value: Auto | **Type** String **Description** Specifies the encryption strategy to connect to the SMTP server. _If set, this takes priority over `EnableSsl`_. `None`: No SSL or TLS encryption should be used. `Auto`: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. `SslOnConnect`: The connection should use SSL or TLS encryption immediately. `StartTls`: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. `StartTlsWhenAvailable`: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. **Note:** to be used only when `UseSpecifiedPickupDirectory` is set to `false`. | +| Host optional | **Type** String **Description** Name or IP address of the host used for SMTP transactions. **Note:** required when `UseSpecifiedPickupDirectory` is set to `false`. | +| Password optional | **Type** String **Description** Password to be used with the user name as credentials. | +| PickupDirectory optional | **Type** String **Description** Path of the folder where Usercube will save the email messages. **Note:** useful and required when `UseSpecifiedPickupDirectory` is set to `true`. | +| Port optional | **Type** String **Description** Port used for SMTP transactions. **Note:** required when `Host` is defined. 
| +| UseDefaultCredentials default value: false | **Type** Boolean **Description** `True` to use in requests the default credentials instead of those from `UserName` and `Password` here. | +| UserName optional | **Type** String **Description** User name to be used with the user name as credentials. | +| UseSpecifiedPickupDirectory default value: false | **Type** Boolean **Description** `True` to save email messages to the folder specified in `PickupDirectory` instead of sending them to their recipients through the host specified in `Host`. **Note:** required when `Host` is not defined. | + +## ApplicationInsights + +> For example: +> +> ``` +> +> appsettings.json +> +> { +> ... +> "ApplicationInsights": { +> "InstrumentationKey": "" +> } +> } +> ``` + +| Name | Details | +| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | **Type** String **Description** Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. [See Microsoft's documentation to create an instrumentation key](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource). | + +The logs sent to AppInsights are configured through the +[Logger properties](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md). 
+ +## PowerBISettings + +> For example: +> +> ``` +> appsettings.json +> +> { +> "PowerBISettings": { +> "PageSize": 500 +> } +> +> } +> ``` + +| Name | Details | +| ---------------------------- | ---------------------------------------------------------------------------------------- | +| PageSize default value: 1000 | **Type** Int32 **Description** Size of the page containing the data returned by the API. | + +## DataProtection + +> For example: +> +> ``` +> appsettings.json +> +> { +> "DataProtection": { +> "KeysPath": "/home/DataProtection", +> "X509KeyFilePath": "../identitymanager.pfx", +> "X509KeyFilePassword": "secret" +> }, +> } +> ``` + +| Name | Details | +| ---------------------------------------------- | --------------------------------------------------------------------------------------------- | +| KeysPath default value: ../Work/DataProtection | **Type** String **Description** Path of the location where the keys' descriptions are stored. | +| X509KeyFilePath optional | **Type** String **Description** Path of the custom certificate used to protect the keys. | +| X509KeyFilePassword optional | **Type** String **Description** Password of the custom certificate used to protect the keys. | + +## AppDisplay + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "AppDisplay": { +> "PrimaryColor": "#01CDE9", +> "SecondaryColor": "#EA6E1A", +> "BannerColor": "#EA6E1A", +> "BannerTextColor": "#ffffff", +> "ApplicationNamePrefix": "QA - ", +> "ApplicationName": "USERCUBE" +> }, +> ... +> } +> ``` + +| Name | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | +| ApplicationName optional | **Type** String **Description** Name of the application, visible on the application's tabs. | +| ApplicationNamePrefix optional | **Type** String **Description** Prefix to be displayed before the application name. 
| +| BannerColor optional | **Type** String **Description** HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerTextColor optional | **Type** String **Description** HEX code of the color for the banner's text. | +| PrimaryColor optional | **Type** String **Description** HEX code of the color for the highlighted buttons. | +| SecondaryColor optional | **Type** String **Description** HEX code of the color for the background of the authentication screen. | + +[See more details on application display settings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md new file mode 100644 index 0000000000..a471710e02 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md 
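Review bot: In general-purpose/index.md, the "As a PFX file" section carries the "The archive is set using the following attributes:" table twice, once followed by a separate plain-text-password warning and once with the same warning folded into the `Password` row; keep a single copy. In the Windows store example, `"StoreName": "AuthRoot"` points at the third-party root CA store, which is an odd home for a certificate that holds a private key; a personal store such as `My` would be a safer sample value. Smaller fixes in the same hunk: the `EncryptFile` example is missing the opening quote before `EncryptionCertificate"`, the `UserName` row says "to be used with the user name as credentials" where "with the password" is presumably meant, and the elision marker in the inline examples renders as `�`, which looks like an encoding problem.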
@@ -0,0 +1,62 @@ +# Server Configuration + +Usercube Server's technical configuration includes settings on end-user authentication, database +connection and some general-purpose settings. + +## Configuration Files + +The Server configuration is included in the Server's appsettings set. + +The appsettings set content can be written to appsettings.json in the Server's working directory or +to environment variables. See the +[ Architecture ](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md) +topic for additional information. + +The server appsettings supported attributes and sections are described in the following sections: + +- Database Connection +- End-User Authentication +- General-Purpose Settings + +See +the[ Connection to the Database ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md), +[ End-User Authentication ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +and +[ Application Settings ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topics for additional information. + +## Secret and Certificate Management + +All the certificates and secrets present in the settings can be loaded with an Azure Key Vault. + +See the +[ Azure Key Vault ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +## Default Configuration + +The default behavior of the server configuration is outlined through an example. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +{ +    "IdentityServer": { +        // Token signing certificate stored in a file +        "X509KeyFilePath": "<./identitymanagerContoso.pfx>", +        // Optional certificate password +        "X509KeyFilePassword": "" +    }, +    "Authentication": { +        "RequireHttpsMetadata": false, +        "TestUserStore": { +            "Enabled": "", +            "Password": "" +        }, +        "AllowLocalLogin": true +    } +} + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..083a7af3f8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md 
@@ -0,0 +1,61 @@ +# RSA Encryption + +Usercube provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Usercube's tools: + +- [`Usercube-Protect-X509JsonValue.exe`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [`Usercube-Protect-X509JsonFile.exe`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + to encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` file. Usercube +will read first the values from the encrypted appsettings file, before reading those from the usual +non-encrypted appsettings file. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings file and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings file without having to encrypt the whole file again. + +## Focus on the Encrypted Appsettings File + +The `appsettings.encrypted.json` file contains the `appsettings.json` file's sensitive setting +values which are protected by RSA encryption. + +This file follows the exact same structure as the +[server's configuration files](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/index.md). + +### Read the Encrypted File + +Usercube can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. + +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. 
+ +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./identitymanager.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md new file mode 100644 index 0000000000..bfca303080 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md 
@@ -0,0 +1,236 @@ +# Various XML Settings + +This section describes Usercube's +[Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) +available in the applicative configuration. Those are mandatory. + +## ConfigurationVersion + +This setting is used to track the current configuration version. + +``` + + + +``` + +- **Version** defines the configuration version. +- **Description** describes this version in detail. +- **Misc** misc. + +## AppDisplay + +This setting is used to customize the application display. + +``` + + + +``` + +- **PrimaryColor** defines the primary color. +- **SecondaryColor** defines the secondary color. +- **BannerColor** defines the banner (header displaying logo and navigation bar) color. +- **BannerTextColor** defines the banner text color. +- **ApplicationName** defines the application name. +- **LogoFile** defines the logo path. Concerning the logo, for an ideal result, the following ratio + should be used: 5:1. +- **LogoMimeType** defines the logo mime type. +- **FaviconFile** defines the favicon path. +- **FaviconMimeType** defines the favicon mime type. +- **FullNameSeparator** defines the full name separator (default value is `�`). +- **DisableProvisioningCounters** disables the counters related to the provisioning screens (**Role + Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and + **Manual Provisioning** - default value is `false`). + +## CustomLinks + +This setting enables the configuration of custom links that let the user navigate to a custom static +HTML page. Only two CustomLinkSetting can be configured. + +The example below defines two custom links accessible through the URLs +"_your-usercube-domain_/LegalNotice" and "_your-usercube-domain_/TermsOfService", each showing the +content of the corresponding HTML file depending on the currently selected language. 
+ +``` + + + +``` + +- **Url_**(required)_ defines the url address from which to access the custom page. +- **Path*L1***(required)_ defines the path (from the configuration root) to the HTML file to be + rendered depending on the currently selected language in the user interface (`Path_L1` to + `Path_L16` are available). Only `Path_L1` is required. While navigating to a custom link, if no + HTML path was defined for the current language, then `Path_L1` is taken as default. + +To be displayed correctly, images should be embedded in the HTML files as Base64 images using the +`src` attribute like this : ``. You can easily +convert your images using this [Base64 Image Encoder](https://elmah.io/tools/base64-image-encoder/). + +To navigate to the custom links from the user interface, NETWRIX recommends configuring a `MenuItem` +with a `URI` value matching the custom link `URL`. The following example defines two menu items, +accessible from the user account tab in the top right corner of the interface, that allows the user +to navigate to the defined URI addresses. + +``` + + + +``` + +![CustomLinksUserMenu.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp) + +## DashboardItemNumber + +Some sections on the dashboard contain multiple links. These links are quick links with counters to +the review page filtered by entity type. The links are sorted by entity type priority. + +![DashboardItemNumber.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp) + +By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is +displayed with the concatenation of remaining counters. + +This setting is used to customize the number of links to displayed on each section. + +The max number of links to display is 5. 
+ +``` + + + +``` + +- **RoleReviewSection** defines the number of links to display in the "Role Review" section. +- **ProvisioningReviewSection** defines the number of links to display in the "Provisioning Review" + section. +- **RoleReconciliationSection** defines the number of links to display in the "Role Reconciliation" + section. +- **ResourceReconciliationSection** defines the number of links to display in the "Resource + Reconciliation" section. +- **ManualProvisioningSection** defines the number of links to display in the "Manual Provisioning" + section. +- **MyTasksSection** defines the number of links to display in the "My Tasks" section. + +## SelectUserByIdentityQueryHandler + +_This attribute matches an end-user with a resource from the unified resource repository._ + +Authorization mechanisms within Usercube rely on assigning a +[profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +to an identity-resource that stands for the end-user digital identity. + +To that end, and end-user authentication credentials are linked to such an identity-resource using +the following pattern: + +1. Authentication credentials are retrieved; +2. Authentication credentials are trimmed using the **AfterToken** and/or **BeforeToken** + attributes; +3. The trimmed result is matched against the **ResourceIdentityProperty** of resources with an + EntityType **OwnerEntityType**; +4. The matching resource found is used to find a profile and authorization for that digital + identity. + +**Attributes** + +- **ResourceIdentityProperty** is the identity-resource property supposed to match the + authentication login used by the end-user. +- **OwnerEntityType** is the entity type of the resources used to store digital identities within + Usercube. +- **BeforeToken_**(optional)_ defines the first character used to trim the authentication login. 
+- **AfterToken_**(optional)_ defines the second character used to trim the authentication login. + + The trimmed result is the content of the authentication login between _AfterToken_ and + _BeforeToken_. If _BeforeToken_ is empty, trimmed result is everything after _AfterToken_. If + _AfterToken_ is empty, trimmed result is everything before _BeforeToken_. + +- **ResourceDisplayNameProperty** is the property used for displaying login data at the top right of + the application. +- **OwnerPhotoTagProperty** defines the photo property for Usercube users. + +**Example** + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[Integrated Windows Authentication](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). +In that case, the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Usercube. + +``` + + + +``` + +## SelectPersonasByFilterQueryHander + +This setting is used to filter the entity type used by authentication mechanism. + +``` + + + +``` + +- **ResourceDisplayNameProperty** represents the display property. +- **OwnerPhotoTagProperty** defines the photo tag property. +- **PersonTypeFilterProperty** defines the filter property. +- **PersonTypeFilter** defines the filter value. +- **MailProperty** defines the mail property. + +## SelectAllPerformedByAssociationQueryHandler + +This setting enables task delegation to a group of people. 
+ +``` + + + +``` + +- **RootEntityType** indicates the entity type on which the delegation is applied. +- **Binding** defines the binding used to get the list of identities to delegate to. + +_NB: In order for delegation to work, users that are part of the delegate group must have at least +one assigned profile_ + +## Scheduling CleanDataBase + +If the default value for the Task CleanDataBase needs to be overridden, define this setting: + +``` + + + +``` + +- `Timeout`: Defines the maximum time a Job or Task can wait after the last run. +- `CronTabExpression`: Define the cron to launch the CleanDatabase Job. + +#### 7. Password Generation Setting + +It is possible to override some aspects of the password generation (used in password reset features) +using the following setting: + +``` + + + +``` + +- `AllowedSymbolChars`: A string containing the list of symbol chars to be used in the generated + password. The default value is : `!;.,?()[]-_&%$+{}@` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md new file mode 100644 index 0000000000..26d1e2562b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md 
@@ -0,0 +1,18 @@ +# appsettings.connection + +## Define configuration through UI + +On some configuration screens, such as the connector screen, it is possible to define some of the +[agent's configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). +This configuration is stored in the **appsettings.connection.json** file, located inside the +[work folder](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md). + +The **appsettings.connection.json** file has the exact same structure as the other +**[appsettings.agent.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)** +file. + +This configuration file has the highest priority among others agent's configuration sources (see +[Merge Priority](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/index.md#merge-priority)) +. + +You should not modify this file manually. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/index.md new file mode 100644 index 0000000000..8f157074b3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/index.md @@ -0,0 +1,6 @@ +# Technical Files + +This section gathers information relative to the technical files that Usercube could use or generate +in its lifecycle. + +- #### [appsettings.connection](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) 
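Review bot: in the settings hunk that ends just before the `appsettings.connection` file header, the four-step pattern under SelectUserByIdentityQueryHandler never says what happens when the trimmed login matches no resource or several resources. The example drops the domain part of `DOMAIN/userName` and compares only `userName` with `AD_Entry:sAMAccountName`, so logins from different domains that share a user name yield the same trimmed value. The text should require **ResourceIdentityProperty** to be unique across the **OwnerEntityType** resources and state the behaviour on zero or multiple matches. In the attribute list, **BeforeToken** and **AfterToken** are described as the "first character" and "second character", which is hard to reconcile with the paragraph saying the result is the text between _AfterToken_ and _BeforeToken_; describe each one as the delimiter it is. The heading `SelectPersonasByFilterQueryHander` in the same hunk looks like a misspelling of "Handler" and should be checked against the real element name.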
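Review bot: the last two paragraphs of appsettings.connection/index.md state that this file has the highest priority among the agent's configuration sources and that it should not be modified manually, but give neither a reason nor an alternative. Since its values override those of appsettings.agent.json, add a sentence saying that changes belong in the configuration screens named in the first paragraph, and that write access to the work folder should be restricted accordingly. The `.` left on its own line after the Merge Priority link should be joined to its sentence, and "among others agent's configuration sources" should read "among the agent's other configuration sources".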
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/custom/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/custom/index.md new file mode 100644 index 0000000000..3becb74bda --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/custom/index.md @@ -0,0 +1,30 @@ +# Custom Notifications + +Custom notifications can be configured for specific needs, to be triggered by a workflow, or +periodically via a task. + +## Workflow-Triggered Notifications + +A notification can be configured to be sent to one or several users right after the execution of a +given activity in a +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +> For example, when a user is created in Usercube through a workflow, a notification can be sent to +> the user's manager. A notification can also be sent when someone must process an action for a +> workflow to continue. + +The configuration is made through the XML tag +[`NotificationAspect`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md). + +## Periodic Notifications + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the +[`SendNotificationsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) +as part of a job. + +> For example, a notification can be sent automatically to remind a manager that someone arrives in +> their team a month before the arrival, and again a week before. + +The configuration is made through the XML tag +[`Notification`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md). 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md new file mode 100644 index 0000000000..c5f8185e22 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md 
@@ -0,0 +1,44 @@ +# Customize a Native Notification + +This guide shows how to set a template other than the default one for native notifications. + +## Overview + +Usercube natively sends notifications for usual cases. +[See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md). + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +templates. + +## Customize a Native Notification + +Customize a native notification by proceeding as follows: + +1. Among the + [list of all native notifications](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md), + get the identifier of the notification whose templates are to be replaced. + + > For example, to customize the notification for one-way password reset: `OneWayPasswordReset`. + +2. In `Runtime/NotificationTemplates`, copy to the configuration folder the cshtml template(s) + associated to the notification that need to be overridden. + + > For example, we can copy the template for the email's body but keep the provided template for + > the subject. Then we have: `Conf/Templates/MyOneWayPasswordReset.cshtml`. + > + > Let's say that we also need to customize the email's subject in French which is the language + > 2: `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml` + +3. Customize the template(s) previously copied to the configuration folder. +4. Configure an XML element + [`NotificationTemplate`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) + with the identifier collected at step 1, and the relative path(s) to the customized template(s). + + > For example: + > + > ``` + > + > + > + > ``` 
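Review bot: step 2 of customize-native-notification/index.md introduces two file naming conventions without explaining either: the body template is copied as `Conf/Templates/MyOneWayPasswordReset.cshtml` with no language suffix, while the French subject is `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml`, described only as "the language 2". State how a template file is tied to a language and which template is used when no language-specific file exists, so that an integrator does not ship a password-reset email whose body and subject fall back differently. The opening of step 2 ("In `Runtime/NotificationTemplates`, copy to the configuration folder") would read more clearly as "Copy from `Runtime/NotificationTemplates` to the configuration folder".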
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/index.md new file mode 100644 index 0000000000..eb2898f0a9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/index.md @@ -0,0 +1,8 @@ +# How-Tos + +These guides will help you set up notifications with practical step-by-step procedures. + +- #### [Customize a Native Notification](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md) + Set a template other than the default one for native notifications.- #### + [Set Notifications' Languages](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/set-language/index.md) + Set the language for all notifications. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/set-language/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/set-language/index.md new file mode 100644 index 0000000000..0e9fa192cc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/set-language/index.md 
@@ -0,0 +1,48 @@ +# Set Notifications' Languages + +This guide shows how to set the language for all notifications. + +## Overview + +Usercube sends all kinds of notification emails whose language is by default the language specified +in the configuration as the first language. + +The language can also be configured explicitly with a language code. If this language code is not +defined, then notifications use the first language. + +## Set the First Language + +Set the first language for the whole application by proceeding as follows: + +1. In the XML configuration, create a `Language` with `IndicatorNumber` set to `1`. + [See more details on `Language`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md). + + > For example, to set English as the first language: + > + > ``` + > + > + > + > ``` + +2. Deploy the configuration and relaunch the server. + +## Set the Language Explicitly + +Set the language explicitly for server-side-task notifications by proceeding as follows: + +1. In the XML configuration, configure `MailSetting` with a `LanguageCode`. + [See more details on `MailSetting`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md). + + > For example, to set the language to English: + > + > ``` + > + > + > + > ``` + + When `LanguageCode` is not defined, then the language of notifications will be the first + language, i.e. the one specified with `Indicator` set to `1`. + +2. Deploy the configuration and relaunch the server. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/index.md new file mode 100644 index 0000000000..b88da6ca66 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/index.md 
@@ -0,0 +1,11 @@ +# Notifications + +Usercube is able to send notification emails when an action is expected, or a job ends with an +error. + +Usercube provides +[native notifications](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md) +for usual cases, for example provisioning review, resource reconciliation, and role reconciliation. + +[Custom notifications](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/custom/index.md) +can be configured for specific needs, to be triggered by a workflow, or periodically via a task. diff --git a/docs/usercube/6.1/usercube/integration-guide/notifications/native/access-certification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/access-certification/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/notifications/native/access-certification/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/access-certification/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/errored-jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/errored-jobs/index.md new file mode 100644 index 0000000000..8c4768d112 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/errored-jobs/index.md @@ -0,0 +1,10 @@ +# Jobs with Errors + +Usercube is able to send notification emails when a job ends with an error. The notification email +is sent to the user who has the necessary rights and the permission. + +See the +[ Native Notifications ](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md) +and +[ Profiles & Permissions ](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/index.md) +topics for additional information. 
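Review bot: the attribute name is inconsistent inside set-language/index.md: step 1 of "Set the First Language" says to create a `Language` with `IndicatorNumber` set to `1`, while the closing paragraph of "Set the Language Explicitly" refers to `Indicator` set to `1`. Use the one name the `Language` element accepts in both places. The overview says the fallback applies when the language code "is not defined"; it should also say whether an unknown or misspelled `LanguageCode` falls back to the first language in the same way.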
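Review bot: "the user who has the necessary rights and the permission" in errored-jobs/index.md does not say which permission enables the notification. Name the permission path, or link straight to its entry in the permissions reference, and repeat the point made on the native notifications page that the full permission path is required. Without it an integrator cannot tell who receives job failure emails.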
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md new file mode 100644 index 0000000000..5982e11077 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md 
@@ -0,0 +1,40 @@ +# Native Notifications + +Usercube provides native notifications for usual cases, for example role review, provisioning +review, access certification, manual provisioning, etc. + +## Overview + +Usercube natively sends notifications for: + +- password reset to the users whose passwords are reset; +- access certification to the users selected as reviewers; +- [manual provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md) + , provisioning review and role review to the users who own a profile with the permissions to + perform the corresponding actions; +- jobs that finished in state completed/errored/aborted/blocked/warning to the users who own a + profile with the corresponding permissions. + +**Concerning the notifications sent via permissions:** + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. +[See the list of all permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md). + +Each permission can be configured in an +[access control entry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that the corresponding notification is disabled. + +All notifications are built based on cshtml templates. The templates for native notifications can be +found in `/Runtime/NotificationTemplates`. 
+ +The templates for native notifications can be adjusted to specific needs through the XML tag +[`NotificationTemplate`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md). + +[See how to customize native notifications](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md new file mode 100644 index 0000000000..2e3ff68132 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md 
@@ -0,0 +1,30 @@ +# Manual Provisioning + +Usercube natively sends notifications concerning manual provisioning. + +## Overview + +### Notification Trigger + +The notifications are sent after a `FulfillTask` with a connection based on the +[`Ticket/identitymanager`](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) +package. + +### Notification Recipients + +The notifications are sent to the users who own a profile with the following permission: +`/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}` where +`{entityType_identifier}` is the source entity type. + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. + +The permission can be configured in an +[access control entry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that notifications are disabled. diff --git a/docs/usercube/6.1/usercube/integration-guide/notifications/native/password-reset/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/password-reset/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/notifications/native/password-reset/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/password-reset/index.md 
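Review bot: in manual-provisioning/index.md the permission path differs between the first paragraph of "Notification Recipients" and its example: the paragraph gives `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}`, while the example uses `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` without the `/Custom` prefix. Align the two so that a reader copying either one grants the intended right. The last sentence should name the access control entry setting that disables the notification, since the text only says the permission "can be configured".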
diff --git a/docs/usercube/6.1/usercube/integration-guide/notifications/native/provisioning-review/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/provisioning-review/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/notifications/native/provisioning-review/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/provisioning-review/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/notifications/native/role-review/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/role-review/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/notifications/native/role-review/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/role-review/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md new file mode 100644 index 0000000000..b77283cb33 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md 
@@ -0,0 +1,59 @@ +# Create and Assign Profiles + +This guide shows how to create in the XML configuration profiles and the appropriate rules to assign +these profiles automatically. + +## Create a Profile + +Here is the xml configuration to create a profile in Usercube. See the +[ Profile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Automatically Assign Profiles + +To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and +ProfileRule. See the +[AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[ProfileRuleContext](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +## Configure the Usercube-Set-InternalUserProfiles Task + +The Usercube-Set-InternalUserProfiles task is mandatory to automatically assign the profile. The +task can be selected from the Job provisioning list. See the +[ SetInternalUserProfilesTask ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +           +``` + +Here the TaskEntityType is the reference to connect to Usercube and the ResourceType is the same as +in the ProfileRuleContext. 
Once this configuration is done you can add the task in the job which +provisions the Connector AD. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +                     +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/index.md new file mode 100644 index 0000000000..847adca8a1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/index.md @@ -0,0 +1,9 @@ +# How-Tos + +These guides will help you set up profiles and permissions with practical step-by-step procedures. + +- #### [Create and Assign Profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md) + Create in the XML configuration profiles and the appropriate rules to assign these profiles + automatically.- #### + [Restrict Users' Rights](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md) + Define rules to limit users' access rights. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md new file mode 100644 index 0000000000..cff1917a16 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md 
@@ -0,0 +1,136 @@ +# Restrict Users' Rights + +This guide shows how to define rules to limit users' access rights, which is possible via several +elements. + +## Overview + +Each UI element can be accessed only by the users who have a profile with the appropriate access +rights. + +All of this page's examples are based on the following access rights to view the `Directory_User` +entity type: + +``` + + + +``` + +## Assign a Profile Based on Users' Dimensions + +Assign a profile based on users' dimensions by proceeding as follows: + +1. Create the appropriate dimensions. + + > The following example states two user criteria as dimensions: users' organizations and titles: + > + > ``` + > + > + > + > ``` + + [See more details on dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md). + +2. Write profile rules and profile rule contexts to make the previously created dimensions act as + filters in rules meant to assign profiles to users. + + > The following examples creates a rule assigning the `Manager` profile to specific users based + > on their organizations and titles, now that they both exist as dimensions: + > + > ``` + > + > + > + > ``` + + The profile rule context must use a + [`SubBinding`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) + to define the entity type that contains the dimension information. + + [See more details on profile rule contexts](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md). + +## Limit an Entity's Visibility + +Limit an entity's visibility by proceeding as follows: + +1. Create at least one property group to gather a set of entity properties together. 
+ + > For example: + > + > ``` + > + > + > + > ``` + + [See more details on property groups](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md). + +2. Create an access control entity type to list all the properties whose visibility must be + restricted, and link them to a visibility group. + + > For example: + > + > ``` + > + > + > + > ``` + + As a result, all the properties listed in the access control entity type are hidden from users + by default when they have the usual permissions written above. + + To be able to see these properties, a user must have these permissions with a full access. + + > For example to give access to all properties: + > + > ``` + > + > + > + > ``` + > + > And to give access only to a property group: + > + > ``` + > + > + > + > ``` + + When there is not any profile with a full access, then the visibility restriction is lifted and + all users can access the properties. + + See more details on access control entity types. + +## Limit a Profile's Permissions + +Limit a profile's permissions by using filters in the access control rule that give permissions to +the profile. + +> For example to limit permissions based on a hardcoded value: +> +> ``` +> +> +> +> +> +> +> +> ``` +> +> And based on a dimension: +> +> ``` +> +> +> +> +> +> +> +> ``` + +[See more details on access control filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). diff --git a/docs/usercube/6.1/usercube/integration-guide/profiles-permissions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/profiles-permissions/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/index.md 
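Review bot: in "Limit an Entity's Visibility" of rightsrestriction/index.md, the sentence "When there is not any profile with a full access, then the visibility restriction is lifted and all users can access the properties" describes a fail-open default that is easy to miss in the middle of step 2. Move it into a highlighted warning and spell out the consequence: if the last profile holding full access is removed or changed, every property listed in the access control entity type becomes visible to all users. "See more details on access control entity types." carries no link, unlike the other "See more details" lines in this file. In step 2 of the dimensions section, "The following examples creates" should be "The following example creates".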
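Review bot: in create-assign-profiles/index.md the sentence "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line" appears four times, yet every section describes XML configuration and no command is shown. Reword it to refer to the XML configuration and state it once. Also check the fenced samples: as rendered here they contain only whitespace, so the `<>` placeholders the sentence refers to are not visible. The closing paragraph should explain what "the reference to connect to Usercube" means for TaskEntityType.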
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md new file mode 100644 index 0000000000..9839e6b79b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md 
@@ -0,0 +1,1973 @@ +# References: Permissions + +### /AccessCertification/AccessCertificationCampaign/Create + +Permission to create objects of type AccessCertificationCampaign + +### /AccessCertification/AccessCertificationCampaign/Delete + +Permission to delete objects of type AccessCertificationCampaign + +### /AccessCertification/AccessCertificationCampaign/Process + +Permission to process AccessCertificationCampaign decisions + +### /AccessCertification/AccessCertificationCampaign/Query + +Permission to query and read objects of type AccessCertificationCampaign + +### /AccessCertification/AccessCertificationCampaign/Update + +Permission to update objects of type AccessCertificationCampaign + +### /AccessCertification/AccessCertificationCampaignPolicy/Query + +Permission to query and read objects of type AccessCertificationCampaignPolicy + +### /AccessControl/AccessControlEntry/Create + +Permission to create objects of type AccessControlEntry + +### /AccessControl/AccessControlEntry/Delete + +Permission to delete objects of type AccessControlEntry + +### /AccessControl/AccessControlEntry/Query + +Permission to query and read objects of type AccessControlEntry + +### /AccessControl/AccessControlEntry/Update + +Permission to update objects of type AccessControlEntry + +### /AccessControl/AccessControlFilter/Create + +Permission to create objects of type AccessControlFilter + +### /AccessControl/AccessControlFilter/Delete + +Permission to delete objects of type AccessControlFilter + +### /AccessControl/AccessControlFilter/Query + +Permission to query and read objects of type AccessControlFilter + +### /AccessControl/AccessControlFilter/Update + +Permission to update objects of type AccessControlFilter + +### /AccessControl/AccessControlPermission/Query + +Permission to query and read objects of type AccessControlPermission + +### /AccessControl/AccessControlRule/Create + +Permission to create objects of type AccessControlRule + +### 
/AccessControl/AccessControlRule/Delete + +Permission to delete objects of type AccessControlRule + +### /AccessControl/AccessControlRule/Query + +Permission to query and read objects of type AccessControlRule + +### /AccessControl/AccessControlRule/Update + +Permission to update objects of type AccessControlRule + +### /AccessControl/AssignedProfile/Create + +Permission to create objects of type AssignedProfile + +### /AccessControl/AssignedProfile/Delete + +Permission to delete objects of type AssignedProfile + +### /AccessControl/AssignedProfile/Query + +Permission to query and read objects of type AssignedProfile + +### /AccessControl/AssignedProfile/Update + +Permission to update objects of type AssignedProfile + +### /AccessControl/OpenIdClient/Create + +Permission to create objects of type OpenIdClient + +### /AccessControl/OpenIdClient/Delete + +Permission to delete objects of type OpenIdClient + +### /AccessControl/OpenIdClient/Query + +Permission to query and read objects of type OpenIdClient + +### /AccessControl/OpenIdClient/Update + +Permission to update objects of type OpenIdClient + +### /AccessControl/Profile/Create + +Permission to create objects of type Profile + +### /AccessControl/Profile/Delete + +Permission to delete objects of type Profile + +### /AccessControl/Profile/Query + +Permission to query and read objects of type Profile + +### /AccessControl/Profile/Update + +Permission to update objects of type Profile + +### /AccessControl/ProfileRuleContext/Query + +Permission to query and read objects of type ProfileRuleContext + +### /Connectors/Agent/Create + +Permission to create objects of type Agent + +### /Connectors/Agent/Delete + +Permission to delete objects of type Agent + +### /Connectors/Agent/Query + +Permission to query and read objects of type Agent + +### /Connectors/Agent/Update + +Permission to update objects of type Agent + +### /Connectors/Connection/Create + +Permission to create objects of type Connection + +### 
/Connectors/Connection/Delete + +Permission to delete objects of type Connection + +### /Connectors/Connection/Query + +Permission to query and read objects of type Connection + +### /Connectors/Connection/Update + +Permission to update objects of type Connection + +### /Connectors/ConnectionColumn/Query + +Permission to query and read objects of type ConnectionColumn + +### /Connectors/ConnectionPackage/Query + +Permission to query and read objects of type ConnectionPackage + +### /Connectors/ConnectionTable/Query + +Permission to query and read objects of type ConnectionTable + +### /Connectors/Connector/Create + +Permission to create objects of type Connector + +### /Connectors/Connector/Delete + +Permission to delete objects of type Connector + +### /Connectors/Connector/Query + +Permission to query and read objects of type Connector + +### /Connectors/Connector/Update + +Permission to update objects of type Connector + +### /Connectors/EntityAssociationMapping/Create + +Permission to create objects of type EntityAssociationMapping + +### /Connectors/EntityAssociationMapping/Delete + +Permission to delete objects of type EntityAssociationMapping + +### /Connectors/EntityAssociationMapping/Query + +Permission to query and read objects of type EntityAssociationMapping + +### /Connectors/EntityAssociationMapping/Update + +Permission to update objects of type EntityAssociationMapping + +### /Connectors/EntityPropertyMapping/Create + +Permission to create objects of type EntityPropertyMapping + +### /Connectors/EntityPropertyMapping/Delete + +Permission to delete objects of type EntityPropertyMapping + +### /Connectors/EntityPropertyMapping/Query + +Permission to query and read objects of type EntityPropertyMapping + +### /Connectors/EntityPropertyMapping/Update + +Permission to update objects of type EntityPropertyMapping + +### /Connectors/EntityTypeMapping/Create + +Permission to create objects of type EntityTypeMapping + +### /Connectors/EntityTypeMapping/Delete 
+ +Permission to delete objects of type EntityTypeMapping + +### /Connectors/EntityTypeMapping/Query + +Permission to query and read objects of type EntityTypeMapping + +### /Connectors/EntityTypeMapping/Update + +Permission to update objects of type EntityTypeMapping + +### /Connectors/EntityTypeMappingByConnectorIdQuery/Query + +Permission to query and read objects of type EntityTypeMappingByConnectorIdQuery + +### /Connectors/PasswordResetContextsByIdsQuery/Query + +Permission to query and read objects of type PasswordResetContextsByIdsQuery + +### /Connectors/ProvisionerResourceTypeMapping/Query + +Permission to query and read objects of type ProvisionerResourceTypeMapping + +### /Connectors/ProvisioningSession + +Permission to get provisioning orders from server for a connector. + +### /Connectors/ResourceTypeMapping/Query + +Permission to query and read objects of type ResourceTypeMapping (resource types' fulfill settings +in the UI) when launching a resource-type-related job. + +### /Connectors/SynchronizeSession + +Permission to send connector files to the server. + +### /Custom/AccessCertification/AutoAssigned/`{entityType_identifier}` + +Permission to be automatically assigned to an access certification item corresponding to an access +right owned by an object of type `entityType_identifier`. + +### /Custom/AccessCertification/ManualAssigned/`{entityType_identifier}` + +Permission to be manually assigned to an access certification item corresponding to an access right +owned by an object of type `entityType_identifier`. + +### /Custom/ManageAccounts/`{entityType_identifier}` + +Permission to display the Manage Accounts menu for resources corresponding to an access right owned +by an object of type `entityType_identifier`. + +### /Custom/ProvisioningPolicy/BulkPerformManualProvisioning/`{entityType_identifier}` + +Permission to perform bulk validations on the **Manual Provisioning** page. 
+ +### /Custom/ProvisioningPolicy/BulkReconciliateResources/`{entityType_identifier}` + +Permission to perform bulk validations on the **Resource Reconciliation** page. + +### /Custom/ProvisioningPolicy/BulkReviewProvisioning/`{entityType_identifier}` + +Permission to perform bulk validations on the **Provisioning Review** page (only for errored +orders). + +### /Custom/ProvisioningPolicy/BulkRoleReconciliation/`{entityType_identifier}` + +Permission to perform bulk validations on the **Role Reconciliation** page. + +### /Custom/ProvisioningPolicy/PendingAssignedResourceTypes/`{resourceType_identifier}` + +Permission to query and read all the pending assigned resource types linked to +`{resourceType_identifier}`. + +### /Custom/ProvisioningPolicy/PerformManualProvisioning/`{entityType_identifier}` + +Permission to perform manual provisioning, access the corresponding screens and be notified +accordingly, when `{entityType_identifier}` is the source entity type. + +### /Custom/ProvisioningPolicy/ReconciliateResources/`{entityType_identifier}` + +Permission to reconcile resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/ProvisioningPolicy/ReconciliateRoles/`{entityType_identifier}` + +Permission to reconcile role corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/ProvisioningPolicy/ReviewProvisioning/`{entityType_identifier}` + +Permission to review provisioning corresponding to an access right owned by an object of type +`entityType_identifier`. + +The permission's recipient will receive a notification email. + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. 
+ +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. +Each permission can be configured in an +[access control entry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that the corresponding notification is disabled. + +### /Custom/ProvisioningPolicy/ReviewRoles/`{entityType_identifier}` + +Permission to review roles corresponding to an access right owned by an object of type +`entityType_identifier`. + +The permission's recipient will receive a notification email. + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. +Each permission can be configured in an +[access control entry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that the corresponding notification is disabled. + +### /Custom/Reports/`{reportQuery_identifier}` + +Permission to access reports corresponding to the query `reportQuery_identifier`. 
+ +### /Custom/ResourceChanges/`{connector_identifier}` + +Permission to query and read any resource changes from the `ResourceChanges` table. + +### /Custom/ResourceFileChanges/`{connector_identifier}` + +Permission to query and read any resource file changes from the `ResourceFileChanges` table. + +### /Custom/ResourceFiles/`{entityType_identifier}`/`{property_identifier}`/View + +Permission to query and read any resource files from the `ResourceFile` table corresponding to the +property `property_identifier` of the entity `entityType_identifier`, for example the +`Directory_User` photo property. This permission is generated by the +[`ViewAccessControlRules`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) +scaffolding. + +### /Custom/ResourceLinkChanges/`{connector_identifier}` + +Permission to query and read any resource link changes from the `ResourceLinkChanges` table. + +### /Custom/Resources/`{entityType_identifier}`/Create + +Permission to create resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/Delete + +Permission to delete resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/Query + +Permission to query and read resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/Self + +Permission to view self resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/SelfOwnedResources + +Permission to view self owned resources corresponding to an access right owned by an object of type +`entityType_identifier`. 
+ +### /Custom/Resources/`{entityType_identifier}`/SelfTargetResources + +Permission to view self target resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/Update + +Permission to update resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/View + +Permission to view resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/ViewOwnedResources + +Permission to view owned resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Resources/`{entityType_identifier}`/ViewTargetResources + +Permission to view target resources corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/Workflows/`{workflow_identifier}`/`{activity_identifier}`/`{activityTemplateState_shortIdentifier}` + +Permission to access the workflow `workflow_identifier`at the activty `activity_identifier` in the +state `activityTemplateState_shortIdentifier`. + +### /Custom/Workflows/Supervise/`{entityType_identifier}` + +Permission to supervise a workflow corresponding to an access right owned by an object of type +`entityType_identifier`. + +### /Custom/WorkflowsNotifications/`{workflow_identifier}`/`{activity_identifier}`/`{activityTemplateState_shortIdentifier}` + +Permission to be notified on a workflow's specific state. Applies to notifications specifying the +recipient's type: `Profile`. 
+ +### /EntityTypeMappings + +### /Jobs/Job/Create + +Permission to create objects of type Job + +### /Jobs/Job/Delete + +Permission to delete objects of type Job + +### /Jobs/Job/Query + +Permission to query and read objects of type Job + +### /Jobs/Job/Update + +Permission to update objects of type Job + +### /Jobs/JobInstance/Create + +Permission to create objects of type JobInstance + +### /Jobs/JobInstance/Delete + +Permission to delete objects of type JobInstance + +### /Jobs/JobInstance/Query + +Permission to query and read objects of type JobInstance + +### /Jobs/JobInstance/Update + +Permission to update objects of type JobInstance + +### /Jobs/JobStep/Create + +Permission to create objects of type JobStep + +### /Jobs/JobStep/Delete + +Permission to delete objects of type JobStep + +### /Jobs/JobStep/Query + +Permission to query and read objects of type JobStep + +### /Jobs/JobStep/Update + +Permission to update objects of type JobStep + +### /Jobs/RunJob/GetLog + +Read permission for JobLog + +### /Jobs/RunJob/Launch/Aborted + +Permission to send notification for job launched which ends in state Aborted + +### /Jobs/RunJob/Launch/Blocked + +Permission to send notification for job launched which ends in state Blocked + +### /Jobs/RunJob/Launch/Completed + +Permission to send notification for job launched which ends in state Completed + +### /Jobs/RunJob/Launch/Errored + +Permission to send notification for job launched which ends in state Errored + +### /Jobs/RunJob/Launch/Warning + +Permission to send notification for job launched which ends in state Warning + +### /Jobs/RunJob/Repair/Aborted + +Permission to send notification for job relaunched which ends in state Aborted + +### /Jobs/RunJob/Repair/Blocked + +Permission to send notification for job relaunched which ends in state Blocked + +### /Jobs/RunJob/Repair/Completed + +Permission to send notification for job relaunched which ends in state Completed + +### /Jobs/RunJob/Repair/Errored + +Permission 
to send notification for job relaunched which ends in state Errored + +### /Jobs/RunJob/Repair/Warning + +Permission to send notification for job relaunched which ends in state Warning + +### /Jobs/Task/Create + +Permission to create objects of type Task + +### /Jobs/Task/Delete + +Permission to delete objects of type Task + +### /Jobs/Task/Query + +Permission to query and read objects of type Task + +### /Jobs/Task/Update + +Permission to update objects of type Task + +### /Jobs/TaskDependOnTask/Create + +Permission to create objects of type TaskDependOnTask + +### /Jobs/TaskDependOnTask/Delete + +Permission to delete objects of type TaskDependOnTask + +### /Jobs/TaskDependOnTask/Query + +Permission to query and read objects of type TaskDependOnTask + +### /Jobs/TaskDependOnTask/Update + +Permission to update objects of type TaskDependOnTask + +### /Jobs/TaskDimension/Create + +Permission to create objects of type TaskDimension + +### /Jobs/TaskDimension/Delete + +Permission to delete objects of type TaskDimension + +### /Jobs/TaskDimension/Query + +Permission to query and read objects of type TaskDimension + +### /Jobs/TaskDimension/Update + +Permission to update objects of type TaskDimension + +### /Jobs/TaskEntityType/Create + +Permission to create objects of type TaskEntityType + +### /Jobs/TaskEntityType/Delete + +Permission to delete objects of type TaskEntityType + +### /Jobs/TaskEntityType/Query + +Permission to query and read objects of type TaskEntityType + +### /Jobs/TaskEntityType/Update + +Permission to update objects of type TaskEntityType + +### /Jobs/TaskIdByIdentifiersQuery/Query + +Permission to query and read objects of type TaskIdByIdentifiersQuery + +### /Jobs/TaskInstance/Create + +Permission to create objects of type TaskInstance + +### /Jobs/TaskInstance/Delete + +Permission to delete objects of type TaskInstance + +### /Jobs/TaskInstance/Query + +Permission to query and read objects of type TaskInstance + +### /Jobs/TaskInstance/Update + 
+Permission to update objects of type TaskInstance + +### /Jobs/TaskResourceType/Create + +Permission to create objects of type TaskResourceType + +### /Jobs/TaskResourceType/Delete + +Permission to delete objects of type TaskResourceType + +### /Jobs/TaskResourceType/Query + +Permission to query and read objects of type TaskResourceType + +### /Jobs/TaskResourceType/Update + +Permission to update objects of type TaskResourceType + +### /Metadata/Binding/Create + +Permission to create objects of type Binding + +### /Metadata/Binding/Delete + +Permission to delete objects of type Binding + +### /Metadata/Binding/Query + +Permission to query and read objects of type Binding + +### /Metadata/Binding/Update + +Permission to update objects of type Binding + +### /Metadata/BindingItem/Query + +Permission to query and read objects of type BindingItem + +### /Metadata/Dimension/Create + +Permission to create objects of type Dimension + +### /Metadata/Dimension/Delete + +Permission to delete objects of type Dimension + +### /Metadata/Dimension/Query + +Permission to query and read objects of type Dimension + +### /Metadata/Dimension/Update + +Permission to update objects of type Dimension + +### /Metadata/EntityAssociation/Create + +Permission to create objects of type EntityAssociation + +### /Metadata/EntityAssociation/Delete + +Permission to delete objects of type EntityAssociation + +### /Metadata/EntityAssociation/Query + +Permission to query and read objects of type EntityAssociation + +### /Metadata/EntityAssociation/Update + +Permission to update objects of type EntityAssociation + +### /Metadata/EntityProperty/Create + +Permission to create objects of type EntityProperty + +### /Metadata/EntityProperty/Delete + +Permission to delete objects of type EntityProperty + +### /Metadata/EntityProperty/Query + +Permission to query and read objects of type EntityProperty + +### /Metadata/EntityProperty/Update + +Permission to update objects of type EntityProperty + +### 
/Metadata/EntityType/Create + +Permission to create objects of type EntityType + +### /Metadata/EntityType/Delete + +Permission to delete objects of type EntityType + +### /Metadata/EntityType/Query + +Permission to query and read objects of type EntityType + +### /Metadata/EntityType/Update + +Permission to update objects of type EntityType + +### /Metadata/Language/Query + +Permission to query and read objects of type Language + +### /Metadata/Setting/Create + +Permission to create objects of type Setting + +### /Metadata/Setting/Delete + +Permission to delete objects of type Setting + +### /Metadata/Setting/Query + +Permission to query and read objects of type Setting + +### /Metadata/Setting/Update + +Permission to update objects of type Setting + +### /Monitoring + +Permission to download server logs from the User Interface (from the **Monitoring** screen). + +### /ProvisioningPolicy/AssignedCompositeRole/Comment + +Permission to comment objects of type AssignedCompositeRole + +### /ProvisioningPolicy/AssignedCompositeRole/Create + +Permission to create objects of type AssignedCompositeRole + +### /ProvisioningPolicy/AssignedCompositeRole/Delete + +Permission to delete objects of type AssignedCompositeRole + +### /ProvisioningPolicy/AssignedCompositeRole/Query + +Permission to query and read objects of type AssignedCompositeRole + +### /ProvisioningPolicy/AssignedCompositeRole/Update + +Permission to update objects of type AssignedCompositeRole + +### /ProvisioningPolicy/AssignedResourceBinary/Create + +Permission to create objects of type AssignedResourceBinary + +### /ProvisioningPolicy/AssignedResourceBinary/Delete + +Permission to delete objects of type AssignedResourceBinary + +### /ProvisioningPolicy/AssignedResourceBinary/Query + +Permission to query and read objects of type AssignedResourceBinary + +### /ProvisioningPolicy/AssignedResourceBinary/Update + +Permission to update objects of type AssignedResourceBinary + +### 
/ProvisioningPolicy/AssignedResourceNavigation/Create + +Permission to create objects of type AssignedResourceNavigation + +### /ProvisioningPolicy/AssignedResourceNavigation/Delete + +Permission to delete objects of type AssignedResourceNavigation + +### /ProvisioningPolicy/AssignedResourceNavigation/Query + +Permission to query and read objects of type AssignedResourceNavigation + +### /ProvisioningPolicy/AssignedResourceNavigation/Update + +Permission to update objects of type AssignedResourceNavigation + +### /ProvisioningPolicy/AssignedResourceScalar/Create + +Permission to create objects of type AssignedResourceScalar + +### /ProvisioningPolicy/AssignedResourceScalar/Delete + +Permission to delete objects of type AssignedResourceScalar + +### /ProvisioningPolicy/AssignedResourceScalar/Query + +Permission to query and read objects of type AssignedResourceScalar + +### /ProvisioningPolicy/AssignedResourceScalar/Update + +Permission to update objects of type AssignedResourceScalar + +### /ProvisioningPolicy/AssignedResourceType/Comment + +Permission to comment objects of type AssignedResourceType + +### /ProvisioningPolicy/AssignedResourceType/Create + +Permission to create objects of type AssignedResourceType + +### /ProvisioningPolicy/AssignedResourceType/Delete + +Permission to delete objects of type AssignedResourceType + +### /ProvisioningPolicy/AssignedResourceType/ManualProvisioningReview + +Permission to review manual provisioning for object of type AssignedResourceType + +### /ProvisioningPolicy/AssignedResourceType/Query + +Permission to query and read objects of type AssignedResourceType + +### /ProvisioningPolicy/AssignedResourceType/Update + +Permission to update objects of type AssignedResourceType + +### /ProvisioningPolicy/AssignedSingleRole/Comment + +Permission to comment objects of type AssignedSingleRole + +### /ProvisioningPolicy/AssignedSingleRole/Create + +Permission to create objects of type AssignedSingleRole + +### 
/ProvisioningPolicy/AssignedSingleRole/Delete + +Permission to delete objects of type AssignedSingleRole + +### /ProvisioningPolicy/AssignedSingleRole/Query + +Permission to query and read objects of type AssignedSingleRole + +### /ProvisioningPolicy/AssignedSingleRole/Update + +Permission to update objects of type AssignedSingleRole + +### /ProvisioningPolicy/AutomationRule/Create + +Permission to create objects of type AutomationRule + +### /ProvisioningPolicy/AutomationRule/CreateSimulation + +Permission to create objects of type AutomationRule in simulation + +### /ProvisioningPolicy/AutomationRule/Delete + +Permission to delete objects of type AutomationRule + +### /ProvisioningPolicy/AutomationRule/DeleteSimulation + +Permission to delete objects of type AutomationRule in simulation + +### /ProvisioningPolicy/AutomationRule/Query + +Permission to query and read objects of type AutomationRule + +### /ProvisioningPolicy/AutomationRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type AutomationRule + +### /ProvisioningPolicy/AutomationRule/Simulation + +Permission to query and read objects of type AutomationRule in simulation + +### /ProvisioningPolicy/AutomationRule/Update + +Permission to update objects of type AutomationRule + +### /ProvisioningPolicy/AutomationRule/UpdateSimulation + +Permission to update objects of type AutomationRule in simulation + +### /ProvisioningPolicy/Category/Create + +Permission to create objects of type Category + +### /ProvisioningPolicy/Category/Delete + +Permission to delete objects of type Category + +### /ProvisioningPolicy/Category/Query + +Permission to query and read objects of type Category + +### /ProvisioningPolicy/Category/Update + +Permission to update objects of type Category + +### /ProvisioningPolicy/CompositeRole/Create + +Permission to create objects of type CompositeRole + +### /ProvisioningPolicy/CompositeRole/CreateSimulation + +Permission to create objects of type 
CompositeRole in simulation + +### /ProvisioningPolicy/CompositeRole/Delete + +Permission to delete objects of type CompositeRole + +### /ProvisioningPolicy/CompositeRole/DeleteSimulation + +Permission to delete objects of type CompositeRole in simulation + +### /ProvisioningPolicy/CompositeRole/Query + +Permission to query and read objects of type CompositeRole + +### /ProvisioningPolicy/CompositeRole/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type CompositeRole + +### /ProvisioningPolicy/CompositeRole/Simulation + +Permission to query and read objects of type CompositeRole in simulation + +### /ProvisioningPolicy/CompositeRole/Update + +Permission to update objects of type CompositeRole + +### /ProvisioningPolicy/CompositeRole/UpdateSimulation + +Permission to update objects of type CompositeRole in simulation + +### /ProvisioningPolicy/CompositeRoleRule/Create + +Permission to create objects of type CompositeRoleRule + +### /ProvisioningPolicy/CompositeRoleRule/CreateSimulation + +Permission to create objects of type CompositeRoleRule in simulation + +### /ProvisioningPolicy/CompositeRoleRule/Delete + +Permission to delete objects of type CompositeRoleRule + +### /ProvisioningPolicy/CompositeRoleRule/DeleteSimulation + +Permission to delete objects of type CompositeRoleRule in simulation + +### /ProvisioningPolicy/CompositeRoleRule/Query + +Permission to query and read objects of type CompositeRoleRule + +### /ProvisioningPolicy/CompositeRoleRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type CompositeRoleRule + +### /ProvisioningPolicy/CompositeRoleRule/Simulation + +Permission to query and read objects of type CompositeRoleRule in simulation + +### /ProvisioningPolicy/CompositeRoleRule/Update + +Permission to update objects of type CompositeRoleRule + +### /ProvisioningPolicy/CompositeRoleRule/UpdateSimulation + +Permission to update objects of type CompositeRoleRule 
in simulation + +### /ProvisioningPolicy/ContextRule/Create + +Permission to create objects of type ContextRule + +### /ProvisioningPolicy/ContextRule/CreateSimulation + +Permission to create objects of type ContextRule in simulation + +### /ProvisioningPolicy/ContextRule/Delete + +Permission to delete objects of type ContextRule + +### /ProvisioningPolicy/ContextRule/DeleteSimulation + +Permission to delete objects of type ContextRule in simulation + +### /ProvisioningPolicy/ContextRule/Query + +Permission to query and read objects of type ContextRule + +### /ProvisioningPolicy/ContextRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ContextRule + +### /ProvisioningPolicy/ContextRule/Simulation + +Permission to query and read objects of type ContextRule in simulation + +### /ProvisioningPolicy/ContextRule/Update + +Permission to update objects of type ContextRule + +### /ProvisioningPolicy/ContextRule/UpdateSimulation + +Permission to update objects of type ContextRule in simulation + +### /ProvisioningPolicy/IdentifiedRisk/Query + +Permission to query and read objects of type IdentifiedRisk + +### /ProvisioningPolicy/MiningRule/Create + +Permission to create objects of type MiningRule + +### /ProvisioningPolicy/MiningRule/Delete + +Permission to delete objects of type MiningRule + +### /ProvisioningPolicy/MiningRule/Query + +Permission to query and read objects of type MiningRule + +### /ProvisioningPolicy/MiningRule/Update + +Permission to update objects of type MiningRule + +### /ProvisioningPolicy/Policy/Create + +Permission to create objects of type Policy + +### /ProvisioningPolicy/Policy/CreateSimulation + +Permission to create objects of type Policy in simulation + +### /ProvisioningPolicy/Policy/Delete + +Permission to delete objects of type Policy + +### /ProvisioningPolicy/Policy/DeleteSimulation + +Permission to delete objects of type Policy in simulation + +### /ProvisioningPolicy/Policy/Query + 
+Permission to query and read objects of type Policy + +### /ProvisioningPolicy/Policy/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type Policy + +### /ProvisioningPolicy/Policy/Simulation + +Permission to query and read objects of type Policy in simulation + +### /ProvisioningPolicy/Policy/Update + +Permission to update objects of type Policy + +### /ProvisioningPolicy/Policy/UpdateSimulation + +Permission to update objects of type Policy in simulation + +### /ProvisioningPolicy/PolicySimulation/Create + +Permission to create objects of type PolicySimulation + +### /ProvisioningPolicy/PolicySimulation/Delete + +Permission to delete objects of type PolicySimulation + +### /ProvisioningPolicy/PolicySimulation/Query + +Permission to query and read objects of type PolicySimulation + +### /ProvisioningPolicy/PolicySimulation/Start + +Permission to start a simulation of a policy + +### /ProvisioningPolicy/PolicySimulation/Update + +Permission to update objects of type PolicySimulation + +### /ProvisioningPolicy/PredefinedFunctionQuery/Query + +Permission to query and read objects of type PredefinedFunctionQuery + +### /ProvisioningPolicy/Provisioning/Start + +### /ProvisioningPolicy/RedundantAssignment/Query + +Permission to access the **Redundant Assignment** page. + +### /ProvisioningPolicy/RedundantAssignment/Start + +Permission to compute redundant assignments and remove them. 
+ +### /ProvisioningPolicy/ResourceBinaryRule/Create + +Permission to create objects of type ResourceBinaryRule + +### /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation + +Permission to create objects of type ResourceBinaryRule in simulation + +### /ProvisioningPolicy/ResourceBinaryRule/Delete + +Permission to delete objects of type ResourceBinaryRule + +### /ProvisioningPolicy/ResourceBinaryRule/DeleteSimulation + +Permission to delete objects of type ResourceBinaryRule in simulation + +### /ProvisioningPolicy/ResourceBinaryRule/Query + +Permission to query and read objects of type ResourceBinaryRule + +### /ProvisioningPolicy/ResourceBinaryRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceBinaryRule + +### /ProvisioningPolicy/ResourceBinaryRule/Simulation + +Permission to query and read objects of type ResourceBinaryRule in simulation + +### /ProvisioningPolicy/ResourceBinaryRule/Update + +Permission to update objects of type ResourceBinaryRule + +### /ProvisioningPolicy/ResourceBinaryRule/UpdateSimulation + +Permission to update objects of type ResourceBinaryRule in simulation + +### /ProvisioningPolicy/ResourceClassificationRule/Create + +Permission to create objects of type ResourceClassificationRule + +### /ProvisioningPolicy/ResourceClassificationRule/CreateSimulation + +Permission to create objects of type ResourceClassificationRule in simulation + +### /ProvisioningPolicy/ResourceClassificationRule/Delete + +Permission to delete objects of type ResourceClassificationRule + +### /ProvisioningPolicy/ResourceClassificationRule/DeleteSimulation + +Permission to delete objects of type ResourceClassificationRule in simulation + +### /ProvisioningPolicy/ResourceClassificationRule/Query + +Permission to query and read objects of type ResourceClassificationRule + +### /ProvisioningPolicy/ResourceClassificationRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of 
type +ResourceClassificationRule + +### /ProvisioningPolicy/ResourceClassificationRule/Simulation + +Permission to query and read objects of type ResourceClassificationRule in simulation + +### /ProvisioningPolicy/ResourceClassificationRule/Update + +Permission to update objects of type ResourceClassificationRule + +### /ProvisioningPolicy/ResourceClassificationRule/UpdateSimulation + +Permission to update objects of type ResourceClassificationRule in simulation + +### /ProvisioningPolicy/ResourceCorrelationRule/Create + +Permission to create objects of type ResourceCorrelationRule + +### /ProvisioningPolicy/ResourceCorrelationRule/CreateSimulation + +Permission to create objects of type ResourceCorrelationRule in simulation + +### /ProvisioningPolicy/ResourceCorrelationRule/Delete + +Permission to delete objects of type ResourceCorrelationRule + +### /ProvisioningPolicy/ResourceCorrelationRule/DeleteSimulation + +Permission to delete objects of type ResourceCorrelationRule in simulation + +### /ProvisioningPolicy/ResourceCorrelationRule/Query + +Permission to query and read objects of type ResourceCorrelationRule + +### /ProvisioningPolicy/ResourceCorrelationRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceCorrelationRule + +### /ProvisioningPolicy/ResourceCorrelationRule/Simulation + +Permission to query and read objects of type ResourceCorrelationRule in simulation + +### /ProvisioningPolicy/ResourceCorrelationRule/Update + +Permission to update objects of type ResourceCorrelationRule + +### /ProvisioningPolicy/ResourceCorrelationRule/UpdateSimulation + +Permission to update objects of type ResourceCorrelationRule in simulation + +### /ProvisioningPolicy/ResourceHistory/Query + +Permission to query and read objects of type ResourceHistory + +### /ProvisioningPolicy/ResourceManageableAccounts/Query + +Permission to query and read objects of type ResourceManageableAccounts + +### 
/ProvisioningPolicy/ResourceNavigationRule/Create + +Permission to create objects of type ResourceNavigationRule + +### /ProvisioningPolicy/ResourceNavigationRule/CreateSimulation + +Permission to create objects of type ResourceNavigationRule in simulation + +### /ProvisioningPolicy/ResourceNavigationRule/Delete + +Permission to delete objects of type ResourceNavigationRule + +### /ProvisioningPolicy/ResourceNavigationRule/DeleteSimulation + +Permission to delete objects of type ResourceNavigationRule in simulation + +### /ProvisioningPolicy/ResourceNavigationRule/Query + +Permission to query and read objects of type ResourceNavigationRule + +### /ProvisioningPolicy/ResourceNavigationRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceNavigationRule + +### /ProvisioningPolicy/ResourceNavigationRule/Simulation + +Permission to query and read objects of type ResourceNavigationRule in simulation + +### /ProvisioningPolicy/ResourceNavigationRule/Update + +Permission to update objects of type ResourceNavigationRule + +### /ProvisioningPolicy/ResourceNavigationRule/UpdateSimulation + +Permission to update objects of type ResourceNavigationRule in simulation + +### /ProvisioningPolicy/ResourceQueryRule/Create + +Permission to create objects of type ResourceQueryRule + +### /ProvisioningPolicy/ResourceQueryRule/CreateSimulation + +Permission to create objects of type ResourceQueryRule in simulation + +### /ProvisioningPolicy/ResourceQueryRule/Delete + +Permission to delete objects of type ResourceQueryRule + +### /ProvisioningPolicy/ResourceQueryRule/DeleteSimulation + +Permission to delete objects of type ResourceQueryRule in simulation + +### /ProvisioningPolicy/ResourceQueryRule/Query + +Permission to query and read objects of type ResourceQueryRule + +### /ProvisioningPolicy/ResourceQueryRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceQueryRule + +### 
/ProvisioningPolicy/ResourceQueryRule/Simulation + +Permission to query and read objects of type ResourceQueryRule in simulation + +### /ProvisioningPolicy/ResourceQueryRule/Update + +Permission to update objects of type ResourceQueryRule + +### /ProvisioningPolicy/ResourceQueryRule/UpdateSimulation + +Permission to update objects of type ResourceQueryRule in simulation + +### /ProvisioningPolicy/ResourceScalarRule/Create + +Permission to create objects of type ResourceScalarRule + +### /ProvisioningPolicy/ResourceScalarRule/CreateSimulation + +Permission to create objects of type ResourceScalarRule in simulation + +### /ProvisioningPolicy/ResourceScalarRule/Delete + +Permission to delete objects of type ResourceScalarRule + +### /ProvisioningPolicy/ResourceScalarRule/DeleteSimulation + +Permission to delete objects of type ResourceScalarRule in simulation + +### /ProvisioningPolicy/ResourceScalarRule/Query + +Permission to query and read objects of type ResourceScalarRule + +### /ProvisioningPolicy/ResourceScalarRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceScalarRule + +### /ProvisioningPolicy/ResourceScalarRule/Simulation + +Permission to query and read objects of type ResourceScalarRule in simulation + +### /ProvisioningPolicy/ResourceScalarRule/Update + +Permission to update objects of type ResourceScalarRule + +### /ProvisioningPolicy/ResourceScalarRule/UpdateSimulation + +Permission to update objects of type ResourceScalarRule in simulation + +### /ProvisioningPolicy/ResourceType/Create + +Permission to create objects of type ResourceType + +### /ProvisioningPolicy/ResourceType/CreateSimulation + +Permission to create objects of type ResourceType in simulation + +### /ProvisioningPolicy/ResourceType/Delete + +Permission to delete objects of type ResourceType + +### /ProvisioningPolicy/ResourceType/DeleteSimulation + +Permission to delete objects of type ResourceType in simulation + +### 
/ProvisioningPolicy/ResourceType/Query + +Permission to query and read objects of type ResourceType + +### /ProvisioningPolicy/ResourceType/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceType + +### /ProvisioningPolicy/ResourceType/Simulation + +Permission to query and read objects of type ResourceType in simulation + +### /ProvisioningPolicy/ResourceType/Update + +Permission to update objects of type ResourceType + +### /ProvisioningPolicy/ResourceType/UpdateSimulation + +Permission to update objects of type ResourceType in simulation + +### /ProvisioningPolicy/ResourceTypeRule/Create + +Permission to create objects of type ResourceTypeRule + +### /ProvisioningPolicy/ResourceTypeRule/CreateSimulation + +Permission to create objects of type ResourceTypeRule in simulation + +### /ProvisioningPolicy/ResourceTypeRule/Delete + +Permission to delete objects of type ResourceTypeRule + +### /ProvisioningPolicy/ResourceTypeRule/DeleteSimulation + +Permission to delete objects of type ResourceTypeRule in simulation + +### /ProvisioningPolicy/ResourceTypeRule/Query + +Permission to query and read objects of type ResourceTypeRule + +### /ProvisioningPolicy/ResourceTypeRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type ResourceTypeRule + +### /ProvisioningPolicy/ResourceTypeRule/Simulation + +Permission to query and read objects of type ResourceTypeRule in simulation + +### /ProvisioningPolicy/ResourceTypeRule/Update + +Permission to update objects of type ResourceTypeRule + +### /ProvisioningPolicy/ResourceTypeRule/UpdateSimulation + +Permission to update objects of type ResourceTypeRule in simulation + +### /ProvisioningPolicy/Risk/Create + +Permission to create objects of type Risk + +### /ProvisioningPolicy/Risk/Delete + +Permission to delete objects of type Risk + +### /ProvisioningPolicy/Risk/OverrideApproval + +Permission to transform an approval risk into a warning 
risk + +### /ProvisioningPolicy/Risk/OverrideBlocking + +Permission to transform a blocking risk into an approval risk + +### /ProvisioningPolicy/Risk/Query + +Permission to query and read objects of type Risk + +### /ProvisioningPolicy/Risk/Update + +Permission to update objects of type Risk + +### /ProvisioningPolicy/RoleMapping/Create + +Permission to create objects of type RoleMapping + +### /ProvisioningPolicy/RoleMapping/Delete + +Permission to delete objects of type RoleMapping + +### /ProvisioningPolicy/RoleMapping/Query + +Permission to query and read objects of type RoleMapping + +### /ProvisioningPolicy/RoleMapping/Update + +Permission to update objects of type RoleMapping + +### /ProvisioningPolicy/SingleRole/Create + +Permission to create objects of type SingleRole + +### /ProvisioningPolicy/SingleRole/CreateSimulation + +Permission to create objects of type SingleRole in simulation + +### /ProvisioningPolicy/SingleRole/Delete + +Permission to delete objects of type SingleRole + +### /ProvisioningPolicy/SingleRole/DeleteSimulation + +Permission to delete objects of type SingleRole in simulation + +### /ProvisioningPolicy/SingleRole/Query + +Permission to query and read objects of type SingleRole + +### /ProvisioningPolicy/SingleRole/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type SingleRole + +### /ProvisioningPolicy/SingleRole/Simulation + +Permission to query and read objects of type SingleRole in simulation + +### /ProvisioningPolicy/SingleRole/Update + +Permission to update objects of type SingleRole + +### /ProvisioningPolicy/SingleRole/UpdateSimulation + +Permission to update objects of type SingleRole in simulation + +### /ProvisioningPolicy/SingleRoleRule/Create + +Permission to create objects of type SingleRoleRule + +### /ProvisioningPolicy/SingleRoleRule/CreateSimulation + +Permission to create objects of type SingleRoleRule in simulation + +### /ProvisioningPolicy/SingleRoleRule/Delete + 
+Permission to delete objects of type SingleRoleRule + +### /ProvisioningPolicy/SingleRoleRule/DeleteSimulation + +Permission to delete objects of type SingleRoleRule in simulation + +### /ProvisioningPolicy/SingleRoleRule/Query + +Permission to query and read objects of type SingleRoleRule + +### /ProvisioningPolicy/SingleRoleRule/RevertSimulation + +Permission to revert a deletion or update in simulation on objects of type SingleRoleRule + +### /ProvisioningPolicy/SingleRoleRule/Simulation + +Permission to query and read objects of type SingleRoleRule in simulation + +### /ProvisioningPolicy/SingleRoleRule/Update + +Permission to update objects of type SingleRoleRule + +### /ProvisioningPolicy/SingleRoleRule/UpdateSimulation + +Permission to update objects of type SingleRoleRule in simulation + +### /Report/GenerateReportFileFromQuery/Query + +Permission to query and read objects of type GenerateReportFileFromQuery + +### /Report/GenerateReportFileFromReportQuery/Query + +Permission to query and read objects of type GenerateReportFileFromReportQuery + +### /Report/ReportQuery/Create + +Permission to create objects of type ReportQuery + +### /Report/ReportQuery/Delete + +Permission to delete objects of type ReportQuery + +### /Report/ReportQuery/Query + +Permission to query and read objects of type ReportQuery + +### /Report/ReportQuery/Update + +Permission to update objects of type ReportQuery + +### /Resources/Incremental/Query + +Permission to query and read objects of type Resource and Resource Link incrementally changed + +### /Resources/Resource/Create + +Permission to create objects of type Resource + +### /Resources/Resource/Delete + +Permission to delete objects of type Resource + +### /Resources/Resource/Query + +Permission to query and read objects of type Resource + +### /Resources/Resource/Update + +Permission to update objects of type Resource + +### /Settings/Manage + +### /Universes/EntityInstance/Query + +Permission to query and read objects of 
type EntityInstance + +### /Universes/Universe/Query + +Permission to query and read objects of type Universe + +### /Universes/UniverseData/Query + +Permission to query and read objects of type UniverseData + +### /UserInterface/ActivityFormNameByWorkflowInstanceIdQuery/Query + +Permission to query and read objects of type ActivityFormNameByWorkflowInstanceIdQuery + +### /UserInterface/ApplicationInformationsQuery/Query + +Permission to query and read objects of type ApplicationInformationsQuery + +### /UserInterface/ConnectorResourceType/Create + +Permission to create objects of type ConnectorResourceType + +### /UserInterface/ConnectorResourceType/Delete + +Permission to delete objects of type ConnectorResourceType + +### /UserInterface/ConnectorResourceType/Update + +Permission to update objects of type ConnectorResourceType + +### /UserInterface/DisplayEntityAssociation/Create + +Permission to create objects of type DisplayEntityAssociation + +### /UserInterface/DisplayEntityAssociation/Delete + +Permission to delete objects of type DisplayEntityAssociation + +### /UserInterface/DisplayEntityAssociation/Query + +Permission to query and read objects of type DisplayEntityAssociation + +### /UserInterface/DisplayEntityAssociation/Update + +Permission to update objects of type DisplayEntityAssociation + +### /UserInterface/DisplayEntityProperty/Create + +Permission to create objects of type DisplayEntityProperty + +### /UserInterface/DisplayEntityProperty/Delete + +Permission to delete objects of type DisplayEntityProperty + +### /UserInterface/DisplayEntityProperty/Query + +Permission to query and read objects of type DisplayEntityProperty + +### /UserInterface/DisplayEntityProperty/Update + +Permission to update objects of type DisplayEntityProperty + +### /UserInterface/DisplayEntityType/Create + +Permission to create objects of type DisplayEntityType + +### /UserInterface/DisplayEntityType/Delete + +Permission to delete objects of type DisplayEntityType + +### 
/UserInterface/DisplayEntityType/Query + +Permission to query and read objects of type DisplayEntityType + +### /UserInterface/DisplayEntityType/Update + +Permission to update objects of type DisplayEntityType + +### /UserInterface/DisplayPropertyGroup/Create + +Permission to create objects of type DisplayPropertyGroup + +### /UserInterface/DisplayPropertyGroup/Delete + +Permission to delete objects of type DisplayPropertyGroup + +### /UserInterface/DisplayPropertyGroup/Query + +Permission to query and read objects of type DisplayPropertyGroup + +### /UserInterface/DisplayPropertyGroup/Update + +Permission to update objects of type DisplayPropertyGroup + +### /UserInterface/DisplayTable/Create + +Permission to create objects of type DisplayTable + +### /UserInterface/DisplayTable/Delete + +Permission to delete objects of type DisplayTable + +### /UserInterface/DisplayTable/Query + +Permission to query and read objects of type DisplayTable + +### /UserInterface/DisplayTable/Update + +Permission to update objects of type DisplayTable + +### /UserInterface/DisplayTableColumn/Create + +Permission to create objects of type DisplayTableColumn + +### /UserInterface/DisplayTableColumn/Delete + +Permission to delete objects of type DisplayTableColumn + +### /UserInterface/DisplayTableColumn/Query + +Permission to query and read objects of type DisplayTableColumn + +### /UserInterface/DisplayTableColumn/Update + +Permission to update objects of type DisplayTableColumn + +### /UserInterface/DisplayTableDesignElement/Query + +Permission to query and read objects of type DisplayTableDesignElement + +### /UserInterface/EntityTypeMappingByUiContextQuery/Query + +Permission to query and read objects of type EntityTypeMappingByUiContextQuery + +### /UserInterface/Form/Create + +Permission to create objects of type Form + +### /UserInterface/Form/Delete + +Permission to delete objects of type Form + +### /UserInterface/Form/Query + +Permission to query and read objects of type Form 
+ +### /UserInterface/Form/Update + +Permission to update objects of type Form + +### /UserInterface/FormControl/Create + +Permission to create objects of type FormControl + +### /UserInterface/FormControl/Delete + +Permission to delete objects of type FormControl + +### /UserInterface/FormControl/Query + +Permission to query and read objects of type FormControl + +### /UserInterface/FormControl/Update + +Permission to update objects of type FormControl + +### /UserInterface/HierarchyDataByEntityTypeIdQuery/Query + +Permission to query and read objects of type HierarchyDataByEntityTypeIdQuery + +### /UserInterface/Indicator/Create + +Permission to create objects of type Indicator + +### /UserInterface/Indicator/Delete + +Permission to delete objects of type Indicator + +### /UserInterface/Indicator/Query + +Permission to query and read objects of type Indicator + +### /UserInterface/Indicator/Update + +Permission to update objects of type Indicator + +### /UserInterface/IndicatorItem/Create + +Permission to create objects of type IndicatorItem + +### /UserInterface/IndicatorItem/Delete + +Permission to delete objects of type IndicatorItem + +### /UserInterface/IndicatorItem/Query + +Permission to query and read objects of type IndicatorItem + +### /UserInterface/IndicatorItem/Update + +Permission to update objects of type IndicatorItem + +### /UserInterface/PersonasByFilterQuery/Query + +Permission to query and read objects of type PersonasByFilterQuery + +### /UserInterface/Reload + +Permission to reset the container, in order to update the permissions and the displayed +configuration. 
+ +### /UserInterface/ResourceReadForm/Query + +Permission to query and read objects of type ResourceReadForm + +### /UserInterface/ResourceReadFormActions/Query + +Permission to query and read objects of type ResourceReadFormActions + +### /UserInterface/ResourceSearchForm/Query + +Permission to query and read objects of type ResourceSearchForm + +### /UserInterface/ResourceSelfForm/Query + +Permission to query and read objects of type ResourceSelfForm + +### /UserInterface/SearchBar/Create + +Permission to create objects of type SearchBar + +### /UserInterface/SearchBar/Delete + +Permission to delete objects of type SearchBar + +### /UserInterface/SearchBar/Query + +Permission to query and read objects of type SearchBar + +### /UserInterface/SearchBar/Update + +Permission to update objects of type SearchBar + +### /UserInterface/SearchBarCriterion/Create + +Permission to create objects of type SearchBarCriterion + +### /UserInterface/SearchBarCriterion/Delete + +Permission to delete objects of type SearchBarCriterion + +### /UserInterface/SearchBarCriterion/Query + +Permission to query and read objects of type SearchBarCriterion + +### /UserInterface/SearchBarCriterion/Update + +Permission to update objects of type SearchBarCriterion + +### /UserInterface/Tile/Create + +Permission to create objects of type Tile + +### /UserInterface/Tile/Delete + +Permission to delete objects of type Tile + +### /UserInterface/Tile/Query + +Permission to query and read objects of type Tile + +### /UserInterface/Tile/Update + +Permission to update objects of type Tile + +### /UserInterface/TileDesignElement/Query + +Permission to query and read objects of type TileDesignElement + +### /UserInterface/TileItem/Create + +Permission to create objects of type TileItem + +### /UserInterface/TileItem/Delete + +Permission to delete objects of type TileItem + +### /UserInterface/TileItem/Query + +Permission to query and read objects of type TileItem + +### /UserInterface/TileItem/Update + 
+Permission to update objects of type TileItem + +### /UserInterface/UserByIdentityQuery/Query + +Permission to query and read objects of type UserByIdentityQuery + +### /UserInterface/WorkflowFormByNameQuery/Query + +Permission to query and read objects of type WorkflowFormByNameQuery + +### /UserInterface/WorkflowFormByWorkflowIdQuery/Query + +Permission to query and read objects of type WorkflowFormByWorkflowIdQuery + +### /Workflows/Activity/Create + +Permission to create objects of type Activity + +### /Workflows/Activity/Delete + +Permission to delete objects of type Activity + +### /Workflows/Activity/Query + +Permission to query and read objects of type Activity + +### /Workflows/Activity/Update + +Permission to update objects of type Activity + +### /Workflows/ActivityInstance/Query + +Permission to query and read objects of type ActivityInstance + +### /Workflows/ActivityInstanceAspectsQuery/Query + +Permission to query and read objects of type ActivityInstanceAspectsQuery + +### /Workflows/ActivityTemplate/Query + +Permission to query and read objects of type ActivityTemplate + +### /Workflows/ActivityTemplateState/Query + +Permission to query and read objects of type ActivityTemplateState + +### /Workflows/ActivityTemplateTransition/Query + +Permission to query and read objects of type ActivityTemplateTransition + +### /Workflows/HistorizedResourceFileByWorkflowInstanceIdQuery/Query + +Permission to query and read objects of type HistorizedResourceFileByWorkflowInstanceIdQuery + +### /Workflows/HomonymEntityLink/Create + +Permission to create objects of type HomonymEntityLink + +### /Workflows/HomonymEntityLink/Delete + +Permission to delete objects of type HomonymEntityLink + +### /Workflows/HomonymEntityLink/Query + +Permission to query and read objects of type HomonymEntityLink + +### /Workflows/HomonymEntityLink/Update + +Permission to update objects of type HomonymEntityLink + +### /Workflows/UserActivityInstance/AssignedTo + +Permission to update 
the actor on object of type UserActivityInstance + +### /Workflows/UserActivityInstance/ExpectedDate + +Permission to update expected date on object of type UserActivityInstance + +### /Workflows/UserActivityInstance/Query + +Permission to query and read objects of type UserActivityInstance + +### /Workflows/UserActivityInstanceCountQuery/Query + +Permission to query and read objects of type UserActivityInstanceCountQuery + +### /Workflows/Workflow/Create + +Permission to create objects of type Workflow + +### /Workflows/Workflow/Delete + +Permission to delete objects of type Workflow + +### /Workflows/Workflow/Query + +Permission to query and read objects of type Workflow + +### /Workflows/Workflow/Update + +Permission to update objects of type Workflow + +### /Workflows/WorkflowInstance/Query + +Permission to query and read objects of type WorkflowInstance + +### /Workflows/WorkflowInstance/Resume + +### /Workflows/WorkflowInstance/Start + +### /Workflows/WorkflowInstance/Supervise + +Permission to supervise objects of type WorkflowInstance + +### /Workflows/WorkflowInstanceData/Query + +Permission to query and read objects of type WorkflowInstanceData diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md new file mode 100644 index 0000000000..647aebe7d0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md 
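Review bot: In the permissions reference that ends just above the `argumentsexpression/index.md` header, the entries `/Settings/Manage`, `/Workflows/WorkflowInstance/Resume` and `/Workflows/WorkflowInstance/Start` have a heading but no description line, unlike the entries around them. These are not plain Create/Query/Update/Delete permissions, so an administrator assigning them cannot tell from this page what they grant. Please add a one-line description for each, in the same form as `/Workflows/WorkflowInstance/Supervise`. The two entries `/ProvisioningPolicy/Risk/OverrideApproval` and `/ProvisioningPolicy/Risk/OverrideBlocking` each lower the severity of a risk, so it would be worth a sentence there saying they should be granted sparingly. Minor: `/Workflows/UserActivityInstance/AssignedTo` and `/ExpectedDate` say "on object of type" where the rest of the list says "objects of type".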
@@ -0,0 +1,97 @@ +# Compute a Resource Type's Provisioning Arguments + +This guide gives examples to understand how to configure a resource type's `ArgumentsExpression` +attribute to compute a resource type's provisioning arguments, for example the identifier of the +workflow to launch, or the identifier of the record to copy. + +## Examples + +This option is used to use provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an +[`InternalWorkflow`](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) +connection cannot contain expressions, a resource type can be configured with the +`ArgumentsExpression` attribute to explicit the arguments of provisioning orders, based on +conditions and variables. + +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +``` + + + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. 
+ +The following example computes the identifier of the record to copy, if the identity has already +any: + +``` + +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); + + if (resources.Any()) { + arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); + } +} + +return arguments;" /> + +``` + +## Attributes Provided by Usercube + +| Name | Details | +| ---------------------------- | ----------------------------------------------------------------- | +| ProvisioningOrder.ChangeType | **Type** String **Description** Action of the provisioning order. | + +## Methods Provided by Usercube + +| Name | Details | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| IsNone | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsNone() **Description** `True` when the provisioning order demands no change. **Note:** this method can be used only on `ChangeType`. | +| IsAdded | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsAdded() **Description** `True` when the provisioning order demands a resource addition. **Note:** this method can be used only on `ChangeType`. | +| IsUpdated | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsUpdated() **Description** `True` when the provisioning order demands a resource update. **Note:** this method can be used only on `ChangeType`. | +| IsDeleted | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsDeleted() **Description** `True` when the provisioning order demands a resource deletion. **Note:** this method can be used only on `ChangeType`. 
| +| HasChanged | **Type** Boolean **Usage** provisioningOrder.HasChanged("PropertyName") **Description** `True` when the provisioning order demands a change on a given property. | +| TryGetScalar | **Type** Boolean **Usage** provisioningOrder.TryGetScalar("PropertyName", out var myChange) **Description** `True` when `PropertyName` is a scalar property whose value is changed by the provisioning order. `myChange` takes the new value of `PropertyName` changed by the provisioning order. | +| TryGetAddedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetAddedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property to which new values are added by the provisioning order. `myChanges` takes the list of values of `PropertyName` added by the provisioning order. | +| TryGetRemovedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetRemovedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property from which some values are removed by the provisioning order. `myChanges` takes the list of values of `PropertyName` removed by the provisioning order. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/index.md new file mode 100644 index 0000000000..cd9adfe3ed --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/index.md @@ -0,0 +1,7 @@ +# How-Tos + +These guides will help you perform provisioning with practical step-by-step procedures. + +- #### [Compute a Resource Type's Provisioning Arguments](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md) + Configure a resource type's ArgumentsExpression attribute to compute a resource type's + provisioning arguments. 
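Review bot: In `argumentsexpression/index.md`, both fenced examples under `## Examples` are unusable as added. The first block, introduced by "The following example computes the identifier of the workflow to launch", contains only blank lines. The second starts mid-expression at `("Select Id Where EmployeeId="\" + employeeId.ToString() + "\"");`, with no opening element, no declaration of `arguments`, `resources` or `employeeId`, and one more `}` than `{`. The opening of the XML element appears to have been lost from the Markdown; please restore both snippets in full. When restoring the second one, check the quoting around `EmployeeId=`: as shown, the `"` right after `=` closes the string literal before the `\"`. The page should also say what type `employeeId` is, since its value is concatenated directly into the query text. Finally, `#### ResourceIdToCopy` skips from `##` to `####`, and the first example has no matching heading of its own.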
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md new file mode 100644 index 0000000000..94c53e790d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md @@ -0,0 +1,5 @@ +# Provisioning + +[See how to anticipate changes due to provisioning thanks to thresholds](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/prov-thresholds/index.md). + +[See how to implement and perform provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/prov-thresholds/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/prov-thresholds/index.md new file mode 100644 index 0000000000..e5cee5cf64 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/prov-thresholds/index.md 
@@ -0,0 +1,34 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Usercube stops +the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though **they should not all be**. Each action must +be "guarded" by at least one threshold. + +Once the changes have been reviewed, +[the blocked job can be resumed](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +(or not). + +## Thresholds for Provisioning + +Provisioning thresholds can be configured in XML files via +[resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +to count the number of resources impacted by provisioning inside a given resource type. These +thresholds impact the generation of provisioning orders. They are configured with: + +| Absolute Threshold | Relative Threshold | +| ------------------ | ---------------------- | +| `MaximumDelete` | `MaximumDeletePercent` | +| `MaximumInsert` | `MaximumInsertPercent` | +| `MaximumUpdate` | `MaximumUpdatePercent` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop the generation of provisioning orders. + +Distinct +[thresholds are configurable for synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/resources/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/resources/index.md new file mode 100644 index 0000000000..cf620e5c60 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/resources/index.md 
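Review bot: In `prov-thresholds/index.md`, the sentence "All thresholds are active." after the table contradicts the earlier statement that thresholds "can be deactivated via the value `0`". Suggest wording such as "All thresholds with a non-zero value are evaluated together", so that the following sentence about the lowest threshold stopping the generation of provisioning orders still holds. Please also spell out what "Each action must be guarded by at least one threshold" means against the table, that is, whether `MaximumDelete` and `MaximumDeletePercent` (and likewise the insert and update pairs) must not both be `0`. The page says thresholds are "by default activated" but gives no default values; add them or link to where they are documented.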
@@ -0,0 +1,39 @@ +# Resources + +Usercube stores managed systems' data and identities as resources within a resource repository. + +## Resource Repository + +The source of truth for the engine is the data from external sources that are +[copied](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +into Usercube's database. This persisted set of data, called _resources_, is stored in the +**Resource Repository**. + +The repository keeps a full history of all the changes performed to the resources. It is hence +possible to retrieve a resource's value at a given date or what has been changed over a period. + +Resources can be added to the resource repository from one of four ways: + +1. Input data directly from the + [applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md). + This is useful for a very limited amount of data. This is very often used for debugging or + testing, less often in production. +2. Input data from the UI. This requires configuring the UI and is the most straightforward way for + a reasonable amount of data. This is often used to input reference data that is not in the + managed systems, or for which no source of truth exists. +3. [Load data from a CSV file](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + This is how data from managed systems are loaded most of the time. Any reference of identity data + can be loaded into Usercube using CSV files. This is useful if the target organization already + possess such files or can produce them easily. +4. Compute new resources from existing resources. This can be achieved by using the provisioning + tools in a very specific way that is called _internal_ provisioning. This is often used to create + the reference data from managed systems. +5. Insert data directly in the `UR_Resource` table from SQL queries. 
This is not very safe and + requires a great deal of expertise. + +When using methods 1. and 5., make sure to choose, for new resources, an `Id` that is not yet used +for another resource in the database. Only use positive integer `Id`s for resource-identity (that +is, the resource to which you plan on assigning roles). More on that +[later](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md). + +Resources need a model: the entity model. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignment-dates/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignment-dates/index.md new file mode 100644 index 0000000000..ac757fb75a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignment-dates/index.md 
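Review bot: In `resources/index.md`, the list intro says "from one of four ways" but the list that follows has five items, and the next paragraph refers to "methods 1. and 5.". Change the intro to match the list, for example "in one of five ways". Item 5 calls direct inserts into `UR_Resource` "not very safe" without saying why; since the paragraph above states that the repository "keeps a full history of all the changes performed to the resources", please state whether rows written by SQL are covered by that history. Minor: "already possess such files" should be "possesses".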
@@ -0,0 +1,26 @@ +# Assignment Dates + +Entitlements can be assigned to users +[manually or automatically](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md), +but not on any time period. + +## For Manual Assignments + +During the manual assignment of an entitlement, i.e. role or resource type, to a user, the start and +end dates of the entitlement must follow simple rules: + +- the start date cannot be earlier than the earliest start date in all records of the user; +- the end date cannot be later than the latest end date in all records of the user. + +This means that requesting an entitlement without any start/end dates will actually assign the +entitlement from the records' earliest start date to the latest end date. + +An entitlement cannot be requested with a start date earlier than today's date. But when requesting +a role with an end date later than the records' latest end date, then the role will be assigned with +its end date equal to the records' latest end date. + +## For Automatic Assignments + +The start and end dates of any automatic assignment are based on the dates from the +[context rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +defined for the identities. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md new file mode 100644 index 0000000000..639e9e0453 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md 
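Review bot: The manual-assignment rules contradict each other on what happens to an out-of-range end date. The bullet says "the end date cannot be later than the latest end date in all records of the user", while the last paragraph of that section says a role requested with a later end date is assigned with the end date truncated to the records' latest end date. State whether the request is rejected or silently clamped, and whether that applies to resource types as well as roles. The same section also says a request with no dates starts at the records' earliest start date, yet "an entitlement cannot be requested with a start date earlier than today's date"; spell out which rule wins when the earliest record start is in the past. The opening "but not on any time period" would read better as "but not over an arbitrary time period".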
@@ -0,0 +1,197 @@ +# Entitlement Assignment + +Assigning entitlements means giving users specific permissions, or access rights, etc. + +## Overview + +As Usercube relies on a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control) +assignment policy, entitlement assignment is simply role assignment. +[See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md). + +So once a user is assigned a role, Usercube must make the right changes in the managed system(s) to +actually enable the corresponding permission. The values to be changed in the managed systems are +specified in provisioning orders. + +Hence, an entitlement assignment is both the result of the execution of a provisioning order, and +the enablement of an access right. + +## Automatic vs. Manual + +Within Usercube, assignments can be created automatically, or can result from manual requests. + +Automatic assignments are created by Usercube when +[evaluating the policy](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md), +i.e. when computing expected assignments based on existing users and the policy's roles and rules. +Automatic assignments can either: + +- result directly from the application of assignment rules on identities; +- be inferred, cascading, from another assignment. + +Manual assignments and derogations are, on the other hand, requested individually through the UI. + +## Assignments' Approval Workflow + +Some entitlements require the approval of one or several knowledgeable users before actually being +assigned. This is standard procedure in many security-concerned organizations. + +This is configurable through the role's or resource type's +[approval workflow type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md). 
+ +Each step of the approval workflow is associated with a workflow state, so that all assignments can +be tracked and it is clear what step they are at. + +All workflow states are detailed in the database schema of assigned roles or resource types, etc. + +The same approval workflow is used for requests to add or remove roles. + +> For example, Ms. Jackson requests for Mr. Smith the single role `Server Room Access` which has a +> two-step approval workflow: +> +> - At the end of the workflow, the assigned role has the workflow state `Requested`. +> - Once the assignment is processed, the workflow state switches to `Pending Approval 1/2`. +> - Once a reviewer approves the assignment, the state switches to `Pending Approval 2/2` (and if +> the reviewer declined the assignment, the state would switch to `Declined`). +> - Once a second reviewer approves the assignment, the stat switches to `Approved` and the +> assignment is finally effective. + +### Provisioning state + +In addition to the workflow state that represents an assignment's progress in the approval workflow, +any assignment also has a provisioning state to represent its progress in its lifetime from creation +in the database to provisioning to the managed system and to its eventual deletion. + +Contrary to the workflow state that concerns all assignments, the provisioning state is only about +the assignments that need provisioning. + +For example, roles exist only in Usercube and not in the managed systems, so assigned roles do not +have a provisioning state, unlike assigned resource types, scalars and navigations, etc. + +The following schema sums up the usual progress of an assignment's provisioning state: + +![Provisioning State Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +All provisioning states are detailed in the database schema of assigned resource types, etc. + +> For example, once Mr. 
Smith's role has completed the approval steps, we expect the provisioning of +> a navigation property: +> +> - It is not yet ready for provisioning because we decided to add a provisioning review by a +> knowledgeable user because it is a sensitive permission, so the assigned resource navigation has +> the `Awaiting Approval` provisioning state. +> - Once a reviewer approves the assignment, the provisioning state switches to `Pending`. +> - Once provisioning orders are computed and transmitted to the agent, the state switches to +> `Transmitted`. +> - Once the agent confirms that the related order is executed, the state switches to `Executed`. +> - Once synchronization validates the consistency of the provisioned value with the policy, the +> state finally switches to `Verified`. + +Assignments whose provisioning orders are blocked because they are `Awaiting Approval` are to be +reviewed on the **Provisioning Review** screen. + +## Non-Conforming Assignments + +Once a policy is configured with all its rules and roles, Usercube can combine it with user +information in order to determine the expected assignments, i.e. the list of all assignments that +comply with the policy. + +On the other hand, via synchronization Usercube can read the existing assignments, i.e. the list of +all assignments that actually exist in the managed systems. + +Technically speaking, Usercube creates entitlements in the managed systems, and "translates" them +into role model language. In other words, Usercube create assignments based on the entitlements +found in the systems. + +A simple comparison between these two lists defines the non-conforming assignments, i.e. the list of +all assignments that do not comply with the policy. 
+ +![Non-Conforming Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Usercube by a knowledgeable user, and is therefore: + +- either removed if Usercube correctly spotted it and the owner should indeed not possess this + permission; +- or kept as an exception if the configured rules do not apply to this particular case. + +Non-conforming assignments are to be reviewed on the **Role Reconciliation** and/or **Resource +Reconciliation** screens. + +[See more details on reconciliation](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +Non-conforming assignments can still be split into two categories: + +- pre-existing when they are found during the very first synchronization because they existed before + Usercube's implementation; +- simply non-conforming when they are found later. + +> For example, consider a (navigation) rule stating that the `QuickBooks Level 1 Access` role +> entitles its owner to the `Active Directory QuickBooks` group membership, that enables them to +> access the organization accounting balance information through QuickBooks. +> +> Now, let's say synchronization finds the `Active Directory QuickBooks` group membership for Mr. +> Smith's Active Directory account. The trouble is, Mr. Smith digital identity has not bee assigned +> the `QuickBooks Access` role: this is an inconsistency. +> +> In order to fix the inconsistency, Usercube creates the assignment of this role to Mr. Smith to be +> reviewed by a knowledgeable user who can determine whether the assignment is legitimate or results +> from a mistake. 
+ +### Review automation + +Usercube provides +[automation rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) +to automate the review of non-conforming assignments by automatically approving/declining +assignments that were pending approval for some time, if this behavior is desired. + +> For example, the single role `Server Room Access` is requested for Mr. Smith, with a two-step +> approval workflow. Ms. Jackson is supposed to review it, and then Mr. Jones. If Ms. Jackson takes +> too long, an automation can approve it, or most likely decline it, automatically. This way, the +> approval process ends and will need to be restarted at a later date if the need is genuine. + +## Resource Type Assignments + +Resource types are not as intuitive as roles because they are more complex and subtle. Assigning a +resource type materializes: + +- the creation of a resource, usually an account, in the managed system; +- the creation of scalar and navigation properties for this new resource; +- the + [categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) + of the created resource, which means both the correlation of the resource to an owner, and the + classification of the resource into a specific type with specific rules between owner and owned + resources. + +### Reconciliation + +Just like any other assignment, a resource type assignment can be non-confirming when the resource's +existence or its values do not comply with the policy. + +> For example, a SAP account is found for a user who should not have one according to the role +> model's rules. + +An account can also be an orphan when it is found in the managed system, but no owner could be +correlated. + +### Consolidated states + +A resource type assignment also has consolidated workflow and provisioning states to represent the +progress of the resource's scalar and navigation assignments. 
+ +Same as previously, the consolidated provisioning state represents the provisioning progress of the +resource type assignment together with its nested scalar/navigation assignments. + +The consolidated workflow state represents the provisioning progress of the resource type assignment +together with its nested scalar/navigation assignments, and it is described by the following values: + +- `ConsolidatedWorkflowReviewState` represents the progress in the approval workflow for a manual + assignment; + + Except for very technical use cases, resource types should not be requested manually, they + should only be inferred by a role and thus assigned automatically. + +- `ConsolidatedWorkflowBlockedState` indicates whether one or more of the nested scalars/navigations + are blocked; +- `ConsolidatedWorkflowFoundState` indicates whether one or more of the nested scalars/navigations + are stated as non-conforming or pre-existing. + +All consolidated workflow and provisioning states are detailed in the database schema of assigned +resource types. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md new file mode 100644 index 0000000000..561118c28a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md 
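Review bot: Under "Consolidated states", the sentence defining the consolidated workflow state repeats the provisioning sentence word for word ("represents the provisioning progress of the resource type assignment together with its nested scalar/navigation assignments"); it should describe approval workflow progress instead. In the non-conforming example the role is introduced as `QuickBooks Level 1 Access` and then referred to as `QuickBooks Access`; use one name so the inconsistency being illustrated is the only one in the text. The first approval example opens with "At the end of the workflow" for the `Requested` state, which precedes every approval step, so say which workflow is meant. Typos to fix in the same pass: "the stat switches", "has not bee assigned", "Mr. Smith digital identity", "Usercube create assignments", and "non-confirming" under Reconciliation.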
@@ -0,0 +1,128 @@ +# Conforming Assignments + +The +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task is able to compute, for a given identity, the appropriate assignments. + +If you are interested in a detailed description of the actual Compute Role Model task algorithm, +please refer to the Reference documentation. This article focuses more on the design decisions and +the underlying philosophy of the process. + +## Overview + +This is how Usercube solves the identity lifecycle issue. + +> **FAQ**: During onboarding, moving, offboarding, how can we make sure that an identity has the +> appropriate assignments? +> What are the appropriate assignments? + +They are a trade-off between having enough assignments to work efficiently but not too many as to +pose a security threat. + +Choosing the appropriate assignments is a science as much as an art. Usercube helps formalize +decision rules to make them more efficient. But talking about assignments and their provisioning +requires the appropriate language. + +## Roles + +> **FAQ**: What does assigning an entitlement means? + +In a target application, it is granting an account membership for a group, changing a person's +clearance level, adding an authorized account to the access control list of a resource, etc. + +Performing an assignment requires a great deal of knowledge about the inner mechanisms of the target +authorization mechanism. That makes talking about entitlement even more complicated. Am I talking +about a group, a resource's access control list, a clearance level? + +Usercube here aims at: + +- Making every assignment decision more intentional. +- Making automation of those assignment decisions possible. + +For these goals, Usercube hides this complexity behind an ubiquitous language, using a widely known +model: RBAC. In the end, talking about entitlements is talking about roles. 
No more multiple obscure +authorization mechanisms. + +This makes thinking about entitlements within Usercube easy. The provisioning issues stay out of the +way, and all the energy can be focused on designing the perfect assignment policy. + +The appropriate model also helps formalizing rules that can be used for automation. + +## Dimensions + +Assignment decisions for a user are always made based on the user's needs and legitimacy. + +> **FAQ**: Are employees working on tasks that need this assignment? Are they senior enough to have +> that responsibility? + +The basis for an assignment decision can be seen as a set of "identity attributes" that represent +the place of the employee in the organization. + +We can formalize these "identity attributes", on which informal assignment decisions are made, by +translating them into dimensions. Usercube's dimensions are exactly that: key criteria, on which +assignment decisions are based. + +Just as roles, dimensions are a fundamental piece of the puzzle. Choosing dimensions forces users to +sit down and really think about what really motivates assignment decisions in the organization. It +is going to help with automation but it is also going to help come up with better decision rules, +and hence improve the overall security of the organization. Assignment rules naturally flow from +dimensions and roles. + +## Rules + +> **FAQ**: Do all employees working on a given task have the entitlements they need? + +Roles and dimensions are the basis for a language that enables users to formalize, in a very +explicit way, the assignment policy: who should get what entitlement. Dimensions are criteria for +decisions and roles are the result of a decision. We are now only missing the rules that map +criteria to roles. + +Those are the assignment rules: single role rules and composite role rules. + +Writing the assignment policy actually becomes very easy. Once dimensions and roles are identified, +assignment rules become obvious. 
+ +The last difficulty is provisioning those assignments. + +## Provisioning + +> **FAQ**: Is the data from the target application complying with the rules created earlier? + +Translating roles into provisioning orders is finding out how the target application should be +changed to satisfy the assignments. This is where the technical complexity that was hidden by the +role, should be written. Authorization mechanisms map so well to RBAC that provisioning mechanisms +naturally flow from the roles. + +Provisioning mechanisms all follow this pattern: + +1. Start with the **identity**. +2. Find the resource in the target application that should be updated to satisfy the assignment + requirement. It is often an account. That's the **correlation**. +3. Compute the value of the data that should be updated in the target resource. That's + **provisioning rules**. + +One last point to consider is that provisioning rules and correlation sometimes depend on the type +of resource we are handling. Authorization mechanisms often discriminate between resources, +depending on their relevance for security. We might need specific provisioning rules to enforce this +difference. + +The resource type materializes the classification of resources of the same application into +categories relevant from a security point of view. As a bonus, classifying resources help with +governance. + +## The Role Model + +> **FAQ**: What is the role model in a nutshell? + +Dimensions, roles, assignment rules, resource type, provisioning rules. + +You start with dimensions. From there, roles are deduced from assignment rules. They are translated +to provisioning orders, following scalar rules and correlation rules and resource types. + +## When There Are No Rules + +If you're not comfortable yet with writing rules that automatically assign roles, you can skip +dimensions and start this whole process from roles. 
+ +You can assign roles manually to users and still benefit from hiding the provisioning complexity +inside roles, and have a good basis for writing down your assignment policy. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md new file mode 100644 index 0000000000..216bd70462 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md 
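Review bot: The "The Role Model" summary names "scalar rules and correlation rules", but the Provisioning section above it only introduces correlation and "provisioning rules", and the one-line list in the same summary also says "provisioning rules". Use the same terms in both places or define scalar rules where provisioning rules are introduced. The intro sends readers to "the Reference documentation" for the Compute Role Model algorithm without a link; every other cross-reference in this file is an absolute `/docs/...` link, so add the target. Grammar: "What does assigning an entitlement means?" should be "mean", "an ubiquitous language" should be "a ubiquitous language", and "classifying resources help with governance" should be "helps".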
@@ -0,0 +1,558 @@ +# Evaluate Policy + +Evaluate Policy is the core algorithm of the assignment policy. See the Assignment Policy topic for +additional information. + +The algorithm is applied by the server to a resource. It has the following responsibilities: + +- Enforcing the assignment rules: the algorithm outputs a list of expected assignments for the input + resource +- Evaluating risks +- Managing assignment lifecycle: updating provisioning states +- Purging expired assignments + +See the +[ Risk Management ](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) +topic for additional information. + +## Overview + +![Evaluate Policy Overview](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp) + +The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of +assignments of entitlements that comply with the assignment policy. + +That set is composed of roles that should be assigned to the resource and of scalar and navigation +assignments that should exist for that resource as an owner. The latter are in fact values of target +resource properties to fulfill from that resource fed in the algorithm. Those assignments are +referred to as the expected assignments. Manual assignments and derogations are included as well, as +they become rules within the assignment policy. + +Evaluate Policy also identifies the existing assignments. They represent the actual assignments read +(or more accurately, deduced) from the managed systems' resources. + +Finally, the differences between the existing assignments and the expected assignments are computed. +As a result, a set of non-conforming assignments is revealed, to be fixed by provisioning or +validated as derogations. + +Later, provisioning orders are edited, validated by a knowledgeable user and sent to the agent for +connectors to fulfill and fix the differences. 
+ +Evaluate Policy is executed by the task `Usercube-Compute-RoleModel`, usually included in a +regularly scheduled provisioning job. + +See the [ Connectors ](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md), +[ ComputeRoleModelTask ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md), +and [ Jobs ](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) +topics for additional information. + +## The Algorithm Steps + +**Step 1 –** **Select resources** from the resource repository, all the relevant properties for +every resource. + +This includes: + +- Attribute values of the resource itself; +- Attribute values of the resources pointed to by a navigation property from the current resource; +- All existing assignments for these resources and their properties such as provisioning state and + workflow state; +- Every property of the source resource, if the resource is a target in an owner/target + relationship; +- Every property of the target resource, if the resource is an owner in an owner/target + relationship; + +Extracting and computing, in an acceptable amount of time, such a load of data is no trivial matter. + +The number of resources to consider is of the order of 100 000 entries for a system managing 10 000 +identities among 4 managed systems. + +To improve execution time, two optimizations are used: + +- Usercube uses + [batching](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching) to + perform the database request. The `SELECT` query is divided into sets of smaller queries called + batches. The size of a batch is configurable in theUsercube-Compute-RoleModel, with the + `BatchSelectSize` attribute. +- Usercube only selects resources for which a new assignment computation is needed. 
They are + resources updated during the last incremental synchronization, and resources that depend on them. + They are identified by the dirty flag, set during incremental synchronization. See the + [ Upward Data Synchronization ](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) + topic for additional information. + +**NOTE:** For very few edge cases, dependencies between resource values can be difficult to identify +within Usercube. An example involves entity property expressions using +[LINQ](https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/linq/) syntax. See +the +[ EntityType ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)topic +for additional information. A second- or third-order binding used in such an expression actually +defines a dependency. But Usercube does not account for it, because of performance-reliability +trade-offs. That means a resource `R1`, using such an expression to compute one of its properties +values from another resource `R2` property value, might not be updated even if `R2` has been updated +by incremental synchronization. This too can be fixed by using complete synchronization once a day. + +**Step 2 –** **Compute expected assignments** + +The second step is building the expected assignment list by applying the assignment rules to the +input resource. + +This step builds a list, from scratch, of every expected assignment, both role assignments and +assignments issued from provisioning rules. + +The list contains: + +- Automatic assignments, inferred from context-based rules +- Automatic assignments, inferred from other assignments, according to role-based rules +- Manual assignments previously created and derogations previously validated +- Assignments updated by an automation rule. 
See the + [Automation Rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) + topic for additional information. + +To build the list, the algorithm first goes through composite role rules, single role rules, +resource type rules, navigation rules, and applies them in that order. See the +[ CompositeRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md), +[ SingleRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md), +and +[Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topics for additional information. This takes care of automatic assignments. Every step influences +the following one: single roles can be inferred from composite roles that have just been assigned by +a reviewer or an automation rule for example. + +Then, manual assignments and derogations are added to the expected assignments list. They are +extracted from the database, where they were saved after being added from the UI or validated +through the UI, and are considered part of the role model. Manual assignments are identified by the +Approved workflow state. Derogations are identified by the Found and Historic workflow states. + +Role assignments as derogations are displayed to the end-user for confirmation in the Role +Reconciliation screen. As long as they are not denied, they are considered a part of the role model +and will not be considered as a non-conforming difference to be fixed by provisioning. They are +deduced from actual resources and resource values found in the managed system, that do not comply +with the assignment rules, and are displayed in the Resource Reconciliation screen. + +Let's detail the rule enforcement mechanisms. 
+ +Match context rules + +Dimensions are really the basis of an assignment process. See the +[ Entitlement Management ](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Before starting, a context rule is applied, giving for the input resource: + +- The dimension values +- The time period validity of every assignment computed during this Evaluate Policy iteration + +![Computing Context For Input Resource](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp) + +Computing expected role assignments + +Role assignments, on the other hand, are the outcome of the assignment process. See the +[ Entitlement Management ](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Role assignments are the output of composite role rules and single role rules enforcement. The +outcome of those rules, as assigned composite roles and assigned single roles, is conditioned by the +input resource's context. They are the image of the status of trust and privilege granted to a +resource-identity. + +![Computing Expected Role Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp) + +Enforcing composite role rules + +The first rules that are enforced are the composite role rules. See the +[ CompositeRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md)topic +for additional information. + +For every selected resource, this step enforces composite role rules. That means assigning a +specific composite role to the input resource, based on its context's dimension values. 
This new +assignment is materialized into a new object called an assigned composite role, stored in the +`UP_AssignedCompositeRoles` table. The resource becomes the owner of the assigned composite role. + +Manual and derogatory assignments of composite roles found in the database are also added to the +expected assignments list. + +Then automation rules are enforced on assigned composite roles. See the +[Automation Rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +topic for additional information. + +**NOTE:** Enforcing automation rules on an assignment means to find, for each assignment, the +matching automation rule, looking at the last review or the creation date, comparing it to the time +defined in the rule and, if needed, apply the rule decision that may approve or decline the +assignment. + +Enforcing single role rules + +Then, single role rules are enforced. That means assigning a specific single role to the input +resource based on its context and existing assigned composite roles, i.e. the composite roles +currently assigned to the resource. Both assigned composite roles freshly created by enforcing +composite role rules and those already in the database are taken into account. In the former case, +single roles created are said to be inferred. + +This is materialized into a new object called an assigned single role, stored in the +UP_AssignedSingleRoles table. The resource becomes the owner of the assigned single role. + +Manual and derogatory assignments found in the database of single roles are also added to the +expected assignments list. + +Then automation rules are enforced on assigned single roles. + +Expected provisioning assignments + +Fulfillment is just the consequence of the role assignment process. 
See the +[ Entitlement Management ](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Provisioning-orders-to-be are the output of resource type rules, navigation rules and scalar rules. +The outcome of those rules, as assigned resource types, assigned resource navigation, and assigned +resource scalar is conditioned by the input resource assigned roles, issued during the first +expected role assignments computation or even earlier. They are the exact image of technical +provisioning orders that are to be executed by the agent, after being validated by a knowledgeable +user. See the +[Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +![Computing Expected Provisioning Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp) + +Enforcing resource type rules + +Resource type rules are enforced. This means creating and adding assigned resource types to the +expected assignments list. This means enforcing the need for a resource of that type to be created +in the managed systems, with the input resource as its owner. + +Then automation rules are enforced on assigned resource types. + +A further step will correlate, to find the actual target resource if it exists. If not, it will +eventually become a provisioning order to create such a resource. + +This can be seen as assigning a target resource to an owner. It's still important to note that the +act of assigning a resource to an owner almost always is the consequence of a role assignment. Use +cases for which a single, isolated resource, is "assigned" (i.e. created with specific values) is +rare and is more of a solution to a specific technical problem. 
+ +Enforcing navigation rules + +Finally, navigation rules are enforced. They aim to complete the information about the resource to +be created because of the assigned resource types. If the type rule is the what, this is the how. + +For every assigned resource type, associated navigation rules are enforced. + +Navigation rules are conditioned on the resource's assigned single roles. If a specific single role +is found as assigned to the owner resource of the assigned resource type (i.e. the input resource of +the algorithm), an assigned resource navigation is created in the UP_AssignedResourceNavigation +table, with the resource as its owner. The assigned resource navigation will eventually translate +into a provisioning order. + +The assigned resource navigation is hence the consequence, in the form of a +provisioning-order-to-be, of assigning a role to a resource. + +This means also no assigned resource type, no navigation assignment. Resource type rules are a +prerequisite for the associated navigation rules to be enforced. + +Enforcing scalar rules + +Finally, the scalar rules associated with the target's resource type are enforced and become +assigned resource scalars that will also result in a provisioning order. + +For every assigned resource type, associated scalar rules are enforced. + +They also aim to complete the information about the resource to be created because of the assigned +resource types. + +Found manual assignments and derogation of resource types with their associated navigation and +scalar assignments are added as well. + +**Step 3 –** **Match existing assignments with expected assignments** + +![Computing Expected Provisioning Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp) + +The expected assignments list is now built. 
+ +For every expected/computed assigned resource type, assigned single role and assigned composite +role, the algorithm finds the matching existing assignment, from the list of assignments. + +The existing list of assignments in the current database is composed of: + +- Assignments computed by the last Evaluate Policy; +- Assignments created by the classification task, including `Found` and `Historic` ones issued from + the analysis of the resource values from the managed system. + +The result is a list of expected assignments that have a counterpart in the list of existing +assignments. + +**Step 4 –** **Assignments cleansing / purge** + +Some assignments are given an expiration date at creation (see the first step, context rules +enforcement). This is the step where expired assignments are removed from the expected assignments +list. + +They will not be deleted, but historized. The validTo column of the UP_Assigned\* is updated. + +Others have been manually denied via the provisioning review screen, or must be canceled because of +rules or resource value changes. Those are deleted too. + +The result is a list of really existing assignments, without the expired, canceled or explicitly +unwanted ones for any reason. + +**Step 5 –** **Correlation** + +![Computing Expected Provisioning Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp) + +Resource correlation rules are enforced: for every expected assigned resource type, the algorithm +looks for a target resource that correlates the owner, which is the input resource. + +If found, that correlated resource becomes the target of the assigned resource type. If not, a +provisioning order of creation is written. + +A word about correlation. Correlation is achieved by using resource correlation rules. Each rule +applies to a resource type. It defines for the source entity type a quantity computed from its +attributes. 
It does the same for the target entity types. Those quantities are called correlation +keys. For a given assigned resource type, the correlation algorithm tries to match the owner +correlation key with all available resources of entity type target. If one is found equal, the +matching resource becomes target of said assigned resource type. For every resource, correlation +keys are computed by a regularly scheduled task and stored in the database. + +**Step 6 –** **Handle assignment lifecycle** + +Expected assigned resource scalars and assigned resource navigations matching existing counterparts +are found. + +For every assigned resource type, assigned resource scalar and assigned resource navigation, the +provisioning state is updated according to the correlated target resource values, the matching +existing assignment state and the provisioning state transition algorithm. + +For expected assignments that have a matching existing counterpart, the correlated target resource +values are analyzed. If they match the expected resource values, that means that the last +provisioning order has been indeed well executed. The provisioning state of the associated +assignment is switched to Applied. Same goes for the role assignments from which those scalar and +navigation assignments originated. + +For expected assignments that do not have a matching existing counterpart, they receive their +Pending or Blocked provisioning state. + +Blocked assignments are submitted for validation in the provisioning review screen. Blocked assigned +resource types are associated with a confidence level that describes the level of confidence of the +correlation between source and target. The confidence level is a configuration of the resource +correlation rules. + +The workflow state is also analyzed; assignments with Approved (or Cancellation) have been approved +(or denied) and can now be provisioned. 
+ +| Workflow state | Description | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 0—None | Used for Usercube's internal computation | +| 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) | +| 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the role. | +| 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | +| 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) | +| 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) | +| 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. 
![Workflow State: Pending Approval](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) | +| 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | +| 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | +| 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | +| 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | +| 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | +| 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) | +| 17—Declined | The assignment is explicitly declined during one of the approval steps. | +| 20—Cancellation | The assignment is inferred by a role that was declined. ![Workflow State: Cancellation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) | + +**Step 7 –** **Delta** + +The existing and expected assignment lists are compared and yield a third list of differences, i.e. +non conforming values in the managed systems that need to be fixed. + +That list will eventually become provisioning orders that will be sent to the agent for fulfillment. + +What constitutes a difference? + +Expected resource and their values not matching the existing resource and their value, for an +existing assignment with an `Applied` or `Executed` provisioning state. + +If the existing assignment is not yet `Applied` the agent might still be preparing the provisioning. 
+A resource value that does not comply with the role model, but is in the fixing process (meaning an +assignment with a provisioning state of `Pending` or `Sent`) will not come up in the UI. + +**Step 8 –** **Saving the result** + +At this point, Evaluate Policy has computed expected assignments for the resource, by applying rules +and purging expired assignments. + +Expected assignments are: + +- Assigned composite roles and assigned single roles, representing roles assigned to the resource +- Assigned resource scalars and assigned resource navigations, representing scalar and navigation + properties to fulfill to a target resource from that source resource, the ownership relationship + between source and target being materialized by an assigned resource type. + +Expected assigned are written to the database, they will be the basis for the next step: fixing +differences. The writing is optimized by using bulk insert methods. + +To enhance the writing performances, it's not actual assigned\* that are written, but updates from +the existing ones, using the delta computed at step 7. + +For fine-grained assignments such as assigned resource scalars and assigned resource navigations, +Usercube stores the policy value i.e. the value computed by Evaluate Policy (not yet fulfilled) and +the current value i.e. the value currently held by the target resource in the managed systems. + +From there, it is possible to retrieve the differences between existing and expected assignments for +that resource, at any time. + +Remember, the goal of building a set of assignments is twofold: + +- Building a catalog of existing assignments as assigned roles for non-technical users to consult. +- Fulfill target values from source resources so as the managed systems comply with the role model. + +The catalog of existing assignments is now available: they are assigned\* with an Applied +provisioning state. Non technical-users can read assigned single roles and assigned composite roles. 
+Technical users will be more interested in assigned resource scalars and assigned resource +navigations. + +Fulfilling target values from source resources is going to take the form of provisioning orders, +computed from assigned resource scalars and navigations in the Pending or Blocked state. + +## Fixing Differences + +The engine has computed a list of expected assignments. The difference with the managed system +state, as a list of resource values that infer differences in role assignments, can be fixed by +provisioning the expected assignments to the managed systems. + +Some provisioning orders have to be reviewed by a knowledgeable user. Those are provisioning orders +computed from assigned\* with a Blocked provisioning state. The UI provides screens to perform +review and validation. + +Every provisioning order is to fix a difference that has been caused by a change in the source +resource values or in its target resources. + +Let's see in details what kind of differences Usercube deals with, and what kind of change in the +managed systems triggers them. + +The workflow state of an assignment helps identify the nature of a difference between that +assignment and the managed systems. + +### UI overview + +Differences are displayed in the following screens: + +- **Provisioning Review** displays `Blocked` (non `Found`, non `Historic`) assigned resource types, + assigned resource navigations and assigned resource scalars. They must be reviewed by a + knowledgeable technical end-user. They are assignments mirroring legit provisioning orders + recently computed by the Evaluate Policy. +- **Resource Reconciliation** displays `Found` and `Historic` assigned resource types, assigned + resource navigations and assigned resource scalars. This is where non-conforming resource values + or non-authorized accounts (i.e. a resource that should not exist at all) in the form of + provisioning assignments are displayed. 
These assignments mirror, at the resource value level, + derogations still not explicitly refused by a knowledgeable end-user. This is where an end-user + can find provisioning assignments that would render legit the non-confirming values and + non-authorized accounts found in the managed systems. +- **Role Reconciliation** displays `Found` and `Historic` assigned single roles and assigned + composite roles. They are role assignments that mirror derogations, at the role level, still not + explicitly refused by a knowledgeable end-user. This is where an end-user can find roles + assignments that would render legit the non-confirming values and non-authorized accounts found in + the managed systems. +- **Redundant Assignments** displays `Approved` assigned roles and assigned resource types tagged as + eligible to be turned into `Calculated`. + +_Remember,_ **Role Review** is a little bit different as it displays manually requested assignments +waiting for manual approval. + +### A target value to update + +A target resource scalar value is different from the scalar value obtained by applying scalar rules +to the source resource. + +This could be caused by a change in the target value directly from within the managed system, before +or after Usercube has been plugged in. For example, a target Active Directory account Email value +has been changed. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change in the target made outside/before Usercube and found by +synchronization. + +As Usercube does not overwrite managed systems values without confirmation from a knowledgeable +user, the found non-conforming value will be displayed in the **Resource Reconciliation** screen, +with the suggestion for update. The non-conforming value can either be kept, and become an exception +and overwritten with the rules-issued value. 
+ +This could also be caused by a change in the source resource, by a previous fulfillment of Usercube, +or directly from within the managed system. For example, the HR system has updated the Name of an +employee. Synchronization has detected the change in value, and reapplied rules. And now, the target +Active Directory account name has to be updated. + +The corresponding assigned\* would be awarded a workflow state PolicyApproved given the difference +is about a change in the source that caused the need for a change in the target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource update provisioning order. + +### A target resource to create + +A target resource is missing. Applying navigation rules to a source resource yielded the need for a +specific target resource that has not been found by synchronization. + +This could be caused by a missing resource in a managed system even before Usercube was plugged-in +or the deletion of such a resource in the managed system afterward. For example, a nominative Active +Directory account has not been created yet for that existing identity. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change or an omission in the target outside/before Usercube and found by +synchronization. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a missing resource provisioning order. + +This could also be caused by a change in the source resource, by a previous fulfillment of Usercube, +or directly from within the managed system. For example, the HR system has updated the Job Title of +an employee. 
Synchronization has detected it, and reapplied rules, and now, this identity has to be +awarded a new Active Directory account with higher privileges. + +Or it could be caused by the manual assignment of a new Role from within Usercube to an existing +identity that would grant that identity with a new account and hence a target resource to create. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to create a new target because of the +applications of the rules. + +Those cases yield a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource creation provisioning order. + +### A target resource to delete + +An extra target resource has been found by synchronization, it's been correlated with our source +resource, but no navigation rules applied to the source resource yielded the need for its existence. + +This could be caused by an extra resource created directly from within a managed system, or the +change of a rule that makes some existing resources moot. For example, an administration Active +Directory account has been created directly from the managed system and granted to an identity who, +according to the rules, is not entitled to it. + +As Usercube does not overwrite managed systems values without confirmation from a knowledgeable +user, the found non-authorized account will be displayed in the **Resource Reconciliation** screen, +with the suggestion for deletion. The non-authorized account can either be kept, and become an +exception and or be deleted to comply with the rules. + +The corresponding assigned\* would be awarded a workflow state `Historic` or `Found` given the +difference is about an extra target added outside/before Usercube and found by synchronization. 
+ +This could also be cause by a change in the source resource, by a previous fulfillment of Usercube, +or directly from within the managed system. For example, the HR system has updated the `Job Title` +of an employee. Synchronization has detected it, and reapplied rules, and now, this identity has to +be awarded a new Active Directory account with lower privileges, the old one must be deleted. + +Or it could be caused by explicitly denying a Role to an existing identity from within Usercube +which would ripple through and forbid this account from existing. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to deletion a target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource deletion provisioning order. + +Provisioning orders are still fairly technical to read. Non compliant-roles, inferred from +non-compliant resources in the managed systems, are also displayed in the **Role Reconciliation** +screen to be kept or deleted by less technical users. + +## Fulfilling + +Fulfilling assignments is the role of connectors. Provisioning orders are written and sent to the +agent via the `Usercube-Generate-ProvisioningOrders` task is added to every provisioning job. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md new file mode 100644 index 0000000000..3ced2b676d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md 
@@ -0,0 +1,121 @@ +# Existing Assignments + +The +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task can deduce from synchronized data a list of assignments for every identity. + +## Overview + +One of the main responsibilities of the Compute Role Model task is to translate data from the realm +of the managed systems (such as accounts or groups) into the realm of roles. + +The process results in a list of existing assignments, expressed as assigned roles, for every +identity. + +This is Usercube's first computation when deployed in an organization: assessing the current state +of the managed system in order to suggest fixes. + +The main process can be summed up as: + +1. Finding the owner `O` of a resource `R` by applying correlation rules. +2. Deducing roles by applying provisioning rules (such as navigation or scalar) "in reverse". In + this step, Usercube tries to find the role that would have yielded a provisioning order for + resource `R`, if assigned to identity `O`. + +The following use cases can be encountered. + +## Use Case 1: One Group, One Role + +This first use case involves a common role model situation: one single role represents one +entitlement, for example an Active Directory group. + +Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory +group _Internet_ through a navigation rule `N`. + +![use_case_1_rolemodel](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp) + +We are going to consider here an identity named John Doe, and his Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +The most straightforward way to think about this role model is to consider the direct flow. This +would happen if John Doe's account wasn't a member of the _Internet_ group. + +1. 
Usercube performs the first synchronization, and correlates the nominative Active Directory + account [john.doe@contoso.com](mailto:john.doe@contoso.com) to John Doe. +2. This account is _not_ a member of the AD group _Internet_. +3. A manager assigns the role to John Doe's identity using Usercube's UI. +4. The Compute Role Model task applies the navigation rule `N`. +5. A provisioning order for John Doe's Active Directory account becoming a member of the group + _Internet_ is issued. + +This is a typical onboarding scenario for John Doe that happens to start a new job within the +organization after Usercube was deployed. + +Now, let's consider what happens for John Doe, if he started his job within the company before +Usercube was ever deployed. + +The initial situation is an identity, John Doe, and a "lonely" Active Directory account, +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +This time, Usercube performs the "deduction" flow. + +Usercube performs the first synchronization and tries to correlate accounts with identities. This +results in finding out that John Doe is the owner of the Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). The synchronization also shows that the +[john.doe@contoso.com](mailto:john.doe@contoso.com) account is a member of the _Internet_ Active +Directory group. + +The situation in Usercube database at this point is the following. + +![use_case_1_sync](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp) + +Integrators have defined the Internet single role and linked it to the _Internet_ AD group through +the navigation rule `N`. + +Now, the Compute Role Model task "studies" the role model: the only rule that assigns the _Internet_ +Active Directory group is the navigation rule `N`. 
By following the rule in reverse, Usercube +deduces that the role _Internet_ should _de facto_ be assigned to John Doe, so that the rules be +consistent with the data found in the Active Directory. + +The role is now listed under John Doe's assignment list (permissions) in Usercube. + +![use_case_1_deduction](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp) + +## Use Case 2: Several Groups, One Role + +This second use case involves another common role model situation: one single role represents two or +more entitlements. The single role is used here to package several Active Directory group +assignments, for example, assignments which are always granted together to perform certain tasks. + +For example, let _Sales manager_ be a single role linked to the Active Directory groups _operations_ +and _sales_ through two navigation rules `N1` and `N2`. + +The "direct" flow here means that if John Doe is assigned the _Sales manager_ role, Usercube +fulfills the _operations_ and _sales_ group memberships for John Doe's Active Directory account. + +Now, let's consider the reverse flow. If John Doe already had membership for the _operations_ and +_sales_ group before Usercube was deployed, the AD Synchronization will detect it. By applying `N1` +and `N2` in reverse, Usercube deduces that John Doe must have the _Sales manager_ single role. + +His trusted advisor, Mary Webster, isn't a member of the _operations_ group. She is only a member of +the _sales_ group. Usercube applies `N1` in reverse, but there is only one Single Role (_Sales +manager_) that grants the _sales_ group membership. The only way for Mary to be granted the _sales_ +group membership from the role model point-of-view is to have been granted the _Sales manager_ role. +For Usercube, it is as if Mary had been assigned this role, but is missing the _operations_ group. 
+That is exactly how it is materialized: the identity for Mary in Usercube will be assigned the +_Sales manager_ role, and a missing group membership will come up in the provisioning review screen. + +If the IGA administrator doesn't want Mary to be granted the _Sales manager_ role and hence the +_operations_ group, another role must be created, that only grants the _sales_ group but not the +_operations_ group. + +## Use Case 3: Several Groups, Several Roles + +The third use case is a less common one, but can still be a little confusing. + +Let's take two roles `B` and `C`. + +- `B` grants membership to two groups: `AD1` and `AD2`. +- `C` grants `AD2` and `AD3`. + +This time, if only `AD2` is found for a given user, no deduction can be made. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/generate-contexts/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/generate-contexts/index.md new file mode 100644 index 0000000000..f66692ac8f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/generate-contexts/index.md 
@@ -0,0 +1,175 @@ +# Generate Contexts + +A context is a set of dimension-value pairs computed using the +[context rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +or the combination of a context rule and the +[record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +if record sections are configured. + +A context is used to compute the role assignments for an identity by verifying that the +dimension-value pairs meet the role criteria. + +## Basic Context Generation + +When using only a context rule without a record section, the context generation is straightforward: +a set of dimension-value pairs is created by computing the value of the +[dimension bindings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +on the context rule. + +> For example, the following context rule defines guests' contexts based on their start date, end +> date, and company. +> +> ``` +> +> +> +> ``` + +## Identity Context Generation + +As described in +[identity management](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md), +identities are complex to model. Records were introduced to tackle this complexity by allowing +multiple positions for the same identity. + +[Record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +go further by modeling the relationship between positions. Indeed with record sections, it is +possible to define: + +- what are the shared properties between all positions? +- what are the properties unique to each position? +- what happens when there is a time gap between two positions, should the previous be extended or + should the future position be used to fill the gap? 
+- what happens when a position property value is not defined? + +Before illustrating how the record sections can be configured to handle most cases of position +management, here is the background situation for the examples that follow: + +- A position is defined by a `JobTitle`, a `Location`, and a `Department`, all other properties + belong to the identity and are shared between all positions. +- Dimensions are `Category`, `JobTitle`, `Location`, and `Department`. +- Each position will have an `Id`. +- `Sx` represents the start date of the position, and x is the `Id` of the position. +- `Ex` represents the end date of the position, and x is the `Id` of the position. +- `Cs` represents the contract start date. +- `Ce` represents the contract end date. + +The following configuration shows the context rule that will be used for the examples. + +``` + + + +``` + +The context rule start/end dates bindings and expressions won't have any effect on the computation, +they are overridden by the record sections dates properties. + +### Configuration of basic record sections + +``` + +Default section: + + + +Position record section: + + +``` + +The configuration above binds the position to the contract end date, meaning that a position without +an end date will take the end date of the contract. The properties of the position record section +cannot be propagated, meaning if a position does not have a `Location` it cannot take the `Location` +of the previous or future position. + +The following image shows the positions of `Mark Barn` in a defined timeline. 
+ +![simple-recordsection-identity](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp) + +With the given configuration and the identity of `Mark Barn`, the following contexts are generated: + +![simple-recordsection-result](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp) + +Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for +the +[evaluate policy algorithm](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). + +Any rules targeting identities with a `fulltime``````Category` will be assigned to `Mark Barn` from +`Cs` to `Ce`. + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `S1` to +`E2`. + +Any rules targeting all identities will be assigned to `Mark Barn` from `Cs` to `E2` because from +`E2` to `Ce` there isn't any position. This behavior can be overridden by specifying +`ExtensionKind="None"` on the `Directory_UserRecord_Position` section. + +### Configuration of a position extension + +#### Extension of a property + +The record sections can help extend some position property value when for some time the identity +does not have a position. For example, let's say that an identity can have multiple positions but +they must be in the same `Location`. So it is safe to configure the record sections to copy the +`Location` from a position if: + +- the identity does not have a position for some time; +- for a position, the `Location` is not defined. + +Here is the configuration needed to apply this policy. + +``` + +Default section: + + + +Position record section: + + + + +``` + +The `ExtensionKind="None"` was removed for the `Location` property. 
+ +Using the identity of `Mark Barn` the computed contexts should be as followed: + +![recordsection-withvaluecopy-result1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp) + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to +`Ce`. + +#### Extension of a whole position + +The property value copy can be leveraged to extend a chosen position when for some time the identity +does not have one. The following configuration and the identity of `Phoebe Buffay` will be used to +showcase a position extension. It is done by removing the `ExtensionKind="None"` of the position +properties. + +``` + +Default section: + + + +Position record section: + + + + +``` + +![positionextension-identity](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp) + +Two contexts will be generated. + +![positionextension-result](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp) + +By default, the previous position is extended when there is a gap. If there isn't any previous +position then the next position will be anticipated. + +The choice of the position to extend can be configured by leveraging the `SortKeyExpression` in the +position +[record section](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md new file mode 100644 index 0000000000..4ba36cec3a --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md 
@@ -0,0 +1,137 @@ +# Configure Indirect Permissions + +The following how-to assumes that you have already read the topic on +[indirect permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md). + +## Configure Indirect Permissions in an Active Directory + +### Configure an indirect resource rule + +Configuring an Indirect Resource Rule in the Usercube Configuration is the only step needed to set +up Indirect Permissions and can be done by answering the following questions: + +- What is the target Entity Type? There are multiple multiple Entity Types but for this example we + will choose `AD User (nominative)`. Another rule can be written if you want to handle Indirect + Permissions for `AD User (administration)`. +- Which permissions can be obtained transitively in the Active Directory? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Here, we do not want to. This also means + that `Correspondence`, `CorrespondenceMembershipProperty`, and `Entitlement` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Usercube Demo, we +get the following Indirect Resource Rule: + + ``` + + + +```` + + +After adding this rule to the Configuration, do not forget to deploy the configuration. + +### Set up a test user + +The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Usercube. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles. 
+ +![Group Membership Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp) + +A running Active Directory instance is required to reproduce these steps yourself. + +#### Edit the Active Directory + +Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB```. Then add ```TestGroupA``` as a member of ```TestGroupB```. Finally add a test user as a member of ```TestGroupA```. The test user can be any existing user in the AD that is known by Usercube. + +#### Prepare Usercube + +Since we have manually edited the Active Directory, we first need to run an AD synchronization job. +Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, : + +![Single Role Configuration Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp) + +We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```: + +![Composite Role Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp) + +Then we will also need to add some rules. 
We first need to add one Navigation Rule for each group to link them with their respective Single Role: + +![Navigation Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp) + +And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role: + +![Single Role Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp) + +Even if two rules of a kind are needed, only one is pictured. Do not forget the other one. + +#### Indirect permission display + +After running a [Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) task, Indirect Permissions should now appear for your test user. + +The next screenshots were taken after adding the direct assignment directly inside the Active Directory. As such, the direct permission is also flagged as ```Non-conforming```. + +If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: + +![View Permissions Simplified](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp) + +To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: + +![View Permissions Advanced](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp) + +You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. 
The ```memberOf``` properties will appear in the list: + +![AD Assigned Resource Navigations](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp) + +## Configure Indirect Permissions in an Microsoft Entra ID + +We can follow the same steps to configure this new rule: + +- What is the target Entity Type? + Once again, we will configure a rule for nominative users. The Entity Type is ```MicrosoftEntraID_DirectoryObject_NominativeUser```. +- Which permissions can be obtained transitively in the Microsoft Entra ID (formerly Microsoft Azure AD)? + Users get permissions by being members of a group. The property is ```memberOf```. +- Do we want to look for correspondences in another system? + Here, we do not want to (it is possible, but it is not the aim of this How-To). + This also means that ```Correspondence```, ```CorrespondenceMembershipProperty```, and ```Entitlement``` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Usercube Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` + +## Configure Indirect Permissions in SharePoint using Correspondences from an Microsoft Entra ID + +We can follow the same steps to configure this new rule, but this time we will showcase the +correspondence feature: + +- What is the target Entity Type? We first start in the Microsoft Entra ID. Once again, we will + configure a rule for nominative users. The Entity Type is + `MicrosoftEntraID_DirectoryObject_NominativeUser`. +- Which permissions can be obtained transitively in the Microsoft Entra ID? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Yes, we want to find correspondences in + SharePoint. A correspondence can be found using the `SharePointObject` property. 
+- Which permissions can be obtained transitively in SharePoint? Once again, users get permissions + based on which groups they are a member of. The property capturing this notion for SharePoint + entities is `Group` +- Is being member of a group in SharePoint the type of permissions that we want to capture? While + this can be computed, we are rather interested in compiling which SharePoint objects a user can + view/change/etc. We obtain this information using the `Entitlement` property. + +Finally, if we compile all this information and use the naming convention of the standard Usercube +Demo, we get the following Indirect Resource Rule: + + ``` + + + +``` + + +This rule will also compute indirect permissions for the Microsoft Entra ID. +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/index.md new file mode 100644 index 0000000000..38cffb737b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/index.md @@ -0,0 +1,11 @@ +# How-Tos + +These guides will help you configure role assignment with practical step-by-step procedures. + +- #### [Restrict the Assignment](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md) + Use filters on dimensions and/or roles to restrict the assignment of a role or resource + type.- #### + [Infer Single Roles with a Composite Role](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md) + Assign several single roles via the assignment of one composite role.- #### + [Configure Indirect Permissions ](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md) + Define indirect resource rules to use indirect permissions in Usercube. 
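Review bot: In how-tos/index.md the three list entries are fused together: the description lines end with "type.- ####" and "composite role.- ####", so the second and third bullets start mid-line and will not render as list items. Start each entry on its own line, and replace the `####` heading marker inside the bullets with a plain linked item followed by an indented description. The third link text also carries a trailing space, "[Configure Indirect Permissions ]".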
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md new file mode 100644 index 0000000000..2606e08fa4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md @@ -0,0 +1,56 @@ +# Infer Single Roles with a Composite Role + +This guide shows how to assign several single roles via the assignment of one composite role. + +It is possible to infer SingleRoles with +[CompositeRole](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md). +The SingleRole can only be inferred by the CompositeRole if both the CompositeRole and SingleRole +rules are verified. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +to define which EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Composite Role + +A CompositeRole is created in the same way as a SingleRole. + +``` + + + +``` + +## Assign the Composite Role Based on the Dimension + +This step is optional for our simple purpose of inferring single roles with a composite role. The +composite role can be linked to a dimension, but it does not have to. + +The CompositeRoleRule can be limited with the use of dimensions. + +``` + + + +``` + +## Assign Single Roles Based on the Composite Role + +The link between a SingleRole and a CompositeRole is made in the SingleRoleRule. + +``` + + + +``` 
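Review bot: The "Create a Dimension" section of infer-single-roles/index.md is worded for a different guide: it talks about "the restriction of resource allocations" and "the different examples of restrictions", which fits the Restrict the Assignment page, and it is never tied back to inferring single roles. Reword it to say why dimensions are needed here, or shorten it, given that the later section "Assign the Composite Role Based on the Dimension" calls that step optional. All four fenced blocks in this hunk contain only blank lines, so the Dimension, CompositeRole, CompositeRoleRule and SingleRoleRule XML that the text announces is missing; the snippets need to be restored before this page is usable.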
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md new file mode 100644 index 0000000000..59fa56ba19 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md 
@@ -0,0 +1,103 @@ +# Restrict the Assignment + +This guide shows how to use filters on dimensions and/or roles to restrict the assignment of a role +or resource type. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +to define which EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Single Role + +To be able to filter with the dimensions previously created, it is necessary to first create +[single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +which will serve as a restriction to the assignment of ResourceTypes for a given source. + +The example below creates a SingleRole for the EntityType Directory_User (source of the +ResourceTypes you want to restrict). + +``` + + + +``` + +## Assign the Role Based on the Dimension + +We will define a +[single role rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +on the "Title"; dimension with a given value to restrict the allocation of a resource in only one +case. + +``` + + + +``` + +D1 represents the dimension whose ColumnMapping="1". + +``` + + + +``` + +The value in property D1 implies that the rule is checked only if the source resource has as +association to the EntityType related to dimension 1 is "FCT0402". 
+ +## Assign a Resource Type Based on the Role + +The restriction on the creation of these accounts is integrated directly into the +[TypeRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +of the +[ResourceTypes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). +This implies that the ResourceType will only apply if the +[SingleRole rule(s)](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +are checked. + +This part will link a SingleRole to a ResourceType. This implies that the allocation of a target +resource to a source will only be done if the SingleRole rule(s) are verified. + +``` + + .... + + +``` + +### Use a navigation rule instead of a type rule + +A +[navigationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +in addition to filling a multi-valued association, also serves as an allocation context for a +ResourceType. + +There are 3 ways to restrict the allocation of the ResourceType with a NavigationRule: + +- Fill in one or more dimensions directly in the NavigationRule. +- Fill in a SingleRole. +- Fill in one or more dimensions and a SingleRole. + +For the last 2 cases this will induce the ResourceType by the SingleRole. + +``` + + ... + + +``` + +In the example above the ResourceType does not need a TypeRule because the NavigationRule already +serves as an allocation context. Unlike the previous example. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md new file mode 100644 index 0000000000..f168151347 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md 
@@ -0,0 +1,7 @@ +# Role Assignment + +Once the role model is established, role assignment can be performed, i.e. missing or non-conforming +assignments can be detected in order to give users the appropriate access rights. + +Be sure to read first the +[documentation about the role model](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md new file mode 100644 index 0000000000..ee755f70f4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md 
@@ -0,0 +1,112 @@ +# Indirect Permissions + +Usercube can compute, for a given identity, permissions that are obtained implicitly or indirectly +through assignments. The +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task is responsible for this functionality. + +## Overview + +Assigning a role to a user can give them new permissions in a managed system by giving access to a +new role or a new group, for example. This assignment is direct as it is entirely explicit. However, +the user might also receive some **additional permissions that are inherited through the new +permission** and that are not explicit. For instance in some systems, users can get permissions by +being a member of a group but groups can also be members of other groups, and therefore allow for +transitive permission acquisitions. These permissions are called indirect. This notion can also be +extended when permissions in a managed system also give other permissions in an external system. + +Indirect Permissions are automatically computed by the +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +along with standard explicit or direct permissions during a full update. Indirect permissions will +not be computed when processing a single user (for instance through "Repair Data (helpdesk)") or +during simulations. + +## Configuration + +The computation of Indirect Permissions is based on the configured +[Indirect Resource Rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md). +**These rules tell Usercube how to navigate the managed system** and how to recover permissions that +a user inherits implicitly. 
An Indirect Resource Rule is composed of the following properties: + +- `ResourceType`: the + [Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + to which the rule will be applied. +- `Property`: the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in the _target_ system. +- `Correspondence` (optional): the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + that is used to recover the correspondence of a resource from the _target_ system in the + _external_ system. +- `CorrespondenceMembershipProperty` (optional): the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in an _external_ system. +- `Entitlement` (optional): the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + that can be configured if the permission in the _external_ system needs to be recovered from the + discovered resources. For instance one can use this property to recover the entitlements of + Sharepoint groups (while `CorrespondenceMembershipProperty` will be used to recover the group + membership graph). + +If either `Correspondence` or `CorrespondenceMembershipProperty` is specified, then the other +property must be specified as well. + +If `Entitlement` is specified, then both `Correspondence` and `CorrespondenceMembershipProperty` +also need to be specified. + +- `TargetEntityTypeProperty`: the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which identifies each rule given a resource type. 
+- `TargetEntityTypeReflexiveProperty`: the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in the _target_ system. +- `IndirectResourceBinding`: the + [Binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/bindings/index.md) that + is used to recover an assignment from a permission in either system (target or external). It is + also used to define the correspondence between resources in both systems. +- `IndirectResourceReflexiveProperty` (optional): the + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in an _external_ system. + +Correspondences between resources are necessarily one-sided: the Indirect Permissions computation is +started in the managed system and if a correspondence is found, the computation will be continued in +the external system. Correspondences won't be checked in the external system. + +An example of an Indirect Resource Rule configuration is available in +[How-To: Configure Indirect Permissions in an Active Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md). + +## What Can Be an Indirect Permission? + +The +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task will create indirect Assigned Resource Navigations for the permissions that it finds, but **if +and only if these permissions are associated with a +[Resource Navigation Rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md)**. 
+ +If a +[Single Role](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +is associated with one of these Resource Navigation Rules, then an indirect Single Role will also be +recovered. + +Finally, if at least one indirect Single Role is used to recover a +[Composite Role](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md), +then the Composite Role will also be indirect. + +## What Can Be Done with Indirect Permissions? + +Currently, Indirect Permissions are only displayed and found in the users' `View Permissions` tab in +the `Advanced View`: Indirect Permissions (except Composite Roles) are hidden in the +`Simplified View`. + +Although Indirect Permissions are marked as `Non-conforming`, they can be neither approved nor +deleted. They also won't appear in Access certification campaigns. + +Indirect Permissions are always indicated by the following icon: +![Indirect Permission Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp) + +## Disabling the Indirect Permission Computation + +In case of emergency, one can disable the computation of indirect permissions by adding the +`"DisableIndirectPermissions": true` field to the root of the `appsettings`. While the computation +is disabled, indirect permissions will be frozen in time: any existing one will not be deleted and +any potential new one will not be added. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md new file mode 100644 index 0000000000..c7fbb3e3e5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md 
@@ -0,0 +1,66 @@ +# Non-Conforming Assignments + +The +[Compute Role Model](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task is able to detect from synchronized data a list of non-conforming or missing +resources/entitlements for every identity. That is one of Usercube's most powerful governance +features, provided you have a full role model configured. + +## Build the conforming assignment list + +The **first step** is building the conforming assignment list, as explained in +[Conforming Assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md). +This list (list `A`) includes the assignments that perfectly comply with the role model/assignment +policy. + +## Build the existing assignment list + +The **second step** is building the existing assignment list (list `B`), as explained in +[Existing Assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md): +every synced resource can be translated into a role assignment following the assignment rules "in +reverse". + +## Compare both lists + +We can now **compare both lists** to find out if the managed systems really comply with the decided +upon assignment policy. + +For every assignment from list `B` representing resources from the synced data: + +1. There is a rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was expected, it can be found in list `A`. +2. There is no rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was unexpected, it is not in list `A` or it is in list `A` but not with + exactly the same property values. + +The "unexpected" (or non-conforming) assignments can be for example orphan accounts. 
Sometimes, the +account itself should indeed exist according to the rules, but its attribute values are +"unexpected", contradicting scalar rules. + +Non-conforming accounts are presented in the reconciliation screens: from the role point-of-view in +the role reconciliation screen and from the resource point-of-view in the resource reconciliation +screen. + +They need human confirmation to be either kept or destroyed. + +For every assignment from list `A` representing expected assignments: + +1. There is an exact match in list `B`. The managed system complies with the assignment policy for + this resource. +2. There is no match in list `B`: the managed system doesn't comply with the assignment policy. The + resource is missing (the account is missing). + +Missing accounts are presented in the provisioning review for validation before provisioning. + +Usercube will **never delete data** without having a user's confirmation first. That is the reason +why these variations from the ideal aren't fixed automatically but submitted for review. + +Some users might wonder how they can perform governance if they don't have automated rules. +Certification can help. By reviewing (even manually) the entitlement landscape, non-conforming +account proliferation can be contained. + +This feature is the final touch of the **sync-fulfill-verify loop** that makes Usercube so +efficient. It is exactly like a closed-loop control system with a feedback loop: perturbations, in +the form of modifications in a managed system that don't go through Usercube first, trigger a +reaction. This reaction uses the role model to suggest a fix. This is the only way for the state of +the entitlement landscape to tend towards the ideal standards described by the rules. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-mining/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-mining/index.md new file mode 100644 index 0000000000..dce5f298a2 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-mining/index.md 
@@ -0,0 +1,136 @@ +# Role Mining + +Role mining aims to reduce the cost of entitlement management by automating entitlement assignments, +via the analysis of existing assignments. +[See more details about assignment automation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md). + +## Overview + +After the role catalog is established, the +[Compute-RoleModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task is able to assign single roles to users according to their attributes which are used as +assignment criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the Compute-RoleModel task is able to assign single roles to users according to their existing +> group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +which will assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions) +that constitute the key criteria for existing role assignments. 
It detects the most probable links +between identities dimensions and their roles in order to suggest the appropriate entitlement +assignment rules. + +> For example, suppose that 80% of NETWRIX workers in Marseilles have access to an application +> "App". Then, role mining is most likely to recognize the working site as a relevant dimension, and +> suggest to create a rule that gives the "App" access to users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the +[role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +### Technical Principles + +Role mining works through +[mining rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +that Usercube applies with the +[`GetRoleMiningTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +### Impact on users' entitlements + +Consider that all users from a given organization have a given role. Then role mining will create a +single role rule to assign automatically this role to any user of this organization. Then users' +entitlements remain unchanged: + +![Impact Example - Use Case 1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp) + +Now consider that half of users in the organization have the role. Then role mining will not +generate a role assignment rule. 
Then users' entitlements remain unchanged: + +![Impact Example - Use Case 2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp) + +Starting from the previous example, consider now that users progressively request the role. As long +as the ratio is below a given threshold, then role mining will not generate a role assignment rule. +Then users' entitlements remain unchanged: + +![Impact Example - Use Case 3](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp) + +Starting from the previous example, consider now that users continue requesting the role. As soon as +the ratio is above the threshold, then role mining will create a single role rule to assign +automatically this role to any user in the organization. Then a few users are going to get the +entitlement: + +![Impact Example - Use Case 4](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp) + +Starting from the previous example, consider now that, as a result of a reorganization or an access +certification for example, some users do not have the role anymore. If the ratio is below the +threshold, then role mining will remove the single role rule. If the role (or its policy) is +configured with a +[grace period](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), +users who need the role will not lose it. Then users' entitlements remain unchanged: + +![Impact Example - Use Case 5](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp) + +## Perform Role Mining + +[See how to perform role mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md). 
+ +### Simulation + +Be aware that you can configure the +[mining task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +to generate role assignment rules either directly or in a +[simulation](/docs/identitymanager/6.1/identitymanager/integration-guide/simulation/index.md). + +Simulating the results of role mining allows a knowledgeable user to analyze the impact of role +mining on the role model, before applying them. + +![Schema - Role Mining](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_simulation.webp) + +The simulation tool gives another point of view on the role model as it emphasizes the changes. + +![Schema - Role Mining](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp) + +NETWRIX recommends simulating role mining before applying the results. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/how-tos/index.md new file mode 100644 index 0000000000..e27ff3a950 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/how-tos/index.md @@ -0,0 +1,7 @@ +# How-Tos + +These guides will help you set up the role model with practical step-by-step procedures. + +## Additional How-Tos + +- #### [Configure a Parameterized Role](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md new file mode 100644 index 0000000000..1028d1edf7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md 
@@ -0,0 +1,64 @@ +# Role Model + +The role model, with its computation and enforcement, is at the heart of Usercube's engine. It is +composed mainly of roles, representing entitlements, and rules, enforcing the company assignment +policies. + +Make sure to read the +[introduction on entitlement management](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +first. + +[See more information about role assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md). + +## Roles + +Roles represent entitlements from the managed systems, but expressed in a language understandable by +non-technical people. + +A single role is meant to represent one entitlement from a managed system, by acting as a label, +thus allowing better organization and readability. + +A composite role is meant to group several single roles into a meaningful, business-themed +entitlement package. + +In this way, the role model can be seen as a +[Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) (RBAC). + +## Assignment Rules + +An +[assignment rule](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +gives an entitlement to a user, usually based on (at least) one criterion from the user's data. +Assignment rules are: + +- single role rules which assign single roles; +- composite role rules which assign composite roles; +- resource type rules which assign resources, usually accounts, of specific types. + +The identity criteria that trigger the rules are named dimensions. + +In this way, the role model can also be seen as an +[Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) +(ABAC) model. + +Usercube gives users access to given resources in the managed systems, based on roles and rules, but +it does not override the managed systems' authorization mechanisms. 
+ +## Enforcement of the Assignment Policy + +The company's policy for entitlement assignment is enforced by Usercube with the the computation of +the role model, through the +[`ComputeRoleModelTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md). +It applies all the configured rules, thus: + +- helping build a catalog of all available entitlements in the managed systems, see + [role naming conventions](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md); +- helping build the rules that define the assignment policy, i.e. the expected entitlement + assignments for all users, see the + [role mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md); +- automating entitlement assignment, see + [assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md); +- generating the provisioning orders that enable writing to the managed systems, see + [provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md); +- detecting assignments in the managed systems that do not comply with the policy, see the + [review of non-conforming assignments](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/simulation/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/simulation/index.md new file mode 100644 index 0000000000..4043bcd34d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/simulation/index.md 
@@ -0,0 +1,44 @@ +# Simulation + +Simulations aim to assess the impact of a modification in the role model, i.e. any modification of a +role or rule, before it is applied. + +## Overview + +Usercube's simulations gather roles and rules which are to be created, modified or deleted, without +being inserted in the actual role model straight away. More specifically, a simulation can involve: + +- [correlation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) + and + [classification rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md); +- [scalar rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + and + [navigation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md); +- [resource type rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md); +- [single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) + and + [composite roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) + and + [composite role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). + +A simulation can also be created by the +[role mining tool](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) +for the automation of role assignments. 
+ +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +NETWRIX recommends using simulation whenever performing an action (creation/modification/deletion) +on the role model. + +## Perform a Simulation + +[See how to perform a simulation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md new file mode 100644 index 0000000000..b15535e635 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md @@ -0,0 +1,10 @@ +# Synchronization + +The documentation is not yet available for this page and will be completed in the near future. + +[See more information about upward data synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +[See how to perform data synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +for a given managed system. + +[See how to anticipate changes due to synchronization thanks to thresholds](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md new file mode 100644 index 0000000000..6c7e78c88d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md 
@@ -0,0 +1,74 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Usercube stops +the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though **they should not all be**. Each action must +be "guarded" by at least one threshold. + +Once the changes have been reviewed, +[the blocked job can be resumed](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +(or not). + +As long as a synchronization job is blocked for a connector, the export, prepare-synchronization and +synchronization tasks of this connector are removed from incremental jobs. The synchronization is +unblocked as soon as the blocked job is resumed, or as soon as a job involving the connector is +launched in complete mode. + +## Thresholds for Synchronization + +Synchronization thresholds can be configured in XML files via: + +- [entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + to count the number of resources impacted by synchronization inside a given entity type. 
They are + configured with: + + | Absolute Threshold | Relative Threshold | + | ---------------------- | ---------------------------- | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + +- [entity association mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + to count the number of navigation properties impacted by synchronization inside a given entity + type. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +- [connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + to count the number of resources and/or navigation properties impacted by synchronization inside + all entity types of a given connector. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | **Resources** | | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + | **Navigation Properties** | | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop synchronization. + +For example, in a connector, the default values for thresholds are 100 modifications for resources +(`Maximum...Lines`) and 1000 modifications for navigation properties (`MaximumLink...Lines`). 
+ +If we launch synchronization for an entity type whose threshold values are lower than the +connector's, then Usercube blocks synchronization as soon as the number of modifications exceeds the +entity type's threshold values. + +If the entity type's threshold values are higher than the connector's, then Usercube blocks +synchronization as soon as the number of modifications exceeds the connector's threshold values (100 +resources or 1000 navigation properties). + +Distinct +[thresholds are configurable for provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/prov-thresholds/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md new file mode 100644 index 0000000000..d50a4c14f8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md 
@@ -0,0 +1,408 @@ +# Upward Data Synchronization + +Upward Data Synchronization (Sync Up) is the process that copies relevant managed systems data into +[Usercube's resource repository](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md) +and translates them into resources that match the configured Entity Model. + +Performing a _Sync Up_ allows the user to: + +- integrate the managed systems state with Usercube. The copied data serves as the basis for the + assignment computation; +- check that previously edited provisioning orders have been accurately executed; +- ascertains differences between the real managed system state and the theoretical state. + +## Overview + +### A scheduled sync up per managed system + +_Sync Up_ is performed regularly, at least every day, as a +[set of Tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/index.md). + +A _Sync Up_ is planned for every managed system that interact with Usercube. + +A _Sync Up_ is associated with a +[**Connector**](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md). + +### Three sync up mode + +Usercube provides three distinct synchronization algorithms: + +- _incremental_ +- _complete_ +- _initial_ + +_Complete_ is most straightforward one. A _complete__Sync Up_ loads the managed systems' data into +Usercube as-is, replacing entirely the currently held data. + +As it involves sending large amounts of data over HTTP between _Agent_ and _Server_, _complete_ +execution time can be quite large. + +To improve the _Sync Up_ execution time, Usercube provides the _incremental_ mode. This mode only +considers changes made to the managed systems since the last _Sync Up_. Those are applied to the +Usercube's database. Only changes are sent through the network, instead of whole data files, which +allows the _Sync Up_ execution time to be greatly reduced. 
+ +Changes are computed either by the managed system itself, given such capabilities are available, or +by a Usercube's _Agent_. + +However, the _incremental_ mode cannot be 100% reliable for two reasons. + +First, it relies on external inputs that are not directly controlled by Usercube. Second, it only +exports changes based on the managed system state, not on Usercube's database state. + +External perturbations could cause slight differences between the database's state and the managed +systems'. Order can be restored by running a _complete_ Sync Up regularly. A _complete_ Sync Up +ensures the database is in a stable state, faithfully reflecting the managed system state, before +resuming the _incremental Sync Up_ iterations. + +Safeguards are also implemented to avoid accidental overwrites, that would be caused by an empty or +incomplete input. + +Finally, the _initial__Sync Up_ is designed to be used the first time a managed system connects to +Usercube. Just as the _complete_, it loads the data as a whole. But, unlike the _complete_, it does +not overwrites the currently held data and does not provide any safeguard. The _initial_ mode +provides a quick way to perform the first _Sync Up_. The trade-off is security: _initial__Sync Up_ +should only be used the first time a managed system connected to Usercube and the database is empty, +as far as this connector is concerned. Launching the Initial _Sync Up_ twice would actually load the +same data twice whereas launching the _complete_ twice would have the same effect as launching the +_complete_ once. + +### An ETL process + +_Sync Up_ is organized as an +[Extract, Transform, Load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. It's +composed of three steps: _export_, _prepare-synchronization_, and _synchronization_. + +## Export + +The _Export_ is the first step of the _Sync Up_. 
+ +During this step, data is extracted from the managed system and generates _CSV files_ containing the +managed system's raw data. The **output** of this process is called the **_CSV source files_**. They +are written to the +[export directory](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +waiting to be used by the next-in-line _prepare-synchronization task_. + +The _Export_ occurs _Agent_-side. + +### Native support or custom process + +Depending on the managed systems capabilities, an _Export_ step can be performed by one of +Usercube's native tasks or by custom scripts. + +#### Using Usercube's native process + +Usercube's +[**Connectors**](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) +provide native _Export_ tasks for the most common managed systems. _Active Directory_, _SAP_, or +_SharePoint_ are examples of natively supported managed systems. The output _CSV source files_ +format is described in the +[**Connectors**](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) +section together with an exhaustive list of supported source managed systems. + +[Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) are +Usercube's link to the managed system. They provide configurable export and fulfill capabilities +that can be used by Usercube _as-is_ without any further development. + +#### Using a custom process + +Exporting data from a managed system without a native Usercube process is still possible by writing +a custom _Export_ process. + +If the managed system has built-in export capabilities, Usercube can simply rely on exports +scheduled by the source managed system. Regularly, the managed system generates reports, in whatever +format. 
A custom task, such as a +[PowerShell script](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md), +can then be used to retrieve the generated exports, adapt them to the _CSV source files_ format +expected by Usercube and copy them to the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). +The whole can be scheduled and orchestrated by a +[Job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +**For example**, a common scenario is to configure an HR management system to perform daily extracts +of its data to CSV files for the _Agent_ to find. This usually can be set up without any Usercube's +task, just by using the managed system and the organization's network capabilities. + +If the managed system does not provide built-in export features but provides an API or an exposed +database, it's possible to write a custom _export_ process based on that API or direct requests to +the managed system's database. This process can then be used as an _export task_ wrapped in a +[PowerShell script](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) +or a +[SQL command](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md). +Any Windows process that can be called from a PowerShell script and generate a CSV file can serve as +an export process. + +**How to choose the custom CSV source file format ?** It's best to keep it simple and stick as +closely as possible to the managed system data model. Data cleansing and translation to the resource +repository's Entity Model is handled later in the _Sync Up_ process. There is no need to try and +optimize the CSV source file format in a custom script. 
It's best to keep it close to the managed +system to be able to spot early _export_ errors. + +### Export tasks output + +The format of the exported _CSV Source files_ depends on the chosen _Sync Up_ mode and on the used +_export task_. Nonetheless, there are a few criteria that _prepare-synchronization_ expects to find +in those files. + +First, it must be a CSV format. One line per entry, and every attribute as a column. + +Then, there is a slight difference between _Complete/Initial_ and _Incremental_ export. + +With the _Complete_ and _Initial_ modes, _CSV source files_ contain an exact extract of the managed +system's data as a list of entries. At this point, the Entity Model is not yet involved. Every line +of the _CSV source file_ mirrors a line in the source managed system database. + +With _Incremental_ mode, if the source managed system is able, one more column is added. It contains +a ADD, UPDATE, or DELETE instruction. _Incremental_ export generates a list of changes made on the +managed system since the last export, instead of an exact mirror of the data. Active Directory and +Microsoft Entra ID (formerly Microsoft Azure AD), for example, are able to produce such exports, as +LDIF files, that the Active Directory connector translates into _resources_ changes. Usercube's +native support for ServiceNow and SCIM also provides such capabilities. + +In case the source managed system does not possess _incremental_ export capabilities, the changes +computation is performed during the _prepare-synchronization_ step. + +Inside those constraints, every natively supported _export task_ generates its own _CSV source file +format_, described in the +[connectors section](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md). +Usually, two kinds of files are generated: _entries_, describing plain entries, and _associations_, +describing associations between entries. + +All _CSV source files_ are written to the _export directory_. 
+ +At the end of the _export_ step, the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +contains several files per connectors, that will be translated into _resources_ during +_prepare-synchronization_ and _synchronization_ steps thanks to Entity Mapping (see below). + +The +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +can also contain opaque [cookie files](https://ldapwiki.com/wiki/DirSync) used for incremental +export of a few systems such as Active Directory, Microsoft Entra ID, ServiceNow, and SCIM. + +The reader might now understand how, as laid out in the overview, the input data could be unreliable +given the volatile nature of the managed system export methods. _Complete_ and _incremental_ modes +work together to find the best compromise between reliability and execution time. + +### Example + +The following example demonstrates the native Active Directory export process. + +Exporting data from an Active Directory can be achieved by using the +[Usercube-Export-ActiveDirectory task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) +within a Job. + +The Tasks requests from the source Active Directory all entries that match a configured filter. It +outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries.csv`), information +about group membership (`ad_members.csv`) and about the hierarchical organization +(`ad_managers.csv`). + +![Active Directory Export Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp) + +`ad_entries.csv` contains raw AD entry data. 
+ + ``` + +employeeID;businessCategory;extensionAttribute15;objectCategory;sAMAccountName;userPrincipalName;parentdn +00001;fames;ac;turpis;egestas;integer;eget 00002;ullamcorper;eget;nulla;facilisi;etiam +00003;integer;eget;aliquet;nibh;praesent + +```` + + +```ad_managers.csv``` contains a list of associations, representing the link between an employee (```employeeId``` column) and their manager (```manager``` column). + + ``` +employeeID;manager +00001,99812 +00002,99812 +00003,99812 + +```` + +`ad_members.csv` contains also a list of associations, representing the link between a group +(identified by its `dn`) and its members (the `member` column). + + ``` + +dn;member CN=SG_APP_AG002,DC=internal;CN=U34811,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U18184,DC=internal CN=SG_APP_AG002,DC=internal;CN=U43405,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U51630,DC=internal + +```` + + +## Entity Mapping + +The aim of the _Sync Up_ is to load managed systems' data into the resource repository. As such, it requires Usercube to translate data from the managed system format (or, more accurately, the _export task_'s output format) into the resource repository format, that is, the [Entity Model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +The translation rules are described in the [applicative configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md) by [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements. 
+ +[``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) elements map the resources _CSV source files_ columns to [Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md#entity-types) properties. Each mapping also identifies one column as the _primary key_ for this Entity Type. The _primary key_ is used to uniquely identify a resource in the _Sync Up_ process. It's mandatory to be able to perform _incremental__Sync Up_, as it allows to identify a resource on which an _update_ or a _delete_ has to be performed. + +[``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements translate the _CSV source files_ into [Entity Associations](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). They describe rules identifying associations between resources loaded thanks to the [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md). + +## Prepare Synchro + +_Prepare-Synchronization_ is the second step of the _Sync Up_. It transforms the _CSV source files_ further, before the _Synchronization_ step. + +It performs data cleansing and, in _incremental_ mode, computes changes made on the source managed system since the last _Prepare-Synchronization_. + +It's performed on the _Agent_-side. + +### Data cleansing + +The following actions are performed on the _CSV source files._ + +1. Removing columns that are not used in [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +2. Removing entries that have a null primary key +3. Removing duplicates +4. 
Sorting entries according to the primary key + +The result of the _Prepare-Synchronization_ is stored in the [_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) as three files: + +For every entity type of the relevant _Connector_ involved in an [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or an [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) , a ```.sorted.csv``` file is generated, containing the final, cleaned, sorted result. + +Duplicates are kept in a separate ```.duplicates.csv``` file. + +Null primary key entries are kept in a separate ```.nullpk.csv``` file. + +### Computing changes + +In _incremental_ mode, changes might need to be computed by the _Agent_. + +If the export step has provided computed changes, no further process is required. The changes will be sent as-is to the server. + +If the export step has provided a full extract of the managed systems, the _prepare-synchronization_ step computes changes. This computation is based on the result of the last data cleansing, generated by the previous _prepare-synchronization_, and stored in the ```previous``` folder in the [_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +For _incremental_ mode, it is recommended to use managed systems to compute changes when possible. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with a performance that Usercube can't match. Also, using managed systems for these operations avoid generating heavy files and alleviate Usercube's processing load. 
+ +The result is a set of clean lists of changes stored as ```.sorted.delta``` file containing a _command_ column. + +The _command_ column can take the following values: _insert_, _update_, _delete_, and _merge_. These are instructions for the _synchronization_ step to apply the changes to the database. + +The ```.sorted``` file (the original cleaned export file, not the changes) is stored in the ```previous``` folder inside the [_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). It will be used as a reference for the next _incremental__prepare-synchronization_ to compute the changes if needed. + +Tampering with the ```previous``` folder content would result in false changes in order to be computed and result in data corruption in the Usercube database. To restore the Usercube database to a state faithful to the managed system, a _complete__Sync Up_ would be required. + +### Preparing the server + +At the beginning of every _prepare-synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain ```.sorted``` or ```.sorted.delta``` files that will be sent by the agent. + +This aims to prevent network errors that would cause an _incremental_ database update to happen more than once. + +That means several _export_ and _Prepare-Synchronization_ tasks can be executed simultaneously, they will be processed by the server one at a time in the right order. + +Of course, any notification of a _complete__Prepare-Synchronization_ would cancel the previous non-processed _incremental_ ones. As a _complete_ reloads the whole database, it renders _incremental_ changes computation moot. + +### Sending clean exports + +```.sorted``` or ```.sorted.delta``` files are sent over HTTP to the _Server_ for the last step. 
+ +### Prepare synchronization tasks + +- [PrepareSynchronizationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) is the standard _prepare-synchronization_ task. +- [PrepareSynchronization Change Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) is used to process data source files containing changes. +- [PrepareSynchronizationActiveDirectoryTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) is specialized for Active Directory. This task handles Active Directory _incremental_ prepare-synchronization by using Active Directory _cookies_. + +### Example + +The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_. + +![Active Directory Prepare-Synchronization Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Synchro + +_Synchronization_ is the last step. It loads data into the resource repository from cleaned _CSV source files_. It's performed _Server_-side. + +### Translating + +Before writing to the Usercube's database, the _Server_ uses [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [``````](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) to translate _CSV source files_ into _Entity Model compliant_ resources and resolve association links. + +### Tables + +The _Synchronization_ step involves four tables from Usercube's database. 
+ +- UR_Resources contains the actual resources. +- Mono-valued associations ( [target column index](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) 128 to 137 included ) are stored in UR_Resources as well, +- Multi-valued associations ( [target column index](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) null or -1 or 0 to 127 included ) are stored in the UR_ResourceLinks table. +- UR_ResourcesChanges and UR_ResourceLinkChanges are intermediary tables, used by the complete mode as an extra step before committing changes to the UR_Resources and UR_ResourceLinks in the context of a safeguard mechanism. + +### Complete + +_Complete__synchronization_ starts with a ```.sorted.csv``` file that contains cleaned data, as in whole data, not mere changes. + +_Complete synchronization_ replaces entirely the database resources. That means that all resource, for that [Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), that are in the database but not in the _CSV source files_ will be deleted. That means no change made to the database from outside of the connectors or the UI are persistent. + +_Complete synchronization_ does not blindly insert data into Usercube database. Its aim is to update Usercube database to match the ```.sorted``` files received. + +To do so, ```.sorted``` files are translated into resources. Then, ```.sorted``` resources are compared against the currently hold database resources, matching Primary Key to Primary Key, to find differences. + +That means that, just as the _incremental_ mode, the complete mode will actually apply changes to the database. The difference being that the _complete_ synchronization computes the changes on the _Server_ and the _incremental_ computation computes the changes on the _Agent_ or the managed system. 
Hence, complete synchronization has to send large data files over the network and is slower. + +#### Safeguard + +Before actually updating the database, the number of changes to be applied to the database to match the ```.sorted``` resources is compared to a user-defined threshold. + +The threshold is a percentage of the total number of stored resources. If the number of changes goes over the threshold, the synchronization is blocked. This safeguard aims at detecting human or system errors that could corrupt Usercube's database. For example, a number of _delete_ commands greater than the threshold could be caused by an accidental empty _CSV source file_ being fed to the _synchronization_. + +For this purpose, changes are applied to an intermediary safeguard set of tables, UR_ResourcesChanges and UR_ResourceLinkChanges. The threshold is checked, and if validated, changes are applied to the UR_Resources and UR_ResourceLinks tables. + +### Initial + +_Initial_ synchronization loads the translated resources directly into the database, using INSERT SQL commands. There is no threshold checking, no comparing the data to insert to the currently held data to find differences. It should only be used on a managed system for which Usercube does not hold any resources yet. + +### Incremental + +The incremental mode uses a ```.sorted.delta``` file that contains changes. + +Thresholds are checked just as with the _complete_, using intermediary UR_ResourcesChanges and UR_ResourceLinkChanges. tables. + +Then, changes according to the _command_ column are applied to UR_Resources and UR_ResourceLinks. + +### Synchronization tasks + +- [SynchronizeTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) is the standard _synchronization_ task. 
+- [SynchronizeChangesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) is used to handle changes together with [PrepareSynchronization Change Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). +- [SynchronizeActiveDirectoryTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) is specialized for Active Directory. To be used with [PrepareSynchronizationActiveDirectoryTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). + +### Example + +This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Usercube database. + +![Active Directory Synchronization Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp) + +## Handling Errors + +The _syncro_ step is where potential errors laid out in the overview could impact the database. + +- The ```previous``` folder content could be tampered with; +- Managed systems limitations, or human error in the export step, could result in a wrong or incomplete _CSV source file_ being fed to the _Synchronization_; +- Usercube database could be restored to an older state to try and fix hardware failure or SQL tests gone wrong. + +These events, although exceptional, occur. They cause Usercube's database and the managed systems to be slightly off one another. The _incremental__Sync Up_ cannot fix these differences because the database is not taken into account in the changes computation. The _complete__Sync Up_ can fix it because it compares directly the database against the _export_ output files, i.e. it relies on the managed system's state, not on the database state. 
+ +It is hence recommended to run at least a daily _complete_ synchronization to account for these exceptional events and quickly fix the errors they might have cause into the database. + +Remember that _incremental_ and _complete_ Sync Up modes use safeguards to avoid accidental overwrites. That means any error that could find its way into the database would be small. + +_Incremental_ mode also offers another optimization that will be described in the [evaluate policy section](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md). Trade-offs of that optimization can also be counterbalanced by running a daily _complete_ synchronization. + +## Thresholds + +A introduced earlier, to mitigate the risk of data loss in the case of abnormal data source files, the _synchronization Job_ is locked if the number of changes to apply goes over a specific threshold. + +Thresholds can be configured by the user in the applicative configuration and be specific to a [Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), an [EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and/or an [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). They are expressed as number of lines (ex: ```MaximumInsertedLines```) or as a rate (ex: ```MaxPercentageDeletedLines```). + +A synchronization task locked by a threshold can be unlocked by executing the Synchronization Validation task. + +Thresholds are ignored in _initial_ mode. + +The task's argument ```-force``` can be used to ignore thresholds. + +--- + +Next, a word about the assignment policy. +```` 
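Review bot: The last line of the Thresholds section documents that `-force` ignores thresholds but does not say that this bypasses the safeguard described under "Safeguard", the one meant to catch an accidentally empty or wrong _CSV source file_. Add a sentence there saying the argument should only be used after the pending change count has been reviewed, and point to the Synchronization Validation task as the normal unlock path. The warning about tampering with the `previous` folder, repeated under "Handling Errors", states the consequence (false changes, database corruption) but no control; consider adding that the export directory should be writable only by the account running the Agent. "Preparing the server" and "Sending clean exports" both say "HTTP"; if the Agent-to-Server channel is expected to be HTTPS, say so, since these files carry the exported identity data. Separately, every `[``````](...)` link in this hunk has empty link text (the element names were lost), and `_incremental__Sync Up_`, `_complete__Sync Up_` and `_Complete__synchronization_` are missing the space between the two emphasis spans.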
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md new file mode 100644 index 0000000000..4ca9f2db50 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md 
@@ -0,0 +1,129 @@ +# Build Efficient Jobs + +This guide shows how to build efficient jobs by minimizing their costs. + +The rules below must be followed when creating a new job, otherwise the frequent launch of this +scheduled job will trigger errors in a SaaS environment. + +## Rule 1: Use Scaffoldings + +Usercube provides +[scaffoldings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) +to simplify XML configuration by generating complex XML fragments. + +Most jobs are included in +[job scaffoldings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md), +thus configured in the most optimal way. So start by using scaffoldings to build jobs. + +> For example, the creation from scratch of a job to perform a complete synchronization for a +> connector will be tedious. Instead, use Usercube's scaffolding, like in the following example +> concerning the Microsoft Entra ID (formerly Microsoft Azure AD) connector. Instead of a few dozens +> of lines, write only the following: +> +> ``` +> +> +> +> ``` +> +> +> [See more details about this scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md). +> ``` + +## Rule 2: Compute Only What's Necessary + +### Execute the tasks on the right entity types + +Many tasks can be executed either on all entity types, or on a given list of entity types. + +Make sure to configure the tasks so that they are executed only on the relevant entity types, not +all of them by default. + +> For example, instead of using `AllEntityType` set to `true`, write the following: +> +> ``` +> +> +> +> +> +> ``` +> +> ``` + +### Launch incremental tasks rather than complete + +When a task is supposed to be executed on changes only, then there is no use executing the task in +complete mode. 
+ +Make the relevant tasks incremental by flagging the resources that were recently modified. +[See how to configure a job to be incremental](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md). + +> For example, instead of computing the role model as if it had never been computed before, apply +> only the changes by writing the following: +> +> ``` +> +> +> +> +> ``` +> +> ``` + +### Launch only the relevant tasks according to the logical chain + +Usercube's tasks are all linked together by a logical chain that implies that some tasks are +supposed to be executed after some others. + +Make sure to +[understand the tasks' logical chain](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) +to launch only the relevant tasks. + +> For example, there is no use computing expressions or correlations if there was beforehand no +> change in the database. Thus, there should not be +> [`UpdateEntityPropertyExpressionsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) +> or +> [`ComputeCorrelationKeysTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) +> without first +> [`SynchronizeTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) +> or +> [`FulfillTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md). + +## Rule 3: Wait for Recurring Tasks + +Inside a recurring job, there is no need including some tasks twice in order to have the whole +cycle, because the next execution will complete what has been started. 
+ +> For example, Usercube's +> [feedback loop](/docs/identitymanager/6.1/identitymanager/introduction-guide/more-info/index.md) uses +> the tasks for synchronization, computation of the role model, provisioning, then once more +> synchronization and computation of the role model. +> +> Instead of including any task twice, rather write a job with each task once, schedule a periodic +> execution of the job, and wait for the next execution to get the whole cycle. For example for the +> AD: +> +> ``` +> +> +> +> +> +> +> +> +> ... +> +> ... +> +> ... +> +> ... +> +> +> ... +> +> ``` +> +> ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md new file mode 100644 index 0000000000..3acd49692f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md 
@@ -0,0 +1,56 @@ +# Configure an Incremental Job + +This guide shows how to configure the relevant tasks to make a job incremental. + +## Overview + +When configured as such, Usercube is able to remember after synchronization which resources were +modified, i.e. created, updated and/or deleted. + +It allows future tasks to be executed only on modified resources, in order to minimize jobs' +execution times and costs. + +[See an example of a full incremental job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md). + +## Configure a Job to Be Incremental + +Configure a job to be incremental by proceeding as follows: + +1. Configure the synchronization task + ([`SynchronizeTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md)) + with `DoNotDeleteChanges` set to `true`. + + This way, Usercube keeps the list of all changed resources. + + > For example, to synchronize incrementally the Active Directory: + > + > ``` + > + > ... + > + > + > ``` + +2. Tag all changed resources by running + [`SetRecentlyModifiedFlagTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + after `SynchronizeTask`. + + > For example, following the synchronization task for the Active Directory: + > + > ``` + > + > + > + > ``` + +3. Configure the next tasks with `Dirty` set to `true` to apply them only to resources flagged as + "dirty", i.e. recently modified. + + > For example, to compute correlation keys incrementally: + > + > ``` + > + > ... + > + > + > ``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md new file mode 100644 index 0000000000..9f939cd31a --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md @@ -0,0 +1,22 @@ +# Configure Jobs + +This guide shows how to define the permissions for creating and using jobs thanks to scaffoldings. + +There are two important jobs in Usercube. The +[**Complete Job**](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) +and the +[**Incremental Job**](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md). +This two Job Synchronize and fill are using to Synchronize and fill Connectors. + +## Job Scaffoldings + +There are six scaffoldings in Usercube to automatically create jobs in the configuration: + +- A job for all connectors on an Agent + ([Complete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md)/[Incremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + mode). +- A job for a specific connector + ([Complete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)/[Incremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + mode). +- [Initialization Job](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) +- [AccessCertification Job](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) 
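Review bot: The opening sentence of configure-jobs/index.md promises "how to define the permissions for creating and using jobs", but the page only lists the job scaffoldings and never mentions permissions. Either add the permission configuration or reword the introduction to match the content. The sentence "This two Job Synchronize and fill are using to Synchronize and fill Connectors." cannot be parsed and should be rewritten to say what the Complete and Incremental jobs each do.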
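Review bot: In build-efficient-jobs/index.md (the earlier hunk, `@@ -0,0 +1,129 @@`), each example blockquote under Rule 1, under the first two Rule 2 subsections and under Rule 3 ends with a stray opening code fence after the fence that was already closed. That leaves an unclosed fence, so the following `##` headings will render as code. The fences themselves contain only empty `>` lines or `...`, so the XML announced by "write only the following:" is missing. Restore the scaffolding and task XML inside each fence and drop the trailing fence line.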
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md new file mode 100644 index 0000000000..29bf593eac --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md @@ -0,0 +1,73 @@ +# Configure the Fulfill Task for a Connector + +This guide shows how to create the adequate configuration to add the fulfill task of a given system +(here LDAP) in a job. + +For Usercube fill an LDAP somme configuration element are necessary. + +## [ResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) + +This configuration is to use the fill for the LDAP and configure the Reset Password. + +``` + + + +``` + +## Add connection information to AD Connect + +In the +[Connection Information](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) +define this section to add all information to use the AD Fulfillment. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADFulfillment": { + "Servers": [ + { + "Server": "paris.contoso.com", + "BaseDN": "DC=paris,DC=com" + } + ], + "AuthType": "Basic", + "Login": "CN=exampleCn,DC=exampleDc1,DC=exampleDc2", + "Password": "Password", + "AsAdLds": "true" + } + } +} +``` + +After defining this settings, encrypt this JSON file with +[Usercube-Protect-X509JsonFile](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md). + +## Configure The FulfillTask + +Configure The task with the same ResourceType using in ResourceTypeMapping. It's possible to use a +connector instead of ResourceType. + +``` + + + +``` + +Integrate this Task in the job that provisions the AD connector. + +``` + + ... + ... + + +``` 
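Review bot: The `appsettings.agent.json` sample pairs `"AuthType": "Basic"` with a literal `"Password": "Password"`, and the instruction to encrypt the file with Usercube-Protect-X509JsonFile only comes after the block. State before the sample that the file must not be left in clear text on the Agent, and say whether the Basic bind is expected to run over a TLS-protected connection, because the sample does not show it. In the same block, `"BaseDN": "DC=paris,DC=com"` does not correspond to `"Server": "paris.contoso.com"`; the domain components should match the server's domain. The heading "Add connection information to AD Connect" and the `ADFulfillment` key refer to AD while the guide is titled for LDAP, so pick one and use it throughout. The three XML fences (under ResourceTypeMapping, under "Configure The FulfillTask" and for the job) are empty or hold only `...`, so the reader cannot see the ResourceType the text says must match. Typos: "somme configuration element", "this settings".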
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/index.md new file mode 100644 index 0000000000..2e278b0423 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/index.md 
@@ -0,0 +1,20 @@ +# How-Tos + +These guides will help you configure tasks and jobs with practical step-by-step procedures. + +- #### [Build Efficient Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md) + Build efficient jobs by minimizing their costs.- #### + [Configure Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md) + Define the permissions for creating and using jobs thanks to scaffoldings.- #### + [Troubleshoot Connector Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) + Understand the behavior of synchronization and provisioning tasks in order to spot and fix + errors.- #### + [Configure an Incremental Job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md) + Configure the relevant tasks to make a job incremental.- #### + [Set up Complete Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) + Build the job that will synchronize the appropriate connectors in complete mode.- #### + [Set Up Incremental Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) + Build the job that will synchronize the appropriate connectors in incremental mode.- #### + [Configure the Fulfill Task for a Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md) + Create the adequate configuration to add the fulfill task of a given system (here LDAP) in a + job. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md new file mode 100644 index 0000000000..008f5d559f --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md 
@@ -0,0 +1,223 @@ +# Set up Complete Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in complete +mode. + +### 1. Objective + +Create a Synchronization Job in complete mode. This job is used to check for and fix differences in +the resources data after the incremental synchronizations. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see : +[CreateConnectorSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)) +or a job for all connectors for each agent (see : +[CreateAgentSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[Export Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). +Otherwise it is unnecessary. Choose the Export task corresponding to the connector. If the Export +uses the incremental mode, set IgnoreCookieFile to true. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the PrepareSynchronizationTask with the connector. Set `SynchronizationMode="Complete"` , +except for +[PrepareSynchronizationChangesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter. 
If it is a Synchronization Changes, or ActiveDirectory, you must +precise it with the `Type` attribute. + +If the job contain Exports for the same connector add the a link between the PrepareSynchronization +and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +For more information on PrepareSynchronization task configuration : +[PrepareSynchronization Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + +### 4. Create the Synchronization task + +Create the SynchronizeTask with the same `Type` attribute as the PrepareSynchronizationTask. For the +complete mode the parameter DoNotDeleteChanges must not be present in the task configuration. + +If the job contain Exports for the same connector add the a link between the Synchronization and the +Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[state machine](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +For more information on Synchronization task configuration : +[Synchronization Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +For more details on the Synchronization job configuration : Synchronization Job Configuration + +### 5. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entityTypes. + +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 6. 
Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. + +Example : + +``` + + + +``` + +For more information about the ComputeCorrelationKey task configuration: +[ComputeCorrelationKeysTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 7. Create the ComputeRoleModel task + +Create the ComputeRoleModel Task to create the provisioning order. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[ResourceTypes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +which have TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ComputeRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 8. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. The +ForceProvisioning parameter must not be set to true. It's the job state machine who launch this mode +if necessary. + +Example : + +``` + + + +``` + +For more information on GenerateProvisioningOrder task configuration: +[GenerateProvisioningOrdersTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + +### 9. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. 
+ +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 10. Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more +[resource classification rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. + +``` + + + +``` + +For more information on Update Classification Task : +[UpdateClassificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 11. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[profile rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +are configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. + +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[SetInternalUserProfilesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 12. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. 
+ +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md new file mode 100644 index 0000000000..9976bf7bdd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md 
@@ -0,0 +1,258 @@ +# Set Up Incremental Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in +incremental mode. + +### 1. Objective + +Create a Synchronization job in incremental mode. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see : +[CreateConnectorSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md)) +or a job for all connector for each agent (see : +[CreateAgentSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[Export Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). +Otherwise it is unnecessary. Choose the Export task corresponding to the connector. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the PrepareSynchronizationTask with the connector. Set `SynchronizationMode="Incremental"` , +except for +[PrepareSynchronizationChangesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter and LDAP connector who need complete mode. + +If the job contain Exports for the same connector add the a link between the PrepareSynchronization +and the Export to check the final state of exports. 
+ +Example : + +``` + + + +``` + +For more information on PrepareSynchronization task configuration : +[PrepareSynchronization Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + +### 4. Create the Synchronization task + +Create the SynchronizeTask corresponding to the PrepareSynchronization Task. If the +PrepareSynchronization Task is a +[PrepareSynchronizationChangesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md), +then choose the +[Synchronization Change](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), +else if it is +[PrepareSynchronizationActiveDirectoryTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +choose +[SynchronizationADDirSync](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), +else choose +[SynchronizeTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md). + +In Incremental mode, you must set the attribute `DoNotDeleteChanges="true"` + +For the Incremental mode add link between PrepareSynchronization and Synchronization task for the +same connector. If the job contain Exports for the same connector add the a link between the +Synchronization and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[state machine](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md). 
+ +For more information on Synchronization task configuration : +[Synchronization Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +### 5. Create the SetRecentlyModifiedFlag task + +Create the Set Recently Modified Flag task. + +Launching this is required only if at least one of the Synchronization in the job has made a change +in the database. + +``` + + + +``` + +For more information on SetRecentlyModifiedFlag Task : +[SetRecentlyModifiedFlag Task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + +### 6. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entitytypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 7. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. 
+ +Example : + +``` + + + +``` + +For more information about the Compute Role Model correlation keys task configuration: +[ComputeCorrelationKeysTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 8. Create the ComputeRoleModel task + +Create the ComputeRoleModely Task to create the provisioning order. Set the attribute Dirty : +`Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[ResourceTypes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +which have TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ComputeRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 9. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. + +Example : + +``` + + + +``` + +For more information on provisioning task configuration: +[GenerateProvisioningOrdersTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + +### 10. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. 
It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 11. Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more +[resource classification rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +``` + + + +``` + +For more information on Update Classification Task : +[UpdateClassificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 12. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[profile rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +are configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. + +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[SetInternalUserProfilesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 13. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. 
+ +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md new file mode 100644 index 0000000000..e55e3904ca --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md 
@@ -0,0 +1,107 @@ +# Troubleshoot Connector Jobs + +This guide helps understand the behavior of synchronization and provisioning tasks in order to spot +and fix errors. + +## Overview + +A managed system is synchronized and provisioned to/from Usercube with the following task sequence: + +![Synchronization/Provisioning Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp) + +### Export data + +Exporting means that the agent reads the system's data and takes it out to one or several external +files, as tables. + +The output is stored in `Temp/ExportOutput`. + +In order to spot what was exported or not for the next incremental export, cookie files are stored +in `Temp/ExportCookies`. + +[See the details of the export executable `Usercube-Export-Configuration`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md). + +### Prepare synchronization + +Preparing the synchronization means that the agent reads the tables, output of the export step, and +produces one file for each association (also named multi-valued navigation property), where the data +is prepared for synchronization. + +> For example, the data is sorted according to their primary keys, in order to optimize the +> comparison with the database. + +The output is stored in `Work/Collect`, and sent to the server to queue in `Work/Synchronization`. + +[See the details of the prepare-synchronization executable `Usercube-Prepare-Synchronization`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md). + +### Synchronize + +Synchronizing means reading the data of the external file, output of the preparation step, and +taking it to Usercube. + +This is done by the synchronization executable `Usercube-Synchronize`. 
+ +#### Synchronization: build the difference + +The server compares the exported files, output of the preparation step, with the previous data of +the system, and with the data contained in the database. Based on this comparison, the changes are +stored in the database. + +The output is stored in `UR_ResourceChanges`. + +#### Synchronization: finalize + +When at least one +[synchronization threshold](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md) +is exceeded, the change list can be seen in the **Synchronization Changes** tab, accessible from the +job progress screen. + +When the synchronization thresholds are not exceeded, or they are bypassed, the potential +preparatory files are consumed and the changes are applied. + +The server updates the values of the properties computed via expressions. A user's history can be +used to view the impact of this step on the properties. + +### Apply the policy + +Applying the policy means that the server prepares the correlation keys and computes the role model. + +Preparing the correlation keys means that the server recomputes the keys that will later link +accounts to their owners. The output is stored in `UP_ResourceCorrelationKeys`. + +This is done by the correlation key computation executable `Usercube-Compute-CorrelationKeys`. + +Computing the role model means that the server applies all the rules in order to assign accounts and +entitlements to identities. + +The assigned accounts and entitlements are stored in `UP_Assigned*`, and can be seen in users' +**View Permissions** tab. + +This is done by the role model computation executable `Usercube-Compute-RoleModel`. + +### Generate provisioning orders + +Generating the provisioning orders means that the server builds JSON files to prepare the execution +of provisioning. + +The output is stored in `Work/ProvisioningOrders`. + +This is done by the order generation executable `Usercube-Generate-ProvisioningOrders`. 
+ +### Provision + +Provisioning means that the agent asks the server to send the provisioning orders, in order to read +the orders and actually make modifications to the managed system. + +Once consumed, the files are moved to the subfolder `Downloaded`. + +This is done by the provisioning executables `Usercube-Fulfill-*`. + +In order to test the provisioning step, there is no need relaunching the whole task sequence. You +can, for example, keep a provisioning order from the previous step, and adjusting it before +launching provisioning. + +## Troubleshoot + +Troubleshoot an error in a connector job by running each step individually until you see something +that you did not expect. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/index.md new file mode 100644 index 0000000000..4316860f28 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/index.md 
@@ -0,0 +1,33 @@ +# Tasks & Jobs + +Usercube provides tasks to orchestrate together the executable files that perform IGA actions, and +jobs to orchestrate the tasks together. + +[See more information about tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/tasks/index.md). + +[See more information about jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +[See the list of available tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md). + +Make sure to read +[how to build efficient jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md). + +## Overview + +NETWRIX' vision for the IGA software is a customizable solution. + +The main idea of Usercube is to offer a software solution that you can tailor to your needs by +selecting IGA "blocks" and executing them in a specific order. + +This is why Usercube is not built as a monolithic software. It is made of a mosaic of small +[specialized services](https://en.wikipedia.org/wiki/Microservices), cohesive independent functions, +each one materialized into a building block of your Usercube solution. Each building block serves a +specific and well delimited IGA function. + +These building blocks are called +[tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/tasks/index.md), and can +be easily organized together and scheduled in +[jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +This approach makes for a perfectly customizable product. It also tremendously helps our users to +ease into Usercube by allowing them to understand it piece by piece. 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md new file mode 100644 index 0000000000..29efdf4e56 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md @@ -0,0 +1,38 @@ +# Jobs + +A job is a succession of tasks, to be launched and potentially scheduled, which orchestrate together +the executable files that perform IGA actions. + +## Anatomy of a Job + +Jobs are used to write sets of successive tasks, and schedule their execution. + +[See how to configure jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). + +A job can contain tasks explicitly, or contain steps used to call existing tasks in order to use a +single task in several jobs. + +## Execution + +Jobs are executed by agents. + +The agent initiates the job and executes the agent-side tasks. Hence, the agent must have access to +the relevant managed systems. The agent orders the execution of the server-side tasks, complying +with the one-way data flow principle. + +A job can be triggered: + +- once manually, through the **Job Execution** screen; +- once manually, using + [`Usercube-Invoke-Job.exe`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md); +- periodically, with Usercube's internal scheduler `CronTabExpression`; +- periodically, with an external Scheduler such as + [Windows Task Scheduler](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page). + +## Monitoring + +Any job execution is logged into the `UJ_JobInstances` table. + +They can be monitored through the UI, via the **Job Execution** page. + +# 
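Review bot: The last added line of jobs/index.md is an empty top-level heading (`+# ` right after the Monitoring section), which renders as a blank H1 at the bottom of the page; drop it. In the Execution list, "Usercube's internal scheduler `CronTabExpression`" names an attribute as if it were the scheduler, and the casing differs from the how-to pages in this same patch, which say "The job can be scheduled with the `CrontabExpression` attribute". Use one spelling, the one the XML schema actually accepts, and phrase the item as "with Usercube's internal scheduler, via the job's `CrontabExpression` attribute" (or the `CronTabExpression` form if that is the real name).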
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/tasks/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/tasks/index.md new file mode 100644 index 0000000000..2d362def23 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/tasks/index.md 
@@ -0,0 +1,50 @@ +# Tasks + +A task is Usercube's way to configure and use a given executable that performs a given IGA action. + +## Anatomy of a Task + +Each of Usercube's IGA actions is contained in a standard Windows executable file that can be +launched using PowerShell. + +The choice of a simple standard format for Usercube's building blocks makes it very easy to pick and +choose them _a la carte_ to configure the solution. + +Tasks are used to insert these blocks into Usercube's configuration, in order to be launchable via +the UI, or even scheduled to be launched automatically periodically. + +> For example, Usercube's tasks include synchronization, computation of entitlement assignments, or +> provisioning of varied managed systems. +> [See the list of all available tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md). + +[See how to configure tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md). + +## Data Consistency + +Every task is written as a +[transactional process](https://en.wikipedia.org/wiki/Transaction_processing). This means that a +task cannot be executed partially. It is either fully executed, or not executed at all. It +guarantees data consistency as data cannot be harmed by a half-executed task. + +Every task is written as an [idempotent function](https://en.wikipedia.org/wiki/Idempotence). This +means that, for a given input, applying a task one time will produce the same result as applying it +several times. It guarantees data consistency as it prevents the potential side-effects of a retry +which might occur following a network error, or a task failure. + +Every task is designed as a +[single responsibility process](https://en.wikipedia.org/wiki/Single-responsibility_principle). This +principle ensures that two distinct tasks do not have an effect on similar pieces of the system. 
+This guarantees data consistency by avoiding incompatible changes to be committed by different tasks +at the same time. For the same reasons, a given task cannot be executed twice simultaneously. + +## Task Modes + +Two distinct modes exist to execute tasks inside jobs: + +- In complete mode, tasks process whole inputs with all data. +- In incremental mode, tasks only consider the changes that occurred since their last execution. + This mode is not available for all tasks. + +Both modes can be performed considering potential filters if said tasks involve a specific selection +of data instead of whole inputs. The difference between these modes lies in the consideration of all +data for the complete mode, versus only the last changes for the incremental mode. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/bindings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/bindings/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/bindings/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/bindings/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md new file mode 100644 index 0000000000..f8cbbd3461 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md 
@@ -0,0 +1,71 @@ +# C# utility functions + +These functions can be called in any C# expression specified in the configuration (see +[Expression attributes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md)) + +These are static functions defined in the class `Usercube.Expressions.Functions.UtilExpressions`. + +The way these functions are configured, they require the `UtilExpressions` prefix, but not +necessarily the rest (`Usercube.Expressions.Functions`). However, using the full namespace would +also work. + +For example, you could use `UtilExpressions.BuildUsername(...)` as shown in the example below. + +[LinQ methods](https://docs.microsoft.com/en-us/dotnet/api/system.linq.enumerable?view=net-8.0) can +be used, without needing to add a prefix. + +## BuildUsername + +Builds a username by concatenating a first name, a separator, a last name and a possible suffix. + +First name and last name are simplified using the +[Simplify](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) +function. + +``` +string? BuildUsername(string? firstName, string? lastName, string? separator, string? suffix, int? iteration) +``` + +The iteration argument is usually used in a +[BuildUniqueValue](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md) +aspect. If the iteration number is greater than 0, it is inserted after the last name. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` + +## BuildUsernameWithInitials + +Builds a username by concatenating a first name initials, a separator, a last name and a possible +suffix. + +Hyphenated first names are accepted (In this case, we consider the initial of each first name). + +``` +string? BuildUsernameWithInitials(string? firstName, string? lastName, string? separator, string? suffix, int? maxLength, int? 
iteration) +``` + +The `maxLength` argument limits the length of the username. + +The iteration argument is usually used in a +[BuildUniqueValue](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md) +aspect. If it is greater than 0, we use several letters of the first name avoiding as much as +possible to insert a number in the built username. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md new file mode 100644 index 0000000000..1379dc9ca1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md 
@@ -0,0 +1,275 @@ +# Expressions + +Expressions are a way to define the attributes whose values must be computed based on other +attributes. + +## Overview + +In Usercube's XML configuration, some attributes are defined with expressions. Expression attributes +do not take a plain string value, but rather an expression that computes a value based on a given +input. + +> Typical examples can be found in +> [entity property expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) +> and +> [scalar rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + +Every expression must be passed at least one argument and return at least one value. + +The expression can either be provided as a +[built-in function](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) +or as a full-fledged `C#` expression. See the list of available +[C# utility functions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) +and +[functions predefined by Usercube](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md). + +When changing the value of a property that is part of some expressions in the configuration, do not +expect to see all expressions recomputed right away. + +In order to ensure the recomputation of all expressions based on the recent change, wait for the +next run of **Update Expressions** in the complete job or through the corresponding connector's +overview page. + +### Expressions in the UI + +In the UI, the attributes that can be defined with an expression show two fields: `Property Path` +and `Expression`. 
+ +> For example, the source object of a scalar rule based on user records is displayed: +> +> ![Property Path and Expression](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp) + +The field `Property Path` is usually filled in with the **+** button only when the rule involves one +single attribute. If the object involves more than one attribute, then the attributes are to be +written in `Expression` (C#), with the help of +[predefined simple transformations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md). + +> The first example defines the source object as simply the user record's `Login` property, while +> the second defines the source object with an expression based on the user record's first and last +> names: +> +> ![Property Path Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp) +> +> ![Expression Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp) + +### Expressions in XML + +In XML, inside the C# expressions, make sure to escape `"` characters by writing them as `"`. + +> For example: +> +> ``` +> +> +> ``` + +### Nullability checks + +Nullability checks constitute a common area for improvement in C# expressions, rather easy to +implement. + +See Microsoft documentation on +[nullable reference types](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/nullable-reference-types) +and more precisely on +[nullable operators](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#nullable-operators). + +> For example, the following scalar rule computes the value of users' email addresses via a C# +> expression. 
The `?` characters cut the operations short by returning `null` when one of the chain +> members returns `null`, thus preventing errors. +> +> ``` +> +> +> ``` + +## Built-in Functions + +Usercube provides a set of +[built-in function](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) +that implement basic expressions. They can be used as-is or be included in a C# expression. + +Usercube's engine automatically passes the main argument to the function during the computation, but +extra arguments can be provided using the following syntax: + +`function name : arg2 | arg3 | ...` + +### Example + +_Plain built-in function_ + +``` + +// transform string to uppercase +Expression="ToUpper" + +``` + +_Built-in function with parameters_ + +``` + +// add 1440 minutes to a date formated as dd/MM/yyyy +Expression="ParseLocalDateThenAddMinutes:Romance Standard Time|dd/MM/yyyy|1440" + +``` + +## C# Expressions + +More complex expressions can be written as ad-hoc C# code according to the following rules: + +- The expression is prefixed by `C#:ParameterName:` where `ParameterName` is the variable name + pointing to the input value. +- The expression has to return a value + +> For example: +> +> ``` +> +> // user full name +> C#:user:return user.FirstName+" "+user.LastName; +> +> ``` + +### QueryHandler + +Expression can includes squeries, using the QueryHandler service. + +> For example, to query the employee type whose `Identifier` is `CDI`: +> +> ``` +> +> C#:user: +> var resources = queryHandler.Select("Select Id Where Identifier=\"CDI\""); +> return resources.FirstOrDefault()?.Id; +> +> ``` + +> Another example, to query the organization whose `Identifier` is `23040`: +> +> ``` +> +> C#:return queryHandler.Select("Select Identifier Where Id=23040").FirstOrDefault()?.Identifier; +> +> ``` + +### Logger service + +Usercube provides a logger service called "logger" to debug C# expressions. 
+ +> For example: +> +> ``` +> +> C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name; +> +> ``` + +### White list + +.NET libraries from the following white list can be used + +**Authorized Namespaces** + +_Every class and function from the following namespaces is allowed:_ + +- `System.Linq` +- `System.Text.RegularExpressions` + +**Authorized Classes** + +_Beyond the authorized namespaces, the following classes can be used_: + +- `System.Convert` +- `System.Reflection.AssemblyFileVersionAttribute` +- `System.Reflection.AssemblyVersionAttribute` +- `System.Reflection.AssemblyCopyrightAttribute` +- `System.Reflection.AssemblyProductAttribute` +- `System.Reflection.AssemblyCompanyAttribute` +- `System.Reflection.AssemblyTitleAttribute` +- `System.Char` +- `Usercube.Expressions.Functions.UtilExpressions` +- `System.Nullable` +- `System.String` +- `System.Int32` +- `System.Random` + +**Authorized Methods** + +_Beyond the authorized classes, the following methods can be used_: + +- `System.Convert` +- `Microsoft.Extensions.Logging.LoggerExtensions.LogDebug` +- `System.DateTime.Add` +- `System.DateTime.AddDays` +- `System.DateTime.AddHours` +- `System.DateTime.AddMicroseconds` +- `System.DateTime.AddMilliseconds` +- `System.DateTime.AddMinutes` +- `System.DateTime.AddMonths` +- `System.DateTime.AddSeconds` +- `System.DateTime.AddTicks` +- `System.DateTime.AddYears` +- `System.DateTime.Compare` +- `System.DateTime.CompareTo` +- `System.DateTime.DaysInMonth` +- `System.DateTime.Equals` +- `System.DateTime.GetDateTimeFormats` +- `System.DateTime.ToUniversalTime` +- `System.DateTime.ToString` + +Trying to use code from outside this white list would yield the following error during computation: + +`the Method Name : ... Parent Class : ... NameSpace : ... 
used are not authorized` + +## Literal Expression + +### Overview + +To avoid the use of a C# expression when the parameter is not needed, simple literal values can be +written as literal expressions according to the following rules: + +- The expression is prefixed by the `Literal:` tag. +- The expression value must be valid according to the expected type of the property to which the + expression applies. For example, `Literal:five` does not work for an `Int` property. + +Literal expressions are available for +[`ScalarRule`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md), +[`QueryRule`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +and +[`EntityPropertyExpression`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +expressions whose target +[`EntityProperty`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)`Type` +attribute is of the following : + +- String = 0 +- Bytes = 1 +- Int32 = 2 +- Int64 = 3 +- Bool = 5 +- Guid = 6 +- Double = 7 +- Byte = 9 +- Int16 = 10 +- ForeignKey = 12 + +Literal expressions are not available for +[`QueryRule`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md)`TargetExpression` +attribute, only `SourceExpression`. Literal expressions are not available for rules targeting a +`DateTime` or `Binary` property. + +#### Example + +``` + + + + + + + + + +``` + +Literal expressions targeting `String` properties can accept any value, since it is already a string +in the configuration. 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md new file mode 100644 index 0000000000..93c96c6457 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md 
@@ -0,0 +1,47 @@ +# Predefined functions + +Usercube provides a set of predefined functions that simplify the configuration of entity property +expressions and scalar rules. See the +[ EntityType ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and +[Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topics for additional information. + +Unlike C# expressions, Usercube's predefined functions do not need any prefix. They can be used as +such. See the +[ C# utility functions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) +topic for additional information. + +### Examples + +The following example shows two predefined functions. The first function normalizes the HR_Person +FirstName. The other one converts the end date into a UTC date and adds 1440 minutes. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     + +``` + +The following table summarizes existing predefined functions: + +| Name | Description | Parameters | Return type | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | -------------------- | -------------- | -------- | +| ToUpper | Returns the input string converted to uppercase, using the current culture. | None | String | +| ToLower | Returns the input string converted to lowercase, using the current culture. | None | String | +| Simplify | Returns the input string converted to uppercase, removing all whitespace and special characters, and replacing diacritics. 
| None | String | +| RemoveDiacritics | Replaces all the éèçàù by eecau, ä by ae, Ä by AE, ö by oe, Ö by OE, ü by ue, Ü by UE, č by c, Č by C, ø by o, Ø by O, ł by l, Ł by L, ß by ss, æ by ae, Æ by AE, œ by oe, Œ by OE, š by sh, and Š by SH. | None | String | +| ToDoubleMetaphone | An implementation of Double Metaphone phonetic algorithm. | None | String | +| ToSoundex | An implementation of Soundex phonetic algorithm. | None | String | +| ToFirstName | Normalizes a first name (first character of each word in uppercase) separated with ‘-’ and the right accents. | None | String | +| ToTitle | Puts the first character in uppercase. | None | String | +| ToFormatedDN | Returns the input string converted to Distinguished Name format. | None | String | +| ParseLocalDate | Converts the specified string representation of a date and time to its DateTime equivalent using the specified parameters. | Time zone identifier | Input string format. | DateTime | +| ParseLocalDateThenAddMinutes | Converts the input string into a DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| ParseUniversalDate | Converts the specified string representation of a date and time to its Coordinated Universal Time (UTC). | Input string format. | DateTime | +| ParseUniversalDateThenAddMinutes | Converts the input string into an UTC DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| FormatLocalDate | Converts the specified string into a local DateTime. | Time zone identifier | Input string format. | DateTime | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/file-hierarchy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/file-hierarchy/index.md new file mode 100644 index 0000000000..b3f7e99e45 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/file-hierarchy/index.md 
@@ -0,0 +1,30 @@ +# Hierarchy in Configuration Files + +Every configuration's element falls under the ` urn:schemas-usercube-com:configuration` namespace. +Element `` is the root element of each configuration file. + +``` + + ... + + +``` + +Each configuration element matches to an entry in the database. Detailed description of the element +can be found in the +[Data model part of this documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/index.md). + +For exemple, structure of the `` element wil be found +[here](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md). + +In some case, the element name will not match directly the data model type name. + +For exemple, the element `` in the following XML fragment is a +[AccessControlEntry](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +item in the database. + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md new file mode 100644 index 0000000000..5e0e6dcefe --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md 
@@ -0,0 +1,178 @@ +# Adjust Scaffolded Configuration + +This guide shows how to adjust the XML configuration elements created by scaffoldings. + +## Overview + +A scaffolding is an XML element that will generate a complex XML fragment. It is like a +configuration shortcut that helps configure easily a set of XML elements that are usually configured +together. + +[See the list of all existing scaffoldings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md). + +In most situations, scaffoldings are enough to generate the configuration required to meet the +functional needs. + +However, in some cases, scaffoldings do not meet the exact needs and must be adjusted to generate +the right XML configuration. + +NETWRIX recommends writing XML configuration by first using scaffoldings, adjusting it if needed, +and as a last resort, when no scaffolding meets the needs, writing the configuration manually. + +## Adjust Scaffolded Configuration + +Adjust XML configuration generated by a scaffolding by proceeding as follows: + +1. When working via the UI, start by + [exporting UI configuration elements](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md). +2. Write an XML element whose identifier is the same as the one generated by the scaffolding. + + Any identifier can be found on the + [documentation page of the corresponding scaffolding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md), + in the section displaying the generated XML fragment. + +3. Add `ConsolidationMode` to the element's properties. + + - By default, the XML item written manually completely replaces the one generated by the + scaffolding. + + The default behavior should be used when needing to rewrite one or a few of the items + generated by a scaffolding, not all of them. 
+ + When needing to rewrite the scaffolding's whole output, just remove the scaffolding and + write the item(s) manually. + + > For example, the `ViewTemplateAdaptable` scaffolding generates, for the `LDAP_Entry` + > entity type, a default display name for all LDAP resources, a display table to view the + > resources, and the corresponding permissions to access the table. Supposing that the + > resulting display table does not fit the needs, we could need to write a customized + > display table from scratch: + > + > ``` + > + > + > + > + > + > + > + > ```` + > + > + > The display table's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display table ```LDAP_Entry``` is defined by the `````` properties written manually here, as well as its `````` child elements written manually here. + > ```` + + > Still from the `ViewTemplateAdaptable` scaffolding, suppose now that the default display + > name does not fit the needs, then we could write a customized display name from scratch: + > + > ``` + > + > + > + > ```` + > + > + > The entity property expression's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display name ```LDAP_Entry_InternalDisplayName``` is defined by the `````` properties written manually here. + > ```` + + - Set to `Merge`, the XML item generated by the scaffolding is completed with additional parent + properties and/or child elements written manually, while keeping the parent properties and the + child elements defined in the scaffolding. + + > For example, the `WorkforceModule` scaffolding generates the `Directory_User` entity type + > (among other things) with a specific set of properties. We could choose to add some + > properties in the entity type: + > + > ``` + > + > + > + > + > + > + > ```` + > + > + > The entity type's identifier must be the same as the one generated by the scaffolding. 
Then the entity type ```Directory_User``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the properties written manually here. + > ```` + + > The `WorkforceModule` scaffolding also generates the + > `Directory_UserRecord_UniqueValue_Email` aspect (among other things) that uses unicity + > check rules to generate a unique email address for each new user. We could choose to add a + > unicity check rule in the aspect to compare the new email address to the existing ones + > from Microsoft Entra ID (formerly Microsoft Azure AD): + > + > ``` + > + > + > SourceExpression="C#:record:var firstName = + > record.FirstName.Simplify()?.ToLowerInvariant(); var lastName = + > record.LastName.Simplify()?.ToLowerInvariant(); if (string.IsNullOrEmpty(firstName) || + > string.IsNullOrEmpty(lastName)) { /_ Data missing _/ return null; } + > + > var result = firstName + "." + lastName; + > if (iteration > 0) + > { + > result += iteration.ToString(); + > } + > + > return result;" TargetEntityType="MicrosoftEntraID_DirectoryObject" TargetExpression="C#:azure_ad: + > if(string.IsNullOrEmpty(azure_ad.mail)) + > { + > return null; + > } + > + > var result = azure_ad.mail; + > var index = result.IndexOf('@'); + > if(index >=0) + > { + > result = result.Substring(0, index); + > } + > + > return result;" /> + > + > ```` + > + > + > The aspect's identifier must be the same as the one generated by the scaffolding. Then the aspect ```Directory_UserRecord_UniqueValue_Email``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the unicity check rule written manually here. + > ```` + + - Set to `Update`, the XML item written manually replaces all parent properties, while keeping + the child elements defined in the scaffolding. 
+ + > For example, the `OptimizeDisplayTable` scaffolding generates the `Directory_User` display + > entity type (among other things) with a specific set of properties. We could choose to + > change just the parent properties of the display entity type without changing its child + > properties: + > + > ``` + > + > + > + > ```` + > + > + > The display entity type's identifier must be the same as the one generated by the scaffolding. Then the display entity type ```Directory_User``` is defined by the `````` properties written manually here, as well as the `````` child elements written in the scaffolding. + > ```` + + - Set to `Delete`, the XML item generated by the scaffolding is deleted, including its child + elements. + + > For example, the `AssignProfileAccessControlRules` scaffolding generates the + > `Administrator_Category_AccessControl_AssignedProfile` access control rule (among other + > things) with possibly child elements. We could choose to remove the whole access control + > rule: + > + > ``` + > + > + > + > ```` + > + > + > The access control rule's identifier must be the same as the one generated by the scaffolding. Then the access control rule ```Administrator_Category_AccessControl_AssignedProfile``` is completely removed. + > ```` + +4. [Deploy the configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + again. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md new file mode 100644 index 0000000000..418f9b2034 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md 
@@ -0,0 +1,102 @@ +# Deploy the Configuration + +This guide shows how to deploy the XML configuration, in order to build and use the Usercube +application. + +## Overview + +The process for configuration deployment varies according to the situation: + +- when working on-premise, the configuration must be deployed locally; +- when working SaaS, the configuration must be deployed remotely. + +## Deploy the Configuration Locally + +Deploy a local XML configuration by using the +[`Deploy-Configuration` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) +and declaring at least: + +- the configuration directory; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +> +> ``` + +## Deploy the Configuration Remotely + +Deploy a SaaS XML configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [`Login` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md). + + Usercube provides an Open Id Connect (OIDC) authentication process in order to ensure strong + security, visibility and ease of use. + + NETWRIX recommends using Usercube's dedicated in-house OIDC Identity Provider (IDP), but you can + also use your own IDP if you want to manage authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Usercube's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32 + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Usercube's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Usercube administrator. + + The administrator will add the identity information to the configuration of your Usercube + instance, to allow the configuration deployment/export. + +4. Deploy the configuration by using the + [`Deploy-Configuration` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + and declaring at least: + + - the configuration directory; + - the deployment environment; + - the API URL of your Usercube instance. 
+ > ``` + > + > ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --api-url https://my_usercube_instance.com --deployment-slot Development + > + > ``` + + You can deploy the configuration by launching only the `Deploy-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before deploying again. + + The token served by Usercube's IDP expires after one hour. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md new file mode 100644 index 0000000000..eb47c267a8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md 
@@ -0,0 +1,102 @@ +# Export the Configuration + +This guide shows how to export the configuration as XML files to a given folder. + +## Overview + +The process for configuration export varies according to the situation: + +- when working on-premise, the configuration must be exported locally; +- when working SaaS, the configuration must be exported remotely. + +[See more details on configuration export](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md). + +## Export the Configuration Locally + +Export your configuration by using the +[`Export-Configuration` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md) +and declaring at least: + +- the directory where the configuration is to be exported to; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" +> +> ``` + +## Export the Configuration Remotely + +Export a SaaS configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [`Login` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/login/index.md). + + Usercube provides an Open Id Connect (OIDC) authentication process in order to ensure strong + security, visibility and ease of use. + + NETWRIX recommends using Usercube's dedicated in-house OIDC Identity Provider (IDP), but you can + also use your own IDP if you want to manage authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Usercube's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32 + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Usercube's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Usercube administrator. + + The administrator will add the identity information to the configuration of your Usercube + instance, to allow the configuration deployment/export. + +4. Export the configuration by using the + [`Export-Configuration` executable](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md) + and declaring at least: + + - the configuration directory; + - the API URL of your Usercube instance. 
+ > ``` + > + > ./identitymanager-Export-Configuration.exe -d "C:\Usercube\ExportedConf" --api-url https://my_usercube_instance.com + > + > ``` + + You can export the configuration by launching only the `Export-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before exporting again. + + The token served by Usercube's IDP expires after one hour. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/index.md new file mode 100644 index 0000000000..f685a8c225 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/index.md @@ -0,0 +1,11 @@ +# How-Tos + +These guides will help you build and use the XML configuration with practical step-by-step +procedures. + +- #### [Deploy the Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md) + Import the XML configuration to build and use the Usercube application.- #### + [Export the Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) + Generate in a folder the XML files based on the configuration found in the database.- #### + [Adjust Scaffolded Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md) + Adjust the XML configuration elements created by scaffoldings. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md new file mode 100644 index 0000000000..2b0767488d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/index.md 
@@ -0,0 +1,19 @@ +# Toolkit for XML Configuration + +A Usercube configuration is **a set of XML files** edited according the **Usercube schema**. The +[recommendations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/recommendations/index.md) +part of this section explains how to set up an editing environment for the configuration. + +Regardless of the editing space, the **configuration persists in the Usercube database**. It's this +stored configuration that is used at runtime. + +The +[Deploy configuration tool](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) +is used to **import** a new version of the configuration (from the XML files set). The +[Export configuration tool](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md) +can be used to **export** the current configuration (to a XML files set). + +The Usercube project's integration cycle consists in developing a configuration by successive +imports in a test instance. + +![Integration cycle](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/configurationcycle.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/languages/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/languages/index.md new file mode 100644 index 0000000000..c079b120f2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/languages/index.md 
@@ -0,0 +1,29 @@ +# Languages + +Some configuration string must be specified in multiple languages. For this, the name of the +corresponding XML attribute is suffixed by `_L1`, `_L2`,... `_L8`. For example, the property +`DisplayName` of an +[EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +can be specified in English and French: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... + +``` + +Languages list must be specified by +[Language](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +elements. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +The code is a combination of an ISO 639 two-letter lowercase culture code associated with a language +and an ISO 3166 two-letter uppercase subculture code associated with a country or region. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md new file mode 100644 index 0000000000..fa414adeeb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md 
@@ -0,0 +1,67 @@ +# Base32 Parameter Names + +## Base32 Parameter Names + +Some attributes names in the applicative configuration, such a those related to dimensions +identification, are written using a +[Base32 representation of numbers](https://en.wikipedia.org/wiki/Base32). + +Usercube uses flavor of base32 known as **base32hex** described in the +[RFC4648](https://tools.ietf.org/html/rfc4648#rfc4648). + +It uses 10 digits from 0 to 9 and 22 letters from A to V to represent numbers. + +The following table shows the decimal - base32hex equivalent for the first 127 numbers. + +| base32hex | decimal | +| --------- | ------- | +| 0 | 0 | +| 1 | 1 | +| 2 | 2 | +| 3 | 3 | +| 4 | 4 | +| 5 | 5 | +| 6 | 6 | +| 7 | 7 | +| 8 | 8 | +| 9 | 9 | +| a | 10 | +| b | 11 | +| c | 12 | +| d | 13 | +| e | 14 | +| f | 15 | +| g | 16 | +| h | 17 | +| i | 18 | +| j | 19 | +| k | 20 | +| l | 21 | +| m | 22 | +| n | 23 | +| o | 24 | +| p | 25 | +| q | 26 | +| r | 27 | +| s | 28 | +| t | 29 | +| u | 30 | +| v | 31 | +| 10 | 32 | +| 11 | 33 | +| � | � | +| 1A | 42 | +| � | � | +| 20 | 64 | +| � | � | +| 2A | 74 | +| � | � | +| 3V | 127 | + +For example, dimensions are identified by a number going from 0 to 127 in decimal representation and +0 to 3V in base32hex representation. + +The +[ContextRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +support _128_ dimension parameters going from `B0` to `B3V` using the **base32hex**`0` to `3V` +numbers to identify a dimension. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/recommendations/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/recommendations/index.md new file mode 100644 index 0000000000..a912b378d0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/recommendations/index.md 
@@ -0,0 +1,75 @@ +# Recommendations + +## Editor + +[Visual Studio Code](https://code.visualstudio.com/) is the recommended editor for configuration. +Its extensions can highly benefit the configuration experience. NETWRIX recommends the following +extensions: + +- [Project Manager](https://marketplace.visualstudio.com/items?itemName=alefragnani.project-manager) + for file organization; +- [Xml Tools](https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml) for XML + formatting; +- [XML](https://marketplace.visualstudio.com/items?itemName=rogalmic.vscode-xml-complete) by RedHat + to provide auto-completion of XML configuration based on an XSD file; +- [Powershell](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell) for + Powershell formatting; +- [Rainbow CSV](https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv) for CSV + formatting; +- [GitLens](https://marketplace.visualstudio.com/items?itemName=eamodio.gitlens) for file history + features. + +### Configure auto-completion + +RedHat's XML extension provides auto-completion based on an XSD file. It opens an auto-completion +popup when you start to edit an element or attribute name. You can open the popup by typing +`Ctrl-Space`. + +![Auto-complete](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp) + +Configure auto-completion by proceeding as follows: + +1. Retrieve from the SDK artifact the `usercube-configuration.xsd` and + `Usercube.Demo.code-workspace` files. +2. Make sure that these files are in the working directory (for example `C:/identitymanagerDemo`). +3. 
In `Usercube.Demo.code-workspace`, declare the following setting, replacing the path + `C:/identitymanagerDemo/identitymanager-configuration.xsd` by the path of your XSD file: + + ``` + + "settings": { + "xml.fileAssociations": [ + { + "systemId": "file:///C:/identitymanagerDemo/identitymanager-configuration.xsd", + "pattern": "**/*.xml" + } + ] + } + + ``` + +## Version Control System + +A version control system (like Git) is also recommended so files and configuration history could be +tracked. + +## File Hierarchy + +Some folders in the XML configuration contain files that are generated by Usercube and that must not +be modified manually: + +- `Runtime/Workforce` +- `Runtime/Bootstrap` + +For the configuration to be more readable it is recommended to classify configuration by Connector +or Application Entity. For each Connector or Application Entity create a folder in which will put: + +- **_Connector.xml_** file containing the definition of the Connector, the EntityTypes,the + EntityAssociations and their mappings. +- **_Administrator.xml_** file containing all the ACE for the administrator profile. +- **_Role Model.xml_** file containing the role model configuration. +- **_UI.xml_** file containing the User Interface configuration. +- **_Jobs.xml_** file containing the jobs configuration. +- **_Workflows.xml_** file containing the Workflows configuration for the given connector. + +![Recommendation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md new file mode 100644 index 0000000000..7acab4c99f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md 
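Review bot: In toolkit/recommendations/index.md, step 1 of "Configure auto-completion" tells the reader to retrieve `usercube-configuration.xsd`, but step 3 and the `systemId` value point at `identitymanager-configuration.xsd`, so following the steps verbatim associates `**/*.xml` with a file that is not in the working directory. Use one file name throughout, matching what the SDK artifact ships. Two smaller points: the extension described as "by RedHat" links to `rogalmic.vscode-xml-complete`, so either the link or the attribution is wrong, and in the File Hierarchy section "create a folder in which will put" is missing its subject.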
@@ -0,0 +1,51 @@ +# Reserved identifiers + +Identifiers of +[EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and +[EntityProperty](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +cannot be one of the following words: + +These words can't be written in any case, example: id, Id, iD and ID are forbidden. + +- Id +- if +- for +- while +- return +- break +- else +- continue +- ref +- out +- class +- interface +- struct +- foreach +- do +- char +- byte +- string +- int +- long +- null +- public +- private +- protected +- static +- const +- abstract +- try +- catch +- sealed +- void +- true +- false +- finally +- throw +- Exception +- override +- readonly +- return +- enum +- delegate diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md new file mode 100644 index 0000000000..01057b99ce --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md 
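Review bot: In toolkit/reservedidentifiers/index.md the list contains `return` twice (after `while` and again before `enum`), and the EntityProperty link targets `metadata/entitytype/index.md`, the same page as the EntityType link. Drop the duplicate and point the second link at the EntityProperty topic or section. The sentence about letter case sits between "cannot be one of the following words:" and the list it introduces; fold it into the lead-in, for example "in any letter case (id, Id, iD and ID are all forbidden)", so the colon is followed directly by the list.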
@@ -0,0 +1,32 @@ +# AccessCertificationDataFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the specific +entitlements attributes. + +## Properties + +| Property | Details | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| Category optional | **Type** Int64 **Description** Specifies the category targeted by the filter. | +| IncludeCompositeRoles default value: false | **Type** Boolean **Description** `true` to include the composite roles in the certification. | +| IncludeDeniedPermissions default value: true | **Type** Boolean **Description** Filters items with denied permissions from Access Certification Campaign. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with two validations in the certification. | +| IncludeManualAssignmentNotAllowed default value: true | **Type** Boolean **Description** `true` to include in the certification the resources that cannot be requested manually, i.e. those from [resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) with `ApprovalWorkflowType` set to `ManualAssignmentNotAllowed`. | +| IncludeNestedCategories default value: false | **Type** Boolean **Description** When a category is used as filter, all its nested categories are also included in the campaign. 
| +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements without validation in the certification. | +| IncludeResourceNavigations default value: false | **Type** Boolean **Description** `true` to include the resource navigations in the certification. | +| IncludeResourceScalars default value: false | **Type** Boolean **Description** `true` to include the resource scalars in the certification. | +| IncludeResourceTypes default value: false | **Type** Boolean **Description** `true` to include the resource types in the certification. | +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with one validation in the certification. | +| IncludeSingleRoles default value: false | **Type** Boolean **Description** `true` to include the single roles in the certification. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with three validations in the certification. | +| IncludeWorkflowStateApproved default value: true | **Type** Boolean **Description** `true` to include the manually approved assignments of entitlements in the certification. | +| IncludeWorkflowStateFound default value: true | **Type** Boolean **Description** `true` to include the reconciled assignments of entitlements in the certification. | +| IncludeWorkflowStateHistory default value: true | **Type** Boolean **Description** `true` to include the preexisting approved assignments of entitlements in the certification. | +| IncludeWorkflowStatePolicyApproved default value: true | **Type** Boolean **Description** `true` to include the automatically approved assignments of entitlements in the certification. | +| LatestCertifiedLimitDate optional | **Type** DateTime **Description** If specified, only assignments of entitlements not certified since. 
| +| ResourceType optional | **Type** Int64 **Description** Specifies the resource type targeted by the filter. | +| Tags optional | **Type** String **Description** Tags of the roles targeted by the campaign filter. The tag separator is `�`. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md new file mode 100644 index 0000000000..42a23f62b6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md 
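Review bot: In access-certification/accesscertificationdatafilter/index.md three property descriptions cannot be acted on as written. `IncludeDeniedPermissions` (default `true`) says it "Filters items with denied permissions from Access Certification Campaign", which reads as exclusion while the name and default suggest inclusion; `LatestCertifiedLimitDate` stops at "not certified since." without saying since what; and the `Tags` separator is shown as `�`, so the actual character is lost. These properties decide which entitlements are put in front of a reviewer, so state each one in the "`true` to include ..." form used by the neighbouring rows and give the literal separator character.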
@@ -0,0 +1,18 @@ +# AccessCertificationOwnerFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the +attributes of entitlements owner. + +## Properties + +| Property | Details | +| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| D0 optional | **Type** Int64 **Description** Identifier of the dimension 0 (up to 3V in [base32hex](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)) that filters the owners targeted by the access certification campaign. | +| IndividualOwner optional | **Type** Int64 **Description** If set, filters on the owner. | +| L0 default value: false | **Type** Boolean **Description** `true` to include all the hierarchy beneath the dimension 0. **Note:** this setting can be used only if the corresponding [dimension](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) was declared with `IsHierarchical` set to `true` and with a `ParentProperty`. | +| MinimalRiskScore optional | **Type** Int32 **Description** If set, filters only owners above given risk. | +| OwnerLastModificationDate optional | **Type** DateTime **Description** Date such that the identities to be certified will be those for which the value of the `OwnerLastModificationDateBinding` property was modified since then. **Note:** must be set together with `OwnerLastModificationDateBinding`. 
| +| OwnerLastModificationDateBinding optional | **Type** Int64 **Description** Binding of the property whose owner will be part of the campaign's targets, if the property's value was modified since `OwnerLastModificationDate`. **Note:** must be set together with `OwnerLastModificationDate`. **Note:** the properties calculated by Usercube cannot be used. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md new file mode 100644 index 0000000000..3e06c7a451 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md @@ -0,0 +1,5 @@ +# Access Certification + +- #### [AccessCertificationCampaignPolicy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md) +- #### [AccessCertificationDataFilter](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) +- #### [AccessCertificationOwnerFilter](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md) 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md new file mode 100644 index 0000000000..5cfb96bb71 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md 
@@ -0,0 +1,206 @@ +# AccessControlRule + +An access control rule gives to a profile a set of permissions on a data set represented by an +entity type. + +The rule contains filters to restrict its application, and entries to grant or deny the permissions. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +               + +``` + +## Properties + +| Property | Type | Description | +| ----------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the access control rule in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type that forms the data set on which the rule's permissions are applied. **NOTE:** The entity type can be part of the custom entity model, e.g. `Directory_User` or `AD_Entry`, or part of the built-in entity model, e.g. `AssignedSingleRole` or `Workflows` or `AccessCertificationItem`. | +| Identifier required | String | Unique identifier of the access control. | +| Profile required | Int64 | The id of the profile to which the permissions will be given. | + +## Child Element: Entry + +AccessControlEntry grants or denies a permission to a user. Access Control Entries are part of an +Access Control Rule that defines the users scope of responsibility in the Usercube UI/Workflows. + +**NOTE:** If your configuration contains an access control entry with `Permission="/"` and +`CanExecute="true"` then an error will occur during the configuration deployment, as a profile +should not possess such a big permission. 
+ +### Properties + +| Property | Type | Description | +| ----------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------- | +| CanExecute default value: false | Boolean | Gives permission to execute permission. | +| FullAccessProperties default value: false | Boolean | Gives full access to all properties. | +| IsPostCondition default value: true | Boolean | If true, the rule is evaluated on the entity after modification. | +| IsPreCondition default value: true | Boolean | If true, the rule is evaluated on the entity before modification. | +| Notify default value: true | Boolean | True to send notification emails to the rule's recipient profile when executing tasks related to the specified Permission. | +| Permission required | Int64 | Linked Permission. | +| Priority default value: 0 | Int32 | When a user has several contexts giving him access to the same right, the one with the highest priority is elected. | +| PropertyGroup optional | Int64 | Gives the right to read for the PropertyGroup. | + +## Child Element: Filter + +An access control filter restricts the application of the access control rule to a given subset of +the data set. The rule will give the specified permissions to the profile only on the parts of the +rule's data set for which the filter's condition is met. + +_Remember,_ the ViewHistory permission (/Custom/Resources/Entity_Type/ViewHistory) does not work if +a filter is added. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +``` + +This condition is actually a comparison expression between two elements: + +- The value of a property which is originating from an entity targeted by the rule +- A comparison value that can be constant, or originating from the user profile + +![Access Control Filter Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp) + +### Examples + +Filter on a constant value + +The following example gives to the `Administrator` profile certain permissions on user data, but +only concerning users working in the marketing department. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on users from +`Directory_User` whose `Code` of `MainOrganization` is `Marketing`. + +Filter on the account of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users from the team managed by the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users' +records from `Directory_UserRecord` whose `Id` of `Manager` is the identifier of the account used by +the current user to authenticate to Usercube. + +Filter on the context(s) of the assigned profile(s) of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users working in the same department as the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users from +`Directory_User` whose `Id` of `MainDepartment` is the same identifier as the value set for the +`Department` dimension of the current user, in at least one of their assigned profiles. + +For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension +set to `Treasury/Chief Economist`. + +![Matching Assigned Profile](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp) + +Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users +whose main department is `Treasury/Chief Economist`. + +The following example gives to the `RoleOfficerByCategory` profile certain permissions on assigned +single roles, but only concerning the roles of a category assigned to the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value +set for the `Category` property of the current user, in at least one of their assigned profiles. + +Multiple filters + +The following example gives to the `RoleOfficerByCategory` profile the permission to review the +roles of users from `Directory_User`, but only the roles of a category assigned to the current user, +and whose assignment is stated as pending the first approval out of 1, 2 or 3. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +     +   +     +   +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles: + +- Whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value set for the + `Category` property of the current user, in at least one of their assigned profiles, and +- Whose `WorkflowState` is set to 8 or 9 or 11, which mean respectively pending approval 1/1, 1/2 + and 1/3. + +### Properties + +| Property | Type | Description | +| ---------------------------------- | --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | Int64 | Binding of the property whose value is to be checked to restrict the application of the rule's permissions. **NOTE:** The binding must be based on the entity type defined in the access control rule. | +| Category default value: false | Boolean | True to compare the value specified by the binding to the categories of the current user's assigned profiles. | +| CompositeRole default value: false | Boolean | True to compare the value specified by the binding to the composite roles of the current user's assigned profiles. See the [ AssignedProfile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| CurrentUser default value: false | Boolean | True to compare the value specified by the binding to the identifier of the account used by the current user to authenticate to Usercube. 
**NOTE:** The current user is the owner of the profile, allowed by the access control rule to perform an action and/or receive a notification. `CurrentUser` is tightly linked to the configuration of the `SelectUserByIdentityQueryHandlerSetting`. | +| Dimension optional | Int64 | Identifier of the dimension whose value(s), from the user's assigned profiles, are to be compared to the value specified by the binding. See [ Dimension ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) and [ AssignedProfile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topics for additional information. | +| Group optional | String | Group that the filter is part of. The access control rule filters the permissions by using the union (OR) of all filter groups, and the intersection (AND) of all filters within a group. **NOTE:** When not specified, the filter is part of the default group. | +| Operator default value: 0 | AccessControlFilterOperator | Comparison operator. 0 - Equals. 1 - NotEquals. | +| ResourceType default value: false | Boolean | True to compare the value specified by the binding to the resource types of the current user's assigned profiles. See the [ AssignedProfile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| SingleRole default value: false | Boolean | True to compare the value specified by the binding to the single roles of the current user's assigned profiles. See the [ AssignedProfile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| Value optional | String | Hard coded value to be compared to the value specified by the binding. | 
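Review bot: In access-control/accesscontrolrule/index.md every fenced example (the rule, the filter, and the five filter scenarios) is empty or reduced to `...`, while the surrounding text still explains values such as `MainOrganization`, `WorkflowState` 8, 9 and 11, and placeholders "enclosed with `<>`". The XML appears to have been lost in conversion; restore it and tag the fences `xml`, otherwise the "Technically speaking" paragraphs explain rules the reader cannot see. In the Entry table, the `CanExecute` description "Gives permission to execute permission" should say what is executed, and the deployment error for `Permission="/"` with `CanExecute="true"` deserves a mention on the `Permission` row so it is found from the table as well as from the note.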
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md new file mode 100644 index 0000000000..ec88e9cc6f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md 
@@ -0,0 +1,10 @@ +# Access Control + +- #### [AccessControlPermission](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +- #### [AccessControlPropertyGroup](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md) +- #### [AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +- #### [AssignedProfile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +- #### [OpenIdClient](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +- #### [Profile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +- #### [ProfileContext](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) +- #### [ProfileRuleContext](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md new file mode 100644 index 0000000000..4eae6282bb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md 
@@ -0,0 +1,50 @@ +# OpenIdClient + +OpenIdClient declares an Open Id Connect clientId/secret to call the Usercube API. All the +configurations need at least one clientId used by all the jobs on the agent side to call the server. + +Only the hashed secret is kept in the configuration. The clear version is only known by the API +callers. + +The secret must be strong enough to protect access to the API. + +The good practice is generating a random secret, for example a 32 characters string, from a tool +like KeePass. Each clientId must have it's own secret. The tool +[Usercube-New-OpenIDSecret](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) +can be used to generate secrets and their hashes. + +Each clientId must have a scope of responsibility. The _Profile_ and _ContextId_ properties assign a +required Profile and an optional Profile Context. + +## Examples + +The following code declares a clientId with the Administrator profile. + +``` + + + +``` + +The following code example declares a clientId with the RoleOfficerByCategory profile, restricted to +the profile context defined below. The ContextId property must reference the Id of an existing +Profile Context. Profile contexts don't have identifiers, so to avoid recalculation of the +ProfileContext's Id property on configuration deployment, the Id should be declared manually as +below. To be valid, it must be lower or equal to -2. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------- | +| Context optional | **Type** Int64 **Description** Id of the ProfileContext used to further restrict the client scope of responsibility | +| DisplayName_L1 required | **Type** String **Description** Name that will be Displayed on the screen | +| ExpirationDate optional | **Type** DateTime **Description** After this date, the client is no longer usable | +| HashedSecret required | **Type** String **Description** HashedPassword of client | +| Identifier required | **Type** String **Description** Client login name and name | +| Profile required | **Type** Int64 **Description** Profile linked with the client | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md 
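Review bot: In access-control/openidclient/index.md the prose names the optional scope property `ContextId` (in "The _Profile_ and _ContextId_ properties" and "The ContextId property must reference"), but the Properties table lists it as `Context`. This attribute is what restricts an API client's scope of responsibility, so use the name the schema accepts in both places. Both example fences are empty, which leaves the rule that the ProfileContext `Id` must be "lower or equal to -2" without the declaration it refers to ("as below"). `HashedSecret` is described only as "HashedPassword of client"; point it at the Usercube-New-OpenIDSecret tool already linked above, and change "it's own secret" to "its own secret".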
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md new file mode 100644 index 0000000000..5414549768 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md 
@@ -0,0 +1,45 @@ +# ProfileRuleContext + +Defines the context in which the rule will be evaluated. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------------- | ------- | ------------------------------------------------------------------------------------------------------ | +| EntityType optional | Int64 | When ResourceType is not used, identifier of the entity type from which the expressions are evaluated. | +| IsAppliedToRoot default value: true | Boolean | The dimensions are queried from the user's information. | +| ResourceType optional | Int64 | The resourceType of the assignedResourcetypes on which the rule is going to be applied on. | +| RootBinding optional | Int64 | Binding to apply on the user resource before executing the root expression(cf Profile Rule). | +| SubBinding optional | Int64 | Binding to apply on the user resource before executing the sub expression(cf Profile Rule). | + +## Child Element: ProfileRule + +Defines the rule to assign a profile to user when matched. + +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +### Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | Int64 | Represents the first dimension binding definition. The 127 other dimension bindings can be referred to by 127 more parameters from B1 to B3V following the base32hex convention. 
See the [ Base32 Parameter Names ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| IsDenied default value: false | Boolean | Profile denied to the user when matched. | +| Profile required | Int64 | Identifier of the profile rule. | +| RootExpression optional | String | C# expression to apply on the source entity type of the context resource type. See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| SubExpression optional | String | C# expression to apply on the target entity type of the context resource type. See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md new file mode 100644 index 0000000000..cf5fbf85f3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md @@ -0,0 +1,3 @@ +# Business Intelligence + +- #### [Universe](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md new file mode 100644 index 0000000000..2bb1fdba3d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md 
@@ -0,0 +1,87 @@ +# Universe + +Universes constitute the basis for the configuration of a new model that we will call universe +model. Users can then exploit it, through the Query module and/or Power BI, to generate graphic +reports. + +## Examples + +##### Basic universe + +The following example builds a universe called `Universe1`: + +``` + + + + + +``` + +![Universe - Basic Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Display Names)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp) + +##### Basic universe with identifiers instead of display names + +The following example builds a universe called `Universe1` with identifiers as labels instead of +display names: + +``` + + + +``` + +![Universe - Basic Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Identifiers)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp) + +## Properties + +| Property | Details | +| ------------------------------------------ | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnNamesMode default value: DisplayName | **Type** UniverseColumnNamesMode **Description** Type of label to be displayed as the column names in Power BI, for this universe. `0` - DisplayName: display name of entity instances. `1` - Identifier: identifier of entity instances. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the universe in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Identifier of the universe. | + +## Child Element: AssociationInstance + +An association instance represents, within a universe, the occurrence in the model of an +[entity association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +### Properties + +| Property | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Association required | **Type** Int64 **Description** Identifier of the entity association, in Usercube's entity model, that corresponds to the association instance. | +| Direction default value: 0 | **Type** Direction **Description** Direction of the association between the two entity instances. It must be the same direction as between the two entity types specified in these entity instances. `0` - Both directions. `1` - From the instance 1 to 2. `2` - From the instance 2 to 1. | +| Instance1 required | **Type** Int64 **Description** Identifier of the entity instance number one. 
| +| Instance2 required | **Type** Int64 **Description** Identifier of the entity instance number two. | + +## Child Element: EntityInstance + +An entity instance represents, within a universe, the occurrence in the model of an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +### Properties + +| Property | Details | +| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity instance in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type, in Usercube's entity model, that corresponds to the entity instance. | +| FilterEntityProperty optional | **Type** Int64 **Description** Entity property used as filter (FilterProperty must be a navigation property to EntityProperty) | +| FilterEntityType optional | **Type** Int64 **Description** Entity type used as filter (FilterProperty must be a navigation property to EntityType) | +| FilterProperty optional | **Type** Int64 **Description** Property used to filter entity type's instance. | +| FilterResourceType optional | **Type** Int64 **Description** Resource type used as filter (FilterProperty must be a navigation property to ResourceType) | +| FilterValue optional | **Type** String **Description** Constant value used as filter. | +| Identifier required | **Type** String **Description** Identifier of the entity instance. | +| IsHidden default value: false | **Type** Boolean **Description** `true` if the entity instance is to be hidden in Power BI. | 
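Review bot: In the new profilerulecontext/index.md, the ProfileRule table documents `IsDenied` only as "Profile denied to the user when matched" and never says what happens when one rule assigns a profile and another rule denies the same profile for the same user. These rules decide which profile a user ends up with, so please state the precedence between assigning and denying rules and whether rule order matters. In the same table, `Profile` is described as "Identifier of the profile rule", which looks like it should be the identifier of the profile being assigned or denied. `IsAppliedToRoot` does not say what changes when it is set to false. Both fenced blocks under the Examples headings are empty as shown in this diff, so the sentence about replacing attributes enclosed with `<>` has nothing to refer to.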
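Review bot: In universe/index.md, the `IsHidden` row of the EntityInstance table says only that the instance "is to be hidden in Power BI". Please say whether a hidden instance is merely not displayed or is also excluded from the data a report author can query, so that nobody relies on it as a data restriction if it is only presentational. Smaller points in the same hunk: the text still says "Usercube" ("getting Usercube data in Power BI", "Usercube's entity model") although the file is added under docs/identitymanager; the two example screenshots share the alt text "Universe - Basic Example"; "(up to 16)" in the DisplayName_L1 rows does not say what the 16 counts; and the headings jump from `##` to `#####` for the two example titles.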
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md new file mode 100644 index 0000000000..49d2916df3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md @@ -0,0 +1,3 @@ +# Configuration + +- #### [Scaffoldings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..a79a9288a9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# AccessReviewAdministrationAccessControlRules + +Scaffolding to generate the rights to administrate campaign creation. + +Gives access to a shortcut on the dashboard to access this page. + +![Access Certification Campaigns](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md new file mode 100644 index 0000000000..001f7e697c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md @@ -0,0 +1,4 @@ +# AccessReviews + +- #### [AccessReviewAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + Generates the permissions to administrate campaign creation. 
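Review bot: In accessreviewadministrationaccesscontrolrules/index.md, the fenced block under "Generated XML" is empty in this diff, as is the one under "Examples", so the page never shows which access control rules the scaffolding produces for the given profile. For a scaffolding whose whole purpose is to grant rights, that generated list is what someone reviewing a configuration needs to see; please restore both blocks. "Gives access to a shortcut on the dashboard to access this page" also has no antecedent for "this page" (presumably the Access Certification Campaigns screen in the image, which should be named), and this page says "rights" where the accessreviews/index.md entry added right after it says "permissions"; pick one term.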
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md new file mode 100644 index 0000000000..fbeb90ba02 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md 
@@ -0,0 +1,8 @@ +# Connectors + +- #### [ConnectorResourceTypeAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen.- #### + [SettingsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) + Generates the permissions to configure the Workforce Core Solution module and connector + settings. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md new file mode 100644 index 0000000000..199059faed --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md 
@@ -0,0 +1,15 @@ +# AccessControlRules + +Scaffoldings for access control give some permissions, by allowing the corresponding API calls. + +- #### [AccessReviews](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) +- #### [Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) +- #### [Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) +- #### [Monitoring](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) +- #### [Profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +- #### [Queries](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) +- #### [Resources](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) +- #### [RoleModels](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) +- #### [Simulations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) +- #### [UserInterfaces](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) +- #### 
[Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md new file mode 100644 index 0000000000..032e72f5a6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md 
@@ -0,0 +1,36 @@ +# Jobs + +- #### [GetJobLogAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + Generates the permissions to read task and job instances logs in UI for a given profile.- #### + [JobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + Scaffolding to access the job administration page.- #### + [JobTaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + Generates all permissions for JobStep entity.- #### + [PendingAssignedResourceTypesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes.- #### + [ProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile.- #### + [ResourceChangesViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and 
ResourceLinkChange.- #### + [ResourceTypeMappingControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + Generate rights to launch agent fulfillment.- #### + [RunJobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + Generates the permissions to launch jobs from UI for a given profile.- #### + [RunJobNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + Generates access control to send notification when job finish with an error state.- #### + [RunJobRepairAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile.- #### + [RunJobRepairNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + Generates access control to send notification when a relaunch job finish with an error + state.- #### + [SynchronizationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + Generates rights to launch synchronization task.- #### + 
[TaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + Generates all rights to have the access to job administration page.- #### + [TaskInstanceAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + Generates access control to update the task instances.- #### + [WorkflowFulfillmentControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + Generates the execution rights to launch Fulfillment workflow for a given profile. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..4a0959c073 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,30 @@ +# JobAdministrationAccessControlRules + +Scaffolding to access the job administration page. This page is accessible from the administration +part in dashboard of the user interface. + +![Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md 
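Review bot: In jobs/index.md, every list entry after the first has its `- ####` marker appended to the end of the previous description (for example "for a given profile.- ####") with the link on the following line, so only the first entry is written as a list item with a heading. Put each `- #### [Name](path)` on its own line. The connectors/index.md hunk has the same defect after "from the connector screen.", and the last entry of accesscontrolrules/index.md splits `- ####` from its `[Workflows]` link. Separately, JobAdministrationAccessControlRules ("Scaffolding to access the job administration page") and TaskAdministrationAccessControlRules ("Generates all rights to have the access to job administration page") read as the same grant; say how they differ so that a profile can be given only the one it needs.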
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md new file mode 100644 index 0000000000..439c7e0a73 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md @@ -0,0 +1,5 @@ +# Monitoring + +- #### [MonitoringAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md new file mode 100644 index 0000000000..f445f8de99 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# AssignProfileAccessControlRules + +Gives to a given profile the rights to create, update, delete and query any assigned profile, from +the **Assigned Profiles** screen. + +![Assigned Profiles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update, delete and +query assigned profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md new file mode 100644 index 0000000000..7ca22aedfa --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md 
@@ -0,0 +1,8 @@ +# Profiles + +- #### [AssignProfileAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + Gives to a given profile the rights to create, update, delete and query any assigned + profile.- #### + [OpenIdClientAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- #### [ProfileAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + Gives to a given profile the rights to create, update and delete profiles. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md 
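Review bot: In profiles/index.md the list markup breaks after the first entry: the `- ####` marker for OpenIdClientAdministrationAccessControlRules is fused onto the end of the previous description (`profile.- ####`) and its link sits on the following line, so it is unlikely to render as its own list item. That entry is also the only one of the three without a description. Put each `- #### [Name](link)` on its own line and add a one-line description for the OpenID client scaffolding.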
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..3d76318c54 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md @@ -0,0 +1,38 @@ +# ProfileAdministrationAccessControlRules + +Gives to a given profile the rights to create, update and delete profiles. + +Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section. + +![Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +![Profiles](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/accesscontrol_profiles_v603.webp) + +[See more details on profiles' APIs](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/accesscontrol/index.md). + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update and delete +profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
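Review bot: Both code fences in the new ProfileAdministrationAccessControlRules page are empty: the block under Examples and the block under Generated XML contain only blank lines, although the text introduces them with "The following example gives to the `Administrator` profile the rights to create, update and delete profiles" and "Our example generates the following configuration:". Restore the scaffolding element and its generated output, or drop the two sections until the snippets are available. In the Properties table, "Profile required" also runs the property name and the required flag together in one cell; a separate marker would read better.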
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md new file mode 100644 index 0000000000..6b6d3c7701 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md @@ -0,0 +1,12 @@ +# Queries + +- #### [ManageSettingAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table.- #### + [ReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + Generates the permissions to access the report view.- #### + [TargetResourceReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + Generates the permissions to apply a report for a profile on a given entity.- #### + [UniverseAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
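Review bot: In queries/index.md three of the four entries have their `- ####` marker attached to the end of the preceding description (`UM_Settings table.- ####`, `report view.- ####`, `given entity.- ####`), with the link pushed to the next line. Only ManageSettingAccessControlRule is a well-formed `- #### [Name](link)` item. Start every entry on its own line so the four scaffoldings appear as siblings in the index.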
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md new file mode 100644 index 0000000000..1751590903 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# ReportAccessControlRules + +Generates the rights to access the report view. + +Gives access to a shortcut on the navigation to access this page. + +![Reports](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md new file mode 100644 index 0000000000..7f22fd05c4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md 
@@ -0,0 +1,32 @@ +# TargetResourceReportAccessControlRules + +Generates the right to apply a report for a profile on a given entity. + +The existence of a report for this entity must exist in order to use this scaffolding. A scaffolding +allows to generate a default report for an entity: +[Entity reports](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md 
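Review bot: In the new TargetResourceReportAccessControlRules page, the prerequisite sentence "The existence of a report for this entity must exist in order to use this scaffolding" is circular, and "A scaffolding allows to generate a default report" is missing its object. Something like "A report must already exist for this entity type before this scaffolding can be used; the Entity reports scaffolding can generate a default one" says the same thing clearly. The Examples and Generated XML fences in this file are also empty, so the phrase "Our example generates the following configuration:" currently introduces nothing.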
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md new file mode 100644 index 0000000000..3138a71112 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md 
@@ -0,0 +1,15 @@ +# Resources + +- #### [CreateResourceIncrementalAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally- #### + [ResourceApiAdministration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile.- #### + [ResourcePickerControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + Creates the reading right of the resource picker.- #### + [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + Generates the permissions to view an entity type's resources.- #### + [ViewHistoryResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
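Review bot: In resources/index.md four of the five entries carry their `- ####` marker at the end of the previous description, and the first description ends without a period (`modified incrementally- ####`). Give each scaffolding its own `- #### [Name](link)` line. The descriptions also vary in form across entries ("Generates the access control rule", "Generates the permissions", "Creates the reading right"); pick one phrasing for the index.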
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..3a0ec32e67 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# BulkPerformManualProvisioningAccessControlRules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple manual provisioning items for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [PerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..d865dd004d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md 
@@ -0,0 +1,38 @@ +# BulkResourceReconciliationAccessControlRules + +The following example assigns to the Administrator profile the rights to reconcile simultaneously +several resources from the Directory_User entity type. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` + +``` + +The scaffolding generates the following scaffoldings: + +- ReconciliateResourcesAccessControlRules: Generates the permissions to access the resource + reconciliation pages for a given entity type and profile. See the + [ ReconciliateResourcesAccessControlRules ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + topic for additional information. + +## Properties + +| Property | Type | Description | +| ------------------- | ------ | ---------------------------------------------------------- | +| EntityType required | String | Identifier of the entity type involved in the scaffolding. | +| Profile required | String | Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..6683f0ff49 --- /dev/null 
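Review bot: The new BulkResourceReconciliationAccessControlRules page commits a UI remnant, `[Copy](javascript:void(0);)`, just above the example fence; remove it, since it is leftover from a copy button and does nothing for a reader of the Markdown. The sentence "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line" appears twice and talks about a command-line script, while this page documents an XML scaffolding, and both fences it introduces are empty. The Properties table here uses Property/Type/Description columns where the sibling pages added in this patch use Property/Details; align them one way or the other.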
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md @@ -0,0 +1,33 @@ +# BulkReviewProvisioningAccessControlRules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple pending provisioning orders for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [ReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..8c7c66a7eb --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md @@ -0,0 +1,16 @@ +# BulkRoleReconciliationAccessControlRules + +Generates the permissions to perform bulk validations on the **Role Reconciliation** page. + +The scaffolding generates the following scaffoldings: + +- [ReconciliateRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..899c96d51e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md 
@@ -0,0 +1,14 @@ +# GovernanceRolesAccessControlRules + +Generates the rights to access the role review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md new file mode 100644 index 0000000000..a198ea39b3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md 
@@ -0,0 +1,45 @@ +# RoleModels + +- #### [BasketRulesControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + Generates the permissions to execute the different requests to display the information in the + rights basket.- #### + [BulkPerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page.- #### + [BulkResourceReconciliationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page.- #### + [BulkReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders).- #### + [BulkRoleReconciliationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* + page.- #### + 
[GovernanceRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + Generates the permissions to access the governance review pages for a given entity type and + profile.- #### + [PerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + Generates the permissions to access the manual provisioning pages for a given entity type and + profile.- #### + [ReconciliateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile.- #### + [ReconciliateRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + Generates the permissions to access the role reconciliation pages for a given entity type and + profile.- #### + [RedundantAssignmentAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments.- #### + [ReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + Generates the 
permissions to access the provisioning review pages for a given entity type and + profile.- #### + [ReviewRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + Generates the permissions to access the role review pages for a given entity type and + profile.- #### + [RisksAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- #### [RoleAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model.- #### + [RoleNamingAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..788603b456 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md @@ -0,0 +1,36 @@ +# PerformManualProvisioningAccessControlRules + +Generates the rights to access the access manual provisioning pages for a given entity type and +profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Manual Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +The connector connected to the entity type must have the manual type as the provisioning type, +otherwise the information of the entity type cannot be displayed on this screen. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md new file mode 100644 index 0000000000..5ee51ac260 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md 
@@ -0,0 +1,35 @@ +# ReconciliateResourcesAccessControlRules + +Generates the right to access the reconcile resources pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +![Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..7e20b7362b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md 
@@ -0,0 +1,32 @@ +# ReconciliateRolesAccessControlRules + +Generates the rights to access the access reconcile roles pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md new file mode 100644 index 0000000000..2021fb4c9b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md 
@@ -0,0 +1,35 @@ +# RedundantAssignmentAccessControlRule + +Generates the permissions to access the **Redundant Assignment** page, to analyze and remove +redundant assignments. + +Gives access to a shortcut on the dashboard to access this page. + +![Redundant Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the permissions to access the **Redundant +Assignment** page and perform redundant-assignment related actions. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..8aaa6a9632 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md 
@@ -0,0 +1,34 @@ +# ReviewProvisioningAccessControlRules + +Generates the right to access the review provisioning pages for a given entity type and profile. +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +Gives access to a shortcut on the dashboard to access this page. + +![Provisioning Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..3ae25d6f1d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md 
@@ -0,0 +1,32 @@ +# ReviewRolesAccessControlRules + +Generates the rights to access the access roles review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..5175bb8761 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md @@ -0,0 +1,44 @@ +# RoleAdministrationAccessControlRules + +Generates the rights to access the access configuration pages and create, update, delete for: + +- Policies +- ResourceTypes +- SingleRoles +- CompositeRoles +- ResourceNavigationRules +- ResourceScalarRule +- ResourceCorrelationRule +- CompositeRoleRule +- ResourceTypeRule +- SingleRoleRule +- ContextRule +- Categories + +Gives access to a shortcut on the dashboard to access this page. + +![Configuration Section](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md new file mode 100644 index 0000000000..110ea9a320 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md @@ -0,0 +1,4 @@ +# Simulations + +- #### [PolicySimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- #### [RoleAndSimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md new file mode 100644 index 0000000000..946678cd6b --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md @@ -0,0 +1,6 @@ +# UserInterfaces + +- #### [ManageAccounts](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- #### [SearchBarPageAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md new file mode 100644 index 0000000000..a0fa6e3518 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md 
@@ -0,0 +1,39 @@ +# ManageAccounts + +Gives access to the **Manage Accounts** buttons for the users of a given entity type. + +![ManageAccounts Button](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp) + +The scaffolding gives access to the button, but you need to get the permissions on said accounts in +order to see anything once you click on the button. + +## Examples + +The following example gives the `Administrator` profile access to the **Manage Accounts** button for +users from `Directory_User`. + +``` + + + +In order to see AD accounts once clicking on the button: + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md new file mode 100644 index 0000000000..8966070194 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md @@ -0,0 +1,41 @@ +# CreateUpdateDeleteAccessControlRules + +Generates execution rights for the create, update, delete workflows. + +Some prerequisites are necessary to be able to launch this scaffolding. A entity type must be +created with the following naming convention: "Worfklow_" + idenfitier type entity. Three workflows +must be created with the following names: + +- entity type identifier + "_Create"; +- entity type identifier + "_Update"; +- entity type identifier + "_Delete"; + +The scaffolding generates the following scaffoldings: + +- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md new file mode 100644 index 0000000000..4d18533297 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md @@ -0,0 +1,11 @@ +# Workflows + +- #### [CreateUpdateDeleteAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + Generates execution rights for the create, update, delete workflows.- #### + [UpdateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- #### [WorkflowAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile.- #### + [WorkflowConfigurationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- #### [WorkflowOverviewControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + Generates the permissions to access the workflow supervision page. 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md new file mode 100644 index 0000000000..f1becfff34 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md 
@@ -0,0 +1,39 @@ +# WorkflowAccessControlRules + +Generates the rights to access the task page and visualize the different workflows to be executed +for a given entity type and profile. + +Gives access to a shortcut on the dashboard and on the top bar to access this page. + +Top bar shortcut: + +![Tasks in Top Bar](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +DashBoard shortcut: + +![Task in Dashboard](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md new file mode 100644 index 0000000000..c912bec07d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md @@ -0,0 +1,32 @@ +# WorkflowOverviewControlRules + +Generates the rights to access the workflow supervision page. + +Gives access to a shortcut on the dashboard to access this page. + +![Workflow Overview](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md new file mode 100644 index 0000000000..8e3683d367 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md 
@@ -0,0 +1,80 @@ +# ConnectorMappings + +This scaffolding allows the user to generate the mapping of an entity in a given connector. + +The identifiers of the connector and the entity type must be provided to the scaffolding through the +attributes `Connector` and `EntityType` to make the link between these two elements and create the +mapping. This scaffolding needs to have an argument to know the location of the file to be retrieved +during the collection. This file must be a CSV file with "Command" as the first column and then the +rest of the columns for scalar and mono-navigation properties. This file must be named after the +entity type. If there are multi-valued navigation properties, it is necessary to create a file with +"Command" as first property and the key of the two entities to link. This file must be named after +the identifier of the starting entity type + "_" + the identifier of the navigation property. + +If you are using a CSV connector with files in incremental mode, you must specify the attribute +`IsIncremental` to `true`. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the job to be generated. | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| IsIncremental optional | **Type** Boolean **Description** `true` to perform an incremental synchronization. | +| Package optional | **Type** ConnectionPackage **Description** For a `ConnectorMappings` scaffolding, identifier of the package for the connection to be generated. | + +## Child Elements + +- [ExcludedProperty](#excludedproperty) (optional) to ignore a given property of the specified + entity type. 
+- [MappingPath](#mappingpath) (optional) Define the path for csv EntityType mapping + +### ExcludedProperty + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. + +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### MappingPath + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------- | +| IsIncremental default value: false | **Type** Boolean **Description** Defines if the CSV connector files uses the incremental mode | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
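Review bot: the `### ExcludedProperty` section of this new ConnectorMappings page documents a different scaffolding. Its example "generates a universe `U8_Users`", it links to the Power BI how-to, and its screenshot lives under `scaffoldings/queries/universedatamodel/`, none of which concerns CSV connector mappings. Replace it with a ConnectorMappings example or drop the section. In the same hunk, `IsIncremental` is listed both as an attribute of the scaffolding and as the only property of `MappingPath`, while no property is documented for the file location the introduction says the scaffolding needs, so a reader cannot tell where either value is set. The link text still reads "Usercube" although its target is under `/docs/identitymanager/`, and the three code fences (Examples, ExcludedProperty, Generated XML) are empty as shown here, which leaves the page without any XML sample.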
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md new file mode 100644 index 0000000000..6755c9776d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md 
@@ -0,0 +1,19 @@ +# Entity Types + +- #### [ConnectorMappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + Generates the mapping of an entity in a given connector.- #### + [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + Computes a default value for resources' internal display names.- #### + [EntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + Creates a display table for the given entity.- #### + [EntityTypeDisplayTableAdaptable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + Creates an adaptable display table for a given entity type.- #### + [EntityTypeDisplayTargetResourceTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + Creates a displaytable for the given entity.- #### + [EntityTypeMenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping.- #### + [EntityTypeSearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + Creates the search bar for the entity without criteria.- #### + 
[TargetResourceReportMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + Creates the Item menu for the entity's report so that it is displayed in the report view. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md new file mode 100644 index 0000000000..e54ab563c7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md @@ -0,0 +1,4 @@ +# EntityTypes + +- #### [Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) +- #### [Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) 
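Review bot: the `# EntityTypes` title of the new `scaffoldings/entitytypes/index.md` is nearly identical to the `# Entity Types` title of the child index it links to first, so the two levels are hard to tell apart in navigation. Give the parent a distinct title, and consider plain `- [Link](...)` items instead of `- #### [Link](...)`, which places a level-4 heading inside each bullet.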
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md new file mode 100644 index 0000000000..2da602df91 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md 
@@ -0,0 +1,17 @@ +# Workflows + +- #### [CreateUpdateDeleteMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md) + Creates creation, update and delete menus for an entity.- #### + [CreateUpdateDeleteWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) +- #### [UpdateResourcesMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- #### [UpdateResourcesWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- #### [WorkflowActorsNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- #### [WorkflowEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + Creates an entity that will be the source of all workflows that manipulate the given + entity.- #### + [WorkflowEntityTypeDisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- #### [WorkflowEntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + Creates the display table of the workflow entity of the starting entity.- #### + 
[WorkflowEntityTypeSearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + Creates the search bar of the workflow entity of the starting entity.- #### + [WorkflowPerformerNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md 
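Review bot: in the new `workflows/index.md`, four list items are fused into the previous bullet: the description line ends with `.- ####` and the link follows on an indented continuation line (first occurrence after "Creates creation, update and delete menus for an entity."), so `CreateUpdateDeleteWorkflows`, `WorkflowEntityTypeDisplayEntityType`, `WorkflowEntityTypeSearchBar` and `WorkflowPerformerNotification` will not render as their own entries. Start each `- #### [Link](...)` on its own line after a line break; the sibling `entitytypes/entitytypes/index.md` added in this patch has the same pattern. Several entries here (for example `UpdateResourcesMenus` and `WorkflowActorsNotification`) also carry no description while their neighbours do, which is worth filling in or making consistent.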
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md new file mode 100644 index 0000000000..f337ed976d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md 
@@ -0,0 +1,330 @@ +# Scaffoldings + +Usercube provides a list of scaffoldings to act as configuration shortcuts: a scaffolding is an XML +element that will generate a complex XML fragment. + +Available scaffoldings are described below. + +To understand scaffoldings' generated configuration, Usercube's executable +[`Usercube-Export-Configuration`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/export-configuration/index.md) +can be launched with the `--export-scaffolding` option to export into XML files the configuration +items generated by scaffoldings. + +Remember that these exported files are meant for viewing and understanding purposes, not for using +their content in your own configuration. + +## References + +- #### [AccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md) + +- #### [AccessReviews](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) + +- #### [AccessReviewAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + Generates the permissions to administrate campaign creation. 
+- #### [Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) + +- #### [ConnectorResourceTypeAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen.- #### + [SettingsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) + Generates the permissions to configure the Workforce Core Solution module and connector + settings. +- #### [Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) + +- #### [GetJobLogAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + Generates the permissions to read task and job instances logs in UI for a given profile.- #### + [JobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + Scaffolding to access the job administration page.- #### + [JobTaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + Generates all permissions for JobStep entity.- #### + 
[PendingAssignedResourceTypesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes.- #### + [ProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile.- #### + [ResourceChangesViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange.- #### + [ResourceTypeMappingControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + Generate rights to launch agent fulfillment.- #### + [RunJobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + Generates the permissions to launch jobs from UI for a given profile.- #### + [RunJobNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + Generates access control to send notification when job finish with an error state.- #### + 
[RunJobRepairAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile.- #### + [RunJobRepairNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + Generates access control to send notification when a relaunch job finish with an error + state.- #### + [SynchronizationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + Generates rights to launch synchronization task.- #### + [TaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + Generates all rights to have the access to job administration page.- #### + [TaskInstanceAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + Generates access control to update the task instances.- #### + [WorkflowFulfillmentControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+- #### [Monitoring](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) + +- #### [MonitoringAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. +- #### [Profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) + +- #### [AssignProfileAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + Gives to a given profile the rights to create, update, delete and query any assigned + profile.- #### + [OpenIdClientAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- #### [ProfileAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + Gives to a given profile the rights to create, update and delete profiles. 
+- #### [Queries](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) + +- #### [ManageSettingAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table.- #### + [ReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + Generates the permissions to access the report view.- #### + [TargetResourceReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + Generates the permissions to apply a report for a profile on a given entity.- #### + [UniverseAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
+- #### [Resources](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) + +- #### [CreateResourceIncrementalAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally- #### + [ResourceApiAdministration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile.- #### + [ResourcePickerControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + Creates the reading right of the resource picker.- #### + [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + Generates the permissions to view an entity type's resources.- #### + [ViewHistoryResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
+- #### [RoleModels](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) + +- #### [BasketRulesControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + Generates the permissions to execute the different requests to display the information in the + rights basket.- #### + [BulkPerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page.- #### + [BulkResourceReconciliationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page.- #### + [BulkReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders).- #### + [BulkRoleReconciliationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* + page.- #### + 
[GovernanceRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + Generates the permissions to access the governance review pages for a given entity type and + profile.- #### + [PerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + Generates the permissions to access the manual provisioning pages for a given entity type and + profile.- #### + [ReconciliateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile.- #### + [ReconciliateRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + Generates the permissions to access the role reconciliation pages for a given entity type and + profile.- #### + [RedundantAssignmentAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments.- #### + [ReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + Generates the 
permissions to access the provisioning review pages for a given entity type and + profile.- #### + [ReviewRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + Generates the permissions to access the role review pages for a given entity type and + profile.- #### + [RisksAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- #### [RoleAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model.- #### + [RoleNamingAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. 
+- #### [Simulations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) + +- #### [PolicySimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- #### [RoleAndSimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) + +- #### [UserInterfaces](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) + +- #### [ManageAccounts](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- #### [SearchBarPageAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. 
+- #### [Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) + +- #### [CreateUpdateDeleteAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + Generates execution rights for the create, update, delete workflows.- #### + [UpdateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- #### [WorkflowAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile.- #### + [WorkflowConfigurationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- #### [WorkflowOverviewControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + Generates the permissions to access the workflow supervision page. 
+- #### [EntityTypes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md) + +- #### [Entity Types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) + +- #### [ConnectorMappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + Generates the mapping of an entity in a given connector.- #### + [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + Computes a default value for resources' internal display names.- #### + [EntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + Creates a display table for the given entity.- #### + [EntityTypeDisplayTableAdaptable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + Creates an adaptable display table for a given entity type.- #### + [EntityTypeDisplayTargetResourceTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + Creates a displaytable for the given entity.- #### + [EntityTypeMenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping.- #### + 
[EntityTypeSearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + Creates the search bar for the entity without criteria.- #### + [TargetResourceReportMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + Creates the Item menu for the entity's report so that it is displayed in the report view. +- #### [Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) + +- #### [CreateUpdateDeleteMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md) + Creates creation, update and delete menus for an entity.- #### + [CreateUpdateDeleteWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) +- #### [UpdateResourcesMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- #### [UpdateResourcesWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- #### [WorkflowActorsNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- #### [WorkflowEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + 
Creates an entity that will be the source of all workflows that manipulate the given + entity.- #### + [WorkflowEntityTypeDisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- #### [WorkflowEntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + + Creates the display table of the workflow entity of the starting entity.- #### + [WorkflowEntityTypeSearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + Creates the search bar of the workflow entity of the starting entity.- #### + [WorkflowPerformerNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) + +- #### [Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md) + +- #### [CleanDatabaseJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + + Creates the job to clean old tasks and jobs instances with state InProgress + +- #### [CreateAccessCertificationJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + + Creates the AccessCertification Job. 
+ +- #### [CreateAgentSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode. + +- #### [CreateAgentSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode. + +- #### [CreateConnectorsJobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + + Creates all jobs by connector to launched task in the connector page. + +- #### [CreateConnectorSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + + Creates for the given connector the synchronization in complete mode. + +- #### [CreateConnectorSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + + Creates for the given connector the synchronization job in incremental mode. + +- #### [CreateInitializationJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + + Creates the Initialization Job for the given agent. 
+ +- #### [Optimizations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md) + +- #### [OptimizeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + + Optimizes all elements found in the given displayTable. + +- #### [queries](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) + +- #### [TargetResourceReport](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + + Creates a ReportQuery with default Query taking all the properties of the entity. + +- #### [UniverseDataModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + + Creates, within a universe, entity instances and association instances based on a predefined + template. + +- #### [Templates](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md) + +- #### [ConnectorsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + + Gives the permissions to manage the connector pages. + +- #### [CreateAdministratorProfile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + + Creates the profile administrator and all default access control rules. 
+ +- #### [CreateUpdateDeleteTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile. + +- #### [EntityReportDefault](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + + Creates all configuration items to add a ReportQuery for an EntityType and profile. + +- #### [JobExecutionAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. + +- #### [JobViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. + +- #### [SimulationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + + Generates the permissions to configure and launch simulations. 
+ +- #### [UpdateResourcesTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) + +- #### [ViewSourceResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile. + +- #### [ViewTargetResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile. + +- #### [ViewTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + + Creates the view for the given entity as well as the rights for the given profile. + +- #### [ViewTemplateAdaptable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. + +- #### [Workforce](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md) + +- #### [BootstrapModule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) + + Generates the default settings required to start using Usercube and the Workforce Core Solution + module. 
+ +- #### [WorkforceModule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) + Generates the workforce repository based on the data filled in the Workforce Core Solution + module. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md 
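Review bot: In the scaffoldings index hunk, the nested entries under AccessControlRules and EntityTypes have the next item's marker glued to the end of the previous description, for example `update and delete settings from the UM_Settings table.- ####` with `[ReportAccessControlRules](...)` following on its own line, so those entries will not render as list items. Put each `- #### [Name](...)` on its own line, as the Jobs, Templates and Workforce entries later in the same hunk already do. The bulk role-model descriptions carry escaped emphasis (`\*\*Perform Manual Provisioning\*\*` and its siblings), which will show literal asterisks instead of bold. The section link `[queries]` is lowercase while the other section names are capitalised. The BootstrapModule description still reads "start using Usercube" although every path in the hunk has moved to `identitymanager`; confirm whether the product name in the text should follow the rename.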
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md new file mode 100644 index 0000000000..774077d359 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md 
@@ -0,0 +1,89 @@ +# CreateInitializationJob + +Creates the Initialization Job for the given agent. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent optional | **Type** String **Description** For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | **Type** String **Description** For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | **Type** Boolean **Description** Internal use. | + +## Child Elements + +- [AddTask](#addtask) (optional) Add a task before or after another in the job +- Configuration (optional) Add the path of the configuration folder if a configuration task is in + the job +- [NoConnectorProvisioning](#noconnectorprovisioning) (optional) Avoid provisioning for a connector +- [NoConnectorSynchronization](#noconnectorsynchronization) (optional) Avoid collect for a connector +- [NotUsed](#notused) (optional) Avoid collect and provisioning for a connector +- [OpenIdIdentifier](#openididentifier) (optional) Add a Open Id to the job and the tasks +- [PrincipalDataConnector](#principaldataconnector) (optional) Specifies the connector that contains + the data for the fulfillment of external systems. 
+ +### AddTask + +| Property | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | +| Task required | **Type** String **Description** Identifier of the task to add | +| TaskToCompareWith required | **Type** String **Description** The identifier of the task before or after which the new task will be inserted | +| After default value: false | **Type** Boolean **Description** For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | **Type** Boolean **Description** For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | **Type** Int32 **Description** For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | **Type** Int32 **Description** Occurence of the TaskToCompare after or before which the task will be added | + +### Configuration + +| Property | Details | +| ------------- | -------------------------------------------------------------- | +| Path required | **Type** String **Description** Represents the argument value. | + +### NoConnectorProvisioning + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectorIdentifier required | **Type** String **Description** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. 
| + +### NoConnectorSynchronization + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectorIdentifier required | **Type** String **Description** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### NotUsed + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectorIdentifier required | **Type** String **Description** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### OpenIdIdentifier + +| Property | Details | +| ------------------- | -------------------------------------------------------- | +| Identifier required | **Type** String **Description** Identifier of the OpenId | + +### PrincipalDataConnector + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectorIdentifier required | **Type** String **Description** Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. 
| + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md new file mode 100644 index 0000000000..3790b627e9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md 
@@ -0,0 +1,20 @@ +# Jobs + +- #### [CleanDatabaseJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + Creates the job to clean old tasks and jobs instances with state InProgress- #### + [CreateAccessCertificationJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + Creates the AccessCertification Job.- #### + [CreateAgentSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode.- #### + [CreateAgentSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode.- #### + [CreateConnectorsJobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + Creates all jobs by connector to launched task in the connector page.- #### + [CreateConnectorSynchroComplete](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + Creates for the given connector the synchronization in complete mode.- #### + [CreateConnectorSynchroIncremental](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + Creates for the given connector the synchronization job in incremental mode.- #### + 
[CreateInitializationJob](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + Creates the Initialization Job for the given agent. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md new file mode 100644 index 0000000000..5462719761 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md @@ -0,0 +1,4 @@ +# Optimizations + +- #### [OptimizeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + Optimizes all elements found in the given displayTable. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md new file mode 100644 index 0000000000..9c10ba6e0f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md 
@@ -0,0 +1,48 @@ +# OptimizeDisplayTable + +This scaffolding optimizes the given display table by replacing its tiles navigation properties by +scalar (pre-computed, via expressions) properties. This ultimately improves the performances of the +SQL queries used to fetch the data displayed in the corresponding table. + +In order to optimize the display table, this scaffolding will create the following elements if they +don't exist. + +- An + [Entity Property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + for each tile item that uses a navigation binding. This will be used to hold the computed + expression. +- An + [Entity Property Expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) + to evaluate the binding expression used by the optimizable tile item. + +Then, the scaffolding will link the display table tile elements to the newly created scalar +properties. + +This scaffolding has a downside which is that the displayed data is less dynamic than a normal +display table, since it requires computing the expression (via jobs) ahead of time. + +## Examples + +The following example optimized the DisplayTable `Directory_User` + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------- | +| DisplayTableIdentifier required | **Type** String **Description** The identifier of the display table to optimize | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
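Review bot: the downside paragraph in optimizedisplaytable/index.md says the expressions must be computed "via jobs" ahead of time but never says which job or task refreshes them. A reader who enables this scaffolding cannot tell how stale the table may be or what to schedule, so name the job or link to its page. Two smaller points in the same file: the Examples lead-in ("The following example optimized the DisplayTable `Directory_User`") is in the past tense and has no closing punctuation, where the sibling pages use "generates" and end with a colon. Both code fences are untagged and, as shown in this diff, contain only blank lines, so confirm the XML snippets survived the migration.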
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md new file mode 100644 index 0000000000..83f51d9912 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md @@ -0,0 +1,7 @@ +# queries + +- #### [TargetResourceReport](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + Creates a ReportQuery with default Query taking all the properties of the entity.- #### + [UniverseDataModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + Creates, within a universe, entity instances and association instances based on a predefined + template. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md 
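Review bot: in queries/index.md the list marker for the second entry is fused onto the end of the first description ("...all the properties of the entity.- ####"), so `[UniverseDataModel]` will not render as its own list item. Start `- #### [UniverseDataModel](...)` on a new line. The new jobs/index.md has the same pattern after every description and needs the same fix. The page title `# queries` is also lowercase, while the sibling index pages added in this patch use `# Jobs` and `# Optimizations`.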
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md new file mode 100644 index 0000000000..6eee928f4b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md 
@@ -0,0 +1,332 @@ +# UniverseDataModel + +This scaffolding creates, within a universe, entity instances and association instances based on a +predefined template. + +The entity instances generated by the scaffolding will have: + +- as a display name, the display name of the corresponding navigation property, for example + `Main Record`; +- as an identifier, the identifier of the corresponding navigation which is made of + `_`, for example `Directory_User_MainRecord`. + +## Properties + +| Property | Details | +| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EntityType required | **Type** String **Description** Identifier of the entity type that we want to represent in the universe (as an entity instance) with all its navigations. | +| Universe required | **Type** String **Description** Identifier of the universe in which the instances to be generated are going to exist. | + +## Child Elements + +- [ExcludedProperty](#excludedproperty) (optional) to ignore a given property of the specified + entity type. +- [RootInstance](#rootinstance) (optional) to rename the core entity instance that is to be + generated, and to avoid data duplication when using several scaffoldings in one universe. +- [SourceEntityType](#sourceentitytype) (optional) Define the source EntityType +- [UniverseTemplate](#universetemplate) (optional) to use a template different from the default one. + +### ExcludedProperty + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. 
| + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. + +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### RootInstance + +| Property | Details | +| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Instance required | **Type** String **Description** Identifier of the entity instance generated based on the EntityType property of the universe scaffolding. If not specified, the identifier of the entity instance is the identifier of the entity type. 
| + +The following example generates a universe `U2_UserRecords` based on the entity type +`Directory_UserRecord`, naming the entity instance `REC`: + +``` + + + + + +``` + +![Universe (RootInstance)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (RootInstance)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +#### RootInstance for several scaffoldings together + +A universe can be made of several scaffoldings which need to be grouped together a specific way. One +universe made of two scaffoldings will generate the two entity instances corresponding to the two +specified entity types, with the entity and association instances corresponding to their navigation +properties. To avoid data duplication in the universe model, we use `RootInstance` to rename one of +the entity instances and follow the existing naming rule explained in the introduction. 
+ +**The following example** generates a universe `U3_UserRecords` based on the entity types +`Directory_User` and `Directory_UserRecord` (without `RootInstance`): + +``` + + + +``` + +![Universe Schema (Several Scaffoldings with Data Duplication)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplicationschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Several Scaffoldings with Data Duplication)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp) + +We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity +instances. + +**The following example** generates a better version of the universe `U3_UserRecords` based on the +entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_UserRecord` as +`Directory_User_Records` to follow the naming rule, thus building the universe model with +`Directory_User` as the core entity instance: + +``` + + + + + +``` + +![Universe (Several Scaffoldings without Data Duplication)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Several Scaffoldings without Data 
Duplication)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp) + +Thus we removed the duplicated data, and we understand easily the navigations of the model. + +### SourceEntityType + +| Property | Details | +| ------------------- | ----------------------------------------------------------------- | +| Identifier optional | **Type** String **Description** The identifier's SourceEntityType | + +### UniverseTemplate + +| Property | Details | +| ----------------- | -------------------------------------------------------------- | +| Template required | **Type** String **Description** Represents the argument value. | + +#### Default Template + +When no template is specified, the scaffolding generates: + +- an entity instance based on a given entity type; +- an association instance and an entity instance for each navigation property of the entity type. + +**The following example** generates a universe `U1_Users` based on the entity type `Directory_User`: + +``` + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User: + + + One association instance and one entity instance per navigation property: + ... 
+ + + +``` + +![Universe (No Template)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (No Template)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp) + +We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers. + +#### OwnedResourceTypes + +The following example generates a universe `U4_User` based on the entity type `Directory_User` and +the resources assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. + + + Association instances and entity instances about the AD_Entry_NominativeUser resource type: + + + + Same for all resource types. + ... 
+ + + +``` + +![Universe (Template Schema: Owned Resource Types)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Resource Types)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypes.webp) + +#### ResourceResourceTypes + +The following example generates a universe `U5_AD` based on the entity type `AD_Entry` and the +owners of AD resources: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`. + +![Universe (Template Schema: Resource Resource Types)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Resource Resource Types)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp) + +#### OwnedSingleRoles + +The following example generates a universe `U6_User` based on the entity type `Directory_User` and +the single roles assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. 
+ + + One entity instance containing data about role assignments, and one association instance linking it to Directory_User: + + + One entity instance containing the single roles, and one association instance linking it to the role assignment data: + + +``` + +![Universe (Template Schema: Owned Single Roles)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Single Roles)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsingleroles.webp) + +#### OwnedCompositeRoles + +The following example generates a universe `U7_User` based on the entity type `Directory_User` and +the composite roles assigned to users: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`. 
+ +![Universe (Template Schema: Owned Composite Roles)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositerolesschema.webp) + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Composite Roles)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp) + +## Mixed Example + +Scaffoldings can be adjusted with +[universe configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md). + +The following example generates a universe `U9_AccessControl` aiming to create reports displaying +users and their profiles. In our situation, profiles are assigned to AD accounts based on a given +context. This is why we base our universe on the entity types `AD_Entry`, `AssignedProfile` and +`ProfileContext`. Plus, there are 10 dimensions in contexts, but only dimensions 0 and 1 are used, +so we exclude the others. We exclude also resource types and single roles that are of no use for us +here. + +``` + + + +``` + +When +[getting Usercube data in Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Mixed Example)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp) 
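Review bot: the RootInstance section of universedatamodel/index.md embeds `universe_rootinstance.webp` twice with the same alt text, once directly after the example and again after "we see the following". Every other section pairs a `...schema.webp` image with the Power BI screenshot, so the first embed should point at a schema image or be dropped. The naming rule in the introduction reads "made of `_`", so the placeholders on either side of the underscore are missing. The "RootInstance for several scaffoldings together" subsection relies on that rule, so it should be spelled out. The sentence "We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity instances" uses `Directory_UserRecords`, which does not match the entity type `Directory_UserRecord` used in the surrounding examples. Please confirm which identifier is meant.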
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md new file mode 100644 index 0000000000..97309b004d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md 
@@ -0,0 +1,52 @@ +# ConnectorsAccessControlRules + +Gives the permissions to manage the connector pages. + +Generates the permissions to access the connectors pages, the policies page, the access roles page, +the access rules page and the job execution page. + +Gives access to shortcuts on the dashboard to access these pages. + +![Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +The scaffolding generates the following scaffoldings: + +- [ConnectorResourceTypeAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [JobViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. +- [ResourceTypeMappingControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [RoleAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. 
+- [RunJobRepairAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [TaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md new file mode 100644 index 0000000000..01043911ef --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md 
@@ -0,0 +1,128 @@ +# CreateAdministratorProfile + +This scaffolding creates the administrator profile with a predefined set of rights. + +To create the rights for this profile, a scaffolding list is launched inside the creation of the +administrator profile. + +The scaffolding generates the following scaffoldings: + +- [AccessReviewAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md): + Generates the permissions to administrate campaign creation. +- [AssignProfileAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update, delete and query any assigned profile. +- [BasketRulesControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md): + Generates the permissions to execute the different requests to display the information in the + rights basket. +- [ConnectorResourceTypeAccessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [ConnectorsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md): + Gives the permissions to manage the connector pages. 
+- [CreateConnectorsJobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md): + Creates all jobs by connector to launched task in the connector page. +- [CreateResourceIncrementalAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally +- [JobExecutionAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md): + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. +- [ManageAccounts](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md): +- [ManageSettingAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md): + Generates the access control rule which gives to a profile the permission to query, create, update + and delete settings from the UM_Settings table. +- [MonitoringAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the monitoring + screen. 
+- [PerformManualProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. +- [ProfileAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update and delete profiles. +- [ProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md): + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. +- [ReconciliateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md): + Generates the permissions to access the resource reconciliation pages for a given entity type and + profile. +- [ReconciliateRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. 
+- [RedundantAssignmentAccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md): + Generates the permissions to access the **Redundant Assignment** page, to analyze and remove + redundant assignments. +- [ReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [ResourceApiAdministration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md): + Generates the permissions to create/update/delete/query resources from a given entity type, for a + given profile. +- [ResourcePickerControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md): + Creates the reading right of the resource picker. +- [ResourceTypeMappingControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [ReviewProvisioningAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. 
+- [ReviewRolesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md): + Generates the permissions to access the role review pages for a given entity type and profile. +- [RisksAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md): +- [RoleAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. +- [RoleNamingAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md): + Generates the permissions to configure and launch the automatic creation of roles and rules based + on naming conventions. +- [SettingsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md): + Generates the permissions to configure the Workforce Core Solution module and connector settings. +- [SimulationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md): + Generates the permissions to configure and launch simulations. 
+- [SynchronizationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md): + Generates rights to launch synchronization task. +- [TaskAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. +- [UniverseAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md): + Generates an access control rule which gives a profile the permission to access the query page and + run queries. +- [ViewHistoryResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md): + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. +- [WorkflowConfigurationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md): +- [WorkflowFulfillmentControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md): + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+- [WorkflowOverviewControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md): + Generates the permissions to access the workflow supervision page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | + +## Child Elements + +- [DisplayNameProfile](#displaynameprofile) (optional) defines a display name for the administrator + profile for a given language. + +### DisplayNameProfile + +| Property | Details | +| -------------------- | ------------------------------------------------------------------------------------ | +| DisplayName required | **Type** String **Description** Display name of the profile in the related language. | +| Identifier required | **Type** String **Description** Code of the language for the display name. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md new file mode 100644 index 0000000000..afd9f3ef5c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md 
@@ -0,0 +1,48 @@ +# CreateUpdateDeleteTemplate + +Creates the three types of workflow for the given entity as well as the execution rights for the +given profile. + +The scaffolding generates the following scaffoldings: + +- [CreateUpdateDeleteAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md): + Generates execution rights for the create, update, delete workflows. +- [CreateUpdateDeleteMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md): + Creates creation, update and delete menus for an entity. +- [CreateUpdateDeleteWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md): +- [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [EntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [EntityTypeSearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md): + Creates the search bar for the entity without criteria. 
+- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [WorkflowEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): + Creates an entity that will be the source of all workflows that manipulate the given entity. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md new file mode 100644 index 0000000000..c61a8ba791 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md 
@@ -0,0 +1,21 @@ +# EntityReportDefault + +Creates all configuration items to add a ReportQuery for an EntityType and profile. + +The scaffolding generates the following scaffoldings: + +- [ReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [TargetResourceReport](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): + Creates a ReportQuery with default Query taking all the properties of the entity. +- [TargetResourceReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [TargetResourceReportMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | 
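Review bot: the new EntityReportDefault page goes straight from the list of generated scaffoldings to Properties, with no Examples or Generated XML section, although the other template pages added in this patch carry both. Since EntityType and Profile are both marked required here, a short example showing the two attributes together, followed by the generated ReportQuery and access control rules, would let a reader see exactly which permissions the profile receives before applying the scaffolding.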
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md new file mode 100644 index 0000000000..ef4abf7ef9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md 
@@ -0,0 +1,30 @@ +# Templates + +- #### [ConnectorsAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + Gives the permissions to manage the connector pages.- #### + [CreateAdministratorProfile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + Creates the profile administrator and all default access control rules.- #### + [CreateUpdateDeleteTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile.- #### + [EntityReportDefault](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + Creates all configuration items to add a ReportQuery for an EntityType and profile.- #### + [JobExecutionAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs.- #### + [JobViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs.- #### + [SimulationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + Generates the permissions to configure and 
launch simulations.- #### + [UpdateResourcesTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) +- #### [ViewSourceResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile.- #### + [ViewTargetResourceTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile.- #### + [ViewTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + Creates the view for the given entity as well as the rights for the given profile.- #### + [ViewTemplateAdaptable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md new file mode 100644 index 0000000000..d2b18fcacd --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md 
@@ -0,0 +1,45 @@ +# JobExecutionAccessControlRules + +This scaffolding assigns a set of rights to a given profile to execute any job, and view all job +instances, task instances and logs. + +The scaffolding generates the following scaffoldings: + +- [JobViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. +- [RunJobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md): + Generates the permissions to launch jobs from UI for a given profile. +- [RunJobNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md): + Generates access control to send notification when job finish with an error state. +- [RunJobRepairAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [RunJobRepairNotificationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md): + Generates access control to send notification when a relaunch job finish with an error state. 
+ +## Examples + +The following example assigns to the `Administrator` profile the rights to execute all jobs and view +job instances, task instances and logs: + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md new file mode 100644 index 0000000000..3fbb94948b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# JobViewAccessControlRules + +Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. This +Scaffolding performs a set of scaffolding rights for Jobs and Tasks. + +The scaffolding generates the following scaffoldings: + +- [GetJobLogAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md): + Generates the permissions to read task and job instances logs in UI for a given profile. +- [JobAdministrationAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md): + Scaffolding to access the job administration page. +- [PendingAssignedResourceTypesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md): + Generates the access control rules which give to a profile the permissions to call the API Pending + AssignedResourceTypes. +- [ResourceChangesViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md): + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
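Review bot: the Generated XML section of JobViewAccessControlRules says "Our example generates the following configuration:", but this page has no Examples section, and the fence under it holds only blank lines as shown here. Either add an Examples section with the scaffolding element and its Profile attribute or reword the sentence, and restore the generated XML, since that output is the only place a reader can check which job, task and log permissions the profile ends up with. Minor: in the ResourceChangesViewAccessControlRules bullet, "rules which gives" should read "rules which give".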
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md new file mode 100644 index 0000000000..cc557c5152 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md @@ -0,0 +1,35 @@ +# SimulationAccessControlRules + +This scaffolding generates the rights to configure and launch simulations. + +It also gives access to a shortcut on the dashboard allowing to enter the simulation screen. Through +this screen, simulations can be launched and results can be visualized. + +The scaffolding generates the following scaffoldings: + +- [PolicySimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md): +- [RoleAndSimulationControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md): + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md new file mode 100644 index 0000000000..ca81c39b29 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md 
@@ -0,0 +1,41 @@ +# UpdateResourcesTemplate + +The scaffolding generates the following scaffoldings: + +- [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [EntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [UpdateResourcesAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md): +- [UpdateResourcesMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md): +- [UpdateResourcesWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md): +- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [WorkflowEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): + Creates an entity that will be the source of all workflows that manipulate the given entity. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md new file mode 100644 index 0000000000..42e951ce65 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md 
@@ -0,0 +1,45 @@ +# ViewTargetResourceTemplate + +Creates the entity view (designElement = resourceTable), the report and the rights for a given +profile. + +The scaffolding generates the following scaffoldings: + +- [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [EntityTypeDisplayTargetResourceTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md): + Creates a displaytable for the given entity. +- [TargetResourceReport](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): + Creates a ReportQuery with default Query taking all the properties of the entity. +- [TargetResourceReportAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [TargetResourceReportMenus](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. +- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md new file mode 100644 index 0000000000..7d9096acd5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md 
@@ -0,0 +1,42 @@ +# ViewTemplate + +Creates the view for the given entity as well as the rights for the given profile. + +The scaffolding generates the following scaffoldings: + +- [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [EntityTypeDisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in a table, and gives to the +`Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
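Review bot: in the ViewTemplate Properties table, EntityType and Profile are marked optional, yet the description says the scaffolding creates the view "for the given entity" and the rights "for the given profile", and EntityReportDefault in this same patch marks both as required. For a scaffolding that generates ViewAccessControlRules, state what happens when either one is omitted (no rule generated, or a rule not scoped to a single entity type or profile), or mark them required. The Property row also gives no hint of what that property is used for in this template.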
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md new file mode 100644 index 0000000000..ce37e1c93c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md 
@@ -0,0 +1,43 @@ +# ViewTemplateAdaptable + +Implements a default display name for the resources of a given entity type, displays the resources +in an adaptable table, and give the permissions to view the resources. + +The scaffolding generates the following scaffoldings: + +- [EntityTypeDisplayName](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [EntityTypeDisplayTableAdaptable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md): + Creates an adaptable display table for a given entity type. +- [ViewAccessControlRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in an adaptable table, and gives to +the `Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
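Review bot: the opening sentence of ViewTemplateAdaptable reads "and give the permissions to view the resources"; it should be "gives" to agree with "Implements" and "displays" (the Templates index entry for this page repeats the same wording). The Examples fence is also empty as shown here, so the Directory_PresenceState / Administrator configuration that the paragraph describes is not actually on the page; please check that the XML snippet is present in the source file.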
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md new file mode 100644 index 0000000000..c84922e4d2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md @@ -0,0 +1,8 @@ +# Workforce + +- #### [BootstrapModule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) + Generates the default settings required to start using Usercube and the Workforce Core Solution + module.- #### + [WorkforceModule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) + Generates the workforce repository based on the data filled in the Workforce Core Solution + module. 
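Review bot: In the new workforce/index.md, the second list entry is fused onto the end of the first: `module.- ####` closes the BootstrapModule description and the `[WorkforceModule](...)` link only starts on the following line, so WorkforceModule will not render as its own bullet. Start `- #### [WorkforceModule](...)` on a new line, matching the BootstrapModule entry. The BootstrapModule description also still says "Usercube" although the file is added under docs/identitymanager; confirm that name is intended.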
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md new file mode 100644 index 0000000000..56c26833d9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md 
@@ -0,0 +1,6262 @@ +# WorkforceModule + +Generates the workforce repository based on the data filled in the Workforce Core Solution module. + +## Examples + +The following example generates the Workforce module in the application: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| IsEnabled default value: true | Boolean | True to enable the Worforce module. If set to false, Usercube deletes all existing items computed by the Workforce Core Solution module. 
| + +## Child Elements + +Here is a list of child elements: + +- CompositeProfile (optional) – Defines the users profiles +- EmailGeneration (optional) – Defines the email generation policy +- HomonymEntityLinkOptions (optional) – Updates/Modifies the HomonymEntityLink of the + Directory_UserRecord entity of the workforce configuration +- LoginGeneration (optional) – Defines the login generation policy +- ModelUsage (optional) – Defines the entity types/properties that must be ignored from the model + and customize the pickers for the kept ones +- NewExternalWorkflow (optional) – Enable/disable the review step for the new external workflow +- NewInternalWorkflow (optional) – Enable/disable the review step for the new internal workflow +- UniqueIdentifierGeneration (optional) – Defines the unique identifier generation policy + +### CompositeProfile + +| Property | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------- | +| AreaOfResponsibility required | String | Represents the argument value. | +| ProfileDisplayName required | String | Generic column used to store information for internal use. | +| ProfileIdentifier required | String | Generic column used to store information for internal use. | +| TargetProfile required | String | Generic column used to store information for internal use. | + +### EmailGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Domain optional | String | Generic column used to store information for internal use. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). 
| + +### HomonymEntityLinkOptions + +| Property | Type | Description | +| ----------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ActivatePhoneticComparison default value: false | Boolean | Adds 3 filters in the HomonymEntityLink comparing the first and last names (current workflow) to the phonetic properties corresponding to the first and last names (existing records). | +| DisableBirthNameComparison default value: false | Boolean | Deletes the filter in the HomonymEntityLink comparing the last name (current workflow) with the birth name (existing records). | +| DisableInversion default value: false | Boolean | Deletes the filters in the HomonymEntityLink comparing the first name (current workflow) with the last name (existing records) and the last name (current workflow) with the first name (existing records). | + +### LoginGeneration + +| Property | Type | Description | +| ------------------ | ------ | ---------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| MaxLength optional | Int32 | Generic column used to store information for internal use. | +| Prefix optional | String | Generic column used to store information for internal use. | + +### ModelUsage + +| Property | Type | Description | +| -------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Generic column used to store information for internal use. | +| Count optional | Int32 | Generic column used to store information for internal use. | +| ForcedCount optional | Int32 | Number of entries for a given entity or entity's property in the workforce data model. 
The `ForcedCount` value overwrites the count computed by Usercube. | + +### NewExternalWorkflow + +| Property | Type | Description | +| ------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: false | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### NewInternalWorkflow + +| Property | Type | Description | +| ------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: true | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### UniqueIdentifierGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Max optional | Int32 | Upper limit of the range used for the generation of unique identifiers. | +| Min optional | Int32 | Lower limit of the range used for the generation of unique identifiers. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). | +| Prefix optional | String | Prefix used for the generation of unique identifiers. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     + +     +     +     +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     + + +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     + + + +     +     +     +     +     +     +     + + + + + +     + + +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + + + +     + + +     +     +     + + +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     + + +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     + + +     +     + + +
+ +     +     +     +     +     +     +     +     +     + + + + + + + + + + +     +     +     +     + + +     + + + + + + + + + + +     +     +     +     + + +     +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + +
+ + +
+ +     +     +         +         +     +     +     +     +     +     +     +     +     +     + + +
+ +   +     +       +       +     +   +   +   +   +   +     +     +   +   +   +     +   + + +
+ +   + + +
+ +     +     +     +     +     +     +     +     + + +
+ + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + +
+ + +     +     +     +     +     + + + + + + + + + + +
+ + +     +     +     +     +     + + + +
+ +     +     +     + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + +     + + + + + + +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0) +{ +result += iteration.ToString(); +} +result = result + (record.UserType?.EmailSuffix ?? string.Empty) + '@' + (record.Subsidiary?.EmailDomain ?? 
"acme.com"); +return result;" IterationsCount="10"> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_ReservedEmail" TargetExpression="C#:reservedEmail: +if (string.IsNullOrEmpty(reservedEmail.Value)) +{ +return null; +} +var result = reservedEmail.Value; +var index = result.IndexOf('@'); +if(index >=0) +{ +result = result.Substring(0, index); +} +return result;" /> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_UserRecord" TargetExpression="C#:record: +if (string.IsNullOrEmpty(record.Email)) +{ +return null; +} +var result = record.Email; +/*Delete Domain*/ +var index = result.IndexOf('@'); +if(index >= 0) +{ +result = result.Substring(0, index); +} +var resources = queryHandler.Select("select EmailSuffix"); +foreach (var resource in resources.Where(r => r != null && r.EmailSuffix != null).OrderByDescending(r => r.EmailSuffix!.Length)) +{ +var foundIndex = result.IndexOf(resource.EmailSuffix!); +if (foundIndex >= 0) +{ +    result = result.Substring(0, foundIndex); +    break; +} +} +return result;" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                An update user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.MainRecord.FirstName @Model.MainRecord.LastName
User Type@Model.MainRecord.UserType.DisplayName
Contract Start Date@Model.MainRecord.ContractStartDate
Contract End Date@Model.MainRecord.ContractEndDate
Department@Model.MainRecord.Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ +
+ + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                A new user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.Records.First().FirstName @Model.Records.First().LastName
User Type@Model.Records.First().UserType.DisplayName
Contract Start Date@Model.Records.First().ContractStartDate
Contract End Date@Model.Records.First().ContractEndDate
Department@Model.Records.First().Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ + +
+ + +"2022-05-31T00:00:00Z"))" ReturnedEntityType="Directory_UserRecord" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md new file mode 100644 index 0000000000..15df45ad44 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md 
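Review bot: In workforcemodule/index.md, the `IsReviewRequired` description under both NewExternalWorkflow and NewInternalWorkflow ("For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith.") describes a different setting and does not say what the flag does. The child-element list says it enables or disables the review step, and the defaults differ (false for external, true for internal), so state that directly and point out that the review step for the new external workflow is off by default. Several other Description cells are placeholders ("Generic column used to store information for internal use.", "Represents the argument value.") on `Strategy`, `Domain`, `MaxLength`, `Prefix`, `Binding`, `Count` and all four CompositeProfile properties; replace them with the meaning and accepted values. Typo: "Worforce" in the `IsEnabled` row.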
@@ -0,0 +1,147 @@ +# Connection + +A connection represents a link between a +[connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +and a connection package. + +## Examples + +The following example creates a connection for the previously created connector `AD`, using the +package `Usercube.AD@0000001` with only the export task and not the fulfill task. + +``` + + + +``` + +We will need to configure the connection settings in the `appsettings.agent.json` file, by adding a +`ADExportFulfillment` part in the `Connections` section, for example: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADExportFulfillment": { + "Servers": [ + { + "Server": "contoso.server.com", + "BaseDN": "DC=contoso,DC=com" + } + ], + "AuthType": "Basic", + "Login": "Contoso", + "Password": "ContOso$123456789", + "Filter": "(objectclass=*)", + "EnableSSL": "true" + }, + ... + } +} +``` + +Details about these settings can be found in Usercube's +[connector references](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md). + +## Properties + +| Property | Details | +| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** Int64 **Description** Identifier of the linked connector. **Note:** a connection can be used by one and only one connector. | +| DeactivationExportFulfill default value: 0 | **Type** DeactivationExportFulfill **Description** For a connection having a package which implements both export and fulfill, this option can deactivate either the export or the fulfill part. 
`0` - **None**: keeps both parts. `1` - **Export**: deactivates export. `2` - **Fulfill**: deactivates fulfill. | +| DisplayName_L1 required | **Type** String **Description** Display name of the connection in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the connection. It must start with a letter followed by up to 441 characters, chosen from the following set: point, dash, letter, or number. **Warning:** identifiers are case insensitive, for example the identifiers `adexport` and `ADEXPORT` cannot exist simultaneously. | +| Package required | **Type** Enumeration **Description** Identifier of the linked connection package which defines the connection's capabilities and technologies to export and/or fulfill data. | + +## Child Element: Transformation + +A connection transformation is optional, but can be needed to adjust the Excel files, output of +[export tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md)from +Excel export connections, before +[prepare-synchronization tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). +The following operations are possible: + +- filtering out given rows; +- adding/removing days from specific date properties; +- merging columns together. + +### Examples + +#### Edit dates + +The following example sets all users' end dates to the end of the day instead of the morning. This +way, the end dates of users' permissions will be managed more easily. + +Technically speaking, Usercube implements a sort of extra-task between the export and +prepare-synchronization tasks of HR synchronization. 
The CSV files produced by the export task of +the connection `Directory` are to be transformed: Usercube will add 1 day to all dates between 1900 +and 2100, contained in the `ContractEndDate`, `PositionEndDate` and `EndDate` columns of the +`Directory_UserRecord` table. + +This date edition goes the other way around when loading data back to your systems: if Usercube adds +a few days when synchronizing, then it removes the same few days when using the synchronized data. + +``` + + + + + +``` + +#### Filter out rows + +The following example filters the CSV files produced by the export of the `Directory` connection, in +order to keep only German sites, i.e. the rows where `Identifier` starts with `DE_`. + +``` + + + + + +``` + +#### Merge columns together + +Consider the situation where users' organizations are defined in 4 levels. + +The following example merges the `Company`, `Subsidiary`, `Department` and `Team` columns of the +`Directory_UserRecord` table, output of the export of the `Directory` connection, in order to +concatenate the 4 properties into a single `FullOrganization` property. + +Setting `RemoveEmpty` to `true` means that rather than having an organization such as +`Contoso//HR/Payroll`, we will have `Contoso/HR/Payroll`. + +Setting `RemoveDuplicates` to `true` means that rather than having an organization such as +`Contoso/Contoso/HR/Payroll`, we will have `Contoso/HR/Payroll`. 
+ +``` + + + + + +``` + +### Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedDays optional | **Type** Float **Description** Number of days to add to the date column to be transformed, specified in `Column`, when the transformation type is `TransformDate`. The value can be negative, for example `-0.5` removes 12 hours from the date. | +| Column optional | **Type** String **Description** Column (case-sensitive) used as input of the filtering and the date editing transformations, and as output of the merging transformation. When defining an output, `Column` can be an existing column or a column to be created. | +| ConcatSeparator optional | **Type** String **Description** Separator used between the concatenated values, when the transformation type is `ConcatColumns`. | +| DatePattern optional | **Type** String **Description** Format of the transformed dates to be stored when the original object is not a date, when the transformation type is `TransformDate`. **Note:** for example we could need this property when using CSV files which store everything as strings, including dates. 
| +| InputColumn optional | **Type** String **Description** Column (case-sensitive) used as input when the transformation type is `TransformDate`, and as part of the input when the transformation type is `ConcatColumns`. **Note:** required for `ConcatColumns`. **Note:** when not specified for `TransformDate`, `Column` is used as input. | +| InputColumn2 optional | **Type** String **Description** Second (up to fifth) input column (case-sensitive) when the transformation type is `ConcatColumns`. | +| MaxYear optional | **Type** Int32 **Description** Year after which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| MinYear optional | **Type** Int32 **Description** Year before which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| RemoveDuplicates optional | **Type** Boolean **Description** `true` to keep only one of two identical and successive values, when the transformation type is `ConcatColumns`. | +| RemoveEmpty optional | **Type** Boolean **Description** `true` to ignore empty values, when the transformation type is `ConcatColumns`. | +| SortValues optional | **Type** Boolean **Description** `true` to sort the concatenated values by alphabetical order, when the transformation type is `ConcatColumns`. **Note:** concatenated values are sorted after duplicates are removed, when relevant. | +| Table optional | **Type** String **Description** Table on which the transformation is to be applied. **Note:** must be of the format `_` (case-sensitive). | +| Type required | **Type** ConnectionTransformationType **Description** Type of the transformation: **ConcatColumns**: concatenates `InputColumn` columns into `Column` with a separator defined in `ConcatSeparator`, potentially with additional transformation options among `RemoveDuplicates`, `RemoveEmpty`, `SortValues`. 
**TransformDate**: adds or removes a given number of days defined in `AddedDays` to/from the date stored in `InputColumn` or `Column`, only for dates between `MinYear` and `MaxYear`, in order to be stored in `Column` in the format defined by `DatePattern`. **WhereValue**: filters the rows based on a comparison with the `WhereOperator` and `WhereValue` arguments. | +| WhereOperator optional | **Type** ConnectionTransformationWhereValueOperator **Description** Operator of the comparison that filters out rows from the CSV file(s), when the transformation type is `WhereValue`: `Equals`; `NotEquals`; `Contains`; `CotContains`; `StartsWith`; `EndsWith`; `Regex`. | +| WhereValue optional | **Type** String **Description** Value (case-sensitive) that the content of `Column` will be compared to, when the transformation type is `WhereValue`. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md new file mode 100644 index 0000000000..240aea626b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md 
@@ -0,0 +1,77 @@ +# Connector + +Connectors provide the means by which Usercube communicates with managed platforms, applications and +systems. They describe how the data from these systems are mapped to the +[entity model](/docs/identitymanager/6.1/identitymanager/integration-guide/entity-model/index.md). + +A connector in most case represents an application model. It is composed of entities and +associations. + +> For example we can define an HR connector, with the following entities: Person, Department, +> Function, Location, etc. and with the following associations: Person-Department, Person-Site, +> Person-Manager(Person), etc. + +A connector is used to synchronize each of its entities and associations in Usercube's physical +model. A connector is defined with: + +- [entity types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md); +- [entity associations](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md); +- [entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + and + [entity association mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + to link the entity types and associations to the corresponding files and columns containing the + exported data from the managed system. + +## Examples + +The following example creates a `HR` connector on the agent called `Local` previously declared by +[an `` element](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md). 
+ +We create the right +[connections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +to use the connector as a +[CSV connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) +aiming to export HR CSV files into new CSV files in Usercube's format. + +The +[entity types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +model the resources as `HR_Person` or `HR_Organization`, defining properties. + +The +[entity type mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +link the entity types to the source files. + +The +[entity association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +creates a link between the two entity types. + +The +[entity association mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +links the association to the source files. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent optional | **Type** Int64 **Description** Identifier of the agent where the connector's tasks are launched. | +| CompleteJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the complete job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the complete job, setting that connector to `Used` for the complete job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| DisplayName_L1 required | **Type** String **Description** Connector DisplayName. | +| Identifier required | **Type** String **Description** Connector Identifier. | +| IncrementalJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the incremental job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. 
For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the incremental job, setting that connector to `Used` for the incremental job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| IsDeactivated default value: false | **Type** Boolean **Description** Indicates that the export and the provisioning are deactivated for this connector. | +| MaximumDeletedLines default value: 100 | **Type** Int32 **Description** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. | +| MaximumInsertedLines default value: 100 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. | +| MaximumLinkDeletedLines default value: 1000 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. | +| MaximumLinkInsertedLines default value: 1000 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. | +| MaximumUpdatedLines default value: 100 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. | +| MaxLinkPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxLinkPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted association links threshold in percent. 
| +| MaxPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 5 | **Type** Int32 **Description** Updated lines threshold in percent. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md new file mode 100644 index 0000000000..65348c08e0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md 
@@ -0,0 +1,25 @@ +# EntityAssociationMapping + +Contains all the +[Entity Association](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +that can be materialized in the Usercube physical model. An association mapping can be established +between two properties of the same entity type mapping or between two properties of different entity +type mappings having the same connector. See +[Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +to see how to configure an EntityAssociationMapping. + +## Properties + +| Property | Details | +| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| C0 optional | **Type** String **Description** In a ServiceNow connector, generic column used during provisioning to map the property to be provisioned (target property from the entity association mapping). This column stores the name of the table in ServiceNow in which the property exists. | +| Column1 required | **Type** String **Description** The column of EntityPropertyMapping1 in the association data source. | +| Column2 required | **Type** String **Description** The column of EntityPropertyMapping2 in the association data source. | +| ConnectionTable optional | **Type** String **Description** Association data source containing Column1 and Column2. Example: ConnectionTable="datasource" | +| Connector required | **Type** Int64 **Description** Id of the connector to which it is linked. | +| EntityPropertyMapping1 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. The property must be a unique key. 
| +| EntityPropertyMapping2 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. The property must be a unique key. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold in percent. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md new file mode 100644 index 0000000000..9786939852 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md 
@@ -0,0 +1,46 @@ +# EntityTypeMapping + +An entity type mapping links a given +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +properties with the source columns of the corresponding managed system. The entity type mapping +specifies the related +[connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +and the path to the CSV source file which contains, or will contain, the data exported from the +managed system. Each of its [properties](#properties) will define the corresponding source column +and specific options. + +An entity type mapping shares the same identifier as its related entity type. + +[See the example of a whole connector containing an entity type mapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md). + +## Properties + +| Property | Details | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| C0 optional | **Type** String **Description** In a Microsoft Entra ID connector (formerly Microsoft Azure AD), generic column used to map the entities to be exported. By default, Usercube exports: `user`; `group`; `directoryRole`; `servicePrincipal`. | +| ConnectionTable optional | **Type** String **Description** Name of the CSV file which contains, or will contain, the exported data from the corresponding entity type. | +| Connector optional | **Type** Int64 **Description** Identifier of the related connector. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold. 
Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. | +| MaximumUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold in percent. | + +## Child Element: Property + +Contains all the +[entity properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +of an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that can be synchronized into Usercube physical model. Each mapping share the same id as its +corresponding property in the entity type. 
+ +### Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionColumn optional | **Type** String **Description** Specifies the corresponding column in the entity type data source. | +| Format optional | **Type** String **Description** The format of the attribute in the external system. Ex: 1601date for LDAP Date. | +| IsPrimaryKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be the unique and immutable key that uniquely identifies any resource from the entity type, during synchronization. Each entity type mapping must have a primary key. It prevents duplicates and null resources. | +| IsUniqueKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the unique keys that uniquely identify any resource from the entity type in an association/navigation, during synchronization. Each entity type mapping can have up to three unique keys, in addition to the mapping key that already acts as such. **Note:** AD synchronization requires the `dn` property to have either `IsUniqueKey` or `EntityType` > `Property` > `IsKey` set to `true` (key property in the UI). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md new file mode 100644 index 0000000000..a7b0013538 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md @@ -0,0 +1,10 @@ +# Connectors + +- #### [Agent](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) +- #### [Connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +- #### [ConnectionTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +- #### [Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +- #### [ResourceTypeMappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +- #### [EntityAssociationMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +- #### [EntityTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +- #### [PasswordResetSettings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md new file mode 100644 index 0000000000..2a3bfeb301 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md 
@@ -0,0 +1,79 @@ +# PasswordResetSettings + +This set of password reset settings contains the configuration to perform password reset operations +such as change, reset, etc. + +## Examples + +The following example declares a password reset settings. + +``` + + + +``` + +### Password length and counts + +The following example makes Usercube generate a password with at least 12 characters in total, at +least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (16) is greater than the length (12), the password length will be the +count total (16). + +The following example makes Usercube generate a password with at least 12 characters in total, at +least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (4) is lower than the length (8), the password will be generated with 8 +characters, among them 1 lowercase character, 1 uppercase character, 1 digit, 1 symbol, and 4 more +random characters. + +The generated password's strength can also be checked via a regular expression (regex) through +`StrengthCheck`. Thus, the following example makes Usercube generate a password with at least 9 +characters including at least one digit, one lowercase letter, one uppercase and one special +character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutoGenerate default value: false | **Type** Boolean **Description** `true` to make Usercube generate the password automatically. 
| +| BeneficiaryEmailBinding optional | **Type** Int64 **Description** Binding to the email address property whose password is to be reset. | +| BeneficiaryFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the user(s) whose password is to be reset. | +| DefaultPassword optional | **Type** String **Description** Default password to set when `AutoGenerate` is set to `false`. | +| DisableNotifications default value: false | **Type** Boolean **Description** `true` to disable the mailing of notifications concerning password reset. | +| GeneratedDigitCharsCount default value: 2 | **Type** Int32 **Description** Number of digit characters in the password generated by Usercube when `AutoGenerate` is set to `true`. | +| GeneratedLength default value: 12 | **Type** Int32 **Description** Length of the password generated by Usercube when `AutoGenerate` is set to `true`. | +| GeneratedLowerCaseCharsCount default value: 6 | **Type** Int32 **Description** Number of lower case characters in the password generated by Usercube when `AutoGenerate` is set to `true`. | +| GeneratedSymbolCharsCount default value: 2 | **Type** Int32 **Description** Number of symbol characters in the password generated by Usercube when `AutoGenerate` is set to `true`. | +| GeneratedUpperCaseCharsCount default value: 2 | **Type** Int32 **Description** Number of upper case characters in the password generated by Usercube when `AutoGenerate` is set to `true`. | +| Identifier required | **Type** String **Description** Identifier of the set of password reset settings. | +| Mode default value: 0 | **Type** Int64 **Description** Mode used by the password reset service. `0` - Disabled. `1` - One-Way. `2` - Two-Way. | +| MustChange default value: false | **Type** Boolean **Description** `true` to force users to modify their passwords on the first login. 
| +| NotificationCC optional | **Type** String **Description** Email address to set as CC recipient of all password reset notifications. | +| NotifiedEmailBinding optional | **Type** Int64 **Description** Binding to the email address property of the person to be notified. | +| NotifiedFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the person to be notified. | +| StrengthCheck optional | **Type** String **Description** Regular expression (regex) that generated passwords must match, when `AutoGenerate` is set to `true`. **Note:** the strength of passwords set manually by users can be configured via [`PasswordTestsSetting`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md). | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md new file mode 100644 index 0000000000..51cfcffcc7 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md 
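Review bot: the `DefaultPassword` row of the password reset settings table documents a static password used when `AutoGenerate` is `false`, but does not say how that value is stored in the XML configuration or warn that resets under this setting share one password. Add a sentence recommending `MustChange` set to `true` whenever `DefaultPassword` is used (its documented default is `false`), and state whether the value is kept in clear text. The `Generated*CharsCount` rows should also say what happens when the four counts do not sum to `GeneratedLength`: the defaults (2 + 6 + 2 + 2) match the default length of 12, but the table never states that constraint.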
@@ -0,0 +1,25 @@ +# EasyVistaResourceTypeMapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CatalogCode required | **Type** String **Description** Code of the catalog. It is possible to define three catalog codes, one for each provisioning action (add, modify, delete) by separating them with `�`, for example `42�25�43`. | +| Connection required | **Type** String **Description** Identifier of the corresponding connection. | +| RecipientId required | **Type** String **Description** Identifier of the ticket's recipient. | +| Description optional | **Type** String **Description** File path of the template used for the generation of the ticket description. | +| ImpactId optional | **Type** String **Description** [Impact](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#impact) of the ticket. | +| SeverityId optional | **Type** String **Description** [Severity level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#severity-level) of the ticket. | +| TicketSynchroIsNotAvailable default value: false | **Type** Boolean **Description** `true` to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`. 
**Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| Title optional | **Type** String **Description** File path of the template used for the generation of the ticket title. | +| UrgencyId optional | **Type** String **Description** [Urgency level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#urgency-level) of the ticket. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md new file mode 100644 index 0000000000..5e67e023a5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md 
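Review bot: in the EasyVistaResourceTypeMapping properties table, the `CatalogCode` row shows the separator as a replacement character (`�`, example `42�25�43`), so a reader cannot tell which character separates the three catalog codes. Re-save the file as UTF-8 with the intended separator, or name the character in words. The `TicketSynchroIsNotAvailable` note also links to the `servicenow-ticket` package page from an EasyVista mapping; confirm that target is intended.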
@@ -0,0 +1,13 @@ +# ResourceTypeMappings + +- #### [AzureADResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/azureadresourcetypemapping/index.md) +- #### [EasyVistaResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md) + To create a ticket in EasyVista, some information need to be provided to the external system and + are configured through the XML configuration in the resource type mappings- #### + [LdapResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md) +- #### [ManualProvisioningResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md) +- #### [OktaResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md) +- #### [SapResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) +- #### [ScimResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md) +- #### [ServiceNowResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md) +- #### [SharePointResourceTypeMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md) 
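Review bot: in resourcetypemappings/index.md the list marker for LdapResourceTypeMapping is fused onto the end of the EasyVista description (`resource type mappings- ####`), so the Ldap link will render as a continuation of the EasyVista item instead of as its own entry. Move `- ####` to the start of the next line, end the description with a period, and fix the agreement in "some information need to be provided ... and are configured".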
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md new file mode 100644 index 0000000000..91dbbf7610 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md 
@@ -0,0 +1,18 @@ +# ManualProvisioningResourceTypeMapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | **Type** String **Description** Identifier of the corresponding connection. | +| TicketSynchroIsNotAvailable optional | **Type** Boolean **Description** `true` to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md 
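Review bot: in the ManualProvisioningResourceTypeMapping table, `TicketSynchroIsNotAvailable` is labelled `optional`, while the same property is labelled `default value: false` in the EasyVista and ServiceNow mapping tables of this patch. State the default here as well so the three pages agree. The row's note points to the `servicenow-ticket` package from a manual provisioning page; say whether the property has any effect for manual provisioning, or drop the note.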
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md new file mode 100644 index 0000000000..df77fef17e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md 
@@ -0,0 +1,36 @@ +# ServiceNowResourceTypeMapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +Any resource type linked to a ServiceNow connection must be configured with a set of parameters to +map the properties in Usercube with those in ServiceNow, for provisioning purposes. + +Below is an example of an incident ticket in ServiceNow, where relevant properties (from Usercube's +perspective) are emphasized: + +![ServiceNow Ticket Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/servicenow_example.webp) + +## Examples + +``` + + + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | **Type** String **Description** Identifier of the corresponding connection. | +| DefaultObjectClass optional | **Type** String **Description** Default object class used by the provisioner, for example `person`, `organizationalPerson`, `user`, etc. **Note:** multiple default object classes are separated with `
`. | +| PasswordResetSetting optional | **Type** String **Description** Identifier of the corresponding password reset setting. | +| TicketAdditionalInformation optional | **Type** String **Description** Information to add at the end of the description for all tickets created for this resource type. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketCallerId optional | **Type** String **Description** Attribute that corresponds to the identifier of the "caller" person in ServiceNow. **Note:** required when using the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketCategory optional | **Type** String **Description** Category in which new tickets will be created in ServiceNow for this resource type. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketImpact default value: Low | **Type** TicketImpact **Description** Impact of the ticket in ServiceNow: `Low`; `Medium`; `High`. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketSubCategory optional | **Type** String **Description** Subcategory in which new tickets will be created in ServiceNow for this resource type. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketSynchroIsNotAvailable default value: false | **Type** Boolean **Description** `true` to set synchronization as unavailable for this resource type. 
Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to `Verified`. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | +| TicketUrgency default value: Low | **Type** TicketUrgency **Description** Urgency of the ticket in ServiceNow: `Low`; `Medium`; `High`. **Note:** only used with the [package for tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/index.md new file mode 100644 index 0000000000..b9110cbb8b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/index.md 
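Review bot: in the ServiceNowResourceTypeMapping table, the `DefaultObjectClass` row has a literal line break inside the inline code span that is meant to show the separator, which splits the table row in two and leaves the separator unreadable. Write the separator as an escaped or named character. The examples in that row (`person`, `organizationalPerson`, `user`) are LDAP object classes, and the page intro is about an incident ticket, so confirm that `DefaultObjectClass` and `PasswordResetSetting` belong on this page and were not carried over from another mapping.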
@@ -0,0 +1,22 @@ +# XML Configuration Schema + +## Overview + +The XML configuration schema shows some similarities with the database schema but they are not the +same. + +## Family Entity Listing + +- #### [Access Control](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md) +- #### [Connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md) +- #### [Configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md) +- #### [User Interface](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md) +- #### [Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md) +- #### [Metadata](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md) +- #### [Notifications](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md) +- #### [Provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md) +- #### [Reporting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md) +- #### [Resources](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md) +- #### [Access Certification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md) +- #### [Business Intelligence](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md) +- #### [Workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md) 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md new file mode 100644 index 0000000000..94329a6eab --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md @@ -0,0 +1,11 @@ +# Jobs + +A job is defined via the `Job` tag to orchestrate tasks together, in order to perform specific +actions. + +All +[task types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) +are child elements of jobs. + +- #### [Job](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) +- #### [Tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md new file mode 100644 index 0000000000..61816a2206 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md 
@@ -0,0 +1,23 @@ +# Agent Tasks + +- #### [ActivityInstanceActorTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + Update the Actors for the workflows instances- #### + [CreateDatabaseViewsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + Generates entity model SQL views in the Usercube database.- #### + [ExportTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + Runs the specified connection's export.- #### + [FulfillTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes.- #### + [InvokeApiTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + Tool to launch any Usercube API.- #### + [InvokeAspectsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + Call specific api in Usercube.- #### + [InvokeExpressionTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + Launches on agent side a powershell script given as input.- #### + [InvokeSqlCommandTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection.- #### + 
[PrepareSynchronizationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + Cleanses exported CSV files. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md 
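Review bot: in agent/index.md every list marker after the first is fused onto the end of the previous description (for example `Update the Actors for the workflows instances- ####`), so only the first task has its own list item as written; the same text is repeated in tasks/index.md. Put each `- ####` at the start of its own line. The `InvokeApiTask` and `InvokeAspectsTask` summaries ("Tool to launch any Usercube API", "Call specific api in Usercube") do not distinguish the two tasks, and the `InvokeExpressionTask` summary should spell PowerShell and say where the input script comes from, since the task runs it on the agent.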
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md new file mode 100644 index 0000000000..f5feba53d2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md 
@@ -0,0 +1,122 @@ +# PrepareSynchronizationTask + +## View Behavior Details + +The task reads files from the source directory, usually the +[temp folder > ExportOutput](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +folder. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or an + [``](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + , a `.sorted.csv` file is generated, containing the final, cleansed and sorted result. +- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the +[work folder > Collect](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +directory. 
+ +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the + [_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Usercube can't match. Using managed systems for these +operations avoids generating heavy files and alleviates Usercube's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. + +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the +[_export directory_](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). +It will be used as a reference for the next _incremental_ Prepare-Synchronization to compute the +changes, if needed. + +Tampering with the `previous` folder content would result in false changes leading to false +computation. It would result in data corruption in the Usercube database. 
To restore the Usercube +database and reflect the managed system data updates, a _complete__Sync Up_ would be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent required | **Type** String **Description** Identifier of the agent on which the job will be launched. **Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| OpenIdClient required | **Type** String **Description** Connection client for the task. 
| +| SynchronizationMode required | **Type** DataCollectType **Description** Synchronization mode for collect and synchronization Task. List of Modes: - Initial = 0, - Complete = 1, - Incremental = 2 | +| ColumnName optional | **Type** String **Description** If there is a delta in the synchronization, specifies the column name which stores the command | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define the type of PrepareSynchronization to launch the correct executable in job. | +| WorkingDirectory optional | **Type** String **Description** Path of the working directory | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md new file mode 100644 index 0000000000..cbf0601513 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md 
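Review bot: the "Compute changes" section of PrepareSynchronizationTask warns that tampering with the `previous` folder corrupts the Usercube database, but gives no guidance on protecting that folder; say which account needs write access to the export directory and recommend restricting everything else. "Prepare the server" and "Send clean exports" state that the notification and the `.sorted` / `.sorted.delta` files travel "over HTTP"; state whether HTTPS is required, since these files carry data exported from the managed systems. Smaller points: `_complete__Sync Up_` is missing a space between the two emphasised words, "stored ... as three files" is followed by a per-entity-type file list, and the `Type` and `WorkingDirectory` rows list neither allowed values nor a default path.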
@@ -0,0 +1,99 @@ +# Tasks + +- #### [Agent Tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md) + +- #### [ActivityInstanceActorTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + Update the Actors for the workflows instances- #### + [CreateDatabaseViewsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + Generates entity model SQL views in the Usercube database.- #### + [ExportTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + Runs the specified connection's export.- #### + [FulfillTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. 
Instead of a connector it is + possible to launch it with a list of TaskResourceTypes.- #### + [InvokeApiTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + Tool to launch any Usercube API.- #### + [InvokeAspectsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + Call specific api in Usercube.- #### + [InvokeExpressionTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + Launches on agent side a powershell script given as input.- #### + [InvokeSqlCommandTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection.- #### + [PrepareSynchronizationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + Cleanses exported CSV files. +- #### [Server Tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md) + +- #### [BuildRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + Applies the role naming rules, i.e. 
generates single roles and navigation rules based on + resources matching a given pattern.- #### + [ComputeCorrelationKeysTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources.- #### + [ComputeRiskScoresTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + Update risk score with the risk settings.- #### + [ComputeRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job.- #### + [DeployConfigurationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete.- #### + [FulfillTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. 
Instead of a connector it is + possible to launch it with a list of TaskResourceTypes.- #### + [GenerateProvisioningOrdersTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders.- #### + [GetRoleMiningTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility.- #### + [InvokeExpressionTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + Launches on agent side a powershell script given as input.- #### + [InvokeSqlCommandTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection.- #### + [MaintainIndexesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + Index maintenance and statistics update for all database tables.- #### + [ManageConfigurationIndexesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + Manage indexes for items from configuration.- #### + 
[ProcessAccessCertificationItemsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + Process decisions on access certification items.- #### + [ResetValidFromTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00.- #### + [SavePreExistingAccessRightsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + During an initial installation of Usercube, data normally provided by Usercube or through a + derogation in the User Interface is already present in the application system.- #### + [SendAccessCertificationNotificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`.- #### + [SendNotificationsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + Task that sends a notification to each configured recipient.- #### + [SendRoleModelNotificationsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. 
pending the validation 1 out of 1.- #### + [SetAccessCertificationReviewerTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + Assign access certification items to users according to their profiles and the access control + rules.- #### + [SetInternalUserProfilesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode.- #### + [SetRecentlyModifiedFlagTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization.- #### + [SynchronizeTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Usercube database.- #### + [UpdateAccessCertificationCampaignTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + Starts or stops the access certification campaigns according to their `StartDate` and + `EndDate`.- #### + [UpdateClassificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job.- #### + 
[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md new file mode 100644 index 0000000000..7475abc5cb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md @@ -0,0 +1,27 @@ +# BuildRoleModelTask + +Applies the +[role mappings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md), +also named +[role naming rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md), +i.e. generates single roles and navigation rules based on resources matching a given pattern. + +> For example, this task can transform AD groups with a special naming convention into roles. + +## Examples + +The following example applies all role naming rules linked to the AD connector. + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Connector optional | **Type** String **Description** Identifier of the connector whose role mappings / role naming rules are to be applied. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md new file mode 100644 index 0000000000..5b241cf716 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md 
@@ -0,0 +1,79 @@ +# ComputeRoleModelTask + +This task applies all rules in the role model of all +[resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +whose source entity types are specified as child elements of the task. + +## Behavior Details + +### Property creation/update + +If the resource or property needs to be created or changed, the policy inserts a new line in one of +the following 3 tables: + +- Assigned resource types +- Assigned resource scalars +- Assigned resource navigation + +Their provisioning state will therefore increase to either 1 or 5. + +If the resource already exists in the database, then the policy checks whether the existing value is +the same as the computed value. If the existing value is the same as the computed value, then the +provisioning state goes to 4. + +### Notifications + +Executing the `ComputeRoleModelTask` will modify some roles' workflow states, and it will send a +notification for each of these roles being: + +- pending approval (1/1, 1/2, 2/2, 1/3, 2/3, 3/3); +- blocked because of a risk. + +## Examples + +The following example applies all rules in the role model concerning the entity types `HR_Service`, +`HR_Category`, `HR_Site` and `HR_Person`. + +``` + + + +``` + +### Ignore Archiving + +While archiving data for audits is part of the main purposes of Usercube, some elements can be +prevented from being archived, for example during Usercube's installation and initialization. + +The following example is similar to the previous one, except that the values prior to the changes on +assigned single roles, composite roles, resource types, scalar or navigation properties, or +binaries, will not be stored in the database. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| BlockAllResourceTypeProvisioning default value: false | **Type** Boolean **Description** `true` to force an additional mandatory review (on the **Provisioning Review** screen) of all provisioning orders for all resource types, no matter whether the resource types' `BlockProvisioning` boolean is set to `true` or `false`. | +| BlockProvisioning default value: false | **Type** Boolean **Description** `true` to block the provisioning policy orders. | +| Dirty default value: false | **Type** Boolean **Description** Initiate use only dirty resources. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| IgnoreHistorization default value: false | **Type** Boolean **Description** `true` to prevent Usercube from archiving the changes (resource creation, update, deletion) performed by the task. Impacted tables are: `UP_AssignedSingleRoles`, `UP_AssignedCompositeRoles`, `UP_AssignedResourceTypes`, `UP_AssignedResourceScalars`, `UP_AssignedResourceNavigations`, `UP_AssignedResourceBinaries`. 
| +| LdifFilePath optional | **Type** String **Description** Path to save the ldif file | +| UseLdif default value: false | **Type** Boolean **Description** to simulate or not into a ldif file | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md new file mode 100644 index 0000000000..d9ac31e6c3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md 
@@ -0,0 +1,23 @@ +# DeployConfigurationTask + +From a folder, retrieves all configuration xml files to calculate the configuration items to insert, +update or delete. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| ConfigurationDirectory required | **Type** String **Description** Directory of the configuration to import | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| GeneratedCodeNamespace optional | **Type** String **Description** The namespace of the generated code (entities + writer). | +| GeneratedCodePath optional | **Type** String **Description** The path of the generated code (entities + writer). | +| GeneratedFile optional | **Type** String **Description** The path of the xml file in which all the configuration is generated by the scaffoldings. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md new file mode 100644 index 0000000000..c7f13676fe --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md 
@@ -0,0 +1,74 @@ +# Server Tasks + +- #### [BuildRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + Applies the role naming rules, i.e. generates single roles and navigation rules based on + resources matching a given pattern.- #### + [ComputeCorrelationKeysTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources.- #### + [ComputeRiskScoresTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + Update risk score with the risk settings.- #### + [ComputeRoleModelTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job.- #### + [DeployConfigurationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete.- #### + [FulfillTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. 
Instead of a connector it is + possible to launch it with a list of TaskResourceTypes.- #### + [GenerateProvisioningOrdersTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders.- #### + [GetRoleMiningTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility.- #### + [InvokeExpressionTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + Launches on agent side a powershell script given as input.- #### + [InvokeSqlCommandTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection.- #### + [MaintainIndexesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + Index maintenance and statistics update for all database tables.- #### + [ManageConfigurationIndexesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + Manage indexes for items from configuration.- #### + 
[ProcessAccessCertificationItemsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + Process decisions on access certification items.- #### + [ResetValidFromTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00.- #### + [SavePreExistingAccessRightsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + During an initial installation of Usercube, data normally provided by Usercube or through a + derogation in the User Interface is already present in the application system.- #### + [SendAccessCertificationNotificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`.- #### + [SendNotificationsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + Task that sends a notification to each configured recipient.- #### + [SendRoleModelNotificationsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. 
pending the validation 1 out of 1.- #### + [SetAccessCertificationReviewerTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + Assign access certification items to users according to their profiles and the access control + rules.- #### + [SetInternalUserProfilesTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode.- #### + [SetRecentlyModifiedFlagTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization.- #### + [SynchronizeTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Usercube database.- #### + [UpdateAccessCertificationCampaignTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + Starts or stops the access certification campaigns according to their `StartDate` and + `EndDate`.- #### + [UpdateClassificationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job.- #### + 
[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md new file mode 100644 index 0000000000..ae60d929a5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md @@ -0,0 +1,17 @@ +# ManageConfigurationIndexesTask + +Manage indexes for configuration items with the +tool[Usercube-Manage-ConfigurationDependantIndexes](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md). + +## Examples + +``` + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md new file mode 100644 index 0000000000..44eb66735b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md @@ -0,0 +1,36 @@ +# SendNotificationsTask + +Task that sends all the custom notifications defined by the +[`Notification`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) +XML tag. + +## Examples + +The following example, included in a job potentially scheduled periodically, will send all custom +notifications defined via `Notification` such as the example below. The task will send the +notifications concerning the `Directory_User` entity type. + +``` + + + +Knowing that we have for example: + + +``` + +## Properties + +| Property | Details | +| -------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchSize default value: 0 | **Type** Int32 **Description** Block size for batch calculation. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | 
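Review bot: The fenced block under Examples contains no XML, only the sentence "Knowing that we have for example:", so the paragraph above it promises a `SendNotificationsTask` example and a matching `Notification` definition that the page never shows. Restore both XML fragments, put each in its own fence, and move the sentence out of the code block so it renders as prose between them. In the Properties table, "language 1 (up to 16)" reads like a length limit; if it means that further `DisplayName_L*` attributes exist, say so explicitly.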
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md new file mode 100644 index 0000000000..86766bfafc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md 
@@ -0,0 +1,43 @@ +# SetInternalUserProfilesTask + +Will execute the profile rules of the different resource types given in parameters to create, modify +or delete profiles in automatic mode. + +It is necessary to set up +[ProfileRuleContext](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) +as well as +[profileRules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +to be able to use this job. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | + +## Child Element: TaskResourceType + +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + +| Property | Details | +| --------------------- | ------------------------------------------------------ | +| ResourceType required | **Type** Int64 **Description** Linked resourceType id. | 
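Review bot: In the prerequisites sentence the link text and targets do not line up: `ProfileRuleContext` points to `access-control/profilecontext/index.md`, while `profileRules` points to `access-control/profilerulecontext/index.md`. Please confirm the intended targets and make the link text match the page each link opens, since a reader setting up automatic profile assignment will follow these to the wrong topic. The same sentence says "to be able to use this job" on a page that documents a task, and the Examples fence is empty, so the `TaskEntityType` and `TaskResourceType` child elements described below have no usage shown.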
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md new file mode 100644 index 0000000000..3e9614782b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md 
@@ -0,0 +1,31 @@ +# SetRecentlyModifiedFlagTask + +When synchronizing in full or incremental mode, it is possible to optimize the compute performance +of the role model by taking into account only the changes made by the synchronization. This +optimization is based on the `dirty` property of the entity +[Resource](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md). +The task +[Usercube-Compute-RoleModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +with option `dirty` set to `true` will treat only resources marked as dirty. + +This task is used to set the `dirty` flag on all resources based on +[ResourceChange, ResourceLinkChange and ResourceFileChange entities](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md). +After this, it clears this changes tables. + +This task works correctly only if **previous synchronization tasks have not cleared the change +tables** (option `DoNotDeleteChanges` set to `true`). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md new file mode 100644 index 0000000000..34a0a853ba --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md 
@@ -0,0 +1,31 @@ +# SynchronizeTask + +Retrieves the files generated by the +[prepare-synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +to insert the data into the Usercube database. + +For more information on how the Synchronization works, see +[Sync Up](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +Collection must be done by the +[PrepareSynchronizationTask](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------- | ------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| DoNotDeleteChanges default value: false | **Type** Boolean **Description** Do not delete change in the change tables. | +| ForceSynchronization default value: false | **Type** Boolean **Description** Force the synchronization | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Orphans default value: false | **Type** Boolean **Description** Save orphans in a CSV output file | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define type of prepare synchronization. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md new file mode 100644 index 0000000000..d42ea12be5 
--- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md @@ -0,0 +1,23 @@ +# UpdateAccessCertificationCampaignTask + +Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. The +task also computes the Access Certification Items to certify (applying +[Access Certification Data Filter](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) +and +[Access Certification Owner Filter](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md)), +and fill the database with them. + +## Examples + +``` + + < + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md 
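Review bot: In updateaccesscertificationcampaigntask/index.md the Examples fence contains only a stray `<` on its own line, which looks like the remains of an XML element that was lost. Restore the full `UpdateAccessCertificationCampaignTask` element or remove the fragment, because a lone `<` gives the reader nothing to copy. In the description, "and fill the database with them" should read "fills" to agree with "Starts or stops" and "computes".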
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md new file mode 100644 index 0000000000..a3b752daf2 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md 
@@ -0,0 +1,47 @@ +# Dimension + +A dimension is an +[Entity Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +used to define an organizational filter for the Usercube role model. + +## Examples + +The following XML fragment defines the dimension `Organization0`. The dimension values are of +`Directory_Organization` type. The `ColumnMapping` attribute specifies the column (0 to 127) used to +store the dimension value in the assignment rule tables. + +``` + + + +``` + +Some types of entities can be organized in a hierarchical tree structure. Thus, for example, +organizational units form a tree structure modeled by a `Parent` navigation property that links the +entity type to itself. It is possible to use the hierarchical aspect of a dimension in an assignment +rule criterion. For example, the assignment must be extended to the whole subunits of a department. +Such a dimension must be declared as a hierarchical dimension by specifying the attribute +`IsHierarchical="true"`. + +``` + +... + ... + + +``` + +The attribute `ParentProperty` specifies the navigational property defining the hierarchy (`Parent` +is the navigation property that links the `Directory_Organization` type to itself). + +## Properties + +| Property | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnMapping required | **Type** Int32 **Description** Specifies the corresponding column in the role model rules. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the dimension in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** References the linked entity type. | +| Identifier required | **Type** String **Description** Unique identifier of the dimension. 
| +| IsExcludedFromRoleMining default value: false | **Type** Boolean **Description** `true` to exclude the dimension from role mining. It means that the dimension is not used as a criteria in the generated rules. | +| IsHierarchical default value: false | **Type** Boolean **Description** `true` to define a hierarchical dimension. **Note:** Cannot be used without `ParentProperty`. | +| ParentProperty optional | **Type** Int64 **Description** Specifies the navigational property defining the hierarchy. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md new file mode 100644 index 0000000000..35ac199401 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md 
@@ -0,0 +1,40 @@ +# EntityAssociation + +An entity association is used to model an association in Usercube's metadata. See the +[example of a whole connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +with its entity properties and associations. + +## Examples + +The following example associates one title (as a property from the entity type +`Directory_UserRecord`) with several user records (as a property from the entity type +`Directory_Title`). + +``` + + + +``` + +### Many-to-many association + +The following example associates SAB users with groups, with the possibility to link one group to +several users, and one user to several groups. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| DisplayName_L1 optional | **Type** String **Description** Display name of the association in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the association. It must be unique to the entity model scope. | +| IsProperty1Collection default value: false | **Type** Boolean **Description** `true` to define a many-to-one association. | +| IsProperty2Collection default value: false | **Type** Boolean **Description** `true` to define a one-to-many association. | +| Property1 required | **Type** Int64 **Description** Defines the first navigation property. 
A navigation property can be mono-valued or multi-valued (with its corresponding `IsPropertyCollection` set to `true`). Mono-valued navigation properties may be optimized (with a `TargetColumnIndex`) or not (without `TargetColumnIndex`). See more details under the TargetColumnIndex section of the [entity type property](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s page. | +| Property2 required | **Type** Int64 **Description** Defines the second navigation property. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md new file mode 100644 index 0000000000..efa1c0f95d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md 
@@ -0,0 +1,29 @@ +# EntityPropertyExpression + +An entity property expression is a property computed from a binding and/or +[C#](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) or +[literal](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) +expressions. + +## Examples + +The following example computes the record display name. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | **Type** Int64 **Description** References the binding used to compute the result. | +| EntityType required | **Type** Int64 **Description** Identifier of the referenced entity type | +| Expression optional | **Type** String **Description** References the C# or literal expression used to compute the result. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Identifier required | **Type** String **Description** Unique identifier of the expression. | +| Priority default value: 0 | **Type** Int32 **Description** Specifies the execution priority. | +| Property required | **Type** Int64 **Description** Identifier of the referenced entity property | +| PropertyCriteria optional | **Type** Int64 **Description** References the property criteria used to compute navigation properties. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md new file mode 100644 index 0000000000..7e117af005 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md 
@@ -0,0 +1,79 @@ +# EntityType + +Represents a conceptual model of a business object, such as a person entity or an organization +entity. See +[Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +on how to configure define an EntityType. + +## Properties + +| Property | Details | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity type in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the entity type. It must is be unique to the _entity model_ scope. Cannot be a [reserved identifier](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md). | +| LicenseTag optional | **Type** String **Description** Value of the `Tag` parameter of the license key (in `appsettings.json`) linked to the entity type. All the features allowed by the license key are enabled for this entity type, otherwise only default features are available. | +| TableName optional | **Type** String **Description** Represents the table name of hard coded entity types. Exclusively reserved to Usercube connector for Power BI. | + +## Child Element: Property + +An entity property represents a property of an Entity Type. See +[Connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +on how to configure/define an EntityProperty. + +### Examples + +#### Populate navigational property from non primary key + +Some configuration elements will be linked to an entity whose id is not known at configuration time. +In this case, another key must be used. 
On each entity type property, the `IsKey` attribute +specifies that the property can be used as a key during configuration import. + +For example, the _Code_ property of the _Title_ entity type is marked as a key. + +``` + + ... + + +``` + +All _Title_ instances will be replicated from a managed system. So, at configuration time, +Usercube's internal primary key for this _Title_ is not known. + +We hence cannot write a _SingleRoleRule_ with a Dimension criteria based on _Title_ as the primary +key. + +We can however, use a non-primary key, that is known in advance, because it depends on the managed +system's data and not on Usercube. + +For example, the below `Dimension1` attribute references a _Title_ entity by its _Code_ value. + +``` + + + +``` + +#### Changing the multiplicity of a property + +It is sometimes necessary to change the multiplicity of a property (Scalar property to Navigation +property or vice-versa). As long as the property was not used in any workflow, this can be properly +handled by `Deploy-Configuration.exe`. If it _was_ used in one or more workflows, foreign key +conflicts (in UW_Changes database table) may occur, preventing the configuration from being +deployed. To solve this problem, references to this property must be manually cleaned up with SQL +queries directly in the database before deploying the configuration. 
+ +### Properties + +| Property | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the property in language 1 (up to 16). **Note:** cannot be "Id". | +| FlexibleComparisonExpression optional | **Type** String **Description** Expression used to transform the query input value for comparison using a flexible operator. | +| GroupByProperty optional | **Type** Int64 **Description** Property used to regroup navigation resources (resources used in navigation rules) by value. When defined, the Evaluate policy will enforce that one and only one item of a group can be assigned to an identity on a given date range. **Warning:** whenever the value of this property changes for a resource used in the defined navigation rules, the server needs to be restarted in order for the changes to be taken into account. | +| HistoryPrecision default value: 0 | **Type** Int32 **Description** Defines the number of minutes to wait, after a property change, before triggering the record history mechanism. 
| +| Identifier required | **Type** String **Description** Unique identifier of the property. It must be unique to the parent entity type scope. Cannot be a [reserved identifier](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md) and can only contain numbers (except the first character) and letters without accents. **Note:** cannot be "Id". | +| IsKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the keys that uniquely identify any resource from the entity type in the configuration. Each entity type must have at least one key. **Note:** AD synchronization requires the `dn` property to have either `IsKey` or `EntityTypeMapping` > `Property` > `IsUniqueKey` set to `true` (key property in the UI). | +| Language optional | **Type** Int64 **Description** Language associated to the property if it is localized (optional). | +| NeutralProperty optional | **Type** Int64 **Description** Neutral property associated to the property if it is localized (optional). | +| TargetColumnIndex default value: -1 | **Type** Int32 **Description** Specifies the corresponding column in the resource entity. `0` to `3`: scalar property whose value exceeds 443 characters. `4` to `127`: scalar property whose value does not exceed 443 characters (or optimized mono-valued navigation property : see note). `128` to `152`: optimized mono-valued navigation property only. `-1`: non-optimized mono or multi-valued navigation property (stored in `UR_ResourceLink`), or binary (stored in `UR_ResourceLink`). **Note:** optimized mono-valued navigation properties should have their `TargetColumnIndex` between 128 and 152 included to be fully optimized. However, if all are already taken, `TargetColumnIndex` from 0 to 127 included (usually for scalar properties) may also be used. In this case the first available `TargetColumnIndex` in ascending order should be used. 
| +| Type default value: 0 | **Type** EntityPropertyType **Description** Property type. `0` - **String**. `1` - **Bytes**. `2` - **Int32**. `3` - **Int64**. `4` - **DateTime**. `5` - **Bool**. `6` - **Guid**. `7` - **Double**. `8` - **Binary**. `9` - **Byte**. `10` - **Int16**. `12` - **ForeignKey**: indicates a navigation property, i.e. a property related to an association between entities. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md new file mode 100644 index 0000000000..e6e709e1a1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md @@ -0,0 +1,10 @@ +# Metadata + +- #### [AccessControlEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md) +- #### [Binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) +- #### [Dimension](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +- #### [EntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +- #### [EntityPropertyExpression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) +- #### [EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- #### [Language](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +- #### [Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) 
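Review bot: In metadata/index.md every list item wraps its link in a level-4 heading (`- #### [AccessControlEntityType](...)` and the seven entries after it). Headings inside list items add eight entries to the page outline for what is a plain index, and they render inconsistently across Markdown processors. Use plain list items with the link only, unless the site theme depends on this pattern, in which case a short comment saying so would help the next editor.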
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md new file mode 100644 index 0000000000..4e39282192 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md 
@@ -0,0 +1,61 @@ +# AppDisplaySetting + +This setting is used to customize the application display. + +## Examples + +### Set colors, logos and names + +The following example sets: + +- "Netwrix Usercube" as name of the application visible on the tabs; +- the logo to be displayed in the top left corner; +- the favicon to be displayed on the tabs; +- the **banner color**, **banner gradient color**, **banner selected tab color**, **banner text + color**, **primary color** and **secondary color**. + +``` + + + +``` + +![AppDisplay - Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_tab_v603.webp) + +![AppDisplay - Basic Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp) + +![AppDisplay - Authentication](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp) + +### Disable counters + +The following example disables the counters that are usually visible on the dashboard: + +> ![AppDisplay - Without Counters](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp) + +``` + + + +``` + +![AppDisplay - Without Counters](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp) + +## Properties + +| Property | Details | +| ------------------------------------------------ | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationName optional | **Type** String **Description** Name of the application, visible on the application's tabs. | +| BannerColor optional | **Type** String **Description** HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerGradientColor optional | **Type** String **Description** HEX code of the color for the banner's gradient to be visible at the middle of the banner. | +| BannerSelectedTabColor optional | **Type** String **Description** HEX code of the color for the line that emphasizes the selected tab. | +| BannerTextColor optional | **Type** String **Description** HEX code of the color for the banner's text. | +| DisableProvisioningCounters default value: false | **Type** String **Description** `true` to disable the counters related to the administration screens: **Role Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and **Manual Provisioning**. | +| FaviconFile optional | **Type** String **Description** Path of the favicon to be displayed in the application's tabs. | +| FaviconMimeType optional | **Type** String **Description** Mime type of the favicon. | +| FullNameSeparator default value: � | **Type** String **Description** Separator of the full name. | +| Identifier default value: AppDisplay | **Type** String **Description** Unique identifier of the setting. | +| LogoFile optional | **Type** String **Description** Path of the logo to be displayed in the top left corner. | +| LogoMimeType optional | **Type** String **Description** Mime type of the logo. | +| Preview optional | **Type** String **Description** Documentation unavailable. 
| +| PrimaryColor optional | **Type** String **Description** HEX code of the color for the highlighted buttons. | +| SecondaryColor optional | **Type** String **Description** HEX code of the color for the background of the authentication screen. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md 
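Review bot: Both code fences under "Examples" in the new appdisplaysetting/index.md are empty, so neither "Set colors, logos and names" nor "Disable counters" shows the configuration that the surrounding text and screenshots describe; restore the XML snippets before merging. In the Properties table, `FullNameSeparator default value: �` carries a replacement character where the real default should be, `DisableProvisioningCounters` is typed String although it is documented as `true`/`false` with a default of false, and `Preview` reads "Documentation unavailable". The first example also still names the application "Netwrix Usercube" in a page that now lives under identitymanager, so confirm that is intended.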
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md new file mode 100644 index 0000000000..1a2e91833f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md 
@@ -0,0 +1,26 @@ +# Settings + +- #### [AppDisplaySetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) + This setting is used to customize the application display.- #### + [ConfigurationVersionSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md) + Used to track the current configuration version.- #### + [CustomLink1Setting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md) + Used to display a given static HTML file to a custom URL address.- #### + [CustomLink2Setting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md) + Used to display a given static HTML file to a custom URL address.- #### + [DashboardItemNumberSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md) + Used to customize the number of links to display on each section on the Dashboard. If no value + is defined, the default value is 3. 
The value must be greater than 0 and less than or equal to + 5.- #### + [MailSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md) +- #### [PasswordGenerationSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md) +- #### [PasswordTestsSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md) + This setting enables a check on the passwords set manually by users.- #### + [SchedulingCleanDataBaseSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md) + If the default value for the Task CleanDataBase needs to be overridden.- #### + [SelectAllPerformedByAssociationQueryHandlerSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md) + This setting enables task delegation to a group of people.- #### + [SelectPersonasByFilterQueryHandlerSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md) + This setting is used to filter the entity type used by authentication mechanism.- #### + [SelectUserByIdentityQueryHandlerSetting](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md) + This attribute matches an end-user with a resource from the unified resource repository. 
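Review bot: In the new settings/index.md, the list-item marker of each following entry is fused onto the end of the previous description (`...customize the application display.- ####`, `...less than or equal to + 5.- ####`), with the link pushed to the next line, so most entries will render as one run-on paragraph with literal `- ####` text instead of separate items. Put each `- #### [Name](...)` on its own line with the description indented beneath it. The MailSetting and PasswordGenerationSetting entries have no description at all, and the SelectUserByIdentityQueryHandlerSetting summary says "unified resource repository" where the page itself says "central repository"; pick one term.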
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md new file mode 100644 index 0000000000..80a8ebc849 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md 
@@ -0,0 +1,25 @@ +# PasswordTestsSetting + +This setting enables a check on the passwords set manually by users. + +The strength of passwords generated by Usercube can be configured via +[`PasswordResetSettings`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md)'s +`StrengthCheck`. + +## Examples + +The following example encourages users to choose a strong password with at least 9 characters +including at least one digit, one lowercase letter, one uppercase and one special character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier default value: PasswordTests | **Type** String **Description** Unique identifier of the setting. | +| PasswordRegex optional | **Type** String **Description** Regular expression(s) (regex) that users' passwords must match to be acceptable when set manually. When setting several regex, passwords must match all of them to be considered strong, and 70% to be considered average. Below that, a password is considered weak and cannot be confirmed. **Default value:**`'^..*$', '^...*$', '^....*$', '^.....*$', '^......*$', '^.......*$', '^........*$', '^.........*$', '^..........*$', '^.*[0-9].*$', '^.*[a-z].*$', '^.*[A-Z].*$', '^.*[^A-Za-z0-9].*$'` | 
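Review bot: In the `PasswordRegex` row of the new passwordtestssetting/index.md, the scoring rule ("must match all of them to be considered strong, and 70% to be considered average") is not worked through for the documented default, and the result is looser than the example text implies. Nine of the 13 default expressions test length only (one to nine characters), so a nine-character password drawn from a single character class already matches 10 of 13 and is rated average rather than weak, while the Examples paragraph speaks of "at least one digit, one lowercase letter, one uppercase and one special character". State explicitly that average passwords can be confirmed, whether the 70% threshold is inclusive and how it is rounded, and recommend a stricter expression list for deployments that need all four character classes enforced. The example code fence is also empty, and `**Default value:**` runs straight into the opening backtick.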
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md new file mode 100644 index 0000000000..3fd3e983a1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md 
@@ -0,0 +1,58 @@ +# SelectUserByIdentityQueryHandlerSetting + +This attribute matches an end-user with a resource from the central repository. + +Authorization mechanisms within Usercube rely on assigning a profile to a resource that stands for +the end-user digital identity. + +To that end, end-user authentication credentials are linked to such an identity using the following +pattern: + +1. authentication credentials are retrieved; +2. authentication credentials are trimmed using the `AfterToken` and/or `BeforeToken` attributes; +3. the trimmed result is matched against the `ResourceIdentityProperty` of resources with the entity + type specified by `OwnerEntityType`; +4. the matching resource is used to find a profile and authorization for that digital identity. + +After modifying the authentication mode via `SelectUserByIdentityQueryHandlerSetting`, Usercube +server must be restarted. On a SaaS environment, contact your Usercube administrator. + +## Examples + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[Integrated Windows Authentication](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). +In that case, the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Usercube. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| AfterToken optional | **Type** String **Description** Second character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| BeforeToken optional | **Type** String **Description** First character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| Identifier default value: SelectUserByIdentityQueryHandler | **Type** String **Description** Unique identifier of the setting. | +| OwnerEntityType optional | **Type** String **Description** Entity type of the resources used to store digital identities within Usercube. | +| OwnerPhotoTagProperty optional | **Type** String **Description** Photo property for Usercube users. | +| ResourceDisplayNameProperty optional | **Type** String **Description** Property used for displaying login data at the top right of the application. | +| ResourceIdentityProperty optional | **Type** String **Description** Identity-resource property supposed to match the authentication login used by the end-user. | 
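Review bot: In the Examples section of the new selectuserbyidentityqueryhandlersetting/index.md, the code fence is empty, so the `AfterToken` value that is supposed to turn `DOMAIN/userName` into `userName` is never shown, and this is the one setting on the page that decides which resource an authenticated login maps to. Restore the XML and confirm the separator while doing so: Windows down-level logon names are written `DOMAIN\userName`, and the token has to match the character the server actually receives. In the Properties table, `AfterToken` is described as the "Second character" and `BeforeToken` as the "First character" with otherwise identical text; describe each in terms of what it removes. Step 3 of the pattern should also say what happens when no resource, or more than one, matches the trimmed login, and the opening sentence calls the setting "This attribute".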
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md new file mode 100644 index 0000000000..0b810d4f4a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md @@ -0,0 +1,5 @@ +# Notifications + +- #### [Notification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) +- #### [Notifications (Typed)](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md) +- #### [NotificationTemplate](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md new file mode 100644 index 0000000000..c4acf54804 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md 
@@ -0,0 +1,41 @@ +# Notification + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the +[`SendNotificationsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) +as part of a job. + +## Examples + +The following example defines a notification to inform/remind managers of the arrival of new +employees in their team. + +The notification is built based on: + +- the template `Notification.cshtml`; +- the styles `Notification.css`; +- the subject defined by `TitleExpression`. + +The notification is sent for each new user, i.e. each user whose contract start date is in the +future. The notification is sent to the new user's manager(s). + +The notification will be sent again as a reminder after 7 days, by the next `SendNotificationsTask`. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression` and `QueryFilterExpression`. 
| +| QueryFilterExpression optional | **Type** String **Description** C# expression that returns a Usercube Squery in order to define the sending condition of the notification. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| RecipientMailBinding optional | **Type** Int64 **Description** Binding of the property that corresponds to the email addresses that will receive the notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md new file mode 100644 index 0000000000..e2410812d9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md 
@@ -0,0 +1,36 @@ +# AccessCertificationNotification + +Reminder notification concerning access certification. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for access certification (on resources from `Directory_User`) and have +not yet performed the action. The email's content and styles are those from the original +notification, but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md new file mode 100644 index 0000000000..5a52a99366 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md 
@@ -0,0 +1,12 @@ +# Notifications (Typed) + +- #### [AccessCertificationNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md) + Reminder notification concerning access certification.- #### + [ManualProvisioningNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md) + Reminder notification concerning manual provisioning.- #### + [ProvisioningReviewNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md) + Reminder notification concerning provisioning review.- #### + [RolePolicyNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md) + Reminder notification concerning role model tasks.- #### + [RoleReviewNotification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md) + Reminder notification concerning role review. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md new file mode 100644 index 0000000000..779df640d3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md 
@@ -0,0 +1,36 @@ +# ManualProvisioningNotification + +Reminder notification concerning manual provisioning. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for manual provisioning (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md new file mode 100644 index 0000000000..2168b216cb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md 
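Review bot: The ReminderInterval row in manualprovisioningnotification/index.md gives the unit as minutes with a default of 0, while the example text above it speaks of a reminder "after 2 days", and nothing says what 0 means. State in the row whether 0 disables the reminder or sends it at the next `SendNotificationsTask`, and have the example prose give the interval in minutes (2 days is 2880) so a reader does not enter `2`. The same row text appears in the ProvisioningReviewNotification and RoleReviewNotification pages added alongside.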
@@ -0,0 +1,36 @@ +# ProvisioningReviewNotification + +Reminder notification concerning provisioning review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for provisioning review (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md new file mode 100644 index 0000000000..5c5f9e95ad --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md 
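Review bot: The CssTemplate and RazorTemplate rows in provisioningreviewnotification/index.md say the path "must be relative to the configuration folder, and the file must be inside it" but not what happens otherwise. Since these paths select the files used to render outgoing email, say whether an absolute path or one that leaves the folder is rejected when the configuration is loaded or only fails when the notification is sent. The two **Note:** sentences are also repeated word for word in both rows and could be stated once under the table.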
@@ -0,0 +1,36 @@ +# RoleReviewNotification + +Reminder notification concerning role review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for role review (on resources from `Directory_User`) and have not yet +performed the action. The email's content and styles are those from the original notification, but +the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md new file mode 100644 index 0000000000..2d387cf9a3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md 
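Review bot: The Properties table in rolereviewnotification/index.md folds type and description into a single Details cell ("**Type** String **Description** ..."), while the NotificationTemplate page in this same change uses separate Type and Description columns. Pick one layout for the notification pages; the three-column form keeps the type scannable and avoids the bold inline labels.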
@@ -0,0 +1,44 @@ +# NotificationTemplate + +A notification template is used to overwrite the subject and/or body of a native notification with +personalized templates. + +Usercube natively sends notifications for usual cases. + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +notification templates. See the +[ Native Notifications ](/docs/identitymanager/6.1/identitymanager/integration-guide/notifications/native/index.md)topic +for additional information. + +## Examples + +The following example overwrites the template of the notification provided by Usercube for role +review. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following example defines a template for the notification's subject. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// WorkflowReviewRolesSummary_Subject.cshtml +@using Usercube.Application.DeltaProvisioning.Notification +@model WorkflowReviewRolesSummary +Review Roles - @(@Model.AssignedCompositeRoles.Any() ? @Model.AssignedCompositeRoles.FirstOrDefault().Owner.FullName : @Model.AssignedSingleRoles.FirstOrDefault().Owner.FullName) +``` + +## Properties + +| Property | Type | Description | +| --------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BodyTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). 
**NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | +| Identifier required | String | Identifier of the native notification to adjust, among: - `BlockedProvisioningInformations` - `OneWayPasswordReset` - `PendingAccessCertificationModel` - `PerformManualProvisioningSummary` - `RolePolicySummary` - `RunJobNotification` - `TwoWayPasswordReset` - `WorkflowReviewProvisioningSummary` - `WorkflowReviewRolesSummary` | +| SubjectTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's subject template in language 1 (up to 16). **NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md new file mode 100644 index 0000000000..0fa896a940 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md 
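Review bot: Both examples in notificationtemplate/index.md are introduced with "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line", but the page configures a notification template, and the Razor snippet shown contains no `<>` placeholders and is not a command. Remove that sentence or reword it for configuration files. The text also still says "Usercube natively sends notifications" and "provided by Usercube" although the file now lives under docs/identitymanager, and the link "[ Native Notifications ](...)topic" needs the padding inside the brackets removed and a space before "topic".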
@@ -0,0 +1,100 @@ +# Automation Rule + +Automation rules make automatic decisions instead of the reviewer on assignments that still need to +be reviewed after a given waiting period. + +There are distinct types of automation rules: + +- A composite role automation rule targets the assigned composite roles corresponding to a given + composite role. + + `CompositeRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `CompositeRole`, and requires specifying the `CompositeRole` property; + +- A single role automation rule targets the assigned single roles corresponding to a given single + role. + + `SingleRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `SingleRole`, and requires specifying the `SingleRole` property; + +- A resource type automation rule targets the assigned resource types corresponding to a given + resource type. + + `ResourceTypeAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `ResourceType`, and requires specifying the `ResourceType` property; + +- A category automation rule targets the assigned roles and resource types corresponding to a given + category and a given entity type. + + `CategoryAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Category`, + and requires specifying the `Category` and `EntityType` properties; + +- A policy automation rule targets the assigned roles and resource types corresponding to a given + policy and a given entity type. + + `PolicyAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Policy`, and + requires specifying the `Policy` and `EntityType` properties. + +_Remember,_ Netwrix recommends always using the typed syntax. + +For example, you should always use `SingleRoleAutomationRule`, rather than `AutomationRule` with +`Type` set to `CompositeRole`. + +All these rules target the assignments which have a specific workflow state which is specified in +the rule. 
+ +Automation rules can also specify dimensions. + +One assignment should be involved in the decision of only one automation rule. However, one +assignment can easily be targeted by several automation rules. In this case, the Provisioning Policy +algorithm prioritizes the most specific rule. + +For example, considering an assigned composite role, Usercube's algorithm prioritizes a composite +role automation rule, before a category automation rule, before a policy automation rule. + +After this prioritization, when an assignment is still targeted by several rules due to dimensions, +then Usercube prioritizes a rule implying a decline decision. + +## Examples + +In the following example, the two first rules are equivalent (except for the workflow state's +value), but the second one shows the preferred syntax. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the first of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the second of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "BO028" single role, which are waiting for their required approval for more than one hour: +     +    This rule approves all the assignments of the "SAB_User_NominativeUser" resource type, which are waiting for their required approval for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "IT Administration" category, which are waiting for the first of two required approvals for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during a synchronization without a linked automatic 
rule, for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during the first synchronization without a linked automatic rule, for more than one hour: +     + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------ | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | Int64 | Identifier of the category targeted by the rule. | +| CompositeRole optional | Int64 | Identifier of the composite role targeted by the rule. | +| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the assignments targeted by the rule. | +| Decision default value: 0 | AutomationRuleDecision | Decision to apply on the targeted assignments. 0 - Approve. 1 - Decline. | +| EntityType required | Int64 | Identifier of the entity type targeted by the rule. 
This property should not be specified when writing an automation rule among the following: composite role automation rule; single role automation rule; resource type automation rule. These rules imply the entity type. | +| HoursToWait default value: -1 | Int32 | Waiting period (in hours) from the most recent change in the workflow state of the assignments, before the decision can be applied. | +| L0 default value: false | Boolean | True to indicate that the rules targets the assignments with not only the dimension 0 (up to 127), but also this dimension's child elements. | +| Policy optional | Int64 | Identifier of the policy that the rule is part of. | +| ResourceType optional | Int64 | Identifier of the resource type targeted by the rule. | +| SingleRole optional | Int64 | Identifier of the single role targeted by the rule. | +| Type required | AutomationRuleType | Object type targeted by the rule. 0 - CompositeRole. 1 - SingleRole. 2 - ResourceType. 4 - Category. 5 - Policy. | +| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. `0` - **None**: used for Usercube's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Usercube's rules. 
![Workflow State: Calculated](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined. See the [ Reconcile a Property ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. ![Workflow State: Cancellation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. See the [ SingleRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Suggested](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. See the [ SingleRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. _Remember,_ the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. 
See the [ SingleRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Usercube's workflows that should change the assignment but the manual approval is authoritative. See the [Resource Type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. ![Workflow State: Approved - Questioned](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. See the [ SingleRoleRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Prolonged](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. 
For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp) **Found** - Will match assignments not supported by a rule. ![Workflow State: Non-conforming](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) **Historic** - Will match assignments not supported by a rule, which existed before the production launch. ![Workflow State: Pre-existing](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md new file mode 100644 index 0000000000..376ab50741 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md 
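Review bot: The typed-syntax advice in automationrule/index.md contradicts itself: "you should always use `SingleRoleAutomationRule`, rather than `AutomationRule` with `Type` set to `CompositeRole`" should read `Type` set to `SingleRole`, matching the bullet above it. In the Properties table, EntityType is marked required while its description says not to specify it for composite role, single role and resource type rules, so mark it as required only for category and policy rules. Because these rules decide in place of a reviewer, also spell out that Decision defaults to 0 (Approve) and what the HoursToWait default of -1 means, so that omitting either attribute is not read as "no automatic approval".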
@@ -0,0 +1,26 @@ +# Category + +A category is a classification of Composite Roles, Single Roles or/and +[Resource Types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). +It can be used to group multiple roles of the same context. + +## Examples + +The following example declares a new category called "Shares - Public". + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Description_L1 optional | **Type** String **Description** Describe this category in detail. | +| DisplayName_L1 required | **Type** String **Description** Display name of the category in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the category. | +| IsCollapsed default value: false | **Type** Boolean **Description** Defines if the category must be collapsed by default in the permission list of a resource (View Permissions popup and roles basket). | +| Parent optional | **Type** Int64 **Description** Represents the parent category definition. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the category is part of. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md new file mode 100644 index 0000000000..5ba56a840e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md 
@@ -0,0 +1,50 @@ +# CompositeRole + +Defines basic information about a composite role. Composite roles identify affiliations or job +functions by which users can be grouped. A composite role is a business role comprehensible by +managers. It provides a layer of abstraction above existing entitlements, technical roles and single +roles. + +Roles can be used to: + +- Grant various types and levels of access. +- Restrict access to sensitive information assets by grouping entitlements in a form that is + meaningful to the business. +- Grant the minimum privileges required by an individual to perform his/her job. + +Roles can be requested manually, or they can be configured to be assigned automatically via a +[Composite Role Rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). +To further control access, roles can be related via required, inherited, or permitted relationships. + +## Examples + +The following example declares a new composite role. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApprovalWorkflowType default value: 0 | **Type** ProvisioningPolicyApprovalWorkflow **Description** Number of validations required to assign manually the composite role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. 
| +| Category optional | **Type** Int64 **Description** Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| Description_L1 optional | **Type** String **Description** Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | **Type** String **Description** Display name of the composite role in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type whose resources can receive the composite role. | +| GracePeriod optional | **Type** Int32 **Description** Duration (in minutes) for which a lost automatic composite role is prolonged. 
The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | **Type** Boolean **Description** `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | **Type** String **Description** Unique identifier of the composite role. | +| ImplicitApproval default value: 0 | **Type** Byte **Description** Indicates if the validation steps of the composite role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| MaxDuration optional | **Type** Int32 **Description** Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the role is part of. | +| ProlongationWithoutApproval default value: 0 | **Type** ProlongationWithoutApproval **Description** Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. 
| +| R0 default value: false | **Type** Boolean **Description** `true` to set the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| Tags optional | **Type** String **Description** Tags of the roles targeted by the campaign filter. The tag separator is `�`. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md new file mode 100644 index 0000000000..8ddb692c88 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md 
@@ -0,0 +1,17 @@ +# Context + +A context is the result of the combination of all identity-related entities, for example personal +data, contracts or positions, so that all dimension values contained in a given context are valid +for a given user on a given period of time. + +Contexts define the resources' scopes of responsibility. They are used during provisioning to +simplify the application of the role model's rules based on dimensions. + +[See more information about context generation](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). + +## Properties + +| Property | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Automatic default value: false | **Type** Boolean **Description** Specifies the automatic assignments. | +| D0 optional | **Type** Int64 **Description** Dimension0 identifier, specifies the scope in which the assignment is restricted. Going from 0 to 127. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md new file mode 100644 index 0000000000..8039fe413c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md 
@@ -0,0 +1,189 @@ +# ContextRule + +A context rule configures, for the identities of a given entity type, the generation of contexts +which are used in provisioning to simplify the application of the role model's rules. + +A context rule should be created for each entity type for which we want to assign entitlements +automatically based on users' attributes. + +Without a context rule, automatic entitlements (assigned via the role model's rules): + +- cannot be assigned based on users' attributes; +- don't have specific start and end dates, so they are valid from the resource creation until its + deletion. + +[See more information about context generation](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). + +A context rule can be configured with +[record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +in situations where a user needs to be modeled by several contexts over time or simultaneously. + +Without record sections, a context rule can generate only one context per user. This means that +users cannot have more than one contract, or position, at a time, and that data changes cannot be +anticipated. + +## Examples + +The following example generates contexts, i.e. sets of dimension-value pairs, for users from +`Directory_User` as resources of `Directory_User:Records`. + +Both the start and end dates of the future contexts are defined with C# expressions based on users' +contract and position start/end dates. + +All contexts are to be made of the properties specified by the bindings `B0` to `B7`. + +``` + + + +``` + +### ExcludeExpression + +The following example is similar to the previous one, except that we choose to exclude users +declared as "draft" from the role model and provisioning calculations. 
+ +``` + + + +``` + +This option can exclude workers who are not validated yet, or who have left the company, for +example. + +### RiskFactorType + +The following example is similar to the previous one, except that we force the final risk score of a +user to be the maximum value of all their risk scores. + +``` + + + +``` + +### Role mining + +Context rules also contain some parameters for +[role mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md). + +Users are distributed in a hypercube made of all dimensions, like in the following table (left) when +we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' possible locations, and +`A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension +and sorting the dimension values per user percentage, we get the following table (right). + +![Role Mining Tables](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp) + +The tables here represent a simple situation with few dimensions. But the higher the number of +dimensions, the more complex are role mining's computations. This is known as the curse of +dimensionality. + +The following example is similar to the first one, except that we customize some role mining +parameters which help tackle the curse of dimensionality: + +- `MinIdentitiesCount` establishes that the role mining's engine will generate a role assignment + rule only when the rule is applicable to at least 5 users; +- `ReductionOutlierPercentage` establishes that the role mining's engine will consider the last 2.0% + dimension values (from `Y` to `Z` in the table above) to be grouped together in a single category + "Others". 
+ + The definition of the outlier percentage is particularly useful when managing, for example a + services company with thousands of distinct organizations, where many organizations contain only + one or two users. We can safely choose to group into a single fictitious organization the 2% of + all users that involve the smallest organizations. + +``` + + + +``` + +### Certification items + +Unlike `ResourcesStartBinding` and `ResourcesEndBinding`, `ResourcesStartExpression` and +`ResourcesEndExpression` cannot be used to define the resources to include in the related +certification campaigns. Thus, when needing to define which resources to include with more than +start/end bindings, add a comparison based on `ResourceCertificationComparisonBinding`, +`ResourceCertificationComparisonOperator` and `ResourceCertificationComparisonValue`. + +The following example includes in certification campaigns only the resources that have their +`IsActivePosition` property set to `1`. + +``` + + + +``` + +**Note:** must be configured together with the other `ResourceCertificationComparison` properties. +**Note:** when not specified, certification items are defined by `ResourcesStartBinding` and +`ResourcesStartBinding`. 
+ +## Properties + +| Property | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | **Type** Int64 **Description** Binding of the dimension 0 (up to 3V in [base32hex](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)). The dimension can then be used in rules to filter the rules' targets. | +| DisplayName_L1 required | **Type** String **Description** Display name of the context rule in language 1 (up to 16). | +| ExcludeExpression optional | **Type** String **Description** C# expression that defines the resources to exclude from context generation, because they should not be part of the role model and provisioning calculations. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Identifier required | **Type** String **Description** Unique identifier of the context rule. | +| MinIdentitiesCount default value: 0 | **Type** Int32 **Description** Minimum number of identities to take into account to generate a rule by the role mining engine. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| ReductionOutlierPercentage default value: 0.0 | **Type** Float **Description** Proportion of identities that are grouped together by role mining to aggregate all the small entities in one "other" category. This is used to speed up the mining process as the number of groups can be greatly reduced. | +| ResourceCertificationComparisonBinding optional | **Type** Int64 **Description** Binding of the property whose value is to be compared to `ResourceCertificationComparisonValue` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonOperator optional | **Type** QueryComparisonOperator **Description** Operator of the comparison that specifies the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonValue optional | **Type** String **Description** Value to be compared to the value of `ResourcesCertificationComparisonBinding` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. 
And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourcesBinding optional | **Type** Int64 **Description** Binding that represents the entity type of the contexts to be created from the `SourceEntityType`. It can also be defined via `ResourcesExpression`. | +| ResourcesEndBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the end of validity for all [properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md#properties) of the context. It can also be defined via `ResourcesEndExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesEndExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the end of validity for all [properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md#properties) of the context. It can also be defined via `ResourcesEndBinding`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesExpression optional | **Type** String **Description** Expression based on `SourceEntityType` that defines the entity type of the contexts to be created. It can also be defined via `ResourcesBinding`. 
[See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| ResourcesStartBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the beginning of validity for all [properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md#properties) of the context. It can also be defined via `ResourcesStartExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesStartExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the beginning of validity for all [properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md#properties) of the context. It can also be defined via `ResourcesStartBinding`. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [record sections](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| RiskFactorType optional | **Type** RiskFactorType **Description** Operator used to aggregate a user's risk scores together to compute the user's global risk score. `0` - **None**. `1` - **Max**: a user's final risk score is the maximum value among all their risk scores. `2` - **Average**: a user's final risk score is the average value of all their risk scores. 
| +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md new file mode 100644 index 0000000000..a00d1493da --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md 
@@ -0,0 +1,23 @@ +# Provisioning + +This section describes different entities that manages the process of granting, changing, or +removing user permissions to systems, applications and databases based on the security policy. + +- #### [AutomationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +- #### BulkChange +- #### [Category](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +- #### [CompositeRole](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +- #### [CompositeRoleRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md) +- #### [Context](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md) +- #### [ContextRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +- #### [IndirectResourceRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md) +- #### [MiningRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +- #### [Policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +- #### [RecordSection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +- #### [ResourceClassificationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +- #### 
[ResourceCorrelationRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +- #### [ResourceType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +- #### [Risk](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +- #### [RoleMapping](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +- #### [SingleRole](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +- #### [SingleRoleRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md new file mode 100644 index 0000000000..ed7cbd50ba --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md 
@@ -0,0 +1,69 @@ +# MiningRule + +After roles are assigned to users, Usercube can use mining rules to perform role mining. Role mining +means that Usercube analyzes existing assignments in order to suggest +[single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +which will assign +[single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +to certain users matching given criteria. + +The +[role mining task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +replaces the existing single role rules in the specified rule policy with the new generated ones. + +## Examples + +The following example set of mining rules targets the roles owned by users from `Directory_User`. +These mining rules are part of the `Default` policy while the role assignment rules are to be +generated to be part of the `Mining` policy. + +The following rules have a different impact whether they are applied individually, or all together. +Indeed, during role mining, the first mining rule of type `Required` applies to given roles with a +given precision, then the second mining rule applies to a larger group of roles but only to those +still with no linked single role rules. + +- The first rule will generate required rules (i.e. automatic assignments) for sensitive assignments + that require 2 or 3 validations, with a high precision (via `PrecisionMinPercentage` and + `FalsePositiveMaxPercentage`). + + ``` + + + + ``` + +- The second rule will generate required rules (i.e. automatic assignments) for all assignments, + with a lower precision. + + ``` + + + + ``` + +- The third rule will generate suggested rules (i.e. assignments listed as suggested in users' + permission baskets) for all assignments, with an even lower precision. 
+ + ``` + + + + ``` + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | **Type** Int64 **Description** Identifier of the category containing the roles targeted by role mining's analysis. | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the owners of the roles targeted by role mining's entitlement analysis. | +| ExcludeRole default value: false | **Type** Boolean **Description** `true` to ignore the specified roles during the mining process triggered by the next mining rules (in terms of priority). | +| FalsePositiveMaxPercentage default value: 0.0 | **Type** Float **Description** Maximum authorized percentage of false positive assignments, i.e. roles that are assigned to users who should not have them. NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring two validations. | +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring zero validations. 
| +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring one validation. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring three validations. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the mining rule is part of. | +| PrecisionMinPercentage default value: 100.0 | **Type** Float **Description** Minimum authorized percentage of correct role assignments, considering both the roles that are assigned to users who should have them, and the roles that are not assigned to users who should not have them. NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| Priority default value: 0 | **Type** Int32 **Description** Priority order of the mining rule. Usercube applies mining rules one after the other in descending order. **Info:** a mining rule can generate single role rules only for the single roles that were not already associated with a single role rule by another mining rule during the same role mining task. | +| RulePolicy optional | **Type** Int64 **Description** Identifier of the policy that the generated single role rules are to be part of. **Note:** NETWRIX recommends using a policy dedicated to role mining in order not to remove existing assignment rules. | +| RuleType default value: 0 | **Type** Int32 **Description** Represents the type of the generated single role rules. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is `Suggested`. 
`2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md new file mode 100644 index 0000000000..22231b4fcd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md 
@@ -0,0 +1,190 @@ +# RecordSection + +Record sections shape identity data for a given entity type, by grouping properties into sections, +for example personal data, contract or position. + +Record sections impact the generation of identities' contexts which contain users' dimension values +valid on a given period of time. The aim is to simplify the application of the role model' rules for +provisioning. + +Thanks to this data organization in sections, the identities of a given entity type can be modeled +by more than one context over time, even simultaneously. This means that users can have more than +one contract, or position, at a time, and that data changes can be anticipated. + +[See more details about identity modeling](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). + +**Configuration recommendations:** + +As record sections cannot be configured without a +[context rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md), +NETWRIX recommends starting with the configuration of the context rule before configuring record +sections. + +NETWRIX recommends defining at least two record sections: a default section for the properties +shared by all records, and another section for a given set of properties which differentiate between +records. The default section must contain zero properties, the shared properties are those that are +not defined in the other section(s). + +For example, to model several positions for a single user, we configure the default record section +to contain the properties shared by all positions such as personal data, and we configure the +position section to contain the properties specific to each position. Similar to the position +section, we can also typically configure a section for contracts. 
+ +## Examples + +The following example models users from the `Directory_User` entity type with three sets of +properties: user properties, contract properties and position properties. All created records will +be resources from the `Directory_UserRecord` entity type. + +The properties from the contract (or position) section are the properties specific to each contract +(or position). The properties from `Directory_User` that are not specified in the record sections +are the properties shared between all records, here user properties. + +Each section must be defined with start and end dates, so that Usercube's engine is able to combine +all periods of validity and apply the rules with the right input at any time. + +``` + +Default section: + ... + + +Contract section: + ... + + +Position section: + ... + + +``` + +### InstanceKeyExpression + +The following example computes a unique key for each record section instance. This way, we can +distinguish between contracts thanks to their identifiers, same for positions, and between user +property sets thanks to a C# expression based on the start date. + +``` + +Default section: + + +Contract section: + ... + + +Position section: + ... + + +``` + +An instance key is required when we need to uniquely identify a context, i.e. when we may have +several simultaneous contexts. + +For example, an instance key is required for the position section when users can have overlapping +positions. + +### IsDefaultBoundariesSection + +The following example uses the contract start/end dates as default boundaries in users' +[validity period](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md), +instead of those from the default section. It may be because, for example, HR services do not enter +an end date for the personal data of users on permanent contracts. So we prefer to use the start and +end dates of their contracts. + +``` + +Contract section: + ... 
+ + +``` + +### Context extension + +There can be some time gap where no context is defined, for example a time gap with a position but +no contract or vice versa. Usercube offers the possibility to choose whether an existing context is +to be extended to the period without context. And in case we decide to use another context and +extend its values, which context should it be? + +![Schema - ExtensionKind](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp) + +Here, we decide to extend an existing contract to the gap, for example because users' email +addresses are built using the contract type to add `-ext` for external users. And we decide to not +extend the position. + +In the following example, the contract section uses `SortKeyExpression` to establish between +existing contracts a priority order that will determine which contract should be extended to the +gap. Based on this C# expression that returns a value `A`, `B` or `C`, the `ExtendedSortKey` +considers as extendable only the contract(s) whose expression returns `C`. + +The position section uses `ExtensionKind` set to `None` to block the extension mechanism. + +``` + +Contract section: + ... + + +Position section: + ... + + +``` + +When not specifying any sort key nor extended sort key, Usercube will select a context to extend to +the gap. However, it may not be functionally the most meaningful context. 
+ +## Properties + +| Property | Details | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BoundaryKind default value: 0 | **Type** RecordBoundaryKind **Description** Defines how the section dates are computed for a resource, when the current start/end dates are null. `0` - None: start date and end date are equal respectively to the minimum value of `StartProperty` and maximum value of `EndProperty` when comparing the default sections of all records. `1` - Kept: start and end dates are equal respectively to the default start date (1900/01/01 00:00:00) and end date (2079/06/06 00:00:00). **Info:** the boundary has no effect on the default section which is the reference to compute the default dates in other sections. When the default section's start/end dates are null, then they equal the default start/end dates. | +| DisplayName_L1 required | **Type** String **Description** Display name of the section in language 1 (up to 16). | +| EndProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the end of validity for all [properties](#properties) of the section. It cannot be a property computed by an `EntityPropertyExpression`. 
| +| ExtendedSortKey optional | **Type** String **Description** Value used as a threshold for `SortKeyExpression` values to determine whether the property values of a given record section can be extended from a context where the values are defined to another context where no properties from the section are defined. This extension is enabled only when the value of `SortKeyExpression` of the section is higher (with an ordinal comparison) than `ExtendedSortKey`. | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the section's property values can be extended (copied) from a context where the properties are defined to another context where no properties from the section are defined. `0` - Default: the section's property values can be extended. `4` - None: the section's property values cannot be extended. | +| Identifier required | **Type** String **Description** Unique identifier of the section. | +| InstanceKeyExpression optional | **Type** String **Description** Expression returning a key to uniquely identify a context, i.e. distinguish between job positions for example when users can have several concurrent positions, or between contracts. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| IsDefaultBoundariesSection default value: false | **Type** Boolean **Description** `true` to use the start/end dates of this section as the default boundaries, i.e. the start/end dates of users' [validity period](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md). When no section has `IsDefaultBoundaries` set to `true`, the default section (the one without properties) is automatically selected. | +| ResourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the multiple records to be created. 
| +| SortKeyExpression optional | **Type** String **Description** C# expression used to compute a value for each record, to be used as a priority, following an ordinal comparison. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). When a record section has `ExtensionKind` set to `Default` and a priority value higher than `ExtendedSortKey`, then the record property values can be extended from a context where the values are defined to another context where no properties from the section are defined. | +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | +| StartProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the beginning of validity for all [properties](#properties) of the section. It cannot be a property computed by an `EntityPropertyExpression`. | + +## Child Element: Property + +A record section is a set of record properties which belong to the resource entity type. + +### Examples + +In the following example, the position section gathers the properties `Organization`, `Location` and +`Title`, while the default section gathers all the other properties from `Directory_UserRecord`. + +The property `Location` can be extended from a context where the location is defined to a context +where it is not. The two other properties cannot be extended. + +See more details about record extension. 
+ +``` + +Default section: + + + +Position section: + + + + +``` + +### Properties + +| Property | Details | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the property value can be extended (copied) from a context where the section properties are defined to another context where no properties from the section are defined. `0` - Default: the property value can be extended. `4` - None: the property value cannot be extended. **Note:** a property value can be extended only if the section is extendable too. | +| IsExcluded default value: false | **Type** Boolean **Description** Excludes the given property from the section. This is used only in the default section to remove properties such as the RecordIdentifier that are always different between all the records and that are thus not interesting for the provisioning rules. | +| Property required | **Type** Int64 **Description** Identifier of the property from the record section's `ResourceEntityType` that is to be part of the section. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md new file mode 100644 index 0000000000..79da2af5b3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md 
@@ -0,0 +1,25 @@ +# ResourceClassificationRule + +In Usercube, this type of rule is used to classify the resources based on a C# expression. + +## Examples + +The following example declares a rule to classify the Active Directory accounts based on the dn +values. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Represents the resource type definition. | +| ResourceTypeIdentificationConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the confidence level used to match the resources. | +| SourceMatchedConfidenceLevel default value: false | **Type** Boolean **Description** Defines the confidence level used to match the sources. | +| TargetExpression optional | **Type** String **Description** Defines the C# expression used to classify the resources. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md new file mode 100644 index 0000000000..0f5157b834 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md 
@@ -0,0 +1,58 @@ +# ResourceCorrelationRule + +A correlation rule is used to +[correlate](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +the resources, i.e. link resources to their owners. + +## Examples + +#### Correlation based on unchanged attributes + +The following example creates an Active Directory correlation rule based on the mail property: + +``` + + + +``` + +#### Correlation based on attributes changed by a function + +The following example copies the previous example (based on unchanged attributes), but using a +predefined function (`ToLower`) in source and target bindings' expressions, to compare the email +attributes: + +``` + + + +``` + +A +[list of predefined functions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) +is available. + +#### Correlation based on attributes within a C# expression + +The following example creates an Active Directory correlation rule based on the comparison between +the AD's simplified display name and an expression from the external system: + +``` + + + +``` + +This example also uses a confidence rate equals to 80%. + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Identifier of the resource type. | +| SourceBinding optional | **Type** Int64 **Description** Binding property from the source system. | +| SourceExpression optional | **Type** String **Description** Binding expression based on properties from the source system. 
[See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| SourceMatchedConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the correlation confidence rate of this rule. If the value is less than 100, we process a manual review step to confirm the choice. | +| TargetBinding optional | **Type** Int64 **Description** Binding property from the target system. | +| TargetExpression optional | **Type** String **Description** Binding expression based on properties from the target system. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md new file mode 100644 index 0000000000..2f2781257b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md 
@@ -0,0 +1,677 @@ +# Resource Type + +In Usercube, a resource type is a conceptual model used to categorize resources. It groups together, +with a meaningful name, resources sharing the same intent and the same authorization system. +Resource types are assigned directly to a resource rather than mapped to a role. A resource type can +be assigned manually, or configured to be assigned automatically via a resource type rule. + +## Examples + +The following example declares a new resource type to provision the LDAP service accounts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### ArgumentsExpression + +This option is used to use provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an InternalWorkflow connection +cannot contain expressions, a resource type can be configured with the ArgumentsExpression attribute +to explicit the arguments of provisioning orders, based on conditions and variables. See the +[InternalWorkflow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) +topic for additional information. + +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. 
Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. + +The following example computes the identifier of the record to copy, if the identity has already +any: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); +  if (resources.Any()) { +    arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); +  } +}   +return arguments;" /> +``` + +### DependsOn + +This option is used to configure another resource type as prerequisite for this resource type. + +For example, a Microsoft Exchange account requires the email address of a related Active Directory +account. + +In this case, we want to configure the Exchange Account resource type so that a user cannot own an +Exchange account when they do not own an AD account. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an Exchange account when the user does not own an AD +nominative account. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### DependsOnOwnerProperty + +This option is used to configure a property as prerequisite for the resource type. + +Consider an Active Directory administrator account which should be able to perform manual +provisioning to ServiceNow. Then it requires the random identifier computed by ServiceNow. 
+ +In this case, we want to configure the AD_Entry_AdministrationUser resource type so that a user +cannot own an AD administrator account when they do not have an identifier in ServiceNow. + +**NOTE:** The DependsOnOwnerProperty of a resource type should only refer to scalar values that are +part of the properties of the SourceEntityType. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an AD administrator account when the user does not have an +identifier in ServiceNow. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### DiscardManualAssignments + +This option is used to set Usercube as authoritative following a manual change in a managed system. + +Suppose a resource type managing the provisioning of Active Directory nominative accounts based on +users data in Usercube (Directory_User). Suppose a scalar rule that provisions the AD's sn property +based on users' last names. + +The following scenario is about a user named Cedric Blanc, whose AD's sn property is set by the +scalar rule to Blanc. + +![Example - State 0](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp) + +Let's see what happens when the user's name is changed manually directly in the AD. + +Suppose that we change in the AD the last name to White. As the scalar rule computes the sn value +based on the user's data which still states the last name Blanc, such a change induces a difference +between the value calculated by the rule and the actual value in the AD. This difference is spotted +by the next synchronization, triggering a non-conforming assignment on the Resource Reconciliation +page. 
+ +![Example - State 1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp) + +![Example - Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp) + +![Example - Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step2_v602.webp) + +Once this manual new value is confirmed, the property is stated as **Approved**. + +![Example - State 2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp) + +Now suppose that the user's last name is changed to Black via Usercube's workflows. As the source +data is changed, the scalar rule computes a new value for sn. There are two options: + +- The default configuration (DiscardManualAssignments set to false) considers manual assignments, + i.e. changes made directly in the managed system, as authoritative. So there will be no + provisioning of the newly computed value for sn. The current sn value that was written manually in + the AD stays as is, no matter the changes in the source data (here the user's last name). Usercube + only states the property's value as Questioned. + + ![Example - State 3](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state3_v602.webp) + + **NOTE:** No change in the source data can affect the property's value. However, any manual + change made in the managed system will trigger a non-conforming assignment. 
Then, reconciling + the property by choosing to keep Usercube's suggested value will make the property's value go + back to Calculated and thus follow the changes in the source data. + + **NOTE:** If DiscardManualAssignments is changed from False to True, then the state of the + property's value does not matter. Usercube applies the rules of the role model, and generates a + provisioning order to overwrite the manual change White with the newly computed value Black. + + ![Example - State 4](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp) + +In this scenario for Cedric Blanc, these behaviors can be summed up like the following: + +![Schema for DiscardManualAssignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp) + +### Correlate Multiple Resources + +With the **Correlation Multiple Resources** option, Usercube can link a single owner to several +existing target objects of the same resource type. This setting can be used in conjunction with the +**Suggest all resources** option to fine tune the behavior. + +Below, we illustrate the different scenarios that are possible, taking into consideration whether a +resource type has previously been correlated to the owner or not. + +![suggestallcorrelations-nnn](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is no Resource already correlated so the first match with the highest confidence rate is + **Correlated** if it is `>100` or **Suggested** if it is `<100`. As for all other matches with + lower confidence rate they will be ignored. 
+ + ![suggestallcorrelations-nnn2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp) + + If there are no Resources to be correlated with a confidence rate `>100`, the ones below with + confidence rate below 100 are Suggested or Ignored. + + ![suggestallcorrelations-nny](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is one Resource already correlated so due to this all future correlations will be ignored. + + ![suggestallcorrelations-nyn](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** is **Yes** + there is no Resource already correlated so all Resource Types will be **Suggested**. + + ![suggestallcorrelations-nyy](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** is **Yes** + there is one Resource already correlated so the Resource Types that have a confidence rate `>100` + will be **Suggested**. As for all other matches with lower confidence rate they will be ignored. 
+ + ![suggestallcorrelations-ynn](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** is **No**, + and there is no Resource already correlated so Resource Types that have a confidence rate `>100` + will be **Correlated** and the ones `<100` will be **Suggested** if there are no higher matches + otherwise they will be ignored. + + ![suggestallcorrelations-ynn2](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp) + + If there are no Resources to be correlated with a confidence rate `>100`, the ones with + confidence rate below 100 are Suggested. + + ![suggestallcorrelations-yny](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** is **No** + there is one Resource already correlated so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be ignored. + + ![suggestallcorrelations-yyny](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** is **Yes** + one Resource could be already correlated or not so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be **Suggested**. 
+ +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAdd default value: true | Boolean | Enables Usercube to automatically create new resources in the managed system when their owners are given the right entitlements. Otherwise, resource managers must create resources manually directly in the managed system. | +| AllowRemove default value: true | Boolean | Enables Usercube to automatically deprovision resources in the managed system when their owners are deprived of the right entitlements. Otherwise, Usercube is able to delete resources in the managed system only with a manual approval on the Resource Reconciliation screen. | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Indicates the number of validation to give to a role given manually (from None to Three). The value ManualAssignmentNotAllowed is used when a manual assignment cannot be performed. Netwrix recommends using ManualAssignmentNotAllowed for all resource types. 
| +| ArgumentsExpression optional | String | C# expression used to compute the arguments of provisioning orders, for example a workflow identifier, in a situation where it is not obvious. The aim is to enable an InternalWorkflow connector to fulfill correctly a virtual managed system by launching the right workflows based on a given provisioning order. This expression must return a dictionary of string. ArgumentsExpression is useful only when provisioning via the following packages: Active Directory, Apache Directory, Generic LDAP, Open LDAP, Oracle LDAP, Red Hat Directory Server and Workflow. | +| BlockProvisioning default value: true | Boolean | True to block the provisioning policy orders. | +| Category optional | Int64 | Resource type category. | +| CorrelateMultipleResources default value: false | Boolean | True to extend the QueryRule/CorrelationRule to match as many target resources as possible (no blocking like this is normally the case). | +| DependsOn optional | Int64 | Identifier of another resource type that must be provisioned for a given identity before the current resource type can be provisioned for said identity. | +| DependsOnOwnerProperty optional | Int64 | Identifier of one of the owner properties that must be filled before the current resource type can be provisioned for said identity. | +| Description_L1 optional | String | Describe this resource type in detail. | +| DiscardManualAssignments default value: false | Boolean | True to always allow the provisioning of a new property value, i.e. re-computed by a provisioning rule after a change in the source data, no matter the property's current workflow state. Set to false, any manual change of a property's value made directly in the target system will be "protected" (only after the change is approved in Usercube in Resource Reconciliation). It means that a future change in the source data will not trigger the provisioning of the new value to the target system. 
Instead, Usercube will keep the value of the manual change, and state the value as **Questioned**. This option should be set to true when: \* using multiple authoritative sources and the latest value should be provisioned; \* a source system is not often synchronized to Usercube but should stay the authoritative source. | +| DisplayName_L1 required | String | Display name of the resource type in language 1 (up to 16). | +| FulfillHoursAheadOfTime default value: 0 | Int32 | Anticipate resource fulfill order hours ahead of they start time. It is helpful for manual fulfillment and/or long fulfillment process. It differs from TimeOffset because the start date of the resource to fulfill is not impacted. | +| HideOnSimplifiedView default value: false | Boolean | True to hide this resource type in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Unique identifier of the resource type. | +| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the resource type can be skipped. 0 - Inherited: implicit approval value in the associated policy. 1 - Explicit: all the workflow steps must be approved. 2 - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ManualAssignmentEndDateLockedToContextMode default value: inherited | RoleManualAssignmentEndDateLockedToContextMode | Inherited (default value) it uses the policy's ManualAssignmentEndDateLockedToContextMode value. The values are: - **Explicit, by default not context bound**: By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date - **Explicit, by default context bound**: By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 
- **Never**: The assignment's end date will never be locked and needs to be specified manually - **Always**: The assignment's end date is always locked according to the applicable context rule. | +| MaximumDelete default value: 0 | Int32 | Deleted lines threshold. Sets the maximum number of resources that can be removed from the resource type when running the provisioning job. | +| MaximumDeletePercent default value: 30 | Int32 | Deleted lines threshold in percent. | +| MaximumInsert default value: 0 | Int32 | Inserted lines threshold. Sets the maximum number of resources that can be added into the resource type when running the provisioning job. | +| MaximumInsertPercent default value: 30 | Int32 | Inserted lines threshold in percent. | +| MaximumUpdate default value: 0 | Int32 | Updated lines threshold. Sets the maximum number of resources that can be modified within the resource type when running the provisioning job. | +| MaximumUpdatePercent default value: 30 | Int32 | Updated lines threshold in percent. | +| P0 default value: false | Boolean | True to indicate that the resource type is parametrized, i.e. there is at least one type rule configured to assign the resource type based on the dimension 0 (up to 3V following the base32hex convention). See the [ Base32 Parameter Names ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| Policy required | Int64 | Identifier of the policy that the resource type is part of. | +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the resource type can be extended without any validation. 0 - Inherited: gets the value from the policy. 1 - Enabled. 2 - Disabled. | +| R0 default value: false | Boolean | True to set the dimension 0 (up to 3V following the base32hex convention) as a required parameter when assigning the resource type. 
See the [ Base32 Parameter Names ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| RemoveOrphans default value: false | Boolean | True to authorize the deprovisioning of this resource when it does not have an owner. Can only be true when AllowRemove property is also true. | +| SourceEntityType required | Int64 | Identifier of the source entity type. | +| SuggestAllCorrelations optionalAttribute | Boolean | Allows correlation suggestions for rules with a confidence rate below 100, even if other correlations with a confidence rate above 100 have been found. | +| TargetEntityType required | Int64 | Identifier of the target entity type. | +| TransmittedStateValidityPeriod default value: 0 | Int32 | Time period (in minutes) after which fulfillment orders in Transmitted/Executed states are automatically set in Error state. - when provisioning automatically, then set 1, 2 or 3 times the period between two synchronizations. - when provisioning manually and synchronizing regularly, then set around 15 days. - when provisioning manually with few synchronizations, then don't set it. | + +## Child Element: BinaryRule + +A ResourceBinaryRule allows to specify the file that must be set to an assigned resource binary +property. It is defined by a child element `` of the `` element. The +source file should already be synchronized and stored inside and reference as an EntityType +property. + +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        ... 
+       +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression to get the file property. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the property used to represent the file on the target EntityType. | +| SingleRole optional | Int64 | Identifier of the single role. The single role must be assigned to the owner so that the file can be provisioned on the resource. See the [ SingleRole ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for additional information. | +| TimeOffsetAfterReference default value: 0 | Int32 | Defines the offset after reference (in minutes). | +| TimeOffsetBeforeReference default value: 0 | Int32 | Defines the offset before reference (in minutes). 
| +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. in a situation with several binary rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: NavigationRule + +A navigation rule computes the value of a given navigation property for target resources, based on +the properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to query rules, navigation rules assign +resources regardless of the attributes of source resources. + +A navigation rule is defined by the child element `` of the `` +element. + +**NOTE:** Both navigation and query rules compute navigation properties. The value of one navigation +property should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. 
+ +### Examples + +Computation based on other properties + +The following example declares a new rule to give the SG_APP_SharePoint_HR_Owner group to all users +who had the SharePoint_HR_Owner role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following rule will set users' Active Directory nominative account in the +CN=SG_APP_DL-INTERNET-Restricted,OU=Applications,DC=acme,DC=internal group for people having the +DL-INTERNET-Restricted role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Parametrized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parametrized +roles. See the +[ Configure a Parameterized Role ](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md)topic +for additional information. + +This optimization will simplify the functional understanding of the role catalog, and speed up +Usercube's calculations. + +Supposing that the 10th dimension (dimension A following the base32hex convention) is created for +time slots, the following example creates a single role Access/A_Brune_HR for all time slots. Each +time-slot-related entitlement will be assigned to users by configuring one navigation rule per +entitlement, using the dimension as a required parameter. See the +[ Dimension ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +and +[ Base32 Parameter Names ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)topics +for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +             +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to compute the navigation property for users whose country is France. Specifying at least one dimension makes the linked role parametrized. | +| IsDenied default value: false | Boolean | True to forbid the resource assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. 
| +| Resource required | Int64 | Identifier of the resource to be assigned as a value of the impacted navigation property. Said resource must be part of the entity type that the navigation property points to. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the property computation. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several navigation rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Usercube stores all computed values. 
Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: QueryRule + +A query rule computes the value of a given navigation property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to navigation rules, query rules assign +resources to target resources according to a query via a C# expression with conditions, based on the +attributes of the source resources. See the +[ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) +topic for additional information. + +A query rule is defined by the child element `` of the `` element. + +Both navigation and query rules compute navigation properties. The value of one navigation property +should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example declares a new rule to compute the parent distinguished name for guest users. +Here we do not use source properties, but a literal expression for all guest users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+     + +``` + +### Properties + +| Property | Type | Description | +| --------------------------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. | +| SourceBinding optional | Int64 | Binding of the property from the source entity type to be compared with the target binding/expression, in order to find a matching resource to be the value of Property. | +| SourceExpression optional | String | C# expression to compare with the target binding/expression in order to compute the value of Property with the matching resource. See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. 
| +| TargetBinding optional | Int64 | Binding of the property from the entity type pointed by Property, which will be the value of Property if it matches the source binding/expression. | +| TargetExpression optional | String | C# expression to compare with the source binding/expression in order to compute the value of Property with the matching resource.See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. The TargetExpression must contain at least one target property, it cannot be a literal expression. | +| TargetMatchedConfidenceLevel default value: 0 | Int32 | Percentage rate expressing the confidence in the rule according to data quality and sensitivity. Usercube considers the rules in descending order of confidence rate, the first matching rule is applied. 0 to 99: imposes that a resource manager reviews the property computation on the Resource Reconciliation page. 100 to 150: computes the property automatically. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | TypeDescriptionOffset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 
2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several query rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Usercube stores all computed values. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: ScalarRule + +A scalar rule computes the value of a given scalar property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. + +A scalar rule is defined by the child element `` of the `` element. + +See the +[ Compute a Scalar Property ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example shows two scalar rules. The first one computes users' emails based on AD +values. The other one contains a C# expression to compute AccountExpires. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +       +     + +``` + +The next example computes the firstName property of a App1_Account from the resource type +App1_Standard_Account, indicating that it must be equal to the firstName of the source resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+     + +``` + +Computation via a literal expression + +The following example translates to "the userAccountControl property of a App1_Account of resource +type App1_Standard_Account must be equal to 66048. It uses a literal expression. See the +[ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Binding + +The Binding attribute complies with the binding expression syntax or the calculation expression +syntax. So, it can use the C# language to specify a more complex binding. See the +[ Bindings ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/bindings/index.md) and +[ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) +topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +IsMapped + +Consider a system that we want to connect to Usercube , let's call it SYST, using a title property. +Consider also that SYST needs to be provisioned with the value of title, but does not allow any +other system to retrieve the said value. + +In this case, we set `IsMapped` to false so that Usercube sends the adequate provisioning order when +needed, and then is able to change the provisioning state to **Executed** without synchronization. +See the +[Provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md)[ Synchronize Data ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +topic for additional information. 
+ +The following example computes users' title in a given managed system, based on Usercube's +`PersonalTitle` property without ever retrieving the value: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +TimeOffset + +A scalar rule is applied according to reference start and end dates (configured through record +sections and context rules), usually users' arrival and departure days. It means that, for a user +matching the rule's criteria, a property is to be computed, by default, from the user's arrival day +until their departure day. See the +[ RecordSection ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +and +[ ContextRule ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +topics for additional information. + +![Schema - Default Application Period](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp) + +A time offset adjusts the period for which the rule applies and computes a property's value. + +The following example impacts the property for the activation of nominative AD accounts: + +- The first rule deactivates the account from its creation, i.e. 1 month before the user's arrival + day, until the arrival day; +- The second rule activates the account from the user's arrival day until their departure; +- The third rule deactivates the account from the user's departure day and until its deletion, i.e. + 6 months after the departure day. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                ... 
+ +``` + +![Schema - Offset Application Period](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp) + +If the time period of property computation exceeds the limits of the period of resource type +assignment, then the period of resource type assignment is extended accordingly. + +Note that the rules are applied in a specific order according to their offset reference: After, +Before, Around and Default. Each rule overwrites pre-existing values. Thus in case of overlapping +rules, Default-offset rules overwrite the values of Around-offset rules, which overwrite the values +of Before-offset rules, which overwrite the values of After-offset rules. We could have the +following: + +![Schema - Overlapping Offsets](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp) + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression. | +| ComparisonType default value: 0 | ComparisonType | Defines the comparison type for the computed value, when Usercube retrieves it from the managed system during synchronization, and compares it to the value stored in Usercube's database. 0 - CaseSensitive: compares words exactly as they are. 1 - IgnoreCase: ignores the difference between upper and lower case. 2 - IgnoreDiacritics: considers all letters with diacritics (é, à, ç) to be equivalent to their base letters (e, a, c...). 3 - Simplified: ignores diacritics, case and characters which are not letters. 4 - Approximate: does the same as Simplified but also ignores some spelling mistakes. Some letters are considered equivalent (Z and S, Y and I, W and V, K and C, SS and C). All H can be missing. A T, D or S can be missing at the very end. Finally, it ignores all duplicate letters (other than SS). There is no comparison for unmapped properties (IsMapped set to false). 
| +| Expression optional | String | Expression used to compute the target property specified in Property. See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. for C# expressions, Usercube provides an implicit variable called "assignment" that contains basic information about the linked assigned resource type, i.e. StartDate, EndDate and ParametersValues. | +| IsMapped default value: true | Boolean | True to use the scalar rule's computation to both provision the managed system and synchronize the property back to Usercube, thus both create and update. Otherwise, the scalar rule's computation is used only to provision the managed system and the property will be ignored during synchronization, thus create only. This way the property can never be displayed as non-conforming. IsMapped is usually set to false in order to adapt the configuration to the constraints of the managed system, when Usercube does not retrieve and/or update the property value. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the scalar property to be computed. | +| SingleRole optional | Int64 | Identifier of a single role that users must have to trigger the property computation. scalar rules must not be dependent on dimensions or role as far as possible as, according to Usercube, a good rights policy must be based on group membership and not on mono-valued properties. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. 
A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. in a situation with several scalar rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: TypeRule + +A resource type rule assigns resources to given users if they match specific criteria. These +resources are to be provisioned, i.e. written to the managed system. + +A resource type rule is defined by the child element `` of the `` element. + +**NOTE:** The specification of several resource type rules for one resource type implies the union +of all rules, i.e. the combination of all rules (and all sets of criteria) with an OR operator. + +### Examples + +With a dimension criterion + +The following rule will assign an App1_Standard_Account resource (resource of type App1_Account) to +any User whose organization dimension (dimension binded to column 0) identifier is Marketing. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... 
+ +``` + +With a single role criterion + +In addition to dimensions, a single role can be used as a criterion for a rule. + +The following rule will assign an App1_Standard_Account resource to all User whose organization +dimension identifier is Marketing and having the single role Multimedia_Designer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... + +``` + +Without any criterion + +Di and SingleRole conditions are not mandatory. A type rule with no condition entails the creation +of an AssignedResourceType, and hence of a target resource (from the target entity type), for every +source resource (from the source entity type). See the AssignedResourceType topic for additional +information. + +The following example declares a new rule to give the resource type "AD_Entry_NominativeUser" to all +users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... 
+ +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to assign the resource type to users whose country is France. specifying at least one dimension makes the linked resource type parametrized. | +| IsDenied default value: false | Boolean | True to forbid the assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the resource type assignment. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. 
A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: no offset. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several resource type rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap. two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | +| Type default value: 0 | RuleType | Represents the type of the rule. 0 - Required: the resource type is automatically assigned to users matching the criteria. 1 - Requested Automatically: the resource type is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is Suggested. 2 - Suggested: the resource type is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | 
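Review bot: In the added "Child Element: TypeRule" section, the sentence "A resource type rule is defined by the child element `` of the `` element." has two empty code spans, and each of the three example fences (dimension criterion, single role criterion, no criterion) contains only "..." with no element around it, so none of the rules the prose describes is actually shown. Restore the element names and the XML, escaping the angle brackets if the Markdown pipeline is what drops them. The no-criterion case matters most, because the text says such a rule creates a target resource for every source resource, and a reader needs to see exactly which attributes are left out to get that behaviour. Also, "dimension binded to column 0" should read "bound", and the TimeOffsetBeforeReference rows in both tables describe a period "after the reference start date", which is worth confirming against the TimeOffsetAfterReference wording.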
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md new file mode 100644 index 0000000000..8d6ae938b9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md 
@@ -0,0 +1,69 @@ +# RoleMapping + +Defines a naming rule to create a single role in a specific category based on a property. A +navigation rule will also be created by the naming rule, giving the property to the target user when +the created single role is assigned to this user. + +## Examples + +### Additional condition + +The following example uses `WhereExpression` to condition the application of the rule. + +NETWRIX recommends using this property only when the properties from the rule items do not suffice. + +Here the naming convention says that we should create a single role for each group (`memberOf` +value) whose `dn` starts with `SG_`and whose dn's second part (between two `_`) is made of three +characters. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApprovalRequired default value: false | **Type** Boolean **Description** Indicates that the generated role must be approved before being used by a policy. | +| ApprovalWorkflowType default value: None | **Type** ProvisioningPolicyApprovalWorkflow **Description** Indicates the number of validation to give to a manual role (from 0 to 3 inclusive). The value 4 is used when a manual assignment cannot be performed. | +| Category optional | **Type** Int64 **Description** Identifier of the category. | +| CategoryDisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the category display name. | +| CategoryDisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the category display name. 
[See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| CategoryIdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the category identifier. | +| CategoryIdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the category identifier. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| CommentActivationOnApproveInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. 
| +| DisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the role display name. | +| DisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the role display name. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| HideOnSimplifiedView default value: false | **Type** Boolean **Description** `true` to hide this role in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | **Type** String **Description** Identifier of the role mapping. | +| IdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the role identifier. | +| IdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the role identifier. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| ImplicitApproval default value: 0 | **Type** Byte **Description** Indicates if the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ParentCategoryIdentifierBinding optional | **Type** Int64 **Description** Defines the binding used to compute the parent category. | +| ParentCategoryIdentifierExpression optional | **Type** String **Description** References the C# or literal expression used to compute the parent category. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| Property required | **Type** Int64 **Description** Property on which the naming rule will be applied. | +| ResourceType required | **Type** Int64 **Description** Resource type on which the naming rule will be applied. | +| RolePolicy optional | **Type** Int64 **Description** Identifier of the policy used for the roles created by the naming rule. | +| WhereExpression optional | **Type** String **Description** C# expression returning a boolean, used to condition the application of the naming convention. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | + +## Child Element: Rule + +Represent the sets of conditions which will determine the enforcement of the naming rule. + +## Child Element: Item + +Represents one of the conditions used to determine the enforcement of the naming rule. + +### Properties + +| Property | Details | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------- | +| Operator default value: 0 | **Type** QueryComparisonOperator **Description** Operator used in the condition for the naming rule enforcement. | +| Property required | **Type** Int64 **Description** Property on which the condition for the naming rule enforcement is based. | +| Value optional | **Type** String **Description** Value used in the condition for the naming rule enforcement. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md new file mode 100644 index 0000000000..1e42c537c7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md 
@@ -0,0 +1,75 @@ +# SingleRole + +A single role is a way to represent an entitlement that is to be assigned to an identity. It brings +a layer of abstraction through a user-friendly name, close to the business view. + +Roles can be used to: + +- grant accesses of various types and levels; +- restrict access to sensitive information assets, by grouping entitlements in a form that is + meaningful from a business point of view; +- grant the minimum privileges required by an individual to perform his/her job. + +Roles can be requested manually, or they can be configured to be assigned automatically via +[single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +depending on identities' attributes. + +## Examples + +The following example declares a new single role in the default policy; in the category `Internet`; +for resources from `Directory_User`; with one approval needed. + +``` + + + +``` + +### Parameterized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parameterized +roles. +[See how to via the UI](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md). + +This optimization will simplify the functional understanding of the role catalog, and speed up +Usercube's calculations. + +Supposing that the 10th +[dimension](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +(dimension A following the +[base32hex convention](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)) +is created for time slots, the following example creates a single role `Access/A_Brune_HR` for all +time slots. Each time-slot-related entitlement will be assigned to users by configuring one +navigation rule per entitlement, using the dimension as a required parameter. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApprovalWorkflowType default value: 0 | **Type** ProvisioningPolicyApprovalWorkflow **Description** Number of validations required to assign manually the single role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. | +| Category optional | **Type** Int64 **Description** Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled. `1` - Optional. `2` - Required. 
`3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| D0 optional | **Type** Int64 **Description** Value that will be set for the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)) for all users with the role. | +| Description_L1 optional | **Type** String **Description** Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | **Type** String **Description** Display name of the single role in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type whose resources can receive the single role. | +| GracePeriod optional | **Type** Int32 **Description** Duration (in minutes) for which a lost automatic single role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | **Type** Boolean **Description** `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | **Type** String **Description** Identifier of the single role. 
| +| ImplicitApproval default value: 0 | **Type** Byte **Description** Indicates whether the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value from the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| MaxDuration optional | **Type** Int32 **Description** Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | **Type** Int64 **Description** Identifier of the policy in which the role exists. | +| ProlongationWithoutApproval default value: 0 | **Type** ProlongationWithoutApproval **Description** Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. | +| R0 default value: false | **Type** Boolean **Description** `true` to set the dimension 0 (up to 3V following the [base32hex convention](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| State default value: Manual | **Type** RoleState **Description** Mark that differentiates the roles analyzed in the role mining process. `0` - Manual: the role was created manually. `1` - Generated: the role was generated by a role mapping rule. | +| Tags optional | **Type** String **Description** Label(s) that can later be used to filter the target roles of access certification campaigns. The tag separator is `�`. | 
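Review bot: In the Properties table of singlerole/index.md, the Tags row ends with "The tag separator is `�`.", so the separator character was lost to an encoding error and the reader cannot tell how to delimit the tags that later filter the target roles of access certification campaigns; replace it with the intended character. Both fences under "Examples" and "Parameterized roles" are empty, although the prose describes a role in category `Internet` with one approval and a role `Access/A_Brune_HR`, so the XML needs to be restored. ApprovalWorkflowType is listed with "default value: 0" while its description uses the names `None` to `Three` and `ManualAssignmentNotAllowed`; pick one notation. For MaxDuration, state outright what happens to a role whose value is 0, since the row only says that this prevents the policy's `MaxDuration` from applying.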
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md new file mode 100644 index 0000000000..94bf5da443 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md 
@@ -0,0 +1,25 @@ +# SingleRoleRule + +A single role rule assigns a single role to users who match given criteria. + +## Examples + +The following example declares a new rule to give the single role to all the "FCT0000" users. + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CompositeRole optional | **Type** Int64 **Description** Identifier of a [composite role](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) that users must have to trigger the rule. | +| D0 optional | **Type** Int64 **Description** Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the single role to users whose country is `France`. | +| IsDenied default value: false | **Type** Boolean **Description** `true` to forbid the assignment instead of applying it. | +| L0 default value: false | **Type** Boolean **Description** `true` to activate inheritance for `D0` (up to 127). | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| Role required | **Type** Int64 **Description** Identifier of the single role to be assigned. | +| Type default value: 0 | **Type** RuleType **Description** Type of the rule. 
`0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers, these assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md new file mode 100644 index 0000000000..cf9924e1a8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md @@ -0,0 +1,3 @@ +# Reporting + +- #### [ReportQuery](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md new file mode 100644 index 0000000000..66a706bfcd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md 
@@ -0,0 +1,26 @@ +# ReportQuery + +Allows the user to define queries to generate a report in a CSV file. When creating a new +ReportQuery it is recommended to also create the linked +[MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). + +## Examples + +``` + + + + + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | --------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the report query in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Report query Identifier. | +| Query required | **Type** String **Description** The report query written following Usercube EBNF Grammar rules. | +| ReturnedEntityType required | **Type** Int64 **Description** Returned Entity Type ID. The entity type can be seen as the FROM of a sql query. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md new file mode 100644 index 0000000000..0c33483cb8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md @@ -0,0 +1,3 @@ +# Resources + +- #### [Resource](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md) 
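Review bot: In reportquery/index.md the fence under "## Examples" holds only blank lines, so the page documents no sample query, and the Query row says the value follows "Usercube EBNF Grammar rules" without linking to that grammar. Add a working example and the link; the text throughout this new identitymanager path also still names the product Usercube, which should be a deliberate choice rather than a leftover. In reporting/index.md and resources/index.md, "- #### [...]" puts a level-4 heading inside a list item directly under the level-1 title; a plain list link would render more predictably.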
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md new file mode 100644 index 0000000000..63a997ab24 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md 
@@ -0,0 +1,136 @@ +# DisplayEntityType + +The `` element sets information about how an entity type is to be displayed by +the UI. + +## Examples + +``` + + + +``` + +### Zoom on Priority + +The Priority property controls the order in which entity types are displayed in the entity type +selection dropdown of the following administration screens: + +- Role Review +- Provisioning Review +- Role Reconciliation +- Resource Reconciliation +- My Tasks (also known as Workflow Management) +- Workflow Overview +- Access Rules + +By default, the entity type with the highest priority is selected first. The end user can later +change the selection using the top-left dropdown. + +![Change Selection](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp) + +Priorities are integer values, positive or negative. The most important priority is assigned to the +lowest value. + +Entity Types with the same priority are sorted by `Identifier`, in the alphabetical order, where +relevant. + +Entity Types for which a priority isn't set by a `` configuration element are +assigned an equally less important priority than the least important priority set by a +`` element. + +**Example** + +This example shows how to define priorities between the main Entity Types of the organizational +model. The highest priority is assigned to `Directory_User` and the lowest priority to +`Directory_Application`. All other entity types are assigned an equally low priority, below +`Directory_Application`. In the dropdown they will be sorted by alphabetical order. + +``` +dashboard.xml + + +``` + +#### Priorities for workflows + +The dropdown in My Tasks (also known as Workflow Management) and Workflow Overview screens is +related to workflows, not to entity types per se. + +In Usercube, each workflow is associated with a workflow-entity type. 
+ +To configure the priority order for elements in the dropdown in these screens, the user should +remember to take the workflow-entity types in the ` + +``` + +But the order in which "Workflow for Directory_User" and "Workflow for Directory_Guest" appear in +the My Tasks screen is configured like this. + +``` +dashboard.xml + + +``` + +## Properties + +| Property | Details | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutocompleteBinding optional | **Type** Int64 **Description** Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker). | +| Color optional | **Type** String **Description** Defines the color used when displaying this entity type (it must be a 6 digit hexadecimal value, preceded by a �#'). | +| D0IsActive default value: false | **Type** Boolean **Description** Is dimension0 active for this entity type (D0IsActive to D3VIsActive following the [base32hex convention](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/parameter-names/index.md). | +| HideRoles default value: false | **Type** Boolean **Description** `true` to skip the **Access Permissions** step (the one containing the roles) in the default forms for this entity type. | +| IconCode optional | **Type** String **Description** Defines the icode code ("People", "MapPin", "Suitcase"�). | +| IsHierarchical default value: false | **Type** Boolean **Description** Is hierarchical entity type. | +| MinSearchLength optional | **Type** Int32 **Description** Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the AutocompleteBinding must be defined). 
| +| PluralDisplayName_L1 optional | **Type** String **Description** Display name of the entity type in plural in language 1 (up to 16). | +| Priority default value: 2147483647 | **Type** Int32 **Description** Sets the display priority of the Entity Type in the administration screens dropdown and the dashboard. A priority is an integer value, positive or negative. The highest priority is assigned to the lowest number. See the Priority section above. | + +## Child Element: Property + +Entity referencing the Entity properties (with which it share the same ID) that can be displayed in +the Usercube interface. + +### Properties + +| Property | Details | +| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | **Type** Int32 **Description** Add minutes to the date field with this property. Can be overwritten in every form control, display table column or tile item that displays the property. | +| AutocompleteBinding optional | **Type** Int64 **Description** Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker if the input type of the display property is a picker). | +| DisplayOrder default value: 0 | **Type** Int32 **Description** Defines the property display order. | +| DisplayTable optional | **Type** Int64 **Description** Identifier of the display table. | +| Format optional | **Type** String **Description** Defines a formating method on the property values ("ParseSince1601Date", "ToStringUserAccountControl", "FormatDate" and "ParseBoolean"). | +| Group optional | **Type** Int64 **Description** Identifier of the display property group, i.e. the fieldset, that the property is part of in the default UI form. 
| +| IconCode optional | **Type** String **Description** Defines the icode code. | +| InputType default value: Auto | **Type** Enumeration **Description** Identifier of the input type. | +| IsHidden default value: false | **Type** Boolean **Description** Property is hidden. | +| IsReadOnly default value: false | **Type** Boolean **Description** Property is readOnly. | +| IsRequired default value: false | **Type** Boolean **Description** Property is required. | +| MinSearchLength optional | **Type** Int32 **Description** Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the input type of the display property must be a picker and the AutocompleteBinding must be defined). | +| NavigationBinding optional | **Type** Int64 **Description** Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. | +| OutputType default value: Auto | **Type** Enumeration **Description** Identifier of the output type. | +| PlaceHolderText_L1 optional | **Type** String **Description** Property place holder text. | +| Tile optional | **Type** Int64 **Description** Identifier of the tile. | +| ToolTipText_L1 optional | **Type** String **Description** Property tool tip text. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md new file mode 100644 index 0000000000..c24fb29667 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md 
@@ -0,0 +1,28 @@ +# DisplayPropertyGroup + +A display property group bundles a list of entity properties together in a fieldset in the UI. + +## Examples + +The following example will group a specific set of properties together, when displaying AD entries. + +``` + + + +Knowing that we have the following properties: + ... + + +``` + +![Display Property Group - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp) + +Any property without a value is not displayed. + +## Properties + +| Property | Details | +| ----------------------- | -------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the fieldset in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the property group. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md new file mode 100644 index 0000000000..e381a51a82 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md 
@@ -0,0 +1,89 @@ +# DisplayTable + +A table displays a collections of entity type data grouped into rows. + +## Examples + +### DisplayTableDesignElement + +#### table + +The following example displays sites as a table. + +``` + + + +``` + +![Example - DisplayTableDesignElement Set to Table](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_table_v602.webp) + +#### list + +The following example displays users as a list. + +``` + + + +``` + +![Example - DisplayTableDesignElement Set to List](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp) + +For resources to be displayed as a list, the display table must also be configured with tiles. + +#### resourcetable + +The following example displays AD entries as a table, with an "Owner/Type" column. + +``` + + + +``` + +![Example - DisplayTableDesignElement Set to ResourceTable](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp) + +## Properties + +| Property | Details | +| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayTableDesignElement required | **Type** Enumeration **Description** Design of the display table. `-1` - **table**: resources are displayed in a table. `-2` - **list**: resources are displayed in a list. 
`-3` - **resourcetable**: resources are displayed in a table containing an "Owner/Type" column. `-4` - **adaptable**: resources are displayed in a table with an "Owner/Type" column only if the entity type is the target of a resource type, otherwise the table is without said column. | +| EntityType required | **Type** Int64 **Description** Represents the linked entity type. | +| HomonymEntityLink optional | **Type** Int64 **Description** Defines the homonym display table. | +| Identifier required | **Type** String **Description** Unique identifier of the table. | +| IsEntityTypeDefault default value: false | **Type** Boolean **Description** Default display table used in the application. | +| LinesPerPage default value: 15 | **Type** Int32 **Description** Defines the maximum lines per page. | +| ParentProperty optional | **Type** Int64 **Description** Property to navigate to the parent level when the table displays a tree of values (for example `Organization.ParentOrganization`). | + +## Child Element: Column + +Contains all the display table columns. + +### Examples + +``` + + + +``` + +### Properties + +| Property | Details | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | **Type** Int32 **Description** Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| CanBeFiltered default value: false | **Type** Boolean **Description** Can filter the column data. | +| ColumnSize default value: 1 | **Type** Int32 **Description** Defines the column size. | +| DefaultSortPriority optional | **Type** Int32 **Description** Defines the default sort priority. 
| +| DisplayBinding optional | **Type** Int64 **Description** Represents the linked binding path to a scalar property. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the column in language 1 (up to 16). | +| IsDisplayInDropDownList default value: false | **Type** Boolean **Description** Is a drop down list column. | +| IsDisplayInSummaryView default value: false | **Type** Boolean **Description** Is a summary view column. | +| IsResizable default value: false | **Type** Boolean **Description** Is resizable column. | +| IsSortable default value: false | **Type** Boolean **Description** Is sortable column. | +| OptimizedDisplayBinding optional | **Type** Int64 **Description** Optimized Binding allows DisplayTables to be faster displayed. If it is filled in, it takes priority over the DisplayBinding located in the DisplayTableColumn. | +| OptimizedSortBinding optional | **Type** Int64 **Description** An optimized sort binding allows display tables to be faster displayed. If it is filled in, it takes priority over the sort binding located in the display table column. | +| SearchOperator default value: 0 | **Type** QueryComparisonOperator **Description** Defines the search operator (Equal, NotEqual, Contain, StartWith�). | +| SortBinding optional | **Type** Int64 **Description** Represents the sort binding path to a scalar property. | +| Tile optional | **Type** Int64 **Description** Identifier of the tile. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md new file mode 100644 index 0000000000..d2e11fe7b9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md 
@@ -0,0 +1,123 @@ +# Form + +A form contains a set of input fields (called controls) to be filled by a user, in a structured way. +A form must have a form type to be displayed and used in the UI. A form without a type can be called +in another form. + +## Examples + +The following example shows a form called `Directory_UserRecord_View` that involves resources from +the entity type `Directory_UserRecord` to collect personal data and contract information via some +structured fields to fill. + +``` + +
+ ... + + + + +``` + +### Display settings + +#### Hide the "Access Permissions" tab + +When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible. + +![Access Permissions](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp) + +#### Adjust the request type + +When `WorkflowRequestType` is set to `Self`, then the finalization step looks like: + +![WorkflowRequestType = Self](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp) + +When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like: + +![WorkflowRequestType = Helpdesk](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp) + +#### Display records in a table + +![RecordTable Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp) + +## Properties + +| Property | Details | +| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | **Type** Int64 **Description** Defines the linked activity template. | +| ActivityState optional | **Type** Enumeration **Description** Defines the linked activity state template. | +| AddRowLabel_L1 optional | **Type** String **Description** Defines the "add row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| EntityType required | **Type** Int64 **Description** Represents the linked entity type. 
| +| FormTitle_L1 optional | **Type** String **Description** Title of the form in language 1 (up to 16). | +| FormType default value: Auto | **Type** FormType **Description** Represents the linked form type. | +| HideRecordAddButton default value: false | **Type** Boolean **Description** `true` to hide the button used to add a new record. | +| HideRecordRemoveButton default value: false | **Type** Boolean **Description** `true` to hide the button used to remove an existing record. | +| HideRoles default value: false | **Type** Boolean **Description** `true` to hide the **Access Permissions** tab. | +| Identifier required | **Type** String **Description** Unique identifier of the form. | +| IsDefaultSelfForm default value: false | **Type** Boolean **Description** Entity type default self form. | +| IsDefaultViewForm default value: false | **Type** Boolean **Description** Entity type default view form. | +| IsDeleteForm default value: false | **Type** Boolean **Description** Is a delete form. | +| MainProperty optional | **Type** Int64 **Description** Represents the form main property. | +| MainPropertyLabel_L1 optional | **Type** String **Description** Defines the main property label text. | +| Menu optional | **Type** Int64 **Description** Defines the linked menu item. | +| RecordEndProperty optional | **Type** Int64 **Description** Defines the workflow end date property. If not specified, the property �EndDate' of the record entity type is considered as RecordEndProperty. | +| RecordFilter default value: CurrentAndFuture | **Type** RecordFilter **Description** Defines the record display option. `0` - Current: shows current positions. `1` - CurrentAndFuture: shows current and future positions. Recommended. `2` - All: shows past, present and future positions. Not recommended for clarity issues. | +| RecordProperty optional | **Type** Int64 **Description** Defines the workflow record property. 
| +| RecordSortProperty optional | **Type** Int64 **Description** Defines the workflow sort property. | +| RecordStartProperty optional | **Type** Int64 **Description** Defines the workflow start date property. If not specified, the property �StartDate' of the record entity type is considered as RecordStartProperty. | +| RecordTable optional | **Type** Int64 **Description** Identifier of the display table to be used to display resources' records in a workflow. | +| RemoveRowLabel_L1 optional | **Type** String **Description** Defines the "remove row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| TableTitle_L1 optional | **Type** String **Description** Defines the table title when using WorkflowUpdateSeveralRecordsEntityForm. | +| WorkflowRequestType default value: 0 | **Type** WorkflowRequestType **Description** Type of the request of the related workflow. `0` - None. `1` - Self. `2` - Helpdesk. `3` - Administration. | + +## Child Element: Control + +A form control is an input field to be filled by a user. Controls can be inserted in other controls +in order to display the form fields in a structured way. + +### Examples + +The following example shows a form called `Directory_UserRecord_View` that collects first personal +data via some controls, and then calls another form `Workflow_Directory_User_AddRecord_Base` to +collect record information. In this example is a tree control which defines the relationships +between a worker and their managers (N+1 to N+3). The aim is to display in the form (in the UI) the +organization chart made of the worker and their managers. + +``` + +
+ + +``` + +### Properties + +| Property | Details | +| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | **Type** Int32 **Description** Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| Binding optional | **Type** Int64 **Description** Identifier of the binding property. **Note:** when displaying an organization chart, this binding is meant to represent the first manager level (N+1). In this case, it must be a mono-valued navigation. | +| Binding2 optional | **Type** Int64 **Description** Identifier of the binding property used to represent the second manager level (N+2) in the organization chart. It must be a mono-valued navigation. Cannot be used when `Binding` is not defined. | +| Binding3 optional | **Type** Int64 **Description** Identifier of the binding property used to represent the third manager level (N+3) in the organization chart. It must be a mono-valued navigation. Cannot be used when `Binding2` is not defined. | +| ColumnSize optional | **Type** Int32 **Description** Defines the control column size. | +| DefaultValueBinding optional | **Type** Int64 **Description** Automatically sets the value in the control depending on this binding and the selected value in another corresponding picker. It's only available for controls with picker. 
_For example: `` After a selection of an organization in another picker in the form, the field location will be automatically set by the main location of the manager of the selected organization._ | +| DisplayName_L1 optional | **Type** String **Description** Display name of the control in language 1 (up to 16). | +| DisplayTable optional | **Type** Int64 **Description** Identifier of the table. | +| EmbeddedForm optional | **Type** Int64 **Description** Identifier of the form to insert in the control. With this method, one form can be imported to several forms. **Warning:** can be used only with `OutputType` set to `TransformImport`. | +| EntityType optional | **Type** Int64 **Description** Represents the linked entity type. | +| ExtensionIdentifier optional | **Type** String **Description** This property is used to extend the Usercube UI. | +| FilterBinding1 optional | **Type** Int64 **Description** Coupled with LinkedBinding1, it allows filtering on a list of items. FilterBinding1 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. | +| FilterBinding2 optional | **Type** Int64 **Description** Coupled with LinkedBinding2, it allows filtering on a list of items. FilterBinding2 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. | +| HomonymEntityLink optional | **Type** Int64 **Description** Defines the homonym form control. | +| InputType default value: Inherited | **Type** Enumeration **Description** Input type of the control. | +| IsReadOnly optional | **Type** Boolean **Description** Is a readonly form control. | +| IsRequired optional | **Type** Boolean **Description** Is a required form control. | +| LinkedBinding1 optional | **Type** Int64 **Description** Coupled with FilterBinding1, it allows filtering on a list of items. LinkedBinding1 defines the binding on which the search will be carried out. 
Linked filters are only available for controls with the `Picker` InputType. | +| LinkedBinding2 optional | **Type** Int64 **Description** Coupled with FilterBinding2, it allows filtering a list of items. LinkedBinding2 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. | +| Name optional | **Type** String **Description** Identifies the control inside the Form. This is used for translation files when a control cannot be identified by its binding such as for FieldSet. | +| NavigationBinding optional | **Type** Int64 **Description** Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. If not defined, the one defined in DisplayEntityProperty is used. | +| OutputType default value: Inherited | **Type** Enumeration **Description** Output type of the control. | +| ParentControl optional | **Type** Int64 **Description** Defines the parent form control. | +| PlaceHolderText_L1 optional | **Type** String **Description** Defines the place holder text. | +| Tile optional | **Type** Int64 **Description** Identifier of the tile. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md new file mode 100644 index 0000000000..8cbb7401ba --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md 
@@ -0,0 +1,11 @@ +# User Interface + +- #### [DisplayEntityAssociation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md) +- #### [DisplayEntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +- #### [DisplayPropertyGroup](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md) +- #### [DisplayTable](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +- #### [Form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +- #### [Indicator](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md) +- #### [MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +- #### [SearchBar](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md) +- #### [Tile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md new file mode 100644 index 0000000000..6a48762371 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md 
@@ -0,0 +1,78 @@ +# Indicator + +An Indicator displays a banner alongside the resource information whenever it meets a specific +criteria. + +More precisely, an indicator displays the appropriate banner whenever the _Binding_ matches the +_Item Value_ according to the _Comparison operator_, as can be seen on the example below. + +The banner is displayed wherever the associated resource appears. + +For example, if we create an indicator pointing out the risk score of a user, the banner will show +on the left-side of the user +[tile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) +and the user +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). +If we create an indicator pointing out whether an AD account is unused or disabled, the banner will +show on the left-side of the AD Entries tile and form. + +One entity can show several banners, one for several different properties. They appear one above the +other if there are four banners or less, one next to the other if there are more. + +One indicator can posess several items, that define the information for the banner to be displayed. +The indicators order is important because the banner will get the information of the first item +matching the observed property. + +## Examples + +The following example entails the display of a red banner for a user with a high risk score and an +orange banner for a user with a medium risk. + +The XML file below states that if the risk score is greater than 75, only the indicator "High risk" +will be displayed and not "Medium risk". If it is lower than 75 and greater than 30, the indicator +will be "Medium risk". If it is lower than 30, there will be no indicator. 
+ +``` + + + +``` + +Note that if you write the "Medium risk" item before the "High risk" one, even if the score if +greater than 75, the banner will be orange according to the first item: + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding optional | **Type** Int64 **Description** Defines the binding path to a scalar property. | +| ComparisonOperator required | **Type** QueryComparisonOperator **Description** Defines how to compare the given binding to an indicator item value. 
All possible values: - Auto: The SearchOperator is calculated by the engine according to the type of element. - NotEqual: finds the elements that are not equal to the desired value. - Equal: finds the elements that are strictly equal to the desired value. - Contain: finds the elements that contain the desired value. - StartWith: finds the elements that start with the desired value. - EndWith: finds the elements that end with the desired value. - NotContain: finds the elements that do not contain the desired value. - NotStartWith: finds the elements that do not start with the desired value. - NotEndWith: finds the elements that do not end with the desired value. - GreaterThan: finds the elements that are greater than the desired value. - LessThan: finds the elements that are less than the desired value. - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. - LessThanOrEqual: finds the elements that are less than or equal to the desired value. - Flexible\*: The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. The flexible operators are: - FlexibleEqual. - FlexibleContain. - FlexibleStartWith. - FlexibleEndWith. | +| EntityType required | **Type** Int64 **Description** Represents the linked entity type. | +| OptimizedBinding optional | **Type** Int64 **Description** Optimized Binding allows Indicators to be faster displayed. If it is filled in, it takes priority over the Binding located in the Indicator. | +| Order required | **Type** Int32 **Description** Defines the order in which the banners are displayed. If there is no order needed, its value is zero for all indicators. | + +## Child Element: Item + +Defines the banner to be displayed informations. See Indicator for more details. 
+ +### Examples + +``` + + + +``` + +### Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------- | +| Color required | **Type** String **Description** Defines the color of the item. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the banner in language 1 (up to 16). | +| Value optional | **Type** String **Description** Defines the value with which the indicator binding will be compared to. | diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md 
diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md new file mode 100644 index 0000000000..b7b8d42f6a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md 
@@ -0,0 +1,59 @@ +# AddChangeAspect + +Modifies a given property value. + +## Examples + +The following example computes a new value for the property `IsDraft` from the `Directory_User` +entity type. The new value is always `true`. The pointcuts define when the value change must happen. + +``` + + + + +``` + +### Accept Null Value + +The following example computes a new value for the `Card` property in users' records, considering +`null` as a value. Instead of being ignored, a `null` value returned by `Expression` will replace +the old value. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be changed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| AcceptNullValueExpression optional | **Type** String **Description** C# expression returning a boolean, `true` to consider `null` for the new value returned by `Expression`. By default, `null` values are ignored. | +| Expression optional | **Type** String **Description** C# expression returning a new value for the property to be changed. **Note:** this property can also be defined by a binding via `ExpressionBinding`. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md new file mode 100644 index 0000000000..80bdd088db --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md 
@@ -0,0 +1,81 @@ +# AssertValueAspect + +Checks whether the value of a given property satisfies a given condition. + +## Examples + +The following example makes sure that, when creating a new employee, the contract end date is after +the contract start date. The pointcuts define when the value assertion must happen. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +         +``` + +### Assert a multi-valued object + +When asserting a multi-valued object, said object must not be called through a binding that goes +back and forth between entities. + +For example, to manage records, using the ExpressionBinding set to +``. Records and the Expression using C#:record:return +record.Directory_User.Records... will not work. + +Instead, the ExpressionBinding should be set to `` and the +Expression should use C#:user:return user.Records. + +The following example makes sure that a user's positions do not overlap. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +## Properties + +| Property | Type | Description | +| -------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Binding whose difference with ExpressionBinding defines the property to be validated by the aspect. | +| Identifier required | String | Unique identifier of the aspect. | +| Expression optional | String | C# expression returning a boolean, false to invalidate the property value. 
| +| ExpressionBinding optional | String | Binding: - Defines the variable type used in the potential expressions specified in the aspect; - Whose difference with Binding defines the property involved in the aspect **NOTE:** Required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | String | Expression that conditions the aspect execution. See the [ Expressions ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Message_L1 optional | String | Message in language 1 (up to 16) to be displayed when the property is invalidated by the condition specified in Expression. | +| Priority default value: 0 | Int32 | Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **NOTE:** The priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked aspect. See the +[ Aspects ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +topic for additional information. + +The position of the pointcut is specified by an activity state and a mode (before or after). 
+ +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Type | Description | +| ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | Int64 | Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | Enumeration | Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | PointCutMode | Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 0 - Before — the aspect will be executed on entry to the specified activity state, regardless of the transition used. 1 - After — the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md new file mode 100644 index 0000000000..9f7fdf24fe --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md 
@@ -0,0 +1,41 @@ +# AssertValueRequiredAspect + +Checks whether a given property has a non-null value. + +## Examples + +The following example makes sure that the contract start date is specified for any new worker. The +pointcuts define when the value assertion must happen. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be validated by the aspect. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Message_L1 optional | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the property is empty. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. 
**Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md new file mode 100644 index 0000000000..ed21c481ef --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md 
@@ -0,0 +1,215 @@ +# BuildUniqueValueAspect + +Computes a unique value for a given property. + +## Examples + +The following example generates bots' logins during their creation. + +``` + + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be computed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Expression optional | **Type** String **Description** C# expression that computes the unique value. **Note:** the computation can be configured in SQL instead of C# via `SqlBuildExpression`. Decide whether to use either `Expression` or `SqlBuildExpression`, not both. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| HistorizeBinding optional | **Type** String **Description** Binding that stores all the old values computed by the aspect. 
| +| HistorizeSeparator default value: � | **Type** String **Description** Defines the character used as a separator in the `HistorizeBinding` property. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| IterationsCount default value: 0 | **Type** String **Description** Maximum number of computation attempts without finding a unique value. **Note:** a variable named `iteration` is available to use the attempt number in the expressions of the aspect and/or of the potential unicity check rules, for example to help manage homonyms. Hence, a custom variable cannot be declared with the name `iteration`. | +| Message_L1 default value: | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the value generation failed, i.e. when `IterationsCount` is exceeded. | +| OnlyIfNew default value: false | **Type** String **Description** `true` to trigger the aspect only for the creation of new resources. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| SimulationExpression optional | **Type** String **Description** Expression used instead of the `Expression` parameter when previewing the workflow result before its implementation. | +| SqlBuildExpression optional | **Type** String **Description** SQL command that computes the unique value. **Note:** the computation can be configured in C# instead of SQL via `Expression`. Decide whether to use either `SqlBuildExpression` or `Expression`, not both. | +| SqlCheckExpression optional | **Type** String **Description** SQL request that checks whether the value computed with the binding/expression is unique, i.e. 
not yet used by another resource.**Note:** required if zero unicity check rules are linked to the aspect.**Warning:** the SQL request must be efficient because a potential timeout may block the progress of the workflow. For example, when the database's state and indexes are not well known, prefer to use views rather than the whole tables, because views store way fewer elements than tables, which makes them faster to use in a request. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. 
`1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: UnicityCheckRule + +A unicity check rule ensures that the expression computed by a `BuildUniqueValue`aspect for a given +property is unique, i.e. not yet used by another resource, in a given entity type. + +The comparison performed by these rules to check unicity can be configured in SQL instead of C# via +the `SqlCheckExpression` property of the aspect. + +The value of the source binding/expression is computed based on the properties of the source +resource which is the resource whose property we compute via the `BuildUniqueValue` aspect. + +The rule compares the return value of the source binding/expression with the existing values of the +target binding/expression in the target entity type. + +![Schema: Unicity Check](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp) + +> For example, we need to generate an email address for any new user joining the company. We +> configure in a `BuildUniqueValue` aspect that users' emails are computed with +> `{firstName}.{lastName}@{EmailDomain}`. +> +> Consider a new user called John Doe. We need to link to the aspect a unicity check rule that is +> going to compare the email core `john.doe` with the email cores of existing resources in a given +> entity type. Thus Usercube can ensure that the email core is unique, and finally build the unique +> email address. + +Both source and target bindings/expressions must be consistent with the binding/expression used in +the corresponding aspect which must not use a `SqlCheckExpression`. + +One `BuildUniqueValue` aspect can be linked to many unicity check rules, but should not be linked to +more than one rule per target entity type. + +The unicity check rules linked to a same aspect are combined with the AND operator. 
It means that +the aspect's iteration goes up when at least one of the rules detects non-unicity. + +When creating or updating a unicity check rule, launch the +[`ComputeCorrelationKeysTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md)before +applying the role model and launching workflows. + +**For information:** Usercube needs to store the correlation keys linked to the expressions defined +in the unicity check rule, such as the return value, the entity type, etc. That's why the task +mentioned above must be launched before launching any workflow using a unicity check rule. + +### Examples + +#### Basic example + +The following example checks the unicity of the login of a new user. + +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> +> ``` + +We want to check the unicity of the new user's login, compared with the logins of existing users: + +``` + + + +``` + +Here the source binding and expression are those from the aspect. + +#### Multiple unicity checks + +With the same aspect as the previous example, we might want to compare the login of the new user +with the list of reserved logins too: + +``` + + + +``` + +#### Sophisticated example + +The following example checks the unicity of the email address of a new user. + +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> // We want an email address such as {firstName}.{lastName}@{EmailDomain}. 
+> +> Expression="C#:record:var firstName = record.FirstName.Simplify()?.ToLowerInvariant(); +> var lastName = record.LastName.Simplify()?.ToLowerInvariant(); +> if (string.IsNullOrEmpty(firstName) || string.IsNullOrEmpty(lastName)) +> { +> // Missing data +> return null; +> } +> +> var result = firstName + "." + lastName; +> +> // If the email core, i.e. {firstName}.{lastName}, is already used, then we try with {firstName}.{lastName}2, etc. +> if (iteration > 0) +> { +> result += iteration.ToString(); +> } +> +> result = result + '@' + record.Subsidiary?.EmailDomain; +> return result;" IterationsCount="10" /> +> +> ``` + +We want to include in the unicity check only the email's core `firstName.lastName` without the +`@EmailDomain` part. This is why the source expression starts like the aspect's expression but does +not add the domain part, and the target expression removes the domain part from existing values: + +``` + + + +``` + +| Property | Details | +| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| SourceBinding optional | **Type** Int64 **Description** Binding property (from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. **Note:** when not specified, the unicity check rule uses the binding from the aspect. 
| +| SourceExpression optional | **Type** String **Description** Binding expression (based on properties from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). **Note:** when not specified, the unicity check rule uses the expression from the aspect. | +| TargetBinding optional | **Type** Int64 **Description** Binding property (from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. | +| TargetEntityType required | **Type** Int64 **Description** Identifier of the entity type for which the rule checks the property's unicity. | +| TargetExpression optional | **Type** String **Description** Binding expression (based on properties from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md new file mode 100644 index 0000000000..0ece8d7ed8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md 
@@ -0,0 +1,21 @@ +# Aspects + +An aspect is a modularization of a concern that cuts across multiple workflows. Usercube uses +aspects to perform some specific actions at given workflow steps. + +> For example, an aspect can assert a given user's input is valid. + +- #### [AddChangeAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md) + Modifies a given property value.- #### + [AssertValueAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md) + Checks whether the value of a given property satisfies a given condition.- #### + [AssertValueRequiredAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md) + Checks whether a given property has a non-null value.- #### + [BuildUniqueValueAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md) + Computes a unique value for a given property.- #### + [InvokeScriptAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md) + Executes a customized script.- #### + [InvokeWorkflowAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md) + Launches a workflow.- #### + [NotificationAspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md) + Sends a notification email to one or several users. 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md new file mode 100644 index 0000000000..fcd331db3c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md 
@@ -0,0 +1,40 @@ +# InvokeScriptAspect + +Executes a customized script. + +## Examples + +The following example executes the script `aspect.ps1` on the local agent, when creating a new user. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Agent optional | **Type** String **Description** Agent on which the script will be launched. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| ScriptFile optional | **Type** String **Description** Path of the script file to be executed by the aspect. 
| + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md new file mode 100644 index 0000000000..723fa42777 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md 
@@ -0,0 +1,40 @@ +# InvokeWorkflowAspect + +Launches a workflow. + +## Examples + +The following example launches the workflow `Directory_User_VehicleRequest` when a vehicle is +requested for a new internal user. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Workflow required | **Type** String **Description** Identifier of the workflow to be launched. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). 
+ +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md new file mode 100644 index 0000000000..350f1b093b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md 
@@ -0,0 +1,127 @@ +# NotificationAspect + +Sends a notification email to one or several users. + +## Examples + +The following example sends a notification email based on the template +`Notification_Directory_Guest.cshtml` and the subject computed by `SubjectExpression_L1`, which both +use data from `Workflow_Directory_Guest:Directory_Guest`, and on the styles from +`Notification_Directory_Guest.css`. + +``` + + + + +``` + +The notification will be sent after the `Request` activity of the `Directory_Guest_AdvancedStart` +workflow is executed. See pointcuts for more details. + +The notification will be sent to all email addresses defined by `Directory_Guest:Mail`. See +recipients for more details. + +## Properties + +| Property | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Binding optional | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property that corresponds to identities' email addresses, when `Type` is set to `Binding`. | +| CssFile optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| RazorFile_L1 optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| SubjectExpression_L1 optional | **Type** String **Description** C# expression that defines the email's subject in language 1 (up to 16). The expression's variable type is defined in `ExpressionBinding`. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Usercube when to execute the linked +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. 
| +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: Recipient + +A recipient defines one or several identities who will receive a notification from +`NotificationAspect`. + +### Examples + +The following example sends a notification email to the actors of the next step of the workflow. + +``` + + + + + +``` + +The following example sends a notification email to the performers of the `Request` activity of the +`Directory_User_StartInternal` workflow when the state is `Executed`. + +``` + + + + + +``` + +The following example sends a notification email to the email address, stored in `Mail`, of the +user(s) from `Directory_User` targeted by the workflow, so here the new user created by the +`Directory_User_StartInternal` workflow. + +``` + + + + + +``` + +The following example sends a notification email to all identities whose email addresses are defined +as `{lastName}@company.com`. + +``` + + + + + +``` + +The following example sends a notification to all identities with a profile that includes the right +permission. 
+ +``` + + + + + +Knowing that we also have: + + + + +``` + +| Property | Details | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | **Type** Int64 **Description** Identifier of the activity whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `ActivityState`. | +| ActivityState optional | **Type** Enumeration **Description** Identifier of the activity state whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `Activity`. | +| Binding optional | **Type** Int64 **Description** Binding of the property that represents the notification's recipients, when `Type` is set to `Binding`. | +| EmailAddresses optional | **Type** String **Description** Email addresses of the notification's recipients, when `Type` is set to `Hardcoded`. | +| Expression optional | **Type** String **Description** C# expression that returns the email addresses of the notification's recipients, as strings or `IEnumerable`, when `Type` is set to `Expression`. The expression's variable type is defined in `ExpressionBinding` in the associated `NotificationAspect`. 
[See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| IsCC default value: false | **Type** Boolean **Description** `true` to send the notification email to the recipient(s) as a carbon copy (CC). | +| Type required | **Type** RecipientType **Description** Type of recipients for the email notification. **Actor**: the identities with the permissions to act on the next step of the workflow specified in the pointcut. **Performer**: the actors of a past workflow step specified in `Activity` and `ActivityState`. **Binding**: the identities whose email addresses are designated by the property specified in `Binding`. **Hardcoded**: the identities whose email addresses are specified explicitly in `EmailAddresses`. **Expression**: the identities whose email addresses match the C# expression specified in `Expression`. **Profile**: the identities with the permission `/Custom/WorkflowsNotifications/{workflow_identifier}/` `{activity_identifier}/{activityTemplateState_shortIdentifier}`. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md new file mode 100644 index 0000000000..1ba9e76013 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md 
@@ -0,0 +1,26 @@ +# Forms + +Workflows use forms to collect input data through the UI. A form is a set of fields, configured with +controls. A control can define a field to fill, a fields set, call an existing form, etc. depending +on its output type. + +- #### [WorkflowAddAndEndRecordEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md) + Displays a form to define the end date of an existing record, and replace it with a new record + at said date, by duplicating and adjusting the old record.- #### + [WorkflowAddRecordEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md) + Displays a form to add a new record for an existing resource, by duplicating and adjusting an + existing record.- #### + [WorkflowCreateEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md) + Displays a form to create a new resource, without a record.- #### + [WorkflowCreateRecordEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md) + Displays a form to create a new resource with a record.- #### + [WorkflowCreateSeveralRecordsEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md) + Displays a form to create a new resource with one or several records.- #### + [WorkflowEditEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md) + Displays a form to update or delete an existing resource, without a record.- #### + 
[WorkflowUpdateRecordEntitiesForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md) + Displays a form to update data for several resources simultaneously.- #### + [WorkflowUpdateRecordEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md) + Displays a form to select an existing record and update it.- #### + [WorkflowUpdateSeveralRecordsEntityForm](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md) + Displays a form to create, update or delete one or several records. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md new file mode 100644 index 0000000000..32cb6324e0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md @@ -0,0 +1,76 @@ +# WorkflowAddAndEndRecordEntityForm + +Displays a form to define the end date of an existing record, and replace it with a new record at +said date, by duplicating and adjusting the old record. + +## Examples + +The following example is a form to update a position. + +``` + + + +With the following form for the resource data's content and summary: +
+ +And with the following form for the record data's content and summary, and for the data that groups records together: +
+ +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Position](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Position](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data about the resource's record. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields that group records together. All records with the same data in +`RecordUniqueItemControl` are displayed in the workflow as only one record, and they will +potentially be modified together. When not specified, records will be grouped by the data from +`RecordControl`. + +| Property | Details | +| -------- | ------- | + +## Child Element: MainSummaryControl + +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSummaryControl + +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. 
+ +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md new file mode 100644 index 0000000000..455d716c9d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md @@ -0,0 +1,79 @@ +# WorkflowAddRecordEntityForm + +Displays a form to add a new record for an existing resource, by duplicating and adjusting an +existing record. + +## Examples + +The following example is a form to request a computer. + +``` + + + +With the following form for the resource data's content and summary: +
+ +And with the following form for the record data's content and summary: +
+ +And with the following form for the data that groups records together: +
+ +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Computer Request](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Computer Request](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data about the resource's record. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields that group records together. All records with the same data in +`RecordUniqueItemControl` are displayed in the workflow as only one record, and they will +potentially be modified together. When not specified, records will be grouped by the data from +`RecordControl`. + +| Property | Details | +| -------- | ------- | + +## Child Element: MainSummaryControl + +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSummaryControl + +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. 
+ +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md new file mode 100644 index 0000000000..fb66437eb2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md @@ -0,0 +1,34 @@ +# Workflow Create Entity Form + +Displays a form to create a new resource, without a record. + +## Examples + +The following example is a form to create a new site. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +         +With the following form for the workflow's content: +
                                                                                                                         +And with the following form for the workflow's summary: +
                                                                 + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Site Creation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Site Creation](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| ----------------------------- | -------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: SummaryControl | Set of fields to sum up the collected data after the workflow's execution. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md new file mode 100644 index 0000000000..1547815ed3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md @@ -0,0 +1,64 @@ +# WorkflowCreateRecordEntityForm + +Displays a form to create a new resource with a record. + +## Examples + +The following example is a form to create a new user from HR. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     + +With the following form for the workflow's content and summary about resource data: +
+     +         +     + +And with the following form for the workflow's content about record data: +
+     +     +     +     +     +     +     +     +     + +And with the following form for the workflow's summary on record data: +
+     +         +         +         +         +         +     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - New User from HR](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp) + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution. + +## Properties + +| Property | Description | +| ----------------------------------- | --------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..3cd28cce5b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md @@ -0,0 +1,53 @@ +# WorkflowCreateSeveralRecordsEntityForm + +Displays a form to create a new resource with one or several records. + +## Examples + +The following example is a form to request a computer. + +``` + + + +With the following form for the resource's data: +
+ +And with the following form for the data shared with all records: +
+ +And with the following form for the data specific to each record: +
+ +``` + +The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the +workflow's execution: + +![Form Example - New User from Helpdesk](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp) + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data shared between all the resource's records. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields to collect data specific to each record. + +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md new file mode 100644 index 0000000000..e43a0ea7d6 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md @@ -0,0 +1,43 @@ +# WorkflowEditEntityForm + +Displays a form to update or delete an existing resource, without a record. + +## Examples + +The following example is a form to request a computer. + +``` + + + +With the following form for the workflow's content and summary: +
+ +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Computer Request](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Computer Request](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: SummaryControl + +Set of fields to sum up the collected data after the workflow's execution. + +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md new file mode 100644 index 0000000000..ed0937c83b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md @@ -0,0 +1,75 @@ +# WorkflowUpdateRecordEntitiesForm + +Displays a form to update data for several resources simultaneously. + +## Examples + +The following example is a form to update users' positions in bulk. + +``` + + + +With the following form for the workflow's content and summary about resource data: +
+ +And with the following form for the workflow's content and summary about record data: +
+ +And with the following form for the data that groups records together: +
+ +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Mass Update](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be modified as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data about the resource's record. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields that group records together. All records with the same data in +`RecordUniqueItemControl` are displayed in the workflow as only one record, and they will +potentially be modified together. When not specified, records will be grouped by the data from +`RecordControl`. + +| Property | Details | +| -------- | ------- | + +## Child Element: MainSummaryControl + +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSummaryControl + +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. + +| Property | Details | +| -------- | ------- | 
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md new file mode 100644 index 0000000000..6821ea1ed9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md @@ -0,0 +1,78 @@ +# WorkflowUpdateRecordEntityForm + +Displays a form to select an existing record and update it. + +## Examples + +The following example is a form to update a user's record from helpdesk. + +``` + + + +With the following form for the resource's data and summary: +
+ +And with the following form for the data shared with all records and for the summary: +
+ +And with the following form for the data that groups records together: +
+ +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Data](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Data](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data about the resource's record. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields that group records together. All records with the same data in +`RecordUniqueItemControl` are displayed in the workflow as only one record, and they will +potentially be modified together. When not specified, records will be grouped by the data from +`RecordControl`. + +| Property | Details | +| -------- | ------- | + +## Child Element: MainSummaryControl + +Set of fields to sum up the data collected by `MainControl` after the workflow's execution. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSummaryControl + +Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. 
+ +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..17e3bcec81 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md @@ -0,0 +1,89 @@ +# WorkflowUpdateSeveralRecordsEntityForm + +Displays a form to create, update or delete one or several records. + +## Examples + +The following example is a form to create, update and/or delete one or several positions for a given +user. + +``` + + + +With the following form for the resource's data: +
+ +And with the following form for the data shared with all records: +
+ +And with the following form for the data used to update existing records: +
+ +And with the following form for the data used to add new records: +
+ + + +And with the following form for the data that groups records together: +
+ +``` + +The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and +`RecordSlaveControl` are visible during the workflow's execution: + +![Form Example - Manage a User's Positions](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_v603.webp) + +When adding a new position, we decide to make `Title` available, in addition to the fields used to +update existing records: + +![Form Example - Manage a User's Positions - New Record](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +## Properties + +| Property | Details | +| -------- | ------- | + +## Child Element: MainControl + +Set of fields to collect data about the main resource. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordControl + +Set of fields to collect data when adding new records. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordUniqueItemControl + +Set of fields that group records together. All records with the same data in +`RecordUniqueItemControl` are displayed in the workflow as only one record, and they will +potentially be modified together. When not specified, records will be grouped by the data from +`RecordControl`. + +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSlaveUniqueItemControl + +Set of fields to collect the data shared with all the resource's records, for example contract +information when managing positions. 
+ +| Property | Details | +| -------- | ------- | + +## Child Element: RecordSlaveControl + +Set of fields to collect data when updating existing records. + +| Property | Details | +| -------- | ------- | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md new file mode 100644 index 0000000000..f9d0db76ab --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md @@ -0,0 +1,46 @@ +# HomonymEntityLink + +This entity is used to configure the homonym workflow. + +## Examples + +``` + + + +``` + +In this example the homonym is linked to a +[Control](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +and it will be applied for the +[Binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) +included in the +[Control](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +where the homonym is located. Read more about +[how to configure homonym filters](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflowhomonym/index.md). + +``` + +
+ +``` + +## Properties + +| Property | Details | +| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FormEntityType required | **Type** Int64 **Description** In a [Form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md), an [EntityType](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) is defined and the [Binding](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) of this Form will be loaded from this EntityType. The FormEntityType property represents this EntityType. | +| Identifier required | **Type** String **Description** Unique identifier of the HomonymEntityLink. | + +## Child Element: Filter + +Defines combination of property comparison to use to find homonyms. 
+ +### Properties + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ComparisonProperty1 optional | **Type** Int64 **Description** Defines the property used to compare with the form control `Property`. It should not be defined if it the same as the property in the attribute `Property`. Going from 1 to 5. 
| +| Expression1 optional | **Type** String **Description** Defines the C# expression to apply on the homonymy form controls. The result of the expression evaluation will be compared with the corresponding `ComparisonProperty` using the defined `Operator`. If the `ComparisonProperty` is a computed property, no need to define the expression if it is the same as the one for the computed property. It will be automatically used when finding homonyms. Going from 1 to 5. [See more details on C# expressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). | +| Operator1 default value: 2 | **Type** QueryComparisonOperator **Description** Defines the operator to use to compare between the `ComparisonProperty` and the `Property` or the `Expression` evaluation result. By default the `Equal` operator is used. Going from 1 to 5. All possible values: `0` - Auto: The `Operator` is calculated by the engine according to the type of element. `1` - NotEqual: finds the elements that are not equal to the desired value. `2` - Equal: finds the elements that are strictly equal to the desired value. `3` - Contain: finds the elements that contain the desired value. `4` - StartWith: finds the elements that start with the desired value. `5` - EndWith: finds the elements that end with the desired value. `6` - NotContain: finds the elements that do not contain the desired value. `7` - NotStartWith: finds the elements that do not start with the desired value. `8` - NotEndWith: finds the elements that do not end with the desired value. `9` - GreaterThan: finds the elements that are greater than the desired value. `10` - LessThan: finds the elements that are less than the desired value. `11` - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. `12` - LessThanOrEqual: finds the elements that are less than or equal to the desired value. 
`*`- Flexible: The `Flexible` operators transform the desired value according to the `FlexibleComparisonExpression` defined in the `EntityProperty` then search. The flexible operators are: `13` - FlexibleEqual `14` - FlexibleContain `15` - FlexibleStartWith `16` - FlexibleEndWith | +| Property1 optional | **Type** Int64 **Description** Defines the form control property to use to compare with `ComparisonOperator` using the defined `Operator`. Going from 1 to 5. | diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md new file mode 100644 index 0000000000..13713b6989 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md @@ -0,0 +1,6 @@ +# Workflows + +- #### [Aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +- #### [Forms](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md) +- #### [HomonymEntityLink](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +- #### [Workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) diff --git a/docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md 
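Review bot: In the Filter properties table of homonymentitylink/index.md, the `Property1` row says the form control property is compared "with `ComparisonOperator`", but no property of that name is defined anywhere in the table; the neighbouring rows call it `ComparisonProperty`, so this looks like a slip for `ComparisonProperty`. In the `ComparisonProperty1` row, "if it the same as the property" is missing "is". Each row ends with "Going from 1 to 5" without saying what ranges from 1 to 5; if it is the numeric suffix of the property name, state that once above the table instead of repeating the fragment in every row.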
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md new file mode 100644 index 0000000000..ab068dd6d4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md @@ -0,0 +1,44 @@ +# Create Menu Items + +After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the +Navigation to this Workflow. + +### Create menu items for a workflow in a resource entity list + +To add a link to an entity's workflow displayed under the search bar on the visualization page of +the entity's resource list you need to create a menu containing the different workflows and put a +link to the entity's searchBar as below. + +[See available icons](https://uifabricicons.azurewebsites.net/). + +The first MenuItem is the main action displayed on the right. + +The other MenuItems are displayed from left to right. + +``` + + + +``` + +This XML element gives the following result: + +![Add workflow link in resource list entity](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) + +### Create menu items for a workflow in a resource view + +In the resource view it is also possible to create links to different workflows. + +These workflows will manipulate the selected resource in the view. + +``` + + + +``` + +This XML element gives the following result: + +![Workflow in resource view](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) + +![All workflow in resource view*](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) 
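Review bot: The opening sentence of create-menu-items/index.md, "After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the Navigation to this Workflow.", has no subject and is hard to parse; something like "After creating a workflow, you must create the menu items that provide navigation to it" says the same thing. The headings in this file jump from `#` straight to `###` with no `##` level, and the alt text of the last image, "All workflow in resource view*", carries a stray asterisk. The "See available icons" link points to uifabricicons.azurewebsites.net, a host outside the docs site; confirm that this external reference is meant to stay in the migrated page.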
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md new file mode 100644 index 0000000000..20a726226d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md 
@@ -0,0 +1,60 @@ +# Customize Display Tables + +This part shows how to define a custom way to display entity types' data. + +[Read more about display tables](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md). + +## Table + +This display table with `DisplayTableDesignElement` set to `table` will display the list of +resources as a simple table filled with several columns. + +``` + + + +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable(Table)](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids +filter duplication. Thus, the `` property can be deleted in the `` argument. + +## Resource Table + +The property `DisplayTableDesignElement` set to `resourcetable` allows you to create a table similar +to the display table with `DisplayTableDesignElement` set to `table` but adds a column containing +the owner of the resource. + +``` + + + +``` + +Here is the visualization of this resource table on the interface: + +![ResourceTable](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) + +## Display Table with Tiles + +[Read more about tiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md). + +Instead of creating a table, it is possible to create tiles to give another rendering of the user +interface. It is therefore necessary to create the different tiles first. After creating the tiles, +they must be imported into the display table with `DisplayTableDesignElement` set to `list`. 
+ +If the display table uses tiles, then you can't use bindings. + +``` + + + +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable with Tiles](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md new file mode 100644 index 0000000000..b6b9757c8d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md 
@@ -0,0 +1,79 @@ +# Customize Forms + +This guide shows how to define a custom way to display the input fields to be filled in a given +workflow. + +[Read more about forms](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +## Create a View Template for Entities Using Scaffoldings + +Two scaffoldings generate the view, the display table and the rights to access the entity's +resources. + +- [View template](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md): + Creates the display table, the default view and access rights to the entity. +- [Entity template:](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + Creates the entity view (designElement = ResourceTable), the report and the rights for a given + profile. + +These scaffoldings are not enough to access resources. You must add a menu item to define the +navigation in the view in the user interface. + +## Create an Entity View + +To create the entity view, you must manipulate a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +The view form doesn't give access to the view in the interface or the rights to access the +interface. + +The following elements must be in place: + +- [MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [Entity accessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +To create the view, you can manipulate one or more forms. The example below shows how to create a +view from several different forms. 
This will allow you to reuse some forms in workflows. + +``` + +
+ +``` + +It is also possible to create only one form that contains all the information: + +``` + +
+ +``` + +### Create an Entity View Using Records + +Some entities may have entity records. To view the entity in question with all the records attached +to it, it is necessary to fill in forms that will load the record data as well as forms for the +parent entity. + +The view form doesn't give access to the view in the interface or the rights to access it. + +The following elements must be in place: + +- [MenuItem](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [Entity accessControl](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +In the example below, the view form will display all records. To change the filter on the record +display, you must change the +[record filter](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +``` + +
+ +``` + +The record filter not only changes the display options of the record, but also changes the display +of the rights associated with this record. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md new file mode 100644 index 0000000000..fdf12203ce --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md 
@@ -0,0 +1,51 @@ +# Customize Search Bars + +This guide shows how to define a custom way to search from a list of a given entity type's +properties. + +[Read more about searchbars](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md). + +## Default Search Bar + +To search on a resource list for an entity, you must enter a SearchBar tag for the given entity. + +``` + + + +``` + +Here is the visualization of this searchbar on the interface: + +![SearchBarWithoutFilters](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids +filter duplication. Thus, the `` property can be deleted in the `` argument +in the display table. + +## Create Default Filters + +To add a default filter, you must add both of the following properties to a +[criterion](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md): + +- DefaultValue +- Operator + +``` + + + +``` + +Here is the visualization of this criterion on the interface: + +![SearchBarFilter](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) + +## Search Bar Menu + +Each menu item is a link to an entity's workflow displayed under the search bar on the visualization +page of the entity's resource list. + +For more information, see +[Create Menu Item for Workflow in Resource Entity List](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md). 
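Review bot: In the "Search Bar Menu" section of custom-search-bar/index.md, the link text "Create Menu Item for Workflow in Resource Entity List" targets create-menu-items/index.md with no fragment, while the section it refers to is titled "Create menu items for a workflow in a resource entity list"; match the link text to that heading and add the section anchor so the reader lands on the right part of the page. The prose also alternates between "searchbar", "SearchBar" and "search bar" (for example "Read more about searchbars" under the title "Customize Search Bars"); pick one spelling for running text and keep `SearchBar` for the tag name only.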
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md new file mode 100644 index 0000000000..eb56263822 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md @@ -0,0 +1,15 @@ +# How-Tos + +These guides will help you configure various UI settings with practical step-by-step procedures. + +- #### [Import Product Translations into Usercube](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md) + Write the JSON file containing the translations of Usercube's components (buttons, etc.) and + deploy them.- #### + [Create Menu Items](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) + Create the menu items required to access the workflow in the UI.- #### + [Customize Display Tables](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) + Define a custom way to display entity types' data.- #### + [Customize Search Bars](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md) + Define a custom way to search from a list of a given entity type's properties.- #### + [Customize Forms](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md) + Define a custom way to display the input fields to be filled in a given workflow. diff --git a/docs/usercube/6.1/usercube/integration-guide/ui/how-tos/producttranslations/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md similarity index 100% rename from docs/usercube/6.1/usercube/integration-guide/ui/how-tos/producttranslations/index.md rename to docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md 
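Review bot: In how-tos/index.md, only the first entry starts its own list item. From "deploy them.- ####" onward, the "- ####" marker of each following entry is glued to the end of the previous description line, so the links to Create Menu Items, Customize Display Tables, Customize Search Bars and Customize Forms will not render as separate list items. Put each "- #### [title](link)" at the start of its own line, the way workflows/index.md does. The text also still says "Usercube" ("Import Product Translations into Usercube", "Usercube's components") inside a tree that this patch moves under identitymanager; confirm whether the product name should be updated in the same change.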
diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/ui/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/index.md new file mode 100644 index 0000000000..60114d78d4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/ui/index.md @@ -0,0 +1,3 @@ +# User Interface + +[See how to customize Usercube's User Interface](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md new file mode 100644 index 0000000000..8f9ea38676 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md 
@@ -0,0 +1,136 @@ +# Activity Templates + +This section describes the activities that constitute and model a +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md). +Each activity is assigned a template, made of states and transitions. + +## Overview + +Going through an activity means going through [states](#states) and [transitions](#transitions). + +![Activity Template - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp) + +By default, Usercube's workflow engine implements the following activity templates: + +- [`Action`](#action) +- [`ActionWithRefine`](#actionwithrefine) +- [`Review`](#review) +- [`ReviewWithFeedback`](#reviewwithfeedback) +- `ContinueWith` +- [`Persist`](#persist) +- [`PersistOnlyResources`](#persistonlyresources) + +## Activity Templates + +### Action + +Awaits user modifications without another user's intervention. + +![Activity Template - Action](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp) + +### ActionWithRefine + +Awaits user modifications with the possibility to delegate the action to another user. + +![Activity Template - ActionWithRefine](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp) + +The `ActionWithRefine` activity can be translated into the following form: + +![ActionWithRefine in the UI](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp) + +### Review + +Awaits user approval without another user's intervention. 
+ +![Activity Template - Review](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp) + +### ReviewWithFeedback + +Awaits user approval with the possiblity of getting feedback from another user before taking the +action. + +![Activity Template - ReviewWithFeedback](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp) + +The `ReviewWithFeedback` activity can be translated into the following form: + +![ReviewWithFeedback in the UI](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp) + +### Persist + +Saves the workflow's collected data to the repository and triggers dependent processes (i.e. +computation of the role model and provisioning). This activity has only the transition +`Persist-Invoked-Invoke` and the state `Persist-Invoked`. It has no user interaction, and hence no +need for permissions. + +### PersistOnlyResources + +Saves the workflow's collected data to the repository without triggering the dependent processes +(i.e. computation of the role model and provisioning). This activity has only the transition +`PersistOnlyResources-Invoked-Invoke` and the state `PersistOnlyResources-Invoked`. It has no user +interaction, and hence no need for permissions. + +> For example, `PersistOnlyResources` can be used in a workflow to add a new user, as we first +> create a user sheet but without any account, etc. 
+ +## States + +By default, Usercube's workflow engine implements the following state templates: + +- `Action-ActionPending` +- `Action-Executed` +- `Action-Aborted` +- `Action-Purged` +- `ActionWithRefine-ActionPending` +- `ActionWithRefine-Executed` +- `ActionWithRefine-RefinePending` +- `ActionWithRefine-Aborted` +- `ActionWithRefine-Purged` +- `Review-ReviewPending` +- `Review-Declined` +- `Review-Approved` +- `Review-Aborted` +- `Review-Purged` +- `ReviewWithFeedback-ReviewPending` +- `ReviewWithFeedback-Approved` +- `ReviewWithFeedback-Declined` +- `ReviewWithFeedback-RefinePending` +- `ReviewWithFeedback-Aborted` +- `ReviewWithFeedback-Purged` +- `ContinueWith-Invoked` +- `Persist-Invoked` +- `PersistOnlyResources-Invoked` + +## Transitions + +By default, Usercube's workflow engine implements the following transition templates: + +- `Action-ActionPending-Save` +- `Action-ActionPending-Execute` +- `Action-ActionPending-Abort` +- `Action-Aborted-Purge` +- `ActionWithRefine-ActionPending-Save` +- `ActionWithRefine-ActionPending-Execute` +- `ActionWithRefine-ActionPending-Delegate` +- `ActionWithRefine-ActionPending-Abort` +- `ActionWithRefine-RefinePending-Save` +- `ActionWithRefine-RefinePending-Delegate` +- `ActionWithRefine-RefinePending-Execute` +- `ActionWithRefine-RefinePending-Abort` +- `ActionWithRefine-Aborted-Purge` +- `Review-ReviewPending-Save` +- `Review-ReviewPending-Approve` +- `Review-ReviewPending-Decline` +- `Review-ReviewPending-Abort` +- `Review-Aborted-Purge` +- `ReviewWithFeedback-ReviewPending-Save` +- `ReviewWithFeedback-ReviewPending-Approve` +- `ReviewWithFeedback-ReviewPending-Decline` +- `ReviewWithFeedback-ReviewPending-Refine` +- `ReviewWithFeedback-ReviewPending-Abort` +- `ReviewWithFeedback-Aborted-Purge` +- `ReviewWithFeedback-RefinePending-Save` +- `ReviewWithFeedback-RefinePending-Delegate` +- `ReviewWithFeedback-RefinePending-Execute` +- `ContinueWith-Invoked-Invoke` +- `Persist-Invoked-Invoke` +- 
`PersistOnlyResources-Invoked-Invoke` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md new file mode 100644 index 0000000000..7610a089df --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md 
@@ -0,0 +1,150 @@ +# Configure a Homonym Detection + +In this section we configure the homonym search that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A +[homonym entity link](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym search to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the search for homonyms is performed +according to the homonym control form. See section below. + +### With customized filters + +[Homonym entity link filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +allow to define customized filters for a homonym search. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the search for homonyms is performed by comparing the +values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. 
When the input search value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the search for homonyms is performed by comparing the `LastName` value, +entered by the user in the workflow form, with the phonetic value of existing resources stored as +the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input search value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the search value is computed by + applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the search value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). + +The search for homonyms is performed by comparing the search values computed based on each filter +with the values stored in the database and retrieves all resources that match any of the filters. + +#### Filter on a language property + +If a filter is set on a language property, the search for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the search for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A +[display table](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +is used to define how a list of the same entity type should be displayed. 
+ +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +For more options, read +[how to configure display tables](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). + +## Define the Homonym Control in the Workflow Form + +The +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +where the homonyms are to be checked must contain a layout fieldset control where: + +- the properties to check are represented; +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. +Indeed, a filter can only be defined on up to 5 properties, see +[filter definition](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +``` +
+ + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/index.md new file mode 100644 index 0000000000..bb3dde1b67 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/index.md 
@@ -0,0 +1,48 @@ +# How To Create a Workflow + +This guide shows how to create a +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md) through the +XML configuration. + +## Process + +1. Declare a new + [workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) + with given activities following Usercube's + [activity templates](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md). +2. Configure the input + [form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) + with the right output type according to the purpose of the workflow. +3. Assign the adequate permissions via an + [access control rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). +4. Add + [menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). +5. Add + [aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md), + according to the purpose of the workflow. +6. Add optional elements if needed: + [summaries](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md); a + [homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md); + a + [display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) + different from Usercube's default one. 
+ +## Examples + +You can also find configuration examples for several types of workflow: + +- #### [For Resource Creation (Mono Record)](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md) + How to create a workflow to create a new resource with a unique record.- #### + [For Resource Creation (Multi Records)](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md) + How to create a workflow to create a new resource with several records.- #### + [For Resource Update (No Record)](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md) + How to create a workflow to update an existing simple resource, i.e. to update, within a given + existing resource, properties that do not involve records.- #### + [For Resource Update (Mono Record)](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md) + How to create a workflow to schedule the replacement of the unique record of an existing + resource with a new one.- #### + [For Resource Update (Multi Records)](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md) + Create a workflow to update an existing resource through its several records.- #### + [Configure a Homonym Detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) + How to configure the homonym search that checks if a resource already exists in the system, + preventing duplicates. diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md new file mode 100644 index 0000000000..61a76032b9 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md @@ -0,0 +1,206 @@ +# For Resource Creation (Mono Record) + +This section guides you through the procedure for the creation of a workflow to create a new +resource with a unique record. + +## Declare a Workflow + +This +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is made of four activities: + +1. [`ActionWithRefine`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#actionwithrefine): + sends the creation request with a possibility of delegation. +2. [`PersistOnlyResources`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persistonlyresources): + saves the collected data to the repository without triggering provisioning. +3. [`ReviewWithFeedback`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#reviewwithfeedback): + reviews the creation request with the possibility of getting feedback from another user. +4. [`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist): + saves the collected data and triggers provisioning. + +The example below creates a workflow to create a new worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +that defines the elements to display in the workflow. + +Here we create two structured forms: the preliminary one is called inside the main one, and the main +one is to be called in our final workflow form. + +``` + +Preliminary form for user data: +
+ +Preliminary form for user's contract data: + + +Preliminary form for user's position data: +
+ +Main form for all data: +
+ Section calling the preliminary form for user data: + + Section calling the preliminary form for contract data: + + Section calling the preliminary form for position data: + + +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with one record, +i.e. `WorkflowCreateRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc. +[see more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md)): + +``` + + + +``` + +A `WorkflowCreateRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container because we configure all personal data, +contracts and positions as +[records](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) +to be able to anticipate changes for example. The line with the empty `MainControl` is not +mandatory. + +- `RecordControl` that defines record data, and calls the form created previously. + +``` + + + + + +``` + +![UI Form](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp) + +### Add a summary (Optional) + +Another child element `RecordSummaryControl` can be added to insert a summary part, i.e. the form +used after the workflow execution to show some values, most of the time those affected by the +workflow, typically the properties editable in the workflow or generated properties. 
So in our +situation, it displays the `EmployeeId` and `Mail` attributes that the workflow just computed: + +``` + +Summary form: +
+ + + +``` + +![UI Summary](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about +[workflows' permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +must be defined to make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing +[menu items list](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md): + +``` + + ... + + +``` + +## Add Aspects + +For each workflow, it is possible to add +[aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md#aspects) +according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, read +[how to configure a homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md). 
+ +When using records, the homonym detection displays the list of records and not just the list of +users. + +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Usercube, read +[how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md new file mode 100644 index 0000000000..bf380e543f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md 
@@ -0,0 +1,220 @@ +# For Resource Creation (Multi Records) + +This section guides you through the procedure for the creation of a workflow to create a new +resource with several records. + +## Declare a Workflow + +This +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is made of four activities: + +1. [`ActionWithRefine`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#actionwithrefine): + sends the creation request with a possibility of delegation. +2. [`PersistOnlyResources`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persistonlyresources): + saves the collected data to the repository without triggering provisioning. +3. [`ReviewWithFeedback`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#reviewwithfeedback): + reviews the creation request with the possibility of getting feedback from another user. +4. [`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist): + saves the collected data and triggers provisioning. + +The example below creates a workflow to create a new helpdesk worker, with the possibility to create +several records at once for said worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +that defines the elements to display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form. + +``` + +First form for the user's identification data: +
+ +Second form for the user's data shared with all records: +
+ + Section for user's personal data, here their name and phone numbers: + + + Section for user's contract data, here their contract's type, start and end dates: + + +Third form for the user's data specific to each record individually, so here position information: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with several +records, i.e. `WorkflowCreateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc. +[see more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md)): + +``` + + + +``` + +A `WorkflowCreateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines the user's data that never changes so identification data, and calls + the firstform created previously; + +``` + + + + + +``` + +- `RecordControl` that defines the record data shared with all records, and calls the secondform + created previously; + +``` + + + + + +``` + +In a situation where users can have several positions but also several contracts, then contract data +would be part of the form called by `RecordUniqueItemControl` instead of `RecordControl`. + +In a situation where positions, contracts and personal data are all configured as +[records](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) +because we want to be able to anticipate changes for example, then there would not be any data +shared by all records. Then `RecordControl` would be empty. See the configuration example below this +note. + +> ``` +> +> ... +> +> ... +> +> +> ``` + +- `RecordUniqueItemControl` (optional but recommended) that defines the record data specific to each + record individually, and calls the thirdform created previously. 
+ +``` + + + + + +``` + +![UI Form](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about +[workflows' permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +must be defined to make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing +[menu items list](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md): + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add +[aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md#aspects) +according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, read +[how to configure a homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md). 
+ +When using records, the homonym detection displays the list of records and not just the list of +users. + +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Usercube, read +[how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). + +Below is an example of a display table for our situation: + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md new file mode 100644 index 0000000000..aa09e0af61 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md 
@@ -0,0 +1,138 @@ +# For Resource Update (Mono Record) + +This section guides you through the procedure for the creation of a workflow to schedule the +replacement of the unique record of an existing resource with a new one. + +## Declare a Workflow + +This +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is made of two activities: + +1. [`ActionWithRefine`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#actionwithrefine): + sends the resource's record update request with a possibility of delegation. +2. [`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist): + saves the collected data and triggers provisioning. + +The example below creates a workflow to update only the user's name. + +``` + + + +``` + +For now, our workflow works with an immediate validation and an immediate effect. + +## Create Forms + +The XML configuration below represents the creation of a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +that defines the elements to display in the workflow. + +Here we just have the full name field to update the corresponding attributes for a given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a (unique) record's replacement, i.e. +`WorkflowAddAndEndRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc. +[see more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md)): + +``` + + + +``` + +A `WorkflowAddAndEndRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines record data, and call the form created previously. + +``` + + + + + +``` + +![UI Form](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp) + +`End of transition` sets the date for the change of records scheduled by this form. + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about +[workflows' permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +must be defined to make the workflow accessible in the UI. 
+ +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing +[menu items list](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md): + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add +[aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md#aspects) +according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, read +[how to configure a homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md). + +When using records, the homonym detection displays the list of records and not just the list of +users. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Usercube, read +[how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md new file mode 100644 index 0000000000..14ad19a098 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md 
@@ -0,0 +1,183 @@ +# For Resource Update (Multi Records) + +This section guides you through the procedure for the creation of a workflow to update an existing +resource through its several records. + +## Declare a Workflow + +This +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is made of three activities: + +1. [`ActionWithRefine`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#actionwithrefine): + sends the resource's records update request with a possibility of delegation. +2. [`ReviewWithFeedback`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#reviewwithfeedback): + reviews the update request with the possibility of getting feedback from another user. +3. [`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist): + saves the collected data and triggers provisioning. + +The example below creates a workflow to update the records of an existing user: + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +that defines the elements to display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form: + +``` + +First form for the user's record data, shared with all records: +
+ +Second form for the user's record data, specific to each record individually: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update with several +records, i.e. `WorkflowUpdateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc. +[see more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md)): + +``` + + + +``` + +`WorkflowUpdateSeveralRecordEntityForm` displays a date picker for the end of transition, to +schedule the record replacement. + +A `WorkflowUpdateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines the record data shared with all records and calls the firstform + created previously; + +``` + + + + + +``` + +- `RecordUniqueItemControl` that defines the record data specific to each record individually, and + calls the secondform created previously; + +``` + + + + + +``` + +- `RecordSlaveControl` that copies an existing record to be the base, i.e. pre-fill the fields, for + the update of record data specific to each record individually. Thus it calls the same form as + `RecordUniqueItemControl`. + +``` + + + + + +``` + +- `RecordSlaveUniqueItemControl` that copies an existing record to be the base, i.e. pre-fill the + fields, for the update of record data shared with all records. Thus it calls the same form as + `RecordControl`. 
+ +``` + + + + + +``` + +The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it +copies part of the main record to pre-fill the fields of `RecordUniqueControl`. + +![UI Form](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about +[workflows' permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +must be defined to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing +[menu items list](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md): + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add +[aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md#aspects) +according to the workflow's purpose. 
+ +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, read +[how to configure a homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md). + +When using records, the homonym detection displays the list of records and not just the list of +users. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Usercube, read +[how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md new file mode 100644 index 0000000000..36e54af017 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md 
@@ -0,0 +1,130 @@ +# For Resource Update (No Record) + +This section guides you through the procedure for the creation of a workflow to update a simple +resource, i.e. to update, within a given resource, properties that do not involve records. + +## Declare a Workflow + +This +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is made of two activities: + +1. [`ActionWithRefine`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#actionwithrefine): + sends the resource's update request with a possibility of delegation. +2. [`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist): + saves the collected data and triggers provisioning. + +The example below creates a workflow to update only the user's `IsDraft` attribute. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +that defines the elements to display in the workflow. + +Here we just have one field called `IsDraft` to update the corresponding boolean attribute for a +given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update, i.e. +`WorkflowEditEntityForm` and it must specify the workflow's context (the entity type of the involved +resources, the main property, the activity when the form is called, etc. +[see more details](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md)): + +``` + + + +``` + +A `WorkflowEditEntityForm` requires one child element `MainControl` that defines the actual content +of the workflow's form and calls the form created previously: + +``` + + + + + +``` + +![UI Form](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp) + +### Add a summary (Optional) + +Another child element `SummaryControl` can be added to insert a summary part, i.e. the form used +after the workflow execution to show some values, most of the time those affected by the workflow, +typically the properties editable in the workflow or generated properties. So in our situation, it +displays the `IsDraft` attribute that the user just changed: + +``` + + + + + +``` + +![UI Summary](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about +[workflows' permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). 
+ +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +must be defined to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing +[menu items list](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md): + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add +[aspects](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md#aspects) +according to the workflow's purpose. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Usercube, read +[how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md new file mode 100644 index 0000000000..b6b436d7ea --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md 
@@ -0,0 +1,193 @@ +# Workflows + +In software business, a +[workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is a series of specific actions taken by specific people to accomplish specific tasks. For Usercube, +workflows are models of business workflows, processes or procedures. + +## Overview + +Workflows model business processes and update data within Usercube, they handle managed systems only +indirectly through Usercube. They are engaged in order to complete a task, assigning rights for +instance. It is a way of getting work done, a series of steps that are required to be completed +sequentially. Most of the time, Usercube's workflows are made for: + +1. manual entitlement requests = request / send notification(s) / approve / assign entitlement. +2. addition/update/deletion of resources (used in practice for identities) = create / give basic + entitlements / review / apply changes. + +Workflows are very configurable objects with many available options. However, the most efficient way +to use workflows in IGA is to keep them simple. Usercube's demo workflows constitute effective +examples. + +A workflow is made of several elements: + +- a series of [activities](#activities) that constitutes the workflow; +- a form that collects input data; +- [permissions](#permissions) required to realize the workflow's activities; +- [menu items](#menu-items) that make the workflow and its activities accessible; +- [aspects](#aspects) that allow specific actions to be performed; +- a summary(optional) of the workflow's results; +- a homonym detection(optional) that prevents duplicates in resources; +- a display table(optional) that replaces Usercube's default table displaying the data of the + created/modified resource. 
+ +### Technical principles + +- A workflow is linked to + one[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + and concerns only resources from said entity type. For example, a workflow can be linked to + `Directory_User` or `Directory_Department` according to the workflow's purpose, but not both + together. +- The aim of a workflow is to get input data (either a form or just an approval) from users involved + in the workflow, then build a change set, and finally apply said change set to the relevant + resource. +- Starting a workflow means starting its first activity. + +## Activities + +A workflow is made of successive activities, each of which is assigned an +[activity template](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md) +that defines how transitions occur from a workflow step to another. + +Activities never run in parallel in a workflow. Each activity can start once the previous one +reached its final state. + +## Forms + +Workflows use +[forms](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +to collect input data through the UI. + +A form is a set of fields, configured with +[controls](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). +A control can define a field to fill, a fields set, call an existing form, etc. depending on its +output type. To be displayed in the UI, and potentially filled by a given user with the appropriate +data, a form must have a type. + +Forms without a type can be created in order to be called in other forms with a type. It can be +useful to structure your forms, and to avoid rewriting a part of form that is needed in most forms +for example. + +### Form types + +Usercube provides a few form types. 
Each form type implies the necessity of specific controls as +child elements with specific purposes. + +The following table presents the required child controls required for each form type applicable to a +workflow's input form: + +- **M** for `MainControl`(required) groups resource data apart from record data; +- **Su** for `SummaryControl`(optional when no/mono record) sums up resource data, mostly computed + properties, after the workflow's execution; +- **R** for `RecordControl`(required when handling records) groups the record data shared with all + records; +- **RUI** for `RecordUniqueItemControl`(recommended when handling records) groups the record data + specific to each record individually; +- **RSUI** for `RecordSlaveUniqueItemControl`(optional when updating multi records) appoints an + existing record to be the base of the fields' pre-filling, before the update of the record data + shared with all records; +- **RS** for `RecordSlaveControl`(recommended when updating multi records) appoints an existing + record to be the base of the fields' pre-filling, before the update of the record data specific to + each record individually; +- **RSu** for `RecordSummaryControl`(optional when handling mono record) sums up record data, mostly + computed properties, after the workflow's execution. + +| Form Type | M | Su | R | RUI | RSUI | RS | RSu | +| ----------------------------------------- | ---- | ---- | ---- | ----- | ----- | ---- | ---- | +| Workflow**Create**EntityForm | Req. | Opt. | | | | | | +| Workflow**Edit**EntityForm | Req. | Opt. | | | | | | +| Workflow**UpdateRecord**EntityForm | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddRecord**EntityForm | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddAndEndRecord**EntityForm | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**CreateRecord**EntityForm | Req. | Opt. | Req. | | | | Opt. | +| Workflow**CreateSeveralRecord**EntityForm | Req. | | Req. | Reco. 
| | | | +| Workflow**UpdateSeveralRecord**EntityForm | Req. | | Req. | Reco. | Reco. | Opt. | | +| Workflow**UpdateRecord**Entit**ies**Form | Req. | Opt. | Req. | Reco. | | | Opt. | + +## Permissions + +For each workflow, some permissions must be assigned to specific +[profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +so that said profiles are entitled to realize the workflow's actions. + +While assigning the specific permissions of a workflow, it is necessary to assign the involved +profiles a few essential rights via the +[`WorkflowAccessControlRules`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) +scaffolding. + +A workflow needs a permission for each of all its activity states involving user interaction. This +means that, for example, the activities following the templates +[`Persist`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persist) +and +[`PersistOnlyResources`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#persistonlyresources) +do not require any permission. This also means that, in the example of the +[`Action`](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/activity-templates/index.md#action) +template, a workflow would need permissions for the states `ActionPending`, `Aborted` and `Purged` +(because deletion requires an authorization), but not for the state `Executed` that does not involve +user interaction or special authorization. + +All these permissions can be shared and distributed among several profiles, according to the purpose +of the workflow. 
+ +Usercube's permissions are assigned through +[access control rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and follow the naming rule: +`/Custom/workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`. + +> For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request/ActionPending"` +> gives the right to act from the state `ActionPending` (so save, execute, etc.), inside a +> previously created activity `Request`, inside the workflow `Directory_User_StartInternal`. + +A permission specifying the activity without the activity state gives the permissions for all +activity states in this activity. + +For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request"` +**Caution**: this way of writing permissions is unsafe in case of a modification in the activity. So +use it only for a "super admin" kind of profile if you are certain you want to give all rights. + +## Menu Items + +[Menu items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +make workflows accessible from the UI. + +Usercube's UI is configured so that workflows are accesible from: + +- the list of users accessible from the **Directory** section on the home page; + ![Workflow Menu Items - Users List](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +- the view page of a given user. In this case, the workflows manipulate the selected user. 
+ ![Workflow Menu Items - User's Page](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +## Aspects + +An +[aspect](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +definition allows an action to be performed at a specific point in a workflow. Usercube provides a +few +[aspect templates](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +that give the opportunity to delegate administration, to notify people of a request's progress and +to compute special values like unique logins or email addresses. + +## Summaries (Optional) + +A summary can be displayed at the end of a workflow to sum up the collected information. The +displayed data is configured through the `SummaryControl` or `RecordSummaryControl` introduced +previously. A summary is particularly useful for workflows that compute properties like the +`EmployeeId` or the email address. Thus calculated fields can be displayed after the workflow's +execution. + +## Homonym Detections (Optional) + +A homonym search checks if a resource already exists in the system before creating/modifying it, +preventing duplicates. It is configured through a +[homonym entity link](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +[Read how to configure a homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md). + +## Display Tables (Optional) + +Usercube provides a default +[display table](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +to show the created/modified resource's data, but you can configure your own. 
+ +[Read how to configure a display table](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflow-uses/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflow-uses/index.md new file mode 100644 index 0000000000..ef878881b4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflow-uses/index.md 
@@ -0,0 +1,67 @@ +# Workflow Uses + +An Usercube +[Workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +is the sequence of processes that a company has established to manage identities across the +organization. Workflows makes an approval business process more efficient by managing and tracking +all of the human tasks involved with the process and by providing a record of the process after it +is completed. + +The identity management +[Workflow](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +can be broken into four key areas: + +## 1. Onboarding + +The initial creation of the user. This can occur manually within the identity management system or +it could be triggered from an HR system. Here is the xml configuration to create the user onboarding +Workflow in Usercube : + +``` + + + +``` + +The _"User_Onboarding"_ Workflow is composed of the following activities: + +- _"Request"_ to initialize the creation of an user in Usercube. +- _"PersistDraft"_ to save a preliminary version of the user object. +- _"Review"_ to validate or not the requested item. +- _"Persist"_ to take into account the requested item. + +## 2. User Modifications + +After the initial setup of access, there are ongoing changes. Those changes can center in on a +user's rights. These rights may need to be expanded or contracted. The user's information may need +to be modified. Here is an example to create the user change name Workflow in Usercube : + +``` + + + +``` + +## 3. IT Resource Modifications + +The other area of on-going changes is the addition and removal of various IT resources. These +resources can include devices, applications, and networks. Here is the xml configuration to create +the resource modifications Workflow in Usercube : + +``` + + + +``` + +## 4. Offboarding + +The end of the identity lifecycle is the offboarding of a user. 
Credentials are terminated and the +user's account access is terminated everywhere. Here is the xml configuration to create the user +offboarding Workflow in Usercube : + +``` + + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflowhomonym/index.md b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflowhomonym/index.md new file mode 100644 index 0000000000..22bf0ab4a7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/workflowhomonym/index.md 
@@ -0,0 +1,186 @@ +# Workflow Homonym + +In this section we configure the homonym detection that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A +[homonym entity link](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym detection to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the detection for homonyms is performed +according to the homonym control form. See section below. + +### With customized filters + +[Homonym entity link filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +allow to define customized filters for a homonym detection. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the detection for homonyms is performed by comparing +the values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Filters on several entities + +A homonym entity link can contain filters on the properties from several distinct entity types. 
+ +> The following example searches for homonyms among usual workers (from `Directory_UserRecord`) but +> also the guests (from `Directory_Guest`): +> +> ``` +> +> Property1="LastName" +> Property2="FirstName" +> /> +> Property1="LastName" ComparisonProperty1="Directory_Guest:LastName" +> Property2="FirstName" ComparisonProperty2="Directory_Guest:FirstName" +> /> +> +> +> ``` + +In this case, a display table is required for the additional entity. See the section below. + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. When the input detection value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the detection for homonyms is performed by comparing the `LastName` +value, entered by the user in the workflow form, with the phonetic value of existing resources +stored as the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input detection value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the detection value is computed + by applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the detection value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). 
+ +The detection for homonyms is performed by comparing the detection values computed based on each +filter with the values stored in the database and retrieves all resources that match any of the +filters. + +#### Filter on a language property + +If a filter is set on a language property, the detection for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the detection for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A +[display table](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +is used to define how a list of the same entity type should be displayed. + +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +## Define the Homonym Control in the Workflow Form + +The +[form](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +where the homonyms are to be checked must contain a layout fieldset control where: + +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. +- the properties to check (defined in the homonym filters) are represented in the control bindings. +- the bindings are all represented in the homonym filters. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. 
+Indeed, a filter can only be defined on up to 5 properties, see +[filter definition](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +``` +
+ + +``` + +If a filter is declared with a `ComparisonProperty` attribute (and so without a `Property`), then +the properties used in the `Expression` (whether defined in the filter or elsewhere in the +configuration) to compute the `ComparisonProperty` must also be represented in the control bindings. + +In the example below, the properties used in the `Expression1` attribute that must be represented in +the control bindings are `LastName` and `FirstName`. + +``` + + +``` diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md new file mode 100644 index 0000000000..e628ebad5d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md 
@@ -0,0 +1,40 @@ +# Architecture + +Usercube is built to work via a specific architecture made of a server, an agent and a database. + +## Server, Agent and Database + +Usercube works via: + +- a server which operates computation, stores all applicative data in the database, and serves a web + User Interface; +- at least one agent which operates data flows to/from the managed systems. + + The managed systems' credentials are used only by the agent and are never disclosed to the + server. + +The agent can call the server, but the server cannot call the agent. The data flows' initiatives are +always from the agent. + +## Installation Types + +Usercube can be installed: + +- SaaS so that the server dwells in the cloud and is provided as a service; + + ![Architecture: SaaS](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +- on-premises so that the server is installed on an isolated network within the company. + + ![Architecture: On-Premises](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +## Next Steps + +Let's learn about +[Usercube's configuration](/docs/identitymanager/6.1/identitymanager/introduction-guide/configuration/index.md). + +## Learn More + +[Learn more on Usercube's architecture](/docs/identitymanager/6.1/identitymanager/integration-guide/architecture/index.md). + +[Learn more on network configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/configuration/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/configuration/index.md new file mode 100644 index 0000000000..94173c08b7 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/configuration/index.md 
@@ -0,0 +1,49 @@ +# Configuration + +There are several options for configuring Usercube. + +## Application Configuration + +### User Interface + +NETWRIX strongly recommends that Usercube be configured, as much as possible, via the UI. + +### XML files + +For advanced users, if the UI is not enough, Usercube can also be configured via XML files. These +XML files should be placed in a `Conf` folder directly inside the working directory. + +### Database + +Usercube's application configuration, whether it is made from the UI or the XML files, is stored in +a database which should never be modified manually. + +## Network Configuration + +Usercube's server and agent(s) are configured via JSON files, mainly `appsettings.json` and +`appsettings.agent.json`. + +## Next Steps + +This is the end of the introduction guide, so you should now be able to dive into: + +- the [User Guide](/docs/identitymanager/6.1/identitymanager/user-guide/index.md) to configure Usercube + from scratch via the UI, following the step-by-step procedures; +- the [Integration Guide](/docs/identitymanager/6.1/identitymanager/integration-guide/index.md) to + complete Usercube's configuration in XML according to your needs; +- the [Installation Guide](/docs/identitymanager/6.1/identitymanager/installation-guide/index.md) to + install Usercube in a production environment. + +## Learn More + +[Learn more on the working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md). + +[See how to configure Usercube from scratch via the UI](/docs/identitymanager/6.1/identitymanager/user-guide/index.md). + +[See how to export the UI configuration to XML files](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md). + +[See how to (re)deploy the XML configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md). 
+ +[Learn more about the XML configuration schema](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/index.md). + +[Learn more about network configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md new file mode 100644 index 0000000000..fa022e4d2c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md @@ -0,0 +1,25 @@ +# Introduction Guide + +This guide is designed to give a complete overview of Usercube's principles, main objectives and +capabilities. + +NETWRIX strongly recommends starting here to fully benefit from the +[Integration Guide](/docs/identitymanager/6.1/identitymanager/integration-guide/index.md)'s or the +[User Guide](/docs/identitymanager/6.1/identitymanager/user-guide/index.md)'s contents. + +## Target Audience + +This guide is meant to be read by: + +- integrators who configure Usercube to match their projects' needs; +- IGA project managers who want to get a better understanding of Usercube. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and Identity Governance and Administration +(IGA) is required to understand this guide. + +## First Steps + +Let's dive in with an +[overview of IGA and Usercube](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/index.md). diff --git a/docs/usercube/6.1/usercube/introduction-guide/more-info/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/more-info/index.md similarity index 100% rename from docs/usercube/6.1/usercube/introduction-guide/more-info/index.md rename to docs/identitymanager/6.1/identitymanager/introduction-guide/more-info/index.md 
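Review bot: In the second paragraph of introduction-guide/index.md, the possessive is attached to the link markup ("[Integration Guide](...)'s or the [User Guide](...)'s contents"), so the page renders a link followed by a dangling 's. Reword it so the links stand alone, for example "to fully benefit from the contents of the Integration Guide or the User Guide". In configuration/index.md, the "Learn More" list also alternates between "Learn more on" and "Learn more about"; pick one form.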
diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md new file mode 100644 index 0000000000..3fa5226434 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md 
@@ -0,0 +1,186 @@ +# Entitlement Management + +Managing identities' entitlements requires managing entitlements and assigning them to identities. +This page is about the role model. + +## Role Model Overview + +A managed system's entitlements can have many forms. They authorize identities to access certain +data on a given system, or a physical location. + +> For example, entitlements in the Active Directory are usually group memberships. For example, to +> have administrator rights in the Iris application, a user must be part of the members of the group +> `SG_APP_IT/Development/Iris/Administrator`. + +Usercube is designed to help establish an exhaustive and reliable catalog of the entitlements +available in the managed systems, and assign the right entitlements to the right users. + +![Role Catalog and Users](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp) + +Thus, the role model contains: + +- the entitlements, as roles, for all managed systems; +- the rules that trigger the assignment of entitlements to identities, and more broadly manage the + systems' resources. Some of them act as link between Usercube's roles and the systems' accounts + and permissions. Some of them are linked to, and thus apply only to, specific resource types. + +![Role Model](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp) + +The role model is a subset of a policy that also includes +[governance](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md) +data such as risk definition. So, at a higher level, distinct policies can be used to implement +distinct behaviors. + +## A Role Catalog + +Usercube intends to represent IGA-related access right mechanisms by a +[role-based](https://en.wikipedia.org/wiki/Role-based_access_control) model. 
The goal of the role +catalog is contain an exhaustive list of entitlements from all managed systems. + +Entitlements from the managed systems are modeled by roles. For each entitlement, NETWRIX advises +creating a single role, with an easily understandable name, more functional than technical, so that +everyone knows what the role is for. + +![Single Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +Each individual entitlement should usually be modeled by a single role, and single roles can be +grouped together into composite roles to be closer to real job positions. + +![Composite Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp) + +## A Rule Set + +Roles alone are not enough to give identities the systems' technical entitlements. We need rules to +have Usercube write users' entitlements in the managed systems. Rules are further used to +automatically assign roles to users, or to categorize users and accounts, etc. + +### Provisioning rules + +Just like identities, accounts are represented in Usercube by an +[entity-relationship model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md). +So Usercube manages entitlements as resources' attribute values. + +> For example, giving specific Active Directory permissions to a new user means not only creating a +> new AD account, but also setting values for certain account properties like `cn`, +> `sAMaccountName`, `userAccountControl` or `dn`, etc. + +Provisioning rules write the actual entitlements to the managed systems, most often based on users' +roles. + +> For example, to give an AD entitlement to a user, we usually need to give them a group membership. 
+> Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the +> member list of a specific AD group. + +![Provisioning Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp) + +Even when a role is manually assigned, provisioning rules will determine which account (and +permission groups) are given as entitlements. + +Usercube's provisioning rules are: + +- scalar rules to compute simple string properties; +- navigation rules and query rules to compute properties that act as foreign keys in a database; +- resource type rules to automatically create resources. + +### Assignment rules + +While the role catalog and provisioning rules are together enough to manually give users their +access rights, we often want Usercube to do this automatically. Assignment rules automatically +assign roles to identities based on specific criteria. + +> For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title +> is benefits manager and whose location is in France. + +![Assignment Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp) + +Once all assignment rules are created, Usercube is able to spot existing assignments that are not +supported by any rule, marking them as non-conforming. +[See more details on governance](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md). + +Usercube's assignment rules are: + +- single role rules and composite role rules to assign single and composite roles; +- resource type rules to assign accounts. + +### Categorization rules + +Different resources can be managed through different rules, by being part of different resource +types. So a resource type is a group a resources that have the same IGA-related purposes. 
+Categorization rules categorize resources into resource types and link identities to the accounts +they own. + +> For example, we might need to differentiate AD's standard accounts from administration accounts. +> This way, we can configure different email addresses for privileged accounts, for example +> [adm.john.smith@contoso.com](mailto:adm.john.smith@contoso.com). We can also add more approval +> steps in the workflows related to privileged accounts, for more security than for standard +> accounts. + +![Categorization Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp) + +Usercube's categorization rules are: + +- correlation rules to link identities to the accounts they own; +- classification rules to categorize resources into resource types. + +### More rules + +Usercube provides more kinds of rules for optimization purposes, for example role naming conventions +to help build the role catalog by generating roles and navigation rules based on the entitlements' +names, or automation rules to help with governance by automating the review of the assignments that +do not comply with the configured rules. + +### Dimensions + +Rules can be triggered based on users' assigned roles, but also based on user data. + +The +[identity model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md) +can be refined by configuring dimensions: criteria from among resources' +[attributes](https://en.wikipedia.org/wiki/Attribute-based_access_control) that will trigger the +application of the rules. Then Usercube applies the rule for any resource whose value for a given +attribute matches the reference value specified in the rule. + +> For example, a user can be assigned the role `Benefits Manager - FR` only if their job title is +> benefits manager and their location is in France. 
In this case, users' attributes "job title" and +> "location" are the dimensions that trigger the assignment rule. + +In a nutshell, dimensions determine who should be assigned the entitlements. + +Usercube's name and logo are based on this dimension concept: entitlement assignment is governed by +users' attributes defined as dimensions. Let's schematize users around these dimensions: + +- The schema for this with one dimension would be a line with all available values for the + dimension, and identities are distributed along the line. +- The schema with two dimensions would be a table, a square. +- The schema with three dimensions would be a 3D cube. And you can imagine 4D or 5D hypercubes, etc. + +![Dimensions - 1D](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp) + +#### 1D + +![Dimensions - 2D](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp) + +#### 2D + +![Dimensions - 3D](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp) + +## Next Steps + +Let's learn about +[governance](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md). + +## Learn More + +[Learn more on the role model](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md). + +[Learn how to build the single role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +[Learn more on composite roles](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md). + +[Learn more on role assignment](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/index.md). 
+ +[Learn more on provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +[Learn more on assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md). + +[Learn more on resource categorization rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md new file mode 100644 index 0000000000..1ffc0c6b7e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md 
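Review bot: Two sentences in entitlement-management/index.md have dropped or wrong words: under "A Role Catalog", "The goal of the role catalog is contain an exhaustive list" needs "is to contain", and under "Categorization rules", "a resource type is a group a resources" should read "a group of resources". In the "Dimensions" section, the "#### 1D" and "#### 2D" headings come after the images they label and the 3D image has no heading at all. Either place each heading before its image and add the missing "#### 3D", or drop the headings and rely on the alt text.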
@@ -0,0 +1,41 @@ +# Governance + +Usercube not only gives the right entitlements to the right identities, but also makes sure that, +over time, every assignment still complies with the configured policy. + +## Enforcing the Policy + +By reading entitlement data from the managed systems, Usercube builds an exhaustive list of existing +assignments for all identities in all managed systems. + +Rules and roles define a policy. By definition, assignments not supported by a rule do not comply +with the policy. These assignments are identified as non-conforming in order to be acted upon by +knowledgeable users who can decide whether the assignment is warranted, such as security officers. + +![Non-Conforming Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Usercube by a knowledgeable user, and is therefore: + +- either removed if Usercube correctly spotted it and the owner should indeed not possess this + permission; +- or kept as an exception if the configured rules do not apply to this particular case. + +## Other Governance Tools + +Usercube provides a set of governance tools to help enforce the policy, like access certification +campaigns, risk management or reporting. + +## Next Steps + +Let's read some +[use case stories](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/use-cases/index.md). + +## Learn More + +[Learn more on governance](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/index.md). + +[Learn more on reporting](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). + +[Learn more on access certification](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md). 
+ +[Learn more on risk management](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md new file mode 100644 index 0000000000..5318c34d33 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md 
@@ -0,0 +1,132 @@ +# Identity Management + +Managing identities' entitlements requires starting by managing identities themselves. + +## A Central Repository + +A company involves many sorts of identities: obviously employees, but also external workers like +contractors who are usually not tracked in the company's systems except for billing purposes, bots, +softwares, etc. All identity types that need to be assigned entitlements to work within the company +must be represented. + +Companies often use about one system for each identity type. Usercube capitalizes on information +from several source systems in order to build a central repository meant to contain all the data +necessary to manage all identities throughout their whole lifecycle. + +![Usercube's Repository](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp) + +Usercube's central repository acts as an intermediary between the systems that provide data, for +example the HR system, and those that receive data, for example the Active Directory. This greatly +reduces the complexity in the links between all systems. + +Without an intermediary, adding one system to a set of n systems requires up to n sets of rules, one +for each reading/writing relationship that this system has with the others. The complexity is +quadratic. + +Now with the central repository as an intermediary, implementing a new system requires only one more +set of rules. The complexity becomes linear. 
+ +![identities_complexityquadratic](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/identity-management/identities_complexityquadratic.webp) + +#### Quadratic Complexity + +![identities_complexitylinear](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/identity-management/identities_complexitylinear.webp) + +#### Linear Complexity + +## An Entity Relationship Model + +Identities, along with any IGA-related data, are modeled in Usercube by an +[entity-relationship model](https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model?featherlight=true). + +All this data is organized and modeled by entities. This concept is quite similar to a database: an +entity is a set of properties, some are scalar so "simple" properties, and others are navigation +properties which make links between entities, quite like foreign keys in a database. + +> For example, consider an entity `Directory_User` with properties like `Name`, `Email`, `JobTitle`, +> `Department`. +> +> Another entity could be `Directory_Department`, linked to `Directory_User` through a navigation +> property. +> +> Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The +> accounts from `SAB_User` could be related to groups from another entity `SAB_Group`. + +![Entity Type - Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +These entities' instances are called resources in Usercube. A resource can be the digital identity +of a user (human or bot), or an AD account or any other account, or an entry from the HR system, or +the representation of a department of the company, etc. + +> Consider once more the `Directory_User` entity with properties like `Name`, `Email`, `JobTitle`, +> `Department`. 
Then a resource could be the digital identity of an employee whose name is John +> Smith, with the email address [john.smith@contoso.com](mailto:john.smith@contoso.com) and working +> as an assistant manager in the accounting department. + +While Usercube provides a predefined model that should fit most organizations, it can still be +adjusted to your exact needs. Thus, Usercube provides a customizable model to organize a company's +data according to its IGA-related needs, which is also most reliable because it is kept up-to-date. + +## Connectors + +Each entity is related to a managed system, for example the Active Directory or SAB or ServiceNow, +etc. The reading/writing data between the system and Usercube are ensured by connectors. So Usercube +can be configured with one connector for each managed system. + +![Connector Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +For a given system, a connector contains: + +- the technology which enables data flows between the system and Usercube; +- the related entities which model the system's resources; +- the categories which group the system's resources together according to the rules that we want to + apply to manage entitlement assignment for this system. + +Thus, a connector enables synchronization, i.e. Usercube reading from a managed system via an +[extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. + +![Synchronization](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +> A typical example is the synchronization of the HR system's data to retrieve employees' personal +> information. + +It also enables provisioning, i.e. Usercube writing to a managed system, but that is something we +will dig into +[later](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md). 
+ +![Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +## Repository Updates + +Once Usercube is configured, with not only connectors but also +[roles and rules, etc.](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +(which constitute a different topic), changes can be made to the repository through: + +- synchronization, when changes were made in the managed systems and then synchronized, so copied, + to Usercube; +- manual input, mostly used for a few resources/properties that rarely change such as contractors' + identities; +- workflows which contain approval steps to complete before the changes are actually applied; +- the + [policy's rules](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) + that trigger changes to the repository directly, and those that trigger changes to managed systems + and impact the repository indirectly after the next synchronization. + +## Next Steps + +Let's learn about +[entitlement management](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +## Learn More + +[Learn more on identity management](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md). + +[See how to create the workforce repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md). + +[Learn more on connectors](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md). + +[See how to create a connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). + +[Learn more on synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md). + +[Learn more on workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). 
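Review bot: In identity-management/index.md, under "Connectors", the "later" link in "It also enables provisioning ... something we will dig into later" points to overview/governance/index.md, but the governance page added in this patch does not cover provisioning, while entitlement-management/index.md has the "Provisioning rules" section. Check whether the target should be the entitlement management page. Under "An Entity Relationship Model", the Wikipedia URL carries a "?featherlight=true" query string that looks like a leftover from a lightbox plugin and can be dropped. The "#### Quadratic Complexity" and "#### Linear Complexity" headings sit below their images and skip from "##" to "####"; plain captions or alt text would be cleaner. "softwares" in the first section should be "software".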
diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/index.md new file mode 100644 index 0000000000..a33d34fad4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/index.md 
@@ -0,0 +1,87 @@ +# IGA and Usercube + +Usercube is a powerful tool for Identity Governance and Administration (IGA) automation. + +## Identity Governance and Administration (IGA) + +Identity Governance and Administration (IGA) is a combination of Identity Access Management (IAM) +and Identity Access Governance (IAG). + +- IAM is about allowing the right identities to have the right permissions at the right time for the + right reasons. +- IAG is about providing visibility regarding identities, user access, and for monitoring + compliance. + +[See Gartner's documentation on IGA](https://www.gartner.com/en/documents/3885381). + +## Why Usercube + +We could explain Usercube's purpose like this: + +**Typically, Usercube manages entitlements automatically according to a user's needs, for example +Active Directory group memberships.** + +--- + +**First, we need to manage identities.** + +To do so, Usercube capitalizes on information from several source systems in order to build a +central repository. This repository should contain all the organizational data relevant for access +management for all users, meaning not only employees but also contractors, bots, or any kind of +identity. + +![Synchronization](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +**This implies involving external systems.** + +Access management requires reading/writing data to/from varied systems and applications, like the +Active Directory. Usercube provides an expanded set of connectors which contain the technology +required for IGA-related data flows. + +![Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_connectors.webp) + +[See more details on identity management and connection between systems](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md). 
+ +--- + +**Then, we need to manage entitlements, in other words access rights, or permissions.** + +Usercube helps you build a role catalog that lists all entitlements from all managed systems. The +technical entitlements can then associated with new, functional names that more clearly represent a +business-oriented view point. + +In addition, Usercube helps you determine identities' expected entitlements by building a role +model. This model contains different kinds of rules that will suggest entitlement assignments, or +even assign them directly, based on the imported organizational data. + +As each working environment has its own particularities, you will be able to refine the identity +model by defining dimensions, i.e. criteria from among organizational data that will trigger the +rules. + +![Calculation](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_calculation.webp) + +--- + +**Finally, we need to actually give identities their entitlements and then govern them.** + +Usercube can be configured to provision the managed systems in order to apply the changes dictated +by the role model. This provisioning can be done either directly, with automatic provisioning, or by +notifying system administrators of the needed changes. Thus, identities finally get their +entitlements. + +![Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +Furthermore, Usercube provides a few workflows for entitlement request or user data modification, +which often include approval from a third party, hence identities get their entitlements securely. + +[See more details on entitlement management](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). 
+ +Thanks to the role model and data flows between Usercube and the managed systems, Usercube ensures +the compliance of existing permission assignments with the policy, pointing out non-conforming +assignments. + +[See more details on governance](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/governance/index.md). + +## Examples + +[Find use case stories](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/use-cases/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/use-cases/index.md b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/use-cases/index.md new file mode 100644 index 0000000000..b273e65815 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/use-cases/index.md 
@@ -0,0 +1,59 @@ +# Use Case Stories + +Here is a basic use case story to explain how Usercube manages IGA. + +## Use Case + +Mr. James was just hired to join the Contoso company as a mechanical engineer. He will need access +to some of the company's most sensitive data, such as confidential blueprints, mechanical design +software licenses, and source files. + +### Identity management + +The central repository already exists, containing all workers, all departments, etc. + +Mr. James' manager uses one of Usercube's workflows to add Mr. James as a new employee, filling in +his first name, last name, job title ("Mechanical Engineer"), his contract type ("permanent") and +his start date. + +The rest of Mr. James' personal information, such as his birth date, etc., can be filled later by +someone from the HR department. + +### Entitlement management + +As Mr. James is not the first mechanical engineer in Contoso, Usercube already contains a composite +role named "R&D Mechanical Engineer". This role is meant to give its owners access to the company's +sensitive data useful for mechanical engineers. Assigning this role will trigger the assignment of +several single roles, each one giving one access right. + +Technically speaking, each access right is granted via a membership to a specific Active Directory +group. Thus Usercube also contains a navigation rule that gives this group membership to any user +owning this single role. + +In our example, each access right corresponds to an AD group membership, but it could be any +entitlement in any external system. + +For Mr. James to get the access rights that he needs, there are several options: + +- either Mr. James' manager manually assigns the "R&D Mechanical Engineer" role to him via a + workflow before his arrival, for example setting the start date to two weeks after Mr. 
James' + first day as he will be in training before then; +- or there may be an assignment rule that automatically assigns the role to any user with the job + title "Mechanical Engineer", so Mr. James will get the role on his first day. + +As the needed access rights involve the AD, Mr. James also needs to own an AD account which will be +linked to its identity in Usercube via correlation rules. + +Once the requests for the role and the account are approved, Usercube can connect to the Active +Directory and create Mr. James' account and add it to the proper groups, via provisioning rules. + +### Governance + +Once the role model is well underway, Usercube can compare existing access rights to expected access +rights. Thus, Usercube makes sure that Mr. James always has all the entitlements he needs in order +to work, but not more to prevent security breaches. + +## Next Steps + +Let's learn about +[Usercube's architecture](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/index.md new file mode 100644 index 0000000000..177aa361cd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/index.md 
@@ -0,0 +1,90 @@ +# 5.0.X to 5.1 + +## 1. Jobs + +For any information about Jobs or Tasks: + +- [Data model: Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md) +- [Execute Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) +- [information about all Tasks](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) +- [Information about Jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) + +#### a. Powershell + +In the old configuration, the Tasks needed to have an InstanceIdentifier (-i) to be launched. This +argument no longer exists today. + +**Old powershell:** + +``` + + & $exeSynchronizationJob -j AzureAD_Synchronization -i 'Synchronizing AzureAD' -s $sqlConnectionString -p $pathTempSynchronization -u $apiUri -a $jobSecret -c $jobClientId -t AzureAD + +``` + +**New powershell:** + +``` + + & $exeSynchronizationJob -j AzureAD_Synchronization -s $sqlConnectionString -p $pathTempSynchronization -u $apiUri -a $jobSecret -c $jobClientId -t AzureAD + +``` + +**Other change:** + +There are not openIdClient in all Synchronization. A new property is necessary to launch a +synchronization with a command: + +``` + + [Required] + "-o|--cacheFilePath ", "Specifies the cache file directory to reload provisioning cache." (SingleValue) + +``` + +There are not OpenIdclient for manualProvisioning. + +In FulfillLDAPTask, the property Port doesn't exist in 5.1. The Server property write with this rule +: "Host:Port" + +#### b. Configuration XML + +In old configuration the task was named Job. All Jobs in 5.0.X are called Tasks in 5.1. The +Executable "Usercube-Upgrade-ConfigurationVersion" writes correctly Job in Task and Use the +scaffolding type. But the migrated tasks are not configured. it's necessary to check all Tasks and +connectors too before importing configuration. 
+ +**old Task configuration:** + +``` + + + +``` + +**New Task configuration:** + +``` + + + +``` + +#### c. Api RunJob + +This API no longer exists in version 5.1. To launch a Task on the server side you must use either: + +- The automaton (by creating a Job and linking the Tasks you want to launch) +- The [RunTask API](/docs/identitymanager/6.1/identitymanager/integration-guide/api/server/job/index.md) + +#### d. Information system appsettings + +All the information of the information system is on this file: +[appsettings.ConnectionInformation.json](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). +To launch Tasks that need to connect to this system and that are launched with the automaton, you +must enter this information in this file. + +#### f. Encryption appsettings.ConnectionInformation.json + +All data from external systems is in a JSON that can be encrypted with an RSA key. Encrypt this with +[Usercube-Protect-X509JsonFile](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/newtaskconvention/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/newtaskconvention/index.md new file mode 100644 index 0000000000..b0895bd6bb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/newtaskconvention/index.md 
@@ -0,0 +1,43 @@ +# New Task Name Convention + +| Old Name | New Name | +| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Usercube.UpdateDirty | [Usercube-Set-RecentlyModifiedFlag](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) | +| Usercube.RBACMining | [Usercube-Get-RoleMining](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) | +| Usercube.Provisioner.Download | [Usercube-Fulfill-ToFile](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) | +| Usercube.Provisioner.LDAP.Job | [Usercube-Fulfill-LDAP](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) | +| Usercube.Provisioner.AzureAd | [Usercube-Fulfill-AzureAd](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) | +| Usercube.Provisioner.Manual.Job | Usercube-Update-FulfillmentSates | +| Usercube.Provisioner.Workflow | [Usercube-Fulfill-InternalWorkflows](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) | +| Usercube.Provisioner.Job | Usercube-Fulfill-InternalResources | +| Usercube.ProfileAssignment.Job | [Usercube-Set-InternalUserProfiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) | +| 
Usercube.PreExistingAssignment | [Usercube-Save-PreExistingAccessRights](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) | +| Usercube.OpenIdClient.Generator | [Usercube-New-OpenIDSecret](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) | +| Usercube.UpgradeXml | Usercube-Upgrade-ConfigurationVersion | +| Usercube.MigrateDatabase | Usercube-Upgrade-DatabaseVersion | +| Usercube.CreateResourceViews | [Usercube-Create-DatabaseViews](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) | +| Usercube.ApiCall | [Usercube-Invoke-API](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) | +| Usercube.Anonymizer | Usercube-Anonymize | +| Usercube.ResourceClassification | [Usercube-Update-Classification](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) | +| Usercube.EntityProperties.Expressions.Job | [Usercube-Update-EntityPropertyExpressions](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) | +| Usercube.Provisioning.Job | [Usercube-Generate-ProvisioningOrders](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) | +| Usercube.ProvisioningPolicy.Job | [Usercube-Compute-RoleModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) | +| Usercube.Synchronization.ADDirSync.Job | 
[Usercube-Synchronize-ActiveDirectory](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) | +| Usercube.Synchronization.Change.Job | [Usercube-Synchronize-Changes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) | +| Usercube.Synchronization.Job | [Usercube-Synchronize](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) | +| Usercube.Synchronization.Validation.Job | Usercube-Synchronize-Validation | +| Usercube.DirSyncCollector | [Usercube-Export-ActiveDirectory](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportActiveDirectoryTask/) | +| Usercube.Exports.AzureAD | [Usercube-Export-AzureAD](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportAzureADTask/) | +| Usercube.Exports.RACF | [Usercube-Export-RACF](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportRACFTask) | +| Usercube.Exports.SHAREPOINT | [Usercube-Export-SharePoint](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportSharePointTask/) | +| Usercube.Exports.TSS | [Usercube-Export-TSS](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportTSSTask) | +| Usercube.Client | Usercube-Server | +| Usercube.LdapCmd | [Usercube-Export-LDAP](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/ExportLDAPTask/) | +| Usercube.SqlCmd | 
[Usercube-Invoke-SqlCommandAgent](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/InvokeSqlCommandTask/) / [Usercube-Invoke-SqlCommandServer](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) | +| Usercube.Collectors.ADDirSync.Job | [Usercube-Prepare-SynchronizationActiveDirectory](https://extranet.usercube.com/5.1/5.1.7.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exports/preparesynchronizationtask/) | +| Usercube.Collectors.Change.Job | [Usercube-Prepare-SynchronizationChange](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) | +| Usercube.Collectors.Job | [Usercube-Prepare-Synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) | +| Usercube.Notification.Job | Usercube-Send-Notification | +| Usercube.Configuration import | Usercube-Deploy-Configuration | +| Usercube.Configuration export | Usercube-Export-Configuration | +| Usercube.Configuration generate | Usercube-Generate-Configuration | diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.0to5.1.1/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.0to5.1.1/index.md new file mode 100644 index 0000000000..a4ed2b88ac --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.0to5.1.1/index.md 
@@ -0,0 +1,160 @@ +# 5.1.0 to 5.1.1 + +## Migrate Server Settings + +#### TestUserStore And LocalLogin + +The sections `TestUserStore` and `AllowLocalLogin` are moved from IdentityServer to Authentication. + +Old Settings: + + ``` + +"IdentityServer": { "AllowLocalLogin": true, "TestUserStore": { "Enabled": "true", "Password": +"secret" } + +```` + + +New Settings: + + ``` + + "Authentication": { + "AllowLocalLogin": true, + "TestUserStore": { + "Enabled": "true", + "Password": "secret" + } + +```` + +#### External Loggin + +All ExternalLogin are modified and now use a list of elements: + +#### [WsFed](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) Authentication + +Old Settings: + + ``` + +"WsFederation": { "Enabled": "True", "MetadataAddress": +"https:///FederationMetadata/2007-06/FederationMetadata.xml", "Wtrealm": "https://localhost:44307/" +} + +```` + + +New Settings: + + ``` + + "WsFederation": { + "Enabled": "True", + "WsFederation1": { + "AuthenticationScheme": "WsFederation scheme 1", + "DisplayName": "Active Directory displayName", + "MetadataAddress": "https:///FederationMetadata/2007-06/FederationMetadata.xml", + "Wtrealm": "https://localhost:44307/" + } + } + +```` + +#### [OpenId](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) Authentication + +Old Settings: + + ``` + +"OpenId": { "Enabled": "True", "ClientId": "clientID", "ClientSecret": "secret", "Authority": +"https://login.microsoftonline.com/" } + +```` + + +New Settings: + + ``` + + "OpenId": { + "Enabled": "True", + "OpenId1": { + "AuthenticationScheme": "AzureAD", + "DisplayName": "Microsoft Entra ID Connection", + "ClientId": "clientID", + "ClientSecret": "secret", + "Authority": "https://login.microsoftonline.com/" + } + } + +```` + +#### [Active 
Directory](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) Authentication + +Old Settings: + + ``` + +"ActiveDirectoryUserStore": { "Enabled": true, "Server": "ServerUri", "Domain": "DomainName", +"Prefix": "Prefix", "Postfix": "Postfix" } + +```` + + +New Settings: + + ``` + +"ActiveDirectoryUserStore": { + "Enabled": true, + "Forest1": { + "Server": "ServerUri", + "Domain": "DomainName", + "Prefix": "Prefix", + "Postfix": "Postfix" + } + } + +```` + +#### [Optional Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) + +All working directories are optional in 5.1.1 + +## Agent Settings + +#### [Optional Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + +All working directories are optional in 5.1.1 + +## [Logger Settings](/docs/identitymanager/6.1/identitymanager/integration-guide/monitoring/index.md) + +In server/Agent and logger Setting the configuration are changes. + +Old Settings: + + ``` + +"Logging": { "IncludeScopes": false, "LogLevel": { "Default": "Error", "Usercube": "Information" }, +"Serilog": { "WriteTo": [ { "Name": "Console" } ] } } + +```` + + +New Settings: + + ``` + + "Serilog": { + "WriteToConsole": true, + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + } + } + +```` diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.1to5.1.7/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.1to5.1.7/index.md new file mode 100644 index 0000000000..6e0d683380 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.1to5.1.7/index.md 
@@ -0,0 +1,41 @@ +# Migration Guide + +### Migrating from 5.1.1 (or any newer version) to 5.1.7 + +Since version 5.1.1, migrating your Usercube installation to a newer version is as simple as +following these steps. + +These steps must absolutely be followed in the given order. + +1. Stop server +2. Rename the existing Runtime folder to + + `RuntimeOld` + +3. Install the new runtime from + + `Runtime_XXXX.zip` + +4. Migrate the database + + Example: + `./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;"` + +5. Migrate the + + `appSettings` + + Example: + `./identitymanager-Upgrade-Appsettings.exe --version 5.X.X --input-path "C:/identitymanagerDemo/RuntimeOld/" --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;"` + + where 5.X.X is the _MigrateFrom_ version + +6. Migrate the configuration + + Example: + `./identitymanager-Upgrade-ConfigurationVersion.exe --version 5.X.X --xml-path "C:/identitymanagerDemo/ConfOld/" --output "C:/identitymanagerDemo/Conf/"` + + where 5.X.X is the _MigrateFrom_ version + +7. Deploy-Configuration (optional) This allows new features to be taken into account, if relevant. +8. Start server diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.7to5.2.3/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.7to5.2.3/index.md new file mode 100644 index 0000000000..ea58e713f4 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.7to5.2.3/index.md 
@@ -0,0 +1,325 @@ +# Migration Guide + +### Migrating from 5.1.7 to 5.2.3 + +**IMPORTANT: BEFORE YOU BEGIN, PLEASE NOTE**: +The file paths in the appsettings.agent.json file must correspond with the file paths that are in +the version of the configuration that is currently loaded into the database in order to undertake a +migration. Additionally, if any files use relative paths, a warning will be displayed asking that +the `--runtime-path` argument be used. +If your installation has several agents, the "InformationSystems" section should be concatenated +into one appsettings.agent.json that is used when the instructions below indicate that the agent's +appsettings.agent.json should be copied into a new temporary folder. +The starting version for this migration must be a version 5.1.7.X. +CyberArk and Azure Key Vault integrations cannot be automatically migrated. +SAP and SharePoint connectors cannot be automatically migrated. + +In the following migration examples, `--version` always refers to the starting version. In this case +it will be 5.1.7. + +**Choose the set(s) of instructions that correspond to your installation type:** + +- Upgrade Server and Agent (Integrated Agent Installation) +- Upgrade Server Only (Remote Agent Installation) +- Upgrade Agent Only (Remote Agent Installation) + +## Upgrade Server and Agent (Integrated Agent Installation) + +1. Verify your starting version, if it's not already 5.1.7.X, please migrate to the most recent + 5.1.7 before proceeding. +2. Stop server +3. Backup and Install + + 1. Backup the database. + 2. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 3. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + +4. Migrate the database + + 1. Backup the existing database + 2. Create a temporary folder accessible by the Usercube server. Example: + `C:/identitymanagerExamplePath/AppSettingsFolder` + 3. 
Copy all the old appsettings (appsettings.agent.json, appsettings.encrypted.agent.json, + appsettings.json) and paste them into the newly created folder. + 4. Copy all the old appsettings (appsettings.agent.json, appsettings.encrypted.agent.json, + appsettings.json) and paste them into the new Runtime folder. + 5. Start the database upgrade utility: + Example 1: + + ``` + ./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" + ``` + + Example 2: + + ``` + ./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" --runtime-path C:/identitymanagerExampleAgent/Runtime + ``` + +5. Move File Locations + + 1. Optional: If you don't want to locate the Temp and Work folders in the default location + (example: C:/identitymanagerExamplePath"), add the following arguments to the original + appsettings.json file and update the two folder values with the desired locations instead of + the default values shown here: + - "TempFolderPath": `"_../Temp_"`, + - "WorkFolderPath": `"_../Work_"` + 2. Delete the folder C:/identitymanagerExamplePath/Temp/Collect + 3. Run the move files utility. + + If encryption is activated in your Usercube then add the settings corresponding to your + certificate (see Usercube-Encrypt-File + [generic arguments](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/encrypt-file/index.md)). 
+ + Example with encryption + deactivated:`./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent`Example with + certificate:`./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent --file-cert-file "certificateFile" --file-cert-password "certificatePassword"`or``` + ./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent --file-cert-thumbprint + "certificateThumbprint" --file-cert-store-location "certificateStoreLocation" + --file-cert-store-name "certificateStoreName" + + ``` + + ``` + +6. Prepare the appsettings migration + + 1. Start the Usercube _server_ with the new 5.2 version and the original appsettings files. + 2. Run the appsettings preparation tool to create a new files named "520.json" and "522.json" + inside the temporary appsettings folder which is output path. + Example 1: + + ``` + ./identitymanager-Prepare-UpgradeAppsettings.exe --version "5.1.7" --output-path "C:/identitymanagerExamplePath/AppSettingsFolder" + ``` + + or, if the database is available and/or the agent identifer is not the default value of + "Local", use a variation of + + Example 2: + + ``` + ./identitymanager-Prepare-UpgradeAppsettings.exe --version "5.1.7" --output-path "C:/identitymanagerExamplePath/AppSettingsFolder" --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --agent-identifier "Remote" + ``` + +7. Migrate the appsettings.agent.json + + 1. From the server's `Work` folder (by default it's located at the same level as the `Runtime` + folder) , copy the newly created `appsettings.connection.json` to the output path used in the + previous step. + 2. Migrate the `appSettings` agent file. + Example: + + ``` + ./identitymanager-Upgrade-Appsettings.exe --version "5.1.7" --input-path "C:/identitymanagerExamplePath/AppSettingsFolder/" --migrate-only-agent + ``` + + 3. The new appsettings files should now already be copied to the current Runtime folder. + +8. Restart the server +9. 
Optional: Migrate the configuration (This allows new features to be taken into account.) + + 1. Rename the Conf folder to create a backup, for example `ConfOld`. + 2. Make sure the temporary appsettings folder still has the old, pre-migration + appsettings.agent.json. + 3. Run the utility to migrate the configuration. + Example 1:`./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.7" --xml-path "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json"`Example + 2:``` ./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.7" --xml-path + "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" --appsettings-path + "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" --runtime-path + "C:/identitymanagerExamplePath/Runtime" + + ``` + + ``` + + 4. Optional: update the configuration version now that it has been migrated. **NOTE: Change + nothing else in the configuration except what is needed for the migration. The newly migrated + conf should be the functional equivalent of the one already in the database.** + 5. Execute these three delete queries in the database: + + ```sql + DELETE FROM UJ_TaskResourceTypes + DELETE FROM UJ_JobSteps + ``` + + 6. Deploy the configuration. Since the new configuration import tool is smarter: + - Errors may be shown indicating that xml attributes are unknown. This simply means that + they should be deleted from the xml tag because they are not used. + - Errors may be shown indicating that permissions do not exist. In most cases, this will be + because a state was added at the end of the permission that is no longer necessary. For + example: `/Custom/WorkflowsNotifications/Self_ChangeName/Review/Approved` should become + `/Custom/WorkflowsNotifications/Self_ChangeName/Review` + 7. Restart the server + 8. 
To use the new Connector pages, go to each connector and click `Refresh all schemas` + +## Upgrade Server Only (Remote Agent Installation) + +1. Verify your starting version, if it's not already 5.1.7.X, please migrate to the most recent + 5.1.7 before proceeding. +2. Stop server and remote agent(s) +3. Backup and Install + + 1. Backup the database. + 2. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 3. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + 4. Copy all the original appsettings\* files from `RuntimeOld` to the new `Runtime` + +4. Migrate the Database + + 1. Backup the existing database + 2. Obtain the appsettings.agent.json file from the agent + 3. Create a temporary folder accessible by the Usercube server. Example: + `C:/identitymanagerExamplePath/AppSettingsFolder` + 4. Copy the agent's appsettings.agent.json (and the appsettings.encrypted.agent.json if it + exists) to the newly created folder. + 5. Copy the server's old appsettings.json into the new Runtime folder. + 6. Start the database upgrade utility: + Example 1:`./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json"`Example + 2:``` ./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data + source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --appsettings-path + "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" --runtime-path + "C:/identitymanagerExampleAgent/Runtime" + + ``` + + ``` + +5. Move File Locations + + 1. 
Optional: If you don't want to locate the Temp and Work folders in the default location + (example: C:/identitymanagerExamplePath"), add the following arguments to the original + appsettings.json file and update the two folder values with the desired locations instead of + the default values shown here: + - "TempFolderPath": `"_../Temp_"`, + - "WorkFolderPath": `"_../Work_"` + 2. Delete the folder C:/identitymanagerExamplePath/Temp/Collect + 3. Run the move files utility. + + ``` + This case represents a Server Only migration so encryption settings are never required because encrypted agent files will not be migrated. + + ``` + + Example:``` ./identitymanager-Upgrade-Files.exe --version "5.1.7" + + ``` + + ``` + +6. Restart the server. +7. Restart the remote agent(s). +8. **Do not upgrade or deploy the configuration until the agent has also been upgraded.** + +## Upgrade Agent Only (Remote Agent Installation) + +This installation should be performed only after the server has been upgraded. + +1. Verify your starting version, if it's not already 5.1.7.X, please migrate to the most recent + 5.1.7 before proceeding. +2. Stop the agent. +3. Backup and Install + + 1. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 2. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + +4. Move File Locations + + 1. Optional: If you don't want to locate the Temp and Work folders in the default location + (example: C:/identitymanagerExamplePath"), add the following arguments to the original + appsettings.json file and update the two folder values with the desired locations instead of + the default values shown here: + - "TempFolderPath": `"_../Temp_"`, + - "WorkFolderPath": `"_../Work_"` + 2. Delete the folder C:/identitymanagerExamplePath/Temp/Collect + 3. Run the move files utility. 
+ + ``` + If encryption is activated in your Usercube then add the settings corresponding to your certificate (see Usercube-Encrypt-File [generic arguments](/integration-guide/executables/references/encrypt-file/index.html#generic-argument)). + + ``` + + Example with encryption + deactivated:`./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent`Example with + certificate:`./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent --file-cert-file "certificateFile" --file-cert-password "certificatePassword"`or``` + ./identitymanager-Upgrade-Files.exe --version "5.1.7" --migrate-agent --file-cert-thumbprint + "certificateThumbprint" --file-cert-store-location "certificateStoreLocation" + --file-cert-store-name "certificateStoreName" + + ``` + + ``` + + 4. Copy the file(s) "./tracked-accounts-`{system-identifier}`.csv" from the old Runtime (if they + exist) to the new `WorkFolderPath` location (the default is "../Work") + +5. Prepare appsettings migration + + 1. Create a new temporary folder for the appsettings files, for example `AppSettingsFolder` + 2. Copy all the appsettings files from the old (agent) runtime to the newly created folder and + to the new Runtime + 3. If you use IIS, copy the web.config from the old (agent) runtime to the new Runtime + 4. Start the server (with the new runtime) + 5. Run the appsettings preparation tool to create a new files named "520.json" and "522.json" + inside the output path. 
+ Example 1:``` ./identitymanager-Prepare-UpgradeAppsettings.exe --version "5.1.7" --output-path + "C:/identitymanagerExamplePath/AppSettingsFolder" + ````or, if the database is available and/or the agent identifier is not the default value of "Local", use a variation of + Example 2:``` + ./identitymanager-Prepare-UpgradeAppsettings.exe --version "5.1.7" --output-path "C:/identitymanagerExamplePath/AppSettingsFolder" --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;" --agent-identifier "Remote" + ```` + +6. Migrate the appsettings + + 1. From the `Work` folder (by default it's located at the same level as the `Runtime` folder) , + copy the `appsettings.connection.json` to the temporary appsettings folder. + 2. Migrate the `appSettings` agent file. + Example: + + ``` + ./identitymanager-Upgrade-Appsettings.exe --version "5.1.7" --input-path "C:/identitymanagerExamplePath/AppSettingsFolder/" --migrate-only-agent + ``` + + 3. The new appsettings files should now already be copied to the current Runtime folder. + +7. Restart the agent. +8. Optional: Migrate the configuration (This allows new features to be taken into account.) + + 1. Rename the Conf folder to create a backup, for example `ConfOld`. + 2. Make sure the temporary appsettings folder still has the old, pre-migration + appsettings.agent.json. + 3. Run the utility to migrate the configuration. 
Example 1: + + ``` + ./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.7" --xml-path "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" + ``` + + Example 2: + + ``` + ./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.7" --xml-path "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" --appsettings-path "C:/identitymanagerExamplePath/AppSettingsFolder/appsettings.agent.json" --runtime-path "C:/identitymanagerExampleAgent/Runtime" + ``` + + 4. Optional: update the configuration version now that it has been migrated. **NOTE: Change + nothing else in the configuration except what is needed for the migration. The newly migrated + conf should be the functional equivalent of the one already in the database.** + 5. Execute these three delete queries in the database: + + ```sql + DELETE FROM UJ_TaskEntityTypes + DELETE FROM UJ_TaskResourceTypes + DELETE FROM UJ_JobSteps + ``` + + 6. Deploy the configuration. Since the new configuration import tool is smarter: + + - Errors may be shown indicating that xml attributes are unknown. This simply means that + they should be deleted from the xml tag because they are not used. + - Errors may be shown indicating that permissions do not exist. In most cases, this will be + because a state was added at the end of the permission that is no longer necessary. For + example: `/Custom/WorkflowsNotifications/Self_ChangeName/Review/Approved` should become + `/Custom/WorkflowsNotifications/Self_ChangeName/Review` + + 7. Restart the server + 8. To use the new Connector pages, go to each connector and its connections and refresh each + schema 
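Review bot: In migration-guide/5.0.x-to-5.1/index.md, section "b. Configuration XML", both the "old Task configuration" and "New Task configuration" fences are empty, so the section shows no before/after for the Job-to-Task rename it describes; restore the XML snippets or drop the two fences. The sub-headings also run a, b, c, d, f with no e, and jump from "## 1. Jobs" straight to "####". Under "Other change", "There are not openIdClient in all Synchronization" is ambiguous (none of them, or not every one); reword it, and fix "The Server property write with this rule" so it states that the value is written as "Host:Port".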
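Review bot: In migration-guide/5.0.x-to-5.1/newtaskconvention/index.md, the rows for Usercube.DirSyncCollector, the four Usercube.Exports.* entries, Usercube.LdapCmd, Usercube.SqlCmd (agent link) and Usercube.Collectors.ADDirSync.Job link to https://extranet.usercube.com/5.1/5.1.7.7/Documentation/... while every other linked row uses a /docs/identitymanager/6.1/ path; point these at the in-repo 6.1 pages, or leave the names unlinked if no such page exists. Also check the new name in the Usercube.Provisioner.Manual.Job row, "Usercube-Update-FulfillmentSates", which looks like a misspelling of "FulfillmentStates".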
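Review bot: In migration-guide/5.1.0to5.1.1/index.md, every settings example opens with a three-backtick fence and closes with a four-backtick one, so the fences do not pair up, and the "Old Settings" JSON has been reflowed onto wrapped lines; use matching three-backtick fences and indent the old JSON the same way as the "New Settings" blocks. Both TestUserStore examples ("IdentityServer" and "Authentication") are missing their final closing brace, the heading "External Loggin" should read "External Login", and MetadataAddress appears as "https:///FederationMetadata/2007-06/FederationMetadata.xml" with no host, so add a placeholder host. In the Logger Settings section, "the configuration are changes" needs rewording.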
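Review bot: In migration-guide/5.1.1to5.1.7/index.md, step 4 runs identitymanager-Upgrade-DatabaseVersion.exe with no database backup step before it, although the 5.1.7 to 5.2.3 guide added in this same patch backs up the database first; add a backup step ahead of step 4. Step 6 reads from "C:/identitymanagerDemo/ConfOld/" but no step renames Conf to ConfOld, so add that rename as well. The page title "# Migration Guide" is identical to the title of the 5.1.7to5.2.3 page; a version-specific title would match the sibling pages "5.0.X to 5.1" and "5.1.0 to 5.1.1".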
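Review bot: In migration-guide/5.1.7to5.2.3/index.md, "Upgrade Server and Agent", step 9.5 says "Execute these three delete queries" but lists only DELETE FROM UJ_TaskResourceTypes and DELETE FROM UJ_JobSteps, while the same step in "Upgrade Agent Only" also lists DELETE FROM UJ_TaskEntityTypes; add the missing statement or correct the count. Several examples are glued to their labels with unbalanced backticks and followed by a stray empty fence (the Upgrade-Files examples in step 5.3, Upgrade-ConfigurationVersion "Example 2" in step 9.3, the Upgrade-DatabaseVersion and Upgrade-Files examples in "Upgrade Server Only", and the Prepare-UpgradeAppsettings examples in "Upgrade Agent Only"); give each command its own fenced block. In "Upgrade Agent Only", step 3.2 says to install the runtime "on the Usercube server machine", and the encryption note sits inside a code fence with a link to /integration-guide/executables/references/encrypt-file/index.html#generic-argument instead of the /docs/identitymanager/6.1/ path used in the first section.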
diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/5.2.xto6.0/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/5.2.xto6.0/index.md new file mode 100644 index 0000000000..a057c6055e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/5.2.xto6.0/index.md 
@@ -0,0 +1,191 @@ +# 5.2.X to 6.0 + +These instructions are for migrating from 5.2.1 (or higher) to version 6.0. If migrating from a +version older than 5.2.1, see the instructions at the bottom of this page. Note that the +configuration and the agent can be migrated independently of one another. + +In the following migration examples `--version` always refers to the _starting_ version. Make sure +to reference either 5.2.1, 5.2.2 or 5.2.3 as is appropriate. + +**Choose the set(s) of instructions that correspond to your installation type:** + +For SaaS environments, choose: + +- [Upgrade Agent Only](#upgrade-agent-only) + +For On Premises integrated environments, choose : + +- [Upgrade Server and Integrated Agent](#upgrade-server-and-integrated-agent) + +For On Premises separated/remote environments, the server should be upgraded before the agent. Use +the following instructions: + +- [Upgrade Server Only](#upgrade-server-only) +- [Upgrade Agent Only](#upgrade-agent-only) + +## Upgrade Server and Integrated Agent + +1. Install the new .NET 6.0 Framework hosting bundle from + [https://dotnet.microsoft.com/en-us/download/dotnet/6.0](https://dotnet.microsoft.com/en-us/download/dotnet/6.0). +2. Stop server +3. Backup and Install + + 1. Backup the database. + 2. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 3. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + 4. Copy all the original appsettings json files from `RuntimeOld` to the new `Runtime` + 5. In the appsettings.json file, at the end of the connection string add `;Encrypt=false` or + `;Encrypt=true` depending on the database configuration. + > For example: + > + > ``` + > + > "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + > + > ``` + +4. Migrate the database + + 1. Backup the existing database + 2. 
Start the database upgrade utility: + > For example: + > + > ``` + > + > ./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + > + > ``` + +5. Recompute all property expressions and correlation keys by using the + [`Update-EntityPropertyExpressions`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md) + and + [`Compute-CorrelationKeys`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md) + executables from the `Runtime` folder. + + > For example: + > + > ``` + > + > ./identitymanager-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + > ./identitymanager-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + > + > ``` + +6. Restart the server +7. Optional: Migrate the configuration (This allows new features to be taken into account.) + + 1. Make sure the XML configuration has already been imported to the database. If not, import the + configuration with the old Runtime into the database. + 2. Rename the Conf folder to create a backup, for example `ConfOld`. + 3. Run the utility to migrate the configuration. + > For example: + > + > ``` + > + > ./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.2.3" --xml-path "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" + > + > ``` + 4. Optional: update the configuration version now that it has been migrated. **NOTE: Change + nothing else in the configuration except what is needed for the migration. The newly migrated + conf should be the functional equivalent of the one already in the database.** + 5. 
Deploy the configuration, correcting any warnings or new errors (that appear because the + configuration import tool is smarter). + 6. Restart the server + +## Upgrade Server Only + +1. Install the new .NET 6.0 Framework hosting bundle from + [https://dotnet.microsoft.com/en-us/download/dotnet/6.0](https://dotnet.microsoft.com/en-us/download/dotnet/6.0). +2. Stop server and remote agent(s) +3. Backup and Install + + 1. Backup the database. + 2. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 3. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + 4. Copy all the original appsettings json files from `RuntimeOld` to the new `Runtime` + 5. In the appsettings.json file, at the end of the connection string add `;Encrypt=false` or + `;Encrypt=true` depending on the database configuration. + > For example: + > + > ``` + > + > "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + > + > ``` + +4. Migrate the Database + + 1. Backup the existing database + 2. Start the database upgrade utility: + > For example: + > + > ``` + > + > ./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + > + > ``` + +5. Recompute all property expressions and correlation keys by using the + [`Update-EntityPropertyExpressions`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md) + and + [`Compute-CorrelationKeys`](/docs/identitymanager/6.1/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md) + executables from the `Runtime` folder. 
+ + > For example: + > + > ``` + > + > ./identitymanager-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + > ./identitymanager-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + > + > ``` + +6. Restart the server. +7. Restart the remote agent(s). +8. **Do not upgrade or deploy the configuration until the agent has also been upgraded.** + +## Upgrade Agent Only + +This installation should be performed only after the server has been upgraded. + +1. Install the new .NET 6.0 Framework hosting bundle from + [https://dotnet.microsoft.com/en-us/download/dotnet/6.0](https://dotnet.microsoft.com/en-us/download/dotnet/6.0). +2. Stop the agent. +3. Backup and Install + + 1. Rename the Runtime folder to create a backup, for example `RuntimeOld` + 2. Install the new runtime from `Runtime_XXXX.zip` on the Usercube server machine + 3. Copy all the original appsettings json files from `RuntimeOld` to the new `Runtime` + +4. Restart the agent. +5. Optional: Migrate the configuration (This allows new features to be taken into account.) + + 1. Make sure the XML configuration has already been imported to the database. If not, import the + configuration with the old Runtime into the database. + 2. Rename the Conf folder to create a backup, for example `ConfOld`. + 3. Run the utility to migrate the configuration. + > For example: + > + > ``` + > + > ./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.2.3" --xml-path "C:/identitymanagerExamplePath/ConfOld/" --output "C:/identitymanagerExamplePath/Conf/" + > + > ``` + 4. Optional: update the configuration version now that it has been migrated. **NOTE: Change + nothing else in the configuration except what is needed for the migration. 
The newly migrated + conf should be the functional equivalent of the one already in the database.** + 5. Deploy the configuration, correcting any warnings or new errors (that appear because the + configuration import tool is smarter). + 6. Restart the server + +## Migrating from a version older than 5.2.1? + +Because of breaking changes introduced in 5.2.0, migration from older versions can't be handled by +the process described above. + +Please follow these guides to handle migrations from older versions. + +- [5.1.0 to 5.1.1](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.0to5.1.1/index.md) +- [5.0 to 5.1](/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/index.md) +- [5.1.1 to 5.1.7](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.1to5.1.7/index.md) +- [5.1.7 to 5.2.3](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.7to5.2.3/index.md) diff --git a/docs/identitymanager/6.1/identitymanager/migration-guide/index.md b/docs/identitymanager/6.1/identitymanager/migration-guide/index.md new file mode 100644 index 0000000000..c1efe2e926 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/migration-guide/index.md 
@@ -0,0 +1,42 @@ +# Migration Guide + +This guide is designed to provide step-by-step procedures in order to migrate Usercube from your +current version to the latest one. + +This page will guide you through a migration to a more recent version with no major changes. + +For example from 6.0.215 to 6.0.216. +For a migration between versions with major changes, check this guide's subsections. + +For example see the +[ 5.2.X to 6.0 ](/docs/identitymanager/6.1/identitymanager/migration-guide/5.2.xto6.0/index.md) topic +for additional information on migration. + +## Upgrade the Server Only for a Minor Migration + +In order to upgrade only the sever do the following: + +**Step 1 –** Download the new runtime from the expected version from +[Netwrix portal](https://extranet.usercube.com/). + +**Step 2 –** Stop the server. + +**Step 3 –** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`. + +![Extranet Artifacts](/img/versioned_docs/identitymanager_6.1/identitymanager/migration-guide/extranet_v601.webp) + +**Step 4 –** Extract the content of the new runtime to the same folder as `RuntimeOld`, inside a new +`Runtime` folder. + +**Step 5 –** Copy the original `appsettings.json` and `appsettings-agent.json` files from +`RuntimeOld` to the new `Runtime`. + +**Step 6 –** Restart the server. + +## Migrate from Older Versions + +- [5.2.X to 6.0](/docs/identitymanager/6.1/identitymanager/migration-guide/5.2.xto6.0/index.md) +- [5.1.7 to 5.2.3](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.7to5.2.3/index.md) +- [5.1.1 To 5.1.7](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.1to5.1.7/index.md) +- [5.1.0 to 5.1.1](/docs/identitymanager/6.1/identitymanager/migration-guide/5.1.0to5.1.1/index.md) +- [5.0.X to 5.1](/docs/identitymanager/6.1/identitymanager/migration-guide/5.0.x-to-5.1/index.md) 
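Review bot: In migration-guide/index.md, the "Extranet Artifacts" screenshot sits between Step 3 (rename `Runtime`) and Step 4 (extract), but by its name it belongs to the download in Step 1; move it up under Step 1 so it does not interrupt the rename/extract sequence. The section intro reads "In order to upgrade only the sever", which should be "server". The only backup in this procedure is renaming `Runtime`, whereas the 5.2.X to 6.0 guide added in this same patch backs up the database before touching the runtime; either add that step here or say why a minor migration does not need it. The link text `[ 5.2.X to 6.0 ]` also carries stray padding spaces.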
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md new file mode 100644 index 0000000000..40f4a8410d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md 
@@ -0,0 +1,113 @@ +# Execute a Certification Campaign + +How to execute access certification campaigns, i.e. review specific entitlement assignments and +deprovision inappropriate access. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Once certification campaigns are scheduled, the assigned reviewers must decide for all relevant +assignments if they ought to be deleted or not. + +## Participants and Artifacts + +The execution part should be performed in cooperation with the staff who review access in the +campaign scheduling. + The monitoring part should be performed in cooperation with the staff in charge of campaign +scheduling. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| [Scheduled certification campaign](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) (required) | Certified access | + +## Execute Certification + +Execute certification by proceeding as follows: + +1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home + page. + + ![Home - Access Certification](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp) + + On this page, all assignments to be reviewed are listed. + + ![Access Certification](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp) + + Each assignment can be commented by clicking on the corresponding icon. 
+ + ![Comment Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +2. Choose one of the three possibilities to verify all assignments one by one: + + In order to help reviewers in the decision-making process, each assignment shows a + recommendation icon, indicating whether said assignment complies with the role model. + + See the icons below this note. + + The Recommended icon indicates that the entitlement has been automatically granted according to + the security policy. You can approve it because it is compliant. + The Not Recommended icon indicates that the entitlement does not comply with the security + policy. It is recommended to refuse it, unless the user really needs it. + + An absence of any icon indicates that the entitlement does not comply with the security policy. + However, it has been manually granted or denied. Thus there is no recommendation, please review + this entitlement carefully. + + ![Recommendation Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg) + + ![Discouragement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg) + + - Either click on the approval icon to confirm that this entitlement is necessary for this + identity. + + ![Approval Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg) + + - Or click on the decline icon to confirm that this entitlement is not necessary for this + identity. 
+ + ![Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + + - Or click on the three dots icon to highlight that this entitlement is not part of your scope + of responsibility and forward it to the adequate person. + + ![Forward Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg) + +3. Click on **Confirm Decisions** on the left of the page. + + If you've made an erroneous decision, exiting the page before confirming offers the possibility + to quit without saving and start over from the last confirm. + +## Monitor a Certification Campaign + +Existing certification campaigns are listed on the page accessible via the **Access Certification +Campaigns** button on the home page in the **Administration** section. + +![Home - Access Certification Campaigns](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +![Campaigns Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp) + +### Get reports + +A **Download** button is available for each campaign. It downloads a CSV report that lists all the +entitlement assignments to be reviewed, the corresponding reviewers and their decisions. + +![Report Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp) + +### Send notifications + +The notification icon on the line of a given campaign offers the possibility to send reminder +notifications to the staff who has not finished processing the campaign. 
+ +### Generate provisioning orders + +Once entitlement assignments have been reviewed, the final step is to apply these decisions. + +An **Apply Decisions** button is available for each campaign. It shows all the decisions made in the +campaign. The campaign administrator can then decide to actually apply said decisions and generate +the appropriate provisioning orders for deprovisioning unjustified entitlements. Said orders will be +considered during the next provisioning job. + +![Apply Decisions](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md new file mode 100644 index 0000000000..1f2f9677f2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md 
@@ -0,0 +1,106 @@ +# Schedule a Certification Campaign + +How to create and schedule access certification campaigns, defining their scope. + +## Overview + +The aim of an access certification campaign is to review specific access and entitlements for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Here, you will learn how to create and schedule a certification campaign, defining its scope, via +the filters specifying the reviewers and items to be reviewed. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing because they +know what entitlements need to be reviewed. + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (optional) [Risks](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md) (optional) | Scheduled certification campaign(s) | + +## Create a Certification Campaign + +Create an access certification campaign by proceeding as follows: + +1. Click on **Access Certification Campaigns** in the **Administration** section on the home page. + + ![Home - Access Certification Campaigns](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +2. 
Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Certification Campaign](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp) + + - `Identifier`: must be unique among certification campaigns and without any whitespace. + - `Name`: will be displayed in the UI to identify the campaign. + - `Start Date`: date for the campaign beginning and display on the reviewers' **Access + Certification** screen. The access reviewed during the campaign are those existing at the + start date. Any change in the permissions after the start date won't be reviewed in the + campaign. + - `End Date`: date for the campaign deadline. + - `Target Entity Type`: entity type targeted by the campaign. + - `Target Reviewers`: set of identities in charge of the access review. Available target + reviewers are configured via + [certification policies](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md). + - `Target Specificities`: + [data filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) + that specify the campaign scope, i.e. the permissions to include by object type, category, + approval state, etc. A campaign is based on the union of all specificities. See the detailed + fields below. + + ![Target Specificities](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp) + + The certification campaign will target the permissions that meet the intersection (AND) of + all criteria. 
+ + When giving a list of role tags, the targeted roles will be those having at least one of the + tags (OR). + + - `Target Owners`: + [owner filters](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md) + on the dimensions of the identities that are subject to the certification campaign. A campaign + is based on the intersection of all filters. See the detailed fields below. + + ![Target Owner Filters](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp) + + According to the target entity type, additional filters can be available. + + ![Target Owner Additional Filters](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp) + + - `Individual Owner`: single identity whose accesses are to be certified by the campaign. + - `Active Target`: the identities to be certified will be those for which a given property + (here from `Directory_UserRecord`) was modified since a given date. + + Only properties that are not calculated by Usercube can be used here to filter the target owners of the certification campaign. + + > The following campaign creates certification orders aimed at all the assigned single + > roles of two specific users. + > + > ![Campaign Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp) + +3. Click on **Create** and see a line added on the campaigns page. + + ![Campaigns Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp) + +4. 
Apply the changes by clicking on **Launch**, thus running the + [access certification job](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md). + + This job's logs are accessible from the **Job Results** button. + + > For example: + > + > ![Execute Access Reviews Job](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp) + +## Impact of Modifications + +Any field of a certification campaign can be changed before its start date. Once a given +certification campaign has started, it is possible to modify only its name, identifier and end date. +It can be deleted at any time. + +## Verify Campaign Scheduling + +In order to verify the process, check on the **Access Certification Campaigns** page that the +created certification campaign has the right parameters. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md new file mode 100644 index 0000000000..34dc630fb1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md 
@@ -0,0 +1,40 @@ +# Perform Access Certification + +How to certify existing access by reviewing a specific range of assigned permissions for auditing +purposes. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- a certain category of roles; +- a certain type of assignment; +- assignments not certified since a certain date; +- assignments presenting a certain level of + [risk](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md). + +Certification campaigns can be +[configured with XML](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/accesscertification/index.md) +but the UI described in this guide can be enough on its own. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing because they +know which entitlements need to be reviewed. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (optional) [Risks](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md) (optional) | Certified access | + +## Perform Access Certification + +Perform access certification by proceeding as follows: + +1. [Schedule a certification campaign](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md). +2. [Execute a certification campaign](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/index.md new file mode 100644 index 0000000000..c74cc32b1f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/index.md 
@@ -0,0 +1,51 @@ +# Administrate + +- #### [Generate Reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + + How to use Usercube's reporting modules to produce IGA reports for auditing and governance + purposes. + +- #### [Review Orphaned and Unused Accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + + How to remediate license and security issues caused by orphaned and/or unused accounts. + +- #### [Provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + + How to write to a managed system + +- #### [Review Provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + How to review provisioning orders before generation.- #### + [Provision Manually](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) + How to use Usercube to manually write to the managed systems.- #### + [Provision Automatically](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md) + How to make Usercube automatically write to the managed systems. +- #### [Review Non-conforming Assignments](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) + + How to review non-conforming assignments, i.e. approve or decline the suggestions made by + Usercube after every synchronization. The aim is to handle the differences between the values + from the managed systems and those computed by Usercube's role model. + +- #### [Reconcile a Role](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + How to review non-conforming permissions, i.e. approve or decline the role suggestions made by + Usercube after every synchronization. 
The aim is to handle the differences between the + navigation values from the managed systems and those computed by Usercube according to the role + catalog.- #### + [Reconcile a Property](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + How to review unreconciled properties. The aim is to handle the differences between the property + values from the managed systems and those computed by Usercube according to provisioning + rules.- #### + [Review an Unauthorized Account](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) + How to remediate unauthorized accounts. The aim is to review the accounts whose assignments + don't comply with the rules of the role model. +- #### [Perform Access Certification](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md) + + How to certify existing access by reviewing a specific range of assigned permissions for + auditing purposes. + +- #### [Schedule a Certification Campaign](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) + How to create and schedule access certification campaigns, defining their scope.- #### + [Execute a Certification Campaign](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md) + How to execute access certification campaigns, i.e. review specific entitlement assignments and + deprovision inappropriate access. +- #### [Request Entitlement Assignment](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + How to send a manual request to add, update or remove an entitlement for an identity. 
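Review bot: In user-guide/administrate/index.md, the child entries under Provision, Review Non-conforming Assignments and Perform Access Certification are fused onto the preceding description: lines end in `generation.- ####`, `systems.- ####`, `catalog.- ####`, `rules.- ####` and `scope.- ####`, so the link that follows is not rendered as its own list item. Put each child entry on its own `- ####` line (indented if it is meant to nest under its parent) with a blank line before its description, as the top-level entries have. "How to write to a managed system" is also missing its final period.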
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md new file mode 100644 index 0000000000..225ca8eaa0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md 
@@ -0,0 +1,82 @@ +# Request Entitlement Assignment + +How to send a manual request to add, update or remove an entitlement for an identity. + +## Overview + +Changes in an identity's entitlements can be handled using Usercube's predefined workflows to: + +- view the list of the identity's entitlements, with Usercube's suggestions according to the + identity's position; +- modify the identity's entitlements (add, update, remove). + +## Participants and Artifacts + +An assignment can be requested for a user sometimes by said user themselves, most often by their +manager, and on some occasions by the involved application owner. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Updated entitlements | + +## View Identity's Entitlements + +View the identity's entitlements by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be checked. + + ![Workflow - User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **View Permissions** to access the entitlement list. 
+ + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +## Modify Identity's Entitlements + +Act on an existing identity by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement + request. + + ![Workflow - Modify Permissions](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions to select entitlements and the action to be performed. You + can: + + - select entitlements to add; + - modify the potential options of the entitlements you are adding; + - delete entitlements which were assigned or declined manually; + - deny entitlements which were assigned automatically; + - allow denied entitlements by assigning them back manually. + + If the request is about assigning an entitlement via a role which requires at least one + approval, then sending the request triggers the display of said request on the **Role Review** + screen. + + ```` + Home Page - Role Review + + ```In this case, the requested entitlement will be displayed in the user's \*\*View Permissions\*\* tab only after the request is reviewed. + ```` + +## Verify Entitlement Request + +In order to verify the process, check that the change you made in the user's entitlements is +displayed in their **View Permissions** tab in the directory. 
+ +![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md new file mode 100644 index 0000000000..b07917c23a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md 
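Review bot: In step 4 of "Modify Identity's Entitlements" in manual-assignment-request/index.md, the block opened with four backticks puts the line `Home Page - Role Review` and the sentence beginning "In this case, the requested entitlement will be displayed..." inside a code fence, with a stray three-backtick fence fused to the sentence and the bold escaped as `\*\*View Permissions\*\*`. Rendered as code, the reader loses the one statement on this page that an entitlement requested through a role requiring approval only shows up in **View Permissions** after the request is reviewed. Suggest removing both fences, restoring the Role Review screenshot as an image link like the others in this list (its path is not visible in this hunk), and keeping the sentence as ordinary indented text under step 4 with unescaped bold.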
@@ -0,0 +1,67 @@ +# Review Non-conforming Assignments + +How to review non-conforming assignments, i.e. approve or decline the suggestions made by Usercube +after every synchronization. The aim is to handle the differences between the values from the +managed systems and those computed by Usercube's role model. + +## Overview + +Integrators must review three main types of non-conforming entitlement assignments: + +- Non-conforming roles: Usercube finds roles assigned to users in the managed systems that no rule + in the role model can justify. +- Unreconciled properties: Usercube's role model computes property values that are different from + the values in the managed systems. +- Unauthorized accounts: no rule from the role model can justify their actual assignment to an + identity. + +Unreconciled properties, unauthorized accounts and non-conforming roles are part of +[non-conforming assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md). +The global aim of the review is to handle the gaps between the +[existing assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md) +(real values) and the +[conforming assignments](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +(theoretical values computed by Usercube from the role model rules). + +A high number of non-conforming assignments can come from an issue in configuration rules. + +Non-conforming roles and unauthorized accounts can be mass reviewed through +[automation rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md). 
+ +# Participants and Artifacts + +This operation should be performed in cooperation with application owners who are in charge of +applications' entitlements (technical side), and/or managers who know their team's entitlements +(functional side). + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------- | --------------------- | +| [Provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying assignments | + +### Pre-existing assignments vs. non-conforming assignments + +The assignments specified as non-conforming during the very first execution of the role model are +called pre-existing assignments. Pre-existing assignments are tagged differently from other +non-conforming assignments by the +[`SavePreExistingAccessRightsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) +because they can indicate that: + +- The rules are not optimal yet. +- Data in the managed system needs more cleanup. + +Obviously, pre-existing assignments can also prove to be exceptions to the rules, like +non-conforming assignments, and need to be validated as such. + +## Review Non-conforming Assignments + +While there can be dependencies between the review of non-conforming roles and unreconciled +properties, there are no absolute requirements regarding the sequential order of the non-conforming +assignment review: + +- [Review non-conforming roles](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md). +- [Review unreconciled properties](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md). 
+- [Review unauthorized accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md). + +[Risks](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md) can be +defined to highlight the most sensitive accounts/permissions, in order to establish a priority order +in the review of non-conforming assignments. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md new file mode 100644 index 0000000000..31c9077bd0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md 
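Review bot: In non-conforming-assignment-review/index.md, `# Participants and Artifacts` is added as a second level-1 heading, whereas the sibling pages in this patch use `## Participants and Artifacts`. The `### Pre-existing assignments vs. non-conforming assignments` subsection then nests under Participants and Artifacts, although it describes a concept that belongs with the Overview. Suggest changing the heading to `##` and either moving the pre-existing assignments subsection up under `## Overview` or promoting it so its parent is clear in the generated table of contents.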
@@ -0,0 +1,175 @@ +# Reconcile a Property + +How to review unreconciled properties. The aim is to handle the differences between the property +values from the managed systems and those computed by Usercube according to +[provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +## Overview + +Unreconciled properties are considered as non-conforming assignments because Usercube's role model +has computed property values that are different from the values in the managed systems. + +### Property reconciliation with role reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups for various applications, and a role is assigned through a group +> membership. An entitlement can be assigned to an identity by adding said identity's DN to the +> `member` property of the appropriate group. Usercube translates it by editing the identity's +> `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its + [workflow state](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) + transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a deprovisioning order + is sent). + +> So let's say we add `C�dric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Usercube displays one item for each role +> on the **Role Reconciliation** screen, and one item for all changes in the AD account on the +> **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------- | -------------------- | +| [Provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying properties | + +## Review an Unreconciled Property + +Review an unreconciled property by proceeding as follows: + +1. Ensure that the task for the computation of the role model was launched recently, through the + complete job on the **Job Execution** page� + + ![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + � Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unreconciled properties` as a `Workflow State`. + + ![Unreconciled Property](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp) + +4. Choose the default resource view or the property view with the top right toggle. +5. Select a property to review. + + > In the following example, the user `Nicolas Faure` is the owner of a given resource, here a + > nominative SAB account associated with his email address. In the **Resource Properties to be + > Verified** frame, there is one unreconciled property that happens to be `Group`. 
+ > + > ![Unreconciled Property Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp) + + - `Name`: unreconciled property name. + - `Proposed Value`: value proposed by Usercube. + - `Current Value`: value currently in the managed system. + - `Provisioning State`: + [provisioning state](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md). + - `Start Date`: date for the beginning of the property value existence. + - `End Date`: date for the end of the property value existence. + + The **Other Resource Properties** frame shows the complying properties associated with the + resource. + +6. Choose one of the three possibilities to verify the property: + + Decisions must be made with caution as they cannot be undone. + + - Either click on the approval icon to update the property with the proposed value. It discards + the whole property history. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + Automatic changes are essential for frequently-changing attributes. However, saving history + information can sometimes be important for some attributes such as logins and emails. + + - Or click on the decline icon to not update the property and keep the resource value. In the + future, this property will no longer be changed automatically. 
+ + ![Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of + interest. Usercube won't be able to change this data and the service account manager will + avoid authentication errors. It can be interesting to keep manual some sensitive data + changes like `SAMAccountName` for example, so that Usercube does not change it and the + service account manager does not risk problems in authentication. + + - Or click on the postponement icon to delay the decision. An unreconciled property is ignored + by Usercube, and therefore cannot be modified. + + ![Postponement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +7. Click on **Confirm Property Values**. +8. Trigger + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning + Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. 
This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +![Bulk Reconcile](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +## Verify Property Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's page in the directory. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md new file mode 100644 index 0000000000..3beceab313 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md 
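Review bot: property-reconciliation/index.md is added with U+FFFD replacement characters in `C�dric Blanc`, in `**Job Execution** page�` and in `� Or through the connector's overview page`, so the source was evidently converted with the wrong encoding; please re-save as UTF-8 and restore the original characters before merging. In the same hunk, the decline bullet of step 6 states the `SAMAccountName` advice twice ("Retaining manual control of changes..." and again "It can be interesting to keep manual some sensitive data changes..."), and introduces it with "i.e." where "e.g." is meant; keep one version. `**Role Reconciliation**and the **Resource Reconciliation**` is also missing a space after the closing bold. Since step 6 warns that decisions cannot be undone and that approval "discards the whole property history", it would help to render that warning as an admonition rather than a plain indented sentence.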
@@ -0,0 +1,121 @@ +# Reconcile a Role + +How to review non-conforming permissions, i.e. approve or decline the role suggestions made by +Usercube after every synchronization. The aim is to handle the differences between the navigation +values from the managed systems and those computed by Usercube according to the role catalog. + +## Overview + +Non-conforming roles are considered as non-conforming assignments because no rule from Usercube's +model can justify their actual assignment to an identity. + +### Role reconciliation with property reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups dedicated to various applications, and a role is assigned through +> group membership. An entitlement can be assigned to an identity by adding said identity's DN to +> the `member` property of the appropriate group. Usercube translates it by editing the identity's +> `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its + [workflow state](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) + transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a deprovisioning order + is sent). + +> So let's say we add `C�dric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Usercube displays one item for each role +> on the **Role Reconciliation** screen, and one item for all changes in the AD account on the +> **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know their team's expected +entitlements. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------- | --------------- | +| [Provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying roles | + +## Review a Non-conforming Permission + +Review a non-conforming permission by proceeding as follows: + +1. Ensure that the + [`ComputeRoleModelTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page� + + ![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + � Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** + section, to get to the non-conforming permissions page. + + ![Home Page - Role Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + + ![Role Reconciliation Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp) + + Each non-conforming permission can be commented by clicking on the corresponding icon. + + ![Comment Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +3. 
Choose one of the two possibilities to verify the permission: + + Contrary to resources, reviewed roles are then displayed on the **Role Review** page accessible + from the home page, and can be reviewed again. + + - Either click on the approval icon to keep the non-conforming permission. + + ![Approval Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg) + + - Or click on the decline icon to delete the non-conforming permission. + + ![Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg) + +4. Trigger + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning + Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use bulk provisioning + +Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. + +![Bulk Reconcile Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp) + +## Verify Role Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) 
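Review bot: In role-reconciliation/index.md the heading `### Use bulk provisioning` does not match its body, which describes reconciling several roles at once through **Bulk Reconcile Roles**; provisioning is the separate step 4 (**Generate Provisioning Orders**, then **Fulfill**). Suggest renaming the heading to something like "Use bulk reconciliation" and stating whether provisioning still has to be triggered afterwards. This hunk also carries the same U+FFFD replacement characters as the property reconciliation page (`C�dric Blanc`, `page�`, `� Or through`) and the same missing space in `**Role Reconciliation**and`, so the encoding fix should cover this file too.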
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md new file mode 100644 index 0000000000..fcaeb5b8e3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md 
@@ -0,0 +1,110 @@ +# Review an Unauthorized Account + +How to remediate unauthorized accounts. The aim is to review the accounts whose assignments don't +comply with the rules of the role model. + +## Overview + +Unauthorized accounts are considered as non-conforming assignments because no rule from Usercube's +model can justify their actual assignment to an identity. + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------- | ------------------ | +| [Provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying accounts | + +## Review an Unauthorized Account + +Review an unauthorized account by proceeding as follows: + +1. Ensure that the + [`ComputeRoleModelTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page� + + ![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + � Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. 
+ + ![Resource Reconciliation Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +4. Choose the default resource view or the property view with the top right toggle. +5. Click on the line of an account with an owner. + + In the following example, the nominative LDAP account linked to the resource + `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence + rate. + + ![Select Decision](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp) + + The displayed confidence rate means that a rule actually assigned the account to the identity, + but with a + [confidence rate](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) + too low to imply full automatic assignment. Approval will be required. + + The **Resource Properties** frame shows all the properties of the resources. They can be + [updated](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + by clicking on the edit button. + + ![Edit Button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp) + +6. Select the appropriate decision. + + Decisions must be made with caution as they cannot be undone. + +7. Click on **Confirm Account Deletion** or **Authorize Account** according to the previous + decision. +8. Trigger + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + by launching, on the appropriate connector's overview page, **Jobs** > **Generate Provisioning + Orders**, then, after this first task is done, **Jobs** > **Fulfill**. 
+ + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +![Bulk Reconcile](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current +Values**, does not approve their unreconciled properties which will still be displayed on this +screen. 
+ +## Verify Review + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md new file mode 100644 index 0000000000..246e3fe017 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md 
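Review bot: In unauthorized-account-review/index.md, step 6 says only "Select the appropriate decision." and then warns that decisions cannot be undone, but the available decisions are never listed; the reader has to infer them from the button names in step 7 (**Confirm Account Deletion** or **Authorize Account**). Suggest listing each decision in step 6 with its effect on the account, as the property reconciliation page does for approve, decline and postpone. Step 3 also notes that orphaned accounts appear with no owner while step 5 covers only "an account with an owner", so a pointer to the orphaned account review page would close that gap. The `### Use property view` section is copied from the property reconciliation page and speaks only of unreconciled properties until its last paragraph; and `page�` / `� Or through` in step 1 contain U+FFFD replacement characters that need the same encoding fix.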
@@ -0,0 +1,187 @@ +# Review Orphaned and Unused Accounts + +How to remediate license and security issues caused by orphaned and/or unused accounts. + +## Overview + +The review of unused and orphaned accounts is essential to solve security and license management +issues. Orphan accounts are without an owner, while unused accounts remain open without any +activity. + +### Orphaned accounts list + +A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed +through the menu items on the left of the home page, in the **Connectors** section. + +![Home - Entity Types](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +These entity type pages can be +[configured via XML](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md) to +customize all displayed columns and available filters, especially the **Orphan** filter that spots +uncorrelated resources, and the **Owner / Resource Type** column that shows the owner of each +resource. + +![Owner / Resource Type Column](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +In the `Orphan` field, select `Yes` to see all existing resources without an owner. + +In addition, filters can be configured in the +[reporting module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) +to list orphaned accounts. Choose to display `User` and `AD User (nominative)` with a filter on void +user's display names. + +The orphaned accounts detected by Usercube are not all legitimate. Some accounts are considered +orphaned because of an error in the account data or assignment rule. + +### Unused accounts list + +The way to identify activity in a managed system is highly dependent on said system. 
Thus, activity +identification cannot be generalized, and the absence of activity in accounts isn't recognizable +with the configuration as is. Integrators must configure a specific property fulfilling this +purpose. + +> For example in the AD, we can compute a Boolean property `isUnused` based on other AD accounts' +> properties. Below is an example that you can use and adjust to your specific configuration: +> +> ``` +> +> Here we write an expression for isUnused based on the bits of userAccountControl, the value of accountExpires and the value of LastLogonTimeStamp: +> +> +> +> ``` + +Once this "unused" property is created, a list of all unused accounts can be displayed thanks to the +filters in the +[query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), +based on said property. + +> The previous example about the AD's `isUnused` property can be complemented in the query module by +> displaying this property alongside users' `EmployeeId`. +> +> ![Query of Unused Accounts](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------ | ------------------------------------ | +| [Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (required) | Removed orphaned and unused accounts | + +## Review an Orphaned Account + +Review an orphaned account by proceeding as follows: + +1. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. 
+ + ![Home Page - Resource Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +2. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts are those appearing with + no owner. + + ![Resource Reconciliation Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +3. Choose the default resource view or the property view with the top right toggle. +4. Click on the line of an account without an owner. + + > In the following example, the nominative AD account linked to the email address + > `nathan.smith@acme.com` has no owner. + > + > ![Select Owner](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp) + > + > ![Owners List](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp) + +5. Answer the following questions in order to understand the situation. + + - Has the account been used recently? + - Why is it orphan? + - Who is it supposed to belong to? + - If it is a service account, is it useful? Has it been used recently? + + - A used account must be connected to its rightful owner. + - An unused account must be deleted. + + - If this account belongs to a person, is the user still in the organization or did they leave? + + - If the owner has left for more than XXX (time period defined by the security officer's + rules), the account must be deleted. + - If the owner has left for less than XXX, the account must be connected to its owner and + deactivated. + - If the owner is still in the organization, the account must be connected to its owner. Is + there a rule to change? 
+ + We said that useful service accounts must be connected to their owners due to the fact that an + orphaned account cannot be + [certified](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md). + But a service account must not be linked to a person, for the departure of said person from the + company may trigger the loss of the service account. + This is why we create identities with `Application` as their `UserType`, each + application-identity linked to a person supposed to manage it. Thus, service accounts must be + connected to application identities, themselves owned by people. That way, if the owner of the + application leaves, the application-identity is not deleted, and the service accounts it owns + are not deprovisioned. + + See the schema below this note. + + ![Schema - Service Accounts](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp) + +6. Select the appropriate owner or no owner at all, according to the previous analysis. + + Decisions must be made with caution as they cannot be undone. + + When binding an orphaned account to an existing owner, properties might need to be reconciled. + +7. Click on **Confirm Account Deletion** or **Authorize Account** according to the previous + decision. + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. 
This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +![Bulk Reconcile](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +## Verify Review + +In order to verify the process, check that the line for your reviewed item has been removed from the +**Resource Reconciliation** screen. + +In addition, if you reconciled an orphaned account with an owner, check the user's permissions to +see said account. + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md new file mode 100644 index 0000000000..c04e2d5303 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md 
@@ -0,0 +1,56 @@ +# Provision Automatically + +How to make Usercube automatically write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +automated provisioning is used to minimize human intervention and trust Usercube with role model +enforcement in external systems. + +### Provisioning states + +In an assignment request's lifecycle, provisioning automation implies skipping the `Transmitted` +state as Usercube no longer waits for a user to make changes anymore. For this reason, an assignment +request goes through the following provisioning states: + +![Provisioning State Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| [Provisioning orders](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) automated provisioning [connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Automated Provisioning + +automated provisioning is performed through a connection using a +[package](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md) +for fulfilling external systems (e.g., the +[Active Directory 
package](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md)). + +## Perform Automated Provisioning + +There is no procedure to perform automated provisioning, for it is automatic and thus handled by +Usercube in daily jobs. + +Make sure that the task used to compute and generate provisioning orders was launched after the +request (or the provisioning review, if any), through the complete job in the **Job Execution** +page. + +![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify Automated Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the + [manual assignment workflow](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + to make a change in one of their permissions, which involves automated provisioning. +3. Perform automated provisioning and check in Usercube that the change was effectively made. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md new file mode 100644 index 0000000000..1293fa3871 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md 
@@ -0,0 +1,120 @@ +# Provision + +How to write to an externally managed system. + +**A word about terminology** — Let's clarify the concept of writing to a managed system. + +There are two notions involved: + +- Fulfillment — writing to a managed system, manually or automatically +- Provisioning — writing automatically as provisioning is automated fulfillment + +But in everyday conversation, in the interface and in this documentation, we use the term +provisioning instead of fulfillment. + +## Overview + +When modeling your connectors, you had to decide what data you wanted Usercube to manage within the +external systems. You configured your connectors, and among other things you chose the appropriate +connections and packages, to manage identities and their entitlements by writing directly to the +managed systems. This is done through said connectors' provisioning capabilities. See the +[ Model the Data ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) +and +[ Create a Connection ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) +topics for additional information. + +When changes are performed on identity data, entitlements or the role model inside Usercube, +provisioning orders are generated in order to actually write said changes to the external systems. +These changes can be written automatically or manually. Manual provisioning is used to involve +humans and make them act on the external systems, instead of Usercube. Automatic provisioning is +used to minimize human intervention and trust Usercube with role model enforcement in external +systems. 
See the +[ Provision Manually ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) +and +[ Provision Automatically ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md)topics +for additional information. + +### Provisioning states + +Usercube handles provisioning by assigning a provisioning state to assignment requests. + +Here is the list of provisioning states and their description: + +| Provisioning state | Description | +| ------------------- | ------------------------------------------------------------------------- | +| 0—None | Used for Usercube's internal computation. | +| 1—Pending | The order is ready for provisioning but not sent to the agent. | +| 2—Transmitted | The agent has collected this order but no feedback has been received yet. | +| 3—Errored | The agent returned errors. | +| 4—Verified | The order is provisioned in the synchronized data. | +| 5—Awaiting Approval | The order is blocked until a review is performed. | +| 6—Inactive | The order is blocked as it is considered as useless (order in the past). | +| 7—Error | The role model threw an exception while evaluating the order. | +| 8—Executed | The agent returned OK. | + +These states are detailed with their transitions on the individual pages specific to provisioning +review, manual provisioning and automated provisioning. See the +[ Entitlement Assignment ](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and +[ Review Provisioning ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) +topics for additional information. + +### Provisioning review + +For security purposes, provisioning orders sometimes need to be reviewed before being propagated to +the managed system. Then, a user with the right entitlements accesses the **Provisioning Review** +page. 
Users can either approve provisioning orders that will then be unblocked and finally +propagated, or they can decline orders that will subsequently be ignored. See the +[ Configure a User Profile ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md)topic +for additional information. + +The review prior to the provisioning of entitlement assignments is usually performed based on the +resource type of given identities. For example, the assignment of sensitive entitlements will +require a review before being provisioned, whereas basic rights can be assigned at once. Therefore, +resources must be carefully classified beforehand. See the +[ Classify Resources ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) +topic for additional information. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------- | ------------------ | +| Connector's data model (required) Classified resources (required) Provisioning Rules (required) Role catalog (required) | Provisioned system | + +See the +[ Model the Data ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md), +[ Classify Resources ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md), +[ Create a Provisioning Rule ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md), +and +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topics for additional information. 
+ +## Perform Provisioning + +In order to perform the provisioning you have to: + +- Choose whether to adjust your resource types to implement provisioning review +- Choose whether to adjust your connections to implement manual and/or automated provisioning + +## Verify Provisioning + +In order to verify the process: + +![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +**Step 1 –** Select a test user in the directory, accessible from the home page. + +**Step 2 –** Follow the manual assignment workflow to make a change in one of their entitlements, +which involves the type of provisioning that you want to test. + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +**Step 3 –** Check the provisioning state of the requested entitlement at every step, in the user's +**View Permissions** tab. + +![Provisioning State Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or +automated provisioning, below is the global state schema. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md new file mode 100644 index 0000000000..ba9906387c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md 
@@ -0,0 +1,82 @@ +# Provision Manually + +How to use Usercube to manually write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +manual provisioning is used to make humans intervene and act on the external systems, instead of +Usercube. + +### Provisioning states + +In its lifecycle, an assignment request goes through the following provisioning states: + +![Provisioning State Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems as +write permissions are required. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------- | +| [Provisioning orders](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) Manual provisioning [connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Manual Provisioning + +Manual provisioning is performed through a connection using the +[manual ticket package](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md). +Besides, for a resource to be manually provisioned, the corresponding resource type must be +configured with the manual connection set to `Provisioning Connection` in the **Fulfill Settings**. + +## Perform Manual Provisioning + +Perform manual provisioning by proceeding as follows: + +1. 
Ensure that the task to compute or generate provisioning orders was launched after the request + (or the provisioning review, if any), through the complete job in the **Job Execution** page. + + ![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + ![Manual Provisioning Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp) + +2. Access the manual provisioning orders page by clicking on the entity type that you want to manage + in the **Manual Provisioning** section. + + ![Home Page - Manual Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +3. Choose a line to handle the corresponding provisioning order. +4. Creation, edition and deletion orders follow the same process: read Usercube's suggestions and + create, edit or delete the appropriate resource directly in the managed system (outside + Usercube). + + ![Creation Provisioning Order](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp) + + ![Creation Provisioning Order](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp) + +5. Choose to confirm or report an error. + +### Use bulk provisioning + +Several orders can be provisioned simultaneously by clicking on **Bulk Provision**. + +![Bulk Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp) + +## Verify Manual Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. 
+ + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the + [manual assignment workflow](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + to make a change in one of their permissions, which involves manual provisioning. +3. Perform manual provisioning and check the provisioning state of the requested entitlement at + every step, in the user's **View Permissions** tab. + +![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Check in your managed system that the change was effectively made. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md new file mode 100644 index 0000000000..95b491e133 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md 
@@ -0,0 +1,237 @@ +# Review Provisioning + +How to review provisioning orders before generation. + +## Overview + +For security purposes, provisioning orders sometimes need to be reviewed before being computed and +actually generated. Then, a user with +[the right permissions](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) +accesses the **Provisioning Review** page. They can either approve provisioning orders that will +then be computed, generated and finally ready for actual provisioning, or they can decline orders +that will subsequently be ignored. + +### Provisioning states + +In an assignment request's lifecycle, provisioning review adds a few steps between the moment when +the request is issued and when provisioning orders are computed: + +![Provisioning State Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| [Provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Provisioning orders | + +## Implement Provisioning Review + +Provisioning review is configured for a given resource type. 
Therefore, you can decide to force the +review of provisioning orders when +[configuring a resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). +You can choose to: + +- Set the number of required approvals by a + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md), + via the `Approval Workflow` option. +- Enable a technical approval by the application owner, via the `Block provisioning orders` option. + +Provisioning review can also be triggered when a +[fulfillment](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md) +error occurs. + +## Review Provisioning Orders + +Review provisioning orders by proceeding as follows: + +1. On the home page, click on the entity type that you want to manage in the **Provisioning Review** + section. + + ![Home Page - Provisioning Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + + ![Provisioning Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp) + +2. Click on a line to access details and handle addition, association, update or deletion orders. + + Once reviewed, provisioning orders are to be executed by Usercube during the next **Fulfill** + task, accessible from the corresponding connector's overview page, in the **Resource Types** + frame. + + Automatic provisioning orders are directly executed, while manual provisioning orders are listed + on the **Manual Provisioning** page. 
+ + ![Fulfill Task](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Handle an addition order + +Usercube shows all the properties of the new resource to be created: + +![Addition Order Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp) + +- `Proposed Value`: value proposed by Usercube. +- [`Provisioning State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- [`Workflow State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md): + describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding + [query rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +Handle an addition order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property creation with the proposed value. + + ![Addition - Approval Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + - Or click on the decline icon to refuse the property creation. + + ![Addition - Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. 
+ + ![Addition - Postponement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or ignore the creation. + +### Handle an association order + +Usercube displays a given owner and a given resource to be associated with a given +[confidence rate](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) +and all resource properties to be verified: + +![Association Order Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp) + +- `Confidence rate of proposed resource`: rate expressing the confidence in this + [correlation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md). +- `Proposed Value`: value proposed by Usercube. +- `Current Value`: value currently in the managed system. +- [`Provisioning State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- [`Workflow State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md): + describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding + [query rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +Handle an association order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to validate the proposed property value. 
+ + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + - Or click on the decline icon to refuse the property association. + + ![Addition - Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or deny the association. + +### Handle an update order + +Usercube shows a given resource and all resource properties to be verified: + +![Edition Order Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp) + +- `Proposed Value`: value proposed by Usercube. +- `Current Value`: value currently in the managed system. +- [`Provisioning State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- [`Workflow State`](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md): + describes the origin or approval state of an assignment. 
+- `Confidence Rate`: rate expressing the confidence in the corresponding + [query rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +Handle an update order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property update with the proposed value. + + ![Edition - Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + - Or click on the decline icon to refuse the property update. + + ![Addition - Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Click on **Confirm Property Values**. + +### Handle a deletion order + +Usercube shows a given owner and their resources to be deleted: + +![Deletion Order Review](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp) + +Handle a deletion order by choosing either to confirm the deletion or to keep the resource. + +### Use property view + +By default, provisioning orders are listed by resource. It is possible to click on a resource and +then access the list of all provisioning orders for that resource. 
+ +![Resource View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp) + +In addition, using resource view enables bulk unblocking for provisioning orders with errors. + +![Bulk Unblock](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp) + +It can be helpful to have the provisioning orders regrouped by property, as some of the changes can +be similar, so very likely to be validated by the same user. This is why a property view can be +enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all provisioning orders linked to that resource +type. In addition, select a property to display only the provisioning orders linked to these +resource type and property. + +![Property View](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp) + +The review process is similar on both views. However with property view, reviewers don't click on a +given line, but choose a decision directly on the left of the property line. + +## Verify Provisioning Review + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the + [manual assignment workflow](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + to make a change in one of their permissions, which involves provisioning review. +3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab. 
+ + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource + Types** frame, to execute the provisioning orders. + + ![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +5. The orders using automated provisioning should be + [automatically handled](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md) + with their state switching to `Executed`, while those using manual provisioning should appear on + the + [**Manual Provisioning**](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) + page with their state switching to `Transmitted`. + +![Home Page - Manual Provisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md new file mode 100644 index 0000000000..f20179780b --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md 
@@ -0,0 +1,134 @@ +# Generate Reports + +How to use Usercube's reporting modules to produce IGA reports for auditing and governance purposes. + +## Overview + +Reporting features help users produce reports for auditing and performance evaluation. The aim is to +be aware of the whole assignment landscape, display it for analysis, and act upon it if needed. +Governance also helps produce audit-ready reports. You can start to set up governance features +relatively early in your Usercube journey and measure your progress from the very start. + +A few reporting tools are already available in Usercube, used in other parts of your IGA project, +for example: + +- the list of entitlements for a given user in their **View Permissions** tab; + + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +- the list of all requests that you are authorized to see in **Workflow Overview** accessible from + the home page in the **Administration** section; + + ![Home - Workflow Overview](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +- the + [list of orphaned accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). + + ![Orphaned Account List](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +Usercube puts users in control of their reporting. Rich features help produce customizable reports +that can be used to check the assignment policy results, or gather information for an audit. + +Usercube provides several different levels of reporting according to your needs and technical tools. 
+You can: + +- [download predefined reports](#download-predefined-reports) for simple needs; +- add new reports to the predefined ones through XML configuration, for recurring needs that aren't + met by available reports (this requires XML configuration knowledge); +- [create customized reports](#create-customized-reports) with the Query module and its universes + configured beforehand, to meet specific needs (this requires certain technical knowledge); +- create customized graphic reports with PowerBI, to meet specific needs (this requires certain + technical knowledge). + +## Participants and Artifacts + +This operation can be performed by any user interested in producing IGA reports. + +| Input | Output | +| ------------------ | ------- | +| Entries (required) | Reports | + +## Download Predefined Reports + +Usercube provides a selection of predefined reports available in the solution. They represent the +most common use cases. + +The accessibility of these predefined reports was configured during +[profile configuration](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md). + +Download predefined reports by proceeding as follows: + +1. Click on **Reports** on the left of the home page to access the list of predefined reports. + + ![Home Page - Reports](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + + ![Reports](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp) + +2. Choose the appropriate report and click on **Download** to get an Excel report. The + downward-pointing arrow provides additional report formats. 
+ +## Add New Reports to the List + +When facing frequent reporting requirements outside the scope of predefined reports, new reports can +be configured with XML via +[`ReportQuery`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md) +and +[specific query grammar](/docs/identitymanager/6.1/identitymanager/integration-guide/api/squery/index.md). + +## Create Customized Reports + +When facing a one-time need for producing specific reports, Usercube's Query module helps display +attributes chosen from the data which is already +[synchronized](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) and +[classified](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md). +This module offers the possibility to customize reports and download them. + +The Query module is based on predefined +[universes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) +that can be adjusted later on in +[XML configuration](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md), +just like the list of available query models. + +Create a custom report by proceeding as follows: + +1. Click on **Query** in the **Administration** section on the home page. + + ![Home Page - Query](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/home_query_v602.webp) + + ![Query Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp) + +2. Choose a query model from among the list. +3. 
Click on **Fields to Display** and select the appropriate fields from among the database + [universe](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + and click on **Confirm**. + + ![Fields to Display](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp) + + In cases where Usercube doesn't display correctly the information you need, you must try to + understand the + [entity instances](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + and + [association instances](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + that constitute the + [universe](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + that you are working with. Perhaps the fields that you chose cannot be properly correlated. + +4. Click on **Filters**, write the appropriate condition and click on **Confirm**. + + ![Filters](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp) + + For example, a report could list user names and identifiers � but only those with their + `Contract end date` less than today's date � so that we will see all the workers who have left + the organization and are still stored in Usercube. + +5. Once all report settings are defined, click on **Download** to get a CSV report. + +## Create Customized Graphic Reports with Power BI + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Usercube offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. 
This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Usercube's universes. + +[See how to analyze Usercube's data with Power BI](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/authentication/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/authentication/index.md new file mode 100644 index 0000000000..fc531728e0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/authentication/index.md @@ -0,0 +1,5 @@ +# Set Up User Authentication + +How to allow end-users to authenticate and use the Usercube application. See the +[ End-User Authentication ](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/change-management/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/change-management/index.md new file mode 100644 index 0000000000..2177c71dee --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/change-management/index.md 
@@ -0,0 +1,122 @@ +# Plan Change Management + +How to anticipate the deep changes in the organization's applications and processes due to Usercube +installation as a new IGA tool. + +Change management is not only part of any IGA project. It is a full project in itself that requires +its own project officer, objectives, success indicators, etc. It starts on the very first day with +the project kickoff, and runs alongside the technical project. + +## Overview + +The applications and processes of the organization are about to change deeply. Change management is +crucial because it determines the future proper use of the solution and the gain that can be +achieved by the organization. It requires an upstream impact analysis in order to define the +strategy to adopt. + +### Process + +A digital project follows two parallel processes: + +- The organizational and digital process used to design, build and deploy the solution. +- The human process urging staff to accept the solution, familiarize themselves with it, join and + interact with the project. + +Change management aims to support the teams throughout the human process. + +![Process of Change Management](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp) + +These processes include mandatory steps that all staff members have to go through, but not +necessarily at the same pace. For that reason, change managers can benefit from the use of personas, +i.e. creating characters that represent key populations. + +## Participants and Artifacts + +![Actors of Change Management](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp) + +The aim of a Project Management Officer concerning critical stakeholders is to enable: + +- Decision makers to trigger holistic change in response to recurring factors in daily issues. 
This + can be translated into promoting efforts towards the broader enterprise strategy, focusing on + recurring challenges, identifying common denominators, not exceeding Project Management Office's + capacity and promoting PMO's shifting value proposition. +- Managers to grow maturity and confidence in change management because they allow responsibility + distribution throughout the organization. They need support in self-assessment and change + management at varying degrees according to the strategic importance and complexity level of + change. This can be translated into DIY change supports like templates, change coaches for + tailored guidance, or change drivers for end-to-end execution. +- The employees impacted by change to enter the decision-making process at an early stage, thus + improving change absorption. They must be engaged as active participants in shaping change + decisions, in order to avoid extreme leader-dictated or consensus-based strategies. + +| Input | Output | +| ----------------------------------- | ------------------------ | +| Upstream impact analysis (required) | Business ready to change | + +## Run Change Management for Usercube + +In order to profitably handle change management, any project should start with the question: **in +three years from now, what will be the (three to five) main facts attesting the success of this +project?** The answer will shape the strategy. + +Whether Usercube replaces manual processes or an existing IGA tool, change management methods are +going to be the same. Only the analysis of impacted populations and the effort made to onboard them +can define the appropriate response. + +IGA impact is based on data quality. Therefore, change management must encompass everything and +everyone that consumes and/or feeds data. All three population segments (decision makers, managers +and employees) are involved in data quality in one way or another. 
Hence, it is essential that they +understand IGA as an advantage instead of a constraint. + +Run change management by proceeding as follows: + +1. Identify the populations impacted by change. Below is an example of impacted populations that can + vary enormously. + + ![Usual Populations](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp) + +2. For all listed populations, estimate their size and the expected impact on them, through + indicators like the frequency of their future use of the solution. Use personas to represent key + population members, such as VIP users that don't use the application much, or users not feeling + comfortable with computers. +3. According to the previous impact analysis, implement adjusted change management methods. You can + get inspiration from the following examples. + +| | Population | Size | Impact | Possible Actions | +| --- | ----------- | ---- | ---------------------- | ---------------------------------------------------------------------------------------------------- | +| 1 | All | 500 | Low | Introduction email Public video Information article | +| 2 | End-Users | 50 | High | Coffee corner: coffee break with the local support team offering tutorials and exercises on Usercube | +| 3a | HR/Managers | 10 | High (daily use) | Tutorials and exercises with a support team to get started quickly with Usercube | +| 3b | HR/Managers | 10 | Medium (bimonthly use) | Step-by-step procedure video or flyer | + +##### Example 1 + +Informing relevant populations is essential. For large populations (ex.: 500 employees), an +introduction email can be sent to everyone or a video published on a public website or played on +screens visible in the workplace. + +##### Example 2 + +A medium or large population (i.e. 
the size of a department in your organization) might be receptive +to informal meetings such as a coffee break with the local support team offering tutorials and +exercises on Usercube. + +##### Example 3 + +Let us consider HR teams and managers which have a change impact depending on their frequency of use +of the application. + +###### Example 3a + +If they frequently use the application (i.e. daily use), they will benefit from tutorials and +exercises with a support team to get started quickly with Usercube. + +###### Example 3b + +If they infrequently use the application (i.e. bimonthly use), they may rather benefit from training +materials such as a step-by-step procedure video or flyer. + +## Verify Change Management + +In order to verify the process, change managers can rely on implemented indicators, in the same way +as for any project management situation. diff --git a/docs/usercube/6.1/usercube/user-guide/deploy/implementation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/implementation/index.md similarity index 100% rename from docs/usercube/6.1/usercube/user-guide/deploy/implementation/index.md rename to docs/identitymanager/6.1/identitymanager/user-guide/deploy/implementation/index.md diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/index.md new file mode 100644 index 0000000000..222f735dc2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/index.md 
@@ -0,0 +1,28 @@ +# Deploy + +- #### [Plan Change Management](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/change-management/index.md) + + How to anticipate the deep changes in the organization's applications and processes due to + Usercube installation as a new IGA tool. + +- #### [Install the Production Agent](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/index.md) + + How to install a local agent for production environment. + +- #### [Configure the Agent's Settings](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) + How to configure the agent's application settings via the `web.config`, `appsettings.json` and + `appsettings.agent.json` files.- #### + [Install IIS via Server Manager](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md) + How to configure the local server to install IIS via Server Manager.- #### + [Configure the Pool and Site](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) + How to configure the application pool and website via IIS.- #### + [Set the Working Directory's Permissions](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md) + How to assign to the pool the right permissions on the working directory.- #### + [Finalize the Installation](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md) + How to finalize the installation of the agent. +- #### [Set Up User Authentication](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/authentication/index.md) + + How to allow end-users to authenticate and use the Usercube application. 
+ +- #### [Implement Usercube](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/implementation/index.md) + How to actually implement Usercube solution. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md new file mode 100644 index 0000000000..4631afd098 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md 
@@ -0,0 +1,57 @@ +# Set the Working Directory's Permissions + +This guide shows how to assign to the pool the right permissions on the working directory. + +## Overview + +For Usercube to work correctly, the pool of the production agent must be configured with specific +permissions on the working directory. + +This page describes the optimal configuration of the pool's permissions on the working directory to +prepare the production agent's installation. + +## Set the Working Directory's Permissions + +Set the working directory's permissions by proceeding as follows: + +1. Right-click on the working directory, for example `C:/identitymanager`, to select **Properties**, and in + the **Security** tab, click on **Advanced**. + + ![Working Directory Properties: Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp) + +2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a + principal**. + + ![Working Directory Properties: Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp) + +3. Click on **Locations�** to choose the current computer, and in the text area enter + `iis apppool/identitymanager` (`Usercube` being the name of the previously created pool). + + ![Working Directory Properties: Step 3](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp) + + An error at this point should come either from a mistake in the pool's name or in the selected + location. + +4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and + **Read** permissions are selected. 
+ + ![Working Directory Properties: Step 4](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp) + +5. Click on **OK** in the windows until they are all closed. +6. Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on + **Edit**. + + ![Temp Folder Properties: Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp) + +7. Select the user corresponding to the pool and give them `Full control`. + + ![Temp Folder Properties: Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp) + +8. Click on **OK** in the windows until they are all closed. +9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and + `Mails` folders. + +## Next Steps + +To continue, +[finalize the installation in a few steps](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md new file mode 100644 index 0000000000..e3e75cbab2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md 
@@ -0,0 +1,28 @@ +# Finalize the Installation + +This guide shows how finalize the installation of the agent. + +## Overview + +This page describes the last few steps that the production agent needs for Usercube to run +correctly. + +## Finalize the Installation + +Finalize the installation of the agent by proceeding as follows: + +1. Install + [Windows' hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + + If the bundle was installed before + [IIS configuration](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md), + then IIS might not display the AspNetCore module and Usercube will not run. In this case, + relaunch the bundle's installation executable to perform a repair. + +2. When using a proxy, + [adjust the configuration accordingly](/docs/identitymanager/6.1/identitymanager/installation-guide/reverse-proxy/index.md). + +## Next Steps + +To continue, follow the instructions to +[verify the agent's installation](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md new file mode 100644 index 0000000000..5d0d123130 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md 
@@ -0,0 +1,68 @@ +# Configure the Pool and Site + +This guide shows how to configure the application pool and website via IIS. + +## Overview + +IIS provides a platform for hosting and managing websites. +[See more details](https://learn.microsoft.com/fr-fr/iis/get-started/introduction-to-iis/introduction-to-iis-architecture). + +To install the production agent, a website must be created and configured correctly, as part of an +application pool. + +This page describes the optimal configuration in IIS to prepare the production agent's installation. + +## Configure the Application Pool and Site + +Configure the application pool and site by proceeding as follows: + +1. Open IIS and remove the default site and pool. + + IIS can usually be found in Windows' search menu, or from Server Manager by accessing the + **Tools** menu. + + ![IIS: Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp) + +2. Right-click on **Application Pools** to add a new pool named `Usercube`. + + ![IIS: Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp) + +3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the + selected application pool is `Usercube` and set the `path` field to the `Runtime` folder. + + ![IIS: Step 3](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp) + +4. 
Right-click on the application pool to open its advanced settings and make sure that the + following parameters are set as such: + + ![IIS: Step 4](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp) + + ![IIS: Step 5](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp) + +5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and + double-clicking on **Server Certificates**. + + If the certificate is not ready yet, generate an auto-signed certificate. + + ![IIS Server Certificate: Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp) + + If the certificate is not there yet, import it by clicking on **Import�** in the right-side + menu, and specify the certificate's path and password. + + ![IIS Server Certificate: Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp) + +6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings�** + and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's + URL (without the `https` part) as host name, and finally selecting the server certificate. + + ![IIS Server Certificate: Step 3](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp) + + Click on **OK**. + + If the server's certificate is not available at this point, then make sure it was correctly + imported in the previous step. 
+ +## Next Steps + +To continue, +[set the right permissions on the working directory](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md new file mode 100644 index 0000000000..aeb03312e8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md 
@@ -0,0 +1,47 @@ +# Install IIS via Server Manager + +This guide shows how to configure the local server to install IIS via Server Manager. + +## Overview + +When running on Windows Server, Server Manager makes available parameters to configure the local +server at will. +[See more details](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/manage-the-local-server-and-the-server-manager-console). + +This page describes the optimal configuration of the local server to install IIS in order to prepare +the production agent's installation. + +## Install IIS via Server Manager + +Install IIS via Server Manager by proceeding as follows: + +1. Open the Server Manager program and click on **Add roles and features**. + + ![Server Manager: Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp) + +2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based + installation** is selected and click on **Next**. + + ![Server Manager: Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp) + +3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**. + + ![Server Manager: Step 3](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp) + +4. In **Server Roles** tick **Web Server (IIS)**. + + ![Server Manager: Step 4](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp) + +5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** > + **AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**. 
+ + ![Server Manager: Step 5](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp) + +6. In **Confirmation** click on **Install**. + + ![Server Manager: Step 6](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp) + +## Next Steps + +To continue, +[configure the application pool and website via IIS](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/index.md new file mode 100644 index 0000000000..796f921f88 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/index.md 
@@ -0,0 +1,71 @@ +# Install the Production Agent + +This guide shows how to install an +[agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md)separated +from the server, for production environment. + +## Overview + +Like all [agents](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md), +the production agent aims to extract data from a given managed system, and transmit said data to the +Usercube server. If necessary, the agent also enables the managed system's provisioning according to +the orders computed by the Usercube server. + +Usercube solution can use several agents, each of them manages a given system. This section is about +installing the agent managing the production environment. + +Once agents are configured in addition to the default one provided by SaaS, you need to think about +what agent to choose during each +[connector declaration](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md). +The appropriate agent has access to the managed system. + +## Requirements + +Ensure that all +[agent requirements](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md) +can be met before starting the installation of the production agent. + +Requirements for the agent installation can change over the course of the project, according to the +project purpose. + +### Encryption certificates + +Ensure that your encryption certificates are valid by checking their: expiration date; signatory; +key size exceeding 2048; sha256 and not sha-1. + +### Server Manager + +Ensure that the device used for the installation has the Server Manager program. + +## Participants and Artifacts + +Integrators should have all the elements they need to operate. 
+ +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| [Agent prerequisites](/docs/identitymanager/6.1/identitymanager/installation-guide/requirements/agent-requirements/index.md) (required) | Production agent | + +## Install the Production Agent + +Install the production agent by proceeding as follows: + +1. [Create the working directory](/docs/identitymanager/6.1/identitymanager/installation-guide/production-ready/working-directory/index.md) + and make sure it contains the folders: `Mails`; `Sources`; `Temp`; `Work`. +2. [Configure the agent's application settings](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) + via the `web.config`, `appsettings.json` and `appsettings.agent.json` files. +3. [Configure the local server to install IIS](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md) + via Server Manager. +4. [Configure the application pool and website](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) + via IIS. +5. [Set the right permissions on the working directory](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). +6. [Finalize the production agent's installation](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md). 
+ +## Verify Agent Installation + +In order to verify the process: + +- make sure the website is accessible from IIS by clicking on **Browse** (in the menu on the right), + and from your browser; +- if logs are enabled, then stop the pool to make sure that no error is thrown; +- perform from a local device agent-side actions such as sending test emails, reading and/or writing + inside working folders, or launching/scheduling agent-side tasks. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md new file mode 100644 index 0000000000..e46b1f516c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md 
@@ -0,0 +1,261 @@ +# Configure the Agent's Settings + +This guide shows how to configure the agent's application settings via the `web.config`, +`appsettings.json` and `appsettings.agent.json` files. + +## Overview + +Usercube provides JSON files to configure varied application settings, named +[`appsettings.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[`appsettings.agent.json`](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +This page describes the optimal configuration of the production agent's application settings. + +## Configure the Agent's Settings + +Configure the agent's settings by proceeding as follows: + +1. From the `Runtime/Agent` folder, copy the files `appsettings.json`, `appsettings.agent.json` and + `web.config` and paste them in the `Runtime` folder, thus replacing the pre-existing ones. +2. Open `web.config` and make sure that, in the `aspNetCore` tag, the value of `arguments` is set to + `./identitymanager-Agent.dll`. + + When needing to get the agent's logs, set also `stdoutLogEnabled` to `true`. See more details in + [Microsoft's documentation](https://learn.microsoft.com/fr-fr/aspnet/core/host-and-deploy/iis/logging-and-diagnostics?view=aspnetcore-7.0). + + ``` + + web.config + + ... + ... + ... + + ``` + +3. 
Open `appsettings.json` and make sure that: + + - **License** contains a valid license; + - **IdentityServer** contains the encryption certificate's path and password provided by + NETWRIX' team, in order to secure agent/server identification; + + > For example: + > + > ``` + > + > appsettings.json + > + > "IdentityServer": { + > "X509KeyFilePath": "./identitymanager.pfx", + > "X509KeyFilePassword": "secret" + > } + > + > ``` + + - you get an encryption certificate which will be used to encrypt specific files such as logs or + temporary files, and that **EncryptionCertificate** contains its path and password; + + > For example: + > + > ``` + > + > appsettings.json + > + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > } + > + > ``` + + **EncryptFile** can stay set to `false` while verifying the agent installation, but for + security reasons it must be set to `true` afterwards. + + If the certificates' passwords contain `@`, then they must be escaped via the `@` as first + character of the strings. + + - **ApplicationUri** contains the server's address, provided by NETWRIX' team when working in a + SaaS environment; + + > For example: + > + > ``` + > + > appsettings.json + > + > "ApplicationUri": "http://localhost:5000" + > + > ``` + + Do not write a `/` character at the end of the string. + + - **Cors** > **AllowAnyHeader**, **AllowAnyMethod** and **AllowCredentials** are set to `true`; + + ``` + + appsettings.json + + "Cors": { + "AllowAnyHeader": "true", + "AllowAnyMethod": "true", + "AllowCredentials": "true" + } + + ``` + +4. Open `appsettings.agent.json` and make sure that: + + - **OpenId** > **AgentIdentifier** specifies the agent's name which must match the XML + configuration. + [See more details](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). 
+ + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent" + > } + > + > ``` + > + > With the following configuration: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **OpenIdClients** > **Job** contains the non-hashed value of the password of + "Job-Remote" provided by NETWRIX' team� + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > } + > } + > + > ``` + + � and add the hashed value of this password to the `OpenIdClient` named `Job` from the XML + configuration; + + > For example: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **DefaultOpenIdClient** is set to `Job`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > }, + > "DefaultOpenIdClient": "Job" + > } + > + > ``` + + - **PasswordResetSettings** > **TwoFactorSettings** > **ApplicationUri** contains the server's + address, provided by NETWRIX' team when working in a SaaS environment; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > } + > } + > + > ``` + + - **PasswordResetSettings** > **EncryptionCertificate** contains contains the path and password + of the certificate used to secure password tokens; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../identitymanager.pfx", + > "Password": "secret" + > } + > } + > + > ``` + + - **PasswordResetSettings** > **MailSettings** > **PickupDirectory** is set to the `Mails` + folder and **FromAddress** to `no-reply@.com`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > 
"PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../identitymanager.pfx", + > "Password": "secret" + > }, + > "MailSettings": { + > "PickupDirectory": "../Mails", + > "FromAddress": "no-reply@contoso.com" + > } + > } + > + > ``` + + - **SourcesRootPaths** contains the path to the `Sources` folder. + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "SourcesRootPaths": [ + > "C:/identitymanager/Sources" + > ] + > + > ``` + +## Next Steps + +To continue, +[configure the local server to install IIS via Server Manager](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md new file mode 100644 index 0000000000..11850cc1ec --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md @@ -0,0 +1,15 @@ +# How to Maintain the Workforce Directory + +How to keep the workforce directory up to date. + +## Overview + +![Process Schema - How to Implement a New System](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp) + +## Process Details + +Be aware that the integration of an IGA tool is an iterative process. Thus, after +[following the starting process](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-start/index.md) +and creating the workforce directory, you can come back at any time and complete the directory that +you started, +[updating identity data](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md). 
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-newsystem/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-newsystem/index.md new file mode 100644 index 0000000000..d40d4a7fb3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-newsystem/index.md 
@@ -0,0 +1,85 @@ +# How to Implement a New System + +How to add a new system to the solution. + +## Overview + +When connecting Usercube to a new system, several process paths can be taken according to your +strategy. There is no option fundamentally better than the others, your decision must depend on your +needs. + +The **option A** leads quickly to +[the implementation in production environment](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md), +i.e. a new application in Usercube's scope. With this, you can +[review orphan and unused accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[provision the AD](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md), +[reconcile properties](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md), +and +[generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), +for example the list of profiles assigned to users. + +The **option B** takes more time as it goes through the creation of the role model based on the +system's entitlements, but it leads to even more gain as you can also +[reconcile roles](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +perform +[access certification](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md) +and +[request entitlement assignment](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md), +and also +[generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), +for example the list of assigned single roles. + +The option B is more complicated and time-consuming than the option A, but leads to more gain. 
Be +aware that you can go through the process options simultaneously. + +![Process Schema - How to Implement a New System](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp) + +## Process Details + +### Common starting steps + +1. [Connect Usercube to the system](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md): + create the appropriate connector with its connections and entity types. +2. [Synchronize the system's data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + into Usercube. + + Based on this, you can + [generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), + for example the list of resources in the system. A few predefined reports are available from the + start, you can generate any report from this list as soon as it makes sense according to the + integration progress. + +3. [Categorize resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) + in order to classify them according to their intent, and correlate these resources with their + owners. +4. [Create provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + to write to the system in order to update the resources' properties directly in the system. +5. [Adjust the rules by reconciling resources](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md), + i.e. analyze the differences spotted between the reality of resources' properties and those + computed by the previously established rules. Especially, verify that accounts are correlated to + the right owners and that their properties have the right values. 
+ + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Usercube to an external system, two process options are available according to your +needs: either aim directly to the implementation in production environment, or first build the role +model in order to enable more administration activities. Both options can be started simultaneously. + +### Option A: Straight to production implementation + +Go directly to the common final steps (step 8). + +### Option B: First build the role model + +6. [Create roles in the role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + for applications managed by the system. +7. [Automate role assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md) + if needed: use Role Mining to create single role rules in bulk; adjust the generated rules + individually and manually. + +### Common final steps + +8. Perform tests. +9. Deploy the pre-production configuration to the production environment. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-start/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-start/index.md new file mode 100644 index 0000000000..66fd5f224f --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-start/index.md 
@@ -0,0 +1,115 @@ +# How to Start + +How to start integrating Usercube with your own needs. + +## Overview + +When starting with Usercube, several process paths can be taken according to your strategy. There is +no option fundamentally better than the others, your decision must depend on your needs. + +The **option 1** leads quickly to +[identity management](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md), +i.e. users' on-boarding/movement/off-boarding without needing a periodic synchronization. + +The **option 2A** takes more time as it requires the installation of an agent on your network in +order to connect Usercube to the system and use the AD's data, but it leads to more gain as you can +also +[review orphan and unused accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[provision the AD](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md), +[reconcile properties](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md), +and +[generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), +for example the list of profiles assigned to users. 
+ +The **option 2B** takes even more time as it goes through the creation of the role model based on +the system's entitlements, but it leads to even more gain as you can also +[reconcile roles](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +perform +[access certification](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md) +and +[request entitlement assignment](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md), +and also +[generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), +for example the list of assigned single roles. + +The options 2A and 2B are more complicated and time-consuming than the option 1, but lead to more +gain. Be aware that you can go through the process options simultaneously. + +NETWRIX recommends the option 1 to be able to start IGA without waiting for the installation of an +agent in your network, and go through the option 2 simultaneously. + +![Process Schema - How to Start with Usercube](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp) + +## Process Details + +### Common starting steps + +1. [Install the development environment](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md). +2. [Create the workforce directory](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md): + configure the generation of unique properties; load workforce identities to Usercube; adjust the + data model. 
+ +After these first steps, two process options are available according to your needs: either aim +directly to identity management and the opening of Usercube to end-users, or first connect Usercube +to an external system in order to enable more administration activities. Both options can be started +simultaneously. + +### Option 1: Based on the workforce directory + +Starting with the workforce directory does not require the installation of a local agent. + +Go directly to the common final steps (step 10). + +### Option 2: Based on an external system + +Starting with an external system requires the installation of a local agent. + +3. [Connect Usercube to the system by creating a connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). +4. [Synchronize the system's data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + into Usercube. + + Based on this, you can + [generate reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md), + for example the list of resources in the system. A few predefined reports are available from the + start, you can generate any report from this list as soon as it makes sense according to the + integration progress. + +5. [Categorize resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) + in order to classify them according to their intent, and correlate these resources with their + owners. +6. [Create provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + to write to the system in order to update the resources' properties directly in the system. +7. [Adjust the rules by reconciling resources](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md), + i.e. 
analyze the differences spotted between the reality of resources' properties and those + computed by the previously established rules. Especially, verify that accounts are correlated to + the right owners and that their properties have the right values. + + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Usercube to an external system, two process options are available according to your +needs: either aim directly to identity management and the opening of Usercube to end-users, or first +build the role model in order to enable more administration activities. Both options can be started +simultaneously. + +### Option 2A: Straight to identity management + +Go directly to the common final steps (step 10). + +### Option 2B: First build the role model + +8. [Create roles in the role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + for applications managed by the system. +9. [Automate role assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md) + if needed: use Role Mining to create single role rules in bulk; adjust the generated rules + individually and manually. + +### Common final steps + +10. Adjust HR workflows to keep the workforce directory updated (only in XML configuration). +11. [Define the permissions for your user profiles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md). +12. Define the authentication mode by configuring `SelectUserByIdentityQueryHandlerSetting` (only in + XML configuration), and + [assign profiles to users](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + to open the application to end-users. 
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/global-process/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/index.md new file mode 100644 index 0000000000..58dd20715d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/global-process/index.md @@ -0,0 +1,17 @@ +# Global Process + +How do the process activities success each other. + +NETWRIX recommends working with a SaaS installation and with the User Interface as long as possible, +because identity management is optimized by mastering identities inside Usercube. + +Be aware that the integration of an IGA tool is an iterative process. There is no simple linear +process. This user guide provides the following processes that can follow one another and +intertwine. + +- #### [How to Start](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-start/index.md) + How to start integrating Usercube with your own needs.- #### + [How to Maintain the Workforce Directory](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md) + How to keep the workforce directory up to date.- #### + [How to Implement a New System](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/howto-newsystem/index.md) + How to add a new system to the solution. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/index.md new file mode 100644 index 0000000000..08671addcb --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/index.md 
@@ -0,0 +1,110 @@ +# User Guide + +Usercube's User Guide leads the reader through all the necessary steps to autonomously build an IGA +solution based on Usercube, either from scratch or using Usercube's IGA Core Solution, with the aim +of quickly delivering value. + +## Target Audience + +This guide is intended to be read by Usercube administrators, i.e. power users who configure +Usercube to match their company's needs. + +## Prior Knowledge + +This guide presumes some knowledge of Usercube on the part of the reader who should have previously +read the [Introduction Guide](/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md) in +order to be aware of the main purposes, principles and capabilities of Usercube. + +Using this guide does not require any advanced IT skills. All the configuration steps take place +through Usercube's UI or MS Excel files. + +NETWRIX strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/6.1/identitymanager/introduction-guide/index.md) to fully +benefit from the User Guide's content. + +## Overview + +This guide is made of step-by-step procedures that take the reader through setting up Usercube from +scratch and creating IGA value as quickly as possible. + +The procedures are meant to guide the reader through a standard setup, based on Usercube's IGA Core +Solution, and with NETWRIX' suggestions and recommendations. Any advanced configuration can be +performed later using the content of the +[Integration Guide](/docs/identitymanager/6.1/identitymanager/integration-guide/index.md). + +Thus, even when having very specific needs, NETWRIX still recommends starting the project with the +basics presented in this guide. The IGA solution can be enhanced later on with the help of NETWRIX' +experts. This way, IGA value can already be delivered while the project continues for optimization +purposes. 
+ +## Content + +This guide is organized into activities, each activity containing an overview, the input, output, +and participants as well as step-by-step procedures and a way to verify the outcome. + +Some activities are grouped together when they depend on each other to create value or when they +contribute to a same goal. + +While some activities must be carried out before others for technical and/or functional reasons, the +order is not absolute. Please follow the instructions and recommendations detailed with the +[global process](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/index.md). + +All activities are organized into bigger sections which are distinguishable by their functional +intent: set up; administrate; optimize; deploy and maintain. + +### Set up + +Learn how to configure a working environment, how to set up identity lifecycles, and how to build a +catalog of roles for entitlement management, in order to configure the Minimum Viable Product. + +### Administrate + +Learn how to enforce your security policies through access certification, or resource/role +reconciliation, provisioning review, etc. + +### Optimize + +Learn how to enhance the IGA solution through automation and model optimization. + +> For example, learn how to adjust the identity model and the role model in order to make them +> resemble the company's reality, learn how to improve the data quality by automating entitlement +> assignment decisions, or by automatically provisioning assignments to the managed systems. Learn +> how to push the automation wall thanks to Usercube's AI with role mining. + +### Deploy + +Learn how to deploy the solution to a production environment. + +### Maintain + +Learn how to maintain the solution, because the project is iterative. Learn how to keep the data +model up to date according to the company's changes, or how to add new systems to the loop, while +Usercube is already running in production. 
+ +## How to Use this Guide + +Start by studying the +[global process](/docs/identitymanager/6.1/identitymanager/user-guide/global-process/index.md) that +details every activity in their respective sections and how they relate to one another. You will get +a good view of the steps to take from start to finish. + +Follow the path, stop at each activity, and go check out the details on the matching page of the +guide, in the corresponding section. There you will find recommendations and practical steps to +complete the activity and test it. Then you can resume following the path. + +At any step along the way, once you feel comfortable, you can decide to take another direction than +the recommended process, as long as you take into account the input artifacts specified in each +activity page, which represent actual technical dependencies. You can start an activity only if all +the previous technical dependencies are met. + +Keep in mind that completing sections one by one is the quickest way to deliver value. Nevertheless, +they are not rigorously dependent on each other. You do not have to complete one entirely in order +to go to the next. But they are not rigorously independent either. There are some activities in the +first one that are required for activities in the second. Read the input artifacts to choose the +correct order. + +> For example, if you are looking forward to fixing non authorized account (from the +> **Administrate** section) you do not have to complete the **Set Up** section entirely. You just +> have to complete the **Categorize Resources** activity, and all the activities connected to it +> upstream . You do not have to complete other activities such as the **Create Roles in the Role +> Catalog** activity. 
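Review bot: the closing example of "How to Use this Guide" in user-guide/index.md refers to the **Set Up** section, while the heading added earlier in the same file is `### Set up`; use one casing so the reference matches the heading. In the same example, "fixing non authorized account" should read "fixing unauthorized accounts", and "upstream ." has a stray space before the period. The **Categorize Resources** and **Create Roles in the Role Catalog** activities named there are plain bold text, unlike the linked global process references above; linking them would let the reader reach the input artifacts this section tells them to read before choosing an order.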
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md new file mode 100644 index 0000000000..4479d78159 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md 
@@ -0,0 +1,41 @@ +# Update Identity Data + +How to perform modifications in the identity repository, to manage onboarding, offboarding and +position changes. + +This part is not about changing the data model, but data itself. + +## Overview + +After the identity repository is initiated, you will need to modify it for many possible reasons. +Among them: + +- update all identities with new attributes because you didn't have the required information during + the repository creation, or because it wasn't a priority for you then; +- perform onboarding: add new identities as new workers arrive in the company; +- modify identities' attributes to fix existing errors, or to reflect a real change in users' data, + or model a position change; +- remove identities' attributes, as they are no longer required to manage entitlements; +- perform offboarding: remove identities with all their attributes, as users leave the company. + +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data. 
+ +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data (required) | Updated identity repository | + +## Modify Identity Data + +Modify identity data by proceeding as follows, according to the changes to be made: + +- either + [update data individually](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) + by using predefined workflows in the UI; +- or + [perform a same change on several identities simultaneously](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md) + by using Usercube's predefined workflow in the UI; +- or + [update data on a massive scale](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) + by uploading an external file into Usercube, as an incremental version of the identity repository. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md new file mode 100644 index 0000000000..9e831193ef --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md 
@@ -0,0 +1,72 @@ +# Update an Individual Identity + +How to manage onboarding, position changes and offboarding through the UI, for a single identity. + +This part is not about changing the data model, but data itself. + +## Overview + +Individual changes in identity data can be handled using Usercube's predefined workflows to: + +- [declare a new identity](#declare-a-new-identity) (for an internal as well as an external worker); +- act on existing identities, including modify their data, manage their contract and/or positions, + suspend all accounts linked to them, or reactivate them, repair some data, or delete these + identities. + +## Participants and Artifacts + +A given user's data can be updated occasionally by their manager, but most often by the HR +department. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data (required) | Updated identity repository | + +## Declare a New Identity + +Declare a new worker by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. According to the type of the user to be declared, click on the corresponding button. + + ![Workflow - New User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp) + +3. 
Follow the workflow's instructions to fill the form with the user's data, choose the user's + entitlements from your + [role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + and send the request. + +## Act on an Existing Identity + +Act on an existing identity by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** or **Helpdesk** to select the action to perform. + + ![Workflow - Modify Permissions](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions. + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. In this case, the requested updates + will be displayed in Usercube only after the request has been reviewed. + + ![Request - Review Pending](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process, check that the right data is displayed in the directory for the +involved user. + +![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) 
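Review bot: in the Overview list of individual-update/index.md only the first bullet links to its section (`#declare-a-new-identity`); the second bullet, "act on existing identities", has no link to the "Act on an Existing Identity" section added further down. Add the matching anchor so both entries navigate. In step 4 of that section two consecutive sentences open with "In this case", and the text says the updates are displayed "only after the request has been reviewed" without distinguishing approval from refusal; say explicitly that the change is applied only once the reviewer approves it, if that is how the workflow behaves.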
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md new file mode 100644 index 0000000000..86c973254d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md 
@@ -0,0 +1,132 @@ +# Update Identities in Bulk + +How to perform a mass change in identity data, by uploading an incremental version of the identity +repository. + +This part is not about changing the data model, but data itself. + +Here we describe the incremental update of identities, but the update of any other +[File/CSV](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/csv/index.md) +works the same. + +## Overview + +When the number of changes gets high, identity data update through the UI becomes tedious. +Therefore, Usercube offers the possibility to fill a predefined file with data to be modified, in +order to perform all changes simultaneously. + +Data update can be performed in complete mode or incremental mode. + +## Participants and Artifacts + +Identity data can be updated most often in cooperation with the HR department. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data (required) | Updated identity repository | + +## Update Data in Complete Mode + +Mass update identity data (in complete mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the Excel template full of the data from your database. 
+ + ![Download Full Template](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp) + +4. Update the data that needs change. +5. Ensure that the field `Path (Complete mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, + [launch synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + + Be cautious about + [thresholds](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + +## Update Data in Incremental Mode + +Mass update identity data (in incremental mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the empty Excel template. + + ![Download Full Template](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp) + +4. 
Fill only the data to be modified, specify the unique identifier for each entry (for correlation + purposes), and fill the column `Command`, which can take a few available inputs: + + - `Add` to incorporate new attributes; + - `Modify` to change existing attributes; + + Attributes can be emptied using the value `NULL_NULL`. + + - `Delete` to remove attributes from the datamodel; + + Instead of using `Delete`, you can + [scan the data model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + to exclude unused attributes. + + - `Merge` to input an identity's data and modify the corresponding attributes if said identity + already exists, create a new identity otherwise. + > For example, if a few users switch working sites, then the modification is performed by + > filling the file only with said users' identifiers and new sites. Fill the column + > `Command` with `Modify`. The rest will not be changed. + +5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, + [launch synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + + Be cautious about + [thresholds](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. 
You should verify + at least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory accessible from the home page. + + ![Home - Directory Department](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list them with their + managers through the + [Query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). + +- [Create reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + with indicators on the workers number per type or per organization for example (through Usercube' + predefined reports, the Query module or Power BI), in order to ensure that Usercube's content + sticks to reality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md new file mode 100644 index 0000000000..de011fe67e --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md 
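Review bot: in step 4 of "Update Data in Incremental Mode" (mass-update/index.md), `Delete` is described as removing attributes "from the datamodel", which contradicts the page's opening statement that it "is not about changing the data model, but data itself". Say what `Delete` removes from an identity's data, or move the data model remark out of this procedure. In the same list, the `NULL_NULL` remark sits between the `Modify` and `Delete` bullets, so it is unclear which commands accept it, and the worked example follows `Merge` although it illustrates `Modify`. The image `datamodif_downloadtemplateempty_v602.webp` keeps the alt text "Download Full Template". "Be cautious about thresholds" links to the same page as "launch synchronization" and does not say what to check; since one uploaded file can overwrite or remove attributes for many identities at once, state which threshold to review before launching.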
@@ -0,0 +1,67 @@ +# Update Multiple Identities + +How to perform a same change in data for several identities simultaneously. + +This part is not about changing the data model, but data itself. + +## Overview + +When a same change is needed by a high number of users, then Usercube provides a UI workflow to +perform this change for all selected identities simultaneously. + +> For example, if a whole department in the company is moved to a new working site, then all users +> working in said department must have their `Site` attribute updated. + +## Participants and Artifacts + +Given users' data can be updated occasionally by their managers, but most often by the HR +department. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data (required) | Updated identity repository | + +## Update + +Perform multiple updates by proceeding as follows: + +1. Click on **Multiple Updates**, accessible from the directory on the home page. + + ![Home Page - Multiple Updates](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp) + +2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and + send the request. + + ![Multiple Updates Form](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp) + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. 
In this case, the requested updates + will be displayed in Usercube only after the request has been reviewed. + + ![Request - Review Pending](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. You should verify + at least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory on the home page. + + ![Home - Directory Department](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the + [Query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). + +- [Create reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + with indicators, for example, on the number of workers per type or per organization (through + Usercube's predefined reports, the Query module or Power BI), to ensure that Usercube's content + sticks to reality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/index.md new file mode 100644 index 0000000000..c3dce9a8f9 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/index.md @@ -0,0 +1,17 @@ +# Maintain + +- #### [Update Identity Data](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md) + + How to perform modifications in the identity repository, to manage onboarding, offboarding and + position changes. + +- #### [Update an Individual Identity](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) + How to perform changes in data for a single identity, through the UI.- #### + [Update Multiple Identities](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md) + How to perform a same change in data for several identities simultaneously, through the + UI.- #### + [Update Identities in Bulk](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) + How to perform a mass change in identity data, by uploading a complete or incremental version of + the identity repository. +- #### [Troubleshoot](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/troubleshooting/index.md) + How to troubleshoot Usercube when facing technical issues. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/maintain/troubleshooting/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/troubleshooting/index.md new file mode 100644 index 0000000000..4fd9be3598 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/maintain/troubleshooting/index.md 
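Review bot: the list in maintain/index.md has item markers glued to the preceding description: two descriptions end with `.- ####`, so the next entry's bullet and heading run into the previous text and its link starts on a continuation line. Put each `- ####` entry on its own line. The three update pages sit under identity-data-modification/ in the path hierarchy but are listed at the same level as "Update Identity Data"; nesting them under that entry would mirror the structure the links point to.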
@@ -0,0 +1,143 @@ +# Troubleshoot + +How to troubleshoot Usercube when facing technical issues. + +## Overview + +Daily technical issues can lead to some unexpected results in Usercube. This page is meant to give +some clues and use cases in order to solve usual issues. + +> For example, the issues described below can happen when there is a network cut, or an application +> IP address is being changed, or an important password is being modified. + +[See troubleshooting instructions concerning connector jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md). + +### Prerequisites + +In order to troubleshoot Usercube efficiently, the user, usually an application administrator, must +have access to: + +- the connector screens, especially the jobs available there; + + ![Connector Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp) + +- the resource screens (identities, accounts, etc.) with their data, and especially their history + and sources; + + ![User Data](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp) + +- basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements + and enable data modification and repair. + + ![Helpdesk Workflow](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp) + +## Participants and Artifacts + +Here integrators give way to managers to handle the solution by themselves. 
+ +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------- | ------------------- | +| [Implemented system](/docs/identitymanager/6.1/identitymanager/user-guide/deploy/implementation/index.md) (required) | Working environment | + +## Troubleshoot Synchronization Issues + +### Errored export task + +If the export task ends with an error, then you should: + +- check the task's logs; +- check the export files' dates in the `Temp/ExportOutput` folder; +- if there was an external problem, then relaunch the export in complete mode. + +### Missing data after incremental synchronization + +If the data is incomplete after incremental synchronization, then you should relaunch +synchronization in complete mode. + +NETWRIX recommends scheduling an incremental synchronization approximately every 15 minutes, and a +complete synchronization once a day. + +### Exceeded thresholds + +If a synchronization threshold is exceeded, then check whether the threshold is legitimate. If not, +it means that the warning comes from a change in the managed system, so you should fix the data +directly in the managed system. + +[See more details on synchronization thresholds](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). 
+ +## Troubleshoot Provisioning Issues + +### Blocked provisioning orders + +If provisioning orders are blocked while expected to be automatic, it can come from: + +- the **Require Provisioning Review** option being enabled in the related resource type; +- the role model being computed through the + [`ComputeRoleModelTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + or the corresponding executable, with the block provisioning option; +- a provisioning order being already blocked for the same resource due to a prior operation; +- a correlation/classification rule with a confidence rate below 100%, which means that either + important data is missing or the rule is not right. + +**Verify:** After debugging the blocked-order situation, the related blocked orders must be reviewed +on the **Provisioning Review** screen to be unblocked. + +### Errored provisioning orders + +> For example, consider a provisioning task supposed to delete 150 accounts, while the relevant +> service account does not have the relevant writing rights. Thus it ends up with 150 errored +> provisioning orders. + +If provisioning orders end up with an error, then you should check the errors' details in +**Provisioning Review** to determine where the error comes from. + +**Verify:** After debugging the errored-order situation, unblock one provisioning order and relaunch +provisioning to make sure the fix gives the expected result. Only then, unblock all related errored +orders and relaunch provisioning. + +If the error comes from miscalculated properties, for example missing parent dn or duplicated +logins, then you should review scalar and/or query rules. + +**Verify:** After debugging the situation, recompute the role model for only one user to make sure +the fix gives the expected result. Only then, recompute the role model for all users through the +**Compute Role Model** job of connector screens. 
+ +To recompute the role model for only one user, you can use the helpdesk workflow. It will give you +access to the user's entitlements via the workflow's **Access Permissions** step, where you can +check the changes without having to validate. + +### Incorrect provisioned values + +If provisioning orders produce incorrect values, then it can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the helpdesk workflow for debug purposes. + +> For example, if identity data has changed and HR data has not, then it must come from the rules. + +### Exceeded thresholds + +If a provisioning threshold is exceeded, then check whether the threshold is legitimate. If not, it +means that the warning can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the helpdesk workflow for debug purposes. 
+ +## Troubleshoot Entitlement Issues + +If users have unexpected entitlements, then you should click on an entitlement and/or access +**Workflow Overview** to see the entitlements' details, for example who requested them, etc. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md new file mode 100644 index 0000000000..5194f8ebca --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md 
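Review bot: both "Exceeded thresholds" sections in troubleshooting/index.md tell the reader to "check whether the threshold is legitimate" and then cover only the "If not" branch; neither says what to do when the volume of changes is expected, which is exactly when an administrator needs a documented way forward rather than an improvised one. Add the action for the legitimate case, and reword so that it is the exceeded volume of changes, not the threshold, that is judged legitimate. The two H3 headings share the same title, so a link to that heading is ambiguous; qualify them as synchronization and provisioning. "See more details on how to use the helpdesk workflow for debug purposes." appears twice with no link target. In the "Incorrect provisioned values" and provisioning "Exceeded thresholds" lists the first bullet ends with a period and the second with a semicolon, and the **Verify** paragraph is attached to the second bullet although it reads as applying to both causes.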
@@ -0,0 +1,117 @@ +# Automate Role Assignments + +How to manually build rules to automate the assignment of +[roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +to identities. + +## Overview + +Single role rules and composite role rules are assignment rules. Assignment rules are designed to +automatically assign respectively +[single roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +and +[composite roles](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md) +(based on specific criteria) to identities. One rule must be created for every role to assign. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Role assignment rules | + +## Create a Role Assignment Rule + +Create a role assignment rule by proceeding as follows: + +1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration** + section. + + ![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. 
Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top + right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create an Assignment Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp) + + - `Single Role`: single role to be automatically assigned in a single role rule. + `Composite Role` for a composite role rule. + - `Type`: assignment type that can be: `Suggested` so that the role is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the role is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the role is listed in the permission basket of new + workers, these assignments can still be modified. + + The rule's type can be `Suggested` only if the related role is allowed to be requested + manually. + + - `Single role denied`: option that forbids the assignment instead of applying it. + - **Criteria**: conditions that, if met, trigger the single role automatic assignment. + + Role assignment rules can be based on identity dimensions. Moreover, single role rules can be + based on composite roles. + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a role assignment rule is taken into account when the next +[`ComputeRoleModelTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +runs to compute new assignments. Therefore, if a given rule's criterion is modified, then all +corresponding assignments are computed again. 
If a role was assigned automatically to an identity by +a role assignment rule, and if this assignment doesn't comply with the new version of the rule, then +the corresponding role is automatically removed. + +A modification in a role assignment rule can trigger the removal of a role only on the Usercube +side. There are several barriers to cross before said role is removed from the managed system. + +> For example, consider a single role rule that assigns the single role +> `Business role: electronic banking` to all users in the `Tours` department. Let's say that we +> replace `Tours` with `Orleans`. Then, after the next launch of the complete job, all users in the +> `Orleans` department get said role, while the users in the `Tours` department are deprived of said +> role. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in role +assignment rules. + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +NETWRIX recommends removing redundant assignments after any assignment rule is created or updated. + +NETWRIX recommends +[removing redundant assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) +after any assignment rule is created or updated. + +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. 
Create a role assignment rule for a role that said user doesn't already have, and based on + criteria which the selected user satisfies. +3. Trigger the computation of the role model through the complete job on the **Job Execution** page + in the **Administration** section. + + ![Home - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +4. See the new permission in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md new file mode 100644 index 0000000000..26b55923b8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md 
@@ -0,0 +1,225 @@ +# Automate Assignments + +How to automate entitlement assignment. + +## Overview + +Once you are able to assign manually the right entitlements to the right identities for the right +reasons, you realize how tedious and error-prone entitlement assignment is, and you want to automate +it. + +The strategy for the automation of entitlement assignment lies in the automatic making of assignment +decisions, based on several automation levels provided by Usercube: + +1. Automation of the creation of the role model, i.e. both roles and navigation rules that represent + entitlements in the managed systems, through + [role naming rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + based on resources' naming conventions in the managed systems. +2. Automation of entitlement assignment through + [assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md), + which use identity criteria (called + [dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions), + like identities' department or work location, etc.) to decide what entitlements to assign + automatically to identities. +3. Automation of the creation of said assignment rules through + [Role Mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md), + based on existing data analysis. + +![Automation Concept](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp) + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. 
+ +NETWRIX recommends removing redundant assignments after any assignment rule is created or updated. + +NETWRIX recommends +[removing redundant assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) +after any assignment rule is created or updated. + +The main goal of automation is to reach the optimal cost, playing on assignment efficiency, quality +and quantity. + +### Assessment of manual assignment + +So far, Usercube's configuration has enabled users to use workflows to add and remove entitlements +to/from identities. These assignments can be +[fulfilled](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) +manually or automatically, but the decision-making process that defines who gets what entitlement is +still manual. Manual assignment poses the following risks: + +- Delay can happen: on the day a worker joins an organization, they rely on a manual action to get + all the entitlements required for them to start working. Even with + [roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + aiming to help managers to understand actual entitlements, delay happens. +- Errors can happen: human mistakes are expected in role distribution, even though largely mitigated + by the + [role review process](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + and + [certification campaigns](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md). +- It is time-consuming. + +The entitlement management cost mainly varies according to the number of managed entitlements. +Manual processing for entitlement requests implies a linear growth of the management cost according +to the number of managed entitlements. 
+ +![Optimal Cost Chart - Manual Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp) + +### Automation benefits + +There is a high potential gain coming with the automation of assignment decisions: + +- Machine Learning masters the error rate, as it is used as a parameter for Role Mining, i.e. + masters false positive assignments (entitlements assigned to a user while they ought not to) which + constitute a security breach, and false negative assignments (entitlements not assigned to a user + who needs it) which are functionnaly blocking; +- Machine Learning achieves lower error rates than people; +- Machine Learning can compute the role model way faster than a person. Consequently, the model can + be computed more frequently and thus sticks closer to reality. + +![Optimal Cost Chart - Automation Benefits](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp) + +Automation helps integrators find basic assignment rules and face the previous risks, thus reducing +cost. + +### Automation precautions + +Assignments do not have to be automated all at once. + +On the one hand, before being automatically assigned, entitlements can be merely suggested by +Usercube and assigned manually. + +On the other hand, a distinction can be made between assignments according to their sensitivity, for +example using different error rates, or using +[simulation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md), or +automating the assignment of basic entitlements while suggesting sensitive entitlements, etc. + +This way, security can be improved for example by making certification target only the sensitive +entitlements that cannot be processed by Machine Learning. There is no need anymore to certify +automatic assignments. 
+ +Plus, you can also use attributes as additional precautions, such as a grace period during which, +after the application of a rule revoking a resource/entitlement, managers can decide for each user +individually whether they need to keep said entitlement. + +In a way, maturity with Machine Learning in IGA is much like a GPS: once we traveled using only +paper maps, before the first navigation tools were commercialized. Then we learned how to use these +tools, while keeping a map to be able to verify the GPS instructions. We found secure methods to +navigate through all GPS evolutions, until we trusted GPS enough to guide us completely. + +### Automation limits + +However, automation implies an increasing number of rules. And a high number of rules implies a +certain complexity in rule model understanding, and consequently hiring expensive expert contractors +to write the right rules. It drives up costs considerably and draws you near the automation wall. + +![Optimal Cost Chart - Automation Limits](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp) + +The automation wall represents the automation threshold that cannot be overcome. It mostly comes +from the fact that with limited data, automation capabilities are also limited. Everything cannot be +automated. + +### Automation strategy + +The idea is to stop automation when the automatic cost curve increases faster than the manual cost +curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix +of automatic and manual assignments. + +![Optimal Cost Chart](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp) + +Automation strategy consists in using Machine Learning through Role Mining to get closer to the +automation wall. 
And, as Role Mining doesn't enable overcoming said wall, the goal is to move the +wall further away by improving data quality and quantity. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Ideally automated role model | + +## Automate Entitlement Assignment + +The process of assignment automation is the following: + +1. [Perform Role Mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) + to approach the automation wall. + + Role Mining covers more use cases than writing assignment rules manually. It diminishes the + error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to + the automation wall. + + ![Optimal Cost Chart - Role Mining](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp) + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, thus creating security issues. However, experience shows that a + slight error tolerance in Role Mining can highly benefit automation. + + NETWRIX recommends trying Role Mining with **1%** tolerated false positives, and **99.5%** + expected precision. Then adapt to your situation according to the reports. + + For example, suppose an organization working with many distinct departments. 
If you see that the + automation rate skyrockets when the error rate reaches the number of workers in one department, + then it probably means that Usercube misses data concerning one of the departments. Thus the + error rate allows Usercube to "ignore" one of the departments in the organization, and optimize + automation. + +2. Generate and analyze + [reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) with + tools like + [Power BI](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) to + assess the automation wall and identify improvement areas. + + > For example in the following Power BI chart, automation is, on average, highly implemented + > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers + > about their respective projects. This is a typical area for improvement in data quality. + > + > ![Data Quality Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp) + + > For example, if charts show a high number of identities in the category `No Position`, + > integrators understand that the data model must be completed for role mining to be efficient. + > + > ![Data Quantity Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp) + + > For example, if charts show a high number of unused roles, integrators understand that the + > role model needs further improvement because roles are not adequate. + > + > ![Data Quality Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp) + + > For example, if charts show low automation rate per department, integrators will understand + > that many identities may have switched departments while keeping their previous entitlements. 
+ > + > ![Data Quality Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp) + +3. Improve data quality and quantity to move the automation wall. + + Whether automatic or manual, assignment decisions are based on existing data analysis. Data + quantity and quality therefore define the position of the wall. + + Improvement in existing data quantity and quality entails the possibility of managing a higher + number of entitlements. + + ![Optimal Cost Chart - Improved Data](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp) + + A high quantity of data simplifies data analysis and inferences in assignment rules. + + A high quality of data also simplifies data analysis and enables better accuracy in assignment + rules. + + > For example, contractors' data is often less familiar to HR departments. Efforts can be made + > in this direction to enhance automation. + + Moreover, focus must be directed on actual and correct entitlements, using Usercube's + [access certification](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md). + + Data reliability prevents integrators from easy extrapolation mistakes. + + > For example, consider the NETWRIX team in Marseilles mostly composed of R&D workers. If + > integrators miss information, they might inadvertently create a rule giving `R&D` group + > membership to all workers in Marseilles, while there are also workers from other departments. + +4. Repeat. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md new file mode 100644 index 0000000000..6c0a7da628 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md 
@@ -0,0 +1,124 @@ +# Remove Redundant Assignments + +How to remove redundant assignments, i.e. +[manual](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +assignments of roles and resource types that are assigned by a rule too. + +## Overview + +[Assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +can sometimes give to users an entitlement that they had already received manually. Hence, new +assignment rules can imply redundancies between the entitlements assigned manually and approved, and +those calculated by a rule and assigned automatically. + +NETWRIX recommends removing redundant assignments after any assignment rule is created or updated. + +This guide is about switching the manual assignments, which are allowed by the role model, into +calculated automatic entitlements handled by the role model. Once automatic, an entitlement is fully +part of the role model and stops constituting an exception. + +### Assignment validity period + +All entitlements are assigned on a given validity period, i.e. from a given start date to a given +end date: + +- When assigning an entitlement to a user manually, the start and end dates are specified + explicitly. +- When assigning entitlements to users via assignment rules, the start and end dates are based on + the owner's data, for example their contract or position start/end dates. These assignments are + automatic. + +NETWRIX recommends always preferring calculated assignments over manual ones, because calculated +assignments follow the changes in their owners' data and are consequently more secure. + +For example, consider a user Jean who starts working as an architect with a given role. +When assigning the role manually, when Jean changes her job, her manager will have to remove the +role manually. 
When assigning the role via a rule, when Jean changes a job, the role will be removed +automatically. + +### Process + +This process is an optimization of the role model. It is part of the "compute role model" process +where all rules of the role model are applied. + +The classic behavior gives priority to approved manual entitlements over calculated automatic ones. +A manual assignment stays as is, even if the entitlement is also assigned by a rule. + +> For example, consider a user who has a given entitlement which was assigned to them manually on +> several distinct time periods. When creating a rule that assigns the same entitlement to them +> automatically on a given time period, then we have: +> +> ![Schema - Compute Role Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp) + +The redundant assignment analysis gives priority to the rules inside the role model and the policy. +When an entitlement is assigned via a rule, it is stated as calculated, even if it is also assigned +manually. Thus, manual assignments whose start and end dates overlap with the validity period are to +be truncated or deleted. + +> For example, consider the same situation as before. Using the redundant assignments analysis, then +> we have: +> +> ![Schema - Redundant Assignment Analysis](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp) + +Redundant assignments can be removed by Usercube only when the corresponding assigned items are +tagged as redundant and displayed in the most recent report. The manual assigned items that are not +tagged are still kept as discretionary entitlements and will not be removed. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) [Role assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) (required) [Role mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) (optional) | Minimized derogations | + +## Remove Redundant Assignments + +Remove redundant assignments by proceeding as follows: + +1. Click on **Redundant Assignments** on the home page in the **Administration** section. + + ![Home Page - Redundant Assignments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +2. Click on **Analyze** to tag the manual roles and resource types from all policies eligible for + conversion to an automatic state. + + ![Redundant Assignments - Buttons](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp) + + Previous tags are cleared at each instance of this tagging process. + +3. 
Click on **Download Excel** to download a dedicated XLSX report which contains one tab per entity + type representing identities. + + > The following example states that in the entity type `Directory_User`, the user Nicholas + > Acosta had the single role `Banking/Sales/Eunomia/Administrator` starting from February 28th + > 2023 (dateA) until May 16th (dateD). A new single role rule assigns him this role from April + > 14th (dateB) until 25th 2023 (dateC). + > + > ![Redundant Assignments - Report Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp) + > + > It means that Nicholas Acosta will have the role in the calculated state from dateB to dateC, + > and he will keep the role in the approved state from dateA to dateB and from dateC to dateD. + +4. If the report's content is satisfying, then click on **Apply** to actually switch eligible manual + roles to calculated. + +## Verify Redundant Assignment Removal + +In order to verify the process: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. For one of the users mentioned in the report, access their permissions. + + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +3. Check that their roles (mentioned in the report) have actually switched from approved to + calculated. + + > When removing redundant assignments based on the previous report example, we can see: + > + > ![Redundant Assignments - Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp) 
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md new file mode 100644 index 0000000000..ab713ed802 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md 
@@ -0,0 +1,185 @@ +# Perform Role Mining + +How to use role mining to suggest role assignment rules based on existing assignments, in order to +push the +[automation wall](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md) +further. + +## Overview + +After the role catalog is established, the +[Compute-RoleModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task is able to assign single roles to users according to their attributes which are used as +assignment criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the Compute-RoleModel task is able to assign single roles to users according to their existing +> group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +which will assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions) +that constitute the key criteria for existing role assignments. 
It detects the most probable links +between identities dimensions and their roles in order to suggest the appropriate entitlement +assignment rules. + +> For example, suppose that 80% of NETWRIX workers in Marseilles have access to an application +> "App". Then, role mining is most likely to recognize the working site as a relevant dimension, and +> suggest to create a rule that gives the "App" access to users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the +[role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +### Technical Principles + +Role mining works through +[mining rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +that Usercube applies with the +[`GetRoleMiningTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +[See more details about role mining](/docs/identitymanager/6.1/identitymanager/integration-guide/role-mining/index.md). + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Single role rules | + +## Create a Mining Rule + +Create a mining rule by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Role Mining** button. 
+ + ![Home page - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp) + + You will see all existing mining rules. + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Mining Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp) + + - `Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + in which the mining rule exists. + - `Entity Type`: + [entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + on which the mining rule is applied, i.e. the entity type targeted by role mining's + entitlement analysis. + - `Category`: + [category](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + containing the roles targeted by role mining's analysis. + - `Include roles with specific validations`: includes in role mining's analysis the roles + requiring zero and/or one and/or two and/or three validations. + - `Exclude Role from Mining`: ignores the specified roles during the mining process triggered by + the next mining rules (in terms of priority). + - `Rule Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + in which the single role rules will be generated. + + NETWRIX recommends using a policy dedicated to role mining in order not to remove existing + assignment rules. 
+ + - `Rule Type`: type of the generated single role rules, which defines the type of role + assignment that can be: `Suggested` so that the resource type is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the resource type is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the resource type is listed in the permission basket + of new workers, these assignments can still be modified. + - `Priority`: priority order of the mining rule. Usercube applies mining rules one after the + other in descending order. + - `Minimum Precision`: minimum authorized percentage of correct role assignments, considering + both the roles that are assigned to users who should have them, and the roles that are not + assigned to users who should not have them. + + NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application + and/or a large user population, and vice versa. + + - `Maximum Allowed False Positives`: maximum authorized percentage of false positive + assignments, i.e. roles that are assigned to users who should not have them. + + NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a + large user population, and vice versa. + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, and thus creating security issues. However, experience shows that a + slight error tolerance in role mining can highly benefit automation. + +3. Click on **Create** and see a line added on the rules page. +4. 
Click on **Simulate** to perfom role mining in a + [simulation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md). + + ![Role Mining Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp) + + If you need to bypass the simulation process, clicking on **Launch** will perform role mining + and apply its results directly. NETWRIX recommends always performing role mining in simulation. + +## Impact of Modifications + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +NETWRIX recommends removing redundant assignments after any assignment rule is created or updated. + +NETWRIX recommends +[removing redundant assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) +after any assignment rule is created or updated. + +## Verify Role Mining + +In order to verify the process, access the rule list from the home page. + +![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select **Single Roles** and check that the single role rules are created with the right parameters. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md new file mode 100644 index 0000000000..6894389abe --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md 
@@ -0,0 +1,123 @@ +# Create a Composite Role + +How to define +[composite roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +in order to create sets of +[single roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +easy to assign. + +## Overview + +A +[composite role](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +is a set of single roles that are usually assigned together, because they revolve around the same +application, or the same job, etc. Composite roles are aggregates of single roles, they can help +organize the role catalog. + +![Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp) + +A composite role is a business role comprehensible by managers. It provides an additional layer of +abstraction above existing entitlements and single roles. We can say that if a single role allows a +user to perform a task, a composite role allows them to perform a job. + +### Composite roles and Role Mining + +Composite roles can also be created based on the rules provided by +[Role Mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md). +Rules link roles to dimensions. + +The following example shows single roles from `A` to `F`. Role Mining suggested the rules on the +schema, linking these single roles to the organizations `R&D` and `Project` as well as to the +functions `developer`, `writer`, `contractor` and `project manager`. The idea is to use these rules +to create composite roles. Here, we clearly have one role for `R&D-developer`, one for `R&D-writer`, +`Project-contractor` and `Project-project manager`. Thus, it is clear here that composite roles add +an abstraction layer. 
+ +![Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp) + +[Single role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +link composite roles to +[single roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md): +a single role rule states that specific single roles are assigned according to specific criteria, +particularly composite roles. Thus, a composite role assignment can imply specific single role +assignments. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------- | --------------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Composite roles | + +## Create a Composite Role + +Create a composite role by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles + page. + + ![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. On the roles page, click on the adequate category and create a role by clicking on **+ New** at + the top right corner. +3. Fill in the fields. + + ![Create a Composite Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_newcrole_v602.webp) + + - `Identifier`: must be unique among roles and without any whitespace. + - `Name`: will be displayed in the UI to identify the single role. 
+ - `Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + in which the role exists. + - `Entity Type`: entity type targetted by the role. + - `Category`: category assigned to the role. + - `Secondary Categories`: other potential categories assigned to the role. + - `Approval Workflow`: represents the number of validations required to assign the role. + - `Approve Role Implicitly`: needs at least a simple approval workflow. `Implicit` mode bypasses + the approval step(s) if the person who issues the role request is also the + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + `Explicit` refuses said bypass. `Inherited` follows the + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + decision to approve roles implicitly or not. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Comment Management on Permission Review`: to change if different from the role policy. + - `Maximum Duration`: duration (in minutes) after which the role will be automatically revoked, + if no earlier end date is specified. It impacts only the roles which are manually assigned + after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set + on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is + set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. + +4. Click on **Create** and see a line added on the roles page. +5. Create at least one + [single role rule](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + with the composite role as a criterion. 
+ +## Impact of Modifications + +When deleting a composite role, caution must be used when deleting the corresponding single role +rules. Indeed, these rules thus lose their criteria and may be applied to far too many people after +that. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in roles +and single role rules. + +## Verify Composite Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select composite roles and find the role you created inside the right category and with the right +parameters. + +![Access Composite Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp) + +For rules, follow the instructions about +[assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md new file mode 100644 index 0000000000..361e87a0c5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md 
@@ -0,0 +1,121 @@ +# Create an HR Connector + +How to create a +[connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) +dedicated to the automation of identity management (creation, update, deletion), via the +[synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +of HR data into Usercube and internal +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +## Overview + +### HR connector in the global process + +The HR connector is no priority but rather an optimization, handled at the end of the configuration +cycle. + +The HR connector is sometimes the first created connector, used to develop the identity repository. + +However, the HR connector requires a specific IT infrastructure (agent, proxy, Virtual Machine, +etc.) which can take time to implement, and delay the project's progress. + +Moreover, in the long run it poses a few problems as HR data usually misses crucial information such +as contractor data, or the projects employees are working on. This can mean that: + +- the identity repository is filled using several sources. And when creating identities + automatically from HR data and other sources, you need to specify which properties of each + identity can be overwritten by a change in HR and which cannot. This is to avoid manually changed + attributes being overwritten by the HR data by mistake. This is very tedious. +- the HR data is rarely up to date early enough to be really useful as a trigger for identity + creation and deletion. As a result, identities end up being created manually through workflows + most of the time. + +Hence we choose to build the first iteration of the project upon a manual data upload to +[create the initial identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md). 
+ +This way, we do not have to wait for the agent's implementation to create the first profiles and +start connecting systems (AD, SAB, SAP, etc.). Thus value is created faster and we can focus on IGA +activities such as the review of orphaned and unused accounts, eliminating risk earlier in the +process. + +We can still connect HR data, later on, to check consistency between our identity repository and HR +data, through a certification-like process. + +### Technical details + +An HR connector is considered an inbound connector, as it writes to the central identity repository +inside Usercube. + +![Inbound System=](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp) + +As Usercube is able to feed all managed systems, it can also feed itself thanks to specific +connections such as the +[InternalWorkflow](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) +connection. It means that the corresponding connector is able to launch workflows within Usercube +and keep track. + +Typically, an HR connector with such a connection would be able to launch workflows inside Usercube +for identity creation, update and deletion, based on HR files. + +## Participants and Artifacts + +This operation should be performed in cooperation with HR staff who can access HR data. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------- | ------------ | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) | HR connector | + +## Create an HR Connector + +Create an HR connector by proceeding as follows: + +1. Outside Usercube, + [model your connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). +2. 
[Declare an HR connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) + using your local agent. + + ![HR Connector Declaration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp) + +3. [Create an Export CSV connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + for each HR file to connect. + + ![HR Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp) + +4. [Create the entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + corresponding to your model. For example: + + ![HR Entity Type - Scalar Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp) + + ![HR Entity Type - Navigation Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp) + +5. Don't forget to + [reload](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + and + [synchronize](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + to access HR data within Usercube. + + ![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + + ![Synchronize Job](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + +## Verify HR Connector Creation + +In order to verify the process: + +1. Launch synchronization. +2. 
Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. + + ![Jobs Results](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp) + +4. Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the Eye icon: + + ![Eye Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should seek configuration validation, not validation of the actual data being synchronized. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md new file mode 100644 index 0000000000..382437b3c5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md 
@@ -0,0 +1,114 @@ +# Modify the Identity Data Model + +How to make data model properties evolve according to the organization's needs. + +## Overview + +The identity data model must contain all the information needed to manage identities and their +permissions, and only the information strictly required for this purpose. + +You already considered the data needed for identity management during: + +- the + [initial identities loading](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + and the creation of the identity repository; +- [connector modeling](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + which is the analysis phase before connector creation; +- [entity type creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + which is the technical implementation of the connector model. + +The data model established during these steps might change to evolve alongside the needs of the +connected systems, the management strategy, and any change in the organization such as a change of +structure, a new division, etc. + +This part is about integrating these changes in the existing data model. + +### Dimensions + +Usercube calls +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions) +the attributes that assignment rules rely on. They are essential criteria that differentiate users +in order to give them the appropriate roles. + +### Personal data security + +Only professional data should be used in the identity data model, not personal data. + +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data model. 
+ +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| [Initial identities loading](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data model (required) | Updated identity data model | + +## Add or Modify Properties + +The data model can be updated in the UI via a feature scanning the data model. This scan performs an +analysis on the data previously imported through the Excel file. It detects properties which are +always empty and suggests to remove them from the data model, for clarity purposes. + +> For example, some systems don't store phone numbers. Then, scanning the data model will allow +> Usercube to suggest removing the property about phone numbers. Note that Usercube only provides +> suggestions but makes no decision. You could choose to keep the phone number property anyway in +> order to fill it later. + +NETWRIX recommends updating the data model through the scan feature, as this feature is driven by +Usercube's suggestions. + +However, the identity data model can also be updated through the directory's entity types, following +the previously given +[instructions for entity type creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +### Through a data model scan + +Add or modify properties within the identity data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. Access the data model on the **Workforce** > **Data Model** page. +3. Change the display option to show or hide properties in the identity repository. 
+ + ![Scan Data Model - Display Option](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp) + +4. After your changes are complete, click on the Save icon at the top. + + ![Save Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Delete Properties + +Integrators should keep in mind that the fields that they want to delete might be used in connectors +or other places they didn't think about. Existing assignments might be impacted. + +Usercube suggests the removal only of empty fields. In this case, there is nothing to worry about. + +## Verify Data Model Modification + +In order to verify the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the department + directory accessible from the home page. 
+ + ![Home - Directory Department](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the + [Query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). + +- [Create reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + with indicators, for example, on the number of workers per type or per organization (through + Usercube's predefined reports, the Query module or Power BI), to ensure that Usercube's content + sticks to reality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/index.md new file mode 100644 index 0000000000..a942e11dc9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/index.md 
@@ -0,0 +1,47 @@ +# Optimize + +- #### [Modify the Identity Data Model](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + + How to make data model properties evolve according to the organization's needs. + +- #### [Create an HR Connector](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md) + + How to create a connector dedicated to the automation of identity management (creation, update, + deletion), via the synchronization of HR data into Usercube and internal provisioning. + +- #### [Manage Risks](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md) + + How to use the risk management module to identify entitlement assignments that pose a security + risk, especially about segregation of duties and high privileges. + +- #### [Create a Policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + + How to define policies to organize roles and rules. + +- #### [Automate the Review of Non-conforming Assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) + + How to automate the review of non-conforming assignments through automation rules. + +- #### [Automate Assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md) + + How to automate entitlement assignment. 
+ +- #### [Automate Role Assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + How to manually build rules to automate the assignment of roles to identities.- #### + [Perform Role Mining](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) + How to use role mining to suggest role assignment rules based on existing assignments, in order + to push the automation wall further.- #### + [Remove Redundant Assignments](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) + How to remove redundant assignments, i.e. manual assignments of roles and resource types that + are assigned by a rule too. +- #### [Create a Composite Role](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md) + + How to define composite roles in order to create sets of single roles easy to assign. + +- #### [Configure a Parameterized Role](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md) + + How to reduce the number of roles in the model by configuring roles with parameters. + +- #### [Perform a Simulation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) + How to assess the impact of a modification on the role model, including the role catalog, role + assignment rules and resource correlation rules, using a dedicated policy. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md new file mode 100644 index 0000000000..b243906d58 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md 
@@ -0,0 +1,104 @@ +# Automate the Review of Non-conforming Assignments + +How to automate the review of non-conforming assignments through automation rules. See the +[ Review Non-conforming Assignments ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and +[Automation Rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +topics for additional information. + +## Overview + +Non-conforming assignments can't be reviewed entirely automatically because this type of review +sometimes needs the intervention of a knowledgeable user. However, automation rules can help by +making automatic decisions (in place of the reviewer) on assignments that need to be reviewed after +a given waiting period. + +This type of rule is useful for example, when integrators intend to: + +- Decline all non-conforming assignments after X days to avoid accumulation. The waiting time can be + null if they need to delete non-conforming assignments as soon as they are detected; +- Automatically approve or decline discretionary requests if there is no validation after X days; +- Send notifications to validators before declining or approving pending approval assignments; +- Get information in order to deactivate an AD account if it hasn't been used in the past X days, + before deleting it. + +Integrators must show caution with pending approval assignments because this type of rule could +short-circuit the whole approval process. + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know the organization and their +team's entitlements. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------ | --------------------------- | +| Mastered non-conforming assignment review (required) Categorized accounts (optional) | Automated assignment review | + +See the +[ Review Non-conforming Assignments ](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and +[ Categorize Resources ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) +topics for additional information. + +## Create an Automation Rule + +Create an automation rule by proceeding as follows: + +![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**. + +![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule +will be applied. + +![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +**Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner. + +![New Automation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp) + +**Step 4 –** Fill in the fields. + +- Decision — Action to be taken on the described assignments. +- Criteria — Conditions that, if met, trigger the rule. + Currently, the criteria are used to match the context of an assignment and not the user data. 
+ For example, if a single role is assigned based on a specific Department, then the context of the + assignment has the information about the Department. In that case, an automation rule having in + its dimensions that given Department will match this assignment and could Deny/Accept it. +- However, if a single role is assigned without any context on the Department (for example, a manual + assignment with no parameter on the role), the automation rule will never match this assignment. +- **NOTE:** No context will never be present for non-conforming or pre-existing roles +- Type — Assignment type concerned by the new rule. Once filled, a new field is displayed to select + precisely an object from the existing objects belonging to this type. +- Workflow State — Workflow state of the assignments that need a decision. +- Waiting Period — Time period since the last change in the assignments' workflow states. + +_Remember,_ in a nutshell, this rule applies Decision to all assignments of Type (and matching all +criteria), whose workflow state has been set to Workflow State for more than Waiting Period. + +## Impact of Modifications + +A modification in an automation rule doesn't impact the assignments affected by the previous version +of the rule. + +## Verify Review Automation + +In order to verify the process: + +**Step 1 –** On the **Role Review** or **Role Reconciliation** screen, spot an entitlement +assignment. + +**Step 2 –** Create an automation rule matching said assignment. + +![Home Page - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +**Step 3 –** Compute the role model through the complete job on the **Job Execution** page. + +**Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed +according to the rule's settings. 
+ +![New Automation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp) + +Any role affected by an automation rule shows a specific message on the **Role Review** page. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md new file mode 100644 index 0000000000..144a4cdd37 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/parameterized-role/index.md 
@@ -0,0 +1,110 @@ +# Configure a Parameterized Role + +How to reduce the number of roles in the model by configuring roles with parameters. + +## Overview + +The assignment of a role to a user gives them an entitlement, usually a group membership, thanks to +a navigation rule. +[See more details on roles and navigation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +![Simple Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp) + +To enable the assignment of all existing entitlements, the role model usually contains numerous +roles. + +> For example, the SAP role can be given with slight differences according to the users' +> subsidiaries: +> +> ![Role Matrix](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp) + +In order to reduce the number of roles, we can configure roles with parameters by inserting a +criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on +the schema), we can have way fewer roles (right on the schema). + +![With/Without Parameters](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp) + +> In the previous example, with a parameter on the subsidiary, the number of roles would be divided +> by three. + +By extension, a composite role that assigns a parameterized single role is parameterized too. + +This way, when assigning a parameterized role, a popup window is displayed where the parameter must +be specified. + +The same thing goes with type rules instead of navigation rules when we want to assign resource +types instead of entitlements. + +## Configure a Parameterized Role + +Configure a parameterized role by proceeding as follows: + +1. 
Create in XML a + [dimension](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) + corresponding to the parameter that will affect the role. + + > For example, let's consider that we have many roles available on three different time slots: 8 + > hours a day, 12 hours a day, or 24 hours a day. We create a dimension for these time slots. + > + > ``` + > + > + > + > ``` + +2. In the UI, + [create a single role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md#create-a-single-role). + + > For example: + > + > ![Example - Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp) + +3. [Create one navigation rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + linked to the role for each available value of the parameter. + + > Here we have three navigation rules, one for each distinct time slot (dimension A). For + > example: + > + > ![Example - Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp) + + Make sure that the corresponding dimension is specified in the right `DisplayEntityType` in XML + to be displayed in the UI. + +4. Go back to the roles page to edit the single role from step 2, if needing to set the parameter + required. + + > For example: + > + > ![Example - Role Parameter Required](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp) + +5. 
If you want Usercube to provide suggestions to set the parameter's value, then make sure that + users' + [context rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) + specifies the dimension. + + > For example, with the `Title` dimension: + > + > ``` + > + > + > + > ``` + +## Verify the Parameterized Role + +In order to verify the process, +[request manually](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md) +the parameterized role for a test user. Some additional pop-ups are displayed to set a value for the +role's parameter. + +> In our example: +> +> ![Example - Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp) +> +> ![Example - Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp) + +If the dimension is specified in the users' context rule, then Usercube will provide suggestions. + +> For example, concerning the `Title` dimension mentioned above: +> +> ![Example - Suggestion](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md new file mode 100644 index 0000000000..c583b09e5a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md 
@@ -0,0 +1,89 @@ +# Create a Policy + +How to define +[policies](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +to organize roles and rules. + +## Overview + +A +[policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +is a subgroup of the role model. It defines an ensemble of +[roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +and +[assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/index.md) +that apply to specific identities. So policies are used to handle separately several sets of +identities, based on +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions) +with different permissions and workflows. + +Integrators must minimize the number of policies because it segments identities, and segmentation +implies high maintenance. NETWRIX recommends using one policy per population. A population is a +group of people that can be managed following the same rules, role model, workflows, etc. This +means, for example, one policy for workers (meaning employees and contractors), another one for +partners, another one for clients. But sometimes partners are included in the same policy as +workers, it depends on the organization. + +Usercube provides a default policy. Only when the project is mature enough should integrators think +about creating additional policies. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards identity management. 
+ +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------- | ------ | +| [Resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (optional) | Policy | + +## Create a Policy + +Create a policy by proceeding as follows: + +1. Access the policies screen by clicking on **Access Policies** on the home page in the + **Configuration** section. + +![Home - Access Policies](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp) + +2. Click on **+ New policy** at the top right corner. + +![New Policy](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp) + +3. Fill in the information fields. + + ![New Policy Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/policy-creation/policycreation_newpolicy_v602.webp) + + - `Identifier`: must be unique among policies and without any whitespace. + - `Name`: will be displayed in the UI to identify the resource type. + - `Provisioning`: allows + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + for the policy. + - `Simulation`: allows + [simulation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) + creation for the policy. + - `Approve Roles Implicitly`: can be enabled to bypass approval steps if the person who issues a + given role request is also the + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + - `Roles can be prolonged without a new approval workflow`: enables the policy's roles and + resource types to have their assignment's end dates postponed without any validation. 
+ - `Is Managed by External Source`: can be enabled only during policy creation to indicate that + its permissions are managed by another IGA tool and are to be ignored by Usercube's role model + computation. + - `Maximum Duration`: duration (in minutes) after which the policy's roles and resource types + will be automatically revoked, if no earlier end date is specified. It impacts only the roles + and resource types which are manually assigned after the maximum duration is set. Pre-assigned + items are not impacted. + - `Grace Period`: duration (in minutes) for which a lost automatic role or resource type is + prolonged. A review will be required to validate or decline the entitlement prolongation. + Inferred entitlements won't be lost unless the end of the grace period is reached or the + prolongation is declined. + - **Dimensions**: criteria that, if met, trigger the membership of given identities to the + policy. + + What we call _another IGA tool_ can be another application or even another version of Usercube. + +4. Click on **Create**. + +## Verify Policy Creation + +In order to verify the process, check that the policy has been added with the right options to the +list on the **Access Policies** page. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md new file mode 100644 index 0000000000..851cf7bcff --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md 
@@ -0,0 +1,178 @@ +# Manage Risks + +How to use the +[risk management](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) +module to identify entitlement assignments that pose a security risk, especially about segregation +of duties and high privileges. + +## Overview + +A +[risk](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +describes a sensitive situation in which entitlement assignments need to be monitored for security +purposes. Examples include: + +- Segregation of duties: a situation where at least two entitlements pose a risk when assigned to + the same identity. +- High privilege: a particularly sensitive entitlement. + +[Risk management](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) +is essential to auditing. Among other things, it allows auditors to: + +- Identify the identities representing the highest security risk. +- Compute the corresponding + [risk score](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md#risk-score). +- Schedule + [access certification campaigns](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/index.md) + accordingly. + +Using risks involves three steps: + +1. Create a risk: declare the nature of the risk. +2. Create risk rules: create the rules that assign risks to identities, depending on identities' + entitlement assignments. +3. Monitor risks: via the **Identified Risks** screen or certification campaigns. + +## Participants and Artifacts + +Integrators may need the help of the application owner, security manager and role model officers to +assess risks inherent to entitlements. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Risks catalog | + +## Create a Risk + +Create a risk by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Risks**. + + ![Home Page - Risks](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp) + +2. On the risks page, click on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![New Risk](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp) + + - `Identifier`: must be unique among risks and without any whitespace. + - `Name`: will be displayed in the UI to identify the risk. + - `Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + in which the risk exists. + - `Entity Type`: + [entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + targetted by the risk. + - `Description`: explanation of the risk that will be displayed with the exemption policy + message. + - `Remediation`: potential alternative solutions that will be displayed with the exemption + policy message. 
+ - [`Exemption Policy`](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) + - [`Type`](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) + - `Level`: risk level that is used to compute + [risk scores](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md). + - `Rules`: a risk is based on the union of + [rules](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md), + themselves based on the intersection of rule items. A rule item specifies the risk-triggering + resource(s). A high-privilege risk must contain at least one rule with one rule item. A + segregation-of-duties risk must contain at least two rule items in the same rule. Read below + how to write risk rules. + + When risks are based on the exemption policy called **Approval required**, the corresponding + role requests appear on the + [**Role Review**](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + screen with a specific workflow state. See below this note. + + ![Risk Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp) + + ### Write risk rules + + A risk rule is simply the condition that triggers the assignment of a risk to an identity, + depending on the identity's entitlements. + + Within Usercube, an entitlement assigned to an identity is represented by the value of a given + [navigation property](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md), + in a resource owned by said identity. + + > For example, imagine that we want to grant unlimited Internet access to the administrator + > profile of an identity. This entitlement won't be assigned directly to the identity but to + > their AD administration account. 
In our Active Directory, there is a resource called + > `DL-INTERNET-Restricted` identified from among AD entries as a group. Therefore, we need to + > add this group membership to the properties of the identity's AD account, using + > `DL-INTERNET-Restricted` as a value of the `memberOf` property. + +4. Choose the + [resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) + to be targetted by the risk. + + > We choose `AD User (administration)` to prevent this situation from happening in our example. + +5. Choose the navigation property that corresponds to the situation. + + > `memberOf` in our example. + +6. Choose a value for this navigation property. The value would be a resource from the unified + [resource repository](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/identity-management/index.md). + + > The group `DL-INTERNET-Restricted` in our example. + + ![Risk Item Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp) + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + > In our example, a risk is identified for a person as soon as their administration AD account + > is part of the `DL-INTERNET-Restricted` group. + +7. Click on **Create**. + + Risks are taken into account from the moment the `Compute Resource Risk Scores` task runs (or + the + [complete job](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + which contains said task). + + The `Compute Resource Risk Scores` task doesn't need to be launched right away, but new risks + can't be identified before it runs at least once. 
+ +## Monitor Identified Risks + +After creating at least one risk and computing risk scores, identified risks are listed on the +**Identified Risks** screen, accessible from the home page in the **Administration** section. + +![Home Page - Identified Risks](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp) + +![Identified Risks](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp) + +For a given identity in the list, user information can be viewed and accessed by clicking +respectively on the eye and arrow buttons on the right-hand side. + +## Impact of Modifications + +Modifications in a risk are taken into account only after running the `Compute Risk Scores` task. +Therefore, risk scores are computed according to the new parameters. + +**After a modification:** while risk scores are computed for all identities and assignments +(pre-existing and newly created), a modified +[exemption policy](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md) +is applied only to future entitlement assignments. For example, changing the exemption policy of a +risk from warning to blocking won't remove entitlements from the identities who already have them. +But future assignments are going to be blocked. + +The deletion of a risk simply triggers the computation of risk scores during the next +`Compute Risk Scores` task, and removes any exemption policy steps in an assignment request. + +## Verify Risk Management + +In order to verify the process, assign to a fake identity a permission that is supposed to trigger +the created risk, and check the consequences: + +- The message displayed at the end of the entitlement request must correspond to the configuration + of the + [exemption policy](/docs/identitymanager/6.1/identitymanager/integration-guide/governance/risks/index.md). 
+- Once the entitlement is assigned, a line must appear on the **Identified Risks** page. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md new file mode 100644 index 0000000000..1f91a29c0d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md 
@@ -0,0 +1,137 @@ +# Perform a Simulation + +How to assess the impact of a modification on the role model, including the +[role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[role assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +and +[resource correlation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md), +using a dedicated +[policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md). + +## Overview + +Usercube's simulations gather roles and rules which are to be created, modified or deleted, without +being inserted in the actual role model straight away. More specifically, a simulation can involve: + +- [correlation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) + and + [classification rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md); +- [scalar rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + and + [navigation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md); +- [resource type rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md); +- [single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) + and + [composite roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [single role 
rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) + and + [composite role rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). + +A simulation can also be created by the +[role mining tool](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) +for the automation of role assignments. + +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +NETWRIX recommends using simulation whenever performing an action (creation/modification/deletion) +on the role model. + +## Participants and Artifacts + +Integrators are able to perform simulation if they master the new role model. 
+ +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (optional) [Role assignment rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) (optional) [Categorized resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (optional) | Updated role model | + +## Launch a Simulation + +Launch a simulation by proceeding as follows: + +1. Access the simulation list by clicking on **Simulations** on the home page, in the + **Configuration** section. + + ![Home - Simulations](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp) + + ![Simulation List](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp) + +2. Create a new simulation by clicking on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![Simulation List](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp) + +4. Click on **+ Create**. +5. 
Perform changes through the **Roles Changes** and **Rules Changes** tabs and the following icons, + respectively for addition, modification and deletion: + + ![Edition - Approval Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Recommendation Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg) + + ![Discouragement Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg) + + At any time, you can click on the line of a previously made change to access its description, + even click on **Cancel** to erase it. + + ![Cancel Change](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp) + +6. Click on **Start** to launch the simulation. + + ![Start Simulation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp) + +7. After a few seconds, click on **Refresh** to display the simulation results. +8. Observe the results in the overview and in the Excel report available via the Download button. + + ![Download Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +## Shift from Simulation to Production + +After all needed changes have been simulated, you can decide to apply or cancel them. + +![Apply or Cancel Changes](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp) + +Then, the simulation is no longer active. + +Clicking on **Apply** applies the simulated changes to the role model. 
You need to launch the +[Compute-RoleModel](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +task to observe the actual changes in users' entitlements. + +## Impact of Modifications + +Once you've applied or canceled the changes of a simulation, said simulation is no longer active. If +you still need to simulate changes on the same policy, you can create a new simulation. + +Deleting a simulation doesn't impact the role model. It simply undoes the simulated changes which +haven't been applied yet. + +## Verify Modification + +In order to verify the process, check that the roles and rules are created with the right +parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select the type of role that you want to check, and find the roles you created inside the right +category and with the right parameters. + +![Select Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select the type of rule that you want to check, and find the rules you created with the right +parameters. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md new file mode 100644 index 0000000000..baac636044 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md 
@@ -0,0 +1,194 @@ +# Classify Resources + +How to define +[classification rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +in order to classify remaining uncorrelated resources, assigning them +[resource types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). + +## Overview + +### Classification purpose + +Classification is the process of putting on an existing resource a label called resource type, to +show its intent and/or purpose within the managed system. +[Read more about the purpose of classification](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +Every resource type can be assigned a set of classification rules. + +### About the confidence rate + +As the aim here is to classify uncorrelated resources in a given managed system, classification +rules are going to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. + +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. 
+ +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. See more + details in the section below. + +Usercube considers the rules in descending order of confidence rate. The first matching rule is +applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. 
resources and property values from the managed systems that are not allowed by a rule +in Usercube. The **Provisioning Review** page displays the resource and property changes whose +workflows require a manual approval. + +### Classification rule example + +Classification rules are commonly based on logins or organizational units. Account types are usually +assigned specific strings to be easily recognized, such as for example `adm` for administrator +accounts. They can also include the employee identifier which includes specific digits according to +the account type. + +Consider an organization that places basic users in organizational units `Users` and `Locations` +with a CN starting with `U`. This means that a basic user should have a `dn` attribute different +from zero, containing `OU=Users` and `OU=Locations`, and starting with `CN=U`. Then, a +classification rule could take as a target expression: + +``` + +return resource.dn != null && resource.dn.Contains("OU=Users,") && resource.dn.Contains("OU=Locations,") && resource.dn.StartsWith("CN=U"); + +``` + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. 
+ +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| [Resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [Synchronized data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) (required) [Correlation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md) (recommended) | Classification rules | + +## Create a Classification Rule + +The principle of a classification rule is to use the expression of the target object, to assign (or +not), the resource type to said object. + +Fill a resource type with a classification rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. + + ![New Classification Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp) + + Classification rules can also be created through the **Access Rules** screen (accessible from + the home page, in the **Configuration** section), clicking on the **Classifications** tab and + the addition button at the top right corner. + + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. 
+ + ![New Classification Rule Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp) + + - **Target Object** > `Expression`: C# expression based on the resource that needs to be + classified. + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order. See the + detailed explanation. + > Our overview example would look like: + > + > ![Classification Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify + Resource Types** to apply the new classification rules. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a classification rule doesn't trigger a new +computation of classification for the resources that are already categorized, i.e. both classified +and correlated. The new version of said classification rule will be applied only to new resources +along with the existing resources whose correlation and/or classification was not yet reviewed (as +unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. 
+ +This also means that only non-conforming resources (displayed on the **Resource Reconciliation** +screen) can have their classification questioned and re-computed. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in +classification rules. + +Any modification in classification rules is taken into account via the classification job: on the +connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource +Types**. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Classification + +In order to verify the process, analyze samples and check that all objects are classified, and well +classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu +of the home page. + +![Test Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be +[configured via XML](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md) to +customize all displayed columns and available filters, especially the **Uncategorized** filter that +spots unclassified resources, and the **Owner / Resource Type** column that shows the resource type +assigned to each resource. + +![Owner / Resource Type Column](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp) + +Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must +analyze a few samples to ensure that resources are classified in the right resource type. 
+ +## Troubleshooting + +#### If a resource is not classified (or not correctly), then� + +![Unclassified Resource](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp) + +- If the resource is correlated, check whether the corresponding correlation rule is in the right + resource type. +- If the resource is not correlated, check the validity of the classification rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md new file mode 100644 index 0000000000..f595428bb9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md 
@@ -0,0 +1,215 @@ +# Correlate Resources + +How to define +[correlation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +to match up resources across systems, usually accounts with their owner. + +## Overview + +### Correlation purpose + +Correlation is the process of establishing an ownership relationship between a source resource +(usually an identity) and a target resource (usually an account). It is the basis of the link +between an identity and their fine-grained entitlements. +[Read more about the purpose of correlation](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +Every resource type can be assigned a set of correlation rules. + +Correlation rules must be created with caution as an error in the correlated attributes may result +in the unwanted assignment of a given account to an existing user. + +Correlation should be based on immutable attributes, for example codes that don't change during the +resource's lifecycle rather than display names that can vary in time. This method prevents +integrators from losing the history of the changes made to a resource after a correction. + +> In addition to display names, counter-examples for correlation properties are: positions; marital +> names; locations� + +### About the confidence rate + +As the aim here is to correlate all resources in a given resource type, correlation rules are going +to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. + +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. 
+ +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. See more + details in the section below. + +Usercube considers the rules in descending order of confidence rate. The first matching rule is +applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. not requested manually nor assigned by a resource type rule. 
For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. resources and property values from the managed systems that are not allowed by a rule +in Usercube. The **Provisioning Review** page displays the resource and property changes whose +workflows require a manual approval. + +### Correlation rule examples + +Consider AD accounts (target) and their owners (source). A classic example is to try and correlate +identities and AD accounts based on the first name and last name. We can write a correlation rule +that states that, for a given identity, Usercube looks for all AD accounts that bear the same first +name and the same last name. All AD accounts that match this description are said to be correlated +to the identity. The identity becomes the owner of the accounts. + +A set of correlation rules for a resource type could be: + +- a rule with 100% confidence on login + name + first name; +- a rule with 90% confidence on login only. + +Usual rules can also be made, for example, on: + +- name + first name using phonetics to avoid typos; +- first name + name + entry date if the entry date is known in the source systems; +- email address; +- Windows login. + +Correlation rules don't have to compare equivalent properties from Usercube and from the managed +system. A rule can compare for example users' `Login` from Usercube with their `sAMAccountName` from +the AD, even using C# expressions if needed. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [Synchronized data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Correlation rules | + +## Create a Correlation Rule + +The principle of a correlation rule is to compare the expressions of the source and target objects. + +Fill a resource type with a correlation rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. + + ![New Correlation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp) + + Correlation rules can also be created through the **Access Rules** screen (accessible from the + home page, in the **Configuration** section), clicking on the **Correlations** tab and the + addition button at the top right corner. 
+ + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. + + ![New Correlation Rule Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp) + + - **Source Object**: at least one property from the source system that is going to be linked to + a given target object. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - **Target Object**: one property from the managed system that is going to be linked to a given + source object. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order. See the + detailed explanation. + > In this example, a person via their login and name, is the owner of a nominative AD + > account via its `sAMAccountName` attribute and display name: + > + > ![Correlation Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare + Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on + **Jobs** > **Compute Role Model** to apply all correlation rules. 
+ +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a correlation rule doesn't trigger a new computation +of correlation for the resources that are already correlated. The new version of said correlation +rule will be applied only to new resources, along with the existing resources whose correlation was +not yet reviewed (as unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in +correlation rules. + +Any modification in correlation rules is taken into account via the following jobs: on the connector +dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and +then on **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Correlation + +In order to verify the process, check the list of +[orphaned accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) +and analyze them to look for patterns revealing correlation issues. To do so, click on the target +entity type(s) affected by your rule(s) in the left menu of the home page. 
+ +![Test Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be +[configured via XML](/docs/identitymanager/6.1/identitymanager/integration-guide/ui/how-tos/index.md) to +customize all displayed columns and available filters, especially the **Orphan** filter that spots +resources without an owner, and the **Owner / Resource Type** column that shows the owner assigned +to each resource. + +![Owner / Resource Type Column](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp) + +A knowledgeable person must analyze a few samples to ensure that resources' owners can all +[be justified](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +meaning that orphaned accounts are supposed to be so, and that correlated resources are matched with +the right owner. + +Another possibility of correlation validation is to compare the number of AD accounts to the number +of users. However, keep in mind that several accounts are sometimes assigned to a single user. + +## Troubleshooting + +#### If a resource is not correlated (or not correctly), then� + +![Uncorrelated Resource](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp) + +- Check the validity of correlation rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md new file mode 100644 index 0000000000..54285762d5 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md 
@@ -0,0 +1,156 @@ +# Categorize Resources + +How to correlate managed systems' resources with identities, classifying resources into +[resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + +## Overview + +Managing resources can quickly become chaotic when the number of resources increases significantly. +You will need to manage orphaned (without an owner) and unused accounts through resource reviews, +and make sure that all accounts follow their owner's lifecycle. To do so, resources can be +categorized, which for our purposes means two things. They are: + +- correlated with their owners, so that accounts follow the corresponding identity's lifecycle. + > For example, if a user leaves the company, then their account is deactivated accordingly. +- classified according to their intents, in other words you need to specify resources' functions or + goals within the managed system, especially in terms of security; + > For example, a basic user account (low-privileged) and an administrator account + > (high-privileged) have different intents. These two distinct account types are handled in + > different ways security-wise, and they represent different entitlements with different + > security measures applied. + +Categorization is designed to help resource managers to easily identify a resource's owner and +purpose. + +> For example, when Usercube spots an orphaned account, resource managers must be able to determine +> whether the account should have an owner, or if it is a service/technical account and thus does +> not need an owner. + +### Technical principles + +Technically, Usercube uses the notion of resource types to categorize resources. A resource type is, +in fact, a way to gather similar resources under one meaningful name, because they have the same +intent. 
+ +> Our example above would use a resource type `AD User (administration)` to group all AD +> administrator accounts, and `AD User (nominative)` to group all AD basic user accounts. + +Thus, a resource type is a name that informs users about the intent of a resource. As stated above, +it serves to implement our two elements of categorization. This happens with two distinct sets of +rules, one for correlation, and the other for classification. + +[**Classification**](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +is a process that simply aims to assign a resource type to specific resources. A specific resource +can only be assigned a single resource type. + +![Classification Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp) + +Any resource that is unclassified will not be available for review. + +[**Correlation**](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md) +is a process that aims to establish an ownership relationship between two resources. In most cases, +an identity resource that becomes the owner of an account resource. + +![Correlation Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp) + +While an owner can possess several resources, a resource can have only one owner. + +Some resources are orphaned (without an owner) for good reasons. For example service/technical +accounts are often used by applications to access data held in Usercube or other managed systems and +don't belong to a specific user. + +As stated previously, both classification and correlation work through sets of rules. 
+ +> For basic users, we have in Usercube: +> +> ![Example - Basic Users in Usercube](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp) +> +> For basic users, we have in the AD: +> +> ![Example - Basic Users in AD](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email +> franck.antoine@acme.com = franck.antoine@acme.com 2. displayName = user's last name + user's first +> name Antoine Franck = Antoine + Franck | + +> For administrators, we have in Usercube: +> +> ![Example - Basic Users in Usercube](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp) +> +> For administrators, we have in the AD: +> +> ![Example - Admin Users in AD](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id +> A28022 = A + 28022 2. displayName = "ADM" + user's last name + user's first name ADM Colin Jean = +> ADM + Colin + Jean | + +Sometimes you may not know if your rules are always going to apply. Therefore, each rule expresses a +certain level of confidence. Usercube will establish a priority order between rules based on the +confidence rate, and will also act differently depending on whether the confidence rate is above or +below 100%. +[Find more details](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md). 
+ +A resource type can have zero correlation rules, since accounts can be without owners. But a +resource type with neither correlation nor classification rules serves no purpose. + +**Correlation triggers classification:** a matching correlation rule for a given resource type will +perform both actions of categorization: both correlating a resource with its owner, and classifying +the resource at the same time. + +See below this note. + +Hence, integrators should start with correlation rules, and then write classification rules for any +remaining uncorrelated resources. + +In the same way, Usercube will apply correlation rules before classification rules. + +![Categorization Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp) + +Now that you have created resource types and their correlation/classification rules, you have +created the first elements for your +[role model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). +The role model contains all the roles and rules which drive the entitlement assignment logic inside +Usercube. + +A role model is made up of +[policies](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +which contain roles, rules and resource types. Most often the default policy is enough. However, in +more complex situations, +[additional policies can be created](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) +to separate groups of roles, rules and resource types. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [Connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) (required) [Synchronized data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Categorized resources Correlated accounts Orphaned account list | + +## Categorize Resources + +Categorize resources by proceeding as follows: + +1. Create at least one + [resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md); +2. Create the appropriate + [correlation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md); +3. Create the appropriate + [classification rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) + for accounts that do not have an owner. + +NETWRIX recommends creating/modifying/deleting correlation and classification rules using +[simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) in +order to previsualize changes. + +## Next Steps + +Once accounts are categorized, integrators can start +[creating provisioning rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). 
+ +Categorization also enables the +[review of orphaned and unused accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md new file mode 100644 index 0000000000..447097f89a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md 
@@ -0,0 +1,230 @@ +# Create a Resource Type + +How to create the container for future correlation and classification rules inside a given managed +system. + +## Overview + +A +[resource type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +is created to highlight differences in intent between resources. It materializes the organization's +profiles. In a given managed system, different types of resources have different security needs. + +> For example, can usually be found: +> +> - nominative accounts for basic user accounts with low privileges; +> - administrator accounts for accounts with higher privileges, on several administration +> entitlements levels; +> - generic accounts, i.e. shared by a group of users (often for testing use); +> - old in opposition to new accounts because of potentially evolving naming conventions; +> - service accounts owned by applications instead of users. + +In practice, a specific resource type is created for a given resource when there are differences in: + +- the owner type (for example worker, partner, customer, application, robot, etc.); +- the required set of + [classification](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) + and/or + [correlation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md) + rules; +- the approval circuit for a resource's modification or assignment, i.e. the number of required + approvals, validators, etc.; +- the type of + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + (manual or automatic). + +### Source vs. target resource + +Resource types are the vessel for ownership relationships. 
They involve the definition of source and +target objects chosen from among the properties of existing +[entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). +The source (usually identities) is the owner of the target (usually resources from your managed +systems, such as a nominative AD account). This relationship is the basis for +[correlation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md) +as much as for future +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +[Read more about ownership relationships](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (optional) [Target connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) (required) [Synchronized data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) (optional) | Resource type | + +## Create a Resource Type + +A new resource type requires an existing +[entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). 
+ +Create a resource type by proceeding as follows: + +1. On the relevant connector page, click on the addition button in the **Resource Types** frame. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + Resource types can also be created through the **Access Roles** screen (accessible from the home + page, in the **Configuration** section), using the **+ New** button and selecting + `Resource Type` in the first field called `Type`. + + ![Home - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. Fill in the fields. + + ![New Resource Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp) + + - `Identifier`: must be unique among resource types, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to identify the resource type. + - `Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + in which the resource type exists. + - `Source Entity Type`: entity type (from any existing connector) used to fill the target entity + type. + - `Target Entity Type`: entity type (part of the connector) to be filled with the source entity + type. + - `Category`: category assigned to the resource type. It can be chosen from among the existing + categories or + [created](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + directly from the categories list by clicking on the **+ Category** button. 
+ - `Approval Workflow`: represents the number of validations required to assign a resource from + this type to an identity. + - `Approve Role Implicitly`: relevant only for workflows with at least a simple approval + process. `Implicit` mode bypasses the approval step(s) if the person who issues the role + request is also the + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + `Explicit` refuses said bypass. `Inherited` follows the + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + decision to approve role implicitly or not. + - `Prolongation without a new approval workflow`: enables the resource type to have its + assignment's end date postponed without any validation. `Inherited` follows the + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + decision to enable this option or not. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Arguments Expression`: when using a connection for automatic provisioning, C# expression used + to compute a dictionary of strings in order to compute the arguments of + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + orders, such as the identifier of the workflow to launch within Usercube, or the identifier of + the user's record to copy. + [Find examples](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + - `Allow Addition`: enables Usercube to automatically create new resources in the managed system + when their owners are given the right entitlements. Otherwise, resource managers must create + resources manually directly in the managed system. 
+ + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Addition` disabled. In this case, if we give the role + > `SAP` to a user, then said user doesn't automatically receive an SAP account. The relevant + > resource manager must create an account for said user in the SAP application. + + - `Allow Removal`: enables Usercube to automatically deprovision resources in the managed system + when their owners are deprived of the right entitlements. Otherwise, Usercube is able to + delete resources in the managed system only with a manual approval on the **Resource + Reconciliation** screen. + + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Removal` disabled. Finally, consider a given user who + > has the role `SAP` and the corresponding SAP account. In this case, if we deprive said + > user from the role `SAP`, then the SAP account isn't automatically deleted. Usercube + > displays this assignment as non-conforming on the **Resource Reconciliation** page, and + > the relevant resource manager must confirm the account deletion. + + **Allow Addition / Allow Removal:** + + These options set to `No` are interesting especially in testing mode when the role model + isn't entirely reliable yet. + + - `Remove If Orphaned`: enables Usercube to automatically deprovision resources when their owner + is deleted. Otherwise, said resources are displayed on the + [**Resource Reconciliation**](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + screen. Can be activated only if `Allow Removal` is activated too. 
+ - `Require Provisioning Review`: forces an additional mandatory review of all + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + orders for the resource type (on the + [**Provisioning Review**](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + screen). + + > Consider AD accounts. While nominative accounts can be provisioned without specific + > precautions (option set to `No`), administrator accounts sometimes require an additional + > review (option set to `Yes`). + + This option can be bypassed when computing the role model by clicking on the **Compute Role + Model, no provisioning review** job in the **Resource Type** frame on the connector's + overview page. + + - `Discard Manual Assignments`: allows the provisioning of a new value computed by a + provisioning rule for a property, based on a change in the source data, no matter the + property's current workflow state. + + Set to `No`, any manual change of a property's value made directly in the target system will + be "protected" (only after the change is approved in Usercube in **Resource + Reconciliation**). It means that a future change in the source data will not trigger the + provisioning of the new value. Instead, Usercube will keep the value of the manual change, + and state the value as `Questioned`. + + > Consider an HR system (source) whose data isn't often synchronized into Usercube. Let's + > say that a user marries and changes their name. In this case, the value in Usercube needs + > to be updated (via workflows) so that all managed systems are updated too with the new + > name. However, `Discard Manual Assignments` should be enabled because the HR system should + > still be the authoritative source in case of another change. + > + > [See a full example](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). 
+ + - `Correlate Multiple Resources`: enables Usercube to link a single owner to several existing + target objects from this resource type. + + > Consider records, representing users' positions in the resource type + > `User Record (from HR)`. In some organizations, one user can have several records at once, + > or have several records that overlap, and these records can be created either via + > Usercube's workflows or via the upload of an HR file. Thus, on the one hand it is complex + > to anticipate the number of records created for an identity, on the other hand there + > shouldn't be records without an owner. In other words, when creating a new record via a + > workflow, we want the record to be linked to the right user, whether or not a record is + > already linked to the user's HR sheet. Therefore, the correlation of multiple resources + > (of the same resource type) to a single owner should be permitted. + + - `Transmitted State Validity`: The period in minutes during which fulfillment orders can stay + in Transmitted/Executed state. When the time is exceeded the orders are set in error state. + - `Depends On Resource Type`: potential resource type (other than the one presently created) + which must be provisioned for a given identity before this resource type can be created for + said identity. + + > This option can be used so that a user must have an AD account before they can own an + > Exchange account, because the Exchange account needs the AD account's address. + > [Find a full example](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + + - `Depends On Owner Property`: potential properties which must be filled for a given identity + before this resource type can be created for said identity. 
+ + > This option can be used so that a user must have a ServiceNow identifier before they can + > own an AD administrator account, because the AD administrator account needs this random + > identifier computed by ServiceNow in order to be able to perform manual provisioning in + > ServiceNow. + > [Find a full example](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + +3. Fill the **Fulfill Settings** arguments according to the selected + [package](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/index.md). + + Integrators need to know the required + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + connection, especially whether the connection is about manual or automated provisioning. + Automatic provisioning means that Usercube writes in the managed system. Manual provisioning + means that Usercube isn't allowed to write directly inside the managed system, and thus it + creates tickets so that resource managers perform the needed changes. + +4. Click on **+ Create & Close** > **Create**. + +## Verify Resource Type Creation + +In order to verify the process, check that the resource type has been added with the right options +to the list on the **Access Roles** page, accessible from the home page in the **Administration** +section. + +![Home - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +![Test Connector](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/configure-workflows/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/configure-workflows/index.md new file mode 100644 index 0000000000..d67c07ae74 
--- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/configure-workflows/index.md 
@@ -0,0 +1,107 @@ +# Configure Onboarding Workflows + +How to adjust the validation process and homonym detection of onboarding +[workflows](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +## Overview + +Onboarding workflows are the processes that users follow in order to add in Usercube a new user, as +a new employee has arrived in the company. + +The most common situation consists in having two onboarding workflows: one for employees and one for +contractors. The Workforce Core Solution module provides these two workflows. + +Usually, using one of these workflows means: + +1. filling a form containing the new user's information, such as their name, first name, contract + type, job title, etc; +2. if needed, sending the request of user creation for review by a knowledgeable user. + +[See how to create a new worker in Usercube](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md). + +### User Creation Review + +Usercube provides the review step as optional, for its necessity depends on the situation. + +To perform the review of a user creation, one should have the right permissions. + +![Review Permissions](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp) + +When a review is needed, a notification appears on the **MY TASKS** tab at the top. + +![My Tasks Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +The reviewer can then complete the creation request and finally approve it. + +### Homonym Detection + +User creation often benefits from a homonym detection that checks if the resource already exists in +the system, preventing duplicates. + +Usercube provides a homonym detection, whose parameters can be adjusted. 
+ +[See more information about homonym detection](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/index.md). + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the expected validation +process and homonym detection during users' onboarding. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) | Adjusted Onboarding Workflows | + +## Configure Onboarding Workflows + +Configure onboarding workflows by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** > + **Onboarding Workflows** in the left menu. + + ![Home - Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. For each workflow, choose whether a review step is required. + + ![Workflows Review Steps](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp) + + NETWRIX recommends enabling the review for the onboarding of employees, and disabling the review + for contractors. + + From experience, in most use cases, the onboarding of new workers is done by their managers, and + HR people review the creation of employees and not contractors. It also happens that HR people + are in full charge of employees, in which case they do the onboarding and don't need a review. + +3. Configure the homonym detection. 
+ + ![Workflows Homonym Detection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp) + + NETWRIX recommends enabling the birth name comparison to detect user duplicates due to name + changes, when the GDPR supports it. + + The other parameters for homonym detection should be enabled/disabled according to your needs. + +4. Click on **Save** at the top of the page. + + ![Save Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Workflow Configuration + +Validate the process by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Execute the workflows for a new employee and a new contractor. +3. Make sure that the homonym detection works in accordance with the specified options. + + > For example, if the inversion comparison is enabled between the first and last names: + > + > ![Workflows Homonym Detection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp) + +4. Make sure that the potential validation steps are in accordance with the specified options. + +## Next Steps + +Once onboarding workflows are configured, integrators can start +[configuring a connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md new file mode 100644 index 0000000000..a41a535abc --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md 
@@ -0,0 +1,167 @@ +# Create a Connection + +How to create a +[connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +inside a [connector](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/index.md) +and choose the appropriate package. + +## Overview + +A connection is the information that allows to connect to a managed system, which includes +credentials and path. + +There is a minimum of one connection per connector. In many cases, there is one connection for +[synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) +and one connection for +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +A connection is associated with a package, representing the technology to use for the data transfer. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | +| [Connector container](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) (required) [Connector model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) | Connection(s) | + +## Create a Connection + +Create a connection by proceeding as follows: + +1. Click on the addition button in the **Connections** frame on the connector's summary page. 
+ + ![Add a New Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp) + +2. Fill in the connection information fields on the left, then [select a package](#select-a-package) + (AD, CSV, etc.) and fill the associated agent settings on the right. + + ![Connection Creation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp) + + - `Identifier`: must be unique among connections, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. + - `Name`: will be displayed in the UI to identify the connection. + - `Package`: the technology that enables the connection. Choose the package that fits best the + managed system. See details below. + - `Agent Settings`: depends on the selected package. + + Then click on **Create & Close**. + +### Select a package + +A package is chosen according to the following constraints: + +- What kind of technologies do we need? + + > An Active Directory, a plain CSV file, etc. + +- Do we need + [incremental or complete](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md)[synchronizations](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md), + or both? + + [Incremental synchronizations](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md), + usually launched approximatively every two hours, are to be performed for real-time needs, while + [complete synchronizations](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md), + scheduled no more than once a day, will recover any changes that may have slipped through the + cracks of the incremental synchronizations. 
+ +- Do we need + [provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md)? + If so, should provisioning be performed manually or automatically by Usercube? + +NETWRIX recommends starting by creating a connector that only does synchronization, and do not worry +yet about provisioning. It allows Usercube to read data from your managed system, without writing to +the system. + +One connector can contain several connections, and each connection contains one package. + +> For example, an `AD` connector, that will handle synchronization and provisioning between Usercube +> and an AD, would generally use the `Directory/Active Directory` package which can do +> synchronization and automated provisioning. A second package for manual provisioning, +> `Ticket/identitymanager` could be added to request manual provisioning of administration accounts that +> need more security. + +Each type of package needs its own settings, and +[secured options](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/configuration-details/connections/index.md#secured-options) +can be used to store sensitive connection information. + +## Refresh Schemas + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Usercube refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. 
+ + ![Refresh all Schemas](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. + +![Failed Refresh Schemas](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "_There is no schema for this connection_". + +![No Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Impact of Modifications + +Changes on a connection may imply changes in the connector's entity types. When a connection schema +changes, a warning may appear in the entity type screen indicating that a mapped property doesn't +exist anymore. + +## Verify the Connection + +In order to verify the process: + +1. click on **Check Connection** to ensure that Usercube can reach the managed system; + + ![Check Connection](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + + Some connectors have both + [incremental and complete](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) + setting modes. 
They are relatively independent so they both need to be tested. + +2. check that the connection appears in the **Connections** frame with the right options, and + without the Failed icon. + +![Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +## Troubleshooting + +#### If the Failed icon appears, then� + +![Decline Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +Ensure that the schema of the connection is refreshed. + +#### If the schema couldn't be recovered, then� + +![Schema Not Recovered](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp) + +- Ensure that the managed system is properly connected. +- Check the connection's settings. + + > Example: For a CSV connection, ensure that the file paths are written correctly in full, such + > as `C:/identitymanagerDemo/Sources/Directory.xlsx`. + +You may have a schema that could not be recovered if you work with a system without a direct access +to the agent. In this case, schema refreshment will fail but that does not mean that there +necessarily is a problem. + +Try again from a system that can access the agent. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md new file mode 100644 index 0000000000..e571ffc9e8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md 
@@ -0,0 +1,71 @@ +# Create the Connector + +How to declare the technical container of a +[connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md). + +## Overview + +Here, you will learn how to create a connector: the shell that harbors entity types and connections +related to a single managed system. + +Keep in mind that a Usercube installation can have more than one +[agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md). Connectors +should be created with a specific agent in mind since the agent needs to physically connect to the +managed system's data. Fortunately, you don't need to worry about that right now, since you are +starting with the agent provided with Usercube's SaaS environment. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ----- | --------------- | +| - | Empty connector | + +## Create a Connector Container + +Create a connector container by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Connectors** button. + + ![Home page - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + + You will see all existing connectors. + +2. Click on the addition icon and fill in the information fields. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Connector creation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp) + + - `Identifier`: must be unique among connectors, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. 
+ - `Name`: will be displayed in the UI to identify the connector. + - `Agent`: + [agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md) that + the connector is supposed to use. + + NETWRIX recommends choosing the provided SaaS agent. + + - `Complete Job`: + [job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) + scheduled to perform a set of tasks, including + complete[synchronization and/or provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) + for all the connectors, for which you selected the corresponding checkbox. + - `Incremental Job`: + [job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) + scheduled to perform frequently a set of tasks, including + incremental[synchronization and/or provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) + for all the connectors, for which you selected the corresponding checkbox. + +3. Click on **+ Create** to get on the connector's overview page: + + ![Connector page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp) + +## Verify the Connector Declaration + +In order to verify the process, check that the connector has been added to the connectors list with +the right name and identifier. + +![Test Connector](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md new file mode 100644 index 0000000000..e30ee7a1c2 --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md 
@@ -0,0 +1,511 @@ +# Model the Data + +How to choose the appropriate model for a connector's data. + +## Overview + +In this part, you work outside Usercube to define the model that is going to be used in the next +steps to represent a managed system's resources and entitlements inside Usercube, as a connector. + +This page is no technical procedure, but rather a guide aiming to give a global view on connectors +(with their components and their purpose), in order to help integrators choose the most appropriate +way to model the managed system in the form of a connector later inside Usercube. + +The aim is to think about said managed system in order to specify: + +- what data you need to import into Usercube; +- how you are going to organize this data together, and model it as a connector inside Usercube. + +### Useful data + +Modeling the connector is a matter of identifying what data you want to get into Usercube. You +should not retrieve all the data from the managed system, but only two kinds of useful data: + +1. data that represents how the authorization system works in the managed system, i.e. data that + composes entitlements and their assignments; +2. data that you want to watch and/or control and/or fulfill. + +The model must take both into account. So both kinds of data must be extracted from the managed +system. + +> Let's take an example. An Active Directory manages authorization through group membership (using +> the user-group paradigm). +> +> So first we need to retrieve both groups and accounts, in order to manage the AD's assignments of +> entitlements for our users (in the AD language: manage their accounts and group memberships). +> +> Secondly, we want to control attributes such as the name or e-mail of the account, and ensure they +> are consistent with the correlated identity. Thus these attributes are the second kind of +> information that we want to retrieve. 
+ +### Data models + +Fortunately, you won't have to design your connector model from scratch. NETWRIX has done a little +work ahead, and you are presented here with four model templates that have proven to work so far. +Experience shows that most managed systems can be shaped using one or a mix of the following: + +- the User model is the most simple model for a connector, where a user is directly associated with + a list of entitlements; +- the [User-Group](#user-group) model represents typical + [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) mechanisms, + where the ability to perform an action is granted through accounts' membership to a specific group + (also called role or profile according to the system); +- the [Account-Profile-Transaction](#account-profile-transaction) model represents a system, where + the ability to perform an action is granted through the assignment of fine-grained entitlements + (called transactions) which are packaged into profiles; +- the [Star](#star) model represents a system, where the ability to perform an action is granted + through the assignment of entitlements which are based on at least two variable parameters. + +Each template presents a few objects and the relationships between them. To become the model of the +actual managed system, these objects must be renamed and their attributes defined according to the +reality of said managed system. + +This sheet guides you through choosing the right model template for your connector. The actual +technical implementation of the model will be tackled in the last part of the connector +configuration: +[entity type creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). 
+ +**Connector model and roles:** + +The design of a model must take into account what is really going on inside the managed system in +terms of entitlements, and be flexible enough to express it as roles in the context of the +[role model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). +The role model is the universal RBAC/ABAC language used by Usercube to express all entitlements. + +You don't have to worry about this "role" part right now. It is going to be tackled during +[single role catalog creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). +At this point, you will take a look at the way roles are defined and linked to resources to +represent entitlements. But the work starts here, by modeling the resources that exist in the +managed system. Some of those resources, such as Active Directory groups, include interesting +information about entitlements. + +Right now, you can see the connector's model as a precise description of the shape of the technical +resources and entitlements of the managed system. And, you can see roles as the higher-order +universal language in which entitlements and their assignments are expressed in Usercube for all +managed systems. + +**Connector model and provisioning**: + +After defining the [useful data](#useful-data) that you need to model a given system, you also have +to decide what data you need Usercube to write to the managed system. Usercube writing to an +external system is called +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. 
+ +| Input | Output | +| ----- | --------------- | +| - | Connector model | + +## Define the Connector Model + +Define your connector model by proceeding as follows: + +1. Use the advice and examples given about each model template to find the template that most + closely matches your use case. +2. Adapt the template to the reality of your managed system by renaming and adjusting the model's + objects. +3. Define your [useful data](#useful-data), and thus the attributes of each object according to the + reality of the data in your managed system. +4. Ensure that all objects have at least one attribute that can serve as a key to be uniquely + identified within Usercube. You will get more details about keys during + [entity type creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). +5. Ensure the following guidelines' enforcement: + + **Keep it simple** + + The model must stay as simple as possible. Embed just enough information. + + **Keep it readable for most users** + + The model must be easy to understand. For this, adopt a business approach, i.e. make the model + user-friendly and close to real activities. This functional approach is essential to the + efficiency of data flows + ([synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md)/[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + loop). Keep in mind that the aim is to define a model close to the reality of the system. + + **Keep it open to changes** + + The model is going to change and evolve during the life of the application, to account for new + needs or changes. This must be considered too in the initial model to make future changes less + painful. + +Find at the bottom a procedure example about modeling the Active Directory. 
+ +## Model Templates + +All templates are detailed with examples and schemas with the following key: + +![Schemas' Key](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp) + +During the technical modeling inside Usercube, these objects will become entity types, their +attributes will become scalar properties, the links between them will become navigation properties. + +### User + +#### Authorization mechanisms + +The User template is the most simple model for a connector, and used to represent a user directly +associated with a list of entitlements. + +Users are represented by the accounts they own, and entitlements are represented by resources. + +Permissions can be managed: + +- by resource, with a list of authorized accounts for each resource; +- by account, with a list of authorized resources for each account. + +#### Model + +![User Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp) + +Thus you need to create one entity type to represent either accounts or other resources. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are the +[keys](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +and the property holding entitlements. It means that: + +- if entitlements are managed by resource, then the entity type representing resources must have an + attribute (scalar property) containing the list of authorized accounts; +- if entitlements are managed by account, then the entity type representing accounts must have an + attribute (scalar property) containing the list of authorized resources. 
+ +**Recommendation: categorize accounts in types** + +Some of the managed systems following this model offer predefined types of accounts, with a +pre-packaged set of authorizations (such as the `basic` user with read/write permissions on +non-sensitive resources, or the `admin` with higher privileges). + +Account types make modeling easier, as they bring another level of information about the +entitlements they contain. So we can embed more useful information in the model, thanks to an +attribute that represents the account type. + +In further steps, you will be able to define one +[resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) per +account type and map each one to a +[role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +for assignment and +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +#### Example - Canteen badges + +Canteen badges are a simple system handled with the User model. Indeed users can simply have among +their attributes the access authorization for a given building and a given time. Or also, instead of +creating an entity type for users, we can create an entity type for the badges. They would have in +their attributes their respective access location and time, and an attribute listing authorized +users. + +![User Model - Canteen Badges Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp) + +#### Example - Mailboxes + +Mailboxes constitute a complex system, but IGA purposes require little information (only accounts) +so this system can too be handled with the User model, either through users and their entitlement +lists, or through mailbox entitlements and their lists of authorized users. 
+ +![User Model - Mailboxes Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp) + +### User-Group + +#### Authorization mechanisms + +The User-Group template is better suited to represent typical Role-Based Access Control +authorization mechanisms, where a user is authorized to perform an action according to their +account's membership to a specific group. Instead of groups, some systems talk about roles or +profiles: users are authorized to perform an action through a given role or profile which they are +assigned, instead of a group membership. It is all the same idea, and the User-Group template is +perfect for them too. + +Groups can also be categorized and grouped into larger groups. + +Users are represented by the accounts they own. + +#### Model + +![User-Group Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +Thus you need to create one entity type to represent groups (or roles or profiles) and one for +accounts. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between both entity +types, i.e. the navigation properties representing the group membership. + +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. 
+ +In further steps, you will be able to define one +[resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) per +account type and map each one to a +[role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +for assignment and +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +#### Example - SAB + +The SAB system handles authorizations using users and groups. A user is authorized to perform an +action according to their group membership. + +We define two entity types `SAB - User` and `SAB - Group`. We fill them with a few attributes useful +to manage entitlements in the SAB application. Finally, we add a navigation property in both entity +types in order to link `User` with `Group` with an "n-to-n" relationship. + +![User-Group Example - SAB](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp) + +#### Example - RACF + +The [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) connector is used to +manage critical entitlements on the mainframe. RACF is a complex system, but IGA purposes only +require information about accounts and groups, as entitlements are given by group membership. Thus +the system can be simplified to be managed by Usercube following the User-Group model. + +![User-Group Example - RACF](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp) + +For RACF, Usercube provisions only the link between accounts and groups. + +#### Example - TSS + +The TSS connector is similar to RACF in its use, but manages fine-grained entitlements at a higher +level than RACF. TSS is at least as complex as RACF, and its connector follows a similar +simplification as RACF's. 
+ +Usercube manages users (with their accounts) and groups called here profiles. Both users and +profiles are grouped into departments, themselves grouped into partitions. Entitlements are called +authorizations, and are linked to users through group (profile) membership. + +![User-Group Example - TSS](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp) + +For TSS, Usercube provisions only the link between users and profiles. + +Usercube receives a write access for users and profiles, only a read access for the rest of the +model. It is interesting to keep the whole model for query goals such as listing a given user's +entitlements. + +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. + +In further steps, you will be able to define one +[resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) per +account type and map each one to a +[role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +for assignment and +[provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md). + +**Roles:** During the +[creation of the role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +in the next steps, for this connector you can build roles based on the group-membership system +represented by users and profiles. Thus you will create +[navigation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +to represent the link between users and profiles. + +#### Example - SDGE + +The SDGE connector is used not to manage people but positions, so the application screens depend on +the user's position. 
In other words, Usercube is going to manage users' entitlements in SDGE through +their positions. + +The object `User` or `Account` from the template, which contains users' accounts, is called here +`Worker`. + +The object `Group` from the template is called here `Position` (grouped into organizations, +themselves grouped into organization types). It contains the way an entitlement is given, here +through a given position and wallet. + +![User-Group Example - SDGE](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp) + +For SDGE, Usercube provisions only workers and the link between workers and positions. + +### Account-Profile-Transaction + +#### Authorization mechanisms + +The Account-Profile-Transaction model is better suited to represent a system, with the following +basic characteristics: + +- To be able to perform an action or read a piece of data, a user must be granted one or several + transactions. Transactions represent fine-grained entitlements. They can be associated to a type + and conditions that restrict their use, such as a maximum per day or a context of validity. +- Transactions are not assigned directly to an account, but are packaged into profiles, which are + then assigned to accounts, which are owned by users. +- Profiles can sometimes be classified into categories representing the sensitivity of the + transactions they contain. + > For example, profile categories can be `Privilege Profiles` for high privilege transactions on + > sensitive data, and `Technical Profiles` for technical transactions related to system + > administration. + +#### Model + +![Account-Profile-Transaction Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp) + +Thus you need to create one entity type to represent accounts, one for profiles, and one for +transactions. 
+ +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between entity types, +i.e. the navigation properties representing the packaging of transactions into profiles on the one +hand, and the assignment of profiles to accounts on the other hand. You can potentially add a +navigation property in the `Profile` entity type in order to categorize profiles within larger +profiles. + +Instead of creating as many `Profile` objects as there are categories of profile, NETWRIX recommends +shaping the `Profile` object with a `category` attribute. Indeed, a multiple-object model +complexifies the addition of new profiles in the future. And as new profiles can be created in the +future though, then you must plan for it. + +For example, instead of modeling two artificial types of profiles called `PP` for "Privilege +Profile" and `TP` for "Technical Profile", prefer a single object `P` that represents all profiles +using a specific attribute to differenciate technical from privilege profiles. This way, the model +sticks to the real capacity of the technical tool and all use-cases are considered. + +See the schema below this note. + +![Profiles Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp) + +Transactions are not mandatory in a model. Most of the time, the profile packages are predefined +once and for all, or are the responsibility of the application owner. Then Usercube doesn't need to +manage the specific transactions for a profile directly inside the managed system. You can hence +avoid modeling transactions altogether. In this case, you fall back on the User-Group model with a +twist: if profile categories are relevant in the system's authorization mechanism, then you must +take them into account. 
+ +#### Example - TSS + +The TSS connector is actually a mix of the [User-Group](#user-group) and Account-Profile-Transaction +models. The User-Group part is explained above. + +![User-Group Example - TSS](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp) + +Transactions are called here authorizations. + +For TSS, Usercube provisions only the link between users and profiles. Transactions (and the rest of +the model) are only readable. + +### Star + +#### Authorization mechanisms + +The Star model is better suited to represent a system, where the ability to perform an action is +granted through the assignment of entitlements, based on several variable parameters, most often the +combination of a profile and at least one user data criteria. + +> For example, you might want to give certain entitlements only to users who have an administrator +> profile and work in Marseilles. + +As the parameter combination is not predetermined, the whole system can become highly complex with +the addition of data criteria. + +Users are represented by the accounts they own. + +**Comparison with other models:** while the [User-Group](#user-group) model grants an entitlement +via a group membership, the Star model grants said entitlement via a special authorization linking +the right criteria altogether (i.e. the right profile and other user parameters). + +#### Model + +![Star Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp) + +Thus you need to create one entity type to represent accounts, one for each criterion, and another +one to represent the object linking acounts to criteria. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. 
+ +The difficulty of this model is to map everything to +[roles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +in the role model. In Usercube's role model, one assignment is always one role. But in this case, in +the managed system, an assignment is a tuple of things. + +To map the tuple of things on a role, we have several choices: + +1. Create a role per possible combination of tuple of things. This can quickly get out of hand as + far as the number of created roles is concerned. +2. Use parametrized roles. The number of roles will be contained, but it is a little more + complicated to configure. + +The flexibility generated by parameters is particularly interesting for roles that incorporate +entitlements in a more complex way than application roles. If the information contained in a role is +complicated to deduce, then parameters can bring some clarity in the configuration. The objective is +always to minimize the number of distinct roles, and the number of roles that are assigned to one +given identity. + +#### Example + +Consider an application which manages entitlement assignment with different rules, according to +users' profiles, attachment areas and sites. Our example shows 4 profiles, 4 attachment areas and 3 +sites. So a user may be assigned a given entitlement for a given profile, attachment area and site. + +![Star Model Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp) + +For this connector, Usercube provisions only the links between accounts and linking objects, and the +links between linking objects and each criterion. 
+ +Concerning roles, integrators have two options: + +- either create a specific role for `Profile_i` with `AttachmentArea_j` and `Site_k` for all + available profiles, attachment areas and sites, which makes a total of 48 roles (for a quite + simple example); +- or create a single role with parameters for profiles, attachment areas and sites. + +## Procedure Example + +**Step 1: choose the connector model.** + +Let's say we are modeling an Active Directory, which handles authorization through the group +memberships of accounts. In other words, to assign an entitlement to an identity, we make the AD +account of said identity member of the corresponding AD group. That is exactly what the User-Group +template is designed to handle. + +![User-Group Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +**Step 2: adapt the model to your reality.** + +We start by renaming the `Account` object as `AD_User` and the `Group` object as `AD_Group`. + +![AD Example - Step 1](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp) + +**Step 3: define useful data close to your reality.** + +We shape these objects with the following attributes: + +![AD Example - Step 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp) + +**Step 4: ensure that all objects have unique keys.** + +Indeed we defined `objectGuid` as a key for both accounts and groups. + +**Step 5: ensure the guidelines' enforcement.** + +We could content ourselves with this model. The main benefit of this model is to closely mimic the +reality of the AD authorization mechanism. But we'd like to go a bit further, applying a "keep it +open to changes" approach. + +Observe the similarities between `AD_User` and `AD_Group`. 
There are many attributes repeating +between the two entity types. + +We can simplify: prefer a single object `AD_Entry` that can represent both users and groups. The +difference between the two types of object will be made clear via specific properties like +`objectCategory`, `member` and `memberOf`. + +Beyond avoiding repetition, this makes the model easily adaptable if new elements pop up. + +> For example, we could want to include computers or organizational units in the model in the +> future. Instead of creating two new additional objects `AD_Computer` and `AD_OU`, the existing +> object `AD_Entry` can represent them both at no additional modeling cost. Even though we could add +> `AD_Computer` and `AD_OU` without merging groups with entries, designing `AD_Entry` with all these +> attributes provides the means to add objects without creating new entity types. +> +> ![AD_Entry Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md new file mode 100644 index 0000000000..fe4989ead1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md 
@@ -0,0 +1,73 @@ +# Organize Resources' Datasheets + +How to change the default display of the resource data from this entity type, by creating display +groups. + +## Overview + +Here you will learn how to change how a resource's data is organized in the UI, by creating display +groups. + +If you do not add display groups, Usercube displays the data of this entity type's resources in +alphabetic order. + +> For example, for an HR user without any display groups: +> +> ![Without Display Groups](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp) + +## Organize Resources' Datasheets + +Organize resources' datasheets by proceeding as follows: + +1. Start by creating the entity type with its + [scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) + and + [keys](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md). +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Display** tab. + + ![Display Groups](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp) + +4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag + and drop the properties to customize the order. + + > For example: + > + > ![Display Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp) + +5. 
When needing to group properties together, click on **Add Display Group**, fill in the fields and + select from the pop-up window the properties to be grouped. + + ![Display Group Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp) + + - `Identifier`: must be unique among display groups, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property group. + > For example: + > + > ![Display Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp) + > + > The entity type's resources would look like: + > + > ![Display Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp) + +6. Click on **Save & Close**. + + Changes in display groups won't take effect until the next + [`Update-EntityPropertyExpressionsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. 
+ +![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md new file mode 100644 index 0000000000..06aa5bdcc8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md 
@@ -0,0 +1,80 @@ +# Set Resources' Display Names + +How to change the value of the +[display name](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +for resources of an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here you will learn how to change a resource's display name, which is the name used by the UI to +identify a resource of an entity type. Its value is computed from existing properties. For example +for the entity type `HR - User`, integrators may set the display name to: +` - `. + +![Display Name - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp) + +If you do not set your own display name, Usercube provides a default value based on the first scalar +property after alphabetizing all the properties whose name contains `name`. + +## Set the Resource's Display Name + +Set the resource's display name by proceeding as follows: + +1. Start by creating the entity type with its + [scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) + and + [keys](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md). +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Settings** tab. + + ![Display Name - Property Path](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp) + +4. Set the display name. 
As a display name, you can use either the value of an existing property, or + compute an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) + based on existing properties. + + > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined + > functions. + > + > ![AD Entity Type - Display Name](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp) + > + > ![AD Entity Type - Display Name Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp) + + > Another example from the HR connector (User entity type): + > + > ![HR User Entity Type - Display Name](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp) + > + > ![HR User Entity Type - Display Name Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp) + +5. Click on **Save & Close**. + + Changes inside connectors won't take effect until the next + [synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + More specifically, changes in display names won't take effect until the next + [`Update-EntityPropertyExpressionsTask`](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. 
It is essential though to reload after the final changes are made. + +![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Troubleshooting + +#### If no property appears in the display name auto-completion, then� + +![No Property](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp) + +Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top +right corner of the screen. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md new file mode 100644 index 0000000000..07e8623d50 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md 
@@ -0,0 +1,85 @@ +# Create the Entity Type + +How to create the technical container of an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here, you will learn how to create an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md): +the shell that harbors the (scalar and navigation) properties which describe a given set of +resources related to one managed system. + +## Create the Entity Type + +Create the entity type by proceeding as follows: + +1. Access the connector's page by clicking on the **Connectors** button on the home page in the + **Configuration** section, then on the relevant connector. + + ![Home page - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, in the **Entity Types** frame, click on the addition button. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the information fields. + + ![Entity type creation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp) + + - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + NETWRIX recommends using `_` in the singular. + - `Name`: will be displayed in the UI to identify the entity type. + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the entity type in the left menu of the home page. 
+ - `Auto Complete in Pickers`: can be set once properties are created (and saved) so that, when + using a searchbar for selected properties, Usercube suggests existing entries. + +4. In the entity type's **Properties** section, choose a source so that the connection provides the + source's data structure. + + ![Properties' source](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + + > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the + > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want + > to classify, with the properties that are useful for assignment management. + > + > The AD connector uses as a source `Connection Active Directory - entries`. Its structure was + > retrieved when we + > [refreshed the schemas](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + > of the `Active Directory` connection, thus retrieving the attributes from the Active Directory + > and storing them temporarily on the agent side, inside CSV files. + +## Next Steps + +To continue, +[define at least one scalar property](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) +for this entity type. 
+ +## Troubleshooting + +#### If there are no connection tables available in the **Source** dropdown list of an entity type, then� + +![Properties' source](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + +Ensure that there are existing connections: + +- if this is the case, then click on + [**Refresh all schemas**](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + on the connector page, and verify that there is no error. +- if not, then you must + [create at least one connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md). + +#### If there is a message stating to refresh the connection's schema, then� + +![No Connection Table Error](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp) + +Start by making sure that the connection's schema is refreshed by clicking on +[**Refresh all schemas**](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) +on the connector page, and verify that there is no error. + +If the message is still displayed, then it means that the previously selected connection table no +longer exists in the managed system. In this case, either the table's name simply changed, or the +table is not relevant anymore. Then you should find a relevant table in the **Source** dropdown +list. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md new file mode 100644 index 0000000000..b45d43c1cd --- /dev/null 
+++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md 
@@ -0,0 +1,69 @@ +# Create an Entity Type + +How to create an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that corresponds to the connector model. + +## Overview + +An entity type is a model of a managed system's data. It defines the shape of the associated +resources (instances of said model) and not the intent (that would be a +[resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md)). +It defines a set of +[properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md#properties) +describing said resources and linking them together. + +In other words, an entity type is supposed to model the representation of a certain group of +resources inside Usercube. It is a relational model, made of properties +([scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)) +and links between entity types +([navigation properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)), +both described later. + +![Entity Type - Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +The configuration of entity types depends entirely on the +[previously established model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). + +Entity types will impact the import of the managed system's resources, and the way said resources +are displayed in the UI. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [Connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) [Refreshed schemas](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) [Connector's data model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) | Entity type | + +## Create an Entity Type + +Create an entity type by proceeding as follows: + +1. [Create the entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. [Define the scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) + to be used in the entity type. +3. [Choose the primary key and key properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) + which will identify resources. +4. [Define navigation properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) + if applicable. +5. [Customize the display names](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) + for the entity type's resources. +6. 
[Organize the datasheets](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) + for the entity type's resources in Usercube. + +For some connectors, Usercube provides a template to automatically create a basic configuration. See +below this note. + +> For example, the Active Directory template automatically creates an AD entity type and two +> resource types for a standard AD connector. The template is available for a connector with an AD +> connection but no entity types. +> +> ![Entity Type - AD Template](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp) + +## Verify the Entity Type + +Changes will take effect once you have launched synchronization. Therefore, in order to verify the +process, follow the +[verification procedure indicated for a synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md new file mode 100644 index 0000000000..2351f77ef9 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md 
@@ -0,0 +1,122 @@ +# Select Primary Keys + +How to choose +[key properties](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and a +[mapping key](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +in order to uniquely identify the +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources at different points in a resource's lifecycle. + +## Overview + +Here you will learn how to select keys from among the entity type's scalar properties, in order to +ensure the unique identification of resources at different times. + +It is important to show caution when choosing the mapping key and key properties for a set of data. +Every extracted resource must have unique keys in order to be uniquely identified in all IGA actions +performed by Usercube. + +### Key properties + +The key property of an entity type is a property chosen from among scalar properties. A key property +is used only in the XML configuration, but required when working both from the UI or from the XML +configuration. + +The purpose of key properties is to uniquely identify a resource from the entity type in the XML +configuration. In particular, some rules need to fetch a resource, by querying the key property's +column in Usercube's database. + +> For example a navigation rule involving an AD group can be written: +> +> ``` +> +> +> +> ``` +> +> Usercube needs to know what column to query to find the right resource via `CN=SG_APP_AG002...`. +> In this example we must choose `dn` as a key property because it is the `dn` property we use to +> represent the AD resource. + +Key properties must be unique and immutable. They do not have to be immutable but they must enable +resources to be uniquely identifiable at t time. 
+ +> The `dn` attribute of a resource in the Active Directory usually depends on the resource's +> position, which often changes during the resource's lifecycle. However, `dn` is unique at a given +> time, and rather useful to define for example +> [query rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) +> for `parentdn`. + +Only one key property is required, but using several key properties can sometimes help with the +rules in the XML configuration. Usercube will search the columns of each key property, one by one, +until a corresponding resource is found. + +> For example, the AD's unique identifier is `objectGuid`. However, integrators may prefer to use +> `dn` because it constitutes a clearer group identification from a user's point of view. Plus, +> `objectGuid` is environment-specific so using it can complexify a situation where we want to move +> the configuration from an environment to another. +> +> Since an `objectGuid` can still be an interesting identifier, we want to have both the `dn` and +> the `objectGuid` as key properties. In this case, Usercube will be able to fetch a resource in a +> rule using said resource's `dn` or `objectGuid`. + +### Mapping key + +The mapping key is also chosen from among scalar properties, and serves to uniquely identify any +resource during +[synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). +It must be unique and immutable, i.e. must not change during the whole lifecycle of the resource. + +> A mapping key cannot be based on properties subject to change, such as the display name of any +> object, or users' title which could be renamed. +> +> For example, resources from the AD are usually identified through the `objectGuid` attribute which +> is therefore specified as mapping key. 
+ +Commonly used mapping keys are: + +- `objectGuid` for the Active Directory +- `objectid` for Microsoft Entra ID +- `entryUuid` for LDAP +- `Identifier` for the directory +- `Login` for SAB +- `sapid` for SAP +- `sys_id` for ServiceNow +- `EmployeeId` for the HR + +Since the mapping is able to uniquely identify any resource, NETWRIX recommends that your mapping +key is always part of your key properties. + +## Select the Entity Type's Keys + +Create an entity type by proceeding as follows: + +1. Start by + [defining the entity type's scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md). + + ![Keys](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp) + +2. In the entity type's **Properties** section, choose the key properties. +3. Choose the mapping key. +4. Click on **Create & Close** > **Create** to save your changes. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. 
+ +## Next Steps + +After the entity type is created with its scalar properties and keys, you can +[define navigation properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) +and/or +[set the resources' display name](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md new file mode 100644 index 0000000000..1c4f58a1e0 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md 
@@ -0,0 +1,195 @@ +# Define Navigation Properties + +How to define the properties which describe the +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +relationships to other entity types. + +## Overview + +Here you will learn to define navigation properties, which contain scalar values just like +[scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md), +but which are also linked to and point to other properties, from the same entity type or to another +entity type. + +> For example, `memberOf` can contain a list of groups thus linking a user to groups, and a group to +> other groups. In the UI, `memberOf` is displayed just like scalar properties, but you can click on +> its values to access each group in the list. Here for the AD entry `ADM Vidal Pierre`: +> +> ![Navigation Property - memberOf](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp) +> +> Clicking on one of these groups will display said group's properties including the other side of +> the `memberOf` property, called `member`, which contains the list of users and groups which are +> members of the group. Here for the AD group `SG_APP_RAY_0_LDAP_READLDSFEDE`: +> +> ![Navigation Property - member](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp) + +> As another example, a department needs to be linked to a manager who is an existing user. So the +> user identifier is used in the `Manager` property to create the link between the department and +> the manager/user. 
In the UI, when looking at a given department data, `Manager` is displayed just +> like scalar properties, but you can click on its value to access the page of the department's +> manager. +> +> ![Navigation Property - Manager](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp) +> +> Clicking on the manager will display said user's properties including the `Department` property, +> which points back to the managed department. +> +> ![Navigation Property - Managed Department](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp) + +Navigation properties can create a link: + +- inside an entity type; +- between two entity types from the same connector; +- between two entity types from different connectors. + +Inside Usercube, a navigation property has a flip side, one for each linked element. + +For example in the AD, the group membership of a user is represented by the properties `member` for +groups (containing a list of users) and `memberOf` for users (containing a list of groups). +However, some managed systems only have one of these two sides. + +The AD only uses `member` from among groups' properties. Users don't have a `memberOf` property. +But, as Usercube uses and links both sides, it is able to "translate" the information, so that a +navigation property, which actually exists in the managed system, can be linked to the two +corresponding navigation properties in Usercube. + +When importing data to Usercube, the `member` property from the AD will update the `member` property +in Usercube, and Usercube will update the `memberOf` property accordingly. + +Most often, properties inside Usercube are each linked to a property from the managed system. 
This +way, data from the managed system can be imported into Usercube and stored in the corresponding +property. These properties are mapped from the source (see step 3). + +If the property to be created does not exist in the external source, it is impossible to map the +property, but it can still be created with **+ Add a navigation property**. + +This can be used to store data needed for assignment management, but which you cannot write to the +connected system. Since these properties do not exist in the connected system, they cannot be +written or read. + +[See the example for scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md). + +## Define the Entity Type's Navigation Properties + +Define the entity type's navigation properties by proceeding as follows: + +1. Start by + [declaring the entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the entity type's **Properties** section, click on **Navigation Properties** tab. +3. Click on **Map a navigation property** to display existing columns from the external source, and + select the properties to be used as navigations in the entity type. +4. Fill in the information fields. + + ![Navigation Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp) + + If you map a column from the source, then the first line of the navigation property is about + said column. The second line is about the new property to be linked to the first one, always of + the entity type. + + - **APPLICATION METADATA**: fields about the display of the properties inside Usercube. + + - `Identifier`: must be unique among properties, without any whitespace, and be + C#-compatible. 
+ [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Entity Type`: always the entity type for the second property, but the first property can + be mapped from any existing entity type in the application. + - `Storage Indicator`: describes the association that can be **mono-valued** (meaning 1-to-1 + or many-to-1) or **multi-valued** (meaning 1-to-many or many-to-many). + + For one entity type, Usercube can store up to 25 optimized mono-valued navigation + properties. For performance purposes, NETWRIX recommends choosing + `optimized mono-valued` as a storage indicator as often as possible. + + If the entity type contains more than 25 mono-valued properties, then a priority must be + established, choosing to optimize: + + 1. properties displayed in forms and search bars; + 2. properties used for the computation of expressions and the role model; + 3. other properties. + + - `Name`: will be displayed in the UI to identify the property. + + **Names and identifiers**: + + A mono-valued property is supposed to be written in the singular, a multi-valued + property is supposed to be plural. This convention facilitates maintenance. + + Entity properties' names and identifiers cannot be "Id". + + - **EXTERNAL SYSTEM**: fields about the corresponding properties inside the connected + application. + + - `Source`: connection that leads to the source file(s). + + You can **choose the source** of a new navigation property by: + + - mapping the property from source so that the connection table is automatically + selected as the table from this entity type; + - opening the dropdown list to choose a connection table from among the other entity + types from this connector; + - clicking on the search icon to choose a connection table from among all other + connectors. + + - `Source Column`: column in the external system where the property data comes from. 
+ - `Column Content`: property of the source column used to identify any resource in the + association. + + > For example, the source column ```manager``` contains the ```dn``` of users to make the association, thus we choose ```dn``` as the source content. + + > For example, `AD - Entry` uses the following navigation properties: + > + > `Entries`; `assistant`; `assistantOf`; `manager`; `directReports`; `memberOf`; + > `member`; `parentdn`; `children`. + > + > ![AD Entity Type - Navigation Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp) + +5. Click on the Gear symbol to add advanced settings if needed. + + ![Advanced Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the property among users' data. + - **Source Expression**: expression that defines the property based on at least one source + object. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + + > For example, the scalar property `isUnused` is created to spot unused accounts via a + > combination of `accountExpires` and `lastLogonTimestamp`: + > + > ![Advanced Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: expression that inserts adaptable + [comparison flexibility](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + when using a searchbar for the property. 
+ - `History Precision`: time period over which Usercube historically records only one value. + + > For example, the scalar property `lastLogonTimestamp` of an AD resource is modified every + > time the user connects to the application. Every modification triggers the historization + > of all properties for said resource inside the database. Hence, the database can quickly + > become full of data. In order to lighten the database, we can set the `History Precision` + > option to one week (10080 minutes) so that resources are historized once a week at most + > (concerning changes on `lastLogonTimestamp`). In the meantime, in case of a change, + > instead of historizing resources with all their properties, only `lastLogonTimestamp` is + > updated with the new value. + + Clicking on **Continue** closes the pop-up window so that you can continue the configuration of + the entity type. But it does not save anything. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Next Steps + +After the entity type is created with its scalar properties and keys, and navigation properties, you +can +[set the resources' display names](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). 
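Review bot: The "See Microsoft lexical structure" link in navigation-property-definition/index.md ends in `#see-microsoft-lexical-structure`, a fragment that looks generated from the link text rather than copied from a heading on the target page; please confirm it resolves and point it at the identifiers section you mean. In the `Column Content` example, `manager` and `dn` are wrapped in triple backticks inline where the rest of the page uses single ones. The History Precision example and the whole Reload section are repeated word for word in scalar-property-definition/index.md, so a shared include would keep the two copies from drifting.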
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md new file mode 100644 index 0000000000..3a541b9d9a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md 
@@ -0,0 +1,157 @@ +# Define Scalar Properties + +How to define the simple, or scalar, properties of an +[entity type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources. + +## Overview + +Here you will learn how to define scalar properties, which contain scalar values, mostly based on +the properties from the corresponding managed system. + +> For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc. +> +> ![Scalar Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp) + +Most often, properties inside Usercube are each linked to a property from the managed system. This +way, data from the managed system can be imported into Usercube and stored in the corresponding +property. These properties are mapped from the source (see step 2). + +If the property to be created does not exist in the external source, it is impossible to map the +property, but it can still be created with **+ Add a scalar property**. + +This can be used to store data needed for assignment management, but which you cannot write to the +connected system. Since these properties do not exist in the connected system, they cannot be +written or read. + +For example, we may need to create in the AD the property `isUnused` to spot unused accounts. It +would be configured with a C# expression based on other properties from the same entity type. These +properties, such as `accountExpires` and `lastLogonTimestamp`, are each linked to a property from +the AD, while `isUnused` is for governance and surveying AD accounts. + +Such properties do not exist in the AD, and thus will never be written to the AD, nor overwritten by +any property from the AD, but will be recalculated based on the other properties. 
+ +## Define the Entity Type's Scalar Properties + +Define the entity type's scalar properties by proceeding as follows: + +1. Start by + [declaring the entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the entity type's **Properties** section, click on **Map scalar properties** to display + existing columns from the external source, and select the properties to be used in the entity + type. + + ![Map from source](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp) + + You need to configure at least one property to be able to define primary keys later, and thus + create an entity type. + +3. Fill in the information fields. + + ![Scalar properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp) + + - **APPLICATION METADATA**: fields about the future display of the properties inside Usercube. + + - `Identifier`: must be unique among properties, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property. + + Entity properties' names and identifiers cannot be "Id". + + - `Format`: format used for the property's display in Usercube, for search tools and + computation based on said property. Do not keep the default string format if the property + is not a string. + [See more details on available formats](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md). + + > For example, dates, booleans, integers, etc. 
+ + For one entity type, Usercube can store up to 128 scalar properties of any format, and + an unlimited number of binaries which are stored differently. Among these 128 + properties, only 4 can be formatted as more-than-443-character strings (with a limit of + 4,000 characters), and 124 as less-than-443-character strings. + + - **EXTERNAL SYSTEM**: fields about the corresponding properties inside the connected system. + + - `Source Column`: column in the external system where the property data comes from. + Advanced settings can be configured according to the description below. + - `Format`: for mapped properties, format used to convert a value during export and fulfill + from Usercube to the connected system, whenever different from a string. + > To continue with the `AD - Entry` entity type, we map all the properties we need: + > + > `accountExpires`; `c`; `cn`; `comment`; `company`; `department`; `description`; + > `displayName`; `division`; `dn`; `employeeId`; `employeeNumber`; `employeeType`; + > `extensionAttribute10`; `extensionAttribute11`; `givenName`; `groupType`; + > `homeDirectory`; `homeDrive`; `initials`; `l`; `lastLogonTimestamp`; `mail`; `mobile`; + > `objectCategory`; `objectGuid`; `objectSid`; `ou`; `pwdLastSet`; `rdn`; + > `sAMAccountName`; `scriptPath`; `sn`; `st`; `telephoneNumber`; `thumbnailPhoto`; + > `title`; `uid`; `userAccountControl`; `userPrincipalName`; `whenCreated`. + > + > We create the properties that do not exist in the external system: `AppName`; + > `businessCategory`; `isUnused`; `thumbnailPhotoTag`. + > + > Some of them have a specific format in case of provisioning to the managed AD like + > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as + > `1601 Date`. + > + > ![AD Entity Type - Scalar Properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp) + +4. 
Click on the Gear symbol to add advanced settings if needed. + + ![Advanced Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the property among users' data. + - **Source Expression**: expression that defines the property based on at least one source + object. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + + > For example, `isUnused` is created to spot unused accounts via a combination of + > `accountExpires` and `lastLogonTimestamp`: + > + > ![Advanced Settings](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: expression that inserts adaptable + [comparison flexibility](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + when using a searchbar for the property. + - `History Precision`: time period over which Usercube historically records only one value. + + > For example, the `lastLogonTimestamp` property of an AD resource is modified every time + > the user connects to the application. Every modification triggers the historization of all + > properties for said resource inside the database. Hence, the database can quickly become + > full of data. In order to lighten the database, we can set the `History Precision` option + > to one week (10080 minutes) so that resources are historized once a week at most + > (concerning changes on `lastLogonTimestamp`). 
In the meantime, in case of a change, + > instead of historizing resources with all their properties, only `lastLogonTimestamp` is + > updated with the new value. + + Clicking on **Continue** closes the pop-up window so that you can continue the configuration of + the entity type. But it does not save anything. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Next Steps + +Before saving, you must first +[choose the entity type's keys](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) +from among scalar properties. + +## Troubleshooting + +#### If the Format column is not displayed in the External System part, then� + +![Scalar properties](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp) + +Refresh the connections' schemas. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md new file mode 100644 index 0000000000..83b19358c8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md 
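Review bot: The Troubleshooting heading in scalar-property-definition/index.md ends in a mis-encoded character ("then�") and jumps from `##` straight to `####`; replace the character with the intended punctuation (probably an ellipsis) and use `###`. Separately, the Overview says "we may need to create in the AD the property `isUnused`", while the next paragraph states that such properties do not exist in the AD and are never written to it; wording such as "create on the AD entity type" would remove the contradiction.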
@@ -0,0 +1,168 @@ +# Connect to a Managed System + +How to create a new +[connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +using the provided SaaS +[agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md). + +Usercube provides demo applications +([Banking](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md) +and +[HR](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md)) +to help set up connectors, test them, and understand Usercube's abilities towards external systems. + +## Overview + +Connectors are the mechanisms that enable Usercube to read and write data to/from your +organization's systems. The +[feedback](/docs/identitymanager/6.1/identitymanager/introduction-guide/more-info/index.md) mechanism +ensures Usercube's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Usercube and a managed system. + +![Connector Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +NETWRIX strongly recommends the creation of one connector for one application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Usercube, and writing to the Active Directory from Usercube, either manually +> for administration accounts, or automatically for basic accounts. +> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. 
+ +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Usercube +will feed data into connected managed systems. + +![Outbound System=](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Usercube and the managed system are also called: + +- [synchronization](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/index.md) + in the "managed system-to-Usercube" direction; +- [provisioning](/docs/identitymanager/6.1/identitymanager/integration-guide/provisioning/index.md) in + the "Usercube-to-managed system" direction. + +For a connector's synchronization, Usercube provides tools to perform a basic extraction of the +system's data in the form of CSV files. These files are cleaned and loaded into Usercube. In other +words, synchronizing means taking a snapshot of the managed system's data and loading into Usercube. + +For provisioning, Usercube generates provisioning orders and the connector provides tools to either +automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Usercube's +> [identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> to fill in later the AD's fields, such as users' display names based on their first names and last +> names from the repository. + +Usercube can also benefit from inbound connectors, that will write data to Usercube's central +identity repository. While both inbound and outbound connectors allow data to flow both ways, they +do not work in the same manner. +[See more details about this advanced topic](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md). + +### Technical principles + +Usercube's connectors all operate on the same basic principles. 
Technically speaking: + +> For example, let's say that we want to connect Usercube to our Active Directory, or AD. + +- a + [connector](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + must be created, first as a named container which will include the connections and entity types + related to one managed system; + + > We create a connector named `AD` (so far, an empty shell). + +- a connector is linked to an + [agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md) which acts + as the go-between for Usercube's server and the managed system; + + > Our `AD` connector uses the provided SaaS agent. + +- a + [connection](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + describes the technology used that enables data to flow back and forth between Usercube and the + managed system; + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual + > provisioning through Usercube. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). + +- the shape of the extracted managed system's data is modeled by + [entity types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + (we will use the term resource to refer to an entity type that has been instantiated); + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. 
+ +- the intent of resources within the managed system is made clear by categorizing resources into + [resource types](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + More details are given when tackling + [categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md). + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Usercube to provision automatically; `AD User (administration)` for + > sensitive administration accounts, which we want to provision manually through Usercube. + +![Connector Technical Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents:** To simplify things, Usercube has made it possible to start configuring +connectors without installing a local +[agent](/docs/identitymanager/6.1/identitymanager/introduction-guide/architecture/index.md) in your +organization's network. Instead, you can use the agent integrated with Usercube's server in the +Cloud (SaaS agent). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +functional and technical details of the application. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| Administrator account for the [development environment](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) (required) [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [User profiles](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) (required) | Connector Connected System | + +## Create a Target Connector + +For one managed system, create a connector by proceeding as follows: + +1. Outside Usercube, + [model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + the system's data structure. +2. [Create a connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) + for said managed system. +3. Enable the technical transfer of data by + [creating and configuring connections](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md). +4. [Set up entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + to represent the data model decided upon in step 1. + +**Connector modification:** The process for modifying a connector is not so different from the +process for creating a connector, as you mainly modify the fields specified during creation. 
+However, keep in mind that a connector must be deactivated before modification, in order to withdraw +the connector's synchronization- and provisioning-related tasks from any jobs. See below this note. + +You can activate the connector again at any time using the same button. + +![Jobs Results Dashboard](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +## Next Steps + +Once the connector has been created, you can start +[configuring synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md new file mode 100644 index 0000000000..c1cdc2fc49 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md 
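Review bot: The manual-provisioning connection in the Technical principles example of connect-system/index.md is named `Ticket/identitymanager`, while the product is called Usercube everywhere else in the file; please confirm this is the real package name rather than the result of a search-and-replace on the product name. Smaller points: the alt text `Outbound System=` has a stray `=`, "Local vs. Saas agents" should read "SaaS", the Input cell of the Participants and Artifacts table runs three required inputs together with no separator (as does `Connector Connected System` in Output), and the "Connector modification" note says "See below this note" and "the same button" without ever naming the button.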
@@ -0,0 +1,37 @@ +# Install the Development Environment + +How to connect to Usercube's SaaS environment to set up the development environment. + +When using Usercube's on-premise option, follow the procedure of +[installation of the bootstrap version](/docs/identitymanager/6.1/identitymanager/installation-guide/quick-start/index.md). + +## Overview + +The installation of Usercube's production environment usually takes time, while we want to start +configuring at once. + +This is why Usercube offers a bootstrap version of the application, useful as a development +environment. + +## Participants and Artifacts + +Integrators must be in contact with NETWRIX to be able to get infos about the SaaS tenant URL and +authentication. + +| Input | Output | +| ----- | ----------------------- | +| - | Development environment | + +## Install the Development Environment + +The documentation is not yet available for this part and will be completed in the near future. + +## Verify Environment Installation + +In order to verify the process, try to authenticate to Usercube server, and access the configuration +screens. + +## Next Steps + +Once the development environment is ready, integrators can start +[creating the workforce directory](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/index.md new file mode 100644 index 0000000000..435c3ecbb8 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/index.md 
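Review bot: In development-environment-installation/index.md the section that shares the page title, "Install the Development Environment", contains only "The documentation is not yet available for this part and will be completed in the near future", so the page ships without its procedure while "Verify Environment Installation" and "Next Steps" assume it was carried out. Either hold the page back until the steps exist, or state here what the integrator receives from NETWRIX (the page mentions the SaaS tenant URL and authentication) and how to sign in with it. "infos" should be "information".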
@@ -0,0 +1,93 @@ +# Set Up + +- #### [Install the Development Environment](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) + + How to connect to Usercube's SaaS environment to set up the development environment. + +- #### [Create the Workforce Repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + + How to initiate the repository for workforce identities by loading identities into Usercube with + the right attributes. + +- #### [Configure Unique Property Generation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) + How to configure Usercube to generate unique identifiers, mails and logins for any user who does + not have them already.- #### + [Load Identities to Usercube](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) + How to load identities into Usercube for the first time using a basic data model in the form of + a template MS Excel file.- #### + [Template Description](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md) + Description of the MS Excel template for the creation of the identities repository.- #### + [Adjust the Workforce Data Model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) + How to select the properties to be part of the data model for the workforce repository + (therefore displayed in the UI), and choose their optimal displaying mode. +- #### [Configure a User Profile](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) + + How to tweak the permissions for actions within Usercube, for a standard set of basic Usercube + profiles. 
+ +- #### [Configure Onboarding Workflows](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/configure-workflows/index.md) + + How to adjust the parameters of onboarding workflows. + +- #### [Connect to a Managed System](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) + + How to create a new connector using the provided SaaS agent. + +- #### [Model the Data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + How to choose the appropriate model for a connector's data.- #### + [Create the Connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) + How to create the technical container of a connector.- #### + [Create a Connection](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + How to create a connection inside a connector and choose the appropriate package.- #### + [Create an Entity Type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + How to create an entity type that corresponds to the connector model. +- #### [Synchronize Data](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + + How to launch data synchronization, i.e. read managed systems' data and load it into Usercube. + +- #### [Categorize Resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) + + How to correlate managed systems' resources with identities, classifying resources into resource + types. 
+ +- #### [Create a Resource Type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) + How to create the container for future correlation and classification rules inside a given + managed system.- #### + [Correlate Resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/correlation/index.md) + How to define correlation rules to match up resources across systems, usually accounts with + their owner.- #### + [Classify Resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) + How to define classification rules in order to classify remaining uncorrelated resources, + assigning them resource types. +- #### [Create a Provisioning Rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + + How to define scalar rules, navigation rules and/or query rules to compute and provision target + resources values from source resources values. + +- #### [Create Resources](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md) + How to define resource type rules to create new (target) resources for given users, computing + and provisioning their properties based on source resources.- #### + [Compute a Scalar Property](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) + How to define scalar rules to compute and provision the values of scalar properties for target + resources based on source resources.- #### + [Compute a Navigation Property](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) + How to define navigation rules and/or query rules to compute and provision the values of + navigation properties for target resources based on source resources. 
+- #### [Create Roles in the Role Catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + + How to define single roles to model entitlements, and organize them inside the role catalog, + basis of the role model. + +- #### [Create Roles in Bulk](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + How to create role naming rules, which create single roles using existing naming conventions + from the managed system.- #### + [Create a Category](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + How to structure roles into categories.- #### + [Create a Role Manually](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + How to create single roles manually. +- #### [Assign Users a Profile](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + + How to assign Usercube's access permissions to users through profiles. + +- #### [Manage Role Officers](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md) + How to manage role officers in order to ensure the approval for entitlement assignments. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md new file mode 100644 index 0000000000..7cd88d37cd --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md 
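Review bot: In set-up/index.md the nested entries have lost their list markup: several descriptions end with a trailing `- ####` (for example "not have them already.- ####") and the next entry's link starts on the following line, so child pages such as "Load Identities to Usercube" will render as a continuation of the previous paragraph instead of as their own item. Put each `- #### [Title](link)` on its own line, indented under its parent, with a blank line before the description as the top-level entries have.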
@@ -0,0 +1,106 @@ +# Adjust the Workforce Data Model + +How to select the properties to be part of the data model for the workforce repository (therefore +displayed in the UI), and choose their optimal displaying mode. + +## Overview + +After you created the initial version of the workforce repository, Usercube provides an easy method +to optimize the structure of the data model, for example preventing empty fields in the UI. + +According to the number of resources in the organization, Usercube's analysis of the data model's +usage suggests: + +- to remove unused entity types (country, site, gender, subsidiary, etc.) from the data model and + from the UI; +- to remove unused properties (phone number of a user, position end date, town of a site, etc.) from + fields to fill in the workflows for entity creation, except for properties that are essential to + Usercube's operation and thus ensured to be part of the data model (e.g. the contract's start + date); +- an optimized display mode in the UI for all entity types, and for the fields which link to another + entity (manager of a department, contract type of a user, gender of a user, etc.) and thus require + a query tool (dropdown box, search bar, etc.). + +You can then make your own choice about activating/deactivating/re-activating any property, and you +will be able to make modifications at any time. + +## Participants and Artifacts + +Integrators may need the help of the HR department who know the organization. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | +| [Usercube's server](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) (required) [Initial workforce repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) (required) | Adjusted workforce repository | + +## Adjust the Data Model + +Adjust the data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model + to your specific situation. + + ![Scan Data Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg) + + ![Scan Data Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp) + + Usercube counts the entries for each attribute and suggests a quantification: + + - Empty attributes are deactivated as they should be excluded to simplify the data model. + - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's + forms optimally (e.g. dropdown list, search tool, etc.). + + ![Scan Data Model - Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp) + +3. 
Observe the result and adjust manually the data model if needed, by clicking on the properties. + + While Usercube suggests a structure for the data model, the choice is yours to + activate/deactivate any property. + + > For example, empty attributes should be excluded to simplify the data model. However, you can + > choose to keep an empty property anyway if you know that you want to fill it in later. + + Note that Usercube stays authoritative to activate some properties that are mandatory for + Usercube's operation. + + For example the contract's start date is necessary for Usercube's workflows. + + [Modifications can be performed](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + later, decisions can be reconsidered. + +4. Click on the Save icon at the top. + + ![Save Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Identities Loading + +In order to validate the process: + +1. Choose a test field and note its displaying mode. + + > For example, our `Region` field in `Site` is sized as `large`. + > + > ![Scan Data Model - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp) + +2. Navigate within Usercube to find a workflow using the test field. Observe the displaying mode in + the UI. + + > Our `State` field must be filled in during the creation of a new site. It can be filled by + > opening a pop-up and choosing the region in the list. 
+ > + > ![Scan Data Model - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp) + > + > ![Scan Data Model - Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp) + +3. Back on the scanning feature, change the displaying mode of your test field and save. + + > We change `large` to `extra small`. + +4. Verify the test field's displaying mode. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md new file mode 100644 index 0000000000..d00576a878 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md 
@@ -0,0 +1,113 @@ +# Configure Unique Property Generation + +How to configure Usercube to generate unique identifiers, mails and logins for any user who does not +have them already. + +## Overview + +All users need to: + +- be uniquely identifiable through an identifier, for example in order to link all accounts to their + owners; +- have a reserved unique email address, even if they do not need a mailbox; +- have a unique login that can be used as a seed for all users' accounts. + +For each unique property, Usercube provides a set of generation rules. You are free to choose the +most adequate method regarding your actual approach. + +An identifier/email/login suffix can be specified later according to users' contract types, when +[loading identities](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) +through an Excel template. + +For example, contractors can get `-ext` added automatically to their email addresses. +The unicity checks performed for identifiers/emails/logins do not consider prefixes nor suffixes. + +For example, `john.doe@acme.com` and `john.doe-ext@acme.com` cannot exist simultaneously. + +## Participants and Artifacts + +Integrators may need the help of the HR department to understand the actual approach of the +organization to compute these unique properties. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| [Usercube's server](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) (required) | Generation rules for unique properties | + +## Configure Unique Property Generation + +Configure the generation of unique properties by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. 
+ + ![Home Page - Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Usercube's + instructions to configure the generation of a unique identifier for new workers (if needed), + based on one of the available options. + + ![Unique Identifier Generation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Random Number`: uses a random number with a default prefix which is used when no specific + prefix is specified on the user's contract type. + + NETWRIX recommends using random numbers, as they have the advantage of not containing any + personal information nor giving any hint about the users' seniority. + + - `Sequence`: uses a sequence with a default prefix which is used when no specific prefix is + configured on the user's contract type. + +3. Follow Usercube's instructions to configure the generation of a unique email address for all + users (who do not have one), based on one of the available options. 
+ + ![Unique Email Generation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Based on Unique Identifier`: uses a combination of the unique identifier (defined on the same + page) and the email domain. + + No matter the strategy: + + - the default email domain is used when no specific domain is specified on the user's + subsidiary; + - emails are generated in a way that lets users keep their email address, even if they move + from contractors to employees, or change to another subsidiary. + +4. Follow Usercube's instructions to configure the generation of a unique login for new workers (who + do not have one), based on one of the available options. + + ![Unique Login Generation](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp) + + - `Based on Email`: uses the local part of the email, i.e. before `@`. + - `Based on Full Email`: uses the full email. + - `Based on Unique Identifier`: uses the unique identifier (defined on the same page) prepended + with the default prefix when no specific prefix is specified on the user's contract type. + +5. Click on the Save icon at the top. + + ![Save Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +6. 
Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Property Generation + +In order to verify the process, add a fictitious employee through the workflows from the UI. + +![Home - New Employee](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp) + +Verify in the directory that the employee's sheet displays the expected values for the configured +unique properties. + +![Home - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md new file mode 100644 index 0000000000..28cc784ad3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md 
@@ -0,0 +1,123 @@ +# Create the Workforce Repository + +How to initiate the repository for workforce identities by loading identities into Usercube with the +right attributes. + +## Overview + +Loading the digital identities into Usercube is the very first task you have to perform, once you +installed the development environment. + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Usercube, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +[See more information about the identity repository](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/identity-repository/index.md). + +The initial workforce repository is going to be the first version of a comprehensive repository +containing all users in the organization. This repository is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +### Creation strategy for the workforce repository + +In a nutshell, Usercube has made it as easy as a copy-paste from employee and contractor HR files +into an MS Excel file. 
+ +#### Special properties generation + +First, you have to choose rules about how email, login, and internal identifiers are going to be +built for new identities, and for existing identities who do not have these unique properties yet. + +#### Organizational model creation + +Then, you are going to need a model of the organization's structure where the identities fit in. +This model is supposed to provide valuable information for automation and governance features later. + +The model is where you are going to identify for example the type of identities you want to manage +(such as employees and contractors), the hierarchical relationships between them, the geographical +areas they work in, and so on. + +Usercube has already built a template model for you, in the form of an Excel file. This basic model +is customizable and will be adaptable to most organizations. You can customize it simply by writing +information from your organization into said Excel file. + +Even if you have more specific or exotic needs that aren't met by this model, it is still a good +starting point and a good way to quickly start delivering value. We recommend that you start +building your project using this model, identify its limits along the way, and +[enhance it](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) +down the road to make it fit your needs more accurately. + +#### Organizational model filling + +Then, you write down the actual identities information, still using the same Excel file, using data +from HR extractions or other records of contractors and temporary workers. As simple as a +copy-paste. + +The data you are going to load is analyzed by the engine and some simplifications will be suggested. + +**HR synchronization is not enough:** + +Another way of handling a part of the initial data loading is to set up an automated synchronization +of HR data with Usercube. 
+ +While it seems to be a good idea, it poses a few problems. Among them: + +- a specific IT infrastructure is required and its implementation is likely to delay the project's + progress; +- HR data usually misses crucial information (for example contractor data) and is rarely up to date + early enough to be really useful. + +Hence, in order to rather focus on awaited IGA activities, we choose to build the first iteration of +the project upon a manual data upload to create the initial workforce repository. + +[Read more about why you should postpone connecting your HR data](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md). + +## Participants and Artifacts + +Integrators may need the help of the HR department and its assistants who know the organization in +order to get the identity and organizational data. After the initial loading, the HR department can +review the data to confirm its accuracy. + +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | +| [Usercube's server](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) (required) Organizational chart (required)) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +## Create the Workforce Repository + +Create the workforce repository by proceeding as follows: + +1. [Configure the generation of unique properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) + for all users, pre-existing and new, who do not have them yet. +2. 
[Load identities to Usercube](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) + based on the recommended attributes from the provided + [organizational model template](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md). +3. [Adjust the identity data model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) + following Usercube's suggestions. +4. Continue with the next steps of this guide, and come back later to fill the organizational model + with additional data. + +## Next Steps + +Once the initial identities are loaded, integrators can start the +[user profile configuration](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md). + +From there you will be able to keep your repository up to date: + +- [concerning identity data](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/index.md) + through workflows; +- [concerning the data model](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + +The initial identities loading also enables: + +- [HR connector creation](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/hr-connector-creation/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md new file mode 100644 index 0000000000..707bf0aaf1 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md 
@@ -0,0 +1,186 @@ +# Load Identities to Usercube + +How to load identities into Usercube for the first time using a basic data model in the form of a +template MS Excel file. + +## Overview + +Loading the digital identities into Usercube is the very first task you have to perform, once you +installed the development environment. + +The initial workforce repository is going to be the first version of a comprehensive directory +containing all users in the organization. This directory is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +Usercube contains a template model, downloadable as an Excel file. Below is an example of a part of +the `UserRecord` tab, used in Usercube's demo: + +![Template Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp) + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. 
+ + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. + +## Participants and Artifacts + +Integrators may need the help of the HR department who knows the organization in order to get the +identity and organizational data. After the initial loading, the HR department can review the data +to confirm its accuracy. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------- | +| [Usercube's server](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/development-environment-installation/index.md) (required) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +## Load Identities + +Load identities for the first time by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Upload** page, download the empty Excel template. + + ![Upload Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +3. Collect identity and organizational data. + + If you don't know where to start, identities most often include long-term employees, temporary + employees (such as interns and temps) and external contractors. The template contains a + `UserType` tab that lists all the types of workers that you want to include, i.e. the usual + identities listed just before, but also partners, clients, even applications. 
+ + Workforce should include obviously all current workers, but also incoming workers, and those who + left the organization in the past XXX (time period defined by the rules of the security + officer). It is interesting to have past workers in order to understand + [orphaned accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + and ensure that they are supposed to be orphaned. + + **Employees** + + The workers that are directly employed by the organization usually have their data stored in the + HR system. + + **Contractors** + + Often third-party workers like contractors are not part of the HR system. Then, there are a few + possible solutions to get their data: + + - through purchasing department if it doesn't imply any personal data security breach; + - manually with knowledgeable people, for example department managers and assistants; + - through a filter on data from available directories, for example on the email address if it + contains a specific string like `.ext@`; + - through an Active Directory extraction with a filter on an attribute that works with a + specific part, for example on the employee identifier. + +4. Fill said template with the data you collected. + + The Excel file contains several tabs which organize data, but not all tabs and columns are + mandatory. You can find + [**more details about the template's description**](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md). + Below are the minimum recommended attributes (mandatory in orange): + + ![Template Recommendations](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp) + + [**Click here to download a template example**](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). 
+ + Every object (so every tab) of the directory must have a **key**, which is an attribute: + + - unique, i.e. designed to uniquely identify an object/resource, one key can't be shared; + - immutable, i.e. must not change during the whole lifecycle of the object/resource, even for + renaming for example; + - consistent, i.e. identical everywhere the object/resource is specified. + + Among other things, a consistent key allows identities to use the same login in all + applications. A consistent key is also essential to form the link between identities and the + other objects (organizations, titles, etc.). + + **Create your initial workforce repository with only recommended attributes.** + + As we aim to quickly enable Identity Governance and Administration (IGA) actions (like the + review of orphaned and unused accounts, or access certification, etc.), NETWRIX recommends + loading identities with only necessary data. The model can be completed later. + + Moreover, Usercube's + [Query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + can help gather data from other systems. + + For example, let's say that contractors' phone numbers are found only in the AD. Then we can + wait for the connection of Usercube to the AD, and finally use the Query module to collect + missing data. In this case: + + 1. Upload the `Directory.xlsx` file with only recommended data, validate and synchronize as + explained on this page. + 2. Connect the AD, + [synchronize](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md) + AD data, update + [correlation and classification](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md). + 3. Follow + [the usual query procedure](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + to request phone numbers from the AD. + 4. 
Ensure you display a key (for example `EmployeeId` or `email`) to master the order of the + displayed data. + 5. Download the report. + 6. Copy the report's columns one by one to paste them into the Directory.xlsx file. + 7. Synchronize directory data. + +5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in + order to feed the data back to Usercube. + + ![Upload Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg) + + The latest uploaded file overwrites the previous one. + +6. Click on **Verify and Synchronize** to check the file's consistency and import its data into + Usercube. + + ![Verify and Synchronize](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp) + + Now you are able to view users' pages in the directory. + + ![Directory - Users](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp) + +## Verify Identities Loading + +In order to validate the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization includes a manager. Organizations are accessible from the department + directory on the home page. 
+ + ![Home - Directory Department](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list each organization + with its manager through the + [Query module](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md). + +- [Create reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + with indicators on the number of workers per type or per organization for example (through + Usercube' predefined reports, the Query module or Power BI), in order to ensure that Usercube's + content sticks to reality. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md new file mode 100644 index 0000000000..1aa760f3f3 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md 
@@ -0,0 +1,253 @@ +# Template Description + +Description of the MS Excel template for the creation of the identities repository. + +[Click here to download a template example](/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). + +![Template Model](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp) + +All tabs contain a column `Command` only used at a later stage to +[modify (massively) identity data](/docs/identitymanager/6.1/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md). + +## User - Required + +[An identity is split into two parts](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md), +the first one being the parent resource called `User` which represents the user's identity card. It +contains the few attributes which shall not change during the identity's lifecycle. + +| Attribute | Type | Description | +| ---------------------------- | ------- | ----------- | +| Identifier (required) | String | | +| ConsentPhotoUsage (optional) | Boolean | | +| IsDraft (optional) | Boolean | | + +## UserRecord - Required + +[An identity is split into two parts](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/index.md), +the second one being the one or several child resources called `UserRecord` which represent the +user's positions. Records belong to users and help materialize: + +- several positions at once; +- validity periods for positions/assignments unrelated to the user itself; +- position changes. + +In other words, records represent the lifecycle of a user inside the company, i.e. multiple +contracts, mutation, etc. + +Thus, the `UserRecord` tab usually holds users' information that might change over time, while the +`User` tab groups all records of a given user around its identifier. 
+ +| Attribute | Type | Description | +| ---------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| RecordIdentifier (recommended) | String | Identifier of the [record](/docs/identitymanager/6.1/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). **Note:** it can be the same as `PositionIdentifier` when users can have no more than one contract simultaneously. **Note:** required when using records. | +| User (required) | ForeignKey | `Identifier` from the `User` tab. | +| EmployeeId (recommended) | String | | +| Gender (optional) | ForeignKey | `Identifier` from the [`Gender`](#gender) tab. | +| PersonalTitle (optional) | ForeignKey | `Identifier` from the [`PersonalTitle`](#personaltitle) tab. | +| FirstName (recommended) | String | | +| LastName (recommended) | String | | +| BirthName (optional) | String | | +| BirthDate (optional) | DateTime | | +| Email (recommended) | String | | +| EmailAliases (optional) | String | Outdated, or any other email address associated with the user. This is used to prevent the re-assignment of a previously used address. | +| Login (optional) | String | | +| PhoneNumber (optional) | String | | +| MobileNumber (optional) | String | | +| VIP (optional) | Boolean | `True` to specify that the user is special/important. | +| ContractIdentifier (required) | String | | +| ContractStartDate (required) | DateTime | Start date of the user's contract in the company. | +| ContractEndDate (recommended for permanent contracts, required for fixed-term contracts) | DateTime | End date of the user's contract in the company. 
| +| AccessesExpirationDate (optional) | DateTime | Date when the user will be deprived of their access rights. | +| UserType (required) | ForeignKey | `Identifier` from the `UserType` tab. | +| Subsidiary (optional) | ForeignKey | `Identifier` from the [`Subsidiary`](#subsidiary) tab. | +| ExternalCompany (optional) | ForeignKey | `Identifier` from the [`ExternalCompany`](#externalcompany) tab. | +| PositionIdentifier (required) | String | | +| PositionStartDate (optional) | DateTime | | +| PositionEndDate (optional) | DateTime | | +| Organization (recommended) | ForeignKey | `Identifier` from the [`Organization`](#organization) tab. | +| Manager (recommended) | String | Line manager. `Identifier` from the `User` tab. | +| IGAManager (optional) | String | Validator of IGA requests. `Identifier` from the `User` tab. | +| JobTitle (optional) | String | | +| Title (optional) | ForeignKey | `Identifier` from the [`Title`](#title) tab. | +| Site (optional) | ForeignKey | `Identifier` from the [`Site`](#site) tab. | +| Office (optional) | ForeignKey | `Identifier` from the [`Office`](#office) tab. | +| OfficeNumber (optional) | String | | +| IsMainPosition (optional) | Boolean | | +| Suspended (optional) | Boolean | | +| StartDate (optional) | DateTime | Start date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | +| EndDate (optional) | DateTime | End date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | + +**Recommendations**: + +- There is no absolute need for a unique identifier, because Usercube can compute one in the next + steps. +- Be aware of the difference between a hierarchical manager and an IGA manager who approves + entitlement requests. They aren't necessarily the same person. 
+ +## UserType - Required + +User types represent users' contract types, such as permanent contract, fixed term contract, +interim, contractor, trainee, etc. + +| Attribute | Type | Description | +| ------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Category (required) | ForeignKey | `Identifier` from the [`UserCategory`](#usercategory) tab. | +| EmailSuffix (optional) | String | Suffix to concatenate to the email string (immediately before the `@` character). | +| IsExternal (required) | Boolean | | +| LoginPrefix (optional) | String | | +| LoginSuffix (optional) | String | | +| UniqueIdentifierPrefix (optional) | String | | +| UniqueIdentifierRangeEnd (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeEnd` set to 9999 means that no unique identifier should be greater than 9999. | +| UniqueIdentifierRangeStart (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeStart` set to 1000 means that no unique identifier should be less than 1000. | +| UniqueIdentifierSuffix (optional) | String | | + +## UserCategory + +Categories constitute an additional layer to organize users who can be sorted by types and then +further by categories, and categories can be transverse or not. 
+ +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Subsidiary + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| EmailDomain (optional) | String | | + +## ExternalCompany + +Including external workers into the workforce repository requires listing external companies. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Organization + +A company is divided into organizations, also called departments, such as the board of directors, +corporate banking, call center, USA operations, France operations, treasury, etc. + +| Attribute | Type | Description | +| ------------------------- | ---------- | ------------------------------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Manager (recommended) | ForeignKey | `Identifier` from the `User` tab. | +| Assistant (optional) | ForeignKey | `Identifier` from the `User` tab. | +| Parent (optional) | ForeignKey | `Identifier` of another organization. | +| Type (optional) | ForeignKey | `Identifier` from the [`OrganizationType`](#organizationtype) tab. | + +## OrganizationType + +Organizations can be categorized into organization types, if relevant. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Title + +Each position can be represented by a title which names said position, such as architect, CEO, +purchasing manager, recruiter, etc. 
+ +| Attribute | Type | Description | +| ------------------------- | ---------- | -------------------------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| JobCategory (optional) | ForeignKey | `Identifier` from the [`JobCategory`](#jobcategory) tab. | + +## JobCategory + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Country + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| ISOCode (optional) | String | | + +## Region + +| Attribute | Type | Description | +| ------------------------- | ---------- | ------------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Country (optional) | ForeignKey | `Identifier` from the [`Country`](#country) tab. | + +## Site + +All positions specify a working site. + +| Attribute | Type | Description | +| ---------------------------- | ---------- | ---------------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Name (optional) | String | | +| StreetNumber (optional) | Int32 | | +| StreetName (optional) | String | | +| StreetType (optional) | String | | +| Floor (optional) | Int32 | | +| PostalCode (optional) | Int32 | | +| City (optional) | String | | +| Region (optional) | ForeignKey | `Identifier` from the [`Region`](#region) tab. 
| +| PreferredLanguage (optional) | String | | +| TimeZone (optional) | Int32 | | +| Latitude (optional) | Int64 | | +| Longitude (optional) | Int64 | | +| Url (optional) | String | | + +## Office + +| Attribute | Type | Description | +| ------------------------- | ---------- | ------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Site (recommended) | ForeignKey | `Identifier` from the [`Site`](#site) tab. | + +## PersonalTitle + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Gender + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## ReservedEmail + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedIdentifier + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedLogin + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md new file mode 100644 index 0000000000..c402e81f57 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md 
@@ -0,0 +1,65 @@ +# Create a Provisioning Rule + +How to define +[scalar rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md), +[navigation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +and/or +[query rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +to compute and provision target resources values from source resources values. + +## Overview + +[Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) +led to the grouping of resources into resource types (classification), and the establishment of +source-to-target relationships between these resources (correlation). + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of +[scalar and navigation properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +for the target resources used in entitlement management, based on source resources. We are going to +[provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) +these properties, i.e. write them to the managed system. + +The right tools for the job are provisioning rules: scalar rules, navigation rules, query rules. + +These provisioning rules are designed to: + +1. retrieve the input data in source objects; +2. compute the output value for target objects; +3. provision the corresponding properties in the managed system with the computation result. + +Another kind of provisioning rule is called resource type rule. Instead of computing existing +properties, resource type rules create automatically target resources to be owned by given source +resources (identities). 
+ +In testing mode, the impacted resource types can be +[configured to block provisioning](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md), +by adding a mandatory review before actually writing to the managed system. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------ | ----------------------------------------- | +| [Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (required) | Scalar rules Navigation rules Query rules | + +## Create Provisioning Rules + +- [Create resource type rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md) + to automatically create resources. +- [Create scalar rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) + to compute scalar properties; +- [Create navigation and/or query rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) + to compute navigation properties. + +NETWRIX recommends creating/modifying/deleting provisioning rules using +[simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) in +order to anticipate changes. + +## Next Steps + +Once provisioning rules are created, integrators can start +[creating the single role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). 
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md new file mode 100644 index 0000000000..94d79d16f2 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md 
@@ -0,0 +1,259 @@ +# Compute a Navigation Property + +How to define +[navigation rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +and/or +[query rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +to compute and provision the values of navigation properties for target resources based on source +resources. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of +[navigation properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +for the target resources used in entitlement management, based on source resources. We are going to +[provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) +these properties, i.e. write them to the managed system. + +The right tools for the job are navigation and query rules. + +A navigation property's value can be computed by a navigation rule or a query rule, assigning a +given resource from the entity type pointed by the navigation property (which can be the target +entity type itself). Let's call this entity type the "other" one. + +- A navigation rule assigns a fixed resource, which is chosen from among the "other" entity type's + resources during the rule's creation. The assigned resource is the same for all impacted accounts. + **Use a navigation rule when a given resource must be assigned, regardless of users' attributes.** +- A query rule assigns a resource from the "other" entity type too. However, the resource is chosen + according to a query via a C# expression with conditions, based on the attributes of the source + objects (usually users). 
Hence, contrary to a navigation rule, a query rule can assign a different + resource for each impacted account, based on the attributes of the account's owner. **Use a query + rule when there is the need to use variables from among users' attributes to select the resource + to assign.** + +![Schema - Scalar Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp) + +> A **navigation rule** could add the AD group `SG_APP_SQL` to the `memberOf` navigation property to +> all AD nominative accounts provided that the user has the single role `SQL Server Administration`. + +> A **query rule** could compute the value of the `department` navigation property for ServiceNow +> nominative accounts (entity type `ServiceNow_User`), with a query from among resources from the +> `ServiceNow_Department` entity type, where the name of the resource would match the display name +> of the organization specified for the user (owner of the ServiceNow account). +> +> We need here to query the `ServiceNow_Department` entity type in order to find the right +> department to update the value of `department`, which is specific to each ServiceNow account. +> +> Thus, each user owning a ServiceNow account will see the value of `department` in their account +> updated with the resource from `ServiceNow_Department` which corresponds to the department +> specified for this user. + +> Another **query rule** could compute the `parentdn` attribute for AD nominative accounts, with a +> query from among AD entries, where the `dn` attribute of the resource would match a complex +> expression based on the user's (owner of the AD account) presence state, employee type, location, +> etc. +> +> We need here to query the `AD - Entry` entity type in order to find the right dn to update the +> value of `parentdn`, which is specific to each AD nominative account. 
+> +> Thus, each AD nominative account will have the value of its `parentdn` set according to its +> owner's attributes (presence state, employee type, location, etc.). + +The application of a navigation rule can depend on the assignment of a +[single role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +and/or user +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions). + +A query rule does not use criteria as it is designed to compute a given navigation property for all +existing resources in a given resource type. However, in case of several query rules on a same +property, the application of a query rule depends on its +[confidence rate](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) +and the corresponding priority it receives compared to other query rules. + +While both navigation and query rules compute navigation properties, the value of one navigation +property should be computed by either navigation or query rules, not both. + +In Usercube, a navigation property has two "sides", one for each linked element. + +For example in the AD, the group membership of a user is represented by the properties `member` for +groups (containing a list of users) and `memberOf` for users (containing a list of groups). +However, some managed systems only have one of these two sides. + +The AD only uses `member` from among groups' properties. Users do not have a `memberOf` property. +But, as Usercube uses and links both sides, it is able to "translate" the information, so that the +corresponding navigation property, which actually exists in the managed system, is modified by the +navigation/query rule. + +Usercube assigns an entitlement to a user by assigning a group-membership to an account. 
Thus we can +create a navigation rule which adds a group to the `memberOf` property of given accounts. Usercube +will update the `member` property of groups accordingly (in Usercube), and then provision the +`member` property of said groups in the AD, adding the impacted accounts. + +A navigation rule will trigger the creation of a target resource for all impacted source resources +(so all users), which are not yet correlated with a resource of this resource type. + +A query rule does not create resources, and only computes the navigation properties of existing +resources. + +## Guidelines + +### Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +> For example, consider an organization that manages email addresses according to the site with +> `.fr` for France and `.be` for Belgium. +> +> A working option could be to write an expression with a condition `if` on the site to assign the +> domain name. However, if the organization expands and needs to consider an additional country, +> then the rule requires change in the expression code. +> +> A better solution is to change the identity data model by adding a field `Domain Name` to describe +> the object `Site`, and to be used in the rule expression. In this case, if there is an additional +> country, then a new field is added in the data model for `Site` and `Domain Name`. Thus, the rule +> expression remains simple by using the new objects, for example +> `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. 
+ +### Priority between navigation/query rules + +It means that: + +- several rules computing the same property with different criteria should not coexist; +- the only reason to have several rules to compute a single property is when changing the property + value over time, via + [time offsets](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------ | ---------------------------- | +| [Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (required) | Navigation rules Query rules | + +## Create a Navigation Rule + +Fill an entity type with a navigation rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. + + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future navigation + rule. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Navigations** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. 
+ + ![Create a Navigation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + + - `Join`: navigation property from the target entity type, whose value is to be impacted. + - `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the + `Join` property. + - `Navigation denied`: option that forbids the resource assignment. + - `Offset of effective date`: time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + > For example, account activation and deactivation can be managed according to the start + > and/or end dates. + + - **Criteria**: conditions that, if met, trigger the rule application. + > Our example would look like: + > + > ![Scalar Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Create a Query Rule + +Fill an entity type with a query rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. + + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future query rule. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Queries** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. 
+ + ![Create Query Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp) + + Once the `Resource Type` is provided, more fields appear. + + ![Query Rule Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp) + + - **Target Object** > `Property to fill`: navigation property from the target entity type, whose + value is to be impacted. + - **Target Object**: property (or expression of properties) from the entity type pointed by the + `Property to fill`, which will be the value of the `Property to fill` if it matches the source + object. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - **Source Object**: property (or expression of properties) from the source entity type, which + TODO:. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Offset of effective date`: time period that defines the actual effective date according to + the value's start and/or end date. An offset of effective date can be useful for some + attributes. For example, account activation and deactivation can be managed according to the + start and/or end dates. + - `Confidence Rate`: rate expressing the confidence in this link, and its priority order. + [See the detailed explanation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md). 
+ > Our examples would look like: + > + > ![Query Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp) + > + > ![Query Rule Example 2](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a navigation or query rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a navigation rule (and its criteria), and if the user's +criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Usercube +side. There are several barriers to cross before said resource is removed from the managed system. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in +navigation and query rules. + +## Verify Rule Creation + +In order to verify the process: + +1. On the corresponding connector's overview page, in the **Resource Types** frame click on + **Jobs** > **Compute Role Model** to apply all rules. 
+ + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Review + [unauthorized accounts](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) + (on the **Resource Reconciliation** screen) and + [roles](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + (on the **Role Reconciliation** screen) to help check query rules: if there are numerous + properties to be reconciled following the same pattern, then there may be a rule that needs to be + changed. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md new file mode 100644 index 0000000000..f89a271e59 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md 
@@ -0,0 +1,122 @@ +# Create Resources + +How to define +[resource type rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +to create new (target) resources for given users, computing and provisioning their properties based +on source resources. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to create target resources and assign them to given users. We are going to +[provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) +these resources, i.e. write them to the managed system. + +The right tools for the job are resource type rules. + +The application of a resource type rule can depend on the assignment of a +[single role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +and/or user +[dimensions](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md#dimensions). + +> A resource type rule could assign a SAP account to users working in Germany, and who already have +> the role `SAP: manager access`. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------ | ------------------- | +| [Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (required) | Resource type rules | + +## Create a Resource Type Rule + +Create a resource type rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. 
+ + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Resource Types** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Resource Type Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp) + + - `Resource Type`: resource type to be automatically assigned. + - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among + suggested permissions in the permission basket of users matching the criteria during an + entitlement request, suggested assignments must be selected manually to be requested; or + `Automatic` so that the resource type is automatically assigned to users matching the + criteria; or `Automatic but with validation` so that the resource type is listed in the + permission basket of new workers, these assignments can still be modified. + - `Resource type denied`: option that forbids the assignment. + - `Offset of effective date`: time period that defines the actual effective date for resource + creation/deletion according to the value's start and/or end date. + - **Criteria**: conditions that, if met, trigger the resource creation. 
+ > Our example would look like: + > + > ![Resource Type Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a resource type rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new assignments. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity by a resource type rule, and if the user's criteria do not comply with +the new version of the rule, then the corresponding resource is automatically deleted. + +A modification in a resource type rule can trigger the removal of a resource only on the Usercube +side. There are several barriers to cross before said resource is removed from the managed system: +first before the creation of an `AssignedResourceType` in Usercube's database, and again before the +actual action in the managed system. + +> In our example, let's say that we replace the country criterion `Germany` with `France`. Consider +> a user who had a SAP account assigned through this rule. Now that the country criterion has +> changed, our user working in Germany would be deprived of their account. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in resource +type rules. 
+ +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Create a resource type rule involving an account that said user doesn't already have, based on + criteria which the selected user satisfies. +3. Trigger the computation of the role model by clicking, on the corresponding connector's overview + page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +4. See the new account in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + + If the type rule uses a single role as a criterion, and the user has said role, then both the + resource type and the role will be displayed in the user's permissions, but only if the role is + related to a + [navigation rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md). + Otherwise, only the resource type will be visible. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md new file mode 100644 index 0000000000..35daf2547c --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md 
@@ -0,0 +1,198 @@ +# Compute a Scalar Property + +How to define +[scalar rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +to compute and provision the values of scalar properties for target resources based on source +resources. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of +[scalar properties](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +for the target resources used in entitlement management, based on source resources. We are going to +[provision](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) +these properties, i.e. write them to the managed system. + +The right tools for the job are scalar rules. + +A scalar property's value can be computed by a scalar rule, based on at least one scalar property +from the source entity type, possibly writing a C# expression. + +![Schema - Scalar Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp) + +> A scalar rule could define the scalar property `displayName` of nominative AD accounts based on +> its owner's name with the expression: +> +> `return person.LastName + " " + person.FirstName;` + +The application of a scalar rule can depend on the assignment of a +[single role](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +Sometimes we create in Usercube properties which are not directly linked to any real property in the +managed system. A scalar rule on this kind of property will not find a property to provision in the +managed system, and thus will not produce any result. 
+ +For example, we may need to create in the AD the property `isUnused` (to spot unused accounts) with +a C# expression based on other properties from the same entity type. These properties, such as +`accountExpires` and `lastLogonTimestamp`, are each linked to a property from the AD, while +`isUnused` is for Usercube's use only. This scalar property `isUnused` does not exist in the AD, +thus **will never be provisioned to the AD**, and thus **will not be computed by a scalar rule**. + +Also some properties, like `lastLogonTimestamp` in the AD or identifiers from ServiceNow, must be +changed only by their application. Usercube can/must not change these properties, thus **no +provisioning rule is appropriate for them**. + +A scalar rule using a single role as criterion will trigger the creation of a target resource for +all impacted source resources (so all users), which are not yet correlated with a resource of this +resource type. + +Without a criterion, a scalar rule does not create resources, and only computes the scalar +properties of existing resources. + +## Guidelines + +### Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +> For example, consider an organization that manages email addresses according to the site with +> `.fr` for France and `.be` for Belgium. +> +> A working option could be to write an expression with a condition `if` on the site to assign the +> domain name. However, if the organization expands and needs to consider an additional country, +> then the rule requires change in the expression code. +> +> A better solution is to change the identity data model by adding a field `Domain Name` to describe +> the object `Site`, and to be used in the rule expression. 
In this case, if there is an additional +> country, then a new field is added in the data model for `Site` and `Domain Name`. Thus, the rule +> expression remains simple by using the new objects, for example +> `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +### Priority between scalar rules + +A scalar rule with a role as a criterion has a higher priority than a rule without a role criterion. + +> For example, consider the situation where we want the login `A` for users with the single role +> `RA`, and the login `B` for the others. In this case, we can write two distinct scalar rules where +> the first one has the role `RA` as a criterion. This rule will be applied before the other. + +Other than that, there should not be more than one rule meant to provision a given property on a +given time period. + +It means that: + +- several rules computing the same property with different criteria should not coexist; +- the only reason to have several rules to compute a single property is when changing the property + value over time, via + [time offsets](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------ | ------------ | +| [Categorization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md) (required) | Scalar rules | + +## Create a Scalar Rule + +Fill an entity type with a scalar rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. 
+ + ![Home - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Scalars** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create Scalar Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp) + + Once the `Resource Type` is provided, more fields appear. + + ![Scalar Rule Fields](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp) + + - **Source Object**: scalar property (or expression of scalar properties) from the source entity + type, which constitutes the input for the computation of the target object. Can be defined by + a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - **Target Object**: scalar property from the target entity type, whose value is to be impacted. + - `Offset of effective date`: time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + > For example, account activation and deactivation can be managed according to the start + > and/or end dates. 
+ + - `Applicable`: `Create & Update` to use this computation to both provision the managed system + and synchronize the property back to Usercube; `Create Only` to use this computation to only + provision the managed system and ignore this property during synchronization, this way the + property can never be displayed as non-conforming. + + > `CreateOnly` is usually set to adapt the configuration to the constraints of the managed + > system, when Usercube does not retrieve and/or update the property value. + > + > For example, consider a system, that we want to connect to Usercube (let's call it `SYST`) + > using a `title` property. Consider also that `SYST` needs to be provisioned with the value + > of `title`, but does not allow any other system to retrieve said value. + > + > In this case, we use `CreateOnly` so that Usercube sends the adequate provisioning order + > when needed, and then is able to change the + > [provisioning state](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/provisioning/index.md) + > to `Verified` without + > [synchronization](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md). + + - `Comparison type`: + [comparison type](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + between the value of the target object computed by the rule and its value from the managed + system. Non-conforming values are displayed on the **Provisioning Review** screen. + - **Criteria**: conditions that, if met, trigger the rule application. + > Our example would look like: + > + > ![Scalar Rule Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp) + +5. Click on **Create** and see a line added on the rules page. 
+ +## Impact of Modifications + +Any modification in a scalar rule is taken into account when launching the role model computation +task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > +**Compute Role Model**. + +![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a scalar rule (and its single role criterion), and if the +user's criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Usercube +side. There are several barriers to cross before said resource is removed from the managed system. + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in scalar +rules. + +## Verify Rule Creation + +In order to verify the process: + +1. On the corresponding connector's overview page, in the **Resource Types** frame click on + **Jobs** > **Compute Role Model** to apply all rules. + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. [Review unreconciled properties](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + (on the **Resource Reconciliation** screen) to help check scalar rules: if there are numerous + properties to be reconciled following the same pattern, then there may be a rule that needs to be + changed. 
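Review bot: In the "Create Resources" page added earlier in this patch (the hunk that opens with `# Create Resources`), step 2 of "Create a Resource Type Rule" tells the reader to choose the source entity type "for the future scalar rule", which looks copied from the scalar rule page; it should read "for the future resource type rule". In the same hunk, "Impact of Modifications" states that a changed criterion can automatically delete a resource that a rule created, and the Germany to France example shows a user losing their SAP account, yet the pointer to Simulations only appears at the end of the section. Consider moving the Simulations sentence up beside the deletion statement so the preview step is read before anyone edits criteria. The `Type` bullet also packs `Suggested`, `Automatic` and `Automatic but with validation` into one run-on sentence; a sub-list with one entry per value would be easier to scan.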
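Review bot: The `isUnused` paragraph in the scalar rule Overview contradicts itself: it opens with "we may need to create in the AD the property `isUnused`" and two sentences later says the property "does not exist in the AD". Since the text also says `isUnused` "is for Usercube's use only", reword the opening so it is clear the property is created on the Usercube side for AD accounts, not in the directory. Two smaller points in this hunk: the `Applicable` bullet names the option `Create Only` while the quoted explanation under it uses `CreateOnly` twice, so pick one spelling; and the guideline example under "Expression code must not contain too much data" says that for an additional country "a new field is added in the data model", which undercuts the guideline's own argument that "it is easier to change data than to change a rule". If the intent is that only a new `Site` entry with its `Domain Name` value is needed, say that.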
diff --git a/docs/usercube/6.1/usercube/user-guide/set-up/role-officer-management/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md similarity index 100% rename from docs/usercube/6.1/usercube/user-guide/set-up/role-officer-management/index.md rename to docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md new file mode 100644 index 0000000000..2c0e5fb709 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md 
@@ -0,0 +1,77 @@ +# Create a Category + +How to structure roles into +[categories](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md). + +## Overview + +A +[category](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +is usually created to: + +- reflect the validation process, i.e. represent groups of roles that follow the same validation + process with the same validator(s); +- help users find intuitively the entitlement that they are looking for. + +> For example, creating one category per application often fulfills both requirements. + +There is usually one +[validator](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md) +per category. + +There can be several category levels. For example, integrators can choose to create one category per +department, then one per position, and finally one per application. They usually gather roles by +application. Here are a few examples of categories: `AD`, `HR` , `SAP`, `IT Administration`, +`Test Environments`, etc. Some of these "application categories" are gathered into larger categories +by theme as long as their role owner is identical. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------- | ---------- | +| [Role catalog](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (optional) | Categories | + +## Create a Category + +Categories are not mandatory to create roles, but they are highly recommended to organize single +roles. + +Create a category by proceeding as follows: + +1. 
On the home page in the **Configuration** section, click on **Access Roles** to access the roles + page. + + ![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. All existing + [categories](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + are shown in the menus on the left. To create a new category, click on **+**. + + ![Add a New Category](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp) + +3. Fill in the fields. + + ![Create a Category](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp) + + - `Identifier`: must be unique among categories and without any whitespace. + - `Name`: will be displayed in the UI to identify the created category. + - `Collapsed in the role tree`: option that enables a collapsed view of the category in the role + tree. + - `Parent category`: optional link to an existing category that would contain the created + category. + +4. Click on **Create** and see the category added in the menus. + + When creating a category, you must be cautious about the associated + [validators](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md) + that are not yet defined. + +## Verify Category Creation + +In order to verify the process, check on the **Access Roles** screen that the category is created +with the right parameters. + +![Verify Category](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) 
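Review bot: The caution at the end of step 4 in "Create a Category" ("you must be cautious about the associated validators that are not yet defined") comes after the reader has already clicked **Create** and does not say what to do about it. Because the Overview states that categories represent groups of roles sharing the same validation process and validator(s), a category without a validator is worth calling out before step 1, with a sentence that tells the reader to define the validator through the linked role officer management page. Also in this hunk: there is a stray space before the comma in "`HR` ,", and the step 2 link labelled "categories" points to the role catalog index, while the Overview links the same word to the category configuration page; use one target or adjust the link text.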
diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md new file mode 100644 index 0000000000..a6d0aeda6a --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md 
@@ -0,0 +1,237 @@ +# Create Roles in the Role Catalog + +How to define +[single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +to model entitlements, and organize them in the role catalog, basis of the +[role model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +The creation of the role catalog is a time-consuming part, with an important workload concerning the +description of the internal processes for all applications. Actors here need to really understand +the useful permissions within managed applications. + +## Overview + +The aim here is to establish and create the exhaustive list of +[roles](/docs/identitymanager/6.1/identitymanager/integration-guide/role-model/index.md#roles) needed by +the organization. Roles are a way to represent entitlements which are assigned to identities, so +that said identities are able to work with the managed systems. + +![Schema - Single Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles +in the organization, hiding the technical complexity of entitlements behind the business vision of +user-friendly names and categories, in order to: + +- assign roles to users, by + [requesting them manually](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/manual-assignment-request/index.md), + or using + [rules that assign roles automatically](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + based on users' attributes; +- simplify the implementation of Segregation of Duties (SoD); +- simplify the implementation and execution of access certification campaigns. 
+ +Roles are not chosen at random as they must correspond to the way entitlements were modeled during +[connector modeling](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). + +### Technical Principles + +Usercube's roles are all built the same way. Technically speaking: + +- a role is part of a policy which is a subgroup of the role model. + [Read more about the concept of role model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + + > Let's take the example of the unlimited Internet access, part of the default policy. + +- a role is created to be owned by users represented by a given entity type; + + > We choose users from `Directory_User`. + +- roles need to be structured so + [categories](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + are created to: + + - represent groups of roles that follow the same validation process with the same validator(s); + - help users find intuitively the entitlement that they are looking for. + + NETWRIX recommends creating one category per application, as this method often fulfills both + requirements. + + Then single roles can be grouped together through + [composite roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) + for applicative purposes, allowing users to be assigned several entitlements simultaneously. + Leave composite roles for later, when the system runs as is and would benefit from an additional + layer in the + [role model](/docs/identitymanager/6.1/identitymanager/introduction-guide/overview/entitlement-management/index.md). + + > This role is part of the previously created `Internet` category. 
+ +- a role is created with a given approval workflow according to the entitlement's sensitivity; + + ![Schema - Approval Workflow](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp) + + > We choose to require one manual validation from a knowledgeable user before the Internet role + > is assigned to a user. + +- to be effective, roles must be linked to actual entitlements in the managed systems. Technically + speaking, this means that for each entitlement that you want to assign through a given role, you + must create a + [navigation rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + to build said link. A navigation rule is specific to one + [resource type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/index.md). + + ![Schema - Single Role with Navigation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp) + + > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation + > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for + > all users having the role. + + This part is about + [single roles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), + dealing with entitlements one-to-one. The idea is to associate one single role with one + fine-grained entitlement. + + ![Schema - Roles and Identities](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp) + + > For example, an accountant needs read access to the accounting software, a project manager to + > their billable hours for their projects on SAP, etc. 
+ + When roles are well-defined, one entitlement request must lead to the direct functional + entitlement assignment. No more, no less. + +## Strategy for Role Creation + +### Role structuring + +Functionally speaking, the main benefit of roles is to give entitlements user-friendly names, easily +understandable by managers. And to be understandable, roles must be structured. + +The strategy for role creation and structuring varies according to the +[model established](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) +for a given system. Here, we will take as example the common use-case that organizes and categorizes +roles by application. Then, the strategy varies whether the system hosts a single application (like +SAB or SAP) or several (like the AD or LDAP). + +In any case, role creation and maintenance are made easier by entitlements' naming conventions. +Thus, no matter the kind of system that you are working with, if the system uses no naming +conventions, then you should start by creating some. They will be the basis for role structure in +Usercube, and will really simplify role creation. + +#### One system for one application + +A common and intuitive case is when a system is simply one application. Then, integrators can create +one role per entitlement in said application, and one category for the application. + +> The SAP application is about entitlements only for itself. Then, we create a single role per +> entitlement in SAP inside a category called `SAP`: +> +> ![Roles Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp) + +#### One system hosting several applications with existing naming conventions + +If a given system is used to manage entitlements for several applications, then building categories +becomes more complicated. 
+ +> For example, the Active Directory usually hosts many groups used to manage entitlements in several +> distinct applications. +> +> ![AD Groups](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp) + +The goal here is to find a way to clarify the link between each entitlement and the corresponding +application. + +If the system uses naming conventions for entitlements, then it is possible to deduce the +application it corresponds to, from the entitlements' names. + +> For example, a group is called `SG_APP_banking/digital/haumea/reader` in the AD. The membership to +> this group gives an entitlement. Knowing the organization, integrators understand that this +> entitlement is about the department `banking`, the position `digital`, the application `haumea` +> and the access right `reader`. + +Roles can be created accordingly, with one role per entitlement and a category per application. + +#### One system hosting several applications without existing naming conventions + +However, in the case of a connector for several applications, sometimes no information can be +deduced from the entitlements' names. It is still necessary to find a way to clarify the link +between each entitlement and the corresponding application. + +Then, the solution is to add information inside the managed system, creating a specific field or +filling an empty field. + +> For example in the Active Directory, integrators can modify the field called `description` to +> specify the application name (such as Outlook in this example). +> +> ![Appropriated Field](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp) + +Thus, the needed information is added to the managed system. 
After the execution of synchronization, +said data is accessible inside Usercube database and can be used as a naming convention. + +In some cases, integrators are not allowed to create/modify fields in the external systems. Then, +the information can be added on Usercube side only. As the new field doesn't exist in the external +systems, it can't be overwritten. + +### Automation of role creation + +The UI provides tools to create single roles +[manually](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md), +working top-down from abstraction (role name) to the technical aspects (navigation rule and +technical entitlement). Most projects use thousands of single roles, which makes role creation a +long, tedious and repetitive process. + +![Schema - Role Creation Top-Down](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp) + +Roles can also be created bottom-up via +[role naming rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md). +Instead of the previous process, you can use the name of said entitlement in your managed system to +create automatically the corresponding single role and rule (and category if it does not already +exist). In other words, Usercube's naming rules are to be based on your existing naming conventions +for entitlements. + +![Schema - Role Creation Top-Down](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp) + +One naming rule can generate many roles, so a few automatic rules can easily and faster create the +single role catalog. Naming rules prove particularly useful when you need to add multiple new +permissions in your external system. 
You won't have to create manually the corresponding categories, +roles and rules as long as said permissions are created with properties matching the conditions from +the rules. + +NETWRIX recommends starting the role catalog with as many naming rules as possible before creating +roles manually. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| [Connector's data model](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) [Provisioning Rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [Classification](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) (required) | Single role catalog | + +## Create the Single Role Catalog + +Create the single role catalog by proceeding as follows: + +1. Create as many single roles as possible (with their navigation rules and categories) via + [role naming rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md). +2. 
Complete the role catalog if needed by creating manually additional + [categories](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + and + [single roles with their navigation rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md). +3. Add + [composite roles](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/composite-role-creation/index.md) + to the single role catalog only if the project is mature enough. Composite roles are more complex + than single roles and they are not mandatory. + +## Impact of Modifications + +[Simulations](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/simulation/index.md) are +available in order to anticipate the changes induced by a creation/modification/deletion in roles +and navigation rules. + +## Next Steps + +Once the role catalog is established, integrators can start +[role officer management](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + +The role catalog is also a prerequisite for +[risk management](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/risk-management/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md new file mode 100644 index 0000000000..44736d1084 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md 
@@ -0,0 +1,170 @@ +# Create a Role Manually + +How to create single roles manually. + +## Overview + +A +[single role](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +is a way to represent an entitlement that is to be assigned to an identity. It brings a layer of +abstraction through a user-friendly name, close to the business view. + +To be effective, roles must be linked to actual entitlements in the managed systems. Within +Usercube, an entitlement assigned to an identity is in fact represented by the value of a given +[navigation property](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md), +in a resource owned by said identity. Thus, each role is linked to one +[navigation rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +per entitlement. + +> For example, imagine that we want to grant unlimited Internet access to the administrator profile +> of an identity. This entitlement won't be assigned directly to the identity but to its AD +> administration account. In our Active Directory, there is a resource called +> `DL-INTERNET-Restricted` identified from among AD entries as a group. So we need to add this group +> membership to the properties of the identity's AD account, using `DL-INTERNET-Restricted` as a +> value of the `memberOf` property. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. 
+ +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------- | ------------ | +| [Classification](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/categorization/classification/index.md) (required) | Single roles | + +## Create a Single Role + +Create a single role by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles + page. + + ![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. On the roles page, click on the adequate category and create a role by clicking on **+ New** at + the top right corner. +3. Fill in the fields. + + ![Create a Single Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createsinglerole_v602.webp) + + - `Identifier`: must be unique among roles and without any whitespace. + - `Name`: will be displayed in the UI to identify the created single role. + - `Tags`: label(s) that can later be used to filter the target roles of + [access certification campaigns](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md). + + NETWRIX recommends using role tags when you want to perform an access certification on a set + of roles that are from several categories. + + - `Category`: category which is to contain the created role. + - `Secondary Categories`: other potential categories which are to contain the created role. + - `Approval Workflow`: represents the number of validations required to assign the created role. + - `Approve Role Implicitly`: needs at least simple approval workflow. 
`Implicit` mode bypasses + the approval step(s) if the person who makes the role request is also the + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + `Explicit` refuses said bypass. `Inherited` follows the + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + decision to approve roles implicitly or not. + - `Allow Manual Assignment`: allows the role to be requested manually. + + Set to `No`, the role can be assigned only via automatic rules. Therefore, the associated + [single role rules](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + cannot have their `Type` set to `Suggested`. + + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Maximum Duration`: duration (in minutes) after which the role will be automatically revoked, + if no earlier end date is specified. + + The maximum duration impacts only the roles which are manually assigned after the maximum + duration is set. Pre-assigned roles are not impacted. + + - If no duration is set on the role, the maximum duration of the associated policy is + applied. + - If the duration is set to 0 on the role, it prevents the associated policy from applying + its maximum duration to it. + + - `Grace Period`: duration (in minutes) for which a lost automatic single role is prolonged. A + review will be required to validate or decline the entitlement prolongation. Inferred + entitlements won't be lost unless the end of the grace period is reached or the prolongation + is declined. + + The grace period is only applied if the loss of the entitlement is due to a change in the + rules, i.e. rule deletion or criteria changes. 
+ + If the grace period is not defined, the value is inherited from the policy. + +4. Click on **Create** and see a line added on the roles page. +5. Create at least one navigation rule with the single role as a criterion. + +## Create a Navigation Rule + +Navigation rules aim to assign given resources to identities based on specific criteria. A +navigation rule sets the value of the navigation property on a specific resource, if a given +condition is met. It is linked to a parent resource type that sets the target entity type. One rule +creates one navigation. + +Create a navigation rule by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Access Rules** to access the rules + page. + + ![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the entity type to which the future navigation rule + will be applied. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Navigations** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Navigation Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + + - `Join`: target property whose value is impacted by the created rule. + - `Resource`: value to be set on the JOIN. + - `Navigation denied`: option that forbids the resource assignment. + - `Offset of effective date`: time period that defines the actual effective date according to + the value's start and/or end date. 
An offset of effective date can be useful for some + attributes. For example, account activation and deactivation can be managed according to the + start and/or end dates. + - **Criteria**: conditions that, if met, trigger the created navigation. + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +When deleting a single role, caution must be used when deleting the corresponding navigation rules. +Indeed, these rules thus lose their criteria and may be applied to far too many people after that. + +## Verify Single Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select single roles and find the role you created inside the right category and with the right +parameters. + +![Access Single Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select navigation rules and find the rule(s) you created with the right parameters. 
+ +![Access Navigation Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md new file mode 100644 index 0000000000..07a6a12354 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md 
@@ -0,0 +1,176 @@ +# Create Roles in Bulk + +How to create +[role naming rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md), +which create single roles using existing naming conventions from the managed system. + +## Overview + +A +[role naming rule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +automatically creates single roles and the corresponding navigation rules based on the name of the +corresponding entitlements in the managed system. + +Role naming rules replace the tedious process of manual role creation. Instead of creating roles +individually with their navigation rules, you can use role naming rules to generate roles in bulk +and thus faster create the single role catalog. + +> For example, consider a naming convention in our organization that states that AD groups have +> their cn: `SG_APP_`. Then, we can create a naming rule that indicates that for +> all AD groups starting with `SG_APP_`, we create a role that gives the adequate user the +> corresponding group membership, with `` as a name. For example, we have the +> application Contoso and the group `SG_APP_Contoso`. + +Roles created via role naming rules can still be modified later in the UI, if needed. + +A role naming rule, for a given resource type, creates roles and rules only for resources which are +not yet linked to a role, nor a navigation rule of this resource type. This implies that: + +- role naming rules do not overwrite manual changes; +- role naming rules cannot link more than one resource (so one entitlement) to one role. + +If a role naming rule is supposed to create a role that already exists, then a corresponding +navigation rule is created only if the existing role has the same policy and category as specified +in the role naming rule. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | +| [Provisioning Rules](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) | Role naming rule Single roles Navigation rules Categories | + +## Create a Role Naming Rule + +Create a role naming rule by proceeding as follows: + +1. On the home page, click on **Access Rules** in the **Configuration** section. + + ![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will + be applied. + + ![Entity Type Choice](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Naming Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp) + + - `Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) + in which the rule exists. 
+ - `Property`: navigation property which will define the actual entitlement in the future + [navigation rule](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md). + - `Identifier`: must be unique among rules and without any whitespace. + - **+ New Rule**: a naming rule is based on the union of + [rules](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md), + themselves based on the intersection of + [rule items](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md). + A rule item specifies one of the conditions that will trigger the enforcement of the naming + rule. + - `Where Expression`: C# expression returning a boolean to condition the application of the + rule. + [See a full example](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md). + + NETWRIX recommends using this option only when the options available in the rule items do + not suffice. + + - **Single Role**: + [single role(s)](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + to be created. + + - `Identifier`: must be unique among roles and without any whitespace. If the defined + identifier is already used, then neither the role nor the rule is created. Can be defined + by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) + (mandatory). + - `Name`: will be displayed in the UI to identify the future single role. Can be defined by + a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). 
+ + - **Category**: + [category](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + for the future role(s). + + - `Identifier`: either matches an existing category and selects it, or doesn't match and + therefore a new category is created. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Name`: will be displayed in the UI to identify the category. Ignored if the `Identifier` + attribute matches an existing category's identifier. Can be defined by a property path + and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - ` Parent Identifier`: for a potential parent category. Must match an existing category's + identifier. Can be defined by a property path and/or an + [expression](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Default Category`: category for the future role(s) if the category's `Identifier` + attribute isn't filled in or doesn't compute. + + - `Role Policy`: + [policy](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) + in which the future roles exist. + - `Approval Workflow`: represents the number of validations required to assign the future + role(s). + - `Approve Role Implicitly`: needs at least a simple approval workflow. `Implicit` mode bypasses + the approval step(s) if the person who issues the role request is also the + [role officer](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/role-officer-management/index.md). + `Explicit` refuses said bypass. `Inherited` follows the + [policy](/docs/identitymanager/6.1/identitymanager/user-guide/optimize/policy-creation/index.md) + decision to approve roles implicitly or not. 
+ - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Comment Management on Permission Review`: to change if different from the role policy. + > Our example would look like: + > + > ![Example - Naming Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +As naming rules are applied only to resources that aren't already linked to a role or a navigation +rule, neither deletion nor modification in a naming rule can affect the previously created roles and +rules. + +## Verify Naming Convention + +In order to verify the process: + +1. to take the changes into account, on the appropriate connector's overview page click on + **Jobs** > **Apply Naming Conventions**; + + ![Resource Type Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. check that the correct roles and rules were created. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select single roles and find the role(s) you created inside the right category and with the right +parameters. 
+ +![Access Single Roles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Role](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select navigation rules and find the rule(s) you created with the right parameters. + +![Access Navigation Rules](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Rule](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md new file mode 100644 index 0000000000..a1cf0d441d --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/synchronization/index.md 
@@ -0,0 +1,281 @@ +# Synchronize Data + +How to launch data synchronization, i.e. read managed systems' data and load it into Usercube. + +## Overview + +Data synchronization is a data flow from the managed systems into Usercube. + +### Process + +A [connector](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md)'s +main purpose is to read and export the data +[previously mapped with entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +in order to synchronize it with Usercube. Connectors provide tools to perform a basic extraction of +the system's data in the form of CSV/XLSX files. These files are cleansed and loaded into Usercube. +Synchronization is a three-step ETL process going through export, synchronization preparation and +the synchronization itself. + +![Synchronization Schema](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp) + +#### Export + +The +[`Export` task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) +creates extractions, a snapshot of the managed system's data, used to insert and/or refresh the data +that is inside Usercube. Extractions are accessible when there is at least one connection with an +export-enabled +[package](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/index.md). +Extracted data becomes meaningful when it is loaded into resources as specified by the +[entity type](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +structure. + +Exported data is stored inside CSV files in the folder `/{InstallationFolder}/Temp/ExportOutput`. 
+ +#### Prepare synchronization + +The +[`Prepare Synchronization` task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +performs a preparatory data cleansing to spot errors and list them in a generated file in the +`/{InstallationFolder}/Work/Synchronization` folder. + +> For example, this task spots an identity if it is linked to an organization code which doesn't +> exist. + +#### Synchronize + +The +[`Synchronize` task](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) +loads data into Usercube's database. + +[**Read more about the synchronization process**](/docs/identitymanager/6.1/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +### Prerequisites + +#### Extracted data must have keys + +Every extracted resource must have an attribute that serves as a primary key so that Usercube can +uniquely identify the resource to be added/updated/deleted during synchronization. You must have +defined keys during +[entity type creation](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +#### Extractions must not be modified before synchronization + +Extractions must not be modified manually, for it may induce synchronization issues. + +> For example, saving an XLSX file implies an automatic modification of format. + +Also, synchronization must not be disturbed by a change in the source format, such as the deletion +of a column in the middle of the file. + +#### **Thresholds must never be deactivated** + +Thresholds are essential safety guards that control all changes, for example preventing the +overwriting of important data by mistake. Thresholds are by default activated to warn users when +synchronization or provisioning triggers too many modifications. 
If the number of modifications +exceeds the specified threshold, Usercube stops the synchronization and displays a warning +_"Threshold Exceeded"_ on the log page described below. + +Once the changes have been reviewed, the blocked job can be resumed (or not). + +Thresholds are configured with default values using the following +[`Connector` attributes](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md): + +- `MaximumDeletedLines`, `MaximumInsertedLines` and `MaximumUpdatedLines` for scalar properties; +- `MaxPercentageDeletedLines`, `MaxPercentageInsertedLines` and `MaxPercentageUpdatedLines` for + scalar properties by percentage; +- `MaximumLinkDeletedLines`, `MaximumLinkInsertedLines` and `MaximumLinkUpdatedLines` for navigation + properties; +- `MaxLinkPercentageDeletedLines`, `MaxLinkPercentageInsertedLines` and + `MaxLinkPercentageUpdatedLines` for navigation properties by percentage. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to perform synchronization. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| [Connector with its entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md) (required) | Synchronized data | + +## Launch Synchronization + +Launch synchronization for a given managed system by proceeding as follows: + +1. Access the list of connectors by clicking on **Connectors** on the home page in the + **Configuration** section. + + ![Home - Connectors](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**. + + Here are all the tasks available for synchronization. 
They synchronize all connections and + entity types for only this connector. It is possible to launch them individually in order to + test them and debug a situation, or all together with **All Tasks**. According to the created + [connection(s) and package(s)](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md), + all these tasks can be launched either in + [incremental or complete](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) + mode. + + ![Synchronize Job](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + + - `Update Expressions`: computes the expressions used in the entity type mapping. + - `All Tasks`: launches all previous tasks in a row. + + Notice that some connectors, depending on their connections and packages, can't be synchronized + in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a + choice between `Complete` and `Incremental`. See below this note. + + ![Synchronize Job (Only Complete)](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp) + +## Manage Synchronization Automation + +Export and synchronization are executed manually from the connector screens. 
By default, they are +also part of scheduled +[jobs](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/jobs/index.md) provided by +Usercube: + +- the + [complete job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) + is scheduled to launch a synchronization once a day of all resources, modified or not; +- the + [incremental job](/docs/identitymanager/6.1/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) + is scheduled to launch a synchronization several times a day only of the resources modified since + the last synchronization. + +Scheduling the jobs avoids manually triggering them everyday. + +However, you can choose to withdraw a given connector from both the complete and incremental jobs by +clicking on **Deactivate** on the connector's dashboard. This is particularly useful when modifying +a connector. You can also re-insert it at any time with the same button which is now named +**Activate**. + +![Jobs Results Dashboard](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +You can fine-tune the synchronization and/or provisioning of the connector by clicking on the +**Edit** button. + +![Edit button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp) + +Click on **Job Results** to access the progress of this connector's jobs. + +All jobs are accessible on the **Job Execution** page in the **Administration** section. + +![Home - Job Execution](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify an Entity Type's Synchronization + +In order to verify both the synchronization configuration and +[entity types](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md): + +1. Launch synchronization. +2. 
Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. + + ![Jobs Results](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +4. Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the eye icon: + + ![Eye Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should first look for configuration validation, and only later validation of the actual data + being synchronized. + + > For example, let's say we created a connector for SAB that contains two entity types called + > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left. + > + > ![SAB Example - Home Page](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp) + > + > Clicking on `SAB - Users` displays the list of all synchronized resources. + > + > ![SAB Example - Data List](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp) + > + > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`: + > + > ![SAB Example - Resource Attributes](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp) + > + > Clicking on any eye icon displays the corresponding resource. 
SAB was created here with a + > simple + > [user-group schema](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + > that links n users to n groups. So here, we can check these links by navigating from a given + > user to one of their groups, to one of said group's users, to one of said user's groups, etc. + +## Troubleshooting + +Make sure you followed the prerequisite guidelines for synchronization. + +Keep in mind that a problem observed in synchronized data might also come from a mistake made +previously in the +[connector's configuration](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). +Therefore, logs can give more details. Logs are accessible from the **Job Results** button on the +dashboard of a given connector. + +Don't hesitate to launch synchronization-related tasks individually and observe the corresponding +logs in order to debug a situation. + +#### If the connector and/or entity type doesn't appear in the menu items, then� + +![Test Entity Type](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +Access the relevant connector's page and click on the +[**Reload**](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +button to take into account the last changes in the entity type mappings. + +#### If a newly added property doesn't appear in users' data, then� + +Access the relevant connector's page to click on the +[**Reload**](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) +button to take into account the most recent changes in the entity type mappings. 
+ +#### If a synchronization is blocked by an exceeded threshold, then� + +![Threshold warning](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp) + +Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows: + +1. On the logs page (accessible from the **Job Results** button), click on the line of a task + instance to see its logs. +2. Study synchronization counters and the list of all synchronization changes. These tools help you + make a decision about whether to bypass synchronization thresholds. + + ![Job progress](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp) + + In most cases, the first synchronization exceeds thresholds because no data exists in Usercube + yet. Thus, a high quantity of modifications is expected and the synchronization is to be + resumed. + + Numerous modifications can also be triggered by: + + - a change in date format; + - the input of blank files by mistake, because it would overwrite and erase all existing data; + - a swap of two headers in an input file. + +3. If, after verifying, all changes are legitimate, click on the **Resume** button at the top of the + job progress page. This will restart the job and allow the changes to be synchronized. + + Be cautious, check twice for mistakes before resuming. + + ![Resumed Job](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp) + +#### If an export doesn't complete, then� + +- Check the connection's settings. +- If you manually typed the source column of a property in the entity types, then make sure that the + source column exists in the corresponding managed system. 
+ + ![Source Column](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp) + +#### If a given property from users' data is displayed in an unexpected way, then� + +Check the format of both the application metadata and the external system. + +![Property Format](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp) + +> For example, if you find that a given date doesn't comply with what you set, then maybe the format +> in the External System section wasn't correctly selected, thus inducing a conversion error during +> the export computation. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md new file mode 100644 index 0000000000..bf171cb483 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md 
@@ -0,0 +1,130 @@ +# Assign Users a Profile + +How to assign Usercube's access permissions to users through profiles. + +## Overview + +All the permissions to access items in Usercube, and to perform given actions, are managed by +assigning profiles to users and permissions to profiles. See the +[ AssignedProfile ](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +and +[ References: Permissions ](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md) +topics for additional information. + +![Schema - Profile Assignment](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +For example, the access to the list of users with their personal data is usually restricted to HR +people, and the possibility to modify personal data restricted to HR managers. + +We define here a permission as an entitlement within Usercube. See the +[ Configure a User Profile ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) +topic for additional information. + +Users are assigned profiles according to the permissions they need to work, at least one profile per +user. A user without a profile cannot access the application. Experience shows that most users have +one profile, sometimes two, and rare case have maximum three, or more. + +The goal here is to link users to basic profiles. + +The right time to assign profiles to users is just before they need it, so it depends on the +deployment strategy. +For example, we connected a given application and now we want to list orphaned accounts. Then we +need to assign a role officer. + +The priority is often about resource managers who will review orphaned and unused accounts. + +## Participants and Artifacts + +Integrators must have the knowledge of who must be able to access what within Usercube. 
+ +| Input | Output | +| ------------------------------ | ----------------- | +| Configured profiles (required) | Assigned profiles | + +See the +[ Configure a User Profile ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) +topic for additional information. + +## Assign a Profile to an Account + +In the following section you will read about how to assign a profile to an account. + +Manual assignment + +Assign manually a profile to a user by proceeding as follows: + +![Home Page - Assigned Profiles](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +**Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** +section. + +![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +**Step 2 –** Click on the addition button at the top right corner. + +![New Profile](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp) + +**Step 3 –** Fill in the fields. + +- **Profile**: Profile chosen from among existing profiles. +- **Resource**: Identity chosen from among entries to be assigned said profile. +- **Profile's Email**: Email created in order to receive the corresponding approval requests. +- **Deny this Profile**: Option that forbids the profile assignment instead of applying it. +- **Start Date** and **End Date**: Particularly useful for profile delegation. + +**NOTE:** If filters are defined in the Access Rules, and are assigned to the profile, a +**Criteria** section will appear containing them. Filters are conditions that, if met, trigger the +Access Control Rule Application. 
+The only filters which can be displayed in this section are filters related to dimensions or hard +coded criteria (Single Role, Composite Role, Resource Type and Category). +The filters are defined in the XML configuration on the access control rules. The criteria displayed +are a fusion of the filters of all the rules associated with the profile. See the +[AccessControlRule](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +Automatic assignment + +The largest profiles with the most basic permissions (like a simple access to the application) +concern many identities and are low-privileged. Thus integrators can set up profile assignment rules +through the XML configuration in order to assign profiles automatically, based on accounts' resource +type and potentially specific criteria. See the +[ProfileRuleContext](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topic for additional information. + +![Launch Button](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp) + +Click on **Launch** to apply these profile rules. + +**NOTE:** Profile rules can also be applied through the same button on the **Profiles** page, by +clicking on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the +left menu. + +## Delegate a Profile + +Sometimes, users need to lend their entitlements, while on leave for example. In this case, it is +interesting to create new profiles, identical to the initial ones but without the right to delegate +the corresponding entitlements. + +For example, let us consider the Manager profile which we appointed as request validator per +department. 
In order to ensure the presence of all validators at all times, we choose to create a +Assistant Manager profile which is to be assigned occasionally to another user by a manager. A user +with the Assistant Manager profile will receive exactly the same entitlements as someone with the +Manager profile, except for the ability to assign the Assistant Manager to another user. + +Thus no workflow in Usercube can be blocked by the absence of the workflow's actors, and security is +ensured by preventing unwanted entitlement delegation. + +## Verify Profile Configuration and Assignment + +In order to verify both profile configuration and assignment, check that a sample of users can +effectively perform the actions allowed by their profiles. See the +[ Configure a User Profile ](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md) +topic for additional information. + +A functioning and well-assigned profile must not trigger 403 errors in the server logs, nor in the +UI in the form of a red notification at the bottom right corner of the application. This kind of +error appears if an entitlement is incomplete, i.e. giving access to a button but not to the page +said button leads to. + +For example, you can check whether an ordinary user can access another user's personal data from the +**Directory** tile. diff --git a/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md new file mode 100644 index 0000000000..9664915957 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-configuration/index.md 
@@ -0,0 +1,117 @@ +# Configure a User Profile + +How to tweak the +[permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md) +for actions within Usercube, for a set of basic +[profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md). + +## Overview + +All the permissions for accessing items and performing actions in Usercube are managed by assigning +[profiles](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +to users and +[permissions](/docs/identitymanager/6.1/identitymanager/integration-guide/profiles-permissions/permissions/index.md) +to profiles. + +![Schema - Profile Assignment](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +> For example, access to user lists with personal data is usually restricted to HR staff, and the +> modification of personal data would be restricted to HR managers. + +We define here a permission as an entitlement within Usercube. + +Permissions can be about: + +- administration, which gives access to + [administration](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/index.md) actions, + accessible in the **Administration** section on the home page; +- directory, which gives access to users' data (with several available levels of access), and also + any other data accessible in the **Directory** section on the home page; +- workflows, which gives access to actions for users' lifecycle (onboarding-movement-offboarding), + through the workflows provided by Usercube within the **Directory** pages; +- reports, which gives access to Usercube's + [predefined reports](/docs/identitymanager/6.1/identitymanager/user-guide/administrate/reporting/index.md) + about workforce. 
+- notifications, which enables notification reception when specific workflows are launched. + +NETWRIX recommends creating and using the following profiles: + +- `Administrator` for requesting entitlements, performing potential additional role reviews, and + updating user data, the role model and the settings; +- `Helpdesk` for requesting entitlements and updating user data only, not for updating the role + model or other settings; +- `HR` for managing internal users, i.e. creating, updating and deleting them; +- `Manager` for requesting their teams' entitlements and managing their external users, like + contractors; +- `RoleOfficer` for reviewing and approving roles; +- `User` for basic viewing of user and organizational information. + +A user can have up to 10 assigned profiles. + +The goal here is to create profiles and link specific permissions to the profiles, in order to build +a set of typical profiles that will later be +[assigned to power users](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md). +Instead of assigning permissions one by one to users, you will assign them sets of permissions (i.e. +profiles). + +### Responsibility scopes + +Each permission can be assigned a responsibility scope, which represents the scope of action of +users with said permission. + +> For example, managers can be assigned the `View Requests` and `Manage Accounts` permissions, but +> only for the teams in which they have the manager title. In this case they will handle the +> entitlement requests within the team they manage, having their scope of responsibility defined as +> their team. It means that the manager cannot see or do anything outside the identities included in +> their team. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the IGA project. 
+ +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------- | ------------- | +| [Identity repository](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) | User profiles | + +## Configure a User Profile + +Configure a user profile by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **General** > + **Profiles** in the left menu. + + ![Home - Configuration](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. Check whether the profile to configure is part of the provided list. If not, create it by + clicking on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Profile](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp) + + - `Identifier`: must be unique among profiles and without any whitespace. + - `Name`: will be displayed in the UI to identify the profile. + + Click on **Create**. + +3. Access the page for profile configuration by clicking on **Workforce** > **Profiles & + Permissions** in the left menu. +4. Follow Usercube's instructions for assigning permissions to the profile by clicking on the + appropriate permissions, one by one, selecting if needed their responsibility scope. + + ![Profile Configuration Example](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp) + +5. Click on **Save** at the top of the page. 
+ + ![Save Icon](/img/versioned_docs/identitymanager_6.1/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Profile Configuration + +Before you can see the profile in action, it needs to be assigned to a user. + +[See these instructions for assigning profiles to users](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/user-profile-assignment/index.md). + +## Next Steps + +Once user profiles are configured, integrators can start +[configuring onboarding workflows](/docs/identitymanager/6.1/identitymanager/user-guide/set-up/connect-system/index.md). diff --git a/docs/identitymanager/6.1/identitymanager/whatsnew/index.md b/docs/identitymanager/6.1/identitymanager/whatsnew/index.md new file mode 100644 index 0000000000..5d8348e477 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/whatsnew/index.md 
@@ -0,0 +1,39 @@ +# What's New + +## New Netwrix Community! + +All Netwrix product announcements and bug fix lists have moved to the new Netwrix Community. See +announcements for Netwrix Usercube in the +[Usercube](https://community.netwrix.com/c/identitymanager/announcements/150) area of our new community. + +The following information highlights the new and enhanced features introduced in this Netwrix +Usercube version. + +## Netwrix Usercube v6.1 Released 8-Apr-2024 + +Major Highlights + +- New bulk features are available for the administration screens listed below. To use, filter to + select the desired elements, click on the new **Bulk** button, and choose from the presented + options. + - Provisioning Review, in the case of errored provisioning orders + - Role Review + - Resource Reconciliation + - Manual Provisioning +- The technical base has been upgraded and will last for the next few years. Concretely, the Runtime + and the Agent prerequisites have changed: the .NET 8.0 runtime is now required instead of dotnet + 6.0. + +- Access Control and Workflows + - On workflows the "Save" button label has been changed to "Save Draft". +- Certifications and Risks + - Certification campaign targets are now more clearly described on the campaign summary screen. +- Logs / Performance / Security + - Improved error messages. + +Other Enhancements + +- The Usercube-Manage-History.exe now handles large databases when the `purge-before-date` and the + `purge-before-months` parameters are used. +- For the SaaS environment, certain restrictions for the quantity of sent emails have been put into + place. diff --git a/docs/identitymanager/6.1/identitymanager/whatsnew/olderversions/index.md b/docs/identitymanager/6.1/identitymanager/whatsnew/olderversions/index.md new file mode 100644 index 0000000000..85d21cfd57 --- /dev/null +++ b/docs/identitymanager/6.1/identitymanager/whatsnew/olderversions/index.md 
@@ -0,0 +1,3835 @@ +# Usercube v5.x Release Notes + +## Version 5.2.3.19 + +Release date 10-Oct-2022 + +#### Enhancements + +- Connectors and Integrations + - New option to specify the filter column by EntityType in Cyberark/SCIM to mitigate export + errors due to extraction limits. + +#### Fixed Bugs + +- Jobs and Policy + - For security, when assigned resource types are canceled due to inconsistent data, they are now + blocked despite the block provisioning attribute being set to false. + - The naming conventions task no longer fails with an "EMPTY" error message when a naming rule + uses only indirect properties of the mapped group (instead of direct properties). +- Logs / Performance / Security + - The database history will no longer grow indefinitely when there are navigation rules + targeting deleted groups/profiles. Previously, the history was increased after each role model + evaluation. +- UI / UX + - Enhanced performance when displaying the Workflow Overview page. +- Other + - The custom links feature now allows the targeting of a URI outside the Usercube application + not only from the dashboard, but also from the left menu. + +## Version 5.2.3.17 + +Release date 27-Sep-2022 + +#### Fixed Bugs: + +- Access Control and Workflows + - Unauthorized errors will no longer occur in specific cases where certain dependent data is + modified in a workflow. + - When using Usercube's Workflow connector for an HR synchronization, error messages are now + stored in the database as well as in the log files. + - In addition, the workflow connector's package could handle only provisioning orders for + identities with multiple records. Now, the connector also works for identities without + records.  NOTE: The agent needs to be upgraded to benefit from this correction. +- Connectors and Integrations + - For a SCIM/Salesforce connector, under certain conditions permissions were deleted and created + at each synchronization.  This has been corrected. 
+ - New option to specify the filter column by EntityType in Cyberark/SCIM to mitigate export + errors due to extraction limits. +- Jobs and Policy + - New hierarchical dimensions are now immediately calculated without needing to restart the + Usercube server. + - Resources could be correlated using rules from other types. Now, the correlations are computed + using only the rules of the expected resource type. +- Logs / Performance / Security + - Improved role query performance when filtering by category (on the Access Roles screen and in + the catalog of the role permission basket). +- Other + - Is it now possible to use `--product-translations` to import product translation files when + deploying the configuration to the SaaS environment. + +## Version 5.2.3.16 + +Release date 12-Sep-2022 + +#### Enhancements: + +- Connectors and Integrations + - Some systems using the LDAP protocol require some attributes for creation and/or update + requests. If these attributes are not synchronized in Usercube, they cannot be provided by + scalar rules or navigation rules. Now, these attributes can be given as arguments in the + provisioning order, using the ResourceType's ArgumentsExpression. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md). + - For the PowerBI integration, a new configuration parameter permits choosing between showing + the identifier or the display name for columns in PowerBI. After the changing the parameter + and deploying the configuration, the PowerBI cache must be fully emptied. +- Jobs and Policy + - The configuration deployment tool now throws an error if two different tasks use the same + identifier. (To add the same task to more than one job the `step` tag can be used.) +- Logs / Performance / Security + - More coherence checks are made when importing with the configuration deployment tool. + - The server now gives more detailed information about PowerBI errors. 
+- Other + - When the server is launched, the database is now upgraded to the latest version. +- UI / UX + - A new custom menu link feature has been added. It enables the configuration of custom links + that let the user navigate to a custom static HTML pages. At this time, only two custom link + settings can be configured. Two examples have been added to the Usercube demo configuration + with URLs : /LegalNotice & /TermsService. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md) + for more information. + +#### Fixed Bugs: + +- Access Control and Workflows + - The deploy configuration tool now correctly reads languages 9 to 16 for email notification + templates. + - Notification emails are no longer sent multiple times to the same group and/or generic email + address. +- Jobs and Policy + - Corrected an issue where, occasionally, the first user that opens the permission basket after + a server restart could get a runtime error. + - Corrected an issue where manual assignments were lost when updating owner information. + - Assigned resource types are no longer canceled when the resource type grouping parameters are + changed (P0, etc.). + - All group memberships are now retrieved when using an Active Directory connection. Previously, + restored objects (that had been previously deleted) were excluded. +- Logs / Performance / Security + - Performance issues have been corrected when using the View History feature for an identity. +- Other + - The option `--product-translation` has been fixed, allowing the export of the product + translations. +- UI / UX + - Top menu bar links now refresh correctly when a list, without default value for the top menu + bar, is opened. + - Column headers on generic list pages are now displayed in the correct language. + - Search bar filters now properly take into account the `AddedMinutes` for date values. 
+ +## Version 5.2.3.12 + +Release date 28-Jul-2022 + +#### Enhancements: + +- Access Control and Workflows + - For homonym filters, bindings from different entity types can now be used. For example, it is + possible to verify that a new user does not an already exist as employee **or** a guest. +- Connectors and Integrations + - Fulfill capabilities have been added to the EasyVista connector: employees can be created, + updated and archived (to the extent allowed by the EasyVista API). + - The SCIM connector, when used with Salesforce, was limited to 2000 users. It is now able to + export all users. + - The SCIM connector also had some issues when provisioning attributes from extension schemas. + It is now able to provision any attribute in any SCIM-compatible instance. +- Jobs and Policy + - When FulfillWorkflow is used with the ResourceIdToCopy parameter, the provisioning order + didn't set null values for null navigations. Now, a cloned record can have navigation + properties that are null. +- Logs / Performance / Security + - New verbose logs show the data source paths (CSV or PowerShell script paths) that are allowed + by the agent as specified in the connections settings file. +- UI / UX + - On the dashboard, it was not possible to add MenuItem with URI targeting a page outside the + Usercube application. Now, any link is allowed in the MenuItem.URI property. +- Other + - A new API retrieves entity type data that has been updated (creation, modification or + deletion), in an incremental mode, from a given date. See the [documentation] + (/integration-guide/api/server/resource/index.html#apiresourceincrementaltypedate). + - When the server is launched, the database is now upgraded to the latest version if necessary + +#### Fixed Bugs: + +- Access Control and Workflows + - If a property is in a VisibilityGroup and a user without permissions wants to query it with + the Query Module, an empty column will be returned instead of the real values. 
+ - Previously, a browser's cache had to be cleared after updating a UI form's configuration. Now, + simply re-opening the browser will take the new changes into account. + - The RemoveDiacritics method now replaces special characters like � or � with their non + accentuated equivalent (oe and sh for these examples). + - The Workflow Overview screen is shown without error when a record is added during a workflow + request step and subsequently removed in the review step. + - At the end of a workflow, mandatory drop-down lists that had only one pre-filled value no + longer generate validation errors. + - In workflow forms, the combo box items are now systematically sorted in alphabetical order. + - Fixed an issue where 500 errors appeared in workflows or in the permissions basket after a + property had been removed by a configuration change. +- Certifications and Risks + - In certain cases, AccessControlRules for AccessCertificationItems were not respecting a single + filter. Now a single filter is respected. +- Connectors and Integrations + - When an unplugged connection is used in a connector already containing synchronization + connection(s), the prepare synchronization no longer fails. + - On the connector screen, labels for Active Directory and LDAP resource type settings have been + clarified. + - The Excel connector can now properly do exports when date columns also contain the time. +- Jobs and Policy + - During a new composite role's validation, linked single roles that were "pre-existing" are no + longer temporarily deleted. + - Correction for an issue where, under certain circumstances, a denied role could stay on the + role review screen. + - Navigation rules are now properly taken into account when created via the UI. + - Canceled assigned resource types are now correctly deleted once the target resource is + deprovisioned. 
+ - Denying a role linked to a non-conforming account is now correctly handled so that the deny + decision will be remembered and the role will no longer appear for validation. + - Role model computation results are now always the same whether executed via a workflow or + executed via the executable. + - Corrected a regression where, while manually running jobs with a remote agent, the job + initiator was empty. + - All single roles related to parameterized navigations in a non-conforming state are shown as + non-conforming. Previously, only a few were shown. +- Logs / Performance / Security + - Corrected certain SQL deadlocks that were happening when workflow changes were persisted while + the Usercube-Generate-ProvisioningOrders was running. + - The bindings required for each workflow step are now stored in a cache in the Temp/Cache + folder. This enhances cold start server performance. + - The SetRecentlyModifiedFlag task has been optimized. + - Performance enhancements for screen loading times. + - The workflow summary has been optimized to load more quickly. + - Submitting a workflow request could trigger hundreds of small database queries when many roles + and accounts were added or removed to the user. Now, the database queries are batched together + to reduce the workflow execution duration. + - The dashboard counters are updated less frequently to enhance the application's performance. + - Correction for an issue where, after a server restart, if many workflow requests were executed + immediately, some could fail with a 500 error. +- UI / UX + - Navigating through certain workflows no longer incorrectly affects the filter on the Access + Roles page, so roles linked to a disabled policy are now correctly displayed. + - When a workflow was initiated from a top level menu, sometimes the URL path was incorrectly + built using an incorrect origin. Now the path is correctly built. 
+ - On pop-up windows, the action buttons are displayed if the window height has been changed, for + example after resizing a page or zooming. + - To avoid date confusion, if an incorrect number of digits are typed into a date field, an + error is now displayed. + - On lists of entity types, display indicators now correctly update depending on the chosen + language. +- Other + - The configuration export is now more reliable when a connector is created via the UI. + +## Version 5.2.3.03 + +Release date 3-Jun-2022 + +#### Fixed Bugs: + +- Connectors and Integrations + - When verifying permissions for new schema objects in an Azure AD, service account permission + verifications could fail and the synchronization job would also fail. Now a lack of + permissions for new schema objects does not block the entire synchronization. NOTE: This + requires that the agent be upgraded. + - When writing to LDAP directories, the LDAP connections were not reused when there were a very + large number of provisioning orders. Now, the LDAP connections are pooled correctly to + optimize job performance. NOTE: This requires that the agent be upgraded. +- Jobs and Policy + - Corrected a regression where certain custom emails, sent via a job, caused an error. + +## Version 5.2.3.02 + +Release date 31-May-2022 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) section must therefore +be followed. + +For licensing reasons, the Oracle and MySQL dlls have been removed from the Runtime. If these +connectors are used, please refer to the documentation for +[MySQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md) +and +[Oracle](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md) +for more information. 
+ +#### Fixed Bugs: + +- Access Control and Workflows + - Previously, clicking on a link in a Usercube email worked only when the user was already + authenticated. Now the link is correctly reached even if an authentication detour is required. +- Connectors and Integrations + - On connections with secured options, corrected an issue when saving values if no secured + option is specified. + - The `CreateAgentSynchroIncremental` scaffolding now verifies the connection types so that only + connectors with incremental synchronizations are included. + - Correction for an issue when loading certain entities with PowerBI. +- Jobs and Policy + - The Usercube-Set-RecentlyModifiedFlag task performance could be degraded in large databases. + The task is now optimized. + - Offsets are correctly applied when there are overlapping positions for an assigned resource + type that is given by a single role. + - When deleting a resource using the fulfill internal workflow with an Exclusion Expression in + the Context Rule for the corresponding entityType, if the Exclude Expression doesn't evaluate + correctly at runtime then the owner is now automatically excluded and a message is logged. + Also, the task now ends in a warning state. + - Scalars and navigations are correctly computed when an assigned resource type is given + manually. + - Emails configured to be sent when jobs end in a specific state, now indicate the job's + identifier (instead of the database id) and the state (error, warning, etc.) of the job. + - The permissions for `ProvisioningPolicy/Policy/Query` and `ProvisioningPolicy/Policy` have now + been removed from the BasketRulesControlRules scaffolding. They give access to the dashboard + icon "Policies" which should not be part of this scaffolding. If this scaffolding is in use, + the permissions won't be modified immediately in the database, but will be removed after a + configuration deployment. 
If preserving them after a configuration deployment is necessary, + they should be added in manually for the appropriate profiles or configuration migration can + be performed. + - When the case of an AD attribute is changed, it's now correctly taken into account in the + provisioning order. +- Logs / Performance / Security + - Corrected an issue where multiple updates created a database dead lock. + - Exceptions related to asynchronous SQL executions are now logged. +- UI / UX + - On the Assigned Profiles screen, edit and delete buttons are visible only when the user has + the right to perform such an action. +- Other + - When there is only one universe in a query module, the query is now correctly retrieved when + reloading the page or copying/pasting the URL. + +## Version 5.2.3.01 - Release Candidate + +Release date 17-May-2022 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) section must therefore +be followed. + +For licensing reasons, the Oracle and MySQL dlls have been removed from the Runtime. If these +connectors are used, please refer to the documentation for +[MySQL](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/mysql/index.md) +and +[Oracle](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md) +for more information. + +#### Enhancements: + +- Access Control and Workflows + - Homonym searches are now more customizable. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) + for more information. + - Improvements to the ToSoundex method used in expressions: now, all diacritics glyphs are + replaced by simple letter to get the Soundex value. 
+- Certifications and Risks + - The certification campaign page has been simplified to facilitate the review of access items: + suggestions are provided based on the role model and a help dialog has been added. + ![Certification](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.certification.webp) +- Connectors and Integrations + - The PowerBI report generated by the Role Mining tool has new tabs with metrics about the + generated rules. + - Two new connectors are now available for EasyVista in the Usercube marketplace. One allows the + synchronization of users and the other allows the provisioning of tickets. For more + information see the documentation, for + [users](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) + and + [tickets](/docs/identitymanager/6.1/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md). + Please contact your customer success manager for information about licensing. NOTE: This + feature requires that the agent be upgraded. + - On the connector screens, source columns are now modifiable by the user even without a schema + refresh. + - For the ServiceNow package and the ServiceNow ticket package, client id and secret have been + transformed as secured options. + ![SecureOptions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.servicenowsecureoptions.webp) + - For the AzureAD connector, exporting the extension attributes is now allowed. 
+- Jobs and Policy + - When a job is blocked due to exceeding a synchronization threshold, a "Synchronization + Changes" tab is displayed on the job detail page and entity types can be selected to see all + changed resources + ![DepassedThresholdCounters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.depassedthresholdcounters.webp)![DepassedThresholdChanges](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.depassedthresholdchanges.webp) + - Integrated a new "Literal" expression option, reducing the need for C# code for simple cases. + The "Literal" expression is available for ResourceScalarRule expressions, ResourceQueryRule + source expressions and EntityPropertyExpression expressions for creation and update. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/index.md) + for more information. + - The role model simulation has been redesigned and has more fonctionality. + ![SimulationAddDelete](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.simulationadddelete.webp)![SimulationResults](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.simulationresults.webp) + - Resource Types have a new option, "Depends On" which assures that resource types are created + in the correct order. For example, an Exchange Account would be created after the Active + Directory account. + ![ResourceTypeDependsOn](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.resourcetypedependson.webp) + - The Usercube-Set-RecentlyModifiedFlag tool now propagates "dirty" flag on users to their + associated records. +- UI / UX + - The dashboard has been enhanced. Icons are now color-customizable and administration icons are + split by entity type and the counters for administrative actions have been re-introduced. 
+ ![Dashboard](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.dashboard.webp) + - A setting has been introduced to disable dashboard counters related to the provisioning + screens (Role Review, Provisioning Review, Role Reconciliation, Resource Reconciliation and + Manual Provisioning. This can help with performance issues. See `DisableProvisioningCounters` + in the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md). + - Entity histories are now available. Browse an entity's history and view all the events related + to that entity. Events of the same type can be compared in order to see differences between + dates. + ![ViewHistory](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.viewhistory.webp) + - An entity's data can now be viewed as of a specific date. + ![DataAsOfDate](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.dataasofdate.webp) + - Enhancements have been made to the Resource Type screens so that the correct flow of actions + is encouraged. + - On the Assigned Profiles screen, the search operator on the Profile column now uses a + "Contain" filter instead of "StartWith". + - The screen for defining automation rules has been improved for clarity. + ![AutomationRules](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.3.automationrules.webp) +- Other + - When exporting the configuration, the option �mark-for-export will now flag all items created + via the UI so that they will also export. A second execution of the task is no longer + necessary. + - Additionally, there is a new option that will mark certain elements of the Role Model for + export (�mark-rolemodel-for-export). 
Currently this includes the following items created via + the UI: + - Single Roles + - Composite Roles + - Single Role Rules + - Composite Role Rules + - Pending Approval Rules + - Improvements have been made to the deploy configuration tool to catch more configuration + syntax problems. + - The list of keys for English and French translations have been added to the SDK. + - Product translations can now be imported with the configuration deployment tool. + - Role Mapping feature allows to automatically create roles and rules corresponding to an + external system permission based on a set of naming conventions. + +#### Fixed bugs: + +- Access Control and Workflows + - Workflows with a `ContinueWith` activity now correctly find all email recipients without + throwing an error. + - Homonym verifications that are applied in an update workflow now ignore the current resource's + record(s) so as not to propose the same resource as a homonym. +- Connectors and Integrations + - Synchronized values with spaces are no longer trimmed, correctly representing an exact copy of + the incoming data. This change may generate extra reconciliation tasks. + - The scaffolding `ConnectorMappings` now works correctly when, for entity associations, + `IsProperty1Collection` is true. Previously it only worked if `IsProperty2Collection` was + true. + - In the case of a remote agent, using "Account Management" and choosing "Reset Password (by + email)", the email is now sent correctly. + - On the connector screens, adding a final backslash to a connection parameter (for example, a + folder path) is now properly handled. + - Corrected a problem where, for CSV connector synchronizations, multiple encoded quotation + marks were causing problems. + - On the Connector Entity Type pages, error messages have been downgraded to warning messages + and are better placed to communicate the real issue. 
+- Jobs and Policy + - When a job has an errored task and a task blocked because of an exceeded threshold, the + "Relaunch" option is no longer available. + - On the Resource Reconciliation page, mono-valued properties could be listed, but shown as + unchanged. Now, they are now longer listed. + - The `CreateInitializationJob` scaffolding's task sequencing has been corrected. + - In certain cases, with `CorrelateMultipleResoruces` as true, `AssignedResourceScalars` could + be duplicated in the database, blocking the compute role model. This has been corrected. + - During internal provisioning, corrections were made when deleting resources linked to other + resources. This case wasn't always handled correctly, causing performance difficulties. + - When performing an RH synchronization with an associated fulfill internal workflow and when, + for the same user, a position was added and deleted at the same time, both the add and the + delete are now taken into account. +- UI / UX + - When a user navigates from one entity to another, the links on the actions bar are now + correctly reloaded based on the user's permissions. + - Specifying a control InputType as hidden now works correctly for ForeignKey properties + - Display tables with searchable/sortable headers are now easier to use. The search and filter + buttons are now always displayed instead of requiring a column resize in order to access them. + - On the connection screens, the connection identifier is now read-only after creation. + - Corrected errors that were sometimes thrown when creating query or scalar roles via the UI. + - Occasionally, on some browsers, elements based on the page height weren't correctly calculated + and caused a blank page. This issue has been fixed. + - In a workflow that manages several positions, a deleted position would move to the top of the + list. Now it stays in its original location. + - Now, in a layout row set, the checkbox's label is displayed next to the checkbox. 
+- Other + - When updated in the configuration, two ContextRule calculated properties + `ResourcesStartExpression` and `ResourcesEndExpression` are now correctly updated when the + configuration is imported. + - The configuration export tool now exports the resource key reference instead of the id for: + SingleRoleRules, CompositeRoleRules, ResourceNavigationRules, and ResourceTypeRules. + - The deployment configuration tool now blocks the display table column SearchOperators that are + "FlexibleContain" since this configuration is not allowed. + +## Version 5.2.2.7 + +Release date 12-Apr-2022 + +#### Fixed bugs: + +- Connectors and Integrations + - When the PrepareSynchronization finishes in error, the synchronization is now closed, so the + next synchronizations are no longer blocked. + - The PassworResetSetting now correctly generates a password using the `GeneratedLength`, + `GeneratedUpperCaseCharsCount`, `GeneratedDigitCharsCount`, `GeneratedSymbolCharsCount`, + `GeneratedLowerCaseCharsCount` options. + - Link values in an LDAP export were written both to their own files and to the entries file. + Now there are no duplicate lines in the entries file. NOTE: This feature requires that the + agent be upgraded. + - For the SCIM connector's export, the output file name for association mappings is now correct. + NOTE: This feature requires that the agent be upgraded. +- Jobs and Policy + - In a situation where a ResourceType can be inferred by several single roles, some of which can + be inferred by several composite roles, giving a composite role could result in the + ResourceType's disappearance during the approval phase. This has been corrected. + - The ComputeRoleModel task could fail if a scalar rule value was longer than 4,000 characters. + Now, only the specific value is tagged as an error instead of the whole task. + - The provisioning calculation can better handle dates far into the future or the past. 
+ - For resources imported via XML, primary key columns are now automatically calculated. + - Running simultaneous correlation key calculations is now blocked, in order to avoid primary + key violation constraints. + - Certain SQL deadlocks are now prevented when running a FulfillInternalResources task. + - Deactivating a connector no longer removes too many tasks from scaffolded multi-connector + jobs. + - The Compute Role Model now correctly detects when a hierarchical dimension is cyclical and + stack overflow errors are no longer thrown. + - Offsets defined at the TypeRule level are now correctly applied to all properties of an + AssignedResourceType. +- Logs / Performance / Security / Other + - Indexed view names are now shorter (using hexa encoding) because very long names could cause + errors while importing the configuration. + - The Usercube-Manage-History tool now cleans the history with smaller batches to reduce the SQL + server memory/disk usage. + - Menus protected with dynamic filters by profile were checked for all the possible profiles + instead of only the needed one(s). This has been optimized and now, administrators get their + menus faster. + - When viewing an entity, menus displayed slowly when their permissions were protected with + complex filters. Now, the response times are greatly optimized. + - The complexity of SQL queries performed in jobs and workflows has been greatly reduced, + enhancing overall performance. + - The permission basket response time has been reduced. + - More index optimizations. +- UI / UX + - Correction for a regression where the date selection component gave errors when the language + was French. + - An XML configuration with an OptimizeDisplayTable scaffolding can now be deployed if one of + the columns is the resource's InternalDisplayName property. + - Corrected a regression where, on the view page of an entity with records, the "View More" + button no longer existed. 
+ - The job duration time is now correctly displayed when a job takes longer than one day. + - Automation rules created by the UI and XML were displayed differently on the Automations + screen when viewing by ResourceType. This display has now been harmonized. + - On the workflow supervision screen, navigation bindings in display elements no loner generate + a blank page for deleted users. + +## Version 5.2.2.1 - Commercial Release + +Release date 24-Feb-2022 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) section must therefore +be followed. + +#### Enhancements: + +- Connectors and Integrations + - The Export-ActiveDirectory tool has a new argument `--request-timeout` that configures the + LDAP client-side timeout when synchronizing the Active Directory. +- Jobs and Policy + - On the Access Rule pages, hours and minutes can now be defined for time offsets. +- Other + - The configuration can now be deployed remotely via an HTTP post request. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + for more information. + +#### Fixed bugs: + +- Access Control and Workflows + - A cache issue with QueryHandler queries has been corrected. + - Profiles with filters that concern multiple records are now correctly calculating based on all + records instead of only one. + - Building SQL queries on complex entity models that have more than one multi-valued navigation + no longer throws an error. + - When synchronizing from an HR source with multiple positions, and when existing positions have + end dates, an added position's end date is now also being taken into account. 
+ - When synchronizing an HR source, the triggered workflows' subjects are no longer partially + empty for employees with positions that were added and removed at the same time. +- Other + - For APIs, when a query specifies a multi-valued join the continuation token is now correct. + +## Version 5.2.2.0 - Release Candidate + +Release date 10-Feb-2022 + +#### Enhancements: + +- Access Control and Workflows + + - Workflows that are in process or have been previously saved, can now be aborted. Once aborted, + a purge option is now available on the Workflow Overview screen to completely remove the + workflow. + ![WorkflowAbort](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.workflowabort.webp)![WorkflowPurge](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.workflowpurge.webp) + - A user can now re-forward tasks from the Workflow Overview screen: + - If the ActivityTemplate is `ActionWithRefine`, only the previous performer can re-forward + (the one from which originates the previous forward/re-forward). + - If the ActivityTemplate is `ReviewWithFeedback`, only the original reviewer(s) or + performer can re-forward. + - Drop-down lists can now be automatically populated based on previously chosen values. In the + following example, choosing a manager will automatically fill the �Organization' and + �Location' fields with the manager's respective values: + + ```xml + + ``` + +- Certifications and Risks + - Added performance optimizations for recertification campaigns. + - On the Access Certification Review screen, the green pop-up confirmation notification is no + longer displayed. + - On the risk warning pop-up screen, a description field is now visible in addition to the + remediation field. +- Connectors and Integrations + - A new button on the connector screen refreshes all the connector's schemas. 
+ ![ConnectorRefreshAllSchemas](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.connectorrefreshallschemas.webp) + - On the connector screens, when using the SQL Connection Package, errors thrown by fetch schema + operations are displayed near the appropriate field. + - The RACF connector now extracts account/group associations in a 0203.csv file. + - On the SQL connection screens, the packages now have dedicated fields for User ID and Password + so they can be encrypted in the storage system. + - The two original CSV packages have been merged into one, that can do complete and/or + incremental synchronizations according to the Path and PathIncremental attributes. NOTE: This + feature requires that the agent be upgraded. + - For the Excel connection package, different file paths can now be specified for complete + and/or incremental synchronizations. NOTE: These corrections require upgrading the agent. + ![ExcelSynchroPaths](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.excelsynchropaths.webp) + - On the entity mapping screen, a mapped column is no longer removed from the mapping selection + screen, so that several properties can now be defined on the same connection column. + ![RemapColumns](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.remapcolumns.webp) + - Updated the default web.config file to automatically start the scheduler when IIS starts. + - For connection packages that manage an incremental synchronization mode, the jobs button now + allows the choice between complete and incremental synchronizations. + ![JobCompleteAndIncremental](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.virtualjobcompleteandincremental.webp) + - The Robot Framework connector is now able to generate a secure password. 
+- Jobs and Policy + - _Behavior modification_: When reconciliating a composite role, the application will not assign + a composite role unless all linked single roles are also assigned. Previously, only one + non-ambiguous linked single role would be enough to assign the composite role. This prevents a + mix of allowed and denied single roles displayed on the users' permission lists. + - When deploying the configuration, the `CronTabExpression` is now checked and an error will be + thrown if it is invalid. + - On the provisioning review and resource reconciliation screens, we are now able to postpone + the decision on an individual property. + ![PostponDecision](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.postponedecision.webp) + - The permission assignment pop-up has been enhanced. + - dates and comments can be directly modified + - an item can be deleted with the button on each line + ![PermissionsPopup](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.permissionpopup.webp) + - Added ability to see the role requester's comment on the role review screen and in the role + review notification email. + ![RoleReviewComment](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.rolereviewcomment.webp) + - On the provisioning review screen, it is now possible to filter by resource type and by + specific properties. + ![ProvisioningReviewWithPropertyView](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.provisioningreviewwithpropertyview.webp) + - On the provisioning review screen, it is now possible to filter on properties once a resource + type has been chosen. + - An error indicator is now displayed on a ResourceType's assigned properties when the + ProvisioningState equals RuntimeErrored. 
+ - Jobs from the connector screens are now moved to a dedicated category on the job execution + screen so they are no longer intermixed with other jobs. +- Logs / Performance / Security + + - The resource identity property can now be overridden in appsettings.json, allowing different + environments to use different settings: + + ```json + "SelectUserByIdentityQueryHandler": \{ +    "ResourceIdentityProperty": "AD_Entry:objectSid"\} + + ``` + + - An agent scheduler will now wait for the lock file to be released before starting. Previously, + it would start and immediately fail, unable to recover. + - When C# expressions are compiled, the line number and the C# error identifier are now given. + - C# tuples can now be used in C# expressions. + - The complete job scaffolding now contains a new task that updates configuration-related + database indexes. + - For added security, the file paths used in a connector's connections are now checked against a + list of authorized file paths located in the appsettings.agent.json under the SourcesRootPaths + attribute. More information is available in the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + - Added encryption support for appsettings.json agent and server files. More information is + available in the documentation for the + [agent](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) + and for the + [server](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md). + +- UI / UX + - When creating or modifying an element that can have an offset date (`Navigation Rule`, + `Query Rule`, `Resource Type` or `Scalar Rule`), there is now a possibility to choose "Never" + so that the element will never expire and will display as "No End Date". 
+ - New customization options for the top bar/banner (background color as well as font color) are + available by specifying the colors in the `appsettings` or in the config - using `BannerColor` + and `BannerTextColor`. If no color is specified in the appsettings, the colors specified in + the configuration are used. If no colors are specified in the configuration, the default + colors are used. This allows easy configuration of color differentiation by environment. + - On the connector screens, it is now possible to configure an EntityType's Internal Display + Name expression. + - When several records are changed in a workflow, the Workflow Overview screen now gives a + position summary to indicate which position was modified. + ![WorkflowOverviewSeePositions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.workflowoverviewseepositions.webp) + - In workflows, child component labels are now displayed when using the `LayoutRowSet` component + ![ChildLabels](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.childlabelsonlayoutrowset.webp) + - In the UI only, Pending Approval Rules have been renamed as Automation Rules. + - Automation Rules (formerly Pending Approval Rules) can now be created via the Access Rules + screen. + ![AutomationRules](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.automationrules.webp) + - It's now possible to use URIs in menu items that are up to 2048 characters in length. + - On the connector screens, specific errors are now displayed near the associated fields instead + of as general, global errors. + - An indicator is now displayed in the connection list when the last schema update failed. + ![RefreshSchemaFailIndicator](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.2.refreshschemafailindicator.webp) +- Other + - The Configuration Deployment tool has been completely re-written. 
New performance enhancements + make the import faster and error and warning messages are clearer. + - The Configuration Export tool has also been completely re-written and is now functional. With + `--mark-for-export`, items created by the connector pages can now be exported (other areas of + the application are coming soon). An exported configuration can now also be re-imported. + - A new option, `--reset-database`, has been added to the Configuration Deployment tool. It + enables a full re-set of the Usercube database using the files ResetDatabase.sql and + Usercube.sql (they are now in the Runtime package). This allows for a new, clean Usercube + instance, and works both locally and remotely. + - A new literal option is available for expressions. This expression now works for + `RessourceScalarRules` expressions, `ResourceQueryRules` source expressions, and + `EntityPropertyExpression` expressions. Examples of the first two types of rules have been + added to the demo configuration. + - Two new utility functions for C# expressions: `BuildUsername` and `BuildUsernameWithInitials`. + See the + [C# utility functions section](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) + of the documentation. + - Two demo applications representing a Banking and an HR system have been added to the SDK to + illustrate interactions with managed systems. + - InvokeSqlCommands can now be overridden in the agent appsettings file. More information is + available in the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + +#### Fixed bugs: + +- Access Control and Workflows + - Assigned profiles can no longer be given to users who do not possess the required resource for + authentication and logging into Usercube. + - In a workflow without a persist step, the last activity can now be completed from the UI. 
+ Previously, the message "This task has already been handled." was displayed prematurely. + - Access review campaigns are now started based on UTC time instead of the system time. + - In a workflow with a required photo (using AssertValueRequiredAspect) where the photo is + missing, the assert message is now clearly visible on the missing photo's frame. + - When the �Message' field on the �Finalize' step of a workflow contains more than 4000 + characters, a clear error messages is now displayed. + - When an automatically assigned profile is manually denied, it will no longer be recreated. +- Certifications and Risks + - The job that processes certification campaigns no longer tries to assign certification items + after a campaign's end date. +- Connectors and Integrations + - In some cases, deleted AD entries were not detected by the incremental synchronization. Now, + the entries are always correctly removed from the database by the synchronization. + - When creating an entity type, an error was thrown when trying to use the same identifier as + one that had been previously deleted. Now a previously deleted identifier can be re-used. + - A clearer error message is now presented if an incremental synchronization fails because a + prior set of data for comparison is not available. +- Jobs and Policy + - The "Automatic, but with validation" role option can now be used in all types of workflows. + Before, it required the user to pass through a workflow's permissions page to function + properly. + - Assigned resource types' offsets are now taken account if they are inferred from a manually + approved single role. + - The `SetRecentlyModifiedFlagTask` no longer deletes changes generated during a blocked + synchronization. + - For mono-valued application permissions waiting for approval on the provisioning review + screen, navigations are no longer staying blocked after initially being unlocked/sent or + errored. + - The search filters on the job page are working again. 
+ - After exceeding a threshold in a job and then relaunching the job, the task line now shows the + number of entities added, deleted, and updated. Before, the counters were staying at the zero + values from when the job was blocked. +- Logs / Performance / Security + - When an SQL exception occurred, only the SQL error message was logged and the specific query + was logged only if the log level was Verbose. Now, the query is logged in all cases. +- UI / UX + - The job task "Provisioning Orders Generation" is now named "Compute Role Model" for clarity. + - Entering an incorrect format in a date field will now give clearer error messages. +- Other + - The PowerBI API connector now supports properties having the same name. + - Using the Query UI or the PowerBI plugin, when displaying the resources of a given resource + type, like "AD admin accounts", only resources of the correct type are returned. Previously, + all resources were returned. + - The C# expressions for the role mapping are now recompiled by the XML tool. Previously, they + were only compiled when the -c argument was explicitly provided. + +## Version 5.2.1.3 + +Release date 26-Jan-2022 + +#### Fixed bugs: + +- Connectors and Integrations + - Creating an EntityType using the UI with a plural display name no longer throws an error. + - The connector generator tool has been re-enabled. +- Jobs and Policy + - Removed incorrect associations with existing records when deleting resources via a + synchronization job. This was causing problems with multi-position synchronizations. + - For Resource Types with `DiscardManualAssignements`=true, changes needing reconciliation could + not be manually kept as they were immediately discarded. Now, only manual values impacted by + workflow changes are discarded. + - When running a compute role model on an entity type having a resource type where correlate + multiple resources was enabled, a unique key violation has been corrected. 
+ - Mono-valued navigations are now deprovisioned when they are deleted in source files. +- UI + - Correction for a regression where, on multiple position workflows, the "Delete the selected + position" button disappears when clicked. +- Other + - Added the possibility to specify a minimum authentication algorithm for SAML configuration + using `MinIncomingSigningAlgorithm`. More information is available in the documentation's + [�End User Authentication' section](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). + - Correction for a situation where, when two UI controls were linked together with a + LinkedBinding, the generated query could be incorrect when the LinkedBinding and the + FilterBinding values differed. + - It is now possible to configure a path to public certificates in the appsettings.json using + the attribute ValidationKeys in the section IdentityServer. These public keys can be used by + Usercube to validate tokens generated by external applications. + +## Version 5.2.1.1 + +Release date 14-Jan-2022 + +#### Fixed bugs: + +- Connectors and Integrations + + - Corrections for SCIM export and provisioning. NOTE: These corrections require upgrading the + agent. + - For a password reset settings: + - The `StrengthCheck` regex can now be used to verify the auto-generated password + - If the `MustChange` attribute is set to true, the user will now be forced to change the + password at the first connection. NOTE: This correction requires upgrading the agent. + - For CSV Connector packages, ANSI encoding can now be specified as "windows-1252". Previously, + only "iso-8859-1" was working. + +- Jobs and Policy + + - Correction for a regression where role parameters weren't displayed in the permissions list. + - If an existing assigned resource property is non-conforming or pre-existing, the workflow + state no longer changes. 
+ - Changed properties are now filtered based on current resource Ids. This prevents the modifying + of linked entities' pre-existing/non-conforming permissions, for example Person.Manager. + - Manual provisioning tasks for generated assigned resource types now respect the start date and + the `FulfillHoursAheadOftime` + - When values are modified in an external system, AssignedResourceNavigations are now in the + correct state so that non-conforming navigations from query rules are now indicated as + cancelled instead of non-conforming. + - Fixed a bug where unmapped scalar properties were considered "verified" before the execution + of the corresponding provisioning order. + - When a `RecordSection` is configured, outdated records are now ignored in the Compute Role + Model if there is an up-to-date record present. + - Correction for offset calculations when no end date exists. + - New permissions with effective dates that are included in, or overlapping with, dates of an + existing permission are now correctly handled. + - When verified assigned resource navigations are deleted in an external system, they are now + correctly marked as missing. + - Running the compute role model task twice without any rule changes no longer triggers any + updates. + - Correction for an error on the provisioning review page when requesting the creation of a new + resource. + - For some resource type assignments that are awaiting correlation review, the properties were + not computed. Now, all relevant properties are correctly computed. + - If a permission assignment is non-conforming, a TimeOffset will no longer try to modify the + assignment. + - Corrected an error related to checks for job cancellations during server-side tasks. + - A policy's `IsExternal` property can no longer be updated. It can only be set when the Policy + is created. + - On the provisioning screen, corrected an issue when trying to assign a different resource to a + provisioning order. 
+ - Modifying values of applied mono-valued navigations no longer changes the state, incorrectly, + to non-conforming. + - Corrected the infinite queries requests during a connector synchronization when two entity + properties use the `Option` type. + +- UI + + - On a given ResourceType, when `AllowAdd` is set to false, the ResourceType will not be an + option when choosing new permissions. However, it will remain an option for other types of + actions (risk or rules, for example). + +- Workflows and Access Control + + - Spaces can no longer be inserted before or after values in workflow forms, such as first name + or last name. Now, all whitespace characters are trimmed when submitting a workflow. + +- Other + + - The query module no longer throws "join not found" errors when designing a query for a deep + data model. + - Fixed the problem with the query module that occasionally resulted in a null reference error. + - Corrected a configuration deployment error when several `IndirectResourceRules` were + configured with the same property. + - Corrected a problem where encodings for `EntityTypeMappings` were lost when migrating from + older versions to 5.2 versions. + +## Version 5.1.7.17 + +Release date 22-Dec-2021 + +#### Fixed Bugs: + +- Jobs and Policy + - During a connector synchronization, corrected a problem where a time-out was caused when two + entity properties use the `Option` type. + +## Version 5.1.7.16 + +Release date 09-Dec-2021 + +#### Fixed Bugs: + +- Jobs and Policy + - Fixed a ComputeRoleModel regression for ResourceTypeRules using dimensions or parameters. + +## Version 5.1.7.15 + +Release date 06-Dec-2021 + +#### Fixed Bugs: + +- Jobs and Policy + - Scalars for ResourceTypes with `CorrelateMultipleResources` set to true, are no longer + duplicated when the provisioning policy is run. 
+ +## Version 5.1.7.14 + +Release date 29-Nov-2021 + +#### Fixed Bugs: + +- Jobs and Policy + + - When an existing navigation value is different from the one suggested by the role model, the + assigned resource navigation is now marked as "Non-conforming". Previously, the state was + incorrectly indicated as "Cancellation". + +- Connectors and Integrations + + - To prevent password constraint errors, a new configuration setting, + "PasswordGenerationSetting", permits a whitelist of allowed symbol characters for password + generation called "AllowedSymbolChars". When provided, the white list will override the + default symbol character list: "!;.,?()[]-\_&%$+{}@". More information is provided in the + documentation's + [�References' section](/docs/identitymanager/6.1/identitymanager/integration-guide/network-configuration/settings/index.md). + +## Version 5.1.7.13 + +Release date 10-Nov-2021 + +#### Fixed Bugs: + +- Jobs and Policy + + - Provisioning policy: keep the same workflow state when the existing assigned resource property + is found or historic. + - Provisioning policy: filter changed properties based on current resource ids (to prevent + modifying linked entities found/historic permissions: Person.Manager). + - Fix offset computing when there is no end date. + +- Connectors and Integrations + + - Password Reset : Use the "StrengthCheck" regex to verify if the auto-generated password is + matching. + +## Version 5.1.7.12 + +Release date 27-Oct-2021 + +#### Fixed Bugs: + +- Jobs and Policy + - During the Compute Rule Model, calculating offsets on minimum and maximum date values no + longer throws an error. + - Fixed a SQL timeout on the Workflow Overview screen that could appear for workflows where a + role was manually modified. + - When a RecordSection is configured, outdated records are now ignored in the Compute Role Model + if there is an up-to-date record present. 
+ +## Version 5.2.1.0 + +Release date 21-Oct-2021 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) section must therefore +be followed. + +#### Enhancements: + +- Certifications and Risks + - "Declined" labels have been changed to "Refused" to keep vocabulary clear and consistent. +- Connectors and Integrations + - The CSV Connector can now properly refresh the schema when reading files that have extensions + different than "csv", such as "txt". + - PowerShell sensitive options are now hidden when passing them to the API. + - Add secured options fields for sensitive data in the PowerShell connection settings. + ![Secured Options](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.securedoptions.webp) +- Jobs and Policy + - Azure AD binary properties can now be provisioned. + - Indirect permissions can now be displayed on user permission screens. See the + [documentation](/docs/identitymanager/6.1/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md) + for more information. + ![Indirect Permissions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.indirectpermissions.webp) +- Logs/Performance/Security + - The new `Usercube-Manage-History` tool manages the data history stored in the database. It can + purge old data or consolidate the history. + - The `Usercube-Manage-ConfigurationDependantIndexes` tool has a new option "�auto" to + automatically generate database indexes based on the specific configuration. This improves the + database performances for the directory pages and all the review screens. + - Just after login, the first display of the dashboard was slow because of missing SQL indexes. + The database schema and the SQL index management tool have new indexes to optimize these first + connections. 
+ - Enhanced system verifications before running the initialization job. +- Other + - The XSD for LdapResourceTypeMapping has been corrected. + - Using the XSD, resources can be referenced by Id, so we now propose these attributes, for + example D0Id. + - Added a new Report Query Universe including identified Risks. + - The Role Mining utility now gives a better results summary, showing the percentage of existing + permissions that are taken into account by new rules and the number of exceptions that still + remain. +- UI + - When multiple languages are configured, the indicator number is now used to identify the + language in the front-end (instead of the index in the table). + - On the Fulfill Internal Workflow connection screen, the transition list selection field is now + pre-filtered based on the selected workflow type. + - Search bar items that a user is not allowed to modify are now hidden. + - Priorities can now be set on DisplayEntityTypes so that the highest priority EntityTypes will + be selected by default on administration screens. Priorities are selected based on + ContextRules during the migration. In most cases, these will need adjusting. + - On the Jobs screen, progress indicators for Provisioning Policy tasks are now displayed. + - Orphan and Uncategorized filters on resource screens have been improved. + ![Orphan and Uncategorized filters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.orphanuncat.webp) + - AddedMinutes is now configurable for Display Entity Properties, Form Controls and Display + Tables (column and tile items). The value set on the Display Entity Property is the default + value used if no specific value is set for a form control or the display table. + Note that the current behavior does not change for WorkflowUpdateSeveralRecordsEntity forms. 
+ When a property is displayed in a display table without a set value for AddedMinutes (on the + column or tile item and therefore not on the display property either), but the property is + displayed in the form, then the AddedMinutes set on the form control is used to display the + property value in the display table. + - Optimized language-related property bindings for neutral properties in DisplayTables are now + handled. + - New links to owners on Reconciliation and Provisioning Review screens. + ![Links on Reconciliation](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.linksfromresourcerec.webp)![Links on Provisioning Review](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.linksfromprovreview.webp) + - New fields for existing options are now configurable on the ResourceType creation screens: + - Remove Orphans + - Block Provisioning Orders + - Discard Manual Assignments + - Correlate Multiple Resources + ![New Options Resource Types](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.resourcetypenewoptions.webp) + - Errors on the EntityType configuration screen are now detected and displayed on each concerned + field. + - Improved the workflow state filter on the Role Review page: all "Pending approval" workflow + states, except PendingRiskApproval, have now been grouped under one generic option "Pending + Approval" instead of split into the different phases of approval. + ![Pending Approval Filters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.pendingapprovalsimplification.webp) +- Workflows and Access Control + - On the "My Tasks" screen, it is now possible to attribute tasks to a member of a review team. 
+ ![Assign Tasks 1](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.assignedto1.webp)![Assign Tasks 2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.1.assignedto2.webp) + +#### Fixed bugs: + +- Certifications and Risks + - When creating and updating a Certification Campaign, risk options and filters are no longer + visible in the Target Specificities or Owner filters if no risks have been created. + - Correction for active target filters in access certification campaigns for situations where + identity changes were planned ahead of time. +- Connectors and Integrations + - On the Connector Connection screen, the button "Check Connection" is disabled if the "Filters" + field is empty. This harmonizes the behavior with other connection packages and avoids a + notification error. + - There is now a default DataTypeConverter for the Generic SQL Package. NOTE: This correction + requires upgrading the agent. + - Two connections can no longer have the same name; the comparison is now case-insensitive. +- Jobs and Policy + - Force tasks to periodically evaluate the overall job state: if the job state is finished, the + task will now finish as well. + - Correction for the use of `ContinueOnError` for server side tasks. + - After deleting a resource and then synchronizing, the provisioning state is now correctly set + to executed instead of verified. + - The TransmittedStateValidityPeriod is now taken into account for existing provisioning orders + and duration periods greater than one day. + - `CommentActivation` for Role Reviews can now be set on the Policy in the XML configuration. +- Logs/Performance/Security + - Add colors in the `Usercube-Get-JobSteps` output to make it easier to differentiate the tasks. + - The anonymization tool now completes without exceeding the time out. + - Added an error message when running `Usercube-Get-JobSteps` with an incorrect job identifier. 
+ - AzureAD cookie files are now encrypted. This is handled during migration. + - The OpenIdClient is now retrieved and saved when workflows re-created or reviewed via the API. +- Other + - Certain special characters are no longer removed during configuration migrations. + - CSV report columns are now generated in the same order as they are expressed in the report + configuration. +- UI + - The counter refresh has been improved on the �My Tasks' dashboard icon. + - Error notifications are now always displayed when the API returns an error 403 (unauthorized) + when retrieving resources for a dropdown. + - Search filters are smarter when passing from one type of filter to another. + - Default values in search bars are now taken into account in a list displayed like a table. + - In search fields, placeholders were incorrect when they moved from inside the field to the top + label. For example, in a User search bar, the placeholder on the empty field Name was "Name" + but once a value was defined in the field, the top label was "Phonetic First/Last Name" + instead of "Name". + - Autocomplete pickers outside of Form Controls are now displayed properly. + - A regression was fixed so that, on the Role Review and Role Reconciliation pop-up screens, the + link to the owner has been re-established. + - The record display on the Workflow Overview screen now groups records properly even if their + changes are identical. + - Filters on boolean properties are smarter: when "No" is selected, resources with property + value equals to "False" or "Null" are returned instead of only "False". + - Entity Property Identifier names are now verified on the connector pages. They can't be a + reserved word, must start with a letter, can't contain accents, must contain only letters and + digits. + - In workflows, RecordSortProperties defined in the configuration were previously unused. 
Now, a + record list in a workflow is sortable by: + - The RecordSortProperty, if it is defined + - The sort defined for the DisplayTable, if it is defined + - The first column, if the defined DisplayTable is a "table" or the ResourceId if it's a + "list" + - On the permission modification page, corrected a regression where the "Allow" button was + activated when the selected permission was already allowed. + - Harmonize the usage of data filters on primary screens and pop-up screens. +- Workflows and Access Control + - When changes are applied during a workflow validation step, all records are now correctly + updated instead of only one record being updated. + - ResourceFiles are now deleted when the associated resource is deleted + - In a multiple-step workflow with photo changes, the photo is now visible in intermediary steps + and only the last image is persisted. + - Added necessary permissions to the `CreateAdministratorProfile` scaffolding so that + administrators can use the basic Risk Module. + - The configuration deployment tool no longer permits the creation of two aspects that point to + the same binding on the same workflow. + +## Version 5.2.0.8 + +Release date 12-Oct-2021 + +#### Fixed Bugs: + +- Certifications and Risks + - Database query optimization for the Access Certification review items. + - When no photo property is set and an access review item has been forwarded, an issue with + nulls has been fixed. +- Connectors and Integrations + - The AD refresh schema mechanism has been modified to require fewer permissions and therefore + avoid "unauthorized" errors. NOTE: This correction requires upgrading the agent. + - Corrections for the SCIM export mechanism. NOTE: This correction requires upgrading the agent. + - The "Manage Accounts" menu was displayed for users having matching permissions on all + identities. Access to this menu is no longer denied for users with a filtered scope of + responsibility. 
+ - Corrected a random error, "Cannot compare files with a different header", on incremental CSV + file synchronizations. NOTE: This correction requires upgrading the agent. +- Jobs and Policy + - A cancelled assigned resource navigation is now kept when the provisioning state is + "executed". + - Corrected a case where automatic roles weren't removed when the user's end date arrived. + - Corrected certain primary key conflicts when trying to merge property changes while using the + Fulfill Internal Workflow. + - When a single role gives permissions that are forbidden by a Segregation of Duties blocking + risk, the Compute-RoleModel calculation no longer fails. + - For manual provisioning modifications, when only one permission assignment is changed all the + other provisioning states now stay as they were instead of reverting to an "executed" state. + - All linked resources are now updated when `CorrelateMultipleResources` is activated. +- Logs/Performance/Security + - If the ActiveDirectoryUserStore was used with the login form, the credentials submitted are + taken into account instead of constantly reusing the credentials of the first logged in user. + NOTE: This correction requires upgrading the agent. + - The `Usercube-Get-JobSteps` tool now displays the tasks sorted by level and launch order + instead of simply by launch order. + - The selection fields on resource entities are now faster. +- UI + - Dates using the language 'en-GB' in date selection fields now allow a date in the European + format to be typed in, instead of forcing an American format. +- Workflows and Access Control + - Custom email notifications with filters used in the `QueryFilterExpression` no longer throw an + occasional "Index was outside the bounds of the array" exception that prevented emails from + being sent. + - Fixed an SQL timeout on the Workflow Overview screen that could appear for workflows in which + a role was manually modified. 
+- Other + - The Role Mining tool now uses less memory with huge datasets. + - Reports generated by scaffoldings are displayed on the dedicated menu. + +## Version 5.1.7.11 + +Release date 24-Sep-2021 + +#### Fixed Bugs: + +- Certifications and Risks + + - When no photo property is set and an access review item has been forwarded, an issue with + nulls has been fixed. + +- Jobs and Policy + + - When an assigned resource navigation is pending deletion, the state will now stay as + cancellation, rather than reverting to non-conforming. + - An orphaned account that had recently been correlated is now no longer be considered an + orphan, preventing incorrect account deletions. + - When computed permission assignments are null, a null reference exception is no longer thrown. + - Corrected a case where automatic roles weren't removed when the user's end date arrived. + - All linked resources are now updated when `CorrelateMultipleResources` is activated. + +- Workflows and Access Control + + - Added a new, optional, expression to `AddChangeAspect`: `AcceptNullValueExpression` is a C# + expression that must return a boolean value in order to specify whether `Null` is a taken into + account as the changed value when it's returned by `Expression` parameter. By default, the + value of `AcceptNullValueExpression` is false. + - Custom email notifications with filters used in the `QueryFilterExpression` could sometimes + have an "Index was outside the bounds of the array" exception that prevented emails from being + sent. This has been corrected. + +- Other + + - For OpenId Connect authentication, the response_mode and response_type settings can now be + switched from code flow with PKCE to implicit flow. + +## Version 5.2.0.6 + +Release date 30-Aug-2021 + +### **Migration notice:** + +This release includes updated instructions for migrating from the version 5.1.7. 
The migration steps +in the documentation's [Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) +section must therefore be followed. + +There is no migration to be done from version 5.2.0.2. + +#### Fixed Bugs: + +- Certifications and Risks + - Corrected the generation of Certification reports: in the case of an owner's DisplayName that + is null, we now show the Id of the owner. +- Connectors and Integrations + - When deploying an XML configuration, a SequenceException will no longer occur when a + ResourceTypeMapping is not linked to the correct connection. + - The Connection used by Fulfill tasks can now be overridden. Previously, these tasks were + always using their ResourceTypes' Connections. + - The Salesforce connector in 5.1 agents will no longer throw a System.NullReferenceException + when calling a 5.2 server during the provisioning of user accounts. + - For an Oracle database connection, the IsolationLevel parameter has changed for the + InvokeSQLTask to prevent database locks. +- Jobs and Policy + - Deploying the XML configuration no longer deletes navigation rules that were configured from + the UI. + - Fixed a runtime exception that could cause ChannelClosedExceptions when launching + ComputeRoleModel. + - When an assigned resource navigation is pending deletion, the state will now stay cancelled, + rather than reverting to non-conforming. + - An orphaned account that had recently been correlated is no longer be considered an orphan, + preventing incorrect account deletions. + - The ComputeRoleModel task now runs successfully after the deletion of a ResourceType. + - When computed permission assignments are null, a null reference exception is no longer thrown. + - Null reference error should no longer be thrown by the FulfillInternalWorkflow task. + - Multi-valued dimensions are properly taken into account during the initialization phase. 
+- Migration from 5.1 + - The migration to 5.2 considered a CSV file shared by several entity types from the same + connector as an error. Now, the migration automatically creates a CSV connection shared by all + the entity types that need it. + - The XML generated by the 5.2 migration tool is now indented correctly. + - When migrating the XML configuration, redundant elements are no longer generated when the same + CSV files are used in several mappings. + - The XML migration now sets the Manual connector package for ResourceTypeMappings that had a + Manual fulfillment in 5.1. + - Certain ResourceTypeMappings now migrate properly with their connection information. + - FulfillDatabase connectors now properly migrate to FulfillWorkflow. + - Various additional improvements to the migration tool. +- Other + - For OpenId Connect authentication, the response_mode and response_type settings can now be + switched from code flow with PKCE to implicit flow. + - For clustered server installations, the appSettings.json now has a new DataProtection section + to configure a shared certificate for generating anti-forgery tokens and protecting + authentication cookies. + - The generate configuration tool now also generates CSV Connections. +- UI + - The "OptimizeDisplayTable" scaffolding now properly handles simple columns (columns not + containing tiles). +- Workflows and Access Control + - The "OnlyIfNew" attribute is now taken into account for "BuildUniqueValue" aspects. + +## Version 5.1.7.10 + +Release date 4-Aug-2021 + +#### Fixed Bugs: + +- Certifications and Risks + + - When defining a campaign, the ResourceType's data filter compliance check regarding the + campaign's specified EntityType is now performed correctly. 
+ +- Connectors and Integrations + + - Added two new parameters to fix OAuth 2.0 settings: + - "Scope" in OAuth 2.0 Settings + - "SubClaimType" + +- Jobs and Policy + + - Fixed lost correlations for resource types without any property rules (Scalar, Navigation, + Query). + - Fixed issues with provisioning orders that had empty content in the UI for Manual + Provisioning. + - In specific circumstances, the `FulfillInternalWorkflowTask` is now better able to calculate + the workflow that should be used. + - During the synchronization process, a double quote was appended to values that already + contained double quotes. Now, the synchronization parser correctly takes this character into + account. + +- Logs/Performance/Security + + - Agent log settings are now independent of server log settings for jobs. + - If the server was down and an agent's authentication token had expired, it could no longer + execute jobs when the server came back online. Now, the agent can correctly refresh the + authentication token as needed. + - Logs will be shown in debug level when, because of a context rule exclude expression, an owner + is excluded from the Role Model computation. + +- UI + + - `DislpayTables` (of type "table") shown on the "Provisioning review" and "Role reconciliation" + screens can now be filtered by the scalar properties that exist in search criterion and in + column headers as well. + - Multi-valued properties are no longer automatically duplicated when adding a new record in a + multi-record record workflow form. + - On the Role Reconciliation and Role Review pages, a wait spinner now exists to prevent a user + from clicking (quickly) on a decision button more than once. + - Pop-up value-selection screens will now show the correct number of lines/value options. + - Fixed a bug where the Workflow Supervision page was giving an empty display for modified + fields when the `RecordSlaveForm` was not defined. 
+ +- Workflows and Access Control + + - Correction for the generic email reminder calculation so that no empty emails are sent, and + that each email contains one reminder. + - Workflows with multi-records and multi-valued properties no longer give errors during workflow + validations. + - Added a new, optional, expression to `AddChangeAspect`: `AcceptNullValueExpression` is a C# + expression that must return a boolean value in order to specify whether `null` is taken into + account as the changed value if/when it's returned by the `Expression` parameter. By default, + the value of `AcceptNullValueExpression` is false. + - The Policy.Identifier property can now be used in `AccessControlRule` filters. An HTTP 500 + error is no longer returned on the permissions page when this property is used. + - Roles can now be correctly reviewed when the configuration contains a Profile targeting both + Roles and Categories at the same time. + +- Other + + - Configuration Export/Import no longer throws an error because of policy roles that have been + partially deleted. + +## Version 5.2.0.2 + +Release date 23-Jul-21 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) section must therefore +be followed. 
+ +#### Enhancements: + +- Connectors and Integrations + + - New connector configuration screens + ![ConnectorHomePage](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.connectorhomepage.webp) + - Connector marketplace with packages for existing connectors and integrations: + - CRM/Salesforce + - Custom/JSON + - Custom/PowerShell + - Database/Generic SQL + - Database/MySQL + - Database/ODBC + - Database/Oracle + - Database/PostgreSQL + - Database/SQL Server + - Usercube/Workflow + - Directory/Active Directory + - Directory/Apache Directory + - Directory/Azure Active Directory + - Directory/Generic LDAP + - Directory/LDIF + - Directory/Open LDAP + - Directory/Red Hat Directory Server + - ERP/SAP + - ERP/Workday + - File/CSV + - File/CSV delta + - ITSM/ServiceNow + - Mainframe/RACF + - Mainframe/Top Secret + - PAM/CyberArk + - Storage/Shared Folders + - Storage/SharePoint + - Ticket/ServiceNow + - Ticket/identitymanager + - Ticket/identitymanager And Create/Update/Delete resources + - Usercube/Database + - Usercube/Workflow + - New Connectors + - Custom/Robot Framework + - Database/MySQL + - Database/ODBC + - Database/Oracle + - Database/PostgreSQL + - Database/SQL Server + - Database/SQL Server Entitlements + - File/Excel + - File/Excel delta + - Server/Microsoft Exchange + - Storage/Home Folders + ![MarketPlace](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.marketplace.webp) + - Connector overview page: view information of each connector in a dashboard format. + ![ADConnectorPage.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.adconnectorpage.webp) + - Connections: view and edit a connection, specifying the connection package and the agent + settings. 
+ ![ConnectorConnection.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.connectorconnection.webp) + - Connector EntityTypes: manage the meta data of the entity type, its display, its mapping + and its properties (metadata, mapping, association). + ![ConnectorSABEntityType.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.connectorsabentitytype.webp)![ConnectorSABEntityTypeNav.webp](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.connectorsabentitytypenav.webp) + - Correlation and classification rules can be created inside the application. + ![CorrelationClassification](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.connectorcorrelationclassification.webp) + - Connector Agent Settings: The section InformationSystems in the appsettings.agent.json has + been renamed as "Connections." This is handled by the migration utility. + - A binary property (like photos) can now be updated via synchronization. + - Added two new parameters for OAuth 2.0 settings: + - "Scope" in OAuth 2.0 Settings + - "SubClaimType" + - Azure AD can now export any entity. + - LDAP has been refactored, and one connection will now export the entries and the links. + - Output files name are changed for all connectors that were using prefixes. Now, instead of the + prefix, we have: export*name + "*" + connection_identifier. For example, for an AD where the + connection identifier is ADExportFulfillment, the entry file will be named + "ad_ADExportFulfillment_entries.csv". + - PowerBI plugin to retrieve data from Usercube. + +- Certifications and Risks + + - During or at the end of a certification campaign, reviewed items with a "Refused" decision can + now be queued for immediate deprovisioning. 
+ ![CertificationDecisions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.certificationdecisions.webp) + - Denied permissions can be filtered out when creating and/or modifying an Access Certification + campaign. + - Risks are now displayed with their remediation message. + - The new permissions /ProvisioningPolicy/Risk/OverrideBlocking and + /ProvisioningPolicy/Risk/OverrideApproval allow a user profile to override the risk settings. + As an example, for an administrator with these permissions, a blocking risk becomes one + requiring special approval or a risk with only a warning. + +- Jobs and Policy + + - A new parameter "DeactivationExportFulfill" disables Export or Fulfill in a Connection that is + linked to a package having a Fulfill or an Export. Consequently, with this parameter, a + connection that no longer implements Fulfill cannot be implemented in a ResourceTypeMapping + and a connection with Export disabled will no longer be used by Scaffoldings to create Export + Tasks in jobs. + - A new type of rule, `PendingApprovalRule`, allows an �Allow' or �Deny' decision to + automatically be made for pending Roles or ResourceTypes after a specified time period. + - A task's progress display on the job detail page has now been adapted according to the type of + task. + - Multi-valued dimensions for the role model are now supported. + - Non-conforming permissions for departed and archived users are now canceled. + - Removal of all export task types and update of a single export task type, "ExportTask" that + replaces all other exports. + - The Roles, Rules and Risks dialogs now show the author and date of the last change. 
+ ![RoleModelHistory](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.rolemodelhistory.webp) + - On the Access Rules page, there is a new filter on the Type for Single/Composite roles and + Resource Types + ![RuleFilter](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.rulefilter.webp) + +- Logs/Performance/Security + + - Corrected a typo in the appSettings files where PageResult should be PagedResult. The + migration tool will update these settings. + - Fix LDAP error messages when a dn can't be found. + - Parsing errors related to json files now indicate the name of the errored file. + - TempFolderPath and WorkFolderPath are two new settings defined in the appsettings.json. They + allow the definition of the Temp path, whose default location is `../Temp`and whose content + can be deleted, before restarting the server, without altering the behavior of Usercube and + the Work path, whose content shouldn't be removed or altered. + - The cookies used for incremental exports are now stored in /ExportCookies + - The SQL zz\_\* views for reading and updating custom entities have been enhanced. There are no + longer views for the optimized associations as their values were already available in the + mono-valued side entity type's view. Furthermore, the SQL views for non-optimized associations + now have the `_type` column, allowing the direct insertion of rows with SQL statements. + +- Other + + - All the CSV files stored in the Temp folder now use a comma "," as column separator instead of + semicolumn ";". These files are therefore fully CSV compliant. + +- UI + + - Enhancements to the auto-complete functionality of selection fields in workflows. + - In entity type configuration UI, if the identifier of the entity type or its properties are + not C#-compliant, the creation/update of the entity type is forbidden and error messages are + displayed on each corresponding field. 
+ - Identifiers of EntityTypes or their properties must be C#-compliant. In the new Connector + screens, errors are presented to the user if this constraint is not respected. + - On the Resource Type definition screen, the addition and removal of associated permissions is + now configurable (corresponding to AllowAdd and AllowRemove in the xml configuration). + - Role descriptions are now visible throughout the application: + + - On the Access Roles screen (description column + tooltip if more than 30 characters), + - On a user's page, when adding permissions: + - On the dialog where the permissions are selected (column + tooltip) + - On the summary screen, when hovering over the permission a tooltip is displayed + - While viewing the permissions of a user (View Permissions screen), when clicking on a + permission, a dialog opens, the description has been added below the role name) + - When reviewing a permission + + - The number of configurable languages has increased from 8 to 16. + - When creating policy rules, a role's FullName (with categories) is now displayed instead of + the simple DisplayName. + - When data can be saved, the button label has been changed from "Edit" to "Save" on the + following pages: + + - Access Certification Campaigns, + - Assigned Profiles, + - Access Policies, + - Access Roles, + - Access Rules, + - Risks + - Connectors + +- Workflows and Access Control + + - A new workflow type has been created that allows mass updates: + `WorkflowUpdateRecordEntitiesForm`![5.2.0.UpdateMultipleUsers](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.2.0.updatemultipleusers.webp) + - On CompositeRoles and SingleRoles, the new "Approve Role Implicitly" setting allows users with + profiles for requesting _and_ reviewing permissions to request roles and then skip the review + steps. By default, all the roles must be explicitly reviewed. 
+ +#### Fixed Bugs: + +- Connectors and Integrations + + - A default value was added for the attribute MicrosoftGraphPathApi for the Azure AD connector. + - Display an explicit error when trying to reset password of non-existent resources (deleted + resources or those awaiting creation). + - Fixed a bug where access control filters were not taken into account for password reset + operations (from the agent API). + - Fixed the KeyVault configuration loading which did not consider a variable depth greater + than 1. + - The executables Usercube.Fulfill.SharePoint.exe and Usercube.Export.Workday.exe were renamed + respectively as Usercube-Fulfill-SharePoint.exe and Usercube-Export-Workday.exe. + - TSS, RACF and SAP exports now have a prefix for their output, which is the connection + identifier, similar to other connectors. + +- Certifications and Risks + + - The executable Usercube-Update-AccesCertificationCampaign is now named + Usercube-Update-AccessCertificationCampaign + - When defining a campaign, the compliance check of the data filter on the ResourceType compared + to the target entity type of the campaign is now performed correctly. + +- Jobs and Policy + + - "Pre-existing" resource types with a confidence rate of less than 100 percent are now properly + shown on the Provisioning Review screen in the "Correlation" section instead of the Resource + Reconciliation screen. + - A double quote was appended to values containing a double quote during the synchronization + process. Now, the synchronization parser correctly takes this character into account. + - A scaffolded job based on a connector without any EntityTypeAssociations will no longer try to + create PrepareSynchronisation and Synchronisation tasks. + - Added an updating job on Agent scheduler, which periodically refreshes the job list, in cases + of the database has been updated. + - An EntityType is now forced to have only one related context rule. 
+ - During an AD synchronization, records are now compared correctly between CSV file and database + so changes will not be detected with the exact same files. + - For added security, the default Approval Workflow Type for new roles now Simple (one approval) + instead of zero approvals. + - For Usercube-Update-EntityPropertyExpressions and Usercube-Update-Classification the argument + has been changed from `--diry` to `--dirty`. + - In computing delta synchronizations, a resource shouldn't have multiple owners. + - The Entity Property of type "Option" has been changed to "ForeignKey", so + `` becomes + `` + - The InvokeAspectsTask's progress state is now correctly passed on to the job running the task. + The possible values are Completed, Aborted, or Errored. + - The scaffolding for the correlation calculations now takes into account all source EntityTypes + that are relevant to a given ResourceType. + +- Logs/Performance/Security + + - Add Logger service to help debug C# Expressions. Example: + `C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name;` + - Added a verification to the Deploy-Configuration tool that prevents two or more dimensions + from having the same SQL column index. + - Agent log settings are now independent of server log settings for jobs. + - Corrected certain silent errors when deploying configuration to the SaaS environment. + - Fixed a bug in the login process causing page links to be redirected to the home page after + login, if a login was necessary, rather than the page specified. + - If the server was down and an agent's authentication token had expired, it could no longer + execute jobs when the server came back online. Now, the agent can correctly refresh the + authentication token as needed. + - Logs for unauthorized access give better information about missing permissions. + - Nullable checks for C# expressions have been added during configuration deployment to prevent + runtime exceptions. 
They will be displayed as warnings. + - The Access Certification report now generates more quickly. + - The attribute FilesAreNotEncrypted no longer exists. The encryption is now only retrieved from + the EncryptFile attribute in the appsettings.json. This change is handled by the migration. + - When loading the configuration indicated with the appsettings files, the precedence has been + corrected so that the encrypted appsettings (appsettings.encrypted.agent.json) override the + normal appsettings (appsettings.agent.json). + +- Other + + - A bookmark from the Universes queries can be copied from one environment to another. + - Calls to a non-existent API now return a 404 Not Found error instead of the index page. + - In `AccessCertificationDataFilter` and `AccessCertificationOwnerFilter`, the property + `TargettedRisk` was changed to `TargetedRisk`. + +- UI + + - DisplayTables (of type "table") shown on the "Provisioning review" and "Role reconciliation" + screens can now be filtered by the Last Name and First Name columns. + - Fixed incorrect top menu bar translations when the language is changed. + - Fixed selection screens that were occasionally showing the wrong number of lines. + - In Campaign Reviews, items are now always visible even when the name of the permission is a + long string. + - Multi-valued properties are no longer automatically duplicated when adding a new record in a + multi-record record workflow form. + - On the permissions page, removal of a conflict message when a new assignment corresponds to + one that is already in a process of deletion. + - On the Role Reconciliation and Role Review pages a wait spinner now exists to prevent a user + from clicking on a decision button more than once. + - Pagination buttons on the Workflow Overview screen no longer shift to the vertical center of + the page. 
+ - Provisioning Review UI: Take into account the case where the resource has not yet been + synchronized and correctly display a screen title of "Update" instead of "New". + - Upgrade the Index manager tool in search fields so it will handle Display Tables that don't + use Tiles (for example, the ResourceTables) + - When no values are displayed on a screen, the actions "Next page" and "Previous page" now + return coherence results. + +- Workflows and Access Control + + - Correction for the generic email reminder calculation so that no empty emails are sent and + each email contains one reminder. + - On an Entity with records workflow, changes were wrong when a field in the record section + tried to update a property of the main entity. Now, there is no error and an updated field in + the record section will correctly update the main entity property. For example: a Photo field + in the record section updates the property Photo of Directory_User. + - On notification aspects with recipients as a specific profile, a filter on ValueId is now + correctly handled. + - Roles can now be correctly reviewed when the configuration contains a Profile targeting both + Roles and Categories at the same time. + - Rules of type "Automatic, with validation" are now only given automatically during new user + workflows. This prevents a situation where all future permission modifications would + continually generate validation requests. + - The ContinueWith Activity to merge workflows now functions properly. + - The Policy.Identifier property can now be used in AccessControlRule filters. An HTTP 500 error + is no longer returned on the permissions page when this property is used. + - The scaffolding ViewAccessControlRules no longer gives the wide-reaching "/" permission. + - When processing notification aspects for the same permission using the "Profile" recipient + type, certain access rules are no longer skipped. 
+ - Workflows with multi-records and multi-valued properties no longer give errors during the + workflow validations. + +## Version 5.1.7.9 + +Release date 24-Jun-2021 + +#### Fixed Bugs: + +- Connectors and Integrations + - Correction for a problem with the initialization of the password reset services, where the + encryption certificate was used instead of the password reset certificate when Usercube was + installed on-premises. + - Correction for time-consuming Azure AD exports which were ending too soon due to an expired + token. + - Fixed mail settings password handling for SMTP servers. + - Passwords with fewer than 12 characters can now be generated for new accounts. +- Jobs and Policy + - Expression assemblies are now loaded when evaluating expressions for provisioning rules. This + avoids potential incompatibilities between the DLL and the C# expressions. + - Non-Conforming single roles are now correctly detected when a ResourceType does not have any + scalar rules. + - To prevent certain timeouts, a new, optional, parameter, JobLaunchTimeout, can now be added to + the appsettings to override the current default for starting jobs. The default value is 7500 + milliseconds. See the documentation for more details. +- Logs/Performance/Security + - New clearer, error messages are thrown when RecordStartProperty or RecordEndProperty are not + correctly specified on Forms based on records. + - More logs have been added to the scheduler: + - when a job has stopped (with its execution time) + - when sleeping, with the sleep time + - the execution/sleep time ratio + - the full list of scheduled jobs + - Correction for the task logs when a job is stopped or errors out. +- Workflows and Access Control + - Corrected an error that prevented standard users from seeing their permissions or sources and + from making requests, even if allowed by the configuration. + - When new records are added in a review step, the navigation properties are now correctly + duplicated. 
+ - Correction for some missing parent workflow permissions. + +## Version 5.1.7.8 + +Release date 7-Jun-2021 + +#### Mini migration: + +Before migrating the agent, if the file `tracked-accounts-{system-identifier}.csv` exists inside the +(old) runtime, it should be moved to Usercube's Temp folder. If this setting was previously +configured in the appsettings, no change is necessary. See the first bug below for more information. + +#### Enhancements: + +Connectors and Integrations + +- The Usercube-Discover-ActiveDirectory tool has been enhanced to determine the domain controller + closest to the agent. + +Logs/Performance/Security + +- Certain, less important, "Warning" messages displayed in the logs have been downgraded to the + debug level. + +#### Fixed Bugs: + +- Connectors and Integrations + + - To prevent a loss of tracking abilities for resetting passwords, the default appsettings has + been changed from: `./tracked-accounts-{system-identifier}.csv` to + `Temp/tracked-accounts-{system-identifier}.csv` + - The Export-ActiveDirectory tool now tries several times to synchronize an AD's content, even + in cases of server-side timeouts. + +- Jobs and Policy + + - In certain cases, blocked provisioning orders were not disappearing from the Provisioning + Review screen once they were unblocked. This has been corrected by removing + AssignedResourceNavigations that were linked to deleted resources. + - Sometimes, the same resource would have two consecutive provisioning review tasks. Now, the + provisioning reviews are fused together. + - In a case where a ResourceType is updated by a navigation rule and the role review is still + pending, the resource will now no longer appear on the list of pending provisioning review + items. + - Correction for authorized resources with correlation confidence levels of 100%, that under + certain conditions, were being considered as unauthorized. 
+ - In some cases, where a resource is inferred only indirectly by roles instead of by a direct + rule, a role waiting for approval could trigger the resource deprovisioning. + - Sometimes, when several jobs are scheduled at exactly the same time, only one of the jobs was + executed. Now, each job is executed one after the other. + - The job locking mechanism which prevented manual jobs from being executed at the same time has + been removed. + +- UI + + - Previously, the ResourceType attributes, AllowAdd and AllowRemove, were only taken into + account when the ResourceTypes were controlled by automatic assignments. Now, they are also + taken into account with manual assignments in the UI. Specifically, + - On the permissions screen when the associated resource type has `AllowRemove="false"`: + - For manually assigned resource types: the Delete and Deny buttons are disabled + - For automatically assigned resource type: the Deny button is disabled + - On the "Add Permissions" screen, resource types that have `AllowAdd="false"` are not displayed + +- Workflows and Access Control + + - In multi-position HR systems, new positions for an existing user are now generating an update + workflow instead of incorrectly re-creating the user. -In the Identity Server, the public + origin parameter has been reintroduced to assist with authentications using proxies and a mix + of http and https. + +- Other + + - When importing the configuration, the error message "An item with the same key has already + been added." was sometimes shown. Now, these duplicate key exceptions are handled better. + +## Version 5.1.7.7 + +Release date: 18-May-2021 + +#### Fixed Bugs: + +- Connectors and Integrations + - Optimizations for LDAP exports and AD synchronizations. +- Jobs and Policy + - The scheduler now works properly with the `CronTimeZone` attribute set to `ServerTime`. + - The end date for a pre-existing assignment now updates when the user's end date is updated. 
+ - Manually-given composite roles can now be removed without any issues. + - An agent can now execute only one job at a time, preventing conflicts. A second job that + starts while one is already active, will quickly end in an error state. + - The job scaffolding now correctly interprets the `FulfillInternalWokflow` command. +- Logs/Performance/Security + - Logging out now functions correctly when an external login has been used. + - Corrected the logout problem for Okta authentication with Open ID Connect + - Added new Option for OpenID section to save the ID_Token + - When the certificate password contains an `@`, and the password is unencrypted in the + appsettings file, it is now interpreted correctly as long as the `P@ssword` is introduced with + an `@`. Example: `"Password": "@P@ssword"` + - Added a home page for Usercube-Agent, to verify the correct setup. +- UI + - Date formats are now correctly displayed in DisplayTable Tiles + - The Collection property can now only be displayed if the output/input type is + collection-compliant according to the property's current read/write mode: + - if the form is read-only or the control associated to the property is read-only or the + property itself is read-only: the collection property must have the �BasicCollection' + output type to be displayed. + - if the form is in write mode and the control associated to the property is not read-only + and the property itself is not read-only: the collection property must have the �Picker' + input type to be displayed and editable. + - Multi-valued properties are now displayed as added or deleted on the Workflow Overview page. +- Workflows and Access Control + - Fixed a bug where the password reset notification email for Active Direcotry accounts was + displaying the DN instead of the sAMAccountName + - Corrected an error on Access Policies, Access Roles, Access Rules and Risk pages when the user + had only read-only permissions. 
+- Other + - When recuperating Access Certification Campaign filters, empty result sets are now properly + handled. + - With API calls related to resources, it is now possible to set a null value. + +## Version 5.1.7.6 + +Release date: 20-Apr-2021 + +#### Fixed Bugs: + +- Connectors and Integrations + - The agent now sends compressed data to the server when synchronizing a connector, thus + reducing the upload time and the bandwidth usage. +- Jobs and Policy + - Inferred navigations are now in an automatic state after reconciling a resource with the role + model. + - Pre-existing resource type reconciliation now correctly passes the state to automatic when the + role model value is chosen. + - On the resource reconciliation screen, a recategorized resource with no owner now correctly + has a �Verified' provisioning state and a �Manual' workflow state. + - For permissions, an assignment in a cancellation state is now correctly overridden by a new, + automatic assignment. + - Fixed a regression in the Compute-Role-Model algorithm so that properties are no longer marked + as non-conforming. +- UI + - Read-only multi-valued collections can now be displayed in: + - workflows/activities for simple resources without records (Location, Company for example) + - workflows/activities for resources with records: only in the main resource section + - Correction made to multi-valued pickers so that all elements are properly deleted when + unselected. +- Workflows and Access Control + - The password reset notification emails for AD Accounts were sometimes displaying the DN. Now, + the sAMAccountName is shown. + - Emails for password reset now correctly show accented characters in the subject line. + +## Version 5.1.7.5 + +Release date: 30-Mar-2021 + +#### Enhancements: + +New - Mono-Profile Application Management feature: A new property `GroupByProperty_Id` has been +added to support this feature. 
It is used to regroup navigation resources (resources used in +navigation rules) by value. When defined, the Evaluate policy will enforce that one and only one +item of a group can be assigned to an identity for a given date range. + +Whenever the value of this property changes for a resource used in the defined navigation rules, the +**Server** needs to be restarted in order for the changes to be taken into account. + +#### Fixed bugs: + +- Connectors and Integrations + - During certain large synchronization jobs, the error "Unable to read data from the transport + connection: An existing connection was forcibly closed by the remote host" should no longer + appear. +- Jobs and Policy + - On the job screens, the counters are now correctly calculated. Additionally when a job has + been re-started and finished, the counters correctly indicate all the steps of full job. + - When the database is initialized, missing accounts had their navigations marked as + "Pre-existing" but not the accounts themselves. As such, they could not be reviewed in the + Provisioning Review. Now, all of these accounts can be fully reviewed. + - Binaries are now correctly handed by the SavePreExistingAccessRights task. + - The Resource Reconciliation screen was displaying accounts with unchanged groups for some + pre-existing memberships. Now, the role model evaluation correctly clears theses cases. + - Correction made to the SavePreExistingAccessRightsTask when custom SQL queries are used to + refine the permission set that needs to be updated. + - Non-conforming navigations now start on the detection date instead of on the owner's start + date. + - On non-conforming accounts, all scalar properties that were different from computed ones were + marked as non-conforming except for those without a value. Now, all differences are marked as + non-conforming. + - Correction made to fix SQL deadlock issues when cleaning orphan assignments. 
+ - Mark source scalar/navigation properties as "Manual" when the target is updated from + workflows. +- Logs/Performance/Security + - Logging out now functions correctly when an external login has been used. + - Correction made to the quantity of historical data that was being saved in the UP_Assigned\* + tables. +- UI + - On the "View Permissions" workflow page, in simplified view, declined permissions are now + hidden. + - When selecting permissions, previously declined permissions are now indicated with an "X" and + the tool tip message has changed to indicate that the role has been previously declined. + - At the end of a review step of a workflow, after adding someone in the "CC" field and then + returning to the permissions page, an error was thrown. This situation was corrected. + - Correction for errors that were occasionally appearing while loading a user's permission page. +- Workflows and Access Control + - When assigning a profile, a different email address can be specified for notifications. This + address is now taken into consideration for Role/Provisioning review notifications. + - The aspect, `AssertValueRequired`, now correctly manages multi-valued navigation properties + during modification. + - An error is no longer thrown when an actor who receives a forwarded workflow tries to delete a + manual role. + - Any data search, with a filter on a sensitive property, was directly denied to prevent any + information leaks. Now, the motor queries to see if the filter is a superset of the sensitive + property access filter, in which case it will allow access. + - If a record's end date is set to the past in the request step of workflow, and the record + filter is `CurrentAndFuture`, the modified record was not shown in future workflow steps. This + has been corrected, so modified records will be visible in all steps of a workflow despite the + record filter. 
+ - If a workflow reviewer's email address is an empty string, an error was thrown when finishing + the workflow's request step. Now, nulls and empty strings are handled without errors. + - Assigned profile contexts will now be correctly emptied when values are deleted. + +## Version 5.1.7.4 + +Release date: 16-Mar-2021 + +#### Fixed bugs: + +- Correction for an error message "default value cannot be null" when running certain executables. + +## Version 5.1.7.3 + +Release date: 12-Mar-2021 + +#### Fixed bugs: + +- Connectors and Integrations + - Corrected English/French language confusion in the password reset/initialization notification + template. + - Correction for a concurrent process issue when doing TSS Exports. + - Correction for a null reference exception in the LDAP Export Task when it is configured + manually and not all required arguments are provided. + - Correction in the calculation of the ExportRACF task identifier that generated an error when + adjusting a scaffolded job by adding a new task before or after ExportRACF. +- Jobs and Policy + - Canceling pre-existing role assignments after an owner's departure now works correctly. + - Correction for a regression where agent-specific tasks could not be scheduled by the agent + that is included in the on premises server. Jobs were still executed correctly when run from + the UI or another agent. + - In QueryRules with a C# TargetExpression, the correlation keys are now correctly fetched using + a better SQL filter. + - Non-conforming group membership was not cleaned up once a rule assign had automatically given + a group to an account. Now, these memberships are marked as Automatic and are no longer + displayed in the Resource Reconciliation. +- Logs/Performance/Security + - Included a better error message in the configuration import tool when an added task is not + present in the configuration. 
+ - Improvements to database locking mechanism to prevent errors during jobs + - Some of the LDAP requests sent when creating a new AD account and initializing its password + were not logged. + - General performance enhancements +- UI + - Fixed an incorrect BasicCollection display while viewing resources with records. + - On the Workflow Overview page, active changes to past records are still shown even when the + RecordFilter is set to Current or CurrentAndFuture. + - When opening an existing QueryRule, all the QueryRule properties are now visible +- Workflows and Access Control + - Access control filters are now correctly applied in all steps of a workflow. + - In a Review workflow step where the workflow was transferred, the problem with the + recalculation of the actors has been fixed. + - Review notifications, for both role reviews and provisioning reviews, are now correctly sent + to second or third level reviewers. + - On role review emails, the subject line no longer shows HTML encoded characters. + +## Version 5.1.7.2 + +Release date: 26-Feb-2021 + +#### Fixed bugs: + +- Connectors and Integrations + - In an Active Directory for a complete synchronization, all group members are now retrieved. +- Jobs and Policy + - Addition of a new API version guarantees backward compatibility between older agents and a + 5.1.7.X server. + - Restarting multiple blocked synchronization tasks now works correctly. + - Corrected a problem where, when starting a job, the agent didn't have enough visibility about + server actions to correctly report the status. +- Workflows and Access Control + - It is again possible to save a workflow from the first tab/step. + - Review Provisioning/Roles notifications: assignment start and end dates are now accessible in + the AssignedItem model. + - Certain bindings from aspects/expressions were not handled correctly, now the correct + properties will be loaded for the UI. 
+ +## Version 5.1.7.1 + +Release date: 19-Feb-2021 + +#### Fixed bugs: + +- Connectors and Integrations + + - On the Manage Account screen, clearer messages have been introduced when password related and + unlock problems occur. + - On the Manage Account screen, a default regex expression for measuring password strength is + now used when the configuration lacks the setting "PasswordTests". + +- Errors/Logs/Security + + - Correction for a regression where the agent could not start when `EncryptFile` was set to + `false`. + - For RoleReview and RoleReconciliation, permissions are now also verified server-side. + +- Jobs and Policy + + - Confirming an "Unreconciled property" now performs the correct operation. + - Correction for a deadlock issue when running the Compute-Role-Model executable. + - Correction for a situation where the scheduler was periodically stopping. + - Correction for the primary key constraint violation when computing the role model. + - Correction to the provisioning policy where found or historical assignments, with a + correlation score of less than 100, gave errors. + - Correction where the creation of a new nested entity threw an exception. + - Entity Property Expression will now correctly delete the link between two entities. + - In the Provisioning policy, found resource properties are no longer marked as Auto, instead + they are now marked as Found in order to reflect the workflow state of the resource. + - Manual roles are no longer deleted until all the inferred roles are obsolete. + - Removal of the button "Retry" in Jobs and JobInstance screens that could cause data + duplication. + - The argument, WorkflowIdentifier, was not taken into account by the ProvisionerWorkflow. + - The Provisioning Policy now removes links between entities if the data does not, or no longer, + exists. + - Correction made to the AddTask instruction that now permits adding a Task in the first + position of a job. 
+ +- UI + + - Adding a multi-valued property to a record no longer produces an error. + - Correction made on the creation of a new entity where the "Picker" input type was not properly + working. + - Fixed an inversion of FilterBinding and LinkedBinding that caused an error in some situations. + - On the Role Review screen, an issue was corrected for mismatched lines. + - On the workflow supervision page, a regression has been fixed when viewing a deleted entity. + - The screen pagination on no longer ignores some items. + - Tool-tip result explanations in French were missing for certain job tasks. + - Many similar SQL queries were executed each time the permission page was opened and when a + workflow request was submitted. The UI could display "Timeout" error messages occasionally. + Now, these duplicate queries have been removed. + +- Workflows and Access Control + + - During a workflow review, the position table is now refreshed when updating/selecting values. + - When submitting a workflow, the access control layer could prevent changes computed by + expressions or generated by aspects. Now, only the user changes (from the UI) are checked. + - A role added in a workflow request step can now be deleted in the review step without error. + - Correction for the situation where, when using the `WorkflowNotification` permission with a + specific email address added to a profile assignment, notifications were ignoring the specific + address and still going to the user's normal address. + - To correct a problem in the BuildUniqueValueAspect where it was impossible to obtain Entity + information from an associated Record, a new key "ResourceIdToCopy" was added in the + configurable argument dictionary, in the ArgumentExpression of the ResourceType attribute. The + value of this key must be a long in a string format. If this value is present in the + dictionary, the resource created by the workflow provisioner will be a copy of the resource + with the ID of the value. 
+ + Configuration example: + + ``` + + + ``` + +- Other + + - A correction was made for the date serialization. + - For the query module, the command timeout has now been set to 20 seconds to avoid server + problems. + - Query module: SQL optimization to reduce FULL joins. + +## Version 5.1.7 + +Release date: 14-Jan-2021 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[Migration](https://extranet.usercube.com/5.1/5.1.7/Documentation/migration-guide/) section must +therefore be followed IN THE ORDER INDICATED. + +#### Enhancements: + +- Connectors and Integrations + - New attribute types are available for Active Directory, LDAP, OpenLDAP and ServiceNow Exports. + - If any export fails (because an exception occurs or a task is stopped), the output files are + deleted to prevent corrupted and/or incomplete data. + - Microsoft Exchange Export functionality for incremental and complete synchronizations is now + available. + - Orphan associations can now be exported to a CSV file using a new `Orphans` attribute on the + `SynchronizationTask`. See the + [documentation](https://extranet.usercube.com/5.1/5.1.7/Documentation/integration-guide/toolkit/xml-configuration/jobs/tasks/server/SynchronizeTask) + for more information. + - Added a NoSigning option to the Export-LDAP which deactivates the Kerberos encryption when + using the �Negotiate' authentication type. + - Binary properties can now be synchronized and provisioned. + - Added the ability to select the NameId format in the Saml2 Settings +- Errors/Logs/Security + - Improved error messages during AD synchronization. + - Improved error messages when parameters passed to an API method are invalid. + - New database maintenance and diagnostic tools have been created. +- Other + + - The risk management module has been improved. When creating a risk, an Exemption Policy must + be chosen. 
Available options are: + + - _Warning_: A simple warning is displayed when adding a new role creating the risk. The + user can choose to continue or cancel the action. + - _Blocking_: The role creating the risk cannot be added. The user can only cancel the + action. + - _Approval Required_: The role creating the risk must be approved before continuing on with + the classic role approval workflow, if any. (NOTE: this option is only available if the + risk module has been purchased.) + ![RiskCreation](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.7.riskcreation.webp) + + On the "Add permissions" page, the "Risk" popup has been reworked to display all risks + and their exemption policies. + + ![RiskPermissionPopup](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.7.riskpermissionpopup.webp) + + On the "Role review" page, if the risk module has been purchased, it is now possible to + filter on roles with a risk that are waiting for approval. + + ![RiskFilterOnProvisioningReview](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.7.riskfilteronprovisioningreview.webp) + + - A new task now exists to determine if any workflow instances have been executed, and if so, + the agent can execute a PowerShell script accordingly. + + Here are several examples: + + ``` + + + ``` + + and / or + + ``` + + + ``` + + - Retrieval of many of the entity types used by the UI has been optimized: + + - Rules + - Role Review + - Role Reconciliation + - Provisioning Review + - Resource Reconciliation + - Manual Provisioning + - Workflow Review + - Workflow Supervision + - Access Certification Campaign (edit dialog box) + - Identified Risks + + - Performance enhancements for front-end queries related to role parameters. 
+ - The tool �Usercube-Create-ConfigurationIndexes' has been renamed as + �Usercube-Manage-ConfigurationDependantIndexes' and includes the maintenance and deletion of + indexes according to configuration changes. + - All API methods based on a �squery' have two new optional parameters: + + - `PageSize` + - `ContinuationToken` If `PageSize` is specified (`top` must not be specified in the + squery), the response will contain a `ContinuationToken` which can be used to get next + items + + - The subject prefix indicated at the end of a Workflow is predefined, but is now also + modifiable. + - Improvements in managing UI translations: + + - activity template state: is the display name used in Workflow Overview + - default access certification campaign policy: is the display name used in Access + Certification Campaign + - InternalDisplayName property: is shared by all custom entity types, and used in the table + view list when no display table is defined. The header displayed for the unique table + column is the identifier "InternalDisplayName" because no display names are defined for + this property. + + When deploying the configuration, if the languages have been changed (or if the update is + forced using the corresponding option), the display names are updated according to the + configured languages. + + For now only two languages are supported, English and French. If there are no translations + defined for one of the configured languages: + + - in the case of the primary language, the display name is set to the default translation + (English). + - otherwise the display name is empty + + To update the database, deploy the configuration with the `--force-translations` option. + +#### Fixed bugs: + +- Connectors and Integrations + + - When using the scaffolding to create a job with the FulfillToServiceNowTicket task, a + ServiceNowUpdateFulfillmentState task is now added. If the resource is created internally an + UpdateExpressionTask is also added. 
This corrects a problem where the correlation task wasn't + started and so synchronized resources could not pass to a verified state. + - Synchronization will no longer be blocked by duplicated unique keys, the first one will be + used. + - Improvements when parsing CSV files + - OpenId: added a new attribute to the "OpenIdSetting" to set the requested scopes. + - SCIM: the provisioning of booleans has been fixed. + +- Errors/Logs/Security + + - Display a warning if a scalar property, which is not a neutral definition, does not have a + correct TargetColumnIndex + - When importing the configuration, a new verification on `Indicator` checks if the `Item` + values are coherent with respect to the property to which the `Indicator` is bound. + - When a scaffolding configuration is incorrect, the file and line number are now displayed in + error messages. + - An exported configuration that is re-imported now respects menu items and form control + hierarchies. + - The typo QueryHander has been fixed and is now correctly QueryHandler. + - When importing the configuration, an improved error message is given when a role is not found. + - Reintroduced an option, where when deploying the configuration, we could choose to replace + Language1 by Language2: `--use-l2`. + +- Jobs and Policy + + - TimeOffsetReference "After" now works correctly to keep a single role until the end date of an + entitlement that is inferred by it. + - When running a job, the log instance can now be opened without errors. + - The Update-TreeDimensionHierarchies Task has been moved inside the motor and has been deleted + as it no longer needs to be called explicitly. **Warning**: If this task has been manually + added to a scaffolding with the `AddTask` instruction, the automatic migration doesn't work + for this case and will need to be deleted manually. + - On review and reconcile pages, the "Keep Current value" option now works correctly for AD + resources when a change to the parentDN is proposed. 
+ - The policy repository now loads correctly with the automatic roles that required validation. + - With large role models, ComputeRoleModel manages memory usage better. + - QueryRule expression values are now case sensitive on the permission modification page, + previously there were inconsistencies in case comparisons between the simulation presented on + the permission page and the real provisioning. + - Correction for the creation and update of a resource for a simple entity in Fulfill Internal + workflow. + - Correction for a problem where, during a provisioning review with a resource correlated at + less than 100 percent, choosing to create a new resource gave an error. + - Fixed an exception thrown by FulfillInternalResources with sent orders previously created. + - Enable the AssignedProfile task in the Complete Job's scaffolding. + - Corrected a problem where ambiguous correlations (multiple accounts matching the same rule) + were not properly handled. + - Corrected the CreateInitializationJob scaffolding when two agents are present in the + configuration. The scaffolding now takes the agent specified instead of the first agent. + - The alias �force-synchronization has been changed to �force-synchronization-provisioning for + Usercube-Invoke-Job and Usercube-Invoke-ServerJob. **Warning**: This is currently a rupture, + but only for PowerShell scripts. It will be handled for ascending compatibility in the planned + 5.1.7.1 release. + +- UI + + - In search bar filters, true/false filters now correctly return true/false and not "undefined". + - An aspect error on a read only field is now correctly displayed in the user interface. + - On the Workflow Summary and Workflow Overview pages, an incorrect display of the owner under + certain circumstances was fixed. + - On the Query page, corrected a blank page error when the universes had not been correctly + fetched. + - Dates with a value of 0 are now displayed as �Never (0)'. 
+ - Fixed the display of declined inferred roles on the permissions page. + - There is no longer an error raised after selecting a user, viewing their permissions, + selecting a resource type and then clicking on the overview section to see the history. + - Pagination in Access Certification Review screen has been fixed. + +- Workflows and Access Control + + - Improved behavior of Workflow AddAndEndRecordEntity: now, according to date changes, records + can be copied, updated or deleted instead of ending all records and creating only one record. + - On the WorkflowAddRecordEntityForm, the first record is now selected by default + - The HideRecordRemoveButton on workflows has been updated: + + - "false" (the default value) indicates that any record can be deleted (as long as at least + one exists). + - "true" indicates that records from previously completed workflows should not be removed, + so the button is hidden for these older records but is still available for records + manipulated in the current workflow. + + - Correction for an error when CC'ing someone at the end of a workflow. + - Multiple `` of type "Expression" can now be defined in an notification aspect. + - Fixed a bug where deleting a user before completing the user entry workflow gave an error. + - Improvements that take into account changes induced by Aspects. + - Correction for `` tag now permits configurations such as + + ``` + + + ``` + + to replace the SQL scripts used in the Initialization jobs, among other uses. + +- Other + + - Correction for a date issue where a certification campaign ended a day too soon. + - Correction for the QueryHandler method which prevented the use of dynamic values in squeries. + - SQL fragmentation by the Provisioning Policy has been reduced. + +## Version 5.1.6.2 + +Release date: 9-Feb-2021 + +#### Fixed bugs: + +- On the Role Review screen, an issue was corrected where the lines were mismatched. 
+- Correction for a regression where the agent could not start when `EncryptFile` was set to `false`. +- The agent scheduler can now correctly interpret the workaround permitting its use with a Usercube + certificate. +- For the query module, the command timeout has now been set to 20 seconds to avoid server problems. +- The argument, `WorkflowIdentifier`, was not taken into account by the Provisioner Workflow. + +## Version 5.1.6.1 + +Release date: 8-Jan-2021 + +#### Fixed bugs: + +- Correction for the CreateConnectorJob scaffolding where the NoSynchronization argument was + ignored. +- Fixed a problem with resetting the password from the user interface in a distributed installation. +- Synchronization compatibility for older agents has been restored. +- Fixed a bug in Compute-Role-Model that was causing LoadWith to throw an unauthorized exception. +- The provisioning policy now correctly overrides correlated resources with the most recent changes. +- Assigned resource scalars and types were incorrectly updated when Compute-RoleModel was run twice + in a row. +- Correction for the situation where rules with dimensions were no longer loaded when initializing + RoleRecovery (only rules without any dimensions were taken into account). +- Filters on Categories with AccessControlRule for AccessCertification now function properly. +- The WorkflowState is now correctly updated when a 'non-conforming' scalar/navigation finally + matches the role model rules. +- General security fixes. + +## Version 5.1.6 + +Release date: 16-Nov-2020 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the documentation's +[�Migration' section](/docs/identitymanager/6.1/identitymanager/migration-guide/index.md) must therefore +be followed IN THE ORDER INDICATED. + +For enhanced security, we are now checking to see if a custom SSL certificate is being used. 
In the +case that the Usercube certificate provided in the SDK is still is being used, there will be an +error when starting the server. + +To continue to use the Usercube certificate in non-production environments, add +`"AuthorizeUsercubeCertificate": true,` to appsettings.json files at the root. + +#### Enhancements: + +- UI + + - Improved the view for the manual provisioning screen so that it clearly shows the actions to + be taken. + ![ManualProvisioning](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.manualprovisioning.webp) + - Added a filter in Reconciliation Review screen in order to filter by inferred / not-inferred + permissions. Leaving the filter at its default "not-inferred" setting shows only permissions + that were NOT automatically mapped to roles (so that permissions mapped to roles can be + handled on the Role Reconciliation screen). + ![InferredFilter](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.inferredfilter.webp) + - The screen for reviewing assigned resources type has been improved. Now, when a user opens the + dialog for an unauthorized account, all properties to be verified are in read-only mode + because the recommended action is the deletion of the account. If instead, the user chooses + "Authorize Account", a pop-up warns that there are properties to be verified. Once verified, + the choice "Confirm Account Authorization" is available. + ![UnauthorizedAccount](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.unauthorizedacct.webp)![UnauthorizedAccountProperties](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.unauthorizedacctproperties.webp) + - Previously, a user could not add permissions if another, exactly identical permission with the + same dates existed. 
Now, the dates are not simply compared, but the date ranges and conflicts + or overlaps between permissions are displayed as permissions are added. + ![ConflictingDates](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.conflictingdates.webp) + - On the permissions page, if an assigned resource type or its properties are pre-existing or + non-conforming, the consolidated state column now adds the information in the tooltip message + and the icon also shows the status as either pre-existing or non-conforming. + - Display a minimum amount of information when a resource processed in the workflow has not yet + been created or no longer exists in the database. + ![ChangeSummaryDeletion](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.6.changesummarydelete.webp) + +- Workflows and Access Control + + - Emails related to Role Model notifications can now be filtered based on Access Control + Entries. In an AccessControlEntry, we have an existing flag, `Notify`. By default, this value + is set to true, and the user is notified when a task corresponding to this permission needs to + be performed. It can be set to false to prevent the user from receiving notification mails. + See the following example which prevents role review emails from going to the + "RoleOfficerSpecific" profile. + + ```xml + + ``` + + - Enhancements to the FulfillInternalWorkflow: + - correction made for deleted provisioning orders that weren't working. + - when multiple records change for the same entity, all changed records are now taken into + account, not simply the first one found. + - a new case is handled for deletions: if an entity and all of the entity's records are in + delete mode and no kind of "deletion date" is detected in the fulfill configuration, the + resources will be deleted and not updated. 
+ - Workflow notification e-mail subjects are now prefixed with information about the relevant + resource: + - In case of a creation workflow, the prefix is a pseudo-display name, computed from the + form's raw data, of the resource to be created. + - In case of an update workflow, the prefix is the internal display name of the resource + being modified. + - A workflow's subtitle now also displays the same prefix. + - Added a possibility to filter on Categories with AccessControlRules for AccessCertification. + +- Connectors and Integrations + + - New Workday connector for exports. The two modes, incremental and complete, take into account + all entities (workers, locations ,job positions etc�). + - The SCIM connector can now do a partial incremental synchronization. With this new + functionality comes a new optional attribute, SyncCookiesFile. SyncCookiesFile specifies the + path of the cookie file used for incremental synchronization. Example: + "C:/identitymanagerDemo/Sources/example_cookie.bin" See more information in the documentation: Home + Page > Integration Guide > Connectors > SCIM + - Password Reset Improvements + - Added the ability to set a static CC recipient email address for password reset + notifications (per resource type). + - In password reset notification emails, the resource type name is now displayed. + - The SharePoint connector now synchronizes multiple SharePoint sites and provisions account + membership modifications. + - The connector generator can now handle larger CSV files. + - SSL is now available for OpenLDAP Exports (with new attributes in the OpenLDAPSetting). + - Usercube can now use certificates with CyberArk AAM to secure the password retrieval. + - New Azure Key Vault configuration for appsettings.json on both the Server and Agent sides. + +- Jobs / Policy + + - Two new options for the Invoke-Job command: + - option `--task-type`: Tasks of this type are launched first. 
+ - option `--task-string-contains`: Launches all of the tasks having an identifier containing + the given value. + - A new argument, `PrincipalDataConnector`, for the InitializationJob scaffolding has been + introduced. If this argument is used, the last ComputeRoleModel and + UpdateEntityPropertyExpressionsTask of the initialization job will contain all the entities of + the specified connector. See the documentation for more information. + - On the jobs screen, a new button "Retry" exists if an incremental job finishes with warning + state or in an errored state. This button will relaunch the incremental job in complete mode. + - Added a file format encoding attribute for InvokeSqlCommandTask. See the documentation for + more information: Home > Integration Guide > References > Tasks > Server > Export > + Usercube-Invoke-SqlCommand. + +- Optimizations + + - Added a new scaffolding type, `OptimizeDisplayTable` that optimizes a DisplayTable's + performance (using computed expressions instead of navigation bindings). See the documentation + for more information. + - Added a new attribute to use the SQL resource governor for all jobs and tasks, + `ConnectionStringGovernor`. See the documentation for more information. + - A new method for storing historical data that reduces the index fragmentation of the Resource + table has been introduced. 
+ - A new tool, `Usercube-Create-ConfigurationIndexes`, has been created for optimizing the + database by analyzing a specific configuration and adding the related and necessary SQL + indexes and statistics + - UI back-end queries have been optimized on the following screens: + - Role Review and Reconciliation + - Provisioning Review and Resource Reconciliation + - My Tasks + - Queries + - Identified Risks + - Access Certification + - Manual Provisioning + - Job Execution + - Access Policies, Roles and Rules + - API calls when starting the application + +- Tools + + - The generate configuration tool can now read encrypted data files. See the documentation: + Home > Integration Guide > References > Tasks > Server > Tools > Generate Configuration + - The Export configuration tool now has a new attribute `--use-resource-key` (or `-rk`). If + used, a resource reference will now be exported as a key (the resource used corresponds to the + property marked `IsKey` in the entity model) instead as an internal id. (This makes importing + the exported configuration into another database possible, but it is not the default setting + to avoid performance issues.) Ex: ` Integration Guide > + References > Tasks > Agent > Tools > Usercube-Update-ActivityInstanceActor. + - When processing notification aspects for the same permission using the "Profile" recipient + type, certain access rules are no longer skipped. + - Dates displayed in emails sent for Access Reviews now show the UTC value (which corresponds to + what is visible on the Access Review screens). + +- Connectors + + - Correction for a problem where csv values exported from RACF were incorectly mapped to user + information. + - A binary property (like photos) can now be updated via synchronization. 
+ - Correction for an exceeded size limit error when synchronizing with a big data sample + - Job scaffoldings have been fixed for a situation where a connector that used two different + information systems for two different task types did not correctly attribute the parent. + - When loading a CSV file, values exceeding the database column length limit are now truncated, + and a warning is displayed. + - Safety levels have been reduced when performing inserts, deletions or updates on lines or + links with synchronization and provisioning. The new values are described in the + documentation: Home Page > Integration Guide > References > Data model > Connectors > + Connector. + - Fixed a bug where the password initialization fails on LDAP connections when using the + "TwoWay" Mode + - The ActiveDirectoryUseStore section of appSettings.agent.json has been moved to the + Authentication section to harmonize setting locations. This change will be applied with the + migration tool. + - The ServiceNow connector can now write fulfillment tickets to ServiceNow's incident table. + `ServiceNowTicketUpdateFulfillmentStateTask` has been added to the scaffolding with a + following `UpdateEntityPropertyExpressionsTask`. + +- Jobs / Policy + + - Correction for the AddTask argument when two or more tasks have been added before or after + same task. + - Added an optional flag `Dirty` which provides the possibility of using a "dirty" (or modified) + attribute with the FulfillInternalResourceTask in the configuration. + - Invoke-SQL, when exporting to a CSV file, now correctly formats data types. + - When a job finishes with a blocked state and when two or more tasks are blocked, the Relaunch + button now re-starts all blocked tasks and not only the first task. + - When a non-conforming single role is found, the AssignedResourceType is now set properly. + - The UpdateParametersContextDisplayNames task now manages configurations with either zero or + one dimension. 
+ - The Policy gives more predictable results when correlating resources in the cases where users + have several types of resources that could belong to them. + - Correction where the IndirectResourceRule was not generating the appropriate role + reconciliation tasks. + - Provisioning orders are now only generated for Applied, Executed, Sent, or Pending assignments + and not for Errored or Blocked assignments. + - Corrected a problem where non-conforming permissions didn't correctly pass to conforming when + the appropriate rules were added. + - A provisioning order will no longer be generated when a resource does not have any properties. + - The Classification Job was updated to clean assignments correlated by the Provisioning Policy, + preventing multiple assignments of the same resource. + - The Provisioning Policy now refreshes correlated resources that have been found and updates + the correlation score accordingly. + - Assigned roles with missing parameters are now correctly handled and computed if/when the + parameters are provided. + - Deleting a policy now properly deletes all its corresponding items (after a warning message). + - For identified risks, the owner filter definition has been clarified. + +- Configuration Deployment / Error handling / Logs + + - The configuration deployment tool is more robust. It now verifies + - that all agents are the same inside a job and inside a task. + - that an EntityType's name is not a reserved name. + - the xml attributes for SelectUserByIdentityQueryHandlerSetting and + SelectPersonasByFilterQueryHanderSetting + - whether entity types and entity properties have spaces and if found, a clear error message + is given. + - ResourceViewRecordEntityForms to make sure that the RecordSortProperty attribute is a + scalar property. + - if an element has a property defined more than once (with same identifier) + - that TileItems and DisplayTablesColumns reference mono-valued column bindings. 
+ - that a main language is specified. + - Better messages or error handling for + - situations where role approvers don't have email addresses. + - when files used for synchronization have a bad encoding. + - the InvokeSQLCommand task errors, thereby forcing the corresponding job to end in an + error. + - problems during Prepare-Synchronization: the filename is now displayed. + - a situation where RessourceType is detected as being in a cyclic graph in scaffolded jobs. + - missing permissions when a user's authorization fails for a certain action. + - Error management has been enhanced in the configuration deployment tool: multiple errors can + now be displayed. + - In job logs, the arguments related to passwords (certificates, password, secret�) are now + hidden. + - Mail settings information is now displayed when the Usercube server starts. + +- Other + + - Correction for an LDAP authentication timeout issue after a long idle period between + connections + - The base32hex naming convention now has a dedicated page in the documentation. See Home Page > + Integration Guide > Applicative Configuration > Miscellaneous + - Increased security for photo uploads. + - Renamed SelectUserByIdentityQueryHanderSetting to SelectUserByIdentityQueryHandlerSetting. + This is handled in the migration tool. + +## Version 5.1.5.1 + +Release date 2020-10-05 + +#### Fixed bugs: + +- For LDAP connectors, the objectClass filter can now correctly handle multiple values. +- For a connector typed as ActiveDirectory, we now check for the existence of the + PrepareSynchronizationTask and SynchronizeTask. +- Correction for a case where, in an installation scenario with a remote agent, the agent attempted + to query the database directly instead of querying the Usercube server's APIs. +- Correction so that the agent-side task, ActivityInstanceActor, updates the workflow instances in a + job. 
+- The incremental synchronization now correctly ignores changes made to attributes that are not + specified in the configuration. +- Correction to correct the quantity of historical data being saved in the UP_Assigned\* tables. +- To prevent synchronization errors, attributes that are too long are now truncated at the size of + the column. +- Correction for incorrectly interpreted empty values when, under certain conditions, the Review + tasks for the WorkflowUpdateSeveralRecordsEntityForm with no PersistDraft Activity, was giving a + blank page. +- For a ResourceType, the ArgumentsExpression now evaluates the correct target entity type. + +## Version 5.1.5 + +Release date: 2020-09-15 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the following section must +therefore be followed IN THE ORDER INDICATED. + +#### Migration steps: + +1. Stop server +2. Rename the existing Runtime folder to �RuntimeOld' +3. Install the new runtime from �Runtime_XXXX.zip' +4. Migrate the database: + + `Usercube-Upgrade-DatabaseVersion --connection-string "database connection string"` + +5. Migrate the appSettings: + `Usercube-Upgrade-AppSettings --input-path "old runtime directory" --version 5.X.X -�connection-string "database connection string"` + (where 5.X.X is the "MigrateFrom" version) +6. Migrate the configuration: + `Usercube-Upgrade-ConfigurationVersion --version 5.X.X --xml-path "source conf path" --output "target conf path"` + (where 5.X.X is the "MigrateFrom" version) +7. Optional: Deploy-Configuration: + `Usercube-Deploy-Configuration -d " conf path " -s "database connection string" -e` (Without + redeploying the configuration new features will not be taken into account.) +8. Start server + +> Note: +> +> - Risk scores are included in our new Risk Management Module. Only Segregation of Duties risks are +> present with the basic license. 
+> - For SaaS installations, the agent must be upgraded to benefit from a bug correction related to +> password resets of existing accounts. +> - For API calls, make sure to enter the new versioning attribute mentioned lower down in the +> release notes: �api-version'=v where v is the API version. Currently all API verions are at 1.0. + +#### Enhancements: + +New UI features + +- New display indicators are available to indicate certain resource attributes (for example: VIP, + External, High Risk etc). + ![DisplayIndicator1](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.displayindicator1.webp)![DisplayIndicator2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.displayindicator2.webp)![DisplayIndicator3](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.displayindicator3.webp) + Each indicator is configurable: + +``` + + +``` + +- Role parameters are now suggested based on a user's existing permissions and job specificities. + ![RoleParamterSuggestions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.roleparamsuggestions.webp) +- Introduction of a new page that lists all identified risks. + ![IdentifiedRisks](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.identifiedrisks.webp) +- Approval comments can now be set at the access policy level. The default values are: + - for approvals: Optional + - for rejections: Required + - for deleting a non-conforming permission: Optional + - for keeping a non-conforming permission: Required These access policy comment requirements can + also be overridden at the role level. 
On the policy configuration screen: + ![CommentMgmt.Policy](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.commentmgmt.policy.webp) + On the role configuration screen: + ![CommentMgmt.Role](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.commentmgmt.role.webp) +- Secondary categories are now displayed in the role detail dialog. + ![SecondaryCategory](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.secondarycategory.webp) +- In the role reconciliation list view, a new column with the date of detection has been introduced. + By default this column is used for sorting the page. + ![DetectionDate](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.detectiondate.webp) +- A new refresh button has been added for the following screens: + - My Tasks + - Workflow Overview + - Role Review + - Role Reconciliation + - Provisioning Review + - Resource Reconciliation + - Manual Provisioning + - Assigned Profiles + - Access Rules + - Access Roles + - Policies + ![Refresh](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.refresh.webp) +- On Resource Review and Resource Reconciliation dialogs, an asterisk is now displayed to show if + the property is required. If the DisplayEntityProperty has IsRequired="true", an asterisk is be + displayed. + ![Asterisks](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.5.asterisks.webp) +- On screens with pagination, the page number is now saved. This allows a user who clicks on a + resource and then closes the popup, to return to the same page as before. +- On the Resource Reconciliation page, when the resource type is changed and parameters are needed, + Usercube now prompts for parameter values. + +New Job features + +- Within a job, multiple tasks with the same level indication can now be executed at the same time. 
+ See the documentation for more information Home > Integration Guide > References > Data model > + Jobs > Task. +- Usercube-Get-JobSteps and Usercube-Invoke-Job tools now provide more detailed information about + each task. +- For the scaffolding jobs, resourceTypes are now sorted as a tree to make sure fulfillments are + performed in the correct order. (For example, in the case of multiple data sources or more than + one data master.) +- New, smarter job execution logic which runs tasks or not depending on previous results. For + example, if a Data Collect returns zero lines, the dependent synchronization task does not need to + run. In the documentation, see examples on the page Home Page > Integration Guide > How-Tos > + Configure Usercube Jobs > Synchronization Complete or search for the attribute `TaskDependsOnTask` + for more information. + +Other new items + +- Because mail settings are unique to each environment, mailSettings have been moved from the + database to the appsettings configuration. In order to migrate and preserve existing mailSettings, + you must follow the migration instructions above in these Release Notes. +- A new C# expression can be added to the Provisioning Policy to compute the provisioning order + arguments like "WorkflowIdentifier". See more information in the documentation: Home Page > + Integration Guide > References > Data model > Provisioning > ResourceType. +- Scalar and query rule expressions: there is a new implicit variable called "assignment" that + contains the assigned resource type start date, end date and parameter values. More information + can be found in the documentation: Home Page > Integration Guide > References > Data model > + Provisioning > ResourceScalarRule +- The mono-valued association property TargetColumnIndex limit has been extended. An index can now + be defined between 128 and 152. +- All of Usercube's API are now versioned. 
The new required parameter "api-version", facilitates the + choice of the API version, allowing scripts, tools and agents to be backwards-compatible with the + newer versions of Usercube. +- Added missing error notifications after failed API requests. +- Enhancement of role parameter reconciliation based on fine-grained permissions. +- Dependences have now been created between computed expressions allowing, on a given EntityType, + the use of the result of a first computed property to compute a second one. For example, on a + Directory_User, the MainRecord can now be used in Bindings/Expressions of other Directory_User + properties. This is managed with a Priority setting. +- The scheduler has a new parameter allowing it to be based either on Universal Time (UMT - + Greenwich Meridian) or the server's local time zone. + +#### Fixed bugs: + +UI Corrections + +- In email notifications, the password font has been changed so the characters are clearer. +- When a login is incorrect, better error messages are now shown. +- Correction for a refresh problem when a photo taken with the webcam was updated. +- The language of authentication form can now be configured to languages other than English. +- On the workflow activities pages, the EntityType selection list is now based on access control + rules, only showing entities for which a user has permissions. +- Fixed a bug encountered when requesting a resource creation on the Manual Provisioning page. +- Improve management of incoherent dates in the UI, restricting certain dates from being entered in + the past and correctly handling dates on assigned roles that have just been requested. +- In the query and correlation rule dialog boxes, a correction was made for editing the bindings. +- Query Page: Fixed a blank page error while adding a field after a query reset. 
+- On the Role Review page, review buttons are hidden for the pre-existing and non-conforming + assigned roles which should be managed on the Role Reconciliation screen. +- Dates related to a DatePicker with "AddedMinutes" now changes correctly on rendering (for example, + after closing the view permissions dialog box). +- When creating or modifying a new assigned profile, the list of available profiles are now sorted + in alphabetical order. +- Access Certification: Improved message when there is nothing to review. +- On the permissions page, for a manual assignment, the �Deny' option is only available when the + permission is being first added and is not available in any other situation. (In other situations, + the only option is �Delete'.) +- Fixed a 400 error when the displayName of an access certification in progress is updated. +- Fixed an error in workflow simplified views, where permissions being added could not be deleted. +- On the Role Review screen, for approved or declined permissions: + - hide the comment button if no comment was previously added + - disable the comment button when there are existing comments +- Certain variables incorrectly displayed by Internet Explorer have been corrected. +- Fixed some incorrect behavior when a user creates or updates role categories. +- Improved the display of resource values. All values displayed in the application (in lists and on + the resource page) must have the same display. If a "format" is defined for a + displayEntityProperty, this format is applied. Otherwise, the value is displayed according to the + type of the EntityProperty. +- Fixed an error on shared forms where, in an activity, the form was not displayed and on the + workflow overview page, the changes in the form were not displayed. +- On workflow finalization screens, the placeholder values for the "CC" and "At the request of" + fields have been corrected. 
+- In resource views, the display of a collection property with an intermediary mono-valued binding + (for example, person.User.OwnedApplications) is now allowed. +- On the Resource Reconciliation page: buttons are now clickable when the user changes the resource + type, selects a resource with a different entity type, and then re-selects the proposed entity + type. +- On the Query page, the action buttons are now disabled if a user has made no selections. +- On the role review page, the hovering for a permission's history was replaced by a button to make + sure it was always accessible. +- Fixed an incorrect arrow display for offset dates in navigation and scalar rule dialogs. +- A new warning message has been added when deleting access policies: "Warning: all objects linked + to this policy will be deleted". +- Using a dropdown list to select a resource that doesn't have a display name no longer throws an + error. +- Jobs that are blocked because a security threshold has been exceeded are now clearly indicated. +- Composite and single role metadata have been added to the access review module which permits, + among other things, the filtering of access review items. + +Security and performance corrections + +- The InvokeSQLCommandTask now correctly interprets the LogLevel that has been indicated. +- A series of optimizations have been made for connector synchronizations. +- Certain tasks, such as Compute Role Model, no longer fail after a timeout and have been optimized. +- New, tightened security on API calls. +- Optimizations for the loading of the user directory pages. +- Upgrades for error and warning logs for the Usercube-Invoke-Job and Usercube-Invoke-ServerJob + tools. +- The ComputeCorrelationKeyTasks in job scaffolding have been optimized. +- Change the default value for the BlockProvisioning attribute of ComputeRoleModelTask, from false + to true in order to prevent unexpected fulfillments. 
+ +Configuration Deployment + +- When deploying the conf, if the arguments �configuration-directory and �database-connection-string + are missing, the exception is now thrown correctly. +- During the configuration deployment, scaffoldings now check a connector's existence. +- Errors are now thrown when multiple tasks are declared with the same identifier. +- Error messages during configuration deployment no longer show unnecessary information. +- Giving an incorrect identifier for a job, now gives a clear error. +- Added new error checking to prevent conflicting aspects. +- Harmonization of similar attributes: FilesAreEncrypted in the MappingPath scaffolding argument has + been switched to FilesAreNotEncrypted. + +Other corrections + +- Correction for regression in Windows SSO authentication +- The InvokeSQLServer jobs now correctly abort when the user clicks on the �Stop' button during a + job's execution. +- Transactions are no longer blocked when several resource types are provisioned at the same time. +- Exporting the configuration to XML files now also exports default values. +- Usercube-Get-JobSteps now returns a clear description of the error if the job identifier is wrong. +- In Usercube-Anonymize a new argument to specify the delimiter is available: "�csv-separator" (or + its short alias "-s"). +- In Usercube-Update-FulfillmentStates, the short alias "-h" for the input path was removed because + it conflicted with the help alias. +- Date filters have been modified to take advantage of database partitioning, if it has been + enabled. +- Fixed the Export-LDAP timeout argument which wasn't accepting values other than 0. +- The AD Export tool now correctly extracts CNs containing special characters (for example, a + comma). +- The tool Usercube-Anonymize.exe now anonymises columns with empty values. +- Incremental AD synchronizations, when run after a long period of time, are no longer giving + errors. 
+- Improvements for handling of deleted objects/entities and their dependent objects. +- Fulfillment orders are now generated when an assignment state is Pending (add or delete) or + Applied (modify). +- A job that was twice blocked for exceeding security thresholds can now be properly re-started + after the second blockage. +- The data anonymization tool can better handle empty attributes, invalid DNs or invalid email + addresses. It can also now handle multi-valued attributes. +- Correction for the LDIF export where attributes from distinct entities were getting interchanged. +- Fixed a regression where the argument FilesAreNotEncrypted was not taken into account for all + exports. +- In appSettings, in the EncryptionSettings section, when UseEncryption and EncryptFile were both + false, there was still an error for a missing certificate. +- The Initialization scaffolding job is now always created with UserStartDenied, so it cannot be + re-executed. +- Correction made to Usercube-Fulfill-InternalWorkflows concerning entities without records. +- For fulfillment simulation, the simulation file is now correctly created. +- For the SCIM connector a new OAuth2Url attribute for retrieving tokens has been added, in order to + handle a situation where the system cannot determine this information. +- Corrected a bug on certification review items when managers change. +- Corrected some regressions for Export-LDAP. +- When using the ActiveDirectoryUserStore, the Domain setting is required, and we now verify its + existence at startup. +- Display names are now computed for all provisioning contexts. +- Fixed a bug where the ad/ldap provisioner was not properly tracking the account's activation to + trigger the password reset mechanism. + +#### Known issues: + +Workflow task counters were causing performance issues and so they have been temporarily removed +from the home page for Role Review, Provisioning Review, Role Reconciliation and Resource +Reconcilation. 
They will be back in version 5.1.6. + +## Version 5.1.4.2 + +Release date: 2020-08-12 + +#### Fixed bugs: + +- Reduce the manual assignments end dates based on the new end date (if it is smaller) and the + offsets. +- Improved scheduler error handling. +- Tasks such as Compute Role Model failed on timeout and needed to be optimized. + +## Version 5.1.4.1 + +Release date: 2020-07-31 + +#### Fixed bugs: + +- Added the namespace System.Globalization for the C# expression white list. It is now possible to + use .ToTitle() and culture info. +- Correction for a regression in the agent scheduler. +- Adaptations made allowing the execution of server-side scripts on Linux. + +## Version 5.1.4 + +Release date: 2020-07-24 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the following section must +therefore be followed. + +#### Migration steps: + +1. Stop server +2. Rename the existing Runtime folder to �RuntimeOld' +3. Install the new runtime from �Runtime_XXXX.zip' +4. Migrate the database: + + `Usercube-Upgrade-DatabaseVersion -s "database connection string"` + +5. Migrate the configuration: + `Usercube-Upgrade-ConfigurationVersion -s 5.X.X -c "source conf path" -o "target conf path"` + (where 5.X.X is the "MigrateFrom" version) +6. Migrate the appSettings: + `Usercube-Upgrade-AppSettings --input-path "old runtime directory" --version 5.X.X` (where 5.X.X + is the "MigrateFrom" version) +7. Optional: Deploy-Configuration: + + `Usercube-Deploy-Configuration -d " conf path " -s "database connection string" -e` + +8. Start server + +#### Enhancements: + +- New Account management functionality for changing or re-initializing passwords as well as + unlocking accounts is now available. + ![PasswordReset](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.4.passwordreset.webp) +- Role Parameters are now displayed in all views with permissions (lists and dialog). 
+ ![Parameters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.4.parameters.webp) +- Improvements on manual provisioning screens: + + - Add start and end date columns in the list of properties + - Add request number, start and end assignment dates + - Added the possibility of clicking on the request number + - Other general improvements + ![ManualProvisiong](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.4.manualprovisioning.webp) + +- The Usercube Documentation has been significantly improved. + + - The content has been reorganized in four Guides: introduction, integration, installation, and + migration. + - The Introduction has been extended + - The Installation Guide has been reviewed and improved + - The Technical Configuration and Connectors documentation, now in the Integration Guide, have + been reviewed and improved. + - Look and feel has been improved. + +- On the provisioning review page when the pending orders filter is enabled, a filter now exists for + the action type. + ![ProvisioningFilter](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.4.provisioningfilter.webp) +- On screens that show the cancellation of resources, the edit icon is replaced by a cancel icon on + to avoid confusion. + ![CancellationIcon](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.4.cancellationicon.webp) +- Active Directory forests are now natively supported. +- ServiceNow ticketing + + - Added new Task `FulfillToServiceNowTicketTask` to create tickets in ServiceNow requesting + creation, update or deletion of any resource. Upon creation of the ticket, the + AssignedResource state will be in a Transmitted state. + - Added new Task `ServiceNowTicketUpdateFulfillmentStateTask` to retrieve canceled and closed + tickets. When retrieving tickets, AssignedResources states will be set to executed or errored. 
+ - New xml fields in ResourceTypeMapping: + - `TicketCallerIdIdentifier` The name of the attribute to get the id of the user (in the + ticketing system) for whom the ticket will be created. + - `TicketCategory` and `TicketSubCategory` Information indicating in which category the + ticket should be created. + - `TicketImpact` and `TicketUrgency` For prioritizing + - `TicketAdditionalInformation` Additional textual information that will appear in the + ticket. + +- The back-end is now capable of calculating a simple "risk score" for each user. This will be more + visible in the UI in upcoming versions. +- Other new UI features: + + - The auto-complete in drop-down lists is now optional. The list has auto-complete only if the + auto-complete binding is defined for the display property or for the associated display entity + type. The auto-complete binding defined for the display property overrides the auto-complete + binding defined for the display entity type. If not specified otherwise, the minimum length of + search characters is four. + - In the dialog box of the Resource Review and Resource Reconciliation screens, the "Value" + column header has been renamed to "Proposed Value" to clarify the meaning. + - On the Job Execution page, several new filters allow the user to filter all Job Instances by + date range. A filtered view will show all types of Job Instances and will not be restricted to + the one chosen in the left-hand menu. + - Improve auto-complete drop-down lists: + - display "No results" when no results are found + - display "Enter at least N characters to start the search" when the number of characters + entered is less than minSearchLength + - display waiting spinner when results are being requested + +- New security features: + + - Added security for job instance API calls, including security that locks or unlocks API calls + and launches or blocks specific tasks depending on the license purchased. 
+ - Usercube-Protect-X509JsonFile is a new tool that encrypts each value in a JSON file. + - Added protection against unwanted uses of C# functions in the configuration files. + +- Other new items + + - AppSettings.json files have been restructured + - Multiple records are now taken into account for internal workflow fulfillment. + - In the configuration files, link properties used in EntityAssociations are now declared as + Type ForeignKey, instead of Int64. + - A new package was integrated for AD/LDAP export and fulfillment allowing this functionality + from non-Windows servers. + - For command line tools, all the parameters can now be passed as regular arguments or through + stdin. Reading the parameters from stdin is enabled by the �stdin argument. This is especially + useful for securely sending passwords and other sensitive information to the tools. The + Usercube-Invoke-Job tool leverages this mechanism for all the jobs' tasks. + - The `Usercube-Deploy-Configuration` tool has been modified to error out for configuration + errors like invalid query rule target bindings, giving clear indications of how the + configuration files should be corrected. + - Arguments are now harmonized for `Usercube-Invoke-API`. + +#### Fixed bugs: + +- UI corrections + + - UI font optimizations. + - Fixed the display of breadcrumb in permission name columns: now the last item is displayed. + - Fix picker to avoid unnecessary API requests and to filter from the previous search only if + the character is added at the end + - Fix the display of drop-down options (search results and disabled options) + - The text of the disabled options ("Enter at least [n] characters[�]" / "No results") must not + fill out the input text of the drop-down list + - Fix focus on multi-selection picker. + - Fix error in a single selection picker with search where the second selection was not taken + into account. + - Auto-complete picker now manages search on bindings with more than one property. 
+ - On the job screen, the duration for a task that is "Pending Launch" is no longer shown with an + incorrect value. + - In Job view, jobs instance state icons are no longer cut off on the left side. We can now see + all of state icons. + - On the Query page, certain navigation properties that should not have been displayed were + removed. + - Now, if Usercube is configured without dimensions, the home dashboard is still displayed and + features that previously needed dimensions are no longer broken. + - On pages with permission lists, sorting now works correctly. + - Fixed error in UI selection component: multiple selections are now correctly handled. + - When displaying the same entity type for two different dimensions we now display the dimension + labels instead of entity labels (which were then repeated). + - Fix for left and right navigation keys that couldn't be used to type something in a filter + research bar. + - Enhancements to UI for role deletions + - For the user's circle logo, if there are more than two initials, their size in image is + automatically reduced and if there are more than five initials, they are truncated to display + a maximum of five characters. + - Currently, a pre-existing permission cannot be deleted or updated from the permissions page: + the element cannot be selected (no checkmark) and a tool-tip is displayed to explain "This + permission cannot be modified." + - On the Workflow Overview page, when owner information is not available (for example when user + has been deleted or when a new user creation is still in draft form), a simple dash ("-") is + now displayed instead of a user icon with no information. + - Agent-side jobs can now be started from the UI. + +- Security and log corrections + + - Correction for a security vulnerability that prevents usage of forbidden properties in query + filters. + - Correction to minor security issue where passwords were being saved in browsers. 
Auto-complete + is now set to off for password fields. + - With the InvokeExpression function (agent and server) logs generated inside the PowerShell + script are now taken into account in the task instance logs. + - Unclear logs about workflows and data are now more explicit. + - HttpClient error detail is now written to the logs. + - Solution for an intermittent problem where encrypted logs were truncated, preventing + decryption. + +- Other corrections + + - For AD provisioning, if the service account doesn't have proper write permissions, errors are + now correctly thrown when a new group membership cannot be created. + - Correction for the duplication of workflows after the launch of FulfillInternalWorkflow. + - Corrections to the enforcement of scopes of responsibility during API calls. + - Improvements in the detection of existing permissions with parameters. + - For LDAP provisioning, a connection is made to the LDAP server only in the case where there + are fulfilment orders to be executed. + - Password notification mails did not take into account the culture settings in the appSettings + files and were always in English. + - For an export AD or LDAP, we now verify if the logins or passwords are null or empty and show + an error if necessary. + - In searching for existing permissions mono-valued properties were not taken into account. + - Corrections to regressions in the role mining tool related to the new encryption settings. + - Corrected the Re-launch Job to handle the case where a task warning is present in job before a + blocked task. Now the job can be relaunched instead of being blocked. + - Corrections made to the task override feature for all Property Enumerator values, + TaskResourceTypes, TaskEntityTypes, and TaskDimensions. + - Correction for server-side timeout issues, including a new parameter in appSettings.json + (agent side) `TaskTimeoutSupplement` that adds an optional timeout supplement for the + execution of server tasks in Invoke-Job. 
+ - Category hierarchy is now taken into account when evaluating access control rules. + - Role parameter functionality has been added to all 128 available dimensions. Previously, only + the first eight could be used with parameters. + - Scalar and query rules are now evaluated correctly when an assigned resource type has a + non-deducible parameter. + - Fix a blocked state for Job Instances where the job also contains a warning instance. + - Corrected arguments used in the SharePoint connector + - Corrected configuration migration of the GroupByDimension configuration attribute. + - The Role Model now sets the resource type classification confidence rate to 100% even if the + correlated owner is not at 100%. The Resource Classification now targets only resources + without owners to prevent any interaction between the correlations and the classification. + - Correction to the Invoke-Server-SQL tool for AzureAD authentication + - Both Export Invoke Sql commands (agent and server) now delete the resultant half-finished CSV + file when they are stopped in the UI and the UI properly shows an aborted state. + - Fix made to Negotiate Authentication in LDAP Fulfillment. + - In the Provisioning Review, the Current Value column is now correctly calculated and + displayed. + - Several ResourceTypes can now be provisioned at the same time. + - Correction for provisioning review errors where occasionally, the button was not available to + unblock and retry. + - Correction for AD authentication problem over SSL. + - Fixed regression errors in the PowerShell fulfillment. + - Differences on manually overridden scalar property values (i.e. an AD attribute) are now + correctly detected. + - Correction for the Workflow States that were incorrect when approving a declined role. + - Shared Folder improvements: + - New task available for the SharedFolder export. + - New option for logging in with a service account. 
+ +## Version 5.1.3.1 + +Release date: 2020-06-15 + +#### Fixed bugs: + +- Agent-side jobs can now be started from the UI. +- Correction for provisioning review errors where occasionally, the button was not available to + unblock and retry. +- Differences on manually overridden scalar property values (i.e. an AD attribute) are now correctly + detected. +- Enhancements to UI for role deletions +- Fixed error in UI selection component: multiple selections are now correctly handled. +- HttpClient error detail is now written to the logs. +- In the Provisioning Review, the Current Value column is now correctly calculated and displayed. +- On pages with permission lists, sorting now works correctly. +- On the provisioning review page when the pending orders filter is enabled, a filter now exists for + the action type. +- Several ResourceTypes can now be provisioned at the same time. +- Solution for an intermittent problem where encrypted logs were truncated, preventing decryption. + +Release date: 2020-06-02 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the following section must +therefore be followed. + +#### Migration steps: + +1. Stop server +2. Install the new runtime �Runtime_XXXX.zip' +3. Migrate the database: + + `Usercube-Upgrade-DatabaseVersion -s "database connection string"` + +4. Migrate the configuration: + `Usercube-Upgrade-ConfigurationVersion -s 5.X.X -c "source conf path" -o "target conf path"` + (where 5.X.X is the "MigrateFrom" version) +5. Deploy-Configuration: + + `Usercube-Deploy-Configuration -d " conf path " -s "database connection string" -e` + +6. Start server + +#### Enhancements: + +- Performance enhancements in the database and the front-end +- In both modes (SaaS and On-Premises) all work files, whether on the agent or the server, can be + encrypted. Encryption is optional but is enabled by default with the DataSourceIsEncrypted + parameter. 
The encryption includes logs, temporary files generated by the synchronization, the + provisioning, the reports and the provisioners (like pending password re-sets). More information + is available in the documentation: References > Data model > Connectors > EntityTypeMapping and + EntityTypeAssociationMapping. Also, in Technical configuration > Agent configuration > Encryption + Certificate section. +- CyberArk Integration: Login and passwords can now be retrieved from CyberArk Vault for real-time + use in synchronization and/or provisioning. +- New connector SCIM for services implementing SCIM endpoints. More information available in the + documentation: + - Technical configuration > Information System Settings > SCIM Settings + - References > Tasks > Agent > Exports > Usercube-Export-SCIM + - References > Tasks > Agent > Fulfillment > Usercube-Fulfill-SCIM +- ServiceNow improvements: + - Exports and Fulfillment now support OAuth2 authentication with new optional arguments + available in the settings. + - Export now supports Date, Boolean, Int32, Int64 formats and can export multiple tables at + once. + - Provisioning of many-to-many tables: the name of the table corresponding to the association + must be given in the new XML field EntityAssociationMapping:DatasourceName. + - New XML field "DatasourceName" for EntityAssociationMapping: this field is optional and + specifies mapping for n-n relations. Currently it is only be used for ServiceNow provisioning. + - More information is available in the documentation: References > Tasks > Agent > Fulfilment > + Usercube-Fulfill-ServiceNow and References > Data model > EntityAssociationMapping +- AppInsights integration +- Parallel user workflows are now possible. 
+- New Query page: + - Columns can be chosen and rearranged + ![UnivQuery2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.universequery1.webp) + - According to type of property selected, the filtered value field is changed correspondingly + ![UnivQuery2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.universequery2.webp) + - Display fields are easily searchable + ![UnivQuery2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.universequery3.webp) + - Queries can be bookmarked + ![UnivQuery2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.universequery4.webp) +- New functionality for managing risks. + ![RiskMgmt1](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.riskmanagement1.webp)![RiskMgmt2](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.riskmanagement2.webp)![RiskMgmt3](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.riskmanagement2.webp)![RiskMgmt4](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.riskmanagement4.webp)![RiskMgmt5](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.riskmanagement5.webp) +- Review Comments can now be configured for each role and for each review type: pending and + non-conforming role permissions. 
There are three values to choose from: + - Disabled + - Optional (set by default on the approval of a pending role permission and on delete a + non-conforming role permission) + - Required (set by default on the refusal of a pending role permission and on keep a + non-conforming role permission) + ![CommentMgmt](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.commentmgmt.webp) +- In role review/reconciliation comment dialogs, add informational data about the permission being + approved/denied. +- In the roles catalog, instead of a generic column title, the second column title now displays the + of type of object being shown: single rules for single rules, etc. + ![RolesCatalog](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.rolescatalog.webp) +- Implement two views to display permissions lists: + - view grouped by categories, with the name column filtering on role and/or category name + ![PermissionTree](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.permissionstree.webp) + - view list where all columns can be sorted + ![PermissionList](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.permissionslist.webp) +- On the workflow overview page, a new list of permissions shows the permissions impacted by the + workflow with their workflow states and provisioning states, clearly indicating the state of all + validations related to the workflow. + ![OverviewStates](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.overviewstates.webp) +- Allow filter on the workflow overview list by "Completed" or "Pending". + ![OverviewListFilter](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.overviewlistfilter.webp) +- On the Job Execution screen, a new search bar has been added permitting sorting by "State" of the + job instances. 
+- UI enhancements aligning fields and their labels. +- New step in InitializationJob: initialize history tables by setting each entity's first record + ValidFrom value to 0001-01-01 00:00:00.00. +- Improve clarity on Provisioning Review and Resource Reconciliation screens. + - Add action indication (create, update, delete) in the list of assigned resource types to + review or reconcile + ![RoleReviewActions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.rolereviewactions.webp) + - In dialogs, dynamic button labels indicating the action that will be performed based on user + choices. + ![DynamicLabels](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.dynamiclabels.webp) +- Added a new filter when running an access certification campaign: it is now possible to target all + entities having a property modified since a given date. + ![CertificationTargetDate](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.certificationtargetdate.webp) +- New indicators in workflow overview to display records added, modified, or deleted. + ![WorkflowOverviewIndicators](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.workflowoverviewindicators.webp) +- On the workflow overview page, all translation modifications are now shown as well. + ![Translations](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.3.overviewlanguage.webp) +- Enhance scalar rule expressions with a new argument that provides basic information about the + assigned resource type: Id, StartDate, EndDate. More information in the documentation: + References > Data model > Provisioning > ResourceScalarRule +- Provisioning policy: extend the QueryRule/CorrelationRule to match multiple resources +- In Request Summaries, more information has been added: the workflow state, and a link to the + Request and the Workflow owner. 
+- Enhancements to sorting capabilities on Workflow Overview page. +- Enhancements to error messages regarding invalid XML when deploying configuration. +- In the UI, field value selections can now be typed, instead of always needing to click. +- The notification aspect has new recipient type, "Expression", where the email address is built by + a C# expression. +- The execution of an aspect can now be determined by an expression (IfExpression attribute). (For + migration: the P12 attribute in v5.0.x for the BuildUniqueValue aspect are now migrated to the + IfExpression attribute.) +- Modification of the job repair mode: the starting order is now calculated in the Invoke Job and + the Invoke Server Job and has been removed from the front end. +- Simplification when executing any task in debug mode: The TaskIdentifier and TaskID are no longer + necessary and the task can be launched with only the name of the json object from the + appSettings.ConnectionInformation.json. Example: + `./identitymanager-Fulfill-AzureAD.exe --AzureAD_Setting "AzureAD_Export_Fulfillment" -t "-2"` +- Addition of the attribute option "�force" to the jobs: Invoke-Job and Invoke-ServerJob. These jobs + can now be forced in order to avoid a blocked situation. More information in the documentation + References > Jobs > Server Side > Invoke Job. +- Improved security features to prevent unauthorized or diverted use of the application by iframe + elements. +- Improvements to reports with historical information. +- Restrictions and securing of API calls +- FulfillmentType and InformationSystemIdentifier parameters have been moved from the connector + level to the ResourceTypeMapping level allowing different types of fulfillment on different types + of accounts. For example, nominative accounts can be automatically provisioned, and administrator + accounts can be manually provisioned. 
Accordingly, a new information system Identifier + Fulfill-InternalWorkflow is available for the appsettings.ConnectionInformation.json file. More + information is available in the documentation: References > Data model > Connectors > + ResourceTypeMapping and Technical configuration > Information System Settings + +#### Fixed bugs: + +- Better sequencing was introduced for the password reset phase of an AD account when the + creation/modification of the account fails. +- Fixed an error on resource lists: the resource displayed above the "See more" button must be + filtered by the default filters configured in search bar of the entity type. +- Fixed a bug where the workflow overview displayed the wrong photo in some workflow steps +- The photo no longer disappears after a workflow is saved or forwarded. +- A problem with the scaffolding for ServiceNow and incremental synchronizations was resolved. +- Under certain conditions, there were issues releasing LDAP connection pools during + synchronizations. +- Correction to some consistency problems in the UX related to the resource type counters. +- Resource display names on the permissions page are now truncated if too long. Hovering over the + truncated string will display the full name. +- During synchronization, an exception is no longer thrown when more than one entity property has + the same source column. +- A number of Usercube migration issues were fixed. +- Fixed inconsistencies in ConsolidatedWorkflowBlockedState and ConsolidatedWorkflowBlockedCount + related to pre-existing permissions. +- Role Parameter contexts are now automatically set if the values can be deduced from the owner. +- Corrections to Usercube-Export-RACF tool related to duplicate columns. +- The synchronization job was, on rare occasions, executing the process twice for the same entity + type. +- The role access management dialog, when opened via URL, now correctly loads all data. 
+- The start date field is now taken into account in a UsercubeWorkflowAddAndEndRecordEntity workflow + form. +- A warning is now presented to the user when creating an access rule without criteria warning about + creating a rule applicable for all users/entities. +- On the role review and role reconciliation screens, the button now no longer disappears if the + screen width is too small. +- On the Certification review page, a new column shows a denied icon if the permissions have been + denied to the user. +- Corrections made to the reviewing and reconciliation of composite roles. +- Homonym warning now correctly shows only one resource instead of all related resource records. +- Allow sorting and filtering of the records table in a workflow according to the configuration + definition. The table is now sorted by default according to the DefaultSortPriority. +- In a scheduled job change, the transition end date now allows the definition of an end of position + before the start date of a new position. +- On the permissions page, an assignment is now in its correct category after closing the + view-detail modal. +- For workflows with several records, the workflow overview display page now correctly shows the + shared section and all positions and the relevant position for the workflow. +- Alignment of the contents on the request summary and workflow overview pages. Start date and end + date were added in request summary and resource of assigned resource type is displayed in workflow + overview. +- If one dimension is not defined, or has been deleted (for example, dimensions 0, 1, 3, and 4 are + defined but not dimension 2), the UI should not request values for the missing dimension in the + parameter modal. +- Job ToolTip placement modified so as not to interfere with buttons. +- On the permissions page, a permission added manually during an earlier step of the same workflow + cannot be changed. 
To change it, it should be deleted and then reintroduced with the desired + modifications. +- The BuildUniqueValue aspect can be managed by the new attribute OnlyIfNew="True" so the value will + only be built if the resource is new. +- A configuration containing scaffolding elements can now be exported without errors. +- The access context rules now correctly filter "type" column for optimized associations. +- On the role reconciliation screen: selecting "Delete" for a pre-existing item now correctly + removes the associated line. +- Corrected a problem where certification campaigns with filters on owners couldn't be started. +- Corrections to server availability behind a reverse proxy. +- Generalized the pending activities counter so it will work across different time zones. +- Correction to the AddTask argument in the job scaffolding where a compared task is calculated more + than once in the same job. +- In the pagination of entity type display tables, boolean properties are properly managed. +- Correction to the agent-side Swagger implementation. +- On the workflow overview page, enhancements in displaying Review Pending and Refine Pending: + - Potential actors are displayed before the action is completed. + - Once the action is completed, the interface shows who performed the action. +- Improved records displayed by default when no records match with the record filter for the form, + most often seen in the case when a user is archived. + - If the record filter is set to "CurrentAndFuture" and there are no present or future records, + the most recent of the past records is displayed by default. + - If the record filter is set to "Current" and there are no present records: + - If there are future any records, the first of the future records is displayed by default. + - If there are no future records, the most recent of the past records is displayed by + default. 
+- Correction regarding an occasional authentication errors when running the compute properties + expressions. +- Documentation enhancements and corrections. +- If the log information is missing in appSettings, a default serilog section is now created. +- The clean database job schedule was deleted to allow for more flexibility in the configuration + layer. +- Correction to the linkDependTasks argument in the job scaffolding. +- Occasionally, a job launched via the UI errored too quickly and no message was sent to the front + end. Now a jobInstance is systematically created so any error message will be visible. +- In encryption appSettings, the private key is no longer required. +- Remove links on the workflow overview page when the active user does not have permissions to reach + these pages. +- Correction made related to the execution of the InvokeSqlCommand on both server and agent side. +- No longer check for login and password if the Authentication Type is Negotiate. +- Send a better error when the ConnectionInformation appsettings is not correctly defined. +- The initialization scaffolding now includes the UpdateTreeDimensionTask after the + DeployConfiguration, to correctly calculate tree dimensions. +- The workflow overview page now correctly displays deleted positions. +- For synchronization jobs, if the connector key information is not present in the json settings, a + TaskInstance error is now presented on the job screen. +- Fix progress "Completed" for Server Tasks. +- A single update of a "one to many" relationship that is stored in resoucelinks tables now works + properly. +- In computing delta synchronizations: a resource should not have multiple owners. +- Corrected an internal error when performing a workflow on a user with multiple positions. +- Corrected a bug related to jobs blocked multiple times which appeared in certain cases. 
+ +## Version 5.1.2 + +Release date: 2020-04-10 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the following section must +therefore be followed. + +#### Migration steps: + +1. Stop server +2. Install the new runtime �Runtime_XXXX.zip' +3. Migrate the database: + + `Usercube-Upgrade-DatabaseVersion -s "database connection string"` + +4. Migrate the configuration: + + `Usercube-Upgrade-ConfigurationVersion -s 5.1.0 -c "source conf path" -o "target conf path"` + +5. Deploy-Configuration: + + `Usercube-Deploy-Configuration -d " conf path " -s "database connection string" -e` + +6. Start server + +#### Enhancements: + +- New UI for login and logout pages + ![Login](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.login.webp) +- Improvements to font and layouts. +- New connector for ServiceNow with options for incremental or complete synchronizations. +- The SAML2 protocol can now be used for authentication. See the documentation: Technical + configuration > Server configuration > Section 1.2.4 +- New integration avec QRadar +- Workflow overview has been improved: + - new design elements + - shows workflows added, updated or deleted + - shows assignments added, updated or deleted + - the page title is now the subject of the last activity instance and not simply the workflow's + name + - the state is highlighted + - a link to the owner has been added + - an optional parameter in the activity configuration can hide a workflow from the overview + screen (WorkflowOverviewDisable). + ![WorkflowOverview](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.workflowoverview.27635.webp) +- The title of the bottom section on the Request Summary is no longer hard coded in the product. It + is configurable and displayed in workflow overview. 
+ ![ImpInfoBlock](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.workflowoverview.impinfo.webp) +- In the detail screens of My Tasks and in workflow summary screens, a new eye icon is shown next to + the Request ID which links to a summary of the entire request. +- In the Jobs UI, the task logs are now colored like they would be if executed from the command + line, so warnings and errors are now easier to identify. + ![ColoredErrors](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.colorederrors.webp) +- When running a certification campaign and choosing what to certify, it is now possible to filter + by specific users. + ![CertifByOwner](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.certifbyuser.webp) +- Display the type of Approval Workflow in the role catalog and in the list of suggested + permissions. + ![ApprovalWorkflowSuggestions](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.approvalworkflowsuggestions.webp) +- On the Role Review screen, new improvements show the history of the request including any comments + previously made. +- New filters have been added to resource lists shown in DisplayTables with + DisplayTableDesignElement="resourcetable": + - Display uncategorized resources + - Display orphaned resources + - Display resources linked to a specific resource type + - Filter by resource owner's name + ![ResourceFilters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.2.resourcefilters.webp) +- A new job, UsercubeCleanDatabase, is available that resets the all TaskInstance and JobInstance + that haven't responded in over 2 hours. Overriding this task is possible with the setting + SchedulingCleanDataBaseSetting. +- A new job now exists, Usercube-Invoke-ServerJob, to execute tasks server-side without the need for + an agent. 
See documentation: References > Jobs > Jobs On Server Side +- New optional arguments have been introduced for the Usercube-Invoke-Job that specify the + encryption certificate (with file or certificate store). See documentation: References > Jobs > + Jobs On Agent Side +- Agent-side tasks now have two new optional arguments, CertificateFilePath and + CertificateFilePassword, for encrypting service account connection information. +- Job task dependence has been introduced which will prevent a child task from launching if a parent + task didn't complete successfully. See the documentation: References > Jobs > "Link two tasks in a + job" +- The confidence rate of query and correlation rules can now be set between 0 and 150. In the + Provisioning Review and Resource Reconciliation screens, if the confidence rate is greater than + 100%, the user will see 100% displayed, indicating simply that the correlation exists. A value + greater than 100% is used only to prioritize multiple rules with a confidence rate of 100%, not to + approve a permissions assignment. +- In the configuration, a new flag "Hide on simplified view" is available for use on roles and + resource types that should not be visible on the user's permissions screen's simplified view. +- Normalize, clean up and add increase the number of possible dimensions from 8 to 128 for + profilecontexts, profilerules and contextrules. + +#### Fixed bugs: + +- Fixed a bug in which Chrome, in rare cases, was rejecting some cookies and preventing + authentication. +- Fixed inconsistent date parsing using the timezone syntax (IANA id) +- Correction made to the provisioning tool that was requesting account password resets, although the + password reset was disabled. +- Correction that allows the modification of a photo in update workflows. +- Fixed some hardcoded entity types in some frontend URIs +- The "Usercube-Deploy-Configuration" tool now checks that photo properties are completed with their + tag properties. 
+- Fixed an issue where the password reset settings were not taken into account when the server is + also considered as agent (On Premises setup). +- Photos now delete properly if the user chooses to remove an existing photo. +- Query rule errors are now in log files and no longer in the database. +- The command Usercube-Invoke-Expression can now return more errors. +- When importing a configuration, display table bindings are now checked and if necessary, a clear + error is presented. +- The InvokeAPITask now verifies the existence of the three required properties when creating the + HttpClient for all agent tasks. +- Unnecessary processing and unnecessary server requests from the UI were removed to improvement + application performance. +- English translations for Access Certification were improved. +- The wording was improved on the user permissions and the modify permissions screens. +- In the TileItem configuration element, the display order indicator is now taken into account with + "LineDisplayOrderIndicator". +- Added a default filter from the URL in resource lists with the �resourcetable' DesignElement + attribute. +- In resource lists with a �resourcetable' DesignElement attribute, the resource type picker now + displays only resource types with a target entity type matching the resource's entity type. +- To enhance clarity, on the Access Rules screen, rule types have been renamed. + - Automatic (instead of Requested) + - Automatic with validation (instead of Requested Automatically) +- In the "modify permission screen" for a resource, when selecting a new resource type, a modal + opens to select the target resource to be associated with the selected entity type. The drop-down + in the modal now displays only resources whose type is the same as the resource type's target. +- On the Reports screen, Report Name filtering was fixed. +- LDAP connections now close properly. 
+- Correction to the Active-Directory full export that was not working when the "WhenCreated" + attribute was not in the list of attributes to fetch. +- Synchronization exceptions are more explicit. +- During Prepare-Synchronization, if multiple values (lines) are detected for a mono valued + attribute (column) only the first one in the ordered list is taken into account. +- In the new single role rule dialog, �Automatic' is pre-selected as the default role type value. +- The Request Number search field in the Workflow Overview screen is now case-insensitive. +- Corrections in the cleanup when an entity, used as a dimension in an access rule, is deleted, +- Search bar values now better retain the default values across the application. +- Improvements on pagination when filters change on the "My Tasks", "Role Review", "Workflow + Overview" and "Manual Provisioning" pages. +- The record filter in a form is now correctly managed when it is equal to "Current". +- Set the default value of the record filter in a form to filter on current and future records. +- Correction to badly placed pagination buttons in a list when the third tile has more rows than the + second. +- When adding or updating an access certification campaign, if a user starts modifying and then + clicks outside the window, a warning now pops up to indicate that changes are in progress. +- Deny icons on permission assignments if the assignment is non-conforming or historic have been + removed. Conversely, the possibility of denying a non-conforming or historic permission assignment + is blocked. +- In Role Review, the workflow state filters are now kept when changing between entities. +- Disable the complete refresh of the page when user clicks on links on an account button. Now, only + the new content of the page is loaded, not the entire page. +- A new workflow label "Cancellation" has been introduced to clarify misunderstandings. 
+- On the Resource Reconciliation page, unnecessary sorting options were removed where filters are + more relevant. +- Deleted hardcoded entity type in creation workflow. The real entity type is now retrieved. +- Correction of a search error on generic tables where the configured search operator was not taken + into account. +- The CreateSeveralRecordsEntity workflow no longer gives a blank screen when the first record is + deleted. Now, the last record is shown, as in the UpdateSeveralRecordsEntity workflow. +- Fix incorrect translation values in the new role dialog. +- Correction for an �undefined' workflow error when RecordStartProperty and RecordEndProperty + weren't defined. +- In the Resource Reconciliation detail screen, the column lengths in the data tables are now + adjustable. +- Warning messages used to confirm deletions are now red instead of orange. +- Opening the provisioning review modal, a user with the appropriate permissions can click on the + eye icon and be correctly taken to the original request. +- In the Assigned Role view, when a role is in the awaiting approval state, the icon at the left of + a role name more clearly indicates an awaiting status. +- A reviewer on the Access Campaign page, can no longer possible to make the same choice repeatedly. +- On the Access Certification screen, the counter is now updated when choices are confirmed. +- Now, in Access Certification a certification item review assignment incorporates start and end + dates specified on assigned profiles. +- In the BuildUniqueValue aspect, a new variable "iteration" allowed in the SQL query permits the + creation of unique values over the same type of object. For example, a unique value for each + UserRecord. +- In a RecordEntityForm, input modifications in the MainControl section are now correctly taken into + account. +- WorkflowAddRecordEntity form containing read-only fields no longer causes an error when + submitting. 
+- While the AzureAD connector was directly creating guests, new options allow guests to be invited + via the standard Azure AD mechanism. To enable this new feature, the guests' ResourceTypeMapping + must be updated as in the following example: + `` +- The XML configuration tool now gives a clear and detailed error message when a configured object + has an invalid reference to another one, for example, a Pointcut towards a non-existing Workflow. +- The configuration deployment tool was crashing when a CorrelationRule had an incorrect + ResourceType reference. Now, a clear error message is displayed. +- QueryRules that had both a Source and Target expression were not compiled when deploying the + configuration. Now, the role model is applied correctly for these properties. +- Errors are now returned when certain incorrect values are found in + appsettings.ConnectionInformation.json. +- The Configuration argument is now optional in the scaffolding CreateInitializationJob. +- Correction to the calculation of pre-existing values by adding a provisioning block in the last + calculated ComputeRoleModel for Initialization Job Scaffolding. +- Correction to identifier generation for ServiceNow and PowerShell Task in all scaffolding to + prevent conflicts. +- Fix English Grammar in JobLogs view. +- In the File Access tool, correction was made for a null pointer exception in an optional argument. +- Correction to path information that was truncated in the File Access module. +- If a user receives a forwarded task, even if they normally do not have access for this type of + task, they will be given the proper permissions to act on the forwarded task. +- Fix to provide the correct application URL in email notifications. +- When clicking on a task from an email, if the task has been treated, the progress of the task and + a message are now displayed instead of an error. +- Deleting a role/resource type is blocked while it is assigned to a user or used in a rule. 
+- The provisioning policy is now applied correctly for mono-valued fields that don't have a target + column index. +- If the ResourceType attribute "AllowRemove" flag is false, the provisioning policy keeps this + resource type even if it is no longer needed according to permission rules. + +## Version 5.1.1 + +Release date: 2020-03-03 + +### **Compatibility notice:** + +This release includes compatibility ruptures. The migration steps in the following section must +therefore be followed. + +#### Migration steps: + +1. Stop server +2. Install the new runtime �Runtime_XXXX.zip' +3. Migrate the database: + + `Usercube-Upgrade-DatabaseVersion -s "database connection string"` + +4. Migrate the configuration: + + `Usercube-Upgrade-ConfigurationVersion -s 5.1.0 -c "source conf path" -o "target conf path"` + +5. Update appSettings files according instructions in the Usercube documentation: "Migration + Usercube configuration > 5.1.0 to 5.1.1" +6. Deploy-Configuration: + + `Usercube-Deploy-Configuration -d " conf path " -s "database connection string" -e` + +7. Start server + +#### Minor Enhancements: + +- The dashboard has new icons for task badges. + ![Dasboard](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.dashboard.webp) +- Role reconciliation icons have been updated to more clearly indicate their use and subsequent + consequences to the roles. + ![RoleReconciliationIcons](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.rolereconciliationicons.webp) +- The new image picker allows the possibility for uploading an existing photo or using the webcam to + take a photo. + ![TakeAPhoto](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.takephoto.webp) +- All roles are now displayed in the same section including suggested roles. 
+ ![RolesTogether](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.rolestogether.webp) +- The role details page now displays the request and certification histories. + ![RoleHistories](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.rolehistories.webp) +- The role catalog displays the type of approval workflow. + ![ApprovalTypesDisplayed](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.approvaltypesdisplayed.webp) +- A given certification campaign can now filter roles to be certified by their number of approvals + and by their last certification date. + ![CertifyCriterion](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.certifycriterion.webp) +- A new certification report linked to each campaign allows the extraction of real-time results to + an Excel file. + ![CertificationReportButton](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.certificationreportbutton.webp) + ![CertificationReportResults](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.1.certificationreportresults.webp) + +#### Fixed bugs: + +- A resource type with an end date in the past now has a �Blocked' state once the provisioning + policy is executed (instead of �Pending'). +- The Active Directory data collect could hang when an entry was moved to the AD basket and then + purged from the AD logs. Now, these entries are considered as completely deleted. +- Configuration deployment now correctly handles the situation when the EntityType, ResourceType or + Dimension lists are empty. +- Correction to InvokeExpression tool on the agent side. +- Cumulate the list of missing propertyMappings during the synchronization preparation instead of + having separate errors for each one. +- Permits the stack trace to be displayed in the logs. 
+- In the daily synchronization job, correction to the SendNotification task. +- Before executing AD or LDAP server calls, the connection is now verified. +- A synchronization in incremental mode empties previously filled fields that currently have a null + value. +- Correction related to incorrect arguments in the synchronization preparation. +- The AD provisionner can now handle the modification of an account when the password is not yet + set. +- Correction related to Windows authentication +- Record filters set for workflow record forms are now properly taken into account (property + RecordFilter of a Form with options for displaying: All, Current only or Current and Future only). +- Logging in with a form-based ActiveDirectory authentication can now avoid timeout issues using the + fastBind option. Logs are also more explicit on login failures at the Debug level. +- Better logs for the LDAP provisioner which now indicate the attribute concerned by an error +- A search bar defined without advanced criterion no longer throws errors. +- Workflow management pagination is more robust. +- Increased allowable length in the InputPath parameter of InvokeExpressionTask from 442 characters + to 4000. +- For data extractions, new check to test the existence of the data source file. +- New option to deprovision a resource when the owner is deleted: RemoveOrphans attribute has been + added in the ReourceType entity. +- Deploy-Configuration tool now returns an error when EntityAssociationMapping configuration is + inconsistent. +- Corrected error in search view of page of roles which prevented changing the value approval + workflow levels. +- Increased robustness in the synchronization process: + - Prevent synchronization errors when multiple properties use the same column in the source + file. + - A binary property cannot have a target column index. + - A synchronized column cannot be defined more than once in the source file. 
+- Adding a record to an existing multi-record entity no longer throws SQL errors. +- ComputeCorrelationKeys now uses correct binding for query rules. + +## Version 5.1.0 + +Release date: 2020-01-20 + +### **Compatibility notice:** + +This is a major upgrade. The migration steps below must be followed. + +#### Migration steps: + +1. If necessary, upgrade to .NetCore to version 3.1 or later. +2. Install the new runtime: a. Copy the new runtime.zip b. Modify the ApplicationUri and the + ConnectionString c. Add the client license (send an email to + [sales@usercube.com](mailto:sales@usercube.com)) +3. Migrate the database: a. `Usercube-Upgrade-DatabaseVersion -s "database name"` b. Execute the + last part of the file �Usercube.sql' starting with the line + `DELETE "ua_accesscontrolpermissions"` +4. Migrate the configuration: a. + `Usercube-Upgrade-ConfigurationVersion -s 5.0.0 -c "conf source" -o "conf cible"` b. + `Usercube-Deploy-Configuration -d � conf � -s � base � -e` + +#### Major Enchancements: + +- Certification: Roles, accounts and groups can now be certified. Certfication campaigns can be + defined on different levels of roles and each certification item can be transfered elsewhere if + necessary. + - Campaign creation + ![CampaignCreation](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.0.campaigncreation.webp) + - Campaigns lists + ![Campaigns](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.0.campaigns.webp) +- Jobs: Jobs can now be executed on the server as well as the agent, with detail of each job step + including direct access to execution logs. + ![Jobs](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.0.jobs.webp) +- Historisation: Historisation is now active for the metadata tables, resoure tables et most + provisioning tables (tables UM*, UR* et UP\_). For optimal performance, the SQL server needs table + partitioning capabilities. 
+- The permissions page now displays access rights in a tree layout. +- Suggested roles are now possible. They can be defined with access rules where the type is + �Suggested'. + ![SuggestedRoles](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.0.suggestedroles.webp) +- Dashboard counters are now visible indicating actionable tasks since last time. + ![Counters](/img/versioned_docs/identitymanager_6.1/identitymanager/whatsnew/olderversions/5.1.0.counters.webp) +- New notifictions for provisioning reviews, role reviews, provisioining summaries, role summaries, + and certification requests needing treatment. + +#### Minor Enhancements: + +- The agent containts a new SAP Connector. This connector requires SAP Netweaver for Java with at + least the following versions: SAP NetWeaver '04 SPS 14 or SAP NetWeaver 7.0 SPS 05. The connector + can + - synchronize users, groups and roles + - fulfill users and group/role memberships + - initialize users' passwords +- New ldif connector. This connector will read ldif files as source for synchronization. +- A new OpenLDAP Connector can handle incremental OpenLDAP exports +- The Access Rules page now permits the creation/modification/deletion of QueryRules +- Encryption now possible in json files to secure connection settings. See the documentation: + References > Tools > Usercube-Protect-ConnectorSettings. +- Values coming from authoritative sources can be overridden by changing them in the User Interface + and Workflows. The forced values are then locked and can no longer be changed by the authoritative + source. Now, if the source changes, a special warning tracks that the forced values should be + reviewed, and reset if needed. +- Product licensing is now translated into a product setting. A license key must be provided for + each server installation. The license key defines the available features and usage limits. 
+- When synchronization or provisioning safety limits are triggered, the exact cause is now logged by + the server (count or percentage of inserted/updated/deleted rows or links). +- A new approval workflow with three steps is now available for composite roles, single roles and + resource types. +- The unncessary attribute DisplayOrder has been removed from MenuItem children, SearchCriterion and + DisplayTables. +- 26043: On the assigned profiles page and roles pages, search now returns results where the string + is contained in the title (not simply starting with). +- IsUniqueKey is a new attribute of an Entity Association Mapping. +- TransformExpression has been renamed to FlexibleComparisonExpression (the migration script will + update the configuration). +- Harmonization of URLs and page titles. +- Simplification of Role and ResourceType pickers. +- Activity state in the UI now reflects the name defined in the database. +- 23094, 23095: Updated UI components. +- Remove unncessary cancel button on login page. +- Size of photo on the resource page reduced. +- In the provisioning policy, can define a query rule with a target expression. +- Permissions page now takes into account aspects and computed expressions. +- Resource correlation keys are precalculated for better provisioning policy performance. +- Enhanced mechanism for calculating recipients of workflow notifications +- Attribute ComparisonType for resource scalar rules has new possible values (see documentation) +- Optional comments can now be added in role review, when a role is declined and in role + reconciliation, when a role is kept. + +#### Fixed bugs: + +- A data line with many caracters is now word-wrapped to a second line instead of being truncated. +- Provisioning orders are now generated with correct commands when a linked assignment has not been + correlated. +- Add a category picker that wasn't available when assigning a profile. 
+- Fix correcting problem related to deletion/modification of validity dates when assigning a + profile. diff --git a/docs/usercube/6.1/index.md b/docs/identitymanager/6.1/index.md similarity index 100% rename from docs/usercube/6.1/index.md rename to docs/identitymanager/6.1/index.md diff --git a/docs/identitymanager/6.2/identitymanager/index.md b/docs/identitymanager/6.2/identitymanager/index.md new file mode 100644 index 0000000000..70da0311b4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/index.md @@ -0,0 +1,19 @@ +# A software solution to match your IGA needs + +To learn about Netwrix Identity Manager (formerly Usercube) and build the solution you need, explore +our guides. + +The present documentation mentions the Netwrix Identity Manager (formerly Usercube) application as +simply Identity Manager. + +Identity Manager's guides include: + +- An [Introduction Guide](/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md) if you are new to Identity Manager. +- A [User Guide](/docs/identitymanager/6.2/identitymanager/user-guide/index.md) to configure Identity Manager from scratch via the UI. +- An [Integration Guide](/docs/identitymanager/6.2/identitymanager/integration-guide/index.md) to complete Identity Manager's configuration in + XML according to your needs. +- An [Installation Guide](/docs/identitymanager/6.2/identitymanager/installation-guide/index.md) to install Identity Managerin a production + environment. +- A [Migration Guide](/docs/identitymanager/6.2/identitymanager/migration-guide/index.md) to upgrade to a new version of Identity Manager. +- [ What's New](/docs/identitymanager/6.2/identitymanager/whatsnew/index.md) to get details about specific changes in Identity Manager's + updates. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/index.md new file mode 100644 index 0000000000..c92e10107c --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/installation-guide/index.md @@ -0,0 +1,19 @@ +# Installation Guide + +This guide is designed to help you install Identity Manager in a production environment. + +## Target Audience + +This guide is intended for **system administrators** and **system architects**. + +Required knowledge includes: + +- Windows Server administration +- Internet Information Services (IIS) administration +- SQL Server administration + +## Overview + +The installation of Identity Manager requires architectural decisions to be made. An +[ Overview ](/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md) of the architecture and available configurations will help you make +informed decisions. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md new file mode 100644 index 0000000000..a1213a883c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md 
@@ -0,0 +1,116 @@ +# Overview + +This section will give you an overview of Identity Manager's components, their requirements and +constraints, and possible interconnection schemes. At the end of this section, you should be able to +choose the installation setup that fits best your organization's needs. + +## Components and Data Flow + +![Components & Data Flow](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/components_data_flow.webp) + +### Components + +Identity Manager's solution includes at least three components. + +#### **1.** Server + +One server handles all of Identity Manager's computing needs, internal database management and +serves the UI as a web application accessible through a browser. + +The SaaS offering hosts the Identity Manager Server in the **Cloud**. This means that the server +needs not be installed within a Identity Manager SaaS installation. + +#### **2.** Database + +One database stores Identity Manager's data. + +With the SaaS offering, the Identity Manager Database is hosted in the **Cloud** and needs not be +installed. + +The port used to access the database depends on the +[database configuration](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-network-configuration?view=sql-server-ver15#database-configuration) +and the +[connectionString](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-8.0) +set in the technical configuration. See the +[Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md) topic for additional +information. + +#### **3.** Agents + +One or several agents perform synchronization and provisioning to/from the managed systems. + +### Data flow + +Identity Manager needs the following data flows to be enabled: + +- The **Server** requires opening connections to the **Database**. 
+- The **Agents** require opening HTTPS connections to the **Server**. +- The **Agents** require accessing **managed systems**. +- All end-users' **browsers** require opening HTTPS connections to the **Server**. +- All end-users' **browsers** require accessing the authentication providers. See the + [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. +- Some end-users' **browsers** require opening HTTPS connections to the **Agents**. + + These connections are used to launch `Jobs` or use the `Reset Password` capabilities of some + connectors. This requirement only applies to a few specific **administrator type profiles**. + +- The **Server** and the **Agent** both need to access an **SMTP server** to + [ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md). + +## SaaS vs. On-Premise + +Identity Manager comes in two flavors: SaaS and On-Premise. + +- The **SaaS** offering only requires the Agent to be installed on your organization network. +- The **On-Premise** offering requires the Agent, the + [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md), and the + [ Install the Database ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/database/index.md) to be installed. + +See the [ Install the Agents](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md) topics for additional information. + +## Hosting Hardware + +Depending on the existing network infrastructure and constraints, Identity Manager's components can +be organized in several ways. + +### Database and Servers + +The Identity Manager Database can be installed on the same workstation as the Identity +Manager Server or run on a separate machine. The second approach is recommended. 
+ +### Server and Agents + +The Identity Manager Server and the Agents can be spread between several workstations. See the +[ Install the Agents](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md) topics for additional information. + +Two scenarios unfold: + +**1.** The server and agents are installed on separate workstations + +This approach is useful when managed systems need to run on separate and isolated networks. + +![Server & Agents isolated](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/distribution_1.webp) + +**2.** The Server and one Agent are installed on the same workstation + +In that case, the Identity Manager Agent can run directly within the Identity Manager Server +process. The hosting workstation would **only host a Identity Manager Server process** (with the +integrated agent) and no separate agent needs to be installed. The database could be installed on +the same workstation or on a separate one. + +![Server & Agent together](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/distribution_2.webp) + +## Authentication + +End-users will be able to access Identity Manager after authentication. Several authentication +methods are available. See the [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for +additional information. + +## Email Server + +Identity Manager sends notifications to users by email. An email server will have to be set up for +the Agent and the Server. See the [ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md) +topic for additional information. + +Before you check out the installation steps, make sure that all the +[Requirements](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/index.md) are met. 
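Review bot: In the older-versions release notes (Version 5.1.1 and 5.1.0 sections), the 5.1.0 migration steps cannot be followed as written. Step 4b, `Usercube-Deploy-Configuration -d � conf � -s � base � -e`, has its quote characters replaced by the replacement character (U+FFFD). Step 3a passes `-s "database name"` where the 5.1.1 steps pass `-s "database connection string"`, and step 4a still carries the untranslated "conf cible". Please restore the quotes and make the argument descriptions consistent between the two versions. The same encoding damage affects `�Runtime_XXXX.zip'`, `�Blocked'`, `�Pending'`, `�Suggested'` and `�undefined'`. The AzureAD guest-invitation entry ends with "as in the following example:" followed by an empty inline code span, so the ResourceTypeMapping example it promises is missing. Spelling to fix while here: "Major Enchancements", "Certfication", "transfered", "resoure tables et most", "notifictions", "provisioining", "containts", "unncessary", "caracters", "provisionner", "ReourceType", the alt text "Dasboard", and "can no longer possible to make".

Review bot: In docs/identitymanager/6.2/identitymanager/index.md, the Installation Guide bullet reads "to install Identity Managerin a production environment" (missing space), and the last bullet's link text is `[ What's New]` with a leading space inside the brackets. Fix both so the rendered guide list reads cleanly.

Review bot: In installation-guide/overview/index.md, the "Data flow" list names HTTPS for the agent and browser connections but gives no transport or port for "The **Server** requires opening connections to the **Database**" or for the SMTP flow. A reader deriving firewall rules from this list has to leave the page to find them. Either state the expected transport in those two bullets or move the Network Configuration link from the Database component paragraph into the list. The bullet on browsers reaching the Agents says it applies only to "a few specific administrator type profiles", so it would help to say that this path can be limited to those users. Wording: "a Identity Manager" appears twice, "needs not be installed" should be "need not be installed", "fits best your organization's needs" should be "best fits", and the On-Premise bullet uses link titles as nouns ("requires the Agent, the [Install the Server], and the [ Install the Database ] to be installed"). Several link texts carry padding spaces, for example `[ Send Notifications ]` and `[ Install the Agents]`.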
diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md new file mode 100644 index 0000000000..ac3d7c702f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md 
@@ -0,0 +1,530 @@ +# Install the Agents + +Most on-premises installations use an agent integrated with Identity Manager's server. If this is +your case, and the server is already installed, no need to go further. If, on the other hand, you +need separate agents, or if you are installing Identity Manager's agents within Identity Manager's +SaaS offering, this is the way to go. + +**NOTE:** Please make sure that Identity Manager's agent requirements are met before going further. +See the [ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. + +## Agent Working Directory + +The agent runtime content should be extracted from the runtime archive following the instructions +provided in the [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) topic. + +In the separate agent setup, the agent is usually installed on a different workstation from the +server. + +The agent is configured thanks to the appsettings.agent.json file. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +## Create an IIS Website + +It is recommended to run the Identity Manager agent as an IIS website. + +_Remember,_ to install Identity Manager's agent as a Windows service, see the +[ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. + +Adding Identity Manager's agent as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net/) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. 
+ +The Microsoft Documentation provides the +[prerequisites](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the procedure to +[create a new IIS site](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#create-a-new-iis-site). + +The information needed to go through the creation process are the following: + +- Identity Manager's agent uses an in-process hosting model +- Identity Manager's agent uses .NET +- Identity Manager agent's web.config dwells in the runtime directory + + It might require a few modifications to target the agent instead of the server: + + **Step 1 –** Open web.config with a text editor. + + **Step 2 –** Change the arguments and stdoutLogFile attributes of the `aspNet` element as + indicated below: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +- When creating the website, enter the following data: + + **Step 1 –** Site name: Identity Manager Agent `Organization` is the recommended naming + convention + + **Step 2 –** Physical path: /`agent working directory`/Runtime + + **Step 3 –** Type: http + + **Step 4 –** IP address: All unassigned + + **Step 5 –** Port & Hostname: To access Identity Manager's agent. Use the hostname and port that + has been reserved for Identity Manager. + +After creation, the following settings are recommended: + +- **Application Pool** > **Identity Manager `Organization`** > **Advanced Settings** > **General** > + **Start Mode** set to AlwaysRunning; +- **Application Pool** > `Identity Manager Organization` > **Advanced Settings** > **Process + Model** > **Idle Time-out** (minutes) set to 0 and Load User Profile set to True; +- **Application Pool** > **Identity Manager `Organization`** > **Recycling** > Regular time + intervals set to 0. 
+ + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Identity Manager's features such as the job scheduler. IIS + already recycles the application pool at each setting change, thus Netwrix recommends not using + periodic recycling. + +The following is +[mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#mandatory): + +- **Application Pool** > **Identity Manager `Organization`** > **Advanced Settings** > **General** > + **.NET CLR Version** > **No Managed Code** + +![IIS Settings](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +This sums up IIS settings. + +## Hosting Bundle + +You need to install the +[dotnet hosting bundle](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) (version 8.0 or +higher) to be able to run dotnet application. + +## Select an Agent Identity + +The agent, through Identity Manager's server IIS Website, should be assigned a service account with +the relevant permissions. See the [ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic +for additional information. + +You can either: + +- Use the built-in application pool identity and grant this identity the right permissions. See the + [ Install the Agents](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md) topic for additional information. +- Use a custom Windows service account with the right permissions and use it as an IIS identity for + Identity Manager's agent IIS Website + +### Check default behavior + +Usually, creating an IIS application pool, such as the one within which Identity Manager's server +website runs, triggers the creation of a service account `IIS APPPOOL/apppool_name` (where +`apppool_name` is the application pool name) known as an application pool identity. 
It is associated +with the IIS website. This account is granted basic group membership that should enable it to access +what it needs. + +For more information about IIS identities, visit the +[Microsoft Documentation](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis). + +Building on this default behavior, the default Application Pool Identity is usually granted the +necessary permissions for Identity Manager's server to operate. + +Before going further, you should check the following points: + +**Step 1 –** Find the group membership of `IIS APPPOOL\apppool_name`. + +**Step 2 –** Check the permissions on the working directory. Right-click the working directory and +select Security. The group section should contain one of the `IIS APPPOOL/apppool_name` groups, +namely Users. And, + +**Step 3 –** If the built-in application pool identity has been created but does not have the right +permissions, you can follow the steps outlined in Install the Agents section to fix it. Go back to +the section to make sure that the built-in application pool identity is effectively used by Identity +Manager's server IIS Website. + +**Step 4 –** If you would rather use a custom service account instead of the built-in application +pool identity, start with Install the Agents. + +**Step 5 –** If you're not sure what to do, follow the procedure below, starting with Install the +Agents. + +Once the steps indicated above are completed you can carry on with setting an IIS Identity. + +### Set an IIS Identity + +If you want to use the built-in application pool identity created with the application pool, you can +use +the[ Microsoft documentation](https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities). + +If you would rather use a custom service account created for Identity Manager's agent, follow the +procedure below. 
+ +The following implies that a +[custom service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) +has already been created for Identity Manager's agent. See +the[Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +Follow the steps below to set an IIS identity and note that these are the same for the server: + +**Step 1 –** Open the IIS Manager (`INETMGR.MSC`). + +**Step 2 –** Open the **Application Pools** node underneath the machine node. + +**Step 3 –** Select the Identity ManagerAgent/`Organization` application pool. + +**Step 4 –** Right-click and select **Advanced Settings**. + +**Step 5 –** In the **Process Model** section, on the **Identity** list item, click on the three +dots to open the **Application Pool Identity** dialog. + +**Step 6 –** Select the **Custom Account** radio button and click on **Set**. + +**Step 7 –** Enter the Service Account credentials. + +**Step 8 –** Click **OK**. You're all set. + +Identity Manager's server IIS site will now use this identity to access the database and the working +directory. + +## Set the Agent Permissions + +Identity Manager's agent needs specific permissions on its working directory to run, write +synchronization output and read provisioning orders. See the +[Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. + +Up to four folders have to be considered: + +- the working directory +- the runtime directory, usually `C:/identitymanager/Runtime` +- the data collection directory, usually `C:/identitymanager/Temp` +- the provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data + collection directory). 
+ +See the[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Further check the permissions of the service account and perform the steps for each of the relevant +directories: + +**Step 1 –** Go to the working directory parent folder. + +**Step 2 –** Right-click the working directory. + +**Step 3 –** Select **Properties**. + +**Step 4 –** Select **Security**. + +The agent service account selected in the previous step can either: + +- have the necessary permissions or it belongs to a group that does, so no further action is + required +- is missing one of the permissions + +To fix the missing permissions follow the steps: + +**Step 1 –** Click on **Edit**. + +**Step 2 –** Click on **Add**. + +**Step 3 –** In the **Enter the object names to select** textbox, enter the service account name in +the down-level logon format. For example, if you chose the built-in application pool identity, this +would be `IIS APPPOOL/identitymanagerAgent`. + +**Step 4 –** Click on **OK**. + +**Step 5 –** Select the newly added user name in the Group or user names panel at the top of the +window. + +![Object Names](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + +**Step 6 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for +the others. See the[Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional +information. + +**Step 7 –** Click **OK**. + +The working directory permissions are all set. + +The same steps have to be performed on the runtime, the data collection and the provisioning orders +directories. 
See the[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +## Name the Agent + +Every agent is assigned a name. This name will be used in the UI to differentiate agents for the +end-user, and in the XML configuration to assign connectors to specific agents. + +In the appsettings.agent.json file, the **OpenId** > **AgentIdentifier** can be set to any string +except for Local which is already taken by Identity Manager's inner workings. Then the agent set in +the XML configuration must have the same string as identifier. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +": { + "AgentIdentifier": "" +} +``` + +With the following configuration: + +``` + +``` + +## Connect the Agent to the Managed Systems + +The Runtime/appsettings.agent.json file is a technical configuration file that will enable you set +up the connection between the agent and the target managed systems. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +Every agent is associated with an appsettings.agent.json file. + +The integration team should communicate the list of the managed systems to be connected to the +agent, together with their configuration. + +Here is an example of appsettings.agent.json connecting an agent to an Active Directory and an SAP +server. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... 
+ "Connections": { + "ADExport": { + "Servers": [ + { + "Server": "", + "BaseDN": "" + } + ], + "AuthType": "", + "Login": "", + "Password": "", + "Filter": "<(objectclass=*)>", + "EnableSSL": "" + } + "": { + "Server": "", + "Login": "", + "Password": "" + } + } +} +``` + +_Remember,_ storing sensitive managed system data in configuration files, such as login/password +pairs, is strongly discouraged. Sensitive data should be protected by one of the credentials +protection methods. See the[Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) topic for +additional information. + +## Encryption Key Pair + +Identity Manager's agent needs an +[RSA key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) to perform various encryption +operations, such as source, configuration, or log file encryptions. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the server's host file system. The file contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps) +and +[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (`UsercubeContoso.pfx`) bundling a public key certificate (`Identity Manager contoso.cert`) +and a private key (`usercubecontoso.key`) with OpenSSL, with a 50-year expiration date: + +**Step 1 –** Enter the following command: + +``` +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +**Step 2 –** Enter the following command: + +``` +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step 2 in the +frame above. + +The certificate has to be linked to Identity Manager via EncryptionCertificate in the +appsettings.agent.json file. + +See +the[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information about configuration parameters. + +### Certificate as a plain file + +The following parameters are used to link the file to Identity Manager in EncryptionCertificate. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be +[password protected](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#password-protected), +hence the X509KeyFilePassword attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. 
It +should always be encrypted using the Usercube-Protect-CertificatePassword tool. See +the[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "": { + "": "<./identitymanagerContoso.pfx>", + "": "" + } + ... +} +``` + +### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the +recommended method. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "": { + "":"", + "": "", + "": "" + } + ... +} +``` + +## Connect the Agent to Server + +The connection to Identity Manager's server can be configured through: + +- The applicationUri attribute in the Runtime/appsettings.agent.json file has to be set to Identity + Manager's server URL + +- OpenIdClients and DefaultOpenIdClient must be used to set the agent's credentials to connect to + the server; See + the[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + and[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) + topics for additional information. + +Their content should be provided by the integration team, in relation to the OpenIdClient tag in the +applicative configuration. See +the[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +topic for additional information. 
+ +The following example shows an appsettings.agent.json file that sets an agent to connect to Identity +Manager's server (`https://identitymanagerserver.contoso.com`) with the OpenId client identifier `Job` and +the password `secret`, stored in the OpenIdClients list which also contains the "admin/secret" +login/password pair. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + .... + "ApplicationUri": "", + "OpenIdClients": { + "Job": "", + "Admin": "" + }, + "DefaultOpenIdClient": "" +} +``` + +_Remember,_ storing plain text passwords in configuration files is strongly discouraged. Sensitive +passwords should be encrypted. + +## Install the Agent as a Windows Service + +Installing Identity Manager's agent as a Windows service instead of an IIS website is mostly useful +when using IIS is rendered moot by another system. For example, using a reverse proxy in front of +Identity Manager's agent. + +To install Identity Manager's agent as a service in Windows server, use the following command: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +sc.exe create Usercube binpath= "" displayname= "" start= auto obj= "" password= "" +``` + +_Remember,_ make sure to include a space between each parameter's equal sign (=) and the parameter +value. + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts Identity Manager's agent only if an +incoming http request is made on the server and the scheduler is not launched until Identity +Manager's agent is started. Because of that, you need to carefully set up the starting mode of IIS +to force the starting of Identity Manager's agent. 
+ +Identity Manager's agent warm up is done using the `` element in the +web.config file, the configuration is described +[here.](https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) + +You need to: + +**Step 1 –** Enable the Application Initialization feature + +**Step 2 –** Modify the applicationHost.config file to set the startMode of the application pool as +AlwaysRunning. You also need to set the preloadEnabled of your application set to true. It is +advised to backup the applicationHost.config file when doing this step to prevent mistakes. + +**Step 3 –** Double check that the following section is set in your web.config file, in the section +system.webServer: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +\ +\ +\ + +``` + +Once done, you need to check that the configured jobs are launched via the Identity Manager's +scheduler without having to manually issue a request on Identity Manager's agent. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## What's Next? + +The last step in the installation process is setting up an Email server. See the +[Send Notifications](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md)topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/database/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/database/index.md new file mode 100644 index 0000000000..626883a24d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/database/index.md 
@@ -0,0 +1,66 @@ +# Install the Database + +The Identity Manager Database can be installed on the Server workstation or on a separate machine. + +Please make sure that the [Database](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md) requirements +are met before going further. + +## Steps + +### 1. Install SQL server + +Microsoft's extensive documentation can be used to get help +[installing a SQL Server 2016 or later](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server). + +### 2. Create the database + +The recommended naming convention is `Usercube`, where `` is the name of +the organization targeted by this installation. + +> **FAQ**: +> [How to create a database in SQL Server?](https://docs.microsoft.com/en-us/sql/relational-databases/databases/create-a-database?view=sql-server-ver15) + +The database name is of no technical importance, but following the naming convention will make it +easier to read the guide. + +### 3. Initialize the database + +The database scheme can be initialized by running the `Usercube.sql` script (found in the +`SQL_.zip` archive) on the newly created database. + +Preferred methods include +[SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +and +[command line](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +#### Example of procedure for SQL Server Management Studio 2019 + +- Open SQL Server Management Studio. +- Connect to your SQL Server instance. +- In the top left corner, select **File** > **Open** > **File**. +- Select the `Usercube.sql` file. +- Open the file. The file is now open in the main SQL Server Management Studio window. +- Locate the database name dropdown, next to the **Execute** button in the top left section of the + screen. 
+ +![Execute Query](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/database/execute_query.webp) + +- From the dropdown, select the newly created database. +- Click **Execute**. + +#### Example using the sqlcmd CLI + +``` +sqlcmd -S \ -d Usercube -i +``` + +## What's Next? + +The next step will consist in: + +- Setting up the Identity Manager Server as an IIS website. +- Creating a custom service account. +- Granting the necessary database permissions for this account. + +It will also show how to test the Identity Manager Database connection. See the +[Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md new file mode 100644 index 0000000000..aba927a7ae --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md 
@@ -0,0 +1,102 @@ +# Send Notifications + +An SMTP server is used by the Identity Manager Server to send notification emails to its users, and +by the Identity Manager Agent to send Reset Password emails. + +## Email Delivery + +### Via a local SMTP server and the pickup directory + +Both the Agent and the Server can send emails using a **local SMTP server** with Microsoft's +**Pickup Directory** feature. + +**Pickup Directory** is a feature offered by most of Microsoft's SMTP services, such as IIS SMTP +service or Microsoft Exchange Server. + +The pickup directory helps reducing network overhead by eliminating SMTP traffic between +applications, such as the Identity Manager Server or Identity Manager Agent, and SMTP servers. It is +particularly useful when using emails as notifications. + +To send an email, an application usually communicates with an SMTP server via the SMTP protocol. In +the real world, email notifications generate a lot of traffic on the organization network. This +extra traffic can be avoided by having applications (such as the Identity Manager Server or Identity +Manager Agent) write emails as local files in a local directory instead of sending SMTP packets. + +The SMTP server will then periodically check the directory and send any email found in it. The SMTP +exchange between the applications and the SMTP server is replaced by file writing and reading. + +The directory where clients write emails as files is called the **pickup directory**. + +### Via an external SMTP server + +Both the Agent and the Server can get their emails delivered through an **external** SMTP server. + +## Server Emails + +The SMTP server used by the Identity Manager Server is configured in the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md). + +Here is an example with an external SMTP server. + +``` + +appsettings.json + +{ + ... 
+ "MailSettings": { + "Host": "smtp.contoso.com", + "FromAddress": "no-reply@contoso.com" + } +} + +``` + +The **Host** attribute is the hostname or IP address of an external SMTP server. You can also +specify a directory path instead, that would be the **pickup directory** of your **local** SMTP +server. + +You can also input a **UserName** and **Password** if the SMTP server requires Identity Manager to +authenticate to send emails. + +## Agent Emails + +From the agent side, the email settings dwell in the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +file. + +Here is a classic example that enables Identity Manager to send emails through the +_smtp.contoso.com_ server using _[no-reply@contoso.com](mailto:no-reply@contoso.com)_ as the sender +address. The Identity Manager Agent will authenticate to the SMTP server with the _contosoIdentity +Manager_ login. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "Host":"smtp.contoso.com", + "Port":993, + "Username": "contosousercube", + "Password": "secret" + } + +``` + +If you'd rather use a **local** SMTP server with **pickup directory**, _Host_, _Port_, _Username_ +and _Password_ won't be needed. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "UseSpecifiedPickupDirectory": true, + "PickupDirectory": "C:/Temp/identitymanagerContosoPickup", + } + +``` + +## That's It! + +Now, you're all set to start using Identity Manager. + +Enjoy the benefits of your new Identity and Access Management solution. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/index.md new file mode 100644 index 0000000000..4a90f42194 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/index.md 
@@ -0,0 +1,35 @@ +# Production-Ready Installation + +This guide leads the reader through the steps to install Identity Manager for production purposes. + +**1.\_\_**Before proceeding\_\_, you should go through the [ Overview ](/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md) and +[Requirements](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/index.md) sections to make fundamental decisions about Identity +Manager setup, including: + +- Whether to install the database within the Identity Manager Server or on a separated workstation. +- How many Agents will be installed? +- If only one Agent is installed, whether to install it as an integrated agent or a separate agent. +- What end-user authentication methods are to be used? +- What hosting environment is used for the Agent and the Server? + +**2.** You should **get the following archives ready**: + +- Identity Manager runtime: `runtime_.zip` +- Identity Manager database scheme: `Usercube.sql` from the `SQL_.zip` + +**3.** This guide is **based on the following choices**: + +- Identity Manager Server running with IIS +- Identity Manager Database connection with Windows authentication + +This guide will allow you to **extrapolate** less common configurations and will provide links to +the relevant [Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md) +sections. + +Our examples use the fabled +[Contoso Corporation](https://docs.microsoft.com/en-us/microsoft-365/enterprise/contoso-overview?view=o365-worldwide) +as target organization. + +## What's Next? + +The first step consists in [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md). 
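Review bot: In the agent installation topic (the hunk that ends just before the database/index.md header), Step 2 under "Encryption Key Pair" repeats the Step 1 `openssl req` command, so the procedure never produces the `UsercubeContoso.pfx` archive it announces, and both commands use `-newkey rsa:1024`. The server topic added in this same patch uses `rsa:2048` followed by `openssl pkcs12 -export -out UsercubeContoso.pfx -inkey usercubecontoso.key -in usercubecontoso.cert`; I'd align the agent topic with that. The introductory sentence also names the certificate `Identity Manager contoso.cert` while the command writes `usercubecontoso.cert`. Separately, the angle-bracket placeholders are missing from most code blocks in this topic (`"": {`, the empty block after "With the following configuration:", `sc.exe create Usercube binpath= ""`, the web.config block that is only backslashes), although each is introduced with "Code attributes enclosed with `<>` need to be replaced", and the Connections example lacks a comma between the `ADExport` object and the key that follows it.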
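Review bot: In production-ready/database/index.md, the sqlcmd example reads `sqlcmd -S \ -d Usercube -i`, with no server or instance name and no script path after `-i`, so it cannot be run as written. The same loss shows in "`Usercube`, where `` is the name of the organization" and in `SQL_.zip`: the angle-bracket placeholders appear to have been dropped. Please restore them in a form the renderer keeps, and give `Usercube.sql` as the `-i` argument, since that is the script section 3 tells the reader to run.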
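Review bot: In production-ready/email-server/index.md, the "Agent Emails" sample sets `"Port":993` for an SMTP host; 993 is the IMAP-over-TLS port, so a copied sample will not reach an SMTP listener (587 and 465 are the usual submission ports). The same block carries `"Password": "secret"` with no caution, whereas the agent topic in this patch warns that storing plain text passwords in configuration files is strongly discouraged; I'd repeat that warning here. The pickup-directory sample has a trailing comma after `"PickupDirectory": "C:/Temp/identitymanagerContosoPickup",`, the prose gives the login as "contosoIdentity Manager" while the sample uses `contosousercube`, and the server section spells the setting **UserName** where the agent sample has `Username`.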
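Review bot: In production-ready/index.md, the first numbered item `**1.\_\_**Before proceeding\_\_,` has escaped underscores inside and after the bold markers, so it will render literal underscores instead of the emphasis that items 2 and 3 use; write it as `**1.** **Before proceeding**,`. The archive names `runtime_.zip` and `SQL_.zip` have lost the placeholder after the underscore, and the link texts `[ Overview ]` and `[ Create a Working Directory ]` carry stray spaces inside the brackets.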
diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md new file mode 100644 index 0000000000..5d0dea5365 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md 
@@ -0,0 +1,533 @@ +# Install the Server + +**NOTE:** If you are a SaaS client this topic does not apply. You can skip directly to end user +authentication. See the [Set up End-User Authentication](#set-up-end-user-authentication) topic for +additional information. + +Identity Manager Server can be installed on the same workstation as the database or on a separate +workstation. If Identity Manager is installed on a separate workstation, it requires the SQL +PowerShell components to function properly. + +Please make sure that the server requirements are met before going further. See the +[Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. + +## Server Working Directory + +The server executable is beeing been extracted to the working directory as `Usercube-Server.exe` and +`Usercube-Server.dll` and will enable a user or IIS to run the Identity Manager Server. See the +[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md)topic for additional information. + +## Set up the License Key + +The license key provided by Identity Manager must be set up in the **appsetting.json** > **License +attribute**. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +## Create an IIS Website + +It is recommended to run the Identity Manager Server as an IIS website. + +To install the Identity Manager Server as a Windows service, please jump to Install the Server as a +Windows Service. See the [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. 
+ +Adding the Identity Manager Server as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. + +An IIS website must be created using the +[Microsoft guide](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the following parameters: + +- Site name: `Usercube` is the recommended naming convention +- Physical path — `//Runtime` +- Type — `http` +- IP address — `All unassigned` +- Port & Hostname — To access the Identity Manager Server and the UI. Use the hostname and port that + has been reserved for Identity Manager. + +During installation, the following information guides some of your choices: + +- The Identity Manager Server uses an in-process hosting model +- Identity Manager Server's `web.config` can be found in the `Runtime` folder +- The Identity Manager Server uses .NET + +After creation, the following settings are recommended: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > Start Mode + set to `AlwaysRunning`; +- **Application Pool** > `Usercube` > **Advanced Settings** > **Process Model** > Idle + Time-out (minutes) set to `0` and Load User Profile set to `True`; +- **Application Pool** > `Usercube` > **Recycling** > Regular time intervals set to + `0`. + + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Identity Manager's features such as the job scheduler. IIS + already recycles the application pool at each setting change, thus Netwrix Identity Manager + (formerly Usercube) recommends not using periodic recycling. 
+ +The following is mandatory: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR + Version > `No Managed Code` + +![IIS Settings](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +An SSL Certificate should also be set to the IIS Server to perform HTTPS communication with +end-users. + +## Hosting Bundle + +You need to install the dotnet hosting bundle (version 8.0 or higher) to be able to run dotnet +application. + +## Select a Server Identity + +The Identity Manager Server, through the IIS Website, should be assigned a service account with the +relevant permissions. + +### Create the service account + +This section requires using an Active Directory account with sufficient privileges to create service +accounts on the domain. + +To create a service account you need to perform the following steps: + +**Step 1 –** Log on to a Windows server in the target domain environment. You should use an account +with the necessary permissions to create new domain accounts. + +**NOTE:** The target domain is the domain where SQL Server is installed. + +**Step 2 –** Access the _Active Directory User and Computers_ tool with the command `dsa.mc`. + +**Step 3 –** Select the target domain and Click on **Users**. From the users list, right-click to +select **New** > **User**. + +**Step 4 –** Choose a mnemonic _First Name_ for the Identity Manager Server, as for example +`UsercubeContosoServer`, and click **Next**. + +_Remember,_ the down-level log on name in the format `DOMAIN/userName`,.as for example +`CONTOSO/identitymanagerContosoServer`. + +**Step 5 –** Set a password and remember it for later, check the boxes **User cannot change +password** and **Password never expires**. + +This newly created service account is a domain account and will be used as an IIS identity. 
+ +**NOTE:** You can go further and use Managed Service Account to avoid dealing with the service +account password update yourself and let Windows worry about it. This feature requires installing +Identity Manager on Windows Server 2016 or later, and using an Active Directory with a forest level +set to Windows Server 2016 or later. + +### Set an IIS identity + +The following implies that a custom service account has already been created for the Identity +Manager Server. + +To set an IIS identity you need to perform the following steps: + +**Step 1 –** Open the IIS Manager (`INETMGR.MSC`) and then the **Application Pools** node underneath +the machine node. + +**Step 2 –** Select the `Usercube/` application pool and right-click and select +**Advanced Settings**. + +**Step 3 –** In the **Process Model** section, on the **Identity** list item, click on the three +dots to open the **Application Pool Identity** dialog. + +**Step 4 –** Select the **Custom Account** radio button and click on **Set** and enter the +previously created Service Account credentials: + +- User name in the format `DOMAIN/userName` that you have previously written down +- Password, previously remembered + +**Step 5 –** Click **OK**. You're all set. + +The Identity Manager Server IIS site will now use this identity to access the database and the +working directory. + +## Set-up Permissions + +The Server permissions include the database and working directory. + +### Set- up the database permissions + +The service account used by the Server to access the database needs the following database-level +roles in SQL Server: + +- `Public` +- `Dbowner` + +And the `Administer bulk operations` server-level role. 
+ +This guide will show you how to perform these operations using SQL Server Management Studio: + +**Step 1 –** Open SQL Server Management Studio (SSMS) and log in to access the server on which runs +the Identity Manager Database with an account member of the **sysadmin** or **securityadmin** +server-level role. + +![New Login](/img/product_docs/accessanalyzer/install/application/newlogin.webp) + +**Step 2 –** Expand the **Security** and **Login** nodes, and look for the Identity Manager service +account in the list. + +If you cannot find the service account click on the **Login** node, right-click and select **New** > +**Login**. + +**Step 3 –** On the **General** page, enter the service account login name in the down-level logon +format, such as `CONTOSO/identitymanagerContosoServer`. If you're not sure about the correct spelling of +your service account or domain, you can search for it using the search window. From the **Login** +node, right-click and select **New login** > **Login name** > **Search**. + +**Step 4 –** Choose either**Windows authentication** if you chose to connect the server to the +database with a Windows service account (Integrated Security=SSPI in the connection string) or a +**SQL Server authentication** for a SQL Server account (if you set up the connection string with a +login/password). In the SQL case, fill in the same password in the form as in the connection string. +You should now see the newly created login in the Login list. + +**Step 5 –** From the **Login** node, right-click the newly created login and select **Properties** +then go to the **Server Roles** page on the left and make sure **public** is checked. + +**Step 6 –** Go to **User Mapping**and make sure `Usercube/` is checked (top panel), +as well as **db_owner** and **public** (bottom panel). 
+ +![Bulk](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/bulk.webp) + +**Step 7 –** Right-click the **Server** root node and select **Properties**, and in the +**Permissions** tab, select the service account or group name. + +**Step 8 –** Grant the **Administer bulk operations** permission. and confirm with **OK**. + +Identity Manager Server now has the required permissions to access the database. + +### Set the working directory permissions + +The Identity Manager Server needs specific permissions on the working directory to run, read +synchronization output, and write provisioning orders. See the +[Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. + +Up to four folders have to be considered: + +- The working directory +- The runtime directory, usually `C:/identitymanager/Runtime` +- The data collection directory, usually `C:/identitymanager/Temp` +- The provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data + collection directory). + +See the [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +The following steps can be performed for each of the relevant directories. + +First, let's check what permissions the service account already has. + +To do so go to the working directory parent folder, right-click the working directory, select +**Properties** and then select **Security**. + +From there, you have two choices. + +The Identity Manager Server service account that was chosen previously: + +- Already has or belongs to a group that already has the needed permissions. 
There is nothing more + to do +- Is missing one of the needed permissions and you need to perform the steps underlined below: + + **Step 1 –** Click on **Edit** and then on **Add**. + + ![Object Names](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + + **Step 2 –** In the **Enter the object names to select** textbox, enter the service account name + in the down-level log on format, such as `CONTOSO/identitymanagerContosoServer`, then click **OK**. + + **Step 3 –** Select the newly added user name in the **Group or user names** panel at the top of + the window. + + **Step 4 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column + for the others, and then **OK**. + +The working directory permissions are all set. + +The same steps have to be performed on the runtime, the data collection and the provisioning orders +directories. See the [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +## Encryption and Authentication Key Pairs + +The Identity Manager Server requires an RSA-2048 encryption key pair to perform various encryption +operations, such as source, configuration, or log file encryptions. Identity Manager's Identity +Server also needs an RSA-2048 authentication key pair for end-user authentication purposes. + +These certificates don't need to be integrated into the target organization's Public Key +Infrastructure (PKI) and don't require an expiration date. They're only relevant to specific +Identity Manager temporary data and can be changed at any time. 
+ +Each RSA key pair, as in an [X.509](https://en.wikipedia.org/wiki/X.509) public key certificate and +a private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called Personal Information + Exchange file or `.pfx` file) stored in the Server's host file system. The file contains both the + public key certificate and the private key. +- As a certificate from a Windows' certificate store identified by SubjectDistinguishedName or by + Thumbprint. The Windows certificate also contains both the public key certificate and the private + key. This is the recommended method. + +The key pairs can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps), and [pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (`UsercubeContoso.pfx`) bundling a public key certificate (`usercubecontoso.cert`) and an +RSA-2048 private key (`usercubecontoso.key`) with OpenSSL, with a 50-year expiration date: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +1. +openssl req -x509 -newkey rsa:2048 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +2.  +openssl pkcs12 -export -out UsercubeContoso.pfx -inkey usercubecontoso.key -in usercubecontoso.cert + +``` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step **2** in the +frame above. 
+ +### Generate and use an encryption key pair + +This is the key pair used to perform various encryption operations, such as source, configuration, +or log file encryptions. + +**Step 1 –** Generate a key pair using the OpenSSL method. + +**Step 2 –** Store the key pair as a `.pfx` file or use the Windows +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) +(recommended). + +**Step 3 –** Link the generated certificate to Identity Manager. + +### Generate and use an identity server key pair + +This is the key pair used by the Identity Server for end-user authentication purposes. + +**Step 1 –** Generate a key pair using the OpenSSL method. + +**Step 2 –** Store the key pair as a .`pfx` file or use the Windows +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) +(recommended). + +**Step 3 –** Link the generated certificate to Identity Manager. + +#### Certificate as a plain file + +The following parameters are used to link the file to Identity Manager in the `IdentityServer` +section. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be password protected, hence the +`X509KeyFilePassword` attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. +The password should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... 
+  "IdentityServer": { +      "X509KeyFilePath": "./identitymanagerContoso.pfx", +      "X509KeyFilePassword": "eff@%fmel/" +  } +  ... +} +``` + +#### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the +recommended method. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "IdentityServer": { +      "X509SubjectDistinguishedName":"UsercubeContoso", +      "X509StoreLocation": "LocalMachine", +      "X509StoreName": "AuthRoot" +    } +  ... +} +``` + +## Connect the Server to the Database + +Now that the Identity Manager Server has been provided with a service account with the right +permissions, let's finalize the setup. + +The connection between the Server and the Database requires choosing an authentication method: +[Windows Authentication](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15#windows-authentication) +or SQL Server authentication. See the +[ Connection to the Database ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md) +and +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topics for additional information. Windows authentication will require the IIS identity to be set to +the custom Windows service account used to log in to the Identity Manager's Windows Server session. +SQL authentication will work with both the _built-in_ app pool identity and a custom service +account. This authentication method will write the login and password directly in the connection +string. 
+ +`Runtime/appsettings.json` is a technical configuration file that enables you to set up the +connection between the Server and the Database through the ConnectionString attribute. See the +[Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md) topic for +additional information. + +The connection string is set up in the `Runtime/appsettings.json` configuration file which can be +edited with any text editor, such as [Notepad++](https://notepad-plus-plus.org/downloads/). + +If the SQL Server is hosted on Azure, you should use the AzureCredentials setting before going +further. + +In the`Runtime/appsettings.json` file, find or write the `ConnectionString` attributes following the +examples shown below: + +The first example sets a connection string using the Windows authentication +(`Integrated Security=SSPI`) to connect, on a local SQL Server system (`source=.`), to the +`UsercubeContoso` database. See the + +The service account used by the Server to access the Database is either: + +- A Windows account if the connection string was set up using `Integrated Security=SSPI`. +- A SQL Server account if the connection string was set up with a login/password. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +... +"ConnectionString": "data source=.;Database=UsercubeContoso;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +... +} + +``` + +The second example sets a connection string using the SQL Server authentication. +`CONTOSO/identitymanagerContosoServer` has been set as the Identity Manager Server IIS website identity. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +... 
+"ConnectionString": "data source=.;Database=Usercube;User Id=CONTOSO/identitymanagerContosoServer;Password=myPassword;Min Pool Size=10;encrypt=false;" +... +} + +``` + +**_RECOMMENDED:_** SQL Server authentication stores plain text credentials in the configuration +file. This is strongly discouraged. To avoid storing plain text credentials, you should always +strive to use Windows authentication or encrypt sensitive setting values such as the connection +string. + +## SSL Certificate + +The Identity ManagerServer requires the use of an SSL Certificate trusted by all the target +end-users' browsers. The standard setup is to use a certificate signed by the target organization's +PKI root Certificate Authority and import the certificate into the end-user's Windows Store. + +This can be achieved using the +[Microsoft Management Console (MMC)](https://en.wikipedia.org/wiki/Microsoft_Management_Console). +See the +[View certificates with the MMC](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) +for additional information. + +## DNS + +Your organization's DNS needs to be updated according to the requirements indicated in Hostname and +DNS. See the [Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional +information. + +## Test Your Installation + +In order to test your installation you must: + +**Step 1 –** Make sure the IIS site is running. + +**Step 2 –** Go to the following URL with a browser: `:/hc` with the hostname and +port set up in Create an IIS website. See the [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional +information. + +**Step 3 –** The Identity Manager Server is trying to access the Database. If it succeeds, the +message **Healthy** should be displayed in the browser. 
+ +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts the Identity Manager Server only if +an incoming http request is made on the server and the scheduler is not launched until the Identity +Manager Server is started. Because of that, you need to carefully set up the starting mode of IIS to +force the starting of the Identity Manager Server. + +The Identity Manager Server warm up is done using the `` element in the +web.config file, the configuration is described in the +[Microsoft documentation](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization). + +You need to: + +- Enable the **Application Initialization** feature +- Modify the **applicationHost.config** file to set the **startMode** of the application pool as + **AlwaysRunning**. You also need to set the preloadEnabled of your application set to true. It is + advised to backup the **applicationHost.config** file when doing this step to prevent mistakes. +- Double check that the following section is set in your web.config file, in the section + system.webServer: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   + +``` + +Once done, you need to check that the configured jobs are launched via the Identity Manager's +scheduler without having to manually issue a request on the Identity Manager Server. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## Set up End-User Authentication + +The next step consists in setting up one or more authentication methods for end-users. 
You may +choose one or several external authentication providers among the following: + +- [OpenId Connect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication) + +Everything you need to know about setting up authentication is provided in the Technical +Configuration Guide. See the +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. + +## What's Next? + +Install the Agent is the next step of the process. See the [ Install the Agents](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/agent/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md new file mode 100644 index 0000000000..77768f80df --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md 
@@ -0,0 +1,57 @@ +# Create a Working Directory + +The working directory is a simple Windows directory where Identity Manager's Server and/or Agent +executable(s) and dependencies are stored on the workstation. This section shows how to set up the +directory for the rest of the installation and Identity Manager's lifespan. + +The following steps are to be performed on the Server workstation. They will also have to be +executed on the Agent workstation if a separate Agent setup has been chosen. + +## Steps + +### 1. Create the working directory + +The recommended naming convention is `C:/identitymanager`, where `` is the name +of the organization targeted by this installation. + +### 2. Extract the content of the runtime archive + +Extract the content of the `Runtime` archive into a `Runtime` folder in the newly created working +directory. + +### 3. Create a new empty folder in the working directory + +The folder will be used by the Server and Agent to write and read synchronization files and +provisioning orders. Job logs are usually found here. It is usually named `Temp` and is referenced +in the technical configuration files. + +The working directory structure should now resemble the following: + +``` +??UsercubeXXX + ? ??Temp + ? ??Runtime + ? ? ??wwwroot + ? ? ... + ? ? ??Usercube-Server.exe + ? ? ??Usercube-Agent.exe + ? ? ... + ? ? ??appsettings.agent.json + ? ? ??appsettings.cyberArk.agent.json + ? ? ??appsettings.encrypted.agent.json + ? ? ??appsettings.json + +``` + +`Runtime` contains Identity Manager executables and configuration files, including: + +- `Usercube-Server.exe`: the Identity Manager Server executable, which also contains an Agent. +- `Usercube-Agent.exe`: the separate Identity Manager Agent executable, that will be used only if + you choose to install a separate agent. +- `appsettings.*.json`: + [Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md). + +## What's Next? 
+ +Next section shows how to install the Identity Manager Database. See the +[ Install the Database ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/database/index.md)topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/quick-start/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/quick-start/index.md new file mode 100644 index 0000000000..f9b3400946 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/quick-start/index.md 
@@ -0,0 +1,91 @@ +# Quick Start Guide + +This guide leads the reader through the steps to quickly install Identity Manager's bootstrap +version. + +## Prerequisites + +The installation of Identity Manager requires: + +- A certificate named Usercube.pfx + ([see the Microsoft tool to create a self-signed certificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps)) + + If the certificate is named something other than Usercube.pfx, remember to change the name in + the Runtime/appsettings.json file too. + +- [Database](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md)-related specifications + +## Install the Bootstrap Version + +**Step 1 –** Go on the Netwrix Identity Manager (formerly Usercube) +[portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) and download the artifacts of the +expected version. + +![Extranet Artifacts](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/extranet_v601.webp) + +**Step 2 –** Extract from SDK the folder Identity Manager Bootstrap anywhere on the computer. + +**Step 3 –** Extract the content of Runtime to Identity Manager Bootstrap. + +When extracting Identity Manager Bootstrap to the root of the computer, it looks like: + +![Project Directory](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/directory_v602.webp) + +**Step 4 –** Move or copy your certificate inside the Runtime folder. + +**Step 5 –** Create a Sources folder in Identity Manager Bootstrap. + +_Remember,_ if you don't have the Identity Manager Bootstrap folder or if you don't create the +Sources folder, the Path in the Directory connection in the Runtime/appsettings.agent.json must be +adapted. Note that you don't need to have a Directory.xlsx file at the location described by this +Path for now. + +**Step 6 –** Create a database named Identity Manager, using the default options. 
+ +**NOTE:** When using a database server other than Microsoft SQL Server or a different database name, +remember to change the connection string accordingly, in the Runtime/appsettings.json file and in +the future command lines. + +**Step 7 –** Execute the Runtime/identitymanager.sql file in the database. + +**Step 8 –** Open a command prompt and deploy the configuration. See +the[ Usercube-Deploy Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) +topic for additional information. + +In our example, the command would be, in the Runtime folder: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -s "" -d "" +``` + +**Step 9 –** Launch the server. See the +[Usercube-Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md) topic for +additional information. + +In our example, the command would be, still in the Runtime folder: + +``` +./identitymanager-Server.exe +``` + +**Step 10 –** Open a browser and navigate to http://localhost:5000. Authenticate with administrator +as a username and the password specified in the Runtime/appsettings.json file, in the Authentication +section. + +![Authentication Dialog](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/authentication_v601.webp) + +Now you can start using the application. + +## Next Steps + +From there, you can start setting up Identity Manager via the **Settings** page which is accessible +from the **Configuration** section of the home page. 
+ +![Home Page - Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +Then, Netwrix Identity Manager (formerly Usercube) recommends following the user guide to start the +configuration of your IGA project from scratch. See the [User Guide](/docs/identitymanager/6.2/identitymanager/user-guide/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md new file mode 100644 index 0000000000..20ededf7db --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md 
@@ -0,0 +1,153 @@ +# Agent + +This section identifies the requirements for an Identity Manager agent. + +## Software + +The agent is a .NET application. + +Running an agent requires installing the +[Windows hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + +## Hosting + +When used separated from the server, the agent can be run as: + +- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended) +- A + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications) +- A stand-alone executable for tests or debugging purposes + +### Integrated agent + +Some installations require multiple separate agents, but most of them use a single integrated agent +that runs within the Identity Manager server process. In that case, the server executable contains +the agents and no agent executable needs to be executed. It means that if a Identity Manager server +is already installed, no further installation is required. + +In this case, the agent working directory is the same as the server working directory, and both the +agent's and server's `appsettings` share the same configuration. The `appsettings.agent` +configuration set is still configured through environment variables or via a separate +`appsettings.agent.json` file stored next to the `Usercube-Server.exe` executable, in the common +working directory. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topics for additional information. 
+ +## Service Accounts + +The agent should be assigned a +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +It can be either the IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis), +or a custom +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +### Working directory permissions + +The agent's service account needs specific permissions on the +[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md): + +- _Read_, _Modify_, and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually + `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_, _Modify_, and _List folder contents_ on the directory for provisioning orders, whose path + depends on the `Work` folder's path; +- _Read_, _Modify_, _List folder contents_, and _Write_ on the directory for data collection, whose + path depends on the `Work` folder's path. + +See the [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Other permissions should be denied. + +> **FAQ**: How to set up directory permissions in Windows Server? 
See the +> [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +### Managed systems' permissions + +Every Identity Manager agent needs one or several service accounts on the target managed systems, +able to read and write to said managed systems. + +> For example, using Identity Manager with an Active Directory instance requires the agent to be +> assigned an Active Directory service account that can read, write, change users' passwords, update +> group memberships, and synchronize the whole Active Directory. + +Before going further, make sure the integration team has provided: + +- The list of all managed systems +- Service accounts with the necessary permissions for the agent to perform _Read_ and/or _Write_ + operations on the systems associated with a connector allowing respectively synchronization and/or + provisioning; See the [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) topic for + additional information. +- service accounts' credentials + +Managed systems credentials are stored in the `appsettings.agent` configuration set and can be +protected. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +and [ Modules ](/docs/identitymanager/6.2/identitymanager/integration-guide/modules/index.md) topics for additional information. + +### Database permissions + +The agent needs a service account that can authenticate to SQL Server. + +## Hostname and DNS + +The agent needs to be assigned a hostname within the organization's domain. End-user browsers must +be able to resolve the agent's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). 
+ +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The agent requires the use of HTTPS ports and an SSL certificate in order to perform HTTPS +communication with the server. + +## Emails + +The agent needs access to an SMTP server to +[ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md). + +## Encryption Key Pair + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for the agent in order to perform various encryption operations, such as source, configuration, or +log file encryptions; + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Identity Manager data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) +and +[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? + +To start the installation, follow either the [ Quick Start Guide](/docs/identitymanager/6.2/identitymanager/installation-guide/quick-start/index.md) or the +[Production-Ready Installation](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md new file mode 100644 index 0000000000..e7953aa456 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md 
@@ -0,0 +1,119 @@ +# Database + +This section identifies hardware and software requirements for Identity Manager's database. + +## Hardware + +The database disk storage requirements depend on multiple factors as the database lifespan and the +number of entries, for example 100,000 users can take up appropriately 10 GB of storage + +**NOTE:** The maximum SQL Express database is 10 GB. + +## Software + +Identity Manager uses a +[SQL Server database](https://www.microsoft.com/en-us/sql-server/sql-server-2019) and supports SQL +Server 2016 or later. + +The +[database requirements](https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server?view=sql-server-ver15) +may depend on the chosen SQL Server edition and version. + +### Recommended features + +The following features are also highly recommended: + +- [Always On availability groups](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server): + only available in the Enterprise edition of SQL Server 2016 or later + + > **FAQ**: + > [How to enable Always On availability groups in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server?view=sql-server-ver15) + +- [Database Mirroring](https://docs.microsoft.com/en-us//sql/database-engine/database-mirroring/database-mirroring-sql-server?view=sqlallproducts-allversions): + available in all editions of SQL Server 2016 or later + + > **FAQ**: + > [How to enable database mirroring in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/setting-up-database-mirroring-sql-server?view=sql-server-ver15) + +- [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + + The data history feature introduced in Identity Manager v5.1.0, might cause some 
tables to grow + significantly. + + Database performance is greatly improved by enabling the + [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + feature for the `UR_Resource` and `UP_Assigned*` tables: + + | `UP_Assigned*` Tables | + | -------------------------- | + | UP_AssignedResourceTypes | + | UP_AssignedSingleRoles | + | UP_AssignedCompositeRoles | + | UP_AssignedNavigationRules | + | UP_AssignedScalarRules | + + This feature is available and enabled by default in SQL Server 2016 or later. + + > **FAQ**: + > [How to create partitioned tables and indexes?](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/create-partitioned-tables-and-indexes?view=sql-server-ver15) + +### Additional tools + +The installation and setup of the database require using either +[SQL server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +or the +[`sqlcmd` command line tool](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +## SQL Server Authentication + +Identity Manager can authenticate to SQL Server using either a SQL Server authentication login or a +Windows authentication login. + +Netwrix recommends using the +[Windows authentication login](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) +to avoid storing a plain text password in the technical configuration files. + +## SQL Server Roles + +The database administrator must be able to assign the following roles to the service account used by +Identity Manager to access the SQL Server database: + +- `db_owner` which is a + [database-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15). 
+ This role grants its owner the authorization to perform all configuration and maintenance + activities on the database, and to drop the database in SQL Server. +- `bulkadmin` which is a + [server-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver15). + This role grants its owner the authorization to perform bulk operations on the database. + + Although `bulkadmin` is a server-level role, it still requires Identity Manager to have + database-level permissions granted by the `db_owner` role. It means that bulk operations can be + performed on the database only if Identity Manager has been granted the `db_owner` role. + + Granting `bulkadmin` role to the server's service account requires access to an account member + of the `sysadmin` or `securityadmin` server-level role on the target SQL Server. See the + [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +For more information about identity and permission management in SQL Server, see +[Microsoft's documentation](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15). + +## Shared SQL Server and Dedicated Database + +Identity Manager's SQL Server installation can be used to host other database applications. + +Identity Manager's database itself must be used exclusively for Identity Manager. + +## Connection to the Server + +SQL feed must be open from Identity Manager's server to SQL Server. + +## Optimization + +The +[max degree of parallelism (MAXDOP)](https://learn.microsoft.com/en-us/azure/azure-sql/database/configure-max-degree-of-parallelism?view=azuresql-db) +must be set to 1 in the SQL database. + +## What's Next? + +Let's move on to the requirements for Identity Manager's server. 
See the +[Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/device-requirements/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/device-requirements/index.md new file mode 100644 index 0000000000..b9d8d251e9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/device-requirements/index.md 
@@ -0,0 +1,47 @@ +# Integration Device + +This section identifies the requirements for the Saas installation of Identity Manager. For the +requirements of on premise installation see the Integration Device topic in the Identity Manager 6.0 +or 6.1 +[Netwrix Identity Manager (formerly Usercube) Help Center](https://helpcenter.netwrix.com/category/identitymanager) +for additional information. + +## Hardware + +No matter whether the machine is virtual or physical, running a Identity Manager server or agent +requires at least 8 GB of RAM, 20 GB of disk storage, and a dual-core CPU. + +**NOTE:** Netwrix Identity Manager (formerly Usercube) recommends a 4-core CPU if SQL server is +installed on this device. + +## Software + +[.NET version 8.0](https://dotnet.microsoft.com/en-us/download/dotnet/8.0/runtime) or higher must be +installed. + +Microsoft Excel must be installed. + +A web browser must be accessible to test the future installation. Identity Manager's UI supports all +popular browsers: + +- Google Chrome (latest 2 versions) +- Mozilla Firefox (latest 2 versions) +- Apple Safari (latest 2 versions) +- Microsoft Edge Chromium + +## Administrator Account + +A Windows local administrator account is required to install the server and agent on the target +Windows Server workstation. + +## Additional Recommendations + +A not-so-minimalist text editor such as [Notepad++](https://notepad-plus-plus.org/downloads/) can be +useful to comfortably edit network configuration files. See the +[Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md)topic for +additional information. + +## What's Next? + +Let's move on to the requirements for Identity Manager's database. See +the[Database](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md)topic for additional information. 
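Review bot: In requirements/device-requirements/index.md the closing cross-references lose the space between link and text (`index.md)topic` under "Additional Recommendations", `the[Database](` and `index.md)topic` under "What's Next?"), so the rendered sentences run the words together; add the spaces. The intro also writes "Saas installation" and "on premise installation" where the server page in this same patch writes "SaaS" and "on-premises", and "a Identity Manager server" should be "an Identity Manager server".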
diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/index.md new file mode 100644 index 0000000000..47491ef61e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/index.md @@ -0,0 +1,8 @@ +# Requirements + +This section identifies hardware and software requirements for each Identity Manager component: + +- [Integration Device](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/device-requirements/index.md) +- [Database](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md) +- [Server](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md) +- [ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md new file mode 100644 index 0000000000..86890e65e4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/server-requirements/index.md 
@@ -0,0 +1,144 @@ +# Server + +This section identifies software requirements for Identity Manager's server. + +## License Key + +The server requires a license key provided by Netwrix Identity Manager (formerly Usercube). See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +## Software + +The server is a .NET application. + +Running the server requires installing the +[Windows hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + +## Hosting + +The server can be run as: + +- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended) +- A + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications); +- a stand-alone executable for tests or debugging purposes. + +It is recommended to enable the following +[Internet Information Services (IIS)](https://www.iis.net/) features to host Identity Manager: + +- [Windows Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#windows-authentication) +- [Anonymous Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication#anonymous-authentication) + +## Service Accounts + +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +The server should be assigned a +[custom Windows service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). 
+ +The IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis) +should not be used, because it will prevent the custom account from connecting to a distant SQL +Server. Hence Netwrix Identity Manager (formerly Usercube) recommends using a domain account. + +### Working directory permissions + +The agent's service account needs specific permissions presented in +the[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) topic as: + +- _Read_ and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually + `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_ and _List folder contents_ on the directory for provisioning orders, whose path depends on + the `Work` folder's path; +- _Read_, _List folder contents_, and _Write_ on the directory for data collection, whose path + depends on the `Work` folder's path. + +See the [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Other permissions should be denied. + +> **FAQ**: How to set up directory permissions in Windows Server? See the +> [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +### Database permissions + +If Windows' authentication is used for SQL Server, then the server should be able to authenticate to +SQL Server with its assigned service account. 
It means that the server's service account needs to be +assigned an SQL Server login with the relevant roles, including necessarily either `sysadmin` or +`securityadmin`. + +See the [Database](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/database-requirements/index.md) and +[Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topics for additional information. + +## Hostname and DNS + +In the case of an on-premises installation, the server needs to be assigned a hostname within the +organization's domain. Agents must be able to resolve the server's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). + +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The server requires the use of an SSL certificate in order to perform HTTPS communication with +end-users' browsers. + +Identity Manager SaaS offering comes with an SSL certificate signed by a trusted certificate +authority for the `*.usercube.com` domains. This certificate allows end-users to access the server +through the Internet without any further configuration. Using another domain name for the SaaS +installation requires providing Netwrix Identity Manager (formerly Usercube) with the corresponding +SSL certificate signed by a trusted certificate Authority. + +Identity Manager on-premises offering requires the use of an SSL certificate trusted by all the +target end-users' browsers. Standard practices use a certificate signed by the target organization's +Public Key Infrastructure (PKI) root certificate authority. The on-premise SSL certificate must be +set up in IIS. 
+ +## Emails + +The server needs access to an SMTP server to +[ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md). + +## Encryption and Identity Server Key Pairs + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for: + +- Identity Manager's server in order to perform various encryption operations, such as source, + configuration, or log file encryptions; +- Identity Manager's Identity Server for end-user authentication purposes. + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Identity Manager data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) +and[ pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? + +Let's move on to Identity Manager's agent requirements. See the +[ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/installation-guide/reverse-proxy/index.md b/docs/identitymanager/6.2/identitymanager/installation-guide/reverse-proxy/index.md new file mode 100644 index 0000000000..7ed3bfa320 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/installation-guide/reverse-proxy/index.md 
@@ -0,0 +1,202 @@ +# Reverse Proxy + +Identity Manager can be installed behind a +[reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) that acts as an intermediate server +between users and Identity Manager's server, in order to process users' requests and redirect them +to the right server(s), for performance and security purposes. + +## Overview + +A reverse proxy is usually used when: + +- needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be + able to monitor plain text requests from/to Identity Manager's server; + + ![Proxy Purposes: Encryption](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp) + +- installing Identity Manager with an integrated agent on a network isolated from the users' + browsers, in order to be able to access sensitive systems which are protected by being set up on a + network isolated from the Internet; + + ![Proxy Installation Example](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_example.webp) + + This installation will be used for the configuration examples below. + +- using several Identity Manager's server instances for load-balancing purposes. + + ![Proxy Purposes: Load Balancing](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp) + +As Identity Manager is session-less, working with several servers does not imply the need to +synchronize sessions between servers, nor the need to guarantee that a particular IP will be +processed by a particular server. + +### Nginx + +For these tasks, [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/#nginx) +is a relevant choice of reverse proxy. There are several versions of nginx available, suitable for +several Linux-based environments. 
+[Installation instructions](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) can be found +directly on the nginx website. + +At its core, Identity Manager is an ASP.NET application with a Kestrel server. We can configure a +nginx reverse proxy accordingly by following +[Microsoft's guidelines](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-8.0&tabs=linux-ubuntu#microsofts-guidelines). + +Nginx +[configuration files](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/) +are usually located in `/etc/nginx`. + +### Load balancing + +Nginx offers several +[load balancing methods](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#load-balancing-methods) +which are all compatible with Identity Manager. + +Then, in order for servers to be able to properly schedule and coordinate synchronization and +provisioning, the following file locations must be shared by all Identity Manager servers: + +- TempFolderPath +- WorkFolderPath + +All Identity Manager servers also share a database. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Basic Configuration + +The following is a basic configuration, in the `nginx.conf` file, with one virtual host, that +directs incoming requests on `` from network 1 to a Identity Manager server instance +at `` on network 2. 
+ +``` + +nginx.conf + +worker_processes auto; + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /nginx-1.19.7/logs/access.log; + error_log /nginx-1.19.7/logs/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + ## + # Virtual Host Configs + ## + + server { + listen default_server; + server_name ; + + location / { + proxy_pass http://; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + } +} + +``` + +Where: + +- `` is the port that nginx listens to on network 1 for incoming HTTP requests. It + should be set to `80`, except if you have another web server listening for port 80 requests and + passing them to your nginx server. +- `` is the URL used by end-users to request Identity Manager's server, such as + `contoso.usercube.com`. It is the content of the host header in the incoming HTTP request. +- `` is Identity Manager's server URL on network 2. + +With this configuration, SSL is enabled between the nginx proxy and the client, but not between the +proxy and Identity Manager's server. `gzip` is used to compress files to be sent over the network. + +### Static files + +Performance can be enhanced for static file serving. 
This requires extracting static files such as +the UI JavaScript application and the logo and pictures, and storing them on the nginx server +directly.See more information about +[static file serving with nginx](https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/). + +## Load Balancing Configuration + +Load balancing involves at least two Identity Manager servers to which +[nginx, acting as a load balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/), +distributes the load of incoming requests. + +Then, in addition to the configuration from the previous example, a group of servers must be +declared, using the `upstream` directive in the `http` section. + +The following configuration defines a group named `usercubegroup` which contains two server +configurations, each one resolving to an actual Identity Manager's server instance: + +``` + +... +http { + upstream usercubegroup { + server usercube1.contoso.com; + server usercube2.contoso.com; + } + ... +} +... + +``` + +Then, the name of the group takes the place of `` in the virtual host +definition: + +``` + +server { + listen default_server; + server_name ; + + location / { + proxy_pass http://IdentityManagergroup; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + + } + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/api/authentication/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/api/authentication/index.md new file mode 100644 index 0000000000..6fac691ebd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/api/authentication/index.md 
@@ -0,0 +1,26 @@ +# Authentication + +Identity Manager API authentication is based on the +[OpenIdConnect protocol](https://openid.net/connect/). Configuration informations are accessible on: +`[Usercube application URL]/.well-known/openid-configuration`. + +An OpenId client must be previously defined using an +[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) configuration +element. + +The `client_id` parameter to use in calls to the OpenIdConnect protocol endpoints must be the +concatenation of `clientId`, `@` and the domain of the application. + +For example, client defined by + +``` + + + +``` + +for the Identity Manager application hosted on `usercube.mycompany.com` must use +`MyApplication@usercube.mycompany.com` as `client_id` parameter in any call to the OpenIdConnect +endpoints. + +The scope to access to the Identity Manager API is `usercube_api`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/api/how-tos/request-postman/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/api/how-tos/request-postman/index.md new file mode 100644 index 0000000000..273b7b236a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/api/how-tos/request-postman/index.md 
@@ -0,0 +1,89 @@ +# Request APIs via Postman + +This guide shows how to configure Postman to be able to request Identity Manager's API. + +## Get an Access Token + +Get an access token by proceeding as follows: + +1. Launch Postman. +2. Create a new request by clicking on **+ New** then **Request**. + + ![Postman: New Request](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp) + +3. Fill in the fields and click on **Save to Identity Manager**. + + ![Postman: New Request Fields](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp) + +4. Fill in the authentication information as follows: + + ![Postman: Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp) + + - **Method**: POST + - **URL**: `URL IdentityManager`/connect/token + - **Body**: + - **client_id**: `OpenIdClient id`@`FQDN Usercube` + - **client_secret**: `OpenIdClient secret` + - **scope**: usercube_api + - **grant_type**: client_credentials + +5. Click on **Send** and get the access token from the response body. + + ![Postman: Access Token](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp) + +## Use an Access Token + +Use an access token by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp) + + - **Method**: GET + - **URL**: `/?api-version=1.0` + - **Authorization**: + - **TYPE**: Bearer Token + - **Token**: `` + +3. Click on **Send** and get the result from the response body. 
+ + ![Postman: Access Token Result](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + +## Create a Combined Request + +Create a combined request by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp) + + - **Method**: GET + - **URL**: `/?api-version=1.0` + - **Authorization**: + - **TYPE**: OAuth 2.0 + - **Header Prefix**: Bearer + +3. Click on **Get New Access Token** and fill in the fields as follows: + + ![Postman: New Access Token Fields (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp) + + - **Token Name**: `` + - **Grant Type**: Client Credentials + - **Access Token URL**: `/connect/token` + - **Client ID**: `@` + + Do not replace `@` with its encoding. + + - **Client Secret**: `` + - **Scope**: usercube_api + - **Client Authentication**: Send client credentials in body + +4. Click on **Request Token** to get the token. + + ![Postman: Get Token (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp) + +5. Click on **Use Token** and **Send** and get the result from the response body. + + ![Postman: Access Token Result (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/api/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/api/index.md new file mode 100644 index 0000000000..3b083473c3 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/api/index.md @@ -0,0 +1,26 @@ +# API + +Agent and server expose a REST API. + +## OpenAPI Definition + +This feature is optional and must be activated by the Swagger settings section. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic +for additional information. + +The page `[Usercube application's URL]/swagger` can be used to explore and test the API. + +This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Identity +Manager [OpenAPI](https://swagger.io/specification/) definition. + +![Usercube server swagger page](/img/product_docs/identitymanager/identitymanager/integration-guide/api/swagger.webp) + +A function can have several versions. This is why the API description is split into several OpenAPI +definition files. + +Each definition file is accessible in JSON format on URL +`[Usercube application's URL]/swagger/{version}/swagger.json`. + +The Swagger UI page is accessible anonymously but each call from this page to the API must have an +authenticated context. To do so, you only need to be logged to the application from the same browser +instance (Authentication is carried by a cookie). diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/api/pagination/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/api/pagination/index.md new file mode 100644 index 0000000000..92733073b9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/api/pagination/index.md 
@@ -0,0 +1,18 @@ +# Pagination + +Each function returning a list of items supports pagination. This pagination is based on the +PageSize and ContinuationToken parameters. + +The principle is to call the function with the ContinuationToken obtained from the previous call. + +![Pagination sequence diagram](/img/product_docs/identitymanager/identitymanager/integration-guide/api/pagination/pagination.webp) + +**NOTE:** Pagination is optional. If PageSize is not specified, the function will return all items +or use the limit specified in the squery parameter. If PageSize is specified, no limit must be +specified in the squery parameter. + +A DefaultPageSize as well as a MaxPageSize can be defined in the Applicative configuration settings. +If the given PageSize or squery limit is above the MaxPageSize, the limit of the MaxPageSize` is +used. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. diff --git a/docs/usercube/6.2/usercube/integration-guide/api/squery/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/api/squery/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/api/squery/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/api/squery/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md new file mode 100644 index 0000000000..d4a86390f1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md 
@@ -0,0 +1,127 @@ +# Protect Agent/Server Communication + +This guide shows how to set up a secured authentication system between Identity Manager's agent and +server. + +## Overview + +Identity Manager provides a simple way to protect the communication between agent and server, using +OpenID Connect. + +First, make sure to understand the OpenID protocol. For example, +[see Microsoft's documentation on the matter](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc). + +The idea, when sending data from the agent to the server, is the following: + +1. the agent decrypts its own data which was encrypted with the agent-side certificate; +2. the agent calls the server, and sends its HTTPS-encrypted message; +3. the server receives and decrypts the message, before encrypting it again with its own encryption + certificate configured by Identity Manager. + +![Schema: Agent/Server Communication](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp) + +### Configuration details + +The server must be configured, in its `appsettings.json`, with: + +- an encryption certificate with the private and public keys, in order to be able to send signed + tokens. + +The agent must be configured, in its `appsettings.json`, with: + +- an encryption certificate with at least the server's public key, in order to be able to verify the + tokens sent by the server; +- another encryption certificate meant to encrypt specific files such as logs or temporary files; +- an SSL encryption certificate for the HTTPS connection. + + The SSL certificate is required when working in an on-premises environment. In a SaaS + environment, Identity Manager provides it. 
+ +In order to give to the agent the right permissions, the XML configuration must specify an +[OpenIdClient](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) linked to +its hashed secret, and to a Identity Manager profile. + +## Protect Agent/Server Communication + +Protect agent/server communication by proceeding as follows: + +1. Make sure that both the agent and server configurations specify an encryption certificate. See + the + [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + for additional information. + + > For example: + > + > ``` + > + > appsettings.json + > + > { + > "IdentityServer": { + > "X509KeyFilePath": "./Usercube.pfx", + > "X509KeyFilePassword": "secret" + > }, + > ... + > } + > + > ``` + +2. Make sure that the agent is also configured with its own encryption certificate. See the + [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + for additional information. + + > For example: + > + > ``` + > + > appsettings.json + > + > { + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > }, + > ... + > } + > + > ``` + +3. Configure an `OpenIdClient`, both on agent side in `appsettings.agent.json` with the non-hashed + secret and on server side in the XML configuration with the secret hashed by the + [ Usercube-New-OpenIDSecret ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) + executable. See the + [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) for + additional information. 
+ + > For example on agent side: + > + > ``` + > + > appsettings.agent.json + > + > { + > "OpenId": { + > "OpenIdClients": { + > "Job": "newSecret" + > }, + > ... + > } + > ... + > } + > + > ``` + > + > And on server side: + > + > ``` + > + > ./identitymanager-New-OpenIDSecret.exe --client-secret secret + > + > ``` + > + > `` + > + > ``` + > + > ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md new file mode 100644 index 0000000000..d2dcba962c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md 
@@ -0,0 +1,68 @@ +# Architecture + +This article dives deeper into Identity Manager's design principles. Security and flexibility are +the main concerns of the architecture. + +## A Two-Tier Architecture + +Identity Manager is made of two parts: + +- The Identity Manager server operates the main process. It uses a dedicated database, serves the + client side part of the web application and exposes its API. +- The Identity Manager agent operates data exchange with the information system. It implements a + specific API called by the web client application. + +Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) applications running +on Windows. Identity Manager's database is a +[Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database. + +![Architecture](/img/product_docs/changetracker/changetracker/architecture.webp) + +See the [ SaaS Environment ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/saas/index.md) topic for additional information on Netwrix Identity +Manager (formerly Usercube) recommended architecture when working in a SaaS environment. + +See the [ On-Premises Environment ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/on-prem/index.md) topic for additional information on Netwrix +Identity Manager (formerly Usercube)' recommended architecture when working in an on-premises +environment. + +See how to +[ Protect Agent/Server Communication ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md). + +## Isolation Principle + +Identity Manager server has no direct access to the information system of the organization. It can +be installed on an isolated network (typically in the cloud). Only the agent can read or write the +information system. All exchanges between agent and server are operated through the HTTP protocol +(HTTPS recommended in production). 
+ +## Unidirectional Command Flow + +All reading or writing actions in the information system are initiated by the agent. Identity +Manager server will never call the agent. The Agent periodically polls the server to gather the +actions to process. + +Tasks can run on the Server side or on the Agent side. + +Tasks that run on the Server side are still executed by an Agent. This is the application of the +one-way data flow principle. Agents can send commands to the Server to execute a Task through an +HTTP request but the Server cannot command an Agent, hence isolating the sensitive Agents from the +exposed Server. + +As a result, each set of planned Tasks is assigned to a specific Agent, depending on the managed +systems its Tasks relate to. + +Agents also receive HTTP/HTTPS requests from the browser to allow authenticated end-users to launch +jobs from the UI. + +## Authentication + +Identity Manager can authenticate users within an Active Directory domain or using an OpenID +identity server. For development mode, Identity Manager implements a form-based authentication using +a unique password for all users . See the +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. + +## Multi-Agent Capability + +Multiple agents can be installed. This allows Identity Manager to operate in a context where the +information system is partitioned over several networks. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/on-prem/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/on-prem/index.md new file mode 100644 index 0000000000..2b1cbbafbd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/on-prem/index.md 
@@ -0,0 +1,29 @@ +# On-Premises Environment + +When working in an on-premises environment, Identity Manager needs a specific architecture. + +## Overview + +Identity Manager recommends the following architecture: + +![On-Premises Recommended Architecture](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +Most situations do not need Identity Manager so much that they need a fail-over system, i.e. +installing several Identity Manager instances in order to prevent breakdowns. In most situations, a +single Identity Manager instance is enough. + +### Server + +The server should be stateless, i.e. it should store only temporary files. + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. + +### Database + +The database is a critical item, and thus should be set up with a mirror. The database mirror can +have lower CPU and RAM and be on a different location. + +Identity Manager recommends using an incremental backup. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/saas/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/saas/index.md new file mode 100644 index 0000000000..a945f41abc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/saas/index.md @@ -0,0 +1,14 @@ +# SaaS Environment + +When working in a SaaS environment, Identity Manager needs a specific architecture. + +## Overview + +Identity Manager recommends the following architecture: + +![SaaS Recommended Architecture](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/connections/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/connections/index.md new file mode 100644 index 0000000000..ab92f94f93 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/connections/index.md 
@@ -0,0 +1,102 @@ +# Connections + +This page gathers useful information concerning the possible uses of connections, used by connectors +in order to extract and/or fulfill data from/to external systems. + +## Connection Configuration + +A connector needs at least one +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) which needs to be +declared both in the XML configuration and in the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file to be used. The connection settings must be set in appsettings.agent.json > Connections > +**connectionIdentifier**, where **connectionIdentifier** is the identifier specified for the +connection in the XML configuration. + +See the [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +The information stored in the connection depends on the export and/or fulfill technologies used by +the connection's package. + +See the [References: Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md) topic for additional +information. + +## Connection Tables + +A [ Connection Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +represents the potential output of the connection's +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md), when the +connection's package allows export. The export process generates CSV files (our connection tables) +whose names start with the connection's identifier. The files' suffixes depend on the connector. 
See +the [References: Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md) topic for additional information. + +The name of these files are used to specify the connection tables of the +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +and +[ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +in order to link the connectors' properties to the source files and columns from the managed +systems. + +A connection table is used in the definition of an entity type as `Source`, while the available +columns of the selected table are used for the mapping as `Source Columns`. + +![connectiontables_ui_v60](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp) + +## Refresh Schema + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Identity Manager refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. 
+ + ![Refresh all Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. + +![Failed Refresh Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "There is no schema for this connection". + +![No Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Export/Fulfill Tasks and Resource Type Mappings + +Connections are given to `ExportTasks` through the `Connection` attribute, which is mandatory as the +`ExportTask` needs this information to use the right technology and search the information in the +`appsettings.agent.json`. + +It can also be given to `FulfillTasks` the same way but must not be if the `FulfillTask` has +`TaskResourceTypes`. + +`ResourceTypeMappings` have the `Connection` attribute as well, which is mandatory. If a +`FulfillTask` has `TaskResourceTypes`, it will use the given connections to provision the different +`ResourceTypes`. + +## Secured Options + +A connection's parameters fall into two categories: regular or secured options. 
+ +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +See the [ Configure Secured Options ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md) topic for +additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md new file mode 100644 index 0000000000..f1d6a126f8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md @@ -0,0 +1,7 @@ +# Credential Protection + +The credentials of any managed system can be protected using an +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +vault or an +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/index.md new file mode 100644 index 0000000000..e5223cf7ab --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/index.md 
@@ -0,0 +1,10 @@ +# Configuration Details + +This part gathers information about connector configuration. + +Netwrix Identity Manager (formerly Usercube) recommends creating and configuring a connector via the +UI. See the [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) +topic for additional information. + +- [Connections](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/connections/index.md) +- [Credential Protection](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md new file mode 100644 index 0000000000..7619c0b35d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md 
@@ -0,0 +1,151 @@ +# References: Format for the EntityPropertyMapping + +This page lists all available formats for entity properties, in order to help you manage said +formats when exporting and fulfilling resources from/to external systems. + +The attribute `Format` can be defined in an EntityPropertyMapping to indicate the format of the data +in the external system. It will allow Identity Manager to correctly convert the data to its own +format during the export and fulfillment processes. + +## Available Formats + +### Active Directory / LDAP / OpenLDAP + +| Format | Corresponding Property Type | Note | +| ------------------------------------ | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| _Bit:\:\_ | String/Int16/Int32/Int64 | When provisioning a bitmask property, for example `userAccountControl`, the format must contain the identifier of the property and the bit to be provisioned, for example `bit:userAccountControl:2`. | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _Concat:separator_ | String | Mono-valued attribute that may contain multiple values separated by a `` (example: `extensionAttribute15` which requires using `concat:;`) | +| _DateTime/1601Date_ | DateTime | [Classic LDAP Dates](https://www.epochconverter.com/ldap) and [Generalized DateTimes](https://ldapwiki.com/wiki/GeneralizedTime) | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | Some attributes are stored as long integers (_Int64_) even though their name implies that they hold dates, like `accountExpires` and `pwdLastSet` attributes. 
| +| _MultivaluedText_ | String | Multi-valued attribute flattened to a string containing values separated by a `\n`. Its provisioning with a scalar rule requires a specific sorting, see the focus under this table. | +| _RDN_ | String | [Relative Distinguished Name](https://ldap.com/ldap-dns-and-rdns/) | +| _SID_ | String | [Security Identifiers](https://ldapwiki.com/wiki/ObjectSID) | + +#### Focus on Bit + +Some systems use bitmask properties, i.e. properties containing a set of boolean flags represented +by individual bits. + +Scalar properties are provisioned by scalar rules, usually changing the whole value of the property. +For bitmask properties, changing the whole value often requires an unnecessarily complex expression. +Hence, a bitmask property should be modified one bit at a time (bit provisioning). In order to +change only one flag without altering the others, a bitmask property must be completed by one +fictitious property for each bit to be modified. + +Then scalar rules can be created for each single-bit property individually. + +In a given resource type, there should be scalar rules either for the bitmask property, or for the +single-bit "sub-properties", not both. + +> For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit +> of `userAccountControl`. +> +> ![New Property for Bit Provisioning](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp) +> +> XML configuration looks like the following: +> +> ```xml +> +> +> +> ... +> +> +> +> +> ... +> +> ``` + +When creating a property of bit format: + +- through the UI, there is no need filling the connection column field, because it will be filled + automatically once the format fields are filled. A manual value for connection column would be + overridden. +- through XML configuration, the connection column must be specified manually but there are no + additional requirements. 
+ +#### Focus on MultivaluedText + +To provision a `MultivaluedText` property, the associated scalar rule's source object must return a +`string`, where the values are separated by a `\n`. Most of the time, the value of the source object +is computed with an expression. + +The order of the values within the property is important, because Identity Manager will use the +results of the synchronization and of the computation of the scalar rule's expression. Identity +Manager compares both results to compute the `Verified` provisioning state if they are found equal. +Regarding that fact, if the scalar rule's expression does not compute the `MultivaluedText` with the +values in the same order as Identity Manager's synchronization, the property will never be +`Verified`. + +Netwrix Identity Manager (formerly Usercube) recommends, in the scalar rule's expression, ordering +the elements before joining them into a `string` with +`myList.OrderBy(e => e, StringComparer.OrdinalIgnoreCase)`, where `myList` is the list of values. + +> For example, the scalar rule's C# expression for a `MultivaluedText` can look like: +> +> ``` +> +> +> +> ``` + +### ServiceNow + +| Format | Corresponding Property Type | Description | +| ------------------ | --------------------------- | ---------------------------------------------------------- | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _DateTime or Date_ | DateTime | Date in ServiceNow format | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | | + +#### Example + +In this example, we will export and fulfill the start date of an employee in a ServiceNow instance. + +We define an [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) called `u_startdate` with the +**Type**`DateTime` to display it as a date in the UI. 
+ +``` +ServiceNow Connector.xml +... + ... + +``` + +To correctly export the start date from ServiceNow, we transform the string received into a string +that is readable as a date by Identity Manager. To do so, we must declare in the EntityTypeMapping +that we will not receive a simple string, but a string formatted as a `DateTime`. + +``` +ServiceNow Connector.xml +... + ... + +``` + +This allows the export of the attribute `u_startdate` as a date in Identity Manager's format. + +The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** +declared in the ResourceType. + +![Export and Fulfill Data transformation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md new file mode 100644 index 0000000000..03c87b67ff --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md 
@@ -0,0 +1,125 @@ +# Register for Microsoft Entra ID + +This guide shows how to +[register](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) +Identity Manager as an application, i.e. grant Identity Manager a service account, with Microsoft +Identity Platform to authenticate to a Microsoft Entra ID (formerly Azure Active Directory), and how +to grant Identity Manager the +[directory permissions](https://docs.microsoft.com/en-us/graph/permissions-reference) for reading +the data to be exported via the +[Microsoft Graph API](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api). + +## Create a New Registration + +Create a new registration for Identity Manager with Microsoft Identity Platform by proceeding as +follows: + +1. Go to [the Microsoft portal](https://portal.azure.com/). +2. Log in using the organization's credentials. +3. Find the **Microsoft Entra ID** menu on the left panel. +4. Go to **App Registrations** in the left panel. +5. Click the **+ New Registration** button in the top menu. + + ![Azure AD Export - Add New Registration](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp) + + A new registration form is displayed: + + - Name: display name of your application for the currently created registration. It is used to + identify this registration within Microsoft Entra ID. In the case at hand, it won't be + displayed to the end-user since Identity Manager doesn't access the Microsoft Entra ID using + end-user identity but [its own](https://docs.microsoft.com/en-us/graph/auth-v2-service). + + Netwrix Identity Manager (formerly Usercube) recommends using a mnemonic name resembling + Identity Manager Organization in order to remember it as the registration of Identity + Manager within the target Microsoft Entra ID, for example Identity Manager Contoso. 
+ + - [Supported account types](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-supported-account-types): + select **Accounts in this organizational directory only (... - Single tenant)**. + + Identity Manager uses its own identity to access the API. It doesn't access the data on + behalf of a user. To authenticate, it uses credentials of a service account granted by this + registration, in the form of an **ApplicationId** and a secret Client Secret. + + See how to get **ApplicationId** and **ApplicationKey**. + + This service account is stored in the organizational directory, and hence using the + [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), + only **Accounts in this organizational directory** are supported for authentication within + this registration scope. + + - Redirect URI: + + - The left combo box represents the type of application. It influences the authorization + protocol exchanges. Identity Manager is of type Web. + - The right line edit isn't applicable to our case and should be left blank. It is used for + end-user authentication, but doesn't apply to Identity Manager. + +6. Confirm the registration with the **Register** button at the bottom of the page. + +### Get the application's identifier + +**ApplicationId** is available in the registration overview. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **Overview** in the left panel. + + The **Essentials** top panel displays the **Application (client) ID** required by the Identity + Manager Agent. The same page also displays the **Directory (tenant) ID** that will also be + needed by the Identity Manager Agent. 
+ + ![Azure AD Export - New ApplicationId](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp) + +### Get the application's secret key + +A **Client Secret** key needs to be generated. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **Certificate & Secrets** in the left panel. +4. Click the **+ New client secret** button in the bottom panel **Client Secrets**. +5. Input a mnemonic name such as Identity Manager Organization Secret. +6. It is recommended to use a short **expiration period** such as 1 year. +7. Confirm the creation with the **Add** button. + + The Client Secret is now listed in the bottom panel **Client Secrets**. The Client Secret value + is needed by the Identity Manager Agent settings file. + + ![Azure AD Export - New Client Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp) + + The **Client Secret** value is only displayed in the UI in plain text at first. After a while, + it is only displayed as `**************`. It should hence be stored in the + appsettings.agent.json file or an environment variable as soon as it is created, to be used + subsequently by Identity Manager. If the key is lost, a new key can be created to replace the + lost one. + +## Grant Directory Permissions + +Grant Identity Manager directory permissions by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **API Permissions** in the left panel. +4. Click on the **+ Add a permission** button. + + ![Azure AD Export - Add Permission](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp) + +5. 
Go to **Microsoft graph** > **Application permissions**. +6. Search and open the **Directory** category. +7. Check the **Directory.Read.All** permission. + + If you plan on configuring fulfillment too, you must only check the **Directory.ReadWrite.All** + permission. + + ![Azure AD Export - Directory Permission](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp) + +8. Confirm with the **Add permissions** button at the bottom of the page. + + You now see the Directory.Read.All or Directory.ReadWrite.All permission in the **Configured + permissions** list with a **⚠ Not granted for ...** status. + +9. Grant admin consent by clicking on **√ Grant admin consent for** name of the organization. + + ![Azure AD Export - Grant Admin Consent](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp) + + You should now see the status displayed as **√ Granted for** name of the organization. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md new file mode 100644 index 0000000000..65177cf7ef --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md 
@@ -0,0 +1,57 @@ +# Configure Secured Options + +This guide shows how to configure secured options to ensure data security in a connection's +parameters. + +## Overview + +A connection's parameters fall into two categories: regular or secured options. + +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +## Configure a Secured Option + +Configure a secured option by proceeding as follows: + +1. Among a connection's parameters, identify the secured option: + + - for a simple field: + + ![AD creation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp) + + - for multiple key-value fields: + + ![SQL connection string](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp) + + Contrary to simple fields, multiple-key-value secured options are not restricted to a given + property. They are arbitrary and can be set to anything. + +2. Fill the field(s) and, if needed, click on the eye icon to make the content visible. 
+ + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + > For example, for a simple field in an AD connection, the **Login** and **Password** are by + > default hidden with ??????: + > + > ![Login Secured Options Hidden](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp) + > + > ![Login Secured Options Revealed](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp) + + > For example, for multiple key-value fields in an SQL connection, some elements of the + > connection string might be sensitive and need to be hidden: + > + > ![SQL connection string](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp) + > + > In this example, the database name and the minimal pool size are secured options: + > + > ![SQL Secured option filled](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp) + + > Another example of multiple key-value fields in a Powershell connection: + > + > ![Powershell Secured option hidden](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp) + +3. Once saved, any secured option's value can no longer be seen. However, it can still be modified + by deleting the value and re-specifying it. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md new file mode 100644 index 0000000000..b2d1994d5d --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md 
@@ -0,0 +1,373 @@ +# For Microsoft Entra ID + +See the[ Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic for +additional information about creating a connector. + +## Prerequisites + +The following are prerequisites for the connector creation. + +Configure the external system + +See the [Register for Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) topic for additional +information on how to register Identity Manager. + +Configure Identity Manager + +See the [ Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic for +additional information on the connection. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      "ApplicationId": "", +      "ApplicationKey": "<25d408a1925d4c081925b\d40819>", +      "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", +      "MicrosoftGraphPathApi": "", +    } +  } +} +``` + +## Build the Connector + +See the [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) +topic for additional information on how to build a connector via the UI, with its connections, +entity types and mappings. + +This example declares the Entra ID connector on the Local agent: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Connector.xml + + +    ... +     +    ... 
+ + +``` + +### Entity model + +The entity model should match as closely as possible the structure of the relevant Microsoft Entra +ID data, and be aligned with Identity Manager's repository. See the +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md)topic for additional information. + +For example, Microsoft Entra ID's Users and Groups can be described by entity types, and group +memberships by entity associations. + +The following example defines an entity type named AzureAD_DirectoryObject to match the attributes +selected for extraction from the Microsoft Entra ID instance: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Connector.xml +... + +     +     +     +     +     +     +     +     +     +     +     +     +     quot;true" /> +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + +... + +``` + +Notice the omitted TargetColumnIndex attribute for the members and memberOf properties. This means +that these properties are navigation properties. + +The following example declares an n-n association between two AzureAD_DirectoryObjects, where: + +- memberOf is a collection of Groups IDs of which this AzureAD_DirectoryObject is a member; +- members from a Group is a collection of AzureAD_DirectoryObjects IDs which are members of this + Group. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Connector.xml +... + +... + +``` + +Notice the format of the Property1 and Property2 XML attributes: the name of the entity type is +followed by a colon (:) and the name of an entity property. It is a binding describing in one +expression, the target entity type and property. 
See +the[ Binding ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) topic for additional +information. + +Entity mapping + +Each property of the entity type must be mapped to an attribute among those exported from Microsoft +Entra ID. + +So each element of an entity type mapping is meant to link a property from the CSV file containing +the exported Microsoft Entra ID attributes to a property from the entity type. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Connector.xml +... + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +... +``` + +As a result, synchronization updates Identity Manager's UR_Resource table based on the data of the +exported CSV files. Considering that AzureAD_DirectoryObject has never been synchronized, the +UR_Resource table receives a new line for which the 47th column (City) is filled in with the city +column from the `C:/UsercubeDemo/Temp/ExportOutput/AzureADContosoNYExport_directoryobjects.csv` +file. + +An association mapping is the equivalent of an entity type mapping, but for the properties of an +entity association instead of an entity type. + +The following example describes the "actual group/member" associations between +AzureAD_DirectoryObjects. 
+ +These associations are exported from the Microsoft Entra ID system into the +`C:/UsercubeDemo/Temp/ExportOutput/AzureADContosoNYExport_members_group.csv` file, containing, for +each group, a list of members in the following format, with id being the id of an Microsoft Entra ID +object and groupId the matching Group's id to which the object belongs: + +| Id | GroupId | +| --- | ------- | +| 12 | 454 | +| 3 | 454 | +| 4 | 454 | +| 5 | 333 | +| 2 | 333 | + +The following entity association mapping maps the properties from the +AzureAD_DirectoryObject_members entity association: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Connector.xml +... + + +... + +``` + +Here the members property of the AzureAD_DirectoryObject entity (written to the Property1 attribute +of the AzureAD_DirectoryObject_members entity association) is filled in by values from the groupId +column (written to the Column1 attribute of the AzureAD_DirectoryObject_members entity association +mapping) of the CSV file. + +And the membersOf property of the AzureAD_DirectoryObject entity (written to the Property2 attribute +of the AzureAD_DirectoryObject_members entity association) is filled in by values from the Id column +(written to the Column2 attribute of the AzureAD_DirectoryObject_members entity association mapping) +of the CSV file. + +## Display the Connector in the UI + +This is how the connectors are displayed on the UI. + +Menu items + +Each connector should be configured with a menu item, which is created automatically when working +via the UI. + +![Menu Item - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp) + +In XML, it should look like this: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +Conf/AzureAD/AzureAD Nav.xml + +``` + +Displayed resources + +See the +[ Organize Resources' Datasheets ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) +topic for additional information on how to set the display properties via the UI. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD UI.xml + +     +     + + +``` + +![Navigation Properties - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp) + +Microsoft Entra ID's resources are listed in a table. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD UI.xml + +     +     +     + + +``` + +![Display Table - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp) + +This is how the resources are displayed on the UI. + +Resources' display names + +See the +[ Set Resources' Display Names ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) +topic for additional information on how to set resources' display names via the UI. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD UI.xml + +``` + +Permissions + +In order to access the connector, any user must have the right permissions. + +The following example sets the permissions to access the Microsoft Entra ID connector and resources +for the Administrator profile. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/AzureAD/AzureAD Profile Administrator.xml + +     +     + + +     + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md new file mode 100644 index 0000000000..fe3e10a112 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md 
@@ -0,0 +1,143 @@ +# Create a Connector + +How to implement a [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +via XML to connect Identity Manager to an external system. + +See an example on how to [For Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md). + +Netwrix Identity Manager (formerly Usercube)strongly recommends configuring as much as possible via +the UI instead of XML files. See the +[ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) topic to +learn how to create a connector via the UI. + +## Prerequisites + +### Configure the external system + +Some systems need additional configuration for Identity Manager to connect. + +### Configure Identity Manager + +Identity Manager's agent must be set up to access the system's data via the related connector. + +Netwrix Identity Manager (formerly Usercube) recommends performing the configuration via Identity +Manager's configuration files like `appsettings.json` and `appsettings.agent.json`. However, these +settings can also be input through environment variables. See the +[Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md) topic for additional information. + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. + +- Not begin with a digit. 
+ +- Not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +Netwrix Identity Manager (formerly Usercube) recommends completing this guide without credential protection, and once the configuration works switch to a more secure way of storing credentials. + +See the [ +Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic to learn how to protect Microsoft Entra ID's credentials. + +## Build the Connector + +See the [ +Connect to a Managed System +](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) topic to learn how to build a connector via the UI, with its connections, entity types and mappings. + +When exporting the configuration, a `connectorName` connector should be found in the ```Conf/connectorName/connectorName Connector.xml``` file. + +All XML files must start with the `````` and `````` elements. + +### Entity model + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) of the connector defines how the exported data will be written to Identity Manager's repository. It should match as closely as possible the structure of the relevant data from the external system, and be aligned with Identity Manager's repository. + +The entity model is configured by [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) and [ +Entity Association +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) containing scalar and navigation [ +Entity Type +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +The entity model can be refined later in the project. 
+ +### Entity mapping + +Each property of the entity type must be mapped to an attribute from among those exported from the system. + +Entity mapping is configured through [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +So each element of an entity type mapping is meant to link a property from the result of the CSV export file containing the exported attributes to a property from the entity type. + +In the mapping, the CSV file is identified by the ```ConnectionTable``` and the entity type by the ```Identifier```. + +An association mapping is the equivalent of an entity type mapping, but for the properties of an entity association instead of an entity type. + +## Display the Connector in the UI + +### Menu items + +Identity Manager provides a menu item to list all connectors in the dashboard's left menu. + +![Menu Item - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +> It is usually written like this: +> +> ``` +> +> Runtime/Bootstrap/Nav.xml +> +> +> +> ``` + +Then each connector should be configured with a menu item, which is created automatically when working via the UI. + +### Displayed resources + +See the [ +Organize Resources' Datasheets +](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) to learn more on how to set the display properties via the UI. + +In the XML configuration, scalar properties are automatically displayed in the datasheets of the connector's resources. But navigation properties must be declared explicitly. 
+ +The properties to be displayed are configured through [Display Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md). + +Microsoft Entra ID's resources are listed in a table. + +The resources are displayed in a table configurable through a [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md). + +### Resources' display names + +See the [ +Set Resources' Display Names +](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) to learn how to set resources' display names via the UI. + +Each resource is displayed in the UI with a display name. + +Resources' display names are customizable through [ +Entity Type +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +### Permissions + +In order to access the connector, a user must have the right permissions. + +Permissions within Identity Manager are configured through [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). +```` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md new file mode 100644 index 0000000000..0ab1279ef4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md 
@@ -0,0 +1,85 @@ +# Run the Banking Demo Application + +This guide shows how to set up and run the Banking demo application. + +## Banking Application Description + +The Banking application is a demo application that represents a web based external system. The +Banking application contains: + +- A main page +- A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add + a user by clicking on **Create New User** + + ![Users list](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp) + +- A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on + **Details** on a group shows the users belonging to that group +- A user's details page for each user, accessible by clicking on **Details** on a user in the users + list + + ![User details](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp) + +The most interesting part of the Banking application is a user's page. On a user's page, it is +possible to: + +- Edit the user's information +- Delete the user +- Add the user to a group +- Remove the user from a group +- Set the user's password + +The Banking application uses a database named BankingSystem as a data source. The changes made to a +user are applied to the database, and will be saved. + +The Banking application exposes an API that complies with SCIM 2.0 (RFC 7643 & RFC 7644) standards. +This API provides: + +- Token retrieval in two different ways — Login/Password and Client Credentials. This is not real + authentication so you can input any values, as the system only verifies if the fields are empty. +- A schema endpoint (/Schemas) that returns metadata describing SCIM resource types. This includes + attributes, types, mutability, and required fields for Users and Groups, following SCIM 2.0 + specifications. 
+- Operations on users, including: Get list, Get by ID, Create, Update, and Delete (CRUD) +- Operations on groups, limited to Get list only + +**NOTE:** In the Banking Demo Application appsettings two parameters are available: + +- `RequireAuthorization` (default: true) — When enabled, the system checks whether a token is + present in the request headers +- `RequireSecureHeader` (default: false) — When enabled, the system verifies that the + SecureHeaderparameter is included in the request headers + +_Remember,_ a Postman collection is provided in the same folder as the executable (.exe) to +facilitate API testing. + +## Running the Banking Application + +The Banking Application is part of the Netwrix Identity Manager (formerly Usercube) SDK, and comes +with prefilled sources. To run the Banking application: + +**Step 1 –** Download the SDK. + +**Step 2 –** Download the Runtime. + +**Step 3 –** Create a database named BankingSystem. + +**Step 4 –** Go to the Runtime folder. + +**Step 5 –** Run **./identitymanager-FillBankingDatabase.exe** --connection-string \{connection string\} +--sources-path \{sources path\} --banking-sql-path \{banking sql path\}, replacing \{connection +string\} with the BankingSystem database connection string, \{sources path\} with the path to +SDK/DemoApps/Sources, and \{banking sql path\} with the path to SDK/DemoApps/Banking. + +**Step 6 –** Go to the **SDK/DemoApps/Banking** folder. + +**Step 7 –** Run **./Banking.exe** in a command prompt + +**Step 8 –** In a web browser, enter the URL localhost:5000. + +The Banking application is running, and the web browser is on the Banking home page. + +To set the Banking application to another port, run /Banking.exe --urls http://localhost:\{port +number\}. To access the application, enter the URL localhost:\{port number\} in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. 
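Review bot: In docs/identitymanager/6.2/.../how-tos/demoapp-banking/index.md, the token retrieval bullet says the system "only verifies if the fields are empty", which reads as the reverse of the intended check; reword it to say the fields only have to be non-empty. Since the same bullet states this is not real authentication and any values are accepted, add a sentence near "Running the Banking Application" saying the demo should stay bound to localhost, as in the `--urls http://localhost:{port number}` example, and should not be pointed at real data. In the NOTE, `SecureHeaderparameter` is missing a space and the header name is not given, so a reader cannot tell which header `RequireSecureHeader` expects. The port-change command is written `/Banking.exe` while Step 7 uses `./Banking.exe`, and Step 7 is missing its closing period.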
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md new file mode 100644 index 0000000000..fe291478ac --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md 
@@ -0,0 +1,36 @@ +# Run the HR Demo Application + +This guide shows how to set up and run the HR demo application. + +## HR Application Description + +The HR application is a demo application that represents a web based external system. The HR +application contains an employee list. + +![Users list](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp) + +Each employee also has their own page, with the possibility to edit their profile or delete them. It +is also possible to add a new employee. + +![User details](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp) + +The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv +file will be modified, and the changes will be saved. + +## Running the HR Application + +The HR Application is part of the Identity Manager SDK, and comes with prefilled sources. To run the +HR application: + +- Download the Identity Manager SDK. +- Go to SDK/DemoApps/HR. +- Modify **appsettings.json** > **CSVPath** to "..\\Sources". +- Run **./HR.exe** in a command prompt. +- In a web browser, enter the URL **localhost:5000**. + +The HR application is running, and the web browser is on the HR application employee list. + +To set the HR application to another port, run ./HR.exe --urls http://localhost:\{port number\}. To +access the application, enter the URL localhost:\{port number\} in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md new file mode 100644 index 0000000000..c237e0fd6e --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md 
@@ -0,0 +1,269 @@ +# Interact with a GUI Application via Robot Framework + +This guide shows how to write a Robot Framework script which interacts with an external application. + +## Example: Interacting with an application via a GUI + +Consider an external system that is accessible through a GUI program, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a GUI application. The guide on how to write a +Robot Framework script explains the basics of Robot Framework. The basic prerequisites can be found +on the Robot Framework connector page. See the +[ Write a Robot Framework Script ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) and +[ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) topics for additional +information. + +The requirements specific to the Robot Framework FlaUI library are as follows: + +- Python 3.7 or 3.8. For Python 3.9, using `pip install wheel` in the command prompt may solve + installation errors. +- Robot Framework FlaUI library: use `pip install --upgrade robotframework-flaui` in the command + prompt. +- The application with the GUI. + +Other Robot Framework libraries can interact with applications. The [desktop part of the zoomba +library] can also interact with a program, but requires an appium server. + +While not strictly required, it is highly recommended that the +[Robot Framework FlaUI library documentation](https://gdatasoftwareag.github.io/robotframework-flaui/keywords/1.6.6.html) +be consulted. + +## Inspecting tools + +Most FlaUI keywords require an XPath locator. These XPaths can be found using the FlaUI inspection +tool. 
Download the +[FlaUI inspection tool zip archive](https://github.com/FlaUI/FlaUInspect/releases), then extract the +files to a folder. The inspection tool can be launched simply by running `FlaUIInspect.exe`. + +This tool lets you choose the UIA (UI Automation) version. Picking UIA3 should work in most use +cases. + +The FlaUI inspection tool shows each window that is open on the computer. To find the element the +script is supposed to interact with, it is possible to manually search through the windows, and +through the elements. However, the easiest way is to use the Hover Mode, which is accessible in the +tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > +**Show XPath**. + +![Show XPath](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp) + +To see the XPath of an element, hover over the element, and press control. A red box should appear +around the element, and the FlaUI inspection tool should show the element's information. The XPath +should be at the bottom left of the FlaUI element. + +![Highlight Element](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp) + +As an example, imagine an application showing a list of files and folders. Targeting a specific file +would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The +important parts of this path are the beginning and the end. The beginning of the XPath specifies the +window. The middle part of the XPath, in most cases, is irrelevant. + +The last part of the XPath however, `/Group[1]/ListItem[1]`, is what should be modified to find the +right file. `Group[1]` means the element is in the first file group. `ListItem[1]` means the element +is the first file of the group. 
Depending on the file explorer view mode, the XPath may end with +`Edit[1]`, which means the targeted element is the name section of the file. + +As the Window's number may change, it should be specified by name. For the Downloads folder, +`Window[@Name='Downloads']` specifies the window. The file may not always be at the same position, +so it should also be specified. If the file is `FlaUInspect.exe`, it can be specified with +`ListItem[@Name='FlaUInspect.exe']`. The Group may also change. It is not easy to find the right +group, so the best method is to remove the groups, by right clicking, then selecting **Group by** > +**(None)**. + +## Use Case: Set a file to read-only + +Consider an HR system that creates a file for each employee. When an employee retires, it may be +interesting to set the file to read-only, so that it is not modified by accident. It is possible to +set the file to read-only by provisioning it with the Robot Framework. + +### Define settings + +As with every other Robot Framework script, the Identity Manager Robot Framework resource needs to +be imported to launch the provisioning. The FlaUI library also needs to be imported to use its +keywords. + +``` + +*** Settings *** +Resource C:/UsercubeDemo/Runtime/UsercubeRobotFramework.resource +Library FlaUILibrary + +``` + +### Define variables + +The `Variables` section contains variables that are used in the rest of the script. As the section +is at the start of the script, the variables are easy to update. In this case, the folder's name and +path are important variables that may be changed. + +``` + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/UsercubeDemo/${FOLDERNAME} + +``` + +### Define custom keywords + +To modify a file's properties, the script needs custom keywords that allow the desired actions to be +accomplished. In this case, to navigate through the explorer program. These keywords were written +with the Windows 10 File Explorer in mind. 
+ +| Keyword | Details | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Open Explorer | Opens and attaches the explorer program to FlaUI. A program can be attached to FlaUI by its name or by its `Pid`, which stands for process identifier. The `Launch Application` keyword returns a `Pid`, however the program may launch multiple processes. In the case of the explorer, it is almost always running, even if no explorer windows are open. The `Pid` returned may not be the correct one. Attaching by the program name seems to work in this case. | +| Open Folder | Opens the folder specified in the `Variables` section. Accessing the address bar is not trivial, as it is not a text field until it is clicked. However, clicking on most elements of the address bar does not open the text field. In this keyword, the icon in the address bar is clicked, which opens the text field. | +| Get File Name | Returns the file's name. This allows the computation of the file's name through a keyword instead of an expression, which can make syntax easier. | +| Set File To Read Only | Sets the file corresponding to the user to read only. This keyword calls the other keywords in the right order, and is used to simplify the readability of the script. | +| Open File Properties | Right clicks on a file, then opens the file's properties. The right click is on the file's image, but it could be changed to any of the file's fields. Note that changing the folder's view mode or ordering may alter the file's XPath. | +| Select Read Only | Selects the read only option. 
This keyword simply clicks on the radio button, then clicks on the `Ok` button. If the radio button is already ticked, the file will no longer be in read only mode. The script clicks on the `Ok` button as it automatically closes the properties window, unlike the `Apply` button. | +| Close Explorer | Clicks on the cross to close the explorer window. It is also possible to close the program with the `Close Application` keyword, however that also closes the background explorer process, so closing only the window is better. | + +``` + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File Properties + [Arguments] ${filename} + Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +``` + +### Define mandatory keywords + +To provision the system, the script must contain the three mandatory keywords: `ExecuteAdd`, +`ExecuteDelete`, and `ExecuteModify`. In this case, only ExecuteDelete is implemented. (It is +considered, perhaps foolishly, that employees will not come out of retirement!) 
+ +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Identity +Manager starts the Robot Framework task. The `Launch Provisioning` keyword is the one that will +fetch the provisioning orders. + +``` + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/UsercubeDemo/Runtime/UsercubeRobotFramework.resource +Library FlaUILibrary + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/UsercubeDemo/${FOLDERNAME} + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File Properties + [Arguments] ${filename} + Right Click 
/Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md new file mode 100644 index 0000000000..4e0dca2421 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md 
@@ -0,0 +1,409 @@ +# Interact with a Web Page via Robot Framework + +This guide explains how to write a Robot Framework script that interacts with a web based external +system. + +## Example: Interacting with a web-based application + +Consider an external system that is accessible through a web interface, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a web-based application. The guide on how to +write a Robot Framework script explains the basics of Robot Framework. The basic prerequisites can +be found on the Robot Framework connector page. See the +[ Write a Robot Framework Script ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) and +[ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) topics for additional +information. + +The prerequisites are explained in detail at the +[Robot Framework selenium pypi](https://pypi.org/project/robotframework-seleniumlibrary/) page. + +The requirements specific to the Robot Framework Selenium library are as follows: + +- Robot Framework selenium library: use `pip install --upgrade robotframework-seleniumlibrary` in + the command prompt. +- A web browser. +- A web driver that corresponds to the web browser and its version. Webdrivers can be found in + the[ Selenium website](https://www.selenium.dev/selenium/docs/api/py/index.html#selenium-website). + This web driver should be in your path. To check that the web driver is in your path, use + `gcm {webdriver_name}`. As an example for Edge, use `gcm MicrosoftWebDriver`. + +The web driver for Edge is called `msedgedriver.exe`, but the Robot Framework may expect it to be +called `MicrosoftWebDriver.exe` depending on the python version. 
Renaming the web driver from +`msedgedriver.exe` to `MicrosoftWebDriver.exe` should fix this issue. + +If the browser is updated, the web driver should also be updated. + +While not strictly required, it is highly reccomended to look at the +[Robot Framework selenium library documentation](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html). + +## Selenium basics + +Selenium is a web browser automation tool. Selenium can automatically perform scripted actions in a +web browser. Selenium is not easy to use on its own, and it is easier to use Selenium via the Robot +Framework. However, the basics are still the same. + +The basic structure of a web page is defined with HTML. It is accessible with the inspect tool, +which can be opened by pressing the F12 key on most browsers. For Selenium, we want to find +information on specific parts of the page. Inspecting an element can be done by right clicking the +element, and clicking **Inspect**. + +![Inspect Tool](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp) + +Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to +ensure that the file is up to date with the documentation. To do this, the Robot Framework has to +click on the **copy to clipboard** button with the keyword +[`Click Element`](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html#click-element). + +## Locating elements + +As stated in the Robot Framework SeleniumLibrary documentation, the keyword `Click Element` requires +an element locator. The element locator identifies which element the Robot Framework should click. +To ensure the right element is clicked, the element locator should only match the one element which +should be clicked. + +In the HTML, the button has a class `class="copy-to-clipboard"`. The element locator +`class:copy-to-clipboard` matches the button. 
However, there are other buttons with the same class +on the page. The easiest way to click the right button is with an XPath element locator. + +### XPath element locators + +Each element on the web page has an XPath, and each XPath uniquely identifies an element. This means +that we can always use an XPath locator. To get the XPath of an element, inspect the element, then +right click it in the HTML, and click on **Copy** > **Full XPath**. + +![Copy Full XPath](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp) + +For the `copy to clipboard` button, the XPath is +`/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`. + +XPaths change as the page is updated. Using a location strategy other than the XPath strategy should +reduce the maintenance needs of the script. + +### Hypertext references and API calls + +Some elements have links to other websites or pages of the same website. In the HTML inspection, +these elements are likely to have a `href` attribute containing the link. `Href` stands for +hypertext reference. By going directly to the linked URL instead of clicking the link, the script +does not need to specify an element locator for the link. + +In some cases, an API can be called simply by going to the right URL. This URL may be used as a +shortcut to avoid having to fill in text fields. The `href` attributes may show the format of the +API calls. + +## Use Case: Fulfill groups in a Banking system + +The Banking system is a Identity Manager demo application that represents an external system. The +Banking system stores basic information on its users such as their names, mail addresses� The most +interesting part of the Banking system is the groups functionality, as users can belong to multiple +groups, and groups can have multiple users. 
+ +The goal of this use case is to extract the existing associations between groups and users from the +Banking system into Identity Manager, then provide a way to add users to a group and remove users +from a group. To showcase the password generation, the script will generate a password for the +provisioned users' accounts. + +### Connector configuration + +As stated in the previous part, the Banking connector is supposed to link the users and their +groups. This means that the connector has a user entity type, and a group entity type, with an +entity association between them. + +The Banking connector has to be able to extract the data, and fulfill the Banking system. The +fulfillment of the Banking system can only be done through its web application, which means the +Robot Framework Selenium library will be used. The extraction of the data will be performed through +an SQL connection. + +For simplicity's sake, only the user's `Login` is kept. + +``` + + + + +``` + +The notion of groups in the Banking system is replaced by the notion of single roles in Identity +Manager. A user belonging to the accountant group in the Banking system has the accountant single +role in Identity Manager. To automate the correspondance, the connector's configuration requires a +rule between the group resource and the single role. This can be done with a navigation rule for +each single role and corresponding group. + +For simplicity's sake, only three roles are kept. + +``` + + + +``` + +### Define settings + +As with every other Robot Framework script, the resource needs to be imported to launch the +provisioning. The SeleniumLibrary also needs to be imported to use its keywords. + +``` + +*** Settings *** +Resource C:/UsercubeDemo/Runtime/UsercubeRobotFramework.resource +Library SeleniumLibrary + +``` + +### Define variables + +The variables in the `Variables` section can serve two purposes. 
+ +- Values that should be modified easily: The browser and the Banking web application URL change with + the provisioning environment. +- Values that are used multiple times: The Banking web application URL is used three times in the + script. This avoids editing mistakes that happen when only one of the instances is modified. + +``` + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +``` + +### Define custom keywords + +The script defines several custom keywords. As the element locators may not be easily +understandable, it is important that the keywords are not long, and have descriptive names. + +| Keyword | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Modify User | Sets a password for the user, then applies the provisioning order. This keyword does everything the `Execute Modify` keyword should do, so that it can be used for error handling. As the provisioned resource type may not have password reset settings, the password generation could fail, which is why it is called by the `Try Keyword` keyword. | +| Restart Banking And Fail | Restarts the Banking Application, then fails the keyword execution. This keyword should be used when the Banking application is in an unknown state. | +| Launch Banking App | Launches the Banking web application. To check that the web browser is on the right page, the title of the page is verified with the `Title Should Be` keyword. | +| Set Password | Generates a password for the provisioned user, sets their Banking password to that password, then sends a notification. 
This keyword attempts to send the notification as soon as the password is set. First, this ensures that the notification is sent even if the rest of the script would crash. Second, this keeps the password in memory for the least amount of time possible, which reduces security risks. | +| Add Group To User | Selects the group that should be added, and clicks the **Save** button. This keyword also verifies that the web browser has the expected title. The `Click Element At Coordinates` keyword is used to reset the state of the page, as selecting the group hides the **Save** button. | +| Search User And Add Group | Goes to the page to add groups to the right user, and calls `Add Group To User`. This keyword also verifies that the web page has the expected title. | +| Add Groups | Calls `Search User And Add Group` for each group in the provisioning order. | +| Add All Groups | Computes the number of groups to add, and if there is at least one, calls `Add Groups`. The only way to find the number of groups to add is in the **Changes** > **groups_add** section of the provisioning order. This section does not exist if there are no groups to add, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. | +| Remove Group From User | Goes to the URL corresponding to the API call to remove the group from the user. | +| Remove Groups | Calls `Remove Group From User` for each group in the provisioning order. | +| Remove All Groups | Computes the number of groups to remove, and if there is at least one, calls `Remove Groups`. The only way to find the number of groups to remove is in the **Changes** > **groups_remove** section of the provisioning order. This section does not exist if there are no groups to remove, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. 
| + +``` + +*** Keywords *** +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] 
${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +``` + +### Define mandatory keywords + +To be able to provision the system, the script must contain the `ExecuteAdd`, `ExecuteDelete`, and +`ExecuteModify` keyword. As the Banking system is only able to modify existing accounts, only the +`Execute Modify` keyword is implemented. + +To simplify error handling, the `Execute Modify` keyword only calls the `Modify User` keyword. As +only a single keyword is needed, it can be called within the `Try Keyword` keyword. This means that +the error handling can be handled with the `Catch Keyword` keyword. + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Identity +Manager starts the Robot Framework task. Note that the `Launch Provisioning` keyword is mandatory +for the provisioning to happen. + +As the browser should always be closed after the tests, a teardown is used to ensure that regardless +of the script's execution state, the browser is closed. 
+ +``` + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/UsercubeDemo/Runtime/UsercubeRobotFramework.resource +Library SeleniumLibrary + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search User And Add 
Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md new file mode 100644 index 0000000000..b6708c5435 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md 
@@ -0,0 +1,661 @@ +# Fulfill Microsoft Exchange via PowerShell + +This guide shows how to set up a +[ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) connector to fulfill data in +Microsoft Exchange Server. It will focus on registering Identity Manager within the target Microsoft +Exchange instance, configuring the connector, and building the job to perform a regularly scheduled +fulfillment. Of course, any other system compatible with PowerShell can be chosen. + +## Prerequisites + +### External System Configuration + +Check the following prerequisites: + +- [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +- [ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) +- [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + +Let's consider a simplified system, including three parts: + +1. Identity Manager +2. Microsoft Exchange Server +3. Active Directory + +For more details on the complete system, see +[Exchange architecture](https://docs.microsoft.com/en-us/exchange/network-configuration/architecture?view=exchserver-2016). + +Identity Manager can: + +- export and fulfill AD entries independently of Microsoft Exchange. +- export mailboxes from Microsoft Exchange independently of AD. +- fulfill a mailbox but Identity Manager needs first to fulfill an AD entry and then, launch the + Microsoft Exchange Fulfill. + +### Identity Manager Configuration + +This step sets up the Identity Manager Agent to use the Active Directory and PowerShell connectors +in order to fulfill the Microsoft Exchange mailboxes. + +The settings must be entered in `appsettings.agent.json > Connections`. 
For more details, see the +[Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) and +[ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) sections. + +#### Add Sections + +As explained previously, the simplified system consists of Identity Manager and two other systems. +It means that settings are required in `appsettings.agent.json` to connect with the systems. See the +[ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md), +[ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md), +and[Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) topics for additional +information. + +> This example contains export and fulfillment settings for the Active Directory and for Microsoft +> Exchange: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "ADFulfillment": { +> "Servers": [ +> { +> "Server": "...", +> "BaseDN": "..." +> }, +> { +> "Server": "paris.contoso.com", +> "BaseDN": "DC=defense,DC=paris,DC=com" +> } +> ], +> "AuthType": "Basic", +> "Login": "...", +> "Password": "...", +> "Filter": "(objectclass=*)", +> "EnableSSL": true, +> } +> "MicrosoftExchangeExportFulfillment": { +> // Export Microsoft Exchange settings +> ... +> // Fulfillment Microsoft Exchange settings +> "PowerShellScriptPath": "C:/UsercubeDemo/Scripts/Fulfill-Exchange.ps1", +> "Options": { +> "AuthType": "Basic", +> "Server": "http://ex-server1/powershell", +> "Login": "PIXELABS\\Administrateur", +> "Password": "Secret123" +> } +> }, +> } +> } +> ``` + +As this guide focuses on the fulfillment of an external system, export settings will be omitted. 
+ +The Fulfill-PowerShell needs a script whose path is defined by the attribute +**PowerShellScriptPath**. Identity Manager provides a script in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`.See the +[ Write a PowerShell Script for Provisioning ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md) topic +for more details on how to write a customized script. + +To define and apply additional settings when authenticating to an external system, we can set the +attribute [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) and add required +parameters for authentication. + +In the example above, the `Basic` AuthType was chosen to show how to fill the credentials, but it +isn't mandatory to use this +[ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md). + +For pedagogical reasons, this guide focuses on the simplest way to set up the fulfillment, but it's +not the most secure. Hence, it is strongly recommended to use Kerberos AuthType or +[ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) via Azure Key Vault or +CyberArk in a production environment. +Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +## Build the Connector + +To be used for export tasks, a connector must be declared in +the[Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) and linked to an Agent. + +It is strongly recommended that the applicative configuration be stored in the working directory +Conf folder as a set of xml files organized by connector. 
To follow this structure, create a +MicrosoftExchange directory in the Conf folder. + +### Declare a Connector + +In the `MicrosoftExchange` directory, create a `MicrosoftExchange Connector.xml` file. This file +contains the declaration of the connector and the associated +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +> This example declares the +> `MicrosoftExchange`[connector](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +> on the `Local` agent, and the +> [connection](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) linked to the +> previously defined `MicrosoftExchangeExportFulfillment` JSON section (see the [example](#example) +> above): +> +> ``` +> Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +> ... +> ... +> +> +> ``` + +### Write Entity Types + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure +of the Microsoft Exchange data relevant for Identity Manager. It is designed by analyzing the +Microsoft Exchange data structure, and describing said data with +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) and +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) that best serves the +[ Assignment Policy ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) needs. It will most likely be +refined iteratively throughout the project integration. 
+ +A good starting point for the Entity Model is to mirror the shape of the Microsoft Exchange +mailboxes and databases. + +##### Example + +This example defines the entity types named MicrosoftExchange_Database and +MicrosoftExchange_Mailbox. + +Notice the omitted **TargetColumnIndex** attribute and the presence of Type="ForeignKey" for the +Mailboxes and Database properties. If omitted, this attribute indicates that the properties are +navigation properties. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write the Entity Type Mapping + +The entity type must be mapped, on a property by property basis, to the exported attributes of +Microsoft Exchange mailboxes and databases (namely, the columns of the CSV source files generated by +the export). The +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element maps scalar properties from a CSV source file to an EntityType. + +##### Example + +In this example, the CSV source files are microsoftexchange_databases.csv and +microsoftexchange_mailboxes.csv located in the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write Entity Associations + +Entity types are associated through their navigation properties with +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + +The following example declares a `1:n` (`'one-to-many'`) association. One +`MicrosoftExchange_Database` may be referenced by any number of `MicrosoftExchange_Mailbox`_(es)_, +but each `MicrosoftExchange_Mailbox` can only reference one `MicrosoftExchange_Database`. 
+ +The properties used for the association must be `Primary` or `Unique` keys. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... + +``` + +### Write the Entity Association Mapping + +The +[ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element maps column values from a CSV source file to an EntityType navigation property. + +##### Example + +This example describes the mailbox/database associations between MicrosoftExchange_Mailbox and +MicrosoftExchange_Database. Thanks to the **Export** Microsoft Exchange job, the file +microsoftexchange_mailboxes.csv is generated. This file looks like: + +``` + +Command;Property_1;Property_2;...;Property_N +Add;value1;value2;...;valueN + +``` + +Each line of the CSV file corresponds to a `MicrosoftExchange_Mailbox`. The properties used in the +association are: + +- `Guid`: the Guid of the `MicrosoftExchange_Mailbox`. +- `Name`: the name of the `MicrosoftExchange_Database` referencing the `MicrosoftExchange_Mailbox` + (name is unique among the databases). + +The following table can be extracted from the CSV file: + +| Guid | Name | +| ------------------------------------ | --------------------------- | +| 4ecbdba7-e984-409a-a9ac-6027ac81fa42 | Mailbox Database 1882404652 | +| 1d3e67a2-7d44-46f1-a300-afa73ae120f4 | DB1 | +| aab57e15-847b-4e16-96f1-82ebc54c01e2 | DB1 | +| ea513604-3758-463f-9b72-6c42ea949260 | DB2 | + +It means that the MicrosoftExchange_Mailbox with Guid ? 4ecbdba7-e984-409a-a9ac-6027ac81fa42 is +contained in the MicrosoftExchange_Database with Name ? Mailbox Database 1882404652. This +association is created for every line in the CSV file, and therefore also for every line in the +table above. + +This can be enabled with an **EntityAssociationMapping** like in the following XML: + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... 
+ +``` + +The CSV file `microsoftexchange_mailboxes.csv` must be exported to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +## Build the Role Model + +A +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +must be created with the following elements: + +- `ResourceType` +- `ResourceTypeMapping` +- `ResourceCorrelationRule` +- `SingleRole` (optional) + +### Resource Type + +A [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) is a +conceptual model of an information system object, here a mailbox. + +The resource type contains several rules: + +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which + assigns a resource to a user +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which + specifies the value to be set to an assigned resource scalar property +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which + specifies a value to be set to an assigned resource multi-valued navigation property + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... + ... + +``` + +The TargetEntityType is MicrosoftExchange_Mailbox and the SourceEntityType is Directory_User. + +This Resource Type allows Identity Manager to compute the values used when fulfilling the external +system. + +Finally, the Navigation Rule sets the property Database of the entity MicrosoftExchange_Mailbox. 
See +the [ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) topic for additional information. + +### Resource Type Mapping + +A +[Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +element contains all the resource types (sharing the same Identifier) that can be provisioned into +targeted platforms, applications, and systems. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +In this example, `Fulfill-PowerShell` requires only a simple `ResourceTypeMapping` (including only +one `Identifier` and one `Connection`): + +- The **Identifier** attribute is `MicrosoftExchange_Mailbox_NominativeUser` which corresponds to + the identifier of the resource type defined earlier. +- The **Connection** attribute is `MicrosoftExchangeExportFulfillment` which corresponds to the + section in `appsettings.agent.json` containing the parameters used to provision the external + system. + +### Resource Correlation Rule + +A +[ Resource Correlation Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +is used to correlate the resource `MicrosoftExchange_Mailbox_NominativeUser` with the +`Directory_User`. + +#### Example + +``` +Conf/MicrosoftExchange/NotImplementInAutoTest/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +This rule means if the `SamAccountName` (`MicrosoftExchange_Mailbox`) is equal to the `Login` +(`Directory_User`) then, the `ResourceType` can be linked to the `User` with a confidence rate of +100%. + +### Single Role (optional) + +A [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) encapsulates +system entitlements. 
+ +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +This single role was previously used in one of the navigation rules defined in the `ResourceType`. + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +If a `Directory_User` is assigned the SingleRole `DB1` then, the `NavigationRule` indicates that the +property `Database` (in `MicrosoftExchange_Mailbox`) will have the value +`9c512155-d912-4fcb-9448-0755fbaf1b96` (unique id of a `MicrosoftExchange_Database`). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A [ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to +include a link to the resources list in the left menu on the UI home screen. + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +NETWRIX also advises to use a new `MicrosoftExchange Nav.xml` file in the `MicrosoftExchange` +connector's folder to add a `mailboxes` and `databases` menu item. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Nav.xml +... + ... + +``` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Conf/Nav.xml` file. This new menu item gives access to the list of synchronized Microsoft Exchange +entities. + +![Microsoft Exchange Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new +`MicrosoftExchange UI.xml` file in the `MicrosoftExchange` connector's folder. 
+ +#### All-in-One Scaffolding + +The +[ View Target Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) +generates all the required elements to be seen by the user. + +##### Example + +The documentation explains what is generated by the following scaffolding: + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +The following sections show how to override the elements generated by this scaffolding in order to +provide a more precise display. + +#### Display Entity Type + +The +[Display Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following display for +[wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com). + +![Microsoft Exchange Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +The scalar properties require no configuration: they are automatically displayed. The only +information that the +[DisplayEntityType](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be +displayed to take you directly to the matching page. + +#### Display Table + +The [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements describe how a list of resources should be displayed. 
+ +The +[](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md)[Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +contains a list of +[Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) columns +elements that identify which properties should be included in the list display. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following list display: + +![Microsoft Exchange Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) + +#### Internal Display Name + +An `InternalDisplayName` can also be declared as an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). The +`InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string **name**. If no such property is found, the first declared property +of the entity type is used. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +This example adds the `InternalDisplayName` to the `MicrosoftExchange_Mailbox` entity type to be +used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to +the connector. 
+ +The +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +elements define +[ AccessControlPermission ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +permissions for end-user profiles to read and write the connector's data (such as resources of a +given entity type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator +profile permissions can be written to the `MicrosoftExchange Profile Administrator.xml` file. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Profile Administrator.xml +... +... + +``` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display Microsoft Exchange resources (`mailboxes` and `databases`) +and role categories from the UI. + +## Jobs + +### Construction + +This step focuses on writing a Complete Synchronization Job. + +Netwrix Identity Manager (formerly Usercube)recommends writing Jobs associated with the +MicrosoftExchange connector to the Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml file. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml +... + ... + +``` + +This job will be executed on Microsoft Exchange's +connector[ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md). + +Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag. 
It refers to +the `ClientId` written to the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration. The Tasks will authenticate with the profile associated with this +`ClientId` in the `` xml configuration element. + +There is also the tag `` which means that the export will not be executed. +Removing the tag will launch export-related tasks before fulfillment-related tasks. Export tasks +need the same XML configuration and additional settings +in[ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md). + +All the job steps generated by the scaffolding can be found in the +[Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +scaffolding. + +Check +[Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) +for incremental synchronization. + +### Permissions + +The execution of a Job entails the execution of Tasks, reading/writing to the Database and sending +files over to the Server. These operations are protected by an authorization mechanism. + +A [ Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) is required and +must have the proper permissions for the associated Job or Task to perform. + +Here, jobs use the default `OpenId`. + +### Job Launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external +scheduler. 
+ +#### With Scheduler + +Use the [ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) Cron Tab Expression attribute. + +#### With an external scheduler + +An external scheduler would rely on the +[ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. + +## Validation + +### Deploy Configuration + +The configuration is written to the database using the +[ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) +tool. + +### Test + +#### ADMicrosoftExchange Prerequisites + +An Active Directory configuration is required for Microsoft Exchange to work. Fill +the[ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) settings in accordance with the +configuration. + +To reset the password, if **AuthType** is `Basic`, then **EnableSSL** must be `true`. +Otherwise, if **AuthType** is `Kerberos`, then **EnableSSL** is not required. + +#### Mailbox Creation + +To create a new mailbox, apply the following procedure: + +1. Select a user and validate both resource types `ADMicrosoftExchange_Entry_NominativeUser` and + `MicrosoftExchange_Mailbox_NominativeUser`. +2. In the Provisioning Review, confirm both resource types. +3. First, launch the job AD Microsoft Exchange Synchronization. +4. Then, launch the job Microsoft Exchange Synchronization. + +In fact, an `ADMicrosoftExchange_Entry` is required to create a mailbox. To update or delete an +existing mailbox, the Active Directory part can be skipped. + +#### Interface display + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. 
+ +![Microsoft Exchange Jobs](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp) + +From there, the Synchronization job can be launched and debugged (if needed). + +After execution, Microsoft Exchange resources and databases should be in the `UR_Resources` table of +the SQL Server database. + +The results can also be viewed on the UI: + +![Microsoft Exchange Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +![Microsoft Exchange Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +![Microsoft Exchange Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md new file mode 100644 index 0000000000..dde7a397bd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md 
@@ -0,0 +1,801 @@ +# Export CyberArk Data via SCIM + +This guide shows how to set up a [SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) connector to +extract data from your CyberArk instance into CSV source files that will in turn be fed to the +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task and to your +Identity Manager resource repository. It will focus on registering Identity Manager within the +target CyberArk instance, configuring the connector, and building the job to perform regularly +scheduled synchronization. + +## Prerequisites + +### External system configuration + +Usually CyberArk provides the environment to use AAM (_Application Access Manager_) and SCIM +(_System for Cross-domain Identity Management_). For example, PrivateArk Server, PrivateArk and +other tools can be found on a VM-based environment. + +It is strongly recommended that you follow the official **CyberArk SCIM Server Implementation +Guide** (the CyberArk team can provide this document) in order to set up the environment. When +you've completed the installation or if CyberArk has already installed it, you can verify the +installation: + +1. Log into **PrivateArk Client**, locate and open the **SCIM Config** safe. +2. Check the presence of the following objects: + + - `Encryption-key`: The SCIM Server uses a local cache to store objects retrieved from the + Vault. Although no credentials (other than the ones in the SCIM Config safe, which are not + stored on the cache) are retrieved, we encrypt the cache with this encryption key. The key is + randomly generated, and not exposed by the installer, but can be changed if desired. + - `GlobalConfig.yml`: This is the configuration file for the overall SCIM server settings. It is + responsible for the setting of performance parameters and additional added features. 
+ - `Usercube-account`: This is a privileged account to allow Identity Manager to authenticate its + REST API requests to the SCIM Server. The password for this account must be the same as the + Identity Manager-user (Identity Manager can be replaced by any other name like Client). + - `SCIM-account`: This is a privileged account, managed by the Central Policy Manager (CPM is + the module of the PAM tool that is responsible for managing the passwords and any + policies/exceptions configured), which allows the SCIM server to retrieve the password for + SCIM-user through an Application Identity Manager (AIM) Credential Provider call. + +3. Verify that the following **Users** were created in the PrivateArk Client: + + - Go to **Tools** > **Administrative Tools**. + - Select **Users and Groups**. + - Ensure the following users have been created: + + - `SCIM-user`: This is a CyberArk user with full privileges for creating and managing Safes, + Accounts, Permissions, and Users. This user is required by the CyberArk's Command Line + Interface (PACLI, used to perform quick Vault-level functions without logging in to the + PrivateArk client) on the SCIM server for logging into the Vault and managing objects on + behalf of client applications such as Identity Manager. + - `Client-user`: This is a CyberArk user for authenticating requests made to the SCIM server + using the REST API. (The name Client-user' can change and be replaced by Identity + Manager-user' for example.) + + Now we can consider that the installation is correct, the login is `Usercube-user` and the + password `CyberArk1`. + +### Identity Manager configuration + +This step sets up the Identity Manager Agent to use the SCIM connector and access the CyberArk data. + +The settings must be entered in the appsettings.agent > Connections section. See the +[SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) topic for additional information. 
+ +#### Connect to the target CyberArk instance + +In the `Connections` section, add one new subsection that will contain the credentials for the +target CyberArk. Use a meaningful name to remember which CyberArk is accessed via this section. + +> This example connects via the `SCIMCyberArkExport` connection to the CyberArk system: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SCIMCyberArkExport": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the CyberArk's address. It has the form: + `https://host:port/CyberArk/scim`. +- The **Login** attribute with the User's login value (in our example, `Usercube-user`). +- The **Password** attribute with the User's login value (in our example, `Cyberark1`). + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", +> "Login": "Usercube-user", "Password": "Cyberark1" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault +or CyberArk in a production environment. +Netwrix Identity Manager (formerly Usercube)recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +#### Set exported objects, exported attributes and export files + +This step focuses on choosing and setting up the list of SCIM objects and attributes to be exported. + +The **Filter** attribute defines what is exported. It is located in the +`appsettings.agent > Connections > SCIMCyberArkExport` subsection previously created. + +##### Choose objects to export + +The list of objects to export depends on the Role Model requirements. 
The list will evolve +iteratively as the project's needs become clearer. + +The SCIM entities available in a CyberArk implementation are: + +- **Users**: CyberArk Users. +- **Containers**: Containers/CyberArk Safes. +- **ContainerPermissions**: Permissions on CyberArk Safes. +- **Privileged Data**: Privileged Data/CyberArk Accounts. +- **Groups**: CyberArk Groups. + +Filters are defined in the next part. + +##### Filtering + +An exhaustive list of entities and attributes provided by CyberArk is available in their +[technical documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsOvw/SCIM-Provisioning.htm) +or the SCIM `Swagger UI`. + +The `Filter` and `FilterGroup` setting syntax is detailed in the +[SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) optional attributes. + +`SCIMSyntax` must also be set to `CyberArk` because the CyberArk system doesn't strictly follow all +the SCIM rules at the moment. + +##### Example + +The following example sets up the **Users**, **ContainerPermissions**, **Containers** and **Groups** +for export. + +For **Users**, we give an example for each type of attribute: + +- **userName** is an attribute of the base schema. +- **ldapFullDN** is an attribute of the `urn:ietf:params:scim:schemas:cyberark:1.0:User` schema + because it is separated by `:`. +- **givenName** is a sub-attribute of the attribute `name` because it is separated by `:`. + +Notice the `*` that separates the entities. + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... 
"SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", +"Login": "Usercube-user", "Password": "Cyberark1", "Filter": +"Users;urn:ietf:params:scim:schemas:cyberark:1.0:User:ldapFullDN|ldapDirectory id userName active +name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source +nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id +displayName type name", "FilterGroup": "Groups;id displayName", "SCIMSyntax": "CyberArk" } } } + +```` + + +##### Set up export files + +The export generates CSV source files that will be fed to the [ +Upward Data Synchronization +](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task. + +The SCIM connector generates one file per entity, the name is generated as: ```EntryFile``` + ```'_'``` + ```FilterEntity``` or ```MembersFile``` + ```'_'``` + ```FilterGroupEntity```. + +Moreover, ```SyncCookiesFile``` can be specified to indicate the location of the cookie file for an incremental export. + +See the [SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md)topic for additional information. + +The target directory and file name are chosen freely. However, Netwrix Identity Manager (formerly Usercube) strongly recommends using the [ +Create a Working Directory +](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) ```Temp/ExportOutput``` folder and choosing file names that start with the ```CyberArk_``` prefix. 
+ +##### Example + +With the following example, the resulting files are: + +- ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_Users.csv``` +- ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_ContainerPermissions.csv``` +- ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_Containers.csv``` +- ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` + +```` + +appsettings.agent.json { ... "Connections": { ... "SCIMCyberArkExport": { "Server": +"https://host:port/CyberArk/scim", "Login": "Usercube-user", "Password": "Cyberark1", "Filter": +"Users;urn:ietf:params:scim:schemas:cyberark:1.0:User:ldapFullDN|ldapDirectory id userName active +name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source +nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id +displayName type name", "FilterGroup": "Groups;id displayName", "EntryFile": +"C:/UsercubeDemo/Temp/ExportOutput/CyberArk", "MembersFile": +"C:/UsercubeDemo/Temp/ExportOutput/CyberArk_members", "SCIMSyntax": "CyberArk" } } } + +```` + + +Every file contains the data as CSV, with one column per attribute. + +## Build the Connector + +### Declare a connector + +To be used for export tasks, a connector must be declared in the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) and linked to an Agent. + +It is strongly recommended that the applicative configuration be stored the [ +Create a Working Directory +](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) ```Conf``` folder as a set of ```xml``` files organized by connector. + +- In the ```Conf``` folder, create a ```SCIMCyberArk``` directory. +- In the ```SCIMCyberArk``` directory create a ```CyberArk Connector.xml``` file. + + This file contains the declaration of the connector and the associated Entity Model. 
+- Use the [ + Connector + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) element to declare the connector with the following attributes: + + - __Identifier__ identifies this connector in the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md). We recommend using a meaningful name such as ```CyberArk```. If several connections to several CyberArk targets are possible, only one CyberArk Connector per Agent is used. + - __DisplayName_Li, i ? [1..16]__ are used in the UI. + - __Agent__ is the identifier of the Agent that will run this connector's export task. The Agent's identifier can be found in the agent's [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) \> OpenId \> AgentIdentifier. +- Don't forget the `````` and `````` elements (see example below). + +> This example declares the ```CyberArk``` connector on the ```Local``` agent: +> +>``` +> +>Conf/SCIMCyberArk/CyberArk Connector.xml +> +> ... +> ... +> +> ``` + +### Build the entity model + +The exported data to be written to the [Identity Management](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md) must be aligned with the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure of the CyberArk data relevant for Identity Manager. 
It is designed by analyzing the CyberArk data structure, and describing said data with the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) and [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). Eventually, it is up to the integration team to design the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) that best serves the [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) needs. It will most likely be refined iteratively throughout the project integration. + +A good starting point for the Entity Model is to mirror the shape of the exported CyberArk SCIM objects. This guide provides a few examples that can serve this purpose. Thus, CyberArk SCIM objects such as __Users__ and __Groups__ can be described by [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md), and group membership by [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) for the CyberArk connector is written in the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md). It is strongly recommended to write the entity model to the newly created ```Conf/SCIMCyberArk/CyberArk Connector.xml``` file. + +#### Write entity types + +Declaring an [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) is achieved with the `````` tag and the following attributes: + +- __Identifier__ is the entity type's name. It must be unique among the entity types. 
It is strongly recommended to prefix this name with the connector's name. An example for CyberArk is ```CyberArk_User```. +- __DisplayName_Li, i ? [1..16]__ are used in the UI to identify this [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) for the end-user. __DisplayName_L1__ is the name of the entity type in _language number one_. If this language is _English_, a good example value would be ```CyberArk - User```. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... + ... ... + +```` + + +The CyberArk SCIM objects attributes are modeled by [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md)properties, with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of by [Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) (determined by the ```TargetColumnIndex```): scalar and navigation. + +- Scalar properties can be defined to represent scalar attributes such as ```userName```, ```active``` or ```givenName```. +- Navigation properties represent associations such as group memberships. + +Finally, the main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of property. A scalar property type can be: ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, or ```Option```. The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. 
See more details at [Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +##### Example + +This example defines an entity type named ```CyberArk_User``` to match the attributes selected for extraction from CyberArk in the previous example. + +Notice the omitted __TargetColumnIndex__ attribute and the presence of ```Type="ForeignKey"``` for the ```groups``` and ```containers``` properties. If omitted, this attribute indicates that the properties are navigation properties. + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... + + + + + + + + + + + + + + + + +... + +```` + + +#### Write entity associations + +[Assignment Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) are associated through their navigation properties with [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) elements. + +##### Example + +The following example declares an ```n-n``` association between a ```CyberArk_User``` and ```CyberArk_Group```. + +The ```groups``` property of a ```CyberArk_User``` is a collection of __Group__ IDs (modeled as an ```CyberArk_Group``` EntityType) of which this ```CyberArk_User``` is a member. + +The ```Users``` property of a ```CyberArk_Group``` is a collection of ```CyberArk_User```IDs which are members of this __Group__. + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... +... + +```` + + +The exact nature of the IDs are described by the associated [Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type followed by ```:``` and the name of an entity property. 
It is a [Binding](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) that describes in one expression both the target entity type and property. + +### Create mapping + +The entity type must be mapped property by property to the exported attributes of CyberArk SCIM objects (namely, the columns of the CSV source files generated by the export). + +The [Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), [Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), and Entity Property Mapping elements serve this purpose. + +#### Write the entity type mapping + +The [Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element maps scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the __ConnectionTable__ xml attribute. The target entity type name is written to the __Identifier__ xml attribute. + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... + +... ... + +```` + + +To do so, the entity type mapping uses the [Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element with the `````` tag. This maps the CSV column from ```ConnectionColumn``` to the target EntityType property which is written to the __Identifier__ attribute. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... + + + + + + + + + + + + + + + +... + +```` + + +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source files data. + +Let's take the example of a new ```CyberArk_User``` which has never been synchronized. 
The ```UR_Resource``` table receives a new line for which the _6th_ column (```userName```) is filled in with the ```userName``` column from the ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_Users.csv``` file. + +#### Write the entity association mapping + +The [Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element maps navigation properties, used in [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +An [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element refers to an [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) written to the __Identifier__ xml attribute. Then, just as the [Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element, it maps columns values from a CSV source file to an EntityType property. + +##### Example + +The following example describes the actual user/group associations between ```CyberArk_User``` and ```CyberArk_Group```. +These associations are exported from the CyberArk system into the ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` file. Each line of the file associates a value (property ```CyberArk_id``` from ```CyberArk_Group```) and a MemberId (property ```CyberArk_id``` from ```CyberArk_User```). 
+ +| value | MemberId | +| --- | --- | +| 1 | 100 | +| 1 | 101 | +| 2 | 102 | +| 2 | 103 | +| 3 | 104 | + +The following [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) describes the mapping for the ```CyberArk_Group_Members``` EntityAssociation: + +```` + +Conf/SCIMCyberArk/CyberArk Connector.xml ... +... + +```` + + +Here are a few explanations: + +###### Users_CyberArk_Group_ + +The ```Users``` property in the ```CyberArk_Group``` entity: + +- is written to the __Property1__ attribute of the ```CyberArk_Group_Members``` [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) element. +- is filled in by values from the ```MemberId``` column (written to the __Column2__ attribute of the ```CyberArk_Group_Members``` [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element) in the ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` file. + +These values identify resources of type ```CyberArk_User``` by their ```CyberArk_id``` property (written to the __EntityPropertyMapping2__ attribute of the [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element. 
+ +###### Groups_CyberArk_User_ + +The ```Groups``` property in the ```CyberArk_User``` entity: + +- is written to the __Property2__ attribute of the ```CyberArk_Group_Members``` [Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) element). +- is filled in by values from the _value_ column (written to the __Column1__ attribute of the ```CyberArk_Group_Members``` [Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element) in the ```C:/UsercubeDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` file. + +These values identify resources of type ```CyberArk_Group``` by their ```CyberArk_id``` property (written to the __EntityPropertyMapping1__ attribute of the [Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A [Menu Item](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to include a link to the resources list in the left menu in the UI home screen. + +#### Parent menu item + +It strongly recommended to gather synchronized resources menu items under parent menu items. This is usually declared in the configuration root folder ```Nav.xml``` file. + +##### Example + +```` + +Conf/Nav.xml ... + +... + +```` + + +#### Child menu item + +It is strongly recommended to use a new ```CyberArk Nav.xml``` file in the ```SCIMCyberArk``` connector's folder in order to add the CyberArk SCIM objects menu item. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk Nav.xml ... + + ... 
+ +```` + + +Adds a new menu item under the ```Nav_Connectors``` menu item declared in the root ```Nav.xml``` file. This new menu item gives access to the list of synchronized CyberArk SCIM objects. + +![SCIM CyberArk Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new ```CyberArk UI.xml``` file in the ```SCIMCyberArk``` connector's folder. + +#### Display entity type + +The [Display EntityType](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) describes how a single resource should be displayed. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk UI.xml ... + +... + +```` + + +This configuration configures that display for [christian.adam@acme.com](mailto:christian.adam@acme.com): + +![SCIM CyberArk Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp) + +The scalar properties don't need to be configured: they are automatically displayed. The only information that the [DisplayEntityType](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +The [DisplayTable](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements describe how a list of resources should be displayed. 
+ +The [DisplayTable](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) contains a list of [DisplayTableColumn](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md#child-element-column) elements that identify which properties should be included in the list display. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk UI.xml ... + + + + + + + +... + +```` + + +configures the following list display: + +![SCIM CyberArk Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp) + +#### Internal display name + +An ```InternalDisplayName``` can also be declared as an [ +Entity Type +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). The ```InternalDisplayName``` is used in several UI screens to identify a resource for the user. + +With no custom ```InternalDisplayName```, a default value is used (instead of the first property of the identity) containing the string _"name"_. If no such property is found, the first declared property of the entity type is used. + +##### Example + +```` + +Conf/SCIMCyberArk/CyberArk UI.xml ... +... + +```` + + +adds the ```InternalDisplayName``` to the CyberArk_User entity type to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. 
+ +The [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) elements define [AccessControlPermission](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```CyberArk Profile Administrator.xml``` file. + +#### Example + +The following example sets permissions for the ```Administrator``` profile. + +It entitles an administrator to display ```CyberArk SCIM``` resource and role categories from the UI. + +```` + +Conf/AzureAD/AzureAD Profile Administrator.xml ... + + + + + + +... + +```` + + +## Jobs + +### Construction + +This step focuses on writing a ```Complete``` Synchronization job. + +It is strongly recommended to write Jobs associated with the ```CyberArk``` connector to the ```Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml``` file. + +### Components + +All the job steps can be found in the [Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) scaffolding. + +#### Example + +```` + +Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml ... + +... + +```` + + +This job will be executed on CyberArk's connector agent. + +Notice the __Identifier__ attribute with the value ```Job``` in the ```OpenIdIdentifier``` tag. 
It refers to the ```ClientId``` written to the [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration. The Tasks will authenticate with the profile associated with this ```ClientId``` in the `````` xml configuration element. + +Incremental synchronization can be configured with the following [Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md). + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via the [Usercube-Invoke-Job](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) uses: + +- A [Profile](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) associated with the Job itself to read/write: + - ```UJ_Jobs``` and ```UJ_Tasks``` tables in a list of tasks + - ```UJ_JobInstances``` tables in the progress report +- a Profile for each Task, to read/write ```UJ_TaskInstances``` tables (Progress Report) and perform other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an [OpenIdClient](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair, linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + +```` + +Conf/Profile AgentJob.xml ... +... 
+ +```` + + +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube)strongly recommends that you create a [Profile](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) to be used during the Synchronization jobs which will be different from the one used during the Provisioning job. This contributes to separating access rights. The same principle applied even more rigorously would make Identity Manager create one profile per Task. It isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the [Usercube-Invoke-Job](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md), the profile linked to these tasks and used by the tool should be authorized to execute said tasks. + +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +__View Tasks__ + +- ```/Jobs/Task/Query``` + +__Progress Report__ + +- ```/Jobs/JobInstance/Query``` +- ```/Jobs/JobInstance/Update``` +- ```/Jobs/TaskInstance/Query``` +- ```/Jobs/TaskInstance/update``` + +__Synchronization and Prepare-Synchronization__ + +- ```/Connectors/Connector/Query``` +- ```/Connectors/SynchronizeSession``` + +Granting access can be done via the [Synchronization Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) scaffolding and the[Job View Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) scaffolding. 
+ +The following examples (or similar) should be written to ```Conf/Profile AgentSychro.xml```. + +> This example entitles the administrator profile to run any synchronization job: +> +> ``` +> +> Conf/Profile AgentSychro.xml +> ... +> ... +> +> ``` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile with the following access rights: + +- ```/Jobs/RunJob/Launch``` + +This can be done via the[Job Execution Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) scaffolding. + +##### Example + +```` + +Conf/Profile AgentSychro.xml ... +... + +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's [Profile](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [OpenIdClient](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) xml element. + +It is strongly recommended that you write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the [ +Usercube-New-OpenIDSecret +](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) tool. 
+ +```` + +Conf/OpenIdClients.xml ... + +... + +```` + + +#### Set up the Agent to use ClientId/Secret pairs + +The ```ClientId/Secret``` pairs that the Agent may use are written to the Agent's [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration set. + +The ```ClientId``` of such ```ClientId/Secret``` pairs can then be used as a value in a Task __OpenIdClient__ attribute. + +Pairs written in the ```OpenIdClient``` section may be used by Tasks. + +The Job itself uses the ```DefaultOpenIdClient``` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> appsettings.agent.json +> { +> ... +> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external scheduler. + +#### With Identity Manager's scheduler + +Use the Job [Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) attribute. + +> This example uses Identity Manager's scheduler to execute the ```CyberArk_Synchronize_Complete_Manually``` job every fifteen minutes: +> +> ``` +> Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the [crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the [Usercube-Invoke-Job](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. + +##### Example + +The following command can be scheduled. It executes the ```CyberArk_Synchronize_Complete_Manually``` using the "Job/secret" authentication pair to connect to the Identity Manager Server at ```http://usercube.contoso.com```. 
+ +```` + +./identitymanager-Invoke-Job.exe -j "CyberArk_Synchronize_Complete_Manually" --api-secret secret +--api-client-id Job --api-url "http://usercube.contoso.com" + +```` + + +## Validation + +### Deploy configuration + +The configuration is written to the database using the [Deploy Configuration Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +The Synchronization job should be found in the UI, under the __Job Execution__ menu, with the name input in the Job's __DisplayName_Li__ attribute. + +From there, it can be launched and debugged (if needed). + +After execution, CyberArk SCIM Objects resources should be in the ```UR_Resources``` table of the SQL Server database. +```` diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md new file mode 100644 index 0000000000..295bd942ee --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md 
@@ -0,0 +1,111 @@ +# For Microsoft Entra ID + +This example is about implementing incremental synchronization for an +[ Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) connector (formerly +Microsoft Azure AD). + +## Build the Incremental Synchronization Job + +Identity Manager provides a full-written job to perform incremental synchronization through the UI. + +See how to launch incremental +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)via the UI. + +> For example: +> +> ``` +> +> Conf/AzureAD/AzureAD Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +### Components + +Identity Manager provides a +[Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) +scaffolding that generates the configuration for these steps. + +> For example: +> +> ``` +> +> Conf/AzureAD/AzureAD Jobs.xml +> +> +> +> +> ```` +> +> +> Note that the ```Job``` value in ```OpenIdIdentifier``` refers to the ```ClientId``` written to the [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md#)[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file. Each task will authenticate with the profile associated with this ClientId. +> ```` + +### Permissions for the agent + +This part is not specific to a connector type, see the +[ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. 
+ +### Agent's authentication to the server + +This part is not specific to a connector type, see the +[ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. + +### Permissions for users + +This part is not specific to a connector type, see the +[ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. + +## Schedule the Job + +Scheduling the job execution can rely either on Identity Manager's scheduler or on an external +scheduler. + +### Using scheduler + +> The following example uses Identity Manager's scheduler to execute the +> `AzureAD_Synchronization_Delta` job every fifteen minutes: +> +> ``` +> +> Conf/AzureAD/AzureAD Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +### Using an external scheduler + +An external scheduler relies on +the[ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md).exe. + +> The following command can be scheduled. It executes the `AzureAD_Synchronization_Delta` job using +> the `Job/secret` authentication pair to connect to the Identity Manager Server at +> `http://usercube.contoso.com`: +> +> ``` +> +> ./identitymanager-Invoke-Job.exe -j "AzureAD_Synchronization_Delta" --api-secret secret --api-client-id +> Job --api-url "http://usercube.contoso.com" +> +> ``` +> +> ``` + +## Validate the Job + +Validate the job's execution by proceeding as follows: + +1. Deploy the XML configuration to the database, by using the + [ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). +2. In the UI, access the **Job Execution** page from the dashboard's **Administration** section. +3. 
Find the job named with the string input in the job's `DisplayName_Li` property, and launch it. +4. Once the job is completed, Microsoft Entra ID objects should be synchronized to the database's + `UR_Resources` table. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md new file mode 100644 index 0000000000..c799653ac3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md 
@@ -0,0 +1,202 @@ +# Set Up Incremental Synchronization + +How to implement an incremental synchronization +[ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) for a given +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) via XML, to upload +the related system's resources to Identity Manager. + +See an example on [ For Microsoft Entra ID ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md) (formerly Microsoft Azure AD). + +Netwrix Identity Manager (formerly Usercube) strongly recommends configuring as much as possible via +the UI instead of XML files. See how to +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)via the UI. + +## Prerequisites + +First read how to [Create a Connector](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md). + +## Build the Incremental Synchronization Job + +Identity Manager provides a fully-written standardized job to perform incremental synchronization +through the UI. See here: + +See how to launch incremental +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)via the UI. + +Any IGA action is configured through [ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). + +Synchronization jobs contain tasks that are to be executed on agent side. + +### Components + +Any synchronization job should include: + +1. export; +2. synchronization preparation; +3. synchronization. 
+ +The export is configured and performed by the +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md), the +synchronization preparation by the +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +and the synchronization by the +[ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md). + +See the [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topic +for additional information. + +Identity Manager provides a scaffolding that generates the configuration for these steps, named +[Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md). + +This guide is about incremental synchronization, but complete synchronization can be configured with +the +[Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +scaffolding. + +### Permissions for the agent + +In order to launch a job via the +[ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool, the agent must +use a profile with the right permissions for each task. + +Permissions within Identity Manager are configured through +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). 
+ +> For example: +> +> ``` +> +> Conf/Profile AgentJob.xml +> +> +> +> ``` +> +> ``` + +Netwrix Identity Manager (formerly Usercube) recommends the creation of a profile for +synchronization jobs, and another for provisioning jobs, in order to comply with the principle of +least privilege. + +In order to run a synchronization job, the agent requires the permissions to: + +- view the tasks via `/Jobs/Task/Query`; +- access progress reports via `/Jobs/JobInstance/Query`, `/Jobs/JobInstance/Update`, + `/Jobs/TaskInstance/Query` and `/Jobs/TaskInstance/Update`; +- prepare the synchronization and synchronize via `/Connectors/Connector/Query` and + `/Connectors/SynchronizeSession`. + +Identity Manager provides scaffoldings that generate the configuration for granting these +permissions: +[ Synchronization Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) +and +[ Job View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +> The following example permits the `AgentSynchro` profile to run any synchronization job: +> +> ``` +> +> Conf/Profile AgentSynchro.xml +> +> +> +> ``` +> +> ``` + +### Agent's authentication to the server + +Every request from agent to server within the execution of a job needs to be authenticated with an +[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect +ClientId/Secret pair. + +So first, the configuration must contain a `ClientId/Secret` pair. + +Usable `ClientId/Secret` pairs are configured through an +[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md). 
+ +> The following example uses a secret hashed +> by[ Usercube-New-OpenIDSecret ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md): +> +> ``` +> +> Conf/OpenIdClients.xml +> +> +> +> ``` +> +> ``` + +Then, the agent's profile must be linked to one of the `ClientId/Secret` pairs. + +Agents' settings are configured in their +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +file. + +> The following example sets the `Job/secret` pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> +> { ... "OpenId":{ "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } } +> +> ``` +> +> ``` + +### Permissions for users + +In order to launch the job, a user must have the right permissions. + +Permissions within Identity Manager are configured through +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). + +In order to launch a synchronization job, a user requires the appropriate permission: +`/Jobs/RunJob/Launch`. + +Identity Manager provides a +[ Job Execution Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md)that +generates the configuration for granting this permission. + +> For example: +> +> ``` +> +> Conf/Profile AgentSynchro.xml +> +> +> +> ``` +> +> ``` + +## Schedule the Job + +Scheduling the job execution can rely either on Identity Manager's scheduler or on an external +scheduler. + +### Using scheduler + +Identity Manager's scheduler is configured through the +[ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md)'s `CronTabExpression` property. 
+ +[See Crontab documentationfor more details ](https://crontab.guru/every-15-minutes). + +### Using an external scheduler + +An external scheduler relies on using an external mechanism to schedule +the[ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md).exe. + +## Validate the Job + +Validate the job's execution by proceeding as follows: + +1. Deploy the XML configuration to the database, by using + the[ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). +2. In the UI, access the **Job Execution** page from the dashboard's **Administration** section. +3. Find the job named with the string specified in the XML configuration in the job's `DisplayName` + property, and launch it. +4. Once the job is completed, the system's objects should be synchronized to the database's + `UR_Resources` table. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md new file mode 100644 index 0000000000..c12052f525 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md 
@@ -0,0 +1,847 @@ +# Set up SharePoint's Export and Synchronization + +This guide shows how to set up a [SharePoint](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) +connector to extract data from your SharePoint instance into CSV source files that will be fed to +the Synchronization task and to your Identity Manager resource repository. It will focus on +registering Identity Manager within the target SharePoint, configuring the connector, and building +the job to perform a regularly scheduled synchronization. + +## Prerequisites + +### External system configuration + +This step is designed to grant Identity Manager a service account to authenticate with the target +SharePoint sites. It includes the following substeps: + +- Create a service account for Identity Manager in your Microsoft Entra ID (formerly Microsoft Azure + AD). +- Go the SharePoint sites which need to be scanned. +- Log in using the organization credentials. +- Go to the **Members List** in the right corner. +- Click on the **Add members** button. +- Enter the name of the Identity Manager service account or its email address. + +![SharePoint Export Add Member](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp) + +The service account is now a member of the site. However, to scan the site, the service account +needs to be owner of the site. + +- Go to the **Members List** in the right corner. +- Under the name of the Identity Manager service account, click on the arrow. +- Choose **Owner**. + +![SharePoint Export Role Owner](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp) + +### Configuration + +This step sets up the Identity Manager Agent in order to use the SharePoint connector and access the +SharePoint data. 
+ +This guide focuses on the[ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) method. Remember that +settings can also be input through [ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md). + +#### Connect to the SharePoint instance + +In this `Connections` section, add one new subsection that will contain the credentials for the +target SharePoint. + +> This example connects via the `SharePointExportContoso` connection to the Contoso SharePoint site: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the address of the root SharePoint site to scan. +- The **Login** attribute with the login of the service account created. +- The **Password** attribute with the password of the service account created. + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { "Server": +> "https://contoso.sharepoint.com/", "Login": "usercube.service@contoso.com", "Password": +> "19f23f48379d50a9a50b8c" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault +or Cyber Ark in a production environment. +Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +##### Set up export files + +The export generates CSV source files that will be fed to the +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task. 
+ +The target path for these files can be set up using the following settings: + +- `appsetings.agent > Connections > SharePointExportContoso > OutputDir` +- `appsetings.agent > Connections > SharePointExportContoso > FileNamePrefix` + +###### Example + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "SharePointExportContoso": { "Server": "https://contoso.sharepoint.com/", +"Login": "usercube.service@contoso.com", "Password": "19f23f48379d50a9a50b8c" } } } + +```` + + +### SharePoint sites + +Different kinds of SharePoint sites exist. We will describe here the different cases that the integration team might encounter and how to handle them. + +#### Root site with subsites + +A root site has a URL like ```https://contoso.sharepoint.com``` and can have subsites. For example, the subsite ```Finance``` has a URL like ```https://contoso.sharepoint.com/Finance```. Subsites can also have subsites. +To scan the root site and the subsite tree, the root site must be specified in the __Server__ attribute. +Retrieved users can be assigned to/removed from all groups found, but cannot be created. To create a user account, you need to create it in the associated Microsoft Entra ID: it will automatically create a SharePoint user account. + +#### Multiple sites + +A SharePoint can also have other sites which are not subsites of the root site. For example, the site ProjectTeam has a URL like ```https://contoso.sharepoint.com/sites/ProjectTeam```. +These sites can't be scanned from the root site by using the __Server__ attribute. + +To scan these sites, you have to export their URL from SharePoint in a CSV file and use the __CsvUrls__ attribute in the settings. + +###### Example + + ``` + + appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SharePointExportContoso": { + "Server": "https://contoso.sharepoint.com/", + "Login": "usercube.service@contoso.com", + "Password": "19f23f48379d50a9a50b8c" + "CsvUrls": "C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv�URL�," + } + } +} +```` + +In this example, `C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv` is the path of the exported CSV +file, `URL` is the column name of the URLs, and `,` is the separator used in the file. The character +`�` is used to separate the three data items. + +The CSV file containing the URLS can be generated with two methods: + +- Go to `https://contoso-admin.sharepoint.com` of your SharePoint site, in the menu **Sites** > + **Active sites** and click on the **Export** button above the table. +- Use a script with the + [SharePointOnlinePowerShell commands](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps), + specifically + [Get-SPO Site](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/get-sposite?view=sharepoint-ps). + +These sites are not synchronized with the root site. Users present in a site are not necessarily +present in the others. You can only assign users to a SharePoint group, on condition that they are +already members of this site. You can't use the SharePoint connector to make a user a member of this +kind of site. Depending on the system you are working on, you could achieve this by using the +associated Microsoft Entra ID or the system generating these SharePoint sites (for example, +Microsoft Teams can create an associated SharePoint site for each Teams Group). + +## Build the Connector + +### Declare a connector + +To be used for export and fulfill tasks, a connector has to be declared in the applicative +configuration and linked to an Agent. See the +[Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) topic for additional information. 
+ +It is strongly recommended that the applicative configuration be stored in the working directory +`Conf` folder as a set of `xml` files organized by connector. See +the[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md) +topic for additional information. + +- In the `Conf` folder, create a `SharePoint` directory. +- In the `SharePoint` directory, create a `SharePoint Connector.xml` file. + + This file should contain the declaration of the connector and the associated + [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +- Use the [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)element to + declare the connector with the following attributes: + + - **Identifier** identifies this connector in the applicative configuration. See the + [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) topic for additional information. + It is strongly recommended to use a meaningful name such as `SharePoint`. If several + connections to several SharePoint targets are possible, only one SharePoint Connector per + Agent is used. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that runs this connector's export task. The Agent's + identifier can be found in the agent's + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + configuration set > OpenId > AgentIdentifier setting attribute. + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `SharePoint` connector on the `Local` agent: +> +> ``` +> +> Conf/SharePoint/SharePoint Connector.xml +> +> ... +> +> ... 
+> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the resource repository must be aligned with the +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). See +the[ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md)topic +for additional information. + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure +of the SharePoint data relevant for Identity Manager. It is designed by analyzing the SharePoint +data structure, and describing said data with [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md)and +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) that best serves the +[ Assignment Policy ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md)needs. It will be refined +iteratively throughout the project phase. + +A good starting point for the Entity Model is to mirror the shape of the exported SharePoint +objects. This guide provides a few examples that can serve this purpose. + +#### Write the entity model + +The [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) for the SharePoint connector is written in the +applicative configuration. See the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) topic +for additional information. It is strongly recommended to write the connector to the newly created +`Conf/SharePoint/SharePoint Connector.xml` file. 
+ +#### Write entity types + +Declaring an [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) is achieved with the `` tag +and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. It is strongly + recommended to prefix this name with the connector's name. An example for SharePoint is + `SharePoint_directoryObject`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this + [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md)for the end-user. **DisplayName_L1** is the name of + the entity type in _language number one_. If this language is _English_, a good example of value + is `SharePoint - Object`. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... ... + +```` + + +The SharePoint object attributes are modeled by [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md), with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of properties: scalar and navigation. Scalar properties can be defined to represent scalar attributes such as ```city```, ```country``` or ```companyName```. represent associations such as group memberships. See the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +The main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of the property. A scalar property type is chosen among ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, and ```Option```. 
The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See more details about Target Column Index. See the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml +... + ... + +```` + +In this example, we have created four entity types, each one corresponding to a notion in +SharePoint. + +#### Write entity associations + +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) types are associated through their navigation +properties with +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + +... + +```` + + +The exact nature of the IDs are described by the associated [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type is followed by ```:``` and the name of an entity property. It is a [ +Binding +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) describing in one expression, the target entity type and property. + +### Create mapping + +The entity type must be mapped property by property to the exported attributes of SharePoint objects (namely, the columns of the CSV source files generated by the export). 
+ +The [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), and [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) elements serve this purpose. + +#### Entity type mapping + +The [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element maps the scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the ```ConnectionTable``` xml attribute. The target entity type name is written to the ```Identifier``` xml attribute. + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + ... + +```` + +To do so, the entity type mapping element uses the +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ... + +```` + + +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source file data. 
+ +#### Entity association mapping + +The [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element maps the navigation properties used in [ +Entity Association +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +An [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element refers to an [ +Entity Association +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md)written to the ```Identifier``` xml attribute. Then, like [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), it maps column values from a CSV source file to an EntityType property. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + +```` + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Nav + +A [ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to +include a link to the resources list in the left menu on the UI home screen. + +#### Parent menu item + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +##### Example + + ``` + + Conf/Nav.xml + +... + +... + +```` + + +#### Child menu item + +It is strongly recommended to use a new ```SharePoint Nav.xml``` file in the ```SharePoint``` connector's folder to add the SharePoint objects menu item. 
+ +##### Example + + ``` + + Conf/SharePoint/SharePoint Nav.xml +... +... + +```` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Nav.xml` file. This new menu item gives access to the list of synchronized SharePoint entities. + +### Display + +It is strongly recommended that the display configuration be written to a new `SharePoint UI.xml` +file in the `SharePoint` connector's folder. + +#### Display entity type + +The +[Display Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml + +... + + + + + + + + + + + +... + +```` + + +The scalar properties require no configuration: they are automatically displayed. The only information that the [Display Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +[Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements describe how a list of resources should be displayed. + +The [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) contains a list of display table column elements that identify which properties should be included in the list display. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml +... + ... + +```` + +#### Internal display name + +An `InternalDisplayName` can also be declared as an [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). 
+The `InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + ... + +```` + + +This example adds the ```InternalDisplayName``` to the ```SharePoint_Entity```, ```SharePoint_Role```, ```SharePoint_Object``` and ```SharePoint_RoleAssignment``` entity types to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. + +The [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) elements define [ +AccessControlPermission +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```SharePoint Profile Administrator.xml``` file. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Profile Administrator.xml +... + ... + +```` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display `SharePoint_Entity` resource and role categories from the +UI. 
+ +## Jobs + +### Construction + +It is strongly recommended to write Jobs associated with the `SharePoint` connector to the +`Conf/SharePoint/SharePoint Jobs.xml` file. + +A job is declared with the `` xml element. It contains Tasks that perform the main steps and +other related operations. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml + +... + +... ... + +```` + + +Notice the __Agent__ attribute that contains the name of the Agent which executes the Job. This attribute is mandatory for a Job containing Tasks executed agent-side, even if a unique local Agent exists. See the [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional information. + +### Components + +The[ +Upward Data Synchronization +](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)job includes three steps: + +- Export +- Prepare-Synchro +- Synchro + +These three steps are all contained in a which allows the generation of the Incremental Synchronization configuration. See the [Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) topic for additional information. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml +... + ... + +```` + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files +over to the Server. These operations are protected by an authorization mechanism. 
+ +To complete a Job, the Agent, via +the[ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) uses: + +- a [ Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) associated with + the Job itself, to read/write: + - `UJ_Jobs` and `UJ_Tasks` tables in a list of tasks + - `UJ_JobInstances` tables in the progress report +- a Profile for each Task, to read/write `UJ_TaskInstances` tables (Progress Report) and perform + other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an +[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect +ClientId/Secret pair, linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + + ``` + + Conf/Profile AgentJob.xml + +... ... + +```` + + +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube)strongly recommends that you create a[ +Profile +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) to be used during the Synchronization jobs which will be different from the one used during the Provisioning job. This contributes to separating access rights. +The same principle applied even more rigorously would make Identity Manager create one profile per Task. It isn't necessary as most Synchronization tasks require the same permissions. 
+ +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the[ +Usercube-Invoke-Job +](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool, the profile linked to these tasks and used by the tool should be authorized to execute said tasks. + +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +__View Tasks__ + +- ```/Jobs/Task/Query``` + +__Progress Report__ + +- ```/Jobs/JobInstance/Query``` +- ```/Jobs/JobInstance/Update``` +- ```/Jobs/TaskInstance/Query``` +- ```/Jobs/TaskInstance/Update``` + +__Synchronization and Prepare-Synchronization__ + +- ```/Connectors/Connector/Query``` +- ```/Connectors/SynchronizeSession``` + +Granting access can be done via the [ +Synchronization Access Control Rules +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) and the [ +Job View Access Control Rules +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +The following examples should be written to ```Conf/Profile AgentSychro.xml```. + +##### Example + +The following example entitles the administrator to run any Synchronization job: + + ``` + +```` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via +the[ Job Execution Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +scaffolding. 
+ +##### Example + + ``` + +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's a[ +Profile +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md)is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the[ +OpenIdClient +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) xml element. + +It is strongly recommended to write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the[ +Usercube-New-OpenIDSecret +](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md)tool. + + ``` + + Conf/OpenIdClients.xml +... + +... + +```` + + ``` + + Conf/OpenIdClients.xml + +... + +... + +```` + + +#### Set up the Agent to use ClientId/Secret pairs + +The ```ClientId/Secret``` pairs that the Agent may use are written to the Agent's [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration set. + +The ```ClientId``` of such ```ClientId/Secret``` pairs can then be used as a value in a Task __OpenIdClient__ attribute. + +Pairs written in the ```OpenIdClient``` section may be used by Tasks. + +The Job itself uses the ```DefaultOpenIdClient``` value. 
+ +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external scheduler. + +#### With Scheduler + +Use the Job [ +Job +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) attribute. + +> This example uses Identity Manager's scheduler to execute the ```SharePoint_Synchronization_Delta``` job every fifteen minutes: +> +> ``` +> +> Conf/SharePoint/SharePoint Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the [crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the[ +Usercube-Invoke-Job +](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. + +##### Example + +The following command can be scheduled. It executes the ```SharePoint_Synchronization_Delta``` job using the "Job/Secret" authentication pair to connect to the Identity Manager Server at ```http://usercube.contoso.com```. + + ``` + +./identitymanager-Invoke-Job.exe -j "SharePoint_Synchronization_Delta" --api-secret secret --api-client-id Job --api-url "http://usercube.contoso.com" + +```` + +## Validation + +### Deploy configuration + +The configuration is written to the database using the +[ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. + +From there, it can be launched and debugged (if needed). 
+ +After execution, SharePoint Objects resources should be in the `UR_Resources` table of the SQL +Server database. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md new file mode 100644 index 0000000000..d0e130f9cf --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md 
@@ -0,0 +1,336 @@ +# Write a PowerShell Script for Provisioning + +This guide shows how to write a PowerShell script used by the +[ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) connector. + +## Structure of a PowerShell Script + +The goal of the script is to append, for each provisioning order, a line in a CSV file. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +insert;007;James;Bond +... + +``` + +### Define the common part of every script + +The goal of the common part is to get all required variables needed by the script. + +Two parameters are required at the top of the script: + +``` + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +``` + +- `resultsFilePath` is the agent-side path of the result file containing the summary of the executed + and errored orders. +- `ordersPath` is the agent-side folder path containing the JSON provisioning orders. + +It is important for these settings to be defined at the top of the script and keep these names +because they are filled by the `Fulfill-PowerShell` connector. + +The `Fulfill-CSV.ps1` script must be placed in the script folder of Identity Manager containing the +`Environment.ps1` script. Thanks to this, environment variables (such as `$runtimePath`) are loaded +and can be used in the script: + +``` + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. (Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +``` + +### Define the specific function + +A function which is called for each provisioning order must be defined. + +#### Define the header + +The header is always the same. 
Only the name of the function can change: + +``` + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + +``` + +The previous parameter `$order` is an object corresponding to the following provisioning order +(JSON): + +``` + +{ + "ProvisioningOrdersList": [ + { + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "PowerShellCsv_User" + }, + "Identifier": "PowerShellCsv_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } + } + ] +} +``` + +There can be more sections and attributes. + +#### Define mandatory parameters + +The `ChangeType` parameter (`Added`, `Deleted` or `Modified`) is always mandatory and must be +checked. + +Depending on the function requirements, other parameters should be checked. For example, the +function below always needs an identifier to work properly, therefore you should check its presence. + +``` + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." 
+ } + } + +``` + +#### Define order processing + +This is the last part of the function: + +- Parameters from the provisioning order are stored in variables. +- A specific treatment is applied if `ChangeType` is `Added`, `Deleted` or `Modified`. + +``` + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +``` + +Define how to send logs to Identity Manager + +The three methods to log in Identity Manager are: + +- **Write-Host**: writes Information in the log. +- **Throw**: raises an exception (which stops the script), and writes the Error in the log (the + provisioning order will be errored too). +- **Write-Error**: writes Error in the log (the provisioning order will be errored too). It is not + recommended because the script continues its execution. + +Now that the function has been defined, the main code of the script can be written. + +### Write the main code of the script + +Read the options parameter from the standard input + +The [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) isn't mandatory in the +JSON file. If it isn't provided, don't perform this step. 
+ +``` + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +``` + +Rest of the main script + +In general, this part contains the code to connect to the external system and executes the +`Usercube-Visit-Orders` script. + +``` + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` + +Never modify `Usercube-Visit-Orders.ps1`. + +## Synthesis + +### Skeleton + +To sum up the previous part, the script can be written as follows: + +``` + +# Common part + +# Specific function + # Header of the function + # Check mandatory parameters + # Order processing (treatment for Added, Deleted or Modified) + +# Main script + # Read standard input (Optional) + # Rest of the main script (Connection, Usercube-Visit-Order...) + +``` + +### Full script + +The full script is as follows: + +``` + +# Common part + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. 
(Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +# Specific function + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." + } + } + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +# Main script + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# 
Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md new file mode 100644 index 0000000000..1a9ad12092 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md 
@@ -0,0 +1,513 @@ +# Write a Robot Framework Script + +This guide shows how to write a Robot Framework script that will be used by +[ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md). + +## Structure of a Robot Framework Script + +### Build the skeleton + +A Robot Framework script is divided into four main parts: + +1. **Settings**: contains the instructions to import library or external resource files. +2. **Variables**: contains the global variables shared by all the functions in the script. +3. **Keywords**: contains all the functions defined by the user. +4. **Test Cases**: contains the functions which will be run when the script is launched. + +#### Example + +``` + +*** Settings *** +Library Telnet + +*** Variables *** +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + +``` + +Let's analyze the four parts of this example: + +- **Settings**: we import here the Telnet library to use the functions defined in it. +- **Variables**: we define the variable `IPADDRESS` to use it later. +- **Keywords**: we define a custom function called `Open Telnet Connection`. It will use a function + defined in the Telnet library (called `Open Connection`) and the variable `IPADDRESS` which has + been defined before in the `Variables` section. +- **Test Cases**: we define here the main function which we choose to call `Run Provisioning` (it + can be named anything), and which will be run when launching the script. It will use the function + `Open Telnet Connection`. + +Robot Framework needs two spaces between two different instructions to parse them correctly. +For example, `Open Connection` consists of only one instruction. Only one space is thus needed +between the two words. 
But, `Open Connection ${IPADDRESS}` consists of two instructions, the +function and the parameter. Two spaces are then required to separate `Connection` from +`${IPADDRESS}`. +To read your script more easily, you could also use the pipe character (`|`) between instructions, +like this: `Open Connection | ${IPADDRESS}`. + +See the [Robot Framework Libraries](https://robotframework.org/#robot-framework-libraries) for +additional information. + +### Define specific functions + +To use a Robot Framework script for provisioning external systems with Identity Manager, the +following elements are required in the script: + +- The import of a resource file written by Identity Manager called + `UsercubeRobotFramework.resource`. +- The definition of three functions which will be called by Identity Manager to perform three + required actions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`. These functions are where you + will write the actions to perform on the external system. +- The use of one function to start the provisioning called `Launch Provisioning`. + +Never modify the resource file `UsercubeRobotFramework.resource`. + +#### Example + +The resource file defined at the beginning of the script is located in Identity Manager's `Runtime` +folder. Therefore, you will have to change the path accordingly. + +``` + +*** Settings *** +Resource C:/UsercubeContoso/Runtime/UsercubeRobotFramework.resource + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + ... + +ExecuteDelete + [Arguments] ${order} + ... + +ExecuteModify + [Arguments] ${order} + ... + +... + +*** Test Cases *** +Run Provisioning + ... + Launch Provisioning + ... + +``` + +The parameter `${order}` is mandatory only for the three functions: `ExecuteAdd`, `ExecuteDelete` +and `ExecuteModify`. 
It is an object corresponding to the following sample provisioning order +(JSON): + +``` + +{ + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "RobotFramework_User" + }, + "Identifier": "RobotFramework_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } +} +``` + +The elements of `${order}`can be accessed like this: `${order['Changes']['identifier']}`. + +See the +[Robot Framework User Guide](https://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html) +for additional information. + +## Keywords + +| Keyword | Details | +| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ------- | +| Catch Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args` if the keyword launched by `Try Keyword` failed. 
If `Try Keyword` was not called, this keyword will not do anything. `Catch Keyword` should always be called right after `Try Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | +| Generate Password | **Description** Generates a password based on the [ Password Reset Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) associated to the [Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) being provisioned `Send Password Notification` should always be called after `Generate Password`, preferably right after the password is used. If `Send Password Notification` is not called before the provisioning of the resource is over, it will automatically be called. If multiple passwords should be generated, `Send Password Notification` should be called after each password generation. **Returns** `Password`: string | +| Get Secure Data | **Arguments** `Attribute`: string `Erase Data`: boolean **Description** Retrieves the secured option `Attribute` from the connector configuration. If `Erase Data` is set to true, the secured option is deleted once it is read. **Example** Get Login option and erase it: ```Get Secure Data | Login | True``` | +| Launch Provisioning | **Description** Launches the provisioning defined by the provisioning orders. This keyword is required for any provisioning to happen. | +| Log Debug | **Arguments** `Message`: string **Description** Logs `Message` at the `Debug` log level. **Example** Log a keyword failure message: `Log Debug The keyword has failed` | +| Log Error | **Arguments** `Message`: string **Description** Logs `Message` at the `Error` log level. 
**Example** Log a keyword failure message: `Log Error The keyword has failed` | +| Send Password Notification | **Description** Sends a notification containing the last password generated. If `Generate Password` is called and `Send Password Notification` is not called before the provisioning of the resource is over, `Send Password Notification` will automatically be called. | +| Try Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args`, and ignores its errors. If `Keyword` fails, the keyword sent to `Catch Keyword` will run. `Try Keyword` should always be called right before `Catch Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | + +## Error handling + +Consider a web application that contains user information. Suppose a user is missing from the web +application. When the script attempts to reach the user's information page, it will reach an error +page, and fail. The next user's provisioning starts, but the web browser is still on the error page, +so the script keeps failing. + +In this example, if a user's provisioning fails, each subsequent provisioning will fail. This +failure issue can be solved with the error handling custom keywords. + +Consider the following example using the Robot Framework Selenium library: + +``` + +Open Usercube Website + Open Browser + Connect To Usercube + [Teardown] Close Browser + +Restart Browser + [Arguments] ${url} + Log Debug An error has occured, restarting the browser + Close Browser + Open Browser ${url} + +Connect To Usercube + Try Keyword Go To Usercube.com + Catch Keyword Restart Browser Usercube.com + Page Should Contain Usercube + +``` + +In this example, the keyword `Open Usercube Website` opens a browser, then calls +`Connect To Usercube`. 
To ensure that the browser is closed regardless of the script's success, the +`Close Browser` keyword is used in a teardown. A keyword in a teardown is always executed regardless +of what happens in the script or in the teardown. + +The `Restart Browser` keyword logs a debug message before restarting the browser to help debug the +script. The `Connect To Usercube` tries to use the `Go To` keyword to connect to the `Usercube.com` +web page. As `Go To` is used with `Try Keyword`, if the execution fails, `Restart Browser` is called +by `Catch Keyword`. This means that if the browser fails to load `Usercube.com`, the browser +restarts. Last, `Connect To Usercube` verifies that the page contains the word `Usercube`. + +### Error Handling for ExecuteAdd, ExecuteDelete, and ExecuteModify + +The `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` methods are harder to interact with. First, +it is not possible to get their execution status within the script. Second, if the execution failed, +it should be kept as a failure in order to log the failure. + +To simplify error handling, consider the following structure: + +``` + +Execute Add + [Arguments] ${order} + Try Keyword Add User ${order} + Catch Keyword Restart Program And Fail Add User failed. + +Add User + [Arguments] ${order} + Click New User + Fill In Information ${order} + Click Add User + +Restart Program And Fail + [Arguments] ${failmessage} + Close Program + Start Program + Fail ${failmessage} + +``` + +In this example, `ExecuteAdd` does not call the custom keywords to add a new user directly, and only +calls `Add User` instead. This means that it is possible to call `Add User` from the `Try Keyword` +keyword. If `Add User` fails, then `Execute Add` fails. Therefore it is possible to catch a failure +with this structure. + +Note that `Restart Program And Fail` fails. This failure is necessary as the provisioning order +would be counted as a success otherwise. 
+ +## Testing a RobotFramework script + +In order to write a RobotFramework script, we need to test that it works. It is possible to test the +script by running a fulfillment job from the Identity Manager interface. While this kind of test +proves that everything works as expected, it can take a long time. There is a faster method to check +that the script runs. + +Suppose the RobotFramework script's path is `RobotFramework/script.robot`. + +We need the following elements : + +- A provisioning order, in folder `RobotFrameworkScript/Order`. The provisioning order can be + encrypted or unencrypted. The script will write the encrypted results to + `RobotFrameworkScript/Order/results.csv`. +- The path to the `Runtime` folder. In our example, we will consider this path as + `C:/UsercubeDemo/Runtime`. + +The `RobotFramework/script.robot` script may be run from the command prompt. + +``` +cd RobotFramework + +robot --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/UsercubeDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +This command will generate an output file, a log file, and a report file in the `RobotFramework` +folder. This command will also write information to the command prompt. + +For most testing cases, we only care about the command prompt information and the log file, written +at `RobotFramework/log.html`. The other outputs can be removed. + +``` +cd RobotFramework + +robot --loglevel NONE --report NONE --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/UsercubeDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +### `Get Secure Data` and `Generate Password` + +Most keywords are not different when a script is launched manually. The keywords `Get Secure Data` +and `Generate Password` are exceptions. + +- `Get Secure Data`: This keyword expects the Robot Framework process to receive a json list of + attributes in the stdin stream. 
This can be provided manually by writing the data in the command + prompt. As an example, if the script requires a `Login` and `Password` attribute : + `{"Login":"login","Password":"password"}` +- `Generate Password`: This keyword expects a file that contains the + [ Password Reset Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) + associated to the provisioned + [Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). + The easiest way to enable the `Generate Password` keyword is as follow: + - Launch the Robot Framework fulfillment through the Identity Manager web application with a + blank script. + - Copy the `PasswordResetSettings` folder generated in the most recent subfolder of + `Work/FulfillRobotFramework`. + - Paste the folder in the same folder as the provisioning order. + +## Use Case: Write a Script to Fulfill a CSV File + +The goal of the script is to append, for each provisioning order, a line in a CSV file located on an +external system which we will access through a Telnet connection. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +Insert;007;James;Bond +... + +``` + +### Define settings + +In every Robot Framework script, we need to import the resource file +`UsercubeRobotFramework.resource`. In this example, we also need to import the Telnet library to use +its functions. + +``` + +*** Settings *** +Resource C:/UsercubeContoso/Runtime/UsercubeRobotFramework.resource +Library Telnet + +``` + +### Define variables + +To connect to the external system through Telnet, we need an IP address corresponding to the +external system. We will store the IP address in the global variable `${IPADDRESS}`. 
We also use the +global variable `${CSVFILEPATH}` to define the CSV file where the data will be written in the +external system. + +``` + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +``` + +### Define custom keywords + +We define all the custom functions which we will use to provision the external system: + +- `Delete CSV File`: removes a possible pre-existing CSV file. +- `Write In CSV`: executes a command to write the line in the CSV file in the external system. +- `Write Data`: formats the line to write in the CSV and calls `Write In CSV` to write it. +- `Write Header`: defines the header to write in the CSV and calls `Write Data` to write it. +- `Open Telnet Connection`: opens the Telnet connection to the external system using the login and + the password defined in the + [ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) attribute in + `appsettings.agent.json`, as well as the IP address defined in the `Variables` section. + +``` + +*** Keywords *** +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +``` + +The method `Get Secure Data` will retrieve the value of the attributes filled in the +[ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) in +`appsettings.agent.json`. 
This is the method strongly recommended by Identity Manager. However, you +could also enter the value directly into the script (example: `${LOGIN}= UserName`). This may be +easier for initial testing purposes. + +### Define mandatory keywords + +To be able to provision the external system, we need the three required functions: `ExecuteAdd`, +`ExecuteDelete` and `ExecuteModify`. These methods are called by the connector depending on the +action to perform on the external system. + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +``` + +Here, for each action, we use the function `Write Data` defined in the previous section to write the +changes to the CSV file with a corresponding word `Insert`, `Delete` or `Update`. + +### Define test cases + +The function launched by the Robot Framework script will be written in the section `Test Cases` and +will be called `Run Provisioning`. + +``` + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` + +In our test case, we will perform the following operations in `Run Provisioning`: + +- Open the Telnet connection with the external system. +- Remove a possible pre-existing CSV file. +- Write the header to the new CSV file. +- Launch the Identity Manager provisioning. The method `Launch Provisioning` is mandatory when using + the Robot Framework connector. +- Close the Telnet connection with the external system. 
+ +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/UsercubeContoso/Runtime/UsercubeRobotFramework.resource +Library Telnet + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md new file mode 100644 index 0000000000..2137e165a2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md 
@@ -0,0 +1,6 @@ +# Write a PowerShell Script for Synchronization + +This guide shows how to write a PowerShell script used by the +[ PowerShellSync ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md) connector. + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md new file mode 100644 index 0000000000..1c4d3c6a0d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md 
@@ -0,0 +1,172 @@ +# Connectors + +Connectors are Identity Manager's links to the managed systems, the technical representation of the +entity model. A connector is used to export data as CSV source files for Identity Manager's +synchronization process and to fulfill entitlement assignments to a given managed system. See the +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md), and +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topics for additional +information. + +## Overview + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. The feedback mechanism ensures Identity Manager's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Identity Manager and a managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of one connector for +each application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager, +> either manually for administration accounts, or automatically for basic accounts. +> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. 
+ +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity +Manager will feed data into connected managed systems. + +![Outbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Identity Manager and the managed system are also called: + +- Synchronization in the managed system-to-Identity Manager direction +- Provisioning in the Identity Manager-to-managed system direction + +For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of +the system's data in the form of CSV files. These files are cleaned and loaded into Identity +Manager. In other words, synchronizing means taking a snapshot of the managed system's data and +loading into Identity Manager. + +For provisioning, Identity Manager generates provisioning orders and the connector provides tools to +either automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Identity Manager's identity repository to fill in later the +> AD's fields, such as users' display names based on their first names and last names from the +> repository. See the +> [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> topic for additional information. + +Identity Manager can also benefit from inbound connectors, that will write data to Identity +Manager's central identity repository. While both inbound and outbound connectors allow data to flow +both ways, they do not work in the same manner. See the +[ Create an HR Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/hr-connector-creation/index.md) topic for +additional information. 
+ +### Technical principles + +Identity Manager's connectors all operate on the same basic principles. Technically speaking: + +> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD: + +- A connector must be created, first as a named container which will include the connections and + entity types related to one managed system; See the + [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) topic for additional + information. + + > We create a connector named `AD` (so far, an empty shell). + +- A connector is linked to an agent which acts as the go-between for Identity Manager's server and + the managed system; See the [ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md) topic + for additional information. + + > Our `AD` connector uses the provided SaaS agent. + +- A connection describes the technology used that enables data to flow back and forth between + Identity Manager and the managed system; See the + [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for additional + information. + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/Usercube` to perform manual + > provisioning through Identity Manager. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). 
+ +- The shape of the extracted managed system's data is modeled by entity types (we will use the term + resource to refer to an entity type that has been instantiated); See the + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) topic for additional + information. + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. + +- The intent of resources within the managed system is made clear by categorizing resources into + resource types. See the + [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) and + [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topics for additional + information. + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Identity Manager to provision automatically; + > `AD User (administration)` for sensitive administration accounts, which we want to provision + > manually through Identity Manager. + +![Connector Technical Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents** — To simplify things, Identity Managerhas made it possible to start +configuring connectors without installing a local agent in your organization's network. 
Instead, you +can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent). See the +[ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md) topic for additional information. + +## Configure a Connector + +Netwrix Identity Manager (formerly Usercube)recommends creating and configuring a connector via the +UI. See the [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) topic +for additional information. + +## Supported Systems + +| Connector | Description | Synchronization | Provisioning | +| ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------------ | +| Active Directory | Exports and fulfills data from/to an Active Directory instance. See the [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) topic for additional information. | √ | √ | +| Azure | Exports Azure resources, role definitions and role assignments. See the [ Azure ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) topic for additional information. | √ | X | +| Microsoft Entra ID (formerly Microsoft Azure AD) | Exports and fulfills data from/to a Microsoft Entra ID instance. 
See the Microsoft Entra ID, [For Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md), and [ For Microsoft Entra ID ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md) topics for additional information. | √ | X | +| CSV | Exports data from a CSV file. See the [ CSV ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) topic for additional information. | √ | X | +| EasyVista | Exports data from an EasyVista-compliant system. See the [ EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) topic for additional information. | √ | √ | +| EasyVista Ticket | Creates tickets in an EasyVista instance. See the [ EasyVista Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) and [ Write a Template for a Ticket Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md) topics for additional information. | X | √ | +| Google Workspace | Exports and fulfills users and groups from/to a Google Workspace instance. See the [ Google Workspace ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) topic for additional information. | √ | √ | +| Home Folder | Export home folders from input directories. See the [ Home Folder ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) topic for additional information. | √ | X | +| InternalResources | Opens manual provisioning tickets in Identity Manager. 
See the [Internal Resources](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) topic for additional information. | X | √ | +| InternalWorkflow | Retrieves provisioning order files from a connector or a resource type list, and starts a workflow accordingly. See the [InternalWorkflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) topic for additional information. | X | √ | +| Json | Generates JSON files for each provisioning order. See the [JSON](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/json/index.md) topic for additional information. | X | √ | +| LDAP | Exports and fulfills data from/to an LDAP-compliant system. See the [ LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) topic for additional information. | √ | √ | +| LDIF | Generates CSV source files from an LDIF file. See the [LDIF](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) topic for additional information. | √ | X | +| Microsoft Excel | Exports data from an XLSX file. See the [ Microsoft Excel ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) topic for additional information. | √ | X | +| Microsoft Exchange | Exports data from a Microsoft Exchange instance. See the [ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) topic for additional information. | √ | √ | +| OData | Exports entities from an OData instance. See the [ OData ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) topic for additional information. | √ | X | +| OpenLDAP | Exports and fulfills from/to an OpenLDAP directory. 
See the [ OpenLDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) topic for additional information. | √ | √ | +| PowerShell | Executes PowerShell scripts to generate CSV source files from otherwise unsupported sources. See the [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md), [ Write a PowerShell Script for Provisioning ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md), and [ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) topics for additional information. | X | √ | +| RACF | Exports data from a RACF file. See the [ RACF ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) topic for additional information. | √ | X | +| Robot Framework | Executes Robot Framework scripts to fulfill data to external systems. See the [ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md), [ Write a Robot Framework Script ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md), [Interact with a Web Page via Robot Framework](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md), and [Interact with a GUI Application via Robot Framework](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md) topics for additional information. | X | √ | +| SAP | Exports and fulfills data from/to an SAP system. 
See the [ SAP Netweaver ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md) topic for additional information. | √ | X | +| SAP ERP 6.0 | Exports and fulfills data from/to an SAP ERP 6.0 system. See the [SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) topics for additional information. | √ | √ | +| SCIM | Exports and fulfills data from/to a SCIM-compliant web application. See the [SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md), [ Export CyberArk Data via SCIM ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md) and [ Provision Salesforce Users' Profiles via SCIM ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md) topics for additional information. | √ | √ | +| ServiceNow Entity Management | Manages ServiceNow entities. See the [ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) topic for additional information. | √ | √ | +| ServiceNow Ticket | Creates tickets in ServiceNow. See the [ ServiceNowTicket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) topic for additional information. | X | √ | +| SharedFolder | Scans a Windows file directory and exports a list of folders, files, users and their associated permissions. See the [ SharedFolders ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) topic for additional information. | √ | X | +| SharePoint | Exports a SharePoint's list of objects, users, groups, roles and their relationships. 
See the [SharePoint](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) and [Set up SharePoint's Export and Synchronization](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md)topics for additional information. | √ | √ | +| SQL | Exports data from various Database Management Systems. See the [ Sql ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) topic for additional information. | √ | X | +| SQL Server Entitlements | Exports server and database principals from Microsoft SQL Server. See the [ Sql Server Entitlements ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) topic for additional information. | √ | X | +| Top Secret | Exports the Top Secret (TSS) users and profiles. See the [ Top Secret ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) topic for additional information. | √ | X | +| Workday | Exports data from a Workday instance. See the [ Workday ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) topic for additional information. | √ | X | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md new file mode 100644 index 0000000000..0c8bf27b85 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md 
@@ -0,0 +1,405 @@ +# Active Directory + +This connector exports and fulfills users and groups from/to an +[Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services) +instance. + +This page is about Directory/Active Directory. See the [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) topic for +additional information. + +![Package: Directory/Active Directory](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp) + +## Overview + +Active Directory is a directory service developed by Microsoft for Windows domain networks. The +Active Directory connector exports Active Directory (AD) entries to Identity Manager's resource +repository. This connector also enables automated provisioning from the resource repository to the +AD. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation; See the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information. +- Opening the LDAP feed from Identity Manager's server to the Active Directory, with the ports 389 + for LDAP and 636 for LDAPS. +- A service account with reading and writing permissions on the target Active Directory instance. It + means that the Replicating Directory Changes rights are required for the service account, but also + for the Active Directory root and the AD children. See the instructions below for additional + information. +- An SSL connection which is mandatory for the AD connector to initialize and change a password. +- Enabling rights inheritance in the **Advanced Security Settings**. 
+ +### Enable Active Directory Permissions + +To enable permissions, the Active Directory administrator must do the following: + +**Step 1 –** Check the **View** details in the Active Directory and Computers. + +![Enable Permissions - Step 1](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp) + +**Step 2 –** Open the **Advanced Security Settings** dialog box for the domain root. + +![Enable Permissions - Step 2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp) + +**Step 3 –** Select the **Replicating Directory Changes** check box from the list. + +![Enable Permissions - Step 3](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp) + +**Step 4 –** To change groups' membership, in the Applies field, select Descendent Group object and +select the **Read Members** and **Write Members** check boxes from the list. + +![Read/Write Members](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp) + +**Step 5 –** To Reset Password capabilities, in the Applies field, select Descendent User object and +select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list. + +![Read/Write Lockout Times](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp) + +Administrator rights must not be granted to the service account. Doing otherwise would create a +security breach. Administrator rights must only be granted to the target perimeter. 
+ +## Export + +For a configured set of Active Directory entries, this connector exports all attributes from the +connector's configuration to CSV files. + +The export is executed by a job from the UI, or via Identity Manager-Export-ActiveDirectory.exe in +the command prompt. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > Connections section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json + { + ... + "Connections": { + ... + "\": { + ... + } + } + } +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `\<`, `\>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures a connection to the Active Directory Domain Controller +> contoso.server.com using Basic Authentication with **BaseDN**, **Login**, **Password** with +> EnableSSL for all entries ( "Filter": "(objectclass=\*)"): +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... 
+>                     "Connections": { +>                     "ADExport": { +>                     "Filter": "(objectclass=*)", +>                     "Servers": [ +>                     { +>                     "Server": "contoso.server.com", +>                     "BaseDN": "DC=contoso,DC=com" +>                     } +>                     ], +>                     "AuthType": "Basic", +>                     "AsAdLds": false, +>                     "EnableSSL": true, +>                     "Login": "Contoso", +>                     "NoSigning": false, +>                     "Password": "ContOso$123456789", +>                     "RetryDelay": 10 +>                     } +>                     } +>                 } +> ``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. | +| AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It is used for extracting the schema through the connection screen. | +| EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. recommended when using AuthType set to Basic because basic authentication packets are not encrypted by default. SSL is not available on Linux. | +| NoSigning optional | Boolean | True to disable Kerberos encryption. | +| AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. 
Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | String | Login used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. | +| Password optional | String | Password used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. | +| Filter required | String | Value that filters out the corresponding entries from the AD instance which will not be exported. Only non-filtered entries are exported. The filter value complies with Microsoft's [search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| RetryDelay optional | Int32 | Time (in milliseconds) after which Identity Manager retries a timeout request. | +| RequestTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. | +| ConnectionTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. | + +### Output details + +This connector is meant to generate: + +- A file named `\`\_entries.csv, with one column for each property having a + ConnectionColumn and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + +- An additional file for each related table other than entries; +- A cookie file named \\_cookie.bin, containing the time of the last export + in order to perform incremental exports. 
+ + **NOTE:** Most exports can be run in complete mode, where the CSV files will contain all + entries, or in incremental mode, where CSV files will contain only the entries which have been + modified since the last synchronization. + + A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) + can use the option --ignore-cookies. + +The CSV files are stored in the ExportOutput folder, and the cookie file in the ExportCookies +folder. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +For example, with the following configuration example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + +``` + +We would have `C:/UsercubeContoso/Temp/ExportOutput/ADExport_entries.csv` with a column for each +scalar property. See the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +ADExport_entries.csv + command,dn,objectCategory,objectGuid,objectSid,pwdLastSet,thumbnailPhoto,parentdn + ... +``` + +Also, ADExport_member as ConnectionTable in a mapping will trigger the generation of the file +`C:/UsercubeContoso/Temp/ExportOutput/ADExport_member.csv` with member as link attribute: + +``` +ADExport_member.csv + command,dn,member + ... +``` + +And `C:/UsercubeContoso/Work/ExportCookies/ADExport_cookie.bin` + +### Synchronize multiple forests + +This connector can export resources from multiple forests trusted by the same AD domain. + +It requires specifying the **Server** and **BaseDN** pairs in **Servers** for all the forests used +as source for the export. 
+ +Each **BaseDN** will generate a cookie file, but the entries from all **BaseDN** properties will be +written to the same CSV file. + +> The following example exports data from two sources: both on the same **Server** +> (contoso.server.com), but on two different **BaseDN**s (DC=contoso,DC=com and +> DC=defense,DC=contoso,DC=com). +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... +>                     "Connections": { +>                     "ADExport": { +>                     "Servers": [ +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     }, +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     } +>                     ], +>                     "AuthType": "", +>                     "Login": "", +>                     "Password": "", +>                     "Filter": "<(objectclass=*)>", +>                     "EnableSSL": "" +>                     } +>                     } +>                 } +> ``` +> +> The export creates two cookie files: ADExport_cookie_0.bin for the first **BaseDN**, and +> ADExport_cookie_1.bin for the second **BaseDN**, but the entries of both **BaseDN** properties +> will be written in ADExport_entries.csv. + +## Fulfill + +This connector writes to the Active Directory, to create, update and delete entries, initiated +manually through the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example connects to an AD LDS system located at contoso.server.com. 
+> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... +>                     "Connections": { +>                     ... +>                     "ADFulfillment": { +>                     "Servers": [ +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     } +>                     ], +>                     "AuthType": "Basic", +>                     "AsAdLds": "true", +>                     "EnableSSL": true, +>                     "Login": "", +>                     "NoSigning": false, +>                     "Password": "", +>                     } +>                     } +>                 } +> ``` + +#### Setting attributes + +| Name | Type | DescriptionDetails | +| --------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. | +| AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It isInfo: used for extracting the schema through the connection screen. | +| EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. **NOTE:** recommended when using AuthType set to Basic because basic authentication packets are not encrypted by default. SSL is not available on Linux. | +| NoSigning optional | Boolean | True to disable Kerberos encryption. 
| +| AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | String | Login used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. | +| Password optional | String | Password used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state disabled, corresponding to the useraccountcontrol +value 514. When it is approved, its disabled state is removed and the useraccountcontrol value +becomes 512. + +### Provision multiple forests + +Same as for export, this connector can fulfill resources to multiple forests trusted by the same AD +domain, by specifying the Server and BaseDN pairs in Servers for all forests. + +The following example fulfills data to two targets: both on the same Server (contoso.server.com), +but on two different BaseDNs (DC=contoso,DC=com and DC=defense,DC=contoso,DC=com). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json + { + ... + "Connections": { + ... + "ADFulfillment": { + "Servers": [ + { + "Server": "", + "BaseDN": "" + }, + { + "Server": "", + "BaseDN": "" + } + ], + "AuthType": "Basic", + "Login": "", + "Password": "", + "AsAdLds": "true" + } + } + } +``` + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. 
+ +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the ResourceType's ArgumentsExpression. + +The following example adds the attribute description with a value depending on what is modified: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + +``` + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the appsettings.encrypted.agent.json file. See the + [ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) + topic for additional information. +- An Azure Key Vault safe; See the + [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + topic for additional information. + +- A CyberArk Vault able to store Active Directory's Login, Password and Server. See the + [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/azure/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/azure/index.md new file mode 100644 index 0000000000..5040be1d32 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/azure/index.md 
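Review bot: in the Fulfill configuration example of the Active Directory connector page, `"AsAdLds": "true"` is a quoted string although the attribute table types AsAdLds as Boolean and the Export example writes a bare `false`, and the comma after `"Password": "",` leaves the object invalid as JSON; write a bare `true` (in the multi-forest Fulfill example as well) and drop the trailing comma. That multi-forest Fulfill example also sets AuthType to Basic without EnableSSL, while the table recommends EnableSSL with Basic because basic authentication packets are not encrypted by default, so add it to the example or state why it is left out. Two smaller points: the Fulfill attribute table has stray text in its header and AsAdLds row ("DescriptionDetails", "It isInfo: used"), and in the Export table RequestTimeout and ConnectionTimeout carry the same description, so the difference between the two settings is undocumented.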
@@ -0,0 +1,132 @@ +# Azure + +This connector exports +[Azure](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure) +resources, role definitions and assignments. + +This page is about [ Azure ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure/index.md). + +![Package: Cloud/Azure](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp) + +## Prerequisites + +Implementing this connector requires at least the `Security Reader` role, because Identity +Manager does not access the [Azure API](https://docs.microsoft.com/en-us/rest/api/azure/) on behalf +of a user but with [its own identity](https://docs.microsoft.com/en-us/rest/api/azure/). + +## Export + +For a given Azure tenant with resources, this connector exports Azure resources, role definitions +and role assignments to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- be unique. + +- not begin with a digit. + +- not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +> The following example +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "AzureExport": { +> "ApplicationId": "contosoAzure897", +> "ApplicationKey": "25d408a1925d4c081925b\\d40819", +> "SubscriptionId": "Contoso", +> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c", +> "AzurePath": "https://management.azure.com/.default", +> "AzurePathApi": "https://management.azure.com", +> "ResponseUri": "https://agent.usercubecontoso.com" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --- | --- | +| ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (client) ID__ | +| ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ | +| TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (tenant) ID__ | +| ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| | | +| --- | --- | +| SubscriptionId required | __Type__ String __Description__ GUID that uniquely identifies the subscription associated to the ```ApplicationId```. [See how to find it](https://www.youtube.com/watch?v=6b1J03fDnOg&t=3s). | +| AzurePath default value: ```https://management.azure.com/.default``` | __Type__ String __Description__ Scope requested to access a protected API. 
For this flow (client credentials), the scope should be of the form __`{ResourceIdUri/.default}`__. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation). | +| AzurePathApi default value: ```https://management.azure.com``` | __Type__ String __Description__ Azure Uri API. | + +### Output details + +This connector is meant to generate to the [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) folder the following CSV files: + +```_RoleDefinition.csv``` with the following columns: + +- __id__: role definition's Azure id; +- __name__: role definition's id; +- __roleName__: role definition's name; +- __type__: role definition's type, for example it can describe if it is a built-in role or a customized one; +- __description__: role definition's description. + +```_Resource.csv``` with the following columns: + +- __id__: resource's Azure id; +- __name__: resource's name; +- __type__: resource's type; +- __location__: resource's geographical location; +- __managedBy__: GUID or Azure id of the resource's manager; +- __principalId__: resource's identity PrincipalId; +- __ResourceIdentitytype__: resource's identity type. + +```_RoleAssignment.csv``` with the following columns: + +- __id__: role assignment's Azure id; +- __name__: role assignment's id; +- __roleDefinitionId__: role definition's Azure id; +- __principalId__: Microsoft Entra ID (formerly Microsoft Azure AD)'s object GUID; +- __scope__: resource's Azure id. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ + RSA Encryption + ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) configured in the ```appsettings.encrypted.agent.json``` file; +- An [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe; + +- A [CyberArk's AAM Credential Providers + ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) able to store Azure's ```ApplicationId``` and ```ApplicationKey```. +```` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md new file mode 100644 index 0000000000..0902fb6497 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md 
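Review bot: on the Azure connector page, the first code block under Configuration opens with three backticks and is closed with four, and the file ends on a stray four-backtick fence, so the fences do not pair; close the block with three backticks and drop the final line. The Setting attributes table is also cut in two by an empty `| | |` header row before SubscriptionId, which starts a second, headerless table. In the example, ApplicationId ("contosoAzure897") and SubscriptionId ("Contoso") are not GUIDs although the table describes both as GUIDs, and in Prerequisites the "Azure API" and "its own identity" links point to the same URL.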
@@ -0,0 +1,113 @@ +# CSV + +This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values). + +This page is about [ CSV ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/csv/index.md). + +![Package: File/CSV](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) + +## Overview + +Files in CSV format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the source file to be in CSV format. + +## Export + +This export copies the information found in a CSV file and transforms it into a new CSV file in the +Identity Manager's format. + +### Configuration + +This process is configured through a +[](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +in the UI and/or the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/UsercubeContoso/Contoso/hr_conto(.*?).csv", +> "PathIncremental": "C:/UsercubeContoso/Contoso/hr_delta_conto(.*?).csv", +> "Encoding": "UTF-16", +> "Separator": ";", +> "IsFileNameRegex": true, +> "NumberOfLinesToSkip": 1, +> "ValuesToTrim": [ +> "*", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`, to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +For example, when exporting a connection named `HRCountries`, the output file will be named +`HRCountries.csv`. + +The file's columns come from the header line from the input CSV file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), +nor a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. 
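Review bot: in Credential protection on the CSV connector page, the link labels do not match what the sentence is naming: it opens with an empty-label link to the rsa-encryption page, and every other link is labelled "Connection" and targets the connection XML page, including the one in "an [ Connection ] safe". The Active Directory and Azure pages in this patch name RSA Encryption, CyberArk's AAM Credential Providers and Azure Key Vault in the same places, so restore those labels and targets here. The Configuration sentence has the same empty-label link in front of "[ Connection ]". In the example, IsFileNameRegex is true and Path ends in `(.*?).csv` with the dot before `csv` unescaped; since the table says the export uses the last created file among those that match, the sample pattern should escape that dot so it only matches the intended files.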
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md new file mode 100644 index 0000000000..509174e056 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md 
@@ -0,0 +1,220 @@ +# EasyVista + +This connector exports and fulfills users from/to an +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en)-compliant system. + +This page is about [ EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md). + +![Package: ITSM/EasyVista](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic; +- An EasyVista account with reading/writing permissions on the target instance; +- A view to be created in EasyVista for each type of entity to export. + +## Export + +This connector exports a list of users, with their attributes specified in the connector's +configuration, to CSV files. + +It can also export any custom entity, provided that a view exists for it in EasyVista. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "ExportEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword", +> "ExportSettingsOptions": { +> "Profiles": "https://easy-vista.instance.com/api/v1/11111/internalqueries?queryguid={019B0523-F1C4-4G84-AA04-47BA16F16EB2}&filterguid={Z8A61D04-EZEC-42F1-A3E1-E9E09654BE68}&viewguid={2740V37A-A0ZC-4E50-A1F1-CF0987B9EFEA}" +> } +> } +> } +> } +> ``` + +The `ExportSettingsOptions` attribute is necessary only if custom entities are exported. It is not +required if only the users are exported. +Besides, `"Profiles"` is used here as an example and corresponds to a name to identify the exported +entities. + +#### Setting attributes + +| Name | Details | +| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. | +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | +| | | +| --- | --- | +| ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. 
**Note:** for any customized entity to be exported, this argument must contain its REST API URL. **Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp) | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +export output folder: + +- a CSV file, named `_Employees.csv`, with one column for each property having + a `ConnectionColumn` and each property without it but used in an entity association; +- a CSV file for each customized entity, named `_.csv`. + +> For example, with the following entity type mapping for employees: +> +> ``` +> +> +> +> ``` +> +> And the following entity type mapping for profiles: +> +> ``` +> +> EntityType Identifier="EasyVista_Profiles" DisplayName_L1="EasyVista Profiles" Property Identifier="NAME_EN" DisplayName_L1="NAME_EN" TargetColumnIndex="23" Type="String" Type="String" IsKey="true" //EntityTypeEntityTypeMapping Identifier="EVProfiles" Connector="ExportEasyVista" ConnectionTable="EasyVistaExport_Profiles" Property Identifier="PROFILE_GUID">>>> ><<<<<
+> +> ``` +> +> Then we will have `C:/UsercubeContoso/Sources/EasyVistaExport_Employees.csv` as follows: +> +> ``` +> EasyVistaExport_Employees.csv +> last_name +> Talma Bart +> Tanner Carol +> Taverner David +> Taylor Eric +> Telemann Franck +> Thomson Georges +> ... +> +> ``` +> +> Then we will have `C:/UsercubeContoso/Sources/EasyVistaExport_Profiles.csv` as follows: +> +> ``` +> EasyVistaExport_Profiles.csv +> NAME_EN, PROFILE_GUID +> Administration {value of the PROFILE_GUID} +> LOB Manager {value of the PROFILE_GUID} +> Product Team {value of the PROFILE_GUID} +> Project Manager {value of the PROFILE_GUID} +> ... +> +> ``` + +Users created from the API are retrieved by Identity Manager only after a complete synchronization. + +## Fulfill + +The EasyVista connector writes to EasyVista to create, archive (delete from Identity Manager's point +of view) and update employees, initiated manually through the UI or automatically by +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "FulfillEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | ------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. | +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. 
| + +### Output details + +This connector can: + +- Create and update employees and their profiles, but is limited by + [API limitations](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Integration/WebService%20REST/REST%20API%20-%20Create%20an%20employee/); + + In particular, this connector cannot set dates nor the `employee_id` property. + +- Archive employees, i.e. set the `CONTRACT_END_DATE` to the date of the fulfill execution. + + This action is performed when Identity Manager fulfills a provisioning order with a `Deleted` + change type. + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to find out more on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- A + [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md new file mode 100644 index 0000000000..18903bd2a0 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md 
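Review bot: on the EasyVista connector page, the entity type mapping for profiles under Output details is not valid XML: the element names have lost their angle brackets, `Type="String"` appears twice on the same property, and the block ends in a run of `>>>> ><<<<<`; restore the mapping from the source it was converted from. In Credential protection the first bullet is an empty-label link to the rsa-encryption page followed by a link labelled "Connection", and the second bullet is "[ Connection ] safe" pointing at the connection XML page, where the EasyVista Ticket page in this patch has RSA Encryption in the first position; the labels and targets need restoring. The "This page is about" link points to references-connectors/easyvista/index.md, which is this file, whereas the Azure and CSV pages link to their references-packages page. The Setting attributes table for export is also split by an empty header row before ExportSettingsOptions.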
@@ -0,0 +1,78 @@ +# EasyVista Ticket + +This connector opens tickets in +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en) for manual +provisioning. + +This page is about [ EasyVista Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md). + +![Package: Ticket/EasyVista](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +This connector focuses on the creation of EasyVista tickets for editing manually EasyVista +resources. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- An EasyVista account with reading/writing permissions on the target instance. + +## Export + +This connector exports some of EasyVista entities, see the export capabilities of the +[ EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md) connector. Some entities cannot be +exported. + +## Fulfill + +This connector writes to EasyVista to create incident and request tickets containing information to +create, update or delete a resource. It does not create a resource directly. + +Once created, the ticket is managed in EasyVista, not in Identity Manager. + +When the ticket is closed or canceled, Identity Manager updates the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) of the +resource accordingly. 
+ +See the fulfill capabilities of the [ EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) connector. + +> For example: +> +> ``` +> appsettings.agent.json +> "EasyVistaManual": { +> "Server": "https://example.easyvista.com/", +> "Login": "username", +> "Password": "password", +> "Account": "11111" +> }, +> +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to find out more on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- a + [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/excel/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/excel/index.md new file mode 100644 index 0000000000..653544554e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/excel/index.md 
@@ -0,0 +1,135 @@ +# Microsoft Excel + +This connector exports datasheets from a +[Microsoft Excel](https://www.microsoft.com/en-us/microsoft-365/excel) (XLSX) file. + +This page is about [ Excel ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/excel/index.md). + +![Package: File/Microsoft Excel](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp) + +## Overview + +Microsoft Excel files using the XLSX file format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the input file to be in the XLSX format. + +## Export + +This connector copies the information from an XLSX file into CSV files, one per spreadsheet, while +filtering out spreadsheets and trimming values if needed. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/UsercubeContoso/Contoso/hr_conto(.*?).xlsx", +> "PathIncremental": "C:/UsercubeContoso/Contoso/hr_delta_conto(.*?).xlsx", +> "IsFileNameRegex": "true", +> "SheetOptions": [ +> { +> "SheetIgnored": "false", +> "NumberOfLinesToSkip": 1 +> }, +> { +> "SheetIgnored": "true" +> } +> ], +> "ValuesToTrim": [ +> "$", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". 
| +| | | +| --- | --- | +| SheetOptions optional | **Type** Sheet Option List **Description** List of options for each sheet of the input file. The first element of the list sets the options for the first sheet, the second element for the second sheet, etc. | + +##### SheetOptions + +| Name | Details | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | +| SheetIgnored required | **Type** Boolean **Description** `True` to exclude the sheet from export. | +| | | +| --- | --- | +| NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder a CSV file per spreadsheet included in the export, named `_.csv` +where `` is the spreadsheet's index. + +Note that `0` is the first index, not `1`. + +> For example, when exporting the content of a 2-sheet Excel file with a connection named +> `HRContoso`, the output files will be named `HRContoso_0.csv` for the first spreadsheet, and +> `HRContoso_1.csv` for the second. + +The file's columns come from the header line from the input Excel file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), nor +a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)Vault. + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md new file mode 100644 index 0000000000..dcd9d04286 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md 
@@ -0,0 +1,168 @@ +# Google Workspace + +This connector exports and fulfills users and groups from/to a +[Google Workspace](https://developers.google.com/workspace) instance. + +This page is about [ Google Workspace ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md). + +![Package: Directory/Google Workspace](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp) + +## Overview + +Google Workspace provides a set of softwares and products developed by Google. The Google Workspace +connector exports and fulfills users and groups from/to a Google Workspace instance. It exports +user-group memberships too. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account impersonating the following permission scopes: + [https://www.googleapis.com/auth/admin.directory. user](https://www.googleapis.com/auth/admin.directory.user) + and + [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group). + + See + [Google's documentation](https://developers.google.com/workspace/guides/create-credentials#googles-documentation) + Google's documentation to create the service account with the right impersonation. + + _Remember,_ Google's documentation describes this procedure as optional, while the Google + Workspace connector requires it. + +## Export + +This connector extracts users, groups and user-group memberships from a Google Workspace instance, +and write the output to CSV files. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/UsercubeDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal", +> "PageSize": "100" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. | +| | | +| --- | --- | +| PageSize default value: 50 | **Type** Int32 **Description** Number of items, i.e. users and/or groups and/or memberships, retrievable from Google Workspace by each API call (from 1 to 500). 
| + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder the +following CSV files: + +- `GoogleExportFulfillment_Users.csv` and `GoogleExportFulfillment_Groups.csv` whose headers come + from the entity type mapping's `ConnectionColumn` and from the entity association mappings' + columns which are not _members_ columns; +- `GoogleExportFulfillment_Members.csv` with the following columns: + - **value**: ID of the group; + - **MemberId**: ID of the group member. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `":"` should not be used in other situations. + +> For example: +> +> ``` +> +> +> +> ``` +> +> Note that we have here `AgreedToTerms` which is a single property, and `FamilyName` which is a +> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`. + +## Fulfill + +This connector can write to Google Workspace to create, update, and/or delete users and user-group +memberships. + +### Configuration + +[Same as for export](#export), fulfill is configured through connections. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/UsercubeDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. 
[See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. | + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), nor +a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)Vault. + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md new file mode 100644 index 0000000000..189985db17 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md 
@@ -0,0 +1,130 @@ +# Home Folder + +This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directory)' content. + +This page is about [ Home Folders ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md). + +![Package: Storage/Home Folders](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp) + +## Overview + +Home Folders, also called Home Directory, is a user-dedicated storage area where users' personal +files can be accessed. In general, a home folder is private so only its owner and administrators can +access it. Moreover, the folders are often centralized because they are located on a network server. +It allows making backups regularly and easily accessing the folders. + +## Prerequisites + +Implementing this connector requires: + +- reading first how to + [Set, View, Change, or Remove Special Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772196(v=ws.10)) + and check the + [File and Folder Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)) + list; +- an account with at least the special permission Read on all home folders in order to be able to + export them. + +## Export + +This connector exports all the home folders to a CSV file. + +This connector performs only complete export, not incremental. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... 
+ } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "HomeFolderExport": { +> "InputDirectories": [ +> "C:/ContosoFolder", +> "C:/ContosoFolder2", +> ], +> "Domain": "Windows", +> "Interactive": true, +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InputDirectories required | **Type** String List **Description** List of the directories that contain the home folders to be exported. | +| Domain optional | **Type** String **Description** Domain of the account used to access the home folders. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set the authentication as interactive. `False` to set it batch. [See Microsoft's documentation for more details](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera#see-microsofts-documentation-for-more-details). | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. 
**Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`, to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder, with the +following columns: + +- **Command**: empty for now, as the connector performs only complete export. +- **Name**: name of the home folder. + +> For example, when exporting with a connection named `HomeFolderExport`, then the output file will +> be named `HomeFolderExport.csv` and will look like: +> +> ``` +> HomeFolderExport.csv +> Command,Name +> ... +> ``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)safe; + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Home Folder's `Login` and `Password`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md new file mode 100644 index 0000000000..85fcead63e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md 
@@ -0,0 +1,136 @@ +# References: Connectors + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. Here is a list of reference connectors: + +- [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + + Exports and fulfills users and groups from/to an Active Directory instance. + +- [ Azure ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) + + Exports Azure resources, role definitions and assignments. + +- [ CSV ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) + + Exports data from a CSV file. + +- [ EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) + + Exports and fulfills users from/to an EasyVista-compliant system. + +- [ EasyVista Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) + + Opens tickets in EasyVista for manual provisioning. + +- [ Google Workspace ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) + + Exports and fulfills users and groups from/to a Google Workspace instance. + +- [ Home Folder ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) + + Exports home folders' content. + +- [InternalWorkflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) + + Triggers workflows in Identity Manager for a system's provisioning orders. + +- [Internal Resources](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) + + Opens manual provisioning tickets in Identity Manager. 
+ +- [JSON](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/json/index.md) + + Generates JSON files for each provisioning order. + +- [ LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) + + Exports and fulfills entries from/to a LDAP-compliant system. + +- [LDIF](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) + + Exports entries from a LDIF file. + +- [ Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) + + Exports and fulfills user and groups from/to a Microsoft Entra ID instance. + +- [ Microsoft Excel ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) + + Exports datasheets from a Microsoft Excel (XLSX) file. + +- [ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) + + Exports mailboxes from a Microsoft Exchange instance. + +- [ OData ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) + + Exports and fulfills entries from/to an OData instance. + +- [Okta](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/okta/index.md) + + Exports and fulfills entries from/to an Okta instance. + +- [ OpenLDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) + + Exports and fulfills entries from/to an OpenLDAP directory. + +- [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) + + Writes to an external system via a PowerShell script. 
+ +- [ PowerShellSync ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md) + + Exports data from an external system via a Powershell script. + +- [ RACF ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) + + Exports users and profiles from a RACF file. + +- [ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) + + Writes to an external system via a Robot Framework script. + +- [SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) + + Exports and fulfills users and roles from/to a SAP ERP 6.0 or SAP S4/HANA instance. + +- [ SAP Netweaver ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md) + + Exports and fulfills users and roles from/to a SAP Netweaver instance. + +- [SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) + + Exports and fulfills entities from/to a SCIM-compliant application. + +- [ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) + + Exports and fulfills any data from/to a ServiceNow CMDB. + +- [ ServiceNowTicket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) + + Opens tickets in ServiceNow for manual provisioning. + +- [ SharedFolders ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) + + Exports users and permissions from Windows shared folders. 
+ +- [SharePoint](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) + + Exports sites, folders, groups and permissions from a SharePoint instance. + +- [ Sql ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) + + Exports data from one of various Database Management Systems. + +- [ Sql Server Entitlements ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) + + Exports entitlements from Microsoft SQL Server. + +- [ Top Secret ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) + + Exports users and profiles from a Top Secret (TSS) instance. + +- [ Workday ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) + + Exports users and groups from a Workday instance. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md new file mode 100644 index 0000000000..b678417c32 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md 
@@ -0,0 +1,20 @@ +# Internal Resources + +This connector opens manual provisioning tickets in Identity Manager. + +This page is about: + +- Ticket/Identity Manager +- Ticket/Identity Manager And Create/Update/Delete resources + +See the [ Manual Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) and +[ Manual Ticket and CUD Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) +topics for additional information. + +![Package: Ticket/Usercube](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp) + +![Package: Ticket/Usercube And Create/Update/Delete resources](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp) + +See the +[ Provision Manually ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md new file mode 100644 index 0000000000..be06b485f7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md 
@@ -0,0 +1,210 @@ +# InternalWorkflow + +This connector triggers workflows in Identity Manager for a system's provisioning orders. + +This page is about Identity Manager Internal Workflow. See the +[ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) topic for additional information. + +![Package: Usercube/Workflow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp) + +## Overview + +This connector is singular because it does not connect Identity Manager to an external system. + +Instead, it is made to read the provisioning orders of a given connector or resource type, and +launch specific workflows still within Identity Manager, depending on each order's type (creation, +update, deletion). + +It works via a JSON file used to set the workflow to launch along with its arguments such as its +message and body. + +## Prerequisites + +Implementing this connector requires: + +- Knowledge of the basic principles of Identity Manager's workflows. See the + [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) topic for additional information. +- Configuring in Identity Manager the workflows for the arrival of a new user, the update of a + pre-existing user, and for the departure of a user + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector retrieves the files containing provisioning orders that correspond to a given list of +connectors or resource types, and then starts workflows according to the type of the provisioning +orders (Added, Modified, Deleted) found in the JSON files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > **Connections** section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +**NOTE:** The identifier of the connection and thus the name of the subsection must: + +- be unique +- not begin with a digit +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "HR_Person_To_Directory_UserRecord": { +        "WorkflowJsonPath": "" +    } +  } +} +``` + +The configuration setting must have the following attributes: + +| Name | Type | Description | +| ------------------------- | ------ | ------------------------------------------------------- | +| WorkflowJsonPath required | String | Path of the JSON file used to configure this connector. | + +WorkflowJsonPath + +The file specified in WorkflowJsonPath must have a specific structure. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +FulfillInternalWorkflow.json +{ +  "SourceEntityIdentifier": "Directory_UserRecord", +  "NavigationToTargetEntity": "User", +  "NavigationTargetToSource": "Records", +  "TargetEntityTypeIdentifier": "Directory_User", +  "FulfillInternalWorkflowConfigurations": [ +    { +      "ChangeType": "Added", +      "Model": { +        "WorkflowIdentifier": "Directory_User_StartInternal", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow start: $Changes:LastName$ - $Changes:FirstName$, EmployeeId: $Changes:EmployeeId$", +        "Body": "body of workflow $Changes:EmployeeId$ - $Changes:Site.Label$" +      }, +      "ScalarProperties": [ +        "LastName", +        "FirstName", +        "ContractStartDate", +        "ContractEndDate" +      ], +      "NavigationProperties": [ +        "Category", +        "Service", +        "Site" +      ] +    }, +    { +      "ChangeType": "Modified", +      "Model": { +        "WorkflowIdentifier": "Directory_User_ChangeName", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow Update: $Resource:LastName$ - $Resource:FirstName$, EmployeeId: $Resource:EmployeeId$", +        "Body": "body of workflow Update for  $Resource:EmployeeId$ " +      }, +      "ScalarProperties": [ +        "FirstName", +        "LastName" +      ] +    }, +    { +      "ChangeType": "Deleted", +      "Model": { +        "WorkflowIdentifier": "Directory_User_End", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow end Directory_Person for $Resource:LastName$ - $Resource:FirstName$", +        "Body": "body if workflow end for $Resource:LastName$ - $Resource:FirstName$" +      }, +      "DateProperties": [ +        "ContractEndDate" +      ] +    } +  ] +} + +``` + +_Remember,_ as workflows' aspects are computed during the fulfill process, all the required +properties must be present in the 
provisioning order and in this JSON file. + +Setting attributes + +The table below summarizes the setting attributes. + +| Name | Type | Description | +| ----------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Body required | String | Body of the message transmitted by the workflow. | +| ChangeType required | String | Type of the provisioning order: Added; Modified; Deleted. | +| DateProperties optional | DateTime List | List of the properties corresponding to the dates that the workflow is to fill in. **NOTE:** When not specified and ChangeType is set to Deleted, then the dates are filled with the workflow's execution date. | +| Message required | String | Message sent to the accounts impacted by the workflow. | +| NavigationProperties optional | String List | List of the navigation properties to get from the provisioning orders in order to complete the workflow. | +| NavigationTargetToSource optional | String | Navigation property that makes the link from the target entity type to the source entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. See the[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information. | +| NavigationToTargetEntity optional | String | Navigation property that makes the link from the source entity type to the target entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. 
See the[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information. | +| ScalarProperties optional | String List | List of the scalar properties to get from the provisioning orders in order to complete the workflow. | +| SourceEntityIdentifier required | String | Identifier of the source entity type of the workflow. | +| TransitionIdentifier required | String | Identifier of the workflow's transition after execution. | +| TargetEntityTypeIdentifier required | String | Identifier of the target entity type of the workflow. | +| WorkflowIdentifier optional | String | Identifier of the workflow to be started. **NOTE:** Optional but recommended because it acts as default value when there is no related ArgumentsExpression or it does not return a valid identifier. See the[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. | + +The table below summarizes the variables for messages and bodies. + +| Name | Type | Description | +| -------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Changes | String List | Prefix used to get data from the **Changes** section of the provisioning order. Example **Changes:LastName** retrieves the value of the **LastName** property from the order's changes. | +| Resource | String List | Prefix used to get data from Identity Manager's database. Example **Resource:LastName** retrieves the value of the **LastName** property from the database. | + +### Output details + +All three types of workflows (onboarding, update and off-boarding) can be completed with the fulfill +Internal Workflow. 
+ +## Authentication + +See the following to figure out authentication. + +Password reset + +This connector does not reset passwords. + +Credential protection + +This connector has no credential attributes, and therefore does not use RSA encryption, nor a +CyberArk Vault. See the +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +topics for additional information. + +Still, data protection can be ensured through an Azure Key Vault safe. See the +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)topic +for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/json/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/json/index.md new file mode 100644 index 0000000000..912f520420 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/json/index.md @@ -0,0 +1,10 @@ +# JSON + +This connector generates [JSON](https://www.json.org/json-en.html) files for each provisioning +order. + +This page is about [ JSON ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/json/index.md) + +![Package: Custom/JSON](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. 
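Review bot: In internalworkflow/index.md, the NOTE under Fulfill > Configuration says a connection identifier must not contain `_`, but the example directly below it names the connection `HR_Person_To_Directory_UserRecord`, which violates that rule. Either rename the example connection to an identifier without underscores or correct the list of forbidden characters, so the sample and the rule agree. The sentence "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line" is also repeated three times in this section, each time above a JSON file rather than a command-line script, and the third time above `FulfillInternalWorkflow.json`, which shows no `<>` placeholders; keep it once and word it for a configuration file. Minor: "body if workflow end" in the Deleted sample should read "body of workflow end".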
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md new file mode 100644 index 0000000000..e3d4bb19fc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md 
@@ -0,0 +1,285 @@ +# LDAP + +This connector exports and fulfills entries from/to an [LDAP](https://ldap.com/)-compliant system. + +This page is about: + +- [ Generic LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md); +- [ Oracle LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md); +- [ Apache Directory ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md); +- [ Red Hat Directory Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md). + +![Package: Directory/Generic LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp) + +![Package: Directory/Oracle LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp) + +![Package: Directory/Apache Directory](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp) + +![Package: Directory/Red Hat Directory Server](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp) + +## Overview + +The Lightweight Directory Access Protocol (LDAP) is a flexible and well supported standards-based +mechanism for interacting with directory servers. + +## Prerequisites + +Implementing this connector requires reading first the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation. + +## Export + +For a configured set of LDAP entries, this connector exports the list of all attributes from the +connector's configuration. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "LDAPExport": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Controls": [ +> "PagedResult", +> "DomainScope" +> ], +> "NoSigning": false, +> "EnableSSL": true +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(objectclass=*)", +> "Scope": "Subtree" +> }, +> { +> "Table": "member", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(&(member=*)(objectclass=groupOfEntries))", +> "Scope": "Subtree" +> } +> ], +> "SizeLimit": 5000, +> "TimeLimit": 5, +> "TimeOut": 30 +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of servers to connect to. | +| Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve entries and links. **Note:** having a table named `entries` is mandatory. | +| SizeLimit optional | **Type** Int32 **Description** Maximum number of objects returned in the search request. **Note:** ignored when using `Servers`:`Controls`. 
| +| TimeLimit optional | **Type** Int32 **Description** Maximum duration (in seconds) of the request. | +| TimeOut optional | **Type** Int32 **Description** Time period (in seconds) before the connection to the LDAP is closed. | + +##### Servers + +| Name | Details | +| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the target domain controller. | +| Controls optional | **Type** String List **Description** List of the controls that will be applied to the request. Possible values are: `PagedResult` to limit the number of returned queries. Results will be returned in smaller and limited packets. `DomainScope` to enable domain control, i.e. the LDAP server won't generate any referrals when completing a request, and the search is restricted to a single name context. **Note:**`PagedResult` is required when using `DomainScope`. [See more details in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-domain-scope-oid). | +| | | +| --- | --- | +| EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. **Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. 
| +| NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. | +| | | +| --- | --- | +| AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | **Type** String **Description** Login used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| Password optional | **Type** String **Description** Password used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | + +##### Tables + +| Name | Details | +| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BaseDN required | **Type** String **Description** Base Distinguished Name to be used to connect to the server. | +| Table required | **Type** String **Description** Name of the table: it should be `entries` for the main entries, and the name of the LDAP's link attribute otherwise. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder one file +per element in **Tables**, named `_.csv`, with one column for each +property having a `ConnectionColumn` and each property without it but used in an entity association. + +Any property can be exported in a specific format when specified. See the +[ References: Format for the EntityPropertyMapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) +topic for additional information. + +> With the previous example and the following entity type mapping: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/UsercubeContoso/Temp/ExportOutput/LDAPExport_entries.csv` like: +> +> ``` +> LDAPExport_entries.csv +> displayName,dn,entryUuid,objectClass,ou,parentdn +> ... +> +> ``` +> +> And we would also have `C:/UsercubeContoso/Temp/ExportOutput/LDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> dn,member +> ... +> +> ``` + +## Fulfill + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Identity Manager UI or by [Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) +enforcement. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LDAPFulfillment": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com" +> } +> ], +> "IsLdapPasswordReset": true, +> "AsAdLds": false +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** [Server](#servers) List **Description** List of servers to connect to. | +| Tables required | **Type** [Table](#tables) List **Description** List of specific setting attributes to retrieve the entries and the links. **Note:** having a table named `entries` is mandatory. | +| AsAdLds required | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + LDAP's `Login`, `Password` and `Server`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md new file mode 100644 index 0000000000..2b6f5a583b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md 
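Review bot: In ldap/index.md, the `LDAPFulfillment` example sets `"AuthType": "Basic"` with a literal `Login` and `Password` but omits `EnableSSL`, while the Servers table in the same file says `EnableSSL` is recommended with `Basic` because basic authentication packets are not encrypted by default. Add `"EnableSSL": true` to that example, as the `LDAPExport` example already does, and point both examples at the Credential protection section so the plaintext password in `appsettings.agent.json` is not read as the recommended setup. In Credential protection, all three bullets carry the label "Connection" and link to the Connection topic ("An [ Connection ] safe"), so the intended targets are lost; restore the correct link text and URLs. The `Filter` description ("Entries to be excluded from export") also conflicts with the examples, where `(objectclass=*)` is used on the `entries` table to select what is exported.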
@@ -0,0 +1,105 @@ +# LDIF + +This connector exports entries from an +[LDIF](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) file. + +This page is about [ LDIF ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/ldif/index.md). + +![Package: Directory/LDIF](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp) + +## Overview + +The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for +representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. +LDIF conveys directory content as a set of records, one record for each object (or entry). It also +represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record +for each update request. + +## Prerequisites + +Implementing this connector requires no particular prerequisites. + +## Export + +This connector generates a CSV file from an input LDIF file containing entries to be exported. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LdifExport": { +> "LDIFFile": "C:/UsercubeContoso/Contoso/contoso.ldif", +> "FilterAttribute": "objectClass", +> "FilterValues": "user organizationalUnit", +> "Attributes": [ "dn", "objectClass", "cn", "SAMAccountName", "Name", "userprincipalname" ], +> "LdifEncoding": "UTF-8", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| LDIFFile required | **Type** String **Description** Path of the LDIF input file. | +| FilterAttribute required | **Type** String **Description** Property from the connector's configuration whose value is to be compared with the values from `FilterValues`, in order to filter the entries to export. | +| FilterValues required | **Type** String **Description** List of values to be compared with the value of `FilterAttribute`, in order to filter the entries to export. Identity Manager will export only the entries matching the filter. **Note:** multiple values must be separated by white spaces. | +| Attributes required | **Type** String List **Description** List of properties from the connector's configuration to be exported. | +| LdifEncoding default value: UTF-8 | Encoding of the file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). 
| + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder a CSV file +named `LdifExport.csv`, with the following columns: + +``` +LdifExport.csv +Command,dn,objectClass,cn,SAMAccountName,Name,userprincipalname +Insert,value1,value2,...,valueN +``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), +nor a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)Vault. + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md new file mode 100644 index 0000000000..b0ca847533 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md 
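Review bot: In ldif/index.md, the `LdifExport` example is not valid JSON: `"LdifEncoding": "UTF-8",` is the last property of the object and ends with a trailing comma. Drop the comma so the sample can be pasted into `appsettings.agent.json` as is. The `LdifEncoding` row of the settings table is missing the **Type** entry that every other row has. In Credential protection, the sentence starts with an empty-text link to the rsa-encryption topic and then uses three links all labelled "Connection" that point to the Connection topic ("nor a [ Connection ] Vault", "an [ Connection ] safe"); give each link the text and target the sentence intends.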
@@ -0,0 +1,260 @@ +# Microsoft Entra ID + +This connector exports and fulfills user and groups from/to a +[Microsoft Entra ID](https://www.microsoft.com/fr-fr/security/business/identity-access/microsoft-entra-id) +(formerly Microsoft Azure AD) instance. + +See the[ Microsoft Entra ID ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md)topic for +additional information. + +![Package: Directory/Microsoft Entra ID](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp) + +## Overview + +Microsoft Entra ID is Microsoft's cloud-based identity and access management service which helps +your employees sign in and access resources in: + +- External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS + applications; +- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps + developed by your own organization. + +## Prerequisites + +Implementing this connector requires giving Identity Manager +[application permissions](https://docs.microsoft.com/en-us/graph/auth/auth-concepts#application-permissions), +because Identity Manager does not access the +[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) on behalf +of a user but with [its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-service), and +delegated permissions are not enough. These application permissions require the consent of an +administrator of the target Microsoft Entra ID tenant. 
+ +See the[Register for Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) topic on how to +register Identity Manager as an application with the Microsoft Identity Platform in order to grant +Identity Manager a service account which authenticates with the target Microsoft Entra ID. + +## Export + +For a configured set of directory objects on an Microsoft Entra ID instance, this connector exports +the list of configured attributes in the associated entity type mapping to a CSV file. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration. See +the[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)topic for +additional information. + +Or in the `appsettings.agent.json > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +**NOTE:** The identifier of the connection and thus the name of the subsection must: + +- be unique +- not begin with a digit +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_` + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "AzureADExport": { + "ApplicationId": "", + "ApplicationKey": "<25d408a1925d4c081925b\\d40819>", + "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", + "MicrosoftGraphPathApi": "", + "ResponseUri": "" + } + } +} +``` + +Setting attributes + +The table below summarizes the setting attributes of Microsoft Entra ID connector. 
+ +| Name | Type | Description | +| -------------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApplicationId (required) | String | GUID that uniquely identifies the application registration in the Azure tenant. **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** | +| ApplicationKey (required) | String | Secret associated with the `ApplicationId` **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** | +| TenantId (required) | String | GUID that uniquely identifies the Azure tenant. **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** | +| ResponseUri (default value: `http://localhost`) | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| MicrosoftAuthorityPath (optional) | String | Pattern for Microsoft Authority Path. | +| MicrosoftGraphPath (default value: `https://graph.microsoft.com/.default`) | String | Scope requested to access a protected API. **NOTE:** For this flow (client credentials), the scope should be of the form `{ResourceIdUri/.default}`. 
[See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation) for additional information. | +| MicrosoftGraphPathApi (default value: `https://graph.microsoft.com/v1.0/`) | String | Microsoft Graph Uri API. | + +### Output details + +This connector is meant to generate the following files: + +- `_directoryobjects.csv` containing the property values from the entity type + mapping associated with the connection. + + **NOTE:** The values are exported from the entities listed in the attribute `C0` of the + `EntityTypeMapping`. + + For example, with the following configuration: + + Code attributes enclosed with `<>` need to be replaced with a custom value before entering the + script in the command line. + + ``` + + + + + + + + ``` + + Four entities are exported (`user`; `group`; `directoryRole`; `servicePrincipal`) and whose + names are to be found in the column `@odata.type`. Then `AzureADExport_directoryobjects.csv` + looks like: + + ``` + AzureADExport_directoryobjects.csv + Command,@odata.type,accountEnabled,id,mail + ... + ``` + + _Remember,_ attributes described as "Supported only on the Get `` API" in the + [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) + documentation cannot be retrieved through this connector. The export task will raise an error if + these attributes are used in your EntityTypeMapping. + + This connector supports + [Microsoft Entra ID Schema Extensions](https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions) + but does not support + [Microsoft Graph Schema Extensions](https://docs.microsoft.com/en-us/graph/extensibility-schema-groups). + +- `__.csv` describing the navigation property from + one entity to another. 
+ + For example `AzureADExport_members_group.csv` would look like: + + ``` + AzureADExport_members_group.csv + Command,groupId,id + ... + ``` + + Where command can be `insert`, `update` or `delete`; groupId is the id of the group; id is the + id of the group member (in this context). + + **NOTE:** Only the navigation properties `members` and `owners` are exported. These navigation + properties are automatically detected according to the data exported. + +- one file `_cookie_.bin` per entity, containing an URL with a + `delta token` useful for incremental export. + + > For example `AzureADExport_cookie_user.bin` + + _Remember,_ most exports can be run in complete mode, where the CSV files will contain all + entries, or in incremental mode, where CSV files will contain only the entries which have been + modified since the last synchronization. + + A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) + can use the option --ignore-cookies. + +The CSV files are stored in the Export Output folder, and the cookie file in the Export Cookies +folder. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +For more details, see Microsoft's documentation on +[columns and attributes synchronized to Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized). + +## Fulfill + +This connector writes to the Microsoft Entra ID, to create, update and delete Microsoft Entra ID +objects, initiated manually through the UI or automatically by enforcing the policy. See +the[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md)topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "AzureADFulfillment": { + "ApplicationId": "", + "ApplicationKey": "<84468d65324ghj\\de9864d3d7e89026>", + "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", + "MicrosoftGraphPathApi": "", + "ResponseUri": "" + } + } +} +``` + +Setting attributes + +The table below summarizes the setting attributes. + +| Name | Type | Description | +| ---------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationId required | String | GUID that uniquely identifies the application registration in the Azure tenant. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** | +| ApplicationKey required | String | Secret associated with the `ApplicationId`. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** | +| TenantId required | String | **NOTE:** GUID that uniquely identifies the Azure tenant. value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** | +| ResponseUri default value: `http://localhost` | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| MicrosoftGraphPathApi default value: https://graph.microsoft.com/v1.0/ | String | Microsoft Graph Uri API. 
| + +### Output details + +This connector can create a new resource, update and delete any Microsoft Entra ID objects and +groups' memberships via the UI. + +## Authentication + +See the following to figure out authentication. + +Password reset + +See +the[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +Credential protection + +Data protection can be ensured through: + +- [ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file +- An [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- A + [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + Vault able to store Microsoft Entra ID's `ApplicationId` and `ApplicationKey`. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md new file mode 100644 index 0000000000..f71b26e7c5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md 
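Review bot: In the Microsoft Entra ID connector page (the hunk that ends just before the Microsoft Exchange file header), the angle-bracket placeholders have been lost in Output details and in the Fulfill configuration. The file names read `_directoryobjects.csv`, `__.csv` and `_cookie_.bin`, the `EntityTypeMapping` example fence is empty, and the fulfill example has `"ApplicationId": ""` next to filled-in `ApplicationKey` and `TenantId` values. Escape `<` and `>` so the placeholders render, and restore the XML example, because the sentence after it ("Four entities are exported") depends on it. In both settings tables the TenantId row points to **Application (tenant) ID**, while the Azure portal labels that field Directory (tenant) ID. The fulfill table also puts **NOTE:** in front of the TenantId description rather than in front of the portal path. Because the example places `ApplicationKey` in `appsettings.agent.json`, add a pointer from the example to the Credential protection section at the end of the page.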
@@ -0,0 +1,162 @@ +# Microsoft Exchange + +This connector exports mailboxes from a +[Microsoft Exchange](https://support.microsoft.com/en-us/office/what-is-a-microsoft-exchange-account-47f000aa-c2bf-48ac-9bc2-83e5c6036793) +instance. + +This page is about [ Microsoft Exchange ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md). + +![Package: Server/Microsoft Exchange](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp) + +## Overview + +Microsoft Exchange Server is Microsoft's email, calendar, contact, scheduling and collaboration +platform. It is deployed on the Windows Server operating system (OS) for business use. This +connector uses +[Exchange Server PowerShell (Exchange Management Shell)](https://docs.microsoft.com/en-us/powershell/exchange/exchange-management-shell?view=exchange-ps) +to export databases and mailboxes. + +## Prerequisites + +Implementing this connector requires: + +- a Microsoft Exchange Server 2010, or later. + [See here Exchange Server 2016's requirements](https://docs.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2016); +- installing Windows PowerShell. + [See how to connect to Exchange servers using remote PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps). + +## Export + +This connector exports +[mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps) +and +[mailbox databases](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailboxdatabase?view=exchange-ps). +Two CSV files are generated, one with the +[mailbox properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)) +(like `Database`, `EmailAddresses`, `ServerName` , etc.) 
and the other with +[mailbox database properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)) +(like `Name`, `Server`, `Mounted`, etc.). These properties are explicitly part of the PowerShell +script used by Identity Manager. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "MicrosoftExchangeExport": { +> "AuthType": "Kerberos", +> "Server": "http://mailbox01.contoso.com/PowerShell/" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** Address of the Exchange Server used by the remote PowerShell: `http:///PowerShell/` where `` is the fully qualified domain name of the Exchange server, like `mailbox01.contoso.com`. | +| PowerShellScriptPath default value: `{your usercube path}/Runtime/Export-Exchange.ps1` | **Type** String **Description** Path of the export script file. 
| + +### Output details + +This connector is meant to generate the following files: + +- `_mailboxes.csv` with the following columns: + + ``` + _databases.csv + Command,Database,EmailAddresses,UseDatabaseRetentionDefaults,RetainDeletedItemsUntilBackup,DeliverToMailboxAndForward,ExchangeGuid,ExchangeUserAccountControl,ForwardingAddress,ForwardingSmtpAddress,IsMailboxEnabled,ProhibitSendQuota,ProhibitSendReceiveQuota,RecoverableItemsQuota,RecoverableItemsWarningQuota,CalendarLoggingQuota,IsResource,IsLinked,IsShared,SamAccountName,AntispamBypassEnabled,ServerName,UseDatabaseQuotaDefaults,UserPrincipalName,WhenMailboxCreated,IsInactiveMailbox,AccountDisabledIsDirSynced,Alias,OrganizationalUnit,DisplayName,MaxSendSize,MaxReceiveSize,PrimarySmtpAddress,RecipientType,RecipientTypeDetails,Identity,IsValid,Name,DistinguishedName,Guid,ObjectCategory,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + > For example, we could have + > `C:/UsercubeContoso/Temp/ExportOutput/MicrosoftExchangeExport_mailboxes.csv`. + + [See more details on mailbox properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)). + +- `_databases.csv` with the following columns: + + ``` + _databases.csv + Command,Name,Server,Mounted,ObjectCategory,Guid,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + [See more details on mailbox database properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)). + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. + +The CSV files are stored in the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder, and the +cookie file in the Export Cookies folder. 
+ +## Fulfill + +This connector can create, update or +delete[ mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps)' +addresses (PrimarySmtpAddress, ProxyAddress) and mailbox databases. + +As it works via a PowerShell script. See the [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic +for additional information. + +Identity Manager's PowerShell script can be found in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`. + +See the [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic for additional information. + +## Authentication + +### Authentication Type + +This connector uses Kerberos authentication when trying to connect with the Exchange Server. + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- A [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)able to store + Microsoft Exchange's `Server`. + +This kind of credential protection can be used only for the export process. + +The fulfill process' credentials can be protected by following the instructions for the +PowerShellProv connector. See the [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic for +additional information 
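Review bot: In microsoftexchange/index.md, the three Credential protection bullets all carry the label "Connection" and the same link to toolkit/xml-configuration/connectors/connection/index.md, so the list reads "An Connection safe" and never names a protection mechanism. The Entra ID page in this same patch links RSA Encryption, Azure Key Vault and CyberArk's AAM Credential Providers in those three positions; restore those targets here. The same mislabelled link appears under Output details ("stored in the Connection folder", where the other pages say Export Output folder). Further points: the `_mailboxes.csv` column example is captioned `_databases.csv`; the example connection sets `"AuthType": "Kerberos"` while the Setting attributes table documents only `Server` and `PowerShellScriptPath`, so add an `AuthType` row; the placeholder text is missing from `http:///PowerShell/` and from the output file names; and the Fulfill section has the fragment "As it works via a PowerShell script." followed by a duplicated PowerShellProv reference.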
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/odata/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/odata/index.md new file mode 100644 index 0000000000..716e4a4458 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/odata/index.md 
@@ -0,0 +1,125 @@ +# OData + +This connector exports and fulfills data from/to an [OData](https://www.odata.org/) instance. + +This page is about [ OData ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odata/index.md). + +![Package: Custom/OData](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp) + +## Overview + +OData (Open Data Protocol) comply with ISO/IEC and OASIS standards. This protocol defines the best +approaches for using RESTful APIs. OData helps you focus on your business logic while building +RESTful APIs without having to worry about the various approaches to define request and response +headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, +etc. + +## Prerequisites + +Implementing this connector requires reading first the appsettings documentation. + +Identity Manager's service is based on +[OData RFC](https://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html). + +## Export + +This connector extracts all entity sets with all the information needed to rebuild them. This is +based on the connector's metadata. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "ODataExport": { +> "Server": "https://YourODataService.com/", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------- | ----------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the data system. | +| Login optional | **Type** String **Description** Login to connect to the system. | +| Password optional | **Type** String **Description** Password to connect to the system. | +| BearerToken optional | **Type** String **Description** Token to authenticate to the system. | +| ClientId optional | **Type** String **Description** Id to connect to the system via OpenId. | +| ClientSecret optional | **Type** String **Description** Password to connect to the system via OpenId. | +| AuthenticationUrl optional | **Type** String **Description** URL to request the authentication via OpenId. | + +#### XML configuration requirements + +This connector requires from the XML configuration: + +- An + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md): + - with the same identifier as the related entity type; + - related to the right connector; + - related to a connection table named `_`; + - with properties whose connection columns represent the property's path in the entity, see the + configuration example below; +- An + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md): + - with the same identifier as the related entity association; + - with its `Column1` in the format `UsercubeNav_:` for the + related property in the association; + - with its `Column2` in the format `Of:` for the related + property in the association; + - related to a connection table named `__`. 
+ +The information contained in the entity types and entity associations does not impact the export. + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder one CSV +file for each entity set provided in the connector's configuration. + +The files' column headers come from the entity type mapping's `ConnectionColumn` properties. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `":"` should not be used in other situations. + +> For example: \\ Identifier="UserName" DisplayName_L1="User name" Type="String" /\>\ Identifier="FamilyName" DisplayName_L1="Family name" Type="String" /\>\ +> +> ````<""""""Property Identifier=UserName ConnectionColumn=UserName /Property Identifier=FamilyName ConnectionColumn=Name:FamilyName //EntityTypeMapping +> ```EntityTypeMapping Identifier=OData Connector=OData ConnectionTable=OData_People\>\<""""\>\<""""\>\<\> +> Note that we have here ```UserName``` which is a single property, and ```FamilyName``` which is a sub-property of ```Name```, hence the name ```Name:FamilyName``` as the ```ConnectionColumn```. +> ```` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/okta/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/okta/index.md new file mode 100644 index 0000000000..d84dce4848 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/okta/index.md 
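Review bot: In odata/index.md, the closing example under Output details is unreadable: the entity type and `EntityTypeMapping` XML have lost their tags, a four-backtick fence wraps a three-backtick fence, and the explanatory sentence about `Name:FamilyName` ends up inside the code block. Restore the XML with escaped angle brackets and move that sentence out of the fence. The same stripping affects the formats listed under XML configuration requirements (`_`, `UsercubeNav_:`, `Of:`, `__`), which currently give the reader no usable pattern. The example connection stores `"Login": "login"` and `"Password": "password"` in `appsettings.agent.json`, and this page, unlike the other connector pages in the patch, has no Credential protection section; add one or link to the relevant topics. The introduction says the connector "exports and fulfills" but the page has no Fulfill section, and the Prerequisites call the OASIS OData specification an "RFC".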
@@ -0,0 +1,277 @@ +# Okta + +This connector exports and fulfills entries from/to Okta application. + +![okta](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp) + +## Overview + +Okta is an access management solution that provides SSO and federation capabilities for single +sign-on, multi-factor authentication, and API access management. Okta's platform is widely used by +organizations to protect accesses for digital identities in an increasingly complex and +interconnected digital world. + +### Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation +- An Okta Token with specific permissions on the target instance + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +### Configuration + +To configure the Okta connector it is necessary to: + +**Step 1 –** Create a new user for Netwrix Identity Manager (formerly Usercube). + +In order to do so you must connect to the Okta administration console +`https://myexample-admin.okta.com` and create a new Netwrix Identity Manager (formerly Usercube) +user. + +**NOTE:** For some Okta deployments it is possible to create a service account or to Manage an Okta +user account as a service account. + +**Step 2 –** Assign administrator role and permissions to the Netwrix Identity Manager (formerly +Usercube) user. + +**Step 3 –** Generate a Token for the Netwrix Identity Manager (formerly Usercube) user. + +See the +[Okta documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/service-accounts/service-accounts-overview.htm) +for additional information. + +### Export + +This connector exports a list of users, groups, applications with their attributes specified in the +connector's configuration, to CSV files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > Connections section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} + +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain \<, \>, :, ", /, \, |, ?, \* and \_. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + "Connections": { + ... + "OktaExportFulfillment": { + "Server": " https://.okta.com", + "ApiKey": "", + } + } +} + +``` + +### Setting attributes + +| Name | Type | Description | +| --------------- | ------ | ----------------------- | +| Server required | String | URI of the data system. | +| ApiKey required | String | User token value. 
| + +### Output details + +This connector can create, delete and update users, groups and applications, and is meant to +generate the following to the ExportOutput folder : + +- A CSV file, named \\_users.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named \\_groups.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named \\_apps.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named \\_groupsapps.csv, with one column for each property + either having a ConnectionColumn or which is used in an entity association; +- A CSV file, named \\_groupsusers.csv, with one column for each property + either having a ConnectionColumn or which is used in an entity association; + +For example, with the following entity type mapping for users: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + + + + + + + + + + + +... + + + + + + + + + + + + + + + +``` + +And the following entity type mapping for groups: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + + + + + + + + + + + + + + + + + + +``` + +And the following entity type mapping for applications: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + + + + + + + + + + + + + + + + + +``` + +Then we will have `C:/UsercubeContoso/Sources/OktaExportFulfillment_users.csv` as follows: + +``` +id, status, created, activated, statusChanged, lastLogin, lastUpdated, passwordChanged, type.id, profile.city, profile.costCenter, profile.countryCode, profile.department, profile.displayName +``` + +And `C:/UsercubeContoso/Sources/OktaExportFulfillment_groups.csv` as follows: + +``` +id, created, lastUpdated, lastMemberShipUpdated, type, profile.description, profile.name +``` + +And `C:/UsercubeContoso/Sources/OktaExportFulfillment_apps.csv` as follows: + +``` +id, created, lastUpdated, status, name, label +``` + +### Fulfill + +The Okta connector writes to Okta to create, update and delete entries, initiated manually through +the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + "Connections": { + ... + "OktaExportFulfillment": { + "Server": " https://.okta.com", + "ApiKey": "", + } + } +} + +``` + +### Password reset + +The password reset settings configuration is described in the appsettings.agent.json file. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the appsettings.encrypted.agent.json file +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +- A [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)Vault able to + store Okta Login, Password, Account and Server. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md new file mode 100644 index 0000000000..55f530efaa --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md 
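Review bot: In okta/index.md, both `OktaExportFulfillment` examples are invalid JSON as written: `"ApiKey": "",` leaves a trailing comma before the closing brace, and `"Server": " https://.okta.com"` has a leading space and no placeholder for the Okta domain. The Credential protection section says the vault can store "Okta Login, Password, Account and Server", but the Setting attributes table defines only `Server` and `ApiKey`; name `ApiKey` there, since it is the secret this connector holds. All three bullets in that section are labelled "Connection" and link to the connection page instead of the protection topics. Step 2 says "Assign administrator role and permissions" and the prerequisites mention "specific permissions" without listing them; state the minimum Okta role the token needs so the account is not over-privileged by default. The three entity type mapping fences are empty, the output file names have lost their connection-identifier placeholder (`\\_users.csv`), and the example paths use `C:/UsercubeContoso/Sources/` although the text says the files go to the ExportOutput folder.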
@@ -0,0 +1,247 @@ +# OpenLDAP + +This connector exports and fulfills entries from/to an [OpenLDAP](https://www.openldap.org/) +directory. + +This page is about [ OData ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odata/index.md). + +![Package: Directory/Open LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp) + +## Overview + +OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with reading and writing permissions on the target OpenLDAP server; +- enabling SyncProv Overlay for the OpenLDAP server. + + To perform a complete export without the SyncProv Overlay enabled, use rather the + [ LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) connector. + +## Export + +This connector exports to CSV files the content of an OpenLDAP Directory. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections":{ +> ... 
+> "OpenLDAPExport": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Filter": "(|(objectclass=person)(objectclass=ou))", +> "Scope": "SubTree", +> "SSL": "true" +> } +> ... +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** IP address and port of the OpenLDAP server. | +| DistinguishedName required | **Type** String **Description** Distinguished Name of the domain controller. | +| Login required | **Type** String **Description** OpenLDAP server's login. | +| Password required | **Type** String **Description** OpenLDAP server's password. | +| SSL optional | **Type** Boolean **Description** `True` to enable SSL (Secure Socket Layer) protocol for authentication requests. | +| | | +| --- | --- | +| TimeFormat default value: 60 | **Type** Int32 **Description** Timeout (in seconds) for the export's requests to the targeted server. | +| WaitingTimeInSeconds default value: 30 | **Type** Int32 **Description** Time period (in seconds) during which pulling for changes is not allowed during the persistent phase. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to +the[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder: + +- a CSV file, named `_entry.csv`, with one column for each property having a + `ConnectionColumn` and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + +- a CSV file for each `ConnectionTable` in a related `EntityTypeMapping` or + `EntityAssociationMapping`, and which is not an `entry`, named + `_.csv`; + + > For example, `OpenLDAPExport_member` as `ConnectionTable` in a mapping will generate the file + > `OpenLDAPExport_member.csv` with `member` as link attribute. + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +The CSV files are stored in the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder, and the +cookie file in the Export Cookies folder. 
+ +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/UsercubeContoso/Temp/ExportOutput/OpenLDAPExport.csv` like: +> +> ``` +> entry.csv +> Command,entryUUID,dn,cn,objectClass,parentdn +> Insert,value1,value2,...,valueN +> ``` +> +> And we would also have `C:/UsercubeContoso/Temp/ExportOutput/OpenLDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> Command,entryUUID,member +> Insert,value1,value2,...,valueN +> ``` + +## Fulfill + +This connector fulfills via the LDAP connector's fulfill process. + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Identity Manager UI or by [Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) +enforcement. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "OpenLDAPFulfillment": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "SSL": "true", +> "IsLdapPasswordReset": "true" +> } +> } +> } +> ``` + +#### Setting attributes + +| | | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | +| | | +| --- | --- | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + safe; + +- a + [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + able to store OpenLDAP's `Login`, `Password` and `Server`. 
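Review bot: in openldap/index.md, both `appsettings.agent.json` examples (`OpenLDAPExport` and `OpenLDAPFulfillment`) carry the bind `Password` in clear text, and the `SSL` row is marked optional with no default stated. Suggest adding a sentence beside each example that points to the Credential protection section at the end of the page, and stating the default in the `SSL` row so a reader knows whether `Login` and `Password` are protected in transit when the key is omitted. Separately, the Fulfill section's Setting attributes table repeats the export-only `Filter` and `Scope` rows under an empty header while the fulfillment example uses neither; its Output details paragraph describes `useraccountcontrol` values `514` and `512`, which is an Active Directory attribute; `TimeFormat` is described as a timeout in seconds; and the example writes `"Scope": "SubTree"` where the table lists `Subtree`.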
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md new file mode 100644 index 0000000000..cf7392d198 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md 
@@ -0,0 +1,143 @@ +# PowerShellProv + +This connector writes to an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about [ PowerShellProv ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md). + +![Package: Custom/PowerShellProv](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Identity Manager to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly + Usercube)' guidelines below. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector executes a PowerShell script for the creation, deletion and update of any entity +linked to the managed system. 
+ +> For example, it can fulfill the `mailboxes` entity from Microsoft Exchange. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills a CSV file through the script `Fulfill-CSV.ps1`, for a single target +> managed system identified by the `PowerShellCsvFulfillment` subsection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "PowerShellScriptPath": "C:/UsercubeDemo/Scripts/Fulfill-CSV.ps1", +> "Options": { +> "Message": "Hello", +> "Login": "admin", +> "Password": "secret" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| PowerShellScriptPath required | **Type** String **Description** Path of the executed PowerShell script (.ps1). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example** ` "Options": { "Login": "admin", "Password": "secret" }` In order for the script to access these options, the following two lines of code must be included in the script: `$options = [System.Console]::ReadLine() $options = ConvertFrom-Json $options` Afterwards, any one of these variables can be easily accessed: `$options.Login$options.Password # -> admin and secret` | + +### Write a script + +See how to +[ Write a PowerShell Script for Provisioning ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md)to +allow provisioning with this connector. + +## Authentication + +### Password reset + +The PowerShell script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| -------------------- | ------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| PowerShellScriptPath | `Connections----PowerShellScriptPath` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + the attributes from the `Options` section that are compatible with CyberArk. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. 
+ +> For example, consider `Login` and `Password` values stored in the `PowerShellCsv_Account` account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "Options": { +> "Login": "PowerShellCsv_Account", +> "Password": "PowerShellCsv_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md new file mode 100644 index 0000000000..1397c6fe8e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md 
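Review bot: in powershellprov/index.md, the Prerequisites bullet "has its execution policy properly configured" does not name the policy the agent needs, and nothing on the page says who may write to `PowerShellScriptPath`. Since the agent runs that script and hands it the `Options` values (including `Password`) on standard input via `[System.Console]::ReadLine()`, suggest naming the minimum execution policy, saying whether signed scripts are supported, and recommending that the script folder be writable by administrators only. In the `Options` row the two required script lines and the access example are run together inside one table cell (`$options.Login$options.Password`); moving them to a fenced block under the table would make them copyable.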
@@ -0,0 +1,108 @@ +# PowerShellSync + +This connector exports data from an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about [ PowerShellSync ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md). + +![Package: Custom/PowerShellSync](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +Data can be synchronized from any managed system by writing a PowerShell script that generates the +relevant CSV files for Identity Manager. The PowerShellSync connector provides all the necessary +tools for an easy integration of the script with Identity Manager's synchronization mechanisms. + +When Identity Manager provides a native connector for a given system, for example the Active +Directory connector, Netwrix Identity Manager (formerly Usercube)highly recommends using the native +connector rather than this PowerShell connector. 
+ +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Identity Manager to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly + Usercube)' guidelines below. + +## Export + +This connector executes a PowerShell script that generates one or several CSV files. These files are +to be used during the synchronization of the data from the managed system targeted by the +PowerShellSync connector. + +The CSV files must be written to the `$OutputPath`. + +The export is executed by a job from the UI, or via `Usercube-Export-Powershell.exe` in the command +prompt. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "PowerShellExport": { +> "PowerShellScriptPath": "C:/UsercubeDemo/Scripts/Export-CSV.ps1", +> } +> } +> } +> ``` + +##### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------ | +| PowerShellScriptPath required | **Type** String **Description** Path of the PowerShell script (.ps1) to be executed. | + +### Write a script + +Identity Manager provides a few variables to be used in the PowerShell script. + +| Name | Details | +| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | +| OutputPath | **Type** String **Description** Prefix of the path of the generated CSV file. **Info:** the synchronization process requires the generated CSV file to be located in a very specific location, with a specific name prefix. Hence the need for this predefined variable. **Value** [``](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)`/ExportOutput/_` **Example** In this example, if the temp folder is named `Temp` and the connection `PowerShellExport`, then the generated file is: `Temp/ExportOutput/PowerShellExport_users.csv`. 
```generateCSV | Export-CSV ($OutputPath + "users.csv")` where`generateCSV``` is a generic PowerShell method that generates CSV files. | +| IsIncremental | **Type** Boolean **Description** Variable to be used to provide a different behavior for complete and incremental synchronization. | + +## Fulfill + +There are no fulfill capabilities for this connector. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/racf/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/racf/index.md new file mode 100644 index 0000000000..c61c23e833 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/racf/index.md 
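Review bot: in powershellsync/index.md, the connection exposes only `PowerShellScriptPath` and the page has no Authentication or Credential protection section, so it never says how an export script should obtain credentials for the managed system. The sibling PowerShellProv page passes them through `Options` and documents protection for them; suggest either documenting the equivalent here or stating explicitly that none exists, so script authors are not left to hard-code secrets in the `.ps1`. Also in this hunk: the example has a trailing comma after the `PowerShellScriptPath` value, the heading is `##### Setting attributes` where the other connector pages use `####`, and the `OutputPath` row has unbalanced backticks around `generateCSV | Export-CSV ($OutputPath + "users.csv")` plus a third column in the separator row that the header does not have.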
@@ -0,0 +1,112 @@ +# RACF + +This connector exports users and profiles from a +[RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) file. + +This page is about [ RACF ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/racf/index.md). + +![Package: MainFrame/RACF](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp) + +## Overview + +Resource Access Control Facility (RACF) is a security program from IBM OS/390 used to protect users' +resources by controlling their accesses. The RACF connector exports the information saved by RACF +about users, groups and access authorities. + +## Prerequisites + +Implementing this connector requires the input file to be in the RACF format, but it can have any +extension. + +## Export + +This connector extracts the information found in a RACF file and transforms it into CSV files in +Identity Manager format. + +Be aware that Identity Manager supports only the RACF records represented by the following codes: + +- [0100; 0120; 0101; 0102](https://www.ibm.com/docs/en/zos/2.1.0?topic=records-record-formats-produced-by-database-unload-utility#0100-0120-0101-0102) + (groups); +- [0200; 0203](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-user-record-formats) (users); +- [0500; 0503](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-general-resource-record-formats) + (general resources). + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. 
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example reads RACF data from the `C:/UsercubeContoso/RacfFile.csv` iso-8859-1 file +> and exports it to CSV files in Identity Manager format: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "RACF": { +> "Path": "C:/UsercubeContoso/RacfFile.csv", +> "Encoding": "iso-8859-1", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path required | **Type** String **Description** Path of the RACF file to be exported. | +| | | +| --- | --- | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder one CSV +file per record type (0100, 0200, etc.), named `_.csv`. + +> For example, consider an export with a connection named `ExportRacf`, and a source file containing +> the record types 0100, 0120, 0203. Then we will have three output files named +> `ExportRacf_0100.csv`, `ExportRacf_0120.csv` and `ExportRacf_0203.csv`. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), nor a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md new file mode 100644 index 0000000000..cd1ab003c4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md 
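Review bot: in racf/index.md, the Credential protection section is unreadable as written because all three links carry the same label, `Connection`, and the same target, so the text says the connector uses neither "Connection" nor "a Connection" but can be protected through "an Connection safe". Suggest restoring the names of the three mechanisms as link text, each pointing at its own topic. Since the file at `Path` holds the information RACF saves about users, groups and access authorities, a sentence on restricting read access to that file would fit here too. Minor: the example has a trailing comma after `"Encoding": "iso-8859-1"`, and a stray `| | |` and `| --- | --- |` pair splits the Setting attributes table before the `Encoding` row.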
@@ -0,0 +1,135 @@ +# Robot Framework + +This connector writes to an external system via a [Robot Framework](https://robotframework.org) +script. + +This page is about [ Robot Framework ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md) + +![Package: Custom/Robot Framework](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp) + +## Overview + +Robot Framework is an open-source automation framework which can be used for robotic process +automation (RPA). This framework is easy to use thanks to its human-readable syntax. +It has a modular architecture that can be extended by +[libraries](https://robotframework.org/#libraries) implemented with Python or Java. These libraries +provide various tools to interact with a managed system. + +## Prerequisites + +Implementing this connector requires the agent to include the following elements: + +- [Python](https://www.python.org/downloads/) 3.7 or above. Specific Robot Framework libraries may + require a specific Python version; +- Python folder location in the `PATH` environment variable list and the location of its subfolder + `Scripts`; +- Robot Framework: use `pip install robotframework` in the command prompt. If the installation ran + correctly, `robot.exe` should be in your path. You can confirm this by running `gcm robot` in a + powershell console. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector can create, update and/or delete any entity linked to the managed system. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... 
+ "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills in a CSV file by using the script `FulfillRobotFramework.robot`: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "RobotFrameworkScriptPath": "C:/UsercubeDemo/Scripts/FulfillRobotFramework.robot", +> "Options": { +> "Message": "Hello" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RobotFrameworkScriptPath required | **Type** String **Description** Path to the executed Robot Framework script (.robot). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example** ` "Options": { "Login": "admin", "Password": "secret" }` Access these options in the script using the following method: `${login}= Get Secure Data Login False ${password}= Get Secure Data Password True` **Info:** when the boolean argument from `Get Secure Data` is set to `True`, then the value is stored in the variable and erased from memory, hence not retrievable on next call. This enables control over sensitive data like passwords by defining the lifetime of the variable containing sensitive data. **Warning:** never use `Get Secure Data` when `Options` is empty. | + +### Write a script + +See how +to[ Write a Robot Framework Script ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) to +allow provisioning with this connector. + +## Authentication + +### Password reset + +The script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- an [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------ | ----------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| RobotFrameworkScriptPath | `Connections----RobotFrameworkScriptPath` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + the attributes from the `Options` section that are compatible with CyberArk. 
+ +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example, consider `Login` and `Password` values stored in the `RobotFramework_Account` +> account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "Options": { +> "Login": "RobotFramework_Account", +> "Password": "RobotFramework_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md new file mode 100644 index 0000000000..c22cc49c60 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md 
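Review bot: in robotframework/index.md, the `Options` row describes the key-value pairs as "all the variables required by the PowerShell script", which looks copied from the PowerShellProv page; it should say Robot Framework script. In the same cell, the warning "never use `Get Secure Data` when `Options` is empty" gives no reason or failure mode, and the two `Get Secure Data` calls are run together on one line; suggest stating what happens in that case and moving the calls to a fenced block with one keyword call per line. The Info text would also be clearer if it said plainly that passing `True` makes the value unavailable to any later `Get Secure Data` call, since that is what determines where in a script the password can be read.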
@@ -0,0 +1,310 @@ +# SAP ERP 6.0 and SAP S4/HANA + +This connector exports and fulfills users and roles from/to an +[SAP ERP 6.0](https://www.sap.com/products/erp/what-is-sap-erp.html) or +[SAP HANA](https://www.sap.com/products/technology-platform/hana/what-is-sap-hana.html) instance. + +This page is about ERP/SAP ERP 6.0. + +![Package: ERP/SAP ERP 6.0](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp) + +## Overview + +The SAP Enterprise Resource Planning (SAP ERP) software incorporates the core business processes of +an organization, such as finance, production, supply chain services, procurements, human resources +(HR), etc. The SAP ERP connector exports and fulfills data from/to an SAP ERP 6.0 system. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation; See the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information. +- An ASE or HANA database with a service account, as a database administrator +- A service account, as a SAP user with at least the roles for user management +- The prerequisites for reading should be set up +- The prerequisites for writing should be set up + +ASE or HANA database with a service account, as a database administrator + +To connect to the SAP database using SSH, use the following commands: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +su sybaba +isql -S -U -P -X +``` + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X +``` + +Service account, as a SAP user with at least the roles for user management + +Create a login for Identity Manager's service account with at least reading access on user +management tables by using a command from the table below: + +| Table | Usage | +| ----------------- | --------------------------------------- | +| USR02 | Users table | +| AGR_USERS | Links between Users and Roles | +| AGR_TEXTS | Roles labels according to the language | +| USER_ADDR | | +| AGR_1016 AGR_PROF | Links between Profiles and Roles | +| USR10 | Profiles tables | +| USR11 | Profiles labels | +| AGR_DEFINE | Roles table | +| AGR_AGRS | Composition links | +| USGRP | Groups table | +| USGRPT | Groups labels | +| UST04 | Links between Users and Profiles | +| UST10C | Links between Profiles and Sub-profiles | +| AGR_TCODES | Links between Roles and Transactions | +| T002 | Languages codes | + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +execute sp_addlogin \, \, \go use ABA go +execute sp_adduser \go grant select on ABA.SAPSR3.USR02 to usercube grant select on +ABA.SAPSR3.AGR_USERS to usercube grant select on ABA.SAPSR3.USER_ADDR to usercube grant select on +ABA.SAPSR3.AGR_1016 to usercube grant select on ABA.SAPSR3.USR10 to usercube grant select on +ABA.SAPSR3.USR11 to usercube grant select on ABA.SAPSR3.AGR_AGRS to usercube grant select on +ABA.SAPSR3.USGRP to usercube grant select on ABA.SAPSR3.UST04 to usercube grant select on +ABA.SAPSR3.AGR_TCODES to user grant select on ABA.SAPSR3.T002 to usercube Go + +Set up the prerequisites for reading + +To set up the prerequisites for reading follow the steps below. + +**Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Identity Manager. 
+ +![connectorreadprerequisites1](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp) + +**Step 2 –** Unzip the "hdbclient.zip" archive to C: drive and add the path to the Path environment +variables. + +![connectorreadprerequisites2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp) + +**Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and +`HDBADOTNETCORE=C:\hdbclient\dotnetcore`. + +Set up the prerequisites for writing + +**NOTE:** Make sure the Read prerequisites are configured first. + +**Step 1 –** Copy the provided DLL `sapnwrfc.dl` into the Runtime of Identity Manager. + +**Step 2 –** Unzip the `dotnet86.zip` archive to `C:\dotnetx86`. + +**Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Identity +Manager. + +![connectorwriteprerequisites](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp) + +**Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`. + +![connectorwriteprerequisites2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp) + +**Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 +(e.g.: `C: \donetx86\dotnet.exe`). + +## Export + +This connector extracts users, roles, profiles, profile memberships, role memberships and groups +from an SAP ERP instance, and writes the output to CSV files. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. 
See the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit. +- Not contain \<, \>, :, /, \, |, ?, \*, and \_. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Server": "serverUrl", + "AseLogin": "login", + "AsePassword": "password", + "Instance": "sapInstance", + "Port": "4242", + "Client": "123", + "Language": "fr" + } + } +} + +``` + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| AseLogin required | String | Login to connect to SAP ASE. | +| AsePassword required | String | Password to connect to SAP ASE. | +| Client required | String | Client id of SAP. | +| Instance required | String | Instance of the SAP database. | +| Language required | String | SAP language. | +| Port required | String | Port of the SAP ERP server. | +| Server required | String | URL of the SAP ERP server. 
| + +### Output details + +This connector is meant to generate to the ExportOutput folder the following files: + +- SAPExportFulfillment_users.csv; +- SAPExportFulfillment_roles.csv; +- SAPExportFulfillment_usersroles.csv; +- SAPExportFulfillment_profiles.csv; +- SAPExportFulfillment_profilesprofiles.csv; +- SAPExportFulfillment_rolesprofiles.csv; +- SAPExportFulfillment_usersprofiles.csv; +- SAPExportFulfillment_rolesroles.csv; +- SAPExportFulfillment_groups.csv; +- SAPExportFulfillment_rolestransactions.csv. + +See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Fulfill + +This connector can provision users, role memberships and group memberships to SAP ERP. + +### Configuration + +Same as for export, fulfill is configured through connections. See the +[SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) topic for additional information. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Server": "", + "BapiLogin": "", + "BapiPassword": "" + } + } +} + +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| Server required | String | URL of the SAP ERP server. | +| BapiLogin required | String | Login to connect to the specified server. | +| BapiPassword required | String | Password to connect to the specified server. 
| + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +When setting a password for an SAP ERP user, the password attribute is defined by the password +specified in the corresponding RessourceTypeMapping. See the +[Sap Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) +topic for additional information. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------ | ------------------------------------------------ | +| Server | Connections--\--Server | +| AseLogin | Connections--\--AseLogin | +| AsePassword | Connections--\--AsePassword | +| Instance | Connections--\--Instance | +| Port | Connections--\--Port | +| Client | Connections--\--Client | +| Language | Connections--\--Language | +| BapiLogin | Connections--\--BapiLogin | +| BapiPassword | Connections--\--BapiPassword | +| SystemNumber | Connections--\--SystemNumber | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. 
+ +See the +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Login": "SAPExportFulfillment_CyberArkKey", + "Password": "SAPExportFulfillment_CyberArkKey", + "Server": "SAPExportFulfillment_CyberArkKey" + } + } +} +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md new file mode 100644 index 0000000000..d151e2492c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md 
@@ -0,0 +1,198 @@ +# SAP Netweaver + +This connector exports and fulfills users and roles from/to an +[SAP Netweaver](https://www.sap.com/france/products/technology-platform/hana/what-is-sap-hana.html) +instance. + +This page is about [ SAP S/4 HANA ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saphana/index.md). + +![Package: ERP/SAP S/4 HANA](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp) + +## Overview + +SAP ERP is an enterprise resource planning software developed by the German company SAP SE. The +software incorporates the key business functions of an organization. ERP software includes programs +in all core business areas, such as procurement, production, materials management, sales, marketing, +finance, and human resources (HR). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with reading and writing permissions on the SAP server. + +## Export + +This connector exports users, roles, role memberships and groups from an SAP instance and writes the +output to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... 
+> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder the +following CSV files: + +- `sap_users.csv` with the following columns: + + ``` + sap_users.csv + Command,logonname,isserviceuser,firstname,lastname,salutation,title,jobtitle,mobile,displayname,description,email,fax,locale,timezone,validfrom,validto,lastmodifydate,islocked,isaccountlocked,ispasswordlocked,ispassworddisabled,telephone,department,id,securitypolicy,datasource,company,streetaddress,city,zip,pobox,country,state,orgunit,accessibilitylevel,passwordchangerequired + Insert,value1,value2,...,valueN + ``` + +- `sap_groups.csv` with the following columns: + + ``` + sap_groups.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,distinguishedname + Insert,value1,value2,...,valueN + ``` + +- `sap_roles.csv` with the following columns: + + ``` + sap_roles.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,scopes,actions + Insert,value1,value2,...,valueN + ``` + +- `sap_roles_member.csv` with the following columns: + + ``` + sap_roles_member.csv + Command,id,member + Insert,value1,value2,...,valueN + ``` + +## Fulfill + +This connector writes to SAP to create, update, and/or delete users, groups, roles and group 
+memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for an SAP user, the password attribute is defined by the password specified +in the corresponding +[Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Login": "SAPExportFulfillment_CyberArkKey", +> "Password": "SAPExportFulfillment_CyberArkKey", +> "Server": "SAPExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md new file mode 100644 index 0000000000..d6de48ae76 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/scim/index.md 
@@ -0,0 +1,365 @@ +# SCIM + +This connector exports and fulfills entities from/to a +[SCIM](https://www.okta.com/blog/2017/01/what-is-scim/) compliant application. + +This page is about: + +- Custom/SCIM +- CRM/Salesforce +- Messaging/Slack +- PAM/CyberArk + +![Package: Custom/SCIM](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp) + +![Package: CRM/Salesforce](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp) + +![Package: Messaging/Slack](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp) + +![Package: PAM/CyberArk](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp) + +## Overview + +Simple Cloud Identity Management (SCIM) is a Request for Comments (RFC) standard. It describes a +REST API with specific endpoints to get and set data in a web application for IGA purposes. It +allows an identity provider to manage the web application's accounts. For more details about SCIM +and RFC, see the [IETF document](https://tools.ietf.org/html/rfc7644). + +**NOTE:** Similarly to the Salesforce REST-based API, SCIM for Salesforce enables reading and +writing attributes, but writes to a smaller subset. For example, the following properties are +manageable by the Salesforce REST-based API but not SCIM: `PermissionSetGroup`, +`PermissionSetLicense`, `UserPermissionsKnowledgeUser`, `UserPermissionsInteractionUser`, +`UserPermissionsSupportUser`, `CallCenterId`, `SenderEmail`. + +See the +[Salesforce's documentation](https://help.salesforce.com/s/articleView?id=sf.identity_scim_rest_api.htm&type=5) +for additional information. 
+ +## Prerequisites + +Implementing this connector requires the web application that you want to synchronize to implement +SCIM Version 2.0 or later. + +The implementation of the Salesforce connector requires the completion of the following steps: + +- Connect the application +- Enable OAuth authentication +- Reset the user token +- Configure the Salesforce connection + +Connect the application + +To connect to the Salesforce application do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![salesforce-newconnectedapp](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp) + +**Step 3 –** Go to **App Manager** and **Create a Connected App**. + +![salesforce-enableoauth](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp) + +**Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, +select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth +Scopes. + +**Step 5 –** Save the Application. + +![salesforce-manageconnectedapps](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp) + +**Step 6 –** Go to **Manage Connected Apps** and click on the newly created application. + +![salesforce-manageconsumerdetails](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp) + +**Step 7 –** Click on **Manage Consumer Details**. 
+ +![salesforce-consumerkey](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp) + +**Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass. + +Enable OAuth authentication + +To enable the OAuth authentication do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![oauthauthentication](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp) + +**Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, +enable the option to **Allow OAuth Username-Password Flows**. + +Reset the user token + +To reset the user token do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-usertoken-settings](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp) + +**Step 2 –** Click on **Settings** under the profile details. + +![salesforce-resetseuritytoken](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp) + +**Step 3 –** Click on **Reset My Security Token**. + +![salesforce-checkemail](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp) + +**Step 4 –** An email containing the new token will be sent. + +Configure the Salesforce connection + +To configure the Salesforce connection do the following: + +**Step 1 –** Log into Identity Manager using an admin account. 
+ +![salesforce-connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp) + +**Step 2 –** Create a new Salesforce connector. + +![salesforce-connection](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp) + +**Step 3 –** Add a new Salesforce connection. + +![salesforce-agent-settings](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp) + +**Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**. + +The configuration of the Salesforce connector is completed. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. +See the [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain \<, \>, :, /, \, |, ?, \*, and \_. + +The following example gets information via SCIM on a web application whose URL base is +`https://example.for.doc.com`: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SCIMExport": { + "ApplicationId": "", + "Server": "", + "ApplicationKey": "", + "Login": "", + "Password": "", + "Filter": "" + } + } +} +``` + +Here we use an account's credentials (login and password) with our application's credentials +(ApplicationId and ApplicationKey). + +The filter `?filter=active eq \"true\"` retrieves active Users from the external system. + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter optional | String | Filters applied in the SCIM request retrieving the entities. You should write the filters as you would write them in the URL (including the "?"). For more details on the syntax, see the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document). Syntax:EntityNameInSCIM1|scimFilter1\*EntityNameInSCIM2|scimFilter2\*EntityNameInSCIM3|scimFilter3 | +| OAuth2Url optional | String | URL which get tokens for the requests. The system can usually find this information, but sometimes the system gets it wrong, like Salesforce for example. | +| PageSize default value: 200 | String | Maximum number of elements returned by one request. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. 
| +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login and Password) are used to obtain a +token from the application for our requests. + +### Output details + +This connector is meant to generate to the ExportOutput folder the following CSV files: + +- One file for each SCIM entity, coming from entity type mappings's connection tables, named + `_.csv`, with one column for each property having a ConnectionColumn + and each property without it but used in an entity association; +- One file for each membership, coming from entity association mappings's connection tables, + named` _members_.csv`, with the following columns: + - Value — ID of the group + - MemberId — ID of the group member +- One file for each entity named Containers such as CyberArk's privileged data, named + `_privilegedData_Containers.csv`. + +See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) and +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +topics for additional information. + +For the connector to work properly, the connection tables must follow the naming conventions too: +`_ for entities and _members_` for links. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character ":" should not be used in other situations. 
+ +For example, if we want to retrieve information about Users, Groups and Groups' members, we should +have the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +We would have SCIMExport_Users.csv with the column headers id, `name:givenName` and `emails:value`, +`SCIMExport_Groups.csv` with the column headers id and `displayName`, and +`SCIMExport_members_Groups.csv` with the column headers value and `MemberId`. + +Each column contains the value of the corresponding attribute. SCIM attributes are described in the +[RFC document](https://tools.ietf.org/html/rfc7643). + +### Limitations + +The incremental mode only works for User entities and not for the others like Groups or Roles. It +means that entities like Groups or Roles are always handled with the complete mode. + +## Fulfill + +This connector writes to the managed web application to create, update, and/or delete users with +their attributes and group memberships, but no group or other entities. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example writes information to SCIM on a web application whose URL base is +> `https://example.for.doc.com`. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SCIMFulfillment": { +> "ApplicationId": "", +> "Server": "", +> "ApplicationKey": "", +> "Login": "", +> "Password": "", +> "ServiceSupportBulk": true, +> "BulkMaxOperation": 10 +> } +> } +> } +> ``` +> +> Here we use an account's credentials (login and password) with our application's credentials +> (ApplicationId and ApplicationKey). +> +> We specify that bulk requests are supported with a maximum of 10 operations per request. 
+ +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BulkMaxOperation optional | Int32 | Maximum number of operations which can be sent in one bulk request. | +| ServiceSupportBulk optional | Boolean | True to allow bulk requests. depends on the web application's SCIM implementation. See the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document) for additional information. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| ApplicationKey optional | String | Password of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. | +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login, and Password) are used to obtain a +token from the application for our requests. + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------ | ------------------------------------------------ | +| ApplicationId | Connections--\--ApplicationId | +| ApplicationKey | Connections--\--ApplicationKey | +| BulkMaxOperation | Connections--\--BulkMaxOperation | +| Login | Connections--\--Login | +| Password | Connections--\--Password | +| ServiceSupportBulk | Connections--\--ServiceSupportBulk | +| Server | Connections--\--Server | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. + +See the +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Login": "SAPExportFulfillment_CyberArkKey", + "Password": "SAPExportFulfillment_CyberArkKey", + "Server": "SAPExportFulfillment_CyberArkKey" + } + } +} +``` 
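Review bot: In the added saperp6/index.md, the Prerequisites example `isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X` commits what reads as a real login and password for the ASE service account. Replace both with placeholders such as `<login>` and `<password>`, and rotate the credential if it was ever valid. The template line above it, `isql -S -U -P -X`, and the `sp_addlogin`/`sp_adduser` script have lost the `<>` placeholders that the preceding sentence tells the reader to replace, and the grant script is unfenced and runs together as one paragraph. In that script, `grant select on ABA.SAPSR3.AGR_TCODES to user` grants to `user` while every other line grants to `usercube`, and there are no grants for AGR_TEXTS, AGR_PROF, AGR_DEFINE, USGRPT or UST10C although the table lists them. Smaller points: the prerequisite asks for a service account "as a database administrator" while the script only grants select rights, `sapnwrfc.dl` and `C: \donetx86\dotnet.exe` look like typos given `C:\dotnetx86` in Step 2, and the CyberArk example uses `Login`/`Password` keys where this connector's settings are `AseLogin`, `AsePassword`, `BapiLogin` and `BapiPassword`.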
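Review bot: In the added sapnetweaver/index.md, all three options under Credential protection are rendered as `[ Connection ]` links to .../connectors/connection/index.md, so the reader cannot tell which one is RSA encryption, which is Azure Key Vault and which is CyberArk. The saperp6 page in this same patch names them and links to rsa-encryption, azure-key-vault and cyberark-application-access-manager-credential-providers, and this page should do the same. The Key Vault names `Connections----Server`, `Connections----Login` and `Connections----Password` appear to have lost the connection identifier between the two `--` separators, and the template `"": {` has an empty identifier as well. The same wrong link text appears in Output details ("generate to the [ Connection ] folder"), the intro says "This page is about SAP S/4 HANA" on the Netweaver page, and the SAP Netweaver link targets what-is-sap-hana.html.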
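Review bot: In the added scim/index.md, the CyberArk example at the end of Credential protection is keyed `SAPExportFulfillment` with `SAPExportFulfillment_CyberArkKey` values, copied from the SAP pages. Use this page's own connection names (`SCIMExport`, `SCIMFulfillment`) and state whether `ApplicationId` and `ApplicationKey` can be stored there too, since the bullet above mentions only "Active Directory's Login, Password, and Server". Under Output details the fence after "we should have the following configuration" is empty, and the export example sets every value to `""` even though the prose refers to `https://example.for.doc.com` and to the filter `?filter=active eq \"true\"`, so the sample values or placeholders need restoring. `ApplicationKey` is used in the export example but missing from the export Setting attributes table, and the naming conventions `_.csv`, `_members_.csv` and `_ for entities and _members_` have lost their placeholder parts. In the Salesforce steps, "Keypass" reads as a misspelling of the password manager's name, and Step 3 of Enable OAuth authentication turns on "Allow OAuth Username-Password Flows" without saying why the connector needs it or how it relates to the `OAuthToken` setting.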
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md new file mode 100644 index 0000000000..fdaf1b9fd8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md 
@@ -0,0 +1,276 @@ +# ServiceNow + +This connector exports and fulfills any data, including users and roles, from/to a +[ServiceNow CMDB](https://www.servicenow.com/products/servicenow-platform/configuration-management-database.html). + +This page is about [ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md). + +![Package: ITSM/ServiceNow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow Entity Management. To learn about how to use this connector to +create tickets for other resources, see +[ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). + +## Prerequisites + +Implementing this connector requires: + +- reading first the appsettings documentation; +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports to CSV files ServiceNow's tables (Users, Groups, Group Memberships). + +An incremental search is possible to retrieve added and updated records but a full delta (including +deleted items) can't be performed. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example retrieves from users only those that are active, and no filter is applied to +> the other tables. A single request can retrieve up to 5,000 entries, no more. This means that if +> there are 6,000 `sys_user` to retrieve, then all of them will be retrieved but with two requests. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). 
| +| | | +| --- | --- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder one CSV +file for each table, named `_.csv`. + +Identity Manager lists the tables to retrieve based on +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)'s +and +[ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)'s +connection tables. + +For the connector to work properly, the connection tables must follow the naming convention too: +`_`. 
+ +> For example, with the following configuration: +> +> ``` +> +> /> +> +> ``` +> +> We would have: +> +> ``` +> ServiceNowExportFulfillment_sys_user.csv +> sys_id,active,name,user_name,email +> ... +> +> ``` +> +> ServiceNowExportFulfillment_sys_group.csv sys_id,name,description ... +> +> ``` +> ServiceNowExportFulfillment_sys_user_grmember.csv +> user,group +> ... +> +> ``` + +## Fulfill + +This connector writes to ServiceNow to create, update, and/or delete any data. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. 
| +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for an ServiceNow user, the password attribute is defined by the password +specified in the corresponding +[Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). 
+ +### Credentials protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| Filter | `Connections----Filter` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Login": "ServiceNowExportFulfillment_CyberArkKey", +> "Password": "ServiceNowExportFulfillment_CyberArkKey", +> "Server": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientId": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientSecret": "ServiceNowExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` 
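Review bot: In the Export "Setting attributes" table the six rows `Server` through `OAuth2Url` appear twice, the second time under an empty `| | |` header, while `Filter` and `ResponseSizeLimit` (both used in the export examples and listed in the Azure Key Vault table) are never documented. Suggest replacing the duplicated rows with entries for `Filter` and `ResponseSizeLimit`, including the `table#condition` syntax shown in `"Filter":"sys_user#active=true"` and whether 5,000 is the default or the maximum. Under "Credentials protection" all three bullets use the link text "Connection" and point to `connectors/connection/index.md`, which gives "An Connection safe" and "a Connection able to store Active Directory's ..."; these should name RSA encryption, Azure Key Vault and CyberArk, link to the matching agent-configuration topics, and refer to ServiceNow rather than Active Directory. In "Output details" the `ServiceNowExportFulfillment_sys_group.csv` sample sits outside its code fence, so the fences after `sys_user.csv` need rebalancing. Minor: "an ServiceNow user" should be "a ServiceNow user", and the heading is "Credentials protection" here but "Credential protection" on the sibling pages.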
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md new file mode 100644 index 0000000000..021765a4ac --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md 
@@ -0,0 +1,118 @@ +# ServiceNowTicket + +This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for manual provisioning. + +This page is about [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). + +![Package: Ticket/ServiceNow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow ticket creation for the fulfillment of resources that can't or +shouldn't be performed with an existing fulfill. To learn about how to manage entities, see +[ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)Entity Management. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports some of ServiceNow entities, see the export capabilities of the +[ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)connector. 
Some entities cannot be exported. + +## Fulfill + +This connector writes to ServiceNow to create incident and request tickets containing information to +create, update or delete a resource. It does not create nor update a resource directly. + +Once created, the ticket is managed in ServiceNow, not in Identity Manager. + +When the ticket is closed or canceled, Identity Manager updates the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) of the +resource accordingly. + +See the fulfill capabilities of the [ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)connector. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for a ServiceNow user, the password attribute is set to the chosen value and +the user's **password_needs_reset** attribute is set to `true`. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------- | ------------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| TicketCookieDirectoryPath | `Connections----TicketCookieDirectoryPath` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Login": "ServiceNowFulfillManual_CyberArkKey", +> "Password": "ServiceNowFulfillManual_CyberArkKey", +> "Server": "ServiceNowFulfillManual_CyberArkKey", +> "ClientId": "ServiceNowFulfillManual_CyberArkKey", +> "ClientSecret": "ServiceNowFulfillManual_CyberArkKey" +> } +> } +> } +> ``` 
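Review bot: This page has no Configuration section or "Setting attributes" table, yet the Azure Key Vault table lists `ClientId`, `ClientSecret`, `OAuth2Url`, `TicketCookieDirectoryPath` and `ResponseSizeLimit`, and the only example shows `Server`, `Login` and `Password`. `TicketCookieDirectoryPath` in particular is not explained anywhere in the file. Suggest adding a settings table under Fulfill that documents each attribute, or trimming the Key Vault table to the attributes this connector actually accepts. The Export section says the connector "exports some of ServiceNow entities" and then "Some entities cannot be exported" without saying which; either list them or defer entirely to the entity management page. As on the entity management page, the three "Credential protection" bullets all carry the link text "Connection" ("An Connection safe") and mention "Active Directory's" attributes; they should name RSA encryption, Azure Key Vault and CyberArk. Minor: a space is missing after several links, as in `index.md)connector`, `index.md)documentation` and `index.md)Entity Management`.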
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md new file mode 100644 index 0000000000..a2a63a622c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md 
@@ -0,0 +1,169 @@ +# SharedFolders + +This connector exports users and permissions from Windows shared folders. + +This page is about [ Shared Folders ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md). + +![Package: Storage/Shared Folders](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp) + +## Overview + +Also known as UFA (Identity Manager Folder Access), this connector can be used to scan the access +rights assigned to folders and files in computers and networks which comply with the +[Windows File Security and Access Rights systems](https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights). + +## Prerequisites + +Implementing this connector requires an account with the permissions: + +- to access all relevant folders and files and read their entitlements; +- **Log on as a batch job** in the local group policy, when the connector's authentication mode is + batch. + + ![SharedFolder - Permission for Batch Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp) + +## Export + +This connector scans shared folders in order to export their content to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example reads `12` levels of folders in the folders `R&D_Projects` and `Management` +> in the network `OfficeNetwork` and in `C:/`. We only read entitlements about folders and we don't +> have access rights to the entitlements associated with the SIDs `S-1-3-2-4` and `S-5-7-6-8`. We +> use the service account [account@example.com](mailto:account@example.com) with its related +> password and domain, and interactive connection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SharedFolderExport": { +> "InputDirectories": [ "OfficeNetwork/R&D_Projects", "OfficeNetwork/Management", "C:/" ], +> "OnlyDirectoryScan": "true", +> "LevelOfScan": "12", +> "ListOfSIDToAvoid": [ "S-1-3-2-4", "S-5-7-6-8" ], +> "Login": "account@example.com", +> "Password": "accountexamplepassword", +> "Domain": "Example", +> "Interactive": true +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InputDirectories required | **Type** String List **Description** Paths of the folders to be scanned. | +| Domain optional | **Type** String **Description** Domain of the account used to access files and read their access rights. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set authentication as interactive, `False` to set it as batch. | +| LevelOfScan optional | **Type** Int32 **Description** Number of file and folder levels to be scanned. By default, it scans the whole folder tree for each input directory. | +| ListOfSIDToAvoid optional | **Type** String List **Description** SIDs (users or groups) to exclude from the scan. 
| +| OnlyDirectoryScan default value: False | **Type** Boolean **Description** `True` to scan only folders' entitlements and not files', `False` to scan all. | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. **Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder the +following CSV files: + +- `_ACE.csv`, with the following columns: + - **key**: concatenation of `Right`, `Path` and `OwnerSID`; + - **Path**: path of the folder or file; + - **Right**: entitlement among the following, listed from weakest to strongest: + ListDirectory / ReadData / CreateFiles / WriteData / AppendData / CreateDirectories / + ReadExtendedAttributes / WriteExtendedAttributes / ExecuteFile / Traverse / + DeleteSubdirectoriesAndFiles / ReadAttributes / WriteAttributes / Write / Delete / + ReadPermissions / Read / ReadAndExecute / Modify / ChangePermissions / TakeOwnership / + Synchronize / FullControl + - **AllowOrDeny**: `0` (or `false`) if the entitlement is allowed, `1` (or `true`) if it is + denied; + - **OwnerSID**: SID of the entitlement's owner. +- `_PathInformations.csv`, with the following columns: + - **Path**; + - **ParentPath**: path of the file's or folder's parent folder; + - **BlockInheritance**: `true` if the file or folder blocks entitlement inheritance in the tree; + - **Hierarchy**: hierarchy in the scanned tree. 
+- `_SID.csv`, with only one column **SID**. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- an [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Interactive | `Connections----Interactive` | +| LevelOfScan | `Connections----MembersFile` | +| ListOfSIDToAvoid | `Connections----ListOfSIDToAvoid` | +| Login | `Connections----Login` | +| OnlyDirectoryScan | `Connections----OnlyDirectoryScan` | +| Password | `Connections----Password` | +| InputDirectories | `Connections----InputDirectories` | + +- a [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login` and `Password`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "SharedFolderExport": { +> "Login": "SharedFolderSettings", +> "Password": "SharedFolderSettings" +> } +> } +> } +> ``` 
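Review bot: In the Azure Key Vault table the `LevelOfScan` row maps to a key ending in `MembersFile`, an attribute this connector does not have; every other row ends in its own attribute name, so this one should end in `LevelOfScan`. An operator following the table as written would store the value under a key the agent never reads. In the example, `"OnlyDirectoryScan": "true"` and `"LevelOfScan": "12"` are quoted strings while `"Interactive": true` is a JSON boolean, although the settings table types them as Boolean, Int32 and Boolean; pick one form and use it consistently. The settings table is also split by a stray `| | |` header before the `Login` and `Password` rows, which detaches them from the main table. The example's description says "we don't have access rights to the entitlements associated with the SIDs", whereas `ListOfSIDToAvoid` is documented as SIDs to exclude from the scan; align the wording. The "Credential protection" bullets again use "Connection" as link text for all three mechanisms and mention "Active Directory's" credentials. Minor: "UFA (Identity Manager Folder Access)" no longer matches its own acronym.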
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md new file mode 100644 index 0000000000..f0878e0503 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md 
@@ -0,0 +1,274 @@ +# SharePoint + +This connector exports sites, folders, groups and permissions from a +[SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration) instance. + +This page is about Storage/SharePoint. + +![Package: Storage/SharePoint](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp) + +## Overview + +SharePoint is a system used by organizations to store, organize, share and access information. + +## Prerequisites + +Implementing this connector requires an account with the permissions to access all items and read +their entitlements. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +`appsettings.agent.json > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                  +                        appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +                 +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +The following example scans the example.sharepoint.com SharePoint at the more detailed level +(ListItem) with the account [account.example@acme.com](mailto:account.example@usercube.com): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... 
+    "SharePointExport": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | +| Scanlevel default value: ListItem | Scanlevel | Level of scan to be performed, from less to more detailed: Site; List; and ListItem. | +| CsvUrls optional | String | Path, column and separator (split by ¤) of the CSV file containing the other sites to be scanned. Useful when scanning a SharePoint with a root site (https://example.sharepoint.com) with other sites (https://example.sharepoint.com/sites/OtherSite) which are not sub-sites (https://example.sharepoint.com/SubSite). Sub-sites don't need to be provided through a CSV file because they are found from the root site. 
| + +### Limitations + +Synchronization in incremental mode does not retrieve user account changes, because SharePoint is +not able to provide this information through its API. + +To avoid unnecessary scanning and to increase performance, the connector in incremental mode does +not scan user accounts from the sites given through CsvUrls. However, it still retrieves the +folders, groups, permissions and the links between users and these elements. + +When needing to retrieve all of user account information, then go through complete synchronization +instead of incremental. + +### Output details + +This connector is meant to generate to the Export Output folder the following CSV files: + +`_Entity.csv`, with the following columns: + +- **command**— empty for complete synchronization, and `merge` for incremental; +- **Collection**— SharePoint server's URL where the information was found; +- **Id**— Identifier of the entity; +- **SharePointId**— Identifier of the entity in the scanned site; +- **Name**— name of the entity; +- **Description**— description of the entity; +- **PrincipalType**— type of the entity, for example `User`, `SecurityGroup` or `SharePointGroup`, + etc.; +- **Email**— email of the user; +- **IsEmailAuthenticationGuestUser**— `true` if the email is for the authentication of a guest user; +- **IsSiteAdmin**— `true` if the user is a site administrator; +- **IsShareByEmailGuestUser**— `true` if the user is a guest invited by email; +- **AadObjectId**— Microsoft Entra ID (formerly Microsoft Azure AD)'s identifier of the entity; + +`_GroupMember.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Group_Id**: Identifier of the group; +- **Entity_Id**: Identifier of the entity related to the group member; + +`_GroupMemberScanFail.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Id**; +- **Name**; +- **Description**; +- **PrincipalType**; + +`_Role.csv`, with the following columns: + +- **command**; +- 
**Collection**; +- **Id**; +- **Name**; +- **Description**; +- **Permissions**: permissions concatenated together with line breaks; + +`_RoleAssignment.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Key**— concatenation (with `-`) of the `Role_Id`, the `Entity_Id` and the `SecurableObject_Key`; +- **Role_Id**— Identifier of the role; +- **Entity_Id**— Identifier of the entity related to the role; +- **Entity_Name**— name of the group member; +- **SecurableObject_Key**— concatenation (with `|`) of the `Collection` and the relative URLs where + the object was found; + +`_SecurableObject.csv`, with the following columns: + +- **command**; +- **Key**— concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**— level where the securable object was found, among: `Site`; `List`; `ListItem`; +- **Label**— title or display name of the securable object; +- **ParentKey**— key of the securable object's parent; +- **ScanStatus**— status of the scan (success or fail); +- **HasUniqueRoleAssignments**— `true` if entitlement inheritance is blocked for this securable + object; + +`_SecurableObjectRightInheritance.csv`, with the following columns: + +- **command**; +- **Collection**; +- **SecurableObject_Key**; +- **Inheritance_Key**— key of the ancestor object that the securable object gets its inherited + rights from; + +`_SecurableObjectScanFail.csv`, with the following columns: + +- **command**; +- **Key**: concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**; +- **Label**; +- **ParentKey**; +- **HasUniqueRoleAssignments**. + +## Fulfill + +Identity Manager's fulfill functionality can add and remove members from existing SharePoint groups. + +### Configuration + +Same as for export, fulfill is configured through connections. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfillment": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file; +- An Azure Key Vault safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Scanlevel | `Connections----Scanlevel` | +| TimeOut | `Connections----TimeOut` | +| Server | `Connections----Server` | +| CsvUrls | `Connections----CsvUrls` | + +- A CyberArk Vault able to store SharePoint's `Login` and `Password`. 
+ +See the +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                         +                            appsettings.cyberark.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfill": { +        "Login": "SharePointSettings", +        "Password": "SharePointSettings" +    } +  } +} +                     +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md new file mode 100644 index 0000000000..e08bf43bae --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md 
@@ -0,0 +1,222 @@ +# Sql + +This connector exports data from one of various +[Database Management Systems](https://en.wikipedia.org/wiki/Database#database-management-systems). + +This page is about: + +- Database/[ Generic SQL ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md); +- Database/[ SQL Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md); +- Database/[ MySQL ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/mysql/index.md); +- Database/[ ODBC ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odbc/index.md); +- Database[ Oracle Database ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md); +- Database/[ PostgreSQL ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md); +- [ SAP ASE ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sapase/index.md). 
+ +![Package: Directory/Database/Generic SQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp) + +![Package: Directory/Database/Microsoft SQL Server](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp) + +![Package: Directory/Database/MySQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp) + +![Package: Directory/Database/ODBC](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp) + +![Package: Directory/Database/Oracle](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp) + +![Package: Directory/Database/PostgreSQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp) + +![Package: Directory/Database/SAP ASE](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp) + +## Overview + +A database is a collection of relational data which represents some aspects of the real world. A +database system is designed to be built and populated with data for a specific task. + +A Database Management System (DBMS) is a software for storing and retrieving users' data while +considering appropriate security measures. + +> Some popular DBMS systems are Microsoft SQL Server, MySQL, Oracle, PostgreSQL, etc. + +The goal of this connector is to connect to a DBMS and execute a query in order to export a table. 
+ +## Prerequisites + +Implementing this connector requires: + +- the configuration of a DBMS system; + > For example for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15). +- creating a database `MyDb` with several tables and data so the user can query on the database, for + testing purposes. + +## Export + +This connector exports the content of any table from an SQL database and writes it to a CSV file. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures the connection to Microsoft SQL Server and exports the table +> `UC_Connectors` from the database `MyDb`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "SqlExport": { +> "ConnectionString" : "data source=.;Database=MyDb;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "SqlCommand": "SELECT * FROM [MyDb].[dbo].[UC_Connectors]" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| SqlCommand optional | **Type** String **Description** SQL request to be executed. **Note:** when not specified and `SqlFile` neither, then all the[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| SqlFile optional | **Type** String **Description** Path of the file containing the SQL request to be executed. **Note:** ignored when `SqlCommand` is specified. **Note:** when not specified and `SqlFile` neither, then all the [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| CsvEncoding default value: UTF-8 | **Type** String **Description** Encoding of the file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| ProviderClassFullName optional | **Type** String **Description** Invariant name to register the provider. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| ProviderDllName optional | **Type** String **Description** DLL, i.e. name and extension, to be loaded by the connector. **Note:** the DLL must be in the `Runtime` folder. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| IsolationLevel default value: ReadUncommitted | **Type** String **Description** Locking behavior of the transaction: `ReadUncommitted`; `ReadCommitted` - used for the databases that do not support the ReadUncommitted level, like Oracle databases. | + +### Connect to other DBMS + +Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: + +1. Download and extract the package. + > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/). + > + > ![MySQL: Download Package](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp) +2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder. + > For MySQL, the DLL is `MySql.Data.dll`. +3. Get the value required for `ProviderClassFullName` and `ProviderDllName`: + + - for a DBMS handled by Identity Manager's packages, by accessing the + [ References: Packages ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md); + + > For MySQL: + > + > ![Package Characteristics Example](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp) + + - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with + **Factory** in its name. 
+ + > If MySQL were not part of Identity Manager's packages, you would see + > [MySqlClientFactory](https://dev.mysql.com/doc/dev/connector-net/latest/api/data_api/MySql.Data.MySqlClient.MySqlClientFactory.html). + + The **Factory** class must derive from **DbProviderFactory**. After verification, the + `ProviderClassFullName` can be found in the **Inheritance Hierarchy** of the class. + + > For MySQL, here `ProviderDllName` is **MySql.Data.dll** and `ProviderClassFullName` is + > **MySql.Data.MySqlClient.MySqlClientFactory**. + > + > Then the following example configures the connection to MySQL and exports the table + > `UC_Connectors` from the database `MyDb` (the SQL command is inside `mySql.sql`): + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString" : "Server=localhost;Database=MyDb;Uid=root;Pwd=secret", + > "SqlFile": "C:/UsercubeDemo/Conf/Sql/mySql.sql", + > "ProviderClassFullName": "MySql.Data.MySqlClient.MySqlClientFactory", + > "ProviderDllName": "MySql.Data.dll" + > } + > } + > } + > ``` + > + > Another example for ODBC: + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString": "Driver=ODBC Driver 17 for SQL Server;Server={YOUR-PC}\\SQLEXPRESS;Database={Database Name};Hostname=Localhost;DBALIAS={Database Alias};trusted_connection=Yes", + > "ProviderClassFullName": "System.Data.Odbc.OdbcFactory", + > "ProviderDllName": "System.Data.Odbc.dll", + > "SqlCommand": "SELECT * FROM {Table Name}", + > "IsolationLevel": null + > } + > } + > } + > ``` + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder one CSV +file, named `.csv` whose columns correspond to the columns returned by the SQL +query. + +## Fulfill + +There are no fulfill capabilities for this connector. 
+ +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------------------- | -------------------------------------------------- | +| ConnectionString | `Connections----ConnectionString` | +| SqlCommand | `Connections----SqlCommand` | +| SqlFile | `Connections----SqlFile` | +| CsvEncoding | `Connections----CsvEncoding` | +| ProviderClassFullName | `Connections----ProviderClassFullName` | +| ProviderDllName | `Connections----ProviderDllName` | +| Timeout | `Connections----Timeout` | + +[](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +is not available for this connector. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md new file mode 100644 index 0000000000..7364daad0b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md 
@@ -0,0 +1,170 @@ +# Sql Server Entitlements + +This connector exports entitlements from +[Microsoft SQL Server](https://www.microsoft.com/en-us/sql-server/). + +This page is about +[ SQL Server Entitlements ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md). + +![Package: Database/Microsoft SQL Server Entitlements](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp) + +## Overview + +Identity Manager can manage permissions within Microsoft SQL Server, by exporting the server's and +databases' principals, i.e. entities that can request Microsoft SQL Server's resources. + +SQL Server supports three types of principals: + +- logins at the server level; +- users at the database level; +- roles (if any) at either level. + +Every principal includes a security identifier (SID). + +## Prerequisites + +Implementing this connector requires: + +- the configuration of a Microsoft SQL Server system; + + > For example, for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15); + +- understanding the concept of principals, roles and permissions; + + > A little help on that with: + > + > > [Principals (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/principals-database-engine?view=sql-server-2017); + > + > > [Create a 
Login](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-login?view=sql-server-2017); + > + > > [Server-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-2017); + > + > > [Create a Database User](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017); + > + > > [Database-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-2017); + > + > > [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine?view=sql-server-2017); + > + > > [Permissions Hierarchy (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-hierarchy-database-engine?view=sql-server-2017). + +- a `ConnectionString` with a `Login` to connect to the SQL Server, where either the login has the + **sysadmin** role, or: + + - the login has the **securityadmin** role, in order to export server principals; + - each database to export has a database user attached to the login with at least one role among + **db_accessadmin**, **db_owner** and **db_securityadmin**, in order to export database + principals. + + [Securables](https://docs.microsoft.com/en-us/sql/relational-databases/security/securables?view=sql-server-2017) + can also be defined manually for both the server and database principals, but this is more + complicated and hence not recommended. + +## Export + +This connector exports from one or several databases to CSV files the following tables: + +- `sys.server_principals`; +- `sys.server_role_members`; +- `sys.database_principals`; +- `sys.database_role_members`. + +This connector exports only in complete mode. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example connects Identity Manager to Microsoft SQL Server and exports the principals +> from the databases `UsercubeDemo` and `AdventureWorks2017`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SqlServerEntitlementsExport": { +> "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "Databases": [ "UsercubeDemo", "AdventureWorks2017" ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| Databases optional | **Type** String List **Description** List of databases to be exported. **Note:** when not specified, all databases from the SQL Server are exported. 
| + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder the +following CSV files: + +- `_serverPrincipals.csv`; +- `_serverRoleMembers.csv`; +- `_databasePrincipals.csv`; +- `_databaseRoleMembers.csv`. + +> For example, if the connection identifier is **SqlServerEntitlementsExport**, then the file names +> are `SqlServerEntitlementsExport_serverPrincipals.csv`, etc. + +The output files' columns are the columns returned by the SQL query. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- an [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ---------------- | ------------------------------------------------ | +| ConnectionString | `Connections----ConnectionString` | +| Timeout | `Connections----Timeout` | + +[](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +is not available for this connector. 
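Review bot: In the SharePoint connector page (the hunk that ends just before sql/index.md), the Fulfill example names the connection `SharePointFulfillment`, but the `appsettings.cyberark.agent.json` example under Credential protection names it `SharePointFulfill`. A reader who copies both ends up with a CyberArk entry that matches no connection, so use one identifier in both examples. The Fulfill example also carries `Scanlevel` and `CsvUrls`, which the Fulfill attribute table does not list, and the Login and Password descriptions still say "access files and read their entitlements" although this section is about adding and removing group members.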
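Review bot: In sql/index.md, the Credential protection section lost its link labels and targets. Both bullets read `[ Connection ]` and point at `.../xml-configuration/connectors/connection/index.md`, which produces "An Connection safe", and the closing sentence starts with an empty-text link to the CyberArk page followed by another `[ Connection ]` link. The SharePoint page in this same patch labels the equivalent links RSA Encryption, Azure Key Vault and CyberArk's AAM Credential Providers, with targets under `network-configuration/agent-configuration/`; restore those labels and targets here so readers can find how to protect `ConnectionString`. Separately, the `SqlFile` row's second note says "when not specified and `SqlFile` neither", where `SqlCommand` is presumably meant.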
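Review bot: In sqlserverentitlements/index.md, the sample `ConnectionString` sets `encrypt=false`, while Prerequisites requires a login holding **sysadmin**, or **securityadmin** plus **db_accessadmin**, **db_owner** or **db_securityadmin**. The sample targets `data source=.`, but it will be copied for remote servers as well, so either drop `encrypt=false` from the example or add a sentence saying when an unencrypted connection is acceptable for this login. Also, in Setting attributes, an empty `| | |` header row sits between `Timeout` and `Databases` and splits the table in two; remove it so `Databases` renders under the Name/Details header.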
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md new file mode 100644 index 0000000000..4995f03ed1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md @@ -0,0 +1,10 @@ +# Top Secret + +This connector exports users and profiles from a +[Top Secret](https://www.ibm.com/docs/en/szs/2.2?topic=audit-top-secret) (TSS) instance. + +This page is about [ TSS ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/tss/index.md). + +![Package: Mainframe/Top Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/workday/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/workday/index.md new file mode 100644 index 0000000000..b734ef89c3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/workday/index.md 
@@ -0,0 +1,200 @@ +# Workday + +This connector exports users and groups from a +[Workday](https://www.workday.com/en-us/products/talent-management/overview.html) instance. + +This page is about [ Workday ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workday/index.md). + +![Package: ERP/Workday](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp) + +## Prerequisites + +Implementing this connector requires: + +- using Workday Web Services (WWS) Directory + [v34.2](https://community.workday.com/sites/default/files/file-hosting/productionapi/versions/v34.2/index.html) + or later; + + > For example, the + > [Human Resources](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/Human_Resources.html) + > Web Service contains operations that expose Workday Human Capital Management Business Services + > data, including Employee, Contingent Worker and Organization information. + +- access to the Web Services that are to be used; +- the [XPath](https://www.w3.org/TR/1999/REC-xpath-19991116/) syntax to configure and select the + attributes to export. + +## Export + +This connector exports any entity available in WWS. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example connects Identity Manager to Workday and exports `Worker_ID` and `User_ID` +> from the entity Workers returned in +> [Get_Workers_Response](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml): +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "InputFilePath": "C:/UsercubeContoso/Temp/bodies.json", +> "Login": "USERCUBE@contoso", +> "Password": "contoso1996", +> "Server": "https://workday.com/ccx/service/contoso" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| InputFilePath required | **Type** String **Description** Path of the JSON file defining which entities and attributes are to be exported. See more details below. | +| Login required | **Type** String **Description** Login used to authenticate to Workday. | +| Password required | **Type** String **Description** Password used to authenticate to Workday. | +| Server required | **Type** String **Description** URL of the targeted Workday instance. **Syntax:**`https://####.workday.com/ccx/service/tenantName` (without the Web Service part). | + +##### InputFilePath + +The file specified in `InputFilePath` must have a specific structure, with a section for each entity +to be exported. 
+ +> For example: +> +> ``` +> bodies.json +> { +> "Requests": [ +> { +> "XmlBody": " ", +> "EntityName": "workers", +> "IncrementalTag": "Transaction_Log_Criteria_Data", +> "WebService": "Human_Resources/v34.2" +> } +> ] +> } +> ``` + +| Name | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| XmlBody required | **Type** String **Description** Request to send to the Web Service. **Syntax:** `"XmlBody": " ... "` - the request body must begin with `` and end with ``; - inside the body, the entity request must use the namespace `bsvc`; - the body must fit on a single line. **Tip:** write the body in a separate XML file and use [TextFixer](https://www.textfixer.com/tools/remove-line-breaks.php) to remove line breaks. **Tip:**[see an example](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Request.xml). | +| XPaths optional | **Type** String Pair List **Description** One or several key-value pairs, where: - the key is the attribute name that will be the column name in the output CSV file; - the value is the XPath used in the response to get the attribute value. **Info:** useless most of the time because the information is provided by entity type mappings and entity association mappings. 
Still useful when using the exe directly. **Note:** Netwrix Identity Manager (formerly Usercube)recommends using an **XPath** to the property `WID`, because it helps logs (in Trace mode) find entities with multi-valued properties. **Syntax:** `"XPaths": { "Attribute_1_Name": "XPath 1", ... "Attribute_N_Name": "XPath N" }` | +| EntityName required | **Type** String **Description** Name of the entity, which conditions the name of the output file. | +| IncrementalTag optional | **Type** String **Description** XML tag associated with the incremental request. **Note:** in the xml request, `` must be the parent of `` which is the parent of `` and ``. **Note:** when not specified, this entity is always exported in complete mode. **Warning:** the `IncrementalTag` part must not be added manually in `XmlBody` because the connector adds it automatically when exporting in incremental mode. | +| WebService required | **Type** String **Description** Name and version of the Web Service. | + +### Output details + +This connector is meant to generate to the +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) folder: + +- one CSV file for each entity, named `_.csv`, with the following + columns: + + - **Command**: used for + [ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md); + - one column for each XPath found in the + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)' + connection columns and + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)' + columns. 
+ [See Workday's documentation to compute XPaths](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml).``` `connectionIdentifier`_`entityName`.csv + + Command,Key_XPath_1,Key_XPath_2,...,Key_XPath_N Add,value1,value2,...,valueN + + ``` + + ``` + +- a cookie file named `workday__cookie.bin`, containing the time of the last + export in order to perform an incremental export. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We choose to export only the entity `workers`, so the output is generated to +> `WorkdayExport_workers.csv` in the directory +> [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). +> +> The CSV file will include three columns: `Command`; `bsvc:Worker_Data/bsvc:Worker_ID` and +> `bsvc:Worker_Data/bsvc:User_ID`. 
+ +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------- | ------------------------------------------------ | +| InputFilePath | `Connections----InputFilePath` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Server | `Connections----Server` | + +- A + [](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + able to store Workday's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "Login": "WorkdayExport_Account", +> "Password": "WorkdayExport_Account" +> } +> } +> } +> ``` 
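Review bot: In the Credential protection section, the Azure Key Vault key names (`Connections----Login` and the other three rows) have nothing between the double hyphens, so the naming convention cannot be applied as written. The connection identifier placeholder seems to have been dropped there, as it was in `_.csv` and `workday__cookie.bin` under Output details and in the empty fenced block of the last Output details example. Restore the placeholders in a form the renderer keeps, for instance inside backticks as the `connectionIdentifier`_`entityName`.csv snippet does. In the same section all three bullets link to connection/index.md with the text "Connection", and the third opens with an empty-text link to the CyberArk page, so the reader cannot tell which protection mechanism each bullet names. Separately, the appsettings.agent.json example carries a literal `"Password": "contoso1996"`; a placeholder value with a pointer to Credential protection would keep readers from copying a clear-text password into that file.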
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/active-directory/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/active-directory/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/apache-directory/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/apache-directory/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/azure/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/azure/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/csv/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/csv/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/csv/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/csv/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/cyberark/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/cyberark/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/easyvista/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/easyvista/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/excel/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/excel/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/excel/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/excel/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/generic-scim/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/generic-scim/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md new file mode 100644 index 0000000000..76ce47fe77 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md 
@@ -0,0 +1,17 @@ +# Generic SQL + +Exports data from a SQL database. + +| Package Characteristics | Value | +| ----------------------- | ----------------------- | +| Display Name | Database/Generic SQL | +| Identifier | Usercube.SQL@0000001 | +| Export | Usercube-Export-Sql.dll | +| Fulfill | NONE | +| Has Incremental Mode | False | +| Publisher | Identity Manager | + +When creating a connection to a database which is not handled by Identity Manager's packages, you'll +need to fill in the `ProviderDllName` and `ProviderClassFullName` properties of the +[ Sql ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) connector using the procedure given in the +example. diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/home-folders/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/home-folders/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md 
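Review bot: The last sentence of the new Generic SQL page (references-packages/generic-sql/index.md) tells the reader to fill in `ProviderDllName` and `ProviderClassFullName` "using the procedure given in the example", but the file contains no example, so the reference dangles. Name the section of the Sql connector page that holds the procedure and link to it directly; the link text `[ Sql ]` also has stray spaces inside the brackets.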
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/usercube-database/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/usercube-database/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md new file mode 100644 index 0000000000..7ba1a0cfb6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md 
@@ -0,0 +1,64 @@ +# References: Packages + +If you are looking for the dll of a given package, be aware that you can often find it in the +[nuget catalog](https://www.nuget.org/packages). Then you can follow the procedure: + +1. Download and extract the package. + +2. Copy the dll file (corresponding to the appropriate .Net version) to the `Runtime` folder. + +- #### [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md) + Manages users and groups in Active Directory. This package supports incremental synchronization + with the DirSync mechanism.- #### [Apache Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md) Manages users + and groups in Apache Directory.- #### [Azure](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure/index.md) Exports Azure resources, role + definitions and role assignments.- #### [CSV](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/csv/index.md) Exports CSV to prepare + synchronization.- #### [CyberArk](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md) Manages CyberArk entities, including user + and group assignments.- #### [EasyVista](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md) Manages users inside an EasyVista + instance. This package supports incremental synchronization.- #### + [EasyVista Ticket](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md) Creates tickets inside an EasyVista instance. 
This + package supports incremental synchronization.- #### [Excel ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/excel/index.md) Exports Excel data + sheets.- #### [Generic LDAP](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md) Manages entries in an LDAP compliant + directory.- #### [Generic SCIM](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md) Manages entities in SCIM compatible + application.- #### [Generic SQL](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md) Exports data from a SQL database.- #### + [Google Workspace](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md) Manages Google Workspace entities.- #### + [Home Folders](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md) Manages Home Folders.- #### [JSON](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/json/index.md) Generate + JSON files for each provisioning order. 
These JSON can then be used by custom scripts.- #### + [LDIF](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/ldif/index.md) Exports entries from a LDIF file.- #### + [Manual Ticket](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) Opens manual provisioning tickets in Identity + Manager.- #### [Manual Ticket and CUD Resources](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) Opens + manual provisioning tickets in Identity Manager.- #### + [Microsoft Entra ID](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md) Manages users and groups in Microsoft + Entra ID (formerly Microsoft Azure AD). This package supports incremental synchronization with + the delta API.- #### [Microsoft Exchange](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md) Manages Microsoft + Exchange mailboxes. This package supports incremental synchronization.- #### + [MySQL](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/mysql/index.md) Export data from a MySQL database.- #### [OData](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odata/index.md) Manages + OData entities.- #### [ODBC](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odbc/index.md) Exports data from a generic ODBC compatible + database.- #### [Open LDAP](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md) Manages entries in Open LDAP. 
This package + supports incremental synchronization with the sysrepl mechanism.- #### + [Oracle Database](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md) Export data from an Oracle database.- #### + [Oracle LDAP](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md) Manages entries in Oracle Internet Directory.- #### + [PostgreSQL](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md) Export data from a PostgreSQL database.- #### + [PowerShellProv](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md) Fulfills an external system with a custom PowerShell + script.- #### [PowerShellSync](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md) Create a CSV export from a Powershell + Script.- #### [RACF](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/racf/index.md) Exports the RACF users and profiles.- #### + [Red Hat Directory Server](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md) Manages entries in a Red Hat + Directory Server.- #### [Robot Framework](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md) Fulfills an external system + using a Robot Framework script.- #### [Salesforce](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md) Manages Salesforce + entities.- #### [SAP ASE](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sapase/index.md) Exports data from a SAP ASE database.- #### + [SAP ERP 
6.0](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md) Manages users and roles in SAP ERP 6.0.- #### + [SAP S/4 HANA](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saphana/index.md) Manages users and roles in SAP S/4 HANA.- #### + [ServiceNow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md) Manages any data in the CMDB, including users and roles. This + package supports incremental synchronization.- #### + [ServiceNow Ticket](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) Opens tickets in ServiceNow for the manual + provisioning.- #### [Shared Folders](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md) Manages users and permissions in + Shared Folders.- #### [SharePoint](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md) Exports sites, folders, SharePoint + groups and permissions.- #### [Slack](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/slack/index.md) Manages Slack entities.- #### + [SQL Server](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md) Export data from a SQL Server database.- #### + [SQL Server Entitlements](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md) Exports SQL Server + Entitlements- #### [TSS](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/tss/index.md) Exports the Top Secret users and profiles.- #### + [Unplugged](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md) Manages an unplugged system with a 
completely custom data + model.- #### [Database](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md) Updates the Identity Manager database for + each provisioning order. This package is used for HR systems, authoritative systems or other + Identity Manager instances.- #### [Workday](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workday/index.md) Manages users and groups in + Workday.- #### [Workflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) Triggers workflows in Identity Manager for each + provisioning order. diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/json/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/json/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/json/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/json/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/ldif/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/ldif/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/ldif/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/ldif/index.md 
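Review bot: In the new references-packages/index.md, steps 1 and 2 have the reader download a package from the nuget catalog and copy its dll into the `Runtime` folder with no step for confirming that the package is the intended one. Add a step that says where to find the expected package id and publisher for the provider and asks the reader to check them, and the package signature, before copying. In the package list below, every entry after Active Directory is fused onto the previous entry's text (`mechanism.- #### [Apache Directory]`), so the `- ####` markers sit mid-line and will not render as separate items; put each package on its own line. Wording also varies between entries ("Exports data" and "Export data", and no full stop after "Exports SQL Server Entitlements").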
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/manual-ticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/manual-ticket/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/mysql/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/mysql/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/mysql/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/mysql/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/odata/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odata/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/odata/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odata/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/odbc/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odbc/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/odbc/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/odbc/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/open-ldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/open-ldap/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/oracle-database/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/oracle-database/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/postgresql/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/postgresql/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/powershellprov/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/powershellprov/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/powershellsync/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/powershellsync/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/racf/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/racf/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/racf/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/racf/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/robot-framework/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/robot-framework/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/salesforce/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/salesforce/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sapase/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sapase/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sapase/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sapase/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/saperp6/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/saperp6/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/saphana/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saphana/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/saphana/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/saphana/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/servicenow/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/servicenow/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/shared-folders/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/shared-folders/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sharepoint/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sharepoint/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/slack/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/slack/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/slack/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/slack/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sql-server/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/sql-server/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/tss/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/tss/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/tss/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/tss/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/unplugged/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/unplugged/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/workday/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workday/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/workday/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workday/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/workflow/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workflow/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/connectors/references-packages/workflow/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/workflow/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md new file mode 100644 index 0000000000..47e6d92c8a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md 
@@ -0,0 +1,254 @@ +# Entity Model + +At the heart of any successful IGA project, dwells an efficient data model. + +The data involved in the project, be it reference data, identities, or from the managed systems', +needs to be modeled in a way that is both relevant to the organization and to Identity Manager. + +Identity Manager allows integrators to adapt the data model to the target organization, instead of +forcing the organization to fit in a pre-conceived hardwired model. This philosophy has proven +successful by Identity Manager's field experience and project feedback. + +## Entity-Relationship model + +The model for all resources (that means data from the managed system, reference data and identities) +is written in the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md) in the form of an +[Entity-Relationship model](https://en.wikipedia.org/wiki/Entity–relationship_model), called the +**entity model**. + +The model is organized into cohesive **connectors**, one for each managed system, and one for the +reference data/identity repository. + +An **entity model** describes the shape of resources (the **metadata**) and how they are built from +real world sources of truth (the **mapping**). + +### Metadata + +The **metadata** of a resource is the description of the resources' shape. Using the +_Entity-Relationship_ vocabulary, it's a list of property names and types for a resource. + +The metadata is written using +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md), +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). 
+ +#### Entity types + +Every resource is assigned an +[](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that describes its shape. + +It's a description of the resource: it can be a managed system's resource or a real world entity +such as an identity or a department. + +An +[](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +includes: + +- One or more + [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md#)[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- Zero or more + [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + +#### Entity properties + +Properties are key-value pairs, with a name and type that describes the nature of the value held by +the property. They are described by +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +There are two kind of properties: **Scalar Properties** and **Navigation Properties**. + +**Scalar Properties** simply hold a value: a string, a number, a date for example. + +Available types include: + +- `String` +- `Bytes` +- `Int32` (32 bits integer) +- `Int64` (64 bits integer) +- `DateTime` +- `Bool` (boolean) +- `Guid` +- `Double` +- `Binary` (binary file like an image) + +For these types, the UI and binding system transforms the value retrieved from the database into the +corresponding type for display. 
+ +**Navigation Properties** properties hold links between the parent resource and another resource. + +**Navigation Properties** type is `ForeignKey`. + +**Navigation Properties** are completed by an Entity Association that explicitly describe the nature +of the link. + +#### Entity association + +An [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +describes a link between entity types. It connects a pair of navigation properties, from two +**Entity Types**. + +There are two types of navigational properties: + +- _mono-valued_, that link to a [single](https://en.wikipedia.org/wiki/One-to-one_(data_model)) + entity; +- _multi-valued_, that link to a + [collection](https://en.wikipedia.org/wiki/many-to-many_(data_model)) of entities. + +Given a navigation property A of EntityType 1, linking EntityType 1 to navigation properties B of +EntityType 2, then navigation property B is called the reverse property of navigation property A and +navigation property A is called the reverse property of navigation property B. + +For example, + +- The _User_ entity type has the navigational property _Positions_ (a link to **zero or + more\_**Position\_ entities); +- The _Position_ entity type has the navigational property _Person_ (a link to **zero or + one\_**User\_ entity); +- The navigational property _Person_ is the reverse link of the navigational property _Positions;_ +- The _User_ entity type has the navigational property _Manager_ (a link to **zero or one\_**User\_ + entity); +- The _User_ entity type has the navigational property _Subordinates_ (a link to **zero or + more\_**User\_ entities); +- The navigational property _Subordinates_ is the reverse link of the navigational property + _Manager_. + +#### Locatable property + +Some property values must be available in several languages. 
In this case, we define a **neutral +property** and as many corresponding properties as languages. + +The built-in _InternalDisplayName_ property is a neutral property. Its associated properties are +named \_`InternalDisplayName___L{Index}`_ where \_Index_ reference the +[Languages](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/languages/index.md). + +#### Computed property + +A property can be calculated from other properties. The +[Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) element allows the +expression of a computed property. It references the property (specifying the entity type's +identifier and the property's identifier) and expresses the calculation based on a given entity +using the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md). + +An element `` can be used to calculate a scalar property or a mono-valued +navigation property. In the latter case, the expression must return an integer that corresponds to +the primary key of the target entity. + +#### Display name + +Every declared **EntityType** automatically has the `InternalDisplayName` property even if it is not +explicitly declared in the applicative configuration. + +It represents a user-friendly name for **EntityType** that is used in the UI if needed. + +Its value can be explicitly computed by an +[Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). Otherwise, a default value +is automatically computed by Identity Manager using the first property of the **EntityType** where +`identifier` contains the string _"name"_. If no such property is found, the first declared property +of the **EntityType** is used instead. + +The _InternalDisplayName_ property will be used as a default label of the entity in the UI. 
+ +#### Database mapping + +Resources from the **resource repository** are stored in the generic UR_Resources table. + +This table has: + +- 128 columns to store scalar properties (index 0 to 127). The first four are reserved for big + scalar properties values (as many as 4000 unicode char). he other columns are limited to 442 + unicode char. These columns are named C0 to C3V following a base-32 convention for naming. + +- 25 columns to store mono-valued navigational properties values (index 128 to 152). These columns + are named `I0` to `I4N` following a base-32 convention for naming. + +_Multi-valued navigation property_ values are stored in the UR_ResourceLinks junction table. + +Binary property values (such as pictures or files) are stored in the UR_ResourceFiles table. + +### Mapping + +Identity Manager's Entity Model also contains **a mapping** between the external data and +[Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) or +[](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md)[Entity Association](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). +That's why entity types are organized into **connectors**. The **mapping\_**connects\_ entity types +to external sources of truth. + +This information is provided by the +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), their +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and +[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). 
+ +To build Identity Manager resources from external data found in the managed system, the entity model +provides a mapping between the external data (often in the form of CSV files, see +[Upward Data Synchronization](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)) and entity properties. +This information is provided by the +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), their +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)and +[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Every [Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)maps +a CSV column to a scalar [Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +Every +[Entity Association Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +maps a CSV column to a navigation +[Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +#### Format + +When exporting entries from an external system, the results are usually retrieved as simple strings, +written in a CSV file, and imported into the Identity Manager Database as-is. But an external system +will rarely uses the same format as Identity Manager to store objects such as dates. + +Let's take, for example, a case where we want to store an employee's start date: + +- In the external system, the date is stored as a string with the format `2020-09-29 22:00:00`. 
+- In Identity Manager, dates are stored as strings in the format `20200929220000` + +We need to transform the input data, from the export, into something readable by Identity +Manager and, when writing to the external system, transform Identity Manager's data back into +something readable by the external system. + +![Export and Fulfill Data transformation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) + +The format used in the external system can be provided through the +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) using the +[References: Format for the EntityPropertyMapping](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) +attribute to help Identity Manager to convert data appropriately. + +If the field in the external system is not forced to a specific value type, but is free-form +(example: a string field in which date values are stored but which can sometimes hold other values), +we strongly recommend not using the `Format` attribute to prevent inconsistent user input in the +external system. + +#### Primary key + +When writing an +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), one of +the _scalar properties_ should be chosen as +[Entity Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md). This +property will be used by Identity Manager to +[uniquely identify a resource](https://en.wikipedia.org/wiki/Primary_key). It is hence crucial to +choose carefully as many of Identity Manager's processes and optimizations depend on this choice. 
+ +### SQL views + +The `UR_Resource` table contains resources from all the connectors, for all the Entity Types. +Columns names are not semantically meaningful because they have generic I\*/C\* names. For this +reason, Identity Manager provides SQL views to help the user explore the resource repository from +the database. The views are useful to understand how Identity Manager works or to debug a faulty +configuration. + +SQL Views are built by the +[Create Database Views Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md). + +SQL Views created by this tool are identified in the database by a `zz_` prefix. + +Created views are not used by the Identity Manager engine directly. Identity Manager's engine always +creates, reads, updates and deletes from the `UR_*` tables. + +## Records + +The **entity model** is enhanced with **records** to handle positions and movements of staff. See +the [Identity Management](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md new file mode 100644 index 0000000000..4397be96b4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md @@ -0,0 +1,5 @@ +# Executables + +The documentation is not yet available for this page and will be completed in the near future. + +See the [ Executables ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md new file mode 100644 index 0000000000..cbb5104501 
--- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md @@ -0,0 +1,28 @@ +# Identity Manager-Agent + +This tool runs the Agent on a separate server instance. The Agent is able to communicate with the +[Usercube-Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md). + +## Examples + +With a properly configured environment, the following command runs the agent. It listens on two +different ports: + +``` +./identitymanager-Agent.exe --urls "http://localhost:6001;http://localhost:6002" +``` + +When the Agent starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:6001 +[xx:xx:xx INF] Now listening on: http://localhost:6002 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ---------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the agent is listening to. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/anonymize/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/anonymize/index.md new file mode 100644 index 0000000000..4987088025 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/anonymize/index.md 
@@ -0,0 +1,118 @@ +# Usercube-Anonymize + +This tool anonymizes data based on a certain knowledge of the database and the data structure. + +## Overview + +Anonymizing data helps unlock situations where it is necessary to send data to varied teams while +guaranteeing the privacy of the data owners. + +> For example, it can be necessary to transmit data to an integration team that needs to set up +> tests or a development environment to work on the applicative configuration. For example, users +> sometimes need to send data to Identity Manager's support team to reproduce a bug and get it +> corrected. + +## Technical Principles + +Anonymizing can be performed on data: + +- from a CSV file, with the output written to a new CSV file; +- directly inside a SQL database, overwriting existing data with the anonymized data. + + In this case, the plain data is lost. So make sure to work on a copy of the original database. + +Several types of data can be anonymized, according to distinct substitution methods that are +deterministic and non-reversible: + +- strings have each alphabetical character substituted for another alphabetical character; + + > For example, `John Doe` becomes `Xert Okl`. + + Diacritical characters are replaced by a non-diacritical equivalent. + +- numbers have each digit substituted for another digit; + + > For example, `54689` becomes `32016`. + +- emails have the username anonymized, while leaving the domain name as is; + + > For example, `johndoe@contoso.com` becomes `xertoekl@contoso.com`. + +- Active Directory's RDN properties (Relative Distinguished Names), in the _attribute=value_ format, + are anonymized via the string method on the value, leaving the attribute as is. + + > For example, `CN=John Doe` becomes `CN=Xert Okl`. 
+ +## Examples + +### Anonymizing a CSV file + +The following example anonymizes the `first_name`, `last_name`, `email` and `phone` column of the +following CSV file: + +``` + +id,first_name,last_name,email,gender,phone +1,Darrin,Crumpe,dcrumpe0@nifty.com,Male,2666420820 +2,Lyon,Boddam,lboddam1@eepurl.com,Male,5927617041 +3,Roxana,Prose,rprose2@statcounter.com,Female,5134883113 +4,Vladimir,Grisedale,vgrisedale3@blogtalkradio.com,Male,1338476916 +5,Jaquith,Pendrich,jpendrich4@merriam-webster.com,Female,1894520819 +6,Art,Sweatland,asweatland5@boston.com,Male,5066492715 +7,Lynelle,Klammt,lklammt6@stumbleupon.com,Female,5653774981 +8,Chicky,Blatherwick,cblatherwick7@walmart.com,Male,4095068397 +9,Delilah,Kauscher,dkauscher8@de.vu,Female,9324858513 +10,Estelle,Melmeth,emelmeth9@dot.gov,Female,2176715812 + +``` + +The following command outputs the anonymized data in STDOUT. + +``` + +./identitymanager-Anonymize.exe -n C:/Projects/identitymanager/Documentation/exampleSources/Anonymizer/users.csv -s "," --columns first_name,last_name,mail:email,number:phone + +``` + +The output is: + +``` + +id,first_name,last_name,email,gender,phone +1,Afccrp,Icqesl,aicqesl0@nifty.com,Male,6111065265 +2,Mdhp,Qhaafe,mqhaafe1@eepurl.com,Male,4665125502 +3,Chlfpf,Schnl,cschnl2@statcounter.com,Female,4230223223 +4,Imfarerc,Ocrnlafml,iocrnlafml3@blogtalkradio.com,Male,2332051621 +5,Jfkqrfg,Slpacrig,jslpacrig4@merriam-webster.com,Female,2260465226 +6,Fcf,Nalffmfpa,fnalffmfpa5@boston.com,Male,4511066524 +7,Mdplmml,Bmfeef,mbmfeef6@stumbleupon.com,Female,4143550622 +8,Igribd,Qmffglcarib,iqmffglcarib7@walmart.com,Male,0564512365 +9,Almrmfg,Bfqniglc,abfqniglc8@de.vu,Female,6360242423 +10,Lnflmml,Elmelfg,lelmelfg9@dot.gov,Female,6251524226 + +``` + +### Anonymizing a SQL Server table + +The following example overwrites the `UR_Resources` table of Identity Manager's database with +anonymized data for the `C3`, `C8`, `CA`, `CB`, `CC` and `CD` columns for all resources whose `Type` +is `17`. 
+ +``` + +.\Usercube-Anonymize.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" --table UR_Resources --columns "number:C3,C8,number:CA,mail:CB,number:CC,number:CD" --select-query "select * FROM UR_Resources WHERE Type = 17" + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --columns required | **Type** Strings **Description** Columns from the CSV or SQL database that need anonymizing. **Usage** The value is a string sequence in the form `type:columname`, separated by a coma `,`, where `type` is used to choose the anonymize algorithm from among the following formats: `string` (default value); `mail`; `number`; `rdn`, and where `columnname` is the actual name, not case-sensitive, of the column to anonymize. | +| --connection-string optional | **Type** String **Description** Connection string to the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | +| --csv-separator (-s) default value: ; | **Type** String **Description** Separator of the input CSV file, provided between simple quotes. **Note:** used only when anonymizing a CSV file. | +| --entry-file (-n) optional | **Type** String **Description** Path to the input CSV file to anonymize. **Note:** required when anonymizing a CSV file. 
| +| --no-transaction optional | **Type** No Value **Description** Disables the SQL transaction for the request made by the anonymizing tool to the target SQL Server database. **Warning:** NETWRIX recommends using this option only when using transactions leads to a failure (exceeded RAM usage, exceeded CPU usage), because it could corrupt the data from the database. Make sure to prepare a backup of the database before using this option. **Note:** used only when anonymizing a database. | +| --output (-o) default value: STDOUT | **Type** String **Description** Path of the output CSV file to write the anonymized data. **Note:** used only when anonymizing a CSV file. | +| --select-query (-q) optional | **Type** String **Description** SQL query to filter the rows to be anonymized. **Note:** used only when anonymizing a database, and useful only when the query includes a "WHERE" condition, otherwise the `--table` and `--columns` arguments are enough. **Usage** The table targeted by the query must be on the table specified in `--table`. **Examples** `SELECT Id, name, firstName FROM Resources WHERE resourceType = 'Person'` is a query with a simple condition. `SELECT * FROM Persons WHERE resourceType = 'Person' AND specialFlag = 'TopSecret'` selects all columns, and adds a specific condition. | +| --table (-t) optional | **Type** String **Description** Name of the table from the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/check-expressionsconsistency/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/check-expressionsconsistency/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md 
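Review bot: in docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md, the link labels in the Metadata, Entity types, Entity properties and Primary key sections all read "Entity Type" or "Entity Type Mapping" where a different topic is clearly meant, so the text ends up saying "An Entity Type includes: One or more Entity Type" and "one of the scalar properties should be chosen as Entity Type Mapping". Please restore the intended labels and targets, and drop the empty `[](...)` links that precede several of them. Also in this hunk: the Computed property section has an empty code span ("An element `` can be used"), so the element name is missing; the emphasis markup in the association example is broken (`**zero or more\_**Position\_`); "he other columns" should be "The other columns"; and the table is called `UR_Resources` under Database mapping but `UR_Resource` under SQL views.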
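Review bot: in docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md, the "See the [ Executables ] topic for additional information" link points at /docs/identitymanager/6.2/identitymanager/integration-guide/executables/index.md, which is this same new file, so the placeholder page only links to itself. Point it at an existing reference page or drop the sentence until the content exists.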
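Review bot: in docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md, the heading was renamed to "Identity Manager-Agent" and the command to `./identitymanager-Agent.exe`, but the link label in the first paragraph still reads "Usercube-Server"; pick one product name for the page. In the Arguments table the first cell is `--urls required`, which mixes the argument name with its requirement; a separate column would be clearer. The example binds two plain `http://localhost` URLs; if the Agent also accepts `https://` URLs, it would help to say so next to the example.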
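Review bot: in docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/anonymize/index.md, the two examples call different binaries, `./identitymanager-Anonymize.exe` for the CSV case and `.\Usercube-Anonymize.exe` for the SQL Server case, and the page title is still "Usercube-Anonymize"; use one executable name throughout. The `--csv-separator` row says the separator is "provided between simple quotes" while the CSV example passes `-s ","` in double quotes. The Technical Principles section calls the substitutions "deterministic and non-reversible", yet the sample output keeps value lengths, the e-mail domains and the untouched `id` and `gender` columns, so it would be worth stating which columns and properties remain in the clear, so that readers do not treat the output as fully anonymous when sharing it. The SQL example connection string sets `encrypt=false`; since this run reads and overwrites personal data, consider showing an encrypted connection or noting that the setting is meant for a local instance. Typos in the `--columns` row: "columname" and "coma".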
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md new file mode 100644 index 0000000000..9dacc5bde6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md 
@@ -0,0 +1,33 @@ +# Usercube-Compute-CorrelationKeys + +This tool is used to compute the values of all correlation keys. + +## Examples + +The following example computes the correlation keys of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. | +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. 
| +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in [SelectUserByIdentityQueryHandler](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/configuration-transform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/configuration-transform/index.md new file mode 100644 index 0000000000..0ed8fac7e6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/configuration-transform/index.md 
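Review bot: In compute-correlationkeys/index.md, the Arguments table lists `--batch-size (-q)` twice with identical text and is interrupted three times by empty `| | |` / `| --- | --- |` rows, which show up as blank and dash-only rows in the rendered table; drop the duplicate row and the stray separator rows. The page title is still `Usercube-Compute-CorrelationKeys` while the example invokes `identitymanager-Compute-CorrelationKeys.exe`, so use one name or state that the executable was renamed. The example connection string carries `encrypt=false`; because readers copy these lines, say that this is a local-only setting or show the example without it.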
@@ -0,0 +1,41 @@ +# Usercube-Configuration-Transform + +This tool applies a series of transformations specified in a JSON file, on the content of a given +directory. + +## Example + +The following example searches all occurrences of `Directory_User` in the files inside +`C:/UsercubeDemo/Conf` whose names: + +- contain `guest` to replace all occurrences with `Directory_Guest`; +- contain `bot` to replace all occurrences with `Directory_Bot`. + +The resulting files are saved in `C:/UsercubeDemo/ConfTransformed`. + +``` +./identitymanager-Configuration-Transform.exe --input "C:/UsercubeDemo/Conf" --output "C:/UsercubeDemo/ConfTransformed" --transformation-file "C:/UsercubeDemo/transformations.json" +``` + +transformations.json + +``` +{ + "*guest*": { + "Directory_User": "Directory_Guest" + }, + "*bot*": { + "Directory_User": "Directory_Bot" + } +} +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --input required | **Type** String **Description** Path of the directory on which the transformations are to be applied. | +| --transformation-file required | **Type** String **Description** Path of the JSON file that contains the transformations to be applied. 
The first half of the following JSON transformation file intends to search all files in the input directory whose names are `filename` (case-insensitively). In those files, any occurrence of `ToBeReplaced` (case-sensitively) is replaced with `Replacement`. `\{ "filename": \{ "ToBeReplaced": "Replacement" \}, "partialfilename*": \{ "ToBeReplaced2": "Replacement2" \} \}` **Note:** instead of a specific file name, Identity Manager can search for files whose names contain a specific string, using the character `*`. | +| | | +| --- | --- | +| --output required | **Type** String **Description** Path of the folder where the result will be saved. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/create-databaseviews/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/create-databaseviews/index.md new file mode 100644 index 0000000000..b6f78a5cd2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/create-databaseviews/index.md 
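Review bot: In configuration-transform/index.md, the `--transformation-file` row leaves the wildcard rule ambiguous: the Example section says `*guest*` selects files whose names contain `guest`, while the row's note says `*` finds names that contain a string but illustrates it with `partialfilename*`, which has only a trailing wildcard. State whether `*` is a general glob and whether a key without `*` must match the whole file name, since a looser match than intended rewrites `Directory_User` in files the operator did not mean to touch. The inline JSON with escaped braces and the phrase "The first half of the following JSON" would read better as a fenced block below the table, as is done for transformations.json in the example.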
@@ -0,0 +1,38 @@ +# Usercube-Create-DatabaseViews + +Generates entity model SQL views in the Identity Manager database. All views are prefixed by `zz_`. +This tool deletes all views starting by `zz_` and creates views from the entity model described in +the running configuration. + +For every **EntityType**, a matching SQL view is created from the UR_Resource table. + +## Example + +The following example allows the user to connect to Identity Manager server at +`http://usercube.contoso.com`, using the ClientId `Job` and Secret `secret`, to generate views for +Identity Manager's database. + +``` +./identitymanager-Create-DatabaseViews.exe --api-secret secret --api-client-id Job --api-url "http://usercube.contoso.com" --log-level Debug +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --progress-use-database optional | **Type** String **Description** Update progress in the SQL database. | +| --progress-use-database-child-instance optional | **Type** String **Description** Initiate child task instance. | +| --progress-use-api optional | **Type** String **Description** Update progress with the API. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. 
| +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | + +You can explore created views in the Identity Manager database's Views folder in SQL Server +Management Studio + +![SSMS Views](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp) diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/csv-transform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/csv-transform/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/csv-transform/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/csv-transform/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/decrypt-file/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/decrypt-file/index.md new file mode 100644 index 0000000000..f36627ef7b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/decrypt-file/index.md 
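Review bot: In create-databaseviews/index.md, the example passes `--api-secret secret` together with `--api-url "http://usercube.contoso.com"`, so the documented invocation authenticates with the ClientId/Secret pair over plain HTTP; use an `https://` URL in the example, as the deploy-configuration page does. The intro says the tool deletes all views starting by `zz_`; add a sentence telling readers that this includes any view they created themselves under that prefix. The three `--progress-use-*` rows are typed String but their descriptions read like switches, so either document the expected value or change the type, and remove the empty `| | |` / `| --- | --- |` rows.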
@@ -0,0 +1,29 @@ +# Usercube-Decrypt-File + +In Identity Manager, files are encrypted by default. This tool decrypts an input file to save it +into an output file or an OutPutConsole that can be used in Powershell scripts or programs. + +## Examples + +### Result loaded in OutPutConsole (PowerShell Script) + +The following example, used in a Powershell script, saves in the variable `decryptFile` the string +obtained by decrypting the files specified by the `ordersFile` variable. The decryption is made +using the agent side certificate defined in the agent's `appsettings.json`. + +``` + +$decryptFile = & ./identitymanager-Decrypt-File.exe --files $ordersFile + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) required | **Type** String **Description** List of all the files to decrypt. | +| --encoding (-e) default value: UTF-8 | **Type** String **Description** Encoding used for any encryption/decryption. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| --output-path (-o) optional | **Type** String **Description** Output path to save all decrypted files. **Note:** used only when the result is saved in a file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md new file mode 100644 index 0000000000..383a8bf2f9 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md 
@@ -0,0 +1,64 @@ +# Usercube-Deploy Configuration + +Retrieves all XML configuration files from a given folder, in order to calculate the configuration +items to insert, update or delete in the application. + +## Examples + +Locally + +The following example deploys an on-premise configuration via a direct connection to the database +through its connection string: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Remotely + +The following example deploys a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --api-url https://my_usercube_instance.com +``` + +**_RECOMMENDED:_** To be able to deploy a SaaS configuration, you must first provide your Identity +Manager administrator with identity information. See the +[ Identity Manager Deploy the Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md) +topic for additional information. + +## Arguments + +The table below displays the arguments for the Identity Manager configuration deployment. + +| Argument Name | Type | Description | +| ----------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | String | Path to the configuration folder. 
| +| --continuous-deployment (-a) optional | No Value | Enables automatic deployment when saving an XML file. | +| --deployment-slot optional | DeploymentSlot | Type of the targeted server among the slot names provided by Netwrix' SaaS team. For example: Development, Staging, Production. it is required when working in a SaaS production environment. | +| --dump-changes-directory optional | String | Path to a directory that will receive the logs of all modifications made to the database. _Remember,_ it can be used with --simulate-only for an additional security before deploying to production. | +| --enable-saas-checks optional | No Value | Enables the checks necessary to deploy in a SaaS environment. _Remember,_ it is enabled automatically when working in SaaS. This argument can be used when deploying locally in order to anticipate a future SaaS deployment. | +| --force-bindings (-bi) optional | No Value | Forces the recomputation of binding paths in the database. | +| --force-cascade-delete optional | No Value | Enables the deletion or archiving of XML configuration items that require extra care and/or approval, usually for dependency issues. _Remember,_ Netwrix recommends using this option only when prompted by the deployment tool. | +| --force-categories (-c) optional | No Value | Forces the recomputation of the counters for role categories in the database. | +| --force-expressions (-e) optional | No Value | Forces the recomputation of C# expressions in the database. | +| --force-permissions (-p) optional | No Value | Forces the recomputation of access permissions in the database. | +| --force-translations optional | No Value | Forces the recomputation of the translations for the activity template states and the internal display name properties in the database. | +| --http-client-timeout-supplement optional | Int32 | Duration (in minutes) after which the deployment command times out, in addition to the default 30 minutes. 
| +| --no-create-index optional | No Value | Disables the creation of indexes related to the configuration. _Remember,_ Netwrix recommends using this option only when advised by the support team. | +| --reset-database optional | No Value | Deletes the whole database and creates an empty one before deploying. | +| --resource-identity-property optional | String | Overrides the resource identity property used by the **SelectUserByIdentityQueryHandler** settings. | +| --simulate-only optional | No Value | Computes and previews on the screen all the changes to be made, but without editing the database. | +| --api-client-id optional | String | Login of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. | +| --api-secret optional | String | Password of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. | +| --api-url optional | String | URL of the server to export/deploy the configuration to, for remote changes. _Remember,_ it is required when --database-connection-string is not specified. | +| --database-connection-string optional | String | Connection string of the database. _Remember,_ it is required when --api-url is not specified. | +| --product-translation optional | No Value | Path of the JSON file that contains the application's translations. See the [Import Product Translations into Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md) topic for more details on how to import the product's translations. | +| --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. | 
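Review bot: In deploy-configuration/index.md, the `--reset-database` row ("Deletes the whole database and creates an empty one before deploying") carries no caution, although milder options such as `--force-cascade-delete` and `--no-create-index` get a _Remember,_ note; add one, and point to `--simulate-only` with `--dump-changes-directory` as the check to run first. The `--product-translation` row is typed No Value but described as "Path of the JSON file", so the type should be String. Both examples are preceded by "Code attributes enclosed with `<>` need to be replaced", yet neither command contains a `<>` placeholder; restore the placeholders or drop the sentence. The **_RECOMMENDED:_** callout states a requirement ("you must first provide"), so label it accordingly, and the `--api-client-id` / `--api-secret` rows say "It will be deprecated soon, rather contact the support team" without naming what replaces them.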
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md new file mode 100644 index 0000000000..3c18b31e4c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md 
@@ -0,0 +1,60 @@ +# Usercube-EasyVistaTicket-UpdateFulfillmentState + +The use of this executable supposes a previous use of the `Usercube-Fulfill-ToEasyVistaTicket` +executable. + +`Usercube-Fulfill-ToEasyVistaTicket` creates tickets in an EasyVista instance: +`Usercube-EasyVistaTicket-UpdateFulfillmentState` sets the fulfillment state of the corresponding +assigned resource types in Identity Manager for tickets that are closed (`Executed`) or canceled +(`Error`). + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for all resource types that have a target entity type of the connector `EasyVista`, +we set the fulfillment state of the corresponding assigned resource types. 
+ +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for the resource types `EasyVista_NominativeUser` and `EasyVista_Administrator`, we +set the fulfillment state of the corresponding assigned resource types. + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an[ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. | +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | 
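Review bot: In easyvistaticket-updatefulfillmentstate/index.md, the `--login` row is described as "Path of the file used for complete synchronization", which looks copied from another tool; the examples pass `--login "Contoso"` next to `--account` and `--password`, so describe it as the EasyVista login. All four examples put `--api-secret "secret"` and `--password "cOntoSo6789"` directly on the command line while the table also lists `--vault`, `--vault-connection-string` and `--certificate-identifier`; say whether those options can supply these credentials, so that readers have a documented alternative to inline secrets. Fix the missing spaces in `"secret"--url` (last example) and in `--resource-typesis` / `--connectoris` in the Argument Name column, and remove the empty `| | |` / `| --- | --- |` rows.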
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/encrypt-file/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/encrypt-file/index.md new file mode 100644 index 0000000000..e88be51f08 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/encrypt-file/index.md 
@@ -0,0 +1,37 @@ +# Usercube-Encrypt-File + +In Identity Manager, files are encrypted by default. This tool encrypts an input file or the +InputConsole of a Powershell program or file to save it as an encrypted output file. This task +cannot be configured in the configuration. + +## Examples + +### Launch the tools with input console (powershell script) + +The following example, used in a Powershell script, decrypts the file(s) specified by the +`csvResult` variable and saves the result in the location specified in `resultsFile`. The encryption +is made using the certificate's thumbprint, store location and store name. + +``` + +$csvResult | & ./identitymanager-Encrypt-File.exe --file-cert-thumbprint $certificateThumbprint --file-cert-store-location $certificateStoreLocation --file-cert-store-name $certificateStoreName --output-path $resultsFile + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) optional | **Type** String **Description** List of all the files to encrypt. **Note:** required when the entry is made of files. | +| --output-path (-o) optional | **Type** String **Description** Output path to save the encrypted files or input console. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. | +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. 
| +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-bacpac/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-bacpac/index.md new file mode 100644 index 0000000000..03d89a3b07 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-bacpac/index.md 
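Review bot: In encrypt-file/index.md, the example paragraph says the script "decrypts the file(s) specified by the `csvResult` variable", but the command pipes `$csvResult` into `identitymanager-Encrypt-File.exe` and the next sentence talks about encryption; change "decrypts" to "encrypts" and say that `$csvResult` is console input rather than a file list, since `--files` is not used in the command. The `--files` row is typed String although it is described as "List of all the files to encrypt". The six `--file-cert-*` rows are all marked optional without saying which combinations are valid (store lookup by thumbprint or DN versus PFX file with `--file-cert-password`) or which certificate is used when none is given.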
@@ -0,0 +1,35 @@ +# Usercube-Export-Bacpac + +This tool exports the database to a bacpac file, as a backup. + +## Examples + +The following example generates to \ a bacpac file from the Identity Manager +database with the given connection string and based on the bacpac template from the SQL folder. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Export-Bacpac.exe --database "" -s "" --bacpac-path 0 --template-bacpac-path "" + +``` + +## Arguments + +The list of arguments: + +| Argument Name | Type | Description | +| ------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --database-connection-string (-s) required | String | Connection string of the database. | +| --database required | String | Name of the database. | +| --template-bacpac-path required | String | Path of the empty bacpac file or dacpac file containing the database schema. The database export tool includes a .dacpac file, \, in the Runtime folder and should be used as the value for this parameter. It can be generated manually by exporting an empty Identity Manager database. | +| --temp-bacpac-path optional | String | Path of the temporary folder storing the database's data. | +| --bacpac-path required | String | Path of the generated bacpac file. | +| --without-history default value: false | Boolean | True to exclude history data. | +| --without-job-instances default value: false | Boolean | True to exclude job and task instances. | +| --without-workflow-instances default value: false | Boolean | True to exclude workflow instances. 
| +| --without-campaign-instances default value: false | Boolean | True to exclude access certification campaign items. | +| --without-temp default value: false | Boolean | True to exclude the data of temporary tables. | +| --without-all default value: false | Boolean | True to exclude history data, job and task instances, workflow instances and access certification campaign items. _Remember,_ this option represents the usual use-case. | +| --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md new file mode 100644 index 0000000000..02420e6b67 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md 
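Review bot: In export-bacpac/index.md, the placeholders have been lost from the example: the text reads "generates to \ a bacpac file", the command is `--database "" -s "" --bacpac-path 0 --template-bacpac-path ""`, and the `--template-bacpac-path` row names the bundled file only as "a .dacpac file, \,", while the page still says attributes enclosed with `<>` must be replaced. Restore the `<...>` values, escaped so that the Markdown build keeps them, and replace `--bacpac-path 0` with a path. Since the output is a copy of the database, say where the file should be stored, and move the remark that `--without-all` "represents the usual use-case" out of the table row and into the example so readers see it before running the export.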
@@ -0,0 +1,187 @@ +# Usercube-Export-Configuration + +Generates in a folder the files of the configuration found in the database. + +While the deployment process is about taking the configuration elements from the XML files to insert +them in the database, the export process is about taking the configuration elements from the +database to generate XML files: + +- A basic export will export the XML configuration that was latest deployed to the database, + including images like logos and favicons; +- A marked export will export the whole configuration as XML files, including the configuration + elements created via the UI; + + As Identity Manager can be configured by writing manually in XML files and/or using the UI, the + marked export helps combining both. + + Netwrix Identity Manager (formerly Usercube) recommends configuring Identity Manager via the UI + as much as possible, and completing the configuration via XML files when needed. + +- a basic export will export the translation JSON files; +- a scaffolding export will export the XML configuration generated by scaffoldings. + +![Schema - Export Process](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp) + +For all export types, Netwrix Identity Manager (formerly Usercube) recommends using as output +directory a folder other than the one containing the old XML configuration. This way, the exported +configuration does not overwrite the old one, and: + +- the changes can be clearly viewed in a file comparison tool; +- the interesting changes can be selected individually and inserted in the old configuration, to + update the configuration while keeping any manual changes such as comments. + +### Focus on the marked export + +By default, the configuration elements created via the UI are stored in the database just like the +rest of the configuration, but they are not included in deployment and export processes. 
+ +While UI elements are not marked, they are not included in the XML/database comparison performed +during the configuration deployment process. It means that deploying any configuration will not +affect UI elements. + +On the other hand, once UI elements are marked, they will be included in the XML/database comparison +performed during the next configuration deployment process. Then, if these UI elements are not in +the deployed XML files, they will be removed from the database. + +Be careful about what configuration to deploy and export. + +When configuring through both the UI and XML files, make sure to: + +- Export all UI modifications before making changes in XML files and deploying the configuration + again; +- Deploy all XML modifications before making changes in the UI and exporting the configuration + again. + +## Examples + +### Locally vs. remotely + +The following example exports an on-premise configuration via a direct connection to the database +through its connection string: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example exports a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --api-url https://my_usercube_instance.com + +``` + +To be able to export a SaaS configuration, you must first provide your Identity +Manager administrator with identity information. See the +[ Export the Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) topic for +additional information. 
+ +### Basic export for a change of environment + +The following example exports all configuration elements of the database as a set of XML files, to +the `C:/identitymanager/ExportedConf` folder, for example to move from the pre-production environment to +the production environment. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database. + +The default behavior of this tool exports all XML files, from the configuration elements stored in +the database and the XML/database relationships, as well as logos and favicons. Translations are not +exported. + +Most modifications made in the UI will be ignored too. + +### Export UI configuration elements outside the role model + +The following example exports all configuration elements as a set of XML files, including the +configuration modifications made through the UI, except any elements linked to the role model. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including UI elements (not +role-model-related) that are now marked for export. + +### Export all UI configuration elements + +The following example exports all configuration elements as a set of XML files, including all +configuration modifications made through the UI, especially role-model-related elements. 
+ +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export --mark-rolemodel-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including all UI elements +that are now marked for export. + +### Export translation files + +The following example exports to `C:/identitymanager/ExportedConf` the JSON translation files stored in the +database, one per language, replacing the ancient versions potentially pre-existing in the output +directory. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --export-translation + +``` + +### Export scaffoldings for debug + +The following example exports XML files containing the configuration generated by all scaffoldings. +It exports one folder per scaffolding type, and in each folder one XML file per scaffolding, +containing the configuration generated by the scaffolding. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ConfScaffoldings" --export-scaffolding + +``` + +All XML files from `C:/identitymanager/ConfScaffoldings` are removed and replaced with the new set of XML +files, generated based on the scaffoldings from the configuration. + +The scaffolding export's output is meant only for viewing in debug situations and must not be +inserted in the configuration. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | **Type** String **Description** Path of a directory that will receive the exported configuration. | +| --default-file optional | **Type** String **Description** Path of the file where configuration items are stored by default, when they are not related to a predefined storing file. **Note:** when not specified, these items are not exported. | +| --export-scaffolding optional | **Type** No Value **Description** Exports all scaffoldings and the scaffolded items, i.e. all items generated by scaffoldings. | +| --export-translation optional | **Type** No Value **Description** Exports the JSON files containing all translations, by language. | +| --format-configuration optional | **Type** No Value **Description** Formats the configuration from the folder specified in `--configuration-directory`, in order to correspond to the export result. | +| --mark-for-export optional | **Type** No Value **Description** Exports all configuration elements that were created via the UI, except for those linked to the role model, i.e. the elements exported by the `--mark-rolemodel-for-export` option. 
| +| --mark-rolemodel-for-export optional | **Type** No Value **Description** Exports all the configuration elements linked to the role model: `SingleRole`; `CompositeRole`; `SingleRoleRule`; `CompositeRoleRule`; and the following rules when they are linked to a role: `PendingApprovalRule`; `ResourceNavigationRule`; `ResourceScalarRule`; `ResourceTypeRule`; `ResourceBinaryRule`. **Warning:** this argument cannot be used without the `--mark-for-export` option. | +| --marked-paths optional | **Type** String List **Description** Identifiers of the elements configured through the UI that need to be exported and thus marked for export. **Note:** used to export specific elements, while the `--mark-*-for-export` options are meant to export whole packages of elements. | +| | | +| --- | --- | +| --api-client-id optional | **Type** String **Description** Login of the account authorized by Netwrix Identity Manager (formerly Usercube) for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-secret optional | **Type** String **Description** Password of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-url optional | **Type** String **Description** URL of the server to export/deploy the configuration to, for remote changes. **Note:** required when `--database-connection-string` is not specified. | +| | | +| --- | --- | +| --database-connection-string optional | **Type** String **Description** Connection string of the database. **Note:** required when `--api-url` is not specified. | +| --product-translation optional | **Type** No Value **Description** Path of the JSON file that contains the application's translations. 
See the [Import Product Translations into Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md) topic for additional information. | +| --scope optional | **Type** String **Description** Path of a folder or file to export/deploy, instead of exporting/deploying the whole configuration. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/export-csv/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-csv/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/export-csv/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-csv/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/export-easyvista/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-easyvista/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/export-easyvista/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-easyvista/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/export-excel/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-excel/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/export-excel/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-excel/index.md 
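Review bot: In the Arguments table of export-configuration/index.md, `--product-translation` is typed "No Value" but described as "Path of the JSON file that contains the application's translations"; an argument that takes a path should be typed String, or the description should say what the flag does when given without a value. Every example connection string in this file also carries `encrypt=false`, and readers copy examples verbatim, so either say that it is meant for a local instance or drop it from the samples. The `--api-client-id` and `--api-secret` rows are marked "soon deprecated, rather contact the support team" without naming the replacement, while the SaaS example above passes only `--api-url`; point to the supported authentication path there. Minor: "replacing the ancient versions" reads better as "previous versions", and the `| | |` and `| --- | --- |` rows in the middle of the table should be removed or turned into separate tables with their own headers.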
diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/export-scim/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-scim/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/export-scim/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-scim/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/fillbankingdatabase/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/fillbankingdatabase/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md new file mode 100644 index 0000000000..d21bf6e8c7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Fulfill-EasyVista + +This executable creates, updates and archives employees in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. 
| +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-scim/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-scim/index.md new file mode 100644 index 0000000000..9d557a9b03 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-scim/index.md 
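Review bot: In the Arguments table of fulfill-easyvista/index.md, the `--login` row is described as "Path of the file used for complete synchronization", which does not match the examples passing `--login "Contoso"`; it looks copied from another executable and should describe the EasyVista login. The last example under "Resource types specified" is missing a space in `--api-secret "secret"--url`, so it fails if pasted as written, and the labels `--resource-typesis not given` and `--connectoris not given` are missing a space as well. All four examples put `--api-secret` and `--password` values directly on the command line while the table lists `--vault`, `--vault-connection-string` and `--certificate-identifier` with no example; one sample using those options would show readers the alternative to inline secrets. The page title still reads "Usercube-Fulfill-EasyVista" although the file now lives under identitymanager/; confirm the executable name is intended to stay.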
@@ -0,0 +1,43 @@ +# Usercube-Fulfill-Scim + +This executable creates, updates and deleles entries in an application using the SCIM API. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "SCIM" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "SCIM_NominativeUser" "SCIM_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --server required | **Type** String **Description** URL of the SCIM endpoints of your application, not including the v2. | +| --login optional | **Type** String **Description** Specifies the login of the account you may need. | +| --password optional | **Type** String **Description** Specifies the password of the account you may need. | +| --application-id optional | **Type** String **Description** Specifies the application connection login or the login of your application's id provider. | +| --application-key optional | **Type** String **Description** Specifies the application connection password or the password of your application's id provider. | +| --oauth-url optional | **Type** String **Description** The server's url when using OAuth2 authentication. | +| --oauth-token optional | **Type** String **Description** Specifies the OAuth token to connect to the application. | +| --scim-syntax optional | **Type** Enum **Description** Specifies the syntax used for requests body. Has to be one of those values: Salesforce (default value) or CyberArk | 
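Review bot: The examples in fulfill-scim/index.md do not match its Arguments table: every example passes `--url "https://scim.contoso.com"` and `--account "12345"`, but the table documents `--server` and has no `--url` or `--account` row, and `--connector` and `--resource-types`, which the examples are built around, are not listed at all. Align the examples with the documented arguments or add the missing rows. The last example is also missing a space in `--api-secret "secret"--url`. In the opening sentence "deleles" should be "deletes", and the `--scim-syntax` description should end its sentence and format the two values (`Salesforce`, `CyberArk`) as code.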
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md new file mode 100644 index 0000000000..81b570c2a7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Fulfill-ToEasyVistaTicket + +This executable creates tickets in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. 
| +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/generate-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/generate-configuration/index.md new file mode 100644 index 0000000000..6279d1f866 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/generate-configuration/index.md 
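Review bot: The Arguments table of fulfill-toeasyvistaticket/index.md appears carried over unchanged from Fulfill-EasyVista: `--connector` and `--resource-types` are described as the items "we want to update the fulfillment state", and `--login` as "Path of the file used for complete synchronization", none of which fits an executable introduced as "creates tickets in an EasyVista instance". Rewrite these descriptions for ticket creation. The copied examples keep the `--api-secret "secret"--url` missing-space error in the last sample, and the `--task-instance-id` row reads "which have launch the exe"; "that launched the executable" is the intended wording.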
@@ -0,0 +1,84 @@ +# Usercube-Generate-Configuration + +Generates from a CSV file the configuration of a connector with these entities. + +## Overview + +Two subcommands are possible for generation. + +- simpleconnector +- complexconnector + +The simple connector allows you to generate the configuration for a CSV file and create the +connector. The complex connector allows you to generate the configuration for a list of CSV files +and create the connector. + +### 1. Simple connector + +From a CSV file, generates the configuration of the entity representing the CSV file. + +**The subcommand\_\_\_**simpleconnector**\_**must precede the arguments.\_\_ + +### 2. Complex connector + +From a list of CSV files, generates the configuration of the entities representing each file. The +complex connector requires as an argument an xml file containing all the CSV files to be processed +as well as the primary keys of these files. + +Example of xml file + +``` + + + +``` + +- Path: CSV file path. +- File: Name of the files to be processed. +- PrimaryKey: Fills in the primary key of the CSV file. +- Header: Column name in the CSV file. +- EntityTypeName: Indicates the name of the entity to be created. +- Name: name of the connector to be created. 
+ +**The subcommand\_\_\_**complexconnector**\_**must precede the arguments.\_\_ + +## Examples + +### Simple connector + +``` + +./identitymanager-Generate-Configuration.exe simpleconnector -g "C:/GeneratedFile/file" -f "C:/SourceFile/confFile.csv" + +``` + +### Complex connector + +``` + +./identitymanager-Generate-Configuration.exe complexconnector -g "C:/GeneratedFile/file" "C:/SourceFile/confFile.xml" + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --generated-file (-g) required | **Type** String **Description** Path to the generated file. | +| --csv-path (-h) optional | **Type** String **Description** Path to the CSV file. **Note:** used only for a simple connector. | +| --encoding (-e) optional | **Type** String **Description** Encoding of the CSV file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Note:** used only for a simple connector. | +| --csv-separator (-t) optional | **Type** String **Description** Column separator of the CSV file. **Note:** used only for a simple connector. | +| --generated-connector (-r) optional | **Type** String **Description** Name of the generated connector. **Note:** used only for a simple connector. | +| --keep-all-columns (-k) optional | **Type** No Value **Description** Keeps all the columns. | +| --connector-description optional | **Type** String **Description** XML file that describes the CSV files and their primary key columns. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. 
| +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. | +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/get-jobsteps/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/get-jobsteps/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/index.md new file mode 100644 index 0000000000..123a7ccab7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/index.md 
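Review bot: In generate-configuration/index.md the code fence under "Example of xml file" is empty, yet the bullet list right after it explains `Path`, `File`, `PrimaryKey`, `Header`, `EntityTypeName` and `Name`; the XML sample was lost and needs to be restored, otherwise the list has nothing to refer to. The examples also disagree with the Arguments table: the simple connector sample uses `-f "C:/SourceFile/confFile.csv"` while the table gives `--csv-path (-h)`, and the complex connector sample passes the XML path positionally while the table documents `--connector-description`. The two "must precede the arguments" lines contain broken emphasis markup (`**The subcommand\_\_\_**simpleconnector**\_**must precede the arguments.\_\_`) and will render with stray underscores. The `--file-cert-password` row would benefit from a pointer to the protected form of that value if one exists, since the table otherwise suggests a plaintext PFX password on the command line.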
@@ -0,0 +1,170 @@ +# References: Executables + +- [ Identity Manager-Agent ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md) + + Runs the Agent. + +- [Usercube-Anonymize ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/anonymize/index.md) + + Transforms strings to anonymize given data. + +- [ Usercube-Compute-CorrelationKeys ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md) + + Computes the values of all correlation keys. + +- [ Usercube-Configuration-Transform ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/configuration-transform/index.md) + + Applies a series of transformation. + +- [ Usercube-Create-DatabaseViews ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/create-databaseviews/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Usercube-CSV-Transform ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/csv-transform/index.md) + + Modifies a CSV file by performing operations on its headers and/or columns. + +- [ Usercube-Decrypt-File ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/decrypt-file/index.md) + + Decrypts an input file to save it into an output file or an OutPutConsole that can be used in + Powershell scripts or programs. + +- [ Usercube-Deploy Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + + Retrieves all XML configuration files from a given folder, in order to calculate the + configuration items to insert, update or delete in the application. 
+ +- [ Usercube-EasyVistaTicket-UpdateFulfillmentState ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md) + + Updates the assigned resource types according to EasyVista tickets state. + +- [ Usercube-Encrypt-File ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/encrypt-file/index.md) + + Encrypts an input file or the InputConsole of a Powershell program or file to save it as an + encrypted output file. + +- [Usercube-Export-Bacpac](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-bacpac/index.md) + + Exports the database to a bacpac file. + +- [ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) + + Generates in a folder the files of the configuration found in the database. + +- [Usercube-Export-Csv ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-csv/index.md) + + Exports CSV files. + +- [ Usercube-Export-EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-easyvista/index.md) + + Exports CSV files. + +- [Usercube-Export-Excel ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-excel/index.md) + + Exports Excel files. + +- [Usercube-Export-Scim ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-scim/index.md) + + Exports SCIM entries to a CSV file. + +- [Usercube-FillBankingDatabase ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md) + + Fills the `BankingSystem` database for the Banking demo application. 
+ +- [ Usercube-Fulfill-EasyVista ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md) + + Creates, updates and archives employees in an EasyVista instance. + +- [Usercube-Fulfill-Scim ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-scim/index.md) + + Creates, updates and deleles entries in an application using the SCIM API. + +- [Usercube-Fulfill-ToEasyVistaTicket ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md) + + Creates ticket in an EasyVista instance. + +- [Usercube-Generate-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/generate-configuration/index.md) + + Generates from a CSV file the configuration of a connector with these entities. + +- [ Usercube-Get-JobSteps ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) + + Returns the list of all tasks present in a given job. + +- [ Usercube-Invoke-Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md) + + Launches a job on the agent side. + +- [ Usercube-Invoke-ServerJob ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md) + + Launches jobs on the server side. + +- [ Usercube-Login ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md) + + Provides an authentication token needed for SaaS configuration deployment/export. + +- [ Identity Manager-Manage-Configuration Dependent Indexes ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md) + + Creates the necessary indexes based on the latest deployed configuration to optimize + performances. 
+ +- [Usercube-Manage-History](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-history/index.md) + + Manages the data history stored in the database. It can purge old data or consolidate the + history. + +- [ Usercube-New-OpenIDSecret ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) + + Allows to generate the hashed password of the secret to connect to the given client for agent + side job Identity Manager. + +- [ Usercube-PasswordGenerator ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/passwordgenerator/index.md) + + Generates a password. + +- [ Usercube-Prepare-Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md) + + Cleanses exported CSV files. + +- [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) + + Encrypts a .pfx archive password using a Identity Manager provided RSA key. + +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + + Encrypts sensitive data from a given JSON file. + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + + Encrypts the values of sensitive data. + +- [ Usercube-RefreshSchema ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/refreshschema/index.md) + + Refreshes the schema of a given connection. Takes as input a connection, and refreshes its + schema. The result of the update is stored into the database. 
+ +- [Usercube-Send-PasswordNotification ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md) + + Sends a mail notification for a password initialization or change. + +- [Usercube-Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md) + + Runs the Server. + +- [Usercube-Update-EntityPropertyExpressions ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md) + + Recomputes the values of all properties defined via expressions. + +- [Usercube-Upgrade-ConfigurationVersion ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md) + + Upgrades your configuration from your current version entered in settings to the latest version. + +- [Usercube-Upgrade-DatabaseVersion ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md) + + Runs all the migration scripts to upgrade the database. + +- [ Identity Manager-Agent ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/agent/index.md) + + Runs the Agent. + +- [Usercube-Check-ExpressionsConsistency](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md new file mode 100644 index 0000000000..32f116b93e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-job/index.md 
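Review bot: In the executables list, two link texts break the naming every other entry uses: `Identity Manager-Manage-Configuration Dependent Indexes` and `Identity Manager-Agent` look like a product-name replacement applied to executable names. Readers copy these names to the command line, so the link text should match the real executable name. The `Usercube-Fulfill-Scim` description has a typo ("deleles" for "deletes"). The last entry, `Usercube-Check-ExpressionsConsistency`, has no description line and, together with the Agent entry, sits after the `Upgrade-*` entries instead of in alphabetical position.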
@@ -0,0 +1,93 @@ +# Usercube-Invoke-Job + +This tool launches a job on the agent side. + +## Behavior Details + +The Usercube-Invoke-Job.exe tool is a state machine. + +![Schematization](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp) + +When a job is launched, the state machine starts by computing all the tasks that must be launched in +the job. + +Each task is assigned a launch order which can be configured in +[ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) steps. All the job's tasks are grouped +together according to their launch order, and they are launched by group. Such task grouping allows +the job to be faster executed. + +The launch orders of all the tasks of a job can be listed by using the +[ Usercube-Get-JobSteps ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) executable. + +Before any task is launched, the state machine checks the task's parent tasks in order to verify +whether the task must be launched or not. + +If the task must be launched, then the state machine checks whether the task should be started +server- or agent-side. + +Then the task is launched, and then: + +- if the task completes successfully, then the next task is loaded and started, or if this was the + last task then the job ends successfully; +- if the task exits in error, then the whole job exits in error and stops; +- if the job is requested to stop from the UI, then the job's state switches to `cancelled` and is + transmitted to the current task in order to not launch the next task; + + A canceled job is not stopped straight away, as the current task first needs to be finished. + +- if the task exits in error while the warning mode is active, then the next job is loaded. + + Only export tasks can have this warning mode. 
+ +- if the task exits blocked, then the whole job stops and can be restarted manually at its + breakpoint; + + Only synchronization and provisioning tasks can exit blocked. + +In the case where the job is blocked and restarted: + +- if the blocked task is a + [ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), + then the state machine runs a synchronization validation on the related connector, and uses the id + of the blocked task instance to synchronize the related tables; +- if the blocked task is a + [`GenerateProvisioningOrdersTask`](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md), + then the state machine forces the same provisioning on the related connector. + + Both the synchronization validation and the forced provisioning are virtual jobs that do not + exist in the database. However, they will be visible in the UI which keeps track of any launched + task. + +In both cases, the state machine resumes the job with the tasks that were not started due to the +blockage. + +Any task launched by the state machine is linked to a job instance in order to keep track of the +launch group. 
+ +## Example + +``` + +./identitymanager-Invoke-Job.exe -j "AccessCertificationEnd" --api-secret secret --api-client-id Job --api-url "http://localhost:5000" + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md new file mode 100644 index 0000000000..d41352629a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md 
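Review bot: In the Example block of invoke-job/index.md the command is `./identitymanager-Invoke-Job.exe`, while the heading and the Behavior Details text call the tool `Usercube-Invoke-Job.exe`; pick one, because a copied command fails if the binary on disk has the other name. The same example passes `--api-secret secret` literally and targets an `http://` URL, so add a sentence saying these are sample values for a local instance. In the state list, "if the task exits in error while the warning mode is active, then the next job is loaded" presumably means the next task. In the Arguments table, the `--api-secret` row reads "Connect /Secret pair/Secret pair", the `--api-client-id` row reads "Connect /Secret pair", and the empty `| | |` and `| --- | --- |` rows render as blank rows in the middle of the table.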
@@ -0,0 +1,32 @@ +# Usercube-Invoke-ServerJob + +## Invoke a Job (Server Side) + +To launch the job in the Server side only you need to run the executable +Usercube-Invoke-ServerJob.exe. + +To know the task launch orders in job use the following exe: Usercube-Get-Job Steps .exe. See the +[ Usercube-Get-JobSteps ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) topic for additional information. + +## Examples + +``` + +.\Usercube-Invoke-ServerJob.exe -g "CleanDatabase" -s secret + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | 
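Review bot: The Examples command in invoke-serverjob/index.md uses options the Arguments table does not define. `-g "CleanDatabase"` has no matching row (the job identifier is documented as `--job-identifier (-j)`), and `-s secret` collides with `--task-string-contains (-s)`, so as documented the example would select tasks whose identifier contains "secret" rather than authenticate. Either change the example to the documented flags or add the missing `-g` and secret arguments to the table. The table also opens with an empty `| | |` row and a second `| --- | --- |` separator that should be dropped, and "Usercube-Get-Job Steps .exe" should be written as the executable name, without spaces.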
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md new file mode 100644 index 0000000000..b49aa43343 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Login + +Delegates the authentication process to a third-party Identity Provider which will provide an +authentication token required to allow the remote deployment/export of Identity +Manager configuration. + +The provided authentication token is meant to be sent to the Identity Manager administrator. + +## Examples + +The following example launches the authentication to Identity Manager's in-house Identity Provider +(IDP). It will open your default browser to `http://localhost:5005` where you will be redirected to +Identity Manager's IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe + +``` + +The following example launches the authentication to a specific Identity Provider whose +authentication URL and Client Id are respectively `https://my_oidc_authentication_server.com` and +`34b3c-fb45da-3ed32`. It will open your default browser to `http://localhost:5005` where you will be +redirected to the IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32 + +``` + +The following example launches the authentication to Identity Manager's Identity Provider, but using +a specific port `5050`. It will open your default browser to `http://localhost:5050` where you will +be redirected to Identity Manager's IDP. that will provide you with the authentication token. 
+ +``` + +./identitymanager-Login.exe --port 5050 + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --authority optional | **Type** String **Description** Base URL of the Identity Provider used for authentication. When not specified, Identity Manager provides an in-house Identity Provider. | +| --client-id optional | **Type** String **Description** Client Id of the application authorized to delegate the authentication to the specified Identity Provider. When not specified, Identity Manager provides the Client Id for the in-house Identity Provider. **Note:** ask for this id to your internal administrator. | +| --port default value: 5005 | **Type** Int64 **Description** Port used to run the local web page. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md new file mode 100644 index 0000000000..06d2e5dd34 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md 
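Review bot: The introduction of login/index.md says the token "is meant to be sent to the Identity Manager administrator" but the page never says how it should be transmitted. Since this token is what allows remote configuration deployment/export, add a sentence on the expected channel or link to the topic that covers it. The examples run `./identitymanager-Login.exe` under a `# Usercube-Login` heading, and the third example has a stray period in "Identity Manager's IDP. that will provide". In the Arguments table, "ask for this id to your internal administrator" should read "ask your internal administrator for this id", and the `--port` row lacks the optional/required marker the other rows carry.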
@@ -0,0 +1,38 @@ +# Identity Manager-Manage-Configuration Dependent Indexes + +This tool creates the necessary SQL indexes based on the latest deployed configuration to optimize +certain queries performances. + +## Available optimizations: + +- Creates SQL indexes and statistics to optimize searches on specific entity types +- Creates SQL indexes to optimize joins between records and main entity types +- Creates SQL indexed views used to compute dashboard counters + +## Examples + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -e "Directory_User" -r "Directory_UserRecord" "Directory_Guest" -dc -s "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -auto -dc -s "data +source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --entityTypes (-e) optional | __Type__ String List __Description__ Sets the list of entity types for which optimization indexes will be created/updated. | +| --recordEntityTypes (-r) optional | __Type__ String List __Description__ Sets the list of record entity types for which optimization indexes will be created/updated. | +| --userProperties (-p) optional | __Type__ String List __Description__ Sets the list of User' properties that link the records and the users. (the order of the given userProperties' must match the order of the given recordEntityTypes'). | +| --dashboardCounter (-dc) optional | __Type__ No Value __Description__ Adjusts the indexed views for the dashboard counters appropriately. | +| --auto optional | __Type__ No Value __Description__ The entity types, record entity types and user properties are deduced automatically from the provisioning rules configured in the database. 
| +| --apply-to-database (-a) optional | __Type__ No Value __Description__ Directly applies the resulting SQL script to the database. | +| | | +| --- | --- | +| --database-connection-string required | __Type__ String __Description__ Connection string of the database. | +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-history/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-history/index.md new file mode 100644 index 0000000000..634f810cbd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-history/index.md 
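Review bot: The code fences in the Examples section of manage-configurationdependantindexes/index.md are unbalanced. The first example is fenced, but the second (`-auto -dc -s "data source=..."`) sits outside any fence and is hard-wrapped inside the quoted connection string. The fence opened after it is closed only after the last table row, so the whole Arguments table renders as a code block. Close a fence around each example and drop the trailing one. Both examples pass the connection string with `-s` and the second uses `-auto`, while the table documents only `--database-connection-string` and `--auto` with no short forms; align the examples and the table. The sample connection strings set `encrypt=false`; if that is meant only for a local instance, say so next to the example. The table uses `__Type__` where the sibling pages use `**Type**`.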
@@ -0,0 +1,132 @@ +# Usercube-Manage-History + +This tool optimizes the data history stored in the database, reducing its size and enhancing +database performance. + +The inner workings of this executable are based on the `ValidFrom` and `ValidTo` attributes that +specify the validity period of a given assignment. These attributes are inside the following tables +which are the tables actually purged: `ur_resources`; `ur_resourcelinks`; +`up_assignedcompositeroles`; `up_assignedsingleroles`; `up_assignedresourcenavigations`; +`up_assignedresourcetypes`. + +## Examples + +Purge before a period + +To clean the database periodically, it can be purged of all the history older than a given period of +time. + +The following example deletes all the history from the database that is more than 12-month old: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-months 12 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Purge before a date + +The database can be purged of all history older than a given date. + +The following example deletes all the history from the database older than May 26th 1993: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-date 19930526 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Optimize + +The database's history can be optimized by removing intermediate versions based on their age, for +example keeping only one version the last week, one per month the last 6 months and then one per +year for 3 years. + +The following example reduces the history from the database, keeping at most one history version per +interval. 
Here we keep one version per day (1440 minutes) in the last 7 days, then one version per +month (43920 minutes) in the last 6 months before the previously defined period, then one version +per year (525960 minutes) in the last 2 years before the previously defined periods. + +![Schema - Optimize](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp) + +For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the +versions are merged in the following way: + +- The latest version is kept +- The oldest date is kept (that is, in the database, the `ValidFor` is equal to the one of the + oldest version in the considered period). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --optimize "1440:7 43920:6 525960:2" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +If you want to configure a time period when there is no purge and all history is kept as is, then +you can specify a short duration that allows a single change, for example only one minute. The +following example copies the previous one, in addition we want to keep all changes of the last 6 +hours (360 minutes): `--optimize 1:360 1440:7 43920:6 525960:2`. + +Clean duplicates + +As given data can have several versions in the database, redundant rows can be deleted and replaced +with one row that covers the consolidated time range. + +The following example remove all duplicates in the database. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --clean-duplicates --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example remove all duplicates induced by the `pwdLastSet` property. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --clean-duplicates --excluded-resource-columns "pwdLastSet" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +Solicit memory rather than the database + +To reduce the database load, the tool's optimizations can be made via the local device's memory. + +The following example deletes all the history from the database that is more than 12-month old, the +optimizations being computed in memory instead of in the database: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --purge-before-months 12 --in-memory --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +## Arguments + +| Argument Name | Type | Description | +| ------------------------------------------------------------ | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --clean-duplicates optional | No Value | Removes duplicate historical data. | +| --entity-type required if --excluded-resource-columns is set | String | When using `--clean-duplicates` option, defines the entity type (Id or Identifier) that should have its duplicates removed from the `UR_Resources` table. | +| --excluded-resource-columns required if --entity-type is set | String list | When using `--clean-duplicates` option, defines the list of column names (the name of the columns in the `UR_Resources` table, or the Identifier of the corresponding um_entityproperty) to exclude when comparing rows of `UR_Resources` table. | +| --in-memory default value: False | No value | Performs optimizations in memory instead of the database. It implies heavy memory consumption but light SQL load. 
| +| --optimize optional | String list | Reduces the history and optimizes the versions that are kept based on the precision given through ranges in the argument. A range is specified by a duration in minutes followed by the number of occurrences. For example 60:10 defines a range of 60 minutes repeated 10 times, or 10 snapshots repeated at 60 minute intervals. For each interval, at most one version is kept in the history. The intervals are evaluated in the given order from now, backwards. In the previous example, it means the more recent versions are kept with a high precision (one per day initially), then with lesser and lesser precision (one per month and then one per year). If the data has not changed over an interval, no optimization can be done. | +| --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. | +| --purge-before-months optional | String | Deletes all the history older than the given number of months. | +| --database-connection-string required | String | Connection string of the database. | + +The available actions (clean duplicates; purge; optimize) are all optional, but at least one must be +used in the executable command. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md new file mode 100644 index 0000000000..fa9d151948 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md 
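Review bot: The Arguments table of manage-history/index.md marks `--entity-type` as "required if --excluded-resource-columns is set", but the second Clean duplicates example passes `--clean-duplicates --excluded-resource-columns "pwdLastSet"` without `--entity-type`; fix the example or the requirement. In the Optimize section the merge rule refers to `ValidFor` ("the `ValidFor` is equal to the one of the oldest version"), while the page defines only `ValidFrom` and `ValidTo`, so name the attribute actually meant. The sentence "Code attributes enclosed with `<>` need to be replaced with a custom value" is repeated before every example, yet none of the commands contains a `<>` placeholder. The `--optimize` row says "In the previous example ... (one per day initially)", but the only example in that cell is `60:10`. The inline `--optimize 1:360 1440:7 43920:6 525960:2` also omits the quotes used in the fenced command.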
@@ -0,0 +1,29 @@ +# Usercube-New-OpenIDSecret + +This tools generates an hash. In practice, we hash a client secret but the tool can generate +randomly a hash without an input string. The name of the executable is: +Usercube-New-OpenIDSecret.exe'. + +## Examples + + ``` + + ./identitymanager-New-OpenIDSecret.exe --client-secret + Shared secret for 'secret' is 'K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=' + +```` + + +The output shows the client secret and its hashed version. It must be entered in the [ +OpenIdClient +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) configuration. + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --client-secret optional | __Type__ String __Description__ OpenID client secret that will be hashed by the program. | +| | | +| --- | --- | +| --log-level optional | __Type__ LogLevel __Description__ Level of log information among: ```Verbose```; ```Debug```; ```Information```; ```Warning```; ```Error```; ```Fatal```. | +```` diff --git a/docs/usercube/6.2/usercube/integration-guide/executables/references/passwordgenerator/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/passwordgenerator/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/executables/references/passwordgenerator/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/passwordgenerator/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md new file mode 100644 index 0000000000..7ac058a2ff --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md 
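Review bot: The example in new-openidsecret/index.md runs `--client-secret` with no value, while the output line reports the shared secret for 'secret', so the command shown cannot have produced that output. Show the value being passed, or show the no-argument form with its random result, and state that the printed value is a sample. The fence is also broken: it opens with an indented three-backtick line and closes with four backticks, and a second four-backtick line after the last table row turns the Arguments table into a code block. In the prose, "This tools generates an hash" needs fixing and `Usercube-New-OpenIDSecret.exe'` has a stray quote. "The output shows the client secret and its hashed version. It must be entered in the OpenIdClient configuration" does not say which of the two values goes into the configuration.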
@@ -0,0 +1,135 @@ +# Usercube-Prepare-Synchronization + +`Usercube-Prepare-Synchronization` is used as the second step of the +[Synchronization](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md) process. It cleanses exported CSV files before +sending them to the server for database loading. It is performed on the _Agent_ side. + +## Behavior Details + +The task reads files from the source directory, usually the temp folder > ExportOutput folder. See +the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or an + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), + a `.sorted.csv` file is generated, containing the final, cleansed and sorted result. 
+- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the work folder > Collect directory. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the _export directory_. See the + [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) + topic for additional information. + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Identity Manager can't match. Using managed systems for +these operations avoids generating heavy files and alleviates Identity Manager's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. 
+ +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the _export directory_. It will be used as a reference for the next +_incremental_ Prepare-Synchronization to compute the changes, if needed. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Tampering with the `previous` folder content would result in false changes leading to false +computation. It would result in data corruption in the Identity Manager database. To restore the +Identity Manager database and reflect the managed system data updates, a _complete\_\_Sync Up_ would +be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +### Example + +The figure models the complete _Prepare-Synchronization_ steps applied to an Active Directory +export. 
The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ +and _manager_). + +![Active Directory Prepare-Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Examples + +`Usercube-Prepare-Synchronization` can be used as an executable file as follows: + +``` +./identitymanager-Prepare-Synchronization --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connector --agent myagent --synchronization-mode complete + +``` + +## Arguments + +| Name | Details | +| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --agent required | **Type** [ Agent ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) **Description** Identifier of the agent where the task runs. | +| --connector required | **Type** [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) **Description** Identifier of the linked connector. The task is linked to a connector whose entity types are synchronized. 
| +| --synchronization-mode required | **Type** [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)Mode **Description** Synchronization mode for this task can be one of the following: - Initial - Complete - Incremental This must be the same as the associated Export and Synchronize tasks. Use _initial_ if this is the first time the target managed system is synchronized. Use _complete_ to load the data from the managed system as a whole. Use _incremental_ to consider only incremental changes from the last synchronization. In _incremental_ mode, the Prepare-Synchronization task computes changes in the source managed system since the last _Prepare-Synchronization_. | +| --sources-directory default value: ExportOutput | **Type** String **Description** Directory path, relative to temp folder, from which export files to cleanse are read. See the [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic for additional information | +| --working-directory default value: Collect | **Type** String **Description** The directory path, relative to work folder, to which intermediary and cleansed files are stored. See the [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic for additional information | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. 
| +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md new file mode 100644 index 0000000000..fe5c1639a5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md 
@@ -0,0 +1,46 @@ +# Usercube-Protect-CertificatePassword + +This tool helps protecting `.pfx` archives passwords. Given a plain text password, it generates an +encrypted version, that can be stored in a configuration file in place of the plain text one. The +tool uses a hard-coded secret RSA key to generate the encrypted password. Identity Manager uses the +same key to retrieve the plain text password and read the `.pfx` archive. + +## Examples + +Given a `.pfx` archive protected by the `secret` password, an encrypted version can be generated +with the following command: + +``` +./identitymanager-Protect-CertificatePassword.exe --pfx-password "secret" +``` + +The output is the following : + +``` + +ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA== + +``` + +This encrypted password can now be copied to the relevant location in a configuration file. For +example : + +``` +appsettings.json + +{ +... + "EncryptionCertificate": { + "File": "C:/UsercubeAgentContoso/contoso.pfx", + "Password": "ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA==" + } +... +} + +``` + +## Arguments + +| Name | Details | +| ----------------------- | ---------------------------------------------------------------------------- | +| --pfx-password required | **Type** String **Description** Password of the `.pfx` archive's to encrypt. | 
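Review bot: the introduction of protect-certificatepassword/index.md says the tool "uses a hard-coded secret RSA key" and that Identity Manager "uses the same key to retrieve the plain text password", but it never tells the reader what that implies. A value encrypted with a key built into the product can be reversed by anyone able to obtain that key, so it keeps the password out of plain sight rather than protecting it from someone who can read the configuration file. Add a sentence saying so, and recommend that access to `appsettings.json` and the `.pfx` file stay restricted. The example also passes the password as a command-line argument (`--pfx-password "secret"`); say whether another input method exists. Wording: "helps protecting" should be "helps protect", and "Password of the `.pfx` archive's to encrypt" should be "Password of the `.pfx` archive to encrypt".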
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md new file mode 100644 index 0000000000..49bdc6ab42 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md 
@@ -0,0 +1,133 @@ +# Usercube-Protect-X509JsonFile + +This tool is used to encrypt a JSON file containing sensitive connection data, for example the +`appsettings-agent.json` file, with +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). The +encryption is based on the information given in your `appsettings.json` file about either a PFX file +or the location of the encryption certificate in the Microsoft store. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +This tool `Usercube-Protect-X509JsonFile` is used to encrypt a whole file, in comparison to the +[ Usercube-Protect-X509JsonValue ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) tool that encrypts only a +given value. This tool is more appropriate than `Usercube-Protect-X509JsonValue` when you have many +lines to encrypt. + +## Examples + +The command below encrypts the `appsettings.agent.json` file from the `C:/UsercubeTraining` folder +and creates the `appsettings.encrypted.agent.json` file in the same folder. + +``` + +./identitymanager-Protect-X509JsonFile.exe --input-json-file-path "C:/UsercubeTraining/appsettings.agent.json" --output-json-file-path "C:/UsercubeTraining/appsettings.encrypted.agent.json" + +``` + +For example it takes this : + +``` +appsettings.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": 0 + }, + "OpenId": { + "OpenIdClients": { + "Job": "secret" + }, + "DefaultOpenIdClient": "Job" + }, + + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "http://localhost:3000" + }, + "NotificationSettings": { + "Cultures": [ + "en" + ] + } + }, + ... 
+} + +``` + +And it returns this : + +``` +appsettings.encrypted.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": "kxABAEh6CpUOAOMBNPNLKazx9I0vqummv24acN292gonFiK4ov81bjqE2ic+n+HqastXU2aTQcl3IefhEXn9KA2dhnIbDTXB4GhOn9lL9AzUfwKXBr5EBmVy7ggruG2ewpWGK1c3LBJ35km9XvCnzSHLfolZwHNPwM/8b/C6XqSzieoFcO5H92IGJ1lFRboacvp0rO+SkkUv63Ewsk+1MrVLa63oBgWfY6PhMeJvNpWGqCD+I614hB6jE2Li/recwQIPd10XEgFM1OEkZ5ZiO+URxX7MCBe1o20rTaczKR7e7lLQGa/e3Y3i1sFnCm+yRm/lzw0qtDvOtCXlPT13EsHsUunxnR3uH4R6lRBXT30OKobaX7MTQjGkLRChss/GVGCK5w==" + }, + "OpenId": { + "OpenIdClients": { + "Job": "kxABAOkh0BF2GdMedpzmKZZWVWc8IYaiZO2dofmt7lLBP3vMYgLLZYNDyR3x7Ah7tA1r6oSL5gBT3mSFyXB63NJk+QmZqNW1LWdzh+3U+DvNdQw4OfDfFlC5F+nH3/L5iqWc+h1jMlaQBpkqf42Vr8HwFKtqMXLJVXEIyeHSPgHRp1iOjGkNSRNrRQGJ4pVyo0xKmcWsz3qGYf0SnJIzRJ++PcYh/dJgxHAZFsDnV55X3zg72J8teoIEG82GdNjmCV/W4S4edNCYa1gL3KpgDGQq1GEed71Ht1tVYlHlJ4hckE++otQqTgRA2p4nFvo3LmlMag6k4EQRzEk6TOHUlGjUtYgpzMuPqei8/3CRXy5o8YW5R0wVFJJ/jSfYrvR3M9SwJw==" + }, + "DefaultOpenIdClient": "kxABANLI/Qx7X8L1VtIl+FM4RtYlTLLpUUBCp2pucY+jzjlwhbF9fjJhhTP/KmeCj8M2yB4AA1V3AQgcEBvg92I1vCAWXIBgCjz6LUD2yf4FCpACaxNgiBZVAaCELNCgbKDgy9UB1j4sCozpEzReLVtYdOX+KFbGU6zJ808jnrLFMz+YHT4LXMyF94A5Zl86DFT9br6PwR75qImvjDlIUt+7/I8WrT1Nnqn2hXxqzAd1J2W5Xv8Bt9sXFmskSZN9PyOo9EY9t5lVGq++IqjGPWh4vQAXCzIsfRgUfU7PfHKVuSKSHbME1EZwG/FjzOe8B4bO2q/a/qLtGgygyX5ExEkZ/IcrtSZnTdqC83AfyexlEv9Z3wWFAoKGDtI3zhmCZYnuZQ==" + }, + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "kxABAFAEx4fWwG/ANPVTf/WGyccDxoR2xCy+x+U3Ny1KkqnOFw+SizePTgINTzBaYHLTHABQD0GWW6U+4qiG6DpcIcdAD0VVnddqB5a+YIE0reufXYhZTrDU/9yeG6aUWIHkLl9UudC/nnW6zMrjChiJhJvT7csFKdgbqUazZT56hR0i6XS36a5h2/tTWhbZTkk1Dil5JP7xUcu5CMWyXMUvGvK8gfQozYxo/DJTOiLrWjg5ION1yx+ZqPhcIUxgYaBjxSpfT6U9YMy5mE9JGqf7W76baS9fOVr3H1DAL02icX29uJAcsw1r9k1rJQIKEhAuqTNeuqF6C6iPHJAsail+iteOJEYgBSACRz7Te4t6Hp7PBs0FfP0WY1oL+1T+p7X+HaO1jAJhE50J2AKhGNXTZfE=" + }, + "NotificationSettings": { + "Cultures": [ + 
"kxABAPwTbpFUbP9xT9HyqtTuMLKT9sVD0Qq1kCsI44d12vJEcW2MMy9K5vKakwTPeJpvY6SafELoHc7AjKnh8ZJi0/Yu4dieE5W+5uXY1uaghYJ/2VjimzIsDhvRhm90xUlaMjdFBjx4HAnxBAtEbEjifdGHxZ0L9F305hXSTORj53u76ctCE5D9HPTN3AgLmyIGv5NExwhD4sgppbf6PWjTEZ7yNcoUpkkS4pJ6BMz+PaQo26A2rMP710zQgG72an4XvxSoR3SwSm0fhLCASgYi8YOZw0j/cfxl/LrW1EQ7gyW0/Mw9v1YRNH3DkbWSeHZ3odhDWdaWkzR6yOEt5hO60eM0w8Tjoed30Jwf+enf1rJFStDe/dhg6vjUIaTn6tt1Gw==" + ] + } + }, + ... +} + +``` + +The previous command can be useful to encrypt, for example, an Active Directory's login used by the +agent during the synchronization process. + +The login to encrypt is stored in the following format, compliant with the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +structure: + +appsettings.beforeEncryption.json + +``` + +{ + ... + "Connections": { + ... + "ADExport": { + "Login": "Administrator" + } + } +} +``` + +This command writes encrypted values from `appsettings.agent.json` to +`C:/UsercubeTraining/appsettings.encrypted.agent.json` following the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +structure: + +``` +appsettings.encrypted.agent.json +{ + ... + "Connections": { + ... 
+ "ADExport": { + "Login": "kxABAM9LW6vyx3TpDXoU5mKKQAwxxNcH9Q2z+dk+E7BNzrI346fUUiPmnJlOJZNX8bA1sokpDHTJBJngdF8LqVuWhk0t+IBpHE+iRJZ4q6i/CzX/OnpoGEHLSL5gZUixIqn9kul5AbxI38d/aGkCGIeAGY73rf0eQRizB2uR/ObR/H9jm3dHGt3TUNyOH4WqdwrXL0WTeMyfme6O+2PMoGvmjVF04keicuisjj/jROxTcDKe69qjPuCJZabR69CA2qP1TPMDMy/zlg8bzRZKepw8VxI4OpIKrbwhaUTauJMR6URPsOZ54fdocKi3oEyvpm2AhX4YF8GpOw7fBQrPWte/JJFOxgIzH1Kh0d0YhC2ZpMCXexfOlB2Y9afWG/t7rdi4VDsEf8gwj+IJ3HbE0dtIPLw=" + } + } +} +``` + +## Arguments + +| Name | Details | +| -------------------------------- | ---------------------------------------------------------------------------- | +| --input-json-file-path required | **Type** String **Description** Path of the input to-be-encrypted json file. | +| --output-json-file-path required | **Type** String **Description** Path of the output encrypted json file. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md new file mode 100644 index 0000000000..bf71ad83ed --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md 
@@ -0,0 +1,91 @@ +# Usercube-Protect-X509JsonValue + +This tool is used to encrypt sensitive connection data, for example data from the +`appsettings.agent.json` file, with +[ RSA Encryption ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). The +encryption is based on the information given in your `appsettings.json` file about either a PFX file +or the location of the encryption certificate in the Microsoft store. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +This tool `Usercube-Protect-X509JsonValue` is used to encrypt only given values, in comparison to +the[ Usercube-Protect-X509JsonValue ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) tool that encrypts a whole file. This tool is more +appropriate than `Usercube-Protect-X509JsonFile` when you have only a few lines to encrypt. + +## Examples + +The command below encrypts the task agent configuration `0` and the OpenId Client `secret` used in +the `appsettings.agent.json` file. + +``` + +./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" + +``` + +As a response, the powershell returns one string per given value. 
+ +``` + +PS C:/UsercubeTraining/Runtime> ./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" +kxABACJhXxJwnGJSug/nE6ODGGYwnzhX1WeYUHmS7gkMLpF15K7POOZAVWsl93zuYaVStPK0sV+U6mOE4h5IzbT083Uac+/NKic+qNZLYi4PRum+G17pIeSMBu3z7GQJxGGkAeX7dwf0kc/oDW5yAQ1BtFN+k27UHZkUrz0fe/eOZwTHbgV5sSUM+6pXW6IQd2VnVRRKLyWij0MAKsCNlHtv6QE73b8P8u7liRdzWOueqE2blAZk0rm0JzFxZlUQKgIMBTk2cuFWph7rp8dp8h8mDKJl9xbYzAtmM/rgXuhcMYryIrlqFeBWt1J65cfL7HNQb6OX7Imb2LQZmZMI2xc1gFyiXjeINeMriYm3zecnSBMiYEGW6RddE6doJOtrTyznrg== +kxABAJT+2u1C1r0JI8criUz15QkI71x6/BPeNMlPWEL5ZHkTvZWVnMLG/zNJz9PvnjfecROC4fkxPRI5U+sF8W1caH8DtxnzM0ctYD0QtRcpS9z48y2mUzOzl3pU68BQyosyZGZW0ifXVI9UJVGMzMTfWloCw+R+xfZHviYLVGT8y2PKkCBdNp7IcZN4qT6mq8AmTIMSgwagR854n1EHn8lT5nUUFmhZ7iIJ/sonEVG4uyTAjND9YXSsfL9dm2ipTzXrybruIkVU051aczdohreMRsfeSB6TDAYa3GEMNeAb3CzI5I/6NpKYEzZEoYu4JXAzE6bqHeK2oVJyrmTL11kwq4m9fTMwlwmB0GaPeJtbQoih6TIX2qlOPfQdsrZt0dl5qw== + +``` + +Then you just need to copy and paste them. + +The following example shows how to update the OpenId ClientSecret matching the "ContosoCharlotte" +OpenId ClientId in the `appsettings.encrypted.agent.json` file. + +The initial `appsettings.encrypted.agent.json` file resembles the following: + +``` +appsettings.encrypted.agent.json before update +{ + ... + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "dKIHkloXG6i1LkxkhjkKoVKS9gFO7Hx8VUm" + } + } +} +``` + +The new ClientSecret to encrypt is _charlotte2028_. + +Using the `Usercube-Protect-X509JsonValue.exe`: + +``` +./identitymanager-Protect-X509JsonValue.exe --values charlotte2028 +``` + +The `--values` parameter also accepts multiple white-space-separated values for encryption. + +The output, in the console, shows the encrypted value for the _charlotte2028_ string. 
+ +``` + +kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw== + +``` + +The last step is to update the `appsettings.encrypted.agent.json` file by copy/pasting this new +encrypted value to replace the old one. It results in: + +``` +appsettings.encrypted.agent.json after update +{ + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw==" + } + } +} +``` + +## Arguments + +| Name | Details | +| ----------------- | ---------------------------------------------------------- | +| --values required | **Type** String **Description** List of values to encrypt. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/refreshschema/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/refreshschema/index.md new file mode 100644 index 0000000000..d6f6eb729e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/refreshschema/index.md 
@@ -0,0 +1,27 @@ +# Usercube-RefreshSchema + +## Examples + +`Usercube-RefreshSchema` can be used as an executable file as follows: + +``` +dotnet Usercube-RefreshSchema.dll --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connection-id -2 + +``` + +The credentials used to connect to the connection come from the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +## Arguments + +| Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-id \*required | **Type** Integer **Description** Id of a connection whose schemas are updated. See the [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for additional information. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. 
| +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md new file mode 100644 index 0000000000..1862b7572e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Send-PasswordNotification + +## Examples + +### Manually send a password initialization mail notification + +Consider a user who needs an account in an external system. Consider that this account requires a +password. + +As an example, we will consider that the id of the +[Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +associated with the external system is 10, and the id of the assigned resource type associated with +the user is 1000. + +Once the password is set, we need to communicate this password to the user. We send a mail +notification to inform the user. + +`--password true --assigned-resource-type 1000 --resource-type-mapping 10` + +For the notification to be sent, the server set at **appsettings** > **ApplicationUri** should be +running. +The [Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +should have an associated +[ Password Reset Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md). +For +the notification to be sent, the password reset settings should at least contain a notified email +binding. +For the notification to make sense, the password reset settings should at least contain a +beneficiary full name binding. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --assigned-resource-type required | **Type** String **Description** Specifies the id of the assigned resource type corresponding to the user and the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **AssignedResourceTypeId**. **Example** Send a notification for the assigned resource type with id 1000: `--assigned-resource-type 1000`. | +| --password required | **Type** String **Description** Specifies the new password that will be sent by mail. **Example** Send a notification for the password NewPassword: `--password NewPassword`. | +| --resource-type-mapping required | **Type** String **Description** Specifies the id of the [Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) corresponding to the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **ResourceType** > **Id**, as the resource type and its corresponding resource type mapping share the same id. **Example** Send a notification for the resource type mapping with id 10: `--resource-type-mapping 10`. | +| --notification-cc optional | **Type** Integer **Description** Specifies an address that should also receive the notification. 
**Example** Add [admin@acme.admin](mailto:admin@acme.admin) to the mail CC: `--notification-cc admin@acme.admin`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md new file mode 100644 index 0000000000..cd4c0aa595 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/server/index.md @@ -0,0 +1,27 @@ +# Usercube-Server + +This tool runs the main Identity Manager Server. + +## Examples + +With a properly configured environment, the following command runs the server. It listens on two +different ports: + +``` +./identitymanager-Server.exe --urls "http://localhost:5000;http://localhost:5001" +``` + +When the Server starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:5000 +[xx:xx:xx INF] Now listening on: http://localhost:5001 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ----------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the server is listening to. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md new file mode 100644 index 0000000000..25cedcf5c6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md 
@@ -0,0 +1,35 @@ +# Usercube-Update-EntityPropertyExpressions + +This tool is used to recompute the values of all properties defined via expressions (C#, etc.), +usually to prepare for a connector's synchronization. + +## Examples + +The following example updates the property expressions of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --batch-select-size (-q) default value: 10000 | **Type** Int32 **Description** Batch size for SELECT queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --batch-update-size (-c) default value: 20000 | **Type** Int32 **Description** Batch size for UPDATE queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. 
| +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. | +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in the [ Select User by Identity Query Handler Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md new file mode 100644 index 0000000000..3f5702a023 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md 
@@ -0,0 +1,29 @@ +# Usercube-Upgrade-ConfigurationVersion + +This tool is used to upgrade your configuration from your current version entered in settings to the +latest version. + +## Examples + +``` + +./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.0" --xml-path "C:/UsercubeDemo/Conf" --output "C:/UsercubeDemo/Conf2" + +``` + +In this example, the configuration files are in the folder "C:/UsercubeDemo/Conf" and at version +"5.1.0". This tools will upgrade all the xml files to the latest version and save them in the folder +"C:/UsercubeDemo/Conf2". + +## Arguments + +| Argument Name | Details | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --version required | **Type** String **Description** Current version. | +| --xml-path required | **Type** String **Description** Current xml configuration folder to migrate. | +| | | +| --- | --- | +| --output required | **Type** String **Description** Path of the folder where the result will be saved. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md new file mode 100644 index 0000000000..ee937b4060 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md 
@@ -0,0 +1,50 @@ +# Usercube-Upgrade-DatabaseVersion + +This tool is used to run the necessary migration scripts in order to upgrade the database structure +from its current version to the most recent version. + +## Examples + +To upgrade a database with the connection string `databaseConnectionString`, go to the Runtime +folder of the newest version and launch the tool with the following argument: + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" + +``` + +If the database has been correctly upgraded, the following message should appear: +`Database has been upgraded to version X.X.X`, with "X.X.X" being the newest version to which the +migration was made. + +### With a Mode + +The following example runs the database upgrade tool only for backward compatible changes. + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges + +``` + +### With the Execute Predefined + +The following example runs the database upgrade tool only for backward compatible changes and the +predefined script. As the predefined script is always executed in the other modes, this option is +useful only when specifying `--mode BackwardCompatibleChanges`. 
+ +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges --execute-predefined + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-string (-s) required | **Type** String **Description** Connection string to the database. **Example** `--connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"` | +| --execute-predefined optional | **Type** No Value **Description** Indicates that the predefined SQL file must be executed, when using the `BackwardCompatibleChanges` mode. | +| --mode default value: All | **Type** Enum **Description** `All` - run all the script types. `BackwardCompatibleChanges` - only execute backward compatible scripts. **Note:** the previous runtime can still work. `BreakingChanges` - only execute breaking scripts. **Note:** the server must be stopped. `CleanupChanges` - only execute cleanup scripts, to cleanup the database after the server restarted with the new runtime. **Example** `--mode BreakingChanges` | +| --force-version optional | **Type** String **Description** Forces the database version instead of using the current one to replay the migration scripts. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md new file mode 100644 index 0000000000..1fbd1a1e8c --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md 
@@ -0,0 +1,236 @@ +# Access Certification + +The Access Certification module enables chosen end-users to carry out assignment certification +campaigns, which aim to certify assignments of entitlements. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- A certain category of roles +- A certain type of assignment +- Assignments not certified since a certain date +- Assignments presenting a certain level of risk. See the + [ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md) topic for additional + information. + +Identity Manager uses an access certification campaign to define the campaign's scope including: + +- The start and end date of the campaign +- The group of entitlement assignments to be certified during the campaign. + +### Job for access certification + +After the campaign's creation, access certification items are assigned to reviewers (Identity +Manager end-users) by the CreateAccessCertificationJob, composed of the following tasks: + +- Identity Manager-Update-AccessCertificationCampaign simply applies the campaign's scope, + determines which permissions are to be certified, by computing certification orders; +- Identity Manager-Set-AccessCertificationReviewer assigns one review for each access certification + item to end-users whose profile's scope of responsibility matches the entitlement to be certified; +- Identity Manager-Send-AccessCertificationNotification sends notifications to concerned reviewers. 
+- Identity Manager-Process-AccessCertificationItems processes the access certification item + decisions and generates the corresponding deprovisioning orders. + +## Set up the Configuration + +Configuring the Access Certification module entails: + +- Setting up profiles to carry out the certification +- Configuring their scope of responsibility +- Enabling automatic and forwarded assignments of access certification items to end-users + +### Campaign creation + +At least one Identity Manager profile needs permissions to create campaigns. + +Such permission can be granted using the AccessReviewAdministrationAccessControlRules scaffolding. +See the +[ Access Review Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +topic for additional information. + +The administrator profile, created with CreateAdministratorProfile scaffolding, already has these +permissions. See the +[ Create Administrator Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) +topic for additional information. + +If you are not using the AccessReviewAdministrationAccessControlRules scaffolding, the user cannot +query on dimensions when editing the owner filters, so you need to give the permissions on the +correct contexts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +### Profile scope of responsibility + +The scope of responsibility of a profile is a set of criteria that defines which assignment of +entitlements this profile will certify. For example, the **Manager** profile is responsible for +reviewing entitlement assignments of identities working in their department. 
+ +A profile's scope of responsibility is configured by giving access, with access control rules, to a +specific set of access certification items that match the profile's scope of responsibility +criteria. + +The option to display only the **Approve** or **Deny** buttons next to the Access Certification +items can be configured by the administrator on the UI in the **Settings**>**Features**. + +##### Example + +This example shows how to set the scope of responsibility for the **Manager** profile. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        ... + +``` + +The filter indicates that a review with the **Manager** profile can only access items for which the +binding Owner.Directory_User:MainRecord.Organization.Id matches their dimension organization's +value. + +This example needs to be completed with either automatic assignment or manual assignment +capabilities. + +For certification items to be assigned to a profile, a permission context has to be added to the +access control rule. + +### Access certification item assignments + +Access certification items can be assigned to end-users via: + +- Automatic assignments, computed by the reviewer-setting task when a given profile's scope of + responsibility matches the entitlement to be certified +- Forwarded assignments, automatically assigned to an end-user, but then manually forwarded to + another user from the UI + +#### Automatic assignments + +For a profile to be the target of an automatic assignment of an access certification item, it needs +the `/Custom/AccessCertification/AutoAssigned/{entityTypeName}` permission. + +##### Example + +This example completes the previous one by adding the automatic assignment capabilities. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        
+``` + +This example enables automatic assignments of access certification items that match the filter to +end-users with the **Manager** profile. + +If the filter criterion is matched for several end-users, only one is assigned the certification +item, and this assignment is made randomly. Therefore, in order to have a cleaner reviewing +architecture, it is recommended to carefully set the Filter attributes in the access control rules +so that no two end-users' scope of responsibility overlap. + +#### Forwarded assignments + +The target profiles need the following `/Custom/AccessCertification/ManualAssigned/{entityTypeName}` +permission. + +The example below allows the **Manager** profile to be the target of forwarded assignments. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +       +``` + +There is no filter so the Manager profile can certify all forwarded certification orders for the +Directory_User entity type, regardless of his previously configured scope of responsibility. + +It is recommended to have a larger scope for forwarded certification orders than for automatically +assigned ones. + +### Certification policy + +Scopes of responsibility can also be defined in terms of access certification campaign policy. See +the +[ AccessCertificationCampaignPolicy ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md) +topic for additional information. + +Assigning an access certification campaign policy to an access certification campaign allows the +creation of campaigns dedicated specifically to one set of reviewers. + +The following example creates a new policy named Manager. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +It automatically appears on the campaign creation screen, and binds itself to the created campaign: + +![Campaign creation screen with policies](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp) + +To use it, modify the access control rules by adding a filter on the campaign policy. See the +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +##### Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +In this example, the **Manager** profile is only able to certify items for a campaign defined with +the **Manager** policy. + +A default policy is already defined. If no filter is set when giving the permission, the policy is +not considered. + +### Access certification item processing + +Once entitlement assignments have been reviewed (accepted or rejected), the final step is to apply +these decisions with the processing task, eventually denying assignments. This is done through the +UI. See the [Access Certification](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md) topic for additional information. + +The user needs to have the correct permission to launch the item processing: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +It is also possible to add access control filters when creating the permission set so that users can +only access certain type of campaigns. 
See the +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) + +This permission also is given by the AccessReviewAdministrationAccessControlRules scaffolding. See +the +[ Access Review Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md new file mode 100644 index 0000000000..95ddaa5029 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md 
@@ -0,0 +1,26 @@ +# Review Prolonged Entitlements + +This guide shows how to allow a manager to review the permissions prolonged by a grace period. + +## Overview + +Consider an entitlement given via a role which is defined with a grace period. Consider that this +role is assigned automatically to some users by a rule of the role model. If this rule changes and +the users are supposed to lose the role, then they keep it for the time defined by the +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), and the role's +workflow state switches from `Automatic` to `Prolonged`. Then a manager must access these +entitlements in the **Role Review** screen, to either approve or decline the role prolongation. + +## Assign the Right to Review Prolonged Entitlements + +The right to review prolonged entitlements is given by adding the appropriate `AccessControlRule` on +a profile. A profile should get the right to review prolonged entitlements given for both single and +composite roles. Technically speaking, we need to create one access control rule for assigned single +roles, and another one for assigned composite roles. In this case we give access to the workflow +state 27 which is the workfow state `Prolonged` linked with the grace period. + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/index.md new file mode 100644 index 0000000000..8b6d0c099b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/index.md 
@@ -0,0 +1,46 @@ +# Governance + +Identity Manager's governance features intend to provide tools that control assignments of +entitlements and measure IGA policies efficiency. Control over the assignments is achieved by +designing a role model, automating assignments, using the risk management module, and performing +certification campaigns. Measuring policies efficiency is enabled by reporting and auditing +capabilities. + +Reporting, access certification campaigns and risk management are three important tools that +complete the governance arsenal. + +## Reporting + +With reporting features, stakeholders can measure the effect of IGA policies on the assignment +landscape and adjust if needed. Governance also helps produce audit-ready reports. You can start to +set up governance features relatively early in your Identity Manager journey and measure your +progress from the very start. + +Identity Manager puts users in control of their reporting. Rich features, such as the query module, +help produce custom reports that can be used to check the assignment policy results, or gather +information for an audit. + +## Access Certification Campaigns + +A certification campaign is a recurring event, scheduled for example every week, month or year, +during which managers review their team members' entitlements. Sensitive assignments are then kept +or removed. + +Certification campaigns are the best way to make sure past assignment decisions are still in the +best interest of the organization. They can be a good way to mitigate a lack of automation in your +assignment decisions concerning, for example, movers or leavers. + +Identity Manager's certification module also helps managers produce accurate reports that they can +present to an auditor. + +See the [Access Certification](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md) topic to learn how to configure +certification campaigns. 
+ +## Risk Management + +The risk management module provides tools for identifying entitlement assignments that pose a +security risk. The module facilitates the analysis and mitigation of different kinds of risks such +as Segregation of Duties (SoD) or High Privilege. Risks can be used to identify sensitive +assignments that should be reviewed first during a certification campaign. + +See the [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) topic to learn how to configure risks. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md new file mode 100644 index 0000000000..bc34fe4560 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md 
@@ -0,0 +1,126 @@ +# Analyze Identity Manager's Data with Power BI + +This topic explains how to prepare Identity Manager's data and use it in Power BI, with the final +goal to generate user-friendly reports. + +## Overview + +[Power BI](https://powerbi.microsoft.com/en-us/why-power-bi/) is used with Identity Manager to +generate user-friendly reports in an interactive way, based on Identity Manager's database. + +The SaaS edition [Power BI Service](https://www.microsoft.com/en-US/download/details.aspx?id=58494) +contains an integrated Identity Manager connector, so we simply need to make Identity Manager's data +usable by configuring a particular data model. + +As this new model is to be organized into XML elements called universes, we will call the new data +model the universe model. + +Based on this model, Power BI will be able to: + +- query the database +- generate a model containing the data that we want to include in reports +- transform data if needed +- generate customized graphic reports +- publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises) + +![Process Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp) + +## Prerequisites + +Identity Manager's licenses for Power BI as well as Identity Manager Data are required to operate. + +Integrators need to know: + +- Identity Manager's data model, i.e. the entity names, the associations between the entities to + display, etc. from both Identity Manager-hard-coded and customized parts +- what data needs to be displayed in the end + +**NOTE:** Power BI is able to analyze all Identity Manager's data, hard-coded and customized, but +only current data, i.e. nothing from the history. + +## Analyze Identity Manager's Data with Power BI + +Build the universe model by proceeding as follows: + +**Step 1 –** Define the appropriate universes using scaffoldings. 
See the +[ Queries ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) topic +for additional information. + +_Remember,_ in order to understand business intelligence, with its universes, entity instances and +association instances. See the +[ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) topic +for additional information. +Also note that XML objects that automatically generate XML snippets that would be complex and/or +tedious to write manually. See +the[Scaffoldings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic +for additional information. + +Netwrix recommends creating no more than one universe to generate one report, to prevent issues +about name uniqueness. + +**Step 2 –** Connect Power BI to Identity Manager to visualize the output model. See the +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) topic for additional +information. + +The Power BI applications **Desktop**, **Service** and **Report Server** all offer the Identity +Manager plugin to access Identity Manager's database. + +**Step 3 –** Remember to clear the cache in Power BI when modifying universes, to ensure that all +changes are considered. + +**Step 4 –** Customize the queries in Power BI, if needed, with the +[M language](https://docs.microsoft.com/en-us/powerquery-m). + +You can see in Power BI queries that Identity Manager must be specified as a source via the +expression `Source = Usercube.Universes("")`. + +Integrators may need to customize the model to make it more understandable and easily usable by +end-users. 
+ +For example, the following M query removes the column Company Id from the table +Directory_User_Records, considering that we do not need it for future reports. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +let +    Source = Usercube.Universes(""}) +in +    Directory_User_Records_WithoutCompany +``` + +Another common use for manual queries is the denormalization of the model, when it simplifies the +future queries and reports for end-users. + +**Step 5 –** Generate reports and publish them for end-users by following the steps listed in the +[Power BI documentation.](https://docs.microsoft.com/en-us/power-bi/create-reports/) + +This is how you analyze Identity Manager data through Power BI. + +## Maintain the Model + +In order to maintain the model you must remember the ones listed below. + +Refresh data + +You must define, in Power BI Service or Report Server, a frequency for data refresh so that reports +display up-to-date data. See the +[Power BI documentation](https://docs.microsoft.com/en-us/power-bi/connect-data/refresh-data) for +additional information. + +Data is often refreshed once a day. Define the refresh frequency according to your needs. + +Foresee the Impact of Model Modifications + +A change inside an existing entity, for example adding a scalar field, does not require any +particular actions on the universe model. + +A change in an association requires making the corresponding change in the universe model, as +association instances (in the universe model) are based on entity associations in Identity Manager's +data model. See the +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +topic for additional information. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md new file mode 100644 index 0000000000..bdd2c0ea90 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md 
@@ -0,0 +1,66 @@ +# Connect Power BI to Identity Manager + +This guide shows how to connect Power BI to Identity Manager. + +## Overview + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Identity Manager offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Identity Manager's universes. + +## Prerequisites + +- Power BI Desktop must be installed on your device. +- Identity Manager's server must be running. + +## Connect Power BI to Identity Manager + +Connect Power BI to Identity Manager by proceeding as follows: + +1. Open Power BI Desktop. +2. Click on **Get data** either in the welcome window or in the home menu. + + ![Get Data](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp) + +3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and + click on **Connect**. + + ![Get Data Window](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp) + +4. Enter Identity Manager's server URL in the opening window. + + ![Server URL](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp) + +5. In the opening window, enter the + [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md)of + the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of + `OpenIdClient` with `@` and Identity Manager's domain name. See the following example. 
+ + ![Client Id / Client Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp) + +6. You can now access in the left panel the + [ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md)from + Identity Manager configuration. You can click on the desired universe to expand it, and view and + pick the desired tables. + + ![Universe Panel](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp) + + **Power BI tip:** to view a table, click on its name. To select a table, check the box next to + the table's name. + +7. Once you've selected all the tables you need, click on **Load** to import data to the Power BI + report. You can also click on **Transform data** to open the query editor and make other changes + in your tables, rows and columns. + +## Clear the Cache + +Remember to clear the cache in Power BI to ensure that all changes are considered. + +Clear the cache by proceeding as follows: + +1. In Power BI, click on **File** > **Options and settings** > **Options**. +2. In the **Data Load** tab, click on **Clear Cache**. + + ![Clear Cache](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/index.md new file mode 100644 index 0000000000..d612b9b7e6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/index.md 
@@ -0,0 +1,8 @@ +# Reporting + +The Reporting module is used to generate basic reports in CSV using +[API query grammar](/docs/identitymanager/6.2/identitymanager/integration-guide/api/squery/index.md), or advanced reports using the +[ Business Intelligence ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md) module. + +See the [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for +additional information on generating reports. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md new file mode 100644 index 0000000000..a6b55f0a26 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md 
@@ -0,0 +1,173 @@ +# Risk Management + +The Risk Management module provides tools for identifying assignments of entitlement that pose a +security risk. The module helps analyze and mitigate different kinds of risks such as _Segregation +of Duties_ or _High Privilege_. This is the basis for auditing and performing access certifications +with a risk-based method. + +## Overview + +A [ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) describes a sensitive +situation of entitlement assignments that needs to be monitored. + +Risk management is essential to auditing. End-users can define models of risks, assigned to +identities based on their entitlement assignments. This action identifies identities whose +entitlement landscape might pose a threat or a surface of attack. The identified risks for a given +identity inform the auditor about the exact nature of the threat to help making decisions and +finding methods of remediation. + +To identify the identities that represent the highest risk, Identity Manager computes a risk score +for all identities, based on both the roles already assigned and the roles that are subject of the +current request. The higher the score, the higher the threat. The identities with the highest risk +scores are the priority of the next [Access Certification](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md) +campaign. + +See the [ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md)topic for additional +information on how to use the risk management module to identify entitlement assignments that pose a +security risk. + +## Risk Definition + +A [ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) is an object that describes a +sensitive situation of assignments of entitlements. 
+ +The assignment of a risk to an identity highlights, for a potential auditor, the need to closely +reconsider said the assignments of said identity. + +A risk is always: + +- part of a [Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md); +- assigned to identities belonging to a specific entity type that was decided during the risk + creation; +- organized inside a [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md); +- linked to an [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md). + +## Risk Type + +The type of a risk informs the auditor about the exact nature of the situation that the risk +describes. It helps understand the possible causes, the importance of the security threat and +methods of remediation. + +Identity Manager supports two types of risks: + +- a segregation-of-duties risk identifies a threat due to the conjunction of two or more + fine-grained entitlements for the same identity, for example if an identity requests an + entitlement and is also the validator for said entitlement; +- a high-privilege risk identifies a threat due to the assignment of one or more highly sensitive + entitlements, for example the `Domain User` group in an Active Directory. + +## Risk Exemption Policy + +All risks are assigned an exemption policy that defines the behavior of Identity Manager regarding +risks when entitlements are manually requested. + +### Blocking + +Risk-triggering permission requests can be forbidden with the blocking exemption policy. If at least +one of the detected risks in the requested entitlement set has the blocking exemption policy, then +Identity Manager does not allow the set to be requested at all. 
A message is displayed and the +request must be cancelled: + +![Exemption Policy - Blocking](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp) + +### Approval Required + +Yet, instead of being unilaterally forbidden, risk-triggering permission requests can be authorized +with an additional role review approval with the approval required exemption policy. If at least one +of the detected risks in the requested entitlement set has the approval required exemption policy, +then Identity Manager adds a step where this new set must be reviewed by a knowledgeable user like a +security officer. A message is displayed and the request can be continued or cancelled: + +![Exemption Policy - Approval Required](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp) + +If the request is performed, then a line appears on the **Role Review** screen. + +The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following +risk icon. + +![Home Page - Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg) + +### Warning + +Risk-triggering permissions can also be allowed with only a warning with the warning exemption +policy. If all detected risks in the requested entitlement set has the warning exemption policy, +then Identity Manager displays a message and the request can be continued or cancelled: + +![Exemption Policy - Warning](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp) + +### Upon Profile + +The blocking and approval required exemption policies can be ignored according to the profile of the +user and their scope of responsibility, with respectively the blocking upon profile and approval +required upon profile exemption policies. 
Then they can be assimilated to the warning policy if the +user has the right permission, respectively **/ProvisioningPolicy/Risk/OverrideBlocking** and +**/ProvisioningPolicy/Risk/OverrideApproval**, otherwise they behave like the blocking and approval +required policies. + +Like in the example below, the two permissions can be chained together. For the connected user, a +risk that would have been blocking otherwise, is just a warning. + +``` + + <AccessControlRule Profile="Administrator" EntityType="Risk" Identifier="Administrator_Risk_Override" DisplayName_L1="Administrator_Risk_Override"> <Entry Permission="/ProvisioningPolicy/Risk/OverrideBlocking" CanExecute="true" /> <Entry Permission="/ProvisioningPolicy/Risk/OverrideApproval" CanExecute="true" /> + +``` + +## Risk Assignment + +### Risk Rules + +[ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) are assigned to resources +manually by a knowledgeable user or automatically, by the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +When a risk is assigned to a resource, a new identified risk is created under the +`UP_IdentifiedRisks` table. + +Automatic assignment of risks is based on +[ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) rules. For each new +fine-grained assignment on a resource, risk rules are applied. If one of the rules matches the +resource state, the related risks are assigned to the resource. Those rules are themselves based on +fine-grained entitlements, such as an Active Directory account or group membership, modeled by the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) within Identity +Manager. 
+ +A risk rule states that a risk is assigned to a resource if the resource has one or several specific +fine-grained entitlements. The number of triggering entitlements depends on the risk type. For +example, the segregation-of-duties risks depends on at least two entitlements. The other types of +risk depend on one or more entitlements. + +### Fine-grained entitlement + +A fine-grained entitlement assigned to a resource-identity in Identity Manager is modeled by +navigation property values of the resources owned by the identity. + +To write a risk rule, the end-user has to describe a fine-grained entitlement for a +resource-identity. + +This is the way: + +1. Choose an [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) of which + the resource-identity could be owner. +2. Choose a navigation property of that entity type. +3. Choose a value for that navigation property. The value would be a resource from the unified + resource repository. + +This final value is a fine-grained entitlement, linked to the owner resource-identity through the +navigation property and the ownership relationship. + +## Risk Score + +Once [ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) are assigned to +identities, Identity Manager computes a risk score for each relevant identity. + +This score allows an auditor to prioritize the +[Access Certification](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md) campaign. The identity with the highest risk +score poses a more serious security threat and has to be handled first. + +During access certification, assignments that are responsible for triggering the risk will be +examined and then, kept or discarded. + +The risk score computation is performed by the risk score task. 
+ +![Compute Risk Score Task](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/identity-repository/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/identity-repository/index.md new file mode 100644 index 0000000000..c9796effc2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/identity-repository/index.md 
@@ -0,0 +1,63 @@ +# Identity Repository + +One of the main purposes of an IGA tool is to build a comprehensive repository containing all +identities in the organization. This repository is essential in order to set up the features for +identity lifecycle management, and manage entitlement assignments. + +## Overview + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Identity Manager, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +The identity repository can be created and updated by: + +- uploading an Excel file provided by Identity Manager with the right model; +- using Identity Manager's workflows; +- synchronizing HR files to Identity Manager via a specific connector. + +Netwrix Identity Manager (formerly Usercube) recommends creating the identity repository by +downloading the provided Excel file, filling it with HR information, and uploading it back. See the +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic to learn how to create the workforce repository. 
+ +Then +[ Update Identities in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) +with the same kind of process, and +[ Update an Individual Identity ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) +via Identity Manager's workflows. + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. + + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md new file mode 100644 index 0000000000..14236de42e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md 
@@ -0,0 +1,32 @@ +# Identity Management + +Identity management is about creating a repository of identities (all kinds of identities) along +with the entitlements that they need to work. One of the main purposes of an IGA tool is to help +create the identity repository, and to keep it up-to-date with identities' lifecycles within the +company. + +"Identities' lifecycles" mean any Joiners, Movers and Leavers (JML) process, i.e. staff changes, +i.e. any user's onboarding, position modification and offboarding. + +See the [ Identity Repository ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/identity-repository/index.md) topic for additional information. +See the [ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) topic +for additional information on how Identity Manager handles the Joiners, Movers and Leavers (JML) +process. + +Identities in Identity Manager are mostly humans, both internal and external workers, but can also +be applications, bots, service accounts, or anything. + +Identities are stored in the database as [ Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/resources/index.md), which helps with +Identity Manager's internal mechanisms, for example to modelize identities with +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +Additional interesting parts of identity management are: + +- the synchronization of identity changes through several repositories, for example both Identity + Manager and the AD; +- the provisioning of identity properties directly to the connected systems, based on the + computation of the [ Role Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md). 
+ +See the [Synchronization](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md) topic for additional information. + +See the [Provisioning](/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md new file mode 100644 index 0000000000..aff9f99b2e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md @@ -0,0 +1,11 @@ +# Identity Lifecycle: Joiners, Movers and Leavers + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records. + +In Identity Manager, the JML process is done through workflows or through synchronization to the HR +system. + +See the [ Onboarding and Offboarding ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md) and +[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topics for additional information on +onboarding and offboarding and position changes via records. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md new file mode 100644 index 0000000000..462fbdd856 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md 
@@ -0,0 +1,66 @@ +# Onboarding and Offboarding + +In Identity Manager, onboarding and offboarding are done through workflows or through +synchronization to the HR system. + +## Onboarding + +The onboarding process for a new employee or contractor is materialized by the creation of a new +resource in the identity repository. This creation triggers the fulfillment of the entitlements +required by the user to perform their duties and be productive on day one. + +The entitlement fulfillment can be performed in different ways: + +- Identity Manager suggests the entitlements needed by the new user, prepares the provisioning + procedures, and wait for the manual trigger of a manager or security officer. +- Identity Manager automatically triggers the provisioning of the entitlements needed by the new + user, without any more human input. + +See the [Role Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/index.md) topic for additional information on +entitlement assignment. + +The automation of the entitlement assignment processes can be really helpful. However, you should +not be looking for a full automation, but rather the smart automation of basic assignments such as +"birthrights", while the sensitive ones keep a manual process. + +See the [ Automate Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md) +topic for additional information about the assignment automation. + +## Offboarding + +The offboarding process doesn't necessarily mean the deletion of the resource from the identity +repository because, for legal and/or security purposes, the company may need to be able to access a +person's history in the company for a certain time, even after their departure. + +This is why the departure triggers the removal of all entitlements for the departing identity. +Hence, Identity Manager knows all the past and present entitlements of any identity. 
+ +## Period of Validity + +The joining and leaving of an identity are materialized by the identity's period of validity. This +way, the resource is valid from the start date until the end date. + +These start and end dates can be configured to be different from the actual start and end dates of +the user's contract in the company. + +These dates should then be part of entity types' properties (for example as `StartDate` and +`EndDate`), in order to be used in +[ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md). + +![Identities - Validity Period](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp) + +At the start date, the resource is created and a few entitlements are assigned to the identity. + +Between the start and end dates, the identity is part of all of Identity Manager's calculations +(role model, etc.). + +At the end date, all the entitlements previously assigned to the identity are removed. + +After the end date and until its explicit deletion, the resource is still in the identity +repository, but it is not part of any calculation anymore. + +Keeping track of former employees usually helps solve issues involving orphan accounts. + +A resource is deleted either via a resource-deletion workflow, or via the synchronization of HR +files if the user was removed from HR lists. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md new file mode 100644 index 0000000000..08ee48e496 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md 
@@ -0,0 +1,199 @@ +# Position Change via Records + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records and contexts. + +In Identity Manager, position changes are made through workflows or through synchronization to the +HR system. + +## Overview + +The entitlements of a user must be updated with the user's position changes: the entitlements needed +for the previous position are removed, and the entitlements needed for the next position are added. +This is essential to prevent users from cumulating entitlements when moving. + +Just like onboarding, the entitlement fulfillment can be performed either by using Identity +Manager's suggestions for the needed entitlements and adjusting them, or trusting Identity Manager +with an automated fulfillment. + +Identity Manager's calculations for entitlement assignments rely on heuristics, through identities' +key properties called +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +> For example, consider an entity type modeling identities with their job title, department and +> location. +> +> Then a user working as a accountant in Paris will receive different entitlements from another user +> working as a marketing specialist in Scranton. + +Hence entitlement assignment is usually based on identities' positions. + +Within the company, an identity can hold one or several positions, sometimes several positions +simultaneously. + +## A Model for Identity Changes + +Any change in an identity's lifecycle, such as a position change, usually entails a change in a +given set of properties simultaneously. + +> For example, a position change can typically trigger a change at least in the job title and +> location, together with the position start and end dates. 
+ +It seems natural to model identities by splitting their properties into three entities: one for +users' personal data, one for their contract(s) and one for their position(s): + +![Records Origin - Three-Entity Model](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp) + +A user can have several positions over time, even simultaneously. A user's contract can change over +time too. Even personal data is subject to change. This is why we can have several sets of personal +data (and/or several contracts and/or several positions) for a single user, and also why the `User` +entity is meant to contain only users' unique identifiers. + +> For example, in personal data a marriage can imply a name change, a user can start with a +> fixed-term contract and change to a permanent one, and position change is obvious. + +Even without allowing simultaneous positions, contracts or personal data sets, this model helps +anticipate upcoming changes. + +### Contexts + +The model is supposed to facilitate the [Provisioning](/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/index.md) provisioning +of user data and entitlements, yet this first model does not meet all expectations. In case of +multiple personal data sets for a single user over time, or multiple contracts, or multiple +positions, which values should be used to apply the rules of the role model? How to combine all +start and end dates to make sure that all rules are applied based on the right input? These issues +imply complex C# expressions in provisioning rules. + +> For example, let's write a C# expression to compute users' display names based only on their first +> and last names. 
To make sure that display names are computed using valid input, we write the +> following: +> +> ``` +> +> C#:user:return user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.FirstName + ' ' + personalData.LastName).FirstOrDefault(); +> +> ``` +> +> Now a more complex example: let's write a C# expression to compute users' departments based on +> their organization's display names, but also their employee identifiers in parenthesis: +> +> ``` +> +> C#:user:return user.Positions.Where(position => position.Start < DateTime.Now && position.End > DateTime.Now).Select(position => position.Organization.DisplayName).FirstOrDefault() + " (" + user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.EmployeeId).FirstOrDefault() + ")"; +> +> ``` + +To simplify the expressions, the model needs to be "flattened" in order to provide all the data of a +given user, valid at a given date. Hence users must be modeled by a set datasheets generated by +Identity Manager, where all values in one datasheet are valid on a given time period. + +> For example, consider the following situation: Mark Barn is a user who has, at day D0, a given set +> of personal data, a given contract and a given position. At day D1, his contract changes from +> fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap +> from day D2 to day D3 when the first position ends. 
+> +> ![User Example](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp) +> +> Over time, the three entities are as follows: +> +> ![Example - Timelines](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp) +> +> From this, Identity Manager is able to combine the start and end dates of all entities at all +> times to generate the following datasheets, named contexts: +> +> ![Example - Contexts](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp) + +Contexts are the result of the combination of all entities (personal data, contract and position) so +that all values contained in a given context are valid on a given period of time. + +Users can be modeled by up to n\*n\*n contexts, and even more when elements overlap (positions in +this example). + +The complexity that comes from the combination of all start and end dates is tackled by Identity +Manager's engine when it generates users' contexts. As the start and end dates of each value are +pre-computed by Identity Manager, this user model highly simplifies provisioning rules. + +> The C# expressions from the previous example can be written, for the same result, as the +> following, first for users' display names, then departments: +> +> ``` +> +> C#:record:return record.FirstName + ' ' + record.LastName; +> +> ``` +> +> C#:record:return record.Organization.DisplayName + " (" + record.EmployeeId + ")"; +> +> ``` +> +> ``` + +### Records + +The final step to a viable model is to find a way to store optimally this context model in the +database, in order to be able to perform fast requests. 
Hence, the final model gathers all entities +(personal data, contracts and positions), including their respective start and end dates, into a +single entity named records, where a context is a record instance: + +![Records Origin - Final Model](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp) + +While there are as many contexts for a user as the number of changes in the user's datasheet, there +are only as many records as needed to store each value at least once. + +> With the example used for the explanation of contexts with `PD`, `C1`, `C2`, `P1` and `P2`, we +> generate 5 contexts but store only 2 records: `{PD; C1; P1}` and `{PD; C2; P2}`. +> +> From these 2 records, we can rebuild the 5 contexts. + +Contexts can be considered as the conversion tool between the two user models. + +This way, the model stores only Max(n) records instead of n\*n\*n. + +Plus, Identity Manager does not need to archive old data, because records and contexts are used only +to simplify the application of provisioning rules. As only valid values are provisioned, there is no +need to keep track. + +This means that a change to be effective immediately will not trigger the creation of a new record +nor a new context. The record containing the old data will simply be updated. + +A change to be effective in future can trigger the creation of a new record. 
+ +### Configuration + +This identity model can be implemented by configuring a +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) and +[ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md): + +``` + + + +Personal data section (default section): + + +Contract section: + + +Position section: + + +``` + +## Position Change + +The position change process for an existing worker is materialized by the assignment/update/removal +of a record to/from an identity. This assignment/update/removal triggers the fulfillment of the +entitlements required by the user based on the properties of a valid record. + +When several contexts are valid at the same time for a given identity, conflicts can arise during +entitlement assignment. They are solved by Identity Manager's engine that establishes a priority +between valid contexts. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/index.md new file mode 100644 index 0000000000..c7f04b645c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/index.md 
@@ -0,0 +1,39 @@ +# Integration Guide + +This guide is designed to provide the tools and knowledge to fully understand and configure Identity +Manager to match your project's needs. + +## Target Audience + +This guide is meant to be read by integrators who configure Identity Manager to match their +project's needs. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and more precisely of Identity and +Governance Administration (IGA) is required to really understand, implement and use Identity +Manager's features. + +Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md) to fully benefit from the Integration Guide's +content. + +### Technical skills + +As Identity Manager is a web application, some classic devops skills are needed: + +- Web servers, especially IIS: declare a web site; configure an application pool. +- SQL Server: query data in the database with SQL, including with joins; insert/update data with + SQL; for advanced use, an understanding of database indexes. +- Coding: very basic C# skills; PowerShell scripts. +- XML and JSON syntax for configuration files. +- Git or other source control tools. + +The other technical skills greatly depend on the connectors needed for your projects. The most +frequent ones are: + +- Excel and CSV +- LDAP and Active Directory: understanding of LDAP attributes and of group membership. +- Microsoft Entra ID (formerly Azure Active Directory) +- Exchange +- REST API programming diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/modules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/modules/index.md new file mode 100644 index 0000000000..134b8470dc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/modules/index.md 
@@ -0,0 +1,14 @@ +# Modules + +Identity Manager can integrate with other software for issues such as credential protection and +logging. To use these integration modules, they just need to be configured in Identity Manager's +`appsettings.json` file. Below is more module-specific information. + +## Credentials Protection + +- [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +- [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + +## Logging + +- [ Export Logs to a Log Management System ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md new file mode 100644 index 0000000000..e2321c0576 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md 
@@ -0,0 +1,358 @@ +# Export Logs to a Log Management System + +This guide shows how to use the logging configuration (Serilog) to send Identity Manager's logs into +a log management system, potentially using specific plug-ins to parse the logs. + +Supported log management systems are: + +- [QRadar](https://www.ibm.com/fr-fr/products/qradar-siem); +- [Splunk](https://docs.splunk.com/Documentation/Splunk); +- DataDog. + +## Overview + +Typically, a Serilog configuration includes three parts: **MinimumLevel**, **Using** and +**WriteTo**. See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +### Usercube's DSM in QRadar + +Identity Manager's Device Support Module is a plug-in that allows your QRadar system to parse +Identity Manager's logs, when producing a JSON output. + +Logs can be sent into QRadar without using Identity Manager's DSM in QRadar, but the logs just won't +be parsed. Not all Identity Manager's logs can be sent to QRadar. See the +[ References: Logs ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md) topic for additional information. + +In order to get Identity Manager's DSM, import from QRadar the `Usercube_1.0.0.zip` file, accessible +in the `Runtime` folder. Identity Manager's DSM is set to automatically detect the source. This +means that, once Serilog is configured to send logs to QRadar, performing a few actions in Identity +Manager should make the detection possible. + +## Export Logs to a Log Management System + +Export logs to a log management system by proceeding as follows: + +1. In + [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + appsettings. json, make sure to have a **Serilog** section: + + ``` + + + { + ... + "Serilog": { + ... + } + ... + } + + ``` + +2. 
In the **Serilog** section, add a **Using** section to contain the used sink which depends on the + logs' destination, output format, etc. See the list of supported [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md). + + Concerning QRadar, Netwrix Identity Manager (formerly Usercube) strongly recommends using the + JSON format, as it can be parsed by Identity Manager's DSM or easily by a homemade parser. + + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > ... + > } + > ... + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Console", + > "Serilog.Sinks.Splunk.Durable" + > ], + > ... + > } + > ... + > } + > + > ``` + +3. Add a **MinimumLevel** section to define which logs are to be sent to the log management system. + + In order to be sent to any system, Identity Manager's logs must be configured with + **MinimumLevel** set to `Information`, or lower. + + > For example, we can define the logs' minimum level to `Information`. This way, all logs from + > the [ References: Logs ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md) with `Information` level or higher are + > sent. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > ... + > } + > ... + > } + > + > ``` + +4. Add a **WriteTo** section to specify the expected output. + + While **uri**/**host**/**splunkHost** specifies the IP address of the machine hosting your log + management system, the rest of **Args** configuration must be set just like the examples below. 
+ + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an RFC5424 output for QRadar + > ([see more information about UdpSyslog attributes](https://github.com/IonxSolutions/serilog-sinks-syslog#see-more-information-about-udpsyslog-attributes)): + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UdpSyslog", + > "Args": { + > "host": "192.168.13.110", + > "port": "514", + > "appName": "Usercube", + > "format": "RFC5424", + > "facility": "Local0", + > "secureProtocols": "SecureProtocols.None", + > "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} {NewLine}{Exception}" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "SplunkEventCollector", + > "Args": { + > "splunkHost": , + > "eventCollectorToken": "", + > "bufferFileFullName": "log-buffer.txt" + > } + > } + > ] + > } + > } + > + > ``` + +5. 
When needing to restrict the logs sent to the system, add a filter and wrap all **WriteTo** + configuration into a sub-logger, in which case the **Name** at **WriteTo**'s root must be + `Logger`. See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + + For all formats, in order to send only the right logs using the specified filter, the + **WriteTo** part must contain a sub-logger with its own filter. Otherwise, the filter will be + applied to all sinks. + + For example, among Identity Manager's logs, only the logs described in the e + [ References: Logs ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md) can be parsed by QRadar's DSM and should be used + by a SIEM system. Hence the importance of having a filter and a sub-logger. + + Never include logs with event ids inferior to 500, in order not to be overwhelmed with logs + improper to be used by SIEM systems like QRadar. + + > The following example filters out any log whose event id is lower than 500. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... + > ] + > } + > } + > + > ``` + > + > You could want to filter out the logs whose event ids are 500 too, by replacing + > `EventId.Id >= 500` with `EventId.Id >= 501` in the filter. 
Or you could want to filter out + > only the logs whose event ids are 502, by replacing `EventId.Id >= 500` with + > ``EventId.Id >= 500 and EventId.Id `<>` 502`` in the filter. + +6. When needing to override the log level for this particular sub-logger, add an additional + **MinimalLevel** section in the **WriteTo** section. + + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "MinimumLevel": { + > "Default": "Warning" + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... + > ] + > } + > } + > + > ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md new file mode 100644 index 0000000000..c90dc83093 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md 
@@ -0,0 +1,582 @@ +# Monitoring + +Identity Manager uses [Serilog](https://github.com/serilog/), a highly customizable logging tool, to +provide monitoring capabilities. + +See the [ References: Logs ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md) topic for additional information on the list of +existing logs. + +## Introduction + +Serilog configuration is written to both _Agent_'s and _Server_'s `appsettings` sets. The relevant +top-level section is `Serilog`. + +A full description of Serilog's configuration capabilities is available in +[Serilog's official documentation](https://github.com/serilog/serilog-settings-configuration#serilogs-official-documentation). + +Identity Manager-specific configuration is detailed here. + +## Log Level and Namespaces + +### Priority + +Logs can be filtered according to a _log level_. + +A priority order between the log levels is established. + +From low priority to high priority, available log levels are: + +- `Verbose` +- `Debug` +- `Information` +- `Warning` +- `Error` +- `Fatal` + +Every log message is associated with a log level and a user-defined _namespace_. Identity Manager +provides the Identity Manager namespace, associated with logs relevant to the user. + +### MinimumLevel + +The `MinimumLevel` section sets the lowest priority log level that will be displayed. Every log +message associated with a log level of priority strictly lower than the minimum level is ignored. + +`MinimumLevel` value can either be a log level or an object with the following attributes and +subsections: + +- **Default** sets the minimum log level. +- `Override` allows the user to set a different minimum log level for logs from a specific namespace + (See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information.) 
+ + Within Identity Manager, the following example is a good practice: default logs with a priority + lower than `Error` are filtered out, except for log messages from the Identity Manager + namespace. + +``` +appsettings.json +{ + ... + "Serilog": { + ... + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + } + } +} +``` + +### Custom namespaces + +Here is a table giving some namespace that you could add in the `Override` section, in order to +monitor the associated module. + +| Module | Namespace | +| ----------------------- | ------------------------------ | +| Identity Manager | Identity Manager | +| Scheduler (server side) | Usercube.Jobs.Scheduler.Server | +| Scheduler (agent side) | Usercube.Jobs.Scheduler | + +## Log Properties + +Each log has a specific set of log properties, defined using the context of the server when +generating the log (see +[Formatting](https://github.com/serilog/serilog/wiki/Formatting-Output#formatting)). + +It is possible to modify the format message of the log displayed by overriding the `outputTemplate` +of the logs: + +``` +appsettings.json +{ + ... + "Serilog": { + "MinimumLevel": { + "Default": "Verbose", + }, + "WriteTo": [ + { + "Name": "Console", + "Args": { + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] ClientId:{ClientId} {Message:lj}{NewLine}{Exception}" + } + } + ] + } +} +``` + +Among all default properties, Identity Manager adds the ClientId log property which can be displayed +when using the previous `outputTemplate` format. + +## Filters + +In addition to the Microsoft log levels, Serilog provides a +[Filters](https://github.com/serilog/serilog-filters-expressions) feature to build more advanced +filter queries on log messages. + +## Sinks + +Serilog allows the user to route log messages to a variety of logging destinations. Every +destination is referred to as a sink. 
+[Sinks](https://github.com/serilog/serilog/wiki/Provided-Sinks) allows logs to be routed to +destination such as standard consoles, files and logging services. See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) +topic for additional information. + +Identity Manager's supported sinks are: + +- `Serilog.Sinks.ApplicationInsights`; +- `Serilog.Sinks.Async`; +- `Serilog.Sinks.Console` to write to the console; +- `Serilog.Sinks.Datadog.Logs`; +- `Serilog.Sinks.File` to write to a file; +- `Serilog.Sinks.Map`; +- `Serilog.Sinks.Network` to write to another network; + + > For example, this sink can be used when producing a JSON output for QRadar. + +- `Serilog.Sinks.PeriodicBatching`; +- `Serilog.Sinks.Splunk.Durable` to send logs to Splunk; +- `Serilog.Sinks.Syslog`. + + > For example, this sink can be used when producing an + > [RFC3164](https://tools.ietf.org/html/rfc3164) or + > [RFC5424](https://tools.ietf.org/html/rfc5424) output for QRadar. + +The log messages can be routed to several logging destinations simultaneously. These destinations +are described in the **WriteTo** attribute. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.227", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } +} +``` + +There can only be one **Filter** attribute associated with a **WriteTo** attribute. 
Therefore, the +filter defined in the **Filter** attribute is applied to all the destinations contained in the +**WriteTo** attribute. To filter only one destination at a time, sub-loggers can be used. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger1", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.127", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + }, + { + "Name": "Logger2", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.100", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination3", + "Args": { + "uri": "192.168.13.408", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Test') and EventId.Id >= 800" } + } + ] + } + } + } + ] + } +} +``` + +In the example above, the filter defined in **Logger1** will only apply to **Destination1**, and the +filter defined in **Logger2** will only apply to **Destination2** and **Destination3**. + +When using `Serilog.Sinks.File`, the setting `shared` should be set to `true` in the `Args` section +to enable Identity Manager's **Monitoring** screen functionality. 
+ +As this `shared` setting allows several systems to interact with the log file simultaneously, so we +can have both Serilog writing to the log file and Identity Manager reading it to display its content +on the **Monitoring** screen. + +``` + +{ + ... + "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +## QRadar + +QRadar is a supported destination for Identity Manager's logs. + +See the [ Export Logs to a Log Management System ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) topic to learn +how to send Identity Manager's logs to your QRadar system. + +Three output formats are available for QRadar-routed logs: + +- JSON +- RFC3164 +- RFC5424 + +#### JSON output + +JSON output uses _Serilog.Sinks.Network_ sink. + +The following configures a QRadar JSON output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UDPSink", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + } + ] + } +} +``` + +#### RFC3164 or RFC5424 output + +Using `Serilog.Sinks.SyslogMessages`_Sink_, the **Serilog.writeTo.configureLogger.Args.format** +attribute is set to `RFC3164` or `RFC5424`. + +The following configures a QRadar RFC5424 output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "Using": [ + "Serilog.Sinks.Syslog" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UdpSyslog", + "Args": { + "host": "192.168.13.110", + "port": "514", + "appName": "Usercube", + "format": "RFC5424", + "facility": "Local0", + "secureProtocols": "SecureProtocols.None", + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} +``` + +## Application Insights + +Identity Manager supports the +[Application Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) +integration. It means that you can monitor the lifecycle of the application through a dedicated +interface, which can be useful to measure performance, observe how the application is used or detect +performance anomalies. + +### Configuration + +Both the server and the agent support the Application Insights integration. To set it up, you need +to create your own Application Insights instance (see +[Create New Resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource)). +Once done, you should have an instrumentation key. To plug the server or the agent into the +Application Insights instance, you simply have to set the key at the root of the appsettings file: + +``` +appsettings.json +{ + ... + "ApplicationInsights": { + "InstrumentationKey": "YOUR-INSTRUMENTATION-KEY" + } +} +``` + +This configuration will automatically add a `Serilog.Sinks.ApplicationInsights` to the Serilog +configuration. Thus, declaring explicitly an ApplicationInsights _sink_ in the Serilog configuration +is useless. The `ApplicationInsights` section does not only affect the logging system, but also +sends metrics periodically such as the percentage of CPU usage. 
+ +## Logs Monitoring via User Interface + +Identity Manager offers the ability to download the application logs directly through the User +Interface (UI) via the **Monitoring** screen in the **Administration** section on the Dashboard. + +SaaS installations support this feature automatically while on-premises installations support this +in two ways. The first one is to leverage the path to the logs from the Serilog configuration when +writing application logs into a single file. See the example below. The second option is described +in the following subsection. + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +### `LogsPath` + +if you store Identity Manager logs thanks to an external mechanism (the web server, etc), then you +have to use the second option in order to enable this feature which is via an ad hoc parameter at +the root of the appsettings called `LogsPath` indicating the path where the application logs are +located: + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ "Console" ], + }, + "LogsPath": "C:/inetpub/logs/LogFiles" +} +``` + +If logs are all stored in one file, provide the path to the file. If they are stored in multiple +separate files within a directory, provide the path to the directory and Identity Manager will +handle providing the most recent logs. + +## Default Configuration + +``` +appsettings.json +{ + ... +"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +## Configuration Examples + +### Write log messages + +This example configures _Serilog_ to write log messages to the `../Temp/Server/identitymanager-log.txt` +file. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +### Reduce logging process overhead + +This example shows how to reduce the overhead of the logging process for Identity Manager's main +thread by delegating work to a background thread, using the _Async\_\_Sink_. + +``` +appsettings.json +{ + ... +"Serilog": { + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Debug" + } + }, + "WriteTo": [ + { + "Name": "Async", + "Args": { + "configure": [ + { + "Name": "File", + "Args": { + "path": "C:/Projects/LogTest/identitymanager-test.txt", + "shared: true, + "buffered": "true" + } + } + ] + } + }, + { + "Name": "Console" + } + ] + } +} +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md new file mode 100644 index 0000000000..065de67386 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/references/index.md 
@@ -0,0 +1,84 @@ +# References: Logs + +## Definition + +This section provides descriptions for logs which are meant to be sent to other systems like SIEMs, +for example QRadar. + +The description will use this template for each log: + +EventId id: int + +EventId name: string + +LogLevel: Trace||Verbose||Debug||Information||Warning||Error||Critical + +Arguments: + +- argument1 (string): description1 (string) +- argument2 (string): description2 (string) +- argument3 (string): description3 (string) + +The EventId id must be unique so we could use it to filter the logs we send. See the +[ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +#### 500 + +EventId id: 500 + +EventId name: Workflow.StartWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Identity Manager's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 501 + +EventId id: 501 + +EventId name: Workflow.ResumeWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Identity Manager's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 502 + +EventId id: 502 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Information + +Arguments: + +- Perfomer: Identity Manager's login or id of the performer +- Subject: Identity Manager's id of the readed resource +- EntityType: Identity Manager's type of the readed resource + +#### 503 + +EventId id: 503 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Error + +Arguments: + +- Perfomer: 
Identity Manager's login or id of the performer +- Subject: Identity Manager's id of the readed resource +- EntityType: Identity Manager's type of the readed resource +- ExceptionMessage: Exception's message diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md new file mode 100644 index 0000000000..a527d6fec6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md 
@@ -0,0 +1,140 @@ +# appsettings.agent + +The appsettings.agent.json file is meant to contain configuration data to be used by the agent to +run Identity Manager. + +It includes: + +- Connections to the managed systems +- Password reset settings +- Connections to potential additional databases +- OpenId information +- Specific task configuration + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"UsercubeAgent": { + "Url": "" +} +``` + +As Identity Manager does not know any object named Identity ManagerAgent, its content will be +ignored, but it can still be used to store information for human use. + +## Supported Sections + +| Name | Type | Description | +| ------------------------------- | ---------------------- | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------- | +| Connections optional | List of Connections | Connection information of all the systems managed by this agent, for synchronization and fulfillment configuration. This section contains a subsection for each connection containing the connection's agent settings. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Connections": {     …     "": {       "": "":       …     }   } }` Example: `{   …   "Connections": {     …     "Directory": {       "Path": "C:\UsercubeDemo\Sources\Directory.xlsx"     },     "ServiceNowExportFulfillment": {       "Server": "https://INSTANCE.service-now.com/api/now/table",       "Login": "LOGIN",       "Password": "PASSWORD"     }   } }` See the [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md)and [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topics for additional information. | +| Databases optional | List of Databases | Names and connection strings of all databases used by the agent through InvokeSqlCommandTask, other than Identity Manager's database and other than the databases provided in Identity Manager's available packages. This subsection contains a subsection for each additional database. **NOTE:** The Database is a subsection of the Connections section mentioned above. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Databases": {     "": ""   } }` Example: `{   …   "Databases": {     "UsercubeContoso": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"   } }` | +| OpenId optional | OpenId | OpenId information, i.e. the ClientIds and related ClientSecrets that the agent may use to authenticate to the server in order to launch jobs and tasks. 
In order to launch jobs and tasks, the profiles related to these OpenId credentials must possess the required permissions. | +| PasswordResetSettings optional | PasswordResetSettings | Parameters which configure the reset password process for the managed systems that support it. | +| SourcesRootPaths optional | String Array | List of folder paths from which Identity Manager is allowed to read. This option is used to validate the sources files defined in file-based connections. These paths are case sensitive. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "SourcesRootPaths": [ "C:/UsercubeContoso/SourceHR", "C:/UsercubeContoso/SourcesPhone" ]  }` | +| TaskAgentConfiguration optional | TaskAgentConfiguration | Various settings to customize the behavior of some agent tasks. | + +## OpenId + +| Name | Type | Description | +| ---------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AgentIdentifier required | String | Identifier of the agent, as it is named in the XML configuration. With the following configuration: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`` We could have the following setting in the agent's appsettings.agent.json: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     …     "AgentIdentifier": "MyAgent"   } }` | +| DefaultOpenIdClient required | String | ClientId that defines the default OpenId pair, from the OpenIdClients section, used by the agent to authenticate to the server. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret1",       "Admin": "secret2",       "Agent": "secret3"     },     "DefaultOpenIdClient": "Agent"   } }` | +| OpenIdClients required | List of OpenIdClients | Pairs of ClientIds and non-hashed ClientSecrets, to override the corresponding secrets specified in the XML configuration. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret",       "Admin": "secret2"     }   } }` | + +## PasswordResetSettings + +| Name | Type | Description | +| ------------------------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| EncryptionCertificate required | EncryptionCertificate | Location of the public key certificate and the private key used to handle input and output files' encryption. | +| MailSettings optional | MailSettings | Settings for configuring the SMTP server, used to send password reset email notifications. | +| NotificationSettings optional | NotificationSettings | Settings to configure password reset notifications. 
| +| TokenBuildingSettings optional | TokenBuildingSettings | Settings to build the confirmation token used by the password reset's two-Way mode. The confirmation token is a base-64 encoded JSON Web Token (JWT) token that contains the information required to complete password reset when in two-way mode. It is appended to the confirmation Uri. | +| TwoFactorSettings optional | TwoFactorSettings | Settings to configure the password reset's two-way mode, i.e. the process where Identity Manager sends emails containing links to users for them to click on it and reset their passwords. | + +### EncryptionCertificate + +If you are using the certificate provided in the SDK, the agent will be unable to launch. You must +create your own certificate. + +Encryption certificate information can be set in one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information + Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both + the public key certificate and the private key. + +| Name | Type | Description | +| ----------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     "File": ""   } }` | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "File": "",     "Password": ""   } }` | + +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +| Name | Type | Description | +| ------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName Required if Thumbprint is empty | String | Subject distinguished name of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "DistinguishedName": ""     …   } }` | +| StoreLocation required | String | Location of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "StoreLocation": ""   } }` | +| StoreName required | String | Name of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "StoreName": ""   } }` | +| Thumbprint Required if DistinguishedName is empty | String | Thumbprint of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "Thumbprint": "<6261A70E599642A21A57A605A73B6D2AE7C5C450>"     …   } }` | + +_Remember,_ Netwrix recommends using Windows' certificate store. + +On the other hand, the PFX file takes priority over Windows' certificate, which means that when +`File` is specified then the PFX certificate is used, even if the options for Windows' certificate +are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +### MailSettings + +| Name | Type | Description | +| ------------------------------------------------------ | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress Required if PickupDirectory is empty | String | Email address used by Identity Manager to send notifications. 
Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "FromAddress": "",       …     }   } }` | +| Host Required if PickupDirectory is empty | String | SMTP server domain name or an IP address. To be used only when UseSpecifiedPickupDirectory is set to false. | +| Password Required | String | Password that Identity Manager will use to login to the SMTP server. used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | +| PickupDirectory Required if FromAddress/Host are empty | | Path to the pickup directory. See the [ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md) topic for additional information. See more details on the pickup directory feature. To be used only when UseSpecifiedPickupDirectory is set to true. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "PickupDirectory": "<../Mails>",       …     }   } }` | +| Username required | String | Username for Identity Manager to login to the SMTP server. Used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | +| AllowedDomains optional | String | List of domains to which the SMTP server is authorized to send emails. Domain names must be separated by `<;>`. | +| CatchAllAddress optional | String | Catch-all address that will receive all of Identity Manager's emails instead of usual users. this is helpful for testing before going live. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllAddress": "",       …     }   } }` | +| CatchAllCCAddress optional | String | Catch-all address that will receive all of Identity Manager's emails as cc (carbon copied). Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllCCAddress": "",       …     }   } }` | +| Enabled default value: True | Boolean | True to enable email sending. When set to false, no email is sent by Identity Manager. | +| EnableSsl default value: False | Boolean | **DEPRECATED**: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. 
| +| Port default value: 0 | String | SMTP server port. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| UseDefaultCredentials default value: False | Boolean | True to use the default username/password pair to login to the SMTP server. When set to false, Windows authentication is used. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| UseSpecifiedPickupDirectory default value: False | Boolean | True to write emails as local files in the specified PickupDirectory instead of sending them as SMTP packets. See the [ Send Notifications ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/email-server/index.md)topic for additional information. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "UseSpecifiedPickupDirectory": true,       …     }   } }` | + +### NotificationSettings + +| Name | Type | Description | +| ------------------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Cultures default value: ["en"] | String Array | List of languages in which reset-password email notifications will be sent, among: fr and en. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "NotificationSettings": {       "Cultures": [“fr”, “en”]     }   } }` | + +### TokenBuildingSettings + +| Name | Type | Description | +| -------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ValidFor default value: 03:00:00 | String | Validity period of the issued token, and thus of the password reset link. The format must be HH:mm:ss Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "TokenBuildingSettings": {       "ValidFor": "<03:00:00>"     }   } }` | + +### TwoFactorSettings + +| Name | Type | Description | +| ----------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri required | String | URI of the Identity Manager application. **NOTE:** this helps create the links in the emails for two-way password reset. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            "ApplicationUri": ""            …         }     } }` | +| ResetConfirmationUri required | String | Base URI for the password reset link that is sent to the user. The password reset confirmation token is appended to the ResetConfirmationUri. The resulting URI is sent to the user. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            …            "ResetConfirmationUri": ""         }     } }` | + +## TaskAgentConfiguration + +| Name | Type | Description | +| -------------------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| HttpClientTimeoutSupplement default value: 0 | Integer | Additional minutes that extend the default timeout (30 minutes) of the HttpClient instance used to send requests to the server. Here the total timeout will be 50 minutes: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "TaskAgentConfiguration": {     …      "HttpClientAdditionalTimeout": 20   } }` | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md new file mode 100644 index 0000000000..61b83cc0c8 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md 
@@ -0,0 +1,332 @@ +# Application Settings + +This section describes the settings available in the agent's appsettings.json file, located in the +agent's working directory or in environment variables. + +**NOTE:** JSON files can contain any additional information that you might find useful. See the +example below. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +"UsercubeAgent": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity Manager Agent, its content will be +ignored, but it can still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + +| Name | Type | Description | +| --------------------------------------------------------------------- | --------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApplicationUri (required) | Uri | Server's listening URI. Used by the agent to send requests to the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {  "ApplicationUri": " " }` | +| Jobs (optional) | Job | Settings to configure all jobs with common values. | +| Scheduler (optional) | Scheduler | Settings to configure Identity Manager's scheduler. | +| TaskTimeoutSupplement default value: 0 | Int32 | Additional time (in minutes) for the Invoke-Job tool's Timeout property. Example: `appsettings.json {     "TaskTimeoutSupplement": 10 }` | +| InstallationDirectoryPath default value: Usercube-agent.exe directory | String | Path of the installation directory. It is used to read other configuration files. 
| +| EncryptionCertificate (required) | EncryptionCertificate | Settings to configure the encryption of specific files. | +| IdentityServer (required) | IdentityServer | Settings to configure the agent's encrypted network communication, for example with the server or a browser. | +| Authentication (required) | Authentication | Settings to configure end-user authentication, for example for users to launch a job from the UI. | +| Serilog (optional) | Logger setting | Settings to configure the logging service, complying to the Logger properties and structure. See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. Example: `appsettings.json {   "Serilog": {     "WriteTo": [ "Console" ],     "MinimumLevel": {       "Default": "Error",       "Override": {         "Usercube": "Information"         }       }     } }                         ` | +| Cors (optional) | Cors | Settings to configure the agent's [CORS policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CORS), which is useful when using non-integrated agents. | +| ApplicationInsights (optional) | ApplicationInsights | Settings to plug to and configure the [AppInsights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| TempFolderPath (optional) | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. 
- CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. Note that this path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. Note that this path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment these elements can be removed, but make sure to restart the server after doing so. Example: `appsettings.json {   "TempFolderPath": "../Temp" }` | +| WorkFolderPath (optional) | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: `appsettings.json {   "WorkFolderPath": "../Work" }` | +| JobLaunchTimeout default value: 7500 | String | Time period (in milliseconds) after which, if a launched job has not started, it is considered in error. Example: `appsettings.json {   "JobLaunchTimeout": 9000 }` | +| InvokeSqlCommands default value: null | String | List of parameter sets used to override InvokeSqlCommandTasks' SQLInputFile and OutputPath parameters from the XML configuration. 
See the [Invoke Sql Command Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) topic for additional information. For each task to override, the key must be the task's identifier. Example: `appsettings.json  {        "InvokeSqlCommands": {         "InvokeSqlCommandTask_Identifier": {           "SQLInputFile": "YourInputFilePath",           "OutputPath": "YourOutputFilePath"  },         } }` | + +## Jobs + +Below is an example of job that can be executed by the agent. + +For example: + +``` +appsettings.json +{ +  ... +  "Jobs": { +    "MaxTaskBatchSize": "2" +  } +} +``` + +| Name | Type | Description | +| --------------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MaxTaskBatchSize default value: 5 | Int64 | Maximum number of tasks that can be launched simultaneously, thus avoiding timeout issues. When executing a job, Identity Manager launches simultaneously the tasks of a same Level. See the [ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) topic for additional information. If the number of same-level tasks exceeds MaxTaskBatchSize, then Identity Manager inserts new levels. These effective levels can be seen in the job's logs or with the Usercube-Get-JobSteps executable. 
See the [ Usercube-Get-JobSteps ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) topic for additional information. | + +## Scheduler + +Below is an example of scheduling and a list of attributes. + +For example: + +``` +appsettings.json +{ +  ... +  "Scheduler": { +    "Enabled": "true", +    "MaxLockWatchTime": 3600 + } +} +``` + +| Name | Type | Description | +| ------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled (optional) | Boolean | True to activate Identity Manager's scheduler. | +| MaxLockWatchTime default value: 1800 | Int32 | Time period (in seconds) to spend watching for the scheduler's lock file before launching it. When set to 0 the duration is infinite, and when set to a negative value the scheduler launch fails if the lock file already exists. This parameter prevents a failure if Identity Manager's scheduler has already been launched from another source. | + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the Agent's host file system. The archive contains both the public key + certificate and the private key. 
+- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + + **NOTE:** Netwrix recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + File is specified then the PFX certificate is used, even if the options for Windows' certificate + are specified too. + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    ... +    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } + +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | --------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. +See[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. 
+ +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. See the[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) topic for additional information. | + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { +    ... +    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } + +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Details | +| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------- | +| DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | +| Thumbprint (optional) | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. 
| +| StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName (required) | String | Name of the relevant Windows certificate store. | + +Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +"": { +    "CertificateAzureKeyVault": "" +} +``` + +## Identity Server + +Just like the Encryption Certificate, this information can be set one of two ways. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +"": { +  "X509KeyFilePath": "<./Usercube.pfx>", +  "X509KeyFilePassword": "" +} +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------------------ | ------ | ----------------------------------------------------------------------------------------------- | +| X509KeyFilePath (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. | +| X509KeyFilePassword (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See +the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. 
+ +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"": { +  "X509SubjectDistinguishedName":"", +  "X509StoreLocation": "", +  "X509StoreName": "" +} +``` + +The certificate is set using these attributes: + +| Name | Type | Description | +| --------------------------------------- | ------ | ----------------------------------------------------------------------------------------------- | +| X509StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| X509StoreName (required) | String | Name of the relevant Windows certificate store. | +| X509SubjectDistinguishedName (optional) | String | SubjectDistinguishedName of the certificate. It is required when X509Thumbprint is not defined. | +| X509Thumbprint (optional) | String | Thumbprint of the certificate. It is required when X509SubjectDistinguishedName is not defined. | + +**NOTE:** If you are using the certificate provided in the SDK, the agent will fail when launching. +You must create your own certificate. + +You can get the DistinguishedName of the certificate using OpenSSL: + +``` + +openssl x509 -noout -in {certificate file name with full path} -subject + +``` + +## Authentication + +An example of authentication and a list of attributes. + +``` +appsettings.json +{ +  ... +  "Authentication": { +    "Enabled": true, +    "RequireHttpsMetadata": true +  } +} +``` + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------ | +| Enabled default value: true | Boolean | True to enable authentication. | +| RequireHttpsMetadata default value: true | Boolean | True to set HTTPS required for the discovery endpoint. | + +## Cors + +An example of cors and a list of attributes. + +``` +appsettings.json +{ +  ... 
+  "Cors": { +    "AllowAnyHeader": true, +    "AllowAnyMethod": false, +    "AllowCredentials": true +  } +} +``` + +| Name | Type | Description | +| ------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAnyHeader default value: false | Boolean | True to enable the [Access-Control-Allow-Headers: \*](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | +| AllowAnyMethod default value: false | Boolean | True to enable the [Access-Control-Allow-Methods: \*](https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | +| AllowCredentials default value: false | Boolean | True to enable the [Access-Control-Allow-Credentials: true](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | + +## Application Insights + +Identity Manager supports the Application Insights integration. It means that you can monitor the +lifecycle of the application through a dedicated interface, which can be useful to measure +performance, observe how the application is used or detect performance anomalies. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +  ... 
+  "ApplicationInsights": { +    "InstrumentationKey": "" +  } +} +``` + +The application insights details are: + +| Name | Type | Details | +| -------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See Microsoft's documentation to create an[ instrumentation key](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource). | + +**NOTE:** The logs sent to AppInsights are configured through the Logger properties. See the +[ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md new file mode 100644 index 0000000000..4b68ec89c6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md 
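Review bot: In the Cors example of the hunk that ends with the Application Insights section, `AllowAnyHeader` and `AllowCredentials` are both set to `true` although the table directly below gives `false` as the default for each, and nothing says when relaxing them is appropriate. Either show the defaults in the example or add a sentence on which deployments need these values. In the same table the `AllowAnyMethod` link points at the `/fr/` MDN page while the other two rows use `/en-US/`. The Windows Store and Application Insights examples tell the reader to replace attributes enclosed in `<>`, but the snippets contain only empty strings (`"": {`, `"InstrumentationKey": ""`), so the placeholders need restoring. The wording "before entering the script in the command line" also does not fit a JSON settings file.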
@@ -0,0 +1,91 @@ +# Azure Key Vault + +## Prerequisites + +First, Identity Manager recommends reading: + +- [Azure Key Vault's overview documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) + and [Basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts); +- How to + [sign in to Azure and create a vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal#sign-in-to-azure-and-create-a-vault); +- About + [Azure Key Vault's secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets) + because secrets are the data that Identity Manager needs to collect. + +## Compatible Settings + +Every key from appsettings.agent.json that has a string value can be saved as a secret into +Microsoft Entra ID (formerly Azure AD) Key Vault. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional information. + +Check the examples in connectors' credential protection sections. See the +[ ServiceNow ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) topic +for additional information. + +## Write Settings to the Vault + +After creating the Azure Key Vault, open its page on Azure's portal and +[add a secret](https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal#add-a-secret). + +The important part of adding a secret in Azure Key Vault is defining its name and value: + +- As secrets' names can only contain alphanumeric characters and double dashes (`--`) as separator, + the keys from the appsettings.agent.json file must contain only alphanumeric characters too; +- Secrets' values are simply the value associated with the key in the JSON file. 
+ +For example, for the Active Directory: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                        appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "ADExport": { +      "Servers": [ +        { +          "Server": "", +          "BaseDN": "" +        }, +        { +          "Server": "", +          "BaseDN": "" +        } +      ], +      "AuthType": "", +      "Login": "", +      "Password": "", +      "Filter": "(objectclass=*)", +      "EnableSSL": "false", +    } +  } +} +                     +``` + +To save the login to Azure Key Vault, create a secret whose name and value are respectively +`` and ``. + +To save the second server, create a secret whose name and value are respectively +`` and ``. + +_Remember,_ the index of the first element is `<0>`. + +This way, values from the Azure Key Vault take priority over the values from the appsettings files. + +For example, if Login exists in both Azure Key Vault and appsettings.agent.json, then the value from +Azure Key Vault is used. + +## Configure Usercube + +Netwrix Identity Manager (formerly Usercube)uses the default Azure credentials to connect to the +vault. Since the implementation of default Azure credential is controlled by Microsoft see the +[Default Azure Credential](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) +page additional information. + +| Name | Type | Description | +| -------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------- | +| Vault required | String | DNS Name found on the page of the vault in Azure's portal. _Remember,_ usually in the format is `` | 
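Review bot: The sentences after the ADExport example that explain how to name a secret have lost their content: "create a secret whose name and value are respectively `` and ``" appears twice with empty code spans, and the Vault row ends with "usually in the format is ``". As written, the page never shows the `--` separator or the array index syntax it describes, although the "Remember" line still refers to `<0>`. Please restore the placeholders in the example and in these sentences. In Compatible Settings, "Microsoft Entra ID (formerly Azure AD) Key Vault" looks like a product rename applied by mistake to "Azure Key Vault", which is the name used everywhere else on the page. The JSON example also has a trailing comma after `"EnableSSL": "false"`, and "(formerly Usercube)uses" is missing a space.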
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md new file mode 100644 index 0000000000..dd3c436e68 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md 
@@ -0,0 +1,317 @@ +# CyberArk's AAM Credential Providers + +This guide shows how to protect sensitive data by connecting Identity Manager to CyberArk's +Application Access Manager (AAM) Credential Providers. + +## Data Protection + +Identity Manager often needs to connect to [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) with +credentials that need protection. + +By default, the data used to connect to external systems is stored in plain text in the +**Connections** section of the `appsettings.agent.json` file. This is not a secure option. + +## CyberArk for Data Protection + +CyberArk's Application Access Manager (AAM) Credential Providers, part of the Privileged Access +Security solution, is used to stop storing hard-coded credentials in applications, scripts or +configuration files, and instead store them in CyberArk's vault to be centrally logged and managed. + +This way, the company can easily become compliant with potential internal and regulatory +requirements of periodic password replacement, and able to securely monitor privileged access across +all systems, databases and applications. + +CyberArk is made of vaults. Inside a vault, safes can be created and owners allocated. Accounts and +files can then be stored in safes accessible by users. + +This section explains how Identity Manager retrieves these accounts from CyberArk. + +## Prerequisites + +CyberArk AAM can be used either with: + +- agentless AAM: + [Central Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-Central%20-Credential-Provider.htm?tocpath=Get%20Started%7COfferings%7C_____3#central-credential-provider) + (works with Web Service using REST); +- agent-based AAM: + [Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/lp_cp.htm?tocpath=Get%20Started%7COfferings%7C_____1#credential-provider) + (works with C/C++ Application Password SDK). 
+ + Implementing the Credential Provider method requires placing the C/C++ Application Password SDK + DLL, named `CPasswordSDK.dll` (on 32-bit systems) or `CPasswordSDK64.dll` (on 64-bit systems), + to the `Runtime` folder of Identity Manager. + +Identity Manager supports both AAMs. +[CyberArk's overview](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-CyberArk-Application-Identity-Management-Solution.htm?tocpath=Get%20Started%7C_____1#cyberarks-overview) +can help choose which AAM to go to. + +See more details about Credential Provider's +[system requirements](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/SysReq-Credential-Provider.htm?tocpath=Installation%7CSystem%20Requirements%7C_____1#system-requirements) +and +[installation guide](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/installing-the-Credential-Provider.htm?TocPath=Installation%7CCredential%20Provider%7CInstall%20the%20Credential%20Provider%7C_____0#installation-guide). + +## Compatible Settings + +The following table sums up which keys from `appsettings.agent.json`'s **Connections** section can +be saved to CyberArk: + +| Use Case | Possible Key | +| -------- | ---------------------------------------------- | +| Login | `Login / ApplicationId / ClientId` | +| Password | `Password / ApplicationKey / ClientSecret` | +| Address | `Server / MicrosoftGraphPathApi / ResponseUri` | + +Any [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) using one of these attributes as key can retrieve the +associated value from CyberArk. + +> For example, +> [Active Directory](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) can +> retrieve: `Login`; `Password`; `Server`. 
+ +## Set Authorization Details + +While the application's identifier is required, setting an authentication method and allowed +machines is optional but recommended for security concerns. + +### AppID + +[See CyberArk's documentation on how to add an application to the vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#see-cyberarks-documentation-on-how-to-add-an-application-to-the-vault). + +CyberArk uses for each client application an AppID, i.e. a unique name to identify the application's +permissions to access given safes and stored secrets. + +### Authentication + +Several +[authentication methods](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#authentication-methods) +are available to protect the whole system and make sure that Identity Manager actually does the API +calls. + +Netwrix Identity Manager (formerly Usercube)recommends: + +- Using the certificate's serial number (see below how to configure certificates) when working with + the agentless AAM - Central Credential Provider; +- Generating a hash with the AIMGetAppInfo utility when working with the agent-based AAM - + Credential Provider. + +### Allowed machines + +Finally, +[allowed machines](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#allowed-machines) +can be added to the safe. This way, the Credential Provider verifies that only applications running +from an authorized machine can access secrets. + +### SSL certificate + +If IIS is configured with `AIMWebService` set to `Require SSL`, then an SSL certificate must be +provided. 
+ +Identity Manager does not require a certificate, so it can be launched without certificate-related +parameters, if CyberArk is configured to allow it. + +## Create a CyberArk Account + +CyberArk's Password Vault Web Access (PVWA) is meant to enable users to access sensitive data +through accounts in CyberArk, from any local or remote location. + +The following procedure requires credentials in order to connect to PVWA. + +Create a CyberArk account by +[adding it to the PVWA](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/cv_Managing-Single-Accounts.htm?tocpath=Administration%7CCredential%20Provider%7CAccounts%20and%20Safes%7C_____1#adding-it-to-the-pvwa), +defining at least the following properties: + +``` +| Property Name | Key in appsettings.agent.json | +| ------------- | ------------------------------- | +| Username | Login | +| Address | Server | +| Password | Password | + +Netwrix Identity Manager (formerly Usercube) recommends customizing the account's name because it will be used in [ + + Connection + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) to retrieve this account from the vault. + +``` + +## Assign the Permissions + +[See CyberArk's documentation on how to add a safe member](https://docs.cyberark.com/PAS/13.0/en/Content/PASIMP/Safes-add-a-safe-member-ClassicUI.htm?tocpath=Administrator%7CPrivileged%20Accounts%7CAccess%20Control%7CSafes%20and%20Safe%20members%7CClassic%20interface%7C_____3). + +In order to assign the permissions to access the application, follow CyberArk's instructions to +[build the environment for the Credential Provider in the PVWA](https://docs.cyberark.com/AAM-CP/13.0/en/Content/CP%20and%20ASCP/Building-CP-Environment.htm). 
+ +The aim here is to give the right permissions to: + +- the AAM user, by default named `Prov_{Credential Provider machine name}`, meant to enable the + Credential Provider to authenticate to the vault and retrieve passwords; +- the application, via its AppID. + +## Configure Usercube + +Connect Identity Manager to CyberArk by adding to the agent's `appsettings.json` file a specific +section. + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "certificateFilePath", +> "Password": "certificatePassword", +> "DistinguishedName": "certificateSubjectDistinguishedName", +> "Thumbprint": "certificateThumbprint", +> "StoreName": "certificateStoreName", +> "StoreLocation": "certificateStoreLocation" +> }, +> ... +> } +> ``` + +### Vault settings + +| Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| UseCyberArkSetting default value: False | **Type** Boolean **Description** `True` to enable the CyberArk Provider for Identity Manager. | +| SafeName required | **Type** String **Description** Name of the safe containing the [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) used by Identity Manager. | +| ApplicationId required | **Type** String **Description** [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) of the application that can access the safe. 
| +| Server required | **Type** String **Description** URL configured for the CyberArk Vault. It is recommended to use HTTPS for security purposes. **Note:** the `Server` attribute is only used with the CyberArk Central Credential Provider (Agentless AAM). | + +### Certificate settings + +Certificate settings are only used with the Central Credential Provider (agentless AAM). They set +the location of the public key certificate and the private key used by the agent to handle encrypted +network communications with CyberArk. + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _Agent_'s host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. + + Netwrix Identity Manager (formerly Usercube)recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + `File` is specified then the PFX certificate is used, even if the options for Windows' + certificate are specified too. + + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... 
+> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "C:/UsercubeAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> }, +> ... +> } +> ``` + +The archive is set using the following attributes: + +| Name | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Info:** storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) tool. | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "DistinguishedName": "CN=contoso, OU=Biz, O=Contoso, L=Marseille, S=MA, C=FR", +> "StoreName": "My", +> "StoreLocation": "LocalMachine" +> }, +> ... 
+> } +> ``` + +The Windows certificate is set using these attributes: + +| Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | **Type** String **Description** _SubjectDistinguishedName_ of the store certificate. **Note:** required when `Thumbprint` is not specified. | +| Thumbprint optional | **Type** String **Description** _Thumbprint_ of the store certificate. **Note:** required when `DistinguishedName` is not specified. | +| StoreLocation required | **Type** String **Description** Location of the relevant Windows certificate store: `LocalMachine` or `CurrentUser`. | +| StoreName required | **Type** String **Description** Name of the relevant Windows certificate store. | + +## Usercube's CyberArk Vault + +Once [CyberArk's AAM Credential Providers ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md), Identity Manager retrieves the sensitive +values from CyberArk via the `appsettings.cyberArk.agent.json` file. + +In this file: + +- the keys must follow the same structure as in the **Connections** of the `appsettings.agent.json` + file; +- the values are the names of the accounts created before. + +> The following example saves in CyberArk the credentials for `AD_Export`, with the accounts +> `AdAccount` and `AdServer2`: +> +> ``` +> appsettings.cyberArk.agent.json +> { +> "Connections": { +> "AD_Export": { +> "Login": "AdAccount", +> "Password": "AdAccount", +> "Servers": [ +> { +> "Server": "AdAccount" +> }, +> { +> "Server": "AdServer2" +> } +> ] +> } +> } +> } +> ``` +> +> Thus, when launching a job via the `AD_Export` connection, Identity Manager gets the values for +> `Login`, `Password` and `Server` from CyberArk, and the others from `appsettings.agent.json`. 
+ +After updating `appsettings.cyberArk.agent.json`, the agent must be restarted for the changes to +take effect. + +To get a given property's value, Identity Manager reads first the section in +`appsettings.cyberArk.agent.json` for the appropriate connection. Only if the property is not listed +here will Identity Manager read the corresponding section in `appsettings.agent.json` to find it. + +Thus, when a property is listed in both appsettings files, the value from the CyberArk vault takes +priority over the one from the usual appsettings file. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md new file mode 100644 index 0000000000..1d8b2b14d1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md 
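Review bot: In the CyberArk page's "Create a CyberArk Account" section, the property table and the recommendation paragraph after it sit inside a code fence, so the table and the Connection link will render as literal text; the fence should be removed. The "As a PFX file" example carries a literal `"Password": "oarjr6r9f00"` while the table just below says storing a plain-text `.pfx` password is strongly discouraged, so a placeholder or a value protected with Usercube-Protect-CertificatePassword would match the advice. Two sentences appear to have lost their wording to a link substitution: the `ApplicationId` description and the opening sentence of "Usercube's CyberArk Vault" both use a link back to this same page where a noun (AppID) or a verb phrase is expected. The CyberArk links also mix the 11.4, Latest and 13.0 documentation versions.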
@@ -0,0 +1,79 @@ +# Agent Configuration + +Identity Manager Agent's configuration includes connection information to the managed systems and to +the Server. Protection of sensitive credentials can be achieved through RSA encryption, storing +information within a CyberArk Vault, or using an Azure Key Vault safe. + +## Configuration Files + +The Agent configuration uses two sets of settings: the agent **appsettings** set and the +**appsettings.agent** set. + +1. The [appsettings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) set is written either to the Agent's working directory + [appsettings.json file](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) or as + [environment variables](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md). +2. The [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) set is written as + [environment variables](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) or to the + [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) files from the Agent's working directory. +3. There are two additional files involved in the _Agent_'s configuration to protect sensitive data: + [appsettings.encrypted.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) and + [appsettings.cyberark.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md). + +## Protect Credentials + +Managed system credentials are sensitive information. 
Identity Manager offers three strategies to +protect sensitive data. + +### RSA encryption + +Any Agent configuration setting value can be encrypted using `Usercube-Protect-X509JsonValue` and +`Usercube-Protect-X509JsonFile` tools. An encrypted value is then written to the +[appsettings.encrypted.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) file. + +It means that any sensitive setting value that the user chooses to protect this way won't be written +to the [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file but to the +[appsettings.encrypted.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) file. + +### CyberArk Vault + +Any Agent configuration setting value can be encrypted using Identity Manager's CyberArk +integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file but stored within a +CyberArk Vault. + +### Azure Key Vault safe + +Any Agent configuration setting value can be encrypted using Identity Manager's Azure Key Vault +integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file but stored within an Azure +Key Vault safe. 
+ +## Merge Priority + +Because of the credential protection system, the Agent connection information to managed systems can +be written to the following configuration sources: + +- The [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file which contains plain text, + non-encrypted setting information. +- The [appsettings.encrypted.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) file which contains encrypted + setting information. +- An Azure Key Vault safe (see [azure key vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)). +- A CyberArkVault referenced by the + [appsettings.cyberark.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + file. +- The [appsettings.connection.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) file. + +Each configuration source is loaded one after the other, in the following order: + +1. [appsettings.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +2. [appsettings.encrypted.agent.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) +3. _[Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)_ safe +4. _[CyberArk](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) Vault_ +5. 
[appsettings.connection.json](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) + +If a json key is defined in multiple configuration source, only the last loaded json key is +preserved to build the final configuration. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..23b47aec80 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md 
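Review bot: Under "Protect Credentials" in the Agent Configuration page, the CyberArk Vault and Azure Key Vault safe subsections both say a setting value "can be encrypted using" the integration, but the next sentence in each describes storing the value in the vault instead of in appsettings.agent.json. "Stored in" would be accurate and would distinguish these two options from RSA encryption. In "Configuration Files", item 3 is listed under "two sets of settings" although it describes two extra files, so it reads better as a separate paragraph after the list. The file name is spelled `appsettings.cyberark.agent.json` here and `appsettings.cyberArk.agent.json` in the CyberArk page; one spelling should be used throughout. The Azure Key Vault page states that vault values take priority over the appsettings files, while the Merge Priority list here loads the CyberArk vault and appsettings.connection.json after it, so a cross-reference to this list from that page would avoid confusion.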
@@ -0,0 +1,61 @@ +# RSA Encryption + +Identity Manager provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Identity Manager's tools: + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + to encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` and +`appsettings.encrypted.agent.json` files. Identity Manager will read first the values from the +encrypted appsettings files, before reading those from the usual non-encrypted appsettings files. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings files and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings files without having to encrypt the whole files again. + +## Focus on the Encrypted Appsettings Files + +The `appsettings.encrypted.json` and `appsettings.encrypted.agent.json` files contain respectively +the `appsettings.json` and `appsettings.agent.json` files' sensitive setting values which are +protected by RSA encryption. + +These files follow the exact same structure as the [ Agent Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). + +### Read the Encrypted Files + +Identity Manager can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. 
+ +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. + +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./Usercube.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md new file mode 100644 index 0000000000..a7b388d2b2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md 
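Review bot: In "Read the Encrypted Files" of the RSA Encryption page, "an RSA decoding algorithm fed by a public-key certificate" is misleading, because decryption needs the private key, which is why the example points `File` at a `.pfx` archive with a `Password`. Suggest wording along the lines of "decrypts the settings with the private key of the X.509 certificate". The example shows `"Password": "secret"` in plain text with no pointer to the Usercube-Protect-CertificatePassword tool that the CyberArk page recommends for `.pfx` passwords. In the Overview, "will read first the values from the encrypted appsettings files" describes the order differently from the Merge Priority list in the Agent Configuration page, where appsettings.agent.json is loaded first and the encrypted file overrides it; the outcome is the same but one description should be used. "These files follow the exact same structure as the Agent Configuration" also looks like a link substitution for the plain appsettings files.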
@@ -0,0 +1,81 @@ +# Configure Okta + +This guide shows how to configure the OIDC to set up the authentication to Identity Manager. + +## Create the Application + +On the Okta dashboard: + +![Add Application](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp) + +**Step 1 –** Select the **Applications** section and click on the **Add Application** button. + +![Create New App](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp) + +**Step 2 –** Then click on the **Create New App** button. + +![Create Native App](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp) + +**Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. +Click on **Create**. + +**Step 4 –** In **General Settings**, name your Application. You can also add a logo. + +**Step 5 –** In the **Configure OpenID Connect** section, enter the connection redirection URL in +the part: **Login redirect URLs**. To find out this URL, just take the URL of the Identity Manager +application and add `/signin-oidc`. The Identity Manager disconnection redirection URL is also +necessary. To construct it, take Identity Manager's URL again and, at the end, add +`/signout-callback-oidc`. + +**NOTE:** The **Logout redirect URLs** section is marked as optional but it is mandatory for +Identity Manager. + +![Save Application](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp) + +## Configure the Client Credentials + +The client secret in Identity Manager is required for the OIDC connection. You must therefore +configure this OIDC connection option in the application. In the Application Dashboard, click on +**Edit** in the **Client Credentials** section. 
Select the option **Use Client Authentication** and +save the changes. + +![Client Credentials](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) + +## Configure the Application Settings + +In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with +Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. + +![Application Section](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) + +## Configure the appsettings.json + +To successfully configure the OpenId protocol, you can refer to the dedicated section in the +detailed guide. See the +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) for +additional information. + +Below is an illustrative example of how to set up your `appsettings.json` file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +                { +                ... +                "OpenId": { +                "Enabled": true, +                "Okta": { +                "AuthenticationScheme": "Okta Authentication", +                "Authority": "https://your-domain.okta.com/oauth2/default", +                "ClientId": "Your Client ID", +                "ClientSecret": "Your Client Secret", +                "DisplayName": "Okta Display Name", +                "NameClaimType": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", +                "SaveToken": true +                } +                } +                } +             +``` 
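Review bot: In the `appsettings.json` example that closes okta/index.md, `NameClaimType` is written as `https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`, but the UPN claim type URI uses the `http` scheme (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`). Claim types are compared as plain strings, so the `https` form will not match the claim; please check the value against a working deployment. The same block shows `ClientSecret` as a literal in the non-encrypted file, so a pointer to the `UseEncryptedAppsettings` mechanism would fit here. The sentence about attributes enclosed with `<>` does not apply to this block, which uses `Your Client ID` style values and is a JSON file rather than a command-line script, and the block has lost its nesting indentation. The section that requires **Implicit (Hybrid)** should also say which grant Identity Manager actually uses, since the earlier steps create a **Native app** and enable client authentication.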
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md new file mode 100644 index 0000000000..fce421d49a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md 
@@ -0,0 +1,199 @@ +# Network Configuration + +Identity Manager's network technical configuration includes: + +- Database connection +- Managed systems connection +- Synchronization and fulfillment processes +- End-user authentication +- Logging + +## Introduction + +Configuration settings are saved in configuration files or in the host system's environment +variables. + +Configuration settings are detailed further in the following sections: + +- Server configuration, including connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +- Agent configuration, including connection to the managed systems. See the + [ Agent Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) topic for additional information. +- Monitoring, indicating how to set up monitoring for Identity Manager. See the + [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md)topic for additional information. + +## Write Settings + +How to write settings for the network configuration. + +### Sets, sections and values + +Configuration setting values are organized by functionality into three sets: + +1. The Server's appsettings set gathers general-purpose settings for the Server (including database + connection and end-user authentication). See the + [Server Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +2. The Agent's appsettings set gathers general-purpose settings for the Agent executable process. + See the [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) topic for additional + information. +3. 
The appsettings.agent set gathers settings for the Agent's connection to the managed systems. See + the [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional + information. + +Each set can be seen as a +[tree-like structure](https://en.wikipedia.org/wiki/Tree_(data_structure)) where leaves are a +name-value pair: the name of the setting and the value of the setting. + +Within a Configuration Set Tree, settings are organized into meaningful sections which can be +further organized into subsections, leading to a tree-like structure where sections are nodes. For +example, settings involving end-user authentication are gathered in the Authentication section, +containing another subsection for every authentication method such as OpenId or OAuth. + +This means that every setting value either belongs to the settings root node or to a section, itself +belonging to a parent section. + +![tree like structure](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/tree-like-structure.webp) + +### Configuration files + +Settings can be written as `json` objects stored in `.json` files in the Server or Agent working +directory. + +Relevant files for the Server can be found in the Server working directory: + +- `appsettings.json` + +Relevant files for the Agent can be found in its working directory: + +- `appsettings.json` +- `appsettings.agent.json` +- `appsettings.encrypted.agent.json` +- `appsettings.cyberArk.agent.json` + +Each setting file is organized into several sections as shown in the Sets, Sections and values +diagram. See the [ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) topic for additional information. + +Each section's name matches a top level attribute of the file's `json` object. 
+ +The section content is written as the matching attribute's value which can be broken down into a set +of setting attributes and subsection attributes. + +Each subsection can then be broken down into more setting attributes and deeper nested subsections. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +settings.example.json +{ +   "sectionA": { +       "subsectionnameA1":{ +            "settingnameA11":"settingA11value", +            "settingnameA12":"settingA12value" +       }, +       "settingnameA2": "settingvalueA2", +        }, +   "sectionB": { +       "settingnameB1": "settingB1value", +       "settingnameB2": "settingB2value" +   } +} +``` + +In Integrated-agent mode, agent configuration is written to the Server's `appsettings.json` file. +See the [ Overview ](/docs/identitymanager/6.2/identitymanager/installation-guide/overview/index.md) topic for additional information. + +#### Reminder + +The backslash character `\` is an escape character in a JSON file. An error will appear when parsing +the JSON file if the backslash is followed by a non-escapable character. To use a backslash in a +string, it must be escaped by another backslash. + +In this example, the value for the attribute Password will be parsed as ``: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Password": "" +} +``` + +### Environment variables + +Alternatively, settings can be stored as environment variables on Identity Manager's host system. + +Each setting value is stored as the value of an environment variable whose name is the concatenation +of all the ancestor sections and the setting name separated by **\_\_** (two underscores). + +Here is an example showing how to construct a setting environment variable name from its matching +`json` file. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Scheduler": { +        "Enabled": true, +        "LockFilePath": "../Temp/scheduler.lock" +    }, +    "Swagger": { +        "Enabled": true +    } +} +``` + +The name becomes Scheduler**Enabled, Scheduler**LockFilePath and Swagger\_\_Enabled. + +## Manage Several Environments + +How to manage several network environments. + +### Using files + +Every setting value can be overwritten to fit a specific environment. + +The environment within which Identity Manager runs is set by the system environment variable +ASPNETCORE_ENVIRONMENT. The default value is Production. Usual examples include Development, +Staging, and Production. + +To overwrite setting values for a specific environment, one can write environment-specific +configuration files. + +For every `appsettings..json` file, an `appsettings...json` can be created +where `` is the name of the relevant environment matching the ASPNETCORE_ENVIRONMENT +value. + +The `appsettings...json` file has the exact same section/attribute/subsection +shape as the main appsettings file. + +Identity Manager's configuration will be the result of merging both files. + +Should a setting be written in both files, Identity Manager will use the +`appsettings...json` value. + +Leveraging this priority mechanism is how one can override a setting value to match a particular +environment. Another mechanism can be used: using environment variables. + +### Using environment variables + +Setting values can also be stored as environment variables on Identity Manager's host system. +Environment-variables-stored setting values have priority over json-file-stored setting values. Here +is how to use this mechanism to handle multiple environments. + +In the web.config file, an `` element in the node +`` is used to set a setting value +for the application. 
+ +### Configuration stages + +Configuration encompasses: + +- The Server configuration with a connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +- The Agent configuration with a connection to the managed systems. See the + [Agent Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md)topic for additional information. +- The Logger configuration. See the [Monitoring](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md)topic for additional + information. diff --git a/docs/usercube/6.2/usercube/integration-guide/network-configuration/password-management/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/password-management/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/network-configuration/password-management/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/password-management/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/proxy/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/proxy/index.md new file mode 100644 index 0000000000..0ebb4709e7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/proxy/index.md 
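Review bot: In network-configuration/index.md the angle-bracket placeholders have been lost, so several passages under "Reminder", "Using files" and "Using environment variables" no longer say anything: `appsettings..json` and `appsettings...json`, "where `` is the name of the relevant environment", "an `` element in the node ``", and the backslash example, whose value is now `"Password": ""` and which "will be parsed as ``". Restore the placeholders (escaped so the renderer keeps them) and the escaped-backslash sample. In "Environment variables", "Scheduler**Enabled, Scheduler**LockFilePath" has had its double underscores consumed as bold markers; put the three names in backticks as `Scheduler__Enabled`, `Scheduler__LockFilePath` and `Swagger__Enabled`. `settings.example.json` has a trailing comma after `"settingnameA2": "settingvalueA2"`, which is not valid JSON, and the `<>` sentence above it does not apply because the block contains no such attributes.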
@@ -0,0 +1,228 @@ +# Proxy Server + +Identity Manager server or agent can be configured to go through a proxy server to access internal +or external web resources. + +## Introduction + +A Identity Manager agent often needs to access internal or external systems using the HTTP protocol. +It may easily be configured to use a proxy server through which all or part of the HTTP traffic will +be routed. + +## Proxy Related Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables: + +- `HTTPS_PROXY`: the proxy server used on HTTPS requests. +- `NO_PROXY`: a comma-separated list of hostnames that should be excluded from proxying. + +The dotnet environment does not rely on the OS-wide proxy configuration. It is mandatory to use the +above-mentioned environment variables to configure the proxy. + +### HTTPS_PROXY + +The `HTTPS_PROXY` environment variable may be the hostname or IP address, optionally followed by a +colon and port number, or it may be an http URL, optionally including a username and password for +[ Proxy Server ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/proxy/index.md)authentication. + +The URL must start with `http`, **not https**, and cannot include any text after the hostname, IP, +or port. + +This example shows various ways to properly configure a proxy server using Powershell: + +``` + +# A hostname with port (recommended syntax) +$env:HTTPS_PROXY="proxy.contoso.com:6060" +# A hostname without port +$env:HTTPS_PROXY="proxy.contoso.com" +# An IP address with port +$env:HTTPS_PROXY="10.65.1.1:6060" +# A URL with port: +# Warning: Even if we want to route HTTPS traffic, we MUST give a URL with http scheme. +# Warning: Do not add trailing slash. +$env:HTTPS_PROXY="http://proxy.contoso.com:6060" + +``` + +We recommend using the `:` syntax since it is not misleading. 
We discourage using +the `http://:` syntax since it is not intuitive to indicate the `http` scheme to +route `https` traffic. However, if you decide to use this syntax, do not forget to include a comment +stating that `http` scheme is mandatory at the configuration level, even if it will not be used at +runtime. + +#### Do not do + +This example shows the wrong ways to initialize the `HTTPS_PROXY` environment variable. The +environment variable will be **silently ignored** and the traffic will not be routed through the +proxy. + +``` + +# WRONG: A URL with https scheme +$env:HTTPS_PROXY="https://proxy.contoso.com:6060" +# WRONG: A URL with text after the port number +$env:HTTPS_PROXY="http://proxy.contoso.com:6060/" +# WRONG: A URL with text after the hostname +$env:HTTPS_PROXY="http://proxy.contoso.com/" + +``` + +#### Authenticated proxy + +When the proxy server needs the user to be authenticated, the `HTTPS_PROXY` environment variable can +include the username and password as follows: + +``` + +# A URL to authenticate to the proxy with login=mylogin and password=mypassword +$env:HTTPS_PROXY="http://mylogin:mypassword@proxy.contoso.com:6060" + +``` + +### NO_PROXY + +The `NO_PROXY` environment variable is a comma-separated list of hostnames that should be excluded +from proxying. To exclude all subdomains ("wildcard" exclusion), domains in the `NO_PROXY` list need +to be prefixed with a dot (`.`), which is standard, but not particularly well documented. 
**Do not +use the star (`*`) prefix !!!** + +This example shows various ways to exclude domains from proxying: + +``` + +# Exclude only www.google.com: +# www.google.com: will not go through the proxy +# maps.google.com: will go through the proxy +$env:NO_PROXY="www.google.com" +# Exclude only www.google.com and www.microsoft.com: +$env:NO_PROXY="www.google.com,www.microsoft.com" +# Exclude all google.com and all microsoft.com subdomains: +# Do not prepend the domain name with a '*' +# www.google.com: will not go through the proxy +# maps.google.com: will not go through the proxy +# www.microsoft.com: will not go through the proxy +$env:NO_PROXY=".google.com,.microsoft.com" + +``` + +#### Do not do + +This example shows the wrong ways to initialize the `NO_PROXY` environment variable. + +``` + +# WRONG: starting with '*' to indicate a wildcard exclusion +# Only the domain exactly named *.contoso.com will be excluded from proxying, +# which means there is no exclusion configured. +$env:NO_PROXY="*.contoso.com" + +``` + +## Where to Define Proxy Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables, they can be +defined in various places according to the practices in place in your organization: + +- At OS level +- At user level: for the user running the Identity Manager server or agent +- At IIS level: in the application `web.config` file + +Note that when creating an environment variable in IIS `web.config` file, all child processes +created by the IIS application will inherit from this environment variables. For example, while +running the Identity Manager agent all tasks started by the agent will inherit the proxy environment +variables. + +This example shows how to configure the proxy in the IIS `web.config` file: + +``` + + + + ... + + +``` + +## Testing the Proxy Configuration + +To test the proxy configuration for the dotnet environment, it is advised to use Powershell 5 or +Powershell Core. 
+ +In the following examples, you may adapt the proxy hostname/port and the URL to test. + +### Using Powershell 5 + +To test that a Identity Manager agent using a proxy server can reach the Identity Manager server: Go +to the `/Runtime` directory. + +``` + +$env:HTTPS_PROXY="proxy.contoso.com" +./identitymanager-Invoke-Job.exe --api-url https://contoso.usercube.com/ --api-client-id Job --api-secret secret -j UnknownJob + +# Given the credentials are valid, you should get an exception as follows: +# ---> System.Exception: Job: UnknownJob is not found +# This exception shows that the server has been reached and that the job identifier is not known. +# The proxy is properly configured !!! + +``` + +**Do not use** Invoke-WebRequest or Test-NetConnection to test the proxy configuration. In +Powershell 5, these tools are using a different network stack from dotnet environment and are using +the OS-wide proxy settings. They will ignore the `HTTPS_PROXY` environment variable + +### Using Powershell Core + +Powershell Core is based on the same network stack as dotnet environment. The proxy configuration +can be tested using the Invoke-WebRequest and Test-NetConnection tools. If tests are successful +using Invoke-WebRequest, they will be successful too if the same environment variables are provided +to the Identity Manager server or agent. + +Powershell Core will only take the `HTTPS_PROXY` environment variable into account if it was created +before the Powershell Core process was started. + +``` + +# Create the environment variable in this Powershell Core process. +# This variable will not alter the proxy configuration of this process. +$env:HTTPS_PROXY="proxy.contoso.com" +# Start a child Powershell Core process which will inherit from the HTTPS_PROXY environment variable. +# This variable will alter the proxy configuration of this child process. 
+pwsh +Invoke-WebRequest https://contoso.usercube.com/ +# The result should display an HTTP 200 response from the Usercube server. + +# Go back to the parent Powershell parent process. +exit + +``` + +### Known errors when proxy is not properly configured + +When the proxy environment variables does not match the expected format, they will be **silently** +ignored. + +- If `HTTPS_PROXY` is ignored, the network stack will try to directly access public URL's without + going through the proxy. +- If `NO_PROXY` is ignored, the internal traffic will be routed through the proxy. + +When testing the proxy configuration, if you get one of the following error message: + +- ` No such host is known.` +- `H�te inconnu` + +It means that the `HTTPS_PROXY` is not set or does not match the expected format. The HTTP client +tries to directly resolve the public hostname instead of resolving the proxy hostname. + +Review the `HTTPS_PROXY` value, check that it does not: + +- use the `https` scheme +- include trailing slashes or characters after the hostname:port + +## Reference Documentation + +- [HttpClient.DefaultProxy](https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.defaultproxy?view=net-8.0&viewFallbackFrom=netcore-8.0#httpclientdefaultproxy): + reference for environment variables. +- NO_PROXY: [unofficial documentation](https://stackoverflow.com/a/62663469) for wildcard domain + exclusion diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md new file mode 100644 index 0000000000..ba830873b7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md 
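Review bot: In proxy/index.md, the "Authenticated proxy" example places the proxy login and password in `HTTPS_PROXY`, and "Where to Define Proxy Environment Variables" then states that variables set in the IIS `web.config` are inherited by every child process and agent task. The page should say that the credential is therefore stored in clear text wherever the variable is defined and is readable by all of those processes, and should advise a dedicated proxy account with no other rights. The `web.config` example that follows is empty apart from `...`, so its XML needs restoring. The Powershell 5 test passes `--api-secret secret` on the command line and calls `./identitymanager-Invoke-Job.exe` against `https://contoso.usercube.com/`; confirm the executable name after the rename. `H�te inconnu` is a mis-encoded `Hôte inconnu`, and the sentence ending "They will ignore the `HTTPS_PROXY` environment variable" lacks its full stop.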
@@ -0,0 +1,83 @@ +# Connection to the Database + +The connection of Identity Manager's server to the database is set through the `appsettings` +top-level `ConnectionString` and the `AzureCredentials` attributes: + +| Name | Details | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Identification token used to retrieve the connection information for the server to access Identity Manager's database in SQL Server. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. **Example**`{ � "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| ConnectionStringGovernor required | **Type** String **Description** Identification token used to retrieve the connection information to SQL Server Resource Governor which is a feature used to manage SQL Server's workload and system resource consumption. 
**Info:** Resource Governor enables specifying limits on the amount of CPU, physical I/O, and memory that incoming application requests can use. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. **Note:** all tasks and jobs use this connection string, when specified. **Example**`{ � "ConnectionStringGovernor": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| AzureCredentials required | **Type** Azure Credentials **Description** Settings used with the `ConnectionString` to access the database in SQL Server, hosted on Microsoft Entra ID (formerly Microsoft Azure AD). | + +## AzureCredentials + +The database can be accessed one of two ways: + +- either by specifying `User Id` and `password` keywords directly in the connection string: + + > For example: + > + > ``` + > + > "ConnectionString": "data source=.;Database=UsercubeContoso;User + > Id=UsercubeServerContoso;Password=myPassword;Min Pool Size=10;encrypt=false;" + > + > ``` + > + > ``` + +- or, to avoid exposing the `User Id` and `password` in a connection string sent through the + network, by using the built-in Microsoft Entra ID authentication method: + + > For example: + > + > ``` + > + > "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial + > Catalog=;Persist Security + > Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;" + > + > ``` + > + > ``` + +[See Microsoft's documentation for more details about authentication methods](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) + +> The following example authenticates with ClientId and ClientSecret: +> +> ``` +> +> appsettings.json +> +> { ... 
"ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "ClientSecret": "" } } +> +> ``` +> +> ``` + +> The following example authenticates with a pfx-stored public key certificate (password-protected +> pfx archive): +> +> ``` +> +> appsettings.json +> +> { ... "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "EncryptionCertificate": { "File": "", +> "Password": "" } } } +> +> ``` +> +> ``` + +| Name | Details | +| -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ClientId optional | **Type** String **Description** Client ID obtained from Microsoft Entra ID when [registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. | +| AADTenantId optional | **Type** String **Description** Microsoft Entra ID's tenant identifier obtained when [registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. **Note:** remember to set Identity Manager as owner of the targeted database when registering Identity Manager as an application in Microsoft Entra ID. 
| +| ClientSecret optional | **Type** String **Description** Microsoft Entra ID's client secret used by Identity Manager to authenticate.**Note:** used only if `EncryptionCertificate` is not specified. | +| EncryptionCertificate required, if ClientSecret is not defined | **Type** Encryption Certificate **Description** Location of the certificate used by Identity Manager to authenticate, instead of the `ClientSecret`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md new file mode 100644 index 0000000000..5cb722b9a3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md 
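Review bot: In database-connection/index.md, the three `data source=.` example connection strings all set `encrypt=false`, including the one that carries `User Id=UsercubeServerContoso;Password=myPassword`; either show `Encrypt=True` as the Entra ID examples do, or say when disabling encryption is acceptable. The Entra ID examples have lost their placeholders (`Server=tcp:.database.windows.net,1433;Initial Catalog=;` and empty `ClientId`, `AADTenantId`, `ClientSecret`, `File`, `Password`), and each blockquote ends with a stray empty code fence. The first table marks `ConnectionStringGovernor` and `AzureCredentials` as required while the text treats both as optional ("when specified", "one of two ways"). "Hosted on Microsoft Entra ID" should describe authentication through Microsoft Entra ID, which is how the AzureCredentials section presents it. The `�` in both **Example** cells is an encoding artifact.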
@@ -0,0 +1,1028 @@ +# End-User Authentication + +## Overview + +Before end-users can connect to Identity Manager through the UI, they will have to authenticate. + +Identity Manager supports seven authentication methods organized into two categories: Internal +methods and External methods. + +It is highly recommended that you use an External method. Internal methods are mostly used for +debug, test and development purposes. + +Internal methods + +The Internal methods use Identity Manager Server's internal authentication server. They rely on one +of these Identity Server User Stores: + +- Test User Store, used in development environments. +- Active Directory User Store, using an Active Directory to authenticate. + +External methods + +External methods use external authentication providers. + +Identity Manager supports five types of external authentication providers of which four are based on +different flavors of the OAuth 2.0 protocol, and the last one is integrated with Windows. + +The types of authentication providers supported by Identity Manager are: + +- [OpenIdConnect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication) + +Using more than one provider + +For each authentication method, one or several authentication providers can be set up. If several +authentication providers are set up, end-users will be prompted to choose their preferred method of +authentication. 
+ +Internal method & test mode form: + +![authent_1](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp) + +External method prompt: + +![authent_2](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp) + +## Identity Server RSA Key Pair + +A public key certificate and a private key are used to handle encrypted communication with external +authentication providers. This is used, for example, by the Identity Manager Server to retrieve the +provider's signing key. It is mandatory to validate JWT tokens in an OAuth-flavor scenario. + +This information can be set one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called `.pfx` file) stored in + the Agent's host file system. The archive contains both the public key certificate and the private + key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +### PFX file + +The archive is set using the following attributes on the appsettings > IdentityServer section: + +- X509KeyFilePath is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the + Agent's host file system. +- X509KeyFilePassword (optional) is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive + password. + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + "": { + "X509KeyFilePath":C:/UsercubeAgentContoso/contoso.pfx", + "X509KeyFilePassword": "oarjr6r9f00" + } + +``` + +### Certificate + +The certificate from a Windows certificate store is set up using these attributes on the +appsettings > IdentityServer section: + +| Name | Description | +| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| X509SubjectDistinguishedName optional (if Thumbprint is non-empty) | Sets the store certificate's SubjectDistinguishedName. | +| X509Thumbprint optional (if DistinguishedName is non-empty) | Sets the store certificate's Thumbprint. | +| X509StoreLocation required | Sets the Relevant Windows certificate store's location: `LocalMachine` or `CurrentUser`. | +| X509StoreName required | Sets the relevant Windows certificate store's name. | + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"": { + "X509SubjectDistinguishedName":"", + "X509StoreLocation": "", + "X509StoreName": "" +} + +``` + +**NOTE:** Identity Manager Server won't start if the +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive set up during this step is identical to +the one provided with the SDK. Users must provide their own certificate. Self-signed certificates +are accepted as valid. See +the[Install the Server](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/server/index.md)topic for +additional information. + +## Configuration Section Description + +Authentication is set up using the following two sections of the Server's appsettings set: + +- IdentityServer +- Authentication + +``` +{ + "IdentityServer":{ + ... + }, + "Authentication":{ + ... 
+ } +} + +``` + +The authentication section mostly fits the following pattern: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ + :{ + :{ + ... + }, + ...., + :{ + ... + }, + }, + :{ + :{ + ... + }, + ...., + :{ + ... + }, + } +} + +``` + +Several authentication providers can be defined (here above, `` to +``), using one or several authentication protocols (here above, +`` and ``). + +Most of the authentication providers need the user to choose an AuthenticationScheme. It is a string +that will be used to uniquely identify this authentication method in Identity Manager. Its goal is +to enable Identity Manager's testers to identify which authentication method is used in the logs or +in the code, with a mnemonic name. Any name can be used as long as all AuthenticationSchemes are +different. + +**NOTE:** This guide doesn't cover how to set up authorizations within Identity Manager. +Authorization for an end-user to access Identity Manager resources relies on assigning roles to +profiles. Identity credentials used for authentication must be linked to these profiles in the +applicative configuration. See the [Various XML Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/settings/index.md)topic for +additional information. + +Authentication-related settings are done through the following sections of the appsettings set: + +- IdentityServer +- Authentication + +See the[Architecture](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md)topic for additional information. + +### Identity Server + +This is the general-purpose authentication settings section. 
+ +The Identity Server section allows the following attributes: + +| Name | Type | Description | +| ------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------ | +| Enabled (default value: true) | Boolean | Enables or disables the Identity Server. | +| AllowWindowsAuthentication (default value: false) | Boolean | Allows Windows authentication. Will work only when the Active Directory User Store is enabled. | +| ShowPII (default value: false) | Boolean | Sets whether or not PII is shown in logs. For security reasons, this setting should be used sparingly. | +| ValidationKeys (optional) | String Array | Allows the definition of public certificate paths for token validation. | +| IssuerURI (optional) | String | Sets the unique name of this server instance. | +| PostLogoutRedirectUri (optional) | String | Sets a specific URI to which the user will be redirected after a successful logout. | +| PublicOrigin (optional) | String | Sets the origin name for this Identity Manager Server instance. Useful if end-users authenticate through a proxy server. | +| X509File (required) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the Agent's host file system. | +| X509KeyFilePassword (optional) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | +| X509SubjectDistinguishedName (optional) | String | Sets the store certificate's SubjectDistinguishedName. | +| X509Thumbprint (optional) | String | Sets the store certificate's Thumbprint. | +| X509StoreLocation (required) | String | Sets the relevant Windows certificate store's location. | +| X509StoreName (required) | String | Sets the relevant Windows certificate store's name. | + +### Authentication + +This section contains specific settings for each configuration method. 
+ +At the root, the following properties can be used: + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------ | +| Enabled default value: true | Boolean | Enables or disables authentication. | +| RequireHttpsMetadata default value: true | Boolean | Specifies whether HTTPS is required for the discovery endpoint. | +| AllowLocalLogin required | Boolean | If `true`, a Login Form replaces Windows Authentication. | +| CookieLifeTime default value: 8 | Int | Maximum duration (in hours) after which the session expires automatically. | +| LifeTimeSliding default value: 10 | Int | Duration (in minutes) after which the session expires automatically, if no action is taken during this time. | + +Then, a subsection for every authentication method is used. Supported subsections are: + +- OpenId +- OAuth +- WsFederation +- SAML2 +- ActiveDirectoryUserStore +- TestUserStore + +## Set Up Integrated Windows Authentication (IWA) + +This authentication method can be used to authenticate users within an Active Directory domain using +their respective domain account. + +This authentication is silent: when an end-user tries to access Identity Manager, the browser +retrieves identity credentials from the Windows session where the user is logged in and sends them +to the domain controller for authentication. The domain controller confirms the user's identity and +validates it for Identity Manager. The end-user doesn't have to input any credentials. + +**NOTE:** If Integrated Windows Authentication is used, internal methods have to be disabled with +the `"AllowLocalLogin":false` setting. + +### Requirements + +Setting up this authentication method requires the following: + +- Identity Manager runs as an [Internet Information Services (IIS)](https://www.iis.net/) website. 
+- Windows Authentication is + [enabled on Windows server](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016). +- Windows Authentication is + [enabled for the Usercube IIS ](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#enabled-for-the-usercube-iis)[enabled for the Usercube IIS website](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#enabled-for-the-usercube-iis-website) + website. + +### Configuration + +Integrated Windows Authentication is configured using the following sections: + +1. Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`. +2. Set the **Authentication** > **AllowLocalLogin** attribute to `false`. + +> The following example sets up Windows Authentication. Windows Server and IIS requirements have +> been checked. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> appsettings.json +> +> ``` +> ... +> "":{ +> "AllowWindowsAuthentication":"", +> }, +> "":{ +> "AllowLocalLogin":"", +> } +> ... +> +> ``` + +## Set Up an OpenID Connect Provider + +One or several OpenID Connect authentication providers can be set up under the Authentication \> +OpenId section. + +Multiple providers + +One or several OpenID Connect authentication providers can be set up. + +Registration process + +Using an OpenID Connect authentication requires the Identity Manager Server to be registered to the +provider. A ClientID and a ClientSecret are issued as a result of the registration process. They +both allow Identity Manager to identify itself to the authentication provider. 
+[](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)[See an example](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings) +of how to register Identity Manager to an Microsoft Entra ID (formerly Microsoft Azure AD) used as +OpenID Connect provider. + +Callback URL + +The target OpenID Connect provider needs to be aware of the URI where to send the authentication +token if the authentication succeeds. Depending on the provider, it is called a callback URL, a +callback path, an authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. + +Identity Manager's callback URL for OpenID Connect is `<`usercube-server-address>/signin-oidc where +`` is the address of your Identity ManagerServer such as +https://usercube.contoso.com. + +Authority + +An OpenID Connect provider is identified by its Authority, according to the +[OpenID](https://openid.net/connect/)Connect specifications. + +NameClaimType + +To authorize an end-user, Identity Manager Server retrieves a specific claim (a key-value pair, +transmitted through the OIDC-issued JWT token) returned by the provider and looks for a resource +that matches this claim's value. The comparison is carried out according to the resource and +property set as the end-user's identity in the applicative configuration. See the +[Select User by Identity Query Handler Setting](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md) + +The name of the claim that is retrieved for this purpose defaults to `sub` which is one of the +standard +[Claim names for the OpenID Connect protocol](https://openid.net/specs/openid-connect-core-1_0.html#claim-names-for-the-openid-connect-protocol). +However, some providers might not fill the `sub` value with meaningful data, or use non-standard +Claim names. 
+ +For this reason, the name of the claim that is retrieved by Identity Manager for authorization +purposes can be set up according to the provider's specifics. + +**NOTE:** Users should be able to get a list of the claim names used by their authentication +providers from their providers' portal website, documentation or administrators. + +For example, the following claim provides no meaningful `sub` value. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + "name": "", + "preferred_username": "", + "sub": "<11v7ert42azerttyZD6d4>" +} + +``` + +Using the following applicative configuration setting that sets `Ad_Entry:userPrincipalName` as the +value to be matched against a claim in order to identify a user's profile, the `preferred_username` +NameClaimType should be used. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +``` + +### Configuration + +First, the OpenID Connect method must be enabled. + +Under the OpenId section: + +| Name | Type | Description | +| ---------------- | ------- | ------------------------------------------ | +| Enabled required | Boolean | Enables or disables the OpenId connection. | + +For each OpenID Connect provider to integrate, a new section is added under the OpenID subsection. +Any section name can be used. This section name is only used as a means for the user to find the +authentication method in the configuration files. 
+ +Under the new subsection, the following parameters are used to configure the authentication method: + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | String | Is the Client ID issued during the registration of Identity Manager to the chosen OpenID Connect provider. | +| ClientSecret required | String | Is the Client Secret issued during the registration of Identity Manager to the chosen OpenID Connect provider. | +| Authority required | String | This URL identifies the OpenID Connect provider for Identity Manager according to the [OpenID Connect specifications](https://openid.net/connect/). It can be retrieved from the target OpenID Connect provider documentation. For example, [Microsoft's documentation ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)indicates the Microsoft Identity Platform OpenID Connect[ ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)authority. | +| NameClaimType optional | String | Sets the type of the claim that will be retrieved by Identity Manager to identify the end-user. 
The retrieved claim will be compared against the resource and property set as the end-user's identity in the applicative configuration. See the [ Select User by Identity Query Handler Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md)topic for additional information. | +| Scopes optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). By default, the requested scopes are: openid, profile and email. | +| SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if authentication uses an Okta provider. See the [Configure Okta](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md)topic for additional information. | +| MetadataAddress optional | String | URL address of a copy of the metadata, used when the authority metadata cannot be accessed from the Identity Manager server, for example because of a firewall. | +| RequireHttpsMetadata default value: true | Boolean | By default the authority metadata must use HTTPS. Set to `false to use a simple HTTP metadata, in case a local copy of the metadata is used or for test environment. | +| ResponseMode optional | String | Response mode for OpenIdConnect. - Query - FormPost - Fragment [See OpenId documentation](https://openid.net/specs/openid-connect-core-1_0.html). | +| ResponseType optional | String | Response type for OpenIdConnect. - Code - CodeIdToken - CodeIdTokenToken - CodeToken - IdToken - IdTokenToken - None - Token See examples in the [OpenId documentation.](https://openid.net/specs/openid-connect-core-1_0.html#openid-documentation) | + +Example + +This example configures an OpenId Connect authority located at +[https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69](https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69). 
+ +This authentication provider is identified within the appsettings.json OpenId Connect providers list +as OpenId1. + +Within Identity Manager, it will be identified with the authentication scheme AzureOIDC. + +It will be displayed as Connection Microsoft Entra ID with OIDC protocol in the UI external login +prompt. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + "Authentication": + { + ... + "OpenId": { + "Enabled": "", + "OpenId1": { + "AuthenticationScheme": "", + "DisplayName": "", + "ClientId": "<6779ef20e75817b79602>", + "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>", + "Authority": "", + "NameClaimType": "", + "Scopes": ["", ""] + } + } + } +} + +``` + +## Set Up an OAuth Provider + +One or several OAuth authentication providers can be set up under the authentication > OAuth +section. + +Multiple providers + +One or several OAuth authentication providers can be set up. + +Registration process + +Using an OAuth authentication requires Identity Manager Server to be registered to the provider. A +ClientID and a ClientSecret are issued as a result of the registration process. They both allow +Identity Manager to identify itself to the authentication provider. + +#### Callback URL + +The target OAuth provider needs to be aware of the URI where to send the authentication token if the +authentication succeeds. Depending on the provider, it is called a callback URL, a callback path, an +authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. + +Identity Manager's callback URL for OAuth is `/` where +`` is the address of your Identity Manager Server such as +https://usercube.contoso.com and `` can be set up to any value chosen by the user +using the CallbackPath configuration attribute. 
The only constraint is to make sure the CallbackPath +value in Identity Manager's configuration is the same as in the OAuth provider registration screen +for Identity Manager. + +### Configuration + +First, the OAuth method must be enabled under the authentication > OAuth section. + +| Name | Type | Description | +| ---------------- | ------- | ----------------------------------------- | +| Enabled required | Boolean | Enables or disables the OAuth connection. | + +Then, users must create a new section per OAuth provider. Users are free to choose any section name. +Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Type | Description | +| ------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | String | Is the Client ID issued to Identity Manager during the registration process. | +| ClientSecret required | String | Is the Client Secret issued to Identity Manager during the registration process. | +| ClaimsIssuer required | String | Is a unique identifier that will mark claims issued by this OAuth provider for Identity Manager. 
This mark is used for debugging, monitoring, or security purposes in situations where multiple OAuth providers are involved. It's still useful if only one provider is used. Any string value can be used. Convention dictates that it is a URL shaped value such as `https://accounts.google.com`. | +| AuthorizationEndpoint required | String | Is the provider's Authorization Endpoint URI. This is where the end-user's browser is redirected to start the authentication process. Usually ends with /auth or /authorize. This information must be retrieved from the provider's portal. | +| TokenEndpoint required | String | Is the provider's Token Endpoint URI. This is where the client sends token requests, using an authorization code obtained during the authentication process. This information must be retrieved from the provider's portal. | +| CallbackPath required | String | Sets the callback path where the client is redirected after a successful authentication. Any string value can be used as long as it is reported to the provider during the registration process. | +| SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if authentication uses an Okta provider. See the [Configure Okta](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md)topic for additional information. | +| Scope optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). | + +Example + +The following example configures an OAuth-based authentication provider identified as +OAuthContoso_Washington in the configuration file. + +It will be displayed as Contoso OAuth Washington in the UI external login prompt, and uniquely +identified within Identity Manager by the authentication scheme contoso_0987. + +Identity Manager Server marks received claims using +[https://accounts.google.com](https://accounts.google.com) as a claim issuer identifier. 
+ +/signin-oauth has been chosen as CallbackPath and set up as such in the OAuth provider's portal +during Identity Manager's registration. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + "Authentication": + { + ... + "OAuth": { + "Enabled": "", + "OAuthContoso_Washington": { + "AuthenticationScheme": "", + "DisplayName": "", + "ClientId": "<6779ef20e75817b79602>", + "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>", + "ClaimsIssuer": "", + "AuthorizationEndpoint": "", + "TokenEndpoint": "", + "CallbackPath": "", + "Scopes": ["", ""] + } + } + } +} + +``` + +## Set Up a WS-Federation Provider + +One or several WS-Federation authentication providers can be set up under the authentication > +WsFederation subsection. Examples of WS-Federation providers include Active Directory Federation +Services (ADFS) and Microsoft Entra ID (AAD). + +Multiple providers + +One or several WS-Federation authentication providers can be set up. + +Registration process + +Using a WS-Federation authentication requires Identity ManagerServer to be registered to the +provider. A Wtrealm value is set up during the registration process. The value can be generated by +the provider, or set manually as a URL-shaped string value. This allows Identity Manager to identify +itself to the authentication provider. Here are two examples of registration process: + +- with an + [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services) + provider +- with an + [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) + provider + +Callback URL + +The target WS-Federation provider needs to be aware of the URI where to send the authentication +token if the authentication succeeds. 
Depending on the provider, it is called a callback URL, a +callback path, an authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. + +Identity Manager's callback URL for WS-Federation is +`/signin-wsfed` where `` is the address of +your Identity Manager Server such as `https://usercube.contoso.com`. + +Encryption algorithm + +The nature of the encryption algorithm used for exchanging the sign-in key with the provider is +automatically negotiated between Identity Manager Server and the authentication server. The most +secure algorithm that both systems support is chosen. + +### Configuration + +First, the WS-Federation must be enabled under the authentication > WsFederation section: + +| Name | Type | Description | +| ---------------- | ------- | --------------------------------------------------------- | +| Enabled required | Boolean | Enables or disables the **WS-Federation** authentication. | + +Then, users must create a new subsection per **WS-Federation** provider. They are free to choose any +section name. Its sole purpose is for users to find the authentication method in the configuration +files. 
+ +Each section is configured with the following settings: + +| Name | Description | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| MetadataAddress required | Identifies, for Identity Manager, the target **WS-Federation** server's metadata. This information is to be retrieved from the app registration process or directly from the **WS-Federation** provider. The value commonly ends with the path `/`FederationMetadata/2007-06/FederationMetadata.xml. 
- For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is `https:///federationmetadata/2007-06/federationmetadata.xml` with `` the name of your ADFS server such portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), it is also known as **Federation Metadata Document**. It is available in Identity Manager's registered app _blade_, in the _endpoint_ panel, _Federation Metadata Document_ value. It looks like https://bbd35166-7c13-49f3-8041-9551f2847b69/FederationMetadata/2007-06/FederationMetadata.xml with bbd35166-7c13-49f3-8041-9551f2847b69 Microsoft Entra ID tenant id. | +| Wtrealm required | Identifies the Identity Manager app within the **WS-Federation** provider. This information is available directly at the authentication provider's portal. It is chosen during the registration process. - For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is the value set as the relying party WS-Federation Passive protocol URL parameter during the [registration](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#registration) of Identity Manager to the ADFS server. It usually looks like an URL such as https://portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), this is the Application ID URI. It is available from Identity Manager's registered app blade > Expose an API \> APP ID URI. 
It has been either chosen by the user or generated by the [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) provider during the Expose an API \> set \> save step of the registration. Generated values look like api://bbd35166-7c13-49f3-8041-9551f2847b69. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| AuthenticationScheme required | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | + +Example + +This example configures a WS-Federation-based authentication provider identified as +WsFederationContoso_LA in the configuration file. + +Within Identity Manager, it will be identified with the authentication scheme WsFederationAAD. + +It will be displayed as _Connection Microsoft Entra ID with WS-Federation protocol_ in the UI +external login prompt. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + "Authentication": + { + ... + "WsFederation": { + "Enabled": "", + "WsFederationContoso_LA": { + "AuthenticationScheme": "", + "DisplayName": "", + "MetadataAddress": "", + "Wtrealm": "" + } + } + } +} +``` + +## Set Up SAML2 Authentication + +One or several **SAML2** authentication providers can be set up under the authentication > SAML2 +section. + +Identity Manager does not provide a signature for SAML2 authentication. + +Multiple providers + +One or several **SAML2** authentication providers can be set up. + +Registration process + +Using a **SAML2** authentication requires Identity Manager Server to be registered to the provider. +An **Entity ID URI** value is set up for Identity Manager during the registration process. 
It is +used as the prefix for scopes and as the value of the audience claim in access tokens. The value can +be generated by the provider, or set manually as a URL-shaped string value. This allows Identity +Manager to identify itself to the authentication provider. + +Reply URL + +The target **SAML2** provider needs to be aware of the URI where to send the authentication token if +the authentication succeeds. This URI is called **Reply URL** or **Assertion Consumer Service (ACS) +URL**. + +During the registration process, the provider will ask for the URL. + +Identity Manager's **Reply URL** for **SAML2** is `/Saml2/Acs` where +`` is the address of your Identity Manager Server such as +`https://usercube.contoso.com`. + +Make sure to enter this exact URL which is treated case sensitively. + +Configuration + +First, the SAML2 method must be enabled under the authentication > SAML2 section. + +| Name | Type | Description | +| ---------------- | ------- | ----------------------------------------- | +| Enabled required | Boolean | Enables or disables SAML2 Authentication. | + +Then, users must create a new subsection per SAML2 provider. Users are free to choose any section +name. Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Description | +| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MetaDataLocation required | Identifies, for Identity Manager, the target SAML2 server's metadata. This information is to be retrieved from the app registration process or directly from the SAML2 provider. The value commonly ends with the path /FederationMetadata/2007-06/FederationMetadata.xml. 
| +| IdentityProviderEntityID required | Is the Identity Provider Issuer (also known as provider Entity ID) that identifies the provider to Identity Manager. This information is to be retrieved from the provider's portal. For Microsoft Entra ID, it is the first line of metadata file. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| EntityIdAppliUriID required | Is Identity Manager's Entity ID issued during the registration process. Also referred to as an Identifier URI. For Microsoft Entra ID, it is set during the Expose an API > set > save step of the registration. Generated values look like `api://bbd35166-7c13-49f3-8041-9551f2847b69`. | +| NameIdFormat optional | Is the requested format of the subject's name identifier. | +| MinIncomingSigningAlgorithm optional | Is minimal signing algorithm to validate SAML2 response. | +| EncryptionCertificate optional | Sets the location of the public key certificate and the private key used to handle input and output files encryption. **NOTE:** This is required to enable logout. | + +> This example configures a SAML2-based authentication provider identified as SAMLConnection in the +> configuration file. +> +> It will be displayed as Connection Azure ActiveDirectory with SAML2 protocol in the UI external +> login prompt. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> { +> "Authentication": +> { +> ... +> "SAML2": { +> "Enabled": true, +> "SAMLConnection": { +> "DisplayName": "", +> "EntityIdAppliUriID": "", +> "MetaDataLocation": "", +> "": "", +> "EncryptionCertificate": { +> ... 
+> } +> } +> } +> } +> } +> ``` + +### Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information + Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both + the public key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +_Remember,_ Netwrix recommends using Windows' certificate store. + +On the other hand, the PFX file takes priority over Windows' certificate, which means that when +`File` is specified then the PFX certificate is used, even if the options for Windows' certificate +are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +_Remember,_ the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity +Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and +EncryptionCertificate are defined at the same level in the configuration file. + +#### As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + ... 
+ "EncryptionCertificate": { + "File": "", + "Password": "" + } +} +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the Identity Manager-Protect-CertificatePassword tool. See the +[Usercube-Protect-CertificatePasswor](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe[ ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md)tool. 
| + +#### As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { + ... + "EncryptionCertificate": { + "DistinguishedName":"", + "StoreLocation": "", + "StoreName": "" + } + } +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Description | +| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------------------- | +| DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. **NOTE:** This is required when Thumbprint is not specified. | +| Thumbprint (optional) | String | Thumbprint of the store certificate. **NOTE:** This is required when DistinguishedName is not specified. | +| StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName (required) | String | Name of the relevant Windows certificate store. | + +##### Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +_Remember,_ the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity +Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and +EncryptionCertificate are defined at the same level in the configuration file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + "Authentication": { + ... + "SAML2": { + "Enabled": true, + "": { + ... + "AzureKeyVault": { + "Vault": "", + "ConnectionString": "..." 
+ }, + "EncryptionCertificate": { + "CertificateAzureKeyVault": "" + } + } + } + } +} +``` + +## Set Up Internal Methods + +When Internal Methods is enabled, the end-user is prompted via a form to input a login and a +password. The login to be used is defined within the applicative configuration's Select User By +Identity Query Handler Setting element. See the [Various XML Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/settings/index.md) +topic for additional information. + +First, the AllowLocalLogin parameter needs to be set to true in the Authentication section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ + "AllowLocalLogin":true +} +``` + +Then, Active Directory User Store or Test User Store can be enabled. + +### Active Directory User Store + +The Active Directory User Store allows users to authenticate with a login and password that will be +compared against the Active Directory content. + +Several forests can be set up as identity providers for authentication. This allows, for example, +the authentication of users that belong to different Active Directory forests. + +It is configured under the Authentication \> ActiveDirectoryUserStore section. + +First, the ActiveDirectoryUserStore must be enabled. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ + "AllowLocalLogin":true, + "ActiveDirectoryUserStore": { + "Enabled": true + ... + } +} +``` + +| Name | Type | Description | +| ---------------- | ------- | ------------------------------------------------------------------ | +| Enabled required | Boolean | True to enable authentication via the Active Directory User Store. | + +In the same section, several authentication providers can be defined, each one based on an Active +Directory forest. 
+ +For each forest, a new section is added under ActiveDirectoryUserStore. Any name may be chosen for +the forest section as long as it is unique. Two forest sections can't be identical though. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"": { + "Enabled": true, + "Forest1": { + "AuthenticationScheme": "<...>", + "Server": "<...>", + ... + } +} +``` + +Under the new forest section, the following parameters are used to configure the authentication +method. + +> The following example sets a single authentication method, based on the Forest1 forest. The domain +> controller is located at 127.168.0.1. If the user enters the login MyLogin, the resulting logon +> will be CONTOSO\paris\MyLogin. The Postfix won't be used as a Prefix is already provided. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> "": { +> "Enabled": true, +> "Forest1": { +> "AuthenticationScheme": "", +> "Server": "<127.168.0.1>", +> "Domain": "", +> "Prefix": "", +> "Postfix": "" +> } +> } +> ``` +> +> In the following example, if the user enters the login MyLogin, the resulting logon will be +> MyLogin@Identity Manager.contoso. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> "": { +> "Enabled": true, +> "Forest1": { +> "AuthenticationScheme": "", +> "Server": "<127.168.0.1>", +> "Postfix": "" +> } +> } +> ``` +> +> The following example enables authentication via the Active Directory User Store, for the Forest1 +> forest,by checking not only the password and account activation, but also whether the password is +> expired. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. 
+> +> ``` +> "": { +> "Enabled": true, +> "Forest1": { +> "AuthenticationScheme": "", +> "Server": "<127.168.0.1>", +> "Domain": "", +> "FastBind": false +> ... +> } +> } +> ``` + +| Name | Type | Description | +| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| Server required | String | Identification of the domain controller that runs the Active Directory Domain Service against which the authentication is performed. Based on [Microsoft's documentation](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection?view=dotnet-plat-ext-8.0), the format is defined either: - by a domain name - by an LDAP server name - or a dotted string representing the IP address of the LDAP server/Domain Controller (example: 98.20.33.2). Optionally, this parameter may also include a port number, separated from the host by a colon (example: 98.20.33.2:4520). | +| Domain optional | String | Identification of the Active Directory domain or sub-domain against which the authentication will be performed. It is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Domain\login. The domain is used only if no postfix was provided. 
This parameter is ignored if the domain or the UPN suffix is already specified in the login. This is the case for a login that conforms to the format domain\login or login@domain.com. | +| FastBind default value: True | Boolean | True to check a user's credentials by verifying only the password and account activation. | +| NoSigning default value: true | Boolean | Enables or disables [Kerberos encryption](https://en.wikipedia.org/wiki/Kerberos_(protocol)). | +| Prefix optional | String | Is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Prefix\\login. The Postfix isn't used if the domain or the UPN suffix is already specified in the login. | +| Postfix optional | String | Is used to complete the user's login in a principal name fashion. The Postfix corresponds to the User Principal Name (UPN) suffix. The resulting logon will resemble login@Postfix. The Postfix isn't used if the domain or the UPN suffix is already specified in the login, or if the Prefix is already provided. | +| Ssl default value: false | Boolean | Enables or disables SSL for network communication between Identity Manager and the Active Directory. | + +### Test User Store + +A Test User Store can be set up under the authentication \> TestUserStore section. It allows all +users to authenticate with their login and the same password. + +_Remember,_ this should never be used in a production environment. + +The following parameters are available under the authentication \> TestUserStore section: + +| Name | Type | Description | +| ----------------- | ------- | --------------------------------------------------------------- | +| Enabled required | Boolean | Enables or disables the OpenId Connection. | +| Password required | String | Is the password for all users to authenticate Identity Manager. | + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +{ + "Authentication": + { + "AllowLocalLogin":true + ... + "": { + "Enabled": true, + "Password": "" + } + } +} +Here is an example using both `IdentityServer` and `Authentication` sections. +appsettings.json +{ + ... + "IdentityServer": { + "X509KeyFilePath": "<./UsercubeContoso.pfx>", + "X509KeyFilePassword": "" + }, + "Authentication": { + "RequireHttpsMetadata": false, + "TestUserStore": { + "Enabled": "", + "Password": "" + }, + "AllowLocalLogin": true + } + ... +} +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md new file mode 100644 index 0000000000..3f96cf0d6c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md 
@@ -0,0 +1,320 @@ +# Application Settings + +This section describes the settings available in the server's appsettings.json file, located in the +server's working directory or in environment variables. + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"": { + "Url": "" +} +``` + +As Identity Manager does not know any object named Identity ManagerAgent, its content will be +ignored, but it can still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + +| Name | Type | Description | +| ------------------------------------------------------------ | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri required | String | URI of the server to use in log messages, to communicate with the server in tasks, to allow certain redirect URIs. It must be the same as the agent's appsettings.json's ApplicationUri. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "ApplicationUri": "usercubeserver.contoso.com:5000" }` | +| EncryptionCertificate required | EncryptionCertificate | Settings to configure the encryption of specific files. | +| License | String | License key of the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "License": "{"LicensedTo":"","ValidTo":"<20120905>","IdentityQuota":"<10000>","Signature":"<...>"}" }` | +| Agents optional | Agent List | List of agents' settings used to work on several environments. See the [ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) topic for additional information. This way, each Agent's URI/URL is configured without altering the database. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "Agents": { ... "Local": { "Uri": "http://localhost:5010" }, ... } }` | +| AppDisplay optional | AppDisplay | Settings to override the application display XML configuration. See the [App Display Setting](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) topic for additional information. 
It is useful to change the application's theme and name without redeploying the whole configuration. | +| ApplicationInsights optional | ApplicationInsights | Settings to plug to and configure the [App Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| DataProtection optional | DataProtection | Settings to configure the encryption used for the authentication cookies and the anti-forgery tokens. The data protection can be configured to share the keys between several instances of Identity Manager's server, for example when deployed in a cluster where the servers do not have the same machine id. | +| DefaultPageSize optional | UInt | Default number of items returned when using squeries, if none specified in PageSize or in squery limit. | +| HstsPreload optionalAttribute default value: false | Boolean | Sets the preload parameter of the Strict-Transport-Security header. Preload is not part of the RFC specification, but is supported by web browsers to preload [HSTS](https://hstspreload.org/) sites on fresh install. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `
appsettings.json

{
...
"HstsPreload": true
}
` | +| InstallationDirectoryPath default value: Usercube-Server.exe | String | Path of the installation directory. It is used to read other configuration files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "InstallationDirectoryPath": "C://UsercubeContoso/Runtime" }` | +| MailSettings optional | String | Settings to configure the email service. | +| MaxActors default value: 20 maximum value: 50 | UInt | The maximum number of recipients who will be notified of the Workflow changes and can take action. If the number of recipients is exceeding the MaxRecipients value, then the actors will have the task assigned to them but they will not receive an email notification. In order for all actors to receive an email notification the MaxRecipients should be increased as well. | +| MaxPageSize optionalAttribute | UInt | It represents the maximum number of items returned when using squeries. | +| NotUseAgent default value: false | Boolean | True to disable the use of the agent. See the[ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "": true }` | +| OpenIdClients optional | OpenIdClient List | List of hashed secrets used to override the plain-text secrets from the OpenIdClient XML configuration. See the [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. This way, Identity Manager stores only hashed secrets, for security purposes. Each environment must have its own secret, distinct from the others. 
Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "OpenIdClients": { ... "Job": { "": "K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols" }, ... } }` | +| PowerBISettings optional | PowerBISettings | Settings to configure the API used by Power BI to access Identity Manager data. | +| Serilog optional | Serilog | Settings to configure the logging service, complying to the Logger properties and structure. See the [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "Serilog": { ... "WriteTo": [ "Console" ], ... "MinimumLevel": { ... "Override": { ... "Usercube": "Information" ... } ... } ... } }` | +| Swagger optional | Swagger | By enabling [Swagger ](https://swagger.io/tools/swagger-ui/)you can visualize and interact with the API's resources without having any of the implementation logic in place. It is automatically generated from Identity Manager's API, with the visual documentation making it easy for back-end implementation and client-side consumption. | +| TempFolderPath default value: ../Temp | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. 
- CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. This path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. This path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment These elements can be removed, but make sure to restart the server after doing so. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "" }` | +| WorkFolderPath default value: ../Work | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "" }` | + +## Swagger + +Swagger is set using the attribute below. 
+ +| Name | Type | Description | +| ---------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled required | Boolean | True to enable Swagger. Example: `appsettings.json { ... "Swagger": { ... "Enabled": false ... }, }` **NOTE:** We recommend setting this to false for production environments. | + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the Agent's host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. +- _Remember,_ Netwrix recommends using Windows' certificate store. A subject name can identify + multiple certificates in the same Certificate Store since the Subject Name needs not to be unique. + If there are multiple certificates identified by the subject name given in the appsettings, + Identity Manager will use the first one. However it is not possible to say exactly which + certificate will be loaded first. The thumprint is unique among the certificates so it can help + with for the certificate identification. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ + ... 
+ "EncryptionCertificate": { + "File": "", + "Password": "" + } + } + +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a .pfx file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. 
See the [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) topic for additional information. | + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { + ... + "EncryptionCertificate": { + "DistinguishedName":"", + "StoreLocation": "", + "StoreName": "" + } + } +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Description | +| -------------------------- | ------ | --------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | +| Thumbprint optional | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. | +| StoreLocation required | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName required | String | Name of the relevant Windows certificate store. | + +Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +"": { + "CertificateAzureKeyVault": "" +} +``` + +Disabling file encryption + +The encryption of specific files can be disabled via the following attribute: + +| Name | Type | Description | +| ------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| EncryptFile default value: true | Boolean | True to encrypt specific files such as logs or temporary files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json { ... "EncryptionCertificate": { ... "EncryptFile": false ... } }` | + +## Mail Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ + ... 
+ "MailSettings": { + "FromAddress": "", + "PickupDirectory": "", + "UseSpecifiedPickupDirectory": true, + "UseDefaultCredentials": false, + "SecureSocketOption": "" + } +} + +``` + +The mail settings details are: + +| Name | Type | Description | +| ------------------------------------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress required | String | Email address used as sender for Identity Manager's emails. | +| AllowedDomains optional | String | List of allowed domains, separated by `<;>`. | +| CatchAllAddress optional | String | Email address to be used as catchAll. | +| CatchAllCCAddress optional | String | Email address to be used as CC catchAll. | +| Enabled default value: true | Boolean | True to activate Identity Manager's email services. | +| EnableSsl default value: false | Boolean | DEPRECATED: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. 
To be used only when UseSpecifiedPickupDirectory is set to false. | +| MaxRecipients default value: 20 | String | The maximum number of recipients visible in the "To", "CC" and "BCC" fields. Any additional recipient will be deleted automatically. | +| SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. To be used only when UseSpecifiedPickupDirectory is set to false. | +| Host optional | String | Name or IP address of the host used for SMTP transactions. It is required when UseSpecifiedPickupDirectory is set to false. | +| Password optional | String | Password to be used with the user name as credentials. | +| PickupDirectory optional | String | Path of the folder where Identity Manager will save the email messages. It is useful and required when UseSpecifiedPickupDirectory is set to true. | +| Port optional | String | Port used for SMTP transactions. It is required when Host is defined. | +| UseDefaultCredentials default value: false | Boolean | True to use in requests the default credentials instead of those from UserName and Password here. | +| UserName optional | String | User name to be used with the user name as credentials. 
| +| UseSpecifiedPickupDirectory default value: false | Boolean | True to save email messages to the folder specified in PickupDirectory instead of sending them to their recipients through the host specified in Host. Required when Host is not defined. | + +## Application Insights + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +appsettings.json + +``` +{ + ... + "ApplicationInsights": { + "InstrumentationKey": "" + } +} + +``` + +The application insights details are: + +| Name | Type | Description | +| -------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See the Microsoft [Create an Application Insights resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource) article for information on creating an instrumentation key. | + +**NOTE:** The logs sent to AppInsights are configured through the Logger properties. See the +[Monitoring](/docs/identitymanager/6.2/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +## PowerBI Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +appsettings.json + +``` +{ + "PowerBISettings": { + "PageSize": 500 + }} + +``` + +The PowerBI Settings details are: + +| Name | Type | Description | +| ---------------------------- | ----- | --------------------------------------------------------- | +| PageSize default value: 1000 | Int32 | Size of the page containing the data returned by the API. | + +## Data Protection + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +appsettings.json + +``` +{ + "DataProtection": { + "KeysPath": "", + "X509KeyFilePath": "<../Usercube.pfx>", + "X509KeyFilePassword": "" + }, +} +``` + +The Data Protection details are: + +| Name | Type | Description | +| ---------------------------------------------- | ------ | ------------------------------------------------------------- | +| KeysPath default value: ../Work/DataProtection | String | Path of the location where the keys' descriptions are stored. | +| X509KeyFilePath optional | String | Path of the custom certificate used to protect the keys. | +| X509KeyFilePassword optional | String | Password of the custom certificate used to protect the keys. | + +## App Display + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +appsettings.json + +``` +{ + ... + "AppDisplay": { + "PrimaryColor": "<#01CDE9>", + "SecondaryColor": "<#EA6E1A>", + "BannerColor": "<#EA6E1A>", + "BannerTextColor": "<#ffffff>", + "ApplicationNamePrefix": "", + "ApplicationName": "" + }, + ... +} +``` + +The App Display details are: + +| Name | Type | Description | +| ------------------------------ | ------ | ----------------------------------------------------------------------------------------- | +| ApplicationName optional | String | Name of the application, visible on the application's tabs. 
| +| ApplicationNamePrefix optional | String | Prefix to be displayed before the application name. | +| BannerColor optional | String | HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerTextColor optional | String | HEX code of the color for the banner's text. | +| PrimaryColor optional | String | HEX code of the color for the highlighted buttons. | +| SecondaryColor optional | String | HEX code of the color for the background of the authentication screen. | + +See the +[App Display Setting](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md new file mode 100644 index 0000000000..3122d546da --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md 
@@ -0,0 +1,57 @@ +# Server Configuration + +Identity Manager Server's technical configuration includes settings on end-user authentication, +database connection and some general-purpose settings. + +## Configuration Files + +The Server configuration is included in the Server's appsettings set. + +The appsettings set content can be written to appsettings.json in the Server's working directory or +to environment variables. See the [ Architecture ](/docs/identitymanager/6.2/identitymanager/integration-guide/architecture/index.md) topic for additional +information. + +The server appsettings supported attributes and sections are described in the following sections: + +- Database Connection +- End-User Authentication +- General-Purpose Settings + +See the[ Connection to the Database ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md), +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) and +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topics for additional information. + +## Secret and Certificate Management + +All the certificates and secrets present in the settings can be loaded with an Azure Key Vault. + +See the [Azure Key Vault](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) topic for additional +information. + +## Default Configuration + +The default behavior of the server configuration is outlined through an example. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +{ +    "IdentityServer": { +        // Token signing certificate stored in a file +        "X509KeyFilePath": "<./UsercubeContoso.pfx>", +        // Optional certificate password +        "X509KeyFilePassword": "" +    }, +    "Authentication": { +        "RequireHttpsMetadata": false, +        "TestUserStore": { +            "Enabled": "", +            "Password": "" +        }, +        "AllowLocalLogin": true +    } +} + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..ccff52bfc1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md 
@@ -0,0 +1,60 @@ +# RSA Encryption + +Identity Manager provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Netwrix Identity Manager (formerly Usercube)'s tools: + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md)to + encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` file. Netwrix +Identity Manager (formerly Usercube) will read first the values from the encrypted appsettings file, +before reading those from the usual non-encrypted appsettings file. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings file and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings file without having to encrypt the whole file again. + +## Focus on the Encrypted Appsettings File + +The `appsettings.encrypted.json` file contains the `appsettings.json` file's sensitive setting +values which are protected by RSA encryption. + +This file follows the exact same structure as the [Server Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/index.md) files. + +### Read the Encrypted File + +Identity Manager can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. 
+ +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. + +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./Usercube.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/settings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/settings/index.md new file mode 100644 index 0000000000..e3fcb1131c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/settings/index.md 
@@ -0,0 +1,236 @@ +# Various XML Settings + +This section describes Identity Manager's +[ Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) available in the +applicative configuration. Those are mandatory. + +## ConfigurationVersion + +This setting is used to track the current configuration version. + +``` + + + +``` + +- **Version** defines the configuration version. +- **Description** describes this version in detail. +- **Misc** misc. + +## AppDisplay + +This setting is used to customize the application display. + +``` + + + +``` + +- **PrimaryColor** defines the primary color. +- **SecondaryColor** defines the secondary color. +- **BannerColor** defines the banner (header displaying logo and navigation bar) color. +- **BannerTextColor** defines the banner text color. +- **ApplicationName** defines the application name. +- **LogoFile** defines the logo path. Concerning the logo, for an ideal result, the following ratio + should be used: 5:1. +- **LogoMimeType** defines the logo mime type. +- **FaviconFile** defines the favicon path. +- **FaviconMimeType** defines the favicon mime type. +- **FullNameSeparator** defines the full name separator (default value is `�`). +- **DisableProvisioningCounters** disables the counters related to the provisioning screens (**Role + Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and + **Manual Provisioning** - default value is `false`). + +## CustomLinks + +This setting enables the configuration of custom links that let the user navigate to a custom static +HTML page. Only two CustomLinkSetting can be configured. + +The example below defines two custom links accessible through the URLs "_your-Identity +Manager-domain_/LegalNotice" and "your-Identity Manager-domain/TermsOfService", each showing the +content of the corresponding HTML file depending on the currently selected language. 
+ +``` + + + +``` + +- **Url\_**(required)\_ defines the url address from which to access the custom page. +- **Path*L1***(required)\_ defines the path (from the configuration root) to the HTML file to be + rendered depending on the currently selected language in the user interface (`Path_L1` to + `Path_L16` are available). Only `Path_L1` is required. While navigating to a custom link, if no + HTML path was defined for the current language, then `Path_L1` is taken as default. + +To be displayed correctly, images should be embedded in the HTML files as Base64 images using the +`src` attribute like this : ``. You can easily +convert your images using this [Base64 Image Encoder](https://elmah.io/tools/base64-image-encoder/). + +To navigate to the custom links from the user interface, NETWRIX recommends configuring a `MenuItem` +with a `URI` value matching the custom link `URL`. The following example defines two menu items, +accessible from the user account tab in the top right corner of the interface, that allows the user +to navigate to the defined URI addresses. + +``` + + + +``` + +![CustomLinksUserMenu.webp](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp) + +## DashboardItemNumber + +Some sections on the dashboard contain multiple links. These links are quick links with counters to +the review page filtered by entity type. The links are sorted by entity type priority. + +![DashboardItemNumber.webp](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp) + +By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is +displayed with the concatenation of remaining counters. + +This setting is used to customize the number of links to displayed on each section. + +The max number of links to display is 5. 
+ +``` + + + +``` + +- **RoleReviewSection** defines the number of links to display in the "Role Review" section. +- **ProvisioningReviewSection** defines the number of links to display in the "Provisioning Review" + section. +- **RoleReconciliationSection** defines the number of links to display in the "Role Reconciliation" + section. +- **ResourceReconciliationSection** defines the number of links to display in the "Resource + Reconciliation" section. +- **ManualProvisioningSection** defines the number of links to display in the "Manual Provisioning" + section. +- **MyTasksSection** defines the number of links to display in the "My Tasks" section. + +## SelectUserByIdentityQueryHandler + +_This attribute matches an end-user with a resource from the unified resource repository._ + +Authorization mechanisms within Identity Manager rely on assigning a +[ Profiles ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +to an identity-resource that stands for the end-user digital identity. + +To that end, and end-user authentication credentials are linked to such an identity-resource using +the following pattern: + +1. Authentication credentials are retrieved; +2. Authentication credentials are trimmed using the **AfterToken** and/or **BeforeToken** + attributes; +3. The trimmed result is matched against the **ResourceIdentityProperty** of resources with an + EntityType **OwnerEntityType**; +4. The matching resource found is used to find a profile and authorization for that digital + identity. + +**Attributes** + +- **ResourceIdentityProperty** is the identity-resource property supposed to match the + authentication login used by the end-user. +- **OwnerEntityType** is the entity type of the resources used to store digital identities within + Identity Manager. +- **BeforeToken\_**(optional)\_ defines the first character used to trim the authentication login. 
+- **AfterToken\_**(optional)\_ defines the second character used to trim the authentication login. + + The trimmed result is the content of the authentication login between _AfterToken_ and + _BeforeToken_. If _BeforeToken_ is empty, trimmed result is everything after _AfterToken_. If + _AfterToken_ is empty, trimmed result is everything before _BeforeToken_. + +- **ResourceDisplayNameProperty** is the property used for displaying login data at the top right of + the application. +- **OwnerPhotoTagProperty** defines the photo property for Identity Manager users. + +**Example** + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). In that case, +the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Identity Manager. + +``` + + + +``` + +## SelectPersonasByFilterQueryHander + +This setting is used to filter the entity type used by authentication mechanism. + +``` + + + +``` + +- **ResourceDisplayNameProperty** represents the display property. +- **OwnerPhotoTagProperty** defines the photo tag property. +- **PersonTypeFilterProperty** defines the filter property. +- **PersonTypeFilter** defines the filter value. +- **MailProperty** defines the mail property. + +## SelectAllPerformedByAssociationQueryHandler + +This setting enables task delegation to a group of people. 
+ +``` + + + +``` + +- **RootEntityType** indicates the entity type on which the delegation is applied. +- **Binding** defines the binding used to get the list of identities to delegate to. + +_NB: In order for delegation to work, users that are part of the delegate group must have at least +one assigned profile_ + +## Scheduling CleanDataBase + +If the default value for the Task CleanDataBase needs to be overridden, define this setting: + +``` + + + +``` + +- `Timeout`: Defines the maximum time a Job or Task can wait after the last run. +- `CronTabExpression`: Define the cron to launch the CleanDatabase Job. + +#### 7. Password Generation Setting + +It is possible to override some aspects of the password generation (used in password reset features) +using the following setting: + +``` + + + +``` + +- `AllowedSymbolChars`: A string containing the list of symbol chars to be used in the generated + password. The default value is : `!;.,?()[]-_&%$+{}@` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md new file mode 100644 index 0000000000..723058c1cb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md 
@@ -0,0 +1,16 @@ +# appsettings.connection + +## Define configuration through UI + +On some configuration screens, such as the connector screen, it is possible to define some of the +[ Agent Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). This configuration is stored in the +**appsettings.connection.json** file, located inside the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). + +The **appsettings.connection.json** file has the exact same structure as the other +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file. + +This configuration file has the highest priority among others agent's configuration sources . See +the [ Agent Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) topic for additional information. + +You should not modify this file manually. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/index.md new file mode 100644 index 0000000000..8e607f9937 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/index.md @@ -0,0 +1,6 @@ +# Technical Files + +This section gathers information relative to the technical files that Identity Manager could use or +generate in its lifecycle. + +- [ appsettings.connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/custom/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/custom/index.md new file mode 100644 index 0000000000..e80e156242 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/custom/index.md @@ -0,0 +1,29 @@ +# Custom Notifications + +Custom notifications can be configured for specific needs, to be triggered by a workflow, or +periodically via a task. + +## Workflow-Triggered Notifications + +A notification can be configured to be sent to one or several users right after the execution of a +given activity in a [Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md). + +> For example, when a user is created in Identity Manager through a workflow, a notification can be +> sent to the user's manager. A notification can also be sent when someone must process an action +> for a workflow to continue. + +The configuration is made through the XML tag +[ Notification Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md). + +## Periodic Notifications + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the +[ Send Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) +as part of a job. + +> For example, a notification can be sent automatically to remind a manager that someone arrives in +> their team a month before the arrival, and again a week before. + +The configuration is made through the XML tag +[ Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md). 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md new file mode 100644 index 0000000000..493f82f752 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md 
@@ -0,0 +1,44 @@ +# Customize a Native Notification + +This guide shows how to set a template other than the default one for native notifications. + +## Overview + +Identity Manager natively sends notifications for usual cases. See the +[ Native Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md) topic for additional information. + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +templates. + +## Customize a Native Notification + +Customize a native notification by proceeding as follows: + +1. Among the + [Notification Template](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md), + get the identifier of the notification whose templates are to be replaced. + + > For example, to customize the notification for one-way password reset: `OneWayPasswordReset`. + +2. In `Runtime/NotificationTemplates`, copy to the configuration folder the cshtml template(s) + associated to the notification that need to be overridden. + + > For example, we can copy the template for the email's body but keep the provided template for + > the subject. Then we have: `Conf/Templates/MyOneWayPasswordReset.cshtml`. + > + > Let's say that we also need to customize the email's subject in French which is the language + > 2: `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml` + +3. Customize the template(s) previously copied to the configuration folder. +4. Configure an XML element + [Notification Template](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) + with the identifier collected at step 1, and the relative path(s) to the customized template(s). + + > For example: + > + > ``` + > + > + > + > ``` 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/set-language/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/set-language/index.md new file mode 100644 index 0000000000..4ebf7a5468 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/set-language/index.md 
@@ -0,0 +1,50 @@ +# Set Notifications' Languages + +This guide shows how to set the language for all notifications. + +## Overview + +Identity Manager sends all kinds of notification emails whose language is by default the language +specified in the configuration as the first language. + +The language can also be configured explicitly with a language code. If this language code is not +defined, then notifications use the first language. + +## Set the First Language + +Set the first language for the whole application by proceeding as follows: + +1. In the XML configuration, create a `Language` with `IndicatorNumber` set to `1`. See the + [ Language ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) topic for additional + information. + + > For example, to set English as the first language: + > + > ``` + > + > + > + > ``` + +2. Deploy the configuration and relaunch the server. + +## Set the Language Explicitly + +Set the language explicitly for server-side-task notifications by proceeding as follows: + +1. In the XML configuration, configure `MailSetting` with a `LanguageCode`See the + [ Mail Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md) topic + for additional information. + + > For example, to set the language to English: + > + > ``` + > + > + > + > ``` + + When `LanguageCode` is not defined, then the language of notifications will be the first + language, i.e. the one specified with `Indicator` set to `1`. + +2. Deploy the configuration and relaunch the server. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/index.md new file mode 100644 index 0000000000..ac514e767e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/index.md 
@@ -0,0 +1,10 @@ +# Notifications + +Identity Manager is able to send notification emails when an action is expected, or a job ends with +an error. + +Identity Manager provides [ Native Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md) for usual cases, for example +provisioning review, resource reconciliation, and role reconciliation. + +[ Custom Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/custom/index.md) can be configured for specific needs, to be triggered by a +workflow, or periodically via a task. diff --git a/docs/usercube/6.2/usercube/integration-guide/notifications/native/access-certification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/access-certification/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/notifications/native/access-certification/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/access-certification/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/errored-jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/errored-jobs/index.md new file mode 100644 index 0000000000..927c21d47e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/errored-jobs/index.md @@ -0,0 +1,8 @@ +# Jobs with Errors + +Identity Manager is able to send notification emails when a job ends with an error. The notification +email is sent to the user who has the necessary rights and the permission. + +See the [ Native Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md) and +[ Profiles & Permissions ](/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/index.md) topics for additional +information. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md new file mode 100644 index 0000000000..bba12eeaff --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md 
@@ -0,0 +1,41 @@ +# Native Notifications + +Identity Manager provides native notifications for usual cases, for example role review, +provisioning review, access certification, manual provisioning, etc. + +## Overview + +Identity Manager natively sends notifications for: + +- Password reset to the users whose passwords are reset; +- Access certification to the users selected as reviewers; +- [ Manual Provisioning ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md), provisioning review and role review to the + users who own a profile with the permissions to perform the corresponding actions; +- Jobs that finished in state completed/errored/aborted/blocked/warning to the users who own a + profile with the corresponding permissions. + +Concerning the notifications sent via permissions: +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a +profile to perform manual provisioning with Directory_User as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. + +See the [References: Permissions](/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md) topic for +additional information. + +Each permission can be configured in an +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) so +that the corresponding notification is disabled. + +All notifications are built based on cshtml templates. 
The templates for native notifications can be +found in `/Runtime/NotificationTemplates`. + +The templates for native notifications can be adjusted to specific needs through the XML tag +[Notification Template](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md). + +See the [ Customize a Native Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md) for +additional information on how to customize native notifications. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md new file mode 100644 index 0000000000..dd06ea9890 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md 
@@ -0,0 +1,29 @@ +# Manual Provisioning + +Identity Manager natively sends notifications concerning manual provisioning. + +## Overview + +### Notification Trigger + +The notifications are sent after a `FulfillTask` with a connection based on the +[ Manual Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) package. + +### Notification Recipients + +The notifications are sent to the users who own a profile with the following permission: +`/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}` where +`{entityType_identifier}` is the source entity type. + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. + +The permission can be configured in an +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that notifications are disabled. diff --git a/docs/usercube/6.2/usercube/integration-guide/notifications/native/password-reset/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/password-reset/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/notifications/native/password-reset/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/password-reset/index.md 
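Review bot: In notifications/native/manual-provisioning/index.md, "Notification Recipients" gives the required permission as `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}`, but the example two paragraphs later uses `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` with no `/Custom` prefix. Since the point of that paragraph is that only the full path enables notifications, the example should spell the path exactly as it has to be granted. The same unprefixed example appears in native/index.md, where its first occurrence is also missing code formatting.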
diff --git a/docs/usercube/6.2/usercube/integration-guide/notifications/native/provisioning-review/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/provisioning-review/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/notifications/native/provisioning-review/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/provisioning-review/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/notifications/native/role-review/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/role-review/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/notifications/native/role-review/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/role-review/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md new file mode 100644 index 0000000000..54a58e5cc6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md 
@@ -0,0 +1,59 @@ +# Create and Assign Profiles + +This guide shows how to create in the XML configuration profiles and the appropriate rules to assign +these profiles automatically. + +## Create a Profile + +Here is the xml configuration to create a profile in Identity Manager. See the +[ Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Automatically Assign Profiles + +To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and +ProfileRule. See the +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +## Configure the Set InternalUserProfiles Task + +The Identity Manager-Set-InternalUserProfiles task is mandatory to automatically assign the profile. +The task can be selected from the Job provisioning list. See the +[ Set Internal User Profiles Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +           +``` + +Here the TaskEntityType is the reference to connect to Identity Manager and the ResourceType is the +same as in the ProfileRuleContext. 
Once this configuration is done you can add the task in the job +which provisions the Connector AD. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +                     +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md new file mode 100644 index 0000000000..7fa499160e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md 
@@ -0,0 +1,140 @@ +# Restrict Users' Rights + +This guide shows how to define rules to limit users' access rights, which is possible via several +elements. + +## Overview + +Each UI element can be accessed only by the users who have a profile with the appropriate access +rights. + +All of this page's examples are based on the following access rights to view the `Directory_User` +entity type: + +``` + + + +``` + +## Assign a Profile Based on Users' Dimensions + +Assign a profile based on users' dimensions by proceeding as follows: + +1. Create the appropriate dimensions. + + > The following example states two user criteria as dimensions: users' organizations and titles: + > + > ``` + > + > + > + > ``` + + See the [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +2. Write profile rules and profile rule contexts to make the previously created dimensions act as + filters in rules meant to assign profiles to users. + + > The following examples creates a rule assigning the `Manager` profile to specific users based + > on their organizations and titles, now that they both exist as dimensions: + > + > ``` + > + > + > + > ``` + + The profile rule context must use a + [Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md)to + define the entity type that contains the dimension information. + + See the [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +## Limit an Entity's Visibility + +Limit an entity's visibility by proceeding as follows: + +1. Create at least one property group to gather a set of entity properties together. 
+ + > For example: + > + > ``` + > + > + > + > ``` + + See the [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +2. Create an access control entity type to list all the properties whose visibility must be + restricted, and link them to a visibility group. + + > For example: + > + > ``` + > + > + > + > ``` + + As a result, all the properties listed in the access control entity type are hidden from users + by default when they have the usual permissions written above. See the + [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + + To be able to see these properties, a user must have these permissions with a full access. + + > For example to give access to all properties: + > + > ``` + > + > + > + > ``` + > + > And to give access only to a property group: + > + > ``` + > + > + > + > ``` + + When there is not any profile with a full access, then the visibility restriction is lifted and + all users can access the properties. + +## Limit a Profile's Permissions + +Limit a profile's permissions by using filters in the access control rule that give permissions to +the profile. + +> For example to limit permissions based on a hardcoded value: +> +> ``` +> +> +> +> +> +> +> +> ``` +> +> And based on a dimension: +> +> ``` +> +> +> +> +> +> +> +> ``` + +See the [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for +additional information. 
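Review bot: In how-tos/rightsrestriction/index.md, the last sentence of "Limit an Entity's Visibility" ("When there is not any profile with a full access, then the visibility restriction is lifted and all users can access the properties") describes fail-open behaviour that is easy to miss at the end of step 2. Consider moving it into a note right after the access control entity type example, because removing the last profile with full access would expose the restricted properties to every user. Separately, the "See the [ Dimension ] topic" link is reused after the property group, access control entity type and access control rule steps, where it looks like the wrong target, and "The profile rule context must use a [Profile Rule Context](...)to define" is circular and missing a space before "to".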
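Review bot: In how-tos/create-assign-profiles/index.md, "The Identity Manager-Set-InternalUserProfiles task is mandatory" reads like a product-name replacement applied to a task identifier; please confirm the task's actual name, since the section heading and the linked topic call it "Set InternalUserProfiles" and "Set Internal User Profiles Task". "Automatically Assign Profiles" tells the reader to work with ProfileRuleContext and ProfileRule but links to the Access Control Rule topic rather than a Profile Rule one. Is the repeated sentence about "entering the script in the command line" intended for XML configuration snippets?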
diff --git a/docs/usercube/6.2/usercube/integration-guide/profiles-permissions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/profiles-permissions/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md new file mode 100644 index 0000000000..a58a80e8eb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md 
@@ -0,0 +1,1986 @@ +# References: Permissions + +Here is a list of permissions required for different user profiles: + +- /AccessCertification/AccessCertificationCampaign/Create + + Permission to create objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Delete + + Permission to delete objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Process + + Permission to process AccessCertificationCampaign decisions. + +- /AccessCertification/AccessCertificationCampaign/Query + + Permission to query and read objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Update + + Permission to update objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaignPolicy/Query + + Permission to query and read objects of type AccessCertificationCampaignPolicy. + +- /AccessControl/AccessControlEntry/Create + + Permission to create objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Delete + + Permission to delete objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Query + + Permission to query and read objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Update + + Permission to update objects of type AccessControlEntry. + +- /AccessControl/AccessControlFilter/Create + + Permission to create objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Delete + + Permission to delete objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Query + + Permission to query and read objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Update + + Permission to update objects of type AccessControlFilter. + +- /AccessControl/AccessControlPermission/Query + + Permission to query and read objects of type AccessControlPermission. 
+ +- /AccessControl/AccessControlRule/Create + + Permission to create objects of type AccessControlRule. + +- /AccessControl/AccessControlRule/Delete + + Permission to delete objects of type AccessControlRule + +- /AccessControl/AccessControlRule/Query + + Permission to query and read objects of type AccessControlRule. + +- /AccessControl/AccessControlRule/Update + + Permission to update objects of type AccessControlRule. + +- /AccessControl/AssignedProfile/Create + + Permission to create objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Delete + + Permission to delete objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Query + + Permission to query and read objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Update + + Permission to update objects of type AssignedProfile. + +- /AccessControl/OpenIdClient/Create + + Permission to create objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Delete + + Permission to delete objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Query + + Permission to query and read objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Update + + Permission to update objects of type OpenIdClient. + +- /AccessControl/Profile/Create + + Permission to create objects of type Profile. + +- /AccessControl/Profile/Delete + + Permission to delete objects of type Profile. + +- /AccessControl/Profile/Query + + Permission to query and read objects of type Profile. + +- /AccessControl/Profile/Update + + Permission to update objects of type Profile. + +- /AccessControl/ProfileRuleContext/Query + + Permission to query and read objects of type ProfileRuleContext. + +- /Connectors/Agent/Create + + Permission to create objects of type Agent. + +- /Connectors/Agent/Delete + + Permission to delete objects of type Agent. + +- /Connectors/Agent/Query + + Permission to query and read objects of type Agent. 
+ +- /Connectors/Agent/Update + + Permission to update objects of type Agent. + +- /Connectors/Connection/Create + + Permission to create objects of type Connection. + +- /Connectors/Connection/Delete + + Permission to delete objects of type Connection. + +- /Connectors/Connection/Query + + Permission to query and read objects of type Connection. + +- /Connectors/Connection/Update + + Permission to update objects of type Connection. + +- /Connectors/ConnectionColumn/Query + + Permission to query and read objects of type ConnectionColumn. + +- /Connectors/ConnectionPackage/Query + + Permission to query and read objects of type ConnectionPackage. + +- /Connectors/ConnectionTable/Query + + Permission to query and read objects of type ConnectionTable. + +- /Connectors/Connector/Create + + Permission to create objects of type Connector. + +- /Connectors/Connector/Delete + + Permission to delete objects of type Connector. + +- /Connectors/Connector/Query + + Permission to query and read objects of type Connector. + +- /Connectors/Connector/Update + + Permission to delete objects of type EntityAssociationMapping. + +- /Connectors/EntityAssociationMapping/Create + + Permission to create objects of type EntityAssociationMapping + +- /Connectors/EntityAssociationMapping/Delete + + Permission to delete objects of type EntityAssociationMapping + +- /Connectors/EntityAssociationMapping/Query +- Permission to query and read objects of type EntityAssociationMapping. +- /Connectors/EntityAssociationMapping/Update + + Permission to update objects of type EntityAssociationMapping. + +- /Connectors/EntityPropertyMapping/Create + + Permission to create objects of type EntityPropertyMapping. + +- /Connectors/EntityPropertyMapping/Delete + + Permission to delete objects of type EntityPropertyMapping. + +- /Connectors/EntityPropertyMapping/Query + + Permission to query and read objects of type EntityPropertyMapping. 
+ +- /Connectors/EntityPropertyMapping/Update + + Permission to update objects of type EntityPropertyMapping + +- /Connectors/EntityTypeMapping/Create + + Permission to create objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Delete + + Permission to delete objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Query + + Permission to query and read objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Update + + Permission to update objects of type EntityTypeMapping + +- /Connectors/EntityTypeMappingByConnectorIdQuery/Query + + Permission to query and read objects of type EntityTypeMappingByConnectorIdQuery + +- /Connectors/PasswordResetContextsByIdsQuery/Query + + Permission to query and read objects of type PasswordResetContextsByIdsQuery + +- /Connectors/ProvisionerResourceTypeMapping/Query + + Permission to query and read objects of type ProvisionerResourceTypeMapping + +- /Connectors/ProvisioningSession + + Permission to get provisioning orders from server for a connector. + +- /Connectors/ResourceTypeMapping/Query + + Permission to query and read objects of type ResourceTypeMapping (resource types' fulfill + settings in the UI) when launching a resource-type-related job. + +- /Connectors/SynchronizeSession + + Permission to send connector files to the server. + +- /Custom/AccessCertification/AutoAssigned/`{entityType_identifier}` + + Permission to be automatically assigned to an access certification item corresponding to an + access right owned by an object of type `entityType_identifier`. + +- /Custom/AccessCertification/ManualAssigned/`{entityType_identifier}` + + Permission to be manually assigned to an access certification item corresponding to an access + right owned by an object of type `entityType_identifier`. 
+ +- /Custom/ManageAccounts/`{entityType_identifier}` + + Permission to display the Manage Accounts menu for resources corresponding to an access right + owned by an object of type `entityType_identifier`. + +- /Custom/ProvisioningPolicy/AssignedRoles/`{entityType_identifier}` + + Permission to view the roles assigned to an object of type entityType_identifier. + +- /Custom/ProvisioningPolicy/BulkPerformManualProvisioning/`{entityType_identifier}` + + Permission to perform bulk validations on the **Manual Provisioning** page. + +- /Custom/ProvisioningPolicy/BulkReconciliateResources/`{entityType_identifier}` + + Permission to perform bulk validations on the **Resource Reconciliation** page. + +- /Custom/ProvisioningPolicy/BulkReviewProvisioning/`{entityType_identifier}` + + Permission to perform bulk validations on the **Provisioning Review** page (only for errored + orders). + +- /Custom/ProvisioningPolicy/BulkRoleReconciliation/`{entityType_identifier}` + + Permission to perform bulk validations on the **Role Reconciliation** page. + +- /Custom/ProvisioningPolicy/PendingAssignedResourceTypes/`{resourceType_identifier}` + + Permission to query and read all the pending assigned resource types linked to + `{resourceType_identifier}`. + +- /Custom/ProvisioningPolicy/PerformManualProvisioning/`{entityType_identifier}` + + Permission to perform manual provisioning, access the corresponding screens and be notified + accordingly, when `{entityType_identifier}` is the source entity type. + +- /Custom/ProvisioningPolicy/ReconciliateResources/`{entityType_identifier}` + + Permission to reconcile resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/ProvisioningPolicy/ReconciliateRoles/`{entityType_identifier}` + + Permission to reconcile role corresponding to an access right owned by an object of type + `entityType_identifier`. 
+ +- /Custom/ProvisioningPolicy/ReviewProvisioning/`{entityType_identifier}` + + Permission to review provisioning corresponding to an access right owned by an object of type + `entityType_identifier`. + +- The permission's recipient will receive a notification email. + + **NOTE:** In order to receive the notifications, a profile must have the full permission path. + Having a (great-)parent permission will not enable notifications for all child entities. + + For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows + a profile to perform manual provisioning with Directory_User as the source entity type, and + receive the corresponding notifications. On the contrary, the permission + /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning + for all entity types, but not receive the corresponding notifications. + + Each permission can be configured in an access control entry so that the corresponding + notification is disabled. See the + [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md)topic + for additional information. + +- /Custom/ProvisioningPolicy/ReviewRoles/`{entityType_identifier}` + + Permission to review roles corresponding to an access right owned by an object of type + entityType_identifier. + + The permission's recipient will receive a notification email. + + **NOTE:** In order to receive the notifications, a profile must have the full permission path. + Having a (great-)parent permission will not enable notifications for all child entities. + + For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows + a profile to perform manual provisioning with Directory_User as the source entity type, and + receive the corresponding notifications. 
On the contrary, the permission + /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning + for all entity types, but not receive the corresponding notifications. + Each permission can be configured in an access control entry so that the corresponding + notification is disabled. See the + [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md)topic + for additional information. + +- /Custom/Reports/`{reportQuery_identifier}` + + Permission to access reports corresponding to the query `reportQuery_identifier`. + +- /Custom/ResourceChanges/`{connector_identifier}` + + Permission to query and read any resource changes from the `ResourceChanges` table. + +- /Custom/ResourceFileChanges/`{connector_identifier}` + + Permission to query and read any resource file changes from the `ResourceFileChanges` table. + +- /Custom/ResourceFiles/`{entityType_identifier}`/`{property_identifier}`/View + + Permission to query and read any resource files from the `ResourceFile` table corresponding to + the property `property_identifier` of the entity `entityType_identifier`, for example the + `Directory_User` photo property. This permission is generated by the + [`ViewAccessControlRules`](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + scaffolding. + +- /Custom/ResourceLinkChanges/`{connector_identifier}` + + Permission to query and read any resource link changes from the `ResourceLinkChanges` table. + +- /Custom/Resources/`{entityType_identifier}`/Create + + Permission to create resources corresponding to an access right owned by an object of type + `entityType_identifier`. 
+ +- /Custom/Resources/`{entityType_identifier}`/Delete + + Permission to delete resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/Query + + Permission to query and read resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/Self + + Permission to view self resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/SelfOwnedResources + + Permission to view self owned resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/SelfTargetResources + + Permission to view self target resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/Update + + Permission to update resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/View + + Permission to view resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/ViewOwnedResources + + Permission to view owned resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Resources/`{entityType_identifier}`/ViewTargetResources + + Permission to view target resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/Workflows/`{workflow_identifier}`/`{activity_identifier}`/`{activityTemplateState_shortIdentifier}` + + Permission to access the workflow `workflow_identifier`at the activty `activity_identifier` in + the state `activityTemplateState_shortIdentifier`. 
+ +- /Custom/Workflows/Supervise/`{entityType_identifier}` + + Permission to supervise a workflow corresponding to an access right owned by an object of type + `entityType_identifier`. + +- /Custom/WorkflowsNotifications/`{workflow_identifier}`/`{activity_identifier}`/`{activityTemplateState_shortIdentifier}` + + Permission to be notified on a workflow's specific state. Applies to notifications specifying + the recipient's type: `Profile`. + +- /EntityTypeMappings + + Permission to see the entity types. + +- /Jobs/Job/Create + + Permission to create objects of type Job. + +- /Jobs/Job/Delete + + Permission to delete objects of type Job. + +- /Jobs/Job/Query + + Permission to query and read objects of type Job. + +- /Jobs/Job/Update + + Permission to update objects of type Job. + +- /Jobs/JobInstance/Create + + Permission to create objects of type JobInstance. + +- /Jobs/JobInstance/Delete + + Permission to delete objects of type JobInstance. + +- /Jobs/JobInstance/Query + + Permission to query and read objects of type JobInstance. + +- /Jobs/JobInstance/Update + + Permission to update objects of type JobInstance. + +- /Jobs/JobStep/Create + + Permission to create objects of type JobStep. + +- /Jobs/JobStep/Delete + + Permission to delete objects of type JobStep + +- /Jobs/JobStep/Query + + Permission to query and read objects of type JobStep. + +- /Jobs/JobStep/Update + + Permission to update objects of type JobStep. + +- /Jobs/RunJob/GetLog + + Read permission for JobLog. + +- /Jobs/RunJob/Launch/Aborted + + Permission to send notification for job launched which ends in state Aborted. + +- /Jobs/RunJob/Launch/Blocked + + Permission to send notification for job launched which ends in state Blocked. + +- /Jobs/RunJob/Launch/Completed + + Permission to send notification for job launched which ends in state Completed. + +- /Jobs/RunJob/Launch/Errored + + Permission to send notification for job launched which ends in state Errored. 
+ +- /Jobs/RunJob/Launch/Warning + + Permission to send notification for job launched which ends in state Warning. + +- /Jobs/RunJob/Repair/Aborted + + Permission to send notification for job relaunched which ends in state Aborted. + +- /Jobs/RunJob/Repair/Blocked + + Permission to send notification for job relaunched which ends in state Blocked. + +- /Jobs/RunJob/Repair/Completed + + Permission to send notification for job relaunched which ends in state Completed. + +- /Jobs/RunJob/Repair/Errored + + Permission to send notification for job relaunched which ends in state Errored. + +- /Jobs/RunJob/Repair/Warning + + Permission to send notification for job relaunched which ends in state Warning. + +- /Jobs/Task/Create + + Permission to create objects of type Task. + +- /Jobs/Task/Delete + + Permission to delete objects of type Task. + +- /Jobs/Task/Query + + Permission to query and read objects of type Task + +- /Jobs/Task/Update + + Permission to update objects of type Task + +- /Jobs/TaskDependOnTask/Create + + Permission to create objects of type TaskDependOnTask. + +- /Jobs/TaskDependOnTask/Delete + + Permission to delete objects of type TaskDependOnTask. + +- /Jobs/TaskDependOnTask/Query + + Permission to query and read objects of type TaskDependOnTask + +- /Jobs/TaskDependOnTask/Update + + Permission to update objects of type TaskDependOnTask. + +- /Jobs/TaskDimension/Create + + Permission to create objects of type TaskDimension. + +- /Jobs/TaskDimension/Delete + + Permission to delete objects of type TaskDimension. + +- /Jobs/TaskDimension/Query + + Permission to query and read objects of type TaskDimension. + +- /Jobs/TaskDimension/Update + + Permission to update objects of type TaskDimension. + +- /Jobs/TaskEntityType/Create + + Permission to create objects of type TaskEntityType. + +- /Jobs/TaskEntityType/Delete + + Permission to delete objects of type TaskEntityType. 
+ +- /Jobs/TaskEntityType/Query + + Permission to query and read objects of type TaskEntityType. + +- /Jobs/TaskEntityType/Update + + Permission to update objects of type TaskEntityType + +- /Jobs/TaskIdByIdentifiersQuery/Query + + Permission to query and read objects of type TaskIdByIdentifiersQuery. + +- /Jobs/TaskInstance/Create + + Permission to create objects of type TaskInstance. + +- /Jobs/TaskInstance/Delete + + Permission to delete objects of type TaskInstance. + +- /Jobs/TaskInstance/Query + + Permission to query and read objects of type TaskInstance. + +- /Jobs/TaskInstance/Update + + Permission to update objects of type TaskInstance. + +- /Jobs/TaskResourceType/Create + + Permission to create objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Delete + + Permission to delete objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Query + + Permission to query and read objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Update + + Permission to update objects of type TaskResourceType. + +- /Metadata/Binding/Create + + Permission to create objects of type Binding. + +- /Metadata/Binding/Delete + + Permission to delete objects of type Binding. + +- /Metadata/Binding/Query + + Permission to query and read objects of type Binding. + +- /Metadata/Binding/Update + + Permission to update objects of type Binding. + +- /Metadata/BindingItem/Query + + Permission to query and read objects of type BindingItem. + +- /Metadata/Dimension/Create + + Permission to create objects of type Dimension. + +- /Metadata/Dimension/Delete + + Permission to delete objects of type Dimension. + +- /Metadata/Dimension/Query + + Permission to query and read objects of type Dimension. + +- /Metadata/Dimension/Update + + Permission to update objects of type Dimension. + +- /Metadata/EntityAssociation/Create + + Permission to create objects of type EntityAssociation. 
+ +- /Metadata/EntityAssociation/Delete + + Permission to delete objects of type EntityAssociation. + +- /Metadata/EntityAssociation/Query + + Permission to query and read objects of type EntityAssociation. + +- /Metadata/EntityAssociation/Update + + Permission to update objects of type EntityAssociation. + +- /Metadata/EntityProperty/Create + + Permission to create objects of type EntityProperty. + +- /Metadata/EntityProperty/Delete + + Permission to delete objects of type EntityProperty. + +- /Metadata/EntityProperty/Query + + Permission to query and read objects of type EntityProperty. + +- /Metadata/EntityProperty/Update + + Permission to update objects of type EntityProperty. + +- /Metadata/EntityType/Create + + Permission to create objects of type EntityType. + +- /Metadata/EntityType/Delete + + Permission to delete objects of type EntityType. + +- /Metadata/EntityType/Query + + Permission to query and read objects of type EntityType. + +- /Metadata/EntityType/Update + + Permission to update objects of type EntityType. + +- /Metadata/Language/Query + + Permission to query and read objects of type Language. + +- /Metadata/Setting/Create + + Permission to create objects of type Setting + +- /Metadata/Setting/Delete + + Permission to delete objects of type Setting + +- /Metadata/Setting/Query + + Permission to query and read objects of type Setting + +- /Metadata/Setting/Update + + Permission to update objects of type Setting + +- /Monitoring + + Permission to download server logs from the User Interface (from the **Monitoring** screen). 
+ +- /ProvisioningPolicy/AssignedCompositeRole/Comment + + Permission to comment objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Create + + Permission to create objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Delete + + Permission to delete objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Query + + Permission to query and read objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Update + + Permission to update objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedResourceBinary/Create + + Permission to create objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Delete + + Permission to delete objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Query + + Permission to query and read objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Update + + Permission to update objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceNavigation/Create + + Permission to create objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Delete + + Permission to delete objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Query + + Permission to query and read objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Update + + Permission to update objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceScalar/Create + + Permission to create objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceScalar/Delete + + Permission to delete objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceScalar/Query + + Permission to query and read objects of type AssignedResourceScalar + +- 
/ProvisioningPolicy/AssignedResourceScalar/Update + + Permission to update objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceType/Comment + + Permission to comment objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Create + + Permission to create objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Delete + + Permission to delete objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/ManualProvisioningReview + + Permission to review manual provisioning for object of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Query + + Permission to query and read objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Update + + Permission to update objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedSingleRole/Comment + + Permission to comment objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Create + + Permission to create objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Delete + + Permission to delete objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Query + + Permission to query and read objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Update + + Permission to update objects of type AssignedSingleRole + +- /ProvisioningPolicy/AutomationRule/Create + + Permission to create objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/CreateSimulation + + Permission to create objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Delete + + Permission to delete objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/DeleteSimulation + + Permission to delete objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Query + + Permission to query and read objects of type AutomationRule + +- 
/ProvisioningPolicy/AutomationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/Simulation + + Permission to query and read objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Updat + + Permission to update objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/UpdateSimulation + + Permission to update objects of type AutomationRule in simulation + +- /ProvisioningPolicy/Category/Create + + Permission to create objects of type Category + +- /ProvisioningPolicy/Category/Delete + + Permission to delete objects of type Category + +- /ProvisioningPolicy/Category/Query + + Permission to query and read objects of type Category + +- /ProvisioningPolicy/Category/Update + + Permission to update objects of type Category + +- /ProvisioningPolicy/CompositeRole/Create + + Permission to create objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/CreateSimulation + + Permission to create objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Delete + + Permission to delete objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/DeleteSimulation + + Permission to delete objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Query + + Permission to query and read objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/Simulation + + Permission to query and read objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Update + + Permission to update objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/UpdateSimulation + + Permission to update objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Create + + 
Permission to create objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/CreateSimulation + + Permission to create objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Delete + + Permission to delete objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/DeleteSimulation + + Permission to delete objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Query + + Permission to query and read objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/Simulation + + Permission to query and read objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Update + + Permission to update objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/UpdateSimulation + + Permission to update objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/ContextRule/Create + + Permission to create objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/CreateSimulation + + Permission to create objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Delete + + Permission to delete objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/DeleteSimulation + + Permission to delete objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Query + + Permission to query and read objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/Simulation + + Permission to query and read objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Update + + Permission to update objects of type ContextRule + +- 
/ProvisioningPolicy/ContextRule/UpdateSimulation + + Permission to update objects of type ContextRule in simulation + +- /ProvisioningPolicy/IdentifiedRisk/Query + + Permission to query and read objects of type IdentifiedRisk + +- /ProvisioningPolicy/MiningRule/Create + + Permission to create objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Delete + + Permission to delete objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Query + + Permission to query and read objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Update + + Permission to update objects of type MiningRule + +- /ProvisioningPolicy/Policy/Create + + Permission to create objects of type Policy + +- /ProvisioningPolicy/Policy/CreateSimulation + + Permission to create objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Delete + + Permission to delete objects of type Policy + +- /ProvisioningPolicy/Policy/DeleteSimulation + + Permission to delete objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Query + + Permission to query and read objects of type Policy + +- /ProvisioningPolicy/Policy/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type Policy + +- /ProvisioningPolicy/Policy/Simulation + + Permission to query and read objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Update + + Permission to update objects of type Policy + +- /ProvisioningPolicy/Policy/UpdateSimulation + + Permission to update objects of type Policy in simulation + +- /ProvisioningPolicy/PolicySimulation/Create + + Permission to create objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Delete + + Permission to delete objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Query + + Permission to query and read objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Start + + Permission to start a simulation of a policy + +- 
/ProvisioningPolicy/PolicySimulation/Update + + Permission to update objects of type PolicySimulation. + +- /ProvisioningPolicy/PredefinedFunctionQuery/Query + + Permission to query and read objects of type PredefinedFunctionQuery + +- /ProvisioningPolicy/Provisioning/Start + + Permission to compute Provisioning. + +- /ProvisioningPolicy/RedundantAssignment/Query + + Permission to access the **Redundant Assignment** page. + +- /ProvisioningPolicy/RedundantAssignment/Start + + Permission to compute redundant assignments and remove them. + +- /ProvisioningPolicy/ResourceBinaryRule/Create + + Permission to create objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation + + Permission to create objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation + + Permission to create objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/Delete + + Permission to delete objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/DeleteSimulation + + Permission to delete objects of type ResourceBinaryRule in simulatio.n + +- /ProvisioningPolicy/ResourceBinaryRule/Query + + Permission to query and read objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceBinaryRule + +- /ProvisioningPolicy/ResourceBinaryRule/Simulation + + Permission to query and read objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/Update + + Permission to update objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/UpdateSimulation + + Permission to update objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Create + + Permission to create objects of type ResourceClassificationRule. 
+ +- /ProvisioningPolicy/ResourceClassificationRule/CreateSimulation + + Permission to create objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Delete + + Permission to delete objects of type ResourceClassificationRule + +- /ProvisioningPolicy/ResourceClassificationRule/DeleteSimulation + + Permission to delete objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Query + + Permission to query and read objects of type ResourceClassificationRule. + +- /ProvisioningPolicy/ResourceClassificationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + ResourceClassificationRule. + +- /ProvisioningPolicy/ResourceClassificationRule/Simulation + + Permission to query and read objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Update + + Permission to update objects of type ResourceClassificationRule + +- /ProvisioningPolicy/ResourceClassificationRule/UpdateSimulation + + Permission to update objects of type ResourceClassificationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Create + + Permission to create objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/CreateSimulation + + Permission to create objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Delete + + Permission to delete objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/DeleteSimulation + + Permission to delete objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Query + + Permission to query and read objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + 
ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/Simulation + + Permission to query and read objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Update + + Permission to update objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/UpdateSimulation + + Permission to update objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceHistory/Query + + Permission to query and read objects of type ResourceHistory + +- /ProvisioningPolicy/ResourceManageableAccounts/Query + + Permission to query and read objects of type ResourceManageableAccounts + + /ProvisioningPolicy/ResourceNavigationRule/Create + +- Permission to create objects of type ResourceNavigationRule +- /ProvisioningPolicy/ResourceNavigationRule/CreateSimulation + + Permission to create objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Delete + + Permission to delete objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/DeleteSimulation + + Permission to delete objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Query + + Permission to query and read objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/Simulation + + Permission to query and read objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Update + + Permission to update objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/UpdateSimulation + + Permission to update objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Create + + Permission to create objects of type 
ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/CreateSimulation + + Permission to create objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Delete + + Permission to delete objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/DeleteSimulation + + Permission to delete objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Query + + Permission to query and read objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/Simulation + + Permission to query and read objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Update + + Permission to update objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/UpdateSimulation + + Permission to update objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Create + + Permission to create objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/CreateSimulation + + Permission to create objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Delete + + Permission to delete objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/DeleteSimulation + + Permission to delete objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Query + + Permission to query and read objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/Simulation + + Permission to query and read objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Update 
+ + Permission to update objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/UpdateSimulation + + Permission to update objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceType/Create + + Permission to create objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/CreateSimulation + + Permission to create objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Delete + + Permission to delete objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/DeleteSimulation + + Permission to delete objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Query + + Permission to query and read objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/Simulation + + Permission to query and read objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Update + + Permission to update objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/UpdateSimulation + + Permission to update objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Create + + Permission to create objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/CreateSimulation + + Permission to create objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Delete + + Permission to delete objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/DeleteSimulation + + Permission to delete objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Query + + Permission to query and read objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceTypeRule + +- 
/ProvisioningPolicy/ResourceTypeRule/Simulation + + Permission to query and read objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Update + + Permission to update objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/UpdateSimulation + + Permission to update objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/Risk/Create + + Permission to create objects of type Risk + +- /ProvisioningPolicy/Risk/Delete + + Permission to delete objects of type Risk + +- /ProvisioningPolicy/Risk/OverrideApproval + + ermission to transform an approval risk into a warning risk + +- /ProvisioningPolicy/Risk/OverrideBlocking + + Permission to transform a blocking risk into an approval risk + +- /ProvisioningPolicy/Risk/Query + + Permission to query and read objects of type Risk + +- /ProvisioningPolicy/Risk/Update + + Permission to update objects of type Risk + +- /ProvisioningPolicy/RoleMapping/Create + + Permission to create objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Delete + + Permission to delete objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Query + + Permission to query and read objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Update + + Permission to update objects of type RoleMapping + +- /ProvisioningPolicy/SingleRole/Create + + Permission to create objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/CreateSimulation + + Permission to create objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Delete + + Permission to delete objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/DeleteSimulation + + Permission to delete objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Query + + Permission to query and read objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type SingleRole + 
+- /ProvisioningPolicy/SingleRole/Simulation + + Permission to query and read objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Update + + Permission to update objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/UpdateSimulation + + Permission to update objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRoleRule/Create + + Permission to create objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/CreateSimulation + + Permission to create objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Delete + + Permission to delete objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/DeleteSimulation + + Permission to delete objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Query + + Permission to query and read objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/Simulation + + Permission to query and read objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Update + + Permission to update objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/UpdateSimulation + + Permission to update objects of type SingleRoleRule in simulation + +- /Report/GenerateReportFileFromQuery/Query + + Permission to query and read objects of type GenerateReportFileFromQuery + +- /Report/GenerateReportFileFromReportQuery/Query + + Permission to query and read objects of type GenerateReportFileFromReportQuery + +- /Report/ReportQuery/Create + + Permission to create objects of type ReportQuery + +- /Report/ReportQuery/Delete + + Permission to delete objects of type ReportQuery + +- /Report/ReportQuery/Query + + Permission to query and read objects of type ReportQuery + +- /Report/ReportQuery/Update + + Permission to update objects 
of type ReportQuery + +- /Resources/Incremental/Query + + Permission to query and read objects of type Resource and Resource Link incrementally changed + +- /Resources/Resource/Create + + Permission to create objects of type Resource + +- /Resources/Resource/Delete + + Permission to delete objects of type Resource + +- /Resources/Resource/Query + + Permission to query and read objects of type Resource + +- /Resources/Resource/Update + + Permission to update objects of type Resource + +- /Settings/Manage +- /Universes/EntityInstance/Query + + Permission to query and read objects of type EntityInstance + +- /Universes/Universe/Query + + Permission to query and read objects of type Universe + +- /Universes/UniverseData/Query + + Permission to query and read objects of type UniverseData + +- /UserInterface/ActivityFormNameByWorkflowInstanceIdQuery/Query + + Permission to query and read objects of type ActivityFormNameByWorkflowInstanceIdQuery + +- /UserInterface/ApplicationInformationsQuery/Query + + Permission to query and read objects of type ApplicationInformationsQuery + +- /UserInterface/ConnectorResourceType/Create + + Permission to create objects of type ConnectorResourceType + +- /UserInterface/ConnectorResourceType/Delete + + Permission to delete objects of type ConnectorResourceType + +- /UserInterface/ConnectorResourceType/Update + + Permission to update objects of type ConnectorResourceType + +- /UserInterface/DisplayEntityAssociation/Create + + Permission to create objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityAssociation/Delete + + Permission to delete objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityAssociation/Query + + Permission to query and read objects of type DisplayEntityAssociatio + +- /UserInterface/DisplayEntityAssociation/Update + + Permission to update objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityProperty/Create + + Permission to create objects of type 
DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Delete + + Permission to delete objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Query + + Permission to query and read objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Update + + Permission to update objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityType/Create + + Permission to create objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Delete + + Permission to delete objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Query + + Permission to query and read objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Update + + Permission to update objects of type DisplayEntityType + +- /UserInterface/DisplayPropertyGroup/Create + + Permission to create objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Delete + + Permission to delete objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Query + + Permission to query and read objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Update + + Permission to update objects of type DisplayPropertyGroup + +- /UserInterface/DisplayTable/Create + + Permission to create objects of type DisplayTable + +- /UserInterface/DisplayTable/Delete + + Permission to delete objects of type DisplayTable + +- /UserInterface/DisplayTable/Query + + Permission to query and read objects of type DisplayTable + +- /UserInterface/DisplayTable/Update + + Permission to update objects of type DisplayTable + +- /UserInterface/DisplayTableColumn/Create + + Permission to create objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Delete + + Permission to delete objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Query + + Permission to query and read objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Update + + 
Permission to update objects of type DisplayTableColumn + +- /UserInterface/DisplayTableDesignElement/Query + + Permission to query and read objects of type DisplayTableDesignElement + +- /UserInterface/EntityTypeMappingByUiContextQuery/Query + + Permission to query and read objects of type EntityTypeMappingByUiContextQuery + +- /UserInterface/Form/Create + + Permission to create objects of type Form + +- /UserInterface/Form/Delete + + Permission to delete objects of type Form + +- /UserInterface/Form/Query + + Permission to query and read objects of type Form + +- /UserInterface/Form/Updat + + Permission to update objects of type Form + +- /UserInterface/FormControl/Create + + Permission to create objects of type FormControl + +- /UserInterface/FormControl/Delete + + Permission to delete objects of type FormControl + +- /UserInterface/FormControl/Query + + Permission to query and read objects of type FormControl + +- /UserInterface/FormControl/Update + + Permission to update objects of type FormControl + +- /UserInterface/HierarchyDataByEntityTypeIdQuery/Query + + Permission to query and read objects of type HierarchyDataByEntityTypeIdQuery + +- /UserInterface/Indicator/Create + + Permission to create objects of type Indicator + +- /UserInterface/Indicator/Delete + + Permission to delete objects of type Indicator + +- /UserInterface/Indicator/Query + + Permission to query and read objects of type Indicator + +- /UserInterface/Indicator/Update + + Permission to update objects of type Indicator + +- /UserInterface/IndicatorItem/Create + + Permission to create objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Delete + + Permission to delete objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Query + + Permission to query and read objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Update + + Permission to update objects of type IndicatorItem + +- /UserInterface/PersonasByFilterQuery/Query + + Permission to query and read objects 
of type PersonasByFilterQuery + +- /UserInterface/Reload + + Permission to reset the container, in order to update the permissions and the displayed + configuration. + +- /UserInterface/ResourceReadForm/Query + + Permission to query and read objects of type ResourceReadForm + +- /UserInterface/ResourceReadFormActions/Query + + Permission to query and read objects of type ResourceReadFormActions + +- /UserInterface/ResourceSearchForm/Query + + Permission to query and read objects of type ResourceSearchForm + +- /UserInterface/ResourceSelfForm/Query + + Permission to query and read objects of type ResourceSelfForm + +- /UserInterface/SearchBar/Create + + Permission to create objects of type SearchBar + +- /UserInterface/SearchBar/Delete + + Permission to delete objects of type SearchBar + +- /UserInterface/SearchBar/Query + + Permission to query and read objects of type SearchBar + +- /UserInterface/SearchBar/Update + + Permission to update objects of type SearchBar + +- /UserInterface/SearchBarCriterion/Create + + Permission to create objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Delete + + Permission to delete objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Query + + Permission to query and read objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Update + + Permission to update objects of type SearchBarCriterion + +- /UserInterface/Tile/Create + + Permission to create objects of type Tile + +- /UserInterface/Tile/Delete + + Permission to delete objects of type Tile + +- /UserInterface/Tile/Query + + Permission to query and read objects of type Tile + +- /UserInterface/Tile/Update + + Permission to update objects of type Tile + +- /UserInterface/TileDesignElement/Query + + Permission to query and read objects of type TileDesignElement + +- /UserInterface/TileItem/Create + + Permission to create objects of type TileItem + +- /UserInterface/TileItem/Delete + + Permission to delete objects of 
type TileItem + +- /UserInterface/TileItem/Query + + Permission to query and read objects of type TileItem + +- /UserInterface/TileItem/Update + + Permission to update objects of type TileItem + +- /UserInterface/UserByIdentityQuery/Query + + Permission to query and read objects of type UserByIdentityQuery + +- /UserInterface/WorkflowFormByNameQuery/Query + + Permission to query and read objects of type WorkflowFormByNameQuery + +- /UserInterface/WorkflowFormByWorkflowIdQuery/Query + + Permission to query and read objects of type WorkflowFormByWorkflowIdQuery + +- /Workflows/Activity/Create + + Permission to create objects of type Activity + +- /Workflows/Activity/Delete + + Permission to delete objects of type Activity + +- /Workflows/Activity/Query + + Permission to query and read objects of type Activity + +- /Workflows/Activity/Update + + Permission to update objects of type Activity + +- /Workflows/ActivityInstance/Query + + Permission to query and read objects of type ActivityInstance + +- /Workflows/ActivityInstanceAspectsQuery/Query + + Permission to query and read objects of type ActivityInstanceAspectsQuery + +- /Workflows/ActivityTemplate/Query + + Permission to query and read objects of type ActivityTemplate + +- /Workflows/ActivityTemplateState/Query + + Permission to query and read objects of type ActivityTemplateState + +- /Workflows/ActivityTemplateTransition/Query + + Permission to query and read objects of type ActivityTemplateTransition + +- /Workflows/HistorizedResourceFileByWorkflowInstanceIdQuery/Query + + Permission to query and read objects of type HistorizedResourceFileByWorkflowInstanceIdQuery + +- /Workflows/HomonymEntityLink/Create + + Permission to create objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Delete + + Permission to delete objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Query + + Permission to query and read objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Update + + 
Permission to update objects of type HomonymEntityLink + +- /Workflows/UserActivityInstance/AssignedTo + + Permission to update the actor on object of type UserActivityInstance + +- /Workflows/UserActivityInstance/ExpectedDate + + Permission to update expected date on object of type UserActivityInstance + +- /Workflows/UserActivityInstance/Query + + Permission to query and read objects of type UserActivityInstance + +- /Workflows/UserActivityInstanceCountQuery/Query + + Permission to query and read objects of type UserActivityInstanceCountQuery + +- /Workflows/Workflow/Create + + Permission to create objects of type Workflow + +- /Workflows/Workflow/Delete + + Permission to delete objects of type Workflow + +- /Workflows/Workflow/Query + + Permission to query and read objects of type Workflow + +- /Workflows/Workflow/Update + + Permission to update objects of type Workflow + +- /Workflows/WorkflowInstance/Query + + Permission to query and read objects of type WorkflowInstance + +- /Workflows/WorkflowInstance/Resume +- /Workflows/WorkflowInstance/Start +- /Workflows/WorkflowInstance/Supervise + + Permission to supervise objects of type WorkflowInstance + +- /Workflows/WorkflowInstanceData/Query + + Permission to query and read objects of type WorkflowInstanceData diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md new file mode 100644 index 0000000000..8b1919f3c9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md 
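Review bot: The entry `/UserInterface/Form/Updat` in this permissions list is missing its final `e`; every sibling entry uses `/Update` (for example `/UserInterface/FormControl/Update`), so a reader who copies the path as printed gets a string that does not follow the documented pattern. Near the end of the list, `/Workflows/WorkflowInstance/Resume` and `/Workflows/WorkflowInstance/Start` have no description at all, and only `/Workflows/WorkflowInstance/Supervise` is explained. Please add a one-line description to each so that someone granting these permissions can tell what each one allows.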
@@ -0,0 +1,96 @@ +# Compute a Resource Type's Provisioning Arguments + +This guide gives examples to understand how to configure a resource type's `ArgumentsExpression` +attribute to compute a resource type's provisioning arguments, for example the identifier of the +workflow to launch, or the identifier of the record to copy. + +## Examples + +This option is used to use provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an +[InternalWorkflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) connection +cannot contain expressions, a resource type can be configured with the `ArgumentsExpression` +attribute to explicit the arguments of provisioning orders, based on conditions and variables. + +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +``` + + + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. 
+ +The following example computes the identifier of the record to copy, if the identity has already +any: + +``` + +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); + + if (resources.Any()) { + arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); + } +} + +return arguments;" /> + +``` + +## Attributes Provided by Usercube + +| Name | Details | +| ---------------------------- | ----------------------------------------------------------------- | +| ProvisioningOrder.ChangeType | **Type** String **Description** Action of the provisioning order. | + +## Methods Provided by Usercube + +| Name | Details | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| IsNone | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsNone() **Description** `True` when the provisioning order demands no change. **Note:** this method can be used only on `ChangeType`. | +| IsAdded | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsAdded() **Description** `True` when the provisioning order demands a resource addition. **Note:** this method can be used only on `ChangeType`. | +| IsUpdated | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsUpdated() **Description** `True` when the provisioning order demands a resource update. **Note:** this method can be used only on `ChangeType`. | +| IsDeleted | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsDeleted() **Description** `True` when the provisioning order demands a resource deletion. **Note:** this method can be used only on `ChangeType`. 
| +| HasChanged | **Type** Boolean **Usage** provisioningOrder.HasChanged("PropertyName") **Description** `True` when the provisioning order demands a change on a given property. | +| TryGetScalar | **Type** Boolean **Usage** provisioningOrder.TryGetScalar("PropertyName", out var myChange) **Description** `True` when `PropertyName` is a scalar property whose value is changed by the provisioning order. `myChange` takes the new value of `PropertyName` changed by the provisioning order. | +| TryGetAddedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetAddedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property to which new values are added by the provisioning order. `myChanges` takes the list of values of `PropertyName` added by the provisioning order. | +| TryGetRemovedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetRemovedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property from which some values are removed by the provisioning order. `myChanges` takes the list of values of `PropertyName` removed by the provisioning order. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/index.md new file mode 100644 index 0000000000..3633ce7d3c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/index.md @@ -0,0 +1,6 @@ +# Provisioning + +See how to anticipate changes due to provisioning thanks to +[ Thresholds ](/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/prov-thresholds/index.md). + +See how to implement and perform [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md). 
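Review bot: In `provisioning/how-tos/argumentsexpression/index.md`, both fenced examples have lost their content. The first block, introduced by "The following example computes the identifier of the workflow to launch", contains only blank lines. The second starts mid-expression at `("Select Id Where EmployeeId="\" + employeeId.ToString() + "\"");` with unbalanced quotes, and ends in `return arguments;" />` with no opening element. As committed, the page documents `ArgumentsExpression` without a usable example, so please restore the full configuration elements, probably escaped or fenced as XML so the doc build does not strip them. Two smaller points: the heading `#### ResourceIdToCopy` jumps two levels below `## Examples` and the first example has no matching heading, and the table headings still read "Provided by Usercube" although this file sits under `identitymanager/6.2`.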
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/prov-thresholds/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/prov-thresholds/index.md new file mode 100644 index 0000000000..4f43c9bfe9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/prov-thresholds/index.md 
@@ -0,0 +1,34 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Identity Manager +stops the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though **they should not all be**. Each action must +be "guarded" by at least one threshold. + +Once the changes have been reviewed, the blocked job can be resumed (or not). See the +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional +information. + +## Thresholds for Provisioning + +Provisioning thresholds can be configured in XML files via +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) to count the +number of resources impacted by provisioning inside a given resource type. These thresholds impact +the generation of provisioning orders. They are configured with: + +| Absolute Threshold | Relative Threshold | +| ------------------ | ---------------------- | +| `MaximumDelete` | `MaximumDeletePercent` | +| `MaximumInsert` | `MaximumInsertPercent` | +| `MaximumUpdate` | `MaximumUpdatePercent` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop the generation of provisioning orders. + +Distinct [ Thresholds ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md)are configurable for +synchronization. 
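Review bot: The sentence "All thresholds are active." under "Thresholds for Provisioning" reads as contradicting the earlier statement that thresholds can be deactivated via the value `0`. Please say explicitly that every threshold with a non-zero value is evaluated, and what happens when an absolute threshold such as `MaximumDelete` is `0` while `MaximumDeletePercent` is set, because "Each action must be guarded by at least one threshold" only works as a safety rule if readers know which combination still blocks a job. The default values are not given either, although the text says thresholds are "by default activated". Minor: `[ Thresholds ](...)are configurable` is missing a space after the link, and the link texts carry stray inner spaces.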
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/resources/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/resources/index.md new file mode 100644 index 0000000000..ccda20b127 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/resources/index.md 
@@ -0,0 +1,40 @@ +# Resources + +Identity Manager stores managed systems' data and identities as resources within a resource +repository. + +## Resource Repository + +The source of truth for the engine is the data from external sources that are +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) into Identity +Manager's database. This persisted set of data, called _resources_, is stored in the **Resource +Repository**. + +The repository keeps a full history of all the changes performed to the resources. It is hence +possible to retrieve a resource's value at a given date or what has been changed over a period. + +Resources can be added to the resource repository from one of four ways: + +1. Input data directly from the [Toolkit for XML Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md). This is useful + for a very limited amount of data. This is very often used for debugging or testing, less often + in production. +2. Input data from the UI. This requires configuring the UI and is the most straightforward way for + a reasonable amount of data. This is often used to input reference data that is not in the + managed systems, or for which no source of truth exists. +3. [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) from a CSV file. + This is how data from managed systems are loaded most of the time. Any reference of identity data + can be loaded into Identity Manager using CSV files. This is useful if the target organization + already possess such files or can produce them easily. +4. Compute new resources from existing resources. This can be achieved by using the provisioning + tools in a very specific way that is called _internal_ provisioning. This is often used to create + the reference data from managed systems. +5. 
Insert data directly in the `UR_Resource` table from SQL queries. This is not very safe and + requires a great deal of expertise. + +When using methods 1. and 5., make sure to choose, for new resources, an `Id` that is not yet used +for another resource in the database. Only use positive integer `Id`s for resource-identity (that +is, the resource to which you plan on assigning roles). See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic for +additional information. + +Resources need a model: the entity model. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignment-dates/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignment-dates/index.md new file mode 100644 index 0000000000..a65fad77cd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignment-dates/index.md 
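Review bot: In `resources/index.md` the list is introduced with "from one of four ways" but has five numbered items, and the paragraph after it refers to "methods 1. and 5.", so the count should be five. The link substitution has also broken two sentences: "data from external sources that are [ Upward Data Synchronization ] into Identity Manager's database" no longer parses, and item 3 now reads "[ Upward Data Synchronization ] from a CSV file." with no verb. Since item 5 (direct inserts into `UR_Resource`) is described only as "not very safe", consider moving the `Id` constraints from the following paragraph into that item, so the warning and the rule for avoiding `Id` collisions are read together.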
@@ -0,0 +1,25 @@ +# Assignment Dates + +Entitlements can be assigned to users manually or automatically, but not on any time period. See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic for additional information. + +## For Manual Assignments + +During the manual assignment of an entitlement, i.e. role or resource type, to a user, the start and +end dates of the entitlement must follow simple rules: + +- the start date cannot be earlier than the earliest start date in all records of the user; +- the end date cannot be later than the latest end date in all records of the user. + +This means that requesting an entitlement without any start/end dates will actually assign the +entitlement from the records' earliest start date to the latest end date. + +An entitlement cannot be requested with a start date earlier than today's date. But when requesting +a role with an end date later than the records' latest end date, then the role will be assigned with +its end date equal to the records' latest end date. + +## For Automatic Assignments + +The start and end dates of any automatic assignment are based on the dates from the +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md)defined for the +identities. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md new file mode 100644 index 0000000000..a5a7cdd188 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md 
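Review bot: The rules under "For Manual Assignments" in `assignment-dates/index.md` do not say whether an out-of-range date is rejected or adjusted. The bullets state that the end date "cannot be later than the latest end date in all records of the user", but the last paragraph says such a request is accepted and the end date is set to the records' latest end date. Likewise, a request with no dates is said to assign from the records' earliest start date, while the next paragraph says a start date earlier than today cannot be requested. Please state for each bound whether the request fails or is clamped, and how the no-dates case behaves when the earliest record start date is in the past. The opening sentence "but not on any time period" would read more clearly as "but not for an arbitrary time period".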
@@ -0,0 +1,196 @@ +# Entitlement Assignment + +Assigning entitlements means giving users specific permissions, or access rights, etc. + +## Overview + +As Identity Manager relies on a +[role-based](https://en.wikipedia.org/wiki/Role-based_access_control) assignment policy, entitlement +assignment is simply role assignment. See the [ Role Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md)topic for +additional information. + +So once a user is assigned a role, Identity Manager must make the right changes in the managed +system(s) to actually enable the corresponding permission. The values to be changed in the managed +systems are specified in provisioning orders. + +Hence, an entitlement assignment is both the result of the execution of a provisioning order, and +the enablement of an access right. + +## Automatic vs. Manual + +Within Identity Manager, assignments can be created automatically, or can result from manual +requests. + +Automatic assignments are created by Identity Manager when evaluating the policy, i.e. when +computing expected assignments based on existing users and the policy's roles and rules. See the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional information. Automatic +assignments can: + +- Result directly from the application of assignment rules on identities. See the + [ Assignment Policy ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md)topic for additional information. +- Be inferred and cascading from another assignment. + +Manual assignments and degradations are on the other hand, need to be requested individually through +the UI. + +## Assignments' Approval Workflow + +Some entitlements require the approval of one or several knowledgeable users before actually being +assigned. This is standard procedure in many security-concerned organizations. 
+ +**NOTE:** This is configurable through the role's or resource type's approval workflow type. See the +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for +additional information. + +Each step of the approval workflow is associated with a workflow state, so that all assignments can +be tracked and it is clear what step they are at. + +The same approval workflow is used for requests to add or remove roles. + +For example, Ms. Jackson requests for Mr. Smith the single role Server Room Access which has a +two-step approval workflow: + +- At the end of the workflow, the assigned role has the workflow state **Requested**. +- Once the assignment is processed, the workflow state switches to **Pending Approval** 1/2. +- Once a reviewer approves the assignment, the state switches to **Pending Approval** 2/2 (and if + the reviewer declined the assignment, the state would switch to **Declined**). +- Once a second reviewer approves the assignment, the stat switches to **Approved** and the + assignment is finally effective. + +### Provisioning state + +In addition to the workflow state that represents an assignment's progress in the approval workflow, +any assignment also has a provisioning state to represent its progress in its lifetime from creation +in the database to provisioning to the managed system and to its eventual deletion. + +**NOTE:** Contrary to the workflow state that concerns all assignments, the provisioning state is +only about the assignments that need provisioning. + +For example, roles exist only in Identity Manager and not in the managed systems, so assigned roles +do not have a provisioning state, unlike assigned resource types, scalars and navigation, etc. 
+ +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +The schema sums up the usual progress of an assignment's provisioning state. + +For example, once Mr. Smith's role has completed the approval steps, we expect the provisioning of a +navigation property: + +- It is not yet ready for provisioning because we decided to add a provisioning review by a + knowledgeable user because it is a sensitive permission, so the assigned resource navigation has + the **Awaiting Approval** provisioning state. +- Once a reviewer approves the assignment, the provisioning state switches to **Pending**. +- Once provisioning orders are computed and transmitted to the agent, the state switches to + **Transmitted**. +- Once the agent confirms that the related order is executed, the state switches to **Executed**. +- Once synchronization validates the consistency of the provisioned value with the policy, the state + finally switches to **Verified**. + +Assignments whose provisioning orders are blocked because they are **Awaiting Approval** are to be +reviewed on the **Provisioning Review** screen. + +## Non-Conforming Assignments + +Once a policy is configured with all its rules and roles, Identity Manager can combine it with user +information in order to determine the expected assignments, i.e. the list of all assignments that +comply with the policy. + +On the other hand, via synchronization Identity Manager can read the existing assignments, i.e. the +list of all assignments that actually exist in the managed systems. + +Technically speaking, Identity Manager creates entitlements in the managed systems, and "translates" +them into role model language. In other words, Identity Manager create assignments based on the +entitlements found in the systems. + +A simple comparison between these two lists defines the non-conforming assignments, i.e. 
the list of +all assignments that do not comply with the policy. + +![Non-Conforming Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is +therefore: + +- Removed if Identity Manager correctly spotted it and the owner should indeed not possess this + permission; +- Kept as an exception if the configured rules do not apply to this particular case. + +**NOTE:** Non-conforming assignments are to be reviewed on the **Role Reconciliation** and/or +**Resource Reconciliation** screens. See the [Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic +for additional information. + +Non-conforming assignments can still be split into two categories: + +- Pre-existing when they are found during the very first synchronization because they existed before + Identity Manager's implementation; +- Simply non-conforming when they are found later. + +For example, consider a (navigation) rule stating that the QuickBooks Level 1 Access role entitles +its owner to the Active Directory QuickBooks group membership, that enables them to access the +organization accounting balance information through QuickBooks. + +Now, let's say synchronization finds the Active Directory QuickBooks group membership for Mr. +Smith's Active Directory account. The trouble is, Mr. Smith digital identity has not bee assigned +the QuickBooks Access role: this is an inconsistency. + +In order to fix the inconsistency, Identity Manager creates the assignment of this role to Mr. Smith +to be reviewed by a knowledgeable user who can determine whether the assignment is legitimate or +results from a mistake. 
+ +### Review automation + +Identity Manager provides automation rules to automate the review of non-conforming assignments by +automatically approving/declining assignments that were pending approval for some time, if this +behavior is desired. See the +[Automate the Review of Non-conforming Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) +topic for additional information. + +For example, the single role Server Room Access is requested for Mr. Smith, with a two-step approval +workflow. Ms. Jackson is supposed to review it, and then Mr. Jones. If Ms. Jackson takes too long, +an automation can approve it, or most likely decline it, automatically. This way, the approval +process ends and will need to be restarted at a later date if the need is genuine. + +## Resource Type Assignments + +Resource types are not as intuitive as roles because they are more complex and subtle. Assigning a +resource type materializes: + +- The creation of a resource, usually an account, in the managed system; +- The creation of scalar and navigation properties for this new resource; +- The categorization of the created resource, which means both the correlation of the resource to an + owner, and the classification of the resource into a specific type with specific rules between + owner and owned resources. See the + [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional + information. + +### Reconciliation + +Just like any other assignment, a resource type assignment can be non-confirming when the resource's +existence or its values do not comply with the policy. + +For example, a SAP account is found for a user who should not have one according to the role model's +rules. + +**NOTE:** An account can also be an orphan when it is found in the managed system, but no owner +could be correlated. 
+ +### Consolidated states + +A resource type assignment also has consolidated workflow and provisioning states to represent the +progress of the resource's scalar and navigation assignments. + +Same as previously, the consolidated provisioning state represents the provisioning progress of the +resource type assignment together with its nested scalar/navigation assignments. + +The consolidated workflow state represents the provisioning progress of the resource type assignment +together with its nested scalar/navigation assignments, and it is described by the following values: + +- ConsolidatedWorkflowReviewState represents the progress in the approval workflow for a manual + assignment; + + **NOTE:** Except for very technical use cases, resource types should not be requested manually, + they should only be inferred by a role and thus assigned automatically. + +- ConsolidatedWorkflowBlockedState indicates whether one or more of the nested scalars/navigations + are blocked; +- ConsolidatedWorkflowFoundState indicates whether one or more of the nested scalars/navigations are + stated as non-conforming or pre-existing. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md new file mode 100644 index 0000000000..2fd63054d8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md 
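Review bot: Under "Consolidated states" in `assignments-of-entitlements/index.md`, the paragraph for the consolidated workflow state repeats the provisioning wording ("The consolidated workflow state represents the provisioning progress of the resource type assignment"); it should describe progress in the approval workflow, matching the three `ConsolidatedWorkflow*State` values listed after it. In the approval example, the first bullet says "At the end of the workflow, the assigned role has the workflow state **Requested**", which cannot be the end of the approval workflow, since the following bullets go on to **Pending Approval** and **Approved**; it probably means the end of the request. The QuickBooks example names the role "QuickBooks Level 1 Access" and then "QuickBooks Access". Typos to fix: "the stat switches", "has not bee assigned", "non-confirming", "Identity Manager create assignments", and "Manual assignments and degradations are on the other hand, need to be requested".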
@@ -0,0 +1,128 @@ +# Conforming Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to compute, for a given identity, the appropriate assignments. + +If you are interested in a detailed description of the actual Compute Role Model task algorithm, +please refer to the Reference documentation. This article focuses more on the design decisions and +the underlying philosophy of the process. + +## Overview + +This is how Identity Manager solves the identity lifecycle issue. + +> **FAQ**: During onboarding, moving, offboarding, how can we make sure that an identity has the +> appropriate assignments? +> What are the appropriate assignments? + +They are a trade-off between having enough assignments to work efficiently but not too many as to +pose a security threat. + +Choosing the appropriate assignments is a science as much as an art. Identity Manager helps +formalize decision rules to make them more efficient. But talking about assignments and their +provisioning requires the appropriate language. + +## Roles + +> **FAQ**: What does assigning an entitlement means? + +In a target application, it is granting an account membership for a group, changing a person's +clearance level, adding an authorized account to the access control list of a resource, etc. + +Performing an assignment requires a great deal of knowledge about the inner mechanisms of the target +authorization mechanism. That makes talking about entitlement even more complicated. Am I talking +about a group, a resource's access control list, a clearance level? + +Identity Manager here aims at: + +- Making every assignment decision more intentional. +- Making automation of those assignment decisions possible. + +For these goals, Identity Manager hides this complexity behind an ubiquitous language, using a +widely known model: RBAC. 
In the end, talking about entitlements is talking about roles. No more +multiple obscure authorization mechanisms. + +This makes thinking about entitlements within Identity Manager easy. The provisioning issues stay +out of the way, and all the energy can be focused on designing the perfect assignment policy. + +The appropriate model also helps formalizing rules that can be used for automation. + +## Dimensions + +Assignment decisions for a user are always made based on the user's needs and legitimacy. + +> **FAQ**: Are employees working on tasks that need this assignment? Are they senior enough to have +> that responsibility? + +The basis for an assignment decision can be seen as a set of "identity attributes" that represent +the place of the employee in the organization. + +We can formalize these "identity attributes", on which informal assignment decisions are made, by +translating them into dimensions. Identity Manager's dimensions are exactly that: key criteria, on +which assignment decisions are based. + +Just as roles, dimensions are a fundamental piece of the puzzle. Choosing dimensions forces users to +sit down and really think about what really motivates assignment decisions in the organization. It +is going to help with automation but it is also going to help come up with better decision rules, +and hence improve the overall security of the organization. Assignment rules naturally flow from +dimensions and roles. + +## Rules + +> **FAQ**: Do all employees working on a given task have the entitlements they need? + +Roles and dimensions are the basis for a language that enables users to formalize, in a very +explicit way, the assignment policy: who should get what entitlement. Dimensions are criteria for +decisions and roles are the result of a decision. We are now only missing the rules that map +criteria to roles. + +Those are the assignment rules: single role rules and composite role rules. + +Writing the assignment policy actually becomes very easy. 
Once dimensions and roles are identified, +assignment rules become obvious. + +The last difficulty is provisioning those assignments. + +## Provisioning + +> **FAQ**: Is the data from the target application complying with the rules created earlier? + +Translating roles into provisioning orders is finding out how the target application should be +changed to satisfy the assignments. This is where the technical complexity that was hidden by the +role, should be written. Authorization mechanisms map so well to RBAC that provisioning mechanisms +naturally flow from the roles. + +Provisioning mechanisms all follow this pattern: + +1. Start with the **identity**. +2. Find the resource in the target application that should be updated to satisfy the assignment + requirement. It is often an account. That's the **correlation**. +3. Compute the value of the data that should be updated in the target resource. That's + **provisioning rules**. + +One last point to consider is that provisioning rules and correlation sometimes depend on the type +of resource we are handling. Authorization mechanisms often discriminate between resources, +depending on their relevance for security. We might need specific provisioning rules to enforce this +difference. + +The resource type materializes the classification of resources of the same application into +categories relevant from a security point of view. As a bonus, classifying resources help with +governance. + +## The Role Model + +> **FAQ**: What is the role model in a nutshell? + +Dimensions, roles, assignment rules, resource type, provisioning rules. + +You start with dimensions. From there, roles are deduced from assignment rules. They are translated +to provisioning orders, following scalar rules and correlation rules and resource types. + +## When There Are No Rules + +If you're not comfortable yet with writing rules that automatically assign roles, you can skip +dimensions and start this whole process from roles. 
+ +You can assign roles manually to users and still benefit from hiding the provisioning complexity +inside roles, and have a good basis for writing down your assignment policy. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md new file mode 100644 index 0000000000..83e0eebf03 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md 
@@ -0,0 +1,556 @@ +# Evaluate Policy + +Evaluate Policy is the core algorithm of the assignment policy. See the +[ Assignment Policy ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional information. + +The algorithm is applied by the server to a resource. It has the following responsibilities: + +- Enforcing the assignment rules: the algorithm outputs a list of expected assignments for the input + resource +- Evaluating risks +- Managing assignment lifecycle: updating provisioning states +- Purging expired assignments + +See the [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) topic for additional information. + +## Overview + +![Evaluate Policy Overview](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp) + +The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of +assignments of entitlements that comply with the assignment policy. + +That set is composed of roles that should be assigned to the resource and of scalar and navigation +assignments that should exist for that resource as an owner. The latter are in fact values of target +resource properties to fulfill from that resource fed in the algorithm. Those assignments are +referred to as the expected assignments. Manual assignments and derogations are included as well, as +they become rules within the assignment policy. + +Evaluate Policy also identifies the existing assignments. They represent the actual assignments read +(or more accurately, deduced) from the managed systems' resources. + +Finally, the differences between the existing assignments and the expected assignments are computed. +As a result, a set of non-conforming assignments is revealed, to be fixed by provisioning or +validated as derogations. 
+ +Later, provisioning orders are edited, validated by a knowledgeable user and sent to the agent for +connectors to fulfill and fix the differences. + +Evaluate Policy is executed by the task `Usercube-Compute-RoleModel`, usually included in a +regularly scheduled provisioning job. + +See the [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md), +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md), +and [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md) topics for additional information. + +## The Algorithm Steps + +**Step 1 –** **Select resources** from the resource repository, all the relevant properties for +every resource. + +This includes: + +- Attribute values of the resource itself; +- Attribute values of the resources pointed to by a navigation property from the current resource; +- All existing assignments for these resources and their properties such as provisioning state and + workflow state; +- Every property of the source resource, if the resource is a target in an owner/target + relationship; +- Every property of the target resource, if the resource is an owner in an owner/target + relationship; + +Extracting and computing, in an acceptable amount of time, such a load of data is no trivial matter. + +The number of resources to consider is of the order of 100 000 entries for a system managing 10 000 +identities among 4 managed systems. + +To improve execution time, two optimizations are used: + +- Identity Manager uses + [batching](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching) to + perform the database request. The `SELECT` query is divided into sets of smaller queries called + batches. The size of a batch is configurable in the Identity Manager-Compute-RoleModel, with the + `BatchSelectSize` attribute. 
+- Identity Manager only selects resources for which a new assignment computation is needed. They are + resources updated during the last incremental synchronization, and resources that depend on them. + They are identified by the dirty flag, set during incremental synchronization. See the + [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topic for + additional information. + +**NOTE:** For very few edge cases, dependencies between resource values can be difficult to identify +within Identity Manager. An example involves entity property expressions using +[LINQ](https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/linq/) syntax. See +the [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)topic for +additional information. A second- or third-order binding used in such an expression actually defines +a dependency. But Identity Manager does not account for it, because of performance-reliability +trade-offs. That means a resource `R1`, using such an expression to compute one of its properties +values from another resource `R2` property value, might not be updated even if `R2` has been updated +by incremental synchronization. This too can be fixed by using complete synchronization once a day. + +**Step 2 –** **Compute expected assignments** + +The second step is building the expected assignment list by applying the assignment rules to the +input resource. + +This step builds a list, from scratch, of every expected assignment, both role assignments and +assignments issued from provisioning rules. 
+ +The list contains: + +- Automatic assignments, inferred from context-based rules +- Automatic assignments, inferred from other assignments, according to role-based rules +- Manual assignments previously created and derogations previously validated +- Assignments updated by an automation rule. See the + [Automation Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) topic for + additional information. + +To build the list, the algorithm first goes through composite role rules, single role rules, +resource type rules, navigation rules, and applies them in that order. See the +[Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md), +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md), and +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for +additional information. This takes care of automatic assignments. Every step influences the +following one: single roles can be inferred from composite roles that have just been assigned by a +reviewer or an automation rule for example. + +Then, manual assignments and derogations are added to the expected assignments list. They are +extracted from the database, where they were saved after being added from the UI or validated +through the UI, and are considered part of the role model. Manual assignments are identified by the +Approved workflow state. Derogations are identified by the Found and Historic workflow states. + +Role assignments as derogations are displayed to the end-user for confirmation in the Role +Reconciliation screen. 
As long as they are not denied, they are considered a part of the role model +and will not be considered as a non-conforming difference to be fixed by provisioning. They are +deduced from actual resources and resource values found in the managed system, that do not comply +with the assignment rules, and are displayed in the Resource Reconciliation screen. + +Let's detail the rule enforcement mechanisms. + +Match context rules + +Dimensions are really the basis of an assignment process. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Before starting, a context rule is applied, giving for the input resource: + +- The dimension values +- The time period validity of every assignment computed during this Evaluate Policy iteration + +![Computing Context For Input Resource](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp) + +Computing expected role assignments + +Role assignments, on the other hand, are the outcome of the assignment process. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Role assignments are the output of composite role rules and single role rules enforcement. The +outcome of those rules, as assigned composite roles and assigned single roles, is conditioned by the +input resource's context. They are the image of the status of trust and privilege granted to a +resource-identity. + +![Computing Expected Role Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp) + +Enforcing composite role rules + +The first rules that are enforced are the composite role rules. 
See the +[Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md)topic +for additional information. + +For every selected resource, this step enforces composite role rules. That means assigning a +specific composite role to the input resource, based on its context's dimension values. This new +assignment is materialized into a new object called an assigned composite role, stored in the +`UP_AssignedCompositeRoles` table. The resource becomes the owner of the assigned composite role. + +Manual and derogatory assignments of composite roles found in the database are also added to the +expected assignments list. + +Then automation rules are enforced on assigned composite roles. See the +[Automation Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) topic for +additional information. + +**NOTE:** Enforcing automation rules on an assignment means to find, for each assignment, the +matching automation rule, looking at the last review or the creation date, comparing it to the time +defined in the rule and, if needed, apply the rule decision that may approve or decline the +assignment. + +Enforcing single role rules + +Then, single role rules are enforced. That means assigning a specific single role to the input +resource based on its context and existing assigned composite roles, i.e. the composite roles +currently assigned to the resource. Both assigned composite roles freshly created by enforcing +composite role rules and those already in the database are taken into account. In the former case, +single roles created are said to be inferred. + +This is materialized into a new object called an assigned single role, stored in the +UP_AssignedSingleRoles table. The resource becomes the owner of the assigned single role. 
+ +Manual and derogatory assignments found in the database of single roles are also added to the +expected assignments list. + +Then automation rules are enforced on assigned single roles. + +Expected provisioning assignments + +Fulfillment is just the consequence of the role assignment process. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Provisioning-orders-to-be are the output of resource type rules, navigation rules and scalar rules. +The outcome of those rules, as assigned resource types, assigned resource navigation, and assigned +resource scalar is conditioned by the input resource assigned roles, issued during the first +expected role assignments computation or even earlier. They are the exact image of technical +provisioning orders that are to be executed by the agent, after being validated by a knowledgeable +user. See the [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp) + +Enforcing resource type rules + +Resource type rules are enforced. This means creating and adding assigned resource types to the +expected assignments list. This means enforcing the need for a resource of that type to be created +in the managed systems, with the input resource as its owner. + +Then automation rules are enforced on assigned resource types. + +A further step will correlate, to find the actual target resource if it exists. If not, it will +eventually become a provisioning order to create such a resource. + +This can be seen as assigning a target resource to an owner. 
It's still important to note that the +act of assigning a resource to an owner almost always is the consequence of a role assignment. Use +cases for which a single, isolated resource, is "assigned" (i.e. created with specific values) is +rare and is more of a solution to a specific technical problem. + +Enforcing navigation rules + +Finally, navigation rules are enforced. They aim to complete the information about the resource to +be created because of the assigned resource types. If the type rule is the what, this is the how. + +For every assigned resource type, associated navigation rules are enforced. + +Navigation rules are conditioned on the resource's assigned single roles. If a specific single role +is found as assigned to the owner resource of the assigned resource type (i.e. the input resource of +the algorithm), an assigned resource navigation is created in the UP_AssignedResourceNavigation +table, with the resource as its owner. The assigned resource navigation will eventually translate +into a provisioning order. + +The assigned resource navigation is hence the consequence, in the form of a +provisioning-order-to-be, of assigning a role to a resource. + +This means also no assigned resource type, no navigation assignment. Resource type rules are a +prerequisite for the associated navigation rules to be enforced. + +Enforcing scalar rules + +Finally, the scalar rules associated with the target's resource type are enforced and become +assigned resource scalars that will also result in a provisioning order. + +For every assigned resource type, associated scalar rules are enforced. + +They also aim to complete the information about the resource to be created because of the assigned +resource types. + +Found manual assignments and derogation of resource types with their associated navigation and +scalar assignments are added as well. 
+ +**Step 3 –** **Match existing assignments with expected assignments** + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp) + +The expected assignments list is now built. + +For every expected/computed assigned resource type, assigned single role and assigned composite +role, the algorithm finds the matching existing assignment, from the list of assignments. + +The existing list of assignments in the current database is composed of: + +- Assignments computed by the last Evaluate Policy; +- Assignments created by the classification task, including `Found` and `Historic` ones issued from + the analysis of the resource values from the managed system. + +The result is a list of expected assignments that have a counterpart in the list of existing +assignments. + +**Step 4 –** **Assignments cleansing / purge** + +Some assignments are given an expiration date at creation (see the first step, context rules +enforcement). This is the step where expired assignments are removed from the expected assignments +list. + +They will not be deleted, but historized. The validTo column of the UP_Assigned\* is updated. + +Others have been manually denied via the provisioning review screen, or must be canceled because of +rules or resource value changes. Those are deleted too. + +The result is a list of really existing assignments, without the expired, canceled or explicitly +unwanted ones for any reason. + +**Step 5 –** **Correlation** + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp) + +Resource correlation rules are enforced: for every expected assigned resource type, the algorithm +looks for a target resource that correlates the owner, which is the input resource. 
+ +If found, that correlated resource becomes the target of the assigned resource type. If not, a +provisioning order of creation is written. + +A word about correlation. Correlation is achieved by using resource correlation rules. Each rule +applies to a resource type. It defines for the source entity type a quantity computed from its +attributes. It does the same for the target entity types. Those quantities are called correlation +keys. For a given assigned resource type, the correlation algorithm tries to match the owner +correlation key with all available resources of entity type target. If one is found equal, the +matching resource becomes target of said assigned resource type. For every resource, correlation +keys are computed by a regularly scheduled task and stored in the database. + +**Step 6 –** **Handle assignment lifecycle** + +Expected assigned resource scalars and assigned resource navigations matching existing counterparts +are found. + +For every assigned resource type, assigned resource scalar and assigned resource navigation, the +provisioning state is updated according to the correlated target resource values, the matching +existing assignment state and the provisioning state transition algorithm. + +For expected assignments that have a matching existing counterpart, the correlated target resource +values are analyzed. If they match the expected resource values, that means that the last +provisioning order has been indeed well executed. The provisioning state of the associated +assignment is switched to Applied. Same goes for the role assignments from which those scalar and +navigation assignments originated. + +For expected assignments that do not have a matching existing counterpart, they receive their +Pending or Blocked provisioning state. + +Blocked assignments are submitted for validation in the provisioning review screen. 
Blocked assigned +resource types are associated with a confidence level that describes the level of confidence of the +correlation between source and target. The confidence level is a configuration of the resource +correlation rules. + +The workflow state is also analyzed; assignments with Approved (or Cancellation) have been approved +(or denied) and can now be provisioned. + +| Workflow state | Description | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 0—None | Used for Identity Manager's internal computation | +| 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) | +| 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the role. | +| 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | +| 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) | +| 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the role. 
![Workflow State: Calculated - Missing Parameters](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) | +| 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) | +| 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | +| 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | +| 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | +| 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | +| 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | +| 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) | +| 17—Declined | The assignment is explicitly declined during one of the approval steps. | +| 20—Cancellation | The assignment is inferred by a role that was declined. ![Workflow State: Cancellation](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) | + +**Step 7 –** **Delta** + +The existing and expected assignment lists are compared and yield a third list of differences, i.e. +non conforming values in the managed systems that need to be fixed. + +That list will eventually become provisioning orders that will be sent to the agent for fulfillment. + +What constitutes a difference? 
+ +Expected resource and their values not matching the existing resource and their value, for an +existing assignment with an `Applied` or `Executed` provisioning state. + +If the existing assignment is not yet `Applied` the agent might still be preparing the provisioning. +A resource value that does not comply with the role model, but is in the fixing process (meaning an +assignment with a provisioning state of `Pending` or `Sent`) will not come up in the UI. + +**Step 8 –** **Saving the result** + +At this point, Evaluate Policy has computed expected assignments for the resource, by applying rules +and purging expired assignments. + +Expected assignments are: + +- Assigned composite roles and assigned single roles, representing roles assigned to the resource +- Assigned resource scalars and assigned resource navigations, representing scalar and navigation + properties to fulfill to a target resource from that source resource, the ownership relationship + between source and target being materialized by an assigned resource type. + +Expected assigned are written to the database, they will be the basis for the next step: fixing +differences. The writing is optimized by using bulk insert methods. + +To enhance the writing performances, it's not actual assigned\* that are written, but updates from +the existing ones, using the delta computed at step 7. + +For fine-grained assignments such as assigned resource scalars and assigned resource navigations, +Identity Manager stores the policy value i.e. the value computed by Evaluate Policy (not yet +fulfilled) and the current value i.e. the value currently held by the target resource in the managed +systems. + +From there, it is possible to retrieve the differences between existing and expected assignments for +that resource, at any time. + +Remember, the goal of building a set of assignments is twofold: + +- Building a catalog of existing assignments as assigned roles for non-technical users to consult. 
+- Fulfill target values from source resources so as the managed systems comply with the role model. + +The catalog of existing assignments is now available: they are assigned\* with an Applied +provisioning state. Non technical-users can read assigned single roles and assigned composite roles. +Technical users will be more interested in assigned resource scalars and assigned resource +navigations. + +Fulfilling target values from source resources is going to take the form of provisioning orders, +computed from assigned resource scalars and navigations in the Pending or Blocked state. + +## Fixing Differences + +The engine has computed a list of expected assignments. The difference with the managed system +state, as a list of resource values that infer differences in role assignments, can be fixed by +provisioning the expected assignments to the managed systems. + +Some provisioning orders have to be reviewed by a knowledgeable user. Those are provisioning orders +computed from assigned\* with a Blocked provisioning state. The UI provides screens to perform +review and validation. + +Every provisioning order is to fix a difference that has been caused by a change in the source +resource values or in its target resources. + +Let's see in details what kind of differences Identity Manager deals with, and what kind of change +in the managed systems triggers them. + +The workflow state of an assignment helps identify the nature of a difference between that +assignment and the managed systems. + +### UI overview + +Differences are displayed in the following screens: + +- **Provisioning Review** displays `Blocked` (non `Found`, non `Historic`) assigned resource types, + assigned resource navigations and assigned resource scalars. They must be reviewed by a + knowledgeable technical end-user. They are assignments mirroring legit provisioning orders + recently computed by the Evaluate Policy. 
+- **Resource Reconciliation** displays `Found` and `Historic` assigned resource types, assigned + resource navigations and assigned resource scalars. This is where non-conforming resource values + or non-authorized accounts (i.e. a resource that should not exist at all) in the form of + provisioning assignments are displayed. These assignments mirror, at the resource value level, + derogations still not explicitly refused by a knowledgeable end-user. This is where an end-user + can find provisioning assignments that would render legit the non-confirming values and + non-authorized accounts found in the managed systems. +- **Role Reconciliation** displays `Found` and `Historic` assigned single roles and assigned + composite roles. They are role assignments that mirror derogations, at the role level, still not + explicitly refused by a knowledgeable end-user. This is where an end-user can find roles + assignments that would render legit the non-confirming values and non-authorized accounts found in + the managed systems. +- **Redundant Assignments** displays `Approved` assigned roles and assigned resource types tagged as + eligible to be turned into `Calculated`. + +_Remember,_ **Role Review** is a little bit different as it displays manually requested assignments +waiting for manual approval. + +### A target value to update + +A target resource scalar value is different from the scalar value obtained by applying scalar rules +to the source resource. + +This could be caused by a change in the target value directly from within the managed system, before +or after Identity Manager has been plugged in. For example, a target Active Directory account Email +value has been changed. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change in the target made outside/before Identity Manager and found by +synchronization. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a +knowledgeable user, the found non-conforming value will be displayed in the **Resource +Reconciliation** screen, with the suggestion for update. The non-conforming value can either be +kept, and become an exception and overwritten with the rules-issued value. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the Name +of an employee. Synchronization has detected the change in value, and reapplied rules. And now, the +target Active Directory account name has to be updated. + +The corresponding assigned\* would be awarded a workflow state PolicyApproved given the difference +is about a change in the source that caused the need for a change in the target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource update provisioning order. + +### A target resource to create + +A target resource is missing. Applying navigation rules to a source resource yielded the need for a +specific target resource that has not been found by synchronization. + +This could be caused by a missing resource in a managed system even before Identity Manager was +plugged-in or the deletion of such a resource in the managed system afterward. For example, a +nominative Active Directory account has not been created yet for that existing identity. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change or an omission in the target outside/before Identity Manager and found +by synchronization. 
+ +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a missing resource provisioning order. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the Job +Title of an employee. Synchronization has detected it, and reapplied rules, and now, this identity +has to be awarded a new Active Directory account with higher privileges. + +Or it could be caused by the manual assignment of a new Role from within Identity Manager to an +existing identity that would grant that identity with a new account and hence a target resource to +create. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to create a new target because of the +applications of the rules. + +Those cases yield a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource creation provisioning order. + +### A target resource to delete + +An extra target resource has been found by synchronization, it's been correlated with our source +resource, but no navigation rules applied to the source resource yielded the need for its existence. + +This could be caused by an extra resource created directly from within a managed system, or the +change of a rule that makes some existing resources moot. For example, an administration Active +Directory account has been created directly from the managed system and granted to an identity who, +according to the rules, is not entitled to it. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a +knowledgeable user, the found non-authorized account will be displayed in the **Resource +Reconciliation** screen, with the suggestion for deletion. The non-authorized account can either be +kept, and become an exception and or be deleted to comply with the rules. + +The corresponding assigned\* would be awarded a workflow state `Historic` or `Found` given the +difference is about an extra target added outside/before Identity Manager and found by +synchronization. + +This could also be cause by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the +`Job Title` of an employee. Synchronization has detected it, and reapplied rules, and now, this +identity has to be awarded a new Active Directory account with lower privileges, the old one must be +deleted. + +Or it could be caused by explicitly denying a Role to an existing identity from within Identity +Manager which would ripple through and forbid this account from existing. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to deletion a target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource deletion provisioning order. + +Provisioning orders are still fairly technical to read. Non compliant-roles, inferred from +non-compliant resources in the managed systems, are also displayed in the **Role Reconciliation** +screen to be kept or deleted by less technical users. + +## Fulfilling + +Fulfilling assignments is the role of connectors. 
Provisioning orders are written and sent to the +agent via the `Usercube-Generate-ProvisioningOrders` task is added to every provisioning job. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md new file mode 100644 index 0000000000..a8bb8b4ab5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md 
@@ -0,0 +1,124 @@ +# Existing Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +can deduce from synchronized data a list of assignments for every identity. + +## Overview + +One of the main responsibilities of the Compute Role Model task is to translate data from the realm +of the managed systems (such as accounts or groups) into the realm of roles. + +The process results in a list of existing assignments, expressed as assigned roles, for every +identity. + +This is Identity Manager's first computation when deployed in an organization: assessing the current +state of the managed system in order to suggest fixes. + +The main process can be summed up as: + +1. Finding the owner `O` of a resource `R` by applying correlation rules. +2. Deducing roles by applying provisioning rules (such as navigation or scalar) "in reverse". In + this step, Identity Manager tries to find the role that would have yielded a provisioning order + for resource `R`, if assigned to identity `O`. + +The following use cases can be encountered. + +## Use Case 1: One Group, One Role + +This first use case involves a common role model situation: one single role represents one +entitlement, for example an Active Directory group. + +Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory +group _Internet_ through a navigation rule `N`. + +![use_case_1_rolemodel](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp) + +We are going to consider here an identity named John Doe, and his Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +The most straightforward way to think about this role model is to consider the direct flow. This +would happen if John Doe's account wasn't a member of the _Internet_ group. + +1. 
Identity Manager performs the first synchronization, and correlates the nominative Active + Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com) to John Doe. +2. This account is _not_ a member of the AD group _Internet_. +3. A manager assigns the role to John Doe's identity using Identity Manager's UI. +4. The Compute Role Model task applies the navigation rule `N`. +5. A provisioning order for John Doe's Active Directory account becoming a member of the group + _Internet_ is issued. + +This is a typical onboarding scenario for John Doe that happens to start a new job within the +organization after Identity Manager was deployed. + +Now, let's consider what happens for John Doe, if he started his job within the company before +Identity Manager was ever deployed. + +The initial situation is an identity, John Doe, and a "lonely" Active Directory account, +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +This time, Identity Manager performs the "deduction" flow. + +Identity Manager performs the first synchronization and tries to correlate accounts with identities. +This results in finding out that John Doe is the owner of the Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). The synchronization also shows that the +[john.doe@contoso.com](mailto:john.doe@contoso.com) account is a member of the _Internet_ Active +Directory group. + +The situation in Identity Manager database at this point is the following. + +![use_case_1_sync](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp) + +Integrators have defined the Internet single role and linked it to the _Internet_ AD group through +the navigation rule `N`. + +Now, the Compute Role Model task "studies" the role model: the only rule that assigns the _Internet_ +Active Directory group is the navigation rule `N`. 
By following the rule in reverse, Identity +Manager deduces that the role _Internet_ should _de facto_ be assigned to John Doe, so that the +rules be consistent with the data found in the Active Directory. + +The role is now listed under John Doe's assignment list (permissions) in Identity Manager. + +![use_case_1_deduction](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp) + +## Use Case 2: Several Groups, One Role + +This second use case involves another common role model situation: one single role represents two or +more entitlements. The single role is used here to package several Active Directory group +assignments, for example, assignments which are always granted together to perform certain tasks. + +For example, let _Sales manager_ be a single role linked to the Active Directory groups _operations_ +and _sales_ through two navigation rules `N1` and `N2`. + +The "direct" flow here means that if John Doe is assigned the _Sales manager_ role, Identity +Manager fulfills the _operations_ and _sales_ group memberships for John Doe's Active Directory +account. + +Now, let's consider the reverse flow. If John Doe already had membership for the _operations_ and +_sales_ group before Identity Manager was deployed, the AD Synchronization will detect it. By +applying `N1` and `N2` in reverse, Identity Manager deduces that John Doe must have the _Sales +manager_ single role. + +His trusted advisor, Mary Webster, isn't a member of the _operations_ group. She is only a member of +the _sales_ group. Identity Manager applies `N1` in reverse, but there is only one Single Role +(_Sales manager_) that grants the _sales_ group membership. The only way for Mary to be granted the +_sales_ group membership from the role model point-of-view is to have been granted the _Sales +manager_ role. 
For Identity Manager, it is as if Mary had been assigned this role, but is missing +the _operations_ group. That is exactly how it is materialized: the identity for Mary in Identity +Manager will be assigned the _Sales manager_ role, and a missing group membership will come up in +the provisioning review screen. + +If the IGA administrator doesn't want Mary to be granted the _Sales manager_ role and hence the +_operations_ group, another role must be created, that only grants the _sales_ group but not the +_operations_ group. + +## Use Case 3: Several Groups, Several Roles + +The third use case is a less common one, but can still be a little confusing. + +Let's take two roles `B` and `C`. + +- `B` grants membership to two groups: `AD1` and `AD2`. +- `C` grants `AD2` and `AD3`. + +This time, if only `AD2` is found for a given user, no deduction can be made. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/generate-contexts/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/generate-contexts/index.md new file mode 100644 index 0000000000..71dd221e1c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/generate-contexts/index.md 
@@ -0,0 +1,172 @@ +# Generate Contexts + +A context is a set of dimension-value pairs computed using the +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) or the +combination of a context rule and the +[ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) if record +sections are configured. + +A context is used to compute the role assignments for an identity by verifying that the +dimension-value pairs meet the role criteria. + +## Basic Context Generation + +When using only a context rule without a record section, the context generation is straightforward: +a set of dimension-value pairs is created by computing the value of the +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) on the context +rule. + +> For example, the following context rule defines guests' contexts based on their start date, end +> date, and company. +> +> ``` +> +> +> +> ``` + +## Identity Context Generation + +As described in the [Identity Management](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md), identities are +complex to model. Records were introduced to tackle this complexity by allowing multiple positions +for the same identity. + +[ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) go further +by modeling the relationship between positions. Indeed with record sections, it is possible to +define: + +- what are the shared properties between all positions? +- what are the properties unique to each position? +- what happens when there is a time gap between two positions, should the previous be extended or + should the future position be used to fill the gap? 
+- what happens when a position property value is not defined? + +Before illustrating how the record sections can be configured to handle most cases of position +management, here is the background situation for the examples that follow: + +- A position is defined by a `JobTitle`, a `Location`, and a `Department`, all other properties + belong to the identity and are shared between all positions. +- Dimensions are `Category`, `JobTitle`, `Location`, and `Department`. +- Each position will have an `Id`. +- `Sx` represents the start date of the position, and x is the `Id` of the position. +- `Ex` represents the end date of the position, and x is the `Id` of the position. +- `Cs` represents the contract start date. +- `Ce` represents the contract end date. + +The following configuration shows the context rule that will be used for the examples. + +``` + + + +``` + +The context rule start/end dates bindings and expressions won't have any effect on the computation, +they are overridden by the record sections dates properties. + +### Configuration of basic record sections + +``` + +Default section: + + + +Position record section: + + +``` + +The configuration above binds the position to the contract end date, meaning that a position without +an end date will take the end date of the contract. The properties of the position record section +cannot be propagated, meaning if a position does not have a `Location` it cannot take the `Location` +of the previous or future position. + +The following image shows the positions of `Mark Barn` in a defined timeline. 
+ +![simple-recordsection-identity](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp) + +With the given configuration and the identity of `Mark Barn`, the following contexts are generated: + +![simple-recordsection-result](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp) + +Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for +the [Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +Any rules targeting identities with a `fulltime`Category`will be assigned to`Mark +Barn`from`Cs`to`Ce```. + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `S1` to +`E2`. + +Any rules targeting all identities will be assigned to `Mark Barn` from `Cs` to `E2` because from +`E2` to `Ce` there isn't any position. This behavior can be overridden by specifying +`ExtensionKind="None"` on the `Directory_UserRecord_Position` section. + +### Configuration of a position extension + +#### Extension of a property + +The record sections can help extend some position property value when for some time the identity +does not have a position. For example, let's say that an identity can have multiple positions but +they must be in the same `Location`. So it is safe to configure the record sections to copy the +`Location` from a position if: + +- the identity does not have a position for some time; +- for a position, the `Location` is not defined. + +Here is the configuration needed to apply this policy. + +``` + +Default section: + + + +Position record section: + + + + +``` + +The `ExtensionKind="None"` was removed for the `Location` property. 
+ +Using the identity of `Mark Barn` the computed contexts should be as followed: + +![recordsection-withvaluecopy-result1](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp) + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to +`Ce`. + +#### Extension of a whole position + +The [property value copy](#extension-of-a-property) can be leveraged to extend a chosen position +when for some time the identity does not have one. The following configuration and the identity of +`Phoebe Buffay` will be used to showcase a position extension. It is done by removing the +`ExtensionKind="None"` of the position properties. + +``` + +Default section: + + + +Position record section: + + + + +``` + +![positionextension-identity](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp) + +Two contexts will be generated. + +![positionextension-result](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp) + +By default, the previous position is extended when there is a gap. If there isn't any previous +position then the next position will be anticipated. + +The choice of the position to extend can be configured by leveraging the `SortKeyExpression` in the +position [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md new file mode 100644 index 0000000000..edd795bfc5 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md 
@@ -0,0 +1,139 @@ +# Configure Indirect Permissions + +The following how-to assumes that you have already read the topic on +[ Indirect Permissions ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md). + +## Configure Indirect Permissions in an Active Directory + +### Configure an indirect resource rule + +Configuring an Indirect Resource Rule in the Identity Manager Configuration is the only step needed +to set up Indirect Permissions and can be done by answering the following questions: + +- What is the target Entity Type? There are multiple multiple Entity Types but for this example we + will choose `AD User (nominative)`. Another rule can be written if you want to handle Indirect + Permissions for `AD User (administration)`. +- Which permissions can be obtained transitively in the Active Directory? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Here, we do not want to. This also means + that `Correspondence`, `CorrespondenceMembershipProperty`, and `Entitlement` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity +Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` + + +After adding this rule to the Configuration, do not forget to deploy the configuration. + +### Set up a test user + +The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles. 
+ +![Group Membership Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp) + +A running Active Directory instance is required to reproduce these steps yourself. + +#### Edit the Active Directory + +Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB```. Then add ```TestGroupA``` as a member of ```TestGroupB```. Finally add a test user as a member of ```TestGroupA```. The test user can be any existing user in the AD that is known by Identity Manager. + +#### Prepare Identity Manager + +Since we have manually edited the Active Directory, we first need to run an AD synchronization job. +Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, : + +![Single Role Configuration Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp) + +We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```: + +![Composite Role Configuration](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp) + +Then we will also need to add some rules. 
We first need to add one Navigation Rule for each group to link them with their respective Single Role: + +![Navigation Rule Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp) + +And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role: + +![Single Role Rule Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp) + +Even if two rules of a kind are needed, only one is pictured. Do not forget the other one. + +#### Indirect permission display + +After running a [ +Compute Role Model Task +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md), Indirect Permissions should now appear for your test user. + +The next screenshots were taken after adding the direct assignment directly inside the Active Directory. As such, the direct permission is also flagged as ```Non-conforming```. + +If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: + +![View Permissions Simplified](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp) + +To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: + +![View Permissions Advanced](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp) + +You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. 
The ```memberOf``` properties will appear in the list: + +![AD Assigned Resource Navigations](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp) + +## Configure Indirect Permissions in an Microsoft Entra ID + +We can follow the same steps to configure this new rule: + +- What is the target Entity Type? + Once again, we will configure a rule for nominative users. The Entity Type is ```AzureAD_DirectoryObject_NominativeUser```. +- Which permissions can be obtained transitively in the Microsoft Entra ID (formerly Microsoft Azure AD)? + Users get permissions by being members of a group. The property is ```memberOf```. +- Do we want to look for correspondences in another system? + Here, we do not want to (it is possible, but it is not the aim of this How-To). + This also means that ```Correspondence```, ```CorrespondenceMembershipProperty```, and ```Entitlement``` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` + +## Configure Indirect Permissions in SharePoint using Correspondences from an Microsoft Entra ID + +We can follow the same steps to configure this new rule, but this time we will showcase the +correspondence feature: + +- What is the target Entity Type? We first start in the Microsoft Entra ID. Once again, we will + configure a rule for nominative users. The Entity Type is + `AzureAD_DirectoryObject_NominativeUser`. +- Which permissions can be obtained transitively in the Microsoft Entra ID? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Yes, we want to find correspondences in + SharePoint. A correspondence can be found using the `SharePointObject` property. +- Which permissions can be obtained transitively in SharePoint? 
Once again, users get permissions + based on which groups they are a member of. The property capturing this notion for SharePoint + entities is `Group` +- Is being member of a group in SharePoint the type of permissions that we want to capture? While + this can be computed, we are rather interested in compiling which SharePoint objects a user can + view/change/etc. We obtain this information using the `Entitlement` property. + +Finally, if we compile all this information and use the naming convention of the standard Identity +Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +``` + + +This rule will also compute indirect permissions for the Microsoft Entra ID. +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md new file mode 100644 index 0000000000..456fee40eb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md 
@@ -0,0 +1,56 @@ +# Infer Single Roles with a Composite Role + +This guide shows how to assign several single roles via the assignment of one composite role. + +It is possible to infer SingleRoles with +[ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md). The +SingleRole can only be inferred by the CompositeRole if both the CompositeRole and SingleRole rules +are verified. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +[ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) to define which +EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Composite Role + +A CompositeRole is created in the same way as a SingleRole. + +``` + + + +``` + +## Assign the Composite Role Based on the Dimension + +This step is optional for our simple purpose of inferring single roles with a composite role. The +composite role can be linked to a dimension, but it does not have to. + +The CompositeRoleRule can be limited with the use of dimensions. + +``` + + + +``` + +## Assign Single Roles Based on the Composite Role + +The link between a SingleRole and a CompositeRole is made in the SingleRoleRule. + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md new file mode 100644 index 0000000000..34b830d6cd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md 
@@ -0,0 +1,98 @@ +# Restrict the Assignment + +This guide shows how to use filters on dimensions and/or roles to restrict the assignment of a role +or resource type. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +[ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) to define which +EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Single Role + +To be able to filter with the dimensions previously created, it is necessary to first create +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) which will +serve as a restriction to the assignment of ResourceTypes for a given source. + +The example below creates a SingleRole for the EntityType Directory_User (source of the +ResourceTypes you want to restrict). + +``` + + + +``` + +## Assign the Role Based on the Dimension + +We will define a +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) on the +"Title"; dimension with a given value to restrict the allocation of a resource in only one case. + +``` + + + +``` + +D1 represents the dimension whose ColumnMapping="1". + +``` + + + +``` + +The value in property D1 implies that the rule is checked only if the source resource has as +association to the EntityType related to dimension 1 is "FCT0402". + +## Assign a Resource Type Based on the Role + +The restriction on the creation of these accounts is integrated directly into the type rule of the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). 
This implies +that the ResourceType will only apply if the +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) are +checked. + +This part will link a SingleRole to a ResourceType. This implies that the allocation of a target +resource to a source will only be done if the SingleRole rule(s) are verified. + +``` + + .... + + +``` + +### Use a navigation rule instead of a type rule + +A [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) in addition +to filling a multi-valued association, also serves as an allocation context for a ResourceType. + +There are 3 ways to restrict the allocation of the ResourceType with a NavigationRule: + +- Fill in one or more dimensions directly in the NavigationRule. +- Fill in a SingleRole. +- Fill in one or more dimensions and a SingleRole. + +For the last 2 cases this will induce the ResourceType by the SingleRole. + +``` + + ... + + +``` + +In the example above the ResourceType does not need a TypeRule because the NavigationRule already +serves as an allocation context. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/index.md new file mode 100644 index 0000000000..d9001b684b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/index.md @@ -0,0 +1,7 @@ +# Role Assignment + +Once the role model is established, role assignment can be performed, i.e. missing or non-conforming +assignments can be detected in order to give users the appropriate access rights. + +Be sure to read first the documentation about the role model. See the +[ Role Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md) topic for additional information. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md new file mode 100644 index 0000000000..0af1c7eda2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md 
@@ -0,0 +1,107 @@ +# Indirect Permissions + +Identity Manager can compute, for a given identity, permissions that are obtained implicitly or +indirectly through assignments. The +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is responsible for this functionality. + +## Overview + +Assigning a role to a user can give them new permissions in a managed system by giving access to a +new role or a new group, for example. This assignment is direct as it is entirely explicit. However, +the user might also receive some **additional permissions that are inherited through the new +permission** and that are not explicit. For instance in some systems, users can get permissions by +being a member of a group but groups can also be members of other groups, and therefore allow for +transitive permission acquisitions. These permissions are called indirect. This notion can also be +extended when permissions in a managed system also give other permissions in an external system. + +Indirect Permissions are automatically computed by the +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +along with standard explicit or direct permissions during a full update. Indirect permissions will +not be computed when processing a single user (for instance through "Repair Data (helpdesk)") or +during simulations. + +## Configuration + +The computation of Indirect Permissions is based on the configured +[ Indirect Resource Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md). +These rules tell Identity Manager how to navigate the managed system and how to recover permissions +that a user inherits implicitly. 
An Indirect Resource Rule is composed of the following properties: + +- `ResourceType`—The + [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) to which the + rule will be applied. +- `Property` — The [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in the _target_ system. +- `Correspondence` (optional)— The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) that is used to + recover the correspondence of a resource from the _target_ system in the _external_ system. +- `CorrespondenceMembershipProperty` (optional) — The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in an _external_ system. +- `Entitlement` (optional) — The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) that can be + configured if the permission in the _external_ system needs to be recovered from the discovered + resources. For instance one can use this property to recover the entitlements of Sharepoint groups + (while `CorrespondenceMembershipProperty` will be used to recover the group membership graph). + +If either `Correspondence` or `CorrespondenceMembershipProperty` is specified, then the other +property must be specified as well. + +If `Entitlement` is specified, then both `Correspondence` and `CorrespondenceMembershipProperty` +also need to be specified. + +- `TargetEntityTypeProperty` — The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which identifies + each rule given a resource type. 
+- `TargetEntityTypeReflexiveProperty` — The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in the _target_ system. +- `IndirectResourceBinding`— The [ Bindings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/bindings/index.md) that is used to + recover an assignment from a permission in either system (target or external). It is also used to + define the correspondence between resources in both systems. +- `IndirectResourceReflexiveProperty` (optional): The + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in an _external_ system. + +Correspondences between resources are necessarily one-sided: the Indirect Permissions computation is +started in the managed system and if a correspondence is found, the computation will be continued in +the external system. Correspondences won't be checked in the external system. + +An example of an Indirect Resource Rule configuration is available in How-To: +[ Configure Indirect Permissions ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md) in an Active +Directory. + +## What Can Be an Indirect Permission? + +The +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +will create indirect Assigned Resource Navigations for the permissions that it finds, but if and +only if these permissions are associated with a +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). 
+ +If a [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) is associated +with one of these Resource Navigation Rules, then an indirect Single Role will also be recovered. + +Finally, if at least one indirect Single Role is used to recover a +[ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md), then the +Composite Role will also be indirect. + +## What Can Be Done with Indirect Permissions? + +Currently, Indirect Permissions are only displayed and found in the users' `View Permissions` tab in +the `Advanced View`: Indirect Permissions (except Composite Roles) are hidden in the +`Simplified View`. + +Although Indirect Permissions are marked as `Non-conforming`, they can be neither approved nor +deleted. They also won't appear in Access certification campaigns. + +Indirect Permissions are always indicated by the following icon: +![Indirect Permission Icon](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp) + +## Disabling the Indirect Permission Computation + +In case of emergency, one can disable the computation of indirect permissions by adding the +`"DisableIndirectPermissions": true` field to the root of the `appsettings`. While the computation +is disabled, indirect permissions will be frozen in time: any existing one will not be deleted and +any potential new one will not be added. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md new file mode 100644 index 0000000000..4390671d1b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md 
@@ -0,0 +1,64 @@ +# Non-Conforming Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to detect from synchronized data a list of non-conforming or missing resources/entitlements +for every identity. That is one of Identity Manager's most powerful governance features, provided +you have a full role model configured. + +## Build the conforming assignment list + +The **first step** is building the conforming assignment list, as explained in the +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md). This list (list `A`) +includes the assignments that perfectly comply with the role model/assignment policy. + +## Build the existing assignment list + +The **second step** is building the existing assignment list (list `B`), as explained in +the[ Existing Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md) every synced resource can be +translated into a role assignment following the assignment rules "in reverse". + +## Compare both lists + +We can now **compare both lists** to find out if the managed systems really comply with the decided +upon assignment policy. + +For every assignment from list `B` representing resources from the synced data: + +1. There is a rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was expected, it can be found in list `A`. +2. There is no rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was unexpected, it is not in list `A` or it is in list `A` but not with + exactly the same property values. + +The "unexpected" (or non-conforming) assignments can be for example orphan accounts. 
Sometimes, the +account itself should indeed exist according to the rules, but its attribute values are +"unexpected", contradicting scalar rules. + +Non-conforming accounts are presented in the reconciliation screens: from the role point-of-view in +the role reconciliation screen and from the resource point-of-view in the resource reconciliation +screen. + +They need human confirmation to be either kept or destroyed. + +For every assignment from list `A` representing expected assignments: + +1. There is an exact match in list `B`. The managed system complies with the assignment policy for + this resource. +2. There is no match in list `B`: the managed system doesn't comply with the assignment policy. The + resource is missing (the account is missing). + +Missing accounts are presented in the provisioning review for validation before provisioning. + +Identity Manager will **never delete data** without having a user's confirmation first. That is the +reason why these variations from the ideal aren't fixed automatically but submitted for review. + +Some users might wonder how they can perform governance if they don't have automated rules. +Certification can help. By reviewing (even manually) the entitlement landscape, non-conforming +account proliferation can be contained. + +This feature is the final touch of the **sync-fulfill-verify loop** that makes Identity Manager so +efficient. It is exactly like a closed-loop control system with a feedback loop: perturbations, in +the form of modifications in a managed system that don't go through Identity Manager first, trigger +a reaction. This reaction uses the role model to suggest a fix. This is the only way for the state +of the entitlement landscape to tend towards the ideal standards described by the rules. 
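Review bot: In indirectpermissions/index.md (`@@ -0,0 +1,107 @@`), the "Configuration" property list looks like two naming schemes for the same fields merged into one list: `Property` and `TargetEntityTypeReflexiveProperty` carry the identical description ("which corresponds to the user permission in the _target_ system"), and `CorrespondenceMembershipProperty` and `IndirectResourceReflexiveProperty` both read "the user permission in an _external_ system". The two dependency paragraphs ("If either `Correspondence` or `CorrespondenceMembershipProperty` is specified...") also sit between the two halves of the list, so it is unclear which names they constrain. Please keep only the property names the 6.2 Indirect Resource Rule accepts, put the constraints after the list, and use one separator style (the entries currently mix spaced dashes, unspaced dashes and a colon). Every property is linked as "Entity Type" although each is described as a property, so the link target should be checked as well. In "What Can Be an Indirect Permission?", "one of these Resource Navigation Rules" has no antecedent in the preceding paragraph. In "Disabling the Indirect Permission Computation", since entries are "frozen in time" while the flag is set, it would help to state that the View Permissions tab may then show stale indirect permissions and what brings them back up to date once the flag is removed.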
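Review bot: In nonconformingdetection/index.md (`@@ -0,0 +1,64 @@`), the sentence under "Build the existing assignment list" is broken: "as explained in the[ Existing Assignments ](...) every synced resource can be translated into a role assignment" runs two clauses together with no punctuation and no space before the link. Split it after the link, for example "...as explained in Existing Assignments. Every synced resource can be translated...". Under "Compare both lists", both numbered lists describe alternative outcomes (expected vs. unexpected, match vs. no match), not sequential steps, so bullets would read more accurately than "1." and "2.". The statement "They need human confirmation to be either kept or destroyed" and the later "Identity Manager will **never delete data** without having a user's confirmation first" say the same thing in two places; consider stating it once, next to the reconciliation screens, since that is the control a reviewer of this page will look for.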
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-mining/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-mining/index.md new file mode 100644 index 0000000000..9c2efd8e8a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-mining/index.md 
@@ -0,0 +1,138 @@ +# Role Mining + +Role mining aims to reduce the cost of entitlement management by automating entitlement assignments, +via the analysis of existing assignments. See the +[ Automate Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md) topic for +additional information. + +## Overview + +After the role catalog is established, the +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to assign single roles to users according to their attributes which are used as assignment +criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the Compute-RoleModel task is able to assign single roles to users according to their existing +> group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will +assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md)that +constitute the key criteria for existing role assignments. 
It detects the most probable links +between identities dimensions and their roles in order to suggest the appropriate entitlement +assignment rules. + +> For example, suppose that 80% of Netwrix Identity Manager (formerly Usercube)workers in Marseilles +> have access to an application "App". Then, role mining is most likely to recognize the working +> site as a relevant dimension, and suggest to create a rule that gives the "App" access to users +> whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +### Technical Principles + +Role mining works through +[ Mining Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) that Identity Manager +applies with the +[ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +### Impact on users' entitlements + +Consider that all users from a given organization have a given role. Then role mining will create a +single role rule to assign automatically this role to any user of this organization. Then users' +entitlements remain unchanged: + +![Impact Example - Use Case 1](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp) + +Now consider that half of users in the organization have the role. Then role mining will not +generate a role assignment rule. 
Then users' entitlements remain unchanged: + +![Impact Example - Use Case 2](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp) + +Starting from the previous example, consider now that users progressively request the role. As long +as the ratio is below a given threshold, then role mining will not generate a role assignment rule. +Then users' entitlements remain unchanged: + +![Impact Example - Use Case 3](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp) + +Starting from the previous example, consider now that users continue requesting the role. As soon as +the ratio is above the threshold, then role mining will create a single role rule to assign +automatically this role to any user in the organization. Then a few users are going to get the +entitlement: + +![Impact Example - Use Case 4](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp) + +Starting from the previous example, consider now that, as a result of a reorganization or an access +certification for example, some users do not have the role anymore. If the ratio is below the +threshold, then role mining will remove the single role rule. If the role (or its policy) is +configured with a [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), +users who need the role will not lose it. Then users' entitlements remain unchanged: + +![Impact Example - Use Case 5](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp) + +## Perform Role Mining + +See the +[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) for +additional information. 
+ +### Simulation + +Be aware that you can configure the +[ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +to generate role assignment rules either directly or in a [Simulation](/docs/identitymanager/6.2/identitymanager/integration-guide/simulation/index.md). + +Simulating the results of role mining allows a knowledgeable user to analyze the impact of role +mining on the role model, before applying them. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_simulation.webp) + +The simulation tool gives another point of view on the role model as it emphasizes the changes. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp) + +Identity Manager recommends simulating role mining before applying the results. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md new file mode 100644 index 0000000000..a8f562c3f2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md 
@@ -0,0 +1,62 @@ +# Role Model + +The role model, with its computation and enforcement, is at the heart of Identity Manager's engine. +It is composed mainly of roles, representing entitlements, and rules, enforcing the company +assignment policies. + +Make sure to read the introduction on entitlement management first. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic +for additional information. + +## Roles + +Roles represent entitlements from the managed systems, but expressed in a language understandable by +non-technical people. + +A single role is meant to represent one entitlement from a managed system, by acting as a label, +thus allowing better organization and readability. + +A composite role is meant to group several single roles into a meaningful, business-themed +entitlement package. + +In this way, the role model can be seen as a +[Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) (RBAC). + +## Assignment Rules + +An +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +gives an entitlement to a user, usually based on (at least) one criterion from the user's data. +Assignment rules are: + +- single role rules which assign single roles; +- composite role rules which assign composite roles; +- resource type rules which assign resources, usually accounts, of specific types. + +The identity criteria that trigger the rules are named dimensions. + +In this way, the role model can also be seen as an +[Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) +(ABAC) model. + +Identity Manager gives users access to given resources in the managed systems, based on roles and +rules, but it does not override the managed systems' authorization mechanisms. 
+ +## Enforcement of the Assignment Policy + +The company's policy for entitlement assignment is enforced by Identity Manager with the computation +of the role model, through the +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +It applies all the configured rules, thus: + +- helping build a catalog of all available entitlements in the managed systems, see + [ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md); +- helping build the rules that define the assignment policy, i.e. the expected entitlement + assignments for all users, see + the[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md); +- automating entitlement assignment, see + [ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md); +- generating the provisioning orders that enable writing to the managed systems, see + [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md); +- detecting assignments in the managed systems that do not comply with the policy, see the + [ Review Non-conforming Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md new file mode 100644 index 0000000000..7912a56382 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md 
@@ -0,0 +1,255 @@ +# Assignment Policy + +The assignment policy is the set of rules enforced on the resources to compute automatic assignments +and risks. It contains the role model and risks definition. + +## The Role Model + +The Introduction Guide introduced the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) and +how it influences assigning entitlements to identities. Let's sum up the key principles here. + +1. Identities are resources. +2. Assignments of entitlements are materialized by resources, their values and associations. +3. Identity Manager uses a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control) + assignment policy to grant entitlements to identities, i.e. granting a role entails granting + entitlements. +4. The role model is first a catalog of available roles + ([ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) and + [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md)), + identified by meaningful names aimed at non-technical end-users. These roles represent status of + trust and privileges, to be assigned to identities, manually or automatically. +5. The role model is also a set of rules aiming at assign automatically roles to identities, based + on relevant criteria, namely + [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md). +6. The role model classifies resources by security concerns thanks to resource types. +7. The role model contains correlation rules identifying ownership of target resource by an + identity. +8. The role model contains provisioning rules describing if and how target resources and their + values should be computed from source resource values. 
+ +Resource types, single roles and composite roles can be grouped into +[ Category ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md). They are used in the +UI to organize the Roles catalog display. Categories are organized in a hierarchical tree structure. + +### Policy + +A [Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) is a set of assignment +rules. At least one policy must be declared. + +All resource types, single roles and composite roles and categories belong to a policy. + +## Dimensions And Contexts + +One of Identity Manager's distinctive feature is the use of +[Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) +methods to automatically grant fine-grained entitlements. + +Every identity in the organization operates within a specific context. It is a set of information +relevant to making decisions about assigning entitlements for an identity. For example, an employee +working in the R&D department of the New York office at Contoso Corporation is associated with the +`{R&D, New York}` context. + +Analyzing contexts in the organization allows the integration team, in collaboration with a +knowledgeable member of the target organization, to define key criteria on which to base assignments +of entitlements decisions. Those key criteria are called dimensions. + +The integration team defines +[Context Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) and +[Record Section](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md)in the +applicative configuration that assigns, for every identity, a context as a set of dimension-value +pair. 
+ +The details of how contexts are generated can be found in +[Generate Contexts](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/generate-contexts/index.md). + +Every dimension is associated with a finite set of possible values. That means there is a finite set +of possible context. Hence, typical contexts within which an identity operates are modeled. + +Contexts can then be used as a filter for choosing an identity to which to assign a role. + +This mechanism allows the integration team to define rules to take care of the most basics and +repetitive assignments. For example, a +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) assigning a +specific single role to the resources that match a specific context. + +##### Example + +A standard multi-site and multi-department organization would use the following dimensions: + +- `Location`, the physical location where an employee works. +- `Department`, the employee working department, such as `IT`, `Sales` or `Accounting`. + +Roles could be assigned based on location and department of the resource representing an identity. + +For a rule such as "every employee that works in IT must have access to the servers room", the +`ServerRoomAccess` single role would be assigned to every resource of entity type `employee` whose +context contains the value `IT` for the dimension `Department`. + +A context rule would have been written first, defining for every resource of entity type `employee` +how to compute a context: the `Department` dimension value is found in the `department` property of +the resource, the `Location` dimension value is found in the `site` property of the resource. + +## Write Roles And Assignments Rules + +The role model takes a very important place in the applicative configuration. 
It's built by the +integration team, in collaboration with the target organization, to match the organization's needs +and rules in security. + +The role model is built iteratively, together with the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md), +as they closely influence one another. + +The role model evolves and lives during the whole IGA project's lifecycle. Organization rules +change, roles and assignment rules are updated, deleted, added. + +The following gives a few ideas about how a to approach the writing of a role model. + +### 1. Identify single roles + +The first iteration of building of the organization reference model starts to reveal the archetypal +responsibilities and positions of the members of the organization. A +[Single Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) is defined for every +fine-grained organization-level responsibility or position. + +##### Example + +Contoso Corporation employs project managers in their Aircraft Design department to manage aircraft +design projects for clients all around the world. Those projects involve aerodynamics and structure +engineers, construction workers, quality control agents and sale engineers. + +Everyone in the team needs to access the Internet to do research and send e-mails. That's a first +typical single role `Internet Access` that everyone should be assigned to be able to work. + +Aerodynamics engineers need to access remote high-performance computation servers specifically +designed to solve aerodynamics equations. The sensitive nature of the data sent to those servers, +plus the availability constraints, require restricting access to engineers that absolutely need it +to perform their daily tasks. That's another responsibility, that can be translated to a single role +`Aerodynamics Computation Server` for example, that grants access to those servers. 
+ +Structure engineers, on the other hand, do not perform such heavy computations and do not need +access to the aerodynamics computation server. They can work locally, performing computations on +their own workstation. They're not assigned the `Aerodynamics Computation Server` role. + +Quality control agents need access to sensitive information such as accident reports, on the +internal data server named `data0`. Those highly sensitive privileges are not assigned to everyone. +They can be translated to the `Data Server data0` role. + +The project manager needs access to the `data0` and `data1` servers with client contracts. The +`Data Server data0` and `Data Server data1` roles translate those responsibilities. + +### 2. Identify navigation rules and ownership + +For every [Single Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) assigned +to an identity, fine-grained entitlements need to be granted. Those are the resource values in a +managed system. + +Hence, for every single role, the relevant managed systems, type of resource, and resource values to +fulfill are identified. + +They are materialized by: + +- Provisioning rules, such as resource type rules that decide what resources should be found in the + managed systems; and navigation rules or scalar rules, that identify actual values to be fulfilled + from the identity to which the single role is assigned; +- [Resource Correlation Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md), + that identify for an identity, the target resources to fulfill; +- Resource type that organize resources and describe a source/target (or owner/resource) + relationship. + + The resource types identified this way could be suggested to security officers for review, + checking that they match their mental model of the managed system's resources. 
+ + Sets of scalar rules and navigation rules relevant to a specific resource type are gathered into + a resource type. + +#### Example + +Let's consider the `Internet Access` defined at step 1. + +In practice, Contoso Corporation authorizes or block a user Internet access by setting per-user +outbound policies on their network firewall. The firewall integrates with Active Directory which +make it possible to use Active Directory groups membership to enable or disable policies for a user. + +A security officer, to grant Internet access to an employee, would in practice assign a +`Internet Access` group membership to their Active Directory account. That is a fine-grained +entitlement entailed by the assignment of the `Internet Access` single role. That means that, to be +able to grant or restrict Internet access, the link between an identity and their Active Directory +account, used to login to work, must be known. + +To modelize that need within the role model, every identity with `Internet Access` single role is +associated with an Active Directory account. We can find the Active Directory for an identity by +comparing the identity email with the Active Directory entry e-mail. That's an example of +[ Resource Correlation Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +that define the ownership of an Active Directory entry resource by an identity resource. + +### 3. Write assignment rules + +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) describe +criteria for which a [Single Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +is assigned to a resource. The main criterion is a dimension value. For a given resource, the single +role is assigned if the resource's context matches the given dimension value. 
The second criterion +is the assignment of a specific +[Composite Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) (see further). + +A navigation rule describes a fine-grained entitlement in the form of resource association such as a +group membership. Its enforcement is also conditioned by a single role assignment to the relevant +source resource, which in turn materializes the link between a single role and a resource type. + +Those rules are used by Identity Manager to automate role assignments. They are absolutely optional. +A first version of the project can rely on manual assignments of single roles. Those have meaningful +names: Identity Manager already provides a value by allowing non-technical users to request or +assign entitlements. Navigation and or scalar rules can be written in a second time to allow +automated fulfillment. Single role rules can be written after that to set up automated assignments. + +##### Example + +The need for aerodynamics engineers to access the remote computation server is translated by a +single role rule: if the department (a dimension) of that identity is `Aerodynamics R&D` (a +dimension value), then the `Aerodynamics Computation Server` single role must be granted. + +The need for assignment of the `Internet Access` group to the Active Directory account, if the +identity is assigned the `Internet Access` single role is modeled by a navigation rule that +stipulates that if that identity is assigned that role, then the `memberOf` property of the owned +Active Directory entry resource should be set to the AD group named `Internet Access`. + +### 4. 
Use Composite Roles To Organize Single Roles (optional) + +[Single Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) can be packaged into +[Composite Role](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md). Assigning a +composite role to an identity immediately assigns the packaged single role to that identity. Single +roles assigned this way are said to be inferred. + +The [Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md) +(see composite role rules describe criteria for which a composite role is assigned to an identity. +Then, the composite role can be used as a condition in a +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md). This is +how packages are built. + +### Summary - A mental model to help build a role model + +To help build a role model, consider this mental model that captures the key events occurring +between the assignments of a role and the actual assignment of entitlement. + +1. A resource-identity `Ri` is associated with a context `Ci`, i.e. dimension values. +2. `Ri` is assigned a single role `SRa`, manually or as a result of dimension comparisons. +3. Identity Manager's engine identifies a resource type `Rt` with the type rule `Tr` whose condition + matches `SRa` and/or `Ci`. +4. Using `Rt`'s definition, Identity Manager's engine identifies by correlation a target resource + `Tr` from the resource repository that must be created or updated to materialize `SRa`. +5. Identity Manager's engine identifies `Rt`'s navigation rule `Nr` whose condition matches `SRa` + and/or `Ci`, and associated scalar rules `Sr`. +6. 
Using `Sr` and `Nr`'s definition, Identity Manager's engine identifies `Tr`'s values to be + provisioned to materialize `SRa`. + +This series of steps is actually a very simplified version of the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +![Cascading From Dimensions To Roles To Provisioning Orders](/img/product_docs/identitymanager/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) + +--- + +## Evaluate Policy + +This chapter gives the basis of the assignments vocabulary. The next chapter enlightens the reader +about the inner details of the Evaluate Policy algorithm. See the +[Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/simulation/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/simulation/index.md new file mode 100644 index 0000000000..cffafb07d9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/simulation/index.md 
@@ -0,0 +1,43 @@ +# Simulation + +Simulations aim to assess the impact of a modification in the role model, i.e. any modification of a +role or rule, before it is applied. + +## Overview + +Identity Manager's simulations gather roles and rules which are to be created, modified or deleted, +without being inserted in the actual role model straight away. More specifically, a simulation can +involve: + +- [ Resource Correlation Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) + and + [ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md); +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) and + [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md); +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) rules; +- [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) and + [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md)and + [Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). + +A simulation can also be created by the +[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) for +the automation of role assignments. 
+ +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +Netwrix Identity Manager (formerly Usercube) recommends using simulation whenever performing an +action (creation/modification/deletion) on the role model. + +## Perform a Simulation + +See the [ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md new file mode 100644 index 0000000000..3a1042fa9b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md @@ -0,0 +1,11 @@ +# Synchronization + +The documentation is not yet available for this page and will be completed in the near future. + +See more information about [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +See how to [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)for a given managed +system. + +See how to anticipate changes due to synchronization thanks to +[ Thresholds ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md new file mode 100644 index 0000000000..8404110152 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md 
@@ -0,0 +1,73 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Identity Manager +stops the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though they should not all be. Each action must be +"guarded" by at least one threshold. + +Once the changes have been reviewed, the +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) (or not). + +As long as a synchronization job is blocked for a connector, the export, prepare-synchronization and +synchronization tasks of this connector are removed from incremental jobs. The synchronization is +unblocked as soon as the blocked job is resumed, or as soon as a job involving the connector is +launched in complete mode. + +## Thresholds for Synchronization + +Synchronization thresholds can be configured in XML files via: + +- [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) to + count the number of resources impacted by synchronization inside a given entity type. 
They are + configured with: + + | Absolute Threshold | Relative Threshold | + | ---------------------- | ---------------------------- | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + +- [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + to count the number of navigation properties impacted by synchronization inside a given entity + type. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +- [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) to count the number + of resources and/or navigation properties impacted by synchronization inside all entity types of a + given connector. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | **Resources** | | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + | **Navigation Properties** | | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop synchronization. + +For example, in a connector, the default values for thresholds are 100 modifications for resources +(`Maximum...Lines`) and 1000 modifications for navigation properties (`MaximumLink...Lines`). 
+ +If we launch synchronization for an entity type whose threshold values are lower than the +connector's, then Identity Manager blocks synchronization as soon as the number of modifications +exceeds the entity type's threshold values. + +If the entity type's threshold values are higher than the connector's, then Identity Manager blocks +synchronization as soon as the number of modifications exceeds the connector's threshold values (100 +resources or 1000 navigation properties). + +Distinct [ Thresholds ](/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/prov-thresholds/index.md) are configurable for +provisioning. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md new file mode 100644 index 0000000000..0be7323ea9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md 
@@ -0,0 +1,436 @@ +# Upward Data Synchronization + +Upward Data Synchronization (Sync Up) is the process that copies relevant managed systems data into +Identity Manager's [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) and translates them into resources +that match the configured Entity Model. + +Performing a _Sync Up_ allows the user to: + +- integrate the managed systems state with Identity Manager. The copied data serves as the basis for + the assignment computation; +- check that previously edited provisioning orders have been accurately executed; +- ascertains differences between the real managed system state and the + [ Assignment Policy ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md) theoretical state. + +## Overview + +### A scheduled sync up per managed system + +_Sync Up_ is performed regularly, at least every day, as a set of +[ Tasks & Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/index.md). + +A _Sync Up_ is planned for every managed system that interact with Identity Manager. + +A _Sync Up_ is associated with a [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md). + +### Three sync up mode + +Identity Manager provides three distinct synchronization algorithms: + +- _incremental_ +- _complete_ +- _initial_ + +_Complete_ is most straightforward one. A _complete\_\_Sync Up_ loads the managed systems' data into +Identity Manager as-is, replacing entirely the currently held data. + +As it involves sending large amounts of data over HTTP between _Agent_ and _Server_, _complete_ +execution time can be quite large. + +To improve the _Sync Up_ execution time, Identity Manager provides the _incremental_ mode. This mode +only considers changes made to the managed systems since the last _Sync Up_. Those are applied to +the Identity Manager's database. 
Only changes are sent through the network, instead of whole data +files, which allows the _Sync Up_ execution time to be greatly reduced. + +Changes are computed either by the managed system itself, given such capabilities are available, or +by a Identity Manager's _Agent_. + +However, the _incremental_ mode cannot be 100% reliable for two reasons. + +First, it relies on external inputs that are not directly controlled by Identity Manager. Second, it +only exports changes based on the managed system state, not on Identity Manager's database state. + +Upward Data Synchronizationcould cause slight differences between the database's state and the +managed systems'. Order can be restored by running a _complete_ Sync Up regularly. A _complete_ Sync +Up ensures the database is in a stable state, faithfully reflecting the managed system state, before +resuming the _incremental Sync Up_ iterations. + +Safeguards are also implemented to avoid accidental overwrites, that would be caused by an empty or +incomplete input. + +Finally, the _initial\_\_Sync Up_ is designed to be used the first time a managed system connects to +Identity Manager. Just as the _complete_, it loads the data as a whole. But, unlike the _complete_, +it does not overwrites the currently held data and does not provide any safeguard. The _initial_ +mode provides a quick way to perform the first _Sync Up_. The trade-off is security: +_initial\_\_Sync Up_ should only be used the first time a managed system connected to Identity +Manager and the database is empty, as far as this connector is concerned. Launching the Initial +_Sync Up_ twice would actually load the same data twice whereas launching the _complete_ twice would +have the same effect as launching the _complete_ once. + +### An ETL process + +_Sync Up_ is organized as an +[Extract, Transform, Load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. 
It's +composed of three steps: _export_, _prepare-synchronization_, and _synchronization_. + +## Export + +The _Export_ is the first step of the _Sync Up_. + +During this step, data is extracted from the managed system and generates _CSV files_ containing the +managed system's raw data. The **output** of this process is called the **_CSV source files_**. They +are written to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) waiting +to be used by the next-in-line _prepare-synchronization task_. + +The _Export_ occurs _Agent_-side. + +### Native support or custom process + +Depending on the managed systems capabilities, an _Export_ step can be performed by one of Identity +Manager's native tasks or by custom scripts. + +#### Using native process + +Identity Manager's [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) provide native _Export_ tasks for the +most common managed systems. _Active Directory_, _SAP_, or _SharePoint_ are examples of natively +supported managed systems. The output _CSV source files_ format is described in the +[Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) section together with an exhaustive list of supported source +managed systems. + +[Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md)are Identity Manager's link to the managed system. They +provide configurable export and fulfill capabilities that can be used by Identity Manager *as-is* +without any further development. + +#### Using a custom process + +Exporting data from a managed system without a native Identity Manager process is still possible by +writing a custom _Export_ process. + +If the managed system has built-in export capabilities, Identity Manager can simply rely on exports +scheduled by the source managed system. 
Regularly, the managed system generates reports, in whatever +format. A custom task, such as a +[ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md), +can then be used to retrieve the generated exports, adapt them to the _CSV source files_ format +expected by Identity Manager and copy them to the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md). The +whole can be scheduled and orchestrated by a [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +**For example**, a common scenario is to configure an HR management system to perform daily extracts +of its data to CSV files for the _Agent_ to find. This usually can be set up without any Identity +Manager's task, just by using the managed system and the organization's network capabilities. + +If the managed system does not provide built-in export features but provides an API or an exposed +database, it's possible to write a custom _export_ process based on that API or direct requests to +the managed system's database. This process can then be used as an _export task_ wrapped in a +[ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) +or a +[ Invoke Sql Command Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md). +Any Windows process that can be called from a PowerShell script and generate a CSV file can serve as +an export process. + +**How to choose the custom CSV source file format ?** It's best to keep it simple and stick as +closely as possible to the managed system data model. 
Data cleansing and translation to the resource +repository's Entity Model is handled later in the _Sync Up_ process. There is no need to try and +optimize the CSV source file format in a custom script. It's best to keep it close to the managed +system to be able to spot early _export_ errors. + +### Export tasks output + +The format of the exported _CSV Source files_ depends on the chosen _Sync Up_ mode and on the used +_export task_. Nonetheless, there are a few criteria that _prepare-synchronization_ expects to find +in those files. + +First, it must be a CSV format. One line per entry, and every attribute as a column. + +Then, there is a slight difference between _Complete/Initial_ and _Incremental_ export. + +With the _Complete_ and _Initial_ modes, _CSV source files_ contain an exact extract of the managed +system's data as a list of entries. At this point, the Entity Model is not yet involved. Every line +of the _CSV source file_ mirrors a line in the source managed system database. + +With _Incremental_ mode, if the source managed system is able, one more column is added. It contains +a ADD, UPDATE, or DELETE instruction. _Incremental_ export generates a list of changes made on the +managed system since the last export, instead of an exact mirror of the data. Active Directory and +Microsoft Entra ID (formerly Microsoft Azure AD), for example, are able to produce such exports, as +LDIF files, that the Active Directory connector translates into _resources_ changes. Identity +Manager's native support for ServiceNow and SCIM also provides such capabilities. + +In case the source managed system does not possess _incremental_ export capabilities, the changes +computation is performed during the _prepare-synchronization_ step. + +Inside those constraints, every natively supported _export task_ generates its own _CSV source file +format_, described in the [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) section. 
Usually, two kinds of +files are generated: _entries_, describing plain entries, and _associations_, describing +associations between entries. + +All _CSV source files_ are written to the Upward Data Synchronization. + +At the end of the _export_ step, the Upward Data Synchronization contains several files per +connectors, that will be translated into _resources_ during _prepare-synchronization_ and +_synchronization_ steps thanks to Upward Data Synchronization (see below). + +The Upward Data Synchronization can also contain opaque +[cookie files](https://ldapwiki.com/wiki/DirSync) used for incremental export of a few systems such +as Active Directory, Microsoft Entra ID, ServiceNow, and SCIM. + +The reader might now understand how, as laid out in the overview, the input data could be unreliable +given the volatile nature of the managed system export methods. _Complete_ and _incremental_ modes +work together to find the best compromise between reliability and execution time. + +### Example + +The following example demonstrates the native Active Directory export process. + +Exporting data from an Active Directory can be achieved by using the +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) task within a +Job. + +The Tasks requests from the source Active Directory all entries that match a configured filter. It +outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries.csv`), information +about group membership (`ad_members.csv`) and about the hierarchical organization +(`ad_managers.csv`). + +![Active Directory Export Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp) + +`ad_entries.csv` contains raw AD entry data. 
+ + ``` + +employeeID;businessCategory;extensionAttribute15;objectCategory;sAMAccountName;userPrincipalName;parentdn +00001;fames;ac;turpis;egestas;integer;eget 00002;ullamcorper;eget;nulla;facilisi;etiam +00003;integer;eget;aliquet;nibh;praesent + +```` + + +```ad_managers.csv``` contains a list of associations, representing the link between an employee (```employeeId``` column) and their manager (```manager``` column). + + ``` +employeeID;manager +00001,99812 +00002,99812 +00003,99812 + +```` + +`ad_members.csv` contains also a list of associations, representing the link between a group +(identified by its `dn`) and its members (the `member` column). + + ``` + +dn;member CN=SG_APP_AG002,DC=internal;CN=U34811,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U18184,DC=internal CN=SG_APP_AG002,DC=internal;CN=U43405,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U51630,DC=internal + +```` + + +## Entity Mapping + +The aim of the _Sync Up_ is to load managed systems' data into the resource repository. As such, it requires Identity Manager to translate data from the managed system format (or, more accurately, the _export task_'s output format) into the resource repository format, that is, the [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +The translation rules are described in the applicative configuration by [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements. + +Entity Type Mapping elements map the resources _CSV source files_ columns to [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md) properties. Each mapping also identifies one column as the _primary key_ for this Entity Type. 
The _primary key_ is used to uniquely identify a resource in the _Sync Up_ process. It's mandatory to be able to perform _incremental__Sync Up_, as it allows to identify a resource on which an _update_ or a _delete_ has to be performed. + +[ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements translate the _CSV source files_ into [Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). They describe rules identifying associations between resources loaded thanks to the [](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)[ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md). + +## Prepare Synchro + +_Prepare-Synchronization_ is the second step of the _Sync Up_. It transforms the _CSV source files_ further, before the _Synchronization_ step. + +It performs data cleansing and, in _incremental_ mode, computes changes made on the source managed system since the last _Prepare-Synchronization_. + +It's performed on the _Agent_-side. + +### Data cleansing + +The following actions are performed on the _CSV source files._ + +1. Removing columns that are not used in [ + Entity Type Mapping + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or [ + Entity Association Mapping + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +2. Entries that have a null primary key +3. Removing duplicates +4. 
Sorting entries according to the primary key + +The result of the _Prepare-Synchronization_ is stored in the Upward Data Synchronization as three files: + +For every entity type of the relevant _Connector_ involved in an[ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or an[ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) `````` , a ```.sorted.csv``` file is generated, containing the final, cleaned, sorted result. + +Duplicates are kept in a separate ```.duplicates.csv``` file. + +Null primary key entries are kept in a separate ```.nullpk.csv``` file. + +### Computing changes + +In _incremental_ mode, changes might need to be computed by the _Agent_. + +If the export step has provided computed changes, no further process is required. The changes will be sent as-is to the server. + +If the export step has provided a full extract of the managed systems, the _prepare-synchronization_ step computes changes. This computation is based on the result of the last data cleansing, generated by the previous _prepare-synchronization_, and stored in the ```previous``` folder in the Upward Data Synchronization. + +For _incremental_ mode, it is recommended to use managed systems to compute changes when possible. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with a performance that Identity Manager can't match. Also, using managed systems for these operations avoid generating heavy files and alleviate Identity Manager's processing load. + +The result is a set of clean lists of changes stored as ```.sorted.delta``` file containing a _command_ column. + +The _command_ column can take the following values: _insert_, _update_, _delete_, and _merge_. 
These are instructions for the _synchronization_ step to apply the changes to the database. + +The ```.sorted``` file (the original cleaned export file, not the changes) is stored in the ```previous``` folder inside the Upward Data Synchronization. It will be used as a reference for the next _incremental__prepare-synchronization_ to compute the changes if needed. + +Tampering with the ```previous``` folder content would result in false changes in order to be computed and result in data corruption in the Identity Manager database. To restore the Identity Manager database to a state faithful to the managed system, a _complete__Sync Up_ would be required. + +### Preparing the server + +At the beginning of every _prepare-synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain ```.sorted``` or ```.sorted.delta``` files that will be sent by the agent. + +This aims to prevent network errors that would cause an _incremental_ database update to happen more than once. + +That means several _export_ and _Prepare-Synchronization_ tasks can be executed simultaneously, they will be processed by the server one at a time in the right order. + +Of course, any notification of a _complete__Prepare-Synchronization_ would cancel the previous non-processed _incremental_ ones. As a _complete_ reloads the whole database, it renders _incremental_ changes computation moot. + +### Sending clean exports + +```.sorted``` or ```.sorted.delta``` files are sent over HTTP to the _Server_ for the last step. + +### Prepare synchronization tasks + +- [ + Prepare Synchronization Task + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) is the standard _prepare-synchronization_ task. +- PrepareSynchronization Change Task is used to process data source files containing changes. 
+- PrepareSynchronization ActiveDirectory Task is specialized for Active Directory. This task handles Active Directory _incremental_ prepare-synchronization by using Active Directory _cookies_. + +### Example + +The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_. + +![Active Directory Prepare-Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Synchro + +_Synchronization_ is the last step. It loads data into the resource repository from cleaned _CSV source files_. It's performed _Server_-side. + +### Translating + +Before writing to the Identity Manager's database, the _Server_ uses [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and[ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) to translate _CSV source files_ into _Entity Model compliant_ resources and resolve association links. + +### Tables + +The _Synchronization_ step involves four tables from Identity Manager's database. + +- UR_Resources contains the actual resources. +- Mono-valued associations ( target column index 128 to 137 included ) are stored in UR_Resources as well, +- Multi-valued associations ( target column index null or -1 or 0 to 127 included ) are stored in the UR_ResourceLinks table. +- UR_ResourcesChanges and UR_ResourceLinkChanges are intermediary tables, used by the complete mode as an extra step before committing changes to the UR_Resources and UR_ResourceLinks in the context of a safeguard mechanism. 
+ +### Complete + +_Complete__synchronization_ starts with a ```.sorted.csv``` file that contains cleaned data, as in whole data, not mere changes. + +_Complete synchronization_ replaces entirely the database resources. That means that all resource, for that [ +Connector +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), that are in the database but not in the _CSV source files_ will be deleted. That means no change made to the database from outside of the connectors or the UI are persistent. + +_Complete synchronization_ does not blindly insert data into Identity Manager database. Its aim is to update Identity Manager database to match the ```.sorted``` files received. + +To do so, ```.sorted``` files are translated into resources. Then, ```.sorted``` resources are compared against the currently hold database resources, matching Primary Key to Primary Key, to find differences. + +That means that, just as the _incremental_ mode, the complete mode will actually apply changes to the database. The difference being that the _complete_ synchronization computes the changes on the _Server_ and the _incremental_ computation computes the changes on the _Agent_ or the managed system. Hence, complete synchronization has to send large data files over the network and is slower. + +#### Safeguard + +Before actually updating the database, the number of changes to be applied to the database to match the ```.sorted``` resources is compared to a user-defined threshold. + +The threshold is a percentage of the total number of stored resources. If the number of changes goes over the threshold, the synchronization is blocked. This safeguard aims at detecting human or system errors that could corrupt Identity Manager's database. For example, a number of _delete_ commands greater than the threshold could be caused by an accidental empty _CSV source file_ being fed to the _synchronization_. 
+ +For this purpose, changes are applied to an intermediary safeguard set of tables, UR_ResourcesChanges and UR_ResourceLinkChanges. The threshold is checked, and if validated, changes are applied to the UR_Resources and UR_ResourceLinks tables. + +### Initial + +_Initial_ synchronization loads the translated resources directly into the database, using INSERT SQL commands. There is no threshold checking, no comparing the data to insert to the currently held data to find differences. It should only be used on a managed system for which Identity Manager does not hold any resources yet. + +### Incremental + +The incremental mode uses a ```.sorted.delta``` file that contains changes. + +Thresholds are checked just as with the _complete_, using intermediary UR_ResourcesChanges and UR_ResourceLinkChanges. tables. + +Then, changes according to the _command_ column are applied to UR_Resources and UR_ResourceLinks. + +### Synchronization tasks + +- [ + Synchronize Task + ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) i is the standard _synchronization_ task. +- SynchronizeChanges Task is used to handle changes together with PrepareSynchronization Change Task. +- SynchronizeActive Directory Task is specialized for Active Directory. To be used with PrepareSynchronizationActiveDirectory Task. + +### Example + +This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Identity Manager database. + +![Active Directory Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp) + +## Handling Errors + +The _syncro_ step is where potential errors laid out in the overview could impact the database. 
+ +- The ```previous``` folder content could be tampered with; +- Managed systems limitations, or human error in the export step, could result in a wrong or incomplete _CSV source file_ being fed to the _Synchronization_; +- Identity Manager database could be restored to an older state to try and fix hardware failure or SQL tests gone wrong. + +These events, although exceptional, occur. They cause Identity Manager's database and the managed systems to be slightly off one another. The _incremental__Sync Up_ cannot fix these differences because the database is not taken into account in the changes computation. The _complete__Sync Up_ can fix it because it compares directly the database against the _export_ output files, i.e. it relies on the managed system's state, not on the database state. + +It is hence recommended to run at least a daily _complete_ synchronization to account for these exceptional events and quickly fix the errors they might have cause into the database. + +Remember that _incremental_ and _complete_ Sync Up modes use safeguards to avoid accidental overwrites. That means any error that could find its way into the database would be small. + +_Incremental_ mode also offers another optimization that will be described in the [Evaluate Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) section. Trade-offs of that optimization can also be counterbalanced by running a daily _complete_ synchronization. + +## Thresholds + +A introduced earlier, to mitigate the risk of data loss in the case of abnormal data source files, the _synchronization Job_ is locked if the number of changes to apply goes over a specific threshold. 
+ +Thresholds can be configured by the user in the applicative configuration and be specific to a [ +Connector +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), an [ +Entity Type Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and/or an[ +Entity Association Mapping +](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). They are expressed as number of lines (ex: ```MaximumInsertedLines```) or as a rate (ex: ```MaxPercentageDeletedLines```). + +A synchronization task locked by a threshold can be unlocked by executing the Synchronization Validation task. + +Thresholds are ignored in _initial_ mode. + +The task's argument ```-force``` can be used to ignore thresholds. + +--- + +Next, a word about the [ +Assignment Policy +](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/role-model-rules/index.md). +```` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md new file mode 100644 index 0000000000..5f654d3351 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md 
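Review bot: In upward-data-sync/index.md, the `ad_managers.csv` sample contradicts its own header: the header is `employeeID;manager` but the rows are comma-separated (`00001,99812`), so the sample is not valid for the `;`-delimited format used by the other two files. Use `;` in the rows. The three samples also open with a three-backtick fence and close with four, and a lone four-backtick line is left at the end of the file; use one fence length throughout. Item 2 of the Data cleansing list ("Entries that have a null primary key") has lost its verb. In the Thresholds section, `-force` is documented as ignoring thresholds without saying that this switches off the safeguard described under Complete; add a sentence on when that is acceptable, given that the same page warns that a wrong or empty source file, or a tampered `previous` folder, leads to data corruption.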
@@ -0,0 +1,160 @@ +# Build Efficient Jobs + +This topic shows how to build efficient jobs by minimizing their costs. + +**NOTE:** The rules below must be followed when creating a new job, otherwise the frequent launch of +this scheduled job will trigger errors in a SaaS environment. + +### Prerequisites + +In order to successfully launch a frequent job (defined as a job called more than once an hour) the +following requirements need to be met: + +- Synchronize / Export Task in incremental mode +- The UpdateEntityPropertyExpressions /ComputeCorrelationKeys/ComputeRoleModel tasks do have the + SetRecentlyModifiedFlag set to true +- The ComputeCorrelationKeys/UpdateEntityPropertyExpressions tasks are computed on a subset of + Entity Types (not all Entity Types at once) +- UpdateEntityPropertyExpressions/ComputeCorrelationKeys/ComputeRole tasks are not duplicated +- SetInternalUserProfiles/ActivityInstanceActor tasks are not configured to launch + +## Rule 1: Use Scaffoldings + +Identity Manager provides scaffoldings to simplify XML configuration by generating complex XML +fragments. See the +[Scaffoldings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic for +additional information. + +Most jobs are included in job scaffoldings, thus configured in the most optimal way. So start by +using scaffoldings to build jobs. See the +[ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md) topic for +additional information. + +For example, the creation from scratch of a job to perform a complete synchronization for a +connector will be tedious. Instead, use Identity Manager's scaffolding, like in the following +example concerning the Microsoft Entra ID (formerly Microsoft Azure AD) connector. 
Instead of a few +dozens of lines, write only the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                       + +                    +``` + +See +the[Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)for +additional information. + +## Rule 2: Compute Only What's Necessary + +Execute the tasks on the right entity types + +Many tasks can be executed either on all entity types, or on a given list of entity types. + +Make sure to configure the tasks so that they are executed only on the relevant entity types, not +all of them by default. + +For example, instead of using AllEntityType set to true, write the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                         + +       + +                     +``` + +Launch incremental tasks rather than complete + +When a task is supposed to be executed on changes only, then there is no use executing the task in +complete mode. + +Make the relevant tasks incremental by flagging the resources that were recently modified. See the +[ Configure an Incremental Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md) topic for additional +information. + +For example, instead of computing the role model as if it had never been computed before, apply only +the changes by writing the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +                         +   +                     +``` + +Launch only the relevant tasks according to the logical chain + +Identity Manager's tasks are all linked together by a logical chain that implies that some tasks are +supposed to be executed after some others. + +Make sure to understand the tasks' logical chain to launch only the relevant tasks. See the +[ Troubleshoot Connector Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) topic for additional +information. + +For example, there is no use computing expressions or correlations if there was beforehand no change +in the database. Thus, there should not be UpdateEntityPropertyExpressionsTask or +ComputeCorrelationKeysTask without first SynchronizeTask or FulfillTask. + +## Rule 3: Wait for Recurring Tasks + +Inside a recurring job, there is no need including some tasks twice in order to have the whole +cycle, because the next execution will complete what has been started. + +For example, Identity Manager's feedback loop uses the tasks for synchronization, computation of the +role model, provisioning, then once more synchronization and computation of the role model. + +Instead of including any task twice, rather write a job with each task once, schedule a periodic +execution of the job, and wait for the next execution to get the whole cycle. For example for the +AD: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                      +                                ... +                ... +               ... +            ... +                ... +   +``` + +``` +                       + +                    +``` + +``` +                         + +       + +                     +``` + +``` +                         +   +                     +``` + +``` +                      +                                ... +                ... 
+               ... +            ... +                ... +   +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md new file mode 100644 index 0000000000..26ff604b5e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md 
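Review bot: In build-efficient-jobs/index.md, every fenced example under Rule 1, Rule 2 and Rule 3 contains only whitespace or `...`, so "write only the following" and the note about attributes enclosed with `<>` point at nothing, and after the Rule 3 example the same four fences are appended a second time at the end of the file. Restore the XML for each example and drop the trailing duplicates. The Prerequisites list names the task `ComputeRoleModel` in one bullet and `ComputeRole` in another; use the real task name in both. `### Prerequisites` also sits directly under the `#` title while the rules use `##`.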
@@ -0,0 +1,56 @@ +# Configure an Incremental Job + +This guide shows how to configure the relevant tasks to make a job incremental. + +## Overview + +When configured as such, Identity Manager is able to remember after synchronization which resources +were modified, i.e. created, updated and/or deleted. + +It allows future tasks to be executed only on modified resources, in order to minimize jobs' +execution times and costs. + +See an example of a full [ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) job. + +## Configure a Job to Be Incremental + +Configure a job to be incremental by proceeding as follows: + +1. Configure the synchronization task + ([ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md)) + with `DoNotDeleteChanges` set to `true`. + + This way, Identity Manager keeps the list of all changed resources. + + > For example, to synchronize incrementally the Active Directory: + > + > ``` + > + > ... + > + > + > ``` + +2. Tag all changed resources by running + [ Set Recently Modified Flag Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + after SynchronizeTask. + + > For example, following the synchronization task for the Active Directory: + > + > ``` + > + > + > + > ``` + +3. Configure the next tasks with `Dirty` set to `true` to apply them only to resources flagged as + "dirty", i.e. recently modified. + + > For example, to compute correlation keys incrementally: + > + > ``` + > + > ... + > + > + > ``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md new file mode 100644 index 0000000000..27967d6916 
--- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md 
@@ -0,0 +1,21 @@ +# Configure Jobs + +This guide shows how to define the permissions for creating and using jobs thanks to scaffoldings. + +There are two important jobs in Identity Manager. The +[ Set up Complete Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) and the +[ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md). This two Job Synchronize and fill are +using to Synchronize and fill Connectors. + +## Job Scaffoldings + +There are six scaffoldings in Identity Manager to automatically create jobs in the configuration: + +- A job for all connectors on an Agent + ([Create Agent Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md)/[Create Agent Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + mode). +- A job for a specific connector + ([Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)/[Create Agent Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + mode). +- [Create Initialization Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) +- [Create Access Certification Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) 
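Review bot: In configure-jobs/index.md, the second bullet under Job Scaffoldings ("A job for a specific connector") pairs Create Connector Synchro Complete with a repeat of the Create Agent Synchro Incremental link from the first bullet (`scaffoldings/jobs/createagentsynchroincremental/index.md`). It should point to the connector-level incremental scaffolding, which the jobfast page in this patch links as `scaffoldings/jobs/createconnectorsynchroincremental/index.md`. As written, the list reaches only five distinct scaffoldings although the text announces six. The intro promises "how to define the permissions for creating and using jobs", which nothing on the page covers, and the sentence "This two Job Synchronize and fill are using to Synchronize and fill Connectors" needs rewriting.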
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md new file mode 100644 index 0000000000..85992d7c80 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md @@ -0,0 +1,72 @@ +# Configure the Fulfill Task for a Connector + +This guide shows how to create the adequate configuration to add the fulfill task of a given system +(here LDAP) in a job. + +For Identity Manager fill an LDAP some configuration element are necessary. + +## Resource Type Mapping + +This configuration is to use the fill for the LDAP and configure the Reset Password. + +``` + + + +``` + +## Add connection information to AD Connect + +In the [ LDAP ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) define this section to add +all information to use the AD Fulfillment. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADFulfillment": { + "Servers": [ + { + "Server": "paris.contoso.com", + "BaseDN": "DC=paris,DC=com" + } + ], + "AuthType": "Basic", + "Login": "CN=exampleCn,DC=exampleDc1,DC=exampleDc2", + "Password": "Password", + "AsAdLds": "true" + } + } +} +``` + +After defining this settings, encrypt this JSON file with +[ Usercube-Protect-X509JsonFile ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md). + +## Configure The FulfillTask + +Configure The task with the same ResourceType using in ResourceTypeMapping. It's possible to use a +connector instead of ResourceType. + +``` + + + +``` + +Integrate this Task in the job that provisions the AD connector. + +``` + + ... + ... + + +``` 
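Review bot: In fulfillldap/index.md, the `appsettings.agent.json` example shows a bind DN and `"Password": "Password"` in clear next to `"AuthType": "Basic"`, and the instruction to encrypt the file with Usercube-Protect-X509JsonFile only comes after the block. Put that instruction before the example, mark the credential values as placeholders, and state what transport protection the connection expects, since Basic authentication does not by itself protect the password on the wire. In the same block, `"BaseDN": "DC=paris,DC=com"` does not match `"Server": "paris.contoso.com"`, and the file name `appsettings.agent.json` sits inside the fence, so the example is not valid JSON. The heading says "AD Connect" and the key is `ADFulfillment` while the guide and the link target are LDAP; say which one the reader is configuring. The XML fences under Resource Type Mapping and Configure The FulfillTask are empty as shown here.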
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md new file mode 100644 index 0000000000..f6d77a5d99 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md 
@@ -0,0 +1,224 @@ +# Set up Complete Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in complete +mode. + +### 1. Objective + +Create a Synchronization Job in complete mode. This job is used to check for and fix differences in +the resources data after the incremental synchronizations. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see : +[Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)) +or a job for all connectors for each agent (see : +[Create Agent Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). Otherwise +it is unnecessary. Choose the Export task corresponding to the connector. If the Export uses the +incremental mode, set IgnoreCookieFile to true. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the Prepare Synchronization Task with the connector. Set `SynchronizationMode="Complete"` , +except for +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter. 
If it is a Synchronization Changes, or ActiveDirectory, you must +precise it with the `Type` attribute. + +If the job contain Exports for the same connector add the a link between the PrepareSynchronization +and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +For more information on PrepareSynchronization task configuration : +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). + +### 4. Create the Synchronization task + +Create the SynchronizeTask with the same `Type` attribute as the PrepareSynchronizationTask. For the +complete mode the parameter DoNotDeleteChanges must not be present in the task configuration. + +If the job contain Exports for the same connector add the a link between the Synchronization and the +Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +For more information on Synchronization task configuration : +[ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +For more details on the Synchronization job configuration : Set up Complete Synchronization Job +Configuration + +### 5. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entityTypes. + +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 6. 
Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. + +Example : + +``` + + + +``` + +For more information about the ComputeCorrelationKey task configuration: +[ Compute Correlation Keys Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 7. Create the ComputeRoleModel task + +Create the ComputeRoleModel Task to create the provisioning order. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which have +TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 8. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. The +ForceProvisioning parameter must not be set to true. It's the job state machine who launch this mode +if necessary. + +Example : + +``` + + + +``` + +For more information on GenerateProvisioningOrder task configuration: +[Generate Provisioning Orders Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md). + +### 9. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. 
+ +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 10. Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more +[ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. + +``` + + + +``` + +For more information on Update Classification Task : +[ Update Classification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 11. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +are configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. + +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[ Set Internal User Profiles Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 12. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. 
+ +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md new file mode 100644 index 0000000000..d158c0aebf --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md 
@@ -0,0 +1,255 @@ +# Set Up Incremental Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in +incremental mode. + +### 1. Objective + +Create a Synchronization job in incremental mode. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see : +[Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md)) +or a job for all connector for each agent (see : +[Create Agent Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). Otherwise +it is unnecessary. Choose the Export task corresponding to the connector. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the PrepareSynchronizationTask with the connector. Set `SynchronizationMode="Incremental"` , +except for +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter and LDAP connector who need complete mode. 
+ +If the job contain Exports for the same connector add the a link between the Prepare Synchronization +and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +For more information on PrepareSynchronization task configuration : +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + +### 4. Create the Synchronization task + +Create the SynchronizeTask corresponding to the Prepare Synchronization Task. If the Prepare +Synchronization Task is a +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md), +then choose the +[ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), +else if it is Prepare Synchronization Active Directory Task choose Synchronization ADDir Sync, else +choose +[ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md). + +In Incremental mode, you must set the attribute `DoNotDeleteChanges="true"` + +For the Incremental mode add link between PrepareSynchronization and Synchronization task for the +same connector. If the job contain Exports for the same connector add the a link between the +Synchronization and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +For more information on Synchronization task configuration : +[ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +### 5. 
Create the SetRecentlyModifiedFlag task + +Create the Set Recently Modified Flag task. + +Launching this is required only if at least one of the Synchronization in the job has made a change +in the database. + +``` + + + +``` + +For more information on SetRecentlyModifiedFlag Task : +[ Set Recently Modified Flag Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + +### 6. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entitytypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[ Update Entity Property Expressions Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 7. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +For more information about the Compute Role Model correlation keys task configuration: +[ Compute Correlation Keys Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 8. Create the ComputeRoleModel task + +Create the ComputeRoleModely Task to create the provisioning order. Set the attribute Dirty : +`Dirty="true"`. 
+ +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which have +TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 9. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. + +Example : + +``` + + + +``` + +For more information on provisioning task configuration: +[Generate Provisioning Orders Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md). + +### 10. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 11. Create the UpdateClassification task + +Create the Update Classification Task. 
The resource Classification is needed if one or more +[ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +``` + + + +``` + +For more information on Update Classification Task : +[ Update Classification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 12. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md)are +configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. + +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[ Set Internal User Profiles Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 13. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. + +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) 
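Review bot: in step 3 of jobfast/index.md the exception to `SynchronizationMode="Incremental"` is linked as "Prepare Synchronization Task", the same label and target as the task the step is configuring, so the sentence reads "set it on PrepareSynchronizationTask, except for Prepare Synchronization Task" and the reader cannot tell which variant is exempt. Step 4 has the same defect: the first and last branches of its if/else both resolve to the same "Synchronize Task" link. Restore a distinct task name and link target for each branch. Separately, steps 7, 8 and 11 repeat step 6's sentence about "the expression computation" although they describe correlation keys, the role model and classification; step 7's closing link is introduced as "the Compute Role Model correlation keys task"; step 8 spells the task "ComputeRoleModely"; and step 10's "If this task has not create a new provisioning order. The fulfillment must be not launch in the job." should be a single sentence saying that Fulfill must not run when GenerateProvisioningOrdersTask produced no new order. The Example fences in this hunk contain only blank lines, so no step shows the XML it describes.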
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md new file mode 100644 index 0000000000..2d9b03798b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md 
@@ -0,0 +1,112 @@ +# Troubleshoot Connector Jobs + +This guide helps understand the behavior of synchronization and provisioning tasks in order to spot +and fix errors. + +## Overview + +A managed system is synchronized and provisioned to/from Identity Manager with the following task +sequence: + +![Synchronization/Provisioning Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp) + +### Export data + +Exporting means that the agent reads the system's data and takes it out to one or several external +files, as tables. + +The output is stored in `Temp/ExportOutput`. + +In order to spot what was exported or not for the next incremental export, cookie files are stored +in `Temp/ExportCookies`. + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information. + +### Prepare synchronization + +Preparing the synchronization means that the agent reads the tables, output of the export step, and +produces one file for each association (also named multi-valued navigation property), where the data +is prepared for synchronization. + +> For example, the data is sorted according to their primary keys, in order to optimize the +> comparison with the database. + +The output is stored in `Work/Collect`, and sent to the server to queue in `Work/Synchronization`. + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information on how to prepare the synchronization executable +`Usercube-Prepare-Synchronization`. + +### Synchronize + +Synchronizing means reading the data of the external file, output of the preparation step, and +taking it to Identity Manager. 
+ +This is done by the synchronization executable Identity Manager-Synchronize. + +#### Synchronization: build the difference + +The server compares the exported files, output of the preparation step, with the previous data of +the system, and with the data contained in the database. Based on this comparison, the changes are +stored in the database. + +The output is stored in `UR_ResourceChanges`. + +#### Synchronization: finalize + +When at least one synchronization +[ Thresholds ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md) is exceeded, the change list +can be seen in the **Synchronization Changes** tab, accessible from the job progress screen. + +When the synchronization thresholds are not exceeded, or they are bypassed, the potential +preparatory files are consumed and the changes are applied. + +The server updates the values of the properties computed via expressions. A user's history can be +used to view the impact of this step on the properties. + +### Apply the policy + +Applying the policy means that the server prepares the correlation keys and computes the role model. + +Preparing the correlation keys means that the server recomputes the keys that will later link +accounts to their owners. The output is stored in `UP_ResourceCorrelationKeys`. + +This is done by the correlation key computation executable `Usercube-Compute-CorrelationKeys`. + +Computing the role model means that the server applies all the rules in order to assign accounts and +entitlements to identities. + +The assigned accounts and entitlements are stored in `UP_Assigned*`, and can be seen in users' +**View Permissions** tab. + +This is done by the role model computation executable `Usercube-Compute-RoleModel`. + +### Generate provisioning orders + +Generating the provisioning orders means that the server builds JSON files to prepare the execution +of provisioning. + +The output is stored in `Work/ProvisioningOrders`. 
+ +This is done by the order generation executable `Usercube-Generate-ProvisioningOrders`. + +### Provision + +Provisioning means that the agent asks the server to send the provisioning orders, in order to read +the orders and actually make modifications to the managed system. + +Once consumed, the files are moved to the subfolder `Downloaded`. + +This is done by the provisioning executables `Usercube-Fulfill-*`. + +In order to test the provisioning step, there is no need relaunching the whole task sequence. You +can, for example, keep a provisioning order from the previous step, and adjusting it before +launching provisioning. + +## Troubleshoot + +Troubleshoot an error in a connector job by running each step individually until you see something +that you did not expect. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/index.md new file mode 100644 index 0000000000..2da0da10bc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/index.md 
@@ -0,0 +1,31 @@ +# Tasks & Jobs + +Identity Manager provides tasks to orchestrate together the executable files that perform IGA +actions, and jobs to orchestrate the tasks together. + +See the [Tasks](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/tasks/index.md) topic for additional information. + +See the [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md) topic for additional information. + +See the [ Tasks ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) topic for additional +information. + +Make sure to read how to [Build Efficient Jobs](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md). + +## Overview + +Netwrix Identity Manager (formerly Usercube) vision for the IGA software is a customizable solution. + +The main idea of Identity Manager is to offer a software solution that you can tailor to your needs +by selecting IGA "blocks" and executing them in a specific order. + +This is why Identity Manager is not built as a monolithic software. It is made of a mosaic of small +[specialized services](https://en.wikipedia.org/wiki/Microservices), cohesive independent functions, +each one materialized into a building block of your Identity Manager solution. Each building block +serves a specific and well delimited IGA function. + +These building blocks are called [Tasks](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/tasks/index.md), and can be easily organized together and +scheduled in [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +This approach makes for a perfectly customizable product. It also tremendously helps our users to +ease into Identity Manager by allowing them to understand it piece by piece. 
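Review bot: the three consecutive "See the ... topic for additional information" lines at the top of tasks-jobs/index.md give two different targets the same label: "Tasks" points to tasks-jobs/tasks/index.md and " Tasks " points to toolkit/xml-configuration/jobs/tasks/index.md. Label the second by what it is (the XML configuration reference for tasks) and merge the three lines into one sentence so the reader can pick the right page. The link labels `[ Jobs ]` and `[ Tasks ]` also carry padding spaces inside the brackets, in the intro and again in the Overview paragraph; write them as `[Jobs]` and `[Tasks]` like the first link.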
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md new file mode 100644 index 0000000000..d434ad8aa2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md @@ -0,0 +1,35 @@ +# Jobs + +A job is a succession of tasks, to be launched and potentially scheduled, which orchestrate together +the executable files that perform IGA actions. + +## Anatomy of a Job + +Jobs are used to write sets of successive tasks, and schedule their execution. + +See how to configure [ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). + +A job can contain tasks explicitly, or contain steps used to call existing tasks in order to use a +single task in several jobs. + +## Execution + +Jobs are executed by agents. + +The agent initiates the job and executes the agent-side tasks. Hence, the agent must have access to +the relevant managed systems. The agent orders the execution of the server-side tasks, complying +with the one-way data flow principle. + +A job can be triggered: + +- Once manually, through the **Job Execution** screen; +- Once manually, using Usercube-Invoke-Job.exe; +- Periodically, with Identity Manager's internal scheduler `CronTabExpression`; +- Periodically, with an external Scheduler such as + [Windows Task Scheduler](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page). + +## Monitoring + +Any job execution is logged into the UJ_JobInstances table. + +They can be monitored through the UI, via the **Job Execution** page. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/tasks/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/tasks/index.md new file mode 100644 index 0000000000..3ef8fd5a62 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/tasks/index.md 
@@ -0,0 +1,49 @@ +# Tasks + +A task is Identity Manager's way to configure and use a given executable that performs a given IGA +action. + +## Anatomy of a Task + +Each of Identity Manager's IGA actions is contained in a standard Windows executable file that can +be launched using PowerShell. + +The choice of a simple standard format for Identity Manager's building blocks makes it very easy to +pick and choose them _a la carte_ to configure the solution. + +Tasks are used to insert these blocks into Identity Manager's configuration, in order to be +launchable via the UI, or even scheduled to be launched automatically periodically. + +> For example, Identity Manager's tasks include synchronization, computation of entitlement +> assignments, or provisioning of varied managed systems. See the list of all available +> [ Tasks ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md). + +## Data Consistency + +Every task is written as a +[transactional process](https://en.wikipedia.org/wiki/Transaction_processing). This means that a +task cannot be executed partially. It is either fully executed, or not executed at all. It +guarantees data consistency as data cannot be harmed by a half-executed task. + +Every task is written as an [idempotent function](https://en.wikipedia.org/wiki/Idempotence). This +means that, for a given input, applying a task one time will produce the same result as applying it +several times. It guarantees data consistency as it prevents the potential side-effects of a retry +which might occur following a network error, or a task failure. + +Every task is designed as a +[single responsibility process](https://en.wikipedia.org/wiki/Single-responsibility_principle). This +principle ensures that two distinct tasks do not have an effect on similar pieces of the system. +This guarantees data consistency by avoiding incompatible changes to be committed by different tasks +at the same time. 
For the same reasons, a given task cannot be executed twice simultaneously. + +## Task Modes + +Two distinct modes exist to execute tasks inside jobs: + +- In complete mode, tasks process whole inputs with all data. +- In incremental mode, tasks only consider the changes that occurred since their last execution. + This mode is not available for all tasks. + +Both modes can be performed considering potential filters if said tasks involve a specific selection +of data instead of whole inputs. The difference between these modes lies in the consideration of all +data for the complete mode, versus only the last changes for the incremental mode. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/bindings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/bindings/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/bindings/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/bindings/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md new file mode 100644 index 0000000000..68d78f0c78 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md 
@@ -0,0 +1,70 @@ +# C# utility functions + +These functions can be called in any C# expression specified in the configuration. See the +[Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +These are static functions defined in the class `Usercube.Expressions.Functions.UtilExpressions`. + +The way these functions are configured, they require the `UtilExpressions` prefix, but not +necessarily the rest (`Usercube.Expressions.Functions`). However, using the full namespace would +also work. + +For example, you could use `UtilExpressions.BuildUsername(...)` as shown in the example below. + +[LinQ methods](https://docs.microsoft.com/en-us/dotnet/api/system.linq.enumerable?view=net-8.0) can +be used, without needing to add a prefix. + +## BuildUsername + +Builds a username by concatenating a first name, a separator, a last name and a possible suffix. + +First name and last name are simplified using the +[Predefined functions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) function. + +``` +string? BuildUsername(string? firstName, string? lastName, string? separator, string? suffix, int? iteration) +``` + +The iteration argument is usually used in a +[ Build Unique Value Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md). +If the iteration number is greater than 0, it is inserted after the last name. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` + +## BuildUsernameWithInitials + +Builds a username by concatenating a first name initials, a separator, a last name and a possible +suffix. + +Hyphenated first names are accepted (In this case, we consider the initial of each first name). + +``` +string? BuildUsernameWithInitials(string? firstName, string? lastName, string? separator, string? suffix, int? 
maxLength, int? iteration) +``` + +The `maxLength` argument limits the length of the username. + +The iteration argument is usually used in a +[ Build Unique Value Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md). +If it is greater than 0, we use several letters of the first name avoiding as much as possible to +insert a number in the built username. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md new file mode 100644 index 0000000000..60c1152f6b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md 
@@ -0,0 +1,317 @@ +# Expressions + +Expressions are a way to define the attributes whose values must be computed based on other +attributes. + +## Overview + +In Identity Manager's XML configuration, some attributes are defined with expressions. Expression +attributes do not take a plain string value, but rather an expression that computes a value based on +a given input. See the +[ Entity Property Expression ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) and +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for additional +information. + +Every expression must be passed at least one argument and return at least one value. + +The expression can either be provided as a built-in function or as a full-fledged C# expression. See +the list of available C# utility functions and functions predefined by Identity Manager. See the +[Predefined functions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) topic for additional information. + +**NOTE:** When changing the value of a property that is part of some expressions in the +configuration, do not expect to see all expressions recomputed right away. + +In order to ensure the recomputation of all expressions based on the recent change, wait for the +next run of Update Expressions in the complete job or through the corresponding connector's overview +page. + +### Expressions in the UI + +In the UI, the attributes that can be defined with an expression show two fields: Property Path and +Expression. 
+ +For example, the source object of a scalar rule based on user records is displayed: + +![Property Path and Expression](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp) + +The field Property Path is usually filled in with the + button only when the rule involves one +single attribute. If the object involves more than one attribute, then the attributes are to be +written in Expression (C#), with the help of predefined simple transformations. See the +[Predefined functions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) topic for additional information. + +The first example defines the source object as simply the user record's Login property, while the +second defines the source object with an expression based on the user record's first and last names: + +![Property Path Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp) + +![Expression Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp) + +### Expressions in XML + +In XML, inside the C# expressions, make sure to escape `<">` characters by writing them as `<">`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +``` + +### Nullability checks + +Nullability checks constitute a common area for improvement in C# expressions, rather easy to +implement. + +See Microsoft documentation on +[nullable reference types](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/nullable-reference-types) +and more precisely on +[nullable operators](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#nullable-operators). 
+ +For example, the following scalar rule computes the value of users' email addresses via a C# +expression. The `` characters cut the operations short by returning null when one of the chain +members returns null, thus preventing errors. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +``` + +## Built-in Functions + +Identity Manager provides a set of built-in function that implement basic expressions. They can be +used as-is or be included in a C# expression. + +Identity Manager's engine automatically passes the main argument to the function during the +computation, but extra arguments can be provided using the following syntax: + +`function name : arg2 | arg3 | ...` + +### Example + +Plain built-in function: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// transform string to uppercase +Expression="ToUpper" +``` + +Built-in function with parameters: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// add 1440 minutes to a date formated as dd/MM/yyyy +Expression="ParseLocalDateThenAddMinutes:Romance Standard Time|dd/MM/yyyy|1440" +``` + +## C# Expressions + +More complex expressions can be written as ad-hoc C# code according to the following rules: + +- The expression is prefixed by C#:ParameterName: where ParameterName is the variable name pointing + to the input value. +- The expression has to return a value + +For example: + +``` + +// user full name +C#:user:return user.FirstName+" "+user.LastName; + +``` + +### QueryHandler + +Expression can includes squeries, using the QueryHandler service. + +For example, to query the employee type whose Identifier is CDI: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +C#:user: +var resources = queryHandler.Select("Select Id Where Identifier=\"CDI\""); +return resources.FirstOrDefault()?.Id; +``` + +Another example, to query the organization whose Identifier is `<23040>`: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +C#:return queryHandler.Select("Select Identifier Where Id=23040").FirstOrDefault()?.Identifier; +``` + +### Logger service + +Identity Manager provides a logger service called "logger" to debug C# expressions. + +For example: + +``` +C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name; +``` + +### White list + +The following .NET libraries from the white list can be used. + +Authorized Namespaces + +Every class and function from the following namespaces is allowed: + +- `System.Linq` +- `System.Text.RegularExpressions` + +Authorized Classes + +Beyond the authorized namespaces, the following classes can be used: + +- `System.Convert` +- `System.Reflection.AssemblyFileVersionAttribute` +- `System.Reflection.AssemblyVersionAttribute` +- `System.Reflection.AssemblyCopyrightAttribute` +- `System.Reflection.AssemblyProductAttribute` +- `System.Reflection.AssemblyCompanyAttribute` +- `System.Reflection.AssemblyTitleAttribute` +- `System.Char` +- `Usercube.Expressions.Functions.UtilExpressions` +- `System.Nullable` +- `System.String` +- `System.Int32` +- `System.Random` + +Authorized Methods + +Beyond the authorized classes, the following methods can be used: + +- `System.Convert` +- `Microsoft.Extensions.Logging.LoggerExtensions.LogDebug` +- `System.DateTime.Add` +- `System.DateTime.AddDays` +- `System.DateTime.AddHours` +- `System.DateTime.AddMicroseconds` +- `System.DateTime.AddMilliseconds` +- `System.DateTime.AddMinutes` +- `System.DateTime.AddMonths` +- `System.DateTime.AddSeconds` +- `System.DateTime.AddTicks` +- `System.DateTime.AddYears` +- `System.DateTime.Compare` +- `System.DateTime.CompareTo` 
+- `System.DateTime.DaysInMonth` +- `System.DateTime.Equals` +- `System.DateTime.GetDateTimeFormats` +- `System.DateTime.ToUniversalTime` +- `System.DateTime.ToString` + +Trying to use code from outside this white list would yield the following error during computation: + +`the Method Name : ... Parent Class : ... NameSpace : ... used are not authorized` + +Method ... cannot be called with entities as arguments. + +However, here is a whitelist of methods that can be called with these kinds of arguments: + +- `System.Linq.Enumerable.Max()` +- `System.Linq.Enumerable.Min()` +- `System.Linq.Enumerable.Count(IEnumerable(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable, int count)` +- `System.Linq.Enumerable.SkipLast(IEnumerable, int count)` +- `System.Linq.Enumerable.ThenBy(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, Func(IEnumerable` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + +``` + +Literal expressions targeting String properties can accept any value, since it is already a string +in the configuration. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md new file mode 100644 index 0000000000..848351b536 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md 
@@ -0,0 +1,48 @@ +# Predefined functions + +Identity Manager provides a set of predefined functions that simplify the configuration of entity +property expressions and scalar rules. See the +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for additional +information. + +Unlike C# expressions, Identity Manager's predefined functions do not need any prefix. They can be +used as such. See the [ C# utility functions ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for +additional information. + +### Examples + +The following example shows two predefined functions. The first function normalizes the HR_Person +FirstName. The other one converts the end date into a UTC date and adds 1440 minutes. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     + +``` + +The following table summarizes existing predefined functions: + +| Name | Description | Parameters | Return type | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | -------------------- | -------------- | -------- | +| ToUpper | Returns the input string converted to uppercase, using the current culture. | None | String | +| ToLower | Returns the input string converted to lowercase, using the current culture. | None | String | +| Simplify | Returns the input string converted to uppercase, removing all whitespace and special characters, and replacing diacritics. 
| None | String | +| Trim | Removes all leading and trailing white-space characters from the current string. | None | String | +| TrimStart | Removes all leading white-space characters from the current string. | None | String | +| TrimEnd | Removes all trailing white-space characters from the current string. | None | String | +| RemoveDiacritics | Replaces all the éèçàù by eecau, ä by ae, Ä by AE, ö by oe, Ö by OE, ü by ue, Ü by UE, č by c, Č by C, ø by o, Ø by O, ł by l, Ł by L, ß by ss, æ by ae, Æ by AE, œ by oe, Œ by OE, š by sh, and Š by SH. | None | String | +| ToDoubleMetaphone | An implementation of Double Metaphone phonetic algorithm. | None | String | +| ToSoundex | An implementation of Soundex phonetic algorithm. | None | String | +| ToFirstName | Normalizes a first name (first character of each word in uppercase) separated with ‘-’ and the right accents. | None | String | +| ToTitle | Puts the first character in uppercase. | None | String | +| ToFormatedDN | Returns the input string converted to Distinguished Name format. | None | String | +| ParseLocalDate | Converts the specified string representation of a date and time to its DateTime equivalent using the specified parameters. | Time zone identifier | Input string format. | DateTime | +| ParseLocalDateThenAddMinutes | Converts the input string into a DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| ParseUniversalDate | Converts the specified string representation of a date and time to its Coordinated Universal Time (UTC). | Input string format. | DateTime | +| ParseUniversalDateThenAddMinutes | Converts the input string into an UTC DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| FormatLocalDate | Converts the specified string into a local DateTime. | Time zone identifier | Input string format. | DateTime | 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/file-hierarchy/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/file-hierarchy/index.md new file mode 100644 index 0000000000..8d0efb35fd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/file-hierarchy/index.md @@ -0,0 +1,30 @@ +# Hierarchy in Configuration Files + +Every configuration's element falls under the ` urn:schemas-usercube-com:configuration` namespace. +Element `` is the root element of each configuration file. + +``` + + ... + + +``` + +Each configuration element matches to an entry in the database. Detailed description of the element +can be found in the Data model. See the [ XML Configuration Schema ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/index.md) +topic for additional information. + +For example, the structure of the `` element can be found in the +[Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md) topic. + +In some case, the element name will not match directly the data model type name. + +For example, the element `` in the following XML fragment is a +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) item in the +database. + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md new file mode 100644 index 0000000000..1e71cc728e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md 
@@ -0,0 +1,180 @@ +# Adjust Scaffolded Configuration + +This guide shows how to adjust the XML configuration elements created by scaffoldings. + +## Overview + +A scaffolding is an XML element that will generate a complex XML fragment. It is like a +configuration shortcut that helps configure easily a set of XML elements that are usually configured +together. + +See the list of all existing +[Scaffoldings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md). + +In most situations, scaffoldings are enough to generate the configuration required to meet the +functional needs. + +However, in some cases, scaffoldings do not meet the exact needs and must be adjusted to generate +the right XML configuration. + +NETWRIX recommends writing XML configuration by first using scaffoldings, adjusting it if needed, +and as a last resort, when no scaffolding meets the needs, writing the configuration manually. + +## Adjust Scaffolded Configuration + +Adjust XML configuration generated by a scaffolding by proceeding as follows: + +1. When working via the UI, start by exporting UI + [ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) + elements. +2. Write an XML element whose identifier is the same as the one generated by the scaffolding. + + Any identifier can be found in the + [Scaffoldings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic, in the + section displaying the generated XML fragment. + +3. Add `ConsolidationMode` to the element's properties. + + - By default, the XML item written manually completely replaces the one generated by the + scaffolding. + + The default behavior should be used when needing to rewrite one or a few of the items + generated by a scaffolding, not all of them. 
+ + When needing to rewrite the scaffolding's whole output, just remove the scaffolding and + write the item(s) manually. + + > For example, the `ViewTemplateAdaptable` scaffolding generates, for the `LDAP_Entry` + > entity type, a default display name for all LDAP resources, a display table to view the + > resources, and the corresponding permissions to access the table. Supposing that the + > resulting display table does not fit the needs, we could need to write a customized + > display table from scratch: + > + > ``` + > + > + > + > + > + > + > + > ```` + > + > + > The display table's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display table ```LDAP_Entry``` is defined by the `````` properties written manually here, as well as its `````` child elements written manually here. + > ```` + + > Still from the `ViewTemplateAdaptable` scaffolding, suppose now that the default display + > name does not fit the needs, then we could write a customized display name from scratch: + > + > ``` + > + > + > + > ```` + > + > + > The entity property expression's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display name ```LDAP_Entry_InternalDisplayName``` is defined by the `````` properties written manually here. + > ```` + + - Set to `Merge`, the XML item generated by the scaffolding is completed with additional parent + properties and/or child elements written manually, while keeping the parent properties and the + child elements defined in the scaffolding. + + > For example, the `WorkforceModule` scaffolding generates the `Directory_User` entity type + > (among other things) with a specific set of properties. We could choose to add some + > properties in the entity type: + > + > ``` + > + > + > + > + > + > + > ```` + > + > + > The entity type's identifier must be the same as the one generated by the scaffolding. 
Then the entity type ```Directory_User``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the properties written manually here. + > ```` + + > The `WorkforceModule` scaffolding also generates the + > `Directory_UserRecord_UniqueValue_Email` aspect (among other things) that uses unicity + > check rules to generate a unique email address for each new user. We could choose to add a + > unicity check rule in the aspect to compare the new email address to the existing ones + > from Microsoft Entra ID (formerly Microsoft Azure AD): + > + > ``` + > + > + > SourceExpression="C#:record:var firstName = + > record.FirstName.Simplify()?.ToLowerInvariant(); var lastName = + > record.LastName.Simplify()?.ToLowerInvariant(); if (string.IsNullOrEmpty(firstName) || + > string.IsNullOrEmpty(lastName)) { /_ Data missing _/ return null; } + > + > var result = firstName + "." + lastName; + > if (iteration > 0) + > { + > result += iteration.ToString(); + > } + > + > return result;" TargetEntityType="AzureAD_DirectoryObject" TargetExpression="C#:azure_ad: + > if(string.IsNullOrEmpty(azure_ad.mail)) + > { + > return null; + > } + > + > var result = azure_ad.mail; + > var index = result.IndexOf('@'); + > if(index >=0) + > { + > result = result.Substring(0, index); + > } + > + > return result;" /> + > + > ```` + > + > + > The aspect's identifier must be the same as the one generated by the scaffolding. Then the aspect ```Directory_UserRecord_UniqueValue_Email``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the unicity check rule written manually here. + > ```` + + - Set to `Update`, the XML item written manually replaces all parent properties, while keeping + the child elements defined in the scaffolding. 
+ + > For example, the `OptimizeDisplayTable` scaffolding generates the `Directory_User` display + > entity type (among other things) with a specific set of properties. We could choose to + > change just the parent properties of the display entity type without changing its child + > properties: + > + > ``` + > + > + > + > ```` + > + > + > The display entity type's identifier must be the same as the one generated by the scaffolding. Then the display entity type ```Directory_User``` is defined by the `````` properties written manually here, as well as the `````` child elements written in the scaffolding. + > ```` + + - Set to `Delete`, the XML item generated by the scaffolding is deleted, including its child + elements. + + > For example, the `AssignProfileAccessControlRules` scaffolding generates the + > `Administrator_Category_AccessControl_AssignedProfile` access control rule (among other + > things) with possibly child elements. We could choose to remove the whole access control + > rule: + > + > ``` + > + > + > + > ```` + > + > + > The access control rule's identifier must be the same as the one generated by the scaffolding. Then the access control rule ```Administrator_Category_AccessControl_AssignedProfile``` is completely removed. + > ```` + +4. [ Usercube-Deploy Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + again. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md new file mode 100644 index 0000000000..65a9c1dd73 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md 
@@ -0,0 +1,107 @@ +# Identity Manager Deploy the Configuration + +This guide shows how to deploy the XML configuration, in order to build and use the Identity Manager +application. + +## Overview + +The process for configuration deployment varies according to the situation: + +- when working on-premise, the configuration must be deployed locally; +- when working SaaS, the configuration must be deployed remotely. + +## Deploy the Configuration Locally + +Deploy a local XML configuration by using the +[ Usercube-Deploy Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) and +declaring at least: + +- the configuration directory; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +> +> ``` + +## Deploy the Configuration Remotely + +Deploy a SaaS XML configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [ Usercube-Login ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md). + + Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure + strong security, visibility and ease of use. + + NETWRIX recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but + you can also use your own IDP if you want to manage authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Identity Manager's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id + > 34b3c-fb45da-3ed32 + > + > ``` + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Identity Manager's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Identity Manager administrator. + + The administrator will add the identity information to the configuration of your Identity + Manager instance, to allow the configuration deployment/export. + +4. Deploy the configuration by using + the[ Usercube-Deploy Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + and declaring at least: + + - the configuration directory; + - the deployment environment; + - the API URL of your Identity Manager instance. 
+ > ``` + > + > ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --api-url https://my_usercube_instance.com --deployment-slot Development + > + > ``` + + You can deploy the configuration by launching only the `Deploy-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before deploying again. + + The token served by Identity Manager's IDP expires after one hour. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md new file mode 100644 index 0000000000..01949a7d6c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md 
@@ -0,0 +1,110 @@ +# Export the Configuration + +This guide shows how to export the configuration as XML files to a given folder. + +## Overview + +The process for configuration export varies according to the situation: + +- when working on-premise, the configuration must be exported locally; +- when working SaaS, the configuration must be exported remotely; + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information. + +## Export the Configuration Locally + +Export your configuration by using the +[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) +executable and declaring at least: + +- the directory where the configuration is to be exported to; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" +> +> ``` + +## Export the Configuration Remotely + +Export a SaaS configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [ Usercube-Login ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/login/index.md). + + Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure + strong security, visibility and ease of use. + + Netwrix Identity Manager (formerly Usercube)recommends using Identity Manager's dedicated + in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage + authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Identity Manager's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id + > 34b3c-fb45da-3ed32 + > + > ``` + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Identity Manager's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Identity Manager administrator. + + The administrator will add the identity information to the configuration of your Identity + Manager instance, to allow the configuration deployment/export. + +4. Export the configuration by using the + [ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) + and declaring at least: + + - the configuration directory; + - the API URL of your Identity Manager instance. 
+ > ``` + > + > ./identitymanager-Export-Configuration.exe -d "C:\Usercube\ExportedConf" --api-url https://my_usercube_instance.com + > + > ``` + + You can export the configuration by launching only the `Export-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before exporting again. + + The token served by Identity Manager's IDP expires after one hour. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md new file mode 100644 index 0000000000..af311594fb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/index.md 
@@ -0,0 +1,19 @@ +# Toolkit for XML Configuration + +The Netwrix Identity Manager (formerly Usercube) configuration is a set of XML files edited +according the Usercube schema. The [ Recommendations ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/recommendations/index.md) part of this +section explains how to set up an editing environment for the configuration. + +Regardless of the editing space, the configuration persists in the Netwrix Identity Manager +(formerly Usercube) database. It's this stored configuration that is used at runtime. + +The +[ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md)tool +is used to **import** a new version of the configuration (from the XML files set). +The[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) can be +used to **export** the current configuration (to a XML files set). + +The Identity Manager project's integration cycle consists in developing a configuration by +successive imports in a test instance. + +![Integration cycle](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/configurationcycle.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/languages/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/languages/index.md new file mode 100644 index 0000000000..d707c17cc3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/languages/index.md 
@@ -0,0 +1,25 @@ +# Languages + +Some configuration string must be specified in multiple languages. For this, the name of the +corresponding XML attribute is suffixed by `_L1`, `_L2`,... `_L8`. For example, the property +_DisplayName_ of an [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) can be +specified in English and French: + +``` + + ... + + +``` + +Languages list must be specified by [ Language ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +elements. + +``` + + + +``` + +The code is a combination of an ISO 639 two-letter lowercase culture code associated with a language +and an ISO 3166 two-letter uppercase subculture code associated with a country or region. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md new file mode 100644 index 0000000000..8b882bfee0 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md 
@@ -0,0 +1,66 @@ +# Base32 Parameter Names + +## Base32 Parameter Names + +Some attributes names in the applicative configuration, such a those related to dimensions +identification, are written using a +[Base32 representation of numbers](https://en.wikipedia.org/wiki/Base32). + +Identity Manager uses flavor of base32 known as **base32hex** described in the +[RFC4648](https://tools.ietf.org/html/rfc4648#rfc4648). + +It uses 10 digits from 0 to 9 and 22 letters from A to V to represent numbers. + +The following table shows the decimal - base32hex equivalent for the first 127 numbers. + +| base32hex | decimal | +| --------- | ------- | +| 0 | 0 | +| 1 | 1 | +| 2 | 2 | +| 3 | 3 | +| 4 | 4 | +| 5 | 5 | +| 6 | 6 | +| 7 | 7 | +| 8 | 8 | +| 9 | 9 | +| a | 10 | +| b | 11 | +| c | 12 | +| d | 13 | +| e | 14 | +| f | 15 | +| g | 16 | +| h | 17 | +| i | 18 | +| j | 19 | +| k | 20 | +| l | 21 | +| m | 22 | +| n | 23 | +| o | 24 | +| p | 25 | +| q | 26 | +| r | 27 | +| s | 28 | +| t | 29 | +| u | 30 | +| v | 31 | +| 10 | 32 | +| 11 | 33 | +| ... | ... | +| 1A | 42 | +| ... | ... | +| 20 | 64 | +| ... | ... | +| 2A | 74 | +| ... | ... | +| 3V | 127 | + +For example, dimensions are identified by a number going from 0 to 127 in decimal representation and +0 to 3V in base32hex representation. + +The [ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) support _128_ dimension +parameters going from `B0` to `B3V` using the **base32hex**`0` to `3V` numbers to identify a +dimension. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/recommendations/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/recommendations/index.md new file mode 100644 index 0000000000..d2ed201c29 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/recommendations/index.md 
@@ -0,0 +1,75 @@ +# Recommendations + +## Editor + +[Visual Studio Code](https://code.visualstudio.com/) is the recommended editor for configuration. +Its extensions can highly benefit the configuration experience. NETWRIX recommends the following +extensions: + +- [Project Manager](https://marketplace.visualstudio.com/items?itemName=alefragnani.project-manager) + for file organization; +- [Xml Tools](https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml) for XML + formatting; +- [XML](https://marketplace.visualstudio.com/items?itemName=rogalmic.vscode-xml-complete) by RedHat + to provide auto-completion of XML configuration based on an XSD file; +- [Powershell](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell) for + Powershell formatting; +- [Rainbow CSV](https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv) for CSV + formatting; +- [GitLens](https://marketplace.visualstudio.com/items?itemName=eamodio.gitlens) for file history + features. + +### Configure auto-completion + +RedHat's XML extension provides auto-completion based on an XSD file. It opens an auto-completion +popup when you start to edit an element or attribute name. You can open the popup by typing +`Ctrl-Space`. + +![Auto-complete](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp) + +Configure auto-completion by proceeding as follows: + +1. Retrieve from the SDK artifact the `usercube-configuration.xsd` and + `Usercube.Demo.code-workspace` files. +2. Make sure that these files are in the working directory (for example `C:/identitymanagerDemo`). +3. 
In `Usercube.Demo.code-workspace`, declare the following setting, replacing the path + `C:/identitymanagerDemo/identitymanager-configuration.xsd` by the path of your XSD file: + + ``` + + "settings": { + "xml.fileAssociations": [ + { + "systemId": "file:///C:/identitymanagerDemo/identitymanager-configuration.xsd", + "pattern": "**/*.xml" + } + ] + } + + ``` + +## Version Control System + +A version control system (like Git) is also recommended so files and configuration history could be +tracked. + +## File Hierarchy + +Some folders in the XML configuration contain files that are generated by Identity Manager and that +must not be modified manually: + +- `Runtime/Workforce` +- `Runtime/Bootstrap` + +For the configuration to be more readable it is recommended to classify configuration by Connector +or Application Entity. For each Connector or Application Entity create a folder in which will put: + +- **_Connector.xml_** file containing the definition of the Connector, the EntityTypes,the + EntityAssociations and their mappings. +- **_Administrator.xml_** file containing all the ACE for the administrator profile. +- **_Role Model.xml_** file containing the role model configuration. +- **_UI.xml_** file containing the User Interface configuration. +- **_Jobs.xml_** file containing the jobs configuration. +- **_Workflows.xml_** file containing the Workflows configuration for the given connector. + +![Recommendation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md new file mode 100644 index 0000000000..7944b159ee --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md 
@@ -0,0 +1,49 @@ +# Reserved identifiers + +Identifiers of [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)cannot be one of the following +words: + +These words can't be written in any case, example: id, Id, iD and ID are forbidden. + +- Id +- if +- for +- while +- return +- break +- else +- continue +- ref +- out +- class +- interface +- struct +- foreach +- do +- char +- byte +- string +- int +- long +- null +- public +- private +- protected +- static +- const +- abstract +- try +- catch +- sealed +- void +- true +- false +- finally +- throw +- Exception +- override +- readonly +- return +- enum +- delegate diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md new file mode 100644 index 0000000000..50394d1deb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md 
@@ -0,0 +1,32 @@ +# AccessCertificationDataFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the specific +entitlements attributes. + +## Properties + +| Property | Details | +| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| Category optional | **Type** Int64 **Description** Specifies the category targeted by the filter. | +| IncludeCompositeRoles default value: false | **Type** Boolean **Description** `true` to include the composite roles in the certification. | +| IncludeDeniedPermissions default value: true | **Type** Boolean **Description** Filters items with denied permissions from Access Certification Campaign. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with two validations in the certification. | +| IncludeManualAssignmentNotAllowed default value: true | **Type** Boolean **Description** `true` to include in the certification the resources that cannot be requested manually, i.e. those from [resource types](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) with `ApprovalWorkflowType` set to `ManualAssignmentNotAllowed`. | +| IncludeNestedCategories default value: false | **Type** Boolean **Description** When a category is used as filter, all its nested categories are also included in the campaign. 
| +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements without validation in the certification. | +| IncludeResourceNavigations default value: false | **Type** Boolean **Description** `true` to include the resource navigations in the certification. | +| IncludeResourceScalars default value: false | **Type** Boolean **Description** `true` to include the resource scalars in the certification. | +| IncludeResourceTypes default value: false | **Type** Boolean **Description** `true` to include the resource types in the certification. | +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with one validation in the certification. | +| IncludeSingleRoles default value: false | **Type** Boolean **Description** `true` to include the single roles in the certification. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with three validations in the certification. | +| IncludeWorkflowStateApproved default value: true | **Type** Boolean **Description** `true` to include the manually approved assignments of entitlements in the certification. | +| IncludeWorkflowStateFound default value: true | **Type** Boolean **Description** `true` to include the reconciled assignments of entitlements in the certification. | +| IncludeWorkflowStateHistory default value: true | **Type** Boolean **Description** `true` to include the preexisting approved assignments of entitlements in the certification. | +| IncludeWorkflowStatePolicyApproved default value: true | **Type** Boolean **Description** `true` to include the automatically approved assignments of entitlements in the certification. | +| LatestCertifiedLimitDate optional | **Type** DateTime **Description** If specified, only assignments of entitlements not certified since. 
| +| ResourceType optional | **Type** Int64 **Description** Specifies the resource type targeted by the filter. | +| Tags optional | **Type** String **Description** Tags of the roles targeted by the campaign filter. The tag separator is ¤. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md new file mode 100644 index 0000000000..83f5035ce9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md 
@@ -0,0 +1,18 @@ +# AccessCertificationOwnerFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the +attributes of entitlements owner. + +## Properties + +| Property | Details | +| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| D0 optional | **Type** Int64 **Description** Identifier of the dimension 0 (up to 3V in the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)) that filters the owners targeted by the access certification campaign. | +| IndividualOwner optional | **Type** Int64 **Description** If set, filters on the owner. | +| L0 default value: false | **Type** Boolean **Description** `true` to include all the hierarchy beneath the dimension 0. **Note:** this setting can be used only if the corresponding [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) was declared with `IsHierarchical` set to `true` and with a `ParentProperty`. | +| MinimalRiskScore optional | **Type** Int32 **Description** If set, filters only owners above given risk. | +| OwnerLastModificationDate optional | **Type** DateTime **Description** Date such that the identities to be certified will be those for which the value of the `OwnerLastModificationDateBinding` property was modified since then. **Note:** must be set together with `OwnerLastModificationDateBinding`. 
| +| OwnerLastModificationDateBinding optional | **Type** Int64 **Description** Binding of the property whose owner will be part of the campaign's targets, if the property's value was modified since `OwnerLastModificationDate`. **Note:** must be set together with `OwnerLastModificationDate`. **Note:** the properties calculated by Identity Manager cannot be used. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md new file mode 100644 index 0000000000..15d209cd0e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md @@ -0,0 +1,5 @@ +# Access Certification + +- [ AccessCertificationCampaignPolicy ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md) +- [ AccessCertificationDataFilter ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) +- [ AccessCertificationOwnerFilter ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md) 
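Review bot: In the new Recommendations page, step 1 of "Configure auto-completion" tells the reader to retrieve `usercube-configuration.xsd`, but step 3 and the `systemId` value both point at `identitymanager-configuration.xsd`, so a reader who follows the steps literally ends up with a file association that matches nothing. Use one file name in step 1, step 3 and the JSON snippet, matching what the SDK artifact actually ships. In the same hunk, the bullet "XML ... by RedHat" links to `itemName=rogalmic.vscode-xml-complete`, while the section below attributes the `xml.fileAssociations` setting to RedHat's XML extension; check that the link goes to the extension the setting belongs to.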
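Review bot: In reservedidentifiers/index.md, the opening sentence links `[ Entity Type ]` twice to the same entitytype/index.md target ("Identifiers of [ Entity Type ] and [ Entity Type ]cannot be one of the following words"), so the second element the restriction applies to is not actually named. Replace the second link with the intended element and add the missing space before "cannot". The sentence about case ("id, Id, iD and ID are forbidden") sits between "the following words:" and the list and would read better before or after both, and `return` appears twice in the list.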
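Review bot: In accesscertificationdatafilter/index.md, the `IncludeDeniedPermissions` row (default value: true) is described as "Filters items with denied permissions from Access Certification Campaign", which can be read as excluding them, the opposite of what the name and the other `Include*` rows ("`true` to include ...") suggest. Since this setting decides whether denied permissions are in the certification scope, word it like the neighbouring rows. The `LatestCertifiedLimitDate` description ("only assignments of entitlements not certified since.") stops mid-sentence and should say since what and what happens to the matching assignments. `TargetedRisk` carries the same "filters on the owner risk" text as in the owner filter, which is worth confirming for a data filter.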
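Review bot: In accesscertificationownerfilter/index.md, `MinimalRiskScore` ("filters only owners above given risk") does not say whether the threshold is inclusive, nor how it combines with `TargetedRisk` ("If set, filters on the owner risk") when both are set. Both affect which identities a campaign covers, so state the comparison and the interaction explicitly. The `D0` row mentions dimensions up to 3V, but the `L0` row does not say whether the same range exists for the `L` parameters; add that or link to the Base32 Parameter Names topic there too.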
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md new file mode 100644 index 0000000000..1eff0b9309 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md 
@@ -0,0 +1,207 @@ +# Access Control Rule + +An access control rule gives to a profile a set of permissions on a data set represented by an +entity type. + +The rule contains filters to restrict its application, and entries to grant or deny the permissions. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +               + +``` + +## Properties + +| Property | Type | Description | +| ----------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the access control rule in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type that forms the data set on which the rule's permissions are applied. **NOTE:** The entity type can be part of the custom entity model, e.g. `Directory_User` or `AD_Entry`, or part of the built-in entity model, e.g. `AssignedSingleRole` or `Workflows` or `AccessCertificationItem`. | +| Identifier required | String | Unique identifier of the access control. | +| Profile required | Int64 | The id of the profile to which the permissions will be given. | + +## Child Element: Entry + +AccessControlEntry grants or denies a permission to a user. Access Control Entries are part of an +Access Control Rule that defines the users scope of responsibility in the Identity Manager +UI/Workflows. + +**NOTE:** If your configuration contains an access control entry with `Permission="/"` and +`CanExecute="true"` then an error will occur during the configuration deployment, as a profile +should not possess such a big permission. 
+ +### Properties + +| Property | Type | Description | +| ----------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------- | +| CanExecute default value: false | Boolean | Gives permission to execute permission. | +| FullAccessProperties default value: false | Boolean | Gives full access to all properties. | +| IsPostCondition default value: true | Boolean | If true, the rule is evaluated on the entity after modification. | +| IsPreCondition default value: true | Boolean | If true, the rule is evaluated on the entity before modification. | +| Notify default value: true | Boolean | True to send notification emails to the rule's recipient profile when executing tasks related to the specified Permission. | +| Permission required | Int64 | Linked Permission. | +| Priority default value: 0 | Int32 | When a user has several contexts giving him access to the same right, the one with the highest priority is elected. | +| PropertyGroup optional | Int64 | Gives the right to read for the PropertyGroup. | + +## Child Element: Filter + +An access control filter restricts the application of the access control rule to a given subset of +the data set. The rule will give the specified permissions to the profile only on the parts of the +rule's data set for which the filter's condition is met. + +_Remember,_ the ViewHistory permission (/Custom/Resources/Entity_Type/ViewHistory) does not work if +a filter is added. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +``` + +This condition is actually a comparison expression between two elements: + +- The value of a property which is originating from an entity targeted by the rule +- A comparison value that can be constant, or originating from the user profile + +![Access Control Filter Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp) + +### Examples + +Filter on a constant value + +The following example gives to the `Administrator` profile certain permissions on user data, but +only concerning users working in the marketing department. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on users from +`Directory_User` whose `Code` of `MainOrganization` is `Marketing`. + +Filter on the account of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users from the team managed by the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users' +records from `Directory_UserRecord` whose `Id` of `Manager` is the identifier of the account used by +the current user to authenticate to Identity Manager. + +Filter on the context(s) of the assigned profile(s) of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users working in the same department as the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users from +`Directory_User` whose `Id` of `MainDepartment` is the same identifier as the value set for the +`Department` dimension of the current user, in at least one of their assigned profiles. + +For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension +set to `Treasury/Chief Economist`. + +![Matching Assigned Profile](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp) + +Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users +whose main department is `Treasury/Chief Economist`. + +The following example gives to the `RoleOfficerByCategory` profile certain permissions on assigned +single roles, but only concerning the roles of a category assigned to the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value +set for the `Category` property of the current user, in at least one of their assigned profiles. + +Multiple filters + +The following example gives to the `RoleOfficerByCategory` profile the permission to review the +roles of users from `Directory_User`, but only the roles of a category assigned to the current user, +and whose assignment is stated as pending the first approval out of 1, 2 or 3. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +     +   +     +   +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles: + +- Whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value set for the + `Category` property of the current user, in at least one of their assigned profiles, and +- Whose `WorkflowState` is set to 8 or 9 or 11, which mean respectively pending approval 1/1, 1/2 + and 1/3. + +### Properties + +| Property | Type | Description | +| ---------------------------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | Int64 | Binding of the property whose value is to be checked to restrict the application of the rule's permissions. **NOTE:** The binding must be based on the entity type defined in the access control rule. | +| Category default value: false | Boolean | True to compare the value specified by the binding to the categories of the current user's assigned profiles. | +| CompositeRole default value: false | Boolean | True to compare the value specified by the binding to the composite roles of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| CurrentUser default value: false | Boolean | True to compare the value specified by the binding to the identifier of the account used by the current user to authenticate to Identity Manager. 
**NOTE:** The current user is the owner of the profile, allowed by the access control rule to perform an action and/or receive a notification. `CurrentUser` is tightly linked to the configuration of the `SelectUserByIdentityQueryHandlerSetting`. | +| Dimension optional | Int64 | Identifier of the dimension whose value(s), from the user's assigned profiles, are to be compared to the value specified by the binding. See [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) and [ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topics for additional information. | +| Group optional | String | Group that the filter is part of. The access control rule filters the permissions by using the union (OR) of all filter groups, and the intersection (AND) of all filters within a group. **NOTE:** When not specified, the filter is part of the default group. | +| Operator default value: 0 | AccessControlFilterOperator | Comparison operator. 0 - Equals. 1 - NotEquals. | +| ResourceType default value: false | Boolean | True to compare the value specified by the binding to the resource types of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| SingleRole default value: false | Boolean | True to compare the value specified by the binding to the single roles of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| Value optional | String | Hard coded value to be compared to the value specified by the binding. | 
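Review bot: In accesscontrolrule/index.md, every fenced example block (under "Examples", "Child Element: Filter", each filter scenario and "Multiple filters") contains only whitespace or `...`, although the text above each one says that attributes enclosed with `<>` must be replaced, so the XML appears to have been lost when the page was added. This matters most for "Multiple filters": the `Group` row says groups are combined with OR and filters within a group with AND, and the prose relies on that ("`WorkflowState` is set to 8 or 9 or 11") without showing which filters share a group, so a reader cannot reproduce the intended scope and a wrong grouping changes who gets the permission. Restore the XML in each block. Separately, the `CanExecute` description ("Gives permission to execute permission.") is circular and should say what executing the linked `Permission` allows, and the lead-in "before entering the script in the command line" does not fit an XML configuration snippet.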
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md new file mode 100644 index 0000000000..d3f662be11 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md 
@@ -0,0 +1,10 @@ +# Access Control + +- [ AccessControlPermission ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +- [ AccessControlPropertyGroup ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md) +- [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +- [ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +- [ OpenIdClient ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +- [ Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +- [ Profile Context ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) +- [Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md new file mode 100644 index 0000000000..4e3e3c8923 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md 
@@ -0,0 +1,47 @@ +# OpenIdClient + +OpenIdClient declares an OpenID Connect clientId/secret to call the Identity Manager API. All the +configurations need at least one clientId used by all the jobs on the agent side to call the server. + +Only the hashed secret is kept in the configuration. The clear version is only known by the API +callers. + +The secret must be strong enough to protect access to the API. + +The good practice is generating a random secret, for example a 32 characters string, from a tool +like KeePass. Each clientId must have it's own secret. The tool +[ Usercube-New-OpenIDSecret ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) can be +used to generate secrets and their hashes. + +Each clientId must have a scope of responsibility. The _Profile_ and _ContextId_ properties assign a +required Profile and an optional Profile Context. + +## Examples + +The following code declares a clientId with the Administrator profile. + + ``` + + + +```` + + +The following code example declares a clientId with the RoleOfficerByCategory profile, restricted to the profile context defined below. The ContextId property must reference the Id of an existing Profile Context. Profile contexts don't have identifiers, so to avoid recalculation of the ProfileContext's Id property on configuration deployment, the Id should be declared manually as below. To be valid, it must be lower or equal to -2. 
+ + ``` + + + +```` + +## Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------- | +| Context optional | **Type** Int64 **Description** Id of the ProfileContext used to further restrict the client scope of responsibility | +| DisplayName_L1 required | **Type** String **Description** Name that will be Displayed on the screen | +| ExpirationDate optional | **Type** DateTime **Description** After this date, the client is no longer usable | +| HashedSecret required | **Type** String **Description** HashedPassword of client | +| Identifier required | **Type** String **Description** Client login name and name | +| Profile required | **Type** Int64 **Description** Profile linked with the client | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md 
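Review bot: In openidclient/index.md, the prose refers to a `ContextId` property ("The _Profile_ and _ContextId_ properties", "The ContextId property must reference the Id of an existing Profile Context") while the Properties table documents `Context`; use the attribute name the configuration actually accepts in both places. Both example fences open with an indented three-backtick line and close with four backticks, and their bodies are empty, so the declarations the text announces ("declares a clientId with the Administrator profile") are missing and the unbalanced fences are likely to swallow the following text when rendered. The `HashedSecret` row ("HashedPassword of client") should say that the value is the hash produced by the Usercube-New-OpenIDSecret tool mentioned above rather than something the reader computes by hand, and "it's own secret" should read "its own secret".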
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md new file mode 100644 index 0000000000..2b7b332971 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md 
@@ -0,0 +1,45 @@ +# Profile Rule Context + +Defines the context in which the rule will be evaluated. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------------- | ------- | ------------------------------------------------------------------------------------------------------ | +| EntityType optional | Int64 | When ResourceType is not used, identifier of the entity type from which the expressions are evaluated. | +| IsAppliedToRoot default value: true | Boolean | The dimensions are queried from the user's information. | +| ResourceType optional | Int64 | The resourceType of the assignedResourcetypes on which the rule is going to be applied on. | +| RootBinding optional | Int64 | Binding to apply on the user resource before executing the root expression(cf Profile Rule). | +| SubBinding optional | Int64 | Binding to apply on the user resource before executing the sub expression(cf Profile Rule). | + +## Child Element: ProfileRule + +Defines the rule to assign a profile to user when matched. + +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +### Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | Int64 | Represents the first dimension binding definition. The 127 other dimension bindings can be referred to by 127 more parameters from B1 to B3V following the base32hex convention. 
See the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| IsDenied default value: false | Boolean | Profile denied to the user when matched. | +| Profile required | Int64 | Identifier of the profile rule. | +| RootExpression optional | String | C# expression to apply on the source entity type of the context resource type. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| SubExpression optional | String | C# expression to apply on the target entity type of the context resource type. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md new file mode 100644 index 0000000000..8b7eb3eaac --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md @@ -0,0 +1,3 @@ +# Business Intelligence + +- [ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md new file mode 100644 index 0000000000..624bc49a40 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md 
@@ -0,0 +1,87 @@ +# Universe + +Universes constitute the basis for the configuration of a new model that we will call universe +model. Users can then exploit it, through the Query module and/or Power BI, to generate graphic +reports. + +## Examples + +##### Basic universe + +The following example builds a universe called `Universe1`: + +``` + + + + + +``` + +![Universe - Basic Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Display Names)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp) + +##### Basic universe with identifiers instead of display names + +The following example builds a universe called `Universe1` with identifiers as labels instead of +display names: + +``` + + + +``` + +![Universe - Basic Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Identifiers)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp) + +## Properties + +| Property | Details | +| ------------------------------------------ | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnNamesMode default value: DisplayName | **Type** UniverseColumnNamesMode **Description** Type of label to be displayed as the column names in Power BI, for this universe. `0` - DisplayName: display name of entity instances. `1` - Identifier: identifier of entity instances. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the universe in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Identifier of the universe. | + +## Child Element: Association Instance + +An association instance represents, within a Universe, the occurrence in the model of an +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +### Properties + +| Property | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Association required | **Type** Int64 **Description** Identifier of the entity association, in Identity Manager's entity model, that corresponds to the association instance. | +| Direction default value: 0 | **Type** Direction **Description** Direction of the association between the two entity instances. It must be the same direction as between the two entity types specified in these entity instances. `0` - Both directions. `1` - From the instance 1 to 2. `2` - From the instance 2 to 1. | +| Instance1 required | **Type** Int64 **Description** Identifier of the entity instance number one. 
| +| Instance2 required | **Type** Int64 **Description** Identifier of the entity instance number two. | + +## Child Element: Entity Instance + +An entity instance represents, within a Universe, the occurrence in the model of an +[ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +### Properties + +| Property | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity instance in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type, in Identity Manager's entity model, that corresponds to the entity instance. | +| FilterEntityProperty optional | **Type** Int64 **Description** Entity property used as filter (FilterProperty must be a navigation property to EntityProperty) | +| FilterEntityType optional | **Type** Int64 **Description** Entity type used as filter (FilterProperty must be a navigation property to EntityType) | +| FilterProperty optional | **Type** Int64 **Description** Property used to filter entity type's instance. | +| FilterResourceType optional | **Type** Int64 **Description** Resource type used as filter (FilterProperty must be a navigation property to ResourceType) | +| FilterValue optional | **Type** String **Description** Constant value used as filter. | +| Identifier required | **Type** String **Description** Identifier of the entity instance. | +| IsHidden default value: false | **Type** Boolean **Description** `true` if the entity instance is to be hidden in Power BI. | 
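Review bot: In universe/index.md, the "Child Element: Entity Instance" paragraph is a copy of the Association Instance one: it says an entity instance is "the occurrence in the model of an [ Entity Association ]" and links to metadata/entityassociation/index.md. The properties table under it describes EntityType as the "entity type, in Identity Manager's entity model, that corresponds to the entity instance", so the sentence should name and link the entity type instead. Both example screenshots also share the alt text "Universe - Basic Example", although the second one illustrates the identifier variant.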
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md new file mode 100644 index 0000000000..651d74324c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md @@ -0,0 +1,3 @@ +# Configuration + +- [Scaffoldings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..2ca9ea9d9c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# Access Review Administration Access Control Rules + +Scaffolding to generate the rights to administrate campaign creation. + +Gives access to a shortcut on the dashboard to access this page. + +![Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md new file mode 100644 index 0000000000..7237b5c02e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md @@ -0,0 +1,5 @@ +# Access Reviews + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + + Generates the permissions to administrate campaign creation. 
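Review bot: In accessreviewadministrationaccesscontrolrules/index.md, "Gives access to a shortcut on the dashboard to access this page." has no antecedent for "this page"; the only hint is the screenshot alt text "Access Certification Campaigns". Name the screen explicitly, as assignprofileaccesscontrolrules/index.md in this patch does with its **Assigned Profiles** screen, so that someone granting this scaffolding to a profile knows which part of the UI it opens.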
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md new file mode 100644 index 0000000000..cf4d1ea1bc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md 
@@ -0,0 +1,7 @@ +# Connectors + +- #### [ConnectorResourceTypeAccessControl](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen.- #### + [SettingsAccessControlRules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) Generates the permissions to + configure the Workforce Core Solution module and connector settings. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md new file mode 100644 index 0000000000..f0fd0f1c06 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md 
@@ -0,0 +1,15 @@ +# Access Control Rules + +Scaffoldings for access control give some permissions, by allowing the corresponding API calls. + +- [ Access Reviews ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) +- [ Connectors ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) +- [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) +- [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) +- [ Profiles ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +- [ Queries ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) +- [ Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) +- [Role Models](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) +- [ Simulations ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) +- [ User Interfaces ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) +- [ Workflows 
](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md new file mode 100644 index 0000000000..9eff0d7e7b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md 
@@ -0,0 +1,64 @@ +# Jobs + +- [ Get Job Log Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + + Generates the permissions to read task and job instances logs in UI for a given profile. + +- [ Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + + Scaffolding to access the job administration page. + +- [ Job Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + + Generates all permissions for JobStep entity. + +- [ Pending Assigned Resource Types Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes. + +- [ Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. 
+ +- [ Resource Changes View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +- [ Resource Type Mapping Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + + Generate rights to launch agent fulfillment. + +- [ Run Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch jobs from UI for a given profile. + +- [ Run Job Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when job finish with an error state. + +- [ Run Job Repair Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile. 
+ +- [ Run Job Repair Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when a relaunch job finish with an error state. + +- [ Synchronization Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + + Generates rights to launch synchronization task. + +- [ Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + + Generates all rights to have the access to job administration page. + +- [ Task Instance Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + + Generates access control to update the task instances. + +- [ Workflow Fulfillment Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + + Generates the execution rights to launch Fulfillment workflow for a given profile. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..e5045472b7 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md @@ -0,0 +1,30 @@ +# Job Administration Access Control Rules + +Scaffolding to access the job administration page. This page is accessible from the administration +part in dashboard of the user interface. + +![Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md new file mode 100644 index 0000000000..3e441d23de --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md @@ -0,0 +1,6 @@ +# Monitoring + +- [ Monitoring Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md new file mode 100644 index 0000000000..701770c0cb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Assign Profile Access Control Rules + +Gives to a given profile the rights to create, update, delete and query any assigned profile, from +the **Assigned Profiles** screen. + +![Assigned Profiles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update, delete and +query assigned profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md new file mode 100644 index 0000000000..6271b8f980 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md 
@@ -0,0 +1,10 @@ +# Profiles + +- [ Assign Profile Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update, delete and query any assigned profile. + +- [ OpenId Client Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- [ Profile Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update and delete profiles. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md 
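Review bot: In profiles/index.md the `OpenId Client Administration Access Control Rules` item has no description and no blank `+` line before the `Profile Administration Access Control Rules` item, so "Gives to a given profile the rights to create, update and delete profiles." reads as if it described both entries. Add a one-line description of what the OpenId client scaffolding grants and separate the two items the way the `Assign Profile Access Control Rules` entry is separated. An index of permission scaffoldings is what people skim when deciding what to hand to a profile, so each entry should say what it grants.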
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..9a6b363c1c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md @@ -0,0 +1,38 @@ +# Profile Administration Access Control Rules + +Gives to a given profile the rights to create, update and delete profiles. + +Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section. + +![Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +![Profiles](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/accesscontrol_profiles_v603.webp) + +See more details on profiles' APIs. + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update and delete +profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
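Review bot: The sentence "See more details on profiles' APIs." in profileadministrationaccesscontrolrules/index.md points nowhere; it has no link target, so the reader cannot follow it. Either link it to the profiles API topic or drop the line. Two smaller points in the same hunk: the fenced blocks under `## Examples` and `## Generated XML` are empty as shown here, so please confirm the XML snippets survived the move, and the Properties table packs the name and the required flag into one cell ("Profile required") and the type and description into another, where a `Property | Type | Description` layout would be easier to scan.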
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md new file mode 100644 index 0000000000..df4eacfda5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md @@ -0,0 +1,19 @@ +# Queries + +- [ Manage Setting Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table. + +- [ Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + + Generates the permissions to access the report view. + +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + + Generates the permissions to apply a report for a profile on a given entity. + +- [ Universe Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
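Review bot: The descriptions in queries/index.md are worded inconsistently within the same list: the first entry says "gives to a profile the permission" and the last says "gives a profile the permission". Pick the second form throughout. The link labels are also padded with spaces inside the brackets (`[ Report Access Control Rules ]`), and `UM_Settings` should be in backticks since it is a table name. Because `Manage Setting Access Control Rule` is the only entry in this list that grants create, update and delete as well as query, consider stating that it is a write permission so it stands out from the read-only entries around it.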
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md new file mode 100644 index 0000000000..ab4e5ac164 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# Report Access Control Rules + +Generates the rights to access the report view. + +Gives access to a shortcut on the navigation to access this page. + +![Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md new file mode 100644 index 0000000000..e4c1cd43d3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md 
@@ -0,0 +1,32 @@ +# Target Resource Report Access Control Rules + +Generates the right to apply a report for a profile on a given entity. + +The existence of a report for this entity must exist in order to use this scaffolding. A scaffolding +allows to generate a default report for an entity: +[ Target Resource Report Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md 
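Review bot: In targetresourcereportaccesscontrolrules/index.md the prerequisite sentence "The existence of a report for this entity must exist in order to use this scaffolding." is circular, and "A scaffolding allows to generate a default report" is ungrammatical. Suggest "A report must exist for this entity before this scaffolding can be used. The Target Resource Report Menus scaffolding generates a default report for an entity." The `## Examples` section also has no sentence saying which profile and entity type the example uses, unlike the Assign Profile and Profile Administration pages in this patch.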
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md new file mode 100644 index 0000000000..ed1a081988 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md 
@@ -0,0 +1,24 @@ +# Resources + +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally. + +- [ Resource Api Administration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile. + +- [ Resource Picker Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + + Creates the reading right of the resource picker. + +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + + Generates the permissions to view an entity type's resources. + +- [ View History Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
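Review bot: "Creates the reading right of the resource picker." in resources/index.md is hard to parse and breaks the "Generates the permissions to ..." pattern the other entries follow; reword it in that pattern and say which profile or entity type the read permission applies to. `Resource Api Administration` is the only title in the list without the "Access Control Rules" suffix and spells "Api" rather than "API"; if that is the scaffolding's real name keep it, otherwise align it. This entry grants create/update/delete/query while its neighbours are view-only, so it is worth calling out as the write-capable one.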
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..ad3067e0f9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Bulk Perform Manual Provisioning Access Control Rules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple manual provisioning items for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..dd0f893af5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md 
@@ -0,0 +1,36 @@ +# Bulk Resource Reconciliation Access Control Rules + +The following example assigns to the Administrator profile the rights to reconcile simultaneously +several resources from the Directory_User entity type. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The scaffolding generates the following scaffoldings: + +- ReconciliateResourcesAccessControlRules: Generates the permissions to access the resource + reconciliation pages for a given entity type and profile. See the + [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + topic for additional information. + +## Properties + +| Property | Type | Description | +| ------------------- | ------ | ---------------------------------------------------------- | +| EntityType required | String | Identifier of the entity type involved in the scaffolding. | +| Profile required | String | Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..b08afd3a7c --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md @@ -0,0 +1,33 @@ +# Bulk Review Provisioning Access Control Rules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple errored provisioning orders for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..2bc7beb5a2 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md @@ -0,0 +1,16 @@ +# Bulk Role Reconciliation Access Control Rules + +Generates the permissions to perform bulk validations on the **Role Reconciliation** page. + +The scaffolding generates the following scaffoldings: + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..c0beb7877f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md 
@@ -0,0 +1,14 @@ +# Governance Roles Access Control Rules + +Generates the rights to access the role review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md new file mode 100644 index 0000000000..50bd7466db --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md 
@@ -0,0 +1,70 @@ +# Role Models + +- [ Basket Rules Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + + Generates the permissions to execute the different requests to display the information in the + rights basket. + +- [ Bulk Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page. + +- [Bulk Resource Reconciliation Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page. + +- [ Bulk Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders). + +- [ Bulk Role Reconciliation Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* page. 
+ +- [ Governance Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + + Generates the permissions to access the governance review pages for a given entity type and + profile. + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +- [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile. + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments. 
+ +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +- [ Review Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + + Generates the permissions to access the role review pages for a given entity type and profile. + +- [ Risks Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- [ Role Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. + +- [ Role Naming Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. 
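Review bot: The page names in rolemodels/index.md are written as `\*\*Perform Manual Provisioning\*\*`, `\*\*Resource Reconciliation\*\*`, `\*\*Provisioning Review\*\*`, `\*\*Role Reconciliation\*\*` and `\*\*Redundant Assignment\*\*`; the escaped asterisks will render literally instead of as bold. Remove the backslashes. Also in this hunk, `Risks Administration Access Control Rules` has no description and runs straight into the `Role Administration Access Control Rules` item without a blank line, and `Governance Roles Access Control Rules` is described here as giving access to "the governance review pages" while its own page in this patch says "the role review pages", the same wording this index uses for `Review Roles Access Control Rules`. Please make clear how those two scaffoldings differ.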
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..7f188d1b01 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md @@ -0,0 +1,36 @@ +# Perform Manual Provisioning Access Control Rules + +Generates the rights to access the access manual provisioning pages for a given entity type and +profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +The connector connected to the entity type must have the manual type as the provisioning type, +otherwise the information of the entity type cannot be displayed on this screen. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
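Review bot: The opening sentence of performmanualprovisioningaccesscontrolrules/index.md repeats a word: "access the access manual provisioning pages". Drop the second "access", and consider aligning the wording with the rolemodels index entry for this page, which says "permissions" where this page says "rights". The fences under Examples and Generated XML carry no XML as shown in this hunk; confirm the scaffolding element and its generated output were not lost in the move.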
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md new file mode 100644 index 0000000000..8908499a49 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md @@ -0,0 +1,35 @@ +# Reconciliate Resources Access Control Rules + +Generates the right to access the reconcile resources pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +![Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
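Review bot: In reconciliateresourcesaccesscontrolrules/index.md the second paragraph reads "Also create the rights to view the TargetEntityTypes", which breaks subject agreement with "Generates" above; it should be "Also creates". Since this sentence widens what the scaffolding grants (view rights on every target entity type of resource types sourced from the given entity type), it would be clearer stated directly after the first sentence rather than after the dashboard shortcut line.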
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..e69cf50dc8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md @@ -0,0 +1,32 @@ +# Reconciliate Roles Access Control Rules + +Generates the rights to access the access reconcile roles pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
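Review bot: The first sentence of reconciliaterolesaccesscontrolrules/index.md has a duplicated word: "access the access reconcile roles pages". Remove the second "access"; the rolemodels index describes the same pages as "role reconciliation pages", which would read better here as well.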
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md new file mode 100644 index 0000000000..43fc420c76 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md @@ -0,0 +1,35 @@ +# Redundant Assignment Access Control Rule + +Generates the permissions to access the **Redundant Assignment** page, to analyze and remove +redundant assignments. + +Gives access to a shortcut on the dashboard to access this page. + +![Redundant Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the permissions to access the **Redundant +Assignment** page and perform redundant-assignment related actions. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..161bfcae71 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md @@ -0,0 +1,34 @@ +# Review Provisioning Access Control Rules + +Generates the right to access the review provisioning pages for a given entity type and profile. +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +Gives access to a shortcut on the dashboard to access this page. + +![Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
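Review bot: In reviewprovisioningaccesscontrolrules/index.md, "Also create the rights to view the TargetEntityTypes" should be "Also creates". The same sentence appears in the Reconciliate Resources page as a separate paragraph placed after the dashboard shortcut line, while here it is joined to the opening paragraph; pick one placement for both pages.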
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..62a4db7405 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md @@ -0,0 +1,32 @@ +# Review Roles Access Control Rules + +Generates the rights to access the access roles review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
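Review bot: The image in reviewrolesaccesscontrolrules/index.md points at `.../rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp`, a folder named for a different scaffolding, while the sibling pages in this patch take their screenshots from `user-guide/...` paths. Check that the file exists at that location after the rename and that it is the intended screenshot. The opening sentence also repeats a word: "access the access roles review pages".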
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..876f47a98d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,44 @@ +# Role Administration Access Control Rules + +Generates the rights to access the access configuration pages and create, update, delete for: + +- Policies +- ResourceTypes +- SingleRoles +- CompositeRoles +- ResourceNavigationRules +- ResourceScalarRule +- ResourceCorrelationRule +- CompositeRoleRule +- ResourceTypeRule +- SingleRoleRule +- ContextRule +- Categories + +Gives access to a shortcut on the dashboard to access this page. + +![Configuration Section](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md 
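Review bot: The lead sentence of roleadministrationaccesscontrolrules/index.md is hard to parse: "Generates the rights to access the access configuration pages and create, update, delete for:" has a duplicated "access" and ends on a dangling "for". The rolemodels index already has a cleaner form ("access the configuration pages and create, update, delete the elements of the role model"). The list below it also mixes plural and singular names (`ResourceNavigationRules` next to `ResourceScalarRule`, `ResourceCorrelationRule`, `CompositeRoleRule`); if these are meant to be exact element names, confirm each one, otherwise make them consistent.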
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md new file mode 100644 index 0000000000..c550f08dec --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md @@ -0,0 +1,4 @@ +# Simulations + +- [Policy Simulation Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- [ Role And Simulation Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md new file mode 100644 index 0000000000..158705b131 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md @@ -0,0 +1,7 @@ +# User Interfaces + +- [ Manage Accounts ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- [ Search Bar Page Access Control ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md new file mode 100644 index 0000000000..17afcb5c64 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md @@ -0,0 +1,39 @@ +# Manage Accounts + +Gives access to the **Manage Accounts** buttons for the users of a given entity type. + +![ManageAccounts Button](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp) + +The scaffolding gives access to the button, but you need to get the permissions on said accounts in +order to see anything once you click on the button. + +## Examples + +The following example gives the `Administrator` profile access to the **Manage Accounts** button for +users from `Directory_User`. + +``` + + + +In order to see AD accounts once clicking on the button: + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
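Review bot: In manageaccounts/index.md the sentence "In order to see AD accounts once clicking on the button:" sits inside the Examples code fence, so it will render as code rather than prose. Close the fence before it and open a second fence for the snippet that follows. This matters because the page states that the scaffolding only exposes the button and that separate permissions on the accounts are needed to see anything; that second snippet is the part readers need to find.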
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md new file mode 100644 index 0000000000..384d2800f1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md 
@@ -0,0 +1,41 @@ +# Create Update Delete Access Control Rules + +Generates execution rights for the create, update, delete workflows. + +Some prerequisites are necessary to be able to launch this scaffolding. A entity type must be +created with the following naming convention: "Worfklow\_" + idenfitier type entity. Three workflows +must be created with the following names: + +- entity type identifier + "\_Create"; +- entity type identifier + "\_Update"; +- entity type identifier + "\_Delete"; + +The scaffolding generates the following scaffoldings: + +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): Generates the + permissions to view an entity type's resources. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md new file mode 100644 index 0000000000..9437a6c5c5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md 
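Review bot: The prerequisites paragraph of createupdatedeleteaccesscontrolrules/index.md misspells the naming convention it asks readers to follow: "Worfklow\_" + "idenfitier type entity". If the intended prefix is `Workflow_`, anyone copying the documented string will create an entity type that does not match, so this needs correcting along with "A entity type" and "idenfitier type entity" (presumably "entity type identifier", as used in the three bullets below). The sentence "The scaffolding generates the following scaffoldings" introduces a list with a single item; reword it or confirm no other generated scaffoldings are missing.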
@@ -0,0 +1,16 @@ +# Workflows + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + + Generates execution rights for the create, update, delete workflows. + +- [ Update Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- [ Workflow Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile. + +- [ Workflow Configuration Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- [ Workflow Overview Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + + Generates the permissions to access the workflow supervision page. 
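Review bot: In workflows/index.md the entries for Update Resources Access Control Rules and Workflow Configuration Control Rules have no description line, while the other three entries do. Add a one-line description for each so the index can be scanned for what each scaffolding grants, or confirm the omission is deliberate.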
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md new file mode 100644 index 0000000000..58652bd665 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md 
@@ -0,0 +1,39 @@ +# Workflow Access Control Rules + +Generates the rights to access the task page and visualize the different workflows to be executed +for a given entity type and profile. + +Gives access to a shortcut on the dashboard and on the top bar to access this page. + +Top bar shortcut: + +![Tasks in Top Bar](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +DashBoard shortcut: + +![Task in Dashboard](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md 
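Review bot: In workflowaccesscontrolrules/index.md the label "DashBoard shortcut:" uses different capitalisation from "dashboard" two lines above and from the other pages in this patch; use "Dashboard shortcut:".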
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md new file mode 100644 index 0000000000..37dd938f42 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md @@ -0,0 +1,32 @@ +# Workflow Overview Control Rules + +Generates the rights to access the workflow supervision page. + +Gives access to a shortcut on the dashboard to access this page. + +![Workflow Overview](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md new file mode 100644 index 0000000000..8234e6461c --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md 
@@ -0,0 +1,79 @@ +# Connector Mappings + +This scaffolding allows the user to generate the mapping of an entity in a given connector. + +The identifiers of the connector and the entity type must be provided to the scaffolding through the +attributes `Connector` and `EntityType` to make the link between these two elements and create the +mapping. This scaffolding needs to have an argument to know the location of the file to be retrieved +during the collection. This file must be a CSV file with "Command" as the first column and then the +rest of the columns for scalar and mono-navigation properties. This file must be named after the +entity type. If there are multi-valued navigation properties, it is necessary to create a file with +"Command" as first property and the key of the two entities to link. This file must be named after +the identifier of the starting entity type + "\_" + the identifier of the navigation property. + +If you are using a CSV connector with files in incremental mode, you must specify the attribute +`IsIncremental` to `true`. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the job to be generated. | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| IsIncremental optional | **Type** Boolean **Description** `true` to perform an incremental synchronization. | +| Package optional | **Type** ConnectionPackage **Description** For a `ConnectorMappings` scaffolding, identifier of the package for the connection to be generated. | + +## Child Elements + +- Excluded Property (optional) to ignore a given property of the specified entity type. 
+- Mapping Path (optional) Define the path for csv EntityType mapping + +### Excluded Property + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. + +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When getting Identity Manager +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### Mapping Path + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------- | +| IsIncremental default value: false | **Type** Boolean **Description** Defines if the CSV connector files uses the incremental mode | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
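Review bot: The Excluded Property section of connectormappings/index.md appears to describe a different scaffolding: the example text talks about generating "a universe `U8_Users`" and "our U1", the follow-up sentence refers to Power BI, and the image path is under `scaffoldings/queries/universedatamodel/`. None of that relates to mapping an entity type to a connector, so replace it with a Connector Mappings example or remove it. The sentence "When getting Identity Manager [Connect Power BI to Identity Manager](...), we see the following:" is also incomplete as written. Separately, `IsIncremental` is documented twice, once as an optional scaffolding property and once under Mapping Path with "default value: false"; state in one place which element carries the attribute.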
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md new file mode 100644 index 0000000000..2d23382468 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md 
@@ -0,0 +1,34 @@ +# Entity Types + +- [ Connector Mappings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + + Generates the mapping of an entity in a given connector. + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + + Computes a default value for resources' internal display names. + +- [ Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + + Creates an adaptable display table for a given entity type. + +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping. + +- [ Entity Type Search Bar ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + + Creates the search bar for the entity without criteria. 
+ +- [ Target Resource Report Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + + Creates the Item menu for the entity's report so that it is displayed in the report view. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md new file mode 100644 index 0000000000..a61611de82 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md @@ -0,0 +1,4 @@ +# Entity Types + +- [Entity Types](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) +- [ Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) 
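Review bot: Both new index pages are titled `# Entity Types`: this entitytypes/index.md and the entitytypes/entitytypes/index.md that it links to as `[Entity Types]`, so a reader meets the same name at two levels of the tree. Give the child page a distinct title, since it lists the entity type scaffoldings that sit beside Workflows. In entitytypes/entitytypes/index.md the entries for Entity Type Display Table and Entity Type Display Target Resource Table carry the identical description "Creates a display table for the given entity.", which does not tell a reader which one to pick. Link text is padded inconsistently as well (`[Entity Types]` beside `[ Workflows ]`); trim the spaces inside the brackets.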
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md new file mode 100644 index 0000000000..0c86975ef0 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md 
@@ -0,0 +1,24 @@ +# Workflows + +- [ Create Update Delete Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md) + + Creates updates and deletes menus for an entity. + +- [ Create Update Delete Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) +- [ Update Resources Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- [ Update Resources Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- [ Workflow Actors Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- [ Workflow Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + + Creates an entity that will be the source of all workflows that manipulate the given entity. + +- [ Workflow Entity Type Display Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- [ Workflow Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + + Creates the display table of the workflow entity of the starting entity. 
+ +- [ Workflow Entity Type Search Bar ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + + Creates the search bar of the workflow entity of the starting entity. + +- [ Workflow Performer Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md 
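Review bot: In the new workflows/index.md, six of the ten entries have no description (Create Update Delete Workflows, Update Resources Menus, Update Resources Workflows, Workflow Actors Notification, Workflow Entity Type Display Entity Type, Workflow Performer Notification) while the other four do, so the list alternates between annotated and bare links. Add a one-line summary to each, or drop the summaries from this index. The first description, "Creates updates and deletes menus for an entity.", parses as three verbs; "Creates the create, update and delete menus for an entity." says what the title implies.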
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md new file mode 100644 index 0000000000..0912ad89c4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md 
@@ -0,0 +1,443 @@ +# Scaffoldings + +Identity Manager provides a list of scaffoldings to act as configuration shortcuts: a scaffolding is +an XML element that will generate a complex XML fragment. + +Available scaffoldings are described below. + +To understand scaffoldings' generated configuration, Identity Manager's executable +[ Usercube-Export-Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-configuration/index.md) +can be launched with the `--export-scaffolding` option to export into XML files the configuration +items generated by scaffoldings. + +Remember that these exported files are meant for viewing and understanding purposes, not for using +their content in your own configuration. + +## References + +- [Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md) + +- [ Access Reviews ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + + Generates the permissions to administrate campaign creation. + +- [ Connectors ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) + +- [ Connector Resource Type Access Control ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. 
+ +- [ Settings Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) + + Generates the permissions to configure the Workforce Core Solution module and connector + settings. + +- [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) + +- [ Get Job Log Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + + Generates the permissions to read task and job instances logs in UI for a given profile. + +- [ Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + + Scaffolding to access the job administration page. + +- [ Job Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + + Generates all permissions for JobStep entity. + +- [ Pending Assigned Resource Types Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes. 
+ +- [ Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. + +- [ Resource Changes View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +- [ Resource Type Mapping Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + + Generate rights to launch agent fulfillment. + +- [ Run Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch jobs from UI for a given profile. + +- [ Run Job Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when job finish with an error state. 
+ +- [ Run Job Repair Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile. + +- [ Run Job Repair Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when a relaunch job finish with an error state. + +- [ Synchronization Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + + Generates rights to launch synchronization task. + +- [ Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + + Generates all rights to have the access to job administration page. + +- [ Task Instance Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + + Generates access control to update the task instances. + +- [ Workflow Fulfillment Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+ +- [ Monitoring ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) + +- [ Monitoring Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. + +- [ Profiles ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) + +- [ Assign Profile Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update, delete and query any assigned profile. + +- [ OpenId Client Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- [ Profile Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update and delete profiles. 
+ +- [ Queries ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) + +- [ Manage Setting Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table. + +- [ Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + + Generates the permissions to access the report view. + +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + + Generates the permissions to apply a report for a profile on a given entity. + +- [ Universe Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
+ +- [ Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) + +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally. + +- [ Resource Api Administration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile. + +- [ Resource Picker Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + + Creates the reading right of the resource picker. + +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + + Generates the permissions to view an entity type's resources. + +- [ View History Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
+ +- [Role Models](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) + +- [ Basket Rules Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + + Generates the permissions to execute the different requests to display the information in the + rights basket. + +- [ Bulk Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page. + +- [Bulk Resource Reconciliation Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page. + +- [ Bulk Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders). + +- [ Bulk Role Reconciliation Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* page. 
+ +- [ Governance Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + + Generates the permissions to access the governance review pages for a given entity type and + profile. + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +- [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile. + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments. 
+ +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +- [ Review Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + + Generates the permissions to access the role review pages for a given entity type and profile. + +- [ Risks Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- [ Role Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. + +- [ Role Naming Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. 
+ +- [ Simulations ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) + +- [Policy Simulation Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- [ Role And Simulation Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) + +- [ User Interfaces ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) + +- [ Manage Accounts ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- [ Search Bar Page Access Control ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. + +- [ Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + + Generates execution rights for the create, update, delete workflows. 
+ +- [ Update Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- [ Workflow Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile. + +- [ Workflow Configuration Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- [ Workflow Overview Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + + Generates the permissions to access the workflow supervision page. + +- [ Entity Types ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md) + +- [Entity Types](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) + +- [ Connector Mappings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + + Generates the mapping of an entity in a given connector. + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + + Computes a default value for resources' internal display names. 
+ +- [ Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + + Creates an adaptable display table for a given entity type. + +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping. + +- [ Entity Type Search Bar ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + + Creates the search bar for the entity without criteria. + +- [ Target Resource Report Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + + Creates the Item menu for the entity's report so that it is displayed in the report view. 
+ +- [ Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) + +- [ Create Update Delete Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) + + Creates updates and deletes menus for an entity. + +- [ Update Resources Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- [ Update Resources Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- [ Workflow Actors Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- [ Workflow Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + + Creates an entity that will be the source of all workflows that manipulate the given entity. + +- [ Workflow Entity Type Display Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- [ Workflow Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + + Creates the display table of the workflow entity of the starting entity. 
+ +- [ Workflow Entity Type Search Bar ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + + Creates the search bar of the workflow entity of the starting entity. + +- [ Workflow Performer Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) + +- [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md) + +- [Clean Database Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + + Creates the job to clean old tasks and jobs instances with state InProgress. + +- [Create Access Certification Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + + Creates the AccessCertification Job. + +- [Create Agent Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode. + +- [Create Agent Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode. 
+ +- [ Create Connectors Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + + Creates all jobs by connector to launched task in the connector page. + +- [Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + + Creates for the given connector the synchronization in complete mode. + +- [Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + + Creates for the given connector the synchronization job in incremental mode. + +- [Create Initialization Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + + Creates the Initialization Job for the given agent. + +- [ Optimizations ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md) + +- [ Optimize Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + + Optimizes all elements found in the given displayTable. + +- [ Queries ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) + +- [ Target Resource Report ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + + Creates a ReportQuery with default Query taking all the properties of the entity. 
+ +- [ Universe Data Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + + Creates, within a universe, entity instances and association instances based on a predefined + template. + +- [Templates](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md) + +- [Connectors Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + + Gives the permissions to manage the connector pages. + +- [ Create Administrator Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + + Creates the profile administrator and all default access control rules. + +- [ Create Update Delete Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile. + +- [ Entity Report Default ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + + Creates all configuration items to add a ReportQuery for an EntityType and profile. + +- [ Job Execution Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. 
+ +- [ Job View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. + +- [ Simulation Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + + Generates the permissions to configure and launch simulations. + +- [ Update Resources Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) +- [ View Source Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile. + +- [ View Target Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile. + +- [ View Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + + Creates the view for the given entity as well as the rights for the given profile. 
+ +- [ View Template Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. + +- [ Workforce ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md) + +- [ Bootstrap Module ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) + + Generates the default settings required to start using Identity Manager and the Workforce Core + Solution module. + +- [Workforce Module](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) + + Generates the workforce repository based on the data filled in the Workforce Core Solution + module. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md 
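Review bot: The bold markers in the Role Models descriptions of this scaffoldings index are backslash-escaped (`\*\*Perform Manual Provisioning\*\*`, `\*\*Provisioning Review\*\*`, `\*\*Redundant Assignment\*\*` and the other bulk entries), so they render as literal asterisks instead of bold page names; drop the backslashes. Several entries carry no description at all, for example Risks Administration Access Control Rules, Policy Simulation Control Rules, Manage Accounts, Update Resources Access Control Rules and Workflow Configuration Control Rules, and Entity Type Display Target Resource Table repeats the Entity Type Display Table text "Creates a display table for the given entity." word for word. Most of this list states which permissions a scaffolding grants to a profile, so each access control entry should say what it grants. Link labels are also padded inconsistently (`[ Resources ]` versus `[Role Models]`); pick one form.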
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md new file mode 100644 index 0000000000..e87b086350 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md 
@@ -0,0 +1,508 @@ +# Create Initialization Job + +Creates the Initialization Job for the given agent. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ----------------------- | ------- | -------------------------------------------------------------------------------------------------------------- | +| Agent optional | String | For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | String | Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | String | For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | Boolean | Internal use. | + +## Child Elements + +The list of child elements includes the following: + +- AddTask (optional) — Add a task before or after another in the job +- Configuration (optional) — Add the path of the configuration folder if a configuration task is in + the job +- FormatPropertiesInResource (optional) — Converts string properties to their corresponding types in + the 'Resource' section of the provisioning order +- NoConnectorProvisioning (optional) — Avoid provisioning for a connector +- NoConnectorSynchronization (optional) — Avoid collect for a connector +- NotUsed (optional) — Avoid collect and provisioning for a connector +- OpenIdIdentifier (optional) — Add a OpenID to the job and the tasks +- PrincipalDataConnector (optional) — Specifies the connector that contains the data for the + fulfillment of external systems. + +### AddTask + +| Property | Type | Description | +| ------------------------------ | ------- | ---------------------------------------------------------------------------------------------------------- | +| Task required | String | Identifier of the task to add. 
| +| TaskToCompareWith required | String | The identifier of the task before or after which the new task will be inserted | +| After default value: false | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | Boolean | For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | Int32 | For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | Int32 | Occurence of the TaskToCompare after or before which the task will be added | + +### Configuration + +| Property | Type | Description | +| ------------- | ------ | ------------------------------ | +| Path required | String | Represents the argument value. | + +### NoConnectorProvisioning + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### NoConnectorSynchronization + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. 
| + +### NotUsed + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### OpenIdIdentifier + +| Property | Type | Description | +| ------------------- | ------ | ------------------------ | +| Identifier required | String | Identifier of the OpenId | + +### PrincipalDataConnector + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +    
 +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +   +   +     +     +   +   +   +   +   + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md new file mode 100644 index 0000000000..4e7327cdc5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md 
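Review bot: Both code fences in the new Create Initialization Job page are empty as added: the block under `## Examples` has no content, and the block under `## Generated XML` consists only of blank added lines, so "Our example generates the following configuration" is followed by nothing a reader can check. Restore the scaffolding XML and its generated output, or drop the two sections until they can be filled. In the tables, requiredness and defaults are fused into the Property cell (`Agent optional`, `After default value: false`) and would read better in their own column. The child element list names `FormatPropertiesInResource` but there is no matching `###` section, and the `ConnectorIdentifier` description refers to `FulfillInternalWorkflowsPath`, which the list does not include. In the AddTask descriptions, `TaskCompareWith` and `TaskToCompare` should match the property name `TaskToCompareWith`, and "Occurence" in the description text should read "occurrence" (leave the property names alone if they follow the schema).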
@@ -0,0 +1,35 @@ +# Jobs + +- [Clean Database Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + + Creates the job to clean old tasks and jobs instances with state InProgress. + +- [Create Access Certification Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + + Creates the AccessCertification Job. + +- [Create Agent Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode. + +- [Create Agent Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode. + +- [ Create Connectors Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + + Creates all jobs by connector to launched task in the connector page. + +- [Create Connector Synchro Complete](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + + Creates for the given connector the synchronization in complete mode. + +- [Create Connector Synchro Incremental](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + + Creates for the given connector the synchronization job in incremental mode. 
+ +- [Create Initialization Job](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + + Creates the Initialization Job for the given agent. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md new file mode 100644 index 0000000000..161462b77d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md @@ -0,0 +1,5 @@ +# Optimizations + +- [ Optimize Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + + Optimizes all elements found in the given displayTable. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md new file mode 100644 index 0000000000..3692bb5d80 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md 
@@ -0,0 +1,45 @@ +# Optimize Display Table + +This scaffolding optimizes the given display table by replacing its tiles navigation properties by +scalar (pre-computed, via expressions) properties. This ultimately improves the performances of the +SQL queries used to fetch the data displayed in the corresponding table. + +In order to optimize the display table, this scaffolding will create the following elements if they +don't exist. + +- An [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)for each tile item that uses a + navigation binding. This will be used to hold the computed expression. +- An [ Entity Property Expression ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) to + evaluate the binding expression used by the optimizable tile item. + +Then, the scaffolding will link the display table tile elements to the newly created scalar +properties. + +This scaffolding has a downside which is that the displayed data is less dynamic than a normal +display table, since it requires computing the expression (via jobs) ahead of time. + +## Examples + +The following example optimized the DisplayTable `Directory_User` + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------- | +| DisplayTableIdentifier required | **Type** String **Description** The identifier of the display table to optimize | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
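Review bot: Both fenced blocks in optimizedisplaytable/index.md, under "## Examples" and under "## Generated XML", contain only blank lines, so the page announces an example for the `Directory_User` display table and its generated configuration but shows neither. If the XML was lost when the file was moved, restore it inside the fences; otherwise drop the empty sections. Two smaller points in the same hunk: `[ Entity Type ](...)for each tile item` is missing a space after the link and carries padded link text, and "The following example optimized" should read "optimizes".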
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md new file mode 100644 index 0000000000..628b0f16f5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md @@ -0,0 +1,10 @@ +# Queries + +- [ Target Resource Report ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + + Creates a ReportQuery with default Query taking all the properties of the entity. + +- [ Universe Data Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + + Creates, within a universe, entity instances and association instances based on a predefined + template. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md new file mode 100644 index 0000000000..eb492c1ffa --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md 
@@ -0,0 +1,331 @@ +# Universe Data Model + +This scaffolding creates, within a universe, entity instances and association instances based on a +predefined template. + +The entity instances generated by the scaffolding will have: + +- as a display name, the display name of the corresponding navigation property, for example + `Main Record`; +- as an identifier, the identifier of the corresponding navigation which is made of + `_`, for example `Directory_User_MainRecord`. + +## Properties + +| Property | Details | +| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EntityType required | **Type** String **Description** Identifier of the entity type that we want to represent in the universe (as an entity instance) with all its navigations. | +| Universe required | **Type** String **Description** Identifier of the universe in which the instances to be generated are going to exist. | + +## Child Elements + +- Excluded Property (optional) to ignore a given property of the specified entity type. +- Root Instance (optional) to rename the core entity instance that is to be generated, and to avoid + data duplication when using several scaffoldings in one universe. +- Source Entity Type (optional) Define the source EntityType +- Universe Template (optional) to use a template different from the default one. + +### Excluded Property + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. 
+ +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### Root Instance + +| Property | Details | +| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Instance required | **Type** String **Description** Identifier of the entity instance generated based on the EntityType property of the universe scaffolding. If not specified, the identifier of the entity instance is the identifier of the entity type. 
| + +The following example generates a universe `U2_UserRecords` based on the entity type +`Directory_UserRecord`, naming the entity instance `REC`: + +``` + + + + + +``` + +![Universe (RootInstance)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (RootInstance)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +#### RootInstance for several scaffoldings together + +A universe can be made of several scaffoldings which need to be grouped together a specific way. One +universe made of two scaffoldings will generate the two entity instances corresponding to the two +specified entity types, with the entity and association instances corresponding to their navigation +properties. To avoid data duplication in the universe model, we use `RootInstance` to rename one of +the entity instances and follow the existing naming rule explained in the introduction. 
+ +**The following example** generates a universe `U3_UserRecords` based on the entity types +`Directory_User` and `Directory_UserRecord` (without `RootInstance`): + +``` + + + +``` + +![Universe Schema (Several Scaffoldings with Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplicationschema.webp) + +When getting Identity Manager +[data in Power BI](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see +the following: + +![Universe (Several Scaffoldings with Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp) + +We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity +instances. + +**The following example** generates a better version of the universe `U3_UserRecords` based on the +entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_UserRecord` as +`Directory_User_Records` to follow the naming rule, thus building the universe model with +`Directory_User` as the core entity instance: + +``` + + + + + +``` + +![Universe (Several Scaffoldings without Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp) + +When getting Identity Managerdata in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Several Scaffoldings without Data 
Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp) + +Thus we removed the duplicated data, and we understand easily the navigations of the model. + +### Source Entity Type + +| Property | Details | +| ------------------- | ----------------------------------------------------------------- | +| Identifier optional | **Type** String **Description** The identifier's SourceEntityType | + +### Universe Template + +| Property | Details | +| ----------------- | -------------------------------------------------------------- | +| Template required | **Type** String **Description** Represents the argument value. | + +#### Default Template + +When no template is specified, the scaffolding generates: + +- an entity instance based on a given entity type; +- an association instance and an entity instance for each navigation property of the entity type. + +**The following example** generates a universe `U1_Users` based on the entity type `Directory_User`: + +``` + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User: + + + One association instance and one entity instance per navigation property: + ... 
+ + + +``` + +![Universe (No Template)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (No Template)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp) + +We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers. + +#### Owned Resource Types + +The following example generates a universe `U4_User` based on the entity type `Directory_User` and +the resources assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. + + + Association instances and entity instances about the AD_Entry_NominativeUser resource type: + + + + Same for all resource types. + ... 
+ + + +``` + +![Universe (Template Schema: Owned Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypes.webp) + +#### ResourceResourceTypes + +The following example generates a universe `U5_AD` based on the entity type `AD_Entry` and the +owners of AD resources: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`. + +![Universe (Template Schema: Resource Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Resource Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp) + +#### Owned Single Roles + +The following example generates a universe `U6_User` based on the entity type `Directory_User` and +the single roles assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. 
+ + + One entity instance containing data about role assignments, and one association instance linking it to Directory_User: + + + One entity instance containing the single roles, and one association instance linking it to the role assignment data: + + +``` + +![Universe (Template Schema: Owned Single Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp) + +When getting Identity Managerdata in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Single Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsingleroles.webp) + +#### Owned Composite Roles + +The following example generates a universe `U7_User` based on the entity type `Directory_User` and +the composite roles assigned to users: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`. 
+ +![Universe (Template Schema: Owned Composite Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositerolesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Composite Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp) + +## Mixed Example + +Scaffoldings can be adjusted with +[universe configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md). + +The following example generates a universe `U9_AccessControl` aiming to create reports displaying +users and their profiles. In our situation, profiles are assigned to AD accounts based on a given +context. This is why we base our universe on the entity types `AD_Entry`, `AssignedProfile` and +`ProfileContext`. Plus, there are 10 dimensions in contexts, but only dimensions 0 and 1 are used, +so we exclude the others. We exclude also resource types and single roles that are of no use for us +here. + +``` + + + +``` + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Mixed Example)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp) 
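Review bot: In universedatamodel/index.md the identifier rule reads "the identifier of the corresponding navigation which is made of `_`", which leaves only the separator. Judging from the example `Directory_User_MainRecord`, the placeholder names on either side of the underscore were dropped, so write the pattern in a form that survives rendering. The fenced examples in this file have the same problem: every one is blank, and the two "It generates:" blocks keep only their explanatory sentences, so none of the `ExcludedProperty`, `RootInstance` or template snippets the text refers to can be seen. Also worth fixing here: the Root Instance section embeds universe_rootinstance.webp twice, "Identity Managerdata" is missing a space in two places, and the text uses both `Directory_UserRecord` and `Directory_UserRecords`, which should be checked against the actual identifiers.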
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md new file mode 100644 index 0000000000..028b8b86e3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md 
@@ -0,0 +1,52 @@ +# Connectors Access Control Rules + +Gives the permissions to manage the connector pages. + +Generates the permissions to access the connectors pages, the policies page, the access roles page, +the access rules page and the job execution page. + +Gives access to shortcuts on the dashboard to access these pages. + +![Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +The scaffolding generates the following scaffoldings: + +- [ Connector Resource Type Access Control ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [ Job View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): Scaffolding to generate + a set of rights to view all JobInstances, TaskInstances and logs. +- [ Resource Type Mapping Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [ Role Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. 
+- [ Run Job Repair Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [ Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md new file mode 100644 index 0000000000..6c62629b53 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md 
@@ -0,0 +1,128 @@ +# Create Administrator Profile + +This scaffolding creates the administrator profile with a predefined set of rights. + +To create the rights for this profile, a scaffolding list is launched inside the creation of the +administrator profile. + +The scaffolding generates the following scaffoldings: + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md): + Generates the permissions to administrate campaign creation. +- [ Assign Profile Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update, delete and query any assigned profile. +- [ Basket Rules Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md): + Generates the permissions to execute the different requests to display the information in the + rights basket. +- [ Connector Resource Type Access Control ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [Connectors Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md): Gives the permissions + to manage the connector pages. 
+- [ Create Connectors Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md): Creates all jobs by + connector to launched task in the connector page. +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally +- [ Job Execution Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md): Assigns a set + of rights to a given profile to execute any job, and view all job instances, task instances and + logs. +- [ Manage Accounts ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md): +- [ Manage Setting Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md): + Generates the access control rule which gives to a profile the permission to query, create, update + and delete settings from the UM_Settings table. +- [ Monitoring Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the monitoring + screen. 
+- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. +- [ Profile Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update and delete profiles. +- [ Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md): + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the resource reconciliation pages for a given entity type and + profile. +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. 
+- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md): + Generates the permissions to access the **Redundant Assignment** page, to analyze and remove + redundant assignments. +- [ Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [ Resource Api Administration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md): + Generates the permissions to create/update/delete/query resources from a given entity type, for a + given profile. +- [ Resource Picker Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md): + Creates the reading right of the resource picker. +- [ Resource Type Mapping Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. 
+- [ Review Roles Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md): + Generates the permissions to access the role review pages for a given entity type and profile. +- [ Risks Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md): +- [ Role Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. +- [ Role Naming Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md): + Generates the permissions to configure and launch the automatic creation of roles and rules based + on naming conventions. +- [ Settings Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md): + Generates the permissions to configure the Workforce Core Solution module and connector settings. +- [ Simulation Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md): Generates the + permissions to configure and launch simulations. 
+- [ Synchronization Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md): + Generates rights to launch synchronization task. +- [ Task Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. +- [ Universe Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md): + Generates an access control rule which gives a profile the permission to access the query page and + run queries. +- [ View History Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md): + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. +- [ Workflow Configuration Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md): +- [ Workflow Fulfillment Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md): + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+- [ Workflow Overview Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md): + Generates the permissions to access the workflow supervision page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | + +## Child Elements + +- Display Name Profile (optional) defines a display name for the administrator profile for a given + language. + +### Display Name Profile + +| Property | Details | +| -------------------- | ------------------------------------------------------------------------------------ | +| DisplayName required | **Type** String **Description** Display name of the profile in the related language. | +| Identifier required | **Type** String **Description** Code of the language for the display name. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md new file mode 100644 index 0000000000..592aab17b2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md 
@@ -0,0 +1,48 @@ +# Create Update Delete Template + +Creates the three types of workflow for the given entity as well as the execution rights for the +given profile. + +The scaffolding generates the following scaffoldings: + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md): + Generates execution rights for the create, update, delete workflows. +- [ Create Update Delete Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md): + Creates creation, update and delete menus for an entity. +- [ Create Update Delete Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md): +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ Entity Type Search Bar ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md): Creates + the search bar for the entity without criteria. 
+- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [ Workflow Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): Creates an + entity that will be the source of all workflows that manipulate the given entity. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md new file mode 100644 index 0000000000..32ba5df92f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md 
@@ -0,0 +1,21 @@ +# Entity Report Default + +Creates all configuration items to add a ReportQuery for an EntityType and profile. + +The scaffolding generates the following scaffoldings: + +- [ Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [ Target Resource Report ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): Creates a ReportQuery + with default Query taking all the properties of the entity. +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [ Target Resource Report Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | 
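Review bot: the new Entity Report Default page goes straight from the list of generated scaffoldings to `## Properties`, with no `## Examples` or `## Generated XML` section, unlike the other template pages added in this change. Both `EntityType` and `Profile` are marked required here, so please add a short example showing the two attributes set. If the omission is deliberate, say so on the page.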
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md new file mode 100644 index 0000000000..4d93f68d39 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md 
@@ -0,0 +1,51 @@ +# Templates + +- [Connectors Access Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + + Gives the permissions to manage the connector pages. + +- [ Create Administrator Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + + Creates the profile administrator and all default access control rules. + +- [ Create Update Delete Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile. + +- [ Entity Report Default ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + + Creates all configuration items to add a ReportQuery for an EntityType and profile. + +- [ Job Execution Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. + +- [ Job View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. 
+ +- [ Simulation Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + + Generates the permissions to configure and launch simulations. + +- [ Update Resources Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) +- [ View Source Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile. + +- [ View Target Resource Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile. + +- [ View Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + + Creates the view for the given entity as well as the rights for the given profile. + +- [ View Template Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. 
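Review bot: in `templates/index.md`, the `Update Resources Template` entry is the only one with no description and no blank line after it, so it runs directly into `View Source Resource Template`. Add a one-line description and the separating blank line. Two smaller points in the same hunk: the link labels are inconsistent (`[Connectors Access Control Rules]` has no padding, the rest are written `[ ... ]`), and the last entry should read "gives the permissions" rather than "give the permissions".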
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md new file mode 100644 index 0000000000..dc746c91a9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md 
@@ -0,0 +1,45 @@ +# Job Execution Access Control Rules + +This scaffolding assigns a set of rights to a given profile to execute any job, and view all job +instances, task instances and logs. + +The scaffolding generates the following scaffoldings: + +- [ Job View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): Scaffolding to generate + a set of rights to view all JobInstances, TaskInstances and logs. +- [ Run Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md): + Generates the permissions to launch jobs from UI for a given profile. +- [ Run Job Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md): + Generates access control to send notification when job finish with an error state. +- [ Run Job Repair Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [ Run Job Repair Notification Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md): + Generates access control to send notification when a relaunch job finish with an error state. 
+ +## Examples + +The following example assigns to the `Administrator` profile the rights to execute all jobs and view +job instances, task instances and logs: + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md new file mode 100644 index 0000000000..d99d196622 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Job View Access Control Rules + +Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. This +Scaffolding performs a set of scaffolding rights for Jobs and Tasks. + +The scaffolding generates the following scaffoldings: + +- [ Get Job Log Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md): + Generates the permissions to read task and job instances logs in UI for a given profile. +- [ Job Administration Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md): + Scaffolding to access the job administration page. +- [ Pending Assigned Resource Types Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md): + Generates the access control rules which give to a profile the permissions to call the API Pending + AssignedResourceTypes. +- [ Resource Changes View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md): + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. 
| + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md new file mode 100644 index 0000000000..142109109c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md @@ -0,0 +1,35 @@ +# Simulation Access Control Rules + +This scaffolding generates the rights to configure and launch simulations. + +It also gives access to a shortcut on the dashboard allowing to enter the simulation screen. Through +this screen, simulations can be launched and results can be visualized. + +The scaffolding generates the following scaffoldings: + +- [Policy Simulation Control Rules](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md): +- [ Role And Simulation Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md): + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
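Review bot: in the Simulation Access Control Rules page, both entries under "The scaffolding generates the following scaffoldings" (`Policy Simulation Control Rules` and `Role And Simulation Control Rules`) end in a colon with nothing after it. Either add the description of the rights each one generates or drop the trailing colon. A reader deciding which profile should receive this scaffolding needs to know what each child rule grants. "allowing to enter the simulation screen" would also read better as "that opens the simulation screen".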
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md new file mode 100644 index 0000000000..5149d9c99c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md 
@@ -0,0 +1,41 @@ +# Update Resources Template + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ Update Resources Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md): +- [ Update Resources Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md): +- [ Update Resources Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md): +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [ Workflow Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): Creates an + entity that will be the source of all workflows that manipulate the given entity. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md new file mode 100644 index 0000000000..ccc2a76e15 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md 
@@ -0,0 +1,45 @@ +# View Target Resource Template + +Creates the entity view (designElement = resourceTable), the report and the rights for a given +profile. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md): + Creates a displaytable for the given entity. +- [ Target Resource Report ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): Creates a ReportQuery + with default Query taking all the properties of the entity. +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [ Target Resource Report Menus ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md new file mode 100644 index 0000000000..965fbdb1c5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md 
@@ -0,0 +1,42 @@ +# View Template + +Creates the view for the given entity as well as the rights for the given profile. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in a table, and gives to the +`Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
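Review bot: in the View Template page, the fenced blocks under `## Examples` and `## Generated XML` contain only blank `+` lines, so the paragraph describing an example for the `Directory_PresenceState` entity type and the `Administrator` profile has nothing to show. Restore the scaffolding element and its generated output inside the fences, or remove "Our example generates the following configuration" until the content is back.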
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md new file mode 100644 index 0000000000..7390ee218b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md 
@@ -0,0 +1,43 @@ +# View Template Adaptable + +Implements a default display name for the resources of a given entity type, displays the resources +in an adaptable table, and give the permissions to view the resources. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md): + Creates an adaptable display table for a given entity type. +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in an adaptable table, and gives to +the `Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
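Review bot: in the opening sentence of View Template Adaptable, "and give the permissions to view the resources" should be "gives", to agree with "Implements" and "displays". The Properties table also marks `Profile` and `EntityType` as optional while the example text grants view rights "to the `Administrator` profile" on a named entity type. Please state what the scaffolding does when either is omitted, since that determines who receives the view permission.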
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md new file mode 100644 index 0000000000..d54527e0d1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md @@ -0,0 +1,6 @@ +# Workforce + +- [ Bootstrap Module ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) Generates the default settings required to start + using Identity Manager and the Workforce Core Solution module.- + [Workforce Module](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) Generates the workforce repository based on the data + filled in the Workforce Core Solution module. 
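Review bot: The second entry in workforce/index.md is not a list item: the line ending `Workforce Core Solution module.-` carries the dash that should open the next line, so `[Workforce Module](...)` renders as a continuation of the Bootstrap Module entry with a stray `-` after the period. Move the `- ` to the start of the `[Workforce Module]` line, and drop the padding spaces in `[ Bootstrap Module ]` so both links are written the same way.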
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md new file mode 100644 index 0000000000..90350eb46d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md 
@@ -0,0 +1,6262 @@ +# Workforce Module + +Generates the workforce repository based on the data filled in the Workforce Core Solution module. + +## Examples + +The following example generates the Workforce module in the application: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| IsEnabled default value: true | Boolean | True to enable the Worforce module. If set to false, Identity Manager deletes all existing items computed by the Workforce Core Solution module. 
| + +## Child Elements + +Here is a list of child elements: + +- CompositeProfile (optional) – Defines the users profiles +- EmailGeneration (optional) – Defines the email generation policy +- HomonymEntityLinkOptions (optional) – Updates/Modifies the HomonymEntityLink of the + Directory_UserRecord entity of the workforce configuration +- LoginGeneration (optional) – Defines the login generation policy +- ModelUsage (optional) – Defines the entity types/properties that must be ignored from the model + and customize the pickers for the kept ones +- NewExternalWorkflow (optional) – Enable/disable the review step for the new external workflow +- NewInternalWorkflow (optional) – Enable/disable the review step for the new internal workflow +- UniqueIdentifierGeneration (optional) – Defines the unique identifier generation policy + +### CompositeProfile + +| Property | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------- | +| AreaOfResponsibility required | String | Represents the argument value. | +| ProfileDisplayName required | String | Generic column used to store information for internal use. | +| ProfileIdentifier required | String | Generic column used to store information for internal use. | +| TargetProfile required | String | Generic column used to store information for internal use. | + +### EmailGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Domain optional | String | Generic column used to store information for internal use. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). 
| + +### HomonymEntityLinkOptions + +| Property | Type | Description | +| ----------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ActivatePhoneticComparison default value: false | Boolean | Adds 3 filters in the HomonymEntityLink comparing the first and last names (current workflow) to the phonetic properties corresponding to the first and last names (existing records). | +| DisableBirthNameComparison default value: false | Boolean | Deletes the filter in the HomonymEntityLink comparing the last name (current workflow) with the birth name (existing records). | +| DisableInversion default value: false | Boolean | Deletes the filters in the HomonymEntityLink comparing the first name (current workflow) with the last name (existing records) and the last name (current workflow) with the first name (existing records). | + +### LoginGeneration + +| Property | Type | Description | +| ------------------ | ------ | ---------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| MaxLength optional | Int32 | Generic column used to store information for internal use. | +| Prefix optional | String | Generic column used to store information for internal use. | + +### ModelUsage + +| Property | Type | Description | +| -------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Generic column used to store information for internal use. | +| Count optional | Int32 | Generic column used to store information for internal use. | +| ForcedCount optional | Int32 | Number of entries for a given entity or entity's property in the workforce data model. 
The `ForcedCount` value overwrites the count computed by Identity Manager. | + +### NewExternalWorkflow + +| Property | Type | Description | +| ------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: false | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### NewInternalWorkflow + +| Property | Type | Description | +| ------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: true | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### UniqueIdentifierGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Max optional | Int32 | Upper limit of the range used for the generation of unique identifiers. | +| Min optional | Int32 | Lower limit of the range used for the generation of unique identifiers. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). | +| Prefix optional | String | Prefix used for the generation of unique identifiers. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     + +     +     +     +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     + + +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     + + + +     +     +     +     +     +     +     + + + + + +     + + +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + + + +     + + +     +     +     + + +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     + + +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     + + +     +     + + +
+ +     +     +     +     +     +     +     +     +     + + + + + + + + + + +     +     +     +     + + +     + + + + + + + + + + +     +     +     +     + + +     +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + +
+ + +
+ +     +     +         +         +     +     +     +     +     +     +     +     +     +     + + +
+ +   +     +       +       +     +   +   +   +   +   +     +     +   +   +   +     +   + + +
+ +   + + +
+ +     +     +     +     +     +     +     +     + + +
+ + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + +
+ + +     +     +     +     +     + + + + + + + + + + +
+ + +     +     +     +     +     + + + +
+ +     +     +     + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + +     + + + + + + +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0) +{ +result += iteration.ToString(); +} +result = result + (record.UserType?.EmailSuffix ?? string.Empty) + '@' + (record.Subsidiary?.EmailDomain ?? 
"acme.com"); +return result;" IterationsCount="10"> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_ReservedEmail" TargetExpression="C#:reservedEmail: +if (string.IsNullOrEmpty(reservedEmail.Value)) +{ +return null; +} +var result = reservedEmail.Value; +var index = result.IndexOf('@'); +if(index >=0) +{ +result = result.Substring(0, index); +} +return result;" /> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_UserRecord" TargetExpression="C#:record: +if (string.IsNullOrEmpty(record.Email)) +{ +return null; +} +var result = record.Email; +/*Delete Domain*/ +var index = result.IndexOf('@'); +if(index >= 0) +{ +result = result.Substring(0, index); +} +var resources = queryHandler.Select("select EmailSuffix"); +foreach (var resource in resources.Where(r => r != null && r.EmailSuffix != null).OrderByDescending(r => r.EmailSuffix!.Length)) +{ +var foundIndex = result.IndexOf(resource.EmailSuffix!); +if (foundIndex >= 0) +{ +    result = result.Substring(0, foundIndex); +    break; +} +} +return result;" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                An update user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.MainRecord.FirstName @Model.MainRecord.LastName
User Type@Model.MainRecord.UserType.DisplayName
Contract Start Date@Model.MainRecord.ContractStartDate
Contract End Date@Model.MainRecord.ContractEndDate
Department@Model.MainRecord.Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ +
+ + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                A new user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.Records.First().FirstName @Model.Records.First().LastName
User Type@Model.Records.First().UserType.DisplayName
Contract Start Date@Model.Records.First().ContractStartDate
Contract End Date@Model.Records.First().ContractEndDate
Department@Model.Records.First().Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ + +
+ + +"2022-05-31T00:00:00Z"))" ReturnedEntityType="Directory_UserRecord" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md new file mode 100644 index 0000000000..c9c700a283 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md 
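Review bot: Several property descriptions in workforcemodule/index.md do not describe the property they sit beside. `IsReviewRequired` under both NewExternalWorkflow and NewInternalWorkflow reads "For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith.", which says nothing about enabling or disabling the review step that the Child Elements list attributes to these elements, and `ProfileDisplayName`, `ProfileIdentifier`, `TargetProfile`, `Domain`, `MaxLength`, `Prefix`, `Binding` and `Count` all carry the placeholder "Generic column used to store information for internal use." These settings drive login, email and profile generation, so each needs a real description before the page ships. Smaller points in the same hunk: "Worforce" in the `IsEnabled` row should be "Workforce", the fenced block under "## Examples" contains only blank lines, and the generated email expression falls back to a hardcoded `"acme.com"` domain (`record.Subsidiary?.EmailDomain ?? "acme.com"`), which should be called out in the text as a sample value to replace.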
@@ -0,0 +1,146 @@ +# Connection + +A connection represents a link between a [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) and a connection +package. + +## Examples + +The following example creates a connection for the previously created connector `AD`, using the +package `Usercube.AD@0000001` with only the export task and not the fulfill task. + +``` + + + +``` + +We will need to configure the connection settings in the `appsettings.agent.json` file, by adding a +`ADExportFulfillment` part in the `Connections` section, for example: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADExportFulfillment": { + "Servers": [ + { + "Server": "contoso.server.com", + "BaseDN": "DC=contoso,DC=com" + } + ], + "AuthType": "Basic", + "Login": "Contoso", + "Password": "ContOso$123456789", + "Filter": "(objectclass=*)", + "EnableSSL": "true" + }, + ... + } +} +``` + +Details about these settings can be found in Identity Manager's +[References: Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/index.md). + +## Properties + +| Property | Details | +| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** Int64 **Description** Identifier of the linked connector. **Note:** a connection can be used by one and only one connector. | +| DeactivationExportFulfill default value: 0 | **Type** DeactivationExportFulfill **Description** For a connection having a package which implements both export and fulfill, this option can deactivate either the export or the fulfill part. 
`0` - **None**: keeps both parts. `1` - **Export**: deactivates export. `2` - **Fulfill**: deactivates fulfill. | +| DisplayName_L1 required | **Type** String **Description** Display name of the connection in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the connection. It must start with a letter followed by up to 441 characters, chosen from the following set: point, dash, letter, or number. **Warning:** identifiers are case insensitive, for example the identifiers `adexport` and `ADEXPORT` cannot exist simultaneously. | +| Package required | **Type** Enumeration **Description** Identifier of the linked connection package which defines the connection's capabilities and technologies to export and/or fulfill data. | + +## Child Element: Transformation + +A connection transformation is optional, but can be needed to adjust the Excel files, output of +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) from Excel export connections, before +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). The +following operations are possible: + +- filtering out given rows; +- adding/removing days from specific date properties; +- merging columns together. + +### Examples + +#### Edit dates + +The following example sets all users' end dates to the end of the day instead of the morning. This +way, the end dates of users' permissions will be managed more easily. + +Technically speaking, Identity Manager implements a sort of extra-task between the export and +prepare-synchronization tasks of HR synchronization. 
The CSV files produced by the export task of +the connection `Directory` are to be transformed: Identity Manager will add 1 day to all dates +between 1900 and 2100, contained in the `ContractEndDate`, `PositionEndDate` and `EndDate` columns +of the `Directory_UserRecord` table. + +This date edition goes the other way around when loading data back to your systems: if Identity +Manager adds a few days when synchronizing, then it removes the same few days when using the +synchronized data. + +``` + + + + + +``` + +#### Filter out rows + +The following example filters the CSV files produced by the export of the `Directory` connection, in +order to keep only German sites, i.e. the rows where `Identifier` starts with `DE_`. + +``` + + + + + +``` + +#### Merge columns together + +Consider the situation where users' organizations are defined in 4 levels. + +The following example merges the `Company`, `Subsidiary`, `Department` and `Team` columns of the +`Directory_UserRecord` table, output of the export of the `Directory` connection, in order to +concatenate the 4 properties into a single `FullOrganization` property. + +Setting `RemoveEmpty` to `true` means that rather than having an organization such as +`Contoso//HR/Payroll`, we will have `Contoso/HR/Payroll`. + +Setting `RemoveDuplicates` to `true` means that rather than having an organization such as +`Contoso/Contoso/HR/Payroll`, we will have `Contoso/HR/Payroll`. 
+ +``` + + + + + +``` + +### Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedDays optional | **Type** Float **Description** Number of days to add to the date column to be transformed, specified in `Column`, when the transformation type is `TransformDate`. The value can be negative, for example `-0.5` removes 12 hours from the date. | +| Column optional | **Type** String **Description** Column (case-sensitive) used as input of the filtering and the date editing transformations, and as output of the merging transformation. When defining an output, `Column` can be an existing column or a column to be created. | +| ConcatSeparator optional | **Type** String **Description** Separator used between the concatenated values, when the transformation type is `ConcatColumns`. | +| DatePattern optional | **Type** String **Description** Format of the transformed dates to be stored when the original object is not a date, when the transformation type is `TransformDate`. **Note:** for example we could need this property when using CSV files which store everything as strings, including dates. 
| +| InputColumn optional | **Type** String **Description** Column (case-sensitive) used as input when the transformation type is `TransformDate`, and as part of the input when the transformation type is `ConcatColumns`. **Note:** required for `ConcatColumns`. **Note:** when not specified for `TransformDate`, `Column` is used as input. | +| InputColumn2 optional | **Type** String **Description** Second (up to fifth) input column (case-sensitive) when the transformation type is `ConcatColumns`. | +| MaxYear optional | **Type** Int32 **Description** Year after which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| MinYear optional | **Type** Int32 **Description** Year before which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| RemoveDuplicates optional | **Type** Boolean **Description** `true` to keep only one of two identical and successive values, when the transformation type is `ConcatColumns`. | +| RemoveEmpty optional | **Type** Boolean **Description** `true` to ignore empty values, when the transformation type is `ConcatColumns`. | +| SortValues optional | **Type** Boolean **Description** `true` to sort the concatenated values by alphabetical order, when the transformation type is `ConcatColumns`. **Note:** concatenated values are sorted after duplicates are removed, when relevant. | +| Table optional | **Type** String **Description** Table on which the transformation is to be applied. **Note:** must be of the format `_` (case-sensitive). | +| Type required | **Type** ConnectionTransformationType **Description** Type of the transformation: **ConcatColumns**: concatenates `InputColumn` columns into `Column` with a separator defined in `ConcatSeparator`, potentially with additional transformation options among `RemoveDuplicates`, `RemoveEmpty`, `SortValues`. 
**TransformDate**: adds or removes a given number of days defined in `AddedDays` to/from the date stored in `InputColumn` or `Column`, only for dates between `MinYear` and `MaxYear`, in order to be stored in `Column` in the format defined by `DatePattern`. **WhereValue**: filters the rows based on a comparison with the `WhereOperator` and `WhereValue` arguments. | +| WhereOperator optional | **Type** ConnectionTransformationWhereValueOperator **Description** Operator of the comparison that filters out rows from the CSV file(s), when the transformation type is `WhereValue`: `Equals`; `NotEquals`; `Contains`; `CotContains`; `StartsWith`; `EndsWith`; `Regex`. | +| WhereValue optional | **Type** String **Description** Value (case-sensitive) that the content of `Column` will be compared to, when the transformation type is `WhereValue`. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md new file mode 100644 index 0000000000..12a2b52822 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md 
@@ -0,0 +1,70 @@ +# Connector + +Connectors provide the means by which Identity Manager communicates with managed platforms, +applications and systems. They describe how the data from these systems are mapped to the +[Entity Model](/docs/identitymanager/6.2/identitymanager/integration-guide/entity-model/index.md). + +A connector in most case represents an application model. It is composed of entities and +associations. + +> For example we can define an HR connector, with the following entities: Person, Department, +> Function, Location, etc. and with the following associations: Person-Department, Person-Site, +> Person-Manager(Person), etc. + +A connector is used to synchronize each of its entities and associations in Identity Manager's +physical model. A connector is defined with: + +- [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md); +- [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md); +- [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) to link the entity types and + associations to the corresponding files and columns containing the exported data from the managed + system. + +## Examples + +The following example creates a `HR` connector on the agent called `Local` previously declared by an +[ Agent ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) element. 
+ +We create the right [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) to use the connector as a +[ CSV ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/csv/index.md)aiming to export HR CSV files into +new CSV files in Identity Manager's format. + +The [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) model the resources as `HR_Person` or +`HR_Organization`, defining properties. + +The [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) link the entity types to the source +files. + +The [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) creates a link between the two +entity types. + +The [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) links the association to +the source files. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent optional | **Type** Int64 **Description** Identifier of the agent where the connector's tasks are launched. | +| CompleteJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the complete job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the complete job, setting that connector to `Used` for the complete job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| DisplayName_L1 required | **Type** String **Description** Connector DisplayName. | +| Identifier required | **Type** String **Description** Connector Identifier. | +| IncrementalJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the incremental job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. 
For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the incremental job, setting that connector to `Used` for the incremental job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| IsDeactivated default value: false | **Type** Boolean **Description** Indicates that the export and the provisioning are deactivated for this connector. | +| MaximumDeletedLines default value: 100 | **Type** Int32 **Description** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. | +| MaximumInsertedLines default value: 100 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. | +| MaximumLinkDeletedLines default value: 1000 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. | +| MaximumLinkInsertedLines default value: 1000 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. | +| MaximumUpdatedLines default value: 100 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. | +| MaxLinkPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxLinkPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted association links threshold in percent. 
| +| MaxPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 5 | **Type** Int32 **Description** Updated lines threshold in percent. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md new file mode 100644 index 0000000000..c199a921b0 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md 
@@ -0,0 +1,23 @@ +# Entity Association Mapping + +Contains all the [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) that can be +materialized in the Identity Manager physical model. An association mapping can be established +between two properties of the same entity type mapping or between two properties of different entity +type mappings having the same connector. See the [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) topic to learn +how to configure an EntityAssociationMapping. + +## Properties + +| Property | Details | +| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| C0 optional | **Type** String **Description** In a ServiceNow connector, generic column used during provisioning to map the property to be provisioned (target property from the entity association mapping). This column stores the name of the table in ServiceNow in which the property exists. | +| Column1 required | **Type** String **Description** The column of EntityPropertyMapping1 in the association data source. | +| Column2 required | **Type** String **Description** The column of EntityPropertyMapping2 in the association data source. | +| ConnectionTable optional | **Type** String **Description** Association data source containing Column1 and Column2. Example: ConnectionTable="datasource" | +| Connector required | **Type** Int64 **Description** Id of the connector to which it is linked. | +| EntityPropertyMapping1 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. 
The property must be a unique key. | +| EntityPropertyMapping2 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. The property must be a unique key. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold in percent. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md new file mode 100644 index 0000000000..c2b756e277 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md 
@@ -0,0 +1,40 @@ +# Entity Type Mapping + +An entity type mapping links a given [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +properties with the source columns of the corresponding managed system. The entity type mapping +specifies the related [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) and the path to the CSV source file which +contains, or will contain, the data exported from the managed system. Each of its Entity Type +Mapping properties will define the corresponding source column and specific options. + +An entity type mapping shares the same identifier as its related entity type. + +See the example of a whole [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) containing an entity type mapping. + +## Properties + +| Property | Details | +| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| C0 optional | **Type** String **Description** In a Microsoft Entra ID connector (formerly Microsoft Azure AD), generic column used to map the entities to be exported. By default, Identity Manager exports: `user`; `group`; `directoryRole`; `servicePrincipal`. | +| ConnectionTable optional | **Type** String **Description** Name of the CSV file which contains, or will contain, the exported data from the corresponding entity type. | +| Connector optional | **Type** Int64 **Description** Identifier of the related connector. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold. 
Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. | +| MaximumUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold in percent. | + +## Child Element: Property + +Contains all the [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties that can be +synchronized into Identity Manager physical model. Each mapping share the same id as its +corresponding property in the entity type. + +### Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionColumn optional | **Type** String **Description** Specifies the corresponding column in the entity type data source. 
| +| Format optional | **Type** String **Description** The format of the attribute in the external system. Ex: 1601date for LDAP Date. | +| IsPrimaryKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be the unique and immutable key that uniquely identifies any resource from the entity type, during synchronization. Each entity type mapping must have a primary key. It prevents duplicates and null resources. | +| IsUniqueKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the unique keys that uniquely identify any resource from the entity type in an association/navigation, during synchronization. Each entity type mapping can have up to three unique keys, in addition to the mapping key that already acts as such. **Note:** AD synchronization requires the `dn` property to have either `IsUniqueKey` or `EntityType` > `Property` > `IsKey` set to `true` (key property in the UI). | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md new file mode 100644 index 0000000000..d33391f95f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md 
@@ -0,0 +1,10 @@ +# Connectors + +- [ Agent ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) +- [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +- [ Connection Table ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +- [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +- [Resource Type Mappings](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +- [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +- [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +- [ Password Reset Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md new file mode 100644 index 0000000000..e4aa6f3b13 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md 
@@ -0,0 +1,79 @@ +# Password Reset Settings + +This set of password reset settings contains the configuration to perform password reset operations +such as change, reset, etc. + +## Examples + +The following example declares a password reset settings. + +``` + + + +``` + +### Password length and counts + +The following example makes Identity Manager generate a password with at least 12 characters in +total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (16) is greater than the length (12), the password length will be the +count total (16). + +The following example makes Identity Manager generate a password with at least 12 characters in +total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (4) is lower than the length (8), the password will be generated with 8 +characters, among them 1 lowercase character, 1 uppercase character, 1 digit, 1 symbol, and 4 more +random characters. + +The generated password's strength can also be checked via a regular expression (regex) through +`StrengthCheck`. Thus, the following example makes Identity Manager generate a password with at +least 9 characters including at least one digit, one lowercase letter, one uppercase and one special +character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutoGenerate default value: false | **Type** Boolean **Description** `true` to make Identity Manager generate the password automatically. 
| +| BeneficiaryEmailBinding optional | **Type** Int64 **Description** Binding to the email address property whose password is to be reset. | +| BeneficiaryFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the user(s) whose password is to be reset. | +| DefaultPassword optional | **Type** String **Description** Default password to set when `AutoGenerate` is set to `false`. | +| DisableNotifications default value: false | **Type** Boolean **Description** `true` to disable the mailing of notifications concerning password reset. | +| GeneratedDigitCharsCount default value: 2 | **Type** Int32 **Description** Number of digit characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLength default value: 12 | **Type** Int32 **Description** Length of the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLowerCaseCharsCount default value: 6 | **Type** Int32 **Description** Number of lower case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedSymbolCharsCount default value: 2 | **Type** Int32 **Description** Number of symbol characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedUpperCaseCharsCount default value: 2 | **Type** Int32 **Description** Number of upper case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| Identifier required | **Type** String **Description** Identifier of the set of password reset settings. | +| Mode default value: 0 | **Type** Int64 **Description** Mode used by the password reset service. `0` - Disabled. `1` - One-Way. `2` - Two-Way. | +| MustChange default value: false | **Type** Boolean **Description** `true` to force users to modify their passwords on the first login. 
| +| NotificationCC optional | **Type** String **Description** Email address to set as CC recipient of all password reset notifications. | +| NotifiedEmailBinding optional | **Type** Int64 **Description** Binding to the email address property of the person to be notified. | +| NotifiedFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the person to be notified. | +| StrengthCheck optional | **Type** String **Description** Regular expression (regex) that generated passwords must match, when `AutoGenerate` is set to `true`. **Note:** the strength of passwords set manually by users can be configured via [ Password Tests Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md). | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md new file mode 100644 index 0000000000..0fd75b97fd --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md 
@@ -0,0 +1,26 @@ +# Easy Vista Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CatalogCode required | String | Code of the catalog. It is possible to define three catalog codes, one for each provisioning action (add, modify, delete) by separating them with ¤, for example 42¤25¤43. | +| Connection required | String | Identifier of the corresponding connection. | +| RecipientId required | String | Identifier of the ticket's recipient. | +| Description optional | String | File path of the template used for the generation of the ticket description. | +| ImpactId optional | String | [Impact](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#impact) of the ticket. | +| SeverityId optional | String | [Severity level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#severity-level) of the ticket. | +| TicketSynchroIsNotAvailable default value: false | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. 
See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| Title optional | String | File path of the template used for the generation of the ticket title. | +| UrgencyId optional | String | [Urgency level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#urgency-level) of the ticket. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md new file mode 100644 index 0000000000..e5c846b107 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md 
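Review bot: The Examples section of easyvistaresourcetypemapping/index.md ends in an empty code fence, so the sentence about replacing attributes enclosed with `<>` refers to a sample that is not there; restore the XML sample or drop the section. In the Properties table, the TicketSynchroIsNotAvailable row links to the ServiceNow Ticket topic from an Easy Vista page, so confirm that target is intended. The CatalogCode row should also state the order in which the three `¤`-separated codes map to add, modify and delete, since the example `42¤25¤43` only implies it.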
@@ -0,0 +1,53 @@ +# Resource Type Mappings + +A resource type mapping links resources sharing the same intent and the same authorization system +with the source columns of the corresponding managed system. The mapping specifies the related +connector and the path to the CSV source file which contains, or will contain, the data exported +from the managed system. + +Here is a list of ResourceType Mapings: + +- [Azure AD Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md) + + The set of parameters to map the properties of Microsoft Entra ID in Identity Manager, for + provisioning purposes. + +- [Easy Vista Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md) + + The set of parameters to map the properties of Easy Vista in Identity Manager, for provisioning + purposes. + +- [Ldap Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md) + + The set of parameters to map the properties of Ldap in Identity Manager, for provisioning + purposes. + +- [Manual Provisioning Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md) + + The set of parameters to map the properties of Manual Provisioning in Identity Manager, for + provisioning purposes. + +- [Okta Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md) + + The set of parameters to map the properties of Okta in Identity Manager, for provisioning + purposes. 
+ +- [Sap Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) + + The set of parameters to map the properties of Sap in Identity Manager, for provisioning + purposes. + +- [Scim Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md) + + The set of parameters to map the properties of Scim in Identity Manager, for provisioning + purposes. + +- [Service Now Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md) + + The set of parameters to map the properties of Service Now in Identity Manager, for provisioning + purposes. + +- [Share Point Resource Type Mapping](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md) + + The set of parameters to map the properties of Share Point in Identity Manager, for provisioning + purposes. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md 
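Review bot: The list intro in resourcetypemappings/index.md reads "Here is a list of ResourceType Mapings:", which misspells "Mappings" and writes "ResourceType" differently from the page title "Resource Type Mappings". The first entry is labelled "Azure AD Resource Type Mapping" while its description and its link target (microsoftentraidresourcetypemapping) both say Microsoft Entra ID; use one name. The link labels Ldap, Sap, Scim, Share Point, Service Now and Easy Vista are split or cased differently from the body text of the pages they point to, which uses "ServiceNow" for example.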
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md new file mode 100644 index 0000000000..b226c31bd4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md @@ -0,0 +1,19 @@ +# Manual Provisioning Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | String | Identifier of the corresponding connection. | +| TicketSynchroIsNotAvailable optional | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | 
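Review bot: The Examples section of manualprovisioningresourcetypemapping/index.md contains only an empty code fence, so the instruction about `<>` attributes has nothing to apply to; add the sample element or remove the section. TicketSynchroIsNotAvailable is marked "optional" here, while the Easy Vista and Service Now pages in this same change list it with "default value: false"; state the default the same way on all three. The row also sends manual-provisioning readers to the ServiceNow Ticket topic without saying why that package is relevant here.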
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md new file mode 100644 index 0000000000..11426841f2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md 
@@ -0,0 +1,37 @@ +# Service Now Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +Any resource type linked to a ServiceNow connection must be configured with a set of parameters to +map the properties in Identity Manager with those in ServiceNow, for provisioning purposes. + +Below is an example of an incident ticket in ServiceNow, where relevant properties (from Identity +Manager's perspective) are emphasized: + +![ServiceNow Ticket Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/servicenow_example.webp) + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +   + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------ | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | String | Identifier of the corresponding connection. | +| DefaultObjectClass optional | String | Default object class used by the provisioner, for example person, organizationalPerson, and user, etc. Multiple default object classes are separated with
. | +| PasswordResetSetting optional | String | Identifier of the corresponding password reset setting. | +| TicketAdditionalInformation optional | String | Information to add at the end of the description for all tickets created for this resource type. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketCallerId optional | String | Attribute that corresponds to the identifier of the "caller" person in ServiceNow. Required when using the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketCategory optional | String | Category in which new tickets will be created in ServiceNow for this resource type. **NOTE:** Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketImpact default value: Low | TicketImpact | Impact of the ticket in ServiceNow: Low; Medium; or High. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketSubCategory optional | String | Subcategory in which new tickets will be created in ServiceNow for this resource type. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. 
| +| TicketSynchroIsNotAvailable default value: false | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketUrgency default value: Low | TicketUrgency | Urgency of the ticket in ServiceNow: Low; Medium; High. **NOTE:** Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/index.md new file mode 100644 index 0000000000..3d0c27fb37 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/index.md 
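Review bot: The DefaultObjectClass row in the Properties table of servicenowresourcetypemapping/index.md ends with "Multiple default object classes are separated with" followed by a line break and a bare period, so the separator character has been lost; write it as inline code so it survives rendering. The example values in that row (person, organizationalPerson, user) are directory object classes, so confirm the row belongs on a ServiceNow page. TicketCallerId is marked "optional" in the Property column while its description says "Required when using the package for tickets"; make the two agree. The Examples fence holds only whitespace, and the "Only used with the package for tickets" qualifier is a bold **NOTE:** in the TicketCategory and TicketUrgency rows but plain text in the others.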
@@ -0,0 +1,22 @@ +# XML Configuration Schema + +## Overview + +The XML configuration schema shows some similarities with the database schema but they are not the +same. + +## Family Entity Listing + +- [ Access Certification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md) +- [ Connectors ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md) +- [ Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md) +- [ User Interface ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md) +- [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md) +- [ Metadata ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md) +- [ Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md) +- [ Provisioning ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md) +- [ Reporting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md) +- [ Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md) +- [ Access Certification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md) +- [ Business Intelligence ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md) +- [ Workflows ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md) 
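Review bot: The Family Entity Listing in xml-configuration/index.md lists "Access Certification" twice, once as the first entry and again between Resources and Business Intelligence, both with the same link target; remove the second entry. The Overview sentence ("shows some similarities with the database schema but they are not the same") does not tell the reader what differs or why it matters; either say what the difference is or link to the page that does.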
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md new file mode 100644 index 0000000000..9a11c299ed --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md @@ -0,0 +1,9 @@ +# Jobs + +A job is defined via the `Job` tag to orchestrate tasks together, in order to perform specific +actions. + +All [ Tasks ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) types are child elements of jobs. + +- [ Job ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) +- [ Tasks ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md new file mode 100644 index 0000000000..8c25177716 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md 
@@ -0,0 +1,40 @@ +# Agent Tasks + +- [ Activity Instance Actor Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + + Update the Actors for the workflows instances. + +- [ Create Database Views Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + + Runs the specified connection's export. + +- [ Fulfill Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [ Invoke Api Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + + Tool to launch any Identity Manager API. + +- [ Invoke Aspects Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + + Call specific api in Identity Manager. + +- [ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. + +- [Invoke Sql Command Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. 
+ +- [ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + + Cleanses exported CSV files. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md 
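Review bot: The descriptions of Invoke Api Task ("Tool to launch any Identity Manager API.") and Invoke Aspects Task ("Call specific api in Identity Manager.") in agent/index.md do not let a reader tell the two tasks apart; say what an aspect invocation does that a plain API call does not. In the Fulfill Task entry, "the informed connector" reads as a mistranslation of "the specified connector". In the Invoke Expression Task entry, "powershell" should be "PowerShell", and since that task runs a script on the agent, the entry should say under which account it executes or link to where that is documented. Link labels are padded with spaces in every entry except Invoke Sql Command Task.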
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md new file mode 100644 index 0000000000..6b39c6e675 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md 
@@ -0,0 +1,38 @@ +# Invoke Sql Command Task + +Takes as input an SQL file or an SQL command to output several CSV files that can be used by the +collection. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +**NOTE:** The database Identifier attribute has a specific location where the connection strings for +the database identifiers need to be defined. See the +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)topic +for additional information. + +## Properties + +| Property | Type | Description | +| -------------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the task in language 1 (up to 16). | +| Agent optional | String | Identifier of the agent on which the job will be launched. **NOTE:** When not specified, the task is to be launched on the server. _Remember,_ all jobs containing the task must be launched on the same agent or on the server. | +| ContinueOnError default value: false | Boolean | True if the execution of the Task returning an error should not stop the job machine state. | +| DatabaseIdentifier optional | String | Identifier of the Database to connect to | +| Encoding optional | String | Encoding for the output files. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| Identifier optional | String | Unique identifier of the task. 
| +| IsNotAQuery default value: false | Boolean | To know if the SQL command is a query or not. | +| IsolationLevel optional | String | Specifies the transaction locking behavior for the database connection. | +| OpenIdClient optional | String | Connection client for the task. | +| OutputPath optional | String | Path to save file. Alternative definition: If TaskType is: - ProvisioningPolicyTask: Path to save the LDIF file, - CollectorTask: Path of the working directory, - CollectorChangesTask: Path of the working directory, - CollectorADDirSyncTask: Path of the working directory, - ProvisionerDownloadTask: Path of the destination directory, | +| Provider optional | String | The database provider. | +| ProviderAssemblyQualifiedName optional | String | Database provider assembly qualified name. | +| SQLCommand optional | String | SQL Command to execute. | +| SQLInputFile optional | String | Path of the SQL file. | +| Timeout default value: 0 | Int32 | Specify the timeout if the query need more 30 sec. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md new file mode 100644 index 0000000000..3ddb2a2b19 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md 
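Review bot: The Timeout row in invokesqlcommandtask/index.md says "Specify the timeout if the query need more 30 sec." beside "default value: 0", which leaves both the unit and the meaning of 0 undefined; state the unit and whether 0 means the 30-second default or no limit. The OutputPath description is generic text that lists ProvisioningPolicyTask, CollectorTask and other task types but never says where this task writes its CSV files. IsNotAQuery ("To know if the SQL command is a query or not.") should say what changes when it is true. Because the task executes SQLCommand or SQLInputFile over the connection named by DatabaseIdentifier, the page should state which database permissions that connection needs. The Examples fence is empty, and "index.md)topic" in the NOTE is missing a space.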
@@ -0,0 +1,119 @@ +# Prepare Synchronization Task + +## View Behavior Details + +The task reads files from the source directory, usually the temp +folder >[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +folder. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)> or an + [ Entity Association Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), a + `.sorted.csv` file is generated, containing the final, cleansed and sorted result. +- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the work folder > Collect directory. 
+ +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the + [Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory. + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Identity Manager can't match. Using managed systems for +these operations avoids generating heavy files and alleviates Identity Manager's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. + +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory. +It will be used as a reference for the next _incremental_ Prepare-Synchronization to compute the +changes, if needed. + +Tampering with the `previous` folder content would result in false changes leading to false +computation. 
It would result in data corruption in the Identity Manager database. To restore the +Identity Manager database and reflect the managed system data updates, a _complete\_\_Sync Up_ would +be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent required | **Type** String **Description** Identifier of the agent on which the job will be launched. **Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). 
| +| OpenIdClient required | **Type** String **Description** Connection client for the task. | +| SynchronizationMode required | **Type** DataCollectType **Description** Synchronization mode for collect and synchronization Task. List of Modes: - Initial = 0, - Complete = 1, - Incremental = 2 | +| ColumnName optional | **Type** String **Description** If there is a delta in the synchronization, specifies the column name which stores the command | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define the type of PrepareSynchronization to launch the correct executable in job. | +| WorkingDirectory optional | **Type** String **Description** Path of the working directory | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md new file mode 100644 index 0000000000..68bfaebb40 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md 
@@ -0,0 +1,166 @@ +# Tasks + +- [Agent Tasks](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md) + +- [ Activity Instance Actor Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + + Update the Actors for the workflows instances. + +- [ Create Database Views Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + + Runs the specified connection's export. + +- [ Fulfill Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [ Invoke Api Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + + Tool to launch any Identity Manager API. + +- [ Invoke Aspects Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + + Call specific api in Identity Manager. + +- [ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. 
+ +- [Invoke Sql Command Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + + Cleanses exported CSV files. + +- [ Server Tasks ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md) + +- [ Build Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + + Applies the role naming rules, i.e. generates single roles and navigation rules based on + resources matching a given pattern. + +- [ Compute Correlation Keys Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources. + +- [ Compute Risk Scores Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + + Update risk score with the risk settings. + +- [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job. 
+ +- [ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete. + +- [ Fulfill Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [Generate Provisioning Orders Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders. + +- [ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility. + +- [ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +- [ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. 
+ +- [ Invoke Sql Command Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Maintain Indexes Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + + Index maintenance and statistics update for all database tables. + +- [ Manage Configuration Indexes Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + + Manage indexes for items from configuration. + +- [ Process Access Certification Items Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + + Process decisions on access certification items. + +- [ Reset Valid From Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00. + +- [ Save Pre-Existing Access Rights Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + + During an initial installation of Identity Manager, data normally provided by Identity Manager + or through a derogation in the User Interface is already present in the application system. + +- [ Send Access Certification Notification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`. 
+ +- [ Send Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + + Task that sends a notification to each configured recipient. + +- [ Send Role Model Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. pending the validation 1 out of 1. + +- [ Set Access Certification Reviewer Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + + Assign access certification items to users according to their profiles and the access control + rules. + +- [ Set Internal User Profiles Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode. + +- [ Set Recently Modified Flag Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization. + +- [ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Identity Manager database. 
+ +- [ Update Access Certification Campaign Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + + Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. + +- [ Update Classification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job. + +- [ Update Entity Property Expressions Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md new file mode 100644 index 0000000000..bfd42a556a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md 
@@ -0,0 +1,25 @@ +# Build Role Model Task + +Applies the [ Role Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md), also named +[ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md), +i.e. generates single roles and navigation rules based on resources matching a given pattern. + +> For example, this task can transform AD groups with a special naming convention into roles. + +## Examples + +The following example applies all role naming rules linked to the AD connector. + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Connector optional | **Type** String **Description** Identifier of the connector whose role mappings / role naming rules are to be applied. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md new file mode 100644 index 0000000000..97a316aa77 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md 
@@ -0,0 +1,80 @@ +# Compute Role Model Task + +This task applies all rules in the role model of all +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) whose source entity types are +specified as child elements of the task. + +## Behavior Details + +### Property creation/update + +If the resource or property needs to be created or changed, the policy inserts a new line in one of +the following 3 tables: + +- Assigned resource types +- Assigned resource scalars +- Assigned resource navigation + +Their provisioning state will therefore increase to either 1 or 5. + +If the resource already exists in the database, then the policy checks whether the existing value is +the same as the computed value. If the existing value is the same as the computed value, then the +provisioning state goes to 4. + +### Notifications + +Executing the `ComputeRoleModelTask` will modify some roles' workflow states, and it will send a +notification for each of these roles being: + +- pending approval (1/1, 1/2, 2/2, 1/3, 2/3, 3/3); +- blocked because of a risk. + +## Examples + +The following example applies all rules in the role model concerning the entity types `HR_Service`, +`HR_Category`, `HR_Site` and `HR_Person`. + +``` + + + +``` + +### Ignore Archiving + +While archiving data for audits is part of the main purposes of Identity Manager, some elements can +be prevented from being archived, for example during Identity Manager's installation and +initialization. + +The following example is similar to the previous one, except that the values prior to the changes on +assigned single roles, composite roles, resource types, scalar or navigation properties, or +binaries, will not be stored in the database. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| BlockAllResourceTypeProvisioning default value: false | **Type** Boolean **Description** `true` to force an additional mandatory review (on the **Provisioning Review** screen) of all provisioning orders for all resource types, no matter whether the resource types' `BlockProvisioning` boolean is set to `true` or `false`. | +| BlockProvisioning default value: false | **Type** Boolean **Description** `true` to block the provisioning policy orders. | +| Dirty default value: false | **Type** Boolean **Description** Initiate use only dirty resources. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| IgnoreHistorization default value: false | **Type** Boolean **Description** `true` to prevent Identity Manager from archiving the changes (resource creation, update, deletion) performed by the task. Impacted tables are: `UP_AssignedSingleRoles`, `UP_AssignedCompositeRoles`, `UP_AssignedResourceTypes`, `UP_AssignedResourceScalars`, `UP_AssignedResourceNavigations`, `UP_AssignedResourceBinaries`. 
| +| LdifFilePath optional | **Type** String **Description** Path to save the ldif file | +| UseLdif default value: false | **Type** Boolean **Description** to simulate or not into a ldif file | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md new file mode 100644 index 0000000000..ff45e7aa24 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md 
@@ -0,0 +1,23 @@ +# Deploy Configuration Task + +From a folder, retrieves all configuration xml files to calculate the configuration items to insert, +update or delete. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| ConfigurationDirectory required | **Type** String **Description** Directory of the configuration to import | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| GeneratedCodeNamespace optional | **Type** String **Description** The namespace of the generated code (entities + writer). | +| GeneratedCodePath optional | **Type** String **Description** The path of the generated code (entities + writer). | +| GeneratedFile optional | **Type** String **Description** The path of the xml file in which all the configuration is generated by the scaffoldings. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md new file mode 100644 index 0000000000..27e4aa6819 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md 
@@ -0,0 +1,122 @@ +# Server Tasks + +- [ Build Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + + Applies the role naming rules, i.e. generates single roles and navigation rules based on + resources matching a given pattern. + +- [ Compute Correlation Keys Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources. + +- [ Compute Risk Scores Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + + Update risk score with the risk settings. + +- [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job. + +- [ Deploy Configuration Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete. + +- [ Fulfill Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. 
+ +- [Generate Provisioning Orders Task](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders. + +- [ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility. + +- [ Invoke Expression Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. + +- [ Invoke Sql Command Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Maintain Indexes Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + + Index maintenance and statistics update for all database tables. + +- [ Manage Configuration Indexes Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + + Manage indexes for items from configuration. 
+ +- [ Process Access Certification Items Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + + Process decisions on access certification items. + +- [ Reset Valid From Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00. + +- [ Save Pre-Existing Access Rights Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + + During an initial installation of Identity Manager, data normally provided by Identity Manager + or through a derogation in the User Interface is already present in the application system. + +- [ Send Access Certification Notification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`. + +- [ Send Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + + Task that sends a notification to each configured recipient. + +- [ Send Role Model Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. pending the validation 1 out of 1. 
+ +- [ Set Access Certification Reviewer Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + + Assign access certification items to users according to their profiles and the access control + rules. + +- [ Set Internal User Profiles Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode. + +- [ Set Recently Modified Flag Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization. + +- [ Synchronize Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Identity Manager database. + +- [ Update Access Certification Campaign Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + + Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. + +- [ Update Classification Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job. 
+ +- [ Update Entity Property Expressions Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md new file mode 100644 index 0000000000..b42908cd5e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md @@ -0,0 +1,17 @@ +# Manage Configuration Indexes Task + +Manage indexes for configuration items with the +tool[ Identity Manager-Manage-Configuration Dependent Indexes ](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md). + +## Examples + +``` + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | 
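Review bot: In the new `manageconfigurationindexestask/index.md`, the `## Examples` section holds only an empty code fence, so the page documents no usable task element. Restore the XML sample the fence was meant to carry, or drop the heading until one exists. In the opening sentence, `tool[ Identity Manager-Manage-Configuration Dependent Indexes ]` needs a space before the link, and the link text spells "Dependent" while the target path is `manage-configurationdependantindexes`; confirm the target resolves under the new `/docs/identitymanager/` root.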
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md new file mode 100644 index 0000000000..261c097c43 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md 
@@ -0,0 +1,35 @@ +# Send Notifications Task + +Task that sends all the custom notifications defined by the +[ Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) XML tag. + +## Examples + +The following example, included in a job potentially scheduled periodically, will send all custom +notifications defined via `Notification` such as the example below. The task will send the +notifications concerning the `Directory_User` entity type. + +``` + + + +Knowing that we have for example: + + +``` + +## Properties + +| Property | Details | +| -------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchSize default value: 0 | **Type** Int32 **Description** Block size for batch calculation. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | 
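Review bot: In `sendnotificationstask/index.md`, the single fence under `## Examples` contains only blank lines and the prose sentence "Knowing that we have for example:", so neither the task element nor the `Notification` definition promised by the introduction is present. Split it into two fences with that sentence between them as normal text and restore both XML fragments; as written, the reference to the `Directory_User` entity type has nothing to point at. The `BatchSize` row should also say what the default `0` means for batching.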
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md new file mode 100644 index 0000000000..a116c69e87 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md 
@@ -0,0 +1,41 @@ +# Set Internal User Profiles Task + +Will execute the profile rules of the different resource types given in parameters to create, modify +or delete profiles in automatic mode. + +It is necessary to set up [ Profile Context ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) as +well as [Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) to be able to +use this job. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | + +## Child Element: TaskResourceType + +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + +| Property | Details | +| --------------------- | ------------------------------------------------------ | +| ResourceType required | **Type** Int64 **Description** Linked resourceType id. | 
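Review bot: The prerequisite paragraph in `setinternaluserprofilestask/index.md` says Profile Context and Profile Rule Context must be set up "to be able to use this job", but the page documents a task, and the `## Examples` fence below it is empty, so a reader cannot see how the `TaskEntityType` and `TaskResourceType` children attach to the task. Change "job" to "task" and restore the XML sample; because this task creates, modifies or deletes profiles in automatic mode, the example should show the resource types it is scoped to. Minor: the opening sentence has no subject ("Will execute ..."), and "Resourcetypes" and "resourceType" are cased inconsistently in the TaskResourceType section.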
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md new file mode 100644 index 0000000000..2cc17eb08f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md 
@@ -0,0 +1,30 @@ +# Set Recently Modified Flag Task + +When synchronizing in full or incremental mode, it is possible to optimize the compute performance +of the role model by taking into account only the changes made by the synchronization. This +optimization is based on the `dirty` property of the entity +[ Resource ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md). The task +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) with option `dirty` set to `true` will +treat only resources marked as dirty. + +This task is used to set the `dirty` flag on all resources based on +[ Resources ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md)Change, Resource Link Change and Resource File Change +entities. After this, it clears this changes tables. + +This task works correctly only if **previous synchronization tasks have not cleared the change +tables** (option `DoNotDeleteChanges` set to `true`). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md new file mode 100644 index 0000000000..dd83adf06a --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md @@ -0,0 +1,31 @@ +# Synchronize Task + +Retrieves the files generated by the +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) to +insert the data into the Identity Manager database. + +For more information on how the Synchronization works, see +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +Collection must be done by the +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------- | ------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| DoNotDeleteChanges default value: false | **Type** Boolean **Description** Do not delete change in the change tables. | +| ForceSynchronization default value: false | **Type** Boolean **Description** Force the synchronization | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Orphans default value: false | **Type** Boolean **Description** Save orphans in a CSV output file | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define type of prepare synchronization. | 
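Review bot: In `setrecentlymodifiedflagtask/index.md`, added earlier in this patch, the dependency on `DoNotDeleteChanges` is stated only in prose while the `## Examples` fence is empty, so the one setting that makes the task work is never shown in configuration. Restore the example and show the preceding synchronization task with `DoNotDeleteChanges` set to `true`, with a link to that property on the Synchronize Task page. In the second paragraph, `[ Resources ](...)Change` glues the link to the word "Change" and points at the resources index rather than naming the Resource Change entity, and "it clears this changes tables" should read "it clears these change tables".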
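Review bot: The first sentence of `synchronizetask/index.md` says the files are generated by Upward Data Synchronization, while the third paragraph says collection is done by the Prepare Synchronization Task and the server task list in this same patch says "generated by the prepare-synchronization task"; pick one wording so the producer of the files is unambiguous. The same Upward Data Synchronization link is also repeated in two consecutive paragraphs. In the properties table, `Type` is typed `PrepareSynchronizationType` with default `None` but its accepted values are not listed, `ForceSynchronization` only restates its own name, and the `## Examples` fence is empty.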
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md new file mode 100644 index 0000000000..9babaf1c25 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md 
@@ -0,0 +1,46 @@ +# Dimension + +A dimension is an [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) used to define an organizational filter +for the Identity Manager role model. + +## Examples + +The following XML fragment defines the dimension `Organization0`. The dimension values are of +`Directory_Organization` type. The `ColumnMapping` attribute specifies the column (0 to 127) used to +store the dimension value in the assignment rule tables. + +``` + + + +``` + +Some types of entities can be organized in a hierarchical tree structure. Thus, for example, +organizational units form a tree structure modeled by a `Parent` navigation property that links the +entity type to itself. It is possible to use the hierarchical aspect of a dimension in an assignment +rule criterion. For example, the assignment must be extended to the whole subunits of a department. +Such a dimension must be declared as a hierarchical dimension by specifying the attribute +`IsHierarchical="true"`. + +``` + +... + ... + + +``` + +The attribute `ParentProperty` specifies the navigational property defining the hierarchy (`Parent` +is the navigation property that links the `Directory_Organization` type to itself). + +## Properties + +| Property | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnMapping required | **Type** Int32 **Description** Specifies the corresponding column in the role model rules. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the dimension in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** References the linked entity type. | +| Identifier required | **Type** String **Description** Unique identifier of the dimension. 
| +| IsExcludedFromRoleMining default value: false | **Type** Boolean **Description** `true` to exclude the dimension from role mining. It means that the dimension is not used as a criteria in the generated rules. | +| IsHierarchical default value: false | **Type** Boolean **Description** `true` to define a hierarchical dimension. **Note:** Cannot be used without `ParentProperty`. | +| ParentProperty optional | **Type** Int64 **Description** Specifies the navigational property defining the hierarchy. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md new file mode 100644 index 0000000000..6630a352f9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md 
@@ -0,0 +1,40 @@ +# Entity Association + +An entity association is used to model an association in Identity Manager's metadata. See the +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)topic for additional information on a whole +connector with its entity properties and associations. + +## Examples + +The following example associates one title (as a property from the entity type +`Directory_UserRecord`) with several user records (as a property from the entity type +`Directory_Title`). + +``` + + + +``` + +### Many-to-many association + +The following example associates SAB users with groups, with the possibility to link one group to +several users, and one user to several groups. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the association in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the association. It must be unique to the entity model scope. | +| IsProperty1Collection default value: false | **Type** Boolean **Description** `true` to define a many-to-one association. | +| IsProperty2Collection default value: false | **Type** Boolean **Description** `true` to define a one-to-many association. | +| Property1 required | **Type** Int64 **Description** Defines the first navigation property. 
A navigation property can be mono-valued or multi-valued (with its corresponding `IsPropertyCollection` set to `true`). Mono-valued navigation properties may be optimized (with a `TargetColumnIndex`) or not (without `TargetColumnIndex`). See more details under the TargetColumnIndex section of the [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties page. | +| Property2 required | **Type** Int64 **Description** Defines the second navigation property. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md new file mode 100644 index 0000000000..63523918ac --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md 
@@ -0,0 +1,27 @@ +# Entity Property Expression + +An entity property expression is a property computed from a binding and/or C# or literal +expressions. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +## Examples + +The following example computes the record display name. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding optional | **Type** Int64 **Description** References the binding used to compute the result. | +| EntityType required | **Type** Int64 **Description** Identifier of the referenced entity type | +| Expression optional | **Type** String **Description** References the C# or literal expression used to compute the result. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Identifier required | **Type** String **Description** Unique identifier of the expression. | +| Priority default value: 0 | **Type** Int32 **Description** Specifies the execution priority. | +| Property required | **Type** Int64 **Description** Identifier of the referenced entity property | +| PropertyCriteria optional | **Type** Int64 **Description** References the property criteria used to compute navigation properties. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md new file mode 100644 index 0000000000..3dae6e4502 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md 
@@ -0,0 +1,78 @@ +# Entity Type + +Represents a conceptual model of a business object, such as a person entity or an organization +entity. See the [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)topic for additional information +on how to configure define an EntityType. + +## Properties + +| Property | Details | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity type in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the entity type. It must is be unique to the _entity model_ scope. Cannot be a [ Reserved identifiers ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md). | +| LicenseTag optional | **Type** String **Description** Value of the `Tag` parameter of the license key (in `appsettings.json`) linked to the entity type. All the features allowed by the license key are enabled for this entity type, otherwise only default features are available. | +| TableName optional | **Type** String **Description** Represents the table name of hard coded entity types. Exclusively reserved to Identity Manager connector for Power BI. | + +## Child Element: Property + +An entity property represents a property of an Entity Type. See the +[Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information on how to +configure/define an EntityProperty. 
+ +### Examples + +#### Populate navigational property from non primary key + +Some configuration elements will be linked to an entity whose id is not known at configuration time. +In this case, another key must be used. On each entity type property, the `IsKey` attribute +specifies that the property can be used as a key during configuration import. + +For example, the _Code_ property of the _Title_ entity type is marked as a key. + +``` + + ... + + +``` + +All _Title_ instances will be replicated from a managed system. So, at configuration time, Identity +Manager's internal primary key for this _Title_ is not known. + +We hence cannot write a _SingleRoleRule_ with a Dimension criteria based on _Title_ as the primary +key. + +We can however, use a non-primary key, that is known in advance, because it depends on the managed +system's data and not on Identity Manager. + +For example, the below `Dimension1` attribute references a _Title_ entity by its _Code_ value. + +``` + + + +``` + +#### Changing the multiplicity of a property + +It is sometimes necessary to change the multiplicity of a property (Scalar property to Navigation +property or vice-versa). As long as the property was not used in any workflow, this can be properly +handled by `Deploy-Configuration.exe`. If it _was_ used in one or more workflows, foreign key +conflicts (in UW_Changes database table) may occur, preventing the configuration from being +deployed. To solve this problem, references to this property must be manually cleaned up with SQL +queries directly in the database before deploying the configuration. 
+ +### Properties + +| Property | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the property in language 1 (up to 16). **Note:** cannot be "Id". | +| FlexibleComparisonExpression optional | **Type** String **Description** Expression used to transform the query input value for comparison using a flexible operator. | +| GroupByProperty optional | **Type** Int64 **Description** Property used to regroup navigation resources (resources used in navigation rules) by value. When defined, the Evaluate policy will enforce that one and only one item of a group can be assigned to an identity on a given date range. **Warning:** whenever the value of this property changes for a resource used in the defined navigation rules, the server needs to be restarted in order for the changes to be taken into account. | +| HistoryPrecision default value: 0 | **Type** Int32 **Description** Defines the number of minutes to wait, after a property change, before triggering the record history mechanism. 
| +| Identifier required | **Type** String **Description** Unique identifier of the property. It must be unique to the parent entity type scope. Cannot be a [ Reserved identifiers ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md) and can only contain numbers (except the first character) and letters without accents. **Note:** cannot be "Id". | +| IsKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the keys that uniquely identify any resource from the entity type in the configuration. Each entity type must have at least one key. **Note:** AD synchronization requires the `dn` property to have either `IsKey` or `EntityTypeMapping` > `Property` > `IsUniqueKey` set to `true` (key property in the UI). | +| Language optional | **Type** Int64 **Description** Language associated to the property if it is localized (optional). | +| NeutralProperty optional | **Type** Int64 **Description** Neutral property associated to the property if it is localized (optional). | +| TargetColumnIndex default value: -1 | **Type** Int32 **Description** Specifies the corresponding column in the resource entity. `0` to `3`: scalar property whose value exceeds 443 characters. `4` to `127`: scalar property whose value does not exceed 443 characters (or optimized mono-valued navigation property : see note). `128` to `152`: optimized mono-valued navigation property only. `-1`: non-optimized mono or multi-valued navigation property (stored in `UR_ResourceLink`), or binary (stored in `UR_ResourceLink`). **Note:** optimized mono-valued navigation properties should have their `TargetColumnIndex` between 128 and 152 included to be fully optimized. However, if all are already taken, `TargetColumnIndex` from 0 to 127 included (usually for scalar properties) may also be used. In this case the first available `TargetColumnIndex` in ascending order should be used. 
| +| Type default value: 0 | **Type** EntityPropertyType **Description** Property type. `0` - **String**. `1` - **Bytes**. `2` - **Int32**. `3` - **Int64**. `4` - **DateTime**. `5` - **Bool**. `6` - **Guid**. `7` - **Double**. `8` - **Binary**. `9` - **Byte**. `10` - **Int16**. `12` - **ForeignKey**: indicates a navigation property, i.e. a property related to an association between entities. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md new file mode 100644 index 0000000000..140eb7b781 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md @@ -0,0 +1,10 @@ +# Metadata + +- [ Access Control Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md) +- [ Binding ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) +- [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +- [ Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +- [ Entity Property Expression ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) +- [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- [ Language ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +- [ Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md new file mode 100644 index 0000000000..2043fd3238 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md 
@@ -0,0 +1,94 @@ +# App Display Setting + +This setting is used to customize the application display. + +## Examples + +Here are some examples of display settings that can be customized: + +### Set colors, logos and names + +The following example sets: + +- Netwrix Identity Manager (formerly Usercube) as name of the application visible on the tabs; +- The logo to be displayed in the top left corner; +- The favicon to be displayed on the tabs; +- The **banner color**, **banner gradient color**, **banner selected tab color**, **banner text + color**, **primary color** and **secondary color**. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +Colors, logo and name customization: + +![AppDisplay - Basic Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp) + +Display colors customization: + +![AppDisplay - Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp) + +### Disable counters + +The following example disables the counters that are usually visible on the dashboard: + +![AppDisplay - Without Counters](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp) + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +![AppDisplay - Without Counters](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp) + +### Features + +The feature **Only allow approving and refusing on access certifications items** gives the +administrator the option to limit the user's option to either **Approve** or **Deny** the Access +Certification items while making the **More** button unavailable. + +![allowapprovingdenyingaccesscertificationitems](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) + +The following example disables the **More** button that is usually visible on certification screen: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +  +``` + +If the feature **Only allow approving and denying on access certification items** is set to **Yes**, +the **More** button is disabled. + +![accesscertificationonlyapprovedeny-disabled](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) + +See the +[Configure Global Settings](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-global-settings/index.md) +topic for additional information. + +## Properties + +| Property | Type | Description | +| ------------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationName (optional) | String | Name of the application, visible on the application's tabs. 
| +| AccessCertificationOnlyApproveDeny (optional) | Boolean | True to hide the **More** button on the access certification screens, only allowing **Approve** and **Deny** actions. The default value is **false**. | +| BannerColor (optional) | String | HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerGradientColor (optional) | String | HEX code of the color for the banner's gradient to be visible at the middle of the banner. | +| BannerSelectedTabColor (optional) | String | HEX code of the color for the line that emphasizes the selected tab. | +| BannerTextColor (optional) | String | HEX code of the color for the banner's text. | +| DisableProvisioningCounters (default value: false | String | True to disable the counters related to the administration screens: **Role Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and **Manual Provisioning**. | +| FaviconFile (optional) | String | Path of the favicon to be displayed in the application's tabs. | +| FaviconMimeType (optional) | String | Mime type of the favicon. | +| FullNameSeparator (default value: �) | String | Separator of the full name. | +| Identifier (default value: AppDisplay) | String | Unique identifier of the setting. | +| LogoFile (optional) | String | Path of the logo to be displayed in the top left corner. | +| LogoMimeType (optional) | String | Mime type of the logo. | +| Preview (optional) | String | Documentation unavailable. | +| PrimaryColor (optional) | String | HEX code of the color for the highlighted buttons. | +| SecondaryColor (optional) | String | HEX code of the color for the background of the authentication screen. | 
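Review bot: All three fenced blocks under Examples in appdisplaysetting/index.md (Set colors, logos and names; Disable counters; Features) are empty, so the sentence about replacing attributes enclosed with `<>` refers to code the reader never sees; restore the XML snippets before merging. In the Properties table, the `DisableProvisioningCounters` row is missing the closing parenthesis after `default value: false` and is typed String although its description reads "True to disable", which suggests Boolean as for `AccessCertificationOnlyApproveDeny`. The `FullNameSeparator` default renders as a replacement character, so the actual separator is lost and needs to be re-entered. The Features section names the same option two ways ("approving and refusing" and "approving and denying"); use the label the UI shows. The `Preview` row says only "Documentation unavailable."; either describe the property or leave it out of the table.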
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md new file mode 100644 index 0000000000..232180644e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md 
@@ -0,0 +1,45 @@ +# Settings + +- [App Display Setting](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) + + This setting is used to customize the application display. + +- [ Configuration Version Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md) + + Used to track the current configuration version. + +- [ Custom Link 1 Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md) + + Used to display a given static HTML file to a custom URL address. + +- [ Custom Link 2 Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md) + + Used to display a given static HTML file to a custom URL address. + +- [ Dashboard Item Number Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md) + + Used to customize the number of links to display on each section on the Dashboard. If no value + is defined, the default value is 3. The value must be greater than 0 and less than or equal + to 5. + +- [ Mail Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md) +- [ Password Generation Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md) +- [ Password Tests Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md) + + This setting enables a check on the passwords set manually by users. 
+ +- [ Scheduling Clean Database Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md) + + If the default value for the Task CleanDataBase needs to be overridden. + +- [ Select All Performed by Association Query Handler Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md) + + This setting enables task delegation to a group of people. + +- [Select Personas by Filter Query Handler Setting](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md) + + This setting is used to filter the entity type used by authentication mechanism. + +- [ Select User by Identity Query Handler Setting ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md) + + This attribute matches an end-user with a resource from the unified resource repository. diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md 
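Review bot: In the settings/index.md list, the Mail Setting and Password Generation Setting entries have no description while every other entry does; add a one-line summary to each. The Scheduling Clean Database Setting summary is a sentence fragment ("If the default value for the Task CleanDataBase needs to be overridden."), and the Select User by Identity summary says "unified resource repository" where the setting's own page says "central repository". Link labels are padded inconsistently (`[App Display Setting]` against `[ Mail Setting ]`); pick one form.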
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md new file mode 100644 index 0000000000..4cd51d3c6f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md 
@@ -0,0 +1,24 @@ +# Password Tests Setting + +This setting enables a check on the passwords set manually by users. + +The strength of passwords generated by Identity Manager can be configured via +[ Password Reset Settings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) StrengthCheck. + +## Examples + +The following example encourages users to choose a strong password with at least 9 characters +including at least one digit, one lowercase letter, one uppercase and one special character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier default value: PasswordTests | **Type** String **Description** Unique identifier of the setting. | +| PasswordRegex optional | **Type** String **Description** Regular expression(s) (regex) that users' passwords must match to be acceptable when set manually. When setting several regex, passwords must match all of them to be considered strong, and 70% to be considered average. Below that, a password is considered weak and cannot be confirmed. **Default value:**`'^..*$', '^...*$', '^....*$', '^.....*$', '^......*$', '^.......*$', '^........*$', '^.........*$', '^..........*$', '^.*[0-9].*$', '^.*[a-z].*$', '^.*[A-Z].*$', '^.*[^A-Za-z0-9].*$'` | 
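Review bot: The fenced block under Examples in passwordtestssetting/index.md is empty, so the configuration that is described as asking for at least 9 characters with a digit, a lowercase letter, an uppercase letter and a special character is never shown; restore the XML. The `PasswordRegex` description should also state outright that an "average" password (70% of the expressions matched) can be confirmed, since only "weak" is said to be rejected: with the 13 default expressions a password can miss at least one of them, for instance one character class, and still be accepted. Say how the 70% is rounded, and tell readers who need every expression enforced how to get that. Minor: add a space between `**Default value:**` and the opening backtick.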
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md new file mode 100644 index 0000000000..52c2f6ca5a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md 
@@ -0,0 +1,59 @@ +# Select User by Identity Query Handler Setting + +This attribute matches an end-user with a resource from the central repository. + +Authorization mechanisms within Identity Manager rely on assigning a profile to a resource that +stands for the end-user digital identity. + +To that end, end-user authentication credentials are linked to such an identity using the following +pattern: + +1. authentication credentials are retrieved; +2. authentication credentials are trimmed using the `AfterToken` and/or `BeforeToken` attributes; +3. the trimmed result is matched against the `ResourceIdentityProperty` of resources with the entity + type specified by `OwnerEntityType`; +4. the matching resource is used to find a profile and authorization for that digital identity. + +After modifying the authentication mode via `SelectUserByIdentityQueryHandlerSetting`, Identity +Manager server must be restarted. On a SaaS environment, contact your Identity Manager +administrator. + +## Examples + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). +In that case, the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Identity Manager. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| AfterToken optional | **Type** String **Description** Second character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| BeforeToken optional | **Type** String **Description** First character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| Identifier default value: SelectUserByIdentityQueryHandler | **Type** String **Description** Unique identifier of the setting. | +| OwnerEntityType optional | **Type** String **Description** Entity type of the resources used to store digital identities within Identity Manager. | +| OwnerPhotoTagProperty optional | **Type** String **Description** Photo property for Identity Manager users. | +| ResourceDisplayNameProperty optional | **Type** String **Description** Property used for displaying login data at the top right of the application. | +| ResourceIdentityProperty optional | **Type** String **Description** Identity-resource property supposed to match the authentication login used by the end-user. | 
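Review bot: The matching procedure in selectuserbyidentityqueryhandlersetting/index.md (steps 1 to 4) does not say what happens when the trimmed login matches no resource, or more than one resource, on `ResourceIdentityProperty`, nor whether the comparison is case-sensitive; since this match decides which profile and authorizations the end-user receives, document that behaviour and state that the property should be unique within `OwnerEntityType`. The `AfterToken` and `BeforeToken` rows are hard to follow: one is called the "Second character" and the other the "First character", then both carry the same three sentences; describe each token on its own and tie it to the `DOMAIN/userName` example. The fenced example block is empty, so the configuration the Examples section walks through is missing. The page opens with "This attribute" for what the title calls a setting.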
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md new file mode 100644 index 0000000000..0af58ff693 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md @@ -0,0 +1,5 @@ +# Notifications + +- [ Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) +- [ Notifications (Typed) ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md) +- [Notification Template](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md new file mode 100644 index 0000000000..7ba45a1d01 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md 
@@ -0,0 +1,40 @@ +# Notification + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the [ Send Notifications Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) as +part of a job. + +## Examples + +The following example defines a notification to inform/remind managers of the arrival of new +employees in their team. + +The notification is built based on: + +- the template `Notification.cshtml`; +- the styles `Notification.css`; +- the subject defined by `TitleExpression`. + +The notification is sent for each new user, i.e. each user whose contract start date is in the +future. The notification is sent to the new user's manager(s). + +The notification will be sent again as a reminder after 7 days, by the next `SendNotificationsTask`. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression` and `QueryFilterExpression`. 
| +| QueryFilterExpression optional | **Type** String **Description** C# expression that returns a Identity Manager Squery in order to define the sending condition of the notification. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| RecipientMailBinding optional | **Type** Int64 **Description** Binding of the property that corresponds to the email addresses that will receive the notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md new file mode 100644 index 0000000000..53682dfdf1 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md 
@@ -0,0 +1,36 @@ +# Access Certification Notification + +Reminder notification concerning access certification. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for access certification (on resources from `Directory_User`) and have +not yet performed the action. The email's content and styles are those from the original +notification, but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md new file mode 100644 index 0000000000..24eb937329 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md 
@@ -0,0 +1,21 @@ +# Notifications (Typed) + +- [ Access Certification Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md) + + Reminder notification concerning access certification. + +- [ Manual Provisioning Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md) + + Reminder notification concerning manual provisioning. + +- [ Provisioning Review Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md) + + Reminder notification concerning provisioning review. + +- [Role Policy Notification](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md) + + Reminder notification concerning role model tasks. + +- [ Role Review Notification ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md) + + Reminder notification concerning role review. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md new file mode 100644 index 0000000000..839a5f550a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md 
@@ -0,0 +1,36 @@ +# Manual Provisioning Notification + +Reminder notification concerning manual provisioning. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for manual provisioning (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md new file mode 100644 index 0000000000..5babdd088d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md 
@@ -0,0 +1,36 @@ +# Provisioning Review Notification + +Reminder notification concerning provisioning review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for provisioning review (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md new file mode 100644 index 0000000000..e283816949 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md 
@@ -0,0 +1,36 @@ +# Role Review Notification + +Reminder notification concerning role review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for role review (on resources from `Directory_User`) and have not yet +performed the action. The email's content and styles are those from the original notification, but +the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md new file mode 100644 index 0000000000..4214c00f6b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md 
@@ -0,0 +1,43 @@ +# Notification Template + +A notification template is used to overwrite the subject and/or body of a native notification with +personalized templates. + +Identity Manager natively sends notifications for usual cases. + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +notification templates. See the +[ Native Notifications ](/docs/identitymanager/6.2/identitymanager/integration-guide/notifications/native/index.md)topic for additional information. + +## Examples + +The following example overwrites the template of the notification provided by Identity Manager for +role review. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following example defines a template for the notification's subject. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// WorkflowReviewRolesSummary_Subject.cshtml +@using Usercube.Application.DeltaProvisioning.Notification +@model WorkflowReviewRolesSummary +Review Roles - @(@Model.AssignedCompositeRoles.Any() ? @Model.AssignedCompositeRoles.FirstOrDefault().Owner.FullName : @Model.AssignedSingleRoles.FirstOrDefault().Owner.FullName) +``` + +## Properties + +| Property | Type | Description | +| --------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BodyTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). 
**NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | +| Identifier required | String | Identifier of the native notification to adjust, among: - `BlockedProvisioningInformations` - `OneWayPasswordReset` - `PendingAccessCertificationModel` - `PerformManualProvisioningSummary` - `RolePolicySummary` - `RunJobNotification` - `TwoWayPasswordReset` - `WorkflowReviewProvisioningSummary` - `WorkflowReviewRolesSummary` | +| SubjectTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's subject template in language 1 (up to 16). **NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md new file mode 100644 index 0000000000..bbeacbb4b7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md 
@@ -0,0 +1,100 @@ +# Automation Rule + +Automation rules make automatic decisions instead of the reviewer on assignments that still need to +be reviewed after a given waiting period. + +There are distinct types of automation rules: + +- A composite role automation rule targets the assigned composite roles corresponding to a given + composite role. + + `CompositeRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `CompositeRole`, and requires specifying the `CompositeRole` property; + +- A single role automation rule targets the assigned single roles corresponding to a given single + role. + + `SingleRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `SingleRole`, and requires specifying the `SingleRole` property; + +- A resource type automation rule targets the assigned resource types corresponding to a given + resource type. + + `ResourceTypeAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `ResourceType`, and requires specifying the `ResourceType` property; + +- A category automation rule targets the assigned roles and resource types corresponding to a given + category and a given entity type. + + `CategoryAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Category`, + and requires specifying the `Category` and `EntityType` properties; + +- A policy automation rule targets the assigned roles and resource types corresponding to a given + policy and a given entity type. + + `PolicyAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Policy`, and + requires specifying the `Policy` and `EntityType` properties. + +_Remember,_ Netwrix recommends always using the typed syntax. + +For example, you should always use `SingleRoleAutomationRule`, rather than `AutomationRule` with +`Type` set to `CompositeRole`. + +All these rules target the assignments which have a specific workflow state which is specified in +the rule. 
+ +Automation rules can also specify dimensions. + +One assignment should be involved in the decision of only one automation rule. However, one +assignment can easily be targeted by several automation rules. In this case, the Provisioning Policy +algorithm prioritizes the most specific rule. + +For example, considering an assigned composite role, Identity Manager's algorithm prioritizes a +composite role automation rule, before a category automation rule, before a policy automation rule. + +After this prioritization, when an assignment is still targeted by several rules due to dimensions, +then Identity Manager prioritizes a rule implying a decline decision. + +## Examples + +In the following example, the two first rules are equivalent (except for the workflow state's +value), but the second one shows the preferred syntax. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the first of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the second of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "BO028" single role, which are waiting for their required approval for more than one hour: +     +    This rule approves all the assignments of the "SAB_User_NominativeUser" resource type, which are waiting for their required approval for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "IT Administration" category, which are waiting for the first of two required approvals for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during a synchronization without a 
linked automatic rule, for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during the first synchronization without a linked automatic rule, for more than one hour: +     + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | Int64 | Identifier of the category targeted by the rule. | +| CompositeRole optional | Int64 | Identifier of the composite role targeted by the rule. | +| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the assignments targeted by the rule. | +| Decision default value: 0 | AutomationRuleDecision | Decision to apply on the targeted assignments. 0 - Approve. 1 - Decline. | +| EntityType required | Int64 | Identifier of the entity type targeted by the rule. 
This property should not be specified when writing an automation rule among the following: composite role automation rule; single role automation rule; resource type automation rule. These rules imply the entity type. | +| HoursToWait default value: -1 | Int32 | Waiting period (in hours) from the most recent change in the workflow state of the assignments, before the decision can be applied. | +| L0 default value: false | Boolean | True to indicate that the rules targets the assignments with not only the dimension 0 (up to 127), but also this dimension's child elements. | +| Policy optional | Int64 | Identifier of the policy that the rule is part of. | +| ResourceType optional | Int64 | Identifier of the resource type targeted by the rule. | +| SingleRole optional | Int64 | Identifier of the single role targeted by the rule. | +| Type required | AutomationRuleType | Object type targeted by the rule. 0 - CompositeRole. 1 - SingleRole. 2 - ResourceType. 4 - Category. 5 - Policy. | +| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. 
![Workflow State: Calculated](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined. See the [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. ![Workflow State: Cancellation](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. See the [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Suggested](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. See the [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. _Remember,_ the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. 
See the [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. See the [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. ![Workflow State: Approved - Questioned](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. See the [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Prolonged](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. 
For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp) **Found** - Will match assignments not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) **Historic** - Will match assignments not supported by a rule, which existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md new file mode 100644 index 0000000000..e69c3ca37e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md 
@@ -0,0 +1,26 @@ +# Category + +A category is a classification of Composite Roles, Single Roles or/and +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). It can be used to group multiple roles of the same +context. + +## Examples + +The following example declares a new category called "Shares - Public". + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Description_L1 optional | **Type** String **Description** Describe this category in detail. | +| DisplayName_L1 required | **Type** String **Description** Display name of the category in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the category. | +| IsCollapsed default value: false | **Type** Boolean **Description** Defines if the category must be collapsed by default in the permission list of a resource (View Permissions popup and roles basket). | +| Parent optional | **Type** Int64 **Description** Represents the parent category definition. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the category is part of. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md new file mode 100644 index 0000000000..7dcb657e0e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md 
@@ -0,0 +1,54 @@ +# Composite Role + +Defines basic information about a composite role. Composite roles identify affiliations or job +functions by which users can be grouped. A composite role is a business role comprehensible by +managers. It provides a layer of abstraction above existing entitlements, technical roles and single +roles. + +Roles can be used to: + +- Grant various types and levels of access. +- Restrict access to sensitive information assets by grouping entitlements in a form that is + meaningful to the business. +- Grant the minimum privileges required by an individual to perform their job. + +Roles can be requested manually, or they can be configured to be assigned automatically via a +[Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). To further control access, roles can be +related via required, inherited, or permitted relationships. + +## Examples + +The following example declares a new composite role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Number of validations required to assign manually the composite role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. | +| Category optional | Int64 | Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. 
`0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| Description_L1 optional | String | Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | String | Display name of the composite role in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type whose resources can receive the composite role. | +| GracePeriod optional | Int32 | Duration (in minutes) for which a lost automatic composite role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | Boolean | `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Unique identifier of the composite role. | +| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the composite role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. 
| +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextModeRole | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaxDuration optional | Int32 | Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | Int64 | Identifier of the policy that the role is part of. | +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. | +| R0 default value: false | Boolean | `true` to set the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| Tags optional | String | Tags of the roles targeted by the campaign filter. The tag separator is ¤. | 
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md new file mode 100644 index 0000000000..6608dcabe8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md 
@@ -0,0 +1,19 @@ +# Context + +A context is the result of the combination of all identity-related entities, for example personal +data, contracts or positions, so that all dimension values contained in a given context are valid +for a given user on a given period of time. + +Contexts define the resources' scopes of responsibility. They are used during provisioning to +simplify the application of the role model's rules based on dimensions. + +See the +[ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) +for additional information about context generation. + +## Properties + +| Property | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Automatic default value: false | **Type** Boolean **Description** Specifies the automatic assignments. | +| D0 optional | **Type** Int64 **Description** Dimension0 identifier, specifies the scope in which the assignment is restricted. Going from 0 to 127. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md new file mode 100644 index 0000000000..bf6125e2d4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md 
@@ -0,0 +1,191 @@ +# Context Rule + +A context rule configures, for the identities of a given entity type, the generation of contexts +which are used in provisioning to simplify the application of the role model's rules. + +A context rule should be created for each entity type for which we want to assign entitlements +automatically based on users' attributes. + +Without a context rule, automatic entitlements (assigned via the role model's rules): + +- cannot be assigned based on users' attributes; +- don't have specific start and end dates, so they are valid from the resource creation until its + deletion. + +See the +[ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) +for additional information about context generation. + +A context rule can be configured with [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) in situations +where a user needs to be modeled by several contexts over time or simultaneously. + +Without record sections, a context rule can generate only one context per user. This means that +users cannot have more than one contract, or position, at a time, and that data changes cannot be +anticipated. + +## Examples + +The following example generates contexts, i.e. sets of dimension-value pairs, for users from +`Directory_User` as resources of `Directory_User:Records`. + +Both the start and end dates of the future contexts are defined with C# expressions based on users' +contract and position start/end dates. + +All contexts are to be made of the properties specified by the bindings `B0` to `B7`. + +``` + + + +``` + +### ExcludeExpression + +The following example is similar to the previous one, except that we choose to exclude users +declared as "draft" from the role model and provisioning calculations. 
+ +``` + + + +``` + +This option can exclude workers who are not validated yet, or who have left the company, for +example. + +### RiskFactorType + +The following example is similar to the previous one, except that we force the final risk score of a +user to be the maximum value of all their risk scores. + +``` + + + +``` + +### Role mining + +Context rules also contain some parameters for +[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md). + +Users are distributed in a hypercube made of all dimensions, like in the following table (left) when +we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' possible locations, and +`A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension +and sorting the dimension values per user percentage, we get the following table (right). + +![Role Mining Tables](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp) + +The tables here represent a simple situation with few dimensions. But the higher the number of +dimensions, the more complex are role mining's computations. This is known as the curse of +dimensionality. + +The following example is similar to the first one, except that we customize some role mining +parameters which help tackle the curse of dimensionality: + +- `MinIdentitiesCount` establishes that the role mining's engine will generate a role assignment + rule only when the rule is applicable to at least 5 users; +- `ReductionOutlierPercentage` establishes that the role mining's engine will consider the last 2.0% + dimension values (from `Y` to `Z` in the table above) to be grouped together in a single category + "Others". 
+ + The definition of the outlier percentage is particularly useful when managing, for example a + services company with thousands of distinct organizations, where many organizations contain only + one or two users. We can safely choose to group into a single fictitious organization the 2% of + all users that involve the smallest organizations. + +``` + + + +``` + +### Certification items + +Unlike `ResourcesStartBinding` and `ResourcesEndBinding`, `ResourcesStartExpression` and +`ResourcesEndExpression` cannot be used to define the resources to include in the related +certification campaigns. Thus, when needing to define which resources to include with more than +start/end bindings, add a comparison based on `ResourceCertificationComparisonBinding`, +`ResourceCertificationComparisonOperator` and `ResourceCertificationComparisonValue`. + +The following example includes in certification campaigns only the resources that have their +`IsActivePosition` property set to `1`. + +``` + + + +``` + +**Note:** must be configured together with the other `ResourceCertificationComparison` properties. + +**Note:** when not specified, certification items are defined by `ResourcesStartBinding` and +`ResourcesStartBinding`. 
+ +## Properties + +| Property | Details | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | **Type** Int64 **Description** Binding of the dimension 0 (up to 3V in [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)). The dimension can then be used in rules to filter the rules' targets. | +| DisplayName_L1 required | **Type** String **Description** Display name of the context rule in language 1 (up to 16). | +| ExcludeExpression optional | **Type** String **Description** C# expression that defines the resources to exclude from context generation, because they should not be part of the role model and provisioning calculations. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Identifier required | **Type** String **Description** Unique identifier of the context rule. | +| MinIdentitiesCount default value: 0 | **Type** Int32 **Description** Minimum number of identities to take into account to generate a rule by the role mining engine. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| ReductionOutlierPercentage default value: 0.0 | **Type** Float **Description** Proportion of identities that are grouped together by role mining to aggregate all the small entities in one "other" category. This is used to speed up the mining process as the number of groups can be greatly reduced. | +| ResourceCertificationComparisonBinding optional | **Type** Int64 **Description** Binding of the property whose value is to be compared to `ResourceCertificationComparisonValue` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonOperator optional | **Type** QueryComparisonOperator **Description** Operator of the comparison that specifies the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonValue optional | **Type** String **Description** Value to be compared to the value of `ResourcesCertificationComparisonBinding` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. 
And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourcesBinding optional | **Type** Int64 **Description** Binding that represents the entity type of the contexts to be created from the `SourceEntityType`. It can also be defined via `ResourcesExpression`. | +| ResourcesEndBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the end of validity for all [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesEndExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesEndExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the end of validity for all [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesEndBinding`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesExpression optional | **Type** String **Description** Expression based on `SourceEntityType` that defines the entity type of the contexts to be created. 
It can also be defined via `ResourcesBinding`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| ResourcesStartBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the beginning of validity for all [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesStartExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesStartExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the beginning of validity for all [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesStartBinding`. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| RiskFactorType optional | **Type** RiskFactorType **Description** Operator used to aggregate a user's risk scores together to compute the user's global risk score. `0` - **None**. `1` - **Max**: a user's final risk score is the maximum value among all their risk scores. 
`2` - **Average**: a user's final risk score is the average value of all their risk scores. | +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md new file mode 100644 index 0000000000..26afaad1ee --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md 
@@ -0,0 +1,23 @@ +# Provisioning + +This section describes different entities that manages the process of granting, changing, or +removing user permissions to systems, applications and databases based on the security policy. + +- [Automation Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +- Bulk Change +- [ Category ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +- [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +- [Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md) +- [ Context ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md) +- [ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +- [ Indirect Resource Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md) +- [ Mining Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +- [Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +- [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +- [ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +- [ Resource Correlation Rule 
](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +- [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +- [ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +- [ Role Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +- [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +- [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md new file mode 100644 index 0000000000..e234efae24 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md 
@@ -0,0 +1,66 @@ +# Mining Rule + +After roles are assigned to users, Identity Manager can use mining rules to perform role mining. +Role mining means that Identity Manager analyzes existing assignments in order to suggest +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will assign +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) to certain users matching given criteria. + +The [ Build Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) replaces the +existing single role rules in the specified rule policy with the new generated ones. + +## Examples + +The following example set of mining rules targets the roles owned by users from `Directory_User`. +These mining rules are part of the `Default` policy while the role assignment rules are to be +generated to be part of the `Mining` policy. + +The following rules have a different impact whether they are applied individually, or all together. +Indeed, during role mining, the first mining rule of type `Required` applies to given roles with a +given precision, then the second mining rule applies to a larger group of roles but only to those +still with no linked single role rules. + +- The first rule will generate required rules (i.e. automatic assignments) for sensitive assignments + that require 2 or 3 validations, with a high precision (via `PrecisionMinPercentage` and + `FalsePositiveMaxPercentage`). + + ``` + + + + ``` + +- The second rule will generate required rules (i.e. automatic assignments) for all assignments, + with a lower precision. + + ``` + + + + ``` + +- The third rule will generate suggested rules (i.e. assignments listed as suggested in users' + permission baskets) for all assignments, with an even lower precision. 
+ + ``` + + + + ``` + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | **Type** Int64 **Description** Identifier of the category containing the roles targeted by role mining's analysis. | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the owners of the roles targeted by role mining's entitlement analysis. | +| ExcludeRole default value: false | **Type** Boolean **Description** `true` to ignore the specified roles during the mining process triggered by the next mining rules (in terms of priority). | +| FalsePositiveMaxPercentage default value: 0.0 | **Type** Float **Description** Maximum authorized percentage of false positive assignments, i.e. roles that are assigned to users who should not have them. Netwrix Identity Manager (formerly Usercube) recommends around 1%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring two validations. | +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring zero validations. 
| +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring one validation. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring three validations. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the mining rule is part of. | +| PrecisionMinPercentage default value: 100.0 | **Type** Float **Description** Minimum authorized percentage of correct role assignments, considering both the roles that are assigned to users who should have them, and the roles that are not assigned to users who should not have them. NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| Priority default value: 0 | **Type** Int32 **Description** Priority order of the mining rule. Identity Manager applies mining rules one after the other in descending order. **Info:** a mining rule can generate single role rules only for the single roles that were not already associated with a single role rule by another mining rule during the same role mining task. | +| RulePolicy optional | **Type** Int64 **Description** Identifier of the policy that the generated single role rules are to be part of. **Note:** NETWRIX recommends using a policy dedicated to role mining in order not to remove existing assignment rules. | +| RuleType default value: 0 | **Type** Int32 **Description** Represents the type of the generated single role rules. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is `Suggested`. 
`2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md new file mode 100644 index 0000000000..67caf40a1a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md 
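Review bot: In the Properties table of the new mining rule page, the `PrecisionMinPercentage` row says the recommended 99.5% is "to be lowered when working on a sensitive application and/or a large user population", which repeats the wording of the `FalsePositiveMaxPercentage` row and reads backwards for a minimum. Lowering a minimum precision loosens the rule, while the Examples section says sensitive assignments requiring 2 or 3 validations are mined "with a high precision". Because `RuleType` 0 produces automatic assignments, suggest rewording the row so the minimum is raised, not lowered, for sensitive applications. The three fenced blocks under Examples are also empty as added, so the `PrecisionMinPercentage` and `FalsePositiveMaxPercentage` values the bullets refer to are never shown, and the vendor name alternates between "Netwrix Identity Manager (formerly Usercube)" and "NETWRIX" in adjacent rows.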
@@ -0,0 +1,44 @@ +# Policy + +A policy is a next generation access control (NGAC) which works by assigning permissions to users +based on their roles within an organization, and other dimensions and attributes. A policy is a +sub-group of the role model, containing roles and rules, that allows an administrator to manage the +access specific to their applications. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +All `ResourceType`, `SingleRole`, `CompositeRole` and `Category` must belong to a Policy. This is +done by specifying the `Policy` attribute. See the [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md), +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) and +[ Category ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) topics for additional information. 
+ +``` + +``` + +## Properties + +| Property | Type | Details | +| ------------------------------------------------------------------------------------------ | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| CommentActivationOnApproveInReview default value: Optional | CommentActivation | Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to approve it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnDeclineInReview default value: Required | CommentActivation | Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to refuse it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnDeleteGapInReconciliation default value: Optional | CommentActivation | Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to delete it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnKeepGapInReconciliation default value: Required | CommentActivation | Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to keep it. 0 - Disabled. 1 - Optional. 2 - Required. | +| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the access to the policy and its roles. | +| DisplayName_L1 required | String | Display name of the policy in language 1 (up to 16). 
| +| GracePeriod default value: 0 | Int32 | Duration (in minutes) for which a lost automatic entitlement associated with this policy is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. This value can be overwritten for each composite role and single role. | +| HasImplicitApproval default value: false | Boolean | True to skip the approval circuit when the requester has the appropriate review permissions. This value can be overwritten for each policy object (composite role, single role, resource type). | +| Identifier required | String | Unique identifier of the policy. | +| IsExternal default value: false | Boolean | True to indicate that the policy's roles are outside Identity Manager's scope. The roles are managed by an external source, and Identity Manager cannot add, update nor delete any role. | +| IsProvisioningEnabled default value: false | Boolean | True to enable the provisioning policy. | +| IsSimulationEnabled default value: false | Boolean | True to enable the provisioning policy simulation. | +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextMode | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. 
| +| MaxDuration default value: 0 | Int32 | Duration (in minutes) after which the assignments induced by the policy will be automatically revoked, if no earlier end date is specified. It impacts only the assignments which are performed after the maximum duration is set. Pre-existing assignments are not impacted. | +| ProlongationWithoutApproval default value: false | Boolean | True to allow the policy's roles to be extended without any validation. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md new file mode 100644 index 0000000000..8786a79b94 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md 
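Review bot: In the Properties table of the new policy page, `MaxDuration` and `GracePeriod` both default to 0 but neither row says what 0 means. For `MaxDuration` in particular a reader cannot tell whether 0 disables automatic revocation or revokes at once, which matters for anyone relying on time-bound assignments. Suggest stating the meaning of 0 in both rows. `HasImplicitApproval` and `ProlongationWithoutApproval` each remove a validation step and would benefit from one sentence on when enabling them is appropriate. Both fenced example blocks are empty as added, and the sentence about "entering the script in the command line" does not fit a page filed under xml-configuration.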
@@ -0,0 +1,191 @@ +# Record Section + +Record sections shape identity data for a given entity type, by grouping properties into sections, +for example personal data, contract or position. + +Record sections impact the generation of identities' contexts which contain users' dimension values +valid on a given period of time. The aim is to simplify the application of the role model' rules for +provisioning. + +Thanks to this data organization in sections, the identities of a given entity type can be modeled +by more than one context over time, even simultaneously. This means that users can have more than +one contract, or position, at a time, and that data changes can be anticipated. + +See the +[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md)for +additional information on identity modeling. + +**Configuration recommendations:** + +As record sections cannot be configured without a [ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md), Netwrix +Identity Manager (formerly Usercube)recommends starting with the configuration of the context rule +before configuring record sections. + +Netwrix Identity Manager (formerly Usercube)recommends defining at least two record sections: a +default section for the properties shared by all records, and another section for a given set of +properties which differentiate between records. The default section must contain zero properties, +the shared properties are those that are not defined in the other section(s). + +For example, to model several positions for a single user, we configure the default record section +to contain the properties shared by all positions such as personal data, and we configure the +position section to contain the properties specific to each position. 
Similar to the position +section, we can also typically configure a section for contracts. + +## Examples + +The following example models users from the `Directory_User` entity type with three sets of +properties: user properties, contract properties and position properties. All created records will +be resources from the `Directory_UserRecord` entity type. + +The properties from the contract (or position) section are the properties specific to each contract +(or position). The properties from `Directory_User` that are not specified in the record sections +are the properties shared between all records, here user properties. + +Each section must be defined with start and end dates, so that Identity Manager's engine is able to +combine all periods of validity and apply the rules with the right input at any time. + +``` + +Default section: + ... + + +Contract section: + ... + + +Position section: + ... + + +``` + +### InstanceKeyExpression + +The following example computes a unique key for each record section instance. This way, we can +distinguish between contracts thanks to their identifiers, same for positions, and between user +property sets thanks to a C# expression based on the start date. + +``` + +Default section: + + +Contract section: + ... + + +Position section: + ... + + +``` + +An instance key is required when we need to uniquely identify a context, i.e. when we may have +several simultaneous contexts. + +For example, an instance key is required for the position section when users can have overlapping +positions. + +### IsDefaultBoundariesSection + +The following example uses the contract start/end dates as default boundaries in users' +[validity period](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md#period-of-validity), +instead of those from the default section. 
It may be because, for example, HR services do not enter +an end date for the personal data of users on permanent contracts. So we prefer to use the start and +end dates of their contracts. + +``` + +Contract section: + ... + + +``` + +### Context extension + +There can be some time gap where no context is defined, for example a time gap with a position but +no contract or vice versa. Identity Manager offers the possibility to choose whether an existing +context is to be extended to the period without context. And in case we decide to use another +context and extend its values, which context should it be? + +![Schema - ExtensionKind](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp) + +Here, we decide to extend an existing contract to the gap, for example because users' email +addresses are built using the contract type to add `-ext` for external users. And we decide to not +extend the position. + +In the following example, the contract section uses `SortKeyExpression` to establish between +existing contracts a priority order that will determine which contract should be extended to the +gap. Based on this C# expression that returns a value `A`, `B` or `C`, the `ExtendedSortKey` +considers as extendable only the contract(s) whose expression returns `C`. + +The position section uses `ExtensionKind` set to `None` to block the extension mechanism. + +``` + +Contract section: + ... + + +Position section: + ... + + +``` + +When not specifying any sort key nor extended sort key, Identity Manager will select a context to +extend to the gap. However, it may not be functionally the most meaningful context. 
+ +## Properties + +| Property | Details | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BoundaryKind default value: 0 | **Type** RecordBoundaryKind **Description** Defines how the section dates are computed for a resource, when the current start/end dates are null. `0` - None: start date and end date are equal respectively to the minimum value of `StartProperty` and maximum value of `EndProperty` when comparing the default sections of all records. `1` - Kept: start and end dates are equal respectively to the default start date (1900/01/01 00:00:00) and end date (2079/06/06 00:00:00). **Info:** the boundary has no effect on the default section which is the reference to compute the default dates in other sections. When the default section's start/end dates are null, then they equal the default start/end dates. | +| DisplayName_L1 required | **Type** String **Description** Display name of the section in language 1 (up to 16). | +| EndProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the end of validity for all the Record Section of the section. It cannot be a property computed by an `EntityPropertyExpression`. 
| +| ExtendedSortKey optional | **Type** String **Description** Value used as a threshold for `SortKeyExpression` values to determine whether the Record Section property values of a given record section can be extended from a context where the values are defined to another context where no properties from the section are defined. This extension is enabled only when the value of `SortKeyExpression` of the section is higher (with an ordinal comparison) than `ExtendedSortKey`. | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the section's property values can be extended (copied) from a context where the properties are defined to another context where no properties from the section are defined. `0` - Default: the section's property values can be extended. `4` - None: the section's property values cannot be extended. | +| Identifier required | **Type** String **Description** Unique identifier of the section. | +| InstanceKeyExpression optional | **Type** String **Description** Expression returning a key to uniquely identify a context, i.e. distinguish between job positions for example when users can have several concurrent positions, or between contracts. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IsDefaultBoundariesSection default value: false | **Type** Boolean **Description** `true` to use the start/end dates of this section as the default boundaries, i.e. the start/end dates of users' validity period. When no section has `IsDefaultBoundaries` set to `true`, the default section (the one without properties) is automatically selected. | +| ResourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the multiple records to be created. 
| +| SortKeyExpression optional | **Type** String **Description** C# expression used to compute a value for each record, to be used as a priority, following an ordinal comparison. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. When a record section has `ExtensionKind` set to `Default` and a priority value higher than `ExtendedSortKey`, then the record property values can be extended from a context where the values are defined to another context where no properties from the section are defined. | +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | +| StartProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the beginning of validity for all he Record Section properties of the section. It cannot be a property computed by an `EntityPropertyExpression`. | + +## Child Element: Property + +A record section is a set of record properties which belong to the resource entity type. + +### Examples + +In the following example, the position section gathers the properties `Organization`, `Location` and +`Title`, while the default section gathers all the other properties from `Directory_UserRecord`. + +The property `Location` can be extended from a context where the location is defined to a context +where it is not. The two other properties cannot be extended. + +See the Record Section topic for additional information. 
+ +``` + +Default section: + + + +Position section: + + + + +``` + +### Properties + +| Property | Details | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the property value can be extended (copied) from a context where the section properties are defined to another context where no properties from the section are defined. `0` - Default: the property value can be extended. `4` - None: the property value cannot be extended. **Note:** a property value can be extended only if the section is extendable too. | +| IsExcluded default value: false | **Type** Boolean **Description** Excludes the given property from the section. This is used only in the default section to remove properties such as the RecordIdentifier that are always different between all the records and that are thus not interesting for the provisioning rules. | +| Property required | **Type** Int64 **Description** Identifier of the property from the record section's `ResourceEntityType` that is to be part of the section. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md new file mode 100644 index 0000000000..a662640b32 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md 
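Review bot: In the record section Properties table, the `IsDefaultBoundariesSection` row refers to `IsDefaultBoundaries` in its description, which does not match the property being documented; use `IsDefaultBoundariesSection` in both places. In the same table `EndProperty` reads "for all the Record Section of the section" and `StartProperty` reads "for all he Record Section properties", so align both to "all the Record Section properties". The Context extension text says only contracts whose expression returns `C` are extendable, while the `ExtendedSortKey` row requires the sort key to be "higher" than the threshold; with every example fence on this page empty as added, the threshold value is never shown, so state it and whether the comparison is strict. Smaller items: "role model' rules", "(formerly Usercube)recommends" and "index.md)for" are missing a character or a space.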
@@ -0,0 +1,25 @@ +# Resource Classification Rule + +In Identity Manager, this type of rule is used to classify the resources based on a C# expression. + +## Examples + +The following example declares a rule to classify the Active Directory accounts based on the dn +values. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Represents the resource type definition. | +| ResourceTypeIdentificationConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the confidence level used to match the resources. | +| SourceMatchedConfidenceLevel default value: false | **Type** Boolean **Description** Defines the confidence level used to match the sources. | +| TargetExpression optional | **Type** String **Description** Defines the C# expression used to classify the resources. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md new file mode 100644 index 0000000000..0d4b8378ba --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md 
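Review bot: In the resource classification rule Properties table, `SourceMatchedConfidenceLevel` is typed Boolean with default `false` while its description calls it a confidence level, and the resource correlation rule page added in this same patch documents the same property name as Int32 with default 0. One of the two rows is wrong; align the type and default. `ResourceTypeIdentificationConfidenceLevel` should state its range and how the value affects matching, and `ResourceType` is described as "Represents the resource type definition" where the sibling page says "Identifier of the resource type". The fence that should show the dn-based rule is empty as added.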
@@ -0,0 +1,56 @@ +# Resource Correlation Rule + +A correlation rule is used to +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +the resources, i.e. link resources to their owners. + +## Examples + +#### Correlation based on unchanged attributes + +The following example creates an Active Directory correlation rule based on the mail property: + +``` + + + +``` + +#### Correlation based on attributes changed by a function + +The following example copies the previous example (based on unchanged attributes), but using a +predefined function (`ToLower`) in source and target bindings' expressions, to compare the email +attributes: + +``` + + + +``` + +A list of [Predefined functions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) is available. + +#### Correlation based on attributes within a C# expression + +The following example creates an Active Directory correlation rule based on the comparison between +the AD's simplified display name and an expression from the external system: + +``` + + + +``` + +This example also uses a confidence rate equals to 80%. + +## Properties + +| Property | Details | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Identifier of the resource type. | +| SourceBinding optional | **Type** Int64 **Description** Binding property from the source system. | +| SourceExpression optional | **Type** String **Description** Binding expression based on properties from the source system. 
See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| SourceMatchedConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the correlation confidence rate of this rule. If the value is less than 100, we process a manual review step to confirm the choice. | +| TargetBinding optional | **Type** Int64 **Description** Binding property from the target system. | +| TargetExpression optional | **Type** String **Description** Binding expression based on properties from the target system. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md new file mode 100644 index 0000000000..fb9f873a2d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md 
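Review bot: The opening sentence of the resource correlation rule page reads "A correlation rule is used to [ Entitlement Management ] the resources", where the link text has replaced the verb. Suggest "A correlation rule is used to correlate the resources, i.e. link resources to their owners", with the Entitlement Management link moved to its own "See the ... topic" sentence. The headings under Examples jump from `##` to `####`, and "a confidence rate equals to 80%" should read "equal to 80%". Since the `SourceMatchedConfidenceLevel` row gives a default of 0 and says any value below 100 triggers a manual review, it would help to say outright that a rule left at the default always goes to manual review. All three example fences are empty as added, so the `ToLower` bindings and the 80% value mentioned in the text are not visible.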
@@ -0,0 +1,672 @@ +# Resource Type + +In Identity Manager, a resource type is a conceptual model used to categorize resources. It groups +together, with a meaningful name, resources sharing the same intent and the same authorization +system. Resource types are assigned directly to a resource rather than mapped to a role. A resource +type can be assigned manually, or configured to be assigned automatically via a resource type rule. + +## Examples + +The following example declares a new resource type to provision the LDAP service accounts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### ArgumentsExpression + +This option is used for provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an InternalWorkflow connection +cannot contain expressions, a resource type can be configured with the ArgumentsExpression attribute +to explicit the arguments of provisioning orders, based on conditions and variables. See the +[InternalWorkflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md), +[ Compute a Resource Type's Provisioning Arguments ](/docs/identitymanager/6.2/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md), +and [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topics for additional information. 
+ +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. + +The following example computes the identifier of the record to copy, if the identity has already +any: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); +  if (resources.Any()) { +    arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); +  } +}   +return arguments;" /> +``` + +### DependsOn + +This option is used to configure another resource type as prerequisite for this resource type. + +For example, a Microsoft Exchange account requires the email address of a related Active Directory +account. + +In this case, we want to configure the Exchange Account resource type so that a user cannot own an +Exchange account when they do not own an AD account. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an Exchange account when the user does not own an AD +nominative account. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +### DependsOnOwnerProperty + +This option is used to configure a property as prerequisite for the resource type. + +Consider an Active Directory administrator account which should be able to perform manual +provisioning to ServiceNow. Then it requires the random identifier computed by ServiceNow. + +In this case, we want to configure the AD_Entry_AdministrationUser resource type so that a user +cannot own an AD administrator account when they do not have an identifier in ServiceNow. + +**NOTE:** The DependsOnOwnerProperty of a resource type should only refer to scalar values that are +part of the properties of the SourceEntityType. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an AD administrator account when the user does not have an +identifier in ServiceNow. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### DiscardManualAssignments + +This option is used to set Identity Manager as authoritative following a manual change in a managed +system. + +Suppose a resource type managing the provisioning of Active Directory nominative accounts based on +users data in Identity Manager (Directory_User). Suppose a scalar rule that provisions the AD's sn +property based on users' last names. + +The following scenario is about a user named Cedric Blanc, whose AD's sn property is set by the +scalar rule to Blanc. + +![Example - State 0](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp) + +Let's see what happens when the user's name is changed manually directly in the AD. + +Suppose that we change in the AD the last name to White. 
As the scalar rule computes the sn value +based on the user's data which still states the last name Blanc, such a change induces a difference +between the value calculated by the rule and the actual value in the AD. This difference is spotted +by the next synchronization, triggering a non-conforming assignment on the Resource Reconciliation +page. + +![Example - State 1](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp) + +![Example - Step 1](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp) + +![Example - Step 2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step2_v602.webp) + +Once this manual new value is confirmed, the property is stated as **Approved**. + +![Example - State 2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp) + +Now suppose that the user's last name is changed to Black via Identity Manager's workflows. As the +source data is changed, the scalar rule computes a new value for sn. There are two options: + +- The default configuration (DiscardManualAssignments set to false) considers manual assignments, + i.e. changes made directly in the managed system, as authoritative. So there will be no + provisioning of the newly computed value for sn. The current sn value that was written manually in + the AD stays as is, no matter the changes in the source data (here the user's last name). Identity + Manager only states the property's value as Questioned. 
+ + ![Example - State 3](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state3_v602.webp) + + **NOTE:** No change in the source data can affect the property's value. However, any manual + change made in the managed system will trigger a non-conforming assignment. Then, reconciling + the property by choosing to keep Identity Manager's suggested value will make the property's + value go back to Calculated and thus follow the changes in the source data. + + **NOTE:** If DiscardManualAssignments is changed from False to True, then the state of the + property's value does not matter. Identity Manager applies the rules of the role model, and + generates a provisioning order to overwrite the manual change White with the newly computed + value Black. + + ![Example - State 4](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp) + +In this scenario for Cedric Blanc, these behaviors can be summed up like the following: + +![Schema for DiscardManualAssignments](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp) + +### Correlate Multiple Resources + +With the **Correlation Multiple Resources** option, Identity Manager can link a single owner to +several existing target objects of the same resource type. This setting can be used in conjunction +with the **Suggest all resources** option to fine tune the behavior. + +Below, we illustrate the different scenarios that are possible, taking into consideration whether a +resource type has previously been correlated to the owner or not. 
+ +![suggestallcorrelations-nnn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is no Resource already correlated so the first match with the highest confidence rate is + **Correlated** if it is \>100 or **Suggested** if it is \ `<100`. As for all other matches with + lower confidence rate they will be ignored. + + ![suggestallcorrelations-nnn2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp) + + If there are no Resources to be correlated with a confidence rate `>100`, the ones below with + confidence rate below 100 are Suggested or Ignored. + + ![suggestallcorrelations-nny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is one Resource already correlated so due to this all future correlations will be ignored. + + ![suggestallcorrelations-nyn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** is **Yes** + there is no Resource already correlated so all Resource Types will be **Suggested**. 
+ + ![suggestallcorrelations-nyy](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** **Yes** + there is one Resource already correlated so the Resource Types that have a confidence rate `>100` + will be **Suggested**. As for all other matches with lower confidence rate they will be ignored. + + ![suggestallcorrelations-ynn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No**, + and there is no Resource already correlated so Resource Types that have a confidence rate `>100` + will be **Correlated** and the ones `<100` will be **Suggested** if there are no higher matches + otherwise they will be ignored. + + ![suggestallcorrelations-ynn2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp) + + If there are no Resources to be correlated with a confidence rate `>100`, the ones with + confidence rate below 100 are Suggested. + + ![suggestallcorrelations-yny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No** + there is one Resource already correlated so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be ignored. 
+ + ![suggestallcorrelations-yyny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **Yes** + one Resource could be already correlated or not so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be **Suggested**. + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAdd default value: true | Boolean | Enables Identity Manager to automatically create new resources in the managed system when their owners are given the right entitlements. Otherwise, resource managers must create resources manually directly in the managed system. | +| AllowRemove default value: true | Boolean | Enables Identity Manager to automatically deprovision resources in the managed system when their owners are deprived of the right entitlements. 
Otherwise, Identity Manager is able to delete resources in the managed system only with a manual approval on the Resource Reconciliation screen. | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Indicates the number of validation to give to a role given manually (from None to Three). The value ManualAssignmentNotAllowed is used when a manual assignment cannot be performed. **NOTE:** Netwrix recommends using ManualAssignmentNotAllowed for all resource types. | +| ArgumentsExpression optional | String | **NOTE:** C# expression used to compute the arguments of provisioning orders, for example a workflow identifier, in a situation where it is not obvious. The aim is to enable an InternalWorkflow connector to fulfill correctly a virtual managed system by launching the right workflows based on a given provisioning order. This expression must return a dictionary of string. **NOTE:** ArgumentsExpression is useful only when provisioning via the following packages: Active Directory, Apache Directory, Generic LDAP, Open LDAP, Oracle LDAP, Red Hat Directory Server and Workflow. | +| BlockProvisioning default value: true | Boolean | True to block the provisioning policy orders. | +| Category optional | Int64 | Resource type category. | +| CorrelateMultipleResources default value: false | Boolean | True to extend the QueryRule/CorrelationRule to match as many target resources as possible (no blocking like this is normally the case). | +| DependsOn optional | Int64 | Identifier of another resource type that must be provisioned for a given identity before the current resource type can be provisioned for said identity. | +| DependsOnOwnerProperty optional | Int64 | Identifier of one of the owner properties that must be filled before the current resource type can be provisioned for said identity. | +| Description_L1 optional | String | Describe this resource type in detail. 
| +| DiscardManualAssignments default value: false | Boolean | True to always allow the provisioning of a new property value, i.e. re-computed by a provisioning rule after a change in the source data, no matter the property's current workflow state. Set to false, any manual change of a property's value made directly in the target system will be "protected" (only after the change is approved in Identity Manager in Resource Reconciliation). It means that a future change in the source data will not trigger the provisioning of the new value to the target system. Instead, Identity Manager will keep the value of the manual change, and state the value as **Questioned**. This option should be set to true when: \* using multiple authoritative sources and the latest value should be provisioned; \* a source system is not often synchronized to Identity Manager but should stay the authoritative source. | +| DisplayName_L1 required | String | Display name of the resource type in language 1 (up to 16). | +| FulfillHoursAheadOfTime default value: 0 | Int32 | Anticipate resource fulfill order hours ahead of they start time. It is helpful for manual fulfillment and/or long fulfillment process. It differs from TimeOffset because the start date of the resource to fulfill is not impacted. | +| HideOnSimplifiedView default value: false | Boolean | True to hide this resource type in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Unique identifier of the resource type. | +| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the resource type can be skipped. 0 - Inherited: implicit approval value in the associated policy. 1 - Explicit: all the workflow steps must be approved. 2 - Implicit: the workflow steps can be skipped if the requester has enough permissions. 
| +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextMode | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaximumDelete default value: 0 | Int32 | Deleted lines threshold. Sets the maximum number of resources that can be removed from the resource type when running the provisioning job. | +| MaximumDeletePercent default value: 30 | Int32 | Deleted lines threshold in percent. | +| MaximumInsert default value: 0 | Int32 | Inserted lines threshold. Sets the maximum number of resources that can be added into the resource type when running the provisioning job. | +| MaximumInsertPercent default value: 30 | Int32 | Inserted lines threshold in percent. | +| MaximumUpdate default value: 0 | Int32 | Updated lines threshold. Sets the maximum number of resources that can be modified within the resource type when running the provisioning job. | +| MaximumUpdatePercent default value: 30 | Int32 | Updated lines threshold in percent. | +| P0 default value: false | Boolean | True to indicate that the resource type is parametrized, i.e. there is at least one type rule configured to assign the resource type based on the dimension 0 (up to 3V following the base32hex convention). See the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| Policy required | Int64 | Identifier of the policy that the resource type is part of. 
| +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the resource type can be extended without any validation. 0 - Inherited: gets the value from the policy. 1 - Enabled. 2 - Disabled. | +| R0 default value: false | Boolean | True to set the dimension 0 (up to 3V following the base32hex convention) as a required parameter when assigning the resource type. See the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| RemoveOrphans default value: false | Boolean | True to authorize the deprovisioning of this resource when it does not have an owner. Can only be true when AllowRemove property is also true. | +| SourceEntityType required | Int64 | Identifier of the source entity type. | +| SuggestAllCorrelations optionalAttribute | Boolean | Allows correlation suggestions for rules with a confidence rate below 100, even if other correlations with a confidence rate above 100 have been found. | +| TargetEntityType required | Int64 | Identifier of the target entity type. | +| TransmittedStateValidityPeriod default value: 0 | Int32 | Time period (in minutes) after which fulfillment orders in Transmitted/Executed states are automatically set in Error state. **_RECOMMENDED:_** - when provisioning automatically, then set 1, 2 or 3 times the period between two synchronizations. - when provisioning manually and synchronizing regularly, then set around 15 days. - when provisioning manually with few synchronizations, then don't set it. | + +## Child Element: BinaryRule + +A ResourceBinaryRule allows to specify the file that must be set to an assigned resource binary +property. It is defined by a child element `` of the `` element. The +source file should already be synchronized and stored inside and reference as an EntityType +property. 
+ +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        ... +       +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression to get the file property. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the property used to represent the file on the target EntityType. | +| SingleRole optional | Int64 | Identifier of the single role. The single role must be assigned to the owner so that the file can be provisioned on the resource. See the [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for additional information. | +| TimeOffsetAfterReference default value: 0 | Int32 | Defines the offset after reference (in minutes). 
| +| TimeOffsetBeforeReference default value: 0 | Int32 | Defines the offset before reference (in minutes). | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. **NOTE:** in a situation with several binary rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. _Remember,_ two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: NavigationRule + +A navigation rule computes the value of a given navigation property for target resources, based on +the properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to query rules, navigation rules assign +resources regardless of the attributes of source resources. + +A navigation rule is defined by the child element `` of the `` +element. + +**NOTE:** Both navigation and query rules compute navigation properties. The value of one navigation +property should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. 
+ +### Examples + +Computation based on other properties + +The following example declares a new rule to give the SG_APP_SharePoint_HR_Owner group to all users +who had the SharePoint_HR_Owner role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following rule will set users' Active Directory nominative account in the +CN=SG_APP_DL-INTERNET-Restricted,OU=Applications,DC=acme,DC=internal group for people having the +DL-INTERNET-Restricted role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Parametrized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parametrized +roles. See the +[Configure a Parametrized Role](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/parameterized-role/index.md)topic +for additional information. + +This optimization will simplify the functional understanding of the role catalog, and speed up +Identity Manager's calculations. + +Supposing that the 10th dimension (dimension A following the base32hex convention) is created for +time slots, the following example creates a single role Access/A_Brune_HR for all time slots. Each +time-slot-related entitlement will be assigned to users by configuring one navigation rule per +entitlement, using the dimension as a required parameter. See the +[ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) and +[ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +             +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to compute the navigation property for users whose country is France. **NOTE:** Specifying at least one dimension makes the linked role parametrized. | +| IsDenied default value: false | Boolean | True to forbid the resource assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. 
| +| Resource required | Int64 | Identifier of the resource to be assigned as a value of the impacted navigation property. Said resource must be part of the entity type that the navigation property points to. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the property computation. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | _Remember,_ Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several navigation rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. _Remember,_ two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. 
Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: QueryRule + +A query rule computes the value of a given navigation property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to navigation rules, query rules assign +resources to target resources according to a query via a C# expression with conditions, based on the +attributes of the source resources. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for +additional information. + +A query rule is defined by the child element `` of the `` element. + +Both navigation and query rules compute navigation properties. The value of one navigation property +should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example declares a new rule to compute the parent distinguished name for guest users. +Here we do not use source properties, but a literal expression for all guest users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+     + +``` + +### Properties + +| Property | Type | Description | +| --------------------------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. | +| SourceBinding optional | Int64 | Binding of the property from the source entity type to be compared with the target binding/expression, in order to find a matching resource to be the value of Property. | +| SourceExpression optional | String | C# expression to compare with the target binding/expression in order to compute the value of Property with the matching resource. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. 
| +| TargetBinding optional | Int64 | Binding of the property from the entity type pointed by Property, which will be the value of Property if it matches the source binding/expression. | +| TargetExpression optional | String | C# expression to compare with the source binding/expression in order to compute the value of Property with the matching resource.See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **_RECOMMENDED:_** The TargetExpression must contain at least one target property, it cannot be a literal expression. | +| TargetMatchedConfidenceLevel default value: 0 | Int32 | Percentage rate expressing the confidence in the rule according to data quality and sensitivity. Identity Manager considers the rules in descending order of confidence rate, the first matching rule is applied. 0 to 99: imposes that a resource manager reviews the property computation on the Resource Reconciliation page. 100 to 150: computes the property automatically. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | TypeDescriptionOffset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 
1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several query rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: ScalarRule + +A scalar rule computes the value of a given scalar property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. + +A scalar rule is defined by the child element `` of the `` element. + +See the +[Compute a Scalar Property](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example shows two scalar rules. The first one computes users' emails based on AD +values. The other one contains a C# expression to compute AccountExpires. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+       +     + +``` + +The next example computes the firstName property of a App1_Account from the resource type +App1_Standard_Account, indicating that it must be equal to the firstName of the source resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Computation via a literal expression + +The following example translates to "the userAccountControl property of a App1_Account of resource +type App1_Standard_Account must be equal to 66048. It uses a literal expression. See the +[Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Binding + +The Binding attribute complies with the binding expression syntax or the calculation expression +syntax. So, it can use the C# language to specify a more complex binding. See the +[ Bindings ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/bindings/index.md) and [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topics for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +IsMapped + +Consider a system that we want to connect to Identity Manager, let's call it SYST, using a title +property. Consider also that SYST needs to be provisioned with the value of title, but does not +allow any other system to retrieve the said value. + +In this case, we set `IsMapped` to false so that Identity Manager sends the adequate provisioning +order when needed, and then is able to change the provisioning state to **Executed** without +synchronization. 
See the [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional +information. + +The following example computes users' title in a given managed system, based on Identity Manager's +`PersonalTitle` property without ever retrieving the value: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +TimeOffset + +A scalar rule is applied according to reference start and end dates (configured through record +sections and context rules), usually users' arrival and departure days. It means that, for a user +matching the rule's criteria, a property is to be computed, by default, from the user's arrival day +until their departure day. See the [ Record Section ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and +[ Context Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) topics for additional information. + +![Schema - Default Application Period](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp) + +A time offset adjusts the period for which the rule applies and computes a property's value. + +The following example impacts the property for the activation of nominative AD accounts: + +- The first rule deactivates the account from its creation, i.e. 1 month before the user's arrival + day, until the arrival day; +- The second rule activates the account from the user's arrival day until their departure; +- The third rule deactivates the account from the user's departure day and until its deletion, i.e. + 6 months after the departure day. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                ... + +``` + +![Schema - Offset Application Period](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp) + +If the time period of property computation exceeds the limits of the period of resource type +assignment, then the period of resource type assignment is extended accordingly. + +Note that the rules are applied in a specific order according to their offset reference: After, +Before, Around and Default. Each rule overwrites pre-existing values. Thus in case of overlapping +rules, Default-offset rules overwrite the values of Around-offset rules, which overwrite the values +of Before-offset rules, which overwrite the values of After-offset rules. We could have the +following: + +![Schema - Overlapping Offsets](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp) + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression. | +| ComparisonType default value: 0 | ComparisonType | Defines the comparison type for the computed value, when Identity Manager retrieves it from the managed system during synchronization, and compares it to the value stored in Identity Manager's database. 0 - CaseSensitive: compares words exactly as they are. 1 - IgnoreCase: ignores the difference between upper and lower case. 2 - IgnoreDiacritics: considers all letters with diacritics (é, à, ç) to be equivalent to their base letters (e, a, c...). 3 - Simplified: ignores diacritics, case and characters which are not letters. 4 - Approximate: does the same as Simplified but also ignores some spelling mistakes. Some letters are considered equivalent (Z and S, Y and I, W and V, K and C, SS and C). All H can be missing. A T, D or S can be missing at the very end. Finally, it ignores all duplicate letters (other than SS). There is no comparison for unmapped properties (IsMapped set to false). 
| +| Expression optional | String | Expression used to compute the target property specified in Property. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. _Remember,_ for C# expressions, Identity Manager provides an implicit variable called "assignment" that contains basic information about the linked assigned resource type, i.e. StartDate, EndDate and ParametersValues. | +| IsMapped default value: true | Boolean | True to use the scalar rule's computation to both provision the managed system and synchronize the property back to Identity Manager, thus both create and update. Otherwise, the scalar rule's computation is used only to provision the managed system and the property will be ignored during synchronization, thus create only. This way the property can never be displayed as non-conforming. IsMapped is usually set to false in order to adapt the configuration to the constraints of the managed system, when Identity Manager does not retrieve and/or update the property value. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the scalar property to be computed. | +| SingleRole optional | Int64 | Identifier of a single role that users must have to trigger the property computation. _Remember,_ scalar rules must not be dependent on dimensions or role as far as possible as, according to Identity Manager, a good rights policy must be based on group membership and not on mono-valued properties. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. 
| +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. **NOTE:** in a situation with several scalar rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. _Remember,_ two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: TypeRule + +A resource type rule assigns resources to given users if they match specific criteria. These +resources are to be provisioned, i.e. written to the managed system. + +A resource type rule is defined by the child element `` of the `` element. + +**NOTE:** The specification of several resource type rules for one resource type implies the union +of all rules, i.e. the combination of all rules (and all sets of criteria) with an OR operator. + +### Examples + +With a dimension criterion + +The following rule will assign an App1_Standard_Account resource (resource of type App1_Account) to +any User whose organization dimension (dimension binded to column 0) identifier is Marketing. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... + +``` + +With a single role criterion + +In addition to dimensions, a single role can be used as a criterion for a rule. + +The following rule will assign an App1_Standard_Account resource to all User whose organization +dimension identifier is Marketing and having the single role Multimedia_Designer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... + +``` + +Without any criterion + +Di and SingleRole conditions are not mandatory. A type rule with no condition entails the creation +of an AssignedResourceType, and hence of a target resource (from the target entity type), for every +source resource (from the source entity type). See the AssignedResourceType topic for additional +information. + +The following example declares a new rule to give the resource type "AD_Entry_NominativeUser" to all +users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... 
+ +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to assign the resource type to users whose country is France. **NOTE:** specifying at least one dimension makes the linked resource type parametrized. | +| IsDenied default value: false | Boolean | True to forbid the assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the resource type assignment. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. 
A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: no offset. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several resource type rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap. two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | +| Type default value: 0 | RuleType | Represents the type of the rule. 0 - Required: the resource type is automatically assigned to users matching the criteria. 1 - Requested Automatically: the resource type is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is Suggested. 2 - Suggested: the resource type is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | 
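Review bot: In the ScalarRule `IsMapped` section and its Properties row (resourcetype/index.md), the text says an unmapped property "will be ignored during synchronization" and "can never be displayed as non-conforming", but it never states the consequence for the reader: as written, a value changed directly in the managed system after provisioning is not compared and will not surface in reconciliation. Suggest adding one sentence that says so and that limits `IsMapped` set to false to systems that really cannot return the value, since the same page uses account-state attributes (`userAccountControl`, account activation) as its examples. Smaller points in the same file: the IsMapped paragraph chains two links with nothing between them and a singular "topic" ("See the [Provision](...) [ Synchronize Data ](...) topic"); the literal-expression sentence opens a quotation mark before "the userAccountControl property" and never closes it; "dimension binded to column 0" should read "bound"; and the sentences "is defined by the child element `` of the `` element" in ScalarRule and TypeRule show empty code spans where the element names belong.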
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md new file mode 100644 index 0000000000..0b0c768278 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md 
@@ -0,0 +1,69 @@ +# Role Mapping + +Defines a naming rule to create a single role in a specific category based on a property. A +navigation rule will also be created by the naming rule, giving the property to the target user when +the created single role is assigned to this user. + +## Examples + +### Additional condition + +The following example uses `WhereExpression` to condition the application of the rule. + +NETWRIX recommends using this property only when the properties from the rule items do not suffice. + +Here the naming convention says that we should create a single role for each group (`memberOf` +value) whose `dn` starts with `SG_`and whose dn's second part (between two `_`) is made of three +characters. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApprovalRequired default value: false | **Type** Boolean **Description** Indicates that the generated role must be approved before being used by a policy. | +| ApprovalWorkflowType default value: None | **Type** ProvisioningPolicyApprovalWorkflow **Description** Indicates the number of validation to give to a manual role (from 0 to 3 inclusive). The value 4 is used when a manual assignment cannot be performed. | +| Category optional | **Type** Int64 **Description** Identifier of the category. | +| CategoryDisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the category display name. | +| CategoryDisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the category display name. 
See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| CategoryIdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the category identifier. | +| CategoryIdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the category identifier. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| CommentActivationOnApproveInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. 
| +| DisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the role display name. | +| DisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the role display name. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| HideOnSimplifiedView default value: false | **Type** Boolean **Description** `true` to hide this role in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | **Type** String **Description** Identifier of the role mapping. | +| IdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the role identifier. | +| IdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the role identifier. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| ImplicitApproval default value: 0 | **Type** Byte **Description** Indicates if the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ParentCategoryIdentifierBinding optional | **Type** Int64 **Description** Defines the binding used to compute the parent category. | +| ParentCategoryIdentifierExpression optional | **Type** String **Description** References the C# or literal expression used to compute the parent category. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| Property required | **Type** Int64 **Description** Property on which the naming rule will be applied. | +| ResourceType required | **Type** Int64 **Description** Resource type on which the naming rule will be applied. | +| RolePolicy optional | **Type** Int64 **Description** Identifier of the policy used for the roles created by the naming rule. | +| WhereExpression optional | **Type** String **Description** C# expression returning a boolean, used to condition the application of the naming convention. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | + +## Child Element: Rule + +Represent the sets of conditions which will determine the enforcement of the naming rule. + +## Child Element: Item + +Represents one of the conditions used to determine the enforcement of the naming rule. + +### Properties + +| Property | Details | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------- | +| Operator default value: 0 | **Type** QueryComparisonOperator **Description** Operator used in the condition for the naming rule enforcement. | +| Property required | **Type** Int64 **Description** Property on which the condition for the naming rule enforcement is based. | +| Value optional | **Type** String **Description** Value used in the condition for the naming rule enforcement. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md new file mode 100644 index 0000000000..c3aacc2436 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md 
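Review bot: In rolemapping/index.md, the `ApprovalWorkflowType` row gives the default as `None` but then describes the values only by number ("from 0 to 3 inclusive", "The value 4 is used when a manual assignment cannot be performed"), while singlerole/index.md in this same patch describes the property as `None` to `Three` plus `ManualAssignmentNotAllowed`. Suggest listing each value with both its name and its number in this row, so a reader knows exactly what to set to block manual assignment of generated roles, and aligning the wording between the two files. Also in this file: the Properties tables use a two-column Property / Details layout with inline **Type** and **Description**, unlike the three-column tables in the neighbouring files; "`SG_`and" is missing a space; "Represent the sets of conditions" should read "Represents"; and "Child Element: Rule" has no properties table or example.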
@@ -0,0 +1,85 @@ +# Single Role + +A single role is a way to represent an entitlement that is to be assigned to an identity. It brings +a layer of abstraction through a user-friendly name, close to the business view. + +Roles can be used to: + +- grant accesses of various types and levels; +- restrict access to sensitive information assets, by grouping entitlements in a form that is + meaningful from a business point of view; +- grant the minimum privileges required by an individual to perform their job. + +Roles can be requested manually, or they can be configured to be assigned automatically via +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) depending on identities' attributes. + +## Examples + +The following example declares a new single role in the default policy; in the category `Internet`; +for resources from `Directory_User` with one approval needed. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` +   +``` + +### Parameterized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parameterized +roles. + +This optimization will simplify the functional understanding of the role catalog, and speed up +Identity Manager's calculations. + +Supposing that the 10th [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) (dimension A following the +[ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)) is created for time slots, the +following example creates a single role `Access/A_Brune_HR` for all time slots. Each +time-slot-related entitlement will be assigned to users by configuring one navigation rule per +entitlement, using the dimension as a required parameter. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` + + + +     +     +     + + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Number of validations required to assign manually the single role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. | +| Category optional | Int64 | Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. 
| +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| D0 optional | Int64 | Value that will be set for the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)) for all users with the role. | +| Description_L1 optional | String | Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | String | Display name of the single role in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type whose resources can receive the single role. | +| GracePeriod optional | Int32 | Duration (in minutes) for which a lost automatic single role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | Boolean | `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Identifier of the single role. 
| +| ImplicitApproval default value: 0 | Byte | Indicates whether the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value from the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextModeRole | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaxDuration optional | Int32 | Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | Int64 | Identifier of the policy in which the role exists. | +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. 
| +| R0 default value: false | Boolean | `true` to set the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| State default value: Manual | RoleState | Mark that differentiates the roles analyzed in the role mining process. `0` - Manual: the role was created manually. `1` - Generated: the role was generated by a role mapping rule. | +| Tags optional | String | Label(s) that can later be used to filter the target roles of access certification campaigns. The tag separator is ¤. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md new file mode 100644 index 0000000000..60441f1e1f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md 
@@ -0,0 +1,30 @@ +# Single Role Rule + +A single role rule assigns a single role to users who match given criteria. + +## Examples + +The following example declares a new rule to give the single role to all the `"FCT0000"` users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| CompositeRole optional | Int64 | Identifier of a [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) that users must have to trigger the rule. | +| D0 optional | Int64 | Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the single role to users whose country is `France`. | +| IsDenied default value: false | Boolean | `true` to forbid the assignment instead of applying it. | +| L0 default value: false | Boolean | `true` to activate inheritance for `D0` (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Priority default value: 0 | Int32 | Priority of the rule over the others. The highest priority is defined by the smallest number. This enables, for example, overriding "deny rules" that have a lower priority (higher number). 
| +| Role required | Int64 | Identifier of the single role to be assigned. | +| Type default value: 0 | RuleType | Type of the rule. `0` - Required — the role is automatically assigned to users matching the criteria. `1` - RequestedAutomatically — the role is listed in the permission basket of new workers, these assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - Suggested — the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md new file mode 100644 index 0000000000..0809767c58 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md @@ -0,0 +1,3 @@ +# Reporting + +- [ Report Query ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md new file mode 100644 index 0000000000..60d24ce43b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md 
@@ -0,0 +1,26 @@ +# Report Query + +Allows the user to define queries to generate a report in a CSV file. When creating a new +ReportQuery it is recommended to also create the linked +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). + +## Examples + +``` + + + + + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | --------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the report query in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Report query Identifier. | +| Query required | **Type** String **Description** The report query written following Identity Manager EBNF Grammar rules. | +| ReturnedEntityType required | **Type** Int64 **Description** Returned Entity Type ID. The entity type can be seen as the FROM of a sql query. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md new file mode 100644 index 0000000000..a8761addb3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md @@ -0,0 +1,3 @@ +# Resources + +- [ Resource ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md) 
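Review bot: In reportquery/index.md, the `Query` row says the query is "written following Identity Manager EBNF Grammar rules" but links to no grammar topic, and the Examples fence in this hunk is empty as shown, so the page never shows what a valid `Query` value looks like. Link the grammar topic from the `Query` row and make sure the example carries one complete query. The Properties table also uses a two-column "Property | Details" layout with inline **Type** and **Description**, while the role and display pages added in the same patch use "Property | Type | Description"; pick one layout. In the `ReturnedEntityType` row, "sql" should be "SQL".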
diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md new file mode 100644 index 0000000000..1b50773073 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md 
@@ -0,0 +1,146 @@ +# Display Entity Type + +The `` element sets information about how an entity type is to be displayed by +the UI. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                         +``` + +### Zoom on Priority + +The Priority property controls the order in which entity types are displayed in the entity type +selection dropdown of the following administration screens: + +- Role Review +- Provisioning Review +- Role Reconciliation +- Resource Reconciliation +- My Tasks (also known as Workflow Management) +- Workflow Overview +- Access Rules + +By default, the entity type with the highest priority is selected first. The end user can later +change the selection using the top-left dropdown. + +![Change Selection](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp) + +Priorities are integer values, positive or negative. The most important priority is assigned to the +lowest value. + +Entity Types with the same priority are sorted by `Identifier`, in the alphabetical order, where +relevant. + +Entity Types for which a priority isn't set by a `` configuration element are +assigned an equally less important priority than the least important priority set by a +`` element. + +Example + +This example shows how to define priorities between the main Entity Types of the organizational +model. The highest priority is assigned to `Directory_User` and the lowest priority to +`Directory_Application`. All other entity types are assigned an equally low priority, below +`Directory_Application`. In the dropdown they will be sorted by alphabetical order. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +dashboard.xml +         + +``` + +#### Priorities for workflows + +The dropdown in My Tasks (also known as Workflow Management) and Workflow Overview screens is +related to workflows, not to entity types per se. + +In Identity Manager, each workflow is associated with a workflow-entity type. + +To configure the priority order for elements in the dropdown in these screens, the user should +remember to take the workflow-entity types in the `` need to be replaced with a custom value before entering the +script in the command line. + +``` +dashboard.xml +     + +``` + +But the order in which "Workflow for Directory_User" and "Workflow for Directory_Guest" appear in +the My Tasks screen is configured like this: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +dashboard.xml +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutocompleteBinding optional | Int64 | Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker). | +| Color optional | String | Defines the color used when displaying this entity type (it must be a 6 digit hexadecimal value, preceded by a #). | +| D0IsActive default value: false | Boolean | Is dimension0 active for this entity type (D0IsActive to D3VIsActive following the base32hex convention. | +| HideRoles default value: false | Boolean | True to skip the **Access Permissions** step (the one containing the roles) in the default forms for this entity type. | +| IconCode optional | String | Defines the icode code ("People", "MapPin", "Suitcase"...). 
| +| IsHierarchical default value: false | Boolean | Is hierarchical entity type. | +| MinSearchLength optional | Int32 | Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the AutocompleteBinding must be defined). | +| PluralDisplayName_L1 optional | String | Display name of the entity type in plural in language 1 (up to 16). | +| Priority default value: 2147483647 | Int32 | Sets the display priority of the Entity Type in the administration screens dropdown and the dashboard. A priority is an integer value, positive or negative. The highest priority is assigned to the lowest number. See the Priority section above. | + +## Child Element: Property + +Entity referencing the Entity properties (with which it share the same ID) that can be displayed in +the Identity Manager interface. + +### Properties + +| Property | Type | Description | +| ------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. Can be overwritten in every form control, display table column or tile item that displays the property. | +| AutocompleteBinding optional | Int64 | Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker if the input type of the display property is a picker). | +| DisplayOrder default value: 0 | Int32 | Defines the property display order. | +| DisplayTable optional | Int64 | Identifier of the display table. | +| Format optional | String | Defines a formatting method on the property values (`ParseSince1601Date`, `ToStringUserAccountControl`, `FormatDate` and `ParseBoolean`). 
| +| Group optional | Int64 | Identifier of the display property group, i.e. the fieldset, that the property is part of in the default UI form. | +| IconCode optional | String | Defines the icon code. | +| InputType default value: Auto | Enumeration | Identifier of the input type. See the [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional information. | +| IsHidden default value: false | Boolean | Property is hidden. | +| IsReadOnly default value: false | Boolean | Property is ReadOnly. | +| IsRequired default value: false | Boolean | Property is required. | +| MinSearchLength optional | Int32 | Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the input type of the display property must be a picker and the AutocompleteBinding must be defined). | +| NavigationBinding optional | Int64 | Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. | +| OutputType default value: Auto | Enumeration | Identifier of the output type. | +| PlaceHolderText_L1 optional | String | Property place holder text. | +| Tile optional | Int64 | Identifier of the tile. | +| ToolTipText_L1 optional | String | Property tool tip text. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md new file mode 100644 index 0000000000..694f677068 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md 
@@ -0,0 +1,28 @@ +# Display Property Group + +A display property group bundles a list of entity properties together in a fieldset in the UI. + +## Examples + +The following example will group a specific set of properties together, when displaying AD entries. + +``` + + + +Knowing that we have the following properties: + ... + + +``` + +![Display Property Group - Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp) + +Any property without a value is not displayed. + +## Properties + +| Property | Details | +| ----------------------- | -------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the fieldset in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the property group. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md new file mode 100644 index 0000000000..2b2cd82c62 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md 
@@ -0,0 +1,103 @@ +# Display Table + +A table displays a collections of entity type data grouped into rows. + +See the [Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md)topic for +additional information. + +## Examples + +Below there are a few examples of display tables. + +DisplayTableDesignElement table + +The following example displays sites as a table. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +![Example - DisplayTableDesignElement Set to Table](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_table_v602.webp) + +DisplayTableDesignElement list + +The following example displays users as a list. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +![Example - DisplayTableDesignElement Set to List](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp) + +_Remember,_ for resources to be displayed as a list, the display table must also be configured with +tiles. + +DisplayTableDesignElement resourcetable + +The following example displays AD entries as a table, with an "Owner/Type" column. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                 +``` + +![Example - DisplayTableDesignElement Set to ResourceTable](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp) + +## Properties + +Here is a list of properties of display tables. 
+ +| Property | Type | Description | +| ---------------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayTableDesignElement required | Enumeration | Design of the display table. -1 - table: resources are displayed in a table. -2 - list: resources are displayed in a list. -3 - resourcetable: resources are displayed in a table containing an "Owner/Type" column. -4 - adaptable: resources are displayed in a table with an "Owner/Type" column only if the entity type is the target of a resource type, otherwise the table is without said column. | +| EntityType required | Int64 | Represents the linked entity type. | +| HomonymEntityLink optional | Int64 | Defines the homonym display table. | +| Identifier required | String | Unique identifier of the table. | +| IsEntityTypeDefault default value: false | Boolean | Default display table used in the application. | +| LinesPerPage default value: 15 | Int32 | Defines the maximum lines per page. | +| ParentProperty optional | Int64 | Property to navigate to the parent level when the table displays a tree of values (for example Organization.ParentOrganization). | + +## Child Element: Column + +Contains all the display table columns. + +### Example + +Here is an example of a column child element. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                     +``` + +### Properties + +Here is a list of properties of column child element. 
+ +| Property | Type | Description | +| -------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| CanBeFiltered default value: false | Boolean | Can filter the column data. | +| ColumnSize default value: 1 | Int32 | Defines the column size. | +| DefaultSortPriority optional | Int32 | Defines the default sort priority. | +| DisplayBinding optional | Int64 | Represents the linked binding path to a scalar property. | +| DisplayName_L1 optional | String | Display name of the column in language 1 (up to 16). | +| IsDisplayInDropDownList default value: false | Boolean | Is a drop down list column. | +| IsDisplayInSummaryView default value: false | Boolean | Is a summary view column. | +| IsResizable default value: false | Boolean | Is resizable column. | +| IsSortable default value: false | Boolean | Is sortable column. | +| OptimizedDisplayBinding optional | Int64 | Optimized Binding allows DisplayTables to be faster displayed. If it is filled in, it takes priority over the DisplayBinding located in the DisplayTableColumn. | +| OptimizedSortBinding optional | Int64 | An optimized sort binding allows display tables to be faster displayed. If it is filled in, it takes priority over the sort binding located in the display table column. | +| SearchOperator default value: 0 | QueryComparisonOperator | Defines the search operator (Equal, NotEqual, Contain, StartWith). | +| SortBinding optional | Int64 | Represents the sort binding path to a scalar property. | +| Tile optional | Int64 | Identifier of the tile. | 
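Review bot: In the Properties table of displaytable/index.md, the `DisplayTableDesignElement` row writes its values as "-1 - table", "-2 - list", "-3 - resourcetable", "-4 - adaptable", which reads as negative enum values. The other property pages in this patch write enum values as a backticked number followed by the name, so either use that form here or state that the values really are negative. In the Column properties table, `SearchOperator` has "default value: 0" but the operators are listed only by name (Equal, NotEqual, Contain, StartWith), so a reader cannot tell which operator 0 selects; add the numeric mapping. Smaller points: "displays a collections of" in the opening sentence, the missing space in "index.md)topic", and "faster displayed" in the `OptimizedDisplayBinding` and `OptimizedSortBinding` rows.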
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md new file mode 100644 index 0000000000..95014313eb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md @@ -0,0 +1,171 @@ +# Form + +A form contains a set of input fields (called controls) to be filled by a user, in a structured way. +A form must have a form type to be displayed and used in the UI. A form without a type can be called +in another form. + +## Examples + +The following example shows a form called `Directory_UserRecord_View` that involves resources from +the entity type `Directory_UserRecord` to collect personal data and contract information via some +structured fields to fill. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +
+                                                                                            ... +     + +``` + +### Display settings + +The display settings allow you to adjust the display. + +Hide the "Access Permissions" tab + +When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible. + +![Access Permissions](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp) + +Adjust the request type + +When `WorkflowRequestType` is set to `Self`, then the finalization step looks like: + +![WorkflowRequestType = Self](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp) + +When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like: + +![WorkflowRequestType = Helpdesk](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp) + +Display records in a table + +![RecordTable Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp) + +InputType display + +The InputType represents the type of research property, attribute which supports only a predefined +set of values listed below: + +![inputtypeattachment](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeattachment.webp) + +- Attachment — represents a control for adding an attachment +- Auto — takes by default the type of the EntityType property + + ![inputtypecheckbox](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecheckbox.webp) + +- Checkbox — a boolean control which supports one of the two states + + 
![inputtypecombobox](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecombobox.webp) + +- Combobox — a dropdown which supports single selection + + ![inputtypecomboboxmultiselection](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecomboboxmultiselection.webp) + +- ComboboxMultiSelection — a dropdown which supports multiple selection + + ![inputtypedate](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypedate.webp) + +- Date — Date control +- Hidden — Hides the input + + ![inputtypeimage](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeimage.webp) + +- Image - Control to show / upload image +- Inherited —Control to get the InputType of the associated display entity property (when nothing is + specified in a Control of a Form, it's the default value). + + ![inputtypepicker](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypepicker.webp) + +- Picker — Opens a grid to select a resource + + ![inputtypetext](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetext.webp) + +- Text — Displays a single-line of text + + ![inputtypetextarea](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetextarea.webp) + +- TextArea — A textbox which supports carriage return character. 
+ +## Properties + +| Property | Type | Description | +| -------------------------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | Int64 | Defines the linked activity template. | +| ActivityState optional | Enumeration | Defines the linked activity state template. | +| AddRowLabel_L1 optional | String | Defines the "add row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| EntityType required | Int64 | Represents the linked entity type. | +| FormTitle_L1 optional | String | Title of the form in language 1 (up to 16). | +| FormType default value: Auto | FormType | Represents the linked form type. | +| HideRecordAddButton default value: false | Boolean | True to hide the button used to add a new record. | +| HideRecordRemoveButton default value: false | Boolean | True to hide the button used to remove an existing record. | +| HideRoles default value: false | Boolean | True to hide the **Access Permissions** tab. | +| Identifier required | String | Unique identifier of the form. | +| IsDefaultSelfForm default value: false | Boolean | Entity type default self form. | +| IsDefaultViewForm default value: false | Boolean | Entity type default view form. | +| IsDeleteForm default value: false | Boolean | Is a delete form. | +| MainProperty optional | Int64 | Represents the form main property. | +| MainPropertyLabel_L1 optional | String | Defines the main property label text. | +| Menu optional | Int64 | Defines the linked menu item. | +| RecordEndProperty optional | Int64 | Defines the workflow end date property. If not specified, the property EndDate of the record entity type is considered as RecordEndProperty. 
| +| RecordFilter default value: CurrentAndFuture | RecordFilter | Defines the record display option. 0 - Current: shows current positions. 1 - CurrentAndFuture: shows current and future positions. Recommended. 2 - All: shows past, present and future positions. Not recommended for clarity issues. | +| RecordProperty optional | Int64 | Defines the workflow record property. | +| RecordSortProperty optional | Int64 | Defines the workflow sort property. | +| RecordStartProperty optional | Int64 | Defines the workflow start date property. If not specified, the property StartDate of the record entity type is considered as RecordStartProperty. | +| RecordTable optional | Int64 | Identifier of the display table to be used to display resources' records in a workflow. | +| RemoveRowLabel_L1 optional | String | Defines the "remove row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| TableTitle_L1 optional | String | Defines the table title when using WorkflowUpdateSeveralRecordsEntityForm. | +| WorkflowRequestType default value: 0 | WorkflowRequestType | Type of the request of the related workflow. 0 - None. 1 - Self. 2 - Helpdesk. 3 - Administration. | + +## Child Element: Control + +A form control is an input field to be filled by a user. Controls can be inserted in other controls +in order to display the form fields in a structured way. + +### Examples + +The following example shows a form called `Directory_UserRecord_View` that collects first personal +data via some controls, and then calls another form `Workflow_Directory_User_AddRecord_Base` to +collect record information. In this example is a tree control which defines the relationships +between a worker and their managers (N+1 to N+3). The aim is to display in the form (in the UI) the +organization chart made of the worker and their managers. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +
                                                                 +     +``` + +### Properties + +| Property | Type | Description | +| ----------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| Binding optional | Int64 | Identifier of the binding property. **NOTE:** When displaying an organization chart, this binding is meant to represent the first manager level (N+1). In this case, it must be a mono-valued navigation. | +| Binding2 optional | Int64 | Identifier of the binding property used to represent the second manager level (N+2) in the organization chart. It must be a mono-valued navigation. Cannot be used when Binding is not defined. | +| Binding3 optional | Int64 | Identifier of the binding property used to represent the third manager level (N+3) in the organization chart. It must be a mono-valued navigation. Cannot be used when Binding2 is not defined. | +| ColumnSize optional | Int32 | Defines the control column size. | +| DefaultValueBinding optional | Int64 | Automatically sets the value in the control depending on this binding and the selected value in another corresponding picker. It's only available for controls with picker. For example: `` After a selection of an organization in another picker in the form, the field location will be automatically set by the main location of the manager of the selected organization. 
| +| DisplayName_L1 optional | String | Display name of the control in language 1 (up to 16). | +| DisplayTable optional | Int64 | Identifier of the table. | +| EmbeddedForm optional | Int64 | Identifier of the form to insert in the control. With this method, one form can be imported to several forms. _Remember,_ it can be used only with `OutputType` set to `TransformImport`. | +| EntityType optional | Int64 | Represents the linked entity type. | +| ExtensionIdentifier optional | String | This property is used to extend the Identity Manager UI. | +| FilterBinding1 optional | Int64 | Coupled with LinkedBinding1, it allows filtering on a list of items. FilterBinding1 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. | +| FilterBinding2 optional | Int64 | Coupled with LinkedBinding2, it allows filtering on a list of items. FilterBinding2 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker`InputType. | +| HomonymEntityLink optional | Int64 | Defines the homonym form control. | +| InputType default value: Inherited | Enumeration | Input type of the control. | +| IsReadOnly optional | Boolean | Is a read only form control. | +| IsRequired optional | Boolean | Is a required form control. | +| LinkedBinding1 optional | Int64 | Coupled with FilterBinding1, it allows filtering on a list of items. LinkedBinding1 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. | +| LinkedBinding2 optional | Int64 | Coupled with FilterBinding2, it allows filtering a list of items. LinkedBinding2 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. | +| Name optional | String | Identifies the control inside the Form. 
This is used for translation files when a control cannot be identified by its binding such as for FieldSet. | +| NavigationBinding optional | Int64 | Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. If not defined, the one defined in DisplayEntityProperty is used. | +| OutputType default value: Inherited | Enumeration | Output type of the control. | +| ParentControl optional | Int64 | Defines the parent form control. | +| PlaceHolderText_L1 optional | String | Defines the place holder text. | +| Tile optional | Int64 | Identifier of the tile. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md new file mode 100644 index 0000000000..7d72ce29ba --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md 
@@ -0,0 +1,11 @@ +# User Interface + +- [ Display Entity Association ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md) +- [Display Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +- [ Display Property Group ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md) +- [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +- [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +- [ Indicator ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md) +- [ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +- [Search Bar](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md) +- [ Tile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md new file mode 100644 index 0000000000..7ce464d58e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md 
@@ -0,0 +1,75 @@ +# Indicator + +An Indicator displays a banner alongside the resource information whenever it meets a specific +criteria. + +More precisely, an indicator displays the appropriate banner whenever the _Binding_ matches the +_Item Value_ according to the _Comparison operator_, as can be seen on the example below. + +The banner is displayed wherever the associated resource appears. + +For example, if we create an indicator pointing out the risk score of a user, the banner will show +on the left-side of the user [ Tile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) and the user [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). If we +create an indicator pointing out whether an AD account is unused or disabled, the banner will show +on the left-side of the AD Entries tile and form. + +One entity can show several banners, one for several different properties. They appear one above the +other if there are four banners or less, one next to the other if there are more. + +One indicator can posess several items, that define the information for the banner to be displayed. +The indicators order is important because the banner will get the information of the first item +matching the observed property. + +## Examples + +The following example entails the display of a red banner for a user with a high risk score and an +orange banner for a user with a medium risk. + +The XML file below states that if the risk score is greater than 75, only the indicator "High risk" +will be displayed and not "Medium risk". If it is lower than 75 and greater than 30, the indicator +will be "Medium risk". If it is lower than 30, there will be no indicator. 
+ +``` + + + +``` + +Note that if you write the "Medium risk" item before the "High risk" one, even if the score if +greater than 75, the banner will be orange according to the first item: + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding optional | **Type** Int64 **Description** Defines the binding path to a scalar property. | +| ComparisonOperator required | **Type** QueryComparisonOperator **Description** Defines how to compare the given binding to an indicator item value. 
All possible values: - Auto: The SearchOperator is calculated by the engine according to the type of element. - NotEqual: finds the elements that are not equal to the desired value. - Equal: finds the elements that are strictly equal to the desired value. - Contain: finds the elements that contain the desired value. - StartWith: finds the elements that start with the desired value. - EndWith: finds the elements that end with the desired value. - NotContain: finds the elements that do not contain the desired value. - NotStartWith: finds the elements that do not start with the desired value. - NotEndWith: finds the elements that do not end with the desired value. - GreaterThan: finds the elements that are greater than the desired value. - LessThan: finds the elements that are less than the desired value. - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. - LessThanOrEqual: finds the elements that are less than or equal to the desired value. - Flexible\*: The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. The flexible operators are: - FlexibleEqual. - FlexibleContain. - FlexibleStartWith. - FlexibleEndWith. | +| EntityType required | **Type** Int64 **Description** Represents the linked entity type. | +| OptimizedBinding optional | **Type** Int64 **Description** Optimized Binding allows Indicators to be faster displayed. If it is filled in, it takes priority over the Binding located in the Indicator. | +| Order required | **Type** Int32 **Description** Defines the order in which the banners are displayed. If there is no order needed, its value is zero for all indicators. | + +## Child Element: Item + +Defines the banner to be displayed information. 
+ +### Examples + +``` + + + +``` + +### Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------- | +| Color required | **Type** String **Description** Defines the color of the item. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the banner in language 1 (up to 16). | +| Value optional | **Type** String **Description** Defines the value with which the indicator binding will be compared to. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md new file mode 100644 index 0000000000..38b30da9c7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md 
@@ -0,0 +1,42 @@ +# Search Bar + +The SearchBar is an element of the user interface that allows you to search from a list of +properties of an EntityType. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                 +``` + +## Properties + +| Property | Type | Description | +| ------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EntityType required | Int64 | References the linked entity type. | +| Menu optional | Int64 | References the linked Menu. Each Menu Item of this Menu is a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list. | +| SearchBarDesignElement required | Enumeration | Defines the type of the searchBar (Block,Inline). | +| SearchedBinding optional | Int64 | Defines the binding on which the search will be applied. | +| SearchedEntityType required | Int64 | Defines the entity type on which the search will be applied. | + +## Child Element: Criterion + +A SearchBarCriteria defines a search criterion on a given property. See the Search Bar topic for +additional information. 
+ +### Properties + +| Property | Type | Description | +| -------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnSize required | Int32 | Size of the insertion or selection element of the property. | +| DefaultValue optional | String | Basic filter on the properties on the value or values entered in parameters. | +| DisplayName_L1 optional | String | Display name of the criteria in language 1 (up to 16). 
| +| InputType required | Enumeration | Type of the research property, supports only a predefined set of values listed below: - Attachment - Auto - Checkbox - Combobox - ComboboxMultiSelection - Date - Hidden - Image - Inherited - Picker - Text - TextArea See the [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional information. | +| IsVisibleInAdvancedView default value: false | Boolean | True to make the property visible in the advanced search but not in the main search properties. | +| Operator default value: 0 | QueryComparisonOperator | Defines how to do the research. All possible values: - Auto — The SearchOperator is calculated by the engine according to the type of element - NotEqual — finds the elements that are not equal to the desired value - Equal — finds the elements that are strictly equal to the desired value - Contain — finds the elements that contain the desired value - StartWith — finds the elements that start with the desired value - EndWith — finds the elements that end with the desired value - NotContain — finds the elements that do not contain the desired value - NotStartWith — finds the elements that do not start with the desired value - NotEndWith — finds the elements that do not end with the desired value - GreaterThan — finds the elements that are greater than the desired value - LessThan — finds the elements that are less than the desired value - GreaterThanOrEqual — finds the elements that are greater than or equal to the desired value - LessThanOrEqual — finds the elements that are less than or equal to the desired value - Flexible\* — The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. 
The flexible operators are: - FlexibleEqual - FlexibleContain - FlexibleStartWith - FlexibleEndWith | +| OptimizedBinding1 optional | Int64 | Represents the first optimized binding definition. An optimized binding allows searches to be faster displayed. If it is filled in, it takes priority over the binding located in the search bar criterion column. | +| PlaceHolderText_L1 optional | String | Overloads the DisplayName of the search property with this string. | +| ToolTipText_L1 optional | String | Text displayed in the tool tip. | diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md new file mode 100644 index 0000000000..bbe5365484 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md 
@@ -0,0 +1,59 @@ +# Add Change Aspect + +Modifies a given property value. + +## Examples + +The following example computes a new value for the property `IsDraft` from the `Directory_User` +entity type. The new value is always `true`. The pointcuts define when the value change must happen. + +``` + + + + +``` + +### Accept Null Value + +The following example computes a new value for the `Card` property in users' records, considering +`null` as a value. Instead of being ignored, a `null` value returned by `Expression` will replace +the old value. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be changed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| AcceptNullValueExpression optional | **Type** String **Description** C# expression returning a boolean, `true` to consider `null` for the new value returned by `Expression`. By default, `null` values are ignored. | +| Expression optional | **Type** String **Description** C# expression returning a new value for the property to be changed. **Note:** this property can also be defined by a binding via `ExpressionBinding`. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. 
| +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md new file mode 100644 index 0000000000..ed75b8cc57 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md 
@@ -0,0 +1,80 @@ +# Assert Value Aspect + +Checks whether the value of a given property satisfies a given condition. + +## Examples + +The following example makes sure that, when creating a new employee, the contract end date is after +the contract start date. The pointcuts define when the value assertion must happen. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +         +``` + +### Assert a multi-valued object + +When asserting a multi-valued object, said object must not be called through a binding that goes +back and forth between entities. + +For example, to manage records, using the ExpressionBinding set to +`Workflow_Directory_User:Directory_User`. Records and the Expression using C#:record:return +record.Directory_User.Records... will not work. + +Instead, the ExpressionBinding should be set to `Workflow_Directory_User:Directory_User` and the +Expression should use C#:user:return user.Records. + +The following example makes sure that a user's positions do not overlap. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +## Properties + +| Property | Type | Description | +| -------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Binding whose difference with ExpressionBinding defines the property to be validated by the aspect. | +| Identifier required | String | Unique identifier of the aspect. | +| Expression optional | String | C# expression returning a boolean, false to invalidate the property value. 
| +| ExpressionBinding optional | String | Binding: - Defines the variable type used in the potential expressions specified in the aspect; - Whose difference with Binding defines the property involved in the aspect **NOTE:** Required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | String | Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Message_L1 optional | String | Message in language 1 (up to 16) to be displayed when the property is invalidated by the condition specified in Expression. | +| Priority default value: 0 | Int32 | Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **NOTE:** The priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked aspect. See the +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) topic for additional information. + +The position of the pointcut is specified by an activity state and a mode (before or after). 
+ +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Type | Description | +| ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | Int64 | Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | Enumeration | Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | PointCutMode | Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 0 - Before — the aspect will be executed on entry to the specified activity state, regardless of the transition used. 1 - After — the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md new file mode 100644 index 0000000000..55746ac4d4 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md 
@@ -0,0 +1,41 @@ +# Assert Value Required Aspect + +Checks whether a given property has a non-null value. + +## Examples + +The following example makes sure that the contract start date is specified for any new worker. The +pointcuts define when the value assertion must happen. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be validated by the aspect. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Message_L1 optional | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the property is empty. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. 
**Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md new file mode 100644 index 0000000000..d80329bdc5 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md 
@@ -0,0 +1,215 @@ +# Build Unique Value Aspect + +Computes a unique value for a given property. + +## Examples + +The following example generates bots' logins during their creation. + +``` + + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be computed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Expression optional | **Type** String **Description** C# expression that computes the unique value. **Note:** the computation can be configured in SQL instead of C# via `SqlBuildExpression`. Decide whether to use either `Expression` or `SqlBuildExpression`, not both. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| HistorizeBinding optional | **Type** String **Description** Binding that stores all the old values computed by the aspect. 
| +| HistorizeSeparator default value: � | **Type** String **Description** Defines the character used as a separator in the `HistorizeBinding` property. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IterationsCount default value: 0 | **Type** String **Description** Maximum number of computation attempts without finding a unique value. **Note:** a variable named `iteration` is available to use the attempt number in the expressions of the aspect and/or of the potential unicity check rules, for example to help manage homonyms. Hence, a custom variable cannot be declared with the name `iteration`. | +| Message_L1 default value: | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the value generation failed, i.e. when `IterationsCount` is exceeded. | +| OnlyIfNew default value: false | **Type** String **Description** `true` to trigger the aspect only for the creation of new resources. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| SimulationExpression optional | **Type** String **Description** Expression used instead of the `Expression` parameter when previewing the workflow result before its implementation. | +| SqlBuildExpression optional | **Type** String **Description** SQL command that computes the unique value. **Note:** the computation can be configured in C# instead of SQL via `Expression`. Decide whether to use either `SqlBuildExpression` or `Expression`, not both. 
| +| SqlCheckExpression optional | **Type** String **Description** SQL request that checks whether the value computed with the binding/expression is unique, i.e. not yet used by another resource.**Note:** required if zero unicity check rules are linked to the aspect.**Warning:** the SQL request must be efficient because a potential timeout may block the progress of the workflow. For example, when the database's state and indexes are not well known, prefer to use views rather than the whole tables, because views store way fewer elements than tables, which makes them faster to use in a request. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: UnicityCheckRule + +A unicity check rule ensures that the expression computed by a `BuildUniqueValue`aspect for a given +property is unique, i.e. not yet used by another resource, in a given entity type. + +The comparison performed by these rules to check unicity can be configured in SQL instead of C# via +the [```SqlCheckExpression```](() property of the aspect. + +The value of the source binding/expression is computed based on the properties of the source +resource which is the resource whose property we compute via the `BuildUniqueValue` aspect. + +The rule compares the return value of the source binding/expression with the existing values of the +target binding/expression in the target entity type. + +![Schema: Unicity Check](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp) + +> For example, we need to generate an email address for any new user joining the company. We +> configure in a `BuildUniqueValue` aspect that users' emails are computed with +> `{firstName}.{lastName}@{EmailDomain}`. +> +> Consider a new user called John Doe. We need to link to the aspect a unicity check rule that is +> going to compare the email core `john.doe` with the email cores of existing resources in a given +> entity type. Thus Identity Manager can ensure that the email core is unique, and finally build the +> unique email address. + +Both source and target bindings/expressions must be consistent with the binding/expression used in +the corresponding aspect which must not use a `SqlCheckExpression`. 
+ +One `BuildUniqueValue` aspect can be linked to many unicity check rules, but should not be linked to +more than one rule per target entity type. + +The unicity check rules linked to a same aspect are combined with the AND operator. It means that +the aspect's iteration goes up when at least one of the rules detects non-unicity. + +When creating or updating a unicity check rule, launch the +[ Compute Correlation Keys Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md)before +applying the role model and launching workflows. + +**For information:** Identity Manager needs to store the correlation keys linked to the expressions +defined in the unicity check rule, such as the return value, the entity type, etc. That's why the +task mentioned above must be launched before launching any workflow using a unicity check rule. + +### Examples + +#### Basic example + +The following example checks the unicity of the login of a new user. + +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> +> ``` + +We want to check the unicity of the new user's login, compared with the logins of existing users: + +``` + + + +``` + +Here the source binding and expression are those from the aspect. + +#### Multiple unicity checks + +With the same aspect as the previous example, we might want to compare the login of the new user +with the list of reserved logins too: + +``` + + + +``` + +#### Sophisticated example + +The following example checks the unicity of the email address of a new user. 
+ +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> // We want an email address such as {firstName}.{lastName}@{EmailDomain}. +> +> Expression="C#:record:var firstName = record.FirstName.Simplify()?.ToLowerInvariant(); +> var lastName = record.LastName.Simplify()?.ToLowerInvariant(); +> if (string.IsNullOrEmpty(firstName) || string.IsNullOrEmpty(lastName)) +> { +> // Missing data +> return null; +> } +> +> var result = firstName + "." + lastName; +> +> // If the email core, i.e. {firstName}.{lastName}, is already used, then we try with {firstName}.{lastName}2, etc. +> if (iteration > 0) +> { +> result += iteration.ToString(); +> } +> +> result = result + '@' + record.Subsidiary?.EmailDomain; +> return result;" IterationsCount="10" /> +> +> ``` + +We want to include in the unicity check only the email's core `firstName.lastName` without the +`@EmailDomain` part. This is why the source expression starts like the aspect's expression but does +not add the domain part, and the target expression removes the domain part from existing values: + +``` + + + +``` + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| SourceBinding optional | **Type** Int64 **Description** Binding property (from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. 
**Note:** when not specified, the unicity check rule uses the binding from the aspect. | +| SourceExpression optional | **Type** String **Description** Binding expression (based on properties from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** when not specified, the unicity check rule uses the expression from the aspect. | +| TargetBinding optional | **Type** Int64 **Description** Binding property (from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. | +| TargetEntityType required | **Type** Int64 **Description** Identifier of the entity type for which the rule checks the property's unicity. | +| TargetExpression optional | **Type** String **Description** Binding expression (based on properties from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md new file mode 100644 index 0000000000..38dd5adc96 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md 
@@ -0,0 +1,34 @@ +# Aspects + +An aspect is a modularization of a concern that cuts across multiple work flows. Identity Manager +uses aspects to perform some specific actions at given workflow steps. + +For example, an aspect can assert a given user's input is valid. + +- [ Add Change Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md) + + Modifies a given property value. + +- [Assert Value Aspect](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md) + + Checks whether the value of a given property satisfies a given condition. + +- [ Assert Value Required Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md) + + Checks whether a given property has a non-null value. + +- [ Build Unique Value Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md) + + Computes a unique value for a given property. + +- [Invoke Script Aspect](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md) + + Executes a customized script. + +- [ Invoke Workflow Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md) + + Launches a workflow. + +- [ Notification Aspect ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md) + + Sends a notification email to one or several users. 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md new file mode 100644 index 0000000000..a0d8c6b572 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md 
@@ -0,0 +1,47 @@ +# Invoke Script Aspect + +Runs a tailored script asynchronously, independent of the workflow event, necessitating the creation +and execution of a job using an InvokeAspectsTask task. + +## Examples + +The following example executes the script `aspect.ps1` on the local agent, when creating a new user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + + + + +``` + +## Properties + +| Property | Type | Description | +| -------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | String | Unique identifier of the aspect. | +| Agent optional | String | Agent on which the script will be launched. | +| ExpressionBinding optional | String | Binding defines the variable type used in the potential expressions specified in the aspect. The difference with `Binding` defines the property involved in the aspect. **NOTE:** It is required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | String | Expression that conditions the aspect execution. See the [ C# utility functions ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for additional information. | +| Priority default value: 0 | Int32 | Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **NOTE:** The priority can be a negative value. 
| +| ScriptFile optional | String | Path of the script file to be executed by the aspect. | + +## ChildElement: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked aspect. See the +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) topic for additional information. + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Type | Description | +| ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | Int64 | Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | Enumeration | Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | PointCutMode | Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 0 - Before — The aspect will be executed on entry to the specified activity state, regardless of the transition used. 1 - After — The aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md new file mode 100644 index 0000000000..37a1cea2e8 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md 
@@ -0,0 +1,40 @@ +# Invoke Workflow Aspect + +Launches a workflow. + +## Examples + +The following example launches the workflow `Directory_User_VehicleRequest` when a vehicle is +requested for a new internal user. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Workflow required | **Type** String **Description** Identifier of the workflow to be launched. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. 
| + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md new file mode 100644 index 0000000000..baacaf4094 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md 
@@ -0,0 +1,125 @@ +# Notification Aspect + +Sends a notification email to one or several users. + +## Examples + +The following example sends a notification email based on the template +`Notification_Directory_Guest.cshtml` and the subject computed by `SubjectExpression_L1`, which both +use data from `Workflow_Directory_Guest:Directory_Guest`, and on the styles from +`Notification_Directory_Guest.css`. + +``` + + + + +``` + +The notification will be sent after the `Request` activity of the `Directory_Guest_AdvancedStart` +workflow is executed. +The notification will be sent to all email addresses defined by `Directory_Guest:Mail`. + +## Properties + +| Property | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Binding optional | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property that corresponds to identities' email addresses, when `Type` is set to `Binding`. | +| CssFile optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| RazorFile_L1 optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| SubjectExpression_L1 optional | **Type** String **Description** C# expression that defines the email's subject in language 1 (up to 16). The expression's variable type is defined in `ExpressionBinding`. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. 
| +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: Recipient + +A recipient defines one or several identities who will receive a notification from +`NotificationAspect`. + +### Examples + +The following example sends a notification email to the actors of the next step of the workflow. + +``` + + + + + +``` + +The following example sends a notification email to the performers of the `Request` activity of the +`Directory_User_StartInternal` workflow when the state is `Executed`. + +``` + + + + + +``` + +The following example sends a notification email to the email address, stored in `Mail`, of the +user(s) from `Directory_User` targeted by the workflow, so here the new user created by the +`Directory_User_StartInternal` workflow. + +``` + + + + + +``` + +The following example sends a notification email to all identities whose email addresses are defined +as `{lastName}@company.com`. + +``` + + + + + +``` + +The following example sends a notification to all identities with a profile that includes the right +permission. 
+ +``` + + + + + +Knowing that we also have: + + + + +``` + +| Property | Details | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | **Type** Int64 **Description** Identifier of the activity whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `ActivityState`. | +| ActivityState optional | **Type** Enumeration **Description** Identifier of the activity state whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `Activity`. | +| Binding optional | **Type** Int64 **Description** Binding of the property that represents the notification's recipients, when `Type` is set to `Binding`. | +| EmailAddresses optional | **Type** String **Description** Email addresses of the notification's recipients, when `Type` is set to `Hardcoded`. | +| Expression optional | **Type** String **Description** C# expression that returns the email addresses of the notification's recipients, as strings or `IEnumerable`, when `Type` is set to `Expression`. The expression's variable type is defined in `ExpressionBinding` in the associated `NotificationAspect`. 
See the [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IsCC default value: false | **Type** Boolean **Description** `true` to send the notification email to the recipient(s) as a carbon copy (CC). | +| Type required | **Type** RecipientType **Description** Type of recipients for the email notification. **Actor**: the identities with the permissions to act on the next step of the workflow specified in the pointcut. **Performer**: the actors of a past workflow step specified in `Activity` and `ActivityState`. **Binding**: the identities whose email addresses are designated by the property specified in `Binding`. **Hardcoded**: the identities whose email addresses are specified explicitly in `EmailAddresses`. **Expression**: the identities whose email addresses match the C# expression specified in `Expression`. **Profile**: the identities with the permission `/Custom/WorkflowsNotifications/{workflow_identifier}/` `{activity_identifier}/{activityTemplateState_shortIdentifier}`. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md new file mode 100644 index 0000000000..498ccbdd63 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md 
@@ -0,0 +1,45 @@ +# Forms + +Workflows use forms to collect input data through the UI. A form is a set of fields, configured with +controls. A control can define a field to fill, a fields set, call an existing form, etc. depending +on its output type. + +Here is a list of forms: + +- [Workflow Add and End Record Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md) + + Displays a form to define the end date of an existing record, and replace it with a new record + at said date, by duplicating and adjusting the old record. + +- [Workflow Add Record Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md) + + Displays a form to add a new record for an existing resource, by duplicating and adjusting an + existing record. + +- [Workflow Create Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md) + + Displays a form to create a new resource, without a record. + +- [Workflow Create Record Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md) + + Displays a form to create a new resource with a record. + +- [ Workflow Create Several Records Entity Form ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md) + + Displays a form to create a new resource with one or several records. + +- [Workflow Edit Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md) + + Displays a form to update or delete an existing resource, without a record. 
+ +- [Workflow Update Record Entities Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md) + + Displays a form to update data for several resources simultaneously. + +- [Workflow Update Record Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md) + + Displays a form to select an existing record and update it. + +- [Workflow Update Several Records Entity Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md) + + Displays a form to create, update or delete one or several records. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md new file mode 100644 index 0000000000..2f70c0d0e3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md @@ -0,0 +1,64 @@ +# Workflow Add and End Record Entity Form + +Displays a form to define the end date of an existing record, and replace it with a new record at +said date, by duplicating and adjusting the old record. + +## Examples + +The following example is a form to update a position. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource data's content and summary: +
+     +     + +And with the following form for the record data's content and summary, and for the data that groups records together: +
+     +         +         +     +     +         +         +         +         +     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Position](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Position](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md new file mode 100644 index 0000000000..97fd8e0c13 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md @@ -0,0 +1,68 @@ +# Workflow Add Record Entity Form + +Displays a form to add a new record for an existing resource, by duplicating and adjusting an +existing record. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource data's content and summary: +
+     +     + +And with the following form for the record data's content and summary: +
+     +         +         +     +     +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. 
| +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md new file mode 100644 index 0000000000..b637f134b7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md @@ -0,0 +1,67 @@ +# Workflow Create Entity Form + +Displays a form to create a new resource, without a record. + +## Examples + +The following example is a form to create a new site. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     + +With the following form for the workflow's content: +
+     +         +         +         +         +         +         +         +         +         +         +     +     +         +         +         +     + +And with the following form for the workflow's summary: +
+     +         +         +         +         +     +     +         +         +     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Site Creation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Site Creation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| ----------------------------- | -------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: SummaryControl | Set of fields to sum up the collected data after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md new file mode 100644 index 0000000000..53c1f653cc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md 
@@ -0,0 +1,64 @@ +# Workflow Create Record Entity Form + +Displays a form to create a new resource with a record. + +## Examples + +The following example is a form to create a new user from HR. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     + +With the following form for the workflow's content and summary about resource data: +
+     +         +     + +And with the following form for the workflow's content about record data: +
+     +     +     +     +     +     +     +     +     + +And with the following form for the workflow's summary on record data: +
+     +         +         +         +         +         +     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - New User from HR](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp) + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution. + +## Properties + +| Property | Description | +| ----------------------------------- | --------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..cc7ec17827 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md 
@@ -0,0 +1,77 @@ +# Workflow Create Several Records Entity Form + +Displays a form to create a new resource with one or several records. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     + +With the following form for the resource's data: +
+     +     +     +     + +And with the following form for the data shared with all records: +
+     +         +         +         +         +         +         +         +         +     + +And with the following form for the data specific to each record: +
+     +         +         +     +     +         +         +         +         +         +         +     +     +         +         +         +         +         +         +         +     + + +``` + +The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the +workflow's execution: + +![Form Example - New User from Helpdesk](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | ---------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields to collect data specific to each record. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md new file mode 100644 index 0000000000..834717fd61 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md @@ -0,0 +1,38 @@ +# Workflow Edit Entity Form + +Displays a form to update or delete an existing resource, without a record. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     + +With the following form for the workflow's content and summary: +
+     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| ----------------------------- | -------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: SummaryControl | Set of fields to sum up the collected data after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md new file mode 100644 index 0000000000..a777e991df --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md @@ -0,0 +1,63 @@ +# Workflow Update Record Entities Form + +Displays a form to update data for several resources simultaneously. + +## Examples + +The following example is a form to update users' positions in bulk. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the workflow's content and summary about resource data: +
+     + +And with the following form for the workflow's content and summary about record data: +
+         +     +         +         +         +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Mass Update](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be modified as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +## Properties + +| Property | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | 
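Review bot: In workflowupdaterecordentitiesform/index.md the sentence "The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution:" ends with a colon and is followed directly by `## Properties`, so the reader is promised a screenshot that is not there. Either add the summary image, as the add-record and update-record form pages in this patch do, or end the sentence with a period as workflowcreaterecordentityform/index.md does. The properties table on this page is also headed `Details`, while the add, create and edit form pages use `Description`; pick one header for the whole forms section.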
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md new file mode 100644 index 0000000000..2cbf4865fe --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md @@ -0,0 +1,92 @@ +# Workflow Update Record Entity Form + +Displays a form to select an existing record and update it. + +## Examples + +The following example is a form to update a user's record from helpdesk: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +   +   +   +   + +With the following form for the resource's data and summary: +
+   +   + +And with the following form for the data shared with all records and for the summary: +
+   +     +       +       +     +     +     +     +     +       +       +     +     +     +     +   +   +     +     +     +     +     +   +   +     +     +     +     +     +     +     +   + +And with the following form for the data that groups records together: +
+   + + +``` + +**NOTE:** `WorkflowUpdateRecordEntity` used in config Delete mode (`IsDelete=True`) will delete +systematically the main resource and all the associated records. + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Data](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Data](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..755c0a64bc --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md @@ -0,0 +1,89 @@ +# Workflow Update Several Records Entity Form + +Displays a form to create, update or delete one or several records. + +## Examples + +The following example is a form to create, update and/or delete one or several positions for a given +user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource's data: +
+     +     + +And with the following form for the data shared with all records: +
+     +     +     +     +     + +And with the following form for the data used to update existing records: +
+     +         +         +         +         +         +         +         +     + +And with the following form for the data used to add new records: +
+     +         +         +         +         +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and +`RecordSlaveControl` are visible during the workflow's execution: + +![Form Example - Manage a User's Positions](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_v603.webp) + +When adding a new position, we decide to make `Title` available, in addition to the fields used to +update existing records: + +![Form Example - Manage a User's Positions - New Record](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +## Properties + +| Property | Details | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data when adding new records. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: RecordSlaveUniqueItemControl | Set of fields to collect the data shared with all the resource's records, for example contract information when managing positions. | +| Child Element: RecordSlaveControl | Set of fields to collect data when updating existing records. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md new file mode 100644 index 0000000000..97b2681945 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md @@ -0,0 +1,42 @@ +# Homonym Entity Link + +This entity is used to configure the homonym workflow. + +## Examples + +``` + + + +``` + +In this example the homonym is linked to a [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) and it will be +applied for the [ Binding ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) included in the Control where the +homonym is located. Read more about how to configure +[ Workflow Homonym ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflowhomonym/index.md). + +``` + +
+ +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FormEntityType required | **Type** Int64 **Description** In a [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md), an [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) is defined and the [ Binding ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) of this Form will be loaded from this EntityType. The FormEntityType property represents this EntityType. | +| Identifier required | **Type** String **Description** Unique identifier of the HomonymEntityLink. | + +## Child Element: Filter + +Defines combination of property comparison to use to find homonyms. 
+ +### Properties + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ComparisonProperty1 optional | **Type** Int64 **Description** Defines the property used to compare with the form control `Property`. It should not be defined if it the same as the property in the attribute `Property`. Going from 1 to 5. 
| +| Expression1 optional | **Type** String **Description** Defines the C# expression to apply on the homonymy form controls. The result of the expression evaluation will be compared with the corresponding `ComparisonProperty` using the defined `Operator`. If the `ComparisonProperty` is a computed property, no need to define the expression if it is the same as the one for the computed property. It will be automatically used when finding homonyms. Going from 1 to 5. See the [ C# utility functions ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for additional information. | +| Operator1 default value: 2 | **Type** QueryComparisonOperator **Description** Defines the operator to use to compare between the `ComparisonProperty` and the `Property` or the `Expression` evaluation result. By default the `Equal` operator is used. Going from 1 to 5. All possible values: `0` - Auto: The `Operator` is calculated by the engine according to the type of element. `1` - NotEqual: finds the elements that are not equal to the desired value. `2` - Equal: finds the elements that are strictly equal to the desired value. `3` - Contain: finds the elements that contain the desired value. `4` - StartWith: finds the elements that start with the desired value. `5` - EndWith: finds the elements that end with the desired value. `6` - NotContain: finds the elements that do not contain the desired value. `7` - NotStartWith: finds the elements that do not start with the desired value. `8` - NotEndWith: finds the elements that do not end with the desired value. `9` - GreaterThan: finds the elements that are greater than the desired value. `10` - LessThan: finds the elements that are less than the desired value. `11` - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. `12` - LessThanOrEqual: finds the elements that are less than or equal to the desired value. 
`*`- Flexible: The `Flexible` operators transform the desired value according to the `FlexibleComparisonExpression` defined in the `EntityProperty` then search. The flexible operators are: `13` - FlexibleEqual `14` - FlexibleContain `15` - FlexibleStartWith `16` - FlexibleEndWith | +| Property1 optional | **Type** Int64 **Description** Defines the form control property to use to compare with `ComparisonOperator` using the defined `Operator`. Going from 1 to 5. | diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md new file mode 100644 index 0000000000..b733a61829 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md @@ -0,0 +1,6 @@ +# Workflows + +- [Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +- [Forms](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md) +- [ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +- [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) diff --git a/docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md new file mode 100644 index 0000000000..75ee5b52b6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md @@ -0,0 +1,44 @@ +# Create Menu Items + +After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the +Navigation to this Workflow. + +### Create menu items for a workflow in a resource entity list + +To add a link to an entity's workflow displayed under the search bar on the visualization page of +the entity's resource list you need to create a menu containing the different workflows and put a +link to the entity's searchBar as below. + +[See available icons](https://uifabricicons.azurewebsites.net/). + +The first MenuItem is the main action displayed on the right. + +The other MenuItems are displayed from left to right. + +``` + + + +``` + +This XML element gives the following result: + +![Add workflow link in resource list entity](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) + +### Create menu items for a workflow in a resource view + +In the resource view it is also possible to create links to different workflows. + +These workflows will manipulate the selected resource in the view. + +``` + + + +``` + +This XML element gives the following result: + +![Workflow in resource view](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) + +![All workflow in resource view*](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) 
diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md new file mode 100644 index 0000000000..bd4df187f5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md 
@@ -0,0 +1,68 @@ +# Customize Display Tables + +This part shows how to define a custom way to display entity types' data. + +## Table + +This display table with DisplayTableDesignElement set to table will display the list of resources as +a simple table filled with several columns. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                     +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable(Table)](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a search bar. This avoids +filter duplication. Thus, the `CanBeFiltered` property can be deleted in the `Column` argument. + +## Resource Table + +The property DisplayTableDesignElement set to resourcetable allows you to create a table similar to +the display table with DisplayTableDesignElement set to table but adds a column containing the owner +of the resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                           +``` + +Here is the visualization of this resource table on the interface: + +![ResourceTable](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) + +## Display Table with Tiles + +. + +Instead of creating a table, it is possible to create tiles to give another rendering of the user +interface. It is therefore necessary to create the different tiles first. After creating the tiles, +they must be imported into the display table with `DisplayTableDesignElement` set to `list`. 
Display +tables with other values of `DisplayTableDesignElement` cannot display tiles. + +See the[ Tile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) topic for +additional information. + +_Remember,_ if the display table uses tiles, then you can't use bindings. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                                               +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable with Tiles](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) + +See the [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md new file mode 100644 index 0000000000..ce2c11944b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md 
@@ -0,0 +1,80 @@ +# Customize Forms + +This guide shows how to define a custom way to display the input fields to be filled in a given +workflow. + +See the [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional +information. + +## Create a View Template for Entities Using Scaffoldings + +Two scaffoldings generate the view, the display table and the rights to access the entity's +resources. + +- [ View Template ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md): + Creates the display table, the default view and access rights to the entity. +- [ View Template Adaptable ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md): + Creates the entity view (designElement = ResourceTable), the report and the rights for a given + profile. + +These scaffoldings are not enough to access resources. You must add a menu item to define the +navigation in the view in the user interface. + +## Create an Entity View + +To create the entity view, you must manipulate a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +The view form doesn't give access to the view in the interface or the rights to access the +interface. + +The following elements must be in place: + +- [ Create Menu Items ](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +To create the view, you can manipulate one or more forms. The example below shows how to create a +view from several different forms. 
This will allow you to reuse some forms in workflows. + +``` + +
+ +``` + +It is also possible to create only one form that contains all the information: + +``` + +
+ +``` + +### Create an Entity View Using Records + +Some entities may have entity records. To view the entity in question with all the records attached +to it, it is necessary to fill in forms that will load the record data as well as forms for the +parent entity. + +The view form doesn't give access to the view in the interface or the rights to access it. + +The following elements must be in place: + +- [ Create Menu Items ](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [ View Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +In the example below, the view form will display all records. To change the filter on the record +display, you must change the +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +``` + +
+ +``` + +The record filter not only changes the display options of the record, but also changes the display +of the rights associated with this record. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md new file mode 100644 index 0000000000..5f0a4fd758 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md 
@@ -0,0 +1,51 @@ +# Customize Search Bars + +This guide shows how to define a custom way to search from a list of a given entity type's +properties. + +See the [Search Bar](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md) topic for +additional information. + +## Default Search Bar + +To search on a resource list for an entity, you must enter a SearchBar tag for the given entity. + +``` + + + +``` + +Here is the visualization of this searchbar on the interface: + +![SearchBarWithoutFilters](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids +filter duplication. Thus, the `` property can be deleted in the `` argument +in the display table. + +## Create Default Filters + +To add a default filter, you must add both of the following properties to a +[Search Bar](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md): + +- DefaultValue +- Operator + +``` + + + +``` + +Here is the visualization of this criterion on the interface: + +![SearchBarFilter](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) + +## Search Bar Menu + +Each menu item is a link to an entity's workflow displayed under the search bar on the visualization +page of the entity's resource list. + +See the [ Create Menu Items ](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md)topic for additional information 
diff --git a/docs/usercube/6.2/usercube/integration-guide/ui/how-tos/producttranslations/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/ui/how-tos/producttranslations/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md diff --git a/docs/usercube/6.2/usercube/integration-guide/ui/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/ui/index.md similarity index 100% rename from docs/usercube/6.2/usercube/integration-guide/ui/index.md rename to docs/identitymanager/6.2/identitymanager/integration-guide/ui/index.md diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md new file mode 100644 index 0000000000..090d45a61a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md 
@@ -0,0 +1,136 @@ +# Activity Templates + +This section describes the activities that constitute and model a +[ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md). Each activity is assigned +a template, made of states and transitions. + +## Overview + +Going through an activity means going through states and transitions. + +![Activity Template - Example](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp) + +By default, Identity Manager's workflow engine implements the following activity templates: + +- `Action` +- `Action With Refine` +- `Review` +- `Review With Feedback` +- `Continue With` +- `Persist` +- `Persist OnlyResources` + +## Activity Templates + +### Action + +Awaits user modifications without another user's intervention. + +![Activity Template - Action](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp) + +### ActionWithRefine + +Awaits user modifications with the possibility to delegate the action to another user. + +![Activity Template - ActionWithRefine](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp) + +The `ActionWithRefine` activity can be translated into the following form: + +![ActionWithRefine in the UI](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp) + +### Review + +Awaits user approval without another user's intervention. + +![Activity Template - Review](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp) + +### ReviewWithFeedback + +Awaits user approval with the possiblity of getting feedback from another user before taking the +action. 
+ +![Activity Template - ReviewWithFeedback](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp) + +The `ReviewWithFeedback` activity can be translated into the following form: + +![ReviewWithFeedback in the UI](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp) + +### Persist + +Saves the workflow's collected data to the repository and triggers dependent processes (i.e. +computation of the role model and provisioning). This activity has only the transition +`Persist-Invoked-Invoke` and the state `Persist-Invoked`. It has no user interaction, and hence no +need for permissions. + +### PersistOnlyResources + +Saves the workflow's collected data to the repository without triggering the dependent processes +(i.e. computation of the role model and provisioning). This activity has only the transition +`PersistOnlyResources-Invoked-Invoke` and the state `PersistOnlyResources-Invoked`. It has no user +interaction, and hence no need for permissions. + +> For example, `PersistOnlyResources` can be used in a workflow to add a new user, as we first +> create a user sheet but without any account, etc. 
+ +## States + +By default, Identity Manager's workflow engine implements the following state templates: + +- `Action-ActionPending` +- `Action-Executed` +- `Action-Aborted` +- `Action-Purged` +- `ActionWithRefine-ActionPending` +- `ActionWithRefine-Executed` +- `ActionWithRefine-RefinePending` +- `ActionWithRefine-Aborted` +- `ActionWithRefine-Purged` +- `Review-ReviewPending` +- `Review-Declined` +- `Review-Approved` +- `Review-Aborted` +- `Review-Purged` +- `ReviewWithFeedback-ReviewPending` +- `ReviewWithFeedback-Approved` +- `ReviewWithFeedback-Declined` +- `ReviewWithFeedback-RefinePending` +- `ReviewWithFeedback-Aborted` +- `ReviewWithFeedback-Purged` +- `ContinueWith-Invoked` +- `Persist-Invoked` +- `PersistOnlyResources-Invoked` + +## Transitions + +By default, Identity Manager's workflow engine implements the following transition templates: + +- `Action-ActionPending-Save` +- `Action-ActionPending-Execute` +- `Action-ActionPending-Abort` +- `Action-Aborted-Purge` +- `ActionWithRefine-ActionPending-Save` +- `ActionWithRefine-ActionPending-Execute` +- `ActionWithRefine-ActionPending-Delegate` +- `ActionWithRefine-ActionPending-Abort` +- `ActionWithRefine-RefinePending-Save` +- `ActionWithRefine-RefinePending-Delegate` +- `ActionWithRefine-RefinePending-Execute` +- `ActionWithRefine-RefinePending-Abort` +- `ActionWithRefine-Aborted-Purge` +- `Review-ReviewPending-Save` +- `Review-ReviewPending-Approve` +- `Review-ReviewPending-Decline` +- `Review-ReviewPending-Abort` +- `Review-Aborted-Purge` +- `ReviewWithFeedback-ReviewPending-Save` +- `ReviewWithFeedback-ReviewPending-Approve` +- `ReviewWithFeedback-ReviewPending-Decline` +- `ReviewWithFeedback-ReviewPending-Refine` +- `ReviewWithFeedback-ReviewPending-Abort` +- `ReviewWithFeedback-Aborted-Purge` +- `ReviewWithFeedback-RefinePending-Save` +- `ReviewWithFeedback-RefinePending-Delegate` +- `ReviewWithFeedback-RefinePending-Execute` +- `ContinueWith-Invoked-Invoke` +- `Persist-Invoked-Invoke` +- 
`PersistOnlyResources-Invoked-Invoke` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md new file mode 100644 index 0000000000..51c47026ec --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md 
@@ -0,0 +1,147 @@ +# Configure a Homonym Detection + +In this section we configure the homonym search that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym search to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the search for homonyms is performed +according to the homonym control form. See the Configure a Homonym Detection topic for additional +information. + +### With customized filters + +[ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md)filters +allow to define customized filters for a homonym search. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the search for homonyms is performed by comparing the +values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. 
When the input search value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the search for homonyms is performed by comparing the `LastName` value, +entered by the user in the workflow form, with the phonetic value of existing resources stored as +the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input search value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the search value is computed by + applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the search value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). + +The search for homonyms is performed by comparing the search values computed based on each filter +with the values stored in the database and retrieves all resources that match any of the filters. + +#### Filter on a language property + +If a filter is set on a language property, the search for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the search for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) is used +to define how a list of the same entity type should be displayed. 
+ +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +See the [Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) for additional +information. + +## Define the Homonym Control in the Workflow Form + +The [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) where the homonyms are +to be checked must contain a layout fieldset control where: + +- the properties to check are represented; +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. +Indeed, a filter can only be defined on up to 5 properties. + +``` +
+ + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/index.md new file mode 100644 index 0000000000..467fdc17d7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/index.md 
@@ -0,0 +1,52 @@ +# How To Create a Workflow + +This guide shows how to create a +[ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) through the XML +configuration. + +## Process + +1. Declare a new [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) with + given activities following Identity Manager's activity templates. +2. Configure the input [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) with the + right output type according to the purpose of the workflow. +3. Assign the adequate permissions via an + [Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). +4. Add [ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). +5. Add [Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md), according to the + purpose of the workflow. +6. Add optional elements if needed: [Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md); a + [ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md); a + [Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md)different from Identity + Manager's default one. + +## Examples + +You can also find configuration examples for several types of workflow: + +- [ For Resource Creation (Mono Record) ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md) + + How to create a workflow to create a new resource with a unique record. 
+ +- [ For Resource Creation (Multi Records) ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md) + + How to create a workflow to create a new resource with several records. + +- [ For Resource Update (No Record) ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md) + + How to create a workflow to update an existing simple resource, i.e. to update, within a given + existing resource, properties that do not involve records. + +- [ For Resource Update (Mono Record) ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md) + + How to create a workflow to schedule the replacement of the unique record of an existing + resource with a new one. + +- [ For Resource Update (Multi Records) ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md) + + Create a workflow to update an existing resource through its several records. + +- [ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) + + How to configure the homonym search that checks if a resource already exists in the system, + preventing duplicates. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md new file mode 100644 index 0000000000..eb29849533 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md 
@@ -0,0 +1,204 @@ +# For Resource Creation (Mono Record) + +This section guides you through the procedure for the creation of a +[ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) to create a new +resource with a unique record. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of four +activities: + +1. `Action With Refine`: sends the creation request with a possibility of delegation. +2. `Persist Only Resources`: saves the collected data to the repository without triggering + provisioning. +3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback + from another user. +4. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to create a new worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create two structured forms: the preliminary one is called inside the main one, and the main +one is to be called in our final workflow form. + +``` + +Preliminary form for user data: +
+ +Preliminary form for user's contract data: + + +Preliminary form for user's position data: +
+ +Main form for all data: +
+ Section calling the preliminary form for user data: + + Section calling the preliminary form for contract data: + + Section calling the preliminary form for position data: + + +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with one record, +i.e. `WorkflowCreateRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowCreateRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container because we configure all personal data, +contracts and positions as records to be able to anticipate changes for example. The line with the +empty `MainControl` is not mandatory. See the +[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md)topic +for additional information. + +- `RecordControl` that defines record data, and calls the form created previously. See the For + Resource Creation (Mono Record) topic for additional information. + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp) + +### Add a summary (Optional) + +Another child element `RecordSummaryControl` can be added to insert a summary part, i.e. the form +used after the workflow execution to show some values, most of the time those affected by the +workflow, typically the properties editable in the workflow or generated properties. 
So in our +situation, it displays the `EmployeeId` and `Mail` attributes that the workflow just computed: + +``` + +Summary form: +
+ + + +``` + +![UI Summary](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. See the [Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md) topic for additional information. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md)must be defined to +make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates see the +[ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md)topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md new file mode 100644 index 0000000000..35c2b18b78 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md 
@@ -0,0 +1,217 @@ +# For Resource Creation (Multi Records) + +This section guides you through the procedure for the creation of a workflow to create a new +resource with several records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of four +activities: + +1. `Action With Refine`: sends the creation request with a possibility of delegation. +2. `Persist Only Resources`: saves the collected data to the repository without triggering + provisioning. +3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback + from another user. +4. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to create a new helpdesk worker, with the possibility to create +several records at once for said worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form. + +``` + +First form for the user's identification data: +
+ +Second form for the user's data shared with all records: +
+ + Section for user's personal data, here their name and phone numbers: + + + Section for user's contract data, here their contract's type, start and end dates: + + +Third form for the user's data specific to each record individually, so here position information: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with several +records, i.e. `WorkflowCreateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc): + +``` + + + +``` + +A `WorkflowCreateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines the user's data that never changes so identification data, and calls + the firstform created previously; + +``` + + + + + +``` + +- `RecordControl` that defines the record data shared with all records, and calls the secondform + created previously; + +``` + + + + + +``` + +In a situation where users can have several positions but also several contracts, then contract data +would be part of the form called by `RecordUniqueItemControl` instead of `RecordControl`. + +In a situation where positions, contracts and personal data are all configured as records because we +want to be able to anticipate changes for example, then there would not be any data shared by all +records. Then `RecordControl` would be empty. See the +[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) +topic for additional information. + +> ``` +> +> ... +> +> ... +> +> +> ``` + +- `RecordUniqueItemControl` (optional but recommended) that defines the record data specific to each + record individually, and calls the thirdform created previously. 
+ +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates see the +[ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. + +Below is an example of a display table for our situation: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md new file mode 100644 index 0000000000..e75454ad7e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md 
@@ -0,0 +1,136 @@ +# For Resource Update (Mono Record) + +This section guides you through the procedure for the creation of a workflow to schedule the +replacement of the unique record of an existing resource with a new one. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of two +activities: + +1. `Action With Refine`: sends the resource's record update request with a possibility of + delegation. +2. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update only the user's name. + +``` + + + +``` + +For now, our workflow works with an immediate validation and an immediate effect. + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we just have the full name field to update the corresponding attributes for a given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a (unique) record's replacement, i.e. +`WorkflowAddAndEndRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowAddAndEndRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines record data, and call the form created previously. + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp) + +`End of transition` sets the date for the change of records scheduled by this form. + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. 
Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, see the +[ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md new file mode 100644 index 0000000000..a694c04d8f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md 
@@ -0,0 +1,181 @@ +# For Resource Update (Multi Records) + +This section guides you through the procedure for the creation of a workflow to update an existing +resource through its several records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of three +activities: + +1. `Action With Refine`: sends the resource's records update request with a possibility of + delegation. +2. `Review With Feedback`: reviews the update request with the possibility of getting feedback from + another user. +3. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update the records of an existing user: + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form: + +``` + +First form for the user's record data, shared with all records: +
+ +Second form for the user's record data, specific to each record individually: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update with several +records, i.e. `WorkflowUpdateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc): + +``` + + + +``` + +`WorkflowUpdateSeveralRecordEntityForm` displays a date picker for the end of transition, to +schedule the record replacement. + +A `WorkflowUpdateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines the record data shared with all records and calls the firstform + created previously; + +``` + + + + + +``` + +- `RecordUniqueItemControl` that defines the record data specific to each record individually, and + calls the secondform created previously; + +``` + + + + + +``` + +- `RecordSlaveControl` that copies an existing record to be the base, i.e. pre-fill the fields, for + the update of record data specific to each record individually. Thus it calls the same form as + `RecordUniqueItemControl`. + +``` + + + + + +``` + +- `RecordSlaveUniqueItemControl` that copies an existing record to be the base, i.e. pre-fill the + fields, for the update of record data shared with all records. Thus it calls the same form as + `RecordControl`. + +``` + + + + + +``` + +The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it +copies part of the main record to pre-fill the fields of `RecordUniqueControl`. 
+ +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates,see the +[ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md new file mode 100644 index 0000000000..2d4aa6e1d8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md @@ -0,0 +1,126 @@ +# For Resource Update (No Record) + +This section guides you through the procedure for the creation of a workflow to update a simple +resource, i.e. to update, within a given resource, properties that do not involve records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of two +activities: + +1. `Action With Refine`: sends the resource's update request with a possibility of delegation. +2. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update only the user's `IsDraft` attribute. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we just have one field called `IsDraft` to update the corresponding boolean attribute for a +given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update, i.e. +`WorkflowEditEntityForm` and it must specify the workflow's context (the entity type of the involved +resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowEditEntityForm` requires one child element `MainControl` that defines the actual content +of the workflow's form and calls the form created previously: + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp) + +### Add a summary (Optional) + +Another child element `SummaryControl` can be added to insert a summary part, i.e. the form used +after the workflow execution to show some values, most of the time those affected by the workflow, +typically the properties editable in the workflow or generated properties. So in our situation, it +displays the `IsDraft` attribute that the user just changed: + +``` + + + + + +``` + +![UI Summary](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. 
+ +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md new file mode 100644 index 0000000000..4dd5cc6161 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md 
@@ -0,0 +1,184 @@ +# Workflows + +In software business, a [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is a +series of specific actions taken by specific people to accomplish specific tasks. For Identity +Manager, workflows are models of business workflows, processes or procedures. + +## Overview + +Workflows model business processes and update data within Identity Manager, they handle managed +systems only indirectly through Identity Manager. They are engaged in order to complete a task, +assigning rights for instance. It is a way of getting work done, a series of steps that are required +to be completed sequentially. Most of the time, Identity Manager's workflows are made for: + +1. manual entitlement requests = request / send notification(s) / approve / assign entitlement. +2. addition/update/deletion of resources (used in practice for identities) = create / give basic + entitlements / review / apply changes. + +Workflows are very configurable objects with many available options. However, the most efficient way +to use workflows in IGA is to keep them simple. Identity Manager's demo workflows constitute +effective examples. + +A workflow is made of several elements: + +- a series of activities that constitutes the workflow; +- a form that collects input data; +- permissions required to realize the workflow's activities; +- menu items that make the workflow and its activities accessible; +- aspects that allow specific actions to be performed; +- a summary (optional) of the workflow's results; +- a homonym detection (optional) that prevents duplicates in resources; +- a display table (optional) that replaces Identity Manager's default table displaying the data of + the created/modified resource. 
+ +### Technical principles + +- A workflow is linked to + one[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and concerns only + resources from said entity type. For example, a workflow can be linked to `Directory_User` or + `Directory_Department` according to the workflow's purpose, but not both together. +- The aim of a workflow is to get input data (either a form or just an approval) from users involved + in the workflow, then build a change set, and finally apply said change set to the relevant + resource. +- Starting a workflow means starting its first activity. + +## Activities + +A workflow is made of successive activities, each of which is assigned an +[ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md)that defines how transitions occur from a +workflow step to another. + +Activities never run in parallel in a workflow. Each activity can start once the previous one +reached its final state. + +## Forms + +Workflows use [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) to collect input +data through the UI. + +A form is a set of fields, configured with controls. A control can define a field to fill, a fields +set, call an existing form, etc. depending on its output type. To be displayed in the UI, and +potentially filled by a given user with the appropriate data, a form must have a type. + +Forms without a type can be created in order to be called in other forms with a type. It can be +useful to structure your forms, and to avoid rewriting a part of form that is needed in most forms +for example. + +### Form types + +Identity Manager provides a few form types. Each form type implies the necessity of specific +controls as child elements with specific purposes. 
+ +The following table presents the required child controls required for each form type applicable to a +workflow's input form: + +- **M** for `MainControl`(required) groups resource data apart from record data; +- **Su** for `SummaryControl`(optional when no/mono record) sums up resource data, mostly computed + properties, after the workflow's execution; +- **R** for `RecordControl`(required when handling records) groups the record data shared with all + records; +- **RUI** for `RecordUniqueItemControl`(recommended when handling records) groups the record data + specific to each record individually; +- **RSUI** for `RecordSlaveUniqueItemControl`(optional when updating multi records) appoints an + existing record to be the base of the fields' pre-filling, before the update of the record data + shared with all records; +- **RS** for `RecordSlaveControl`(recommended when updating multi records) appoints an existing + record to be the base of the fields' pre-filling, before the update of the record data specific to + each record individually; +- **RSu** for `RecordSummaryControl`(optional when handling mono record) sums up record data, mostly + computed properties, after the workflow's execution. + +| Form Type | M | Su | R | RUI | RSUI | RS | RSu | +| ------------------------------------------ | ---- | ---- | ---- | ----- | ----- | ---- | ---- | +| Workflow**Create**Entity Form | Req. | Opt. | | | | | | +| Workflow**Edit**Entity Form | Req. | Opt. | | | | | | +| Workflow**UpdateRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddAndEndRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**CreateRecord**Entity Form | Req. | Opt. | Req. | | | | Opt. | +| Workflow**CreateSeveralRecord**Entity Form | Req. | | Req. | Reco. | | | | +| Workflow**UpdateSeveralRecord**Entity Form | Req. | | Req. | Reco. | Reco. | Opt. 
| | +| Workflow**UpdateRecord**Entities Form | Req. | Opt. | Req. | Reco. | | | Opt. | + +## Permissions + +For each workflow, some permissions must be assigned to specific +[ Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) so that said profiles are +entitled to realize the workflow's actions. + +While assigning the specific permissions of a workflow, it is necessary to assign the involved +profiles a few essential rights via the +[ Workflow Access Control Rules ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) +scaffolding. + +A workflow needs a permission for each of all its activity states involving user interaction. This +means that, for example, the activities following the templates `Persist` and +`Persist Only Resources` do not require any permission. This also means that, in the example of the +`Action` template, a workflow would need permissions for the states `ActionPending`, `Aborted` and +`Purged` (because deletion requires an authorization), but not for the state `Executed` that does +not involve user interaction or special authorization. See the +[ Activity Templates ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +All these permissions can be shared and distributed among several profiles, according to the purpose +of the workflow. + +Identity Manager's permissions are assigned through +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and +follow the naming rule: +`/Custom/workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`. 
+ +> For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request/ActionPending"` +> gives the right to act from the state `ActionPending` (so save, execute, etc.), inside a +> previously created activity `Request`, inside the workflow `Directory_User_StartInternal`. + +A permission specifying the activity without the activity state gives the permissions for all +activity states in this activity. + +For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request"` +**Caution**: this way of writing permissions is unsafe in case of a modification in the activity. So +use it only for a "super admin" kind of profile if you are certain you want to give all rights. + +## Menu Items + +[ Menu Item ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) make workflows +accessible from the UI. + +Identity Manager's UI is configured so that workflows are accesible from: + +- the list of users accessible from the **Directory** section on the home page; + ![Workflow Menu Items - Users List](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) +- the view page of a given user. In this case, the workflows manipulate the selected user. + ![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +## Aspects + +An [Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) definition allows an action to +be performed at a specific point in a workflow. 
Identity Manager provides a few +[Aspects](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) templates that give the +opportunity to delegate administration, to notify people of a request's progress and to compute +special values like unique logins or email addresses. + +## Summaries (Optional) + +A summary can be displayed at the end of a workflow to sum up the collected information. The +displayed data is configured through the `SummaryControl` or `RecordSummaryControl` introduced +previously. A summary is particularly useful for workflows that compute properties like the +`EmployeeId` or the email address. Thus calculated fields can be displayed after the workflow's +execution. + +## Homonym Detections (Optional) + +A homonym search checks if a resource already exists in the system before creating/modifying it, +preventing duplicates. It is configured through a +[ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +See the [ Configure a Homonym Detection ](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md)topic for +additional information. + +## Display Tables (Optional) + +Identity Manager provides a default display table to show the created/modified resource's data, but +you can configure your own. + +See the [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) topic for +additional informatrion. diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflow-uses/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflow-uses/index.md new file mode 100644 index 0000000000..8dd354811b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflow-uses/index.md 
@@ -0,0 +1,65 @@ +# Workflow Uses + +An Identity Manager [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is the +sequence of processes that a company has established to manage identities across the organization. +Workflows makes an approval business process more efficient by managing and tracking all of the +human tasks involved with the process and by providing a record of the process after it is +completed. + +The identity management [ Workflow ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +can be broken into four key areas: + +## 1. Onboarding + +The initial creation of the user. This can occur manually within the identity management system or +it could be triggered from an HR system. Here is the xml configuration to create the user onboarding +Workflow in Identity Manager : + +``` + + + +``` + +The _"User_Onboarding"_ Workflow is composed of the following activities: + +- _"Request"_ to initialize the creation of an user in Identity Manager. +- _"PersistDraft"_ to save a preliminary version of the user object. +- _"Review"_ to validate or not the requested item. +- _"Persist"_ to take into account the requested item. + +## 2. User Modifications + +After the initial setup of access, there are ongoing changes. Those changes can center in on a +user's rights. These rights may need to be expanded or contracted. The user's information may need +to be modified. Here is an example to create the user change name Workflow in Identity Manager : + +``` + + + +``` + +## 3. IT Resource Modifications + +The other area of on-going changes is the addition and removal of various IT resources. These +resources can include devices, applications, and networks. Here is the xml configuration to create +the resource modifications Workflow in Identity Manager : + +``` + + + +``` + +## 4. 
Offboarding + +The end of the identity lifecycle is the offboarding of a user. Credentials are terminated and the +user's account access is terminated everywhere. Here is the xml configuration to create the user +offboarding Workflow in Identity Manager: + +``` + + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflowhomonym/index.md b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflowhomonym/index.md new file mode 100644 index 0000000000..b68d4bc860 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/workflowhomonym/index.md 
@@ -0,0 +1,183 @@ +# Workflow Homonym + +In this section we configure the homonym detection that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym detection to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the detection for homonyms is performed +according to the homonym control form. See section below. + +### With customized filters + +[ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md)filters +allow to define customized filters for a homonym detection. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the detection for homonyms is performed by comparing +the values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Filters on several entities + +A homonym entity link can contain filters on the properties from several distinct entity types. 
+ +> The following example searches for homonyms among usual workers (from `Directory_UserRecord`) but +> also the guests (from `Directory_Guest`): +> +> ``` +> +> Property1="LastName" +> Property2="FirstName" +> /> +> Property1="LastName" ComparisonProperty1="Directory_Guest:LastName" +> Property2="FirstName" ComparisonProperty2="Directory_Guest:FirstName" +> /> +> +> +> ``` + +In this case, a display table is required for the additional entity. + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. When the input detection value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the detection for homonyms is performed by comparing the `LastName` +value, entered by the user in the workflow form, with the phonetic value of existing resources +stored as the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input detection value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the detection value is computed + by applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the detection value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). 
+ +The detection for homonyms is performed by comparing the detection values computed based on each +filter with the values stored in the database and retrieves all resources that match any of the +filters. + +#### Filter on a language property + +If a filter is set on a language property, the detection for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the detection for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) is used to +define how a list of the same entity type should be displayed. + +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +## Define the Homonym Control in the Workflow Form + +The [Form](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) where the homonyms are to +be checked must contain a layout fieldset control where: + +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. +- the properties to check (defined in the homonym filters) are represented in the control bindings. +- the bindings are all represented in the homonym filters. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. 
+Indeed, a filter can only be defined on up to 5 properties, see filter definition in +[ Homonym Entity Link ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +``` +
+ + +``` + +If a filter is declared with a `ComparisonProperty` attribute (and so without a `Property`), then +the properties used in the `Expression` (whether defined in the filter or elsewhere in the +configuration) to compute the `ComparisonProperty` must also be represented in the control bindings. + +In the example below, the properties used in the `Expression1` attribute that must be represented in +the control bindings are `LastName` and `FirstName`. + +``` + + +``` diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md new file mode 100644 index 0000000000..1358f3fbb7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md 
@@ -0,0 +1,41 @@ +# Architecture + +Identity Manager is built to work via a specific architecture made of a server, an agent and a +database. + +## Server, Agent and Database + +Identity Manager works via: + +- a server which operates computation, stores all applicative data in the database, and serves a web + User Interface; +- at least one agent which operates data flows to/from the managed systems. + + The managed systems' credentials are used only by the agent and are never disclosed to the + server. + +The agent can call the server, but the server cannot call the agent. The data flows' initiatives are +always from the agent. + +## Installation Types + +Identity Manager can be installed: + +- SaaS so that the server dwells in the cloud and is provided as a service; + + ![Architecture: SaaS](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +- on-premises so that the server is installed on an isolated network within the company. + + ![Architecture: On-Premises](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +## Next Steps + +Let's learn about Identity Manager [Configuration](/docs/identitymanager/6.2/identitymanager/introduction-guide/configuration/index.md). + +## Learn More + +Learn more on Identity Manager's Architecture. + +See the [Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md) topic for +additional information. diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/configuration/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/configuration/index.md new file mode 100644 index 0000000000..e9ab133c96 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/configuration/index.md 
@@ -0,0 +1,57 @@ +# Configuration + +There are several options for configuring Identity Manager. + +## Application Configuration + +### User Interface + +Netwrix Identity Manager (formerly Usercube) strongly recommends that Identity Manager be +configured, as much as possible, via the UI. + +### XML files + +For advanced users, if the UI is not enough, Identity Manager can also be configured via XML files. +These XML files should be placed in a `Conf` folder directly inside the working directory. + +### Database + +Identity Manager's application configuration, whether it is made from the UI or the XML files, is +stored in a database which should never be modified manually. + +## Network Configuration + +Identity Manager's server and agent(s) are configured via JSON files, mainly `appsettings.json` and +`appsettings.agent.json`. + +## Next Steps + +This is the end of the introduction guide, so you should now be able to dive into: + +- The [User Guide](/docs/identitymanager/6.2/identitymanager/user-guide/index.md) to configure Identity Manager from scratch via the UI, + following the step-by-step procedures; +- The [Integration Guide](/docs/identitymanager/6.2/identitymanager/integration-guide/index.md) to complete Identity Manager's + configuration in XML according to your needs; +- The [Installation Guide](/docs/identitymanager/6.2/identitymanager/installation-guide/index.md) to install Identity Manager in a + production environment. + +## Learn More + +Learn more on how to +[ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md). + +See the [User Guide](/docs/identitymanager/6.2/identitymanager/user-guide/index.md) topic to learn how to configure Identity Manager +from scratch via the UI. + +See how to +[ Export the Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) +to XML files. 
+ +See how to +[ Identity Manager Deploy the Configuration ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md). + +Learn more about the +[ XML Configuration Schema ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/index.md). + +Learn more about the +[Network Configuration](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md new file mode 100644 index 0000000000..3810e01f97 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md @@ -0,0 +1,25 @@ +# Introduction Guide + +This guide is designed to give a complete overview of Identity Manager's principles, main objectives +and capabilities. + +Netwrix Identity Manager (formerly Usercube) strongly recommends starting here to fully benefit from +the [Integration Guide](/docs/identitymanager/6.2/identitymanager/integration-guide/index.md)'s or the +[User Guide](/docs/identitymanager/6.2/identitymanager/user-guide/index.md)'s contents. + +## Target Audience + +This guide is meant to be read by: + +- integrators who configure Identity Manager to match their projects' needs; +- IGA project managers who want to get a better understanding of Identity Manager. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and overview (IGA) is required to +understand this guide. + +## First Steps + +Let's dive in with an [IGA and Netwrix Identity Manager](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/index.md) of IGA and Identity +Manager. 
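Review bot: In the Permissions section of the workflow page whose hunk ends just before workflow-uses/index.md, the naming rule is given as `/Custom/workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}` with a lowercase `workflows`, but both examples use `/Custom/Workflows/...`; make the rule and the examples agree. The caution under the activity-level example (`Permission="/Custom/Workflows/Directory_User_StartInternal/Request"`) says only that it is "unsafe in case of a modification in the activity". Since the sentence before it states that such a permission covers all activity states, spell out the consequence the reader should weigh, and put a blank line between the example and **Caution** so they do not render as one paragraph. In the child-control list, `RecordSlaveUniqueItemControl` is marked optional and `RecordSlaveControl` recommended, while the Workflow**UpdateSeveralRecord**Entity Form row of the table shows RSUI as Reco. and RS as Opt. The two descriptions also look swapped relative to `RecordControl` (shared data) and `RecordUniqueItemControl` (per-record data); please check which is right. Wording: "the required child controls required", "accesible", "informatrion".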
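Review bot: Each of the four fenced blocks in workflow-uses/index.md contains only blank lines, although every one is introduced with "Here is the xml configuration to create ..." or "Here is an example to create ...". Restore the XML or remove the lead-ins, because the activity list for "User_Onboarding" (Request, PersistDraft, Review, Persist) currently has no configuration to refer to. Wording in the same hunk: "Workflows makes", "an user", "center in on", and the space before the colon in "Identity Manager :".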
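Review bot: The fenced examples in workflowhomonym/index.md have lost their XML: most blocks hold only blank lines, and the quoted "Filters on several entities" block keeps attribute lines such as `Property1="LastName" ComparisonProperty1="Directory_Guest:LastName"` followed by `/>` with no element name. The prose depends on them ("Here, `Property1` is set", "In the first filter, `Property1` and `Expression1` are not set"), so restore the snippets before merging. Also in this hunk: `.Appproximate()` in the sample expression has a tripled p, which looks like a typo to check against the real method name; "deducted" should be "deduced"; "eg." should be "e.g."; and the link label runs straight into the next word in "[ Homonym Entity Link ](...)filters".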
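Review bot: In the Learn More list of configuration/index.md, the label "[ Identity Manager Deploy the Configuration ]" has the product name inserted into it, so "See how to Identity Manager Deploy the Configuration" no longer parses; it should read like its neighbour "See how to [ Export the Configuration ]". Several link labels in this hunk are also padded with spaces inside the brackets. "Netwrix Identity Manager (formerly Usercube) strongly recommends that Identity Manager be configured ..." makes the product the one giving the advice; presumably the vendor is meant, so name it as the subject.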
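Review bot: The First Steps sentence in introduction-guide/index.md reads "Let's dive in with an [IGA and Netwrix Identity Manager] of IGA and Identity Manager", so the noun the link label used to supply is gone, and Prior Knowledge has "Identity and Access Management (IAM) and overview (IGA)", where "overview" stands where the expansion of IGA should be. Both look like link-label or search-and-replace damage; fix the label and spell out IGA. The possessives attached to links ("[Integration Guide]'s or the [User Guide]'s contents") would read better as "the contents of the ...".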
diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md new file mode 100644 index 0000000000..20a4f2fd70 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md 
@@ -0,0 +1,189 @@ +# Entitlement Management + +Managing identities' entitlements requires managing entitlements and assigning them to identities. +This page is about the role model. + +## Role Model Overview + +A managed system's entitlements can have many forms. They authorize identities to access certain +data on a given system, or a physical location. + +> For example, entitlements in the Active Directory are usually group memberships. For example, to +> have administrator rights in the Iris application, a user must be part of the members of the group +> `SG_APP_IT/Development/Iris/Administrator`. + +Identity Manager is designed to help establish an exhaustive and reliable catalog of the +entitlements available in the managed systems, and assign the right entitlements to the right users. + +![Role Catalog and Users](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp) + +Thus, the role model contains: + +- the entitlements, as roles, for all managed systems; +- the rules that trigger the assignment of entitlements to identities, and more broadly manage the + systems' resources. Some of them act as link between Identity Manager's roles and the systems' + accounts and permissions. Some of them are linked to, and thus apply only to, specific resource + types. + +![Role Model](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp) + +The role model is a subset of a policy that also includes [Governance](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md) data +such as risk definition. So, at a higher level, distinct policies can be used to implement distinct +behaviors. + +## A Role Catalog + +Identity Manager intends to represent IGA-related access right mechanisms by a +[role-based](https://en.wikipedia.org/wiki/Role-based_access_control) model. 
The goal of the role +catalog is contain an exhaustive list of entitlements from all managed systems. + +Entitlements from the managed systems are modeled by roles. For each entitlement, NETWRIX advises +creating a single role, with an easily understandable name, more functional than technical, so that +everyone knows what the role is for. + +![Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +Each individual entitlement should usually be modeled by a single role, and single roles can be +grouped together into composite roles to be closer to real job positions. + +![Composite Roles](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp) + +## A Rule Set + +Roles alone are not enough to give identities the systems' technical entitlements. We need rules to +have Identity Manager write users' entitlements in the managed systems. Rules are further used to +automatically assign roles to users, or to categorize users and accounts, etc. + +### Provisioning rules + +Just like identities, accounts are represented in Identity Manager by an +[ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md) entity-relationship model. So Identity +Manager manages entitlements as resources' attribute values. + +> For example, giving specific Active Directory permissions to a new user means not only creating a +> new AD account, but also setting values for certain account properties like `cn`, +> `sAMaccountName`, `userAccountControl` or `dn`, etc. + +Provisioning rules write the actual entitlements to the managed systems, most often based on users' +roles. + +> For example, to give an AD entitlement to a user, we usually need to give them a group membership. 
+> Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the +> member list of a specific AD group. + +![Provisioning Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp) + +Even when a role is manually assigned, provisioning rules will determine which account (and +permission groups) are given as entitlements. + +Identity Manager's provisioning rules are: + +- scalar rules to compute simple string properties; +- navigation rules and query rules to compute properties that act as foreign keys in a database; +- resource type rules to automatically create resources. + +### Assignment rules + +While the role catalog and provisioning rules are together enough to manually give users their +access rights, we often want Identity Manager to do this automatically. Assignment rules +automatically assign roles to identities based on specific criteria. + +> For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title +> is benefits manager and whose location is in France. + +![Assignment Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp) + +Once all assignment rules are created, Identity Manager is able to spot existing assignments that +are not supported by any rule, marking them as non-conforming. + +Identity Manager's assignment rules are: + +- single role rules and composite role rules to assign single and composite roles; +- resource type rules to assign accounts. + +### Categorization rules + +Different resources can be managed through different rules, by being part of different resource +types. So a resource type is a group a resources that have the same IGA-related purposes. +Categorization rules categorize resources into resource types and link identities to the accounts +they own. 
+ +> For example, we might need to differentiate AD's standard accounts from administration accounts. +> This way, we can configure different email addresses for privileged accounts, for example +> [adm.john.smith@contoso.com](mailto:adm.john.smith@contoso.com). We can also add more approval +> steps in the workflows related to privileged accounts, for more security than for standard +> accounts. + +![Categorization Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp) + +Identity Manager's categorization rules are: + +- correlation rules to link identities to the accounts they own; +- classification rules to categorize resources into resource types. + +### More rules + +Identity Manager provides more kinds of rules for optimization purposes, for example role naming +conventions to help build the role catalog by generating roles and navigation rules based on the +entitlements' names, or automation rules to help with governance by automating the review of the +assignments that do not comply with the configured rules. + +### Dimensions + +Rules can be triggered based on users' assigned roles, but also based on user data. + +The [ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md) model can be refined by configuring +dimensions: criteria from among resources' +[attributes](https://en.wikipedia.org/wiki/Attribute-based_access_control) that will trigger the +application of the rules. Then Identity Manager applies the rule for any resource whose value for a +given attribute matches the reference value specified in the rule. + +> For example, a user can be assigned the role `Benefits Manager - FR` only if their job title is +> benefits manager and their location is in France. In this case, users' attributes "job title" and +> "location" are the dimensions that trigger the assignment rule. 
+ +In a nutshell, dimensions determine who should be assigned the entitlements. + +Identity Manager's name and logo are based on this dimension concept: entitlement assignment is +governed by users' attributes defined as dimensions. Let's schematize users around these dimensions: + +- The schema for this with one dimension would be a line with all available values for the + dimension, and identities are distributed along the line. +- The schema with two dimensions would be a table, a square. +- The schema with three dimensions would be a 3D cube. And you can imagine 4D or 5D hypercubes, etc. + +![Dimensions - 1D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp) + +#### 1D + +![Dimensions - 2D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp) + +#### 2D + +![Dimensions - 3D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp) + +## Next Steps + +See the [Governance](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md) topic for additional information. + +## Learn More + +Learn more on the [ Role Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md). + +Learn how to +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +Learn more on hoe to +[Create a Composite Role](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md). + +Learn more on [Role Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/index.md). + +Learn more on +[ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). 
+ +Learn more on +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +rules. + +Learn more on the rules of +[ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md new file mode 100644 index 0000000000..e919955bf9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md 
@@ -0,0 +1,42 @@ +# Governance + +Identity Manager not only gives the right entitlements to the right identities, but also makes sure +that, over time, every assignment still complies with the configured policy. + +## Enforcing the Policy + +By reading entitlement data from the managed systems, Identity Manager builds an exhaustive list of +existing assignments for all identities in all managed systems. + +Rules and roles define a policy. By definition, assignments not supported by a rule do not comply +with the policy. These assignments are identified as non-conforming in order to be acted upon by +knowledgeable users who can decide whether the assignment is warranted, such as security officers. + +![Non-Conforming Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is +therefore: + +- either removed if Identity Manager correctly spotted it and the owner should indeed not possess + this permission; +- or kept as an exception if the configured rules do not apply to this particular case. + +## Other Governance Tools + +Identity Manager provides a set of governance tools to help enforce the policy, like access +certification campaigns, risk management or reporting. + +## Next Steps + +Let's read some [ Use Case Stories ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/use-cases/index.md). + +## Learn More + +Learn more on [Governance](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/index.md). + +Learn more on how to [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md). + +Learn more on +[ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md). 
+ +Learn more on how to [ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md new file mode 100644 index 0000000000..7fd3f74119 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md 
@@ -0,0 +1,127 @@ +# Identity Management + +Managing identities' entitlements requires starting by managing identities themselves. + +## A Central Repository + +A company involves many sorts of identities: obviously employees, but also external workers like +contractors who are usually not tracked in the company's systems except for billing purposes, bots, +softwares, etc. All identity types that need to be assigned entitlements to work within the company +must be represented. + +Companies often use about one system for each identity type. Identity Manager capitalizes on +information from several source systems in order to build a central repository meant to contain all +the data necessary to manage all identities throughout their whole lifecycle. + +![Usercube's Repository](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp) + +Identity Manager's central repository acts as an intermediary between the systems that provide data, +for example the HR system, and those that receive data, for example the Active Directory. This +greatly reduces the complexity in the links between all systems. + +Without an intermediary, adding one system to a set of n systems requires up to n sets of rules, one +for each reading/writing relationship that this system has with the others. The complexity is +quadratic. + +Now with the central repository as an intermediary, implementing a new system requires only one more +set of rules. The complexity becomes linear. + +![quadratic-linear-complexity](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp) + +## An Entity Relationship Model + +Identities, along with any IGA-related data, are modeled in Identity Manager by an +[entity-relationship model](https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model?featherlight=true). + +All this data is organized and modeled by entities. 
This concept is quite similar to a database: an +entity is a set of properties, some are scalar so "simple" properties, and others are navigation +properties which make links between entities, quite like foreign keys in a database. + +> For example, consider an entity `Directory_User` with properties like `Name`, `Email`, `JobTitle`, +> `Department`. +> +> Another entity could be `Directory_Department`, linked to `Directory_User` through a navigation +> property. +> +> Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The +> accounts from `SAB_User` could be related to groups from another entity `SAB_Group`. + +![Entity Type - Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +These entities' instances are called resources in Identity Manager. A resource can be the digital +identity of a user (human or bot), or an AD account or any other account, or an entry from the HR +system, or the representation of a department of the company, etc. + +> Consider once more the `Directory_User` entity with properties like `Name`, `Email`, `JobTitle`, +> `Department`. Then a resource could be the digital identity of an employee whose name is John +> Smith, with the email address [john.smith@contoso.com](mailto:john.smith@contoso.com) and working +> as an assistant manager in the accounting department. + +While Identity Manager provides a predefined model that should fit most organizations, it can still +be adjusted to your exact needs. Thus, Identity Manager provides a customizable model to organize a +company's data according to its IGA-related needs, which is also most reliable because it is kept +up-to-date. + +## Connectors + +Each entity is related to a managed system, for example the Active Directory or SAB or ServiceNow, +etc. The reading/writing data between the system and Identity Manager are ensured by connectors. 
So +Identity Manager can be configured with one connector for each managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +For a given system, a connector contains: + +- the technology which enables data flows between the system and Identity Manager; +- the related entities which model the system's resources; +- the categories which group the system's resources together according to the rules that we want to + apply to manage entitlement assignment for this system. + +Thus, a connector enables synchronization, i.e. Identity Manager reading from a managed system via +an [extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. + +![Synchronization](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +> A typical example is the synchronization of the HR system's data to retrieve employees' personal +> information. + +It also enables provisioning, i.e. Identity Manager writing to a managed system, but that is +something we will dig into later. + +![Provisioning](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +## Repository Updates + +Once Identity Manager is configured, with not only connectors but also roles and rules, etc. 
(which +constitute a different topic), changes can be made to the repository through: + +- synchronization, when changes were made in the managed systems and then synchronized, so copied, + to Identity Manager; +- manual input, mostly used for a few resources/properties that rarely change such as contractors' + identities; +- workflows which contain approval steps to complete before the changes are actually applied; +- the policy's rules that trigger changes to the repository directly, and those that trigger changes + to managed systems and impact the repository indirectly after the next synchronization. + +See the [ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic for additional +information. + +## Next Steps + +Let's learn about [ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +## Learn More + +Learn more on Identity Management. + +See how to +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md). + +Learn more on [Connectors](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/index.md). + +See how to create a +[ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md). + +Learn more on [Synchronization](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/index.md). + +Learn more on [Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/index.md new file mode 100644 index 0000000000..a257d53c71 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/index.md 
@@ -0,0 +1,90 @@ +# IGA and Netwrix Identity Manager + +Identity Manager is a powerful tool for Identity Governance and Administration (IGA) automation. + +## Identity Governance and Administration (IGA) + +Identity Governance and Administration (IGA) is a combination of Identity Access Management (IAM) +and Identity Access Governance (IAG). + +- IAM is about allowing the right identities to have the right permissions at the right time for the + right reasons. +- IAG is about providing visibility regarding identities, user access, and for monitoring + compliance. + +[See Gartner's documentation on IGA](https://www.gartner.com/en/documents/3885381). + +## Why Identity Manager + +We could explain Identity Manager's purpose like this: + +Typically, Identity Manager manages entitlements automatically according to a user's needs, for +example Active Directory group memberships. + +--- + +**First, we need to manage identities.** + +To do so, Identity Manager capitalizes on information from several source systems in order to build +a central repository. This repository should contain all the organizational data relevant for access +management for all users, meaning not only employees but also contractors, bots, or any kind of +identity. + +![Synchronization](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +**This implies involving external systems.** + +Access management requires reading/writing data to/from varied systems and applications, like the +Active Directory. Identity Manager provides an expanded set of connectors which contain the +technology required for IGA-related data flows. + +![Connectors](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_connectors.webp) + +See more details on [ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md) and connection between +systems. 
+ +--- + +**Then, we need to manage entitlements, in other words access rights, or permissions.** + +Identity Manager helps you build a role catalog that lists all entitlements from all managed +systems. The technical entitlements can then associated with new, functional names that more clearly +represent a business-oriented view point. + +In addition, Identity Manager helps you determine identities' expected entitlements by building a +role model. This model contains different kinds of rules that will suggest entitlement assignments, +or even assign them directly, based on the imported organizational data. + +As each working environment has its own particularities, you will be able to refine the identity +model by defining dimensions, i.e. criteria from among organizational data that will trigger the +rules. + +![Calculation](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_calculation.webp) + +--- + +**Finally, we need to actually give identities their entitlements and then govern them.** + +Identity Manager can be configured to provision the managed systems in order to apply the changes +dictated by the role model. This provisioning can be done either directly, with automatic +provisioning, or by notifying system administrators of the needed changes. Thus, identities finally +get their entitlements. + +![Provisioning](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +Furthermore, Identity Manager provides a few workflows for entitlement request or user data +modification, which often include approval from a third party, hence identities get their +entitlements securely. + +See the [ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic for additional +information. 
+ +Thanks to the role model and data flows between Identity Manager and the managed systems, Identity +Manager ensures the compliance of existing permission assignments with the policy, pointing out +non-conforming assignments. + +See the [Governance](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/governance/index.md) topic for additional information. + +## Examples + +Let's read some [ Use Case Stories ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/use-cases/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/use-cases/index.md b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/use-cases/index.md new file mode 100644 index 0000000000..ba8a52e91b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/use-cases/index.md 
@@ -0,0 +1,59 @@ +# Use Case Stories + +Here is a basic use case story to explain how Identity Manager manages IGA. + +## Use Case + +Mr. James was just hired to join the Contoso company as a mechanical engineer. He will need access +to some of the company's most sensitive data, such as confidential blueprints, mechanical design +software licenses, and source files. + +### Identity management + +The central repository already exists, containing all workers, all departments, etc. + +Mr. James' manager uses one of Identity Manager's workflows to add Mr. James as a new employee, +filling in his first name, last name, job title ("Mechanical Engineer"), his contract type +("permanent") and his start date. + +The rest of Mr. James' personal information, such as his birth date, etc., can be filled later by +someone from the HR department. + +### Entitlement management + +As Mr. James is not the first mechanical engineer in Contoso, Identity Manager already contains a +composite role named "R&D Mechanical Engineer". This role is meant to give its owners access to the +company's sensitive data useful for mechanical engineers. Assigning this role will trigger the +assignment of several single roles, each one giving one access right. + +Technically speaking, each access right is granted via a membership to a specific Active Directory +group. Thus Identity Manager also contains a navigation rule that gives this group membership to any +user owning this single role. + +In our example, each access right corresponds to an AD group membership, but it could be any +entitlement in any external system. + +For Mr. James to get the access rights that he needs, there are several options: + +- either Mr. James' manager manually assigns the "R&D Mechanical Engineer" role to him via a + workflow before his arrival, for example setting the start date to two weeks after Mr. 
James' + first day as he will be in training before then; +- or there may be an assignment rule that automatically assigns the role to any user with the job + title "Mechanical Engineer", so Mr. James will get the role on his first day. + +As the needed access rights involve the AD, Mr. James also needs to own an AD account which will be +linked to its identity in Identity Manager via correlation rules. + +Once the requests for the role and the account are approved, Identity Manager can connect to the +Active Directory and create Mr. James' account and add it to the proper groups, via provisioning +rules. + +### Governance + +Once the role model is well underway, Identity Manager can compare existing access rights to +expected access rights. Thus, Identity Manager makes sure that Mr. James always has all the +entitlements he needs in order to work, but not more to prevent security breaches. + +## Next Steps + +Let's learn about Identity Manager [ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/migration-guide/index.md b/docs/identitymanager/6.2/identitymanager/migration-guide/index.md new file mode 100644 index 0000000000..0a5a75da3d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/migration-guide/index.md 
@@ -0,0 +1,56 @@ +# Migration Guide + +This guide is designed to provide step-by-step procedures in order to migrate Identity Manager from +your current version to the latest one. + +**NOTE:** For the latest SaaS versions, if you are using the administrator scaffolding the necessary +permissions for the update are added to the administrator scaffolding and they will be taken into +account the next time the configuration is deployed. + +## General Upgrade Instructions for the Server with Integrated Agent + +**Step 1 –** Download the `usercube-server-runtime` from the expected version from +[](https://extranet.usercube.com/)[Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). + +**Step 2 –** Stop the existing server. + +**Step 3 –** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`. + +**Step 4 –** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a +new `Runtime` folder. + +**Step 5 –** Copy the original `appsettings.json` and `appsettings-agent.json` files from +`RuntimeOld` to the new `Runtime`. + +**Step 6 –** Restart the server. + +## General Upgrade Instructions for the Agent + +**Step 1 –** Download the `usercube-agent-runtime` from the expected version from +[](https://extranet.usercube.com/)[Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). + +**Step 2 –** Stop the existing agent. + +**Step 3 –** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`. + +**Step 4 –** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a +new `Runtime` folder. + +**Step 5 –** Copy the original `web.config, appsettings.json` and `appsettings-agent.json` files +from `RuntimeOld` to the new `Runtime`. + +**Step 6 –** Restart the agent. 
+ +## Specific Information to Migrate from v6.1 to v6.2 + +If you are looking to upgrade the Netwrix Identity Manager version from 6.1 to 6.2 you will not need +to take any action because the database will automatically be upgraded. If you have problems +importing your configuration into 6.2 related to C# expressions, please run the Identity +Manager-Check-ExpressionsConsistency tool. See the +[Usercube-Check-ExpressionsConsistency](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) +topic for additional information. + +## Specific Information to Migrate from v6.0 to v6.1 + +If you are looking to upgrade the Netwrix Identity Manager version from 6.0 to 6.1 you will not need +to take any action because the database will automatically be upgraded. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md new file mode 100644 index 0000000000..42ac8e056b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md 
@@ -0,0 +1,113 @@ +# Execute a Certification Campaign + +How to execute access certification campaigns, i.e. review specific entitlement assignments and +deprovision inappropriate access. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Once certification campaigns are scheduled, the assigned reviewers must decide for all relevant +assignments if they ought to be deleted or not. + +## Participants and Artifacts + +The execution part should be performed in cooperation with the staff who review access in the +campaign scheduling. + The monitoring part should be performed in cooperation with the staff in charge of campaign +scheduling. + +| Input | Output | +| ----------------------------------------------------------------------------------------------- | ---------------- | +| [ Schedule a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) (required) | Certified access | + +## Execute Certification + +Execute certification by proceeding as follows: + +1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home + page. + + ![Home - Access Certification](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp) + + On this page, all assignments to be reviewed are listed. + + ![Access Certification](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp) + + Each assignment can be commented by clicking on the corresponding icon. 
+ + ![Comment Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +2. Choose one of the three possibilities to verify all assignments one by one: + + In order to help reviewers in the decision-making process, each assignment shows a + recommendation icon, indicating whether said assignment complies with the role model. + + See the icons below this note. + + The Recommended icon indicates that the entitlement has been automatically granted according to + the security policy. You can approve it because it is compliant. + The Not Recommended icon indicates that the entitlement does not comply with the security + policy. It is recommended to refuse it, unless the user really needs it. + + An absence of any icon indicates that the entitlement does not comply with the security policy. + However, it has been manually granted or denied. Thus there is no recommendation, please review + this entitlement carefully. + + ![Recommendation Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg) + + ![Discouragement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg) + + - Either click on the approval icon to confirm that this entitlement is necessary for this + identity. + + ![Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg) + + - Or click on the decline icon to confirm that this entitlement is not necessary for this + identity. 
+ + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + + - Or click on the three dots icon to highlight that this entitlement is not part of your scope + of responsibility and forward it to the adequate person. + + ![Forward Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg) + +3. Click on **Confirm Decisions** on the left of the page. + + If you've made an erroneous decision, exiting the page before confirming offers the possibility + to quit without saving and start over from the last confirm. + +## Monitor a Certification Campaign + +Existing certification campaigns are listed on the page accessible via the **Access Certification +Campaigns** button on the home page in the **Administration** section. + +![Home - Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +![Campaigns Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp) + +### Get reports + +A **Download** button is available for each campaign. It downloads a CSV report that lists all the +entitlement assignments to be reviewed, the corresponding reviewers and their decisions. + +![Report Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp) + +### Send notifications + +The notification icon on the line of a given campaign offers the possibility to send reminder +notifications to the staff who has not finished processing the campaign. 
+ +### Generate provisioning orders + +Once entitlement assignments have been reviewed, the final step is to apply these decisions. + +An **Apply Decisions** button is available for each campaign. It shows all the decisions made in the +campaign. The campaign administrator can then decide to actually apply said decisions and generate +the appropriate provisioning orders for deprovisioning unjustified entitlements. Said orders will be +considered during the next provisioning job. + +![Apply Decisions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md new file mode 100644 index 0000000000..275adfef46 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md 
@@ -0,0 +1,96 @@ +# Schedule a Certification Campaign + +How to create and schedule access certification campaigns, defining their scope. + +## Overview + +The aim of an access certification campaign is to review specific access and entitlements for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Here, you will learn how to create and schedule a certification campaign, defining its scope via the +filters specifying the reviewers and items to be reviewed. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing, because they +know what entitlements need to be reviewed. + +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| [Create the Workforce Repository](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required)
[Create Roles in the Role Catalog](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (optional)
[Manage Risks](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md) (optional) | Scheduled certification campaign(s) | + +## Create a Certification Campaign + +Create an access certification campaign by proceeding as follows: + +1. Click on **Access Certification Campaigns** in the **Administration** section on the home page. + + ![Home - Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +2. Click the addition button at the top right and fill in the fields: + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Certification Campaign](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp) + + - `Identifier`: Must be unique among campaigns, without whitespace. + - `Name`: Displayed in the UI to identify the campaign. + - `Start Date`: Determines the access snapshot that will be reviewed. Only permissions existing + at this date will be included. + - `End Date`: Campaign deadline. + - `Target Entity Type`: Entity type the campaign targets. + - `Target Reviewers`: Identities responsible for the review, configured via + [Access Certification policies](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md). + - `Target Specificities`: + [AccessCertificationDataFilter](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) + that define what permissions to include (object type, category, approval state, etc.). The + campaign scope is a **union** of all specificities. 
+ + ![Target Specificities](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp) + + The campaign targets permissions that meet the **intersection (AND)** of all filters. When + using role tags, roles with **any** of the listed tags are included (**OR** logic). + + - `Target Owners`: Filters based on identity dimensions. These are combined using **AND** logic. + + ![Target Owner Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp) + + Additional filters may be available depending on the selected entity type: + + ![Target Owner Additional Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp) + + - `Individual Owner`: A single identity whose access will be certified. + - `Active Target`: Identities for which a specific property (from `Directory_UserRecord`) + was modified since a given date. + + > Only properties **not calculated** by Identity Manager can be used to filter target + > owners. + + > Example: The following campaign certifies all single roles assigned to two specific + > users: + > + > ![Campaign Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp) + +3. Click **Create**. The campaign appears in the list. + + ![Campaigns Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp) + +4. Click **Launch** to apply the changes and start the certification job. + + Logs for this job are available via the **Job Results** button. 
+ + > Example: + > + > ![Execute Access Reviews Job](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp) + +## Impact of Modifications + +You can modify any field in a certification campaign **before its start date**. +After it begins, only the name, identifier, and end date can be changed. +You may delete the campaign at any time. + +## Verify Campaign Scheduling + +To verify the setup, go to the **Access Certification Campaigns** page and check that the created +campaign has the correct parameters. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md new file mode 100644 index 0000000000..5fec2ff699 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md 
@@ -0,0 +1,39 @@ +# Perform Access Certification + +How to certify existing access by reviewing a specific range of assigned permissions for auditing +purposes. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- a certain category of roles; +- a certain type of assignment; +- assignments not certified since a certain date; +- assignments presenting a certain level of risk. + +Certification campaigns can be +[Access Certification](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/accesscertification/index.md) but the +UI described in this guide can be enough on its own. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing because they +know which entitlements need to be reviewed. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)(optional) [ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md)(optional) | Certified access | + +## Perform Access Certification + +Perform access certification by proceeding as follows: + +1. [ Schedule a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md). +2. [ Execute a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/assigned-roles/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/assigned-roles/index.md new file mode 100644 index 0000000000..e9204c0d93 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/assigned-roles/index.md 
@@ -0,0 +1,58 @@ +# Review Assigned Roles + +How to review user permissions grouped by categories. + +**NOTE:** **Assigned Roles** is currently in a preview state and additional functionality will be +added in a future release. + +## Overview + +The **Assigned Roles** section displays a list of the users permissions grouped by categories. This +screen is visible for managers and displays the list of employees part of the team, their roles and +permissions. + +You can review all assigned single roles by category. Through filters you can choose to focus on: + +- **Entity Type** +- **Workflow State** +- **Policy** +- **Role** +- Other custom filters + +## Participants and Artifacts + +This operation should be performed by a user with the right permissions. See the +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +The following example provides the rights for the Administrator profile to see the Assigned Roles +page on the **Entity Type** directory user. See the +[ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) and +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Review Assigned Roles + +Review the Assigned Roles by proceeding as follows: + +![assignedroles](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp) + +**Step 1 –** On the home page, in the Administration section of the UI click on Assigned Roles. 
+ +![assignedrolesscreen](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp) + +**Step 2 –** View the list of users with different assigned roles and filter them by **Entity +Type**, **Workflow State**, **Policy**, **Role** or by using a custom filter. + +**Step 3 –** Download an .xlsx file list of the **Assigned Roles** users according to the selected +filters. + +Revisit the **Assigned Roles** section any time you need to review the information related to +Assigned roles. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/index.md new file mode 100644 index 0000000000..ba34b074df --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/index.md 
@@ -0,0 +1,74 @@ +# Administrate + +In the Admin section you can do the following: + +- [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) + + How to use Identity Manager's reporting modules to produce IGA reports for auditing and + governance purposes. + +- [Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + + How to remediate license and security issues caused by orphaned and/or unused accounts. + +- [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) + + How to write to a managed system. + +- [ Review Provisioning ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + + How to review provisioning orders before generation. + +- [ Provision Manually ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) + + How to use Identity Managerto manually write to the managed systems. + +- [ Provision Automatically ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md) + + How to use Identity Manager to automatically write to the managed systems. + +- [ Review Non-conforming Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) + + How to review non-conforming assignments, i.e. approve or decline the suggestions made by + Identity Manager after every synchronization. The aim is to handle the differences between the + values from the managed systems and those computed by Identity Manager's role model. + +- [ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + + How to review non-conforming permissions, i.e. 
approve or decline the role suggestions made by + Identity Manager after every synchronization. The aim is to handle the differences between the + navigation values from the managed systems and those computed by Identity Manager according to + the role catalog. + +- [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + + How to review unreconciled properties. The aim is to handle the differences between the property + values from the managed systems and those computed by Identity Manager according to provisioning + rules. + +- [ Review an Unauthorized Account ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) + + How to remediate unauthorized accounts. The aim is to review the accounts whose assignments + don't comply with the rules of the role model. + +- [ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md) + + How to certify existing access by reviewing a specific range of assigned permissions for + auditing purposes. + +- [ Schedule a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) + + How to create and schedule access certification campaigns, defining their scope. + +- [ Execute a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md) + + How to execute access certification campaigns, i.e. review specific entitlement assignments and + deprovision inappropriate access. 
+ +- [ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + + How to send a manual request to add, update or remove an entitlement for an identity. + +- [Review Assigned Roles](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/assigned-roles/index.md) + + How to review user permissions grouped by roles. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md new file mode 100644 index 0000000000..777e53525d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md 
@@ -0,0 +1,83 @@ +# Request Entitlement Assignment + +How to send a manual request to add, update or remove an entitlement for an identity. + +## Overview + +Changes in an identity's entitlements can be handled using Identity Manager's predefined workflows +to: + +- View the list of the identity's Request Entitlement Assignment with Identity Manager's suggestions + according to the identity's position; +- Modify the identity's Request Entitlement Assignment (add, update, remove). + +## Participants and Artifacts + +An assignment can be requested for a user sometimes by said user themselves, most often by their +manager, and on some occasions by the involved application owner. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Updated entitlements | + +## View Identity's Entitlements + +View the identity's entitlements by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be checked. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **View Permissions** to access the entitlement list. 
+ + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +## Modify Identity's Entitlements + +Act on an existing identity by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement + request. + + ![Workflow - Modify Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions to select entitlements and the action to be performed. You + can: + + - select entitlements to add; + - modify the potential options of the entitlements you are adding; + - delete entitlements which were assigned or declined manually; + - deny entitlements which were assigned automatically; + - allow denied entitlements by assigning them back manually. + + If the request is about assigning an entitlement via a role which requires at least one + approval, then sending the request triggers the display of said request on the **Role Review** + screen. + + ```` + Home Page - Role Review + + ```In this case, the requested entitlement will be displayed in the user's \*\*View Permissions\*\* tab only after the request is reviewed. + ```` + +## Verify Entitlement Request + +In order to verify the process, check that the change you made in the user's entitlements is +displayed in their **View Permissions** tab in the directory. 
+ +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md new file mode 100644 index 0000000000..e047a00fc9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md 
@@ -0,0 +1,67 @@ +# Review Non-conforming Assignments + +How to review non-conforming assignments, i.e. approve or decline the suggestions made by Identity +Manager after every synchronization. The aim is to handle the differences between the values from +the managed systems and those computed by Identity Manager's role model. + +## Overview + +Integrators must review three main types of non-conforming entitlement assignments: + +- Non-conforming roles: Identity Manager finds roles assigned to users in the managed systems that + no rule in the role model can justify. +- Unreconciled properties: Identity Manager's role model computes property values that are different + from the values in the managed systems. +- Unauthorized accounts: no rule from the role model can justify their actual assignment to an + identity. + +Unreconciled properties, unauthorized accounts and non-conforming roles are part of +[Non-Conforming Assignments](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md). +The global aim of the review is to handle the gaps between the +[ Existing Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md) +(real values) and the +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +(theoretical values computed by Identity Manager from the role model rules). + +A high number of non-conforming assignments can come from an issue in configuration rules. + +Non-conforming roles and unauthorized accounts can be mass reviewed through +[Automate the Review of Non-conforming Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md). 
+ +## Participants and Artifacts + +This operation should be performed in cooperation with application owners who are in charge of +applications' entitlements (technical side), and/or managers who know their team's entitlements +(functional side). + +| Input | Output | +| ---------------------------------------------------------------------------- | --------------------- | +| [](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md)[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying assignments | + +### Pre-existing assignments vs. non-conforming assignments + +The assignments specified as non-conforming during the very first execution of the role model are +called pre-existing assignments. Pre-existing assignments are tagged differently from other +non-conforming assignments by the +[ Save Pre-Existing Access Rights Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) +because they can indicate that: + +- The rules are not optimal yet. +- Data in the managed system needs more cleanup. + +Obviously, pre-existing assignments can also prove to be exceptions to the rules, like +non-conforming assignments, and need to be validated as such. + +## Review Non-conforming Assignments + +While there can be dependencies between the review of non-conforming roles and unreconciled +properties, there are no absolute requirements regarding the sequential order of the non-conforming +assignment review: + +- Review [ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md). +- Review [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md). 
+- [ Review an Unauthorized Account ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md). + +[ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md) can be defined to highlight the most +sensitive accounts/permissions, in order to establish a priority order in the review of +non-conforming assignments. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md new file mode 100644 index 0000000000..5b4dacbe2b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md 
@@ -0,0 +1,171 @@ +# Reconcile a Property + +How to review unreconciled properties. The aim is to handle the differences between the property +values from the managed systems and those computed by Identity Manager according to +[ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +## Overview + +Unreconciled properties are considered as non-conforming assignments because Identity Manager's role +model has computed property values that are different from the values in the managed systems. + +### Property reconciliation with role reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups for various applications, and a role is assigned through a group +> membership. An entitlement can be assigned to an identity by adding said identity's DN to the +> `member` property of the appropriate group. Identity Manager translates it by editing the +> identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its workflow state transitioned to `Manual` (if approved) or `Cancellation` (if + declined, then a deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. + +| Input | Output | +| --------------------------------------------------- | -------------------- | +| [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying properties | + +## Review an Unreconciled Property + +Review an unreconciled property by proceeding as follows: + +1. 
Ensure that the task for the computation of the role model was launched recently, through the + complete job on the **Job Execution** page� + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + � Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unreconciled properties` as a `Workflow State`. + + ![Unreconciled Property](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp) + +4. Choose the default resource view or the property view with the top right toggle. See the + Reconcile a Property topic for additional information. +5. Select a property to review. + + > In the following example, the user `Nicolas Faure` is the owner of a given resource, here a + > nominative SAB account associated with his email address. In the **Resource Properties to be + > Verified** frame, there is one unreconciled property that happens to be `Group`. + > + > ![Unreconciled Property Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp) + + - `Name`: unreconciled property name. + - `Proposed Value`: value proposed by Identity Manager. + - `Current Value`: value currently in the managed system. + - `Provisioning State`: provisioning state. 
+ - `Start Date`: date for the beginning of the property value existence. + - `End Date`: date for the end of the property value existence. + + The **Other Resource Properties** frame shows the complying properties associated with the + resource. + +6. Choose one of the three possibilities to verify the property: + + Decisions must be made with caution as they cannot be undone. + + - Either click on the approval icon to update the property with the proposed value. It discards + the whole property history. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + Automatic changes are essential for frequently-changing attributes. However, saving history + information can sometimes be important for some attributes such as logins and emails. + + - Or click on the decline icon to not update the property and keep the resource value. In the + future, this property will no longer be changed automatically. + + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of + interest. Identity Manager won't be able to change this data and the service account manager + will avoid authentication errors. It can be interesting to keep manual some sensitive data + changes like `SAMAccountName` for example, so that Identity Manager does not change it and + the service account manager does not risk problems in authentication. 
+ + - Or click on the postponement icon to delay the decision. An unreconciled property is ignored + by Identity Manager, and therefore cannot be modified. + + ![Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +7. Click on **Confirm Property Values**. +8. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > + **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. 
+ +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +## Verify Property Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's page in the directory. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md new file mode 100644 index 0000000000..fad9758afe --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md 
@@ -0,0 +1,121 @@ +# Reconcile a Role + +How to review non-conforming permissions, i.e. approve or decline the role suggestions made by +Identity Manager after every synchronization. The aim is to handle the differences between the +navigation values from the managed systems and those computed by Identity Manager according to the +role catalog. + +## Overview + +Non-conforming roles are considered as non-conforming assignments because no rule from Identity +Manager's model can justify their actual assignment to an identity. + +### Role reconciliation with property reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups dedicated to various applications, and a role is assigned through +> group membership. An entitlement can be assigned to an identity by adding said identity's DN to +> the `member` property of the appropriate group. Identity Manager translates it by editing the +> identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its + [Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) + workflow state transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a + deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know their team's expected +entitlements. 
+ +| Input | Output | +| --------------------------------------------------- | --------------- | +| [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying roles | + +## Review a Non-conforming Permission + +Review a non-conforming permission by proceeding as follows: + +1. Ensure that the + [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + � Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** + section, to get to the non-conforming permissions page. + + ![Home Page - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + + ![Role Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp) + + Each non-conforming permission can be commented by clicking on the corresponding icon. + + ![Comment Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +3. 
Choose one of the two possibilities to verify the permission: + + Contrary to resources, reviewed roles are then displayed on the **Role Review** page accessible + from the home page, and can be reviewed again. + + - Either click on the approval icon to keep the non-conforming permission. + + ![Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg) + + - Or click on the decline icon to delete the non-conforming permission. + + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg) + +4. Trigger [provisioning](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) by launching, on the appropriate connector's + overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, + **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use bulk provisioning + +Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. + +![Bulk Reconcile Roles](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp) + +## Verify Role Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) 
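Review bot: In role-reconciliation/index.md, step 1 of "Review a Non-conforming Permission" has a stray replacement character at the start of `� Or through the connector's overview page, **Jobs** > **Compute Role Model**.`, and the sentence before it ends at "**Job Execution** page" with no punctuation. Remove the character and end the preceding sentence with a colon, as the same step does in the unauthorized-account page added by this patch. In step 3, the remark beginning "Contrary to resources, reviewed roles are then displayed on the **Role Review** page" sits between the lead-in "Choose one of the two possibilities" and the two options; move it after the decline bullet. The overview says a declined review sends a deprovisioning order, so consider repeating that at the decline bullet, which only says "delete the non-conforming permission". The heading `### Use bulk provisioning` introduces **Bulk Reconcile Roles**, so a title such as "Use bulk reconciliation" would match the content.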
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md new file mode 100644 index 0000000000..5300c44208 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md 
@@ -0,0 +1,109 @@ +# Review an Unauthorized Account + +How to remediate unauthorized accounts. The aim is to review the accounts whose assignments don't +comply with the rules of the role model. + +## Overview + +Unauthorized accounts are considered as non-conforming assignments because no rule from Identity +Manager's model can justify their actual assignment to an identity. + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. + +| Input | Output | +| --------------------------------------------------- | ------------------ | +| [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying accounts | + +## Review an Unauthorized Account + +Review an unauthorized account by proceeding as follows: + +1. Ensure that the + [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page: + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. 
+ + ![Resource Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +4. Choose the default resource view or the Review an Unauthorized Account with the top right toggle. +5. Click on the line of an account with an owner. + + In the following example, the nominative LDAP account linked to the resource + `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence + rate. + + ![Select Decision](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp) + + The displayed confidence rate means that a rule actually assigned the account to the identity, + but with a confidence rate too low to imply full automatic assignment. Approval will be + required. See the [ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) + topic for additional information. + + The **Resource Properties** frame shows all the properties of the resources. They can be updated + by clicking on the edit button. See the + [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. + + ![Edit Button](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp) + +6. Select the appropriate decision. + + Decisions must be made with caution as they cannot be undone. + +7. Click on **Confirm Account Deletion** or **Authorize Account** according to the previous + decision. +8. 
Trigger [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) by launching, on the appropriate connector's + overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, + **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. 
+ +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current +Values**, does not approve their unreconciled properties which will still be displayed on this +screen. + +## Verify Review + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md new file mode 100644 index 0000000000..f3bec54a17 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md 
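Review bot: In unauthorized-account-review/index.md, step 4 reads `Choose the default resource view or the Review an Unauthorized Account with the top right toggle.`, which looks like a page title substituted for the words "property view". The "Use property view" subsection and its `Property View` toggle, and the matching step in the orphaned-account page, all say "property view", so restore that wording. Step 8 begins `Trigger [Provision](...)`, where the link text is a topic title rather than a noun; the role-reconciliation page uses `Trigger [provisioning](...)` for the same step. The last paragraph of "Use property view" says "non-authorized accounts" while the rest of the page says "unauthorized accounts"; use one term. Step 6 warns that decisions cannot be undone, so it would help to say there which button deletes the account before the reader reaches step 7.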
@@ -0,0 +1,202 @@ +# Review Orphaned and Unused Accounts + +How to remediate license and security issues caused by orphaned and/or unused accounts. + +## Overview + +The review of unused and orphaned accounts is essential to solve security and license management +issues. Orphan accounts are without an owner, while unused accounts remain open without any +activity. + +### Orphaned accounts list + +A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed +through the menu items on the left of the home page, in the **Connectors** section. + +![Home - Entity Types](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +These entity type pages can be configured via XML to customize all displayed columns and available +filters, especially the **Orphan** filter that spots uncorrelated resources, and the **Owner / +Resource Type** column that shows the owner of each resource. See +the[ Create Menu Items ](/docs/identitymanager/6.2/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) topic for +additional information on customization. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +In the **Orphan** field, select **Yes** to see all existing resources without an owner. + +In addition, filters can be configured in the reporting module to list orphaned accounts. See the +[ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. Choose to display +**User** and **AD User** (nominative) with a filter on void user's display names. + +**NOTE:** Some accounts are considered orphaned because of an error in the account data or +assignment rule. 
+For an entity that is never the target of a resource type, the concept of an orphan does not apply +because the **Owner / Resource Type** column will be hidden. +When using a display table to display these entities, use +DisplayTableDesignElement``({{< relref "/integration-guide/toolkit/xml-configuration/user-interface/displaytable#properties" >}}) `"table"`` +or `"adaptable"`. + +### Unused accounts list + +The way to identify activity in a managed system is highly dependent on said system. Thus, activity +identification cannot be generalized, and the absence of activity in accounts isn't recognizable +with the configuration as is. Integrators must configure a specific property fulfilling this +purpose. + +For example in the AD, we can compute a Boolean property **isUnused** based on other AD accounts' +properties. Below is an example that you can use and adjust to your specific configuration: + +Here we write an expression for isUnused based on the bits of userAccountControl, the value of +**accountExpires** and the value of LastLogonTimeStamp: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +Once this "unused" property is created, a list of all unused accounts can be displayed thanks to the +filters in the query module, based on said property. See the +[ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. + +The previous example about the AD's **isUnused** property can be complemented in the query module by +displaying this property alongside users' **EmployeeId**. + +![Query of Unused Accounts](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate as indicated in the +table below. 
+ +| Input | Output | +| ------------------------------------------------------------------------- | ------------------------------------ | +| [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) (required) | Removed orphaned and unused accounts | + +## Review an Orphaned Account + +Review an orphaned account by proceeding as follows: + +![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +**Step 1 –** Go to the **Resource Reconciliation** page, accessible from the corresponding section +on the home page. + +![Resource Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +**Step 2 –** Select **Unauthorized account** as the **Workflow State**. Orphaned accounts are those +appearing with no owner. + +**Step 3 –** Choose the default resource view or the property view with the top right toggle. + +**Step 4 –** Click on the line of an account without an owner. + +![Select Owner](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp) + +In the following example, the nominative AD account linked to the email address +nathan.smith@acme.com has no owner. + +You can **Select owner** from the list by clicking on the check box. + +![Owners List](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp) + +**Step 5 –** Answer the following questions in order to understand the situation. + +- Has the account been used recently? +- Why is it orphan? +- Who is it supposed to belong to? +- If it is a service account, is it useful? Has it been used recently? 
+ + - A used account must be connected to its rightful owner + - An unused account must be deleted + +- If this account belongs to a person, is the user still in the organization or did they leave? + + - If the owner has left for more than XXX (time period defined by the security officer's rules), + the account must be deleted + - If the owner has left for less than XXX, the account must be connected to its owner and + deactivated. + - If the owner is still in the organization, the account must be connected to its owner. Is + there a rule to change? + +**NOTE:** We said that useful service accounts must be connected to their owners due to the fact +that an orphaned account cannot be certified. .See the +[ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md) topic for additional information. +But a service account must not be linked to a person, for the departure of said person from the +company may trigger the loss of the service account. +This is why we create identities with **Application** as their **UserType**, each +application-identity linked to a person supposed to manage it. Thus,service accounts must be +connected to application identities, themselves owned by people. That way, if the owner of the +application leaves, the application-identity is not deleted, and the service accounts it owns are +not deprovisioned. + +See the schema below this note. + +![Schema - Service Accounts](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp) + +**Step 6 –** Select the appropriate owner or no owner at all, according to the previous analysis. + +_Remember,_ decisions must be made with caution as they cannot be undone. + +**NOTE:** When binding an orphaned account to an existing owner, properties might need to be +reconciled. 
+ +**Step 7 –** Click on **Confirm Account Deletion** or **Authorize Account** according to the +previous decision. + +By taking the necessary steps the orphan account will be delete or authorized. + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the **Property View** toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +## Verify Review + +In order to verify the process, check that the line for your reviewed item has been removed from the +**Resource Reconciliation** screen. 
+ +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +In addition, if you reconciled an orphaned account with an owner, check the user's permissions to +see said account. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md new file mode 100644 index 0000000000..f6281fd310 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md 
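Review bot: In orphan-unused-account-review/index.md, the code fence under "Unused accounts list" is empty, so the sentences that introduce an **isUnused** expression based on `userAccountControl`, **accountExpires** and `LastLogonTimeStamp`, and the instruction to replace attributes enclosed in `<>`, refer to an example that is not there. Restore the expression or drop the lead-in, since this is the only place the page tells integrators how to detect unused accounts. The NOTE above it still contains a Hugo shortcode with unbalanced backticks, ``DisplayTableDesignElement``({{< relref "...displaytable#properties" >}}) `"table"`` ``; convert it to a normal Markdown link like the others in this patch. In step 5 the retention period is left as `XXX` in two bullets; say explicitly that it is a placeholder set by the security officer, or use a named variable. Smaller points in the same hunk: ". .See the" and "Thus,service accounts" need punctuation fixes, "will be delete or authorized" should be "deleted", `the[ Create Menu Items ]` lacks a space, and several screenshots (Resource Reconciliation, Select Owner, Bulk Reconcile, View Permissions Tab) are placed before the step or sentence they illustrate.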
@@ -0,0 +1,55 @@ +# Provision Automatically + +How to make Identity Manager automatically write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +automated provisioning is used to minimize human intervention and trust Identity Manager with role +model enforcement in external systems. + +### Provisioning states + +In an assignment request's lifecycle, provisioning automation implies skipping the `Transmitted` +state as Identity Manager no longer waits for a user to make changes anymore. For this reason, an +assignment request goes through the following provisioning states: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| [ Review Provisioning ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) Automated provisioning [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Automated Provisioning + +automated provisioning is performed through a connection using a +[ References: Packages ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md) for +fulfilling external systems. + +## Perform Automated Provisioning + +There is no procedure to perform automated provisioning, for it is automatic and thus handled by +Identity Manager in daily jobs. 
+ +Make sure that the task used to compute and generate provisioning orders was launched after the +request (or the provisioning review, if any), through the complete job in the **Job Execution** +page. + +![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify Automated Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the [ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md)to make a + change in one of their permissions, which involves automated provisioning. +3. Perform automated provisioning and check in Identity Manager that the change was effectively + made. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md new file mode 100644 index 0000000000..0ed2797c6f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md 
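Review bot: In automatic-provisioning/index.md, the "Implement Automated Provisioning" sentence `automated provisioning is performed through a connection using a [ References: Packages ](...) for fulfilling external systems.` starts in lower case and uses the linked topic's title as a noun. Suggest "Automated provisioning is performed through a connection using a package for fulfilling external systems", followed by a "See the References: Packages topic" sentence. Verification step 3 says "Perform automated provisioning", yet the section above states there is no procedure to perform it; reword the step to wait for or launch the job and then check the result. The Input cell of the table merges three entries into one run of text, with "Automated provisioning" neither linked nor marked required; separate them. In step 2, `[ Request Entitlement Assignment ](...)to make` is missing a space and a noun such as "procedure", and in "Provisioning states" the phrase "no longer waits for a user to make changes anymore" is redundant.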
@@ -0,0 +1,112 @@ +# Provision + +How to write to an externally managed system. + +**A word about terminology** — Let's clarify the concept of writing to a managed system. + +There are two notions involved: + +- Fulfillment — writing to a managed system, manually or automatically +- Provisioning — writing automatically as provisioning is automated fulfillment + +But in everyday conversation, in the interface and in this documentation, we use the term +provisioning instead of fulfillment. + +## Overview + +When modeling your connectors, you had to decide what data you wanted Identity Manager to manage +within the external systems. You configured your connectors, and among other things you chose the +appropriate connections and packages, to manage identities and their entitlements by writing +directly to the managed systems. This is done through said connectors' provisioning capabilities. +See the [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) and +[Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topics for +additional information. + +When changes are performed on identity data, entitlements or the role model inside Identity Manager, +provisioning orders are generated in order to actually write said changes to the external systems. +These changes can be written automatically or manually. Manual provisioning is used to involve +humans and make them act on the external systems, instead of Identity Manager. Automatic +provisioning is used to minimize human intervention and trust Identity Manager with role model +enforcement in external systems. 
See the [ Provision Manually ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) and +[ Provision Automatically ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md)topics for additional information. + +### Provisioning states + +Identity Manager handles provisioning by assigning a provisioning state to assignment requests. + +Here is the list of provisioning states and their description: + +| Provisioning state | Description | +| ------------------- | ------------------------------------------------------------------------- | +| 0—None | Used for Identity Manager's internal computation. | +| 1—Pending | The order is ready for provisioning but not sent to the agent. | +| 2—Transmitted | The agent has collected this order but no feedback has been received yet. | +| 3—Errored | The agent returned errors. | +| 4—Verified | The order is provisioned in the synchronized data. | +| 5—Awaiting Approval | The order is blocked until a review is performed. | +| 6—Inactive | The order is blocked as it is considered as useless (order in the past). | +| 7—Error | The role model threw an exception while evaluating the order. | +| 8—Executed | The agent returned OK. | + +These states are detailed with their transitions on the individual pages specific to provisioning +review, manual provisioning and automated provisioning. See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Review Provisioning ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) topics for additional information. + +### Provisioning review + +For security purposes, provisioning orders sometimes need to be reviewed before being propagated to +the managed system. 
Then, a user with the right entitlements accesses the **Provisioning Review** +page. Users can either approve provisioning orders that will then be unblocked and finally +propagated, or they can decline orders that will subsequently be ignored. See the +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md)topic for additional +information. + +The review prior to the provisioning of entitlement assignments is usually performed based on the +resource type of given identities. For example, the assignment of sensitive entitlements will +require a review before being provisioned, whereas basic rights can be assigned at once. Therefore, +resources must be carefully classified beforehand. See the +[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------- | ------------------ | +| Connector's data model (required) Classified resources (required) Provisioning Rules (required) Role catalog (required) | Provisioned system | + +See the [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md), +[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md), +[ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md), and +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. 
+ +## Perform Provisioning + +In order to perform the provisioning you have to: + +- Choose whether to adjust your resource types to implement provisioning review +- Choose whether to adjust your connections to implement manual and/or automated provisioning + +## Verify Provisioning + +In order to verify the process: + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +**Step 1 –** Select a test user in the directory, accessible from the home page. + +**Step 2 –** Follow the manual assignment workflow to make a change in one of their entitlements, +which involves the type of provisioning that you want to test. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +**Step 3 –** Check the provisioning state of the requested entitlement at every step, in the user's +**View Permissions** tab. + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or +automated provisioning, below is the global state schema. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md new file mode 100644 index 0000000000..ffc121561a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md 
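Review bot: In provisioning/index.md, "Verify Provisioning" closes with "below is the global state schema", but the `Provisioning State Schema` image is placed above that sentence and nothing follows it; move the sentence before the image. The same section puts the Directory User screenshot before Step 1 and the View Permissions screenshot before Step 3, so each image appears ahead of the step it illustrates. In the terminology block, "Provisioning — writing automatically as provisioning is automated fulfillment" is circular and sits oddly with the "manual provisioning" used throughout the Overview; define fulfillment first and then state that the documentation uses "provisioning" for both. The states table lists both `3—Errored` and `7—Error`; a short remark that one comes from the agent and the other from the role model evaluation would keep reviewers from confusing them when checking a blocked order. The Input cell packs four required items into one line, and `[ Provision Automatically ](...)topics` and `[ Configure a User Profile ](...)topic` are missing a space before "topic".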
@@ -0,0 +1,81 @@ +# Provision Manually + +How to use Identity Manager to manually write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +manual provisioning is used to make humans intervene and act on the external systems, instead of +Identity Manager. + +### Provisioning states + +In its lifecycle, an assignment request goes through the following provisioning states: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems as +write permissions are required. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| [ Review Provisioning ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) Manual provisioning [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Manual Provisioning + +Manual provisioning is performed through a connection using the +[ Manual Ticket ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md). +Besides, for a resource to be manually provisioned, the corresponding resource type must be +configured with the manual connection set to `Provisioning Connection` in the **Fulfill Settings**. + +## Perform Manual Provisioning + +Perform manual provisioning by proceeding as follows: + +1. 
Ensure that the task to compute or generate provisioning orders was launched after the request + (or the provisioning review, if any), through the complete job in the **Job Execution** page. + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + ![Manual Provisioning Screen](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp) + +2. Access the manual provisioning orders page by clicking on the entity type that you want to manage + in the **Manual Provisioning** section. + + ![Home Page - Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +3. Choose a line to handle the corresponding provisioning order. +4. Creation, edition and deletion orders follow the same process: read Identity Manager's + suggestions and create, edit or delete the appropriate resource directly in the managed system + (outside Identity Manager). + + ![Creation Provisioning Order](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp) + + ![Creation Provisioning Order](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp) + +5. Choose to confirm or report an error. + +### Use bulk provisioning + +Several orders can be provisioned simultaneously by clicking on **Bulk Provision**. + +![Bulk Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp) + +## Verify Manual Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. 
+ + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the [ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md) to make a + change in one of their permissions, which involves manual provisioning. +3. Perform manual provisioning and check the provisioning state of the requested entitlement at + every step, in the user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Check in your managed system that the change was effectively made. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md new file mode 100644 index 0000000000..70f09888db --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md 
@@ -0,0 +1,242 @@ +# Review Provisioning + +How to review provisioning orders before generation. + +## Overview + +For security purposes, provisioning orders sometimes need to be reviewed before being computed and +actually generated. Then, a user with +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) accesses the +**Provisioning Review** page. They can either approve provisioning orders that will then be +computed, generated and finally ready for actual provisioning, or they can decline orders that will +subsequently be ignored. + +### Provisioning states + +In an assignment request's lifecycle, provisioning review adds a few steps between the moment when +the request is issued and when provisioning orders are computed: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Provisioning orders | + +## Implement Provisioning Review + +Provisioning review is configured for a given resource type. Therefore, you can decide to force the +review of provisioning orders when +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). 
You can +choose to: + +- Set the number of required approvals by a + [ Manage Role Officers ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/role-officer-management/index.md), via the + `Approval Workflow` option. +- Enable a technical approval by the application owner, via the `Block provisioning orders` option. + +Provisioning review can also be triggered when a fulfillment error occurs. See +the[ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md)topic +for additional information. + +## Review Provisioning Orders + +Review provisioning orders by proceeding as follows: + +1. On the home page, click on the entity type that you want to manage in the **Provisioning Review** + section. + + ![Home Page - Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + + ![Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp) + +2. Click on a line to access details and handle addition, association, update or deletion orders. + + Once reviewed, provisioning orders are to be executed by Identity Manager during the next + **Fulfill** task, accessible from the corresponding connector's overview page, in the **Resource + Types** frame. + + Automatic provisioning orders are directly executed, while manual provisioning orders are listed + on the **Manual Provisioning** page. 
+ + ![Fulfill Task](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Handle an addition order + +Identity Manager shows all the properties of the new resource to be created: + +![Addition Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp) + +- `Proposed Value`: value proposed by Identity Manager. +- [Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. + +See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an addition order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property creation with the proposed value. + + ![Addition - Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + - Or click on the decline icon to refuse the property creation. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. 
+ + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or ignore the creation. + +### Handle an association order + +Identity Manager displays a given owner and a given resource to be associated with a given +[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md)and all resource +properties to be verified: + +![Association Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp) + +- `Confidence rate of proposed resource`: rate expressing the confidence in this + [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md). +- `Proposed Value`: value proposed by Identity Manager. +- `Current Value`: value currently in the managed system. +- `Provisioning State` +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. + +See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an association order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to validate the proposed property value. 
+ + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + - Or click on the decline icon to refuse the property association. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or deny the association. + +### Handle an update order + +Identity Manager shows a given resource and all resource properties to be verified: + +![Edition Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp) + +- `Proposed Value`: value proposed by Identity Manager. +- `Current Value`: value currently in the managed system. +- `Provisioning State` +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. 
+ +See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an update order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property update with the proposed value. + + ![Edition - Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + - Or click on the decline icon to refuse the property update. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Click on **Confirm Property Values**. + +### Handle a deletion order + +Identity Manager shows a given owner and their resources to be deleted: + +![Deletion Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp) + +Handle a deletion order by choosing either to confirm the deletion or to keep the resource. + +### Use property view + +By default, provisioning orders are listed by resource. It is possible to click on a resource and +then access the list of all provisioning orders for that resource. 
+ +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp) + +In addition, using resource view enables bulk unblocking for provisioning orders with errors. + +![Bulk Unblock](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp) + +It can be helpful to have the provisioning orders regrouped by property, as some of the changes can +be similar, so very likely to be validated by the same user. This is why a property view can be +enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all provisioning orders linked to that resource +type. In addition, select a property to display only the provisioning orders linked to these +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp) + +The review process is similar on both views. However with property view, reviewers don't click on a +given line, but choose a decision directly on the left of the property line. + +## Verify Provisioning Review + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the [ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md) workflow + to make a change in one of their permissions, which involves provisioning review. +3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab. 
+ + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource + Types** frame, to execute the provisioning orders. + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +5. The orders using automated provisioning should be automatically handled with their state + switching to `Executed`, while those using manual provisioning should appear on the **Manual + Provisioning** page with their state switching to `Transmitted`. + +![Home Page - Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md new file mode 100644 index 0000000000..7621c38c8d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md 
@@ -0,0 +1,129 @@ +# Generate Reports + +How to use Identity Manager's reporting modules to produce IGA reports for auditing and governance +purposes. + +## Overview + +Reporting features help users produce reports for auditing and performance evaluation. The aim is to +be aware of the whole assignment landscape, display it for analysis, and act upon it if needed. +Governance also helps produce audit-ready reports. You can start to set up governance features +relatively early in your Identity Manager journey and measure your progress from the very start. + +A few reporting tools are already available in Identity Manager, used in other parts of your IGA +project, for example: + +- the list of entitlements for a given user in their **View Permissions** tab; + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +- the list of all requests that you are authorized to see in **Workflow Overview** accessible from + the home page in the **Administration** section; + + ![Home - Workflow Overview](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +- the list of [Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). + + ![Orphaned Account List](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +Identity Manager puts users in control of their reporting. Rich features help produce customizable +reports that can be used to check the assignment policy results, or gather information for an audit. + +Identity Manager provides several different levels of reporting according to your needs and +technical tools. 
You can: + +- download predefined reports for simple needs; +- add new reports to the predefined ones through XML configuration, for recurring needs that aren't + met by available reports (this requires XML configuration knowledge); +- create customized reports with the Query module and its universes configured beforehand, to meet + specific needs (this requires certain technical knowledge); +- create customized graphic reports with PowerBI, to meet specific needs (this requires certain + technical knowledge). + +## Participants and Artifacts + +This operation can be performed by any user interested in producing IGA reports. + +| Input | Output | +| ------------------ | ------- | +| Entries (required) | Reports | + +## Download Predefined Reports + +Identity Manager provides a selection of predefined reports available in the solution. They +represent the most common use cases. + +The accessibility of these predefined reports was configured during +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md). + +Download predefined reports by proceeding as follows: + +1. Click on **Reports** on the left of the home page to access the list of predefined reports. + + ![Home Page - Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + + ![Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp) + +2. Choose the appropriate report and click on **Download** to get an Excel report. The + downward-pointing arrow provides additional report formats. + +## Add New Reports to the List + +When facing frequent reporting requirements outside the scope of predefined reports, new reports can +be configured with XML via `Report Query` and specific query grammar. 
See the +[API query grammar](/docs/identitymanager/6.2/identitymanager/integration-guide/api/squery/index.md) topic for additional +information. + +## Create Customized Reports + +When facing a one-time need for producing specific reports, Identity Manager's Query module helps +display attributes chosen from the data which is already +[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) and +[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md). This module offers the +possibility to customize reports and download them. + +The Query module is based on predefined +[ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) +that can be adjusted later on in XML configuration, just like the list of available query models. + +Create a custom report by proceeding as follows: + +1. Click on **Query** in the **Administration** section on the home page. + + ![Home Page - Query](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_query_v602.webp) + + ![Query Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp) + +2. Choose a query model from among the list. +3. Click on **Fields to Display** and select the appropriate fields from among the database + [ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + and click on **Confirm**. 
+ + ![Fields to Display](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp) + + In cases where Identity Manager doesn't display correctly the information you need, you must try + to understand the entity instances and association instances that constitute the + [ Universe ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + that you are working with. Perhaps the fields that you chose cannot be properly correlated. + +4. Click on **Filters**, write the appropriate condition and click on **Confirm**. + + ![Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp) + + For example, a report could list user names and identifiers but only those with their + `Contract end date` less than today's date, so that we will see all the workers who have left + the organization and are still stored in Identity Manager. + +5. Once all report settings are defined, click on **Download** to get a CSV report. + +## Create Customized Graphic Reports with Power BI + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Identity Manager offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Identity Manager's universes. + +See the +[Connect Power BI to Identity Manager](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) +topic for additional information on how to analyze Identity Manager's data with Power BI. 
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/authentication/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/authentication/index.md new file mode 100644 index 0000000000..0912665f07 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/authentication/index.md @@ -0,0 +1,5 @@ +# Set Up User Authentication + +How to allow end-users to authenticate and use the Identity Manager application. See the +[ End-User Authentication](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/change-management/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/change-management/index.md new file mode 100644 index 0000000000..aacc726a2b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/change-management/index.md 
@@ -0,0 +1,122 @@ +# Plan Change Management + +How to anticipate the deep changes in the organization's applications and processes due to Identity +Manager installation as a new IGA tool. + +Change management is not only part of any IGA project. It is a full project in itself that requires +its own project officer, objectives, success indicators, etc. It starts on the very first day with +the project kickoff, and runs alongside the technical project. + +## Overview + +The applications and processes of the organization are about to change deeply. Change management is +crucial because it determines the future proper use of the solution and the gain that can be +achieved by the organization. It requires an upstream impact analysis in order to define the +strategy to adopt. + +### Process + +A digital project follows two parallel processes: + +- The organizational and digital process used to design, build and deploy the solution. +- The human process urging staff to accept the solution, familiarize themselves with it, join and + interact with the project. + +Change management aims to support the teams throughout the human process. + +![Process of Change Management](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp) + +These processes include mandatory steps that all staff members have to go through, but not +necessarily at the same pace. For that reason, change managers can benefit from the use of personas, +i.e. creating characters that represent key populations. + +## Participants and Artifacts + +![Actors of Change Management](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp) + +The aim of a Project Management Officer concerning critical stakeholders is to enable: + +- Decision makers to trigger holistic change in response to recurring factors in daily issues. 
This + can be translated into promoting efforts towards the broader enterprise strategy, focusing on + recurring challenges, identifying common denominators, not exceeding Project Management Office's + capacity and promoting PMO's shifting value proposition. +- Managers to grow maturity and confidence in change management because they allow responsibility + distribution throughout the organization. They need support in self-assessment and change + management at varying degrees according to the strategic importance and complexity level of + change. This can be translated into DIY change supports like templates, change coaches for + tailored guidance, or change drivers for end-to-end execution. +- The employees impacted by change to enter the decision-making process at an early stage, thus + improving change absorption. They must be engaged as active participants in shaping change + decisions, in order to avoid extreme leader-dictated or consensus-based strategies. + +| Input | Output | +| ----------------------------------- | ------------------------ | +| Upstream impact analysis (required) | Business ready to change | + +## Run Change Management for Identity Manager + +In order to profitably handle change management, any project should start with the question: **in +three years from now, what will be the (three to five) main facts attesting the success of this +project?** The answer will shape the strategy. + +Whether Identity Manager replaces manual processes or an existing IGA tool, change management +methods are going to be the same. Only the analysis of impacted populations and the effort made to +onboard them can define the appropriate response. + +IGA impact is based on data quality. Therefore, change management must encompass everything and +everyone that consumes and/or feeds data. All three population segments (decision makers, managers +and employees) are involved in data quality in one way or another. 
Hence, it is essential that they +understand IGA as an advantage instead of a constraint. + +Run change management by proceeding as follows: + +1. Identify the populations impacted by change. Below is an example of impacted populations that can + vary enormously. + + ![Usual Populations](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp) + +2. For all listed populations, estimate their size and the expected impact on them, through + indicators like the frequency of their future use of the solution. Use Plan Change Management to + represent key population members, such as VIP users that don't use the application much, or users + not feeling comfortable with computers. +3. According to the previous impact analysis, implement adjusted change management methods. You can + get inspiration from the following examples. + +| | Population | Size | Impact | Possible Actions | +| ----------------- | ----------- | ---- | ---------------------- | ------------------------------------------------------------------------------------------------------------ | +| [1](#example-1) | All | 500 | Low | Introduction email Public video Information article | +| [2](#example-2) | End-Users | 50 | High | Coffee corner: coffee break with the local support team offering tutorials and exercises on Identity Manager | +| [3a](#example-3a) | HR/Managers | 10 | High (daily use) | Tutorials and exercises with a support team to get started quickly with Identity Manager | +| [3b](#example-3b) | HR/Managers | 10 | Medium (bimonthly use) | Step-by-step procedure video or flyer | + +##### Example 1 + +Informing relevant populations is essential. For large populations (ex.: 500 employees), an +introduction email can be sent to everyone or a video published on a public website or played on +screens visible in the workplace. + +##### Example 2 + +A medium or large population (i.e. 
the size of a department in your organization) might be receptive +to informal meetings such as a coffee break with the local support team offering tutorials and +exercises on Identity Manager. + +##### Example 3 + +Let us consider HR teams and managers which have a change impact depending on their frequency of use +of the application. + +###### Example 3a + +If they frequently use the application (i.e. daily use), they will benefit from tutorials and +exercises with a support team to get started quickly with Identity Manager. + +###### Example 3b + +If they infrequently use the application (i.e. bimonthly use), they may rather benefit from training +materials such as a step-by-step procedure video or flyer. + +## Verify Change Management + +In order to verify the process, change managers can rely on implemented indicators, in the same way +as for any project management situation. diff --git a/docs/usercube/6.2/usercube/user-guide/deploy/implementation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/implementation/index.md similarity index 100% rename from docs/usercube/6.2/usercube/user-guide/deploy/implementation/index.md rename to docs/identitymanager/6.2/identitymanager/user-guide/deploy/implementation/index.md diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/index.md new file mode 100644 index 0000000000..4781f91399 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/index.md 
@@ -0,0 +1,39 @@ +# Deploy + +- [ Plan Change Management ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/change-management/index.md) + + How to anticipate the deep changes in the organization's applications and processes due to + Identity Manager installation as a new IGA tool. + +- [ Install the Production Agent ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/index.md) + + How to install a local agent for production environment. + +- [ Configure the Agent's Settings ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) + + How to configure the agent's application settings via the `web.config`, `appsettings.json` and + `appsettings.agent.json` files. + +- [ Install IIS via Server Manager ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md) + + How to configure the local server to install IIS via Server Manager. + +- [ Configure the Pool and Site ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) + + How to configure the application pool and website via IIS. + +- [ Set the Working Directory's Permissions ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md) + + How to assign to the pool the right permissions on the working directory. + +- [ Finalize the Installation ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md) + + How to finalize the installation of the agent. + +- [Set Up User Authentication](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/authentication/index.md) + + How to allow end-users to authenticate and use the Identity Manager application. 
+ +- [Implement Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/implementation/index.md) + + How to actually implement Identity Manager solution. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md new file mode 100644 index 0000000000..9355ee460d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md 
@@ -0,0 +1,56 @@ +# Set the Working Directory's Permissions + +This guide shows how to assign to the pool the right permissions on the working directory. + +## Overview + +For Identity Manager to work correctly, the pool of the production agent must be configured with +specific permissions on the working directory. + +This page describes the optimal configuration of the pool's permissions on the working directory to +prepare the production agent's installation. + +## Set the Working Directory's Permissions + +Set the working directory's permissions by proceeding as follows: + +1. Right-click on the working directory, for example `C:/Usercube`, to select **Properties**, and in + the **Security** tab, click on **Advanced**. + + ![Working Directory Properties: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp) + +2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a + principal**. + + ![Working Directory Properties: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp) + +3. Click on **Locations** to choose the current computer, and in the text area enter + `iis apppool/Usercube` (`Usercube` being the name of the previously created pool). + + ![Working Directory Properties: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp) + + An error at this point should come either from a mistake in the pool's name or in the selected + location. + +4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and + **Read** permissions are selected. 
+ + ![Working Directory Properties: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp) + +5. Click on **OK** in the windows until they are all closed. +6. Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on + **Edit**. + + ![Temp Folder Properties: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp) + +7. Select the user corresponding to the pool and give them `Full control`. + + ![Temp Folder Properties: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp) + +8. Click on **OK** in the windows until they are all closed. +9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and + `Mails` folders. + +## Next Steps + +To continue, [ Finalize the Installation ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md)in a few steps. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md new file mode 100644 index 0000000000..c52ec11055 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md 
@@ -0,0 +1,29 @@ +# Finalize the Installation + +This guide shows how finalize the installation of the agent. + +## Overview + +This page describes the last few steps that the production agent needs for Identity Manager to run +correctly. + +## Finalize the Installation + +Finalize the installation of the agent by proceeding as follows: + +1. Install + [Windows' hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + + If the bundle was installed before + [ Configure the Pool and Site ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md), then IIS might not display the + AspNetCore module and Identity Manager will not run. In this case, relaunch the bundle's + installation executable to perform a repair. + +2. When using a proxy, adjust the configuration accordingly. See the + [ Reverse Proxy ](/docs/identitymanager/6.2/identitymanager/installation-guide/reverse-proxy/index.md)topic for additional + information. + +## Next Steps + +To continue, follow the instructions to verify the agent's installation. See the +[ Install the Production Agent ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/index.md)topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md new file mode 100644 index 0000000000..0c9dfef5b3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md 
@@ -0,0 +1,67 @@ +# Configure the Pool and Site + +This guide shows how to configure the application pool and website via IIS. + +## Overview + +IIS provides a platform for hosting and managing websites. +[See more details](https://learn.microsoft.com/fr-fr/iis/get-started/introduction-to-iis/introduction-to-iis-architecture). + +To install the production agent, a website must be created and configured correctly, as part of an +application pool. + +This page describes the optimal configuration in IIS to prepare the production agent's installation. + +## Configure the Application Pool and Site + +Configure the application pool and site by proceeding as follows: + +1. Open IIS and remove the default site and pool. + + IIS can usually be found in Windows' search menu, or from Server Manager by accessing the + **Tools** menu. + + ![IIS: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp) + +2. Right-click on **Application Pools** to add a new pool named `Usercube`. + + ![IIS: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp) + +3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the + selected application pool is `Usercube` and set the `path` field to the `Runtime` folder. + + ![IIS: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp) + +4. 
Right-click on the application pool to open its advanced settings and make sure that the + following parameters are set as such: + + ![IIS: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp) + + ![IIS: Step 5](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp) + +5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and + double-clicking on **Server Certificates**. + + If the certificate is not ready yet, generate an auto-signed certificate. + + ![IIS Server Certificate: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp) + + If the certificate is not there yet, import it by clicking on **Import** in the right-side menu, + and specify the certificate's path and password. + + ![IIS Server Certificate: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp) + +6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings** + and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's + URL (without the `https` part) as host name, and finally selecting the server certificate. + + ![IIS Server Certificate: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp) + + Click on **OK**. + + If the server's certificate is not available at this point, then make sure it was correctly + imported in the previous step. 
+ +## Next Steps + +To continue, [ Set the Working Directory's Permissions ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md new file mode 100644 index 0000000000..456f73fa2a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md 
@@ -0,0 +1,47 @@ +# Install IIS via Server Manager + +This guide shows how to configure the local server to install IIS via Server Manager. + +## Overview + +When running on Windows Server, Server Manager makes available parameters to configure the local +server at will. +[See more details](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/manage-the-local-server-and-the-server-manager-console). + +This page describes the optimal configuration of the local server to install IIS in order to prepare +the production agent's installation. + +## Install IIS via Server Manager + +Install IIS via Server Manager by proceeding as follows: + +1. Open the Server Manager program and click on **Add roles and features**. + + ![Server Manager: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp) + +2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based + installation** is selected and click on **Next**. + + ![Server Manager: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp) + +3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**. + + ![Server Manager: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp) + +4. In **Server Roles** tick **Web Server (IIS)**. + + ![Server Manager: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp) + +5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** > + **AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**. 
+ + ![Server Manager: Step 5](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp) + +6. In **Confirmation** click on **Install**. + + ![Server Manager: Step 6](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp) + +## Next Steps + +To continue, [ Configure the Pool and Site ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md)the application pool and +website via IIS. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/index.md new file mode 100644 index 0000000000..fe373be341 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/index.md 
@@ -0,0 +1,69 @@ +# Install the Production Agent + +This guide shows how to install an agent separated from the server, for production environment. See +the [ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md)topic for additional +information. + +## Overview + +Like all agents, the production agent aims to extract data from a given managed system, and transmit +said data to the Identity Manager server. If necessary, the agent also enables the managed system's +provisioning according to the orders computed by the Identity Manager server. See the +[ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md)topic for additional information. + +Identity Manager solution can use several agents, each of them manages a given system. This section +is about installing the agent managing the production environment. + +Once agents are configured in addition to the default one provided by SaaS, you need to think about +what agent to choose during each +[ Create the Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md)declaration. The +appropriate agent has access to the managed system. + +## Requirements + +Ensure that all +[ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md)requirements can be +met before starting the installation of the production agent. + +Requirements for the agent installation can change over the course of the project, according to the +project purpose. + +### Encryption certificates + +Ensure that your encryption certificates are valid by checking their: expiration date; signatory; +key size exceeding 2048; sha256 and not sha-1. + +### Server Manager + +Ensure that the device used for the installation has the Server Manager program. + +## Participants and Artifacts + +Integrators should have all the elements they need to operate. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------- | ---------------- | +| [ Agent ](/docs/identitymanager/6.2/identitymanager/installation-guide/requirements/agent-requirements/index.md)prerequisites (required) | Production agent | + +## Install the Production Agent + +Install the production agent by proceeding as follows: + +1. [ Create a Working Directory ](/docs/identitymanager/6.2/identitymanager/installation-guide/production-ready/working-directory/index.md)and + make sure it contains the folders: `Mails`; `Sources`; `Temp`; `Work`. +2. [ Configure the Agent's Settings ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) via the `web.config`, + `appsettings.json` and `appsettings.agent.json` files. +3. Configure the local server to [ Install IIS via Server Manager ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md). +4. [ Configure the Pool and Site ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) via IIS. +5. [ Set the Working Directory's Permissions ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). +6. [ Finalize the Installation ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md). + +## Verify Agent Installation + +In order to verify the process: + +- make sure the website is accessible from IIS by clicking on **Browse** (in the menu on the right), + and from your browser; +- if logs are enabled, then stop the pool to make sure that no error is thrown; +- perform from a local device agent-side actions such as sending test emails, reading and/or writing + inside working folders, or launching/scheduling agent-side tasks. 
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md new file mode 100644 index 0000000000..5d23930d67 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md 
@@ -0,0 +1,264 @@ +# Configure the Agent's Settings + +This guide shows how to configure the agent's application settings via the `web.config`, +`appsettings.json` and `appsettings.agent.json` files. + +## Overview + +Identity Manager provides JSON files to configure varied application settings, named appsettings +json and appsettings.agent.json. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topics for additional information. + +This page describes the optimal configuration of the production agent's application settings. + +## Configure the Agent's Settings + +Configure the agent's settings by proceeding as follows: + +1. From the `Runtime/Agent` folder, copy the files `appsettings.json`, `appsettings.agent.json` and + `web.config` and paste them in the `Runtime` folder, thus replacing the pre-existing ones. +2. Open `web.config` and make sure that, in the `aspNetCore` tag, the value of `arguments` is set to + `./identitymanager-Agent.dll`. + + When needing to get the agent's logs, set also `stdoutLogEnabled` to `true`. See more details in + [Microsoft's documentation](https://learn.microsoft.com/fr-fr/aspnet/core/host-and-deploy/iis/logging-and-diagnostics?view=aspnetcore-7.0). + + ``` + + web.config + + ... + ... + ... + + ``` + +3. 
Open `appsettings.json` and make sure that: + + - **License** contains a valid license; + - **IdentityServer** contains the encryption certificate's path and password provided by Netwrix + Identity Manager (formerly Usercube) team, in order to secure agent/server identification; + + > For example: + > + > ``` + > + > appsettings.json + > + > "IdentityServer": { + > "X509KeyFilePath": "./Usercube.pfx", + > "X509KeyFilePassword": "secret" + > } + > + > ``` + + - you get an encryption certificate which will be used to encrypt specific files such as logs or + temporary files, and that **EncryptionCertificate** contains its path and password; + + > For example: + > + > ``` + > + > appsettings.json + > + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > } + > + > ``` + + **EncryptFile** can stay set to `false` while verifying the agent installation, but for + security reasons it must be set to `true` afterwards. + + If the certificates' passwords contain `@`, then they must be escaped via the `@` as first + character of the strings. + + - **ApplicationUri** contains the server's address, provided by Netwrix Identity Manager + (formerly Usercube) team when working in a SaaS environment; + + > For example: + > + > ``` + > + > appsettings.json + > + > "ApplicationUri": "http://localhost:5000" + > + > ``` + + Do not write a `/` character at the end of the string. + + - **Cors** > **AllowAnyHeader**, **AllowAnyMethod** and **AllowCredentials** are set to `true`; + + ``` + + appsettings.json + + "Cors": { + "AllowAnyHeader": "true", + "AllowAnyMethod": "true", + "AllowCredentials": "true" + } + + ``` + +4. Open `appsettings.agent.json` and make sure that: + + - **OpenId** > **AgentIdentifier** specifies the agent's name which must match the XML + configuration. 
See the + [appsettings.agent](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information.. + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent" + > } + > + > ``` + > + > With the following configuration: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **OpenIdClients** > **Job** contains the non-hashed value of the password of + "Job-Remote" provided by NETWRIX' team + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > } + > } + > + > ``` + + and add the hashed value of this password to the `OpenIdClient` named `Job` from the XML + configuration; + + > For example: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **DefaultOpenIdClient** is set to `Job`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > }, + > "DefaultOpenIdClient": "Job" + > } + > + > ``` + + - **PasswordResetSettings** > **TwoFactorSettings** > **ApplicationUri** contains the server's + address, provided by NETWRIX' team when working in a SaaS environment; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > } + > } + > + > ``` + + - **PasswordResetSettings** > **EncryptionCertificate** contains contains the path and password + of the certificate used to secure password tokens; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../Usercube.pfx", + > "Password": "secret" + > } + > } + > + > ``` + + - 
**PasswordResetSettings** > **MailSettings** > **PickupDirectory** is set to the `Mails` + folder and **FromAddress** to `no-reply@.com`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../Usercube.pfx", + > "Password": "secret" + > }, + > "MailSettings": { + > "PickupDirectory": "../Mails", + > "FromAddress": "no-reply@contoso.com" + > } + > } + > + > ``` + + - **SourcesRootPaths** contains the path to the `Sources` folder. + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "SourcesRootPaths": [ + > "C:/identitymanager/Sources" + > ] + > + > ``` + +## Next Steps + +To continue,see the local server to +[ Install IIS via Server Manager ](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md new file mode 100644 index 0000000000..4cdd994498 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md 
@@ -0,0 +1,14 @@ +# How to Maintain the Workforce Directory + +How to keep the workforce directory up to date. + +## Overview + +![Process Schema - How to Implement a New System](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp) + +## Process Details + +Be aware that the integration of an IGA tool is an iterative process. Thus, after following +the[ How to Start ](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-start/index.md) process and creating the workforce directory, you can +come back at any time and complete the directory that you started +[ Update Identity Data ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-newsystem/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-newsystem/index.md new file mode 100644 index 0000000000..044398c0c2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-newsystem/index.md 
@@ -0,0 +1,80 @@ +# How to Implement a New System + +How to add a new system to the solution. + +## Overview + +When connecting Identity Manager to a new system, several process paths can be taken according to +your strategy. There is no option fundamentally better than the others, your decision must depend on +your needs. + +The **option A** leads quickly to the +[ Update Identity Data ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md)in production +environment, i.e. a new application in Identity Manager's scope. With this, you can +[Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) the AD, +[ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md)properties, +and [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example the list of profiles +assigned to users. + +The **option B** takes more time as it goes through the creation of the role model based on the +system's entitlements, but it leads to even more gain as you can also +[ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +[ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md)access +certification and +[ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md), and also +[ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example the list of assigned single +roles. 
+ +The option B is more complicated and time-consuming than the option A, but leads to more gain. Be +aware that you can go through the process options simultaneously. + +![Process Schema - How to Implement a New System](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp) + +## Process Details + +### Common starting steps + +1. [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md): create the appropriate + connector with its connections and entity types. +2. [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) into Identity Manager. + + Based on this, you can [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example + the list of resources in the system. A few predefined reports are available from the start, you + can generate any report from this list as soon as it makes sense according to the integration + progress. + +3. [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) in order to classify them + according to their intent, and correlate these resources with their owners. +4. [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) to write to the + system in order to update the resources' properties directly in the system. +5. Adjust the rules by + [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md)resources, + i.e. analyze the differences spotted between the reality of resources' properties and those + computed by the previously established rules. Especially, verify that accounts are correlated to + the right owners and that their properties have the right values. 
+ + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Identity Manager to an external system, two process options are available according +to your needs: either aim directly to the implementation in production environment, or first build +the role model in order to enable more administration activities. Both options can be started +simultaneously. + +### Option A: Straight to production implementation + +Go directly to the common final steps (step 8). + +### Option B: First build the role model + +6. [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) for + applications managed by the system. +7. [ Automate Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md) if needed: use Role + Mining to create single role rules in bulk; adjust the generated rules individually and manually. + +### Common final steps + +8. Perform tests. +9. Deploy the pre-production configuration to the production environment. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-start/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-start/index.md new file mode 100644 index 0000000000..1fb86ec72e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-start/index.md 
@@ -0,0 +1,116 @@ +# How to Start + +How to start integrating Identity Manager with your own needs. + +## Overview + +When starting with Identity Manager, several process paths can be taken according to your strategy. +There is no option fundamentally better than the others, your decision must depend on your needs. + +The **option 1** leads quickly to identity management, i.e. users' on-boarding/movement/off-boarding +without needing a periodic synchronization. See the +[ Update Identity Data ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md) topic for additional +information. + +The **option 2A** takes more time as it requires the installation of an agent on your network in +order to connect Identity Manager to the system and use the AD's data, but it leads to more gain as +you can also +[Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) the AD, +[ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md)properties, +and [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example the list of profiles +assigned to users. 
+ +The **option 2B** takes even more time as it goes through the creation of the role model based on +the system's entitlements, but it leads to even more gain as you can also +[ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +[ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md) and +[ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md), and also +[ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example the list of assigned single +roles. + +The options 2A and 2B are more complicated and time-consuming than the option 1, but lead to more +gain. Be aware that you can go through the process options simultaneously. + +Netwrix Identity Manager (formerly Usercube) recommends the option 1 to be able to start IGA without +waiting for the installation of an agent in your network, and go through the option 2 +simultaneously. + +![Process Schema - How to Start with Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp) + +## Process Details + +### Common starting steps + +1. [Install the Development Environment](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md). +2. [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md): configure + the generation of unique properties; load workforce identities to Identity Manager; adjust the + data model. 
+ +After these first steps, two process options are available according to your needs: either aim +directly to identity management and the opening of Identity Manager to end-users, or first connect +Identity Manager to an external system in order to enable more administration activities. Both +options can be started simultaneously. + +### Option 1: Based on the workforce directory + +Starting with the workforce directory does not require the installation of a local agent. + +Go directly to the common final steps (step 10). + +### Option 2: Based on an external system + +Starting with an external system requires the installation of a local agent. + +3. Connect Identity Manager to the system by creating a connector. See the + [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) topic for additional + information. +4. [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)the system's data into Identity + Manager. + + Based on this, you can [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md), for example + the list of resources in the system. A few predefined reports are available from the start, you + can generate any report from this list as soon as it makes sense according to the integration + progress. + +5. [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) in order to classify them + according to their intent, and correlate these resources with their owners. +6. [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) to write to the + system in order to update the resources' properties directly in the system. +7. Adjust the rules by reconciling resources, i.e. 
analyze the differences spotted between the + reality of resources' properties and those computed by the previously established rules. + Especially, verify that accounts are correlated to the right owners and that their properties + have the right values. See the + [ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + topic for additional information. + + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Identity Manager to an external system, two process options are available according +to your needs: either aim directly to identity management and the opening of Identity Manager to +end-users, or first build the role model in order to enable more administration activities. Both +options can be started simultaneously. + +### Option 2A: Straight to identity management + +Go directly to the common final steps (step 10). + +### Option 2B: First build the role model + +8. [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) for + applications managed by the system. +9. [ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + if needed: use Role Mining to create single role rules in bulk; adjust the generated rules + individually and manually. + +### Common final steps + +10. Adjust HR workflows to keep the workforce directory updated (only in XML configuration). +11. Define the permissions for your user profiles. 
See the + [ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for + additional information. +12. Define the authentication mode by configuring `SelectUserByIdentityQueryHandlerSetting` (only in + XML configuration), and [Assign Users a Profile](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + to open the application to end-users. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/global-process/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/index.md new file mode 100644 index 0000000000..1743edb208 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/global-process/index.md @@ -0,0 +1,16 @@ +# Global Process + +How do the process activities success each other. + +NETWRIX recommends working with a SaaS installation and with the User Interface as long as possible, +because identity management is optimized by mastering identities inside Identity Manager. + +Be aware that the integration of an IGA tool is an iterative process. There is no simple linear +process. This user guide provides the following processes that can follow one another and +intertwine. + +- #### [How to Start](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-start/index.md) + How to start integrating Identity Manager with your own needs.- #### + [How to Maintain the Workforce Directory](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md) How to keep the + workforce directory up to date.- #### [How to Implement a New System](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/howto-newsystem/index.md) + How to add a new system to the solution. 
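Review bot: Step 12 of howto-start/index.md folds two separate actions into one item: defining the authentication mode through `SelectUserByIdentityQueryHandlerSetting` and assigning profiles to open the application to end-users. The setting is named without a link, unlike the profile topics referenced in steps 11 and 12, so the reader gets no pointer for the one step that decides how users authenticate. Split the item in two and link the topic that documents the setting. Two link glitches in the same file also need fixing: `[ Reconcile a Property ](...)properties,` in the option 2A paragraph and `[ Synchronize Data ](...)the system's data` in step 4 both run the link straight into the next word and read as doubled text once rendered.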
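Review bot: The closing list in global-process/index.md is malformed: the second and third `- ####` markers sit at the end of the preceding description line (`needs.- ####` and `up to date.- ####`), so only the first entry starts a list item and the other two will render as inline text. Put each entry on its own line with its description indented beneath it, and consider dropping the `####` heading markers inside the bullets. In the opening sentence, "How do the process activities success each other" should read "succeed each other".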
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/index.md new file mode 100644 index 0000000000..769fc405bb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/index.md 
@@ -0,0 +1,108 @@ +# User Guide + +Identity Manager's User Guide leads the reader through all the necessary steps to autonomously build +an IGA solution based on Identity Manager, either from scratch or using Identity Manager's IGA Core +Solution, with the aim of quickly delivering value. + +## Target Audience + +This guide is intended to be read by Identity Manager administrators, i.e. power users who configure +Identity Manager to match their company's needs. + +## Prior Knowledge + +This guide presumes some knowledge of Identity Manager on the part of the reader who should have +previously read the [Introduction Guide](/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md) in order to be aware of the +main purposes, principles and capabilities of Identity Manager. + +Using this guide does not require any advanced IT skills. All the configuration steps take place +through Identity Manager's UI or MS Excel files. + +Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/6.2/identitymanager/introduction-guide/index.md) to fully benefit from the User Guide's content. + +## Overview + +This guide is made of step-by-step procedures that take the reader through setting up Identity +Manager from scratch and creating IGA value as quickly as possible. + +The procedures are meant to guide the reader through a standard setup, based on Identity Manager's +IGA Core Solution, and with Netwrix Identity Manager (formerly Usercube) suggestions and +recommendations. Any advanced configuration can be performed later using the content of the +[Integration Guide](/docs/identitymanager/6.2/identitymanager/integration-guide/index.md). + +Thus, even when having very specific needs, Netwrix Identity Manager (formerly Usercube) still +recommends starting the project with the basics presented in this guide. The IGA solution can be +enhanced later on with the help of our experts. 
This way, IGA value can already be delivered while +the project continues for optimization purposes. + +## Content + +This guide is organized into activities, each activity containing an overview, the input, output, +and participants as well as step-by-step procedures and a way to verify the outcome. + +Some activities are grouped together when they depend on each other to create value or when they +contribute to a same goal. + +While some activities must be carried out before others for technical and/or functional reasons, the +order is not absolute. Please follow the instructions and recommendations detailed with the +[ Global Process ](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/index.md). + +All activities are organized into bigger sections which are distinguishable by their functional +intent: set up; administrate; optimize; deploy and maintain. + +### Set up + +Learn how to configure a working environment, how to set up identity lifecycles, and how to build a +catalog of roles for entitlement management, in order to configure the Minimum Viable Product. + +### Administrate + +Learn how to enforce your security policies through access certification, or resource/role +reconciliation, provisioning review, etc. + +### Optimize + +Learn how to enhance the IGA solution through automation and model optimization. + +> For example, learn how to adjust the identity model and the role model in order to make them +> resemble the company's reality, learn how to improve the data quality by automating entitlement +> assignment decisions, or by automatically provisioning assignments to the managed systems. Learn +> how to push the automation wall thanks to Identity Manager's AI with role mining. + +### Deploy + +Learn how to deploy the solution to a production environment. + +### Maintain + +Learn how to maintain the solution, because the project is iterative. 
Learn how to keep the data +model up to date according to the company's changes, or how to add new systems to the loop, while +Identity Manager is already running in production. + +## How to Use this Guide + +Start by studying the [ Global Process ](/docs/identitymanager/6.2/identitymanager/user-guide/global-process/index.md). that details every activity in +their respective sections and how they relate to one another. You will get a good view of the steps +to take from start to finish. + +Follow the path, stop at each activity, and go check out the details on the matching page of the +guide, in the corresponding section. There you will find recommendations and practical steps to +complete the activity and test it. Then you can resume following the path. + +At any step along the way, once you feel comfortable, you can decide to take another direction than +the recommended process, as long as you take into account the input artifacts specified in each +activity page, which represent actual technical dependencies. You can start an activity only if all +the previous technical dependencies are met. + +Keep in mind that completing sections one by one is the quickest way to deliver value. Nevertheless, +they are not rigorously dependent on each other. You do not have to complete one entirely in order +to go to the next. But they are not rigorously independent either. There are some activities in the +first one that are required for activities in the second. Read the input artifacts to choose the +correct order. + +> For example, if you are looking forward to fixing non authorized account (from the +> **Administrate** section) you do not have to complete the **Set Up** section entirely. You just +> have to complete the **Categorize Resources** activity, and all the activities connected to it +> upstream . You do not have to complete other activities such as the **Create Roles in the Role +> Catalog** activity. 
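Review bot: The Prior Knowledge section of user-guide/index.md states that all the configuration steps take place through Identity Manager's UI or MS Excel files, but howto-start/index.md, added in this same patch, marks steps 10 and 12 (HR workflows and the authentication mode) as "only in XML configuration". Qualify the sentence or say where the XML-only steps are covered, so administrators are not told that no XML work is needed before opening the application to end-users. Smaller fixes in this hunk: the missing space in `(formerly Usercube)strongly`, the stray period after the Global Process link in "How to Use this Guide", the space before the period in "upstream .", and the section name written as "Set up" in the heading but "**Set Up**" in the closing example.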
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md new file mode 100644 index 0000000000..d6489032e8 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md 
@@ -0,0 +1,42 @@ +# Update Identity Data + +How to perform modifications in the identity repository, to manage onboarding, offboarding and +position changes. + +This part is not about changing the data model, but data itself. + +## Overview + +After the identity repository is initiated, you will need to modify it for many possible reasons. +Among them: + +- update all identities with new attributes because you didn't have the required information during + the repository creation, or because it wasn't a priority for you then; +- perform onboarding: add new identities as new workers arrive in the company; +- modify identities' attributes to fix existing errors, or to reflect a real change in users' data, + or model a position change; +- remove identities' attributes, as they are no longer required to manage entitlements; +- perform offboarding: remove identities with all their attributes, as users leave the company. + +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic +for additional information. + +## Modify Identity Data + +Modify identity data by proceeding as follows, according to the changes to be made: + +- either update data individually by using predefined workflows in the UI; See the + [ Update an Individual Identity ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) topic for additional information. 
+- or perform a same change on several identities simultaneously by using Identity Manager's + predefined workflow in the UI; See the [ Update Identities in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) topic + for additional information. +- or update data on a massive scale by uploading an external file into Identity Manager, as an + incremental version of the identity repository. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md new file mode 100644 index 0000000000..a765850bf6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md 
@@ -0,0 +1,71 @@ +# Update an Individual Identity + +How to manage onboarding, position changes and offboarding through the UI, for a single identity. + +This part is not about changing the data model, but data itself. + +## Overview + +Individual changes in identity data can be handled using Identity Manager's predefined workflows to: + +- [declare a new identity](#declare-a-new-identity) (for an internal as well as an external worker); +- [act on existing identities](#act-on-an-existing-identity), including modify their data, manage + their contract and/or positions, suspend all accounts linked to them, or reactivate them, repair + some data, or delete these identities. + +## Participants and Artifacts + +A given user's data can be updated occasionally by their manager, but most often by the HR +department. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------ | --------------------------- | +| [Identity repository](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) New identity data (required) | Updated identity repository | + +## Declare a New Identity + +Declare a new worker by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. According to the type of the user to be declared, click on the corresponding button. + + ![Workflow - New User](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp) + +3. Follow the workflow's instructions to fill the form with the user's data, choose the user's + entitlements from your [role catalog](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) and + send the request. 
+ +## Act on an Existing Identity + +Act on an existing identity by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** or **Helpdesk** to select the action to perform. + + ![Workflow - Modify Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions. + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. In this case, the requested updates + will be displayed in Identity Manager only after the request has been reviewed. + + ![Request - Review Pending](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process, check that the right data is displayed in the directory for the +involved user. + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md new file mode 100644 index 0000000000..e8992630d2 --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md 
@@ -0,0 +1,131 @@ +# Update Identities in Bulk + +How to perform a mass change in identity data, by uploading an incremental version of the identity +repository. + +This part is not about changing the data model, but data itself. + +Here we describe the incremental update of identities, but the update of any other File/CSV works +the same. + +## Overview + +When the number of changes gets high, identity data update through the UI becomes tedious. +Therefore, Identity Manager offers the possibility to fill a predefined file with data to be +modified, in order to perform all changes simultaneously. + +Data update can be performed in complete mode or incremental mode. + +## Participants and Artifacts + +Identity data can be updated most often in cooperation with the HR department. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic for additional information. + +## Update Data in Complete Mode + +Mass update identity data (in complete mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the Excel template full of the data from your database. + + ![Download Full Template](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp) + +4. Update the data that needs change. +5. 
Ensure that the field `Path (Complete mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, launch synchronization. See the + [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional information. + + Be cautious about thresholds. + +## Update Data in Incremental Mode + +Mass update identity data (in incremental mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the empty Excel template. + + ![Download Full Template](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp) + +4. Fill only the data to be modified, specify the unique identifier for each entry (for correlation + purposes), and fill the column `Command`, which can take a few available inputs: + + - `Add` to incorporate new attributes; + - `Modify` to change existing attributes; + + Attributes can be emptied using the value `NULL_NULL`. + + - `Delete` to remove attributes from the datamodel; + + Instead of using `Delete`, you can scan the data model to exclude unused attributes. 
See the + [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + topic for additional information. + + - `Merge` to input an identity's data and modify the corresponding attributes if said identity + already exists, create a new identity otherwise. + > For example, if a few users switch working sites, then the modification is performed by + > filling the file only with said users' identifiers and new sites. Fill the column + > `Command` with `Modify`. The rest will not be changed. + +5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, launch synchronization. See the + [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional information. + + Be cautious about thresholds. + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. You should verify + at least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory accessible from the home page. 
+ + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list them with their + managers through the Query module. + +- Create reports with indicators on the workers number per type or per organization for example + (through Identity Manager' predefined reports, the Query module or Power BI), in order to ensure + that Identity Manager's content sticks to reality. See the + [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md new file mode 100644 index 0000000000..72cb447de7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md 
@@ -0,0 +1,69 @@ +# Update Multiple Identities + +How to perform a same change in data for several identities simultaneously. + +This part is not about changing the data model, but data itself. + +## Overview + +When a same change is needed by a high number of users, then Identity Manager provides a UI workflow +to perform this change for all selected identities simultaneously. + +> For example, if a whole department in the company is moved to a new working site, then all users +> working in said department must have their `Site` attribute updated. + +## Participants and Artifacts + +Given users' data can be updated occasionally by their managers, but most often by the HR +department. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic for additional information. + +## Update + +Perform multiple updates by proceeding as follows: + +1. Click on **Multiple Updates**, accessible from the directory on the home page. + + ![Home Page - Multiple Updates](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp) + +2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and + send the request. + + ![Multiple Updates Form](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp) + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. 
In this case, the requested updates + will be displayed in Identity Manager only after the request has been reviewed. + + ![Request - Review Pending](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. You should verify + at least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory on the home page. + + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the Query module. + +- Create reports with indicators, for example, on the number of workers per type or per organization + (through Identity Manager's predefined reports, the Query module or Power BI), to ensure that + Identity Manager's content sticks to reality. See the + [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/index.md new file mode 100644 index 0000000000..a32687020c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/index.md 
@@ -0,0 +1,23 @@ +# Maintain + +- [ Update Identity Data ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/index.md) + + How to perform modifications in the identity repository, to manage onboarding, offboarding and + position changes. + + - [ Update an Individual Identity ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) + + How to perform changes in data for a single identity, through the UI. + + - [ Update Multiple Identities ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md) + + How to perform a same change in data for several identities simultaneously, through the UI. + + - [ Update Identities in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) + + How to perform a mass change in identity data, by uploading a complete or incremental + version of the identity repository. + +- [ Troubleshoot ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/troubleshooting/index.md) + + How to troubleshoot Identity Manager when facing technical issues. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/maintain/troubleshooting/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/troubleshooting/index.md new file mode 100644 index 0000000000..5822536340 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/maintain/troubleshooting/index.md 
@@ -0,0 +1,145 @@ +# Troubleshoot + +How to troubleshoot Identity Manager when facing technical issues. + +## Overview + +Daily technical issues can lead to some unexpected results in Identity Manager. This page is meant +to give some clues and use cases in order to solve usual issues. + +> For example, the issues described below can happen when there is a network cut, or an application +> IP address is being changed, or an important password is being modified. + +See the +[ Troubleshoot Connector Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) +troubleshooting instructions concerning connector jobs. + +### Prerequisites + +In order to troubleshoot Identity Manager efficiently, the user, usually an application +administrator, must have access to: + +- the connector screens, especially the jobs available there; + + ![Connector Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp) + +- the resource screens (identities, accounts, etc.) with their data, and especially their history + and sources; + + ![User Data](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp) + +- basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements + and enable data modification and repair. + + ![Helpdesk Workflow](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp) + +## Participants and Artifacts + +Here integrators give way to managers to handle the solution by themselves. 
+ +| Input | Output | +| ----------------------------------------------------------------------------- | ------------------- | +| [Implement Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/deploy/implementation/index.md) (required) | Working environment | + +## Troubleshoot Synchronization Issues + +### Errored export task + +If the export task ends with an error, then you should: + +- check the task's logs; +- check the export files' dates in the `Temp/ExportOutput` folder; +- if there was an external problem, then relaunch the export in complete mode. + +### Missing data after incremental synchronization + +If the data is incomplete after incremental synchronization, then you should relaunch +synchronization in complete mode. + +Netwrix Identity Manager (formerly Usercube) recommends scheduling an incremental synchronization +approximately every 15 minutes, and a complete synchronization once a day. + +### Exceeded thresholds + +If a synchronization threshold is exceeded, then check whether the threshold is legitimate. If not, +it means that the warning comes from a change in the managed system, so you should fix the data +directly in the managed system. + +See more details on [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) thresholds. 
+ +## Troubleshoot Provisioning Issues + +### Blocked provisioning orders + +If provisioning orders are blocked while expected to be automatic, it can come from: + +- the **Require Provisioning Review** option being enabled in the related resource type; +- the role model being computed through the + [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + or the corresponding executable, with the block provisioning option; +- a provisioning order being already blocked for the same resource due to a prior operation; +- a correlation/classification rule with a confidence rate below 100%, which means that either + important data is missing or the rule is not right. + +**Verify:** After debugging the blocked-order situation, the related blocked orders must be reviewed +on the **Provisioning Review** screen to be unblocked. + +### Errored provisioning orders + +> For example, consider a provisioning task supposed to delete 150 accounts, while the relevant +> service account does not have the relevant writing rights. Thus it ends up with 150 errored +> provisioning orders. + +If provisioning orders end up with an error, then you should check the errors' details in +**Provisioning Review** to determine where the error comes from. + +**Verify:** After debugging the errored-order situation, unblock one provisioning order and relaunch +provisioning to make sure the fix gives the expected result. Only then, unblock all related errored +orders and relaunch provisioning. + +If the error comes from miscalculated properties, for example missing parent dn or duplicated +logins, then you should review scalar and/or query rules. + +**Verify:** After debugging the situation, recompute the role model for only one user to make sure +the fix gives the expected result. Only then, recompute the role model for all users through the +**Compute Role Model** job of connector screens. 
+ +To recompute the role model for only one user, you can use the helpdesk workflow. It will give you +access to the user's entitlements via the workflow's **Access Permissions** step, where you can +check the changes without having to validate. + +### Incorrect provisioned values + +If provisioning orders produce incorrect values, then it can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the Troubleshoot workflow for debug purposes. + +> For example, if identity data has changed and HR data has not, then it must come from the rules. + +### Exceeded thresholds + +If a provisioning threshold is exceeded, then check whether the threshold is legitimate. If not, it +means that the warning can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the helpdesk Troubleshoot workflow for debug purposes. 
+ +## Troubleshoot Entitlement Issues + +If users have unexpected entitlements, then you should click on an entitlement and/or access +**Workflow Overview** to see the entitlements' details, for example who requested them, etc. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md new file mode 100644 index 0000000000..b8e388bcc9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md 
@@ -0,0 +1,116 @@ +# Automate Role Assignments + +How to manually build rules to automate the assignment of roles to identities. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Overview + +Single role rules and composite role rules are assignment rules. Assignment rules are designed to +automatically assign respectively single roles and composite roles (based on specific criteria) to +identities. One rule must be created for every role to assign. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | --------------------- | +| Role Catalog (required) | Role assignment rules | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Role Assignment Rule + +Create a role assignment rule by proceeding as follows: + +1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration** + section. + + ![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. + + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. 
Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top + right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create an Assignment Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp) + + - `Single Role`: single role to be automatically assigned in a single role rule. + `Composite Role` for a composite role rule. + - `Type`: assignment type that can be: `Suggested` so that the role is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the role is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the role is listed in the permission basket of new + workers, these assignments can still be modified. + + The rule's type can be `Suggested` only if the related role is allowed to be requested + manually. + + - `Single role denied`: option that forbids the assignment instead of applying it. + - **Criteria**: conditions that, if met, trigger the single role automatic assignment. + + Role assignment rules can be based on identity dimensions. Moreover, single role rules can be + based on composite roles. + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a role assignment rule is taken into account when the next +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +runs to compute new assignments. Therefore, if a given rule's criterion is modified, then all +corresponding assignments are computed again. 
If a role was assigned automatically to an identity by +a role assignment rule, and if this assignment doesn't comply with the new version of the rule, then +the corresponding role is automatically removed. + +A modification in a role assignment rule can trigger the removal of a role only on the Identity +Manager side. There are several barriers to cross before said role is removed from the managed +system. + +> For example, consider a single role rule that assigns the single role +> `Business role: electronic banking` to all users in the `Tours` department. Let's say that we +> replace `Tours` with `Orleans`. Then, after the next launch of the complete job, all users in the +> `Orleans` department get said role, while the users in the `Tours` department are deprived of said +> role. + +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) is available in order to anticipate the changes +induced by a creation/modification/deletion in role assignment rules. + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +Netwrix Identity Manager (formerly Usercube) recommends removing redundant assignments after any +assignment rule is created or updated. + +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Create a role assignment rule for a role that said user doesn't already have, and based on + criteria which the selected user satisfies. +3. 
Trigger the computation of the role model through the complete job on the **Job Execution** page + in the **Administration** section. + + ![Home - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +4. See the new permission in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md new file mode 100644 index 0000000000..d0f118267d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md 
@@ -0,0 +1,219 @@ +# Automate Assignments + +How to automate entitlement assignment. + +## Overview + +Once you are able to assign manually the right entitlements to the right identities for the right +reasons, you realize how tedious and error-prone entitlement assignment is, and you want to automate +it. + +The strategy for the automation of entitlement assignment lies in the automatic making of assignment +decisions, based on several automation levels provided by Identity Manager: + +1. Automation of the creation of the role model, i.e. both roles and navigation rules that represent + entitlements in the managed systems, through + [ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + based on resources' naming conventions in the managed systems. +2. Automation of entitlement assignment through assignment rules, which use identity criteria + (called dimensions, like identities' department or work location, etc.) to decide what + entitlements to assign automatically to identities. See the + [ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) + topic for additional information. +3. Automation of the creation of said assignment rules through + [ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md), based on existing data analysis. + +![Automation Concept](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp) + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. 
+ +Netwrix Identity Manager (formerly Usercube) recommends +[Remove Redundant Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) after any assignment rule is +created or updated. + +The main goal of automation is to reach the optimal cost, playing on assignment efficiency, quality +and quantity. + +### Assessment of manual assignment + +So far, Identity Manager's configuration has enabled users to use workflows to add and remove +entitlements to/from identities. These assignments can be fulfilled manually or automatically, but +the decision-making process that defines who gets what entitlement is still manual. Manual +assignment poses the following risks: + +- Delay can happen: on the day a worker joins an organization, they rely on a manual action to get + all the entitlements required for them to start working. Even with roles aiming to help managers + to understand actual entitlements, delay happens. See + the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic + for additional information.Errors can happen: human mistakes are expected in role distribution, + even though largely mitigated by the role review process and + [ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md). See the + [ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + topic for additional information. +- It is time-consuming. + +The entitlement management cost mainly varies according to the number of managed entitlements. +Manual processing for entitlement requests implies a linear growth of the management cost according +to the number of managed entitlements. 
+ +![Optimal Cost Chart - Manual Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp) + +### Automation benefits + +There is a high potential gain coming with the automation of assignment decisions: + +- Machine Learning masters the error rate, as it is used as a parameter for Role Mining, i.e. + masters false positive assignments (entitlements assigned to a user while they ought not to) which + constitute a security breach, and false negative assignments (entitlements not assigned to a user + who needs it) which are functionnaly blocking; +- Machine Learning achieves lower error rates than people; +- Machine Learning can compute the role model way faster than a person. Consequently, the model can + be computed more frequently and thus sticks closer to reality. + +![Optimal Cost Chart - Automation Benefits](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp) + +Automation helps integrators find basic assignment rules and face the previous risks, thus reducing +cost. + +### Automation precautions + +Assignments do not have to be automated all at once. + +On the one hand, before being automatically assigned, entitlements can be merely suggested by +Identity Manager and assigned manually. + +On the other hand, a distinction can be made between assignments according to their sensitivity, for +example using different error rates, or using simulation, or automating the assignment of basic +entitlements while suggesting sensitive entitlements, etc. + +This way, security can be improved for example by making certification target only the sensitive +entitlements that cannot be processed by Machine Learning. There is no need anymore to certify +automatic assignments. 
+ +Plus, you can also use attributes as additional precautions, such as a grace period during which, +after the application of a rule revoking a resource/entitlement, managers can decide for each user +individually whether they need to keep said entitlement. + +In a way, maturity with Machine Learning in IGA is much like a GPS: once we traveled using only +paper maps, before the first navigation tools were commercialized. Then we learned how to use these +tools, while keeping a map to be able to verify the GPS instructions. We found secure methods to +navigate through all GPS evolutions, until we trusted GPS enough to guide us completely. + +### Automation limits + +However, automation implies an increasing number of rules. And a high number of rules implies a +certain complexity in rule model understanding, and consequently hiring expensive expert contractors +to write the right rules. It drives up costs considerably and draws you near the automation wall. + +![Optimal Cost Chart - Automation Limits](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp) + +The automation wall represents the automation threshold that cannot be overcome. It mostly comes +from the fact that with limited data, automation capabilities are also limited. Everything cannot be +automated. + +### Automation strategy + +The idea is to stop automation when the automatic cost curve increases faster than the manual cost +curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix +of automatic and manual assignments. + +![Optimal Cost Chart](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp) + +Automation strategy consists in using Machine Learning through Role Mining to get closer to the +automation wall. 
And, as Role Mining doesn't enable overcoming said wall, the goal is to move the +wall further away by improving data quality and quantity. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ----------------------- | ---------------------------- | +| Role Catalog (required) | Ideally automated role model | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Automate Entitlement Assignment + +The process of assignment automation is the following: + +1. [ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) to approach the automation wall. + + Role Mining covers more use cases than writing assignment rules manually. It diminishes the + error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to + the automation wall. + + ![Optimal Cost Chart - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp) + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, thus creating security issues. However, experience shows that a + slight error tolerance in Role Mining can highly benefit automation. + + NETWRIX recommends trying Role Mining with **1%** tolerated false positives, and **99.5%** + expected precision. Then adapt to your situation according to the reports. + + For example, suppose an organization working with many distinct departments. 
If you see that the + automation rate skyrockets when the error rate reaches the number of workers in one department, + then it probably means that Identity Manager misses data concerning one of the departments. Thus + the error rate allows Identity Manager to "ignore" one of the departments in the organization, + and optimize automation. + +2. [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md)and analyze them with tools like Power + BI to assess the automation wall and identify improvement areas. + + > For example in the following Power BI chart, automation is, on average, highly implemented + > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers + > about their respective projects. This is a typical area for improvement in data quality. + > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp) + + > For example, if charts show a high number of identities in the category `No Position`, + > integrators understand that the data model must be completed for role mining to be efficient. + > + > ![Data Quantity Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp) + + > For example, if charts show a high number of unused roles, integrators understand that the + > role model needs further improvement because roles are not adequate. + > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp) + + > For example, if charts show low automation rate per department, integrators will understand + > that many identities may have switched departments while keeping their previous entitlements. 
+ > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp) + +3. Improve data quality and quantity to move the automation wall. + + Whether automatic or manual, assignment decisions are based on existing data analysis. Data + quantity and quality therefore define the position of the wall. + + Improvement in existing data quantity and quality entails the possibility of managing a higher + number of entitlements. + + ![Optimal Cost Chart - Improved Data](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp) + + A high quantity of data simplifies data analysis and inferences in assignment rules. + + A high quality of data also simplifies data analysis and enables better accuracy in assignment + rules. + + > For example, contractors' data is often less familiar to HR departments. Efforts can be made + > in this direction to enhance automation. + + Moreover, focus must be directed on actual and correct entitlements, using Identity Manager's + [ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md). + + Data reliability prevents integrators from easy extrapolation mistakes. + + > For example, consider the Netwrix Identity Manager (formerly Usercube) team in Marseilles + > mostly composed of R&D workers. If integrators miss information, they might inadvertently + > create a rule giving `R&D` group membership to all workers in Marseilles, while there are also + > workers from other departments. + +4. Repeat. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md new file mode 100644 index 0000000000..36249b008b --- /dev/null 
+++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md 
@@ -0,0 +1,136 @@ +# Remove Redundant Assignments + +How to remove redundant assignments, i.e. manual assignments of roles and resource types that are +assigned by a rule too. See the +[Entitlement Assignment](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +topic for additional information. + +## Overview + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. See the +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) topic for additional +information. + +Netwrix recommends removing redundant assignments after any assignment rule is created or updated. + +This guide is about switching the manual assignments, which are allowed by the role model, into +calculated automatic entitlements handled by the role model. Once automatic, an entitlement is fully +part of the role model and stops constituting an exception. + +### Assignment validity period + +All entitlements are assigned on a given validity period, i.e. from a given start date to a given +end date: + +- When assigning an entitlement to a user manually, the start and end dates are specified explicitly + unless the end date is locked. See the + [Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + topic for additional information. +- When assigning entitlements to users via assignment rules, the start and end dates are based on + the owner's data, for example their contract or position start/end dates. These assignments are + automatic. 
+ +Netwrix recommends always preferring calculated assignments over manual ones, because calculated +assignments follow the changes in their owners' data and are consequently more secure. + +For example, consider a user Helen who starts working as an architect with a given role. +When assigning the role manually, when Helen changes her job, her manager will have to remove the +role manually. When assigning the role via a rule, when Helen changes a job, the role will be +removed automatically. + +### Process + +This process is an optimization of the role model. It is part of the "compute role model" process +where all rules of the role model are applied. + +The classic behavior gives priority to approved manual entitlements over calculated automatic ones. +A manual assignment stays as is, even if the entitlement is also assigned by a rule. + +For example, consider a user who has a given entitlement which was assigned to them manually on +several distinct time periods. When creating a rule that assigns the same entitlement to them +automatically on a given time period, then we have: + +![Schema - Compute Role Model](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp) + +The redundant assignment analysis gives priority to the rules inside the role model and the policy. +When an entitlement is assigned via a rule, it is stated as calculated, even if it is also assigned +manually. Thus, manual assignments whose start and end dates overlap with the validity period are to +be truncated or deleted. + +For example, consider the same situation as before. 
Using the redundant assignments analysis, then +we have: + +![Schema - Redundant Assignment Analysis](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp) + +Redundant assignments can be removed by Identity Manager only when the corresponding assigned items +are tagged as redundant and displayed in the most recent report. The manual assigned items that are +not tagged are still kept as discretionary entitlements and will not be removed. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------- | ---------------------- | +| Role catalog (required) Role assignment rules (required) Role mining (optional) | Minimized derogation’s | + +See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md), and +[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) topics for additional information. + +## Remove Redundant Assignments + +Remove redundant assignments by proceeding as follows: + +![Home Page - Redundant Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +**Step 1 –** Click on **Redundant Assignments** on the home page in the **Administration** section. 
+ +![Redundant Assignments - Buttons](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp) + +**Step 2 –** Click on **Analyze** to tag the manual roles and resource types from all policies +eligible for conversion to an automatic state. + +**NOTE:** Previous tags are cleared at each instance of this tagging process. + +**Step 3 –** Click on **Download Excel** to download a dedicated XLSX report which contains one tab +per entity type representing identities. + +![Redundant Assignments - Report Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp) + +The example states that in the entity type Directory_User, the user Nicholas Acosta had the single +role Banking/Sales/Eunomia/Administrator starting from February 28th 2023 (dateA) until May 16th +(dateD). A new single role rule assigns him this role from April 14th (dateB) until 25th 2023 +(dateC). + +It means that Nicholas Acosta will have the role in the **Calculated** state from dateB to dateC, +and he will keep the role in the **Approved** state from dateA to dateB and from dateC to dateD. + +**Step 4 –** If the report's content is satisfying, then click on **Apply** to actually switch +eligible manual roles to calculated. + +## Verify Redundant Assignment Removal + +In order to verify the process: + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +**Step 1 –** Access the user directory from the home page. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +**Step 2 –** For one of the users mentioned in the report, access their permissions. 
+ +**Step 3 –** Check that their roles (mentioned in the report) have actually switched from approved +to calculated. + +![Redundant Assignments - Result](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp) + +When removing redundant assignments based on the previous report example the setting will be as +above. + +Once the steps above completed, the state changes to **Approved**. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md new file mode 100644 index 0000000000..ad12a24d68 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md 
@@ -0,0 +1,182 @@ +# Perform Role Mining + +How to use role mining to suggest role assignment rules based on existing assignments, in order to +push the [ Automate Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md) wall further. + +## Overview + +After the role catalog is established, the Compute Role Model Task task is able to assign single +roles to users according to their attributes which are used as assignment criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the +> [ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +> is able to assign single roles to users according to their existing group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +which will assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +that constitute the key criteria for existing role assignments. 
It detects the most probable links +between identities dimensions and their roles in order to suggest the appropriate entitlement +assignment rules. + +> For example, suppose that 80% of NETWRIX workers in Marseilles have access to an application +> "App". Then, role mining is most likely to recognize the working site as a relevant dimension, and +> suggest to create a rule that gives the "App" access to users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the Role +Catalog. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +### Technical Principles + +Role mining works through +[ Mining Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +that Identity Manager applies with the +[ Get Role Mining Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +See more details about role mining. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ----------------------- | ----------------- | +| Role Catalog (required) | Single role rules | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Mining Rule + +Create a mining rule by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Role Mining** button. 
+ + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp) + + You will see all existing mining rules. + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Mining Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp) + + - `Policy`: [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) in which the mining rule exists. + - `Entity Type`: + [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) on which + the mining rule is applied, i.e. the entity type targeted by role mining's entitlement + analysis. + - `Category`: + [ Create a Category ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + containing the roles targeted by role mining's analysis. + - `Include roles with specific validations`: includes in role mining's analysis the roles + requiring zero and/or one and/or two and/or three validations. + - `Exclude Role from Mining`: ignores the specified roles during the mining process triggered by + the next mining rules (in terms of priority). + - `Rule Policy`: [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) in which the single role + rules will be generated. + + Netwrix Identity Manager (formerly Usercube) recommends using a policy dedicated to role + mining in order not to remove existing assignment rules. 
+ + - `Rule Type`: type of the generated single role rules, which defines the type of role + assignment that can be: `Suggested` so that the resource type is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the resource type is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the resource type is listed in the permission basket + of new workers, these assignments can still be modified. + - `Priority`: priority order of the mining rule. Identity Manager applies mining rules one after + the other in descending order. + - `Minimum Precision`: minimum authorized percentage of correct role assignments, considering + both the roles that are assigned to users who should have them, and the roles that are not + assigned to users who should not have them. + + NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application + and/or a large user population, and vice versa. + + - `Maximum Allowed False Positives`: maximum authorized percentage of false positive + assignments, i.e. roles that are assigned to users who should not have them. + + NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a + large user population, and vice versa. + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, and thus creating security issues. However, experience shows that a + slight error tolerance in role mining can highly benefit automation. + +3. Click on **Create** and see a line added on the rules page. +4. Click on **Simulate** to perfom role mining in a simulation. 
See + the[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + + ![Role Mining Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp) + + If you need to bypass the simulation process, clicking on **Launch** will perform role mining + and apply its results directly. NETWRIX recommends always performing role mining in simulation. + +## Impact of Modifications + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +Netwrix Identity Manager (formerly Usercube) recommends +[Remove Redundant Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) after any assignment rule +is created or updated. + +## Verify Role Mining + +In order to verify the process, access the rule list from the home page. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select **Single Roles** and check that the single role rules are created with the right parameters. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md new file mode 100644 index 0000000000..61df1a1155 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md 
@@ -0,0 +1,129 @@ +# Create a Composite Role + +How to define composite roles in order to create sets of single roles easy to assign. See the +[ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +and [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)topics +for additional information. + +## Overview + +A composite role is a set of single roles that are usually assigned together, because they revolve +around the same application, or the same job, etc. Composite roles are aggregates of single roles, +they can help organize the role catalog. See the +[ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +topic for additional information. + +![Schema](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp) + +A composite role is a business role comprehensible by managers. It provides an additional layer of +abstraction above existing entitlements and single roles. We can say that if a single role allows a +user to perform a task, a composite role allows them to perform a job. + +### Composite roles and Role Mining + +Composite roles can also be created based on the rules provided by Role Mining. Rules link roles to +dimensions. See the [ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) topic for +additional information. + +The following example shows single roles from A to F. Role Mining suggested the rules on the schema, +linking these single roles to the organizations R&D and Project as well as to the functions +developer, writer, contractor and project manager. The idea is to use these rules to create +composite roles. 
Here, we clearly have one role for R&D-developer, one for R&D-writer, +Project-contractor and Project-project manager. Thus, it is clear here that composite roles add an +abstraction layer. + +![Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp) + +Single role rules link composite roles to single roles: a single role rule states that specific +single roles are assigned according to specific criteria, particularly composite roles. See the +[Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +and [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)topics +for additional information. Thus, a composite role assignment can imply specific single role +assignments. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | --------------- | +| Role catalog (required) | Composite roles | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Composite Role + +Create a composite role by proceeding as follows: + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access +the roles page. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ +New** at the top right corner. + +**Step 3 –** Fill in the fields. 
+ +![singlerolescatalog_createcompositerole_v62](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp) + +- **Identifier**: must be unique among roles and without any whitespace. +- **Name**: will be displayed in the UI to identify the single role. +- **Policy**: policy in which the role exists. +- **Entity Type**: entity type targeted by the role. +- **Category**: category assigned to the role. +- **Secondary Categories**: other potential categories assigned to the role. +- **Approval Workflow**: represents the number of validations required to assign the role. +- Lock the end date: locks manual permission at the end date. Has four options: + + - Inherited: the policy's setting will be used. + - Explicit: at the time of assignment, the end date can be specified manually or can be locked + to the applicable context rule. + - **Never**: the end date will never be locked and needs to be specified manually. + - **Always**: the end date is always locked according to the applicable context rule. + +- **Approve Role Implicitly**: needs at least a simple approval workflow. **Implicit** mode bypasses + the approval step(s) if the person who issues the role request is also the role officer. + **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve roles + implicitly or not. +- **Hide in Simplified View**: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. +- **Comment Management on Permission Review**: to change if different from the role policy. +- **Maximum Duration**: duration (in minutes) after which the role will be automatically revoked, if + no earlier end date is specified. It impacts only the roles which are manually assigned after the + maximum duration is set. Pre-assigned roles are not impacted. 
If no duration is set on the role, + the **MaxDuration** of the associated policy is applied. If the **MaxDuration** is set to 0 on the + role, it prevents the associated policy from applying its **MaxDuration** to it. + +**Step 4 –** Click on **Create** and see a line added on the roles page. + +**Step 5 –** Create at least one single role rule with the composite role as a criterion. + +## Impact of Modifications + +When deleting a composite role, caution must be used when deleting the corresponding single role +rules. Indeed, these rules thus lose their criteria and may be applied to far too many people after +that. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in roles and single role rules. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md)topic for additional information. + +## Verify Composite Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select composite roles and find the role you created inside the right category and with the right +parameters. + +![Access Composite Roles](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp) + +For rules, follow the instructions about assignment rules. See the +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) 
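Review bot: In remove-redundant-assignments/index.md, the closing sentence of "Verify Redundant Assignment Removal" says the state changes to **Approved**, which contradicts Step 3 of the same section ("have actually switched from approved to calculated") and Step 4 of the procedure ("switch eligible manual roles to calculated"). It should presumably read "Once the steps above are completed, the state changes to **Calculated**." In the report example, "until 25th 2023 (dateC)" is missing its month, so the Calculated window cannot be read from the text, and the output cell "Minimized derogation’s" has a stray apostrophe.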
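Review bot: In role-mining/index.md, the recommendation under `Minimum Precision` ("around 99.5%, to be lowered when working on a sensitive application and/or a large user population") uses the same direction as the one under `Maximum Allowed False Positives` ("around 1%, to be lowered when working on a sensitive application"), but lowering a precision floor loosens the generated rules while lowering a false-positive ceiling tightens them. For a sensitive application the precision floor should presumably be raised; please confirm and fix the wording, because as written it steers readers toward more over-assigned entitlements where they matter most. Also in this hunk: `Priority` says mining rules are applied "in descending order" without saying of what, which matters because the text relies on automatic rules taking priority over suggested ones; "See more details about role mining." has no link target; "Compute Role Model Task task" and "perfom" are typos.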
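Review bot: In composite-role-creation/index.md, "Impact of Modifications" warns about "deleting the corresponding single role rules", but the risk it then describes comes from the rules that remain: once the composite role is gone they "lose their criteria and may be applied to far too many people". State the intended order explicitly, for example updating or deleting the dependent single role rules and running a simulation before deleting the composite role, so that nobody over-assigns entitlements by following the current wording. Smaller points: the **Name** field is described as identifying "the single role" on a page about composite roles; "Lock the end date", "Inherited" and "Explicit" are not bolded like their sibling options; and the last sentence of the file stops after the Automate Role Assignments link.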
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/hr-connector-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/hr-connector-creation/index.md new file mode 100644 index 0000000000..6627722dc7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/hr-connector-creation/index.md 
@@ -0,0 +1,120 @@ +# Create an HR Connector + +How to create a connector dedicated to the automation of identity management (creation, update, +deletion), via the synchronization of HR data into Identity Manager and internal provisioning. See +the[ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md)provisioning. + +## Overview + +### HR connector in the global process + +The HR connector is no priority but rather an optimization, handled at the end of the configuration +cycle. + +The HR connector is sometimes the first created connector, used to develop the identity repository. + +However, the HR connector requires a specific IT infrastructure (agent, proxy, Virtual Machine, +etc.) which can take time to implement, and delay the project's progress. + +Moreover, in the long run it poses a few problems as HR data usually misses crucial information such +as contractor data, or the projects employees are working on. This can mean that: + +- the identity repository is filled using several sources. And when creating identities + automatically from HR data and other sources, you need to specify which properties of each + identity can be overwritten by a change in HR and which cannot. This is to avoid manually changed + attributes being overwritten by the HR data by mistake. This is very tedious. +- the HR data is rarely up to date early enough to be really useful as a trigger for identity + creation and deletion. As a result, identities end up being created manually through workflows + most of the time. + +Hence we choose to build the first iteration of the project upon a manual data upload to +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md). + +This way, we do not have to wait for the agent's implementation to create the first profiles and +start connecting systems (AD, SAB, SAP, etc.). 
Thus value is created faster and we can focus on IGA +activities such as the review of orphaned and unused accounts, eliminating risk earlier in the +process. + +We can still connect HR data, later on, to check consistency between our identity repository and HR +data, through a certification-like process. + +### Technical details + +An HR connector is considered an inbound connector, as it writes to the central identity repository +inside Identity Manager. + +![Inbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp) + +As Identity Manager is able to feed all managed systems, it can also feed itself thanks to specific +connections such as the +[InternalWorkflow](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) +connection. It means that the corresponding connector is able to launch workflows within Identity +Manager and keep track. + +Typically, an HR connector with such a connection would be able to launch workflows inside Identity +Manager for identity creation, update and deletion, based on HR files. + +## Participants and Artifacts + +This operation should be performed in cooperation with HR staff who can access HR data. + +| Input | Output | +| ------------------------------- | ------------ | +| Identity Repository. (required) | HR connector | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md)topic +for additional information. + +## Create an HR Connector + +Create an HR connector by proceeding as follows: + +1. Outside Identity Manager, + [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md)of your connector. +2. Declare an HR connector using your local agent. 
See the + [ Create the Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) topic for + additional information. + + ![HR Connector Declaration](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp) + +3. Create an Export CSV connection for each HR file to connect. See the + [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topic for + additional information. + + ![HR Connection](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp) + +4. [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) corresponding + to your model. For example: + + ![HR Entity Type - Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp) + + ![HR Entity Type - Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp) + +5. Don't forget to reload and [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) to access + HR data within Identity Manager. + + ![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + + ![Synchronize Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + +## Verify HR Connector Creation + +In order to verify the process: + +1. Launch synchronization. +2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. 
+ + ![Jobs Results](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp) + +4. Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the Eye icon: + + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should seek configuration validation, not validation of the actual data being synchronized. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md new file mode 100644 index 0000000000..6beb28d88a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md 
@@ -0,0 +1,117 @@ +# Modify the Identity Data Model + +How to make data model properties evolve according to the organization's needs. + +## Overview + +The identity data model must contain all the information needed to manage identities and their +permissions, and only the information strictly required for this purpose. + +You already considered the data needed for identity management during: + +- The initial identities loading and the creation of the identity repository; See the + [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for + additional information. +- [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md)through connector + modeling which is the analysis phase before connector creation; +- [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) which is the + technical implementation of the connector model. + +The data model established during these steps might change to evolve alongside the needs of the +connected systems, the management strategy, and any change in the organization such as a change of +structure, a new division, etc. + +This part is about integrating these changes in the existing data model. + +### Dimensions + +Identity Manager calls dimensions the attributes that assignment rules rely on. They are essential +criteria that differentiate users in order to give them the appropriate roles. See the +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +topic for additional information. + +### Personal data security + +Only professional data should be used in the identity data model, not personal data. + +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data model. 
+ +| Input | Output | +| ------------------------------------------------------------------------ | --------------------------- | +| Initial identities loading (required) New identity data model (required) | Updated identity data model | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic +for additional information. + +## Add or Modify Properties + +The data model can be updated in the UI via a feature scanning the data model. This scan performs an +analysis on the data previously imported through the Excel file. It detects properties which are +always empty and suggests to remove them from the data model, for clarity purposes. + +> For example, some systems don't store phone numbers. Then, scanning the data model will allow +> Identity Manager to suggest removing the property about phone numbers. Note that Identity Manager +> only provides suggestions but makes no decision. You could choose to keep the phone number +> property anyway in order to fill it later. + +NETWRIX recommends updating the data model through the scan feature, as this feature is driven by +Identity Manager's suggestions. + +However, the identity data model can also be updated through the directory's entity types, following +the previously given +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +### Through a data model scan + +Add or modify properties within the identity data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. Access the data model on the **Workforce** > **Data Model** page. +3. Change the display option to show or hide properties in the identity repository. 
+ + ![Scan Data Model - Display Option](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp) + +4. After your changes are complete, click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Delete Properties + +Integrators should keep in mind that the fields that they want to delete might be used in connectors +or other places they didn't think about. Existing assignments might be impacted. + +Identity Manager suggests the removal only of empty fields. In this case, there is nothing to worry +about. + +## Verify Data Model Modification + +In order to verify the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the department + directory accessible from the home page. + + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the Query module. 
See + the[ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. + +- [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) with indicators, for example, on the + number of workers per type or per organization (through Identity Manager's predefined reports, the + Query module or Power BI), to ensure that Identity Manager's content sticks to reality. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/index.md new file mode 100644 index 0000000000..34504c7909 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/index.md 
@@ -0,0 +1,54 @@ +# Optimize + +- [ Modify the Identity Data Model ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + + How to make data model properties evolve according to the organization's needs. + +- [ Create an HR Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/hr-connector-creation/index.md) + + How to create a connector dedicated to the automation of identity management (creation, update, + deletion), via the synchronization of HR data into Identity Manager and internal provisioning. + +- [ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md) + + How to use the risk management module to identify entitlement assignments that pose a security + risk, especially about segregation of duties and high privileges. + +- [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) + + How to define policies to organize roles and rules. + +- [Automate the Review of Non-conforming Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) + + How to automate the review of non-conforming assignments through automation rules. + +- [ Automate Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/index.md) + + How to automate entitlement assignment. + +- [ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + + How to manually build rules to automate the assignment of roles to identities. + +- [ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) + + How to use role mining to suggest role assignment rules based on existing assignments, in order + to push the automation wall further. 
+ +- [Remove Redundant Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) + + How to remove redundant assignments, i.e. manual assignments of roles and resource types that + are assigned by a rule too. + +- [Create a Composite Role](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md) + + How to define composite roles in order to create sets of single roles easy to assign. + +- [Configure a Parametrized Role](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/parameterized-role/index.md) + + How to reduce the number of roles in the model by configuring roles with parameters. + +- [ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) + + How to assess the impact of a modification on the role model, including the role catalog, role + assignment rules and resource correlation rules, using a dedicated policy. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md new file mode 100644 index 0000000000..834cfbee35 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md 
@@ -0,0 +1,103 @@ +# Automate the Review of Non-conforming Assignments + +How to automate the review of non-conforming assignments through automation rules. See the +[ Review Non-conforming Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and +[Automation Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +topics for additional information. + +## Overview + +Non-conforming assignments can't be reviewed entirely automatically because this type of review +sometimes needs the intervention of a knowledgeable user. However, automation rules can help by +making automatic decisions (in place of the reviewer) on assignments that need to be reviewed after +a given waiting period. + +This type of rule is useful for example, when integrators intend to: + +- Decline all non-conforming assignments after X days to avoid accumulation. The waiting time can be + null if they need to delete non-conforming assignments as soon as they are detected; +- Automatically approve or decline discretionary requests if there is no validation after X days; +- Send notifications to validators before declining or approving pending approval assignments; +- Get information in order to deactivate an AD account if it hasn't been used in the past X days, + before deleting it. + +Integrators must show caution with pending approval assignments because this type of rule could +short-circuit the whole approval process. + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know the organization and their +team's entitlements. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------ | --------------------------- | +| Mastered non-conforming assignment review (required) Categorized accounts (optional) | Automated assignment review | + +See the +[ Review Non-conforming Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topics for additional +information. + +## Create an Automation Rule + +Create an automation rule by proceeding as follows: + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule +will be applied. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner. + +![New Automation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp) + +**Step 4 –** Fill in the fields. + +- Decision — Action to be taken on the described assignments. +- Criteria — Conditions that, if met, trigger the rule. + Currently, the criteria are used to match the context of an assignment and not the user data. 
+ For example, if a single role is assigned based on a specific Department, then the context of the + assignment has the information about the Department. In that case, an automation rule having in + its dimensions that given Department will match this assignment and could Deny/Accept it. +- However, if a single role is assigned without any context on the Department (for example, a manual + assignment with no parameter on the role), the automation rule will never match this assignment. +- **NOTE:** No context will never be present for non-conforming or pre-existing roles +- Type — Assignment type concerned by the new rule. Once filled, a new field is displayed to select + precisely an object from the existing objects belonging to this type. +- Workflow State — Workflow state of the assignments that need a decision. +- Waiting Period — Time period since the last change in the assignments' workflow states. + +_Remember,_ in a nutshell, this rule applies Decision to all assignments of Type (and matching all +criteria), whose workflow state has been set to Workflow State for more than Waiting Period. + +## Impact of Modifications + +A modification in an automation rule doesn't impact the assignments affected by the previous version +of the rule. + +## Verify Review Automation + +In order to verify the process: + +**Step 1 –** On the **Role Review** or **Role Reconciliation** screen, spot an entitlement +assignment. + +**Step 2 –** Create an automation rule matching said assignment. + +![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +**Step 3 –** Compute the role model through the complete job on the **Job Execution** page. + +**Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed +according to the rule's settings. 
+ +![New Automation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp) + +Any role affected by an automation rule shows a specific message on the **Role Review** page. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/parameterized-role/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/parameterized-role/index.md new file mode 100644 index 0000000000..bc9d4caee3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/parameterized-role/index.md 
@@ -0,0 +1,126 @@ +# Configure a Parametrized Role + +How to reduce the number of roles in the model by configuring roles with parameters. + +## Overview + +The assignment of a role to a user gives them an entitlement, usually a group membership, thanks to +a navigation rule. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information. + +![Simple Role](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp) + +To enable the assignment of all existing entitlements, the role model usually contains numerous +roles. + +For example, the SAP role can be given with slight differences according to the users' subsidiaries: + +> ![Role Matrix](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp) + +In order to reduce the number of roles, we can configure roles with parameters by inserting a +criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on +the schema), we can have way fewer roles (right on the schema). + +![With/Without Parameters](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp) + +In the previous example, with a parameter on the subsidiary, the number of roles would be divided by +three. + +By extension, a composite role that assigns a parametrized single role is parametrized too. + +This way, when assigning a parametrized role, a pop-up window is displayed where the parameter must +be specified. + +The same thing goes with type rules instead of navigation rules when we want to assign resource +types instead of entitlements. 
+ +## Configure a Parametrized Role + +Configure a parametrized role by proceeding as follows: + +**Step 1 –** Create in XML a dimension corresponding to the parameter that will affect the role. See +the [ Dimension ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +topic for additional information. + +For example, let's consider that we have many roles available on three different time slots: 8 hours +a day, 12 hours a day, or 24 hours a day. We create a dimension for these time slots. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +![Example - Role](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp) + +**Step 2 –** Create a single role. See the +[Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) +topic for additional information. + +**Step 3 –** Create one navigation rule linked to the role for each available value of the +parameter. See the +[Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) +topic for additional information. + +Here we have three navigation rules, one for each distinct time slot (dimension A). For example: + +![Example - Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp) + +**NOTE:** Make sure that the corresponding dimension is specified in the right `DisplayEntityType` +in XML to be displayed in the UI. 
+ +**NOTE:** It is important to note that for manually assigned roles, if a new dimension is added to +the definition of the role, the assignment's dimension will not be re-calculated, and will therefore +not be propagated to calculate automatic assignments. +Example Scenario — Role A was created as a composite role with no parameters a long time ago. Role A +was later updated to depend on the optional parameter X and a single role rule was created to assign +a single role B if a user had Role A and parameter X set to value Y. +If a user already manually had the role A, even if its dimension X (for example its department, +which could be calculated) was equal to value Y, got its permissions recalculated, that person would +not get the role B. Since the modification occurred after the assignment, it is understood as if the +role was assigned voluntarily with dimension X unset. +However, if a user got role A assigned after the modification, and its dimension X was equal to +value Y, then that user would get the role B. + +![Example - Role Parameter Required](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp) + +**Step 4 –** Go back to the roles page to edit the single role from step 2, if needing to set the +parameter required. + +If you want Identity Manager to provide suggestions to set the parameter's value, then make sure +that users' +[context rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +specifies the dimension. + +For example, with the `Title` dimension: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + +``` + +## Verify the Parametrized Role + +In order to verify the process, request manually the parametrized role for a test user. 
Some +additional pop-ups are displayed to set a value for the role's parameter. See the +[ Request Entitlement Assignment ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/manual-assignment-request/index.md) topic for +additional information. + +In our example: + +![Example - Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp) + +![Example - Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp) + +If the dimension is specified in the users' context rule, then Identity Manager will provide +suggestions. + +![Example - Suggestion](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp) + +For example, concerning the `Title` dimension mentioned above. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md new file mode 100644 index 0000000000..b6039ba034 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md 
@@ -0,0 +1,95 @@ +# Create a Policy + +How to define policies to organize roles and rules. See the +[Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) topic +for additional information. + +## Overview + +A policy is a subgroup of the role model. It defines an ensemble of roles and assignment rules that +apply to specific identities. So policies are used to handle separately several sets of identities, +based on dimensions with different permissions and workflows. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) and +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md)topics +for additional information. + +Integrators must minimize the number of policies because it segments identities, and segmentation +implies high maintenance. Netwrix recommends using one policy per population. A population is a +group of people that can be managed following the same rules, role model, workflows, etc. This +means, for example, one policy for workers (meaning employees and contractors), another one for +partners, another one for clients. But sometimes partners are included in the same policy as +workers, it depends on the organization. + +**NOTE:** Netwrix Identity Manager (formerly Usercube) provides a default policy. Only when the +project is mature enough should integrators think about creating additional policies. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards identity management. + +| Input | Output | +| ------------------------ | ------ | +| Resource type (optional) | Policy | + +See the [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) +topic for additional information. 
+ +## Create a Policy + +Create a policy by proceeding as follows: + +![Home - Access Policies](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp) + +**Step 1 –** Access the policies screen by clicking on **Access Policies** on the home page in the +**Configuration** section. + +![New Policy](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp) + +**Step 2 –** Click on **+ New policy** at the top right corner. + +![createpolicy](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp) + +**Step 3 –** Fill in the information fields. + +The UI elements are identified as follows: + +- Identifier — Must be unique among policies and without any whitespace +- Name — Will be displayed in the UI to identify the resource type +- Provisioning — Allows provisioning for the policy +- Simulation — Allows simulation creation for the policy +- Approve Roles Implicitly — Can be enabled to bypass approval steps if the person who issues a + given role request is also the role officer +- Roles can be prolonged without a new approval workflow — Enables the policy's roles and resource + types to have their assignment's end dates postponed without any validation +- Is Managed by External Source — Can be enabled only during policy creation to indicate that its + permissions are managed by another IGA tool and are to be ignored by Identity Manager's role model + computation +- Maximum Duration — Duration (in minutes) after which the policy's roles and resource types will be + automatically revoked, if no earlier end date is specified. It impacts only the roles and resource + types which are manually assigned after the maximum duration is set. Pre-assigned items are not + impacted. +- Grace Period — Duration (in minutes) for which a lost automatic role or resource type is + prolonged. 
A review will be required to validate or decline the entitlement prolongation. Inferred + entitlements won't be lost unless the end of the grace period is reached or the prolongation is + declined. +- Lock the end date — locks manual permission's at the end date + + - Explicit, by default not context bound — By default, the assignment's end date will not be + context bound in order to encourage the manual entry of an end date + - Explicit, by default context bound — By default, the assignment's end date will be context + bound and therefore locked, but a manual date can be entered + - Never — The assignment's end date will never be locked and needs to be specified manually + - Always — The assignment's end date is always locked according to the applicable context rule + - Dimensions — Criteria that, if met, trigger the membership of given identities to the policy + +**NOTE:** What we call another IGA tool can be another application or even another version of +Identity Manager. + +**Step 4 –** Click on **Create**. + +Once you have completed the steps the policy is created. + +## Verify Policy Creation + +In order to verify the process, check that the policy has been added with the right options to the +list on the **Access Policies** page. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md new file mode 100644 index 0000000000..7511d3f01a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md 
@@ -0,0 +1,178 @@ +# Manage Risks + +How to use the [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) module to +identify entitlement assignments that pose a security risk, especially about segregation of duties +and high privileges. + +## Overview + +A [ Risk ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +describes a sensitive situation in which entitlement assignments need to be monitored for security +purposes. Examples include: + +- Segregation of duties: a situation where at least two entitlements pose a risk when assigned to + the same identity. +- High privilege: a particularly sensitive entitlement. + +[ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) is essential to auditing. +Among other things, it allows auditors to: + +- Identify the identities representing the highest security risk. +- Compute the corresponding risk score. +- Schedule and [ Perform Access Certification ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/index.md) + accordingly. + +Using risks involves three steps: + +1. Create a risk: declare the nature of the risk. +2. Create risk rules: create the rules that assign risks to identities, depending on identities' + entitlement assignments. +3. Monitor risks: via the **Identified Risks** screen or certification campaigns. + +## Participants and Artifacts + +Integrators may need the help of the application owner, security manager and role model officers to +assess risks inherent to entitlements. 
+ +| Input | Output | +| ------------------------------------------------------ | ------------- | +| Identity repository (required) Role catalog (required) | Risks catalog | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) and +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. + +## Create a Risk + +Create a risk by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Risks**. + + ![Home Page - Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp) + +2. On the risks page, click on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![New Risk](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp) + + - `Identifier`: must be unique among risks and without any whitespace. + - `Name`: will be displayed in the UI to identify the risk. + - `Policy`: [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) in which the risk exists. + - `Entity Type`: + [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) targeted by + the risk. + - `Description`: explanation of the risk that will be displayed with the exemption policy + message. + - `Remediation`: potential alternative solutions that will be displayed with the exemption + policy message. + - `Exemption Policy` See the + [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) topic for additional + information. 
+ - `Type` + - `Level`: risk level that is used to compute risk scores. + - `Rules`: a risk is based on the union of rules, themselves based on the intersection of rule + items. A rule item specifies the risk-triggering resource(s). A high-privilege risk must + contain at least one rule with one rule item. A segregation-of-duties risk must contain at + least two rule items in the same rule. + + When risks are based on the exemption policy called **Approval required**, the corresponding + role requests appear on the **Role Review** screen with a specific workflow state. See below + this note. See the + [ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + topic for additional information. + + ![Risk Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp) + + ### Write risk rules + + A risk rule is simply the condition that triggers the assignment of a risk to an identity, + depending on the identity's entitlements. + + Within Identity Manager, an entitlement assigned to an identity is represented by the value of a + given navigation property, in a resource owned by said identity. See the + [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for + additional information. + + > For example, imagine that we want to grant unlimited Internet access to the administrator + > profile of an identity. This entitlement won't be assigned directly to the identity but to + > their AD administration account. In our Active Directory, there is a resource called + > `DL-INTERNET-Restricted` identified from among AD entries as a group. Therefore, we need to + > add this group membership to the properties of the identity's AD account, using + > `DL-INTERNET-Restricted` as a value of the `memberOf` property. + +4. 
Choose the resource type to be targetted by the risk. See the + [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + + > We choose `AD User (administration)` to prevent this situation from happening in our example. + +5. Choose the navigation property that corresponds to the situation. + + > `memberOf` in our example. + +6. Choose a value for this navigation property. The value would be a resource from the unified + resource repository. See the + [ Identity Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/identity-management/index.md) topic + for additional information. + + > The group `DL-INTERNET-Restricted` in our example. + + ![Risk Item Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp) + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + > In our example, a risk is identified for a person as soon as their administration AD account + > is part of the `DL-INTERNET-Restricted` group. + +7. Click on **Create**. + + Risks are taken into account from the moment the `Compute Resource Risk Scores` task runs (or + the complete job which contains said task). + + The `Compute Resource Risk Scores` task doesn't need to be launched right away, but new risks + can't be identified before it runs at least once. + +## Monitor Identified Risks + +After creating at least one risk and computing risk scores, identified risks are listed on the +**Identified Risks** screen, accessible from the home page in the **Administration** section. 
+ +![Home Page - Identified Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp) + +![Identified Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp) + +For a given identity in the list, user information can be viewed and accessed by clicking +respectively on the eye and arrow buttons on the right-hand side. + +## Impact of Modifications + +Modifications in a risk are taken into account only after running the `Compute Risk Scores` task. +Therefore, risk scores are computed according to the new parameters. + +**After a modification:** while risk scores are computed for all identities and assignments +(pre-existing and newly created), a modified exemption policy is applied only to future entitlement +assignments. For example, changing the exemption policy of a risk from warning to blocking won't +remove entitlements from the identities who already have them. But future assignments are going to +be blocked. + +The deletion of a risk simply triggers the computation of risk scores during the next +`Compute Risk Scores` task, and removes any exemption policy steps in an assignment request. See the +[ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) topic for additional +information. + +## Verify Risk Management + +In order to verify the process, assign to a fake identity a permission that is supposed to trigger +the created risk, and check the consequences: + +- The message displayed at the end of the entitlement request must correspond to the configuration + of the exemption policy. See the + [ Risk Management ](/docs/identitymanager/6.2/identitymanager/integration-guide/governance/risks/index.md) topic for additional + information. +- Once the entitlement is assigned, a line must appear on the **Identified Risks** page. 
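Review bot: The task that activates a risk is named two ways in this hunk: step 7 of the risk-creation procedure says `Compute Resource Risk Scores`, while "Impact of Modifications" says `Compute Risk Scores` twice. Because new or modified risks are not evaluated until that task runs, an administrator needs one unambiguous name to look for, so use whichever name the product displays in all three places. In the same procedure, the paragraph "This final value is an entitlement, linked to the owner identity through the navigation property and the ownership relationship." appears twice in a row after the step 6 screenshot, so one copy should go. Step 4 has "targetted" for "targeted". The sentence "See below this note." before the Reconcile a Role link points at nothing identifiable and can be dropped or replaced with a reference to the screenshot that follows.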
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md new file mode 100644 index 0000000000..292c21f17a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md 
@@ -0,0 +1,143 @@ +# Perform a Simulation + +How to assess the impact of a modification on the role model, including the role catalog, role +assignment rules and resource correlation rules, using a dedicated +[Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md). See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md)[ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md), +and [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) topics for additional information. + +## Overview + +Identity Manager's simulations gather roles and rules which are to be created, modified or deleted, +without being inserted in the actual role model straight away. More specifically, a simulation can +involve: + +- Correlation rules and classification Rule; +- Scalar rules and navigation rules; +- Resource Type rules; +- [ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) + and + [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [Single Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) + and + [Composite Role Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). 
+ +See the [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md) +[ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md), +and +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topics for additional information. + +A simulation can also be created by the +[ Perform Role Mining ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) for the automation of role +assignments. + +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +NETWRIX recommends using simulation whenever performing an action (creation/modification/deletion) +on the role model. + +## Participants and Artifacts + +Integrators are able to perform simulation if they master the new role model. + +| Input | Output | +| -------------------------------------------------------------------------------------------- | ------------------ | +| Role catalog (optional) Automate Role Assignments (optional) Categorize Resources (optional) | Updated role model | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md), and +[ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topics for additional information. 
+ +## Launch a Simulation + +Launch a simulation by proceeding as follows: + +1. Access the simulation list by clicking on **Simulations** on the home page, in the + **Configuration** section. + + ![Home - Simulations](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp) + + ![Simulation List](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp) + +2. Create a new simulation by clicking on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![Simulation List](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp) + +4. Click on **+ Create**. +5. Perform changes through the **Roles Changes** and **Rules Changes** tabs and the following icons, + respectively for addition, modification and deletion: + + ![Edition - Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Recommendation Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg) + + ![Discouragement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg) + + At any time, you can click on the line of a previously made change to access its description, + even click on **Cancel** to erase it. + + ![Cancel Change](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp) + +6. Click on **Start** to launch the simulation. + + ![Start Simulation](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp) + +7. After a few seconds, click on **Refresh** to display the simulation results. +8. 
Observe the results in the overview and in the Excel report available via the Download button. + + ![Download Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +## Shift from Simulation to Production + +After all needed changes have been simulated, you can decide to apply or cancel them. + +![Apply or Cancel Changes](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp) + +Then, the simulation is no longer active. + +Clicking on **Apply** applies the simulated changes to the role model. You need to launch the +[ Compute Role Model Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +to observe the actual changes in users' entitlements. + +## Impact of Modifications + +Once you've applied or canceled the changes of a simulation, said simulation is no longer active. If +you still need to simulate changes on the same policy, you can create a new simulation. + +Deleting a simulation doesn't impact the role model. It simply undoes the simulated changes which +haven't been applied yet. + +## Verify Modification + +In order to verify the process, check that the roles and rules are created with the right +parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select the type of role that you want to check, and find the roles you created inside the right +category and with the right parameters. 
+ +![Select Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select the type of rule that you want to check, and find the rules you created with the right +parameters. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md new file mode 100644 index 0000000000..b595f0cc40 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md 
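Review bot: The opening sentence of the new "Perform a Simulation" page reads "using a dedicated [Create a Policy](...)", where the link title has replaced the noun; it should say "using a dedicated policy" and keep the link on the word "policy" or in the "See the ... topics" sentence that follows. That following sentence is also missing the comma between the Automate Role Assignments and Correlate Resources links, as is the "See the" sentence in the Overview between Correlate Resources and Resource Classification Rule. In step 5 of "Launch a Simulation" the three icons are introduced as addition, modification and deletion, but their alt texts are "Edition - Approval Icon", "Recommendation Icon" and "Discouragement Icon", and the `simulation_new_v602.webp` screenshot in step 3 reuses the alt text "Simulation List"; alt text should name what each image shows. The Input cell of the "Participants and Artifacts" table runs three entries together with no separator, so add line breaks or commas between them.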
@@ -0,0 +1,191 @@ +# Classify Resources + +How to define +[ Resource Classification Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +in order to classify remaining uncorrelated resources, assigning them resource types. See the +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for additional information. + +## Overview + +### Classification purpose + +Classification is the process of putting on an existing resource a label called resource type, to +show its intent and/or purpose within the managed system. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Every resource type can be assigned a set of classification rules. + +### About the confidence rate + +As the aim here is to classify uncorrelated resources in a given managed system, classification +rules are going to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. + +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. 
But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule +is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. 
+ + ![Correlation Review - Resource Reconciliation Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. resources and property values from the managed systems that are not allowed by a rule +in Identity Manager. The **Provisioning Review** page displays the resource and property changes +whose workflows require a manual approval. + +### Classification rule example + +Classification rules are commonly based on logins or organizational units. Account types are usually +assigned specific strings to be easily recognized, such as for example `adm` for administrator +accounts. They can also include the employee identifier which includes specific digits according to +the account type. + +Consider an organization that places basic users in organizational units `Users` and `Locations` +with a CN starting with `U`. This means that a basic user should have a `dn` attribute different +from zero, containing `OU=Users` and `OU=Locations`, and starting with `CN=U`. Then, a +classification rule could take as a target expression: + +``` + +return resource.dn != null && resource.dn.Contains("OU=Users,") && resource.dn.Contains("OU=Locations,") && resource.dn.StartsWith("CN=U"); + +``` + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) (required) [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md) (recommended) | Classification rules | + +## Create a Classification Rule + +The principle of a classification rule is to use the expression of the target object, to assign (or +not), the resource type to said object. + +Fill a resource type with a classification rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. + + ![New Classification Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp) + + Classification rules can also be created through the **Access Rules** screen (accessible from + the home page, in the **Configuration** section), clicking on the **Classifications** tab and + the addition button at the top right corner. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. 
+ + ![New Classification Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp) + + - **Target Object** > `Expression`: C# expression based on the resource that needs to be + classified. + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order.. + > Our overview example would look like: + > + > ![Classification Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify + Resource Types** to apply the new classification rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a classification rule doesn't trigger a new +computation of classification for the resources that are already categorized, i.e. both classified +and correlated. The new version of said classification rule will be applied only to new resources +along with the existing resources whose correlation and/or classification was not yet reviewed (as +unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. + +This also means that only non-conforming resources (displayed on the **Resource Reconciliation** +screen) can have their classification questioned and re-computed. 
+ +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in classification rules. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +Any modification in classification rules is taken into account via the classification job: on the +connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource +Types**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Classification + +In order to verify the process, analyze samples and check that all objects are classified, and well +classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu +of the home page. + +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be configured via XML to customize all displayed columns and available +filters, especially the **Uncategorized** filter that spots unclassified resources, and the **Owner +/ Resource Type** column that shows the resource type assigned to each resource. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp) + +Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must +analyze a few samples to ensure that resources are classified in the right resource type. 
+ +## Troubleshooting + +If a resource is not classified (or not correctly), then: + +![Unclassified Resource](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp) + +- If the resource is correlated, check whether the corresponding correlation rule is in the right + resource type. +- If the resource is not correlated, check the validity of the classification rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md new file mode 100644 index 0000000000..857680ae7c --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md 
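Review bot: In "About the confidence rate" on the new "Classify Resources" page, the two descriptions of the threshold disagree at exactly 100%: the first list makes 100 to 150% automatic and 0 to 99% subject to review, but the "In other words" bullets speak of rates "above 100%" and "below 100%", which leaves a rule set to 100% uncovered. This threshold decides whether a classification is applied without a resource manager's review, so the second list should say "100% or above" to match the first. In "Classification rule example", the prose says the `dn` attribute should be "different from zero" while the expression checks `resource.dn != null`; "not null" is the accurate wording. In step 2 of "Create a Classification Rule" the `Confidence Rate` bullet ends with "..", and in "Impact of Modifications" the paragraph starting "This also means that only non-conforming resources" repeats the one starting "Thus only non-conforming resources" two paragraphs earlier, so one of them can be removed.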
@@ -0,0 +1,214 @@ +# Correlate Resources + +How to define the +[ Resource Correlation Rule ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +to match up resources across systems, usually accounts with their owner. + +## Overview + +### Correlation purpose + +Correlation is the process of establishing an ownership relationship between a source resource +(usually an identity) and a target resource (usually an account). It is the basis of the link +between an identity and their fine-grained entitlements. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Every resource type can be assigned a set of correlation rules. + +Correlation rules must be created with caution as an error in the correlated attributes may result +in the unwanted assignment of a given account to an existing user. + +Correlation should be based on immutable attributes, for example codes that don't change during the +resource's lifecycle rather than display names that can vary in time. This method prevents +integrators from losing the history of the changes made to a resource after a correction. + +> In addition to display names, counter-examples for correlation properties are: positions; marital +> names; locations, etc. + +### About the confidence rate + +As the aim here is to correlate all resources in a given resource type, correlation rules are going +to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. 
+ +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule +is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. 
not requested manually nor assigned by a resource type rule. For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. resources and property values from the managed systems that are not allowed by a rule +in Identity Manager. The **Provisioning Review** page displays the resource and property changes +whose workflows require a manual approval. + +### Correlation rule examples + +Consider AD accounts (target) and their owners (source). A classic example is to try and correlate +identities and AD accounts based on the first name and last name. We can write a correlation rule +that states that, for a given identity, Identity Manager looks for all AD accounts that bear the +same first name and the same last name. All AD accounts that match this description are said to be +correlated to the identity. The identity becomes the owner of the accounts. + +A set of correlation rules for a resource type could be: + +- a rule with 100% confidence on login + name + first name; +- a rule with 90% confidence on login only. + +Usual rules can also be made, for example, on: + +- name + first name using phonetics to avoid typos; +- first name + name + entry date if the entry date is known in the source systems; +- email address; +- Windows login. + +Correlation rules don't have to compare equivalent properties from Identity Manager and from the +managed system. A rule can compare for example users' `Login` from Identity Manager with their +`sAMAccountName` from the AD, even using C# expressions if needed. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| Identity repository ( (required) Resource types (required) [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Correlation rules | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) and +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topics for additional information. + +## Create a Correlation Rule + +The principle of a correlation rule is to compare the expressions of the source and target objects. + +Fill a resource type with a correlation rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. + + ![New Correlation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp) + + Correlation rules can also be created through the **Access Rules** screen (accessible from the + home page, in the **Configuration** section), clicking on the **Correlations** tab and the + addition button at the top right corner. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. 
+ + ![New Correlation Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp) + + - **Source Object**: at least one property from the source system that is going to be linked to + a given target object. Can be defined by a property path and/or an + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md). + - **Target Object**: one property from the managed system that is going to be linked to a given + source object. Can be defined by a property path and/or an + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order. + > In this example, a person via their login and name, is the owner of a nominative AD + > account via its `sAMAccountName` attribute and display name: + > + > ![Correlation Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare + Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on + **Jobs** > **Compute Role Model** to apply all correlation rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a correlation rule doesn't trigger a new computation +of correlation for the resources that are already correlated. 
The new version of said correlation +rule will be applied only to new resources, along with the existing resources whose correlation was +not yet reviewed (as unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in correlation rules. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +Any modification in correlation rules is taken into account via the following jobs: on the connector +dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and +then on **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Correlation + +In order to verify the process, check the list of +[Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) +and analyze them to look for patterns revealing correlation issues. To do so, click on the target +entity type(s) affected by your rule(s) in the left menu of the home page. 
+ +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be configured via XML to customize all displayed columns and available +filters, especially the **Orphan** filter that spots resources without an owner, and the **Owner / +Resource Type** column that shows the owner assigned to each resource. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp) + +A knowledgeable person must analyze a few samples to ensure that resources' owners can all be +justified, meaning that orphaned accounts are supposed to be so, and that correlated resources are +matched with the right owner. + +Another possibility of correlation validation is to compare the number of AD accounts to the number +of users. However, keep in mind that several accounts are sometimes assigned to a single user. + +## Troubleshooting + +If a resource is not correlated (or not correctly), then: + +![Uncorrelated Resource](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp) + +- Check the validity of correlation rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md new file mode 100644 index 0000000000..4396eb04e2 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md 
@@ -0,0 +1,155 @@ +# Categorize Resources + +How to correlate managed systems' resources with identities, classifying resources into +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). + +## Overview + +Managing resources can quickly become chaotic when the number of resources increases significantly. +You will need to manage orphaned (without an owner) and unused accounts through resource reviews, +and make sure that all accounts follow their owner's lifecycle. To do so, resources can be +categorized, which for our purposes means two things. They are: + +- correlated with their owners, so that accounts follow the corresponding identity's lifecycle. + > For example, if a user leaves the company, then their account is deactivated accordingly. +- classified according to their intents, in other words you need to specify resources' functions or + goals within the managed system, especially in terms of security; + > For example, a basic user account (low-privileged) and an administrator account + > (high-privileged) have different intents. These two distinct account types are handled in + > different ways security-wise, and they represent different entitlements with different + > security measures applied. + +Categorization is designed to help resource managers to easily identify a resource's owner and +purpose. + +> For example, when Identity Manager spots an orphaned account, resource managers must be able to +> determine whether the account should have an owner, or if it is a service/technical account and +> thus does not need an owner. + +### Technical principles + +Technically, Identity Manager uses the notion of resource types to categorize resources. A resource +type is, in fact, a way to gather similar resources under one meaningful name, because they have the +same intent. 
+ +> Our example above would use a resource type `AD User (administration)` to group all AD +> administrator accounts, and `AD User (nominative)` to group all AD basic user accounts. + +Thus, a resource type is a name that informs users about the intent of a resource. As stated above, +it serves to implement our two elements of categorization. This happens with two distinct sets of +rules, one for correlation, and the other for classification. + +**Classification** is a process that simply aims to assign a resource type to specific resources. A +specific resource can only be assigned a single resource type. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +![Classification Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp) + +Any resource that is unclassified will not be available for review. + +**Correlation** is a process that aims to establish an ownership relationship between two resources. +In most cases, an identity resource that becomes the owner of an account resource. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +![Correlation Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp) + +While an owner can possess several resources, a resource can have only one owner. + +Some resources are orphaned (without an owner) for good reasons. For example service/technical +accounts are often used by applications to access data held in Identity Manager or other managed +systems and don't belong to a specific user. + +As stated previously, both classification and correlation work through sets of rules. 
+ +> For basic users, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp) +> +> For basic users, we have in the AD: +> +> ![Example - Basic Users in AD](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email +> franck.antoine@acme.com = franck.antoine@acme.com 2. displayName = user's last name + user's first +> name Antoine Franck = Antoine + Franck | + +> For administrators, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp) +> +> For administrators, we have in the AD: +> +> ![Example - Admin Users in AD](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id +> A28022 = A + 28022 2. displayName = "ADM" + user's last name + user's first name ADM Colin Jean = +> ADM + Colin + Jean | + +Sometimes you may not know if your rules are always going to apply. Therefore, each rule expresses a +certain level of confidence. Identity Manager will establish a priority order between rules based on +the confidence rate, and will also act differently depending on whether the confidence rate is above +or below 100%. See the [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md) topic for additional +information. 
+ +A resource type can have zero correlation rules, since accounts can be without owners. But a +resource type with neither correlation nor classification rules serves no purpose. + +**Correlation triggers classification:** a matching correlation rule for a given resource type will +perform both actions of categorization: both correlating a resource with its owner, and classifying +the resource at the same time. + +See below this note. + +Hence, integrators should start with correlation rules, and then write classification rules for any +remaining uncorrelated resources. + +In the same way, Identity Manager will apply correlation rules before classification rules. + +![Categorization Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp) + +Now that you have created resource types and their correlation/classification rules, you have +created the first elements for your role model. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. The role model contains all the roles and rules which drive the +entitlement assignment logic inside Identity Manager. + +A role model is made up of +[Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) which +contain roles, rules and resource types. Most often the default policy is enough. However, in more +complex situations, additional policies can be created to separate groups of roles, rules and +resource types. See the [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) topic for +additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Categorized resources Correlated accounts Orphaned account list | + +## Categorize Resources + +Categorize resources by proceeding as follows: + +1. Create at least one [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md); +2. Create the appropriate [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md); +3. Create the appropriate [ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) for accounts that do not + have an owner. + +Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting correlation and +classification rules using [ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) in order to +previsualize changes. + +## Next Steps + +Once accounts are categorized, integrators can start to +[ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). 
+ +Categorization also enables the +[Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md new file mode 100644 index 0000000000..295f938015 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md 
@@ -0,0 +1,223 @@ +# Create a Resource Type + +How to create the container for future correlation and classification rules inside a given managed +system. + +## Overview + +A +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +is created to highlight differences in intent between resources. It materializes the organization's +profiles. In a given managed system, different types of resources have different security needs. + +> For example, can usually be found: +> +> - nominative accounts for basic user accounts with low privileges; +> - administrator accounts for accounts with higher privileges, on several administration +> entitlements levels; +> - generic accounts, i.e. shared by a group of users (often for testing use); +> - old in opposition to new accounts because of potentially evolving naming conventions; +> - service accounts owned by applications instead of users. + +In practice, a specific resource type is created for a given resource when there are differences in: + +- the owner type (for example worker, partner, customer, application, robot, etc.); +- the required set of classification and/or correlation rules; See the + [ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md), and + [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md) topics for additional information. +- the approval circuit for a resource's modification or assignment, i.e. the number of required + approvals, validators, etc.; +- the type of provisioning (manual or automatic). See the + [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) topic for additional information. + +### Source vs. target resource + +Resource types are the vessel for ownership relationships. 
They involve the definition of source and +target objects chosen from among the properties of existing entity types. The source (usually +identities) is the owner of the target (usually resources from your managed systems, such as a +nominative AD account). This relationship is the basis for correlation as much as for future +provisioning. See the [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md), +[ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md), +and[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) topics for additional information. + +See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| --------------------------------------------------------------------------------------- | ------------- | +| Identity repository (optional) Target connector (required) Synchronized data (optional) | Resource type | + +See the +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md)[ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md), +and [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) topics for additional information. + +## Create a Resource Type + +A new resource type requires an existing entity type. 
See the +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. + +Create a resource type by proceeding as follows: + +1. On the relevant connector page, click on the addition button in the **Resource Types** frame. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + Resource types can also be created through the **Access Roles** screen (accessible from the home + page, in the **Configuration** section), using the **+ New** button and selecting + `Resource Type` in the first field called `Type`. + + ![Home - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. Fill in the fields. + + ![New Resource Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp) + + - `Identifier`: must be unique among resource types, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to identify the resource type. + - `Policy`: [policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) in which the resource type + exists. + - `Source Entity Type`: entity type (from any existing connector) used to fill the target entity + type. + - `Target Entity Type`: entity type (part of the connector) to be filled with the source entity + type. + - `Category`: category assigned to the resource type. 
It can be chosen from among the existing + categories or [created](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) directly from the + categories list by clicking on the **+ Category** button. + - `Approval Workflow`: represents the number of validations required to assign a resource from + this type to an identity. + - `Approve Role Implicitly`: relevant only for workflows with at least a simple approval + process. `Implicit` mode bypasses the approval step(s) if the person who issues the role + request is also the role officer. `Explicit` refuses said bypass. `Inherited` follows the + policy decision to approve role implicitly or not. See the + [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) topic for additional + information. + - `Prolongation without a new approval workflow`: enables the resource type to have its + assignment's end date postponed without any validation. `Inherited` follows the policy + decision to enable this option or not. See the + [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) topic for additional + information. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Arguments Expression`: when using a connection for automatic provisioning, C# expression used + to compute a dictionary of strings in order to compute the arguments of + [provisioning](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) orders, such as the identifier of + the workflow to launch within Identity Manager, or the identifier of the user's record to + copy. 
See the [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) topic for additional + information. + - `Allow Addition`: enables Identity Manager to automatically create new resources in the + managed system when their owners are given the right entitlements. Otherwise, resource + managers must create resources manually directly in the managed system. + + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Addition` disabled. In this case, if we give the role + > `SAP` to a user, then said user doesn't automatically receive an SAP account. The relevant + > resource manager must create an account for said user in the SAP application. + + - `Allow Removal`: enables Identity Manager to automatically deprovision resources in the + managed system when their owners are deprived of the right entitlements. Otherwise, Identity + Manager is able to delete resources in the managed system only with a manual approval on the + **Resource Reconciliation** screen. + + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Removal` disabled. Finally, consider a given user who + > has the role `SAP` and the corresponding SAP account. In this case, if we deprive said + > user from the role `SAP`, then the SAP account isn't automatically deleted. Identity + > Manager displays this assignment as non-conforming on the **Resource Reconciliation** + > page, and the relevant resource manager must confirm the account deletion. + + **Allow Addition / Allow Removal:** + + These options set to `No` are interesting especially in testing mode when the role model + isn't entirely reliable yet. + + - `Remove If Orphaned`: enables Identity Manager to automatically deprovision resources when + their owner is deleted. Otherwise, said resources are displayed on the **Resource + Reconciliation** screen. 
Can be activated only if `Allow Removal` is activated too. + - `Require Provisioning Review`: forces an additional mandatory review of all provisioning + orders for the resource type (on the + [ Review Provisioning ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + screen). + + > Consider AD accounts. While nominative accounts can be provisioned without specific + > precautions (option set to `No`), administrator accounts sometimes require an additional + > review (option set to `Yes`). + + This option can be bypassed when computing the role model by clicking on the **Compute Role + Model, no provisioning review** job in the **Resource Type** frame on the connector's + overview page. + + - `Discard Manual Assignments`: allows the provisioning of a new value computed by a + provisioning rule for a property, based on a change in the source data, no matter the + property's current workflow state. + + Set to `No`, any manual change of a property's value made directly in the target system will + be "protected" (only after the change is approved in Identity Manager in **Resource + Reconciliation**). It means that a future change in the source data will not trigger the + provisioning of the new value. Instead, Identity Manager will keep the value of the manual + change, and state the value as `Questioned`. + + > Consider an HR system (source) whose data isn't often synchronized into Identity Manager. + > Let's say that a user marries and changes their name. In this case, the value in Identity + > Manager needs to be updated (via workflows) so that all managed systems are updated too + > with the new name. However, `Discard Manual Assignments` should be enabled because the HR + > system should still be the authoritative source in case of another change. + + - `Correlate Multiple Resources`: enables Identity Manager to link a single owner to several + existing target objects from this resource type. 
+ + > Consider records, representing users' positions in the resource type + > `User Record (from HR)`. In some organizations, one user can have several records at once, + > or have several records that overlap, and these records can be created either via Identity + > Manager's workflows or via the upload of an HR file. Thus, on the one hand it is complex + > to anticipate the number of records created for an identity, on the other hand there + > shouldn't be records without an owner. In other words, when creating a new record via a + > workflow, we want the record to be linked to the right user, whether or not a record is + > already linked to the user's HR sheet. Therefore, the correlation of multiple resources + > (of the same resource type) to a single owner should be permitted. + + - `Transmitted State Validity`: The period in minutes during which fulfillment orders can stay + in Transmitted/Executed state. When the time is exceeded the orders are set in error state. + - `Depends On Resource Type`: potential resource type (other than the one presently created) + which must be provisioned for a given identity before this resource type can be created for + said identity. + + > This option can be used so that a user must have an AD account before they can own an + > Exchange account, because the Exchange account needs the AD account's address. + + - `Depends On Owner Property`: potential properties which must be filled for a given identity + before this resource type can be created for said identity. + + > This option can be used so that a user must have a ServiceNow identifier before they can + > own an AD administrator account, because the AD administrator account needs this random + > identifier computed by ServiceNow in order to be able to perform manual provisioning in + > ServiceNow. + +3. Fill the **Fulfill Settings** arguments according to the selected package. 
+ + Integrators need to know the required provisioning connection, especially whether the connection + is about manual or automated provisioning. Automatic provisioning means that Identity Manager + writes in the managed system. Manual provisioning means that Identity Manager isn't allowed to + write directly inside the managed system, and thus it creates tickets so that resource managers + perform the needed changes. + +4. Click on **+ Create & Close** > **Create**. + +## Verify Resource Type Creation + +In order to verify the process, check that the resource type has been added with the right options +to the list on the **Access Roles** page, accessible from the home page in the **Administration** +section. + +![Home - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +![Test Connector](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-global-settings/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-global-settings/index.md new file mode 100644 index 0000000000..25d2e4b3cf --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-global-settings/index.md 
@@ -0,0 +1,48 @@ +# Configure Global Settings + +This topic covers the customization in the application **Settings**. + +## Overview + +The Settings interface provides information and management options for the application. + +![accesscertificationonlyapprovedenysettings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp) + +### Look and Feel + +The **Look and Feel** section allows you to customize the application to your preferences. + +The customization includes the following: + +- **Application Title**as the name of the application visible on the tabs +- The **Primary Color**, **Secondary Color**, **Banner Color**, **Banner Gradient Color**, **Banner + Selected Tab Color**, and **Banner Text Color** +- The **Logo** to be displayed in the top left corner; + +### Languages + +It presents the languages in which the application can be displayed. In the above example you have +English-United States and French-France. + +See the [ Languages ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/languages/index.md) topic for additional +information. + +### Features + +The feature **Only allow approving and refusing on access certifications items** gives the +administrator the option to limit the user's option to either **Approve** or **Deny** the Access +Certification items while making the **More** button unavailable. 
+ +![allowapprovingdenyingaccesscertificationitems](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) + +If the feature **Only allow approving and denying on access certification items** is set to **No** +the following will be visible on the certification screen: + +![accesscertificationonlyapprovedeny](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp) + +If the feature **Only allow approving and denying on access certification items** is set to **Yes** +the following will be visible on the certification screen: + +![accesscertificationonlyapprovedeny-disabled](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) + +This is how the user's experience can be customized directly from the UI. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-workflows/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-workflows/index.md new file mode 100644 index 0000000000..3ca4132f2e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-workflows/index.md 
@@ -0,0 +1,111 @@ +# Configure Onboarding Workflows + +How to adjust the validation process and homonym detection of onboarding +[Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md). + +## Overview + +Onboarding workflows are the processes that users follow in order to add in Identity Manager a new +user, as a new employee has arrived in the company. + +The most common situation consists in having two onboarding workflows: one for employees and one for +contractors. The Workforce Core Solution module provides these two workflows. + +Usually, using one of these workflows means: + +1. filling a form containing the new user's information, such as their name, first name, contract + type, job title, etc; +2. if needed, sending the request of user creation for review by a knowledgeable user. + +See how to +[ Update an Individual Identity ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md)in +Identity Manager. + +### User Creation Review + +Identity Manager provides the review step as optional, for its necessity depends on the situation. + +To perform the review of a user creation, one should have the right permissions. + +![Review Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp) + +When a review is needed, a notification appears on the **MY TASKS** tab at the top. + +![My Tasks Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +The reviewer can then complete the creation request and finally approve it. + +### Homonym Detection + +User creation often benefits from a homonym detection that checks if the resource already exists in +the system, preventing duplicates. + +Identity Manager provides a homonym detection, whose parameters can be adjusted. 
+ +See the [Workflows](/docs/identitymanager/6.2/identitymanager/integration-guide/workflows/index.md) topic for additional information. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the expected validation +process and homonym detection during users' onboarding. + +| Input | Output | +| ------------------------------ | ----------------------------- | +| Identity repository (required) | Adjusted Onboarding Workflows | + +See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for +additional information. + +## Configure Onboarding Workflows + +Configure onboarding workflows by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** > + **Onboarding Workflows** in the left menu. + + ![Home - Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. For each workflow, choose whether a review step is required. + + ![Workflows Review Steps](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp) + + Netwrix Identity Manager (formerly Usercube) recommends enabling the review for the onboarding + of employees, and disabling the review for contractors. + + From experience, in most use cases, the onboarding of new workers is done by their managers, and + HR people review the creation of employees and not contractors. It also happens that HR people + are in full charge of employees, in which case they do the onboarding and don't need a review. + +3. Configure the homonym detection. 
+ + ![Workflows Homonym Detection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp) + + Netwrix Identity Manager (formerly Usercube) recommends enabling the birth name comparison to + detect user duplicates due to name changes, when the GDPR supports it. + + The other parameters for homonym detection should be enabled/disabled according to your needs. + +4. Click on **Save** at the top of the page. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Workflow Configuration + +Validate the process by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Execute the workflows for a new employee and a new contractor. +3. Make sure that the homonym detection works in accordance with the specified options. + + > For example, if the inversion comparison is enabled between the first and last names: + > + > ![Workflows Homonym Detection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp) + +4. Make sure that the potential validation steps are in accordance with the specified options. + +## Next Steps + +Once onboarding workflows are configured, integrators can start configuring a connector. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md new file mode 100644 index 0000000000..ca43f56095 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md 
@@ -0,0 +1,169 @@ +# Create a Connection + +How to create a +[ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +inside a +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +and choose the appropriate package. + +## Overview + +A connection is the information that allows to connect to a managed system, which includes +credentials and path. + +There is a minimum of one connection per connector. In many cases, there is one connection +to[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md)and one connection for +[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md). + +A connection is associated with a package, representing the technology to use for the data transfer. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ------------------------------------------------------- | ------------- | +| Connector container(required) Connector model(required) | Connection(s) | + +See the [ Create the Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) and +[ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) topics for additional information. + +## Create a Connection + +Create a connection by proceeding as follows: + +1. Click on the addition button in the **Connections** frame on the connector's summary page. + + ![Add a New Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp) + +2. 
Fill in the connection information fields on the left, then select a package (AD, CSV, etc.) and + fill the associated agent settings on the right. + + ![Connection Creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp) + + - `Identifier`: must be unique among connections, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. + - `Name`: will be displayed in the UI to identify the connection. + - `Package`: the technology that enables the connection. Choose the package that fits best the + managed system. See details below. + - `Agent Settings`: depends on the selected package. + + Then click on **Create & Close**. + +### Select a package + +A package is chosen according to the following constraints: + +- What kind of technologies do we need? + + > An Active Directory, a plain CSV file, etc. + +- Do we need incremental or complete synchronizations, or both? + + Incremental synchronizations, usually launched approximately every two hours, are to be + performed for real-time needs, while complete synchronizations, scheduled no more than once a + day, will recover any changes that may have slipped through the cracks of the incremental + synchronizations. See the + [ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) + topic for additional information. + +- Do we need [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md)? If so, should provisioning be + performed manually or automatically by Identity Manager? + +NETWRIX recommends starting by creating a connector that only does synchronization, and do not worry +yet about provisioning. It allows Identity Manager to read data from your managed system, without +writing to the system. 
+ +One connector can contain several connections, and each connection contains one package. + +> For example, an `AD` connector, that will handle synchronization and provisioning between Identity +> Manager and an AD, would generally use the `Directory/Active Directory` package which can do +> synchronization and automated provisioning. A second package for manual provisioning, +> `Ticket/Usercube` could be added to request manual provisioning of administration accounts that +> need more security. + +Each type of package needs its own settings, and secured options can be used to store sensitive +connection information. See the +[Connections](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/configuration-details/connections/index.md) +topic for additional information. + +## Refresh Schemas + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Identity Manager refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. + + ![Refresh all Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. 
+ +![Failed Refresh Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "_There is no schema for this connection_". + +![No Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Impact of Modifications + +Changes on a connection may imply changes in the connector's entity types. When a connection schema +changes, a warning may appear in the entity type screen indicating that a mapped property doesn't +exist anymore. + +## Verify the Connection + +In order to verify the process: + +1. click on **Check Connection** to ensure that Identity Manager can reach the managed system; + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + + Some connectors have both incremental and complete setting modes. See the + [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md)topic for additional + information. They are relatively independent so they both need to be tested. + +2. check that the connection appears in the **Connections** frame with the right options, and + without the Failed icon. 
+ +![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +## Troubleshooting + +If the Failed icon appears, then: + +![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +Ensure that the schema of the connection is refreshed. + +If the schema couldn't be recovered, then: + +![Schema Not Recovered](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp) + +- Ensure that the managed system is properly connected. +- Check the connection's settings. + + > Example: For a CSV connection, ensure that the file paths are written correctly in full, such + > as `C:/UsercubeDemo/Sources/Directory.xlsx`. + +You may have a schema that could not be recovered if you work with a system without a direct access +to the agent. In this case, schema refreshment will fail but that does not mean that there +necessarily is a problem. + +Try again from a system that can access the agent. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md new file mode 100644 index 0000000000..676489e2f7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md 
@@ -0,0 +1,66 @@ +# Create the Connector + +How to declare the technical container of a +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md). + +## Overview + +Here, you will learn how to create a connector: the shell that harbors entity types and connections +related to a single managed system. + +Keep in mind that a Identity Manager installation can have more than one agent. Connectors should be +created with a specific agent in mind since the agent needs to physically connect to the managed +system's data. Fortunately, you don't need to worry about that right now, since you are starting +with the agent provided with Identity Manager's SaaS environment. See the +[ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md) topic for additional +information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ----- | --------------- | +| - | Empty connector | + +## Create a Connector Container + +Create a connector container by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Connectors** button. + + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + + You will see all existing connectors. + +2. Click on the addition icon and fill in the information fields. 
+ + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Connector creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp) + + - `Identifier`: must be unique among connectors, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. + - `Name`: will be displayed in the UI to identify the connector. + - `Agent`: agent that the connector is supposed to use. + + Netwrix Identity Manager (formerly Usercube)recommends choosing the provided SaaS agent. + + - `Complete Job`: [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md) scheduled to + perform a set of tasks, including completesynchronization and/or provisioning for all the + connectors, for which you selected the corresponding checkbox. + - `Incremental Job`: [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md) scheduled + to perform frequently a set of tasks, including incrementalsynchronization and/or provisioning + for all the connectors, for which you selected the corresponding checkbox. + +3. Click on **+ Create** to get on the connector's overview page: + + ![Connector page](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp) + +## Verify the Connector Declaration + +In order to verify the process, check that the connector has been added to the connectors list with +the right name and identifier. + +![Test Connector](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp) 
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md new file mode 100644 index 0000000000..9e368e6f39 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md 
@@ -0,0 +1,493 @@ +# Model the Data + +How to choose the appropriate model for a connector's data. + +## Overview + +In this part, you work outside Identity Manager to define the model that is going to be used in the +next steps to represent a managed system's resources and entitlements inside Identity Manager, as a +connector. + +This page is no technical procedure, but rather a guide aiming to give a global view on connectors +(with their components and their purpose), in order to help integrators choose the most appropriate +way to model the managed system in the form of a connector later inside Identity Manager. + +The aim is to think about said managed system in order to specify: + +- what data you need to import into Identity Manager; +- how you are going to organize this data together, and model it as a connector inside Identity + Manager. + +### Useful data + +Modeling the connector is a matter of identifying what data you want to get into Identity Manager. +You should not retrieve all the data from the managed system, but only two kinds of useful data: + +1. data that represents how the authorization system works in the managed system, i.e. data that + composes entitlements and their assignments; +2. data that you want to watch and/or control and/or fulfill. + +The model must take both into account. So both kinds of data must be extracted from the managed +system. + +> Let's take an example. An Active Directory manages authorization through group membership (using +> the user-group paradigm). +> +> So first we need to retrieve both groups and accounts, in order to manage the AD's assignments of +> entitlements for our users (in the AD language: manage their accounts and group memberships). +> +> Secondly, we want to control attributes such as the name or e-mail of the account, and ensure they +> are consistent with the correlated identity. Thus these attributes are the second kind of +> information that we want to retrieve. 
+ +### Data models + +Fortunately, you won't have to design your connector model from scratch. NETWRIX has done a little +work ahead, and you are presented here with four model templates that have proven to work so far. +Experience shows that most managed systems can be shaped using one or a mix of the following: + +- the User model is the most simple model for a connector, where a user is directly associated with + a list of entitlements; +- the User-Group model represents typical + [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) mechanisms, + where the ability to perform an action is granted through accounts' membership to a specific group + (also called role or profile according to the system); +- the Account-Profile-Transaction model represents a system, where the ability to perform an action + is granted through the assignment of fine-grained entitlements (called transactions) which are + packaged into profiles; +- the Star model represents a system, where the ability to perform an action is granted through the + assignment of entitlements which are based on at least two variable parameters. + +Each template presents a few objects and the relationships between them. To become the model of the +actual managed system, these objects must be renamed and their attributes defined according to the +reality of said managed system. + +This sheet guides you through choosing the right model template for your connector. The actual +technical implementation of the model will be tackled in the last part of the connector +configuration: [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +**Connector model and roles:** + +The design of a model must take into account what is really going on inside the managed system in +terms of entitlements, and be flexible enough to express it as roles in the context of the role +model. 
The role model is the universal RBAC/ABAC language used by Identity Manager to express all +entitlements. + +You don't have to worry about this "role" part right now. It is going to be tackled during single +role catalog creation. At this point, you will take a look at the way roles are defined and linked +to resources to represent entitlements. But the work starts here, by modeling the resources that +exist in the managed system. Some of those resources, such as Active Directory groups, include +interesting information about entitlements. + +Right now, you can see the connector's model as a precise description of the shape of the technical +resources and entitlements of the managed system. And, you can see roles as the higher-order +universal language in which entitlements and their assignments are expressed in Identity Manager for +all managed systems. + +**Connector model and provisioning**: + +After defining the useful data that you need to model a given system, you also have to decide what +data you need Identity Manager to write to the managed system. Identity Manager writing to an +external system is called provisioning. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ----- | --------------- | +| - | Connector model | + +## Define the Connector Model + +Define your connector model by proceeding as follows: + +1. Use the advice and examples given about each model template to find the template that most + closely matches your use case. +2. Adapt the template to the reality of your managed system by renaming and adjusting the model's + objects. +3. Define your useful data, and thus the attributes of each object according to the reality of the + data in your managed system. +4. Ensure that all objects have at least one attribute that can serve as a key to be uniquely + identified within Identity Manager. 
You will get more details about keys during entity type + creation. +5. Ensure the following guidelines' enforcement: + + **Keep it simple** + + The model must stay as simple as possible. Embed just enough information. + + **Keep it readable for most users** + + The model must be easy to understand. For this, adopt a business approach, i.e. make the model + user-friendly and close to real activities. This functional approach is essential to the + efficiency of data flows (synchronization/provisioning loop). Keep in mind that the aim is to + define a model close to the reality of the system. + + **Keep it open to changes** + + The model is going to change and evolve during the life of the application, to account for new + needs or changes. This must be considered too in the initial model to make future changes less + painful. + +Find at the bottom a procedure example about modeling the Active Directory. + +## Model Templates + +All templates are detailed with examples and schemas with the following key: + +![Schemas' Key](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp) + +During the technical modeling inside Identity Manager, these objects will become entity types, their +attributes will become scalar properties, the links between them will become navigation properties. + +### User + +#### Authorization mechanisms + +The User template is the most simple model for a connector, and used to represent a user directly +associated with a list of entitlements. + +Users are represented by the accounts they own, and entitlements are represented by resources. + +Permissions can be managed: + +- by resource, with a list of authorized accounts for each resource; +- by account, with a list of authorized resources for each account. 
+ +#### Model + +![User Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp) + +Thus you need to create one entity type to represent either accounts or other resources. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are the keys and the property holding entitlements. It +means that: + +- if entitlements are managed by resource, then the entity type representing resources must have an + attribute (scalar property) containing the list of authorized accounts; +- if entitlements are managed by account, then the entity type representing accounts must have an + attribute (scalar property) containing the list of authorized resources. + +**Recommendation: categorize accounts in types** + +Some of the managed systems following this model offer predefined types of accounts, with a +pre-packaged set of authorizations (such as the `basic` user with read/write permissions on +non-sensitive resources, or the `admin` with higher privileges). + +Account types make modeling easier, as they bring another level of information about the +entitlements they contain. So we can embed more useful information in the model, thanks to an +attribute that represents the account type. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +#### Example - Canteen badges + +Canteen badges are a simple system handled with the User model. Indeed users can simply have among +their attributes the access authorization for a given building and a given time. Or also, instead of +creating an entity type for users, we can create an entity type for the badges. They would have in +their attributes their respective access location and time, and an attribute listing authorized +users. 
+ +![User Model - Canteen Badges Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp) + +#### Example - Mailboxes + +Mailboxes constitute a complex system, but IGA purposes require little information (only accounts) +so this system can too be handled with the User model, either through users and their entitlement +lists, or through mailbox entitlements and their lists of authorized users. + +![User Model - Mailboxes Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp) + +### User-Group + +#### Authorization mechanisms + +The User-Group template is better suited to represent typical Role-Based Access Control +authorization mechanisms, where a user is authorized to perform an action according to their +account's membership to a specific group. Instead of groups, some systems talk about roles or +profiles: users are authorized to perform an action through a given role or profile which they are +assigned, instead of a group membership. It is all the same idea, and the User-Group template is +perfect for them too. + +Groups can also be categorized and grouped into larger groups. + +Users are represented by the accounts they own. + +#### Model + +![User-Group Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +Thus you need to create one entity type to represent groups (or roles or profiles) and one for +accounts. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between both entity +types, i.e. the navigation properties representing the group membership. 
+ +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +#### Example - SAB + +The SAB system handles authorizations using users and groups. A user is authorized to perform an +action according to their group membership. + +We define two entity types `SAB - User` and `SAB - Group`. We fill them with a few attributes useful +to manage entitlements in the SAB application. Finally, we add a navigation property in both entity +types in order to link `User` with `Group` with an "n-to-n" relationship. + +![User-Group Example - SAB](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp) + +#### Example - RACF + +The [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) connector is used to +manage critical entitlements on the mainframe. RACF is a complex system, but IGA purposes only +require information about accounts and groups, as entitlements are given by group membership. Thus +the system can be simplified to be managed by Identity Manager following the User-Group model. + +![User-Group Example - RACF](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp) + +For RACF, Identity Manager provisions only the link between accounts and groups. + +#### Example - TSS + +The TSS connector is similar to RACF in its use, but manages fine-grained entitlements at a higher +level than RACF. TSS is at least as complex as RACF, and its connector follows a similar +simplification as RACF's. + +Identity Manager manages users (with their accounts) and groups called here profiles. 
Both users and +profiles are grouped into departments, themselves grouped into partitions. Entitlements are called +authorizations, and are linked to users through group (profile) membership. + +![User-Group Example - TSS](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp) + +For TSS, Identity Manager provisions only the link between users and profiles. + +Identity Manager receives a write access for users and profiles, only a read access for the rest of +the model. It is interesting to keep the whole model for query goals such as listing a given user's +entitlements. + +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +**Roles:** During +the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)step for this +connector you can build roles based on the group-membership system represented by users and +profiles. Thus you will create navigation rules to represent the link between users and profiles. + +#### Example - SDGE + +The SDGE connector is used not to manage people but positions, so the application screens depend on +the user's position. In other words, Identity Manager is going to manage users' entitlements in SDGE +through their positions. + +The object `User` or `Account` from the template, which contains users' accounts, is called here +`Worker`. + +The object `Group` from the template is called here `Position` (grouped into organizations, +themselves grouped into organization types). It contains the way an entitlement is given, here +through a given position and wallet. 
+ +![User-Group Example - SDGE](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp) + +For SDGE, Identity Manager provisions only workers and the link between workers and positions. + +### Account-Profile-Transaction + +#### Authorization mechanisms + +The Account-Profile-Transaction model is better suited to represent a system, with the following +basic characteristics: + +- To be able to perform an action or read a piece of data, a user must be granted one or several + transactions. Transactions represent fine-grained entitlements. They can be associated to a type + and conditions that restrict their use, such as a maximum per day or a context of validity. +- Transactions are not assigned directly to an account, but are packaged into profiles, which are + then assigned to accounts, which are owned by users. +- Profiles can sometimes be classified into categories representing the sensitivity of the + transactions they contain. + > For example, profile categories can be `Privilege Profiles` for high privilege transactions on + > sensitive data, and `Technical Profiles` for technical transactions related to system + > administration. + +#### Model + +![Account-Profile-Transaction Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp) + +Thus you need to create one entity type to represent accounts, one for profiles, and one for +transactions. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between entity types, +i.e. the navigation properties representing the packaging of transactions into profiles on the one +hand, and the assignment of profiles to accounts on the other hand. 
You can potentially add a +navigation property in the `Profile` entity type in order to categorize profiles within larger +profiles. + +Instead of creating as many `Profile` objects as there are categories of profile, NETWRIX recommends +shaping the `Profile` object with a `category` attribute. Indeed, a multiple-object model +complexifies the addition of new profiles in the future. And as new profiles can be created in the +future though, then you must plan for it. + +For example, instead of modeling two artificial types of profiles called `PP` for "Privilege +Profile" and `TP` for "Technical Profile", prefer a single object `P` that represents all profiles +using a specific attribute to differenciate technical from privilege profiles. This way, the model +sticks to the real capacity of the technical tool and all use-cases are considered. + +See the schema below this note. + +![Profiles Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp) + +Transactions are not mandatory in a model. Most of the time, the profile packages are predefined +once and for all, or are the responsibility of the application owner. Then Identity Manager doesn't +need to manage the specific transactions for a profile directly inside the managed system. You can +hence avoid modeling transactions altogether. In this case, you fall back on the User-Group model +with a twist: if profile categories are relevant in the system's authorization mechanism, then you +must take them into account. + +#### Example - TSS + +The TSS connector is actually a mix of the User-Group and Account-Profile-Transaction models. The +User-Group part is explained above. + +![User-Group Example - TSS](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp) + +Transactions are called here authorizations. 
+ +For TSS, Identity Manager provisions only the link between users and profiles. Transactions (and the +rest of the model) are only readable. + +### Star + +#### Authorization mechanisms + +The Star model is better suited to represent a system, where the ability to perform an action is +granted through the assignment of entitlements, based on several variable parameters, most often the +combination of a profile and at least one user data criteria. + +> For example, you might want to give certain entitlements only to users who have an administrator +> profile and work in Marseilles. + +As the parameter combination is not predetermined, the whole system can become highly complex with +the addition of data criteria. + +Users are represented by the accounts they own. + +**Comparison with other models:** while the User-Group model grants an entitlement via a group +membership, the Star model grants said entitlement via a special authorization linking the right +criteria altogether (i.e. the right profile and other user parameters). + +#### Model + +![Star Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp) + +Thus you need to create one entity type to represent accounts, one for each criterion, and another +one to represent the object linking acounts to criteria. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The difficulty of this model is to map everything to roles in the role model. In Identity Manager's +role model, one assignment is always one role. But in this case, in the managed system, an +assignment is a tuple of things. + +To map the tuple of things on a role, we have several choices: + +1. Create a role per possible combination of tuple of things. This can quickly get out of hand as + far as the number of created roles is concerned. +2. Use parametrized roles. 
The number of roles will be contained, but it is a little more + complicated to configure. + +The flexibility generated by parameters is particularly interesting for roles that incorporate +entitlements in a more complex way than application roles. If the information contained in a role is +complicated to deduce, then parameters can bring some clarity in the configuration. The objective is +always to minimize the number of distinct roles, and the number of roles that are assigned to one +given identity. + +#### Example + +Consider an application which manages entitlement assignment with different rules, according to +users' profiles, attachment areas and sites. Our example shows 4 profiles, 4 attachment areas and 3 +sites. So a user may be assigned a given entitlement for a given profile, attachment area and site. + +![Star Model Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp) + +For this connector, Identity Manager provisions only the links between accounts and linking objects, +and the links between linking objects and each criterion. + +Concerning roles, integrators have two options: + +- either create a specific role for `Profile_i` with `AttachmentArea_j` and `Site_k` for all + available profiles, attachment areas and sites, which makes a total of 48 roles (for a quite + simple example); +- or create a single role with parameters for profiles, attachment areas and sites. + +## Procedure Example + +**Step 1: choose the connector model.** + +Let's say we are modeling an Active Directory, which handles authorization through the group +memberships of accounts. In other words, to assign an entitlement to an identity, we make the AD +account of said identity member of the corresponding AD group. That is exactly what the User-Group +template is designed to handle. See the Model the Data topic for additional information. 
+ +![User-Group Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +**Step 2: adapt the model to your reality.** + +We start by renaming the `Account` object as `AD_User` and the `Group` object as `AD_Group`. + +![AD Example - Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp) + +**Step 3: define useful data close to your reality.** + +We shape these objects with the following attributes: + +![AD Example - Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp) + +**Step 4: ensure that all objects have unique keys.** + +Indeed we defined `objectGuid` as a key for both accounts and groups. + +**Step 5: ensure the guidelines' enforcement.** + +We could content ourselves with this model. The main benefit of this model is to closely mimic the +reality of the AD authorization mechanism. But we'd like to go a bit further, applying a "keep it +open to changes" approach. + +Observe the similarities between `AD_User` and `AD_Group`. There are many attributes repeating +between the two entity types. + +We can simplify: prefer a single object `AD_Entry` that can represent both users and groups. The +difference between the two types of object will be made clear via specific properties like +`objectCategory`, `member` and `memberOf`. + +Beyond avoiding repetition, this makes the model easily adaptable if new elements pop up. + +> For example, we could want to include computers or organizational units in the model in the +> future. Instead of creating two new additional objects `AD_Computer` and `AD_OU`, the existing +> object `AD_Entry` can represent them both at no additional modeling cost. 
Even though we could add +> `AD_Computer` and `AD_OU` without merging groups with entries, designing `AD_Entry` with all these +> attributes provides the means to add objects without creating new entity types. +> +> ![AD_Entry Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md new file mode 100644 index 0000000000..4ee0b8aeca --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md 
@@ -0,0 +1,72 @@ +# Organize Resources' Datasheets + +How to change the default display of the resource data from this entity type, by creating display +groups. + +## Overview + +Here you will learn how to change how a resource's data is organized in the UI, by creating display +groups. + +If you do not add display groups, Identity Manager displays the data of this entity type's resources +in alphabetic order. + +> For example, for an HR user without any display groups: +> +> ![Without Display Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp) + +## Organize Resources' Datasheets + +Organize resources' datasheets by proceeding as follows: + +1. Start by creating the entity type with its scalar properties and keys. See the + [ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) and + [ Select Primary Keys ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) topics for additional information. +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Display** tab. + + ![Display Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp) + +4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag + and drop the properties to customize the order. + + > For example: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp) + +5. 
When needing to group properties together, click on **Add Display Group**, fill in the fields and + select from the pop-up window the properties to be grouped. + + ![Display Group Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp) + + - `Identifier`: must be unique among display groups, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property group. + > For example: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp) + > + > The entity type's resources would look like: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp) + +6. Click on **Save & Close**. + + Changes in display groups won't take effect until the next + [ Update Entity Property Expressions Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. 
+ +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md new file mode 100644 index 0000000000..95e2d1698e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md 
@@ -0,0 +1,76 @@ +# Set Resources' Display Names + +How to change the value of the display name for resources of an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here you will learn how to change a resource's display name, which is the name used by the UI to +identify a resource of an entity type. Its value is computed from existing properties. For example +for the entity type `HR - User`, integrators may set the display name to: +` - `. + +![Display Name - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp) + +If you do not set your own display name, Identity Manager provides a default value based on the +first scalar property after alphabetizing all the properties whose name contains `name`. + +## Set the Resource's Display Name + +Set the resource's display name by proceeding as follows: + +1. Start by creating the entity type with its calar properties and keys. See the + [ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) and + [ Select Primary Keys ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) topics for additional information. +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Settings** tab. + + ![Display Name - Property Path](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp) + +4. Set the display name. 
As a display name, you can use either the value of an existing property, or + compute [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) based on + existing properties. + + > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined + > functions. + > + > ![AD Entity Type - Display Name](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp) + > + > ![AD Entity Type - Display Name Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp) + + > Another example from the HR connector (User entity type): + > + > ![HR User Entity Type - Display Name](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp) + > + > ![HR User Entity Type - Display Name Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp) + +5. Click on **Save & Close**. + + Changes inside connectors won't take effect until the next + [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md). More specifically, changes in display + names won't take effect until the next + [ Update Entity Property Expressions Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. 
It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Troubleshooting + +If no property appears in the display name auto-completion, then: + +![No Property](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp) + +Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top +right corner of the screen. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md new file mode 100644 index 0000000000..17687b67f7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md 
@@ -0,0 +1,81 @@ +# Create the Entity Type + +How to create the technical container of an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here, you will learn how to create an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md): +the shell that harbors the (scalar and navigation) properties which describe a given set of +resources related to one managed system. + +## Create the Entity Type + +Create the entity type by proceeding as follows: + +1. Access the connector's page by clicking on the **Connectors** button on the home page in the + **Configuration** section, then on the relevant connector. + + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, in the **Entity Types** frame, click on the addition button. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the information fields. + + ![Entity type creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp) + + - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + NETWRIX recommends using `_` in the singular. + - `Name`: will be displayed in the UI to identify the entity type. + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the entity type in the left menu of the home page. 
+ - `Auto Complete in Pickers`: can be set once properties are created (and saved) so that, when + using a searchbar for selected properties, Identity Manager suggests existing entries. + +4. In the entity type's **Properties** section, choose a source so that the connection provides the + source's data structure. + + ![Properties' source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + + > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the + > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want + > to classify, with the properties that are useful for assignment management. + > + > The AD connector uses as a source `Connection Active Directory - entries`. Its structure was + > retrieved when we refreshed the schemas of the `Active Directory` > + > [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md), thus retrieving the attributes from + > the Active Directory and storing them temporarily on the agent side, inside CSV files. + +## Next Steps + +To continue,[ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)for this entity +type. + +## Troubleshooting + +If there are no connection tables available in the **Source** dropdown list of an entity type, then: + +![Properties' source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + +Ensure that there are existing connections: + +- if this is the case, then click on **Refresh all schemas** on the connector page, and verify that + there is no error. 
See the [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topic for + additional information. +- if not, then you must create at least one connection. + +If there is a message stating to refresh the connection's schema, then: + +![No Connection Table Error](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp) + +Start by making sure that the connection's schema is refreshed by clicking on **Refresh all +schemas** on the connector page, and verify that there is no error. + +If the message is still displayed, then it means that the previously selected connection table no +longer exists in the managed system. In this case, either the table's name simply changed, or the +table is not relevant anymore. Then you should find a relevant table in the **Source** dropdown +list. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md new file mode 100644 index 0000000000..8d3ec6fdeb --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md 
@@ -0,0 +1,67 @@ +# Create an Entity Type + +How to create an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that corresponds to the connector model. + +## Overview + +An entity type is a model of a managed system's data. It defines the shape of the associated +resources (instances of said model) and not the intent (that would be a resource type. See the +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for +additional information. It defines a set of properties describing said resources and linking them +together. + +In other words, an entity type is supposed to model the representation of a certain group of +resources inside Identity Manager. It is a relational model, made of properties +([ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)) and links between entity types +([ Define Navigation Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)), both described later. + +![Entity Type - Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +The configuration of entity types depends entirely on the previously established +by[ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). + +Entity types will impact the import of the managed system's resources, and the way said resources +are displayed in the UI. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. 
+ +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| Connection (required) Refreshed schemas (required) Connector's data [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) | Entity type | + +See the [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) and +[ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) topics for additional information. + +## Create an Entity Type + +Create an entity type by proceeding as follows: + +1. [ Create the Entity Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. [ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)to be used in the entity type. +3. Choose the [ Select Primary Keys ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) and key properties which will identify + resources. +4. Define [ Define Navigation Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)if applicable. +5. Customize the [ Set Resources' Display Names ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) for the entity + type's resources. +6. Organize the [ Organize Resources' Datasheets ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) for the entity + type's resources in Identity Manager. 
+ +For some connectors, Identity Manager provides a template to automatically create a basic +configuration. See below this note. + +> For example, the Active Directory template automatically creates an AD entity type and two +> resource types for a standard AD connector. The template is available for a connector with an AD +> connection but no entity types. +> +> ![Entity Type - AD Template](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp) + +## Verify the Entity Type + +Changes will take effect once you have launched synchronization. Therefore, in order to verify the +process, follow the verification procedure indicated +to[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md new file mode 100644 index 0000000000..121b1108f1 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md 
@@ -0,0 +1,117 @@ +# Select Primary Keys + +How to choose its keys and an +[ Entity Type Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)key +in order to uniquely identify the +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources at different points in a resource's lifecycle. + +## Overview + +Here you will learn how to select keys from among the entity type's scalar properties, in order to +ensure the unique identification of resources at different times. + +It is important to show caution when choosing the mapping key and key properties for a set of data. +Every extracted resource must have unique keys in order to be uniquely identified in all IGA actions +performed by Identity Manager. + +### Key properties + +The key property of an entity type is a property chosen from among scalar properties. A key property +is used only in the XML configuration, but required when working both from the UI or from the XML +configuration. + +The purpose of key properties is to uniquely identify a resource from the entity type in the XML +configuration. In particular, some rules need to fetch a resource, by querying the key property's +column in Identity Manager's database. + +> For example a navigation rule involving an AD group can be written: +> +> ``` +> +> +> +> ``` +> +> Identity Manager needs to know what column to query to find the right resource via +> `CN=SG_APP_AG002...`. In this example we must choose `dn` as a key property because it is the `dn` +> property we use to represent the AD resource. + +Key properties must be unique and immutable. They do not have to be immutable but they must enable +resources to be uniquely identifiable at t time. 
+ +> The `dn` attribute of a resource in the Active Directory usually depends on the resource's +> position, which often changes during the resource's lifecycle. However, `dn` is unique at a given +> time, and rather useful to define for example query rules for `parentdn`. + +Only one key property is required, but using several key properties can sometimes help with the +rules in the XML configuration. Identity Manager will search the columns of each key property, one +by one, until a corresponding resource is found. + +> For example, the AD's unique identifier is `objectGuid`. However, integrators may prefer to use +> `dn` because it constitutes a clearer group identification from a user's point of view. Plus, +> `objectGuid` is environment-specific so using it can complexify a situation where we want to move +> the configuration from an environment to another. +> +> Since an `objectGuid` can still be an interesting identifier, we want to have both the `dn` and +> the `objectGuid` as key properties. In this case, Identity Manager will be able to fetch a +> resource in a rule using said resource's `dn` or `objectGuid`. + +### Mapping key + +The mapping key is also chosen from among scalar properties, and serves to uniquely identify any +resource during the[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md). It must be unique and +immutable, i.e. must not change during the whole lifecycle of the resource. + +> A mapping key cannot be based on properties subject to change, such as the display name of any +> object, or users' title which could be renamed. +> +> For example, resources from the AD are usually identified through the `objectGuid` attribute which +> is therefore specified as mapping key. 
+ +Commonly used mapping keys are: + +- `objectGuid` for the Active Directory +- `objectid` for Microsoft Entra ID +- `entryUuid` for LDAP +- `Identifier` for the directory +- `Login` for SAB +- `sapid` for SAP +- `sys_id` for ServiceNow +- `EmployeeId` for the HR + +Since the mapping is able to uniquely identify any resource, NETWRIX recommends that your mapping +key is always part of your key properties. + +## Select the Entity Type's Keys + +Create an entity type by proceeding as follows: + +1. Start by defining the entity type's scalar properties. See the + [ Define Scalar Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) topic for additional + information. + + ![Keys](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp) + +2. In the entity type's **Properties** section, choose the key properties. +3. Choose the mapping key. +4. Click on **Create & Close** > **Create** to save your changes. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. 
+ +## Next Steps + +After the entity type is created with its scalar properties and keys, you can +[ Define Navigation Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) and/or +[ Set Resources' Display Names ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md new file mode 100644 index 0000000000..7f26b9c9ab --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md 
@@ -0,0 +1,164 @@ +# Define Navigation Properties + +How to define the properties that describe the +[Entity Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +relationships to other entity types. + +## Overview + +Navigation properties contain scalar values like other properties, but they link to other +properties—either from the same entity type or another one. +See the [Define Scalar Properties](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) topic for additional +context. + +> **Example 1**: `memberOf` links a user to groups, or a group to other groups. +> In the UI, `memberOf` behaves like a scalar property, but you can click its values to view the +> associated groups. +> For the AD entry `ADM Vidal Pierre`: +> +> ![Navigation Property - memberOf](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp) +> +> Clicking a group shows its properties, including the reverse side of `memberOf`, called `member`, +> which lists group members. +> For the group `SG_APP_RAY_0_LDAP_READLDSFEDE`: +> +> ![Navigation Property - member](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp) + +> **Example 2**: Departments can link to managers using the `Manager` property, referencing a user’s +> identifier. 
+> In the UI, `Manager` behaves like a scalar property, but clicking it opens the manager’s user +> profile: +> +> ![Navigation Property - Manager](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp) +> +> That profile includes a `Department` property, pointing back to the managed department: +> +> ![Navigation Property - Managed Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp) + +Navigation properties can link: + +- Inside a single entity type +- Between two entity types from the same connector +- Between two entity types from different connectors + +Identity Manager uses a "flip side" for each navigation link. +For example, in AD: + +- `member`: on groups, lists users +- `memberOf`: on users, lists groups + +AD only stores `member` in groups; users don’t have a native `memberOf` property. +Identity Manager synthesizes both ends to ensure full navigation mapping. + +When importing data: + +- `member` in AD updates `member` in Identity Manager +- Identity Manager then updates `memberOf` automatically + +Usually, properties in Identity Manager are mapped to existing ones in the source system. +If a property doesn’t exist in the source, it can still be created (e.g., for internal assignment +logic), but it won’t support read/write operations. + +--- + +## Define the Entity Type's Navigation Properties + +Follow these steps: + +1. Declare the [Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the **Properties** section, open the **Navigation Properties** tab. +3. Click **Map a navigation property** to view available source columns and select the desired + properties. +4. 
Fill out the configuration fields: + + ![Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp) + + - The **first line** maps the source column. + - The **second line** defines the new property linked to that column. + +### Application Metadata + +- `Identifier`: Must be unique, whitespace-free, and C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure) +- `Entity Type`: Always refers to the current entity type. Source property can be from any. +- `Storage Indicator`: Can be: + + - **Mono-valued** (1:1 or many:1) + - **Multi-valued** (1:many or many:many) + + Identity Manager supports up to 25 optimized mono-valued navigation properties per entity + type. + Prioritize: + + 1. Properties used in forms and search + 2. Properties used in expressions and role models + 3. All others + +- `Name`: Shown in the UI. + Use **singular** for mono-valued, **plural** for multi-valued. + Avoid names like `"Id"` for both identifier and display name. + +### External System + +- `Source`: Connection to the external system. You can select the source by: + + - Mapping from the source (auto-selects connection table) + - Choosing from the dropdown (lists same-connector tables) + - Using the search icon (all connectors) + +- `Source Column`: The source field for data. +- `Column Content`: The field in the source used for identification. + +> Example: If the column is `manager` and it stores user `dn`s, set `dn` as the column content. 
+ +> AD example navigation properties: `Entries`, `assistant`, `assistantOf`, `manager`, +> `directReports`, `memberOf`, `member`, `parentdn`, `children` + +> ![AD Entity Type - Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp) + +--- + +5. Click the gear icon to open **Advanced Settings**: + + ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: Choose from [Microsoft's icon list](https://uifabricicons.azurewebsites.net/) + - `Source Expression`: Defines the property using a property path or + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) + + > Example: Create an `isUnused` scalar property based on `accountExpires` and + > `lastLogonTimestamp`: + > + > ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: Improves search flexibility for the property. + - `History Precision`: Sets how often the property’s value is historized. + + > Example: `lastLogonTimestamp` is frequently updated. To reduce historization noise, set + > `History Precision` to 10080 minutes (1 week). + > This way, only one update per week is stored. + +Clicking **Continue** closes the window but does **not save** the configuration. + +--- + +## Reload + +After saving changes, a green popup will prompt you to reload the schema. +You can defer this, but **must reload after final changes**. 
+ +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +Reloading ensures the updated navigation properties appear in the UI’s left menu structure. + +You can access the **Reload** button via: + +- The green popup +- The connector’s dashboard + +--- + +## Next Steps + +Once the entity type is configured with scalar, key, and navigation properties, you can +[Set Resources' Display Names](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md new file mode 100644 index 0000000000..61f68969e9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md 
@@ -0,0 +1,156 @@ +# Define Scalar Properties + +How to define the simple, or scalar, properties of an +[ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources. + +## Overview + +Here you will learn how to define scalar properties, which contain scalar values, mostly based on +the properties from the corresponding managed system. + +> For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc. +> +> ![Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp) + +Most often, properties inside Identity Manager are each linked to a property from the managed +system. This way, data from the managed system can be imported into Identity Manager and stored in +the corresponding property. These properties are mapped from the source (see step 2). + +If the property to be created does not exist in the external source, it is impossible to map the +property, but it can still be created with **+ Add a scalar property**. + +This can be used to store data needed for assignment management, but which you cannot write to the +connected system. Since these properties do not exist in the connected system, they cannot be +written or read. + +For example, we may need to create in the AD the property `isUnused` to spot unused accounts. It +would be configured with a C# expression based on other properties from the same entity type. These +properties, such as `accountExpires` and `lastLogonTimestamp`, are each linked to a property from +the AD, while `isUnused` is for governance and surveying AD accounts. + +Such properties do not exist in the AD, and thus will never be written to the AD, nor overwritten by +any property from the AD, but will be recalculated based on the other properties. 
+ +## Define the Entity Type's Scalar Properties + +Define the entity type's scalar properties by proceeding as follows: + +1. Start by declaring the [ Create the Entity Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the entity type's **Properties** section, click on **Map scalar properties** to display + existing columns from the external source, and select the properties to be used in the entity + type. + + ![Map from source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp) + + You need to configure at least one property to be able to define primary keys later, and thus + create an entity type. + +3. Fill in the information fields. + + ![Scalar properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp) + + - **APPLICATION METADATA**: fields about the future display of the properties inside Identity + Manager. + + - `Identifier`: must be unique among properties, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property. + + Entity properties' names and identifiers cannot be "Id". + + - `Format`: format used for the property's display in Identity Manager, for search tools and + computation based on said property. Do not keep the default string format if the property + is not a string. 
See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + + > For example, dates, booleans, integers, etc. + + For one entity type, Identity Manager can store up to 128 scalar properties of any + format, and an unlimited number of binaries which are stored differently. Among these + 128 properties, only 4 can be formatted as more-than-443-character strings (with a limit + of 4,000 characters), and 124 as less-than-443-character strings. + + - **EXTERNAL SYSTEM**: fields about the corresponding properties inside the connected system. + + - `Source Column`: column in the external system where the property data comes from. + Advanced settings can be configured according to the description below. + - `Format`: for mapped properties, format used to convert a value during export and fulfill + from Identity Manager to the connected system, whenever different from a string. + > To continue with the `AD - Entry` entity type, we map all the properties we need: + > + > `accountExpires`; `c`; `cn`; `comment`; `company`; `department`; `description`; + > `displayName`; `division`; `dn`; `employeeId`; `employeeNumber`; `employeeType`; + > `extensionAttribute10`; `extensionAttribute11`; `givenName`; `groupType`; + > `homeDirectory`; `homeDrive`; `initials`; `l`; `lastLogonTimestamp`; `mail`; `mobile`; + > `objectCategory`; `objectGuid`; `objectSid`; `ou`; `pwdLastSet`; `rdn`; + > `sAMAccountName`; `scriptPath`; `sn`; `st`; `telephoneNumber`; `thumbnailPhoto`; + > `title`; `uid`; `userAccountControl`; `userPrincipalName`; `whenCreated`. + > + > We create the properties that do not exist in the external system: `AppName`; + > `businessCategory`; `isUnused`; `thumbnailPhotoTag`. 
+ > + > Some of them have a specific format in case of provisioning to the managed AD like + > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as + > `1601 Date`. + > + > ![AD Entity Type - Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp) + +4. Click on the Gear symbol to add advanced settings if needed. + + ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the property among users' data. + - **Source Expression**: expression that defines the property based on at least one source + object. Can be defined by a property path and/or + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md). + + > For example, `isUnused` is created to spot unused accounts via a combination of + > `accountExpires` and `lastLogonTimestamp`: + > + > ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: expression that inserts adaptable comparison flexibility + when using a searchbar for the property. + - `History Precision`: time period over which Identity Manager historically records only one + value. + + > For example, the `lastLogonTimestamp` property of an AD resource is modified every time + > the user connects to the application. Every modification triggers the historization of all + > properties for said resource inside the database. Hence, the database can quickly become + > full of data. 
In order to lighten the database, we can set the `History Precision` option + > to one week (10080 minutes) so that resources are historized once a week at most + > (concerning changes on `lastLogonTimestamp`). In the meantime, in case of a change, + > instead of historizing resources with all their properties, only `lastLogonTimestamp` is + > updated with the new value. + + Clicking on **Continue** closes the pop-up window so that you can continue the configuration of + the entity type. But it does not save anything. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Next Steps + +Before saving, you must first[ Select Primary Keys ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md)for the entity type. + +## Troubleshooting + +If the Format column is not displayed in the External System part, then: + +![Scalar properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp) + +Refresh the connections' schemas. 
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md new file mode 100644 index 0000000000..7dfc53c391 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md 
@@ -0,0 +1,165 @@ +# Connect to a Managed System + +How to create a new +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +using the provided SaaS agent. See the +[ Architecture ](/docs/identitymanager/6.2/identitymanager/introduction-guide/architecture/index.md) topic for additional +information. + +Identity Manager provides demo applications +([Run the Banking Demo Application](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md) +and +[Run the HR Demo Application](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md)) to +help set up connectors, test them, and understand Identity Manager's abilities towards external +systems. + +## Overview + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. The feedback mechanism ensures Identity Manager's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Identity Manager and a managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +NETWRIX strongly recommends the creation of one connector for one application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager, +> either manually for administration accounts, or automatically for basic accounts. 
+> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. + +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity +Manager will feed data into connected managed systems. + +![Outbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Identity Manager and the managed system are also called: + +- synchronization in the "managed system-to-Identity Manager" direction; +- provisioning in the "Identity Manager-to-managed system" direction. + +For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of +the system's data in the form of CSV files. These files are cleaned and loaded into Identity +Manager. In other words, synchronizing means taking a snapshot of the managed system's data and +loading into Identity Manager. + +For provisioning, Identity Manager generates provisioning orders and the connector provides tools to +either automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Identity Manager's Identity repository to fill in later the +> AD's fields, such as users' display names based on their first names and last names from the +> repository. See the [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> topic for additional information. + +Identity Manager can also benefit from inbound connectors, that will write data to Identity +Manager's central identity repository. While both inbound and outbound connectors allow data to flow +both ways, they do not work in the same manner. + +### Technical principles + +Identity Manager's connectors all operate on the same basic principles. 
Technically speaking: + +> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD. + +- a connector must be created, first as a named container which will include the connections and + entity types related to one managed system; + + > We create a connector named `AD` (so far, an empty shell). + +- a + [ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + is linked to an agent which acts as the go-between for Identity Manager's server and the managed + system; + + > Our `AD` connector uses the provided SaaS agent. + +- a + [ Connection ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + describes the technology used that enables data to flow back and forth between Identity Manager + and the managed system; + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/Usercube` to perform manual + > provisioning through Identity Manager. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). + +- the shape of the extracted managed system's data is modeled by + [ Entity Type ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + (we will use the term resource to refer to an entity type that has been instantiated); + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. 
+ +- the intent of resources within the managed system is made clear by categorizing resources into + [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). See the + [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Identity Manager to provision automatically; + > `AD User (administration)` for sensitive administration accounts, which we want to provision + > manually through Identity Manager. + +![Connector Technical Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents:** To simplify things, Identity Manager has made it possible to start +configuring connectors without installing a local agent in your organization's network. Instead, you +can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +functional and technical details of the application. 
+ +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| Administrator account for the Development Environment (required) Identity repository (required) User Profile (required) | Connector Connected System | + +See the [Install the Development Environment,](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md) +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md), and +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topics for additional +information. + +## Create a Target Connector + +For one managed system, create a connector by proceeding as follows: + +1. Outside Identity Manager, [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). +2. [ Create the Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) for said managed system. +3. Enable the technical transfer of data by creating and configuring + [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md). +4. Set up [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) to represent the data model decided + upon in step 1. + +**Connector modification:** The process for modifying a connector is not so different from the +process for creating a connector, as you mainly modify the fields specified during creation. +However, keep in mind that a connector must be deactivated before modification, in order to withdraw +the connector's synchronization- and provisioning-related tasks from any jobs. See below this note. 
+ +You can activate the connector again at any time using the same button. + +![Jobs Results Dashboard](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +## Next Steps + +Once the connector has been created, you can start +to[ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/usercube/6.2/usercube/user-guide/set-up/development-environment-installation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md similarity index 100% rename from docs/usercube/6.2/usercube/user-guide/set-up/development-environment-installation/index.md rename to docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/index.md new file mode 100644 index 0000000000..17f145a14d --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/index.md 
@@ -0,0 +1,129 @@ +# Set Up + +- [ Install the Development Environment ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md) + + How to connect to Identity Manager's SaaS environment to set up the development environment. + +- [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + + How to initiate the repository for workforce identities by loading identities into Identity + Manager with the right attributes. + +- [ Configure Unique Property Generation ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) + + How to configure Identity Manager to generate unique identifiers, mails and logins for any user + who does not have them already. + +- [Load Identities to Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) + + How to load identities into Identity Manager for the first time using a basic data model in the + form of a template MS Excel file. + +- [Template Description](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md) + + Description of the MS Excel template for the creation of the identities repository. + +- [ Adjust the Workforce Data Model ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) + + How to select the properties to be part of the data model for the workforce repository + (therefore displayed in the UI), and choose their optimal displaying mode. + +- [ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) + + How to tweak the permissions for actions within Identity Manager, for a standard set of basic + Identity Manager profiles. 
+ +- [ Configure Onboarding Workflows ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-workflows/index.md) + + How to adjust the parameters of onboarding workflows. + +- [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) + + How to create a new connector using the provided SaaS agent. + +- [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + + How to choose the appropriate model for a connector's data. + +- [ Create the Connector ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) + + How to create the technical container of a connector. + +- [Create a Connection](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + + How to create a connection inside a connector and choose the appropriate package. + +- [Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + + How to create an entity type that corresponds to the connector model. + +- [ Synchronize Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md) + + How to launch data synchronization, i.e. read managed systems' data and load it into Identity + Manager. + +- [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) + + How to correlate managed systems' resources with identities, classifying resources into resource + types. + +- [ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) + + How to create the container for future correlation and classification rules inside a given + managed system. 
+ +- [ Correlate Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/correlation/index.md) + + How to define correlation rules to match up resources across systems, usually accounts with + their owner. + +- [ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) + + How to define classification rules in order to classify remaining uncorrelated resources, + assigning them resource types. + +- [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + + How to define scalar rules, navigation rules and/or query rules to compute and provision target + resources values from source resources values. + +- [ Create Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md) + + How to define resource type rules to create new (target) resources for given users, computing + and provisioning their properties based on source resources. + +- [Compute a Scalar Property](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) + + How to define scalar rules to compute and provision the values of scalar properties for target + resources based on source resources. + +- [ Compute a Navigation Property ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) + + How to define navigation rules and/or query rules to compute and provision the values of + navigation properties for target resources based on source resources. + +- [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + + How to define single roles to model entitlements, and organize them inside the role catalog, + basis of the role model. 
+ +- [ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + + How to create role naming rules, which create single roles using existing naming conventions + from the managed system. + +- [ Create a Category ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + + How to structure roles into categories. + +- [Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + + How to create single roles manually. + +- [Assign Users a Profile](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + + How to assign Identity Manager's access permissions to users through profiles. + +- [ Manage Role Officers ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/role-officer-management/index.md) + + How to manage role officers in order to ensure the approval for entitlement assignments. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md new file mode 100644 index 0000000000..1a23a95c0b --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md 
@@ -0,0 +1,111 @@ +# Adjust the Workforce Data Model + +How to select the properties to be part of the data model for the workforce repository (therefore +displayed in the UI), and choose their optimal displaying mode. + +## Overview + +After you created the initial version of the workforce repository, Identity Manager provides an easy +method to optimize the structure of the data model, for example preventing empty fields in the UI. + +According to the number of resources in the organization, Identity Manager's analysis of the data +model's usage suggests: + +- to remove unused entity types (country, site, gender, subsidiary, etc.) from the data model and + from the UI; +- to remove unused properties (phone number of a user, position end date, town of a site, etc.) from + fields to fill in the workflows for entity creation, except for properties that are essential to + Identity Manager's operation and thus ensured to be part of the data model (e.g. the contract's + start date); +- an optimized display mode in the UI for all entity types, and for the fields which link to another + entity (manager of a department, contract type of a user, gender of a user, etc.) and thus require + a query tool (dropdown box, search bar, etc.). + +You can then make your own choice about activating/deactivating/re-activating any property, and you +will be able to make modifications at any time. + +## Participants and Artifacts + +Integrators may need the help of the HR department who know the organization. 
+ +| Input | Output | +| -------------------------------------------------------------------------- | ----------------------------- | +| Identity Manager Server (required) Initial workforce repository (required) | Adjusted workforce repository | + +See the [Install the Development Environment](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md) +and [Load Identities to Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) topics for additional +information. + +## Adjust the Data Model + +Adjust the data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model + to your specific situation. + + ![Scan Data Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg) + + ![Scan Data Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp) + + Identity Manager counts the entries for each attribute and suggests a quantification: + + - Empty attributes are deactivated as they should be excluded to simplify the data model. + - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's + forms optimally (e.g. dropdown list, search tool, etc.). + + ![Scan Data Model - Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp) + +3. Observe the result and adjust manually the data model if needed, by clicking on the properties. 
+ + While Identity Manager suggests a structure for the data model, the choice is yours to + activate/deactivate any property. + + > For example, empty attributes should be excluded to simplify the data model. However, you can + > choose to keep an empty property anyway if you know that you want to fill it in later. + + Note that Identity Manager stays authoritative to activate some properties that are mandatory + for Identity Manager's operation. + + For example the contract's start date is necessary for Identity Manager's workflows. + + Modifications can be performed later, decisions can be reconsidered. See the + [ Modify the Identity Data Model ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + topic for additional information. + +4. Click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Identities Loading + +In order to validate the process: + +1. Choose a test field and note its displaying mode. + + > For example, our `Region` field in `Site` is sized as `large`. + > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp) + +2. Navigate within Identity Manager to find a workflow using the test field. Observe the displaying + mode in the UI. + + > Our `State` field must be filled in during the creation of a new site. It can be filled by + > opening a pop-up and choosing the region in the list. 
+ > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp) + > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp) + +3. Back on the scanning feature, change the displaying mode of your test field and save. + + > We change `large` to `extra small`. + +4. Verify the test field's displaying mode. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md new file mode 100644 index 0000000000..993eb04692 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md 
@@ -0,0 +1,117 @@ +# Configure Unique Property Generation + +How to configure Identity Manager to generate unique identifiers, mails and logins for any user who +does not have them already. + +## Overview + +All users need to: + +- be uniquely identifiable through an identifier, for example in order to link all accounts to their + owners; +- have a reserved unique email address, even if they do not need a mailbox; +- have a unique login that can be used as a seed for all users' accounts. + +For each unique property, Identity Manager provides a set of generation rules. You are free to +choose the most adequate method regarding your actual approach. + +An identifier/email/login suffix can be specified later according to users' contract types, when +loading identities through an Excel template. See the +[Load Identities to Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) topic for additional +information. +For example, contractors can get `-ext` added automatically to their email addresses. +The unicity checks performed for identifiers/emails/logins do not consider prefixes nor suffixes. + +For example, `john.doe@acme.com` and `john.doe-ext@acme.com` cannot exist simultaneously. + +## Participants and Artifacts + +Integrators may need the help of the HR department to understand the actual approach of the +organization to compute these unique properties. + +| Input | Output | +| ---------------------------------- | -------------------------------------- | +| Identity Manager Server (required) | Generation rules for unique properties | + +See the [Install the Development Environment](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md) +topic for additional information. + +## Configure Unique Property Generation + +Configure the generation of unique properties by proceeding as follows: + +1. 
On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Identity Manager's + instructions to configure the generation of a unique identifier for new workers (if needed), + based on one of the available options. + + ![Unique Identifier Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Random Number`: uses a random number with a default prefix which is used when no specific + prefix is specified on the user's contract type. + + Netwrix Identity Manager (formerly Usercube) recommends using random numbers, as they have + the advantage of not containing any personal information nor giving any hint about the + users' seniority. + + - `Sequence`: uses a sequence with a default prefix which is used when no specific prefix is + configured on the user's contract type. + +3. Follow Identity Manager's instructions to configure the generation of a unique email address for + all users (who do not have one), based on one of the available options. 
+ + ![Unique Email Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Based on Unique Identifier`: uses a combination of the unique identifier (defined on the same + page) and the email domain. + + No matter the strategy: + + - the default email domain is used when no specific domain is specified on the user's + subsidiary; + - emails are generated in a way that lets users keep their email address, even if they move + from contractors to employees, or change to another subsidiary. + +4. Follow Identity Manager's instructions to configure the generation of a unique login for new + workers (who do not have one), based on one of the available options. + + ![Unique Login Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp) + + - `Based on Email`: uses the local part of the email, i.e. before `@`. + - `Based on Full Email`: uses the full email. + - `Based on Unique Identifier`: uses the unique identifier (defined on the same page) prepended + with the default prefix when no specific prefix is specified on the user's contract type. + +5. Click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +6. 
Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Property Generation + +In order to verify the process, add a fictitious employee through the workflows from the UI. + +![Home - New Employee](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp) + +Verify in the directory that the employee's sheet displays the expected values for the configured +unique properties. + +![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md new file mode 100644 index 0000000000..88f674bcd9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md 
@@ -0,0 +1,122 @@ +# Create the Workforce Repository + +How to initiate the repository for workforce identities by loading identities into Identity +Manager with the right attributes. + +## Overview + +Loading the digital identities into Identity Manager is the very first task you have to perform, +once you installed the development environment. + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Identity Manager, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +See the +[ Identity Repository ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/identity-repository/index.md) +topic for additional information.. + +The initial workforce repository is going to be the first version of a comprehensive repository +containing all users in the organization. This repository is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +### Creation strategy for the workforce repository + +In a nutshell, Identity Manager has made it as easy as a copy-paste from employee and contractor HR +files into an MS Excel file. 
+ +#### Special properties generation + +First, you have to choose rules about how email, login, and internal identifiers are going to be +built for new identities, and for existing identities who do not have these unique properties yet. + +#### Organizational model creation + +Then, you are going to need a model of the organization's structure where the identities fit in. +This model is supposed to provide valuable information for automation and governance features later. + +The model is where you are going to identify for example the type of identities you want to manage +(such as employees and contractors), the hierarchical relationships between them, the geographical +areas they work in, and so on. + +Identity Manager has already built a template model for you, in the form of an Excel file. This +basic model is customizable and will be adaptable to most organizations. You can customize it simply +by writing information from your organization into said Excel file. + +Even if you have more specific or exotic needs that aren't met by this model, it is still a good +starting point and a good way to quickly start delivering value. We recommend that you start +building your project using this model, identify its limits along the way, and enhance it down the +road to make it fit your needs more accurately. + +#### Organizational model filling + +Then, you write down the actual identities information, still using the same Excel file, using data +from HR extractions or other records of contractors and temporary workers. As simple as a +copy-paste. + +The data you are going to load is analyzed by the engine and some simplifications will be suggested. + +**HR synchronization is not enough:** + +Another way of handling a part of the initial data loading is to set up an automated synchronization +of HR data with Identity Manager. + +While it seems to be a good idea, it poses a few problems. 
Among them: + +- a specific IT infrastructure is required and its implementation is likely to delay the project's + progress; +- HR data usually misses crucial information (for example contractor data) and is rarely up to date + early enough to be really useful. + +Hence, in order to rather focus on awaited IGA activities, we choose to build the first iteration of +the project upon a manual data upload to create the initial workforce repository. . + +## Participants and Artifacts + +Integrators may need the help of the HR department and its assistants who know the organization in +order to get the identity and organizational data. After the initial loading, the HR department can +review the data to confirm its accuracy. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------ | ---------------------------- | +| Identity Manager Server (required) Organizational chart (required)) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +## Create the Workforce Repository + +Create the workforce repository by proceeding as follows: + +1. [ Configure Unique Property Generation ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) for all users, + pre-existing and new, who do not have them yet. +2. [Load Identities to Identity Manager](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) to Identity Manager based on the + recommended attributes from the provided organizational model + [Template Description](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md). +3. [ Adjust the Workforce Data Model ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) following Identity Manager's + suggestions. +4. 
Continue with the next steps of this guide, and come back later to fill the organizational model + with additional data. + +## Next Steps + +Once the initial identities are loaded, integrators can start the User Profile configuration. See +the [ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +From there you will be able to keep your repository up to date: + +- concerning identity data through workflows; +- concerning the data model + +The initial identities loading also enables: + +- HR connector creation. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md new file mode 100644 index 0000000000..b4aa772bc9 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md 
@@ -0,0 +1,186 @@ +# Load Identities to Identity Manager + +How to load identities into Identity Manager for the first time using a basic data model in the form +of a template MS Excel file. + +## Overview + +Loading the digital identities into Identity Manager is the very first task you have to perform, +once you installed the development environment. + +The initial workforce repository is going to be the first version of a comprehensive directory +containing all users in the organization. This directory is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +Identity Manager contains a template model, downloadable as an Excel file. Below is an example of a +part of the `UserRecord` tab, used in Identity Manager's demo: + +![Template Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp) + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. 
+ + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. + +## Participants and Artifacts + +Integrators may need the help of the HR department who knows the organization in order to get the +identity and organizational data. After the initial loading, the HR department can review the data +to confirm its accuracy. + +| Input | Output | +| --------------------------------------------------------------------------------------- | ---------------------------- | +| Identity Manager Server (required) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +See the [Install the Development Environment](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/development-environment-installation/index.md) +topic for additional information + +## Load Identities + +Load identities for the first time by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Upload** page, download the empty Excel template. + + ![Upload Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +3. Collect identity and organizational data. + + If you don't know where to start, identities most often include long-term employees, temporary + employees (such as interns and temps) and external contractors. The template contains a + `UserType` tab that lists all the types of workers that you want to include, i.e. the usual + identities listed just before, but also partners, clients, even applications. 
+ + Workforce should include obviously all current workers, but also incoming workers, and those who + left the organization in the past XXX (time period defined by the rules of the security + officer). It is interesting to have past workers in order to understand the process and ensure + that they are supposed to be orphaned. See the + [Review Orphaned and Unused Accounts](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + topic for additional information. + + **Employees** + + The workers that are directly employed by the organization usually have their data stored in the + HR system. + + **Contractors** + + Often third-party workers like contractors are not part of the HR system. Then, there are a few + possible solutions to get their data: + + - through purchasing department if it doesn't imply any personal data security breach; + - manually with knowledgeable people, for example department managers and assistants; + - through a filter on data from available directories, for example on the email address if it + contains a specific string like `.ext@`; + - through an Active Directory extraction with a filter on an attribute that works with a + specific part, for example on the employee identifier. + +4. Fill said template with the data you collected. + + The Excel file contains several tabs which organize data, but not all tabs and columns are + mandatory. You can find **more details about the + [Template Description](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md)**. 
Below are the minimum recommended + attributes (mandatory in orange): + + ![Template Recommendations](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp) + + [**Click here to download a template example**](/docs/static/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). + + Every object (so every tab) of the directory must have a **key**, which is an attribute: + + - unique, i.e. designed to uniquely identify an object/resource, one key can't be shared; + - immutable, i.e. must not change during the whole lifecycle of the object/resource, even for + renaming for example; + - consistent, i.e. identical everywhere the object/resource is specified. + + Among other things, a consistent key allows identities to use the same login in all + applications. A consistent key is also essential to form the link between identities and the + other objects (organizations, titles, etc.). + + **Create your initial workforce repository with only recommended attributes.** + + As we aim to quickly enable Identity Governance and Administration (IGA) actions (like the + review of orphaned and unused accounts, or access certification, etc.), Netwrix Identity Manager + (formerly Usercube) recommends loading identities with only necessary data. The model can be + completed later. + + Moreover, Identity Manager's Query module can help gather data from other systems. + + For example, let's say that contractors' phone numbers are found only in the AD. Then we can + wait for the connection of Identity Manager to the AD, and finally use the Query module to + collect missing data. In this case: + + 1. Upload the `Directory.xlsx` file with only recommended data, validate and synchronize as + explained on this page. + 2. Connect the AD, synchronize AD data, update correlation and classification. 
See the + [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + 3. Follow the usual query procedure to request phone numbers from the AD. + 4. Ensure you display a key (for example `EmployeeId` or `email`) to master the order of the + displayed data. + 5. Download the report. + 6. Copy the report's columns one by one to paste them into the Directory.xlsx file. + 7. Synchronize directory data. + +5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in + order to feed the data back to Identity Manager. + + ![Upload Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg) + + The latest uploaded file overwrites the previous one. + +6. Click on **Verify and Synchronize** to check the file's consistency and import its data into + Identity Manager. + + ![Verify and Synchronize](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp) + + Now you are able to view users' pages in the directory. + + ![Directory - Users](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp) + +## Verify Identities Loading + +In order to validate the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization includes a manager. Organizations are accessible from the department + directory on the home page. 
+ + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list each organization + with its manager through the Query module. + +- Create reports with indicators on the number of workers per type or per organization for example + (through Identity Manager's predefined reports, the Query module or Power BI), in order to ensure + that Identity Manager's content sticks to reality. + + See the [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional + information. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md new file mode 100644 index 0000000000..65f9e80c98 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md 
@@ -0,0 +1,258 @@ +# Template Description + +Description of the MS Excel template for the creation of the identities repository. + +[Click here to download a template example](/docs/static/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). + +![Template Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp) + +All tabs contain a column `Command` only used at a later stage to modify (massively) identity data. +See the +[ Update Identities in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) +topic for additional information. + +## User - Required + +An identity is split into two parts, the first one being the parent resource called `User` which +represents the user's identity card. It contains the few attributes which shall not change during +the identity's lifecycle. See the +[Identity Management](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/index.md) topic for +additional information. + +| Attribute | Type | Description | +| ---------------------------- | ------- | ----------- | +| Identifier (required) | String | | +| ConsentPhotoUsage (optional) | Boolean | | +| IsDraft (optional) | Boolean | | + +## UserRecord - Required + +An identity is split into two parts, the second one being the one or several child resources called +`UserRecord` which represent the user's positions. Records belong to users and help materialize: + +- several positions at once; +- validity periods for positions/assignments unrelated to the user itself; +- position changes. + +In other words, records represent the lifecycle of a user inside the company, i.e. multiple +contracts, mutation, etc. 
+ +Thus, the `UserRecord` tab usually holds users' information that might change over time, while the +`User` tab groups all records of a given user around its identifier. + +| Attribute | Type | Description | +| ---------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RecordIdentifier (recommended) | String | Identifier of the Records. See the[ Position Change via Records ](/docs/identitymanager/6.2/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). **Note:** it can be the same as `PositionIdentifier` when users can have no more than one contract simultaneously. **Note:** required when using records. | +| User (required) | ForeignKey | `Identifier` from the `User` tab. | +| EmployeeId (recommended) | String | | +| Gender (optional) | ForeignKey | `Identifier` from the `Gender` tab. | +| PersonalTitle (optional) | ForeignKey | `Identifier` from the `Personal Title` tab. | +| FirstName (recommended) | String | | +| LastName (recommended) | String | | +| BirthName (optional) | String | | +| BirthDate (optional) | DateTime | | +| Email (recommended) | String | | +| EmailAliases (optional) | String | Outdated, or any other email address associated with the user. This is used to prevent the re-assignment of a previously used address. | +| Login (optional) | String | | +| PhoneNumber (optional) | String | | +| MobileNumber (optional) | String | | +| VIP (optional) | Boolean | `True` to specify that the user is special/important. 
| +| ContractIdentifier (required) | String | | +| ContractStartDate (required) | DateTime | Start date of the user's contract in the company. | +| ContractEndDate (recommended for permanent contracts, required for fixed-term contracts) | DateTime | End date of the user's contract in the company. | +| AccessesExpirationDate (optional) | DateTime | Date when the user will be deprived of their access rights. | +| UserType (required) | ForeignKey | `Identifier` from the `User Type` tab. | +| Subsidiary (optional) | ForeignKey | `Identifier` from the `Subsidiary` tab. | +| ExternalCompany (optional) | ForeignKey | `Identifier` from the `External Company` tab. | +| PositionIdentifier (required) | String | | +| PositionStartDate (optional) | DateTime | | +| PositionEndDate (optional) | DateTime | | +| Organization (recommended) | ForeignKey | `Identifier` from the `Organization` tab. | +| Manager (recommended) | String | Line manager. `Identifier` from the `User` tab. | +| IGAManager (optional) | String | Validator of IGA requests. `Identifier` from the `User` tab. | +| JobTitle (optional) | String | | +| Title (optional) | ForeignKey | `Identifier` from the `Title` tab. | +| Site (optional) | ForeignKey | `Identifier` from the `Site` tab. | +| Office (optional) | ForeignKey | `Identifier` from the `Office` tab. | +| OfficeNumber (optional) | String | | +| IsMainPosition (optional) | Boolean | | +| Suspended (optional) | Boolean | | +| StartDate (optional) | DateTime | Start date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | +| EndDate (optional) | DateTime | End date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | + +See the Template Description topic for additional information. 
+ +Recommendations: + +- There is no absolute need for a unique identifier, because Identity Manager can compute one in the + next steps. +- Be aware of the difference between a hierarchical manager and an IGA manager who approves + entitlement requests. They aren't necessarily the same person. + +## UserType - Required + +User types represent users' contract types, such as permanent contract, fixed term contract, +interim, contractor, trainee, etc. + +| Attribute | Type | Description | +| ------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Category (required) | ForeignKey | `Identifier` from the `User Category` tab. | +| EmailSuffix (optional) | String | Suffix to concatenate to the email string (immediately before the `@` character). | +| IsExternal (required) | Boolean | | +| LoginPrefix (optional) | String | | +| LoginSuffix (optional) | String | | +| UniqueIdentifierPrefix (optional) | String | | +| UniqueIdentifierRangeEnd (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeEnd` set to 9999 means that no unique identifier should be greater than 9999. | +| UniqueIdentifierRangeStart (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeStart` set to 1000 means that no unique identifier should be less than 1000. | +| UniqueIdentifierSuffix (optional) | String | | + +## UserCategory + +Categories constitute an additional layer to organize users who can be sorted by types and then +further by categories, and categories can be transverse or not. 
+ +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Subsidiary + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| EmailDomain (optional) | String | | + +## ExternalCompany + +Including external workers into the workforce repository requires listing external companies. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Organization + +A company is divided into organizations, also called departments, such as the board of directors, +corporate banking, call center, USA operations, France operations, treasury, etc. + +| Attribute | Type | Description | +| ------------------------- | ---------- | ---------------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Manager (recommended) | ForeignKey | `Identifier` from the `User` tab. | +| Assistant (optional) | ForeignKey | `Identifier` from the `User` tab. | +| Parent (optional) | ForeignKey | `Identifier` of another organization. | +| Type (optional) | ForeignKey | `Identifier` from the `Organization Type` tab. | + +## OrganizationType + +Organizations can be categorized into organization types, if relevant. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Title + +Each position can be represented by a title which names said position, such as architect, CEO, +purchasing manager, recruiter, etc. 
+ +| Attribute | Type | Description | +| ------------------------- | ---------- | ----------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| JobCategory (optional) | ForeignKey | `Identifier` from the `Job Category` tab. | + +## JobCategory + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Country + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| ISOCode (optional) | String | | + +## Region + +| Attribute | Type | Description | +| ------------------------- | ---------- | ------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Country (optional) | ForeignKey | `Identifier` from the `Country` tab. | + +## Site + +All positions specify a working site. + +| Attribute | Type | Description | +| ---------------------------- | ---------- | ----------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Name (optional) | String | | +| StreetNumber (optional) | Int32 | | +| StreetName (optional) | String | | +| StreetType (optional) | String | | +| Floor (optional) | Int32 | | +| PostalCode (optional) | Int32 | | +| City (optional) | String | | +| Region (optional) | ForeignKey | `Identifier` from the `Region` tab. 
| +| PreferredLanguage (optional) | String | | +| TimeZone (optional) | Int32 | | +| Latitude (optional) | Int64 | | +| Longitude (optional) | Int64 | | +| Url (optional) | String | | + +## Office + +| Attribute | Type | Description | +| ------------------------- | ---------- | --------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Site (recommended) | ForeignKey | `Identifier` from the `Site` tab. | + +## PersonalTitle + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Gender + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## ReservedEmail + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedIdentifier + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedLogin + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md new file mode 100644 index 0000000000..b23ffb9514 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md 
@@ -0,0 +1,62 @@ +# Create a Provisioning Rule + +How to define scalar rules, navigation rules and/or query rules to compute and provision target +resources values from source resources values. See the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +## Overview + +[ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) led to the grouping of resources into resource +types (classification), and the establishment of source-to-target relationships between these +resources (correlation). + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of scalar and navigation properties for the target +resources used in entitlement management, based on source resources. We are going to +[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) these properties, i.e. write them to the +managed system. + +The right tools for the job are provisioning rules: scalar rules, navigation rules, query rules. + +These provisioning rules are designed to: + +1. retrieve the input data in source objects; +2. compute the output value for target objects; +3. provision the corresponding properties in the managed system with the computation result. + +Another kind of provisioning rule is called resource type rule. Instead of computing existing +properties, resource type rules create automatically target resources to be owned by given source +resources (identities). + +In testing mode, the impacted resource types can be configured to block provisioning, by adding a +mandatory review before actually writing to the managed system. 
See the +[ Create a Resource Type ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for additional +information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ----------------------------------------- | +| Categorization (required) | Scalar rules Navigation rules Query rules | + +See the [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +## Create Provisioning Rules + +- [ Create Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md)type rules to automatically create resources. +- [Compute a Scalar Property](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) to compute scalar properties; +- Create navigation and/or query rules to compute navigation properties. + +Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting provisioning +rules using simulations in order to anticipate changes. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Next Steps + +Once provisioning rules are created, integrators can start +to[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). 
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md new file mode 100644 index 0000000000..60150724a6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md 
@@ -0,0 +1,283 @@ +# Compute a Navigation Property + +How to define navigation rules and/or query rules to compute and provision the values of navigation +properties for target resources based on source resources. See the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of navigation properties for the target resources used in +entitlement management, based on source resources. See +the[ Define Navigation Properties ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) +topic for additional information. We are going to provision these properties, i.e. write them to the +managed system. See the [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) topic for +additional information. + +The right tools for the job are navigation and query rules. + +A navigation property's value can be computed by a navigation rule or a query rule, assigning a +given resource from the entity type pointed by the navigation property (which can be the target +entity type itself). Let's call this entity type the "other" one. + +- A Navigation rule assigns a fixed resource, which is chosen from among the "other" entity type's + resources during the rule's creation. The assigned resource is the same for all impacted accounts. + Use a navigation rule when a given resource must be assigned, regardless of users' attributes. +- A Query rule assigns a resource from the "other" entity type too. However, the resource is chosen + according to a query via a C# expression with conditions, based on the attributes of the source + objects (usually users). 
Hence, contrary to a navigation rule, a query rule can assign a different + resource for each impacted account, based on the attributes of the account's owner. Use a query + rule when there is the need to use variables from among users' attributes to select the resource + to assign. + +![Schema - Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp) + +> A navigation rule could add the AD group `SG_APP_SQL` to the `memberOf` navigation property to all +> AD nominative accounts provided that the user has the single role `SQL Server Administration`. + +> A query rule could compute the value of the `department` navigation property for ServiceNow +> nominative accounts (entity type `ServiceNow_User`), with a query from among resources from the +> `ServiceNow_Department` entity type, where the name of the resource would match the display name +> of the organization specified for the user (owner of the ServiceNow account). +> +> We need here to query the `ServiceNow_Department` entity type in order to find the right +> department to update the value of `department`, which is specific to each ServiceNow account. +> +> Thus, each user owning a ServiceNow account will see the value of `department` in their account +> updated with the resource from `ServiceNow_Department` which corresponds to the department +> specified for this user. + +> Another query rule could compute the `parentdn` attribute for AD nominative accounts, with a query +> from among AD entries, where the `dn` attribute of the resource would match a complex expression +> based on the user's (owner of the AD account) presence state, employee type, location, etc. +> +> We need here to query the `AD - Entry` entity type in order to find the right dn to update the +> value of `parentdn`, which is specific to each AD nominative account. 
+> +> Thus, each AD nominative account will have the value of its `parentdn` set according to its +> owner's attributes (presence state, employee type, location, etc.). + +The application of a navigation rule can depend on the assignment of a single role, and/or user +dimensions. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information on the assignment of a single role and +[ Conforming Assignments ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +topic for additional information on dimensions. + +A query rule does not use criteria as it is designed to compute a given navigation property for all +existing resources in a given resource type. However, in case of several query rules on a same +property, the application of a query rule depends on its confidence rate and the corresponding +priority it receives compared to other query rules. See the +[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +While both navigation and query rules compute navigation properties, the value of one navigation +property should be computed by either navigation or query rules, not both. + +In Identity Manager, a navigation property has two "sides", one for each linked element. + +For example in the AD, the group membership of a user is represented by the properties `member` for +groups (containing a list of users) and `memberOf` for users (containing a list of groups). +However, some managed systems only have one of these two sides. + +The AD only uses `member` from among groups' properties. Users do not have a `memberOf` property. 
As +Identity Manager uses and links both sides, it is able to "translate" the information, so that the +corresponding navigation property, which actually exists in the managed system, is modified by the +navigation/query rule. + +Identity Manager assigns an entitlement to a user by assigning a group-membership to an account. +Thus we can create a navigation rule which adds a group to the `memberOf` property of given +accounts. Identity Manager will update the `member` property of groups accordingly (in Identity +Manager), and then provision the `member` property of said groups in the AD, adding the impacted +accounts. + +A navigation rule will trigger the creation of a target resource for all impacted source resources +(so all users), which are not yet correlated with a resource of this resource type. + +**NOTE:** A query rule does not create resources, and only computes the navigation properties of +existing resources. + +## Guidelines + +Follow these guidelines when configuring navigation properties. + +Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +> For example, consider an organization that manages email addresses according to the site with +> `.fr` for France and `.be` for Belgium. +> +> A working option could be to write an expression with a condition `if` on the site to assign the +> domain name. However, if the organization expands and needs to consider an additional country, +> then the rule requires change in the expression code. +> +> A better solution is to change the identity data model by adding a field `Domain Name` to describe +> the object `Site`, and to be used in the rule expression. In this case, if there is an additional +> country, then a new field is added in the data model for `Site` and `Domain Name`. 
Thus, the rule +> expression remains simple by using the new objects, for example +> `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +Priority between navigation/query rules + +When creating navigation and query priorities, follow these rules: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property + value over time, via time offsets. See the + [Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. See the +[ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +| Input | Output | +| ------------------------- | ---------------------------- | +| Categorization (required) | Navigation rules Query rules | + +## Create a Navigation Rule + +Fill an entity type with a navigation rule by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +navigation rule. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. 
+ +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 4 –** Fill in the fields. + +![Create a Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + +- `Join`: navigation property from the target entity type, whose value is to be impacted. +- `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the + `Join` property. +- `Navigation denied`: option that forbids the resource assignment. +- `Offset of effective date`: time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + > For example, account activation and deactivation can be managed according to the start and/or + > end dates. + +- **Criteria**: conditions that, if met, trigger the rule application. + +> Our example would look like: +> +> ![Scalar Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp) + +**Step 5 –** Click on **Create** and see a line added on the rules page. + +The navigation rule is now configured and can be found in the Access Rules tab. + +## Create a Query Rule + +Fill an entity type with a query rule by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +query rule. 
+ +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Queries** tab and on the addition button at the top right corner. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +Fill in the fields. + +![Create Query Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp) + +Once the `Resource Type` is provided, more fields appear. + +![Query Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp) + +- **Target Object** > `Property to fill`: navigation property from the target entity type, whose + value is to be impacted. +- **Target Object**: property (or expression of properties) from the entity type pointed by the + `Property to fill`, which will be the value of the `Property to fill` if it matches the source + object. Can be defined by a property path and/or an expression. See the + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional + information. +- **Source Object**: property (or expression of properties) from the source entity type. Can be + defined by a property path and/or an expression. See the + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional + information. +- `Offset of effective date`: time period that defines the actual effective date according to the + value's start and/or end date. An offset of effective date can be useful for some attributes. 
For + example, account activation and deactivation can be managed according to the start and/or end + dates. +- `Confidence Rate`: rate expressing the confidence in this link, and its priority order. See + the[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional + information. + +> Our examples would look like: +> +> ![Query Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp) +> +> ![Query Rule Example 2](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp) + +Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a navigation or query rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a navigation rule (and its criteria), and if the user's +criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system. 
+ +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in navigation and query rules. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Verify Rule Creation + +In order to verify the process: + +**Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role +Reconciliation** screen) to help check query rules: if there are numerous properties to be +reconciled following the same pattern, then there may be a rule that needs to be changed. + +**Step 2 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +**Step 3 –** Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on +the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to +be reconciled following the same pattern, then there may be a rule that needs to be changed. + +See +the[ Review an Unauthorized Account ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) +and +the[ Reconcile a Role ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) +topics for additional information. 
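Review bot: in the "Verify Rule Creation" section of navigation-property-computation/index.md, the same procedure appears twice: Step 1 and the unlabelled "Review unauthorized accounts ..." paragraph are repeated word for word as Step 2 and Step 3. Keep one copy, with Step 1 running **Jobs** > **Compute Role Model** and Step 2 reviewing the **Resource Reconciliation** and **Role Reconciliation** screens. In "Create a Query Rule", "Fill in the fields." and "Click on **Create** ..." have lost their Step 4 and Step 5 labels, which the navigation rule procedure just above keeps. Smaller points: the navigation rule example image carries the alt text "Scalar Rule Example"; "the[ Classify Resources ]", "the[ Review an Unauthorized Account ]" and "the[ Reconcile a Role ]" are missing the space before the link; and "There are several barriers to cross" is left unexplained here, while the resource type page names the two barriers.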
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md new file mode 100644 index 0000000000..0f8eee6ae5 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md 
@@ -0,0 +1,120 @@ +# Create Resources + +How to define +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +rules to create new (target) resources for given users, computing and provisioning their properties +based on source resources. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to create target resources and assign them to given users. We are going to +[Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md) these resources, i.e. write them to the +managed system. + +The right tools for the job are resource type rules. + +The application of a resource type rule can depend on the assignment of a single role, and/or user +dimensions. + +> A resource type rule could assign a SAP account to users working in Germany, and who already have +> the role `SAP: manager access`. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ------------------- | +| Categorization (required) | Resource type rules | + +See the [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +## Create a Resource Type Rule + +Create a resource type rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. 
+ + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Resource Types** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Resource Type Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp) + + - `Resource Type`: resource type to be automatically assigned. + - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among + suggested permissions in the permission basket of users matching the criteria during an + entitlement request, suggested assignments must be selected manually to be requested; or + `Automatic` so that the resource type is automatically assigned to users matching the + criteria; or `Automatic but with validation` so that the resource type is listed in the + permission basket of new workers, these assignments can still be modified. + - `Resource type denied`: option that forbids the assignment. + - `Offset of effective date`: time period that defines the actual effective date for resource + creation/deletion according to the value's start and/or end date. + - **Criteria**: conditions that, if met, trigger the resource creation. + > Our example would look like: + > + > ![Resource Type Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp) + +5. Click on **Create** and see a line added on the rules page. 
+ +## Impact of Modifications + +Any modification in a resource type rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new assignments. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity by a resource type rule, and if the user's criteria do not comply with +the new version of the rule, then the corresponding resource is automatically deleted. + +A modification in a resource type rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system: first before the creation of an Assigned Resource Type in Identity Manager's database, and +again before the actual action in the managed system. + +> In our example, let's say that we replace the country criterion `Germany` with `France`. Consider +> a user who had a SAP account assigned through this rule. Now that the country criterion has +> changed, our user working in Germany would be deprived of their account. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in resource type rules. + +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. 
Create a resource type rule involving an account that said user doesn't already have, based on + criteria which the selected user satisfies. +3. Trigger the computation of the role model by clicking, on the corresponding connector's overview + page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +4. See the new account in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + + If the type rule uses a single role as a criterion, and the user has said role, then both the + resource type and the role will be displayed in the user's permissions, but only if the role is + related to a [ Compute a Navigation Property ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md). + Otherwise, only the resource type will be visible. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md new file mode 100644 index 0000000000..367bcc83e7 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md 
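Review bot: in resource-creation/index.md, step 2 of "Create a Resource Type Rule" tells the reader to choose the source entity type "for the future scalar rule", which looks copied from the scalar rule page; it should read "for the future resource type rule". In the closing note of "Verify Rule Creation", "only if the role is related to a [ Compute a Navigation Property ]" uses the topic title where the sentence needs "a navigation rule"; reword it and move the link into a "See the ... topic" sentence. The "Simulations are available" paragraph has no link to the Perform a Simulation topic, unlike the same paragraph in the navigation and scalar pages. The addition icon here points to categorization/classification/iconadd_v602.svg while the sibling pages use user-profile-assignment/iconadd_v602.webp, so confirm that the .svg asset exists. In the `Type` bullet the three values are run into one sentence; one nested list item per value (`Suggested`, `Automatic`, `Automatic but with validation`) would be easier to scan.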
@@ -0,0 +1,204 @@ +# Compute a Scalar Property + +How to define scalar rules to compute and provision the values of scalar properties for target +resources based on source resources. See the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic +for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of scalar properties for the target resources used in +entitlement management, based on source resources. See the +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. We are going to provision these properties, i.e. write them to the managed system. See +the [Provision](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/provisioning/index.md)topic for additional information. + +The right tools for the job are scalar rules. + +A scalar property's value can be computed by a scalar rule, based on at least one scalar property +from the source entity type, possibly writing a C# expression. + +![Schema - Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp) + +A scalar rule could define the scalar property displayName of nominative AD accounts based on its +owner's name with the expression: + +return person.LastName + " " + person.FirstName; + +The application of a scalar rule can depend on the assignment of a single role. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information. + +Sometimes we create in Identity Manager properties which are not directly linked to any real +property in the managed system. 
A scalar rule on this kind of property will not find a property to +provision in the managed system, and thus will not produce any result. + +For example, we may need to create in the AD the property isUnused (to spot unused accounts) with a +C# expression based on other properties from the same entity type. These properties, such as +accountExpires and lastLogonTimestamp, are each linked to a property from the AD, while isUnused is +for Identity Manager's use only. This scalar property isUnused does not exist in the AD, thus will +never be provisioned to the AD, and thus will not be computed by a scalar rule. + +Also some properties, like lastLogonTimestamp in the AD or identifiers from ServiceNow, must be +changed only by their application. Identity Manager can/must not change these properties, thus no +provisioning rule is appropriate for them. + +A scalar rule using a single role as criterion will trigger the creation of a target resource for +all impacted source resources (so all users), which are not yet correlated with a resource of this +resource type. + +Without a criterion, a scalar rule does not create resources, and only computes the scalar +properties of existing resources. + +## Guidelines + +Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +For example, consider an organization that manages email addresses according to the site with .fr +for France and .be for Belgium. + +A working option could be to write an expression with a condition if on the site to assign the +domain name. However, if the organization expands and needs to consider an additional country, then +the rule requires change in the expression code. 
+ +A better solution is to change the identity data model by adding a field Domain Name to describe the +object Site, and to be used in the rule expression. In this case, if there is an additional country, +then a new field is added in the data model for Site and Domain Name. Thus, the rule expression +remains simple by using the new objects, for example +`Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +Priority between scalar rules + +A scalar rule with a role as a criterion has a higher priority than a rule without a role criterion. + +For example, consider the situation where we want the login `A` for users with the single role `RA`, +and the login `B` for the others. In this case, we can write two distinct scalar rules where the +first one has the role `RA` as a criterion. This rule will be applied before the other. + +Other than that, there should not be more than one rule meant to provision a given property on a +given time period. + +It means that: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property + value over time, via time offsets. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ------------ | +| Categorization (required) | Scalar rules | + +See the [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. 
+ +## Create a Scalar Rule + +Fill an entity type with a scalar rule by proceeding as follows: + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +scalar rule. + +![iconadd_v602](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Scalars** tab and on the addition button at the top right corner. + +![Create Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp) + +**Step 4 –** Fill in the fields. + +![Scalar Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp) + +Once the Resource Type is provided, more fields appear. + +- Source Object: Scalar property (or expression of scalar properties) from the source entity type, + which constitutes the input for the computation of the target object. Can be defined by a property + path and/or an expression. +- Target Object: Scalar property from the target entity type, whose value is to be impacted. +- Offset of effective date: Time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + For example, account activation and deactivation can be managed according to the start and/or + end dates. 
+ +- Applicable: Create & Update to use this computation to both provision the managed system and + synchronize the property back to Identity Manager; **Create Only** to use this computation to only + provision the managed system and ignore this property during synchronization, this way the + property can never be displayed as non-conforming. + + **Create Only** is usually set to adapt the configuration to the constraints of the managed + system, when Identity Manager does not retrieve and/or update the property value. + + For example, consider a system, that we want to connect to Identity Manager (let's call it SYST) + using a title property. Consider also that SYST needs to be provisioned with the value of title, + but does not allow any other system to retrieve said value. + + In this case, we use **Create Only** so that Identity Manager sends the adequate provisioning + order upon creation, and then is able to change the provisioning state to **Executed** without + synchronization. If any changes impact that **Scalar Property** value the workflow state will be + modified to **PolicyApprovedWithChanges** meaning that the policy value is not equal to the + external system's value and that will not be provisioned. + +- Comparison type: Comparison type between the value of the target object computed by the rule and + its value from the managed system. Non-conforming values are displayed on the **Provisioning + Review** screen. +- Criteria: Conditions that, if met, trigger the rule application. + +Our example would look like: + +![Scalar Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp) + +**Step 5 –** Click on **Create** and see a line added on the rules page. 
+ +## Impact of Modifications + +Any modification in a scalar rule is taken into account when launching the role model computation +task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > +**Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a scalar rule (and its single role criterion), and if the +user's criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in scalar rules. See the +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Verify Rule Creation + +In order to verify the process: + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +**Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +**Step 2 –** Review unreconciled properties on the **Resource Reconciliation** screen to help check +scalar rules: if there are numerous properties to be reconciled following the same pattern, then +there may be a rule that needs to be changed. 
See the +[ Reconcile a Property ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) +topic for additional information. + +Once the steps completed the process is verified. diff --git a/docs/usercube/6.2/usercube/user-guide/set-up/role-officer-management/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/role-officer-management/index.md similarity index 100% rename from docs/usercube/6.2/usercube/user-guide/set-up/role-officer-management/index.md rename to docs/identitymanager/6.2/identitymanager/user-guide/set-up/role-officer-management/index.md diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md new file mode 100644 index 0000000000..7a87eb8f2f --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md 
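Review bot: in the Overview of scalar-property-computation/index.md, the isUnused example contradicts itself: it opens with "we may need to create in the AD the property isUnused" and then states that isUnused "does not exist in the AD". The first sentence should say the property is created in Identity Manager, on the AD entity type. In the same section the C# expression return person.LastName + " " + person.FirstName; is left as a bare paragraph and displayName, isUnused, accountExpires and lastLogonTimestamp are unformatted, while the e-mail expression under Guidelines is in backticks; put the expression in a code block and the property names in inline code. The **Create Only** description says the property "can never be displayed as non-conforming"; say explicitly whether this means a value changed directly in the managed system goes unreported, and rewrite the PolicyApprovedWithChanges sentence, where "and that will not be provisioned" has no clear subject. In "Create a Scalar Rule" and "Verify Rule Creation" each screenshot is placed before the step it illustrates, the reverse of the other rule pages, and "Once the Resource Type is provided, more fields appear." comes after the image of those fields. "Expression code must not contain too much data" and "Priority between scalar rules" need heading or bold markup, "[Provision](...)topic" is missing a space, and the last line should read "Once the steps are completed, the process is verified."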
@@ -0,0 +1,74 @@ +# Create a Category + +How to structure roles into categories. See the +[ Category ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +topic for additional information. + +## Overview + +A category is usually created to: + +- reflect the validation process, i.e. represent groups of roles that follow the same validation + process with the same validator(s); +- help users find intuitively the entitlement that they are looking for. + +> For example, creating one category per application often fulfills both requirements. + +There is usually one validator per category. + +There can be several category levels. For example, integrators can choose to create one category per +department, then one per position, and finally one per application. They usually gather roles by +application. Here are a few examples of categories: `AD`, `HR` , `SAP`, `IT Administration`, +`Test Environments`, etc. Some of these "application categories" are gathered into larger categories +by theme as long as their role owner is identical. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | ---------- | +| Role Catalog (optional) | Categories | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for additional information. + +## Create a Category + +Categories are not mandatory to create roles, but they are highly recommended to organize single +roles. + +Create a category by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles + page. 
+ + ![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. All existing categories are shown in the menus on the left. To create a new category, click on + **+**. + + ![Add a New Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp) + +3. Fill in the fields. + + ![Create a Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp) + + - `Identifier`: must be unique among categories and without any whitespace. + - `Name`: will be displayed in the UI to identify the created category. + - `Collapsed in the role tree`: option that enables a collapsed view of the category in the role + tree. + - `Parent category`: optional link to an existing category that would contain the created + category. + +4. Click on **Create** and see the category added in the menus. + + When creating a category, you must be cautious about the associated validators that are not yet + defined. + +## Verify Category Creation + +In order to verify the process, check on the **Access Roles** screen that the category is created +with the right parameters. + +![Verify Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md new file mode 100644 index 0000000000..9310eaac21 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md 
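Review bot: in category-creation/index.md, the note under step 4, "you must be cautious about the associated validators that are not yet defined", does not tell the reader what to do. State what to check before or after creating the category and point to the topic where validators are assigned. The Overview says "There is usually one validator per category", but none of the fields listed in step 3 (`Identifier`, `Name`, `Collapsed in the role tree`, `Parent category`) sets one, so a sentence on where the validator is configured would close that gap. Minor: there is a stray space in "`HR` ," and padded link text in "[ Category ]" and "[ Create Roles in the Role Catalog ]".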
@@ -0,0 +1,223 @@ +# Create Roles in the Role Catalog + +How to define +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +to model entitlements, and organize them in the role catalog, basis of the role model. See the +[ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +The creation of the role catalog is a time-consuming part, with an important workload concerning the +description of the internal processes for all applications. Actors here need to really understand +the useful permissions within managed applications. + +## Overview + +The aim here is to establish and create the exhaustive list of +[ Role Model ](/docs/identitymanager/6.2/identitymanager/integration-guide/role-model/index.md) needed by the organization. Roles are +a way to represent entitlements which are assigned to identities, so that said identities are able +to work with the managed systems. + +![Schema - Single Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles +in the organization, hiding the technical complexity of entitlements behind the business vision of +user-friendly names and categories, in order to: + +- assign roles to users, by requesting them manually, or using rules that assign roles automatically + based on users' attributes; +- simplify the implementation of Segregation of Duties (SoD); +- simplify the implementation and execution of access certification campaigns. + +Roles are not chosen at random as they must correspond to the way entitlements were modeled during +connector modeling. + +### Technical Principles + +Identity Manager's roles are all built the same way. 
Technically speaking: + +- a role is part of a policy which is a subgroup of the role model. See the + [ Entitlement Management ](/docs/identitymanager/6.2/identitymanager/introduction-guide/overview/entitlement-management/index.md) + topic for additional information. + + > Let's take the example of the unlimited Internet access, part of the default policy. + +- a role is created to be owned by users represented by a given entity type; + + > We choose users from `Directory_User`. + +- roles need to be structured so categories are created to: + + - represent groups of roles that follow the same validation process with the same validator(s); + - help users find intuitively the entitlement that they are looking for. + + NETWRIX recommends creating one category per application, as this method often fulfills both + requirements. + + Then single roles can be grouped together through + [ Composite Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) + for applicative purposes, allowing users to be assigned several entitlements simultaneously. + Leave composite roles for later, when the system runs as is and would benefit from an additional + layer in the role model. + + > This role is part of the previously created `Internet` category. + +- a role is created with a given approval workflow according to the entitlement's sensitivity; + + ![Schema - Approval Workflow](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp) + + > We choose to require one manual validation from a knowledgeable user before the Internet role + > is assigned to a user. + +- to be effective, roles must be linked to actual entitlements in the managed systems. Technically + speaking, this means that for each entitlement that you want to assign through a given role, you + must create a navigation rule to build said link. 
A navigation rule is specific to one resource + type. See the [ Categorize Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/index.md) topic for additional + information. + + ![Schema - Single Role with Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp) + + > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation + > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for + > all users having the role. + + This part is about single roles, dealing with entitlements one-to-one. The idea is to associate + one single role with one fine-grained entitlement. + + ![Schema - Roles and Identities](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp) + + > For example, an accountant needs read access to the accounting software, a project manager to + > their billable hours for their projects on SAP, etc. + + When roles are well-defined, one entitlement request must lead to the direct functional + entitlement assignment. No more, no less. + +## Strategy for Role Creation + +### Role structuring + +Functionally speaking, the main benefit of roles is to give entitlements user-friendly names, easily +understandable by managers. And to be understandable, roles must be structured. + +The strategy for role creation and structuring varies according to the +[ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) established for a given system. +Here, we will take as example the common use-case that organizes and categorizes roles by +application. Then, the strategy varies whether the system hosts a single application (like SAB or +SAP) or several (like the AD or LDAP). 
+ +In any case, role creation and maintenance are made easier by entitlements' naming conventions. +Thus, no matter the kind of system that you are working with, if the system uses no naming +conventions, then you should start by creating some. They will be the basis for role structure in +Identity Manager, and will really simplify role creation. + +One system for one application + +A common and intuitive case is when a system is simply one application. Then, integrators can create +one role per entitlement in said application, and one category for the application. + +> The SAP application is about entitlements only for itself. Then, we create a single role per +> entitlement in SAP inside a category called `SAP`: +> +> ![Roles Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp) + +One system hosting several applications with existing naming conventions + +If a given system is used to manage entitlements for several applications, then building categories +becomes more complicated. + +> For example, the Active Directory usually hosts many groups used to manage entitlements in several +> distinct applications. +> +> ![AD Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp) + +The goal here is to find a way to clarify the link between each entitlement and the corresponding +application. + +If the system uses naming conventions for entitlements, then it is possible to deduce the +application it corresponds to, from the entitlements' names. + +> For example, a group is called `SG_APP_banking/digital/haumea/reader` in the AD. The membership to +> this group gives an entitlement. Knowing the organization, integrators understand that this +> entitlement is about the department `banking`, the position `digital`, the application `haumea` +> and the access right `reader`. 
+ +Roles can be created accordingly, with one role per entitlement and a category per application. + +One system hosting several applications without existing naming conventions + +However, in the case of a connector for several applications, sometimes no information can be +deduced from the entitlements' names. It is still necessary to find a way to clarify the link +between each entitlement and the corresponding application. + +Then, the solution is to add information inside the managed system, creating a specific field or +filling an empty field. + +> For example in the Active Directory, integrators can modify the field called `description` to +> specify the application name (such as Outlook in this example). +> +> ![Appropriated Field](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp) + +Thus, the needed information is added to the managed system. After the execution of synchronization, +said data is accessible inside Identity Manager database and can be used as a naming convention. + +In some cases, integrators are not allowed to create/modify fields in the external systems. Then, +the information can be added on Identity Manager side only. As the new field doesn't exist in the +external systems, it can't be overwritten. + +### Automation of role creation + +The UI provides tools to create single roles manually, working top-down from abstraction (role name) +to the technical aspects (navigation rule and technical entitlement). Most projects use thousands of +single roles, which makes role creation a long, tedious and repetitive process. See the +[Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) topic for additional information. 
+ +![Schema - Role Creation Top-Down](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp) + +Roles can also be created bottom-up via role naming rules. Instead of the previous process, you can +use the name of said entitlement in your managed system to create automatically the corresponding +single role and rule (and category if it does not already exist). In other words, Identity Manager's +naming rules are to be based on your existing naming conventions for entitlements. See the +[ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) topic for additional information. + +![Schema - Role Creation Top-Down](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp) + +One naming rule can generate many roles, so a few automatic rules can easily and faster create the +single role catalog. Naming rules prove particularly useful when you need to add multiple new +permissions in your external system. You won't have to create manually the corresponding categories, +roles and rules as long as said permissions are created with properties matching the conditions from +the rules. + +NETWRIX recommends starting the role catalog with as many naming rules as possible before creating +roles manually. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| Connector's data [ Model the Data ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) (required) | Single role catalog | + +## Create the Single Role Catalog + +Create the single role catalog by proceeding as follows: + +1. Create as many single roles as possible (with their navigation rules and categories) via the + [ Create Roles in Bulk ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) naming rules. +2. Complete the role catalog if needed by creating manually additional + [ Create a Category ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) and single roles with their navigation rules. +3. Add [Create a Composite Role](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/composite-role-creation/index.md) to the single role + catalog only if the project is mature enough. Composite roles are more complex than single roles + and they are not mandatory. + +## Impact of Modifications + +[ Perform a Simulation ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/simulation/index.md) are available in order to anticipate +the changes induced by a creation/modification/deletion in roles and navigation rules. 
+ +## Next Steps + +Once the role catalog is established, integrators can start role officer management. + +The role catalog is also a prerequisite for +[ Manage Risks ](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/risk-management/index.md)management. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md new file mode 100644 index 0000000000..981323d72a --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md 
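Review bot: In "Create the Single Role Catalog", "Impact of Modifications" and "Next Steps", several sentences had a noun replaced by a link title and no longer parse: "creating manually additional [ Create a Category ](...) and single roles", "Add [Create a Composite Role](...) to the single role catalog", "[ Perform a Simulation ](...) are available" and "[ Manage Risks ](...)management". Suggest restoring the nouns (categories, composite roles, simulations, risk management) as or around the link text, and trimming the padding spaces inside the brackets. In "Automation of role creation", the bottom-up diagram (singlerolescatalog_schemabottomup.webp) also reuses the alt text "Schema - Role Creation Top-Down"; it should describe the bottom-up schema. The three sub-case titles under "Role structuring" ("One system for one application" and the two that follow) are plain lines with no heading marker, unlike "### Role structuring" itself.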
@@ -0,0 +1,192 @@ +# Create a Role Manually + +How to create single roles manually. + +## Overview + +A single role is a way to represent an entitlement that is to be assigned to an identity. It brings +a layer of abstraction through a user-friendly name, close to the business view. See the +[ Single Role ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +topic for additional information. + +To be effective, roles must be linked to actual entitlements in the managed systems. Within Identity +Manager, an entitlement assigned to an identity is in fact represented by the value of a given +navigation property, in a resource owned by said identity. See the +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md)topic for additional +information. Thus, each role is linked to one navigation rule per entitlement. See the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +**NOTE:** For example, imagine that we want to grant unlimited Internet access to the administrator +profile of an identity. This entitlement won't be assigned directly to the identity but to its AD +administration account. In our Active Directory, there is a resource called `DL-INTERNET-Restricted` +identified from among AD entries as a group. So we need to add this group membership to the +properties of the identity's AD account, using `DL-INTERNET-Restricted` as a value of the +**memberOf** property. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. 
+ +| Input | Output | +| ------------------------- | ------------ | +| Classification (required) | Single roles | + +See the[ Classify Resources ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +## Create a Single Role + +Create a single role by proceeding as follows: + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access +the roles page. + +![createsinglerole](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp) + +**Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ +New** at the top right corner. + +**Step 3 –** Fill in the fields. + +- Identifier: Must be unique among roles and without any whitespace. +- Name: Will be displayed in the UI to identify the created single role. +- Policy: Policy in which the role exists. +- Entity Type: Entity type targeted by the role. +- Description: Description of the role. +- Tags: Label(s) that can later be used to filter the target roles of access certification + campaigns. See the + [ Schedule a Certification Campaign ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) + topic for additional information. + + **NOTE:** Netwrix recommends using role tags when you want to perform an access certification on + a set of roles that are from several categories. + +- Category: Category which is to contain the created role. +- Secondary Categories: Other potential categories which are to contain the created role. +- Approval Workflow: Represents the number of validations required to assign the created role. 
+- Lock the end date: Locks or binds manual permission assignments to the identity's end date (as + defined by the context rule). + + It has five options: + + - Inherited:The policy's setting will be used. + - Explicit, by default not context bound: By default, the assignment's end date will not be + context bound in order to encourage the manual entry of an end date. + - Explicit, by default context bound: By default, the assignment's end date will be context + bound and therefore locked, but a manual date can be entered. + - Never: The assignment's end date will never be locked and needs to be specified manually. + - Always: The assignment's end date is always locked according to the applicable context rule. + +- Approve Role Implicitly: Needs at least the simple approval workflow. **Implicit** mode bypasses + the approval step(s) if the person who makes the role request is also the role officer. + **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve roles + implicitly or not. See the [Create a Policy](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/policy-creation/index.md) topic for + additional information. +- Prolongation without a new approval workflow +- Hide in Simplified View: Hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. +- Maximum Duration: Duration (in minutes) after which the role will be automatically revoked, if no + earlier end date is specified. + + **NOTE:** The maximum duration impacts only the roles which are manually assigned after the + maximum duration is set. Pre-assigned roles are not impacted. + + - If no duration is set on the role, the maximum duration of the associated policy is applied. + - If the duration is set to 0 on the role, it prevents the associated policy from applying its + maximum duration to it. 
+ +- Grace Period: Duration (in minutes) for which a lost automatic single role is prolonged. A review + will be required to validate or decline the entitlement prolongation. Inferred entitlements won't + be lost unless the end of the grace period is reached or the prolongation is declined. + + **NOTE:** The grace period is only applied if the loss of the entitlement is due to a change in + the rules, i.e. rule deletion or criteria changes. + + If the grace period is not defined, the value is inherited from the policy. + +**Step 4 –** Click on **Create** and see a line added on the roles page. + +**Step 5 –** Create at least one navigation rule with the single role as a criterion. + +Once you have completed the steps the single role is created. + +## Create a Navigation Rule + +Navigation rules aim to assign given resources to identities based on specific criteria. A +navigation rule sets the value of the navigation property on a specific resource, if a given +condition is met. It is linked to a parent resource type that sets the target entity type. One rule +creates one navigation. + +Create a navigation rule by proceeding as follows: + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules** to access +the rules page. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the drop down menu at the top left, choose the entity type to which the future +navigation rule will be applied. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. 
+ +![Create a Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + +**Step 4 –** Fill in the fields. + +- Join: Target property whose value is impacted by the created rule. +- Resource: Value to be set on the JOIN. +- Navigation denied: Option that forbids the resource assignment. +- Offset of effective date: Time period that defines the actual effective date according to the + value's start and/or end date. An offset of effective date can be useful for some attributes. For + example, account activation and deactivation can be managed according to the start and/or end + dates. +- Criteria: Conditions that, if met, trigger the created navigation. + +**Step 5 –** Click on **Create** and see a line added on the rules page. + +Once you have completed the steps the navigation rule is created. + +## Impact of Modifications + +When deleting a single role, caution must be used when deleting the corresponding navigation rules. +Indeed, these rules thus lose their criteria and may be applied to far too many people after that. + +## Verify Single Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 1 –** For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Access Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +**Step 2 –** Select single roles and find the role you created inside the right category and with +the right parameters. 
+ +Our example would look like: + +![Example - Generated Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 3 –** For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Access Navigation Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +**Step 4 –** Select navigation rules and find the rule(s) you created with the right parameters. + +Our example would look like: + +![Example - Generated Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) + +The verification of role creation has been completed. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md new file mode 100644 index 0000000000..216e59ef26 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md 
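Review bot: The "Impact of Modifications" section of role-manual-creation/index.md says caution is needed "when deleting the corresponding navigation rules", but the consequence it gives (the rules "lose their criteria and may be applied to far too many people") reads as what happens when the role is deleted and its rules are left in place. As written, a reader cannot tell whether the rules should be deleted or kept, and the failure mode is entitlements assigned to identities that never held the role. Suggest stating the expected order explicitly, for example that navigation rules using the role as a criterion are to be deleted or re-scoped together with the role, and linking the simulation topic that the parent page already references for previewing changes to roles and navigation rules. Separately, "Prolongation without a new approval workflow" in Step 3 is the only field listed without a description, and the Overview note grants "unlimited Internet access" through a group named `DL-INTERNET-Restricted`, which is worth a second look against the `SG_APP_DL-INTERNET-ALL` example on the parent page.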
@@ -0,0 +1,165 @@ +# Create Roles in Bulk + +How to create role naming rules, which create single roles using existing naming conventions from +the managed system. See the +[ Role Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +topic for additional information. + +## Overview + +A role naming rule automatically creates single roles and the corresponding navigation rules based +on the name of the corresponding entitlements in the managed system. + +Role naming rules replace the tedious process of manual role creation. Instead of creating roles +individually with their navigation rules, you can use role naming rules to generate roles in bulk +and thus faster create the single role catalog. + +> For example, consider a naming convention in our organization that states that AD groups have +> their cn: `SG_APP_`. Then, we can create a naming rule that indicates that for +> all AD groups starting with `SG_APP_`, we create a role that gives the adequate user the +> corresponding group membership, with `` as a name. For example, we have the +> application Contoso and the group `SG_APP_Contoso`. + +Roles created via role naming rules can still be modified later in the UI, if needed. + +A role naming rule, for a given resource type, creates roles and rules only for resources which are +not yet linked to a role, nor a navigation rule of this resource type. This implies that: + +- role naming rules do not overwrite manual changes; +- role naming rules cannot link more than one resource (so one entitlement) to one role. + +If a role naming rule is supposed to create a role that already exists, then a corresponding +navigation rule is created only if the existing role has the same policy and category as specified +in the role naming rule. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------ | --------------------------------------------------------- | +| [ Create a Provisioning Rule ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) | Role naming rule Single roles Navigation rules Categories | + +## Create a Role Naming Rule + +Create a role naming rule by proceeding as follows: + +1. On the home page, click on **Access Rules** in the **Configuration** section. + + ![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will + be applied. + + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Naming Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp) + + - `Policy`: + [Policy](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) + in which the rule exists. + - `Property`: navigation property which will define the actual entitlement in the future + navigation rule. + - `Identifier`: must be unique among rules and without any whitespace. 
+ - **+ New Rule**: a naming rule is based on the union of rules, themselves based on the + intersection of rule items. A rule item specifies one of the conditions that will trigger the + enforcement of the naming rule. See the + [ Role Mapping ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) + topic for additional information. + - `Where Expression`: C# expression returning a boolean to condition the application of the + rule. + + Netwrix Identity Manager (formerly Usercube) recommends using this option only when the + options available in the rule items do not suffice. + + - **Single Role**: single role(s) to be created. See the + [Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) topic for additional information. + + - `Identifier`: must be unique among roles and without any whitespace. If the defined + identifier is already used, then neither the role nor the rule is created. Can be defined + by a property path and/or + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md) (mandatory). + - `Name`: will be displayed in the UI to identify the future single role. Can be defined by + a property path and/or an + [Expressions](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/expressions/index.md). + + - **Category**: the + [ Category ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) + for the future role(s). + + - `Identifier`: either matches an existing category and selects it, or doesn't match and + therefore a new category is created. Can be defined by a property path and/or an + expression. + - `Name`: will be displayed in the UI to identify the category. Ignored if the `Identifier` + attribute matches an existing category's identifier. 
Can be defined by a property path + and/or an expression. + - ` Parent Identifier`: for a potential parent category. Must match an existing category's + identifier. Can be defined by a property path and/or an expression. + - `Default Category`: category for the future role(s) if the category's `Identifier` + attribute isn't filled in or doesn't compute. + + - `Role Policy`: policy in which the future roles exist. + - `Approval Workflow`: represents the number of validations required to assign the future + role(s). + - `Approve Role Implicitly`: needs at least a simple approval workflow. `Implicit` mode bypasses + the approval step(s) if the person who issues the role request is also the role officer. + `Explicit` refuses said bypass. `Inherited` follows the policy decision to approve roles + implicitly or not. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Comment Management on Permission Review`: to change if different from the role policy. + > Our example would look like: + > + > ![Example - Naming Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +As naming rules are applied only to resources that aren't already linked to a role or a navigation +rule, neither deletion nor modification in a naming rule can affect the previously created roles and +rules. + +## Verify Naming Convention + +In order to verify the process: + +1. 
to take the changes into account, on the appropriate connector's overview page click on + **Jobs** > **Apply Naming Conventions**; + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. check that the correct roles and rules were created. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select single roles and find the role(s) you created inside the right category and with the right +parameters. + +![Access Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +> [Our example](() would look like: +> +> ![Example - Generated Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select navigation rules and find the rule(s) you created with the right parameters. + +![Access Navigation Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) 
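Review bot: The Overview and the Single Role `Identifier` description in role-naming-rule-creation/index.md disagree on what happens when the target role already exists: the Overview says a navigation rule is created "only if the existing role has the same policy and category", while the field description says "neither the role nor the rule is created" when the identifier is already used. Since this decides whether an entitlement ends up linked to an existing role, please reconcile the two statements or spell out which case each one covers. The Overview example has also lost its placeholders: the cn pattern reads `SG_APP_` with nothing after it and the role name is an empty code span, possibly because the placeholders were written in angle brackets and stripped, so they need to be restored in escaped form. The "[Our example](()" link under "Verify Naming Convention" is malformed, and "` Parent Identifier`" carries a leading space inside the code span.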
diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md new file mode 100644 index 0000000000..23b83f387e --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/synchronization/index.md 
@@ -0,0 +1,280 @@ +# Synchronize Data + +How to launch data synchronization, i.e. read managed systems' data and load it into Identity +Manager. + +## Overview + +Data synchronization is a data flow from the managed systems into Identity Manager. + +### Process + +A connector's main purpose is to read and export the data previously mapped with +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) in order to synchronize it +with Identity Manager. Connectors provide tools to perform a basic extraction of the system's data +in the form of CSV/XLSX files. These files are cleansed and loaded into Identity Manager. +Synchronization is a three-step ETL process going through export, synchronization preparation and +the synchronization itself. + +![Synchronization Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp) + +#### Export + +The +[ Export Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) +creates extractions, a snapshot of the managed system's data, used to insert and/or refresh the data +that is inside Identity Manager. Extractions are accessible when there is at least one connection +with an export-enabled +[ References: Packages ](/docs/identitymanager/6.2/identitymanager/integration-guide/connectors/references-packages/index.md). +Extracted data becomes meaningful when it is loaded into resources as specified by the entity type +structure. + +Exported data is stored inside CSV files in the folder `/{InstallationFolder}/Temp/ExportOutput`. 
+ +#### Prepare synchronization + +The +[ Prepare Synchronization Task ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md)performs +a preparatory data cleansing to spot errors and list them in a generated file in the +`/{InstallationFolder}/Work/Synchronization` folder. + +> For example, this task spots an identity if it is linked to an organization code which doesn't +> exist. + +#### Synchronize + +The `Synchronize` task loads data into Identity Manager's database. + +See the +[ Upward Data Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +topic for additional information. + +### Prerequisites + +#### Extracted data must have keys + +Every extracted resource must have an attribute that serves as a primary key so that Identity +Manager can uniquely identify the resource to be added/updated/deleted during synchronization. You +must have defined keys during Entity Type creation. See the +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. + +Extractions must not be modified before synchronization + +Extractions must not be modified manually, for it may induce synchronization issues. + +> For example, saving an XLSX file implies an automatic modification of format. + +Also, synchronization must not be disturbed by a change in the source format, such as the deletion +of a column in the middle of the file. + +Thresholds must never be deactivated + +Thresholds are essential safety guards that control all changes, for example preventing the +overwriting of important data by mistake. Thresholds are by default activated to warn users when +synchronization or provisioning triggers too many modifications. 
If the number of modifications +exceeds the specified threshold, Identity Manager stops the synchronization and displays a warning +_"Threshold Exceeded"_ on the log page described below. + +Once the changes have been reviewed, the blocked job can be resumed (or not). + +Thresholds are configured with default values using the following +[ Connector ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +attributes: + +- `MaximumDeletedLines`, `MaximumInsertedLines` and `MaximumUpdatedLines` for scalar properties; +- `MaxPercentageDeletedLines`, `MaxPercentageInsertedLines` and `MaxPercentageUpdatedLines` for + scalar properties by percentage; +- `MaximumLinkDeletedLines`, `MaximumLinkInsertedLines` and `MaximumLinkUpdatedLines` for navigation + properties; +- `MaxLinkPercentageDeletedLines`, `MaxLinkPercentageInsertedLines` and + `MaxLinkPercentageUpdatedLines` for navigation properties by percentage. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to perform synchronization. + +| Input | Output | +| ------------------------------------------ | ----------------- | +| Connector with its entity types (required) | Synchronized data | + +See the [ Connect to a Managed System ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/index.md) topic for additional +information. + +## Launch Synchronization + +Launch synchronization for a given managed system by proceeding as follows: + +1. Access the list of connectors by clicking on **Connectors** on the home page in the + **Configuration** section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**. + + Here are all the tasks available for synchronization. 
They synchronize all connections and + entity types for only this connector. It is possible to launch them individually in order to + test them and debug a situation, or all together with **All Tasks**. According to the created + connection(s) and package(s), all these tasks can be launched either in incremental or complete + mode. + + ![Synchronize Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + + - `Update Expressions`: computes the expressions used in the entity type mapping. + - `All Tasks`: launches all previous tasks in a row. + + Notice that some connectors, depending on their connections and packages, can't be synchronized + in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a + choice between `Complete` and `Incremental`. See below this note. + + ![Synchronize Job (Only Complete)](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp) + +## Manage Synchronization Automation + +Export and synchronization are executed manually from the connector screens. By default, they are +also part of scheduled [ Jobs ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/jobs/index.md) provided by +Identity Manager: + +- the complete job is scheduled to launch a synchronization once a day of all resources, modified or + not; +- the incremental job is scheduled to launch a synchronization several times a day only of the + resources modified since the last synchronization. + +See the +[ Set Up Incremental Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) +and +[ Set up Complete Synchronization ](/docs/identitymanager/6.2/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) +topics for additional information. + +Scheduling the jobs avoids manually triggering them everyday. 
+ +However, you can choose to withdraw a given connector from both the complete and incremental jobs by +clicking on **Deactivate** on the connector's dashboard. This is particularly useful when modifying +a connector. You can also re-insert it at any time with the same button which is now named +**Activate**. + +![Jobs Results Dashboard](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +You can fine-tune the synchronization and/or provisioning of the connector by clicking on the +**Edit** button. + +![Edit button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp) + +Click on **Job Results** to access the progress of this connector's jobs. + +All jobs are accessible on the **Job Execution** page in the **Administration** section. + +![Home - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify an Entity Type's Synchronization + +In order to verify both the synchronization configuration and +[Create an Entity Type](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md): + +1. Launch synchronization. +2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. + + ![Jobs Results](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +4. 
Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the eye icon: + + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should first look for configuration validation, and only later validation of the actual data + being synchronized. + + > For example, let's say we created a connector for SAB that contains two entity types called + > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left. + > + > ![SAB Example - Home Page](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp) + > + > Clicking on `SAB - Users` displays the list of all synchronized resources. + > + > ![SAB Example - Data List](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp) + > + > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`: + > + > ![SAB Example - Resource Attributes](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp) + > + > Clicking on any eye icon displays the corresponding resource. SAB was created here with a + > simple user-group schema that links n users to n groups. So here, we can check these links by + > navigating from a given user to one of their groups, to one of said group's users, to one of + > said user's groups, etc. + +## Troubleshooting + +Make sure you followed the prerequisite guidelines for synchronization. + +Keep in mind that a problem observed in synchronized data might also come from a mistake made +previously in the connector's configuration. Therefore, logs can give more details. Logs are +accessible from the **Job Results** button on the dashboard of a given connector. 
+ +Don't hesitate to launch synchronization-related tasks individually and observe the corresponding +logs in order to debug a situation. + +If the connector and/or entity type doesn't appear in the menu items, then: + +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +Access the relevant connector's page and click on the **Reload** button to take into account the +last changes in the entity type mappings. + +If a newly added property doesn't appear in users' data, then: + +Access the relevant connector's page to click on the **Reload** button to take into account the most +recent changes in the entity type mappings. + +If a synchronization is blocked by an exceeded threshold, then: + +![Threshold warning](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp) + +Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows: + +1. On the logs page (accessible from the **Job Results** button), click on the line of a task + instance to see its logs. +2. Study synchronization counters and the list of all synchronization changes. These tools help you + make a decision about whether to bypass synchronization thresholds. + + ![Job progress](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp) + + In most cases, the first synchronization exceeds thresholds because no data exists in Identity + Manager yet. Thus, a high quantity of modifications is expected and the synchronization is to be + resumed. + + Numerous modifications can also be triggered by: + + - a change in date format; + - the input of blank files by mistake, because it would overwrite and erase all existing data; + - a swap of two headers in an input file. + +3. If, after verifying, all changes are legitimate, click on the **Resume** button at the top of the + job progress page. 
This will restart the job and allow the changes to be synchronized. + + Be cautious, check twice for mistakes before resuming. + + ![Resumed Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp) + +If an export doesn't complete, then: + +- Check the connection's settings. +- If you manually typed the source column of a property in the entity types, then make sure that the + source column exists in the corresponding managed system. + + ![Source Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp) + +If a given property from users' data is displayed in an unexpected way, then: + +Check the format of both the application metadata and the external system. + +![Property Format](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp) + +> For example, if you find that a given date doesn't comply with what you set, then maybe the format +> in the External System section wasn't correctly selected, thus inducing a conversion error during +> the export computation. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md new file mode 100644 index 0000000000..c7125a6cd3 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md 
@@ -0,0 +1,129 @@ +# Assign Users a Profile + +How to assign Identity Manager's access permissions to users through profiles. + +## Overview + +All the permissions to access items in Identity Manager, and to perform given actions, are managed +by assigning profiles to users and permissions to profiles. See the +[ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +and [References: Permissions](/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md) +topics for additional information. + +![Schema - Profile Assignment](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +For example, the access to the list of users with their personal data is usually restricted to HR +people, and the possibility to modify personal data restricted to HR managers. + +We define here a permission as an entitlement within Identity Manager. See the +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +Users are assigned profiles according to the permissions they need to work, at least one profile per +user. A user without a profile cannot access the application. Experience shows that most users have +one profile, sometimes two, and rare case have maximum three, or more. + +The goal here is to link users to basic profiles. + +The right time to assign profiles to users is just before they need it, so it depends on the +deployment strategy. +For example, we connected a given application and now we want to list orphaned accounts. Then we +need to assign a role officer. + +The priority is often about resource managers who will review orphaned and unused accounts. 
+ +## Participants and Artifacts + +Integrators must have the knowledge of who must be able to access what within Identity Manager. + +| Input | Output | +| ------------------------------ | ----------------- | +| Configured profiles (required) | Assigned profiles | + +See the [ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +## Assign a Profile to an Account + +In the following section you will read about how to assign a profile to an account. + +Manual assignment + +Assign manually a profile to a user by proceeding as follows: + +![Home Page - Assigned Profiles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +**Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** +section. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 2 –** Click on the addition button at the top right corner. + +![New Profile](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp) + +**Step 3 –** Fill in the fields. + +- **Profile**: Profile chosen from among existing profiles. +- **Resource**: Identity chosen from among entries to be assigned said profile. +- **Profile's Email**: Email created in order to receive the corresponding approval requests. +- **Deny this Profile**: Option that forbids the profile assignment instead of applying it. +- **Start Date** and **End Date**: Particularly useful for + [profile delegation](#delegate-a-profile). + +**NOTE:** If filters are defined in the Access Rules, and are assigned to the profile, a +**Criteria** section will appear containing them. Filters are conditions that, if met, trigger the +Access Control Rule Application. 
+The only filters which can be displayed in this section are filters related to dimensions or hard +coded criteria (Single Role, Composite Role, Resource Type and Category). +The filters are defined in the XML configuration on the access control rules. The criteria displayed +are a fusion of the filters of all the rules associated with the profile. See the +[Access Control Rule](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +Automatic assignment + +The largest profiles with the most basic permissions (like a simple access to the application) +concern many identities and are low-privileged. Thus integrators can set up profile assignment rules +through the XML configuration in order to assign profiles automatically, based on accounts' resource +type and potentially specific criteria. See the +[Profile Rule Context](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topic for additional information. + +![Launch Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp) + +Click on **Launch** to apply these profile rules. + +**NOTE:** Profile rules can also be applied through the same button on the **Profiles** page, by +clicking on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the +left menu. + +## Delegate a Profile + +Sometimes, users need to lend their entitlements, while on leave for example. In this case, it is +interesting to create new profiles, identical to the initial ones but without the right to delegate +the corresponding entitlements. + +For example, let us consider the Manager profile which we appointed as request validator per +department. 
In order to ensure the presence of all validators at all times, we choose to create a +Assistant Manager profile which is to be assigned occasionally to another user by a manager. A user +with the Assistant Manager profile will receive exactly the same entitlements as someone with the +Manager profile, except for the ability to assign the Assistant Manager to another user. + +Thus no workflow in Identity Manager can be blocked by the absence of the workflow's actors, and +security is ensured by preventing unwanted entitlement delegation. + +## Verify Profile Configuration and Assignment + +In order to verify both profile configuration and assignment, check that a sample of users can +effectively perform the actions allowed by their profiles. See the +[ Configure a User Profile ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +A functioning and well-assigned profile must not trigger 403 errors in the server logs, nor in the +UI in the form of a red notification at the bottom right corner of the application. This kind of +error appears if an entitlement is incomplete, i.e. giving access to a button but not to the page +said button leads to. + +For example, you can check whether an ordinary user can access another user's personal data from the +**Directory** tile. diff --git a/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md new file mode 100644 index 0000000000..d8f06efe42 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-configuration/index.md 
@@ -0,0 +1,115 @@ +# Configure a User Profile + +How to tweak the +[References: Permissions](/docs/identitymanager/6.2/identitymanager/integration-guide/profiles-permissions/permissions/index.md) for +actions within Identity Manager, for a set of basic +[ Assigned Profile ](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md). + +## Overview + +All the permissions for accessing items and performing actions in Identity Manager are managed by +assigning profiles to users and permissions to profiles. + +![Schema - Profile Assignment](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +> For example, access to user lists with personal data is usually restricted to HR staff, and the +> modification of personal data would be restricted to HR managers. + +We define here a permission as an entitlement within Identity Manager. + +Permissions can be about: + +- administration, which gives access to [Administrate](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/index.md) actions, + accessible in the **Administration** section on the home page; +- directory, which gives access to users' data (with several available levels of access), and also + any other data accessible in the **Directory** section on the home page; +- workflows, which gives access to actions for users' lifecycle (onboarding-movement-offboarding), + through the workflows provided by Identity Manager within the **Directory** pages; +- reports, which gives access to Identity Manager's predefined reports about workforce. See the + [ Generate Reports ](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. +- notifications, which enables notification reception when specific workflows are launched. 
+ +Netwrix Identity Manager (formerly Usercube) recommends creating and using the following profiles: + +- `Administrator` for requesting entitlements, performing potential additional role reviews, and + updating user data, the role model and the settings; +- `Helpdesk` for requesting entitlements and updating user data only, not for updating the role + model or other settings; +- `HR` for managing internal users, i.e. creating, updating and deleting them; +- `Manager` for requesting their teams' entitlements and managing their external users, like + contractors; +- `RoleOfficer` for reviewing and approving roles; +- `User` for basic viewing of user and organizational information. + +A user can have up to 10 assigned profiles. + +The goal here is to create profiles and link specific permissions to the profiles, in order to build +a set of typical profiles that will later be assigned to users. See the +[Assign Users a Profile](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md) topic for additional information. +Instead of assigning permissions one by one to users, you will assign them sets of permissions (i.e. +profiles). + +### Responsibility scopes + +Each permission can be assigned a responsibility scope, which represents the scope of action of +users with said permission. + +> For example, managers can be assigned the `View Requests` and `Manage Accounts` permissions, but +> only for the teams in which they have the manager title. In this case they will handle the +> entitlement requests within the team they manage, having their scope of responsibility defined as +> their team. It means that the manager cannot see or do anything outside the identities included in +> their team. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the IGA project. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------- | ------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) | User profiles | + +## Configure a User Profile + +Configure a user profile by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **General** > + **Profiles** in the left menu. + + ![Home - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. Check whether the profile to configure is part of the provided list. If not, create it by + clicking on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + + ![New Profile](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp) + + - `Identifier`: must be unique among profiles and without any whitespace. + - `Name`: will be displayed in the UI to identify the profile. + + Click on **Create**. + +3. Access the page for profile configuration by clicking on **Workforce** > **Profiles & + Permissions** in the left menu. +4. Follow Identity Manager's instructions for assigning permissions to the profile by clicking on + the appropriate permissions, one by one, selecting if needed their responsibility scope. + + ![Profile Configuration Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp) + +5. Click on **Save** at the top of the page. 
+ + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Profile Configuration + +Before you can see the profile in action, it needs to be assigned to a user. + +See the [Assign Users a Profile](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/user-profile-assignment/index.md) topic for additional +information. + +## Next Steps + +Once user profiles are configured, integrators can start configuring onboarding workflows. See the +[ Create the Workforce Repository ](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for additional +information. diff --git a/docs/identitymanager/6.2/identitymanager/whatsnew/index.md b/docs/identitymanager/6.2/identitymanager/whatsnew/index.md new file mode 100644 index 0000000000..ae323e27e6 --- /dev/null +++ b/docs/identitymanager/6.2/identitymanager/whatsnew/index.md 
@@ -0,0 +1,98 @@ +# What's New + +## New Netwrix Community! + +All Netwrix product announcements and bug fix lists have moved to the new Netwrix Community. See +announcements for Netwrix Identity Manager (formerly Usercube) in the +[Identity Manager](https://community.netwrix.com/c/identitymanager/announcements/150) area of our new +community. + +The following information highlights the new and enhanced features introduced in this Netwrix +Identity Manager (formerly Usercube) version. + +## Netwrix Identity Manager (formerly Usercube) November 25, 2024 + +New: Assigned Roles View + +The new Assigned Roles page provides a role-centric view, displaying the list of users with +permissions in a specified role category and including a downloadable report. This feature is +currently in read-only preview, with additional functionality planned for the next release. See the +[Review Assigned Roles](/docs/identitymanager/6.2/identitymanager/user-guide/administrate/assigned-roles/index.md) topic for additional +information. + +New: Context-Bound Manual Permissions + +Manual permission assignments can now be configured to be tied to a context end date using +‘ManualAssignmentEndDateLockedToContext’. For example, a contractor's manual permissions can be +configured to automatically extend when their contact is extended. See the +[Create a Role Manually](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md), +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +and +[Remove Redundant Assignments](/docs/identitymanager/6.2/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) +topics for additional information. + +New: Suggested Multiple Correlations + +A new option allows multi-correlation resource types to propose correlations with less than 100% +confidence. 
This behavior is controlled by the new boolean ‘SuggestAllCorrellations’. The default +(false) only suggests correlations with 100% confidence, while setting it to true allows +lower-confidence suggestions. See the +[Resource Type](/docs/identitymanager/6.2/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +Enhancement: Access Control and Workflows + +The maximum number of workflow actors is now configurable via the ‘MaxActors’ key in the +‘appsettings.json’ file. The default value of 20 can now be increased up to 50. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Enhancement: Certifications and Risks + +Extra options on certification screens (visible on the "..." button) can now be hidden by setting +**Only allow approving and refusing on access certifications items** to **Yes**. This will leave +only the **Approve** and **Deny** buttons visible. The default setting is **No**. See the +[Configure Global Settings](/docs/identitymanager/6.2/identitymanager/user-guide/set-up/configure-global-settings/index.md) topic for +additional information. + +Enhancement: Connectors and Integrations + +Two new settings, ‘MaxPageSize’ and ‘DefaultPageSize’, have been introduced to control and optimize +API call sizes. See the +[Application Settings](/docs/identitymanager/6.2/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Enhancement: Jobs and Policy + +Manual correlations for resources with multiple correlations can now be performed from the Resource +Reconciliation screen. + +Enhancement: Logs / Performance / Security + +Incompatible C# expressions in the configuration will now be flagged during configuration imports. 
A +new tool, ‘Identity Manager-Check-ExpressionsConsistency’, has been introduced to help identify +incompatible expressions. See the +[Usercube-Check-ExpressionsConsistency](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) +topic for additional information. + +Additional logging has been added to the SAP ERP6 provisioning process. + +For SaaS customers, there are new restrictions on scheduled jobs to enforce best practices. Jobs +that run frequently are blocked unless they follow practices such as using incremental modes instead +of full evaluation modes, evaluating only necessary entity types, and avoiding redundant task +executions. Existing jobs are whitelisted, but new non-compliant jobs will generate errors during +configuration imports. + +Enhancement: UI / UX + +Various user interface improvements, including better tooltips on the Role Review screen. + +Enhancement: Other + +The ‘Identity Manager-Export-Bacpac’ tool now allows finer control over data extraction and +anonymization options. See the +[Usercube-Export-Bacpac](/docs/identitymanager/6.2/identitymanager/integration-guide/executables/references/export-bacpac/index.md) topic +for additional information. + +Additionally, the demo license is no longer included in the Runtime zip file. If you need a license, +please contact [Netwrix Support](https://www.netwrix.com/support.html). diff --git a/docs/usercube/6.2/index.md b/docs/identitymanager/6.2/index.md similarity index 100% rename from docs/usercube/6.2/index.md rename to docs/identitymanager/6.2/index.md diff --git a/docs/usercube/6.2/resources/directory_example_v602.xlsx b/docs/identitymanager/6.2/resources/directory_example_v602.xlsx similarity index 100% rename from docs/usercube/6.2/resources/directory_example_v602.xlsx rename to docs/identitymanager/6.2/resources/directory_example_v602.xlsx 
diff --git a/docs/identitymanager/saas/identitymanager/index.md b/docs/identitymanager/saas/identitymanager/index.md new file mode 100644 index 0000000000..ee2d12b1e7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/index.md @@ -0,0 +1,19 @@ +# A software solution to match your IGA needs + +To learn about Netwrix Identity Manager (formerly Usercube) and build the solution you need, explore +our guides. + +The present documentation mentions the Netwrix Identity Manager (formerly Usercube) application as +simply Identity Manager. + +Identity Manager's guides include: + +- An [Introduction Guide](/docs/identitymanager/saas/identitymanager/introduction-guide/index.md) if you are new to Identity Manager. +- A [User Guide](/docs/identitymanager/saas/identitymanager/user-guide/index.md) to configure Identity Manager from scratch via the UI. +- An [Integration Guide](/docs/identitymanager/saas/identitymanager/integration-guide/index.md) to complete Identity Manager's configuration in + XML according to your needs. +- An [Installation Guide](/docs/identitymanager/saas/identitymanager/installation-guide/index.md) to install Identity Manager in a production + environment. +- A [Migration Guide](/docs/identitymanager/saas/identitymanager/migration-guide/index.md) to upgrade to a new version of Identity Manager. +- [ What's New](/docs/identitymanager/saas/identitymanager/whatsnew/index.md) to get details about specific changes in Identity Manager's + updates. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/index.md new file mode 100644 index 0000000000..466fc831f8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/index.md 
@@ -0,0 +1,19 @@ +# Installation Guide + +This guide is designed to help you install Identity Manager in a production environment. + +## Target Audience + +This guide is intended for **system administrators** and **system architects**. + +Required knowledge includes: + +- Windows Server administration +- Internet Information Services (IIS) administration +- SQL Server administration + +## Overview + +The installation of Identity Manager requires architectural decisions to be made. An +[ Overview ](/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md) of the architecture and available configurations will help you make +informed decisions. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md new file mode 100644 index 0000000000..33749bf313 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md 
@@ -0,0 +1,116 @@ +# Overview + +This section will give you an overview of Identity Manager's components, their requirements and +constraints, and possible interconnection schemes. At the end of this section, you should be able to +choose the installation setup that fits best your organization's needs. + +## Components and Data Flow + +![Components & Data Flow](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/components_data_flow.webp) + +### Components + +Identity Manager's solution includes at least three components. + +#### **1.** Server + +One server handles all of Identity Manager's computing needs, internal database management and +serves the UI as a web application accessible through a browser. + +The SaaS offering hosts the Identity Manager Server in the **Cloud**. This means that the server +needs not be installed within a Identity Manager SaaS installation. + +#### **2.** Database + +One database stores Identity Manager's data. + +With the SaaS offering, the Identity Manager Database is hosted in the **Cloud** and needs not be +installed. + +The port used to access the database depends on the +[database configuration](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-network-configuration?view=sql-server-ver15#database-configuration) +and the +[connectionString](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-8.0) +set in the technical configuration. See the +[Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md) topic for additional +information. + +#### **3.** Agents + +One or several agents perform synchronization and provisioning to/from the managed systems. + +### Data flow + +Identity Manager needs the following data flows to be enabled: + +- The **Server** requires opening connections to the **Database**. 
+- The **Agents** require opening HTTPS connections to the **Server**. +- The **Agents** require accessing **managed systems**. +- All end-users' **browsers** require opening HTTPS connections to the **Server**. +- All end-users' **browsers** require accessing the authentication providers. See the + [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. +- Some end-users' **browsers** require opening HTTPS connections to the **Agents**. + + These connections are used to launch `Jobs` or use the `Reset Password` capabilities of some + connectors. This requirement only applies to a few specific **administrator type profiles**. + +- The **Server** and the **Agent** both need to access an **SMTP server** to + [ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md). + +## SaaS vs. On-Premise + +Identity Manager comes in two flavors: SaaS and On-Premise. + +- The **SaaS** offering only requires the Agent to be installed on your organization network. +- The **On-Premise** offering requires the Agent, the + [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md), and the + [ Install the Database ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/database/index.md) to be installed. + +See the [ Install the Agents](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md) topics for additional information. + +## Hosting Hardware + +Depending on the existing network infrastructure and constraints, Identity Manager's components can +be organized in several ways. + +### Database and Servers + +The Identity Manager Database can be installed on the same workstation as the Identity +Manager Server or run on a separate machine. The second approach is recommended. 
+ +### Server and Agents + +The Identity Manager Server and the Agents can be spread between several workstations. See the +[ Install the Agents](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md) topics for additional information. + +Two scenarios unfold: + +**1.** The server and agents are installed on separate workstations + +This approach is useful when managed systems need to run on separate and isolated networks. + +![Server & Agents isolated](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/distribution_1.webp) + +**2.** The Server and one Agent are installed on the same workstation + +In that case, the Identity Manager Agent can run directly within the Identity Manager Server +process. The hosting workstation would **only host a Identity Manager Server process** (with the +integrated agent) and no separate agent needs to be installed. The database could be installed on +the same workstation or on a separate one. + +![Server & Agent together](/img/product_docs/identitymanager/identitymanager/installation-guide/overview/distribution_2.webp) + +## Authentication + +End-users will be able to access Identity Manager after authentication. Several authentication +methods are available. See the [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for +additional information. + +## Email Server + +Identity Manager sends notifications to users by email. An email server will have to be set up for +the Agent and the Server. See the [ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md) +topic for additional information. + +Before you check out the installation steps, make sure that all the +[Requirements](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/index.md) are met. 
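Review bot: In the "SaaS vs. On-Premise" list of overview/index.md, the On-Premise bullet reads "requires the Agent, the [Install the Server], and the [ Install the Database ] to be installed", so topic titles are standing in for component names. Word it as the components (Agent, Server, Database) and move the two links into a "See the ... topics" sentence, as the line after the list already does for the agent. While there: several link labels carry padding spaces ("[ Overview ]", "[ Send Notifications ]", "[ Install the Agents]"), and the rename left "a Identity Manager SaaS installation" and "only host a Identity Manager Server process", which should read "an Identity Manager ...".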
diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md new file mode 100644 index 0000000000..62c31b7c40 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md 
@@ -0,0 +1,531 @@ +# Install the Agents + +Most on-premises installations use an agent integrated with Identity Manager's server. If this is +your case, and the server is already installed, no need to go further. If, on the other hand, you +need separate agents, or if you are installing Identity Manager's agents within Identity Manager's +SaaS offering, this is the way to go. + +**NOTE:** Please make sure that Identity Manager's agent requirements are met before going further. +See the[ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. + +## Agent Working Directory + +The agent runtime content should be extracted from the runtime archive following the instructions +provided in the [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) topic. + +In the separate agent setup, the agent is usually installed on a different workstation from the +server. + +The agent is configured thanks to the appsettings.agent.json file. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +## Create an IIS Website + +It is recommended to run the Identity Manager agent as an IIS website. + +_Remember,_ to install Identity Manager's agent as a Windows service, see the +[ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. + +Adding Identity Manager's agent as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net/) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. 
+ +The Microsoft Documentation provides the +[prerequisites](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the procedure to +[create a new IIS site](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#create-a-new-iis-site). + +The information needed to go through the creation process are the following: + +- Identity Manager's agent uses an in-process hosting model +- Identity Manager's agent uses .NET +- Identity Manager agent's web.config dwells in the runtime directory + + It might require a few modifications to target the agent instead of the server: + + **Step 1 –** Open web.config with a text editor. + + **Step 2 –** Change the arguments and stdoutLogFile attributes of the `` element as + indicated below: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +- When creating the website, enter the following data: + + **Step 1 –** Site name: Identity Manager Agent`` is the recommended naming + convention + + **Step 2 –** Physical path: /``/Runtime + + **Step 3 –** Type: http + + **Step 4 –** IP address: All unassigned + + **Step 5 –** Port & Hostname: To access Identity Manager's agent. Use the hostname and port that + has been reserved for Identity Manager. + +After creation, the following settings are recommended: + +- **Application Pool** > **Identity Manager ``** > **Advanced Settings** > + **General** > **Start Mode** set to AlwaysRunning; +- **Application Pool** > `Identity Manager ` > **Advanced Settings** > **Process + Model** > **Idle Time-out** (minutes) set to 0 and Load User Profile set to True; +- **Application Pool** > **Identity Manager ``** > **Recycling** > Regular time + intervals set to 0. + + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Identity Manager's features such as the job scheduler. 
IIS + already recycles the application pool at each setting change, thus Netwrix recommends not using + periodic recycling. + +The following is +[mandatory](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0#mandatory): + +- **Application Pool** > **Identity Manager ``** > **Advanced Settings** > + **General** > **.NET CLR Version** > **No Managed Code** + +![IIS Settings](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +This sums up IIS settings. + +## Hosting Bundle + +You need to install the +[dotnet hosting bundle](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) (version 8.0 or +higher) to be able to run dotnet application. + +## Select an Agent Identity + +The agent, through Identity Manager's server IIS Website, should be assigned a service account with +the relevant permissions. See the [ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic +for additional information. + +You can either: + +- Use the built-in application pool identity and grant this identity the right permissions. See the + Install the Agents topic for additional information. +- Use a custom Windows service account with the right permissions and use it as an IIS identity for + Identity Manager's agent IIS Website + +### Check default behavior + +Usually, creating an IIS application pool, such as the one within which Identity Manager's server +website runs, triggers the creation of a service account `IIS APPPOOL/` (where +`` is the application pool name) known as an application pool identity. It is +associated with the IIS website. This account is granted basic group membership that should enable +it to access what it needs. + +For more information about IIS identities, visit the +[Microsoft Documentation](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis). 
+ +Building on this default behavior, the default Application Pool Identity is usually granted the +necessary permissions for Identity Manager's server to operate. + +Before going further, you should check the following points: + +**Step 1 –** Find the group membership of `IIS APPPOOL\`. + +**Step 2 –** Check the permissions on the working directory. Right-click the working directory and +select Security. The group section should contain one of the `IIS APPPOOL/` groups, +namely Users. And, + +**Step 3 –** If the built-in application pool identity has been created but does not have the right +permissions, you can follow the steps outlined in Install the Agents section to fix it. Go back to +the section to make sure that the built-in application pool identity is effectively used by Identity +Manager's server IIS Website. + +**Step 4 –** If you would rather use a custom service account instead of the built-in application +pool identity, start with Install the Agents. + +**Step 5 –** If you're not sure what to do, follow the procedure below, starting with Install the +Agents. + +Once the steps indicated above are completed you can carry on with setting an IIS Identity. + +### Set an IIS Identity + +If you want to use the built-in application pool identity created with the application pool, you can +use +the[ Microsoft documentation](https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities). + +If you would rather use a custom service account created for Identity Manager's agent, follow the +procedure below. + +The following implies that a +[custom service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) +has already been created for Identity Manager's agent. See +the[Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. 
+ +Follow the steps below to set an IIS identity and note that these are the same for the server: + +**Step 1 –** Open the IIS Manager (`INETMGR.MSC`). + +**Step 2 –** Open the **Application Pools** node underneath the machine node. + +**Step 3 –** Select the Identity ManagerAgent/`` application pool. + +**Step 4 –** Right-click and select **Advanced Settings**. + +**Step 5 –** In the **Process Model** section, on the **Identity** list item, click on the three +dots to open the **Application Pool Identity** dialog. + +**Step 6 –** Select the **Custom Account** radio button and click on **Set**. + +**Step 7 –** Enter the Service Account credentials. + +**Step 8 –** Click **OK**. You're all set. + +Identity Manager's server IIS site will now use this identity to access the database and the working +directory. + +## Set the Agent Permissions + +Identity Manager's agent needs specific permissions on its working directory to run, write +synchronization output and read provisioning orders. See the +[Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. + +Up to four folders have to be considered: + +- the working directory +- the runtime directory, usually `C:/identitymanager/Runtime` +- the data collection directory, usually `C:/identitymanager/Temp` +- the provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data + collection directory). + +See the[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Further check the permissions of the service account and perform the steps for each of the relevant +directories: + +**Step 1 –** Go to the working directory parent folder. 
+ +**Step 2 –** Right-click the working directory. + +**Step 3 –** Select **Properties**. + +**Step 4 –** Select **Security**. + +The agent service account selected in the previous step can either: + +- have the necessary permissions or it belongs to a group that does, so no further action is + required +- is missing one of the permissions + +To fix the missing permissions follow the steps: + +**Step 1 –** Click on **Edit**. + +**Step 2 –** Click on **Add**. + +**Step 3 –** In the **Enter the object names to select** textbox, enter the service account name in +the down-level logon format. For example, if you chose the built-in application pool identity, this +would be `IIS APPPOOL/identitymanagerAgent`. + +**Step 4 –** Click on **OK**. + +**Step 5 –** Select the newly added user name in the Group or user names panel at the top of the +window. + +![Object Names](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + +**Step 6 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column for +the others. See the[Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional +information. + +**Step 7 –** Click **OK**. + +The working directory permissions are all set. + +The same steps have to be performed on the runtime, the data collection and the provisioning orders +directories. See the[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +## Name the Agent + +Every agent is assigned a name. 
This name will be used in the UI to differentiate agents for the +end-user, and in the XML configuration to assign connectors to specific agents. + +In the appsettings.agent.json file, the **OpenId** > **AgentIdentifier** can be set to any string +except for Local which is already taken by Identity Manager's inner workings. Then the agent set in +the XML configuration must have the same string as identifier. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +": { +  "AgentIdentifier": "" +  } +``` + +With the following configuration: + +``` + +``` + +## Connect the Agent to the Managed Systems + +The Runtime/appsettings.agent.json file is a technical configuration file that will enable you set +up the connection between the agent and the target managed systems. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +Every agent is associated with an appsettings.agent.json file. + +The integration team should communicate the list of the managed systems to be connected to the +agent, together with their configuration. + +Here is an example of appsettings.agent.json connecting an agent to an Active Directory and an SAP +server. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... 
+  "Connections": { +    "ADExport": { +        "Servers": [ +          { +           "Server": "", +           "BaseDN": "" +          } +        ], +        "AuthType": "", +        "Login": "", +        "Password": "", +        "Filter": "<(objectclass=*)>", +        "EnableSSL": "" +    } +    "": { +        "Server": "", +        "Login": "", +        "Password": "" +    } +  } +} +``` + +_Remember,_ storing sensitive managed system data in configuration files, such as login/password +pairs, is strongly discouraged. Sensitive data should be protected by one of the credentials +protection methods. See the[Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) topic for +additional information. + +## Encryption Key Pair + +Identity Manager's agent needs an +[RSA key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) to perform various encryption +operations, such as source, configuration, or log file encryptions. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the server's host file system. The file contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps) +and +[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (``) bundling a public key certificate +(``) and a private key (``) with OpenSSL, with a +50-year expiration date: + +**Step 1 –** Enter the following command: + +``` +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +**Step 2 –** Enter the following command: + +``` +openssl req -x509 -newkey rsa:1024 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +``` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step 2 in the +frame above. + +The certificate has to be linked to Identity Manager via EncryptionCertificate in the +appsettings.agent.json file. + +See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information about configuration parameters. + +### Certificate as a plain file + +The following parameters are used to link the file to Identity Manager in EncryptionCertificate. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be +[password protected](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#password-protected), +hence the X509KeyFilePassword attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. 
It +should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "": { +      "": "<./identitymanagerContoso.pfx>", +      "": "" +  } +  ... +} +``` + +### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the +recommended method. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "": { +      "":"", +      "": "", +      "": "" +  } +  ... +} +``` + +## Connect the Agent to Server + +The connection to Identity Manager's server can be configured through: + +- The applicationUri attribute in the Runtime/appsettings.agent.json file has to be set to Identity + Manager's server URL + +- OpenIdClients and DefaultOpenIdClient must be used to set the agent's credentials to connect to + the server; See the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + and[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) + topics for additional information. + +Their content should be provided by the integration team, in relation to the OpenIdClient tag in the +applicative configuration. See +the[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +topic for additional information. 
+ +The following example shows an appsettings.agent.json file that sets an agent to connect to Identity +Manager's server (`https://identitymanagerserver.contoso.com`) with the OpenId client identifier `` +and the password ``, stored in the OpenIdClients list which also contains the "admin/secret" +login/password pair. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    .... +    "ApplicationUri": "", +    "OpenIdClients": { +        "Job": "", +        "Admin": "" +     }, +    "DefaultOpenIdClient": "" +} +``` + +_Remember,_ storing plain text passwords in configuration files is strongly discouraged. Sensitive +passwords should be encrypted. + +## Install the Agent as a Windows Service + +Installing Identity Manager's agent as a Windows service instead of an IIS website is mostly useful +when using IIS is rendered moot by another system. For example, using a reverse proxy in front of +Identity Manager's agent. + +To install Identity Manager's agent as a service in Windows server, use the following command: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +sc.exe create Usercube binpath= "" displayname= "" start= auto obj= "" password= "" +``` + +_Remember,_ make sure to include a space between each parameter's equal sign (=) and the parameter +value. + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts Identity Manager's agent only if an +incoming http request is made on the server and the scheduler is not launched until Identity +Manager's agent is started. Because of that, you need to carefully set up the starting mode of IIS +to force the starting of Identity Manager's agent. 
+ +Identity Manager's agent warm up is done using the `` element in the +web.config file, the configuration is described +[here.](https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) + +You need to: + +**Step 1 –** Enable the Application Initialization feature + +**Step 2 –** Modify the applicationHost.config file to set the startMode of the application pool as +AlwaysRunning. You also need to set the preloadEnabled of your application set to true. It is +advised to backup the applicationHost.config file when doing this step to prevent mistakes. + +**Step 3 –** Double check that the following section is set in your web.config file, in the section +system.webServer: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   + + + +``` + +Once done, you need to check that the configured jobs are launched via the Identity Manager's +scheduler without having to manually issue a request on Identity Manager's agent. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## What's Next? + +The last step in the installation process is setting up an Email server. See the +[ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/database/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/database/index.md new file mode 100644 index 0000000000..f5c7fedf4c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/database/index.md 
@@ -0,0 +1,66 @@ +# Install the Database + +The Identity Manager Database can be installed on the Server workstation or on a separate machine. + +Please make sure that the [Database](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md) requirements +are met before going further. + +## Steps + +### 1. Install SQL server + +Microsoft's extensive documentation can be used to get help +[installing a SQL Server 2016 or later](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server). + +### 2. Create the database + +The recommended naming convention is `Usercube`, where `` is the name of +the organization targeted by this installation. + +> **FAQ**: +> [How to create a database in SQL Server?](https://docs.microsoft.com/en-us/sql/relational-databases/databases/create-a-database?view=sql-server-ver15) + +The database name is of no technical importance, but following the naming convention will make it +easier to read the guide. + +### 3. Initialize the database + +The database scheme can be initialized by running the `Usercube.sql` script (found in the +`SQL_.zip` archive) on the newly created database. + +Preferred methods include +[SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +and +[command line](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +#### Example of procedure for SQL Server Management Studio 2019 + +- Open SQL Server Management Studio. +- Connect to your SQL Server instance. +- In the top left corner, select **File** > **Open** > **File**. +- Select the `Usercube.sql` file. +- Open the file. The file is now open in the main SQL Server Management Studio window. +- Locate the database name dropdown, next to the **Execute** button in the top left section of the + screen. 
+ +![Execute Query](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/database/execute_query.webp) + +- From the dropdown, select the newly created database. +- Click **Execute**. + +#### Example using the sqlcmd CLI + +``` +sqlcmd -S \ -d Usercube -i +``` + +## What's Next? + +The next step will consist in: + +- Setting up the Identity Manager Server as an IIS website. +- Creating a custom service account. +- Granting the necessary database permissions for this account. + +It will also show how to test the Identity Manager Database connection. See the +[Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md new file mode 100644 index 0000000000..3a94931ec1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md 
@@ -0,0 +1,102 @@ +# Send Notifications + +An SMTP server is used by the Identity Manager Server to send notification emails to its users, and +by the Identity Manager Agent to send Reset Password emails. + +## Email Delivery + +### Via a local SMTP server and the pickup directory + +Both the Agent and the Server can send emails using a **local SMTP server** with Microsoft's +**Pickup Directory** feature. + +**Pickup Directory** is a feature offered by most of Microsoft's SMTP services, such as IIS SMTP +service or Microsoft Exchange Server. + +The pickup directory helps reducing network overhead by eliminating SMTP traffic between +applications, such as the Identity Manager Server or Identity Manager Agent, and SMTP servers. It is +particularly useful when using emails as notifications. + +To send an email, an application usually communicates with an SMTP server via the SMTP protocol. In +the real world, email notifications generate a lot of traffic on the organization network. This +extra traffic can be avoided by having applications (such as the Identity Manager Server or Identity +Manager Agent) write emails as local files in a local directory instead of sending SMTP packets. + +The SMTP server will then periodically check the directory and send any email found in it. The SMTP +exchange between the applications and the SMTP server is replaced by file writing and reading. + +The directory where clients write emails as files is called the **pickup directory**. + +### Via an external SMTP server + +Both the Agent and the Server can get their emails delivered through an **external** SMTP server. + +## Server Emails + +The SMTP server used by the Identity Manager Server is configured in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md). + +Here is an example with an external SMTP server. + +``` + +appsettings.json + +{ + ... 
+ "MailSettings": { + "Host": "smtp.contoso.com", + "FromAddress": "no-reply@contoso.com" + } +} + +``` + +The **Host** attribute is the hostname or IP address of an external SMTP server. You can also +specify a directory path instead, that would be the **pickup directory** of your **local** SMTP +server. + +You can also input a **UserName** and **Password** if the SMTP server requires Identity Manager to +authenticate to send emails. + +## Agent Emails + +From the agent side, the email settings dwell in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +file. + +Here is a classic example that enables Identity Manager to send emails through the +_smtp.contoso.com_ server using _[no-reply@contoso.com](mailto:no-reply@contoso.com)_ as the sender +address. The Identity Manager Agent will authenticate to the SMTP server with the _contosoIdentity +Manager_ login. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "Host":"smtp.contoso.com", + "Port":993, + "Username": "contosousercube", + "Password": "secret" + } + +``` + +If you'd rather use a **local** SMTP server with **pickup directory**, _Host_, _Port_, _Username_ +and _Password_ won't be needed. + +``` + +"MailSettings": { + "FromAddress": "no-reply@contoso.com", + "UseSpecifiedPickupDirectory": true, + "PickupDirectory": "C:/Temp/identitymanagerContosoPickup", + } + +``` + +## That's It! + +Now, you're all set to start using Identity Manager. + +Enjoy the benefits of your new Identity and Access Management solution. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/index.md new file mode 100644 index 0000000000..4e1486ab79 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/index.md 
@@ -0,0 +1,35 @@ +# Production-Ready Installation + +This guide leads the reader through the steps to install Identity Manager for production purposes. + +**1.\_\_**Before proceeding\_\_, you should go through the [ Overview ](/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md) and +[Requirements](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/index.md) sections to make fundamental decisions about Identity +Manager setup, including: + +- Whether to install the database within the Identity Manager Server or on a separated workstation. +- How many Agents will be installed? +- If only one Agent is installed, whether to install it as an integrated agent or a separate agent. +- What end-user authentication methods are to be used? +- What hosting environment is used for the Agent and the Server? + +**2.** You should **get the following archives ready**: + +- Identity Manager runtime: `runtime_.zip` +- Identity Manager database scheme: `Usercube.sql` from the `SQL_.zip` + +**3.** This guide is **based on the following choices**: + +- Identity Manager Server running with IIS +- Identity Manager Database connection with Windows authentication + +This guide will allow you to **extrapolate** less common configurations and will provide links to +the relevant [Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md) +sections. + +Our examples use the fabled +[Contoso Corporation](https://docs.microsoft.com/en-us/microsoft-365/enterprise/contoso-overview?view=o365-worldwide) +as target organization. + +## What's Next? + +The first step consists in [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md). 
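Review bot: The first numbered item in the Production-Ready Installation page is written `**1.\_\_**Before proceeding\_\_,`, so the emphasis markers are escaped and will render as literal underscores; it should follow the pattern of items 2 and 3, that is `**1.** **Before proceeding**, you should ...`. The archive names `runtime_.zip` and `SQL_.zip` have also lost their placeholder after the underscore, so the reader cannot tell which part of the file name varies. The decision list mixes statements and questions ("Whether to install ...", "How many Agents will be installed?") and would read better with parallel wording.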
diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md new file mode 100644 index 0000000000..744c6bacaa --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md 
@@ -0,0 +1,531 @@ +# Install the Server + +**NOTE:** If you are a SaaS client this topic does not apply. You can skip directly to end user +authentication. See the Set up End-User Authentication topic for additional information. + +Identity Manager Server can be installed on the same workstation as the database or on a separate +workstation. If Identity Manager is installed on a separate workstation, it requires the SQL +PowerShell components to function properly. + +Please make sure that the server requirements are met before going further. See the +[Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. + +## Server Working Directory + +The server executable is beeing been extracted to the working directory as `Usercube-Server.exe` and +`Usercube-Server.dll` and will enable a user or IIS to run the Identity Manager Server. See the +[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) topic for additional information. + +## Set up the License Key + +The license key provided by Identity Manager must be set up in the **appsetting.json** > **License +attribute**. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +## Create an IIS Website + +It is recommended to run the Identity Manager Server as an IIS website. + +To install the Identity Manager Server as a Windows service, please jump to Install the Server as a +Windows Service. See the Install the Server topic for additional information. + +Adding the Identity Manager Server as an IIS website can be achieved with the +[Internet Information Services (IIS) Manager](https://www.iis.net) which can be launched with the +`INETMGR.MSC` command. You need to have an IIS 10.0 or greater. 
+ +An IIS website must be created using the +[Microsoft guide](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-8.0) +and the following parameters: + +- Site name: `Usercube` is the recommended naming convention +- Physical path — `//Runtime` +- Type — `http` +- IP address — `All unassigned` +- Port & Hostname — To access the Identity Manager Server and the UI. Use the hostname and port that + has been reserved for Identity Manager. + +During installation, the following information guides some of your choices: + +- The Identity Manager Server uses an in-process hosting model +- Identity Manager Server's `web.config` can be found in the `Runtime` folder +- The Identity Manager Server uses .NET + +After creation, the following settings are recommended: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > Start Mode + set to `AlwaysRunning`; +- **Application Pool** > `Usercube` > **Advanced Settings** > **Process Model** > Idle + Time-out (minutes) set to `0` and Load User Profile set to `True`; +- **Application Pool** > `Usercube` > **Recycling** > Regular time intervals set to + `0`. + + Recycling the application pool creates a discontinuation in the connection between server and + agent, which can disrupt some of Identity Manager's features such as the job scheduler. IIS + already recycles the application pool at each setting change, thus Netwrix Identity Manager + (formerly Usercube) recommends not using periodic recycling. + +The following is mandatory: + +- **Application Pool** > `Usercube` > **Advanced Settings** > **General** > .NET CLR + Version > `No Managed Code` + +![IIS Settings](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/iis_settings.webp) + +An SSL Certificate should also be set to the IIS Server to perform HTTPS communication with +end-users. 
+ +## Hosting Bundle + +You need to install the dotnet hosting bundle (version 8.0 or higher) to be able to run dotnet +application. + +## Select a Server Identity + +The Identity Manager Server, through the IIS Website, should be assigned a service account with the +relevant permissions. + +### Create the service account + +This section requires using an Active Directory account with sufficient privileges to create service +accounts on the domain. + +To create a service account you need to perform the following steps: + +**Step 1 –** Log on to a Windows server in the target domain environment. You should use an account +with the necessary permissions to create new domain accounts. + +**NOTE:** The target domain is the domain where SQL Server is installed. + +**Step 2 –** Access the _Active Directory User and Computers_ tool with the command `dsa.mc`. + +**Step 3 –** Select the target domain and Click on **Users**. From the users list, right-click to +select **New** > **User**. + +**Step 4 –** Choose a mnemonic _First Name_ for the Identity Manager Server, as for example +`UsercubeContosoServer`, and click **Next**. + +_Remember,_ the down-level log on name in the format `DOMAIN/userName`,.as for example +`CONTOSO/identitymanagerContosoServer`. + +**Step 5 –** Set a password and remember it for later, check the boxes **User cannot change +password** and **Password never expires**. + +This newly created service account is a domain account and will be used as an IIS identity. + +**NOTE:** You can go further and use Managed Service Account to avoid dealing with the service +account password update yourself and let Windows worry about it. This feature requires installing +Identity Manager on Windows Server 2016 or later, and using an Active Directory with a forest level +set to Windows Server 2016 or later. + +### Set an IIS identity + +The following implies that a custom service account has already been created for the Identity +Manager Server. 
+ +To set an IIS identity you need to perform the following steps: + +**Step 1 –** Open the IIS Manager (`INETMGR.MSC`) and then the **Application Pools** node underneath +the machine node. + +**Step 2 –** Select the `Usercube/` application pool and right-click and select +**Advanced Settings**. + +**Step 3 –** In the **Process Model** section, on the **Identity** list item, click on the three +dots to open the **Application Pool Identity** dialog. + +**Step 4 –** Select the **Custom Account** radio button and click on **Set** and enter the +previously created Service Account credentials: + +- User name in the format `DOMAIN/userName` that you have previously written down +- Password, previously remembered + +**Step 5 –** Click **OK**. You're all set. + +The Identity Manager Server IIS site will now use this identity to access the database and the +working directory. + +## Set-up Permissions + +The Server permissions include the database and working directory. + +### Set- up the database permissions + +The service account used by the Server to access the database needs the following database-level +roles in SQL Server: + +- `Public` +- `Dbowner` + +And the `Administer bulk operations` server-level role. + +This guide will show you how to perform these operations using SQL Server Management Studio: + +**Step 1 –** Open SQL Server Management Studio (SSMS) and log in to access the server on which runs +the Identity Manager Database with an account member of the **sysadmin** or **securityadmin** +server-level role. + +![New Login](/img/product_docs/accessanalyzer/install/application/newlogin.webp) + +**Step 2 –** Expand the **Security** and **Login** nodes, and look for the Identity Manager service +account in the list. + +If you cannot find the service account click on the **Login** node, right-click and select **New** > +**Login**. 
+ +**Step 3 –** On the **General** page, enter the service account login name in the down-level logon +format, such as `CONTOSO/identitymanagerContosoServer`. If you're not sure about the correct spelling of +your service account or domain, you can search for it using the search window. From the **Login** +node, right-click and select **New login** > **Login name** > **Search**. + +**Step 4 –** Choose either**Windows authentication** if you chose to connect the server to the +database with a Windows service account (Integrated Security=SSPI in the connection string) or a +**SQL Server authentication** for a SQL Server account (if you set up the connection string with a +login/password). In the SQL case, fill in the same password in the form as in the connection string. +You should now see the newly created login in the Login list. + +**Step 5 –** From the **Login** node, right-click the newly created login and select **Properties** +then go to the **Server Roles** page on the left and make sure **public** is checked. + +**Step 6 –** Go to **User Mapping**and make sure `Usercube/` is checked (top panel), +as well as **db_owner** and **public** (bottom panel). + +![Bulk](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/bulk.webp) + +**Step 7 –** Right-click the **Server** root node and select **Properties**, and in the +**Permissions** tab, select the service account or group name. + +**Step 8 –** Grant the **Administer bulk operations** permission. and confirm with **OK**. + +Identity Manager Server now has the required permissions to access the database. + +### Set the working directory permissions + +The Identity Manager Server needs specific permissions on the working directory to run, read +synchronization output, and write provisioning orders. See the +[Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. 
+ +Up to four folders have to be considered: + +- The working directory +- The runtime directory, usually `C:/identitymanager/Runtime` +- The data collection directory, usually `C:/identitymanager/Temp` +- The provisioning orders directory, usually `C:/identitymanager/Temp` (same as for the data + collection directory). + +See the [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +The following steps can be performed for each of the relevant directories. + +First, let's check what permissions the service account already has. + +To do so go to the working directory parent folder, right-click the working directory, select +**Properties** and then select **Security**. + +From there, you have two choices. + +The Identity Manager Server service account that was chosen previously: + +- Already has or belongs to a group that already has the needed permissions. There is nothing more + to do +- Is missing one of the needed permissions and you need to perform the steps underlined below: + + **Step 1 –** Click on **Edit** and then on **Add**. + + ![Object Names](/img/product_docs/identitymanager/identitymanager/installation-guide/production-ready/server/enter-the-object-names-to-select.webp) + + **Step 2 –** In the **Enter the object names to select** textbox, enter the service account name + in the down-level log on format, such as `CONTOSO/identitymanagerContosoServer`, then click **OK**. + + **Step 3 –** Select the newly added user name in the **Group or user names** panel at the top of + the window. + + **Step 4 –** Check the **Allow** column for the relevant permissions. Check the **Deny** column + for the others, and then **OK**. + +The working directory permissions are all set. 
+ +The same steps have to be performed on the runtime, the data collection and the provisioning orders +directories. See the [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +## Encryption and Authentication Key Pairs + +The Identity Manager Server requires an RSA-2048 encryption key pair to perform various encryption +operations, such as source, configuration, or log file encryptions. Identity Manager's Identity +Server also needs an RSA-2048 authentication key pair for end-user authentication purposes. + +These certificates don't need to be integrated into the target organization's Public Key +Infrastructure (PKI) and don't require an expiration date. They're only relevant to specific +Identity Manager temporary data and can be changed at any time. + +Each RSA key pair, as in an [X.509](https://en.wikipedia.org/wiki/X.509) public key certificate and +a private key, can be stored one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called Personal Information + Exchange file or `.pfx` file) stored in the Server's host file system. The file contains both the + public key certificate and the private key. +- As a certificate from a Windows' certificate store identified by SubjectDistinguishedName or by + Thumbprint. The Windows certificate also contains both the public key certificate and the private + key. This is the recommended method. 
+ +The key pairs can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps), and [pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +Here's an example showing how to generate a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) +archive (`UsercubeContoso.pfx`) bundling a public key certificate (`usercubecontoso.cert`) and an +RSA-2048 private key (`usercubecontoso.key`) with OpenSSL, with a 50-year expiration date: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +1. +openssl req -x509 -newkey rsa:2048 -keyout usercubecontoso.key -out usercubecontoso.cert -days 18250 +2.  +openssl pkcs12 -export -out UsercubeContoso.pfx -inkey usercubecontoso.key -in usercubecontoso.cert + +``` + +Public key certificates can also be bought from trusted certificate providers and bundled with a +private key into a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive using step **2** in the +frame above. + +### Generate and use an encryption key pair + +This is the key pair used to perform various encryption operations, such as source, configuration, +or log file encryptions. + +**Step 1 –** Generate a key pair using the OpenSSL method. + +**Step 2 –** Store the key pair as a `.pfx` file or use the Windows +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) +(recommended). + +**Step 3 –** Link the generated certificate to Identity Manager. + +### Generate and use an identity server key pair + +This is the key pair used by the Identity Server for end-user authentication purposes. + +**Step 1 –** Generate a key pair using the OpenSSL method. 
+ +**Step 2 –** Store the key pair as a .`pfx` file or use the Windows +[certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in#certificate-store) +(recommended). + +**Step 3 –** Link the generated certificate to Identity Manager. + +#### Certificate as a plain file + +The following parameters are used to link the file to Identity Manager in the `IdentityServer` +section. + +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive can be password protected, hence the +`X509KeyFilePassword` attribute. + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. +The password should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "IdentityServer": { +      "X509KeyFilePath": "./identitymanagerContoso.pfx", +      "X509KeyFilePassword": "eff@%fmel/" +  } +  ... +} +``` + +#### Certificate in the certificate store + +The certificate can be stored in the certificate store instead of the file system. This is the +recommended method. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "IdentityServer": { +      "X509SubjectDistinguishedName":"UsercubeContoso", +      "X509StoreLocation": "LocalMachine", +      "X509StoreName": "AuthRoot" +    } +  ... +} +``` + +## Connect the Server to the Database + +Now that the Identity Manager Server has been provided with a service account with the right +permissions, let's finalize the setup. 
+ +The connection between the Server and the Database requires choosing an authentication method: +[Windows Authentication](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15#windows-authentication) +or SQL Server authentication. See the +[ Connection to the Database ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md) +and +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topics for additional information. Windows authentication will require the IIS identity to be set to +the custom Windows service account used to log in to the Identity Manager's Windows Server session. +SQL authentication will work with both the _built-in_ app pool identity and a custom service +account. This authentication method will write the login and password directly in the connection +string. + +`Runtime/appsettings.json` is a technical configuration file that enables you to set up the +connection between the Server and the Database through the ConnectionString attribute. See the +[Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md) topic for +additional information. + +The connection string is set up in the `Runtime/appsettings.json` configuration file which can be +edited with any text editor, such as [Notepad++](https://notepad-plus-plus.org/downloads/). + +If the SQL Server is hosted on Azure, you should use the AzureCredentials setting before going +further. 
+ +In the`Runtime/appsettings.json` file, find or write the `ConnectionString` attributes following the +examples shown below: + +The first example sets a connection string using the Windows authentication +(`Integrated Security=SSPI`) to connect, on a local SQL Server system (`source=.`), to the +`UsercubeContoso` database. See the + +The service account used by the Server to access the Database is either: + +- A Windows account if the connection string was set up using `Integrated Security=SSPI`. +- A SQL Server account if the connection string was set up with a login/password. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +... +"ConnectionString": "data source=.;Database=UsercubeContoso;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +... +} + +``` + +The second example sets a connection string using the SQL Server authentication. +`CONTOSO/identitymanagerContosoServer` has been set as the Identity Manager Server IIS website identity. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +... +"ConnectionString": "data source=.;Database=Usercube;User Id=CONTOSO/identitymanagerContosoServer;Password=myPassword;Min Pool Size=10;encrypt=false;" +... +} + +``` + +**_RECOMMENDED:_** SQL Server authentication stores plain text credentials in the configuration +file. This is strongly discouraged. To avoid storing plain text credentials, you should always +strive to use Windows authentication or encrypt sensitive setting values such as the connection +string. + +## SSL Certificate + +The Identity ManagerServer requires the use of an SSL Certificate trusted by all the target +end-users' browsers. 
The standard setup is to use a certificate signed by the target organization's +PKI root Certificate Authority and import the certificate into the end-user's Windows Store. + +This can be achieved using the +[Microsoft Management Console (MMC)](https://en.wikipedia.org/wiki/Microsoft_Management_Console). +See the +[View certificates with the MMC](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) +for additional information. + +## DNS + +Your organization's DNS needs to be updated according to the requirements indicated in Hostname and +DNS. See the [Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional +information. + +## Test Your Installation + +In order to test your installation you must: + +**Step 1 –** Make sure the IIS site is running. + +**Step 2 –** Go to the following URL with a browser: `:/hc` with the hostname and +port set up in Create an IIS website. See the Install the Server topic for additional information. + +**Step 3 –** The Identity Manager Server is trying to access the Database. If it succeeds, the +message **Healthy** should be displayed in the browser. + +## Configure the Starting Mode in IIS (optional) + +This step is important if the scheduler is enabled. IIS starts the Identity Manager Server only if +an incoming http request is made on the server and the scheduler is not launched until the Identity +Manager Server is started. Because of that, you need to carefully set up the starting mode of IIS to +force the starting of the Identity Manager Server. + +The Identity Manager Server warm up is done using the `` element in the +web.config file, the configuration is described in the +[Microsoft documentation](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization). 
+ +You need to: + +- Enable the **Application Initialization** feature +- Modify the **applicationHost.config** file to set the **startMode** of the application pool as + **AlwaysRunning**. You also need to set the preloadEnabled of your application set to true. It is + advised to backup the **applicationHost.config** file when doing this step to prevent mistakes. +- Double check that the following section is set in your web.config file, in the section + system.webServer: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   + +``` + +Once done, you need to check that the configured jobs are launched via the Identity Manager's +scheduler without having to manually issue a request on the Identity Manager Server. + +If this is not correctly configured, any restart of your IIS or application pool could prevent jobs +from being launched. + +## Set up End-User Authentication + +The next step consists in setting up one or more authentication methods for end-users. You may +choose one or several external authentication providers among the following: + +- [OpenId Connect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication) + +Everything you need to know about setting up authentication is provided in the Technical +Configuration Guide. See the +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. + +## What's Next? + +Install the Agent is the next step of the process. 
See the [ Install the Agents](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/agent/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md new file mode 100644 index 0000000000..db8e647e21 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md 
@@ -0,0 +1,57 @@ +# Create a Working Directory + +The working directory is a simple Windows directory where Identity Manager's Server and/or Agent +executable(s) and dependencies are stored on the workstation. This section shows how to set up the +directory for the rest of the installation and Identity Manager's lifespan. + +The following steps are to be performed on the Server workstation. They will also have to be +executed on the Agent workstation if a separate Agent setup has been chosen. + +## Steps + +### 1. Create the working directory + +The recommended naming convention is `C:/identitymanager`, where `` is the name +of the organization targeted by this installation. + +### 2. Extract the content of the runtime archive + +Extract the content of the `Runtime` archive into a `Runtime` folder in the newly created working +directory. + +### 3. Create a new empty folder in the working directory + +The folder will be used by the Server and Agent to write and read synchronization files and +provisioning orders. Job logs are usually found here. It is usually named `Temp` and is referenced +in the technical configuration files. + +The working directory structure should now resemble the following: + +``` +??UsercubeXXX + ? ??Temp + ? ??Runtime + ? ? ??wwwroot + ? ? ... + ? ? ??Usercube-Server.exe + ? ? ??Usercube-Agent.exe + ? ? ... + ? ? ??appsettings.agent.json + ? ? ??appsettings.cyberArk.agent.json + ? ? ??appsettings.encrypted.agent.json + ? ? ??appsettings.json + +``` + +`Runtime` contains Identity Manager executables and configuration files, including: + +- `Usercube-Server.exe`: the Identity Manager Server executable, which also contains an Agent. +- `Usercube-Agent.exe`: the separate Identity Manager Agent executable, that will be used only if + you choose to install a separate agent. +- `appsettings.*.json`: + [Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md). + +## What's Next? 
+ +Next section shows how to install the Identity Manager Database. See the +[ Install the Database ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/database/index.md)topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/quick-start/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/quick-start/index.md new file mode 100644 index 0000000000..9439fc21eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/quick-start/index.md 
@@ -0,0 +1,91 @@ +# Quick Start Guide + +This guide leads the reader through the steps to quickly install Identity Manager's bootstrap +version. + +## Prerequisites + +The installation of Identity Manager requires: + +- A certificate named Usercube.pfx + ([see the Microsoft tool to create a self-signed certificate](https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps)) + + If the certificate is named something other than Usercube.pfx, remember to change the name in + the Runtime/appsettings.json file too. + +- [Database](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md)-related specifications + +## Install the Bootstrap Version + +**Step 1 –** Go on the Netwrix Identity Manager (formerly Usercube) +[portal](https://www.netwrix.com/sign_in.html?rf=my_products.html) and download the artifacts of the +expected version. + +![Extranet Artifacts](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/extranet_v601.webp) + +**Step 2 –** Extract from SDK the folder Identity Manager Bootstrap anywhere on the computer. + +**Step 3 –** Extract the content of Runtime to Identity Manager Bootstrap. + +When extracting Identity Manager Bootstrap to the root of the computer, it looks like: + +![Project Directory](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/directory_v602.webp) + +**Step 4 –** Move or copy your certificate inside the Runtime folder. + +**Step 5 –** Create a Sources folder in Identity Manager Bootstrap. + +_Remember,_ if you don't have the Identity Manager Bootstrap folder or if you don't create the +Sources folder, the Path in the Directory connection in the Runtime/appsettings.agent.json must be +adapted. Note that you don't need to have a Directory.xlsx file at the location described by this +Path for now. + +**Step 6 –** Create a database named Identity Manager, using the default options. 
+ +**NOTE:** When using a database server other than Microsoft SQL Server or a different database name, +remember to change the connection string accordingly, in the Runtime/appsettings.json file and in +the future command lines. + +**Step 7 –** Execute the Runtime/identitymanager.sql file in the database. + +**Step 8 –** Open a command prompt and deploy the configuration. See +the[ Usercube-Deploy Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) +topic for additional information. + +In our example, the command would be, in the Runtime folder: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -s "" -d "" +``` + +**Step 9 –** Launch the server. See the +[Usercube-Server ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md) topic for +additional information. + +In our example, the command would be, still in the Runtime folder: + +``` +./identitymanager-Server.exe +``` + +**Step 10 –** Open a browser and navigate to http://localhost:5000. Authenticate with administrator +as a username and the password specified in the Runtime/appsettings.json file, in the Authentication +section. + +![Authentication Dialog](/img/product_docs/identitymanager/identitymanager/installation-guide/quick-start/authentication_v601.webp) + +Now you can start using the application. + +## Next Steps + +From there, you can start setting up Identity Manager via the **Settings** page which is accessible +from the **Configuration** section of the home page. 
+ +![Home Page - Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +Then, Netwrix Identity Manager (formerly Usercube) recommends following the user guide to start the +configuration of your IGA project from scratch. See the [User Guide](/docs/identitymanager/saas/identitymanager/user-guide/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md new file mode 100644 index 0000000000..63e82ba84b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md 
@@ -0,0 +1,153 @@ +# Agent + +This section identifies the requirements for an Identity Manager agent. + +## Software + +The agent is a .NET application. + +Running an agent requires installing the +[Windows hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + +## Hosting + +When used separated from the server, the agent can be run as: + +- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended) +- A + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications) +- A stand-alone executable for tests or debugging purposes + +### Integrated agent + +Some installations require multiple separate agents, but most of them use a single integrated agent +that runs within the Identity Manager server process. In that case, the server executable contains +the agents and no agent executable needs to be executed. It means that if a Identity Manager server +is already installed, no further installation is required. + +In this case, the agent working directory is the same as the server working directory, and both the +agent's and server's `appsettings` share the same configuration. The `appsettings.agent` +configuration set is still configured through environment variables or via a separate +`appsettings.agent.json` file stored next to the `Usercube-Server.exe` executable, in the common +working directory. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topics for additional information. 
+ +## Service Accounts + +The agent should be assigned a +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +It can be either the IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis), +or a custom +[Windows Server service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). + +### Working directory permissions + +The agent's service account needs specific permissions presented in the +[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) topic as: + +- _Read_, _Modify_, and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually + `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_, _Modify_, and _List folder contents_ on the directory for provisioning orders, whose path + depends on the `Work` folder's path; +- _Read_, _Modify_, _List folder contents_, and _Write_ on the directory for data collection, whose + path depends on the `Work` folder's path. + +See the [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Other permissions should be denied. + +> **FAQ**: How to set up directory permissions in Windows Server? 
See the +> [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +### Managed systems' permissions + +Every Identity Manager agent needs one or several service accounts on the target managed systems, +able to read and write to said managed systems. + +> For example, using Identity Manager with an Active Directory instance requires the agent to be +> assigned an Active Directory service account that can read, write, change users' passwords, update +> group memberships, and synchronize the whole Active Directory. + +Before going further, make sure the integration team has provided: + +- The list of all managed systems +- Service accounts with the necessary permissions for the agent to perform _Read_ and/or _Write_ + operations on the systems associated with a connector allowing respectively synchronization and/or + provisioning; See the [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) topic for + additional information. +- service accounts' credentials + +Managed systems credentials are stored in the `appsettings.agent` configuration set and can be +protected. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +and [ Modules ](/docs/identitymanager/saas/identitymanager/integration-guide/modules/index.md) topics for additional information. + +### Database permissions + +The agent needs a service account that can authenticate to SQL Server. + +## Hostname and DNS + +The agent needs to be assigned a hostname within the organization's domain. End-user browsers must +be able to resolve the agent's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). 
+ +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The agent requires the use of HTTPS ports and an SSL certificate in order to perform HTTPS +communication with the server. + +## Emails + +The agent needs access to an SMTP server to +[ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md). + +## Encryption Key Pair + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for the agent in order to perform various encryption operations, such as source, configuration, or +log file encryptions; + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Identity Manager data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) +and +[pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? + +To start the installation, follow either the [ Quick Start Guide](/docs/identitymanager/saas/identitymanager/installation-guide/quick-start/index.md) or the +[Production-Ready Installation](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/index.md). diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md new file mode 100644 index 0000000000..353ebb820f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md 
@@ -0,0 +1,119 @@ +# Database + +This section identifies hardware and software requirements for Identity Manager's database. + +## Hardware + +The database disk storage requirements depend on multiple factors as the database lifespan and the +number of entries, for example 100,000 users can take up appropriately 10 GB of storage + +**NOTE:** The maximum SQL Express database is 10 GB. + +## Software + +Identity Manager uses a +[SQL Server database](https://www.microsoft.com/en-us/sql-server/sql-server-2019) and supports SQL +Server 2016 or later. + +The +[database requirements](https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server?view=sql-server-ver15) +may depend on the chosen SQL Server edition and version. + +### Recommended features + +The following features are also highly recommended: + +- [Always On availability groups](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server): + only available in the Enterprise edition of SQL Server 2016 or later + + > **FAQ**: + > [How to enable Always On availability groups in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server?view=sql-server-ver15) + +- [Database Mirroring](https://docs.microsoft.com/en-us//sql/database-engine/database-mirroring/database-mirroring-sql-server?view=sqlallproducts-allversions): + available in all editions of SQL Server 2016 or later + + > **FAQ**: + > [How to enable database mirroring in SQL Server?](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/setting-up-database-mirroring-sql-server?view=sql-server-ver15) + +- [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + + The data history feature introduced in Identity Manager v5.1.0, might cause some 
tables to grow + significantly. + + Database performance is greatly improved by enabling the + [Table Partitioning](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/partitioned-tables-and-indexes?view=sql-server-ver15) + feature for the `UR_Resource` and `UP_Assigned*` tables: + + | `UP_Assigned*` Tables | + | -------------------------- | + | UP_AssignedResourceTypes | + | UP_AssignedSingleRoles | + | UP_AssignedCompositeRoles | + | UP_AssignedNavigationRules | + | UP_AssignedScalarRules | + + This feature is available and enabled by default in SQL Server 2016 or later. + + > **FAQ**: + > [How to create partitioned tables and indexes?](https://docs.microsoft.com/en-us/sql/relational-databases/partitions/create-partitioned-tables-and-indexes?view=sql-server-ver15) + +### Additional tools + +The installation and setup of the database require using either +[SQL server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) +or the +[`sqlcmd` command line tool](https://docs.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver15). + +## SQL Server Authentication + +Identity Manager can authenticate to SQL Server using either a SQL Server authentication login or a +Windows authentication login. + +Netwrix recommends using the +[Windows authentication login](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) +to avoid storing a plain text password in the technical configuration files. + +## SQL Server Roles + +The database administrator must be able to assign the following roles to the service account used by +Identity Manager to access the SQL Server database: + +- `db_owner` which is a + [database-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15). 
+ This role grants its owner the authorization to perform all configuration and maintenance + activities on the database, and to drop the database in SQL Server. +- `bulkadmin` which is a + [server-level role](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-ver15). + This role grants its owner the authorization to perform bulk operations on the database. + + Although `bulkadmin` is a server-level role, it still requires Identity Manager to have + database-level permissions granted by the `db_owner` role. It means that bulk operations can be + performed on the database only if Identity Manager has been granted the `db_owner` role. + + Granting `bulkadmin` role to the server's service account requires access to an account member + of the `sysadmin` or `securityadmin` server-level role on the target SQL Server. See the + [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +For more information about identity and permission management in SQL Server, see +[Microsoft's documentation](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15). + +## Shared SQL Server and Dedicated Database + +Identity Manager's SQL Server installation can be used to host other database applications. + +Identity Manager's database itself must be used exclusively for Identity Manager. + +## Connection to the Server + +SQL feed must be open from Identity Manager's server to SQL Server. + +## Optimization + +The +[max degree of parallelism (MAXDOP)](https://learn.microsoft.com/en-us/azure/azure-sql/database/configure-max-degree-of-parallelism?view=azuresql-db) +must be set to 1 in the SQL database. + +## What's Next? + +Let's move on to the requirements for Identity Manager's server. 
See the +[Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/requirements/device-requirements/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/device-requirements/index.md new file mode 100644 index 0000000000..d1f783ea86 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/device-requirements/index.md 
@@ -0,0 +1,47 @@ +# Integration Device + +This section identifies the requirements for the Saas installation of Identity Manager. For the +requirements of on premise installation see the Integration Device topic in the Identity Manager 6.0 +or 6.1 +[Netwrix Identity Manager (formerly Usercube) Help Center](https://helpcenter.netwrix.com/category/identitymanager) +for additional information. + +## Hardware + +No matter whether the machine is virtual or physical, running a Identity Manager server or agent +requires at least 8 GB of RAM, 20 GB of disk storage, and a dual-core CPU. + +**NOTE:** Netwrix Identity Manager (formerly Usercube) recommends a 4-core CPU if SQL server is +installed on this device. + +## Software + +[.NET version 8.0](https://dotnet.microsoft.com/en-us/download/dotnet/8.0/runtime) or higher must be +installed. + +Microsoft Excel must be installed. + +A web browser must be accessible to test the future installation. Identity Manager's UI supports all +popular browsers: + +- Google Chrome (latest 2 versions) +- Mozilla Firefox (latest 2 versions) +- Apple Safari (latest 2 versions) +- Microsoft Edge Chromium + +## Administrator Account + +A Windows local administrator account is required to install the server and agent on the target +Windows Server workstation. + +## Additional Recommendations + +A not-so-minimalist text editor such as [Notepad++](https://notepad-plus-plus.org/downloads/) can be +useful to comfortably edit network configuration files. See the +[Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md)topic for +additional information. + +## What's Next? + +Let's move on to the requirements for Identity Manager's database. See +the[Database](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md)topic for additional information. 
diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/requirements/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/index.md new file mode 100644 index 0000000000..ab42ee6d5b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/index.md @@ -0,0 +1,8 @@ +# Requirements + +This section identifies hardware and software requirements for each Identity Manager component: + +- [Integration Device](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/device-requirements/index.md) +- [Database](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md) +- [Server](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md) +- [ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md new file mode 100644 index 0000000000..c80f314d45 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/requirements/server-requirements/index.md 
@@ -0,0 +1,144 @@ +# Server + +This section identifies software requirements for Identity Manager's server. + +## License Key + +The server requires a license key provided by Netwrix Identity Manager (formerly Usercube). See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +## Software + +The server is a .NET application. + +Running the server requires installing the +[Windows hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + +## Hosting + +The server can be run as: + +- An [Internet Information Services (IIS)](https://www.iis.net/) website from the minimal version + IIS 10.0 (recommended) +- A + [Windows service](https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications); +- a stand-alone executable for tests or debugging purposes. + +It is recommended to enable the following +[Internet Information Services (IIS)](https://www.iis.net/) features to host Identity Manager: + +- [Windows Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#windows-authentication) +- [Anonymous Authentication](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/anonymousauthentication#anonymous-authentication) + +## Service Accounts + +The installation of the server as part of an Active Directory domain requires the use of an account +with sufficient privileges to create a service account on the domain. + +The server should be assigned a +[custom Windows service account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts). 
+ +The IIS built-in +[application pool identity](https://support.microsoft.com/en-us/help/4466942/understanding-identities-in-iis) +should not be used, because it will prevent the custom account from connecting to a distant SQL +Server. Hence Netwrix Identity Manager (formerly Usercube) recommends using a domain account. + +### Working directory permissions + +The agent's service account needs specific permissions presented in +the[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) topic as: + +- _Read_ and _List folder contents_ on the working directory; +- _Read & Execute_ and _List folder contents_ on the `Runtime` directory, usually + `C:/identitymanager/Runtime`, in order to run the agent executable; +- _Read_ and _List folder contents_ on the directory for provisioning orders, whose path depends on + the `Work` folder's path; +- _Read_, _List folder contents_, and _Write_ on the directory for data collection, whose path + depends on the `Work` folder's path. + +See the [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topics for additional information. + +Other permissions should be denied. + +> **FAQ**: How to set up directory permissions in Windows Server? See the +> [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. + +### Database permissions + +If Windows' authentication is used for SQL Server, then the server should be able to authenticate to +SQL Server with its assigned service account. 
It means that the server's service account needs to be +assigned an SQL Server login with the relevant roles, including necessarily either `sysadmin` or +`securityadmin`. + +See the [Database](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/database-requirements/index.md) and +[Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topics for additional information. + +## Hostname and DNS + +In the case of an on-premises installation, the server needs to be assigned a hostname within the +organization's domain. Agents must be able to resolve the server's hostname. + +The associated DNS zone needs to be +[updated accordingly](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/create-an-alias-cname-record-in-dns-for-web1). + +The DNS alias should be written in lowercase in order to comply with as many security rules as +possible. + +## SSL Certificate + +The server requires the use of an SSL certificate in order to perform HTTPS communication with +end-users' browsers. + +Identity Manager SaaS offering comes with an SSL certificate signed by a trusted certificate +authority for the `*.usercube.com` domains. This certificate allows end-users to access the server +through the Internet without any further configuration. Using another domain name for the SaaS +installation requires providing Netwrix Identity Manager (formerly Usercube) with the corresponding +SSL certificate signed by a trusted certificate Authority. + +Identity Manager on-premises offering requires the use of an SSL certificate trusted by all the +target end-users' browsers. Standard practices use a certificate signed by the target organization's +Public Key Infrastructure (PKI) root certificate authority. The on-premise SSL certificate must be +set up in IIS. 
+ +## Emails + +The server needs access to an SMTP server to +[ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md). + +## Encryption and Identity Server Key Pairs + +An [RSA-2048 encryption key pair](https://en.wikipedia.org/wiki/Public-key_cryptography) is required +for: + +- Identity Manager's server in order to perform various encryption operations, such as source, + configuration, or log file encryptions; +- Identity Manager's Identity Server for end-user authentication purposes. + +Such a certificate does not need to be integrated into the target organization's Public Key +Infrastructure and does not require an expiration date. They are only relevant to internal and +temporary Identity Manager data and can be changed at any time. + +An RSA key pair, as in an [X.509](https://fr.wikipedia.org/wiki/X.509) public key certificate and a +private key, can be stored either: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _server_'s host file system. The archive contains both the public + key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. This is the recommended method. 
+ +The key pair can be generated with tools such as +[OpenSSL](https://www.openssl.org/docs/manmaster/man1/req.html) or Microsoft's +[New-SelfSignedCertificate](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps) +and[ pvk2pfx tool](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx?redirectedfrom=MSDN). + +## What's Next? + +Let's move on to Identity Manager's agent requirements. See the +[ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/installation-guide/reverse-proxy/index.md b/docs/identitymanager/saas/identitymanager/installation-guide/reverse-proxy/index.md new file mode 100644 index 0000000000..e86dcd5866 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/installation-guide/reverse-proxy/index.md 
@@ -0,0 +1,202 @@ +# Reverse Proxy + +Identity Manager can be installed behind a +[reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) that acts as an intermediate server +between users and Identity Manager's server, in order to process users' requests and redirect them +to the right server(s), for performance and security purposes. + +## Overview + +A reverse proxy is usually used when: + +- needing to encrypt the requests from/to end-users on the one hand, and on the other hand to be + able to monitor plain text requests from/to Identity Manager's server; + + ![Proxy Purposes: Encryption](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_purpose_encryption.webp) + +- installing Identity Manager with an integrated agent on a network isolated from the users' + browsers, in order to be able to access sensitive systems which are protected by being set up on a + network isolated from the Internet; + + ![Proxy Installation Example](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_example.webp) + + This installation will be used for the configuration examples below. + +- using several Identity Manager's server instances for load-balancing purposes. + + ![Proxy Purposes: Load Balancing](/img/product_docs/identitymanager/identitymanager/installation-guide/reverse-proxy/proxy_purpose_loadbalancing.webp) + +As Identity Manager is session-less, working with several servers does not imply the need to +synchronize sessions between servers, nor the need to guarantee that a particular IP will be +processed by a particular server. + +### Nginx + +For these tasks, [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/#nginx) +is a relevant choice of reverse proxy. There are several versions of nginx available, suitable for +several Linux-based environments. 
+[Installation instructions](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) can be found +directly on the nginx website. + +At its core, Identity Manager is an ASP.NET application with a Kestrel server. We can configure a +nginx reverse proxy accordingly by following +[Microsoft's guidelines](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-8.0&tabs=linux-ubuntu#microsofts-guidelines). + +Nginx +[configuration files](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/) +are usually located in `/etc/nginx`. + +### Load balancing + +Nginx offers several +[load balancing methods](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#load-balancing-methods) +which are all compatible with Identity Manager. + +Then, in order for servers to be able to properly schedule and coordinate synchronization and +provisioning, the following file locations must be shared by all Identity Manager servers: + +- TempFolderPath +- WorkFolderPath + +All Identity Manager servers also share a database. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Basic Configuration + +The following is a basic configuration, in the `nginx.conf` file, with one virtual host, that +directs incoming requests on `` from network 1 to a Identity Manager server instance +at `` on network 2. 
+ +``` + +nginx.conf + +worker_processes auto; + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /nginx-1.19.7/logs/access.log; + error_log /nginx-1.19.7/logs/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + ## + # Virtual Host Configs + ## + + server { + listen default_server; + server_name ; + + location / { + proxy_pass http://; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + } +} + +``` + +Where: + +- `` is the port that nginx listens to on network 1 for incoming HTTP requests. It + should be set to `80`, except if you have another web server listening for port 80 requests and + passing them to your nginx server. +- `` is the URL used by end-users to request Identity Manager's server, such as + `contoso.usercube.com`. It is the content of the host header in the incoming HTTP request. +- `` is Identity Manager's server URL on network 2. + +With this configuration, SSL is enabled between the nginx proxy and the client, but not between the +proxy and Identity Manager's server. `gzip` is used to compress files to be sent over the network. + +### Static files + +Performance can be enhanced for static file serving. 
This requires extracting static files such as +the UI JavaScript application and the logo and pictures, and storing them on the nginx server +directly.See more information about +[static file serving with nginx](https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/). + +## Load Balancing Configuration + +Load balancing involves at least two Identity Manager servers to which +[nginx, acting as a load balancer](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/), +distributes the load of incoming requests. + +Then, in addition to the configuration from the previous example, a group of servers must be +declared, using the `upstream` directive in the `http` section. + +The following configuration defines a group named `usercubegroup` which contains two server +configurations, each one resolving to an actual Identity Manager's server instance: + +``` + +... +http { + upstream usercubegroup { + server usercube1.contoso.com; + server usercube2.contoso.com; + } + ... +} +... + +``` + +Then, the name of the group takes the place of `` in the virtual host +definition: + +``` + +server { + listen default_server; + server_name ; + + location / { + proxy_pass http://IdentityManagergroup; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + } + + } + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/api/authentication/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/api/authentication/index.md new file mode 100644 index 0000000000..c3e7924c09 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/api/authentication/index.md 
@@ -0,0 +1,26 @@ +# Authentication + +Identity Manager API authentication is based on the +[OpenIdConnect protocol](https://openid.net/connect/). Configuration informations are accessible on: +`[Usercube application URL]/.well-known/openid-configuration`. + +An OpenId client must be previously defined using an +[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) configuration +element. + +The `client_id` parameter to use in calls to the OpenIdConnect protocol endpoints must be the +concatenation of `clientId`, `@` and the domain of the application. + +For example, client defined by + +``` + + + +``` + +for the Identity Manager application hosted on `usercube.mycompany.com` must use +`MyApplication@usercube.mycompany.com` as `client_id` parameter in any call to the OpenIdConnect +endpoints. + +The scope to access to the Identity Manager API is `usercube_api`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/api/how-tos/request-postman/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/api/how-tos/request-postman/index.md new file mode 100644 index 0000000000..6c4c18543b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/api/how-tos/request-postman/index.md 
@@ -0,0 +1,89 @@ +# Request APIs via Postman + +This guide shows how to configure Postman to be able to request Identity Manager's API. + +## Get an Access Token + +Get an access token by proceeding as follows: + +1. Launch Postman. +2. Create a new request by clicking on **+ New** then **Request**. + + ![Postman: New Request](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_newrequest.webp) + +3. Fill in the fields and click on **Save to Identity Manager**. + + ![Postman: New Request Fields](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_requestfields.webp) + +4. Fill in the authentication information as follows: + + ![Postman: Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authentication.webp) + + - **Method**: POST + - **URL**: ``/connect/token + - **Body**: + - **client_id**: ``@`` + - **client_secret**: `` + - **scope**: usercube_api + - **grant_type**: client_credentials + +5. Click on **Send** and get the access token from the response body. + + ![Postman: Access Token](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstoken.webp) + +## Use an Access Token + +Use an access token by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorization.webp) + + - **Method**: GET + - **URL**: ``/``?api-version=1.0 + - **Authorization**: + - **TYPE**: Bearer Token + - **Token**: `` + +3. Click on **Send** and get the result from the response body. 
+ + ![Postman: Access Token Result](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) + +## Create a Combined Request + +Create a combined request by proceeding as follows: + +1. Create a new request in Postman. +2. Fill in the authorization information as follows: + + ![Postman: Authorization (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_authorizationcombined.webp) + + - **Method**: GET + - **URL**: ``/``?api-version=1.0 + - **Authorization**: + - **TYPE**: OAuth 2.0 + - **Header Prefix**: Bearer + +3. Click on **Get New Access Token** and fill in the fields as follows: + + ![Postman: New Access Token Fields (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_newaccesstokencombined.webp) + + - **Token Name**: `` + - **Grant Type**: Client Credentials + - **Access Token URL**: ``/connect/token + - **Client ID**: ``@`` + + Do not replace `@` with its encoding. + + - **Client Secret**: `` + - **Scope**: usercube_api + - **Client Authentication**: Send client credentials in body + +4. Click on **Request Token** to get the token. + + ![Postman: Get Token (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_gettokencombined.webp) + +5. Click on **Use Token** and **Send** and get the result from the response body. + + ![Postman: Access Token Result (Combined Request)](/img/product_docs/identitymanager/identitymanager/integration-guide/api/how-tos/request-postman/postman_accesstokenresult.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/api/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/api/index.md new file mode 100644 index 0000000000..25002278e2 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/api/index.md @@ -0,0 +1,26 @@ +# API + +Agent and server expose a REST API. + +## OpenAPI Definition + +This feature is optional and must be activated by the Swagger settings section. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic +for additional information. + +The page `[Usercube application's URL]/swagger` can be used to explore and test the API. + +This page is built by the [Swagger UI tool](https://swagger.io/tools/swagger-ui/) from the Identity +Manager [OpenAPI](https://swagger.io/specification/) definition. + +![Usercube server swagger page](/img/product_docs/identitymanager/identitymanager/integration-guide/api/swagger.webp) + +A function can have several versions. This is why the API description is split into several OpenAPI +definition files. + +Each definition file is accessible in JSON format on URL +`[Usercube application's URL]/swagger/{version}/swagger.json`. + +The Swagger UI page is accessible anonymously but each call from this page to the API must have an +authenticated context. To do so, you only need to be logged to the application from the same browser +instance (Authentication is carried by a cookie). diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/api/pagination/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/api/pagination/index.md new file mode 100644 index 0000000000..dfd35b9d7c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/api/pagination/index.md 
@@ -0,0 +1,18 @@ +# Pagination + +Each function returning a list of items supports pagination. This pagination is based on the +PageSize and ContinuationToken parameters. + +The principle is to call the function with the ContinuationToken obtained from the previous call. + +![Pagination sequence diagram](/img/product_docs/identitymanager/identitymanager/integration-guide/api/pagination/pagination.webp) + +**NOTE:** Pagination is optional. If PageSize is not specified, the function will return all items +or use the limit specified in the squery parameter. If PageSize is specified, no limit must be +specified in the squery parameter. + +A DefaultPageSize as well as a MaxPageSize can be defined in the Applicative configuration settings. +If the given PageSize or squery limit is above the MaxPageSize, the limit of the MaxPageSize` is +used. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. diff --git a/docs/usercube_saas/usercube/integration-guide/api/squery/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/api/squery/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/api/squery/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/api/squery/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md new file mode 100644 index 0000000000..5d7647a658 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md 
@@ -0,0 +1,127 @@ +# Protect Agent/Server Communication + +This guide shows how to set up a secured authentication system between Identity Manager's agent and +server. + +## Overview + +Identity Manager provides a simple way to protect the communication between agent and server, using +OpenID Connect. + +First, make sure to understand the OpenID protocol. For example, +[see Microsoft's documentation on the matter](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc). + +The idea, when sending data from the agent to the server, is the following: + +1. the agent decrypts its own data which was encrypted with the agent-side certificate; +2. the agent calls the server, and sends its HTTPS-encrypted message; +3. the server receives and decrypts the message, before encrypting it again with its own encryption + certificate configured by Identity Manager. + +![Schema: Agent/Server Communication](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/agent-server-communication.webp) + +### Configuration details + +The server must be configured, in its `appsettings.json`, with: + +- an encryption certificate with the private and public keys, in order to be able to send signed + tokens. + +The agent must be configured, in its `appsettings.json`, with: + +- an encryption certificate with at least the server's public key, in order to be able to verify the + tokens sent by the server; +- another encryption certificate meant to encrypt specific files such as logs or temporary files; +- an SSL encryption certificate for the HTTPS connection. + + The SSL certificate is required when working in an on-premises environment. In a SaaS + environment, Identity Manager provides it. 
+ +In order to give to the agent the right permissions, the XML configuration must specify an +[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) linked to +its hashed secret, and to a Identity Manager profile. + +## Protect Agent/Server Communication + +Protect agent/server communication by proceeding as follows: + +1. Make sure that both the agent and server configurations specify an encryption certificate. See + the + [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + for additional information. + + > For example: + > + > ``` + > + > appsettings.json + > + > { + > "IdentityServer": { + > "X509KeyFilePath": "./identitymanager.pfx", + > "X509KeyFilePassword": "secret" + > }, + > ... + > } + > + > ``` + +2. Make sure that the agent is also configured with its own encryption certificate. See the + [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) + for additional information. + + > For example: + > + > ``` + > + > appsettings.json + > + > { + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > }, + > ... + > } + > + > ``` + +3. Configure an OpenIdClient, both on agent side in `appsettings.agent.json` with the non-hashed + secret and on server side in the XML configuration with the secret hashed by the + [ Usercube-New-OpenIDSecret ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) + executable. See the + [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) for + additional information. 
+ + > For example on agent side: + > + > ``` + > + > appsettings.agent.json + > + > { + > "OpenId": { + > "OpenIdClients": { + > "Job": "newSecret" + > }, + > ... + > } + > ... + > } + > + > ``` + > + > And on server side: + > + > ``` + > + > ./identitymanager-New-OpenIDSecret.exe --client-secret secret + > + > ``` + > + > `` + > + > ``` + > + > ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md new file mode 100644 index 0000000000..da04dfe60c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md 
@@ -0,0 +1,68 @@ +# Architecture + +This article dives deeper into Identity Manager's design principles. Security and flexibility are +the main concerns of the architecture. + +## A Two-Tier Architecture + +Identity Manager is made of two parts: + +- The Identity Manager server operates the main process. It uses a dedicated database, serves the + client side part of the web application and exposes its API. +- The Identity Manager agent operates data exchange with the information system. It implements a + specific API called by the web client application. + +Agent and server are [ASP.Net](https://docs.microsoft.com/en-us/aspnet/core/) applications running +on Windows. Identity Manager's database is a +[Microsoft SQLServer](https://www.microsoft.com/en-us/sql-server) relational database. + +![Architecture](/img/product_docs/changetracker/changetracker/architecture.webp) + +See the [ SaaS Environment ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/saas/index.md) topic for additional information on Netwrix Identity +Manager (formerly Usercube) recommended architecture when working in a SaaS environment. + +See the [ On-Premises Environment ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/on-prem/index.md) topic for additional information on Netwrix +Identity Manager (formerly Usercube)' recommended architecture when working in an on-premises +environment. + +See how to +[ Protect Agent/Server Communication ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/how-tos/protect-agent-server-communication/index.md). + +## Isolation Principle + +Identity Manager server has no direct access to the information system of the organization. It can +be installed on an isolated network (typically in the cloud). Only the agent can read or write the +information system. All exchanges between agent and server are operated through the HTTP protocol +(HTTPS recommended in production). 
+ +## Unidirectional Command Flow + +All reading or writing actions in the information system are initiated by the agent. Identity +Manager server will never call the agent. The Agent periodically polls the server to gather the +actions to process. + +Tasks can run on the Server side or on the Agent side. + +Tasks that run on the Server side are still executed by an Agent. This is the application of the +one-way data flow principle. Agents can send commands to the Server to execute a Task through an +HTTP request but the Server cannot command an Agent, hence isolating the sensitive Agents from the +exposed Server. + +As a result, each set of planned Tasks is assigned to a specific Agent, depending on the managed +systems its Tasks relate to. + +Agents also receive HTTP/HTTPS requests from the browser to allow authenticated end-users to launch +jobs from the UI. + +## Authentication + +Identity Manager can authenticate users within an Active Directory domain or using an OpenID +identity server. For development mode, Identity Manager implements a form-based authentication using +a unique password for all users See the +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. + +## Multi-Agent Capability + +Multiple agents can be installed. This allows Identity Manager to operate in a context where the +information system is partitioned over several networks. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/architecture/on-prem/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/on-prem/index.md new file mode 100644 index 0000000000..2b1cbbafbd --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/on-prem/index.md 
@@ -0,0 +1,29 @@ +# On-Premises Environment + +When working in an on-premises environment, Identity Manager needs a specific architecture. + +## Overview + +Identity Manager recommends the following architecture: + +![On-Premises Recommended Architecture](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +Most situations do not need Identity Manager so much that they need a fail-over system, i.e. +installing several Identity Manager instances in order to prevent breakdowns. In most situations, a +single Identity Manager instance is enough. + +### Server + +The server should be stateless, i.e. it should store only temporary files. + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. + +### Database + +The database is a critical item, and thus should be set up with a mirror. The database mirror can +have lower CPU and RAM and be on a different location. + +Identity Manager recommends using an incremental backup. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/architecture/saas/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/saas/index.md new file mode 100644 index 0000000000..a945f41abc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/architecture/saas/index.md @@ -0,0 +1,14 @@ +# SaaS Environment + +When working in a SaaS environment, Identity Manager needs a specific architecture. + +## Overview + +Identity Manager recommends the following architecture: + +![SaaS Recommended Architecture](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +### Agent(s) + +One or several additional agents can be needed only when using a sensitive network, for example an +administration network separated from the main network. 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/connections/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/connections/index.md new file mode 100644 index 0000000000..e87207fba9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/connections/index.md 
@@ -0,0 +1,102 @@ +# Connections + +This page gathers useful information concerning the possible uses of connections, used by connectors +in order to extract and/or fulfill data from/to external systems. + +## Connection Configuration + +A connector needs at least one +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) which needs to be +declared both in the XML configuration and in the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +file to be used. The connection settings must be set in appsettings.agent.json > Connections > +**connectionIdentifier**, where **connectionIdentifier** is the identifier specified for the +connection in the XML configuration. + +See the [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +The information stored in the connection depends on the export and/or fulfill technologies used by +the connection's package. + +See the [References: Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md) topic for additional +information. + +## Connection Tables + +A [ Connection Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +represents the potential output of the connection's +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md), when the +connection's package allows export. The export process generates CSV files (our connection tables) +whose names start with the connection's identifier. The files' suffixes depend on the connector. 
See +the [References: Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md) topic for additional information. + +The name of these files are used to specify the connection tables of the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +and +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +in order to link the connectors' properties to the source files and columns from the managed +systems. + +A connection table is used in the definition of an entity type as `Source`, while the available +columns of the selected table are used for the mapping as `Source Columns`. + +![connectiontables_ui_v60](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/configuration-details/connections/connectiontables_ui_v60.webp) + +## Refresh Schema + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Identity Manager refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. 
+ + ![Refresh all Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. + +![Failed Refresh Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "There is no schema for this connection". + +![No Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Export/Fulfill Tasks and Resource Type Mappings + +Connections are given to `ExportTasks` through the `Connection` attribute, which is mandatory as the +`ExportTask` needs this information to use the right technology and search the information in the +`appsettings.agent.json`. + +It can also be given to `FulfillTasks` the same way but must not be if the `FulfillTask` has +`TaskResourceTypes`. + +`ResourceTypeMappings` have the `Connection` attribute as well, which is mandatory. If a +`FulfillTask` has `TaskResourceTypes`, it will use the given connections to provision the different +`ResourceTypes`. + +## Secured Options + +A connection's parameters fall into two categories: regular or secured options. 
+ +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +See the [ Configure Secured Options ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md) topic for +additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md new file mode 100644 index 0000000000..4acb0edd73 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md @@ -0,0 +1,7 @@ +# Credential Protection + +The credentials of any managed system can be protected using an +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +vault or an +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/index.md new file mode 100644 index 0000000000..6b55dabee7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/index.md 
@@ -0,0 +1,10 @@ +# Configuration Details + +This part gathers information about connector configuration. + +Netwrix Identity Manager (formerly Usercube) recommends creating and configuring a connector via the +UI. See the [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) +topic for additional information. + +- [Connections](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/connections/index.md) +- [Credential Protection](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/credential-protection/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md new file mode 100644 index 0000000000..ed17692a26 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md 
@@ -0,0 +1,151 @@ +# References: Format for the EntityPropertyMapping + +This page lists all available formats for entity properties, in order to help you manage said +formats when exporting and fulfilling resources from/to external systems. + +The attribute `Format` can be defined in an EntityPropertyMapping to indicate the format of the data +in the external system. It will allow Identity Manager to correctly convert the data to its own +format during the export and fulfillment processes. + +## Available Formats + +### Active Directory / LDAP / OpenLDAP + +| Format | Corresponding Property Type | Note | +| ------------------------------------ | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| _Bit:``:``_ | String/Int16/Int32/Int64 | When provisioning a bitmask property, for example `userAccountControl`, the format must contain the identifier of the property and the bit to be provisioned, for example `bit:userAccountControl:2`. | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _Concat:separator_ | String | Mono-valued attribute that may contain multiple values separated by a `` (example: `extensionAttribute15` which requires using `concat:;`) | +| _DateTime/1601Date_ | DateTime | [Classic LDAP Dates](https://www.epochconverter.com/ldap) and [Generalized DateTimes](https://ldapwiki.com/wiki/GeneralizedTime) | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | Some attributes are stored as long integers (_Int64_) even though their name implies that they hold dates, like `accountExpires` and `pwdLastSet` attributes. 
| +| _MultivaluedText_ | String | Multi-valued attribute flattened to a string containing values separated by a `\n`. Its provisioning with a scalar rule requires a specific sorting, see the focus under this table. | +| _RDN_ | String | [Relative Distinguished Name](https://ldap.com/ldap-dns-and-rdns/) | +| _SID_ | String | [Security Identifiers](https://ldapwiki.com/wiki/ObjectSID) | + +#### Focus on Bit + +Some systems use bitmask properties, i.e. properties containing a set of boolean flags represented +by individual bits. + +Scalar properties are provisioned by scalar rules, usually changing the whole value of the property. +For bitmask properties, changing the whole value often requires an unnecessarily complex expression. +Hence, a bitmask property should be modified one bit at a time (bit provisioning). In order to +change only one flag without altering the others, a bitmask property must be completed by one +fictitious property for each bit to be modified. + +Then scalar rules can be created for each single-bit property individually. + +In a given resource type, there should be scalar rules either for the bitmask property, or for the +single-bit "sub-properties", not both. + +> For example, we choose to create a property `bit_userAccountControl_2` to represent the second bit +> of `userAccountControl`. +> +> ![New Property for Bit Provisioning](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/bitprov_property_v603.webp) +> +> XML configuration looks like the following: +> +> ```xml +> +> +> +> ... +> +> +> +> +> ... +> +> ``` + +When creating a property of bit format: + +- through the UI, there is no need filling the connection column field, because it will be filled + automatically once the format fields are filled. A manual value for connection column would be + overridden. +- through XML configuration, the connection column must be specified manually but there are no + additional requirements. 
+ +#### Focus on MultivaluedText + +To provision a `MultivaluedText` property, the associated scalar rule's source object must return a +`string`, where the values are separated by a `\n`. Most of the time, the value of the source object +is computed with an expression. + +The order of the values within the property is important, because Identity Manager will use the +results of the synchronization and of the computation of the scalar rule's expression. Identity +Manager compares both results to compute the `Verified` provisioning state if they are found equal. +Regarding that fact, if the scalar rule's expression does not compute the `MultivaluedText` with the +values in the same order as Identity Manager's synchronization, the property will never be +`Verified`. + +Netwrix Identity Manager (formerly Usercube) recommends, in the scalar rule's expression, ordering +the elements before joining them into a `string` with +`myList.OrderBy(e => e, StringComparer.OrdinalIgnoreCase)`, where `myList` is the list of values. + +> For example, the scalar rule's C# expression for a `MultivaluedText` can look like: +> +> ``` +> +> +> +> ``` + +### ServiceNow + +| Format | Corresponding Property Type | Description | +| ------------------ | --------------------------- | ---------------------------------------------------------- | +| _Bool_ | Bool | | +| _Byte_ | Byte | | +| _Bytes/Binary_ | Bytes/Binary | | +| _DateTime or Date_ | DateTime | Date in ServiceNow format | +| _Double_ | Double | | +| _Guid_ | Guid | 32 digits Guid (example: c076e361fa5f428e833939a449ce2db3) | +| _Int16_ | Int16 | | +| _Int32_ | Int32 | | +| _Int64_ | Int64/ForeignKey/Option | | + +#### Example + +In this example, we will export and fulfill the start date of an employee in a ServiceNow instance. + +We define an [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) called `u_startdate` with the +**Type**`DateTime` to display it as a date in the UI. 
+ +``` +ServiceNow Connector.xml +... + ... + +``` + +To correctly export the start date from ServiceNow, we transform the string received into a string +that is readable as a date by Identity Manager. To do so, we must declare in the EntityTypeMapping +that we will not receive a simple string, but a string formatted as a `DateTime`. + +``` +ServiceNow Connector.xml +... + ... + +``` + +This allows the export of the attribute `u_startdate` as a date in Identity Manager's format. + +The fulfillment will use the same format defined in the EntityTypeMapping through the **Binding** +declared in the ResourceType. + +![Export and Fulfill Data transformation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md new file mode 100644 index 0000000000..03c87b67ff --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md 
@@ -0,0 +1,125 @@ +# Register for Microsoft Entra ID + +This guide shows how to +[register](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) +Identity Manager as an application, i.e. grant Identity Manager a service account, with Microsoft +Identity Platform to authenticate to a Microsoft Entra ID (formerly Azure Active Directory), and how +to grant Identity Manager the +[directory permissions](https://docs.microsoft.com/en-us/graph/permissions-reference) for reading +the data to be exported via the +[Microsoft Graph API](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api). + +## Create a New Registration + +Create a new registration for Identity Manager with Microsoft Identity Platform by proceeding as +follows: + +1. Go to [the Microsoft portal](https://portal.azure.com/). +2. Log in using the organization's credentials. +3. Find the **Microsoft Entra ID** menu on the left panel. +4. Go to **App Registrations** in the left panel. +5. Click the **+ New Registration** button in the top menu. + + ![Azure AD Export - Add New Registration](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportregistration.webp) + + A new registration form is displayed: + + - Name: display name of your application for the currently created registration. It is used to + identify this registration within Microsoft Entra ID. In the case at hand, it won't be + displayed to the end-user since Identity Manager doesn't access the Microsoft Entra ID using + end-user identity but [its own](https://docs.microsoft.com/en-us/graph/auth-v2-service). + + Netwrix Identity Manager (formerly Usercube) recommends using a mnemonic name resembling + Identity Manager Organization in order to remember it as the registration of Identity + Manager within the target Microsoft Entra ID, for example Identity Manager Contoso. 
+ + - [Supported account types](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-supported-account-types): + select **Accounts in this organizational directory only (... - Single tenant)**. + + Identity Manager uses its own identity to access the API. It doesn't access the data on + behalf of a user. To authenticate, it uses credentials of a service account granted by this + registration, in the form of an **ApplicationId** and a secret Client Secret. + + See how to get **ApplicationId** and **ApplicationKey**. + + This service account is stored in the organizational directory, and hence using the + [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), + only **Accounts in this organizational directory** are supported for authentication within + this registration scope. + + - Redirect URI: + + - The left combo box represents the type of application. It influences the authorization + protocol exchanges. Identity Manager is of type Web. + - The right line edit isn't applicable to our case and should be left blank. It is used for + end-user authentication, but doesn't apply to Identity Manager. + +6. Confirm the registration with the **Register** button at the bottom of the page. + +### Get the application's identifier + +**ApplicationId** is available in the registration overview. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **Overview** in the left panel. + + The **Essentials** top panel displays the **Application (client) ID** required by the Identity + Manager Agent. The same page also displays the **Directory (tenant) ID** that will also be + needed by the Identity Manager Agent. 
+ + ![Azure AD Export - New ApplicationId](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportapplicationid.webp) + +### Get the application's secret key + +A **Client Secret** key needs to be generated. Get it by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **Certificate & Secrets** in the left panel. +4. Click the **+ New client secret** button in the bottom panel **Client Secrets**. +5. Input a mnemonic name such as Identity Manager Organization Secret. +6. It is recommended to use a short **expiration period** such as 1 year. +7. Confirm the creation with the **Add** button. + + The Client Secret is now listed in the bottom panel **Client Secrets**. The Client Secret value + is needed by the Identity Manager Agent settings file. + + ![Azure AD Export - New Client Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportsecret.webp) + + The **Client Secret** value is only displayed in the UI in plain text at first. After a while, + it is only displayed as `**************`. It should hence be stored in the + appsettings.agent.json file or an environment variable as soon as it is created, to be used + subsequently by Identity Manager. If the key is lost, a new key can be created to replace the + lost one. + +## Grant Directory Permissions + +Grant Identity Manager directory permissions by proceeding as follows: + +1. Go to **App Registrations** in the left panel. +2. Select **Owned applications** > **Identity Manager**. +3. Go to **API Permissions** in the left panel. +4. Click on the **+ Add a permission** button. + + ![Azure AD Export - Add Permission](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportpermissions.webp) + +5. 
Go to **Microsoft graph** > **Application permissions**. +6. Search and open the **Directory** category. +7. Check the **Directory.Read.All** permission. + + If you plan on configuring fulfillment too, you must only check the **Directory.ReadWrite.All** + permission. + + ![Azure AD Export - Directory Permission](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportdirectorypermission.webp) + +8. Confirm with the **Add permissions** button at the bottom of the page. + + You now see the Directory.Read.All or Directory.ReadWrite.All permission in the **Configured + permissions** list with a **⚠ Not granted for ...** status. + +9. Grant admin consent by clicking on **√ Grant admin consent for** name of the organization. + + ![Azure AD Export - Grant Admin Consent](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/azuread-register/howtos_azuread_exportadminconsent.webp) + + You should now see the status displayed as **√ Granted for** name of the organization. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md new file mode 100644 index 0000000000..65177cf7ef --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/index.md 
@@ -0,0 +1,57 @@ +# Configure Secured Options + +This guide shows how to configure secured options to ensure data security in a connection's +parameters. + +## Overview + +A connection's parameters fall into two categories: regular or secured options. + +The particularity of secured options is that, once set, they will never again be shown to users. +Hence, extra care should be taken while specifying them. + +There are several types of secured options: a simple field or multiple key-value fields. + +## Configure a Secured Option + +Configure a secured option by proceeding as follows: + +1. Among a connection's parameters, identify the secured option: + + - for a simple field: + + ![AD creation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adlogin_v603.webp) + + - for multiple key-value fields: + + ![SQL connection string](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_keyvalue_v603.webp) + + Contrary to simple fields, multiple-key-value secured options are not restricted to a given + property. They are arbitrary and can be set to anything. + +2. Fill the field(s) and, if needed, click on the eye icon to make the content visible. 
+ + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + > For example, for a simple field in an AD connection, the **Login** and **Password** are by + > default hidden with ??????: + > + > ![Login Secured Options Hidden](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexample_v603.webp) + > + > ![Login Secured Options Revealed](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_adexamplevisible_v603.webp) + + > For example, for multiple key-value fields in an SQL connection, some elements of the + > connection string might be sensitive and need to be hidden: + > + > ![SQL connection string](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample1_v603.webp) + > + > In this example, the database name and the minimal pool size are secured options: + > + > ![SQL Secured option filled](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_sqlexample2_v603.webp) + + > Another example of multiple key-value fields in a Powershell connection: + > + > ![Powershell Secured option hidden](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/configure-secured-options/securedoptions_powershellexample_v603.webp) + +3. Once saved, any secured option's value can no longer be seen. However, it can still be modified + by deleting the value and re-specifying it. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md new file mode 100644 index 0000000000..b72c93b92e --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md 
@@ -0,0 +1,372 @@ +# For Microsoft Entra ID + +See the[ Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic for +additional information about creating a connector. + +## Prerequisites + +The following are prerequisites for the connector creation. + +Configure the external system + +See the [Register for Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) topic for additional +information on how to register Identity Manager. + +Configure Identity Manager + +See the [ Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic for +additional information on the connection. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "MicrosoftEntraIDContosoNYExport": { +      "ApplicationId": "", +      "ApplicationKey": "<25d408a1925d4c081925b\d40819>", +      "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", +      "MicrosoftGraphPathApi": "", +    } +  } +} +``` + +## Build the Connector + +See the [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) +topic for additional information on how to build a connector via the UI, with its connections, +entity types and mappings. + +This example declares the MicrosoftEntraID connector on the Local agent: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml + + +    ... +     +    ... 
+ + +``` + +### Entity model + +The entity model should match as closely as possible the structure of the relevant Microsoft Entra +ID data, and be aligned with Identity Manager's repository. See the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +For example, Microsoft Entra ID's Users and Groups can be described by entity types, and group +memberships by entity associations. + +The following example defines an entity type named MicrosoftEntraID_DirectoryObject to match the +attributes selected for extraction from the Microsoft Entra ID instance: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +     +     +     +     +     +     +     +     +     +     +     +     +     quot;true" /> +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + +... + +``` + +Notice the omitted TargetColumnIndex attribute for the members and memberOf properties. This means +that these properties are navigation properties. + +The following example declares an n-n association between two MicrosoftEntraID_DirectoryObjects, +where: + +- memberOf is a collection of Groups IDs of which this MicrosoftEntraID_DirectoryObject is a member; +- members from a Group is a collection of MicrosoftEntraID_DirectoryObjects IDs which are members of + this Group. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +... + +``` + +Notice the format of the Property1 and Property2 XML attributes: the name of the entity type is +followed by a colon (:) and the name of an entity property. 
It is a binding describing in one +expression, the target entity type and property. See +the[ Binding ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) topic for additional +information. + +Entity mapping + +Each property of the entity type must be mapped to an attribute among those exported from Microsoft +Entra ID. + +So each element of an entity type mapping is meant to link a property from the CSV file containing +the exported Microsoft Entra ID attributes to a property from the entity type. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +... +``` + +As a result, synchronization updates Identity Manager's UR_Resource table based on the data of the +exported CSV files. Considering that AzureAD_DirectoryObject has never been synchronized, the +UR_Resource table receives a new line for which the 47th column (City) is filled in with the city +column from the `C:/identitymanagerDemo/Temp/ExportOutput/AzureADContosoNYExport_directoryobjects.csv` +file. + +An association mapping is the equivalent of an entity type mapping, but for the properties of an +entity association instead of an entity type. + +The following example describes the "actual group/member" associations between +MicrosoftEntraID_DirectoryObjects. 
+ +These associations are exported from the Microsoft Entra ID system into the +`C:/identitymanagerDemo/Temp/ExportOutput/MicrosoftEntraIDContosoNYExport_members_group.csv` file, +containing, for each group, a list of members in the following format, with id being the id of an +Microsoft Entra ID object and groupId the matching Group's id to which the object belongs: + +| Id | GroupId | +| --- | ------- | +| 12 | 454 | +| 3 | 454 | +| 4 | 454 | +| 5 | 333 | +| 2 | 333 | + +The following entity association mapping maps the properties from the +MicrosoftEntraID_DirectoryObject_members entity association: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Connector.xml +... + + +... + +``` + +Here the members property of the MicrosoftEntraID_DirectoryObject entity (written to the Property1 +attribute of the MicrosoftEntraID_DirectoryObject_members entity association) is filled in by values +from the groupId column (written to the Column1 attribute of the +MicrosoftEntraID_DirectoryObject_members entity association mapping) of the CSV file. + +And the membersOf property of the MicrosoftEntraID_DirectoryObject entity (written to the Property2 +attribute of the MicrosoftEntraID_DirectoryObject_members entity association) is filled in by values +from the Id column (written to the Column2 attribute of the MicrosoftEntraID_DirectoryObject_members +entity association mapping) of the CSV file. + +## Display the Connector in the UI + +This is how the connectors are displayed on the UI. + +Menu items + +Each connector should be configured with a menu item, which is created automatically when working +via the UI. 
+ +![Menu Item - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_menuitem_v603.webp) + +In XML, it should look like this: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Nav.xml + +``` + +Displayed resources + +See the +[ Organize Resources' Datasheets ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) +topic for additional information on how to set the display properties via the UI. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +     +     + + +``` + +![Navigation Properties - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_navproperties_v603.webp) + +Microsoft Entra ID's resources are listed in a table. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +     +     +     + + +``` + +![Display Table - Azure AD Connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/howtos_azure_table_v603.webp) + +This is how the resources are displayed on the UI. + +Resources' display names + +See the +[ Set Resources' Display Names ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) +topic for additional information on how to set resources' display names via the UI. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID UI.xml + +``` + +Permissions + +In order to access the connector, any user must have the right permissions. + +The following example sets the permissions to access the Microsoft Entra ID connector and resources +for the Administrator profile. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml + +     +     + + +     + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md new file mode 100644 index 0000000000..9fa4d459c3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md 
@@ -0,0 +1,144 @@ +# Create a Connector + +How to implement a [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +via XML to connect Identity Manager to an external system. + +See an example on how to register [For Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md). + +Netwrix Identity Manager (formerly Usercube) strongly recommends configuring as much as possible via +the UI instead of XML files. See the +[ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) topic to +learn how to create a connector via the UI. + +## Prerequisites + +### Configure the external system + +Some systems need additional configuration for Identity Manager to connect. + +### Configure Identity Manager + +Identity Manager's agent must be set up to access the system's data via the related connector. + +Netwrix Identity Manager (formerly Usercube) recommends performing the configuration via Identity +Manager's configuration files like `appsettings.json` and `appsettings.agent.json`. However, these +settings can also be input through environment variables. See the +[Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md) topic for additional information. + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. + +- Not begin with a digit. 
+ +- Not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +Netwrix Identity Manager (formerly Usercube) recommends completing this guide without credential protection, and once the configuration works switch to a more secure way of storing credentials. + +See the [ +Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) topic to learn how to protect Microsoft Entra ID's credentials. + +## Build the Connector + +See the [ +Connect to a Managed System +](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) topic to learn how to build a connector via the UI, with its connections, entity types and mappings. + +When exporting the configuration, a `````` connector should be found in the ```Conf// Connector.xml``` file. + +All XML files must start with the `````` and `````` elements. + +### Entity model + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) of the connector defines how the exported data will be written to Identity Manager's repository. It should match as closely as possible the structure of the relevant data from the external system, and be aligned with Identity Manager's repository. + +The entity model is configured by entity type and entity association containing scalar and navigation properties. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md)[ +Entity Association +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md), and [ +Entity Type +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) topics for additional information. + +The entity model can be refined later in the project. 
+ +### Entity mapping + +Each property of the entity type must be mapped to an attribute from among those exported from the system. + +Entity mapping is configured through [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +So each element of an entity type mapping is meant to link a property from the result of the CSV export file containing the exported attributes to a property from the entity type. + +In the mapping, the CSV file is identified by the ```ConnectionTable``` and the entity type by the ```Identifier```. + +An association mapping is the equivalent of an entity type mapping, but for the properties of an entity association instead of an entity type. + +## Display the Connector in the UI + +### Menu items + +Identity Manager provides a menu item to list all connectors in the dashboard's left menu. + +![Menu Item - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +> It is usually written like this: +> +> ``` +> +> Runtime/Bootstrap/Nav.xml +> +> +> +> ``` + +Then each connector should be configured with a menu item, which is created automatically when working via the UI. + +### Displayed resources + +See the [ +Organize Resources' Datasheets +](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) to learn more on how to set the display properties via the UI. + +In the XML configuration, scalar properties are automatically displayed in the datasheets of the connector's resources. But navigation properties must be declared explicitly. 
+ +The properties to be displayed are configured through [Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md). + +Microsoft Entra ID's resources are listed in a table. + +The resources are displayed in a table configurable through a [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md). + +### Resources' display names + +See the [ +Set Resources' Display Names +](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) to learn how to set resources' display names via the UI. + +Each resource is displayed in the UI with a display name. + +Resources' display names are customizable through [ +Entity Type +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +property expression. + +### Permissions + +In order to access the connector, a user must have the right permissions. + +Permissions within Identity Manager are configured through [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). +```` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md new file mode 100644 index 0000000000..5e2a22a9a2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md 
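Review bot: In the Microsoft Entra ID how-to that ends just above the demoapp-banking file header, the XML the text refers to is missing. The code span in "a connector should be found in the Conf// Connector.xml file" is empty, "All XML files must start with the ... and ... elements" names no elements, and the fenced example under "Menu items" contains only the path Runtime/Bootstrap/Nav.xml. Restore the element names and the example body, otherwise the reader cannot tell which connector or root elements are meant. Two smaller points in the same file: in "Entity model", the links "[Entity Model](...)[Entity Association](...)" run together without a separator, and the sentence recommending to complete the guide "without credential protection" should say at which point the credentials have to be moved to protected storage, rather than leaving it at "once the configuration works".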
@@ -0,0 +1,87 @@ +# Run the Banking Demo Application + +This guide shows how to set up and run the Banking demo application. + +## Banking Application Description + +The Banking application is a demo application that represents a web based external system. The +Banking application contains: + +- A main page +- A list of users, accessible by clicking on **Users** at the top of the page. It is possible to add + a user by clicking on **Create New User** + + ![Users list](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userslist.webp) + +- A list of groups, accessible by clicking on **Groups** at the top of the page. Clicking on + **Details** on a group shows the users belonging to that group +- A user's details page for each user, accessible by clicking on **Details** on a user in the users + list + + ![User details](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/demoapps_banking_userdetails.webp) + +The most interesting part of the Banking application is a user's page. On a user's page, it is +possible to: + +- Edit the user's information +- Delete the user +- Add the user to a group +- Remove the user from a group +- Set the user's password + +The Banking application uses a database named BankingSystem as a data source. The changes made to a +user are applied to the database, and will be saved. + +The Banking application exposes an API that complies with SCIM 2.0 (RFC 7643 & RFC 7644) standards. +This API provides: + +- Token retrieval in two different ways — Login/Password and Client Credentials. This is not real + authentication so you can input any values, as the system only verifies if the fields are empty. +- A schema endpoint (/Schemas) that returns metadata describing SCIM resource types. This includes + attributes, types, mutability, and required fields for Users and Groups, following SCIM 2.0 + specifications. 
+- Operations on users, including: Get list, Get by ID, Create, Update, and Delete (CRUD) +- Operations on groups, limited to Get list only + +**NOTE:** In the Banking Demo Application appsettings two parameters are available: + +- `RequireAuthorization` (default: true) — When enabled, the system checks whether a token is + present in the request headers +- `RequireSecureHeader` (default: false) — When enabled, the system verifies that the + SecureHeaderparameter is included in the request headers + +_Remember,_ a Postman collection is provided in the same folder as the executable (.exe) to +facilitate API testing. + +## Running the Banking Application + +The Banking Application is part of the Netwrix Identity Manager (formerly Usercube) SDK, and comes +with prefilled sources. To run the Banking application: + +**Step 1 –** Download the SDK. + +**Step 2 –** Download the Runtime. + +**Step 3 –** Create a database named BankingSystem. + +**Step 4 –** Go to the Runtime folder. + +**Step 5 –** Run +`./identitymanager-FillBankingDatabase.exe --connection-string {connection string} --sources-path {sources path} --banking-sql-path {banking sql path}`, +replacing `{connection string}` with the BankingSystem database connection string, `{sources path}` +with the path to SDK/DemoApps/Sources, and `{banking sql path}` with the path to +SDK/DemoApps/Banking. + +**Step 6 –** Go to the **SDK/DemoApps/Banking** folder. + +**Step 7 –** Run **./Banking.exe** in a command prompt + +**Step 8 –** In a web browser, enter the URL `localhost:5000`. + +The Banking application is running, and the web browser is on the Banking home page. + +To set the Banking application to another port, run +`/Banking.exe --urls http://localhost:{port number}`. To access the application, enter the URL +`localhost:{port number}` in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. 
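Review bot: The API description in the Banking page says token retrieval "is not real authentication so you can input any values" and that `RequireAuthorization` only checks whether a token is present, yet the run steps never say the application is meant to stay on the local machine. Add a sentence next to the `--urls` paragraph stating that the demo is for local use and should be kept on a localhost address, since any caller can obtain a token. Also in this hunk: "only verifies if the fields are empty" reads as the opposite of what is presumably meant (that they are not empty), "SecureHeaderparameter" is missing a space, Step 7 lacks its closing period, and the alternate-port command is written `/Banking.exe --urls ...` while Step 7 uses `./Banking.exe`.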
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md new file mode 100644 index 0000000000..def39dc5c1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md 
@@ -0,0 +1,36 @@ +# Run the HR Demo Application + +This guide shows how to set up and run the HR demo application. + +## HR Application Description + +The HR application is a demo application that represents a web based external system. The HR +application contains an employee list. + +![Users list](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userslist.webp) + +Each employee also has their own page, with the possibility to edit their profile or delete them. It +is also possible to add a new employee. + +![User details](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/demoapps_hr_userdetails.webp) + +The HR application uses csv files as data sources. When a user is added, deleted, or edited, the csv +file will be modified, and the changes will be saved. + +## Running the HR Application + +The HR Application is part of the Identity Manager SDK, and comes with prefilled sources. To run the +HR application: + +- Download the Identity Manager SDK. +- Go to SDK/DemoApps/HR. +- Modify **appsettings.json** > **CSVPath** to "..\\Sources". +- Run **./HR.exe** in a command prompt. +- In a web browser, enter the URL **localhost:5000**. + +The HR application is running, and the web browser is on the HR application employee list. + +To set the HR application to another port, run `./HR.exe --urls http://localhost:{port number}`. To +access the application, enter the URL `localhost:{port number}` in a web browser. + +Some ports are not recognized by web browsers, or may already be used. Choose a port wisely. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md new file mode 100644 index 0000000000..9cd1b0a25d --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md 
@@ -0,0 +1,269 @@ +# Interact with a GUI Application via Robot Framework + +This guide shows how to write a Robot Framework script which interacts with an external application. + +## Example: Interacting with an application via a GUI + +Consider an external system that is accessible through a GUI program, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a GUI application. The guide on how to write a +Robot Framework script explains the basics of Robot Framework. The basic prerequisites can be found +on the Robot Framework connector page. See the +[ Write a Robot Framework Script ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) and +[ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) topics for additional +information. + +The requirements specific to the Robot Framework FlaUI library are as follows: + +- Python 3.7 or 3.8. For Python 3.9, using `pip install wheel` in the command prompt may solve + installation errors. +- Robot Framework FlaUI library: use `pip install --upgrade robotframework-flaui` in the command + prompt. +- The application with the GUI. + +Other Robot Framework libraries can interact with applications. The [desktop part of the zoomba +library] can also interact with a program, but requires an appium server. + +While not strictly required, it is highly recommended that the +[Robot Framework FlaUI library documentation](https://gdatasoftwareag.github.io/robotframework-flaui/keywords/1.6.6.html) +be consulted. + +## Inspecting tools + +Most FlaUI keywords require an XPath locator. These XPaths can be found using the FlaUI inspection +tool. 
Download the +[FlaUI inspection tool zip archive](https://github.com/FlaUI/FlaUInspect/releases), then extract the +files to a folder. The inspection tool can be launched simply by running `FlaUIInspect.exe`. + +This tool lets you choose the UIA (UI Automation) version. Picking UIA3 should work in most use +cases. + +The FlaUI inspection tool shows each window that is open on the computer. To find the element the +script is supposed to interact with, it is possible to manually search through the windows, and +through the elements. However, the easiest way is to use the Hover Mode, which is accessible in the +tool bar by clicking on **Mode** > **Hover Mode (use Ctrl)**. To see the XPath, click on **Mode** > +**Show XPath**. + +![Show XPath](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauishowxpath.webp) + +To see the XPath of an element, hover over the element, and press control. A red box should appear +around the element, and the FlaUI inspection tool should show the element's information. The XPath +should be at the bottom left of the FlaUI element. + +![Highlight Element](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/robotframeworkflaui_flauixpathexample.webp) + +As an example, imagine an application showing a list of files and folders. Targeting a specific file +would produce an XPath in the shape of `/Window/Pane[3]/Pane/Pane[2]/List/Group[1]/ListItem[1]`. The +important parts of this path are the beginning and the end. The beginning of the XPath specifies the +window. The middle part of the XPath, in most cases, is irrelevant. + +The last part of the XPath however, `/Group[1]/ListItem[1]`, is what should be modified to find the +right file. `Group[1]` means the element is in the first file group. `ListItem[1]` means the element +is the first file of the group. 
Depending on the file explorer view mode, the XPath may end with +`Edit[1]`, which means the targeted element is the name section of the file. + +As the Window's number may change, it should be specified by name. For the Downloads folder, +`Window[@Name='Downloads']` specifies the window. The file may not always be at the same position, +so it should also be specified. If the file is `FlaUInspect.exe`, it can be specified with +`ListItem[@Name='FlaUInspect.exe']`. The Group may also change. It is not easy to find the right +group, so the best method is to remove the groups, by right clicking, then selecting **Group by** > +**(None)**. + +## Use Case: Set a file to read-only + +Consider an HR system that creates a file for each employee. When an employee retires, it may be +interesting to set the file to read-only, so that it is not modified by accident. It is possible to +set the file to read-only by provisioning it with the Robot Framework. + +### Define settings + +As with every other Robot Framework script, the Identity Manager Robot Framework resource needs to +be imported to launch the provisioning. The FlaUI library also needs to be imported to use its +keywords. + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library FlaUILibrary + +``` + +### Define variables + +The `Variables` section contains variables that are used in the rest of the script. As the section +is at the start of the script, the variables are easy to update. In this case, the folder's name and +path are important variables that may be changed. + +``` + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME} + +``` + +### Define custom keywords + +To modify a file's properties, the script needs custom keywords that allow the desired actions to be +accomplished. In this case, to navigate through the explorer program. 
These keywords were written +with the Windows 10 File Explorer in mind. + +| Keyword | Details | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Open Explorer | Opens and attaches the explorer program to FlaUI. A program can be attached to FlaUI by its name or by its `Pid`, which stands for process identifier. The `Launch Application` keyword returns a `Pid`, however the program may launch multiple processes. In the case of the explorer, it is almost always running, even if no explorer windows are open. The `Pid` returned may not be the correct one. Attaching by the program name seems to work in this case. | +| Open Folder | Opens the folder specified in the `Variables` section. Accessing the address bar is not trivial, as it is not a text field until it is clicked. However, clicking on most elements of the address bar does not open the text field. In this keyword, the icon in the address bar is clicked, which opens the text field. | +| Get File Name | Returns the file's name. This allows the computation of the file's name through a keyword instead of an expression, which can make syntax easier. | +| Set File To Read Only | Sets the file corresponding to the user to read only. This keyword calls the other keywords in the right order, and is used to simplify the readability of the script. | +| Open File Properties | Right clicks on a file, then opens the file's properties. The right click is on the file's image, but it could be changed to any of the file's fields. 
Note that changing the folder's view mode or ordering may alter the file's XPath. | +| Select Read Only | Selects the read only option. This keyword simply clicks on the radio button, then clicks on the `Ok` button. If the radio button is already ticked, the file will no longer be in read only mode. The script clicks on the `Ok` button as it automatically closes the properties window, unlike the `Apply` button. | +| Close Explorer | Clicks on the cross to close the explorer window. It is also possible to close the program with the `Close Application` keyword, however that also closes the background explorer process, so closing only the window is better. | + +``` + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File Properties + [Arguments] ${filename} + Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +``` + +### Define mandatory keywords + +To provision the system, the script must contain the three mandatory keywords: `ExecuteAdd`, +`ExecuteDelete`, and `ExecuteModify`. In this case, only ExecuteDelete is implemented. 
(It is +considered, perhaps foolishly, that employees will not come out of retirement!) + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Identity +Manager starts the Robot Framework task. The `Launch Provisioning` keyword is the one that will +fetch the provisioning orders. + +``` + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library FlaUILibrary + +*** Variables *** +${FOLDERNAME} RobotFrameworkIdentity +${FOLDERPATH} C:/identitymanagerDemo/${FOLDERNAME} + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Set File To Read Only ${order} + +ExecuteModify + [Arguments] ${order} + Log To Console ExecuteModify is not implemented + +Open Explorer + Launch Application explorer + Attach Application By Name explorer + Open Folder + +Open Folder + Click /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/Pane/ToolBar/SplitButton + Set Text To Textbox /Window[@Name='File Explorer']/Pane[2]/Pane[3]/ProgressBar/ComboBox/Edit[@Name='Address'] ${FOLDERPATH} + Press Key s'ENTER' + +Get File Name + [Arguments] ${order} + [return] ${order['Changes']['Identifier']}.txt + +Set File To Read Only + [Arguments] ${order} + ${FileName}= Get File Name ${order} + Open File Properties ${FileName} + Select ReadOnly ${FileName} + +Open File 
Properties + [Arguments] ${filename} + Right Click /Window[@Name='${FOLDERNAME}']/Pane[3]/Pane/Pane[2]/List/ListItem[@Name='${filename}']/Image + Click /Menu[@Name='Context']/MenuItem[@Name='Properties'] + +Select Read Only + [Arguments] ${filename} + Click /Window[@Name='${filename} Properties']/CheckBox[@Name='Read-only'] + Click /Window[@Name='${filename} Properties']/Button[@Name='OK'] + +Close Explorer + Click /Window[@Name='${FOLDERNAME}']/TitleBar/Button[@Name='Close'] + +*** Test Cases *** +Run Provisioning + Open Explorer + Launch Provisioning + Close Explorer + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md new file mode 100644 index 0000000000..01d4a63ddc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md 
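Review bot: In the FlaUI page (interact-gui-robotframework), the `Select Read Only` keyword clicks `CheckBox[@Name='Read-only']` unconditionally, and the keyword table itself notes that if the box is already ticked "the file will no longer be in read only mode". Replaying an `ExecuteDelete` order for the same employee therefore makes the file writable again without any error. Read the checkbox state first and click only when it is unticked, or document that the order must not be replayed. Minor points in the same file: the table calls the control a radio button while the XPath targets a CheckBox, the keyword is spelled `Select ReadOnly` at the call site in `Set File To Read Only` but `Select Read Only` in its definition (use one spelling), and the "[desktop part of the zoomba library]" reference has no link target.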
@@ -0,0 +1,409 @@ +# Interact with a Web Page via Robot Framework + +This guide explains how to write a Robot Framework script that interacts with a web based external +system. + +## Example: Interacting with a web-based application + +Consider an external system that is accessible through a web interface, and that does not offer an +API. In this situation, we can either interact manually with the external system , or with a Robot +Framework connection. + +## Prerequisites + +This guide will focus only on how to interact with a web-based application. The guide on how to +write a Robot Framework script explains the basics of Robot Framework. The basic prerequisites can +be found on the Robot Framework connector page. See the +[ Write a Robot Framework Script ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) and +[ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) topics for additional +information. + +The prerequisites are explained in detail at the +[Robot Framework selenium pypi](https://pypi.org/project/robotframework-seleniumlibrary/) page. + +The requirements specific to the Robot Framework Selenium library are as follows: + +- Robot Framework selenium library: use `pip install --upgrade robotframework-seleniumlibrary` in + the command prompt. +- A web browser. +- A web driver that corresponds to the web browser and its version. Webdrivers can be found in + the[ Selenium website](https://www.selenium.dev/selenium/docs/api/py/index.html#selenium-website). + This web driver should be in your path. To check that the web driver is in your path, use + `gcm {webdriver_name}`. As an example for Edge, use `gcm MicrosoftWebDriver`. + +The web driver for Edge is called `msedgedriver.exe`, but the Robot Framework may expect it to be +called `MicrosoftWebDriver.exe` depending on the python version. 
Renaming the web driver from +`msedgedriver.exe` to `MicrosoftWebDriver.exe` should fix this issue. + +If the browser is updated, the web driver should also be updated. + +While not strictly required, it is highly reccomended to look at the +[Robot Framework selenium library documentation](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html). + +## Selenium basics + +Selenium is a web browser automation tool. Selenium can automatically perform scripted actions in a +web browser. Selenium is not easy to use on its own, and it is easier to use Selenium via the Robot +Framework. However, the basics are still the same. + +The basic structure of a web page is defined with HTML. It is accessible with the inspect tool, +which can be opened by pressing the F12 key on most browsers. For Selenium, we want to find +information on specific parts of the page. Inspecting an element can be done by right clicking the +element, and clicking **Inspect**. + +![Inspect Tool](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_inspecttool.webp) + +Suppose the goal of the script is to copy the content of the code block, and paste it to a file, to +ensure that the file is up to date with the documentation. To do this, the Robot Framework has to +click on the **copy to clipboard** button with the keyword +[`Click Element`](https://robotframework.org/SeleniumLibrary/SeleniumLibrary.html#click-element). + +## Locating elements + +As stated in the Robot Framework SeleniumLibrary documentation, the keyword `Click Element` requires +an element locator. The element locator identifies which element the Robot Framework should click. +To ensure the right element is clicked, the element locator should only match the one element which +should be clicked. + +In the HTML, the button has a class `class="copy-to-clipboard"`. The element locator +`class:copy-to-clipboard` matches the button. 
However, there are other buttons with the same class +on the page. The easiest way to click the right button is with an XPath element locator. + +### XPath element locators + +Each element on the web page has an XPath, and each XPath uniquely identifies an element. This means +that we can always use an XPath locator. To get the XPath of an element, inspect the element, then +right click it in the HTML, and click on **Copy** > **Full XPath**. + +![Copy Full XPath](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/robotframeworkselenium_copyfullxpath.webp) + +For the `copy to clipboard` button, the XPath is +`/html/body/section/div[2]/div[3]/div[1]/pre[4]/span`. + +XPaths change as the page is updated. Using a location strategy other than the XPath strategy should +reduce the maintenance needs of the script. + +### Hypertext references and API calls + +Some elements have links to other websites or pages of the same website. In the HTML inspection, +these elements are likely to have a `href` attribute containing the link. `Href` stands for +hypertext reference. By going directly to the linked URL instead of clicking the link, the script +does not need to specify an element locator for the link. + +In some cases, an API can be called simply by going to the right URL. This URL may be used as a +shortcut to avoid having to fill in text fields. The `href` attributes may show the format of the +API calls. + +## Use Case: Fulfill groups in a Banking system + +The Banking system is a Identity Manager demo application that represents an external system. The +Banking system stores basic information on its users such as their names, mail addresses� The most +interesting part of the Banking system is the groups functionality, as users can belong to multiple +groups, and groups can have multiple users. 
+ +The goal of this use case is to extract the existing associations between groups and users from the +Banking system into Identity Manager, then provide a way to add users to a group and remove users +from a group. To showcase the password generation, the script will generate a password for the +provisioned users' accounts. + +### Connector configuration + +As stated in the previous part, the Banking connector is supposed to link the users and their +groups. This means that the connector has a user entity type, and a group entity type, with an +entity association between them. + +The Banking connector has to be able to extract the data, and fulfill the Banking system. The +fulfillment of the Banking system can only be done through its web application, which means the +Robot Framework Selenium library will be used. The extraction of the data will be performed through +an SQL connection. + +For simplicity's sake, only the user's `Login` is kept. + +``` + + + + +``` + +The notion of groups in the Banking system is replaced by the notion of single roles in Identity +Manager. A user belonging to the accountant group in the Banking system has the accountant single +role in Identity Manager. To automate the correspondance, the connector's configuration requires a +rule between the group resource and the single role. This can be done with a navigation rule for +each single role and corresponding group. + +For simplicity's sake, only three roles are kept. + +``` + + + +``` + +### Define settings + +As with every other Robot Framework script, the resource needs to be imported to launch the +provisioning. The SeleniumLibrary also needs to be imported to use its keywords. + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library SeleniumLibrary + +``` + +### Define variables + +The variables in the `Variables` section can serve two purposes. 
+ +- Values that should be modified easily: The browser and the Banking web application URL change with + the provisioning environment. +- Values that are used multiple times: The Banking web application URL is used three times in the + script. This avoids editing mistakes that happen when only one of the instances is modified. + +``` + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +``` + +### Define custom keywords + +The script defines several custom keywords. As the element locators may not be easily +understandable, it is important that the keywords are not long, and have descriptive names. + +| Keyword | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Modify User | Sets a password for the user, then applies the provisioning order. This keyword does everything the `Execute Modify` keyword should do, so that it can be used for error handling. As the provisioned resource type may not have password reset settings, the password generation could fail, which is why it is called by the `Try Keyword` keyword. | +| Restart Banking And Fail | Restarts the Banking Application, then fails the keyword execution. This keyword should be used when the Banking application is in an unknown state. | +| Launch Banking App | Launches the Banking web application. To check that the web browser is on the right page, the title of the page is verified with the `Title Should Be` keyword. | +| Set Password | Generates a password for the provisioned user, sets their Banking password to that password, then sends a notification. 
This keyword attempts to send the notification as soon as the password is set. First, this ensures that the notification is sent even if the rest of the script would crash. Second, this keeps the password in memory for the least amount of time possible, which reduces security risks. | +| Add Group To User | Selects the group that should be added, and clicks the **Save** button. This keyword also verifies that the web browser has the expected title. The `Click Element At Coordinates` keyword is used to reset the state of the page, as selecting the group hides the **Save** button. | +| Search User And Add Group | Goes to the page to add groups to the right user, and calls `Add Group To User`. This keyword also verifies that the web page has the expected title. | +| Add Groups | Calls `Search User And Add Group` for each group in the provisioning order. | +| Add All Groups | Computes the number of groups to add, and if there is at least one, calls `Add Groups`. The only way to find the number of groups to add is in the **Changes** > **groups_add** section of the provisioning order. This section does not exist if there are no groups to add, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. | +| Remove Group From User | Goes to the URL corresponding to the API call to remove the group from the user. | +| Remove Groups | Calls `Remove Group From User` for each group in the provisioning order. | +| Remove All Groups | Computes the number of groups to remove, and if there is at least one, calls `Remove Groups`. The only way to find the number of groups to remove is in the **Changes** > **groups_remove** section of the provisioning order. This section does not exist if there are no groups to remove, so the `Run Keyword And Ignore Error` is called to avoid propagating the error. 
| + +``` + +*** Keywords *** +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] 
${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +``` + +### Define mandatory keywords + +To be able to provision the system, the script must contain the `ExecuteAdd`, `ExecuteDelete`, and +`ExecuteModify` keyword. As the Banking system is only able to modify existing accounts, only the +`Execute Modify` keyword is implemented. + +To simplify error handling, the `Execute Modify` keyword only calls the `Modify User` keyword. As +only a single keyword is needed, it can be called within the `Try Keyword` keyword. This means that +the error handling can be handled with the `Catch Keyword` keyword. + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +``` + +### Define test cases + +Although the Robot Framework is used for provisioning in Identity Manager, it is most often used for +testing, which is why the `Test Cases` section defines what should happen when Identity +Manager starts the Robot Framework task. Note that the `Launch Provisioning` keyword is mandatory +for the provisioning to happen. + +As the browser should always be closed after the tests, a teardown is used to ensure that regardless +of the script's execution state, the browser is closed. 
+ +``` + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` + +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerDemo/Runtime/identitymanagerRobotFramework.resource +Library SeleniumLibrary + +*** Variables *** +${BROWSER} edge +${BANKINGURL} http://localhost:5011 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Log To Console ExecuteAdd is not implemented + +ExecuteDelete + [Arguments] ${order} + Log To Console ExecuteDelete is not implemented + +ExecuteModify + [Arguments] ${order} + Try Keyword Modify User ${order} + Catch Keyword Restart Banking And Fail + +Modify User + [Arguments] ${order} + Try Keyword Set Password ${order} + Catch Keyword Go To ${BANKINGURL}/User + Title Should Be All Users - Banking System + Add All Groups ${order} + Remove All Groups ${order} + +Restart Banking And Fail + Close Browser + Launch Banking App + Fail ${Provisioning failed, restarting the browser} + +Launch Banking App + Open Browser ${BANKINGURL} ${BROWSER} + Title Should Be Home Page - Banking System + +Set Password + [Arguments] ${order} + Go To ${BANKINGURL}/User/SetPassword/${login} + Title Should Be Edit ${login} - Banking System + ${password}= Generate Password + Input Text id:Password ${password} + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Send Password Notification + +Add Group To User + [Arguments] ${groupName} + Select From List By Value name:group ${groupName} + Click Element at Coordinates name:group 250 0 + Click Element xpath:/html/body/div/main/div[1]/div/form/div[2]/input + Title Should Be All Users - Banking System + +Search User And Add Group + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/AddGroup/${login} + Title Should Be Add Group to ${login} - Banking System + Add Group To User ${groupName} + +Add Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Search 
User And Add Group ${order['Resource']['login']} ${order['Changes']['groups_add'][${i}]['name']} + END + +Add All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_add']} + Run Keyword If '${status}' == 'PASS' Add Groups ${order} ${length} + +Remove Group From User + [Arguments] ${login} ${groupName} + Go To ${BANKINGURL}/User/RemoveGroup/${login}?groupId=${groupName} + +Remove Groups + [Arguments] ${order} ${length} + FOR ${i} IN RANGE ${length} + Remove Group From User ${order['Resource']['login']} ${order['Changes']['groups_remove'][${i}]['name']} + END + +Remove All Groups + [Arguments] ${order} + ${status} ${length}= Run Keyword And Ignore Error Get Length ${order['Changes']['groups_remove']} + Run Keyword If '${status}' == 'PASS' Remove Groups ${order} ${length} + +*** Test Cases *** +Run Provisioning + Launch Banking App + Launch Provisioning + [Teardown] Close Browser + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md new file mode 100644 index 0000000000..6442313786 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md 
@@ -0,0 +1,656 @@ +# Fulfill Microsoft Exchange via PowerShell + +This guide shows how to set up a PowerShell connector to fulfill data in Microsoft Exchange Server. +It will focus on registering Identity Manager within the target Microsoft Exchange instance, +configuring the connector, and building the job to perform a regularly scheduled fulfillment. Of +course, any other system compatible with PowerShell can be chosen. + +## Prerequisites + +### External System Configuration + +Check the following prerequisites: + +- [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) +- [ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) +- [Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + +Let's consider a simplified system, including three parts: + +1. Identity Manager +2. Microsoft Exchange Server +3. Active Directory + +For more details on the complete system, see +[Exchange architecture](https://docs.microsoft.com/en-us/exchange/network-configuration/architecture?view=exchserver-2016). + +Identity Manager can: + +- export and fulfill AD entries independently of Microsoft Exchange. +- export mailboxes from Microsoft Exchange independently of AD. +- fulfill a mailbox but Identity Manager needs first to fulfill an AD entry and then, launch the + Microsoft Exchange Fulfill. + +### Identity Manager Configuration + +This step sets up the Identity Manager Agent to use the Active Directory and PowerShell connectors +in order to fulfill the Microsoft Exchange mailboxes. + +The settings must be entered in `appsettings.agent.json > Connections`. 
For more details, see the +[Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) and +[ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) sections. + +#### Add Sections + +As explained previously, the simplified system consists of Identity Manager and two other systems. +It means that settings are required in `appsettings.agent.json` to connect with the systems. See the +[ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md), +[ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md), +and[Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) topics for additional +information. + +> This example contains export and fulfillment settings for the Active Directory and for Microsoft +> Exchange: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "ADFulfillment": { +> "Servers": [ +> { +> "Server": "...", +> "BaseDN": "..." +> }, +> { +> "Server": "paris.contoso.com", +> "BaseDN": "DC=defense,DC=paris,DC=com" +> } +> ], +> "AuthType": "Basic", +> "Login": "...", +> "Password": "...", +> "Filter": "(objectclass=*)", +> "EnableSSL": true, +> } +> "MicrosoftExchangeExportFulfillment": { +> // Export Microsoft Exchange settings +> ... +> // Fulfillment Microsoft Exchange settings +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-Exchange.ps1", +> "Options": { +> "AuthType": "Basic", +> "Server": "http://ex-server1/powershell", +> "Login": "PIXELABS\\Administrateur", +> "Password": "Secret123" +> } +> }, +> } +> } +> ``` + +As this guide focuses on the fulfillment of an external system, export settings will be omitted. 
+ +The Fulfill-PowerShell needs a script whose path is defined by the attribute +**PowerShellScriptPath**. Identity Manager provides a script in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`.See the +[ Write a PowerShell Script for Provisioning ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md) topic +for additional information on how to write a customized script. + +To define and apply additional settings when authenticating to an external system, we can set the +attribute Options and add required parameters for authentication. + +In the example above, the `Basic` AuthType was chosen to show how to fill the credentials, but it +isn't mandatory to use this . See the +[ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) topic for additional +information. + +For pedagogical reasons, this guide focuses on the simplest way to set up the fulfillment, but it's +not the most secure. Hence, it is strongly recommended to use Kerberos AuthType or credentials +protection via Azure Key Vault or CyberArk in a production environment. See the +[ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic for additional +information. +Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +## Build the Connector + +To be used for export tasks, a connector must be declared in the applicative configuration and +linked to an Agent. See the [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for +additional information. 
+ +It is strongly recommended that the applicative configuration be stored in the working directory +Conf folder as a set of xml files organized by connector. To follow this structure, create a +MicrosoftExchange directory in the Conf folder. + +### Declare a Connector + +In the `MicrosoftExchange` directory, create a `MicrosoftExchange Connector.xml` file. This file +contains the declaration of the connector and the associated +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). + +> This example declares the +> `MicrosoftExchange`[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +> on the `Local` agent, and the +> [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) linked to the +> previously defined `MicrosoftExchangeExportFulfillment` JSON section (see the example above): +> +> ``` +> Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +> ... +> ... +> +> +> ``` + +### Write Entity Types + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure +of the Microsoft Exchange data relevant for Identity Manager. It is designed by analyzing the +Microsoft Exchange data structure, and describing said data with Entity Types and +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) that best serves the Role Model needs. It will most +likely be refined iteratively throughout the project integration. 
See the +[ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional +information. + +A good starting point for the Entity Model is to mirror the shape of the Microsoft Exchange +mailboxes and databases. + +##### Example + +This example defines the entity types named MicrosoftExchange_Database and +MicrosoftExchange_Mailbox. + +Notice the omitted **TargetColumnIndex** attribute and the presence of Type="ForeignKey" for the +Mailboxes and Database properties. If omitted, this attribute indicates that the properties are +navigation properties. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write the Entity Type Mapping + +The entity type must be mapped, on a property by property basis, to the exported attributes of +Microsoft Exchange mailboxes and databases (namely, the columns of the CSV source files generated by +the export). The +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element maps scalar properties from a CSV source file to an EntityType. + +##### Example + +In this example, the CSV source files are microsoftexchange_databases.csv and +microsoftexchange_mailboxes.csv located in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +folder. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... + ... + +``` + +### Write Entity Associations + +Entity types are associated through their navigation properties with +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + +The following example declares a `1:n` (`'one-to-many'`) association. 
One +`MicrosoftExchange_Database` may be referenced by any number of `MicrosoftExchange_Mailbox`_(es)_, +but each `MicrosoftExchange_Mailbox` can only reference one `MicrosoftExchange_Database`. + +The properties used for the association must be `Primary` or `Unique` keys. + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... + +``` + +### Write the Entity Association Mapping + +The +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element maps column values from a CSV source file to an EntityType navigation property. + +##### Example + +This example describes the mailbox/database associations between MicrosoftExchange_Mailbox and +MicrosoftExchange_Database. Thanks to the **Export** Microsoft Exchange job, the file +microsoftexchange_mailboxes.csv is generated. This file looks like: + +``` + +Command;Property_1;Property_2;...;Property_N +Add;value1;value2;...;valueN + +``` + +Each line of the CSV file corresponds to a `MicrosoftExchange_Mailbox`. The properties used in the +association are: + +- `Guid`: the Guid of the `MicrosoftExchange_Mailbox`. +- `Name`: the name of the `MicrosoftExchange_Database` referencing the `MicrosoftExchange_Mailbox` + (name is unique among the databases). + +The following table can be extracted from the CSV file: + +| Guid | Name | +| ------------------------------------ | --------------------------- | +| 4ecbdba7-e984-409a-a9ac-6027ac81fa42 | Mailbox Database 1882404652 | +| 1d3e67a2-7d44-46f1-a300-afa73ae120f4 | DB1 | +| aab57e15-847b-4e16-96f1-82ebc54c01e2 | DB1 | +| ea513604-3758-463f-9b72-6c42ea949260 | DB2 | + +It means that the MicrosoftExchange_Mailbox with Guid ? 4ecbdba7-e984-409a-a9ac-6027ac81fa42 is +contained in the MicrosoftExchange_Database with Name ? Mailbox Database 1882404652. 
This +association is created for every line in the CSV file, and therefore also for every line in the +table above. + +This can be enabled with an **EntityAssociationMapping** like in the following XML: + +``` +Conf/MicrosoftExchange/MicrosoftExchange Connector.xml +... +... + +``` + +The CSV file `microsoftexchange_mailboxes.csv` must be exported to the export output folder. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Build the Role Model + +A +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +must be created with the following elements: + +- `ResourceType` +- `ResourceTypeMapping` +- `ResourceCorrelationRule` +- `SingleRole` (optional) + +### Resource Type + +A [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) is a +conceptual model of an information system object, here a mailbox. + +The resource type contains several rules: + +- Type Rule which assigns a resource to a user +- which specifies the value to be set to an assigned resource scalar property +- Resource Type which specifies a value to be set to an assigned resource multi-valued navigation + property + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... + ... + +``` + +The TargetEntityType is MicrosoftExchange_Mailbox and the SourceEntityType is Directory_User. + +This Resource Type allows Identity Manager to compute the values used when fulfilling the external +system. + +Finally, the Navigation Rule sets the property Database of the entity MicrosoftExchange_Mailbox. See +the Fulfill Microsoft Exchange via PowerShell topic for additional information. 
+ +### Resource Type Mapping + +A +[Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +element contains all the resource types (sharing the same Identifier) that can be provisioned into +targeted platforms, applications, and systems. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +In this example, `Fulfill-PowerShell` requires only a simple `ResourceTypeMapping` (including only +one `Identifier` and one `Connection`): + +- The **Identifier** attribute is `MicrosoftExchange_Mailbox_NominativeUser` which corresponds to + the identifier of the resource type defined earlier. +- The **Connection** attribute is `MicrosoftExchangeExportFulfillment` which corresponds to the + section in `appsettings.agent.json` containing the parameters used to provision the external + system. + +### Resource Correlation Rule + +A +[ Resource Correlation Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +is used to correlate the resource `MicrosoftExchange_Mailbox_NominativeUser` with the +`Directory_User`. + +#### Example + +``` +Conf/MicrosoftExchange/NotImplementInAutoTest/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +This rule means if the `SamAccountName` (`MicrosoftExchange_Mailbox`) is equal to the `Login` +(`Directory_User`) then, the `ResourceType` can be linked to the `User` with a confidence rate of +100%. + +### Single Role (optional) + +A [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) encapsulates +system entitlements. + +#### Example + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... 
+ +``` + +This single role was previously used in one of the navigation rules defined in the `ResourceType`. + +``` +Conf/MicrosoftExchange/Directory User Role Model MicrosoftExchange.xml" +... +... + +``` + +If a `Directory_User` is assigned the SingleRole `DB1` then, the `NavigationRule` indicates that the +property `Database` (in `MicrosoftExchange_Mailbox`) will have the value +`9c512155-d912-4fcb-9448-0755fbaf1b96` (unique id of a `MicrosoftExchange_Database`). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A [ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to +include a link to the resources list in the left menu on the UI home screen. + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +NETWRIX also advises to use a new `MicrosoftExchange Nav.xml` file in the `MicrosoftExchange` +connector's folder to add a `mailboxes` and `databases` menu item. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Nav.xml +... + ... + +``` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Conf/Nav.xml` file. This new menu item gives access to the list of synchronized Microsoft Exchange +entities. + +![Microsoft Exchange Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new +`MicrosoftExchange UI.xml` file in the `MicrosoftExchange` connector's folder. 
+ +#### All-in-One Scaffolding + +The +[ View Target Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) +generates all the required elements to be seen by the user. + +##### Example + +The documentation explains what is generated by the following scaffolding: + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +The following sections show how to override the elements generated by this scaffolding in order to +provide a more precise display. + +#### Display Entity Type + +The +[Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following display for +[wolfgang.abendroth@acme.com](mailto:wolfgang.abendroth@acme.com). + +![Microsoft Exchange Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +The scalar properties require no configuration: they are automatically displayed. The only +information that the +[Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +adds here, is that the property `BasicCollection` is a navigation property. An eye icon will be +displayed to take you directly to the matching page. + +#### Display Table + +The [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +elements describe how a list of resources should be displayed. 
+ +The +[](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md)[Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +contains a list of +[Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) columns +elements that identify which properties should be included in the list display. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... + ... + +``` + +This example configures the following list display: + +![Microsoft Exchange Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) + +#### Internal Display Name + +An `InternalDisplayName` can also be declared as an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) property +expression. The `InternalDisplayName` is used in several UI screens to identify a resource for the +user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string **name**. If no such property is found, the first declared property +of the entity type is used. + +##### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange UI.xml +... +... + +``` + +This example adds the `InternalDisplayName` to the `MicrosoftExchange_Mailbox` entity type to be +used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to +the connector. 
+ +The +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and Access Control Entry elements define +[ AccessControlPermission ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +for end-user profiles to read and write the connector's data (such as resources of a given entity +type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator +profile permissions can be written to the `MicrosoftExchange Profile Administrator.xml` file. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Profile Administrator.xml +... +... + +``` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display Microsoft Exchange resources (`mailboxes` and `databases`) +and role categories from the UI. + +## Jobs + +### Construction + +This step focuses on writing a Complete Synchronization Job. + +Netwrix Identity Manager (formerly Usercube) recommends writing Jobs associated with the +MicrosoftExchange connector to the Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml file. + +#### Example + +``` +Conf/MicrosoftExchange/MicrosoftExchange Jobs.xml +... + ... + +``` + +This job will be executed on Microsoft Exchange's connector agent. + +Notice the **Identifier** attribute with the value `Job` in the `OpenIdIdentifier` tag. It refers to +the `ClientId` written to the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration. The Tasks will authenticate with the profile associated with this +`ClientId` in the `` xml configuration element. 
+ +There is also the tag `` which means that the export will not be executed. +Removing the tag will launch export-related tasks before fulfillment-related tasks. Export tasks +need the same XML configuration and additional settings in Fulfill Microsoft Exchange via PowerShell +. + +All the job steps generated by the scaffolding can be found in the +[Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +scaffolding. + +Check +[Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) +for incremental synchronization. + +### Permissions + +The execution of a Job entails the execution of Tasks, reading/writing to the Database and sending +files over to the Server. These operations are protected by an authorization mechanism. + +A [ Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) is required and +must have the proper permissions for the associated Job or Task to perform. + +Here, jobs use the default `OpenId`. + +### Job Launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external +scheduler. + +#### With Scheduler + +Use the [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) Cron Tab Expression attribute. + +#### With an external scheduler + +An external scheduler would rely on the +[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. 
+ +## Validation + +### Deploy Configuration + +The configuration is written to the database using the +[ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) +tool. + +### Test + +#### ADMicrosoftExchange Prerequisites + +An Active Directory configuration is required for Microsoft Exchange to work. Fill the AD Microsoft +Exchange Export Fulfillment settings in accordance with the configuration. + +To reset the password, if **AuthType** is `Basic`, then **EnableSSL** must be `true`. +Otherwise, if **AuthType** is `Kerberos`, then **EnableSSL** is not required. + +#### Mailbox Creation + +To create a new mailbox, apply the following procedure: + +1. Select a user and validate both resource types `ADMicrosoftExchange_Entry_NominativeUser` and + `MicrosoftExchange_Mailbox_NominativeUser`. +2. In the Provisioning Review, confirm both resource types. +3. First, launch the job AD Microsoft Exchange Synchronization. +4. Then, launch the job Microsoft Exchange Synchronization. + +In fact, an `ADMicrosoftExchange_Entry` is required to create a mailbox. To update or delete an +existing mailbox, the Active Directory part can be skipped. + +#### Interface display + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. + +![Microsoft Exchange Jobs](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_jobs_5.1.7.webp) + +From there, the Synchronization job can be launched and debugged (if needed). + +After execution, Microsoft Exchange resources and databases should be in the `UR_Resources` table of +the SQL Server database. 
+ +The results can also be viewed on the UI: + +![Microsoft Exchange Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_menu_item_5.1.7.webp) + +![Microsoft Exchange Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_entity_type_5.1.7.webp) + +![Microsoft Exchange Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/microsoftexchange_fulfill_display_table_5.1.7.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md new file mode 100644 index 0000000000..794c1ec8e1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md 
@@ -0,0 +1,932 @@ +# Export CyberArk Data via SCIM + +This guide shows how to set up a [SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) connector to +extract data from your CyberArk instance into CSV source files that will in turn be fed to the +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task and to your +Identity Manager resource repository. It will focus on registering Identity Manager within the +target CyberArk instance, configuring the connector, and building the job to perform regularly +scheduled synchronization. + +## Prerequisites + +### External system configuration + +Usually CyberArk provides the environment to use AAM (_Application Access Manager_) and SCIM +(_System for Cross-domain Identity Management_). For example, PrivateArk Server, PrivateArk and +other tools can be found on a VM-based environment. + +It is strongly recommended that you follow the official **CyberArk SCIM Server Implementation +Guide** (the CyberArk team can provide this document) in order to set up the environment. When +you've completed the installation or if CyberArk has already installed it, you can verify the +installation: + +1. Log into **PrivateArk Client**, locate and open the **SCIM Config** safe. +2. Check the presence of the following objects: + + - `Encryption-key`: The SCIM Server uses a local cache to store objects retrieved from the + Vault. Although no credentials (other than the ones in the SCIM Config safe, which are not + stored on the cache) are retrieved, we encrypt the cache with this encryption key. The key is + randomly generated, and not exposed by the installer, but can be changed if desired. + - `GlobalConfig.yml`: This is the configuration file for the overall SCIM server settings. It is + responsible for the setting of performance parameters and additional added features. 
+ - `Usercube-account`: This is a privileged account to allow Identity Manager to authenticate its + REST API requests to the SCIM Server. The password for this account must be the same as the + Identity Manager-user (Identity Manager can be replaced by any other name like Client). + - `SCIM-account`: This is a privileged account, managed by the Central Policy Manager (CPM is + the module of the PAM tool that is responsible for managing the passwords and any + policies/exceptions configured), which allows the SCIM server to retrieve the password for + SCIM-user through an Application Identity Manager (AIM) Credential Provider call. + +3. Verify that the following **Users** were created in the PrivateArk Client: + + - Go to **Tools** > **Administrative Tools**. + - Select **Users and Groups**. + - Ensure the following users have been created: + + - `SCIM-user`: This is a CyberArk user with full privileges for creating and managing Safes, + Accounts, Permissions, and Users. This user is required by the CyberArk's Command Line + Interface (PACLI, used to perform quick Vault-level functions without logging in to the + PrivateArk client) on the SCIM server for logging into the Vault and managing objects on + behalf of client applications such as Identity Manager. + - `Client-user`: This is a CyberArk user for authenticating requests made to the SCIM server + using the REST API. (The name Client-user' can change and be replaced by Identity + Manager-user' for example.) + + Now we can consider that the installation is correct, the login is `Usercube-user` and the + password `CyberArk1`. + +### Identity Manager configuration + +This step sets up the Identity Manager Agent to use the SCIM connector and access the CyberArk data. + +The settings must be entered in the appsettings.agent > Connections section. See the +[SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) topic for additional information. 
+ +#### Connect to the target CyberArk instance + +In the `Connections` section, add one new subsection that will contain the credentials for the +target CyberArk. Use a meaningful name to remember which CyberArk is accessed via this section. + +> This example connects via the `SCIMCyberArkExport` connection to the CyberArk system: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SCIMCyberArkExport": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the CyberArk's address. It has the form: + `https://host:port/CyberArk/scim`. +- The **Login** attribute with the User's login value (in our example, `Usercube-user`). +- The **Password** attribute with the User's login value (in our example, `Cyberark1`). + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", +> "Login": "Usercube-user", "Password": "Cyberark1" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault +or CyberArk in a production environment. +Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +#### Set exported objects, exported attributes and export files + +This step focuses on choosing and setting up the list of SCIM objects and attributes to be exported. + +The **Filter** attribute defines what is exported. It is located in the +`appsettings.agent > Connections > SCIMCyberArkExport` subsection previously created. + +##### Choose objects to export + +The list of objects to export depends on the Role Model requirements. 
The list will evolve +iteratively as the project's needs become clearer. + +The SCIM entities available in a CyberArk implementation are: + +- **Users**: CyberArk Users. +- **Containers**: Containers/CyberArk Safes. +- **ContainerPermissions**: Permissions on CyberArk Safes. +- **Privileged Data**: Privileged Data/CyberArk Accounts. +- **Groups**: CyberArk Groups. + +Filters are defined in the next part. + +##### Filtering + +An exhaustive list of entities and attributes provided by CyberArk is available in their +[technical documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/Applications/AppsOvw/SCIM-Provisioning.htm) +or the SCIM `Swagger UI`. + +The `Filter` and `FilterGroup` setting syntax is detailed in the +[SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) optional attributes. + +`SCIMSyntax` must also be set to `CyberArk` because the CyberArk system doesn't strictly follow all +the SCIM rules at the moment. + +##### Example + +The following example sets up the **Users**, **ContainerPermissions**, **Containers** and **Groups** +for export. + +For **Users**, we give an example for each type of attribute: + +- **userName** is an attribute of the base schema. +- **ldapFullDN** is an attribute of the `urn:ietf:params:scim:schemas:cyberark:1.0:User` schema + because it is separated by `�`. +- **givenName** is a sub-attribute of the attribute `name` because it is separated by `:`. + +Notice the `*` that separates the entities. + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... 
"SCIMCyberArkExport": { "Server": "https://host:port/CyberArk/scim", +"Login": "Usercube-user", "Password": "Cyberark1", "Filter": +"Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active +name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source +nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id +displayName type name", "FilterGroup": "Groups;id displayName", "SCIMSyntax": "CyberArk" } } } + +```` + + +##### Set up export files + +The export generates CSV source files that will be fed to the [ +Upward Data Synchronization +](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task. + +The SCIM connector generates one file per entity, the name is generated as: ```EntryFile``` + ```'_'``` + ```FilterEntity``` or ```MembersFile``` + ```'_'``` + ```FilterGroupEntity```. + +Moreover, ```SyncCookiesFile``` can be specified to indicate the location of the cookie file for an incremental export. + +See the [SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md)topic for additional information. + +The target directory and file name are chosen freely. However, Netwrix Identity Manager (formerly Usercube) strongly recommends using the Working Directory ```Temp/ExportOutput``` folder and choosing file names that start with the ```CyberArk_``` prefix. See the [ +Create a Working Directory +](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) topic for additional information. 
+ +##### Example + +With the following example, the resulting files are: + +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_ContainerPermissions.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Containers.csv``` +- ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` + +```json +// appsettings.agent.json +{ + // ... + "Connections": { + // ... + "SCIMCyberArkExport": { + "Server": "https://host:port/CyberArk/scim", + "Login": "Usercube-user", + "Password": "Cyberark1", + "Filter": "Users;urn:ietf:params:scim:schemas:cyberark:1.0:User�ldapFullDN|ldapDirectory id userName active name:givenName|middleName|familyName emails:value phoneNumbers:value title profileUrl source nativeIdentifier*ContainerPermissions;id user:value group:value container:value rights*Containers;id displayName type name", + "FilterGroup": "Groups;id displayName", + "EntryFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk", + "MembersFile": "C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members", + "SCIMSyntax": "CyberArk" + } + } +} +```` + +Every file contains the data as CSV, with one column per attribute. + +## Build the Connector + +### Declare a connector + +To be used for export tasks, a connector must be declared in the applicative configuration and +linked to an Agent. See the [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for +additional information. + +It is strongly recommended that the applicative configuration be stored the +[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) +`Conf` folder as a set of `xml` files organized by connector. + +- In the `Conf` folder, create a `SCIMCyberArk` directory. +- In the `SCIMCyberArk` directory create a `CyberArk Connector.xml` file. 
+ + This file contains the declaration of the connector and the associated Entity Model. + +- Use the [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) element to + declare the connector with the following attributes: + + - **Identifier** identifies this connector in the applicative configuration. We recommend using + a meaningful name such as `CyberArk`. If several connections to several CyberArk targets are + possible, only one CyberArk Connector per Agent is used. See the + [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) + topic for additional information. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that will run this connector's export task. The + Agent's identifier can be found in the agent's + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) > + OpenId > AgentIdentifier. + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `CyberArk` connector on the `Local` agent: +> +> ``` +> +> Conf/SCIMCyberArk/CyberArk Connector.xml +> +> ... +> +> ... +> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the resource repository must be aligned with the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). See the +[ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md) topic +for additional information. + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure +of the CyberArk data relevant for Identity Manager. 
It is designed by analyzing the CyberArk data +structure, and describing said data with the Entity Types and +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) that best serves the Role Model needs. It will most +likely be refined iteratively throughout the project integration. See the +[ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional +information. + +A good starting point for the Entity Model is to mirror the shape of the exported CyberArk SCIM +objects. This guide provides a few examples that can serve this purpose. Thus, CyberArk SCIM objects +such as **Users** and **Groups** can be described by Entity Types, and group membership by +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). See +the [ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional +information. + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) for the CyberArk connector is written in the +applicative configuration. It is strongly recommended to write the entity model to the newly created +`Conf/SCIMCyberArk/CyberArk Connector.xml` file. See the +[Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for additional information. + +#### Write entity types + +Declaring an Entity Type is achieved with the `` tag and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. 
It is strongly + recommended to prefix this name with the connector's name. An example for CyberArk is + `CyberArk_User`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this Entity Type for the end-user. + **DisplayName_L1** is the name of the entity type in _language number one_. If this language is + _English_, a good example value would be `CyberArk - User`. See the + [ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional + information. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml + +... ... ... + +```` + + +The CyberArk SCIM objects attributes are modeled by Entity properties, with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of by (determined by the ```TargetColumnIndex```): scalar and navigation. + +- Scalar properties can be defined to represent scalar attributes such as ```userName```, ```active``` or ```givenName```. +- Navigation properties represent associations such as group memberships. + +Finally, the main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of property. A scalar property type can be: ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, or ```Option```. The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See the [ + Entity Type + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)topic for additional information. 
+ +##### Example + +This example defines an entity type named ```CyberArk_User``` to match the attributes selected for extraction from CyberArk in the previous example. + +Notice the omitted __TargetColumnIndex__ attribute and the presence of ```Type="ForeignKey"``` for the ```groups``` and ```containers``` properties. If omitted, this attribute indicates that the properties are navigation properties. + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... + +```` + +#### Write entity associations + +[ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) are associated through their +navigation properties with +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + +The following example declares an `n-n` association between a `CyberArk_User` and `CyberArk_Group`. + +The `groups` property of a `CyberArk_User` is a collection of **Group** IDs (modeled as an +`CyberArk_Group` EntityType) of which this `CyberArk_User` is a member. + +The `Users` property of a `CyberArk_Group` is a collection of `CyberArk_User`IDs which are members +of this **Group**. + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml + +... +... + +```` + + +The exact nature of the IDs are described by the associated [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type followed by ```:``` and the name of an entity property. It is a [ +Binding +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) that describes in one expression both the target entity type and property. 
+ +### Create mapping + +The entity type must be mapped property by property to the exported attributes of CyberArk SCIM objects (namely, the columns of the CSV source files generated by the export). + +The [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), and Entity Property Mapping elements serve this purpose. + +#### Write the entity type mapping + +The [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element maps scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the __ConnectionTable__ xml attribute. The target entity type name is written to the __Identifier__ xml attribute. + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml +... + ... +... + +```` + +To do so, the entity type mapping uses the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml + +... + + + + + + + + + + + + + + + +... + +```` + + +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source files data. + +Let's take the example of a new ```CyberArk_User``` which has never been synchronized. The ```UR_Resource``` table receives a new line for which the _6th_ column (```userName```) is filled in with the ```userName``` column from the ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_Users.csv``` file. 
+ +#### Write the entity association mapping + +The [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element maps navigation properties, used in [ +Entity Association +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +An [](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element refers to an [ +Entity Association +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) written to the __Identifier__ xml attribute. Then, just as the [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element, it maps columns values from a CSV source file to an EntityType property. + +##### Example + +The following example describes the actual user/group associations between ```CyberArk_User``` and ```CyberArk_Group```. +These associations are exported from the CyberArk system into the ```C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv``` file. Each line of the file associates a value (property ```CyberArk_id``` from ```CyberArk_Group```) and a MemberId (property ```CyberArk_id``` from ```CyberArk_User```). 
+ +| value | MemberId | +| --- | --- | +| 1 | 100 | +| 1 | 101 | +| 2 | 102 | +| 2 | 103 | +| 3 | 104 | + +The following [](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) describes the mapping for the ```CyberArk_Group_Members``` EntityAssociation: + + ``` + + Conf/SCIMCyberArk/CyberArk Connector.xml +... +... + +```` + +Here are a few explanations: + +###### Users/_CyberArk_Group_ + +The `Users` property in the `CyberArk_Group` entity: + +- is written to the **Property1** attribute of the `CyberArk_Group_Members` + [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + element. +- is filled in by values from the `MemberId` column (written to the **Column2** attribute of the + `CyberArk_Group_Members` + [](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. + +These values identify resources of type `CyberArk_User` by their `CyberArk_id` property (written to +the **EntityPropertyMapping2** attribute of the +[](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element. 
+ +###### Groups/_CyberArk_User_ + +The `Groups` property in the `CyberArk_User` entity: + +- is written to the **Property2** attribute of the `CyberArk_Group_Members` + [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + element). +- is filled in by values from the _value_ column (written to the **Column1** attribute of the + `CyberArk_Group_Members` + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + element) in the `C:/identitymanagerDemo/Temp/ExportOutput/CyberArk_members_Groups.csv` file. + +These values identify resources of type `CyberArk_Group` by their `CyberArk_id` property (written to +the **EntityPropertyMapping1** attribute of the +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +element). + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Navigation + +A [ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to +include a link to the resources list in the left menu in the UI home screen. + +#### Parent menu item + +It strongly recommended to gather synchronized resources menu items under parent menu items. This is +usually declared in the configuration root folder `Nav.xml` file. + +##### Example + + ``` + + Conf/Nav.xml + +... + +... + +```` + + +#### Child menu item + +It is strongly recommended to use a new ```CyberArk Nav.xml``` file in the ```SCIMCyberArk``` connector's folder in order to add the CyberArk SCIM objects menu item. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk Nav.xml +... + ... 
+ +```` + +Adds a new menu item under the `Nav_Connectors` menu item declared in the root `Nav.xml` file. This +new menu item gives access to the list of synchronized CyberArk SCIM objects. + +![SCIM CyberArk Menu Items](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_menu_item_5.1.6.webp) + +### Configuration + +It is strongly recommended that the display configuration be written to a new `CyberArk UI.xml` file +in the `SCIMCyberArk` connector's folder. + +#### Display entity type + +The +[Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk UI.xml + +... + +... + +```` + + +This configuration configures that display for [christian.adam@acme.com](mailto:christian.adam@acme.com): + +![SCIM CyberArk Display Entity Type](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_entity_type_5.1.6.webp) + +The scalar properties don't need to be configured: they are automatically displayed. The only information that the [Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +The [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements describe how a list of resources should be displayed. 
+ +The [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) contains a list of [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) column elements that identify which properties should be included in the list display. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk UI.xml +... + ... + +```` + +configures the following list display: + +![SCIM CyberArk Display Table](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/scim_cyberark_export_display_table_5.1.6.webp) + +#### Internal display name + +An `InternalDisplayName` can also be declared as an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) property +expression. The `InternalDisplayName` is used in several UI screens to identify a resource for the +user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + + ``` + + Conf/SCIMCyberArk/CyberArk UI.xml + +... +... + +```` + + +adds the ```InternalDisplayName``` to the CyberArk_User entity type to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. 
+ +The [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) elements define the [ +AccessControlPermission +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```CyberArk Profile Administrator.xml``` file. + +#### Example + +The following example sets permissions for the ```Administrator``` profile. + +It entitles an administrator to display ```CyberArk SCIM``` resource and role categories from the UI. + + ``` + + Conf/MicrosoftEntraID/MicrosoftEntraID Profile Administrator.xml +... + ... + +```` + +## Jobs + +### Construction + +This step focuses on writing a `Complete` Synchronization job. + +It is strongly recommended to write Jobs associated with the `CyberArk` connector to the +`Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml` file. + +### Components + +All the job steps can be found in the +[Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +scaffolding. + +#### Example + + ``` + + Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml + +... + +... + +```` + + +This job will be executed on CyberArk's connector agent. + +Notice the __Identifier__ attribute with the value ```Job``` in the ```OpenIdIdentifier``` tag. 
It refers to the ```ClientId``` written to the [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration. The Tasks will authenticate with the profile associated with this ```ClientId``` in the `````` xml configuration element. + +Incremental synchronization can be configured with the following scaffolding. See the [Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) topic for additional information. + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via the [ +Usercube-Invoke-Job +](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) uses: + +- A [ + Profile + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) associated with the Job itself to read/write: + - ```UJ_Jobs``` and ```UJ_Tasks``` tables in a list of tasks + - ```UJ_JobInstances``` tables in the progress report +- a Profile for each Task, to read/write ```UJ_TaskInstances``` tables (Progress Report) and perform other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. + +Every request from Agent to Server within the execution of a Job needs to be authenticated with an [ +OpenIdClient +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair, linked to a Profile. 
+ +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + + ``` + + Conf/Profile AgentJob.xml +... +... + +```` + +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube)strongly +recommends that you create a +[ Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) to be used during +the Synchronization jobs which will be different from the one used during the Provisioning job. This +contributes to separating access rights. +The same principle applied even more rigorously would make Identity Manager create one profile per +Task. It isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the +[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md), the profile linked to +these tasks and used by the tool should be authorized to execute said tasks. 
+ +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +**View Tasks** + +- `/Jobs/Task/Query` + +**Progress Report** + +- `/Jobs/JobInstance/Query` +- `/Jobs/JobInstance/Update` +- `/Jobs/TaskInstance/Query` +- `/Jobs/TaskInstance/update` + +**Synchronization and Prepare-Synchronization** + +- `/Connectors/Connector/Query` +- `/Connectors/SynchronizeSession` + +Granting access can be done via the +[ SynchronizationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) +scaffolding and +the[ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) +scaffolding. + +The following examples (or similar) should be written to `Conf/Profile AgentSychro.xml`. + +> This example entitles the administrator profile to run any synchronization job: +> +> ``` +> +> Conf/Profile AgentSychro.xml +> +> ... +> ... +> +> ``` +> +> ``` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via the +[ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +scaffolding. + +##### Example + + ``` + + Conf/Profile AgentSychro.xml + +... ... 
+ +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's [ +Profile +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. + +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [ +OpenIdClient +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) xml element. + +It is strongly recommended that you write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the [ +Usercube-New-OpenIDSecret +](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) tool. + + ``` + + Conf/OpenIdClients.xml +... + +... + +```` + +#### Set up the Agent to use ClientId/Secret pairs + +The `ClientId/Secret` pairs that the Agent may use are written to the Agent's +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +technical configuration set. + +The `ClientId` of such `ClientId/Secret` pairs can then be used as a value in a Task +**OpenIdClient** attribute. + +Pairs written in the `OpenIdClient` section may be used by Tasks. + +The Job itself uses the `DefaultOpenIdClient` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> +> { ... 
"OpenId":{ "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } } +> +> ``` +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external +scheduler. + +#### With Identity Manager's scheduler + +Use the [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) CronTab Expression attribute. + +> This example uses Identity Manager's scheduler to execute the +> `CyberArk_Synchronize_Complete_Manually` job every fifteen minutes: +> +> ``` +> +> Conf/SCIMCyberArk/SCIM CyberArk Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +For more details about checking Crontab expressions, see the +[crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the +[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. + +##### Example + +The following command can be scheduled. It executes the `CyberArk_Synchronize_Complete_Manually` +using the "Job/secret" authentication pair to connect to the Identity Manager Server at +`http://identitymanager.contoso.com`. + + ``` + +./identitymanager-Invoke-Job.exe -j "CyberArk_Synchronize_Complete_Manually" --api-secret secret +--api-client-id Job --api-url "http://identitymanager.contoso.com" + +```` + + +## Validation + +### Deploy configuration + +The configuration is written to the database using the [ +Deploy Configuration Task +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) tool. + +### Test + +The Synchronization job should be found in the UI, under the __Job Execution__ menu, with the name input in the Job's __DisplayName_Li__ attribute. + +From there, it can be launched and debugged (if needed). 
+ +After execution, CyberArk SCIM Objects resources should be in the ```UR_Resources``` table of the SQL Server database. +```` diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md new file mode 100644 index 0000000000..cce0e2cb81 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md 
@@ -0,0 +1,111 @@ +# For Microsoft Entra ID + +This example is about implementing incremental synchronization for a +[ Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) connector (formerly +Microsoft Azure AD). + +## Build the Incremental Synchronization Job + +Identity Manager provides a full-written job to perform incremental synchronization through the UI. + +See how to launch incremental +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md)via the UI. + +> For example: +> +> ``` +> +> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +### Components + +Identity Manager provides a +[Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) +scaffolding that generates the configuration for these steps. + +> For example: +> +> ``` +> +> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml +> +> +> +> +> ```` +> +> +> Note that the ```Job``` value in ```OpenIdIdentifier``` refers to the ```ClientId``` written to the [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md#)[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file. Each task will authenticate with the profile associated with this ClientId. +> ```` + +### Permissions for the agent + +This part is not specific to a connector type, see the +[ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. 
+ +### Agent's authentication to the server + +This part is not specific to a connector type, see +the[ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. + +### Permissions for users + +This part is not specific to a connector type, see +the[ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md) topic for additional information. + +## Schedule the Job + +Scheduling the job execution can rely either on Identity Manager's scheduler or on an external +scheduler. + +### Using scheduler + +> The following example uses Identity Manager's scheduler to execute the +> `AzureAD_Synchronization_Delta` job every fifteen minutes: +> +> ``` +> +> Conf/MicrosoftEntraID/MicrosoftEntraID Jobs.xml +> +> +> ... +> +> ``` +> +> ``` + +### Using an external scheduler + +An external scheduler relies on +the[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md).exe. + +> The following command can be scheduled. It executes the `AzureAD_Synchronization_Delta` job using +> the `Job/secret` authentication pair to connect to the Identity Manager Server at +> `http://identitymanager.contoso.com`: +> +> ``` +> +> ./identitymanager-Invoke-Job.exe -j "MicrosoftEntraID_Synchronization_Delta" --api-secret secret +> --api-client-id Job --api-url "http://identitymanager.contoso.com" +> +> ``` +> +> ``` + +## Validate the Job + +Validate the job's execution by proceeding as follows: + +1. Deploy the XML configuration to the database, by using the + [ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). +2. 
In the UI, access the **Job Execution** page from the dashboard's **Administration** section. +3. Find the job named with the string input in the job's `DisplayName_Li` property, and launch it. +4. Once the job is completed, Microsoft Entra ID objects should be synchronized to the database's + `UR_Resources` table. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md new file mode 100644 index 0000000000..3770374bfe --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/index.md 
@@ -0,0 +1,202 @@ +# Set Up Incremental Synchronization + +How to implement an incremental synchronization +[ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) for a given +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) via XML, to upload +the related system's resources to Identity Manager. + +See an example on [For Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md) (formerly Microsoft Azure AD). + +Netwrix Identity Manager (formerly Usercube) strongly recommends configuring as much as possible via +the UI instead of XML files. See how to +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) via the UI. + +## Prerequisites + +First read how to [Create a Connector](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/index.md). + +## Build the Incremental Synchronization Job + +Identity Manager provides a fully-written standardized job to perform incremental synchronization +through the UI. See here: + +See how to launch incremental +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md)via the UI. + +Any IGA action is configured through [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). + +Synchronization jobs contain tasks that are to be executed on agent side. + +### Components + +Any synchronization job should include: + +1. export; +2. synchronization preparation; +3. synchronization. 
+ +The export is configured and performed by the +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md), the +synchronization preparation by the +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +and the synchronization by the +[ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md). + +See the [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topic +for additional information. + +Identity Manager provides a scaffolding that generates the configuration for these steps, named +[Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md). + +This guide is about incremental synchronization, but complete synchronization can be configured with +the +[Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +scaffolding. + +### Permissions for the agent + +In order to launch a job via the +[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool, the agent must +use a profile with the right permissions for each task. + +Permissions within Identity Manager are configured through +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). 
+ +> For example: +> +> ``` +> +> Conf/Profile AgentJob.xml +> +> +> +> ``` +> +> ``` + +Netwrix Identity Manager (formerly Usercube) recommends the creation of a profile for +synchronization jobs, and another for provisioning jobs, in order to comply with the principle of +least privilege. + +In order to run a synchronization job, the agent requires the permissions to: + +- view the tasks via `/Jobs/Task/Query`; +- access progress reports via `/Jobs/JobInstance/Query`, `/Jobs/JobInstance/Update`, + `/Jobs/TaskInstance/Query` and `/Jobs/TaskInstance/Update`; +- prepare the synchronization and synchronize via `/Connectors/Connector/Query` and + `/Connectors/SynchronizeSession`. + +Identity Manager provides scaffoldings that generate the configuration for granting these +permissions: +[ SynchronizationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) +and +[ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +> The following example permits the `AgentSynchro` profile to run any synchronization job: +> +> ``` +> +> Conf/Profile AgentSynchro.xml +> +> +> +> ``` +> +> ``` + +### Agent's authentication to the server + +Every request from agent to server within the execution of a job needs to be authenticated with an +[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect +ClientId/Secret pair. + +So first, the configuration must contain a `ClientId/Secret` pair. + +Usable `ClientId/Secret` pairs are configured through an +[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md). 
+ +> The following example uses a secret hashed +> by[ Usercube-New-OpenIDSecret ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md): +> +> ``` +> +> Conf/OpenIdClients.xml +> +> +> +> ``` +> +> ``` + +Then, the agent's profile must be linked to one of the `ClientId/Secret` pairs. + +Agents' settings are configured in their +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +file. + +> The following example sets the `Job/secret` pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> +> { ... "OpenId":{ "OpenIdClients": { "Job": "secret" }, "DefaultOpenIdClient": "Job" } } +> +> ``` +> +> ``` + +### Permissions for users + +In order to launch the job, a user must have the right permissions. + +Permissions within Identity Manager are configured through +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). + +In order to launch a synchronization job, a user requires the appropriate permission: +`/Jobs/RunJob/Launch`. + +Identity Manager provides a +[ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +that generates the configuration for granting this permission. + +> For example: +> +> ``` +> +> Conf/Profile AgentSynchro.xml +> +> +> +> ``` +> +> ``` + +## Schedule the Job + +Scheduling the job execution can rely either on Identity Manager's scheduler or on an external +scheduler. + +### Using scheduler + +Identity Manager's scheduler is configured through the +[ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md)'s `CronTabExpression` property. 
+ +[See Crontab documentationfor more details ](https://crontab.guru/every-15-minutes). + +### Using an external scheduler + +An external scheduler relies on using an external mechanism to schedule +the[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md).exe. + +## Validate the Job + +Validate the job's execution by proceeding as follows: + +1. Deploy the XML configuration to the database, by using the + [ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). +2. In the UI, access the **Job Execution** page from the dashboard's **Administration** section. +3. Find the job named with the string specified in the XML configuration in the job's `DisplayName` + property, and launch it. +4. Once the job is completed, the system's objects should be synchronized to the database's + `UR_Resources` table. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md new file mode 100644 index 0000000000..8fb5755319 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md 
@@ -0,0 +1,845 @@ +# Set up SharePoint's Export and Synchronization + +This guide shows how to set up a [SharePoint](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) +connector to extract data from your SharePoint instance into CSV source files that will be fed to +the Synchronization task and to your Identity Manager resource repository. It will focus on +registering Identity Manager within the target SharePoint, configuring the connector, and building +the job to perform a regularly scheduled synchronization. + +## Prerequisites + +### External system configuration + +This step is designed to grant Identity Manager a service account to authenticate with the target +SharePoint sites. It includes the following substeps: + +- Create a service account for Identity Manager in your Microsoft Entra ID (formerly Microsoft Azure + AD). +- Go the SharePoint sites which need to be scanned. +- Log in using the organization credentials. +- Go to the **Members List** in the right corner. +- Click on the **Add members** button. +- Enter the name of the Identity Manager service account or its email address. + +![SharePoint Export Add Member](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_add_member.webp) + +The service account is now a member of the site. However, to scan the site, the service account +needs to be owner of the site. + +- Go to the **Members List** in the right corner. +- Under the name of the Identity Manager service account, click on the arrow. +- Choose **Owner**. + +![SharePoint Export Role Owner](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/sharepoint_export_role_owner.webp) + +### Configuration + +This step sets up the Identity Manager Agent in order to use the SharePoint connector and access the +SharePoint data. 
+ +This guide focuses on the [ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) method. Remember that +settings can also be input through architecture. + +#### Connect to the SharePoint instance + +In this `Connections` section, add one new subsection that will contain the credentials for the +target SharePoint. + +> This example connects via the `SharePointExportContoso` connection to the Contoso SharePoint site: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { ... } } } +> +> ``` +> +> ``` + +#### Input credentials + +In the newly created subsection, fill in: + +- The **Server** attribute with the address of the root SharePoint site to scan. +- The **Login** attribute with the login of the service account created. +- The **Password** attribute with the password of the service account created. + +> For example: +> +> ``` +> +> appsettings.agent.json +> +> { ... "Connections": { ... "SharePointExportContoso": { "Server": +> "https://contoso.sharepoint.com/", "Login": "usercube.service@contoso.com", "Password": +> "19f23f48379d50a9a50b8c" } } } +> +> ``` +> +> ``` + +For pedagogical reasons, this guide focuses on the simplest way to set up the export, but it's not +the most secure. Hence it is strongly recommended that you protect credentials using Azure Key Vault +or Cyber Ark in a production environment. +Netwrix Identity Manager (formerly Usercube) recommends completing this guide once, testing the +configuration, and only then, switching to a more secure way of storing credentials. + +##### Set up export files + +The export generates CSV source files that will be fed to the +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) task. 
+ +The target path for these files can be set up using the following settings: + +- `appsetings.agent > Connections > SharePointExportContoso > OutputDir` +- `appsetings.agent > Connections > SharePointExportContoso > FileNamePrefix` + +###### Example + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "SharePointExportContoso": { "Server": "https://contoso.sharepoint.com/", +"Login": "usercube.service@contoso.com", "Password": "19f23f48379d50a9a50b8c" } } } + +```` + + +### SharePoint sites + +Different kinds of SharePoint sites exist. We will describe here the different cases that the integration team might encounter and how to handle them. + +#### Root site with subsites + +A root site has a URL like ```https://contoso.sharepoint.com``` and can have subsites. For example, the subsite ```Finance``` has a URL like ```https://contoso.sharepoint.com/Finance```. Subsites can also have subsites. +To scan the root site and the subsite tree, the root site must be specified in the __Server__ attribute. +Retrieved users can be assigned to/removed from all groups found, but cannot be created. To create a user account, you need to create it in the associated Microsoft Entra ID: it will automatically create a SharePoint user account. + +#### Multiple sites + +A SharePoint can also have other sites which are not subsites of the root site. For example, the site ProjectTeam has a URL like ```https://contoso.sharepoint.com/sites/ProjectTeam```. +These sites can't be scanned from the root site by using the __Server__ attribute. + +To scan these sites, you have to export their URL from SharePoint in a CSV file and use the __CsvUrls__ attribute in the settings. + +###### Example + + ``` + + appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SharePointExportContoso": { + "Server": "https://contoso.sharepoint.com/", + "Login": "usercube.service@contoso.com", + "Password": "19f23f48379d50a9a50b8c" + "CsvUrls": "C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv�URL�," + } + } +} +```` + +In this example, `C:/identitymanager/Temp/ExportOutput/SP_otherSites.csv` is the path of the exported CSV +file, `URL` is the column name of the URLs, and `,` is the separator used in the file. The character +`�` is used to separate the three data items. + +The CSV file containing the URLS can be generated with two methods: + +- Go to `https://contoso-admin.sharepoint.com` of your SharePoint site, in the menu **Sites** > + **Active sites** and click on the **Export** button above the table. +- Use a script with the + [SharePointOnlinePowerShell commands](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/?view=sharepoint-ps), + specifically + [Get-SPO Site](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/get-sposite?view=sharepoint-ps). + +These sites are not synchronized with the root site. Users present in a site are not necessarily +present in the others. You can only assign users to a SharePoint group, on condition that they are +already members of this site. You can't use the SharePoint connector to make a user a member of this +kind of site. Depending on the system you are working on, you could achieve this by using the +associated Microsoft Entra ID or the system generating these SharePoint sites (for example, +Microsoft Teams can create an associated SharePoint site for each Teams Group). + +## Build the Connector + +### Declare a connector + +To be used for export and fulfill tasks, a connector has to be declared in the applicative +configuration and linked to an Agent. See the +[Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for additional information. 
+ +It is strongly recommended that the applicative configuration be stored in the working directory +`Conf` folder as a set of `xml` files organized by connector. See +the[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) +topic for additional information. + +- In the `Conf` folder, create a `SharePoint` directory. +- In the `SharePoint` directory, create a `SharePoint Connector.xml` file. + + This file should contain the declaration of the connector and the associated + [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). + +- Use the [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)element to + declare the connector with the following attributes: + + - **Identifier** identifies this connector in the applicative configuration. See the + [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for additional information. + It is strongly recommended to use a meaningful name such as `SharePoint`. If several + connections to several SharePoint targets are possible, only one SharePoint Connector per + Agent is used. + - **DisplayName_Li, i ? [1..16]** are used in the UI. + - **Agent** is the identifier of the Agent that runs this connector's export task. The Agent's + identifier can be found in the agent's + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + configuration set > OpenId > AgentIdentifier setting attribute. + +- Don't forget the `` and `` elements (see example below). + +> This example declares the `SharePoint` connector on the `Local` agent: +> +> ``` +> +> Conf/SharePoint/SharePoint Connector.xml +> +> ... +> +> ... 
+> +> +> +> ``` +> +> ``` + +### Build the entity model + +The exported data to be written to the resource repository must be aligned with the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). See +the[ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md)topic +for additional information. + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) should match as closely as possible the structure +of the SharePoint data relevant for Identity Manager. It is designed by analyzing the SharePoint +data structure, and describing said data with [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) and an +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +Eventually, it is up to the integration team to design the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) that best serves the +[ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) needs. It will be refined +iteratively throughout the project phase. + +A good starting point for the Entity Model is to mirror the shape of the exported SharePoint +objects. This guide provides a few examples that can serve this purpose. + +#### Write the entity model + +The [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) for the SharePoint connector is written in the +applicative configuration. See the [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic +for additional information. It is strongly recommended to write the connector to the newly created +`Conf/SharePoint/SharePoint Connector.xml` file. 
+ +#### Write entity types + +Declaring an [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) is achieved with the `` tag +and the following attributes: + +- **Identifier** is the entity type's name. It must be unique among the entity types. It is strongly + recommended to prefix this name with the connector's name. An example for SharePoint is + `SharePoint_directoryObject`. +- **DisplayName_Li, i ? [1..16]** are used in the UI to identify this + [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) for the end-user. **DisplayName_L1** is the name of + the entity type in _language number one_. If this language is _English_, a good example of value + is `SharePoint - Object`. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... ... + +```` + + +The SharePoint object attributes are modeled by [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md), with the `````` tags declared as children of the ``````. + +Remember that there are several kinds of properties: scalar and navigation. Scalar properties can be defined to represent scalar attributes such as ```city```, ```country``` or ```companyName```. represent associations such as group memberships. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +The main attributes of the `````` tag are the following: + +- __Identifier__ identifies the property with a mandatory unique name. It must be unique among the entity properties for this entity type. +- __DisplayName_Li, i ? [1..16]__ are used in the UI. +- __Type__ defines the type of the property. A scalar property type is chosen among ```String```, ```Bytes```, ```Int16```, ```Int32```, ```Int64```, ```DateTime```, ```Bool```, ```Guid```, ```Double```, ```Binary```, ```Byte```, and ```Option```. 
The navigation property type is ```ForeignKey```. +- __TargetColumnIndex__ defines in which column of the resource table the property is stored. See more details about Target Column Index. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml +... + ... + +```` + +In this example, we have created four entity types, each one corresponding to a notion in +SharePoint. + +#### Write entity associations + +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) types are associated through their navigation +properties with +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +elements. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + +... + +```` + + +The exact nature of the IDs are described by the associated [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Notice the format of the __Property1__ and __Property2__ xml attributes: the name of the entity type is followed by ```:``` and the name of an entity property. It is a [ +Binding +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) describing in one expression, the target entity type and property. + +### Create mapping + +The entity type must be mapped property by property to the exported attributes of SharePoint objects (namely, the columns of the CSV source files generated by the export). 
+ +The [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), and Entity Type Mapping elements serve this purpose. + +#### Entity type mapping + +The [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) element maps the scalar properties from the CSV source file to an entity type. + +The CSV source file path is written to the ```ConnectionTable``` xml attribute. The target entity type name is written to the ```Identifier``` xml attribute. + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + ... + +```` + +To do so, the entity type mapping element uses the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +element with the `` tag. This maps the CSV column from `ConnectionColumn` to the target +EntityType property which is written to the **Identifier** attribute. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ... + +```` + + +As a result, after synchronization, the ```UR_Resource``` table will be updated from the CSV source file data. + +#### Entity association mapping + +The [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element maps the navigation properties used in [ +Entity Association +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). 
+ +An [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) element refers to an [ +Entity Association +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) written to the ```Identifier``` xml attribute. Then, like [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), it maps column values from a CSV source file to an EntityType property. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + ... + ... + +```` + +## Display + +This step focuses on configuring a nice display for the synchronized list of resources in the UI. + +### Nav + +A [ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) can be added to +include a link to the resources list in the left menu on the UI home screen. + +#### Parent menu item + +It is strongly recommended that you gather synchronized resources menu items under parent menu +items. This is usually declared in the `Nav.xml` file in the configuration root folder. + +##### Example + + ``` + + Conf/Nav.xml + +... + +... + +```` + + +#### Child menu item + +It is strongly recommended to use a new ```SharePoint Nav.xml``` file in the ```SharePoint``` connector's folder to add the SharePoint objects menu item. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Nav.xml +... +... + +```` + +This example adds a new menu item under the `Nav_Connectors` menu item declared in the root +`Nav.xml` file. This new menu item gives access to the list of synchronized SharePoint entities. + +### Display + +It is strongly recommended that the display configuration be written to a new `SharePoint UI.xml` +file in the `SharePoint` connector's folder. 
+ +#### Display entity type + +The +[Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +describes how a single resource should be displayed. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml + +... + + + + + + + + + + + +... + +```` + + +The scalar properties require no configuration: they are automatically displayed. The only information that the [Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) adds here, is that the property ```BasicCollection``` is a navigation property. An eye icon will be displayed to take you directly to the matching page. + +#### Display table + +[Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) elements describe how a list of resources should be displayed. + +The [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) contains a list of display table column elements that identify which properties should be included in the list display. + +##### Example + + ``` + + Conf/SharePoint/SharePoint UI.xml +... + ... + +```` + +#### Internal display name + +An `InternalDisplayName` can also be declared as an [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). +The `InternalDisplayName` is used in several UI screens to identify a resource for the user. + +With no custom `InternalDisplayName`, a default value is used (instead of the first property of the +identity) containing the string _"name"_. If no such property is found, the first declared property +of the entity type is used. + +##### Example + + ``` + + Conf/SharePoint/SharePoint Connector.xml + +... + + + + ... 
+ +```` + + +This example adds the ```InternalDisplayName``` to the ```SharePoint_Entity```, ```SharePoint_Role```, ```SharePoint_Object``` and ```SharePoint_RoleAssignment``` entity types to be used by the UI. + +### Permissions + +This step focuses on setting up permissions for Identity Manager's end-users granting them access to the connector. + +The [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) elements define [ +AccessControlPermission +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) for end-user profiles to read and write the connector's data (such as resources of a given entity type). It is used by the UI when displaying data such as resources and available roles. + +It is strongly recommended that permissions be written to a new file. For example, the administrator profile permissions can be written to the ```SharePoint Profile Administrator.xml``` file. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Profile Administrator.xml +... + ... + +```` + +This example sets permissions for the `Administrator` profile. + +It entitles an administrator to display `SharePoint_Entity` resource and role categories from the +UI. + +## Jobs + +### Construction + +It is strongly recommended to write Jobs associated with the `SharePoint` connector to the +`Conf/SharePoint/SharePoint Jobs.xml` file. + +A job is declared with the `` xml element. It contains Tasks that perform the main steps and +other related operations. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml + +... + +... ... + +```` + + +Notice the __Agent__ attribute that contains the name of the Agent which executes the Job. 
This attribute is mandatory for a Job containing Tasks executed agent-side, even if a unique local Agent exists. See the [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional information. + +### Components + +The[ +Upward Data Synchronization +](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)job includes three steps: + +- Export +- Prepare-Synchro +- Synchro + +These three steps are all contained in a which allows the generation of the Incremental Synchronization configuration. See the [Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) topic for additional information. + +#### Example + + ``` + + Conf/SharePoint/SharePoint Jobs.xml +... + ... + +```` + +### Permissions + +The execution of a Job entails execution of Tasks, reading/writing to the Database and sending files +over to the Server. These operations are protected by an authorization mechanism. + +To complete a Job, the Agent, via +the[ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) uses: + +- a [ Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) associated with + the Job itself, to read/write: + - `UJ_Jobs` and `UJ_Tasks` tables in a list of tasks + - `UJ_JobInstances` tables in the progress report +- a Profile for each Task, to read/write `UJ_TaskInstances` tables (Progress Report) and perform + other operations such as sending export files over to the Server. + +Each Profile must be assigned the right permissions for the associated Job or Task to perform. 
+ +Every request from Agent to Server within the execution of a Job needs to be authenticated with an +[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect +ClientId/Secret pair, linked to a Profile. + +#### Create a profile + +Here, we focus on creating one profile, used by the Job and every Task of the Job. + + ``` + + Conf/Profile AgentJob.xml + +... ... + +```` + + +As the Principle of Least Privilege states, Netwrix Identity Manager (formerly Usercube) strongly recommends that you create a[ +Profile +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) to be used during the Synchronization jobs which will be different from the one used during the Provisioning job. This contributes to separating access rights. +The same principle applied even more rigorously would make Identity Manager create one profile per Task. It isn't necessary as most Synchronization tasks require the same permissions. + +#### Grant synchronization access rights to the profile + +For an Agent to launch server-side Tasks from the Job via the [ +Usercube-Invoke-Job +](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool, the profile linked to these tasks and used by the tool should be authorized to execute said tasks. 
+ +Server-side Tasks for a simple Synchronization job usually are: + +- Prepare-Synchronization +- Synchronization + +Required permissions are: + +__View Tasks__ + +- ```/Jobs/Task/Query``` + +__Progress Report__ + +- ```/Jobs/JobInstance/Query``` +- ```/Jobs/JobInstance/Update``` +- ```/Jobs/TaskInstance/Query``` +- ```/Jobs/TaskInstance/Update``` + +__Synchronization and Prepare-Synchronization__ + +- ```/Connectors/Connector/Query``` +- ```/Connectors/SynchronizeSession``` + +Granting access can be done via the [ +SynchronizationAccessControlRules +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) and the [ +Job View Access Control Rules +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md). + +The following examples should be written to ```Conf/Profile AgentSychro.xml```. + +##### Example + +The following example entitles the administrator to run any Synchronization job: + + ``` + +```` + +#### Grant end-users permissions to run jobs from the UI + +In addition, for end-users to be able to launch a job from the UI, they must be assigned a profile +with the following access rights: + +- `/Jobs/RunJob/Launch` + +This can be done via +the[ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) +scaffolding. + +##### Example + + ``` + +```` + + +#### Declare usable ClientId/Secret pairs in the configuration + +An Agent's a[ +Profile +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md)is associated with a ```ClientId/Secret``` pair used by the Agent to authenticate to the Server. 
+ +Usable ```ClientId/Secret``` pairs are written to the database from the xml configuration using the [ +OpenIdClient +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) xml element. + +It is strongly recommended to write the `````` xml element to a new or existing ```OpenIdClients.xml``` file in the configuration root folder. + +The ```ClientId/Secret``` pair hence created must be associated with the profile created or updated in the previous step, via the __Profile__ attribute. + +##### __Example__ + +The following example creates a ```ClientId/Secret``` pair to be used by the Agent to authenticate to the Server and complete Jobs. The secret is hashed with the[ +Usercube-New-OpenIDSecret +](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) tool. + + ``` + + Conf/OpenIdClients.xml +... + +... + +```` + + ``` + + Conf/OpenIdClients.xml + +... + +... + +```` + + +#### Set up the Agent to use ClientId/Secret pairs + +The ```ClientId/Secret``` pairs that the Agent may use are written to the Agent's [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) technical configuration set. + +The ```ClientId``` of such ```ClientId/Secret``` pairs can then be used as a value in a Task __OpenIdClient__ attribute. + +Pairs written in the ```OpenIdClient``` section may be used by Tasks. + +The Job itself uses the ```DefaultOpenIdClient``` value. + +> This example sets the "Job/secret" pair to be used by tasks and jobs: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "OpenId":{ +> "OpenIdClients": { +> "Job": "secret" +> }, +> "DefaultOpenIdClient": "Job" +> } +> } +> +> ``` + +### Job launch + +Scheduling the job execution can rely either on Identity Manager's scheduler or an external scheduler. 
+ +#### With Scheduler + +Use the [ +Job +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) attribute. + +> This example uses Identity Manager's scheduler to execute the ```SharePoint_Synchronization_Delta``` job every fifteen minutes: +> +> ``` +> +> Conf/SharePoint/SharePoint Jobs.xml +> ... +> +> +> ``` + +For more details about checking Crontab expressions, see the [crontab.guru](https://crontab.guru/every-15-minutes) website. + +#### With an external scheduler + +An external scheduler would rely on the [ +Usercube-Invoke-Job +](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) tool. + +##### Example + +The following command can be scheduled. It executes the ```SharePoint_Synchronization_Delta``` job using the "Job/Secret" authentication pair to connect to the Identity Manager Server at ```http://identitymanager.contoso.com```. + + ``` + +./identitymanager-Invoke-Job.exe -j "SharePoint_Synchronization_Delta" --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" + +```` + +## Validation + +### Deploy configuration + +The configuration is written to the database using the +[ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md). + +### Test + +The Synchronization job should be found in the UI, under the **Job Execution** menu, with the name +input in the Job's **DisplayName_Li** attribute. + +From there, it can be launched and debugged (if needed). + +After execution, SharePoint Objects resources should be in the `UR_Resources` table of the SQL +Server database. 
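Review bot: Every XML example in this new SharePoint how-to has lost its markup. The blocks headed `Conf/SharePoint/SharePoint Connector.xml`, `Conf/SharePoint/SharePoint Jobs.xml`, `Conf/OpenIdClients.xml` and the rest contain only `...`, and the prose has empty code spans where element names belonged ("Don't forget the `` and `` elements", "achieved with the `` tag", "all contained in a which allows"). As committed, a reader cannot write the connector, the access control rules or the OpenIdClient from this page, so the elements need restoring from the source before merge. The same conversion opens fences with three backticks and closes them with four, which will swallow the prose that follows each block. `DisplayName_Li, i ? [1..16]` and the separator in `CsvUrls`, which shows as a replacement character, look like symbols lost to encoding, so the text no longer tells the reader which separator to type. In the `SharePointExportContoso` JSON, `"Password": "19f23f48379d50a9a50b8c"` is missing its trailing comma, so the sample does not parse. On credential handling, the external scheduler command passes `--api-secret secret` as a literal argument and targets `http://identitymanager.contoso.com`, which puts the secret in the scheduler's command line and sends it over an unencrypted connection; I would show an `https://` URL and say where the secret should be read from. Smaller points: `Conf/Profile AgentSychro.xml` looks like a typo and does not match `Conf/Profile AgentJob.xml` used earlier, the table is `UR_Resource` in one place and `UR_Resources` in another, the sentence starting "represent associations such as group memberships" has lost its subject, and the link text says `Usercube-Invoke-Job` while the command runs `./identitymanager-Invoke-Job.exe`.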
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md new file mode 100644 index 0000000000..dad426061c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md 
@@ -0,0 +1,336 @@ +# Write a PowerShell Script for Provisioning + +This guide shows how to write a PowerShell script used by the +[ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) connector. + +## Structure of a PowerShell Script + +The goal of the script is to append, for each provisioning order, a line in a CSV file. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +insert;007;James;Bond +... + +``` + +### Define the common part of every script + +The goal of the common part is to get all required variables needed by the script. + +Two parameters are required at the top of the script: + +``` + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +``` + +- `resultsFilePath` is the agent-side path of the result file containing the summary of the executed + and errored orders. +- `ordersPath` is the agent-side folder path containing the JSON provisioning orders. + +It is important for these settings to be defined at the top of the script and keep these names +because they are filled by the `Fulfill-PowerShell` connector. + +The `Fulfill-CSV.ps1` script must be placed in the script folder of Identity Manager containing the +`Environment.ps1` script. Thanks to this, environment variables (such as `$runtimePath`) are loaded +and can be used in the script: + +``` + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. (Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +``` + +### Define the specific function + +A function which is called for each provisioning order must be defined. + +#### Define the header + +The header is always the same. 
Only the name of the function can change: + +``` + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + +``` + +The previous parameter `$order` is an object corresponding to the following provisioning order +(JSON): + +``` + +{ + "ProvisioningOrdersList": [ + { + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "PowerShellCsv_User" + }, + "Identifier": "PowerShellCsv_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } + } + ] +} +``` + +There can be more sections and attributes. + +#### Define mandatory parameters + +The `ChangeType` parameter (`Added`, `Deleted` or `Modified`) is always mandatory and must be +checked. + +Depending on the function requirements, other parameters should be checked. For example, the +function below always needs an identifier to work properly, therefore you should check its presence. + +``` + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." 
+ } + } + +``` + +#### Define order processing + +This is the last part of the function: + +- Parameters from the provisioning order are stored in variables. +- A specific treatment is applied if `ChangeType` is `Added`, `Deleted` or `Modified`. + +``` + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +``` + +Define how to send logs to Identity Manager + +The three methods to log in Identity Manager are: + +- **Write-Host**: writes Information in the log. +- **Throw**: raises an exception (which stops the script), and writes the Error in the log (the + provisioning order will be errored too). +- **Write-Error**: writes Error in the log (the provisioning order will be errored too). It is not + recommended because the script continues its execution. + +Now that the function has been defined, the main code of the script can be written. + +### Write the main code of the script + +Read the options parameter from the standard input + +The options parameter isn't mandatory in the JSON file. If it isn't provided, don't perform this +step. + +``` + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +``` + +Rest of the main script + +In general, this part contains the code to connect to the external system and executes the +`Usercube-Visit-Orders` script. 
+ +``` + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` + +Never modify `Usercube-Visit-Orders.ps1`. + +## Synthesis + +### Skeleton + +To sum up the previous part, the script can be written as follows: + +``` + +# Common part + +# Specific function + # Header of the function + # Check mandatory parameters + # Order processing (treatment for Added, Deleted or Modified) + +# Main script + # Read standard input (Optional) + # Rest of the main script (Connection, Usercube-Visit-Order...) + +``` + +### Full script + +The full script is as follows: + +``` + +# Common part + +param( + [Parameter(Mandatory = $true)][string]$resultsFilePath, + [Parameter(Mandatory = $true)][string]$ordersPath +) + +. (Join-Path -Path $PSScriptRoot -ChildPath "Environment.ps1") +. 
(Join-Path -Path $runtimePath -ChildPath "Usercube-Visit-Orders.ps1") + +# Specific function + +function Fulfill-CSV { + param ([parameter(Mandatory = $true)] $order) + + $changeType = $order.ChangeType + # if the change type is not recognized, we throw an error + if ($changeType -ne 'Added' -and $changeType -ne 'Deleted' -and $changeType -ne 'Modified') { + $artId = $order.AssignedResourceTypeId + throw "Order ChangeType: $changeType not recognized in AssignedResourceTypeId: '$artId'" + } + + # if the section is Changes, we want to create/update the identifier + $identifier = $order.Changes.identifier + if(!$identifier){ + # if the section is Resources, we want to keep the same identifier + $identifier = $order.Resource.identifier + if(!$identifier){ + throw "identifier is the primary key and must not be null." + } + } + + # firstName and lastName are the two other properties of the ResourceType + $firstName = $order.Changes.firstName + $lastName = $order.Changes.lastName + + # change type defines what is written in the 'command' column + if ($changeType -eq 'Added') { + $command = "Insert" + } + elseif ($changeType -eq 'Deleted') { + $command = "Delete" + } + elseif ($changeType -eq 'Modified') { + $command = "Update" + } + + # CSV columns are command, identifier, firstName and lastName + $script:powershellResults += New-Object -TypeName psobject -Property @{Command = "$command"; identifier = "$identifier"; firstName = "$firstName"; lastName = "$lastName" } +} + +# Main script + +# Just to show how to read the options in the script +$options = [System.Console]::ReadLine() +$options = ConvertFrom-Json $options +$options.Message # -> Hello + +# The goal of the script is to write the users in the following CSV file +$powershellResultFilePath = Join-Path -Path "$demoPath" -ChildPath "Temp/ExportOutput/powershellcsv_users.csv" + +# powershellResults has a larger scope and is used in the last line of the Fulfill-CSV function +$powershellResults = @() + +# 
Usercube-Visit-Orders is provided by Usercube, it must not be modified +# It loops on the provisioning orders and calls Fulfill-CSV on each of them +Usercube-Visit-Orders $resultsFilePath $ordersPath Fulfill-CSV + +# We write the results in $powershellResultFilePath +if ($powershellResults.Length -gt 0){ + $powershellResults | ConvertTo-Csv -Delimiter ";" -NoTypeInformation | & (Join-Path -Path "$runtimePath" -ChildPath "Usercube-Encrypt-File.exe") -o $powershellResultFilePath +} + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md new file mode 100644 index 0000000000..7234fc01f5 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md 
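Review bot: in the "Full script" block of the PowerShell fulfill guide, the main section runs `$options = [System.Console]::ReadLine()` and `$options = ConvertFrom-Json $options` unconditionally, while the skeleton just above labels that step "Read standard input (Optional)". A reader who copies the full script and runs it without anything on stdin gets a script that waits for input or hands an empty value to `ConvertFrom-Json` before any order is processed. Suggest either guarding the read (skip the conversion when the line is empty) or marking these three lines in the full script as a removable demonstration, and saying that `$options.Message` is written to the output only to show the value. A smaller point in `Fulfill-CSV`: `identifier` falls back to `$order.Resource.identifier`, but `firstName` and `lastName` are read from `$order.Changes` only, so rows for orders that carry no such changes are written with empty names; one sentence stating that this is intended would help.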
@@ -0,0 +1,512 @@ +# Write a Robot Framework Script + +This guide shows how to write a Robot Framework script that will be used by +[ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md). + +## Structure of a Robot Framework Script + +### Build the skeleton + +A Robot Framework script is divided into four main parts: + +1. **Settings**: contains the instructions to import library or external resource files. +2. **Variables**: contains the global variables shared by all the functions in the script. +3. **Keywords**: contains all the functions defined by the user. +4. **Test Cases**: contains the functions which will be run when the script is launched. + +#### Example + +``` + +*** Settings *** +Library Telnet + +*** Variables *** +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + +``` + +Let's analyze the four parts of this example: + +- **Settings**: we import here the Telnet library to use the functions defined in it. +- **Variables**: we define the variable `IPADDRESS` to use it later. +- **Keywords**: we define a custom function called `Open Telnet Connection`. It will use a function + defined in the Telnet library (called `Open Connection`) and the variable `IPADDRESS` which has + been defined before in the `Variables` section. +- **Test Cases**: we define here the main function which we choose to call `Run Provisioning` (it + can be named anything), and which will be run when launching the script. It will use the function + `Open Telnet Connection`. + +Robot Framework needs two spaces between two different instructions to parse them correctly. +For example, `Open Connection` consists of only one instruction. Only one space is thus needed +between the two words. 
But, `Open Connection ${IPADDRESS}` consists of two instructions, the +function and the parameter. Two spaces are then required to separate `Connection` from +`${IPADDRESS}`. +To read your script more easily, you could also use the pipe character (`|`) between instructions, +like this: `Open Connection | ${IPADDRESS}`. + +See the [Robot Framework Libraries](https://robotframework.org/#robot-framework-libraries) for +additional information. + +### Define specific functions + +To use a Robot Framework script for provisioning external systems with Identity Manager, the +following elements are required in the script: + +- The import of a resource file written by Identity Manager called + `UsercubeRobotFramework.resource`. +- The definition of three functions which will be called by Identity Manager to perform three + required actions: `ExecuteAdd`, `ExecuteDelete` and `ExecuteModify`. These functions are where you + will write the actions to perform on the external system. +- The use of one function to start the provisioning called `Launch Provisioning`. + +Never modify the resource file `UsercubeRobotFramework.resource`. + +#### Example + +The resource file defined at the beginning of the script is located in Identity Manager's `Runtime` +folder. Therefore, you will have to change the path accordingly. + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + ... + +ExecuteDelete + [Arguments] ${order} + ... + +ExecuteModify + [Arguments] ${order} + ... + +... + +*** Test Cases *** +Run Provisioning + ... + Launch Provisioning + ... + +``` + +The parameter `${order}` is mandatory only for the three functions: `ExecuteAdd`, `ExecuteDelete` +and `ExecuteModify`. 
It is an object corresponding to the following sample provisioning order +(JSON): + +``` + +{ + "AssignedResourceTypeId": "3930001", + "ChangeType": "Added", + "WorkflowInstanceId": "81", + "Owner": { + "Id": "21511", + "InternalDisplayName": "007 - Bond James", + "Identifier": "007", + "EmployeeId": "007", + "PhotoTag": -3065, + "MainFirstName": "James", + "MainLastName": "Bond", + ... + }, + "ResourceType": { + "Id": "-41", + "SourceEntityType": { + "Id": "51", + "Identifier": "Directory_User" + }, + "TargetEntityType": { + "Id": "70", + "Identifier": "RobotFramework_User" + }, + "Identifier": "RobotFramework_User_NominativeUser" + }, + "Changes": { + "identifier": "007", + "firstName": "James", + "lastName": "Bond" + } +} +``` + +The elements of `${order}`can be accessed like this: `${order['Changes']['identifier']}`. + +See the +[Robot Framework User Guide](https://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html) +for additional information. + +## Keywords + +| Keyword | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ------- | +| Catch Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args` if the keyword launched by `Try Keyword` failed. 
If `Try Keyword` was not called, this keyword will not do anything. `Catch Keyword` should always be called right after `Try Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | +| Generate Password | **Description** Generates a password based on the [ Password Reset Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) associated to the [Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) being provisioned. `Send Password Notification` should always be called after `Generate Password`, preferably right after the password is used. If `Send Password Notification` is not called before the provisioning of the resource is over, it will automatically be called. If multiple passwords should be generated, `Send Password Notification` should be called after each password generation. **Returns** `Password`: string | +| Get Secure Data | **Arguments** `Attribute`: string `Erase Data`: boolean **Description** Retrieves the secured option `Attribute` from the connector configuration. If `Erase Data` is set to true, the secured option is deleted once it is read. **Example** Get Login option and erase it: ```Get Secure Data | Login | True``` | +| Launch Provisioning | **Description** Launches the provisioning defined by the provisioning orders. This keyword is required for any provisioning to happen. | +| Log Debug | **Arguments** `Message`: string **Description** Logs `Message` at the `Debug` log level. **Example** Log a keyword failure message: `Log Debug The keyword has failed` | +| Log Error | **Arguments** `Message`: string **Description** Logs `Message` at the `Error` log level. 
**Example** Log a keyword failure message: `Log Error The keyword has failed` | +| Send Password Notification | **Description** Sends a notification containing the last password generated. If `Generate Password` is called and `Send Password Notification` is not called before the provisioning of the resource is over, `Send Password Notification` will automatically be called. | +| Try Keyword | **Arguments** `Keyword`: Keyword `*args` **Description** Launches `Keyword` with the given arguments `*args`, and ignores its errors. If `Keyword` fails, the keyword sent to `Catch Keyword` will run. `Try Keyword` should always be called right before `Catch Keyword`. **Example** Try to connect to `Usercube.com`. If the connection fails, restart the browser and try to connect to `Usercube.com`: `Connect to URL Try Keyword Go To Usercube.com Catch Keyword Restart Browser At URL Usercube.com` | + +## Error handling + +Consider a web application that contains user information. Suppose a user is missing from the web +application. When the script attempts to reach the user's information page, it will reach an error +page, and fail. The next user's provisioning starts, but the web browser is still on the error page, +so the script keeps failing. + +In this example, if a user's provisioning fails, each subsequent provisioning will fail. This +failure issue can be solved with the error handling custom keywords. + +Consider the following example using the Robot Framework Selenium library: + +``` + +Open Usercube Website + Open Browser + Connect To Usercube + [Teardown] Close Browser + +Restart Browser + [Arguments] ${url} + Log Debug An error has occured, restarting the browser + Close Browser + Open Browser ${url} + +Connect To Usercube + Try Keyword Go To Usercube.com + Catch Keyword Restart Browser Usercube.com + Page Should Contain Usercube + +``` + +In this example, the keyword `Open Usercube Website` opens a browser, then calls +`Connect To Usercube`. 
To ensure that the browser is closed regardless of the script's success, the +`Close Browser` keyword is used in a teardown. A keyword in a teardown is always executed regardless +of what happens in the script or in the teardown. + +The `Restart Browser` keyword logs a debug message before restarting the browser to help debug the +script. The `Connect To Usercube` tries to use the `Go To` keyword to connect to the `Usercube.com` +web page. As `Go To` is used with `Try Keyword`, if the execution fails, `Restart Browser` is called +by `Catch Keyword`. This means that if the browser fails to load `Usercube.com`, the browser +restarts. Last, `Connect To Usercube` verifies that the page contains the word `Usercube`. + +### Error Handling for ExecuteAdd, ExecuteDelete, and ExecuteModify + +The `ExecuteAdd`, `ExecuteDelete`, and `ExecuteModify` methods are harder to interact with. First, +it is not possible to get their execution status within the script. Second, if the execution failed, +it should be kept as a failure in order to log the failure. + +To simplify error handling, consider the following structure: + +``` + +Execute Add + [Arguments] ${order} + Try Keyword Add User ${order} + Catch Keyword Restart Program And Fail Add User failed. + +Add User + [Arguments] ${order} + Click New User + Fill In Information ${order} + Click Add User + +Restart Program And Fail + [Arguments] ${failmessage} + Close Program + Start Program + Fail ${failmessage} + +``` + +In this example, `ExecuteAdd` does not call the custom keywords to add a new user directly, and only +calls `Add User` instead. This means that it is possible to call `Add User` from the `Try Keyword` +keyword. If `Add User` fails, then `Execute Add` fails. Therefore it is possible to catch a failure +with this structure. + +Note that `Restart Program And Fail` fails. This failure is necessary as the provisioning order +would be counted as a success otherwise. 
+ +## Testing a RobotFramework script + +In order to write a RobotFramework script, we need to test that it works. It is possible to test the +script by running a fulfillment job from the Identity Manager interface. While this kind of test +proves that everything works as expected, it can take a long time. There is a faster method to check +that the script runs. + +Suppose the RobotFramework script's path is `RobotFramework/script.robot`. + +We need the following elements : + +- A provisioning order, in folder `RobotFrameworkScript/Order`. The provisioning order can be + encrypted or unencrypted. The script will write the encrypted results to + `RobotFrameworkScript/Order/results.csv`. +- The path to the `Runtime` folder. In our example, we will consider this path as + `C:/identitymanagerDemo/Runtime`. + +The `RobotFramework/script.robot` script may be run from the command prompt. + +``` +cd RobotFramework + +robot --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +This command will generate an output file, a log file, and a report file in the `RobotFramework` +folder. This command will also write information to the command prompt. + +For most testing cases, we only care about the command prompt information and the log file, written +at `RobotFramework/log.html`. The other outputs can be removed. + +``` +cd RobotFramework + +robot --loglevel NONE --report NONE --variable ORDERPATH:./Order --variable RUNTIMEPATH:C:/identitymanagerDemo/Runtime --variable RESULTPATH:./Order/results.csv ./script.robot +``` + +### `Get Secure Data` and `Generate Password` + +Most keywords are not different when a script is launched manually. The keywords `Get Secure Data` +and `Generate Password` are exceptions. + +- `Get Secure Data`: This keyword expects the Robot Framework process to receive a json list of + attributes in the stdin stream. 
This can be provided manually by writing the data in the command + prompt. As an example, if the script requires a `Login` and `Password` attribute : + `{"Login":"login","Password":"password"}` +- `Generate Password`: This keyword expects a file that contains the + [ Password Reset Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) + associated to the provisioned + [Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). + The easiest way to enable the `Generate Password` keyword is as follow: + - Launch the Robot Framework fulfillment through the Identity Manager web application with a + blank script. + - Copy the `PasswordResetSettings` folder generated in the most recent subfolder of + `Work/FulfillRobotFramework`. + - Paste the folder in the same folder as the provisioning order. + +## Use Case: Write a Script to Fulfill a CSV File + +The goal of the script is to append, for each provisioning order, a line in a CSV file located on an +external system which we will access through a Telnet connection. + +Let's consider the following `ResourceType`: + +``` + +... + ... + +``` + +The end of the CSV file must look like: + +``` + +command;identifier;firstName;lastName +... +Insert;007;James;Bond +... + +``` + +### Define settings + +In every Robot Framework script, we need to import the resource file +`UsercubeRobotFramework.resource`. In this example, we also need to import the Telnet library to use +its functions. + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource +Library Telnet + +``` + +### Define variables + +To connect to the external system through Telnet, we need an IP address corresponding to the +external system. We will store the IP address in the global variable `${IPADDRESS}`. 
We also use the +global variable `${CSVFILEPATH}` to define the CSV file where the data will be written in the +external system. + +``` + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +``` + +### Define custom keywords + +We define all the custom functions which we will use to provision the external system: + +- `Delete CSV File`: removes a possible pre-existing CSV file. +- `Write In CSV`: executes a command to write the line in the CSV file in the external system. +- `Write Data`: formats the line to write in the CSV and calls `Write In CSV` to write it. +- `Write Header`: defines the header to write in the CSV and calls `Write Data` to write it. +- `Open Telnet Connection`: opens the Telnet connection to the external system using the login and + the password defined in the + [ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) attribute in + `appsettings.agent.json`, as well as the IP address defined in the `Variables` section. + +``` + +*** Keywords *** +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +``` + +The method `Get Secure Data` will retrieve the value of the attributes filled in the options in +`appsettings.agent.json`. This is the method strongly recommended by Identity Manager. However, you +could also enter the value directly into the script (example: `${LOGIN}= UserName`). 
This may be +easier for initial testing purposes. + +### Define mandatory keywords + +To be able to provision the external system, we need the three required functions: `ExecuteAdd`, +`ExecuteDelete` and `ExecuteModify`. These methods are called by the connector depending on the +action to perform on the external system. + +``` + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +``` + +Here, for each action, we use the function `Write Data` defined in the previous section to write the +changes to the CSV file with a corresponding word `Insert`, `Delete` or `Update`. + +### Define test cases + +The function launched by the Robot Framework script will be written in the section `Test Cases` and +will be called `Run Provisioning`. + +``` + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` + +In our test case, we will perform the following operations in `Run Provisioning`: + +- Open the Telnet connection with the external system. +- Remove a possible pre-existing CSV file. +- Write the header to the new CSV file. +- Launch the Identity Manager provisioning. The method `Launch Provisioning` is mandatory when using + the Robot Framework connector. +- Close the Telnet connection with the external system. 
+ +### Read the full script + +The full script is as follows: + +``` + +*** Settings *** +Resource C:/identitymanagerContoso/Runtime/identitymanagerRobotFramework.resource +Library Telnet + +*** Variables *** +${CSVFILEPATH} /home/contoso/robotframework_users.csv +${IPADDRESS} 192.168.1.22 + +*** Keywords *** +ExecuteAdd + [Arguments] ${order} + Write Data Insert ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteDelete + [Arguments] ${order} + Write Data Delete ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +ExecuteModify + [Arguments] ${order} + Write Data Update ${order['Changes']['identifier']} ${order['Changes']['firstName']} ${order['Changes']['lastName']} + +Delete CSV File + Execute Command rm ${CSVFILEPATH} + +Write In CSV + [Arguments] ${line} + Execute Command echo ${line} >> ${CSVFILEPATH} + +Write Data + [Arguments] ${command} ${identifier} ${firstName} ${lastName} + Write In CSV '"${command}","${identifier}","${firstName}","${lastName}"' + +Write Header + Write Data Command identifier firstName lastName + +Open Telnet Connection + Open Connection ${IPADDRESS} prompt=$ + Read Until login + ${LOGIN}= Get Secure Data Login False + Write ${LOGIN} + Read Until Password + ${PASSWORD}= Get Secure Data Password True + Write ${PASSWORD} + +*** Test Cases *** +Run Provisioning + Open Telnet Connection + Delete CSV File + Write Header + Launch Provisioning + Close All Connections + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md new file mode 100644 index 0000000000..ca228f82b8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-sync-powershell-script/index.md 
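Review bot: in the CSV use case of the Robot Framework guide, `Write In CSV` runs `Execute Command echo ${line} >> ${CSVFILEPATH}`, and `Write Data` builds `${line}` as `'"${command}","${identifier}","${firstName}","${lastName}"'`, so values taken from `${order['Changes']}` reach the remote shell protected only by one surrounding pair of single quotes. A name that contains a single quote (O'Brien) ends the quoting and the remainder is interpreted by the shell. Because this script is presented as a template, suggest escaping or rejecting quote characters before the line is built, or writing the file without going through a shell, and stating that requirement in the text. Related points in the same hunk: the connection is Telnet, so the login and password returned by `Get Secure Data` cross the network unencrypted, and the paragraph after the custom keywords suggests entering the login directly in the script for initial testing without saying to remove it afterwards; the prose names the resource file `UsercubeRobotFramework.resource` while every example imports `identitymanagerRobotFramework.resource`; the expected CSV sample is `;`-separated and unquoted while `Write Data` emits comma-separated quoted fields; and the testing section places the script in `RobotFramework/` but the order folder in `RobotFrameworkScript/Order`, while the command uses `./Order` after `cd RobotFramework`.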
@@ -0,0 +1,6 @@ +# Write a PowerShell Script for Synchronization + +This guide shows how to write a PowerShell script used by the +[ PowerShellSync ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md) connector. + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/how-tos/write-ticket-template/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md new file mode 100644 index 0000000000..c38f63abab --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md 
@@ -0,0 +1,171 @@ +# Connectors + +Connectors are Identity Manager's links to the managed systems, the technical representation of the +entity model. A connector is used to export data as CSV source files for Identity Manager's +synchronization process and to fulfill entitlement assignments to a given managed system. See the +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md),[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md), +and [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topics for +additional information. + +## Overview + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. The feedback mechanism ensures Identity Manager's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Identity Manager and a managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +Netwrix Identity Manager (formerly Usercube)strongly recommends the creation of one connector for +each application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager, +> either manually for administration accounts, or automatically for basic accounts. +> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. 
+ +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity +Manager will feed data into connected managed systems. + +![Outbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Identity Manager and the managed system are also called: + +- Synchronization in the managed system-to-Identity Manager direction +- Provisioning in the Identity Manager-to-managed system direction + +For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of +the system's data in the form of CSV files. These files are cleaned and loaded into Identity +Manager. In other words, synchronizing means taking a snapshot of the managed system's data and +loading into Identity Manager. + +For provisioning, Identity Manager generates provisioning orders and the connector provides tools to +either automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Identity Manager's identity repository to fill in later the +> AD's fields, such as users' display names based on their first names and last names from the +> repository. See the +> [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> topic for additional information. + +Identity Manager can also benefit from inbound connectors, that will write data to Identity +Manager's central identity repository. While both inbound and outbound connectors allow data to flow +both ways, they do not work in the same manner. See the +[ Create an HR Connector ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/hr-connector-creation/index.md) topic for +additional information. 
+ +### Technical principles + +Identity Manager's connectors all operate on the same basic principles. Technically speaking: + +> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD: + +- A connector must be created, first as a named container which will include the connections and + entity types related to one managed system; See the + [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) topic for additional + information. + + > We create a connector named `AD` (so far, an empty shell). + +- A connector is linked to an agent which acts as the go-between for Identity Manager's server and + the managed system; See the [ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md) topic + for additional information. + + > Our `AD` connector uses the provided SaaS agent. + +- A connection describes the technology used that enables data to flow back and forth between + Identity Manager and the managed system; See the + [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for additional + information. + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual + > provisioning through Identity Manager. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). 
+ +- The shape of the extracted managed system's data is modeled by entity types (we will use the term + resource to refer to an entity type that has been instantiated); See the + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) topic for additional + information. + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. + +- The intent of resources within the managed system is made clear by categorizing resources into + resource types. See the + [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) and + [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topics for additional + information. + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Identity Manager to provision automatically; + > `AD User (administration)` for sensitive administration accounts, which we want to provision + > manually through Identity Manager. + +![Connector Technical Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents** — To simplify things, Identity Manager has made it possible to start +configuring connectors without installing a local agent in your organization's network. 
Instead, you +can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent). See the +[ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md) topic for additional information. + +## Configure a Connector + +Netwrix Identity Manager (formerly Usercube)recommends creating and configuring a connector via the +UI. See the [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) topic +for additional information. + +## Supported Systems + +| Connector | Description | Synchronization | Provisioning | +| ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------------ | +| Active Directory | Exports and fulfills data from/to an Active Directory instance. See the [Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) topic for additional information. | √ | √ | +| Azure | Exports Azure resources, role definitions and role assignments. See the [ Azure ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) topic for additional information. | √ | X | +| Microsoft Entra ID (formerly Microsoft Azure AD) | Exports and fulfills data from/to a Microsoft Entra ID instance. 
See the Microsoft Entra ID, [For Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/create-connector/azuread/index.md), and [For Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/setup-incremental-synchronization/azuread/index.md) topics for additional information. | √ | X | +| CSV | Exports data from a CSV file. See the [ CSV ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) topic for additional information. | √ | X | +| EasyVista | Exports data from an EasyVista-compliant system. See the [ EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) topic for additional information. | √ | √ | +| EasyVista Ticket | Creates tickets in an EasyVista instance. See the [ EasyVista Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) and [ Write a Template for a Ticket Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-ticket-template/index.md) topics for additional information. | X | √ | +| Google Workspace | Exports and fulfills users and groups from/to a Google Workspace instance. See the [ Google Workspace ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) topic for additional information. | √ | √ | +| Home Folder | Export home folders from input directories. See the [ Home Folder ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) topic for additional information. | √ | X | +| InternalResources | Opens manual provisioning tickets in Identity Manager. 
See the [Internal Resources](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) topic for additional information. | X | √ | +| InternalWorkflow | Retrieves provisioning order files from a connector or a resource type list, and starts a workflow accordingly. See the [InternalWorkflow](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) topic for additional information. | X | √ | +| Json | Generates JSON files for each provisioning order. See the [JSON](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/json/index.md) topic for additional information. | X | √ | +| LDAP | Exports and fulfills data from/to an LDAP-compliant system. See the [ LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) topic for additional information. | √ | √ | +| LDIF | Generates CSV source files from an LDIF file. See the [LDIF](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) topic for additional information. | √ | X | +| Microsoft Excel | Exports data from an XLSX file. See the [ Microsoft Excel ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) topic for additional information. | √ | X | +| Microsoft Exchange | Exports data from a Microsoft Exchange instance. See the [ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) topic for additional information. | √ | √ | +| OData | Exports entities from an OData instance. See the [ OData ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) topic for additional information. 
| √ | X | +| OpenLDAP | Exports and fulfills from/to an OpenLDAP directory. See the [ OpenLDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) topic for additional information. | √ | √ | +| PowerShell | Executes PowerShell scripts to generate CSV source files from otherwise unsupported sources. See the [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md), [ Write a PowerShell Script for Provisioning ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md), and [ Fulfill Microsoft Exchange via PowerShell ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/powershell-fulfill/index.md) topics for additional information. | X | √ | +| RACF | Exports data from a RACF file. See the [ RACF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) topic for additional information. | √ | X | +| Robot Framework | Executes Robot Framework scripts to fulfill data to external systems. See the [ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md), [ Write a Robot Framework Script ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md), [Interact with a Web Page via Robot Framework](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-web-page-robotframework/index.md), and [Interact with a GUI Application via Robot Framework](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/interact-gui-robotframework/index.md) topics for additional information. | X | √ | +| SAP | Exports and fulfills data from/to an SAP system. 
See the [ SAP Netweaver ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md) topic for additional information. | √ | X | +| SAP ERP 6.0 | Exports and fulfills data from/to an SAP ERP 6.0 system. See the [SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) topics for additional information. | √ | √ | +| SCIM | Exports and fulfills data from/to a SCIM-compliant web application. See the [SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md), [ Export CyberArk Data via SCIM ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-cyberark-export/index.md) and [ Provision Salesforce Users' Profiles via SCIM ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/scim-salesforce-provisioning-entitlements/index.md) topics for additional information. | √ | √ | +| ServiceNow Entity Management | Manages ServiceNow entities. See the [ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) topic for additional information. | √ | √ | +| ServiceNow Ticket | Creates tickets in ServiceNow. See the [ ServiceNowTicket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) topic for additional information. | X | √ | +| SharedFolder | Scans a Windows file directory and exports a list of folders, files, users and their associated permissions. See the [ SharedFolders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) topic for additional information. | √ | X | +| SharePoint | Exports a SharePoint's list of objects, users, groups, roles and their relationships. 
See the [SharePoint](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) and [Set up SharePoint's Export and Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/sharepoint-export/index.md)topics for additional information. | √ | √ | +| SQL | Exports data from various Database Management Systems. See the [ Sql ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) topic for additional information. | √ | X | +| SQL Server Entitlements | Exports server and database principals from Microsoft SQL Server. See the [ Sql Server Entitlements ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) topic for additional information. | √ | X | +| Top Secret | Exports the Top Secret (TSS) users and profiles. See the [ Top Secret ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) topic for additional information. | √ | X | +| Workday | Exports data from a Workday instance. See the [ Workday ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) topic for additional information. | √ | X | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md new file mode 100644 index 0000000000..93cc01b2d1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md 
@@ -0,0 +1,405 @@ +# Active Directory + +This connector exports and fulfills users and groups from/to an +[Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services) +instance. + +This page is about Directory/Active Directory. See the Active Directory topic for additional +information. + +![Package: Directory/Active Directory](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/packages_ad_v603.webp) + +## Overview + +Active Directory is a directory service developed by Microsoft for Windows domain networks. The +Active Directory connector exports Active Directory (AD) entries to Identity Manager's resource +repository. This connector also enables automated provisioning from the resource repository to the +AD. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation; See the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information. +- Opening the LDAP feed from Identity Manager's server to the Active Directory, with the ports 389 + for LDAP and 636 for LDAPS. +- A service account with reading and writing permissions on the target Active Directory instance. It + means that the Replicating Directory Changes rights are required for the service account, but also + for the Active Directory root and the AD children. See the instructions below for additional + information. +- An SSL connection which is mandatory for the AD connector to initialize and change a password. +- Enabling rights inheritance in the **Advanced Security Settings**. + +### Enable Active Directory Permissions + +To enable permissions, the Active Directory administrator must do the following: + +**Step 1 –** Check the **View** details in the Active Directory and Computers. 
+ +![Enable Permissions - Step 1](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_01.webp) + +**Step 2 –** Open the **Advanced Security Settings** dialog box for the domain root. + +![Enable Permissions - Step 2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_02.webp) + +**Step 3 –** Select the **Replicating Directory Changes** check box from the list. + +![Enable Permissions - Step 3](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_03.webp) + +**Step 4 –** To change groups' membership, in the Applies field, select Descendent Group object and +select the **Read Members** and **Write Members** check boxes from the list. + +![Read/Write Members](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_04.webp) + +**Step 5 –** To Reset Password capabilities, in the Applies field, select Descendent User object and +select the **Read lockoutTime** and **Write lockoutTime** check boxes from the list. + +![Read/Write Lockout Times](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/activedirectory/references_connectors_activedirectory_05.webp) + +Administrator rights must not be granted to the service account. Doing otherwise would create a +security breach. Administrator rights must only be granted to the target perimeter. + +## Export + +For a configured set of Active Directory entries, this connector exports all attributes from the +connector's configuration to CSV files. + +The export is executed by a job from the UI, or via Identity Manager-Export-ActiveDirectory.exe in +the command prompt. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > Connections section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +                { +                ... +                "Connections": { +                ... +                "": { +                ... +                } +                } +            } +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures a connection to the Active Directory Domain Controller +> contoso.server.com using Basic Authentication with **BaseDN**, **Login**, **Password** with +> EnableSSL for all entries ( "Filter": "(objectclass=\*)"): +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... 
+>                     "Connections": { +>                     "ADExport": { +>                     "Filter": "(objectclass=*)", +>                     "Servers": [ +>                     { +>                     "Server": "contoso.server.com", +>                     "BaseDN": "DC=contoso,DC=com" +>                     } +>                     ], +>                     "AuthType": "Basic", +>                     "AsAdLds": false, +>                     "EnableSSL": true, +>                     "Login": "Contoso", +>                     "NoSigning": false, +>                     "Password": "ContOso$123456789", +>                     "RetryDelay": 10 +>                     } +>                     } +>                 } +> ``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. | +| AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It is used for extracting the schema through the connection screen. | +| EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. recommended when using AuthType set to Basic because basic authentication packets are not encrypted by default. SSL is not available on Linux. | +| NoSigning optional | Boolean | True to disable Kerberos encryption. | +| AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. 
Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | String | Login used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. | +| Password optional | String | Password used by Identity Manager for basic authentication. It is required when AuthType is set to Basic. | +| Filter required | String | Value that filters out the corresponding entries from the AD instance which will not be exported. Only non-filtered entries are exported. The filter value complies with Microsoft's [search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| RetryDelay optional | Int32 | Time (in milliseconds) after which Identity Manager retries a timeout request. | +| RequestTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. | +| ConnectionTimeout optional | Int32 | Time (in seconds) after which a connection faces a timeout. | + +### Output details + +This connector is meant to generate: + +- A file named ``\_entries.csv, with one column for each property having a + ConnectionColumn and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + +- An additional file for each related table other than entries; +- A cookie file named ``\_cookie.bin, containing the time of the last export + in order to perform incremental exports. 
+ + **NOTE:** Most exports can be run in complete mode, where the CSV files will contain all + entries, or in incremental mode, where CSV files will contain only the entries which have been + modified since the last synchronization. + + A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) + can use the option --ignore-cookies. + +The CSV files are stored in the ExportOutput folder, and the cookie file in the ExportCookies +folder. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +For example, with the following configuration example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +                                                 +             +``` + +We would have `C:/identitymanagerContoso/Temp/ExportOutput/ADExport_entries.csv` with a column for each +scalar property. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +ADExport_entries.csv +                command,dn,objectCategory,objectGuid,objectSid,pwdLastSet,thumbnailPhoto,parentdn +            ... +``` + +Also, ADExport_member as ConnectionTable in a mapping will trigger the generation of the file +`C:/identitymanagerContoso/Temp/ExportOutput/ADExport_member.csv` with member as link attribute: + +``` +ADExport_member.csv +                command,dn,member +            ... +``` + +And `C:/identitymanagerContoso/Work/ExportCookies/ADExport_cookie.bin` + +### Synchronize multiple forests + +This connector can export resources from multiple forests trusted by the same AD domain. 
+ +It requires specifying the **Server** and **BaseDN** pairs in **Servers** for all the forests used +as source for the export. + +Each **BaseDN** will generate a cookie file, but the entries from all **BaseDN** properties will be +written to the same CSV file. + +> The following example exports data from two sources: both on the same **Server** +> (contoso.server.com), but on two different **BaseDN**s (DC=contoso,DC=com and +> DC=defense,DC=contoso,DC=com). +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... +>                     "Connections": { +>                     "ADExport": { +>                     "Servers": [ +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     }, +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     } +>                     ], +>                     "AuthType": "", +>                     "Login": "", +>                     "Password": "", +>                     "Filter": "<(objectclass=*)>", +>                     "EnableSSL": "" +>                     } +>                     } +>                 } +> ``` +> +> The export creates two cookie files: ADExport_cookie_0.bin for the first **BaseDN**, and +> ADExport_cookie_1.bin for the second **BaseDN**, but the entries of both **BaseDN** properties +> will be written in ADExport_entries.csv. + +## Fulfill + +This connector writes to the Active Directory, to create, update and delete entries, initiated +manually through the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. 
+ +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example connects to an AD LDS system located at contoso.server.com. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +>                     { +>                     ... +>                     "Connections": { +>                     ... +>                     "ADFulfillment": { +>                     "Servers": [ +>                     { +>                     "Server": "", +>                     "BaseDN": "" +>                     } +>                     ], +>                     "AuthType": "Basic", +>                     "AsAdLds": "true", +>                     "EnableSSL": true, +>                     "Login": "", +>                     "NoSigning": false, +>                     "Password": "", +>                     } +>                     } +>                 } +> ``` + +#### Setting attributes + +| Name | Type | DescriptionDetails | +| --------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | Server List | List of pairs that define the target servers, made of: - Server: domain controller URL. - BaseDN: base Distinguished Name used to connect to the related server. | +| AsAdLds optional | Boolean | True to state the managed system as an AD LDS. It isInfo: used for extracting the schema through the connection screen. | +| EnableSSL optional | Boolean | True to enable SSL protocol for authentication requests. 
**NOTE:** recommended when using AuthType set to Basic because basic authentication packets are not encrypted by default. SSL is not available on Linux. | +| NoSigning optional | Boolean | True to disable Kerberos encryption. | +| AuthType default value: Negotiate | String | Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: Anonymous - without any login/password; Basic - via the BaseDN, Login and Password attributes; Negotiate - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | String | Login used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. | +| Password optional | String | Password used by Identity Manager for basic authentication. **NOTE:** It is required when AuthType is set to Basic. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state disabled, corresponding to the useraccountcontrol +value 514. When it is approved, its disabled state is removed and the useraccountcontrol value +becomes 512. + +### Provision multiple forests + +Same as for export, this connector can fulfill resources to multiple forests trusted by the same AD +domain, by specifying the Server and BaseDN pairs in Servers for all forests. + +The following example fulfills data to two targets: both on the same Server (contoso.server.com), +but on two different BaseDNs (DC=contoso,DC=com and DC=defense,DC=contoso,DC=com). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +                { +                ... +                "Connections": { +                ... 
+                "ADFulfillment": { +                "Servers": [ +                { +                "Server": "", +                "BaseDN": "" +                }, +                { +                "Server": "", +                "BaseDN": "" +                } +                ], +                "AuthType": "Basic", +                "Login": "", +                "Password": "", +                "AsAdLds": "true" +                } +                } +            } +``` + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the ResourceType's ArgumentsExpression. + +The following example adds the attribute description with a value depending on what is modified: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +                 +                             +             +``` + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the appsettings.encrypted.agent.json file. See the + [ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) + topic for additional information. 
+- An Azure Key Vault safe; See the + [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + topic for additional information. + +- A CyberArk Vault able to store Active Directory's Login, Password and Server. See the + [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/azure/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/azure/index.md new file mode 100644 index 0000000000..defc990fdb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/azure/index.md 
@@ -0,0 +1,134 @@ +# Azure + +This connector exports +[Azure](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-azure) +resources, role definitions and assignments. + +This page is about [ Azure ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure/index.md). + +![Package: Cloud/Azure](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/azure/packages_azure_v603.webp) + +## Prerequisites + +Implementing this connector requires at least the `Security Reader` role, because Identity +Manager does not access the [Azure API](https://docs.microsoft.com/en-us/rest/api/azure/) on behalf +of a user but with [its own identity](https://docs.microsoft.com/en-us/rest/api/azure/). + +## Export + +For a given Azure tenant with resources, this connector exports Azure resources, role definitions +and role assignments to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + + ``` + + appsettings.agent.json + +{ ... "Connections": { ... "": { ... } } } + +```` + + +The identifier of the connection and thus the name of the subsection must: + +- be unique. + +- not begin with a digit. + +- not contain ```<```, ```>```, ```:```, ```"```, ```/```, ```\```, ```|```, ```?```, ```*``` and ```_```. + +> The following example +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "AzureExport": { +> "ApplicationId": "contosoAzure897", +> "ApplicationKey": "25d408a1925d4c081925b\d40819", +> "SubscriptionId": "Contoso", +> "TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c", +> "AzurePath": "https://management.azure.com/.default", +> "AzurePathApi": "https://management.azure.com", +> "ResponseUri": "https://agent.usercubecontoso.com" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --- | --- | +| ApplicationId required | __Type__ String __Description__ GUID that uniquely identifies the application registration in the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (client) ID__ | +| ApplicationKey required | __Type__ String __Description__ Secret associated with the ```ApplicationId```. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Certificate & secrets__ > __Client secrets__ > __Client Secret__ | +| TenantId required | __Type__ String __Description__ GUID that uniquely identifies the Azure tenant. __Note:__ value obtained at registration: __App registrations__ > __Owned applications__ > __Identity Manager__ > __Overview__ > __Application (tenant) ID__ | +| ResponseUri default value: ```http://localhost``` | __Type__ String __Description__ URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| | | +| --- | --- | +| SubscriptionId required | __Type__ String __Description__ GUID that uniquely identifies the subscription associated to the ```ApplicationId```. [See how to find it](https://www.youtube.com/watch?v=6b1J03fDnOg&t=3s). | +| AzurePath default value: ```https://management.azure.com/.default``` | __Type__ String __Description__ Scope requested to access a protected API. 
For this flow (client credentials), the scope should be of the form __`{ResourceIdUri/.default}`__. [See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation). | +| AzurePathApi default value: ```https://management.azure.com``` | __Type__ String __Description__ Azure Uri API. | + +### Output details + +This connector is meant to generate to the Export Output folder the following CSV files: + +```_RoleDefinition.csv``` with the following columns: + +- __id__: role definition's Azure id; +- __name__: role definition's id; +- __roleName__: role definition's name; +- __type__: role definition's type, for example it can describe if it is a built-in role or a customized one; +- __description__: role definition's description. + +```_Resource.csv``` with the following columns: + +- __id__: resource's Azure id; +- __name__: resource's name; +- __type__: resource's type; +- __location__: resource's geographical location; +- __managedBy__: GUID or Azure id of the resource's manager; +- __principalId__: resource's identity PrincipalId; +- __ResourceIdentitytype__: resource's identity type. + +```_RoleAssignment.csv``` with the following columns: + +- __id__: role assignment's Azure id; +- __name__: role assignment's id; +- __roleDefinitionId__: role definition's Azure id; +- __principalId__: Microsoft Entra ID (formerly Microsoft Azure AD)'s object GUID; +- __scope__: resource's Azure id. + +See the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)topic for additional information. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ + RSA Encryption + ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) configured in the ```appsettings.encrypted.agent.json``` file; +- An [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe; + +- A [CyberArk's AAM Credential Providers + ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) able to store Azure's ```ApplicationId``` and ```ApplicationKey```. +```` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md new file mode 100644 index 0000000000..af3e433b3d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md 
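Review bot: In the Azure connector page (`references-connectors/azure/index.md`), the Configuration example sets `ApplicationKey` to `25d408a1925d4c081925b\d40819`; `\d` is not a valid JSON escape, so a reader who copies the block gets a file that does not parse. Drop the backslash or double it. The same example sets `SubscriptionId` to `Contoso` although the table describes it as a GUID. The first configuration block opens with three backticks and closes with four, and the file ends on another four-backtick line with nothing after it; use three-backtick fences throughout and remove the trailing one. The connection key `""` and the output names `_RoleDefinition.csv`, `_Resource.csv` and `_RoleAssignment.csv` appear to have lost their identifier placeholder, and the two Prerequisites links (`Azure API` and `its own identity`) point to the same URL. Because the example shows the client secret inline, a pointer to the Credential protection section next to it would help.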
@@ -0,0 +1,114 @@ +# CSV + +This connector exports data from a [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values). + +This page is about [ CSV ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/csv/index.md). + +![Package: File/CSV](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/csv/packages_csv_v603.webp) + +## Overview + +Files in CSV format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the source file to be in CSV format. + +## Export + +This export copies the information found in a CSV file and transforms it into a new CSV file in the +Identity Manager's format. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).csv", +> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).csv", +> "Encoding": "UTF-16", +> "Separator": ";", +> "IsFileNameRegex": true, +> "NumberOfLinesToSkip": 1, +> "ValuesToTrim": [ +> "*", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`, to the Export +Output folder. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)topic +for additional information. + +For example, when exporting a connection named `HRCountries`, the output file will be named +`HRCountries.csv`. + +The file's columns come from the header line from the input CSV file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), +nor a [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. 
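Review bot: In the CSV page's Credential protection section the links are mislabeled: the first sentence has an empty link text on the `rsa-encryption` target followed by `[ Connection ]`, then `nor a [ Connection ]`, and the last sentence offers `an [ Connection ] ... safe`, all pointing at the Connection topic. The Excel page added in this same patch carries the intended wording (RSA Encryption, CyberArk's AAM Credential Providers, Azure Key Vault); reuse it here. In Output details the file name is given as `.csv` and the connection key as `""`, so the identifier placeholder is missing. For `IsFileNameRegex`, the example pattern `hr_conto(.*?).csv` leaves the final `.` unescaped and the text does not say whether the pattern must match the whole file name; since the export uses the last created file among the matches, state the matching rule so that an unintended file in the same folder cannot be picked up.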
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md new file mode 100644 index 0000000000..bf9d94bee3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md 
@@ -0,0 +1,221 @@ +# EasyVista + +This connector exports and fulfills users from/to an +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en)-compliant system. + +This page is about EasyVista . + +![Package: ITSM/EasyVista](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvista/packages_easyvista_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic; +- An EasyVista account with reading/writing permissions on the target instance; +- A view to be created in EasyVista for each type of entity to export. + +## Export + +This connector exports a list of users, with their attributes specified in the connector's +configuration, to CSV files. + +It can also export any custom entity, provided that a view exists for it in EasyVista. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... 
+> "ExportEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword", +> "ExportSettingsOptions": { +> "Profiles": "https://easy-vista.instance.com/api/v1/11111/internalqueries?queryguid={019B0523-F1C4-4G84-AA04-47BA16F16EB2}&filterguid={Z8A61D04-EZEC-42F1-A3E1-E9E09654BE68}&viewguid={2740V37A-A0ZC-4E50-A1F1-CF0987B9EFEA}" +> } +> } +> } +> } +> ``` + +The `ExportSettingsOptions` attribute is necessary only if custom entities are exported. It is not +required if only the users are exported. +Besides, `"Profiles"` is used here as an example and corresponds to a name to identify the exported +entities. + +#### Setting attributes + +| Name | Details | +| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. | +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | +| | | +| --- | --- | +| ExportSettingsOptions optional | **Type** List **Description** List of entities to retrieve from the EasyVista instance. **Note:** for any customized entity to be exported, this argument must contain its REST API URL. 
**Get REST API URLs** Access the relevant view in EasyVista and click on **...** > **Rest API Url** to copy the URL. For example: ![EasyVista Profiles View](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvista/easyvista_view_v523.webp) | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +export output folder: + +- a CSV file, named `_Employees.csv`, with one column for each property having + a `ConnectionColumn` and each property without it but used in an entity association; +- a CSV file for each customized entity, named `_.csv`. + +> For example, with the following entity type mapping for employees: +> +> ``` +> +> +> +> ``` +> +> And the following entity type mapping for profiles: +> +> ``` +> +> EntityType Identifier="EasyVista_Profiles" DisplayName_L1="EasyVista Profiles" Property Identifier="NAME_EN" DisplayName_L1="NAME_EN" TargetColumnIndex="23" Type="String" Type="String" IsKey="true" //EntityTypeEntityTypeMapping Identifier="EVProfiles" Connector="ExportEasyVista" ConnectionTable="EasyVistaExport_Profiles" Property Identifier="PROFILE_GUID">>>> ><<<<<
+> +> ``` +> +> Then we will have `C:/identitymanagerContoso/Sources/EasyVistaExport_Employees.csv` as follows: +> +> ``` +> EasyVistaExport_Employees.csv +> last_name +> Talma Bart +> Tanner Carol +> Taverner David +> Taylor Eric +> Telemann Franck +> Thomson Georges +> ... +> +> ``` +> +> Then we will have `C:/identitymanagerContoso/Sources/EasyVistaExport_Profiles.csv` as follows: +> +> ``` +> EasyVistaExport_Profiles.csv +> NAME_EN, PROFILE_GUID +> Administration {value of the PROFILE_GUID} +> LOB Manager {value of the PROFILE_GUID} +> Product Team {value of the PROFILE_GUID} +> Project Manager {value of the PROFILE_GUID} +> ... +> +> ``` + +Users created from the API are retrieved by Identity Manager only after a complete synchronization. + +## Fulfill + +The EasyVista connector writes to EasyVista to create, archive (delete from Identity Manager's point +of view) and update employees, initiated manually through the UI or automatically by reinforcing the +policy. See the [Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for +additional information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "FulfillEasyVista": { +> "Server": "https://easy-vista.instance.com/", +> "Account": "11111", +> "Login": "username", +> "Password": "userPassword" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | ------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URI of the server to connect to. | +| Account required | **Type** String **Description** Account to use to connect to the EasyVista instance. | +| Login required | **Type** String **Description** Username to use to connect to the EasyVista instance. 
| +| Password required | **Type** String **Description** Password to use to connect to the EasyVista instance. | + +### Output details + +This connector can: + +- Create and update employees and their profiles, but is limited by + [API limitations](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Integration/WebService%20REST/REST%20API%20-%20Create%20an%20employee/); + + In particular, this connector cannot set dates nor the `employee_id` property. + +- Archive employees, i.e. set the `CONTRACT_END_DATE` to the date of the fulfill execution. + + This action is performed when Identity Manager fulfills a provisioning order with a `Deleted` + change type. + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to find out more on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- A + [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. 
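Review bot: In the EasyVista page's Output details, the two entity type mapping examples are unusable: the first fenced block is empty, and the second has lost its angle brackets (`EntityType Identifier="EasyVista_Profiles" ...` ending in `>>>> ><<<<<`) and repeats `Type="String"`. Restore the XML so the `EasyVistaExport_Employees.csv` and `EasyVistaExport_Profiles.csv` samples that follow can be traced to a mapping. In Credential protection, the first bullet has an empty link text on the `rsa-encryption` target followed by `[ Connection ]`, and the second bullet reads `[ Connection ] ... safe`; the sibling pages name RSA Encryption and Azure Key Vault at these positions. `This page is about EasyVista .` has lost its link, and the first Setting attributes table is split by a stray `| | |` / `| --- | --- |` pair before `ExportSettingsOptions`.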
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md new file mode 100644 index 0000000000..b1daefb73b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md 
@@ -0,0 +1,79 @@ +# EasyVista Ticket + +This connector opens tickets in +[EasyVista](https://wiki.easyvista.com/xwiki/bin/view/Documentation/?language=en) for manual +provisioning. + +This page is about [ EasyVista Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md). + +![Package: Ticket/EasyVista](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/packages_easyvistaticket_v603.webp) + +## Overview + +EasyVista is an IT Service Manager that provides a service to organize IT resources in a company by +using tickets. This allows users to manage projects, materials and teams through a customizable +interface. + +This connector focuses on the creation of EasyVista tickets for editing manually EasyVista +resources. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md); +- An EasyVista account with reading/writing permissions on the target instance. + +## Export + +This connector exports some of EasyVista entities, see the export capabilities of the +[ EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md) connector. Some entities cannot be +exported. + +## Fulfill + +This connector writes to EasyVista to create incident and request tickets containing information to +create, update or delete a resource. It does not create a resource directly. + +Once created, the ticket is managed in EasyVista, not in Identity Manager. + +When the ticket is closed or canceled, Identity Manager updates the provisioning state of the +resource accordingly. 
See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic to +find out more on how to configure password reset settings. + +See the fulfill capabilities of the [ EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) connector. + +> For example: +> +> ``` +> appsettings.agent.json +> "EasyVistaManual": { +> "Server": "https://example.easyvista.com/", +> "Login": "username", +> "Password": "password", +> "Account": "11111" +> }, +> +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to find out more on how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- a + [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + able to store EasyVista's `Login`, `Password`, `Account` and `Server`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/excel/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/excel/index.md new file mode 100644 index 0000000000..a2539c0a5f --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/excel/index.md 
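Review bot: In the EasyVista Ticket page (`references-connectors/easyvistaticket/index.md`), the Fulfill sentence `See the [Entitlement Assignment](...) topic to find out more on how to configure password reset settings` pairs the Entitlement Assignment link with the password-reset wording used under Authentication; it follows the sentence about the provisioning state, so the trailing clause should describe that instead. The example block is a bare `"EasyVistaManual": { ... },` fragment with a trailing comma and no enclosing `Connections` object, unlike the other connector pages in this patch. In Credential protection, `An [ Connection ](...) safe` labels and targets the Connection topic where the Excel and Google Workspace pages name Azure Key Vault. The Export link to the EasyVista connector goes to `references-packages/easyvista` while the Fulfill link goes to `references-connectors/easyvista`; pick the one that documents the capabilities.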
@@ -0,0 +1,135 @@ +# Microsoft Excel + +This connector exports datasheets from a +[Microsoft Excel](https://www.microsoft.com/en-us/microsoft-365/excel) (XLSX) file. + +This page is about [ Excel ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/excel/index.md). + +![Package: File/Microsoft Excel](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/excel/packages_excel_v603.webp) + +## Overview + +Microsoft Excel files using the XLSX file format are commonly used to store information. + +## Prerequisites + +Implementing this connector requires the input file to be in the XLSX format. + +## Export + +This connector copies the information from an XLSX file into CSV files, one per spreadsheet, while +filtering out spreadsheets and trimming values if needed. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "HRContoso": { +> "Path": "C:/identitymanagerContoso/Contoso/hr_conto(.*?).xlsx", +> "PathIncremental": "C:/identitymanagerContoso/Contoso/hr_delta_conto(.*?).xlsx", +> "IsFileNameRegex": "true", +> "SheetOptions": [ +> { +> "SheetIgnored": "false", +> "NumberOfLinesToSkip": 1 +> }, +> { +> "SheetIgnored": "true" +> } +> ], +> "ValuesToTrim": [ +> "$", +> "%" +> ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path Required if PathIncremental is not defined. | **Type** String **Description** Path of the input file to be used for complete synchronization. | +| PathIncremental Required if Path is not defined. | **Type** String **Description** Path of the input file to be used for incremental synchronization. | +| IsFileNameRegex optional | **Type** Boolean **Description** `True` to enter a regex instead of a normal string for `Path` and `PathIncremental`. **Note:** if several files correspond to the regex, then the export will use the last created file. **Info:** useful when the filename is only partially known, for example when using a generated file. | +| ValuesToTrim optional | **Type** String List **Description** Ordered list of the characters to trim at the beginning and at the end of the headers and values of the input file. **Note:** the second value will be trimmed after the first, the order is important. **Example** When writing `$` first and then `%` in `ValuesToTrim`, then "$%I am an example$%" becomes "I am an example$". 
| +| | | +| --- | --- | +| SheetOptions optional | **Type** Sheet Option List **Description** List of options for each sheet of the input file. The first element of the list sets the options for the first sheet, the second element for the second sheet, etc. | + +##### SheetOptions + +| Name | Details | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | +| SheetIgnored required | **Type** Boolean **Description** `True` to exclude the sheet from export. | +| | | +| --- | --- | +| NumberOfLinesToSkip default value: 0 | **Type** Int32 **Description** Number of lines to skip in order to reach the line used as data header. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder a CSV file per spreadsheet included in the export, named +`_.csv` where `` is the spreadsheet's index. + +Note that `0` is the first index, not `1`. + +> For example, when exporting the content of a 2-sheet Excel file with a connection named +> `HRContoso`, the output files will be named `HRContoso_0.csv` for the first spreadsheet, and +> `HRContoso_1.csv` for the second. + +The file's columns come from the header line from the input Excel file. + +All columns with headers, even empty ones, will be written to the output. However, columns without +headers will not be written. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), nor +a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)Vault. + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md new file mode 100644 index 0000000000..7d8c7dd724 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md 
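Review bot: In the Excel page's Configuration example, `"IsFileNameRegex": "true"` and `"SheetIgnored": "false"` / `"true"` are quoted strings, while the tables declare both settings as Boolean and the CSV page in this patch writes `"IsFileNameRegex": true`. Use unquoted booleans so the example matches the documented type. In Output details, the file name `_.csv` and the phrase "where `` is the spreadsheet's index" have lost their placeholders, and `[Application Settings](...)Export` is missing the space after the link. In Credential protection, `[CyberArk's AAM Credential Providers ](...)Vault.` ends with a stray "Vault". Both the Setting attributes and SheetOptions tables are split by a stray `| | |` / `| --- | --- |` pair.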
@@ -0,0 +1,168 @@ +# Google Workspace + +This connector exports and fulfills users and groups from/to a +[Google Workspace](https://developers.google.com/workspace) instance. + +This page is about [ Google Workspace ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md). + +![Package: Directory/Google Workspace](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/packages_workspace_v603.webp) + +## Overview + +Google Workspace provides a set of softwares and products developed by Google. The Google Workspace +connector exports and fulfills users and groups from/to a Google Workspace instance. It exports +user-group memberships too. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account impersonating the following permission scopes: + [https://www.googleapis.com/auth/admin.directory. user](https://www.googleapis.com/auth/admin.directory.user) + and + [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group). + + See + [Google's documentation](https://developers.google.com/workspace/guides/create-credentials#googles-documentation) + Google's documentation to create the service account with the right impersonation. + + _Remember,_ Google's documentation describes this procedure as optional, while the Google + Workspace connector requires it. + +## Export + +This connector extracts users, groups and user-group memberships from a Google Workspace instance, +and write the output to CSV files. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal", +> "PageSize": "100" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. | +| | | +| --- | --- | +| PageSize default value: 50 | **Type** Int32 **Description** Number of items, i.e. users and/or groups and/or memberships, retrievable from Google Workspace by each API call (from 1 to 500). 
| + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder the following CSV files: + +- `GoogleExportFulfillment_Users.csv` and `GoogleExportFulfillment_Groups.csv` whose headers come + from the entity type mapping's `ConnectionColumn` and from the entity association mappings' + columns which are not _members_ columns; +- `GoogleExportFulfillment_Members.csv` with the following columns: + - **value**: ID of the group; + - **MemberId**: ID of the group member. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `":"` should not be used in other situations. + +> For example: +> +> ``` +> +> +> +> ``` +> +> Note that we have here `AgreedToTerms` which is a single property, and `FamilyName` which is a +> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`. + +## Fulfill + +This connector can write to Google Workspace to create, update, and/or delete users and user-group +memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "GoogleExportFulfillment": { +> "CredentialsFilePath": "C:/identitymanagerDemo/GoogleCredentials.json", +> "User": "B29607@acme.internal" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CredentialsFilePath required | **Type** String **Description** Path of Google Workspace's JSON credentials file. [See Google's documentation to create these credentials](https://developers.google.com/workspace/guides/create-credentials#see-googles-documentation-to-create-these-credentials). | +| User required | **Type** String **Description** Email address of the service account mentioned in the prerequisites section. | + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), nor +a +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)Vault. + +Still, data protection can be ensured through an +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md new file mode 100644 index 0000000000..22484b10c7 
--- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md 
@@ -0,0 +1,130 @@ +# Home Folder + +This connector exports [home folders](https://en.wikipedia.org/wiki/Home_directory)' content. + +This page is about [ Home Folders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md). + +![Package: Storage/Home Folders](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/homefolder/packages_homefolders_v603.webp) + +## Overview + +Home Folders, also called Home Directory, is a user-dedicated storage area where users' personal +files can be accessed. In general, a home folder is private so only its owner and administrators can +access it. Moreover, the folders are often centralized because they are located on a network server. +It allows making backups regularly and easily accessing the folders. + +## Prerequisites + +Implementing this connector requires: + +- reading first how to + [Set, View, Change, or Remove Special Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772196(v=ws.10)) + and check the + [File and Folder Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)) + list; +- an account with at least the special permission Read on all home folders in order to be able to + export them. + +## Export + +This connector exports all the home folders to a CSV file. + +This connector performs only complete export, not incremental. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... 
+ } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "HomeFolderExport": { +> "InputDirectories": [ +> "C:/ContosoFolder", +> "C:/ContosoFolder2", +> ], +> "Domain": "Windows", +> "Interactive": true, +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InputDirectories required | **Type** String List **Description** List of the directories that contain the home folders to be exported. | +| Domain optional | **Type** String **Description** Domain of the account used to access the home folders. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set the authentication as interactive. `False` to set it batch. [See Microsoft's documentation for more details](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera#see-microsofts-documentation-for-more-details). | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. 
**Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. | + +### Output details + +This connector is meant to generate a CSV file, named `.csv`,to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder, with the following columns: + +- **Command**: empty for now, as the connector performs only complete export. +- **Name**: name of the home folder. + +> For example, when exporting with a connection named `HomeFolderExport`, then the output file will +> be named `HomeFolderExport.csv` and will look like: +> +> ``` +> HomeFolderExport.csv +> Command,Name +> ... +> ``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)safe; + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Home Folder's `Login` and `Password`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md new file mode 100644 index 0000000000..1285168147 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md 
@@ -0,0 +1,136 @@ +# References: Connectors + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. Here is a list of reference connectors: + +- [Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) + + Exports and fulfills users and groups from/to an Active Directory instance. + +- [ Azure ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/azure/index.md) + + Exports Azure resources, role definitions and assignments. + +- [ CSV ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md) + + Exports data from a CSV file. + +- [ EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvista/index.md) + + Exports and fulfills users from/to an EasyVista-compliant system. + +- [ EasyVista Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/easyvistaticket/index.md) + + Opens tickets in EasyVista for manual provisioning. + +- [ Google Workspace ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/googleworkspace/index.md) + + Exports and fulfills users and groups from/to a Google Workspace instance. + +- [ Home Folder ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/homefolder/index.md) + + Exports home folders' content. + +- [InternalWorkflow](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) + + Triggers workflows in Identity Manager for a system's provisioning orders. 
+ +- [Internal Resources](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md) + + Opens manual provisioning tickets in Identity Manager. + +- [JSON](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/json/index.md) + + Generates JSON files for each provisioning order. + +- [ LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) + + Exports and fulfills entries from/to a LDAP-compliant system. + +- [LDIF](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md) + + Exports entries from a LDIF file. + +- [ Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md) + + Exports and fulfills user and groups from/to a Microsoft Entra ID instance. + +- [ Microsoft Excel ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/excel/index.md) + + Exports datasheets from a Microsoft Excel (XLSX) file. + +- [ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md) + + Exports mailboxes from a Microsoft Exchange instance. + +- [ OData ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/odata/index.md) + + Exports and fulfills entries from/to an OData instance. + +- [Okta](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/okta/index.md) + + Exports and fulfills entries from/to an Okta instance. + +- [ OpenLDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md) + + Exports and fulfills entries from/to an OpenLDAP directory. 
+ +- [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) + + Writes to an external system via a PowerShell script. + +- [ PowerShellSync ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md) + + Exports data from an external system via a Powershell script. + +- [ RACF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/racf/index.md) + + Exports users and profiles from a RACF file. + +- [ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md) + + Writes to an external system via a Robot Framework script. + +- [SAP ERP 6.0 and SAP S4/HANA](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md) + + Exports and fulfills users and roles from/to a SAP ERP 6.0 or SAP S4/HANA instance. + +- [ SAP Netweaver ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md) + + Exports and fulfills users and roles from/to a SAP Netweaver instance. + +- [SCIM](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md) + + Exports and fulfills entities from/to a SCIM-compliant application. + +- [ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) + + Exports and fulfills any data from/to a ServiceNow CMDB. + +- [ ServiceNowTicket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md) + + Opens tickets in ServiceNow for manual provisioning. 
+ +- [ SharedFolders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md) + + Exports users and permissions from Windows shared folders. + +- [SharePoint](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md) + + Exports sites, folders, groups and permissions from a SharePoint instance. + +- [ Sql ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) + + Exports data from one of various Database Management Systems. + +- [ Sql Server Entitlements ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md) + + Exports entitlements from Microsoft SQL Server. + +- [ Top Secret ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md) + + Exports users and profiles from a Top Secret (TSS) instance. + +- [ Workday ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/workday/index.md) + + Exports users and groups from a Workday instance. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md new file mode 100644 index 0000000000..f0b087a827 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalresources/index.md 
@@ -0,0 +1,20 @@ +# Internal Resources + +This connector opens manual provisioning tickets in Identity Manager. + +This page is about: + +- Ticket/Identity Manager +- Ticket/Identity Manager And Create/Update/Delete resources + +See the [ Manual Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) and +[ Manual Ticket and CUD Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) +topics for additional information. + +![Package: Ticket/identitymanager](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticket_v603.webp) + +![Package: Ticket/identitymanager And Create/Update/Delete resources](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalresources/packages_identitymanagerticketcud_v603.webp) + +See the +[ Provision Manually ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md new file mode 100644 index 0000000000..110eb3ce0e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md 
@@ -0,0 +1,210 @@ +# InternalWorkflow + +This connector triggers workflows in Identity Manager for a system's provisioning orders. + +This page is about Identity Manager Internal Workflow. See the +[ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) topic for additional information. + +![Package: Usercube/Workflow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/packages_workflow_v603.webp) + +## Overview + +This connector is singular because it does not connect Identity Manager to an external system. + +Instead, it is made to read the provisioning orders of a given connector or resource type, and +launch specific workflows still within Identity Manager, depending on each order's type (creation, +update, deletion). + +It works via a JSON file used to set the workflow to launch along with its arguments such as its +message and body. + +## Prerequisites + +Implementing this connector requires: + +- Knowledge of the basic principles of Identity Manager's workflows. See the + [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) topic for additional information. +- Configuring in Identity Manager the workflows for the arrival of a new user, the update of a + pre-existing user, and for the departure of a user + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector retrieves the files containing provisioning orders that correspond to a given list of +connectors or resource types, and then starts workflows according to the type of the provisioning +orders (Added, Modified, Deleted) found in the JSON files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > **Connections** section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +**NOTE:** The identifier of the connection and thus the name of the subsection must: + +- be unique +- not begin with a digit +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "HR_Person_To_Directory_UserRecord": { +        "WorkflowJsonPath": "" +    } +  } +} +``` + +The configuration setting must have the following attributes: + +| Name | Type | Description | +| ------------------------- | ------ | ------------------------------------------------------- | +| WorkflowJsonPath required | String | Path of the JSON file used to configure this connector. | + +WorkflowJsonPath + +The file specified in WorkflowJsonPath must have a specific structure. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +FulfillInternalWorkflow.json +{ +  "SourceEntityIdentifier": "Directory_UserRecord", +  "NavigationToTargetEntity": "User", +  "NavigationTargetToSource": "Records", +  "TargetEntityTypeIdentifier": "Directory_User", +  "FulfillInternalWorkflowConfigurations": [ +    { +      "ChangeType": "Added", +      "Model": { +        "WorkflowIdentifier": "Directory_User_StartInternal", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow start: $Changes:LastName$ - $Changes:FirstName$, EmployeeId: $Changes:EmployeeId$", +        "Body": "body of workflow $Changes:EmployeeId$ - $Changes:Site.Label$" +      }, +      "ScalarProperties": [ +        "LastName", +        "FirstName", +        "ContractStartDate", +        "ContractEndDate" +      ], +      "NavigationProperties": [ +        "Category", +        "Service", +        "Site" +      ] +    }, +    { +      "ChangeType": "Modified", +      "Model": { +        "WorkflowIdentifier": "Directory_User_ChangeName", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow Update: $Resource:LastName$ - $Resource:FirstName$, EmployeeId: $Resource:EmployeeId$", +        "Body": "body of workflow Update for  $Resource:EmployeeId$ " +      }, +      "ScalarProperties": [ +        "FirstName", +        "LastName" +      ] +    }, +    { +      "ChangeType": "Deleted", +      "Model": { +        "WorkflowIdentifier": "Directory_User_End", +        "TransitionIdentifier": "ActionWithRefine-ActionPending-Execute", +        "Message": "workflow end Directory_Person for $Resource:LastName$ - $Resource:FirstName$", +        "Body": "body if workflow end for $Resource:LastName$ - $Resource:FirstName$" +      }, +      "DateProperties": [ +        "ContractEndDate" +      ] +    } +  ] +} + +``` + +_Remember,_ as workflows' aspects are computed during the fulfill process, all the required +properties must be present in the 
provisioning order and in this JSON file. + +Setting attributes + +The table below summarizes the setting attributes. + +| Name | Type | Description | +| ----------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Body required | String | Body of the message transmitted by the workflow. | +| ChangeType required | String | Type of the provisioning order: Added; Modified; Deleted. | +| DateProperties optional | DateTime List | List of the properties corresponding to the dates that the workflow is to fill in. **NOTE:** When not specified and ChangeType is set to Deleted, then the dates are filled with the workflow's execution date. | +| Message required | String | Message sent to the accounts impacted by the workflow. | +| NavigationProperties optional | String List | List of the navigation properties to get from the provisioning orders in order to complete the workflow. | +| NavigationTargetToSource optional | String | Navigation property that makes the link from the target entity type to the source entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. See the[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information. | +| NavigationToTargetEntity optional | String | Navigation property that makes the link from the source entity type to the target entity type. **NOTE:** Required when using records. For example, it's not required when working with departments or sites. 
See the[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topic for additional information. | +| ScalarProperties optional | String List | List of the scalar properties to get from the provisioning orders in order to complete the workflow. | +| SourceEntityIdentifier required | String | Identifier of the source entity type of the workflow. | +| TransitionIdentifier required | String | Identifier of the workflow's transition after execution. | +| TargetEntityTypeIdentifier required | String | Identifier of the target entity type of the workflow. | +| WorkflowIdentifier optional | String | Identifier of the workflow to be started. **NOTE:** Optional but recommended because it acts as default value when there is no related ArgumentsExpression or it does not return a valid identifier. See the[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. | + +The table below summarizes the variables for messages and bodies. + +| Name | Type | Description | +| -------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Changes | String List | Prefix used to get data from the **Changes** section of the provisioning order. Example **Changes:LastName** retrieves the value of the **LastName** property from the order's changes. | +| Resource | String List | Prefix used to get data from Identity Manager's database. Example **Resource:LastName** retrieves the value of the **LastName** property from the database. | + +### Output details + +All three types of workflows (onboarding, update and off-boarding) can be completed with the fulfill +Internal Workflow. 
+ +## Authentication + +See the following to figure out authentication. + +Password reset + +This connector does not reset passwords. + +Credential protection + +This connector has no credential attributes, and therefore does not use RSA encryption, nor a +CyberArk Vault. See the +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) +topics for additional information. + +Still, data protection can be ensured through an Azure Key Vault safe. See the +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)topic +for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/json/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/json/index.md new file mode 100644 index 0000000000..d5a1be938a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/json/index.md @@ -0,0 +1,10 @@ +# JSON + +This connector generates [JSON](https://www.json.org/json-en.html) files for each provisioning +order. + +This page is about [ JSON ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/json/index.md) + +![Package: Custom/JSON](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/json/packages_json_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. 
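Review bot: in googleworkspace/index.md, the Credential protection section says the connector "has no credential attributes", yet both Setting attributes tables document `CredentialsFilePath` as the path of Google Workspace's JSON credentials file, so the secret for this connector is a file on the agent's disk that neither RSA Encryption nor the CyberArk provider covers. Suggest stating that in the Credential protection section and telling the reader to restrict read access on that file to the account running Identity Manager. Also in this hunk: the `| | |` / `| --- | --- |` pair before the `PageSize` row splits the export table in two, the `ConnectionColumn` example fence is empty although the text below it discusses `AgreedToTerms` and `Name:FamilyName`, and the Google link carries a fragment (`#see-googles-documentation-to-create-these-credentials`) that looks generated from the link text rather than taken from the target page.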
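Review bot: in homefolder/index.md, the Credential protection list has lost its link texts and targets: the first bullet is an empty-text link to rsa-encryption followed by a `[ Connection ]` link, the second reads "An [ Connection ] safe", and the third is again `[ Connection ]`, all pointing at `/toolkit/xml-configuration/connectors/connection/index.md`. As written, the page does not tell the reader which mechanisms can hold `Login` and `Password`. The Google Workspace page in this same patch links RSA Encryption, Azure Key Vault and CyberArk's AAM Credential Providers under agent-configuration, and these bullets look like they were meant to carry the same titles and targets. This matters here because the example puts `"Password": "ContOso$123456789"` in clear text in `appsettings.agent.json`. Smaller points: the `InputDirectories` array in the example has a trailing comma after `"C:/ContosoFolder2"`, and the connection-identifier placeholder is missing both from `"": {` and from "named `.csv`".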
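Review bot: in internalworkflow/index.md, the sentence "Code attributes enclosed with `<>` need to be replaced with a custom value" appears three times, but none of the samples contains an angle-bracket placeholder: the connection key is `"": {`, `"WorkflowJsonPath": ""` is empty, and FulfillInternalWorkflow.json holds only concrete values. The placeholders appear to have been stripped; restore them or drop the sentence, and note that "before entering the script in the command line" does not fit a JSON settings file in any case. The labels `WorkflowJsonPath`, `Setting attributes`, `Password reset` and `Credential protection` are plain paragraphs on this page, while the other connector pages in this patch mark the same sections with `###`/`####` headings. Typo in the Deleted model: "body if workflow end".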
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md new file mode 100644 index 0000000000..4242433ae9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md 
@@ -0,0 +1,287 @@ +# LDAP + +This connector exports and fulfills entries from/to an [LDAP](https://ldap.com/)-compliant system. + +This page is about: + +- [ Generic LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md); +- [ Oracle LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md); +- [ Apache Directory ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md); +- [ Red Hat Directory Server ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md). + +![Package: Directory/Generic LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapgeneric_v603.webp) + +![Package: Directory/Oracle LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldaporacle_v603.webp) + +![Package: Directory/Apache Directory](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapapache_v603.webp) + +![Package: Directory/Red Hat Directory Server](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldap/packages_ldapredhat_v603.webp) + +## Overview + +The Lightweight Directory Access Protocol (LDAP) is a flexible and well supported standards-based +mechanism for interacting with directory servers. + +## Prerequisites + +Implementing this connector requires reading first the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation. + +## Export + +For a configured set of LDAP entries, this connector exports the list of all attributes from the +connector's configuration. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "LDAPExport": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Controls": [ +> "PagedResult", +> "DomainScope" +> ], +> "NoSigning": false, +> "EnableSSL": true +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(objectclass=*)", +> "Scope": "Subtree" +> }, +> { +> "Table": "member", +> "BaseDN": "DC=contoso,DC=com", +> "Filter": "(&(member=*)(objectclass=groupOfEntries))", +> "Scope": "Subtree" +> } +> ], +> "SizeLimit": 5000, +> "TimeLimit": 5, +> "TimeOut": 30 +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of servers to connect to. | +| Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve entries and links. **Note:** having a table named `entries` is mandatory. | +| SizeLimit optional | **Type** Int32 **Description** Maximum number of objects returned in the search request. **Note:** ignored when using `Servers`:`Controls`. 
| +| TimeLimit optional | **Type** Int32 **Description** Maximum duration (in seconds) of the request. | +| TimeOut optional | **Type** Int32 **Description** Time period (in seconds) before the connection to the LDAP is closed. | + +##### Servers + +| Name | Details | +| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the target domain controller. | +| Controls optional | **Type** String List **Description** List of the controls that will be applied to the request. Possible values are: `PagedResult` to limit the number of returned queries. Results will be returned in smaller and limited packets. `DomainScope` to enable domain control, i.e. the LDAP server won't generate any referrals when completing a request, and the search is restricted to a single name context. **Note:**`PagedResult` is required when using `DomainScope`. [See more details in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap-server-domain-scope-oid). | +| | | +| --- | --- | +| EnableSSL optional | **Type** Boolean **Description** `True` to enable SSL protocol for authentication requests. **Note:** recommended when using `AuthType` set to `Basic` because basic authentication packets are not encrypted by default. **Info:** SSL is not available on Linux. 
| +| NoSigning optional | **Type** Boolean **Description** `True` to disable Kerberos encryption. | +| | | +| --- | --- | +| AuthType default value: Negotiate | **Type** String **Description** Authentication method used by Identity Manager to authenticate to the server. Access is granted to the target domain controller: `Anonymous` - without any login/password; `Basic` - via the `BaseDN`, `Login` and `Password` attributes; `Negotiate` - via GSS-API negotiations with the Kerberos mechanism used for authentication. | +| Login optional | **Type** String **Description** Login used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | +| Password optional | **Type** String **Description** Password used by Identity Manager for basic authentication. **Note:** required when `AuthType` is set to `Basic`. | + +##### Tables + +| Name | Details | +| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BaseDN required | **Type** String **Description** Base Distinguished Name to be used to connect to the server. | +| Table required | **Type** String **Description** Name of the table: it should be `entries` for the main entries, and the name of the LDAP's link attribute otherwise. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder one file per element in **Tables**, named `_.csv`, +with one column for each property having a `ConnectionColumn` and each property without it but used +in an entity association. + +Any property can be exported in a specific format when specified. See the +[ References: Format for the EntityPropertyMapping ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) +topic for additional information. + +> With the previous example and the following entity type mapping: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/identitymanagerContoso/Temp/ExportOutput/LDAPExport_entries.csv` like: +> +> ``` +> LDAPExport_entries.csv +> displayName,dn,entryUuid,objectClass,ou,parentdn +> ... +> +> ``` +> +> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/LDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> dn,member +> ... +> +> ``` + +## Fulfill + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Identity Manager UI or by assignment policy enforcement. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LDAPFulfillment": { +> "Servers": [ +> { +> "Server": "contoso.server.com", +> "AuthType": "Basic", +> "Login": "Contoso", +> "Password": "ContOso$123456789" +> } +> ], +> "Tables": [ +> { +> "Table": "entries", +> "BaseDN": "DC=contoso,DC=com" +> } +> ], +> "IsLdapPasswordReset": true, +> "AsAdLds": false +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Servers required | **Type** Server List **Description** List of servers to connect to. | +| Tables required | **Type** Table List **Description** List of specific setting attributes to retrieve the entries and the links. **Note:** having a table named `entries` is mandatory. | +| AsAdLds required | **Type** Boolean **Description** `True` to state the managed system as an AD LDS. | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn how to configure password reset settings. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + LDAP's `Login`, `Password` and `Server`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md new file mode 100644 index 0000000000..cdccbd6922 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldif/index.md 
@@ -0,0 +1,105 @@ +# LDIF + +This connector exports entries from an +[LDIF](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) file. + +This page is about [ LDIF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/ldif/index.md). + +![Package: Directory/LDIF](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/ldif/packages_ldif_v603.webp) + +## Overview + +The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for +representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. +LDIF conveys directory content as a set of records, one record for each object (or entry). It also +represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record +for each update request. + +## Prerequisites + +Implementing this connector requires no particular prerequisites. + +## Export + +This connector generates a CSV file from an input LDIF file containing entries to be exported. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "LdifExport": { +> "LDIFFile": "C:/identitymanagerContoso/Contoso/contoso.ldif", +> "FilterAttribute": "objectClass", +> "FilterValues": "user organizationalUnit", +> "Attributes": [ "dn", "objectClass", "cn", "SAMAccountName", "Name", "userprincipalname" ], +> "LdifEncoding": "UTF-8", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| LDIFFile required | **Type** String **Description** Path of the LDIF input file. | +| FilterAttribute required | **Type** String **Description** Property from the connector's configuration whose value is to be compared with the values from `FilterValues`, in order to filter the entries to export. | +| FilterValues required | **Type** String **Description** List of values to be compared with the value of `FilterAttribute`, in order to filter the entries to export. Identity Manager will export only the entries matching the filter. **Note:** multiple values must be separated by white spaces. | +| Attributes required | **Type** String List **Description** List of properties from the connector's configuration to be exported. | +| LdifEncoding default value: UTF-8 | Encoding of the file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). 
| + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder a CSV file named `LdifExport.csv`, with the following columns: + +``` +LdifExport.csv +Command,dn,objectClass,cn,SAMAccountName,Name,userprincipalname +Insert,value1,value2,...,valueN +``` + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Credential protection + +This connector has no credential attributes, and therefore does not use +[](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), +nor a [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)Vault. + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md new file mode 100644 index 0000000000..da6d9bec23 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/index.md 
@@ -0,0 +1,260 @@ +# Microsoft Entra ID + +This connector exports and fulfills user and groups from/to a +[Microsoft Entra ID](https://www.microsoft.com/fr-fr/security/business/identity-access/microsoft-entra-id) +(formerly Microsoft Azure AD) instance. + +See the[ Microsoft Entra ID ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md)topic for +additional information. + +![Package: Directory/Microsoft Entra ID](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/microsoftentraid/packages_azuread_v603.webp) + +## Overview + +Microsoft Entra ID is Microsoft's cloud-based identity and access management service which helps +your employees sign in and access resources in: + +- External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS + applications; +- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps + developed by your own organization. + +## Prerequisites + +Implementing this connector requires giving Identity +Manager [application permissions](https://docs.microsoft.com/en-us/graph/auth/auth-concepts#application-permissions), +because Identity Manager does not access the +[Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) on behalf +of a user but with [its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-service), and +delegated permissions are not enough. These application permissions require the consent of an +administrator of the target Microsoft Entra ID tenant. 
+ +See the[Register for Microsoft Entra ID](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/azuread-register/index.md) topic on how to +register Identity Manager as an application with the Microsoft Identity Platform in order to grant +Identity Manager a service account which authenticates with the target Microsoft Entra ID. + +## Export + +For a configured set of directory objects on an Microsoft Entra ID instance, this connector exports +the list of configured attributes in the associated entity type mapping to a CSV file. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration. See the +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +Or in the `appsettings.agent.json > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +**NOTE:** The identifier of the connection and thus the name of the subsection must: + +- be unique +- not begin with a digit +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_` + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "MicrosoftEntraIDExport": { +        "ApplicationId": "", +        "ApplicationKey": "<25d408a1925d4c081925b\d40819>", +        "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", +        "MicrosoftGraphPathApi": "", +        "ResponseUri": "" +    } +  } +} +``` + +Setting attributes + +The table below summarizes the setting attributes of Microsoft Entra ID connector. 
+ +| Name | Type | Description | +| -------------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApplicationId (required) | String | GUID that uniquely identifies the application registration in the Azure tenant. **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** | +| ApplicationKey (required) | String | Secret associated with the `ApplicationId` **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** | +| TenantId (required) | String | GUID that uniquely identifies the Azure tenant. **NOTE:** The value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** | +| ResponseUri (default value: `http://localhost`) | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). | +| MicrosoftAuthorityPath (optional) | String | Pattern for Microsoft Authority Path. | +| MicrosoftGraphPath (default value: https://graph.microsoft.com/.default) | String | Scope requested to access a protected API. **NOTE:** For this flow (client credentials), the scope should be of the form `{ResourceIdUri/.default}`. 
[See Microsoft's documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#see-microsofts-documentation) for additional information. | +| MicrosoftGraphPathApi (default value: `https://graph.microsoft.com/v1.0/`) | String | Microsoft Graph Uri API. | + +### Output details + +This connector is meant to generate the following files: + +- `_directoryobjects.csv` containing the property values from the entity type + mapping associated with the connection. + + **NOTE:** The values are exported from the entities listed in the attribute `C0` of the + `EntityTypeMapping`. + + For example, with the following configuration: + + Code attributes enclosed with `<>` need to be replaced with a custom value before entering the + script in the command line. + + ``` + + +    +    +    + + + ``` + + Four entities are exported (`user`; `group`; `directoryRole`; `servicePrincipal`) and whose + names are to be found in the column `@odata.type`. Then + `MicrosoftEntraIDExport_directoryobjects.csv` looks like: + + ``` + MicrosoftEntraIDExport_directoryobjects.csv + Command,@odata.type,accountEnabled,id,mail + ... + ``` + + _Remember,_ attributes described as "Supported only on the Get `` API" in the + [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0) + documentation cannot be retrieved through this connector. The export task will raise an error if + these attributes are used in your EntityTypeMapping. + + This connector supports + [Microsoft Entra ID Schema Extensions](https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions) + but does not support + [Microsoft Graph Schema Extensions](https://docs.microsoft.com/en-us/graph/extensibility-schema-groups). + +- `__.csv` describing the navigation property from + one entity to another. 
+ + For example `AzureADExport_members_group.csv` would look like: + + ``` + MicrosoftEntraIDExport_members_group.csv + Command,groupId,id + ... + ``` + + Where command can be `insert`, `update` or `delete`; groupId is the id of the group; id is the + id of the group member (in this context). + + **NOTE:** Only the navigation properties `members` and `owners` are exported. These navigation + properties are automatically detected according to the data exported. + +- one file `_cookie_.bin` per entity, containing an URL with a + `delta token` useful for incremental export. + + > For example `MicrosoftEntraIDExport_cookie_user.bin` + + _Remember,_ most exports can be run in complete mode, where the CSV files will contain all + entries, or in incremental mode, where CSV files will contain only the entries which have been + modified since the last synchronization. + + A task can use the IgnoreCookieFile boolean property, and a command line (with an executable) + can use the option --ignore-cookies. + +The CSV files are stored in the Export Output folder, and the cookie file in the Export Cookies +folder. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +For more details, see Microsoft's documentation on +[columns and attributes synchronized to Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized). + +## Fulfill + +This connector writes to the Microsoft Entra ID, to create, update and delete Microsoft Entra ID +objects, initiated manually through the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "MicrosoftEntraIDFulfillment": { +        "ApplicationId": "", +        "ApplicationKey": "<84468d65324ghj\de9864d3d7e89026>", +        "TenantId": "<25d40819-f23f-4837-9d50-a9a52da50b8c>", +        "MicrosoftGraphPathApi": "", +        "ResponseUri": "" +    } +  } +} +``` + +Setting attributes + +The table below summarizes the setting attributes. + +| Name | Type | Description | +| ---------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationId required | String | GUID that uniquely identifies the application registration in the Azure tenant. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (client) ID** | +| ApplicationKey required | String | Secret associated with the `ApplicationId`. **NOTE:** value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Certificate & secrets** > **Client secrets** > **Client Secret** | +| TenantId required | String | **NOTE:** GUID that uniquely identifies the Azure tenant. value obtained at registration: **App registrations** > **Owned applications** > **Identity Manager** > **Overview** > **Application (tenant) ID** | +| ResponseUri default value: `http://localhost` | String | URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the [app registration](https://aka.ms/msal-net-register-app). 
| +| MicrosoftGraphPathApi default value: https://graph.microsoft.com/v1.0/ | String | Microsoft Graph Uri API. | + +### Output details + +This connector can create a new resource, update and delete any Microsoft Entra ID objects and +groups' memberships via the UI. + +## Authentication + +See the following to figure out authentication. + +Password reset + +See +the[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +Credential protection + +Data protection can be ensured through: + +- [ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), + configured in the `appsettings.encrypted.agent.json` file +- An [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) + safe; + +- A + [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + Vault able to store Microsoft Entra ID's `ApplicationId` and `ApplicationKey`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md new file mode 100644 index 0000000000..e23617406f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/index.md 
@@ -0,0 +1,162 @@ +# Microsoft Exchange + +This connector exports mailboxes from a +[Microsoft Exchange](https://support.microsoft.com/en-us/office/what-is-a-microsoft-exchange-account-47f000aa-c2bf-48ac-9bc2-83e5c6036793) +instance. + +This page is about [ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md). + +![Package: Server/Microsoft Exchange](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/microsoftexchange/packages_exchange_v603.webp) + +## Overview + +Microsoft Exchange Server is Microsoft's email, calendar, contact, scheduling and collaboration +platform. It is deployed on the Windows Server operating system (OS) for business use. This +connector uses +[Exchange Server PowerShell (Exchange Management Shell)](https://docs.microsoft.com/en-us/powershell/exchange/exchange-management-shell?view=exchange-ps) +to export databases and mailboxes. + +## Prerequisites + +Implementing this connector requires: + +- a Microsoft Exchange Server 2010, or later. + [See here Exchange Server 2016's requirements](https://docs.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2016); +- installing Windows PowerShell. + [See how to connect to Exchange servers using remote PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps). + +## Export + +This connector exports +[mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps) +and +[mailbox databases](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailboxdatabase?view=exchange-ps). +Two CSV files are generated, one with the +[mailbox properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)) +(like `Database`, `EmailAddresses`, `ServerName` , etc.) 
and the other with +[mailbox database properties](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)) +(like `Name`, `Server`, `Mounted`, etc.). These properties are explicitly part of the PowerShell +script used by Identity Manager. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "MicrosoftExchangeExport": { +> "AuthType": "Kerberos", +> "Server": "http://mailbox01.contoso.com/PowerShell/" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** Address of the Exchange Server used by the remote PowerShell: `http:///PowerShell/` where `` is the fully qualified domain name of the Exchange server, like `mailbox01.contoso.com`. | +| PowerShellScriptPath default value: `{your usercube path}/Runtime/Export-Exchange.ps1` | **Type** String **Description** Path of the export script file. 
| + +### Output details + +This connector is meant to generate the following files: + +- `_mailboxes.csv` with the following columns: + + ``` + _databases.csv + Command,Database,EmailAddresses,UseDatabaseRetentionDefaults,RetainDeletedItemsUntilBackup,DeliverToMailboxAndForward,ExchangeGuid,ExchangeUserAccountControl,ForwardingAddress,ForwardingSmtpAddress,IsMailboxEnabled,ProhibitSendQuota,ProhibitSendReceiveQuota,RecoverableItemsQuota,RecoverableItemsWarningQuota,CalendarLoggingQuota,IsResource,IsLinked,IsShared,SamAccountName,AntispamBypassEnabled,ServerName,UseDatabaseQuotaDefaults,UserPrincipalName,WhenMailboxCreated,IsInactiveMailbox,AccountDisabledIsDirSynced,Alias,OrganizationalUnit,DisplayName,MaxSendSize,MaxReceiveSize,PrimarySmtpAddress,RecipientType,RecipientTypeDetails,Identity,IsValid,Name,DistinguishedName,Guid,ObjectCategory,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + > For example, we could have + > `C:/identitymanagerContoso/Temp/ExportOutput/MicrosoftExchangeExport_mailboxes.csv`. + + [See more details on mailbox properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328629(v=exchg.140)). + +- `_databases.csv` with the following columns: + + ``` + _databases.csv + Command,Name,Server,Mounted,ObjectCategory,Guid,WhenChangedUTC,WhenCreatedUTC,ObjectState + Insert,value1,value2,...,valueN + ``` + + [See more details on mailbox database properties in Microsoft's documentation](https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/ff328150(v=exchg.140)). + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. 
+ +The CSV files are stored in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output, and the cookie file in the Export Cookies folder. + +## Fulfill + +This connector can create, update or +delete[ mailboxes](https://docs.microsoft.com/en-us/powershell/module/exchange/get-mailbox?view=exchange-ps)' +addresses (PrimarySmtpAddress, ProxyAddress) and mailbox databases. + +As it works via a PowerShell script. See the [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic +for additional information. + +Identity Manager's PowerShell script can be found in the SDK in +`Usercube.Demo/Scripts/Fulfill-Exchange.ps1`. + +See the [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic for additional information. + +## Authentication + +### Authentication Type + +This connector uses Kerberos authentication when trying to connect with the Exchange Server. + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)able to store + Microsoft Exchange's `Server`. + +This kind of credential protection can be used only for the export process. 
+ +The fulfill process' credentials can be protected by following the instructions for the +PowerShellProv connector. See the [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md) topic for +additional information diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/odata/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/odata/index.md new file mode 100644 index 0000000000..7a0b5e7a34 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/odata/index.md 
@@ -0,0 +1,135 @@ +# OData + +This connector exports and fulfills data from/to an [OData](https://www.odata.org/) instance. + +This page is about [ OData ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odata/index.md). + +![Package: Custom/OData](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/odata/packages_odata_v603.webp) + +## Overview + +OData (Open Data Protocol) comply with ISO/IEC and OASIS standards. This protocol defines the best +approaches for using RESTful APIs. OData helps you focus on your business logic while building +RESTful APIs without having to worry about the various approaches to define request and response +headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, +etc. + +## Prerequisites + +Implementing this connector requires reading first the appsettings documentation. + +Identity Manager's service is based on +[OData RFC](https://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html). + +## Export + +This connector extracts all entity sets with all the information needed to rebuild them. This is +based on the connector's metadata. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "ODataExport": { +> "Server": "https://YourODataService.com/", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------- | ----------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the data system. | +| Login optional | **Type** String **Description** Login to connect to the system. | +| Password optional | **Type** String **Description** Password to connect to the system. | +| BearerToken optional | **Type** String **Description** Token to authenticate to the system. | +| ClientId optional | **Type** String **Description** Id to connect to the system via OpenId. | +| ClientSecret optional | **Type** String **Description** Password to connect to the system via OpenId. | +| AuthenticationUrl optional | **Type** String **Description** URL to request the authentication via OpenId. | + +#### XML configuration requirements + +This connector requires from the XML configuration: + +- An + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md): + - with the same identifier as the related entity type; + - related to the right connector; + - related to a connection table named `_`; + - with properties whose connection columns represent the property's path in the entity, see the + configuration example below; +- An + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md): + - with the same identifier as the related entity association; + - with its `Column1` in the format `UsercubeNav_:` for the + related property in the association; + - with its `Column2` in the format `Of:` for the related + property in the association; + - related to a connection table named `__`. 
+ +The information contained in the entity types and entity associations does not impact the export. + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder one CSV file for each entity set provided in the connector's configuration. + +The files' column headers come from the entity type mapping's `ConnectionColumn` properties. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character `":"` should not be used in other situations. + +> For example: +> +> ```xml +> +> +> +> +> ``` +> +> ```xml +> +> +> +> +> ``` +> +> Note that we have here `UserName` which is a single property, and `FamilyName` which is a +> sub-property of `Name`, hence the name `Name:FamilyName` as the `ConnectionColumn`. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/okta/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/okta/index.md new file mode 100644 index 0000000000..fd20578851 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/okta/index.md 
@@ -0,0 +1,277 @@ +# Okta + +This connector exports and fulfills entries from/to Okta application. + +![okta](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/okta/okta.webp) + +## Overview + +Okta is an access management solution that provides SSO and federation capabilities for single +sign-on, multi-factor authentication, and API access management. Okta's platform is widely used by +organizations to protect accesses for digital identities in an increasingly complex and +interconnected digital world. + +### Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation +- An Okta Token with specific permissions on the target instance + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. + +### Configuration + +To configure the Okta connector it is necessary to: + +**Step 1 –** Create a new user for Netwrix Identity Manager (formerly Usercube). + +In order to do so you must connect to the Okta administration console +`https://myexample-admin.okta.com` and create a new Netwrix Identity Manager (formerly Usercube) +user. + +**NOTE:** For some Okta deployments it is possible to create a service account or to Manage an Okta +user account as a service account. + +**Step 2 –** Assign administrator role and permissions to the Netwrix Identity Manager (formerly +Usercube) user. + +**Step 3 –** Generate a Token for the Netwrix Identity Manager (formerly Usercube) user. + +See the +[Okta documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/service-accounts/service-accounts-overview.htm) +for additional information. + +### Export + +This connector exports a list of users, groups, applications with their attributes specified in the +connector's configuration, to CSV files. 
+ +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +appsettings.agent.json > Connections section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} + +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} + +``` + +### Setting attributes + +| Name | Type | Description | +| --------------- | ------ | ----------------------- | +| Server required | String | URI of the data system. | +| ApiKey required | String | User token value. 
| + +### Output details + +This connector can create, delete and update users, groups and applications, and is meant to +generate the following to the ExportOutput folder : + +- A CSV file, named ``\_users.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groups.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_apps.csv, with one column for each property either + having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groupsapps.csv, with one column for each property + either having a ConnectionColumn or which is used in an entity association; +- A CSV file, named ``\_groupsusers.csv, with one column for each property + either having a ConnectionColumn or which is used in an entity association; + +For example, with the following entity type mapping for users: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     +     +     +     +     +     +     +     +     +     +….   + +   +     +     +     +     +     +     +     +     +     +     +     +   + +``` + +And the following entity type mapping for groups: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +   + +``` + +And the following entity type mapping for applications: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +  +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +   + +``` + +Then we will have `C:/identitymanagerContoso/Sources/OktaExportFulfillment_users.csv` as follows: + +``` +id, status, created, activated, statusChanged, lastLogin, lastUpdated, passwordChanged, type.id, profile.city, profile.costCenter, profile.countryCode, profile.department, profile.displayName +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_groups.csv` as follows: + +``` +id, created, lastUpdated, lastMemberShipUpdated, type, profile.description, profile.name +``` + +And `C:/identitymanagerContoso/Sources/OktaExportFulfillment_apps.csv` as follows: + +``` +id, created, lastUpdated, status, name, label +``` + +### Fulfill + +The Okta connector writes to Okta to create, update and delete entries, initiated manually through +the UI or automatically by enforcing the policy. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional +information. + +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    "Connections": { +        ... +        "OktaExportFulfillment": { +            "Server": " https://.okta.com", +            "ApiKey": "", +        } +    } +} + +``` + +### Password reset + +The password reset settings configuration is described in the appsettings.agent.json file. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the appsettings.encrypted.agent.json file +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md)Vault able to + store Okta Login, Password, Account and Server. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md new file mode 100644 index 0000000000..d9542bde5c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/openldap/index.md 
@@ -0,0 +1,248 @@ +# OpenLDAP + +This connector exports and fulfills entries from/to an [OpenLDAP](https://www.openldap.org/) +directory. + +This page is about [ OData ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odata/index.md). + +![Package: Directory/Open LDAP](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/openldap/packages_ldapopen_v603.webp) + +## Overview + +OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with reading and writing permissions on the target OpenLDAP server; +- enabling SyncProv Overlay for the OpenLDAP server. + + To perform a complete export without the SyncProv Overlay enabled, use rather the + [ LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) connector. + +## Export + +This connector exports to CSV files the content of an OpenLDAP Directory. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections":{ +> ... 
+> "OpenLDAPExport": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "Filter": "(|(objectclass=person)(objectclass=ou))", +> "Scope": "SubTree", +> "SSL": "true" +> } +> ... +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** IP address and port of the OpenLDAP server. | +| DistinguishedName required | **Type** String **Description** Distinguished Name of the domain controller. | +| Login required | **Type** String **Description** OpenLDAP server's login. | +| Password required | **Type** String **Description** OpenLDAP server's password. | +| SSL optional | **Type** Boolean **Description** `True` to enable SSL (Secure Socket Layer) protocol for authentication requests. | +| | | +| --- | --- | +| TimeFormat default value: 60 | **Type** Int32 **Description** Timeout (in seconds) for the export's requests to the targeted server. | +| WaitingTimeInSeconds default value: 30 | **Type** Int32 **Description** Time period (in seconds) during which pulling for changes is not allowed during the persistent phase. | +| | | +| --- | --- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder: + +- a CSV file, named `_entry.csv`, with one column for each property having a + `ConnectionColumn` and each property without it but used in an entity association; + + Any property can be exported in a specific format when specified. See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + +- a CSV file for each `ConnectionTable` in a related `EntityTypeMapping` or + `EntityAssociationMapping`, and which is not an `entry`, named + `_.csv`; + + > For example, `OpenLDAPExport_member` as `ConnectionTable` in a mapping will generate the file + > `OpenLDAPExport_member.csv` with `member` as link attribute. + +- `_cookie.bin` which stores the time of the last successful export, thus + allowing incremental processes. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +The CSV files are stored in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder, and the cookie file in the Export Cookies folder. 
+ +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We would have `C:/identitymanagerContoso/Temp/ExportOutput/OpenLDAPExport.csv` like: +> +> ``` +> entry.csv +> Command,entryUUID,dn,cn,objectClass,parentdn +> Insert,value1,value2,...,valueN +> ``` +> +> And we would also have `C:/identitymanagerContoso/Temp/ExportOutput/OpenLDAPExport_member.csv` like: +> +> ``` +> LDAPExport_member.csv +> Command,entryUUID,member +> Insert,value1,value2,...,valueN +> ``` + +## Fulfill + +This connector fulfills via the LDAP connector's fulfill process. + +The LDAP connector fulfills the creation, deletion and update of LDAP entries, initiated through the +Identity Manager UI or by [Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) +enforcement. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "OpenLDAPFulfillment": { +> "Server": "contoso.server.com", +> "DistinguishedName": "DC=contoso,DC=com", +> "Login": "Contoso", +> "Password": "ContOso$123456789", +> "SSL": "true", +> "IsLdapPasswordReset": "true" +> } +> } +> } +> ``` + +#### Setting attributes + +| | | +| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter required | **Type** String **Description** Entries to be excluded from export among all entries from the LDAP instance. Only non-filtered entries are exported. The filter must use [Microsoft's search filter syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax). | +| Scope optional | **Type** String **Description** Search scope to be applied to the request. 
The result will be limited to: `Base` - the base of the object; `OneLevel` - the immediate children of the object; `Subtree` - the entire subtree from the base object down. | +| | | +| --- | --- | +| IsLdapPasswordReset optional | **Type** Boolean **Description** `True` to state the managed system as an LDAP-compliant system supporting password reset. | + +### Output details + +This connector can create a new resource, and update and delete an existing resource via the UI. + +A new resource is created with the state `disabled`, corresponding to the **useraccountcontrol** +value `514`. When it is approved, its `disabled` state is removed and the **useraccountcontrol** +value becomes `512`. + +### Add attributes to the requests + +Some systems using the LDAP protocol require additional attributes in the creation and/or update +requests. + +If these attributes are not synchronized in Identity Manager, then they cannot be computed and +provided by scalar rules or navigation rules. In this case, they can be given as arguments in the +provisioning order, through the `ResourceType`'s `ArgumentsExpression`. 
+ +> The following example adds the attribute `description` with a value depending on what is modified: +> +> ``` +> +> ArgumentsExpression="C#:resource: +> var arguments = new System.Collections.Generic.Dictionary(); +> +> if (provisioningOrder.HasChanged("cn")) { +> arguments.Add("description", "This entry's login has been modified by Usercube."); +> } +> else if (provisioningOrder.HasChanged("mail")) { +> arguments.Add("description", "This entry's email has been modified by Usercube."); +> } +> else { +> arguments.Add("description", "This entry has been modified by Usercube."); +> } +> +> return arguments;"> +> +> +> +> ``` + +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), + configured in the `appsettings.encrypted.agent.json` file; +- an + [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + safe; + +- a + [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + able to store OpenLDAP's `Login`, `Password` and `Server`. 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md new file mode 100644 index 0000000000..db59c24585 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellprov/index.md 
@@ -0,0 +1,143 @@ +# PowerShellProv + +This connector writes to an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md). + +![Package: Custom/PowerShellProv](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/powershellprov/packages_powershellprov_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Identity Manager to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly + Usercube)' guidelines below. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector executes a PowerShell script for the creation, deletion and update of any entity +linked to the managed system. 
+ +> For example, it can fulfill the `mailboxes` entity from Microsoft Exchange. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills a CSV file through the script `Fulfill-CSV.ps1`, for a single target +> managed system identified by the `PowerShellCsvFulfillment` subsection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Fulfill-CSV.ps1", +> "Options": { +> "Message": "Hello", +> "Login": "admin", +> "Password": "secret" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| PowerShellScriptPath required | **Type** String **Description** Path of the executed PowerShell script (.ps1). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example** ` "Options": { "Login": "admin", "Password": "secret" }` In order for the script to access these options, the following two lines of code must be included in the script: `$options = [System.Console]::ReadLine() $options = ConvertFrom-Json $options` Afterwards, any one of these variables can be easily accessed: `$options.Login$options.Password # -> admin and secret` | + +### Write a script + +See how to +[ Write a PowerShell Script for Provisioning ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-powershell-script/index.md)to +allow provisioning with this connector. + +## Authentication + +### Password reset + +The PowerShell script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| -------------------- | ------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| PowerShellScriptPath | `Connections----PowerShellScriptPath` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + the attributes from the `Options` section that are compatible with CyberArk. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. 
+ +> For example, consider `Login` and `Password` values stored in the `PowerShellCsv_Account` account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "PowerShellCsvFulfillment": { +> "Options": { +> "Login": "PowerShellCsv_Account", +> "Password": "PowerShellCsv_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md new file mode 100644 index 0000000000..bb44cce795 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/powershellsync/index.md 
@@ -0,0 +1,108 @@ +# PowerShellSync + +This connector exports data from an external system via a +[PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/overview) script. + +This page is about [ PowerShellSync ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md). + +![Package: Custom/PowerShellSync](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/powershellsync/packages_powershellsync_v603.webp) + +## Overview + +PowerShell is a cross-platform task automation and configuration management framework, consisting of +a command-line shell and scripting language. Unlike most shells which accept and return text, +PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET +objects. This fundamental change brings entirely new tools and methods for automation. + +Data can be synchronized from any managed system by writing a PowerShell script that generates the +relevant CSV files for Identity Manager. The PowerShellSync connector provides all the necessary +tools for an easy integration of the script with Identity Manager's synchronization mechanisms. + +When Identity Manager provides a native connector for a given system, for example the Active +Directory connector, Netwrix Identity Manager (formerly Usercube)highly recommends using the native +connector rather than this PowerShell connector. 
+ +## Prerequisites + +Implementing this connector requires: + +- making sure that the command `powershell.exe`, inside the command prompt (`cmd.exe`), does execute + a PowerShell terminal; +- knowledge of scripting in PowerShell 5.1 or later, + [see here PowerShell's requirements](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/windows-powershell-system-requirements); +- making sure that the device hosting the agent has its execution policy properly configured to + execute the given PowerShell script; +- checking the targeted system's requirements (environment, libraries, etc.), as this connector is + meant to connect Identity Manager to a PowerShell-compatible system; +- writing and testing a PowerShell script (`.ps1`) according to Netwrix Identity Manager (formerly + Usercube)' guidelines below. + +## Export + +This connector executes a PowerShell script that generates one or several CSV files. These files are +to be used during the synchronization of the data from the managed system targeted by the +PowerShellSync connector. + +The CSV files must be written to the `$OutputPath`. + +The export is executed by a job from the UI, or via `Usercube-Export-Powershell.exe` in the command +prompt. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "PowerShellExport": { +> "PowerShellScriptPath": "C:/identitymanagerDemo/Scripts/Export-CSV.ps1", +> } +> } +> } +> ``` + +##### Setting attributes + +| Name | Details | +| ----------------------------- | ------------------------------------------------------------------------------------ | +| PowerShellScriptPath required | **Type** String **Description** Path of the PowerShell script (.ps1) to be executed. | + +### Write a script + +Identity Manager provides a few variables to be used in the PowerShell script. + +| Name | Details | +| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | +| OutputPath | **Type** String **Description** Prefix of the path of the generated CSV file. **Info:** the synchronization process requires the generated CSV file to be located in a very specific location, with a specific name prefix. Hence the need for this predefined variable. **Value** [``](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)`/ExportOutput/_` **Example** In this example, if the temp folder is named `Temp` and the connection `PowerShellExport`, then the generated file is: `Temp/ExportOutput/PowerShellExport_users.csv`. 
```generateCSV | Export-CSV ($OutputPath + "users.csv")` where`generateCSV``` is a generic PowerShell method that generates CSV files. | +| IsIncremental | **Type** Boolean **Description** Variable to be used to provide a different behavior for complete and incremental synchronization. | + +## Fulfill + +There are no fulfill capabilities for this connector. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/racf/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/racf/index.md new file mode 100644 index 0000000000..7c7e670b32 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/racf/index.md 
@@ -0,0 +1,113 @@ +# RACF + +This connector exports users and profiles from a +[RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) file. + +This page is about [ RACF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/racf/index.md). + +![Package: MainFrame/RACF](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/racf/packages_racf_v603.webp) + +## Overview + +Resource Access Control Facility (RACF) is a security program from IBM OS/390 used to protect users' +resources by controlling their accesses. The RACF connector exports the information saved by RACF +about users, groups and access authorities. + +## Prerequisites + +Implementing this connector requires the input file to be in the RACF format, but it can have any +extension. + +## Export + +This connector extracts the information found in a RACF file and transforms it into CSV files in +Identity Manager format. + +Be aware that Identity Manager supports only the RACF records represented by the following codes: + +- [0100; 0120; 0101; 0102](https://www.ibm.com/docs/en/zos/2.1.0?topic=records-record-formats-produced-by-database-unload-utility#0100-0120-0101-0102) + (groups); +- [0200; 0203](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-user-record-formats) (users); +- [0500; 0503](https://www.ibm.com/docs/en/zos/2.1.0?topic=utility-general-resource-record-formats) + (general resources). + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. 
+- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example reads RACF data from the `C:/identitymanagerContoso/RacfFile.csv` iso-8859-1 file +> and exports it to CSV files in Identity Manager format: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "RACF": { +> "Path": "C:/identitymanagerContoso/RacfFile.csv", +> "Encoding": "iso-8859-1", +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Path required | **Type** String **Description** Path of the RACF file to be exported. | +| | | +| --- | --- | +| Encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder one CSV file per record type (0100, 0200, etc.), named +`_.csv`. + +> For example, consider an export with a connection named `ExportRacf`, and a source file containing +> the record types 0100, 0120, 0203. Then we will have three output files named +> `ExportRacf_0100.csv`, `ExportRacf_0120.csv` and `ExportRacf_0203.csv`. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +This connector has no credential attributes, and therefore does not use +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), nor a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md). + +Still, data protection can be ensured through an +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md new file mode 100644 index 0000000000..bec15f96c1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/robotframework/index.md 
@@ -0,0 +1,135 @@ +# Robot Framework + +This connector writes to an external system via a [Robot Framework](https://robotframework.org) +script. + +This page is about [ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md) + +![Package: Custom/Robot Framework](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/robotframework/packages_robot_v603.webp) + +## Overview + +Robot Framework is an open-source automation framework which can be used for robotic process +automation (RPA). This framework is easy to use thanks to its human-readable syntax. +It has a modular architecture that can be extended by +[libraries](https://robotframework.org/#libraries) implemented with Python or Java. These libraries +provide various tools to interact with a managed system. + +## Prerequisites + +Implementing this connector requires the agent to include the following elements: + +- [Python](https://www.python.org/downloads/) 3.7 or above. Specific Robot Framework libraries may + require a specific Python version; +- Python folder location in the `PATH` environment variable list and the location of its subfolder + `Scripts`; +- Robot Framework: use `pip install robotframework` in the command prompt. If the installation ran + correctly, `robot.exe` should be in your path. You can confirm this by running `gcm robot` in a + powershell console. + +## Export + +There are no export capabilities for this connector. + +## Fulfill + +This connector can create, update and/or delete any entity linked to the managed system. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... 
+ "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example fills in a CSV file by using the script `FulfillRobotFramework.robot`: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "RobotFrameworkScriptPath": "C:/identitymanagerDemo/Scripts/FulfillRobotFramework.robot", +> "Options": { +> "Message": "Hello" +> } +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RobotFrameworkScriptPath required | **Type** String **Description** Path to the executed Robot Framework script (.robot). | +| Options optional | **Type** String Pair List **Description** List of key-value pairs for all the variables required by the PowerShell script. 
**Example** ` "Options": { "Login": "admin", "Password": "secret" }` Access these options in the script using the following method: `${login}= Get Secure Data Login False ${password}= Get Secure Data Password True` **Info:** when the boolean argument from `Get Secure Data` is set to `True`, then the value is stored in the variable and erased from memory, hence not retrievable on next call. This enables control over sensitive data like passwords by defining the lifetime of the variable containing sensitive data. **Warning:** never use `Get Secure Data` when `Options` is empty. | + +### Write a script + +See how +to[ Write a Robot Framework Script ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/write-fulfill-robotframework-script/index.md) to +allow provisioning with this connector. + +## Authentication + +### Password reset + +The script manages password reset. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- an [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------ | ----------------------------------------------------- | +| Login (optional) | `Connections----Options--Login` | +| Password (optional) | `Connections----Options--Password` | +| RobotFrameworkScriptPath | `Connections----RobotFrameworkScriptPath` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + the attributes from the `Options` section that are compatible with CyberArk. 
+ +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example, consider `Login` and `Password` values stored in the `RobotFramework_Account` +> account: +> +> ``` +> appsettings.cyberark.agent.json +> { +> "Connections": { +> ... +> "RobotFrameworkFulfillment": { +> "Options": { +> "Login": "RobotFramework_Account", +> "Password": "RobotFramework_Account" +> } +> } +> } +> } +> ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md new file mode 100644 index 0000000000..4243249af1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/saperp6/index.md 
@@ -0,0 +1,310 @@ +# SAP ERP 6.0 and SAP S4/HANA + +This connector exports and fulfills users and roles from/to an +[SAP ERP 6.0](https://www.sap.com/products/erp/what-is-sap-erp.html) or +[SAP HANA](https://www.sap.com/products/technology-platform/hana/what-is-sap-hana.html) instance. + +This page is about ERP/SAP ERP 6.0. + +![Package: ERP/SAP ERP 6.0](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/packages_saperp6_v603.webp) + +## Overview + +The SAP Enterprise Resource Planning (SAP ERP) software incorporates the core business processes of +an organization, such as finance, production, supply chain services, procurements, human resources +(HR), etc. The SAP ERP connector exports and fulfills data from/to an SAP ERP 6.0 system. + +## Prerequisites + +Implementing this connector requires: + +- Reading first the appsettings documentation; See the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic + for additional information. +- An ASE or HANA database with a service account, as a database administrator +- A service account, as a SAP user with at least the roles for user management +- The prerequisites for reading should be set up +- The prerequisites for writing should be set up + +ASE or HANA database with a service account, as a database administrator + +To connect to the SAP database using SSH, use the following commands: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +su sybaba +isql -S -U -P -X +``` + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +isql -S ABA -Usapsso -PV1H#M$4JIgU$qd -X +``` + +Service account, as a SAP user with at least the roles for user management + +Create a login for Identity Manager's service account with at least reading access on user +management tables by using a command from the table below: + +| Table | Usage | +| ----------------- | --------------------------------------- | +| USR02 | Users table | +| AGR_USERS | Links between Users and Roles | +| AGR_TEXTS | Roles labels according to the language | +| USER_ADDR | | +| AGR_1016 AGR_PROF | Links between Profiles and Roles | +| USR10 | Profiles tables | +| USR11 | Profiles labels | +| AGR_DEFINE | Roles table | +| AGR_AGRS | Composition links | +| USGRP | Groups table | +| USGRPT | Groups labels | +| UST04 | Links between Users and Profiles | +| UST10C | Links between Profiles and Sub-profiles | +| AGR_TCODES | Links between Roles and Transactions | +| T002 | Languages codes | + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +execute sp_addlogin ``, ``, ``go use ABA go +execute sp_adduser ``go grant select on ABA.SAPSR3.USR02 to usercube grant select on +ABA.SAPSR3.AGR_USERS to usercube grant select on ABA.SAPSR3.USER_ADDR to usercube grant select on +ABA.SAPSR3.AGR_1016 to usercube grant select on ABA.SAPSR3.USR10 to usercube grant select on +ABA.SAPSR3.USR11 to usercube grant select on ABA.SAPSR3.AGR_AGRS to usercube grant select on +ABA.SAPSR3.USGRP to usercube grant select on ABA.SAPSR3.UST04 to usercube grant select on +ABA.SAPSR3.AGR_TCODES to user grant select on ABA.SAPSR3.T002 to usercube Go + +Set up the prerequisites for reading + +To set up the prerequisites for reading follow the steps below. + +**Step 1 –** Copy the DLL `Sap.Data.Hana.Core.v2.1.dll` into the Runtime of Identity Manager. 
+ +![connectorreadprerequisites1](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites1.webp) + +**Step 2 –** Unzip the “hdbclient.zip” archive to C: drive and add the path to the Path environment +variables. + +![connectorreadprerequisites2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorreadprerequisites2.webp) + +**Step 3 –** Create environment variables: `HDBADOTNET=C:\hdbclient\ado.net` and +`HDBADOTNETCORE=C:\hdbclient\dotnetcore`. + +Set up the prerequisites for writing + +**NOTE:** Make sure the Read prerequisites are configured first. + +**Step 1 –** Copy the provided DLL `sapnwrfc.dl` into the Runtime of Identity Manager. + +**Step 2 –** Unzip the `dotnet86.zip` archive to `C:\dotnetx86`. + +**Step 3 –** Copy the DLLs icudt50.dll, `icuin50.dll` and icuuc50.dll into the Runtime of Identity +Manager. + +![connectorwriteprerequisites](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites.webp) + +**Step 4 –** Disable DLLs search by adding the environment variable `NLSUI_7BIT_FALLBACK=YES`. + +![connectorwriteprerequisites2](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/saperp6/connectorwriteprerequisites2.webp) + +**Step 5 –** Add new environment variable `USERCUBE_DOTNET32` containing the path to dotnetx86 +(e.g.: `C: \donetx86\dotnet.exe`). + +## Export + +This connector extracts users, roles, profiles, profile memberships, role memberships and groups +from an SAP ERP instance, and writes the output to CSV files. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. 
See the +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    ... +    "Connections": { +        ... +        "SAPExportFulfillment": { +            "Server": "serverUrl", +            "AseLogin": "login", +            "AsePassword": "password", +            "Instance": "sapInstance", +            "Port": "4242", +            "Client": "123", +            "Language": "fr" +        } +    } +} + +``` + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| AseLogin required | String | Login to connect to SAP ASE. | +| AsePassword required | String | Password to connect to SAP ASE. | +| Client required | String | Client id of SAP. | +| Instance required | String | Instance of the SAP database. | +| Language required | String | SAP language. | +| Port required | String | Port of the SAP ERP server. | +| Server required | String | URL of the SAP ERP server. 
| + +### Output details + +This connector is meant to generate to the ExportOutput folder the following files: + +- SAPExportFulfillment_users.csv; +- SAPExportFulfillment_roles.csv; +- SAPExportFulfillment_usersroles.csv; +- SAPExportFulfillment_profiles.csv; +- SAPExportFulfillment_profilesprofiles.csv; +- SAPExportFulfillment_rolesprofiles.csv; +- SAPExportFulfillment_usersprofiles.csv; +- SAPExportFulfillment_rolesroles.csv; +- SAPExportFulfillment_groups.csv; +- SAPExportFulfillment_rolestransactions.csv. + +See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +topic for additional information. + +## Fulfill + +This connector can provision users, role memberships and group memberships to SAP ERP. + +### Configuration + +Same as for export, fulfill is configured through connections. See the SAP ERP 6.0 and SAP S4/HANA +topic for additional information. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +    ... +    "Connections": { +        ... +        "SAPExportFulfillment": { +            "Server": "", +            "BapiLogin": "", +            "BapiPassword": "" +        } +    } +} + +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------- | +| IsHana default value: false | Boolean | True to connect to an S/4 HANA instance instead of an ERP 6.0. | +| Server required | String | URL of the SAP ERP server. | +| BapiLogin required | String | Login to connect to the specified server. | +| BapiPassword required | String | Password to connect to the specified server. 
| + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic for additional information on how to configure password reset settings. + +When setting a password for an SAP ERP user, the password attribute is defined by the password +specified in the corresponding RessourceTypeMapping. See the +[Sap Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) +topic for additional information. + +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------ | ------------------------------------------------ | +| Server | Connections--``--Server | +| AseLogin | Connections--``--AseLogin | +| AsePassword | Connections--``--AsePassword | +| Instance | Connections--``--Instance | +| Port | Connections--``--Port | +| Client | Connections--``--Client | +| Language | Connections--``--Language | +| BapiLogin | Connections--``--BapiLogin | +| BapiPassword | Connections--``--BapiPassword | +| SystemNumber | Connections--``--SystemNumber | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. 
+ +See the +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ +  ... +  "Connections": { +    ... +    "SAPExportFulfillment": { +        "Login": "SAPExportFulfillment_CyberArkKey", +        "Password": "SAPExportFulfillment_CyberArkKey", +        "Server": "SAPExportFulfillment_CyberArkKey" +    } +  } +} +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md new file mode 100644 index 0000000000..553498f28d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/index.md 
@@ -0,0 +1,198 @@ +# SAP Netweaver + +This connector exports and fulfills users and roles from/to an +[SAP Netweaver](https://www.sap.com/france/products/technology-platform/hana/what-is-sap-hana.html) +instance. + +This page is about [ SAP S/4 HANA ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saphana/index.md). + +![Package: ERP/SAP S/4 HANA](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sapnetweaver/packages_sap_v603.webp) + +## Overview + +SAP ERP is an enterprise resource planning software developed by the German company SAP SE. The +software incorporates the key business functions of an organization. ERP software includes programs +in all core business areas, such as procurement, production, materials management, sales, marketing, +finance, and human resources (HR). + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with reading and writing permissions on the SAP server. + +## Export + +This connector exports users, roles, role memberships and groups from an SAP instance and writes the +output to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... 
+> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder the following CSV files: + +- `sap_users.csv` with the following columns: + + ``` + sap_users.csv + Command,logonname,isserviceuser,firstname,lastname,salutation,title,jobtitle,mobile,displayname,description,email,fax,locale,timezone,validfrom,validto,lastmodifydate,islocked,isaccountlocked,ispasswordlocked,ispassworddisabled,telephone,department,id,securitypolicy,datasource,company,streetaddress,city,zip,pobox,country,state,orgunit,accessibilitylevel,passwordchangerequired + Insert,value1,value2,...,valueN + ``` + +- `sap_groups.csv` with the following columns: + + ``` + sap_groups.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,distinguishedname + Insert,value1,value2,...,valueN + ``` + +- `sap_roles.csv` with the following columns: + + ``` + sap_roles.csv + Command,uniquename,displayname,description,lastmodifydate,id,datasource,scopes,actions + Insert,value1,value2,...,valueN + ``` + +- `sap_roles_member.csv` with the following columns: + + ``` + sap_roles_member.csv + Command,id,member + Insert,value1,value2,...,valueN + ``` + +## Fulfill + +This connector writes to SAP to create, update, and/or delete users, groups, 
roles and group +memberships. + +### Configuration + +Same as for export, fulfill is configured through connections. + +#### Setting attributes + +| Name | Details | +| ----------------- | --------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the SAP server. | +| Login required | **Type** String **Description** Login to authenticate to the specified server. | +| Password required | **Type** String **Description** Password to authenticate to the specified server. | + +> For example: +> +> ``` +> appsettings.agent.json +> { +> "Connections": { +> "SAPExportFulfillment": { +> "Server": "serverUrl", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for an SAP user, the password attribute is defined by the password specified +in the corresponding +[Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "SAPExportFulfillment": { +> "Login": "SAPExportFulfillment_CyberArkKey", +> "Password": "SAPExportFulfillment_CyberArkKey", +> "Server": "SAPExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md new file mode 100644 index 0000000000..5fc157be62 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/scim/index.md 
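Review bot: In the SAP Netweaver page added above, all three bullets under "Credential protection" carry the same `[ Connection ]` label and link target ("configured in the `appsettings.encrypted.agent.json` file", "An ... safe", "A ... able to store ..."), so a reader cannot tell which protection mechanism each bullet refers to or reach its documentation. Give each bullet its own link text and target; the table header and the paragraph that follows point to Azure Key Vault and CyberArk for the second and third. The Key Vault column reads `Connections----Server` and the first configuration block reads `"": {`, which suggests the connection-identifier placeholder was dropped; restore it so the naming convention can be applied. Two likely copy-paste leftovers are also worth fixing: the link labelled SAP Netweaver goes to a `what-is-sap-hana.html` URL under `/france/`, and the third bullet speaks of "Active Directory's" `Login`, `Password` and `Server` on an SAP page.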
@@ -0,0 +1,365 @@ +# SCIM + +This connector exports and fulfills entities from/to a +[SCIM](https://www.okta.com/blog/2017/01/what-is-scim/) compliant application. + +This page is about: + +- Custom/SCIM +- CRM/Salesforce +- Messaging/Slack +- PAM/CyberArk + +![Package: Custom/SCIM](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_scim_v603.webp) + +![Package: CRM/Salesforce](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_salesforce_v603.webp) + +![Package: Messaging/Slack](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_slack_v603.webp) + +![Package: PAM/CyberArk](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/packages_cyberark_v603.webp) + +## Overview + +Simple Cloud Identity Management (SCIM) is a Request for Comments (RFC) standard. It describes a +REST API with specific endpoints to get and set data in a web application for IGA purposes. It +allows an identity provider to manage the web application's accounts. For more details about SCIM +and RFC, see the [IETF document](https://tools.ietf.org/html/rfc7644). + +**NOTE:** Similarly to the Salesforce REST-based API, SCIM for Salesforce enables reading and +writing attributes, but writes to a smaller subset. For example, the following properties are +manageable by the Salesforce REST-based API but not SCIM: `PermissionSetGroup`, +`PermissionSetLicense`, `UserPermissionsKnowledgeUser`, `UserPermissionsInteractionUser`, +`UserPermissionsSupportUser`, `CallCenterId`, `SenderEmail`. + +See the +[Salesforce's documentation](https://help.salesforce.com/s/articleView?id=sf.identity_scim_rest_api.htm&type=5) +for additional information. 
+ +## Prerequisites + +Implementing this connector requires the web application that you want to synchronize to implement +SCIM Version 2.0 or later. + +The implementation of the Salesforce connector requires the completion of the following steps: + +- Connect the application +- Enable OAuth authentication +- Reset the user token +- Configure the Salesforce connection + +Connect the application + +To connect to the Salesforce application do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![salesforce-newconnectedapp](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-newconnectedapp.webp) + +**Step 3 –** Go to **App Manager** and **Create a Connected App**. + +![salesforce-enableoauth](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-enableoauth.webp) + +**Step 4 –** Fill in the details of the application: Application Name, API Name, Contact Email, +select **Enable OAuth Settings**, and complete the mandatory information as callback URL and OAuth +Scopes. + +**Step 5 –** Save the Application. + +![salesforce-manageconnectedapps](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconnectedapps.webp) + +**Step 6 –** Go to **Manage Connected Apps** and click on the newly created application. + +![salesforce-manageconsumerdetails](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-manageconsumerdetails.webp) + +**Step 7 –** Click on **Manage Consumer Details**. 
+ +![salesforce-consumerkey](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-consumerkey.webp) + +**Step 8 –** Copy the Consumer Key and Consumer Secret in your Keypass. + +Enable OAuth authentication + +To enable the OAuth authentication do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-advancesetup](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-advancesetup.webp) + +**Step 2 –** Go to **Advanced Setup**. + +![oauthauthentication](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/oauthauthentication.webp) + +**Step 3 –** Go to **OAuth** and **OpenID Connect Settings** in the **Identity** drop-down menu, +enable the option to **Allow OAuth Username-Password Flows**. + +Reset the user token + +To reset the user token do the following: + +**Step 1 –** Log into Salesforce using an admin account. + +![salesforce-usertoken-settings](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-usertoken-settings.webp) + +**Step 2 –** Click on **Settings** under the profile details. + +![salesforce-resetseuritytoken](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-resetseuritytoken.webp) + +**Step 3 –** Click on **Reset My Security Token**. + +![salesforce-checkemail](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-checkemail.webp) + +**Step 4 –** An email containing the new token will be sent. + +Configure the Salesforce connection + +To configure the Salesforce connection do the following: + +**Step 1 –** Log into Identity Manager using an admin account. 
+ +![salesforce-connector](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connector.webp) + +**Step 2 –** Create a new Salesforce connector. + +![salesforce-connection](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-connection.webp) + +**Step 3 –** Add a new Salesforce connection. + +![salesforce-agent-settings](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/scim/salesforce-agent-settings.webp) + +**Step 4 –** Fill the fields in the **Connection Settings** and choose the **Filter**. + +The configuration of the Salesforce connector is completed. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +**appsettings.agent.json** > **Connections** section. +See the [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +_Remember,_ the identifier of the connection and thus the name of the subsection must: + +- Be unique +- Not begin with a digit +- Not contain `<`, `>`, `:`, `/`, `\`, `|`, `?`, `*`, and `_`. + +The following example gets information via SCIM on a web application whose URL base is +`https://example.for.doc.com`: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... 
+ "SCIMExport": { + "ApplicationId": "", + "Server": "", + "ApplicationKey": "", + "Login": "", + "Password": "", + "Filter": "" + } + } +} +``` + +Here we use an account's credentials (login and password) with our application's credentials +(ApplicationId and ApplicationKey). + +The filter `?filter=active eq \"true\"` retrieves active Users from the external system. + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Filter optional | String | Filters applied in the SCIM request retrieving the entities. You should write the filters as you would write them in the URL (including the "?"). For more details on the syntax, see the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document). Syntax:EntityNameInSCIM1|scimFilter1\*EntityNameInSCIM2|scimFilter2\*EntityNameInSCIM3|scimFilter3 | +| OAuth2Url optional | String | URL which get tokens for the requests. The system can usually find this information, but sometimes the system gets it wrong, like Salesforce for example. | +| PageSize default value: 200 | String | Maximum number of elements returned by one request. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. 
| +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login and Password) are used to obtain a +token from the application for our requests. + +### Output details + +This connector is meant to generate to the ExportOutput folder the following CSV files: + +- One file for each SCIM entity, coming from entity type mappings's connection tables, named + `_.csv`, with one column for each property having a ConnectionColumn + and each property without it but used in an entity association; +- One file for each membership, coming from entity association mappings's connection tables, + named` _members_.csv`, with the following columns: + - Value — ID of the group + - MemberId — ID of the group member +- One file for each entity named Containers such as CyberArk's privileged data, named + `_privilegedData_Containers.csv`. + +See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) and +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +topics for additional information. + +For the connector to work properly, the connection tables must follow the naming conventions too: +`_ for entities and _members_` for links. + +If the connection column describes a sub-property, then the name should have the following pattern: +`{property}:{sub-property}`. The character ":" should not be used in other situations. 
+ +For example, if we want to retrieve information about Users, Groups and Groups' members, we should +have the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +We would have SCIMExport_Users.csv with the column headers id, `name:givenName` and `emails:value`, +`SCIMExport_Groups.csv` with the column headers id and `displayName`, and +`SCIMExport_members_Groups.csv` with the column headers value and `MemberId`. + +Each column contains the value of the corresponding attribute. SCIM attributes are described in the +[RFC document](https://tools.ietf.org/html/rfc7643). + +### Limitations + +The incremental mode only works for User entities and not for the others like Groups or Roles. It +means that entities like Groups or Roles are always handled with the complete mode. + +## Fulfill + +This connector writes to the managed web application to create, update, and/or delete users with +their attributes and group memberships, but no group or other entities. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> The following example writes information to SCIM on a web application whose URL base is +> `https://example.for.doc.com`. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SCIMFulfillment": { +> "ApplicationId": "", +> "Server": "", +> "ApplicationKey": "", +> "Login": "", +> "Password": "", +> "ServiceSupportBulk": true, +> "BulkMaxOperation": 10 +> } +> } +> } +> ``` +> +> Here we use an account's credentials (login and password) with our application's credentials +> (ApplicationId and ApplicationKey). +> +> We specify that bulk requests are supported with a maximum of 10 operations per request. 
+ +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BulkMaxOperation optional | Int32 | Maximum number of operations which can be sent in one bulk request. | +| ServiceSupportBulk optional | Boolean | True to allow bulk requests. depends on the web application's SCIM implementation. See the [RFC document](https://tools.ietf.org/html/rfc7644#rfc-document) for additional information. | +| Server required | String | URL of the SCIM endpoints of your application, excluding /v2. | +| ApplicationId optional | String | Login of the application or of the application's Id provider. | +| ApplicationKey optional | String | Password of the application or of the application's Id provider. | +| Login optional | String | Login of the account. | +| OAuthToken optional | String | Generated OAuth token to connect to the application. | +| Password optional | String | Password of the account. | +| ScimSyntax default value: RFC | String | Type of SCIM implementation: RFC - used for the systems that follow SCIM's rules; Salesforce - required when this connector targets Salesforce; CyberArk - required when this connector targets CyberArk. | + +The credential attributes (ApplicationId, ApplicationKey, Login, and Password) are used to obtain a +token from the application for our requests. + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file +- An Azure Key Vault safe + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------ | ------------------------------------------------ | +| ApplicationId | Connections--``--ApplicationId | +| ApplicationKey | Connections--``--ApplicationKey | +| BulkMaxOperation | Connections--``--BulkMaxOperation | +| Login | Connections--``--Login | +| Password | Connections--``--Password | +| ServiceSupportBulk | Connections--``--ServiceSupportBulk | +| Server | Connections--``--Server | + +- A CyberArk Vault able to store Active Directory's Login, Password, and Server. + +See the +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.cyberark.agent.json +{ + ... + "Connections": { + ... + "SAPExportFulfillment": { + "Login": "SAPExportFulfillment_CyberArkKey", + "Password": "SAPExportFulfillment_CyberArkKey", + "Server": "SAPExportFulfillment_CyberArkKey" + } + } +} +``` 
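Review bot: The JSON examples under Configuration (export and fulfill) show `"": {`, `"ApplicationId": ""` and `"Server": ""`, and the XML example under Output details is an empty fence, even though each is introduced with "Code attributes enclosed with `<>` need to be replaced with a custom value"; the angle-bracket placeholders appear to have been stripped, as they also are in `Connections--``--ApplicationId` and in the `_.csv` file names. Escape the placeholders so they survive rendering, otherwise the examples and the naming conventions cannot be followed. In Credential protection, the CyberArk example still uses `SAPExportFulfillment` and `SAPExportFulfillment_CyberArkKey`, and the bullet mentions "Active Directory's" Login, Password, and Server; switch these to the SCIM connection names used earlier in the page (`SCIMExport` / `SCIMFulfillment`). The Export "Setting attributes" table also has no `ApplicationKey` row, although the export example and the sentence below the table both rely on it.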
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md new file mode 100644 index 0000000000..be9c26cc25 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md 
@@ -0,0 +1,276 @@ +# ServiceNow + +This connector exports and fulfills any data, including users and roles, from/to a +[ServiceNow CMDB](https://www.servicenow.com/products/servicenow-platform/configuration-management-database.html). + +This page is about [ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md). + +![Package: ITSM/ServiceNow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/packages_servicenow_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow Entity Management. To learn about how to use this connector to +create tickets for other resources, see +[ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). + +## Prerequisites + +Implementing this connector requires: + +- reading first the appsettings documentation; +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports to CSV files ServiceNow's tables (Users, Groups, Group Memberships). + +An incremental search is possible to retrieve added and updated records but a full delta (including +deleted items) can't be performed. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example retrieves from users only those that are active, and no filter is applied to +> the other tables. A single request can retrieve up to 5,000 entries, no more. This means that if +> there are 6,000 `sys_user` to retrieve, then all of them will be retrieved but with two requests. +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do", +> "ResponseSizeLimit":"5000", +> "Filter":"sys_user#active=true" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). 
| +| | | +| --- | --- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. | +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder one CSV file for each table, named `_.csv`. + +Identity Manager lists the tables to retrieve based on +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)'s +and +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)'s +connection tables. 
+ +For the connector to work properly, the connection tables must follow the naming convention too: +`_`. + +> For example, with the following configuration: +> +> ``` +> +> /> +> +> ``` +> +> We would have: +> +> ``` +> ServiceNowExportFulfillment_sys_user.csv +> sys_id,active,name,user_name,email +> ... +> +> ``` +> +> ServiceNowExportFulfillment_sys_group.csv sys_id,name,description ... +> +> ``` +> ServiceNowExportFulfillment_sys_user_grmember.csv +> user,group +> ... +> +> ``` + +## Fulfill + +This connector writes to ServiceNow to create, update, and/or delete any data. + +### Configuration + +Same as for export, fulfill is configured through connections. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` +> +> The following example is the same as above, but using OAuth Authentication: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password", +> "ClientId": "ClientId", +> "ClientSecret": "ClientSecret", +> "OAuth2Url": "https://instance.service-now.com/oauth_token.do" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server required | **Type** String **Description** URL of the ServiceNow Server Table API endpoint. [See ServiceNow Official API Reference](https://developer.servicenow.com/dev.do#see-servicenow-official-api-reference). **Info:** the URL must start with `https`. 
| +| Login required | **Type** String **Description** Username of the service account used to connect to the server. | +| Password required | **Type** String **Description** Password of the service account used to connect to the server. | +| ClientId optional | **Type** String **Description** Client Id used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| ClientSecret optional | **Type** String **Description** Client Secret used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | +| OAuth2Url optional | **Type** String **Description** Application endpoint used (and required) with [OAuth](https://docs.servicenow.com/bundle/latest-platform-administration/page/administer/security/concept/c_OAuthApplications.html). | + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for an ServiceNow user, the password attribute is defined by the password +specified in the corresponding +[Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md). 
+ +### Credentials protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| Filter | `Connections----Filter` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowExportFulfillment": { +> "Login": "ServiceNowExportFulfillment_CyberArkKey", +> "Password": "ServiceNowExportFulfillment_CyberArkKey", +> "Server": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientId": "ServiceNowExportFulfillment_CyberArkKey", +> "ClientSecret": "ServiceNowExportFulfillment_CyberArkKey" +> } +> } +> } +> ``` 
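Review bot: In the Credentials protection section of servicenowentitymanagement/index.md, the CyberArk bullet says the vault stores "Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`", which looks copied from another connector and should name ServiceNow. In the same list all three options render as `[ Connection ]` links to connection/index.md ("An [ Connection ] safe"), so the reader cannot tell RSA encryption, Azure Key Vault and CyberArk apart; the SharePoint page added by this patch names them in plain text and could serve as the model. The Key Vault key names (`Connections----Password`), the table naming convention (`_`) and the XML example (only `/>` is left) also appear to have lost their placeholders and need restoring before merge. Since both `appsettings.agent.json` examples put `Password` and `ClientSecret` inline, a sentence pointing from them to this section would help.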
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md new file mode 100644 index 0000000000..d08c96d420 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/index.md 
@@ -0,0 +1,119 @@ +# ServiceNowTicket + +This connector opens tickets in [ServiceNow](https://www.servicenow.com/) for manual provisioning. + +This page is about [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md). + +![Package: Ticket/ServiceNow](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/servicenowticket/packages_servicenowticket_v603.webp) + +## Overview + +ServiceNow is a cloud-based company that provides software as a service (SaaS) for technical +management support. The company specializes in IT service management (ITSM), IT operations +management (ITOM) and IT business management (ITBM), allowing users to manage projects, teams and +customer interactions via a variety of apps and plugins. +This section focuses on ServiceNow ticket creation for the fulfillment of resources that can't or +shouldn't be performed with an existing fulfill. To learn about how to manage entities, see +[ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)Entity Management. + +## Prerequisites + +Implementing this connector requires: + +- reading first the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)documentation; +- a service account with the **snc_platform_rest_api_access** role, as well as reading and writing + permissions on the target ServiceNow instance; +- the version ServiceNow London or later; +- the appropriate configuration in ServiceNow of authentication, Basic or OAuth. + +## Export + +This connector exports some of ServiceNow entities, see the export capabilities of the +[ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)connector. 
Some entities cannot be exported. + +## Fulfill + +This connector writes to ServiceNow to create incident and request tickets containing information to +create, update or delete a resource. It does not create nor update a resource directly. + +Once created, the ticket is managed in ServiceNow, not in Identity Manager. + +When the ticket is closed or canceled, Identity Manager updates the provisioning state of the +resource accordingly. See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic for +additional information. + +See the fulfill capabilities of the [ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md)connector. + +> For example: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Server": "https://instance.service-now.com/api/now/table", +> "Login": "login", +> "Password": "password" +> } +> } +> } +> ``` + +## Authentication + +### Password reset + +See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topic to learn more on how to configure password reset settings. + +When setting a password for a ServiceNow user, the password attribute is set to the chosen value and +the user's **password_needs_reset** attribute is set to `true`. 
+ +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------------------- | ------------------------------------------------------ | +| Server | `Connections----Server` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| ClientId | `Connections----ClientId` | +| ClientSecret | `Connections----ClientSecret` | +| OAuth2Url | `Connections----OAuth2Url` | +| TicketCookieDirectoryPath | `Connections----TicketCookieDirectoryPath` | +| ResponseSizeLimit | `Connections----ResponseSizeLimit` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login`, `Password`, `Server`, `ClientId` and `ClientSecret`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "ServiceNowFulfillManual": { +> "Login": "ServiceNowFulfillManual_CyberArkKey", +> "Password": "ServiceNowFulfillManual_CyberArkKey", +> "Server": "ServiceNowFulfillManual_CyberArkKey", +> "ClientId": "ServiceNowFulfillManual_CyberArkKey", +> "ClientSecret": "ServiceNowFulfillManual_CyberArkKey" +> } +> } +> } +> ``` 
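Review bot: The Key Vault table in servicenowticket/index.md lists `ClientId`, `ClientSecret`, `OAuth2Url`, `TicketCookieDirectoryPath` and `ResponseSizeLimit`, but this page has no Setting attributes table and its only example sets `Server`, `Login` and `Password`, so none of those attributes is documented here. Suggest adding the attribute table, as the ServiceNow entity management page does, or linking to it. The prerequisite asking for "reading and writing permissions on the target ServiceNow instance" is also broader than a connector that only opens incident and request tickets seems to need; listing the specific tables would let administrators scope the service account. The CyberArk bullet repeats "Active Directory's" and the `[ Connection ]` link labels from the other ServiceNow page.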
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md new file mode 100644 index 0000000000..3a09946770 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/index.md 
@@ -0,0 +1,169 @@ +# SharedFolders + +This connector exports users and permissions from Windows shared folders. + +This page is about [ Shared Folders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md). + +![Package: Storage/Shared Folders](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/packages_sharedfolders_v603.webp) + +## Overview + +Also known as UFA (Identity Manager Folder Access), this connector can be used to scan the access +rights assigned to folders and files in computers and networks which comply with the +[Windows File Security and Access Rights systems](https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights). + +## Prerequisites + +Implementing this connector requires an account with the permissions: + +- to access all relevant folders and files and read their entitlements; +- **Log on as a batch job** in the local group policy, when the connector's authentication mode is + batch. + + ![SharedFolder - Permission for Batch Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharedfolder/sharedfolder_permission.webp) + +## Export + +This connector scans shared folders in order to export their content to CSV files. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example reads `12` levels of folders in the folders `R&D_Projects` and `Management` +> in the network `OfficeNetwork` and in `C:/`. We only read entitlements about folders and we don't +> have access rights to the entitlements associated with the SIDs `S-1-3-2-4` and `S-5-7-6-8`. We +> use the service account [account@example.com](mailto:account@example.com) with its related +> password and domain, and interactive connection: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SharedFolderExport": { +> "InputDirectories": [ "OfficeNetwork/R&D_Projects", "OfficeNetwork/Management", "C:/" ], +> "OnlyDirectoryScan": "true", +> "LevelOfScan": "12", +> "ListOfSIDToAvoid": [ "S-1-3-2-4", "S-5-7-6-8" ], +> "Login": "account@example.com", +> "Password": "accountexamplepassword", +> "Domain": "Example", +> "Interactive": true +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InputDirectories required | **Type** String List **Description** Paths of the folders to be scanned. | +| Domain optional | **Type** String **Description** Domain of the account used to access files and read their access rights. | +| Interactive default value: False | **Type** Boolean **Description** `True` to set authentication as interactive, `False` to set it as batch. | +| LevelOfScan optional | **Type** Int32 **Description** Number of file and folder levels to be scanned. By default, it scans the whole folder tree for each input directory. | +| ListOfSIDToAvoid optional | **Type** String List **Description** SIDs (users or groups) to exclude from the scan. 
| +| OnlyDirectoryScan default value: False | **Type** Boolean **Description** `True` to scan only folders' entitlements and not files', `False` to scan all. | +| | | +| --- | --- | +| Login optional | **Type** String **Description** Login of the account used to access the files and folders. **Note:** when not specified and `Password` neither, then the account running Identity Manager will be used. **Note:** if `Domain` is null, then `Login` must be set in the User Principal Name (UPN) format. | +| Password optional | **Type** String **Description** Password of the account used to access the files and folders. **Note:** when not specified and `Login` neither, then the account running Identity Manager will be used. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder the following CSV files: + +- `_ACE.csv`, with the following columns: + - **key**: concatenation of `Right`, `Path` and `OwnerSID`; + - **Path**: path of the folder or file; + - **Right**: entitlement among the following, listed from weakest to strongest: + ListDirectory / ReadData / CreateFiles / WriteData / AppendData / CreateDirectories / + ReadExtendedAttributes / WriteExtendedAttributes / ExecuteFile / Traverse / + DeleteSubdirectoriesAndFiles / ReadAttributes / WriteAttributes / Write / Delete / + ReadPermissions / Read / ReadAndExecute / Modify / ChangePermissions / TakeOwnership / + Synchronize / FullControl + - **AllowOrDeny**: `0` (or `false`) if the entitlement is allowed, `1` (or `true`) if it is + denied; + - **OwnerSID**: SID of the entitlement's owner. 
+- `_PathInformations.csv`, with the following columns: + - **Path**; + - **ParentPath**: path of the file's or folder's parent folder; + - **BlockInheritance**: `true` if the file or folder blocks entitlement inheritance in the tree; + - **Hierarchy**: hierarchy in the scanned tree. +- `_SID.csv`, with only one column **SID**. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ----------------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Interactive | `Connections----Interactive` | +| LevelOfScan | `Connections----MembersFile` | +| ListOfSIDToAvoid | `Connections----ListOfSIDToAvoid` | +| Login | `Connections----Login` | +| OnlyDirectoryScan | `Connections----OnlyDirectoryScan` | +| Password | `Connections----Password` | +| InputDirectories | `Connections----InputDirectories` | + +- A [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) able to store + Active Directory's `Login` and `Password`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... 
+> "SharedFolderExport": { +> "Login": "SharedFolderSettings", +> "Password": "SharedFolderSettings" +> } +> } +> } +> ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md new file mode 100644 index 0000000000..f827dc0358 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sharepoint/index.md 
@@ -0,0 +1,276 @@ +# SharePoint + +This connector exports sites, folders, groups and permissions from a +[SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration) instance. + +This page is about Storage/SharePoint. + +![Package: Storage/SharePoint](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sharepoint/packages_sharepoint_v603.webp) + +## Overview + +SharePoint is a system used by organizations to store, organize, share and access information. + +## Prerequisites + +Implementing this connector requires an account with the permissions to access all items and read +their entitlements. + +### Configuration + +This process is configured through a connection in the UI and/or the XML configuration, and in the +`appsettings.agent.json > Connections` section: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                  +                        appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "": { +      ... +    } +  } +} +                 +``` + +The identifier of the connection and thus the name of the subsection must: + +- Be unique. +- Not begin with a digit. +- Not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +The following example scans the example.sharepoint.com SharePoint at the more detailed level +(ListItem) with the account [account.example@acme.com](mailto:account.example@usercube.com): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... 
+    "SharePointExport": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| --------------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | +| Scanlevel default value: ListItem | Scanlevel | Level of scan to be performed, from less to more detailed: Site; List; and ListItem. | +| CsvUrls optional | String | Path, column and separator (split by ¤) of the CSV file containing the other sites to be scanned. Useful when scanning a SharePoint with a root site (https://example.sharepoint.com) with other sites (https://example.sharepoint.com/sites/OtherSite) which are not sub-sites (https://example.sharepoint.com/SubSite). Sub-sites don't need to be provided through a CSV file because they are found from the root site. 
| + +### Limitations + +Synchronization in incremental mode does not retrieve user account changes, because SharePoint is +not able to provide this information through its API. + +To avoid unnecessary scanning and to increase performance, the connector in incremental mode does +not scan user accounts from the sites given through CsvUrls. However, it still retrieves the +folders, groups, permissions and the links between users and these elements. + +When needing to retrieve all of user account information, then go through complete synchronization +instead of incremental. + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder the following CSV files: + +`_Entity.csv`, with the following columns: + +- **command**— empty for complete synchronization, and `merge` for incremental; +- **Collection**— SharePoint server's URL where the information was found; +- **Id**— Identifier of the entity; +- **SharePointId**— Identifier of the entity in the scanned site; +- **Name**— name of the entity; +- **Description**— description of the entity; +- **PrincipalType**— type of the entity, for example `User`, `SecurityGroup` or `SharePointGroup`, + etc.; +- **Email**— email of the user; +- **IsEmailAuthenticationGuestUser**— `true` if the email is for the authentication of a guest user; +- **IsSiteAdmin**— `true` if the user is a site administrator; +- **IsShareByEmailGuestUser**— `true` if the user is a guest invited by email; +- **AadObjectId**— Microsoft Entra ID (formerly Microsoft Azure AD)'s identifier of the entity; + +`_GroupMember.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Group_Id**: Identifier of the group; +- **Entity_Id**: Identifier of the entity related to the group member; + +`_GroupMemberScanFail.csv`, with the following columns: + +- **command**; +- 
**Collection**; +- **Id**; +- **Name**; +- **Description**; +- **PrincipalType**; + +`_Role.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Id**; +- **Name**; +- **Description**; +- **Permissions**: permissions concatenated together with line breaks; + +`_RoleAssignment.csv`, with the following columns: + +- **command**; +- **Collection**; +- **Key**— concatenation (with `-`) of the `Role_Id`, the `Entity_Id` and the `SecurableObject_Key`; +- **Role_Id**— Identifier of the role; +- **Entity_Id**— Identifier of the entity related to the role; +- **Entity_Name**— name of the group member; +- **SecurableObject_Key**— concatenation (with `|`) of the `Collection` and the relative URLs where + the object was found; + +`_SecurableObject.csv`, with the following columns: + +- **command**; +- **Key**— concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**— level where the securable object was found, among: `Site`; `List`; `ListItem`; +- **Label**— title or display name of the securable object; +- **ParentKey**— key of the securable object's parent; +- **ScanStatus**— status of the scan (success or fail); +- **HasUniqueRoleAssignments**— `true` if entitlement inheritance is blocked for this securable + object; + +`_SecurableObjectRightInheritance.csv`, with the following columns: + +- **command**; +- **Collection**; +- **SecurableObject_Key**; +- **Inheritance_Key**— key of the ancestor object that the securable object gets its inherited + rights from; + +`_SecurableObjectScanFail.csv`, with the following columns: + +- **command**; +- **Key**: concatenation (with `|`) of the `Collection` and the relative URLs where the object was + found; +- **Collection**; +- **Level**; +- **Label**; +- **ParentKey**; +- **HasUniqueRoleAssignments**. + +## Fulfill + +Identity Manager's fulfill functionality can add and remove members from existing SharePoint groups. 
+ +### Configuration + +Same as for export, fulfill is configured through connections. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfillment": { +        "Server": "https://example.sharepoint.com/", +        "Scanlevel": "ListItem", +        "Login": "account.example@usercube.com", +        "Password": "account'sexamplepassword", +        "CsvUrls": "C:/identitymanager/source/SP_others.csv¤URL¤," +    } +  } +} +``` + +#### Setting attributes + +| Name | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------------------------------------------- | +| Login required | String | Login of the account used to access files and read their entitlements. | +| Password required | String | Password of the account used to access files and read their entitlements. | +| Server required | String | URL of the SharePoint website to scan. | +| Domain optional | String | Domain, sometimes needed in addition to Login to make the connection to the SharePoint server. | +| TimeOut default value: 300000 | Int32 | Timeout (in milliseconds) for requests. | + +### Password reset + +This connector does not reset passwords. 
+ +### Credential protection + +Data protection can be ensured through: + +- RSA encryption, configured in the `appsettings.encrypted.agent.json` file; +- An Azure Key Vault safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------- | ------------------------------------------------ | +| Domain | `Connections----Domain` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Scanlevel | `Connections----Scanlevel` | +| TimeOut | `Connections----TimeOut` | +| Server | `Connections----Server` | +| CsvUrls | `Connections----CsvUrls` | + +- A CyberArk Vault able to store SharePoint's `Login` and `Password`. + +See the +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md), +[Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md), and +[CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics +for additional information. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                         +                            appsettings.cyberark.agent.json +{ +  ... +  "Connections": { +    ... +    "SharePointFulfill": { +        "Login": "SharePointSettings", +        "Password": "SharePointSettings" +    } +  } +} +                     +``` 
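Review bot: The CyberArk example at the end of sharepoint/index.md is keyed `SharePointFulfill`, while the connections defined earlier on the page are `SharePointExport` and `SharePointFulfillment`, so the vault entry as written matches neither. Suggest using one of the identifiers already defined. Two more inconsistencies: the export paragraph names the account account.example@acme.com (with a mailto to usercube.com) while the JSON uses `account.example@usercube.com`, and the fulfill example sets `Scanlevel` and `CsvUrls`, which the fulfill Setting attributes table does not list. The repeated sentence about attributes "enclosed with `<>`" refers to placeholders that are not visible in any of the blocks (the template shows `""`), and the first and last fences carry padding lines around the file name.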
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md new file mode 100644 index 0000000000..5312719697 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md 
@@ -0,0 +1,222 @@ +# Sql + +This connector exports data from one of various +[Database Management Systems](https://en.wikipedia.org/wiki/Database#database-management-systems). + +This page is about: + +- Database/[ Generic SQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md); +- Database/[ SQL Server ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md); +- Database/[ MySQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/mysql/index.md); +- Database/[ ODBC ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odbc/index.md); +- Database[ Oracle Database ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md); +- Database/[ PostgreSQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md); +- [ SAP ASE ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sapase/index.md). 
+ +![Package: Directory/Database/Generic SQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlgeneric_v603.webp) + +![Package: Directory/Database/Microsoft SQL Server](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlserver_v603.webp) + +![Package: Directory/Database/MySQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlmy_v603.webp) + +![Package: Directory/Database/ODBC](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlodbc_v603.webp) + +![Package: Directory/Database/Oracle](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqloracle_v603.webp) + +![Package: Directory/Database/PostgreSQL](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlpostgre_v603.webp) + +![Package: Directory/Database/SAP ASE](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/packages_sqlsap_v603.webp) + +## Overview + +A database is a collection of relational data which represents some aspects of the real world. A +database system is designed to be built and populated with data for a specific task. + +A Database Management System (DBMS) is a software for storing and retrieving users' data while +considering appropriate security measures. + +> Some popular DBMS systems are Microsoft SQL Server, MySQL, Oracle, PostgreSQL, etc. + +The goal of this connector is to connect to a DBMS and execute a query in order to export a table. 
+ +## Prerequisites + +Implementing this connector requires: + +- the configuration of a DBMS system; + > For example for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15). +- creating a database `MyDb` with several tables and data so the user can query on the database, for + testing purposes. + +## Export + +This connector exports the content of any table from an SQL database and writes it to a CSV file. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example configures the connection to Microsoft SQL Server and exports the table +> `UC_Connectors` from the database `MyDb`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... 
+> "SqlExport": { +> "ConnectionString" : "data source=.;Database=MyDb;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "SqlCommand": "SELECT * FROM [MyDb].[dbo].[UC_Connectors]" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| SqlCommand optional | **Type** String **Description** SQL request to be executed. **Note:** when not specified and `SqlFile` neither, then all the[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| SqlFile optional | **Type** String **Description** Path of the file containing the SQL request to be executed. **Note:** ignored when `SqlCommand` is specified. **Note:** when not specified and `SqlFile` neither, then all the [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) of this connector will be exported. | +| CsvEncoding default value: UTF-8 | **Type** String **Description** Encoding of the file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| ProviderClassFullName optional | **Type** String **Description** Invariant name to register the provider. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| ProviderDllName optional | **Type** String **Description** DLL, i.e. name and extension, to be loaded by the connector. **Note:** the DLL must be in the `Runtime` folder. **Note:** required when querying a DBMS other than Microsoft SQL Server. | +| IsolationLevel default value: ReadUncommitted | **Type** String **Description** Locking behavior of the transaction: `ReadUncommitted`; `ReadCommitted` - used for the databases that do not support the ReadUncommitted level, like Oracle databases. | + +### Connect to other DBMS + +Connect to a DBMS other than Microsoft SQL Server by proceeding as follows: + +1. Download and extract the package. + > For MySQL, download the package from [MySql.Data](https://www.nuget.org/packages/MySql.Data/). + > + > ![MySQL: Download Package](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/sql_downloadpackage.webp) +2. Copy the DLL file (corresponding to the correct .Net version) to the `Runtime` folder. + > For MySQL, the DLL is `MySql.Data.dll`. +3. Get the value required for `ProviderClassFullName` and `ProviderDllName`: + + - for a DBMS handled by Identity Manager's packages, by accessing the + [ References: Packages ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md); + + > For MySQL: + > + > ![Package Characteristics Example](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sql/sql_packagecharacteristics.webp) + + - for another DBMS, by accessing the DBMS' documentation for .Net and finding a class with + **Factory** in its name. 
+ + > If MySQL were not part of Identity Manager's packages, you would see + > [MySqlClientFactory](https://dev.mysql.com/doc/dev/connector-net/latest/api/data_api/MySql.Data.MySqlClient.MySqlClientFactory.html). + + The **Factory** class must derive from **DbProviderFactory**. After verification, the + `ProviderClassFullName` can be found in the **Inheritance Hierarchy** of the class. + + > For MySQL, here `ProviderDllName` is **MySql.Data.dll** and `ProviderClassFullName` is + > **MySql.Data.MySqlClient.MySqlClientFactory**. + > + > Then the following example configures the connection to MySQL and exports the table + > `UC_Connectors` from the database `MyDb` (the SQL command is inside `mySql.sql`): + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString" : "Server=localhost;Database=MyDb;Uid=root;Pwd=secret", + > "SqlFile": "C:/identitymanagerDemo/Conf/Sql/mySql.sql", + > "ProviderClassFullName": "MySql.Data.MySqlClient.MySqlClientFactory", + > "ProviderDllName": "MySql.Data.dll" + > } + > } + > } + > ``` + > + > Another example for ODBC: + > + > ``` + > appsettings.agent.json + > { + > ... + > "Connections": { + > ... + > "SqlExport": { + > "ConnectionString": "Driver=ODBC Driver 17 for SQL Server;Server={YOUR-PC}\\SQLEXPRESS;Database={Database Name};Hostname=Localhost;DBALIAS={Database Alias};trusted_connection=Yes", + > "ProviderClassFullName": "System.Data.Odbc.OdbcFactory", + > "ProviderDllName": "System.Data.Odbc.dll", + > "SqlCommand": "SELECT * FROM {Table Name}", + > "IsolationLevel": null + > } + > } + > } + > ``` + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder one CSV file, named `.csv` whose columns correspond to the +columns returned by the SQL query. 
+ +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| --------------------- | -------------------------------------------------- | +| ConnectionString | `Connections----ConnectionString` | +| SqlCommand | `Connections----SqlCommand` | +| SqlFile | `Connections----SqlFile` | +| CsvEncoding | `Connections----CsvEncoding` | +| ProviderClassFullName | `Connections----ProviderClassFullName` | +| ProviderDllName | `Connections----ProviderDllName` | +| Timeout | `Connections----Timeout` | + +[](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +is not available for this connector. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md new file mode 100644 index 0000000000..f52c1469d4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/index.md 
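Review bot: The MySQL example under "Connect to other DBMS" on the SQL connector page puts a cleartext password for the `root` account in `appsettings.agent.json` (`Uid=root;Pwd=secret`), and the SQL Server example sets `encrypt=false`. Readers copy these samples verbatim, so use a dedicated account limited to reading the exported tables and refer to the "Credential protection" section (`appsettings.encrypted.agent.json` or the Key Vault key for `ConnectionString`) instead of an inline password. The `IsolationLevel` row gives `ReadUncommitted` as the default without saying that the export can then read uncommitted rows; a sentence on when to choose `ReadCommitted` would help. In the "Setting attributes" table, the stray `| | |` and `| --- | --- |` rows split the table in two, and the `SqlFile` row repeats the `SqlCommand` note word for word ("when not specified and `SqlFile` neither"), where it should name `SqlCommand`. The connection identifier placeholder is also missing from `"": {`, from "named `.csv`" and from the Key Vault keys (`Connections----ConnectionString`).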
@@ -0,0 +1,170 @@ +# Sql Server Entitlements + +This connector exports entitlements from +[Microsoft SQL Server](https://www.microsoft.com/en-us/sql-server/). + +This page is about +[ SQL Server Entitlements ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md). + +![Package: Database/Microsoft SQL Server Entitlements](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/sqlserverentitlements/packages_sqlservermanagement_v603.webp) + +## Overview + +Identity Manager can manage permissions within Microsoft SQL Server, by exporting the server's and +databases' principals, i.e. entities that can request Microsoft SQL Server's resources. + +SQL Server supports three types of principals: + +- logins at the server level; +- users at the database level; +- roles (if any) at either level. + +Every principal includes a security identifier (SID). + +## Prerequisites + +Implementing this connector requires: + +- the configuration of a Microsoft SQL Server system; + + > For example, for Microsoft SQL Server 2017, see Microsoft's documentation for + > [planning a SQL Server installation](https://docs.microsoft.com/en-us/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2017), + > the + > [SQL Server installation guide](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-2017) + > and (optionally) + > [downloading SQL Server Management Studio (SSMS)](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15); + +- understanding the concept of principals, roles and permissions; + + > A little help on that with: + > + > > [Principals (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/principals-database-engine?view=sql-server-2017); + > + > > [Create a 
Login](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-login?view=sql-server-2017); + > + > > [Server-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?view=sql-server-2017); + > + > > [Create a Database User](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017); + > + > > [Database-Level Roles](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-2017); + > + > > [Permissions (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-database-engine?view=sql-server-2017); + > + > > [Permissions Hierarchy (Database Engine)](https://docs.microsoft.com/en-us/sql/relational-databases/security/permissions-hierarchy-database-engine?view=sql-server-2017). + +- a `ConnectionString` with a `Login` to connect to the SQL Server, where either the login has the + **sysadmin** role, or: + + - the login has the **securityadmin** role, in order to export server principals; + - each database to export has a database user attached to the login with at least one role among + **db_accessadmin**, **db_owner** and **db_securityadmin**, in order to export database + principals. + + [Securables](https://docs.microsoft.com/en-us/sql/relational-databases/security/securables?view=sql-server-2017) + can also be defined manually for both the server and database principals, but this is more + complicated and hence not recommended. + +## Export + +This connector exports from one or several databases to CSV files the following tables: + +- `sys.server_principals`; +- `sys.server_role_members`; +- `sys.database_principals`; +- `sys.database_role_members`. + +This connector exports only in complete mode. 
+ +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. + +> The following example connects Identity Manager to Microsoft SQL Server and exports the principals +> from the databases `UsercubeDemo` and `AdventureWorks2017`: +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "SqlServerEntitlementsExport": { +> "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;", +> "Databases": [ "UsercubeDemo", "AdventureWorks2017" ] +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ConnectionString required | **Type** String **Description** Connection string of the database. See the [specific syntax](https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlconnection.connectionstring?view=dotnet-plat-ext-5.0). | +| Timeout optional | **Type** Int32 **Description** Time period (in seconds) after which the request attempt is terminated and an error is generated. | +| | | +| --- | --- | +| Databases optional | **Type** String List **Description** List of databases to be exported. **Note:** when not specified, all databases from the SQL Server are exported. 
| + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder the following CSV files: + +- `_serverPrincipals.csv`; +- `_serverRoleMembers.csv`; +- `_databasePrincipals.csv`; +- `_databaseRoleMembers.csv`. + +> For example, if the connection identifier is **SqlServerEntitlementsExport**, then the file names +> are `SqlServerEntitlementsExport_serverPrincipals.csv`, etc. + +The output files' columns are the columns returned by the SQL query. + +## Fulfill + +There are no fulfill capabilities for this connector. + +## Authentication + +### Password reset + +This connector does not reset passwords. + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ---------------- | ------------------------------------------------ | +| ConnectionString | `Connections----ConnectionString` | +| Timeout | `Connections----Timeout` | + +[](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +is not available for this connector. 
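Review bot: The connection identifier placeholder has been lost throughout the new Sql Server Entitlements file: the configuration skeleton shows `"": {`, the output files are listed as `_serverPrincipals.csv`, and the Key Vault keys read `Connections----ConnectionString`, so only the `SqlServerEntitlementsExport_serverPrincipals.csv` example tells the reader what belongs there. Restore the placeholder in all three places. In "Credential protection", "An [ Connection ] safe" and the empty `[](...)` link before "is not available for this connector" have lost their link text, so the list no longer says which safe or provider is meant. The example connection string sets `encrypt=false` for a connector that exports logins and role memberships and needs **sysadmin** or **securityadmin**; either drop that setting from the example or state why it is there, and consider listing the narrower **securityadmin** plus database-role option before **sysadmin**. The `| | |` and `| --- | --- |` rows before `Databases` also break the "Setting attributes" table.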
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md new file mode 100644 index 0000000000..6a14b55796 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/topsecret/index.md @@ -0,0 +1,10 @@ +# Top Secret + +This connector exports users and profiles from a +[Top Secret](https://www.ibm.com/docs/en/szs/2.2?topic=audit-top-secret) (TSS) instance. + +This page is about [ TSS ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/tss/index.md). + +![Package: Mainframe/Top Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/topsecret/packages_tss_v603.webp) + +The documentation is not yet available for this page and will be completed in the near future. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/workday/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/workday/index.md new file mode 100644 index 0000000000..dc74853d5a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/workday/index.md 
@@ -0,0 +1,202 @@ +# Workday + +This connector exports users and groups from a +[Workday](https://www.workday.com/en-us/products/talent-management/overview.html) instance. + +This page is about [ Workday ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workday/index.md). + +![Package: ERP/Workday](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/references-connectors/workday/packages_workday_v603.webp) + +## Prerequisites + +Implementing this connector requires: + +- using Workday Web Services (WWS) Directory + [v34.2](https://community.workday.com/sites/default/files/file-hosting/productionapi/versions/v34.2/index.html) + or later; + + > For example, the + > [Human Resources](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/Human_Resources.html) + > Web Service contains operations that expose Workday Human Capital Management Business Services + > data, including Employee, Contingent Worker and Organization information. + +- access to the Web Services that are to be used; +- the [XPath](https://www.w3.org/TR/1999/REC-xpath-19991116/) syntax to configure and select the + attributes to export. + +## Export + +This connector exports any entity available in WWS. + +### Configuration + +This process is configured through a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) in the UI and/or +the XML configuration, and in the `appsettings.agent.json > Connections` section: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "": { + ... + } + } +} +``` + +The identifier of the connection and thus the name of the subsection must: + +- be unique. +- not begin with a digit. +- not contain `<`, `>`, `:`, `"`, `/`, `\`, `|`, `?`, `*` and `_`. 
+ +> The following example connects Identity Manager to Workday and exports `Worker_ID` and `User_ID` +> from the entity Workers returned in +> [Get_Workers_Response](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml): +> +> ``` +> appsettings.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "InputFilePath": "C:/identitymanagerContoso/Temp/bodies.json", +> "Login": "USERCUBE@contoso", +> "Password": "contoso1996", +> "Server": "https://workday.com/ccx/service/contoso" +> } +> } +> } +> ``` + +#### Setting attributes + +| Name | Details | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| InputFilePath required | **Type** String **Description** Path of the JSON file defining which entities and attributes are to be exported. See more details below. | +| Login required | **Type** String **Description** Login used to authenticate to Workday. | +| Password required | **Type** String **Description** Password used to authenticate to Workday. | +| Server required | **Type** String **Description** URL of the targeted Workday instance. **Syntax:**`https://####.workday.com/ccx/service/tenantName` (without the Web Service part). | + +##### InputFilePath + +The file specified in `InputFilePath` must have a specific structure, with a section for each entity +to be exported. 
+ +> For example: +> +> ``` +> bodies.json +> { +> "Requests": [ +> { +> "XmlBody": " ", +> "EntityName": "workers", +> "IncrementalTag": "Transaction_Log_Criteria_Data", +> "WebService": "Human_Resources/v34.2" +> } +> ] +> } +> ``` + +| Name | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| XmlBody required | **Type** String **Description** Request to send to the Web Service. **Syntax:** `"XmlBody": " ... "` - the request body must begin with `` and end with ``; - inside the body, the entity request must use the namespace `bsvc`; - the body must fit on a single line. **Tip:** write the body in a separate XML file and use [TextFixer](https://www.textfixer.com/tools/remove-line-breaks.php) to remove line breaks. **Tip:**[see an example](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Request.xml). | +| XPaths optional | **Type** String Pair List **Description** One or several key-value pairs, where: - the key is the attribute name that will be the column name in the output CSV file; - the value is the XPath used in the response to get the attribute value. **Info:** useless most of the time because the information is provided by entity type mappings and entity association mappings. 
Still useful when using the exe directly. **Note:** Netwrix Identity Manager (formerly Usercube)recommends using an **XPath** to the property `WID`, because it helps logs (in Trace mode) find entities with multi-valued properties. **Syntax:** `"XPaths": { "Attribute_1_Name": "XPath 1", ... "Attribute_N_Name": "XPath N" }` | +| EntityName required | **Type** String **Description** Name of the entity, which conditions the name of the output file. | +| IncrementalTag optional | **Type** String **Description** XML tag associated with the incremental request. **Note:** in the xml request, `` must be the parent of `` which is the parent of `` and ``. **Note:** when not specified, this entity is always exported in complete mode. **Warning:** the `IncrementalTag` part must not be added manually in `XmlBody` because the connector adds it automatically when exporting in incremental mode. | +| WebService required | **Type** String **Description** Name and version of the Web Service. | + +### Output details + +This connector is meant to generate to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +Output folder: + +- one CSV file for each entity, named `_.csv`, with the following + columns: + + - **Command**: used for + [ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md); + - one column for each XPath found in the + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)' + connection columns and + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md)' + columns. 
+ [See Workday's documentation to compute XPaths](https://community.workday.com/sites/default/files/file-hosting/productionapi/Human_Resources/v34.2/samples/Get_Workers_Response.xml).``` `\_.csv` + + Command,Key_XPath_1,Key_XPath_2,...,Key_XPath_N Add,value1,value2,...,valueN + + ``` + + ``` + +- a cookie file named `workday__cookie.bin`, containing the time of the last + export in order to perform an incremental export. + + Most exports can be run in complete mode, where the CSV files will contain all entries, or in + incremental mode, where CSV files will contain only the entries which have been modified since + the last synchronization. + + A task can use the `IgnoreCookieFile` boolean property, and a command line (with an executable) + can use the option `--ignore-cookies`. + +> For example, with the following configuration: +> +> ``` +> +> +> +> ``` +> +> We choose to export only the entity `workers`, so the output is generated to +> `WorkdayExport_workers.csv` in the +> [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)Export +> Output directory . +> +> The CSV file will include three columns: `Command`; `bsvc:Worker_Data/bsvc:Worker_ID` and +> `bsvc:Worker_Data/bsvc:User_ID`. 
+ +## Authentication + +### Credential protection + +Data protection can be ensured through: + +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md), configured in + the `appsettings.encrypted.agent.json` file; +- An [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) safe; + +| Attribute | Naming Convention for the Key in Azure Key Vault | +| ------------- | ------------------------------------------------ | +| InputFilePath | `Connections----InputFilePath` | +| Login | `Connections----Login` | +| Password | `Connections----Password` | +| Server | `Connections----Server` | + +- A + [](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + able to store Workday's `Login`, `Password` and `Server`. + +Protected attributes are stored inside a safe in CyberArk, into an account whose identifier can be +retrieved by Identity Manager from `appsettings.cyberark.agent.json`. + +> For example: +> +> ``` +> appsettings.cyberark.agent.json +> { +> ... +> "Connections": { +> ... +> "WorkdayExport": { +> "Login": "WorkdayExport_Account", +> "Password": "WorkdayExport_Account" +> } +> } +> } +> ``` 
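Review bot: The XML that the new Workday file refers to is missing, which leaves its key instructions empty: `"XmlBody": " "` in the `bodies.json` example, "the request body must begin with `` and end with ``", the `IncrementalTag` note ("`` must be the parent of ``"), and the fenced block after "with the following configuration", which contains nothing. Restore the XML (escaped or inside code spans) before merging, and repair the unbalanced fences after the "See Workday's documentation to compute XPaths" link in "Output details". The `WorkdayExport` example also stores `"Password": "contoso1996"` in cleartext in `appsettings.agent.json`; point it at the "Credential protection" section (encrypted file, Key Vault or CyberArk) so the sample is not copied as-is. The sample `Server` value `https://workday.com/ccx/service/contoso` does not match the documented syntax `https://####.workday.com/ccx/service/tenantName`.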
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/active-directory/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/active-directory/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/apache-directory/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/apache-directory/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/azure-active-directory/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/azure/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/azure/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/csv/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/csv/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/csv/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/csv/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/cyberark/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/cyberark/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/easyvista/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/easyvista/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/easyvistaticket/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/excel/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/excel/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/excel/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/excel/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/generic-ldap/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/generic-scim/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/generic-scim/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md new file mode 100644 index 0000000000..db010e0762 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md 
@@ -0,0 +1,17 @@ +# Generic SQL + +Exports data from a SQL database. + +| Package Characteristics | Value | +| ----------------------- | ----------------------- | +| Display Name | Database/Generic SQL | +| Identifier | Usercube.SQL@0000001 | +| Export | Usercube-Export-Sql.dll | +| Fulfill | NONE | +| Has Incremental Mode | False | +| Publisher | Identity Manager | + +When creating a connection to a database which is not handled by Identity Manager's packages, you'll +need to fill in the `ProviderDllName` and `ProviderClassFullName` properties of the +[ Sql ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/sql/index.md) connector using the procedure given in the +example. diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/googleworkspace/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/home-folders/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/home-folders/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/usercube-database/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/usercube-database/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md new file mode 100644 index 0000000000..2edcd06424 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md 
@@ -0,0 +1,201 @@ +# References: Packages + +If you are looking for the dll of a given package, be aware that you can often find it in the +[nuget catalog](https://www.nuget.org/packages). Then you can follow the procedure: + +1. Download and extract the package. + +2. Copy the dll file (corresponding to the appropriate .Net version) to the `Runtime` folder. + +- [ Active Directory ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/active-directory/index.md) + + Manages users and groups in Active Directory. This package supports incremental synchronization + with the DirSync mechanism. + +- [ Apache Directory ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/apache-directory/index.md) + + Manages users and groups in Apache Directory. + +- [ Azure ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure/index.md) + + Exports Azure resources, role definitions and role assignments. + +- [ CSV ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/csv/index.md) + + Exports CSV to prepare synchronization. + +- [ CyberArk ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/cyberark/index.md) + + Manages CyberArk entities, including user and group assignments. + +- [ EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvista/index.md) + + Manages users inside an EasyVista instance. This package supports incremental synchronization. + +- [ EasyVista Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/easyvistaticket/index.md) + + Creates tickets inside an EasyVista instance. This package supports incremental synchronization. 
+ +- [ Excel ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/excel/index.md) + + Exports Excel data sheets. + +- [ Generic LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-ldap/index.md) + + Manages entries in an LDAP compliant directory. + +- [ Generic SCIM ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-scim/index.md) + + Manages entities in SCIM compatible application. + +- [ Generic SQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/generic-sql/index.md) + + Exports data from a SQL database. + +- [ Google Workspace ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/googleworkspace/index.md) + + Manages Google Workspace entities. + +- [ Home Folders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/home-folders/index.md) + + Manages Home Folders. + +- [ JSON ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/json/index.md) + + Generate JSON files for each provisioning order. These JSON can then be used by custom scripts. + +- [ LDIF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/ldif/index.md) + + Exports entries from a LDIF file. + +- [ Manual Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) + + Opens manual provisioning tickets in Identity Manager. + +- [ Manual Ticket and CUD Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md) + + Opens manual provisioning tickets in Identity Manager. 
+ +- [ Microsoft Entra ID ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/azure-active-directory/index.md) + + Manages users and groups in Microsoft Entra ID (formerly Microsoft Azure AD). This package + supports incremental synchronization with the delta API. + +- [ Microsoft Exchange ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md) + + Manages Microsoft Exchange mailboxes. This package supports incremental synchronization. + +- [ MySQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/mysql/index.md) + + Export data from a MySQL database. + +- [ OData ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odata/index.md) + + Manages OData entities. + +- [ ODBC ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odbc/index.md) + + Exports data from a generic ODBC compatible database. + +- [ Open LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md) + + Manages entries in Open LDAP. This package supports incremental synchronization with the sysrepl + mechanism. + +- [ Oracle Database ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md) + + Export data from an Oracle database. + +- [ Oracle LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md) + + Manages entries in Oracle Internet Directory. + +- [ PostgreSQL ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md) + + Export data from a PostgreSQL database. 
+ +- [ PowerShellProv ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md) + + Fulfills an external system with a custom PowerShell script. + +- [ PowerShellSync ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md) + + Create a CSV export from a Powershell Script. + +- [ RACF ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/racf/index.md) + + Exports the RACF users and profiles. + +- [ Red Hat Directory Server ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md) + + Manages entries in a Red Hat Directory Server. + +- [ Robot Framework ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md) + + Fulfills an external system using a Robot Framework script. + +- [ Salesforce ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md) + + Manages Salesforce entities. + +- [ SAP ASE ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sapase/index.md) + + Exports data from a SAP ASE database. + +- [ SAP ERP 6.0 ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md) + + Manages users and roles in SAP ERP 6.0. + +- [ SAP S/4 HANA ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saphana/index.md) + + Manages users and roles in SAP S/4 HANA. + +- [ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md) + + Manages any data in the CMDB, including users and roles. This package supports incremental + synchronization. 
+ +- [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) + + Opens tickets in ServiceNow for the manual provisioning. + +- [ Shared Folders ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md) + + Manages users and permissions in Shared Folders. + +- [ SharePoint ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md) + + Exports sites, folders, SharePoint groups and permissions. + +- [ Slack ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/slack/index.md) + + Manages Slack entities. + +- [ SQL Server ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md) + + Export data from a SQL Server database. + +- [ SQL Server Entitlements ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md) + + Exports SQL Server Entitlements. + +- [ TSS ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/tss/index.md) + + Exports the Top Secret users and profiles. + +- [ Unplugged ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md) + + Manages an unplugged system with a completely custom data model. + +- [Database](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/identitymanager-database/index.md) + + Updates the Identity Manager database for each provisioning order. This package is used for HR + systems, authoritative systems or other Identity Manager instances. + +- [ Workday ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workday/index.md) + + Manages users and groups in Workday. 
+ +- [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workflow/index.md) + + Triggers workflows in Identity Manager for each provisioning order. diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/json/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/json/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/json/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/json/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/ldif/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/ldif/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/ldif/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/ldif/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md new file mode 100644 index 0000000000..4f4843faca --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket-and-cud-resources/index.md 
@@ -0,0 +1,40 @@ +# Manual Ticket and CUD Resources + +Opens manual provisioning tickets in Identity Manager. + +| Package Characteristics | Value | +| ----------------------- | ----------------------------------------------------------------------------------------- | +| Display Name | Ticket/identitymanager And Create/Update/Delete resources | +| Identifier | Usercube.UpdateManualProvisioningTicket@0000001 | +| Export | NONE | +| Fulfill | `Usercube-UpdateManualProvisioningTicket.dll` and `Usercube-Update-FulfillmentStates.dll` | +| Has Incremental Mode | False | +| Publisher | Identity Manager | + +## Virtual Resources + +This package allows to create tickets in the Manual Provisioning screen. + +After the validation of the ticket, the state of the resource will be `Executed`. +If a synchronization is available for the system manually fulfilled, the state could change to +`Verified` if the synchronized data are the ones expected. +If the external system cannot be synchronized, Identity Manager offers the possibility to create +virtual resources. It means that the data is not provided by a synchronization, but we trust the +validation of the ticket in the manual provisioning screen. The resources are created accordingly as +if they were coming from an external system. + +## Rights for CUD Resources + +If this package is used from the interface, the necessary rights will be automatically added. +If this package is used from the XML configuration, some rights will need to be added to allow the +creation, update or deletion of virtual resources. + +### Example + +Here is an example for an entity type called `MyTicketEntity`: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md new file mode 100644 index 0000000000..402c099620 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md @@ -0,0 +1,12 @@ +# Manual Ticket + +Opens manual provisioning tickets in Identity Manager. + +| Package Characteristics | Value | +| ----------------------- | ------------------------------------- | +| Display Name | Ticket/identitymanager | +| Identifier | Usercube.Manual@0000001 | +| Export | NONE | +| Fulfill | Usercube-Update-FulfillmentStates.dll | +| Has Incremental Mode | False | +| Publisher | Identity Manager | diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/microsoft-exchange/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/microsoft-exchange/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/mysql/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/mysql/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/mysql/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/mysql/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/odata/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odata/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/odata/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odata/index.md 
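Review bot: in references-packages/index.md the opening procedure tells the reader to take a package DLL from the nuget catalog and copy it into the `Runtime` folder, but it links only to the catalog root (`https://www.nuget.org/packages`) and gives no way to confirm that the package is the intended one. Name the expected package id or publisher for each connector, and add a step to check the package signature before the copy. Smaller points in the list: "sysrepl mechanism" under Open LDAP should read "syncrepl"; the `[Database]` entry sits out of alphabetical order between Unplugged and Workday, and its link text is just `Database` while the target folder is `identitymanager-database`; Manual Ticket and Manual Ticket and CUD Resources carry an identical description, so the list does not tell them apart; and the package list starts directly after step 2 with no sentence introducing it.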
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/odbc/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odbc/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/odbc/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/odbc/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/open-ldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/open-ldap/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/open-ldap/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/oracle-database/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/oracle-database/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-database/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/oracle-ldap/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/oracle-ldap/index.md 
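Review bot: in manual-ticket-and-cud-resources/index.md the fenced block under "### Example" is empty (three blank lines), so "Here is an example for an entity type called `MyTicketEntity`" introduces nothing. This is the only place the page would show which rights the XML configuration needs for the creation, update or deletion of virtual resources, so restore the XML (it may have been stripped as markup) and tag the fence with its language. The Display Name value `Ticket/identitymanager And Create/Update/Delete resources` also looks like a mechanical product-name substitution; confirm it matches what the interface shows. "This package allows to create tickets" would read better as "This package allows creating tickets".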
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/postgresql/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/postgresql/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/postgresql/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/powershellprov/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/powershellprov/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellprov/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/powershellsync/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/powershellsync/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/powershellsync/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/racf/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/racf/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/racf/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/racf/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/red-hat-directory-server/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/red-hat-directory-server/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/robot-framework/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/robot-framework/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/robot-framework/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/salesforce/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/salesforce/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/salesforce/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sapase/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sapase/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sapase/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sapase/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/saperp6/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/saperp6/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saperp6/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/saphana/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saphana/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/saphana/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/saphana/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/servicenow-ticket/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/servicenow/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/servicenow/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/shared-folders/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/shared-folders/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/shared-folders/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sharepoint/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sharepoint/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sharepoint/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/slack/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/slack/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/slack/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/slack/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sql-server-entitlements/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server-entitlements/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sql-server/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/sql-server/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/sql-server/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/tss/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/tss/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/tss/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/tss/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/unplugged/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/unplugged/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/unplugged/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/workday/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workday/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/workday/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workday/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/connectors/references-packages/workflow/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workflow/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/connectors/references-packages/workflow/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/workflow/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md new file mode 100644 index 0000000000..c4959402ce --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md 
@@ -0,0 +1,252 @@ +# Entity Model + +At the heart of any successful IGA project, dwells an efficient data model. + +The data involved in the project, be it reference data, identities, or from the managed systems', +needs to be modeled in a way that is both relevant to the organization and to Identity Manager. + +Identity Manager allows integrators to adapt the data model to the target organization, instead of +forcing the organization to fit in a pre-conceived hardwired model. This philosophy has proven +successful by Identity Manager's field experience and project feedback. + +## Entity-Relationship model + +The model for all resources (that means data from the managed system, reference data and identities) +is written in the applicative configuration in the form of an +[Entity-Relationship model](https://en.wikipedia.org/wiki/Entity–relationship_model), called the +**entity model**. See the [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for additional +information. + +The model is organized into cohesive **connectors**, one for each managed system, and one for the +reference data/identity repository. + +An **entity model** describes the shape of resources (the **metadata**) and how they are built from +real world sources of truth (the **mapping**). + +### Metadata + +The **metadata** of a resource is the description of the resources' shape. Using the +_Entity-Relationship_ vocabulary, it's a list of property names and types for a resource. + +The metadata is written using +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md), +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). 
+ +#### Entity types + +Every resource is assigned an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) that describes its shape. + +It's a description of the resource: it can be a managed system's resource or a real world entity +such as an identity or a department. + +An [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) includes: + +- One or more [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- Zero or more + [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) + +#### Entity properties + +Properties are key-value pairs, with a name and type that describes the nature of the value held by +the property. They are described by +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties. + +There are two kind of properties: **Scalar Properties** and **Navigation Properties**. + +**Scalar Properties** simply hold a value: a string, a number, a date for example. + +Available types include: + +- `String` +- `Bytes` +- `Int32` (32 bits integer) +- `Int64` (64 bits integer) +- `DateTime` +- `Bool` (boolean) +- `Guid` +- `Double` +- `Binary` (binary file like an image) + +For these types, the UI and binding system transforms the value retrieved from the database into the +corresponding type for display. + +**Navigation Properties** properties hold links between the parent resource and another resource. + +**Navigation Properties** type is `ForeignKey`. + +**Navigation Properties** are completed by an Entity Association that explicitly describe the nature +of the link. 
+ +#### Entity association + +An [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +describes a link between entity types. It connects a pair of navigation properties, from two +**Entity Types**. + +There are two types of navigational properties: + +- _mono-valued_, that link to a [single](https://en.wikipedia.org/wiki/One-to-one_(data_model)) + entity; +- _multi-valued_, that link to a + [collection](https://en.wikipedia.org/wiki/many-to-many_(data_model)) of entities. + +Given a navigation property A of EntityType 1, linking EntityType 1 to navigation properties B of +EntityType 2, then navigation property B is called the reverse property of navigation property A and +navigation property A is called the reverse property of navigation property B. + +For example, + +- The _User_ entity type has the navigational property _Positions_ (a link to **zero or + more\_**Position\_ entities); +- The _Position_ entity type has the navigational property _Person_ (a link to **zero or + one\_**User\_ entity); +- The navigational property _Person_ is the reverse link of the navigational property _Positions;_ +- The _User_ entity type has the navigational property _Manager_ (a link to **zero or one\_**User\_ + entity); +- The _User_ entity type has the navigational property _Subordinates_ (a link to **zero or + more\_**User\_ entities); +- The navigational property _Subordinates_ is the reverse link of the navigational property + _Manager_. + +#### Locatable property + +Some property values must be available in several languages. In this case, we define a **neutral +property** and as many corresponding properties as languages. + +The built-in _InternalDisplayName_ property is a neutral property. 
Its associated properties are +named \_`InternalDisplayName___L{Index}`_ where \_Index_ reference the +[Languages](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/languages/index.md). + +#### Computed property + +A property can be calculated from other properties. The +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) property expression +element allows the expression of a computed property. It references the property (specifying the +entity type's identifier and the property's identifier) and expresses the calculation based on a +given entity using the calculation [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) syntax. + +An element `` can be used to calculate a scalar property or a mono-valued +navigation property. In the latter case, the expression must return an integer that corresponds to +the primary key of the target entity. + +#### Display name + +Every declared **EntityType** automatically has the `InternalDisplayName` property even if it is not +explicitly declared in the applicative configuration. + +It represents a user-friendly name for **EntityType** that is used in the UI if needed. + +Its value can be explicitly computed by an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) property expression. +Otherwise, a default value is automatically computed by Identity Manager using the first property of +the **EntityType** where `identifier` contains the string _"name"_. If no such property is found, +the first declared property of the **EntityType** is used instead. + +The _InternalDisplayName_ property will be used as a default label of the entity in the UI. + +#### Database mapping + +Resources from the **resource repository** are stored in the generic UR_Resources table. 
+ +This table has: + +- 128 columns to store scalar properties (index 0 to 127). The first four are reserved for big + scalar properties values (as many as 4000 unicode char). he other columns are limited to 442 + unicode char. These columns are named C0 to C3V following a base-32 convention for naming. + +- 25 columns to store mono-valued navigational properties values (index 128 to 152). These columns + are named `I0` to `I4N` following a base-32 convention for naming. + +_Multi-valued navigation property_ values are stored in the UR_ResourceLinks junction table. + +Binary property values (such as pictures or files) are stored in the UR_ResourceFiles table. + +### Mapping + +Identity Manager's Entity Model also contains **a mapping** between the external data and +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties or +[](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md)[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). +That's why entity types are organized into **connectors**. The **mapping\_**connects\_ entity types +to external sources of truth. + +This information is provided by the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), their +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). 
+ +To build Identity Manager resources from external data found in the managed system, the entity model +provides a mapping between the external data (often in the form of CSV files, see +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)) and entity +properties. This information is provided by the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), their +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)and +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). + +Every +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)maps a +CSV column to a scalar [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +Every +[ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +maps a CSV column to a navigation +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +#### Format + +When exporting entries from an external system, the results are usually retrieved as simple strings, +written in a CSV file, and imported into the Identity Manager Database as-is. But an external system +will rarely uses the same format as Identity Manager to store objects such as dates. 
+ +Let's take, for example, a case where we want to store an employee's start date: + +- In the external system, the date is stored as a string with the format `2020-09-29 22:00:00`. +- In Identity Manager, dates are stored as strings in the format `20200929220000` + +We need to transform the input data, from the export, into something readable by Identity +Manager and, when writing to the external system, transform Identity Manager's data back into +something readable by the external system. + +![Export and Fulfill Data transformation](/img/product_docs/identitymanager/identitymanager/integration-guide/connectors/entitypropertymapping-format/entitypropertymapping-format-flowchart.webp) + +The format used in the external system can be provided through the +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) using +the +[ References: Format for the EntityPropertyMapping ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) +attribute to help Identity Manager to convert data appropriately. + +If the field in the external system is not forced to a specific value type, but is free-form +(example: a string field in which date values are stored but which can sometimes hold other values), +we strongly recommend not using the `Format` attribute to prevent inconsistent user input in the +external system. + +#### Primary key + +When writing an +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md), one of +the _scalar properties_ should be chosen as primary key. This property will be used by Identity +Manager to [uniquely identify a resource](https://en.wikipedia.org/wiki/Primary_key). It is hence +crucial to choose carefully as many of Identity Manager's processes and optimizations depend on this +choice. 
+ +### SQL views + +The `UR_Resource` table contains resources from all the connectors, for all the Entity Types. +Columns names are not semantically meaningful because they have generic I\*/C\* names. For this +reason, Identity Manager provides SQL views to help the user explore the resource repository from +the database. The views are useful to understand how Identity Manager works or to debug a faulty +configuration. + +SQL Views are built by the +[ Create Database Views Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md). + +SQL Views created by this tool are identified in the database by a `zz_` prefix. + +Created views are not used by the Identity Manager engine directly. Identity Manager's engine always +creates, reads, updates and deletes from the `UR_*` tables. + +## Records + +The **entity model** is enhanced with **records** to handle positions and movements of staff. See +the [Identity Management](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md) topic for additional information. diff --git a/docs/usercube_saas/usercube/integration-guide/executables/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/agent/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/agent/index.md new file mode 100644 index 0000000000..1974381f59 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/agent/index.md 
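Review bot: In the Entity Model page, several references lost their target and should be restored before merge: the Metadata section links "Entity Type" twice in a row (the second was presumably meant to be the entity property reference), the Entity types list says an Entity Type includes "One or more [ Entity Type ]", the Computed property section reads "An element `` can be used" with the element name missing, and the Mapping section carries an empty link `[](...entityassociation/index.md)`. The page also names the repository table both `UR_Resources` (Database mapping) and `UR_Resource` (SQL views), has broken emphasis such as `**zero or more\_**Position\_` and `**mapping\_**connects\_`, and contains the typo "he other columns"; settle on one table name and repair the markup so the rendered page is readable.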
@@ -0,0 +1,28 @@ +# Usercube-Agent + +This tool runs the Agent on a separate server instance. The Agent is able to communicate with the +[Usercube-Server ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md). + +## Examples + +With a properly configured environment, the following command runs the agent. It listens on two +different ports: + +``` +./identitymanager-Agent.exe --urls "http://localhost:6001;http://localhost:6002" +``` + +When the Agent starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:6001 +[xx:xx:xx INF] Now listening on: http://localhost:6002 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ---------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the agent is listening to. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/anonymize/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/anonymize/index.md new file mode 100644 index 0000000000..4987088025 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/anonymize/index.md 
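Review bot: The Examples section of the Usercube-Agent page runs `./identitymanager-Agent.exe` while the page title and the linked server tool keep the `Usercube-` name, so a reader cannot tell which binary name is correct; align the command with the executable that actually ships. The log sample also ends with an empty line inside the fence that can be dropped.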
@@ -0,0 +1,118 @@ +# Usercube-Anonymize + +This tool anonymizes data based on a certain knowledge of the database and the data structure. + +## Overview + +Anonymizing data helps unlock situations where it is necessary to send data to varied teams while +guaranteeing the privacy of the data owners. + +> For example, it can be necessary to transmit data to an integration team that needs to set up +> tests or a development environment to work on the applicative configuration. For example, users +> sometimes need to send data to Identity Manager's support team to reproduce a bug and get it +> corrected. + +## Technical Principles + +Anonymizing can be performed on data: + +- from a CSV file, with the output written to a new CSV file; +- directly inside a SQL database, overwriting existing data with the anonymized data. + + In this case, the plain data is lost. So make sure to work on a copy of the original database. + +Several types of data can be anonymized, according to distinct substitution methods that are +deterministic and non-reversible: + +- strings have each alphabetical character substituted for another alphabetical character; + + > For example, `John Doe` becomes `Xert Okl`. + + Diacritical characters are replaced by a non-diacritical equivalent. + +- numbers have each digit substituted for another digit; + + > For example, `54689` becomes `32016`. + +- emails have the username anonymized, while leaving the domain name as is; + + > For example, `johndoe@contoso.com` becomes `xertoekl@contoso.com`. + +- Active Directory's RDN properties (Relative Distinguished Names), in the _attribute=value_ format, + are anonymized via the string method on the value, leaving the attribute as is. + + > For example, `CN=John Doe` becomes `CN=Xert Okl`. 
+ +## Examples + +### Anonymizing a CSV file + +The following example anonymizes the `first_name`, `last_name`, `email` and `phone` column of the +following CSV file: + +``` + +id,first_name,last_name,email,gender,phone +1,Darrin,Crumpe,dcrumpe0@nifty.com,Male,2666420820 +2,Lyon,Boddam,lboddam1@eepurl.com,Male,5927617041 +3,Roxana,Prose,rprose2@statcounter.com,Female,5134883113 +4,Vladimir,Grisedale,vgrisedale3@blogtalkradio.com,Male,1338476916 +5,Jaquith,Pendrich,jpendrich4@merriam-webster.com,Female,1894520819 +6,Art,Sweatland,asweatland5@boston.com,Male,5066492715 +7,Lynelle,Klammt,lklammt6@stumbleupon.com,Female,5653774981 +8,Chicky,Blatherwick,cblatherwick7@walmart.com,Male,4095068397 +9,Delilah,Kauscher,dkauscher8@de.vu,Female,9324858513 +10,Estelle,Melmeth,emelmeth9@dot.gov,Female,2176715812 + +``` + +The following command outputs the anonymized data in STDOUT. + +``` + +./identitymanager-Anonymize.exe -n C:/Projects/identitymanager/Documentation/exampleSources/Anonymizer/users.csv -s "," --columns first_name,last_name,mail:email,number:phone + +``` + +The output is: + +``` + +id,first_name,last_name,email,gender,phone +1,Afccrp,Icqesl,aicqesl0@nifty.com,Male,6111065265 +2,Mdhp,Qhaafe,mqhaafe1@eepurl.com,Male,4665125502 +3,Chlfpf,Schnl,cschnl2@statcounter.com,Female,4230223223 +4,Imfarerc,Ocrnlafml,iocrnlafml3@blogtalkradio.com,Male,2332051621 +5,Jfkqrfg,Slpacrig,jslpacrig4@merriam-webster.com,Female,2260465226 +6,Fcf,Nalffmfpa,fnalffmfpa5@boston.com,Male,4511066524 +7,Mdplmml,Bmfeef,mbmfeef6@stumbleupon.com,Female,4143550622 +8,Igribd,Qmffglcarib,iqmffglcarib7@walmart.com,Male,0564512365 +9,Almrmfg,Bfqniglc,abfqniglc8@de.vu,Female,6360242423 +10,Lnflmml,Elmelfg,lelmelfg9@dot.gov,Female,6251524226 + +``` + +### Anonymizing a SQL Server table + +The following example overwrites the `UR_Resources` table of Identity Manager's database with +anonymized data for the `C3`, `C8`, `CA`, `CB`, `CC` and `CD` columns for all resources whose `Type` +is `17`. 
+ +``` + +.\Usercube-Anonymize.exe --connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" --table UR_Resources --columns "number:C3,C8,number:CA,mail:CB,number:CC,number:CD" --select-query "select * FROM UR_Resources WHERE Type = 17" + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --columns required | **Type** Strings **Description** Columns from the CSV or SQL database that need anonymizing. **Usage** The value is a string sequence in the form `type:columname`, separated by a coma `,`, where `type` is used to choose the anonymize algorithm from among the following formats: `string` (default value); `mail`; `number`; `rdn`, and where `columnname` is the actual name, not case-sensitive, of the column to anonymize. | +| --connection-string optional | **Type** String **Description** Connection string to the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | +| --csv-separator (-s) default value: ; | **Type** String **Description** Separator of the input CSV file, provided between simple quotes. **Note:** used only when anonymizing a CSV file. | +| --entry-file (-n) optional | **Type** String **Description** Path to the input CSV file to anonymize. **Note:** required when anonymizing a CSV file. 
| +| --no-transaction optional | **Type** No Value **Description** Disables the SQL transaction for the request made by the anonymizing tool to the target SQL Server database. **Warning:** NETWRIX recommends using this option only when using transactions leads to a failure (exceeded RAM usage, exceeded CPU usage), because it could corrupt the data from the database. Make sure to prepare a backup of the database before using this option. **Note:** used only when anonymizing a database. | +| --output (-o) default value: STDOUT | **Type** String **Description** Path of the output CSV file to write the anonymized data. **Note:** used only when anonymizing a CSV file. | +| --select-query (-q) optional | **Type** String **Description** SQL query to filter the rows to be anonymized. **Note:** used only when anonymizing a database, and useful only when the query includes a "WHERE" condition, otherwise the `--table` and `--columns` arguments are enough. **Usage** The table targeted by the query must be on the table specified in `--table`. **Examples** `SELECT Id, name, firstName FROM Resources WHERE resourceType = 'Person'` is a query with a simple condition. `SELECT * FROM Persons WHERE resourceType = 'Person' AND specialFlag = 'TopSecret'` selects all columns, and adds a specific condition. | +| --table (-t) optional | **Type** String **Description** Name of the table from the SQL Server database to be anonymized. **Note:** required when anonymizing a database. | diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/check-expressionsconsistency/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/check-expressionsconsistency/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md 
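Review bot: The inline examples in the Technical Principles list of the Usercube-Anonymize page contradict the deterministic per-character substitution they illustrate: in `John Doe` becomes `Xert Okl` the letter `o` maps to both `e` and `k`, and `johndoe@contoso.com` becomes `xertoekl@contoso.com` gains a character. Replace them with values the tool actually produces, as in the CSV example further down, where each letter and digit maps to the same substitute throughout. That CSV output also shows what is not hidden: columns not listed in `--columns` (`id`, `gender`), the email domain, value lengths and the trailing digit of each email username are unchanged, so the Overview sentence about "guaranteeing the privacy of the data owners" should state these limits. Smaller points: the CSV command calls `./identitymanager-Anonymize.exe` and the SQL command `.\Usercube-Anonymize.exe`, the SQL connection string sets `encrypt=false` for a database that holds identity data, and `columname` in the `--columns` row is a typo; use one executable name and an encrypted connection in the sample.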
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md new file mode 100644 index 0000000000..bb11a44f99 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md 
@@ -0,0 +1,33 @@ +# Usercube-Compute-CorrelationKeys + +This tool is used to compute the values of all correlation keys. + +## Examples + +The following example computes the correlation keys of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Compute-CorrelationKeys.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. | +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. 
| +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in [SelectUserByIdentityQueryHandler](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/configuration-transform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/configuration-transform/index.md new file mode 100644 index 0000000000..4f6b796769 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/configuration-transform/index.md 
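Review bot: The Arguments table of the Usercube-Compute-CorrelationKeys page is broken: empty `| | |` rows followed by `| --- | --- |` separator rows are interleaved between the argument rows, and `--batch-size (-q)` is listed twice with identical text. Keep a single header and separator row, remove the stray rows and drop the duplicate `--batch-size` entry. The example command also connects with `encrypt=false` in the connection string; prefer an encrypted connection in documentation samples.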
@@ -0,0 +1,46 @@ +# Usercube-Configuration-Transform + +This tool applies a series of transformations specified in a JSON file, on the content of a given +directory. + +## Example + +The following example searches all occurrences of `Directory_User` in the files inside +`C:/identitymanagerDemo/Conf` whose names: + +- contain `guest` to replace all occurrences with `Directory_Guest`; +- contain `bot` to replace all occurrences with `Directory_Bot`. + +The resulting files are saved in `C:/identitymanagerDemo/ConfTransformed`. + +``` + +./identitymanager-Configuration-Transform.exe --input "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/ConfTransformed" --transformation-file "C:/identitymanagerDemo/transformations.json" + +``` + +transformations.json + +```json +{ + "*guest*": { + "Directory_User": "Directory_Guest" + }, + "*bot*": { + "Directory_User": "Directory_Bot" + } +} +``` + +```` + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --input required | __Type__ String __Description__ Path of the directory on which the transformations are to be applied. | +| --transformation-file required | __Type__ String __Description__ Path of the JSON file that contains the transformations to be applied. The first half of the following JSON transformation file intends to search all files in the input directory whose names are ```filename``` (case-insensitively). In those files, any occurrence of ```ToBeReplaced``` (case-sensitively) is replaced with ```Replacement```. ```{ "filename": { "ToBeReplaced": "Replacement" }, "partialfilename*": { "ToBeReplaced2": "Replacement2" } }``` __Note:__ instead of a specific file name, Identity Manager can search for files whose names contain a specific string, using the character ```*```. | +| | | +| --- | --- | +| --output required | __Type__ String __Description__ Path of the folder where the result will be saved. | +```` 
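Review bot: A stray four-backtick fence opens right after the `transformations.json` block in the Usercube-Configuration-Transform page and only closes after the last table row, so the whole Arguments section renders as a code block. Remove both four-backtick lines, then fix what they were hiding: the table uses `__Type__` and triple-backtick inline spans instead of the `**Type**` and single-backtick style of the sibling pages, and it has the same stray `| | |` and `| --- | --- |` rows before `--output`. The `--transformation-file` description would also read better with its JSON sample moved out of the table cell into a fenced block below the table.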
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/create-databaseviews/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/create-databaseviews/index.md new file mode 100644 index 0000000000..54ce56dce5 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/create-databaseviews/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Create-DatabaseViews + +Generates entity model SQL views in the Identity Manager database. All views are prefixed by `zz_`. +This tool deletes all views starting by `zz_` and creates views from the entity model described in +the running configuration. + +For every **EntityType**, a matching SQL view is created from the UR_Resource table. + +## Example + +The following example allows the user to connect to Identity Manager server at +`http://identitymanager.contoso.com`, using the ClientId `Job` and Secret `secret`, to generate views for +Identity Manager's database. + +``` +./identitymanager-Create-DatabaseViews.exe --api-secret secret --api-client-id Job --api-url "http://identitymanager.contoso.com" --log-level Debug +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --progress-use-database optional | **Type** String **Description** Update progress in the SQL database. | +| --progress-use-database-child-instance optional | **Type** String **Description** Initiate child task instance. | +| --progress-use-api optional | **Type** String **Description** Update progress with the API. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. 
| +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | + +You can explore created views in the Identity Manager database's Views folder in SQL Server +Management Studio + +![SSMS Views](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/create-databaseviews/identitymanager-create-databaseviews_ssms.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/csv-transform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/csv-transform/index.md new file mode 100644 index 0000000000..4a70039411 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/csv-transform/index.md 
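Review bot: The example command in the Usercube-Create-DatabaseViews page passes `--api-secret secret` together with `--api-url "http://identitymanager.contoso.com"`, which documents sending the OpenID client secret over plain HTTP; use an `https://` URL in the sample. Passing the secret as a command-line argument also leaves it in shell history and process listings, so a sentence on how to supply it safely would help if the tool supports another way. Elsewhere in the hunk: the intro refers to the `UR_Resource` table while the Anonymize page uses `UR_Resources`, the Arguments table has stray `| | |` and `| --- | --- |` rows, and the closing sentence about SQL Server Management Studio lacks a period.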
@@ -0,0 +1,68 @@ +# Usercube-CSV-Transform + +## Examples + +### Define a primary key + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with the following headers line: + +`Login,Company,Email,FirstName,LastName` + +To avoid having too much duplicated information on each line in a CSV file, we need to define a +primary key for the file which will allow the pooling of common information. We choose to +concatenate the values of the columns `Login` and `Company ` with a `-` as separator in an `Id` +column, which will be defined as key for our file. + +`--input-file C:/identitymanagerContoso/Sources/hr_example.csv --columns-concat "Login Company - ID"`--columns-key +ID``` + +### Handle multi-valued columns in a generated file + +Consider the file `C:/identitymanagerContoso/Sources/hr_example123.csv` with the following headers line +separated by a `;`: + +`GroupAzure;Members;GroupSharePoint;Members` + +This file is automatically generated by a script and the suffix (`123`here) is incremented on each +generation. Thus, we need to use a regex to avoid changing the command line for each new generated +file. + +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ;` + +The file contains two headers with the same name, each related to one kind of group. Thus, we need +to rename one of these headers. + +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure"` + +In this example, we will consider that the two Members columns contain all members for each group +separated by a `,` for the first Members column, and by a `*` for the second one. We need to +transform these columns in Identity Manager's format for multi-valued attributes. 
+ +`--input-file C:/identitymanagerContoso/Sources/hr_example(.*?).csv --regex --separator ; --headers-edit-name "Members MembersAzure" --columns-multivalued "MembersAzure ," "Members *"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --input-path required | **Type** String **Description** Specifies the CSV file to modify. **Example** Define `C:/identitymanagerContoso/Sources/hr_example.csv` as input file: `--input-file C:/identitymanagerContoso/Sources/hr_example.csv`. | +| --output-path optional | **Type** String **Description** Specifies the output path, which is the exports' output path by default. **Example** Define `C:/identitymanagerContoso/Test` as output folder: `--output-path "C:/identitymanagerContoso/Test"`. | +| --new-name optional, required **if** --regex is true | **Type** String **Description** Specifies the new name for the output file. **Example** Define new name `hr_transformed.csv`: `--new-name hr_transformed.csv`. | +| --input-file-encoding default value: UTF-8 | **Type** String **Description** Encoding of the input file. 
[See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Example** `--input-file-encoding UTF-16`. | +| --headers-edit-index optional | **Type** String List **Description** Specifies the headers to edit by index, which is particularly useful to rename empty headers. Each member of the list is written like `index newHeader`. **Example** Add or replace header at index 1 with `ExampleHeader` : `--headers-edit-index "1 ExampleHeader"`. | +| --headers-edit-name optional | **Type** String List **Description** Specifies the headers to rename (first found) with the new name. Each member of the list is written like `currentHeader newHeader`. **Example** Rename headers `CompanyId` into `Company` and `int32_1` into `int32`: `--headers-edit-name "CompanyId Company" "int32_1 int32"`. | +| --headers-remove-index optional | **Type** Integer **Description** Specifies the headers to remove by index. This command can be used to remove the second occurrence of a duplicate header by specifying its index. **Example** Remove header located at index 5: `--headers-remove-index 5`. | +| --headers-remove-name optional | **Type** String List **Description** Specifies the headers to remove by name (first found). **Example** Remove first occurrences of headers `date1` and `bool1`: `--headers-remove-name date1 bool1`. | +| --new-headers optional | **Type** String List **Description** **ONLY** for files without headers, specifies the new headers **except** the ones created by the concatenation of columns. **Example** Defines `header1` and `header2` as headers of the file: `--new-headers header1 header2`. | +| --columns-concat optional | **Type** String List **Description** Specifies the columns to concatenate and how. Each member of the list is written like `column1Header column2Header`. If you want to specify characters between the column values, you can write `column1Header column2Header charactersBetween`. 
This operation creates a new column where it puts the result of the concatenation. This column header is the concatenation of the headers, but you can change it by writing the member like `column1Header column2Header charactersBetween newColumnHeader`. **Example** Concatenate columns: - `Company` and `Employee` with a `-` between them. `ID` will be the new column header. - `guid1` and `bytes1` with `_` between them. - `int32_2` and `int64_2` with nothing in between. `--columns-concat "Company Employee - ID" "guid1 bytes1 _" "int32_2 int64_2"` . | +| --columns-multivalued optional | **Type** String List **Description** Specifies the columns with multi-valued values not splittable with breaks. Each member of the list is written like `columnHeader separator`. **Example** Handle columns `multivalued1`, using separator `,`, and `multivalued2`, using separator `*`: `--columns-multivalued "multivalued1 ," "multivalued2 *"`. | +| --columns-date optional | **Type** String List **Description** Specifies the columns with date values, and their date format, to format them into Identity Manager's format. Each member of the list is written like `columnHeader dateFormat`. **Example** Format date columns `date1` and `date2`, using the format `yyyyddMMHHmmss`: `--columns-date "date1 yyyyddMMHHmmss" "date2 yyyyddMMHHmmss"`. | +| --columns-bool optional | **Type** String List **Description** Specifies the columns with Boolean values to convert them into Identity Manager's format. **Example** Format Boolean columns `bool1` and `bool2`: `--columns-bool bool1 bool2`. | +| --columns-int32 optional | **Type** String List **Description** Specifies the columns with Int32 values to convert them into Identity Manager's format. **Example** Format Int32 columns `int32_1` and `int32_2 `: `--columns-int32 int32_1 int32_2`. | +| --columns-int64 optional | **Type** String List **Description** Specifies the columns with Int64 values to convert them into Identity Manager's format. 
**Example** Format Int64 columns `int64_1`and `int64_2`: `--columns-int64 int64_1 int64_2`. | +| --columns-guid optional | **Type** String List **Description** Specifies the columns with Guid values to convert them into Identity Manager's format. **Example** Format Guid columns `guid1`and `guid2`: `--columns-guid guid1 guid2`. | +| --columns-bytes optional | **Type** String List **Description** Specifies the columns with Bytes values to convert them into Identity Manager's format. **Example** Format Bytes columns `bytes1` and `bytes2`: `--columns-bytes bytes1 bytes2`. | +| --columns-key optional | **Type** String List **Description** Specifies the columns key to delete duplicates (the first line found is the one we keep). A column created by this tool can be specified as a key column through this argument, like the columns created by the `--columns-concat` for example. **Example** Define columns `RawId` and `ID` as keys: `--columns-key RawId ID`. | +| | | +| --- | --- | +| --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. | +| --separator optional | **Type** String **Description** Defines the separator if different than `,`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/decrypt-file/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/decrypt-file/index.md new file mode 100644 index 0000000000..f36627ef7b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/decrypt-file/index.md 
@@ -0,0 +1,29 @@ +# Usercube-Decrypt-File + +In Identity Manager, files are encrypted by default. This tool decrypts an input file to save it +into an output file or an OutPutConsole that can be used in Powershell scripts or programs. + +## Examples + +### Result loaded in OutPutConsole (PowerShell Script) + +The following example, used in a Powershell script, saves in the variable `decryptFile` the string +obtained by decrypting the files specified by the `ordersFile` variable. The decryption is made +using the agent side certificate defined in the agent's `appsettings.json`. + +``` + +$decryptFile = & ./identitymanager-Decrypt-File.exe --files $ordersFile + +``` + +## Arguments + +| Argument Name | Details | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) required | **Type** String **Description** List of all the files to decrypt. | +| --encoding (-e) default value: UTF-8 | **Type** String **Description** Encoding used for any encryption/decryption. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| --output-path (-o) optional | **Type** String **Description** Output path to save all decrypted files. **Note:** used only when the result is saved in a file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md new file mode 100644 index 0000000000..1dfcb85967 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md 
@@ -0,0 +1,64 @@ +# Usercube-Deploy Configuration + +Retrieves all XML configuration files from a given folder, in order to calculate the configuration +items to insert, update or delete in the application. + +## Examples + +Locally + +The following example deploys an on-premise configuration via a direct connection to the database +through its connection string: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Remotely + +The following example deploys a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Deploy-Configuration.exe -d "C:/identitymanager/Conf" --api-url https://my_usercube_instance.com +``` + +**_RECOMMENDED:_** To be able to deploy a SaaS configuration, you must first provide your Identity +Manager administrator with identity information. See the +[ Deploy the Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md) topic for +additional information. + +## Arguments + +The table below displays the arguments for the Identity Manager configuration deployment. + +| Argument Name | Type | Description | +| ----------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | String | Path to the configuration folder. 
| +| --continuous-deployment (-a) optional | No Value | Enables automatic deployment when saving an XML file. | +| --deployment-slot optional | DeploymentSlot | Type of the targeted server among the slot names provided by Netwrix' SaaS team. For example: Development, Staging, Production. it is required when working in a SaaS production environment. | +| --dump-changes-directory optional | String | Path to a directory that will receive the logs of all modifications made to the database. _Remember,_ it can be used with --simulate-only for an additional security before deploying to production. | +| --enable-saas-checks optional | No Value | Enables the checks necessary to deploy in a SaaS environment. _Remember,_ it is enabled automatically when working in SaaS. This argument can be used when deploying locally in order to anticipate a future SaaS deployment. | +| --force-bindings (-bi) optional | No Value | Forces the recomputation of binding paths in the database. | +| --force-cascade-delete optional | No Value | Enables the deletion or archiving of XML configuration items that require extra care and/or approval, usually for dependency issues. _Remember,_ Netwrix recommends using this option only when prompted by the deployment tool. | +| --force-categories (-c) optional | No Value | Forces the recomputation of the counters for role categories in the database. | +| --force-expressions (-e) optional | No Value | Forces the recomputation of C# expressions in the database. | +| --force-permissions (-p) optional | No Value | Forces the recomputation of access permissions in the database. | +| --force-translations optional | No Value | Forces the recomputation of the translations for the activity template states and the internal display name properties in the database. | +| --http-client-timeout-supplement optional | Int32 | Duration (in minutes) after which the deployment command times out, in addition to the default 30 minutes. 
| +| --no-create-index optional | No Value | Disables the creation of indexes related to the configuration. _Remember,_ Netwrix recommends using this option only when advised by the support team. | +| --reset-database optional | No Value | Deletes the whole database and creates an empty one before deploying. | +| --resource-identity-property optional | String | Overrides the resource identity property used by the **SelectUserByIdentityQueryHandler** settings. | +| --simulate-only optional | No Value | Computes and previews on the screen all the changes to be made, but without editing the database. | +| --api-client-id optional | String | Login of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. | +| --api-secret optional | String | Password of the account authorized by Netwrix for configuration export/deployment in a SaaS environment. **NOTE:** It will be deprecated soon, rather contact the support team. | +| --api-url optional | String | URL of the server to export/deploy the configuration to, for remote changes. _Remember,_ it is required when --database-connection-string is not specified. | +| --database-connection-string optional | String | Connection string of the database. _Remember,_ it is required when --api-url is not specified. | +| --product-translation optional | No Value | Path of the JSON file that contains the application's translations. See the [Import Product Translations into Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md) topic for more details on how to import the product's translations. | +| --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. | 
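Review bot: The `--product-translation` row in the Arguments table gives the type as "No Value", but its description reads "Path of the JSON file that contains the application's translations", so the argument takes a path and the type should be String. Both examples are also introduced with "Code attributes enclosed with `<>` need to be replaced with a custom value", yet neither command contains a `<>` placeholder. The local example hard-codes a full connection string including `encrypt=false`, which readers will copy as is and which turns off encryption for the SQL connection. Either restore the placeholders or drop the sentence, and say that `encrypt=false` is meant for a local test database only. The `--reset-database` row ("Deletes the whole database and creates an empty one before deploying") deserves the same kind of "_Remember,_" caution that `--force-cascade-delete` and `--no-create-index` already carry, with a pointer to `--simulate-only`. Finally, the callout after the remote example is labelled "RECOMMENDED" while the sentence says "you must first provide"; pick one.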
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md new file mode 100644 index 0000000000..70f5550872 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md 
@@ -0,0 +1,60 @@ +# Usercube-EasyVistaTicket-UpdateFulfillmentState + +The use of this executable supposes a previous use of the `Usercube-Fulfill-ToEasyVistaTicket` +executable. + +`Usercube-Fulfill-ToEasyVistaTicket` creates tickets in an EasyVista instance: +`Usercube-EasyVistaTicket-UpdateFulfillmentState` sets the fulfillment state of the corresponding +assigned resource types in Identity Manager for tickets that are closed (`Executed`) or canceled +(`Error`). + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for all resource types that have a target entity type of the connector `EasyVista`, +we set the fulfillment state of the corresponding assigned resource types. 
+ +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +In this example, for the resource types `EasyVista_NominativeUser` and `EasyVista_Administrator`, we +set the fulfillment state of the corresponding assigned resource types. + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an[ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. | +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | 
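Review bot: In the Arguments table, the `--login` row is described as "Path of the file used for complete synchronization", which contradicts every example in this file, where it is passed as `--login "Contoso"` next to `--account` and `--password`. It looks copied from another executable's page and should describe the EasyVista login. All four examples also put `--api-secret "secret"` and `--password "cOntoSo6789"` literally on the command line, while the table lists `--vault`, `--certificate-identifier` and `--vault-connection-string` without saying what they are for. Use placeholders in the examples and state whether the vault options are the intended way to supply these secrets. Smaller points: the last example is missing a space in `--api-secret "secret"--url`, the table rows read `--resource-typesis not given` and `--connectoris not given`, and the `--task-instance-id` description should read "which has launched".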
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/encrypt-file/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/encrypt-file/index.md new file mode 100644 index 0000000000..e88be51f08 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/encrypt-file/index.md 
@@ -0,0 +1,37 @@ +# Usercube-Encrypt-File + +In Identity Manager, files are encrypted by default. This tool encrypts an input file or the +InputConsole of a Powershell program or file to save it as an encrypted output file. This task +cannot be configured in the configuration. + +## Examples + +### Launch the tools with input console (powershell script) + +The following example, used in a Powershell script, decrypts the file(s) specified by the +`csvResult` variable and saves the result in the location specified in `resultsFile`. The encryption +is made using the certificate's thumbprint, store location and store name. + +``` + +$csvResult | & ./identitymanager-Encrypt-File.exe --file-cert-thumbprint $certificateThumbprint --file-cert-store-location $certificateStoreLocation --file-cert-store-name $certificateStoreName --output-path $resultsFile + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --files (-f) optional | **Type** String **Description** List of all the files to encrypt. **Note:** required when the entry is made of files. | +| --output-path (-o) optional | **Type** String **Description** Output path to save the encrypted files or input console. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. | +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. 
| +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-bacpac/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-bacpac/index.md new file mode 100644 index 0000000000..3c5ce8c930 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-bacpac/index.md 
@@ -0,0 +1,36 @@ +# Usercube-Export-Bacpac + +This tool exports the database to a bacpac file, as a backup. + +## Examples + +The following example generates to `C:/identitymanagerDemo` a bacpac file from the Identity +Manager database with the given connection string and based on the bacpac template from the SQL +folder. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Export-Bacpac.exe --database "" -s "" --bacpac-path 0 --template-bacpac-path "" + +``` + +## Arguments + +The list of arguments: + +| Argument Name | Type | Description | +| ------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --database-connection-string (-s) required | String | Connection string of the database. | +| --database required | String | Name of the database. | +| --template-bacpac-path required | String | Path of the empty bacpac file or dacpac file containing the database schema. The database export tool includes a .dacpac file, ``, in the Runtime folder and should be used as the value for this parameter. It can be generated manually by exporting an empty Identity Manager database. | +| --temp-bacpac-path optional | String | Path of the temporary folder storing the database's data. | +| --bacpac-path required | String | Path of the generated bacpac file. | +| --without-history default value: false | Boolean | True to exclude history data. | +| --without-job-instances default value: false | Boolean | True to exclude job and task instances. | +| --without-workflow-instances default value: false | Boolean | True to exclude workflow instances. 
| +| --without-campaign-instances default value: false | Boolean | True to exclude access certification campaign items. | +| --without-temp default value: false | Boolean | True to exclude the data of temporary tables. | +| --without-all default value: false | Boolean | True to exclude history data, job and task instances, workflow instances and access certification campaign items. _Remember,_ this option represents the usual use-case. | +| --log-level optional | LogLevel | Level of log information among: Verbose; Debug; Information; Warning; Error; Fatal. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md new file mode 100644 index 0000000000..f8d5b23a2f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md 
@@ -0,0 +1,187 @@ +# Usercube-Export-Configuration + +Generates in a folder the files of the configuration found in the database. + +While the deployment process is about taking the configuration elements from the XML files to insert +them in the database, the export process is about taking the configuration elements from the +database to generate XML files: + +- A basic export will export the XML configuration that was latest deployed to the database, + including images like logos and favicons; +- A marked export will export the whole configuration as XML files, including the configuration + elements created via the UI; + + As Identity Manager can be configured by writing manually in XML files and/or using the UI, the + marked export helps combining both. + + Netwrix Identity Manager (formerly Usercube) recommends configuring Identity Manager via the UI + as much as possible, and completing the configuration via XML files when needed. + +- a basic export will export the translation JSON files; +- a scaffolding export will export the XML configuration generated by scaffoldings. + +![Schema - Export Process](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/export-configuration/identitymanager-export-configuration.webp) + +For all export types, Netwrix Identity Manager (formerly Usercube) recommends using as output +directory a folder other than the one containing the old XML configuration. This way, the exported +configuration does not overwrite the old one, and: + +- the changes can be clearly viewed in a file comparison tool; +- the interesting changes can be selected individually and inserted in the old configuration, to + update the configuration while keeping any manual changes such as comments. + +### Focus on the marked export + +By default, the configuration elements created via the UI are stored in the database just like the +rest of the configuration, but they are not included in deployment and export processes. 
+ +While UI elements are not marked, they are not included in the XML/database comparison performed +during the configuration deployment process. It means that deploying any configuration will not +affect UI elements. + +On the other hand, once UI elements are marked, they will be included in the XML/database comparison +performed during the next configuration deployment process. Then, if these UI elements are not in +the deployed XML files, they will be removed from the database. + +Be careful about what configuration to deploy and export. + +When configuring through both the UI and XML files, make sure to: + +- Export all UI modifications before making changes in XML files and deploying the configuration + again; +- Deploy all XML modifications before making changes in the UI and exporting the configuration + again. + +## Examples + +### Locally vs. remotely + +The following example exports an on-premise configuration via a direct connection to the database +through its connection string: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example exports a SaaS configuration via an HTTP POST request to the server of the +remote configuration: + +``` + +./identitymanager-Export-Configuration.exe -d "C:/identitymanager/ExportedConf" --api-url https://my_usercube_instance.com + +``` + +To be able to export a SaaS configuration, you must first provide your Identity +Manager administrator with identity information. See the +[ Export the Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) topic for +additional information. 
+ +### Basic export for a change of environment + +The following example exports all configuration elements of the database as a set of XML files, to +the `C:/identitymanager/ExportedConf` folder, for example to move from the pre-production environment to +the production environment. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database. + +The default behavior of this tool exports all XML files, from the configuration elements stored in +the database and the XML/database relationships, as well as logos and favicons. Translations are not +exported. + +Most modifications made in the UI will be ignored too. + +### Export UI configuration elements outside the role model + +The following example exports all configuration elements as a set of XML files, including the +configuration modifications made through the UI, except any elements linked to the role model. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including UI elements (not +role-model-related) that are now marked for export. + +### Export all UI configuration elements + +The following example exports all configuration elements as a set of XML files, including all +configuration modifications made through the UI, especially role-model-related elements. 
+ +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --mark-for-export --mark-rolemodel-for-export + +``` + +All XML files from `C:/identitymanager/ExportedConf` are removed and replaced with the new set of XML +files, generated based on the configuration elements from the database, including all UI elements +that are now marked for export. + +### Export translation files + +The following example exports to `C:/identitymanager/ExportedConf` the JSON translation files stored in the +database, one per language, replacing the ancient versions potentially pre-existing in the output +directory. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" --export-translation + +``` + +### Export scaffoldings for debug + +The following example exports XML files containing the configuration generated by all scaffoldings. +It exports one folder per scaffolding type, and in each folder one XML file per scaffolding, +containing the configuration generated by the scaffolding. + +``` + +./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ConfScaffoldings" --export-scaffolding + +``` + +All XML files from `C:/identitymanager/ConfScaffoldings` are removed and replaced with the new set of XML +files, generated based on the scaffoldings from the configuration. + +The scaffolding export's output is meant only for viewing in debug situations and must not be +inserted in the configuration. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --configuration-directory (-d) required | **Type** String **Description** Path of a directory that will receive the exported configuration. | +| --default-file optional | **Type** String **Description** Path of the file where configuration items are stored by default, when they are not related to a predefined storing file. **Note:** when not specified, these items are not exported. | +| --export-scaffolding optional | **Type** No Value **Description** Exports all scaffoldings and the scaffolded items, i.e. all items generated by scaffoldings. | +| --export-translation optional | **Type** No Value **Description** Exports the JSON files containing all translations, by language. | +| --format-configuration optional | **Type** No Value **Description** Formats the configuration from the folder specified in `--configuration-directory`, in order to correspond to the export result. | +| --mark-for-export optional | **Type** No Value **Description** Exports all configuration elements that were created via the UI, except for those linked to the role model, i.e. the elements exported by the `--mark-rolemodel-for-export` option. 
| +| --mark-rolemodel-for-export optional | **Type** No Value **Description** Exports all the configuration elements linked to the role model: `SingleRole`; `CompositeRole`; `SingleRoleRule`; `CompositeRoleRule`; and the following rules when they are linked to a role: `PendingApprovalRule`; `ResourceNavigationRule`; `ResourceScalarRule`; `ResourceTypeRule`; `ResourceBinaryRule`. **Warning:** this argument cannot be used without the `--mark-for-export` option. | +| --marked-paths optional | **Type** String List **Description** Identifiers of the elements configured through the UI that need to be exported and thus marked for export. **Note:** used to export specific elements, while the `--mark-*-for-export` options are meant to export whole packages of elements. | +| | | +| --- | --- | +| --api-client-id optional | **Type** String **Description** Login of the account authorized by Netwrix Identity Manager (formerly Usercube) for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-secret optional | **Type** String **Description** Password of the account authorized by NETWRIX for configuration export/deployment in a SaaS environment. **Note:** soon deprecated, rather contact the support team. | +| --api-url optional | **Type** String **Description** URL of the server to export/deploy the configuration to, for remote changes. **Note:** required when `--database-connection-string` is not specified. | +| | | +| --- | --- | +| --database-connection-string optional | **Type** String **Description** Connection string of the database. **Note:** required when `--api-url` is not specified. | +| --product-translation optional | **Type** No Value **Description** Path of the JSON file that contains the application's translations. 
See the [Import Product Translations into Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md) topic for additional information. | +| --scope optional | **Type** String **Description** Path of a folder or file to export/deploy, instead of exporting/deploying the whole configuration. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-csv/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-csv/index.md new file mode 100644 index 0000000000..4f22f8ebec --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-csv/index.md 
@@ -0,0 +1,65 @@ +# Usercube-Export-Csv + +## Examples + +### Exporting a file respecting the default parameters + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `,` as separator and `UTF8` +encoding, it can be exported with the command: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput` + +The output file will be located in `C:/identitymanagerContoso/Temp/ExportOutput/HREXAMPLE.csv` and the +content will be a copy of `hr_example.csv`'s one and an `UTF8` encoding. + +### Define a separator + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.csv` with `;` as separator. + +As `,` is considered to be the default separator, we must set it: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --separator ;` + +The result's content will be the same but with `,` as separator. + +### Use a regex file name + +Consider that you deal with a generated file that follows the regex: +`C:/identitymanagerContoso/Sources/hr_example(.*?).csv`, for example +`C:/identitymanagerContoso/Sources/hr_example5fH8g1.csv`. If several files match with the regex, the +executable uses the last one that was generated. + +You can put your regex and precise that it is one with the `--regex` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).csv --ignore-cookies --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --regex` + +## Use the Path Duality and the Not-Launch-Export System + +In a larger context, the export might be used for complete or incremental synchronization. That is +why it has two paths: `--raw-files-path` for complete synchronizations, `--path-incremental` for +incremental ones. 
+ +In the export's scope, it only means one thing, what path must be used depends on +`--ignore-cookies`: its presence meaning that we are in a complete synchronization context and we +use `--raw-files-path`; its absence that we are in an incremental one and we use +`--path-incremental`. + +It means that if the user gives `--ignore-cookies` and not `--raw-files-path`, or if they give +neither `--ignore-cookies` nor `--path-incremental`, the export will not be launched to prevent any +problem (complete data for an incremental synchronization for example). The `--force-complete` +argument bypasses this security: in the product, it is used for the initialization job, where we +want to perform a complete synchronization, even for CSV connections with only an incremental path. + +## Arguments + +| Argument Name | Details | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. | +| --output-path required | **Type** String **Description** Output path for the files generated by the export. | +| | | +| --- | --- | +| --ignore-cookies optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. | +| | | +| --- | --- | +| --regex optional | **Type** No Value **Description** The file name is a regex so we find the last generated corresponding file. | +| --separator optional | **Type** String **Description** Defines the separator if different than `,`. | 
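Review bot: The Arguments table of export-csv/index.md leaves out three arguments that the page itself relies on: `--raw-files-path` (used in every example), `--path-incremental` and `--force-complete`. Because `--force-complete` is described as bypassing the not-launch safeguard, it should get its own row stating its type and when it is meant to be used. `--connection-identifier` is marked optional although the output file is named after it (`HREXAMPLE.csv`), so the row should say what the file is called when it is omitted. In the "Define a separator" example, `--separator ;` is unquoted. A shell treats a bare `;` as a statement separator, so the example should read `--separator ";"`. The same quoting applies to the `hr_example(.*?).csv` path in the regex example.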
diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/export-easyvista/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-easyvista/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/export-easyvista/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-easyvista/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-excel/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-excel/index.md new file mode 100644 index 0000000000..1cf85dc055 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-excel/index.md 
@@ -0,0 +1,84 @@ +# Usercube-Export-Excel + +## Examples + +### Exporting a file respecting the default parameters + +Consider the file `C:/identitymanagerContoso/Sources/hr_example.xlsx` with `UTF8` encoding, it can be +exported using these command's arguments: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput` + +The output file(s) will be located in `C:/identitymanagerContoso/Temp/ExportOutput/`. Their number +corresponds to the number of sheets in the XLSX file and they would be labeled: `HREXAMPLE_0.csv`, +`HREXAMPLE_1.csv`, ... `HREXAMPLE_n-1.csv` where n corresponds to the amount of spread sheets of the +XLSX file. The encoding is `UTF8` and the separator is `,`. + +### Skipping some file's lines + +The possibility to skip lines is made available using the `--lines-to-skip` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --lines-to-skip 10` + +As a consequence, the exported file would include the content of the XLSX file without the ten first +lines. + +### Regex in file name + +Considering a generated file following the regex: `C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx`, +for instance `C:/identitymanagerContoso/Sources/hr_example5fH8g1.xlsx`, if several files match with the +regex, the executable would use the most recent one. 
+ +The regex can be included in the filename and would need to be precised using the `--is-regex` +argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example(.*?).xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --is-regex` + +### Choosing value to trim + +It's possible to precise characters to trim using the `--values-to-trim` argument: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --values-to-trim e` + +The CSV output file will see every words beginning and ending by "e" (lower-case, this process is +case sensitive) removed of this letter. + +### Ignoring particular sheets + +The `--sheets-ignored` argument allows the user to specify for each sheet if it should be ignored +during the export. More precisely, a list of true or false arguments should be specified +respectively to the sheets. Let's say the `C:/identitymanagerContoso/Sources/hr_example.xlsx` file +possesses three sheets, in order to export the first and the last ones the arguments would be: + +`--raw-files-path C:/identitymanagerContoso/Sources/hr_example.xlsx --not-incremental --connection-identifier HREXAMPLE --output-path C:/identitymanagerContoso/Temp/ExportOutput --sheets-ignored false true true false` + +Thus, two CSV files would be created corresponding to the the chosen ones: `HREXAMPLE_0.csv` and +`HREXAMPLE_3.csv`. + +## Path Duality and the Not-Launch-Export System + +The export executable might be used for a complete or an incremental synchronization. Thus, it +possesses two paths that could be precised - depending on the case - with the `--raw-files-path` for +complete synchronizations argument or the `--path-incremental` for incremental ones. 
+ +At the end of the day, the `--not-incremental` argument defines the export behavior: if present it +means a complete synchronization should be performed and the `--raw-files-path` argument must be +precised; if missing an incremental synchronization would be performed using `--path-incremental`. + +It means that if the user provide the `--not-incremental` argument and no `--raw-files-path`, or if +the user doesn't provide `--not-incremental` nor `--path-incremental`, the export will not be +launched to prevent any issue (complete data for an incremental synchronization for instance). The +`--force-complete` argument bypasses this safeguard: during the initialization job for example, +where we want to perform a complete synchronization, even for Excel connections with only an +incremental path. + +## Arguments + +| Argument Name | Details | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| --not-incremental optional | **Type** No Value **Description** Specifies the synchronization mode, its presence meaning complete, its absence incremental. | +| --is-regex optional | **Type** No Value **Description** The file's name is a regex so we find the last generated corresponding file. | +| | | +| --- | --- | +| --connection-identifier optional | **Type** String **Description** Connector's connection identifier. The output file will have this identifier as name. | +| --output-path required | **Type** String **Description** Output path for the files generated by the export. | 
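Review bot: The "Ignoring particular sheets" example in export-excel/index.md contradicts itself. The text says the workbook has three sheets, the command passes four values (`--sheets-ignored false true true false`), and the stated output `HREXAMPLE_3.csv` implies a fourth sheet under the `HREXAMPLE_0.csv` ... `HREXAMPLE_n-1.csv` naming given earlier on the page. Either describe a four-sheet file or change the command to `false true false` and the output to `HREXAMPLE_2.csv`. The Arguments table also omits `--raw-files-path`, `--path-incremental`, `--force-complete`, `--lines-to-skip`, `--values-to-trim` and `--sheets-ignored`, all of which are used in the examples or the safeguard section above it. Two wording points: "the the chosen ones" is a doubled word, and "precised" should be "specified" throughout.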
diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/export-scim/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-scim/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/export-scim/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-scim/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/fillbankingdatabase/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/fillbankingdatabase/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md new file mode 100644 index 0000000000..35018faa59 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Fulfill-EasyVista + +This executable creates, updates and archives employees in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. 
| +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-scim/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-scim/index.md new file mode 100644 index 0000000000..518842c976 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-scim/index.md 
@@ -0,0 +1,43 @@ +# Usercube-Fulfill-Scim + +This executable creates, updates and deleles entries in an application using the SCIM API. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "SCIM" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "SCIM_NominativeUser" "SCIM_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://scim.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --server required | **Type** String **Description** URL of the SCIM endpoints of your application, not including the v2. | +| --login optional | **Type** String **Description** Specifies the login of the account you may need. | +| --password optional | **Type** String **Description** Specifies the password of the account you may need. | +| --application-id optional | **Type** String **Description** Specifies the application connection login or the login of your application's id provider. | +| --application-key optional | **Type** String **Description** Specifies the application connection password or the password of your application's id provider. | +| --oauth-url optional | **Type** String **Description** The server's url when using OAuth2 authentication. | +| --oauth-token optional | **Type** String **Description** Specifies the OAuth token to connect to the application. | +| --scim-syntax optional | **Type** Enum **Description** Specifies the syntax used for requests body. Has to be one of those values: Salesforce (default value) or CyberArk | 
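Review bot: The examples and the Arguments table in fulfill-scim/index.md do not describe the same command line. All four examples pass `--url "https://scim.contoso.com"` and `--account "12345"`, and each uses `--connector` or `--resource-types`, but none of these four arguments has a row in the table, which instead lists `--server` as the required SCIM endpoint. Align the examples with the table (or add the missing rows) so a reader can tell which arguments the executable actually accepts. The last example is also missing a space in `--api-secret "secret"--url`, and the first sentence has the typo "deleles". Since every example carries `--api-secret` and `--password` values inline, consider marking them as placeholders, because arguments typed this way end up in shell history and process listings.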
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md new file mode 100644 index 0000000000..b880022a8e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Fulfill-ToEasyVistaTicket + +This executable creates tickets in an EasyVista instance. + +## Examples + +### Connector specified + +When specifying `--connector`, there is no need to specify `--resource-types`: + +`--connector "3" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifier can be also given instead of the id: + +`--connector "EasyVista" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +### Resource types specified + +When specifying `--resource-types`, there is no need to specify `--connector`: + +`--resource-types "40" "41" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret" --url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +But the identifiers can be also given instead of the id: + +`--resource-types "EasyVista_NominativeUser" "EasyVista_Administrator" --api-url "http://localhost:5000/" --api-client-id "Job" --api-secret "secret"--url "https://easyvista.contoso.com" --account "12345" --login "Contoso" --password "cOntoSo6789"` + +## Arguments + +| Argument Name | Details | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --url required | **Type** String **Description** EasyVista API Endpoint URL. | +| --account required | **Type** String **Description** EasyVista account. | +| --login required | **Type** String **Description** Path of the file used for complete synchronization. | +| --password required | **Type** String **Description** EasyVista server password. | +| | | +| --- | --- | +| --connector required if --resource-typesis not given | **Type** String **Description** Id or Identifier of the resource types' connector we want to update the fulfillment state. | +| --resource-types required if --connectoris not given | **Type** String List **Description** Id or Identifier of the resource types we want to update the fulfillment state. | +| --certificate-identifier optional | **Type** String **Description** Unique key used to retrieve the certificate in Azure Key Vault. | +| --vault optional | **Type** String **Description** Vault uri. | +| --vault-connection-string optional | **Type** String **Description** Connection string to connect to Azure Key Vault. 
| +| --batch-size default value: 1000 | **Type** Int32 **Description** Number of provisioning orders to wait between each progress report. | +| --task-instance-id optional | **Type** String **Description** Id of the task instance which have launch the exe in a job context (for log purposes). | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/generate-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/generate-configuration/index.md new file mode 100644 index 0000000000..6279d1f866 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/generate-configuration/index.md 
@@ -0,0 +1,84 @@ +# Usercube-Generate-Configuration + +Generates from a CSV file the configuration of a connector with these entities. + +## Overview + +Two subcommands are possible for generation. + +- simpleconnector +- complexconnector + +The simple connector allows you to generate the configuration for a CSV file and create the +connector. The complex connector allows you to generate the configuration for a list of CSV files +and create the connector. + +### 1. Simple connector + +From a CSV file, generates the configuration of the entity representing the CSV file. + +**The subcommand\_\_\_**simpleconnector**\_**must precede the arguments.\_\_ + +### 2. Complex connector + +From a list of CSV files, generates the configuration of the entities representing each file. The +complex connector requires as an argument an xml file containing all the CSV files to be processed +as well as the primary keys of these files. + +Example of xml file + +``` + + + +``` + +- Path: CSV file path. +- File: Name of the files to be processed. +- PrimaryKey: Fills in the primary key of the CSV file. +- Header: Column name in the CSV file. +- EntityTypeName: Indicates the name of the entity to be created. +- Name: name of the connector to be created. 
+ +**The subcommand\_\_\_**complexconnector**\_**must precede the arguments.\_\_ + +## Examples + +### Simple connector + +``` + +./identitymanager-Generate-Configuration.exe simpleconnector -g "C:/GeneratedFile/file" -f "C:/SourceFile/confFile.csv" + +``` + +### Complex connector + +``` + +./identitymanager-Generate-Configuration.exe complexconnector -g "C:/GeneratedFile/file" "C:/SourceFile/confFile.xml" + +``` + +## Arguments + +| Argument Name | Details | +| ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --generated-file (-g) required | **Type** String **Description** Path to the generated file. | +| --csv-path (-h) optional | **Type** String **Description** Path to the CSV file. **Note:** used only for a simple connector. | +| --encoding (-e) optional | **Type** String **Description** Encoding of the CSV file. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). **Note:** used only for a simple connector. | +| --csv-separator (-t) optional | **Type** String **Description** Column separator of the CSV file. **Note:** used only for a simple connector. | +| --generated-connector (-r) optional | **Type** String **Description** Name of the generated connector. **Note:** used only for a simple connector. | +| --keep-all-columns (-k) optional | **Type** No Value **Description** Keeps all the columns. | +| --connector-description optional | **Type** String **Description** XML file that describes the CSV files and their primary key columns. | +| | | +| --- | --- | +| --file-cert-thumbprint optional | **Type** String **Description** Thumbprint of the certificate when the certificate is in the store. 
| +| --file-cert-dn optional | **Type** String **Description** Subject Distinguished Name of the certificate when the certificate is in the store. | +| --file-cert-store-location optional | **Type** String **Description** Store location of the certificate when the certificate is in the store. | +| --file-cert-store-name optional | **Type** String **Description** Store name of the certificate when the certificate is in the store. | +| --file-cert-file optional | **Type** String **Description** File path of the certificate when the certificate is in a PFX file. | +| --file-cert-password optional | **Type** String **Description** Password of the certificate when the certificate is in a PFX file. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/get-jobsteps/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/get-jobsteps/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/index.md new file mode 100644 index 0000000000..31b3b1c8db --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/index.md 
@@ -0,0 +1,170 @@ +# References: Executables + +- [Usercube-Agent ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/agent/index.md) + + Runs the Agent. + +- [Usercube-Anonymize ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/anonymize/index.md) + + Transforms strings to anonymize given data. + +- [ Usercube-Compute-CorrelationKeys ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/compute-correlationkeys/index.md) + + Computes the values of all correlation keys. + +- [ Usercube-Configuration-Transform ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/configuration-transform/index.md) + + Applies a series of transformation. + +- [ Usercube-Create-DatabaseViews ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/create-databaseviews/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Usercube-CSV-Transform ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/csv-transform/index.md) + + Modifies a CSV file by performing operations on its headers and/or columns. + +- [ Usercube-Decrypt-File ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/decrypt-file/index.md) + + Decrypts an input file to save it into an output file or an OutPutConsole that can be used in + Powershell scripts or programs. + +- [ Usercube-Deploy Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + + Retrieves all XML configuration files from a given folder, in order to calculate the + configuration items to insert, update or delete in the application. 
+ +- [ Usercube-EasyVistaTicket-UpdateFulfillmentState ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/easyvistaticket-updatefulfillmentstate/index.md) + + Updates the assigned resource types according to EasyVista tickets state. + +- [ Usercube-Encrypt-File ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/encrypt-file/index.md) + + Encrypts an input file or the InputConsole of a Powershell program or file to save it as an + encrypted output file. + +- [Usercube-Export-Bacpac](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-bacpac/index.md) + + Exports the database to a bacpac file. + +- [ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) + + Generates in a folder the files of the configuration found in the database. + +- [Usercube-Export-Csv ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-csv/index.md) + + Exports CSV files. + +- [ Usercube-Export-EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-easyvista/index.md) + + Exports CSV files. + +- [Usercube-Export-Excel ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-excel/index.md) + + Exports Excel files. + +- [Usercube-Export-Scim ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-scim/index.md) + + Exports SCIM entries to a CSV file. + +- [Usercube-FillBankingDatabase ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fillbankingdatabase/index.md) + + Fills the `BankingSystem` database for the Banking demo application. 
+ +- [ Usercube-Fulfill-EasyVista ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-easyvista/index.md) + + Creates, updates and archives employees in an EasyVista instance. + +- [Usercube-Fulfill-Scim ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-scim/index.md) + + Creates, updates and deleles entries in an application using the SCIM API. + +- [Usercube-Fulfill-ToEasyVistaTicket ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/fulfill-toeasyvistaticket/index.md) + + Creates ticket in an EasyVista instance. + +- [Usercube-Generate-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/generate-configuration/index.md) + + Generates from a CSV file the configuration of a connector with these entities. + +- [ Usercube-Get-JobSteps ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) + + Returns the list of all tasks present in a given job. + +- [ Usercube-Invoke-Job ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md) + + Launches a job on the agent side. + +- [ Usercube-Invoke-ServerJob ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md) + + Launches jobs on the server side. + +- [ Usercube-Login ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md) + + Provides an authentication token needed for SaaS configuration deployment/export. + +- [ Usercube-Manage-Configuration Dependent Indexes ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md) + + Creates the necessary indexes based on the latest deployed configuration to optimize + performances. 
+ +- [Usercube-Manage-History](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-history/index.md) + + Manages the data history stored in the database. It can purge old data or consolidate the + history. + +- [ Usercube-New-OpenIDSecret ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) + + Allows to generate the hashed password of the secret to connect to the given client for agent + side job Identity Manager. + +- [ Usercube-PasswordGenerator ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/passwordgenerator/index.md) + + Generates a password. + +- [ Usercube-Prepare-Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md) + + Cleanses exported CSV files. + +- [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) + + Encrypts a .pfx archive password using a Identity Manager provided RSA key. + +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + + Encrypts sensitive data from a given JSON file. + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + + Encrypts the values of sensitive data. + +- [ Usercube-RefreshSchema ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/refreshschema/index.md) + + Refreshes the schema of a given connection. Takes as input a connection, and refreshes its + schema. The result of the update is stored into the database. 
+ +- [Usercube-Send-PasswordNotification ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md) + + Sends a mail notification for a password initialization or change. + +- [Usercube-Server ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md) + + Runs the Server. + +- [Usercube-Update-EntityPropertyExpressions ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md) + + Recomputes the values of all properties defined via expressions. + +- [Usercube-Upgrade-ConfigurationVersion ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md) + + Upgrades your configuration from your current version entered in settings to the latest version. + +- [Usercube-Upgrade-DatabaseVersion ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md) + + Runs all the migration scripts to upgrade the database. + +- [Usercube-Agent ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/agent/index.md) + + Runs the Agent. + +- [Usercube-Check-ExpressionsConsistency](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md new file mode 100644 index 0000000000..b84a29d594 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-job/index.md 
@@ -0,0 +1,93 @@ +# Usercube-Invoke-Job + +This tool launches a job on the agent side. + +## Behavior Details + +The Usercube-Invoke-Job.exe tool is a state machine. + +![Schematization](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/invoke-job/job_operation.webp) + +When a job is launched, the state machine starts by computing all the tasks that must be launched in +the job. + +Each task is assigned a launch order which can be configured in +[ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) steps. All the job's tasks are grouped +together according to their launch order, and they are launched by group. Such task grouping allows +the job to be faster executed. + +The launch orders of all the tasks of a job can be listed by using the +[ Usercube-Get-JobSteps ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) executable. + +Before any task is launched, the state machine checks the task's parent tasks in order to verify +whether the task must be launched or not. + +If the task must be launched, then the state machine checks whether the task should be started +server- or agent-side. + +Then the task is launched, and then: + +- if the task completes successfully, then the next task is loaded and started, or if this was the + last task then the job ends successfully; +- if the task exits in error, then the whole job exits in error and stops; +- if the job is requested to stop from the UI, then the job's state switches to `cancelled` and is + transmitted to the current task in order to not launch the next task; + + A canceled job is not stopped straight away, as the current task first needs to be finished. + +- if the task exits in error while the warning mode is active, then the next job is loaded. + + Only export tasks can have this warning mode. 
+ +- if the task exits blocked, then the whole job stops and can be restarted manually at its + breakpoint; + + Only synchronization and provisioning tasks can exit blocked. + +In the case where the job is blocked and restarted: + +- if the blocked task is a + [ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), + then the state machine runs a synchronization validation on the related connector, and uses the id + of the blocked task instance to synchronize the related tables; +- if the blocked task is a + [Generate Provisioning Orders Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md), + then the state machine forces the same provisioning on the related connector. + + Both the synchronization validation and the forced provisioning are virtual jobs that do not + exist in the database. However, they will be visible in the UI which keeps track of any launched + task. + +In both cases, the state machine resumes the job with the tasks that were not started due to the +blockage. + +Any task launched by the state machine is linked to a job instance in order to keep track of the +launch group. 
+ +## Example + +``` + +./identitymanager-Invoke-Job.exe -j "AccessCertificationEnd" --api-secret secret --api-client-id Job --api-url "http://localhost:5000" + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect /Secret pair/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md new file mode 100644 index 0000000000..0435cdd250 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/invoke-serverjob/index.md 
@@ -0,0 +1,32 @@ +# Usercube-Invoke-ServerJob + +## Invoke a Job (Server Side) + +To launch the job in the Server side only you need to run the executable +Usercube-Invoke-ServerJob.exe. + +To know the task launch orders in job use the following exe: Usercube-Get-Job Steps .exe. See the +[ Usercube-Get-JobSteps ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) topic for additional information. + +## Examples + +``` + +.\Usercube-Invoke-ServerJob.exe -g "CleanDatabase" -s secret + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| | | +| --- | --- | +| --job-identifier (-j) required | **Type** String **Description** Job's identifier to be launched. | +| --repair-job (-r) optional | **Type** No Value **Description** Bool to Decide launch Synchronization Validation or Provisioning with force. | +| --begin-job-step (-b) optional | **Type** String **Description** The step from which the job starts. | +| --end-job-step (-e) optional | **Type** String **Description** The step at which the job stops. | +| --task-identifier (-t) optional | **Type** String **Description** Specify the identification of the task to be started in the job (only this task will be started). | +| --force-synchronization-provisioning (-f) optional | **Type** Int64 **Description** Forces execution when the threshold is reached or exceeded. | +| --task-type (-c) optional | **Type** String **Description** The first task found with this type is launched. | +| --task-string-contains (-s) optional | **Type** String **Description** Launches all tasks with an identifier containing the given value. | 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md new file mode 100644 index 0000000000..b49aa43343 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md 
@@ -0,0 +1,48 @@ +# Usercube-Login + +Delegates the authentication process to a third-party Identity Provider which will provide an +authentication token required to allow the remote deployment/export of Identity +Manager configuration. + +The provided authentication token is meant to be sent to the Identity Manager administrator. + +## Examples + +The following example launches the authentication to Identity Manager's in-house Identity Provider +(IDP). It will open your default browser to `http://localhost:5005` where you will be redirected to +Identity Manager's IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe + +``` + +The following example launches the authentication to a specific Identity Provider whose +authentication URL and Client Id are respectively `https://my_oidc_authentication_server.com` and +`34b3c-fb45da-3ed32`. It will open your default browser to `http://localhost:5005` where you will be +redirected to the IDP that will provide you with the authentication token. + +``` + +./identitymanager-Login.exe --authority https://my_oidc_authentication_server.com --client-id 34b3c-fb45da-3ed32 + +``` + +The following example launches the authentication to Identity Manager's Identity Provider, but using +a specific port `5050`. It will open your default browser to `http://localhost:5050` where you will +be redirected to Identity Manager's IDP. that will provide you with the authentication token. 
+ +``` + +./identitymanager-Login.exe --port 5050 + +``` + +## Arguments + +| Argument Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --authority optional | **Type** String **Description** Base URL of the Identity Provider used for authentication. When not specified, Identity Manager provides an in-house Identity Provider. | +| --client-id optional | **Type** String **Description** Client Id of the application authorized to delegate the authentication to the specified Identity Provider. When not specified, Identity Manager provides the Client Id for the in-house Identity Provider. **Note:** ask for this id to your internal administrator. | +| --port default value: 5005 | **Type** Int64 **Description** Port used to run the local web page. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md new file mode 100644 index 0000000000..2746556613 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Manage-Configuration Dependent Indexes + +This tool creates the necessary SQL indexes based on the latest deployed configuration to optimize +certain queries performances. + +## Available optimizations: + +- Creates SQL indexes and statistics to optimize searches on specific entity types +- Creates SQL indexes to optimize joins between records and main entity types +- Creates SQL indexed views used to compute dashboard counters + +## Examples + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -e "Directory_User" -r "Directory_UserRecord" "Directory_Guest" -dc -s "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +./identitymanager-Manage-ConfigurationDependantIndexes.exe -auto -dc -s "data +source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" -a + +``` + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --entityTypes (-e) optional | __Type__ String List __Description__ Sets the list of entity types for which optimization indexes will be created/updated. | +| --recordEntityTypes (-r) optional | __Type__ String List __Description__ Sets the list of record entity types for which optimization indexes will be created/updated. | +| --userProperties (-p) optional | __Type__ String List __Description__ Sets the list of User' properties that link the records and the users. (the order of the given userProperties' must match the order of the given recordEntityTypes'). | +| --dashboardCounter (-dc) optional | __Type__ No Value __Description__ Adjusts the indexed views for the dashboard counters appropriately. | +| --auto optional | __Type__ No Value __Description__ The entity types, record entity types and user properties are deduced automatically from the provisioning rules configured in the database. | +| --apply-to-database (-a) optional | __Type__ No Value __Description__ Directly applies the resulting SQL script to the database. 
| +| | | +| --- | --- | +| --database-connection-string required | __Type__ String __Description__ Connection string of the database. | +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-history/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-history/index.md new file mode 100644 index 0000000000..634f810cbd --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-history/index.md 
@@ -0,0 +1,132 @@ +# Usercube-Manage-History + +This tool optimizes the data history stored in the database, reducing its size and enhancing +database performance. + +The inner workings of this executable are based on the `ValidFrom` and `ValidTo` attributes that +specify the validity period of a given assignment. These attributes are inside the following tables +which are the tables actually purged: `ur_resources`; `ur_resourcelinks`; +`up_assignedcompositeroles`; `up_assignedsingleroles`; `up_assignedresourcenavigations`; +`up_assignedresourcetypes`. + +## Examples + +Purge before a period + +To clean the database periodically, it can be purged of all the history older than a given period of +time. + +The following example deletes all the history from the database that is more than 12-month old: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-months 12 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Purge before a date + +The database can be purged of all history older than a given date. + +The following example deletes all the history from the database older than May 26th 1993: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +./identitymanager-Manage-History.exe --purge-before-date 19930526 --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +``` + +Optimize + +The database's history can be optimized by removing intermediate versions based on their age, for +example keeping only one version the last week, one per month the last 6 months and then one per +year for 3 years. + +The following example reduces the history from the database, keeping at most one history version per +interval. 
Here we keep one version per day (1440 minutes) in the last 7 days, then one version per +month (43920 minutes) in the last 6 months before the previously defined period, then one version +per year (525960 minutes) in the last 2 years before the previously defined periods. + +![Schema - Optimize](/img/product_docs/identitymanager/identitymanager/integration-guide/executables/references/manage-history/tools_managehistory_schema.webp) + +For each period, if there is more than one version (i.e. `ValidFrom` is inside the interval), the +versions are merged in the following way: + +- The latest version is kept +- The oldest date is kept (that is, in the database, the `ValidFor` is equal to the one of the + oldest version in the considered period). + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --optimize "1440:7 43920:6 525960:2" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +If you want to configure a time period when there is no purge and all history is kept as is, then +you can specify a short duration that allows a single change, for example only one minute. The +following example copies the previous one, in addition we want to keep all changes of the last 6 +hours (360 minutes): `--optimize 1:360 1440:7 43920:6 525960:2`. + +Clean duplicates + +As given data can have several versions in the database, redundant rows can be deleted and replaced +with one row that covers the consolidated time range. + +The following example remove all duplicates in the database. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --clean-duplicates --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +The following example remove all duplicates induced by the `pwdLastSet` property. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +./identitymanager-Manage-History.exe --clean-duplicates --excluded-resource-columns "pwdLastSet" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +Solicit memory rather than the database + +To reduce the database load, the tool's optimizations can be made via the local device's memory. + +The following example deletes all the history from the database that is more than 12-month old, the +optimizations being computed in memory instead of in the database: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +./identitymanager-Manage-History.exe --purge-before-months 12 --in-memory --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" + +``` + +## Arguments + +| Argument Name | Type | Description | +| ------------------------------------------------------------ | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| --clean-duplicates optional | No Value | Removes duplicate historical data. | +| --entity-type required if --excluded-resource-columns is set | String | When using `--clean-duplicates` option, defines the entity type (Id or Identifier) that should have its duplicates removed from the `UR_Resources` table. | +| --excluded-resource-columns required if --entity-type is set | String list | When using `--clean-duplicates` option, defines the list of column names (the name of the columns in the `UR_Resources` table, or the Identifier of the corresponding um_entityproperty) to exclude when comparing rows of `UR_Resources` table. | +| --in-memory default value: False | No value | Performs optimizations in memory instead of the database. It implies heavy memory consumption but light SQL load. 
| +| --optimize optional | String list | Reduces the history and optimizes the versions that are kept based on the precision given through ranges in the argument. A range is specified by a duration in minutes followed by the number of occurrences. For example 60:10 defines a range of 60 minutes repeated 10 times, or 10 snapshots repeated at 60 minute intervals. For each interval, at most one version is kept in the history. The intervals are evaluated in the given order from now, backwards. In the previous example, it means the more recent versions are kept with a high precision (one per day initially), then with lesser and lesser precision (one per month and then one per year). If the data has not changed over an interval, no optimization can be done. | +| --purge-before-date optional | String | Deletes all the history older than the given date in the yyyyMMdd format. | +| --purge-before-months optional | String | Deletes all the history older than the given number of months. | +| --database-connection-string required | String | Connection string of the database. | + +The available actions (clean duplicates; purge; optimize) are all optional, but at least one must be +used in the executable command. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md new file mode 100644 index 0000000000..34f3bf505c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md 
@@ -0,0 +1,29 @@ +# Usercube-New-OpenIDSecret + +This tools generates an hash. In practice, we hash a client secret but the tool can generate +randomly a hash without an input string. The name of the executable is: +Usercube-New-OpenIDSecret.exe'. + +## Examples + + ``` + + ./identitymanager-New-OpenIDSecret.exe --client-secret + Shared secret for 'secret' is 'K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=' + +```` + + +The output shows the client secret and its hashed version. It must be entered in the [ +OpenIdClient +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) configuration. + +## Arguments + +| Argument Name | Details | +| --- | --- | +| --client-secret optional | __Type__ String __Description__ OpenID client secret that will be hashed by the program. | +| | | +| --- | --- | +| --log-level optional | __Type__ LogLevel __Description__ Level of log information among: ```Verbose```; ```Debug```; ```Information```; ```Warning```; ```Error```; ```Fatal```. | +```` diff --git a/docs/usercube_saas/usercube/integration-guide/executables/references/passwordgenerator/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/passwordgenerator/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/executables/references/passwordgenerator/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/executables/references/passwordgenerator/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md new file mode 100644 index 0000000000..c058740510 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/prepare-synchronization/index.md 
@@ -0,0 +1,135 @@ +# Usercube-Prepare-Synchronization + +`Usercube-Prepare-Synchronization` is used as the second step of the +[Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md) process. It cleanses exported CSV files before +sending them to the server for database loading. It is performed on the _Agent_ side. + +## Behavior Details + +The task reads files from the source directory, usually the temp folder > ExportOutput folder. See +the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) + or an + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), + a `.sorted.csv` file is generated, containing the final, cleansed and sorted result. 
+- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the work folder > Collect directory. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the _export directory_. See the + [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) + topic for additional information. + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Identity Manager can't match. Using managed systems for +these operations avoids generating heavy files and alleviates Identity Manager's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. 
+ +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the _export directory_. It will be used as a reference for the next +_incremental_ Prepare-Synchronization to compute the changes, if needed. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Tampering with the `previous` folder content would result in false changes leading to false +computation. It would result in data corruption in the Identity Manager database. To restore the +Identity Manager database and reflect the managed system data updates, a _complete\_\_Sync Up_ would +be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +### Example + +The figure models the complete _Prepare-Synchronization_ steps applied to an Active Directory +export. 
The matching _Connector_ defines an Entity Type _AD Entry_ and two associations (_members_ +and _manager_). + +![Active Directory Prepare-Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Examples + +`Usercube-Prepare-Synchronization` can be used as an executable file as follows: + +``` +./identitymanager-Prepare-Synchronization --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connector --agent myagent --synchronization-mode complete + +``` + +## Arguments + +| Name | Details | +| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --agent required | **Type** [ Agent ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) **Description** Identifier of the agent where the task runs. | +| --connector required | **Type** [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) **Description** Identifier of the linked connector. The task is linked to a connector whose entity types are synchronized. 
| +| --synchronization-mode required | **Type** [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md)Mode **Description** Synchronization mode for this task can be one of the following: - Initial - Complete - Incremental This must be the same as the associated Export and Synchronize tasks. Use _initial_ if this is the first time the target managed system is synchronized. Use _complete_ to load the data from the managed system as a whole. Use _incremental_ to consider only incremental changes from the last synchronization. In _incremental_ mode, the Prepare-Synchronization task computes changes in the source managed system since the last _Prepare-Synchronization_. | +| --sources-directory default value: ExportOutput | **Type** String **Description** Directory path, relative to temp folder, from which export files to cleanse are read. See the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic for additional information | +| --working-directory default value: Collect | **Type** String **Description** The directory path, relative to work folder, to which intermediary and cleansed files are stored. See the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topic for additional information | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. 
| +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. Every request from agent to server needs to be authenticated with an OpenID Connect ClientId/Secret pair, linked to a profile with the relevant permissions. See the [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md new file mode 100644 index 0000000000..ac2c991ffb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md 
@@ -0,0 +1,46 @@ +# Usercube-Protect-CertificatePassword + +This tool helps protecting `.pfx` archives passwords. Given a plain text password, it generates an +encrypted version, that can be stored in a configuration file in place of the plain text one. The +tool uses a hard-coded secret RSA key to generate the encrypted password. Identity Manager uses the +same key to retrieve the plain text password and read the `.pfx` archive. + +## Examples + +Given a `.pfx` archive protected by the `secret` password, an encrypted version can be generated +with the following command: + +``` +./identitymanager-Protect-CertificatePassword.exe --pfx-password "secret" +``` + +The output is the following : + +``` + +ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA== + +``` + +This encrypted password can now be copied to the relevant location in a configuration file. For +example : + +``` +appsettings.json + +{ +... + "EncryptionCertificate": { + "File": "C:/identitymanagerAgentContoso/contoso.pfx", + "Password": "ep4BsLtg5RVFVI1kEIMZbV1q7Bg2eAFzeD73YX5fV7eklSIqcJcxHsCQbyY2zKLppXSX+Zpwm7xU5QY6DTAJleFbWsP/p0fjXUn1agy1tQ6l6t6wvURBZcePEgu+ivNjpUENbDIBotPdzbpISLJIjQbISzHDWnHuWPk/l8h0wXU=@WrAj9YdcNK8cQvfopZa5g1QFc1hk6nPolkwQAkU2ORfXupgV7kaWgKF4W/UmC0XXg4zuaqpVui6ivB0jbLTiXgQ62o+bG9ZSEJLaur4d20TMRNadqnWTWPWhVJF6XiS4jX7sDvVrZO3sKQJMNzZSeTKmsl0w0boCBEkuHsWDA24=@0oLLKxcTJGxSx1uGvhexEA==" + } +... +} + +``` + +## Arguments + +| Name | Details | +| ----------------------- | ---------------------------------------------------------------------------- | +| --pfx-password required | **Type** String **Description** Password of the `.pfx` archive's to encrypt. | 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md new file mode 100644 index 0000000000..80289aae81 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md 
@@ -0,0 +1,133 @@ +# Usercube-Protect-X509JsonFile + +This tool is used to encrypt a JSON file containing sensitive connection data, for example the +`appsettings-agent.json` file, with +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). The +encryption is based on the information given in your `appsettings.json` file about either a PFX file +or the location of the encryption certificate in the Microsoft store. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +This tool `Usercube-Protect-X509JsonFile` is used to encrypt a whole file, in comparison to the +[ Usercube-Protect-X509JsonValue ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) tool that encrypts only a +given value. This tool is more appropriate than `Usercube-Protect-X509JsonValue` when you have many +lines to encrypt. + +## Examples + +The command below encrypts the `appsettings.agent.json` file from the `C:/identitymanagerTraining` folder +and creates the `appsettings.encrypted.agent.json` file in the same folder. + +``` + +./identitymanager-Protect-X509JsonFile.exe --input-json-file-path "C:/identitymanagerTraining/appsettings.agent.json" --output-json-file-path "C:/identitymanagerTraining/appsettings.encrypted.agent.json" + +``` + +For example it takes this : + +``` +appsettings.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": 0 + }, + "OpenId": { + "OpenIdClients": { + "Job": "secret" + }, + "DefaultOpenIdClient": "Job" + }, + + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "http://localhost:3000" + }, + "NotificationSettings": { + "Cultures": [ + "en" + ] + } + }, + ... 
+} + +``` + +And it returns this : + +``` +appsettings.encrypted.agent.json + +{ + "TaskAgentConfiguration": { + "HttpClientTimeoutSupplement": "kxABAEh6CpUOAOMBNPNLKazx9I0vqummv24acN292gonFiK4ov81bjqE2ic+n+HqastXU2aTQcl3IefhEXn9KA2dhnIbDTXB4GhOn9lL9AzUfwKXBr5EBmVy7ggruG2ewpWGK1c3LBJ35km9XvCnzSHLfolZwHNPwM/8b/C6XqSzieoFcO5H92IGJ1lFRboacvp0rO+SkkUv63Ewsk+1MrVLa63oBgWfY6PhMeJvNpWGqCD+I614hB6jE2Li/recwQIPd10XEgFM1OEkZ5ZiO+URxX7MCBe1o20rTaczKR7e7lLQGa/e3Y3i1sFnCm+yRm/lzw0qtDvOtCXlPT13EsHsUunxnR3uH4R6lRBXT30OKobaX7MTQjGkLRChss/GVGCK5w==" + }, + "OpenId": { + "OpenIdClients": { + "Job": "kxABAOkh0BF2GdMedpzmKZZWVWc8IYaiZO2dofmt7lLBP3vMYgLLZYNDyR3x7Ah7tA1r6oSL5gBT3mSFyXB63NJk+QmZqNW1LWdzh+3U+DvNdQw4OfDfFlC5F+nH3/L5iqWc+h1jMlaQBpkqf42Vr8HwFKtqMXLJVXEIyeHSPgHRp1iOjGkNSRNrRQGJ4pVyo0xKmcWsz3qGYf0SnJIzRJ++PcYh/dJgxHAZFsDnV55X3zg72J8teoIEG82GdNjmCV/W4S4edNCYa1gL3KpgDGQq1GEed71Ht1tVYlHlJ4hckE++otQqTgRA2p4nFvo3LmlMag6k4EQRzEk6TOHUlGjUtYgpzMuPqei8/3CRXy5o8YW5R0wVFJJ/jSfYrvR3M9SwJw==" + }, + "DefaultOpenIdClient": "kxABANLI/Qx7X8L1VtIl+FM4RtYlTLLpUUBCp2pucY+jzjlwhbF9fjJhhTP/KmeCj8M2yB4AA1V3AQgcEBvg92I1vCAWXIBgCjz6LUD2yf4FCpACaxNgiBZVAaCELNCgbKDgy9UB1j4sCozpEzReLVtYdOX+KFbGU6zJ808jnrLFMz+YHT4LXMyF94A5Zl86DFT9br6PwR75qImvjDlIUt+7/I8WrT1Nnqn2hXxqzAd1J2W5Xv8Bt9sXFmskSZN9PyOo9EY9t5lVGq++IqjGPWh4vQAXCzIsfRgUfU7PfHKVuSKSHbME1EZwG/FjzOe8B4bO2q/a/qLtGgygyX5ExEkZ/IcrtSZnTdqC83AfyexlEv9Z3wWFAoKGDtI3zhmCZYnuZQ==" + }, + "PasswordResetSettings": { + "TwoFactorSettings": { + "ApplicationUri": "kxABAFAEx4fWwG/ANPVTf/WGyccDxoR2xCy+x+U3Ny1KkqnOFw+SizePTgINTzBaYHLTHABQD0GWW6U+4qiG6DpcIcdAD0VVnddqB5a+YIE0reufXYhZTrDU/9yeG6aUWIHkLl9UudC/nnW6zMrjChiJhJvT7csFKdgbqUazZT56hR0i6XS36a5h2/tTWhbZTkk1Dil5JP7xUcu5CMWyXMUvGvK8gfQozYxo/DJTOiLrWjg5ION1yx+ZqPhcIUxgYaBjxSpfT6U9YMy5mE9JGqf7W76baS9fOVr3H1DAL02icX29uJAcsw1r9k1rJQIKEhAuqTNeuqF6C6iPHJAsail+iteOJEYgBSACRz7Te4t6Hp7PBs0FfP0WY1oL+1T+p7X+HaO1jAJhE50J2AKhGNXTZfE=" + }, + "NotificationSettings": { + "Cultures": [ + 
"kxABAPwTbpFUbP9xT9HyqtTuMLKT9sVD0Qq1kCsI44d12vJEcW2MMy9K5vKakwTPeJpvY6SafELoHc7AjKnh8ZJi0/Yu4dieE5W+5uXY1uaghYJ/2VjimzIsDhvRhm90xUlaMjdFBjx4HAnxBAtEbEjifdGHxZ0L9F305hXSTORj53u76ctCE5D9HPTN3AgLmyIGv5NExwhD4sgppbf6PWjTEZ7yNcoUpkkS4pJ6BMz+PaQo26A2rMP710zQgG72an4XvxSoR3SwSm0fhLCASgYi8YOZw0j/cfxl/LrW1EQ7gyW0/Mw9v1YRNH3DkbWSeHZ3odhDWdaWkzR6yOEt5hO60eM0w8Tjoed30Jwf+enf1rJFStDe/dhg6vjUIaTn6tt1Gw==" + ] + } + }, + ... +} + +``` + +The previous command can be useful to encrypt, for example, an Active Directory's login used by the +agent during the synchronization process. + +The login to encrypt is stored in the following format, compliant with the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +structure: + +appsettings.beforeEncryption.json + +``` + +{ + ... + "Connections": { + ... + "ADExport": { + "Login": "Administrator" + } + } +} +``` + +This command writes encrypted values from `appsettings.agent.json` to +`C:/identitymanagerTraining/appsettings.encrypted.agent.json` following the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md).json +structure: + +``` +appsettings.encrypted.agent.json +{ + ... + "Connections": { + ... 
+ "ADExport": { + "Login": "kxABAM9LW6vyx3TpDXoU5mKKQAwxxNcH9Q2z+dk+E7BNzrI346fUUiPmnJlOJZNX8bA1sokpDHTJBJngdF8LqVuWhk0t+IBpHE+iRJZ4q6i/CzX/OnpoGEHLSL5gZUixIqn9kul5AbxI38d/aGkCGIeAGY73rf0eQRizB2uR/ObR/H9jm3dHGt3TUNyOH4WqdwrXL0WTeMyfme6O+2PMoGvmjVF04keicuisjj/jROxTcDKe69qjPuCJZabR69CA2qP1TPMDMy/zlg8bzRZKepw8VxI4OpIKrbwhaUTauJMR6URPsOZ54fdocKi3oEyvpm2AhX4YF8GpOw7fBQrPWte/JJFOxgIzH1Kh0d0YhC2ZpMCXexfOlB2Y9afWG/t7rdi4VDsEf8gwj+IJ3HbE0dtIPLw=" + } + } +} +``` + +## Arguments + +| Name | Details | +| -------------------------------- | ---------------------------------------------------------------------------- | +| --input-json-file-path required | **Type** String **Description** Path of the input to-be-encrypted json file. | +| --output-json-file-path required | **Type** String **Description** Path of the output encrypted json file. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md new file mode 100644 index 0000000000..081102e361 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md 
@@ -0,0 +1,91 @@ +# Usercube-Protect-X509JsonValue + +This tool is used to encrypt sensitive connection data, for example data from the +`appsettings.agent.json` file, with +[ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md). The +encryption is based on the information given in your `appsettings.json` file about either a PFX file +or the location of the encryption certificate in the Microsoft store. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +This tool `Usercube-Protect-X509JsonValue` is used to encrypt only given values, in comparison to +the Usercube-Protect-X509JsonValue tool that encrypts a whole file. This tool is more appropriate +than `Usercube-Protect-X509JsonFile` when you have only a few lines to encrypt. + +## Examples + +The command below encrypts the task agent configuration `0` and the OpenId Client `secret` used in +the `appsettings.agent.json` file. + +``` + +./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" + +``` + +As a response, the powershell returns one string per given value. 
+ +``` + +PS C:/identitymanagerTraining/Runtime> ./identitymanager-Protect-X509JsonValue.exe --values "0" "secret" +kxABACJhXxJwnGJSug/nE6ODGGYwnzhX1WeYUHmS7gkMLpF15K7POOZAVWsl93zuYaVStPK0sV+U6mOE4h5IzbT083Uac+/NKic+qNZLYi4PRum+G17pIeSMBu3z7GQJxGGkAeX7dwf0kc/oDW5yAQ1BtFN+k27UHZkUrz0fe/eOZwTHbgV5sSUM+6pXW6IQd2VnVRRKLyWij0MAKsCNlHtv6QE73b8P8u7liRdzWOueqE2blAZk0rm0JzFxZlUQKgIMBTk2cuFWph7rp8dp8h8mDKJl9xbYzAtmM/rgXuhcMYryIrlqFeBWt1J65cfL7HNQb6OX7Imb2LQZmZMI2xc1gFyiXjeINeMriYm3zecnSBMiYEGW6RddE6doJOtrTyznrg== +kxABAJT+2u1C1r0JI8criUz15QkI71x6/BPeNMlPWEL5ZHkTvZWVnMLG/zNJz9PvnjfecROC4fkxPRI5U+sF8W1caH8DtxnzM0ctYD0QtRcpS9z48y2mUzOzl3pU68BQyosyZGZW0ifXVI9UJVGMzMTfWloCw+R+xfZHviYLVGT8y2PKkCBdNp7IcZN4qT6mq8AmTIMSgwagR854n1EHn8lT5nUUFmhZ7iIJ/sonEVG4uyTAjND9YXSsfL9dm2ipTzXrybruIkVU051aczdohreMRsfeSB6TDAYa3GEMNeAb3CzI5I/6NpKYEzZEoYu4JXAzE6bqHeK2oVJyrmTL11kwq4m9fTMwlwmB0GaPeJtbQoih6TIX2qlOPfQdsrZt0dl5qw== + +``` + +Then you just need to copy and paste them. + +The following example shows how to update the OpenId ClientSecret matching the "ContosoCharlotte" +OpenId ClientId in the `appsettings.encrypted.agent.json` file. + +The initial `appsettings.encrypted.agent.json` file resembles the following: + +``` +appsettings.encrypted.agent.json before update +{ + ... + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "dKIHkloXG6i1LkxkhjkKoVKS9gFO7Hx8VUm" + } + } +} +``` + +The new ClientSecret to encrypt is _charlotte2028_. + +Using the `Usercube-Protect-X509JsonValue.exe`: + +``` +./identitymanager-Protect-X509JsonValue.exe --values charlotte2028 +``` + +The `--values` parameter also accepts multiple white-space-separated values for encryption. + +The output, in the console, shows the encrypted value for the _charlotte2028_ string. 
+ +``` + +kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw== + +``` + +The last step is to update the `appsettings.encrypted.agent.json` file by copy/pasting this new +encrypted value to replace the old one. It results in: + +``` +appsettings.encrypted.agent.json after update +{ + "OpenId": { + "OpenIdClients": { + "ContosoCharlotte": "kxABABJR7wYaQIqNjHT/rhYVMp5Vmsao7/eBLb7JCIiHMOKbi2sC0dY0SAJgj50NQ0kEH5LS3Y3TYso98+IdnxAzpURrtNu/LUWCJo1kTLM/taygebc0MK4XbkFmWzEgzLcVhAIy8GyFgEWqgNhOx7vwSPXFRrhQTVqIjwO0QNqxlZ5s6uyQm5fk9es2o6aLL0xwbvqspReFxZwuHrguAoIvkBnaKSsDfTLSuheP6VN7yOglLHvZ8Sn9R42M2BpG/dKIHXG6i1LkxkKoVKS9gFO7Hx8VUmYgxG+qIKTRVHdpMctqWKNUJTsQkmRKs+S3qiA2mgK/iC/dp923TfigAnBLWtyXw8eKDJjZ+s6n878BIf55iEjpgOrbm5FLzj8dfqPhQw==" + } + } +} +``` + +## Arguments + +| Name | Details | +| ----------------- | ---------------------------------------------------------- | +| --values required | **Type** String **Description** List of values to encrypt. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/refreshschema/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/refreshschema/index.md new file mode 100644 index 0000000000..5184651fcc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/refreshschema/index.md 
@@ -0,0 +1,27 @@ +# Usercube-RefreshSchema + +## Examples + +`Usercube-RefreshSchema` can be used as an executable file as follows: + +``` +dotnet Usercube-RefreshSchema.dll --api-url myserver.usercube.com --api-client-id myclientid --api-secret myclient secret --connection-id -2 + +``` + +The credentials used to connect to the connection come from the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md). + +## Arguments + +| Name | Details | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-id \*required | **Type** Integer **Description** Id of a connection whose schemas are updated. See the [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topic for additional information. | +| | | +| --- | --- | +| --api-client-id required | **Type** String **Description** Login used to authenticate to the server. Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-secret required | **Type** String **Description** Password used to authenticate to the server. 
Every request from agent to server needs to be authenticated with an [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) Connect ClientId/Secret pair, linked to a profile with the relevant permissions. | +| --api-url required | **Type** String **Description** URL of Identity Manager server. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md new file mode 100644 index 0000000000..c346f57189 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/send-passwordnotification/index.md 
@@ -0,0 +1,38 @@ +# Usercube-Send-PasswordNotification + +## Examples + +### Manually send a password initialization mail notification + +Consider a user who needs an account in an external system. Consider that this account requires a +password. + +As an example, we will consider that the id of the +[Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +associated with the external system is 10, and the id of the assigned resource type associated with +the user is 1000. + +Once the password is set, we need to communicate this password to the user. We send a mail +notification to inform the user. + +`--password true --assigned-resource-type 1000 --resource-type-mapping 10` + +For the notification to be sent, the server set at **appsettings** > **ApplicationUri** should be +running. +The [Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +should have an associated +[ Password Reset Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md). +For +the notification to be sent, the password reset settings should at least contain a notified email +binding. +For the notification to make sense, the password reset settings should at least contain a +beneficiary full name binding. 
+ +## Arguments + +| Argument Name | Details | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --assigned-resource-type required | **Type** String **Description** Specifies the id of the assigned resource type corresponding to the user and the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **AssignedResourceTypeId**. **Example** Send a notification for the assigned resource type with id 1000: `--assigned-resource-type 1000`. | +| --password required | **Type** String **Description** Specifies the new password that will be sent by mail. **Example** Send a notification for the password NewPassword: `--password NewPassword`. | +| --resource-type-mapping required | **Type** String **Description** Specifies the id of the [Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) corresponding to the external system that is being fulfilled with a new password. This can be found in the provisioning order at **ProvisioningOrdersList** > **ResourceType** > **Id**, as the resource type and its corresponding resource type mapping share the same id. **Example** Send a notification for the resource type mapping with id 10: `--resource-type-mapping 10`. 
| +| --notification-cc optional | **Type** Integer **Description** Specifies an address that should also receive the notification. **Example** Add [admin@acme.admin](mailto:admin@acme.admin) to the mail CC: `--notification-cc admin@acme.admin`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md new file mode 100644 index 0000000000..cd4c0aa595 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/server/index.md @@ -0,0 +1,27 @@ +# Usercube-Server + +This tool runs the main Identity Manager Server. + +## Examples + +With a properly configured environment, the following command runs the server. It listens on two +different ports: + +``` +./identitymanager-Server.exe --urls "http://localhost:5000;http://localhost:5001" +``` + +When the Server starts, the following log should be displayed (if the log level is set to +_Information_): + +``` +[xx:xx:xx INF] Now listening on: http://localhost:5000 +[xx:xx:xx INF] Now listening on: http://localhost:5001 + +``` + +## Arguments + +| Argument Name | Details | +| --------------- | ----------------------------------------------------------------------- | +| --urls required | **Type** String **Description** URL(s) that the server is listening to. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md new file mode 100644 index 0000000000..5bcf523804 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/update-entitypropertyexpressions/index.md 
@@ -0,0 +1,35 @@ +# Usercube-Update-EntityPropertyExpressions + +This tool is used to recompute the values of all properties defined via expressions (C#, etc.), +usually to prepare for a connector's synchronization. + +## Examples + +The following example updates the property expressions of the database defined by the connection +string, for all entity types. + +``` + +./identitymanager-Update-EntityPropertyExpressions.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false" -a + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --batch-select-size (-q) default value: 10000 | **Type** Int32 **Description** Batch size for SELECT queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --batch-update-size (-c) default value: 20000 | **Type** Int32 **Description** Batch size for UPDATE queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| | | +| --- | --- | +| --database-connection-string required | **Type** String **Description** Connection string of the database. | +| | | +| --- | --- | +| --all-entityType (-a) optional | **Type** No Value **Description** Applies the tool to all entity types. | +| --batch-size (-q) default value: 5000 | **Type** Int32 **Description** Batch size for queries. [See more details](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching). | +| --dirty optional | **Type** No Value **Description** Applies the tool incrementally by applying it only to resources marked as dirty, i.e. recently modified. 
| +| --entitytype-list optional | **Type** String List **Description** List of entity types that the tool is to be applied to. **Note:** required when `--all-entityType` is not specified. | +| --resource-identity-property optional | **Type** String **Description** Property used to override the resource identity property set in the [ Select User by Identity Query Handler Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md). | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md new file mode 100644 index 0000000000..9de88048a8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-configurationversion/index.md 
@@ -0,0 +1,29 @@ +# Usercube-Upgrade-ConfigurationVersion + +This tool is used to upgrade your configuration from your current version entered in settings to the +latest version. + +## Examples + +``` + +./identitymanager-Upgrade-ConfigurationVersion.exe --version "5.1.0" --xml-path "C:/identitymanagerDemo/Conf" --output "C:/identitymanagerDemo/Conf2" + +``` + +In this example, the configuration files are in the folder "C:/identitymanagerDemo/Conf" and at version +"5.1.0". This tools will upgrade all the xml files to the latest version and save them in the folder +"C:/identitymanagerDemo/Conf2". + +## Arguments + +| Argument Name | Details | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| --version required | **Type** String **Description** Current version. | +| --xml-path required | **Type** String **Description** Current xml configuration folder to migrate. | +| | | +| --- | --- | +| --output required | **Type** String **Description** Path of the folder where the result will be saved. | +| | | +| --- | --- | +| --log-level optional | **Type** LogLevel **Description** Level of log information among: `Verbose`; `Debug`; `Information`; `Warning`; `Error`; `Fatal`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md new file mode 100644 index 0000000000..ee937b4060 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/upgrade-databaseversion/index.md 
@@ -0,0 +1,50 @@ +# Usercube-Upgrade-DatabaseVersion + +This tool is used to run the necessary migration scripts in order to upgrade the database structure +from its current version to the most recent version. + +## Examples + +To upgrade a database with the connection string `databaseConnectionString`, go to the Runtime +folder of the newest version and launch the tool with the following argument: + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" + +``` + +If the database has been correctly upgraded, the following message should appear: +`Database has been upgraded to version X.X.X`, with "X.X.X" being the newest version to which the +migration was made. + +### With a Mode + +The following example runs the database upgrade tool only for backward compatible changes. + +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges + +``` + +### With the Execute Predefined + +The following example runs the database upgrade tool only for backward compatible changes and the +predefined script. As the predefined script is always executed in the other modes, this option is +useful only when specifying `--mode BackwardCompatibleChanges`. 
+ +``` + +./identitymanager-Upgrade-DatabaseVersion.exe --connection-string "databaseConnectionString" --mode BackwardCompatibleChanges --execute-predefined + +``` + +## Arguments + +| Argument Name | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --connection-string (-s) required | **Type** String **Description** Connection string to the database. **Example** `--connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"` | +| --execute-predefined optional | **Type** No Value **Description** Indicates that the predefined SQL file must be executed, when using the `BackwardCompatibleChanges` mode. | +| --mode default value: All | **Type** Enum **Description** `All` - run all the script types. `BackwardCompatibleChanges` - only execute backward compatible scripts. **Note:** the previous runtime can still work. `BreakingChanges` - only execute breaking scripts. **Note:** the server must be stopped. `CleanupChanges` - only execute cleanup scripts, to cleanup the database after the server restarted with the new runtime. **Example** `--mode BreakingChanges` | +| --force-version optional | **Type** String **Description** Forces the database version instead of using the current one to replay the migration scripts. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md new file mode 100644 index 0000000000..b0de075414 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md 
@@ -0,0 +1,237 @@ +# Access Certification + +The Access Certification module enables chosen end-users to carry out assignment certification +campaigns, which aim to certify assignments of entitlements. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- A certain category of roles +- A certain type of assignment +- Assignments not certified since a certain date +- Assignments presenting a certain level of risk. See the + [ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md) topic for additional + information. + +Identity Manager uses an access certification campaign to define the campaign's scope including: + +- The start and end date of the campaign +- The group of entitlement assignments to be certified during the campaign. + +### Job for access certification + +After the campaign's creation, access certification items are assigned to reviewers (Identity +Manager end-users) by the CreateAccessCertificationJob, composed of the following tasks: + +- Identity Manager-Update-AccessCertificationCampaign simply applies the campaign's scope, + determines which permissions are to be certified, by computing certification orders; +- Identity Manager-Set-AccessCertificationReviewer assigns one review for each access certification + item to end-users whose profile's scope of responsibility matches the entitlement to be certified; +- Identity Manager-Send-AccessCertificationNotification sends notifications to concerned reviewers. 
+- Identity Manager-Process-AccessCertificationItems processes the access certification item + decisions and generates the corresponding deprovisioning orders. + +## Set up the Configuration + +Configuring the Access Certification module entails: + +- Setting up profiles to carry out the certification +- Configuring their scope of responsibility +- Enabling automatic and forwarded assignments of access certification items to end-users + +### Campaign creation + +At least one Identity Manager profile needs permissions to create campaigns. + +Such permission can be granted using the AccessReviewAdministrationAccessControlRules scaffolding. +See the +[ Access Review Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +topic for additional information. + +The administrator profile, created with CreateAdministratorProfile scaffolding, already has these +permissions. See the +[ Create Administrator Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) +topic for additional information. + +If you are not using the AccessReviewAdministrationAccessControlRules scaffolding, the user cannot +query on dimensions when editing the owner filters, so you need to give the permissions on the +correct contexts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +### Profile scope of responsibility + +The scope of responsibility of a profile is a set of criteria that defines which assignment of +entitlements this profile will certify. For example, the **Manager** profile is responsible for +reviewing entitlement assignments of identities working in their department. 
+ +A profile's scope of responsibility is configured by giving access, with access control rules, to a +specific set of access certification items that match the profile's scope of responsibility +criteria. + +The option to display only the **Approve** or **Deny** buttons next to the Access Certification +items can be configured by the administrator on the UI in the **Settings**>**Features**. + +##### Example + +This example shows how to set the scope of responsibility for the **Manager** profile. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        ... + +``` + +The filter indicates that a review with the **Manager** profile can only access items for which the +binding Owner.Directory_User:MainRecord.Organization.Id matches their dimension organization's +value. + +This example needs to be completed with either automatic assignment or manual assignment +capabilities. + +For certification items to be assigned to a profile, a permission context has to be added to the +access control rule. + +### Access certification item assignments + +Access certification items can be assigned to end-users via: + +- Automatic assignments, computed by the reviewer-setting task when a given profile's scope of + responsibility matches the entitlement to be certified +- Forwarded assignments, automatically assigned to an end-user, but then manually forwarded to + another user from the UI + +#### Automatic assignments + +For a profile to be the target of an automatic assignment of an access certification item, it needs +the `/Custom/AccessCertification/AutoAssigned/{entityTypeName}` permission. + +##### Example + +This example completes the previous one by adding the automatic assignment capabilities. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        
+``` + +This example enables automatic assignments of access certification items that match the filter to +end-users with the **Manager** profile. + +If the filter criterion is matched for several end-users, only one is assigned the certification +item, and this assignment is made randomly. Therefore, in order to have a cleaner reviewing +architecture, it is recommended to carefully set the Filter attributes in the access control rules +so that no two end-users' scope of responsibility overlap. + +#### Forwarded assignments + +The target profiles need the following `/Custom/AccessCertification/ManualAssigned/{entityTypeName}` +permission. + +The example below allows the **Manager** profile to be the target of forwarded assignments. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +       +``` + +There is no filter so the Manager profile can certify all forwarded certification orders for the +Directory_User entity type, regardless of his previously configured scope of responsibility. + +It is recommended to have a larger scope for forwarded certification orders than for automatically +assigned ones. + +### Certification policy + +Scopes of responsibility can also be defined in terms of access certification campaign policy. See +the +[ AccessCertificationCampaignPolicy ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md) +topic for additional information. + +Assigning an access certification campaign policy to an access certification campaign allows the +creation of campaigns dedicated specifically to one set of reviewers. + +The following example creates a new policy named Manager. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +It automatically appears on the campaign creation screen, and binds itself to the created campaign: + +![Campaign creation screen with policies](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/accesscertification/creation_5.1.6.webp) + +To use it, modify the access control rules by adding a filter on the campaign policy. See the +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +##### Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +In this example, the **Manager** profile is only able to certify items for a campaign defined with +the **Manager** policy. + +A default policy is already defined. If no filter is set when giving the permission, the policy is +not considered. + +### Access certification item processing + +Once entitlement assignments have been reviewed (accepted or rejected), the final step is to apply +these decisions with the processing task, eventually denying assignments. This is done through the +UI. See the Access Certification topic for additional information. + +The user needs to have the correct permission to launch the item processing: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +It is also possible to add access control filters when creating the permission set so that users can +only access certain type of campaigns. See the +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +This permission also is given by the AccessReviewAdministrationAccessControlRules scaffolding. 
See +the +[ Access Review Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md new file mode 100644 index 0000000000..8cc931c92a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/how-tos/review-prolonged-entitlements/index.md 
@@ -0,0 +1,28 @@ +# Review Prolonged Entitlements + +This guide shows how to allow a manager to review the permissions prolonged by a grace period. + +## Overview + +Consider an entitlement given via a role which is defined with a grace period. Consider that this +role is assigned automatically to some users by a rule of the role model. If this rule changes and +the users are supposed to lose the role, then they keep it for the time defined by the grace period, +and the role's workflow state switches from `Automatic` to `Prolonged`. Then a manager must access +these entitlements in the **Role Review** screen, to either approve or decline the role +prolongation. See the +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for +additional information. + +## Assign the Right to Review Prolonged Entitlements + +The right to review prolonged entitlements is given by adding the appropriate `AccessControlRule` on +a profile. A profile should get the right to review prolonged entitlements given for both single and +composite roles. Technically speaking, we need to create one access control rule for assigned single +roles, and another one for assigned composite roles. In this case we give access to the workflow +state 27 which is the workfow state `Prolonged` linked with the grace period. + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/index.md new file mode 100644 index 0000000000..892426dd1c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/index.md 
@@ -0,0 +1,46 @@ +# Governance + +Identity Manager's governance features intend to provide tools that control assignments of +entitlements and measure IGA policies efficiency. Control over the assignments is achieved by +designing a role model, automating assignments, using the risk management module, and performing +certification campaigns. Measuring policies efficiency is enabled by reporting and auditing +capabilities. + +Reporting, access certification campaigns and risk management are three important tools that +complete the governance arsenal. + +## Reporting + +With reporting features, stakeholders can measure the effect of IGA policies on the assignment +landscape and adjust if needed. Governance also helps produce audit-ready reports. You can start to +set up governance features relatively early in your Identity Manager journey and measure your +progress from the very start. + +Identity Manager puts users in control of their reporting. Rich features, such as the query module, +help produce custom reports that can be used to check the assignment policy results, or gather +information for an audit. + +## Access Certification Campaigns + +A certification campaign is a recurring event, scheduled for example every week, month or year, +during which managers review their team members' entitlements. Sensitive assignments are then kept +or removed. + +Certification campaigns are the best way to make sure past assignment decisions are still in the +best interest of the organization. They can be a good way to mitigate a lack of automation in your +assignment decisions concerning, for example, movers or leavers. + +Identity Manager's certification module also helps managers produce accurate reports that they can +present to an auditor. + +See the [Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) topic to learn how to configure +certification campaigns. 
+ +## Risk Management + +The risk management module provides tools for identifying entitlement assignments that pose a +security risk. The module facilitates the analysis and mitigation of different kinds of risks such +as Segregation of Duties (SoD) or High Privilege. Risks can be used to identify sensitive +assignments that should be reviewed first during a certification campaign. + +See the [ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) topic to learn how to configure risks. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md new file mode 100644 index 0000000000..fe99b1b79b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/index.md 
@@ -0,0 +1,126 @@ +# Analyze Identity Manager's Data with Power BI + +This topic explains how to prepare Identity Manager's data and use it in Power BI, with the final +goal to generate user-friendly reports. + +## Overview + +[Power BI](https://powerbi.microsoft.com/en-us/why-power-bi/) is used with Identity Manager to +generate user-friendly reports in an interactive way, based on Identity Manager's database. + +The SaaS edition [Power BI Service](https://www.microsoft.com/en-US/download/details.aspx?id=58494) +contains an integrated Identity Manager connector, so we simply need to make Identity Manager's data +usable by configuring a particular data model. + +As this new model is to be organized into XML elements called universes, we will call the new data +model the universe model. + +Based on this model, Power BI will be able to: + +- query the database +- generate a model containing the data that we want to include in reports +- transform data if needed +- generate customized graphic reports +- publish the reports with Power BI Service (SaaS) or Power BI Report Server (on premises) + +![Process Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/analyze-powerbi/powerbi_process.webp) + +## Prerequisites + +Identity Manager's licenses for Power BI as well as Identity Manager Data are required to operate. + +Integrators need to know: + +- Identity Manager's data model, i.e. the entity names, the associations between the entities to + display, etc. from both Identity Manager-hard-coded and customized parts +- what data needs to be displayed in the end + +**NOTE:** Power BI is able to analyze all Identity Manager's data, hard-coded and customized, but +only current data, i.e. nothing from the history. + +## Analyze Identity Manager's Data with Power BI + +Build the universe model by proceeding as follows: + +**Step 1 –** Define the appropriate universes using scaffoldings. 
See the +[ Queries ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) topic +for additional information. + +_Remember,_ in order to understand business intelligence, with its universes, entity instances and +association instances. See the +[ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) topic +for additional information. +Also note that XML objects that automatically generate XML snippets that would be complex and/or +tedious to write manually. See +the[Scaffoldings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic +for additional information. + +Netwrix recommends creating no more than one universe to generate one report, to prevent issues +about name uniqueness. + +**Step 2 –** Connect Power BI to Identity Manager to visualize the output model. See the +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) topic for additional +information. + +The Power BI applications **Desktop**, **Service** and **Report Server** all offer the Identity +Manager plugin to access Identity Manager's database. + +**Step 3 –** Remember to clear the cache in Power BI when modifying universes, to ensure that all +changes are considered. + +**Step 4 –** Customize the queries in Power BI, if needed, with the +[M language](https://docs.microsoft.com/en-us/powerquery-m). + +You can see in Power BI queries that Identity Manager must be specified as a source via the +expression `Source = Usercube.Universes("")`. + +Integrators may need to customize the model to make it more understandable and easily usable by +end-users. 
+ +For example, the following M query removes the column Company Id from the table +Directory_User_Records, considering that we do not need it for future reports. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +let +    Source = Usercube.Universes(""}) +in +    Directory_User_Records_WithoutCompany +``` + +Another common use for manual queries is the denormalization of the model, when it simplifies the +future queries and reports for end-users. + +**Step 5 –** Generate reports and publish them for end-users by following the steps listed in the +[Power BI documentation.](https://docs.microsoft.com/en-us/power-bi/create-reports/) + +This is how you analyze Identity Manager data through Power BI. + +## Maintain the Model + +In order to maintain the model you must remember the ones listed below. + +Refresh data + +You must define, in Power BI Service or Report Server, a frequency for data refresh so that reports +display up-to-date data. See the +[Power BI documentation](https://docs.microsoft.com/en-us/power-bi/connect-data/refresh-data) for +additional information. + +Data is often refreshed once a day. Define the refresh frequency according to your needs. + +Foresee the Impact of Model Modifications + +A change inside an existing entity, for example adding a scalar field, does not require any +particular actions on the universe model. + +A change in an association requires making the corresponding change in the universe model, as +association instances (in the universe model) are based on entity associations in Identity Manager's +data model. See the +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +topic for additional information. 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md new file mode 100644 index 0000000000..8846c7cdef --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md 
@@ -0,0 +1,66 @@ +# Connect Power BI to Identity Manager + +This guide shows how to connect Power BI to Identity Manager. + +## Overview + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Identity Manager offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Identity Manager's universes. + +## Prerequisites + +- Power BI Desktop must be installed on your device. +- Identity Manager's server must be running. + +## Connect Power BI to Identity Manager + +Connect Power BI to Identity Manager by proceeding as follows: + +1. Open Power BI Desktop. +2. Click on **Get data** either in the welcome window or in the home menu. + + ![Get Data](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdata.webp) + +3. In the opening window, search for Identity Manager, click on its plugin in the right menu, and + click on **Connect**. + + ![Get Data Window](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_getdatawindow.webp) + +4. Enter Identity Manager's server URL in the opening window. + + ![Server URL](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_url.webp) + +5. In the opening window, enter the + [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md)of + the `Administrator` profile. The `Client Id` expects the concatenation of the identifier of + `OpenIdClient` with `@` and Identity Manager's domain name. See the following example. 
+ + ![Client Id / Client Secret](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clientid.webp) + +6. You can now access in the left panel the + [ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md)from + Identity Manager configuration. You can click on the desired universe to expand it, and view and + pick the desired tables. + + ![Universe Panel](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_universes.webp) + + **Power BI tip:** to view a table, click on its name. To select a table, check the box next to + the table's name. + +7. Once you've selected all the tables you need, click on **Load** to import data to the Power BI + report. You can also click on **Transform data** to open the query editor and make other changes + in your tables, rows and columns. + +## Clear the Cache + +Remember to clear the cache in Power BI to ensure that all changes are considered. + +Clear the cache by proceeding as follows: + +1. In Power BI, click on **File** > **Options and settings** > **Options**. +2. In the **Data Load** tab, click on **Clear Cache**. + + ![Clear Cache](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/powerbi_clearcache.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/index.md new file mode 100644 index 0000000000..23aeb78f21 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/index.md 
@@ -0,0 +1,8 @@ +# Reporting + +The Reporting module is used to generate basic reports in CSV using +[API query grammar](/docs/identitymanager/saas/identitymanager/integration-guide/api/squery/index.md), or advanced reports using the +[ Business Intelligence ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md) module. + +See the [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for +additional information on generating reports. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md new file mode 100644 index 0000000000..1048f7407c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md 
@@ -0,0 +1,174 @@ +# Risk Management + +The Risk Management module provides tools for identifying assignments of entitlement that pose a +security risk. The module helps analyze and mitigate different kinds of risks such as _Segregation +of Duties_ or _High Privilege_. This is the basis for auditing and performing access certifications +with a risk-based method. + +## Overview + +A [ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) describes a sensitive +situation of entitlement assignments that needs to be monitored. + +Risk management is essential to auditing. End-users can define models of risks, assigned to +identities based on their entitlement assignments. This action identifies identities whose +entitlement landscape might pose a threat or a surface of attack. The identified risks for a given +identity inform the auditor about the exact nature of the threat to help making decisions and +finding methods of remediation. + +To identify the identities that represent the highest risk, Identity Manager computes a risk score +for all identities, based on both the roles already assigned and the roles that are subject of the +current request. The higher the score, the higher the threat. The identities with the highest risk +scores are the priority of the next [Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) +campaign. + +See the [ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md)topic for additional +information on how to use the risk management module to identify entitlement assignments that pose a +security risk. + +## Risk Definition + +A [ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) is an object that describes a +sensitive situation of assignments of entitlements. 
+ +The assignment of a risk to an identity highlights, for a potential auditor, the need to closely +reconsider said the assignments of said identity. + +A risk is always: + +- part of a [Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md); +- assigned to identities belonging to a specific entity type that was decided during the risk + creation; +- organized inside a type; +- linked to an exemption policy. + +## Risk Type + +The type of a risk informs the auditor about the exact nature of the situation that the risk +describes. It helps understand the possible causes, the importance of the security threat and +methods of remediation. + +Identity Manager supports two types of risks: + +- a segregation-of-duties risk identifies a threat due to the conjunction of two or more + fine-grained entitlements for the same identity, for example if an identity requests an + entitlement and is also the validator for said entitlement; +- a high-privilege risk identifies a threat due to the assignment of one or more highly sensitive + entitlements, for example the `Domain User` group in an Active Directory. + +## Risk Exemption Policy + +All risks are assigned an exemption policy that defines the behavior of Identity Manager regarding +risks when entitlements are manually requested. + +### Blocking + +Risk-triggering permission requests can be forbidden with the blocking exemption policy. If at least +one of the detected risks in the requested entitlement set has the blocking exemption policy, then +Identity Manager does not allow the set to be requested at all. 
A message is displayed and the +request must be cancelled: + +![Exemption Policy - Blocking](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_blocking_v522.webp) + +### Approval Required + +Yet, instead of being unilaterally forbidden, risk-triggering permission requests can be authorized +with an additional role review approval with the approval required exemption policy. If at least one +of the detected risks in the requested entitlement set has the approval required exemption policy, +then Identity Manager adds a step where this new set must be reviewed by a knowledgeable user like a +security officer. A message is displayed and the request can be continued or cancelled: + +![Exemption Policy - Approval Required](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_requiredapproval_v522.webp) + +If the request is performed, then a line appears on the **Role Review** screen. + +The workflow state of said request is `Manual`, `Pending approval (risks)` and shows the following +risk icon. + +![Home Page - Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_riskicon_v522.svg) + +### Warning + +Risk-triggering permissions can also be allowed with only a warning with the warning exemption +policy. If all detected risks in the requested entitlement set has the warning exemption policy, +then Identity Manager displays a message and the request can be continued or cancelled: + +![Exemption Policy - Warning](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_warning_v522.webp) + +### Upon Profile + +The blocking and approval required exemption policies can be ignored according to the profile of the +user and their scope of responsibility, with respectively the blocking upon profile and approval +required upon profile exemption policies. 
Then they can be assimilated to the warning policy if the +user has the right permission, respectively **/ProvisioningPolicy/Risk/OverrideBlocking** and +**/ProvisioningPolicy/Risk/OverrideApproval**, otherwise they behave like the blocking and approval +required policies. + +Like in the example below, the two permissions can be chained together. For the connected user, a +risk that would have been blocking otherwise, is just a warning. + +``` + + <AccessControlRule Profile="Administrator" EntityType="Risk" Identifier="Administrator_Risk_Override" DisplayName_L1="Administrator_Risk_Override"> <Entry Permission="/ProvisioningPolicy/Risk/OverrideBlocking" CanExecute="true" /> <Entry Permission="/ProvisioningPolicy/Risk/OverrideApproval" CanExecute="true" /> + +``` + +## Risk Assignment + +### Risk Rules + +[ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) are assigned to resources +manually by a knowledgeable user or automatically, by the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +When a risk is assigned to a resource, a new identified risk is created under the +`UP_IdentifiedRisks` table. + +Automatic assignment of risks is based on +[ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) rules. For each new +fine-grained assignment on a resource, risk rules are applied. If one of the rules matches the +resource state, the related risks are assigned to the resource. Those rules are themselves based on +fine-grained entitlements, such as an Active Directory account or group membership, modeled by the +navigation rules within Identity Manager. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for +additional information. 
+ +A risk rule states that a risk is assigned to a resource if the resource has one or several specific +fine-grained entitlements. The number of triggering entitlements depends on the risk type. For +example, the segregation-of-duties risks depends on at least two entitlements. The other types of +risk depend on one or more entitlements. + +### Fine-grained entitlement + +A fine-grained entitlement assigned to a resource-identity in Identity Manager is modeled by +navigation property values of the resources owned by the identity. + +To write a risk rule, the end-user has to describe a fine-grained entitlement for a +resource-identity. + +This is the way: + +1. Choose an [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) of which + the resource-identity could be owner. +2. Choose a navigation property of that entity type. +3. Choose a value for that navigation property. The value would be a resource from the unified + resource repository. + +This final value is a fine-grained entitlement, linked to the owner resource-identity through the +navigation property and the ownership relationship. + +## Risk Score + +Once [ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) are assigned to +identities, Identity Manager computes a risk score for each relevant identity. + +This score allows an auditor to prioritize the +[Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) campaign. The identity with the highest risk +score poses a more serious security threat and has to be handled first. + +During access certification, assignments that are responsible for triggering the risk will be +examined and then, kept or discarded. + +The risk score computation is performed by the risk score task. 
+ +![Compute Risk Score Task](/img/product_docs/identitymanager/identitymanager/integration-guide/governance/risks/risks_riskcomputetask_v522.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/identity-repository/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/identity-repository/index.md new file mode 100644 index 0000000000..6670729c3f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/identity-repository/index.md 
@@ -0,0 +1,64 @@ +# Identity Repository + +One of the main purposes of an IGA tool is to build a comprehensive repository containing all +identities in the organization. This repository is essential in order to set up the features for +identity lifecycle management, and manage entitlement assignments. + +## Overview + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Identity Manager, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +The identity repository can be created and updated by: + +- uploading an Excel file provided by Identity Manager with the right model; +- using Identity Manager's workflows; +- synchronizing HR files to Identity Manager via a specific connector. + +Netwrix Identity Manager (formerly Usercube) recommends creating the identity repository by +downloading the provided Excel file, filling it with HR information, and uploading it back. See the +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic to learn how to create the workforce repository. 
+ +Then perform mass updates with the same kind of process, and update an Individual Identity via +Identity Manager's workflows. See the +[ Update Identities in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) +and +[ Update an Individual Identity ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md)topics +for additional information. + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. + + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md new file mode 100644 index 0000000000..5185f8c607 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md 
@@ -0,0 +1,32 @@ +# Identity Management + +Identity management is about creating a repository of identities (all kinds of identities) along +with the entitlements that they need to work. One of the main purposes of an IGA tool is to help +create the identity repository, and to keep it up-to-date with identities' lifecycles within the +company. + +"Identities' lifecycles" mean any Joiners, Movers and Leavers (JML) process, i.e. staff changes, +i.e. any user's onboarding, position modification and offboarding. + +See the [ Identity Repository ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/identity-repository/index.md) topic for additional information. +See the [ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) topic +for additional information on how Identity Manager handles the Joiners, Movers and Leavers (JML) +process. + +Identities in Identity Manager are mostly humans, both internal and external workers, but can also +be applications, bots, service accounts, or anything. + +Identities are stored in the database as [ Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/resources/index.md), which helps with +Identity Manager's internal mechanisms, for example to modelize identities with +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) types. + +Additional interesting parts of identity management are: + +- the synchronization of identity changes through several repositories, for example both Identity + Manager and the AD; +- the provisioning of identity properties directly to the connected systems, based on the + computation of the [ Role Model ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md). 
+ +See the [Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md) topic for additional information. + +See the [Provisioning](/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md new file mode 100644 index 0000000000..cb6e029990 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md @@ -0,0 +1,11 @@ +# Identity Lifecycle: Joiners, Movers and Leavers + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records. + +In Identity Manager, the JML process is done through workflows or through synchronization to the HR +system. + +See the [ Onboarding and Offboarding ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md) and +[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) topics for additional information on +onboarding and offboarding and position changes via records. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md new file mode 100644 index 0000000000..a863f73148 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md 
@@ -0,0 +1,66 @@ +# Onboarding and Offboarding + +In Identity Manager, onboarding and offboarding are done through workflows or through +synchronization to the HR system. + +## Onboarding + +The onboarding process for a new employee or contractor is materialized by the creation of a new +resource in the identity repository. This creation triggers the fulfillment of the entitlements +required by the user to perform their duties and be productive on day one. + +The entitlement fulfillment can be performed in different ways: + +- Identity Manager suggests the entitlements needed by the new user, prepares the provisioning + procedures, and wait for the manual trigger of a manager or security officer. +- Identity Manager automatically triggers the provisioning of the entitlements needed by the new + user, without any more human input. + +See the [Role Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/index.md) topic for additional information on +entitlement assignment. + +The automation of the entitlement assignment processes can be really helpful. However, you should +not be looking for a full automation, but rather the smart automation of basic assignments such as +"birthrights", while the sensitive ones keep a manual process. + +See the [ Automate Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md) +topic for additional information about the assignment automation. + +## Offboarding + +The offboarding process doesn't necessarily mean the deletion of the resource from the identity +repository because, for legal and/or security purposes, the company may need to be able to access a +person's history in the company for a certain time, even after their departure. + +This is why the departure triggers the removal of all entitlements for the departing identity. +Hence, Identity Manager knows all the past and present entitlements of any identity. 
+ +## Period of Validity + +The joining and leaving of an identity are materialized by the identity's period of validity. This +way, the resource is valid from the start date until the end date. + +These start and end dates can be configured to be different from the actual start and end dates of +the user's contract in the company. + +These dates should then be part of entity types' properties (for example as `StartDate` and +`EndDate`), in order to be used in +[ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md). + +![Identities - Validity Period](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/validityperiod.webp) + +At the start date, the resource is created and a few entitlements are assigned to the identity. + +Between the start and end dates, the identity is part of all of Identity Manager's calculations +(role model, etc.). + +At the end date, all the entitlements previously assigned to the identity are removed. + +After the end date and until its explicit deletion, the resource is still in the identity +repository, but it is not part of any calculation anymore. + +Keeping track of former employees usually helps solve issues involving orphan accounts. + +A resource is deleted either via a resource-deletion workflow, or via the synchronization of HR +files if the user was removed from HR lists. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md new file mode 100644 index 0000000000..ddea96fc2c --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md 
@@ -0,0 +1,199 @@ +# Position Change via Records + +Identities' Joiners, Movers and Leavers (JML) process can be made easy by using the adequate model: +records and contexts. + +In Identity Manager, position changes are made through workflows or through synchronization to the +HR system. + +## Overview + +The entitlements of a user must be updated with the user's position changes: the entitlements needed +for the previous position are removed, and the entitlements needed for the next position are added. +This is essential to prevent users from cumulating entitlements when moving. + +Just like onboarding, the entitlement fulfillment can be performed either by using Identity +Manager's suggestions for the needed entitlements and adjusting them, or trusting Identity Manager +with an automated fulfillment. + +Identity Manager's calculations for entitlement assignments rely on heuristics, through identities' +key properties called +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +> For example, consider an entity type modeling identities with their job title, department and +> location. +> +> Then a user working as a accountant in Paris will receive different entitlements from another user +> working as a marketing specialist in Scranton. + +Hence entitlement assignment is usually based on identities' positions. + +Within the company, an identity can hold one or several positions, sometimes several positions +simultaneously. + +## A Model for Identity Changes + +Any change in an identity's lifecycle, such as a position change, usually entails a change in a +given set of properties simultaneously. + +> For example, a position change can typically trigger a change at least in the job title and +> location, together with the position start and end dates. 
+ +It seems natural to model identities by splitting their properties into three entities: one for +users' personal data, one for their contract(s) and one for their position(s): + +![Records Origin - Three-Entity Model](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_firstmodel.webp) + +A user can have several positions over time, even simultaneously. A user's contract can change over +time too. Even personal data is subject to change. This is why we can have several sets of personal +data (and/or several contracts and/or several positions) for a single user, and also why the `User` +entity is meant to contain only users' unique identifiers. + +> For example, in personal data a marriage can imply a name change, a user can start with a +> fixed-term contract and change to a permanent one, and position change is obvious. + +Even without allowing simultaneous positions, contracts or personal data sets, this model helps +anticipate upcoming changes. + +### Contexts + +The model is supposed to facilitate the [Provisioning](/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/index.md) provisioning +of user data and entitlements, yet this first model does not meet all expectations. In case of +multiple personal data sets for a single user over time, or multiple contracts, or multiple +positions, which values should be used to apply the rules of the role model? How to combine all +start and end dates to make sure that all rules are applied based on the right input? These issues +imply complex C# expressions in provisioning rules. + +> For example, let's write a C# expression to compute users' display names based only on their first +> and last names. 
To make sure that display names are computed using valid input, we write the +> following: +> +> ``` +> +> C#:user:return user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.FirstName + ' ' + personalData.LastName).FirstOrDefault(); +> +> ``` +> +> Now a more complex example: let's write a C# expression to compute users' departments based on +> their organization's display names, but also their employee identifiers in parenthesis: +> +> ``` +> +> C#:user:return user.Positions.Where(position => position.Start < DateTime.Now && position.End > DateTime.Now).Select(position => position.Organization.DisplayName).FirstOrDefault() + " (" + user.PersonalDatas.Where(personalData => personalData.Start < DateTime.Now && personalData.End > DateTime.Now).Select(personalData => personalData.EmployeeId).FirstOrDefault() + ")"; +> +> ``` + +To simplify the expressions, the model needs to be "flattened" in order to provide all the data of a +given user, valid at a given date. Hence users must be modeled by a set datasheets generated by +Identity Manager, where all values in one datasheet are valid on a given time period. + +> For example, consider the following situation: Mark Barn is a user who has, at day D0, a given set +> of personal data, a given contract and a given position. At day D1, his contract changes from +> fixed-term to permanent. At day D2, he starts an additional position. The two positions overlap +> from day D2 to day D3 when the first position ends. 
+> +> ![User Example](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_userexample.webp) +> +> Over time, the three entities are as follows: +> +> ![Example - Timelines](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_timelines.webp) +> +> From this, Identity Manager is able to combine the start and end dates of all entities at all +> times to generate the following datasheets, named contexts: +> +> ![Example - Contexts](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_contexts.webp) + +Contexts are the result of the combination of all entities (personal data, contract and position) so +that all values contained in a given context are valid on a given period of time. + +Users can be modeled by up to n\*n\*n contexts, and even more when elements overlap (positions in +this example). + +The complexity that comes from the combination of all start and end dates is tackled by Identity +Manager's engine when it generates users' contexts. As the start and end dates of each value are +pre-computed by Identity Manager, this user model highly simplifies provisioning rules. + +> The C# expressions from the previous example can be written, for the same result, as the +> following, first for users' display names, then departments: +> +> ``` +> +> C#:record:return record.FirstName + ' ' + record.LastName; +> +> ``` +> +> C#:record:return record.Organization.DisplayName + " (" + record.EmployeeId + ")"; +> +> ``` +> +> ``` + +### Records + +The final step to a viable model is to find a way to store optimally this context model in the +database, in order to be able to perform fast requests. 
Hence, the final model gathers all entities +(personal data, contracts and positions), including their respective start and end dates, into a +single entity named records, where a context is a record instance: + +![Records Origin - Final Model](/img/product_docs/identitymanager/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/recordsorigin_thirdmodel.webp) + +While there are as many contexts for a user as the number of changes in the user's datasheet, there +are only as many records as needed to store each value at least once. + +> With the example used for the explanation of contexts with `PD`, `C1`, `C2`, `P1` and `P2`, we +> generate 5 contexts but store only 2 records: `{PD; C1; P1}` and `{PD; C2; P2}`. +> +> From these 2 records, we can rebuild the 5 contexts. + +Contexts can be considered as the conversion tool between the two user models. + +This way, the model stores only Max(n) records instead of n\*n\*n. + +Plus, Identity Manager does not need to archive old data, because records and contexts are used only +to simplify the application of provisioning rules. As only valid values are provisioned, there is no +need to keep track. + +This means that a change to be effective immediately will not trigger the creation of a new record +nor a new context. The record containing the old data will simply be updated. + +A change to be effective in future can trigger the creation of a new record. 
+ +### Configuration + +This identity model can be implemented by configuring a +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) and +[ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md): + +```` + +`````` + +Personal data section (default section): + + +Contract section: + `````` `````` `````` + +Position section: + `````` `````` `````` `````` `````` `````` `````` `````` `````` `````` `````` + +```` + +## Position Change + +The position change process for an existing worker is materialized by the assignment/update/removal +of a record to/from an identity. This assignment/update/removal triggers the fulfillment of the +entitlements required by the user based on the properties of a valid record. + +When several contexts are valid at the same time for a given identity, conflicts can arise during +entitlement assignment. They are solved by Identity Manager's engine that establishes a priority +between valid contexts. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/index.md new file mode 100644 index 0000000000..173e1f6612 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/index.md 
@@ -0,0 +1,39 @@ +# Integration Guide + +This guide is designed to provide the tools and knowledge to fully understand and configure Identity +Manager to match your project's needs. + +## Target Audience + +This guide is meant to be read by integrators who configure Identity Manager to match their +project's needs. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and more precisely of Identity and +Governance Administration (IGA) is required to really understand, implement and use Identity +Manager's features. + +Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/saas/identitymanager/introduction-guide/index.md) to fully benefit from the Integration Guide's +content. + +### Technical skills + +As Identity Manager is a web application, some classic devops skills are needed: + +- Web servers, especially IIS: declare a web site; configure an application pool. +- SQL Server: query data in the database with SQL, including with joins; insert/update data with + SQL; for advanced use, an understanding of database indexes. +- Coding: very basic C# skills; PowerShell scripts. +- XML and JSON syntax for configuration files. +- Git or other source control tools. + +The other technical skills greatly depend on the connectors needed for your projects. The most +frequent ones are: + +- Excel and CSV +- LDAP and Active Directory: understanding of LDAP attributes and of group membership. +- Microsoft Entra ID (formerly Azure Active Directory) +- Exchange +- REST API programming diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/modules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/modules/index.md new file mode 100644 index 0000000000..56d0fcb208 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/modules/index.md 
@@ -0,0 +1,14 @@ +# Modules + +Identity Manager can integrate with other software for issues such as credential protection and +logging. To use these integration modules, they just need to be configured in Identity Manager's +`appsettings.json` file. Below is more module-specific information. + +## Credentials Protection + +- [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +- [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md) + +## Logging + +- [ Export Logs to a Log Management System ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md new file mode 100644 index 0000000000..7e9222eae7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md 
@@ -0,0 +1,358 @@ +# Export Logs to a Log Management System + +This guide shows how to use the logging configuration (Serilog) to send Identity Manager's logs into +a log management system, potentially using specific plug-ins to parse the logs. + +Supported log management systems are: + +- [QRadar](https://www.ibm.com/fr-fr/products/qradar-siem); +- [Splunk](https://docs.splunk.com/Documentation/Splunk); +- DataDog. + +## Overview + +Typically, a Serilog configuration includes three parts: **MinimumLevel**, **Using** and +**WriteTo**. See the [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +### Usercube's DSM in QRadar + +Identity Manager's Device Support Module is a plug-in that allows your QRadar system to parse +Identity Manager's logs, when producing a JSON output. + +Logs can be sent into QRadar without using Identity Manager's DSM in QRadar, but the logs just won't +be parsed. Not all Identity Manager's logs can be sent to QRadar. See the +[ References: Logs ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md) topic for additional information. + +In order to get Identity Manager's DSM, import from QRadar the `Usercube_1.0.0.zip` file, accessible +in the `Runtime` folder. Identity Manager's DSM is set to automatically detect the source. This +means that, once Serilog is configured to send logs to QRadar, performing a few actions in Identity +Manager should make the detection possible. + +## Export Logs to a Log Management System + +Export logs to a log management system by proceeding as follows: + +1. In + [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md), + make sure to have a **Serilog** section: + + ``` + + + { + ... + "Serilog": { + ... + } + ... + } + + ``` + +2. 
In the **Serilog** section, add a **Using** section to contain the used sink which depends on the + logs' destination, output format, etc. See the list of supported [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md). + + Concerning QRadar, Netwrix Identity Manager (formerly Usercube) strongly recommends using the + JSON format, as it can be parsed by Identity Manager's DSM or easily by a homemade parser. + + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > ... + > } + > ... + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Console", + > "Serilog.Sinks.Splunk.Durable" + > ], + > ... + > } + > ... + > } + > + > ``` + +3. Add a **MinimumLevel** section to define which logs are to be sent to the log management system. + + In order to be sent to any system, Identity Manager's logs must be configured with + **MinimumLevel** set to `Information`, or lower. + + > For example, we can define the logs' minimum level to `Information`. This way, all logs from + > the [ References: Logs ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md) with `Information` level or higher are + > sent. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > ... + > } + > ... + > } + > + > ``` + +4. Add a **WriteTo** section to specify the expected output. + + While **uri**/**host**/**splunkHost** specifies the IP address of the machine hosting your log + management system, the rest of **Args** configuration must be set just like the examples below. 
+ + > For example, to produce a JSON output for QRadar: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an RFC5424 output for QRadar + > ([see more information about UdpSyslog attributes](https://github.com/IonxSolutions/serilog-sinks-syslog#see-more-information-about-udpsyslog-attributes)): + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "UdpSyslog", + > "Args": { + > "host": "192.168.13.110", + > "port": "514", + > "appName": "Usercube", + > "format": "RFC5424", + > "facility": "Local0", + > "secureProtocols": "SecureProtocols.None", + > "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} {NewLine}{Exception}" + > } + > } + > ] + > } + > } + > + > ``` + + > For example, to produce an output for Splunk: + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "SplunkEventCollector", + > "Args": { + > "splunkHost": , + > "eventCollectorToken": "", + > "bufferFileFullName": "log-buffer.txt" + > } + > } + > ] + > } + > } + > + > ``` + +5. 
When needing to restrict the logs sent to the system, add a filter and wrap all **WriteTo** + configuration into a sub-logger, in which case the **Name** at **WriteTo**'s root must be + `Logger`. See the [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + + For all formats, in order to send only the right logs using the specified filter, the + **WriteTo** part must contain a sub-logger with its own filter. Otherwise, the filter will be + applied to all sinks. + + For example, among Identity Manager's logs, only the logs described in the e + [ References: Logs ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md) can be parsed by QRadar's DSM and should be used + by a SIEM system. Hence the importance of having a filter and a sub-logger. + + Never include logs with event ids inferior to 500, in order not to be overwhelmed with logs + improper to be used by SIEM systems like QRadar. + + > The following example filters out any log whose event id is lower than 500. + > + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... 
+ > ] + > } + > } + > + > ``` + > + > You could want to filter out the logs whose event ids are 500 too, by replacing + > `EventId.Id >= 500` with `EventId.Id >= 501` in the filter. Or you could want to filter out + > only the logs whose event ids are 502, by replacing `EventId.Id >= 500` with + > ``EventId.Id >= 500 and EventId.Id `<>` 502`` in the filter. + +6. When needing to override the log level for this particular sub-logger, add an additional + **MinimalLevel** section in the **WriteTo** section. + + > ``` + > + > appsettings.json + > + > { + > ... + > "Serilog": { + > "Using": [ + > "Serilog.Sinks.Network" + > ], + > "MinimumLevel": { + > "Default": "Error", + > "Override": { + > "Usercube": "Information" + > } + > }, + > "WriteTo": [ + > { + > "Name": "Logger", + > "Args": { + > "configureLogger": { + > "MinimumLevel": { + > "Default": "Warning" + > }, + > "WriteTo": [ + > { + > "Name": "UDPSink", + > "Args": { + > "uri": "192.168.13.110", + > "port": "514", + > "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + > } + > } + > ], + > "Filter": [ + > { + > "Name": "ByIncludingOnly", + > "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + > } + > ] + > } + > } + > } + > ... + > ] + > } + > } + > + > ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md new file mode 100644 index 0000000000..e5b49adc51 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md 
@@ -0,0 +1,582 @@ +# Monitoring + +Identity Manager uses [Serilog](https://github.com/serilog/), a highly customizable logging tool, to +provide monitoring capabilities. + +See the [ References: Logs ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md) topic for additional information on the list of +existing logs. + +## Introduction + +Serilog configuration is written to both _Agent_'s and _Server_'s `appsettings` sets. The relevant +top-level section is `Serilog`. + +A full description of Serilog's configuration capabilities is available in +[Serilog's official documentation](https://github.com/serilog/serilog-settings-configuration#serilogs-official-documentation). + +Identity Manager-specific configuration is detailed here. + +## Log Level and Namespaces + +### Priority + +Logs can be filtered according to a _log level_. + +A priority order between the log levels is established. + +From low priority to high priority, available log levels are: + +- `Verbose` +- `Debug` +- `Information` +- `Warning` +- `Error` +- `Fatal` + +Every log message is associated with a log level and a user-defined _namespace_. Identity Manager +provides the Identity Manager namespace, associated with logs relevant to the user. + +### MinimumLevel + +The `MinimumLevel` section sets the lowest priority log level that will be displayed. Every log +message associated with a log level of priority strictly lower than the minimum level is ignored. + +`MinimumLevel` value can either be a log level or an object with the following attributes and +subsections: + +- **Default** sets the minimum log level. +- `Override` allows the user to set a different minimum log level for logs from a specific + namespace. See the Monitoring topic for additional information. 
+ + Within Identity Manager, the following example is a good practice: default logs with a priority + lower than `Error` are filtered out, except for log messages from the Identity Manager + namespace. + +``` +appsettings.json +{ + ... + "Serilog": { + ... + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + } + } +} +``` + +### Custom namespaces + +Here is a table giving some namespace that you could add in the `Override` section, in order to +monitor the associated module. + +| Module | Namespace | +| ----------------------- | ------------------------------ | +| Identity Manager | Identity Manager | +| Scheduler (server side) | Usercube.Jobs.Scheduler.Server | +| Scheduler (agent side) | Usercube.Jobs.Scheduler | + +## Log Properties + +Each log has a specific set of log properties, defined using the context of the server when +generating the log (see +[Formatting](https://github.com/serilog/serilog/wiki/Formatting-Output#formatting)). + +It is possible to modify the format message of the log displayed by overriding the `outputTemplate` +of the logs: + +``` +appsettings.json +{ + ... + "Serilog": { + "MinimumLevel": { + "Default": "Verbose", + }, + "WriteTo": [ + { + "Name": "Console", + "Args": { + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] ClientId:{ClientId} {Message:lj}{NewLine}{Exception}" + } + } + ] + } +} +``` + +Among all default properties, Identity Manager adds the ClientId log property which can be displayed +when using the previous `outputTemplate` format. + +## Filters + +In addition to the Microsoft log levels, Serilog provides a +[Filters](https://github.com/serilog/serilog-filters-expressions) feature to build more advanced +filter queries on log messages. + +## Sinks + +Serilog allows the user to route log messages to a variety of logging destinations. Every +destination is referred to as a sink. 
+[Sinks](https://github.com/serilog/serilog/wiki/Provided-Sinks) allows logs to be routed to +destination such as standard consoles, files and logging services. See the Monitoring topic for +additional information. + +Identity Manager's supported sinks are: + +- `Serilog.Sinks.ApplicationInsights`; +- `Serilog.Sinks.Async`; +- `Serilog.Sinks.Console` to write to the console; +- `Serilog.Sinks.Datadog.Logs`; +- `Serilog.Sinks.File` to write to a file; +- `Serilog.Sinks.Map`; +- `Serilog.Sinks.Network` to write to another network; + + > For example, this sink can be used when producing a JSON output for QRadar. + +- `Serilog.Sinks.PeriodicBatching`; +- `Serilog.Sinks.Splunk.Durable` to send logs to Splunk; +- `Serilog.Sinks.Syslog`. + + > For example, this sink can be used when producing an + > [RFC3164](https://tools.ietf.org/html/rfc3164) or + > [RFC5424](https://tools.ietf.org/html/rfc5424) output for QRadar. + +The log messages can be routed to several logging destinations simultaneously. These destinations +are described in the **WriteTo** attribute. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.227", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } +} +``` + +There can only be one **Filter** attribute associated with a **WriteTo** attribute. 
Therefore, the +filter defined in the **Filter** attribute is applied to all the destinations contained in the +**WriteTo** attribute. To filter only one destination at a time, sub-loggers can be used. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger1", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination1", + "Args": { + "uri": "192.168.13.127", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + }, + { + "Name": "Logger2", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "Destination2", + "Args": { + "uri": "192.168.13.100", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + }, + { + "Name": "Destination3", + "Args": { + "uri": "192.168.13.408", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Test') and EventId.Id >= 800" } + } + ] + } + } + } + ] + } +} +``` + +In the example above, the filter defined in **Logger1** will only apply to **Destination1**, and the +filter defined in **Logger2** will only apply to **Destination2** and **Destination3**. + +When using `Serilog.Sinks.File`, the setting `shared` should be set to `true` in the `Args` section +to enable Identity Manager's **Monitoring** screen functionality. 
+ +As this `shared` setting allows several systems to interact with the log file simultaneously, so we +can have both Serilog writing to the log file and Identity Manager reading it to display its content +on the **Monitoring** screen. + +``` + +{ + ... + "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +## QRadar + +QRadar is a supported destination for Identity Manager's logs. + +See the [ Export Logs to a Log Management System ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/how-tos/qradar-setting/index.md) topic to learn +how to send Identity Manager's logs to your QRadar system. + +Three output formats are available for QRadar-routed logs: + +- JSON +- RFC3164 +- RFC5424 + +#### JSON output + +JSON output uses _Serilog.Sinks.Network_ sink. + +The following configures a QRadar JSON output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... +"Serilog": { + "Using": [ + "Serilog.Sinks.Network" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UDPSink", + "Args": { + "uri": "192.168.13.110", + "port": "514", + "textFormatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" + } + } + ], + "Filter": [ + { + "Name": "ByIncludingOnly", + "Args": { "expression": "StartsWith(SourceContext, 'Usercube') and EventId.Id >= 500" } + } + ] + } + } + } + ] + } +} +``` + +#### RFC3164 or RFC5424 output + +Using `Serilog.Sinks.SyslogMessages`_Sink_, the **Serilog.writeTo.configureLogger.Args.format** +attribute is set to `RFC3164` or `RFC5424`. + +The following configures a QRadar RFC5424 output for a QRadar server located at `192.168.13.110`. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "Using": [ + "Serilog.Sinks.Syslog" + ], + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Information" + } + }, + "WriteTo": [ + { + "Name": "Logger", + "Args": { + "configureLogger": { + "MinimumLevel": { + "Default": "Information" + }, + "WriteTo": [ + { + "Name": "UdpSyslog", + "Args": { + "host": "192.168.13.110", + "port": "514", + "appName": "Usercube", + "format": "RFC5424", + "facility": "Local0", + "secureProtocols": "SecureProtocols.None", + "outputTemplate": "[{Timestamp:HH:mm:ss} {Level:u3}] {Message:lj} +``` + +## Application Insights + +Identity Manager supports the +[Application Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) +integration. It means that you can monitor the lifecycle of the application through a dedicated +interface, which can be useful to measure performance, observe how the application is used or detect +performance anomalies. + +### Configuration + +Both the server and the agent support the Application Insights integration. To set it up, you need +to create your own Application Insights instance (see +[Create New Resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource)). +Once done, you should have an instrumentation key. To plug the server or the agent into the +Application Insights instance, you simply have to set the key at the root of the appsettings file: + +``` +appsettings.json +{ + ... + "ApplicationInsights": { + "InstrumentationKey": "YOUR-INSTRUMENTATION-KEY" + } +} +``` + +This configuration will automatically add a `Serilog.Sinks.ApplicationInsights` to the Serilog +configuration. Thus, declaring explicitly an ApplicationInsights _sink_ in the Serilog configuration +is useless. The `ApplicationInsights` section does not only affect the logging system, but also +sends metrics periodically such as the percentage of CPU usage. 
+ +## Logs Monitoring via User Interface + +Identity Manager offers the ability to download the application logs directly through the User +Interface (UI) via the **Monitoring** screen in the **Administration** section on the Dashboard. + +SaaS installations support this feature automatically while on-premises installations support this +in two ways. The first one is to leverage the path to the logs from the Serilog configuration when +writing application logs into a single file. See the example below. The second option is described +in the following subsection. + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true, + } + } + ] + } +} +``` + +### `LogsPath` + +if you store Identity Manager logs thanks to an external mechanism (the web server, etc), then you +have to use the second option in order to enable this feature which is via an ad hoc parameter at +the root of the appsettings called `LogsPath` indicating the path where the application logs are +located: + +``` +appsettings.json +{ + ... + "Serilog": { + "WriteTo": [ "Console" ], + }, + "LogsPath": "C:/inetpub/logs/LogFiles" +} +``` + +If logs are all stored in one file, provide the path to the file. If they are stored in multiple +separate files within a directory, provide the path to the directory and Identity Manager will +handle providing the most recent logs. + +## Default Configuration + +``` +appsettings.json +{ + ... +"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +## Configuration Examples + +### Write log messages + +This example configures _Serilog_ to write log messages to the `../Temp/Server/identitymanager-log.txt` +file. + +``` +appsettings.json +{ + ... 
+"Serilog": { + "WriteTo": [ "Console" ], + "Using": [ "Serilog.Sinks.File" ], + "MinimumLevel": "Error", + "WriteTo": [ + { + "Name": "File", + "Args": { + "path": "../Temp/Server/identitymanager-log.txt", + "shared": true + } + } + ] +} +} +``` + +### Reduce logging process overhead + +This example shows how to reduce the overhead of the logging process for Identity Manager's main +thread by delegating work to a background thread, using the _Async\_\_Sink_. + +``` +appsettings.json +{ + ... +"Serilog": { + "MinimumLevel": { + "Default": "Error", + "Override": { + "Usercube": "Debug" + } + }, + "WriteTo": [ + { + "Name": "Async", + "Args": { + "configure": [ + { + "Name": "File", + "Args": { + "path": "C:/Projects/LogTest/identitymanager-test.txt", + "shared: true, + "buffered": "true" + } + } + ] + } + }, + { + "Name": "Console" + } + ] + } +} +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md new file mode 100644 index 0000000000..1c15c29e01 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/references/index.md 
@@ -0,0 +1,84 @@ +# References: Logs + +## Definition + +This section provides descriptions for logs which are meant to be sent to other systems like SIEMs, +for example QRadar. + +The description will use this template for each log: + +EventId id: int + +EventId name: string + +LogLevel: Trace||Verbose||Debug||Information||Warning||Error||Critical + +Arguments: + +- argument1 (string): description1 (string) +- argument2 (string): description2 (string) +- argument3 (string): description3 (string) + +The EventId id must be unique so we could use it to filter the logs we send. See the +[ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +#### 500 + +EventId id: 500 + +EventId name: Workflow.StartWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Identity Manager's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 501 + +EventId id: 501 + +EventId name: Workflow.ResumeWorkflowInstance + +LogLevel: Information + +Arguments: + +- WorkflowId: Request number, which includes the workflow instance's id +- Transition: Activity template name +- Perfomer: Identity Manager's login or id of the performer +- WorkflowIdentifier: Workflow's identifier +- Subject: Action performed, with the person's name in modifying permission case + +#### 502 + +EventId id: 502 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Information + +Arguments: + +- Perfomer: Identity Manager's login or id of the performer +- Subject: Identity Manager's id of the readed resource +- EntityType: Identity Manager's type of the readed resource + +#### 503 + +EventId id: 503 + +EventId name: SelectEntityByIdQueryHandler.Handle + +LogLevel: Error + +Arguments: + +- Perfomer: 
Identity Manager's login or id of the performer +- Subject: Identity Manager's id of the readed resource +- EntityType: Identity Manager's type of the readed resource +- ExceptionMessage: Exception's message diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md new file mode 100644 index 0000000000..c3ec62874e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md 
@@ -0,0 +1,140 @@ +# appsettings.agent + +The appsettings.agent.json file is meant to contain configuration data to be used by the agent to +run Identity Manager. + +It includes: + +- Connections to the managed systems +- Password reset settings +- Connections to potential additional databases +- OpenId information +- Specific task configuration + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"UsercubeAgent": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity ManagerAgent, its content will be +ignored, but it can still be used to store information for human use. + +## Supported Sections + +| Name | Type | Description | +| ------------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------ | +| Connections optional | List of Connections | Connection information of all the systems managed by this agent, for synchronization and fulfillment configuration. This section contains a subsection for each connection containing the connection's agent settings. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Connections": {     …     "": {       "": "":        …     }   } }` Example: `{   …   "Connections": {     …     "Directory": {       "Path": "C:\UsercubeDemo\Sources\Directory.xlsx"     },     "ServiceNowExportFulfillment": {       "Server": "https://INSTANCE.service-now.com/api/now/table",       "Login": "LOGIN",       "Password": "PASSWORD"     }   } }` See the [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md)and [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) topics for additional information. | +| Databases optional | List of Databases | Names and connection strings of all databases used by the agent through InvokeSqlCommandTask, other than Identity Manager's database and other than the databases provided in Identity Manager's available packages. This subsection contains a subsection for each additional database. **NOTE:** The Database is a subsection of the Connections section mentioned above. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "Databases": {     "": ""   } }` Example: `{   …   "Databases": {     "UsercubeContoso": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;"   } }` | +| OpenId optional | OpenId | OpenId information, i.e. the ClientIds and related ClientSecrets that the agent may use to authenticate to the server in order to launch jobs and tasks. 
In order to launch jobs and tasks, the profiles related to these OpenId credentials must possess the required permissions. | +| PasswordResetSettings optional | PasswordResetSettings | Parameters which configure the reset password process for the managed systems that support it. | +| SourcesRootPaths optional | String Array | List of folder paths from which Identity Manager is allowed to read. This option is used to validate the sources files defined in file-based connections. These paths are case sensitive. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "SourcesRootPaths": [ "C:/identitymanagerContoso/SourceHR", "C:/identitymanagerContoso/SourcesPhone" ]  }` | +| TaskAgentConfiguration optional | TaskAgentConfiguration | Various settings to customize the behavior of some agent tasks. | + +## OpenId + +| Name | Type | Description | +| ---------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AgentIdentifier required | String | Identifier of the agent, as it is named in the XML configuration. With the following configuration: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`` We could have the following setting in the agent’s appsettings.agent.json: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     …     "AgentIdentifier": "MyAgent"   } }` | +| DefaultOpenIdClient required | String | ClientId that defines the default OpenId pair, from the OpenIdClients section, used by the agent to authenticate to the server. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret1",       "Admin": "secret2",       "Agent": "secret3"     },     "DefaultOpenIdClient": "Agent"   } }` | +| OpenIdClients required | List of OpenIdClients | Pairs of ClientIds and non-hashed ClientSecrets, to override the corresponding secrets specified in the XML configuration. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "OpenId":{     "OpenIdClients": {       "Job": "secret",       "Admin": "secret2"     }   } }` | + +## PasswordResetSettings + +| Name | Type | Description | +| ------------------------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| EncryptionCertificate required | EncryptionCertificate | Location of the public key certificate and the private key used to handle input and output files' encryption. | +| MailSettings optional | MailSettings | Settings for configuring the SMTP server, used to send password reset email notifications. | +| NotificationSettings optional | NotificationSettings | Settings to configure password reset notifications. 
| +| TokenBuildingSettings optional | TokenBuildingSettings | Settings to build the confirmation token used by the password reset's two-Way mode. The confirmation token is a base-64 encoded JSON Web Token (JWT) token that contains the information required to complete password reset when in two-way mode. It is appended to the confirmation Uri. | +| TwoFactorSettings optional | TwoFactorSettings | Settings to configure the password reset's two-way mode, i.e. the process where Identity Manager sends emails containing links to users for them to click on it and reset their passwords. | + +### EncryptionCertificate + +If you are using the certificate provided in the SDK, the agent will be unable to launch. You must +create your own certificate. + +Encryption certificate information can be set in one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information + Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both + the public key certificate and the private key. + +| Name | Type | Description | +| ----------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     "File": ""   } }` | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "File": "",     "Password": ""   } }` | + +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +| Name | Type | Description | +| ------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName Required if Thumbprint is empty | String | Subject distinguished name of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "DistinguishedName": ""     …   } }` | +| StoreLocation required | String | Location of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "StoreLocation": ""   } }` | +| StoreName required | String | Name of the relevant Windows certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "StoreName": ""   } }` | +| Thumbprint Required if DistinguishedName is empty | String | Thumbprint of the certificate. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     "Thumbprint": "<6261A70E599642A21A57A605A73B6D2AE7C5C450>"     …   } }` | + +_Remember,_ Netwrix recommends using Windows' certificate store. + +On the other hand, the PFX file takes priority over Windows' certificate, which means that when +`File` is specified then the PFX certificate is used, even if the options for Windows' certificate +are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +### MailSettings + +| Name | Type | Description | +| ------------------------------------------------------ | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress Required if PickupDirectory is empty | String | Email address used by Identity Manager to send notifications. 
Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "FromAddress": "",       …     }   } }` | +| Host Required if PickupDirectory is empty | String | SMTP server domain name or an IP address. To be used only when UseSpecifiedPickupDirectory is set to false. | +| Password Required | String | Password that Identity Manager will use to login to the SMTP server. used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | +| PickupDirectory Required if FromAddress/Host are empty | | Path to the pickup directory. See the [ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md) topic for additional information. See more details on the pickup directory feature. To be used only when UseSpecifiedPickupDirectory is set to true. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "PickupDirectory": "<../Mails>",       …     }   } }` | +| Username required | String | Username for Identity Manager to login to the SMTP server. Used only when the SMTP server is password-protected and UseSpecifiedPickupDirectory is set to false. | +| AllowedDomains optional | String | List of domains to which the SMTP server is authorized to send emails. Domain names must be separated by `;`. | +| CatchAllAddress optional | String | Catch-all address that will receive all of Identity Manager's emails instead of usual users. this is helpful for testing before going live. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllAddress": "",       …     }   } }` | +| CatchAllCCAddress optional | String | Catch-all address that will receive all of Identity Manager's emails as cc (carbon copied). Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "CatchAllCCAddress": "",       …     }   } }` | +| Enabled default value: True | Boolean | True to enable email sending. When set to false, no email is sent by Identity Manager. | +| EnableSsl default value: False | Boolean | **DEPRECATED**: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. 
| +| Port default value: 0 | String | SMTP server port. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| UseDefaultCredentials default value: False | Boolean | True to use the default username/password pair to login to the SMTP server. When set to false, Windows authentication is used. **NOTE:** To be used only when UseSpecifiedPickupDirectory is set to false. | +| UseSpecifiedPickupDirectory default value: False | Boolean | True to write emails as local files in the specified PickupDirectory instead of sending them as SMTP packets. See the [ Send Notifications ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/email-server/index.md)topic for additional information. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "MailSettings": {       "UseSpecifiedPickupDirectory": true,       …     }   } }` | + +### NotificationSettings + +| Name | Type | Description | +| ------------------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Cultures default value: ["en"] | String Array | List of languages in which reset-password email notifications will be sent, among: fr and en. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{   …   "PasswordResetSettings": {     …     "NotificationSettings": {       "Cultures": [“fr”, “en”]     }   } }` | + +### TokenBuildingSettings + +| Name | Type | Description | +| -------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ValidFor default value: 03:00:00 | String | Validity period of the issued token, and thus of the password reset link. The format must be HH:mm:ss Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "PasswordResetSettings": {     …     "TokenBuildingSettings": {       "ValidFor": "<03:00:00>"     }   } }` | + +### TwoFactorSettings + +| Name | Type | Description | +| ----------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri required | String | URI of the Identity Manager application. **NOTE:** this helps create the links in the emails for two-way password reset. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. 
`{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            "ApplicationUri": ""            …         }     } }` | +| ResetConfirmationUri required | String | Base URI for the password reset link that is sent to the user. The password reset confirmation token is appended to the ResetConfirmationUri. The resulting URI is sent to the user. Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{     …     "PasswordResetSettings": {         …         "TwoFactorSettings": {            …            "ResetConfirmationUri": ""         }     } }` | + +## TaskAgentConfiguration + +| Name | Type | Description | +| -------------------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| HttpClientTimeoutSupplement default value: 0 | Integer | Additional minutes that extend the default timeout (30 minutes) of the HttpClient instance used to send requests to the server. Here the total timeout will be 50 minutes: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `{   …   "TaskAgentConfiguration": {     …      "HttpClientAdditionalTimeout": 20   } }` | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md new file mode 100644 index 0000000000..f6ba6ed1d1 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md 
@@ -0,0 +1,333 @@ +# Application Settings + +This section describes the settings available in the agent's appsettings.json file, located in the +agent's working directory or in environment variables. + +**NOTE:** JSON files can contain any additional information that you might find useful. See the +example below. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +"UsercubeAgent": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity Manager Agent, its content will be +ignored, but it can still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + +| Name | Type | Description | +| --------------------------------------------------------------------- | --------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApplicationUri (required) | Uri | Server's listening URI. Used by the agent to send requests to the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {  "ApplicationUri": " " }` | +| Jobs (optional) | Job | Settings to configure all jobs with common values. | +| Scheduler (optional) | Scheduler | Settings to configure Identity Manager's scheduler. | +| TaskTimeoutSupplement default value: 0 | Int32 | Additional time (in minutes) for the Invoke-Job tool's Timeout property. Example: `appsettings.json {     "TaskTimeoutSupplement": 10 }` | +| InstallationDirectoryPath default value: Usercube-agent.exe directory | String | Path of the installation directory. It is used to read other configuration files. 
| +| EncryptionCertificate (required) | EncryptionCertificate | Settings to configure the encryption of specific files. | +| IdentityServer (required) | IdentityServer | Settings to configure the agent's encrypted network communication, for example with the server or a browser. | +| Authentication (required) | Authentication | Settings to configure end-user authentication, for example for users to launch a job from the UI. | +| Serilog (optional) | Logger setting | Settings to configure the logging service, complying to the Logger properties and structure. See the [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. Example: `appsettings.json {   "Serilog": {     "WriteTo": [ "Console" ],     "MinimumLevel": {       "Default": "Error",       "Override": {         "Usercube": "Information"         }       }     } }                         ` | +| Cors (optional) | Cors | Settings to configure the agent's [CORS policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CORS), which is useful when using non-integrated agents. | +| ApplicationInsights (optional) | ApplicationInsights | Settings to plug to and configure the [AppInsights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| TempFolderPath (optional) | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. - ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. 
- CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. Note that this path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. Note that this path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment these elements can be removed, but make sure to restart the server after doing so. Example: `appsettings.json {   "TempFolderPath": "../Temp" }` | +| WorkFolderPath (optional) | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: `appsettings.json {   "WorkFolderPath": "../Work" }` | +| JobLaunchTimeout default value: 7500 | String | Time period (in milliseconds) after which, if a launched job has not started, it is considered in error. Example: `appsettings.json {   "JobLaunchTimeout": 9000 }` | +| InvokeSqlCommands default value: null | String | List of parameter sets used to override InvokeSqlCommandTasks' SQLInputFile and OutputPath parameters from the XML configuration. 
See the [Invoke Sql Command Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) topic for additional information. For each task to override, the key must be the task's identifier. Example: `appsettings.json  {        "InvokeSqlCommands": {         "InvokeSqlCommandTask_Identifier": {           "SQLInputFile": "YourInputFilePath",           "OutputPath": "YourOutputFilePath"  },         } }` | + +## Jobs + +Below is an example of job that can be executed by the agent. + +For example: + +``` +appsettings.json +{ +  ... +  "Jobs": { +    "MaxTaskBatchSize": "2" +  } +} +``` + +| Name | Type | Description | +| --------------------------------- | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MaxTaskBatchSize default value: 5 | Int64 | Maximum number of tasks that can be launched simultaneously, thus avoiding timeout issues. When executing a job, Identity Manager launches simultaneously the tasks of a same Level. See the [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) topic for additional information. If the number of same-level tasks exceeds MaxTaskBatchSize, then Identity Manager inserts new levels. These effective levels can be seen in the job's logs or with the Usercube-Get-JobSteps executable. 
See the [ Usercube-Get-JobSteps ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/get-jobsteps/index.md) topic for additional information. | + +## Scheduler + +Below is an example of scheduling and a list of attributes. + +For example: + +``` +appsettings.json +{ +  ... +  "Scheduler": { +    "Enabled": "true", +    "MaxLockWatchTime": 3600 + } +} +``` + +| Name | Type | Description | +| ------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled (optional) | Boolean | True to activate Identity Manager's scheduler. | +| MaxLockWatchTime default value: 1800 | Int32 | Time period (in seconds) to spend watching for the scheduler's lock file before launching it. When set to 0 the duration is infinite, and when set to a negative value the scheduler launch fails if the lock file already exists. This parameter prevents a failure if Identity Manager's scheduler has already been launched from another source. | + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the Agent's host file system. The archive contains both the public key + certificate and the private key. 
+- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + + **NOTE:** Netwrix recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + File is specified then the PFX certificate is used, even if the options for Windows' certificate + are specified too. + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    ... +    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } + +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | --------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. See +the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. 
+ +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. See the[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) topic for additional information. | + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { +    ... +    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } + +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Details | +| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------- | +| DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | +| Thumbprint (optional) | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. 
| +| StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName (required) | String | Name of the relevant Windows certificate store. | + +Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +"": { +    "CertificateAzureKeyVault": "" +} +``` + +## Identity Server + +Just like the Encryption Certificate, this information can be set one of two ways. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +"": { +  "X509KeyFilePath": "<./identitymanager.pfx>", +  "X509KeyFilePassword": "" +} +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ------------------------------ | ------ | ----------------------------------------------------------------------------------------------- | +| X509KeyFilePath (required) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the agent's host file system. | +| X509KeyFilePassword (optional) | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +**NOTE:** Storing a .pfx file password in plain text in a production environment is strongly +discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword tool. 
See +the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"": { +  "X509SubjectDistinguishedName":"", +  "X509StoreLocation": "", +  "X509StoreName": "" +} +``` + +The certificate is set using these attributes: + +| Name | Type | Description | +| --------------------------------------- | ------ | ----------------------------------------------------------------------------------------------- | +| X509StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| X509StoreName (required) | String | Name of the relevant Windows certificate store. | +| X509SubjectDistinguishedName (optional) | String | SubjectDistinguishedName of the certificate. It is required when X509Thumbprint is not defined. | +| X509Thumbprint (optional) | String | Thumbprint of the certificate. It is required when X509SubjectDistinguishedName is not defined. | + +**NOTE:** If you are using the certificate provided in the SDK, the agent will fail when launching. +You must create your own certificate. + +You can get the DistinguishedName of the certificate using OpenSSL: + +``` + +openssl x509 -noout -in {certificate file name with full path} -subject + +``` + +## Authentication + +An example of authentication and a list of attributes. + +``` +appsettings.json +{ +  ... +  "Authentication": { +    "Enabled": true, +    "RequireHttpsMetadata": true +  } +} +``` + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------ | +| Enabled default value: true | Boolean | True to enable authentication. 
| +| RequireHttpsMetadata default value: true | Boolean | True to set HTTPS required for the discovery endpoint. | + +## Cors + +An example of cors and a list of attributes. + +``` +appsettings.json +{ +  ... +  "Cors": { +    "AllowAnyHeader": true, +    "AllowAnyMethod": false, +    "AllowCredentials": true +  } +} +``` + +| Name | Type | Description | +| ------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAnyHeader default value: false | Boolean | True to enable the [Access-Control-Allow-Headers: \*](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | +| AllowAnyMethod default value: false | Boolean | True to enable the [Access-Control-Allow-Methods: \*](https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | +| AllowCredentials default value: false | Boolean | True to enable the [Access-Control-Allow-Credentials: true](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) header in the agent's response to a [preflight request](https://developer.mozilla.org/en-US/docs/Glossary/preflight_request). | + +## Application Insights + +Identity Manager supports the Application Insights integration. It means that you can monitor the +lifecycle of the application through a dedicated interface, which can be useful to measure +performance, observe how the application is used or detect performance anomalies. 
+ +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +appsettings.json +{ +  ... +  "ApplicationInsights": { +    "InstrumentationKey": "" +  } +} +``` + +The application insights details are: + +| Name | Type | Details | +| -------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See Microsoft's documentation to create an[ instrumentation key](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource). | + +**NOTE:** The logs sent to AppInsights are configured through the Logger properties. See the +[ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md new file mode 100644 index 0000000000..01d75a6186 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md 
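Review bot: In the hunk ending just above (the Encryption Certificate through Application Insights sections), the JSON examples have lost their placeholders. The text says attributes enclosed with `<>` must be replaced, but the blocks show `"File": ""`, `"DistinguishedName":""`, `"InstrumentationKey": ""` and even empty section names (`"": {` in the Azure Key Vault and Identity Server examples), so a reader cannot tell what to fill in or which section the keys belong to. Only `"X509KeyFilePath": "<./identitymanager.pfx>"` kept its angle brackets, which suggests the rest were stripped in conversion; restore them, escaped or inside the fence. Two smaller points in the same hunk: the "The archive is set using the following attributes" table under "As a PFX file" appears twice in a row (the second copy folds the plain-text password note into the Password cell), and the `AllowAnyMethod` row links to the `/fr/` MDN page while the neighbouring rows use `/en-US/`.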
@@ -0,0 +1,91 @@ +# Azure Key Vault + +## Prerequisites + +First, Identity Manager recommends reading: + +- [Azure Key Vault's overview documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) + and [Basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts); +- How to + [sign in to Azure and create a vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal#sign-in-to-azure-and-create-a-vault); +- About + [Azure Key Vault's secrets](https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets) + because secrets are the data that Identity Manager needs to collect. + +## Compatible Settings + +Every key from appsettings.agent.json that has a string value can be saved as a secret into +Microsoft Entra ID (formerly Azure AD) Key Vault. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional information. + +Check the examples in connectors' credential protection sections. See the +[ ServiceNow ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/servicenowentitymanagement/index.md) topic +for additional information. + +## Write Settings to the Vault + +After creating the Azure Key Vault, open its page on Azure's portal and +[add a secret](https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal#add-a-secret). + +The important part of adding a secret in Azure Key Vault is defining its name and value: + +- As secrets' names can only contain alphanumeric characters and double dashes (`--`) as separator, + the keys from the appsettings.agent.json file must contain only alphanumeric characters too; +- Secrets' values are simply the value associated with the key in the JSON file. 
+ +For example, for the Active Directory: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                        appsettings.agent.json +{ +  ... +  "Connections": { +    ... +    "ADExport": { +      "Servers": [ +        { +          "Server": "", +          "BaseDN": "" +        }, +        { +          "Server": "", +          "BaseDN": "" +        } +      ], +      "AuthType": "", +      "Login": "", +      "Password": "", +      "Filter": "(objectclass=*)", +      "EnableSSL": "false", +    } +  } +} +                     +``` + +To save the login to Azure Key Vault, create a secret whose name and value are respectively +`` and ``. + +To save the second server, create a secret whose name and value are respectively +`` and ``. + +_Remember,_ the index of the first element is `0`. + +This way, values from the Azure Key Vault take priority over the values from the appsettings files. + +For example, if Login exists in both Azure Key Vault and appsettings.agent.json, then the value from +Azure Key Vault is used. + +## Configure Usercube + +Netwrix Identity Manager (formerly Usercube)uses the default Azure credentials to connect to the +vault. Since the implementation of default Azure credential is controlled by Microsoft see the +[Default Azure Credential](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) +page additional information. + +| Name | Type | Description | +| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Vault required | String | DNS Name found on the page of the vault in Azure's portal. _Remember,_ usually in the format is `https://yourVault.vault.azure.net/`. | 
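Review bot: In azure-key-vault/index.md, "Write Settings to the Vault" never shows the secret names it is explaining. Both sentences read "create a secret whose name and value are respectively `` and ``", with empty code spans, and every value in the `ADExport` example is `""`, so the `--` separator rule and the "index of the first element is `0`" reminder have nothing to apply to. Restore the stripped placeholders so the login and second-server cases show a concrete name/value pair. Also in this hunk: the example JSON has a trailing comma after `"EnableSSL": "false",`, "Compatible Settings" calls the product "Microsoft Entra ID (formerly Azure AD) Key Vault" where the rest of the page says Azure Key Vault, and "Configure Usercube" lists a `Vault` setting without an example showing where in the agent's settings it goes.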
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md new file mode 100644 index 0000000000..4c8fc91978 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md 
@@ -0,0 +1,319 @@ +# CyberArk's AAM Credential Providers + +This guide shows how to protect sensitive data by connecting Identity Manager to CyberArk's +Application Access Manager (AAM) Credential Providers. + +## Data Protection + +Identity Manager often needs to connect to [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) with +credentials that need protection. See the [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) topic for +additional information. + +By default, the data used to connect to external systems is stored in plain text in the +**Connections** section of the `appsettings.agent.json` file. This is not a secure option. + +## CyberArk for Data Protection + +CyberArk's Application Access Manager (AAM) Credential Providers, part of the Privileged Access +Security solution, is used to stop storing hard-coded credentials in applications, scripts or +configuration files, and instead store them in CyberArk's vault to be centrally logged and managed. + +This way, the company can easily become compliant with potential internal and regulatory +requirements of periodic password replacement, and able to securely monitor privileged access across +all systems, databases and applications. + +CyberArk is made of vaults. Inside a vault, safes can be created and owners allocated. Accounts and +files can then be stored in safes accessible by users. + +This section explains how Identity Manager retrieves these accounts from CyberArk. 
+ +## Prerequisites + +CyberArk AAM can be used either with: + +- agentless AAM: + [Central Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-Central%20-Credential-Provider.htm?tocpath=Get%20Started%7COfferings%7C_____3#central-credential-provider) + (works with Web Service using REST); +- agent-based AAM: + [Credential Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/lp_cp.htm?tocpath=Get%20Started%7COfferings%7C_____1#credential-provider) + (works with C/C++ Application Password SDK). + + Implementing the Credential Provider method requires placing the C/C++ Application Password SDK + DLL, named `CPasswordSDK.dll` (on 32-bit systems) or `CPasswordSDK64.dll` (on 64-bit systems), + to the `Runtime` folder of Identity Manager. + +Identity Manager supports both AAMs. +[CyberArk's overview](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CCP/The-CyberArk-Application-Identity-Management-Solution.htm?tocpath=Get%20Started%7C_____1#cyberarks-overview) +can help choose which AAM to go to. + +See more details about Credential Provider's +[system requirements](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/SysReq-Credential-Provider.htm?tocpath=Installation%7CSystem%20Requirements%7C_____1#system-requirements) +and +[installation guide](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/11.4/en/Content/CP%20and%20ASCP/installing-the-Credential-Provider.htm?TocPath=Installation%7CCredential%20Provider%7CInstall%20the%20Credential%20Provider%7C_____0#installation-guide). 
+ +## Compatible Settings + +The following table sums up which keys from `appsettings.agent.json`'s **Connections** section can +be saved to CyberArk: + +| Use Case | Possible Key | +| -------- | ---------------------------------------------- | +| Login | `Login / ApplicationId / ClientId` | +| Password | `Password / ApplicationKey / ClientSecret` | +| Address | `Server / MicrosoftGraphPathApi / ResponseUri` | + +Any [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) using one of these attributes as key can retrieve the +associated value from CyberArk. + +> For example, +> [Active Directory](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/activedirectory/index.md) can +> retrieve: `Login`; `Password`; `Server`. + +## Set Authorization Details + +While the application's identifier is required, setting an authentication method and allowed +machines is optional but recommended for security concerns. + +### AppID + +[See CyberArk's documentation on how to add an application to the vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#see-cyberarks-documentation-on-how-to-add-an-application-to-the-vault). + +CyberArk uses for each client application an AppID, i.e. a unique name to identify the application's +permissions to access given safes and stored secrets. + +### Authentication + +Several +[authentication methods](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#authentication-methods) +are available to protect the whole system and make sure that Identity Manager actually does the API +calls. 
+ +Netwrix Identity Manager (formerly Usercube)recommends: + +- Using the certificate's serial number (see below how to configure certificates) when working with + the agentless AAM - Central Credential Provider; +- Generating a hash with the AIMGetAppInfo utility when working with the agent-based AAM - + Credential Provider. + +### Allowed machines + +Finally, +[allowed machines](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm?tocpath=Administration%7CManage%20applications%7C_____1#allowed-machines) +can be added to the safe. This way, the Credential Provider verifies that only applications running +from an authorized machine can access secrets. + +### SSL certificate + +If IIS is configured with `AIMWebService` set to `Require SSL`, then an SSL certificate must be +provided. + +Identity Manager does not require a certificate, so it can be launched without certificate-related +parameters, if CyberArk is configured to allow it. + +## Create a CyberArk Account + +CyberArk's Password Vault Web Access (PVWA) is meant to enable users to access sensitive data +through accounts in CyberArk, from any local or remote location. + +The following procedure requires credentials in order to connect to PVWA. 
+ +Create a CyberArk account by +[adding it to the PVWA](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/cv_Managing-Single-Accounts.htm?tocpath=Administration%7CCredential%20Provider%7CAccounts%20and%20Safes%7C_____1#adding-it-to-the-pvwa), +defining at least the following properties: + +``` +| Property Name | Key in appsettings.agent.json | +| ------------- | ------------------------------- | +| Username | Login | +| Address | Server | +| Password | Password | + +Netwrix Identity Manager (formerly Usercube) recommends customizing the account's name because it will be used in [ + + Connection + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) to retrieve this account from the vault. + +``` + +## Assign the Permissions + +[See CyberArk's documentation on how to add a safe member](https://docs.cyberark.com/PAS/13.0/en/Content/PASIMP/Safes-add-a-safe-member-ClassicUI.htm?tocpath=Administrator%7CPrivileged%20Accounts%7CAccess%20Control%7CSafes%20and%20Safe%20members%7CClassic%20interface%7C_____3). + +In order to assign the permissions to access the application, follow CyberArk's instructions to +[build the environment for the Credential Provider in the PVWA](https://docs.cyberark.com/AAM-CP/13.0/en/Content/CP%20and%20ASCP/Building-CP-Environment.htm). + +The aim here is to give the right permissions to: + +- the AAM user, by default named `Prov_{Credential Provider machine name}`, meant to enable the + Credential Provider to authenticate to the vault and retrieve passwords; +- the application, via its AppID. + +## Configure Usercube + +Connect Identity Manager to CyberArk by adding to the agent's `appsettings.json` file a specific +section. + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... 
+> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "certificateFilePath", +> "Password": "certificatePassword", +> "DistinguishedName": "certificateSubjectDistinguishedName", +> "Thumbprint": "certificateThumbprint", +> "StoreName": "certificateStoreName", +> "StoreLocation": "certificateStoreLocation" +> }, +> ... +> } +> ``` + +### Vault settings + +| Name | Details | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| UseCyberArkSetting default value: False | **Type** Boolean **Description** `True` to enable the CyberArk Provider for Identity Manager. | +| SafeName required | **Type** String **Description** Name of the safe containing the accounts used by Identity Manager. See the CyberArk's AAM Credential Providers topic for additional information. | +| ApplicationId required | **Type** String **Description** Application ID of the application that can access the safe. See the CyberArk's AAM Credential Providers topic for additional information. | +| Server required | **Type** String **Description** URL configured for the CyberArk Vault. It is recommended to use HTTPS for security purposes. **Note:** the `Server` attribute is only used with the CyberArk Central Credential Provider (Agentless AAM). | + +### Certificate settings + +Certificate settings are only used with the Central Credential Provider (agentless AAM). They set +the location of the public key certificate and the private key used by the agent to handle encrypted +network communications with CyberArk. 
+ +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or `.pfx` file) stored in the _Agent_'s host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by _SubjectDistinguishedName_ or by _Thumbprint_. The Windows certificate also contains + both the public key certificate and the private key. + + Netwrix Identity Manager (formerly Usercube)recommends using Windows' certificate store. + + On the other hand, the PFX file takes priority over Windows' certificate, which means that when + `File` is specified then the PFX certificate is used, even if the options for Windows' + certificate are specified too. + + In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +#### As a PFX file + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "File": "C:/identitymanagerAgentContoso/contoso.pfx", +> "Password": "oarjr6r9f00" +> }, +> ... 
+> } +> ``` + +The archive is set using the following attributes: + +| Name | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| File required | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | **Type** String **Description** [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. **Info:** storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) tool. | + +#### As a Certificate in the Windows Store + +> For example: +> +> ``` +> appsettings.json +> +> { +> ... +> "CyberArk": { +> "UseCyberArkSetting": true, +> "SafeName": "safeName", +> "ApplicationId" : "appId", +> "Server" : "serverUrl", +> "DistinguishedName": "CN=contoso, OU=Biz, O=Contoso, L=Marseille, S=MA, C=FR", +> "StoreName": "My", +> "StoreLocation": "LocalMachine" +> }, +> ... +> } +> ``` + +The Windows certificate is set using these attributes: + +| Name | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | **Type** String **Description** _SubjectDistinguishedName_ of the store certificate. **Note:** required when `Thumbprint` is not specified. | +| Thumbprint optional | **Type** String **Description** _Thumbprint_ of the store certificate. 
**Note:** required when `DistinguishedName` is not specified. | +| StoreLocation required | **Type** String **Description** Location of the relevant Windows certificate store: `LocalMachine` or `CurrentUser`. | +| StoreName required | **Type** String **Description** Name of the relevant Windows certificate store. | + +## Usercube's CyberArk Vault + +Once configured, Identity Manager retrieves the sensitive values from CyberArk via the +`appsettings.cyberArk.agent.json` file. See the CyberArk's AAM Credential Providers topic for +additional information. + +In this file: + +- the keys must follow the same structure as in the **Connections** of the `appsettings.agent.json` + file; +- the values are the names of the accounts created before. + +> The following example saves in CyberArk the credentials for `AD_Export`, with the accounts +> `AdAccount` and `AdServer2`: +> +> ``` +> appsettings.cyberArk.agent.json +> { +> "Connections": { +> "AD_Export": { +> "Login": "AdAccount", +> "Password": "AdAccount", +> "Servers": [ +> { +> "Server": "AdAccount" +> }, +> { +> "Server": "AdServer2" +> } +> ] +> } +> } +> } +> ``` +> +> Thus, when launching a job via the `AD_Export` connection, Identity Manager gets the values for +> `Login`, `Password` and `Server` from CyberArk, and the others from `appsettings.agent.json`. + +After updating `appsettings.cyberArk.agent.json`, the agent must be restarted for the changes to +take effect. + +To get a given property's value, Identity Manager reads first the section in +`appsettings.cyberArk.agent.json` for the appropriate connection. Only if the property is not listed +here will Identity Manager read the corresponding section in `appsettings.agent.json` to find it. + +Thus, when a property is listed in both appsettings files, the value from the CyberArk vault takes +priority over the one from the usual appsettings file. 
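Review bot: In the CyberArk page, under "Create a CyberArk Account", the property table and the recommendation that follows it sit inside a code fence, so the Username/Address/Password mapping renders as raw pipes and the Connection link in "recommends customizing the account's name" is dead text. Move both out of the fence. In "As a PFX file", the example carries a realistic-looking literal, `"Password": "oarjr6r9f00"`, directly above the table row that says storing the `.pfx` password in plain text is strongly discouraged; use an obvious placeholder or a value protected with Usercube-Protect-CertificatePassword so the sample is not copied as-is. The `SafeName` and `ApplicationId` rows, and the "Usercube's CyberArk Vault" section, say "See the CyberArk's AAM Credential Providers topic", which is this same page, without a link or anchor. The file is spelled `appsettings.cyberArk.agent.json` here, so check that casing against the Agent Configuration page.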
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md new file mode 100644 index 0000000000..f2aa85fc90 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md 
@@ -0,0 +1,73 @@ +# Agent Configuration + +Identity Manager Agent's configuration includes connection information to the managed systems and to +the Server. Protection of sensitive credentials can be achieved through RSA encryption, storing +information within a CyberArk Vault, or using an Azure Key Vault safe. + +## Configuration Files + +The Agent configuration uses two sets of settings: the agent **appsettings** set and the +**appsettings.agent** set. + +1. The [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) set is written either to the Agent's working + directory appsettings.json file or as environment variables. See the + [ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) topic for additional information. +2. The [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) set is written as environment variables or to + the appsettings.agent.json files from the Agent's working directory. +3. There are two additional files involved in the _Agent_'s configuration to protect sensitive data: + appsettings.encrypted. agent. json and appsettings.cyberark.agent.json. See the + [ RSA Encryption ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md) and + [CyberArk's AAM Credential Providers ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/cyberark-application-access-manager-credential-providers/index.md)topics + for additional information. + +## Protect Credentials + +Managed system credentials are sensitive information. Identity Manager offers three strategies to +protect sensitive data. 
+ +### RSA encryption + +Any Agent configuration setting value can be encrypted using `Usercube-Protect-X509JsonValue` and +`Usercube-Protect-X509JsonFile` tools. An encrypted value is then written to the +appsettings.encrypted.agent.json file. + +It means that any sensitive setting value that the user chooses to protect this way won't be written +to the appsettings.agent.json file but to the appsettings.encrypted.agent.json file. + +### CyberArk Vault + +Any Agent configuration setting value can be encrypted using Identity Manager's CyberArk +integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the appsettings.agent.json file but stored within a CyberArk Vault. + +### Azure Key Vault safe + +Any Agent configuration setting value can be encrypted using Identity Manager's Azure Key Vault +integration. + +To put it simply, any sensitive setting value that the user chooses to protect this way won't be +written to the appsettings.agent.json file but stored within an Azure Key Vault safe. + +## Merge Priority + +Because of the credential protection system, the Agent connection information to managed systems can +be written to the following configuration sources: + +- The appsettings.agent.json file which contains plain text, non-encrypted setting information. +- The appsettings.encrypted.agent.json file which contains encrypted setting information. +- An [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) safe. +- A CyberArkVault referenced by the appsettings.cyberark.agent.json file. +- The appsettings. connection.json file. + +Each configuration source is loaded one after the other, in the following order: + +1. appsettings.agent.json +2. appsettings.encrypted.agent.json +3. _Azure Key Vault_ safe +4. _CyberArk Vault_ +5. 
appsettings.connection.json + +If a json key is defined in multiple configuration source, only the last loaded json key is +preserved to build the final configuration. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..663af5e89c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/rsa-encryption/index.md 
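Review bot: In agent-configuration/index.md (the hunk ending just above), the "CyberArk Vault" and "Azure Key Vault safe" sections both open with "Any Agent configuration setting value can be encrypted using" the integration, but the next sentence in each says the value is stored in the vault instead of being written to appsettings.agent.json. Those are different protections, and only the RSA section describes encryption, so reword the two openers to say "stored in". "Configuration Files" announces "two sets of settings" and then lists three items. File names are broken by stray spaces (`appsettings.encrypted. agent. json`, `appsettings. connection.json`) and written as `appsettings.cyberark.agent.json` where the CyberArk page uses `appsettings.cyberArk.agent.json`. "Merge Priority" gives `appsettings.connection.json` the highest precedence although nothing earlier on the page introduces that file; a sentence on what writes it and whether it can hold credentials would help a reader decide which source wins for a secret.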
@@ -0,0 +1,61 @@ +# RSA Encryption + +Identity Manager provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Identity Manager's tools: + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + to encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` and +`appsettings.encrypted.agent.json` files. Identity Manager will read first the values from the +encrypted appsettings files, before reading those from the usual non-encrypted appsettings files. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings files and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings files without having to encrypt the whole files again. + +## Focus on the Encrypted Appsettings Files + +The `appsettings.encrypted.json` and `appsettings.encrypted.agent.json` files contain respectively +the `appsettings.json` and `appsettings.agent.json` files' sensitive setting values which are +protected by RSA encryption. + +These files follow the exact same structure as the [ Agent Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). + +### Read the Encrypted Files + +Identity Manager can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. 
+ +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. + +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./identitymanager.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md new file mode 100644 index 0000000000..b41d13b340 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md 
@@ -0,0 +1,81 @@ +# Configure Okta + +This guide shows how to configure the OIDC to set up the authentication to Identity Manager. + +## Create the Application + +On the Okta dashboard: + +![Add Application](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_addapplication.webp) + +**Step 1 –** Select the **Applications** section and click on the **Add Application** button. + +![Create New App](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnewapp.webp) + +**Step 2 –** Then click on the **Create New App** button. + +![Create Native App](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_createnativeapp.webp) + +**Step 3 –** Select the platform **Native app**. The only sign-on method is the OpenID Connect. +Click on **Create**. + +**Step 4 –** In **General Settings**, name your Application. You can also add a logo. + +**Step 5 –** In the **Configure OpenID Connect** section, enter the connection redirection URL in +the part: **Login redirect URLs**. To find out this URL, just take the URL of the Identity Manager +application and add `/signin-oidc`. The Identity Manager disconnection redirection URL is also +necessary. To construct it, take Identity Manager's URL again and, at the end, add +`/signout-callback-oidc`. + +**NOTE:** The **Logout redirect URLs** section is marked as optional but it is mandatory for +Identity Manager. + +![Save Application](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_saveapplication.webp) + +## Configure the Client Credentials + +The client secret in Identity Manager is required for the OIDC connection. You must therefore +configure this OIDC connection option in the application. In the Application Dashboard, click on +**Edit** in the **Client Credentials** section. 
Select the option **Use Client Authentication** and +save the changes. + +![Client Credentials](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_clientcredentials.webp) + +## Configure the Application Settings + +In the **Application** section, check the box **Implicit (Hybrid)** so that the connection with +Identity Manager can operate correctly. **Allow ID Token with implicit grant type** is optional. + +![Application Section](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/how-tos/okta/okta_applicationsection.webp) + +## Configure the appsettings.json + +To successfully configure the OpenId protocol, you can refer to the dedicated section in the +detailed guide. See the +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) for +additional information. + +Below is an illustrative example of how to set up your `appsettings.json` file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "OpenId": { +    "Enabled": true, +    "Okta": { +      "AuthenticationScheme": "Okta Authentication", +      "Authority": "https://your-domain.okta.com/oauth2/default", +      "ClientId": "Your Client ID", +      "ClientSecret": "Your Client Secret", +      "DisplayName": "Okta Display Name", +      "NameClaimType": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", +      "SaveToken": true +    } +  } +} + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md new file mode 100644 index 0000000000..fb3e3d8996 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md 
@@ -0,0 +1,199 @@ +# Network Configuration + +Identity Manager's network technical configuration includes: + +- Database connection +- Managed systems connection +- Synchronization and fulfillment processes +- End-user authentication +- Logging + +## Introduction + +Configuration settings are saved in configuration files or in the host system's environment +variables. + +Configuration settings are detailed further in the following sections: + +- Server configuration, including connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +- Agent configuration, including connection to the managed systems. See the + [ Agent Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) topic for additional information. +- Monitoring, indicating how to set up monitoring for Identity Manager. See the + [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md)topic for additional information. + +## Write Settings + +How to write settings for the network configuration. + +### Sets, sections and values + +Configuration setting values are organized by functionality into three sets: + +1. The Server's appsettings set gathers general-purpose settings for the Server (including database + connection and end-user authentication). See the + [Server Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +2. The Agent's appsettings set gathers general-purpose settings for the Agent executable process. + See the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) topic for additional + information. +3. 
The appsettings.agent set gathers settings for the Agent's connection to the managed systems. See + the [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) topic for additional + information. + +Each set can be seen as a +[tree-like structure](https://en.wikipedia.org/wiki/Tree_(data_structure)) where leaves are a +name-value pair: the name of the setting and the value of the setting. + +Within a Configuration Set Tree, settings are organized into meaningful sections which can be +further organized into subsections, leading to a tree-like structure where sections are nodes. For +example, settings involving end-user authentication are gathered in the Authentication section, +containing another subsection for every authentication method such as OpenId or OAuth. + +This means that every setting value either belongs to the settings root node or to a section, itself +belonging to a parent section. + +![tree like structure](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/tree-like-structure.webp) + +### Configuration files + +Settings can be written as `json` objects stored in `.json` files in the Server or Agent working +directory. + +Relevant files for the Server can be found in the Server working directory: + +- `appsettings.json` + +Relevant files for the Agent can be found in its working directory: + +- `appsettings.json` +- `appsettings.agent.json` +- `appsettings.encrypted.agent.json` +- `appsettings.cyberArk.agent.json` + +Each setting file is organized into several sections as shown in the Sets, Sections and values +diagram. See the [ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) topic for additional information. + +Each section's name matches a top level attribute of the file's `json` object. 
+ +The section content is written as the matching attribute's value which can be broken down into a set +of setting attributes and subsection attributes. + +Each subsection can then be broken down into more setting attributes and deeper nested subsections. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +settings.example.json +{ +   "sectionA": { +       "subsectionnameA1":{ +            "settingnameA11":"settingA11value", +            "settingnameA12":"settingA12value" +       }, +       "settingnameA2": "settingvalueA2", +        }, +   "sectionB": { +       "settingnameB1": "settingB1value", +       "settingnameB2": "settingB2value" +   } +} +``` + +In Integrated-agent mode, agent configuration is written to the Server's `appsettings.json` file. +See the [ Overview ](/docs/identitymanager/saas/identitymanager/installation-guide/overview/index.md) topic for additional information. + +#### Reminder + +The backslash character `\` is an escape character in a JSON file. An error will appear when parsing +the JSON file if the backslash is followed by a non-escapable character. To use a backslash in a +string, it must be escaped by another backslash. + +In this example, the value for the attribute Password will be parsed as ``: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Password": "" +} +``` + +### Environment variables + +Alternatively, settings can be stored as environment variables on Identity Manager's host system. + +Each setting value is stored as the value of an environment variable whose name is the concatenation +of all the ancestor sections and the setting name separated by **\_\_** (two underscores). + +Here is an example showing how to construct a setting environment variable name from its matching +`json` file. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Scheduler": { +        "Enabled": true, +        "LockFilePath": "../Temp/scheduler.lock" +    }, +    "Swagger": { +        "Enabled": true +    } +} +``` + +The name becomes Scheduler**Enabled, Scheduler**LockFilePath and Swagger\_\_Enabled. + +## Manage Several Environments + +How to manage several network environments. + +### Using files + +Every setting value can be overwritten to fit a specific environment. + +The environment within which Identity Manager runs is set by the system environment variable +ASPNETCORE_ENVIRONMENT. The default value is Production. Usual examples include Development, +Staging, and Production. + +To overwrite setting values for a specific environment, one can write environment-specific +configuration files. + +For every appsettings.``.json file, an appsettings.``.``.json can be created +where `` is the name of the relevant environment matching the ASPNETCORE_ENVIRONMENT +value. + +The appsettings.``.``.json file has the exact same section/attribute/subsection +shape as the main appsettings file. + +Identity Manager's configuration will be the result of merging both files. + +Should a setting be written in both files, Identity Manager will use the +appsettings.``.``.json value. + +Leveraging this priority mechanism is how one can override a setting value to match a particular +environment. Another mechanism can be used: using environment variables. + +### Using environment variables + +Setting values can also be stored as environment variables on Identity Manager's host system. +Environment-variables-stored setting values have priority over json-file-stored setting values. Here +is how to use this mechanism to handle multiple environments. + +In the web.config file, an `` element in the node `` > +`` > `` > `` is used to set a setting value for +the application. 
+ +### Configuration stages + +Configuration encompasses: + +- The Server configuration with a connection to the database and end-user authentication. See the + [Server Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md) topic for additional information. +- The Agent configuration with a connection to the managed systems. See the + [ Agent Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md)topic for additional information. +- The Logger configuration. See the [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md)topic for additional + information. diff --git a/docs/usercube_saas/usercube/integration-guide/network-configuration/password-management/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/password-management/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/network-configuration/password-management/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/password-management/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/proxy/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/proxy/index.md new file mode 100644 index 0000000000..40b67d96a8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/proxy/index.md 
@@ -0,0 +1,228 @@ +# Proxy Server + +Identity Manager server or agent can be configured to go through a proxy server to access internal +or external web resources. + +## Introduction + +A Identity Manager agent often needs to access internal or external systems using the HTTP protocol. +It may easily be configured to use a proxy server through which all or part of the HTTP traffic will +be routed. + +## Proxy Related Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables: + +- `HTTPS_PROXY`: the proxy server used on HTTPS requests. +- `NO_PROXY`: a comma-separated list of hostnames that should be excluded from proxying. + +The dotnet environment does not rely on the OS-wide proxy configuration. It is mandatory to use the +above-mentioned environment variables to configure the proxy. + +### HTTPS_PROXY + +The `HTTPS_PROXY` environment variable may be the hostname or IP address, optionally followed by a +colon and port number, or it may be an http URL, optionally including a username and password for +Proxy Server authentication. + +The URL must start with `http`, **not https**, and cannot include any text after the hostname, IP, +or port. + +This example shows various ways to properly configure a proxy server using Powershell: + +``` + +# A hostname with port (recommended syntax) +$env:HTTPS_PROXY="proxy.contoso.com:6060" +# A hostname without port +$env:HTTPS_PROXY="proxy.contoso.com" +# An IP address with port +$env:HTTPS_PROXY="10.65.1.1:6060" +# A URL with port: +# Warning: Even if we want to route HTTPS traffic, we MUST give a URL with http scheme. +# Warning: Do not add trailing slash. +$env:HTTPS_PROXY="http://proxy.contoso.com:6060" + +``` + +We recommend using the `:` syntax since it is not misleading. We discourage using +the `http://:` syntax since it is not intuitive to indicate the `http` scheme to +route `https` traffic. 
However, if you decide to use this syntax, do not forget to include a comment +stating that `http` scheme is mandatory at the configuration level, even if it will not be used at +runtime. + +#### Do not do + +This example shows the wrong ways to initialize the `HTTPS_PROXY` environment variable. The +environment variable will be **silently ignored** and the traffic will not be routed through the +proxy. + +``` + +# WRONG: A URL with https scheme +$env:HTTPS_PROXY="https://proxy.contoso.com:6060" +# WRONG: A URL with text after the port number +$env:HTTPS_PROXY="http://proxy.contoso.com:6060/" +# WRONG: A URL with text after the hostname +$env:HTTPS_PROXY="http://proxy.contoso.com/" + +``` + +#### Authenticated proxy + +When the proxy server needs the user to be authenticated, the `HTTPS_PROXY` environment variable can +include the username and password as follows: + +``` + +# A URL to authenticate to the proxy with login=mylogin and password=mypassword +$env:HTTPS_PROXY="http://mylogin:mypassword@proxy.contoso.com:6060" + +``` + +### NO_PROXY + +The `NO_PROXY` environment variable is a comma-separated list of hostnames that should be excluded +from proxying. To exclude all subdomains ("wildcard" exclusion), domains in the `NO_PROXY` list need +to be prefixed with a dot (`.`), which is standard, but not particularly well documented. 
**Do not +use the star (`*`) prefix !!!** + +This example shows various ways to exclude domains from proxying: + +``` + +# Exclude only www.google.com: +# www.google.com: will not go through the proxy +# maps.google.com: will go through the proxy +$env:NO_PROXY="www.google.com" +# Exclude only www.google.com and www.microsoft.com: +$env:NO_PROXY="www.google.com,www.microsoft.com" +# Exclude all google.com and all microsoft.com subdomains: +# Do not prepend the domain name with a '*' +# www.google.com: will not go through the proxy +# maps.google.com: will not go through the proxy +# www.microsoft.com: will not go through the proxy +$env:NO_PROXY=".google.com,.microsoft.com" + +``` + +#### Do not do + +This example shows the wrong ways to initialize the `NO_PROXY` environment variable. + +``` + +# WRONG: starting with '*' to indicate a wildcard exclusion +# Only the domain exactly named *.contoso.com will be excluded from proxying, +# which means there is no exclusion configured. +$env:NO_PROXY="*.contoso.com" + +``` + +## Where to Define Proxy Environment Variables + +The proxy configuration is based on a set of standard dotnet environment variables, they can be +defined in various places according to the practices in place in your organization: + +- At OS level +- At user level: for the user running the Identity Manager server or agent +- At IIS level: in the application `web.config` file + +Note that when creating an environment variable in IIS `web.config` file, all child processes +created by the IIS application will inherit from this environment variables. For example, while +running the Identity Manager agent all tasks started by the agent will inherit the proxy environment +variables. + +This example shows how to configure the proxy in the IIS `web.config` file: + +``` + + + + ... + + +``` + +## Testing the Proxy Configuration + +To test the proxy configuration for the dotnet environment, it is advised to use Powershell 5 or +Powershell Core. 
+ +In the following examples, you may adapt the proxy hostname/port and the URL to test. + +### Using Powershell 5 + +To test that a Identity Manager agent using a proxy server can reach the Identity Manager server: Go +to the `/Runtime` directory. + +``` + +$env:HTTPS_PROXY="proxy.contoso.com" +./identitymanager-Invoke-Job.exe --api-url https://contoso.usercube.com/ --api-client-id Job --api-secret secret -j UnknownJob + +# Given the credentials are valid, you should get an exception as follows: +# ---> System.Exception: Job: UnknownJob is not found +# This exception shows that the server has been reached and that the job identifier is not known. +# The proxy is properly configured !!! + +``` + +**Do not use** Invoke-WebRequest or Test-NetConnection to test the proxy configuration. In +Powershell 5, these tools are using a different network stack from dotnet environment and are using +the OS-wide proxy settings. They will ignore the `HTTPS_PROXY` environment variable + +### Using Powershell Core + +Powershell Core is based on the same network stack as dotnet environment. The proxy configuration +can be tested using the Invoke-WebRequest and Test-NetConnection tools. If tests are successful +using Invoke-WebRequest, they will be successful too if the same environment variables are provided +to the Identity Manager server or agent. + +Powershell Core will only take the `HTTPS_PROXY` environment variable into account if it was created +before the Powershell Core process was started. + +``` + +# Create the environment variable in this Powershell Core process. +# This variable will not alter the proxy configuration of this process. +$env:HTTPS_PROXY="proxy.contoso.com" +# Start a child Powershell Core process which will inherit from the HTTPS_PROXY environment variable. +# This variable will alter the proxy configuration of this child process. 
+pwsh +Invoke-WebRequest https://contoso.usercube.com/ +# The result should display an HTTP 200 response from the Usercube server. + +# Go back to the parent Powershell parent process. +exit + +``` + +### Known errors when proxy is not properly configured + +When the proxy environment variables does not match the expected format, they will be **silently** +ignored. + +- If `HTTPS_PROXY` is ignored, the network stack will try to directly access public URL's without + going through the proxy. +- If `NO_PROXY` is ignored, the internal traffic will be routed through the proxy. + +When testing the proxy configuration, if you get one of the following error message: + +- ` No such host is known.` +- `Hote inconnu` + +It means that the `HTTPS_PROXY` is not set or does not match the expected format. The HTTP client +tries to directly resolve the public hostname instead of resolving the proxy hostname. + +Review the `HTTPS_PROXY` value, check that it does not: + +- use the `https` scheme +- include trailing slashes or characters after the hostname:port + +## Reference Documentation + +- [HttpClient.DefaultProxy](https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.defaultproxy?view=net-8.0&viewFallbackFrom=netcore-8.0#httpclientdefaultproxy): + reference for environment variables. +- NO_PROXY: [unofficial documentation](https://stackoverflow.com/a/62663469) for wildcard domain + exclusion diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md new file mode 100644 index 0000000000..1d0e85e443 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md 
@@ -0,0 +1,83 @@ +# Connection to the Database + +The connection of Identity Manager's server to the database is set through the `appsettings` +top-level `ConnectionString` and the `AzureCredentials` attributes: + +| Name | Details | +| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionString required | **Type** String **Description** Identification token used to retrieve the connection information for the server to access Identity Manager's database in SQL Server. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. **Example**`{ � "ConnectionString": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| ConnectionStringGovernor required | **Type** String **Description** Identification token used to retrieve the connection information to SQL Server Resource Governor which is a feature used to manage SQL Server's workload and system resource consumption. 
**Info:** Resource Governor enables specifying limits on the amount of CPU, physical I/O, and memory that incoming application requests can use. **Note:** must be compliant with SQL Server connection string syntax. See the [Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md) topic for additional information. **Note:** all tasks and jobs use this connection string, when specified. **Example**`{ � "ConnectionStringGovernor": "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" }` | +| AzureCredentials required | **Type** Azure Credentials **Description** Settings used with the `ConnectionString` to access the database in SQL Server, hosted on Microsoft Entra ID (formerly Microsoft Azure AD). | + +## AzureCredentials + +The database can be accessed one of two ways: + +- either by specifying `User Id` and `password` keywords directly in the connection string: + + > For example: + > + > ``` + > + > "ConnectionString": "data source=.;Database=UsercubeContoso;User + > Id=UsercubeServerContoso;Password=myPassword;Min Pool Size=10;encrypt=false;" + > + > ``` + > + > ``` + +- or, to avoid exposing the `User Id` and `password` in a connection string sent through the + network, by using the built-in Microsoft Entra ID authentication method: + + > For example: + > + > ``` + > + > "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial + > Catalog=;Persist Security + > Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;" + > + > ``` + > + > ``` + +[See Microsoft's documentation for more details about authentication methods](https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver15) + +> The following example authenticates with ClientId and ClientSecret: +> +> ``` +> +> appsettings.json +> +> { ... 
"ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "ClientSecret": "" } } +> +> ``` +> +> ``` + +> The following example authenticates with a pfx-stored public key certificate (password-protected +> pfx archive): +> +> ``` +> +> appsettings.json +> +> { ... "ConnectionString": "Server=tcp:.database.windows.net,1433;Initial Catalog=;Persist Security +> Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;", +> +> "AzureCredentials": { "ClientId": "", "AADTenantId": "", "EncryptionCertificate": { "File": "", +> "Password": "" } } } +> +> ``` +> +> ``` + +| Name | Details | +| -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ClientId optional | **Type** String **Description** Client ID obtained from Microsoft Entra ID when [registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. | +| AADTenantId optional | **Type** String **Description** Microsoft Entra ID's tenant identifier obtained when [registering ](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)Identity Manager as an application. **Note:** remember to set Identity Manager as owner of the targeted database when registering Identity Manager as an application in Microsoft Entra ID. 
| +| ClientSecret optional | **Type** String **Description** Microsoft Entra ID's client secret used by Identity Manager to authenticate.**Note:** used only if `EncryptionCertificate` is not specified. | +| EncryptionCertificate required, if ClientSecret is not defined | **Type** Encryption Certificate **Description** Location of the certificate used by Identity Manager to authenticate, instead of the `ClientSecret`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md new file mode 100644 index 0000000000..db1bddc95e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md 
@@ -0,0 +1,1031 @@ +# End-User Authentication + +## Overview + +Before end-users can connect to Identity Manager through the UI, they will have to authenticate. + +Identity Manager supports seven authentication methods organized into two categories: Internal +methods and External methods. + +It is highly recommended that you use an External method. Internal methods are mostly used for +debug, test and development purposes. + +Internal methods + +The Internal methods use Identity Manager Server's internal authentication server. They rely on one +of these Identity Server User Stores: + +- Test User Store, used in development environments. +- Active Directory User Store, using an Active Directory to authenticate. + +External methods + +External methods use external authentication providers. + +Identity Manager supports five types of external authentication providers of which four are based on +different flavors of the OAuth 2.0 protocol, and the last one is integrated with Windows. + +The types of authentication providers supported by Identity Manager are: + +- [OpenIdConnect](https://openid.net/connect/) +- [WS-Federation](http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html) +- [OAuth](https://tools.ietf.org/html/rfc6749) +- [SAML2](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) +- [Integrated Windows Authentication (IWA)](https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication) + +Using more than one provider + +For each authentication method, one or several authentication providers can be set up. If several +authentication providers are set up, end-users will be prompted to choose their preferred method of +authentication. 
+ +Internal method & test mode form: + +![authent_1](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_1.webp) + +External method prompt: + +![authent_2](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/authent_2.webp) + +## Identity Server RSA Key Pair + +A public key certificate and a private key are used to handle encrypted communication with external +authentication providers. This is used, for example, by the Identity Manager Server to retrieve the +provider's signing key. It is mandatory to validate JWT tokens in an OAuth-flavor scenario. + +This information can be set one of two ways: + +- As a [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive (also called `.pfx` file) stored in + the Agent's host file system. The archive contains both the public key certificate and the private + key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +### PFX file + +The archive is set using the following attributes on the appsettings > IdentityServer section: + +- X509KeyFilePath is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the + Agent's host file system. +- X509KeyFilePassword (optional) is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive + password. + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +  "": { +    "X509KeyFilePath":C:/identitymanagerAgentContoso/contoso.pfx", +    "X509KeyFilePassword": "oarjr6r9f00" +  } + +``` + +### Certificate + +The certificate from a Windows certificate store is set up using these attributes on the +appsettings > IdentityServer section: + +| Name | Description | +| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| X509SubjectDistinguishedName optional (if Thumbprint is non-empty) | Sets the store certificate's SubjectDistinguishedName. | +| X509Thumbprint optional (if DistinguishedName is non-empty) | Sets the store certificate's Thumbprint. | +| X509StoreLocation required | Sets the Relevant Windows certificate store's location: `LocalMachine` or `CurrentUser`. | +| X509StoreName required | Sets the relevant Windows certificate store's name. | + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"": { +    "X509SubjectDistinguishedName":"", +    "X509StoreLocation": "", +    "X509StoreName": "" +} + +``` + +**NOTE:** Identity Manager Server won't start if the +[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive set up during this step is identical to +the one provided with the SDK. Users must provide their own certificate. Self-signed certificates +are accepted as valid. See +the[Install the Server](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/server/index.md)topic for +additional information. + +## Configuration Section Description + +Authentication is set up using the following two sections of the Server's appsettings set: + +- IdentityServer +- Authentication + +``` +{ +    "IdentityServer":{ +        ... +    }, +    "Authentication":{ +        ... 
+    } +} + +``` + +The authentication section mostly fits the following pattern: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ +    :{ +          :{ +                  ... +          }, +          ...., +          :{ +                  ... +          }, +    }, +    :{ +          :{ +                  ... +          }, +          ...., +          :{ +                  ... +          }, +    } +} + +``` + +Several authentication providers can be defined (here above, `` to +``), using one or several authentication protocols (here above, +`` and ``). + +Most of the authentication providers need the user to choose an AuthenticationScheme. It is a string +that will be used to uniquely identify this authentication method in Identity Manager. Its goal is +to enable Identity Manager's testers to identify which authentication method is used in the logs or +in the code, with a mnemonic name. Any name can be used as long as all AuthenticationSchemes are +different. + +**NOTE:** This guide doesn't cover how to set up authorizations within Identity Manager. +Authorization for an end-user to access Identity Manager resources relies on assigning roles to +profiles. Identity credentials used for authentication must be linked to these profiles in the +applicative configuration. See the [ Various XML Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/settings/index.md)topic for +additional information. + +Authentication-related settings are done through the following sections of the appsettings set: + +- IdentityServer +- Authentication + +See the[ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md)topic for additional information. + +### Identity Server + +This is the general-purpose authentication settings section. 
+ +The Identity Server section allows the following attributes: + +| Name | Type | Description | +| ------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------ | +| Enabled (default value: true) | Boolean | Enables or disables the Identity Server. | +| AllowWindowsAuthentication (default value: false) | Boolean | Allows Windows authentication. Will work only when the Active Directory User Store is enabled. | +| ShowPII (default value: false) | Boolean | Sets whether or not PII is shown in logs. For security reasons, this setting should be used sparingly. | +| ValidationKeys (optional) | String Array | Allows the definition of public certificate paths for token validation. | +| IssuerURI (optional) | String | Sets the unique name of this server instance. | +| PostLogoutRedirectUri (optional) | String | Sets a specific URI to which the user will be redirected after a successful logout. | +| PublicOrigin (optional) | String | Sets the origin name for this Identity Manager Server instance. Useful if end-users authenticate through a proxy server. | +| X509File (required) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the Agent's host file system. | +| X509KeyFilePassword (optional) | String | Is the [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | +| X509SubjectDistinguishedName (optional) | String | Sets the store certificate's SubjectDistinguishedName. | +| X509Thumbprint (optional) | String | Sets the store certificate's Thumbprint. | +| X509StoreLocation (required) | String | Sets the relevant Windows certificate store's location. | +| X509StoreName (required) | String | Sets the relevant Windows certificate store's name. | + +### Authentication + +This section contains specific settings for each configuration method. 
+ +At the root, the following properties can be used: + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------ | +| Enabled default value: true | Boolean | Enables or disables authentication. | +| RequireHttpsMetadata default value: true | Boolean | Specifies whether HTTPS is required for the discovery endpoint. | +| AllowLocalLogin required | Boolean | If `true`, a Login Form replaces Windows Authentication. | +| CookieLifeTime default value: 8 | Int | Maximum duration (in hours) after which the session expires automatically. | +| LifeTimeSliding default value: 10 | Int | Duration (in minutes) after which the session expires automatically, if no action is taken during this time. | + +Then, a subsection for every authentication method is used. Supported subsections are: + +- OpenId +- OAuth +- WsFederation +- SAML2 +- ActiveDirectoryUserStore +- TestUserStore + +## Set Up Integrated Windows Authentication (IWA) + +This authentication method can be used to authenticate users within an Active Directory domain using +their respective domain account. + +This authentication is silent: when an end-user tries to access Identity Manager, the browser +retrieves identity credentials from the Windows session where the user is logged in and sends them +to the domain controller for authentication. The domain controller confirms the user's identity and +validates it for Identity Manager. The end-user doesn't have to input any credentials. + +**NOTE:** If Integrated Windows Authentication is used, internal methods have to be disabled with +the `"AllowLocalLogin":false` setting. + +### Requirements + +Setting up this authentication method requires the following: + +- Identity Manager runs as an [Internet Information Services (IIS)](https://www.iis.net/) website. 
+- Windows Authentication is + [enabled on Windows server](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016). +- Windows Authentication is + [enabled for the Usercube IIS ](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#enabled-for-the-usercube-iis)[enabled for the Usercube IIS website](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/#enabled-for-the-usercube-iis-website) + website. + +### Configuration + +Integrated Windows Authentication is configured using the following sections: + +- Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`. + +- Set the **Authentication** > **AllowLocalLogin** attribute to `false`. + +1. Set the **IdentityServer** > **AllowWindowsAuthentication** attribute to `true`. +2. Set the **Authentication** > **AllowLocalLogin** attribute to `false`. + +> The following example sets up Windows Authentication. Windows Server and IIS requirements have +> been checked. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> appsettings.json +> ... +> "":{ +>     "AllowWindowsAuthentication":"", +> }, +> "":{ +>     "AllowLocalLogin":"", +> } +> ... +> +> ``` + +## Set Up an OpenID Connect Provider + +One or several OpenID Connect authentication providers can be set up under the Authentication > +OpenId section. + +Multiple providers + +One or several OpenID Connect authentication providers can be set up. + +Registration process + +Using an OpenID Connect authentication requires the Identity Manager Server to be registered to the +provider. A ClientID and a ClientSecret are issued as a result of the registration process. They +both allow Identity Manager to identify itself to the authentication provider. 
+[](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)[See an example](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings) +of how to register Identity Manager to an Microsoft Entra ID (formerly Microsoft Azure AD) used as +OpenID Connect provider. + +Callback URL + +The target OpenID Connect provider needs to be aware of the URI where to send the authentication +token if the authentication succeeds. Depending on the provider, it is called a callback URL, a +callback path, an authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. + +Identity Manager's callback URL for OpenID Connect is `/signin-oidc` where +`` is the address of your Identity Manager Server such as +`https://identitymanager.contoso.com`. + +Authority + +An OpenID Connect provider is identified by its Authority, according to the +[OpenID ](https://openid.net/connect/)Connect specifications. + +NameClaimType + +To authorize an end-user, Identity Manager Server retrieves a specific claim (a key-value pair, +transmitted through the OIDC-issued JWT token) returned by the provider and looks for a resource +that matches this claim's value. The comparison is carried out according to the resource and +property set as the end-user's identity in the applicative configuration. See the +[ Select User by Identity Query Handler Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md) + +The name of the claim that is retrieved for this purpose defaults to `sub` which is one of the +standard +[Claim names for the OpenID Connect protocol](https://openid.net/specs/openid-connect-core-1_0.html#claim-names-for-the-openid-connect-protocol). +However, some providers might not fill the `sub` value with meaningful data, or use non-standard +Claim names. 
+ +For this reason, the name of the claim that is retrieved by Identity Manager for authorization +purposes can be set up according to the provider's specifics. + +**NOTE:** Users should be able to get a list of the claim names used by their authentication +providers from their providers' portal website, documentation or administrators. + +For example, the following claim provides no meaningful `sub` value. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "name": "", +    "preferred_username": "", +    "sub": "<11v7ert42azerttyZD6d4>" +} + +``` + +Using the following applicative configuration setting that sets `Ad_Entry:userPrincipalName` as the +value to be matched against a claim in order to identify a user's profile, the `preferred_username` +NameClaimType should be used. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +  + +``` + +### Configuration + +First, the OpenID Connect method must be enabled. + +Under the OpenId section: + +| Name | Type | Description | +| ---------------- | ------- | ------------------------------------------ | +| Enabled required | Boolean | Enables or disables the OpenId connection. | + +For each OpenID Connect provider to integrate, a new section is added under the OpenID subsection. +Any section name can be used. This section name is only used as a means for the user to find the +authentication method in the configuration files. 
+ +Under the new subsection, the following parameters are used to configure the authentication method: + +| Name | Type | Description | +| ---------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | String | Is the Client ID issued during the registration of Identity Manager to the chosen OpenID Connect provider. | +| ClientSecret required | String | Is the Client Secret issued during the registration of Identity Manager to the chosen OpenID Connect provider. | +| Authority required | String | This URL identifies the OpenID Connect provider for Identity Manager according to the [OpenID Connect specifications](https://openid.net/connect/). It can be retrieved from the target OpenID Connect provider documentation. For example, [Microsoft's documentation ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)indicates the Microsoft Identity Platform OpenID Connect[ ](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)authority. | +| NameClaimType optional | String | Sets the type of the claim that will be retrieved by Identity Manager to identify the end-user. 
The retrieved claim will be compared against the resource and property set as the end-user's identity in the applicative configuration. See the [ Select User by Identity Query Handler Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md)topic for additional information. | +| Scopes optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). By default, the requested scopes are: openid, profile and email. | +| SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if authentication uses an Okta provider. See the [Configure Okta](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md)topic for additional information. | +| MetadataAddress optional | String | URL address of a copy of the metadata, used when the authority metadata cannot be accessed from the Identity Manager server, for example because of a firewall. | +| RequireHttpsMetadata default value: true | Boolean | By default the authority metadata must use HTTPS. Set to `false to use a simple HTTP metadata, in case a local copy of the metadata is used or for test environment. | +| ResponseMode optional | String | Response mode for OpenIdConnect. - Query - FormPost - Fragment [See OpenId documentation](https://openid.net/specs/openid-connect-core-1_0.html). | +| ResponseType optional | String | Response type for OpenIdConnect. - Code - CodeIdToken - CodeIdTokenToken - CodeToken - IdToken - IdTokenToken - None - Token See examples in the [OpenId documentation.](https://openid.net/specs/openid-connect-core-1_0.html#openid-documentation) | + +Example + +This example configures an OpenId Connect authority located at +[https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69](https://login.microsoftonline.com/bbd35166-7c13-49f3-8041-9551f2847b69). 
+ +This authentication provider is identified within the appsettings.json OpenId Connect providers list +as OpenId1. + +Within Identity Manager, it will be identified with the authentication scheme AzureOIDC. + +It will be displayed as Connection Microsoft Entra ID with OIDC protocol in the UI external login +prompt. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Authentication": +    { +        ... +        "OpenId": { +            "Enabled": "", +            "OpenId1": { +                "AuthenticationScheme": "", +                "DisplayName": "", +                "ClientId": "<6779ef20e75817b79602>", +                "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>", +                "Authority": "", +                "NameClaimType": "", +                "Scopes": ["", ""] +            } +        } +    } +} + +``` + +## Set Up an OAuth Provider + +One or several OAuth authentication providers can be set up under the authentication > OAuth +section. + +Multiple providers + +One or several OAuth authentication providers can be set up. + +Registration process + +Using an OAuth authentication requires Identity Manager Server to be registered to the provider. A +ClientID and a ClientSecret are issued as a result of the registration process. They both allow +Identity Manager to identify itself to the authentication provider. + +#### Callback URL + +The target OAuth provider needs to be aware of the URI where to send the authentication token if the +authentication succeeds. Depending on the provider, it is called a callback URL, a callback path, an +authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. 
+ +Identity Manager's callback URL for OAuth is ``/`` where +`` is the address of your Identity Manager Server such as +https://identitymanager.contoso.com and `` can be set up to any value chosen by the user +using the CallbackPath configuration attribute. The only constraint is to make sure the CallbackPath +value in Identity Manager's configuration is the same as in the OAuth provider registration screen +for Identity Manager. + +### Configuration + +First, the OAuth method must be enabled under the authentication > OAuth section. + +| Name | Type | Description | +| ---------------- | ------- | ----------------------------------------- | +| Enabled required | Boolean | Enables or disables the OAuth connection. | + +Then, users must create a new section per OAuth provider. Users are free to choose any section name. +Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Type | Description | +| ------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| DisplayName optional | String | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| ClientId required | String | Is the Client ID issued to Identity Manager during the registration process. 
| +| ClientSecret required | String | Is the Client Secret issued to Identity Manager during the registration process. | +| ClaimsIssuer required | String | Is a unique identifier that will mark claims issued by this OAuth provider for Identity Manager. This mark is used for debugging, monitoring, or security purposes in situations where multiple OAuth providers are involved. It's still useful if only one provider is used. Any string value can be used. Convention dictates that it is a URL shaped value such as https://accounts.google.com. | +| AuthorizationEndpoint required | String | Is the provider's Authorization Endpoint URI. This is where the end-user's browser is redirected to start the authentication process. Usually ends with /auth or /authorize. This information must be retrieved from the provider's portal. | +| TokenEndpoint required | String | Is the provider's Token Endpoint URI. This is where the client sends token requests, using an authorization code obtained during the authentication process. This information must be retrieved from the provider's portal. | +| CallbackPath required | String | Sets the callback path where the client is redirected after a successful authentication. Any string value can be used as long as it is reported to the provider during the registration process. | +| SaveTokens default value: false | Boolean | Only for Okta providers. Set to `true if authentication uses an Okta provider. See the [Configure Okta](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/how-tos/okta/index.md)topic for additional information. | +| Scope optional | String | Sets the list of the requested [scopes](https://auth0.com/docs/scopes/openid-connect-scopes). | + +Example + +The following example configures an OAuth-based authentication provider identified as +OAuthContoso_Washington in the configuration file. 
+ +It will be displayed as Contoso OAuth Washington in the UI external login prompt, and uniquely +identified within Identity Manager by the authentication scheme contoso_0987. + +Identity Manager Server marks received claims using +[https://accounts.google.com](https://accounts.google.com) as a claim issuer identifier. + +/signin-oauth has been chosen as CallbackPath and set up as such in the OAuth provider's portal +during Identity Manager's registration. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Authentication": +    { +        ... +        "OAuth": { +            "Enabled": "", +            "OAuthContoso_Washington": { +                "AuthenticationScheme": "", +                "DisplayName": "", +                "ClientId": "<6779ef20e75817b79602>", +                "ClientSecret": "<5ef0234c039c725e21ffc727a60c44895a39dce1c81ae36dc5d002feae82c1c0>", +                "ClaimsIssuer": "", +                "AuthorizationEndpoint": "", +                "TokenEndpoint": "", +                "CallbackPath": "", +                "Scopes": ["", ""] +            } +        } +    } +} + +``` + +## Set Up a WS-Federation Provider + +One or several WS-Federation authentication providers can be set up under the authentication > +WsFederation subsection. Examples of WS-Federation providers include Active Directory Federation +Services (ADFS) and Microsoft Entra ID (AAD). + +Multiple providers + +One or several WS-Federation authentication providers can be set up. + +Registration process + +Using a WS-Federation authentication requires Identity ManagerServer to be registered to the +provider. A Wtrealm value is set up during the registration process. The value can be generated by +the provider, or set manually as a URL-shaped string value. This allows Identity Manager to identify +itself to the authentication provider. 
Here are two examples of registration process: + +- with an + [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services) + provider +- with an + [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) + provider + +Callback URL + +The target WS-Federation provider needs to be aware of the URI where to send the authentication +token if the authentication succeeds. Depending on the provider, it is called a callback URL, a +callback path, an authorization callback URL, or a redirect URI. + +During the registration process, the provider will ask for the URL. + +Identity Manager's callback URL for WS-Federation is +``/signin-wsfed where `` is the address of +your Identity Manager Server such as https://identitymanager.contoso.com. + +Encryption algorithm + +The nature of the encryption algorithm used for exchanging the sign-in key with the provider is +automatically negotiated between Identity Manager Server and the authentication server. The most +secure algorithm that both systems support is chosen. + +### Configuration + +First, the WS-Federation must be enabled under the authentication > WsFederation section: + +| Name | Type | Description | +| ---------------- | ------- | --------------------------------------------------------- | +| Enabled required | Boolean | Enables or disables the **WS-Federation** authentication. | + +Then, users must create a new subsection per **WS-Federation** provider. They are free to choose any +section name. Its sole purpose is for users to find the authentication method in the configuration +files. 
+ +Each section is configured with the following settings: + +| Name | Description | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MetadataAddress required | Identifies, for Identity Manager, the target **WS-Federation** server's metadata. This information is to be retrieved from the app registration process or directly from the **WS-Federation** provider. The value commonly ends with the path `/`FederationMetadata/2007-06/FederationMetadata.xml. 
- For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is https://``/federationmetadata/2007-06/federationmetadata.xml with `` the name of your ADFS server such portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), it is also known as **Federation Metadata Document**. It is available in Identity Manager's registered app _blade_, in the _endpoint_ panel, _Federation Metadata Document_ value. It looks like https://bbd35166-7c13-49f3-8041-9551f2847b69/FederationMetadata/2007-06/FederationMetadata.xml with bbd35166-7c13-49f3-8041-9551f2847b69 Microsoft Entra ID tenant id. | +| Wtrealm required | Identifies the Identity Manager app within the **WS-Federation** provider. This information is available directly at the authentication provider's portal. It is chosen during the registration process. - For [Active Directory Federation Services](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#active-directory-federation-services), it is the value set as the relying party WS-Federation Passive protocol URL parameter during the [registration](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#registration) of Identity Manager to the ADFS server. It usually looks like an URL such as https://portal.contoso.com. - For [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id), this is the Application ID URI. It is available from Identity Manager's registered app blade > Expose an API > APP ID URI. 
It has been either chosen by the user or generated by the [Microsoft Entra ID](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0#microsoft-entra-id) provider during the Expose an API > set > save step of the registration. Generated values look like api://bbd35166-7c13-49f3-8041-9551f2847b69. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| AuthenticationScheme required | Is the unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | + +Example + +This example configures a WS-Federation-based authentication provider identified as +WsFederationContoso_LA in the configuration file. + +Within Identity Manager, it will be identified with the authentication scheme WsFederationAAD. + +It will be displayed as _Connection Microsoft Entra ID with WS-Federation protocol_ in the UI +external login prompt. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Authentication": +    { +        ... +        "WsFederation": { +            "Enabled": "", +            "WsFederationContoso_LA": { +                "AuthenticationScheme": "", +                "DisplayName": "", +                "MetadataAddress": "", +                "Wtrealm": "" +            } +        } +    } +} +``` + +## Set Up SAML2 Authentication + +One or several **SAML2** authentication providers can be set up under the authentication > SAML2 +section. + +Identity Manager does not provide a signature for SAML2 authentication. + +Multiple providers + +One or several **SAML2** authentication providers can be set up. + +Registration process + +Using a **SAML2** authentication requires Identity Manager Server to be registered to the provider. 
+An **Entity ID URI** value is set up for Identity Manager during the registration process. It is +used as the prefix for scopes and as the value of the audience claim in access tokens. The value can +be generated by the provider, or set manually as a URL-shaped string value. This allows Identity +Manager to identify itself to the authentication provider. + +Reply URL + +The target **SAML2** provider needs to be aware of the URI where to send the authentication token if +the authentication succeeds. This URI is called **Reply URL** or **Assertion Consumer Service (ACS) +URL**. + +During the registration process, the provider will ask for the URL. + +Identity Manager's **Reply URL** for **SAML2** is ``/Saml2/Acs where +`` is the address of your Identity Manager Server such as +https://identitymanager.contoso.com. + +Make sure to enter this exact URL which is treated case sensitively. + +Configuration + +First, the SAML2 method must be enabled under the authentication > SAML2 section. + +| Name | Type | Description | +| ---------------- | ------- | ----------------------------------------- | +| Enabled required | Boolean | Enables or disables SAML2 Authentication. | + +Then, users must create a new subsection per SAML2 provider. Users are free to choose any section +name. Its sole purpose is for users to find the authentication method in the configuration files. + +Each section is configured with the following settings: + +| Name | Description | +| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| MetaDataLocation required | Identifies, for Identity Manager, the target SAML2 server's metadata. This information is to be retrieved from the app registration process or directly from the SAML2 provider. 
The value commonly ends with the path /FederationMetadata/2007-06/FederationMetadata.xml. | +| IdentityProviderEntityID required | Is the Identity Provider Issuer (also known as provider Entity ID) that identifies the provider to Identity Manager. This information is to be retrieved from the provider's portal. For Microsoft Entra ID, it is the first line of metadata file. | +| DisplayName optional | Is the provider display name. Chosen by the user, it is used in the UI to identify the authentication method. | +| EntityIdAppliUriID required | Is Identity Manager's Entity ID issued during the registration process. Also referred to as an Identifier URI. For Microsoft Entra ID, it is set during the Expose an API > set > save step of the registration. Generated values look like api://bbd35166-7c13-49f3-8041-9551f2847b69. | +| NameIdFormat optional | Is the requested format of the subject's name identifier. | +| MinIncomingSigningAlgorithm optional | Is minimal signing algorithm to validate SAML2 response. | +| EncryptionCertificate optional | Sets the location of the public key certificate and the private key used to handle input and output files encryption. **NOTE:** This is required to enable logout. | + +> This example configures a SAML2-based authentication provider identified as SAMLConnection in the +> configuration file. +> +> It will be displayed as Connection Azure ActiveDirectory with SAML2 protocol in the UI external +> login prompt. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> { +>     "Authentication": +>     { +>         ... +>         "SAML2": { +>             "Enabled": true, +>             "SAMLConnection": { +>                 "DisplayName": "",  +>                 "EntityIdAppliUriID": "",  +>                 "MetaDataLocation": "",  +>                 "": "", +>                 "EncryptionCertificate": { +>                 ... 
+>                 } +>             } +>         } +>     } +> } +> ``` + +### Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal ](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files)Information + Exchange file or `.pfx` file) stored in the Agent's host file system. The archive contains both + the public key certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. + +_Remember,_ Netwrix recommends using Windows' certificate store. + +On the other hand, the PFX file takes priority over Windows' certificate, which means that when +`File` is specified then the PFX certificate is used, even if the options for Windows' certificate +are specified too. + +In both ways, missing and/or incorrect settings trigger an error and no certificate is loaded. + +_Remember,_ the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity +Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and +EncryptionCertificate are defined at the same level in the configuration file. + +#### As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    ... 
+    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a `.pfx` file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the Identity Manager-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a `.pfx` file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe[ ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md)tool. 
| + +#### As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { +    ... +    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Description | +| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------------------- | +| DistinguishedName (optional) | String | SubjectDistinguishedName of the store certificate. **NOTE:** This is required when Thumbprint is not specified. | +| Thumbprint (optional) | String | Thumbprint of the store certificate. **NOTE:** This is required when DistinguishedName is not specified. | +| StoreLocation (required) | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName (required) | String | Name of the relevant Windows certificate store. | + +##### Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +_Remember,_ the AzureKeyVault section is mandatory when using CertificateAzureKeyVault. Identity +Manager server loads the encryption certificate from Azure Key Vault only if the AzureKeyVault and +EncryptionCertificate are defined at the same level in the configuration file. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Authentication": { +        ... +        "SAML2": { +            "Enabled": true, +            "": { +                ... 
+                "AzureKeyVault": { +                    "Vault": "", +                    "ConnectionString": "..." +                }, +                "EncryptionCertificate": { +                    "CertificateAzureKeyVault": "" +                } +            } +        } +    } +} +``` + +## Set Up Internal Methods + +When Internal Methods is enabled, the end-user is prompted via a form to input a login and a +password. The login to be used is defined within the applicative configuration's Select User By +Identity Query Handler Setting element. See the [ Various XML Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/settings/index.md) +topic for additional information. + +First, the AllowLocalLogin parameter needs to be set to true in the Authentication section. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ +    "AllowLocalLogin":true +} +``` + +Then, Active Directory User Store or Test User Store can be enabled. + +### Active Directory User Store + +The Active Directory User Store allows users to authenticate with a login and password that will be +compared against the Active Directory content. + +Several forests can be set up as identity providers for authentication. This allows, for example, +the authentication of users that belong to different Active Directory forests. + +It is configured under the Authentication > ActiveDirectoryUserStore section. + +First, the ActiveDirectoryUserStore must be enabled. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"":{ +    "AllowLocalLogin":true, +    "ActiveDirectoryUserStore": { +        "Enabled": true +        ... 
+    } +} +``` + +| Name | Type | Description | +| ---------------- | ------- | ------------------------------------------------------------------ | +| Enabled required | Boolean | True to enable authentication via the Active Directory User Store. | + +In the same section, several authentication providers can be defined, each one based on an Active +Directory forest. + +For each forest, a new section is added under ActiveDirectoryUserStore. Any name may be chosen for +the forest section as long as it is unique. Two forest sections can't be identical though. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +"": { +    "Enabled": true, +    "Forest1": { +        "AuthenticationScheme": "<...>", +        "Server": "<...>", +        ... +    } +} +``` + +Under the new forest section, the following parameters are used to configure the authentication +method. + +> The following example sets a single authentication method, based on the Forest1 forest. The domain +> controller is located at 127.168.0.1. If the user enters the login MyLogin, the resulting logon +> will be CONTOSO\paris\MyLogin. The Postfix won't be used as a Prefix is already provided. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> "": { +>   "Enabled": true, +>   "Forest1": { +>       "AuthenticationScheme": "", +>       "Server": "<127.168.0.1>", +>       "Domain": "", +>       "Prefix": "", +>       "Postfix": "" +>   } +> } +> ``` +> +> In the following example, if the user enters the login MyLogin, the resulting logon will be +> MyLogin@Identity Manager.contoso. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. 
+> +> ``` +> "": { +>   "Enabled": true, +>   "Forest1": { +>       "AuthenticationScheme": "", +>       "Server": "<127.168.0.1>", +>       "Postfix": "" +>   } +> } +> ``` +> +> The following example enables authentication via the Active Directory User Store, for the Forest1 +> forest,by checking not only the password and account activation, but also whether the password is +> expired. +> +> Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +> script in the command line. +> +> ``` +> "": { +>   "Enabled": true, +>   "Forest1": { +>       "AuthenticationScheme": "", +>       "Server": "<127.168.0.1>", +>       "Domain": "", +>       "FastBind": false +>       ... +>   } +> } +> ``` + +| Name | Type | Description | +| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AuthenticationScheme required | String | Unique identifier of this authentication method within Identity Manager. Any string value can be used, unique among all authentication methods. | +| Server required | String | Identification of the domain controller that runs the Active Directory Domain Service against which the authentication is performed. 
Based on [Microsoft's documentation](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection?view=dotnet-plat-ext-8.0), the format is defined either: - by a domain name - by an LDAP server name - or a dotted string representing the IP address of the LDAP server/Domain Controller (example: 98.20.33.2). Optionally, this parameter may also include a port number, separated from the host by a colon (example: 98.20.33.2:4520). | +| Domain optional | String | Identification of the Active Directory domain or sub-domain against which the authentication will be performed. It is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Domain\login. The domain is used only if no postfix was provided. This parameter is ignored if the domain or the UPN suffix is already specified in the login. This is the case for a login that conforms to the format domain\login or login@domain.com. | +| FastBind default value: True | Boolean | True to check a user's credentials by verifying only the password and account activation. | +| NoSigning default value: true | Boolean | Enables or disables [Kerberos encryption](https://en.wikipedia.org/wiki/Kerberos_(protocol)). | +| Prefix optional | String | Is a string used to complete the user's logon in an INet name fashion. The resulting logon will resemble Prefix\login. The Postfix isn't used if the domain or the UPN suffix is already specified in the login. | +| Postfix optional | String | Is used to complete the user's login in a principal name fashion. The Postfix corresponds to the User Principal Name (UPN) suffix. The resulting logon will resemble login@Postfix. The Postfix isn't used if the domain or the UPN suffix is already specified in the login, or if the Prefix is already provided. | +| Ssl default value: false | Boolean | Enables or disables SSL for network communication between Identity Manager and the Active Directory. 
| + +### Test User Store + +A Test User Store can be set up under the authentication > TestUserStore section. It allows all +users to authenticate with their login and the same password. + +_Remember,_ this should never be used in a production environment. + +The following parameters are available under the authentication > TestUserStore section: + +| Name | Type | Description | +| ----------------- | ------- | --------------------------------------------------------------- | +| Enabled required | Boolean | Enables or disables the OpenId Connection. | +| Password required | String | Is the password for all users to authenticate Identity Manager. | + +Example + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    "Authentication": +    { +      "AllowLocalLogin":true +        ... +        "": { +            "Enabled": true, +            "Password": "" +        } +    } +} +Here is an example using both `IdentityServer` and `Authentication` sections. +appsettings.json +{ +    ... +    "IdentityServer": { +        "X509KeyFilePath": "<./identitymanagerContoso.pfx>", +        "X509KeyFilePassword": "" +    }, +    "Authentication": { +        "RequireHttpsMetadata": false, +        "TestUserStore": { +            "Enabled": "", +            "Password": "" +        }, +        "AllowLocalLogin": true +    } +    ... +} +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md new file mode 100644 index 0000000000..204d7e709c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md 
@@ -0,0 +1,316 @@ +# Application Settings + +This section describes the settings available in the server's appsettings.json file, located in the +server's working directory or in environment variables. + +JSON files can contain any additional information that you might find useful. See the example below. + +For example, in order to store the agent's address, we can add: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +"": { +  "Url": "" +} +``` + +As Identity Manager does not know any object named Identity Manager Agent, its content will be +ignored, but it can still be used to store information for human use. + +The appsettings set allows the following attributes and sections: + +| Name | Type | Description | +| ------------------------------------------------------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationUri required | String | URI of the server to use in log messages, to communicate with the server in tasks, to allow certain redirect URIs. It must be the same as the agent's appsettings.json's ApplicationUri. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       “ApplicationUri”: “usercubeserver.contoso.com:5000” }` | +| EncryptionCertificate required | EncryptionCertificate | Settings to configure the encryption of specific files. | +| License | String | License key of the server. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       “License”: “{"LicensedTo":"","ValidTo":"<20120905>","IdentityQuota":"<10000>","Signature":"<…>"}" }` | +| Agents optional | Agent List | List of agents' settings used to work on several environments. See the [ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) topic for additional information. This way, each Agent's URI/URL is configured without altering the database. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       “Agents”: {             “Local”: {                   “Uri”: “”             },             …       } }` | +| AppDisplay optional | AppDisplay | Settings to override the application display XML configuration. See the [App Display Setting](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) topic for additional information. 
It is useful to change the application's theme and name without redeploying the whole configuration. | +| ApplicationInsights optional | ApplicationInsights | Settings to plug to and configure the [App Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) monitoring tool. | +| DataProtection optional | DataProtection | Settings to configure the encryption used for the authentication cookies and the anti-forgery tokens. The data protection can be configured to share the keys between several instances of Identity Manager's server, for example when deployed in a cluster where the servers do not have the same machine id. | +| DefaultPageSize optional | UInt | Default number of items returned when using squeries, if none specified in PageSize or in squery limit. | +| HstsPreload optionalAttribute default value: false | Boolean | Sets the preload parameter of the Strict-Transport-Security header. Preload is not part of the RFC specification, but is supported by web browsers to preload [HSTS](https://hstspreload.org/) sites on fresh install. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `
appsettings.json

{
  ...
  "HstsPreload":  true
}
 ` | +| InstallationDirectoryPath default value: Usercube-Server.exe | String | Path of the installation directory. It is used to read other configuration files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …      “InstallationDirectoryPath”:  “” }` | +| MailSettings optional | String | Settings to configure the email service. | +| MaxActors default value: 20 maximum value: 50 | UInt | The maximum number of recipients who will be notified of the Workflow changes and can take action. If the number of recipients is exceeding the MaxRecipients value, then the actors will have the task assigned to them but they will not receive an email notification. In order for all actors to receive an email notification the MaxRecipients should be increased as well. | +| MaxPageSize optionalAttribute | UInt | It represents the maximum number of items returned when using squeries. | +| NotUseAgent default value: false | Boolean | True to disable the use of the agent. See the[ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "":  true }` | +| OpenIdClients optional | OpenIdClient List | List of hashed secrets used to override the plain-text secrets from the OpenIdClient XML configuration. See the [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) topic for additional information. This way, Identity Manager stores only hashed secrets, for security purposes. Each environment must have its own secret, distinct from the others. 
Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "OpenIdClients": {             "Job": {                   "": ""             },             "PowerBI": {                   "": "<7b8N2NWka5alDrjM7rFqf7+xqq9LIcT5jSoQ+1Ci2V0>"             }       } }` | +| PowerBISettings optional | PowerBISettings | Settings to configure the API used by Power BI to access Identity Manager data. | +| Serilog optional | Serilog | Settings to configure the logging service, complying to the Logger properties and structure. See the [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "Serilog": {             "WriteTo": [ "Console" ],             "MinimumLevel": {                   "Default": "Error",                   "Override": {                         "Usercube": "Information"                   }             }       } }` | +| Swagger optional | Swagger | By enabling [Swagger ](https://swagger.io/tools/swagger-ui/)you can visualize and interact with the API's resources without having any of the implementation logic in place. It is automatically generated from Identity Manager's API, with the visual documentation making it easy for back-end implementation and client-side consumption. | +| TempFolderPath default value: ../Temp | String | Path to the temporary folder which contains: - ExportOutput: directory storing data exported from connectors. - JobLogs: directory storing task instance logs. - Reports: directory storing generated reports. - Packages: directory storing the downloaded package logos. - PolicySimulations: directory storing the files generated by policy simulations. 
- ProvisioningCache.txt: file storing the clustered provisioning cache. When enabled, this file can be used to coordinate the API cache among clusters. - CorrelationCache.txt - RiskCache.txt - ExpressionCache.txt - scheduler.lock - connector.txt - container.reset.txt: file acting as a reset command for Identity Manager's server, i.e. any change to this file triggers the reset service, thus reloading all the services instantiated by the server. This path can be overridden by **ResetSettings** > **FilepathResetService**. - Mails: directory storing the email messages. This path can be overridden by **ResetSettings** > **PickupDirectory**. - Deployment These elements can be removed, but make sure to restart the server after doing so. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "" }` | +| WorkFolderPath default value: ../Work | String | Path of the work folder which contains: - Collect: directory storing the CSV source files exported by connectors. - ProvisioningOrders: directory storing the orders generated by the server. - FulfillPowerShell: PowerShell provisioner's working directory. - FulfillRobotFramework: Robot Framework's provisioner working directory. - ExportCookies: directory storing the cookies used for incremental export. - Synchronization: directory storing the agent's data collection results. - Upload: directory storing the uploaded media like uploaded pictures, before they are inserted into the database. - appsettings.connection.json These elements must not be removed, because doing so may disrupt Identity Manager's execution after restarting. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …     "" }` | + +## Swagger + +Swagger is set using the attribute below. 
+ +| Name | Type | Description | +| ---------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Enabled required | Boolean | True to enable Swagger. Example: `appsettings.json {       …     "Swagger": {         "Enabled": false       }, }` **NOTE:** We recommend setting this to false for production environments. | + +## Encryption Certificate + +This information can be set one of two ways: + +- As a [Public Key Cryptography Standards (PKCS) #12](https://en.wikipedia.org/wiki/PKCS_12) archive + (also called + [Personal Information Exchange file](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/personal-information-exchange---pfx--files) + or .pfx file) stored in the Agent's host file system. The archive contains both the public key + certificate and the private key. +- As a certificate from a Windows' + [certificate store](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/working-with-certificates#certificate-store) + identified by SubjectDistinguishedName or by Thumbprint. The Windows certificate also contains + both the public key certificate and the private key. +- _Remember,_ Netwrix recommends using Windows' certificate store. A subject name can identify + multiple certificates in the same Certificate Store since the Subject Name needs not to be unique. + If there are multiple certificates identified by the subject name given in the appsettings, + Identity Manager will use the first one. However it is not possible to say exactly which + certificate will be loaded first. The thumprint is unique among the certificates so it can help + with for the certificate identification. + +As a PFX file + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +{ +    ... 
+    "EncryptionCertificate": { +        "File": "", +        "Password": "" +     } + } + +``` + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. | + +Storing a .pfx file password in plain text in a production environment is strongly discouraged. It +should always be encrypted using the Usercube-Protect-CertificatePassword tool. See the +[ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) +topic for additional information. + +The archive is set using the following attributes: + +| Name | Type | Description | +| ----------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| File required | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive path on the host file system. | +| Password optional | String | [PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) archive password. Storing a .pfx file's password in plain text in a production environment is strongly discouraged. It should always be encrypted using the Usercube-Protect-CertificatePassword.exe tool. 
See the [ Usercube-Protect-CertificatePassword ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-certificatepassword/index.md) topic for additional information. | + +As a Certificate in the Windows Store + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + { +    ... +    "EncryptionCertificate": { +         "DistinguishedName":"", +         "StoreLocation": "", +         "StoreName": "" +     } + } +``` + +The Windows certificate is set using these attributes: + +| Name | Type | Description | +| -------------------------- | ------ | --------------------------------------------------------------------------------------------------- | +| DistinguishedName optional | String | SubjectDistinguishedName of the store certificate. It is required when Thumbprint is not specified. | +| Thumbprint optional | String | Thumbprint of the store certificate. It is required when DistinguishedName is not specified. | +| StoreLocation required | String | Location of the relevant Windows certificate store: LocalMachine or CurrentUser. | +| StoreName required | String | Name of the relevant Windows certificate store. | + +Using Azure Key Vault + +If the certificate is saved in Azure Key Vault, we must define the certificate identifier and the +Vault connection. See the [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +"": { +    "CertificateAzureKeyVault": "" +}     +``` + +Disabling file encryption + +The encryption of specific files can be disabled via the following attribute: + +| Name | Type | Description | +| ------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EncryptFile default value: true | Boolean | True to encrypt specific files such as logs or temporary files. Example: Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line. `appsettings.json {       …       EncryptionCertificate": {             "EncryptFile": false       } }` | + +## Mail Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... 
+  "MailSettings": { +    "FromAddress": "", +    "PickupDirectory": "", +    "UseSpecifiedPickupDirectory": true, +    "UseDefaultCredentials": false, +    "SecureSocketOption": "" +  } +} +           +``` + +The mail settings details are: + +| Name | Type | Description | +| ------------------------------------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FromAddress required | String | Email address used as sender for Identity Manager's emails. | +| AllowedDomains optional | String | List of allowed domains, separated by `;`. | +| CatchAllAddress optional | String | Email address to be used as catchAll. | +| CatchAllCCAddress optional | String | Email address to be used as CC catchAll. | +| Enabled default value: true | Boolean | True to activate Identity Manager's email services. | +| EnableSsl default value: false | Boolean | DEPRECATED: EnableSsl won't be supported in the future. Please specify a SecureSocketOption instead. To keep the same behavior as EnableSsl: True, use the setting SecureSocketOption: StartTls. True to encrypt communication with the SMTP server. 
To be used only when UseSpecifiedPickupDirectory is set to false. | +| MaxRecipients default value: 20 | String | The maximum number of recipients visible in the "To", "CC" and "BCC" fields. Any additional recipient will be deleted automatically. | +| SecureSocketOption default value: Auto | String | Specifies the encryption strategy to connect to the SMTP server. If set, this takes priority over EnableSsl. None: No SSL or TLS encryption should be used. Auto: Allow the mail service to decide which SSL or TLS options to use (default). If the server does not support SSL or TLS, then the connection will not be encrypted. SslOnConnect: The connection should use SSL or TLS encryption immediately. StartTls: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server. If the server does not support the STARTTLS extension, then the connection will fail and a NotSupportedException will be thrown. StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately after reading the greeting and capabilities of the server, but only if the server supports the STARTTLS extension. To be used only when UseSpecifiedPickupDirectory is set to false. | +| Host optional | String | Name or IP address of the host used for SMTP transactions. It is required when UseSpecifiedPickupDirectory is set to false. | +| Password optional | String | Password to be used with the user name as credentials. | +| PickupDirectory optional | String | Path of the folder where Identity Manager will save the email messages. It is useful and required when UseSpecifiedPickupDirectory is set to true. | +| Port optional | String | Port used for SMTP transactions. It is required when Host is defined. | +| UseDefaultCredentials default value: false | Boolean | True to use in requests the default credentials instead of those from UserName and Password here. | +| UserName optional | String | User name to be used with the user name as credentials. 
| +| UseSpecifiedPickupDirectory default value: false | Boolean | True to save email messages to the folder specified in PickupDirectory instead of sending them to their recipients through the host specified in Host. Required when Host is not defined. | + +## Application Insights + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "ApplicationInsights": { +    "InstrumentationKey": "" +  } +} +           +``` + +The application insights details are: + +| Name | Type | Description | +| -------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| InstrumentationKey default value: null | String | Key linked to the AppInsights instance to which the server's logs, requests, dependencies and performance are to be sent. See the Microsoft [Create an Application Insights resource](https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource) article for information on creating an instrumentation key. | + +**NOTE:** The logs sent to AppInsights are configured through the Logger properties. See the +[ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/monitoring/index.md) topic for additional information. + +## PowerBI Settings + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +appsettings.json +{ +  "PowerBISettings": { +    "PageSize": 500 +  }} +           +``` + +The PowerBI Settings details are: + +| Name | Type | Description | +| ---------------------------- | ----- | --------------------------------------------------------- | +| PageSize default value: 1000 | Int32 | Size of the page containing the data returned by the API. | + +## Data Protection + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  "DataProtection": { +    "KeysPath": "", +    "X509KeyFilePath": "<../identitymanager.pfx>", +    "X509KeyFilePassword": "" +  }, +}         +``` + +The Data Protection details are: + +| Name | Type | Description | +| ---------------------------------------------- | ------ | ------------------------------------------------------------- | +| KeysPath default value: ../Work/DataProtection | String | Path of the location where the keys' descriptions are stored. | +| X509KeyFilePath optional | String | Path of the custom certificate used to protect the keys. | +| X509KeyFilePassword optional | String | Password of the custom certificate used to protect the keys. | + +## App Display + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +appsettings.json +{ +  ... +  "AppDisplay": { +    "PrimaryColor": "<#01CDE9>", +    "SecondaryColor": "<#EA6E1A>", +    "BannerColor": "<#EA6E1A>", +    "BannerTextColor": "<#ffffff>", +    "ApplicationNamePrefix": "", +    "ApplicationName": "" +  }, +  ... +}          +``` + +The App Display details are: + +| Name | Type | Description | +| ------------------------------ | ------ | ----------------------------------------------------------------------------------------- | +| ApplicationName optional | String | Name of the application, visible on the application's tabs. 
| +| ApplicationNamePrefix optional | String | Prefix to be displayed before the application name. | +| BannerColor optional | String | HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerTextColor optional | String | HEX code of the color for the banner's text. | +| PrimaryColor optional | String | HEX code of the color for the highlighted buttons. | +| SecondaryColor optional | String | HEX code of the color for the background of the authentication screen. | + +See the +[App Display Setting](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md new file mode 100644 index 0000000000..5575547480 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md 
@@ -0,0 +1,57 @@ +# Server Configuration + +Identity Manager Server's technical configuration includes settings on end-user authentication, +database connection and some general-purpose settings. + +## Configuration Files + +The Server configuration is included in the Server's appsettings set. + +The appsettings set content can be written to appsettings.json in the Server's working directory or +to environment variables. See the [ Architecture ](/docs/identitymanager/saas/identitymanager/integration-guide/architecture/index.md) topic for additional +information. + +The server appsettings supported attributes and sections are described in the following sections: + +- Database Connection +- End-User Authentication +- General-Purpose Settings + +See the[ Connection to the Database ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/database-connection/index.md), +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) and +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) topics for additional information. + +## Secret and Certificate Management + +All the certificates and secrets present in the settings can be loaded with an Azure Key Vault. + +See the [Azure Key Vault](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/azure-key-vault/index.md) topic for additional +information. + +## Default Configuration + +The default behavior of the server configuration is outlined through an example. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +{ +    "IdentityServer": { +        // Token signing certificate stored in a file +        "X509KeyFilePath": "<./identitymanagerContoso.pfx>", +        // Optional certificate password +        "X509KeyFilePassword": "" +    }, +    "Authentication": { +        "RequireHttpsMetadata": false, +        "TestUserStore": { +            "Enabled": "", +            "Password": "" +        }, +        "AllowLocalLogin": true +    } +} + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md new file mode 100644 index 0000000000..81deeaa9ce --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/rsa-encryption/index.md 
@@ -0,0 +1,60 @@ +# RSA Encryption + +Identity Manager provides a few options to protect sensitive data via RSA encryption. + +## Overview + +Sensitive data can be RSA encrypted by using Netwrix Identity Manager (formerly Usercube)'s tools: + +- [ Usercube-Protect-X509JsonValue ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonvalue/index.md) + to encrypt given values; +- [ Usercube-Protect-X509JsonFile ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md) + to encrypt a whole file. + + The file encryption tool should be used only on files that contain only plain text values, not + already encrypted ones. + +Once encrypted, sensitive values can be added to the `appsettings.encrypted.json` file. Netwrix +Identity Manager (formerly Usercube) will read first the values from the encrypted appsettings file, +before reading those from the usual non-encrypted appsettings file. + +These methods require an [X.509 public key certificate](https://en.wikipedia.org/wiki/X.509) (the +same for the encrypted appsettings file and the tools). + +The value encryption tool can be used to encrypt specific values to be added to the encrypted +appsettings file without having to encrypt the whole file again. + +## Focus on the Encrypted Appsettings File + +The `appsettings.encrypted.json` file contains the `appsettings.json` file's sensitive setting +values which are protected by RSA encryption. + +This file follows the exact same structure as the [Server Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/index.md) files. + +### Read the Encrypted File + +Identity Manager can use an RSA decoding algorithm fed by a +[public-key certificate](https://en.wikipedia.org/wiki/X.509) in order to read the encrypted +application settings. 
+ +This requires the usual appsettings file(s) to have `UseEncryptedAppsettings` set to `true`. See +below. + +``` +appsettings.json and/or appsettings.agent.json + +{ + ... + "EncryptionCertificate": { + "File": "./identitymanager.pfx", + "Password": "secret", + "UseEncryptedAppsettings": true + } +} +``` + +This way, values from the encrypted file take priority over the values from the non-encrypted +appsettings files. + +> For example, if `Password` exists in both the encrypted file and the non-encrypted file, then the +> value from the encrypted file is used. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/settings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/settings/index.md new file mode 100644 index 0000000000..847b864256 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/settings/index.md 
@@ -0,0 +1,236 @@ +# Various XML Settings + +This section describes Identity Manager's +[ Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) available in the +applicative configuration. Those are mandatory. + +## ConfigurationVersion + +This setting is used to track the current configuration version. + +``` + + + +``` + +- **Version** defines the configuration version. +- **Description** describes this version in detail. +- **Misc** misc. + +## AppDisplay + +This setting is used to customize the application display. + +``` + + + +``` + +- **PrimaryColor** defines the primary color. +- **SecondaryColor** defines the secondary color. +- **BannerColor** defines the banner (header displaying logo and navigation bar) color. +- **BannerTextColor** defines the banner text color. +- **ApplicationName** defines the application name. +- **LogoFile** defines the logo path. Concerning the logo, for an ideal result, the following ratio + should be used: 5:1. +- **LogoMimeType** defines the logo mime type. +- **FaviconFile** defines the favicon path. +- **FaviconMimeType** defines the favicon mime type. +- **FullNameSeparator** defines the full name separator (default value is `�`). +- **DisableProvisioningCounters** disables the counters related to the provisioning screens (**Role + Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and + **Manual Provisioning** - default value is `false`). + +## CustomLinks + +This setting enables the configuration of custom links that let the user navigate to a custom static +HTML page. Only two CustomLinkSetting can be configured. + +The example below defines two custom links accessible through the URLs "_your-Identity +Manager-domain_/LegalNotice" and "your-Identity Manager-domain/TermsOfService", each showing the +content of the corresponding HTML file depending on the currently selected language. 
+ +``` + + + +``` + +- **Url\_**(required)\_ defines the url address from which to access the custom page. +- **Path*L1***(required)\_ defines the path (from the configuration root) to the HTML file to be + rendered depending on the currently selected language in the user interface (`Path_L1` to + `Path_L16` are available). Only `Path_L1` is required. While navigating to a custom link, if no + HTML path was defined for the current language, then `Path_L1` is taken as default. + +To be displayed correctly, images should be embedded in the HTML files as Base64 images using the +`src` attribute like this : ``. You can easily +convert your images using this [Base64 Image Encoder](https://elmah.io/tools/base64-image-encoder/). + +To navigate to the custom links from the user interface, NETWRIX recommends configuring a `MenuItem` +with a `URI` value matching the custom link `URL`. The following example defines two menu items, +accessible from the user account tab in the top right corner of the interface, that allows the user +to navigate to the defined URI addresses. + +``` + + + +``` + +![CustomLinksUserMenu.webp](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/settings/customlinksusermenu_v523.webp) + +## DashboardItemNumber + +Some sections on the dashboard contain multiple links. These links are quick links with counters to +the review page filtered by entity type. The links are sorted by entity type priority. + +![DashboardItemNumber.webp](/img/product_docs/identitymanager/identitymanager/integration-guide/network-configuration/settings/dashboarditemnumber.webp) + +By default, 3 links are displayed. If more than 3 entity type links exist, a link "Others" is +displayed with the concatenation of remaining counters. + +This setting is used to customize the number of links to displayed on each section. + +The max number of links to display is 5. 
+ +``` + + + +``` + +- **RoleReviewSection** defines the number of links to display in the "Role Review" section. +- **ProvisioningReviewSection** defines the number of links to display in the "Provisioning Review" + section. +- **RoleReconciliationSection** defines the number of links to display in the "Role Reconciliation" + section. +- **ResourceReconciliationSection** defines the number of links to display in the "Resource + Reconciliation" section. +- **ManualProvisioningSection** defines the number of links to display in the "Manual Provisioning" + section. +- **MyTasksSection** defines the number of links to display in the "My Tasks" section. + +## SelectUserByIdentityQueryHandler + +_This attribute matches an end-user with a resource from the unified resource repository._ + +Authorization mechanisms within Identity Manager rely on assigning +[ Profiles ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +to an identity-resource that stands for the end-user digital identity. + +To that end, and end-user authentication credentials are linked to such an identity-resource using +the following pattern: + +1. Authentication credentials are retrieved; +2. Authentication credentials are trimmed using the **AfterToken** and/or **BeforeToken** + attributes; +3. The trimmed result is matched against the **ResourceIdentityProperty** of resources with an + EntityType **OwnerEntityType**; +4. The matching resource found is used to find a profile and authorization for that digital + identity. + +**Attributes** + +- **ResourceIdentityProperty** is the identity-resource property supposed to match the + authentication login used by the end-user. +- **OwnerEntityType** is the entity type of the resources used to store digital identities within + Identity Manager. +- **BeforeToken\_**(optional)\_ defines the first character used to trim the authentication login. 
+- **AfterToken\_**(optional)\_ defines the second character used to trim the authentication login. + + The trimmed result is the content of the authentication login between _AfterToken_ and + _BeforeToken_. If _BeforeToken_ is empty, trimmed result is everything after _AfterToken_. If + _AfterToken_ is empty, trimmed result is everything before _BeforeToken_. + +- **ResourceDisplayNameProperty** is the property used for displaying login data at the top right of + the application. +- **OwnerPhotoTagProperty** defines the photo property for Identity Manager users. + +**Example** + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). In that case, +the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Identity Manager. + +``` + + + +``` + +## SelectPersonasByFilterQueryHander + +This setting is used to filter the entity type used by authentication mechanism. + +``` + + + +``` + +- **ResourceDisplayNameProperty** represents the display property. +- **OwnerPhotoTagProperty** defines the photo tag property. +- **PersonTypeFilterProperty** defines the filter property. +- **PersonTypeFilter** defines the filter value. +- **MailProperty** defines the mail property. + +## SelectAllPerformedByAssociationQueryHandler + +This setting enables task delegation to a group of people. 
+ +``` + + + +``` + +- **RootEntityType** indicates the entity type on which the delegation is applied. +- **Binding** defines the binding used to get the list of identities to delegate to. + +_NB: In order for delegation to work, users that are part of the delegate group must have at least +one assigned profile_ + +## Scheduling CleanDataBase + +If the default value for the Task CleanDataBase needs to be overridden, define this setting: + +``` + + + +``` + +- `Timeout`: Defines the maximum time a Job or Task can wait after the last run. +- `CronTabExpression`: Define the cron to launch the CleanDatabase Job. + +#### 7. Password Generation Setting + +It is possible to override some aspects of the password generation (used in password reset features) +using the following setting: + +``` + + + +``` + +- `AllowedSymbolChars`: A string containing the list of symbol chars to be used in the generated + password. The default value is : `!;.,?()[]-_&%$+{}@` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md new file mode 100644 index 0000000000..2d00c234f1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md 
@@ -0,0 +1,16 @@ +# appsettings.connection + +## Define configuration through UI + +On some configuration screens, such as the connector screen, it is possible to define some of the +[ Agent Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md). This configuration is stored in the +**appsettings.connection.json** file, located inside the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) work folder. + +The **appsettings.connection.json** file has the exact same structure as the other +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) file. + +This configuration file has the highest priority among others agent's configuration sources . See +the [ Agent Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/index.md) topic for additional information. + +You should not modify this file manually. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/index.md new file mode 100644 index 0000000000..eaed9eb9ca --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/index.md @@ -0,0 +1,6 @@ +# Technical Files + +This section gathers information relative to the technical files that Identity Manager could use or +generate in its lifecycle. + +- [ appsettings.connection ](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/technical-files/appsettings.connection/index.md) 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/custom/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/custom/index.md new file mode 100644 index 0000000000..ae28cc677b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/custom/index.md @@ -0,0 +1,29 @@ +# Custom Notifications + +Custom notifications can be configured for specific needs, to be triggered by a workflow, or +periodically via a task. + +## Workflow-Triggered Notifications + +A notification can be configured to be sent to one or several users right after the execution of a +given activity in [Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md). + +> For example, when a user is created in Identity Manager through a workflow, a notification can be +> sent to the user's manager. A notification can also be sent when someone must process an action +> for a workflow to continue. + +The configuration is made through the XML tag +[ Notification Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md). + +## Periodic Notifications + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the +[ Send Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) +as part of a job. + +> For example, a notification can be sent automatically to remind a manager that someone arrives in +> their team a month before the arrival, and again a week before. + +The configuration is made through the XML tag +[ Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md). 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md new file mode 100644 index 0000000000..b179904481 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md 
@@ -0,0 +1,46 @@ +# Customize a Native Notification + +This guide shows how to set a template other than the default one for native notifications. + +## Overview + +Identity Manager natively sends notifications for usual cases. See the +[ Native Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md) topic for additional information. + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +templates. + +## Customize a Native Notification + +Customize a native notification by proceeding as follows: + +1. Among the + [Notification Template](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md), + get the identifier of the notification whose templates are to be replaced. See the + [Notification Template](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) + topic for additional information. + + > For example, to customize the notification for one-way password reset: `OneWayPasswordReset`. + +2. In `Runtime/NotificationTemplates`, copy to the configuration folder the cshtml template(s) + associated to the notification that need to be overridden. + + > For example, we can copy the template for the email's body but keep the provided template for + > the subject. Then we have: `Conf/Templates/MyOneWayPasswordReset.cshtml`. + > + > Let's say that we also need to customize the email's subject in French which is the language + > 2: `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml` + +3. Customize the template(s) previously copied to the configuration folder. +4. 
Configure an XML element + [Notification Template](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) + with the identifier collected at step 1, and the relative path(s) to the customized template(s). + + > For example: + > + > ``` + > + > + > + > ``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/set-language/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/set-language/index.md new file mode 100644 index 0000000000..38e4c3dcc8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/set-language/index.md 
@@ -0,0 +1,50 @@ +# Set Notifications' Languages + +This guide shows how to set the language for all notifications. + +## Overview + +Identity Manager sends all kinds of notification emails whose language is by default the language +specified in the configuration as the first language. + +The language can also be configured explicitly with a language code. If this language code is not +defined, then notifications use the first language. + +## Set the First Language + +Set the first language for the whole application by proceeding as follows: + +1. In the XML configuration, create a `Language` with `IndicatorNumber` set to `1`. See the + [ Language ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) topic for additional + information. + + > For example, to set English as the first language: + > + > ``` + > + > + > + > ``` + +2. Deploy the configuration and relaunch the server. + +## Set the Language Explicitly + +Set the language explicitly for server-side-task notifications by proceeding as follows: + +1. In the XML configuration, configure `MailSetting` with a `LanguageCode`See the + [ Mail Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md) topic + for additional information. + + > For example, to set the language to English: + > + > ``` + > + > + > + > ``` + + When `LanguageCode` is not defined, then the language of notifications will be the first + language, i.e. the one specified with `Indicator` set to `1`. + +2. Deploy the configuration and relaunch the server. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/index.md new file mode 100644 index 0000000000..777a0a0663 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/index.md 
@@ -0,0 +1,10 @@ +# Notifications + +Identity Manager is able to send notification emails when an action is expected, or a job ends with +an error. + +Identity Manager provides [ Native Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md) for usual cases, for example +provisioning review, resource reconciliation, and role reconciliation. + +[ Custom Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/custom/index.md) can be configured for specific needs, to be triggered by a +workflow, or periodically via a task. diff --git a/docs/usercube_saas/usercube/integration-guide/notifications/native/access-certification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/access-certification/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/notifications/native/access-certification/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/access-certification/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/errored-jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/errored-jobs/index.md new file mode 100644 index 0000000000..5ce7a9590e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/errored-jobs/index.md @@ -0,0 +1,8 @@ +# Jobs with Errors + +Identity Manager is able to send notification emails when a job ends with an error. The notification +email is sent to the user who has the necessary rights and the permission. + +See the [ Native Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md) and +[ Profiles & Permissions ](/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/index.md) topics for additional +information. 
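Review bot: In customize-native-notification/index.md, step 2 relies on a file naming rule it never states. The example `Conf/Templates/MyOneWayPasswordReset_Subject.fr.cshtml` carries a `_Subject` part and a `.fr` suffix, while the prose only says French "is the language 2". State whether the suffix is the language code or depends on the language's position, and whether the copied file may be renamed (the example adds a `My` prefix), since step 4 refers to it only by relative path. Step 1 links the same Notification Template topic twice in one sentence; one link is enough. The example fence under step 4 is empty in this diff, so the element that ties the identifier to the template paths is never shown.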
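Review bot: In set-language/index.md the same attribute is named two ways: step 1 of "Set the First Language" says `IndicatorNumber` set to `1`, while the closing paragraph of "Set the Language Explicitly" says `Indicator` set to `1`. Use the one name the Language element actually defines. In step 1 of that second section, "`LanguageCode`See the" is missing a period and a space. The introduction says the guide sets the language "for all notifications", but the second procedure is scoped to server-side-task notifications; say which notifications `LanguageCode` covers.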
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md new file mode 100644 index 0000000000..3828c2502f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md 
@@ -0,0 +1,41 @@ +# Native Notifications + +Identity Manager provides native notifications for usual cases, for example role review, +provisioning review, access certification, manual provisioning, etc. + +## Overview + +Identity Manager natively sends notifications for: + +- Password reset to the users whose passwords are reset; +- Access certification to the users selected as reviewers; +- [ Manual Provisioning ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md), provisioning review and role review to the + users who own a profile with the permissions to perform the corresponding actions; +- Jobs that finished in state completed/errored/aborted/blocked/warning to the users who own a + profile with the corresponding permissions. + +Concerning the notifications sent via permissions: +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows a +profile to perform manual provisioning with Directory_User as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. + +See the [References: Permissions](/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md) topic for +additional information. + +Each permission can be configured in an +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) so +that the corresponding notification is disabled. + +All notifications are built based on cshtml templates. 
The templates for native notifications can be +found in `/Runtime/NotificationTemplates`. + +The templates for native notifications can be adjusted to specific needs through the XML tag +[Notification Template](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md). + +See the [ Customize a Native Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/how-tos/customize-native-notification/index.md) for +additional information on how to customize native notifications. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md new file mode 100644 index 0000000000..f85bfaa448 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/manual-provisioning/index.md 
@@ -0,0 +1,29 @@ +# Manual Provisioning + +Identity Manager natively sends notifications concerning manual provisioning. + +## Overview + +### Notification Trigger + +The notifications are sent after a `FulfillTask` with a connection based on the +[ Manual Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md) package. + +### Notification Recipients + +The notifications are sent to the users who own a profile with the following permission: +`/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}` where +`{entityType_identifier}` is the source entity type. + +In order to receive the notifications, a profile must have the full permission path. Having a +(great-)parent permission will not enable notifications for all child entities. + +For example, the permission `/ProvisioningPolicy/PerformManualProvisioning/Directory_User` allows a +profile to perform manual provisioning with `Directory_User` as the source entity type, and receive +the corresponding notifications. On the contrary, the permission +`/ProvisioningPolicy/PerformManualProvisioning/` allows a profile to perform manual provisioning for +all entity types, but not receive the corresponding notifications. + +The permission can be configured in an +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +so that notifications are disabled. diff --git a/docs/usercube_saas/usercube/integration-guide/notifications/native/password-reset/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/password-reset/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/notifications/native/password-reset/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/password-reset/index.md 
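Review bot: Under "Notification Recipients" in manual-provisioning/index.md, the required permission is given as `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}`, but the example that follows uses `/ProvisioningPolicy/PerformManualProvisioning/Directory_User`, without the `/Custom` prefix. Because the text says a profile needs the full permission path to be notified, the example should show the path exactly as it has to be configured, or explain why the prefix is dropped. The same paragraph in native/index.md has the same discrepancy, and there the first path is plain text while the second is in code formatting.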
diff --git a/docs/usercube_saas/usercube/integration-guide/notifications/native/provisioning-review/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/provisioning-review/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/notifications/native/provisioning-review/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/provisioning-review/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/notifications/native/role-review/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/role-review/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/notifications/native/role-review/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/role-review/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md new file mode 100644 index 0000000000..3805d52e68 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/create-assign-profiles/index.md 
@@ -0,0 +1,59 @@ +# Create and Assign Profiles + +This guide shows how to create in the XML configuration profiles and the appropriate rules to assign +these profiles automatically. + +## Create a Profile + +Here is the xml configuration to create a profile in Identity Manager. See the +[ Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) topic for additional +information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Automatically Assign Profiles + +To automatically assign profiles it is necessary to manipulate the ProfileRuleContext and +ProfileRule. See the +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +and +[Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` + +## Configure the Set InternalUserProfiles Task + +The Identity Manager-Set-InternalUserProfiles task is mandatory to automatically assign the profile. +The task can be selected from the Job provisioning list. See the +[ Set Internal User Profiles Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) +topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +           +``` + +Here the TaskEntityType is the reference to connect to Identity Manager and the ResourceType is the +same as in the ProfileRuleContext. 
Once this configuration is done you can add the task in the job +which provisions the Connector AD. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +                     +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md new file mode 100644 index 0000000000..6f383ec6c0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/how-tos/rightsrestriction/index.md 
@@ -0,0 +1,139 @@ +# Restrict Users' Rights + +This guide shows how to define rules to limit users' access rights, which is possible via several +elements. + +## Overview + +Each UI element can be accessed only by the users who have a profile with the appropriate access +rights. + +All of this page's examples are based on the following access rights to view the `Directory_User` +entity type: + +``` + + + +``` + +## Assign a Profile Based on Users' Dimensions + +Assign a profile based on users' dimensions by proceeding as follows: + +1. Create the appropriate dimensions. + + > The following example states two user criteria as dimensions: users' organizations and titles: + > + > ``` + > + > + > + > ``` + + See the [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +2. Write profile rules and profile rule contexts to make the previously created dimensions act as + filters in rules meant to assign profiles to users. + + > The following examples creates a rule assigning the `Manager` profile to specific users based + > on their organizations and titles, now that they both exist as dimensions: + > + > ``` + > + > + > + > ``` + + The profile rule context must use a Sub-Binding to define the entity type that contains the + dimension information. + + See the [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +## Limit an Entity's Visibility + +Limit an entity's visibility by proceeding as follows: + +1. Create at least one property group to gather a set of entity properties together. + + > For example: + > + > ``` + > + > + > + > ``` + + See the [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + +2. 
Create an access control entity type to list all the properties whose visibility must be + restricted, and link them to a visibility group. + + > For example: + > + > ``` + > + > + > + > ``` + + As a result, all the properties listed in the access control entity type are hidden from users + by default when they have the usual permissions written above. See the + [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for + additional information. + + To be able to see these properties, a user must have these permissions with a full access. + + > For example to give access to all properties: + > + > ``` + > + > + > + > ``` + > + > And to give access only to a property group: + > + > ``` + > + > + > + > ``` + + When there is not any profile with a full access, then the visibility restriction is lifted and + all users can access the properties. + +## Limit a Profile's Permissions + +Limit a profile's permissions by using filters in the access control rule that give permissions to +the profile. + +> For example to limit permissions based on a hardcoded value: +> +> ``` +> +> +> +> +> +> +> +> ``` +> +> And based on a dimension: +> +> ``` +> +> +> +> +> +> +> +> ``` + +See the [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) topic for +additional information. diff --git a/docs/usercube_saas/usercube/integration-guide/profiles-permissions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/profiles-permissions/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/index.md 
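Review bot: In create-assign-profiles/index.md, the sentence "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line" appears four times, yet the blocks it introduces are XML configuration, not a command-line script. Say once that placeholders must be replaced before the configuration is deployed. The task is named "Identity Manager-Set-InternalUserProfiles", which reads like the product rename applied to a task identifier; confirm the real identifier, since the heading and the link call it Set InternalUserProfiles / Set Internal User Profiles Task. "Automatically Assign Profiles" discusses ProfileRule but links the Access Control Rule topic.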
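Review bot: In rightsrestriction/index.md, step 2 of "Limit an Entity's Visibility" ends with "When there is not any profile with a full access, then the visibility restriction is lifted and all users can access the properties". That means the restriction fails open, so it belongs in a visible note next to the step rather than in a trailing sentence, together with a pointer on how to confirm that at least one profile has full access. Every "See the ... topic" link in this file, including those under the property group, access control entity type and access control rule filter steps, points to the Dimension topic; link the matching reference topics instead. "The following examples creates" should read "The following example creates".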
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md new file mode 100644 index 0000000000..97cca3fa80 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md 
@@ -0,0 +1,1985 @@ +# References: Permissions + +Here is a list of permissions required for different user profiles: + +- /AccessCertification/AccessCertificationCampaign/Create + + Permission to create objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Delete + + Permission to delete objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Process + + Permission to process AccessCertificationCampaign decisions. + +- /AccessCertification/AccessCertificationCampaign/Query + + Permission to query and read objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaign/Update + + Permission to update objects of type AccessCertificationCampaign. + +- /AccessCertification/AccessCertificationCampaignPolicy/Query + + Permission to query and read objects of type AccessCertificationCampaignPolicy. + +- /AccessControl/AccessControlEntry/Create + + Permission to create objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Delete + + Permission to delete objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Query + + Permission to query and read objects of type AccessControlEntry. + +- /AccessControl/AccessControlEntry/Update + + Permission to update objects of type AccessControlEntry. + +- /AccessControl/AccessControlFilter/Create + + Permission to create objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Delete + + Permission to delete objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Query + + Permission to query and read objects of type AccessControlFilter. + +- /AccessControl/AccessControlFilter/Update + + Permission to update objects of type AccessControlFilter. + +- /AccessControl/AccessControlPermission/Query + + Permission to query and read objects of type AccessControlPermission. 
+ +- /AccessControl/AccessControlRule/Create + + Permission to create objects of type AccessControlRule. + +- /AccessControl/AccessControlRule/Delete + + Permission to delete objects of type AccessControlRule + +- /AccessControl/AccessControlRule/Query + + Permission to query and read objects of type AccessControlRule. + +- /AccessControl/AccessControlRule/Update + + Permission to update objects of type AccessControlRule. + +- /AccessControl/AssignedProfile/Create + + Permission to create objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Delete + + Permission to delete objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Query + + Permission to query and read objects of type AssignedProfile. + +- /AccessControl/AssignedProfile/Update + + Permission to update objects of type AssignedProfile. + +- /AccessControl/OpenIdClient/Create + + Permission to create objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Delete + + Permission to delete objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Query + + Permission to query and read objects of type OpenIdClient. + +- /AccessControl/OpenIdClient/Update + + Permission to update objects of type OpenIdClient. + +- /AccessControl/Profile/Create + + Permission to create objects of type Profile. + +- /AccessControl/Profile/Delete + + Permission to delete objects of type Profile. + +- /AccessControl/Profile/Query + + Permission to query and read objects of type Profile. + +- /AccessControl/Profile/Update + + Permission to update objects of type Profile. + +- /AccessControl/ProfileRuleContext/Query + + Permission to query and read objects of type ProfileRuleContext. + +- /Connectors/Agent/Create + + Permission to create objects of type Agent. + +- /Connectors/Agent/Delete + + Permission to delete objects of type Agent. + +- /Connectors/Agent/Query + + Permission to query and read objects of type Agent. 
+ +- /Connectors/Agent/Update + + Permission to update objects of type Agent. + +- /Connectors/Connection/Create + + Permission to create objects of type Connection. + +- /Connectors/Connection/Delete + + Permission to delete objects of type Connection. + +- /Connectors/Connection/Query + + Permission to query and read objects of type Connection. + +- /Connectors/Connection/Update + + Permission to update objects of type Connection. + +- /Connectors/ConnectionColumn/Query + + Permission to query and read objects of type ConnectionColumn. + +- /Connectors/ConnectionPackage/Query + + Permission to query and read objects of type ConnectionPackage. + +- /Connectors/ConnectionTable/Query + + Permission to query and read objects of type ConnectionTable. + +- /Connectors/Connector/Create + + Permission to create objects of type Connector. + +- /Connectors/Connector/Delete + + Permission to delete objects of type Connector. + +- /Connectors/Connector/Query + + Permission to query and read objects of type Connector. + +- /Connectors/Connector/Update + + Permission to delete objects of type EntityAssociationMapping. + +- /Connectors/EntityAssociationMapping/Create + + Permission to create objects of type EntityAssociationMapping + +- /Connectors/EntityAssociationMapping/Delete + + Permission to delete objects of type EntityAssociationMapping + +- /Connectors/EntityAssociationMapping/Query +- Permission to query and read objects of type EntityAssociationMapping. +- /Connectors/EntityAssociationMapping/Update + + Permission to update objects of type EntityAssociationMapping. + +- /Connectors/EntityPropertyMapping/Create + + Permission to create objects of type EntityPropertyMapping. + +- /Connectors/EntityPropertyMapping/Delete + + Permission to delete objects of type EntityPropertyMapping. + +- /Connectors/EntityPropertyMapping/Query + + Permission to query and read objects of type EntityPropertyMapping. 
+ +- /Connectors/EntityPropertyMapping/Update + + Permission to update objects of type EntityPropertyMapping + +- /Connectors/EntityTypeMapping/Create + + Permission to create objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Delete + + Permission to delete objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Query + + Permission to query and read objects of type EntityTypeMapping + +- /Connectors/EntityTypeMapping/Update + + Permission to update objects of type EntityTypeMapping + +- /Connectors/EntityTypeMappingByConnectorIdQuery/Query + + Permission to query and read objects of type EntityTypeMappingByConnectorIdQuery + +- /Connectors/PasswordResetContextsByIdsQuery/Query + + Permission to query and read objects of type PasswordResetContextsByIdsQuery + +- /Connectors/ProvisionerResourceTypeMapping/Query + + Permission to query and read objects of type ProvisionerResourceTypeMapping + +- /Connectors/ProvisioningSession + + Permission to get provisioning orders from server for a connector. + +- /Connectors/ResourceTypeMapping/Query + + Permission to query and read objects of type ResourceTypeMapping (resource types' fulfill + settings in the UI) when launching a resource-type-related job. + +- /Connectors/SynchronizeSession + + Permission to send connector files to the server. + +- `/Custom/AccessCertification/AutoAssigned/{entityType_identifier}` + + Permission to be automatically assigned to an access certification item corresponding to an + access right owned by an object of type `entityType_identifier`. + +- `/Custom/AccessCertification/ManualAssigned/{entityType_identifier}` + + Permission to be manually assigned to an access certification item corresponding to an access + right owned by an object of type `entityType_identifier`. 
+ +- `/Custom/ManageAccounts/{entityType_identifier}` + + Permission to display the Manage Accounts menu for resources corresponding to an access right + owned by an object of type `entityType_identifier`. + +- `/Custom/ProvisioningPolicy/AssignedRoles/{entityType_identifier}` + + Permission to view the roles assigned to an object of type entityType_identifier. + +- `/Custom/ProvisioningPolicy/BulkPerformManualProvisioning/{entityType_identifier}` + + Permission to perform bulk validations on the **Manual Provisioning** page. + +- `/Custom/ProvisioningPolicy/BulkReconciliateResources/{entityType_identifier}` + + Permission to perform bulk validations on the **Resource Reconciliation** page. + +- `/Custom/ProvisioningPolicy/BulkReviewProvisioning/{entityType_identifier}` + + Permission to perform bulk validations on the **Provisioning Review** page (only for errored + orders). + +- `/Custom/ProvisioningPolicy/BulkRoleReconciliation/{entityType_identifier}` + + Permission to perform bulk validations on the **Role Reconciliation** page. + +- `/Custom/ProvisioningPolicy/PendingAssignedResourceTypes/{resourceType_identifier}` + + Permission to query and read all the pending assigned resource types linked to + `{resourceType_identifier}`. + +- `/Custom/ProvisioningPolicy/PerformManualProvisioning/{entityType_identifier}` + + Permission to perform manual provisioning, access the corresponding screens and be notified + accordingly, when `{entityType_identifier}` is the source entity type. + +- `/Custom/ProvisioningPolicy/ReconciliateResources/{entityType_identifier}` + + Permission to reconcile resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/ProvisioningPolicy/ReconciliateRoles/{entityType_identifier}` + + Permission to reconcile role corresponding to an access right owned by an object of type + `entityType_identifier`. 
+ +- `/Custom/ProvisioningPolicy/ReviewProvisioning/{entityType_identifier}` + + Permission to review provisioning corresponding to an access right owned by an object of type + `entityType_identifier`. + +- The permission's recipient will receive a notification email. + + **NOTE:** In order to receive the notifications, a profile must have the full permission path. + Having a (great-)parent permission will not enable notifications for all child entities. + + For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows + a profile to perform manual provisioning with Directory_User as the source entity type, and + receive the corresponding notifications. On the contrary, the permission + /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning + for all entity types, but not receive the corresponding notifications. + Each permission can be configured in an access control entry so that the corresponding + notification is disabled. See the + [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md)topic + for additional information. + +- `/Custom/ProvisioningPolicy/ReviewRoles/{entityType_identifier}` + + Permission to review roles corresponding to an access right owned by an object of type + entityType_identifier. + + The permission's recipient will receive a notification email. + + **NOTE:** In order to receive the notifications, a profile must have the full permission path. + Having a (great-)parent permission will not enable notifications for all child entities. + + For example, the permission /ProvisioningPolicy/PerformManualProvisioning/Directory_User allows + a profile to perform manual provisioning with Directory_User as the source entity type, and + receive the corresponding notifications. 
On the contrary, the permission + /ProvisioningPolicy/PerformManualProvisioning/ allows a profile to perform manual provisioning + for all entity types, but not receive the corresponding notifications. + Each permission can be configured in an access control entry so that the corresponding + notification is disabled. See the + [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md)topic + for additional information. + +- `/Custom/Reports/{reportQuery_identifier}` + + Permission to access reports corresponding to the query `reportQuery_identifier`. + +- `/Custom/ResourceChanges/{connector_identifier}` + + Permission to query and read any resource changes from the `ResourceChanges` table. + +- `/Custom/ResourceFileChanges/{connector_identifier}` + + Permission to query and read any resource file changes from the `ResourceFileChanges` table. + +- `/Custom/ResourceFiles/{entityType_identifier}/{property_identifier}/View` + + Permission to query and read any resource files from the `ResourceFile` table corresponding to + the property `property_identifier` of the entity `entityType_identifier`, for example the + `Directory_User` photo property. This permission is generated by the + [`ViewAccessControlRules`](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + scaffolding. + +- `/Custom/ResourceLinkChanges/{connector_identifier}` + + Permission to query and read any resource link changes from the `ResourceLinkChanges` table. + +- `/Custom/Resources/{entityType_identifier}/Create` + + Permission to create resources corresponding to an access right owned by an object of type + `entityType_identifier`. 
+ +- `/Custom/Resources/{entityType_identifier}/Delete` + + Permission to delete resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/Query` + + Permission to query and read resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/Self` + + Permission to view self resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/SelfOwnedResources` + + Permission to view self owned resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/SelfTargetResources` + + Permission to view self target resources corresponding to an access right owned by an object of + type `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/Update` + + Permission to update resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/View` + + Permission to view resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/ViewOwnedResources` + + Permission to view owned resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Resources/{entityType_identifier}/ViewTargetResources` + + Permission to view target resources corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/Workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}` + + Permission to access the workflow `workflow_identifier`at the activty `activity_identifier` in + the state `activityTemplateState_shortIdentifier`. 
+ +- `/Custom/Workflows/Supervise/{entityType_identifier}` + + Permission to supervise a workflow corresponding to an access right owned by an object of type + `entityType_identifier`. + +- `/Custom/WorkflowsNotifications/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}` + + Permission to be notified on a workflow's specific state. Applies to notifications specifying + the recipient's type: `Profile`. + +- /EntityTypeMappings + + Permission to see the entity types. + +- /Jobs/Job/Create + + Permission to create objects of type Job. + +- /Jobs/Job/Delete + + Permission to delete objects of type Job. + +- /Jobs/Job/Query + + Permission to query and read objects of type Job. + +- /Jobs/Job/Update + + Permission to update objects of type Job. + +- /Jobs/JobInstance/Create + + Permission to create objects of type JobInstance. + +- /Jobs/JobInstance/Delete + + Permission to delete objects of type JobInstance. + +- /Jobs/JobInstance/Query + + Permission to query and read objects of type JobInstance. + +- /Jobs/JobInstance/Update + + Permission to update objects of type JobInstance. + +- /Jobs/JobStep/Create + + Permission to create objects of type JobStep. + +- /Jobs/JobStep/Delete + + Permission to delete objects of type JobStep + +- /Jobs/JobStep/Query + + Permission to query and read objects of type JobStep. + +- /Jobs/JobStep/Update + + Permission to update objects of type JobStep. + +- /Jobs/RunJob/GetLog + + Read permission for JobLog. + +- /Jobs/RunJob/Launch/Aborted + + Permission to send notification for job launched which ends in state Aborted. + +- /Jobs/RunJob/Launch/Blocked + + Permission to send notification for job launched which ends in state Blocked. + +- /Jobs/RunJob/Launch/Completed + + Permission to send notification for job launched which ends in state Completed. + +- /Jobs/RunJob/Launch/Errored + + Permission to send notification for job launched which ends in state Errored. 
+ +- /Jobs/RunJob/Launch/Warning + + Permission to send notification for job launched which ends in state Warning. + +- /Jobs/RunJob/Repair/Aborted + + Permission to send notification for job relaunched which ends in state Aborted. + +- /Jobs/RunJob/Repair/Blocked + + Permission to send notification for job relaunched which ends in state Blocked. + +- /Jobs/RunJob/Repair/Completed + + Permission to send notification for job relaunched which ends in state Completed. + +- /Jobs/RunJob/Repair/Errored + + Permission to send notification for job relaunched which ends in state Errored. + +- /Jobs/RunJob/Repair/Warning + + Permission to send notification for job relaunched which ends in state Warning. + +- /Jobs/Task/Create + + Permission to create objects of type Task. + +- /Jobs/Task/Delete + + Permission to delete objects of type Task. + +- /Jobs/Task/Query + + Permission to query and read objects of type Task + +- /Jobs/Task/Update + + Permission to update objects of type Task + +- /Jobs/TaskDependOnTask/Create + + Permission to create objects of type TaskDependOnTask. + +- /Jobs/TaskDependOnTask/Delete + + Permission to delete objects of type TaskDependOnTask. + +- /Jobs/TaskDependOnTask/Query + + Permission to query and read objects of type TaskDependOnTask + +- /Jobs/TaskDependOnTask/Update + + Permission to update objects of type TaskDependOnTask. + +- /Jobs/TaskDimension/Create + + Permission to create objects of type TaskDimension. + +- /Jobs/TaskDimension/Delete + + Permission to delete objects of type TaskDimension. + +- /Jobs/TaskDimension/Query + + Permission to query and read objects of type TaskDimension. + +- /Jobs/TaskDimension/Update + + Permission to update objects of type TaskDimension. + +- /Jobs/TaskEntityType/Create + + Permission to create objects of type TaskEntityType. + +- /Jobs/TaskEntityType/Delete + + Permission to delete objects of type TaskEntityType. 
+ +- /Jobs/TaskEntityType/Query + + Permission to query and read objects of type TaskEntityType. + +- /Jobs/TaskEntityType/Update + + Permission to update objects of type TaskEntityType + +- /Jobs/TaskIdByIdentifiersQuery/Query + + Permission to query and read objects of type TaskIdByIdentifiersQuery. + +- /Jobs/TaskInstance/Create + + Permission to create objects of type TaskInstance. + +- /Jobs/TaskInstance/Delete + + Permission to delete objects of type TaskInstance. + +- /Jobs/TaskInstance/Query + + Permission to query and read objects of type TaskInstance. + +- /Jobs/TaskInstance/Update + + Permission to update objects of type TaskInstance. + +- /Jobs/TaskResourceType/Create + + Permission to create objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Delete + + Permission to delete objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Query + + Permission to query and read objects of type TaskResourceType. + +- /Jobs/TaskResourceType/Update + + Permission to update objects of type TaskResourceType. + +- /Metadata/Binding/Create + + Permission to create objects of type Binding. + +- /Metadata/Binding/Delete + + Permission to delete objects of type Binding. + +- /Metadata/Binding/Query + + Permission to query and read objects of type Binding. + +- /Metadata/Binding/Update + + Permission to update objects of type Binding. + +- /Metadata/BindingItem/Query + + Permission to query and read objects of type BindingItem. + +- /Metadata/Dimension/Create + + Permission to create objects of type Dimension. + +- /Metadata/Dimension/Delete + + Permission to delete objects of type Dimension. + +- /Metadata/Dimension/Query + + Permission to query and read objects of type Dimension. + +- /Metadata/Dimension/Update + + Permission to update objects of type Dimension. + +- /Metadata/EntityAssociation/Create + + Permission to create objects of type EntityAssociation. 
+ +- /Metadata/EntityAssociation/Delete + + Permission to delete objects of type EntityAssociation. + +- /Metadata/EntityAssociation/Query + + Permission to query and read objects of type EntityAssociation. + +- /Metadata/EntityAssociation/Update + + Permission to update objects of type EntityAssociation. + +- /Metadata/EntityProperty/Create + + Permission to create objects of type EntityProperty. + +- /Metadata/EntityProperty/Delete + + Permission to delete objects of type EntityProperty. + +- /Metadata/EntityProperty/Query + + Permission to query and read objects of type EntityProperty. + +- /Metadata/EntityProperty/Update + + Permission to update objects of type EntityProperty. + +- /Metadata/EntityType/Create + + Permission to create objects of type EntityType. + +- /Metadata/EntityType/Delete + + Permission to delete objects of type EntityType. + +- /Metadata/EntityType/Query + + Permission to query and read objects of type EntityType. + +- /Metadata/EntityType/Update + + Permission to update objects of type EntityType. + +- /Metadata/Language/Query + + Permission to query and read objects of type Language. + +- /Metadata/Setting/Create + + Permission to create objects of type Setting + +- /Metadata/Setting/Delete + + Permission to delete objects of type Setting + +- /Metadata/Setting/Query + + Permission to query and read objects of type Setting + +- /Metadata/Setting/Update + + Permission to update objects of type Setting + +- /Monitoring + + Permission to download server logs from the User Interface (from the **Monitoring** screen). 
+ +- /ProvisioningPolicy/AssignedCompositeRole/Comment + + Permission to comment objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Create + + Permission to create objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Delete + + Permission to delete objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Query + + Permission to query and read objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedCompositeRole/Update + + Permission to update objects of type AssignedCompositeRole + +- /ProvisioningPolicy/AssignedResourceBinary/Create + + Permission to create objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Delete + + Permission to delete objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Query + + Permission to query and read objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceBinary/Update + + Permission to update objects of type AssignedResourceBinary + +- /ProvisioningPolicy/AssignedResourceNavigation/Create + + Permission to create objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Delete + + Permission to delete objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Query + + Permission to query and read objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceNavigation/Update + + Permission to update objects of type AssignedResourceNavigation + +- /ProvisioningPolicy/AssignedResourceScalar/Create + + Permission to create objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceScalar/Delete + + Permission to delete objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceScalar/Query + + Permission to query and read objects of type AssignedResourceScalar + +- 
/ProvisioningPolicy/AssignedResourceScalar/Update + + Permission to update objects of type AssignedResourceScalar + +- /ProvisioningPolicy/AssignedResourceType/Comment + + Permission to comment objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Create + + Permission to create objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Delete + + Permission to delete objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/ManualProvisioningReview + + Permission to review manual provisioning for object of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Query + + Permission to query and read objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedResourceType/Update + + Permission to update objects of type AssignedResourceType + +- /ProvisioningPolicy/AssignedSingleRole/Comment + + Permission to comment objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Create + + Permission to create objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Delete + + Permission to delete objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Query + + Permission to query and read objects of type AssignedSingleRole + +- /ProvisioningPolicy/AssignedSingleRole/Update + + Permission to update objects of type AssignedSingleRole + +- /ProvisioningPolicy/AutomationRule/Create + + Permission to create objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/CreateSimulation + + Permission to create objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Delete + + Permission to delete objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/DeleteSimulation + + Permission to delete objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Query + + Permission to query and read objects of type AutomationRule + +- 
/ProvisioningPolicy/AutomationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/Simulation + + Permission to query and read objects of type AutomationRule in simulation + +- /ProvisioningPolicy/AutomationRule/Updat + + Permission to update objects of type AutomationRule + +- /ProvisioningPolicy/AutomationRule/UpdateSimulation + + Permission to update objects of type AutomationRule in simulation + +- /ProvisioningPolicy/Category/Create + + Permission to create objects of type Category + +- /ProvisioningPolicy/Category/Delete + + Permission to delete objects of type Category + +- /ProvisioningPolicy/Category/Query + + Permission to query and read objects of type Category + +- /ProvisioningPolicy/Category/Update + + Permission to update objects of type Category + +- /ProvisioningPolicy/CompositeRole/Create + + Permission to create objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/CreateSimulation + + Permission to create objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Delete + + Permission to delete objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/DeleteSimulation + + Permission to delete objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Query + + Permission to query and read objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/Simulation + + Permission to query and read objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRole/Update + + Permission to update objects of type CompositeRole + +- /ProvisioningPolicy/CompositeRole/UpdateSimulation + + Permission to update objects of type CompositeRole in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Create + + 
Permission to create objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/CreateSimulation + + Permission to create objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Delete + + Permission to delete objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/DeleteSimulation + + Permission to delete objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Query + + Permission to query and read objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/Simulation + + Permission to query and read objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/CompositeRoleRule/Update + + Permission to update objects of type CompositeRoleRule + +- /ProvisioningPolicy/CompositeRoleRule/UpdateSimulation + + Permission to update objects of type CompositeRoleRule in simulation + +- /ProvisioningPolicy/ContextRule/Create + + Permission to create objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/CreateSimulation + + Permission to create objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Delete + + Permission to delete objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/DeleteSimulation + + Permission to delete objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Query + + Permission to query and read objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ContextRule + +- /ProvisioningPolicy/ContextRule/Simulation + + Permission to query and read objects of type ContextRule in simulation + +- /ProvisioningPolicy/ContextRule/Update + + Permission to update objects of type ContextRule + +- 
/ProvisioningPolicy/ContextRule/UpdateSimulation + + Permission to update objects of type ContextRule in simulation + +- /ProvisioningPolicy/IdentifiedRisk/Query + + Permission to query and read objects of type IdentifiedRisk + +- /ProvisioningPolicy/MiningRule/Create + + Permission to create objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Delete + + Permission to delete objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Query + + Permission to query and read objects of type MiningRule + +- /ProvisioningPolicy/MiningRule/Update + + Permission to update objects of type MiningRule + +- /ProvisioningPolicy/Policy/Create + + Permission to create objects of type Policy + +- /ProvisioningPolicy/Policy/CreateSimulation + + Permission to create objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Delete + + Permission to delete objects of type Policy + +- /ProvisioningPolicy/Policy/DeleteSimulation + + Permission to delete objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Query + + Permission to query and read objects of type Policy + +- /ProvisioningPolicy/Policy/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type Policy + +- /ProvisioningPolicy/Policy/Simulation + + Permission to query and read objects of type Policy in simulation + +- /ProvisioningPolicy/Policy/Update + + Permission to update objects of type Policy + +- /ProvisioningPolicy/Policy/UpdateSimulation + + Permission to update objects of type Policy in simulation + +- /ProvisioningPolicy/PolicySimulation/Create + + Permission to create objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Delete + + Permission to delete objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Query + + Permission to query and read objects of type PolicySimulation + +- /ProvisioningPolicy/PolicySimulation/Start + + Permission to start a simulation of a policy + +- 
/ProvisioningPolicy/PolicySimulation/Update + + Permission to update objects of type PolicySimulation. + +- /ProvisioningPolicy/PredefinedFunctionQuery/Query + + Permission to query and read objects of type PredefinedFunctionQuery + +- /ProvisioningPolicy/Provisioning/Start + + Permission to compute Provisioning. + +- /ProvisioningPolicy/RedundantAssignment/Query + + Permission to access the **Redundant Assignment** page. + +- /ProvisioningPolicy/RedundantAssignment/Start + + Permission to compute redundant assignments and remove them. + +- /ProvisioningPolicy/ResourceBinaryRule/Create + + Permission to create objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation + + Permission to create objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/CreateSimulation + + Permission to create objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/Delete + + Permission to delete objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/DeleteSimulation + + Permission to delete objects of type ResourceBinaryRule in simulatio.n + +- /ProvisioningPolicy/ResourceBinaryRule/Query + + Permission to query and read objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceBinaryRule + +- /ProvisioningPolicy/ResourceBinaryRule/Simulation + + Permission to query and read objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceBinaryRule/Update + + Permission to update objects of type ResourceBinaryRule. + +- /ProvisioningPolicy/ResourceBinaryRule/UpdateSimulation + + Permission to update objects of type ResourceBinaryRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Create + + Permission to create objects of type ResourceClassificationRule. 
+ +- /ProvisioningPolicy/ResourceClassificationRule/CreateSimulation + + Permission to create objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Delete + + Permission to delete objects of type ResourceClassificationRule + +- /ProvisioningPolicy/ResourceClassificationRule/DeleteSimulation + + Permission to delete objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Query + + Permission to query and read objects of type ResourceClassificationRule. + +- /ProvisioningPolicy/ResourceClassificationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + ResourceClassificationRule. + +- /ProvisioningPolicy/ResourceClassificationRule/Simulation + + Permission to query and read objects of type ResourceClassificationRule in simulation. + +- /ProvisioningPolicy/ResourceClassificationRule/Update + + Permission to update objects of type ResourceClassificationRule + +- /ProvisioningPolicy/ResourceClassificationRule/UpdateSimulation + + Permission to update objects of type ResourceClassificationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Create + + Permission to create objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/CreateSimulation + + Permission to create objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Delete + + Permission to delete objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/DeleteSimulation + + Permission to delete objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Query + + Permission to query and read objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + 
ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/Simulation + + Permission to query and read objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceCorrelationRule/Update + + Permission to update objects of type ResourceCorrelationRule + +- /ProvisioningPolicy/ResourceCorrelationRule/UpdateSimulation + + Permission to update objects of type ResourceCorrelationRule in simulation + +- /ProvisioningPolicy/ResourceHistory/Query + + Permission to query and read objects of type ResourceHistory + +- /ProvisioningPolicy/ResourceManageableAccounts/Query + + Permission to query and read objects of type ResourceManageableAccounts + + /ProvisioningPolicy/ResourceNavigationRule/Create + +- Permission to create objects of type ResourceNavigationRule +- /ProvisioningPolicy/ResourceNavigationRule/CreateSimulation + + Permission to create objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Delete + + Permission to delete objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/DeleteSimulation + + Permission to delete objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Query + + Permission to query and read objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type + ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/Simulation + + Permission to query and read objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceNavigationRule/Update + + Permission to update objects of type ResourceNavigationRule + +- /ProvisioningPolicy/ResourceNavigationRule/UpdateSimulation + + Permission to update objects of type ResourceNavigationRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Create + + Permission to create objects of type 
ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/CreateSimulation + + Permission to create objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Delete + + Permission to delete objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/DeleteSimulation + + Permission to delete objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Query + + Permission to query and read objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/Simulation + + Permission to query and read objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceQueryRule/Update + + Permission to update objects of type ResourceQueryRule + +- /ProvisioningPolicy/ResourceQueryRule/UpdateSimulation + + Permission to update objects of type ResourceQueryRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Create + + Permission to create objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/CreateSimulation + + Permission to create objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Delete + + Permission to delete objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/DeleteSimulation + + Permission to delete objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Query + + Permission to query and read objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/Simulation + + Permission to query and read objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceScalarRule/Update 
+ + Permission to update objects of type ResourceScalarRule + +- /ProvisioningPolicy/ResourceScalarRule/UpdateSimulation + + Permission to update objects of type ResourceScalarRule in simulation + +- /ProvisioningPolicy/ResourceType/Create + + Permission to create objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/CreateSimulation + + Permission to create objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Delete + + Permission to delete objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/DeleteSimulation + + Permission to delete objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Query + + Permission to query and read objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/Simulation + + Permission to query and read objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceType/Update + + Permission to update objects of type ResourceType + +- /ProvisioningPolicy/ResourceType/UpdateSimulation + + Permission to update objects of type ResourceType in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Create + + Permission to create objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/CreateSimulation + + Permission to create objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Delete + + Permission to delete objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/DeleteSimulation + + Permission to delete objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Query + + Permission to query and read objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type ResourceTypeRule + +- 
/ProvisioningPolicy/ResourceTypeRule/Simulation + + Permission to query and read objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/ResourceTypeRule/Update + + Permission to update objects of type ResourceTypeRule + +- /ProvisioningPolicy/ResourceTypeRule/UpdateSimulation + + Permission to update objects of type ResourceTypeRule in simulation + +- /ProvisioningPolicy/Risk/Create + + Permission to create objects of type Risk + +- /ProvisioningPolicy/Risk/Delete + + Permission to delete objects of type Risk + +- /ProvisioningPolicy/Risk/OverrideApproval + + ermission to transform an approval risk into a warning risk + +- /ProvisioningPolicy/Risk/OverrideBlocking + + Permission to transform a blocking risk into an approval risk + +- /ProvisioningPolicy/Risk/Query + + Permission to query and read objects of type Risk + +- /ProvisioningPolicy/Risk/Update + + Permission to update objects of type Risk + +- /ProvisioningPolicy/RoleMapping/Create + + Permission to create objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Delete + + Permission to delete objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Query + + Permission to query and read objects of type RoleMapping + +- /ProvisioningPolicy/RoleMapping/Update + + Permission to update objects of type RoleMapping + +- /ProvisioningPolicy/SingleRole/Create + + Permission to create objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/CreateSimulation + + Permission to create objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Delete + + Permission to delete objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/DeleteSimulation + + Permission to delete objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Query + + Permission to query and read objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type SingleRole + 
+- /ProvisioningPolicy/SingleRole/Simulation + + Permission to query and read objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRole/Update + + Permission to update objects of type SingleRole + +- /ProvisioningPolicy/SingleRole/UpdateSimulation + + Permission to update objects of type SingleRole in simulation + +- /ProvisioningPolicy/SingleRoleRule/Create + + Permission to create objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/CreateSimulation + + Permission to create objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Delete + + Permission to delete objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/DeleteSimulation + + Permission to delete objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Query + + Permission to query and read objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/RevertSimulation + + Permission to revert a deletion or update in simulation on objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/Simulation + + Permission to query and read objects of type SingleRoleRule in simulation + +- /ProvisioningPolicy/SingleRoleRule/Update + + Permission to update objects of type SingleRoleRule + +- /ProvisioningPolicy/SingleRoleRule/UpdateSimulation + + Permission to update objects of type SingleRoleRule in simulation + +- /Report/GenerateReportFileFromQuery/Query + + Permission to query and read objects of type GenerateReportFileFromQuery + +- /Report/GenerateReportFileFromReportQuery/Query + + Permission to query and read objects of type GenerateReportFileFromReportQuery + +- /Report/ReportQuery/Create + + Permission to create objects of type ReportQuery + +- /Report/ReportQuery/Delete + + Permission to delete objects of type ReportQuery + +- /Report/ReportQuery/Query + + Permission to query and read objects of type ReportQuery + +- /Report/ReportQuery/Update + + Permission to update objects 
of type ReportQuery + +- /Resources/Incremental/Query + + Permission to query and read objects of type Resource and Resource Link incrementally changed + +- /Resources/Resource/Create + + Permission to create objects of type Resource + +- /Resources/Resource/Delete + + Permission to delete objects of type Resource + +- /Resources/Resource/Query + + Permission to query and read objects of type Resource + +- /Resources/Resource/Update + + Permission to update objects of type Resource + +- /Settings/Manage +- /Universes/EntityInstance/Query + + Permission to query and read objects of type EntityInstance + +- /Universes/Universe/Query + + Permission to query and read objects of type Universe + +- /Universes/UniverseData/Query + + Permission to query and read objects of type UniverseData + +- /UserInterface/ActivityFormNameByWorkflowInstanceIdQuery/Query + + Permission to query and read objects of type ActivityFormNameByWorkflowInstanceIdQuery + +- /UserInterface/ApplicationInformationsQuery/Query + + Permission to query and read objects of type ApplicationInformationsQuery + +- /UserInterface/ConnectorResourceType/Create + + Permission to create objects of type ConnectorResourceType + +- /UserInterface/ConnectorResourceType/Delete + + Permission to delete objects of type ConnectorResourceType + +- /UserInterface/ConnectorResourceType/Update + + Permission to update objects of type ConnectorResourceType + +- /UserInterface/DisplayEntityAssociation/Create + + Permission to create objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityAssociation/Delete + + Permission to delete objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityAssociation/Query + + Permission to query and read objects of type DisplayEntityAssociatio + +- /UserInterface/DisplayEntityAssociation/Update + + Permission to update objects of type DisplayEntityAssociation + +- /UserInterface/DisplayEntityProperty/Create + + Permission to create objects of type 
DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Delete + + Permission to delete objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Query + + Permission to query and read objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityProperty/Update + + Permission to update objects of type DisplayEntityProperty + +- /UserInterface/DisplayEntityType/Create + + Permission to create objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Delete + + Permission to delete objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Query + + Permission to query and read objects of type DisplayEntityType + +- /UserInterface/DisplayEntityType/Update + + Permission to update objects of type DisplayEntityType + +- /UserInterface/DisplayPropertyGroup/Create + + Permission to create objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Delete + + Permission to delete objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Query + + Permission to query and read objects of type DisplayPropertyGroup + +- /UserInterface/DisplayPropertyGroup/Update + + Permission to update objects of type DisplayPropertyGroup + +- /UserInterface/DisplayTable/Create + + Permission to create objects of type DisplayTable + +- /UserInterface/DisplayTable/Delete + + Permission to delete objects of type DisplayTable + +- /UserInterface/DisplayTable/Query + + Permission to query and read objects of type DisplayTable + +- /UserInterface/DisplayTable/Update + + Permission to update objects of type DisplayTable + +- /UserInterface/DisplayTableColumn/Create + + Permission to create objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Delete + + Permission to delete objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Query + + Permission to query and read objects of type DisplayTableColumn + +- /UserInterface/DisplayTableColumn/Update + + 
Permission to update objects of type DisplayTableColumn + +- /UserInterface/DisplayTableDesignElement/Query + + Permission to query and read objects of type DisplayTableDesignElement + +- /UserInterface/EntityTypeMappingByUiContextQuery/Query + + Permission to query and read objects of type EntityTypeMappingByUiContextQuery + +- /UserInterface/Form/Create + + Permission to create objects of type Form + +- /UserInterface/Form/Delete + + Permission to delete objects of type Form + +- /UserInterface/Form/Query + + Permission to query and read objects of type Form + +- /UserInterface/Form/Updat + + Permission to update objects of type Form + +- /UserInterface/FormControl/Create + + Permission to create objects of type FormControl + +- /UserInterface/FormControl/Delete + + Permission to delete objects of type FormControl + +- /UserInterface/FormControl/Query + + Permission to query and read objects of type FormControl + +- /UserInterface/FormControl/Update + + Permission to update objects of type FormControl + +- /UserInterface/HierarchyDataByEntityTypeIdQuery/Query + + Permission to query and read objects of type HierarchyDataByEntityTypeIdQuery + +- /UserInterface/Indicator/Create + + Permission to create objects of type Indicator + +- /UserInterface/Indicator/Delete + + Permission to delete objects of type Indicator + +- /UserInterface/Indicator/Query + + Permission to query and read objects of type Indicator + +- /UserInterface/Indicator/Update + + Permission to update objects of type Indicator + +- /UserInterface/IndicatorItem/Create + + Permission to create objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Delete + + Permission to delete objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Query + + Permission to query and read objects of type IndicatorItem + +- /UserInterface/IndicatorItem/Update + + Permission to update objects of type IndicatorItem + +- /UserInterface/PersonasByFilterQuery/Query + + Permission to query and read objects 
of type PersonasByFilterQuery + +- /UserInterface/Reload + + Permission to reset the container, in order to update the permissions and the displayed + configuration. + +- /UserInterface/ResourceReadForm/Query + + Permission to query and read objects of type ResourceReadForm + +- /UserInterface/ResourceReadFormActions/Query + + Permission to query and read objects of type ResourceReadFormActions + +- /UserInterface/ResourceSearchForm/Query + + Permission to query and read objects of type ResourceSearchForm + +- /UserInterface/ResourceSelfForm/Query + + Permission to query and read objects of type ResourceSelfForm + +- /UserInterface/SearchBar/Create + + Permission to create objects of type SearchBar + +- /UserInterface/SearchBar/Delete + + Permission to delete objects of type SearchBar + +- /UserInterface/SearchBar/Query + + Permission to query and read objects of type SearchBar + +- /UserInterface/SearchBar/Update + + Permission to update objects of type SearchBar + +- /UserInterface/SearchBarCriterion/Create + + Permission to create objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Delete + + Permission to delete objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Query + + Permission to query and read objects of type SearchBarCriterion + +- /UserInterface/SearchBarCriterion/Update + + Permission to update objects of type SearchBarCriterion + +- /UserInterface/Tile/Create + + Permission to create objects of type Tile + +- /UserInterface/Tile/Delete + + Permission to delete objects of type Tile + +- /UserInterface/Tile/Query + + Permission to query and read objects of type Tile + +- /UserInterface/Tile/Update + + Permission to update objects of type Tile + +- /UserInterface/TileDesignElement/Query + + Permission to query and read objects of type TileDesignElement + +- /UserInterface/TileItem/Create + + Permission to create objects of type TileItem + +- /UserInterface/TileItem/Delete + + Permission to delete objects of 
type TileItem + +- /UserInterface/TileItem/Query + + Permission to query and read objects of type TileItem + +- /UserInterface/TileItem/Update + + Permission to update objects of type TileItem + +- /UserInterface/UserByIdentityQuery/Query + + Permission to query and read objects of type UserByIdentityQuery + +- /UserInterface/WorkflowFormByNameQuery/Query + + Permission to query and read objects of type WorkflowFormByNameQuery + +- /UserInterface/WorkflowFormByWorkflowIdQuery/Query + + Permission to query and read objects of type WorkflowFormByWorkflowIdQuery + +- /Workflows/Activity/Create + + Permission to create objects of type Activity + +- /Workflows/Activity/Delete + + Permission to delete objects of type Activity + +- /Workflows/Activity/Query + + Permission to query and read objects of type Activity + +- /Workflows/Activity/Update + + Permission to update objects of type Activity + +- /Workflows/ActivityInstance/Query + + Permission to query and read objects of type ActivityInstance + +- /Workflows/ActivityInstanceAspectsQuery/Query + + Permission to query and read objects of type ActivityInstanceAspectsQuery + +- /Workflows/ActivityTemplate/Query + + Permission to query and read objects of type ActivityTemplate + +- /Workflows/ActivityTemplateState/Query + + Permission to query and read objects of type ActivityTemplateState + +- /Workflows/ActivityTemplateTransition/Query + + Permission to query and read objects of type ActivityTemplateTransition + +- /Workflows/HistorizedResourceFileByWorkflowInstanceIdQuery/Query + + Permission to query and read objects of type HistorizedResourceFileByWorkflowInstanceIdQuery + +- /Workflows/HomonymEntityLink/Create + + Permission to create objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Delete + + Permission to delete objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Query + + Permission to query and read objects of type HomonymEntityLink + +- /Workflows/HomonymEntityLink/Update + + 
Permission to update objects of type HomonymEntityLink + +- /Workflows/UserActivityInstance/AssignedTo + + Permission to update the actor on object of type UserActivityInstance + +- /Workflows/UserActivityInstance/ExpectedDate + + Permission to update expected date on object of type UserActivityInstance + +- /Workflows/UserActivityInstance/Query + + Permission to query and read objects of type UserActivityInstance + +- /Workflows/UserActivityInstanceCountQuery/Query + + Permission to query and read objects of type UserActivityInstanceCountQuery + +- /Workflows/Workflow/Create + + Permission to create objects of type Workflow + +- /Workflows/Workflow/Delete + + Permission to delete objects of type Workflow + +- /Workflows/Workflow/Query + + Permission to query and read objects of type Workflow + +- /Workflows/Workflow/Update + + Permission to update objects of type Workflow + +- /Workflows/WorkflowInstance/Query + + Permission to query and read objects of type WorkflowInstance + +- /Workflows/WorkflowInstance/Resume +- /Workflows/WorkflowInstance/Start +- /Workflows/WorkflowInstance/Supervise + + Permission to supervise objects of type WorkflowInstance + +- /Workflows/WorkflowInstanceData/Query + + Permission to query and read objects of type WorkflowInstanceData diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md new file mode 100644 index 0000000000..801573eee1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md 
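Review bot: Two identifiers in the permissions list that ends above are truncated. The entry `/UserInterface/Form/Updat` is missing its final `e`, and the description under `/UserInterface/DisplayEntityAssociation/Query` ends in `DisplayEntityAssociatio`. Readers copy these paths into access rules, so the path should match its `Create`/`Delete`/`Query` siblings exactly. Separately, `/Settings/Manage`, `/Workflows/WorkflowInstance/Resume` and `/Workflows/WorkflowInstance/Start` are the only entries in this stretch with no description line. Please add one for each, since a reviewer granting them cannot tell from the page what they allow.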
@@ -0,0 +1,96 @@ +# Compute a Resource Type's Provisioning Arguments + +This guide gives examples to understand how to configure a resource type's `ArgumentsExpression` +attribute to compute a resource type's provisioning arguments, for example the identifier of the +workflow to launch, or the identifier of the record to copy. + +## Examples + +This option is used to use provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an +[InternalWorkflow](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) connection +cannot contain expressions, a resource type can be configured with the `ArgumentsExpression` +attribute to explicit the arguments of provisioning orders, based on conditions and variables. + +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +``` + + + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. 
+ +The following example computes the identifier of the record to copy, if the identity has already +any: + +``` + +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); + + if (resources.Any()) { + arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); + } +} + +return arguments;" /> + +``` + +## Attributes Provided by Usercube + +| Name | Details | +| ---------------------------- | ----------------------------------------------------------------- | +| ProvisioningOrder.ChangeType | **Type** String **Description** Action of the provisioning order. | + +## Methods Provided by Usercube + +| Name | Details | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| IsNone | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsNone() **Description** `True` when the provisioning order demands no change. **Note:** this method can be used only on `ChangeType`. | +| IsAdded | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsAdded() **Description** `True` when the provisioning order demands a resource addition. **Note:** this method can be used only on `ChangeType`. | +| IsUpdated | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsUpdated() **Description** `True` when the provisioning order demands a resource update. **Note:** this method can be used only on `ChangeType`. | +| IsDeleted | **Type** Boolean **Usage** provisioningOrder.ChangeType.IsDeleted() **Description** `True` when the provisioning order demands a resource deletion. **Note:** this method can be used only on `ChangeType`. 
| +| HasChanged | **Type** Boolean **Usage** provisioningOrder.HasChanged("PropertyName") **Description** `True` when the provisioning order demands a change on a given property. | +| TryGetScalar | **Type** Boolean **Usage** provisioningOrder.TryGetScalar("PropertyName", out var myChange) **Description** `True` when `PropertyName` is a scalar property whose value is changed by the provisioning order. `myChange` takes the new value of `PropertyName` changed by the provisioning order. | +| TryGetAddedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetAddedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property to which new values are added by the provisioning order. `myChanges` takes the list of values of `PropertyName` added by the provisioning order. | +| TryGetRemovedNavigations | **Type** Boolean **Usage** provisioningOrder.TryGetRemovedNavigations("PropertyName", out var myChanges) **Description** `True` when `PropertyName` is a navigation property from which some values are removed by the provisioning order. `myChanges` takes the list of values of `PropertyName` removed by the provisioning order. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/index.md new file mode 100644 index 0000000000..e3060a4337 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/index.md @@ -0,0 +1,6 @@ +# Provisioning + +See how to anticipate changes due to provisioning thanks to +[ Thresholds ](/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/prov-thresholds/index.md). + +See how to implement and perform [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md). 
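Review bot: In `provisioning/how-tos/argumentsexpression/index.md`, both code fences under "Examples" have lost their content. The first fence, which is announced as computing the identifier of the workflow to launch, is empty. The second starts mid-expression at `("Select Id Where EmployeeId="\" + employeeId.ToString() + "\"");`, so the element that carries `ArgumentsExpression` and the declarations of `arguments`, `resources` and `employeeId` are not shown. The visible quoting around `EmployeeId=` is also unbalanced as written. It looks like the XML markup was stripped during conversion. Please restore both snippets, and fence them with a language tag so the markup is not parsed again. Since the second example builds a query by concatenating a value into the string, the restored text should say where `employeeId` comes from. Minor: `#### ResourceIdToCopy` jumps from `##` to `####`, and the first example has no matching heading.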
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/prov-thresholds/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/prov-thresholds/index.md new file mode 100644 index 0000000000..ac569a6c0f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/prov-thresholds/index.md 
@@ -0,0 +1,34 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Identity Manager +stops the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though **they should not all be**. Each action must +be "guarded" by at least one threshold. + +Once the changes have been reviewed, the blocked job can be resumed (or not). See the +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional +information. + +## Thresholds for Provisioning + +Provisioning thresholds can be configured in XML files via +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) to count the +number of resources impacted by provisioning inside a given resource type. These thresholds impact +the generation of provisioning orders. They are configured with: + +| Absolute Threshold | Relative Threshold | +| ------------------ | ---------------------- | +| `MaximumDelete` | `MaximumDeletePercent` | +| `MaximumInsert` | `MaximumInsertPercent` | +| `MaximumUpdate` | `MaximumUpdatePercent` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop the generation of provisioning orders. + +Distinct [ Thresholds ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md) are configurable for +synchronization. 
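Review bot: The sentence "All thresholds are active." under "Thresholds for Provisioning" conflicts with the earlier statement that thresholds "can be deactivated via the value `0`". As written, a reader cannot tell whether setting `MaximumDelete` to `0` disables only the absolute check while `MaximumDeletePercent` still applies, or whether `0` would block every deletion. Suggest rewording to something like "every threshold with a non-zero value is evaluated, and the first one exceeded stops the generation of provisioning orders". Please also state explicitly that each of delete, insert and update needs at least one non-zero threshold, since that is what the "each action must be guarded" rule relies on. The phrase "though **they should not all be**" is hard to parse and would be clearer as a full sentence.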
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/resources/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/resources/index.md new file mode 100644 index 0000000000..6cb383912d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/resources/index.md 
@@ -0,0 +1,41 @@ +# Resources + +Identity Manager stores managed systems' data and identities as resources within a resource +repository. + +## Resource Repository + +The source of truth for the engine is the data from external sources that are copied into Identity +Manager's database. This persisted set of data, called _resources_, is stored in the **Resource +Repository**. See the [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +topic for additional information. + +The repository keeps a full history of all the changes performed to the resources. It is hence +possible to retrieve a resource's value at a given date or what has been changed over a period. + +Resources can be added to the resource repository from one of four ways: + +1. Input data directly from the applicative configuration. This is useful for a very limited amount + of data. This is very often used for debugging or testing, less often in production. See the + [Toolkit for XML Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md) topic for additional information. +2. Input data from the UI. This requires configuring the UI and is the most straightforward way for + a reasonable amount of data. This is often used to input reference data that is not in the + managed systems, or for which no source of truth exists. +3. Load data from a CSV file. This is how data from managed systems are loaded most of the time. See + the [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topic for + additional information. Any reference of identity data can be loaded into Identity Manager using + CSV files. This is useful if the target organization already possess such files or can produce + them easily. +4. Compute new resources from existing resources. 
This can be achieved by using the provisioning + tools in a very specific way that is called _internal_ provisioning. This is often used to create + the reference data from managed systems. +5. Insert data directly in the `UR_Resource` table from SQL queries. This is not very safe and + requires a great deal of expertise. + +When using methods 1. and 5., make sure to choose, for new resources, an `Id` that is not yet used +for another resource in the database. Only use positive integer `Id`s for resource-identity (that +is, the resource to which you plan on assigning roles). See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic for +additional information. + +Resources need a model: the entity model. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignment-dates/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignment-dates/index.md new file mode 100644 index 0000000000..d163eb9403 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignment-dates/index.md 
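Review bot: The list in "Resource Repository" is introduced with "from one of four ways" but has five numbered items, and the paragraph after it refers to "methods 1. and 5.", so the count in the lead-in should be five. For item 5 (direct inserts into `UR_Resource`), "not very safe" would be more useful with one sentence on what is bypassed. The page states that the repository keeps a full history of changes, so say whether rows written by SQL are covered by that history. The `Id` guidance ("Only use positive integer `Id`s for resource-identity") would also read better placed next to items 1 and 5 than after the whole list.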
@@ -0,0 +1,25 @@ +# Assignment Dates + +Entitlements can be assigned to users manually or automatically, but not on any time period. See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) topic for additional information. + +## For Manual Assignments + +During the manual assignment of an entitlement, i.e. role or resource type, to a user, the start and +end dates of the entitlement must follow simple rules: + +- the start date cannot be earlier than the earliest start date in all records of the user; +- the end date cannot be later than the latest end date in all records of the user. + +This means that requesting an entitlement without any start/end dates will actually assign the +entitlement from the records' earliest start date to the latest end date. + +An entitlement cannot be requested with a start date earlier than today's date. But when requesting +a role with an end date later than the records' latest end date, then the role will be assigned with +its end date equal to the records' latest end date. + +## For Automatic Assignments + +The start and end dates of any automatic assignment are based on the dates from the +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md)defined for the +identities. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md new file mode 100644 index 0000000000..e221bf8371 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md 
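Review bot: The "For Manual Assignments" section gives two different behaviours for an out-of-range end date. The bullet says the end date "cannot be later than the latest end date in all records of the user", which reads as a rejection. The last paragraph says a role requested with a later end date "will be assigned with its end date equal to the records' latest end date", which is a silent clamp. Please state which applies. If it is the clamp, say whether the requester is informed, because the effective access period then differs from what was requested and approved. The same paragraph says a start date earlier than today "cannot be requested" without saying whether that is rejected or adjusted. Also, the link in "For Automatic Assignments" is missing a space before "defined" (`index.md)defined`).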
@@ -0,0 +1,196 @@ +# Entitlement Assignment + +Assigning entitlements means giving users specific permissions, or access rights, etc. + +## Overview + +As Identity Manager relies on a +[role-based](https://en.wikipedia.org/wiki/Role-based_access_control) assignment policy, entitlement +assignment is simply role assignment. See the [ Role Model ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md)topic for +additional information. + +So once a user is assigned a role, Identity Manager must make the right changes in the managed +system(s) to actually enable the corresponding permission. The values to be changed in the managed +systems are specified in provisioning orders. + +Hence, an entitlement assignment is both the result of the execution of a provisioning order, and +the enablement of an access right. + +## Automatic vs. Manual + +Within Identity Manager, assignments can be created automatically, or can result from manual +requests. + +Automatic assignments are created by Identity Manager when evaluating the policy, i.e. when +computing expected assignments based on existing users and the policy's roles and rules. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional information. Automatic +assignments can: + +- Result directly from the application of assignment rules on identities. See the + [ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md)topic for additional information. +- Be inferred and cascading from another assignment. + +Manual assignments and degradations are on the other hand, need to be requested individually through +the UI. + +## Assignments' Approval Workflow + +Some entitlements require the approval of one or several knowledgeable users before actually being +assigned. This is standard procedure in many security-concerned organizations. 
+ +**NOTE:** This is configurable through the role's or resource type's approval workflow type. See the +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for +additional information. + +Each step of the approval workflow is associated with a workflow state, so that all assignments can +be tracked and it is clear what step they are at. + +The same approval workflow is used for requests to add or remove roles. + +For example, Ms. Jackson requests for Mr. Smith the single role Server Room Access which has a +two-step approval workflow: + +- At the end of the workflow, the assigned role has the workflow state **Requested**. +- Once the assignment is processed, the workflow state switches to **Pending Approval** 1/2. +- Once a reviewer approves the assignment, the state switches to **Pending Approval** 2/2 (and if + the reviewer declined the assignment, the state would switch to **Declined**). +- Once a second reviewer approves the assignment, the stat switches to **Approved** and the + assignment is finally effective. + +### Provisioning state + +In addition to the workflow state that represents an assignment's progress in the approval workflow, +any assignment also has a provisioning state to represent its progress in its lifetime from creation +in the database to provisioning to the managed system and to its eventual deletion. + +**NOTE:** Contrary to the workflow state that concerns all assignments, the provisioning state is +only about the assignments that need provisioning. + +For example, roles exist only in Identity Manager and not in the managed systems, so assigned roles +do not have a provisioning state, unlike assigned resource types, scalars and navigation, etc. 
+ +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +The schema sums up the usual progress of an assignment's provisioning state. + +For example, once Mr. Smith's role has completed the approval steps, we expect the provisioning of a +navigation property: + +- It is not yet ready for provisioning because we decided to add a provisioning review by a + knowledgeable user because it is a sensitive permission, so the assigned resource navigation has + the **Awaiting Approval** provisioning state. +- Once a reviewer approves the assignment, the provisioning state switches to **Pending**. +- Once provisioning orders are computed and transmitted to the agent, the state switches to + **Transmitted**. +- Once the agent confirms that the related order is executed, the state switches to **Executed**. +- Once synchronization validates the consistency of the provisioned value with the policy, the state + finally switches to **Verified**. + +Assignments whose provisioning orders are blocked because they are **Awaiting Approval** are to be +reviewed on the **Provisioning Review** screen. + +## Non-Conforming Assignments + +Once a policy is configured with all its rules and roles, Identity Manager can combine it with user +information in order to determine the expected assignments, i.e. the list of all assignments that +comply with the policy. + +On the other hand, via synchronization Identity Manager can read the existing assignments, i.e. the +list of all assignments that actually exist in the managed systems. + +Technically speaking, Identity Manager creates entitlements in the managed systems, and "translates" +them into role model language. In other words, Identity Manager create assignments based on the +entitlements found in the systems. + +A simple comparison between these two lists defines the non-conforming assignments, i.e. 
the list of +all assignments that do not comply with the policy. + +![Non-Conforming Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is +therefore: + +- Removed if Identity Manager correctly spotted it and the owner should indeed not possess this + permission; +- Kept as an exception if the configured rules do not apply to this particular case. + +**NOTE:** Non-conforming assignments are to be reviewed on the **Role Reconciliation** and/or +**Resource Reconciliation** screens. See the [Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic +for additional information. + +Non-conforming assignments can still be split into two categories: + +- Pre-existing when they are found during the very first synchronization because they existed before + Identity Manager's implementation; +- Simply non-conforming when they are found later. + +For example, consider a (navigation) rule stating that the QuickBooks Level 1 Access role entitles +its owner to the Active Directory QuickBooks group membership, that enables them to access the +organization accounting balance information through QuickBooks. + +Now, let's say synchronization finds the Active Directory QuickBooks group membership for Mr. +Smith's Active Directory account. The trouble is, Mr. Smith digital identity has not bee assigned +the QuickBooks Access role: this is an inconsistency. + +In order to fix the inconsistency, Identity Manager creates the assignment of this role to Mr. Smith +to be reviewed by a knowledgeable user who can determine whether the assignment is legitimate or +results from a mistake. 
+ +### Review automation + +Identity Manager provides automation rules to automate the review of non-conforming assignments by +automatically approving/declining assignments that were pending approval for some time, if this +behavior is desired. See the +[Automate the Review of Non-conforming Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) +topic for additional information. + +For example, the single role Server Room Access is requested for Mr. Smith, with a two-step approval +workflow. Ms. Jackson is supposed to review it, and then Mr. Jones. If Ms. Jackson takes too long, +an automation can approve it, or most likely decline it, automatically. This way, the approval +process ends and will need to be restarted at a later date if the need is genuine. + +## Resource Type Assignments + +Resource types are not as intuitive as roles because they are more complex and subtle. Assigning a +resource type materializes: + +- The creation of a resource, usually an account, in the managed system; +- The creation of scalar and navigation properties for this new resource; +- The categorization of the created resource, which means both the correlation of the resource to an + owner, and the classification of the resource into a specific type with specific rules between + owner and owned resources. See the + [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional + information. + +### Reconciliation + +Just like any other assignment, a resource type assignment can be non-confirming when the resource's +existence or its values do not comply with the policy. + +For example, a SAP account is found for a user who should not have one according to the role model's +rules. + +**NOTE:** An account can also be an orphan when it is found in the managed system, but no owner +could be correlated. 
+ +### Consolidated states + +A resource type assignment also has consolidated workflow and provisioning states to represent the +progress of the resource's scalar and navigation assignments. + +Same as previously, the consolidated provisioning state represents the provisioning progress of the +resource type assignment together with its nested scalar/navigation assignments. + +The consolidated workflow state represents the provisioning progress of the resource type assignment +together with its nested scalar/navigation assignments, and it is described by the following values: + +- ConsolidatedWorkflowReviewState represents the progress in the approval workflow for a manual + assignment; + + **NOTE:** Except for very technical use cases, resource types should not be requested manually, + they should only be inferred by a role and thus assigned automatically. + +- ConsolidatedWorkflowBlockedState indicates whether one or more of the nested scalars/navigations + are blocked; +- ConsolidatedWorkflowFoundState indicates whether one or more of the nested scalars/navigations are + stated as non-conforming or pre-existing. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md new file mode 100644 index 0000000000..79632c8d0b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md 
@@ -0,0 +1,128 @@ +# Conforming Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to compute, for a given identity, the appropriate assignments. + +If you are interested in a detailed description of the actual Compute Role Model task algorithm, +please refer to the Reference documentation. This article focuses more on the design decisions and +the underlying philosophy of the process. + +## Overview + +This is how Identity Manager solves the identity lifecycle issue. + +> **FAQ**: During onboarding, moving, offboarding, how can we make sure that an identity has the +> appropriate assignments? +> What are the appropriate assignments? + +They are a trade-off between having enough assignments to work efficiently but not too many as to +pose a security threat. + +Choosing the appropriate assignments is a science as much as an art. Identity Manager helps +formalize decision rules to make them more efficient. But talking about assignments and their +provisioning requires the appropriate language. + +## Roles + +> **FAQ**: What does assigning an entitlement means? + +In a target application, it is granting an account membership for a group, changing a person's +clearance level, adding an authorized account to the access control list of a resource, etc. + +Performing an assignment requires a great deal of knowledge about the inner mechanisms of the target +authorization mechanism. That makes talking about entitlement even more complicated. Am I talking +about a group, a resource's access control list, a clearance level? + +Identity Manager here aims at: + +- Making every assignment decision more intentional. +- Making automation of those assignment decisions possible. + +For these goals, Identity Manager hides this complexity behind an ubiquitous language, using a +widely known model: RBAC. 
In the end, talking about entitlements is talking about roles. No more +multiple obscure authorization mechanisms. + +This makes thinking about entitlements within Identity Manager easy. The provisioning issues stay +out of the way, and all the energy can be focused on designing the perfect assignment policy. + +The appropriate model also helps formalizing rules that can be used for automation. + +## Dimensions + +Assignment decisions for a user are always made based on the user's needs and legitimacy. + +> **FAQ**: Are employees working on tasks that need this assignment? Are they senior enough to have +> that responsibility? + +The basis for an assignment decision can be seen as a set of "identity attributes" that represent +the place of the employee in the organization. + +We can formalize these "identity attributes", on which informal assignment decisions are made, by +translating them into dimensions. Identity Manager's dimensions are exactly that: key criteria, on +which assignment decisions are based. + +Just as roles, dimensions are a fundamental piece of the puzzle. Choosing dimensions forces users to +sit down and really think about what really motivates assignment decisions in the organization. It +is going to help with automation but it is also going to help come up with better decision rules, +and hence improve the overall security of the organization. Assignment rules naturally flow from +dimensions and roles. + +## Rules + +> **FAQ**: Do all employees working on a given task have the entitlements they need? + +Roles and dimensions are the basis for a language that enables users to formalize, in a very +explicit way, the assignment policy: who should get what entitlement. Dimensions are criteria for +decisions and roles are the result of a decision. We are now only missing the rules that map +criteria to roles. + +Those are the assignment rules: single role rules and composite role rules. + +Writing the assignment policy actually becomes very easy. 
Once dimensions and roles are identified, +assignment rules become obvious. + +The last difficulty is provisioning those assignments. + +## Provisioning + +> **FAQ**: Is the data from the target application complying with the rules created earlier? + +Translating roles into provisioning orders is finding out how the target application should be +changed to satisfy the assignments. This is where the technical complexity that was hidden by the +role, should be written. Authorization mechanisms map so well to RBAC that provisioning mechanisms +naturally flow from the roles. + +Provisioning mechanisms all follow this pattern: + +1. Start with the **identity**. +2. Find the resource in the target application that should be updated to satisfy the assignment + requirement. It is often an account. That's the **correlation**. +3. Compute the value of the data that should be updated in the target resource. That's + **provisioning rules**. + +One last point to consider is that provisioning rules and correlation sometimes depend on the type +of resource we are handling. Authorization mechanisms often discriminate between resources, +depending on their relevance for security. We might need specific provisioning rules to enforce this +difference. + +The resource type materializes the classification of resources of the same application into +categories relevant from a security point of view. As a bonus, classifying resources help with +governance. + +## The Role Model + +> **FAQ**: What is the role model in a nutshell? + +Dimensions, roles, assignment rules, resource type, provisioning rules. + +You start with dimensions. From there, roles are deduced from assignment rules. They are translated +to provisioning orders, following scalar rules and correlation rules and resource types. + +## When There Are No Rules + +If you're not comfortable yet with writing rules that automatically assign roles, you can skip +dimensions and start this whole process from roles. 
+ +You can assign roles manually to users and still benefit from hiding the provisioning complexity +inside roles, and have a good basis for writing down your assignment policy. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md new file mode 100644 index 0000000000..feff60c8eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md 
@@ -0,0 +1,556 @@ +# Evaluate Policy + +Evaluate Policy is the core algorithm of the assignment policy. See the +[ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) topic for additional information. + +The algorithm is applied by the server to a resource. It has the following responsibilities: + +- Enforcing the assignment rules: the algorithm outputs a list of expected assignments for the input + resource +- Evaluating risks +- Managing assignment lifecycle: updating provisioning states +- Purging expired assignments + +See the [ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) topic for additional information. + +## Overview + +![Evaluate Policy Overview](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/evaluate-policy-1.webp) + +The main responsibility of the Evaluate Policy is to compute, for every fed resource, the set of +assignments of entitlements that comply with the assignment policy. + +That set is composed of roles that should be assigned to the resource and of scalar and navigation +assignments that should exist for that resource as an owner. The latter are in fact values of target +resource properties to fulfill from that resource fed in the algorithm. Those assignments are +referred to as the expected assignments. Manual assignments and derogations are included as well, as +they become rules within the assignment policy. + +Evaluate Policy also identifies the existing assignments. They represent the actual assignments read +(or more accurately, deduced) from the managed systems' resources. + +Finally, the differences between the existing assignments and the expected assignments are computed. +As a result, a set of non-conforming assignments is revealed, to be fixed by provisioning or +validated as derogations. 
+ +Later, provisioning orders are edited, validated by a knowledgeable user and sent to the agent for +connectors to fulfill and fix the differences. + +Evaluate Policy is executed by the task `Usercube-Compute-RoleModel`, usually included in a +regularly scheduled provisioning job. + +See the [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md), +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md), +and [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) topics for additional information. + +## The Algorithm Steps + +**Step 1 –** **Select resources** from the resource repository, all the relevant properties for +every resource. + +This includes: + +- Attribute values of the resource itself; +- Attribute values of the resources pointed to by a navigation property from the current resource; +- All existing assignments for these resources and their properties such as provisioning state and + workflow state; +- Every property of the source resource, if the resource is a target in an owner/target + relationship; +- Every property of the target resource, if the resource is an owner in an owner/target + relationship; + +Extracting and computing, in an acceptable amount of time, such a load of data is no trivial matter. + +The number of resources to consider is of the order of 100 000 entries for a system managing 10 000 +identities among 4 managed systems. + +To improve execution time, two optimizations are used: + +- Identity Manager uses + [batching](https://docs.microsoft.com/en-us/azure/azure-sql/performance-improve-use-batching) to + perform the database request. The `SELECT` query is divided into sets of smaller queries called + batches. The size of a batch is configurable in the Identity Manager-Compute-RoleModel, with the + `BatchSelectSize` attribute. 
+- Identity Manager only selects resources for which a new assignment computation is needed. They are + resources updated during the last incremental synchronization, and resources that depend on them. + They are identified by the dirty flag, set during incremental synchronization. See the + [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) topic for + additional information. + +**NOTE:** For very few edge cases, dependencies between resource values can be difficult to identify +within Identity Manager. An example involves entity property expressions using +[LINQ](https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/linq/) syntax. See +the [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)topic for +additional information. A second- or third-order binding used in such an expression actually defines +a dependency. But Identity Manager does not account for it, because of performance-reliability +trade-offs. That means a resource `R1`, using such an expression to compute one of its properties +values from another resource `R2` property value, might not be updated even if `R2` has been updated +by incremental synchronization. This too can be fixed by using complete synchronization once a day. + +**Step 2 –** **Compute expected assignments** + +The second step is building the expected assignment list by applying the assignment rules to the +input resource. + +This step builds a list, from scratch, of every expected assignment, both role assignments and +assignments issued from provisioning rules. 
+ +The list contains: + +- Automatic assignments, inferred from context-based rules +- Automatic assignments, inferred from other assignments, according to role-based rules +- Manual assignments previously created and derogations previously validated +- Assignments updated by an automation rule. See the + [Automation Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) topic for + additional information. + +To build the list, the algorithm first goes through composite role rules, single role rules, +resource type rules, navigation rules, and applies them in that order. See the +[Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md), +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md), and +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for +additional information. This takes care of automatic assignments. Every step influences the +following one: single roles can be inferred from composite roles that have just been assigned by a +reviewer or an automation rule for example. + +Then, manual assignments and derogations are added to the expected assignments list. They are +extracted from the database, where they were saved after being added from the UI or validated +through the UI, and are considered part of the role model. Manual assignments are identified by the +Approved workflow state. Derogations are identified by the Found and Historic workflow states. + +Role assignments as derogations are displayed to the end-user for confirmation in the Role +Reconciliation screen. 
As long as they are not denied, they are considered a part of the role model +and will not be considered as a non-conforming difference to be fixed by provisioning. They are +deduced from actual resources and resource values found in the managed system, that do not comply +with the assignment rules, and are displayed in the Resource Reconciliation screen. + +Let's detail the rule enforcement mechanisms. + +Match context rules + +Dimensions are really the basis of an assignment process. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Before starting, a context rule is applied, giving for the input resource: + +- The dimension values +- The time period validity of every assignment computed during this Evaluate Policy iteration + +![Computing Context For Input Resource](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/enforce-context.webp) + +Computing expected role assignments + +Role assignments, on the other hand, are the outcome of the assignment process. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Role assignments are the output of composite role rules and single role rules enforcement. The +outcome of those rules, as assigned composite roles and assigned single roles, is conditioned by the +input resource's context. They are the image of the status of trust and privilege granted to a +resource-identity. + +![Computing Expected Role Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-1.webp) + +Enforcing composite role rules + +The first rules that are enforced are the composite role rules. 
See the +[Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md)topic +for additional information. + +For every selected resource, this step enforces composite role rules. That means assigning a +specific composite role to the input resource, based on its context's dimension values. This new +assignment is materialized into a new object called an assigned composite role, stored in the +`UP_AssignedCompositeRoles` table. The resource becomes the owner of the assigned composite role. + +Manual and derogatory assignments of composite roles found in the database are also added to the +expected assignments list. + +Then automation rules are enforced on assigned composite roles. See the +[Automation Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) topic for +additional information. + +**NOTE:** Enforcing automation rules on an assignment means to find, for each assignment, the +matching automation rule, looking at the last review or the creation date, comparing it to the time +defined in the rule and, if needed, apply the rule decision that may approve or decline the +assignment. + +Enforcing single role rules + +Then, single role rules are enforced. That means assigning a specific single role to the input +resource based on its context and existing assigned composite roles, i.e. the composite roles +currently assigned to the resource. Both assigned composite roles freshly created by enforcing +composite role rules and those already in the database are taken into account. In the former case, +single roles created are said to be inferred. + +This is materialized into a new object called an assigned single role, stored in the +UP_AssignedSingleRoles table. The resource becomes the owner of the assigned single role. 
+ +Manual and derogatory assignments found in the database of single roles are also added to the +expected assignments list. + +Then automation rules are enforced on assigned single roles. + +Expected provisioning assignments + +Fulfillment is just the consequence of the role assignment process. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Provisioning-orders-to-be are the output of resource type rules, navigation rules and scalar rules. +The outcome of those rules, as assigned resource types, assigned resource navigation, and assigned +resource scalar is conditioned by the input resource assigned roles, issued during the first +expected role assignments computation or even earlier. They are the exact image of technical +provisioning orders that are to be executed by the agent, after being validated by a knowledgeable +user. See the [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-expected-2.webp) + +Enforcing resource type rules + +Resource type rules are enforced. This means creating and adding assigned resource types to the +expected assignments list. This means enforcing the need for a resource of that type to be created +in the managed systems, with the input resource as its owner. + +Then automation rules are enforced on assigned resource types. + +A further step will correlate, to find the actual target resource if it exists. If not, it will +eventually become a provisioning order to create such a resource. + +This can be seen as assigning a target resource to an owner. 
It's still important to note that the +act of assigning a resource to an owner almost always is the consequence of a role assignment. Use +cases for which a single, isolated resource, is "assigned" (i.e. created with specific values) is +rare and is more of a solution to a specific technical problem. + +Enforcing navigation rules + +Finally, navigation rules are enforced. They aim to complete the information about the resource to +be created because of the assigned resource types. If the type rule is the what, this is the how. + +For every assigned resource type, associated navigation rules are enforced. + +Navigation rules are conditioned on the resource's assigned single roles. If a specific single role +is found as assigned to the owner resource of the assigned resource type (i.e. the input resource of +the algorithm), an assigned resource navigation is created in the UP_AssignedResourceNavigation +table, with the resource as its owner. The assigned resource navigation will eventually translate +into a provisioning order. + +The assigned resource navigation is hence the consequence, in the form of a +provisioning-order-to-be, of assigning a role to a resource. + +This means also no assigned resource type, no navigation assignment. Resource type rules are a +prerequisite for the associated navigation rules to be enforced. + +Enforcing scalar rules + +Finally, the scalar rules associated with the target's resource type are enforced and become +assigned resource scalars that will also result in a provisioning order. + +For every assigned resource type, associated scalar rules are enforced. + +They also aim to complete the information about the resource to be created because of the assigned +resource types. + +Found manual assignments and derogation of resource types with their associated navigation and +scalar assignments are added as well. 
+ +**Step 3 –** **Match existing assignments with expected assignments** + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/compute-find-matching.webp) + +The expected assignments list is now built. + +For every expected/computed assigned resource type, assigned single role and assigned composite +role, the algorithm finds the matching existing assignment, from the list of assignments. + +The existing list of assignments in the current database is composed of: + +- Assignments computed by the last Evaluate Policy; +- Assignments created by the classification task, including `Found` and `Historic` ones issued from + the analysis of the resource values from the managed system. + +The result is a list of expected assignments that have a counterpart in the list of existing +assignments. + +**Step 4 –** **Assignments cleansing / purge** + +Some assignments are given an expiration date at creation (see the first step, context rules +enforcement). This is the step where expired assignments are removed from the expected assignments +list. + +They will not be deleted, but historized. The validTo column of the UP_Assigned\* is updated. + +Others have been manually denied via the provisioning review screen, or must be canceled because of +rules or resource value changes. Those are deleted too. + +The result is a list of really existing assignments, without the expired, canceled or explicitly +unwanted ones for any reason. + +**Step 5 –** **Correlation** + +![Computing Expected Provisioning Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/correlation.webp) + +Resource correlation rules are enforced: for every expected assigned resource type, the algorithm +looks for a target resource that correlates the owner, which is the input resource. 
+ +If found, that correlated resource becomes the target of the assigned resource type. If not, a +provisioning order of creation is written. + +A word about correlation. Correlation is achieved by using resource correlation rules. Each rule +applies to a resource type. It defines for the source entity type a quantity computed from its +attributes. It does the same for the target entity types. Those quantities are called correlation +keys. For a given assigned resource type, the correlation algorithm tries to match the owner +correlation key with all available resources of entity type target. If one is found equal, the +matching resource becomes target of said assigned resource type. For every resource, correlation +keys are computed by a regularly scheduled task and stored in the database. + +**Step 6 –** **Handle assignment lifecycle** + +Expected assigned resource scalars and assigned resource navigations matching existing counterparts +are found. + +For every assigned resource type, assigned resource scalar and assigned resource navigation, the +provisioning state is updated according to the correlated target resource values, the matching +existing assignment state and the provisioning state transition algorithm. + +For expected assignments that have a matching existing counterpart, the correlated target resource +values are analyzed. If they match the expected resource values, that means that the last +provisioning order has been indeed well executed. The provisioning state of the associated +assignment is switched to Applied. Same goes for the role assignments from which those scalar and +navigation assignments originated. + +For expected assignments that do not have a matching existing counterpart, they receive their +Pending or Blocked provisioning state. + +Blocked assignments are submitted for validation in the provisioning review screen. 
Blocked assigned +resource types are associated with a confidence level that describes the level of confidence of the +correlation between source and target. The confidence level is a configuration of the resource +correlation rules. + +The workflow state is also analyzed; assignments with Approved (or Cancellation) have been approved +(or denied) and can now be provisioned. + +| Workflow state | Description | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 0—None | Used for Identity Manager's internal computation | +| 1—Non-conforming | The assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) | +| 2—Requested - Missing Parameters | The assignment has been requested via a workflow, but does not specify at least one required parameter for the role. | +| 3—Pre-existing | The assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | +| 4—Requested | The assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. ![Workflow State: Pending Approval - Requested](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) | +| 5—Calculated - Missing Parameters | The assignment was done by a rule which does not specify at least one required parameter for the role. 
![Workflow State: Calculated - Missing Parameters](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) | +| 8—Pending Approval | The assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) | +| 9—Pending Approval 1 of 2 | The assignment is pending the first approval on a two-step workflow. | +| 10—Pending Approval 2 of 2 | The assignment is pending the second approval on a two-step workflow. | +| 11—Pending Approval 1 of 3 | The assignment is pending the first approval on a three-step workflow. | +| 12—Pending Approval 2 of 3 | The assignment is pending the second approval on a three-step workflow. | +| 13—Pending Approval 3 of 3 | The assignment is pending the third approval on a three-step workflow. | +| 16—Approved | The assignment has completed all approval steps. ![Workflow State: Approved](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) | +| 17—Declined | The assignment is explicitly declined during one of the approval steps. | +| 20—Cancellation | The assignment is inferred by a role that was declined. ![Workflow State: Cancellation](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) | + +**Step 7 –** **Delta** + +The existing and expected assignment lists are compared and yield a third list of differences, i.e. +non conforming values in the managed systems that need to be fixed. + +That list will eventually become provisioning orders that will be sent to the agent for fulfillment. + +What constitutes a difference? 
+ +Expected resource and their values not matching the existing resource and their value, for an +existing assignment with an `Applied` or `Executed` provisioning state. + +If the existing assignment is not yet `Applied` the agent might still be preparing the provisioning. +A resource value that does not comply with the role model, but is in the fixing process (meaning an +assignment with a provisioning state of `Pending` or `Sent`) will not come up in the UI. + +**Step 8 –** **Saving the result** + +At this point, Evaluate Policy has computed expected assignments for the resource, by applying rules +and purging expired assignments. + +Expected assignments are: + +- Assigned composite roles and assigned single roles, representing roles assigned to the resource +- Assigned resource scalars and assigned resource navigations, representing scalar and navigation + properties to fulfill to a target resource from that source resource, the ownership relationship + between source and target being materialized by an assigned resource type. + +Expected assigned are written to the database, they will be the basis for the next step: fixing +differences. The writing is optimized by using bulk insert methods. + +To enhance the writing performances, it's not actual assigned\* that are written, but updates from +the existing ones, using the delta computed at step 7. + +For fine-grained assignments such as assigned resource scalars and assigned resource navigations, +Identity Manager stores the policy value i.e. the value computed by Evaluate Policy (not yet +fulfilled) and the current value i.e. the value currently held by the target resource in the managed +systems. + +From there, it is possible to retrieve the differences between existing and expected assignments for +that resource, at any time. + +Remember, the goal of building a set of assignments is twofold: + +- Building a catalog of existing assignments as assigned roles for non-technical users to consult. 
+- Fulfill target values from source resources so as the managed systems comply with the role model. + +The catalog of existing assignments is now available: they are assigned\* with an Applied +provisioning state. Non technical-users can read assigned single roles and assigned composite roles. +Technical users will be more interested in assigned resource scalars and assigned resource +navigations. + +Fulfilling target values from source resources is going to take the form of provisioning orders, +computed from assigned resource scalars and navigations in the Pending or Blocked state. + +## Fixing Differences + +The engine has computed a list of expected assignments. The difference with the managed system +state, as a list of resource values that infer differences in role assignments, can be fixed by +provisioning the expected assignments to the managed systems. + +Some provisioning orders have to be reviewed by a knowledgeable user. Those are provisioning orders +computed from assigned\* with a Blocked provisioning state. The UI provides screens to perform +review and validation. + +Every provisioning order is to fix a difference that has been caused by a change in the source +resource values or in its target resources. + +Let's see in details what kind of differences Identity Manager deals with, and what kind of change +in the managed systems triggers them. + +The workflow state of an assignment helps identify the nature of a difference between that +assignment and the managed systems. + +### UI overview + +Differences are displayed in the following screens: + +- **Provisioning Review** displays `Blocked` (non `Found`, non `Historic`) assigned resource types, + assigned resource navigations and assigned resource scalars. They must be reviewed by a + knowledgeable technical end-user. They are assignments mirroring legit provisioning orders + recently computed by the Evaluate Policy. 
+- **Resource Reconciliation** displays `Found` and `Historic` assigned resource types, assigned + resource navigations and assigned resource scalars. This is where non-conforming resource values + or non-authorized accounts (i.e. a resource that should not exist at all) in the form of + provisioning assignments are displayed. These assignments mirror, at the resource value level, + derogations still not explicitly refused by a knowledgeable end-user. This is where an end-user + can find provisioning assignments that would render legit the non-confirming values and + non-authorized accounts found in the managed systems. +- **Role Reconciliation** displays `Found` and `Historic` assigned single roles and assigned + composite roles. They are role assignments that mirror derogations, at the role level, still not + explicitly refused by a knowledgeable end-user. This is where an end-user can find roles + assignments that would render legit the non-confirming values and non-authorized accounts found in + the managed systems. +- **Redundant Assignments** displays `Approved` assigned roles and assigned resource types tagged as + eligible to be turned into `Calculated`. + +_Remember,_ **Role Review** is a little bit different as it displays manually requested assignments +waiting for manual approval. + +### A target value to update + +A target resource scalar value is different from the scalar value obtained by applying scalar rules +to the source resource. + +This could be caused by a change in the target value directly from within the managed system, before +or after Identity Manager has been plugged in. For example, a target Active Directory account Email +value has been changed. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change in the target made outside/before Identity Manager and found by +synchronization. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a +knowledgeable user, the found non-conforming value will be displayed in the **Resource +Reconciliation** screen, with the suggestion for update. The non-conforming value can either be +kept, and become an exception and overwritten with the rules-issued value. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the Name +of an employee. Synchronization has detected the change in value, and reapplied rules. And now, the +target Active Directory account name has to be updated. + +The corresponding assigned\* would be awarded a workflow state PolicyApproved given the difference +is about a change in the source that caused the need for a change in the target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource update provisioning order. + +### A target resource to create + +A target resource is missing. Applying navigation rules to a source resource yielded the need for a +specific target resource that has not been found by synchronization. + +This could be caused by a missing resource in a managed system even before Identity Manager was +plugged-in or the deletion of such a resource in the managed system afterward. For example, a +nominative Active Directory account has not been created yet for that existing identity. + +The corresponding assigned\* would be awarded a workflow state Historic or Found given the +difference is about a change or an omission in the target outside/before Identity Manager and found +by synchronization. 
+ +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a missing resource provisioning order. + +This could also be caused by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the Job +Title of an employee. Synchronization has detected it, and reapplied rules, and now, this identity +has to be awarded a new Active Directory account with higher privileges. + +Or it could be caused by the manual assignment of a new Role from within Identity Manager to an +existing identity that would grant that identity with a new account and hence a target resource to +create. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to create a new target because of the +applications of the rules. + +Those cases yield a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource creation provisioning order. + +### A target resource to delete + +An extra target resource has been found by synchronization, it's been correlated with our source +resource, but no navigation rules applied to the source resource yielded the need for its existence. + +This could be caused by an extra resource created directly from within a managed system, or the +change of a rule that makes some existing resources moot. For example, an administration Active +Directory account has been created directly from the managed system and granted to an identity who, +according to the rules, is not entitled to it. 
+ +As Identity Manager does not overwrite managed systems values without confirmation from a +knowledgeable user, the found non-authorized account will be displayed in the **Resource +Reconciliation** screen, with the suggestion for deletion. The non-authorized account can either be +kept, and become an exception and or be deleted to comply with the rules. + +The corresponding assigned\* would be awarded a workflow state `Historic` or `Found` given the +difference is about an extra target added outside/before Identity Manager and found by +synchronization. + +This could also be cause by a change in the source resource, by a previous fulfillment of Identity +Manager, or directly from within the managed system. For example, the HR system has updated the +`Job Title` of an employee. Synchronization has detected it, and reapplied rules, and now, this +identity has to be awarded a new Active Directory account with lower privileges, the old one must be +deleted. + +Or it could be caused by explicitly denying a Role to an existing identity from within Identity +Manager which would ripple through and forbid this account from existing. + +The corresponding assigned\* would be awarded a workflow state `PolicyApproved` given the difference +is about a change in the source that caused the need to deletion a target because of the +applications of the rules. + +This case yields a provisioning order, that could be blocked, and hence displayed in the +**Provisioning Review** screen for validation in the form of a resource deletion provisioning order. + +Provisioning orders are still fairly technical to read. Non compliant-roles, inferred from +non-compliant resources in the managed systems, are also displayed in the **Role Reconciliation** +screen to be kept or deleted by less technical users. + +## Fulfilling + +Fulfilling assignments is the role of connectors. 
Provisioning orders are written and sent to the +agent via the `Usercube-Generate-ProvisioningOrders` task is added to every provisioning job. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md new file mode 100644 index 0000000000..aa2fadc93f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md 
@@ -0,0 +1,124 @@ +# Existing Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +can deduce from synchronized data a list of assignments for every identity. + +## Overview + +One of the main responsibilities of the Compute Role Model task is to translate data from the realm +of the managed systems (such as accounts or groups) into the realm of roles. + +The process results in a list of existing assignments, expressed as assigned roles, for every +identity. + +This is Identity Manager's first computation when deployed in an organization: assessing the current +state of the managed system in order to suggest fixes. + +The main process can be summed up as: + +1. Finding the owner `O` of a resource `R` by applying correlation rules. +2. Deducing roles by applying provisioning rules (such as navigation or scalar) "in reverse". In + this step, Identity Manager tries to find the role that would have yielded a provisioning order + for resource `R`, if assigned to identity `O`. + +The following use cases can be encountered. + +## Use Case 1: One Group, One Role + +This first use case involves a common role model situation: one single role represents one +entitlement, for example an Active Directory group. + +Let's study this use case with an example: a single role _Internet_ is linked to an Active Directory +group _Internet_ through a navigation rule `N`. + +![use_case_1_rolemodel](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_rolemodel.webp) + +We are going to consider here an identity named John Doe, and his Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +The most straightforward way to think about this role model is to consider the direct flow. This +would happen if John Doe's account wasn't a member of the _Internet_ group. 
+ +1. Identity Manager performs the first synchronization, and correlates the nominative Active + Directory account [john.doe@contoso.com](mailto:john.doe@contoso.com) to John Doe. +2. This account is _not_ a member of the AD group _Internet_. +3. A manager assigns the role to John Doe's identity using Identity Manager's UI. +4. The Compute Role Model task applies the navigation rule `N`. +5. A provisioning order for John Doe's Active Directory account becoming a member of the group + _Internet_ is issued. + +This is a typical onboarding scenario for John Doe that happens to start a new job within the +organization after Identity Manager was deployed. + +Now, let's consider what happens for John Doe, if he started his job within the company before +Identity Manager was ever deployed. + +The initial situation is an identity, John Doe, and a "lonely" Active Directory account, +[john.doe@contoso.com](mailto:john.doe@contoso.com). + +This time, Identity Manager performs the "deduction" flow. + +Identity Manager performs the first synchronization and tries to correlate accounts with identities. +This results in finding out that John Doe is the owner of the Active Directory account +[john.doe@contoso.com](mailto:john.doe@contoso.com). The synchronization also shows that the +[john.doe@contoso.com](mailto:john.doe@contoso.com) account is a member of the _Internet_ Active +Directory group. + +The situation in Identity Manager database at this point is the following. + +![use_case_1_sync](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_sync.webp) + +Integrators have defined the Internet single role and linked it to the _Internet_ AD group through +the navigation rule `N`. + +Now, the Compute Role Model task "studies" the role model: the only rule that assigns the _Internet_ +Active Directory group is the navigation rule `N`. 
By following the rule in reverse, Identity +Manager deduces that the role _Internet_ should _de facto_ be assigned to John Doe, so that the +rules be consistent with the data found in the Active Directory. + +The role is now listed under John Doe's assignment list (permissions) in Identity Manager. + +![use_case_1_deduction](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/use_case_1_deduction.webp) + +## Use Case 2: Several Groups, One Role + +This second use case involves another common role model situation: one single role represents two or +more entitlements. The single role is used here to package several Active Directory group +assignments, for example, assignments which are always granted together to perform certain tasks. + +For example, let _Sales manager_ be a single role linked to the Active Directory groups _operations_ +and _sales_ through two navigation rules `N1` and `N2`. + +The "direct" flow here means that if John Doe is assigned the _Sales manager_ role, Identity +Manager fulfills the _operations_ and _sales_ group memberships for John Doe's Active Directory +account. + +Now, let's consider the reverse flow. If John Doe already had membership for the _operations_ and +_sales_ group before Identity Manager was deployed, the AD Synchronization will detect it. By +applying `N1` and `N2` in reverse, Identity Manager deduces that John Doe must have the _Sales +manager_ single role. + +His trusted advisor, Mary Webster, isn't a member of the _operations_ group. She is only a member of +the _sales_ group. Identity Manager applies `N1` in reverse, but there is only one Single Role +(_Sales manager_) that grants the _sales_ group membership. The only way for Mary to be granted the +_sales_ group membership from the role model point-of-view is to have been granted the _Sales +manager_ role. 
For Identity Manager, it is as if Mary had been assigned this role, but is missing +the _operations_ group. That is exactly how it is materialized: the identity for Mary in Identity +Manager will be assigned the _Sales manager_ role, and a missing group membership will come up in +the provisioning review screen. + +If the IGA administrator doesn't want Mary to be granted the _Sales manager_ role and hence the +_operations_ group, another role must be created, that only grants the _sales_ group but not the +_operations_ group. + +## Use Case 3: Several Groups, Several Roles + +The third use case is a less common one, but can still be a little confusing. + +Let's take two roles `B` and `C`. + +- `B` grants membership to two groups: `AD1` and `AD2`. +- `C` grants `AD2` and `AD3`. + +This time, if only `AD2` is found for a given user, no deduction can be made. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/generate-contexts/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/generate-contexts/index.md new file mode 100644 index 0000000000..61099caff7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/generate-contexts/index.md 
@@ -0,0 +1,171 @@ +# Generate Contexts + +A context is a set of dimension-value pairs computed using the +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) or the +combination of a context rule and the +[ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) if record +sections are configured. + +A context is used to compute the role assignments for an identity by verifying that the +dimension-value pairs meet the role criteria. + +## Basic Context Generation + +When using only a context rule without a record section, the context generation is straightforward: +a set of dimension-value pairs is created by computing the value of the dimension bindings on the +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md). + +> For example, the following context rule defines guests' contexts based on their start date, end +> date, and company. +> +> ``` +> +> +> +> ``` + +## Identity Context Generation + +As described in the [Identity Management](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md), identities are +complex to model. Records were introduced to tackle this complexity by allowing multiple positions +for the same identity. + +[ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) go further +by modeling the relationship between positions. Indeed with record sections, it is possible to +define: + +- what are the shared properties between all positions? +- what are the properties unique to each position? +- what happens when there is a time gap between two positions, should the previous be extended or + should the future position be used to fill the gap? 
+- what happens when a position property value is not defined? + +Before illustrating how the record sections can be configured to handle most cases of position +management, here is the background situation for the examples that follow: + +- A position is defined by a `JobTitle`, a `Location`, and a `Department`, all other properties + belong to the identity and are shared between all positions. +- Dimensions are `Category`, `JobTitle`, `Location`, and `Department`. +- Each position will have an `Id`. +- `Sx` represents the start date of the position, and x is the `Id` of the position. +- `Ex` represents the end date of the position, and x is the `Id` of the position. +- `Cs` represents the contract start date. +- `Ce` represents the contract end date. + +The following configuration shows the context rule that will be used for the examples. + +``` + + + +``` + +The context rule start/end dates bindings and expressions won't have any effect on the computation, +they are overridden by the record sections dates properties. + +### Configuration of basic record sections + +``` + +Default section: + + + +Position record section: + + +``` + +The configuration above binds the position to the contract end date, meaning that a position without +an end date will take the end date of the contract. The properties of the position record section +cannot be propagated, meaning if a position does not have a `Location` it cannot take the `Location` +of the previous or future position. + +The following image shows the positions of `Mark Barn` in a defined timeline. 
+ +![simple-recordsection-identity](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-identity.webp) + +With the given configuration and the identity of `Mark Barn`, the following contexts are generated: + +![simple-recordsection-result](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/simple-recordsection-result.webp) + +Each computed context will be used to create a set of dimension-value pairs, thus having 3 sets for +the [Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +Any rules targeting identities with a `fulltime`Category`will be assigned to`Mark +Barn`from`Cs`to`Ce```. + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `S1` to +`E2`. + +Any rules targeting all identities will be assigned to `Mark Barn` from `Cs` to `E2` because from +`E2` to `Ce` there isn't any position. This behavior can be overridden by specifying +`ExtensionKind="None"` on the `Directory_UserRecord_Position` section. + +### Configuration of a position extension + +#### Extension of a property + +The record sections can help extend some position property value when for some time the identity +does not have a position. For example, let's say that an identity can have multiple positions but +they must be in the same `Location`. So it is safe to configure the record sections to copy the +`Location` from a position if: + +- the identity does not have a position for some time; +- for a position, the `Location` is not defined. + +Here is the configuration needed to apply this policy. + +```` + +Default section: + + + +Position record section: + `````` + `````` + `````` + +```` + +The `ExtensionKind="None"` was removed for the `Location` property. 
+ +Using the identity of `Mark Barn` the computed contexts should be as followed: + +![recordsection-withvaluecopy-result1](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/recordsection-withvaluecopy-result1.webp) + +Any rules targeting identities working in `London` will be assigned to `Mark Barn` from `Cs` to +`Ce`. + +#### Extension of a whole position + +The property value copy can be leveraged to extend a chosen position when for some time the identity +does not have one. See the Generate Contexts topic for additional information. The following +configuration and the identity of `Phoebe Buffay` will be used to showcase a position extension. It +is done by removing the `ExtensionKind="None"` of the position properties. + +```` + +Default section: + + + +Position record section: + + `````` `````` `````` + + +```` + +![positionextension-identity](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-identity.webp) + +Two contexts will be generated. + +![positionextension-result](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/generate-contexts/positionextension-result.webp) + +By default, the previous position is extended when there is a gap. If there isn't any previous +position then the next position will be anticipated. + +The choice of the position to extend can be configured by leveraging the `SortKeyExpression` in the +position [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md new file mode 100644 index 0000000000..913b5d28a2 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md 
@@ -0,0 +1,139 @@ +# Configure Indirect Permissions + +The following how-to assumes that you have already read the topic on +[ Indirect Permissions ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md). + +## Configure Indirect Permissions in an Active Directory + +### Configure an indirect resource rule + +Configuring an Indirect Resource Rule in the Identity Manager Configuration is the only step needed +to set up Indirect Permissions and can be done by answering the following questions: + +- What is the target Entity Type? There are multiple multiple Entity Types but for this example we + will choose `AD User (nominative)`. Another rule can be written if you want to handle Indirect + Permissions for `AD User (administration)`. +- Which permissions can be obtained transitively in the Active Directory? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Here, we do not want to. This also means + that `Correspondence`, `CorrespondenceMembershipProperty`, and `Entitlement` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity +Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` + + +After adding this rule to the Configuration, do not forget to deploy the configuration. + +### Set up a test user + +The aim of this section is to give you a step-by-step guide for setting up a test user. It will also cover what is displayed in Identity Manager. In this example, we will assign a ```Test Group A``` directly to the test user and the ```Test Group A``` will also be a member of the ```Test Group B```. This way, the test user will also have an indirect assignment to the ```Test Group B```. We will also create the corresponding roles. 
+ +![Group Membership Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/indirectpermissionsadexample.webp) + +A running Active Directory instance is required to reproduce these steps yourself. + +#### Edit the Active Directory + +Create two groups in your Active Directory, ```TestGroupA``` and ```TestGroupB```. Then add ```TestGroupA``` as a member of ```TestGroupB```. Finally add a test user as a member of ```TestGroupA```. The test user can be any existing user in the AD that is known by Identity Manager. + +#### Prepare Identity Manager + +Since we have manually edited the Active Directory, we first need to run an AD synchronization job. +Then we create one Single Role for each group in the Active Directory. We will name them ```TestRoleA``` and ```TestRoleB``` for ```Directory > User```, : + +![Single Role Configuration Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srconf_5.2.1.webp) + +We will also create a test Composite Role to showcase indirect Composite Roles. We will name it ```TestCRoleAB```: + +![Composite Role Configuration](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/crconf_5.2.1.webp) + +Then we will also need to add some rules. 
We first need to add one Navigation Rule for each group to link them with their respective Single Role: + +![Navigation Rule Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/navrule_5.2.1.webp) + +And finally, we need to add Single Role Rules to link our two previously created Single Roles to the new Composite Role: + +![Single Role Rule Example](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/srrule_5.2.1.webp) + +Even if two rules of a kind are needed, only one is pictured. Do not forget the other one. + +#### Indirect permission display + +After running a [ +Compute Role Model Task +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md), Indirect Permissions should now appear for your test user. + +The next screenshots were taken after adding the direct assignment directly inside the Active Directory. As such, the direct permission is also flagged as ```Non-conforming```. + +If you first go on the ```View permissions``` tab of your test user, the only new role that appears in the ```Simplified view``` is the indirect Composite Role ```TestCRoleAB```: + +![View Permissions Simplified](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionssimplified_5.2.1.webp) + +To display Indirect Permissions, you need to switch over to the ```Advanced view```. ```TestRoleA``` and ```TestRoleB``` should then appear: + +![View Permissions Advanced](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/viewpermissionsadvanced_5.2.1.webp) + +You can also directly display the Assigned Resource Navigations by clicking on ```AD User (nominative)```. 
The ```memberOf``` properties will appear in the list: + +![AD Assigned Resource Navigations](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/adassignednavigations_5.2.1.webp) + +## Configure Indirect Permissions in an Microsoft Entra ID + +We can follow the same steps to configure this new rule: + +- What is the target Entity Type? + Once again, we will configure a rule for nominative users. The Entity Type is ```MicrosoftEntraID_DirectoryObject_NominativeUser```. +- Which permissions can be obtained transitively in the Microsoft Entra ID (formerly Microsoft Azure AD)? + Users get permissions by being members of a group. The property is ```memberOf```. +- Do we want to look for correspondences in another system? + Here, we do not want to (it is possible, but it is not the aim of this How-To). + This also means that ```Correspondence```, ```CorrespondenceMembershipProperty```, and ```Entitlement``` will remain blank. + +Finally, if we compile all this information and using the naming of the standard Identity Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +```` + +## Configure Indirect Permissions in SharePoint using Correspondences from an Microsoft Entra ID + +We can follow the same steps to configure this new rule, but this time we will showcase the +correspondence feature: + +- What is the target Entity Type? We first start in the Microsoft Entra ID. Once again, we will + configure a rule for nominative users. The Entity Type is + `MicrosoftEntraID_DirectoryObject_NominativeUser`. +- Which permissions can be obtained transitively in the Microsoft Entra ID? Users get permissions by + being members of a group. The property is `memberOf`. +- Do we want to look for correspondences in another system? Yes, we want to find correspondences in + SharePoint. A correspondence can be found using the `SharePointObject` property. 
+- Which permissions can be obtained transitively in SharePoint? Once again, users get permissions + based on which groups they are a member of. The property capturing this notion for SharePoint + entities is `Group` +- Is being member of a group in SharePoint the type of permissions that we want to capture? While + this can be computed, we are rather interested in compiling which SharePoint objects a user can + view/change/etc. We obtain this information using the `Entitlement` property. + +Finally, if we compile all this information and use the naming convention of the standard Identity +Manager Demo, we get the following Indirect Resource Rule: + + ``` + + + +``` + + +This rule will also compute indirect permissions for the Microsoft Entra ID. +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md new file mode 100644 index 0000000000..7e9fd0989d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/infer-single-roles/index.md 
@@ -0,0 +1,56 @@ +# Infer Single Roles with a Composite Role + +This guide shows how to assign several single roles via the assignment of one composite role. + +It is possible to infer SingleRoles with +[ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md). The +SingleRole can only be inferred by the CompositeRole if both the CompositeRole and SingleRole rules +are verified. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +a [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) to define which +EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Composite Role + +A CompositeRole is created in the same way as a SingleRole. + +``` + + + +``` + +## Assign the Composite Role Based on the Dimension + +This step is optional for our simple purpose of inferring single roles with a composite role. The +composite role can be linked to a dimension, but it does not have to. + +The CompositeRoleRule can be limited with the use of dimensions. + +``` + + + +``` + +## Assign Single Roles Based on the Composite Role + +The link between a SingleRole and a CompositeRole is made in the SingleRoleRule. + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md new file mode 100644 index 0000000000..1a89207355 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/restrict-assignment/index.md 
@@ -0,0 +1,98 @@ +# Restrict the Assignment + +This guide shows how to use filters on dimensions and/or roles to restrict the assignment of a role +or resource type. + +## Create a Dimension + +The restriction of resource allocations is done from a filter. To do this, it is necessary to create +a [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) to define which +EntityTypes the filters will apply to. + +For the different examples of restrictions, the filters will be based on the EntityType +"Organization" and "Title". + +``` + + + +``` + +## Create a Single Role + +To be able to filter with the dimensions previously created, it is necessary to first create +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) which will +serve as a restriction to the assignment of ResourceTypes for a given source. + +The example below creates a SingleRole for the EntityType Directory_User (source of the +ResourceTypes you want to restrict). + +``` + + + +``` + +## Assign the Role Based on the Dimension + +We will define a +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) on the +"Title"; dimension with a given value to restrict the allocation of a resource in only one case. + +``` + + + +``` + +D1 represents the dimension whose ColumnMapping="1". + +``` + + + +``` + +The value in property D1 implies that the rule is checked only if the source resource has as +association to the EntityType related to dimension 1 is "FCT0402". + +## Assign a Resource Type Based on the Role + +The restriction on the creation of these accounts is integrated directly into the type rule of the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). 
This implies +that the ResourceType will only apply if the +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) are +checked. + +This part will link a SingleRole to a ResourceType. This implies that the allocation of a target +resource to a source will only be done if the SingleRole rule(s) are verified. + +``` + + .... + + +``` + +### Use a navigation rule instead of a type rule + +A [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) in addition +to filling a multi-valued association, also serves as an allocation context for a ResourceType. + +There are 3 ways to restrict the allocation of the ResourceType with a NavigationRule: + +- Fill in one or more dimensions directly in the NavigationRule. +- Fill in a SingleRole. +- Fill in one or more dimensions and a SingleRole. + +For the last 2 cases this will induce the ResourceType by the SingleRole. + +``` + + ... + + +``` + +In the example above the ResourceType does not need a TypeRule because the NavigationRule already +serves as an allocation context. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/index.md new file mode 100644 index 0000000000..8a99309547 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/index.md @@ -0,0 +1,7 @@ +# Role Assignment + +Once the role model is established, role assignment can be performed, i.e. missing or non-conforming +assignments can be detected in order to give users the appropriate access rights. + +Be sure to read first the documentation about the role model. See the +[ Role Model ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md) topic for additional information. 
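Review bot: in the Configure Indirect Permissions how-to hunk that ends just before the `infer-single-roles/index.md` header, both blocks introduced by "we get the following Indirect Resource Rule" (under the Microsoft Entra ID and SharePoint headings) contain only blank lines, and the fences are inconsistent. The first block opens with three backticks and closes with four, and a stray three-backtick fence after "This rule will also compute indirect permissions for the Microsoft Entra ID." opens a code block that is never closed. Restore the rule XML in both blocks, use matching fences, and drop the trailing fence. Both headings also read "in an Microsoft Entra ID"; "in Microsoft Entra ID" is the correct form.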
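Review bot: all four fenced blocks in `infer-single-roles/index.md` (Create a Dimension, Create a Composite Role, Assign the Composite Role Based on the Dimension, Assign Single Roles Based on the Composite Role) contain only blank lines, so the guide never shows the configuration it describes. Restore the XML for each step; "The link between a SingleRole and a CompositeRole is made in the SingleRoleRule" cannot be followed without seeing which attribute carries that link. The link labels `[ Composite Role ]` and `[ Dimension ]` also have padding spaces inside the brackets that should be trimmed.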
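Review bot: under "Use a navigation rule instead of a type rule" in `restrict-assignment/index.md`, the opening sentence links to Resource Type but describes a navigation rule ("A [Resource Type](...) in addition to filling a multi-valued association, also serves as an allocation context for a ResourceType"). The subject and link should be the NavigationRule. Earlier in the same hunk, `"Title"; dimension` carries a stray semicolon, and the D1 explanation ("only if the source resource has as association to the EntityType related to dimension 1 is "FCT0402"") does not parse. If the intended meaning is that the rule applies only when the source resource's dimension 1 value is "FCT0402", say so directly. The fenced examples in this file are blank as well, including the two that contain only `....` and `...`.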
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md new file mode 100644 index 0000000000..c4b24ed16f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/indirectpermissions/index.md 
@@ -0,0 +1,107 @@ +# Indirect Permissions + +Identity Manager can compute, for a given identity, permissions that are obtained implicitly or +indirectly through assignments. The +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is responsible for this functionality. + +## Overview + +Assigning a role to a user can give them new permissions in a managed system by giving access to a +new role or a new group, for example. This assignment is direct as it is entirely explicit. However, +the user might also receive some **additional permissions that are inherited through the new +permission** and that are not explicit. For instance in some systems, users can get permissions by +being a member of a group but groups can also be members of other groups, and therefore allow for +transitive permission acquisitions. These permissions are called indirect. This notion can also be +extended when permissions in a managed system also give other permissions in an external system. + +Indirect Permissions are automatically computed by the +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +along with standard explicit or direct permissions during a full update. Indirect permissions will +not be computed when processing a single user (for instance through "Repair Data (helpdesk)") or +during simulations. + +## Configuration + +The computation of Indirect Permissions is based on the configured +[ Indirect Resource Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md). +These rules tell Identity Manager how to navigate the managed system and how to recover permissions +that a user inherits implicitly. 
An Indirect Resource Rule is composed of the following properties: + +- `ResourceType`—The + [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) to which the + rule will be applied. +- `Property` — The [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + which corresponds to the user permission in the _target_ system. +- `Correspondence` (optional)— The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) that is used to + recover the correspondence of a resource from the _target_ system in the _external_ system. +- `CorrespondenceMembershipProperty` (optional) — The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in an _external_ system. +- `Entitlement` (optional) — The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) that can be + configured if the permission in the _external_ system needs to be recovered from the discovered + resources. For instance one can use this property to recover the entitlements of Sharepoint groups + (while `CorrespondenceMembershipProperty` will be used to recover the group membership graph). + +If either `Correspondence` or `CorrespondenceMembershipProperty` is specified, then the other +property must be specified as well. + +If `Entitlement` is specified, then both `Correspondence` and `CorrespondenceMembershipProperty` +also need to be specified. + +- `TargetEntityTypeProperty` — The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which identifies + each rule given a resource type. 
+- `TargetEntityTypeReflexiveProperty` — The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in the _target_ system. +- `IndirectResourceBinding`— The [ Bindings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/bindings/index.md) that is used to + recover an assignment from a permission in either system (target or external). It is also used to + define the correspondence between resources in both systems. +- `IndirectResourceReflexiveProperty` (optional): The + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) which corresponds to + the user permission in an _external_ system. + +Correspondences between resources are necessarily one-sided: the Indirect Permissions computation is +started in the managed system and if a correspondence is found, the computation will be continued in +the external system. Correspondences won't be checked in the external system. + +An example of an Indirect Resource Rule configuration is available in How-To: +[ Configure Indirect Permissions ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/how-tos/configureindirectpermissions/index.md) in an Active +Directory. + +## What Can Be an Indirect Permission? + +The +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +will create indirect Assigned Resource Navigations for the permissions that it finds, but if and +only if these permissions are associated with a +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). 
+ +If a [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) is associated +with one of these Resource Navigation Rules, then an indirect Single Role will also be recovered. + +Finally, if at least one indirect Single Role is used to recover a +[ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md), then the +Composite Role will also be indirect. + +## What Can Be Done with Indirect Permissions? + +Currently, Indirect Permissions are only displayed and found in the users' `View Permissions` tab in +the `Advanced View`: Indirect Permissions (except Composite Roles) are hidden in the +`Simplified View`. + +Although Indirect Permissions are marked as `Non-conforming`, they can be neither approved nor +deleted. They also won't appear in Access certification campaigns. + +Indirect Permissions are always indicated by the following icon: +![Indirect Permission Icon](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/indirectpermissions/ic_fluent_flow_20_regular.webp) + +## Disabling the Indirect Permission Computation + +In case of emergency, one can disable the computation of indirect permissions by adding the +`"DisableIndirectPermissions": true` field to the root of the `appsettings`. While the computation +is disabled, indirect permissions will be frozen in time: any existing one will not be deleted and +any potential new one will not be added. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md new file mode 100644 index 0000000000..a00c64d56b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md 
@@ -0,0 +1,64 @@ +# Non-Conforming Assignments + +The +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to detect from synchronized data a list of non-conforming or missing resources/entitlements +for every identity. That is one of Identity Manager's most powerful governance features, provided +you have a full role model configured. + +## Build the conforming assignment list + +The **first step** is building the conforming assignment list, as explained in the +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md). This list (list `A`) +includes the assignments that perfectly comply with the role model/assignment policy. + +## Build the existing assignment list + +The **second step** is building the existing assignment list (list `B`), as explained in +the[ Existing Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md) every synced resource can be +translated into a role assignment following the assignment rules "in reverse". + +## Compare both lists + +We can now **compare both lists** to find out if the managed systems really comply with the decided +upon assignment policy. + +For every assignment from list `B` representing resources from the synced data: + +1. There is a rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was expected, it can be found in list `A`. +2. There is no rule path from the identity attribute to the resource provisioning order in the role + model. The assignment was unexpected, it is not in list `A` or it is in list `A` but not with + exactly the same property values. + +The "unexpected" (or non-conforming) assignments can be for example orphan accounts. 
Sometimes, the +account itself should indeed exist according to the rules, but its attribute values are +"unexpected", contradicting scalar rules. + +Non-conforming accounts are presented in the reconciliation screens: from the role point-of-view in +the role reconciliation screen and from the resource point-of-view in the resource reconciliation +screen. + +They need human confirmation to be either kept or destroyed. + +For every assignment from list `A` representing expected assignments: + +1. There is an exact match in list `B`. The managed system complies with the assignment policy for + this resource. +2. There is no match in list `B`: the managed system doesn't comply with the assignment policy. The + resource is missing (the account is missing). + +Missing accounts are presented in the provisioning review for validation before provisioning. + +Identity Manager will **never delete data** without having a user's confirmation first. That is the +reason why these variations from the ideal aren't fixed automatically but submitted for review. + +Some users might wonder how they can perform governance if they don't have automated rules. +Certification can help. By reviewing (even manually) the entitlement landscape, non-conforming +account proliferation can be contained. + +This feature is the final touch of the **sync-fulfill-verify loop** that makes Identity Manager so +efficient. It is exactly like a closed-loop control system with a feedback loop: perturbations, in +the form of modifications in a managed system that don't go through Identity Manager first, trigger +a reaction. This reaction uses the role model to suggest a fix. This is the only way for the state +of the entitlement landscape to tend towards the ideal standards described by the rules. 
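Review bot: the property list under Configuration in `indirectpermissions/index.md` is interrupted by the two "If ... is specified" paragraphs and then resumes with a second set of names whose descriptions duplicate the first. `TargetEntityTypeReflexiveProperty` repeats the text of `Property`, and `IndirectResourceReflexiveProperty` repeats the text of `CorrespondenceMembershipProperty`. State which names are current (or that one set aliases the other), keep the list contiguous, and move the two constraints after it. Each entry is also described as "The [ Entity Type ]" although the how-to uses a property such as `memberOf` for `Property`, and the separators vary (`ResourceType`—The, `Property` — The, `(optional):`). In "Disabling the Indirect Permission Computation", it would help to say that the `View Permissions` tab keeps showing the frozen indirect permissions while `"DisableIndirectPermissions": true` is set.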
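Review bot: in "Build the existing assignment list" in `nonconformingdetection/index.md`, the sentence runs from the link straight into a new clause with no space or punctuation: "as explained in the[ Existing Assignments ](...) every synced resource can be translated into a role assignment". Add the space after "the", close the sentence after the link (for example with "topic."), and start a new sentence at "Every synced resource". The section above has the same dangling pattern, "as explained in the [ Conforming Assignments ](...).", with no noun after the link.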
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-mining/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-mining/index.md new file mode 100644 index 0000000000..62e3122128 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-mining/index.md 
@@ -0,0 +1,138 @@ +# Role Mining + +Role mining aims to reduce the cost of entitlement management by automating entitlement assignments, +via the analysis of existing assignments. See the +[ Automate Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md) topic for +additional information. + +## Overview + +After the role catalog is established, the +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +is able to assign single roles to users according to their attributes which are used as assignment +criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the Compute-RoleModel task is able to assign single roles to users according to their existing +> group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will +assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the dimensions +that constitute the key criteria for existing role assignments. See the +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md)topic for +additional information. 
It detects the most probable links between identities dimensions and their +roles in order to suggest the appropriate entitlement assignment rules. + +> For example, suppose that 80% of Netwrix Identity Manager (formerly Usercube) workers in +> Marseilles have access to an application "App". Then, role mining is most likely to recognize the +> working site as a relevant dimension, and suggest to create a rule that gives the "App" access to +> users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +### Technical Principles + +Role mining works through +[ Mining Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) that Identity Manager +applies with the +[ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +### Impact on users' entitlements + +Consider that all users from a given organization have a given role. Then role mining will create a +single role rule to assign automatically this role to any user of this organization. Then users' +entitlements remain unchanged: + +![Impact Example - Use Case 1](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase1.webp) + +Now consider that half of users in the organization have the role. Then role mining will not +generate a role assignment rule. 
Then users' entitlements remain unchanged: + +![Impact Example - Use Case 2](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase2.webp) + +Starting from the previous example, consider now that users progressively request the role. As long +as the ratio is below a given threshold, then role mining will not generate a role assignment rule. +Then users' entitlements remain unchanged: + +![Impact Example - Use Case 3](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase3.webp) + +Starting from the previous example, consider now that users continue requesting the role. As soon as +the ratio is above the threshold, then role mining will create a single role rule to assign +automatically this role to any user in the organization. Then a few users are going to get the +entitlement: + +![Impact Example - Use Case 4](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase4.webp) + +Starting from the previous example, consider now that, as a result of a reorganization or an access +certification for example, some users do not have the role anymore. If the ratio is below the +threshold, then role mining will remove the single role rule. If the role (or its policy) is +configured with a grace period, users who need the role will not lose it. Then users' entitlements +remain unchanged: + +![Impact Example - Use Case 5](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_impact_usecase5.webp) + +## Perform Role Mining + +See the +[ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) for +additional information. 
+ +### Simulation + +Be aware that you can configure the +[ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +to generate role assignment rules either directly or in a [Simulation](/docs/identitymanager/saas/identitymanager/integration-guide/simulation/index.md). + +Simulating the results of role mining allows a knowledgeable user to analyze the impact of role +mining on the role model, before applying them. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_simulation.webp) + +The simulation tool gives another point of view on the role model as it emphasizes the changes. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/integration-guide/role-mining/rolemining_simulationresults.webp) + +Identity Manager recommends simulating role mining before applying the results. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md new file mode 100644 index 0000000000..cc57c9c639 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md 
@@ -0,0 +1,67 @@ +# Role Model + +The role model, with its computation and enforcement, is at the heart of Identity Manager's engine. +It is composed mainly of roles, representing entitlements, and rules, enforcing the company +assignment policies. + +Make sure to read the introduction on entitlement management first. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic +for additional information. + +## Roles + +Roles represent entitlements from the managed systems, but expressed in a language understandable by +non-technical people. + +A single role is meant to represent one entitlement from a managed system, by acting as a label, +thus allowing better organization and readability. + +A composite role is meant to group several single roles into a meaningful, business-themed +entitlement package. + +In this way, the role model can be seen as a +[Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) (RBAC). + +## Assignment Rules + +An +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +gives an entitlement to a user, usually based on (at least) one criterion from the user's data. +Assignment rules are: + +- single role rules which assign single roles; +- composite role rules which assign composite roles; +- resource type rules which assign resources, usually accounts, of specific types. + +The identity criteria that trigger the rules are named dimensions. + +In this way, the role model can also be seen as an +[Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) +(ABAC) model. + +Identity Manager gives users access to given resources in the managed systems, based on roles and +rules, but it does not override the managed systems' authorization mechanisms. 
+ +## Enforcement of the Assignment Policy + +The company's policy for entitlement assignment is enforced by Identity Manager with the computation +of the role model, through the +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +It applies all the configured rules, thus: + +- helping build a catalog of all available entitlements in the managed systems; See the + [ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + topic for additional information. +- helping build the rules that define the assignment policy, i.e. the expected entitlement + assignments for all users; See + the[ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) + topic for additional information. +- automating entitlement assignment; See + the[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + topic for additional information. +- generating the provisioning orders that enable writing to the managed systems; See + the[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + topic for additional information. +- detecting assignments in the managed systems that do not comply with the policy; See + the[ Review Non-conforming Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) + topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md new file mode 100644 index 0000000000..67fa13e17b 
--- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md 
@@ -0,0 +1,259 @@ +# Assignment Policy + +The assignment policy is the set of rules enforced on the resources to compute automatic assignments +and risks. It contains the role model and risks definition. + +## The Role Model + +The Introduction Guide introduced the role model and how it influences assigning entitlements to +identities. Let's sum up the key principles here. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +1. Identities are resources. +2. Assignments of entitlements are materialized by resources, their values and associations. +3. Identity Manager uses a [role-based](https://en.wikipedia.org/wiki/Role-based_access_control) + assignment policy to grant entitlements to identities, i.e. granting a role entails granting + entitlements. +4. The role model is first a catalog of available roles + ([ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) and + [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md)), + identified by meaningful names aimed at non-technical end-users. These roles represent status of + trust and privileges, to be assigned to identities, manually or automatically. +5. The role model is also a set of rules aiming at assign automatically roles to identities, based + on relevant criteria, namely + [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md). +6. The role model classifies resources by security concerns thanks to resource types. +7. The role model contains correlation rules identifying ownership of target resource by an + identity. +8. 
The role model contains provisioning rules describing if and how target resources and their + values should be computed from source resource values. + +Resource types, single roles and composite roles can be grouped into +[ Category ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md). They are used in the +UI to organize the Roles catalog display. Categories are organized in a hierarchical tree structure. + +### Policy + +A [Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) is a set of assignment +rules. At least one policy must be declared. + +All resource types, single roles and composite roles and categories belong to a policy. + +## Dimensions And Contexts + +One of Identity Manager's distinctive feature is the use of +[Attribute-Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) +methods to automatically grant fine-grained entitlements. + +Every identity in the organization operates within a specific context. It is a set of information +relevant to making decisions about assigning entitlements for an identity. For example, an employee +working in the R&D department of the New York office at Contoso Corporation is associated with the +`{R&D, New York}` context. + +Analyzing contexts in the organization allows the integration team, in collaboration with a +knowledgeable member of the target organization, to define key criteria on which to base assignments +of entitlements decisions. Those key criteria are called dimensions. 
+ +The integration team defines +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) and +[ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md)in the +applicative configuration that assigns, for every identity, a context as a set of dimension-value +pair. + +The details of how contexts are generated can be found in +[ Generate Contexts ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/generate-contexts/index.md). + +Every dimension is associated with a finite set of possible values. That means there is a finite set +of possible context. Hence, typical contexts within which an identity operates are modeled. + +Contexts can then be used as a filter for choosing an identity to which to assign a role. + +This mechanism allows the integration team to define rules to take care of the most basics and +repetitive assignments. For example, a +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) assigning a +specific single role to the resources that match a specific context. + +##### Example + +A standard multi-site and multi-department organization would use the following dimensions: + +- `Location`, the physical location where an employee works. +- `Department`, the employee working department, such as `IT`, `Sales` or `Accounting`. + +Roles could be assigned based on location and department of the resource representing an identity. + +For a rule such as "every employee that works in IT must have access to the servers room", the +`ServerRoomAccess` single role would be assigned to every resource of entity type `employee` whose +context contains the value `IT` for the dimension `Department`. 
+ +A context rule would have been written first, defining for every resource of entity type `employee` +how to compute a context: the `Department` dimension value is found in the `department` property of +the resource, the `Location` dimension value is found in the `site` property of the resource. + +## Write Roles And Assignments Rules + +The role model takes a very important place in the applicative configuration. It's built by the +integration team, in collaboration with the target organization, to match the organization's needs +and rules in security. + +The role model is built iteratively, together with the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md), +as they closely influence one another. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for +additional information. + +The role model evolves and lives during the whole IGA project's lifecycle. Organization rules +change, roles and assignment rules are updated, deleted, added. + +The following gives a few ideas about how a to approach the writing of a role model. + +### 1. Identify single roles + +The first iteration of building of the organization reference model starts to reveal the archetypal +responsibilities and positions of the members of the organization. A +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) is defined for +every fine-grained organization-level responsibility or position. + +##### Example + +Contoso Corporation employs project managers in their Aircraft Design department to manage aircraft +design projects for clients all around the world. Those projects involve aerodynamics and structure +engineers, construction workers, quality control agents and sale engineers. + +Everyone in the team needs to access the Internet to do research and send e-mails. 
That's a first +typical single role `Internet Access` that everyone should be assigned to be able to work. + +Aerodynamics engineers need to access remote high-performance computation servers specifically +designed to solve aerodynamics equations. The sensitive nature of the data sent to those servers, +plus the availability constraints, require restricting access to engineers that absolutely need it +to perform their daily tasks. That's another responsibility, that can be translated to a single role +`Aerodynamics Computation Server` for example, that grants access to those servers. + +Structure engineers, on the other hand, do not perform such heavy computations and do not need +access to the aerodynamics computation server. They can work locally, performing computations on +their own workstation. They're not assigned the `Aerodynamics Computation Server` role. + +Quality control agents need access to sensitive information such as accident reports, on the +internal data server named `data0`. Those highly sensitive privileges are not assigned to everyone. +They can be translated to the `Data Server data0` role. + +The project manager needs access to the `data0` and `data1` servers with client contracts. The +`Data Server data0` and `Data Server data1` roles translate those responsibilities. + +### 2. Identify navigation rules and ownership + +For every [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) assigned +to an identity, fine-grained entitlements need to be granted. Those are the resource values in a +managed system. + +Hence, for every single role, the relevant managed systems, type of resource, and resource values to +fulfill are identified. 
+ +They are materialized by: + +- Provisioning rules, such as Resource Type rules that decide what resources should be found in the + managed systems; and navigation rules or scalar rules, that identify actual values to be fulfilled + from the identity to which the single role is assigned; +- [ Resource Correlation Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) + that identify for an identity, the target resources to fulfill; +- Resource type that organize resources and describe a source/target (or owner/resource) + relationship. + + The resource types identified this way could be suggested to security officers for review, + checking that they match their mental model of the managed system's resources. + + Sets of scalar rules and navigation rules relevant to a specific resource type are gathered into + a resource type. + +#### Example + +Let's consider the `Internet Access` defined at step 1. + +In practice, Contoso Corporation authorizes or block a user Internet access by setting per-user +outbound policies on their network firewall. The firewall integrates with Active Directory which +make it possible to use Active Directory groups membership to enable or disable policies for a user. + +A security officer, to grant Internet access to an employee, would in practice assign a +`Internet Access` group membership to their Active Directory account. That is a fine-grained +entitlement entailed by the assignment of the `Internet Access` single role. That means that, to be +able to grant or restrict Internet access, the link between an identity and their Active Directory +account, used to login to work, must be known. + +To modelize that need within the role model, every identity with `Internet Access` single role is +associated with an Active Directory account. 
We can find the Active Directory for an identity by +comparing the identity email with the Active Directory entry e-mail. That's an example of +[ Resource Correlation Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +that define the ownership of an Active Directory entry resource by an identity resource. + +### 3. Write assignment rules + +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) describe +criteria for which a +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) is assigned to a +resource. The main criterion is a dimension value. For a given resource, the single role is assigned +if the resource's context matches the given dimension value. The second criterion is the assignment +of a specific +[ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) (see +further). + +A navigation rule describes a fine-grained entitlement in the form of resource association such as a +group membership. Its enforcement is also conditioned by a single role assignment to the relevant +source resource, which in turn materializes the link between a single role and a resource type. + +Those rules are used by Identity Manager to automate role assignments. They are absolutely optional. +A first version of the project can rely on manual assignments of single roles. Those have meaningful +names: Identity Manager already provides a value by allowing non-technical users to request or +assign entitlements. Navigation and or scalar rules can be written in a second time to allow +automated fulfillment. Single role rules can be written after that to set up automated assignments. 
+ +##### Example + +The need for aerodynamics engineers to access the remote computation server is translated by a +single role rule: if the department (a dimension) of that identity is `Aerodynamics R&D` (a +dimension value), then the `Aerodynamics Computation Server` single role must be granted. + +The need for assignment of the `Internet Access` group to the Active Directory account, if the +identity is assigned the `Internet Access` single role is modeled by a navigation rule that +stipulates that if that identity is assigned that role, then the `memberOf` property of the owned +Active Directory entry resource should be set to the AD group named `Internet Access`. + +### 4. Use Composite Roles To Organize Single Roles (optional) + +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) can be packaged +into [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md). +Assigning a composite role to an identity immediately assigns the packaged single role to that +identity. Single roles assigned this way are said to be inferred. + +The [Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md) +(see composite role rules describe criteria for which a composite role is assigned to an identity. +Then, the composite role can be used as a condition in a +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md). This is +how packages are built. + +### Summary - A mental model to help build a role model + +To help build a role model, consider this mental model that captures the key events occurring +between the assignments of a role and the actual assignment of entitlement. + +1. 
A resource-identity `Ri` is associated with a context `Ci`, i.e. dimension values. +2. `Ri` is assigned a single role `SRa`, manually or as a result of dimension comparisons. +3. Identity Manager's engine identifies a resource type `Rt` with the type rule `Tr` whose condition + matches `SRa` and/or `Ci`. +4. Using `Rt`'s definition, Identity Manager's engine identifies by correlation a target resource + `Tr` from the resource repository that must be created or updated to materialize `SRa`. +5. Identity Manager's engine identifies `Rt`'s navigation rule `Nr` whose condition matches `SRa` + and/or `Ci`, and associated scalar rules `Sr`. +6. Using `Sr` and `Nr`'s definition, Identity Manager's engine identifies `Tr`'s values to be + provisioned to materialize `SRa`. + +This series of steps is actually a very simplified version of the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) algorithm. + +![Cascading From Dimensions To Roles To Provisioning Orders](/img/product_docs/identitymanager/identitymanager/integration-guide/role-model/role-model-rules/enforce-assignment-policy-summary.webp) + +--- + +## Evaluate Policy + +This chapter gives the basis of the assignments vocabulary. The next chapter enlightens the reader +about the inner details of the Evaluate Policy algorithm. See the +[Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/simulation/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/simulation/index.md new file mode 100644 index 0000000000..f2059408e4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/simulation/index.md 
@@ -0,0 +1,42 @@ +# Simulation + +Simulations aim to assess the impact of a modification in the role model, i.e. any modification of a +role or rule, before it is applied. + +## Overview + +Identity Manager's simulations gather roles and rules which are to be created, modified or deleted, +without being inserted in the actual role model straight away. More specifically, a simulation can +involve: + +- [ Resource Correlation Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) + and + [ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md); +- Scalar rules and navigation rules; +- [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) rules; +- [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) and + [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md)and + [Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). + +A simulation can also be created by the role mining tool for the automation of role assignments. See +the [ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) +topic for additional information. + +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. 
observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +Netwrix Identity Manager (formerly Usercube) recommends using simulation whenever performing an +action (creation/modification/deletion) on the role model. + +## Perform a Simulation + +See the [ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md new file mode 100644 index 0000000000..b8dc456a43 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md @@ -0,0 +1,11 @@ +# Synchronization + +The documentation is not yet available for this page and will be completed in the near future. + +See more information about [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +See how to [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md)for a given managed +system. + +See how to anticipate changes due to synchronization thanks to +[ Thresholds ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md). diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md new file mode 100644 index 0000000000..eca94da0ce --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md 
@@ -0,0 +1,74 @@ +# Thresholds + +Thresholds are essential safety guards controlling all changes, for example preventing the +overwriting of important data by mistake. + +Thresholds are by default activated to warn users when synchronization or provisioning triggers too +many modifications. If the number of modifications exceeds the specified threshold, Identity Manager +stops the synchronization/provisioning and displays a warning on the log page. + +Thresholds can be deactivated via the value `0`, though they should not all be. Each action must be +"guarded" by at least one threshold. + +Once the changes have been reviewed, the blocked job can be resumed (or not). See the +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional +information. + +As long as a synchronization job is blocked for a connector, the export, prepare-synchronization and +synchronization tasks of this connector are removed from incremental jobs. The synchronization is +unblocked as soon as the blocked job is resumed, or as soon as a job involving the connector is +launched in complete mode. + +## Thresholds for Synchronization + +Synchronization thresholds can be configured in XML files via: + +- [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) to + count the number of resources impacted by synchronization inside a given entity type. 
They are + configured with: + + | Absolute Threshold | Relative Threshold | + | ---------------------- | ---------------------------- | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + +- [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) + to count the number of navigation properties impacted by synchronization inside a given entity + type. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +- [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) to count the number + of resources and/or navigation properties impacted by synchronization inside all entity types of a + given connector. They are configured with: + + | Absolute Threshold | Relative Threshold | + | -------------------------- | -------------------------------- | + | **Resources** | | + | `MaximumDeletedLines` | `MaxPercentageDeletedLines` | + | `MaximumInsertedLines` | `MaxPercentageInsertedLines` | + | `MaximumUpdatedLines` | `MaxPercentageUpdatedLines` | + | **Navigation Properties** | | + | `MaximumLinkDeletedLines` | `MaxLinkPercentageDeletedLines` | + | `MaximumLinkInsertedLines` | `MaxLinkPercentageInsertedLines` | + +All thresholds are active. Therefore, the lowest threshold (according to the specific situation) +would be the first to stop synchronization. + +For example, in a connector, the default values for thresholds are 100 modifications for resources +(`Maximum...Lines`) and 1000 modifications for navigation properties (`MaximumLink...Lines`). 
+ +If we launch synchronization for an entity type whose threshold values are lower than the +connector's, then Identity Manager blocks synchronization as soon as the number of modifications +exceeds the entity type's threshold values. + +If the entity type's threshold values are higher than the connector's, then Identity Manager blocks +synchronization as soon as the number of modifications exceeds the connector's threshold values (100 +resources or 1000 navigation properties). + +Distinct [ Thresholds ](/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/prov-thresholds/index.md) are configurable for +provisioning. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md new file mode 100644 index 0000000000..8db2c8aae6 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md 
@@ -0,0 +1,444 @@ +# Upward Data Synchronization + +Upward Data Synchronization (Sync Up) is the process that copies relevant managed systems data into +Identity Manager's resource repository and translates them into resources that match the configured +Entity Model. See the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) topic for additional information. + +Performing a _Sync Up_ allows the user to: + +- integrate the managed systems state with Identity Manager. The copied data serves as the basis for + the assignment computation; +- check that previously edited provisioning orders have been accurately executed; +- ascertains differences between the real managed system state and the + [ Assignment Policy ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md) theoretical state. + +## Overview + +### A scheduled sync up per managed system + +_Sync Up_ is performed regularly, at least every day, as a set of +[ Tasks & Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/index.md). + +A _Sync Up_ is planned for every managed system that interact with Identity Manager. + +A _Sync Up_ is associated with a [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md). + +### Three sync up mode + +Identity Manager provides three distinct synchronization algorithms: + +- _incremental_ +- _complete_ +- _initial_ + +_Complete_ is most straightforward one. A _complete\_\_Sync Up_ loads the managed systems' data into +Identity Manager as-is, replacing entirely the currently held data. + +As it involves sending large amounts of data over HTTP between _Agent_ and _Server_, _complete_ +execution time can be quite large. + +To improve the _Sync Up_ execution time, Identity Manager provides the _incremental_ mode. This mode +only considers changes made to the managed systems since the last _Sync Up_. 
Those are applied to +the Identity Manager's database. Only changes are sent through the network, instead of whole data +files, which allows the _Sync Up_ execution time to be greatly reduced. + +Changes are computed either by the managed system itself, given such capabilities are available, or +by a Identity Manager's _Agent_. + +However, the _incremental_ mode cannot be 100% reliable for two reasons. + +First, it relies on external inputs that are not directly controlled by Identity Manager. Second, it +only exports changes based on the managed system state, not on Identity Manager's database state. + +External perturbations could cause slight differences between the database's state and the managed +systems'. Order can be restored by running a _complete_ Sync Up regularly. A _complete_ Sync Up +ensures the database is in a stable state, faithfully reflecting the managed system state, before +resuming the _incremental Sync Up_ iterations. + +Safeguards are also implemented to avoid accidental overwrites, that would be caused by an empty or +incomplete input. + +Finally, the _initial\_\_Sync Up_ is designed to be used the first time a managed system connects to +Identity Manager. Just as the _complete_, it loads the data as a whole. But, unlike the _complete_, +it does not overwrites the currently held data and does not provide any safeguard. The _initial_ +mode provides a quick way to perform the first _Sync Up_. The trade-off is security: +_initial\_\_Sync Up_ should only be used the first time a managed system connected to Identity +Manager and the database is empty, as far as this connector is concerned. Launching the Initial +_Sync Up_ twice would actually load the same data twice whereas launching the _complete_ twice would +have the same effect as launching the _complete_ once. + +### An ETL process + +_Sync Up_ is organized as an +[Extract, Transform, Load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. 
It's +composed of three steps: _export_, _prepare-synchronization_, and _synchronization_. + +## Export + +The _Export_ is the first step of the _Sync Up_. + +During this step, data is extracted from the managed system and generates _CSV files_ containing the +managed system's raw data. The **output** of this process is called the **_CSV source files_**. They +are written to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) export +directory waiting to be used by the next-in-line _prepare-synchronization task_. + +The _Export_ occurs _Agent_-side. + +### Native support or custom process + +Depending on the managed systems capabilities, an _Export_ step can be performed by one of Identity +Manager's native tasks or by custom scripts. + +#### Using native process + +Identity Manager's [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) provide native _Export_ tasks for the +most common managed systems. _Active Directory_, _SAP_, or _SharePoint_ are examples of natively +supported managed systems. The output _CSV source files_ format is described in the +[Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) section together with an exhaustive list of supported source +managed systems. + +[Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md)are Identity Manager's link to the managed system. They +provide configurable export and fulfill capabilities that can be used by Identity Manager *as-is* +without any further development. + +#### Using a custom process + +Exporting data from a managed system without a native Identity Manager process is still possible by +writing a custom _Export_ process. + +If the managed system has built-in export capabilities, Identity Manager can simply rely on exports +scheduled by the source managed system. 
Regularly, the managed system generates reports, in whatever +format. A custom task, such as a +[ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md), +can then be used to retrieve the generated exports, adapt them to the _CSV source files_ format +expected by Identity Manager and copy them to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) export +directory. The whole can be scheduled and orchestrated by a +[ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +**For example**, a common scenario is to configure an HR management system to perform daily extracts +of its data to CSV files for the _Agent_ to find. This usually can be set up without any Identity +Manager's task, just by using the managed system and the organization's network capabilities. + +If the managed system does not provide built-in export features but provides an API or an exposed +database, it's possible to write a custom _export_ process based on that API or direct requests to +the managed system's database. This process can then be used as an _export task_ wrapped in a +[ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) +or an +[ Invoke Sql Command Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md). +See the +[ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) +topic for additional information. Any Windows process that can be called from a PowerShell script +and generate a CSV file can serve as an export process. 
+ +**How to choose the custom CSV source file format ?** It's best to keep it simple and stick as +closely as possible to the managed system data model. Data cleansing and translation to the resource +repository's Entity Model is handled later in the _Sync Up_ process. There is no need to try and +optimize the CSV source file format in a custom script. It's best to keep it close to the managed +system to be able to spot early _export_ errors. + +### Export tasks output + +The format of the exported _CSV Source files_ depends on the chosen _Sync Up_ mode and on the used +_export task_. Nonetheless, there are a few criteria that _prepare-synchronization_ expects to find +in those files. + +First, it must be a CSV format. One line per entry, and every attribute as a column. + +Then, there is a slight difference between _Complete/Initial_ and _Incremental_ export. + +With the _Complete_ and _Initial_ modes, _CSV source files_ contain an exact extract of the managed +system's data as a list of entries. At this point, the Entity Model is not yet involved. Every line +of the _CSV source file_ mirrors a line in the source managed system database. + +With _Incremental_ mode, if the source managed system is able, one more column is added. It contains +a ADD, UPDATE, or DELETE instruction. _Incremental_ export generates a list of changes made on the +managed system since the last export, instead of an exact mirror of the data. Active Directory and +Microsoft Entra ID (formerly Microsoft Azure AD), for example, are able to produce such exports, as +LDIF files, that the Active Directory connector translates into _resources_ changes. Identity +Manager's native support for ServiceNow and SCIM also provides such capabilities. + +In case the source managed system does not possess _incremental_ export capabilities, the changes +computation is performed during the _prepare-synchronization_ step. 
+ +Inside those constraints, every natively supported _export task_ generates its own _CSV source file +format_, described in the [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) section. Usually, two kinds of +files are generated: _entries_, describing plain entries, and _associations_, describing +associations between entries. + +All _CSV source files_ are written to the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) export +directory. + +At the end of the _export_ step, the Upward Data Synchronization contains several files per +connectors, that will be translated into _resources_ during _prepare-synchronization_ and +_synchronization_ steps thanks to Entity Mapping (see below). + +The [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +export directory can also contain opaque [cookie files](https://ldapwiki.com/wiki/DirSync) used for +incremental export of a few systems such as Active Directory, Microsoft Entra ID, ServiceNow, and +SCIM. + +The reader might now understand how, as laid out in the overview, the input data could be unreliable +given the volatile nature of the managed system export methods. _Complete_ and _incremental_ modes +work together to find the best compromise between reliability and execution time. + +### Example + +The following example demonstrates the native Active Directory export process. + +Exporting data from an Active Directory can be achieved by using the +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) task within a +Job. + +The Tasks requests from the source Active Directory all entries that match a configured filter. 
It +outputs a set of _CSV source files_, containing raw AD Entries data (`ad_entries.csv`), information +about group membership (`ad_members.csv`) and about the hierarchical organization +(`ad_managers.csv`). + +![Active Directory Export Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_export_example.webp) + +`ad_entries.csv` contains raw AD entry data. + + ``` + +employeeID;businessCategory;extensionAttribute15;objectCategory;sAMAccountName;userPrincipalName;parentdn +00001;fames;ac;turpis;egestas;integer;eget 00002;ullamcorper;eget;nulla;facilisi;etiam +00003;integer;eget;aliquet;nibh;praesent + +```` + + +```ad_managers.csv``` contains a list of associations, representing the link between an employee (```employeeId``` column) and their manager (```manager``` column). + + ``` +employeeID;manager +00001,99812 +00002,99812 +00003,99812 + +```` + +`ad_members.csv` contains also a list of associations, representing the link between a group +(identified by its `dn`) and its members (the `member` column). + + ``` + +dn;member CN=SG_APP_AG002,DC=internal;CN=U34811,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U18184,DC=internal CN=SG_APP_AG002,DC=internal;CN=U43405,DC=internal +CN=SG_APP_AG002,DC=internal;CN=U51630,DC=internal + +```` + + +## Entity Mapping + +The aim of the _Sync Up_ is to load managed systems' data into the resource repository. As such, it requires Identity Manager to translate data from the managed system format (or, more accurately, the _export task_'s output format) into the resource repository format, that is, the [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). 
+ +The translation rules are described in the applicative configuration by [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and [ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements. + +Entity Type Mapping elements map the resources _CSV source files_ columns to [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md) properties. Each mapping also identifies one column as the _primary key_ for this Entity Type. The _primary key_ is used to uniquely identify a resource in the _Sync Up_ process. It's mandatory to be able to perform _incremental__Sync Up_, as it allows to identify a resource on which an _update_ or a _delete_ has to be performed. + +[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) elements translate the _CSV source files_ into [Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). They describe rules identifying associations between resources loaded thanks to the [](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)[ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md). + +## Prepare Synchro + +_Prepare-Synchronization_ is the second step of the _Sync Up_. It transforms the _CSV source files_ further, before the _Synchronization_ step. + +It performs data cleansing and, in _incremental_ mode, computes changes made on the source managed system since the last _Prepare-Synchronization_. + +It's performed on the _Agent_-side. 
+ +### Data cleansing + +The following actions are performed on the _CSV source files._ + +1. Removing columns that are not used in [ + Entity Type Mapping + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or [ + Entity Association Mapping + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +2. Entries that have a null primary key +3. Removing duplicates +4. Sorting entries according to the primary key + +The result of the _Prepare-Synchronization_ is stored in the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) export directory as three files: + +For every entity type of the relevant _Connector_ involved in an[ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or an[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) `````` , a ```.sorted.csv``` file is generated, containing the final, cleaned, sorted result. + +Duplicates are kept in a separate ```.duplicates.csv``` file. + +Null primary key entries are kept in a separate ```.nullpk.csv``` file. + +### Computing changes + +In _incremental_ mode, changes might need to be computed by the _Agent_. + +If the export step has provided computed changes, no further process is required. The changes will be sent as-is to the server. + +If the export step has provided a full extract of the managed systems, the _prepare-synchronization_ step computes changes. 
This computation is based on the result of the last data cleansing, generated by the previous _prepare-synchronization_, and stored in the ```previous``` folder in the [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) export directory. + +For _incremental_ mode, it is recommended to use managed systems to compute changes when possible. Dedicated workstations and knowledge of the inner data organization allow managed systems to compute changes with a performance that Identity Manager can't match. Also, using managed systems for these operations avoid generating heavy files and alleviate Identity Manager's processing load. + +The result is a set of clean lists of changes stored as ```.sorted.delta``` file containing a _command_ column. + +The _command_ column can take the following values: _insert_, _update_, _delete_, and _merge_. These are instructions for the _synchronization_ step to apply the changes to the database. + +The ```.sorted``` file (the original cleaned export file, not the changes) is stored in the ```previous``` folder inside the +Upward Data Synchronization +. It will be used as a reference for the next _incremental__prepare-synchronization_ to compute the changes if needed. + +Tampering with the ```previous``` folder content would result in false changes in order to be computed and result in data corruption in the Identity Manager database. To restore the Identity Manager database to a state faithful to the managed system, a _complete__Sync Up_ would be required. + +### Preparing the server + +At the beginning of every _prepare-synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified by a unique GUID, to contain ```.sorted``` or ```.sorted.delta``` files that will be sent by the agent. 
+ +This aims to prevent network errors that would cause an _incremental_ database update to happen more than once. + +That means several _export_ and _Prepare-Synchronization_ tasks can be executed simultaneously, they will be processed by the server one at a time in the right order. + +Of course, any notification of a _complete__Prepare-Synchronization_ would cancel the previous non-processed _incremental_ ones. As a _complete_ reloads the whole database, it renders _incremental_ changes computation moot. + +### Sending clean exports + +```.sorted``` or ```.sorted.delta``` files are sent over HTTP to the _Server_ for the last step. + +### Prepare synchronization tasks + +- [ + Prepare Synchronization Task + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) is the standard _prepare-synchronization_ task. +- PrepareSynchronization Change Task is used to process data source files containing changes. +- PrepareSynchronization ActiveDirectory Task is specialized for Active Directory. This task handles Active Directory _incremental_ prepare-synchronization by using Active Directory _cookies_. + +### Example + +The following illustration models the complete _prepare-synchronization_ steps applied to an Active Directory export. The matching _Connector_ defines an Entity Type _AD Entry_ and two associations: _members_ and _manager_. + +![Active Directory Prepare-Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_preparesynchro_example.webp) + +## Synchro + +_Synchronization_ is the last step. It loads data into the resource repository from cleaned _CSV source files_. It's performed _Server_-side. 
+ +### Translating + +Before writing to the Identity Manager's database, the _Server_ uses [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) to translate _CSV source files_ into _Entity Model compliant_ resources and resolve association links. + +### Tables + +The _Synchronization_ step involves four tables from Identity Manager's database. + +- UR_Resources contains the actual resources. +- Mono-valued associations ( target column index 128 to 137 included ) are stored in UR_Resources as well, +- Multi-valued associations ( target column index null or -1 or 0 to 127 included ) are stored in the UR_ResourceLinks table. +- UR_ResourcesChanges and UR_ResourceLinkChanges are intermediary tables, used by the complete mode as an extra step before committing changes to the UR_Resources and UR_ResourceLinks in the context of a safeguard mechanism. + +### Complete + +_Complete__synchronization_ starts with a ```.sorted.csv``` file that contains cleaned data, as in whole data, not mere changes. + +_Complete synchronization_ replaces entirely the database resources. That means that all resource, for that [ +Connector +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), that are in the database but not in the _CSV source files_ will be deleted. That means no change made to the database from outside of the connectors or the UI are persistent. + +_Complete synchronization_ does not blindly insert data into Identity Manager database. Its aim is to update Identity Manager database to match the ```.sorted``` files received. + +To do so, ```.sorted``` files are translated into resources. 
Then, ```.sorted``` resources are compared against the currently hold database resources, matching Primary Key to Primary Key, to find differences. + +That means that, just as the _incremental_ mode, the complete mode will actually apply changes to the database. The difference being that the _complete_ synchronization computes the changes on the _Server_ and the _incremental_ computation computes the changes on the _Agent_ or the managed system. Hence, complete synchronization has to send large data files over the network and is slower. + +#### Safeguard + +Before actually updating the database, the number of changes to be applied to the database to match the ```.sorted``` resources is compared to a user-defined threshold. + +The threshold is a percentage of the total number of stored resources. If the number of changes goes over the threshold, the synchronization is blocked. This safeguard aims at detecting human or system errors that could corrupt Identity Manager's database. For example, a number of _delete_ commands greater than the threshold could be caused by an accidental empty _CSV source file_ being fed to the _synchronization_. + +For this purpose, changes are applied to an intermediary safeguard set of tables, UR_ResourcesChanges and UR_ResourceLinkChanges. The threshold is checked, and if validated, changes are applied to the UR_Resources and UR_ResourceLinks tables. + +### Initial + +_Initial_ synchronization loads the translated resources directly into the database, using INSERT SQL commands. There is no threshold checking, no comparing the data to insert to the currently held data to find differences. It should only be used on a managed system for which Identity Manager does not hold any resources yet. + +### Incremental + +The incremental mode uses a ```.sorted.delta``` file that contains changes. + +Thresholds are checked just as with the _complete_, using intermediary UR_ResourcesChanges and UR_ResourceLinkChanges. tables. 
+ +Then, changes according to the _command_ column are applied to UR_Resources and UR_ResourceLinks. + +### Synchronization tasks + +- [ + Synchronize Task + ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) is the standard _synchronization_ task. +- SynchronizeChanges Task is used to handle changes together with PrepareSynchronization Change Task. +- SynchronizeActive Directory Task is specialized for Active Directory. To be used with PrepareSynchronizationActiveDirectory Task. + +### Example + +This example illustrates the _complete_ loading of Active Directory ```.sorted``` files into Identity Manager database. + +![Active Directory Synchronization Example](/img/product_docs/identitymanager/identitymanager/integration-guide/synchronization/upward-data-sync/ad_synchro_example.webp) + +## Handling Errors + +The _syncro_ step is where potential errors laid out in the overview could impact the database. + +- The ```previous``` folder content could be tampered with; +- Managed systems limitations, or human error in the export step, could result in a wrong or incomplete _CSV source file_ being fed to the _Synchronization_; +- Identity Manager database could be restored to an older state to try and fix hardware failure or SQL tests gone wrong. + +These events, although exceptional, occur. They cause Identity Manager's database and the managed systems to be slightly off one another. The _incremental__Sync Up_ cannot fix these differences because the database is not taken into account in the changes computation. The _complete__Sync Up_ can fix it because it compares directly the database against the _export_ output files, i.e. it relies on the managed system's state, not on the database state. + +It is hence recommended to run at least a daily _complete_ synchronization to account for these exceptional events and quickly fix the errors they might have cause into the database. 
+ +Remember that _incremental_ and _complete_ Sync Up modes use safeguards to avoid accidental overwrites. That means any error that could find its way into the database would be small. + +_Incremental_ mode also offers another optimization that will be described in the [Evaluate Policy](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/evaluate-policy/index.md) section. Trade-offs of that optimization can also be counterbalanced by running a daily _complete_ synchronization. + +## Thresholds + +A introduced earlier, to mitigate the risk of data loss in the case of abnormal data source files, the _synchronization Job_ is locked if the number of changes to apply goes over a specific threshold. + +Thresholds can be configured by the user in the applicative configuration and be specific to a [ +Connector +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md), an [ +Entity Type Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and/or an[ +Entity Association Mapping +](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). They are expressed as number of lines (ex: ```MaximumInsertedLines```) or as a rate (ex: ```MaxPercentageDeletedLines```). + +A synchronization task locked by a threshold can be unlocked by executing the Synchronization Validation task. + +Thresholds are ignored in _initial_ mode. + +The task's argument ```-force``` can be used to ignore thresholds. + +--- + +Next, a word about the [ +Assignment Policy +](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/role-model-rules/index.md). +```` 
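Review bot: The CSV samples in the "### Example" section under "Export tasks output" no longer match the format the same page requires ("One line per entry, and every attribute as a column"). In `ad_entries.csv` the first two records share a line (`...;integer;eget 00002;ullamcorper;...`), in `ad_members.csv` the `dn;member` header runs into the first row, and `ad_managers.csv` declares `employeeID;manager` but separates its rows with commas (`00001,99812`). Please restore one record per line with `;` throughout, keep the fenced samples out of prose re-wrapping, and align the `employeeId` spelling in the sentence above the sample with the `employeeID` header. The sample fences also open with three backticks and close with four, and a lone four-backtick fence ends the file. Separately, the Thresholds section lists `-force` as a way to ignore thresholds with no caveat, while the Safeguard section presents the threshold as the protection against an accidentally empty CSV source file; a sentence on when `-force` is acceptable, next to the existing pointer to the Synchronization Validation task, would keep readers from bypassing the safeguard by default.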
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md new file mode 100644 index 0000000000..e79516a1eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md 
@@ -0,0 +1,160 @@ +# Build Efficient Jobs + +This topic shows how to build efficient jobs by minimizing their costs. + +**NOTE:** The rules below must be followed when creating a new job, otherwise the frequent launch of +this scheduled job will trigger errors in a SaaS environment. + +### Prerequisites + +In order to successfully launch a frequent job (defined as a job called more than once an hour) the +following requirements need to be met: + +- Synchronize / Export Task in incremental mode +- The UpdateEntityPropertyExpressions /ComputeCorrelationKeys/ComputeRoleModel tasks do have the + SetRecentlyModifiedFlag set to true +- The ComputeCorrelationKeys/UpdateEntityPropertyExpressions tasks are computed on a subset of + Entity Types (not all Entity Types at once) +- UpdateEntityPropertyExpressions/ComputeCorrelationKeys/ComputeRole tasks are not duplicated +- SetInternalUserProfiles/ActivityInstanceActor tasks are not configured to launch + +## Rule 1: Use Scaffoldings + +Identity Manager provides scaffoldings to simplify XML configuration by generating complex XML +fragments. See the +[Scaffoldings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic for +additional information. + +Most jobs are included in job scaffoldings, thus configured in the most optimal way. So start by +using scaffoldings to build jobs. See the +[ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md) topic for +additional information. + +For example, the creation from scratch of a job to perform a complete synchronization for a +connector will be tedious. Instead, use Identity Manager's scaffolding, like in the following +example concerning the Microsoft Entra ID (formerly Microsoft Azure AD) connector. 
Instead of a few +dozens of lines, write only the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                       + +                    +``` + +See +the[Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md)for +additional information. + +## Rule 2: Compute Only What's Necessary + +Execute the tasks on the right entity types + +Many tasks can be executed either on all entity types, or on a given list of entity types. + +Make sure to configure the tasks so that they are executed only on the relevant entity types, not +all of them by default. + +For example, instead of using AllEntityType set to true, write the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                         + +       + +                     +``` + +Launch incremental tasks rather than complete + +When a task is supposed to be executed on changes only, then there is no use executing the task in +complete mode. + +Make the relevant tasks incremental by flagging the resources that were recently modified. See the +[ Configure an Incremental Job ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md) topic for additional +information. + +For example, instead of computing the role model as if it had never been computed before, apply only +the changes by writing the following: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +                         +   +                     +``` + +Launch only the relevant tasks according to the logical chain + +Identity Manager's tasks are all linked together by a logical chain that implies that some tasks are +supposed to be executed after some others. + +Make sure to understand the tasks' logical chain to launch only the relevant tasks. See the +[ Troubleshoot Connector Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) topic for additional +information. + +For example, there is no use computing expressions or correlations if there was beforehand no change +in the database. Thus, there should not be UpdateEntityPropertyExpressionsTask or +ComputeCorrelationKeysTask without first SynchronizeTask or FulfillTask. + +## Rule 3: Wait for Recurring Tasks + +Inside a recurring job, there is no need including some tasks twice in order to have the whole +cycle, because the next execution will complete what has been started. + +For example, Identity Manager's feedback loop uses the tasks for synchronization, computation of the +role model, provisioning, then once more synchronization and computation of the role model. + +Instead of including any task twice, rather write a job with each task once, schedule a periodic +execution of the job, and wait for the next execution to get the whole cycle. For example for the +AD: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                      +                                ... +                ... +               ... +            ... +                ... +   +``` + +``` +                       + +                    +``` + +``` +                         + +       + +                     +``` + +``` +                         +   +                     +``` + +``` +                      +                                ... +                ... 
+               ... +            ... +                ... +   +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md new file mode 100644 index 0000000000..6cfa04d9d3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-incremental-job/index.md 
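Review bot: In build-efficient-jobs/index.md, every fenced example under Rules 1 to 3 reads here as whitespace or `...` only, so "write only the following" and the repeated "Code attributes enclosed with `<>` need to be replaced" note introduce nothing a reader can copy. After the Rule 3 example, four more fenced blocks follow with no prose and repeat the four example slots above. Please restore the XML snippets (escaped if the renderer strips tags) and drop the trailing duplicates. In Prerequisites, the same task is written as ComputeRoleModel in the second bullet and as ComputeRole in the fourth; use one name. The page also jumps from `# Build Efficient Jobs` to `### Prerequisites` before the `## Rule` headings.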
@@ -0,0 +1,57 @@ +# Configure an Incremental Job + +This guide shows how to configure the relevant tasks to make a job incremental. + +## Overview + +When configured as such, Identity Manager is able to remember after synchronization which resources +were modified, i.e. created, updated and/or deleted. + +It allows future tasks to be executed only on modified resources, in order to minimize jobs' +execution times and costs. + +See the [ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) topic for additional information +on a full Incremental job. + +## Configure a Job to Be Incremental + +Configure a job to be incremental by proceeding as follows: + +1. Configure the synchronization task + ([ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md)) + with `DoNotDeleteChanges` set to `true`. + + This way, Identity Manager keeps the list of all changed resources. + + > For example, to synchronize incrementally the Active Directory: + > + > ``` + > + > ... + > + > + > ``` + +2. Tag all changed resources by running + [ Set Recently Modified Flag Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + after SynchronizeTask. + + > For example, following the synchronization task for the Active Directory: + > + > ``` + > + > + > + > ``` + +3. Configure the next tasks with `Dirty` set to `true` to apply them only to resources flagged as + "dirty", i.e. recently modified. + + > For example, to compute correlation keys incrementally: + > + > ``` + > + > ... + > + > + > ``` 
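Review bot: In configure-incremental-job/index.md, the three "For example" blockquotes under steps 1 to 3 contain fences with only `...` and blank quoted lines as shown here, so none of `DoNotDeleteChanges`, the Set Recently Modified Flag Task or `Dirty` is shown in place on a task. Please restore the XML for each step. The terminology also needs reconciling with build-efficient-jobs/index.md in this same patch: that page requires tasks to "have the SetRecentlyModifiedFlag set to true", whereas step 2 here describes Set Recently Modified Flag Task as a separate task and step 3 uses `Dirty` set to `true`. It would also help to state in step 1 that `DoNotDeleteChanges` is for incremental jobs only, since the complete-synchronization guide added in this patch says the parameter must not be present in complete mode.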
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md new file mode 100644 index 0000000000..50d9fb04ca --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/configure-jobs/index.md 
@@ -0,0 +1,21 @@ +# Configure Jobs + +This guide shows how to define the permissions for creating and using jobs thanks to scaffoldings. + +There are two important jobs in Identity Manager. The Complete Job and the Incremental +Synchronization. This two Job Synchronize and fill are using to Synchronize and fill Connectors. See +the [Set up Complete Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) and +[ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) topics for additional information. + +## Job Scaffoldings + +There are six scaffoldings in Identity Manager to automatically create jobs in the configuration: + +- A job for all connectors on an Agent (Complete/Incremental mode); See the + [Create Agent Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + and + [Create Agent Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + topics for additional information. +- A job for a specific connector (Complete/Incremental mode). +- [Create Initialization Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) +- [Create Access Certification Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md new file mode 100644 index 0000000000..ef772c24ed --- /dev/null 
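Review bot: In configure-jobs/index.md, the opening sentence promises "how to define the permissions for creating and using jobs", but the page contains only the scaffolding list and nothing about permissions; either add the permissions section or reword the introduction to match the content. The sentence "This two Job Synchronize and fill are using to Synchronize and fill Connectors" cannot be parsed and should be rewritten. Under "Job Scaffoldings", "There are six scaffoldings" is followed by four bullets, which only reach six if both modes are counted, and the connector-specific bullet is the only one without links; listing the six scaffoldings individually, each with its link, would remove the ambiguity.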
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/fulfillldap/index.md @@ -0,0 +1,72 @@ +# Configure the Fulfill Task for a Connector + +This guide shows how to create the adequate configuration to add the fulfill task of a given system +(here LDAP) in a job. + +For Identity Manager fill an LDAP some configuration element are necessary. + +## Resource Type Mapping + +This configuration is to use the fill for the LDAP and configure the Reset Password. + +``` + + + +``` + +## Add connection information to AD Connect + +The [ LDAP ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/ldap/index.md) connection information define +this section to add all information to use the AD Fulfillment. + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADFulfillment": { + "Servers": [ + { + "Server": "paris.contoso.com", + "BaseDN": "DC=paris,DC=com" + } + ], + "AuthType": "Basic", + "Login": "CN=exampleCn,DC=exampleDc1,DC=exampleDc2", + "Password": "Password", + "AsAdLds": "true" + } + } +} +``` + +After defining this settings, encrypt this JSON file with +[ Usercube-Protect-X509JsonFile ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/protect-x509jsonfile/index.md). + +## Configure The FulfillTask + +Configure The task with the same ResourceType using in ResourceTypeMapping. It's possible to use a +connector instead of ResourceType. + +``` + + + +``` + +Integrate this Task in the job that provisions the AD connector. + +``` + + ... + ... + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md new file mode 100644 index 0000000000..1031b8128b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md 
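Review bot: In fulfillldap/index.md, the `appsettings.agent.json` example shows `"Password": "Password"` in clear text together with `"AuthType": "Basic"`, and the only protection guidance is the single sentence after the block ("encrypt this JSON file with Usercube-Protect-X509JsonFile"). Please present the encryption as a required step of the procedure, placed with the example rather than after it, mark the `Login` and `Password` values as placeholders, and state what transport protection is expected between the agent and the directory when `Basic` is used. The example is also internally inconsistent: `"Server": "paris.contoso.com"` is paired with `"BaseDN": "DC=paris,DC=com"`, the file name `appsettings.agent.json` sits inside the fence so the block is not valid JSON to copy, and an LDAP guide uses the heading "Add connection information to AD Connect" with a connection named `ADFulfillment`. The three fences meant to hold the Resource Type Mapping, the FulfillTask and the job read here as blank or `...` only and need their XML restored.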
@@ -0,0 +1,223 @@ +# Set up Complete Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in complete +mode. + +### 1. Objective + +Create a Synchronization Job in complete mode. This job is used to check for and fix differences in +the resources data after the incremental synchronizations. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see the +[Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) +topic for additional information) or a job for all connectors for each agent (see the +[Create Agent Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) +topic for additional information). + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). Otherwise +it is unnecessary. Choose the Export task corresponding to the connector. If the Export uses the +incremental mode, set IgnoreCookieFile to true. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the Prepare Synchronization Task with the connector. 
Set `SynchronizationMode="Complete"` , +except for +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter. If it is a Synchronization Changes, or ActiveDirectory, you must +precise it with the `Type` attribute. + +If the job contain Exports for the same connector add the a link between the PrepareSynchronization +and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +See the +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +for additional information on the PrepareSynchronization task configuration. + +### 4. Create the Synchronization task + +Create the SynchronizeTask with the same `Type` attribute as the PrepareSynchronizationTask. For the +complete mode the parameter DoNotDeleteChanges must not be present in the task configuration. + +If the job contain Exports for the same connector add the a link between the Synchronization and the +Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) state machine. + +For more information on Synchronization task configuration : +[ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +### 5. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entityTypes. 
+ +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[UpdateEntityPropertyExpressionsTask](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 6. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. + +Example : + +``` + + + +``` + +For more information about the ComputeCorrelationKey task configuration: +[ Compute Correlation Keys Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 7. Create the ComputeRoleModel task + +Create the ComputeRoleModel Task to create the provisioning order. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which have +TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 8. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. The +ForceProvisioning parameter must not be set to true. It's the job state machine who launch this mode +if necessary. 
+ +Example : + +``` + + + +``` + +For more information on GenerateProvisioningOrder task configuration: +[Generate Provisioning Orders Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md). + +### 9. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 10. Create the UpdateClassification task + +Create the Update Classification Task. The resource Classification is needed if one or more +[ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. + +``` + + + +``` + +For more information on Update Classification Task : +[ Update Classification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 11. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +are configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. 
+ +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[ Set Internal User Profiles Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 12. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. + +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md new file mode 100644 index 0000000000..a42abd1d5b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md 
@@ -0,0 +1,255 @@ +# Set Up Incremental Synchronization + +This guide shows how to build the job that will synchronize the appropriate connectors in +incremental mode. + +### 1. Objective + +Create a Synchronization job in incremental mode. + +The synchronization Job can be created automatically by a scaffolding. It can create either a job +for each connector and for each agent (see : +[Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md)) +or a job for all connector for each agent (see : +[Create Agent Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md)) + +In the following example the Synchronization job for the Connector "AD" will be created. + +``` + + + +``` + +### 2. Create the Export task + +If a pre-treatment is needed, you must create an +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md). Otherwise +it is unnecessary. Choose the Export task corresponding to the connector. + +All Export task have the ContinueOnError property. It is advisable to begin with the value of True +so that the task is not blocking for the Job. + +Example : + +``` + + + +``` + +### 3. Create the Prepare Synchronization task + +Create the PrepareSynchronizationTask with the connector. Set `SynchronizationMode="Incremental"` , +except for +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) +which doesn't need this parameter and LDAP connector who need complete mode. 
+ +If the job contain Exports for the same connector add the a link between the Prepare Synchronization +and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +For more information on PrepareSynchronization task configuration : +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + +### 4. Create the Synchronization task + +Create the SynchronizeTask corresponding to the Prepare Synchronization Task. If the Prepare +Synchronization Task is a +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md), +then choose the +[ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md), +else if it is Prepare Synchronization Active Directory Task choose Synchronization ADDir Sync, else +choose +[ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md). + +In Incremental mode, you must set the attribute `DoNotDeleteChanges="true"` + +For the Incremental mode add link between PrepareSynchronization and Synchronization task for the +same connector. If the job contain Exports for the same connector add the a link between the +Synchronization and the Export to check the final state of exports. + +Example : + +``` + + + +``` + +The Synchronization Validation Task is not needed , since it is managed by the +[ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +For more information on Synchronization task configuration : +[ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + +### 5. 
Create the SetRecentlyModifiedFlag task + +Create the Set Recently Modified Flag task. + +Launching this is required only if at least one of the Synchronization in the job has made a change +in the database. + +``` + + + +``` + +For more information on SetRecentlyModifiedFlag Task : +[ Set Recently Modified Flag Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + +### 6. Create the UpdateEntityPropertyExpressions task + +Create the UpdateEntityPropertyExpressionsTask to compute expression properties of the given +entityTypes or all entitytypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +For more information on UpdateEntityPropertyExpressions Task configuration : +[ Update Entity Property Expressions Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + +### 7. Create the ComputeCorrelationKey task + +Create the ComputeCorrelationKey Task to compute correlation keys of the given entityTypes or all +entityTypes. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +For more information about the Compute Role Model correlation keys task configuration: +[ Compute Correlation Keys Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + +### 8. Create the ComputeRoleModel task + +Create the ComputeRoleModely Task to create the provisioning order. Set the attribute Dirty : +`Dirty="true"`. 
+ +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +Example : + +``` + + + +``` + +The TaskEntityType elements correspond to the sourceEntityTypes in the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) which have +TargetEntityTypes that are part of the connector to provide. + +For more information on Compute Role Model task configuration: +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + +### 9. Create the GenerateProvisioningOrder task + +Create the GenerateProvisioningOrder task. The GenerateProvisioningOrder task will recover all +resources whose provisioningState is at 1 to build a list of JSON files containing all provisioning +orders. The Connector is the same as the connector set in the PrepareSynchronization. + +Example : + +``` + + + +``` + +For more information on provisioning task configuration: +[Generate Provisioning Orders Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md). + +### 10. Create the Fulfill task + +Create the Fulfill task. + +You must specify the right connection to fulfill the desired system. + +All fulfillment task have the ContinueOnError property. It is advisable to begin with the value of +True so that the task is not blocking for the Job. The fulfill Tasks are directly depanding of +GenerateProvisioningOrdersTask. If this task has not create a new provisioning order. The +fulfillment must be not launch in the job. + +``` + + + +``` + +### 11. Create the UpdateClassification task + +Create the Update Classification Task. 
The resource Classification is needed if one or more +[ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +are configured for the connector. Set the attribute Dirty : `Dirty="true"`. + +Since dirty mode is enabled, a dependency is only needed to run the expression computation if the +Task SetRecentlyModifiedFlag has been started. + +``` + + + +``` + +For more information on Update Classification Task : +[ Update Classification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + +### 12. Create the SetInternalUserProfiles task + +Create the Set Internal User Profiles Task. The Profile Assignment is needed if one ore more +[Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md)are +configured. + +This Task is directly linked to a Fulfill parent. if the fulfillment has been completed with the +state warning or if it was not started or no processing has been performed, launching this task +becomes useless. + +``` + + + +``` + +For more information on SetInternalUserProfiles Task configuration : +[ Set Internal User Profiles Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + +### 13. Create the all-tasks job + +Once the tasks created. You must create the job to launch all tasks. + +``` + + + +``` + +The job can be scheduled with the `CrontabExpression` attribute + +For more information on job configuration : +[ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) 
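Review bot: In jobfast/index.md, every fenced block that follows "Example :" (and the unlabeled ones in steps 5, 10, 11, 12 and 13) contains only blank added lines, so the XML for the job and its tasks is missing from the page and the steps cannot be followed; the element markup needs to be restored inside the fences before this merges. Two passages in the same hunk are also self-referential as written: step 3 says to set `SynchronizationMode="Incremental"` "except for [ Prepare Synchronization Task ] which doesn't need this parameter", which names the task being configured as its own exception, and step 4 ends on [ Synchronize Task ] in both its first and its last branch. Please put the specific task names back in those links. Smaller slips in the same file: the footer of step 7 reads "Compute Role Model correlation keys task", step 8 says "ComputeRoleModely Task", and the sentence "a dependency is only needed to run the expression computation" is repeated unchanged under the correlation key, role model and classification steps.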
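Review bot: In fulfillldap/index.md (earlier in this patch), the `ADFulfillment` sample puts `"AuthType": "Basic"` next to a literal `"Password": "Password"` in appsettings.agent.json, and the only protection mentioned is the sentence after the block about encrypting the file with Usercube-Protect-X509JsonFile. Samples get copied as they stand, so I would move that instruction ahead of the JSON, say explicitly that the bind credential must not remain in clear text in the file, and state what transport protection is expected when `AuthType` is `Basic`. In the same sample, `"Server": "paris.contoso.com"` and `"BaseDN": "DC=paris,DC=com"` do not describe the same domain, and the file name `appsettings.agent.json` sits inside the fence as its first line, so the block is not valid JSON when pasted. The three other fences in this file (Resource Type Mapping, Configure The FulfillTask, and the job integration) hold only blank lines; the XML they are meant to show needs to be restored.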
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md new file mode 100644 index 0000000000..6123375eb0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md 
@@ -0,0 +1,112 @@ +# Troubleshoot Connector Jobs + +This guide helps understand the behavior of synchronization and provisioning tasks in order to spot +and fix errors. + +## Overview + +A managed system is synchronized and provisioned to/from Identity Manager with the following task +sequence: + +![Synchronization/Provisioning Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/troubleshoot_synchroprovschema.webp) + +### Export data + +Exporting means that the agent reads the system's data and takes it out to one or several external +files, as tables. + +The output is stored in `Temp/ExportOutput`. + +In order to spot what was exported or not for the next incremental export, cookie files are stored +in `Temp/ExportCookies`. + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information. + +### Prepare synchronization + +Preparing the synchronization means that the agent reads the tables, output of the export step, and +produces one file for each association (also named multi-valued navigation property), where the data +is prepared for synchronization. + +> For example, the data is sorted according to their primary keys, in order to optimize the +> comparison with the database. + +The output is stored in `Work/Collect`, and sent to the server to queue in `Work/Synchronization`. + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information on how to prepare the synchronization executable +`Usercube-Prepare-Synchronization`. + +### Synchronize + +Synchronizing means reading the data of the external file, output of the preparation step, and +taking it to Identity Manager. 
+ +This is done by the synchronization executable Identity Manager-Synchronize. + +#### Synchronization: build the difference + +The server compares the exported files, output of the preparation step, with the previous data of +the system, and with the data contained in the database. Based on this comparison, the changes are +stored in the database. + +The output is stored in `UR_ResourceChanges`. + +#### Synchronization: finalize + +When at least one synchronization +[ Thresholds ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/synchro-thresholds/index.md) is exceeded, the change list +can be seen in the **Synchronization Changes** tab, accessible from the job progress screen. + +When the synchronization thresholds are not exceeded, or they are bypassed, the potential +preparatory files are consumed and the changes are applied. + +The server updates the values of the properties computed via expressions. A user's history can be +used to view the impact of this step on the properties. + +### Apply the policy + +Applying the policy means that the server prepares the correlation keys and computes the role model. + +Preparing the correlation keys means that the server recomputes the keys that will later link +accounts to their owners. The output is stored in `UP_ResourceCorrelationKeys`. + +This is done by the correlation key computation executable `Usercube-Compute-CorrelationKeys`. + +Computing the role model means that the server applies all the rules in order to assign accounts and +entitlements to identities. + +The assigned accounts and entitlements are stored in `UP_Assigned*`, and can be seen in users' +**View Permissions** tab. + +This is done by the role model computation executable `Usercube-Compute-RoleModel`. + +### Generate provisioning orders + +Generating the provisioning orders means that the server builds JSON files to prepare the execution +of provisioning. + +The output is stored in `Work/ProvisioningOrders`. 
+ +This is done by the order generation executable `Usercube-Generate-ProvisioningOrders`. + +### Provision + +Provisioning means that the agent asks the server to send the provisioning orders, in order to read +the orders and actually make modifications to the managed system. + +Once consumed, the files are moved to the subfolder `Downloaded`. + +This is done by the provisioning executables `Usercube-Fulfill-*`. + +In order to test the provisioning step, there is no need relaunching the whole task sequence. You +can, for example, keep a provisioning order from the previous step, and adjusting it before +launching provisioning. + +## Troubleshoot + +Troubleshoot an error in a connector job by running each step individually until you see something +that you did not expect. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/index.md new file mode 100644 index 0000000000..9c4f55a330 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/index.md 
@@ -0,0 +1,31 @@ +# Tasks & Jobs + +Identity Manager provides tasks to orchestrate together the executable files that perform IGA +actions, and jobs to orchestrate the tasks together. + +See the [Tasks](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/tasks/index.md) topic for additional information. + +See the [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) topic for additional information. + +See the [ Tasks ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) topic for additional +information. + +Make sure to read how to [Build Efficient Jobs](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/build-efficient-jobs/index.md). + +## Overview + +Netwrix Identity Manager (formerly Usercube) vision for the IGA software is a customizable solution. + +The main idea of Identity Manager is to offer a software solution that you can tailor to your needs +by selecting IGA "blocks" and executing them in a specific order. + +This is why Identity Manager is not built as a monolithic software. It is made of a mosaic of small +[specialized services](https://en.wikipedia.org/wiki/Microservices), cohesive independent functions, +each one materialized into a building block of your Identity Manager solution. Each building block +serves a specific and well delimited IGA function. + +These building blocks are called [Tasks](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/tasks/index.md), and can be easily organized together and +scheduled in [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md). + +This approach makes for a perfectly customizable product. It also tremendously helps our users to +ease into Identity Manager by allowing them to understand it piece by piece. 
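Review bot: In tasks-jobs/index.md, the three "See the ... topic for additional information." lines at the top include two links both titled "Tasks" that point at different pages (tasks-jobs/tasks/index.md and toolkit/xml-configuration/jobs/tasks/index.md), so a reader cannot tell the conceptual topic from the XML configuration reference. Give the second link distinct text that says it is the XML configuration reference, and drop the padding spaces inside the brackets (`[ Jobs ]`, `[ Tasks ]`), which this hunk uses inconsistently with `[Tasks]` and `[Build Efficient Jobs]`. The first sentence of the Overview, "Netwrix Identity Manager (formerly Usercube) vision for the IGA software is a customizable solution.", also needs a possessive and a verb that fits.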
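Review bot: In troubleshoot-connector-jobs/index.md (the file just before this one in the patch), the Synchronize section says "This is done by the synchronization executable Identity Manager-Synchronize." Every other executable named in that hunk keeps its `Usercube-` prefix and code formatting (`Usercube-Prepare-Synchronization`, `Usercube-Compute-CorrelationKeys`, `Usercube-Compute-RoleModel`, `Usercube-Generate-ProvisioningOrders`, `Usercube-Fulfill-*`), so this reads as the product rename applied to a binary name. The Troubleshoot section tells the reader to run each step individually, which requires the real file name; restore the executable's actual name, in backticks like the others. Also check the link in the Prepare synchronization section: it points to [ Usercube-Export-Configuration ], the same target as the Export section, while the sentence is about `Usercube-Prepare-Synchronization`.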
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md new file mode 100644 index 0000000000..7d6fd03a23 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md @@ -0,0 +1,35 @@ +# Jobs + +A job is a succession of tasks, to be launched and potentially scheduled, which orchestrate together +the executable files that perform IGA actions. + +## Anatomy of a Job + +Jobs are used to write sets of successive tasks, and schedule their execution. + +See how to configure [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md). + +A job can contain tasks explicitly, or contain steps used to call existing tasks in order to use a +single task in several jobs. + +## Execution + +Jobs are executed by agents. + +The agent initiates the job and executes the agent-side tasks. Hence, the agent must have access to +the relevant managed systems. The agent orders the execution of the server-side tasks, complying +with the one-way data flow principle. + +A job can be triggered: + +- Once manually, through the **Job Execution** screen; +- Once manually, using Usercube-Invoke-Job.exe; +- Periodically, with Identity Manager's internal scheduler `CronTabExpression`; +- Periodically, with an external Scheduler such as + [Windows Task Scheduler](https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page). + +## Monitoring + +Any job execution is logged into the UJ_JobInstances table. + +They can be monitored through the UI, via the **Job Execution** page. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/tasks/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/tasks/index.md new file mode 100644 index 0000000000..a569dcc2af --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/tasks/index.md 
@@ -0,0 +1,49 @@ +# Tasks + +A task is Identity Manager's way to configure and use a given executable that performs a given IGA +action. + +## Anatomy of a Task + +Each of Identity Manager's IGA actions is contained in a standard Windows executable file that can +be launched using PowerShell. + +The choice of a simple standard format for Identity Manager's building blocks makes it very easy to +pick and choose them _a la carte_ to configure the solution. + +Tasks are used to insert these blocks into Identity Manager's configuration, in order to be +launchable via the UI, or even scheduled to be launched automatically periodically. + +> For example, Identity Manager's tasks include synchronization, computation of entitlement +> assignments, or provisioning of varied managed systems. See the list of all available +> [ Tasks ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md). + +## Data Consistency + +Every task is written as a +[transactional process](https://en.wikipedia.org/wiki/Transaction_processing). This means that a +task cannot be executed partially. It is either fully executed, or not executed at all. It +guarantees data consistency as data cannot be harmed by a half-executed task. + +Every task is written as an [idempotent function](https://en.wikipedia.org/wiki/Idempotence). This +means that, for a given input, applying a task one time will produce the same result as applying it +several times. It guarantees data consistency as it prevents the potential side-effects of a retry +which might occur following a network error, or a task failure. + +Every task is designed as a +[single responsibility process](https://en.wikipedia.org/wiki/Single-responsibility_principle). This +principle ensures that two distinct tasks do not have an effect on similar pieces of the system. +This guarantees data consistency by avoiding incompatible changes to be committed by different tasks +at the same time. 
For the same reasons, a given task cannot be executed twice simultaneously. + +## Task Modes + +Two distinct modes exist to execute tasks inside jobs: + +- In complete mode, tasks process whole inputs with all data. +- In incremental mode, tasks only consider the changes that occurred since their last execution. + This mode is not available for all tasks. + +Both modes can be performed considering potential filters if said tasks involve a specific selection +of data instead of whole inputs. The difference between these modes lies in the consideration of all +data for the complete mode, versus only the last changes for the incremental mode. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/bindings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/bindings/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/bindings/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/bindings/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md new file mode 100644 index 0000000000..0b0d4c4b92 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md 
@@ -0,0 +1,70 @@ +# C# utility functions + +These functions can be called in any C# expression specified in the configuration. See the +[Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +These are static functions defined in the class `Usercube.Expressions.Functions.UtilExpressions`. + +The way these functions are configured, they require the `UtilExpressions` prefix, but not +necessarily the rest (`Usercube.Expressions.Functions`). However, using the full namespace would +also work. + +For example, you could use `UtilExpressions.BuildUsername(...)` as shown in the example below. + +[LinQ methods](https://docs.microsoft.com/en-us/dotnet/api/system.linq.enumerable?view=net-8.0) can +be used, without needing to add a prefix. + +## BuildUsername + +Builds a username by concatenating a first name, a separator, a last name and a possible suffix. + +First name and last name are simplified using the Simplify function. See the +[Predefined functions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md)topic for additional information. + +``` +string? BuildUsername(string? firstName, string? lastName, string? separator, string? suffix, int? iteration) +``` + +The iteration argument is usually used with the help of +[ Build Unique Value Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md). +If the iteration number is greater than 0, it is inserted after the last name. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` + +## BuildUsernameWithInitials + +Builds a username by concatenating a first name initials, a separator, a last name and a possible +suffix. + +Hyphenated first names are accepted (In this case, we consider the initial of each first name). + +``` +string? BuildUsernameWithInitials(string? 
firstName, string? lastName, string? separator, string? suffix, int? maxLength, int? iteration) +``` + +The `maxLength` argument limits the length of the username. + +The iteration argument is usually used with the help of +[ Build Unique Value Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md). +If it is greater than 0, we use several letters of the first name avoiding as much as possible to +insert a number in the built username. + +### Example of use in a BuildUniqueValue aspect: + +``` + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md new file mode 100644 index 0000000000..9ef3a91f28 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md 
@@ -0,0 +1,314 @@ +# Expressions + +Expressions are a way to define the attributes whose values must be computed based on other +attributes. + +## Overview + +In Identity Manager's XML configuration, some attributes are defined with expressions. Expression +attributes do not take a plain string value, but rather an expression that computes a value based on +a given input. See the +[ Entity Property Expression ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) and +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for additional +information. + +Every expression must be passed at least one argument and return at least one value. + +The expression can either be provided as a built-in function or as a full-fledged C# expression. See +the list of available C# utility functions and functions predefined by Identity Manager. See the +[Predefined functions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) topic for additional information. + +**NOTE:** When changing the value of a property that is part of some expressions in the +configuration, do not expect to see all expressions recomputed right away. + +In order to ensure the recomputation of all expressions based on the recent change, wait for the +next run of Update Expressions in the complete job or through the corresponding connector's overview +page. + +### Expressions in the UI + +In the UI, the attributes that can be defined with an expression show two fields: Property Path and +Expression. 
+ +For example, the source object of a scalar rule based on user records is displayed: + +![Property Path and Expression](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath_v602.webp) + +The field Property Path is usually filled in with the + button only when the rule involves one +single attribute. If the object involves more than one attribute, then the attributes are to be +written in Expression (C#), with the help of predefined simple transformations. See the +[Predefined functions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) topic for additional information. + +The first example defines the source object as simply the user record's Login property, while the +second defines the source object with an expression based on the user record's first and last names: + +![Property Path Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example1_v602.webp) + +![Expression Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/expressions/expression-propertypath-example2_v602.webp) + +### Expressions in XML + +In XML, inside the C# expressions, make sure to escape `"` characters by writing them as `"`. + +For example: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +``` + +### Nullability checks + +Nullability checks constitute a common area for improvement in C# expressions, rather easy to +implement. + +See Microsoft documentation on +[nullable reference types](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/nullable-reference-types) +and more precisely on +[nullable operators](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#nullable-operators). 
+ +For example, the following scalar rule computes the value of users' email addresses via a C# +expression. The `` characters cut the operations short by returning null when one of the chain +members returns null, thus preventing errors. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +``` + +## Built-in Functions + +Identity Manager provides a set of built-in function that implement basic expressions. They can be +used as-is or be included in a C# expression. + +Identity Manager's engine automatically passes the main argument to the function during the +computation, but extra arguments can be provided using the following syntax: + +`function name : arg2 | arg3 | ...` + +### Example + +Plain built-in function: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// transform string to uppercase +Expression="ToUpper" +``` + +Built-in function with parameters: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// add 1440 minutes to a date formated as dd/MM/yyyy +Expression="ParseLocalDateThenAddMinutes:Romance Standard Time|dd/MM/yyyy|1440" +``` + +## C# Expressions + +More complex expressions can be written as ad-hoc C# code according to the following rules: + +- The expression is prefixed by C#:ParameterName: where ParameterName is the variable name pointing + to the input value. +- The expression has to return a value + +For example: + +``` + +// user full name +C#:user:return user.FirstName+" "+user.LastName; + +``` + +### QueryHandler + +Expression can includes squeries, using the QueryHandler service. + +For example, to query the employee type whose Identifier is CDI: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +C#:user: +var resources = queryHandler.Select("Select Id Where Identifier=\"CDI\""); +return resources.FirstOrDefault()?.Id; +``` + +Another example, to query the organization whose Identifier is `<23040>`: + +``` +C#:return queryHandler.Select("Select Identifier Where Id=23040").FirstOrDefault()?.Identifier; +``` + +### Logger service + +Identity Manager provides a logger service called "logger" to debug C# expressions. + +For example: + +``` +C#:resource:logger.LogDebug("Name={0}", resource.Name); return resource.Name; +``` + +### White list + +The following .NET libraries from the white list can be used. + +Authorized Namespaces + +Every class and function from the following namespaces is allowed: + +- `System.Linq` +- `System.Text.RegularExpressions` + +Authorized Classes + +Beyond the authorized namespaces, the following classes can be used: + +- `System.Convert` +- `System.Reflection.AssemblyFileVersionAttribute` +- `System.Reflection.AssemblyVersionAttribute` +- `System.Reflection.AssemblyCopyrightAttribute` +- `System.Reflection.AssemblyProductAttribute` +- `System.Reflection.AssemblyCompanyAttribute` +- `System.Reflection.AssemblyTitleAttribute` +- `System.Char` +- `Usercube.Expressions.Functions.UtilExpressions` +- `System.Nullable` +- `System.String` +- `System.Int32` +- `System.Random` + +Authorized Methods + +Beyond the authorized classes, the following methods can be used: + +- `System.Convert` +- `Microsoft.Extensions.Logging.LoggerExtensions.LogDebug` +- `System.DateTime.Add` +- `System.DateTime.AddDays` +- `System.DateTime.AddHours` +- `System.DateTime.AddMicroseconds` +- `System.DateTime.AddMilliseconds` +- `System.DateTime.AddMinutes` +- `System.DateTime.AddMonths` +- `System.DateTime.AddSeconds` +- `System.DateTime.AddTicks` +- `System.DateTime.AddYears` +- `System.DateTime.Compare` +- `System.DateTime.CompareTo` +- `System.DateTime.DaysInMonth` +- `System.DateTime.Equals` +- `System.DateTime.GetDateTimeFormats` +- 
`System.DateTime.ToUniversalTime` +- `System.DateTime.ToString` + +Trying to use code from outside this white list would yield the following error during computation: + +`the Method Name : ... Parent Class : ... NameSpace : ... used are not authorized` + +Method ... cannot be called with entities as arguments. + +However, here is a whitelist of methods that can be called with these kinds of arguments: + +- `System.Linq.Enumerable.Max()` +- `System.Linq.Enumerable.Min()` +- `System.Linq.Enumerable.Count(IEnumerable(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable, int count)` +- `System.Linq.Enumerable.SkipLast(IEnumerable, int count)` +- `System.Linq.Enumerable.ThenBy(IEnumerable, Func(IEnumerable(IEnumerable, Func(IEnumerable(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.FirstOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.SingleOrDefault(IEnumerable, Func(IEnumerable(IEnumerable, Func, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, TSource)` +- `System.Linq.Enumerable.LastOrDefault(IEnumerable, Func(IEnumerable` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + +``` + +Literal expressions targeting String properties can accept any value, since it is already a string +in the configuration. 
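Review bot: In the "White list" section, `System.Convert` appears under both "Authorized Classes" and "Authorized Methods", and the list of methods that may be called with entity arguments has lost its generic parameters (for example `System.Linq.Enumerable.Count(IEnumerable(IEnumerable, Func(IEnumerable, ...`), so a reader cannot tell which overloads the expression sandbox permits. This list is the documented boundary for what a C# expression may call, so remove `System.Convert` from the methods list (or name the specific methods) and put each signature in a code span with its type parameters written out so the angle brackets survive rendering. The same loss affects "escape `"` characters by writing them as `"`" under "Expressions in XML" and the empty code span in "The `` characters cut the operations short" under "Nullability checks"; both need the literal entity or operator restored. The sentence "Code attributes enclosed with `<>` need to be replaced with a custom value before entering the script in the command line" precedes snippets that contain no placeholders and are not command-line scripts, and "a set of built-in function", "Expression can includes squeries" and "formated" are typos.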
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md new file mode 100644 index 0000000000..8bb8b1e40f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md 
@@ -0,0 +1,48 @@ +# Predefined functions + +Identity Manager provides a set of predefined functions that simplify the configuration of entity +property expressions and scalar rules. See the +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +and[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topics for additional +information. + +Unlike C# expressions, Identity Manager's predefined functions do not need any prefix. They can be +used as such. See the [ C# utility functions ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for +additional information. + +### Examples + +The following example shows two predefined functions. The first function normalizes the HR_Person +FirstName. The other one converts the end date into a UTC date and adds 1440 minutes. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     + +``` + +The following table summarizes existing predefined functions: + +| Name | Description | Parameters | Return type | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | -------------------- | -------------- | -------- | +| ToUpper | Returns the input string converted to uppercase, using the current culture. | None | String | +| ToLower | Returns the input string converted to lowercase, using the current culture. | None | String | +| Simplify | Returns the input string converted to uppercase, removing all whitespace and special characters, and replacing diacritics. 
| None | String | +| Trim | Removes all leading and trailing white-space characters from the current string. | None | String | +| TrimStart | Removes all leading white-space characters from the current string. | None | String | +| TrimEnd | Removes all trailing white-space characters from the current string. | None | String | +| RemoveDiacritics | Replaces all the éèçàù by eecau, ä by ae, Ä by AE, ö by oe, Ö by OE, ü by ue, Ü by UE, č by c, Č by C, ø by o, Ø by O, ł by l, Ł by L, ß by ss, æ by ae, Æ by AE, œ by oe, Œ by OE, š by sh, and Š by SH. | None | String | +| ToDoubleMetaphone | An implementation of Double Metaphone phonetic algorithm. | None | String | +| ToSoundex | An implementation of Soundex phonetic algorithm. | None | String | +| ToFirstName | Normalizes a first name (first character of each word in uppercase) separated with ‘-’ and the right accents. | None | String | +| ToTitle | Puts the first character in uppercase. | None | String | +| ToFormatedDN | Returns the input string converted to Distinguished Name format. | None | String | +| ParseLocalDate | Converts the specified string representation of a date and time to its DateTime equivalent using the specified parameters. | Time zone identifier | Input string format. | DateTime | +| ParseLocalDateThenAddMinutes | Converts the input string into a DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| ParseUniversalDate | Converts the specified string representation of a date and time to its Coordinated Universal Time (UTC). | Input string format. | DateTime | +| ParseUniversalDateThenAddMinutes | Converts the input string into an UTC DateTime and adds minutes value. | Time zone identifier | Input string format | Added minutes. | DateTime | +| FormatLocalDate | Converts the specified string into a local DateTime. | Time zone identifier | Input string format. | DateTime | 
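Review bot: The summary table declares four columns (Name, Description, Parameters, Return type) but its separator row has six, and the ParseLocalDate, ParseLocalDateThenAddMinutes, ParseUniversalDateThenAddMinutes and FormatLocalDate rows spread their parameters over extra cells, so the return type falls outside the declared columns. Put all of a function's parameters in the single Parameters cell (for example "Time zone identifier, input string format, added minutes") and trim the separator row to four columns. ParseUniversalDateThenAddMinutes lists "Time zone identifier" although ParseUniversalDate takes only an input format, which should be confirmed against the implementation; the FormatLocalDate description ("Converts the specified string into a local DateTime") reads like a parse function rather than a format function; and "and[Resource Type]" in the introduction is missing a space.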
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/file-hierarchy/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/file-hierarchy/index.md new file mode 100644 index 0000000000..0985a38c9b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/file-hierarchy/index.md @@ -0,0 +1,30 @@ +# Hierarchy in Configuration Files + +Every configuration's element falls under the ` urn:schemas-usercube-com:configuration` namespace. +Element `` is the root element of each configuration file. + +``` + + ... + + +``` + +Each configuration element matches to an entry in the database. Detailed description of the element +can be found in the Data model. See the [ XML Configuration Schema ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/index.md) +topic for additional information. + +For example, the structure of the `` element can be found in the +[Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md) topic. + +In some case, the element name will not match directly the data model type name. + +For example, the element `` in the following XML fragment is a +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) item in the +database. + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md new file mode 100644 index 0000000000..277d1892c3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/adjust-scaffoldings/index.md 
@@ -0,0 +1,181 @@ +# Adjust Scaffolded Configuration + +This guide shows how to adjust the XML configuration elements created by scaffoldings. + +## Overview + +A scaffolding is an XML element that will generate a complex XML fragment. It is like a +configuration shortcut that helps configure easily a set of XML elements that are usually configured +together. + +See the list of all existing +[Scaffoldings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md). + +In most situations, scaffoldings are enough to generate the configuration required to meet the +functional needs. + +However, in some cases, scaffoldings do not meet the exact needs and must be adjusted to generate +the right XML configuration. + +NETWRIX recommends writing XML configuration by first using scaffoldings, adjusting it if needed, +and as a last resort, when no scaffolding meets the needs, writing the configuration manually. + +## Adjust Scaffolded Configuration + +Adjust XML configuration generated by a scaffolding by proceeding as follows: + +1. When working via the UI, start by exporting UI configuration elements. See the + [ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) + topic for additional information. +2. Write an XML element whose identifier is the same as the one generated by the scaffolding. + + Any identifier can be found in the + [Scaffoldings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) topic, in the + section displaying the generated XML fragment. + +3. Add `ConsolidationMode` to the element's properties. + + - By default, the XML item written manually completely replaces the one generated by the + scaffolding. 
+ + The default behavior should be used when needing to rewrite one or a few of the items + generated by a scaffolding, not all of them. + + When needing to rewrite the scaffolding's whole output, just remove the scaffolding and + write the item(s) manually. + + > For example, the `ViewTemplateAdaptable` scaffolding generates, for the `LDAP_Entry` + > entity type, a default display name for all LDAP resources, a display table to view the + > resources, and the corresponding permissions to access the table. Supposing that the + > resulting display table does not fit the needs, we could need to write a customized + > display table from scratch: + > + > ``` + > + > + > + > + > + > + > + > ```` + > + > + > The display table's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display table ```LDAP_Entry``` is defined by the `````` properties written manually here, as well as its `````` child elements written manually here. + > ```` + + > Still from the `ViewTemplateAdaptable` scaffolding, suppose now that the default display + > name does not fit the needs, then we could write a customized display name from scratch: + > + > ``` + > + > + > + > ```` + > + > + > The entity property expression's identifier must be the same as the one generated by the scaffolding. Then the scaffolding is ignored so the display name ```LDAP_Entry_InternalDisplayName``` is defined by the `````` properties written manually here. + > ```` + + - Set to `Merge`, the XML item generated by the scaffolding is completed with additional parent + properties and/or child elements written manually, while keeping the parent properties and the + child elements defined in the scaffolding. + + > For example, the `WorkforceModule` scaffolding generates the `Directory_User` entity type + > (among other things) with a specific set of properties. 
We could choose to add some + > properties in the entity type: + > + > ``` + > + > + > + > + > + > + > ```` + > + > + > The entity type's identifier must be the same as the one generated by the scaffolding. Then the entity type ```Directory_User``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the properties written manually here. + > ```` + + > The `WorkforceModule` scaffolding also generates the + > `Directory_UserRecord_UniqueValue_Email` aspect (among other things) that uses unicity + > check rules to generate a unique email address for each new user. We could choose to add a + > unicity check rule in the aspect to compare the new email address to the existing ones + > from Microsoft Entra ID (formerly Microsoft Azure AD): + > + > ``` + > + > + > SourceExpression="C#:record:var firstName = + > record.FirstName.Simplify()?.ToLowerInvariant(); var lastName = + > record.LastName.Simplify()?.ToLowerInvariant(); if (string.IsNullOrEmpty(firstName) || + > string.IsNullOrEmpty(lastName)) { /_ Data missing _/ return null; } + > + > var result = firstName + "." + lastName; + > if (iteration > 0) + > { + > result += iteration.ToString(); + > } + > + > return result;" TargetEntityType="MicrosoftEntraID_DirectoryObject" TargetExpression="C#:azure_ad: + > if(string.IsNullOrEmpty(azure_ad.mail)) + > { + > return null; + > } + > + > var result = azure_ad.mail; + > var index = result.IndexOf('@'); + > if(index >=0) + > { + > result = result.Substring(0, index); + > } + > + > return result;" /> + > + > ```` + > + > + > The aspect's identifier must be the same as the one generated by the scaffolding. Then the aspect ```Directory_UserRecord_UniqueValue_Email``` is defined by the `````` properties of the scaffolding, as well as its `````` child elements written in the scaffolding, and we add the unicity check rule written manually here. 
+ > ```` + + - Set to `Update`, the XML item written manually replaces all parent properties, while keeping + the child elements defined in the scaffolding. + + > For example, the `OptimizeDisplayTable` scaffolding generates the `Directory_User` display + > entity type (among other things) with a specific set of properties. We could choose to + > change just the parent properties of the display entity type without changing its child + > properties: + > + > ``` + > + > + > + > ```` + > + > + > The display entity type's identifier must be the same as the one generated by the scaffolding. Then the display entity type ```Directory_User``` is defined by the `````` properties written manually here, as well as the `````` child elements written in the scaffolding. + > ```` + + - Set to `Delete`, the XML item generated by the scaffolding is deleted, including its child + elements. + + > For example, the `AssignProfileAccessControlRules` scaffolding generates the + > `Administrator_Category_AccessControl_AssignedProfile` access control rule (among other + > things) with possibly child elements. We could choose to remove the whole access control + > rule: + > + > ``` + > + > + > + > ```` + > + > + > The access control rule's identifier must be the same as the one generated by the scaffolding. Then the access control rule ```Administrator_Category_AccessControl_AssignedProfile``` is completely removed. + > ```` + +4. Deploy the Configuration again. See + the[ Usercube-Deploy Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md new file mode 100644 index 0000000000..148650d92b --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md 
@@ -0,0 +1,107 @@ +# Deploy the Configuration + +This guide shows how to deploy the XML configuration, in order to build and use the Identity Manager +application. + +## Overview + +The process for configuration deployment varies according to the situation: + +- when working on-premise, the configuration must be deployed locally; +- when working SaaS, the configuration must be deployed remotely. + +## Deploy the Configuration Locally + +Deploy a local XML configuration by using +the[ Usercube-Deploy Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) +executable and declaring at least: + +- the configuration directory; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" +> +> ``` + +## Deploy the Configuration Remotely + +Deploy a SaaS XML configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [ Usercube-Login ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md) executable. + + Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure + strong security, visibility and ease of use. + + NETWRIX recommends using Identity Manager's dedicated in-house OIDC Identity Provider (IDP), but + you can also use your own IDP if you want to manage authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Identity Manager's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id + > 34b3c-fb45da-3ed32 + > + > ``` + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Identity Manager's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Identity Manager administrator. + + The administrator will add the identity information to the configuration of your Identity + Manager instance, to allow the configuration deployment/export. + +4. Deploy the configuration by using + the[ Usercube-Deploy Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/deploy-configuration/index.md) + executable and declaring at least: + + - the configuration directory; + - the deployment environment; + - the API URL of your Identity Manager instance. 
+ > ``` + > + > ./identitymanager-Deploy-Configuration.exe -d "C:\Usercube\Conf" --api-url https://my_usercube_instance.com --deployment-slot Development + > + > ``` + + You can deploy the configuration by launching only the `Deploy-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before deploying again. + + The token served by Identity Manager's IDP expires after one hour. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md new file mode 100644 index 0000000000..6b0aab4a90 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md 
@@ -0,0 +1,110 @@ +# Export the Configuration + +This guide shows how to export the configuration as XML files to a given folder. + +## Overview + +The process for configuration export varies according to the situation: + +- when working on-premise, the configuration must be exported locally; +- when working SaaS, the configuration must be exported remotely; + +See the +[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) +topic for additional information. + +## Export the Configuration Locally + +Export your configuration by using the +[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) +executable and declaring at least: + +- the directory where the configuration is to be exported to; +- the connection string of the database. + +> ``` +> +> ./identitymanager-Export-Configuration.exe --database-connection-string "data source=.;Database=Usercube;Integrated Security=SSPI;Min Pool Size=10;encrypt=false;" --configuration-directory "C:/identitymanager/ExportedConf" +> +> ``` + +## Export the Configuration Remotely + +Export a SaaS configuration by proceeding as follows: + +1. Log in for configuration deployment/export with the + [ Usercube-Login ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/login/index.md) executable. + + Identity Manager provides an OpenID Connect (OIDC) authentication process in order to ensure + strong security, visibility and ease of use. + + Netwrix Identity Manager (formerly Usercube) recommends using Identity Manager's dedicated + in-house OIDC Identity Provider (IDP), but you can also use your own IDP if you want to manage + authentication yourself. + + When using your own IDP, make sure that the IDP implements a valid OIDC protocol and serves id + tokens. 
+ + > For example, when using Identity Manager's IDP: + > + > ``` + > + > ./identitymanager-Login.exe + > + > ``` + > + > ``` + + > For example, when using another IDP: + > + > ``` + > + > Usercube-Login.exe --authority https://my_oidc_authentication_server.com --client-id + > 34b3c-fb45da-3ed32 + > + > ``` + > + > ``` + + Either method will open your default browser to `http://localhost:5005` where you will be + redirected to the specified IDP and will be prompted to log in. + + Specify `--port ` if you want the login page to use another local port. + + If you have already successfully deployed or exported your SaaS configuration at least once, + then there is no need to communicate the authentication information again. Go directly to + step 4. + + However, if, since then, there has been a change in the identity deploying/exporting the + configuration or in the Identity Provider used to log in at step 1, then go through the whole + process again. + +2. Log in to the IDP to be redirected back to this screen: + + ![Usercube-Login.exe Success Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/how-tos/export-configuration/identitymanager-login_success_v602.webp) + + Once authenticated, an identification token is stored on your local machine for the + authentication to Identity Manager's deployment and export processes. + +3. Copy the entire text within the blue square and send it to your Identity Manager administrator. + + The administrator will add the identity information to the configuration of your Identity + Manager instance, to allow the configuration deployment/export. + +4. Export the configuration by using the + [ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) + and declaring at least: + + - the configuration directory; + - the API URL of your Identity Manager instance. 
+ > ``` + > + > ./identitymanager-Export-Configuration.exe -d "C:\Usercube\ExportedConf" --api-url https://my_usercube_instance.com + > + > ``` + + You can export the configuration by launching only the `Export-Configuration` executable until + the authentication token expires. Then, the token must be refreshed via the `Login` executable + before exporting again. + + The token served by Identity Manager's IDP expires after one hour. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md new file mode 100644 index 0000000000..d7326e1bea --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/index.md 
@@ -0,0 +1,19 @@ +# Toolkit for XML Configuration + +The Netwrix Identity Manager (formerly Usercube) configuration is a set of XML files edited +according the Usercube schema. The [ Recommendations ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/recommendations/index.md) part of this +section explains how to set up an editing environment for the configuration. + +Regardless of the editing space, the configuration persists in the Netwrix Identity Manager +(formerly Usercube) database. It's this stored configuration that is used at runtime. + +The +[ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) +tool is used to **import** a new version of the configuration (from the XML files set). +The[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) can be +used to **export** the current configuration (to a XML files set). + +The Identity Manager project's integration cycle consists in developing a configuration by +successive imports in a test instance. + +![Integration cycle](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/configurationcycle.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/languages/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/languages/index.md new file mode 100644 index 0000000000..3af3caddf8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/languages/index.md 
@@ -0,0 +1,25 @@ +# Languages + +Some configuration string must be specified in multiple languages. For this, the name of the +corresponding XML attribute is suffixed by `_L1`, `_L2`,... `_L8`. For example, the property +_DisplayName_ of an [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) can be +specified in English and French: + +``` + + ... + + +``` + +Languages list must be specified by [ Language ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +elements. + +``` + + + +``` + +The code is a combination of an ISO 639 two-letter lowercase culture code associated with a language +and an ISO 3166 two-letter uppercase subculture code associated with a country or region. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md new file mode 100644 index 0000000000..041d3f5046 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md 
@@ -0,0 +1,66 @@ +# Base32 Parameter Names + +## Base32 Parameter Names + +Some attributes names in the applicative configuration, such a those related to dimensions +identification, are written using a +[Base32 representation of numbers](https://en.wikipedia.org/wiki/Base32). + +Identity Manager uses flavor of base32 known as **base32hex** described in the +[RFC4648](https://tools.ietf.org/html/rfc4648#rfc4648). + +It uses 10 digits from 0 to 9 and 22 letters from A to V to represent numbers. + +The following table shows the decimal - base32hex equivalent for the first 127 numbers. + +| base32hex | decimal | +| --------- | ------- | +| 0 | 0 | +| 1 | 1 | +| 2 | 2 | +| 3 | 3 | +| 4 | 4 | +| 5 | 5 | +| 6 | 6 | +| 7 | 7 | +| 8 | 8 | +| 9 | 9 | +| a | 10 | +| b | 11 | +| c | 12 | +| d | 13 | +| e | 14 | +| f | 15 | +| g | 16 | +| h | 17 | +| i | 18 | +| j | 19 | +| k | 20 | +| l | 21 | +| m | 22 | +| n | 23 | +| o | 24 | +| p | 25 | +| q | 26 | +| r | 27 | +| s | 28 | +| t | 29 | +| u | 30 | +| v | 31 | +| 10 | 32 | +| 11 | 33 | +| ... | ... | +| 1A | 42 | +| ... | ... | +| 20 | 64 | +| ... | ... | +| 2A | 74 | +| ... | ... | +| 3V | 127 | + +For example, dimensions are identified by a number going from 0 to 127 in decimal representation and +0 to 3V in base32hex representation. + +The [ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) support _128_ dimension +parameters going from `B0` to `B3V` using the **base32hex**`0` to `3V` numbers to identify a +dimension. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/recommendations/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/recommendations/index.md new file mode 100644 index 0000000000..02f5b3e73b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/recommendations/index.md 
@@ -0,0 +1,75 @@ +# Recommendations + +## Editor + +[Visual Studio Code](https://code.visualstudio.com/) is the recommended editor for configuration. +Its extensions can highly benefit the configuration experience. Netwrix Identity Manager (formerly +Usercube) recommends the following extensions: + +- [Project Manager](https://marketplace.visualstudio.com/items?itemName=alefragnani.project-manager) + for file organization; +- [Xml Tools](https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml) for XML + formatting; +- [XML](https://marketplace.visualstudio.com/items?itemName=rogalmic.vscode-xml-complete) by RedHat + to provide auto-completion of XML configuration based on an XSD file; +- [Powershell](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell) for + Powershell formatting; +- [Rainbow CSV](https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv) for CSV + formatting; +- [GitLens](https://marketplace.visualstudio.com/items?itemName=eamodio.gitlens) for file history + features. + +### Configure auto-completion + +RedHat's XML extension provides auto-completion based on an XSD file. It opens an auto-completion +popup when you start to edit an element or attribute name. You can open the popup by typing +`Ctrl-Space`. + +![Auto-complete](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/recommendations/autocomplete.webp) + +Configure auto-completion by proceeding as follows: + +1. Retrieve from the SDK artifact the `usercube-configuration.xsd` and + `Usercube.Demo.code-workspace` files. +2. Make sure that these files are in the working directory (for example `C:/identitymanagerDemo`). +3. 
In `Usercube.Demo.code-workspace`, declare the following setting, replacing the path + `C:/identitymanagerDemo/identitymanager-configuration.xsd` by the path of your XSD file: + + ``` + + "settings": { + "xml.fileAssociations": [ + { + "systemId": "file:///C:/identitymanagerDemo/identitymanager-configuration.xsd", + "pattern": "**/*.xml" + } + ] + } + + ``` + +## Version Control System + +A version control system (like Git) is also recommended so files and configuration history could be +tracked. + +## File Hierarchy + +Some folders in the XML configuration contain files that are generated by Identity Manager and that +must not be modified manually: + +- `Runtime/Workforce` +- `Runtime/Bootstrap` + +For the configuration to be more readable it is recommended to classify configuration by Connector +or Application Entity. For each Connector or Application Entity create a folder in which will put: + +- **_Connector.xml_** file containing the definition of the Connector, the EntityTypes,the + EntityAssociations and their mappings. +- **_Administrator.xml_** file containing all the ACE for the administrator profile. +- **_Role Model.xml_** file containing the role model configuration. +- **_UI.xml_** file containing the User Interface configuration. +- **_Jobs.xml_** file containing the jobs configuration. +- **_Workflows.xml_** file containing the Workflows configuration for the given connector. + +![Recommendation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/recommendations/recommendation.webp) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md new file mode 100644 index 0000000000..8099139fa7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md 
@@ -0,0 +1,49 @@ +# Reserved identifiers + +Identifiers of [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)cannot be one of the following +words: + +These words can't be written in any case, example: id, Id, iD and ID are forbidden. + +- Id +- if +- for +- while +- return +- break +- else +- continue +- ref +- out +- class +- interface +- struct +- foreach +- do +- char +- byte +- string +- int +- long +- null +- public +- private +- protected +- static +- const +- abstract +- try +- catch +- sealed +- void +- true +- false +- finally +- throw +- Exception +- override +- readonly +- return +- enum +- delegate diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md new file mode 100644 index 0000000000..b0882fbb3a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md 
@@ -0,0 +1,32 @@ +# AccessCertificationDataFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the specific +entitlements attributes. + +## Properties + +| Property | Details | +| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| Category optional | **Type** Int64 **Description** Specifies the category targeted by the filter. | +| IncludeCompositeRoles default value: false | **Type** Boolean **Description** `true` to include the composite roles in the certification. | +| IncludeDeniedPermissions default value: true | **Type** Boolean **Description** Filters items with denied permissions from Access Certification Campaign. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with two validations in the certification. | +| IncludeManualAssignmentNotAllowed default value: true | **Type** Boolean **Description** `true` to include in the certification the resources that cannot be requested manually, i.e. those from resource types with `ApprovalWorkflowType` set to `ManualAssignmentNotAllowed`. See the [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. | +| IncludeNestedCategories default value: false | **Type** Boolean **Description** When a category is used as filter, all its nested categories are also included in the campaign. 
| +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements without validation in the certification. | +| IncludeResourceNavigations default value: false | **Type** Boolean **Description** `true` to include the resource navigations in the certification. | +| IncludeResourceScalars default value: false | **Type** Boolean **Description** `true` to include the resource scalars in the certification. | +| IncludeResourceTypes default value: false | **Type** Boolean **Description** `true` to include the resource types in the certification. | +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with one validation in the certification. | +| IncludeSingleRoles default value: false | **Type** Boolean **Description** `true` to include the single roles in the certification. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include the assignments of entitlements with three validations in the certification. | +| IncludeWorkflowStateApproved default value: true | **Type** Boolean **Description** `true` to include the manually approved assignments of entitlements in the certification. | +| IncludeWorkflowStateFound default value: true | **Type** Boolean **Description** `true` to include the reconciled assignments of entitlements in the certification. | +| IncludeWorkflowStateHistory default value: true | **Type** Boolean **Description** `true` to include the preexisting approved assignments of entitlements in the certification. | +| IncludeWorkflowStatePolicyApproved default value: true | **Type** Boolean **Description** `true` to include the automatically approved assignments of entitlements in the certification. | +| LatestCertifiedLimitDate optional | **Type** DateTime **Description** If specified, only assignments of entitlements not certified since. 
| +| ResourceType optional | **Type** Int64 **Description** Specifies the resource type targeted by the filter. | +| Tags optional | **Type** String **Description** Tags of the roles targeted by the campaign filter. The tag separator is ¤. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md new file mode 100644 index 0000000000..29a1c75d4b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md 
@@ -0,0 +1,18 @@ +# AccessCertificationOwnerFilter + +When running an Access Certification Campaign, this object defines the scope of assignments of +entitlements to certify for a given Access Certification Campaign. It filters based on the +attributes of entitlements owner. + +## Properties + +| Property | Details | +| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Campaign required | **Type** Int64 **Description** The associated campaign. | +| D0 optional | **Type** Int64 **Description** Identifier of the dimension 0 (up to 3V in the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)) that filters the owners targeted by the access certification campaign. | +| IndividualOwner optional | **Type** Int64 **Description** If set, filters on the owner. | +| L0 default value: false | **Type** Boolean **Description** `true` to include all the hierarchy beneath the dimension 0. **Note:** this setting can be used only if the corresponding [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) was declared with `IsHierarchical` set to `true` and with a `ParentProperty`. | +| MinimalRiskScore optional | **Type** Int32 **Description** If set, filters only owners above given risk. | +| OwnerLastModificationDate optional | **Type** DateTime **Description** Date such that the identities to be certified will be those for which the value of the `OwnerLastModificationDateBinding` property was modified since then. **Note:** must be set together with `OwnerLastModificationDateBinding`. 
| +| OwnerLastModificationDateBinding optional | **Type** Int64 **Description** Binding of the property whose owner will be part of the campaign's targets, if the property's value was modified since `OwnerLastModificationDate`. **Note:** must be set together with `OwnerLastModificationDate`. **Note:** the properties calculated by Identity Manager cannot be used. | +| TargetedRisk optional | **Type** Int64 **Description** If set, filters on the owner risk. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md new file mode 100644 index 0000000000..ba5b09d3ee --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md @@ -0,0 +1,5 @@ +# Access Certification + +- [ AccessCertificationCampaignPolicy ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationcampaignpolicy/index.md) +- [ AccessCertificationDataFilter ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) +- [ AccessCertificationOwnerFilter ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationownerfilter/index.md) 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md new file mode 100644 index 0000000000..a39b512281 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md 
@@ -0,0 +1,207 @@ +# Access Control Rule + +An access control rule gives to a profile a set of permissions on a data set represented by an +entity type. + +The rule contains filters to restrict its application, and entries to grant or deny the permissions. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +               + +``` + +## Properties + +| Property | Type | Description | +| ----------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the access control rule in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type that forms the data set on which the rule's permissions are applied. **NOTE:** The entity type can be part of the custom entity model, e.g. `Directory_User` or `AD_Entry`, or part of the built-in entity model, e.g. `AssignedSingleRole` or `Workflows` or `AccessCertificationItem`. | +| Identifier required | String | Unique identifier of the access control. | +| Profile required | Int64 | The id of the profile to which the permissions will be given. | + +## Child Element: Entry + +AccessControlEntry grants or denies a permission to a user. Access Control Entries are part of an +Access Control Rule that defines the users scope of responsibility in the Identity Manager +UI/Workflows. + +**NOTE:** If your configuration contains an access control entry with `Permission="/"` and +`CanExecute="true"` then an error will occur during the configuration deployment, as a profile +should not possess such a big permission. 
+ +### Properties + +| Property | Type | Description | +| ----------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------- | +| CanExecute default value: false | Boolean | Gives permission to execute permission. | +| FullAccessProperties default value: false | Boolean | Gives full access to all properties. | +| IsPostCondition default value: true | Boolean | If true, the rule is evaluated on the entity after modification. | +| IsPreCondition default value: true | Boolean | If true, the rule is evaluated on the entity before modification. | +| Notify default value: true | Boolean | True to send notification emails to the rule's recipient profile when executing tasks related to the specified Permission. | +| Permission required | Int64 | Linked Permission. | +| Priority default value: 0 | Int32 | When a user has several contexts giving him access to the same right, the one with the highest priority is elected. | +| PropertyGroup optional | Int64 | Gives the right to read for the PropertyGroup. | + +## Child Element: Filter + +An access control filter restricts the application of the access control rule to a given subset of +the data set. The rule will give the specified permissions to the profile only on the parts of the +rule's data set for which the filter's condition is met. + +_Remember,_ the ViewHistory permission (/Custom/Resources/Entity_Type/ViewHistory) does not work if +a filter is added. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +``` + +This condition is actually a comparison expression between two elements: + +- The value of a property which is originating from an entity targeted by the rule +- A comparison value that can be constant, or originating from the user profile + +![Access Control Filter Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/accesscontrolfilter_schema.webp) + +### Examples + +Filter on a constant value + +The following example gives to the `Administrator` profile certain permissions on user data, but +only concerning users working in the marketing department. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on users from +`Directory_User` whose `Code` of `MainOrganization` is `Marketing`. + +Filter on the account of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users from the team managed by the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users' +records from `Directory_UserRecord` whose `Id` of `Manager` is the identifier of the account used by +the current user to authenticate to Identity Manager. + +Filter on the context(s) of the assigned profile(s) of the current user + +The following example gives to the `Manager` profile certain permissions on user data, but only +concerning users working in the same department as the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the users from +`Directory_User` whose `Id` of `MainDepartment` is the same identifier as the value set for the +`Department` dimension of the current user, in at least one of their assigned profiles. + +For example, Timothy Callahan is here assigned the `Manager` profile with the `Department` dimension +set to `Treasury/Chief Economist`. + +![Matching Assigned Profile](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/assignedprofile_example_v603.webp) + +Thus, with the previous access control rule, Timothy Callahan will get certain permissions on users +whose main department is `Treasury/Chief Economist`. + +The following example gives to the `RoleOfficerByCategory` profile certain permissions on assigned +single roles, but only concerning the roles of a category assigned to the current user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +    ... + + +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value +set for the `Category` property of the current user, in at least one of their assigned profiles. + +Multiple filters + +The following example gives to the `RoleOfficerByCategory` profile the permission to review the +roles of users from `Directory_User`, but only the roles of a category assigned to the current user, +and whose assignment is stated as pending the first approval out of 1, 2 or 3. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +   +     +   +     +   +``` + +Technically speaking, the filter here says that the rule's permissions apply only on the assigned +single roles: + +- Whose `Id` of the `Category` of the `SingleRole` is the same identifier as the value set for the + `Category` property of the current user, in at least one of their assigned profiles, and +- Whose `WorkflowState` is set to 8 or 9 or 11, which mean respectively pending approval 1/1, 1/2 + and 1/3. + +### Properties + +| Property | Type | Description | +| ---------------------------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | Int64 | Binding of the property whose value is to be checked to restrict the application of the rule's permissions. **NOTE:** The binding must be based on the entity type defined in the access control rule. | +| Category default value: false | Boolean | True to compare the value specified by the binding to the categories of the current user's assigned profiles. | +| CompositeRole default value: false | Boolean | True to compare the value specified by the binding to the composite roles of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| CurrentUser default value: false | Boolean | True to compare the value specified by the binding to the identifier of the account used by the current user to authenticate to Identity Manager. 
**NOTE:** The current user is the owner of the profile, allowed by the access control rule to perform an action and/or receive a notification. `CurrentUser` is tightly linked to the configuration of the `SelectUserByIdentityQueryHandlerSetting`. | +| Dimension optional | Int64 | Identifier of the dimension whose value(s), from the user's assigned profiles, are to be compared to the value specified by the binding. See [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) and [ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topics for additional information. | +| Group optional | String | Group that the filter is part of. The access control rule filters the permissions by using the union (OR) of all filter groups, and the intersection (AND) of all filters within a group. **NOTE:** When not specified, the filter is part of the default group. | +| Operator default value: 0 | AccessControlFilterOperator | Comparison operator. 0 - Equals. 1 - NotEquals. | +| ResourceType default value: false | Boolean | True to compare the value specified by the binding to the resource types of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| SingleRole default value: false | Boolean | True to compare the value specified by the binding to the single roles of the current user's assigned profiles. See the [ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) topic for additional information. | +| Value optional | String | Hard coded value to be compared to the value specified by the binding. | 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md new file mode 100644 index 0000000000..f47aaccaa7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/index.md 
@@ -0,0 +1,10 @@ +# Access Control + +- [ AccessControlPermission ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpermission/index.md) +- [ AccessControlPropertyGroup ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolpropertygroup/index.md) +- [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +- [ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +- [ OpenIdClient ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md) +- [ Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) +- [ Profile Context ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) +- [Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md new file mode 100644 index 0000000000..153759a06b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/openidclient/index.md 
@@ -0,0 +1,47 @@ +# OpenIdClient + +OpenIdClient declares an OpenID Connect clientId/secret to call the Identity Manager API. All the +configurations need at least one clientId used by all the jobs on the agent side to call the server. + +Only the hashed secret is kept in the configuration. The clear version is only known by the API +callers. + +The secret must be strong enough to protect access to the API. + +The good practice is generating a random secret, for example a 32 characters string, from a tool +like KeePass. Each clientId must have it's own secret. The tool +[ Usercube-New-OpenIDSecret ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/new-openidsecret/index.md) can be +used to generate secrets and their hashes. + +Each clientId must have a scope of responsibility. The _Profile_ and _ContextId_ properties assign a +required Profile and an optional Profile Context. + +## Examples + +The following code declares a clientId with the Administrator profile. + + ``` + + + +```` + + +The following code example declares a clientId with the RoleOfficerByCategory profile, restricted to the profile context defined below. The ContextId property must reference the Id of an existing Profile Context. Profile contexts don't have identifiers, so to avoid recalculation of the ProfileContext's Id property on configuration deployment, the Id should be declared manually as below. To be valid, it must be lower or equal to -2. 
+ + ``` + + + +```` + +## Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------- | +| Context optional | **Type** Int64 **Description** Id of the ProfileContext used to further restrict the client scope of responsibility | +| DisplayName_L1 required | **Type** String **Description** Name that will be Displayed on the screen | +| ExpirationDate optional | **Type** DateTime **Description** After this date, the client is no longer usable | +| HashedSecret required | **Type** String **Description** HashedPassword of client | +| Identifier required | **Type** String **Description** Client login name and name | +| Profile required | **Type** Int64 **Description** Profile linked with the client | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/profile/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md new file mode 100644 index 0000000000..57a5f4f524 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md 
@@ -0,0 +1,45 @@ +# Profile Rule Context + +Defines the context in which the rule will be evaluated. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------------- | ------- | ------------------------------------------------------------------------------------------------------ | +| EntityType optional | Int64 | When ResourceType is not used, identifier of the entity type from which the expressions are evaluated. | +| IsAppliedToRoot default value: true | Boolean | The dimensions are queried from the user's information. | +| ResourceType optional | Int64 | The resourceType of the assignedResourcetypes on which the rule is going to be applied on. | +| RootBinding optional | Int64 | Binding to apply on the user resource before executing the root expression(cf Profile Rule). | +| SubBinding optional | Int64 | Binding to apply on the user resource before executing the sub expression(cf Profile Rule). | + +## Child Element: ProfileRule + +Defines the rule to assign a profile to user when matched. + +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +### Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | Int64 | Represents the first dimension binding definition. The 127 other dimension bindings can be referred to by 127 more parameters from B1 to B3V following the base32hex convention. 
See the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| IsDenied default value: false | Boolean | Profile denied to the user when matched. | +| Profile required | Int64 | Identifier of the profile rule. | +| RootExpression optional | String | C# expression to apply on the source entity type of the context resource type. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| SubExpression optional | String | C# expression to apply on the target entity type of the context resource type. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md new file mode 100644 index 0000000000..c173a8e42c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md @@ -0,0 +1,3 @@ +# Business Intelligence + +- [ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md new file mode 100644 index 0000000000..757311536d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md 
@@ -0,0 +1,87 @@ +# Universe + +Universes constitute the basis for the configuration of a new model that we will call universe +model. Users can then exploit it, through the Query module and/or Power BI, to generate graphic +reports. + +## Examples + +##### Basic universe + +The following example builds a universe called `Universe1`: + +``` + + + + + +``` + +![Universe - Basic Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexampledisplaynames.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Display Names)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnamedisplayname.webp) + +##### Basic universe with identifiers instead of display names + +The following example builds a universe called `Universe1` with identifiers as labels instead of +display names: + +``` + + + +``` + +![Universe - Basic Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/bi_universeexample.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Identifiers)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/universe_columnnameidentifier.webp) + +## Properties + +| Property | Details | +| ------------------------------------------ | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnNamesMode default value: DisplayName | **Type** UniverseColumnNamesMode **Description** Type of label to be displayed as the column names in Power BI, for this universe. `0` - DisplayName: display name of entity instances. `1` - Identifier: identifier of entity instances. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the universe in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Identifier of the universe. | + +## Child Element: Association Instance + +An association instance represents, within a Universe , the occurrence in the model of an +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +### Properties + +| Property | Details | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Association required | **Type** Int64 **Description** Identifier of the entity association, in Identity Manager's entity model, that corresponds to the association instance. | +| Direction default value: 0 | **Type** Direction **Description** Direction of the association between the two entity instances. It must be the same direction as between the two entity types specified in these entity instances. `0` - Both directions. `1` - From the instance 1 to 2. `2` - From the instance 2 to 1. | +| Instance1 required | **Type** Int64 **Description** Identifier of the entity instance number one. 
| +| Instance2 required | **Type** Int64 **Description** Identifier of the entity instance number two. | + +## Child Element: Entity Instance + +An entity instance represents, within a Universe , the occurrence in the model of an +[ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md). + +### Properties + +| Property | Details | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity instance in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type, in Identity Manager's entity model, that corresponds to the entity instance. | +| FilterEntityProperty optional | **Type** Int64 **Description** Entity property used as filter (FilterProperty must be a navigation property to EntityProperty) | +| FilterEntityType optional | **Type** Int64 **Description** Entity type used as filter (FilterProperty must be a navigation property to EntityType) | +| FilterProperty optional | **Type** Int64 **Description** Property used to filter entity type's instance. | +| FilterResourceType optional | **Type** Int64 **Description** Resource type used as filter (FilterProperty must be a navigation property to ResourceType) | +| FilterValue optional | **Type** String **Description** Constant value used as filter. | +| Identifier required | **Type** String **Description** Identifier of the entity instance. | +| IsHidden default value: false | **Type** Boolean **Description** `true` if the entity instance is to be hidden in Power BI. | 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md new file mode 100644 index 0000000000..3434f3abf8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md @@ -0,0 +1,3 @@ +# Configuration + +- [Scaffoldings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..2ca9ea9d9c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# Access Review Administration Access Control Rules + +Scaffolding to generate the rights to administrate campaign creation. + +Gives access to a shortcut on the dashboard to access this page. + +![Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md new file mode 100644 index 0000000000..e5dea8b0c2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md @@ -0,0 +1,5 @@ +# Access Reviews + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + + Generates the permissions to administrate campaign creation. 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md new file mode 100644 index 0000000000..4dcfb45cae --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md 
@@ -0,0 +1,11 @@ +# Connectors + +- [ Connector Resource Type Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. + +- [ Settings Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) + + Generates the permissions to configure the Workforce Core Solution module and connector + settings. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md new file mode 100644 index 0000000000..176aba4efd --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md 
@@ -0,0 +1,15 @@ +# Access Control Rules + +Scaffoldings for access control give some permissions, by allowing the corresponding API calls. + +- [ Access Reviews ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) +- [ Connectors ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) +- [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) +- [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) +- [ Profiles ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) +- [ Queries ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) +- [ Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) +- [Role Models](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) +- [ Simulations ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) +- [ User Interfaces ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) +- [ Workflows 
](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md new file mode 100644 index 0000000000..18c5a5570e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md 
@@ -0,0 +1,64 @@ +# Jobs + +- [ GetJobLogAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + + Generates the permissions to read task and job instances logs in UI for a given profile. + +- [ JobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + + Scaffolding to access the job administration page. + +- [ JobTaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + + Generates all permissions for JobStep entity. + +- [ PendingAssignedResourceTypesAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes. + +- [ ProvisioningAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. 
+ +- [ ResourceChangesViewAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +- [ ResourceTypeMappingControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + + Generate rights to launch agent fulfillment. + +- [ RunJobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch jobs from UI for a given profile. + +- [ RunJobNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when job finish with an error state. + +- [ RunJobRepairAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile. 
+ +- [ RunJobRepairNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when a relaunch job finish with an error state. + +- [ SynchronizationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + + Generates rights to launch synchronization task. + +- [ TaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + + Generates all rights to have the access to job administration page. + +- [ TaskInstanceAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + + Generates access control to update the task instances. + +- [ WorkflowFulfillmentControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + + Generates the execution rights to launch Fulfillment workflow for a given profile. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..7cd80956bf --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md @@ -0,0 +1,30 @@ +# JobAdministrationAccessControlRules + +Scaffolding to access the job administration page. This page is accessible from the administration +part in dashboard of the user interface. + +![Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md new file mode 100644 index 0000000000..c2f55d29a0 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md @@ -0,0 +1,6 @@ +# Monitoring + +- [ MonitoringAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md new file mode 100644 index 0000000000..701770c0cb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Assign Profile Access Control Rules + +Gives to a given profile the rights to create, update, delete and query any assigned profile, from +the **Assigned Profiles** screen. + +![Assigned Profiles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update, delete and +query assigned profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md new file mode 100644 index 0000000000..7f4ce637c2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md 
@@ -0,0 +1,10 @@ +# Profiles + +- [ Assign Profile Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update, delete and query any assigned profile. + +- [ OpenId Client Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- [ Profile Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update and delete profiles. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md 
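Review bot: In the new `profiles/index.md` list, the `OpenId Client Administration Access Control Rules` item is the only entry with no description and no blank line before the next item, so it reads as a bare link run into the `Profile Administration Access Control Rules` entry. Add a one-line summary under it in the same form as the other two entries, taken from that scaffolding's own page, and separate the items with a blank line.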
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..9a6b363c1c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md @@ -0,0 +1,38 @@ +# Profile Administration Access Control Rules + +Gives to a given profile the rights to create, update and delete profiles. + +Profiles are listed on the **Profiles** screen, from **Settings** in the **Configuration** section. + +![Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +![Profiles](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/accesscontrol_profiles_v603.webp) + +See more details on profiles' APIs. + +## Examples + +The following example gives to the `Administrator` profile the rights to create, update and delete +profiles. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
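Review bot: The sentence `See more details on profiles' APIs.` in the new `profileadministrationaccesscontrolrules/index.md` carries no link or target, so it sends the reader nowhere; link it to the API topic it refers to or drop it. As shown in this hunk, the fenced blocks under `## Examples` and `## Generated XML` also contain only blank lines, which leaves the page without the scaffolding element and without the access control rules it generates for the `Administrator` profile. Since this scaffolding grants create, update and delete on profiles, please confirm the XML survived the migration.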
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md new file mode 100644 index 0000000000..31fd3bbe59 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md @@ -0,0 +1,19 @@ +# Queries + +- [ Manage Setting Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table. + +- [ Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + + Generates the permissions to access the report view. + +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + + Generates the permissions to apply a report for a profile on a given entity. + +- [ Universe Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
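Review bot: The four descriptions in `queries/index.md` phrase the same kind of grant three ways: `gives to a profile the permission` (Manage Setting), `Generates the permissions to` (Report and Target Resource Report) and `gives a profile the permission` (Universe). Pick one form for the whole list; `gives a profile the permission to` is the most natural. `UM_Settings` is a table name and would read more clearly in backticks.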
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md new file mode 100644 index 0000000000..ab4e5ac164 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md 
@@ -0,0 +1,31 @@ +# Report Access Control Rules + +Generates the rights to access the report view. + +Gives access to a shortcut on the navigation to access this page. + +![Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md new file mode 100644 index 0000000000..2faf95e01a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md 
@@ -0,0 +1,32 @@ +# Target Resource Report Access Control Rules + +Generates the right to apply a report for a profile on a given entity. + +The existence of a report for this entity must exist in order to use this scaffolding. A scaffolding +allows to generate a default report for an entity: +[ Target Resource Report Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md 
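Review bot: In `targetresourcereportaccesscontrolrules/index.md`, the prerequisite `The existence of a report for this entity must exist in order to use this scaffolding` is circular, and the following `A scaffolding allows to generate a default report for an entity:` does not say that the linked Target Resource Report Menus topic is that scaffolding. Suggest wording such as "A report must already exist for this entity type. The Target Resource Report Menus scaffolding can generate a default one." The `## Examples` section also has no sentence naming the profile and entity type used, unlike the Assign Profile and Profile Administration pages in this patch.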
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md new file mode 100644 index 0000000000..d5e8f84a8f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md 
@@ -0,0 +1,24 @@ +# Resources + +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally. + +- [ Resource Api Administration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile. + +- [ Resource Picker Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + + Creates the reading right of the resource picker. + +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + + Generates the permissions to view an entity type's resources. + +- [ View History Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
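Review bot: The `Resource Picker Control Rules` entry in `resources/index.md` says only `Creates the reading right of the resource picker`, which does not state who receives the permission or on which entity type, while every other entry in this list names the profile or the entity type. Reword it in the form the neighbouring entries use ("Generates the permissions to ...") once the scope is confirmed from the scaffolding's own page. Minor: `create/update/delete/query` in the Resource Api Administration entry is written with slashes where the other index pages in this patch spell the list out.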
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..66de23b57e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Bulk Perform Manual Provisioning Access Control Rules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple manual provisioning items for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..8904ebd2ef --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md 
@@ -0,0 +1,36 @@ +# Bulk Resource Reconciliation Access Control Rules + +The following example assigns to the Administrator profile the rights to reconcile simultaneously +several resources from the Directory_User entity type. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The scaffolding generates the following scaffoldings: + +- ReconciliateResourcesAccessControlRules: Generates the permissions to access the resource + reconciliation pages for a given entity type and profile. See the + [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + topic for additional information. + +## Properties + +| Property | Type | Description | +| ------------------- | ------ | ---------------------------------------------------------- | +| EntityType required | String | Identifier of the entity type involved in the scaffolding. | +| Profile required | String | Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +   +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..99c2fed8ac --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md @@ -0,0 +1,33 @@ +# Bulk Review Provisioning Access Control Rules + +The following example assigns permissions to the `Administrator` profile, allowing the simultaneous +review of multiple errored provisioning orders for the `Directory_User` entity type. + +``` + + + +``` + +The scaffolding generates the following scaffoldings: + +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md new file mode 100644 index 0000000000..816032ad51 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md @@ -0,0 +1,16 @@ +# Bulk Role Reconciliation Access Control Rules + +Generates the permissions to perform bulk validations on the **Role Reconciliation** page. + +The scaffolding generates the following scaffoldings: + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..c0beb7877f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md 
@@ -0,0 +1,14 @@ +# Governance Roles Access Control Rules + +Generates the rights to access the role review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md new file mode 100644 index 0000000000..c29bcf9c35 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md 
@@ -0,0 +1,70 @@ +# Role Models + +- [ Basket Rules Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + + Generates the permissions to execute the different requests to display the information in the + rights basket. + +- [ Bulk Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page. + +- [Bulk Resource Reconciliation Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page. + +- [ Bulk Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders). + +- [ Bulk Role Reconciliation Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* page. 
+ +- [ Governance Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + + Generates the permissions to access the governance review pages for a given entity type and + profile. + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +- [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile. + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments. 
+ +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +- [ Review Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + + Generates the permissions to access the role review pages for a given entity type and profile. + +- [ Risks Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- [ Role Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. + +- [ Role Naming Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. 
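Review bot: In rolemodels/index.md the bold markers are backslash-escaped (`\*\*Perform Manual Provisioning\*\*`, `\*\*Resource Reconciliation\*\*`, `\*\*Provisioning Review\*\*`, `\*\*Role Reconciliation\*\*`, `\*\*Redundant Assignment\*\*`), so they will render as literal asterisks; the per-scaffolding pages in this same change use plain `**Redundant Assignment**`. The Governance Roles entry here says "governance review pages" while its own page says "role review pages", and the Risks Administration entry has no description, which makes the text under Role Administration look like it covers both. Suggest unescaping the markers, aligning the Governance Roles wording, and adding a one-line description for Risks Administration.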
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..7f188d1b01 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md @@ -0,0 +1,36 @@ +# Perform Manual Provisioning Access Control Rules + +Generates the rights to access the access manual provisioning pages for a given entity type and +profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +The connector connected to the entity type must have the manual type as the provisioning type, +otherwise the information of the entity type cannot be displayed on this screen. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
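Review bot: The opening sentence of performmanualprovisioningaccesscontrolrules/index.md reads "access the access manual provisioning pages"; drop the repeated "access the". The connector prerequisite (manual provisioning type, otherwise the entity type's information cannot be displayed) sits after the screenshot where it is easy to miss; consider moving it directly under the description, since it is the condition under which the granted permission has any visible effect.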
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md new file mode 100644 index 0000000000..8908499a49 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md @@ -0,0 +1,35 @@ +# Reconciliate Resources Access Control Rules + +Generates the right to access the reconcile resources pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +![Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
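Review bot: The third paragraph of reconciliateresourcesaccesscontrolrules/index.md documents a permission that goes beyond the page named in the title: view rights on the TargetEntityTypes of all ResourceTypes whose source is the entity type. That is the part an administrator reviewing a profile's effective access most needs to see, so state it next to the first sentence rather than below the dashboard shortcut line, change "Also create" to "Also creates", and replace "the EntityType to be filled in the Scaffolding" with a reference to the `EntityType` property from the Properties table.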
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..e69cf50dc8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md @@ -0,0 +1,32 @@ +# Reconciliate Roles Access Control Rules + +Generates the rights to access the access reconcile roles pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
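Review bot: The first sentence of reconciliaterolesaccesscontrolrules/index.md says "access the access reconcile roles pages"; remove the duplicated "access the". The rolemodels index page added in this change calls these the "role reconciliation pages", so using that wording here would keep the two in step.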
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md new file mode 100644 index 0000000000..43fc420c76 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md @@ -0,0 +1,35 @@ +# Redundant Assignment Access Control Rule + +Generates the permissions to access the **Redundant Assignment** page, to analyze and remove +redundant assignments. + +Gives access to a shortcut on the dashboard to access this page. + +![Redundant Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +## Examples + +The following example gives to the `Administrator` profile the permissions to access the **Redundant +Assignment** page and perform redundant-assignment related actions. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md new file mode 100644 index 0000000000..161bfcae71 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md @@ -0,0 +1,34 @@ +# Review Provisioning Access Control Rules + +Generates the right to access the review provisioning pages for a given entity type and profile. +Also create the rights to view the TargetEntityTypes of all ResourceTypes whose source is the +EntityType to be filled in the Scaffolding. + +Gives access to a shortcut on the dashboard to access this page. + +![Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md new file mode 100644 index 0000000000..62a4db7405 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md @@ -0,0 +1,32 @@ +# Review Roles Access Control Rules + +Generates the rights to access the access roles review pages for a given entity type and profile. + +Gives access to a shortcut on the dashboard to access this page. + +![Role Review](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/home_rolereview_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
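Review bot: reviewrolesaccesscontrolrules/index.md is indistinguishable from governancerolesaccesscontrolrules/index.md as written: both say they generate the rights to access the role review pages, and the screenshot here is loaded from the governancerolesaccesscontrolrules image folder (`home_rolereview_v523.webp`). If the two scaffoldings grant different permissions, say how they differ; if one wraps the other, say so the way the Bulk pages do with "The scaffolding generates the following scaffoldings". The first sentence also has a duplicated "access the" ("access the access roles review pages").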
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md new file mode 100644 index 0000000000..876f47a98d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md 
@@ -0,0 +1,44 @@ +# Role Administration Access Control Rules + +Generates the rights to access the access configuration pages and create, update, delete for: + +- Policies +- ResourceTypes +- SingleRoles +- CompositeRoles +- ResourceNavigationRules +- ResourceScalarRule +- ResourceCorrelationRule +- CompositeRoleRule +- ResourceTypeRule +- SingleRoleRule +- ContextRule +- Categories + +Gives access to a shortcut on the dashboard to access this page. + +![Configuration Section](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/home_configuration_v603.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md 
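Review bot: In roleadministrationaccesscontrolrules/index.md the lead sentence "Generates the rights to access the access configuration pages and create, update, delete for:" has a duplicated "access the" and no object for the verbs. Something like "Generates the rights to access the configuration pages and to create, update and delete the following elements:" reads cleanly. The list also mixes plural and singular names (`SingleRoles`, `CompositeRoles` next to `ResourceScalarRule`, `SingleRoleRule`); pick one form, ideally the exact configuration element names, because this list is what a reader will use to judge how much write access the profile receives.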
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md new file mode 100644 index 0000000000..b974e5a002 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md @@ -0,0 +1,4 @@ +# Simulations + +- [Policy Simulation Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- [ Role And Simulation Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md new file mode 100644 index 0000000000..00867b0fed --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md @@ -0,0 +1,7 @@ +# User Interfaces + +- [ Manage Accounts ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- [ Search Bar Page Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md new file mode 100644 index 0000000000..17afcb5c64 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md @@ -0,0 +1,39 @@ +# Manage Accounts + +Gives access to the **Manage Accounts** buttons for the users of a given entity type. + +![ManageAccounts Button](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/accesscontrol_manageaccounts_v603.webp) + +The scaffolding gives access to the button, but you need to get the permissions on said accounts in +order to see anything once you click on the button. + +## Examples + +The following example gives the `Administrator` profile access to the **Manage Accounts** button for +users from `Directory_User`. + +``` + + + +In order to see AD accounts once clicking on the button: + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
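Review bot: In the Examples block of manageaccounts/index.md the sentence "In order to see AD accounts once clicking on the button:" sits inside the code fence, so it will be rendered as part of the snippet. Move it out of the fence as a normal paragraph, or make it an XML comment. The paragraph above the examples says "you need to get the permissions on said accounts" without naming what grants them; link the scaffolding or rule that does, so readers do not assume the button alone exposes account data.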
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md new file mode 100644 index 0000000000..c6f7e0477d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md 
@@ -0,0 +1,41 @@ +# Create Update Delete Access Control Rules + +Generates execution rights for the create, update, delete workflows. + +Some prerequisites are necessary to be able to launch this scaffolding. A entity type must be +created with the following naming convention: "Worfklow\_" + idenfitier type entity. Three workflows +must be created with the following names: + +- entity type identifier + "\_Create"; +- entity type identifier + "\_Update"; +- entity type identifier + "\_Delete"; + +The scaffolding generates the following scaffoldings: + +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): Generates the + permissions to view an entity type's resources. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md new file mode 100644 index 0000000000..72c6c020b4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md 
@@ -0,0 +1,16 @@ +# Workflows + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + + Generates execution rights for the create, update, delete workflows. + +- [ Update Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- [ Workflow Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile. + +- [ Workflow Configuration Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- [ Workflow Overview Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + + Generates the permissions to access the workflow supervision page. 
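Review bot: In workflows/index.md, Update Resources Access Control Rules and Workflow Configuration Control Rules have no description and are each immediately followed by another bullet whose description then appears to apply to both. Add a one-line summary under each, matching the other entries. The link labels also carry stray leading and trailing spaces (`[ Workflow Access Control Rules ]`).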
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md new file mode 100644 index 0000000000..58652bd665 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md 
@@ -0,0 +1,39 @@ +# Workflow Access Control Rules + +Generates the rights to access the task page and visualize the different workflows to be executed +for a given entity type and profile. + +Gives access to a shortcut on the dashboard and on the top bar to access this page. + +Top bar shortcut: + +![Tasks in Top Bar](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +DashBoard shortcut: + +![Task in Dashboard](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/home_mytasks_v523.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md 
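Review bot: The fenced blocks under "Examples" and "Generated XML" in workflowaccesscontrolrules/index.md contain only blank lines, so "Our example generates the following configuration:" points at nothing; the createupdatedeleteaccesscontrolrules page added earlier in this patch has the same empty fences. Check that the scaffolding element and its generated XML survived the move from the usercube_saas tree, and restore them or remove the two sections. Since these pages document what permissions a profile receives, the generated XML is the part a reader needs in order to review what is actually granted. Minor: "DashBoard shortcut:" should use the same casing as "dashboard" in the sentence above it.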
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md new file mode 100644 index 0000000000..37dd938f42 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md @@ -0,0 +1,32 @@ +# Workflow Overview Control Rules + +Generates the rights to access the workflow supervision page. + +Gives access to a shortcut on the dashboard to access this page. + +![Workflow Overview](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md new file mode 100644 index 0000000000..c6108a43f5 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md 
@@ -0,0 +1,79 @@ +# Connector Mappings + +This scaffolding allows the user to generate the mapping of an entity in a given connector. + +The identifiers of the connector and the entity type must be provided to the scaffolding through the +attributes `Connector` and `EntityType` to make the link between these two elements and create the +mapping. This scaffolding needs to have an argument to know the location of the file to be retrieved +during the collection. This file must be a CSV file with "Command" as the first column and then the +rest of the columns for scalar and mono-navigation properties. This file must be named after the +entity type. If there are multi-valued navigation properties, it is necessary to create a file with +"Command" as first property and the key of the two entities to link. This file must be named after +the identifier of the starting entity type + "\_" + the identifier of the navigation property. + +If you are using a CSV connector with files in incremental mode, you must specify the attribute +`IsIncremental` to `true`. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the job to be generated. | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| IsIncremental optional | **Type** Boolean **Description** `true` to perform an incremental synchronization. | +| Package optional | **Type** ConnectionPackage **Description** For a `ConnectorMappings` scaffolding, identifier of the package for the connection to be generated. | + +## Child Elements + +- Excluded Property (optional) to ignore a given property of the specified entity type. 
+- Mapping Path (optional) Define the path for csv EntityType mapping + +### Excluded Property + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. + +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When getting Identity Manager +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### Mapping Path + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------- | +| IsIncremental default value: false | **Type** Boolean **Description** Defines if the CSV connector files uses the incremental mode | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
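Review bot: The "Excluded Property" section of connectormappings/index.md carries an example that belongs to a different scaffolding: it describes generating a universe `U8_Users` from `Directory_User` "like our U1", links the Power BI how-to, and embeds an image from the queries/universedatamodel/ folder, none of which concerns a connector mapping. Replace it with a ConnectorMappings example or remove it; the sentence "When getting Identity Manager [Connect Power BI to Identity Manager] ..., we see the following" is also not readable as written. Separately, `IsIncremental` is documented twice, once as an optional property of the scaffolding and once as the only property of "Mapping Path", while "Mapping Path" lists no property for the path it is said to define; state which element takes the attribute and document the path property. The first paragraph also switches between "Command" as the first column and "Command" as the first property for the two CSV layouts; use one term.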
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md new file mode 100644 index 0000000000..169e13e232 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md 
@@ -0,0 +1,34 @@ +# Entity Types + +- [ Connector Mappings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + + Generates the mapping of an entity in a given connector. + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + + Computes a default value for resources' internal display names. + +- [ Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + + Creates an adaptable display table for a given entity type. + +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping. + +- [ Entity Type Search Bar ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + + Creates the search bar for the entity without criteria. 
+ +- [ Target Resource Report Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + + Creates the Item menu for the entity's report so that it is displayed in the report view. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md new file mode 100644 index 0000000000..27c26b171f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md @@ -0,0 +1,4 @@ +# Entity Types + +- [Entity Types](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) +- [ Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) 
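Review bot: In entitytypes/entitytypes/index.md, "Entity Type Display Table" and "Entity Type Display Target Resource Table" carry the identical description "Creates a display table for the given entity.", so the list does not tell a reader which scaffolding to use; say what the target-resource variant displays. In entitytypes/index.md the parent page and its first child are both titled "Entity Types", which makes the navigation ambiguous, and the link text is padded inconsistently ("[Entity Types]" next to "[ Workflows ]"); trim the spaces inside the brackets across these new index pages.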
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md new file mode 100644 index 0000000000..7cf0caf025 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md 
@@ -0,0 +1,24 @@ +# Workflows + +- [ Create Update Delete Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md) + + Creates updates and deletes menus for an entity. + +- [ Create Update Delete Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) +- [ Update Resources Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- [ Update Resources Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- [ Workflow Actors Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- [ Workflow Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + + Creates an entity that will be the source of all workflows that manipulate the given entity. + +- [ Workflow Entity Type Display Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- [ Workflow Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + + Creates the display table of the workflow entity of the starting entity. 
+ +- [ Workflow Entity Type Search Bar ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + + Creates the search bar of the workflow entity of the starting entity. + +- [ Workflow Performer Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md 
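Review bot: "Creates updates and deletes menus for an entity." in entitytypes/workflows/index.md reads as three verbs; if the scaffolding generates the create, update and delete menus, word it that way. Six of the ten entries in this list (Create Update Delete Workflows, Update Resources Menus, Update Resources Workflows, Workflow Actors Notification, Workflow Entity Type Display Entity Type, Workflow Performer Notification) have no description while the other four do; add a one-line summary to each so the index is usable without opening every page.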
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md new file mode 100644 index 0000000000..4a40b7cb3a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/index.md 
@@ -0,0 +1,443 @@ +# Scaffoldings + +Identity Manager provides a list of scaffoldings to act as configuration shortcuts: a scaffolding is +an XML element that will generate a complex XML fragment. + +Available scaffoldings are described below. + +To understand scaffoldings' generated configuration, Identity Manager's executable +[ Usercube-Export-Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-configuration/index.md) +can be launched with the `--export-scaffolding` option to export into XML files the configuration +items generated by scaffoldings. + +Remember that these exported files are meant for viewing and understanding purposes, not for using +their content in your own configuration. + +## References + +- [Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/index.md) + +- [ Access Reviews ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/index.md) + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md) + + Generates the permissions to administrate campaign creation. + +- [ Connectors ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/index.md) + +- [ Connector Resource Type Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md) + + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. 
+ +- [ Settings Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md) + + Generates the permissions to configure the Workforce Core Solution module and connector + settings. + +- [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/index.md) + +- [ GetJobLogAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md) + + Generates the permissions to read task and job instances logs in UI for a given profile. + +- [ JobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md) + + Scaffolding to access the job administration page. + +- [ JobTaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobtaskadministrationaccesscontrolrules/index.md) + + Generates all permissions for JobStep entity. + +- [ PendingAssignedResourceTypesAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md) + + Generates the access control rules which give to a profile the permissions to call the API + Pending AssignedResourceTypes. 
+ +- [ ProvisioningAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md) + + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. + +- [ ResourceChangesViewAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md) + + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +- [ ResourceTypeMappingControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md) + + Generate rights to launch agent fulfillment. + +- [ RunJobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch jobs from UI for a given profile. + +- [ RunJobNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when job finish with an error state. + +- [ RunJobRepairAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md) + + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning + or a synchronization for a given profile. 
+ +- [ RunJobRepairNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md) + + Generates access control to send notification when a relaunch job finish with an error state. + +- [ SynchronizationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md) + + Generates rights to launch synchronization task. + +- [ TaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md) + + Generates all rights to have the access to job administration page. + +- [ TaskInstanceAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskinstanceadministrationaccesscontrolrules/index.md) + + Generates access control to update the task instances. + +- [ WorkflowFulfillmentControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md) + + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+ +- [ Monitoring ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/index.md) + +- [ MonitoringAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the + monitoring screen. + +- [ Profiles ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/index.md) + +- [ Assign Profile Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update, delete and query any assigned profile. + +- [ OpenId Client Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/openidclientadministrationaccesscontrolrules/index.md) +- [ Profile Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md) + + Gives to a given profile the rights to create, update and delete profiles. 
+ +- [ Queries ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/index.md) + +- [ Manage Setting Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md) + + Generates the access control rule which gives to a profile the permission to query, create, + update and delete settings from the UM_Settings table. + +- [ Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md) + + Generates the permissions to access the report view. + +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md) + + Generates the permissions to apply a report for a profile on a given entity. + +- [ Universe Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md) + + Generates an access control rule which gives a profile the permission to access the query page + and run queries. 
+ +- [ Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/index.md) + +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md) + + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally. + +- [ Resource Api Administration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md) + + Generates the permissions to create/update/delete/query resources from a given entity type, for + a given profile. + +- [ Resource Picker Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md) + + Creates the reading right of the resource picker. + +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + + Generates the permissions to view an entity type's resources. + +- [ View History Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md) + + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. 
+ +- [Role Models](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/index.md) + +- [ Basket Rules Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md) + + Generates the permissions to execute the different requests to display the information in the + rights basket. + +- [ Bulk Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkperformmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Perform Manual Provisioning\*\* + page. + +- [Bulk Resource Reconciliation Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkresourcereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Resource Reconciliation\*\* + page. + +- [ Bulk Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkreviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Provisioning Review\*\* page + (only for errored orders). + +- [ Bulk Role Reconciliation Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/bulkrolereconciliationaccesscontrolrules/index.md) + + Generates the permissions to perform bulk validations on the \*\*Role Reconciliation\*\* page. 
+ +- [ Governance Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/governancerolesaccesscontrolrules/index.md) + + Generates the permissions to access the governance review pages for a given entity type and + profile. + +- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. + +- [ Reconciliate Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliateresourcesaccesscontrolrules/index.md) + + Generates the permissions to access the resource reconciliation pages for a given entity type + and profile. + +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md) + + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. + +- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md) + + Generates the permissions to access the \*\*Redundant Assignment\*\* page, to analyze and remove + redundant assignments. 
+ +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md) + + Generates the permissions to access the provisioning review pages for a given entity type and + profile. + +- [ Review Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md) + + Generates the permissions to access the role review pages for a given entity type and profile. + +- [ Risks Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md) +- [ Role Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md) + + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. + +- [ Role Naming Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md) + + Generates the permissions to configure and launch the automatic creation of roles and rules + based on naming conventions. 
+ +- [ Simulations ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/index.md) + +- [Policy Simulation Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md) +- [ Role And Simulation Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md) + +- [ User Interfaces ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/index.md) + +- [ Manage Accounts ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md) +- [ Search Bar Page Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/searchbarpageaccesscontrol/index.md) + + Gives access rights to the different navigation elements of the SearchBars of the pages of the + role model. + +- [ Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/index.md) + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md) + + Generates execution rights for the create, update, delete workflows. 
+ +- [ Update Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md) +- [ Workflow Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) + + Generates the permissions to access the task page and visualize the workflows to be executed for + a given entity type and profile. + +- [ Workflow Configuration Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md) +- [ Workflow Overview Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md) + + Generates the permissions to access the workflow supervision page. + +- [ Entity Types ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/index.md) + +- [Entity Types](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/index.md) + +- [ Connector Mappings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/connectormappings/index.md) + + Generates the mapping of an entity in a given connector. + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md) + + Computes a default value for resources' internal display names. 
+ +- [ Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md) + + Creates an adaptable display table for a given entity type. + +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md) + + Creates a display table for the given entity. + +- [ Entity Type Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypemenuitem/index.md) + + Creates a menu item for the entity type, and for its connector if the entity type has an entity + type mapping. + +- [ Entity Type Search Bar ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md) + + Creates the search bar for the entity without criteria. + +- [ Target Resource Report Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md) + + Creates the Item menu for the entity's report so that it is displayed in the report view. 
+ +- [ Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/index.md) + +- [ Create Update Delete Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md) + + Creates updates and deletes menus for an entity. + +- [ Update Resources Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md) +- [ Update Resources Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md) +- [ Workflow Actors Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowactorsnotification/index.md) +- [ Workflow Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md) + + Creates an entity that will be the source of all workflows that manipulate the given entity. + +- [ Workflow Entity Type Display Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplayentitytype/index.md) +- [ Workflow Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypedisplaytable/index.md) + + Creates the display table of the workflow entity of the starting entity. 
+ +- [ Workflow Entity Type Search Bar ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytypesearchbar/index.md) + + Creates the search bar of the workflow entity of the starting entity. + +- [ Workflow Performer Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowperformernotification/index.md) + +- [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md) + +- [Clean Database Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + + Creates the job to clean old tasks and jobs instances with state InProgress. + +- [Create Access Certification Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + + Creates the AccessCertification Job. + +- [Create Agent Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode. + +- [Create Agent Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode. 
+ +- [ Create Connectors Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + + Creates all jobs by connector to launched task in the connector page. + +- [Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + + Creates for the given connector the synchronization in complete mode. + +- [Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + + Creates for the given connector the synchronization job in incremental mode. + +- [Create Initialization Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + + Creates the Initialization Job for the given agent. + +- [ Optimizations ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md) + +- [ Optimize Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + + Optimizes all elements found in the given displayTable. + +- [ Queries ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md) + +- [ Target Resource Report ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + + Creates a ReportQuery with default Query taking all the properties of the entity. 
+ +- [ Universe Data Model ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + + Creates, within a universe, entity instances and association instances based on a predefined + template. + +- [Templates](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md) + +- [Connectors Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + + Gives the permissions to manage the connector pages. + +- [ Create Administrator Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + + Creates the profile administrator and all default access control rules. + +- [ Create Update Delete Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile. + +- [ Entity Report Default ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + + Creates all configuration items to add a ReportQuery for an EntityType and profile. + +- [ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. 
+ +- [ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. + +- [ Simulation Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + + Generates the permissions to configure and launch simulations. + +- [ Update Resources Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) +- [ View Source Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile. + +- [ View Target Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile. + +- [ View Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + + Creates the view for the given entity as well as the rights for the given profile. 
+ +- [ View Template Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. + +- [ Workforce ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md) + +- [ Bootstrap Module ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) + + Generates the default settings required to start using Identity Manager and the Workforce Core + Solution module. + +- [Workforce Module](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) + + Generates the workforce repository based on the data filled in the Workforce Core Solution + module. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md 
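Review bot: Several access control scaffolding entries in the list added above are a bare link with no description, while their siblings each state which rights they generate: OpenId Client Administration Access Control Rules, Risks Administration Access Control Rules, Policy Simulation Control Rules, Role And Simulation Control Rules, Manage Accounts, Update Resources Access Control Rules and Workflow Configuration Control Rules. These scaffoldings grant permissions to a profile, so each one should carry a one-line summary of what it grants, letting a reader judge the scope before applying it. In the same list, the page names are written with escaped markers, as in `\*\*Perform Manual Provisioning\*\*` (likewise Resource Reconciliation, Provisioning Review, Role Reconciliation and Redundant Assignment), which will render as literal asterisks rather than bold. Link labels are also padded inconsistently (`[ Jobs ]` against `[Role Models]`). A few descriptions need a grammar pass, for example "Creates all jobs by connector to launched task in the connector page" and "when job finish with an error state".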
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md new file mode 100644 index 0000000000..e87b086350 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md 
@@ -0,0 +1,508 @@ +# Create Initialization Job + +Creates the Initialization Job for the given agent. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ----------------------- | ------- | -------------------------------------------------------------------------------------------------------------- | +| Agent optional | String | For job scaffoldings, identifier of the agent on which the job to be generated will be launched. | +| DisplayName_L1 optional | String | Display name of the scaffolding in language 1 (up to 16). | +| JobIdentifier optional | String | For job scaffoldings, identifier of the job to be generated. If not defined, the job identifier is calculated. | +| OldAlgorithm optional | Boolean | Internal use. | + +## Child Elements + +The list of child elements includes the following: + +- AddTask (optional) — Add a task before or after another in the job +- Configuration (optional) — Add the path of the configuration folder if a configuration task is in + the job +- FormatPropertiesInResource (optional) — Converts string properties to their corresponding types in + the 'Resource' section of the provisioning order +- NoConnectorProvisioning (optional) — Avoid provisioning for a connector +- NoConnectorSynchronization (optional) — Avoid collect for a connector +- NotUsed (optional) — Avoid collect and provisioning for a connector +- OpenIdIdentifier (optional) — Add a OpenID to the job and the tasks +- PrincipalDataConnector (optional) — Specifies the connector that contains the data for the + fulfillment of external systems. + +### AddTask + +| Property | Type | Description | +| ------------------------------ | ------- | ---------------------------------------------------------------------------------------------------------- | +| Task required | String | Identifier of the task to add. 
| +| TaskToCompareWith required | String | The identifier of the task before or after which the new task will be inserted | +| After default value: false | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | +| Before default value: false | Boolean | For the Argument AddTask the property before define the place of the task to add with the TaskCompareWith. | +| CopyOccurence default value: 0 | Int32 | For Argument AddTask, Specify the Occurence to copy and add the Task in a specify Job. | +| Occurence default value: 0 | Int32 | Occurence of the TaskToCompare after or before which the task will be added | + +### Configuration + +| Property | Type | Description | +| ------------- | ------ | ------------------------------ | +| Path required | String | Represents the argument value. | + +### NoConnectorProvisioning + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### NoConnectorSynchronization + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. 
| + +### NotUsed + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +### OpenIdIdentifier + +| Property | Type | Description | +| ------------------- | ------ | ------------------------ | +| Identifier required | String | Identifier of the OpenId | + +### PrincipalDataConnector + +| Property | Type | Description | +| ---------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectorIdentifier required | String | Identifier of the connector involved in the following arguments: `NoConnectorSynchronization`; `NoConnectorProvisioning`; `NotUsed`; `FulfillInternalWorkflowsPath`; `PrincipalDataConnector`. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + + +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +     +     +     +     +     +     +     +     +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +   +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +     +     +     +    
 +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +   +   +   +   +   +   +   +     +     +     +     +     +     +     +     +     +   +   +     +     +   +   +     +     +   +   +   +   +   + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md new file mode 100644 index 0000000000..eab16b814e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/index.md 
@@ -0,0 +1,35 @@ +# Jobs + +- [Clean Database Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/cleandatabasejob/index.md) + + Creates the job to clean old tasks and jobs instances with state InProgress. + +- [Create Access Certification Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createaccesscertificationjob/index.md) + + Creates the AccessCertification Job. + +- [Create Agent Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchrocomplete/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + Complete mode. + +- [Create Agent Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createagentsynchroincremental/index.md) + + Creates for the given agent the synchronization job of all connectors present in the agent in + incremental mode. + +- [ Create Connectors Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md) + + Creates all jobs by connector to launched task in the connector page. + +- [Create Connector Synchro Complete](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchrocomplete/index.md) + + Creates for the given connector the synchronization in complete mode. + +- [Create Connector Synchro Incremental](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsynchroincremental/index.md) + + Creates for the given connector the synchronization job in incremental mode. 
+ +- [Create Initialization Job](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createinitializationjob/index.md) + + Creates the Initialization Job for the given agent. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md new file mode 100644 index 0000000000..4cb7aa823c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/index.md @@ -0,0 +1,5 @@ +# Optimizations + +- [ Optimize Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md) + + Optimizes all elements found in the given displayTable. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md new file mode 100644 index 0000000000..c8cce78481 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/optimizations/optimizedisplaytable/index.md 
@@ -0,0 +1,45 @@ +# Optimize Display Table + +This scaffolding optimizes the given display table by replacing its tiles navigation properties by +scalar (pre-computed, via expressions) properties. This ultimately improves the performances of the +SQL queries used to fetch the data displayed in the corresponding table. + +In order to optimize the display table, this scaffolding will create the following elements if they +don't exist. + +- An [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)for each tile item that uses a + navigation binding. This will be used to hold the computed expression. +- An [ Entity Property Expression ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) to + evaluate the binding expression used by the optimizable tile item. + +Then, the scaffolding will link the display table tile elements to the newly created scalar +properties. + +This scaffolding has a downside which is that the displayed data is less dynamic than a normal +display table, since it requires computing the expression (via jobs) ahead of time. + +## Examples + +The following example optimized the DisplayTable `Directory_User` + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------- | +| DisplayTableIdentifier required | **Type** String **Description** The identifier of the display table to optimize | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
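Review bot: both code fences in this new file are empty, under "## Examples" (the `Directory_User` example) and under "## Generated XML", so the page describes the scaffolding without showing either its element or its output. Restore the XML snippets from the page this was migrated from before merging, or remove the two sections until they can be restored. Smaller points in the same hunk: "The following example optimized the DisplayTable" should read "optimizes" and end with a colon, the first bullet is missing a space in `index.md)for each tile item`, and the link texts carry padding spaces (`[ Entity Type ]`, `[ Entity Property Expression ]`).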
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md new file mode 100644 index 0000000000..f7e9a4b172 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/index.md @@ -0,0 +1,10 @@ +# Queries + +- [ Target Resource Report ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md) + + Creates a ReportQuery with default Query taking all the properties of the entity. + +- [ Universe Data Model ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md) + + Creates, within a universe, entity instances and association instances based on a predefined + template. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md new file mode 100644 index 0000000000..ee1c89cdfe --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/index.md 
@@ -0,0 +1,331 @@ +# Universe Data Model + +This scaffolding creates, within a universe, entity instances and association instances based on a +predefined template. + +The entity instances generated by the scaffolding will have: + +- as a display name, the display name of the corresponding navigation property, for example + `Main Record`; +- as an identifier, the identifier of the corresponding navigation which is made of + `_`, for example `Directory_User_MainRecord`. + +## Properties + +| Property | Details | +| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EntityType required | **Type** String **Description** Identifier of the entity type that we want to represent in the universe (as an entity instance) with all its navigations. | +| Universe required | **Type** String **Description** Identifier of the universe in which the instances to be generated are going to exist. | + +## Child Elements + +- Excluded Property (optional) to ignore a given property of the specified entity type. +- Root Instance (optional) to rename the core entity instance that is to be generated, and to avoid + data duplication when using several scaffoldings in one universe. +- Source Entity Type (optional) Define the source EntityType +- Universe Template (optional) to use a template different from the default one. + +### Excluded Property + +| Property | Details | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Property required | **Type** String **Description** Property of the specified entity type that is to be ignored for the generation of entity instances and association instances. | + +A scaffolding does not use filters, but a part of the entity model can be excluded with the +`ExcludedProperty` argument. 
+ +The following example generates a universe `U8_Users` based on the entity type `Directory_User`, +like our U1 but without the `Guests` property: + +``` + + + + + +``` + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (ExcludedProperty)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_excluded.webp) + +### Root Instance + +| Property | Details | +| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Instance required | **Type** String **Description** Identifier of the entity instance generated based on the EntityType property of the universe scaffolding. If not specified, the identifier of the entity instance is the identifier of the entity type. 
| + +The following example generates a universe `U2_UserRecords` based on the entity type +`Directory_UserRecord`, naming the entity instance `REC`: + +``` + + + + + +``` + +![Universe (RootInstance)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (RootInstance)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_rootinstance.webp) + +#### RootInstance for several scaffoldings together + +A universe can be made of several scaffoldings which need to be grouped together a specific way. One +universe made of two scaffoldings will generate the two entity instances corresponding to the two +specified entity types, with the entity and association instances corresponding to their navigation +properties. To avoid data duplication in the universe model, we use `RootInstance` to rename one of +the entity instances and follow the existing naming rule explained in the introduction. 
+ +**The following example** generates a universe `U3_UserRecords` based on the entity types +`Directory_User` and `Directory_UserRecord` (without `RootInstance`): + +``` + + + +``` + +![Universe Schema (Several Scaffoldings with Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplicationschema.webp) + +When getting Identity Manager +[data in Power BI](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), we see +the following: + +![Universe (Several Scaffoldings with Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalduplication.webp) + +We see that `Directory_User_Records` and `Directory_UserRecords` represent the same entity +instances. + +**The following example** generates a better version of the universe `U3_UserRecords` based on the +entity types `Directory_User` and `Directory_UserRecord`, renaming `Directory_UserRecord` as +`Directory_User_Records` to follow the naming rule, thus building the universe model with +`Directory_User` as the core entity instance: + +``` + + + + + +``` + +![Universe (Several Scaffoldings without Data Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplicationschema.webp) + +When getting Identity Managerdata in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Several Scaffoldings without Data 
Duplication)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_severalnoduplication.webp) + +Thus we removed the duplicated data, and we understand easily the navigations of the model. + +### Source Entity Type + +| Property | Details | +| ------------------- | ----------------------------------------------------------------- | +| Identifier optional | **Type** String **Description** The identifier's SourceEntityType | + +### Universe Template + +| Property | Details | +| ----------------- | -------------------------------------------------------------- | +| Template required | **Type** String **Description** Represents the argument value. | + +#### Default Template + +When no template is specified, the scaffolding generates: + +- an entity instance based on a given entity type; +- an association instance and an entity instance for each navigation property of the entity type. + +**The following example** generates a universe `U1_Users` based on the entity type `Directory_User`: + +``` + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User: + + + One association instance and one entity instance per navigation property: + ... 
+ + + +``` + +![Universe (No Template)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplateschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (No Template)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_notemplate.webp) + +We see here identifiers instead of display names due to `ColumnNamesMode` set to identifiers. + +#### Owned Resource Types + +The following example generates a universe `U4_User` based on the entity type `Directory_User` and +the resources assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. + + + Association instances and entity instances about the AD_Entry_NominativeUser resource type: + + + + Same for all resource types. + ... 
+ + + +``` + +![Universe (Template Schema: Owned Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedresourcetypes.webp) + +#### ResourceResourceTypes + +The following example generates a universe `U5_AD` based on the entity type `AD_Entry` and the +owners of AD resources: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedResourceTypes`. + +![Universe (Template Schema: Resource Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Resource Resource Types)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_resourceresourcetypes.webp) + +#### Owned Single Roles + +The following example generates a universe `U6_User` based on the entity type `Directory_User` and +the single roles assigned to users: + +``` + + + + + +``` + +It generates: + +``` + + + + One entity instance for the entity type Directory_User. 
+ + + One entity instance containing data about role assignments, and one association instance linking it to Directory_User: + + + One entity instance containing the single roles, and one association instance linking it to the role assignment data: + + +``` + +![Universe (Template Schema: Owned Single Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsinglerolesschema.webp) + +When getting Identity Managerdata in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Single Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedsingleroles.webp) + +#### Owned Composite Roles + +The following example generates a universe `U7_User` based on the entity type `Directory_User` and +the composite roles assigned to users: + +``` + + + + + +``` + +The configuration generated by this snippet is similar to the one for `OwnedSingleRoles`. 
+ +![Universe (Template Schema: Owned Composite Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositerolesschema.webp) + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Template: Owned Composite Roles)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_ownedcompositeroles.webp) + +## Mixed Example + +Scaffoldings can be adjusted with +[universe configuration](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md). + +The following example generates a universe `U9_AccessControl` aiming to create reports displaying +users and their profiles. In our situation, profiles are assigned to AD accounts based on a given +context. This is why we base our universe on the entity types `AD_Entry`, `AssignedProfile` and +`ProfileContext`. Plus, there are 10 dimensions in contexts, but only dimensions 0 and 1 are used, +so we exclude the others. We exclude also resource types and single roles that are of no use for us +here. + +``` + + + +``` + +When getting Identity Manager data in +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md), +we see the following: + +![Universe (Mixed Example)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/universedatamodel/universe_mixedexample.webp) 
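Review bot: the example fences in the new universedatamodel/index.md are empty or hold only their explanatory comment lines (for instance the `U8_Users`, `U2_UserRecords`, `U3_UserRecords` and `U9_AccessControl` examples and the "It generates:" blocks), so none of the scaffolding XML the text refers to is actually shown. Restore the snippets before merging. The identifier rule in the introduction has also lost its placeholders: "which is made of `_`" no longer says what sits on either side of the underscore, although the example `Directory_User_MainRecord` depends on it. Under "### Root Instance" the same image, universe_rootinstance.webp, is used both before and after the "When getting Identity Manager data" sentence, whereas the other sections pair a separate `...schema.webp` image with the Power BI view. "Identity Managerdata" is missing a space in two places ("RootInstance for several scaffoldings together" and "Owned Single Roles").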
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md new file mode 100644 index 0000000000..fa52b12cc6 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md 
@@ -0,0 +1,52 @@ +# Connectors Access Control Rules + +Gives the permissions to manage the connector pages. + +Generates the permissions to access the connectors pages, the policies page, the access roles page, +the access rules page and the job execution page. + +Gives access to shortcuts on the dashboard to access these pages. + +![Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +The scaffolding generates the following scaffoldings: + +- [ Connector Resource Type Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): Scaffolding to generate + a set of rights to view all JobInstances, TaskInstances and logs. +- [ ResourceTypeMappingControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [ Role Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. 
+- [ RunJobRepairAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [ TaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md new file mode 100644 index 0000000000..dfe81c8d76 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md 
@@ -0,0 +1,128 @@ +# Create Administrator Profile + +This scaffolding creates the administrator profile with a predefined set of rights. + +To create the rights for this profile, a scaffolding list is launched inside the creation of the +administrator profile. + +The scaffolding generates the following scaffoldings: + +- [ Access Review Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/accessreviews/accessreviewadministrationaccesscontrolrules/index.md): + Generates the permissions to administrate campaign creation. +- [ Assign Profile Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/assignprofileaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update, delete and query any assigned profile. +- [ Basket Rules Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/basketrulescontrolrules/index.md): + Generates the permissions to execute the different requests to display the information in the + rights basket. +- [ Connector Resource Type Access Control ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/connectorresourcetypeaccesscontrol/index.md): + Gives the rights to create and update resource types, generate provisioning orders and fulfill + from the connector screen. +- [Connectors Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md): Gives the permissions + to manage the connector pages. 
+- [ Create Connectors Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/jobs/createconnectorsjobs/index.md): Creates all jobs by + connector to launched task in the connector page. +- [ Create Resource Incremental Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/createresourceincrementalaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the resources + modified incrementally +- [ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md): Assigns a set + of rights to a given profile to execute any job, and view all job instances, task instances and + logs. +- [ Manage Accounts ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/userinterfaces/manageaccounts/index.md): +- [ Manage Setting Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/managesettingaccesscontrolrule/index.md): + Generates the access control rule which gives to a profile the permission to query, create, update + and delete settings from the UM_Settings table. +- [ MonitoringAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/monitoring/monitoringadministrationaccesscontrolrules/index.md): + Generates the access control rule which gives to a profile the permission to query the monitoring + screen. 
+- [ Perform Manual Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/performmanualprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the manual provisioning pages for a given entity type and + profile. +- [ Profile Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/profiles/profileadministrationaccesscontrolrules/index.md): + Gives to a given profile the rights to create, update and delete profiles. +- [ ProvisioningAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/provisioningaccesscontrolrules/index.md): + Generates the execution rights for Provisioning and Fulfillment tasks for a given profile. +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the resource reconciliation pages for a given entity type and + profile. +- [ Reconciliate Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reconciliaterolesaccesscontrolrules/index.md): + Generates the permissions to access the role reconciliation pages for a given entity type and + profile. 
+- [ Redundant Assignment Access Control Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/redundantassignmentaccesscontrolrule/index.md): + Generates the permissions to access the **Redundant Assignment** page, to analyze and remove + redundant assignments. +- [ Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [ Resource Api Administration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourceapiadministration/index.md): + Generates the permissions to create/update/delete/query resources from a given entity type, for a + given profile. +- [ Resource Picker Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/resourcepickercontrolrules/index.md): + Creates the reading right of the resource picker. +- [ ResourceTypeMappingControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcetypemappingcontrolrules/index.md): + Generate rights to launch agent fulfillment. +- [ Review Provisioning Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewprovisioningaccesscontrolrules/index.md): + Generates the permissions to access the provisioning review pages for a given entity type and + profile. 
+- [ Review Roles Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/reviewrolesaccesscontrolrules/index.md): + Generates the permissions to access the role review pages for a given entity type and profile. +- [ Risks Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/risksadministrationaccesscontrolrules/index.md): +- [ Role Administration Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/roleadministrationaccesscontrolrules/index.md): + Generates the permissions to access the configuration pages and create, update, delete the + elements of the role model. +- [ Role Naming Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/rolemodels/rolenamingaccesscontrolrules/index.md): + Generates the permissions to configure and launch the automatic creation of roles and rules based + on naming conventions. +- [ Settings Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/connectors/settingsaccesscontrolrules/index.md): + Generates the permissions to configure the Workforce Core Solution module and connector settings. +- [ Simulation Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md): Generates the + permissions to configure and launch simulations. 
+- [ SynchronizationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/synchronizationaccesscontrolrules/index.md): + Generates rights to launch synchronization task. +- [ TaskAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/taskadministrationaccesscontrolrules/index.md): + Generates all rights to have the access to job administration page. +- [ Universe Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/universeaccesscontrolrules/index.md): + Generates an access control rule which gives a profile the permission to access the query page and + run queries. +- [ View History Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewhistoryresourcetemplate/index.md): + Generates an access control rule giving to the specified profile the permission to browse the + resources history of the specified entity type. +- [ Workflow Configuration Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowconfigurationcontrolrules/index.md): +- [ WorkflowFulfillmentControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/workflowfulfillmentcontrolrules/index.md): + Generates the execution rights to launch Fulfillment workflow for a given profile. 
+- [ Workflow Overview Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowoverviewcontrolrules/index.md): + Generates the permissions to access the workflow supervision page. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | + +## Child Elements + +- Display Name Profile (optional) defines a display name for the administrator profile for a given + language. + +### Display Name Profile + +| Property | Details | +| -------------------- | ------------------------------------------------------------------------------------ | +| DisplayName required | **Type** String **Description** Display name of the profile in the related language. | +| Identifier required | **Type** String **Description** Code of the language for the display name. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md new file mode 100644 index 0000000000..47a065bfd0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md 
@@ -0,0 +1,48 @@ +# Create Update Delete Template + +Creates the three types of workflow for the given entity as well as the execution rights for the +given profile. + +The scaffolding generates the following scaffoldings: + +- [ Create Update Delete Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/createupdatedeleteaccesscontrolrules/index.md): + Generates execution rights for the create, update, delete workflows. +- [ Create Update Delete Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeletemenus/index.md): + Creates creation, update and delete menus for an entity. +- [ Create Update Delete Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/createupdatedeleteworkflows/index.md): +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ Entity Type Search Bar ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypesearchbar/index.md): Creates + the search bar for the entity without criteria. 
+- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [ Workflow Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): Creates an + entity that will be the source of all workflows that manipulate the given entity. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md new file mode 100644 index 0000000000..65f7f33e04 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md 
@@ -0,0 +1,21 @@ +# Entity Report Default + +Creates all configuration items to add a ReportQuery for an EntityType and profile. + +The scaffolding generates the following scaffoldings: + +- [ Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/reportaccesscontrolrules/index.md): + Generates the permissions to access the report view. +- [ Target Resource Report ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): Creates a ReportQuery + with default Query taking all the properties of the entity. +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [ Target Resource Report Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType required | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | 
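Review bot: in createadministratorprofile/index.md, the scaffolding list has two consecutive "Reconciliate Roles Access Control Rules" entries that link to the same rolemodels/reconciliaterolesaccesscontrolrules/index.md page, yet the first is described as granting access to the resource reconciliation pages and the second to the role reconciliation pages. The first entry looks like it carries the wrong title and link; it should name and link the scaffolding that covers resource reconciliation. The "Manage Accounts", "Risks Administration Access Control Rules" and "Workflow Configuration Control Rules" entries also end in a colon with no description, so a reader auditing what the administrator profile is granted cannot tell what those three add.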
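Review bot: entityreportdefault/index.md goes from the scaffolding list straight to Properties, with no Examples or Generated XML section, unlike the other template pages added in this patch. Both `EntityType` and `Profile` are marked required, so a minimal example that sets the two, followed by the report and access control configuration it generates for that profile, would let a reader see what rights the template hands out without opening the four linked pages.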
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md new file mode 100644 index 0000000000..26e2c56a1d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/index.md 
@@ -0,0 +1,51 @@ +# Templates + +- [Connectors Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/connectorsaccesscontrolrules/index.md) + + Gives the permissions to manage the connector pages. + +- [ Create Administrator Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createadministratorprofile/index.md) + + Creates the profile administrator and all default access control rules. + +- [ Create Update Delete Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/createupdatedeletetemplate/index.md) + + Creates the three types of workflow for the given entity as well as the execution rights for the + given profile. + +- [ Entity Report Default ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/entityreportdefault/index.md) + + Creates all configuration items to add a ReportQuery for an EntityType and profile. + +- [ Job Execution Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md) + + Assigns a set of rights to a given profile to execute any job, and view all job instances, task + instances and logs. + +- [ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md) + + Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. 
+ +- [ Simulation Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md) + + Generates the permissions to configure and launch simulations. + +- [ Update Resources Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md) +- [ View Source Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md) + + Creates the display table, fills in the internal display name of the entity, and gives the + rights to see the permissions and sources of the entity for a given profile. + +- [ View Target Resource Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md) + + Creates the entity view (designElement = resourceTable), the report and the rights for a given + profile. + +- [ View Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md) + + Creates the view for the given entity as well as the rights for the given profile. + +- [ View Template Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md) + + Implements a default display name for the resources of a given entity type, displays the + resources in an adaptable table, and give the permissions to view the resources. 
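Review bot: in templates/index.md, the "Update Resources Template" entry has no description and no blank line after it, so it runs directly into "View Source Resource Template" and is the only template in this index without a summary. Add a one-line description and the blank line the other entries have. Also, "Creates the profile administrator and all default access control rules" should say "administrator profile" to match the linked page's own wording, and "give the permissions" in the View Template Adaptable entry should be "gives".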
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md new file mode 100644 index 0000000000..69235b5955 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobexecutionaccesscontrolrules/index.md 
@@ -0,0 +1,45 @@ +# Job Execution Access Control Rules + +This scaffolding assigns a set of rights to a given profile to execute any job, and view all job +instances, task instances and logs. + +The scaffolding generates the following scaffoldings: + +- [ Job View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md): Scaffolding to generate + a set of rights to view all JobInstances, TaskInstances and logs. +- [ RunJobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobadministrationaccesscontrolrules/index.md): + Generates the permissions to launch jobs from UI for a given profile. +- [ RunJobNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobnotificationaccesscontrolrules/index.md): + Generates access control to send notification when job finish with an error state. +- [ RunJobRepairAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairadministrationaccesscontrolrules/index.md): + Generates the permissions to launch from UI jobs that are in state blocked after a Provisioning or + a synchronization for a given profile. +- [ RunJobRepairNotificationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/runjobrepairnotificationaccesscontrolrules/index.md): + Generates access control to send notification when a relaunch job finish with an error state. 
+ +## Examples + +The following example assigns to the `Administrator` profile the rights to execute all jobs and view +job instances, task instances and logs: + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md new file mode 100644 index 0000000000..9cfce93272 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/jobviewaccesscontrolrules/index.md 
@@ -0,0 +1,33 @@ +# Job View Access Control Rules + +Scaffolding to generate a set of rights to view all JobInstances, TaskInstances and logs. This +Scaffolding performs a set of scaffolding rights for Jobs and Tasks. + +The scaffolding generates the following scaffoldings: + +- [ GetJobLogAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/getjoblogadministrationaccesscontrolrules/index.md): + Generates the permissions to read task and job instances logs in UI for a given profile. +- [ JobAdministrationAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/jobadministrationaccesscontrolrules/index.md): + Scaffolding to access the job administration page. +- [ PendingAssignedResourceTypesAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/pendingassignedresourcetypesaccesscontrolrules/index.md): + Generates the access control rules which give to a profile the permissions to call the API Pending + AssignedResourceTypes. +- [ ResourceChangesViewAccessControlRules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/jobs/resourcechangesviewaccesscontrolrules/index.md): + Generates the access control rules which gives to a profile the permissions to call the API + ResourceChange, ResourceFileChange and ResourceLinkChange. + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. 
| + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md new file mode 100644 index 0000000000..3e6e2c3dcd --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/simulationaccesscontrolrules/index.md @@ -0,0 +1,35 @@ +# Simulation Access Control Rules + +This scaffolding generates the rights to configure and launch simulations. + +It also gives access to a shortcut on the dashboard allowing to enter the simulation screen. Through +this screen, simulations can be launched and results can be visualized. + +The scaffolding generates the following scaffoldings: + +- [Policy Simulation Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/policysimulationcontrolrules/index.md): +- [ Role And Simulation Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/simulations/roleandsimulationcontrolrules/index.md): + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------- | -------------------------------------------------------------------------------------- | +| Profile required | **Type** String **Description** Identifier of the profile involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
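Review bot: jobviewaccesscontrolrules/index.md has a Generated XML section that opens with "Our example generates the following configuration:", but the page has no Examples section, so there is no example for that sentence to refer to, and the fenced block under it contains only blank lines. Either add an example for a profile along with the access control rules it generates, or drop the section. The opening line "This Scaffolding performs a set of scaffolding rights for Jobs and Tasks" is also hard to parse; "generates a set of rights" would match the rest of the page.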
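Review bot: in simulationaccesscontrolrules/index.md, both entries in the generated-scaffoldings list ("Policy Simulation Control Rules" and "Role And Simulation Control Rules") end in a colon with nothing after it, so the page never says which rights each one grants to the profile. Add the one-line descriptions that the other lists in this patch carry. The fenced blocks under Examples and Generated XML contain only blank lines, so the `Profile` property is never shown in use, and "allowing to enter the simulation screen" would read better as "that opens the simulation screen".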
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md new file mode 100644 index 0000000000..03dd7010eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/updateresourcestemplate/index.md 
@@ -0,0 +1,41 @@ +# Update Resources Template + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ Update Resources Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/updateresourcesaccesscontrolrules/index.md): +- [ Update Resources Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesmenus/index.md): +- [ Update Resources Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/updateresourcesworkflows/index.md): +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. +- [ Workflow Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/workflows/workflowentitytype/index.md): Creates an + entity that will be the source of all workflows that manipulate the given entity. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewsourceresourcetemplate/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md new file mode 100644 index 0000000000..c84bc5a755 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtargetresourcetemplate/index.md 
@@ -0,0 +1,45 @@ +# View Target Resource Template + +Creates the entity view (designElement = resourceTable), the report and the rights for a given +profile. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Target Resource Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytargetresourcetable/index.md): + Creates a displaytable for the given entity. +- [ Target Resource Report ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/queries/targetresourcereport/index.md): Creates a ReportQuery + with default Query taking all the properties of the entity. +- [ Target Resource Report Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/queries/targetresourcereportaccesscontrolrules/index.md): + Generates the permissions to apply a report for a profile on a given entity. +- [ Target Resource Report Menus ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/targetresourcereportmenus/index.md): + Creates the Item menu for the entity's report so that it is displayed in the report view. +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. 
+ +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md new file mode 100644 index 0000000000..3fa8ec1139 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md 
@@ -0,0 +1,42 @@ +# View Template + +Creates the view for the given entity as well as the rights for the given profile. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytable/index.md): + Creates a display table for the given entity. +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in a table, and gives to the +`Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
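Review bot: In the Properties table of viewtemplate/index.md, `EntityType` and `Profile` are both marked optional, yet the summary line says the scaffolding creates the view "for the given entity" and the rights "for the given profile". Since this template generates View Access Control Rules, the page should state what is generated when `Profile` or `EntityType` is omitted, or mark them required if that is the real behaviour. The first column also fuses the property name with its requirement ("EntityType optional") and the Details cell inlines "**Type** String **Description** ..."; separate Property, Type and Description columns would be easier to scan. As shown here, the fenced blocks under Examples and Generated XML hold only blank lines, so please confirm the XML for the `Directory_PresenceState` / `Administrator` example is present in the committed file.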
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md new file mode 100644 index 0000000000..6c4de08170 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md 
@@ -0,0 +1,43 @@ +# View Template Adaptable + +Implements a default display name for the resources of a given entity type, displays the resources +in an adaptable table, and give the permissions to view the resources. + +The scaffolding generates the following scaffoldings: + +- [ Entity Type Display Name ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplayname/index.md): + Computes a default value for resources' internal display names. +- [ Entity Type Display Table Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/entitytypes/entitytypes/entitytypedisplaytableadaptable/index.md): + Creates an adaptable display table for a given entity type. +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md): + Generates the permissions to view an entity type's resources. + +## Examples + +The following example implements a default display name for resources from the +`Directory_PresenceState` entity type, displays the resources in an adaptable table, and gives to +the `Administrator` profile the permissions to view the resources. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------- | ------------------------------------------------------------------------------------------ | +| EntityType optional | **Type** String **Description** Identifier of the entity type involved in the scaffolding. | +| Profile optional | **Type** String **Description** Identifier of the profile involved in the scaffolding. | +| Property optional | **Type** String **Description** Identifier of the property involved in the scaffolding. | + +## Generated XML + +Our example generates the following configuration: + +``` + + + +``` 
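Review bot: The summary sentence of viewtemplateadaptable/index.md ends with "and give the permissions to view the resources"; the verb should be "gives" to agree with "Implements" and "displays", and the sentence does not say who receives the permissions. The example paragraph names the `Administrator` profile, so wording such as "gives a given profile the permissions to view the resources" would match it. The Properties table lists `Profile` as optional without saying which profile, if any, is granted view permissions when it is left out; a sentence on that default would help anyone reviewing the resulting access rights.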
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md new file mode 100644 index 0000000000..a78442af82 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/index.md @@ -0,0 +1,6 @@ +# Workforce + +- [ Bootstrap Module ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/bootstrapmodule/index.md) Generates the default settings required to start + using Identity Manager and the Workforce Core Solution module.- + [Workforce Module](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md) Generates the workforce repository based on the data + filled in the Workforce Core Solution module. 
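Review bot: In the new workforce/index.md, the second list item has lost its bullet: the first item ends with "Workforce Core Solution module.-" and the next line starts directly with "[Workforce Module](...)", so Markdown will render both entries as one item with a stray hyphen. Move the "-" to the start of the "[Workforce Module]" line. The two link labels are also inconsistent ("[ Bootstrap Module ]" with padding spaces, "[Workforce Module]" without), and neither link is separated from its description by a colon or dash, unlike the "link: description" form used in the template pages of this patch.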
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md new file mode 100644 index 0000000000..90350eb46d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/workforce/workforcemodule/index.md 
@@ -0,0 +1,6262 @@ +# Workforce Module + +Generates the workforce repository based on the data filled in the Workforce Core Solution module. + +## Examples + +The following example generates the Workforce module in the application: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| IsEnabled default value: true | Boolean | True to enable the Worforce module. If set to false, Identity Manager deletes all existing items computed by the Workforce Core Solution module. 
| + +## Child Elements + +Here is a list of child elements: + +- CompositeProfile (optional) – Defines the users profiles +- EmailGeneration (optional) – Defines the email generation policy +- HomonymEntityLinkOptions (optional) – Updates/Modifies the HomonymEntityLink of the + Directory_UserRecord entity of the workforce configuration +- LoginGeneration (optional) – Defines the login generation policy +- ModelUsage (optional) – Defines the entity types/properties that must be ignored from the model + and customize the pickers for the kept ones +- NewExternalWorkflow (optional) – Enable/disable the review step for the new external workflow +- NewInternalWorkflow (optional) – Enable/disable the review step for the new internal workflow +- UniqueIdentifierGeneration (optional) – Defines the unique identifier generation policy + +### CompositeProfile + +| Property | Type | Description | +| ----------------------------- | ------ | ---------------------------------------------------------- | +| AreaOfResponsibility required | String | Represents the argument value. | +| ProfileDisplayName required | String | Generic column used to store information for internal use. | +| ProfileIdentifier required | String | Generic column used to store information for internal use. | +| TargetProfile required | String | Generic column used to store information for internal use. | + +### EmailGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Domain optional | String | Generic column used to store information for internal use. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). 
| + +### HomonymEntityLinkOptions + +| Property | Type | Description | +| ----------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ActivatePhoneticComparison default value: false | Boolean | Adds 3 filters in the HomonymEntityLink comparing the first and last names (current workflow) to the phonetic properties corresponding to the first and last names (existing records). | +| DisableBirthNameComparison default value: false | Boolean | Deletes the filter in the HomonymEntityLink comparing the last name (current workflow) with the birth name (existing records). | +| DisableInversion default value: false | Boolean | Deletes the filters in the HomonymEntityLink comparing the first name (current workflow) with the last name (existing records) and the last name (current workflow) with the first name (existing records). | + +### LoginGeneration + +| Property | Type | Description | +| ------------------ | ------ | ---------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| MaxLength optional | Int32 | Generic column used to store information for internal use. | +| Prefix optional | String | Generic column used to store information for internal use. | + +### ModelUsage + +| Property | Type | Description | +| -------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Generic column used to store information for internal use. | +| Count optional | Int32 | Generic column used to store information for internal use. | +| ForcedCount optional | Int32 | Number of entries for a given entity or entity's property in the workforce data model. 
The `ForcedCount` value overwrites the count computed by Identity Manager. | + +### NewExternalWorkflow + +| Property | Type | Description | +| ------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: false | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### NewInternalWorkflow + +| Property | Type | Description | +| ------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------- | +| IsReviewRequired default value: true | Boolean | For the Argument AddTask the property after define the place of the task to add with the TaskCompareWith. | + +### UniqueIdentifierGeneration + +| Property | Type | Description | +| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Strategy required | String | Represents the argument value. | +| Max optional | Int32 | Upper limit of the range used for the generation of unique identifiers. | +| Min optional | Int32 | Lower limit of the range used for the generation of unique identifiers. | +| NameSeparator optional | String | Character used to separate users' names and first names in their generated emails and logins (in the Workforce Core Solution module). | +| Prefix optional | String | Prefix used for the generation of unique identifiers. | + +## Generated XML + +Our example generates the following configuration: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     +     +     +     +     +     +     + +     +     +     +     +     +     + + +     +     +     +     +     + +     +     +     +     +     +     + +     +     +     +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     + + +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     + + + +     +     +     +     +     +     +     + + + + + +     + + +     +     +     +     +     + + +     +     + + +     +     + + +     +     + + + + +     + + +     +     +     + + +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     + + +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     + + +     +     + + +
+ +     +     +     +     +     +     +     +     +     + + + + + + + + + + +     +     +     +     + + +     + + + + + + + + + + +     +     +     +     + + +     +     +     +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + +
+ + +
+ +     +     +         +         +     +     +     +     +     +     +     +     +     +     + + +
+ +   +     +       +       +     +   +   +   +   +   +     +     +   +   +   +     +   + + +
+ +   + + +
+ +     +     +     +     +     +     +     +     + + +
+ + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + + + +
+ + +     +     +     +     +     + + + + + + + + + + +
+ + +     +     +     +     +     + + + +
+ +     +     +     + + + + + + + + + + + + + + + + + + + +
+ +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +     +     +     +     +     +     +     +     + + +
+ + +
+ + + + + + + + + + + + + + + + + + + +     + + + + + + +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0) +{ +result += iteration.ToString(); +} +result = result + (record.UserType?.EmailSuffix ?? string.Empty) + '@' + (record.Subsidiary?.EmailDomain ?? 
"acme.com"); +return result;" IterationsCount="10"> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_ReservedEmail" TargetExpression="C#:reservedEmail: +if (string.IsNullOrEmpty(reservedEmail.Value)) +{ +return null; +} +var result = reservedEmail.Value; +var index = result.IndexOf('@'); +if(index >=0) +{ +result = result.Substring(0, index); +} +return result;" /> + 0) +{ +result += iteration.ToString(); +} +return result;" TargetEntityType="Directory_UserRecord" TargetExpression="C#:record: +if (string.IsNullOrEmpty(record.Email)) +{ +return null; +} +var result = record.Email; +/*Delete Domain*/ +var index = result.IndexOf('@'); +if(index >= 0) +{ +result = result.Substring(0, index); +} +var resources = queryHandler.Select("select EmailSuffix"); +foreach (var resource in resources.Where(r => r != null && r.EmailSuffix != null).OrderByDescending(r => r.EmailSuffix!.Length)) +{ +var foundIndex = result.IndexOf(resource.EmailSuffix!); +if (foundIndex >= 0) +{ +    result = result.Substring(0, foundIndex); +    break; +} +} +return result;" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                An update user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.MainRecord.FirstName @Model.MainRecord.LastName
User Type@Model.MainRecord.UserType.DisplayName
Contract Start Date@Model.MainRecord.ContractStartDate
Contract End Date@Model.MainRecord.ContractEndDate
Department@Model.MainRecord.Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ +
+ + +  + +    
+     +     +     +         +         +         +         +         +    
+             +             +                 +             +            
+                

Hello,

+                A new user request needs your attention. +                 +                     +                     +                     +                     +                     +                     +                     +
Summary
Date@System.DateTime.Now.ToLocalTime().ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)
Full Name@Model.Records.First().FirstName @Model.Records.First().LastName
User Type@Model.Records.First().UserType.DisplayName
Contract Start Date@Model.Records.First().ContractStartDate
Contract End Date@Model.Records.First().ContractEndDate
Department@Model.Records.First().Organization.DisplayName
+                @Html.MessageBody(new { style = "box-sizing: border-box; color: #74787E; font-family: sans-serif, 'Helvetica Neue', Helvetica, sans-serif;" }) +                
+        
+     +     +     +     +    
+ +  + + +" CssFile="@media only screen and (max-width: 620px) { +table[class=body] h1 { +    font-size: 28px !important; +    margin-bottom: 10px !important; +} +table[class=body] p, +table[class=body] ul, +table[class=body] ol, +table[class=body] td, +table[class=body] span, +table[class=body] a { +    font-size: 16px !important; +} +table[class=body] .wrapper, +table[class=body] .article { +    padding: 10px !important; +} +table[class=body] .content { +    padding: 0 !important; +} +table[class=body] .container { +    padding: 0 !important; +    width: 100% !important; +} +table[class=body] .main { +    border-left-width: 0 !important; +    border-radius: 0 !important; +    border-right-width: 0 !important; +} +table[class=body] .btn table { +    width: 100% !important; +} +table[class=body] .btn a { +    width: 100% !important; +} +table[class=body] .img-responsive { +    height: auto !important; +    max-width: 100% !important; +    width: auto !important; +} +} +/* ------------------------------------- +PRESERVE THESE STYLES IN THE HEAD +------------------------------------- */ +@media all { +.ExternalClass { +    width: 100%; +} +    .ExternalClass, +    .ExternalClass p, +    .ExternalClass span, +    .ExternalClass font, +    .ExternalClass td, +    .ExternalClass div { +        line-height: 100%; +    } +.apple-link a { +    color: inherit !important; +    font-family: inherit !important; +    font-size: inherit !important; +    font-weight: inherit !important; +    line-height: inherit !important; +    text-decoration: none !important; +} +.btn-primary table td:hover { +    background-color: #34495e !important; +} +.btn-primary a:hover { +    background-color: #34495e !important; +    border-color: #34495e !important; +} +} +body { +background-color: #f6f6f6; +font-family: sans-serif; +-webkit-font-smoothing: antialiased; +font-size: 14px; +line-height: 1.4; +margin: 0; +padding: 0; +-ms-text-size-adjust: 100%; +-webkit-text-size-adjust: 100%; +} +"> + 
+ + +
+ + +"2022-05-31T00:00:00Z"))" ReturnedEntityType="Directory_UserRecord" /> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/agent/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md new file mode 100644 index 0000000000..0d87fca3c4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md 
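Review bot: in both notification templates (the "An update user request needs your attention" and "A new user request needs your attention" bodies) the Date row is formatted with `ToString("dd/MM/yyyy hh:mm", System.Globalization.CultureInfo.InvariantCulture)`. `hh` is the 12-hour specifier and the pattern has no `tt` designator, so a request raised at 15:05 and one raised at 03:05 render identically in the email. Suggest `HH:mm`, or adding `tt`. The value is also `DateTime.Now.ToLocalTime()` on the server, so a short mention of the time zone in the row label would help approvers in other regions. Separately, the templates dereference `Model.MainRecord.UserType.DisplayName` and `Model.MainRecord.Organization.DisplayName` without a guard, while the email expression earlier in this same example uses `record.UserType?.EmailSuffix` and `record.Subsidiary?.EmailDomain`; if those navigations can be empty there, the template should probably handle that too.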
@@ -0,0 +1,146 @@ +# Connection + +A connection represents a link between a [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) and a connection +package. + +## Examples + +The following example creates a connection for the previously created connector `AD`, using the +package `Usercube.AD@0000001` with only the export task and not the fulfill task. + +``` + + + +``` + +We will need to configure the connection settings in the `appsettings.agent.json` file, by adding a +`ADExportFulfillment` part in the `Connections` section, for example: + +``` +appsettings.agent.json +{ + ... + "Connections": { + ... + "ADExportFulfillment": { + "Servers": [ + { + "Server": "contoso.server.com", + "BaseDN": "DC=contoso,DC=com" + } + ], + "AuthType": "Basic", + "Login": "Contoso", + "Password": "ContOso$123456789", + "Filter": "(objectclass=*)", + "EnableSSL": "true" + }, + ... + } +} +``` + +Details about these settings can be found in Identity Manager's +[References: Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/index.md). + +## Properties + +| Property | Details | +| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connector required | **Type** Int64 **Description** Identifier of the linked connector. **Note:** a connection can be used by one and only one connector. | +| DeactivationExportFulfill default value: 0 | **Type** DeactivationExportFulfill **Description** For a connection having a package which implements both export and fulfill, this option can deactivate either the export or the fulfill part. 
`0` - **None**: keeps both parts. `1` - **Export**: deactivates export. `2` - **Fulfill**: deactivates fulfill. | +| DisplayName_L1 required | **Type** String **Description** Display name of the connection in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the connection. It must start with a letter followed by up to 441 characters, chosen from the following set: point, dash, letter, or number. **Warning:** identifiers are case insensitive, for example the identifiers `adexport` and `ADEXPORT` cannot exist simultaneously. | +| Package required | **Type** Enumeration **Description** Identifier of the linked connection package which defines the connection's capabilities and technologies to export and/or fulfill data. | + +## Child Element: Transformation + +A connection transformation is optional, but can be needed to adjust the Excel files, output of +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) from Excel export connections, before +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). The +following operations are possible: + +- filtering out given rows; +- adding/removing days from specific date properties; +- merging columns together. + +### Examples + +#### Edit dates + +The following example sets all users' end dates to the end of the day instead of the morning. This +way, the end dates of users' permissions will be managed more easily. + +Technically speaking, Identity Manager implements a sort of extra-task between the export and +prepare-synchronization tasks of HR synchronization. 
The CSV files produced by the export task of +the connection `Directory` are to be transformed: Identity Manager will add 1 day to all dates +between 1900 and 2100, contained in the `ContractEndDate`, `PositionEndDate` and `EndDate` columns +of the `Directory_UserRecord` table. + +This date edition goes the other way around when loading data back to your systems: if Identity +Manager adds a few days when synchronizing, then it removes the same few days when using the +synchronized data. + +``` + + + + + +``` + +#### Filter out rows + +The following example filters the CSV files produced by the export of the `Directory` connection, in +order to keep only German sites, i.e. the rows where `Identifier` starts with `DE_`. + +``` + + + + + +``` + +#### Merge columns together + +Consider the situation where users' organizations are defined in 4 levels. + +The following example merges the `Company`, `Subsidiary`, `Department` and `Team` columns of the +`Directory_UserRecord` table, output of the export of the `Directory` connection, in order to +concatenate the 4 properties into a single `FullOrganization` property. + +Setting `RemoveEmpty` to `true` means that rather than having an organization such as +`Contoso//HR/Payroll`, we will have `Contoso/HR/Payroll`. + +Setting `RemoveDuplicates` to `true` means that rather than having an organization such as +`Contoso/Contoso/HR/Payroll`, we will have `Contoso/HR/Payroll`. 
+ +``` + + + + + +``` + +### Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedDays optional | **Type** Float **Description** Number of days to add to the date column to be transformed, specified in `Column`, when the transformation type is `TransformDate`. The value can be negative, for example `-0.5` removes 12 hours from the date. | +| Column optional | **Type** String **Description** Column (case-sensitive) used as input of the filtering and the date editing transformations, and as output of the merging transformation. When defining an output, `Column` can be an existing column or a column to be created. | +| ConcatSeparator optional | **Type** String **Description** Separator used between the concatenated values, when the transformation type is `ConcatColumns`. | +| DatePattern optional | **Type** String **Description** Format of the transformed dates to be stored when the original object is not a date, when the transformation type is `TransformDate`. **Note:** for example we could need this property when using CSV files which store everything as strings, including dates. 
| +| InputColumn optional | **Type** String **Description** Column (case-sensitive) used as input when the transformation type is `TransformDate`, and as part of the input when the transformation type is `ConcatColumns`. **Note:** required for `ConcatColumns`. **Note:** when not specified for `TransformDate`, `Column` is used as input. | +| InputColumn2 optional | **Type** String **Description** Second (up to fifth) input column (case-sensitive) when the transformation type is `ConcatColumns`. | +| MaxYear optional | **Type** Int32 **Description** Year after which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| MinYear optional | **Type** Int32 **Description** Year before which the date contained in the input of the transformation of type `TransformDate` is ignored by the transformation. | +| RemoveDuplicates optional | **Type** Boolean **Description** `true` to keep only one of two identical and successive values, when the transformation type is `ConcatColumns`. | +| RemoveEmpty optional | **Type** Boolean **Description** `true` to ignore empty values, when the transformation type is `ConcatColumns`. | +| SortValues optional | **Type** Boolean **Description** `true` to sort the concatenated values by alphabetical order, when the transformation type is `ConcatColumns`. **Note:** concatenated values are sorted after duplicates are removed, when relevant. | +| Table optional | **Type** String **Description** Table on which the transformation is to be applied. **Note:** must be of the format `_` (case-sensitive). | +| Type required | **Type** ConnectionTransformationType **Description** Type of the transformation: **ConcatColumns**: concatenates `InputColumn` columns into `Column` with a separator defined in `ConcatSeparator`, potentially with additional transformation options among `RemoveDuplicates`, `RemoveEmpty`, `SortValues`. 
**TransformDate**: adds or removes a given number of days defined in `AddedDays` to/from the date stored in `InputColumn` or `Column`, only for dates between `MinYear` and `MaxYear`, in order to be stored in `Column` in the format defined by `DatePattern`. **WhereValue**: filters the rows based on a comparison with the `WhereOperator` and `WhereValue` arguments. | +| WhereOperator optional | **Type** ConnectionTransformationWhereValueOperator **Description** Operator of the comparison that filters out rows from the CSV file(s), when the transformation type is `WhereValue`: `Equals`; `NotEquals`; `Contains`; `CotContains`; `StartsWith`; `EndsWith`; `Regex`. | +| WhereValue optional | **Type** String **Description** Value (case-sensitive) that the content of `Column` will be compared to, when the transformation type is `WhereValue`. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md new file mode 100644 index 0000000000..99c309031f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md 
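Review bot: the `appsettings.agent.json` sample in the Connection page shows a realistic-looking secret, `"Password": "ContOso$123456789"`, next to `"AuthType": "Basic"` and `"Login": "Contoso"`, with no remark about how the value should be stored. Readers copy these blocks verbatim, so please replace the value with an obvious placeholder and add a sentence stating that the password should not be left in clear text in this file, linking to the product's own guidance on protecting agent settings if such a topic exists. Two smaller points in the Transformation properties table: the `WhereOperator` list contains `CotContains`, which looks like a typo given the `Equals`/`NotEquals` pair just before it, so please check it against the enumeration; and the "Edit dates" section refers to "This date edition", which should read "date editing" to match the wording used in the `Column` description.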
@@ -0,0 +1,70 @@ +# Connector + +Connectors provide the means by which Identity Manager communicates with managed platforms, +applications and systems. They describe how the data from these systems are mapped to the +[Entity Model](/docs/identitymanager/saas/identitymanager/integration-guide/entity-model/index.md). + +A connector in most case represents an application model. It is composed of entities and +associations. + +> For example we can define an HR connector, with the following entities: Person, Department, +> Function, Location, etc. and with the following associations: Person-Department, Person-Site, +> Person-Manager(Person), etc. + +A connector is used to synchronize each of its entities and associations in Identity Manager's +physical model. A connector is defined with: + +- [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md); +- [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md); +- [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) and + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) to link the entity types and + associations to the corresponding files and columns containing the exported data from the managed + system. + +## Examples + +The following example creates a `HR` connector on the agent called `Local` previously declared by an +[ Agent ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) element. 
+ +We create the right [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) to use the connector as a +[ CSV ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/csv/index.md)aiming to export HR CSV files into +new CSV files in Identity Manager's format. + +The [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) model the resources as `HR_Person` or +`HR_Organization`, defining properties. + +The [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) link the entity types to the source +files. + +The [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) creates a link between the two +entity types. + +The [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) links the association to +the source files. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent optional | **Type** Int64 **Description** Identifier of the agent where the connector's tasks are launched. | +| CompleteJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the complete job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the complete job, setting that connector to `Used` for the complete job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| DisplayName_L1 required | **Type** String **Description** Connector DisplayName. | +| Identifier required | **Type** String **Description** Connector Identifier. | +| IncrementalJob default value: 0 | **Type** JobIntegrationRule **Description** Indicates how the connector should be used in the incremental job (scaffolding): `0` - Used `1` - NotUsed `2` - OnlySynchronization `3` - OnlyProvisioning Warning: The job scaffolding has priority over the connector's decision. 
For example, if your job scaffolding specifies that the Microsoft Entra ID is `NotUsed` for the incremental job, setting that connector to `Used` for the incremental job will not activate it. You should not only add the `Used` to the connector but also remove the `NotUsed` from the configuration of the job scaffolding. | +| IsDeactivated default value: false | **Type** Boolean **Description** Indicates that the export and the provisioning are deactivated for this connector. | +| MaximumDeletedLines default value: 100 | **Type** Int32 **Description** Deleted lines threshold. Sets the maximum number of resources that can be removed from the connector when running the synchronization job. | +| MaximumInsertedLines default value: 100 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the connector when running the synchronization job. | +| MaximumLinkDeletedLines default value: 1000 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the connector when running the synchronization job. | +| MaximumLinkInsertedLines default value: 1000 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the connector when running the synchronization job. | +| MaximumUpdatedLines default value: 100 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the connector when running the synchronization job. | +| MaxLinkPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxLinkPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted association links threshold in percent. 
| +| MaxPercentageDeletedLines default value: 5 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 5 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 5 | **Type** Int32 **Description** Updated lines threshold in percent. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md new file mode 100644 index 0000000000..f829b73762 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md 
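Review bot: the threshold rows in the Connector properties table (`MaximumDeletedLines`, `MaximumInsertedLines`, `MaximumUpdatedLines`, the `MaximumLink*` pair and the five `Max*Percentage*` rows) say what each limit counts but not what happens when a synchronization exceeds it, nor how the absolute value (default 100 or 1000) and the percentage (default 5) combine when both are set. These limits are the guard against a bad export wiping or flooding a connector, so the page should state whether the job is blocked, and whether either limit or both must be crossed. The percentage rows also give no denominator. Minor wording in the prose above the table: "A connector in most case represents", the missing space in "`index.md)aiming`", and "The [ Entity Type ] ... model the resources" / "The [ Entity Type Mapping ] ... link the entity types" need subject-verb agreement.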
@@ -0,0 +1,23 @@ +# Entity Association Mapping + +Contains all the [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) that can be +materialized in the Identity Manager physical model. An association mapping can be established +between two properties of the same entity type mapping or between two properties of different entity +type mappings having the same connector. See the [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) topic to learn +how to configure an EntityAssociationMapping. + +## Properties + +| Property | Details | +| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| C0 optional | **Type** String **Description** In a ServiceNow connector, generic column used during provisioning to map the property to be provisioned (target property from the entity association mapping). This column stores the name of the table in ServiceNow in which the property exists. | +| Column1 required | **Type** String **Description** The column of EntityPropertyMapping1 in the association data source. | +| Column2 required | **Type** String **Description** The column of EntityPropertyMapping2 in the association data source. | +| ConnectionTable optional | **Type** String **Description** Association data source containing Column1 and Column2. Example: ConnectionTable="datasource" | +| Connector required | **Type** Int64 **Description** Id of the connector to which it is linked. | +| EntityPropertyMapping1 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. 
The property must be a unique key. | +| EntityPropertyMapping2 required | **Type** Int64 **Description** The ID of mapping of the property use to establish the association. The property must be a unique key. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold. Sets the maximum number of navigation properties that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold. Sets the maximum number of navigation properties that can be added into the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted association links threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted association links threshold in percent. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md new file mode 100644 index 0000000000..52c83bea82 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md 
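Review bot: in the Entity Association Mapping properties table the four threshold rows (`MaximumDeletedLines`, `MaximumInsertedLines`, `MaxPercentageDeletedLines`, `MaxPercentageInsertedLines`) all list `default value: 0`, while the same-named connector-level settings default to 100 and 5. As written, a reader cannot tell whether 0 means "no links may be added or removed", "no limit", or "fall back to the connector's threshold". Please state the meaning of 0 explicitly. Also, `EntityPropertyMapping1` and `EntityPropertyMapping2` carry the identical description ("The ID of mapping of the property use to establish the association"); say which side of the association each one is, and fix "property use" to "property used".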
@@ -0,0 +1,40 @@ +# Entity Type Mapping + +An entity type mapping links a given [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +properties with the source columns of the corresponding managed system. The entity type mapping +specifies the related [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) and the path to the CSV source file which +contains, or will contain, the data exported from the managed system. Each of its Entity Type +Mapping properties will define the corresponding source column and specific options. + +An entity type mapping shares the same identifier as its related entity type. + +See the example of a whole [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) containing an entity type mapping. + +## Properties + +| Property | Details | +| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| C0 optional | **Type** String **Description** In a Microsoft Entra ID connector (formerly Microsoft Azure AD), generic column used to map the entities to be exported. By default, Identity Manager exports: `user`; `group`; `directoryRole`; `servicePrincipal`. | +| ConnectionTable optional | **Type** String **Description** Name of the CSV file which contains, or will contain, the exported data from the corresponding entity type. | +| Connector optional | **Type** Int64 **Description** Identifier of the related connector. | +| MaximumDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold. 
Sets the maximum number of resources that can be removed from the entity type when running the synchronization job. | +| MaximumInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold. Sets the maximum number of resources that can be added into the entity type when running the synchronization job. | +| MaximumUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold. Sets the maximum number of resources that can be modified within the entity type when running the synchronization job. | +| MaxPercentageDeletedLines default value: 0 | **Type** Int32 **Description** Deleted lines threshold in percent. | +| MaxPercentageInsertedLines default value: 0 | **Type** Int32 **Description** Inserted lines threshold in percent. | +| MaxPercentageUpdatedLines default value: 0 | **Type** Int32 **Description** Updated lines threshold in percent. | + +## Child Element: Property + +Contains all the [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties that can be +synchronized into Identity Manager physical model. Each mapping share the same id as its +corresponding property in the entity type. + +### Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ConnectionColumn optional | **Type** String **Description** Specifies the corresponding column in the entity type data source. 
| +| Format optional | **Type** String **Description** The format of the attribute in the external system. Ex: 1601date for LDAP Date. | +| IsPrimaryKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be the unique and immutable key that uniquely identifies any resource from the entity type, during synchronization. Each entity type mapping must have a primary key. It prevents duplicates and null resources. | +| IsUniqueKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the unique keys that uniquely identify any resource from the entity type in an association/navigation, during synchronization. Each entity type mapping can have up to three unique keys, in addition to the mapping key that already acts as such. **Note:** AD synchronization requires the `dn` property to have either `IsUniqueKey` or `EntityType` > `Property` > `IsKey` set to `true` (key property in the UI). | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md new file mode 100644 index 0000000000..3855d4d14b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md 
@@ -0,0 +1,10 @@ +# Connectors + +- [ Agent ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/agent/index.md) +- [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +- [ Connection Table ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connectiontable/index.md) +- [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +- [Resource Type Mappings](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md) +- [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md) +- [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) +- [ Password Reset Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md new file mode 100644 index 0000000000..ebc7ddbcea --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md 
@@ -0,0 +1,79 @@ +# Password Reset Settings + +This set of password reset settings contains the configuration to perform password reset operations +such as change, reset, etc. + +## Examples + +The following example declares a password reset settings. + +``` + + + +``` + +### Password length and counts + +The following example makes Identity Manager generate a password with at least 12 characters in +total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (16) is greater than the length (12), the password length will be the +count total (16). + +The following example makes Identity Manager generate a password with at least 12 characters in +total, at least 8 lowercase characters, 4 uppercase characters, 2 digits and 2 symbols. + +``` + + + +``` + +As the total of all counts (4) is lower than the length (8), the password will be generated with 8 +characters, among them 1 lowercase character, 1 uppercase character, 1 digit, 1 symbol, and 4 more +random characters. + +The generated password's strength can also be checked via a regular expression (regex) through +`StrengthCheck`. Thus, the following example makes Identity Manager generate a password with at +least 9 characters including at least one digit, one lowercase letter, one uppercase and one special +character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutoGenerate default value: false | **Type** Boolean **Description** `true` to make Identity Manager generate the password automatically. 
| +| BeneficiaryEmailBinding optional | **Type** Int64 **Description** Binding to the email address property whose password is to be reset. | +| BeneficiaryFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the user(s) whose password is to be reset. | +| DefaultPassword optional | **Type** String **Description** Default password to set when `AutoGenerate` is set to `false`. | +| DisableNotifications default value: false | **Type** Boolean **Description** `true` to disable the mailing of notifications concerning password reset. | +| GeneratedDigitCharsCount default value: 2 | **Type** Int32 **Description** Number of digit characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLength default value: 12 | **Type** Int32 **Description** Length of the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedLowerCaseCharsCount default value: 6 | **Type** Int32 **Description** Number of lower case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedSymbolCharsCount default value: 2 | **Type** Int32 **Description** Number of symbol characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| GeneratedUpperCaseCharsCount default value: 2 | **Type** Int32 **Description** Number of upper case characters in the password generated by Identity Manager when `AutoGenerate` is set to `true`. | +| Identifier required | **Type** String **Description** Identifier of the set of password reset settings. | +| Mode default value: 0 | **Type** Int64 **Description** Mode used by the password reset service. `0` - Disabled. `1` - One-Way. `2` - Two-Way. | +| MustChange default value: false | **Type** Boolean **Description** `true` to force users to modify their passwords on the first login. 
| +| NotificationCC optional | **Type** String **Description** Email address to set as CC recipient of all password reset notifications. | +| NotifiedEmailBinding optional | **Type** Int64 **Description** Binding to the email address property of the person to be notified. | +| NotifiedFullNameBinding optional | **Type** Int64 **Description** Binding to the full name property of the person to be notified. | +| StrengthCheck optional | **Type** String **Description** Regular expression (regex) that generated passwords must match, when `AutoGenerate` is set to `true`. **Note:** the strength of passwords set manually by users can be configured via [ Password Tests Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md). | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md new file mode 100644 index 0000000000..d48f4ed277 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md 
@@ -0,0 +1,26 @@ +# Easy Vista Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CatalogCode required | String | Code of the catalog. It is possible to define three catalog codes, one for each provisioning action (add, modify, delete) by separating them with ¤, for example 42¤25¤43. | +| Connection required | String | Identifier of the corresponding connection. | +| RecipientId required | String | Identifier of the ticket's recipient. | +| Description optional | String | File path of the template used for the generation of the ticket description. | +| ImpactId optional | String | [Impact](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#impact) of the ticket. | +| SeverityId optional | String | [Severity level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#severity-level) of the ticket. | +| TicketSynchroIsNotAvailable default value: false | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. 
See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| Title optional | String | File path of the template used for the generation of the ticket title. | +| UrgencyId optional | String | [Urgency level](https://wiki.easyvista.com/xwiki/bin/view/Documentation/Service%20Manager%20-%20All%20Menus/References%20Tables/#urgency-level) of the ticket. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md new file mode 100644 index 0000000000..558d758cd8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/index.md 
@@ -0,0 +1,53 @@ +# Resource Type Mappings + +A resource type mapping links resources sharing the same intent and the same authorization system +with the source columns of the corresponding managed system. The mapping specifies the related +connector and the path to the CSV source file which contains, or will contain, the data exported +from the managed system. + +Here is a list of ResourceType Mapings: + +- [Microsoft EntraID Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md) + + The set of parameters to map the properties of Microsoft Entra ID in Identity Manager, for + provisioning purposes. + +- [Easy Vista Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/easyvistaresourcetypemapping/index.md) + + The set of parameters to map the properties of Easy Vista in Identity Manager, for provisioning + purposes. + +- [Ldap Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md) + + The set of parameters to map the properties of Ldap in Identity Manager, for provisioning + purposes. + +- [Manual Provisioning Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md) + + The set of parameters to map the properties of Manual Provisioning in Identity Manager, for + provisioning purposes. + +- [Okta Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md) + + The set of parameters to map the properties of Okta in Identity Manager, for provisioning + purposes. 
+ +- [Sap Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md) + + The set of parameters to map the properties of Sap in Identity Manager, for provisioning + purposes. + +- [Scim Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md) + + The set of parameters to map the properties of Scim in Identity Manager, for provisioning + purposes. + +- [Service Now Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md) + + The set of parameters to map the properties of Service Now in Identity Manager, for provisioning + purposes. + +- [Share Point Resource Type Mapping](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md) + + The set of parameters to map the properties of Share Point in Identity Manager, for provisioning + purposes. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/ldapresourcetypemapping/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md new file mode 100644 index 0000000000..5341a12a10 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/manualprovisioningresourcetypemapping/index.md @@ -0,0 +1,19 @@ +# Manual Provisioning Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | String | Identifier of the corresponding connection. | +| TicketSynchroIsNotAvailable optional | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | 
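Review bot: The TicketSynchroIsNotAvailable row in the Manual Provisioning Resource Type Mapping table is copied from the ticket-based mappings: it describes a ticket being closed and links to the ServiceNow Ticket topic, with no explanation of how that applies to manual provisioning. Either describe what the flag does for manually provisioned resource types or drop the ticket wording. The row is marked "optional" here, while the Easy Vista and Service Now tables give the same property as "default value: false"; pick one convention. The Examples lead-in also says to replace `<>` attributes "before entering the script in the command line", although the page documents an XML configuration element.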
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/microsoftentraidresourcetypemapping/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/oktaresourcetypemapping/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sapresourcetypemapping/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/scimresourcetypemapping/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md new file mode 100644 index 0000000000..213dee7a2b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/index.md 
@@ -0,0 +1,37 @@ +# Service Now Resource Type Mapping + +Any resource type mapping must be configured with the same identifier as the related resource type. + +Any resource type linked to a ServiceNow connection must be configured with a set of parameters to +map the properties in Identity Manager with those in ServiceNow, for provisioning purposes. + +Below is an example of an incident ticket in ServiceNow, where relevant properties (from Identity +Manager's perspective) are emphasized: + +![ServiceNow Ticket Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/servicenowresourcetypemapping/servicenow_example.webp) + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +   + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------ | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connection required | String | Identifier of the corresponding connection. | +| DefaultObjectClass optional | String | Default object class used by the provisioner, for example person, organizationalPerson, and user, etc. Multiple default object classes are separated with
. | +| PasswordResetSetting optional | String | Identifier of the corresponding password reset setting. | +| TicketAdditionalInformation optional | String | Information to add at the end of the description for all tickets created for this resource type. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketCallerId optional | String | Attribute that corresponds to the identifier of the "caller" person in ServiceNow. Required when using the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketCategory optional | String | Category in which new tickets will be created in ServiceNow for this resource type. **NOTE:** Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketImpact default value: Low | TicketImpact | Impact of the ticket in ServiceNow: Low; Medium; or High. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketSubCategory optional | String | Subcategory in which new tickets will be created in ServiceNow for this resource type. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. 
| +| TicketSynchroIsNotAvailable default value: false | Boolean | True to set synchronization as unavailable for this resource type. Once the ticket is closed and the resource is created, updated or deleted, then the assignment's status is directly set to Verified. Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | +| TicketUrgency default value: Low | TicketUrgency | Urgency of the ticket in ServiceNow: Low; Medium; High. **NOTE:** Only used with the package for tickets. See the [ ServiceNow Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/servicenow-ticket/index.md) topic for additional information. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/resourcetypemappings/sharepointresourcetypemapping/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/index.md new file mode 100644 index 0000000000..81165fc51d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/index.md 
@@ -0,0 +1,22 @@ +# XML Configuration Schema + +## Overview + +The XML configuration schema shows some similarities with the database schema but they are not the +same. + +## Family Entity Listing + +- [ Access Certification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md) +- [ Connectors ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/index.md) +- [ Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/index.md) +- [ User Interface ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md) +- [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md) +- [ Metadata ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md) +- [ Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md) +- [ Provisioning ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md) +- [ Reporting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md) +- [ Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md) +- [ Access Certification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/index.md) +- [ Business Intelligence ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/index.md) +- [ Workflows ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md) 
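Review bot: The Family Entity Listing in the XML Configuration Schema index links Access Certification twice, as the first item and again after Resources. Remove the second entry. The list is also not in alphabetical order (Connectors comes before Configuration, Business Intelligence sits near the end); sorting it would make a duplicate like this easier to spot. The link labels are padded with spaces inside the brackets ("[ Jobs ]"), which the Resource Type Mappings index in this patch does not do.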
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md new file mode 100644 index 0000000000..d35ae5fb5e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/index.md @@ -0,0 +1,9 @@ +# Jobs + +A job is defined via the `Job` tag to orchestrate tasks together, in order to perform specific +actions. + +All [ Tasks ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) types are child elements of jobs. + +- [ Job ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md) +- [ Tasks ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/job/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/job/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md new file mode 100644 index 0000000000..54adb9f2c8 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md 
@@ -0,0 +1,40 @@ +# Agent Tasks + +- [ Activity Instance Actor Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + + Update the Actors for the workflows instances. + +- [ Create Database Views Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + + Runs the specified connection's export. + +- [ Fulfill Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [ Invoke Api Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + + Tool to launch any Identity Manager API. + +- [ Invoke Aspects Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + + Call specific api in Identity Manager. + +- [ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. + +- [Invoke Sql Command Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. 
+ +- [ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + + Cleanses exported CSV files. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md new file mode 100644 index 0000000000..a740a041b4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md 
@@ -0,0 +1,38 @@ +# Invoke Sql Command Task + +Takes as input an SQL file or an SQL command to output several CSV files that can be used by the +collection. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +**NOTE:** The database Identifier attribute has a specific location where the connection strings for +the database identifiers need to be defined. See the +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md)topic +for additional information. + +## Properties + +| Property | Type | Description | +| -------------------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the task in language 1 (up to 16). | +| Agent optional | String | Identifier of the agent on which the job will be launched. **NOTE:** When not specified, the task is to be launched on the server. _Remember,_ all jobs containing the task must be launched on the same agent or on the server. | +| ContinueOnError default value: false | Boolean | True if the execution of the Task returning an error should not stop the job machine state. | +| DatabaseIdentifier optional | String | Identifier of the Database to connect to | +| Encoding optional | String | Encoding for the output files. [See the list of available encodings](https://learn.microsoft.com/en-us/dotnet/api/system.text.encoding#see-the-list-of-available-encodings). | +| Identifier optional | String | Unique identifier of the task. 
| +| IsNotAQuery default value: false | Boolean | To know if the SQL command is a query or not. | +| IsolationLevel optional | String | Specifies the transaction locking behavior for the database connection. | +| OpenIdClient optional | String | Connection client for the task. | +| OutputPath optional | String | Path to save file. Alternative definition: If TaskType is: - ProvisioningPolicyTask: Path to save the LDIF file, - CollectorTask: Path of the working directory, - CollectorChangesTask: Path of the working directory, - CollectorADDirSyncTask: Path of the working directory, - ProvisionerDownloadTask: Path of the destination directory, | +| Provider optional | String | The database provider. | +| ProviderAssemblyQualifiedName optional | String | Database provider assembly qualified name. | +| SQLCommand optional | String | SQL Command to execute. | +| SQLInputFile optional | String | Path of the SQL file. | +| Timeout default value: 0 | Int32 | Specify the timeout if the query need more 30 sec. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md new file mode 100644 index 0000000000..e46911e1fb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md 
@@ -0,0 +1,120 @@ +# Prepare Synchronization Task + +## View Behavior Details + +The task reads files from the source directory, usually the temp folder >Export Output folder. See +the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md)topic +for additional information. + +### Cleanse data + +The following actions are performed on the _CSV source files_: + +1. Remove columns that are not used in + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md) or + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md). +2. Remove entries that have a null primary key. +3. Remove duplicates. +4. Sort entries according to the primary key. + +The result of the _Prepare-Synchronization_ is stored in the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory +as three files: + +- For every entity type of the relevant _Connector_ involved in an + [ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)> or an + [ Entity Association Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entityassociationmapping/index.md), a + `.sorted.csv` file is generated, containing the final, cleansed and sorted result. +- Duplicates are kept in a separate `.duplicates.csv` file. +- Null primary key entries are kept in a separate `.nullpk.csv` file. + +All files produced by the task are in the work folder > Collect directory. 
+ +### Compute changes + +In _incremental_ mode, changes might need to be computed by the _Agent_: + +- If the Export step has provided computed changes, no further process is required. The changes will + be sent as-is to the server. +- If the Export step has provided a full extract of the managed systems, the + _Prepare-Synchronization_ step computes changes. This computation is based on the result of the + last data cleansing, generated by the previous _Prepare-Synchronization_, and stored in the + `previous` folder in the + [Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory. + +For _incremental_ mode, it is recommended, whenever possible, to use managed systems to compute +changes. Dedicated workstations and knowledge of the inner data organization allow managed systems +to compute changes with performance that Identity Manager can't match. Using managed systems for +these operations avoids generating heavy files and alleviates Identity Manager's processing load. + +The result is a set of clean lists of changes stored as a `.sorted.delta` file containing a +_command_ column. The _command_ column can take the following values: + +- _insert_ +- _update_ +- _delete_ +- _merge_ + +These values are instructions for the _Synchronization_ step to apply the changes to the database. + +The `.sorted` file (that is, the **original** clean export file, **not** the changes) is stored in +the `previous` folder inside the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md)directory. +It will be used as a reference for the next _incremental_ Prepare-Synchronization to compute the +changes, if needed. + +Tampering with the `previous` folder content would result in false changes leading to false +computation. 
It would result in data corruption in the Identity Manager database. To restore the +Identity Manager database and reflect the managed system data updates, a _complete\_\_Sync Up_ would +be required. + +### Prepare the server + +At the beginning of every _Prepare-Synchronization_ process, the _Server_ is notified via HTTP. + +Upon receiving the notification, the server creates a directory on its host environment, identified +by a unique GUID, to contain `.sorted` or `.sorted.delta` files that will be sent by the agent. + +This is designed to prevent network errors that would cause an _incremental_ database update to +happen more than once. + +This means that several _Export_ and _Prepare-Synchronization_ tasks can be executed simultaneously. +These tasks will be processed by the server one at a time, in the right order. + +Any notification of a _complete_ Prepare-Synchronization would cancel the previous non-processed +_incremental_ Prepare-Synchronizations. As a _complete_ Prepare-Synchronization reloads the whole +database, it renders _incremental_ changes computation moot. + +### Send clean exports + +`.sorted` or `.sorted.delta` files are sent over HTTP to the _Server_ for the last step. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Agent required | **Type** String **Description** Identifier of the agent on which the job will be launched. **Warning:** all jobs containing the task must be launched on the same agent or on the server. | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). 
| +| OpenIdClient required | **Type** String **Description** Connection client for the task. | +| SynchronizationMode required | **Type** DataCollectType **Description** Synchronization mode for collect and synchronization Task. List of Modes: - Initial = 0, - Complete = 1, - Incremental = 2 | +| ColumnName optional | **Type** String **Description** If there is a delta in the synchronization, specifies the column name which stores the command | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define the type of PrepareSynchronization to launch the correct executable in job. | +| WorkingDirectory optional | **Type** String **Description** Path of the working directory | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md new file mode 100644 index 0000000000..ca2b50c7b8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/index.md 
@@ -0,0 +1,166 @@ +# Tasks + +- [Agent Tasks](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/index.md) + +- [ Activity Instance Actor Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/activityinstanceactortask/index.md) + + Update the Actors for the workflows instances. + +- [ Create Database Views Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/createdatabaseviewstask/index.md) + + Generates entity model SQL views in the Identity Manager database. + +- [ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) + + Runs the specified connection's export. + +- [ Fulfill Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [ Invoke Api Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeapitask/index.md) + + Tool to launch any Identity Manager API. + +- [ Invoke Aspects Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeaspectstask/index.md) + + Call specific api in Identity Manager. + +- [ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. 
+ +- [Invoke Sql Command Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md) + + Cleanses exported CSV files. + +- [ Server Tasks ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md) + +- [ Build Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + + Applies the role naming rules, i.e. generates single roles and navigation rules based on + resources matching a given pattern. + +- [ Compute Correlation Keys Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources. + +- [ Compute Risk Scores Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + + Update risk score with the risk settings. + +- [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job. 
+ +- [ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete. + +- [ Fulfill Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. + +- [Generate Provisioning Orders Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders. + +- [ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility. + +- [ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) +- [ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. 
+ +- [ Invoke Sql Command Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Maintain Indexes Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + + Index maintenance and statistics update for all database tables. + +- [ Manage Configuration Indexes Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + + Manage indexes for items from configuration. + +- [ Process Access Certification Items Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + + Process decisions on access certification items. + +- [ Reset Valid From Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00. + +- [ Save Pre-Existing Access Rights Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + + During an initial installation of Identity Manager, data normally provided by Identity Manager + or through a derogation in the User Interface is already present in the application system. 
+ +- [ Send Access Certification Notification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`. + +- [ Send Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + + Task that sends a notification to each configured recipient. + +- [ Send Role Model Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. pending the validation 1 out of 1. + +- [ Set Access Certification Reviewer Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + + Assign access certification items to users according to their profiles and the access control + rules. + +- [ Set Internal User Profiles Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode. + +- [ Set Recently Modified Flag Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization. 
+ +- [ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Identity Manager database. + +- [ Update Access Certification Campaign Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + + Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. + +- [ Update Classification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job. + +- [ Update Entity Property Expressions Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md new file mode 100644 index 0000000000..93c508dd2c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md 
@@ -0,0 +1,25 @@ +# Build Role Model Task + +Applies the [ Role Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md), also named +[ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md), +i.e. generates single roles and navigation rules based on resources matching a given pattern. + +> For example, this task can transform AD groups with a special naming convention into roles. + +## Examples + +The following example applies all role naming rules linked to the AD connector. + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Connector optional | **Type** String **Description** Identifier of the connector whose role mappings / role naming rules are to be applied. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md new file mode 100644 index 0000000000..62a6bae390 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md 
@@ -0,0 +1,80 @@ +# Compute Role Model Task + +This task applies all rules in the role model of all +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) whose source entity types are +specified as child elements of the task. + +## Behavior Details + +### Property creation/update + +If the resource or property needs to be created or changed, the policy inserts a new line in one of +the following 3 tables: + +- Assigned resource types +- Assigned resource scalars +- Assigned resource navigation + +Their provisioning state will therefore increase to either 1 or 5. + +If the resource already exists in the database, then the policy checks whether the existing value is +the same as the computed value. If the existing value is the same as the computed value, then the +provisioning state goes to 4. + +### Notifications + +Executing the `ComputeRoleModelTask` will modify some roles' workflow states, and it will send a +notification for each of these roles being: + +- pending approval (1/1, 1/2, 2/2, 1/3, 2/3, 3/3); +- blocked because of a risk. + +## Examples + +The following example applies all rules in the role model concerning the entity types `HR_Service`, +`HR_Category`, `HR_Site` and `HR_Person`. + +``` + + + +``` + +### Ignore Archiving + +While archiving data for audits is part of the main purposes of Identity Manager, some elements can +be prevented from being archived, for example during Identity Manager's installation and +initialization. + +The following example is similar to the previous one, except that the values prior to the changes on +assigned single roles, composite roles, resource types, scalar or navigation properties, or +binaries, will not be stored in the database. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| BlockAllResourceTypeProvisioning default value: false | **Type** Boolean **Description** `true` to force an additional mandatory review (on the **Provisioning Review** screen) of all provisioning orders for all resource types, no matter whether the resource types' `BlockProvisioning` boolean is set to `true` or `false`. | +| BlockProvisioning default value: false | **Type** Boolean **Description** `true` to block the provisioning policy orders. | +| Dirty default value: false | **Type** Boolean **Description** Initiate use only dirty resources. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| IgnoreHistorization default value: false | **Type** Boolean **Description** `true` to prevent Identity Manager from archiving the changes (resource creation, update, deletion) performed by the task. Impacted tables are: `UP_AssignedSingleRoles`, `UP_AssignedCompositeRoles`, `UP_AssignedResourceTypes`, `UP_AssignedResourceScalars`, `UP_AssignedResourceNavigations`, `UP_AssignedResourceBinaries`. 
| +| LdifFilePath optional | **Type** String **Description** Path to save the ldif file | +| UseLdif default value: false | **Type** Boolean **Description** to simulate or not into a ldif file | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md new file mode 100644 index 0000000000..ff45e7aa24 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md 
@@ -0,0 +1,23 @@ +# Deploy Configuration Task + +From a folder, retrieves all configuration xml files to calculate the configuration items to insert, +update or delete. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | +| ConfigurationDirectory required | **Type** String **Description** Directory of the configuration to import | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| GeneratedCodeNamespace optional | **Type** String **Description** The namespace of the generated code (entities + writer). | +| GeneratedCodePath optional | **Type** String **Description** The path of the generated code (entities + writer). | +| GeneratedFile optional | **Type** String **Description** The path of the xml file in which all the configuration is generated by the scaffoldings. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md new file mode 100644 index 0000000000..44a29cd5d2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md 
@@ -0,0 +1,36 @@ +# Generate Provisioning Orders Task + +In the Assigned resource types, Assigned resource scalars, and Assigned resource navigation the +provisioning task will recover all resources whose provisioningState is at 1 to build a list of JSON +files containing all provisioning orders. This task can be started either with a connector or with a +resourceType list. Then changes the provisioningState of the resources concerned to 2. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` +   +``` + +## Properties + +| Property | Type | Description | +| -------------------------------------- | ------- | -------------------------------------------------- | +| DisplayName_L1 required | String | Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | Int32 | Specifies the number of orders by file. | +| BatchSelectSize default value: 0 | Int32 | Defines the batch select size. | +| Connector optional | String | Identifier of the connector involved in the task. | +| ForceProvisioning default value: false | Boolean | True to block the provisioning policy orders. | +| Identifier optional | String | Unique identifier of the task. | + +## Child Element: TaskResourceType + +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + +| Property | Type | Description | +| --------------------- | ----- | ----------------------- | +| ResourceType required | Int64 | Linked resourceType id. | 
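Review bot: The Examples section of generateprovisioningorderstask/index.md ships with a leftover `[Copy](javascript:void(0);)` link and a code fence that contains only whitespace, so the sentence about replacing attributes enclosed with `<>` refers to nothing. Drop the Copy link, restore the task XML inside the fence, and reword "before entering the script in the command line", since the page documents an XML configuration element. The `ForceProvisioning` description ("True to block the provisioning policy orders") is hard to reconcile with the property name; state explicitly what is forced or bypassed when it is `true`. The intro's last sentence ("Then changes the provisioningState of the resources concerned to 2.") has no subject, and the tables do not say what the default `0` means for `BatchInsertSize` and `BatchSelectSize`.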
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md new file mode 100644 index 0000000000..358d56f9e8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/index.md 
@@ -0,0 +1,122 @@ +# Server Tasks + +- [ Build Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) + + Applies the role naming rules, i.e. generates single roles and navigation rules based on + resources matching a given pattern. + +- [ Compute Correlation Keys Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) + + The Compute Role Model correlation keys will pre-calculate all the keys needed by the Compute + Role Model to match the resources. + +- [ Compute Risk Scores Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computeriskscorestask/index.md) + + Update risk score with the risk settings. + +- [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + + The Compute Role Model will calculate the role model of all whose EntityTypes sources are + included in the list of EntityTypes given in the start of this job. + +- [ Deploy Configuration Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/deployconfigurationtask/index.md) + + From a folder, retrieves all configuration xml files to calculate the configuration items to + insert, update or delete. + +- [ Fulfill Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/fulfilltask/index.md) + + Retrieves provisioning orders from the informed connector generated by + GenerateProvisioningOrdersTask to make changes in a system. Instead of a connector it is + possible to launch it with a list of TaskResourceTypes. 
+ +- [Generate Provisioning Orders Task](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/generateprovisioningorderstask/index.md) + + The provisioning task will recover all resources whose provisioningState is at 1 to build a list + of JSON files containing all provisioning orders. + +- [ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md) + + Role mining is the process of analyzing user-to-resource mapping data to determine or modify + user permissions for role-based access control (RBAC) in an enterprise. In a business setting, + roles are defined according to job competency, authority and responsibility. + +- [ Invoke Expression Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md) + + Launches on agent side a powershell script given as input. + +- [ Invoke Sql Command Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md) + + Takes as input an SQL file or an SQL command to output several CSV files that can be used by the + collection. + +- [ Maintain Indexes Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md) + + Index maintenance and statistics update for all database tables. + +- [ Manage Configuration Indexes Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md) + + Manage indexes for items from configuration. 
+ +- [ Process Access Certification Items Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md) + + Process decisions on access certification items. + +- [ Reset Valid From Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md) + + Initialize historization tables by setting each entity's first record `ValidFrom` value to + 0001-01-01 00:00:00.00. + +- [ Save Pre-Existing Access Rights Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) + + During an initial installation of Identity Manager, data normally provided by Identity Manager + or through a derogation in the User Interface is already present in the application system. + +- [ Send Access Certification Notification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md) + + Notify assigned users having pending access certification items in campaign marked with + `NotificationNeeded`. + +- [ Send Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) + + Task that sends a notification to each configured recipient. + +- [ Send Role Model Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md) + + Task that sends a notification to all users who have pending roles to review, only for roles + with a simple approval workflow, i.e. pending the validation 1 out of 1. 
+ +- [ Set Access Certification Reviewer Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md) + + Assign access certification items to users according to their profiles and the access control + rules. + +- [ Set Internal User Profiles Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md) + + Will execute the profile rules of the different resource types given in parameters to create, + modify or delete profiles in automatic mode. + +- [ Set Recently Modified Flag Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md) + + When synchronizing in full or incremental mode, it is possible to optimize the compute + performance of the role model by taking into account only the changes made by the + synchronization. + +- [ Synchronize Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md) + + Retrieves the files generated by the prepare-synchronization task to insert the data into the + Identity Manager database. + +- [ Update Access Certification Campaign Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md) + + Starts or stops the access certification campaigns according to their `StartDate` and `EndDate`. + +- [ Update Classification Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md) + + Classifies a list of resources that are part of the resourceType data targets as an argument to + this job. 
+ +- [ Update Entity Property Expressions Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + + Calculates either for all entities or for a list of entities the expressions and inserts the + values in the database. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokeexpressiontask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/invokesqlcommandtask/index.md 
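Review bot: In the server/index.md hunk, several one-line summaries are incomplete or disagree with the task pages added in this same patch. The Compute Role Model Task entry ("will calculate the role model of all whose EntityTypes sources are included") is missing the noun after "all". The Synchronize Task entry says the files are "generated by the prepare-synchronization task", while synchronizetask/index.md says they are generated by the Upward Data Synchronization; pick one wording. The Invoke Expression Task entry ("Launches on agent side a powershell script given as input") sits under the heading "Server Tasks"; confirm where the script runs and say so, because that decides which host's permissions an administrator has to review. Link labels are padded with spaces inside the brackets everywhere except the Generate Provisioning Orders Task entry; trim them for consistency.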
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/maintainindexestask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md new file mode 100644 index 0000000000..b34316ab11 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/manageconfigurationindexestask/index.md @@ -0,0 +1,17 @@ +# Manage Configuration Indexes Task + +Manage indexes for configuration items with the +tool[ Usercube-Manage-Configuration Dependent Indexes ](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/manage-configurationdependantindexes/index.md). + +## Examples + +``` + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | 
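Review bot: The intro sentence of manageconfigurationindexestask/index.md runs "tool" straight into the link ("with the tool[ Usercube-Manage-Configuration Dependent Indexes ]"), and the label spells "Dependent" where the target directory is `manage-configurationdependantindexes`. Add the missing space, trim the padding inside the brackets, and use the executable's exact name so readers can search for it. The Examples fence is empty; add the task XML or remove the section.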
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/processaccesscertificationitemstask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/resetvalidfromtask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendaccesscertificationnotificationtask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md new file mode 100644 index 0000000000..1d9891074a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md 
@@ -0,0 +1,35 @@ +# Send Notifications Task + +Task that sends all the custom notifications defined by the +[ Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) XML tag. + +## Examples + +The following example, included in a job potentially scheduled periodically, will send all custom +notifications defined via `Notification` such as the example below. The task will send the +notifications concerning the `Directory_User` entity type. + +``` + + + +Knowing that we have for example: + + +``` + +## Properties + +| Property | Details | +| -------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchSize default value: 0 | **Type** Int32 **Description** Block size for batch calculation. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | 
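Review bot: In the Examples section of sendnotificationstask/index.md, the sentence "Knowing that we have for example:" sits inside the code fence and no XML is visible on either side of it, so the example the paragraph promises (a task scoped to `Directory_User` plus a matching `Notification`) is missing. Split this into two fences with that sentence as prose between them and restore both snippets. The Properties table should also say what the default `0` means for `BatchSize`.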
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendrolemodelnotificationstask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setaccesscertificationreviewertask/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md new file mode 100644 index 0000000000..b5b85afafc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setinternaluserprofilestask/index.md 
@@ -0,0 +1,41 @@ +# Set Internal User Profiles Task + +Will execute the profile rules of the different resource types given in parameters to create, modify +or delete profiles in automatic mode. + +It is necessary to set up [ Profile Context ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilecontext/index.md) as +well as [Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) to be able to +use this job. + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| BatchInsertSize default value: 0 | **Type** Int32 **Description** Defines the batch insert size. | +| BatchSelectSize default value: 0 | **Type** Int32 **Description** Defines the batch select size. | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | + +## Child Element: TaskEntityType + +A task entity type defines the entity type on which the task is applied. + +| Property | Details | +| ------------------- | ----------------------------------------------------------------------------------------------- | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that the task is to be applied on. | + +## Child Element: TaskResourceType + +The table TaskResourceTypes makes the link between the tasks and the Resourcetypes. + +| Property | Details | +| --------------------- | ------------------------------------------------------ | +| ResourceType required | **Type** Int64 **Description** Linked resourceType id. | 
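Review bot: The prerequisite paragraph in setinternaluserprofilestask/index.md says Profile Context and Profile Rule Context must be set up "to be able to use this job", but the page documents a task; use "task" consistently. The opening sentence has no subject ("Will execute the profile rules ..."). Because the task can "create, modify or delete profiles in automatic mode", the page should state which profiles are in scope for deletion and how TaskEntityType and TaskResourceType narrow that scope; both child elements are currently described only in generic terms. The Examples fence is empty.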
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md new file mode 100644 index 0000000000..6b32bd9b5e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/setrecentlymodifiedflagtask/index.md 
@@ -0,0 +1,30 @@ +# Set Recently Modified Flag Task + +When synchronizing in full or incremental mode, it is possible to optimize the compute performance +of the role model by taking into account only the changes made by the synchronization. This +optimization is based on the `dirty` property of the entity +[ Resource ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md). The task +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) with option `dirty` set to `true` will +treat only resources marked as dirty. + +This task is used to set the `dirty` flag on all resources based on +[ Resources ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md)Change, Resource Link Change and Resource File Change +entities. After this, it clears this changes tables. + +This task works correctly only if **previous synchronization tasks have not cleared the change +tables** (option `DoNotDeleteChanges` set to `true`). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md new file mode 100644 index 0000000000..33085320d9 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/synchronizetask/index.md @@ -0,0 +1,31 @@ +# Synchronize Task + +Retrieves the files generated by the +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) to +insert the data into the Identity Manager database. + +For more information on how the Synchronization works, see +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md). + +Collection must be done by the +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md). + +## Examples + +``` + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------------- | ------------------------------------------------------------------------------------------- | +| Connector required | **Type** String **Description** Identifier of the connector involved in the task. | +| DisplayName_L1 required | **Type** String **Description** Display name of the task in language 1 (up to 16). | +| DoNotDeleteChanges default value: false | **Type** Boolean **Description** Do not delete change in the change tables. | +| ForceSynchronization default value: false | **Type** Boolean **Description** Force the synchronization | +| Identifier optional | **Type** String **Description** Unique identifier of the task. | +| Orphans default value: false | **Type** Boolean **Description** Save orphans in a CSV output file | +| Type default value: None | **Type** PrepareSynchronizationType **Description** Define type of prepare synchronization. | 
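Review bot: The `DoNotDeleteChanges` row in synchronizetask/index.md ("Do not delete change in the change tables") does not mention that Set Recently Modified Flag Task, added in this same patch, works correctly only when this option is `true`; add that cross-reference here so the dependency is visible from both pages. The `Type` row describes a `PrepareSynchronizationType` as "Define type of prepare synchronization" without listing any accepted value other than the default `None`, and `ForceSynchronization` ("Force the synchronization") does not say what check is being overridden. The first two paragraphs link the same Upward Data Synchronization topic twice; one of them can go. The Examples fence is empty.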
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateaccesscertificationcampaigntask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateclassificationtask/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/binding/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md new file mode 100644 index 0000000000..c102255e55 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md 
@@ -0,0 +1,46 @@ +# Dimension + +A dimension is an [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) used to define an organizational filter +for the Identity Manager role model. + +## Examples + +The following XML fragment defines the dimension `Organization0`. The dimension values are of +`Directory_Organization` type. The `ColumnMapping` attribute specifies the column (0 to 127) used to +store the dimension value in the assignment rule tables. + +``` + + + +``` + +Some types of entities can be organized in a hierarchical tree structure. Thus, for example, +organizational units form a tree structure modeled by a `Parent` navigation property that links the +entity type to itself. It is possible to use the hierarchical aspect of a dimension in an assignment +rule criterion. For example, the assignment must be extended to the whole subunits of a department. +Such a dimension must be declared as a hierarchical dimension by specifying the attribute +`IsHierarchical="true"`. + +``` + +... + ... + + +``` + +The attribute `ParentProperty` specifies the navigational property defining the hierarchy (`Parent` +is the navigation property that links the `Directory_Organization` type to itself). + +## Properties + +| Property | Details | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnMapping required | **Type** Int32 **Description** Specifies the corresponding column in the role model rules. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the dimension in language 1 (up to 16). | +| EntityType required | **Type** Int64 **Description** References the linked entity type. | +| Identifier required | **Type** String **Description** Unique identifier of the dimension. 
| +| IsExcludedFromRoleMining default value: false | **Type** Boolean **Description** `true` to exclude the dimension from role mining. It means that the dimension is not used as a criteria in the generated rules. | +| IsHierarchical default value: false | **Type** Boolean **Description** `true` to define a hierarchical dimension. **Note:** Cannot be used without `ParentProperty`. | +| ParentProperty optional | **Type** Int64 **Description** Specifies the navigational property defining the hierarchy. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md new file mode 100644 index 0000000000..56d035ad35 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md 
@@ -0,0 +1,40 @@ +# Entity Association + +An entity association is used to model an association in Identity Manager's metadata. See the +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)topic for additional information on a whole +connector with its entity properties and associations. + +## Examples + +The following example associates one title (as a property from the entity type +`Directory_UserRecord`) with several user records (as a property from the entity type +`Directory_Title`). + +``` + + + +``` + +### Many-to-many association + +The following example associates SAB users with groups, with the possibility to link one group to +several users, and one user to several groups. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the association in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the association. It must be unique to the entity model scope. | +| IsProperty1Collection default value: false | **Type** Boolean **Description** `true` to define a many-to-one association. | +| IsProperty2Collection default value: false | **Type** Boolean **Description** `true` to define a one-to-many association. | +| Property1 required | **Type** Int64 **Description** Defines the first navigation property. 
A navigation property can be mono-valued or multi-valued (with its corresponding `IsPropertyCollection` set to `true`). Mono-valued navigation properties may be optimized (with a `TargetColumnIndex`) or not (without `TargetColumnIndex`). See more details under the TargetColumnIndex section of the [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) properties page. | +| Property2 required | **Type** Int64 **Description** Defines the second navigation property. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md new file mode 100644 index 0000000000..a8710ef258 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md 
@@ -0,0 +1,27 @@ +# Entity Property Expression + +An entity property expression is a property computed from a binding and/or C# or literal +expressions. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +## Examples + +The following example computes the record display name. + +``` + + + +``` + +## Properties + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding optional | **Type** Int64 **Description** References the binding used to compute the result. | +| EntityType required | **Type** Int64 **Description** Identifier of the referenced entity type | +| Expression optional | **Type** String **Description** References the C# or literal expression used to compute the result. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Identifier required | **Type** String **Description** Unique identifier of the expression. | +| Priority default value: 0 | **Type** Int32 **Description** Specifies the execution priority. | +| Property required | **Type** Int64 **Description** Identifier of the referenced entity property | +| PropertyCriteria optional | **Type** Int64 **Description** References the property criteria used to compute navigation properties. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md new file mode 100644 index 0000000000..7b6cbb587b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md 
@@ -0,0 +1,78 @@ +# Entity Type + +Represents a conceptual model of a business object, such as a person entity or an organization +entity. See the [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md)topic for additional information +on how to configure define an EntityType. + +## Properties + +| Property | Details | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the entity type in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the entity type. It must is be unique to the _entity model_ scope. Cannot be [ Reserved identifiers ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md). | +| LicenseTag optional | **Type** String **Description** Value of the `Tag` parameter of the license key (in `appsettings.json`) linked to the entity type. All the features allowed by the license key are enabled for this entity type, otherwise only default features are available. | +| TableName optional | **Type** String **Description** Represents the table name of hard coded entity types. Exclusively reserved to Identity Manager connector for Power BI. | + +## Child Element: Property + +An entity property represents a property of an Entity Type . See the +[Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information on how to +configure/define an EntityProperty. 
+ +### Examples + +#### Populate navigational property from non primary key + +Some configuration elements will be linked to an entity whose id is not known at configuration time. +In this case, another key must be used. On each entity type property, the `IsKey` attribute +specifies that the property can be used as a key during configuration import. + +For example, the _Code_ property of the _Title_ entity type is marked as a key. + +``` + + ... + + +``` + +All _Title_ instances will be replicated from a managed system. So, at configuration time, Identity +Manager's internal primary key for this _Title_ is not known. + +We hence cannot write a _SingleRoleRule_ with a Dimension criteria based on _Title_ as the primary +key. + +We can however, use a non-primary key, that is known in advance, because it depends on the managed +system's data and not on Identity Manager. + +For example, the below `Dimension1` attribute references a _Title_ entity by its _Code_ value. + +``` + + + +``` + +#### Changing the multiplicity of a property + +It is sometimes necessary to change the multiplicity of a property (Scalar property to Navigation +property or vice-versa). As long as the property was not used in any workflow, this can be properly +handled by `Deploy-Configuration.exe`. If it _was_ used in one or more workflows, foreign key +conflicts (in UW_Changes database table) may occur, preventing the configuration from being +deployed. To solve this problem, references to this property must be manually cleaned up with SQL +queries directly in the database before deploying the configuration. 
+ +### Properties + +| Property | Details | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the property in language 1 (up to 16). **Note:** cannot be "Id". | +| FlexibleComparisonExpression optional | **Type** String **Description** Expression used to transform the query input value for comparison using a flexible operator. | +| GroupByProperty optional | **Type** Int64 **Description** Property used to regroup navigation resources (resources used in navigation rules) by value. When defined, the Evaluate policy will enforce that one and only one item of a group can be assigned to an identity on a given date range. **Warning:** whenever the value of this property changes for a resource used in the defined navigation rules, the server needs to be restarted in order for the changes to be taken into account. | +| HistoryPrecision default value: 0 | **Type** Int32 **Description** Defines the number of minutes to wait, after a property change, before triggering the record history mechanism. 
| +| Identifier required | **Type** String **Description** Unique identifier of the property. It must be unique to the parent entity type scope. Cannot be a [ Reserved identifiers ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/reservedidentifiers/index.md) and can only contain numbers (except the first character) and letters without accents. **Note:** cannot be "Id". | +| IsKey default value: false | **Type** Boolean **Description** `true` if the property is designated to be one of the keys that uniquely identify any resource from the entity type in the configuration. Each entity type must have at least one key. **Note:** AD synchronization requires the `dn` property to have either `IsKey` or `EntityTypeMapping` > `Property` > `IsUniqueKey` set to `true` (key property in the UI). | +| Language optional | **Type** Int64 **Description** Language associated to the property if it is localized (optional). | +| NeutralProperty optional | **Type** Int64 **Description** Neutral property associated to the property if it is localized (optional). | +| TargetColumnIndex default value: -1 | **Type** Int32 **Description** Specifies the corresponding column in the resource entity. `0` to `3`: scalar property whose value exceeds 443 characters. `4` to `127`: scalar property whose value does not exceed 443 characters (or optimized mono-valued navigation property : see note). `128` to `152`: optimized mono-valued navigation property only. `-1`: non-optimized mono or multi-valued navigation property (stored in `UR_ResourceLink`), or binary (stored in `UR_ResourceLink`). **Note:** optimized mono-valued navigation properties should have their `TargetColumnIndex` between 128 and 152 included to be fully optimized. However, if all are already taken, `TargetColumnIndex` from 0 to 127 included (usually for scalar properties) may also be used. In this case the first available `TargetColumnIndex` in ascending order should be used. 
| +| Type default value: 0 | **Type** EntityPropertyType **Description** Property type. `0` - **String**. `1` - **Bytes**. `2` - **Int32**. `3` - **Int64**. `4` - **DateTime**. `5` - **Bool**. `6` - **Guid**. `7` - **Double**. `8` - **Binary**. `9` - **Byte**. `10` - **Int16**. `12` - **ForeignKey**: indicates a navigation property, i.e. a property related to an association between entities. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md new file mode 100644 index 0000000000..b0a02cc60c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/index.md @@ -0,0 +1,10 @@ +# Metadata + +- [ Access Control Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/accesscontrolentitytype/index.md) +- [ Binding ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) +- [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +- [ Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entityassociation/index.md) +- [ Entity Property Expression ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitypropertyexpression/index.md) +- [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +- [ Language ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md) +- [ Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md) 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/language/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/language/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md new file mode 100644 index 0000000000..f953bd38cf --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md 
@@ -0,0 +1,94 @@ +# App Display Setting + +This setting is used to customize the application display. + +## Examples + +Here are some examples of display settings that can be customized: + +### Set colors, logos and names + +The following example sets: + +- Netwrix Identity Manager (formerly Usercube) as name of the application visible on the tabs; +- The logo to be displayed in the top left corner; +- The favicon to be displayed on the tabs; +- The **banner color**, **banner gradient color**, **banner selected tab color**, **banner text + color**, **primary color** and **secondary color**. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +Colors, logo and name customization: + +![AppDisplay - Basic Screen](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen2_v603.webp) + +Display colors customization: + +![AppDisplay - Authentication](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_screen1_v603.webp) + +### Disable counters + +The following example disables the counters that are usually visible on the dashboard: + +![AppDisplay - Without Counters](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_counters_v603.webp) + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +![AppDisplay - Without Counters](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/appdisplaysetting_nocounters_v603.webp) + +### Features + +The feature **Only allow approving and refusing on access certifications items** gives the +administrator the option to limit the user's option to either **Approve** or **Deny** the Access +Certification items while making the **More** button unavailable. + +![allowapprovingdenyingaccesscertificationitems](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) + +The following example disables the **More** button that is usually visible on certification screen: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +  +``` + +If the feature **Only allow approving and denying on access certification items** is set to **Yes**, +the **More** button is disabled. + +![accesscertificationonlyapprovedeny-disabled](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) + +See the +[Configure Global Settings](/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md) +topic for additional information. + +## Properties + +| Property | Type | Description | +| ------------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApplicationName (optional) | String | Name of the application, visible on the application's tabs. 
| +| AccessCertificationOnlyApproveDeny (optional) | Boolean | True to hide the **More** button on the access certification screens, only allowing **Approve** and **Deny** actions. The default value is **false**. | +| BannerColor (optional) | String | HEX code of the color for the banner, i.e. the header displaying logo and navigation bar. | +| BannerGradientColor (optional) | String | HEX code of the color for the banner's gradient to be visible at the middle of the banner. | +| BannerSelectedTabColor (optional) | String | HEX code of the color for the line that emphasizes the selected tab. | +| BannerTextColor (optional) | String | HEX code of the color for the banner's text. | +| DisableProvisioningCounters (default value: false | String | True to disable the counters related to the administration screens: **Role Review**, **Provisioning Review**, **Role Reconciliation**, **Resource Reconciliation** and **Manual Provisioning**. | +| FaviconFile (optional) | String | Path of the favicon to be displayed in the application's tabs. | +| FaviconMimeType (optional) | String | Mime type of the favicon. | +| FullNameSeparator (default value: �) | String | Separator of the full name. | +| Identifier (default value: AppDisplay) | String | Unique identifier of the setting. | +| LogoFile (optional) | String | Path of the logo to be displayed in the top left corner. | +| LogoMimeType (optional) | String | Mime type of the logo. | +| Preview (optional) | String | Documentation unavailable. | +| PrimaryColor (optional) | String | HEX code of the color for the highlighted buttons. | +| SecondaryColor (optional) | String | HEX code of the color for the background of the authentication screen. | 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md new file mode 100644 index 0000000000..94a4ac2cf8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/index.md 
@@ -0,0 +1,45 @@ +# Settings + +- [App Display Setting](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/appdisplaysetting/index.md) + + This setting is used to customize the application display. + +- [ Configuration Version Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/configurationversionsetting/index.md) + + Used to track the current configuration version. + +- [ Custom Link 1 Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink1setting/index.md) + + Used to display a given static HTML file to a custom URL address. + +- [ Custom Link 2 Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/customlink2setting/index.md) + + Used to display a given static HTML file to a custom URL address. + +- [ Dashboard Item Number Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/dashboarditemnumbersetting/index.md) + + Used to customize the number of links to display on each section on the Dashboard. If no value + is defined, the default value is 3. The value must be greater than 0 and less than or equal + to 5. + +- [ Mail Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md) +- [ Password Generation Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md) +- [ Password Tests Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md) + + This setting enables a check on the passwords set manually by users. 
+ +- [ Scheduling Clean Database Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md) + + If the default value for the Task CleanDataBase needs to be overridden. + +- [ Select All Performed by Association Query Handler Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md) + + This setting enables task delegation to a group of people. + +- [Select Personas by Filter Query Handler Setting](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md) + + This setting is used to filter the entity type used by authentication mechanism. + +- [ Select User by Identity Query Handler Setting ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md) + + This attribute matches an end-user with a resource from the unified resource repository. diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/mailsetting/index.md 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordgenerationsetting/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md new file mode 100644 index 0000000000..5c6d07d1d4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/passwordtestssetting/index.md 
@@ -0,0 +1,24 @@ +# Password Tests Setting + +This setting enables a check on the passwords set manually by users. + +The strength of passwords generated by Identity Manager can be configured via +[ Password Reset Settings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/passwordresetsettings/index.md) StrengthCheck. + +## Examples + +The following example encourages users to choose a strong password with at least 9 characters +including at least one digit, one lowercase letter, one uppercase and one special character. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier default value: PasswordTests | **Type** String **Description** Unique identifier of the setting. | +| PasswordRegex optional | **Type** String **Description** Regular expression(s) (regex) that users' passwords must match to be acceptable when set manually. When setting several regex, passwords must match all of them to be considered strong, and 70% to be considered average. Below that, a password is considered weak and cannot be confirmed. **Default value:**`'^..*$', '^...*$', '^....*$', '^.....*$', '^......*$', '^.......*$', '^........*$', '^.........*$', '^..........*$', '^.*[0-9].*$', '^.*[a-z].*$', '^.*[A-Z].*$', '^.*[^A-Za-z0-9].*$'` | 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/schedulingcleandatabasesetting/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectallperformedbyassociationqueryhandlersetting/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectpersonasbyfilterqueryhandlersetting/index.md 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md new file mode 100644 index 0000000000..4a9c784f7b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/settings/selectuserbyidentityqueryhandlersetting/index.md 
@@ -0,0 +1,59 @@ +# Select User by Identity Query Handler Setting + +This attribute matches an end-user with a resource from the central repository. + +Authorization mechanisms within Identity Manager rely on assigning a profile to a resource that +stands for the end-user digital identity. + +To that end, end-user authentication credentials are linked to such an identity using the following +pattern: + +1. authentication credentials are retrieved; +2. authentication credentials are trimmed using the `AfterToken` and/or `BeforeToken` attributes; +3. the trimmed result is matched against the `ResourceIdentityProperty` of resources with the entity + type specified by `OwnerEntityType`; +4. the matching resource is used to find a profile and authorization for that digital identity. + +After modifying the authentication mode via `SelectUserByIdentityQueryHandlerSetting`, Identity +Manager server must be restarted. On a SaaS environment, contact your Identity Manager +administrator. + +## Examples + +The following example links the authentication credentials of an end-user to its matching resource +of EntityType **Directory_User**. + +In this example, authentication has been set up using +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md). +In that case, the login used by the end-user is in the form `DOMAIN/userName`. + +The **AfterToken** attribute parses the `DOMAIN/userName` string into `userName`. + +The parsed result `userName` is compared with `AD_Entry:sAMAccountName` property value of +**Directory_User** resources. + +The matching **Directory_User** resource is the resource that stands for the end-user identity +within Identity Manager. 
+ +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| AfterToken optional | **Type** String **Description** Second character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| BeforeToken optional | **Type** String **Description** First character used to trim the authentication login. The trimmed result is the content of the authentication login between `AfterToken` and `BeforeToken`. If `BeforeToken` is empty, trimmed result is everything after `AfterToken`. If `AfterToken` is empty, trimmed result is everything before `BeforeToken`. | +| Identifier default value: SelectUserByIdentityQueryHandler | **Type** String **Description** Unique identifier of the setting. | +| OwnerEntityType optional | **Type** String **Description** Entity type of the resources used to store digital identities within Identity Manager. | +| OwnerPhotoTagProperty optional | **Type** String **Description** Photo property for Identity Manager users. | +| ResourceDisplayNameProperty optional | **Type** String **Description** Property used for displaying login data at the top right of the application. | +| ResourceIdentityProperty optional | **Type** String **Description** Identity-resource property supposed to match the authentication login used by the end-user. | 
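Review bot: in selectuserbyidentityqueryhandlersetting/index.md the fenced block under `## Examples` is empty, so the walk-through before it (`AfterToken` turning `DOMAIN/userName` into `userName`, matched against `AD_Entry:sAMAccountName` on **Directory_User**) has no XML to refer to; restore the `SelectUserByIdentityQueryHandlerSetting` element with the attribute values the text describes. Because this setting decides which resource, and therefore which profile, an authenticated login maps to, step 3 should also say what happens when the trimmed login matches no resource or more than one, and whether `ResourceIdentityProperty` must be unique across `OwnerEntityType` resources once the `DOMAIN` part has been trimmed away. In the Properties table, `AfterToken` is called the "Second character" and `BeforeToken` the "First character", which does not match the order in which the tokens appear in the login (the kept text sits between `AfterToken` and `BeforeToken`); describing each as the delimiter the kept text comes after or before would be clearer.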
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md new file mode 100644 index 0000000000..6bcf81d3ff --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/index.md @@ -0,0 +1,5 @@ +# Notifications + +- [ Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md) +- [ Notifications (Typed) ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md) +- [Notification Template](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md new file mode 100644 index 0000000000..fc5645a2fc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notification/index.md 
@@ -0,0 +1,40 @@ +# Notification + +A notification can be configured to be sent to a given user on a regular basis at specified times, +through the [ Send Notifications Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/sendnotificationstask/index.md) as +part of a job. + +## Examples + +The following example defines a notification to inform/remind managers of the arrival of new +employees in their team. + +The notification is built based on: + +- the template `Notification.cshtml`; +- the styles `Notification.css`; +- the subject defined by `TitleExpression`. + +The notification is sent for each new user, i.e. each user whose contract start date is in the +future. The notification is sent to the new user's manager(s). + +The notification will be sent again as a reminder after 7 days, by the next `SendNotificationsTask`. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression` and `QueryFilterExpression`. 
| +| QueryFilterExpression optional | **Type** String **Description** C# expression that returns a Identity Manager Squery in order to define the sending condition of the notification. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** required when creating a customized notification with ``. | +| RecipientMailBinding optional | **Type** Int64 **Description** Binding of the property that corresponds to the email addresses that will receive the notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md new file mode 100644 index 0000000000..f23cd94305 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md 
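Review bot: in notifications/notification/index.md (the hunk that ends just above this file header), the example text says the reminder goes out "after 7 days" while `ReminderInterval` is documented in minutes, and the fenced example is empty, so the reader never sees the value that produces 7 days; restore the `Notification` XML and state the interval explicitly (7 days is 10080 minutes). The `CssTemplate` and `RazorTemplate` rows both end with "required when creating a customized notification with ``", where the inline code is empty, so the condition that makes these optional properties required is lost. Minor: "a Identity Manager Squery" in the `QueryFilterExpression` row should read "an".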
@@ -0,0 +1,36 @@ +# Access Certification Notification + +Reminder notification concerning access certification. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for access certification (on resources from `Directory_User`) and have +not yet performed the action. The email's content and styles are those from the original +notification, but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md new file mode 100644 index 0000000000..fdd6e45a84 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/index.md 
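Review bot: in accesscertificationnotification/index.md, `OwnerEntityType` is typed String, while notifications/notification/index.md, added in this same patch, gives the property with the same description the type Int64; one of the two tables is wrong, or the difference needs a sentence of explanation. Both fenced examples are also empty, so the "after 2 days" reminder cannot be checked against `ReminderInterval`, which is in minutes (2 days is 2880). The manual provisioning, provisioning review and role review pages added further down repeat this page's examples and table and need the same fixes.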
@@ -0,0 +1,21 @@ +# Notifications (Typed) + +- [ Access Certification Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/accesscertificationnotification/index.md) + + Reminder notification concerning access certification. + +- [ Manual Provisioning Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md) + + Reminder notification concerning manual provisioning. + +- [ Provisioning Review Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md) + + Reminder notification concerning provisioning review. + +- [Role Policy Notification](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md) + + Reminder notification concerning role model tasks. + +- [ Role Review Notification ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md) + + Reminder notification concerning role review. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md new file mode 100644 index 0000000000..63dee9acfc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/manualprovisioningnotification/index.md 
@@ -0,0 +1,36 @@ +# Manual Provisioning Notification + +Reminder notification concerning manual provisioning. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for manual provisioning (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md new file mode 100644 index 0000000000..563daf8fa9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/provisioningreviewnotification/index.md 
@@ -0,0 +1,36 @@ +# Provisioning Review Notification + +Reminder notification concerning provisioning review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for provisioning review (on resources from `Directory_User`) and have not +yet performed the action. The email's content and styles are those from the original notification, +but the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolepolicynotification/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md new file mode 100644 index 0000000000..253bacee91 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notifications/rolereviewnotification/index.md 
@@ -0,0 +1,36 @@ +# Role Review Notification + +Reminder notification concerning role review. + +## Examples + +The following example sends after 2 days a reminder notification to users who were already notified +by the native notification for role review (on resources from `Directory_User`) and have not yet +performed the action. The email's content and styles are those from the original notification, but +the subject is overridden by `TitleExpression` here. + +``` + + + +``` + +The following example sends the exact same notification as the previous example, but with different +templates for the content and the styles. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the notification. | +| OwnerEntityType required | **Type** String **Description** Identifier of the entity type that represents the population affected by the notification, and the variable type used in `TitleExpression`. | +| CssTemplate optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. **Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| RazorTemplate optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template. **Note:** the path must be relative to the configuration folder, and the file must be inside it. 
**Note:** when no template is specified, the reminder notification will use the same template as the original notification. | +| ReminderInterval default value: 0 | **Type** Int32 **Description** Time period (in minutes) after which a reminder of the original notification should be sent. **Note:** the notification reminder will be sent by the first `SendNotificationsTask` after the reminder interval is exceeded. | +| TitleExpression optional | **Type** String **Description** C# expression that defines the email's subject. The expression's variable type is defined in `OwnerEntityType`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md new file mode 100644 index 0000000000..b73fe6b98a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/notifications/notificationtemplate/index.md 
@@ -0,0 +1,43 @@ +# Notification Template + +A notification template is used to overwrite the subject and/or body of a native notification with +personalized templates. + +Identity Manager natively sends notifications for usual cases. + +These native notifications are based on cshtml templates available inside the `Runtime` folder. If +the provided templates do not meet your exact needs, then they can be replaced by personalized +notification templates. See the +[ Native Notifications ](/docs/identitymanager/saas/identitymanager/integration-guide/notifications/native/index.md)topic for additional information. + +## Examples + +The following example overwrites the template of the notification provided by Identity Manager for +role review. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following example defines a template for the notification's subject. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +// WorkflowReviewRolesSummary_Subject.cshtml +@using Usercube.Application.DeltaProvisioning.Notification +@model WorkflowReviewRolesSummary +Review Roles - @(@Model.AssignedCompositeRoles.Any() ? @Model.AssignedCompositeRoles.FirstOrDefault().Owner.FullName : @Model.AssignedSingleRoles.FirstOrDefault().Owner.FullName) +``` + +## Properties + +| Property | Type | Description | +| --------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BodyTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). 
**NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | +| Identifier required | String | Identifier of the native notification to adjust, among: - `BlockedProvisioningInformations` - `OneWayPasswordReset` - `PendingAccessCertificationModel` - `PerformManualProvisioningSummary` - `RolePolicySummary` - `RunJobNotification` - `TwoWayPasswordReset` - `WorkflowReviewProvisioningSummary` - `WorkflowReviewRolesSummary` | +| SubjectTemplate_L1 optional | String | Path to the Razor cshtml file that defines the email's subject template in language 1 (up to 16). **NOTE:** The path must be relative to the configuration folder, and the file must be inside it. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md new file mode 100644 index 0000000000..041436a151 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md 
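Review bot: in notificationtemplate/index.md, the subject template `WorkflowReviewRolesSummary_Subject.cshtml` falls back to `@Model.AssignedSingleRoles.FirstOrDefault().Owner.FullName`, which dereferences null when both `AssignedCompositeRoles` and `AssignedSingleRoles` are empty; either state that the model always carries at least one assignment or guard the fallback (for example with `?.` and a default subject). The first fenced example is empty, so the `NotificationTemplate` element that overwrites the role review template is missing, and both lead-ins speak of "entering the script in the command line" although what follows is XML configuration and a Razor file, with no `<>` placeholder in either block. In the Properties table the `Identifier` values are run together with ` - ` separators and would read better as a list, and "[ Native Notifications ](...)topic" is missing a space before "topic".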
@@ -0,0 +1,100 @@ +# Automation Rule + +Automation rules make automatic decisions instead of the reviewer on assignments that still need to +be reviewed after a given waiting period. + +There are distinct types of automation rules: + +- A composite role automation rule targets the assigned composite roles corresponding to a given + composite role. + + `CompositeRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `CompositeRole`, and requires specifying the `CompositeRole` property; + +- A single role automation rule targets the assigned single roles corresponding to a given single + role. + + `SingleRoleAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `SingleRole`, and requires specifying the `SingleRole` property; + +- A resource type automation rule targets the assigned resource types corresponding to a given + resource type. + + `ResourceTypeAutomationRule` is equivalent to `AutomationRule` with its `Type` set to + `ResourceType`, and requires specifying the `ResourceType` property; + +- A category automation rule targets the assigned roles and resource types corresponding to a given + category and a given entity type. + + `CategoryAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Category`, + and requires specifying the `Category` and `EntityType` properties; + +- A policy automation rule targets the assigned roles and resource types corresponding to a given + policy and a given entity type. + + `PolicyAutomationRule` is equivalent to `AutomationRule` with its `Type` set to `Policy`, and + requires specifying the `Policy` and `EntityType` properties. + +_Remember,_ Netwrix recommends always using the typed syntax. + +For example, you should always use `SingleRoleAutomationRule`, rather than `AutomationRule` with +`Type` set to `CompositeRole`. + +All these rules target the assignments which have a specific workflow state which is specified in +the rule. 
+ +Automation rules can also specify dimensions. + +One assignment should be involved in the decision of only one automation rule. However, one +assignment can easily be targeted by several automation rules. In this case, the Provisioning Policy +algorithm prioritizes the most specific rule. + +For example, considering an assigned composite role, Identity Manager's algorithm prioritizes a +composite role automation rule, before a category automation rule, before a policy automation rule. + +After this prioritization, when an assignment is still targeted by several rules due to dimensions, +then Identity Manager prioritizes a rule implying a decline decision. + +## Examples + +In the following example, the two first rules are equivalent (except for the workflow state's +value), but the second one shows the preferred syntax. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the first of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the second of two required approvals for more than one hour: +     +    This rule approves all the assignments of the "BO028" single role, which are waiting for their required approval for more than one hour: +     +    This rule approves all the assignments of the "SAB_User_NominativeUser" resource type, which are waiting for their required approval for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "IT Administration" category, which are waiting for the first of two required approvals for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during a synchronization without a 
linked automatic rule, for more than one hour: +     +    This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during the first synchronization without a linked automatic rule, for more than one hour: +     + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | Int64 | Identifier of the category targeted by the rule. | +| CompositeRole optional | Int64 | Identifier of the composite role targeted by the rule. | +| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the assignments targeted by the rule. | +| Decision default value: 0 | AutomationRuleDecision | Decision to apply on the targeted assignments. 0 - Approve. 1 - Decline. | +| EntityType required | Int64 | Identifier of the entity type targeted by the rule. 
This property should not be specified when writing an automation rule among the following: composite role automation rule; single role automation rule; resource type automation rule. These rules imply the entity type. | +| HoursToWait default value: -1 | Int32 | Waiting period (in hours) from the most recent change in the workflow state of the assignments, before the decision can be applied. | +| L0 default value: false | Boolean | True to indicate that the rules targets the assignments with not only the dimension 0 (up to 127), but also this dimension's child elements. | +| Policy optional | Int64 | Identifier of the policy that the rule is part of. | +| ResourceType optional | Int64 | Identifier of the resource type targeted by the rule. | +| SingleRole optional | Int64 | Identifier of the single role targeted by the rule. | +| Type required | AutomationRuleType | Object type targeted by the rule. 0 - CompositeRole. 1 - SingleRole. 2 - ResourceType. 4 - Category. 5 - Policy. | +| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. `0` - **None**: used for Identity Manager's internal computation. `1` - **Non-conforming**: the assignment is not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) `3` - **Pre-existing**: the assignment is not supported by a rule, and it existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) `4` - **Requested**: the assignment is requested via a workflow, but not yet added. **NOTE:** Usually displayed in workflows' summaries. 
![Workflow State: Pending Approval - Requested](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/4_requested_v603.webp) `5` - **Calculated - Missing Parameters**: the assignment was done by a rule which does not specify at least one required parameter for the role. ![Workflow State: Calculated - Missing Parameters](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/5_calculatedmissingparameters_v603.webp) `8` - **Pending Approval**: the assignment must be reviewed manually by a knowledgeable user. ![Workflow State: Pending Approval](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/8_pendingapproval_v603.webp) `9` - **Pending Approval 1 of 2**: the assignment is pending the first approval on a two-step workflow. `10` - **Pending Approval 2 of 2**: the assignment is pending the second approval on a two-step workflow. `11` - **Pending Approval 1 of 3**: the assignment is pending the first approval on a three-step workflow. `12` - **Pending Approval 2 of 3**: the assignment is pending the second approval on a three-step workflow. `13` - **Pending Approval 3 of 3**: the assignment is pending the third approval on a three-step workflow. `16` - **Approved**: the assignment has completed all approval steps. ![Workflow State: Approved](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `17` - **Declined**: the assignment is explicitly declined during one of the approval steps. ![Workflow State: Declined](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/17_declined_v603.webp) `18` - **Calculated**: the assignment is given by one of Identity Manager's rules. 
![Workflow State: Calculated](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/18_calculated_v603.webp) `19` - **Inactive**: the assignment has expired and is not yet removed. Does not appear in the UI. `20` - **Cancellation**: the assignment is inferred by a role that was declined. See the [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. ![Workflow State: Cancellation](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/20_cancellation_v603.webp) `21` - **Suggested**: the assignment comes from a rule of type `Suggested` and appears among suggested permissions in the owner's permission basket. See the [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Suggested](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/21_suggested_v603.webp) `22` - **Suggested**: the assignment comes from a rule of type `Automatic but with Validation` and appears among suggested permissions for a pre-existing user. See the [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. _Remember,_ the states `21` and `22` are both displayed in the UI as **Suggested** but they do not mean the exact same thing. `23` - **Automatic but with Validation**: the assignment comes from a rule of type `Automatic but with Validation` and appears in a new user's permission basket. 
See the [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. `24` - **Approved - Questioned**: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment but the manual approval is authoritative. See the [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic for additional information. ![Workflow State: Approved - Questioned](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/24_approvedquestioned_v603.webp) `25` - **Pending Approval - Risk**: the assignment must be reviewed due to a risk. ![Workflow State: Pending Approval (Risk)](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/25_pendingapprovalrisk_v603.webp) `26` - **Blocked**: the assignment is blocked due to a risk of type `Blocking`. Does not appear in the UI. `27` - **Prolonged**: the assignment has expired but it was set with a grace period. See the [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) topic for additional information. ![Workflow State: Prolonged](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/27_prolonged_v603.webp) `116` - **Approved - Risk**: the assignment is approved despite a risk. ![Workflow State: Approved (Risk)](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/16_approved_v603.webp) `118` - **Given by a Role**: the assignment comes from the assignment of a role. 
For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. ![Workflow State: Given by a Role](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/118_givenbyarole_v603.webp) **Found** - Will match assignments not supported by a rule. ![Workflow State: Non-conforming](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/1_nonconforming_v603.webp) **Historic** - Will match assignments not supported by a rule, which existed before the production launch. ![Workflow State: Pre-existing](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/evaluate-policy/3_preexisting_v603.webp) | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md new file mode 100644 index 0000000000..19adc71d7a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md 
@@ -0,0 +1,26 @@ +# Category + +A category is a classification of Composite Roles, Single Roles or/and +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md). It can be used to group multiple roles of the same +context. + +## Examples + +The following example declares a new category called "Shares - Public". + +``` + + + +``` + +## Properties + +| Property | Details | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Description_L1 optional | **Type** String **Description** Describe this category in detail. | +| DisplayName_L1 required | **Type** String **Description** Display name of the category in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the category. | +| IsCollapsed default value: false | **Type** Boolean **Description** Defines if the category must be collapsed by default in the permission list of a resource (View Permissions popup and roles basket). | +| Parent optional | **Type** Int64 **Description** Represents the parent category definition. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the category is part of. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md new file mode 100644 index 0000000000..7d1e8f4c0a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md 
@@ -0,0 +1,54 @@ +# Composite Role + +Defines basic information about a composite role. Composite roles identify affiliations or job +functions by which users can be grouped. A composite role is a business role comprehensible by +managers. It provides a layer of abstraction above existing entitlements, technical roles and single +roles. + +Roles can be used to: + +- Grant various types and levels of access. +- Restrict access to sensitive information assets by grouping entitlements in a form that is + meaningful to the business. +- Grant the minimum privileges required by an individual to perform their job. + +Roles can be requested manually, or they can be configured to be assigned automatically via a +[Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). To further control access, roles can be +related via required, inherited, or permitted relationships. + +## Examples + +The following example declares a new composite role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +     + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Number of validations required to assign manually the composite role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. | +| Category optional | Int64 | Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. 
`0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| Description_L1 optional | String | Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | String | Display name of the composite role in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type whose resources can receive the composite role. | +| GracePeriod optional | Int32 | Duration (in minutes) for which a lost automatic composite role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | Boolean | `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Unique identifier of the composite role. | +| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the composite role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. 
| +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextModeRole | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaxDuration optional | Int32 | Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | Int64 | Identifier of the policy that the role is part of. | +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. | +| R0 default value: false | Boolean | `true` to set the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| Tags optional | String | Tags of the roles targeted by the campaign filter. The tag separator is ¤. | 
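Review bot: in the automation rule Properties table that closes just before the category/index.md diff, `EntityType` is marked "required" while its own description says it should not be specified for composite role, single role and resource type automation rules. Mark it as conditionally required, or state the exception next to the "required" label, so that readers do not set it on rules that already imply the entity type. In the `WorkflowState` cell, `116` - **Approved - Risk** links to 16_approved_v603.webp, the same image used for `16` - **Approved**. The trailing **Found** and **Historic** entries have no numeric value and reuse the Non-conforming and Pre-existing images, so the table should say whether they are aliases of `1` and `3`.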
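Review bot: in category/index.md, the opening sentence "a classification of Composite Roles, Single Roles or/and [Resource Type]" mixes plural and singular and uses "or/and"; suggest "Composite Roles, Single Roles and/or Resource Types". In the Properties table, `Description_L1` ("Describe this category in detail.") drops the "in language 1 (up to 16)" qualifier that the `DisplayName_L1` row carries, and `Parent` is typed Int64 but described as "the parent category definition" rather than as the identifier of the parent category. This page also uses a two-column Property/Details layout, while the composite role page added in the same change uses Property/Type/Description; pick one layout for the provisioning pages.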
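Review bot: in compositerole/index.md, the `Description_L1` row reads "Detailed description of the single role in language 1 (up to 16)", which looks copied from the single role page; it should say "composite role", as the `DisplayName_L1` row below it does. The `Tags` row ("Tags of the roles targeted by the campaign filter") likewise describes a campaign filter rather than the tags set on this role. `ApprovalWorkflowType` gives a default of 0 and a range "from `None` to `Three`" without saying which name 0 maps to. Because that default determines how many validations a manual assignment needs, list the numeric values explicitly, as the `ImplicitApproval` row does. The sentence before the example, about replacing `<>` attributes "before entering the script in the command line", also reads oddly for an XML configuration snippet and should be reworded or dropped.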
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md new file mode 100644 index 0000000000..cfe5e96646 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md 
@@ -0,0 +1,19 @@ +# Context + +A context is the result of the combination of all identity-related entities, for example personal +data, contracts or positions, so that all dimension values contained in a given context are valid +for a given user on a given period of time. + +Contexts define the resources' scopes of responsibility. They are used during provisioning to +simplify the application of the role model's rules based on dimensions. + +See the +[ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) +for additional information about context generation. + +## Properties + +| Property | Details | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | +| Automatic default value: false | **Type** Boolean **Description** Specifies the automatic assignments. | +| D0 optional | **Type** Int64 **Description** Dimension0 identifier, specifies the scope in which the assignment is restricted. Going from 0 to 127. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md new file mode 100644 index 0000000000..c418a5624f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md 
@@ -0,0 +1,191 @@ +# Context Rule + +A context rule configures, for the identities of a given entity type, the generation of contexts +which are used in provisioning to simplify the application of the role model's rules. + +A context rule should be created for each entity type for which we want to assign entitlements +automatically based on users' attributes. + +Without a context rule, automatic entitlements (assigned via the role model's rules): + +- cannot be assigned based on users' attributes; +- don't have specific start and end dates, so they are valid from the resource creation until its + deletion. + +See the +[ Identity Lifecycle: Joiners, Movers and Leavers ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/index.md) +for additional information about context generation. + +A context rule can be configured with [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) in situations +where a user needs to be modeled by several contexts over time or simultaneously. + +Without record sections, a context rule can generate only one context per user. This means that +users cannot have more than one contract, or position, at a time, and that data changes cannot be +anticipated. + +## Examples + +The following example generates contexts, i.e. sets of dimension-value pairs, for users from +`Directory_User` as resources of `Directory_User:Records`. + +Both the start and end dates of the future contexts are defined with C# expressions based on users' +contract and position start/end dates. + +All contexts are to be made of the properties specified by the bindings `B0` to `B7`. + +``` + + + +``` + +### ExcludeExpression + +The following example is similar to the previous one, except that we choose to exclude users +declared as "draft" from the role model and provisioning calculations. 
+ +``` + + + +``` + +This option can exclude workers who are not validated yet, or who have left the company, for +example. + +### RiskFactorType + +The following example is similar to the previous one, except that we force the final risk score of a +user to be the maximum value of all their risk scores. + +``` + + + +``` + +### Role mining + +Context rules also contain some parameters for +[ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md). + +Users are distributed in a hypercube made of all dimensions, like in the following table (left) when +we have only 2 dimensions, where for example `1`, `2`, `3`, etc. are users' possible locations, and +`A`, `B`, `C`, etc. are users' possible departments in the company. When considering one dimension +and sorting the dimension values per user percentage, we get the following table (right). + +![Role Mining Tables](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/contextrules_rolemining.webp) + +The tables here represent a simple situation with few dimensions. But the higher the number of +dimensions, the more complex are role mining's computations. This is known as the curse of +dimensionality. + +The following example is similar to the first one, except that we customize some role mining +parameters which help tackle the curse of dimensionality: + +- `MinIdentitiesCount` establishes that the role mining's engine will generate a role assignment + rule only when the rule is applicable to at least 5 users; +- `ReductionOutlierPercentage` establishes that the role mining's engine will consider the last 2.0% + dimension values (from `Y` to `Z` in the table above) to be grouped together in a single category + "Others". 
+ + The definition of the outlier percentage is particularly useful when managing, for example a + services company with thousands of distinct organizations, where many organizations contain only + one or two users. We can safely choose to group into a single fictitious organization the 2% of + all users that involve the smallest organizations. + +``` + + + +``` + +### Certification items + +Unlike `ResourcesStartBinding` and `ResourcesEndBinding`, `ResourcesStartExpression` and +`ResourcesEndExpression` cannot be used to define the resources to include in the related +certification campaigns. Thus, when needing to define which resources to include with more than +start/end bindings, add a comparison based on `ResourceCertificationComparisonBinding`, +`ResourceCertificationComparisonOperator` and `ResourceCertificationComparisonValue`. + +The following example includes in certification campaigns only the resources that have their +`IsActivePosition` property set to `1`. + +``` + + + +``` + +**Note:** must be configured together with the other `ResourceCertificationComparison` properties. + +**Note:** when not specified, certification items are defined by `ResourcesStartBinding` and +`ResourcesStartBinding`. 
+ +## Properties + +| Property | Details | +| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| B0 optional | **Type** Int64 **Description** Binding of the dimension 0 (up to 3V in [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)). The dimension can then be used in rules to filter the rules' targets. | +| DisplayName_L1 required | **Type** String **Description** Display name of the context rule in language 1 (up to 16). | +| ExcludeExpression optional | **Type** String **Description** C# expression that defines the resources to exclude from context generation, because they should not be part of the role model and provisioning calculations. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Identifier required | **Type** String **Description** Unique identifier of the context rule. | +| MinIdentitiesCount default value: 0 | **Type** Int32 **Description** Minimum number of identities to take into account to generate a rule by the role mining engine. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| ReductionOutlierPercentage default value: 0.0 | **Type** Float **Description** Proportion of identities that are grouped together by role mining to aggregate all the small entities in one "other" category. This is used to speed up the mining process as the number of groups can be greatly reduced. | +| ResourceCertificationComparisonBinding optional | **Type** Int64 **Description** Binding of the property whose value is to be compared to `ResourceCertificationComparisonValue` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonOperator optional | **Type** QueryComparisonOperator **Description** Operator of the comparison that specifies the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourceCertificationComparisonValue optional | **Type** String **Description** Value to be compared to the value of `ResourcesCertificationComparisonBinding` in order to specify the resources to include in the related certification campaigns. **Note:** must be configured together with the other `ResourceCertificationComparison...` properties. **Note:** when not specified, certification items are defined by `ResourcesStartBinding` and `ResourcesStartBinding`. 
And when they are not specified either, there is no filtering, so all valid resources (those with `ValidTo` later than today's date) are included. | +| ResourcesBinding optional | **Type** Int64 **Description** Binding that represents the entity type of the contexts to be created from the `SourceEntityType`. It can also be defined via `ResourcesExpression`. | +| ResourcesEndBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the end of validity for all [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesEndExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesEndExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the end of validity for all [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesEndBinding`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesExpression optional | **Type** String **Description** Expression based on `SourceEntityType` that defines the entity type of the contexts to be created. 
It can also be defined via `ResourcesBinding`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| ResourcesStartBinding optional | **Type** Int64 **Description** Binding of the date property among those from `ResourcesBinding` which specifies the beginning of validity for all [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesStartExpression`. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| ResourcesStartExpression optional | **Type** String **Description** Expression based on the `ResourcesBinding` entity type that defines the beginning of validity for all [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) properties of the context. It can also be defined via `ResourcesStartBinding`. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** a context rule's start and end dates are ignored when the related identities are also configured with [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md). | +| RiskFactorType optional | **Type** RiskFactorType **Description** Operator used to aggregate a user's risk scores together to compute the user's global risk score. `0` - **None**. `1` - **Max**: a user's final risk score is the maximum value among all their risk scores. 
`2` - **Average**: a user's final risk score is the average value of all their risk scores. | +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md new file mode 100644 index 0000000000..33504645ff --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/index.md 
@@ -0,0 +1,23 @@ +# Provisioning + +This section describes different entities that manages the process of granting, changing, or +removing user permissions to systems, applications and databases based on the security policy. + +- [Automation Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +- Bulk Change +- [ Category ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +- [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +- [Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md) +- [ Context ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/context/index.md) +- [ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +- [ Indirect Resource Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md) +- [ Mining Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +- [Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) +- [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) +- [ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +- [ Resource Correlation Rule 
](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +- [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +- [ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +- [ Role Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +- [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +- [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/indirectresourcerule/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md new file mode 100644 index 0000000000..92da3427ec --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md 
@@ -0,0 +1,66 @@ +# Mining Rule + +After roles are assigned to users, Identity Manager can use mining rules to perform role mining. +Role mining means that Identity Manager analyzes existing assignments in order to suggest +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) which will assign +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) to certain users matching given criteria. + +The [ Build Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/buildrolemodeltask/index.md) replaces the +existing single role rules in the specified rule policy with the new generated ones. + +## Examples + +The following example set of mining rules targets the roles owned by users from `Directory_User`. +These mining rules are part of the `Default` policy while the role assignment rules are to be +generated to be part of the `Mining` policy. + +The following rules have a different impact whether they are applied individually, or all together. +Indeed, during role mining, the first mining rule of type `Required` applies to given roles with a +given precision, then the second mining rule applies to a larger group of roles but only to those +still with no linked single role rules. + +- The first rule will generate required rules (i.e. automatic assignments) for sensitive assignments + that require 2 or 3 validations, with a high precision (via `PrecisionMinPercentage` and + `FalsePositiveMaxPercentage`). + + ``` + + + + ``` + +- The second rule will generate required rules (i.e. automatic assignments) for all assignments, + with a lower precision. + + ``` + + + + ``` + +- The third rule will generate suggested rules (i.e. assignments listed as suggested in users' + permission baskets) for all assignments, with an even lower precision. 
+ + ``` + + + + ``` + +## Properties + +| Property | Details | +| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Category optional | **Type** Int64 **Description** Identifier of the category containing the roles targeted by role mining's analysis. | +| EntityType required | **Type** Int64 **Description** Identifier of the entity type that represents the owners of the roles targeted by role mining's entitlement analysis. | +| ExcludeRole default value: false | **Type** Boolean **Description** `true` to ignore the specified roles during the mining process triggered by the next mining rules (in terms of priority). | +| FalsePositiveMaxPercentage default value: 0.0 | **Type** Float **Description** Maximum authorized percentage of false positive assignments, i.e. roles that are assigned to users who should not have them. Netwrix Identity Manager (formerly Usercube) recommends around 1%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| IncludeDoubleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring two validations. | +| IncludeNoValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring zero validations. 
| +| IncludeSimpleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring one validation. | +| IncludeTripleValidation default value: true | **Type** Boolean **Description** `true` to include in role mining's analysis the roles requiring three validations. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the mining rule is part of. | +| PrecisionMinPercentage default value: 100.0 | **Type** Float **Description** Minimum authorized percentage of correct role assignments, considering both the roles that are assigned to users who should have them, and the roles that are not assigned to users who should not have them. NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application and/or a large user population, and vice versa. | +| Priority default value: 0 | **Type** Int32 **Description** Priority order of the mining rule. Identity Manager applies mining rules one after the other in descending order. **Info:** a mining rule can generate single role rules only for the single roles that were not already associated with a single role rule by another mining rule during the same role mining task. | +| RulePolicy optional | **Type** Int64 **Description** Identifier of the policy that the generated single role rules are to be part of. **Note:** NETWRIX recommends using a policy dedicated to role mining in order not to remove existing assignment rules. | +| RuleType default value: 0 | **Type** Int32 **Description** Represents the type of the generated single role rules. `0` - **Required**: the role is automatically assigned to users matching the criteria. `1` - **RequestedAutomatically**: the role is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is `Suggested`. 
`2` - **Suggested**: the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md new file mode 100644 index 0000000000..fa522639ea --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md 
@@ -0,0 +1,44 @@ +# Policy + +A policy is a next generation access control (NGAC) which works by assigning permissions to users +based on their roles within an organization, and other dimensions and attributes. A policy is a +sub-group of the role model, containing roles and rules, that allows an administrator to manage the +access specific to their applications. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +All `ResourceType`, `SingleRole`, `CompositeRole` and `Category` must belong to a Policy. This is +done by specifying the `Policy` attribute. See the [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md), +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md), [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) and +[ Category ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) topics for additional information. 
+ +``` + +``` + +## Properties + +| Property | Type | Details | +| ------------------------------------------------------------------------------------------ | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| CommentActivationOnApproveInReview default value: Optional | CommentActivation | Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to approve it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnDeclineInReview default value: Required | CommentActivation | Indicates if a comment is enabled when reviewing a role request associated with the policy, and deciding to refuse it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnDeleteGapInReconciliation default value: Optional | CommentActivation | Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to delete it. 0 - Disabled. 1 - Optional. 2 - Required. | +| CommentActivationOnKeepGapInReconciliation default value: Required | CommentActivation | Indicates if a comment is enabled when reviewing a non-conforming role assignment associated with the policy, and deciding to keep it. 0 - Disabled. 1 - Optional. 2 - Required. | +| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the access to the policy and its roles. | +| DisplayName_L1 required | String | Display name of the policy in language 1 (up to 16). 
| +| GracePeriod default value: 0 | Int32 | Duration (in minutes) for which a lost automatic entitlement associated with this policy is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. This value can be overwritten for each composite role and single role. | +| HasImplicitApproval default value: false | Boolean | True to skip the approval circuit when the requester has the appropriate review permissions. This value can be overwritten for each policy object (composite role, single role, resource type). | +| Identifier required | String | Unique identifier of the policy. | +| IsExternal default value: false | Boolean | True to indicate that the policy's roles are outside Identity Manager's scope. The roles are managed by an external source, and Identity Manager cannot add, update nor delete any role. | +| IsProvisioningEnabled default value: false | Boolean | True to enable the provisioning policy. | +| IsSimulationEnabled default value: false | Boolean | True to enable the provisioning policy simulation. | +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextMode | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. 
| +| MaxDuration default value: 0 | Int32 | Duration (in minutes) after which the assignments induced by the policy will be automatically revoked, if no earlier end date is specified. It impacts only the assignments which are performed after the maximum duration is set. Pre-existing assignments are not impacted. | +| ProlongationWithoutApproval default value: false | Boolean | True to allow the policy's roles to be extended without any validation. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md new file mode 100644 index 0000000000..344b8da91b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md 
@@ -0,0 +1,192 @@ +# Record Section + +Record sections shape identity data for a given entity type, by grouping properties into sections, +for example personal data, contract or position. + +Record sections impact the generation of identities' contexts which contain users' dimension values +valid on a given period of time. The aim is to simplify the application of the role model' rules for +provisioning. + +Thanks to this data organization in sections, the identities of a given entity type can be modeled +by more than one context over time, even simultaneously. This means that users can have more than +one contract, or position, at a time, and that data changes can be anticipated. + +See the +[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md)for +additional information on identity modeling. + +**Configuration recommendations:** + +As record sections cannot be configured without a [ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md), Netwrix +Identity Manager (formerly Usercube) recommends starting with the configuration of the context rule +before configuring record sections. + +Netwrix Identity Manager (formerly Usercube)recommends defining at least two record sections: a +default section for the properties shared by all records, and another section for a given set of +properties which differentiate between records. The default section must contain zero properties, +the shared properties are those that are not defined in the other section(s). + +For example, to model several positions for a single user, we configure the default record section +to contain the properties shared by all positions such as personal data, and we configure the +position section to contain the properties specific to each position. 
Similar to the position +section, we can also typically configure a section for contracts. + +## Examples + +The following example models users from the `Directory_User` entity type with three sets of +properties: user properties, contract properties and position properties. All created records will +be resources from the `Directory_UserRecord` entity type. + +The properties from the contract (or position) section are the properties specific to each contract +(or position). The properties from `Directory_User` that are not specified in the record sections +are the properties shared between all records, here user properties. + +Each section must be defined with start and end dates, so that Identity Manager's engine is able to +combine all periods of validity and apply the rules with the right input at any time. + +``` + +Default section: + ... + + +Contract section: + ... + + +Position section: + ... + + +``` + +### InstanceKeyExpression + +The following example computes a unique key for each record section instance. This way, we can +distinguish between contracts thanks to their identifiers, same for positions, and between user +property sets thanks to a C# expression based on the start date. + +``` + +Default section: + + +Contract section: + ... + + +Position section: + ... + + +``` + +An instance key is required when we need to uniquely identify a context, i.e. when we may have +several simultaneous contexts. + +For example, an instance key is required for the position section when users can have overlapping +positions. + +### IsDefaultBoundariesSection + +The following example uses the contract start/end dates as default boundaries in users' validity +period, instead of those from the default section. See the +[ Onboarding and Offboarding ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/on-offboarding/index.md) +topic for additional information. 
It may be because, for example, HR services do not enter an end +date for the personal data of users on permanent contracts. So we prefer to use the start and end +dates of their contracts. + +``` + +Contract section: + ... + + +``` + +### Context extension + +There can be some time gap where no context is defined, for example a time gap with a position but +no contract or vice versa. Identity Manager offers the possibility to choose whether an existing +context is to be extended to the period without context. And in case we decide to use another +context and extend its values, which context should it be? + +![Schema - ExtensionKind](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/recordsection_extensionkind.webp) + +Here, we decide to extend an existing contract to the gap, for example because users' email +addresses are built using the contract type to add `-ext` for external users. And we decide to not +extend the position. + +In the following example, the contract section uses `SortKeyExpression` to establish between +existing contracts a priority order that will determine which contract should be extended to the +gap. Based on this C# expression that returns a value `A`, `B` or `C`, the `ExtendedSortKey` +considers as extendable only the contract(s) whose expression returns `C`. + +The position section uses `ExtensionKind` set to `None` to block the extension mechanism. + +``` + +Contract section: + ... + + +Position section: + ... + + +``` + +When not specifying any sort key nor extended sort key, Identity Manager will select a context to +extend to the gap. However, it may not be functionally the most meaningful context. 
+ +## Properties + +| Property | Details | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| BoundaryKind default value: 0 | **Type** RecordBoundaryKind **Description** Defines how the section dates are computed for a resource, when the current start/end dates are null. `0` - None: start date and end date are equal respectively to the minimum value of `StartProperty` and maximum value of `EndProperty` when comparing the default sections of all records. `1` - Kept: start and end dates are equal respectively to the default start date (1900/01/01 00:00:00) and end date (2079/06/06 00:00:00). **Info:** the boundary has no effect on the default section which is the reference to compute the default dates in other sections. When the default section's start/end dates are null, then they equal the default start/end dates. | +| DisplayName_L1 required | **Type** String **Description** Display name of the section in language 1 (up to 16). | +| EndProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the end of validity for all the Record Section of the section. It cannot be a property computed by an `EntityPropertyExpression`. 
| +| ExtendedSortKey optional | **Type** String **Description** Value used as a threshold for `SortKeyExpression` values to determine whether the Record Section property values of a given record section can be extended from a context where the values are defined to another context where no properties from the section are defined. This extension is enabled only when the value of `SortKeyExpression` of the section is higher (with an ordinal comparison) than `ExtendedSortKey`. | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the section's property values can be extended (copied) from a context where the properties are defined to another context where no properties from the section are defined. `0` - Default: the section's property values can be extended. `4` - None: the section's property values cannot be extended. | +| Identifier required | **Type** String **Description** Unique identifier of the section. | +| InstanceKeyExpression optional | **Type** String **Description** Expression returning a key to uniquely identify a context, i.e. distinguish between job positions for example when users can have several concurrent positions, or between contracts. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IsDefaultBoundariesSection default value: false | **Type** Boolean **Description** `true` to use the start/end dates of this section as the default boundaries, i.e. the start/end dates of users' validity period. When no section has `IsDefaultBoundaries` set to `true`, the default section (the one without properties) is automatically selected. | +| ResourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the multiple records to be created. 
| +| SortKeyExpression optional | **Type** String **Description** C# expression used to compute a value for each record, to be used as a priority, following an ordinal comparison. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. When a record section has `ExtensionKind` set to `Default` and a priority value higher than `ExtendedSortKey`, then the record property values can be extended from a context where the values are defined to another context where no properties from the section are defined. | +| SourceEntityType required | **Type** Int64 **Description** Identifier of the entity type of the parent resource. | +| StartProperty optional | **Type** Int64 **Description** Date property among those from the `ResourceEntityType` which specifies the beginning of validity for all he Record Section properties of the section. It cannot be a property computed by an `EntityPropertyExpression`. | + +## Child Element: Property + +A record section is a set of record properties which belong to the resource entity type. + +### Examples + +In the following example, the position section gathers the properties `Organization`, `Location` and +`Title`, while the default section gathers all the other properties from `Directory_UserRecord`. + +The property `Location` can be extended from a context where the location is defined to a context +where it is not. The two other properties cannot be extended. + +See the Record Section topic for additional information. 
+ +``` + +Default section: + + + +Position section: + + + + +``` + +### Properties + +| Property | Details | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ExtensionKind default value: 0 | **Type** RecordExtensionKind **Description** Defines whether the property value can be extended (copied) from a context where the section properties are defined to another context where no properties from the section are defined. `0` - Default: the property value can be extended. `4` - None: the property value cannot be extended. **Note:** a property value can be extended only if the section is extendable too. | +| IsExcluded default value: false | **Type** Boolean **Description** Excludes the given property from the section. This is used only in the default section to remove properties such as the RecordIdentifier that are always different between all the records and that are thus not interesting for the provisioning rules. | +| Property required | **Type** Int64 **Description** Identifier of the property from the record section's `ResourceEntityType` that is to be part of the section. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md new file mode 100644 index 0000000000..fd1b0a69b4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md 
@@ -0,0 +1,25 @@ +# Resource Classification Rule + +In Identity Manager, this type of rule is used to classify the resources based on a C# expression. + +## Examples + +The following example declares a rule to classify the Active Directory accounts based on the dn +values. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Represents the resource type definition. | +| ResourceTypeIdentificationConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the confidence level used to match the resources. | +| SourceMatchedConfidenceLevel default value: false | **Type** Boolean **Description** Defines the confidence level used to match the sources. | +| TargetExpression optional | **Type** String **Description** Defines the C# expression used to classify the resources. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md new file mode 100644 index 0000000000..1f6fa13ccd --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md 
@@ -0,0 +1,56 @@ +# Resource Correlation Rule + +A correlation rule is used to correlate the resources, i.e. link resources to their owners. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +## Examples + +#### Correlation based on unchanged attributes + +The following example creates an Active Directory correlation rule based on the mail property: + +``` + + + +``` + +#### Correlation based on attributes changed by a function + +The following example copies the previous example (based on unchanged attributes), but using a +predefined function (`ToLower`) in source and target bindings' expressions, to compare the email +attributes: + +``` + + + +``` + +A list of [Predefined functions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/predefined-functions/index.md) is available. + +#### Correlation based on attributes within a C# expression + +The following example creates an Active Directory correlation rule based on the comparison between +the AD's simplified display name and an expression from the external system: + +``` + + + +``` + +This example also uses a confidence rate equals to 80%. + +## Properties + +| Property | Details | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. | +| ResourceType required | **Type** Int64 **Description** Identifier of the resource type. | +| SourceBinding optional | **Type** Int64 **Description** Binding property from the source system. | +| SourceExpression optional | **Type** String **Description** Binding expression based on properties from the source system. 
See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| SourceMatchedConfidenceLevel default value: 0 | **Type** Int32 **Description** Defines the correlation confidence rate of this rule. If the value is less than 100, we process a manual review step to confirm the choice. | +| TargetBinding optional | **Type** Int64 **Description** Binding property from the target system. | +| TargetExpression optional | **Type** String **Description** Binding expression based on properties from the target system. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md new file mode 100644 index 0000000000..a8b463ede3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md 
@@ -0,0 +1,672 @@ +# Resource Type + +In Identity Manager a resource type is a conceptual model used to categorize resources. It groups +together, with a meaningful name, resources sharing the same intent and the same authorization +system. Resource types are assigned directly to a resource rather than mapped to a role. A resource +type can be assigned manually, or configured to be assigned automatically via a resource type rule. + +## Examples + +The following example declares a new resource type to provision the LDAP service accounts: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### ArgumentsExpression + +This option is used for provisioning orders to compute useful arguments. + +Most standard situations use only one workflow per action type on a resource (addition, update, +deletion). But in some more complex situations (like using multi records), several workflows are +available for one type of action. As the configuration JSON file of an InternalWorkflow connection +cannot contain expressions, a resource type can be configured with the ArgumentsExpression attribute +to explicit the arguments of provisioning orders, based on conditions and variables. See the +[InternalWorkflow](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md), +[ Compute a Resource Type's Provisioning Arguments ](/docs/identitymanager/saas/identitymanager/integration-guide/provisioning/how-tos/argumentsexpression/index.md), +and [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topics for additional information. 
+ +The following example computes the identifier of the workflow to launch, based on the provisioning +order as a variable (the returned value depends here mostly on the type of change): + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +#### ResourceIdToCopy + +Now consider a record creation for a given identity, inside a multi-record organization. Suppose +that records are defined by their position and location, while other properties are the same for all +records (usually the identity's personal data like the name and birth date). When creating a new +record for an existing identity, you will want to copy an existing record from the database to +modify only the values specific to the new record. + +The following example computes the identifier of the record to copy, if the identity has already +any: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +("Select Id Where EmployeeId="\" + employeeId.ToString() + "\""); +  if (resources.Any()) { +    arguments.Add("ResourceIdToCopy", resources.FirstOrDefault().Id.ToString()); +  } +}   +return arguments;" /> +``` + +### DependsOn + +This option is used to configure another resource type as prerequisite for this resource type. + +For example, a Microsoft Exchange account requires the email address of a related Active Directory +account. + +In this case, we want to configure the Exchange Account resource type so that a user cannot own an +Exchange account when they do not own an AD account. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an Exchange account when the user does not own an AD +nominative account. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` + +``` + +### DependsOnOwnerProperty + +This option is used to configure a property as prerequisite for the resource type. + +Consider an Active Directory administrator account which should be able to perform manual +provisioning to ServiceNow. Then it requires the random identifier computed by ServiceNow. + +In this case, we want to configure the AD_Entry_AdministrationUser resource type so that a user +cannot own an AD administrator account when they do not have an identifier in ServiceNow. + +**NOTE:** The DependsOnOwnerProperty of a resource type should only refer to scalar values that are +part of the properties of the SourceEntityType. + +The following example is meant to perform an automatic check to prevent the execution of any +provisioning order for the creation of an AD administrator account when the user does not have an +identifier in ServiceNow. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +### DiscardManualAssignments + +This option is used to set Identity Manager as authoritative following a manual change in a managed +system. + +Suppose a resource type managing the provisioning of Active Directory nominative accounts based on +users data in Identity Manager (Directory_User). Suppose a scalar rule that provisions the AD's sn +property based on users' last names. + +The following scenario is about a user named Cedric Blanc, whose AD's sn property is set by the +scalar rule to Blanc. + +![Example - State 0](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state0_v602.webp) + +Let's see what happens when the user's name is changed manually directly in the AD. + +Suppose that we change in the AD the last name to White. 
As the scalar rule computes the sn value +based on the user's data which still states the last name Blanc, such a change induces a difference +between the value calculated by the rule and the actual value in the AD. This difference is spotted +by the next synchronization, triggering a non-conforming assignment on the Resource Reconciliation +page. + +![Example - State 1](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state1_v602.webp) + +![Example - Step 1](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step1_v602.webp) + +![Example - Step 2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_step2_v602.webp) + +Once this manual new value is confirmed, the property is stated as **Approved**. + +![Example - State 2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state2_v602.webp) + +Now suppose that the user's last name is changed to Black via Identity Manager's workflows. As the +source data is changed, the scalar rule computes a new value for sn. There are two options: + +- The default configuration (DiscardManualAssignments set to false) considers manual assignments, + i.e. changes made directly in the managed system, as authoritative. So there will be no + provisioning of the newly computed value for sn. The current sn value that was written manually in + the AD stays as is, no matter the changes in the source data (here the user's last name). Identity + Manager only states the property's value as Questioned. 
+ + ![Example - State 3](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state3_v602.webp) + + **NOTE:** No change in the source data can affect the property's value. However, any manual + change made in the managed system will trigger a non-conforming assignment. Then, reconciling + the property by choosing to keep Identity Manager's suggested value will make the property's + value go back to Calculated and thus follow the changes in the source data. + + **NOTE:** If DiscardManualAssignments is changed from False to True, then the state of the + property's value does not matter. Identity Manager applies the rules of the role model, and + generates a provisioning order to overwrite the manual change White with the newly computed + value Black. + + ![Example - State 4](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_state4_v602.webp) + +In this scenario for Cedric Blanc, these behaviors can be summed up like the following: + +![Schema for DiscardManualAssignments](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/discardmanualassignments_schema.webp) + +### Correlate Multiple Resources + +With the **Correlation Multiple Resources** option, Identity Manager can link a single owner to +several existing target objects of the same resource type. This setting can be used in conjunction +with the **Suggest all resources** option to fine tune the behavior. + +Below, we illustrate the different scenarios that are possible, taking into consideration whether a +resource type has previously been correlated to the owner or not. 
+ +![suggestallcorrelations-nnn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is no Resource already correlated so the first match with the highest confidence rate is + **Correlated** if it is > 100 or **Suggested** if it is < 100. As for all other matches with lower + confidence rate they will be ignored. + + ![suggestallcorrelations-nnn2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nnn2.webp) + + If there are no Resources to be correlated with a confidence rate >100, the ones below with + confidence rate below 100 are Suggested or Ignored. + + ![suggestallcorrelations-nny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nny.webp) + +- The value for both **Correlate Multiple Resources** and **Suggest All Correlations** is **No** + there is one Resource already correlated so due to this all future correlations will be ignored. + + ![suggestallcorrelations-nyn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyn.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** is **Yes** + there is no Resource already correlated so all Resource Types will be **Suggested**. 
+ + ![suggestallcorrelations-nyy](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-nyy.webp) + +- The value for **Correlate Multiple Resources** is **No**, **Suggest All Correlations** **Yes** + there is one Resource already correlated so the Resource Types that have a confidence rate `>100` + will be **Suggested**. As for all other matches with lower confidence rate they will be ignored. + + ![suggestallcorrelations-ynn](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No**, + and there is no Resource already correlated so Resource Types that have a confidence rate `>100` + will be **Correlated** and the ones `<100` will be **Suggested** if there are no higher matches + otherwise they will be ignored. + + ![suggestallcorrelations-ynn2](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-ynn2.webp) + + If there are no Resources to be correlated with a confidence rate `>100`, the ones with + confidence rate below 100 are Suggested. + + ![suggestallcorrelations-yny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **No** + there is one Resource already correlated so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be ignored. 
+ + ![suggestallcorrelations-yyny](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/suggestallcorrelations-yyny.webp) + +- The value for **Correlate Multiple Resources** is **Yes**, **Suggest All Correlations** **Yes** + one Resource could be already correlated or not so the matches with confidence rate `>100` will be + **Correlated** and the ones `<100` will be **Suggested**. + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AllowAdd default value: true | Boolean | Enables Identity Manager to automatically create new resources in the managed system when their owners are given the right entitlements. Otherwise, resource managers must create resources manually directly in the managed system. | +| AllowRemove default value: true | Boolean | Enables Identity Manager to automatically deprovision resources in the managed system when their owners are deprived of the right entitlements. 
Otherwise, Identity Manager is able to delete resources in the managed system only with a manual approval on the Resource Reconciliation screen. | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Indicates the number of validation to give to a role given manually (from None to Three). The value ManualAssignmentNotAllowed is used when a manual assignment cannot be performed. **NOTE:** Netwrix recommends using ManualAssignmentNotAllowed for all resource types. | +| ArgumentsExpression optional | String | **NOTE:** C# expression used to compute the arguments of provisioning orders, for example a workflow identifier, in a situation where it is not obvious. The aim is to enable an InternalWorkflow connector to fulfill correctly a virtual managed system by launching the right workflows based on a given provisioning order. This expression must return a dictionary of string. **NOTE:** ArgumentsExpression is useful only when provisioning via the following packages: Active Directory, Apache Directory, Generic LDAP, Open LDAP, Oracle LDAP, Red Hat Directory Server and Workflow. | +| BlockProvisioning default value: true | Boolean | True to block the provisioning policy orders. | +| Category optional | Int64 | Resource type category. | +| CorrelateMultipleResources default value: false | Boolean | True to extend the QueryRule/CorrelationRule to match as many target resources as possible (no blocking like this is normally the case). | +| DependsOn optional | Int64 | Identifier of another resource type that must be provisioned for a given identity before the current resource type can be provisioned for said identity. | +| DependsOnOwnerProperty optional | Int64 | Identifier of one of the owner properties that must be filled before the current resource type can be provisioned for said identity. | +| Description_L1 optional | String | Describe this resource type in detail. 
| +| DiscardManualAssignments default value: false | Boolean | True to always allow the provisioning of a new property value, i.e. re-computed by a provisioning rule after a change in the source data, no matter the property's current workflow state. Set to false, any manual change of a property's value made directly in the target system will be "protected" (only after the change is approved in Identity Manager in Resource Reconciliation). It means that a future change in the source data will not trigger the provisioning of the new value to the target system. Instead, Identity Manager will keep the value of the manual change, and state the value as **Questioned**. This option should be set to true when: \* using multiple authoritative sources and the latest value should be provisioned; \* a source system is not often synchronized to Identity Manager but should stay the authoritative source. | +| DisplayName_L1 required | String | Display name of the resource type in language 1 (up to 16). | +| FulfillHoursAheadOfTime default value: 0 | Int32 | Anticipate resource fulfill order hours ahead of they start time. It is helpful for manual fulfillment and/or long fulfillment process. It differs from TimeOffset because the start date of the resource to fulfill is not impacted. | +| HideOnSimplifiedView default value: false | Boolean | True to hide this resource type in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Unique identifier of the resource type. | +| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the resource type can be skipped. 0 - Inherited: implicit approval value in the associated policy. 1 - Explicit: all the workflow steps must be approved. 2 - Implicit: the workflow steps can be skipped if the requester has enough permissions. 
| +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextMode | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaximumDelete default value: 0 | Int32 | Deleted lines threshold. Sets the maximum number of resources that can be removed from the resource type when running the provisioning job. | +| MaximumDeletePercent default value: 30 | Int32 | Deleted lines threshold in percent. | +| MaximumInsert default value: 0 | Int32 | Inserted lines threshold. Sets the maximum number of resources that can be added into the resource type when running the provisioning job. | +| MaximumInsertPercent default value: 30 | Int32 | Inserted lines threshold in percent. | +| MaximumUpdate default value: 0 | Int32 | Updated lines threshold. Sets the maximum number of resources that can be modified within the resource type when running the provisioning job. | +| MaximumUpdatePercent default value: 30 | Int32 | Updated lines threshold in percent. | +| P0 default value: false | Boolean | True to indicate that the resource type is parametrized, i.e. there is at least one type rule configured to assign the resource type based on the dimension 0 (up to 3V following the base32hex convention). See the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| Policy required | Int64 | Identifier of the policy that the resource type is part of. 
| +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the resource type can be extended without any validation. 0 - Inherited: gets the value from the policy. 1 - Enabled. 2 - Disabled. | +| R0 default value: false | Boolean | True to set the dimension 0 (up to 3V following the base32hex convention) as a required parameter when assigning the resource type. See the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md) topic for additional information. | +| RemoveOrphans default value: false | Boolean | True to authorize the deprovisioning of this resource when it does not have an owner. Can only be true when AllowRemove property is also true. | +| SourceEntityType required | Int64 | Identifier of the source entity type. | +| SuggestAllCorrelations optionalAttribute | Boolean | Allows correlation suggestions for rules with a confidence rate below 100, even if other correlations with a confidence rate above 100 have been found. | +| TargetEntityType required | Int64 | Identifier of the target entity type. | +| TransmittedStateValidityPeriod default value: 0 | Int32 | Time period (in minutes) after which fulfillment orders in Transmitted/Executed states are automatically set in Error state. **_RECOMMENDED:_** - when provisioning automatically, then set 1, 2 or 3 times the period between two synchronizations. - when provisioning manually and synchronizing regularly, then set around 15 days. - when provisioning manually with few synchronizations, then don't set it. | + +## Child Element: BinaryRule + +A ResourceBinaryRule allows to specify the file that must be set to an assigned resource binary +property. It is defined by a child element `` of the `` element. The +source file should already be synchronized and stored inside and reference as an EntityType +property. 
+ +### Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +        ... +       +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression to get the file property. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the property used to represent the file on the target EntityType. | +| SingleRole optional | Int64 | Identifier of the single role. The single role must be assigned to the owner so that the file can be provisioned on the resource. See the [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) topic for additional information. | +| TimeOffsetAfterReference default value: 0 | Int32 | Defines the offset after reference (in minutes). 
| +| TimeOffsetBeforeReference default value: 0 | Int32 | Defines the offset before reference (in minutes). | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. **NOTE:** in a situation with several binary rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. _Remember,_ two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: NavigationRule + +A navigation rule computes the value of a given navigation property for target resources, based on +the properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to query rules, navigation rules assign +resources regardless of the attributes of source resources. + +A navigation rule is defined by the child element `` of the `` +element. + +**NOTE:** Both navigation and query rules compute navigation properties. The value of one navigation +property should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. 
+ +### Examples + +Computation based on other properties + +The following example declares a new rule to give the SG_APP_SharePoint_HR_Owner group to all users +who had the SharePoint_HR_Owner role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +The following rule will set users' Active Directory nominative account in the +CN=SG_APP_DL-INTERNET-Restricted,OU=Applications,DC=acme,DC=internal group for people having the +DL-INTERNET-Restricted role. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Parametrized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parametrized +roles. See the +[Configure a Parametrized Role](/docs/identitymanager/saas/identitymanager/user-guide/optimize/parameterized-role/index.md)topic +for additional information. + +This optimization will simplify the functional understanding of the role catalog, and speed up +Identity Manager's calculations. + +Supposing that the 10th dimension (dimension A following the base32hex convention) is created for +time slots, the following example creates a single role Access/A_Brune_HR for all time slots. Each +time-slot-related entitlement will be assigned to users by configuring one navigation rule per +entitlement, using the dimension as a required parameter. See the +[ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) and +[ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)topics for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +             +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to compute the navigation property for users whose country is France. **NOTE:** Specifying at least one dimension makes the linked role parametrized. | +| IsDenied default value: false | Boolean | True to forbid the resource assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. 
| +| Resource required | Int64 | Identifier of the resource to be assigned as a value of the impacted navigation property. Said resource must be part of the entity type that the navigation property points to. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the property computation. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | _Remember,_ Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several navigation rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. _Remember,_ two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. 
Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: QueryRule + +A query rule computes the value of a given navigation property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. Contrary to navigation rules, query rules assign +resources to target resources according to a query via a C# expression with conditions, based on the +attributes of the source resources. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for +additional information. + +A query rule is defined by the child element `` of the `` element. + +Both navigation and query rules compute navigation properties. The value of one navigation property +should be computed by either navigation or query rules, not both. + +See the +[ Compute a Navigation Property ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example declares a new rule to compute the parent distinguished name for guest users. +Here we do not use source properties, but a literal expression for all guest users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+     + +``` + +### Properties + +| Property | Type | Description | +| --------------------------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the navigation property to be computed. | +| SourceBinding optional | Int64 | Binding of the property from the source entity type to be compared with the target binding/expression, in order to find a matching resource to be the value of Property. | +| SourceExpression optional | String | C# expression to compare with the target binding/expression in order to compute the value of Property with the matching resource. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. 
| +| TargetBinding optional | Int64 | Binding of the property from the entity type pointed by Property, which will be the value of Property if it matches the source binding/expression. | +| TargetExpression optional | String | C# expression to compare with the source binding/expression in order to compute the value of Property with the matching resource.See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **_RECOMMENDED:_** The TargetExpression must contain at least one target property, it cannot be a literal expression. | +| TargetMatchedConfidenceLevel default value: 0 | Int32 | Percentage rate expressing the confidence in the rule according to data quality and sensitivity. Identity Manager considers the rules in descending order of confidence rate, the first matching rule is applied. 0 to 99: imposes that a resource manager reviews the property computation on the Resource Reconciliation page. 100 to 150: computes the property automatically. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | TypeDescriptionOffset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 
1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several query rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap, for mono-valued properties. two offsets of the same mode should never overlap for mono-valued properties. Overlapping rules on a multi-valued property do not conflict with each other, Identity Manager stores all computed values. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: ScalarRule + +A scalar rule computes the value of a given scalar property for target resources, based on the +properties of their owners (source resources and entitlements). These properties are to be +provisioned, i.e. written to the managed system. + +A scalar rule is defined by the child element `` of the `` element. + +See the +[Compute a Scalar Property](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) +topic for additional information. + +### Examples + +Computation based on other properties + +The following example shows two scalar rules. The first one computes users' emails based on AD +values. The other one contains a C# expression to compute AccountExpires. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... 
+       +     + +``` + +The next example computes the firstName property of a App1_Account from the resource type +App1_Standard_Account, indicating that it must be equal to the firstName of the source resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Computation via a literal expression + +The following example translates to "the userAccountControl property of a App1_Account of resource +type App1_Standard_Account must be equal to 66048. It uses a literal expression. See the +[Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +    ... +     + +``` + +Binding + +The Binding attribute complies with the binding expression syntax or the calculation expression +syntax. So, it can use the C# language to specify a more complex binding. See the +[ Bindings ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/bindings/index.md) and [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topics for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +IsMapped + +Consider a system that we want to connect to Identity Manager, let's call it SYST, using a title +property. Consider also that SYST needs to be provisioned with the value of title, but does not +allow any other system to retrieve the said value. + +In this case, we set `IsMapped` to false so that Identity Manager sends the adequate provisioning +order when needed, and then is able to change the provisioning state to **Executed** without +synchronization. 
See the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional +information. + +The following example computes users' title in a given managed system, based on Identity Manager's +`PersonalTitle` property without ever retrieving the value: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +TimeOffset + +A scalar rule is applied according to reference start and end dates (configured through record +sections and context rules), usually users' arrival and departure days. It means that, for a user +matching the rule's criteria, a property is to be computed, by default, from the user's arrival day +until their departure day. See the [ Record Section ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/recordsection/index.md) and +[ Context Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) topics for additional information. + +![Schema - Default Application Period](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetdefault.webp) + +A time offset adjusts the period for which the rule applies and computes a property's value. + +The following example impacts the property for the activation of nominative AD accounts: + +- The first rule deactivates the account from its creation, i.e. 1 month before the user's arrival + day, until the arrival day; +- The second rule activates the account from the user's arrival day until their departure; +- The third rule deactivates the account from the user's departure day and until its deletion, i.e. + 6 months after the departure day. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                ... + +``` + +![Schema - Offset Application Period](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetexample.webp) + +If the time period of property computation exceeds the limits of the period of resource type +assignment, then the period of resource type assignment is extended accordingly. + +Note that the rules are applied in a specific order according to their offset reference: After, +Before, Around and Default. Each rule overwrites pre-existing values. Thus in case of overlapping +rules, Default-offset rules overwrite the values of Around-offset rules, which overwrite the values +of Before-offset rules, which overwrite the values of After-offset rules. We could have the +following: + +![Schema - Overlapping Offsets](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/datamodel_scalarrule_timeoffsetoverlap.webp) + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding optional | Int64 | Defines the binding expression. | +| ComparisonType default value: 0 | ComparisonType | Defines the comparison type for the computed value, when Identity Manager retrieves it from the managed system during synchronization, and compares it to the value stored in Identity Manager's database. 0 - CaseSensitive: compares words exactly as they are. 1 - IgnoreCase: ignores the difference between upper and lower case. 2 - IgnoreDiacritics: considers all letters with diacritics (é, à, ç) to be equivalent to their base letters (e, a, c...). 3 - Simplified: ignores diacritics, case and characters which are not letters. 4 - Approximate: does the same as Simplified but also ignores some spelling mistakes. Some letters are considered equivalent (Z and S, Y and I, W and V, K and C, SS and C). All H can be missing. A T, D or S can be missing at the very end. Finally, it ignores all duplicate letters (other than SS). There is no comparison for unmapped properties (IsMapped set to false). 
| +| Expression optional | String | Expression used to compute the target property specified in Property. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. _Remember,_ for C# expressions, Identity Manager provides an implicit variable called "assignment" that contains basic information about the linked assigned resource type, i.e. StartDate, EndDate and ParametersValues. | +| IsMapped default value: true | Boolean | True to use the scalar rule's computation to both provision the managed system and synchronize the property back to Identity Manager, thus both create and update. Otherwise, the scalar rule's computation is used only to provision the managed system and the property will be ignored during synchronization, thus create only. This way the property can never be displayed as non-conforming. IsMapped is usually set to false in order to adapt the configuration to the constraints of the managed system, when Identity Manager does not retrieve and/or update the property value. | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Property required | Int64 | Identifier of the scalar property to be computed. | +| SingleRole optional | Int64 | Identifier of a single role that users must have to trigger the property computation. _Remember,_ scalar rules must not be dependent on dimensions or role as far as possible as, according to Identity Manager, a good rights policy must be based on group membership and not on mono-valued properties. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. A negative value for the time offset means that the time period is before the reference date. 
| +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: the offset inherited from the type rule. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. **NOTE:** in a situation with several scalar rules, the order of application is: After, then Before, then Around, then Default. Each rule is able to overwrite those previously applied in case they overlap. _Remember,_ two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | + +## Child Element: TypeRule + +A resource type rule assigns resources to given users if they match specific criteria. These +resources are to be provisioned, i.e. written to the managed system. + +A resource type rule is defined by the child element `` of the `` element. + +**NOTE:** The specification of several resource type rules for one resource type implies the union +of all rules, i.e. the combination of all rules (and all sets of criteria) with an OR operator. + +### Examples + +With a dimension criterion + +The following rule will assign an App1_Standard_Account resource (resource of type App1_Account) to +any User whose organization dimension (dimension binded to column 0) identifier is Marketing. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... + +``` + +With a single role criterion + +In addition to dimensions, a single role can be used as a criterion for a rule. + +The following rule will assign an App1_Standard_Account resource to all User whose organization +dimension identifier is Marketing and having the single role Multimedia_Designer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... + +``` + +Without any criterion + +Di and SingleRole conditions are not mandatory. A type rule with no condition entails the creation +of an AssignedResourceType, and hence of a target resource (from the target entity type), for every +source resource (from the source entity type). See the AssignedResourceType topic for additional +information. + +The following example declares a new rule to give the resource type "AD_Entry_NominativeUser" to all +users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +    ... 
+ +``` + +### Properties + +| Property | Type | Description | +| ------------------------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| D0 optional | Int64 | Value to match for the dimension D0 (up to D127) to trigger the rule. For example, considering that D0 corresponds to users' countries, then set D0 to France to assign the resource type to users whose country is France. **NOTE:** specifying at least one dimension makes the linked resource type parametrized. | +| IsDenied default value: false | Boolean | True to forbid the assignment instead of applying it. | +| L0 default value: false | Boolean | True to activate inheritance for D0 (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| SingleRole optional | Int64 | Identifier of a single role, which users must have to trigger the resource type assignment. | +| TimeOffsetAfterReference default value: 0 | Int32 | Time period (in minutes) after the reference end date, which shifts the end of the rule's application. 
A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetBeforeReference default value: 0 | Int32 | Time period (in minutes) after the reference start date, which shifts the start of the rule's application. A negative value for the time offset means that the time period is before the reference date. | +| TimeOffsetReference default value: 0 | TimeOffsetReference | Offset mode defining which dates to use as references, in order to apply the time offset. The time period for which the rule is applied is adjusted accordingly. 0 - Default: no offset. 1 - Around: the offset before reference is applied from the start date of the resource, and the offset after reference is applied from the end date. 2 - Before: the offset before and after reference are both applied from the start date of the resource. 3 - After: the offset before and after reference are both applied from the end date of the resource. In a situation with several resource type rules, the order of application is descending (After-Before-Around-Default). Thus each time offset is able to overwrite those previously applied in case they overlap. two offsets of the same mode should never overlap. Resources' start and end dates can be configured through record sections and/or context rules. | +| Type default value: 0 | RuleType | Represents the type of the rule. 0 - Required: the resource type is automatically assigned to users matching the criteria. 1 - Requested Automatically: the resource type is listed in the permission basket of new workers. These assignments can still be modified. For existing workers, the rule's type is Suggested. 2 - Suggested: the resource type is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request. Suggested assignments must be selected manually to be requested, and will go through the validation process. | 
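Review bot: the TimeOffsetReference rows in the rule Properties tables of this file carry conversion leftovers and no longer read the same from one rule to the next. In the QueryRule table the description opens with "TypeDescriptionOffset mode defining which dates", in the NavigationRule table it opens with a stray "_Remember,_ Offset mode defining", and in the QueryRule and TypeRule tables the sentence "two offsets of the same mode should never overlap" starts in lower case where its "_Remember,_" lead was dropped. Suggest removing the leftovers and restoring the lead as written in the BinaryRule and ScalarRule rows. This text tells an integrator which rule wins when offsets overlap, for example in the TimeOffset example that deactivates the AD account after the user's departure day, so it should be unambiguous. Two smaller points in the same file: the IsMapped paragraph lists the Provision and Synchronize Data links back to back with no "and" and a singular "topic", and the literal-expression example opens a quotation at "the userAccountControl property" that is never closed.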
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md new file mode 100644 index 0000000000..309e5cb6c9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md 
@@ -0,0 +1,69 @@ +# Role Mapping + +Defines a naming rule to create a single role in a specific category based on a property. A +navigation rule will also be created by the naming rule, giving the property to the target user when +the created single role is assigned to this user. + +## Examples + +### Additional condition + +The following example uses `WhereExpression` to condition the application of the rule. + +NETWRIX recommends using this property only when the properties from the rule items do not suffice. + +Here the naming convention says that we should create a single role for each group (`memberOf` +value) whose `dn` starts with `SG_`and whose dn's second part (between two `_`) is made of three +characters. + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ApprovalRequired default value: false | **Type** Boolean **Description** Indicates that the generated role must be approved before being used by a policy. | +| ApprovalWorkflowType default value: None | **Type** ProvisioningPolicyApprovalWorkflow **Description** Indicates the number of validation to give to a manual role (from 0 to 3 inclusive). The value 4 is used when a manual assignment cannot be performed. | +| Category optional | **Type** Int64 **Description** Identifier of the category. | +| CategoryDisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the category display name. | +| CategoryDisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the category display name. 
See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| CategoryIdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the category identifier. | +| CategoryIdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the category identifier. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| CommentActivationOnApproveInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | **Type** CommentActivationWithInherited **Description** Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled `1` - Optional `2` - Required `3` - Inherited: comment activation in the associated policy. 
| +| DisplayNameBinding optional | **Type** Int64 **Description** Defines the binding used to compute the role display name. | +| DisplayNameExpression optional | **Type** String **Description** References the C# or literal expression used to compute the role display name. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| HideOnSimplifiedView default value: false | **Type** Boolean **Description** `true` to hide this role in the basket simplified view. This flag is applied only on automatic assignments. | +| Identifier required | **Type** String **Description** Identifier of the role mapping. | +| IdentifierBinding optional | **Type** Int64 **Description** Binding used to compute the role identifier. | +| IdentifierExpression optional | **Type** String **Description** C# or literal expression used to compute the role identifier. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| ImplicitApproval default value: 0 | **Type** Byte **Description** Indicates if the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value in the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ParentCategoryIdentifierBinding optional | **Type** Int64 **Description** Defines the binding used to compute the parent category. | +| ParentCategoryIdentifierExpression optional | **Type** String **Description** References the C# or literal expression used to compute the parent category. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Policy required | **Type** Int64 **Description** Identifier of the policy that the rule is part of. 
| +| Property required | **Type** Int64 **Description** Property on which the naming rule will be applied. | +| ResourceType required | **Type** Int64 **Description** Resource type on which the naming rule will be applied. | +| RolePolicy optional | **Type** Int64 **Description** Identifier of the policy used for the roles created by the naming rule. | +| WhereExpression optional | **Type** String **Description** C# expression returning a boolean, used to condition the application of the naming convention. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | + +## Child Element: Rule + +Represent the sets of conditions which will determine the enforcement of the naming rule. + +## Child Element: Item + +Represents one of the conditions used to determine the enforcement of the naming rule. + +### Properties + +| Property | Details | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------- | +| Operator default value: 0 | **Type** QueryComparisonOperator **Description** Operator used in the condition for the naming rule enforcement. | +| Property required | **Type** Int64 **Description** Property on which the condition for the naming rule enforcement is based. | +| Value optional | **Type** String **Description** Value used in the condition for the naming rule enforcement. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md new file mode 100644 index 0000000000..df28105cb3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md 
@@ -0,0 +1,85 @@ +# Single Role + +A single role is a way to represent an entitlement that is to be assigned to an identity. It brings +a layer of abstraction through a user-friendly name, close to the business view. + +Roles can be used to: + +- grant accesses of various types and levels; +- restrict access to sensitive information assets, by grouping entitlements in a form that is + meaningful from a business point of view; +- grant the minimum privileges required by an individual to perform their job. + +Roles can be requested manually, or they can be configured to be assigned automatically via +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) depending on identities' attributes. + +## Examples + +The following example declares a new single role in the default policy; in the category `Internet`; +for resources from `Directory_User` with one approval needed. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` +   +``` + +### Parameterized roles + +The role catalog can be optimized by reducing the number of roles, by configuring parameterized +roles. + +This optimization will simplify the functional understanding of the role catalog, and speed up +Identity Manager's calculations. + +Supposing that the 10th [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) (dimension A following the +[ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)) is created for time slots, the +following example creates a single role `Access/A_Brune_HR` for all time slots. Each +time-slot-related entitlement will be assigned to users by configuring one navigation rule per +entitlement, using the dimension as a required parameter. 
+ +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +[Copy](javascript:void(0);) + +``` + + + +     +     +     + + +``` + +## Properties + +| Property | Type | Description | +| ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Number of validations required to assign manually the single role (from `None` to `Three`). The value `ManualAssignmentNotAllowed` is used when a manual assignment cannot be performed. | +| Category optional | Int64 | Identifier of the category that the role is part of. | +| CommentActivationOnApproveInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnDeclineInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. 
| +| CommentActivationOnDeleteGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| CommentActivationOnKeepGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. `0` - Disabled. `1` - Optional. `2` - Required. `3` - Inherited: comment activation in the associated policy. | +| D0 optional | Int64 | Value that will be set for the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)) for all users with the role. | +| Description_L1 optional | String | Detailed description of the single role in language 1 (up to 16). | +| DisplayName_L1 required | String | Display name of the single role in language 1 (up to 16). | +| EntityType required | Int64 | Identifier of the entity type whose resources can receive the single role. | +| GracePeriod optional | Int32 | Duration (in minutes) for which a lost automatic single role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. | +| HideOnSimplifiedView default value: false | Boolean | `true` to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. | +| Identifier required | String | Identifier of the single role. 
| +| ImplicitApproval default value: 0 | Byte | Indicates whether the validation steps of the single role can be skipped. `0` - Inherited: implicit approval value from the associated policy. `1` - Explicit: all the workflow steps must be approved. `2` - Implicit: the workflow steps can be skipped if the requester has enough permissions. | +| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextModeRole | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. | +| MaxDuration optional | Int32 | Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the `MaxDuration` of the associated policy is applied. If the `MaxDuration` is set to 0 on the role, it prevents the associated policy from applying its `MaxDuration` to it. | +| Policy required | Int64 | Identifier of the policy in which the role exists. | +| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the role can be extended without any validation. `0` - Inherited: gets the value from the policy. `1` - Enabled. `2` - Disabled. 
| +| R0 default value: false | Boolean | `true` to set the dimension 0 (up to 3V following the [ Base32 Parameter Names ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/parameter-names/index.md)) as a required parameter when assigning the role. | +| State default value: Manual | RoleState | Mark that differentiates the roles analyzed in the role mining process. `0` - Manual: the role was created manually. `1` - Generated: the role was generated by a role mapping rule. | +| Tags optional | String | Label(s) that can later be used to filter the target roles of access certification campaigns. The tag separator is ¤. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md new file mode 100644 index 0000000000..c7eaa40b39 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md 
@@ -0,0 +1,30 @@ +# Single Role Rule + +A single role rule assigns a single role to users who match given criteria. + +## Examples + +The following example declares a new rule to give the single role to all the `"FCT0000"` users. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| CompositeRole optional | Int64 | Identifier of a [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) that users must have to trigger the rule. | +| D0 optional | Int64 | Value to match for the dimension `D0` (up to `D127`) to trigger the rule. For example, considering that `D0` corresponds to users' countries, then set `D0` to `France` to assign the single role to users whose country is `France`. | +| IsDenied default value: false | Boolean | `true` to forbid the assignment instead of applying it. | +| L0 default value: false | Boolean | `true` to activate inheritance for `D0` (up to 127). | +| Policy required | Int64 | Identifier of the policy that the rule is part of. | +| Priority default value: 0 | Int32 | Priority of the rule over the others. The highest priority is defined by the smallest number. This enables, for example, overriding "deny rules" that have a lower priority (higher number). 
| +| Role required | Int64 | Identifier of the single role to be assigned. | +| Type default value: 0 | RuleType | Type of the rule. `0` - Required — the role is automatically assigned to users matching the criteria. `1` - RequestedAutomatically — the role is listed in the permission basket of new workers, these assignments can still be modified. For existing workers, the rule's type is `Suggested`. `2` - Suggested — the role is listed among suggested permissions in the permission basket of users matching the criteria during an entitlement request, suggested assignments must be selected manually to be requested. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md new file mode 100644 index 0000000000..62540b4c21 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/index.md @@ -0,0 +1,3 @@ +# Reporting + +- [ Report Query ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md new file mode 100644 index 0000000000..14ad29f253 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/reporting/reportquery/index.md 
@@ -0,0 +1,26 @@ +# Report Query + +Allows the user to define queries to generate a report in a CSV file. When creating a new +ReportQuery it is recommended to also create the linked +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). + +## Examples + +``` + + + + + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | --------------------------------------------------------------------------------------------------------------- | +| DisplayName_L1 required | **Type** String **Description** Display name of the report query in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Report query Identifier. | +| Query required | **Type** String **Description** The report query written following Identity Manager EBNF Grammar rules. | +| ReturnedEntityType required | **Type** Int64 **Description** Returned Entity Type ID. The entity type can be seen as the FROM of a sql query. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md new file mode 100644 index 0000000000..1baa4671e7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/index.md @@ -0,0 +1,3 @@ +# Resources + +- [ Resource ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md) 
diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/resources/resource/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/resources/resource/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md new file mode 100644 index 0000000000..3d381bab0a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md 
@@ -0,0 +1,146 @@ +# Display Entity Type + +The `` element sets information about how an entity type is to be displayed by +the UI. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                         +``` + +### Zoom on Priority + +The Priority property controls the order in which entity types are displayed in the entity type +selection dropdown of the following administration screens: + +- Role Review +- Provisioning Review +- Role Reconciliation +- Resource Reconciliation +- My Tasks (also known as Workflow Management) +- Workflow Overview +- Access Rules + +By default, the entity type with the highest priority is selected first. The end user can later +change the selection using the top-left dropdown. + +![Change Selection](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/ui_displaypriorities_changeselection_v521beta.webp) + +Priorities are integer values, positive or negative. The most important priority is assigned to the +lowest value. + +Entity Types with the same priority are sorted by `Identifier`, in the alphabetical order, where +relevant. + +Entity Types for which a priority isn't set by a `` configuration element are +assigned an equally less important priority than the least important priority set by a +`` element. + +Example + +This example shows how to define priorities between the main Entity Types of the organizational +model. The highest priority is assigned to `Directory_User` and the lowest priority to +`Directory_Application`. All other entity types are assigned an equally low priority, below +`Directory_Application`. In the dropdown they will be sorted by alphabetical order. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. 
+ +``` +dashboard.xml +         + +``` + +#### Priorities for workflows + +The dropdown in My Tasks (also known as Workflow Management) and Workflow Overview screens is +related to workflows, not to entity types per se. + +In Identity Manager, each workflow is associated with a workflow-entity type. + +To configure the priority order for elements in the dropdown in these screens, the user should +remember to take the workflow-entity types in the `` need to be replaced with a custom value before entering the +script in the command line. + +``` +dashboard.xml +     + +``` + +But the order in which "Workflow for Directory_User" and "Workflow for Directory_Guest" appear in +the My Tasks screen is configured like this: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +dashboard.xml +     + +``` + +## Properties + +| Property | Type | Description | +| ----------------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AutocompleteBinding optional | Int64 | Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker). | +| Color optional | String | Defines the color used when displaying this entity type (it must be a 6 digit hexadecimal value, preceded by a #). | +| D0IsActive default value: false | Boolean | Is dimension0 active for this entity type (D0IsActive to D3VIsActive following the base32hex convention. | +| HideRoles default value: false | Boolean | True to skip the **Access Permissions** step (the one containing the roles) in the default forms for this entity type. | +| IconCode optional | String | Defines the icode code ("People", "MapPin", "Suitcase"...). 
| +| IsHierarchical default value: false | Boolean | Is hierarchical entity type. | +| MinSearchLength optional | Int32 | Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the AutocompleteBinding must be defined). | +| PluralDisplayName_L1 optional | String | Display name of the entity type in plural in language 1 (up to 16). | +| Priority default value: 2147483647 | Int32 | Sets the display priority of the Entity Type in the administration screens dropdown and the dashboard. A priority is an integer value, positive or negative. The highest priority is assigned to the lowest number. See the Priority section above. | + +## Child Element: Property + +Entity referencing the Entity properties (with which it share the same ID) that can be displayed in +the Identity Manager interface. + +### Properties + +| Property | Type | Description | +| ------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. Can be overwritten in every form control, display table column or tile item that displays the property. | +| AutocompleteBinding optional | Int64 | Defines the binding of the property used for search in the auto complete picker (this activates the auto complete picker if the input type of the display property is a picker). | +| DisplayOrder default value: 0 | Int32 | Defines the property display order. | +| DisplayTable optional | Int64 | Identifier of the display table. | +| Format optional | String | Defines a formatting method on the property values (`ParseSince1601Date`, `ToStringUserAccountControl`, `FormatDate` and `ParseBoolean`). 
| +| Group optional | Int64 | Identifier of the display property group, i.e. the fieldset, that the property is part of in the default UI form. | +| IconCode optional | String | Defines the icon code. | +| InputType default value: Auto | Enumeration | Identifier of the input type. See the [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional information. | +| IsHidden default value: false | Boolean | Property is hidden. | +| IsReadOnly default value: false | Boolean | Property is ReadOnly. | +| IsRequired default value: false | Boolean | Property is required. | +| MinSearchLength optional | Int32 | Defines the minimum number of characters from which the search in the auto complete picker starts - 4 if it is not defined (the input type of the display property must be a picker and the AutocompleteBinding must be defined). | +| NavigationBinding optional | Int64 | Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. | +| OutputType default value: Auto | Enumeration | Identifier of the output type. | +| PlaceHolderText_L1 optional | String | Property place holder text. | +| Tile optional | Int64 | Identifier of the tile. | +| ToolTipText_L1 optional | String | Property tool tip text. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md new file mode 100644 index 0000000000..694f677068 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md 
@@ -0,0 +1,28 @@ +# Display Property Group + +A display property group bundles a list of entity properties together in a fieldset in the UI. + +## Examples + +The following example will group a specific set of properties together, when displaying AD entries. + +``` + + + +Knowing that we have the following properties: + ... + + +``` + +![Display Property Group - Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/displaypropertygroup_example_v603.webp) + +Any property without a value is not displayed. + +## Properties + +| Property | Details | +| ----------------------- | -------------------------------------------------------------------------------------- | +| DisplayName_L1 optional | **Type** String **Description** Display name of the fieldset in language 1 (up to 16). | +| Identifier required | **Type** String **Description** Unique identifier of the property group. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md new file mode 100644 index 0000000000..39c156c058 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md 
@@ -0,0 +1,103 @@ +# Display Table + +A table displays a collections of entity type data grouped into rows. + +See the [Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md)topic for +additional information. + +## Examples + +Below there are a few examples of display tables. + +DisplayTableDesignElement table + +The following example displays sites as a table. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +![Example - DisplayTableDesignElement Set to Table](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_table_v602.webp) + +DisplayTableDesignElement list + +The following example displays users as a list. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +             +``` + +![Example - DisplayTableDesignElement Set to List](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_list_v602.webp) + +_Remember,_ for resources to be displayed as a list, the display table must also be configured with +tiles. + +DisplayTableDesignElement resourcetable + +The following example displays AD entries as a table, with an "Owner/Type" column. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                 +``` + +![Example - DisplayTableDesignElement Set to ResourceTable](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/displaytabledesignelement_resourcetable_v602.webp) + +## Properties + +Here is a list of properties of display tables. 
+ +| Property | Type | Description | +| ---------------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| DisplayTableDesignElement required | Enumeration | Design of the display table. -1 - table: resources are displayed in a table. -2 - list: resources are displayed in a list. -3 - resourcetable: resources are displayed in a table containing an "Owner/Type" column. -4 - adaptable: resources are displayed in a table with an "Owner/Type" column only if the entity type is the target of a resource type, otherwise the table is without said column. | +| EntityType required | Int64 | Represents the linked entity type. | +| HomonymEntityLink optional | Int64 | Defines the homonym display table. | +| Identifier required | String | Unique identifier of the table. | +| IsEntityTypeDefault default value: false | Boolean | Default display table used in the application. | +| LinesPerPage default value: 15 | Int32 | Defines the maximum lines per page. | +| ParentProperty optional | Int64 | Property to navigate to the parent level when the table displays a tree of values (for example Organization.ParentOrganization). | + +## Child Element: Column + +Contains all the display table columns. + +### Example + +Here is an example of a column child element. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                     +``` + +### Properties + +Here is a list of properties of column child element. 
+ +| Property | Type | Description | +| -------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| CanBeFiltered default value: false | Boolean | Can filter the column data. | +| ColumnSize default value: 1 | Int32 | Defines the column size. | +| DefaultSortPriority optional | Int32 | Defines the default sort priority. | +| DisplayBinding optional | Int64 | Represents the linked binding path to a scalar property. | +| DisplayName_L1 optional | String | Display name of the column in language 1 (up to 16). | +| IsDisplayInDropDownList default value: false | Boolean | Is a drop down list column. | +| IsDisplayInSummaryView default value: false | Boolean | Is a summary view column. | +| IsResizable default value: false | Boolean | Is resizable column. | +| IsSortable default value: false | Boolean | Is sortable column. | +| OptimizedDisplayBinding optional | Int64 | Optimized Binding allows DisplayTables to be faster displayed. If it is filled in, it takes priority over the DisplayBinding located in the DisplayTableColumn. | +| OptimizedSortBinding optional | Int64 | An optimized sort binding allows display tables to be faster displayed. If it is filled in, it takes priority over the sort binding located in the display table column. | +| SearchOperator default value: 0 | QueryComparisonOperator | Defines the search operator (Equal, NotEqual, Contain, StartWith). | +| SortBinding optional | Int64 | Represents the sort binding path to a scalar property. | +| Tile optional | Int64 | Identifier of the tile. | 
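Review bot: in displaytable/index.md, the DisplayTableDesignElement row lists its values as "-1 - table", "-2 - list", "-3 - resourcetable", "-4 - adaptable", which reads as negative enumeration values. Either drop the leading dash or give each value its own line, and say whether the configuration expects the number or the name. All four fences in this file (three under Examples, one under Child Element: Column) contain only whitespace as added, so the sentence "Code attributes enclosed with `<>` need to be replaced" refers to nothing the reader can see. That sentence also talks about "entering the script in the command line" on a page about XML configuration, which needs rewording. Smaller points: "displays a collections of" should be "a collection of", "index.md)topic" is missing a space before "topic", and the OptimizedDisplayBinding and OptimizedSortBinding descriptions say the same thing in two different styles ("DisplayTables to be faster displayed" against "display tables to be faster displayed").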
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md new file mode 100644 index 0000000000..95014313eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md @@ -0,0 +1,171 @@ +# Form + +A form contains a set of input fields (called controls) to be filled by a user, in a structured way. +A form must have a form type to be displayed and used in the UI. A form without a type can be called +in another form. + +## Examples + +The following example shows a form called `Directory_UserRecord_View` that involves resources from +the entity type `Directory_UserRecord` to collect personal data and contract information via some +structured fields to fill. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +
+                                                                                            ... +     + +``` + +### Display settings + +The display settings allow you to adjust the display. + +Hide the "Access Permissions" tab + +When `HideRoles` is set to `true`, then the **Access Permissions** tab is not accessible. + +![Access Permissions](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_hideroles_v603.webp) + +Adjust the request type + +When `WorkflowRequestType` is set to `Self`, then the finalization step looks like: + +![WorkflowRequestType = Self](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypeself_v603.webp) + +When `WorkflowRequestType` is set to `Helpdesk`, then the finalization step looks like: + +![WorkflowRequestType = Helpdesk](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_requesttypehelpdesk_v603.webp) + +Display records in a table + +![RecordTable Example](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/form_recordtable_v603.webp) + +InputType display + +The InputType represents the type of research property, attribute which supports only a predefined +set of values listed below: + +![inputtypeattachment](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeattachment.webp) + +- Attachment — represents a control for adding an attachment +- Auto — takes by default the type of the EntityType property + + ![inputtypecheckbox](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecheckbox.webp) + +- Checkbox — a boolean control which supports one of the two states + + 
![inputtypecombobox](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecombobox.webp) + +- Combobox — a dropdown which supports single selection + + ![inputtypecomboboxmultiselection](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypecomboboxmultiselection.webp) + +- ComboboxMultiSelection — a dropdown which supports multiple selection + + ![inputtypedate](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypedate.webp) + +- Date — Date control +- Hidden — Hides the input + + ![inputtypeimage](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypeimage.webp) + +- Image - Control to show / upload image +- Inherited —Control to get the InputType of the associated display entity property (when nothing is + specified in a Control of a Form, it's the default value). + + ![inputtypepicker](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypepicker.webp) + +- Picker — Opens a grid to select a resource + + ![inputtypetext](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetext.webp) + +- Text — Displays a single-line of text + + ![inputtypetextarea](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/inputtypetextarea.webp) + +- TextArea — A textbox which supports carriage return character. 
+ +## Properties + +| Property | Type | Description | +| -------------------------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | Int64 | Defines the linked activity template. | +| ActivityState optional | Enumeration | Defines the linked activity state template. | +| AddRowLabel_L1 optional | String | Defines the "add row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| EntityType required | Int64 | Represents the linked entity type. | +| FormTitle_L1 optional | String | Title of the form in language 1 (up to 16). | +| FormType default value: Auto | FormType | Represents the linked form type. | +| HideRecordAddButton default value: false | Boolean | True to hide the button used to add a new record. | +| HideRecordRemoveButton default value: false | Boolean | True to hide the button used to remove an existing record. | +| HideRoles default value: false | Boolean | True to hide the **Access Permissions** tab. | +| Identifier required | String | Unique identifier of the form. | +| IsDefaultSelfForm default value: false | Boolean | Entity type default self form. | +| IsDefaultViewForm default value: false | Boolean | Entity type default view form. | +| IsDeleteForm default value: false | Boolean | Is a delete form. | +| MainProperty optional | Int64 | Represents the form main property. | +| MainPropertyLabel_L1 optional | String | Defines the main property label text. | +| Menu optional | Int64 | Defines the linked menu item. | +| RecordEndProperty optional | Int64 | Defines the workflow end date property. If not specified, the property EndDate of the record entity type is considered as RecordEndProperty. 
| +| RecordFilter default value: CurrentAndFuture | RecordFilter | Defines the record display option. 0 - Current: shows current positions. 1 - CurrentAndFuture: shows current and future positions. Recommended. 2 - All: shows past, present and future positions. Not recommended for clarity issues. | +| RecordProperty optional | Int64 | Defines the workflow record property. | +| RecordSortProperty optional | Int64 | Defines the workflow sort property. | +| RecordStartProperty optional | Int64 | Defines the workflow start date property. If not specified, the property StartDate of the record entity type is considered as RecordStartProperty. | +| RecordTable optional | Int64 | Identifier of the display table to be used to display resources' records in a workflow. | +| RemoveRowLabel_L1 optional | String | Defines the "remove row" button label when using WorkflowUpdateSeveralRecordsEntityForm. | +| TableTitle_L1 optional | String | Defines the table title when using WorkflowUpdateSeveralRecordsEntityForm. | +| WorkflowRequestType default value: 0 | WorkflowRequestType | Type of the request of the related workflow. 0 - None. 1 - Self. 2 - Helpdesk. 3 - Administration. | + +## Child Element: Control + +A form control is an input field to be filled by a user. Controls can be inserted in other controls +in order to display the form fields in a structured way. + +### Examples + +The following example shows a form called `Directory_UserRecord_View` that collects first personal +data via some controls, and then calls another form `Workflow_Directory_User_AddRecord_Base` to +collect record information. In this example is a tree control which defines the relationships +between a worker and their managers (N+1 to N+3). The aim is to display in the form (in the UI) the +organization chart made of the worker and their managers. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +
                                                                 +     +``` + +### Properties + +| Property | Type | Description | +| ----------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AddedMinutes optional | Int32 | Add minutes to the date field with this property. If the value is not defined, the default value is the one defined for the associated display entity property. | +| Binding optional | Int64 | Identifier of the binding property. **NOTE:** When displaying an organization chart, this binding is meant to represent the first manager level (N+1). In this case, it must be a mono-valued navigation. | +| Binding2 optional | Int64 | Identifier of the binding property used to represent the second manager level (N+2) in the organization chart. It must be a mono-valued navigation. Cannot be used when Binding is not defined. | +| Binding3 optional | Int64 | Identifier of the binding property used to represent the third manager level (N+3) in the organization chart. It must be a mono-valued navigation. Cannot be used when Binding2 is not defined. | +| ColumnSize optional | Int32 | Defines the control column size. | +| DefaultValueBinding optional | Int64 | Automatically sets the value in the control depending on this binding and the selected value in another corresponding picker. It's only available for controls with picker. For example: `` After a selection of an organization in another picker in the form, the field location will be automatically set by the main location of the manager of the selected organization. 
| +| DisplayName_L1 optional | String | Display name of the control in language 1 (up to 16). | +| DisplayTable optional | Int64 | Identifier of the table. | +| EmbeddedForm optional | Int64 | Identifier of the form to insert in the control. With this method, one form can be imported to several forms. _Remember,_ it can be used only with `OutputType` set to `TransformImport`. | +| EntityType optional | Int64 | Represents the linked entity type. | +| ExtensionIdentifier optional | String | This property is used to extend the Identity Manager UI. | +| FilterBinding1 optional | Int64 | Coupled with LinkedBinding1, it allows filtering on a list of items. FilterBinding1 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker` InputType. | +| FilterBinding2 optional | Int64 | Coupled with LinkedBinding2, it allows filtering on a list of items. FilterBinding2 defines the binding that determines the search value. Linked filters are only available for controls with the `Picker`InputType. | +| HomonymEntityLink optional | Int64 | Defines the homonym form control. | +| InputType default value: Inherited | Enumeration | Input type of the control. | +| IsReadOnly optional | Boolean | Is a read only form control. | +| IsRequired optional | Boolean | Is a required form control. | +| LinkedBinding1 optional | Int64 | Coupled with FilterBinding1, it allows filtering on a list of items. LinkedBinding1 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. | +| LinkedBinding2 optional | Int64 | Coupled with FilterBinding2, it allows filtering a list of items. LinkedBinding2 defines the binding on which the search will be carried out. Linked filters are only available for controls with the `Picker` InputType. | +| Name optional | String | Identifies the control inside the Form. 
This is used for translation files when a control cannot be identified by its binding such as for FieldSet. | +| NavigationBinding optional | Int64 | Defines the binding of the resource on which the user will be redirected when he clicks on an element of a BasicCollection. If not defined, the one defined in DisplayEntityProperty is used. | +| OutputType default value: Inherited | Enumeration | Output type of the control. | +| ParentControl optional | Int64 | Defines the parent form control. | +| PlaceHolderText_L1 optional | String | Defines the place holder text. | +| Tile optional | Int64 | Identifier of the tile. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md new file mode 100644 index 0000000000..989b9a2a22 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/index.md 
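Review bot: in form/index.md, the "Display settings" text says that with HideRoles set to true the Access Permissions tab "is not accessible", while the Properties table says "True to hide the **Access Permissions** tab". Since this sits under display settings, use "is not displayed" in both places so nobody takes the flag for an access control. In the Control table, the DefaultValueBinding description reads "For example: `` After a selection of an organization", with empty inline code where the example should be. Restore or remove it. In the InputType list each screenshot is placed before the bullet it illustrates (the attachment image comes ahead of the whole list), so images read as belonging to the preceding bullet. Put each image after its own bullet. Minor: "`Picker`InputType" in FilterBinding2 is missing a space, "In this example is a tree control" is ungrammatical, and both example fences in this file contain only whitespace and "...".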
@@ -0,0 +1,11 @@ +# User Interface + +- [ Display Entity Association ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentityassociation/index.md) +- [Display Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displayentitytype/index.md) +- [ Display Property Group ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaypropertygroup/index.md) +- [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +- [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) +- [ Indicator ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md) +- [ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) +- [Search Bar](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md) +- [ Tile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md new file mode 100644 index 0000000000..a007e73fd1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/indicator/index.md 
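Review bot: in user-interface/index.md, the link labels are padded inconsistently: "[ Display Entity Association ]", "[ Display Property Group ]", "[ Indicator ]", "[ Menu Item ]" and "[ Tile ]" carry spaces inside the brackets while "[Display Entity Type]", "[Display Table]", "[Form]" and "[Search Bar]" do not. Trim the padded ones so the list renders uniformly. The same padded form "[ Tile ]" also appears in the Indicator page added by this patch.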
@@ -0,0 +1,75 @@ +# Indicator + +An Indicator displays a banner alongside the resource information whenever it meets a specific +criteria. + +More precisely, an indicator displays the appropriate banner whenever the _Binding_ matches the +_Item Value_ according to the _Comparison operator_, as can be seen on the example below. + +The banner is displayed wherever the associated resource appears. + +For example, if we create an indicator pointing out the risk score of a user, the banner will show +on the left-side of the user [ Tile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) and the user [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). If we +create an indicator pointing out whether an AD account is unused or disabled, the banner will show +on the left-side of the AD Entries tile and form. + +One entity can show several banners, one for several different properties. They appear one above the +other if there are four banners or less, one next to the other if there are more. + +One indicator can possess several items, that define the information for the banner to be displayed. +The indicators order is important because the banner will get the information of the first item +matching the observed property. + +## Examples + +The following example entails the display of a red banner for a user with a high risk score and an +orange banner for a user with a medium risk. + +The XML file below states that if the risk score is greater than 75, only the indicator "High risk" +will be displayed and not "Medium risk". If it is lower than 75 and greater than 30, the indicator +will be "Medium risk". If it is lower than 30, there will be no indicator. 
+ +``` + + + +``` + +Note that if you write the "Medium risk" item before the "High risk" one, even if the score if +greater than 75, the banner will be orange according to the first item: + +``` + + + +``` + +## Properties + +| Property | Details | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding optional | **Type** Int64 **Description** Defines the binding path to a scalar property. | +| ComparisonOperator required | **Type** QueryComparisonOperator **Description** Defines how to compare the given binding to an indicator item value. 
All possible values: - Auto: The SearchOperator is calculated by the engine according to the type of element. - NotEqual: finds the elements that are not equal to the desired value. - Equal: finds the elements that are strictly equal to the desired value. - Contain: finds the elements that contain the desired value. - StartWith: finds the elements that start with the desired value. - EndWith: finds the elements that end with the desired value. - NotContain: finds the elements that do not contain the desired value. - NotStartWith: finds the elements that do not start with the desired value. - NotEndWith: finds the elements that do not end with the desired value. - GreaterThan: finds the elements that are greater than the desired value. - LessThan: finds the elements that are less than the desired value. - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. - LessThanOrEqual: finds the elements that are less than or equal to the desired value. - Flexible\*: The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. The flexible operators are: - FlexibleEqual. - FlexibleContain. - FlexibleStartWith. - FlexibleEndWith. | +| EntityType required | **Type** Int64 **Description** Represents the linked entity type. | +| OptimizedBinding optional | **Type** Int64 **Description** Optimized Binding allows Indicators to be faster displayed. If it is filled in, it takes priority over the Binding located in the Indicator. | +| Order required | **Type** Int32 **Description** Defines the order in which the banners are displayed. If there is no order needed, its value is zero for all indicators. | + +## Child Element: Item + +Defines the banner to be displayed information. 
+ +### Examples + +``` + + + +``` + +### Properties + +| Property | Details | +| ----------------------- | ------------------------------------------------------------------------------------------------------- | +| Color required | **Type** String **Description** Defines the color of the item. | +| DisplayName_L1 optional | **Type** String **Description** Display name of the banner in language 1 (up to 16). | +| Value optional | **Type** String **Description** Defines the value with which the indicator binding will be compared to. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md new file mode 100644 index 0000000000..83745ff4af --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md 
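Review bot: in indicator/index.md, the risk-score example leaves the boundary scores undefined: the text covers "greater than 75", "lower than 75 and greater than 30" and "lower than 30", so a score of exactly 75 or exactly 30 matches none of the cases as written. ComparisonOperator offers both GreaterThan and GreaterThanOrEqual, so state which one the example uses and word the ranges to match. The paragraph before it says "The indicators order is important" but then describes the first matching item winning. That should read "The order of the items is important", which also keeps it distinct from the indicator-level Order property (the order in which banners are displayed). This matters for readers because, as the page itself notes, a misordered item list shows an orange banner for a score above 75. Minor: "even if the score if greater than 75" should be "is greater", "Defines the banner to be displayed information." needs rewording, and the three fences in this file are empty as added.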
@@ -0,0 +1,42 @@ +# Search Bar + +The SearchBar is an element of the user interface that allows you to search from a list of +properties of an EntityType. + +## Examples + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                 +``` + +## Properties + +| Property | Type | Description | +| ------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| EntityType required | Int64 | References the linked entity type. | +| Menu optional | Int64 | References the linked Menu. Each Menu Item of this Menu is a link to an entity's workflow displayed under the search bar on the visualization page of the entity's resource list. | +| SearchBarDesignElement required | Enumeration | Defines the type of the searchBar (Block,Inline). | +| SearchedBinding optional | Int64 | Defines the binding on which the search will be applied. | +| SearchedEntityType required | Int64 | Defines the entity type on which the search will be applied. | + +## Child Element: Criterion + +A SearchBarCriteria defines a search criterion on a given property. See the Search Bar topic for +additional information. 
+ +### Properties + +| Property | Type | Description | +| -------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ColumnSize required | Int32 | Size of the insertion or selection element of the property. | +| DefaultValue optional | String | Basic filter on the properties on the value or values entered in parameters. | +| DisplayName_L1 optional | String | Display name of the criteria in language 1 (up to 16). 
| +| InputType required | Enumeration | Type of the research property, supports only a predefined set of values listed below: - Attachment - Auto - Checkbox - Combobox - ComboboxMultiSelection - Date - Hidden - Image - Inherited - Picker - Text - TextArea See the [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional information. | +| IsVisibleInAdvancedView default value: false | Boolean | True to make the property visible in the advanced search but not in the main search properties. | +| Operator default value: 0 | QueryComparisonOperator | Defines how to do the research. All possible values: - Auto — The SearchOperator is calculated by the engine according to the type of element - NotEqual — finds the elements that are not equal to the desired value - Equal — finds the elements that are strictly equal to the desired value - Contain — finds the elements that contain the desired value - StartWith — finds the elements that start with the desired value - EndWith — finds the elements that end with the desired value - NotContain — finds the elements that do not contain the desired value - NotStartWith — finds the elements that do not start with the desired value - NotEndWith — finds the elements that do not end with the desired value - GreaterThan — finds the elements that are greater than the desired value - LessThan — finds the elements that are less than the desired value - GreaterThanOrEqual — finds the elements that are greater than or equal to the desired value - LessThanOrEqual — finds the elements that are less than or equal to the desired value - Flexible\* — The Flexible search operators transform the desired value according to the FlexibleComparisonExpression defined in Property then search. 
The flexible operators are: - FlexibleEqual - FlexibleContain - FlexibleStartWith - FlexibleEndWith | +| OptimizedBinding1 optional | Int64 | Represents the first optimized binding definition. An optimized binding allows searches to be faster displayed. If it is filled in, it takes priority over the binding located in the search bar criterion column. | +| PlaceHolderText_L1 optional | String | Overloads the DisplayName of the search property with this string. | +| ToolTipText_L1 optional | String | Text displayed in the tool tip. | diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md new file mode 100644 index 0000000000..1dcefbd96e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md 
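Review bot: in searchbar/index.md, the "Child Element: Criterion" section ends with "See the Search Bar topic for additional information", which is an unlinked pointer to the page the reader is already on. Drop it or link to the topic that was intended. The same section calls the element "SearchBarCriteria" while the heading says "Criterion", so pick one name. The Operator row declares "default value: 0" but the value list gives names only (Auto, NotEqual, Equal, ...), so the reader cannot tell which operator 0 is. The Form page in this patch numbers its enumerations ("0 - None. 1 - Self."), and the same format would fit here. Minor: "(Block,Inline)" is missing a space after the comma, and the example fence contains only whitespace, so the "Code attributes enclosed with `<>`" sentence refers to nothing visible.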
@@ -0,0 +1,59 @@ +# Add Change Aspect + +Modifies a given property value. + +## Examples + +The following example computes a new value for the property `IsDraft` from the `Directory_User` +entity type. The new value is always `true`. The pointcuts define when the value change must happen. + +``` + + + + +``` + +### Accept Null Value + +The following example computes a new value for the `Card` property in users' records, considering +`null` as a value. Instead of being ignored, a `null` value returned by `Expression` will replace +the old value. + +``` + + + +``` + +## Properties + +| Property | Details | +| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be changed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| AcceptNullValueExpression optional | **Type** String **Description** C# expression returning a boolean, `true` to consider `null` for the new value returned by `Expression`. By default, `null` values are ignored. | +| Expression optional | **Type** String **Description** C# expression returning a new value for the property to be changed. **Note:** this property can also be defined by a binding via `ExpressionBinding`. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. 
| +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md new file mode 100644 index 0000000000..8bcbba2917 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md 
@@ -0,0 +1,80 @@ +# Assert Value Aspect + +Checks whether the value of a given property satisfies a given condition. + +## Examples + +The following example makes sure that, when creating a new employee, the contract end date is after +the contract start date. The pointcuts define when the value assertion must happen. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +         +``` + +### Assert a multi-valued object + +When asserting a multi-valued object, said object must not be called through a binding that goes +back and forth between entities. + +For example, to manage records, using the ExpressionBinding set to +``. Records and the Expression using C#:record:return +record.Directory_User.Records... will not work. + +Instead, the ExpressionBinding should be set to `` and the +Expression should use C#:user:return user.Records. + +The following example makes sure that a user's positions do not overlap. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +     +``` + +## Properties + +| Property | Type | Description | +| -------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | String | Binding whose difference with ExpressionBinding defines the property to be validated by the aspect. | +| Identifier required | String | Unique identifier of the aspect. | +| Expression optional | String | C# expression returning a boolean, false to invalidate the property value. 
| +| ExpressionBinding optional | String | Binding: - Defines the variable type used in the potential expressions specified in the aspect; - Whose difference with Binding defines the property involved in the aspect **NOTE:** Required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | String | Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Message_L1 optional | String | Message in language 1 (up to 16) to be displayed when the property is invalidated by the condition specified in Expression. | +| Priority default value: 0 | Int32 | Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **NOTE:** The priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked aspect. See the +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) topic for additional information. + +The position of the pointcut is specified by an activity state and a mode (before or after). 
+ +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Type | Description | +| ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | Int64 | Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | Enumeration | Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | PointCutMode | Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 0 - Before — the aspect will be executed on entry to the specified activity state, regardless of the transition used. 1 - After — the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md new file mode 100644 index 0000000000..62bc75a041 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md 
@@ -0,0 +1,41 @@ +# Assert Value Required Aspect + +Checks whether a given property has a non-null value. + +## Examples + +The following example makes sure that the contract start date is specified for any new worker. The +pointcuts define when the value assertion must happen. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be validated by the aspect. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Message_L1 optional | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the property is empty. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. 
**Note:** the priority can be a negative value. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md new file mode 100644 index 0000000000..dac3e48ffd 
--- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md 
@@ -0,0 +1,216 @@ +# Build Unique Value Aspect + +Computes a unique value for a given property. + +## Examples + +The following example generates bots' logins during their creation. + +``` + + + + +``` + +## Properties + +| Property | Details | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Binding required | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property to be computed. | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Expression optional | **Type** String **Description** C# expression that computes the unique value. **Note:** the computation can be configured in SQL instead of C# via `SqlBuildExpression`. Decide whether to use either `Expression` or `SqlBuildExpression`, not both. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| HistorizeBinding optional | **Type** String **Description** Binding that stores all the old values computed by the aspect. 
| +| HistorizeSeparator default value: � | **Type** String **Description** Defines the character used as a separator in the `HistorizeBinding` property. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IterationsCount default value: 0 | **Type** String **Description** Maximum number of computation attempts without finding a unique value. **Note:** a variable named `iteration` is available to use the attempt number in the expressions of the aspect and/or of the potential unicity check rules, for example to help manage homonyms. Hence, a custom variable cannot be declared with the name `iteration`. | +| Message_L1 default value: | **Type** String **Description** Message in language 1 (up to 16) to be displayed when the value generation failed, i.e. when `IterationsCount` is exceeded. | +| OnlyIfNew default value: false | **Type** String **Description** `true` to trigger the aspect only for the creation of new resources. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| SimulationExpression optional | **Type** String **Description** Expression used instead of the `Expression` parameter when previewing the workflow result before its implementation. | +| SqlBuildExpression optional | **Type** String **Description** SQL command that computes the unique value. **Note:** the computation can be configured in C# instead of SQL via `Expression`. Decide whether to use either `SqlBuildExpression` or `Expression`, not both. 
| +| SqlCheckExpression optional | **Type** String **Description** SQL request that checks whether the value computed with the binding/expression is unique, i.e. not yet used by another resource.**Note:** required if zero unicity check rules are linked to the aspect.**Warning:** the SQL request must be efficient because a potential timeout may block the progress of the workflow. For example, when the database's state and indexes are not well known, prefer to use views rather than the whole tables, because views store way fewer elements than tables, which makes them faster to use in a request. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 
`0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: UnicityCheckRule + +A unicity check rule ensures that the expression computed by a `BuildUniqueValue`aspect for a given +property is unique, i.e. not yet used by another resource, in a given entity type. + +The comparison performed by these rules to check unicity can be configured in SQL instead of C# via +the `SqlCheckExpression` property of the aspect. See the Build Unique Value Aspect topic for +additional information. + +The value of the source binding/expression is computed based on the properties of the source +resource which is the resource whose property we compute via the `BuildUniqueValue` aspect. + +The rule compares the return value of the source binding/expression with the existing values of the +target binding/expression in the target entity type. + +![Schema: Unicity Check](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/aspects_unicitycheck.webp) + +> For example, we need to generate an email address for any new user joining the company. We +> configure in a `BuildUniqueValue` aspect that users' emails are computed with +> `{firstName}.{lastName}@{EmailDomain}`. +> +> Consider a new user called John Doe. We need to link to the aspect a unicity check rule that is +> going to compare the email core `john.doe` with the email cores of existing resources in a given +> entity type. Thus Identity Manager can ensure that the email core is unique, and finally build the +> unique email address. + +Both source and target bindings/expressions must be consistent with the binding/expression used in +the corresponding aspect which must not use a `SqlCheckExpression`. 
+ +One `BuildUniqueValue` aspect can be linked to many unicity check rules, but should not be linked to +more than one rule per target entity type. + +The unicity check rules linked to a same aspect are combined with the AND operator. It means that +the aspect's iteration goes up when at least one of the rules detects non-unicity. + +When creating or updating a unicity check rule, launch the +[ Compute Correlation Keys Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computecorrelationkeystask/index.md) +before applying the role model and launching workflows. + +**For information:** Identity Manager needs to store the correlation keys linked to the expressions +defined in the unicity check rule, such as the return value, the entity type, etc. That's why the +task mentioned above must be launched before launching any workflow using a unicity check rule. + +### Examples + +#### Basic example + +The following example checks the unicity of the login of a new user. + +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> +> ``` + +We want to check the unicity of the new user's login, compared with the logins of existing users: + +``` + + + +``` + +Here the source binding and expression are those from the aspect. + +#### Multiple unicity checks + +With the same aspect as the previous example, we might want to compare the login of the new user +with the list of reserved logins too: + +``` + + + +``` + +#### Sophisticated example + +The following example checks the unicity of the email address of a new user. 
+ +> In order to be able to write the source and target bindings/expressions of the unicity check rule, +> you must understand the binding/expression of the corresponding `BuildUniqueValue` aspect: +> +> ``` +> +> +> // We want an email address such as {firstName}.{lastName}@{EmailDomain}. +> +> Expression="C#:record:var firstName = record.FirstName.Simplify()?.ToLowerInvariant(); +> var lastName = record.LastName.Simplify()?.ToLowerInvariant(); +> if (string.IsNullOrEmpty(firstName) || string.IsNullOrEmpty(lastName)) +> { +> // Missing data +> return null; +> } +> +> var result = firstName + "." + lastName; +> +> // If the email core, i.e. {firstName}.{lastName}, is already used, then we try with {firstName}.{lastName}2, etc. +> if (iteration > 0) +> { +> result += iteration.ToString(); +> } +> +> result = result + '@' + record.Subsidiary?.EmailDomain; +> return result;" IterationsCount="10" /> +> +> ``` + +We want to include in the unicity check only the email's core `firstName.lastName` without the +`@EmailDomain` part. This is why the source expression starts like the aspect's expression but does +not add the domain part, and the target expression removes the domain part from existing values: + +``` + + + +``` + +| Property | Details | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| SourceBinding optional | **Type** Int64 **Description** Binding property (from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. 
**Note:** when not specified, the unicity check rule uses the binding from the aspect. | +| SourceExpression optional | **Type** String **Description** Binding expression (based on properties from the source entity type specified in the corresponding workflow) whose value is to be compared with the existing values of the target binding/expression. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. **Note:** when not specified, the unicity check rule uses the expression from the aspect. | +| TargetBinding optional | **Type** Int64 **Description** Binding property (from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. | +| TargetEntityType required | **Type** Int64 **Description** Identifier of the entity type for which the rule checks the property's unicity. | +| TargetExpression optional | **Type** String **Description** Binding expression (based on properties from the target entity type) whose values corresponding to existing resources are to be compared with the value of the source binding/expression. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md new file mode 100644 index 0000000000..8aa7f3009d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md 
@@ -0,0 +1,34 @@ +# Aspects + +An aspect is a modularization of a concern that cuts across multiple work flows. Identity Manager +uses aspects to perform some specific actions at given workflow steps. + +For example, an aspect can assert a given user's input is valid. + +- [ Add Change Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/index.md) + + Modifies a given property value. + +- [Assert Value Aspect](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvalueaspect/index.md) + + Checks whether the value of a given property satisfies a given condition. + +- [ Assert Value Required Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/assertvaluerequiredaspect/index.md) + + Checks whether a given property has a non-null value. + +- [ Build Unique Value Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/builduniquevalueaspect/index.md) + + Computes a unique value for a given property. + +- [Invoke Script Aspect](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md) + + Executes a customized script. + +- [ Invoke Workflow Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md) + + Launches a workflow. + +- [ Notification Aspect ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md) + + Sends a notification email to one or several users. 
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md new file mode 100644 index 0000000000..9655d1096f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokescriptaspect/index.md 
@@ -0,0 +1,47 @@ +# Invoke Script Aspect + +Runs a tailored script asynchronously, independent of the workflow event, necessitating the creation +and execution of a job using an InvokeAspectsTask task. + +## Examples + +The following example executes the script `aspect.ps1` on the local agent, when creating a new user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + + + + + +``` + +## Properties + +| Property | Type | Description | +| -------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | String | Unique identifier of the aspect. | +| Agent optional | String | Agent on which the script will be launched. | +| ExpressionBinding optional | String | Binding defines the variable type used in the potential expressions specified in the aspect. The difference with `Binding` defines the property involved in the aspect. **NOTE:** It is required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | String | Expression that conditions the aspect execution. See the [ C# utility functions ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for additional information. | +| Priority default value: 0 | Int32 | Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **NOTE:** The priority can be a negative value. 
| +| ScriptFile optional | String | Path of the script file to be executed by the aspect. | + +## ChildElement: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked aspect. See the +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) topic for additional information. + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Type | Description | +| ---------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | Int64 | Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | Enumeration | Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | PointCutMode | Mode defining when exactly the aspect is triggered around the specified workflow's activity state. 0 - Before — The aspect will be executed on entry to the specified activity state, regardless of the transition used. 1 - After — The aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md new file mode 100644 index 0000000000..1145517322 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/invokeworkflowaspect/index.md 
@@ -0,0 +1,40 @@ +# Invoke Workflow Aspect + +Launches a workflow. + +## Examples + +The following example launches the workflow `Directory_User_VehicleRequest` when a vehicle is +requested for a new internal user. + +``` + + + + +``` + +## Properties + +| Property | Details | +| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Workflow required | **Type** String **Description** Identifier of the workflow to be launched. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. **Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| IfExpression optional | **Type** String **Description** Expression that conditions the aspect execution. See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. 
| + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. | +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md new file mode 100644 index 0000000000..bb02e4e8f7 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/notificationaspect/index.md 
@@ -0,0 +1,125 @@ +# Notification Aspect + +Sends a notification email to one or several users. + +## Examples + +The following example sends a notification email based on the template +`Notification_Directory_Guest.cshtml` and the subject computed by `SubjectExpression_L1`, which both +use data from `Workflow_Directory_Guest:Directory_Guest`, and on the styles from +`Notification_Directory_Guest.css`. + +``` + + + + +``` + +The notification will be sent after the `Request` activity of the `Directory_Guest_AdvancedStart` +workflow is executed. +The notification will be sent to all email addresses defined by `Directory_Guest:Mail`. + +## Properties + +| Property | Details | +| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Identifier required | **Type** String **Description** Unique identifier of the aspect. | +| Binding optional | **Type** String **Description** Binding whose difference with `ExpressionBinding` defines the property that corresponds to identities' email addresses, when `Type` is set to `Binding`. | +| CssFile optional | **Type** String **Description** Path to the css file that defines the styles for the email. **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| ExpressionBinding optional | **Type** String **Description** Binding: - that defines the variable type used in the potential expressions specified in the aspect; - whose difference with `Binding` defines the property involved in the aspect. 
**Note:** required when handling the property of multi-valued objects, for example records, to make sure to modify the property in all records and not only in one. | +| Priority default value: 0 | **Type** Int32 **Description** Execution priority among all aspects. At a given activity state, the aspect with the highest priority will be triggered first. **Note:** the priority can be a negative value. | +| RazorFile_L1 optional | **Type** String **Description** Path to the Razor cshtml file that defines the email's body template in language 1 (up to 16). **Note:** the path must be relative to the configuration folder, and the file must be inside it. | +| SubjectExpression_L1 optional | **Type** String **Description** C# expression that defines the email's subject in language 1 (up to 16). The expression's variable type is defined in `ExpressionBinding`. | + +## Child Element: PointCut + +A pointcut is a mechanism telling Identity Manager when to execute the linked +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md). + +The position of the pointcut is specified by an activity state and a mode (before or after). + +![pointcut Schema](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/addchangeaspect/pointcut.webp) + +| Property | Details | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity required | **Type** Int64 **Description** Identifier of the activity whose specified state triggers the aspect. 
| +| ActivityState required | **Type** Enumeration **Description** Identifier of the activity state that triggers the aspect. | +| Mode default value: 0 | **Type** PointCutMode **Description** Mode defining when exactly the aspect is triggered around the specified workflow's activity state. `0` - **Before**: the aspect will be executed on entry to the specified activity state, regardless of the transition used. `1` - **After**: the aspect will be executed on exit from the specified activity state, regardless of the transition used. | + +## Child Element: Recipient + +A recipient defines one or several identities who will receive a notification from +`NotificationAspect`. + +### Examples + +The following example sends a notification email to the actors of the next step of the workflow. + +``` + + + + + +``` + +The following example sends a notification email to the performers of the `Request` activity of the +`Directory_User_StartInternal` workflow when the state is `Executed`. + +``` + + + + + +``` + +The following example sends a notification email to the email address, stored in `Mail`, of the +user(s) from `Directory_User` targeted by the workflow, so here the new user created by the +`Directory_User_StartInternal` workflow. + +``` + + + + + +``` + +The following example sends a notification email to all identities whose email addresses are defined +as `{lastName}@company.com`. + +``` + + + + + +``` + +The following example sends a notification to all identities with a profile that includes the right +permission. 
+ +``` + + + + + +Knowing that we also have: + + + + +``` + +| Property | Details | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Activity optional | **Type** Int64 **Description** Identifier of the activity whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `ActivityState`. | +| ActivityState optional | **Type** Enumeration **Description** Identifier of the activity state whose last performers are to be notified, when `Type` is set to `Performer`. **Note:** must be set together with `Activity`. | +| Binding optional | **Type** Int64 **Description** Binding of the property that represents the notification's recipients, when `Type` is set to `Binding`. | +| EmailAddresses optional | **Type** String **Description** Email addresses of the notification's recipients, when `Type` is set to `Hardcoded`. | +| Expression optional | **Type** String **Description** C# expression that returns the email addresses of the notification's recipients, as strings or IEnumerable``, when `Type` is set to `Expression`. The expression's variable type is defined in `ExpressionBinding` in the associated `NotificationAspect`. 
See the [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional information. | +| IsCC default value: false | **Type** Boolean **Description** `true` to send the notification email to the recipient(s) as a carbon copy (CC). | +| Type required | **Type** RecipientType **Description** Type of recipients for the email notification. **Actor**: the identities with the permissions to act on the next step of the workflow specified in the pointcut. **Performer**: the actors of a past workflow step specified in `Activity` and `ActivityState`. **Binding**: the identities whose email addresses are designated by the property specified in `Binding`. **Hardcoded**: the identities whose email addresses are specified explicitly in `EmailAddresses`. **Expression**: the identities whose email addresses match the C# expression specified in `Expression`. **Profile**: the identities with the permission `/Custom/WorkflowsNotifications/{workflow_identifier}/` `{activity_identifier}/{activityTemplateState_shortIdentifier}`. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md new file mode 100644 index 0000000000..7eaf15c0f8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md 
@@ -0,0 +1,45 @@ +# Forms + +Workflows use forms to collect input data through the UI. A form is a set of fields, configured with +controls. A control can define a field to fill, a fields set, call an existing form, etc. depending +on its output type. + +Here is a list of forms: + +- [WorkflowAddandEndRecordEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md) + + Displays a form to define the end date of an existing record, and replace it with a new record + at said date, by duplicating and adjusting the old record. + +- [WorkflowAddRecordEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md) + + Displays a form to add a new record for an existing resource, by duplicating and adjusting an + existing record. + +- [WorkflowCreateEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md) + + Displays a form to create a new resource, without a record. + +- [WorkflowCreateRecordEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md) + + Displays a form to create a new resource with a record. + +- [WorkflowCreateSeveralRecordsEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md) + + Displays a form to create a new resource with one or several records. + +- [WorkflowEditEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md) + + Displays a form to update or delete an existing resource, without a record. 
+ +- [WorkflowUpdateRecordEntitiesForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md) + + Displays a form to update data for several resources simultaneously. + +- [WorkflowUpdateRecordEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md) + + Displays a form to select an existing record and update it. + +- [WorkflowUpdateSeveralRecordsEntityForm](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md) + + Displays a form to create, update or delete one or several records. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md new file mode 100644 index 0000000000..f1d2b24d86 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/index.md @@ -0,0 +1,64 @@ +# WorkflowAddandEndRecordEntityForm + +Displays a form to define the end date of an existing record, and replace it with a new record at +said date, by duplicating and adjusting the old record. + +## Examples + +The following example is a form to update a position. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource data's content and summary: +
+     +     + +And with the following form for the record data's content and summary, and for the data that groups records together: +
+     +         +         +     +     +         +         +         +         +     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Position](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Position](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddandendrecordentityform/formexample_workflowaddandendrecordentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md new file mode 100644 index 0000000000..57ec33eec4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/index.md @@ -0,0 +1,68 @@ +# WorkflowAddRecordEntityForm + +Displays a form to add a new record for an existing resource, by duplicating and adjusting an +existing record. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource data's content and summary: +
+     +     + +And with the following form for the record data's content and summary: +
+     +         +         +     +     +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowaddrecordentityform/formexample_workflowaddrecordentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. 
| +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md new file mode 100644 index 0000000000..348304fc5d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/index.md @@ -0,0 +1,67 @@ +# WorkflowCreateEntityForm + +Displays a form to create a new resource, without a record. + +## Examples + +The following example is a form to create a new site. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     + +With the following form for the workflow's content: +
+     +         +         +         +         +         +         +         +         +         +         +     +     +         +         +         +     + +And with the following form for the workflow's summary: +
+     +         +         +         +         +     +     +         +         +     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Site Creation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Site Creation](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateentityform/formexample_workflowcreateentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| ----------------------------- | -------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: SummaryControl | Set of fields to sum up the collected data after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md new file mode 100644 index 0000000000..4444f61499 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/index.md 
@@ -0,0 +1,64 @@ +# WorkflowCreateRecordEntityForm + +Displays a form to create a new resource with a record. + +## Examples + +The following example is a form to create a new user from HR. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +     +     +     +     + +With the following form for the workflow's content and summary about resource data: +
+     +         +     + +And with the following form for the workflow's content about record data: +
+     +     +     +     +     +     +     +     +     + +And with the following form for the workflow's summary on record data: +
+     +         +         +         +         +         +     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - New User from HR](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreaterecordentityform/formexample_workflowcreaterecordentityform_v603.webp) + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution. + +## Properties + +| Property | Description | +| ----------------------------------- | --------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..e52d0e0242 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/index.md 
@@ -0,0 +1,77 @@ +# WorkflowCreateSeveralRecordsEntityForm + +Displays a form to create a new resource with one or several records. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     + +With the following form for the resource's data: +
+     +     +     +     + +And with the following form for the data shared with all records: +
+     +         +         +         +         +         +         +         +         +     + +And with the following form for the data specific to each record: +
+     +         +         +     +     +         +         +         +         +         +         +     +     +         +         +         +         +         +         +         +     + + +``` + +The contents of `MainControl`, `RecordControl` and `RecordUniqueItemControl` are visible during the +workflow's execution: + +![Form Example - New User from Helpdesk](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowcreateseveralrecordsentityform/formexample_workflowcreateseveralrecordsentityform_v603.webp) + +## Properties + +| Property | Description | +| -------------------------------------- | ---------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields to collect data specific to each record. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md new file mode 100644 index 0000000000..d36deb29cc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/index.md @@ -0,0 +1,38 @@ +# WorkflowEditEntityForm + +Displays a form to update or delete an existing resource, without a record. + +## Examples + +The following example is a form to request a computer. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     + +With the following form for the workflow's content and summary: +
+     + + +``` + +The content of `MainControl` is visible during the workflow's execution: + +![Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_v603.webp) + +The content of `SummaryControl` is visible after the workflow's execution: + +![Summary Form Example - Computer Request](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workfloweditentityform/formexample_workfloweditentityform_summary_v603.webp) + +## Properties + +| Property | Description | +| ----------------------------- | -------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: SummaryControl | Set of fields to sum up the collected data after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md new file mode 100644 index 0000000000..b2a7ff2fa3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/index.md @@ -0,0 +1,63 @@ +# WorkflowUpdateRecordEntitiesForm + +Displays a form to update data for several resources simultaneously. + +## Examples + +The following example is a form to update users' positions in bulk. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the workflow's content and summary about resource data: +
+     + +And with the following form for the workflow's content and summary about record data: +
+         +     +         +         +         +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Mass Update](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentitiesform/formexample_workflowupdaterecordentitiesform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be modified as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +## Properties + +| Property | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. | +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | 
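Review bot: in workflowupdaterecordentitiesform/index.md the sentence "The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's execution:" ends with a colon and is followed directly by `## Properties`, so the summary screenshot it announces is missing. Either add the summary image, as workflowaddrecordentityform/index.md and workflowaddandendrecordentityform/index.md do, or end the sentence with a period. The properties table header here is `Property | Details`, while the other form pages earlier in this patch use `Property | Description`; pick one for the whole forms section.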
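Review bot: in invokescriptaspect/index.md the `ScriptFile` row only says "Path of the script file to be executed by the aspect." and marks the property optional. Since this aspect runs a script on an agent, state what the path is resolved against and whether the file must stay inside the configuration folder, the way the `CssFile` and `RazorFile_L1` rows in notificationaspect/index.md do, and say what the aspect does when `ScriptFile` is omitted. In the same table the `ExpressionBinding` description ("The difference with `Binding` defines the property involved in the aspect") refers to a `Binding` property that this table does not list, and the heading `## ChildElement: PointCut` is written `## Child Element: PointCut` in the sibling aspect pages.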
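Review bot: in notificationaspect/index.md, Recipient properties table, the `Expression` row reads "as strings or IEnumerable``": the generic type argument has been lost and an empty code span is left behind. Put the whole type inside a single code span so the angle brackets survive rendering. In the same table `Binding` is typed `Int64` although it is described as the binding of a property and the aspect-level `Binding` is typed `String`; confirm which is correct. The last Recipient example also carries the sentence "Knowing that we also have:" inside the code fence; close the fence before it and open a new one after it so the prose renders as prose.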
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md new file mode 100644 index 0000000000..d237c54dd5 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/index.md @@ -0,0 +1,92 @@ +# WorkflowUpdateRecordEntityForm + +Displays a form to select an existing record and update it. + +## Examples + +The following example is a form to update a user's record from helpdesk: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +   +   +   +   +   + +With the following form for the resource's data and summary: +
+   +   + +And with the following form for the data shared with all records and for the summary: +
+   +     +       +       +     +     +     +     +     +       +       +     +     +     +     +   +   +     +     +     +     +     +   +   +     +     +     +     +     +     +     +   + +And with the following form for the data that groups records together: +
+   + + +``` + +**NOTE:** `WorkflowUpdateRecordEntity` used in config Delete mode (`IsDelete=True`) will delete +systematically the main resource and all the associated records. + +The contents of `MainControl` and `RecordControl` are visible during the workflow's execution: + +![Form Example - Update Data](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +The contents of `MainSummaryControl` and `RecordSummaryControl` are visible after the workflow's +execution: + +![Summary Form Example - Update Data](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) + +## Properties + +| Property | Details | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data about the resource's record. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: MainSummaryControl | Set of fields to sum up the data collected by `MainControl` after the workflow's execution. | +| Child Element: RecordSummaryControl | Set of fields to sum up the data collected by `RecordControl` after the workflow's execution. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md new file mode 100644 index 0000000000..4b5a30311d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/index.md @@ -0,0 +1,89 @@ +# WorkflowUpdateSeveralRecordsEntityForm + +Displays a form to create, update or delete one or several records. + +## Examples + +The following example is a form to create, update and/or delete one or several positions for a given +user. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + +     +     +     +     +     + +With the following form for the resource's data: +
+     +     + +And with the following form for the data shared with all records: +
+     +     +     +     +     + +And with the following form for the data used to update existing records: +
+     +         +         +         +         +         +         +         +     + +And with the following form for the data used to add new records: +
+     +         +         +         +         +         +         +         +         +     + +And with the following form for the data that groups records together: +
+     + + +``` + +The contents of `MainControl`, `RecordControl`, `RecordSlaveUniqueItemControl` and +`RecordSlaveControl` are visible during the workflow's execution: + +![Summary Form Example - Update Data](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdaterecordentityform/formexample_workflowupdaterecordentityform_summary_v603.webp) + +When adding a new position, we decide to make `Title` available, in addition to the fields used to +update existing records: + +![Form Example - Manage a User's Positions - New Record](/img/product_docs/identitymanager/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/workflowupdateseveralrecordsentityform/formexample_workflowupdateseveralrecordsentityform_newrecord_v603.webp) + +The content of `RecordUniqueItemControl` is not visible. The user's records that have the same +values for all the properties in `RecordUniqueItemControl` will be displayed, and potentially +modified, as one. + +## Properties + +| Property | Details | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Child Element: MainControl | Set of fields to collect data about the main resource. | +| Child Element: RecordControl | Set of fields to collect data when adding new records. | +| Child Element: RecordUniqueItemControl | Set of fields that group records together. All records with the same data in `RecordUniqueItemControl` are displayed in the workflow as only one record, and they will potentially be modified together. When not specified, records will be grouped by the data from `RecordControl`. 
| +| Child Element: RecordSlaveUniqueItemControl | Set of fields to collect the data shared with all the resource's records, for example contract information when managing positions. | +| Child Element: RecordSlaveControl | Set of fields to collect data when updating existing records. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md new file mode 100644 index 0000000000..84c4174ac1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md @@ -0,0 +1,42 @@ +# Homonym Entity Link + +This entity is used to configure the homonym workflow. + +## Examples + +``` + + + +``` + +In this example the homonym is linked to a control [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) and it +will be applied for the [ Binding ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) included in the Control where +the homonym is located. Read more about how to configure +[ Workflow Homonym ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflowhomonym/index.md). + +``` + +
+ +``` + +## Properties + +| Property | Details | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| FormEntityType required | **Type** Int64 **Description** In a [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md), an [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) is defined and the [ Binding ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/binding/index.md) of this Form will be loaded from this EntityType. The FormEntityType property represents this EntityType. | +| Identifier required | **Type** String **Description** Unique identifier of the HomonymEntityLink. | + +## Child Element: Filter + +Defines combination of property comparison to use to find homonyms. 
+ +### Properties + +| Property | Details | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| ComparisonProperty1 optional | **Type** Int64 **Description** Defines the property used to compare with the form control `Property`. It should not be defined if it the same as the property in the attribute `Property`. Going from 1 to 5. 
| +| Expression1 optional | **Type** String **Description** Defines the C# expression to apply on the homonymy form controls. The result of the expression evaluation will be compared with the corresponding `ComparisonProperty` using the defined `Operator`. If the `ComparisonProperty` is a computed property, no need to define the expression if it is the same as the one for the computed property. It will be automatically used when finding homonyms. Going from 1 to 5. See the [ C# utility functions ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/csharp-utility-functions/index.md) topic for additional information. | +| Operator1 default value: 2 | **Type** QueryComparisonOperator **Description** Defines the operator to use to compare between the `ComparisonProperty` and the `Property` or the `Expression` evaluation result. By default the `Equal` operator is used. Going from 1 to 5. All possible values: `0` - Auto: The `Operator` is calculated by the engine according to the type of element. `1` - NotEqual: finds the elements that are not equal to the desired value. `2` - Equal: finds the elements that are strictly equal to the desired value. `3` - Contain: finds the elements that contain the desired value. `4` - StartWith: finds the elements that start with the desired value. `5` - EndWith: finds the elements that end with the desired value. `6` - NotContain: finds the elements that do not contain the desired value. `7` - NotStartWith: finds the elements that do not start with the desired value. `8` - NotEndWith: finds the elements that do not end with the desired value. `9` - GreaterThan: finds the elements that are greater than the desired value. `10` - LessThan: finds the elements that are less than the desired value. `11` - GreaterThanOrEqual: finds the elements that are greater than or equal to the desired value. `12` - LessThanOrEqual: finds the elements that are less than or equal to the desired value. 
`*`- Flexible: The `Flexible` operators transform the desired value according to the `FlexibleComparisonExpression` defined in the `EntityProperty` then search. The flexible operators are: `13` - FlexibleEqual `14` - FlexibleContain `15` - FlexibleStartWith `16` - FlexibleEndWith | +| Property1 optional | **Type** Int64 **Description** Defines the form control property to use to compare with `ComparisonOperator` using the defined `Operator`. Going from 1 to 5. | diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md new file mode 100644 index 0000000000..e86abede42 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/index.md @@ -0,0 +1,6 @@ +# Workflows + +- [Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) +- [Forms](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/forms/index.md) +- [ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +- [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) diff --git a/docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md 
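Review bot: In homonymentitylink/index.md, the `Property1` row of the Filter properties table says the form control property is compared "with `ComparisonOperator`", but the table defines no such property. The rows above it are `ComparisonProperty1` and `Operator1`, so this should read `ComparisonProperty`. This filter decides which existing resources are reported as homonyms, so the reference page needs to name the right attribute. In the same table, the `ComparisonProperty1` row has "if it the same as", which is missing "is".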
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md new file mode 100644 index 0000000000..75ee5b52b6 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md @@ -0,0 +1,44 @@ +# Create Menu Items + +After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the +Navigation to this Workflow. + +### Create menu items for a workflow in a resource entity list + +To add a link to an entity's workflow displayed under the search bar on the visualization page of +the entity's resource list you need to create a menu containing the different workflows and put a +link to the entity's searchBar as below. + +[See available icons](https://uifabricicons.azurewebsites.net/). + +The first MenuItem is the main action displayed on the right. + +The other MenuItems are displayed from left to right. + +``` + + + +``` + +This XML element gives the following result: + +![Add workflow link in resource list entity](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinentitylist.webp) + +### Create menu items for a workflow in a resource view + +In the resource view it is also possible to create links to different workflows. + +These workflows will manipulate the selected resource in the view. + +``` + + + +``` + +This XML element gives the following result: + +![Workflow in resource view](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/workflowinresourceview.webp) + +![All workflow in resource view*](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/create-menu-items/allworkflowinresourceview.webp) 
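Review bot: The opening sentence of create-menu-items/index.md, "After creating a workflow as for the EntityTypes, is mandatory to create the MenuItems to create the Navigation to this Workflow.", has no subject, and "as for the EntityTypes" is unclear. Suggest "it is mandatory to create the MenuItems that provide navigation to this workflow", and spell out what the comparison with EntityTypes is meant to say. The headings also jump from `#` straight to `###`, and the last image's alt text "All workflow in resource view*" carries a stray asterisk.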
diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md new file mode 100644 index 0000000000..4360376f34 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md 
@@ -0,0 +1,68 @@ +# Customize Display Tables + +This part shows how to define a custom way to display entity types' data. + +## Table + +This display table with DisplayTableDesignElement set to table will display the list of resources as +a simple table filled with several columns. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                     +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable(Table)](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestable.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a search bar. This avoids +filter duplication. Thus, the `` property can be deleted in the `` argument. + +## Resource Table + +The property DisplayTableDesignElement set to resourcetable allows you to create a table similar to +the display table with DisplayTableDesignElement set to table but adds a column containing the owner +of the resource. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                           +``` + +Here is the visualization of this resource table on the interface: + +![ResourceTable](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablesresourcetable.webp) + +## Display Table with Tiles + +. + +Instead of creating a table, it is possible to create tiles to give another rendering of the user +interface. It is therefore necessary to create the different tiles first. After creating the tiles, +they must be imported into the display table with `` set to ``. +Display tables with other values of `` cannot display tiles. 
+ +See the[ Tile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/tile/index.md) topic for +additional information. + +_Remember,_ if the display table uses tiles, then you can't use bindings. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` +                                                               +``` + +Here is the visualization of this display table on the interface: + +![DisplayTable with Tiles](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-display-table/displaytablestiles.webp) + +See the [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md new file mode 100644 index 0000000000..34b1f89616 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-forms/index.md 
@@ -0,0 +1,80 @@ +# Customize Forms + +This guide shows how to define a custom way to display the input fields to be filled in a given +workflow. + +See the [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) topic for additional +information. + +## Create a View Template for Entities Using Scaffoldings + +Two scaffoldings generate the view, the display table and the rights to access the entity's +resources. + +- [ View Template ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplate/index.md): + Creates the display table, the default view and access rights to the entity. +- [ View Template Adaptable ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/templates/viewtemplateadaptable/index.md): + Creates the entity view (designElement = ResourceTable), the report and the rights for a given + profile. + +These scaffoldings are not enough to access resources. You must add a menu item to define the +navigation in the view in the user interface. + +## Create an Entity View + +To create the entity view, you must manipulate a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +The view form doesn't give access to the view in the interface or the rights to access the +interface. + +The following elements must be in place: + +- [ Create Menu Items ](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +To create the view, you can manipulate one or more forms. 
The example below shows how to create a +view from several different forms. This will allow you to reuse some forms in workflows. + +``` + +
+ +``` + +It is also possible to create only one form that contains all the information: + +``` + +
+ +``` + +### Create an Entity View Using Records + +Some entities may have entity records. To view the entity in question with all the records attached +to it, it is necessary to fill in forms that will load the record data as well as forms for the +parent entity. + +The view form doesn't give access to the view in the interface or the rights to access it. + +The following elements must be in place: + +- [ Create Menu Items ](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) +- [ View Access Control Rules ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/resources/viewaccesscontrolrules/index.md) + +In the example below, the view form will display all records. To change the filter on the record +display, you must change the +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md). + +``` + +
+ +``` + +The record filter not only changes the display options of the record, but also changes the display +of the rights associated with this record. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md new file mode 100644 index 0000000000..c1a6d7af8f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-search-bar/index.md 
@@ -0,0 +1,50 @@ +# Customize Search Bars + +This guide shows how to define a custom way to search from a list of a given entity type's +properties. + +See the [Search Bar](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/searchbar/index.md) topic for +additional information. + +## Default Search Bar + +To search on a resource list for an entity, you must enter a SearchBar tag for the given entity. + +``` + + + +``` + +Here is the visualization of this searchbar on the interface: + +![SearchBarWithoutFilters](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarwithoutfilter.webp) + +Ergonomically, it is recommended to hide the search symbol in a column header (in a list displayed +like a table) if a criterion linked to this column is already displayed in a searchbar. This avoids +filter duplication. Thus, the `` property can be deleted in the `` argument +in the display table. + +## Create Default Filters + +To add a default filter, you must add both of the following properties to a criterion: + +- DefaultValue +- Operator + +``` + + + +``` + +Here is the visualization of this criterion on the interface: + +![SearchBarFilter](/img/product_docs/identitymanager/identitymanager/integration-guide/ui/how-tos/custom-search-bar/searchbarfilters.webp) + +## Search Bar Menu + +Each menu item is a link to an entity's workflow displayed under the search bar on the visualization +page of the entity's resource list. + +See the [ Create Menu Items ](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md)topic for additional information 
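Review bot: In custom-search-bar/index.md, the sentence "Thus, the `` property can be deleted in the `` argument in the display table." has two empty inline code spans, so the reader cannot tell which property or which element is meant. Restore both names, keeping them inside backticks so any angle brackets survive rendering. Both code fences in this file also appear with no content here, so confirm the XML examples survived the move. The closing line "index.md)topic for additional information" needs a space before "topic" and a final period.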
diff --git a/docs/usercube_saas/usercube/integration-guide/ui/how-tos/producttranslations/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/ui/how-tos/producttranslations/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/producttranslations/index.md diff --git a/docs/usercube_saas/usercube/integration-guide/ui/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/ui/index.md similarity index 100% rename from docs/usercube_saas/usercube/integration-guide/ui/index.md rename to docs/identitymanager/saas/identitymanager/integration-guide/ui/index.md diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md new file mode 100644 index 0000000000..229b35a0a8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md 
@@ -0,0 +1,136 @@ +# Activity Templates + +This section describes the activities that constitute and model a +[ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md). Each activity is assigned +a template, made of states and transitions. + +## Overview + +Going through an activity means going through states and transitions. + +![Activity Template - Example](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_example.webp) + +By default, Identity Manager's workflow engine implements the following activity templates: + +- `Action` +- `Action With Refine` +- `Review` +- `Review With Feedback` +- `Continue With` +- `Persist` +- `Persist OnlyResources` + +## Activity Templates + +### Action + +Awaits user modifications without another user's intervention. + +![Activity Template - Action](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_action.webp) + +### ActionWithRefine + +Awaits user modifications with the possibility to delegate the action to another user. + +![Activity Template - ActionWithRefine](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_actionwithrefine.webp) + +The `ActionWithRefine` activity can be translated into the following form: + +![ActionWithRefine in the UI](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activity_actionwithrefine_v602.webp) + +### Review + +Awaits user approval without another user's intervention. + +![Activity Template - Review](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_review.webp) + +### ReviewWithFeedback + +Awaits user approval with the possiblity of getting feedback from another user before taking the +action. 
+ +![Activity Template - ReviewWithFeedback](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activitytemplates_reviewwithfeedback.webp) + +The `ReviewWithFeedback` activity can be translated into the following form: + +![ReviewWithFeedback in the UI](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/activity-templates/activity_reviewwithfeedback_v602.webp) + +### Persist + +Saves the workflow's collected data to the repository and triggers dependent processes (i.e. +computation of the role model and provisioning). This activity has only the transition +`Persist-Invoked-Invoke` and the state `Persist-Invoked`. It has no user interaction, and hence no +need for permissions. + +### PersistOnlyResources + +Saves the workflow's collected data to the repository without triggering the dependent processes +(i.e. computation of the role model and provisioning). This activity has only the transition +`PersistOnlyResources-Invoked-Invoke` and the state `PersistOnlyResources-Invoked`. It has no user +interaction, and hence no need for permissions. + +> For example, `PersistOnlyResources` can be used in a workflow to add a new user, as we first +> create a user sheet but without any account, etc. 
+ +## States + +By default, Identity Manager's workflow engine implements the following state templates: + +- `Action-ActionPending` +- `Action-Executed` +- `Action-Aborted` +- `Action-Purged` +- `ActionWithRefine-ActionPending` +- `ActionWithRefine-Executed` +- `ActionWithRefine-RefinePending` +- `ActionWithRefine-Aborted` +- `ActionWithRefine-Purged` +- `Review-ReviewPending` +- `Review-Declined` +- `Review-Approved` +- `Review-Aborted` +- `Review-Purged` +- `ReviewWithFeedback-ReviewPending` +- `ReviewWithFeedback-Approved` +- `ReviewWithFeedback-Declined` +- `ReviewWithFeedback-RefinePending` +- `ReviewWithFeedback-Aborted` +- `ReviewWithFeedback-Purged` +- `ContinueWith-Invoked` +- `Persist-Invoked` +- `PersistOnlyResources-Invoked` + +## Transitions + +By default, Identity Manager's workflow engine implements the following transition templates: + +- `Action-ActionPending-Save` +- `Action-ActionPending-Execute` +- `Action-ActionPending-Abort` +- `Action-Aborted-Purge` +- `ActionWithRefine-ActionPending-Save` +- `ActionWithRefine-ActionPending-Execute` +- `ActionWithRefine-ActionPending-Delegate` +- `ActionWithRefine-ActionPending-Abort` +- `ActionWithRefine-RefinePending-Save` +- `ActionWithRefine-RefinePending-Delegate` +- `ActionWithRefine-RefinePending-Execute` +- `ActionWithRefine-RefinePending-Abort` +- `ActionWithRefine-Aborted-Purge` +- `Review-ReviewPending-Save` +- `Review-ReviewPending-Approve` +- `Review-ReviewPending-Decline` +- `Review-ReviewPending-Abort` +- `Review-Aborted-Purge` +- `ReviewWithFeedback-ReviewPending-Save` +- `ReviewWithFeedback-ReviewPending-Approve` +- `ReviewWithFeedback-ReviewPending-Decline` +- `ReviewWithFeedback-ReviewPending-Refine` +- `ReviewWithFeedback-ReviewPending-Abort` +- `ReviewWithFeedback-Aborted-Purge` +- `ReviewWithFeedback-RefinePending-Save` +- `ReviewWithFeedback-RefinePending-Delegate` +- `ReviewWithFeedback-RefinePending-Execute` +- `ContinueWith-Invoked-Invoke` +- `Persist-Invoked-Invoke` +- 
`PersistOnlyResources-Invoked-Invoke` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md new file mode 100644 index 0000000000..ec5d078029 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md 
@@ -0,0 +1,147 @@ +# Configure a Homonym Detection + +In this section we configure the homonym search that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym search to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the search for homonyms is performed +according to the homonym control form. See the Configure a Homonym Detection topic for additional +information. + +### With customized filters + +[ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md)filters +allow to define customized filters for a homonym search. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the search for homonyms is performed by comparing the +values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. 
When the input search value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the search for homonyms is performed by comparing the `LastName` value, +entered by the user in the workflow form, with the phonetic value of existing resources stored as +the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input search value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the search value is computed by + applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the search value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). + +The search for homonyms is performed by comparing the search values computed based on each filter +with the values stored in the database and retrieves all resources that match any of the filters. + +#### Filter on a language property + +If a filter is set on a language property, the search for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the search for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) is used +to define how a list of the same entity type should be displayed. 
+ +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +See the [Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) for additional +information. + +## Define the Homonym Control in the Workflow Form + +The [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) where the homonyms are +to be checked must contain a layout fieldset control where: + +- the properties to check are represented; +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. +Indeed, a filter can only be defined on up to 5 properties. + +``` +
+ + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/index.md new file mode 100644 index 0000000000..eaadf11c56 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/index.md 
@@ -0,0 +1,52 @@ +# How To Create a Workflow + +This guide shows how to create a +[ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) through the XML +configuration. + +## Process + +1. Declare a new [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) with + given activities following Identity Manager's activity templates. +2. Configure the input [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) with the + right output type according to the purpose of the workflow. +3. Assign the adequate permissions via an + [Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md). +4. Add [ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md). +5. Add [Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md), according to the + purpose of the workflow. +6. Add optional elements if needed: [Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md); a + [ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md); a + [Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md)different from Identity + Manager's default one. 
+ +## Examples + +You can also find configuration examples for several types of workflow: + +- [ For Resource Creation (Mono Record) ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md) + + How to create a workflow to create a new resource with a unique record. + +- [ For Resource Creation (Multi Records) ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md) + + How to create a workflow to create a new resource with several records. + +- [ For Resource Update (No Record) ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md) + + How to create a workflow to update an existing simple resource, i.e. to update, within a given + existing resource, properties that do not involve records. + +- [ For Resource Update (Mono Record) ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md) + + How to create a workflow to schedule the replacement of the unique record of an existing + resource with a new one. + +- [ For Resource Update (Multi Records) ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md) + + Create a workflow to update an existing resource through its several records. + +- [ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) + + How to configure the homonym search that checks if a resource already exists in the system, + preventing duplicates. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md new file mode 100644 index 0000000000..afb5990fa9 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/index.md @@ -0,0 +1,204 @@ +# For Resource Creation (Mono Record) + +This section guides you through the procedure for the creation of a +[ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) to create a new +resource with a unique record. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of four +activities: + +1. `Action With Refine`: sends the creation request with a possibility of delegation. +2. `Persist Only Resources`: saves the collected data to the repository without triggering + provisioning. +3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback + from another user. +4. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to create a new worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create two structured forms: the preliminary one is called inside the main one, and the main +one is to be called in our final workflow form. + +``` + +Preliminary form for user data: +
+ +Preliminary form for user's contract data: + + +Preliminary form for user's position data: +
+ +Main form for all data: +
+ Section calling the preliminary form for user data: + + Section calling the preliminary form for contract data: + + Section calling the preliminary form for position data: + + +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with one record, +i.e. `WorkflowCreateRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowCreateRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container because we configure all personal data, +contracts and positions as records to be able to anticipate changes for example. The line with the +empty `MainControl` is not mandatory. See the +[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md)topic +for additional information. + +- `RecordControl` that defines record data, and calls the form created previously. See the For + Resource Creation (Mono Record) topic for additional information. + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_form_v602.webp) + +### Add a summary (Optional) + +Another child element `RecordSummaryControl` can be added to insert a summary part, i.e. the form +used after the workflow execution to show some values, most of the time those affected by the +workflow, typically the properties editable in the workflow or generated properties. 
So in our +situation, it displays the `EmployeeId` and `Mail` attributes that the workflow just computed: + +``` + +Summary form: +
+ + + +``` + +![UI Summary](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-mono/howto_resourcecreationmono_summary_v602.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. See the [Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md) topic for additional information. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md)must be defined to +make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates see the +[ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md)topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md new file mode 100644 index 0000000000..08eea3c0eb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/index.md 
@@ -0,0 +1,217 @@ +# For Resource Creation (Multi Records) + +This section guides you through the procedure for the creation of a workflow to create a new +resource with several records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of four +activities: + +1. `Action With Refine`: sends the creation request with a possibility of delegation. +2. `Persist Only Resources`: saves the collected data to the repository without triggering + provisioning. +3. `Review With Feedback`: reviews the creation request with the possibility of getting feedback + from another user. +4. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to create a new helpdesk worker, with the possibility to create +several records at once for said worker. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form. + +``` + +First form for the user's identification data: +
+ +Second form for the user's data shared with all records: +
+ + Section for user's personal data, here their name and phone numbers: + + + Section for user's contract data, here their contract's type, start and end dates: + + +Third form for the user's data specific to each record individually, so here position information: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's creation with several +records, i.e. `WorkflowCreateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc): + +``` + + + +``` + +A `WorkflowCreateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines the user's data that never changes so identification data, and calls + the firstform created previously; + +``` + + + + + +``` + +- `RecordControl` that defines the record data shared with all records, and calls the secondform + created previously; + +``` + + + + + +``` + +In a situation where users can have several positions but also several contracts, then contract data +would be part of the form called by `RecordUniqueItemControl` instead of `RecordControl`. + +In a situation where positions, contracts and personal data are all configured as records because we +want to be able to anticipate changes for example, then there would not be any data shared by all +records. Then `RecordControl` would be empty. See the +[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md) +topic for additional information. + +> ``` +> +> ... +> +> ... +> +> +> ``` + +- `RecordUniqueItemControl` (optional but recommended) that defines the record data specific to each + record individually, and calls the thirdform created previously. 
+ +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole creation request and review from the previously created workflow: + +``` + + + + Permissions for the Request activity: + + + Permissions for the Review activity: + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Creating a new resource, an interesting location for this workflow could be the users list page. + +![Workflow Menu Items - Users List](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/menuitems_userslist_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates see the +[ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +Below is an example where a homonym entity link, based on the user's name, is called in the workflow +form: + +``` + +Homonym detection: + + + +Partial form for user data: +... + ... + +``` + +![UI Homonym Detection](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-create-multi/howto_resourcecreationmono_homonym_v603.webp) + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. + +Below is an example of a display table for our situation: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md new file mode 100644 index 0000000000..0290a05ead --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/index.md 
@@ -0,0 +1,136 @@ +# For Resource Update (Mono Record) + +This section guides you through the procedure for the creation of a workflow to schedule the +replacement of the unique record of an existing resource with a new one. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of two +activities: + +1. `Action With Refine`: sends the resource's record update request with a possibility of + delegation. +2. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update only the user's name. + +``` + + + +``` + +For now, our workflow works with an immediate validation and an immediate effect. + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we just have the full name field to update the corresponding attributes for a given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a (unique) record's replacement, i.e. +`WorkflowAddAndEndRecordEntityForm` and it must specify the workflow's context (the entity type of +the involved resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowAddAndEndRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines record data, and call the form created previously. + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/howto_resourceupdatemono_form_v603.webp) + +`End of transition` sets the date for the change of records scheduled by this form. + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. 
Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates, see the +[ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md new file mode 100644 index 0000000000..5670ed6ea2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/index.md 
@@ -0,0 +1,181 @@ +# For Resource Update (Multi Records) + +This section guides you through the procedure for the creation of a workflow to update an existing +resource through its several records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of three +activities: + +1. `Action With Refine`: sends the resource's records update request with a possibility of + delegation. +2. `Review With Feedback`: reviews the update request with the possibility of getting feedback from + another user. +3. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update the records of an existing user: + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we create three structured forms, all to be called in our final workflow form: + +``` + +First form for the user's record data, shared with all records: +
+ +Second form for the user's record data, specific to each record individually: +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update with several +records, i.e. `WorkflowUpdateSeveralRecordEntityForm` and it must specify the workflow's context +(the entity type of the involved resources, the main property, the activity when the form is called, +etc): + +``` + + + +``` + +`WorkflowUpdateSeveralRecordEntityForm` displays a date picker for the end of transition, to +schedule the record replacement. + +A `WorkflowUpdateSeveralRecordEntityForm` requires the following child elements: + +- `MainControl` that defines user's data; + +``` + + + + + +``` + +The `MainControl` attribute is here an empty container, because it is a mandatory attribute that is +not involved in the changes of this workflow. + +- `RecordControl` that defines the record data shared with all records and calls the firstform + created previously; + +``` + + + + + +``` + +- `RecordUniqueItemControl` that defines the record data specific to each record individually, and + calls the secondform created previously; + +``` + + + + + +``` + +- `RecordSlaveControl` that copies an existing record to be the base, i.e. pre-fill the fields, for + the update of record data specific to each record individually. Thus it calls the same form as + `RecordUniqueItemControl`. + +``` + + + + + +``` + +- `RecordSlaveUniqueItemControl` that copies an existing record to be the base, i.e. pre-fill the + fields, for the update of record data shared with all records. Thus it calls the same form as + `RecordControl`. + +``` + + + + + +``` + +The `RecordSlaveControl` attribute calls here the same form as `RecordUniqueControl`, because it +copies part of the main record to pre-fill the fields of `RecordUniqueControl`. 
+ +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-multi/howto_resourceupdatemulti_form_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md)s +permissions. + +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Homonym Detection (Optional) + +To perform a homonymy check on a workflow and thus prevent user duplicates,see the +[ Configure a Homonym Detection ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md) topic for additional +information. + +When using records, the homonym detection displays the list of records and not just the list of +users. 
+ +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md new file mode 100644 index 0000000000..039c2b00b7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/index.md @@ -0,0 +1,126 @@ +# For Resource Update (No Record) + +This section guides you through the procedure for the creation of a workflow to update a simple +resource, i.e. to update, within a given resource, properties that do not involve records. + +## Declare a Workflow + +This [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is made of two +activities: + +1. `Action With Refine`: sends the resource's update request with a possibility of delegation. +2. `Persist`: saves the collected data and triggers provisioning. + +See the [ Activity Templates ](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +The example below creates a workflow to update only the user's `IsDraft` attribute. + +``` + + + +``` + +## Create Forms + +The XML configuration below represents the creation of a +[Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) that defines the elements to +display in the workflow. + +Here we just have one field called `IsDraft` to update the corresponding boolean attribute for a +given user: + +``` + +
+ +``` + +## Link the Forms to the Workflow + +After creating a workflow with given activities, it is necessary to create the form to be displayed +when launching the workflow. It has the type corresponding to a resource's update, i.e. +`WorkflowEditEntityForm` and it must specify the workflow's context (the entity type of the involved +resources, the main property, the activity when the form is called, etc): + +``` + + + +``` + +A `WorkflowEditEntityForm` requires one child element `MainControl` that defines the actual content +of the workflow's form and calls the form created previously: + +``` + + + + + +``` + +![UI Form](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_form_v603.webp) + +### Add a summary (Optional) + +Another child element `SummaryControl` can be added to insert a summary part, i.e. the form used +after the workflow execution to show some values, most of the time those affected by the workflow, +typically the properties editable in the workflow or generated properties. So in our situation, it +displays the `IsDraft` attribute that the user just changed: + +``` + + + + + +``` + +![UI Summary](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-resource/howto_resourceupdateno_summary_v603.webp) + +## Assign the Right Permissions + +Some profiles must get specific permissions so that the workflow is visible and usable by the right +users. Read about the [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +permissions. 
+ +Below is an example of an access control rule where the `Administrator` profile gets the permissions +for the whole update request from the previously created workflow: + +``` + + + +``` + +## Create Menu Items in the UI + +[ Menu Item ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) must be defined +to make the workflow accessible in the UI. + +Updating an existing resource, this workflow manages one given resource at a time. Hence an +interesting location for this workflow could be the individual view page of users. + +![Workflow Menu Items - User's Page](/img/product_docs/identitymanager/identitymanager/integration-guide/workflows/how-to/workflow-update-mono/menuitems_userview_v603.webp) + +To create a menu item here for the new workflow, you can add the following XML configuration to the +existing menu items list: + +``` + + ... + + + +``` + +## Add Aspects + +For each workflow, it is possible to add aspects according to the workflow's purpose. + +## Customize the Display Table (Optional) + +To configure a display table different from the default one provided by Identity Manager, see the +[Customize Display Tables](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/custom-display-table/index.md) topic for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md new file mode 100644 index 0000000000..807b3713b8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md 
@@ -0,0 +1,182 @@ +# Workflows + +In software business, a [Workflow](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is a +series of specific actions taken by specific people to accomplish specific tasks. For Identity +Manager, workflows are models of business workflows, processes or procedures. + +## Overview + +Workflows model business processes and update data within Identity Manager, they handle managed +systems only indirectly through Identity Manager. They are engaged in order to complete a task, +assigning rights for instance. It is a way of getting work done, a series of steps that are required +to be completed sequentially. Most of the time, Identity Manager's workflows are made for: + +1. manual entitlement requests = request / send notification(s) / approve / assign entitlement. +2. addition/update/deletion of resources (used in practice for identities) = create / give basic + entitlements / review / apply changes. + +Workflows are very configurable objects with many available options. However, the most efficient way +to use workflows in IGA is to keep them simple. Identity Manager's demo workflows constitute +effective examples. + +A workflow is made of several elements: + +- a series of activities that constitutes the workflow; +- a form that collects input data; +- permissions required to realize the workflow's activities; +- menu items that make the workflow and its activities accessible; +- aspects that allow specific actions to be performed; +- a summary (optional) of the workflow's results; +- a homonym detection (optional) that prevents duplicates in resources; +- a display table (optional) that replaces Identity Manager's default table displaying the data of + the created/modified resource. 
+ +### Technical principles + +- A workflow is linked to + one[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) and concerns only + resources from said entity type. For example, a workflow can be linked to `Directory_User` or + `Directory_Department` according to the workflow's purpose, but not both together. +- The aim of a workflow is to get input data (either a form or just an approval) from users involved + in the workflow, then build a change set, and finally apply said change set to the relevant + resource. +- Starting a workflow means starting its first activity. + +## Activities + +A workflow is made of successive activities, each of which is assigned an +[Activity Templates](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md)that defines how transitions occur from a workflow +step to another. + +Activities never run in parallel in a workflow. Each activity can start once the previous one +reached its final state. + +## Forms + +Workflows use [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) to collect input +data through the UI. + +A form is a set of fields, configured with controls. A control can define a field to fill, a fields +set, call an existing form, etc. depending on its output type. To be displayed in the UI, and +potentially filled by a given user with the appropriate data, a form must have a type. + +Forms without a type can be created in order to be called in other forms with a type. It can be +useful to structure your forms, and to avoid rewriting a part of form that is needed in most forms +for example. + +### Form types + +Identity Manager provides a few form types. Each form type implies the necessity of specific +controls as child elements with specific purposes. 
+ +The following table presents the required child controls required for each form type applicable to a +workflow's input form: + +- **M** for `MainControl`(required) groups resource data apart from record data; +- **Su** for `SummaryControl`(optional when no/mono record) sums up resource data, mostly computed + properties, after the workflow's execution; +- **R** for `RecordControl`(required when handling records) groups the record data shared with all + records; +- **RUI** for `RecordUniqueItemControl`(recommended when handling records) groups the record data + specific to each record individually; +- **RSUI** for `RecordSlaveUniqueItemControl`(optional when updating multi records) appoints an + existing record to be the base of the fields' pre-filling, before the update of the record data + shared with all records; +- **RS** for `RecordSlaveControl`(recommended when updating multi records) appoints an existing + record to be the base of the fields' pre-filling, before the update of the record data specific to + each record individually; +- **RSu** for `RecordSummaryControl`(optional when handling mono record) sums up record data, mostly + computed properties, after the workflow's execution. + +| Form Type | M | Su | R | RUI | RSUI | RS | RSu | +| ------------------------------------------ | ---- | ---- | ---- | ----- | ----- | ---- | ---- | +| Workflow**Create**Entity Form | Req. | Opt. | | | | | | +| Workflow**Edit**Entity Form | Req. | Opt. | | | | | | +| Workflow**UpdateRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**AddAndEndRecord**Entity Form | Req. | Opt. | Req. | Reco. | | | Opt. | +| Workflow**CreateRecord**Entity Form | Req. | Opt. | Req. | | | | Opt. | +| Workflow**CreateSeveralRecord**Entity Form | Req. | | Req. | Reco. | | | | +| Workflow**UpdateSeveralRecord**Entity Form | Req. | | Req. | Reco. | Reco. | Opt. 
| | +| Workflow**UpdateRecord**Entities Form | Req. | Opt. | Req. | Reco. | | | Opt. | + +## Permissions + +For each workflow, some permissions must be assigned to specific +[Profile](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profile/index.md) so that said profiles are +entitled to realize the workflow's actions. + +While assigning the specific permissions of a workflow, it is necessary to assign the involved +profiles a few essential rights via the +[Workflow Access Control Rules](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/configuration/scaffoldings/accesscontrolrules/workflows/workflowaccesscontrolrules/index.md) +scaffolding. + +A workflow needs a permission for each of all its activity states involving user interaction. This +means that, for example, the activities following the templates `Persist` and +`Persist Only Resources` do not require any permission. This also means that, in the example of the +`Action` template, a workflow would need permissions for the states `ActionPending`, `Aborted` and +`Purged` (because deletion requires an authorization), but not for the state `Executed` that does +not involve user interaction or special authorization. See the +[Activity Templates](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/activity-templates/index.md) topic for additional information. + +All these permissions can be shared and distributed among several profiles, according to the purpose +of the workflow. + +Identity Manager's permissions are assigned through +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) and +follow the naming rule: +`/Custom/workflows/{workflow_identifier}/{activity_identifier}/{activityTemplateState_shortIdentifier}`. 
+ +> For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request/ActionPending"` +> gives the right to act from the state `ActionPending` (so save, execute, etc.), inside a +> previously created activity `Request`, inside the workflow `Directory_User_StartInternal`. + +A permission specifying the activity without the activity state gives the permissions for all +activity states in this activity. + +For example: `Permission="/Custom/Workflows/Directory_User_StartInternal/Request"` +**Caution**: this way of writing permissions is unsafe in case of a modification in the activity. So +use it only for a "super admin" kind of profile if you are certain you want to give all rights. + +## Menu Items + +[Menu Item](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/menuitem/index.md) make workflows accessible +from the UI. + +Identity Manager's UI is configured so that workflows are accesible from: + +- the list of users accessible from the **Directory** section on the home page; +- the view page of a given user. In this case, the workflows manipulate the selected user. + +## Aspects + +An [Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) definition allows an action to +be performed at a specific point in a workflow. Identity Manager provides a few +[Aspects](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/aspects/index.md) templates that give the +opportunity to delegate administration, to notify people of a request's progress and to compute +special values like unique logins or email addresses. + +## Summaries (Optional) + +A summary can be displayed at the end of a workflow to sum up the collected information. The +displayed data is configured through the `SummaryControl` or `RecordSummaryControl` introduced +previously. 
A summary is particularly useful for workflows that compute properties like the +`EmployeeId` or the email address. Thus calculated fields can be displayed after the workflow's +execution. + +## Homonym Detections (Optional) + +A homonym search checks if a resource already exists in the system before creating/modifying it, +preventing duplicates. It is configured through a +[Homonym Entity Link](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +See the [Configure a Homonym Detection](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/how-to/configure-homonym-test/index.md)topic for additional +information. + +## Display Tables (Optional) + +Identity Manager provides a default display table to show the created/modified resource's data, but +you can configure your own. + +See the [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) topic for +additional informatrion. diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflow-uses/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflow-uses/index.md new file mode 100644 index 0000000000..3158db1c1b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflow-uses/index.md 
@@ -0,0 +1,65 @@ +# Workflow Uses + +An Identity Manager [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) is the +sequence of processes that a company has established to manage identities across the organization. +Workflows makes an approval business process more efficient by managing and tracking all of the +human tasks involved with the process and by providing a record of the process after it is +completed. + +The identity management [ Workflow ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/workflow/index.md) +can be broken into four key areas: + +## 1. Onboarding + +The initial creation of the user. This can occur manually within the identity management system or +it could be triggered from an HR system. Here is the xml configuration to create the user onboarding +Workflow in Identity Manager : + +``` + + + +``` + +The _"User_Onboarding"_ Workflow is composed of the following activities: + +- _"Request"_ to initialize the creation of an user in Identity Manager. +- _"PersistDraft"_ to save a preliminary version of the user object. +- _"Review"_ to validate or not the requested item. +- _"Persist"_ to take into account the requested item. + +## 2. User Modifications + +After the initial setup of access, there are ongoing changes. Those changes can center in on a +user's rights. These rights may need to be expanded or contracted. The user's information may need +to be modified. Here is an example to create the user change name Workflow in Identity Manager : + +``` + + + +``` + +## 3. IT Resource Modifications + +The other area of on-going changes is the addition and removal of various IT resources. These +resources can include devices, applications, and networks. Here is the xml configuration to create +the resource modifications Workflow in Identity Manager : + +``` + + + +``` + +## 4. 
Offboarding + +The end of the identity lifecycle is the offboarding of a user. Credentials are terminated and the +user's account access is terminated everywhere. Here is the xml configuration to create the user +offboarding Workflow in Identity Manager: + +``` + + + +``` diff --git a/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflowhomonym/index.md b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflowhomonym/index.md new file mode 100644 index 0000000000..c39424a9d0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/integration-guide/workflows/workflowhomonym/index.md 
@@ -0,0 +1,183 @@ +# Workflow Homonym + +In this section we configure the homonym detection that checks if a resource already exists in the +system, preventing duplicates. + +## Process + +1. Create a homonym entity link, either with a default filter or customized filters +2. Create a display table to display the homonym result _(optional)_ +3. Define the part of the workflow form where homonyms must be checked + +## Create a Homonym Entity Link + +A [ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md) +defines a new homonym detection to be performed in a workflow form. It can be defined in different +ways. + +### With a default filter + +``` + + +``` + +When no filter is defined for the homonym entity link, the detection for homonyms is performed +according to the homonym control form. See section below. + +### With customized filters + +[ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md)filters +allow to define customized filters for a homonym detection. + +#### Simple filter + +``` + + +``` + +Here, since the default operator is `Equal`, the detection for homonyms is performed by comparing +the values of the `LastName` and `FirstName` properties with an exact spelling. + +_NB: This example matches the default filter that would be computed based on the homonym control +example in the section below._ + +#### Filters on several entities + +A homonym entity link can contain filters on the properties from several distinct entity types. 
+ +> The following example searches for homonyms among usual workers (from `Directory_UserRecord`) but +> also the guests (from `Directory_Guest`): +> +> ``` +> +> Property1="LastName" +> Property2="FirstName" +> /> +> Property1="LastName" ComparisonProperty1="Directory_Guest:LastName" +> Property2="FirstName" ComparisonProperty2="Directory_Guest:FirstName" +> /> +> +> +> ``` + +In this case, a display table is required for the additional entity. + +#### Flexible filter + +A filter can be defined to compare the values in an approximate way. + +- A flexible operator must be used, such as `FlexibleEqual`, `FlexibleStartWith`, etc. +- A flexible expression must be defined on the comparison property. + +1. When the input detection value is retrieved directly from the property value + + ``` + + + ``` + +Here, `Property1` is set, so the detection for homonyms is performed by comparing the `LastName` +value, entered by the user in the workflow form, with the phonetic value of existing resources +stored as the `PhoneticLastName` property in the database. + +Before performing the comparison, the flexible expression of the comparison property is applied to +the input value. + +2. When the input detection value is deducted + + ``` + + + ``` + +Here: + +- In the first filter, `Property1` and `Expression1` are not set, so the detection value is computed + by applying the expression defined for `ComparisonProperty1` from the input values, eg. + `(record.FirstName + ' ' + record.LastName).Appproximate()`. +- In the second filter, `Expression1` is set, so the detection value is computed by applying the + `Expression1` from the input values. This filter allows checking the homonyms on the reversed full + name (to manage the case where the user reverses the first and last name for example). 
+ +The detection for homonyms is performed by comparing the detection values computed based on each +filter with the values stored in the database and retrieves all resources that match any of the +filters. + +#### Filter on a language property + +If a filter is set on a language property, the detection for homonyms is performed on the property +associated to the main language. + +``` + + +``` + +Here, the `Name` property is a neutral property associated with two localized properties `Name_en` +and `Name_fr`. + +If English is the main language, the detection for homonyms is performed on the `Name_en` value. + +## Create a Display Table _(optional)_ + +A [Display Table](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/displaytable/index.md) is used to +define how a list of the same entity type should be displayed. + +By default, the homonyms are displayed using the default display table of the related entity type. + +To display homonyms in a different way than the default, a specific display table must be created +where the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. + +``` + + + +``` + +## Define the Homonym Control in the Workflow Form + +The [Form](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/user-interface/form/index.md) where the homonyms are to +be checked must contain a layout fieldset control where: + +- the `HomonymEntityLink` attribute is the identifier of the homonym entity link created above. +- the properties to check (defined in the homonym filters) are represented in the control bindings. +- the bindings are all represented in the homonym filters. + +When the homonym entity link has no filter set and therefore the filter is calculated automatically, +the homonym control form must only contain up to 5 controls where `Binding` attribute is defined. 
+Indeed, a filter can only be defined on up to 5 properties, see filter definition in +[ Homonym Entity Link ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/workflows/homonymentitylink/index.md). + +``` +
+ + +``` + +If a filter is declared with a `ComparisonProperty` attribute (and so without a `Property`), then +the properties used in the `Expression` (whether defined in the filter or elsewhere in the +configuration) to compute the `ComparisonProperty` must also be represented in the control bindings. + +In the example below, the properties used in the `Expression1` attribute that must be represented in +the control bindings are `LastName` and `FirstName`. + +``` + + +``` diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md new file mode 100644 index 0000000000..34ac25d49c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md 
@@ -0,0 +1,41 @@ +# Architecture + +Identity Manager is built to work via a specific architecture made of a server, an agent and a +database. + +## Server, Agent and Database + +Identity Manager works via: + +- a server which operates computation, stores all applicative data in the database, and serves a web + User Interface; +- at least one agent which operates data flows to/from the managed systems. + + The managed systems' credentials are used only by the agent and are never disclosed to the + server. + +The agent can call the server, but the server cannot call the agent. The data flows' initiatives are +always from the agent. + +## Installation Types + +Identity Manager can be installed: + +- SaaS so that the server dwells in the cloud and is provided as a service; + + ![Architecture: SaaS](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/saas/architecture_saas.webp) + +- on-premises so that the server is installed on an isolated network within the company. + + ![Architecture: On-Premises](/img/product_docs/identitymanager/identitymanager/integration-guide/architecture/on-prem/architecture_onprem.webp) + +## Next Steps + +Let's learn about Identity Manager [Configuration](/docs/identitymanager/saas/identitymanager/introduction-guide/configuration/index.md). + +## Learn More + +Learn more on Identity Manager's Architecture . + +See the [Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md) topic for +additional information. diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/configuration/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/configuration/index.md new file mode 100644 index 0000000000..b314cf17ad --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/configuration/index.md 
@@ -0,0 +1,57 @@ +# Configuration + +There are several options for configuring Identity Manager. + +## Application Configuration + +### User Interface + +Netwrix Identity Manager (formerly Usercube) strongly recommends that Identity Manager be +configured, as much as possible, via the UI. + +### XML files + +For advanced users, if the UI is not enough, Identity Manager can also be configured via XML files. +These XML files should be placed in a `Conf` folder directly inside the working directory. + +### Database + +Identity Manager's application configuration, whether it is made from the UI or the XML files, is +stored in a database which should never be modified manually. + +## Network Configuration + +Identity Manager's server and agent(s) are configured via JSON files, mainly `appsettings.json` and +`appsettings.agent.json`. + +## Next Steps + +This is the end of the introduction guide, so you should now be able to dive into: + +- The [User Guide](/docs/identitymanager/saas/identitymanager/user-guide/index.md) to configure Identity Manager from scratch via the UI, + following the step-by-step procedures; +- The [Integration Guide](/docs/identitymanager/saas/identitymanager/integration-guide/index.md) to complete Identity Manager's + configuration in XML according to your needs; +- The [Installation Guide](/docs/identitymanager/saas/identitymanager/installation-guide/index.md) to install Identity Manager in a + production environment. + +## Learn More + +Learn more on how to +[ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md). + +See the [User Guide](/docs/identitymanager/saas/identitymanager/user-guide/index.md) topic to learn how to configure Identity Manager +from scratch via the UI. + +See how to +[ Export the Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/export-configuration/index.md) +to XML files. 
+ +See how to +[ Deploy the Configuration ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/how-tos/deploy-configuration/index.md). + +Learn more about the +[ XML Configuration Schema ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/index.md). + +Learn more about the +[Network Configuration](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/index.md). diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/index.md new file mode 100644 index 0000000000..5eac479d87 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/index.md @@ -0,0 +1,25 @@ +# Introduction Guide + +This guide is designed to give a complete overview of Identity Manager's principles, main objectives +and capabilities. + +Netwrix Identity Manager (formerly Usercube) strongly recommends starting here to fully benefit from +the [Integration Guide](/docs/identitymanager/saas/identitymanager/integration-guide/index.md)'s or the +[User Guide](/docs/identitymanager/saas/identitymanager/user-guide/index.md)'s contents. + +## Target Audience + +This guide is meant to be read by: + +- integrators who configure Identity Manager to match their projects' needs; +- IGA project managers who want to get a better understanding of Identity Manager. + +## Prior Knowledge + +A basic knowledge of Identity and Access Management (IAM) and overview (IGA) is required to +understand this guide. + +## First Steps + +Let's dive in with an [IGA and Netwrix Identity Manager](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/index.md) of IGA and Identity +Manager. 
diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md new file mode 100644 index 0000000000..cda095cea6 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md 
@@ -0,0 +1,189 @@ +# Entitlement Management + +Managing identities' entitlements requires managing entitlements and assigning them to identities. +This page is about the role model. + +## Role Model Overview + +A managed system's entitlements can have many forms. They authorize identities to access certain +data on a given system, or a physical location. + +> For example, entitlements in the Active Directory are usually group memberships. For example, to +> have administrator rights in the Iris application, a user must be part of the members of the group +> `SG_APP_IT/Development/Iris/Administrator`. + +Identity Manager is designed to help establish an exhaustive and reliable catalog of the +entitlements available in the managed systems, and assign the right entitlements to the right users. + +![Role Catalog and Users](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolecatalogusers.webp) + +Thus, the role model contains: + +- the entitlements, as roles, for all managed systems; +- the rules that trigger the assignment of entitlements to identities, and more broadly manage the + systems' resources. Some of them act as link between Identity Manager's roles and the systems' + accounts and permissions. Some of them are linked to, and thus apply only to, specific resource + types. + +![Role Model](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_rolemodel.webp) + +The role model is a subset of a policy that also includes [Governance](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md) data +such as risk definition. So, at a higher level, distinct policies can be used to implement distinct +behaviors. + +## A Role Catalog + +Identity Manager intends to represent IGA-related access right mechanisms by a +[role-based](https://en.wikipedia.org/wiki/Role-based_access_control) model. 
The goal of the role +catalog is contain an exhaustive list of entitlements from all managed systems. + +Entitlements from the managed systems are modeled by roles. For each entitlement, NETWRIX advises +creating a single role, with an easily understandable name, more functional than technical, so that +everyone knows what the role is for. + +![Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +Each individual entitlement should usually be modeled by a single role, and single roles can be +grouped together into composite roles to be closer to real job positions. + +![Composite Roles](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_compositeroles.webp) + +## A Rule Set + +Roles alone are not enough to give identities the systems' technical entitlements. We need rules to +have Identity Manager write users' entitlements in the managed systems. Rules are further used to +automatically assign roles to users, or to categorize users and accounts, etc. + +### Provisioning rules + +Just like identities, accounts are represented in Identity Manager by an +[ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md) entity-relationship model. So Identity +Manager manages entitlements as resources' attribute values. + +> For example, giving specific Active Directory permissions to a new user means not only creating a +> new AD account, but also setting values for certain account properties like `cn`, +> `sAMaccountName`, `userAccountControl` or `dn`, etc. + +Provisioning rules write the actual entitlements to the managed systems, most often based on users' +roles. + +> For example, to give an AD entitlement to a user, we usually need to give them a group membership. 
+> Thus, we should have a rule that, when a user is assigned a specific role, adds the user to the +> member list of a specific AD group. + +![Provisioning Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_provisioningrules.webp) + +Even when a role is manually assigned, provisioning rules will determine which account (and +permission groups) are given as entitlements. + +Identity Manager's provisioning rules are: + +- scalar rules to compute simple string properties; +- navigation rules and query rules to compute properties that act as foreign keys in a database; +- resource type rules to automatically create resources. + +### Assignment rules + +While the role catalog and provisioning rules are together enough to manually give users their +access rights, we often want Identity Manager to do this automatically. Assignment rules +automatically assign roles to identities based on specific criteria. + +> For example, we can choose to assign the role `Benefits Manager - FR` to any user whose job title +> is benefits manager and whose location is in France. + +![Assignment Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_assignmentrules.webp) + +Once all assignment rules are created, Identity Manager is able to spot existing assignments that +are not supported by any rule, marking them as non-conforming. + +Identity Manager's assignment rules are: + +- single role rules and composite role rules to assign single and composite roles; +- resource type rules to assign accounts. + +### Categorization rules + +Different resources can be managed through different rules, by being part of different resource +types. So a resource type is a group a resources that have the same IGA-related purposes. +Categorization rules categorize resources into resource types and link identities to the accounts +they own. 
+ +> For example, we might need to differentiate AD's standard accounts from administration accounts. +> This way, we can configure different email addresses for privileged accounts, for example +> [adm.john.smith@contoso.com](mailto:adm.john.smith@contoso.com). We can also add more approval +> steps in the workflows related to privileged accounts, for more security than for standard +> accounts. + +![Categorization Rules](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_categorizationrules.webp) + +Identity Manager's categorization rules are: + +- correlation rules to link identities to the accounts they own; +- classification rules to categorize resources into resource types. + +### More rules + +Identity Manager provides more kinds of rules for optimization purposes, for example role naming +conventions to help build the role catalog by generating roles and navigation rules based on the +entitlements' names, or automation rules to help with governance by automating the review of the +assignments that do not comply with the configured rules. + +### Dimensions + +Rules can be triggered based on users' assigned roles, but also based on user data. + +The [ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md) model can be refined by configuring +dimensions: criteria from among resources' +[attributes](https://en.wikipedia.org/wiki/Attribute-based_access_control) that will trigger the +application of the rules. Then Identity Manager applies the rule for any resource whose value for a +given attribute matches the reference value specified in the rule. + +> For example, a user can be assigned the role `Benefits Manager - FR` only if their job title is +> benefits manager and their location is in France. In this case, users' attributes "job title" and +> "location" are the dimensions that trigger the assignment rule. 
+ +In a nutshell, dimensions determine who should be assigned the entitlements. + +Identity Manager's name and logo are based on this dimension concept: entitlement assignment is +governed by users' attributes defined as dimensions. Let's schematize users around these dimensions: + +- The schema for this with one dimension would be a line with all available values for the + dimension, and identities are distributed along the line. +- The schema with two dimensions would be a table, a square. +- The schema with three dimensions would be a 3D cube. And you can imagine 4D or 5D hypercubes, etc. + +![Dimensions - 1D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension1.webp) + +#### 1D + +![Dimensions - 2D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension2.webp) + +#### 2D + +![Dimensions - 3D](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/entitlement-management/entitlements_dimension3.webp) + +## Next Steps + +See the [Governance](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md) topic for additional information. + +## Learn More + +Learn more on the [ Role Model ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md). + +Learn how to +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). + +Learn more on hoe to +[Create a Composite Role](/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md). + +Learn more on [Role Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/index.md). + +Learn more on +[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). 
+ +Learn more on +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) +rules. + +Learn more on the rules of +[ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md). diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md new file mode 100644 index 0000000000..fb422e2703 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md 
@@ -0,0 +1,42 @@ +# Governance + +Identity Manager not only gives the right entitlements to the right identities, but also makes sure +that, over time, every assignment still complies with the configured policy. + +## Enforcing the Policy + +By reading entitlement data from the managed systems, Identity Manager builds an exhaustive list of +existing assignments for all identities in all managed systems. + +Rules and roles define a policy. By definition, assignments not supported by a rule do not comply +with the policy. These assignments are identified as non-conforming in order to be acted upon by +knowledgeable users who can decide whether the assignment is warranted, such as security officers. + +![Non-Conforming Assignments](/img/product_docs/identitymanager/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/governance_nonconforming.webp) + +A non-conforming assignment must be reviewed in Identity Manager by a knowledgeable user, and is +therefore: + +- either removed if Identity Manager correctly spotted it and the owner should indeed not possess + this permission; +- or kept as an exception if the configured rules do not apply to this particular case. + +## Other Governance Tools + +Identity Manager provides a set of governance tools to help enforce the policy, like access +certification campaigns, risk management or reporting. + +## Next Steps + +Let's read some [ Use Case Stories ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/use-cases/index.md). + +## Learn More + +Learn more on [Governance](/docs/identitymanager/saas/identitymanager/integration-guide/governance/index.md). + +Learn more on how to [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md). + +Learn more on +[ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md). 
+ +Learn more on how to [ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md). diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md new file mode 100644 index 0000000000..2cfff228f9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md 
@@ -0,0 +1,127 @@ +# Identity Management + +Managing identities' entitlements requires starting by managing identities themselves. + +## A Central Repository + +A company involves many sorts of identities: obviously employees, but also external workers like +contractors who are usually not tracked in the company's systems except for billing purposes, bots, +softwares, etc. All identity types that need to be assigned entitlements to work within the company +must be represented. + +Companies often use about one system for each identity type. Identity Manager capitalizes on +information from several source systems in order to build a central repository meant to contain all +the data necessary to manage all identities throughout their whole lifecycle. + +![Usercube's Repository](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/identity-management/identities_repository.webp) + +Identity Manager's central repository acts as an intermediary between the systems that provide data, +for example the HR system, and those that receive data, for example the Active Directory. This +greatly reduces the complexity in the links between all systems. + +Without an intermediary, adding one system to a set of n systems requires up to n sets of rules, one +for each reading/writing relationship that this system has with the others. The complexity is +quadratic. + +Now with the central repository as an intermediary, implementing a new system requires only one more +set of rules. The complexity becomes linear. + +![quadratic-linear-complexity](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/identity-management/quadratic-linear-complexity.webp) + +## An Entity Relationship Model + +Identities, along with any IGA-related data, are modeled in Identity Manager by an +[entity-relationship model](https://en.wikipedia.org/wiki/Entity%E2%80%93relationship_model?featherlight=true). + +All this data is organized and modeled by entities. 
This concept is quite similar to a database: an +entity is a set of properties, some are scalar so "simple" properties, and others are navigation +properties which make links between entities, quite like foreign keys in a database. + +> For example, consider an entity `Directory_User` with properties like `Name`, `Email`, `JobTitle`, +> `Department`. +> +> Another entity could be `Directory_Department`, linked to `Directory_User` through a navigation +> property. +> +> Another entity could be `SAB_User` to model SAB accounts owned by users from `Directory_User`. The +> accounts from `SAB_User` could be related to groups from another entity `SAB_Group`. + +![Entity Type - Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +These entities' instances are called resources in Identity Manager. A resource can be the digital +identity of a user (human or bot), or an AD account or any other account, or an entry from the HR +system, or the representation of a department of the company, etc. + +> Consider once more the `Directory_User` entity with properties like `Name`, `Email`, `JobTitle`, +> `Department`. Then a resource could be the digital identity of an employee whose name is John +> Smith, with the email address [john.smith@contoso.com](mailto:john.smith@contoso.com) and working +> as an assistant manager in the accounting department. + +While Identity Manager provides a predefined model that should fit most organizations, it can still +be adjusted to your exact needs. Thus, Identity Manager provides a customizable model to organize a +company's data according to its IGA-related needs, which is also most reliable because it is kept +up-to-date. + +## Connectors + +Each entity is related to a managed system, for example the Active Directory or SAB or ServiceNow, +etc. The reading/writing data between the system and Identity Manager are ensured by connectors. 
So +Identity Manager can be configured with one connector for each managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +For a given system, a connector contains: + +- the technology which enables data flows between the system and Identity Manager; +- the related entities which model the system's resources; +- the categories which group the system's resources together according to the rules that we want to + apply to manage entitlement assignment for this system. + +Thus, a connector enables synchronization, i.e. Identity Manager reading from a managed system via +an [extract, transform, load](https://en.wikipedia.org/wiki/Extract,_transform,_load) process. + +![Synchronization](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +> A typical example is the synchronization of the HR system's data to retrieve employees' personal +> information. + +It also enables provisioning, i.e. Identity Manager writing to a managed system, but that is +something we will dig into later. + +![Provisioning](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +## Repository Updates + +Once Identity Manager is configured, with not only connectors but also roles and rules, etc. 
(which +constitute a different topic), changes can be made to the repository through: + +- synchronization, when changes were made in the managed systems and then synchronized, so copied, + to Identity Manager; +- manual input, mostly used for a few resources/properties that rarely change such as contractors' + identities; +- workflows which contain approval steps to complete before the changes are actually applied; +- the policy's rules that trigger changes to the repository directly, and those that trigger changes + to managed systems and impact the repository indirectly after the next synchronization. + +See the [ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic for additional +information. + +## Next Steps + +Let's learn about [ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md). + +## Learn More + +Learn more on Identity Management . + +See how to +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md). + +Learn more on [Connectors](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/index.md). + +See how to create a +[ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md). + +Learn more on [Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/index.md). + +Learn more on [Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md). diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/overview/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/index.md new file mode 100644 index 0000000000..cc467a718b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/index.md 
@@ -0,0 +1,90 @@ +# IGA and Netwrix Identity Manager + +Identity Manager is a powerful tool for Identity Governance and Administration (IGA) automation. + +## Identity Governance and Administration (IGA) + +Identity Governance and Administration (IGA) is a combination of Identity Access Management (IAM) +and Identity Access Governance (IAG). + +- IAM is about allowing the right identities to have the right permissions at the right time for the + right reasons. +- IAG is about providing visibility regarding identities, user access, and for monitoring + compliance. + +[See Gartner's documentation on IGA](https://www.gartner.com/en/documents/3885381). + +## Why Identity Manager + +We could explain Identity Manager's purpose like this: + +Typically, Identity Manager manages entitlements automatically according to a user's needs, for +example Active Directory group memberships. + +--- + +**First, we need to manage identities.** + +To do so, Identity Manager capitalizes on information from several source systems in order to build +a central repository. This repository should contain all the organizational data relevant for access +management for all users, meaning not only employees but also contractors, bots, or any kind of +identity. + +![Synchronization](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_synchronization.webp) + +**This implies involving external systems.** + +Access management requires reading/writing data to/from varied systems and applications, like the +Active Directory. Identity Manager provides an expanded set of connectors which contain the +technology required for IGA-related data flows. + +![Connectors](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_connectors.webp) + +See more details on [ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md) and connection between +systems. 
+ +--- + +**Then, we need to manage entitlements, in other words access rights, or permissions.** + +Identity Manager helps you build a role catalog that lists all entitlements from all managed +systems. The technical entitlements can then associated with new, functional names that more clearly +represent a business-oriented view point. + +In addition, Identity Manager helps you determine identities' expected entitlements by building a +role model. This model contains different kinds of rules that will suggest entitlement assignments, +or even assign them directly, based on the imported organizational data. + +As each working environment has its own particularities, you will be able to refine the identity +model by defining dimensions, i.e. criteria from among organizational data that will trigger the +rules. + +![Calculation](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_calculation.webp) + +--- + +**Finally, we need to actually give identities their entitlements and then govern them.** + +Identity Manager can be configured to provision the managed systems in order to apply the changes +dictated by the role model. This provisioning can be done either directly, with automatic +provisioning, or by notifying system administrators of the needed changes. Thus, identities finally +get their entitlements. + +![Provisioning](/img/product_docs/identitymanager/identitymanager/introduction-guide/overview/overview_provisioning.webp) + +Furthermore, Identity Manager provides a few workflows for entitlement request or user data +modification, which often include approval from a third party, hence identities get their +entitlements securely. + +See the [ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) topic for additional +information. 
+ +Thanks to the role model and data flows between Identity Manager and the managed systems, Identity +Manager ensures the compliance of existing permission assignments with the policy, pointing out +non-conforming assignments. + +See the [Governance](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/governance/index.md) topic for additional information. + +## Examples + +Let's read some [ Use Case Stories ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/use-cases/index.md). diff --git a/docs/identitymanager/saas/identitymanager/introduction-guide/overview/use-cases/index.md b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/use-cases/index.md new file mode 100644 index 0000000000..3fce2fbea7 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/introduction-guide/overview/use-cases/index.md 
@@ -0,0 +1,59 @@ +# Use Case Stories + +Here is a basic use case story to explain how Identity Manager manages IGA. + +## Use Case + +Mr. James was just hired to join the Contoso company as a mechanical engineer. He will need access +to some of the company's most sensitive data, such as confidential blueprints, mechanical design +software licenses, and source files. + +### Identity management + +The central repository already exists, containing all workers, all departments, etc. + +Mr. James' manager uses one of Identity Manager's workflows to add Mr. James as a new employee, +filling in his first name, last name, job title ("Mechanical Engineer"), his contract type +("permanent") and his start date. + +The rest of Mr. James' personal information, such as his birth date, etc., can be filled later by +someone from the HR department. + +### Entitlement management + +As Mr. James is not the first mechanical engineer in Contoso, Identity Manager already contains a +composite role named "R&D Mechanical Engineer". This role is meant to give its owners access to the +company's sensitive data useful for mechanical engineers. Assigning this role will trigger the +assignment of several single roles, each one giving one access right. + +Technically speaking, each access right is granted via a membership to a specific Active Directory +group. Thus Identity Manager also contains a navigation rule that gives this group membership to any +user owning this single role. + +In our example, each access right corresponds to an AD group membership, but it could be any +entitlement in any external system. + +For Mr. James to get the access rights that he needs, there are several options: + +- either Mr. James' manager manually assigns the "R&D Mechanical Engineer" role to him via a + workflow before his arrival, for example setting the start date to two weeks after Mr. 
James' + first day as he will be in training before then; +- or there may be an assignment rule that automatically assigns the role to any user with the job + title "Mechanical Engineer", so Mr. James will get the role on his first day. + +As the needed access rights involve the AD, Mr. James also needs to own an AD account which will be +linked to its identity in Identity Manager via correlation rules. + +Once the requests for the role and the account are approved, Identity Manager can connect to the +Active Directory and create Mr. James' account and add it to the proper groups, via provisioning +rules. + +### Governance + +Once the role model is well underway, Identity Manager can compare existing access rights to +expected access rights. Thus, Identity Manager makes sure that Mr. James always has all the +entitlements he needs in order to work, but not more to prevent security breaches. + +## Next Steps + +Let's learn about Identity Manager [ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md). diff --git a/docs/identitymanager/saas/identitymanager/migration-guide/index.md b/docs/identitymanager/saas/identitymanager/migration-guide/index.md new file mode 100644 index 0000000000..e3fee56746 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/migration-guide/index.md 
@@ -0,0 +1,56 @@ +# Migration Guide + +This guide is designed to provide step-by-step procedures in order to migrate Identity Manager from +your current version to the latest one. + +**NOTE:** For the latest SaaS versions, if you are using the administrator scaffolding the necessary +permissions for the update are added to the administrator scaffolding and they will be taken into +account the next time the configuration is deployed. + +## General Upgrade Instructions for the Server with Integrated Agent + +**Step 1 –** Download the `usercube-server-runtime` from the expected version from +[](https://extranet.usercube.com/)[Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). + +**Step 2 –** Stop the existing server. + +**Step 3 –** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`. + +**Step 4 –** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a +new `Runtime` folder. + +**Step 5 –** Copy the original `appsettings.json` and `appsettings-agent.json` files from +`RuntimeOld` to the new `Runtime`. + +**Step 6 –** Restart the server. + +## General Upgrade Instructions for the Agent + +**Step 1 –** Download the `usercube-agent-runtime` from the expected version from +[](https://extranet.usercube.com/)[Netwrix Portal](https://www.netwrix.com/sign_in.html?rf=my_products.html). + +**Step 2 –** Stop the existing agent. + +**Step 3 –** Rename the `Runtime` folder to create a backup, for example `RuntimeOld`. + +**Step 4 –** Extract the content of the new `Runtime`to the same folder as `RuntimeOld`, inside a +new `Runtime` folder. + +**Step 5 –** Copy the original `web.config, appsettings.json` and `appsettings-agent.json` files +from `RuntimeOld` to the new `Runtime`. + +**Step 6 –** Restart the agent. 
+ +## Specific Information to Migrate from v6.1 to v6.2 + +If you are looking to upgrade the Netwrix Identity Manager version from 6.1 to 6.2 you will not need +to take any action because the database will automatically be upgraded. If you have problems +importing your configuration into 6.2 related to C# expressions, please run the Identity +Manager-Check-ExpressionsConsistency tool. See the +[Usercube-Check-ExpressionsConsistency](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) +topic for additional information. + +## Specific Information to Migrate from v6.0 to v6.1 + +If you are looking to upgrade the Netwrix Identity Manager version from 6.0 to 6.1 you will not need +to take any action because the database will automatically be upgraded. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md new file mode 100644 index 0000000000..58c3d37665 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md 
@@ -0,0 +1,113 @@ +# Execute a Certification Campaign + +How to execute access certification campaigns, i.e. review specific entitlement assignments and +deprovision inappropriate access. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Once certification campaigns are scheduled, the assigned reviewers must decide for all relevant +assignments if they ought to be deleted or not. + +## Participants and Artifacts + +The execution part should be performed in cooperation with the staff who review access in the +campaign scheduling. + The monitoring part should be performed in cooperation with the staff in charge of campaign +scheduling. + +| Input | Output | +| ----------------------------------------------------------------------------------------------- | ---------------- | +| [ Schedule a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) (required) | Certified access | + +## Execute Certification + +Execute certification by proceeding as follows: + +1. Access the ongoing campaigns by clicking on the **Access Certification** section on the home + page. + + ![Home - Access Certification](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/home_accesscertification_v523.webp) + + On this page, all assignments to be reviewed are listed. + + ![Access Certification](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_accesscertification_v602.webp) + + Each assignment can be commented by clicking on the corresponding icon. 
+ + ![Comment Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +2. Choose one of the three possibilities to verify all assignments one by one: + + In order to help reviewers in the decision-making process, each assignment shows a + recommendation icon, indicating whether said assignment complies with the role model. + + See the icons below this note. + + The Recommended icon indicates that the entitlement has been automatically granted according to + the security policy. You can approve it because it is compliant. + The Not Recommended icon indicates that the entitlement does not comply with the security + policy. It is recommended to refuse it, unless the user really needs it. + + An absence of any icon indicates that the entitlement does not comply with the security policy. + However, it has been manually granted or denied. Thus there is no recommendation, please review + this entitlement carefully. + + ![Recommendation Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconrecommendation_v522.svg) + + ![Discouragement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_icondiscouragement_v522.svg) + + - Either click on the approval icon to confirm that this entitlement is necessary for this + identity. + + ![Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconapproval_v522.svg) + + - Or click on the decline icon to confirm that this entitlement is not necessary for this + identity. 
+ + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + + - Or click on the three dots icon to highlight that this entitlement is not part of your scope + of responsibility and forward it to the adequate person. + + ![Forward Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconforward_v522.svg) + +3. Click on **Confirm Decisions** on the left of the page. + + If you've made an erroneous decision, exiting the page before confirming offers the possibility + to quit without saving and start over from the last confirm. + +## Monitor a Certification Campaign + +Existing certification campaigns are listed on the page accessible via the **Access Certification +Campaigns** button on the home page in the **Administration** section. + +![Home - Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +![Campaigns Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_campaigns_v602.webp) + +### Get reports + +A **Download** button is available for each campaign. It downloads a CSV report that lists all the +entitlement assignments to be reviewed, the corresponding reviewers and their decisions. + +![Report Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_decisions_v522.webp) + +### Send notifications + +The notification icon on the line of a given campaign offers the possibility to send reminder +notifications to the staff who has not finished processing the campaign. 
+ +### Generate provisioning orders + +Once entitlement assignments have been reviewed, the final step is to apply these decisions. + +An **Apply Decisions** button is available for each campaign. It shows all the decisions made in the +campaign. The campaign administrator can then decide to actually apply said decisions and generate +the appropriate provisioning orders for deprovisioning unjustified entitlements. Said orders will be +considered during the next provisioning job. + +![Apply Decisions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_applydecisions_v602.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md new file mode 100644 index 0000000000..b15dd333ad --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md 
@@ -0,0 +1,102 @@ +# Schedule a Certification Campaign + +How to create and schedule access certification campaigns, defining their scope. + +## Overview + +The aim of an access certification campaign is to review specific access and entitlements for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. + +Here, you will learn how to create and schedule a certification campaign, defining its scope via the +filters specifying the reviewers and items to be reviewed. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing, because they +know what entitlements need to be reviewed. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| Identity Repository (required) [Create Roles in the Role Catalog](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)
(optional) [Manage Risks](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md) | Scheduled certification campaign(s) | + +See the [Create the Workforce Repository](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic +for additional information. + +## Create a Certification Campaign + +Create an access certification campaign by proceeding as follows: + +1. Click on **Access Certification Campaigns** in the **Administration** section on the home page. + + ![Home - Access Certification Campaigns](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/home_accesscertificationcampaigns_v602.webp) + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Certification Campaign](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newcertificationcampaign_v602.webp) + + - `Identifier`: Must be unique among certification campaigns and must not contain whitespace. + - `Name`: Will be displayed in the UI to identify the campaign. + - `Start Date`: Date when the campaign begins and becomes visible on the reviewers' **Access + Certification** screen. The campaign will review access existing at this date; changes after + this date are not included. + - `End Date`: Date when the campaign ends. + - `Target Entity Type`: Entity type targeted by the campaign. + - `Target Reviewers`: Set of identities responsible for the access review. Available reviewers + are configured via the + [Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) + policies. 
+ - `Target Specificities`: + [AccessCertificationDataFilter](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-certification/accesscertificationdatafilter/index.md) + defines the campaign scope (e.g., by object type, category, approval state). The campaign uses + the union of all specificities. + + ![Target Specificities](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetspecificities_v602.webp) + + The campaign will target permissions that meet the **intersection (AND)** of all criteria. + + When listing role tags, roles with **any matching tag (OR)** will be included. + + - `Target Owners`: Filters based on identity attributes for those whose access is being + reviewed. All filters are combined using **intersection (AND)** logic. + + ![Target Owner Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetowners_v602.webp) + + Additional filters may be available depending on the target entity type. + + ![Target Owner Additional Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_targetownersadditional_v603.webp) + + - `Individual Owner`: A single identity whose access is to be certified. + - `Active Target`: Identities with a specific property (from `Directory_UserRecord`) + modified since a given date. + + > Only properties not calculated by Identity Manager can be used to filter the target + > owners of the certification campaign. + + > The following campaign targets all assigned single roles for two specific users: + > + > ![Campaign Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_example_v602.webp) + +3. 
Click **Create** to add the campaign to the list. + + ![Campaigns Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_newlycreated_v603.webp) + +4. Apply changes by clicking **Launch** to run the access certification job. + + The job's logs are available via the **Job Results** button. + + > Example: + > + > ![Execute Access Reviews Job](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/certifcampaign_job_v522.webp) + +## Impact of Modifications + +You may modify any field of a certification campaign before its start date. After it starts, only +the name, identifier, and end date can be changed. Campaigns can be deleted at any time. + +## Verify Campaign Scheduling + +To verify the process, check the **Access Certification Campaigns** page to confirm the campaign’s +parameters are correct. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md new file mode 100644 index 0000000000..80e85edaa4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md 
@@ -0,0 +1,44 @@ +# Perform Access Certification + +How to certify existing access by reviewing a specific range of assigned permissions for auditing +purposes. + +## Overview + +The aim of an access certification campaign is to review specific entitlement assignments for +specific identities, in order to certify them and express an audit opinion that justifies their +necessity. So, for all relevant permissions, the idea is to specify if these assignments ought to be +deleted or not. + +There are several ways to arrange an access certification campaign. Among others, through filters +you can choose to focus on: + +- a certain category of roles; +- a certain type of assignment; +- assignments not certified since a certain date; +- assignments presenting a certain level of risk. + +Certification campaigns can be +[Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) but the +UI described in this guide can be enough on its own. See the +[Access Certification](/docs/identitymanager/saas/identitymanager/integration-guide/governance/accesscertification/index.md) topic for +additional information. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of auditing because they +know which entitlements need to be reviewed. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | +| Identity repository (required) [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)(optional) [ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md)(optional) | Certified access | + +See the[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md)topic +for additional information. + +## Perform Access Certification + +Perform access certification by proceeding as follows: + +1. [ Schedule a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md). +2. [ Execute a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/assigned-roles/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/assigned-roles/index.md new file mode 100644 index 0000000000..bc9a1d5b08 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/assigned-roles/index.md 
@@ -0,0 +1,58 @@ +# Review Assigned Roles + +How to review user permissions grouped by categories. + +**NOTE:** **Assigned Roles** is currently in a preview state and additional functionality will be +added in a future release. + +## Overview + +The **Assigned Roles** section displays a list of the users permissions grouped by categories. This +screen is visible for managers and displays the list of employees part of the team, their roles and +permissions. + +You can review all assigned single roles by category. Through filters you can choose to focus on: + +- **Entity Type** +- **Workflow State** +- **Policy** +- **Role** +- Other custom filters + +## Participants and Artifacts + +This operation should be performed by a user with the right permissions. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +The following example provides the rights for the Administrator profile to see the Assigned Roles +page on the **Entity Type** directory user. See the +[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) and +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +## Review Assigned Roles + +Review the Assigned Roles by proceeding as follows: + +![assignedroles](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/assigned-roles/assignedroles.webp) + +**Step 1 –** On the home page, in the Administration section of the UI click on Assigned Roles. 
+ +![assignedrolesscreen](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/assigned-roles/assignedrolesscreen.webp) + +**Step 2 –** View the list of users with different assigned roles and filter them by **Entity +Type**, **Workflow State**, **Policy**, **Role**or by using a custom filter. + +**Step 3 –** Download an .xlsx file list of the **Assigned Roles** users according to the selected +filters. + +Revisit the **Assigned Roles** section any time you need to review the information related to +Assigned roles. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/index.md new file mode 100644 index 0000000000..0bd41a840f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/index.md 
@@ -0,0 +1,74 @@ +# Administrate + +In the Admin section you can do the following: + +- [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) + + How to use Identity Manager's reporting modules to produce IGA reports for auditing and + governance purposes. + +- [Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + + How to remediate license and security issues caused by orphaned and/or unused accounts. + +- [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) + + How to write to a managed system. + +- [ Review Provisioning ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + + How to review provisioning orders before generation. + +- [ Provision Manually ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) + + How to use Identity Managerto manually write to the managed systems. + +- [ Provision Automatically ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md) + + How to use Identity Manager to automatically write to the managed systems. + +- [ Review Non-conforming Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) + + How to review non-conforming assignments, i.e. approve or decline the suggestions made by + Identity Manager after every synchronization. The aim is to handle the differences between the + values from the managed systems and those computed by Identity Manager's role model. + +- [ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + + How to review non-conforming permissions, i.e. 
approve or decline the role suggestions made by + Identity Manager after every synchronization. The aim is to handle the differences between the + navigation values from the managed systems and those computed by Identity Manager according to + the role catalog. + +- [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + + How to review unreconciled properties. The aim is to handle the differences between the property + values from the managed systems and those computed by Identity Manager according to provisioning + rules. + +- [ Review an Unauthorized Account ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) + + How to remediate unauthorized accounts. The aim is to review the accounts whose assignments + don't comply with the rules of the role model. + +- [ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md) + + How to certify existing access by reviewing a specific range of assigned permissions for + auditing purposes. + +- [ Schedule a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) + + How to create and schedule access certification campaigns, defining their scope. + +- [ Execute a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/index.md) + + How to execute access certification campaigns, i.e. review specific entitlement assignments and + deprovision inappropriate access. 
+ +- [ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md) + + How to send a manual request to add, update or remove an entitlement for an identity. + +- [Review Assigned Roles](/docs/identitymanager/saas/identitymanager/user-guide/administrate/assigned-roles/index.md) + + How to review user permissions grouped by roles. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md new file mode 100644 index 0000000000..6cda781718 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md 
@@ -0,0 +1,87 @@ +# Request Entitlement Assignment + +How to send a manual request to add, update or remove an entitlement for an identity. + +## Overview + +Changes in an identity's entitlements can be handled using Identity Manager's predefined workflows +to: + +- View the list of the identity's entitlements with Identity Manager's suggestions according to the + identity's position; +- Modify the identity's entitlements (add, update, remove). + +## Participants and Artifacts + +An assignment can be requested for a user sometimes by said user themselves, most often by their +manager, and on some occasions by the involved application owner. + +| Input | Output | +| ------------------------------------------------------ | -------------------- | +| Identity repository (required) Role Catalog (required) | Updated entitlements | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) and +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. + +## View Identity's Entitlements + +View the identity's entitlements by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be checked. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **View Permissions** to access the entitlement list. + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +## Modify Identity's Entitlements + +Act on an existing identity by proceeding as follows: + +1. 
Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** > **Modify Permissions** to launch the workflow for a manual entitlement + request. + + ![Workflow - Modify Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions to select entitlements and the action to be performed. You + can: + + - select entitlements to add; + - modify the potential options of the entitlements you are adding; + - delete entitlements which were assigned or declined manually; + - deny entitlements which were assigned automatically; + - allow denied entitlements by assigning them back manually. + + If the request is about assigning an entitlement via a role which requires at least one + approval, then sending the request triggers the display of said request on the **Role Review** + screen. + + ```` + Home Page - Role Review + + ```In this case, the requested entitlement will be displayed in the user's \*\*View Permissions\*\* tab only after the request is reviewed. + ```` + +## Verify Entitlement Request + +In order to verify the process, check that the change you made in the user's entitlements is +displayed in their **View Permissions** tab in the directory. + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) 
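Review bot: In manual-assignment-request/index.md, step 4 of "Modify Identity's Entitlements" ends with a four-backtick fence that contains only the text "Home Page - Role Review", a stray three-backtick run, and a sentence with escaped bold markers (\*\*View Permissions\*\*). This looks like an image reference and a follow-up paragraph that were swallowed into a code block during conversion, so the note that the entitlement appears in View Permissions only after the request is reviewed will render as literal code. Restore the Role Review image link and move that sentence out of the fence as normal list-item text.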
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md new file mode 100644 index 0000000000..faa4d9197d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md 
@@ -0,0 +1,70 @@ +# Review Non-conforming Assignments + +How to review non-conforming assignments, i.e. approve or decline the suggestions made by Identity +Manager after every synchronization. The aim is to handle the differences between the values from +the managed systems and those computed by Identity Manager's role model. + +## Overview + +Integrators must review three main types of non-conforming entitlement assignments: + +- Non-conforming roles: Identity Manager finds roles assigned to users in the managed systems that + no rule in the role model can justify. +- Unreconciled properties: Identity Manager's role model computes property values that are different + from the values in the managed systems. +- Unauthorized accounts: no rule from the role model can justify their actual assignment to an + identity. + +Unreconciled properties, unauthorized accounts and non-conforming roles are part of +[Non-Conforming Assignments](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/nonconformingdetection/index.md). +The global aim of the review is to handle the gaps between the +[ Existing Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/existingassignmentsdeduction/index.md) +(real values) and the +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +(theoretical values computed by Identity Manager from the role model rules). + +A high number of non-conforming assignments can come from an issue in configuration rules. + +Non-conforming roles and unauthorized accounts can be mass reviewed through +[Automate the Review of Non-conforming Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md). 
+See the +[Automate the Review of Non-conforming Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) +topic for additional information. + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners who are in charge of +applications' entitlements (technical side), and/or managers who know their team's entitlements +(functional side). + +| Input | Output | +| ---------------------------------------------------------------------------- | --------------------- | +| [](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md)[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying assignments | + +### Pre-existing assignments vs. non-conforming assignments + +The assignments specified as non-conforming during the very first execution of the role model are +called pre-existing assignments. Pre-existing assignments are tagged differently from other +non-conforming assignments by the +[ Save Pre-Existing Access Rights Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/savepreexistingaccessrightstask/index.md) +because they can indicate that: + +- The rules are not optimal yet. +- Data in the managed system needs more cleanup. + +Obviously, pre-existing assignments can also prove to be exceptions to the rules, like +non-conforming assignments, and need to be validated as such. + +## Review Non-conforming Assignments + +While there can be dependencies between the review of non-conforming roles and unreconciled +properties, there are no absolute requirements regarding the sequential order of the non-conforming +assignment review: + +- Review [ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md). 
+- Review [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md). +- [ Review an Unauthorized Account ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md). + +[ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md) can be defined to highlight the most +sensitive accounts/permissions, in order to establish a priority order in the review of +non-conforming assignments. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md new file mode 100644 index 0000000000..7f35d5c94b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md 
@@ -0,0 +1,171 @@ +# Reconcile a Property + +How to review unreconciled properties. The aim is to handle the differences between the property +values from the managed systems and those computed by Identity Manager according to +[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). + +## Overview + +Unreconciled properties are considered as non-conforming assignments because Identity Manager's role +model has computed property values that are different from the values in the managed systems. + +### Property reconciliation with role reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups for various applications, and a role is assigned through a group +> membership. An entitlement can be assigned to an identity by adding said identity's DN to the +> `member` property of the appropriate group. Identity Manager translates it by editing the +> identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its workflow state transitioned to `Manual` (if approved) or `Cancellation` (if + declined, then a deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. + +| Input | Output | +| --------------------------------------------------- | -------------------- | +| [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying properties | + +## Review an Unreconciled Property + +Review an unreconciled property by proceeding as follows: + +1. 
Ensure that the task for the computation of the role model was launched recently, through the + complete job on the **Job Execution** page + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unreconciled properties` as a `Workflow State`. + + ![Unreconciled Property](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_unreconciled_v522.webp) + +4. Choose the default resource view or the property view with the top right toggle. See the + Reconcile a Property topic for additional information. +5. Select a property to review. + + > In the following example, the user `Nicolas Faure` is the owner of a given resource, here a + > nominative SAB account associated with his email address. In the **Resource Properties to be + > Verified** frame, there is one unreconciled property that happens to be `Group`. + > + > ![Unreconciled Property Example](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewprop_example_v602.webp) + + - `Name`: unreconciled property name. + - `Proposed Value`: value proposed by Identity Manager. + - `Current Value`: value currently in the managed system. + - `Provisioning State`: provisioning state. 
+ - `Start Date`: date for the beginning of the property value existence. + - `End Date`: date for the end of the property value existence. + + The **Other Resource Properties** frame shows the complying properties associated with the + resource. + +6. Choose one of the three possibilities to verify the property: + + Decisions must be made with caution as they cannot be undone. + + - Either click on the approval icon to update the property with the proposed value. It discards + the whole property history. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + Automatic changes are essential for frequently-changing attributes. However, saving history + information can sometimes be important for some attributes such as logins and emails. + + - Or click on the decline icon to not update the property and keep the resource value. In the + future, this property will no longer be changed automatically. + + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + Retaining manual control of changes for sensitive data (i.e. `SAMAccountName`) can be of + interest. Identity Manager won't be able to change this data and the service account manager + will avoid authentication errors. It can be interesting to keep manual some sensitive data + changes like `SAMAccountName` for example, so that Identity Manager does not change it and + the service account manager does not risk problems in authentication. 
+ + - Or click on the postponement icon to delay the decision. An unreconciled property is ignored + by Identity Manager, and therefore cannot be modified. + + ![Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +7. Click on **Confirm Property Values**. +8. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > + **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. 
+ +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +## Verify Property Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's page in the directory. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md new file mode 100644 index 0000000000..1b7e27559c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md 
@@ -0,0 +1,121 @@ +# Reconcile a Role + +How to review non-conforming permissions, i.e. approve or decline the role suggestions made by +Identity Manager after every synchronization. The aim is to handle the differences between the +navigation values from the managed systems and those computed by Identity Manager according to the +role catalog. + +## Overview + +Non-conforming roles are considered as non-conforming assignments because no rule from Identity +Manager's model can justify their actual assignment to an identity. + +### Role reconciliation with property reconciliation + +For some managed systems, roles are tightly linked to navigation properties. + +> For example, the AD hosts groups dedicated to various applications, and a role is assigned through +> group membership. An entitlement can be assigned to an identity by adding said identity's DN to +> the `member` property of the appropriate group. Identity Manager translates it by editing the +> identity's `memberOf` property with the new group. + +In this case, when a role is assigned in the managed system without an existing rule that justifies +the role, then new items appear on the **Role Reconciliation**and the **Resource Reconciliation** +screens. + +> In the case of the AD example, consider that we want to assign a specific role in SAP. Then, we +> find the corresponding group in the AD and add the identity's DN to its `member` property. +> +> The result is a new item on the **Role Reconciliation** screen for said SAP role, plus an item on +> the **Resource Reconciliation** screen for the new `memberOf` property for said identity. +> +> If the identity didn't have an AD account yet, then it is automatically created, and the item on +> the **Resource Reconciliation** screen displays also a modification of the `accountExpires` +> property. 
+ +As roles and navigation properties are technically bonded together, their reviews are linked too: + +- If the role is reviewed (approved/declined), then the corresponding property is automatically + reconciled accordingly. +- If the property is reviewed (approved/declined), then the corresponding role is automatically + reviewed too, its + [Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) + workflow state transitioned to `Manual` (if approved) or `Cancellation` (if declined, then a + deprovisioning order is sent). + +> So let's say we add `Cedric Blanc` to the list of members of the SAP groups `SG_APP_SAP_1` and +> `SG_APP_SAP_211`. Then, after the next synchronization, Identity Manager displays one item for +> each role on the **Role Reconciliation** screen, and one item for all changes in the AD account on +> the **Resource Reconciliation** screen: +> +> ![Example - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_examplerole_v602.webp) +> +> ![Example - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresource_v602.webp) +> +> ![Example - Resource Reconciliation - Properties](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/reviewrole_exampleresourceprop_v602.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know their team's expected +entitlements. 
+ +| Input | Output | +| --------------------------------------------------- | --------------- | +| [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying roles | + +## Review a Non-conforming Permission + +Review a non-conforming permission by proceeding as follows: + +1. Ensure that the + [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. On the home page, click on the entity type that you want to manage in the **Role Reconciliation** + section, to get to the non-conforming permissions page. + + ![Home Page - Role Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/home_rolereconciliation_v523.webp) + + ![Role Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliation_v603.webp) + + Each non-conforming permission can be commented by clicking on the corresponding icon. + + ![Comment Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/access-certification/certification-campaign-execution/certifcampaign_iconcomment_v522.svg) + +3. 
Choose one of the two possibilities to verify the permission: + + Contrary to resources, reviewed roles are then displayed on the **Role Review** page accessible + from the home page, and can be reviewed again. + + - Either click on the approval icon to keep the non-conforming permission. + + ![Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_iconapprove_v602.svg) + + - Or click on the decline icon to delete the non-conforming permission. + + ![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/orphan_icondecline_v522.svg) + +4. Trigger provisioning by launching, on the appropriate connector's overview page, **Jobs** > + **Generate Provisioning Orders**, then, after this first task is done, **Jobs** > **Fulfill**. + See the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) topic for additional information. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use bulk provisioning + +Several roles can be reconciled simultaneously by clicking on **Bulk Reconcile Roles**. + +![Bulk Reconcile Roles](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/reviewrole_rolereconciliationbulk_v603.webp) + +## Verify Role Reconciliation + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) 
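Review bot: In role-reconciliation/index.md the heading `### Use bulk provisioning` does not match its body, which only describes reconciling several roles at once with **Bulk Reconcile Roles**. Rename it to something like "Use bulk reconciliation" so a reviewer does not assume that a bulk decision also writes to the managed system; step 4 still requires **Generate Provisioning Orders** and then **Fulfill**. Smaller points in the same file: `**Role Reconciliation**and the` is missing a space after the closing bold marker, and step 1 ends without a period before the first image.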
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md new file mode 100644 index 0000000000..9015234a01 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md 
@@ -0,0 +1,109 @@ +# Review an Unauthorized Account + +How to remediate unauthorized accounts. The aim is to review the accounts whose assignments don't +comply with the rules of the role model. + +## Overview + +Unauthorized accounts are considered as non-conforming assignments because no rule from Identity +Manager's model can justify their actual assignment to an identity. + +## Participants and Artifacts + +This operation should be performed in cooperation with application owners in charge of applications' +entitlements. + +| Input | Output | +| --------------------------------------------------- | ------------------ | +| [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) (required) | Complying accounts | + +## Review an Unauthorized Account + +Review an unauthorized account by proceeding as follows: + +1. Ensure that the + [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + was launched recently, through the complete job on the **Job Execution** page: + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + Or through the connector's overview page, **Jobs** > **Compute Role Model**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. Get to the **Resource Reconciliation** page, accessible from the corresponding section on the + home page. + + ![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +3. Select `Unauthorized account` as the `Workflow State`. Orphaned accounts appear with no owner. 
+ + ![Resource Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +4. Choose the default resource view or the property view with the top right toggle. +5. Click on the line of an account with an owner. + + In the following example, the nominative LDAP account linked to the resource + `U40897 / Internal Users / acme / com` has the owner `Maxime Guillot` with an 80% confidence + rate. + + ![Select Decision](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_reviewunauthorized_v602.webp) + + The displayed confidence rate means that a rule actually assigned the account to the identity, + but with a confidence rate too low to imply full automatic assignment. Approval will be + required. See the [ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) + topic for additional information. + + The **Resource Properties** frame shows all the properties of the resources. They can be updated + by clicking on the edit button. See the + [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) topic for additional information. + + ![Edit Button](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/unauth_updateprop_v522.webp) + +6. Select the appropriate decision. + + Decisions must be made with caution as they cannot be undone. + +7. Click on **Confirm Account Deletion** or **Authorize Account** according to the previous + decision. +8. 
Trigger the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) by launching, on the appropriate connector's + overview page, **Jobs** > **Generate Provisioning Orders**, then, after this first task is done, + **Jobs** > **Fulfill**. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. 
+ +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +Bulk keeping non-authorized accounts, by clicking on **Bulk Reconcile** then **Approve Current +Values**, does not approve their unreconciled properties which will still be displayed on this +screen. + +## Verify Review + +In order to verify the process, check that the changes you ordered appear on the corresponding +user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md new file mode 100644 index 0000000000..965b836529 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md 
@@ -0,0 +1,202 @@ +# Review Orphaned and Unused Accounts + +How to remediate license and security issues caused by orphaned and/or unused accounts. + +## Overview + +The review of unused and orphaned accounts is essential to solve security and license management +issues. Orphan accounts are without an owner, while unused accounts remain open without any +activity. + +### Orphaned accounts list + +A list of all orphaned accounts can be found on some entity type pages. Said pages can be accessed +through the menu items on the left of the home page, in the **Connectors** section. + +![Home - Entity Types](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +These entity type pages can be configured via XML to customize all displayed columns and available +filters, especially the **Orphan** filter that spots uncorrelated resources, and the **Owner / +Resource Type** column that shows the owner of each resource. See +the[ Create Menu Items ](/docs/identitymanager/saas/identitymanager/integration-guide/ui/how-tos/create-menu-items/index.md) topic for +additional information on customization. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +In the **Orphan** field, select **Yes** to see all existing resources without an owner. + +In addition, filters can be configured in the reporting module to list orphaned accounts. See the +[ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. Choose to display +**User** and **AD User** (nominative) with a filter on void user's display names. + +**NOTE:** Some accounts are considered orphaned because of an error in the account data or +assignment rule. 
+For an entity that is never the target of a resource type, the concept of an orphan does not apply +because the **Owner / Resource Type** column will be hidden. +When using a display table to display these entities, use +DisplayTableDesignElement``({{< relref "/integration-guide/toolkit/xml-configuration/user-interface/displaytable#properties" >}}) `"table"`` +or `"adaptable"`. + +### Unused accounts list + +The way to identify activity in a managed system is highly dependent on said system. Thus, activity +identification cannot be generalized, and the absence of activity in accounts isn't recognizable +with the configuration as is. Integrators must configure a specific property fulfilling this +purpose. + +For example in the AD, we can compute a Boolean property **isUnused** based on other AD accounts' +properties. Below is an example that you can use and adjust to your specific configuration: + +Here we write an expression for isUnused based on the bits of userAccountControl, the value of +**accountExpires** and the value of LastLogonTimeStamp: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +Once this "unused" property is created, a list of all unused accounts can be displayed thanks to the +filters in the query module, based on said property. See the +[ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. + +The previous example about the AD's **isUnused** property can be complemented in the query module by +displaying this property alongside users' **EmployeeId**. + +![Query of Unused Accounts](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_unusedquery_v602.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate as indicated in the +table below. 
+ +| Input | Output | +| ------------------------------------------------------------------------- | ------------------------------------ | +| [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) (required) | Removed orphaned and unused accounts | + +## Review an Orphaned Account + +Review an orphaned account by proceeding as follows: + +![Home Page - Resource Reconciliation](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/home_resourcereconciliation_v523.webp) + +**Step 1 –** Go to the **Resource Reconciliation** page, accessible from the corresponding section +on the home page. + +![Resource Reconciliation Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/unauth_unauthorizedaccounts_v602.webp) + +**Step 2 –** Select **Unauthorized account** as the **Workflow State**. Orphaned accounts are those +appearing with no owner. + +**Step 3 –** Choose the default resource view or the property view with the top right toggle. + +**Step 4 –** Click on the line of an account without an owner. + +![Select Owner](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans_v602.webp) + +In the following example, the nominative AD account linked to the email address +nathan.smith@acme.com has no owner. + +You can **Select owner** from the list by clicking on the check box. + +![Owners List](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_revieworphans-owners_v602.webp) + +**Step 5 –** Answer the following questions in order to understand the situation. + +- Has the account been used recently? +- Why is it orphan? +- Who is it supposed to belong to? +- If it is a service account, is it useful? Has it been used recently? 
+ + - A used account must be connected to its rightful owner + - An unused account must be deleted + +- If this account belongs to a person, is the user still in the organization or did they leave? + + - If the owner has left for more than XXX (time period defined by the security officer's rules), + the account must be deleted + - If the owner has left for less than XXX, the account must be connected to its owner and + deactivated. + - If the owner is still in the organization, the account must be connected to its owner. Is + there a rule to change? + +**NOTE:** We said that useful service accounts must be connected to their owners due to the fact +that an orphaned account cannot be certified. .See the +[ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md) topic for additional information. +But a service account must not be linked to a person, for the departure of said person from the +company may trigger the loss of the service account. +This is why we create identities with **Application** as their **UserType**, each +application-identity linked to a person supposed to manage it. Thus,service accounts must be +connected to application identities, themselves owned by people. That way, if the owner of the +application leaves, the application-identity is not deleted, and the service accounts it owns are +not deprovisioned. + +See the schema below this note. + +![Schema - Service Accounts](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_serviceaccounts.webp) + +**Step 6 –** Select the appropriate owner or no owner at all, according to the previous analysis. + +_Remember,_ decisions must be made with caution as they cannot be undone. + +**NOTE:** When binding an orphaned account to an existing owner, properties might need to be +reconciled. 
+ +**Step 7 –** Click on **Confirm Account Deletion** or **Authorize Account** according to the +previous decision. + +By taking the necessary steps the orphan account will be delete or authorized. + +### Use property view + +By default, non-conforming assignments are listed by resource. It is possible to click on a resource +and then access the list of all unreconciled properties for said resource. + +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_resourceview_v523.webp) + +It can be helpful to have the non-conforming assignments regrouped by property, as some of the +changes can be similar, so very likely to be validated by the same user. This is why a property view +can be enabled by clicking on the **Property View** toggle at the top right corner. + +Once enabled, select a resource type to display all unreconciled properties linked to said resource +type. In addition, select a property to display only the unreconciled properties linked to said +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_propertyview_v603.webp) + +The review process is the same with both views. However with property view, reviewers don't click on +a given line, but choose a decision directly on the left of the property line. + +![Bulk Reconcile](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/orphan-unused-account-review/orphan_bulkreconcile_v603.webp) + +In addition, using property view enables bulk reconciliation to approve the proposed values or keep +the current values for several resources simultaneously. + +## Verify Review + +In order to verify the process, check that the line for your reviewed item has been removed from the +**Resource Reconciliation** screen. 
+ +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +In addition, if you reconciled an orphaned account with an owner, check the user's permissions to +see said account. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md new file mode 100644 index 0000000000..6760cd66d0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md 
@@ -0,0 +1,56 @@ +# Provision Automatically + +How to make Identity Manager automatically write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +automated provisioning is used to minimize human intervention and trust Identity Manager with role +model enforcement in external systems. + +### Provisioning states + +In an assignment request's lifecycle, provisioning automation implies skipping the `Transmitted` +state as Identity Manager no longer waits for a user to make changes anymore. For this reason, an +assignment request goes through the following provisioning states: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/provauto_states_v523.webp) + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| [ Review Provisioning ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) Automated provisioning to [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Automated Provisioning + +automated provisioning is performed through a connection using a +[ References: Packages ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md) for +fulfilling external systems. + +## Perform Automated Provisioning + +There is no procedure to perform automated provisioning, for it is automatic and thus handled by +Identity Manager in daily jobs. 
+ +Make sure that the task used to compute and generate provisioning orders was launched after the +request (or the provisioning review, if any), through the complete job in the **Job Execution** +page. + +![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify Automated Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the manual assignment workflow through + [ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md) to make a change in + one of their permissions, which involves automated provisioning. +3. Perform automated provisioning and check in Identity Manager that the change was effectively + made. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md new file mode 100644 index 0000000000..65b9fe2aa4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md 
@@ -0,0 +1,112 @@ +# Provision + +How to write to an externally managed system. + +**A word about terminology** — Let's clarify the concept of writing to a managed system. + +There are two notions involved: + +- Fulfillment — writing to a managed system, manually or automatically +- Provisioning — writing automatically as provisioning is automated fulfillment + +But in everyday conversation, in the interface and in this documentation, we use the term +provisioning instead of fulfillment. + +## Overview + +When modeling your connectors, you had to decide what data you wanted Identity Manager to manage +within the external systems. You configured your connectors, and among other things you chose the +appropriate connections and packages, to manage identities and their entitlements by writing +directly to the managed systems. This is done through said connectors' provisioning capabilities. +See the [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) and +[Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topics for +additional information. + +When changes are performed on identity data, entitlements or the role model inside Identity Manager, +provisioning orders are generated in order to actually write said changes to the external systems. +These changes can be written automatically or manually. Manual provisioning is used to involve +humans and make them act on the external systems, instead of Identity Manager. Automatic +provisioning is used to minimize human intervention and trust Identity Manager with role model +enforcement in external systems. 
See the [ Provision Manually ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md) and +[ Provision Automatically ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/automatic-provisioning/index.md)topics for additional information. + +### Provisioning states + +Identity Manager handles provisioning by assigning a provisioning state to assignment requests. + +Here is the list of provisioning states and their description: + +| Provisioning state | Description | +| ------------------- | ------------------------------------------------------------------------- | +| 0—None | Used for Identity Manager's internal computation. | +| 1—Pending | The order is ready for provisioning but not sent to the agent. | +| 2—Transmitted | The agent has collected this order but no feedback has been received yet. | +| 3—Errored | The agent returned errors. | +| 4—Verified | The order is provisioned in the synchronized data. | +| 5—Awaiting Approval | The order is blocked until a review is performed. | +| 6—Inactive | The order is blocked as it is considered as useless (order in the past). | +| 7—Error | The role model threw an exception while evaluating the order. | +| 8—Executed | The agent returned OK. | + +These states are detailed with their transitions on the individual pages specific to provisioning +review, manual provisioning and automated provisioning. See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Review Provisioning ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) topics for additional information. + +### Provisioning review + +For security purposes, provisioning orders sometimes need to be reviewed before being propagated to +the managed system. 
Then, a user with the right entitlements accesses the **Provisioning Review** +page. Users can either approve provisioning orders that will then be unblocked and finally +propagated, or they can decline orders that will subsequently be ignored. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md)topic for additional +information. + +The review prior to the provisioning of entitlement assignments is usually performed based on the +resource type of given identities. For example, the assignment of sensitive entitlements will +require a review before being provisioned, whereas basic rights can be assigned at once. Therefore, +resources must be carefully classified beforehand. See the +[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------- | ------------------ | +| Connector's data model (required) Classified resources (required) Provisioning Rules (required) Role catalog (required) | Provisioned system | + +See the [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md), +[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md), +[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md), and +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. 
+ +## Perform Provisioning + +In order to perform the provisioning you have to: + +- Choose whether to adjust your resource types to implement provisioning review +- Choose whether to adjust your connections to implement manual and/or automated provisioning + +## Verify Provisioning + +In order to verify the process: + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +**Step 1 –** Select a test user in the directory, accessible from the home page. + +**Step 2 –** Follow the manual assignment workflow to make a change in one of their entitlements, +which involves the type of provisioning that you want to test. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +**Step 3 –** Check the provisioning state of the requested entitlement at every step, in the user's +**View Permissions** tab. + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/prov_stateschema_v523.webp) + +Whether your provisioning workflows trigger provisioning review, or whether they trigger manual or +automated provisioning, below is the global state schema. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md new file mode 100644 index 0000000000..8f2ed795cb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/manual-provisioning/index.md 
@@ -0,0 +1,82 @@ +# Provision Manually + +How to use Identity Manager to manually write to the managed systems. + +## Overview + +In the lifecycle of a resource (entitlement assignment, resource creation, resource update, etc.), +manual provisioning is used to make humans intervene and act on the external systems, instead of +Identity Manager. + +### Provisioning states + +In its lifecycle, an assignment request goes through the following provisioning states: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems as +write permissions are required. + +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| [ Review Provisioning ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) (required) Manual provisioning through [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) (required) | Updated managed systems | + +## Implement Manual Provisioning + +Manual provisioning is performed through a connection using the +[ Manual Ticket ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/manual-ticket/index.md). +Besides, for a resource to be manually provisioned, the corresponding resource type must be +configured with the manual connection set to `Provisioning Connection` in the **Fulfill Settings**. + +## Perform Manual Provisioning + +Perform manual provisioning by proceeding as follows: + +1. 
Ensure that the task to compute or generate provisioning orders was launched after the request + (or the provisioning review, if any), through the complete job in the **Job Execution** page. + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + + ![Manual Provisioning Screen](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_page_v603.webp) + +2. Access the manual provisioning orders page by clicking on the entity type that you want to manage + in the **Manual Provisioning** section. + + ![Home Page - Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) + +3. Choose a line to handle the corresponding provisioning order. +4. Creation, edition and deletion orders follow the same process: read Identity Manager's + suggestions and create, edit or delete the appropriate resource directly in the managed system + (outside Identity Manager). + + ![Creation Provisioning Order](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_createresource_v522.webp) + + ![Creation Provisioning Order](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_editresource_v522.webp) + +5. Choose to confirm or report an error. + +### Use bulk provisioning + +Several orders can be provisioned simultaneously by clicking on **Bulk Provision**. + +![Bulk Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/provmanual_bulk_v603.webp) + +## Verify Manual Provisioning + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. 
+ + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the workflow through + [ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md) to make a change in + one of their permissions, which involves manual provisioning. +3. Perform manual provisioning and check the provisioning state of the requested entitlement at + every step, in the user's **View Permissions** tab. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Check in your managed system that the change was effectively made. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md new file mode 100644 index 0000000000..43d96a1e86 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md 
@@ -0,0 +1,242 @@ +# Review Provisioning + +How to review provisioning orders before generation. + +## Overview + +For security purposes, provisioning orders sometimes need to be reviewed before being computed and +actually generated. Then, a user with the right permissions accesses the **Provisioning Review** +page. They can either approve provisioning orders that will then be computed, generated and finally +ready for actual provisioning, or they can decline orders that will subsequently be ignored. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for +additional information. + +### Provisioning states + +In an assignment request's lifecycle, provisioning review adds a few steps between the moment when +the request is issued and when provisioning orders are computed: + +![Provisioning State Schema](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_states_v523.webp) + +## Participants and Artifacts + +This operation should be performed in cooperation with the staff in charge of managed systems. + +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) (required) | Provisioning orders | + +## Implement Provisioning Review + +Provisioning review is configured for a given resource type. 
Therefore, you can decide to force the +review of provisioning orders when +you[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). You +can choose to: + +- Set the number of required approvals by a + [ Manage Role Officers ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/role-officer-management/index.md), via the + `Approval Workflow` option. +- Enable a technical approval by the application owner, via the `Block provisioning orders` option. + +Provisioning review can also be triggered when a fulfillment error occurs. See +the[ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md)topic +for additional information. + +## Review Provisioning Orders + +Review provisioning orders by proceeding as follows: + +1. On the home page, click on the entity type that you want to manage in the **Provisioning Review** + section. + + ![Home Page - Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/home_provisioningreview_v523.webp) + + ![Provisioning Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_provreview_v602.webp) + +2. Click on a line to access details and handle addition, association, update or deletion orders. + + Once reviewed, provisioning orders are to be executed by Identity Manager during the next + **Fulfill** task, accessible from the corresponding connector's overview page, in the **Resource + Types** frame. + + Automatic provisioning orders are directly executed, while manual provisioning orders are listed + on the **Manual Provisioning** page. 
+ + ![Fulfill Task](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +### Handle an addition order + +Identity Manager shows all the properties of the new resource to be created: + +![Addition Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewaddition_v602.webp) + +- `Proposed Value`: value proposed by Identity Manager. +- [Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. + +See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an addition order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property creation with the proposed value. + + ![Addition - Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + - Or click on the decline icon to refuse the property creation. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. 
+ + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or ignore the creation. + +### Handle an association order + +Identity Manager displays a given owner and a given resource to be associated with a given +[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md)and all resource +properties to be verified: + +![Association Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewassociation_v602.webp) + +- `Confidence rate of proposed resource`: rate expressing the confidence in this + [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md). +- `Proposed Value`: value proposed by Identity Manager. +- `Current Value`: value currently in the managed system. +- `Provisioning State` +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. + +See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an association order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to validate the proposed property value. 
+ + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + ![Deletion Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/reviewrole_icondelete_v602.svg) + + - Or click on the decline icon to refuse the property association. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Choose to confirm or deny the association. + +### Handle an update order + +Identity Manager shows a given resource and all resource properties to be verified: + +![Edition Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewedition_v602.webp) + +- `Proposed Value`: value proposed by Identity Manager. +- `Current Value`: value currently in the managed system. +- `Provisioning State` +- `Start Date`: date for the beginning of the property value existence. +- `End Date`: date for the end of the property value existence. +- `Workflow State`: describes the origin or approval state of an assignment. +- `Confidence Rate`: rate expressing the confidence in the corresponding query rule. 
+ +See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +and [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) topics for +additional information. + +Handle an update order by proceeding as follows: + +1. For all resource properties to be verified, choose one of the possibilities: + + - Either click on the approval icon to order the property update with the proposed value. + + ![Edition - Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconapprove_v602.svg) + + ![Edition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconedit_v602.svg) + + - Or click on the decline icon to refuse the property update. + + ![Addition - Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_icondecline_v522.svg) + + - Or click on the postponement icon to delay the decision. + + ![Addition - Postponement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_iconpostpone_v522.svg) + +2. Click on **Confirm Property Values**. + +### Handle a deletion order + +Identity Manager shows a given owner and their resources to be deleted: + +![Deletion Order Review](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provmanual_reviewdeletion_v602.webp) + +Handle a deletion order by choosing either to confirm the deletion or to keep the resource. + +### Use property view + +By default, provisioning orders are listed by resource. It is possible to click on a resource and +then access the list of all provisioning orders for that resource. 
+ +![Resource View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_resourceview_v603.webp) + +In addition, using resource view enables bulk unblocking for provisioning orders with errors. + +![Bulk Unblock](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_bulkunblock_v603.webp) + +It can be helpful to have the provisioning orders regrouped by property, as some of the changes can +be similar, so very likely to be validated by the same user. This is why a property view can be +enabled by clicking on the `Property View` toggle at the top right corner. + +Once enabled, select a resource type to display all provisioning orders linked to that resource +type. In addition, select a property to display only the provisioning orders linked to these +resource type and property. + +![Property View](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/provisioning-review/provreview_propertyview_v603.webp) + +The review process is similar on both views. However with property view, reviewers don't click on a +given line, but choose a decision directly on the left of the property line. + +## Verify Provisioning Review + +In order to verify the process: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Follow the [ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md) workflow + to make a change in one of their permissions, which involves provisioning review. +3. Check that the provisioning state is `Pending` in the user's **View Permissions** tab. 
+ + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +4. Click on **Jobs** > **Fulfill** on the corresponding connector's overview page, in the **Resource + Types** frame, to execute the provisioning orders. + + ![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +5. The orders using automated provisioning should be automatically handled with their state + switching to `Executed`, while those using manual provisioning should appear on the **Manual + Provisioning** page with their state switching to `Transmitted`. + +![Home Page - Manual Provisioning](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/provisioning/manual-provisioning/home_manualprovisioning_v523.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md b/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md new file mode 100644 index 0000000000..c04f43f1a4 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md 
@@ -0,0 +1,130 @@ +# Generate Reports + +How to use Identity Manager's reporting modules to produce IGA reports for auditing and governance +purposes. + +## Overview + +Reporting features help users produce reports for auditing and performance evaluation. The aim is to +be aware of the whole assignment landscape, display it for analysis, and act upon it if needed. +Governance also helps produce audit-ready reports. You can start to set up governance features +relatively early in your Identity Manager journey and measure your progress from the very start. + +A few reporting tools are already available in Identity Manager, used in other parts of your IGA +project, for example: + +- the list of entitlements for a given user in their **View Permissions** tab; + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +- the list of all requests that you are authorized to see in **Workflow Overview** accessible from + the home page in the **Administration** section; + + ![Home - Workflow Overview](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_workflowoverview_v602.webp) + +- the list of [Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). + + ![Orphaned Account List](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/orphan_entitytype_v523.webp) + +Identity Manager puts users in control of their reporting. Rich features help produce customizable +reports that can be used to check the assignment policy results, or gather information for an audit. + +Identity Manager provides several different levels of reporting according to your needs and +technical tools. 
You can: + +- download predefined reports for simple needs; +- add new reports to the predefined ones through XML configuration, for recurring needs that aren't + met by available reports (this requires XML configuration knowledge); +- create customized reports with the Query module and its universes configured beforehand, to meet + specific needs (this requires certain technical knowledge); +- create customized graphic reports with PowerBI, to meet specific needs (this requires certain + technical knowledge). + +## Participants and Artifacts + +This operation can be performed by any user interested in producing IGA reports. + +| Input | Output | +| ------------------ | ------- | +| Entries (required) | Reports | + +## Download Predefined Reports + +Identity Manager provides a selection of predefined reports available in the solution. They +represent the most common use cases. + +The accessibility of these predefined reports was configured during profile configuration. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md)topic for additional +information. + +Download predefined reports by proceeding as follows: + +1. Click on **Reports** on the left of the home page to access the list of predefined reports. + + ![Home Page - Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_reports_v602.webp) + + ![Reports](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_predefinedreports_v602.webp) + +2. Choose the appropriate report and click on **Download** to get an Excel report. The + downward-pointing arrow provides additional report formats. + +## Add New Reports to the List + +When facing frequent reporting requirements outside the scope of predefined reports, new reports can +be configured with XML via `Report Query` and specific query grammar. 
See the +[API query grammar](/docs/identitymanager/saas/identitymanager/integration-guide/api/squery/index.md) topic for additional +information. + +## Create Customized Reports + +When facing a one-time need for producing specific reports, Identity Manager's Query module helps +display attributes chosen from the data which is already synchronized and classified. See the +[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) and +[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) topics for additional +information. This module offers the possibility to customize reports and download them. + +The Query module is based on predefined +[ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) +that can be adjusted later on in XML configuration, just like the list of available query models. + +Create a custom report by proceeding as follows: + +1. Click on **Query** in the **Administration** section on the home page. + + ![Home Page - Query](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/home_query_v602.webp) + + ![Query Page](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_querypage_v602.webp) + +2. Choose a query model from among the list. +3. Click on **Fields to Display** and select the appropriate fields from among the database + [ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + and click on **Confirm**. 
+ + ![Fields to Display](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_fieldstodisplay_v522.webp) + + In cases where Identity Manager doesn't display correctly the information you need, you must try + to understand the entity instances and association instances that constitute the + [ Universe ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/business-intelligence/universe/index.md) + that you are working with. Perhaps the fields that you chose cannot be properly correlated. + +4. Click on **Filters**, write the appropriate condition and click on **Confirm**. + + ![Filters](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/reporting/reporting_filters_v602.webp) + + For example, a report could list user names and identifiers but only those with their + `Contract end date` less than today's date, so that we will see all the workers who have left + the organization and are still stored in Identity Manager. + +5. Once all report settings are defined, click on **Download** to get a CSV report. + +## Create Customized Graphic Reports with Power BI + +When facing a periodic need for producing specific reports, especially when a visual presentation is +required, Identity Manager offers the possibility to connect to the +[Power BI](https://powerbi.microsoft.com/en-us/what-is-power-bi) application. This application will +allow you to create customized reports with a vast range of display options (such as graphs, charts, +matrixes, etc.) using Identity Manager's universes. + +See the +[Connect Power BI to Identity Manager](/docs/identitymanager/saas/identitymanager/integration-guide/governance/reporting/how-tos/connect-powerbi/index.md) +topic for additional information on how to analyze Identity Manager's data with Power BI. 
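Review bot: In the reporting page that ends here, "Participants and Artifacts" says the operation "can be performed by any user interested in producing IGA reports", but "Create Customized Reports" step 1 sends the reader to **Query** in the **Administration** section, and only the predefined-reports section mentions that access comes from profile configuration. Since the Query example exports user names, identifiers and contract end dates to CSV, state which profile permission exposes Query and its download. Smaller points: several links have no space before the following word (`index.md)topic`), link labels are padded with spaces (`[ Universe ]`), and the intro list writes "PowerBI" while the last section writes "Power BI".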
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/authentication/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/authentication/index.md new file mode 100644 index 0000000000..d673e62bbf --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/authentication/index.md @@ -0,0 +1,5 @@ +# Set Up User Authentication + +How to allow end-users to authenticate and use the Identity Manager application. See the +[ End-User Authentication](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/end-users-authentication/index.md) +topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/change-management/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/change-management/index.md new file mode 100644 index 0000000000..314b7db72e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/change-management/index.md 
@@ -0,0 +1,122 @@ +# Plan Change Management + +How to anticipate the deep changes in the organization's applications and processes due to Identity +Manager installation as a new IGA tool. + +Change management is not only part of any IGA project. It is a full project in itself that requires +its own project officer, objectives, success indicators, etc. It starts on the very first day with +the project kickoff, and runs alongside the technical project. + +## Overview + +The applications and processes of the organization are about to change deeply. Change management is +crucial because it determines the future proper use of the solution and the gain that can be +achieved by the organization. It requires an upstream impact analysis in order to define the +strategy to adopt. + +### Process + +A digital project follows two parallel processes: + +- The organizational and digital process used to design, build and deploy the solution. +- The human process urging staff to accept the solution, familiarize themselves with it, join and + interact with the project. + +Change management aims to support the teams throughout the human process. + +![Process of Change Management](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_process.webp) + +These processes include mandatory steps that all staff members have to go through, but not +necessarily at the same pace. For that reason, change managers can benefit from the use of personas, +i.e. creating characters that represent key populations. + +## Participants and Artifacts + +![Actors of Change Management](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_actors.webp) + +The aim of a Project Management Officer concerning critical stakeholders is to enable: + +- Decision makers to trigger holistic change in response to recurring factors in daily issues. 
This + can be translated into promoting efforts towards the broader enterprise strategy, focusing on + recurring challenges, identifying common denominators, not exceeding Project Management Office's + capacity and promoting PMO's shifting value proposition. +- Managers to grow maturity and confidence in change management because they allow responsibility + distribution throughout the organization. They need support in self-assessment and change + management at varying degrees according to the strategic importance and complexity level of + change. This can be translated into DIY change supports like templates, change coaches for + tailored guidance, or change drivers for end-to-end execution. +- The employees impacted by change to enter the decision-making process at an early stage, thus + improving change absorption. They must be engaged as active participants in shaping change + decisions, in order to avoid extreme leader-dictated or consensus-based strategies. + +| Input | Output | +| ----------------------------------- | ------------------------ | +| Upstream impact analysis (required) | Business ready to change | + +## Run Change Management for Identity Manager + +In order to profitably handle change management, any project should start with the question: **in +three years from now, what will be the (three to five) main facts attesting the success of this +project?** The answer will shape the strategy. + +Whether Identity Manager replaces manual processes or an existing IGA tool, change management +methods are going to be the same. Only the analysis of impacted populations and the effort made to +onboard them can define the appropriate response. + +IGA impact is based on data quality. Therefore, change management must encompass everything and +everyone that consumes and/or feeds data. All three population segments (decision makers, managers +and employees) are involved in data quality in one way or another. 
Hence, it is essential that they +understand IGA as an advantage instead of a constraint. + +Run change management by proceeding as follows: + +1. Identify the populations impacted by change. Below is an example of impacted populations that can + vary enormously. + + ![Usual Populations](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/change-management/changemanagement_populations.webp) + +2. For all listed populations, estimate their size and the expected impact on them, through + indicators like the frequency of their future use of the solution. Use personas to represent key + population members, such as VIP users that don't use the application much, or users not feeling + comfortable with computers. +3. According to the previous impact analysis, implement adjusted change management methods. You can + get inspiration from the following examples. + +| | Population | Size | Impact | Possible Actions | +| --- | ----------- | ---- | ---------------------- | ------------------------------------------------------------------------------------------------------------ | +| 1 | All | 500 | Low | Introduction email Public video Information article | +| 2 | End-Users | 50 | High | Coffee corner: coffee break with the local support team offering tutorials and exercises on Identity Manager | +| 3a | HR/Managers | 10 | High (daily use) | Tutorials and exercises with a support team to get started quickly with Identity Manager | +| 3b | HR/Managers | 10 | Medium (bimonthly use) | Step-by-step procedure video or flyer | + +##### Example 1 + +Informing relevant populations is essential. For large populations (ex.: 500 employees), an +introduction email can be sent to everyone or a video published on a public website or played on +screens visible in the workplace. + +##### Example 2 + +A medium or large population (i.e. 
the size of a department in your organization) might be receptive +to informal meetings such as a coffee break with the local support team offering tutorials and +exercises on Identity Manager. + +##### Example 3 + +Let us consider HR teams and managers which have a change impact depending on their frequency of use +of the application. + +###### Example 3a + +If they frequently use the application (i.e. daily use), they will benefit from tutorials and +exercises with a support team to get started quickly with Identity Manager. + +###### Example 3b + +If they infrequently use the application (i.e. bimonthly use), they may rather benefit from training +materials such as a step-by-step procedure video or flyer. + +## Verify Change Management + +In order to verify the process, change managers can rely on implemented indicators, in the same way +as for any project management situation. diff --git a/docs/usercube_saas/usercube/user-guide/deploy/implementation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/implementation/index.md similarity index 100% rename from docs/usercube_saas/usercube/user-guide/deploy/implementation/index.md rename to docs/identitymanager/saas/identitymanager/user-guide/deploy/implementation/index.md diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/index.md new file mode 100644 index 0000000000..d0702dd557 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/index.md 
@@ -0,0 +1,39 @@ +# Deploy + +- [ Plan Change Management ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/change-management/index.md) + + How to anticipate the deep changes in the organization's applications and processes due to + Identity Manager installation as a new IGA tool. + +- [ Install the Production Agent ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/index.md) + + How to install a local agent for production environment. + +- [ Configure the Agent's Settings ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) + + How to configure the agent's application settings via the `web.config`, `appsettings.json` and + `appsettings.agent.json` files. + +- [ Install IIS via Server Manager ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md) + + How to configure the local server to install IIS via Server Manager. + +- [ Configure the Pool and Site ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) + + How to configure the application pool and website via IIS. + +- [ Set the Working Directory's Permissions ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md) + + How to assign to the pool the right permissions on the working directory. + +- [ Finalize the Installation ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md) + + How to finalize the installation of the agent. + +- [Set Up User Authentication](/docs/identitymanager/saas/identitymanager/user-guide/deploy/authentication/index.md) + + How to allow end-users to authenticate and use the Identity Manager application. 
+ +- [Implement Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/deploy/implementation/index.md) + + How to actually implement Identity Manager solution. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md new file mode 100644 index 0000000000..c349d445c1 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md 
@@ -0,0 +1,56 @@ +# Set the Working Directory's Permissions + +This guide shows how to assign to the pool the right permissions on the working directory. + +## Overview + +For Identity Manager to work correctly, the pool of the production agent must be configured with +specific permissions on the working directory. + +This page describes the optimal configuration of the pool's permissions on the working directory to +prepare the production agent's installation. + +## Set the Working Directory's Permissions + +Set the working directory's permissions by proceeding as follows: + +1. Right-click on the working directory, for example `C:/identitymanager`, to select **Properties**, and in + the **Security** tab, click on **Advanced**. + + ![Working Directory Properties: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties1.webp) + +2. In the **Permissions** tab, click on **Add**, and in the pop-up window click on **Select a + principal**. + + ![Working Directory Properties: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties2.webp) + +3. Click on **Locations** to choose the current computer, and in the text area enter + `iis apppool/identitymanager` (`Usercube` being the name of the previously created pool). + + ![Working Directory Properties: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties3.webp) + + An error at this point should come either from a mistake in the pool's name or in the selected + location. + +4. Click on **OK** and make sure that only the **Read and execute**, **List folder contents** and + **Read** permissions are selected. 
+ + ![Working Directory Properties: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_directoryproperties4.webp) + +5. Click on **OK** in the windows until they are all closed. +6. Right-click on the `Temp` folder to select **Properties**, and in the **Security** tab, click on + **Edit**. + + ![Temp Folder Properties: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties1.webp) + +7. Select the user corresponding to the pool and give them `Full control`. + + ![Temp Folder Properties: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/prodagent_foldersproperties2.webp) + +8. Click on **OK** in the windows until they are all closed. +9. Repeat the last few steps (those concerning the `Temp` folder) to apply them to the `Work` and + `Mails` folders. + +## Next Steps + +To continue, [ Finalize the Installation ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md)in a few steps. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md new file mode 100644 index 0000000000..b190b1c076 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md 
@@ -0,0 +1,29 @@ +# Finalize the Installation + +This guide shows how finalize the installation of the agent. + +## Overview + +This page describes the last few steps that the production agent needs for Identity Manager to run +correctly. + +## Finalize the Installation + +Finalize the installation of the agent by proceeding as follows: + +1. Install + [Windows' hosting bundle for ASP.Net Runtime](https://dotnet.microsoft.com/en-us/download/dotnet/8.0). + + If the bundle was installed before + [ Configure the Pool and Site ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md), then IIS might not display the + AspNetCore module and Identity Manager will not run. In this case, relaunch the bundle's + installation executable to perform a repair. + +2. When using a proxy, adjust the configuration accordingly. See the + [ Reverse Proxy ](/docs/identitymanager/saas/identitymanager/installation-guide/reverse-proxy/index.md)topic for additional + information. + +## Next Steps + +To continue, follow the instructions to verify the agent's installation. See the +[ Install the Production Agent ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md new file mode 100644 index 0000000000..942b0d4143 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md 
@@ -0,0 +1,67 @@ +# Configure the Pool and Site + +This guide shows how to configure the application pool and website via IIS. + +## Overview + +IIS provides a platform for hosting and managing websites. +[See more details](https://learn.microsoft.com/fr-fr/iis/get-started/introduction-to-iis/introduction-to-iis-architecture). + +To install the production agent, a website must be created and configured correctly, as part of an +application pool. + +This page describes the optimal configuration in IIS to prepare the production agent's installation. + +## Configure the Application Pool and Site + +Configure the application pool and site by proceeding as follows: + +1. Open IIS and remove the default site and pool. + + IIS can usually be found in Windows' search menu, or from Server Manager by accessing the + **Tools** menu. + + ![IIS: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis1.webp) + +2. Right-click on **Application Pools** to add a new pool named `Usercube`. + + ![IIS: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis2.webp) + +3. Right-click on **Sites** to add a new site named `Usercube`, make sure that the + selected application pool is `Usercube` and set the `path` field to the `Runtime` folder. + + ![IIS: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis3.webp) + +4. 
Right-click on the application pool to open its advanced settings and make sure that the + following parameters are set as such: + + ![IIS: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis4.webp) + + ![IIS: Step 5](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_iis5.webp) + +5. Make sure that IIS contains an SSL certificate, by accessing the home page of IIS server and + double-clicking on **Server Certificates**. + + If the certificate is not ready yet, generate an auto-signed certificate. + + ![IIS Server Certificate: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate1.webp) + + If the certificate is not there yet, import it by clicking on **Import** in the right-side menu, + and specify the certificate's path and password. + + ![IIS Server Certificate: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate2.webp) + +6. Add the certificate's URL to the site by right-clicking on the site, selecting **Edit Bindings** + and clicking on **Add**, then choosing `https` as type, `443` as port, specifying the server's + URL (without the `https` part) as host name, and finally selecting the server certificate. + + ![IIS Server Certificate: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/prodagent_servercertificate3.webp) + + Click on **OK**. + + If the server's certificate is not available at this point, then make sure it was correctly + imported in the previous step. 
+ +## Next Steps + +To continue, [ Set the Working Directory's Permissions ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md new file mode 100644 index 0000000000..ff1d629cfe --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md 
@@ -0,0 +1,46 @@ +# Install IIS via Server Manager + +This guide shows how to configure the local server to install IIS via Server Manager. + +## Overview + +When running on Windows Server, Server Manager makes available parameters to configure the local +server at will. +[See more details](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/manage-the-local-server-and-the-server-manager-console). + +This page describes the optimal configuration of the local server to install IIS in order to prepare +the production agent's installation. + +## Install IIS via Server Manager + +Install IIS via Server Manager by proceeding as follows: + +1. Open the Server Manager program and click on **Add roles and features**. + + ![Server Manager: Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager1.webp) + +2. Click on **Next**, then in **Installation Type** make sure that **Role-based or feature-based + installation** is selected and click on **Next**. + + ![Server Manager: Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager2.webp) + +3. In **Server Selection** tick **Select a server from the server pool** and click on **Next**. + + ![Server Manager: Step 3](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager3.webp) + +4. In **Server Roles** tick **Web Server (IIS)**. + + ![Server Manager: Step 4](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager4.webp) + +5. In **Features** select **Remote Server Administration Tools** > **Role Administration Tools** > + **AD DA and AD LDS Tools** > **AD DS Tools** > **AD DS Snap-Ins and Command-Line Tools**. 
+ + ![Server Manager: Step 5](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager5.webp) + +6. In **Confirmation** click on **Install**. + + ![Server Manager: Step 6](/img/product_docs/identitymanager/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/prodagent_servermanager6.webp) + +## Next Steps + +To continue,[ Configure the Pool and Site ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md)and website via IIS. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/index.md new file mode 100644 index 0000000000..ef24cf69b3 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/index.md 
@@ -0,0 +1,70 @@ +# Install the Production Agent + +This guide shows how to install an agent separated from the server, for production environment. See +the [ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md)topic for additional +information. + +## Overview + +Like all agents, the production agent aims to extract data from a given managed system, and transmit +said data to the Identity Manager server. If necessary, the agent also enables the managed system's +provisioning according to the orders computed by the Identity Manager server. See the +[ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md) topic for additional +information. + +Identity Manager solution can use several agents, each of them manages a given system. This section +is about installing the agent managing the production environment. + +Once agents are configured in addition to the default one provided by SaaS, you need to think about +what agent to choose during each +[ Create the Connector ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md)declaration. The +appropriate agent has access to the managed system. + +## Requirements + +Ensure that all +[ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md)requirements can be +met before starting the installation of the production agent. + +Requirements for the agent installation can change over the course of the project, according to the +project purpose. + +### Encryption certificates + +Ensure that your encryption certificates are valid by checking their: expiration date; signatory; +key size exceeding 2048; sha256 and not sha-1. + +### Server Manager + +Ensure that the device used for the installation has the Server Manager program. + +## Participants and Artifacts + +Integrators should have all the elements they need to operate. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------- | ---------------- | +| [ Agent ](/docs/identitymanager/saas/identitymanager/installation-guide/requirements/agent-requirements/index.md) prerequisites (required) | Production agent | + +## Install the Production Agent + +Install the production agent by proceeding as follows: + +1. [ Create a Working Directory ](/docs/identitymanager/saas/identitymanager/installation-guide/production-ready/working-directory/index.md) + and make sure it contains the folders: `Mails`; `Sources`; `Temp`; `Work`. +2. [ Configure the Agent's Settings ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md) via the `web.config`, + `appsettings.json` and `appsettings.agent.json` files. +3. Configure the local server to [ Install IIS via Server Manager ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md). +4. [ Configure the Pool and Site ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-configuration/index.md) via IIS. +5. [ Set the Working Directory's Permissions ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/directory-permissions/index.md). +6. [ Finalize the Installation ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/finalization/index.md). + +## Verify Agent Installation + +In order to verify the process: + +- make sure the website is accessible from IIS by clicking on **Browse** (in the menu on the right), + and from your browser; +- if logs are enabled, then stop the pool to make sure that no error is thrown; +- perform from a local device agent-side actions such as sending test emails, reading and/or writing + inside working folders, or launching/scheduling agent-side tasks. 
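Review bot: In `production-agent-installation/index.md`, the "Encryption certificates" check ("expiration date; signatory; key size exceeding 2048; sha256 and not sha-1") is too loose to verify against. "Exceeding 2048" reads as excluding 2048-bit keys, the key type is not named, and "sha256 and not sha-1" does not say it refers to the certificate's signature algorithm. Suggest a bullet list with one property and its accepted value per line, and a sentence on what "signatory" is to be compared with. In "Verify Agent Installation", "stop the pool to make sure that no error is thrown" should say where the error would appear (the stdout log enabled in `web.config`, if that is what is meant).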
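Review bot: In `directory-permissions/index.md`, step 3 tells the reader to enter `iis apppool/identitymanager` while the parenthetical says `Usercube` is the name of the previously created pool, and the IIS page in this same patch creates the pool as `Usercube`. The principal has to match the pool name exactly, and the step itself warns that an error here comes from a mistake in the pool's name, so the two names need to be aligned. It would also help to say explicitly that `Sources` keeps the read-only rights from step 4, since steps 6 to 9 grant `Full control` only on `Temp`, `Work` and `Mails`.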
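Review bot: In `iis-configuration/index.md`, step 5 gives two fallbacks with nearly the same condition ("If the certificate is not ready yet, generate an auto-signed certificate" and "If the certificate is not there yet, import it"), so the reader cannot tell when to generate and when to import. Suggest separating the two cases, using "self-signed" rather than "auto-signed", and stating whether a self-signed certificate is acceptable once the production agent is in service. Step 4 says "make sure that the following parameters are set as such" but the values exist only in the two screenshots, so list them in text. The pool and site are still named `Usercube` while the rest of the patch moves to `identitymanager`, and the Overview links to the `fr-fr` Microsoft Learn page.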
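Review bot: In `iis-installation/index.md`, step 5 reads "**AD DA and AD LDS Tools**", which looks like a typo for "AD DS and AD LDS Tools"; the label should match what Server Manager displays. The step also gives no reason why AD DS tools are selected on a page about installing IIS, so add one sentence on what the agent needs them for. The "Next Steps" line ("To continue,[ Configure the Pool and Site ](...)and website via IIS.") is missing spaces around the link and repeats "Site" and "website".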
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md new file mode 100644 index 0000000000..9002680739 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/settings-files/index.md 
@@ -0,0 +1,264 @@ +# Configure the Agent's Settings + +This guide shows how to configure the agent's application settings via the `web.config`, +`appsettings.json` and `appsettings.agent.json` files. + +## Overview + +Identity Manager provides JSON files to configure varied application settings, named appsettings +json and appsettings.agent.json. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings/index.md) +and +[appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) +topics for additional information. + +This page describes the optimal configuration of the production agent's application settings. + +## Configure the Agent's Settings + +Configure the agent's settings by proceeding as follows: + +1. From the `Runtime/Agent` folder, copy the files `appsettings.json`, `appsettings.agent.json` and + `web.config` and paste them in the `Runtime` folder, thus replacing the pre-existing ones. +2. Open `web.config` and make sure that, in the `aspNetCore` tag, the value of `arguments` is set to + `./identitymanager-Agent.dll`. + + When needing to get the agent's logs, set also `stdoutLogEnabled` to `true`. See more details in + [Microsoft's documentation](https://learn.microsoft.com/fr-fr/aspnet/core/host-and-deploy/iis/logging-and-diagnostics?view=aspnetcore-7.0). + + ``` + + web.config + + ... + ... + ... + + ``` + +3. 
Open `appsettings.json` and make sure that: + + - **License** contains a valid license; + - **IdentityServer** contains the encryption certificate's path and password provided by Netwrix + Identity Manager (formerly Usercube) team, in order to secure agent/server identification; + + > For example: + > + > ``` + > + > appsettings.json + > + > "IdentityServer": { + > "X509KeyFilePath": "./identitymanager.pfx", + > "X509KeyFilePassword": "secret" + > } + > + > ``` + + - you get an encryption certificate which will be used to encrypt specific files such as logs or + temporary files, and that **EncryptionCertificate** contains its path and password; + + > For example: + > + > ``` + > + > appsettings.json + > + > "EncryptionCertificate": { + > "File": "./identitymanager-Files.pfx", + > "Password": "secret", + > "EncryptFile": true + > } + > + > ``` + + **EncryptFile** can stay set to `false` while verifying the agent installation, but for + security reasons it must be set to `true` afterwards. + + If the certificates' passwords contain `@`, then they must be escaped via the `@` as first + character of the strings. + + - **ApplicationUri** contains the server's address, provided by Netwrix Identity Manager + (formerly Usercube) team when working in a SaaS environment; + + > For example: + > + > ``` + > + > appsettings.json + > + > "ApplicationUri": "http://localhost:5000" + > + > ``` + + Do not write a `/` character at the end of the string. + + - **Cors** > **AllowAnyHeader**, **AllowAnyMethod** and **AllowCredentials** are set to `true`; + + ``` + + appsettings.json + + "Cors": { + "AllowAnyHeader": "true", + "AllowAnyMethod": "true", + "AllowCredentials": "true" + } + + ``` + +4. Open `appsettings.agent.json` and make sure that: + + - **OpenId** > **AgentIdentifier** specifies the agent's name which must match the XML + configuration. 
See the + [appsettings.agent](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/agent-configuration/appsettings-agent/index.md) + topic for additional information.. + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent" + > } + > + > ``` + > + > With the following configuration: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **OpenIdClients** > **Job** contains the non-hashed value of the password of + "Job-Remote" provided by NETWRIX' team + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > } + > } + > + > ``` + + and add the hashed value of this password to the `OpenIdClient` named `Job` from the XML + configuration; + + > For example: + > + > ``` + > + > + > + > ``` + + - **OpenId** > **DefaultOpenIdClient** is set to `Job`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "OpenId": { + > "AgentIdentifier": "MyAgent", + > "OpenIdClients": { + > "Job": "secret" + > }, + > "DefaultOpenIdClient": "Job" + > } + > + > ``` + + - **PasswordResetSettings** > **TwoFactorSettings** > **ApplicationUri** contains the server's + address, provided by NETWRIX' team when working in a SaaS environment; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > } + > } + > + > ``` + + - **PasswordResetSettings** > **EncryptionCertificate** contains contains the path and password + of the certificate used to secure password tokens; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../identitymanager.pfx", + > "Password": "secret" + > } + > } + > + > ``` + + - 
**PasswordResetSettings** > **MailSettings** > **PickupDirectory** is set to the `Mails` + folder and **FromAddress** to `no-reply@.com`; + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "PasswordResetSettings": { + > "TwoFactorSettings": { + > "ApplicationUri": "http://localhost:5000" + > }, + > "EncryptionCertificate": { + > "File": "../identitymanager.pfx", + > "Password": "secret" + > }, + > "MailSettings": { + > "PickupDirectory": "../Mails", + > "FromAddress": "no-reply@contoso.com" + > } + > } + > + > ``` + + - **SourcesRootPaths** contains the path to the `Sources` folder. + + > For example: + > + > ``` + > + > appsettings.agent.json + > + > "SourcesRootPaths": [ + > "C:/identitymanager/Sources" + > ] + > + > ``` + +## Next Steps + +To continue,see the local server to +[ Install IIS via Server Manager ](/docs/identitymanager/saas/identitymanager/user-guide/deploy/production-agent-installation/iis-installation/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md new file mode 100644 index 0000000000..daed1f8b4e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md 
@@ -0,0 +1,14 @@ +# How to Maintain the Workforce Directory + +How to keep the workforce directory up to date. + +## Overview + +![Process Schema - How to Implement a New System](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-maintaindirectory/globalprocess_schemamaintain.webp) + +## Process Details + +Be aware that the integration of an IGA tool is an iterative process. Thus, after following +the[ How to Start ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-start/index.md) process and creating the workforce directory, you can +come back at any time and complete the directory that you started +[ Update Identity Data ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-newsystem/index.md b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-newsystem/index.md new file mode 100644 index 0000000000..c101241db9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-newsystem/index.md 
@@ -0,0 +1,79 @@ +# How to Implement a New System + +How to add a new system to the solution. + +## Overview + +When connecting Identity Manager to a new system, several process paths can be taken according to +your strategy. There is no option fundamentally better than the others, your decision must depend on +your needs. + +The **option A** leads quickly to the implementation in production environment, i.e. a new +application in Identity Manager's scope. With this, you can +[Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) the AD, +[ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md), +and [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example the list of profiles +assigned to users. + +The **option B** takes more time as it goes through the creation of the role model based on the +system's entitlements, but it leads to even more gain as you can also +[ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +[ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md)access +certification and +[ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md), and also +[ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example the list of assigned single +roles. + +The option B is more complicated and time-consuming than the option A, but leads to more gain. 
Be +aware that you can go through the process options simultaneously. + +![Process Schema - How to Implement a New System](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-newsystem/globalprocess_schemaconnectsyst.webp) + +## Process Details + +### Common starting steps + +1. [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md): create the appropriate + connector with its connections and entity types. +2. [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) into Identity Manager. + + Based on this, you can [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example + the list of resources in the system. A few predefined reports are available from the start, you + can generate any report from this list as soon as it makes sense according to the integration + progress. + +3. [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) in order to classify them + according to their intent, and correlate these resources with their owners. +4. [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) to write to the + system in order to update the resources' properties directly in the system. +5. Adjust the rules by + [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + resources, i.e. analyze the differences spotted between the reality of resources' properties and + those computed by the previously established rules. Especially, verify that accounts are + correlated to the right owners and that their properties have the right values. 
+ + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Identity Manager to an external system, two process options are available according +to your needs: either aim directly to the implementation in production environment, or first build +the role model in order to enable more administration activities. Both options can be started +simultaneously. + +### Option A: Straight to production implementation + +Go directly to the common final steps (step 8). + +### Option B: First build the role model + +6. [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) for + applications managed by the system. +7. [ Automate Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md) if needed: use Role + Mining to create single role rules in bulk; adjust the generated rules individually and manually. + +### Common final steps + +8. Perform tests. +9. Deploy the pre-production configuration to the production environment. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-start/index.md b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-start/index.md new file mode 100644 index 0000000000..7175daa760 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-start/index.md 
@@ -0,0 +1,116 @@ +# How to Start + +How to start integrating Identity Manager with your own needs. + +## Overview + +When starting with Identity Manager, several process paths can be taken according to your strategy. +There is no option fundamentally better than the others, your decision must depend on your needs. + +The **option 1** leads quickly to identity management, i.e. users' on-boarding/movement/off-boarding +without needing a periodic synchronization. See the +[ Update Identity Data ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md) topic for additional +information. + +The **option 2A** takes more time as it requires the installation of an agent on your network in +order to connect Identity Manager to the system and use the AD's data, but it leads to more gain as +you can also +[Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md), +[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) the AD, +[ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md)properties, +and [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example the list of profiles +assigned to users. 
+ +The **option 2B** takes even more time as it goes through the creation of the role model based on +the system's entitlements, but it leads to even more gain as you can also +[ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md), +[ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md) and +[ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md), and also +[ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example the list of assigned single +roles. + +The options 2A and 2B are more complicated and time-consuming than the option 1, but lead to more +gain. Be aware that you can go through the process options simultaneously. + +Netwrix Identity Manager (formerly Usercube) recommends the option 1 to be able to start IGA without +waiting for the installation of an agent in your network, and go through the option 2 +simultaneously. + +![Process Schema - How to Start with Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/global-process/howto-start/globalprocess_schemastart.webp) + +## Process Details + +### Common starting steps + +1. [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md). +2. [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md): configure + the generation of unique properties; load workforce identities to Identity Manager; adjust the + data model. 
+ +After these first steps, two process options are available according to your needs: either aim +directly to identity management and the opening of Identity Manager to end-users, or first connect +Identity Manager to an external system in order to enable more administration activities. Both +options can be started simultaneously. + +### Option 1: Based on the workforce directory + +Starting with the workforce directory does not require the installation of a local agent. + +Go directly to the common final steps (step 10). + +### Option 2: Based on an external system + +Starting with an external system requires the installation of a local agent. + +3. Connect Identity Manager to the system by creating a connector. See the + [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) topic for additional + information. +4. [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md)the system's data into Identity + Manager. + + Based on this, you can [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md), for example + the list of resources in the system. A few predefined reports are available from the start, you + can generate any report from this list as soon as it makes sense according to the integration + progress. + +5. [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) in order to classify them + according to their intent, and correlate these resources with their owners. +6. [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) to write to the + system in order to update the resources' properties directly in the system. +7. Adjust the rules by reconciling resources, i.e. 
analyze the differences spotted between the + reality of resources' properties and those computed by the previously established rules. + Especially, verify that accounts are correlated to the right owners and that their properties + have the right values. See the + [ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) + topic for additional information. + + Either the integrator handles the customization of the rules and the review of non-conforming + resources, or they can assign an application administrator profile to a given user to perform + it. Assigning this profile requires profile configuration, see steps 11 and 12. + +After connecting Identity Manager to an external system, two process options are available according +to your needs: either aim directly to identity management and the opening of Identity Manager to +end-users, or first build the role model in order to enable more administration activities. Both +options can be started simultaneously. + +### Option 2A: Straight to identity management + +Go directly to the common final steps (step 10). + +### Option 2B: First build the role model + +8. [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) for + applications managed by the system. +9. [ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + if needed: use Role Mining to create single role rules in bulk; adjust the generated rules + individually and manually. + +### Common final steps + +10. Adjust HR workflows to keep the workforce directory updated (only in XML configuration). +11. Define the permissions for your user profiles. 
See the + [ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for + additional information. +12. Define the authentication mode by configuring `SelectUserByIdentityQueryHandlerSetting` (only in + XML configuration), and [Assign Users a Profile](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + to open the application to end-users. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/global-process/index.md b/docs/identitymanager/saas/identitymanager/user-guide/global-process/index.md new file mode 100644 index 0000000000..065cd7e4ce --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/global-process/index.md @@ -0,0 +1,22 @@ +# Global Process + +How do the process activities success each other. + +NETWRIX recommends working with a SaaS installation and with the User Interface as long as possible, +because identity management is optimized by mastering identities inside Identity Manager. + +Be aware that the integration of an IGA tool is an iterative process. There is no simple linear +process. This user guide provides the following processes that can follow one another and +intertwine. + +- [ How to Start ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-start/index.md) + + How to start integrating Identity Manager with your own needs. + +- [ How to Maintain the Workforce Directory ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-maintaindirectory/index.md) + + How to keep the workforce directory up to date. + +- [ How to Implement a New System ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/howto-newsystem/index.md) + + How to add a new system to the solution. 
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/index.md b/docs/identitymanager/saas/identitymanager/user-guide/index.md new file mode 100644 index 0000000000..28b318ef0a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/index.md 
@@ -0,0 +1,108 @@ +# User Guide + +Identity Manager's User Guide leads the reader through all the necessary steps to autonomously build +an IGA solution based on Identity Manager, either from scratch or using Identity Manager's IGA Core +Solution, with the aim of quickly delivering value. + +## Target Audience + +This guide is intended to be read by Identity Manager administrators, i.e. power users who configure +Identity Manager to match their company's needs. + +## Prior Knowledge + +This guide presumes some knowledge of Identity Manager on the part of the reader who should have +previously read the [Introduction Guide](/docs/identitymanager/saas/identitymanager/introduction-guide/index.md) in order to be aware of the +main purposes, principles and capabilities of Identity Manager. + +Using this guide does not require any advanced IT skills. All the configuration steps take place +through Identity Manager's UI or MS Excel files. + +Netwrix Identity Manager (formerly Usercube)strongly recommends starting from the +[Introduction Guide](/docs/identitymanager/saas/identitymanager/introduction-guide/index.md) to fully benefit from the User Guide's content. + +## Overview + +This guide is made of step-by-step procedures that take the reader through setting up Identity +Manager from scratch and creating IGA value as quickly as possible. + +The procedures are meant to guide the reader through a standard setup, based on Identity Manager's +IGA Core Solution, and with Netwrix Identity Manager (formerly Usercube) suggestions and +recommendations. Any advanced configuration can be performed later using the content of the +[Integration Guide](/docs/identitymanager/saas/identitymanager/integration-guide/index.md). + +Thus, even when having very specific needs, Netwrix Identity Manager (formerly Usercube) still +recommends starting the project with the basics presented in this guide. The IGA solution can be +enhanced later on with the help of our experts. 
This way, IGA value can already be delivered while +the project continues for optimization purposes. + +## Content + +This guide is organized into activities, each activity containing an overview, the input, output, +and participants as well as step-by-step procedures and a way to verify the outcome. + +Some activities are grouped together when they depend on each other to create value or when they +contribute to a same goal. + +While some activities must be carried out before others for technical and/or functional reasons, the +order is not absolute. Please follow the instructions and recommendations detailed with the +[ Global Process ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/index.md). + +All activities are organized into bigger sections which are distinguishable by their functional +intent: set up; administrate; optimize; deploy and maintain. + +### Set up + +Learn how to configure a working environment, how to set up identity lifecycles, and how to build a +catalog of roles for entitlement management, in order to configure the Minimum Viable Product. + +### Administrate + +Learn how to enforce your security policies through access certification, or resource/role +reconciliation, provisioning review, etc. + +### Optimize + +Learn how to enhance the IGA solution through automation and model optimization. + +> For example, learn how to adjust the identity model and the role model in order to make them +> resemble the company's reality, learn how to improve the data quality by automating entitlement +> assignment decisions, or by automatically provisioning assignments to the managed systems. Learn +> how to push the automation wall thanks to Identity Manager's AI with role mining. + +### Deploy + +Learn how to deploy the solution to a production environment. + +### Maintain + +Learn how to maintain the solution, because the project is iterative. 
Learn how to keep the data +model up to date according to the company's changes, or how to add new systems to the loop, while +Identity Manager is already running in production. + +## How to Use this Guide + +Start by studying the [ Global Process ](/docs/identitymanager/saas/identitymanager/user-guide/global-process/index.md). that details every activity in +their respective sections and how they relate to one another. You will get a good view of the steps +to take from start to finish. + +Follow the path, stop at each activity, and go check out the details on the matching page of the +guide, in the corresponding section. There you will find recommendations and practical steps to +complete the activity and test it. Then you can resume following the path. + +At any step along the way, once you feel comfortable, you can decide to take another direction than +the recommended process, as long as you take into account the input artifacts specified in each +activity page, which represent actual technical dependencies. You can start an activity only if all +the previous technical dependencies are met. + +Keep in mind that completing sections one by one is the quickest way to deliver value. Nevertheless, +they are not rigorously dependent on each other. You do not have to complete one entirely in order +to go to the next. But they are not rigorously independent either. There are some activities in the +first one that are required for activities in the second. Read the input artifacts to choose the +correct order. + +> For example, if you are looking forward to fixing non authorized account (from the +> **Administrate** section) you do not have to complete the **Set Up** section entirely. You just +> have to complete the **Categorize Resources** activity, and all the activities connected to it +> upstream . You do not have to complete other activities such as the **Create Roles in the Role +> Catalog** activity. 
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md new file mode 100644 index 0000000000..69f1bcde4f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md 
@@ -0,0 +1,42 @@ +# Update Identity Data + +How to perform modifications in the identity repository, to manage onboarding, offboarding and +position changes. + +This part is not about changing the data model, but data itself. + +## Overview + +After the identity repository is initiated, you will need to modify it for many possible reasons. +Among them: + +- update all identities with new attributes because you didn't have the required information during + the repository creation, or because it wasn't a priority for you then; +- perform onboarding: add new identities as new workers arrive in the company; +- modify identities' attributes to fix existing errors, or to reflect a real change in users' data, + or model a position change; +- remove identities' attributes, as they are no longer required to manage entitlements; +- perform offboarding: remove identities with all their attributes, as users leave the company. + +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic +for additional information. + +## Modify Identity Data + +Modify identity data by proceeding as follows, according to the changes to be made: + +- either update data individually by using predefined workflows in the UI; See the + [ Update an Individual Identity ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) topic for additional information. 
+- or perform a same change on several identities simultaneously by using Identity Manager's + predefined workflow in the UI; See the [ Update Identities in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) topic + for additional information. +- or update data on a massive scale by uploading an external file into Identity Manager, as an + incremental version of the identity repository. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md new file mode 100644 index 0000000000..975ba99498 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md 
@@ -0,0 +1,75 @@ +# Update an Individual Identity + +How to manage onboarding, position changes and offboarding through the UI, for a single identity. + +This part is not about changing the data model, but data itself. + +## Overview + +Individual changes in identity data can be handled using Identity Manager's predefined workflows to: + +- declare a new identity (for an internal as well as an external worker); +- act on existing identities, including modify their data, manage their contract and/or positions, + suspend all accounts linked to them, or reactivate them, repair some data, or delete these + identities. + +## Participants and Artifacts + +A given user's data can be updated occasionally by their manager, but most often by the HR +department. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic for additional information. + +## Declare a New Identity + +Declare a new worker by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. According to the type of the user to be declared, click on the corresponding button. + + ![Workflow - New User](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_newuser_v602.webp) + +3. Follow the workflow's instructions to fill the form with the user's data, choose the user's + entitlements from your role catalog and send the request. 
See the + [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + topic for additional information. + +## Act on an Existing Identity + +Act on an existing identity by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Click on the user to be modified. + + ![Workflow - User](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_user_v602.webp) + +3. Click on **Actions** or **Helpdesk** to select the action to perform. + + ![Workflow - Modify Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/administrate/manual-assignment-request/datamodif_changeuser_v602.webp) + +4. Follow the workflow's instructions. + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. In this case, the requested updates + will be displayed in Identity Manager only after the request has been reviewed. + + ![Request - Review Pending](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process, check that the right data is displayed in the directory for the +involved user. + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) 
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md new file mode 100644 index 0000000000..05008fc497 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md 
@@ -0,0 +1,131 @@ +# Update Identities in Bulk + +How to perform a mass change in identity data, by uploading an incremental version of the identity +repository. + +This part is not about changing the data model, but data itself. + +Here we describe the incremental update of identities, but the update of any other File/CSV works +the same. + +## Overview + +When the number of changes gets high, identity data update through the UI becomes tedious. +Therefore, Identity Manager offers the possibility to fill a predefined file with data to be +modified, in order to perform all changes simultaneously. + +Data update can be performed in complete mode or incremental mode. + +## Participants and Artifacts + +Identity data can be updated most often in cooperation with the HR department. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic for additional information. + +## Update Data in Complete Mode + +Mass update identity data (in complete mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the Excel template full of the data from your database. + + ![Download Full Template](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplatedata_v602.webp) + +4. Update the data that needs change. +5. 
Ensure that the field `Path (Complete mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, launch synchronization. See the + [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional information. + + Be cautious about thresholds. + +## Update Data in Incremental Mode + +Mass update identity data (in incremental mode) by proceeding as follows: + +1. Access the directory connector from **Connectors** on the home page, in the **Configuration** + section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, choose the connection corresponding to identities. +3. In the connection's settings, download the empty Excel template. + + ![Download Full Template](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/datamodif_downloadtemplateempty_v602.webp) + +4. Fill only the data to be modified, specify the unique identifier for each entry (for correlation + purposes), and fill the column `Command`, which can take a few available inputs: + + - `Add` to incorporate new attributes; + - `Modify` to change existing attributes; + + Attributes can be emptied using the value `NULL_NULL`. + + - `Delete` to remove attributes from the datamodel; + + Instead of using `Delete`, you can scan the data model to exclude unused attributes. 
See the + [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + topic for additional information. + + - `Merge` to input an identity's data and modify the corresponding attributes if said identity + already exists, create a new identity otherwise. + > For example, if a few users switch working sites, then the modification is performed by + > filling the file only with said users' identifiers and new sites. Fill the column + > `Command` with `Modify`. The rest will not be changed. + +5. Ensure that the field `Path (Incremental mode)` is filled with the path of the source file. +6. Click on **Upload** and choose the file you modified with new data. + + ![Upload](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/mass-update/connection_upload_v602.webp) + +7. Click on **Check Connection** to verify the path. + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + +8. Click on **Save & Close**. +9. Back on the connector's page, launch synchronization. See the + [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topic for additional information. + + Be cautious about thresholds. + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. You should verify + at least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory accessible from the home page. 
+ + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list them with their + managers through the Query module. + +- Create reports with indicators on the workers number per type or per organization for example + (through Identity Manager' predefined reports, the Query module or Power BI), in order to ensure + that Identity Manager's content sticks to reality. See the + [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md new file mode 100644 index 0000000000..86e19c2a74 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md 
@@ -0,0 +1,69 @@ +# Update Multiple Identities + +How to perform a same change in data for several identities simultaneously. + +This part is not about changing the data model, but data itself. + +## Overview + +When a same change is needed by a high number of users, then Identity Manager provides a UI workflow +to perform this change for all selected identities simultaneously. + +> For example, if a whole department in the company is moved to a new working site, then all users +> working in said department must have their `Site` attribute updated. + +## Participants and Artifacts + +Given users' data can be updated occasionally by their managers, but most often by the HR +department. + +| Input | Output | +| ----------------------------------------------------------- | --------------------------- | +| Identity repository (required) New identity data (required) | Updated identity repository | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +topic for additional information. + +## Update + +Perform multiple updates by proceeding as follows: + +1. Click on **Multiple Updates**, accessible from the directory on the home page. + + ![Home Page - Multiple Updates](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/home_multipleupdates_v523.webp) + +2. Follow the workflow's instructions to perform the change, assign new entitlements if needed, and + send the request. + + ![Multiple Updates Form](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/datamodif_multipleform_v602.webp) + + If the workflow has been configured in this way, the update request may require a review. In + this case, sending the request triggers the display of said request on the **My Tasks** screen + for the reviewer, while the state of the request is pending. 
In this case, the requested updates + will be displayed in Identity Manager only after the request has been reviewed. + + ![Request - Review Pending](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/identity-data-modification/individual-update/datamodif_reviewpending_v523.webp) + +## Verify Data Update + +In order to verify the process: + +- Check manually a sample in the `User` directory accessible from the home page. You should verify + at least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the + `Department` directory on the home page. + + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the Query module. + +- Create reports with indicators, for example, on the number of workers per type or per organization + (through Identity Manager's predefined reports, the Query module or Power BI), to ensure that + Identity Manager's content sticks to reality. See the + [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/index.md new file mode 100644 index 0000000000..e09b9ddb90 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/index.md 
@@ -0,0 +1,23 @@ +# Maintain + +- [ Update Identity Data ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/index.md) + + How to perform modifications in the identity repository, to manage onboarding, offboarding and + position changes. + + - [ Update an Individual Identity ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md) + + How to perform changes in data for a single identity, through the UI. + + - [ Update Multiple Identities ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/multiple-update/index.md) + + How to perform a same change in data for several identities simultaneously, through the UI. + + - [ Update Identities in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) + + How to perform a mass change in identity data, by uploading a complete or incremental + version of the identity repository. + +- [ Troubleshoot ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/troubleshooting/index.md) + + How to troubleshoot Identity Manager when facing technical issues. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/maintain/troubleshooting/index.md b/docs/identitymanager/saas/identitymanager/user-guide/maintain/troubleshooting/index.md new file mode 100644 index 0000000000..a7975ecf10 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/maintain/troubleshooting/index.md 
@@ -0,0 +1,145 @@ +# Troubleshoot + +How to troubleshoot Identity Manager when facing technical issues. + +## Overview + +Daily technical issues can lead to some unexpected results in Identity Manager. This page is meant +to give some clues and use cases in order to solve usual issues. + +> For example, the issues described below can happen when there is a network cut, or an application +> IP address is being changed, or an important password is being modified. + +See the +[ Troubleshoot Connector Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/troubleshoot-connector-jobs/index.md) +troubleshooting instructions concerning connector jobs. + +### Prerequisites + +In order to troubleshoot Identity Manager efficiently, the user, usually an application +administrator, must have access to: + +- the connector screens, especially the jobs available there; + + ![Connector Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_connectorjobs_v603.webp) + +- the resource screens (identities, accounts, etc.) with their data, and especially their history + and sources; + + ![User Data](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_userdata_v603.webp) + +- basic workflows, for example the usual helpdesk workflow, that give access to users' entitlements + and enable data modification and repair. + + ![Helpdesk Workflow](/img/product_docs/identitymanager/identitymanager/user-guide/maintain/troubleshooting/troubleshooting_helpdesk_v603.webp) + +## Participants and Artifacts + +Here integrators give way to managers to handle the solution by themselves. 
+ +| Input | Output | +| ----------------------------------------------------------------------------- | ------------------- | +| [Implement Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/deploy/implementation/index.md) (required) | Working environment | + +## Troubleshoot Synchronization Issues + +### Errored export task + +If the export task ends with an error, then you should: + +- check the task's logs; +- check the export files' dates in the `Temp/ExportOutput` folder; +- if there was an external problem, then relaunch the export in complete mode. + +### Missing data after incremental synchronization + +If the data is incomplete after incremental synchronization, then you should relaunch +synchronization in complete mode. + +Netwrix Identity Manager (formerly Usercube) recommends scheduling an incremental synchronization +approximately every 15 minutes, and a complete synchronization once a day. + +### Exceeded thresholds + +If a synchronization threshold is exceeded, then check whether the threshold is legitimate. If not, +it means that the warning comes from a change in the managed system, so you should fix the data +directly in the managed system. + +See more details on [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) thresholds. 
+ +## Troubleshoot Provisioning Issues + +### Blocked provisioning orders + +If provisioning orders are blocked while expected to be automatic, it can come from: + +- the **Require Provisioning Review** option being enabled in the related resource type; +- the role model being computed through the + [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) + or the corresponding executable, with the block provisioning option; +- a provisioning order being already blocked for the same resource due to a prior operation; +- a correlation/classification rule with a confidence rate below 100%, which means that either + important data is missing or the rule is not right. + +**Verify:** After debugging the blocked-order situation, the related blocked orders must be reviewed +on the **Provisioning Review** screen to be unblocked. + +### Errored provisioning orders + +> For example, consider a provisioning task supposed to delete 150 accounts, while the relevant +> service account does not have the relevant writing rights. Thus it ends up with 150 errored +> provisioning orders. + +If provisioning orders end up with an error, then you should check the errors' details in +**Provisioning Review** to determine where the error comes from. + +**Verify:** After debugging the errored-order situation, unblock one provisioning order and relaunch +provisioning to make sure the fix gives the expected result. Only then, unblock all related errored +orders and relaunch provisioning. + +If the error comes from miscalculated properties, for example missing parent dn or duplicated +logins, then you should review scalar and/or query rules. + +**Verify:** After debugging the situation, recompute the role model for only one user to make sure +the fix gives the expected result. Only then, recompute the role model for all users through the +**Compute Role Model** job of connector screens. 
+ +To recompute the role model for only one user, you can use the helpdesk workflow. It will give you +access to the user's entitlements via the workflow's **Access Permissions** step, where you can +check the changes without having to validate. + +### Incorrect provisioned values + +If provisioning orders produce incorrect values, then it can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the Troubleshoot workflow for debug purposes. + +> For example, if identity data has changed and HR data has not, then it must come from the rules. + +### Exceeded thresholds + +If a provisioning threshold is exceeded, then check whether the threshold is legitimate. If not, it +means that the warning can come from: + +- incorrect identity data, in which case you should select a test user, click on **View Sources** to + see which sources contributed to the data, and click on **View History** to see when the data + changed. +- wrong provisioning rules, i.e. scalar, navigation and/or query rules; + + **Verify:** After debugging the situation, use the helpdesk workflow to edit a field and check + the changes for only one user to make sure the fix gives the expected result. Only then, + recompute the role model for all users through the **Compute Role Model** job of connector + screens. See more details on how to use the helpdesk Troubleshoot workflow for debug purposes. 
+ +## Troubleshoot Entitlement Issues + +If users have unexpected entitlements, then you should click on an entitlement and/or access +**Workflow Overview** to see the entitlements' details, for example who requested them, etc. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md new file mode 100644 index 0000000000..89a37bad3d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md 
@@ -0,0 +1,116 @@ +# Automate Role Assignments + +How to manually build rules to automate the assignment of roles to identities. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Overview + +Single role rules and composite role rules are assignment rules. Assignment rules are designed to +automatically assign respectively single roles and composite roles (based on specific criteria) to +identities. One rule must be created for every role to assign. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | --------------------- | +| Role Catalog (required) | Role assignment rules | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Role Assignment Rule + +Create a role assignment rule by proceeding as follows: + +1. Access the rules page by clicking on **Access Rules** on the home page in the **Configuration** + section. + + ![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. + + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. 
Click on the **Composite Roles** or **Single Roles** tab and on the addition button at the top + right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create an Assignment Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/assignmentrules_newsrolerule_v602.webp) + + - `Single Role`: single role to be automatically assigned in a single role rule. + `Composite Role` for a composite role rule. + - `Type`: assignment type that can be: `Suggested` so that the role is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the role is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the role is listed in the permission basket of new + workers, these assignments can still be modified. + + The rule's type can be `Suggested` only if the related role is allowed to be requested + manually. + + - `Single role denied`: option that forbids the assignment instead of applying it. + - **Criteria**: conditions that, if met, trigger the single role automatic assignment. + + Role assignment rules can be based on identity dimensions. Moreover, single role rules can be + based on composite roles. + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a role assignment rule is taken into account when the next +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +runs to compute new assignments. Therefore, if a given rule's criterion is modified, then all +corresponding assignments are computed again. 
If a role was assigned automatically to an identity by +a role assignment rule, and if this assignment doesn't comply with the new version of the rule, then +the corresponding role is automatically removed. + +A modification in a role assignment rule can trigger the removal of a role only on the Identity +Manager side. There are several barriers to cross before said role is removed from the managed +system. + +> For example, consider a single role rule that assigns the single role +> `Business role: electronic banking` to all users in the `Tours` department. Let's say that we +> replace `Tours` with `Orleans`. Then, after the next launch of the complete job, all users in the +> `Orleans` department get said role, while the users in the `Tours` department are deprived of said +> role. + +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) is available in order to anticipate the changes +induced by a creation/modification/deletion in role assignment rules. + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +Netwrix Identity Manager (formerly Usercube) recommends removing redundant assignments after any +assignment rule is created or updated. + +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Create a role assignment rule for a role that said user doesn't already have, and based on + criteria which the selected user satisfies. +3. 
Trigger the computation of the role model through the complete job on the **Job Execution** page + in the **Administration** section. + + ![Home - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +4. See the new permission in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md new file mode 100644 index 0000000000..b958b8e277 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md 
@@ -0,0 +1,219 @@ +# Automate Assignments + +How to automate entitlement assignment. + +## Overview + +Once you are able to assign manually the right entitlements to the right identities for the right +reasons, you realize how tedious and error-prone entitlement assignment is, and you want to automate +it. + +The strategy for the automation of entitlement assignment lies in the automatic making of assignment +decisions, based on several automation levels provided by Identity Manager: + +1. Automation of the creation of the role model, i.e. both roles and navigation rules that represent + entitlements in the managed systems, through + [ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + based on resources' naming conventions in the managed systems. +2. Automation of entitlement assignment through assignment rules, which use identity criteria + (called dimensions, like identities' department or work location, etc.) to decide what + entitlements to assign automatically to identities. See the + [ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) + topic for additional information. +3. Automation of the creation of said assignment rules through + [ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md), based on existing data analysis. + +![Automation Concept](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_schema.webp) + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. 
+ +Netwrix Identity Manager (formerly Usercube) recommends +[Remove Redundant Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) after any assignment rule is +created or updated. + +The main goal of automation is to reach the optimal cost, playing on assignment efficiency, quality +and quantity. + +### Assessment of manual assignment + +So far, Identity Manager's configuration has enabled users to use workflows to add and remove +entitlements to/from identities. These assignments can be fulfilled manually or automatically, but +the decision-making process that defines who gets what entitlement is still manual. Manual +assignment poses the following risks: + +- Delay can happen: on the day a worker joins an organization, they rely on a manual action to get + all the entitlements required for them to start working. Even with roles aiming to help managers + to understand actual entitlements, delay happens. See + the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic + for additional information.Errors can happen: human mistakes are expected in role distribution, + even though largely mitigated by the role review process and + [ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md). See the + [ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + topic for additional information. +- It is time-consuming. + +The entitlement management cost mainly varies according to the number of managed entitlements. +Manual processing for entitlement requests implies a linear growth of the management cost according +to the number of managed entitlements. 
+ +![Optimal Cost Chart - Manual Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_manual.webp) + +### Automation benefits + +There is a high potential gain coming with the automation of assignment decisions: + +- Machine Learning masters the error rate, as it is used as a parameter for Role Mining, i.e. + masters false positive assignments (entitlements assigned to a user while they ought not to) which + constitute a security breach, and false negative assignments (entitlements not assigned to a user + who needs it) which are functionnaly blocking; +- Machine Learning achieves lower error rates than people; +- Machine Learning can compute the role model way faster than a person. Consequently, the model can + be computed more frequently and thus sticks closer to reality. + +![Optimal Cost Chart - Automation Benefits](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationbenefits.webp) + +Automation helps integrators find basic assignment rules and face the previous risks, thus reducing +cost. + +### Automation precautions + +Assignments do not have to be automated all at once. + +On the one hand, before being automatically assigned, entitlements can be merely suggested by +Identity Manager and assigned manually. + +On the other hand, a distinction can be made between assignments according to their sensitivity, for +example using different error rates, or using simulation, or automating the assignment of basic +entitlements while suggesting sensitive entitlements, etc. + +This way, security can be improved for example by making certification target only the sensitive +entitlements that cannot be processed by Machine Learning. There is no need anymore to certify +automatic assignments. 
+ +Plus, you can also use attributes as additional precautions, such as a grace period during which, +after the application of a rule revoking a resource/entitlement, managers can decide for each user +individually whether they need to keep said entitlement. + +In a way, maturity with Machine Learning in IGA is much like a GPS: once we traveled using only +paper maps, before the first navigation tools were commercialized. Then we learned how to use these +tools, while keeping a map to be able to verify the GPS instructions. We found secure methods to +navigate through all GPS evolutions, until we trusted GPS enough to guide us completely. + +### Automation limits + +However, automation implies an increasing number of rules. And a high number of rules implies a +certain complexity in rule model understanding, and consequently hiring expensive expert contractors +to write the right rules. It drives up costs considerably and draws you near the automation wall. + +![Optimal Cost Chart - Automation Limits](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_automationlimits.webp) + +The automation wall represents the automation threshold that cannot be overcome. It mostly comes +from the fact that with limited data, automation capabilities are also limited. Everything cannot be +automated. + +### Automation strategy + +The idea is to stop automation when the automatic cost curve increases faster than the manual cost +curve. The optimal profitability is represented on the chart and can be achieved via the optimal mix +of automatic and manual assignments. + +![Optimal Cost Chart](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost.webp) + +Automation strategy consists in using Machine Learning through Role Mining to get closer to the +automation wall. 
And, as Role Mining doesn't enable overcoming said wall, the goal is to move the +wall further away by improving data quality and quantity. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ----------------------- | ---------------------------- | +| Role Catalog (required) | Ideally automated role model | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Automate Entitlement Assignment + +The process of assignment automation is the following: + +1. [ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) to approach the automation wall. + + Role Mining covers more use cases than writing assignment rules manually. It diminishes the + error rate and implies a lower execution cost. And thus, it brings the optimal cost closer to + the automation wall. + + ![Optimal Cost Chart - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_rolemining.webp) + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, thus creating security issues. However, experience shows that a + slight error tolerance in Role Mining can highly benefit automation. + + NETWRIX recommends trying Role Mining with **1%** tolerated false positives, and **99.5%** + expected precision. Then adapt to your situation according to the reports. + + For example, suppose an organization working with many distinct departments. 
If you see that the + automation rate skyrockets when the error rate reaches the number of workers in one department, + then it probably means that Identity Manager misses data concerning one of the departments. Thus + the error rate allows Identity Manager to "ignore" one of the departments in the organization, + and optimize automation. + +2. [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md)and analyze them with tools like Power + BI to assess the automation wall and identify improvement areas. + + > For example in the following Power BI chart, automation is, on average, highly implemented + > except for `SharePoint Projects`. This fact reveals a low level of awareness among the workers + > about their respective projects. This is a typical area for improvement in data quality. + > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex.webp) + + > For example, if charts show a high number of identities in the category `No Position`, + > integrators understand that the data model must be completed for role mining to be efficient. + > + > ![Data Quantity Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex2.webp) + + > For example, if charts show a high number of unused roles, integrators understand that the + > role model needs further improvement because roles are not adequate. + > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex3.webp) + + > For example, if charts show low automation rate per department, integrators will understand + > that many identities may have switched departments while keeping their previous entitlements. 
+ > + > ![Data Quality Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_dataquality_ex4.webp) + +3. Improve data quality and quantity to move the automation wall. + + Whether automatic or manual, assignment decisions are based on existing data analysis. Data + quantity and quality therefore define the position of the wall. + + Improvement in existing data quantity and quality entails the possibility of managing a higher + number of entitlements. + + ![Optimal Cost Chart - Improved Data](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/automation_optimalcost_data.webp) + + A high quantity of data simplifies data analysis and inferences in assignment rules. + + A high quality of data also simplifies data analysis and enables better accuracy in assignment + rules. + + > For example, contractors' data is often less familiar to HR departments. Efforts can be made + > in this direction to enhance automation. + + Moreover, focus must be directed on actual and correct entitlements, using Identity Manager's + [ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md). + + Data reliability prevents integrators from easy extrapolation mistakes. + + > For example, consider the Netwrix Identity Manager (formerly Usercube) team in Marseilles + > mostly composed of R&D workers. If integrators miss information, they might inadvertently + > create a rule giving `R&D` group membership to all workers in Marseilles, while there are also + > workers from other departments. + +4. Repeat. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md new file mode 100644 index 0000000000..cd6a7b8529 --- /dev/null 
+++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md 
@@ -0,0 +1,136 @@ +# Remove Redundant Assignments + +How to remove redundant assignments, i.e. manual assignments of roles and resource types that are +assigned by a rule too. See the +[Entitlement Assignment](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/assignments-of-entitlements/index.md) +topic for additional information. + +## Overview + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. See the +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) topic for additional +information. + +Netwrix recommends removing redundant assignments after any assignment rule is created or updated. + +This guide is about switching the manual assignments, which are allowed by the role model, into +calculated automatic entitlements handled by the role model. Once automatic, an entitlement is fully +part of the role model and stops constituting an exception. + +### Assignment validity period + +All entitlements are assigned on a given validity period, i.e. from a given start date to a given +end date: + +- When assigning an entitlement to a user manually, the start and end dates are specified explicitly + unless the end date is locked. See the + [Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + topic for additional information. +- When assigning entitlements to users via assignment rules, the start and end dates are based on + the owner's data, for example their contract or position start/end dates. These assignments are + automatic. 
+ +Netwrix recommends always preferring calculated assignments over manual ones, because calculated +assignments follow the changes in their owners' data and are consequently more secure. + +For example, consider a user Helen who starts working as an architect with a given role. +When assigning the role manually, when Helen changes her job, her manager will have to remove the +role manually. When assigning the role via a rule, when Helen changes a job, the role will be +removed automatically. + +### Process + +This process is an optimization of the role model. It is part of the "compute role model" process +where all rules of the role model are applied. + +The classic behavior gives priority to approved manual entitlements over calculated automatic ones. +A manual assignment stays as is, even if the entitlement is also assigned by a rule. + +For example, consider a user who has a given entitlement which was assigned to them manually on +several distinct time periods. When creating a rule that assigns the same entitlement to them +automatically on a given time period, then we have: + +![Schema - Compute Role Model](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewithout.webp) + +The redundant assignment analysis gives priority to the rules inside the role model and the policy. +When an entitlement is assigned via a rule, it is stated as calculated, even if it is also assigned +manually. Thus, manual assignments whose start and end dates overlap with the validity period are to +be truncated or deleted. + +For example, consider the same situation as before. 
Using the redundant assignments analysis, then +we have: + +![Schema - Redundant Assignment Analysis](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_examplewith.webp) + +Redundant assignments can be removed by Identity Manager only when the corresponding assigned items +are tagged as redundant and displayed in the most recent report. The manual assigned items that are +not tagged are still kept as discretionary entitlements and will not be removed. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------- | ---------------------- | +| Role catalog (required) Role assignment rules (required) Role mining (optional) | Minimized derogation’s | + +See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md), and +[ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) topics for additional information. + +## Remove Redundant Assignments + +Remove redundant assignments by proceeding as follows: + +![Home Page - Redundant Assignments](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/home_redundantassignments_v602.webp) + +**Step 1 –** Click on **Redundant Assignments** on the home page in the **Administration** section. 
+ +![Redundant Assignments - Buttons](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_buttons_v602.webp) + +**Step 2 –** Click on **Analyze** to tag the manual roles and resource types from all policies +eligible for conversion to an automatic state. + +**NOTE:** Previous tags are cleared at each instance of this tagging process. + +**Step 3 –** Click on **Download Excel** to download a dedicated XLSX report which contains one tab +per entity type representing identities. + +![Redundant Assignments - Report Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexample_v602.webp) + +The example states that in the entity type Directory_User, the user Nicholas Acosta had the single +role Banking/Sales/Eunomia/Administrator starting from February 28th 2023 (dateA) until May 16th +(dateD). A new single role rule assigns him this role from April 14th (dateB) until 25th 2023 +(dateC). + +It means that Nicholas Acosta will have the role in the **Calculated** state from dateB to dateC, +and he will keep the role in the **Approved** state from dateA to dateB and from dateC to dateD. + +**Step 4 –** If the report's content is satisfying, then click on **Apply** to actually switch +eligible manual roles to calculated. + +## Verify Redundant Assignment Removal + +In order to verify the process: + +![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +**Step 1 –** Access the user directory from the home page. + +![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + +**Step 2 –** For one of the users mentioned in the report, access their permissions. 
+ +**Step 3 –** Check that their roles (mentioned in the report) have actually switched from approved +to calculated. + +![Redundant Assignments - Result](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/redundantassignments_reportexampleverif_v602.webp) + +When removing redundant assignments based on the previous report example the setting will be as +above. + +Once the steps above completed, the state changes to **Approved**. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md new file mode 100644 index 0000000000..989f1f3449 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md 
@@ -0,0 +1,182 @@ +# Perform Role Mining + +How to use role mining to suggest role assignment rules based on existing assignments, in order to +push the [ Automate Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md) wall further. + +## Overview + +After the role catalog is established, the Compute Role Model Task task is able to assign single +roles to users according to their attributes which are used as assignment criteria. + +> For example, in the AD, entitlements are given through group membership. Integrators create a +> navigation rule to assign each group to the users who have the corresponding single role. Then, +> the +> [ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +> is able to assign single roles to users according to their existing group membership. +> +> In addition to group membership, the assignment of an entitlement to users could also depend on +> users' attributes like their location, position title, etc. + +Now that users received their roles, the role mining tool can analyze these assignments and deduce +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +which will assign single roles to certain users matching given criteria. + +![Schema - Role Mining](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_schema.webp) + +Role mining is a Machine Learning process. It is a statistic tool used to emphasize the +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +that constitute the key criteria for existing role assignments. 
It detects the most probable links +between identities dimensions and their roles in order to suggest the appropriate entitlement +assignment rules. + +> For example, suppose that 80% of NETWRIX workers in Marseilles have access to an application +> "App". Then, role mining is most likely to recognize the working site as a relevant dimension, and +> suggest to create a rule that gives the "App" access to users whose site is Marseilles. + +Role mining being a statistic tool based on existing entitlement assignments, it appears useless if +the role model contains fewer than 2,000 role assignments. Then, start by reinforcing the Role +Catalog. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +### Technical Principles + +Role mining works through +[ Mining Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/miningrule/index.md) +that Identity Manager applies with the +[ Get Role Mining Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/getroleminingtask/index.md). + +### Entitlement differentiation with rule types + +Mining rules can be configured to generate: + +1. automatic rules, i.e. rules which assign roles automatically with or without a validation; +2. suggested rules, i.e. rules which don't assign roles directly, but suggest them during an + entitlement request for a user. + + ![Suggested](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_suggested_v602.webp) + +You can generate both automatic and suggested rules for the same role, with different precision +levels and different approval workflows. + +> Consider an organization where an unknown ratio of users have a given role. 
Using the precision +> settings, we can create a mining rule to generate automatic assignment rules when the ratio is +> above 95% and a second mining rule to generate suggested assignment rules when the ratio is +> between 75% and 95%. +> +> ![Rule Types](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype.webp) + +You can also differentiate entitlements according to their sensitivity, for example require +additional reviews following the request of a sensitive entitlement: + +![Rule Types - Sensitivity](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_ruletype-sensitivity.webp) + +The automation of entitlement assignments according to sensitivity brings greater confidence in +basic entitlements assignment which won't need to be certified anymore. Thus, automation lets +certification campaigns focus on more sensitive entitlements. + +Role mining should be performed first for automatic rules as they are stricter precision-wise. Thus, +automatic rules should always have priority over suggested rules (via the `Priority` setting). + +See more details about role mining. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to operate. + +| Input | Output | +| ----------------------- | ----------------- | +| Role Catalog (required) | Single role rules | + +See the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Mining Rule + +Create a mining rule by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Role Mining** button. 
+ + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/home_rolemining_v60.webp) + + You will see all existing mining rules. + +2. Click on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Mining Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_miningrule_v602.webp) + + - `Policy`: [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) in which the mining rule exists. + - `Entity Type`: + [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) on which + the mining rule is applied, i.e. the entity type targeted by role mining's entitlement + analysis. + - `Category`: + [ Create a Category ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + containing the roles targeted by role mining's analysis. + - `Include roles with specific validations`: includes in role mining's analysis the roles + requiring zero and/or one and/or two and/or three validations. + - `Exclude Role from Mining`: ignores the specified roles during the mining process triggered by + the next mining rules (in terms of priority). + - `Rule Policy`: [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) in which the single role + rules will be generated. + + Netwrix Identity Manager (formerly Usercube) recommends using a policy dedicated to role + mining in order not to remove existing assignment rules. 
+ + - `Rule Type`: type of the generated single role rules, which defines the type of role + assignment that can be: `Suggested` so that the resource type is listed among suggested + permissions in the permission basket of users matching the criteria during an entitlement + request, suggested assignments must be selected manually to be requested; or `Automatic` so + that the resource type is automatically assigned to users matching the criteria; or + `Automatic but with validation` so that the resource type is listed in the permission basket + of new workers, these assignments can still be modified. + - `Priority`: priority order of the mining rule. Identity Manager applies mining rules one after + the other in descending order. + - `Minimum Precision`: minimum authorized percentage of correct role assignments, considering + both the roles that are assigned to users who should have them, and the roles that are not + assigned to users who should not have them. + + NETWRIX recommends around 99.5%, to be lowered when working on a sensitive application + and/or a large user population, and vice versa. + + - `Maximum Allowed False Positives`: maximum authorized percentage of false positive + assignments, i.e. roles that are assigned to users who should not have them. + + NETWRIX recommends around 1%, to be lowered when working on a sensitive application and/or a + large user population, and vice versa. + + **Enlarge the number of managed entitlements by tolerating errors:** + + Automation reduces the error rate by avoiding human mistakes. Errors can still occur such as + "[false positives](https://en.wikipedia.org/wiki/Binary_classification)", i.e. users receiving + inappropriate entitlements, and thus creating security issues. However, experience shows that a + slight error tolerance in role mining can highly benefit automation. + +3. Click on **Create** and see a line added on the rules page. +4. Click on **Simulate** to perfom role mining in a simulation. 
See + the[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + + ![Role Mining Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/assignment-automation/role-mining/rolemining_launchjob_v602.webp) + + If you need to bypass the simulation process, clicking on **Launch** will perform role mining + and apply its results directly. NETWRIX recommends always performing role mining in simulation. + +## Impact of Modifications + +Assignment rules can sometimes give to users an entitlement that they had already received manually. +Hence, new assignment rules can imply redundancies between the entitlements assigned manually and +approved, and those calculated by a rule and assigned automatically. + +Netwrix Identity Manager (formerly Usercube) recommends +[Remove Redundant Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) after any assignment rule +is created or updated. + +## Verify Role Mining + +In order to verify the process, access the rule list from the home page. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select **Single Roles** and check that the single role rules are created with the right parameters. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md new file mode 100644 index 0000000000..d7d1af367f --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md 
@@ -0,0 +1,129 @@ +# Create a Composite Role + +How to define composite roles in order to create sets of single roles easy to assign. See the +[ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +and [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)topics +for additional information. + +## Overview + +A composite role is a set of single roles that are usually assigned together, because they revolve +around the same application, or the same job, etc. Composite roles are aggregates of single roles, +they can help organize the role catalog. See the +[ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) +topic for additional information. + +![Schema](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_applicativeroles.webp) + +A composite role is a business role comprehensible by managers. It provides an additional layer of +abstraction above existing entitlements and single roles. We can say that if a single role allows a +user to perform a task, a composite role allows them to perform a job. + +### Composite roles and Role Mining + +Composite roles can also be created based on the rules provided by Role Mining. Rules link roles to +dimensions. See the [ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) topic for +additional information. + +The following example shows single roles from A to F. Role Mining suggested the rules on the schema, +linking these single roles to the organizations R&D and Project as well as to the functions +developer, writer, contractor and project manager. The idea is to use these rules to create +composite roles. 
Here, we clearly have one role for R&D-developer, one for R&D-writer, +Project-contractor and Project-project manager. Thus, it is clear here that composite roles add an +abstraction layer. + +![Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_schema.webp) + +Single role rules link composite roles to single roles: a single role rule states that specific +single roles are assigned according to specific criteria, particularly composite roles. See the +[Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) +and [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)topics +for additional information. Thus, a composite role assignment can imply specific single role +assignments. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | --------------- | +| Role catalog (required) | Composite roles | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) +topic for additional information. + +## Create a Composite Role + +Create a composite role by proceeding as follows: + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access +the roles page. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ +New** at the top right corner. + +**Step 3 –** Fill in the fields. 
+ +![singlerolescatalog_createcompositerole_v62](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/singlerolescatalog_createcompositerole_v62.webp) + +- **Identifier**: must be unique among roles and without any whitespace. +- **Name**: will be displayed in the UI to identify the single role. +- **Policy**: policy in which the role exists. +- **Entity Type**: entity type targeted by the role. +- **Category**: category assigned to the role. +- **Secondary Categories**: other potential categories assigned to the role. +- **Approval Workflow**: represents the number of validations required to assign the role. +- Lock the end date: locks manual permission at the end date. Has four options: + + - Inherited: the policy's setting will be used. + - Explicit: at the time of assignment, the end date can be specified manually or can be locked + to the applicable context rule. + - **Never**: the end date will never be locked and needs to be specified manually. + - **Always**: the end date is always locked according to the applicable context rule. + +- **Approve Role Implicitly**: needs at least a simple approval workflow. **Implicit** mode bypasses + the approval step(s) if the person who issues the role request is also the role officer. + **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve roles + implicitly or not. +- **Hide in Simplified View**: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. +- **Comment Management on Permission Review**: to change if different from the role policy. +- **Maximum Duration**: duration (in minutes) after which the role will be automatically revoked, if + no earlier end date is specified. It impacts only the roles which are manually assigned after the + maximum duration is set. Pre-assigned roles are not impacted. 
If no duration is set on the role, + the **MaxDuration** of the associated policy is applied. If the **MaxDuration** is set to 0 on the + role, it prevents the associated policy from applying its **MaxDuration** to it. + +**Step 4 –** Click on **Create** and see a line added on the roles page. + +**Step 5 –** Create at least one single role rule with the composite role as a criterion. + +## Impact of Modifications + +When deleting a composite role, caution must be used when deleting the corresponding single role +rules. Indeed, these rules thus lose their criteria and may be applied to far too many people after +that. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in roles and single role rules. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md)topic for additional information. + +## Verify Composite Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select composite roles and find the role you created inside the right category and with the right +parameters. + +![Access Composite Roles](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/composite-role-creation/compositeroles_testroles_v602.webp) + +For rules, follow the instructions about assignment rules. See the +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) 
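Review bot: Under "Impact of Modifications" in the composite role page, the warning does not say what the integrator should actually do. The text says the single role rules "lose their criteria and may be applied to far too many people", which is an over-assignment risk, yet "caution must be used when deleting the corresponding single role rules" leaves open whether the rules are to be deleted, re-scoped, or kept. State the required action and its order relative to deleting the role, and make the simulation a step to run before the deletion rather than a closing pointer. Smaller points in the same hunk: the **Name** field is described as identifying "the single role" on a page about composite roles, "Lock the end date", "Inherited" and "Explicit" are not bold while "Never" and "Always" are, and the last added line stops at the "Automate Role Assignments" link without the closing "topic for additional information." used elsewhere.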
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/hr-connector-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/hr-connector-creation/index.md new file mode 100644 index 0000000000..e7f06c2825 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/hr-connector-creation/index.md 
@@ -0,0 +1,120 @@ +# Create an HR Connector + +How to create a connector dedicated to the automation of identity management (creation, update, +deletion), via the synchronization of HR data into Identity Manager and internal provisioning. See +the[ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md)provisioning. + +## Overview + +### HR connector in the global process + +The HR connector is no priority but rather an optimization, handled at the end of the configuration +cycle. + +The HR connector is sometimes the first created connector, used to develop the identity repository. + +However, the HR connector requires a specific IT infrastructure (agent, proxy, Virtual Machine, +etc.) which can take time to implement, and delay the project's progress. + +Moreover, in the long run it poses a few problems as HR data usually misses crucial information such +as contractor data, or the projects employees are working on. This can mean that: + +- the identity repository is filled using several sources. And when creating identities + automatically from HR data and other sources, you need to specify which properties of each + identity can be overwritten by a change in HR and which cannot. This is to avoid manually changed + attributes being overwritten by the HR data by mistake. This is very tedious. +- the HR data is rarely up to date early enough to be really useful as a trigger for identity + creation and deletion. As a result, identities end up being created manually through workflows + most of the time. + +Hence we choose to build the first iteration of the project upon a manual data upload to +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md). + +This way, we do not have to wait for the agent's implementation to create the first profiles and +start connecting systems (AD, SAB, SAP, etc.). 
Thus value is created faster and we can focus on IGA +activities such as the review of orphaned and unused accounts, eliminating risk earlier in the +process. + +We can still connect HR data, later on, to check consistency between our identity repository and HR +data, through a certification-like process. + +### Technical details + +An HR connector is considered an inbound connector, as it writes to the central identity repository +inside Identity Manager. + +![Inbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/connectorcreation_inbound.webp) + +As Identity Manager is able to feed all managed systems, it can also feed itself thanks to specific +connections such as the +[InternalWorkflow](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-connectors/internalworkflow/index.md) +connection. It means that the corresponding connector is able to launch workflows within Identity +Manager and keep track. + +Typically, an HR connector with such a connection would be able to launch workflows inside Identity +Manager for identity creation, update and deletion, based on HR files. + +## Participants and Artifacts + +This operation should be performed in cooperation with HR staff who can access HR data. + +| Input | Output | +| ------------------------------- | ------------ | +| Identity Repository. (required) | HR connector | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md)topic +for additional information. + +## Create an HR Connector + +Create an HR connector by proceeding as follows: + +1. Outside Identity Manager, + [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md)of your connector. +2. Declare an HR connector using your local agent. 
See the + [ Create the Connector ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) topic for + additional information. + + ![HR Connector Declaration](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_connectordeclaration_v602.webp) + +3. Create an Export CSV connection for each HR file to connect. See the + [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topic for + additional information. + + ![HR Connection](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_connection_v602.webp) + +4. [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) corresponding + to your model. For example: + + ![HR Entity Type - Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypes_v602.webp) + + ![HR Entity Type - Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_entitytypen_v602.webp) + +5. Don't forget to reload and [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) to access + HR data within Identity Manager. + + ![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + + ![Synchronize Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + +## Verify HR Connector Creation + +In order to verify the process: + +1. Launch synchronization. +2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. 
+ + ![Jobs Results](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/hr-connector-creation/hr_validatemenu_v600.webp) + +4. Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the Eye icon: + + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should seek configuration validation, not validation of the actual data being synchronized. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md new file mode 100644 index 0000000000..9d6c848a8d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md 
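Review bot: In hr-connector-creation/index.md the opening cross-reference is broken: "See the[ Connect to a Managed System ](...)provisioning." has no spaces around the link and ends in "provisioning." instead of a complete sentence, which looks like a link title substituted over the original wording. The same substitution shows in "a manual data upload to [ Create the Workforce Repository ]", where a topic title stands in for a noun phrase, and in "Outside Identity Manager, [ Model the Data ](...)of your connector". Rewrite these as full sentences with the link as a reference ("See the ... topic for additional information."), and drop the stray "=" in the alt text "Inbound System=". The bullet on overwrite precedence between HR data and manually changed attributes names a real integrity concern but ends at "This is very tedious"; a pointer to where that precedence is configured would make it actionable.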
@@ -0,0 +1,117 @@ +# Modify the Identity Data Model + +How to make data model properties evolve according to the organization's needs. + +## Overview + +The identity data model must contain all the information needed to manage identities and their +permissions, and only the information strictly required for this purpose. + +You already considered the data needed for identity management during: + +- The initial identities loading and the creation of the identity repository; See the + [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for + additional information. +- [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md)through connector + modeling which is the analysis phase before connector creation; +- [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) which is the + technical implementation of the connector model. + +The data model established during these steps might change to evolve alongside the needs of the +connected systems, the management strategy, and any change in the organization such as a change of +structure, a new division, etc. + +This part is about integrating these changes in the existing data model. + +### Dimensions + +Identity Manager calls dimensions the attributes that assignment rules rely on. They are essential +criteria that differentiate users in order to give them the appropriate roles. See the +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +topic for additional information. + +### Personal data security + +Only professional data should be used in the identity data model, not personal data. 
+ +## Participants and Artifacts + +Integrators are able to perform an identity update if they master the new data model. + +| Input | Output | +| ------------------------------------------------------------------------ | --------------------------- | +| Initial identities loading (required) New identity data model (required) | Updated identity data model | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic +for additional information. + +## Add or Modify Properties + +The data model can be updated in the UI via a feature scanning the data model. This scan performs an +analysis on the data previously imported through the Excel file. It detects properties which are +always empty and suggests to remove them from the data model, for clarity purposes. + +> For example, some systems don't store phone numbers. Then, scanning the data model will allow +> Identity Manager to suggest removing the property about phone numbers. Note that Identity Manager +> only provides suggestions but makes no decision. You could choose to keep the phone number +> property anyway in order to fill it later. + +NETWRIX recommends updating the data model through the scan feature, as this feature is driven by +Identity Manager's suggestions. + +However, the identity data model can also be updated through the directory's entity types, following +the previously given +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +### Through a data model scan + +Add or modify properties within the identity data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. 
Access the data model on the **Workforce** > **Data Model** page. +3. Change the display option to show or hide properties in the identity repository. + + ![Scan Data Model - Display Option](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/identity-datamodel-modification/datamodelmodif_scan_v600.webp) + +4. After your changes are complete, click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Delete Properties + +Integrators should keep in mind that the fields that they want to delete might be used in connectors +or other places they didn't think about. Existing assignments might be impacted. + +Identity Manager suggests the removal only of empty fields. In this case, there is nothing to worry +about. + +## Verify Data Model Modification + +In order to verify the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets assigned to your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization still has a manager. Organizations are accessible in the department + directory accessible from the home page. 
+ + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains numerous organizations, it is also possible to list them with their + managers through the Query module. See + the[ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. + +- [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) with indicators, for example, on the + number of workers per type or per organization (through Identity Manager's predefined reports, the + Query module or Power BI), to ensure that Identity Manager's content sticks to reality. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/index.md new file mode 100644 index 0000000000..9026ba0809 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/index.md 
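Review bot: Under "Delete Properties" in identity-datamodel-modification/index.md, "In this case, there is nothing to worry about" contradicts the paragraph just above it. That paragraph warns that a field "might be used in connectors or other places" and that "Existing assignments might be impacted", while the scan is described as only detecting properties "which are always empty" in the imported data; emptiness in that data says nothing about whether a connector or rule references the property. Replace the reassurance with the check the integrator should make before accepting a suggested removal. Also in this hunk: "Personal data security" is a single sentence, while the example under "Add or Modify Properties" is about phone numbers, so say whether a professional phone number counts; the Input table cell runs two inputs together ("Initial identities loading (required) New identity data model (required)"); "NETWRIX" is capitalised differently from "Netwrix" elsewhere; and "the[ Generate Reports ]" is missing a space.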
@@ -0,0 +1,54 @@ +# Optimize + +- [ Modify the Identity Data Model ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + + How to make data model properties evolve according to the organization's needs. + +- [ Create an HR Connector ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/hr-connector-creation/index.md) + + How to create a connector dedicated to the automation of identity management (creation, update, + deletion), via the synchronization of HR data into Identity Manager and internal provisioning. + +- [ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md) + + How to use the risk management module to identify entitlement assignments that pose a security + risk, especially about segregation of duties and high privileges. + +- [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) + + How to define policies to organize roles and rules. + +- [Automate the Review of Non-conforming Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md) + + How to automate the review of non-conforming assignments through automation rules. + +- [ Automate Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/index.md) + + How to automate entitlement assignment. + +- [ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md) + + How to manually build rules to automate the assignment of roles to identities. + +- [ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) + + How to use role mining to suggest role assignment rules based on existing assignments, in order + to push the automation wall further. 
+ +- [Remove Redundant Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) + + How to remove redundant assignments, i.e. manual assignments of roles and resource types that + are assigned by a rule too. + +- [Create a Composite Role](/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md) + + How to define composite roles in order to create sets of single roles easy to assign. + +- [Configure a Parametrized Role](/docs/identitymanager/saas/identitymanager/user-guide/optimize/parameterized-role/index.md) + + How to reduce the number of roles in the model by configuring roles with parameters. + +- [ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) + + How to assess the impact of a modification on the role model, including the role catalog, role + assignment rules and resource correlation rules, using a dedicated policy. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md new file mode 100644 index 0000000000..b5905ddd00 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/index.md 
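Review bot: Style point on optimize/index.md: the link titles are inconsistent across the list. Some carry padding spaces inside the brackets ("[ Manage Risks ]", "[ Perform a Simulation ]") and others do not ("[Create a Policy]"), and the title "Configure a Parametrized Role" is spelled differently from its target path "parameterized-role". Pick one spelling and strip the padding so the index matches the page titles. "In order to push the automation wall further" in the Role Mining summary is unclear to a reader who has not seen that page; say what is being extended.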
@@ -0,0 +1,103 @@ +# Automate the Review of Non-conforming Assignments + +How to automate the review of non-conforming assignments through automation rules. See the +[ Review Non-conforming Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and +[Automation Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/automationrule/index.md) +topics for additional information. + +## Overview + +Non-conforming assignments can't be reviewed entirely automatically because this type of review +sometimes needs the intervention of a knowledgeable user. However, automation rules can help by +making automatic decisions (in place of the reviewer) on assignments that need to be reviewed after +a given waiting period. + +This type of rule is useful for example, when integrators intend to: + +- Decline all non-conforming assignments after X days to avoid accumulation. The waiting time can be + null if they need to delete non-conforming assignments as soon as they are detected; +- Automatically approve or decline discretionary requests if there is no validation after X days; +- Send notifications to validators before declining or approving pending approval assignments; +- Get information in order to deactivate an AD account if it hasn't been used in the past X days, + before deleting it. + +Integrators must show caution with pending approval assignments because this type of rule could +short-circuit the whole approval process. + +## Participants and Artifacts + +This operation should be performed in cooperation with managers who know the organization and their +team's entitlements. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------ | --------------------------- | +| Mastered non-conforming assignment review (required) Categorized accounts (optional) | Automated assignment review | + +See the +[ Review Non-conforming Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/index.md) +and [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topics for additional +information. + +## Create an Automation Rule + +Create an automation rule by proceeding as follows: + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules**. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the entity type to which the future rule +will be applied. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Automations** tab and on the addition button at the top right corner. + +![New Automation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_newrulefields_v602.webp) + +**Step 4 –** Fill in the fields. + +- Decision — Action to be taken on the described assignments. +- Criteria — Conditions that, if met, trigger the rule. + Currently, the criteria are used to match the context of an assignment and not the user data. 
+ For example, if a single role is assigned based on a specific Department, then the context of the + assignment has the information about the Department. In that case, an automation rule having in + its dimensions that given Department will match this assignment and could Deny/Accept it. +- However, if a single role is assigned without any context on the Department (for example, a manual + assignment with no parameter on the role), the automation rule will never match this assignment. +- **NOTE:** No context will never be present for non-conforming or pre-existing roles +- Type — Assignment type concerned by the new rule. Once filled, a new field is displayed to select + precisely an object from the existing objects belonging to this type. +- Workflow State — Workflow state of the assignments that need a decision. +- Waiting Period — Time period since the last change in the assignments' workflow states. + +_Remember,_ in a nutshell, this rule applies Decision to all assignments of Type (and matching all +criteria), whose workflow state has been set to Workflow State for more than Waiting Period. + +## Impact of Modifications + +A modification in an automation rule doesn't impact the assignments affected by the previous version +of the rule. + +## Verify Review Automation + +In order to verify the process: + +**Step 1 –** On the **Role Review** or **Role Reconciliation** screen, spot an entitlement +assignment. + +**Step 2 –** Create an automation rule matching said assignment. + +![Home Page - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +**Step 3 –** Compute the role model through the complete job on the **Job Execution** page. + +**Step 4 –** Check on the **Role Review** page that the assignment's workflow state changed +according to the rule's settings. 
+ +![New Automation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/non-conforming-assignment-review-automation/reviewautomation_rulemessage_v522.webp) + +Any role affected by an automation rule shows a specific message on the **Role Review** page. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/parameterized-role/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/parameterized-role/index.md new file mode 100644 index 0000000000..91ff82f898 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/parameterized-role/index.md 
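Review bot: In Step 4 of non-conforming-assignment-review-automation/index.md, the Criteria explanation is broken across sibling bullets, so "- However, if a single role is assigned without any context ..." and "- **NOTE:** No context will never be present for non-conforming or pre-existing roles" read as if they were fields of the rule. The note is also a double negative, which leaves it unclear whether a rule with criteria can ever match non-conforming assignments, and that is the first use case the Overview lists ("Decline all non-conforming assignments after X days"). Reword the note to say plainly whether context is or is not present, indent both items under Criteria, and use the same terms as the Decision field instead of "Deny/Accept". The Overview warning that such a rule "could short-circuit the whole approval process" deserves a repeat next to the Decision and Workflow State fields, where the choice is actually made. The screenshots also sit before the step they illustrate, unlike the other pages in this patch.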
@@ -0,0 +1,126 @@ +# Configure a Parametrized Role + +How to reduce the number of roles in the model by configuring roles with parameters. + +## Overview + +The assignment of a role to a user gives them an entitlement, usually a group membership, thanks to +a navigation rule. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information. + +![Simple Role](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_simplerole.webp) + +To enable the assignment of all existing entitlements, the role model usually contains numerous +roles. + +For example, the SAP role can be given with slight differences according to the users' subsidiaries: + +> ![Role Matrix](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_numerousroles.webp) + +In order to reduce the number of roles, we can configure roles with parameters by inserting a +criterion in the navigation rules. Thus, instead of having as many roles as entitlements (left on +the schema), we can have way fewer roles (right on the schema). + +![With/Without Parameters](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameters.webp) + +In the previous example, with a parameter on the subsidiary, the number of roles would be divided by +three. + +By extension, a composite role that assigns a parametrized single role is parametrized too. + +This way, when assigning a parametrized role, a pop-up window is displayed where the parameter must +be specified. + +The same thing goes with type rules instead of navigation rules when we want to assign resource +types instead of entitlements. 
+ +## Configure a Parametrized Role + +Configure a parametrized role by proceeding as follows: + +**Step 1 –** Create in XML a dimension corresponding to the parameter that will affect the role. See +the [ Dimension ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/dimension/index.md) +topic for additional information. + +For example, let's consider that we have many roles available on three different time slots: 8 hours +a day, 12 hours a day, or 24 hours a day. We create a dimension for these time slots. + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + +``` + +![Example - Role](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerole_v603.webp) + +**Step 2 –** Create a single role. See the +[Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) +topic for additional information. + +**Step 3 –** Create one navigation rule linked to the role for each available value of the +parameter. See the +[Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) +topic for additional information. + +Here we have three navigation rules, one for each distinct time slot (dimension A). For example: + +![Example - Rule](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerule_v603.webp) + +**NOTE:** Make sure that the corresponding dimension is specified in the right `DisplayEntityType` +in XML to be displayed in the UI. 
+ +**NOTE:** It is important to note that for manually assigned roles, if a new dimension is added to +the definition of the role, the assignment's dimension will not be re-calculated, and will therefore +not be propagated to calculate automatic assignments. +Example Scenario — Role A was created as a composite role with no parameters a long time ago. Role A +was later updated to depend on the optional parameter X and a single role rule was created to assign +a single role B if a user had Role A and parameter X set to value Y. +If a user already manually had the role A, even if its dimension X (for example its department, +which could be calculated) was equal to value Y, got its permissions recalculated, that person would +not get the role B. Since the modification occurred after the assignment, it is understood as if the +role was assigned voluntarily with dimension X unset. +However, if a user got role A assigned after the modification, and its dimension X was equal to +value Y, then that user would get the role B. + +![Example - Role Parameter Required](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_exampleroleparameter_v603.webp) + +**Step 4 –** Go back to the roles page to edit the single role from step 2, if needing to set the +parameter required. + +If you want Identity Manager to provide suggestions to set the parameter's value, then make sure +that users' +[context rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/contextrule/index.md) +specifies the dimension. + +For example, with the `Title` dimension: + +Code attributes enclosed with `<>` need to be replaced with a custom value before entering the +script in the command line. + +``` + + + +``` + +## Verify the Parametrized Role + +In order to verify the process, request manually the parametrized role for a test user. 
Some +additional pop-ups are displayed to set a value for the role's parameter. See the +[ Request Entitlement Assignment ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/manual-assignment-request/index.md) topic for +additional information. + +In our example: + +![Example - Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep1_v603.webp) + +![Example - Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedroles_parameterexamplestep2_v603.webp) + +If the dimension is specified in the users' context rule, then Identity Manager will provide +suggestions. + +![Example - Suggestion](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/parameterized-role/parameterizedrole_examplerolesuggestion_v603.webp) + +For example, concerning the `Title` dimension mentioned above. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md new file mode 100644 index 0000000000..934cd4a5a8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md 
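Review bot: Both code fences in parameterized-role/index.md are empty. Step 1 (the time slot dimension) and the `Title` context rule example each announce "Code attributes enclosed with `<>` need to be replaced with a custom value" and then open and close a fence containing only blank lines, so the XML the steps depend on is missing from the added file. Restore the two snippets, and check the lead sentence as well, since it speaks of "entering the script in the command line" while the step describes XML configuration. Further points: "dimension A" in Step 3 is never defined, the "Example Scenario" runs on inside the NOTE paragraph and would read better as its own block, the page mixes "Parametrized" with the path spelling "parameterized", and the final line "For example, concerning the `Title` dimension mentioned above." is left dangling after the screenshot it was meant to introduce.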
@@ -0,0 +1,95 @@ +# Create a Policy + +How to define policies to organize roles and rules. See the +[Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) topic +for additional information. + +## Overview + +A policy is a subgroup of the role model. It defines an ensemble of roles and assignment rules that +apply to specific identities. So policies are used to handle separately several sets of identities, +based on dimensions with different permissions and workflows. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) and +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md)topics +for additional information. + +Integrators must minimize the number of policies because it segments identities, and segmentation +implies high maintenance. Netwrix recommends using one policy per population. A population is a +group of people that can be managed following the same rules, role model, workflows, etc. This +means, for example, one policy for workers (meaning employees and contractors), another one for +partners, another one for clients. But sometimes partners are included in the same policy as +workers, it depends on the organization. + +**NOTE:** Netwrix Identity Manager (formerly Usercube) provides a default policy. Only when the +project is mature enough should integrators think about creating additional policies. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards identity management. 
+ +| Input | Output | +| ------------------------ | ------ | +| Resource type (optional) | Policy | + +See the [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) +topic for additional information. + +## Create a Policy + +Create a policy by proceeding as follows: + +![Home - Access Policies](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/home_accesspolicies_v602.webp) + +**Step 1 –** Access the policies screen by clicking on **Access Policies** on the home page in the +**Configuration** section. + +![New Policy](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/policycreation_policies_v602.webp) + +**Step 2 –** Click on **+ New policy** at the top right corner. + +![createpolicy](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/policy-creation/createpolicy.webp) + +**Step 3 –** Fill in the information fields. 
+ +The UI elements are identified as follows: + +- Identifier — Must be unique among policies and without any whitespace +- Name — Will be displayed in the UI to identify the resource type +- Provisioning — Allows provisioning for the policy +- Simulation — Allows simulation creation for the policy +- Approve Roles Implicitly — Can be enabled to bypass approval steps if the person who issues a + given role request is also the role officer +- Roles can be prolonged without a new approval workflow — Enables the policy's roles and resource + types to have their assignment's end dates postponed without any validation +- Is Managed by External Source — Can be enabled only during policy creation to indicate that its + permissions are managed by another IGA tool and are to be ignored by Identity Manager's role model + computation +- Maximum Duration — Duration (in minutes) after which the policy's roles and resource types will be + automatically revoked, if no earlier end date is specified. It impacts only the roles and resource + types which are manually assigned after the maximum duration is set. Pre-assigned items are not + impacted. +- Grace Period — Duration (in minutes) for which a lost automatic role or resource type is + prolonged. A review will be required to validate or decline the entitlement prolongation. Inferred + entitlements won't be lost unless the end of the grace period is reached or the prolongation is + declined. 
+- Lock the end date — locks manual permission's at the end date + + - Explicit, by default not context bound — By default, the assignment's end date will not be + context bound in order to encourage the manual entry of an end date + - Explicit, by default context bound — By default, the assignment's end date will be context + bound and therefore locked, but a manual date can be entered + - Never — The assignment's end date will never be locked and needs to be specified manually + - Always — The assignment's end date is always locked according to the applicable context rule + - Dimensions — Criteria that, if met, trigger the membership of given identities to the policy + +**NOTE:** What we call another IGA tool can be another application or even another version of +Identity Manager. + +**Step 4 –** Click on **Create**. + +Once you have completed the steps the policy is created. + +## Verify Policy Creation + +In order to verify the process, check that the policy has been added with the right options to the +list on the **Access Policies** page. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md new file mode 100644 index 0000000000..8846fcb85b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md 
@@ -0,0 +1,178 @@ +# Manage Risks + +How to use the [ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) module to +identify entitlement assignments that pose a security risk, especially about segregation of duties +and high privileges. + +## Overview + +A [ Risk ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/risk/index.md) +describes a sensitive situation in which entitlement assignments need to be monitored for security +purposes. Examples include: + +- Segregation of duties: a situation where at least two entitlements pose a risk when assigned to + the same identity. +- High privilege: a particularly sensitive entitlement. + +[ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) is essential to auditing. +Among other things, it allows auditors to: + +- Identify the identities representing the highest security risk. +- Compute the corresponding risk score. +- Schedule and [ Perform Access Certification ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/index.md) + accordingly. + +Using risks involves three steps: + +1. Create a risk: declare the nature of the risk. +2. Create risk rules: create the rules that assign risks to identities, depending on identities' + entitlement assignments. +3. Monitor risks: via the **Identified Risks** screen or certification campaigns. + +## Participants and Artifacts + +Integrators may need the help of the application owner, security manager and role model officers to +assess risks inherent to entitlements. 
+ +| Input | Output | +| ------------------------------------------------------ | ------------- | +| Identity repository (required) Role catalog (required) | Risks catalog | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) and +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topics for +additional information. + +## Create a Risk + +Create a risk by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Risks**. + + ![Home Page - Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/home_risks_v602.webp) + +2. On the risks page, click on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![New Risk](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_newrisk_v602.webp) + + - `Identifier`: must be unique among risks and without any whitespace. + - `Name`: will be displayed in the UI to identify the risk. + - `Policy`: [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) in which the risk exists. + - `Entity Type`: + [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) targeted by + the risk. + - `Description`: explanation of the risk that will be displayed with the exemption policy + message. + - `Remediation`: potential alternative solutions that will be displayed with the exemption + policy message. + - `Exemption Policy` See the + [ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) topic for additional + information. 
+ - `Type` + - `Level`: risk level that is used to compute risk scores. + - `Rules`: a risk is based on the union of rules, themselves based on the intersection of rule + items. A rule item specifies the risk-triggering resource(s). A high-privilege risk must + contain at least one rule with one rule item. A segregation-of-duties risk must contain at + least two rule items in the same rule. + + When risks are based on the exemption policy called **Approval required**, the corresponding + role requests appear on the **Role Review** screen with a specific workflow state. See below + this note. See the + [ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) + topic for additional information. + + ![Risk Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_workflowstate_v523.webp) + + ### Write risk rules + + A risk rule is simply the condition that triggers the assignment of a risk to an identity, + depending on the identity's entitlements. + + Within Identity Manager, an entitlement assigned to an identity is represented by the value of a + given navigation property, in a resource owned by said identity. See the + [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for + additional information. + + > For example, imagine that we want to grant unlimited Internet access to the administrator + > profile of an identity. This entitlement won't be assigned directly to the identity but to + > their AD administration account. In our Active Directory, there is a resource called + > `DL-INTERNET-Restricted` identified from among AD entries as a group. Therefore, we need to + > add this group membership to the properties of the identity's AD account, using + > `DL-INTERNET-Restricted` as a value of the `memberOf` property. + +4. 
Choose the resource type to be targetted by the risk. See the + [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + + > We choose `AD User (administration)` to prevent this situation from happening in our example. + +5. Choose the navigation property that corresponds to the situation. + + > `memberOf` in our example. + +6. Choose a value for this navigation property. The value would be a resource from the unified + resource repository. See the + [ Identity Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/identity-management/index.md) topic + for additional information. + + > The group `DL-INTERNET-Restricted` in our example. + + ![Risk Item Example](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_newriskitem_v602.webp) + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + This final value is an entitlement, linked to the owner identity through the navigation property + and the ownership relationship. + + > In our example, a risk is identified for a person as soon as their administration AD account + > is part of the `DL-INTERNET-Restricted` group. + +7. Click on **Create**. + + Risks are taken into account from the moment the `Compute Resource Risk Scores` task runs (or + the complete job which contains said task). + + The `Compute Resource Risk Scores` task doesn't need to be launched right away, but new risks + can't be identified before it runs at least once. + +## Monitor Identified Risks + +After creating at least one risk and computing risk scores, identified risks are listed on the +**Identified Risks** screen, accessible from the home page in the **Administration** section. 
+ +![Home Page - Identified Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/home_identifiedrisks_v602.webp) + +![Identified Risks](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/risk-management/riskmanagement_identifiedrisks_v522.webp) + +For a given identity in the list, user information can be viewed and accessed by clicking +respectively on the eye and arrow buttons on the right-hand side. + +## Impact of Modifications + +Modifications in a risk are taken into account only after running the `Compute Risk Scores` task. +Therefore, risk scores are computed according to the new parameters. + +**After a modification:** while risk scores are computed for all identities and assignments +(pre-existing and newly created), a modified exemption policy is applied only to future entitlement +assignments. For example, changing the exemption policy of a risk from warning to blocking won't +remove entitlements from the identities who already have them. But future assignments are going to +be blocked. + +The deletion of a risk simply triggers the computation of risk scores during the next +`Compute Risk Scores` task, and removes any exemption policy steps in an assignment request. See the +[ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) topic for additional +information. + +## Verify Risk Management + +In order to verify the process, assign to a fake identity a permission that is supposed to trigger +the created risk, and check the consequences: + +- The message displayed at the end of the entitlement request must correspond to the configuration + of the exemption policy. See the + [ Risk Management ](/docs/identitymanager/saas/identitymanager/integration-guide/governance/risks/index.md) topic for additional + information. +- Once the entitlement is assigned, a line must appear on the **Identified Risks** page. 
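Review bot: On the parameterized role page (the hunk that ends with the "Verify the Parametrized Role" section), the fenced block after "For example, with the `Title` dimension:" contains only blank lines, so the context rule example that the sentence about `<>` placeholders introduces is missing. Restore the snippet, or drop the lead-in and the placeholder sentence if no example is intended. The last line of the page ("For example, concerning the `Title` dimension mentioned above.") also stops without the screenshot or text it announces, and the heading spells "Parametrized" while the image paths use "parameterized"; pick one spelling.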
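Review bot: In policy-creation/index.md, Step 3, the "Dimensions" bullet is indented under "Lock the end date" next to the four end-date modes, although it describes the criteria for policy membership and reads as a separate field; move it back to the top-level list. In the same list, "Name" is described as identifying "the resource type" on a page about policies, and "locks manual permission's at the end date" does not parse. Since "Approve Roles Implicitly" bypasses approval steps and "Roles can be prolonged without a new approval workflow" postpones end dates "without any validation", consider stating next to each option that it removes a control, so integrators enable it as a deliberate exception.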
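Review bot: In risk-management/index.md the task is named `Compute Resource Risk Scores` in step 7 of "Create a Risk" but `Compute Risk Scores` twice under "Impact of Modifications"; use one name, because the page says new or modified risks are not taken into account until that task runs and readers need to know which task to launch. The paragraph starting "This final value is an entitlement" appears twice in a row after step 6 and one copy should be removed. In step 3 the `Type` field has no description and `Exemption Policy` is missing its colon, the "### Write risk rules" heading is nested inside step 3 while its steps continue as 4 to 6, and "targetted" in step 4 should be "targeted".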
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md new file mode 100644 index 0000000000..ce4ae5c2ef --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md 
@@ -0,0 +1,143 @@ +# Perform a Simulation + +How to assess the impact of a modification on the role model, including the role catalog, role +assignment rules and resource correlation rules, using a dedicated +[Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md). See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md)[ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md), +and [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) topics for additional information. + +## Overview + +Identity Manager's simulations gather roles and rules which are to be created, modified or deleted, +without being inserted in the actual role model straight away. More specifically, a simulation can +involve: + +- Correlation rules and classification Rule; +- Scalar rules and navigation rules; +- Resource Type rules; +- [ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) + and + [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md); +- [Single Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerolerule/index.md) + and + [Composite Role Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerolerule/index.md). 
+ +See the [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md) +[ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md), +and +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topics for additional information. + +A simulation can also be created by the +[ Perform Role Mining ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/role-mining/index.md) for the automation of role +assignments. + +Through simulation, integrators can: + +1. create, modify or delete roles and rules in a given policy; + + Only one simulation can be active per policy. + +2. observe via simulation reports the impact on the whole system, i.e. both assignments and + provisioning results, before the changes are applied; +3. decide to confirm or cancel changes. + +NETWRIX recommends using simulation whenever performing an action (creation/modification/deletion) +on the role model. + +## Participants and Artifacts + +Integrators are able to perform simulation if they master the new role model. + +| Input | Output | +| -------------------------------------------------------------------------------------------- | ------------------ | +| Role catalog (optional) Automate Role Assignments (optional) Categorize Resources (optional) | Updated role model | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md), +[ Automate Role Assignments ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/automate-role-assignment/index.md), and +[ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topics for additional information. 
+ +## Launch a Simulation + +Launch a simulation by proceeding as follows: + +1. Access the simulation list by clicking on **Simulations** on the home page, in the + **Configuration** section. + + ![Home - Simulations](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/home_simulations_v600.webp) + + ![Simulation List](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_list_v602.webp) + +2. Create a new simulation by clicking on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the fields. + + ![Simulation List](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_new_v602.webp) + +4. Click on **+ Create**. +5. Perform changes through the **Roles Changes** and **Rules Changes** tabs and the following icons, + respectively for addition, modification and deletion: + + ![Edition - Approval Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Recommendation Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_iconedit_v600.svg) + + ![Discouragement Icon](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_icondelete_v600.svg) + + At any time, you can click on the line of a previously made change to access its description, + even click on **Cancel** to erase it. + + ![Cancel Change](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_cancel_v602.webp) + +6. Click on **Start** to launch the simulation. + + ![Start Simulation](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_start_v602.webp) + +7. After a few seconds, click on **Refresh** to display the simulation results. +8. 
Observe the results in the overview and in the Excel report available via the Download button. + + ![Download Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +## Shift from Simulation to Production + +After all needed changes have been simulated, you can decide to apply or cancel them. + +![Apply or Cancel Changes](/img/product_docs/identitymanager/identitymanager/user-guide/optimize/simulation/simulation_decision_v600.webp) + +Then, the simulation is no longer active. + +Clicking on **Apply** applies the simulated changes to the role model. You need to launch the +[ Compute Role Model Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/computerolemodeltask/index.md) +to observe the actual changes in users' entitlements. + +## Impact of Modifications + +Once you've applied or canceled the changes of a simulation, said simulation is no longer active. If +you still need to simulate changes on the same policy, you can create a new simulation. + +Deleting a simulation doesn't impact the role model. It simply undoes the simulated changes which +haven't been applied yet. + +## Verify Modification + +In order to verify the process, check that the roles and rules are created with the right +parameters. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select the type of role that you want to check, and find the roles you created inside the right +category and with the right parameters. 
+ +![Select Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select the type of rule that you want to check, and find the rules you created with the right +parameters. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md new file mode 100644 index 0000000000..c544b97ddc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md 
@@ -0,0 +1,191 @@ +# Classify Resources + +How to define +[ Resource Classification Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourceclassificationrule/index.md) +in order to classify remaining uncorrelated resources, assigning them resource types. See the +[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for additional information. + +## Overview + +### Classification purpose + +Classification is the process of putting on an existing resource a label called resource type, to +show its intent and/or purpose within the managed system. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Every resource type can be assigned a set of classification rules. + +### About the confidence rate + +As the aim here is to classify uncorrelated resources in a given managed system, classification +rules are going to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. + +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. 
But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule +is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. not requested manually nor assigned by a resource type rule. For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. 
+ + ![Correlation Review - Resource Reconciliation Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. resources and property values from the managed systems that are not allowed by a rule +in Identity Manager. The **Provisioning Review** page displays the resource and property changes +whose workflows require a manual approval. + +### Classification rule example + +Classification rules are commonly based on logins or organizational units. Account types are usually +assigned specific strings to be easily recognized, such as for example `adm` for administrator +accounts. They can also include the employee identifier which includes specific digits according to +the account type. + +Consider an organization that places basic users in organizational units `Users` and `Locations` +with a CN starting with `U`. This means that a basic user should have a `dn` attribute different +from zero, containing `OU=Users` and `OU=Locations`, and starting with `CN=U`. Then, a +classification rule could take as a target expression: + +``` + +return resource.dn != null && resource.dn.Contains("OU=Users,") && resource.dn.Contains("OU=Locations,") && resource.dn.StartsWith("CN=U"); + +``` + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) (required) [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md) (recommended) | Classification rules | + +## Create a Classification Rule + +The principle of a classification rule is to use the expression of the target object, to assign (or +not), the resource type to said object. + +Fill a resource type with a classification rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Classification Rules** and the addition icon. + + ![New Classification Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrule_v602.webp) + + Classification rules can also be created through the **Access Rules** screen (accessible from + the home page, in the **Configuration** section), clicking on the **Classifications** tab and + the addition button at the top right corner. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. 
+ + ![New Classification Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/resourcetype_newclassifrulefields_v602.webp) + + - **Target Object** > `Expression`: C# expression based on the resource that needs to be + classified. + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order.. + > Our overview example would look like: + > + > ![Classification Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify + Resource Types** to apply the new classification rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a classification rule doesn't trigger a new +computation of classification for the resources that are already categorized, i.e. both classified +and correlated. The new version of said classification rule will be applied only to new resources +along with the existing resources whose correlation and/or classification was not yet reviewed (as +unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. + +This also means that only non-conforming resources (displayed on the **Resource Reconciliation** +screen) can have their classification questioned and re-computed. 
+ +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in classification rules. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +Any modification in classification rules is taken into account via the classification job: on the +connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Classify Resource +Types**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Classification + +In order to verify the process, analyze samples and check that all objects are classified, and well +classified. To do so, click on the target entity type(s) affected by your rule(s) in the left menu +of the home page. + +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be configured via XML to customize all displayed columns and available +filters, especially the **Uncategorized** filter that spots unclassified resources, and the **Owner +/ Resource Type** column that shows the resource type assigned to each resource. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_test_v522.webp) + +Therefore, check that all resources show here a resource type. Moreover, a knowledgeable person must +analyze a few samples to ensure that resources are classified in the right resource type. 
+ +## Troubleshooting + +If a resource is not classified (or not correctly), then: + +![Unclassified Resource](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/classification_unclassified_v600.webp) + +- If the resource is correlated, check whether the corresponding correlation rule is in the right + resource type. +- If the resource is not correlated, check the validity of the classification rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md new file mode 100644 index 0000000000..c03370864d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md 
@@ -0,0 +1,214 @@ +# Correlate Resources + +How to define the +[ Resource Correlation Rule ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcecorrelationrule/index.md) +to match up resources across systems, usually accounts with their owner. + +## Overview + +### Correlation purpose + +Correlation is the process of establishing an ownership relationship between a source resource +(usually an identity) and a target resource (usually an account). It is the basis of the link +between an identity and their fine-grained entitlements. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +Every resource type can be assigned a set of correlation rules. + +Correlation rules must be created with caution as an error in the correlated attributes may result +in the unwanted assignment of a given account to an existing user. + +Correlation should be based on immutable attributes, for example codes that don't change during the +resource's lifecycle rather than display names that can vary in time. This method prevents +integrators from losing the history of the changes made to a resource after a correction. + +> In addition to display names, counter-examples for correlation properties are: positions; marital +> names; locations, etc. + +### About the confidence rate + +As the aim here is to correlate all resources in a given resource type, correlation rules are going +to rely on the patterns in resources' attributes, such as naming conventions. + +Sometimes, the managed system doesn't use rigorous rules and thus data quality isn't enough to allow +the creation of a single infallible correlation/classification rule for all resources. Hence, you +may need to create several correlation/classification rules. 
+ +Each rule is configured with a confidence rate to express its reliability, according to data quality +and sensitivity. + +In our case, correlation/classification can be based on a first rule applicable to quality data +resources with a high confidence rate, and a second rule applicable to resources with a lower data +quality. This second rule is going to have a lower confidence rate, thus a lower priority, because +the strategy is to apply the first rule as much as possible. But the second rule is essential in +case the first one doesn't apply, though it cannot be trusted as much as the first rule. + +Hence correlation/classification rules are configured with a confidence rate: + +- from 100 to 150% to correlate resources automatically without a manual validation; +- from 0 to 99% to impose that a resource manager reviews the correlation/classification. + +Identity Manager considers the rules in descending order of confidence rate. The first matching rule +is applied. + +In other words: + +- if there is at least one matching rule with a confidence rate above 100%, then the one with the + highest rate is applied; +- if there isn't and there is at least one matching rule with a confidence rate below 100%, then the + one with the highest rate is suggested. + +There is no predefined priority order between two rules with the same confidence rate. + +### Focus on reviews + +When the confidence rate is below 100%, correlation and classification reviews are to be done: + +- on the **Provisioning Review** page when the owned resource is allowed by the role model, i.e. + requested manually or assigned automatically by a resource type rule; + + ![Correlation Review - Provisioning Review Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsprovisioningreview_v603.webp) + +- on the **Resource Reconciliation** page when the owned resource is not allowed by the role model, + i.e. 
not requested manually nor assigned by a resource type rule. For example, the creation of a + correlation rule without a resource type rule triggers unauthorized accounts on the **Resource + Reconciliation** page. + + ![Correlation Review - Resource Reconciliation Screen](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/categorization_reviewsresourcereconciliation_v603.webp) + +Broadly speaking, the **Resource Reconciliation** page displays non-conforming assignments/values +(gaps), i.e. resources and property values from the managed systems that are not allowed by a rule +in Identity Manager. The **Provisioning Review** page displays the resource and property changes +whose workflows require a manual approval. + +### Correlation rule examples + +Consider AD accounts (target) and their owners (source). A classic example is to try and correlate +identities and AD accounts based on the first name and last name. We can write a correlation rule +that states that, for a given identity, Identity Manager looks for all AD accounts that bear the +same first name and the same last name. All AD accounts that match this description are said to be +correlated to the identity. The identity becomes the owner of the accounts. + +A set of correlation rules for a resource type could be: + +- a rule with 100% confidence on login + name + first name; +- a rule with 90% confidence on login only. + +Usual rules can also be made, for example, on: + +- name + first name using phonetics to avoid typos; +- first name + name + entry date if the entry date is known in the source systems; +- email address; +- Windows login. + +Correlation rules don't have to compare equivalent properties from Identity Manager and from the +managed system. A rule can compare for example users' `Login` from Identity Manager with their +`sAMAccountName` from the AD, even using C# expressions if needed. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| Identity repository ( (required) Resource types (required) [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Correlation rules | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) and +[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topics for additional information. + +## Create a Correlation Rule + +The principle of a correlation rule is to compare the expressions of the source and target objects. + +Fill a resource type with a correlation rule by proceeding as follows: + +1. On the relevant resource type's page, click on **Correlation Rules** and **+ New**. + + ![New Correlation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrule_v602.webp) + + Correlation rules can also be created through the **Access Rules** screen (accessible from the + home page, in the **Configuration** section), clicking on the **Correlations** tab and the + addition button at the top right corner. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +2. Fill in the fields. 
+ + ![New Correlation Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/resourcetype_newcorrelrulefields_v602.webp) + + - **Source Object**: at least one property from the source system that is going to be linked to + a given target object. Can be defined by a property path and/or an + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md). + - **Target Object**: one property from the managed system that is going to be linked to a given + source object. Can be defined by a property path and/or an + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md). + - `Confidence Rate`: rate expressing the rule's reliability, and its priority order. + > In this example, a person via their login and name, is the owner of a nominative AD + > account via its `sAMAccountName` attribute and display name: + > + > ![Correlation Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_example_v602.webp) + +3. Click on **Create** and see a line added on the rules page. +4. On the connector dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare + Correlation Keys** to compute the expressions used in the new correlation rule(s), and click on + **Jobs** > **Compute Role Model** to apply all correlation rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Impact of Modifications + +An action (addition/modification/deletion) on a correlation rule doesn't trigger a new computation +of correlation for the resources that are already correlated. 
The new version of said correlation +rule will be applied only to new resources, along with the existing resources whose correlation was +not yet reviewed (as unauthorized accounts on the **Resource Reconciliation** screen). + +Thus only non-conforming resources (unauthorized accounts on the **Resource Reconciliation** screen) +can have their correlation and classification re-computed. + +Even without selecting an owner, reviewing unauthorized accounts on the **Resource Reconciliation** +screen "blocks" correlation and classification "as is". Neither will be re-computed. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in correlation rules. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +Any modification in correlation rules is taken into account via the following jobs: on the connector +dashboard and in the **Resource Types** frame, click on **Jobs** > **Prepare Correlation Keys**, and +then on **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +## Verify Correlation + +In order to verify the process, check the list of +[Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) +and analyze them to look for patterns revealing correlation issues. To do so, click on the target +entity type(s) affected by your rule(s) in the left menu of the home page. 
+ +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +The entity type's page can be configured via XML to customize all displayed columns and available +filters, especially the **Orphan** filter that spots resources without an owner, and the **Owner / +Resource Type** column that shows the owner assigned to each resource. + +![Owner / Resource Type Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_test_v522.webp) + +A knowledgeable person must analyze a few samples to ensure that resources' owners can all be +justified, meaning that orphaned accounts are supposed to be so, and that correlated resources are +matched with the right owner. + +Another possibility of correlation validation is to compare the number of AD accounts to the number +of users. However, keep in mind that several accounts are sometimes assigned to a single user. + +## Troubleshooting + +If a resource is not correlated (or not correctly), then: + +![Uncorrelated Resource](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/correlation/correlation_uncorrelated_v600.webp) + +- Check the validity of correlation rules. +- Check the resource's data quality. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md new file mode 100644 index 0000000000..3bf12dc461 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md 
@@ -0,0 +1,155 @@ +# Categorize Resources + +How to correlate managed systems' resources with identities, classifying resources into +[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). + +## Overview + +Managing resources can quickly become chaotic when the number of resources increases significantly. +You will need to manage orphaned (without an owner) and unused accounts through resource reviews, +and make sure that all accounts follow their owner's lifecycle. To do so, resources can be +categorized, which for our purposes means two things. They are: + +- correlated with their owners, so that accounts follow the corresponding identity's lifecycle. + > For example, if a user leaves the company, then their account is deactivated accordingly. +- classified according to their intents, in other words you need to specify resources' functions or + goals within the managed system, especially in terms of security; + > For example, a basic user account (low-privileged) and an administrator account + > (high-privileged) have different intents. These two distinct account types are handled in + > different ways security-wise, and they represent different entitlements with different + > security measures applied. + +Categorization is designed to help resource managers to easily identify a resource's owner and +purpose. + +> For example, when Identity Manager spots an orphaned account, resource managers must be able to +> determine whether the account should have an owner, or if it is a service/technical account and +> thus does not need an owner. + +### Technical principles + +Technically, Identity Manager uses the notion of resource types to categorize resources. A resource +type is, in fact, a way to gather similar resources under one meaningful name, because they have the +same intent. 
+ +> Our example above would use a resource type `AD User (administration)` to group all AD +> administrator accounts, and `AD User (nominative)` to group all AD basic user accounts. + +Thus, a resource type is a name that informs users about the intent of a resource. As stated above, +it serves to implement our two elements of categorization. This happens with two distinct sets of +rules, one for correlation, and the other for classification. + +**Classification** is a process that simply aims to assign a resource type to specific resources. A +specific resource can only be assigned a single resource type. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +![Classification Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_classifschema.webp) + +Any resource that is unclassified will not be available for review. + +**Correlation** is a process that aims to establish an ownership relationship between two resources. +In most cases, an identity resource that becomes the owner of an account resource. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +![Correlation Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_correlschema.webp) + +While an owner can possess several resources, a resource can have only one owner. + +Some resources are orphaned (without an owner) for good reasons. For example service/technical +accounts are often used by applications to access data held in Identity Manager or other managed +systems and don't belong to a specific user. + +As stated previously, both classification and correlation work through sets of rules. 
+ +> For basic users, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_examplebasicuser.webp) +> +> For basic users, we have in the AD: +> +> ![Example - Basic Users in AD](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_examplebasicad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Users | 1. mail (from AD) = user's email +> franck.antoine@acme.com = franck.antoine@acme.com 2. displayName = user's last name + user's first +> name Antoine Franck = Antoine + Franck | + +> For administrators, we have in Identity Manager: +> +> ![Example - Basic Users in Usercube](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_exampleadminuser.webp) +> +> For administrators, we have in the AD: +> +> ![Example - Admin Users in AD](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_exampleadminad.webp) +> +> Thus our example could induce the following rules: | Classification Rules | Correlation Rules | | +> --- | --- | | all accounts from OU=Administrators | 1. sAMAccountName = "A" + user's employee id +> A28022 = A + 28022 2. displayName = "ADM" + user's last name + user's first name ADM Colin Jean = +> ADM + Colin + Jean | + +Sometimes you may not know if your rules are always going to apply. Therefore, each rule expresses a +certain level of confidence. Identity Manager will establish a priority order between rules based on +the confidence rate, and will also act differently depending on whether the confidence rate is above +or below 100%. See the [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md) topic for additional +information. 
+ +A resource type can have zero correlation rules, since accounts can be without owners. But a +resource type with neither correlation nor classification rules serves no purpose. + +**Correlation triggers classification:** a matching correlation rule for a given resource type will +perform both actions of categorization: both correlating a resource with its owner, and classifying +the resource at the same time. + +See below this note. + +Hence, integrators should start with correlation rules, and then write classification rules for any +remaining uncorrelated resources. + +In the same way, Identity Manager will apply correlation rules before classification rules. + +![Categorization Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/categorization_categschema.webp) + +Now that you have created resource types and their correlation/classification rules, you have +created the first elements for your role model. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. The role model contains all the roles and rules which drive the +entitlement assignment logic inside Identity Manager. + +A role model is made up of +[Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) which +contain roles, rules and resource types. Most often the default policy is enough. However, in more +complex situations, additional policies can be created to separate groups of roles, rules and +resource types. See the [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) topic for +additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application's users, entitlements and data model. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) (required) [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) (required) | Categorized resources Correlated accounts Orphaned account list | + +## Categorize Resources + +Categorize resources by proceeding as follows: + +1. Create at least one [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md); +2. Create the appropriate [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md); +3. Create the appropriate [ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) for accounts that do not + have an owner. + +Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting correlation and +classification rules using [ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) in order to +previsualize changes. + +## Next Steps + +Once accounts are categorized, integrators can start to +[ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md). 
+ +Categorization also enables the +[Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md new file mode 100644 index 0000000000..f3236b1196 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md 
@@ -0,0 +1,223 @@ +# Create a Resource Type + +How to create the container for future correlation and classification rules inside a given managed +system. + +## Overview + +A +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +is created to highlight differences in intent between resources. It materializes the organization's +profiles. In a given managed system, different types of resources have different security needs. + +> For example, can usually be found: +> +> - nominative accounts for basic user accounts with low privileges; +> - administrator accounts for accounts with higher privileges, on several administration +> entitlements levels; +> - generic accounts, i.e. shared by a group of users (often for testing use); +> - old in opposition to new accounts because of potentially evolving naming conventions; +> - service accounts owned by applications instead of users. + +In practice, a specific resource type is created for a given resource when there are differences in: + +- the owner type (for example worker, partner, customer, application, robot, etc.); +- the required set of classification and/or correlation rules; See the + [ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md), and + [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md) topics for additional information. +- the approval circuit for a resource's modification or assignment, i.e. the number of required + approvals, validators, etc.; +- the type of provisioning (manual or automatic). See the + [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) topic for additional information. + +### Source vs. target resource + +Resource types are the vessel for ownership relationships. 
They involve the definition of source and +target objects chosen from among the properties of existing entity types. The source (usually +identities) is the owner of the target (usually resources from your managed systems, such as a +nominative AD account). This relationship is the basis for correlation as much as for future +provisioning. See the [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md), +[ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md), +and[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) topics for additional information. + +See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| --------------------------------------------------------------------------------------- | ------------- | +| Identity repository (optional) Target connector (required) Synchronized data (optional) | Resource type | + +See the +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md)[ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md), +and [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) topics for additional information. + +## Create a Resource Type + +A new resource type requires an existing entity type. 
See the +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. + +Create a resource type by proceeding as follows: + +1. On the relevant connector page, click on the addition button in the **Resource Types** frame. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + Resource types can also be created through the **Access Roles** screen (accessible from the home + page, in the **Configuration** section), using the **+ New** button and selecting + `Resource Type` in the first field called `Type`. + + ![Home - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. Fill in the fields. + + ![New Resource Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_newresourcet_v603.webp) + + - `Identifier`: must be unique among resource types, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to identify the resource type. + - `Policy`: [policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) in which the resource type + exists. + - `Source Entity Type`: entity type (from any existing connector) used to fill the target entity + type. + - `Target Entity Type`: entity type (part of the connector) to be filled with the source entity + type. + - `Category`: category assigned to the resource type. 
It can be chosen from among the existing + categories or [created](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) directly from the + categories list by clicking on the **+ Category** button. + - `Approval Workflow`: represents the number of validations required to assign a resource from + this type to an identity. + - `Approve Role Implicitly`: relevant only for workflows with at least a simple approval + process. `Implicit` mode bypasses the approval step(s) if the person who issues the role + request is also the role officer. `Explicit` refuses said bypass. `Inherited` follows the + policy decision to approve role implicitly or not. See the + [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) topic for additional + information. + - `Prolongation without a new approval workflow`: enables the resource type to have its + assignment's end date postponed without any validation. `Inherited` follows the policy + decision to enable this option or not. See the + [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) topic for additional + information. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Arguments Expression`: when using a connection for automatic provisioning, C# expression used + to compute a dictionary of strings in order to compute the arguments of + [provisioning](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) orders, such as the identifier of + the workflow to launch within Identity Manager, or the identifier of the user's record to + copy. 
See the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) topic for additional + information. + - `Allow Addition`: enables Identity Manager to automatically create new resources in the + managed system when their owners are given the right entitlements. Otherwise, resource + managers must create resources manually directly in the managed system. + + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Addition` disabled. In this case, if we give the role + > `SAP` to a user, then said user doesn't automatically receive an SAP account. The relevant + > resource manager must create an account for said user in the SAP application. + + - `Allow Removal`: enables Identity Manager to automatically deprovision resources in the + managed system when their owners are deprived of the right entitlements. Otherwise, Identity + Manager is able to delete resources in the managed system only with a manual approval on the + **Resource Reconciliation** screen. + + > Consider a role `SAP` which assigns an SAP account to a user. Consider also that SAP + > accounts are configured with `Allow Removal` disabled. Finally, consider a given user who + > has the role `SAP` and the corresponding SAP account. In this case, if we deprive said + > user from the role `SAP`, then the SAP account isn't automatically deleted. Identity + > Manager displays this assignment as non-conforming on the **Resource Reconciliation** + > page, and the relevant resource manager must confirm the account deletion. + + **Allow Addition / Allow Removal:** + + These options set to `No` are interesting especially in testing mode when the role model + isn't entirely reliable yet. + + - `Remove If Orphaned`: enables Identity Manager to automatically deprovision resources when + their owner is deleted. Otherwise, said resources are displayed on the **Resource + Reconciliation** screen. 
Can be activated only if `Allow Removal` is activated too. + - `Require Provisioning Review`: forces an additional mandatory review of all provisioning + orders for the resource type (on the + [ Review Provisioning ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/provisioning-review/index.md) + screen). + + > Consider AD accounts. While nominative accounts can be provisioned without specific + > precautions (option set to `No`), administrator accounts sometimes require an additional + > review (option set to `Yes`). + + This option can be bypassed when computing the role model by clicking on the **Compute Role + Model, no provisioning review** job in the **Resource Type** frame on the connector's + overview page. + + - `Discard Manual Assignments`: allows the provisioning of a new value computed by a + provisioning rule for a property, based on a change in the source data, no matter the + property's current workflow state. + + Set to `No`, any manual change of a property's value made directly in the target system will + be "protected" (only after the change is approved in Identity Manager in **Resource + Reconciliation**). It means that a future change in the source data will not trigger the + provisioning of the new value. Instead, Identity Manager will keep the value of the manual + change, and state the value as `Questioned`. + + > Consider an HR system (source) whose data isn't often synchronized into Identity Manager. + > Let's say that a user marries and changes their name. In this case, the value in Identity + > Manager needs to be updated (via workflows) so that all managed systems are updated too + > with the new name. However, `Discard Manual Assignments` should be enabled because the HR + > system should still be the authoritative source in case of another change. + + - `Correlate Multiple Resources`: enables Identity Manager to link a single owner to several + existing target objects from this resource type. 
+ + > Consider records, representing users' positions in the resource type + > `User Record (from HR)`. In some organizations, one user can have several records at once, + > or have several records that overlap, and these records can be created either via Identity + > Manager's workflows or via the upload of an HR file. Thus, on the one hand it is complex + > to anticipate the number of records created for an identity, on the other hand there + > shouldn't be records without an owner. In other words, when creating a new record via a + > workflow, we want the record to be linked to the right user, whether or not a record is + > already linked to the user's HR sheet. Therefore, the correlation of multiple resources + > (of the same resource type) to a single owner should be permitted. + + - `Transmitted State Validity`: The period in minutes during which fulfillment orders can stay + in Transmitted/Executed state. When the time is exceeded the orders are set in error state. + - `Depends On Resource Type`: potential resource type (other than the one presently created) + which must be provisioned for a given identity before this resource type can be created for + said identity. + + > This option can be used so that a user must have an AD account before they can own an + > Exchange account, because the Exchange account needs the AD account's address. + + - `Depends On Owner Property`: potential properties which must be filled for a given identity + before this resource type can be created for said identity. + + > This option can be used so that a user must have a ServiceNow identifier before they can + > own an AD administrator account, because the AD administrator account needs this random + > identifier computed by ServiceNow in order to be able to perform manual provisioning in + > ServiceNow. + +3. Fill the **Fulfill Settings** arguments according to the selected package. 
+ + Integrators need to know the required provisioning connection, especially whether the connection + is about manual or automated provisioning. Automatic provisioning means that Identity Manager + writes in the managed system. Manual provisioning means that Identity Manager isn't allowed to + write directly inside the managed system, and thus it creates tickets so that resource managers + perform the needed changes. + +4. Click on **+ Create & Close** > **Create**. + +## Verify Resource Type Creation + +In order to verify the process, check that the resource type has been added with the right options +to the list on the **Access Roles** page, accessible from the home page in the **Administration** +section. + +![Home - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +![Test Connector](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/resourcetype_test_v602.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md new file mode 100644 index 0000000000..ff8eedbc23 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md 
@@ -0,0 +1,48 @@ +# Configure Global Settings + +This topic covers the customization in the application **Settings**. + +## Overview + +The Settings interface provides information and management options for the application. + +![accesscertificationonlyapprovedenysettings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedenysettings.webp) + +### Look and Feel + +The **Look and Feel** section allows you to customize the application to your preferences. + +The customization includes the following: + +- **Application Title**as the name of the application visible on the tabs +- The **Primary Color**, **Secondary Color**, **Banner Color**, **Banner Gradient Color**, **Banner + Selected Tab Color**, and **Banner Text Color** +- The **Logo** to be displayed in the top left corner; + +### Languages + +It presents the languages in which the application can be displayed. In the above example you have +English-United States and French-France. + +See the [ Languages ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/languages/index.md) topic for additional +information. + +### Features + +The feature **Only allow approving and refusing on access certifications items** gives the +administrator the option to limit the user's option to either **Approve** or **Deny** the Access +Certification items while making the **More** button unavailable. 
+ +![allowapprovingdenyingaccesscertificationitems](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/allowapprovingdenyingaccesscertificationitems.webp) + +If the feature **Only allow approving and denying on access certification items** is set to **No** +the following will be visible on the certification screen: + +![accesscertificationonlyapprovedeny](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny.webp) + +If the feature **Only allow approving and denying on access certification items** is set to **Yes** +the following will be visible on the certification screen: + +![accesscertificationonlyapprovedeny-disabled](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-global-settings/accesscertificationonlyapprovedeny-disabled.webp) + +This is how the user's experience can be customized directly from the UI. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-workflows/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-workflows/index.md new file mode 100644 index 0000000000..1c619fe36c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-workflows/index.md 
@@ -0,0 +1,111 @@ +# Configure Onboarding Workflows + +How to adjust the validation process and homonym detection of onboarding +[Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md). + +## Overview + +Onboarding workflows are the processes that users follow in order to add in Identity Manager a new +user, as a new employee has arrived in the company. + +The most common situation consists in having two onboarding workflows: one for employees and one for +contractors. The Workforce Core Solution module provides these two workflows. + +Usually, using one of these workflows means: + +1. filling a form containing the new user's information, such as their name, first name, contract + type, job title, etc; +2. if needed, sending the request of user creation for review by a knowledgeable user. + +See how to +[ Update an Individual Identity ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/individual-update/index.md)in +Identity Manager. + +### User Creation Review + +Identity Manager provides the review step as optional, for its necessity depends on the situation. + +To perform the review of a user creation, one should have the right permissions. + +![Review Permissions](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewpermissions_v601.webp) + +When a review is needed, a notification appears on the **MY TASKS** tab at the top. + +![My Tasks Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_topbar_v601.webp) + +The reviewer can then complete the creation request and finally approve it. + +### Homonym Detection + +User creation often benefits from a homonym detection that checks if the resource already exists in +the system, preventing duplicates. + +Identity Manager provides a homonym detection, whose parameters can be adjusted. 
+ +See the [Workflows](/docs/identitymanager/saas/identitymanager/integration-guide/workflows/index.md) topic for additional information. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the expected validation +process and homonym detection during users' onboarding. + +| Input | Output | +| ------------------------------ | ----------------------------- | +| Identity repository (required) | Adjusted Onboarding Workflows | + +See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for +additional information. + +## Configure Onboarding Workflows + +Configure onboarding workflows by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **Workforce** > + **Onboarding Workflows** in the left menu. + + ![Home - Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. For each workflow, choose whether a review step is required. + + ![Workflows Review Steps](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_reviewsteps_v601.webp) + + Netwrix Identity Manager (formerly Usercube) recommends enabling the review for the onboarding + of employees, and disabling the review for contractors. + + From experience, in most use cases, the onboarding of new workers is done by their managers, and + HR people review the creation of employees and not contractors. It also happens that HR people + are in full charge of employees, in which case they do the onboarding and don't need a review. + +3. Configure the homonym detection. 
+ + ![Workflows Homonym Detection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_homonyms_v601.webp) + + Netwrix Identity Manager (formerly Usercube) recommends enabling the birth name comparison to + detect user duplicates due to name changes, when the GDPR supports it. + + The other parameters for homonym detection should be enabled/disabled according to your needs. + +4. Click on **Save** at the top of the page. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Workflow Configuration + +Validate the process by proceeding as follows: + +1. Access the user directory from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. Execute the workflows for a new employee and a new contractor. +3. Make sure that the homonym detection works in accordance with the specified options. + + > For example, if the inversion comparison is enabled between the first and last names: + > + > ![Workflows Homonym Detection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/workflows_verifyhomonyms_v601.webp) + +4. Make sure that the potential validation steps are in accordance with the specified options. + +## Next Steps + +Once onboarding workflows are configured, integrators can start configuring a connector. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md new file mode 100644 index 0000000000..f4023173c8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md 
@@ -0,0 +1,169 @@ +# Create a Connection + +How to create a +[ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) +inside a +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +and choose the appropriate package. + +## Overview + +A connection is the information that allows to connect to a managed system, which includes +credentials and path. + +There is a minimum of one connection per connector. In many cases, there is one connection +to[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md)and one connection for +[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md). + +A connection is associated with a package, representing the technology to use for the data transfer. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ------------------------------------------------------- | ------------- | +| Connector container(required) Connector model(required) | Connection(s) | + +See the [ Create the Connector ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) and +[ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) topics for additional information. + +## Create a Connection + +Create a connection by proceeding as follows: + +1. Click on the addition button in the **Connections** frame on the connector's summary page. + + ![Add a New Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_newconnection_v602.webp) + +2. 
Fill in the connection information fields on the left, then select a package (AD, CSV, etc.) and + fill the associated agent settings on the right. + + ![Connection Creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_connectioncreation_v602.webp) + + - `Identifier`: must be unique among connections, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. + - `Name`: will be displayed in the UI to identify the connection. + - `Package`: the technology that enables the connection. Choose the package that fits best the + managed system. See details below. + - `Agent Settings`: depends on the selected package. + + Then click on **Create & Close**. + +### Select a package + +A package is chosen according to the following constraints: + +- What kind of technologies do we need? + + > An Active Directory, a plain CSV file, etc. + +- Do we need incremental or complete synchronizations, or both? + + Incremental synchronizations, usually launched approximately every two hours, are to be + performed for real-time needs, while complete synchronizations, scheduled no more than once a + day, will recover any changes that may have slipped through the cracks of the incremental + synchronizations. See the + [ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) + topic for additional information. + +- Do we need [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md)? If so, should provisioning be + performed manually or automatically by Identity Manager? + +NETWRIX recommends starting by creating a connector that only does synchronization, and do not worry +yet about provisioning. It allows Identity Manager to read data from your managed system, without +writing to the system. 
+ +One connector can contain several connections, and each connection contains one package. + +> For example, an `AD` connector, that will handle synchronization and provisioning between Identity +> Manager and an AD, would generally use the `Directory/Active Directory` package which can do +> synchronization and automated provisioning. A second package for manual provisioning, +> `Ticket/identitymanager` could be added to request manual provisioning of administration accounts that +> need more security. + +Each type of package needs its own settings, and secured options can be used to store sensitive +connection information. See the +[Connections](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/configuration-details/connections/index.md) +topic for additional information. + +## Refresh Schemas + +A schema is a snapshot of the data structure (metadata) retrieved by a connection. It needs to be +refreshed to enable the configuration of entity types and resource types. + +Identity Manager refreshes a connection's schema: + +- after the connection creation; +- when clicking on **Refresh Schema** on the connection's page: only the schema of the current + connection is refreshed; + + ![Refresh Schema of One Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshschema_v522.webp) + +- when clicking on **Refresh all schemas** on the connector's page: all schemas of the connector are + refreshed. + + ![Refresh all Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_refreshall_v602.webp) + +In the **Connections** frame, either the last successful schema update is indicated or an icon is +shown if the refresh schema failed. 
+ +![Failed Refresh Schemas](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_failedindicator_v602.webp) + +Some packages don't generate a schema. For these packages, the **Refresh Schema** button isn't +displayed on the connection's page. On the connector's page, a connection without schema is +indicated by the sentence "_There is no schema for this connection_". + +![No Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_noschema_v522.webp) + +The connections' schemas must be refreshed before editing the connector's entity types via the UI, +whether the connections were created via the UI or XML configuration. Otherwise, there will be no +connection table available in the `Source` dropdown, so you will not be able to save anything. + +## Impact of Modifications + +Changes on a connection may imply changes in the connector's entity types. When a connection schema +changes, a warning may appear in the entity type screen indicating that a mapped property doesn't +exist anymore. + +## Verify the Connection + +In order to verify the process: + +1. click on **Check Connection** to ensure that Identity Manager can reach the managed system; + + ![Check Connection](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connectioncreation_checkconnection_v602.webp) + + Some connectors have both incremental and complete setting modes. See the + [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md)topic for additional + information. They are relatively independent so they both need to be tested. + +2. check that the connection appears in the **Connections** frame with the right options, and + without the Failed icon. 
+ +![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +## Troubleshooting + +If the Failed icon appears, then: + +![Decline Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/certifcampaign_icondecline_v522.svg) + +Ensure that the schema of the connection is refreshed. + +If the schema couldn't be recovered, then: + +![Schema Not Recovered](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connection-creation/connection_notrecovered_v523.webp) + +- Ensure that the managed system is properly connected. +- Check the connection's settings. + + > Example: For a CSV connection, ensure that the file paths are written correctly in full, such + > as `C:/identitymanagerDemo/Sources/Directory.xlsx`. + +You may have a schema that could not be recovered if you work with a system without a direct access +to the agent. In this case, schema refreshment will fail but that does not mean that there +necessarily is a problem. + +Try again from a system that can access the agent. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md new file mode 100644 index 0000000000..6bf7082d12 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md 
@@ -0,0 +1,66 @@ +# Create the Connector + +How to declare the technical container of a +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md). + +## Overview + +Here, you will learn how to create a connector: the shell that harbors entity types and connections +related to a single managed system. + +Keep in mind that a Identity Manager installation can have more than one agent. Connectors should be +created with a specific agent in mind since the agent needs to physically connect to the managed +system's data. Fortunately, you don't need to worry about that right now, since you are starting +with the agent provided with Identity Manager's SaaS environment. See the +[ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md) topic for additional +information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ----- | --------------- | +| - | Empty connector | + +## Create a Connector Container + +Create a connector container by proceeding as follows: + +1. On the home page in the **Configuration** section, click on the **Connectors** button. + + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + + You will see all existing connectors. + +2. Click on the addition icon and fill in the information fields. 
+ + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![Connector creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_declaration_v602.webp) + + - `Identifier`: must be unique among connectors, without any whitespace, start with a letter, + and contain only letters, numbers, `.` and/or `-`. + - `Name`: will be displayed in the UI to identify the connector. + - `Agent`: agent that the connector is supposed to use. + + Netwrix Identity Manager (formerly Usercube)recommends choosing the provided SaaS agent. + + - `Complete Job`: [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) scheduled to + perform a set of tasks, including completesynchronization and/or provisioning for all the + connectors, for which you selected the corresponding checkbox. + - `Incremental Job`: [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) scheduled + to perform frequently a set of tasks, including incrementalsynchronization and/or provisioning + for all the connectors, for which you selected the corresponding checkbox. + +3. Click on **+ Create** to get on the connector's overview page: + + ![Connector page](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_connectorpage_v602.webp) + +## Verify the Connector Declaration + +In order to verify the process, check that the connector has been added to the connectors list with +the right name and identifier. + +![Test Connector](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-declaration/connectorcreation_test_v602.webp) 
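Review bot: In docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md, the `Complete Job` and `Incremental Job` bullets contain the fused words "completesynchronization" and "incrementalsynchronization", and the `Agent` recommendation reads "(formerly Usercube)recommends" with no space. These look like inline links or markup that were stripped without restoring the surrounding spaces, so restore them. In the Overview, "a Identity Manager installation" should be "an Identity Manager installation". The link texts "[ Jobs ]" and "[ Architecture ]" carry padding spaces inside the brackets that should be trimmed.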
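Review bot: In the resource type creation topic (the hunk that ends with "Verify Resource Type Creation"), step 1 says the **Access Roles** screen is reached from the **Configuration** section of the home page, while the verification section says the same page is in the **Administration** section. One of the two is wrong and should be corrected so that the verification step can be followed. In the `Identifier` bullet, the Microsoft link ends in `#see-microsoft-lexical-structure`, a fragment that looks generated from the link text; check that it resolves or drop it. Since `Require Provisioning Review` is described as a mandatory review, the sentence saying it can be bypassed with the **Compute Role Model, no provisioning review** job should state who is allowed to run that job.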
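Review bot: In docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md, the Features section names the same setting two ways: "Only allow approving and refusing on access certifications items" in the first paragraph, and "Only allow approving and denying on access certification items" in the two paragraphs that follow. Use the exact label shown in the UI in all three places so that readers can search for it. In the Look and Feel list, "**Application Title**as" is missing a space and the last item ends with a stray semicolon. The image alt texts are raw file names (for example "accesscertificationonlyapprovedenysettings") and should be descriptive.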
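Review bot: In docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-workflows/index.md, step 3 of "Configure Onboarding Workflows" recommends enabling the birth name comparison "when the GDPR supports it" without saying what condition the integrator has to check; state the condition or link to the topic that does. In the Overview, the link "[ Update an Individual Identity ]" runs straight into the word "in" with no space. The example under step 3 of "Verify Workflow Configuration" ends on a colon followed only by a screenshot, so the expected result of the inversion comparison is never stated in text.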
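Review bot: In docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md, the package name `Ticket/identitymanager` in the "Select a package" example and the path `C:/identitymanagerDemo/Sources/Directory.xlsx` in Troubleshooting look like the result of a product-name search and replace applied inside code literals. Confirm both against the actual package identifier and demo folder, since readers will copy them verbatim. The same Troubleshooting example is introduced as a CSV connection but its path ends in `.xlsx`. In the Participants and Artifacts table the Input cell reads "Connector container(required) Connector model(required)" with the separators lost, and the "[ Synchronize Data ]" link in the Overview is missing spaces on both sides.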
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md new file mode 100644 index 0000000000..59174da380 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md 
@@ -0,0 +1,493 @@ +# Model the Data + +How to choose the appropriate model for a connector's data. + +## Overview + +In this part, you work outside Identity Manager to define the model that is going to be used in the +next steps to represent a managed system's resources and entitlements inside Identity Manager, as a +connector. + +This page is no technical procedure, but rather a guide aiming to give a global view on connectors +(with their components and their purpose), in order to help integrators choose the most appropriate +way to model the managed system in the form of a connector later inside Identity Manager. + +The aim is to think about said managed system in order to specify: + +- what data you need to import into Identity Manager; +- how you are going to organize this data together, and model it as a connector inside Identity + Manager. + +### Useful data + +Modeling the connector is a matter of identifying what data you want to get into Identity Manager. +You should not retrieve all the data from the managed system, but only two kinds of useful data: + +1. data that represents how the authorization system works in the managed system, i.e. data that + composes entitlements and their assignments; +2. data that you want to watch and/or control and/or fulfill. + +The model must take both into account. So both kinds of data must be extracted from the managed +system. + +> Let's take an example. An Active Directory manages authorization through group membership (using +> the user-group paradigm). +> +> So first we need to retrieve both groups and accounts, in order to manage the AD's assignments of +> entitlements for our users (in the AD language: manage their accounts and group memberships). +> +> Secondly, we want to control attributes such as the name or e-mail of the account, and ensure they +> are consistent with the correlated identity. Thus these attributes are the second kind of +> information that we want to retrieve. 
+ +### Data models + +Fortunately, you won't have to design your connector model from scratch. NETWRIX has done a little +work ahead, and you are presented here with four model templates that have proven to work so far. +Experience shows that most managed systems can be shaped using one or a mix of the following: + +- the User model is the most simple model for a connector, where a user is directly associated with + a list of entitlements; +- the User-Group model represents typical + [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control) mechanisms, + where the ability to perform an action is granted through accounts' membership to a specific group + (also called role or profile according to the system); +- the Account-Profile-Transaction model represents a system, where the ability to perform an action + is granted through the assignment of fine-grained entitlements (called transactions) which are + packaged into profiles; +- the Star model represents a system, where the ability to perform an action is granted through the + assignment of entitlements which are based on at least two variable parameters. + +Each template presents a few objects and the relationships between them. To become the model of the +actual managed system, these objects must be renamed and their attributes defined according to the +reality of said managed system. + +This sheet guides you through choosing the right model template for your connector. The actual +technical implementation of the model will be tackled in the last part of the connector +configuration: [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md). + +**Connector model and roles:** + +The design of a model must take into account what is really going on inside the managed system in +terms of entitlements, and be flexible enough to express it as roles in the context of the role +model. 
The role model is the universal RBAC/ABAC language used by Identity Manager to express all +entitlements. + +You don't have to worry about this "role" part right now. It is going to be tackled during single +role catalog creation. At this point, you will take a look at the way roles are defined and linked +to resources to represent entitlements. But the work starts here, by modeling the resources that +exist in the managed system. Some of those resources, such as Active Directory groups, include +interesting information about entitlements. + +Right now, you can see the connector's model as a precise description of the shape of the technical +resources and entitlements of the managed system. And, you can see roles as the higher-order +universal language in which entitlements and their assignments are expressed in Identity Manager for +all managed systems. + +**Connector model and provisioning**: + +After defining the useful data that you need to model a given system, you also have to decide what +data you need Identity Manager to write to the managed system. Identity Manager writing to an +external system is called provisioning. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. + +| Input | Output | +| ----- | --------------- | +| - | Connector model | + +## Define the Connector Model + +Define your connector model by proceeding as follows: + +1. Use the advice and examples given about each model template to find the template that most + closely matches your use case. +2. Adapt the template to the reality of your managed system by renaming and adjusting the model's + objects. +3. Define your useful data, and thus the attributes of each object according to the reality of the + data in your managed system. +4. Ensure that all objects have at least one attribute that can serve as a key to be uniquely + identified within Identity Manager. 
You will get more details about keys during entity type + creation. +5. Ensure the following guidelines' enforcement: + + **Keep it simple** + + The model must stay as simple as possible. Embed just enough information. + + **Keep it readable for most users** + + The model must be easy to understand. For this, adopt a business approach, i.e. make the model + user-friendly and close to real activities. This functional approach is essential to the + efficiency of data flows (synchronization/provisioning loop). Keep in mind that the aim is to + define a model close to the reality of the system. + + **Keep it open to changes** + + The model is going to change and evolve during the life of the application, to account for new + needs or changes. This must be considered too in the initial model to make future changes less + painful. + +Find at the bottom a procedure example about modeling the Active Directory. + +## Model Templates + +All templates are detailed with examples and schemas with the following key: + +![Schemas' Key](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_key.webp) + +During the technical modeling inside Identity Manager, these objects will become entity types, their +attributes will become scalar properties, the links between them will become navigation properties. + +### User + +#### Authorization mechanisms + +The User template is the most simple model for a connector, and used to represent a user directly +associated with a list of entitlements. + +Users are represented by the accounts they own, and entitlements are represented by resources. + +Permissions can be managed: + +- by resource, with a list of authorized accounts for each resource; +- by account, with a list of authorized resources for each account. 
+ +#### Model + +![User Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user.webp) + +Thus you need to create one entity type to represent either accounts or other resources. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are the keys and the property holding entitlements. It +means that: + +- if entitlements are managed by resource, then the entity type representing resources must have an + attribute (scalar property) containing the list of authorized accounts; +- if entitlements are managed by account, then the entity type representing accounts must have an + attribute (scalar property) containing the list of authorized resources. + +**Recommendation: categorize accounts in types** + +Some of the managed systems following this model offer predefined types of accounts, with a +pre-packaged set of authorizations (such as the `basic` user with read/write permissions on +non-sensitive resources, or the `admin` with higher privileges). + +Account types make modeling easier, as they bring another level of information about the +entitlements they contain. So we can embed more useful information in the model, thanks to an +attribute that represents the account type. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +#### Example - Canteen badges + +Canteen badges are a simple system handled with the User model. Indeed users can simply have among +their attributes the access authorization for a given building and a given time. Or also, instead of +creating an entity type for users, we can create an entity type for the badges. They would have in +their attributes their respective access location and time, and an attribute listing authorized +users. 
+ +![User Model - Canteen Badges Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-canteen.webp) + +#### Example - Mailboxes + +Mailboxes constitute a complex system, but IGA purposes require little information (only accounts) +so this system can too be handled with the User model, either through users and their entitlement +lists, or through mailbox entitlements and their lists of authorized users. + +![User Model - Mailboxes Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_user-mailbox.webp) + +### User-Group + +#### Authorization mechanisms + +The User-Group template is better suited to represent typical Role-Based Access Control +authorization mechanisms, where a user is authorized to perform an action according to their +account's membership to a specific group. Instead of groups, some systems talk about roles or +profiles: users are authorized to perform an action through a given role or profile which they are +assigned, instead of a group membership. It is all the same idea, and the User-Group template is +perfect for them too. + +Groups can also be categorized and grouped into larger groups. + +Users are represented by the accounts they own. + +#### Model + +![User-Group Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +Thus you need to create one entity type to represent groups (or roles or profiles) and one for +accounts. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between both entity +types, i.e. the navigation properties representing the group membership. 
+ +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +#### Example - SAB + +The SAB system handles authorizations using users and groups. A user is authorized to perform an +action according to their group membership. + +We define two entity types `SAB - User` and `SAB - Group`. We fill them with a few attributes useful +to manage entitlements in the SAB application. Finally, we add a navigation property in both entity +types in order to link `User` with `Group` with an "n-to-n" relationship. + +![User-Group Example - SAB](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sab.webp) + +#### Example - RACF + +The [RACF](https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-racf) connector is used to +manage critical entitlements on the mainframe. RACF is a complex system, but IGA purposes only +require information about accounts and groups, as entitlements are given by group membership. Thus +the system can be simplified to be managed by Identity Manager following the User-Group model. + +![User-Group Example - RACF](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_racf.webp) + +For RACF, Identity Manager provisions only the link between accounts and groups. + +#### Example - TSS + +The TSS connector is similar to RACF in its use, but manages fine-grained entitlements at a higher +level than RACF. TSS is at least as complex as RACF, and its connector follows a similar +simplification as RACF's. + +Identity Manager manages users (with their accounts) and groups called here profiles. 
Both users and +profiles are grouped into departments, themselves grouped into partitions. Entitlements are called +authorizations, and are linked to users through group (profile) membership. + +![User-Group Example - TSS](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss.webp) + +For TSS, Identity Manager provisions only the link between users and profiles. + +Identity Manager receives a write access for users and profiles, only a read access for the rest of +the model. It is interesting to keep the whole model for query goals such as listing a given user's +entitlements. + +**Recommendation: categorize accounts in types** + +Many of the managed systems following this model, just like the User model, distinguish between +several types of accounts. + +In further steps, you will be able to define one resource type per account type and map each one to +a role for assignment and provisioning. + +**Roles:** During +the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md)step for this +connector you can build roles based on the group-membership system represented by users and +profiles. Thus you will create navigation rules to represent the link between users and profiles. + +#### Example - SDGE + +The SDGE connector is used not to manage people but positions, so the application screens depend on +the user's position. In other words, Identity Manager is going to manage users' entitlements in SDGE +through their positions. + +The object `User` or `Account` from the template, which contains users' accounts, is called here +`Worker`. + +The object `Group` from the template is called here `Position` (grouped into organizations, +themselves grouped into organization types). It contains the way an entitlement is given, here +through a given position and wallet. 
+ +![User-Group Example - SDGE](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_sdge.webp) + +For SDGE, Identity Manager provisions only workers and the link between workers and positions. + +### Account-Profile-Transaction + +#### Authorization mechanisms + +The Account-Profile-Transaction model is better suited to represent a system, with the following +basic characteristics: + +- To be able to perform an action or read a piece of data, a user must be granted one or several + transactions. Transactions represent fine-grained entitlements. They can be associated to a type + and conditions that restrict their use, such as a maximum per day or a context of validity. +- Transactions are not assigned directly to an account, but are packaged into profiles, which are + then assigned to accounts, which are owned by users. +- Profiles can sometimes be classified into categories representing the sensitivity of the + transactions they contain. + > For example, profile categories can be `Privilege Profiles` for high privilege transactions on + > sensitive data, and `Technical Profiles` for technical transactions related to system + > administration. + +#### Model + +![Account-Profile-Transaction Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiletransaction.webp) + +Thus you need to create one entity type to represent accounts, one for profiles, and one for +transactions. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The only sensitive and required properties are those constituting the link between entity types, +i.e. the navigation properties representing the packaging of transactions into profiles on the one +hand, and the assignment of profiles to accounts on the other hand. 
You can potentially add a +navigation property in the `Profile` entity type in order to categorize profiles within larger +profiles. + +Instead of creating as many `Profile` objects as there are categories of profile, NETWRIX recommends +shaping the `Profile` object with a `category` attribute. Indeed, a multiple-object model +complexifies the addition of new profiles in the future. And as new profiles can be created in the +future though, then you must plan for it. + +For example, instead of modeling two artificial types of profiles called `PP` for "Privilege +Profile" and `TP` for "Technical Profile", prefer a single object `P` that represents all profiles +using a specific attribute to differenciate technical from privilege profiles. This way, the model +sticks to the real capacity of the technical tool and all use-cases are considered. + +See the schema below this note. + +![Profiles Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_profiles.webp) + +Transactions are not mandatory in a model. Most of the time, the profile packages are predefined +once and for all, or are the responsibility of the application owner. Then Identity Manager doesn't +need to manage the specific transactions for a profile directly inside the managed system. You can +hence avoid modeling transactions altogether. In this case, you fall back on the User-Group model +with a twist: if profile categories are relevant in the system's authorization mechanism, then you +must take them into account. + +#### Example - TSS + +The TSS connector is actually a mix of the User-Group and Account-Profile-Transaction models. The +User-Group part is explained above. + +![User-Group Example - TSS](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_tss-prof-trans.webp) + +Transactions are called here authorizations. 
+ +For TSS, Identity Manager provisions only the link between users and profiles. Transactions (and the +rest of the model) are only readable. + +### Star + +#### Authorization mechanisms + +The Star model is better suited to represent a system, where the ability to perform an action is +granted through the assignment of entitlements, based on several variable parameters, most often the +combination of a profile and at least one user data criteria. + +> For example, you might want to give certain entitlements only to users who have an administrator +> profile and work in Marseilles. + +As the parameter combination is not predetermined, the whole system can become highly complex with +the addition of data criteria. + +Users are represented by the accounts they own. + +**Comparison with other models:** while the User-Group model grants an entitlement via a group +membership, the Star model grants said entitlement via a special authorization linking the right +criteria altogether (i.e. the right profile and other user parameters). + +#### Model + +![Star Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_star.webp) + +Thus you need to create one entity type to represent accounts, one for each criterion, and another +one to represent the object linking acounts to criteria. + +Each entity type needs to be shaped with properties, chosen according to the data useful for +entitlement assignment. + +The difficulty of this model is to map everything to roles in the role model. In Identity Manager's +role model, one assignment is always one role. But in this case, in the managed system, an +assignment is a tuple of things. + +To map the tuple of things on a role, we have several choices: + +1. Create a role per possible combination of tuple of things. This can quickly get out of hand as + far as the number of created roles is concerned. +2. Use parametrized roles. 
The number of roles will be contained, but it is a little more + complicated to configure. + +The flexibility generated by parameters is particularly interesting for roles that incorporate +entitlements in a more complex way than application roles. If the information contained in a role is +complicated to deduce, then parameters can bring some clarity in the configuration. The objective is +always to minimize the number of distinct roles, and the number of roles that are assigned to one +given identity. + +#### Example + +Consider an application which manages entitlement assignment with different rules, according to +users' profiles, attachment areas and sites. Our example shows 4 profiles, 4 attachment areas and 3 +sites. So a user may be assigned a given entitlement for a given profile, attachment area and site. + +![Star Model Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_starmodel.webp) + +For this connector, Identity Manager provisions only the links between accounts and linking objects, +and the links between linking objects and each criterion. + +Concerning roles, integrators have two options: + +- either create a specific role for `Profile_i` with `AttachmentArea_j` and `Site_k` for all + available profiles, attachment areas and sites, which makes a total of 48 roles (for a quite + simple example); +- or create a single role with parameters for profiles, attachment areas and sites. + +## Procedure Example + +**Step 1: choose the connector model.** + +Let's say we are modeling an Active Directory, which handles authorization through the group +memberships of accounts. In other words, to assign an entitlement to an identity, we make the AD +account of said identity member of the corresponding AD group. That is exactly what the User-Group +template is designed to handle. See the Model the Data topic for additional information. 
+ +![User-Group Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_usergroup.webp) + +**Step 2: adapt the model to your reality.** + +We start by renaming the `Account` object as `AD_User` and the `Group` object as `AD_Group`. + +![AD Example - Step 1](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad-step1.webp) + +**Step 3: define useful data close to your reality.** + +We shape these objects with the following attributes: + +![AD Example - Step 2](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_ad.webp) + +**Step 4: ensure that all objects have unique keys.** + +Indeed we defined `objectGuid` as a key for both accounts and groups. + +**Step 5: ensure the guidelines' enforcement.** + +We could content ourselves with this model. The main benefit of this model is to closely mimic the +reality of the AD authorization mechanism. But we'd like to go a bit further, applying a "keep it +open to changes" approach. + +Observe the similarities between `AD_User` and `AD_Group`. There are many attributes repeating +between the two entity types. + +We can simplify: prefer a single object `AD_Entry` that can represent both users and groups. The +difference between the two types of object will be made clear via specific properties like +`objectCategory`, `member` and `memberOf`. + +Beyond avoiding repetition, this makes the model easily adaptable if new elements pop up. + +> For example, we could want to include computers or organizational units in the model in the +> future. Instead of creating two new additional objects `AD_Computer` and `AD_OU`, the existing +> object `AD_Entry` can represent them both at no additional modeling cost. 
Even though we could add +> `AD_Computer` and `AD_OU` without merging groups with entries, designing `AD_Entry` with all these +> attributes provides the means to add objects without creating new entity types. +> +> ![AD_Entry Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connector-modeling/connectormodel_adentry.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md new file mode 100644 index 0000000000..2fe39257fe --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md 
@@ -0,0 +1,72 @@ +# Organize Resources' Datasheets + +How to change the default display of the resource data from this entity type, by creating display +groups. + +## Overview + +Here you will learn how to change how a resource's data is organized in the UI, by creating display +groups. + +If you do not add display groups, Identity Manager displays the data of this entity type's resources +in alphabetic order. + +> For example, for an HR user without any display groups: +> +> ![Without Display Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_without_v603.webp) + +## Organize Resources' Datasheets + +Organize resources' datasheets by proceeding as follows: + +1. Start by creating the entity type with its scalar properties and keys. See the + [ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) and + [ Select Primary Keys ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) topics for additional information. +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Display** tab. + + ![Display Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_v603.webp) + +4. Click on the arrow to see the entity type's properties listed in the alphabetical order, and drag + and drop the properties to customize the order. + + > For example: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example1_v603.webp) + +5. 
When needing to group properties together, click on **Add Display Group**, fill in the fields and + select from the pop-up window the properties to be grouped. + + ![Display Group Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_fields_v603.webp) + + - `Identifier`: must be unique among display groups, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property group. + > For example: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2_v603.webp) + > + > The entity type's resources would look like: + > + > ![Display Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/entitytypecreation_displaygroups_example2results_v603.webp) + +6. Click on **Save & Close**. + + Changes in display groups won't take effect until the next + [ Update Entity Property Expressions Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. 
+ +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md new file mode 100644 index 0000000000..32f4b3ff77 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md 
@@ -0,0 +1,76 @@ +# Set Resources' Display Names + +How to change the value of the display name for resources of an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here you will learn how to change a resource's display name, which is the name used by the UI to +identify a resource of an entity type. Its value is computed from existing properties. For example +for the entity type `HR - User`, integrators may set the display name to: +` - `. + +![Display Name - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displaynameexample_v600.webp) + +If you do not set your own display name, Identity Manager provides a default value based on the +first scalar property after alphabetizing all the properties whose name contains `name`. + +## Set the Resource's Display Name + +Set the resource's display name by proceeding as follows: + +1. Start by creating the entity type with its calar properties and keys. See the + [ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) and + [ Select Primary Keys ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) topics for additional information. +2. Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the + top right corner. +3. On the entity type's definition page, click on the **Settings** tab. + + ![Display Name - Property Path](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_displayname_v603.webp) + +4. Set the display name. 
As a display name, you can use either the value of an existing property, or + compute [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) based on + existing properties. + + > A resource from `AD - Entry` can be displayed using its `userPrincipalName` with predefined + > functions. + > + > ![AD Entity Type - Display Name](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4_v602.webp) + > + > ![AD Entity Type - Display Name Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplead4-result_v602.webp) + + > Another example from the HR connector (User entity type): + > + > ![HR User Entity Type - Display Name](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr_v602.webp) + > + > ![HR User Entity Type - Display Name Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_examplehr-result_v602.webp) + +5. Click on **Save & Close**. + + Changes inside connectors won't take effect until the next + [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md). More specifically, changes in display + names won't take effect until the next + [ Update Entity Property Expressions Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/server/updateentitypropertyexpressionstask/index.md) + runs. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. 
It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Troubleshooting + +If no property appears in the display name auto-completion, then: + +![No Property](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/entitytypecreation_troubleprop_v602.webp) + +Ensure that the created properties are saved by clicking on **Save & Close** > **Save** at the top +right corner of the screen. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md new file mode 100644 index 0000000000..4473fa5a63 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md 
@@ -0,0 +1,81 @@ +# Create the Entity Type + +How to create the technical container of an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md). + +## Overview + +Here, you will learn how to create an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md): +the shell that harbors the (scalar and navigation) properties which describe a given set of +resources related to one managed system. + +## Create the Entity Type + +Create the entity type by proceeding as follows: + +1. Access the connector's page by clicking on the **Connectors** button on the home page in the + **Configuration** section, then on the relevant connector. + + ![Home page - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the connector's page, in the **Entity Types** frame, click on the addition button. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +3. Fill in the information fields. + + ![Entity type creation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_entitytypecreation_v602.webp) + + - `Identifier`: must be unique among entity types, without any whitespace, and be C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + NETWRIX recommends using `_` in the singular. + - `Name`: will be displayed in the UI to identify the entity type. + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the entity type in the left menu of the home page. 
+ - `Auto Complete in Pickers`: can be set once properties are created (and saved) so that, when + using a searchbar for selected properties, Identity Manager suggests existing entries. + +4. In the entity type's **Properties** section, choose a source so that the connection provides the + source's data structure. + + ![Properties' source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + + > Let's use the example of an AD connector. We create an entity type `AD - Entry` to gather the + > valuable information from the AD, i.e. all the AD entries (groups and accounts) which we want + > to classify, with the properties that are useful for assignment management. + > + > The AD connector uses as a source `Connection Active Directory - entries`. Its structure was + > retrieved when we refreshed the schemas of the `Active Directory` > + > [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md), thus retrieving the attributes from + > the Active Directory and storing them temporarily on the agent side, inside CSV files. + +## Next Steps + +To continue,[ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)for this entity +type. + +## Troubleshooting + +If there are no connection tables available in the **Source** dropdown list of an entity type, then: + +![Properties' source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_propertiessource_v522.webp) + +Ensure that there are existing connections: + +- if this is the case, then click on **Refresh all schemas** on the connector page, and verify that + there is no error. 
See the [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) topic for + additional information. +- if not, then you must create at least one connection. + +If there is a message stating to refresh the connection's schema, then: + +![No Connection Table Error](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/entitytypecreation_troubleshootingschema_v603.webp) + +Start by making sure that the connection's schema is refreshed by clicking on **Refresh all +schemas** on the connector page, and verify that there is no error. + +If the message is still displayed, then it means that the previously selected connection table no +longer exists in the managed system. In this case, either the table's name simply changed, or the +table is not relevant anymore. Then you should find a relevant table in the **Source** dropdown +list. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md new file mode 100644 index 0000000000..2afe7695f2 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md 
@@ -0,0 +1,67 @@ +# Create an Entity Type + +How to create an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) +that corresponds to the connector model. + +## Overview + +An entity type is a model of a managed system's data. It defines the shape of the associated +resources (instances of said model) and not the intent (that would be a resource type. See the +[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for +additional information. It defines a set of properties describing said resources and linking them +together. + +In other words, an entity type is supposed to model the representation of a certain group of +resources inside Identity Manager. It is a relational model, made of properties +([ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)) and links between entity types +([ Define Navigation Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)), both described later. + +![Entity Type - Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytypecreation_schema.webp) + +The configuration of entity types depends entirely on the previously established +by[ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). + +Entity types will impact the import of the managed system's resources, and the way said resources +are displayed in the UI. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +purpose of the application. 
+ +| Input | Output | +| --------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| Connection (required) Refreshed schemas (required) Connector's data [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) | Entity type | + +See the [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) and +[ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) topics for additional information. + +## Create an Entity Type + +Create an entity type by proceeding as follows: + +1. [ Create the Entity Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. [ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md)to be used in the entity type. +3. Choose the [ Select Primary Keys ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md) and key properties which will identify + resources. +4. Define [ Define Navigation Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md)if applicable. +5. Customize the [ Set Resources' Display Names ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md) for the entity + type's resources. +6. Organize the [ Organize Resources' Datasheets ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/datasheet-organization/index.md) for the entity + type's resources in Identity Manager. 
+ +For some connectors, Identity Manager provides a template to automatically create a basic +configuration. See below this note. + +> For example, the Active Directory template automatically creates an AD entity type and two +> resource types for a standard AD connector. The template is available for a connector with an AD +> connection but no entity types. +> +> ![Entity Type - AD Template](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entitytype_template_v602.webp) + +## Verify the Entity Type + +Changes will take effect once you have launched synchronization. Therefore, in order to verify the +process, follow the verification procedure indicated +to[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md new file mode 100644 index 0000000000..1e417ef534 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md 
@@ -0,0 +1,117 @@ +# Select Primary Keys + +How to choose its keys and an +[ Entity Type Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/entitytypemapping/index.md)key +in order to uniquely identify the +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources at different points in a resource's lifecycle. + +## Overview + +Here you will learn how to select keys from among the entity type's scalar properties, in order to +ensure the unique identification of resources at different times. + +It is important to show caution when choosing the mapping key and key properties for a set of data. +Every extracted resource must have unique keys in order to be uniquely identified in all IGA actions +performed by Identity Manager. + +### Key properties + +The key property of an entity type is a property chosen from among scalar properties. A key property +is used only in the XML configuration, but required when working both from the UI or from the XML +configuration. + +The purpose of key properties is to uniquely identify a resource from the entity type in the XML +configuration. In particular, some rules need to fetch a resource, by querying the key property's +column in Identity Manager's database. + +> For example a navigation rule involving an AD group can be written: +> +> ``` +> +> +> +> ``` +> +> Identity Manager needs to know what column to query to find the right resource via +> `CN=SG_APP_AG002...`. In this example we must choose `dn` as a key property because it is the `dn` +> property we use to represent the AD resource. + +Key properties must be unique and immutable. They do not have to be immutable but they must enable +resources to be uniquely identifiable at t time. 
+ +> The `dn` attribute of a resource in the Active Directory usually depends on the resource's +> position, which often changes during the resource's lifecycle. However, `dn` is unique at a given +> time, and rather useful to define for example query rules for `parentdn`. + +Only one key property is required, but using several key properties can sometimes help with the +rules in the XML configuration. Identity Manager will search the columns of each key property, one +by one, until a corresponding resource is found. + +> For example, the AD's unique identifier is `objectGuid`. However, integrators may prefer to use +> `dn` because it constitutes a clearer group identification from a user's point of view. Plus, +> `objectGuid` is environment-specific so using it can complexify a situation where we want to move +> the configuration from an environment to another. +> +> Since an `objectGuid` can still be an interesting identifier, we want to have both the `dn` and +> the `objectGuid` as key properties. In this case, Identity Manager will be able to fetch a +> resource in a rule using said resource's `dn` or `objectGuid`. + +### Mapping key + +The mapping key is also chosen from among scalar properties, and serves to uniquely identify any +resource during the[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md). It must be unique and +immutable, i.e. must not change during the whole lifecycle of the resource. + +> A mapping key cannot be based on properties subject to change, such as the display name of any +> object, or users' title which could be renamed. +> +> For example, resources from the AD are usually identified through the `objectGuid` attribute which +> is therefore specified as mapping key. 
+ +Commonly used mapping keys are: + +- `objectGuid` for the Active Directory +- `objectid` for Microsoft Entra ID +- `entryUuid` for LDAP +- `Identifier` for the directory +- `Login` for SAB +- `sapid` for SAP +- `sys_id` for ServiceNow +- `EmployeeId` for the HR + +Since the mapping is able to uniquely identify any resource, NETWRIX recommends that your mapping +key is always part of your key properties. + +## Select the Entity Type's Keys + +Create an entity type by proceeding as follows: + +1. Start by defining the entity type's scalar properties. See the + [ Define Scalar Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) topic for additional + information. + + ![Keys](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_keys_v522.webp) + +2. In the entity type's **Properties** section, choose the key properties. +3. Choose the mapping key. +4. Click on **Create & Close** > **Create** to save your changes. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. 
+ +## Next Steps + +After the entity type is created with its scalar properties and keys, you can +[ Define Navigation Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) and/or +[ Set Resources' Display Names ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md new file mode 100644 index 0000000000..1511dc6706 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md 
@@ -0,0 +1,163 @@ +# Define Navigation Properties + +How to define the properties which describe the +[Entity Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +relationships to other entity types. + +## Overview + +Here you will learn to define navigation properties, which contain scalar values just like scalar +properties, but which are also linked to and point to other properties—from the same entity type or +to another entity type. +See the [Define Scalar Properties](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md) topic for additional +information. + +> For example, `memberOf` can contain a list of groups, thus linking a user to groups, and a group +> to other groups. In the UI, `memberOf` is displayed just like scalar properties, but you can click +> its values to access each group in the list. Here for the AD entry `ADM Vidal Pierre`: +> +> ![Navigation Property - memberOf](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_memberof_v600.webp) +> +> Clicking on one of these groups will display the group’s properties, including the other side of +> the `memberOf` property—called `member`—which contains the list of users and groups who are +> members. Example: `SG_APP_RAY_0_LDAP_READLDSFEDE`: +> +> ![Navigation Property - member](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_member_v600.webp) + +> As another example, a department is linked to a manager who is an existing user. The user +> identifier is used in the `Manager` property to create the link between department and manager. 
In +> the UI, `Manager` is displayed like scalar properties, but you can click it to access the +> manager’s page: +> +> ![Navigation Property - Manager](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_manager_v600.webp) +> +> Clicking the manager displays their properties, including the `Department` property, which points +> back to the managed department: +> +> ![Navigation Property - Managed Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_managerof_v600.webp) + +Navigation properties can create a link: + +- inside an entity type; +- between two entity types from the same connector; +- between two entity types from different connectors. + +Inside Identity Manager, a navigation property has a flip side—one for each linked element. + +For example, in AD: + +- `member`: for groups (contains a list of users) +- `memberOf`: for users (contains a list of groups) + +Some systems only expose one side. +For example, AD only exposes `member` on groups. Users don’t have `memberOf`. +But Identity Manager links both sides, translating the info to simulate bidirectionality. + +When importing from AD, `member` updates Identity Manager's `member`, which then updates `memberOf`. + +Most properties in Identity Manager are linked to those in the managed system so data can be +imported and stored correctly. These mappings are configured in Step 3 below. + +If a property doesn’t exist in the source system, you can still create it using **+ Add a navigation +property**. +This is useful for storing internal-use data that the connected system can’t read or write. + +--- + +## Define the Entity Type's Navigation Properties + +Define navigation properties by following these steps: + +1. 
Start by declaring an [Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the entity type's **Properties** section, click on the **Navigation Properties** tab. +3. Click **Map a navigation property** to display existing columns from the external source, then + select the ones to use. +4. Fill in the information fields: + + ![Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_navigationproperties_v602.webp) + + If you map a column from the source, the first line is for the source column, and the second is + the new navigation property in Identity Manager (always in the entity type). + +### Application Metadata Fields + +- `Identifier`: Unique, no whitespace, must be C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure) +- `Entity Type`: Always refers to the entity type of the second property. +- `Storage Indicator`: Describes the association: + + - **Mono-valued** (1:1 or many:1) + - **Multi-valued** (1:many or many:many) + + Identity Manager can store up to 25 optimized mono-valued nav properties. Prioritize: + + 1. Properties used in forms/search bars + 2. Properties used in expressions/role models + 3. Others + +- `Name`: Displayed in the UI. + + **Conventions:** + + - Mono-valued → singular + - Multi-valued → plural + - Names/IDs cannot be "Id" + +### External System Fields + +- `Source`: Source connection for the data. + + - Auto-select from the mapped source + - Choose from other entity types in the same connector + - Use the search icon to select across connectors + +- `Source Column`: Column where data comes from +- `Column Content`: Which attribute (e.g. 
`dn`, `id`) to use for matching resources + +> Example: If the source column `manager` contains user `dn`s, select `dn` as source content. + +> Common AD navigation properties: +> `Entries`, `assistant`, `assistantOf`, `manager`, `directReports`, `memberOf`, `member`, +> `parentdn`, `children` + +> ![AD Entity Type - Navigation Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/entitytypecreation_examplead3_v603.webp) + +5. Click the gear icon to access advanced settings: + + ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: Choose from [Microsoft icon set](https://uifabricicons.azurewebsites.net/) + - **Source Expression**: Define using a property path or + [expression](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) + + > Example: Scalar `isUnused` created by combining `accountExpires` and `lastLogonTimestamp` + > + > ![Source Expression Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: Adds advanced search matching + - `History Precision`: Set how often property history is recorded + + > Example: `lastLogonTimestamp` changes often. Without limiting historization, the database + > fills quickly. + > Set `History Precision` to 1 week (10080 min) to only record weekly changes. + +Clicking **Continue** closes the window but **does not save** the configuration. + +--- + +## Reload + +After saving, a green banner reminds you to reload the schema. +It’s not necessary after every step—but is **required after the final step** to apply changes. 
+ +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button ensures updates appear in the menu links on the UI home page. +You’ll find it either in the banner or on the connector dashboard. + +--- + +## Next Steps + +Once the entity type is defined—with scalar properties, keys, and navigation properties—you can +[Set Resources' Display Names](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/display-name-setting/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md new file mode 100644 index 0000000000..6371ff6ca0 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/index.md 
@@ -0,0 +1,156 @@ +# Define Scalar Properties + +How to define the simple, or scalar, properties of an +[ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md)'s +resources. + +## Overview + +Here you will learn how to define scalar properties, which contain scalar values, mostly based on +the properties from the corresponding managed system. + +> For example: `DisplayName`; `Email`; `Identifier`; `StartDate`; etc. +> +> ![Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarex_v600.webp) + +Most often, properties inside Identity Manager are each linked to a property from the managed +system. This way, data from the managed system can be imported into Identity Manager and stored in +the corresponding property. These properties are mapped from the source (see step 2). + +If the property to be created does not exist in the external source, it is impossible to map the +property, but it can still be created with **+ Add a scalar property**. + +This can be used to store data needed for assignment management, but which you cannot write to the +connected system. Since these properties do not exist in the connected system, they cannot be +written or read. + +For example, we may need to create in the AD the property `isUnused` to spot unused accounts. It +would be configured with a C# expression based on other properties from the same entity type. These +properties, such as `accountExpires` and `lastLogonTimestamp`, are each linked to a property from +the AD, while `isUnused` is for governance and surveying AD accounts. + +Such properties do not exist in the AD, and thus will never be written to the AD, nor overwritten by +any property from the AD, but will be recalculated based on the other properties. 
+ +## Define the Entity Type's Scalar Properties + +Define the entity type's scalar properties by proceeding as follows: + +1. Start by declaring the [ Create the Entity Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/entity-type-declaration/index.md). +2. In the entity type's **Properties** section, click on **Map scalar properties** to display + existing columns from the external source, and select the properties to be used in the entity + type. + + ![Map from source](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertiesmap_v602.webp) + + You need to configure at least one property to be able to define primary keys later, and thus + create an entity type. + +3. Fill in the information fields. + + ![Scalar properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarproperties_v603.webp) + + - **APPLICATION METADATA**: fields about the future display of the properties inside Identity + Manager. + + - `Identifier`: must be unique among properties, without any whitespace, and be + C#-compatible. + [See Microsoft lexical structure](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/lexical-structure#see-microsoft-lexical-structure). + - `Name`: will be displayed in the UI to indicate the property. + + Entity properties' names and identifiers cannot be "Id". + + - `Format`: format used for the property's display in Identity Manager, for search tools and + computation based on said property. Do not keep the default string format if the property + is not a string. 
See the + [ References: Format for the EntityPropertyMapping ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/entitypropertymapping-format/index.md) + topic for additional information. + + > For example, dates, booleans, integers, etc. + + For one entity type, Identity Manager can store up to 128 scalar properties of any + format, and an unlimited number of binaries which are stored differently. Among these + 128 properties, only 4 can be formatted as more-than-443-character strings (with a limit + of 4,000 characters), and 124 as less-than-443-character strings. + + - **EXTERNAL SYSTEM**: fields about the corresponding properties inside the connected system. + + - `Source Column`: column in the external system where the property data comes from. + Advanced settings can be configured according to the description below. + - `Format`: for mapped properties, format used to convert a value during export and fulfill + from Identity Manager to the connected system, whenever different from a string. + > To continue with the `AD - Entry` entity type, we map all the properties we need: + > + > `accountExpires`; `c`; `cn`; `comment`; `company`; `department`; `description`; + > `displayName`; `division`; `dn`; `employeeId`; `employeeNumber`; `employeeType`; + > `extensionAttribute10`; `extensionAttribute11`; `givenName`; `groupType`; + > `homeDirectory`; `homeDrive`; `initials`; `l`; `lastLogonTimestamp`; `mail`; `mobile`; + > `objectCategory`; `objectGuid`; `objectSid`; `ou`; `pwdLastSet`; `rdn`; + > `sAMAccountName`; `scriptPath`; `sn`; `st`; `telephoneNumber`; `thumbnailPhoto`; + > `title`; `uid`; `userAccountControl`; `userPrincipalName`; `whenCreated`. + > + > We create the properties that do not exist in the external system: `AppName`; + > `businessCategory`; `isUnused`; `thumbnailPhotoTag`. 
+ > + > Some of them have a specific format in case of provisioning to the managed AD like + > `thumbnailPhoto` of format `Binary` or `objectCategory` as `RDN` or `pwdLastSet` as + > `1601 Date`. + > + > ![AD Entity Type - Scalar Properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_examplead2_v602.webp) + +4. Click on the Gear symbol to add advanced settings if needed. + + ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_propertiessettings_v602.webp) + + - `Icon`: can be chosen from [Microsoft's list](https://uifabricicons.azurewebsites.net/) and + will be displayed with the property among users' data. + - **Source Expression**: expression that defines the property based on at least one source + object. Can be defined by a property path and/or + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md). + + > For example, `isUnused` is created to spot unused accounts via a combination of + > `accountExpires` and `lastLogonTimestamp`: + > + > ![Advanced Settings](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_sourceexpressionexample_v60.webp) + + - `Flexible Comparison Expression`: expression that inserts adaptable comparison flexibility + when using a searchbar for the property. + - `History Precision`: time period over which Identity Manager historically records only one + value. + + > For example, the `lastLogonTimestamp` property of an AD resource is modified every time + > the user connects to the application. Every modification triggers the historization of all + > properties for said resource inside the database. Hence, the database can quickly become + > full of data. 
In order to lighten the database, we can set the `History Precision` option + > to one week (10080 minutes) so that resources are historized once a week at most + > (concerning changes on `lastLogonTimestamp`). In the meantime, in case of a change, + > instead of historizing resources with all their properties, only `lastLogonTimestamp` is + > updated with the new value. + + Clicking on **Continue** closes the pop-up window so that you can continue the configuration of + the entity type. But it does not save anything. + +## Reload + +Every time an entity type mapping is modified and saved, a green pop-up appears saying that you +should reload the schema to implement the changes. You do not need to click on the button every +time. It is essential though to reload after the final changes are made. + +![Reload](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/entitytypecreation_reload_v522.webp) + +The **Reload** button mostly enables your changes to appear in the menu items, which configure the +left menu links on the UI's home page. + +You can find the **Reload** button either on the green warning, or on the connector's dashboard. + +## Next Steps + +Before saving, you must first[ Select Primary Keys ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/key-selection/index.md)for the entity type. + +## Troubleshooting + +If the Format column is not displayed in the External System part, then: + +![Scalar properties](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/entity-type-creation/scalar-property-definition/entitytypecreation_scalarpropertieswithoutformat_v522.webp) + +Refresh the connections' schemas. 
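Review bot: in entity-type-creation/entity-type-declaration/index.md, the `Identifier` bullet under step 3 ends with "NETWRIX recommends using `_` in the singular", which reads as a naming pattern that has lost everything except its separator. Restore the intended pattern or drop the sentence. The same bullet links to the Microsoft lexical-structure page with the fragment `#see-microsoft-lexical-structure`, which is only the link text slugified; check that it resolves to the section on identifiers. In the AD example, "`Active Directory` > [Create a Connection](...)" puts a topic link where the name of the connection was expected.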
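Review bot: in entity-type-creation/index.md, the first Overview paragraph opens a parenthesis at "(that would be a resource type." and never closes it, so the following "It defines a set of properties" can be read as describing the resource type instead of the entity type. Close the parenthesis after "resource type" and move the "See the ... topic" sentence to the end of the paragraph. Further down, "depends entirely on the previously established by[ Model the Data ]" is missing its noun, and steps 3 to 6 read "Choose the [ Select Primary Keys ]", "Define [ Define Navigation Properties ]" and so on, because topic titles were substituted for the link text.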
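Review bot: in entity-type-creation/key-selection/index.md, under "Key properties", the line "Key properties must be unique and immutable." is contradicted by the next sentence, "They do not have to be immutable", and by the `dn` example that follows. These keys decide which resource a rule fetches, so state the requirement once: unique at a given time for key properties, unique and immutable for the mapping key. The fenced block in the navigation-rule example is empty, so the `CN=SG_APP_AG002...` reference below it has nothing to point at. The "Select the Entity Type's Keys" section opens with "Create an entity type by proceeding as follows", and "Since the mapping is able to uniquely identify any resource" should say "mapping key".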
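Review bot: in entity-type-creation/navigation-property-definition/index.md, the numbered procedure stops at step 4, is interrupted by the `### Application Metadata Fields` and `### External System Fields` headings, and resumes at "5. Click the gear icon", so step 5 is detached from the list and the field descriptions no longer belong to step 4. Indent the field descriptions under step 4, as the scalar-properties page does, or renumber. The example says "select `dn` as source content" while the field is named `Column Content`. The AD paragraph says "Users don't have `memberOf`" a few lines after the Overview shows `memberOf` on the AD entry `ADM Vidal Pierre`; say explicitly whether each statement refers to the source system or to Identity Manager.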
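Review bot: in entity-type-creation/scalar-property-definition/index.md, the Overview says "we may need to create in the AD the property `isUnused`" while the next paragraph says such properties "do not exist in the AD, and thus will never be written to the AD". Reword to "create in the AD entity type" so it is clear the governance flag lives only in Identity Manager. The storage limits under `Format` describe "more-than-443-character" and "less-than-443-character" strings and leave a string of exactly 443 characters undefined. In step 3, the blockquote starting "> To continue with the `AD - Entry` entity type" follows the external-system `Format` bullet with no blank line between them.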
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md new file mode 100644 index 0000000000..16b8c82b02 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md 
@@ -0,0 +1,165 @@ +# Connect to a Managed System + +How to create a new +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +using the provided SaaS agent. See the +[ Architecture ](/docs/identitymanager/saas/identitymanager/introduction-guide/architecture/index.md) topic for additional +information. + +Identity Manager provides demo applications +([Run the Banking Demo Application](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-banking/index.md) +and +[Run the HR Demo Application](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/how-tos/demoapp-hr/index.md)) to +help set up connectors, test them, and understand Identity Manager's abilities towards external +systems. + +## Overview + +Connectors are the mechanisms that enable Identity Manager to read and write data to/from your +organization's systems. The feedback mechanism ensures Identity Manager's reliability. + +In this documentation, we talk about managed systems (sometimes called external systems) to refer to +third-party applications, i.e. the applications used in your organization, such as Active Directory, +ServiceNow, EasyVista, SAP, SharePoint, etc. + +A connector, therefore, acts as an interface between Identity Manager and a managed system. + +![Connector Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectorschema.webp) + +NETWRIX strongly recommends the creation of one connector for one application. + +> For example, integrators may create an `AD` connector with the goal of importing an Active +> Directory's data into Identity Manager, and writing to the Active Directory from Identity Manager, +> either manually for administration accounts, or automatically for basic accounts. 
+> +> Integrators may create a `SharePoint` connector in order to manage read and write entitlements for +> users in SharePoint. + +### Data Flows + +In the early steps of a project, we'll consider most of our connectors to be outbound, i.e. Identity +Manager will feed data into connected managed systems. + +![Outbound System=](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_outbound.webp) + +In this case, data flows between Identity Manager and the managed system are also called: + +- synchronization in the "managed system-to-Identity Manager" direction; +- provisioning in the "Identity Manager-to-managed system" direction. + +For a connector's synchronization, Identity Manager provides tools to perform a basic extraction of +the system's data in the form of CSV files. These files are cleaned and loaded into Identity +Manager. In other words, synchronizing means taking a snapshot of the managed system's data and +loading into Identity Manager. + +For provisioning, Identity Manager generates provisioning orders and the connector provides tools to +either automatically write these orders to the managed system or to create a ticket for manual +provisioning. + +> For example, we can use the data from Identity Manager's Identity repository to fill in later the +> AD's fields, such as users' display names based on their first names and last names from the +> repository. See the [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) +> topic for additional information. + +Identity Manager can also benefit from inbound connectors, that will write data to Identity +Manager's central identity repository. While both inbound and outbound connectors allow data to flow +both ways, they do not work in the same manner. + +### Technical principles + +Identity Manager's connectors all operate on the same basic principles. 
Technically speaking: + +> For example, let's say that we want to connect Identity Manager to our Active Directory, or AD. + +- a connector must be created, first as a named container which will include the connections and + entity types related to one managed system; + + > We create a connector named `AD` (so far, an empty shell). + +- a + [ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) + is linked to an agent which acts as the go-between for Identity Manager's server and the managed + system; + + > Our `AD` connector uses the provided SaaS agent. + +- a + [ Connection ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connection/index.md) + describes the technology used that enables data to flow back and forth between Identity Manager + and the managed system; + + > We want to use a connection `Directory/Active Directory` to perform synchronization and + > automated provisioning, and a second connection `Ticket/identitymanager` to perform manual + > provisioning through Identity Manager. + + You can find standard connections dedicated to one application (AD, Microsoft Entra ID, etc.), + and generic connections to communicate with any application (CSV, Powershell, RobotFramework, + SQL, etc.). + +- the shape of the extracted managed system's data is modeled by + [ Entity Type ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/metadata/entitytype/index.md) + (we will use the term resource to refer to an entity type that has been instantiated); + + > We create a single entity type `AD - Entry` which contains all the attributes that will + > describe its resources, i.e. AD groups and users. The attributes include the department, the + > employee identifier, the manager, the group membership (`member`/`memberOf`), the dn, the + > parent dn, etc. 
+ +- the intent of resources within the managed system is made clear by categorizing resources into + [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md). See the + [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + + > We categorize AD resources into distinct resource types: `AD User (nominative)` for basic + > accounts, which we want Identity Manager to provision automatically; + > `AD User (administration)` for sensitive administration accounts, which we want to provision + > manually through Identity Manager. + +![Connector Technical Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/connect-system/connectorcreation_connectortechnicalschema.webp) + +A connector requires at least one connection and one entity type. + +When provisioning a managed system, the corresponding connector also needs at least one resource +type. + +**Local vs. Saas agents:** To simplify things, Identity Manager has made it possible to start +configuring connectors without installing a local agent in your organization's network. Instead, you +can use the agent integrated with Identity Manager's server in the Cloud (SaaS agent). + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +functional and technical details of the application. 
+ +| Input | Output | +| ----------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| Administrator account for the Development Environment (required) Identity repository (required) User Profile (required) | Connector Connected System | + +See the [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md) +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md), and +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topics for additional +information. + +## Create a Target Connector + +For one managed system, create a connector by proceeding as follows: + +1. Outside Identity Manager, [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md). +2. [ Create the Connector ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) for said managed system. +3. Enable the technical transfer of data by creating and configuring + [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md). +4. Set up [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) to represent the data model decided + upon in step 1. + +**Connector modification:** The process for modifying a connector is not so different from the +process for creating a connector, as you mainly modify the fields specified during creation. +However, keep in mind that a connector must be deactivated before modification, in order to withdraw +the connector's synchronization- and provisioning-related tasks from any jobs. 
See below this note. + +You can activate the connector again at any time using the same button. + +![Jobs Results Dashboard](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +## Next Steps + +Once the connector has been created, you can start +to[ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md new file mode 100644 index 0000000000..83d8ffe73c --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md 
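Review bot: In connect-system/index.md, the "Connector modification" note ends with "See below this note." and "using the same button", but no button is named anywhere in the page and the only thing below is a screenshot titled "Jobs Results Dashboard". State explicitly where the deactivation control is and what it is called, since deactivation is presented as a prerequisite for editing a connector. Separately, several sentences use the target page title as link text where a noun is expected ("categorizing resources into [ Create a Resource Type ]", "creating and configuring [Create a Connection]", "Set up [Create an Entity Type]"); reword so the sentence reads correctly. Smaller items: the alt text "Outbound System=" has a stray "=", "Saas agents" should match "SaaS" used elsewhere in the page, the Input table cell runs three required items together with no separator, and the "See the ... topics" sentence is missing a comma between the first two links.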
@@ -0,0 +1,38 @@ +# Install the Development Environment + +How to connect to Identity Manager's SaaS environment to set up the development environment. + +When using Identity Manager's on-premise option, follow the procedure of installation of the +bootstrap version. See the [ Quick Start Guide](/docs/identitymanager/saas/identitymanager/installation-guide/quick-start/index.md) +topic or additional information. + +## Overview + +The installation of Identity Manager's production environment usually takes time, while we want to +start configuring at once. + +This is why Identity Manager offers a bootstrap version of the application, useful as a development +environment. + +## Participants and Artifacts + +Integrators must be in contact with Netwrix Identity Manager (formerly Usercube) to be able to get +infos about the SaaS tenant URL and authentication. + +| Input | Output | +| ----- | ----------------------- | +| - | Development environment | + +## Install the Development Environment + +The documentation is not yet available for this part and will be completed in the near future. + +## Verify Environment Installation + +In order to verify the process, try to authenticate to Identity Manager server, and access the +configuration screens. + +## Next Steps + +Once the development environment is ready, integrators can start to +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md). diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/index.md new file mode 100644 index 0000000000..59bab6841d --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/index.md 
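Review bot: In development-environment-installation/index.md, the section "## Install the Development Environment" contains only "The documentation is not yet available for this part", so the following "Verify Environment Installation" section has no procedure to verify. Either describe at minimum what the integrator receives (the page says the SaaS tenant URL and authentication information come from Netwrix) and how they first sign in, or hold the page back from the Set Up index until the steps exist. The Overview also describes the bootstrap version, which the introduction ties to the on-premise option, while the page is introduced as the SaaS procedure; make clear which one this page covers. Typo in the introduction: "topic or additional information" should read "topic for additional information".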
@@ -0,0 +1,129 @@ +# Set Up + +- [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md) + + How to connect to Identity Manager's SaaS environment to set up the development environment. + +- [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) + + How to initiate the repository for workforce identities by loading identities into Identity + Manager with the right attributes. + +- [ Configure Unique Property Generation ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) + + How to configure Identity Manager to generate unique identifiers, mails and logins for any user + who does not have them already. + +- [Load Identities to Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) + + How to load identities into Identity Manager for the first time using a basic data model in the + form of a template MS Excel file. + +- [Template Description](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md) + + Description of the MS Excel template for the creation of the identities repository. + +- [ Adjust the Workforce Data Model ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) + + How to select the properties to be part of the data model for the workforce repository + (therefore displayed in the UI), and choose their optimal displaying mode. + +- [ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) + + How to tweak the permissions for actions within Identity Manager, for a standard set of basic + Identity Manager profiles. 
+ +- [ Configure Onboarding Workflows ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-workflows/index.md) + + How to adjust the parameters of onboarding workflows. + +- [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) + + How to create a new connector using the provided SaaS agent. + +- [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) + + How to choose the appropriate model for a connector's data. + +- [ Create the Connector ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-declaration/index.md) + + How to create the technical container of a connector. + +- [Create a Connection](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connection-creation/index.md) + + How to create a connection inside a connector and choose the appropriate package. + +- [Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) + + How to create an entity type that corresponds to the connector model. + +- [ Synchronize Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md) + + How to launch data synchronization, i.e. read managed systems' data and load it into Identity + Manager. + +- [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) + + How to correlate managed systems' resources with identities, classifying resources into resource + types. + +- [ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) + + How to create the container for future correlation and classification rules inside a given + managed system. 
+ +- [ Correlate Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/correlation/index.md) + + How to define correlation rules to match up resources across systems, usually accounts with + their owner. + +- [ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) + + How to define classification rules in order to classify remaining uncorrelated resources, + assigning them resource types. + +- [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) + + How to define scalar rules, navigation rules and/or query rules to compute and provision target + resources values from source resources values. + +- [ Create Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md) + + How to define resource type rules to create new (target) resources for given users, computing + and provisioning their properties based on source resources. + +- [Compute a Scalar Property](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) + + How to define scalar rules to compute and provision the values of scalar properties for target + resources based on source resources. + +- [ Compute a Navigation Property ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md) + + How to define navigation rules and/or query rules to compute and provision the values of + navigation properties for target resources based on source resources. + +- [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) + + How to define single roles to model entitlements, and organize them inside the role catalog, + basis of the role model. 
+ +- [ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) + + How to create role naming rules, which create single roles using existing naming conventions + from the managed system. + +- [ Create a Category ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) + + How to structure roles into categories. + +- [Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) + + How to create single roles manually. + +- [Assign Users a Profile](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md) + + How to assign Identity Manager's access permissions to users through profiles. + +- [ Manage Role Officers ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/role-officer-management/index.md) + + How to manage role officers in order to ensure the approval for entitlement assignments. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md new file mode 100644 index 0000000000..9408432aa6 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md 
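Review bot: In set-up/index.md, every entry is a top-level bullet, so the parent/child relationship visible in the link paths is lost; for example "Configure Unique Property Generation", "Load Identities to Identity Manager", "Template Description" and "Adjust the Workforce Data Model" all live under `initial-identities-loading/` but are listed as siblings of "Create the Workforce Repository". Nest the sub-topics under their parent entry so the index reflects the order and grouping of the procedure. Link text padding is also inconsistent (`[ Synchronize Data ]` versus `[Create a Connection]`); drop the inner spaces throughout.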
@@ -0,0 +1,111 @@ +# Adjust the Workforce Data Model + +How to select the properties to be part of the data model for the workforce repository (therefore +displayed in the UI), and choose their optimal displaying mode. + +## Overview + +After you created the initial version of the workforce repository, Identity Manager provides an easy +method to optimize the structure of the data model, for example preventing empty fields in the UI. + +According to the number of resources in the organization, Identity Manager's analysis of the data +model's usage suggests: + +- to remove unused entity types (country, site, gender, subsidiary, etc.) from the data model and + from the UI; +- to remove unused properties (phone number of a user, position end date, town of a site, etc.) from + fields to fill in the workflows for entity creation, except for properties that are essential to + Identity Manager's operation and thus ensured to be part of the data model (e.g. the contract's + start date); +- an optimized display mode in the UI for all entity types, and for the fields which link to another + entity (manager of a department, contract type of a user, gender of a user, etc.) and thus require + a query tool (dropdown box, search bar, etc.). + +You can then make your own choice about activating/deactivating/re-activating any property, and you +will be able to make modifications at any time. + +## Participants and Artifacts + +Integrators may need the help of the HR department who know the organization. 
+ +| Input | Output | +| ------------------------------------------------------------------------ | ----------------------------- | +| IdentityManagerServer (required) Initial workforce repository (required) | Adjusted workforce repository | + +See the [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md) +and [Load Identities to Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) topics for additional +information. + +## Adjust the Data Model + +Adjust the data model by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Model** page, click on the following icon to adjust the data model + to your specific situation. + + ![Scan Data Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/iconscandatamodel_v602.svg) + + ![Scan Data Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel_v60.webp) + + Identity Manager counts the entries for each attribute and suggests a quantification: + + - Empty attributes are deactivated as they should be excluded to simplify the data model. + - Non-empty attributes are quantified (e.g. small, large, etc.) to be displayed in the UI's + forms optimally (e.g. dropdown list, search tool, etc.). + + ![Scan Data Model - Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scandatamodel-result_v523.webp) + +3. Observe the result and adjust manually the data model if needed, by clicking on the properties. 
+ + While Identity Manager suggests a structure for the data model, the choice is yours to + activate/deactivate any property. + + > For example, empty attributes should be excluded to simplify the data model. However, you can + > choose to keep an empty property anyway if you know that you want to fill it in later. + + Note that Identity Manager stays authoritative to activate some properties that are mandatory + for Identity Manager's operation. + + For example the contract's start date is necessary for Identity Manager's workflows. + + Modifications can be performed later, decisions can be reconsidered. See the + [ Modify the Identity Data Model ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/identity-datamodel-modification/index.md) + topic for additional information. + +4. Click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +5. Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Identities Loading + +In order to validate the process: + +1. Choose a test field and note its displaying mode. + + > For example, our `Region` field in `Site` is sized as `large`. + > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example_v523.webp) + +2. Navigate within Identity Manager to find a workflow using the test field. Observe the displaying + mode in the UI. + + > Our `State` field must be filled in during the creation of a new site. It can be filled by + > opening a pop-up and choosing the region in the list. 
+ > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example2_v523.webp) + > + > ![Scan Data Model - Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/initialload_scan-example3_v523.webp) + +3. Back on the scanning feature, change the displaying mode of your test field and save. + + > We change `large` to `extra small`. + +4. Verify the test field's displaying mode. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md new file mode 100644 index 0000000000..280ad38f9e --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md 
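Review bot: In adjust-datamodel/index.md, the verification example changes field name between steps: step 1 picks "our `Region` field in `Site`", while step 2 says "Our `State` field must be filled in during the creation of a new site" and then refers to "choosing the region in the list". Use one field name throughout so the reader can follow the check. The section heading "## Verify Identities Loading" also does not match this page, which verifies the data model adjustment rather than an identity load. In the Input table, "IdentityManagerServer (required) Initial workforce repository (required)" runs two inputs together in one cell and the first reads as a fused name; separate the items and spell the first one out.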
@@ -0,0 +1,117 @@ +# Configure Unique Property Generation + +How to configure Identity Manager to generate unique identifiers, mails and logins for any user who +does not have them already. + +## Overview + +All users need to: + +- be uniquely identifiable through an identifier, for example in order to link all accounts to their + owners; +- have a reserved unique email address, even if they do not need a mailbox; +- have a unique login that can be used as a seed for all users' accounts. + +For each unique property, Identity Manager provides a set of generation rules. You are free to +choose the most adequate method regarding your actual approach. + +An identifier/email/login suffix can be specified later according to users' contract types, when +loading identities through an Excel template. See the +[Load Identities to Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) topic for additional +information. +For example, contractors can get `-ext` added automatically to their email addresses. +The unicity checks performed for identifiers/emails/logins do not consider prefixes nor suffixes. + +For example, `john.doe@acme.com` and `john.doe-ext@acme.com` cannot exist simultaneously. + +## Participants and Artifacts + +Integrators may need the help of the HR department to understand the actual approach of the +organization to compute these unique properties. + +| Input | Output | +| -------------------------------- | -------------------------------------- | +| IdentityManagerServer (required) | Generation rules for unique properties | + +See the [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md) +topic for additional information. + +## Configure Unique Property Generation + +Configure the generation of unique properties by proceeding as follows: + +1. 
On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Identifiers, Mails & Logins** page, you can follow Identity Manager's + instructions to configure the generation of a unique identifier for new workers (if needed), + based on one of the available options. + + ![Unique Identifier Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueidentifier_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Random Number`: uses a random number with a default prefix which is used when no specific + prefix is specified on the user's contract type. + + Netwrix Identity Manager (formerly Usercube) recommends using random numbers, as they have + the advantage of not containing any personal information nor giving any hint about the + users' seniority. + + - `Sequence`: uses a sequence with a default prefix which is used when no specific prefix is + configured on the user's contract type. + +3. Follow Identity Manager's instructions to configure the generation of a unique email address for + all users (who do not have one), based on one of the available options. 
+ + ![Unique Email Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniqueemail_v602.webp) + + - `Based on Full Name`: replaces all diacritics by the non-accentuated variants; removes all + special characters; can add a separator between the first name and the last name if needed + (such as `.` most often); in case of homonyms, appends a sequence number to the full name. + - `Based on Last Name`: uses the first letter of the first name; in case of homonyms, uses more + letters of the first name up to the whole first name; in case of homonyms still, appends a + sequence number to the full name. + - `Based on Unique Identifier`: uses a combination of the unique identifier (defined on the same + page) and the email domain. + + No matter the strategy: + + - the default email domain is used when no specific domain is specified on the user's + subsidiary; + - emails are generated in a way that lets users keep their email address, even if they move + from contractors to employees, or change to another subsidiary. + +4. Follow Identity Manager's instructions to configure the generation of a unique login for new + workers (who do not have one), based on one of the available options. + + ![Unique Login Generation](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/initialload_uniquelogin_v602.webp) + + - `Based on Email`: uses the local part of the email, i.e. before `@`. + - `Based on Full Email`: uses the full email. + - `Based on Unique Identifier`: uses the unique identifier (defined on the same page) prepended + with the default prefix when no specific prefix is specified on the user's contract type. + +5. Click on the Save icon at the top. + + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +6. 
Click on the **Reload** button to apply the recent changes to the application. + + ![Reload Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/reload_v603.webp) + +## Verify Property Generation + +In order to verify the process, add a fictitious employee through the workflows from the UI. + +![Home - New Employee](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/home_newemployee_v600.webp) + +Verify in the directory that the employee's sheet displays the expected values for the configured +unique properties. + +![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md new file mode 100644 index 0000000000..48de788730 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md 
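Review bot: In generate-unique-properties/index.md, both `Based on Last Name` bullets (identifier and email) say only "uses the first letter of the first name" and never state that the last name is part of the value; the fallback "appends a sequence number to the full name" also looks copied from the `Based on Full Name` bullet. Spell out the resulting pattern, ideally with a sample value, as the page already does for the `-ext` suffix. The scope wording differs between steps without explanation: identifiers are generated "for new workers (if needed)", emails "for all users (who do not have one)" and logins "for new workers (who do not have one)"; confirm whether the difference is intended and say so. In the Overview, the lines "For example, contractors can get `-ext` ..." and "The unicity checks performed ..." follow "information." with no blank line, so all three merge into one paragraph when rendered.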
@@ -0,0 +1,122 @@ +# Create the Workforce Repository + +How to initiate the repository for workforce identities by loading identities into Identity +Manager with the right attributes. + +## Overview + +Loading the digital identities into Identity Manager is the very first task you have to perform, +once you installed the development environment. + +The identity repository is supposed to contain the list of all kinds of identities in the company. +Each identity will be represented by a set of properties that are to be used in the calculations for +entitlement assignments. + +> For example, a user can be represented by an identifier and linked to their position which +> includes the user's employee id, last name and first name, email, user type, organization, etc. +> +> ![Identity Repository Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-example.webp) + +> In Identity Manager, the identity repository can look like the following: +> +> ![Identity Repository Result](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository_v602.webp) +> +> ![Identity Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/identityrepository-person_v602.webp) + +See the +[ Identity Repository ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/identity-repository/index.md) +topic for additional information.. + +The initial workforce repository is going to be the first version of a comprehensive repository +containing all users in the organization. This repository is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +### Creation strategy for the workforce repository + +In a nutshell, Identity Manager has made it as easy as a copy-paste from employee and contractor HR +files into an MS Excel file. 
+ +#### Special properties generation + +First, you have to choose rules about how email, login, and internal identifiers are going to be +built for new identities, and for existing identities who do not have these unique properties yet. + +#### Organizational model creation + +Then, you are going to need a model of the organization's structure where the identities fit in. +This model is supposed to provide valuable information for automation and governance features later. + +The model is where you are going to identify for example the type of identities you want to manage +(such as employees and contractors), the hierarchical relationships between them, the geographical +areas they work in, and so on. + +Identity Manager has already built a template model for you, in the form of an Excel file. This +basic model is customizable and will be adaptable to most organizations. You can customize it simply +by writing information from your organization into said Excel file. + +Even if you have more specific or exotic needs that aren't met by this model, it is still a good +starting point and a good way to quickly start delivering value. We recommend that you start +building your project using this model, identify its limits along the way, and enhance it down the +road to make it fit your needs more accurately. + +#### Organizational model filling + +Then, you write down the actual identities information, still using the same Excel file, using data +from HR extractions or other records of contractors and temporary workers. As simple as a +copy-paste. + +The data you are going to load is analyzed by the engine and some simplifications will be suggested. + +**HR synchronization is not enough:** + +Another way of handling a part of the initial data loading is to set up an automated synchronization +of HR data with Identity Manager. + +While it seems to be a good idea, it poses a few problems. 
Among them: + +- a specific IT infrastructure is required and its implementation is likely to delay the project's + progress; +- HR data usually misses crucial information (for example contractor data) and is rarely up to date + early enough to be really useful. + +Hence, in order to rather focus on awaited IGA activities, we choose to build the first iteration of +the project upon a manual data upload to create the initial workforce repository. . + +## Participants and Artifacts + +Integrators may need the help of the HR department and its assistants who know the organization in +order to get the identity and organizational data. After the initial loading, the HR department can +review the data to confirm its accuracy. + +| Input | Output | +| ---------------------------------------------------------------------------------------------------------------------- | ---------------------------- | +| IdentityManagerServer (required) Organizational chart (required)) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +## Create the Workforce Repository + +Create the workforce repository by proceeding as follows: + +1. [ Configure Unique Property Generation ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/generate-unique-properties/index.md) for all users, + pre-existing and new, who do not have them yet. +2. [Load Identities to Identity Manager](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md) to Identity Manager based on the + recommended attributes from the provided organizational model + [Template Description](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md). +3. [ Adjust the Workforce Data Model ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/adjust-datamodel/index.md) following Identity Manager's + suggestions. +4. 
Continue with the next steps of this guide, and come back later to fill the organizational model + with additional data. + +## Next Steps + +Once the initial identities are loaded, integrators can start the User Profile configuration. See +the [ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +From there you will be able to keep your repository up to date: + +- concerning identity data through workflows; +- concerning the data model + +The initial identities loading also enables: + +- HR connector creation. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md new file mode 100644 index 0000000000..776bd2e2d8 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/index.md 
@@ -0,0 +1,186 @@ +# Load Identities to Identity Manager + +How to load identities into Identity Manager for the first time using a basic data model in the form +of a template MS Excel file. + +## Overview + +Loading the digital identities into Identity Manager is the very first task you have to perform, +once you installed the development environment. + +The initial workforce repository is going to be the first version of a comprehensive directory +containing all users in the organization. This directory is crucial in setting up the identity +lifecycle management features and managing assignments of entitlements. + +Identity Manager contains a template model, downloadable as an Excel file. Below is an example of a +part of the `UserRecord` tab, used in Identity Manager's demo: + +![Template Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templateexample_v602.webp) + +### Useful data + +Not all data is useful for identity governance and administration. Thus, to start designing the +repository, you must be aware of which data is necessary and which is unhelpful. Useful data is the +data that: + +- needs to be provisioned to the managed applications; + + > For example, if you need to provision users' phone numbers in a given application, then you + > should fill in the workforce repository's `Phone Number` property. + +- is needed to manage identities' lifecycles; + + > For example, consider that internal employees must be managed by HR officers only, then you'll + > need to identify whether users are internal employees or external contractors. Then you should + > make sure that you fill an `Employee Type` property with at least two values: one for internal + > employees, and one for external contractors. + +- is needed to automatically grant permissions. 
+ + > For example, if a user's position title ("manager" for instance), defines what users currently + > do, and thus what permissions they need, then you should make sure to fill in a property + > storing the position's title in the workforce repository. + +## Participants and Artifacts + +Integrators may need the help of the HR department who knows the organization in order to get the +identity and organizational data. After the initial loading, the HR department can review the data +to confirm its accuracy. + +| Input | Output | +| ------------------------------------------------------------------------------------- | ---------------------------- | +| IdentityManagerServer (required) HR data (required) Third-party staff data (optional) | Initial workforce repository | + +See the [ Install the Development Environment ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/development-environment-installation/index.md) +topic for additional information + +## Load Identities + +Load identities for the first time by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section. + + ![Home Page - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. On the **Workforce** > **Data Upload** page, download the empty Excel template. + + ![Upload Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/icondownload_v602.svg) + +3. Collect identity and organizational data. + + If you don't know where to start, identities most often include long-term employees, temporary + employees (such as interns and temps) and external contractors. The template contains a + `UserType` tab that lists all the types of workers that you want to include, i.e. the usual + identities listed just before, but also partners, clients, even applications. 
+ + Workforce should include obviously all current workers, but also incoming workers, and those who + left the organization in the past XXX (time period defined by the rules of the security + officer). It is interesting to have past workers in order to understand the process and ensure + that they are supposed to be orphaned. See the + [Review Orphaned and Unused Accounts](/docs/identitymanager/saas/identitymanager/user-guide/administrate/orphan-unused-account-review/index.md) + topic for additional information. + + **Employees** + + The workers that are directly employed by the organization usually have their data stored in the + HR system. + + **Contractors** + + Often third-party workers like contractors are not part of the HR system. Then, there are a few + possible solutions to get their data: + + - through purchasing department if it doesn't imply any personal data security breach; + - manually with knowledgeable people, for example department managers and assistants; + - through a filter on data from available directories, for example on the email address if it + contains a specific string like `.ext@`; + - through an Active Directory extraction with a filter on an attribute that works with a + specific part, for example on the employee identifier. + +4. Fill said template with the data you collected. + + The Excel file contains several tabs which organize data, but not all tabs and columns are + mandatory. You can find **more details about the + [Template Description](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md)**. 
Below are the minimum recommended + attributes (mandatory in orange): + + ![Template Recommendations](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_templatereco_v600.webp) + + [**Click here to download a template example**](/static/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). + + Every object (so every tab) of the directory must have a **key**, which is an attribute: + + - unique, i.e. designed to uniquely identify an object/resource, one key can't be shared; + - immutable, i.e. must not change during the whole lifecycle of the object/resource, even for + renaming for example; + - consistent, i.e. identical everywhere the object/resource is specified. + + Among other things, a consistent key allows identities to use the same login in all + applications. A consistent key is also essential to form the link between identities and the + other objects (organizations, titles, etc.). + + **Create your initial workforce repository with only recommended attributes.** + + As we aim to quickly enable Identity Governance and Administration (IGA) actions (like the + review of orphaned and unused accounts, or access certification, etc.), Netwrix Identity Manager + (formerly Usercube) recommends loading identities with only necessary data. The model can be + completed later. + + Moreover, Identity Manager's Query module can help gather data from other systems. + + For example, let's say that contractors' phone numbers are found only in the AD. Then we can + wait for the connection of Identity Manager to the AD, and finally use the Query module to + collect missing data. In this case: + + 1. Upload the `Directory.xlsx` file with only recommended data, validate and synchronize as + explained on this page. + 2. Connect the AD, synchronize AD data, update correlation and classification. 
See the + [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + 3. Follow the usual query procedure to request phone numbers from the AD. + 4. Ensure you display a key (for example `EmployeeId` or `email`) to master the order of the + displayed data. + 5. Download the report. + 6. Copy the report's columns one by one to paste them into the Directory.xlsx file. + 7. Synchronize directory data. + +5. Back on the **Workforce** > **Data Upload** page, upload the filled Excel file to the server in + order to feed the data back to Identity Manager. + + ![Upload Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/iconupload_v602.svg) + + The latest uploaded file overwrites the previous one. + +6. Click on **Verify and Synchronize** to check the file's consistency and import its data into + Identity Manager. + + ![Verify and Synchronize](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_dataupload-synchronize_v602.webp) + + Now you are able to view users' pages in the directory. + + ![Directory - Users](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_directoryusers_v602.webp) + +## Verify Identities Loading + +In order to validate the process: + +- Check manually a sample in the user directory accessible from the home page. You should verify at + least your own sheet and the sheets for your hierarchy. + + ![Home - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +- Check that every organization includes a manager. Organizations are accessible from the department + directory on the home page. 
+ + ![Home - Directory Department](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/home_directorydepartment_v523.webp) + + ![List of Departments](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/load-identities/initialload_departments_v602.webp) + + If the system contains many organizations, then it is also possible to list each organization + with its manager through the Query module. + +- Create reports with indicators on the number of workers per type or per organization for example + (through Identity Manager's predefined reports, the Query module or Power BI), in order to ensure + that Identity Manager's content sticks to reality. + + See the [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional + information. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md new file mode 100644 index 0000000000..b8fdcb1be5 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/template-description/index.md 
@@ -0,0 +1,258 @@ +# Template Description + +Description of the MS Excel template for the creation of the identities repository. + +[Click here to download a template example](/static/files/identitymanager/user-guide/set-up/initial-identities-loading/Directory_example_V602.xlsx). + +![Template Model](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/initial-identities-loading/template-description/initialload_templatemodel_v603.webp) + +All tabs contain a column `Command` only used at a later stage to modify (massively) identity data. +See the +[ Update Identities in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/maintain/identity-data-modification/mass-update/index.md) +topic for additional information. + +## User - Required + +An identity is split into two parts, the first one being the parent resource called `User` which +represents the user's identity card. It contains the few attributes which shall not change during +the identity's lifecycle. See the +[Identity Management](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/index.md) topic for +additional information. + +| Attribute | Type | Description | +| ---------------------------- | ------- | ----------- | +| Identifier (required) | String | | +| ConsentPhotoUsage (optional) | Boolean | | +| IsDraft (optional) | Boolean | | + +## UserRecord - Required + +An identity is split into two parts, the second one being the one or several child resources called +`UserRecord` which represent the user's positions. Records belong to users and help materialize: + +- several positions at once; +- validity periods for positions/assignments unrelated to the user itself; +- position changes. + +In other words, records represent the lifecycle of a user inside the company, i.e. multiple +contracts, mutation, etc. 
+ +Thus, the `UserRecord` tab usually holds users' information that might change over time, while the +`User` tab groups all records of a given user around its identifier. + +| Attribute | Type | Description | +| ---------------------------------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RecordIdentifier (recommended) | String | Identifier of the Records. See the[ Position Change via Records ](/docs/identitymanager/saas/identitymanager/integration-guide/identity-management/joiners-movers-leavers/position-change/index.md). **Note:** it can be the same as `PositionIdentifier` when users can have no more than one contract simultaneously. **Note:** required when using records. | +| User (required) | ForeignKey | `Identifier` from the `User` tab. | +| EmployeeId (recommended) | String | | +| Gender (optional) | ForeignKey | `Identifier` from the `Gender` tab. | +| PersonalTitle (optional) | ForeignKey | `Identifier` from the `Personal Title` tab. | +| FirstName (recommended) | String | | +| LastName (recommended) | String | | +| BirthName (optional) | String | | +| BirthDate (optional) | DateTime | | +| Email (recommended) | String | | +| EmailAliases (optional) | String | Outdated, or any other email address associated with the user. This is used to prevent the re-assignment of a previously used address. | +| Login (optional) | String | | +| PhoneNumber (optional) | String | | +| MobileNumber (optional) | String | | +| VIP (optional) | Boolean | `True` to specify that the user is special/important. 
| +| ContractIdentifier (required) | String | | +| ContractStartDate (required) | DateTime | Start date of the user's contract in the company. | +| ContractEndDate (recommended for permanent contracts, required for fixed-term contracts) | DateTime | End date of the user's contract in the company. | +| AccessesExpirationDate (optional) | DateTime | Date when the user will be deprived of their access rights. | +| UserType (required) | ForeignKey | `Identifier` from the `User Type` tab. | +| Subsidiary (optional) | ForeignKey | `Identifier` from the `Subsidiary` tab. | +| ExternalCompany (optional) | ForeignKey | `Identifier` from the `External Company` tab. | +| PositionIdentifier (required) | String | | +| PositionStartDate (optional) | DateTime | | +| PositionEndDate (optional) | DateTime | | +| Organization (recommended) | ForeignKey | `Identifier` from the `Organization` tab. | +| Manager (recommended) | String | Line manager. `Identifier` from the `User` tab. | +| IGAManager (optional) | String | Validator of IGA requests. `Identifier` from the `User` tab. | +| JobTitle (optional) | String | | +| Title (optional) | ForeignKey | `Identifier` from the `Title` tab. | +| Site (optional) | ForeignKey | `Identifier` from the `Site` tab. | +| Office (optional) | ForeignKey | `Identifier` from the `Office` tab. | +| OfficeNumber (optional) | String | | +| IsMainPosition (optional) | Boolean | | +| Suspended (optional) | Boolean | | +| StartDate (optional) | DateTime | Start date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | +| EndDate (optional) | DateTime | End date of the record, used for changes that aren't related to contract and position information, for example a scheduled name change. | + +See the Template Description topic for additional information. 
+ +Recommendations: + +- There is no absolute need for a unique identifier, because Identity Manager can compute one in the + next steps. +- Be aware of the difference between a hierarchical manager and an IGA manager who approves + entitlement requests. They aren't necessarily the same person. + +## UserType - Required + +User types represent users' contract types, such as permanent contract, fixed term contract, +interim, contractor, trainee, etc. + +| Attribute | Type | Description | +| ------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Category (required) | ForeignKey | `Identifier` from the `User Category` tab. | +| EmailSuffix (optional) | String | Suffix to concatenate to the email string (immediately before the `@` character). | +| IsExternal (required) | Boolean | | +| LoginPrefix (optional) | String | | +| LoginSuffix (optional) | String | | +| UniqueIdentifierPrefix (optional) | String | | +| UniqueIdentifierRangeEnd (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeEnd` set to 9999 means that no unique identifier should be greater than 9999. | +| UniqueIdentifierRangeStart (optional) | Int32 | Used to partition users' identifiers. For example, `UniqueIdentifierRangeStart` set to 1000 means that no unique identifier should be less than 1000. | +| UniqueIdentifierSuffix (optional) | String | | + +## UserCategory + +Categories constitute an additional layer to organize users who can be sorted by types and then +further by categories, and categories can be transverse or not. 
+ +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Subsidiary + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| EmailDomain (optional) | String | | + +## ExternalCompany + +Including external workers into the workforce repository requires listing external companies. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Organization + +A company is divided into organizations, also called departments, such as the board of directors, +corporate banking, call center, USA operations, France operations, treasury, etc. + +| Attribute | Type | Description | +| ------------------------- | ---------- | ---------------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Manager (recommended) | ForeignKey | `Identifier` from the `User` tab. | +| Assistant (optional) | ForeignKey | `Identifier` from the `User` tab. | +| Parent (optional) | ForeignKey | `Identifier` of another organization. | +| Type (optional) | ForeignKey | `Identifier` from the `Organization Type` tab. | + +## OrganizationType + +Organizations can be categorized into organization types, if relevant. + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Title + +Each position can be represented by a title which names said position, such as architect, CEO, +purchasing manager, recruiter, etc. 
+ +| Attribute | Type | Description | +| ------------------------- | ---------- | ----------------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| JobCategory (optional) | ForeignKey | `Identifier` from the `Job Category` tab. | + +## JobCategory + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Country + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| ISOCode (optional) | String | | + +## Region + +| Attribute | Type | Description | +| ------------------------- | ---------- | ------------------------------------ | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Country (optional) | ForeignKey | `Identifier` from the `Country` tab. | + +## Site + +All positions specify a working site. + +| Attribute | Type | Description | +| ---------------------------- | ---------- | ----------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Name (optional) | String | | +| StreetNumber (optional) | Int32 | | +| StreetName (optional) | String | | +| StreetType (optional) | String | | +| Floor (optional) | Int32 | | +| PostalCode (optional) | Int32 | | +| City (optional) | String | | +| Region (optional) | ForeignKey | `Identifier` from the `Region` tab. 
| +| PreferredLanguage (optional) | String | | +| TimeZone (optional) | Int32 | | +| Latitude (optional) | Int64 | | +| Longitude (optional) | Int64 | | +| Url (optional) | String | | + +## Office + +| Attribute | Type | Description | +| ------------------------- | ---------- | --------------------------------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | +| Site (recommended) | ForeignKey | `Identifier` from the `Site` tab. | + +## PersonalTitle + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## Gender + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Identifier (required) | String | | +| DisplayName (recommended) | String | | + +## ReservedEmail + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedIdentifier + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | + +## ReservedLogin + +| Attribute | Type | Description | +| ------------------------- | ------ | ----------- | +| Description (recommended) | String | | +| Value (required) | String | | diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md new file mode 100644 index 0000000000..379f7d27cc --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md 
@@ -0,0 +1,62 @@ +# Create a Provisioning Rule + +How to define scalar rules, navigation rules and/or query rules to compute and provision target +resources values from source resources values. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +## Overview + +[ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) led to the grouping of resources into resource +types (classification), and the establishment of source-to-target relationships between these +resources (correlation). + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of scalar and navigation properties for the target +resources used in entitlement management, based on source resources. We are going to +[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) these properties, i.e. write them to the +managed system. + +The right tools for the job are provisioning rules: scalar rules, navigation rules, query rules. + +These provisioning rules are designed to: + +1. retrieve the input data in source objects; +2. compute the output value for target objects; +3. provision the corresponding properties in the managed system with the computation result. + +Another kind of provisioning rule is called resource type rule. Instead of computing existing +properties, resource type rules create automatically target resources to be owned by given source +resources (identities). + +In testing mode, the impacted resource types can be configured to block provisioning, by adding a +mandatory review before actually writing to the managed system. 
See the +[ Create a Resource Type ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/resource-type-creation/index.md) topic for additional +information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ----------------------------------------- | +| Categorization (required) | Scalar rules Navigation rules Query rules | + +See the [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +## Create Provisioning Rules + +- [ Create Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md)type rules to automatically create resources. +- [Compute a Scalar Property](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md) to compute scalar properties; +- Create navigation and/or query rules to compute navigation properties. + +Netwrix Identity Manager (formerly Usercube) recommends creating/modifying/deleting provisioning +rules using simulations in order to anticipate changes. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Next Steps + +Once provisioning rules are created, integrators can start +to[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md). 
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md new file mode 100644 index 0000000000..98a7a06416 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md 
@@ -0,0 +1,283 @@ +# Compute a Navigation Property + +How to define navigation rules and/or query rules to compute and provision the values of navigation +properties for target resources based on source resources. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of navigation properties for the target resources used in +entitlement management, based on source resources. See +the[ Define Navigation Properties ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/navigation-property-definition/index.md) +topic for additional information. We are going to provision these properties, i.e. write them to the +managed system. See the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) topic for +additional information. + +The right tools for the job are navigation and query rules. + +A navigation property's value can be computed by a navigation rule or a query rule, assigning a +given resource from the entity type pointed by the navigation property (which can be the target +entity type itself). Let's call this entity type the "other" one. + +- A Navigation rule assigns a fixed resource, which is chosen from among the "other" entity type's + resources during the rule's creation. The assigned resource is the same for all impacted accounts. + Use a navigation rule when a given resource must be assigned, regardless of users' attributes. +- A Query rule assigns a resource from the "other" entity type too. However, the resource is chosen + according to a query via a C# expression with conditions, based on the attributes of the source + objects (usually users). 
Hence, contrary to a navigation rule, a query rule can assign a different + resource for each impacted account, based on the attributes of the account's owner. Use a query + rule when there is the need to use variables from among users' attributes to select the resource + to assign. + +![Schema - Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_schemanavigation.webp) + +> A navigation rule could add the AD group `SG_APP_SQL` to the `memberOf` navigation property to all +> AD nominative accounts provided that the user has the single role `SQL Server Administration`. + +> A query rule could compute the value of the `department` navigation property for ServiceNow +> nominative accounts (entity type `ServiceNow_User`), with a query from among resources from the +> `ServiceNow_Department` entity type, where the name of the resource would match the display name +> of the organization specified for the user (owner of the ServiceNow account). +> +> We need here to query the `ServiceNow_Department` entity type in order to find the right +> department to update the value of `department`, which is specific to each ServiceNow account. +> +> Thus, each user owning a ServiceNow account will see the value of `department` in their account +> updated with the resource from `ServiceNow_Department` which corresponds to the department +> specified for this user. + +> Another query rule could compute the `parentdn` attribute for AD nominative accounts, with a query +> from among AD entries, where the `dn` attribute of the resource would match a complex expression +> based on the user's (owner of the AD account) presence state, employee type, location, etc. +> +> We need here to query the `AD - Entry` entity type in order to find the right dn to update the +> value of `parentdn`, which is specific to each AD nominative account. 
+> +> Thus, each AD nominative account will have the value of its `parentdn` set according to its +> owner's attributes (presence state, employee type, location, etc.). + +The application of a navigation rule can depend on the assignment of a single role, and/or user +dimensions. See +the[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information on the assignment of a single role and +[ Conforming Assignments ](/docs/identitymanager/saas/identitymanager/integration-guide/role-assignment/conformingassignmentcomputation/index.md) +topic for additional information on dimensions. + +A query rule does not use criteria as it is designed to compute a given navigation property for all +existing resources in a given resource type. However, in case of several query rules on a same +property, the application of a query rule depends on its confidence rate and the corresponding +priority it receives compared to other query rules. See the +[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +While both navigation and query rules compute navigation properties, the value of one navigation +property should be computed by either navigation or query rules, not both. + +In Identity Manager, a navigation property has two "sides", one for each linked element. + +For example in the AD, the group membership of a user is represented by the properties `member` for +groups (containing a list of users) and `memberOf` for users (containing a list of groups). +However, some managed systems only have one of these two sides. + +The AD only uses `member` from among groups' properties. Users do not have a `memberOf` property. 
As +Identity Manager uses and links both sides, it is able to "translate" the information, so that the +corresponding navigation property, which actually exists in the managed system, is modified by the +navigation/query rule. + +Identity Manager assigns an entitlement to a user by assigning a group-membership to an account. +Thus we can create a navigation rule which adds a group to the `memberOf` property of given +accounts. Identity Manager will update the `member` property of groups accordingly (in Identity +Manager), and then provision the `member` property of said groups in the AD, adding the impacted +accounts. + +A navigation rule will trigger the creation of a target resource for all impacted source resources +(so all users), which are not yet correlated with a resource of this resource type. + +**NOTE:** A query rule does not create resources, and only computes the navigation properties of +existing resources. + +## Guidelines + +Follow these guidelines when configuring navigation properties. + +Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +> For example, consider an organization that manages email addresses according to the site with +> `.fr` for France and `.be` for Belgium. +> +> A working option could be to write an expression with a condition `if` on the site to assign the +> domain name. However, if the organization expands and needs to consider an additional country, +> then the rule requires change in the expression code. +> +> A better solution is to change the identity data model by adding a field `Domain Name` to describe +> the object `Site`, and to be used in the rule expression. In this case, if there is an additional +> country, then a new field is added in the data model for `Site` and `Domain Name`. 
Thus, the rule +> expression remains simple by using the new objects, for example +> `Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +Priority between navigation/query rules + +When creating navigation and query priorities, follow these rules: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property + value over time, via time offsets. See the + [Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) + topic for additional information. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. See the +[ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +| Input | Output | +| ------------------------- | ---------------------------- | +| Categorization (required) | Navigation rules Query rules | + +## Create a Navigation Rule + +Fill an entity type with a navigation rule by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +navigation rule. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. 
+ +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 4 –** Fill in the fields. + +![Create a Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + +- `Join`: navigation property from the target entity type, whose value is to be impacted. +- `Resource`: resource from the entity type pointed by the `Join`, which is to be added to the + `Join` property. +- `Navigation denied`: option that forbids the resource assignment. +- `Offset of effective date`: time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + > For example, account activation and deactivation can be managed according to the start and/or + > end dates. + +- **Criteria**: conditions that, if met, trigger the rule application. + +> Our example would look like: +> +> ![Scalar Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplenav_v602.webp) + +**Step 5 –** Click on **Create** and see a line added on the rules page. + +The navigation rule is now configured and can be found in the Access Rules tab. + +## Create a Query Rule + +Fill an entity type with a query rule by proceeding as follows: + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +query rule. 
+ +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 3 –** Click on the **Queries** tab and on the addition button at the top right corner. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +Fill in the fields. + +![Create Query Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrule_v522.webp) + +Once the `Resource Type` is provided, more fields appear. + +![Query Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_queryrulefields_v602.webp) + +- **Target Object** > `Property to fill`: navigation property from the target entity type, whose + value is to be impacted. +- **Target Object**: property (or expression of properties) from the entity type pointed by the + `Property to fill`, which will be the value of the `Property to fill` if it matches the source + object. Can be defined by a property path and/or an expression. See the + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional + information. +- **Source Object**: property (or expression of properties) from the source entity type. Can be + defined by a property path and/or an expression. See the + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) topic for additional + information. +- `Offset of effective date`: time period that defines the actual effective date according to the + value's start and/or end date. An offset of effective date can be useful for some attributes. 
For + example, account activation and deactivation can be managed according to the start and/or end + dates. +- `Confidence Rate`: rate expressing the confidence in this link, and its priority order. See + the[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional + information. + +> Our examples would look like: +> +> ![Query Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequery_v602.webp) +> +> ![Query Rule Example 2](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/provrules_examplequerybis_v602.webp) + +Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +Any modification in a navigation or query rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a navigation rule (and its criteria), and if the user's +criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system. 
+ +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in navigation and query rules. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Verify Rule Creation + +In order to verify the process: + +**Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on the **Role +Reconciliation** screen) to help check query rules: if there are numerous properties to be +reconciled following the same pattern, then there may be a rule that needs to be changed. + +**Step 2 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +**Step 3 –** Review unauthorized accounts (on the **Resource Reconciliation** screen) and roles (on +the **Role Reconciliation** screen) to help check query rules: if there are numerous properties to +be reconciled following the same pattern, then there may be a rule that needs to be changed. + +See +the[ Review an Unauthorized Account ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/unauthorized-account-review/index.md) +and +the[ Reconcile a Role ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/role-reconciliation/index.md) +topics for additional information. 
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md new file mode 100644 index 0000000000..1e6d0bd417 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/index.md 
@@ -0,0 +1,120 @@ +# Create Resources + +How to define +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +rules to create new (target) resources for given users, computing and provisioning their properties +based on source resources. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to create target resources and assign them to given users. We are going to +[Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md) these resources, i.e. write them to the +managed system. + +The right tools for the job are resource type rules. + +The application of a resource type rule can depend on the assignment of a single role, and/or user +dimensions. + +> A resource type rule could assign a SAP account to users working in Germany, and who already have +> the role `SAP: manager access`. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ------------------- | +| Categorization (required) | Resource type rules | + +See the [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. + +## Create a Resource Type Rule + +Create a resource type rule by proceeding as follows: + +1. Click on **Access Rules** on the home page in the **Configuration** section. + + ![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the source entity type for the future scalar rule. 
+ + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Resource Types** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Resource Type Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_typerule_v602.webp) + + - `Resource Type`: resource type to be automatically assigned. + - `Type`: assignment type that can be: `Suggested` so that the resource type is listed among + suggested permissions in the permission basket of users matching the criteria during an + entitlement request, suggested assignments must be selected manually to be requested; or + `Automatic` so that the resource type is automatically assigned to users matching the + criteria; or `Automatic but with validation` so that the resource type is listed in the + permission basket of new workers, these assignments can still be modified. + - `Resource type denied`: option that forbids the assignment. + - `Offset of effective date`: time period that defines the actual effective date for resource + creation/deletion according to the value's start and/or end date. + - **Criteria**: conditions that, if met, trigger the resource creation. + > Our example would look like: + > + > ![Resource Type Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/provrules_exampletype_v602.webp) + +5. Click on **Create** and see a line added on the rules page. 
+ +## Impact of Modifications + +Any modification in a resource type rule is taken into account when launching the role model +computation task, in the **Resource Types** frame of the corresponding connector's overview page, +via **Jobs** > **Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new assignments. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity by a resource type rule, and if the user's criteria do not comply with +the new version of the rule, then the corresponding resource is automatically deleted. + +A modification in a resource type rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system: first before the creation of an Assigned Resource Type in Identity Manager's database, and +again before the actual action in the managed system. + +> In our example, let's say that we replace the country criterion `Germany` with `France`. Consider +> a user who had a SAP account assigned through this rule. Now that the country criterion has +> changed, our user working in Germany would be deprived of their account. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in resource type rules. + +## Verify Rule Creation + +In order to verify the process, start by checking the rule's details on the **Access Rules** page. +Then, you can: + +1. Select a test user in the directory, accessible from the home page. + + ![Home Page - Directory User](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/configure-workflows/home_directoryuser_v523.webp) + +2. 
Create a resource type rule involving an account that said user doesn't already have, based on + criteria which the selected user satisfies. +3. Trigger the computation of the role model by clicking, on the corresponding connector's overview + page, in the **Resource Types** frame, on **Jobs** > **Compute Role Model** to apply all rules. + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +4. See the new account in the user's **View Permissions** tab. + + ![View Permissions Tab](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/resource-creation/viewpermissions_v602.webp) + + If the type rule uses a single role as a criterion, and the user has said role, then both the + resource type and the role will be displayed in the user's permissions, but only if the role is + related to a [ Compute a Navigation Property ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/navigation-property-computation/index.md). + Otherwise, only the resource type will be visible. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md new file mode 100644 index 0000000000..b761421e0b --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/index.md 
@@ -0,0 +1,204 @@ +# Compute a Scalar Property + +How to define scalar rules to compute and provision the values of scalar properties for target +resources based on source resources. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) topic +for additional information. + +## Overview + +Sources are usually identities, and targets are usually accounts from the managed systems. + +Here, we are going to compute the values of scalar properties for the target resources used in +entitlement management, based on source resources. See the +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. We are going to provision these properties, i.e. write them to the managed system. See +the [Provision](/docs/identitymanager/saas/identitymanager/user-guide/administrate/provisioning/index.md)topic for additional information. + +The right tools for the job are scalar rules. + +A scalar property's value can be computed by a scalar rule, based on at least one scalar property +from the source entity type, possibly writing a C# expression. + +![Schema - Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_schemascalar.webp) + +A scalar rule could define the scalar property displayName of nominative AD accounts based on its +owner's name with the expression: + +return person.LastName + " " + person.FirstName; + +The application of a scalar rule can depend on the assignment of a single role. See the +[ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for +additional information. 
+ +Sometimes we create in Identity Manager properties which are not directly linked to any real +property in the managed system. A scalar rule on this kind of property will not find a property to +provision in the managed system, and thus will not produce any result. + +For example, we may need to create in the AD the property isUnused (to spot unused accounts) with a +C# expression based on other properties from the same entity type. These properties, such as +accountExpires and lastLogonTimestamp, are each linked to a property from the AD, while isUnused is +for Identity Manager's use only. This scalar property isUnused does not exist in the AD, thus will +never be provisioned to the AD, and thus will not be computed by a scalar rule. + +Also some properties, like lastLogonTimestamp in the AD or identifiers from ServiceNow, must be +changed only by their application. Identity Manager can/must not change these properties, thus no +provisioning rule is appropriate for them. + +A scalar rule using a single role as criterion will trigger the creation of a target resource for +all impacted source resources (so all users), which are not yet correlated with a resource of this +resource type. + +Without a criterion, a scalar rule does not create resources, and only computes the scalar +properties of existing resources. + +## Guidelines + +Expression code must not contain too much data + +Once configured, a rule is a complicated object to modify. Therefore, you must keep business data in +the resource and out of the expression. It is easier to change data than to change a rule. + +For example, consider an organization that manages email addresses according to the site with .fr +for France and .be for Belgium. + +A working option could be to write an expression with a condition if on the site to assign the +domain name. However, if the organization expands and needs to consider an additional country, then +the rule requires change in the expression code. 
+ +A better solution is to change the identity data model by adding a field Domain Name to describe the +object Site, and to be used in the rule expression. In this case, if there is an additional country, +then a new field is added in the data model for Site and Domain Name. Thus, the rule expression +remains simple by using the new objects, for example +`Email = FirstName + "." + LastName + "@" + Company + "." + DomainName`. + +Priority between scalar rules + +A scalar rule with a role as a criterion has a higher priority than a rule without a role criterion. + +For example, consider the situation where we want the login `` for users with the single role +``, and the login `` for the others. In this case, we can write two distinct scalar rules +where the first one has the role `` as a criterion. This rule will be applied before the other. + +Other than that, there should not be more than one rule meant to provision a given property on a +given time period. + +It means that: + +- Several rules computing the same property with different criteria should not coexist; +- The only reason to have several rules to compute a single property is when changing the property + value over time, via time offsets. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owner who knows the +application users, entitlements and data model. + +| Input | Output | +| ------------------------- | ------------ | +| Categorization (required) | Scalar rules | + +See the [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional information. 
+ +## Create a Scalar Rule + +Fill an entity type with a scalar rule by proceeding as follows: + +![Home - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** Click on **Access Rules** on the home page in the **Configuration** section. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the dropdown menu at the top left, choose the source entity type for the future +scalar rule. + +![iconadd_v602](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Scalars** tab and on the addition button at the top right corner. + +![Create Scalar Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrule_v522.webp) + +**Step 4 –** Fill in the fields. + +![Scalar Rule Fields](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_scalarrulefields_v602.webp) + +Once the Resource Type is provided, more fields appear. + +- Source Object: Scalar property (or expression of scalar properties) from the source entity type, + which constitutes the input for the computation of the target object. Can be defined by a property + path and/or an expression. +- Target Object: Scalar property from the target entity type, whose value is to be impacted. +- Offset of effective date: Time period that defines the actual effective date for property + computation according to the value's start and/or end date. + + For example, account activation and deactivation can be managed according to the start and/or + end dates. 
+ +- Applicable: Create & Update to use this computation to both provision the managed system and + synchronize the property back to Identity Manager; **Create Only** to use this computation to only + provision the managed system and ignore this property during synchronization, this way the + property can never be displayed as non-conforming. + + **Create Only** is usually set to adapt the configuration to the constraints of the managed + system, when Identity Manager does not retrieve and/or update the property value. + + For example, consider a system, that we want to connect to Identity Manager (let's call it SYST) + using a title property. Consider also that SYST needs to be provisioned with the value of title, + but does not allow any other system to retrieve said value. + + In this case, we use **Create Only** so that Identity Manager sends the adequate provisioning + order upon creation, and then is able to change the provisioning state to **Executed** without + synchronization. If any changes impact that **Scalar Property** value the workflow state will be + modified to **PolicyApprovedWithChanges** meaning that the policy value is not equal to the + external system's value and that will not be provisioned. + +- Comparison type: Comparison type between the value of the target object computed by the rule and + its value from the managed system. Non-conforming values are displayed on the **Provisioning + Review** screen. +- Criteria: Conditions that, if met, trigger the rule application. + +Our example would look like: + +![Scalar Rule Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/provisioning-rule-creation/scalar-property-computation/provrules_examplescalar_v522.webp) + +**Step 5 –** Click on **Create** and see a line added on the rules page. 
+ +## Impact of Modifications + +Any modification in a scalar rule is taken into account when launching the role model computation +task, in the **Resource Types** frame of the corresponding connector's overview page, via **Jobs** > +**Compute Role Model**. + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +This task applies the rules and computes new properties. Therefore, if a given rule's criterion is +modified, then all corresponding assignments are computed again. If a resource was created +automatically for an identity through a scalar rule (and its single role criterion), and if the +user's criteria do not comply with the new version of the rule, then the corresponding resource is +automatically deleted. + +A modification in a provisioning rule can trigger the removal of a resource only on the Identity +Manager side. There are several barriers to cross before said resource is removed from the managed +system. + +Simulations are available in order to anticipate the changes induced by a +creation/modification/deletion in scalar rules. See the +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) topic for additional information. + +## Verify Rule Creation + +In order to verify the process: + +![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +**Step 1 –** On the corresponding connector's overview page, in the **Resource Types** frame click +on **Jobs** > **Compute Role Model** to apply all rules. + +**Step 2 –** Review unreconciled properties on the **Resource Reconciliation** screen to help check +scalar rules: if there are numerous properties to be reconciled following the same pattern, then +there may be a rule that needs to be changed. 
See the +[ Reconcile a Property ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/non-conforming-assignment-review/property-reconciliation/index.md) +topic for additional information. + +Once the steps completed the process is verified. diff --git a/docs/usercube_saas/usercube/user-guide/set-up/role-officer-management/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/role-officer-management/index.md similarity index 100% rename from docs/usercube_saas/usercube/user-guide/set-up/role-officer-management/index.md rename to docs/identitymanager/saas/identitymanager/user-guide/set-up/role-officer-management/index.md diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md new file mode 100644 index 0000000000..d137783014 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md 
@@ -0,0 +1,74 @@ +# Create a Category + +How to structure roles into categories. See the +[ Category ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) +topic for additional information. + +## Overview + +A category is usually created to: + +- reflect the validation process, i.e. represent groups of roles that follow the same validation + process with the same validator(s); +- help users find intuitively the entitlement that they are looking for. + +> For example, creating one category per application often fulfills both requirements. + +There is usually one validator per category. + +There can be several category levels. For example, integrators can choose to create one category per +department, then one per position, and finally one per application. They usually gather roles by +application. Here are a few examples of categories: `AD`, `HR` , `SAP`, `IT Administration`, +`Test Environments`, etc. Some of these "application categories" are gathered into larger categories +by theme as long as their role owner is identical. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ----------------------- | ---------- | +| Role Catalog (optional) | Categories | + +See the [ Create Roles in the Role Catalog ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md) topic for additional information. + +## Create a Category + +Categories are not mandatory to create roles, but they are highly recommended to organize single +roles. + +Create a category by proceeding as follows: + +1. On the home page in the **Configuration** section, click on **Access Roles** to access the roles + page. 
+ + ![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +2. All existing categories are shown in the menus on the left. To create a new category, click on + **+**. + + ![Add a New Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_newcategory_v602.webp) + +3. Fill in the fields. + + ![Create a Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/singlerolescatalog_createcategory_v602.webp) + + - `Identifier`: must be unique among categories and without any whitespace. + - `Name`: will be displayed in the UI to identify the created category. + - `Collapsed in the role tree`: option that enables a collapsed view of the category in the role + tree. + - `Parent category`: optional link to an existing category that would contain the created + category. + +4. Click on **Create** and see the category added in the menus. + + When creating a category, you must be cautious about the associated validators that are not yet + defined. + +## Verify Category Creation + +In order to verify the process, check on the **Access Roles** screen that the category is created +with the right parameters. + +![Verify Category](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/categorycreation_test_v602.webp) diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md new file mode 100644 index 0000000000..cdc31fbedb --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/index.md 
@@ -0,0 +1,223 @@ +# Create Roles in the Role Catalog + +How to define +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +to model entitlements, and organize them in the role catalog, basis of the role model. See the +[ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) +topic for additional information. + +The creation of the role catalog is a time-consuming part, with an important workload concerning the +description of the internal processes for all applications. Actors here need to really understand +the useful permissions within managed applications. + +## Overview + +The aim here is to establish and create the exhaustive list of +[ Role Model ](/docs/identitymanager/saas/identitymanager/integration-guide/role-model/index.md) needed by the organization. Roles are +a way to represent entitlements which are assigned to identities, so that said identities are able +to work with the managed systems. + +![Schema - Single Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarole.webp) + +In other words, establishing the role catalog aims to list exhaustively and explicitly all the roles +in the organization, hiding the technical complexity of entitlements behind the business vision of +user-friendly names and categories, in order to: + +- assign roles to users, by requesting them manually, or using rules that assign roles automatically + based on users' attributes; +- simplify the implementation of Segregation of Duties (SoD); +- simplify the implementation and execution of access certification campaigns. + +Roles are not chosen at random as they must correspond to the way entitlements were modeled during +connector modeling. + +### Technical Principles + +Identity Manager's roles are all built the same way. 
Technically speaking: + +- a role is part of a policy which is a subgroup of the role model. See the + [ Entitlement Management ](/docs/identitymanager/saas/identitymanager/introduction-guide/overview/entitlement-management/index.md) + topic for additional information. + + > Let's take the example of the unlimited Internet access, part of the default policy. + +- a role is created to be owned by users represented by a given entity type; + + > We choose users from `Directory_User`. + +- roles need to be structured so categories are created to: + + - represent groups of roles that follow the same validation process with the same validator(s); + - help users find intuitively the entitlement that they are looking for. + + NETWRIX recommends creating one category per application, as this method often fulfills both + requirements. + + Then single roles can be grouped together through + [ Composite Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/compositerole/index.md) + for applicative purposes, allowing users to be assigned several entitlements simultaneously. + Leave composite roles for later, when the system runs as is and would benefit from an additional + layer in the role model. + + > This role is part of the previously created `Internet` category. + +- a role is created with a given approval workflow according to the entitlement's sensitivity; + + ![Schema - Approval Workflow](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemaapprovals.webp) + + > We choose to require one manual validation from a knowledgeable user before the Internet role + > is assigned to a user. + +- to be effective, roles must be linked to actual entitlements in the managed systems. Technically + speaking, this means that for each entitlement that you want to assign through a given role, you + must create a navigation rule to build said link. 
A navigation rule is specific to one resource + type. See the [ Categorize Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/index.md) topic for additional + information. + + ![Schema - Single Role with Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolerule.webp) + + > We link the role to the entitlement named `SG_APP_DL-INTERNET-ALL` in the AD, via a navigation + > rule that assigns this entitlement to the `memberOf` property of AD nominative accounts, for + > all users having the role. + + This part is about single roles, dealing with entitlements one-to-one. The idea is to associate + one single role with one fine-grained entitlement. + + ![Schema - Roles and Identities](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemarolesidentities.webp) + + > For example, an accountant needs read access to the accounting software, a project manager to + > their billable hours for their projects on SAP, etc. + + When roles are well-defined, one entitlement request must lead to the direct functional + entitlement assignment. No more, no less. + +## Strategy for Role Creation + +### Role structuring + +Functionally speaking, the main benefit of roles is to give entitlements user-friendly names, easily +understandable by managers. And to be understandable, roles must be structured. + +The strategy for role creation and structuring varies according to the +[ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) established for a given system. +Here, we will take as example the common use-case that organizes and categorizes roles by +application. Then, the strategy varies whether the system hosts a single application (like SAB or +SAP) or several (like the AD or LDAP). 
+ +In any case, role creation and maintenance are made easier by entitlements' naming conventions. +Thus, no matter the kind of system that you are working with, if the system uses no naming +conventions, then you should start by creating some. They will be the basis for role structure in +Identity Manager, and will really simplify role creation. + +One system for one application + +A common and intuitive case is when a system is simply one application. Then, integrators can create +one role per entitlement in said application, and one category for the application. + +> The SAP application is about entitlements only for itself. Then, we create a single role per +> entitlement in SAP inside a category called `SAP`: +> +> ![Roles Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymono_v602.webp) + +One system hosting several applications with existing naming conventions + +If a given system is used to manage entitlements for several applications, then building categories +becomes more complicated. + +> For example, the Active Directory usually hosts many groups used to manage entitlements in several +> distinct applications. +> +> ![AD Groups](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymulti_v522.webp) + +The goal here is to find a way to clarify the link between each entitlement and the corresponding +application. + +If the system uses naming conventions for entitlements, then it is possible to deduce the +application it corresponds to, from the entitlements' names. + +> For example, a group is called `SG_APP_banking/digital/haumea/reader` in the AD. The membership to +> this group gives an entitlement. Knowing the organization, integrators understand that this +> entitlement is about the department `banking`, the position `digital`, the application `haumea` +> and the access right `reader`. 
+ +Roles can be created accordingly, with one role per entitlement and a category per application. + +One system hosting several applications without existing naming conventions + +However, in the case of a connector for several applications, sometimes no information can be +deduced from the entitlements' names. It is still necessary to find a way to clarify the link +between each entitlement and the corresponding application. + +Then, the solution is to add information inside the managed system, creating a specific field or +filling an empty field. + +> For example in the Active Directory, integrators can modify the field called `description` to +> specify the application name (such as Outlook in this example). +> +> ![Appropriated Field](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_strategymultinoname_v522.webp) + +Thus, the needed information is added to the managed system. After the execution of synchronization, +said data is accessible inside Identity Manager database and can be used as a naming convention. + +In some cases, integrators are not allowed to create/modify fields in the external systems. Then, +the information can be added on Identity Manager side only. As the new field doesn't exist in the +external systems, it can't be overwritten. + +### Automation of role creation + +The UI provides tools to create single roles manually, working top-down from abstraction (role name) +to the technical aspects (navigation rule and technical entitlement). Most projects use thousands of +single roles, which makes role creation a long, tedious and repetitive process. See the +[Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) topic for additional information. 
+ +![Schema - Role Creation Top-Down](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schematopdown.webp) + +Roles can also be created bottom-up via role naming rules. Instead of the previous process, you can +use the name of said entitlement in your managed system to create automatically the corresponding +single role and rule (and category if it does not already exist). In other words, Identity Manager's +naming rules are to be based on your existing naming conventions for entitlements. See the +[ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) topic for additional information. + +![Schema - Role Creation Top-Down](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/singlerolescatalog_schemabottomup.webp) + +One naming rule can generate many roles, so a few automatic rules can easily and faster create the +single role catalog. Naming rules prove particularly useful when you need to add multiple new +permissions in your external system. You won't have to create manually the corresponding categories, +roles and rules as long as said permissions are created with properties matching the conditions from +the rules. + +NETWRIX recommends starting the role catalog with as many naming rules as possible before creating +roles manually. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. 
+ +| Input | Output | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| Connector's data [ Model the Data ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/connector-modeling/index.md) (required) [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) [ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) (required) | Single role catalog | + +## Create the Single Role Catalog + +Create the single role catalog by proceeding as follows: + +1. Create as many single roles as possible (with their navigation rules and categories) via the + [ Create Roles in Bulk ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md) naming rules. +2. Complete the role catalog if needed by creating manually additional + [ Create a Category ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/category-creation/index.md) and single roles with their navigation rules. +3. Add [Create a Composite Role](/docs/identitymanager/saas/identitymanager/user-guide/optimize/composite-role-creation/index.md) to the single role + catalog only if the project is mature enough. Composite roles are more complex than single roles + and they are not mandatory. + +## Impact of Modifications + +[ Perform a Simulation ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/simulation/index.md) are available in order to anticipate +the changes induced by a creation/modification/deletion in roles and navigation rules. 
+ +## Next Steps + +Once the role catalog is established, integrators can start role officer management. + +The role catalog is also a prerequisite for +[ Manage Risks ](/docs/identitymanager/saas/identitymanager/user-guide/optimize/risk-management/index.md)management. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md new file mode 100644 index 0000000000..c8f3593f5a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md 
@@ -0,0 +1,192 @@ +# Create a Role Manually + +How to create single roles manually. + +## Overview + +A single role is a way to represent an entitlement that is to be assigned to an identity. It brings +a layer of abstraction through a user-friendly name, close to the business view. See the +[ Single Role ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/singlerole/index.md) +topic for additional information. + +To be effective, roles must be linked to actual entitlements in the managed systems. Within Identity +Manager, an entitlement assigned to an identity is in fact represented by the value of a given +navigation property, in a resource owned by said identity. See the +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md)topic for additional +information. Thus, each role is linked to one navigation rule per entitlement. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +**NOTE:** For example, imagine that we want to grant unlimited Internet access to the administrator +profile of an identity. This entitlement won't be assigned directly to the identity but to its AD +administration account. In our Active Directory, there is a resource called +`` identified from among AD entries as a group. So we need to add this group +membership to the properties of the identity's AD account, using `` as a +value of the **memberOf** property. + +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. 
+ +| Input | Output | +| ------------------------- | ------------ | +| Classification (required) | Single roles | + +See the[ Classify Resources ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/categorization/classification/index.md) topic for additional +information. + +## Create a Single Role + +Create a single role by proceeding as follows: + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Roles** to access +the roles page. + +![createsinglerole](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/createsinglerole.webp) + +**Step 2 –** On the roles page, click on the adequate category and create a role by clicking on **+ +New** at the top right corner. + +**Step 3 –** Fill in the fields. + +- Identifier: Must be unique among roles and without any whitespace. +- Name: Will be displayed in the UI to identify the created single role. +- Policy: Policy in which the role exists. +- Entity Type: Entity type targeted by the role. +- Description: Description of the role. +- Tags: Label(s) that can later be used to filter the target roles of access certification + campaigns. See the + [ Schedule a Certification Campaign ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/access-certification/certification-campaign-scheduling/index.md) + topic for additional information. + + **NOTE:** Netwrix recommends using role tags when you want to perform an access certification on + a set of roles that are from several categories. + +- Category: Category which is to contain the created role. +- Secondary Categories: Other potential categories which are to contain the created role. +- Approval Workflow: Represents the number of validations required to assign the created role. 
+- Lock the end date: Locks or binds manual permission assignments to the identity's end date (as + defined by the context rule). + + It has five options: + + - Inherited:The policy's setting will be used. + - Explicit, by default not context bound: By default, the assignment's end date will not be + context bound in order to encourage the manual entry of an end date. + - Explicit, by default context bound: By default, the assignment's end date will be context + bound and therefore locked, but a manual date can be entered. + - Never: The assignment's end date will never be locked and needs to be specified manually. + - Always: The assignment's end date is always locked according to the applicable context rule. + +- Approve Role Implicitly: Needs at least the simple approval workflow. **Implicit** mode bypasses + the approval step(s) if the person who makes the role request is also the role officer. + **Explicit** refuses said bypass. **Inherited** follows the policy decision to approve roles + implicitly or not. See the [Create a Policy](/docs/identitymanager/saas/identitymanager/user-guide/optimize/policy-creation/index.md) topic for + additional information. +- Prolongation without a new approval workflow +- Hide in Simplified View: Hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. +- Maximum Duration: Duration (in minutes) after which the role will be automatically revoked, if no + earlier end date is specified. + + **NOTE:** The maximum duration impacts only the roles which are manually assigned after the + maximum duration is set. Pre-assigned roles are not impacted. + + - If no duration is set on the role, the maximum duration of the associated policy is applied. + - If the duration is set to 0 on the role, it prevents the associated policy from applying its + maximum duration to it. 
+ +- Grace Period: Duration (in minutes) for which a lost automatic single role is prolonged. A review + will be required to validate or decline the entitlement prolongation. Inferred entitlements won't + be lost unless the end of the grace period is reached or the prolongation is declined. + + **NOTE:** The grace period is only applied if the loss of the entitlement is due to a change in + the rules, i.e. rule deletion or criteria changes. + + If the grace period is not defined, the value is inherited from the policy. + +**Step 4 –** Click on **Create** and see a line added on the roles page. + +**Step 5 –** Create at least one navigation rule with the single role as a criterion. + +Once you have completed the steps the single role is created. + +## Create a Navigation Rule + +Navigation rules aim to assign given resources to identities based on specific criteria. A +navigation rule sets the value of the navigation property on a specific resource, if a given +condition is met. It is linked to a parent resource type that sets the target entity type. One rule +creates one navigation. + +Create a navigation rule by proceeding as follows: + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 1 –** On the home page in the **Configuration** section, click on **Access Rules** to access +the rules page. + +![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +**Step 2 –** In the drop down menu at the top left, choose the entity type to which the future +navigation rule will be applied. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 3 –** Click on the **Navigations** tab and on the addition button at the top right corner. 
+ +![Create a Navigation Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/singlerolescatalog_createnavrule_v602.webp) + +**Step 4 –** Fill in the fields. + +- Join: Target property whose value is impacted by the created rule. +- Resource: Value to be set on the JOIN. +- Navigation denied: Option that forbids the resource assignment. +- Offset of effective date: Time period that defines the actual effective date according to the + value's start and/or end date. An offset of effective date can be useful for some attributes. For + example, account activation and deactivation can be managed according to the start and/or end + dates. +- Criteria: Conditions that, if met, trigger the created navigation. + +**Step 5 –** Click on **Create** and see a line added on the rules page. + +Once you have completed the steps the navigation rule is created. + +## Impact of Modifications + +When deleting a single role, caution must be used when deleting the corresponding navigation rules. +Indeed, these rules thus lose their criteria and may be applied to far too many people after that. + +## Verify Single Role Creation + +In order to verify the process, check that the role and rule are created with the right parameters. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +**Step 1 –** For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Access Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +**Step 2 –** Select single roles and find the role you created inside the right category and with +the right parameters. 
+ +Our example would look like: + +![Example - Generated Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +**Step 3 –** For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Access Navigation Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +**Step 4 –** Select navigation rules and find the rule(s) you created with the right parameters. + +Our example would look like: + +![Example - Generated Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) + +The verification of role creation has been completed. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md new file mode 100644 index 0000000000..f858befb63 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/index.md 
@@ -0,0 +1,165 @@ +# Create Roles in Bulk + +How to create role naming rules, which create single roles using existing naming conventions from +the managed system. See the +[ Role Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) +topic for additional information. + +## Overview + +A role naming rule automatically creates single roles and the corresponding navigation rules based +on the name of the corresponding entitlements in the managed system. + +Role naming rules replace the tedious process of manual role creation. Instead of creating roles +individually with their navigation rules, you can use role naming rules to generate roles in bulk +and thus faster create the single role catalog. + +> For example, consider a naming convention in our organization that states that AD groups have +> their cn: `SG_APP_`. Then, we can create a naming rule that indicates that for +> all AD groups starting with `SG_APP_`, we create a role that gives the adequate user the +> corresponding group membership, with `` as a name. For example, we have the +> application Contoso and the group `SG_APP_Contoso`. + +Roles created via role naming rules can still be modified later in the UI, if needed. + +A role naming rule, for a given resource type, creates roles and rules only for resources which are +not yet linked to a role, nor a navigation rule of this resource type. This implies that: + +- role naming rules do not overwrite manual changes; +- role naming rules cannot link more than one resource (so one entitlement) to one role. + +If a role naming rule is supposed to create a role that already exists, then a corresponding +navigation rule is created only if the existing role has the same policy and category as specified +in the role naming rule. 
+ +## Participants and Artifacts + +For a given managed system, integrators may need the help of the application owners who know the +application's users, entitlements and data model. + +| Input | Output | +| ------------------------------------------------------------------------------------ | --------------------------------------------------------- | +| [ Create a Provisioning Rule ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/provisioning-rule-creation/index.md) (required) | Role naming rule Single roles Navigation rules Categories | + +## Create a Role Naming Rule + +Create a role naming rule by proceeding as follows: + +1. On the home page, click on **Access Rules** in the **Configuration** section. + + ![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +2. In the dropdown menu at the top left, choose the entity type to which the future naming rule will + be applied. + + ![Entity Type Choice](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/provrules_entitytype_v602.webp) + +3. Click on the **Role Naming Conventions** tab and on the addition button at the top right corner. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + +4. Fill in the fields. + + ![Create a Naming Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_newrule_v602.webp) + + - `Policy`: + [Policy](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/policy/index.md) + in which the rule exists. + - `Property`: navigation property which will define the actual entitlement in the future + navigation rule. + - `Identifier`: must be unique among rules and without any whitespace. 
+ - **+ New Rule**: a naming rule is based on the union of rules, themselves based on the + intersection of rule items. A rule item specifies one of the conditions that will trigger the + enforcement of the naming rule. See the + [ Role Mapping ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/rolemapping/index.md) + topic for additional information. + - `Where Expression`: C# expression returning a boolean to condition the application of the + rule. + + Netwrix Identity Manager (formerly Usercube) recommends using this option only when the + options available in the rule items do not suffice. + + - **Single Role**: single role(s) to be created. See the + [Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md) topic for additional information. + + - `Identifier`: must be unique among roles and without any whitespace. If the defined + identifier is already used, then neither the role nor the rule is created. Can be defined + by a property path and/or + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md) (mandatory). + - `Name`: will be displayed in the UI to identify the future single role. Can be defined by + a property path and/or an + [Expressions](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/expressions/index.md). + + - **Category**: the + [ Category ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/category/index.md) + for the future role(s). + + - `Identifier`: either matches an existing category and selects it, or doesn't match and + therefore a new category is created. Can be defined by a property path and/or an + expression. + - `Name`: will be displayed in the UI to identify the category. Ignored if the `Identifier` + attribute matches an existing category's identifier. 
Can be defined by a property path + and/or an expression. + - ` Parent Identifier`: for a potential parent category. Must match an existing category's + identifier. Can be defined by a property path and/or an expression. + - `Default Category`: category for the future role(s) if the category's `Identifier` + attribute isn't filled in or doesn't compute. + + - `Role Policy`: policy in which the future roles exist. + - `Approval Workflow`: represents the number of validations required to assign the future + role(s). + - `Approve Role Implicitly`: needs at least a simple approval workflow. `Implicit` mode bypasses + the approval step(s) if the person who issues the role request is also the role officer. + `Explicit` refuses said bypass. `Inherited` follows the policy decision to approve roles + implicitly or not. + - `Hide in Simplified View`: hides the role from the users' **Simplified View** in **View + Permissions** dialog. This setting does not apply to roles which are either inferred or have + workflow states which require manual action. + - `Comment Management on Permission Review`: to change if different from the role policy. + > Our example would look like: + > + > ![Example - Naming Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_example_v602.webp) + +5. Click on **Create** and see a line added on the rules page. + +## Impact of Modifications + +As naming rules are applied only to resources that aren't already linked to a role or a navigation +rule, neither deletion nor modification in a naming rule can affect the previously created roles and +rules. + +## Verify Naming Convention + +In order to verify the process: + +1. 
to take the changes into account, on the appropriate connector's overview page click on + **Jobs** > **Apply Naming Conventions**; + + ![Resource Type Jobs](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/synchro_resourcetype_v602.webp) + +2. check that the correct roles and rules were created. + +For roles, click on **Access Roles** on the home page in the **Configuration** section. + +![Home Page - Access Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/resource-type-creation/home_roles_v602.webp) + +Select single roles and find the role(s) you created inside the right category and with the right +parameters. + +![Access Single Roles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testroles_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Role](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleroleresult_v602.webp) + +For rules, click on **Access Rules** on the home page in the **Configuration** section. + +![Home Page - Access Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/home_rules_v602.webp) + +Select navigation rules and find the rule(s) you created with the right parameters. + +![Access Navigation Rules](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_testrules_v602.webp) + +> Our example would look like: +> +> ![Example - Generated Rule](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-naming-rule-creation/namingrulecreation_exampleruleresult_v523.webp) 
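Review bot: In role-naming-rule-creation/index.md the Overview and the **Single Role** field description disagree about what happens when the target role already exists. The Overview says "a corresponding navigation rule is created only if the existing role has the same policy and category", while the `Identifier` bullet under **Single Role** says "If the defined identifier is already used, then neither the role nor the rule is created". This decides whether **Apply Naming Conventions** can attach a new entitlement to an existing role, so please state one behaviour in both places. Separately, the Overview example has lost its placeholders: the cn pattern reads `SG_APP_` with nothing after the prefix and the role name is an empty code span, so the convention cannot be read as written. Restore the placeholder text in an escaped form. The code span ` Parent Identifier` also carries a leading space.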
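Review bot: In role-manual-creation/index.md, the "Impact of Modifications" section names the risk but not the action to take. "When deleting a single role, caution must be used when deleting the corresponding navigation rules" reads as a warning against deleting the rules, yet the next sentence says the danger is rules that "lose their criteria and may be applied to far too many people". Please say explicitly what the integrator should do with navigation rules that use the role as a criterion when that role is deleted, and consider pointing to this section from Step 5 of "Create a Single Role", where that criterion is set up. Minor: the last screenshot in "Verify Single Role Creation" is `namingrulecreation_exampleruleresult_v523.webp` while the others on the page are `_v602`; check that it still matches the current UI.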
diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md new file mode 100644 index 0000000000..d72cb78e7a --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/synchronization/index.md 
@@ -0,0 +1,280 @@ +# Synchronize Data + +How to launch data synchronization, i.e. read managed systems' data and load it into Identity +Manager. + +## Overview + +Data synchronization is a data flow from the managed systems into Identity Manager. + +### Process + +A connector's main purpose is to read and export the data previously mapped with +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) in order to synchronize it +with Identity Manager. Connectors provide tools to perform a basic extraction of the system's data +in the form of CSV/XLSX files. These files are cleansed and loaded into Identity Manager. +Synchronization is a three-step ETL process going through export, synchronization preparation and +the synchronization itself. + +![Synchronization Schema](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_schema.webp) + +#### Export + +The +[ Export Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/exporttask/index.md) +creates extractions, a snapshot of the managed system's data, used to insert and/or refresh the data +that is inside Identity Manager. Extractions are accessible when there is at least one connection +with an export-enabled +[ References: Packages ](/docs/identitymanager/saas/identitymanager/integration-guide/connectors/references-packages/index.md). +Extracted data becomes meaningful when it is loaded into resources as specified by the entity type +structure. + +Exported data is stored inside CSV files in the folder `/{InstallationFolder}/Temp/ExportOutput`. 
+ +#### Prepare synchronization + +The +[ Prepare Synchronization Task ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/jobs/tasks/agent/preparesynchronizationtask/index.md)performs +a preparatory data cleansing to spot errors and list them in a generated file in the +`/{InstallationFolder}/Work/Synchronization` folder. + +> For example, this task spots an identity if it is linked to an organization code which doesn't +> exist. + +#### Synchronize + +The `Synchronize` task loads data into Identity Manager's database. + +See the +[ Upward Data Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/synchronization/upward-data-sync/index.md) +topic for additional information. + +### Prerequisites + +#### Extracted data must have keys + +Every extracted resource must have an attribute that serves as a primary key so that Identity +Manager can uniquely identify the resource to be added/updated/deleted during synchronization. You +must have defined keys during Entity Type creation. See the +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md) topic for additional +information. + +Extractions must not be modified before synchronization + +Extractions must not be modified manually, for it may induce synchronization issues. + +> For example, saving an XLSX file implies an automatic modification of format. + +Also, synchronization must not be disturbed by a change in the source format, such as the deletion +of a column in the middle of the file. + +Thresholds must never be deactivated + +Thresholds are essential safety guards that control all changes, for example preventing the +overwriting of important data by mistake. Thresholds are by default activated to warn users when +synchronization or provisioning triggers too many modifications. 
If the number of modifications +exceeds the specified threshold, Identity Manager stops the synchronization and displays a warning +_"Threshold Exceeded"_ on the log page described below. + +Once the changes have been reviewed, the blocked job can be resumed (or not). + +Thresholds are configured with default values using the following +[ Connector ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/connectors/connector/index.md) +attributes: + +- `MaximumDeletedLines`, `MaximumInsertedLines` and `MaximumUpdatedLines` for scalar properties; +- `MaxPercentageDeletedLines`, `MaxPercentageInsertedLines` and `MaxPercentageUpdatedLines` for + scalar properties by percentage; +- `MaximumLinkDeletedLines`, `MaximumLinkInsertedLines` and `MaximumLinkUpdatedLines` for navigation + properties; +- `MaxLinkPercentageDeletedLines`, `MaxLinkPercentageInsertedLines` and + `MaxLinkPercentageUpdatedLines` for navigation properties by percentage. + +## Participants and Artifacts + +At this point, integrators should have all the elements they need to perform synchronization. + +| Input | Output | +| ------------------------------------------ | ----------------- | +| Connector with its entity types (required) | Synchronized data | + +See the [ Connect to a Managed System ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/index.md) topic for additional +information. + +## Launch Synchronization + +Launch synchronization for a given managed system by proceeding as follows: + +1. Access the list of connectors by clicking on **Connectors** on the home page in the + **Configuration** section. + + ![Home - Connectors](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_connectors_v602.webp) + +2. On the relevant connector page, in the **Entity Types** frame, click on **Jobs**. + + Here are all the tasks available for synchronization. 
They synchronize all connections and + entity types for only this connector. It is possible to launch them individually in order to + test them and debug a situation, or all together with **All Tasks**. According to the created + connection(s) and package(s), all these tasks can be launched either in incremental or complete + mode. + + ![Synchronize Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs_v602.webp) + + - `Update Expressions`: computes the expressions used in the entity type mapping. + - `All Tasks`: launches all previous tasks in a row. + + Notice that some connectors, depending on their connections and packages, can't be synchronized + in incremental mode. As a consequence, when clicking on the **Jobs** button, you wouldn't have a + choice between `Complete` and `Incremental`. See below this note. + + ![Synchronize Job (Only Complete)](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_executionjobs-complete_v602.webp) + +## Manage Synchronization Automation + +Export and synchronization are executed manually from the connector screens. By default, they are +also part of scheduled [ Jobs ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/jobs/index.md) provided by +Identity Manager: + +- the complete job is scheduled to launch a synchronization once a day of all resources, modified or + not; +- the incremental job is scheduled to launch a synchronization several times a day only of the + resources modified since the last synchronization. + +See the +[ Set Up Incremental Synchronization ](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobfast/index.md) +and +[Set up Complete Synchronization](/docs/identitymanager/saas/identitymanager/integration-guide/tasks-jobs/how-tos/jobdaily/index.md) +topics for additional information. + +Scheduling the jobs avoids manually triggering them everyday. 
+ +However, you can choose to withdraw a given connector from both the complete and incremental jobs by +clicking on **Deactivate** on the connector's dashboard. This is particularly useful when modifying +a connector. You can also re-insert it at any time with the same button which is now named +**Activate**. + +![Jobs Results Dashboard](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_dashboard_v522.webp) + +You can fine-tune the synchronization and/or provisioning of the connector by clicking on the +**Edit** button. + +![Edit button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_edit_v600.webp) + +Click on **Job Results** to access the progress of this connector's jobs. + +All jobs are accessible on the **Job Execution** page in the **Administration** section. + +![Home - Job Execution](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_jobexecution_v602.webp) + +## Verify an Entity Type's Synchronization + +In order to verify both the synchronization configuration and +[Create an Entity Type](/docs/identitymanager/saas/identitymanager/user-guide/set-up/connect-system/entity-type-creation/index.md): + +1. Launch synchronization. +2. Access the connector's logs (from **Job Results** on the connector's dashboard) to ensure that + synchronization completed successfully. + + ![Jobs Results](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_results_v603.webp) + +3. Check that the entity types have been added to the left menu of the home page. + + ![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/entitytypecreation_test_v602.webp) + +4. 
Access the relevant entity types (from the menu items on the left of the home page) to check + synchronized resources, by navigating in the UI from the accounts through a sample of + associations, via the eye icon: + + ![Eye Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/iconeye_v600.svg) + + You should first look for configuration validation, and only later validation of the actual data + being synchronized. + + > For example, let's say we created a connector for SAB that contains two entity types called + > `SAB - Users` and `SAB - Groups`. Then, the home page shows them on the left. + > + > ![SAB Example - Home Page](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab_v522.webp) + > + > Clicking on `SAB - Users` displays the list of all synchronized resources. + > + > ![SAB Example - Data List](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab2_v602.webp) + > + > Clicking on any resource displays its detailed attributes, for example `Abbott Mark`: + > + > ![SAB Example - Resource Attributes](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_examplesab3_v602.webp) + > + > Clicking on any eye icon displays the corresponding resource. SAB was created here with a + > simple user-group schema that links n users to n groups. So here, we can check these links by + > navigating from a given user to one of their groups, to one of said group's users, to one of + > said user's groups, etc. + +## Troubleshooting + +Make sure you followed the prerequisite guidelines for synchronization. + +Keep in mind that a problem observed in synchronized data might also come from a mistake made +previously in the connector's configuration. Therefore, logs can give more details. Logs are +accessible from the **Job Results** button on the dashboard of a given connector. 
+ +Don't hesitate to launch synchronization-related tasks individually and observe the corresponding +logs in order to debug a situation. + +If the connector and/or entity type doesn't appear in the menu items, then: + +![Test Entity Type](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/home_entitytypes_v602.webp) + +Access the relevant connector's page and click on the **Reload** button to take into account the +last changes in the entity type mappings. + +If a newly added property doesn't appear in users' data, then: + +Access the relevant connector's page to click on the **Reload** button to take into account the most +recent changes in the entity type mappings. + +If a synchronization is blocked by an exceeded threshold, then: + +![Threshold warning](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_threshold_v603.webp) + +Find out the reasons to decide whether or not to bypass the threshold. Proceed as follows: + +1. On the logs page (accessible from the **Job Results** button), click on the line of a task + instance to see its logs. +2. Study synchronization counters and the list of all synchronization changes. These tools help you + make a decision about whether to bypass synchronization thresholds. + + ![Job progress](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_thresholdlog_v603.webp) + + In most cases, the first synchronization exceeds thresholds because no data exists in Identity + Manager yet. Thus, a high quantity of modifications is expected and the synchronization is to be + resumed. + + Numerous modifications can also be triggered by: + + - a change in date format; + - the input of blank files by mistake, because it would overwrite and erase all existing data; + - a swap of two headers in an input file. + +3. If, after verifying, all changes are legitimate, click on the **Resume** button at the top of the + job progress page. 
This will restart the job and allow the changes to be synchronized. + + Be cautious, check twice for mistakes before resuming. + + ![Resumed Job](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/synchro_thresholdresumed_v602.webp) + +If an export doesn't complete, then: + +- Check the connection's settings. +- If you manually typed the source column of a property in the entity types, then make sure that the + source column exists in the corresponding managed system. + + ![Source Column](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/entitytype_sourcecolumn_v602.webp) + +If a given property from users' data is displayed in an unexpected way, then: + +Check the format of both the application metadata and the external system. + +![Property Format](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/synchronization/entitytype_format_v523.webp) + +> For example, if you find that a given date doesn't comply with what you set, then maybe the format +> in the External System section wasn't correctly selected, thus inducing a conversion error during +> the export computation. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md new file mode 100644 index 0000000000..9453060436 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md 
@@ -0,0 +1,128 @@ +# Assign Users a Profile + +How to assign Identity Manager's access permissions to users through profiles. + +## Overview + +All the permissions to access items in Identity Manager, and to perform given actions, are managed +by assigning profiles to users and permissions to profiles. See the +[ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md) +and [References: Permissions](/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md) +topics for additional information. + +![Schema - Profile Assignment](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +For example, the access to the list of users with their personal data is usually restricted to HR +people, and the possibility to modify personal data restricted to HR managers. + +We define here a permission as an entitlement within Identity Manager. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +Users are assigned profiles according to the permissions they need to work, at least one profile per +user. A user without a profile cannot access the application. Experience shows that most users have +one profile, sometimes two, and rare case have maximum three, or more. + +The goal here is to link users to basic profiles. + +The right time to assign profiles to users is just before they need it, so it depends on the +deployment strategy. +For example, we connected a given application and now we want to list orphaned accounts. Then we +need to assign a role officer. + +The priority is often about resource managers who will review orphaned and unused accounts. 
+ +## Participants and Artifacts + +Integrators must have the knowledge of who must be able to access what within Identity Manager. + +| Input | Output | +| ------------------------------ | ----------------- | +| Configured profiles (required) | Assigned profiles | + +See the [ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +## Assign a Profile to an Account + +In the following section you will read about how to assign a profile to an account. + +Manual assignment + +Assign manually a profile to a user by proceeding as follows: + +![Home Page - Assigned Profiles](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/home_assignedprofiles_v602.webp) + +**Step 1 –** Access the **Assigned Profiles** screen from the home page in the **Administration** +section. + +![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/iconadd_v602.webp) + +**Step 2 –** Click on the addition button at the top right corner. + +![New Profile](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/roleofficers_newprofile_v602.webp) + +**Step 3 –** Fill in the fields. + +- **Profile**: Profile chosen from among existing profiles. +- **Resource**: Identity chosen from among entries to be assigned said profile. +- **Profile's Email**: Email created in order to receive the corresponding approval requests. +- **Deny this Profile**: Option that forbids the profile assignment instead of applying it. +- **Start Date** and **End Date**: Particularly useful for profile delegation. + +**NOTE:** If filters are defined in the Access Rules, and are assigned to the profile, a +**Criteria** section will appear containing them. Filters are conditions that, if met, trigger the +Access Control Rule Application. 
+The only filters which can be displayed in this section are filters related to dimensions or hard +coded criteria (Single Role, Composite Role, Resource Type and Category). +The filters are defined in the XML configuration on the access control rules. The criteria displayed +are a fusion of the filters of all the rules associated with the profile. See the +[Access Control Rule](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/accesscontrolrule/index.md) +topic for additional information. + +Automatic assignment + +The largest profiles with the most basic permissions (like a simple access to the application) +concern many identities and are low-privileged. Thus integrators can set up profile assignment rules +through the XML configuration in order to assign profiles automatically, based on accounts' resource +type and potentially specific criteria. See the +[Profile Rule Context](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/profilerulecontext/index.md) +topic for additional information. + +![Launch Button](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-assignment/launch_v603.webp) + +Click on **Launch** to apply these profile rules. + +**NOTE:** Profile rules can also be applied through the same button on the **Profiles** page, by +clicking on **Settings** in the **Configuration** section, then on **General** > **Profiles** in the +left menu. + +## Delegate a Profile + +Sometimes, users need to lend their entitlements, while on leave for example. In this case, it is +interesting to create new profiles, identical to the initial ones but without the right to delegate +the corresponding entitlements. + +For example, let us consider the Manager profile which we appointed as request validator per +department. 
In order to ensure the presence of all validators at all times, we choose to create a +Assistant Manager profile which is to be assigned occasionally to another user by a manager. A user +with the Assistant Manager profile will receive exactly the same entitlements as someone with the +Manager profile, except for the ability to assign the Assistant Manager to another user. + +Thus no workflow in Identity Manager can be blocked by the absence of the workflow's actors, and +security is ensured by preventing unwanted entitlement delegation. + +## Verify Profile Configuration and Assignment + +In order to verify both profile configuration and assignment, check that a sample of users can +effectively perform the actions allowed by their profiles. See the +[ Configure a User Profile ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md) topic for additional +information. + +A functioning and well-assigned profile must not trigger 403 errors in the server logs, nor in the +UI in the form of a red notification at the bottom right corner of the application. This kind of +error appears if an entitlement is incomplete, i.e. giving access to a button but not to the page +said button leads to. + +For example, you can check whether an ordinary user can access another user's personal data from the +**Directory** tile. diff --git a/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md b/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md new file mode 100644 index 0000000000..d530e527f9 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-configuration/index.md 
@@ -0,0 +1,114 @@ +# Configure a User Profile + +How to tweak the +[References: Permissions](/docs/identitymanager/saas/identitymanager/integration-guide/profiles-permissions/permissions/index.md) for +actions within Identity Manager, for a set of basic +[ Assigned Profile ](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/access-control/assignedprofile/index.md). + +## Overview + +All the permissions for accessing items and performing actions in Identity Manager are managed by +assigning profiles to users and permissions to profiles. + +![Schema - Profile Assignment](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_schema.webp) + +> For example, access to user lists with personal data is usually restricted to HR staff, and the +> modification of personal data would be restricted to HR managers. + +We define here a permission as an entitlement within Identity Manager. + +Permissions can be about: + +- administration, which gives access to [Administrate](/docs/identitymanager/saas/identitymanager/user-guide/administrate/index.md) actions, + accessible in the **Administration** section on the home page; +- directory, which gives access to users' data (with several available levels of access), and also + any other data accessible in the **Directory** section on the home page; +- workflows, which gives access to actions for users' lifecycle (onboarding-movement-offboarding), + through the workflows provided by Identity Manager within the **Directory** pages; +- reports, which gives access to Identity Manager's predefined reports about workforce. See the + [ Generate Reports ](/docs/identitymanager/saas/identitymanager/user-guide/administrate/reporting/index.md) topic for additional information. +- notifications, which enables notification reception when specific workflows are launched. 
+ +Netwrix Identity Manager (formerly Usercube) recommends creating and using the following profiles: + +- `Administrator` for requesting entitlements, performing potential additional role reviews, and + updating user data, the role model and the settings; +- `Helpdesk` for requesting entitlements and updating user data only, not for updating the role + model or other settings; +- `HR` for managing internal users, i.e. creating, updating and deleting them; +- `Manager` for requesting their teams' entitlements and managing their external users, like + contractors; +- `RoleOfficer` for reviewing and approving roles; +- `User` for basic viewing of user and organizational information. + +A user can have up to 10 assigned profiles. + +The goal here is to create profiles and link specific permissions to the profiles, in order to build +a set of typical profiles that will later be assigned to users. See the +[Assign Users a Profile](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md) topic for additional information. +Instead of assigning permissions one by one to users, you will assign them sets of permissions (i.e. +profiles). + +### Responsibility scopes + +Each permission can be assigned a responsibility scope, which represents the scope of action of +users with said permission. + +> For example, managers can be assigned the `View Requests` and `Manage Accounts` permissions, but +> only for the teams in which they have the manager title. In this case they will handle the +> entitlement requests within the team they manage, having their scope of responsibility defined as +> their team. It means that the manager cannot see or do anything outside the identities included in +> their team. + +## Participants and Artifacts + +Integrators must have the knowledge of the organization strategy towards the IGA project. 
+ +| Input | Output | +| -------------------------------------------------------------------------------------- | ------------- | +| [ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) (required) | User profiles | + +## Configure a User Profile + +Configure a user profile by proceeding as follows: + +1. On the home page, click on **Settings** in the **Configuration** section, then on **General** > + **Profiles** in the left menu. + + ![Home - Configuration](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/home_settings_v523.webp) + +2. Check whether the profile to configure is part of the provided list. If not, create it by + clicking on the addition button at the top right and fill in the fields. + + ![Addition Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/categorization/classification/iconadd_v602.svg) + + ![New Profile](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_creation_v602.webp) + + - `Identifier`: must be unique among profiles and without any whitespace. + - `Name`: will be displayed in the UI to identify the profile. + + Click on **Create**. + +3. Access the page for profile configuration by clicking on **Workforce** > **Profiles & + Permissions** in the left menu. +4. Follow Identity Manager's instructions for assigning permissions to the profile by clicking on + the appropriate permissions, one by one, selecting if needed their responsibility scope. + + ![Profile Configuration Example](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/profiles_example_v603.webp) + +5. Click on **Save** at the top of the page. 
+ + ![Save Icon](/img/product_docs/identitymanager/identitymanager/user-guide/set-up/user-profile-configuration/iconsave_v602.svg) + +## Verify Profile Configuration + +Before you can see the profile in action, it needs to be assigned to a user. + +See the [Assign Users a Profile](/docs/identitymanager/saas/identitymanager/user-guide/set-up/user-profile-assignment/index.md) topic for additional +information. + +## Next Steps + +Once user profiles are configured, integrators can start configuring onboarding workflows. See the +[ Create the Workforce Repository ](/docs/identitymanager/saas/identitymanager/user-guide/set-up/initial-identities-loading/index.md) topic for additional +information. diff --git a/docs/identitymanager/saas/identitymanager/whatsnew/index.md b/docs/identitymanager/saas/identitymanager/whatsnew/index.md new file mode 100644 index 0000000000..e8f7f88646 --- /dev/null +++ b/docs/identitymanager/saas/identitymanager/whatsnew/index.md 
@@ -0,0 +1,98 @@ +# What's New + +## New Netwrix Community! + +All Netwrix product announcements and bug fix lists have moved to the new Netwrix Community. See +announcements for Netwrix Identity Manager (formerly Usercube) in the +[Identity Manager](https://community.netwrix.com/c/identitymanager/announcements/150) area of our new +community. + +The following information highlights the new and enhanced features introduced in this Netwrix +Identity Manager (formerly Usercube) version. + +## Netwrix Identity Manager (formerly Usercube) November 25, 2024 + +New: Assigned Roles View + +The new Assigned Roles page provides a role-centric view, displaying the list of users with +permissions in a specified role category and including a downloadable report. This feature is +currently in read-only preview, with additional functionality planned for the next release. See the +[Review Assigned Roles](/docs/identitymanager/saas/identitymanager/user-guide/administrate/assigned-roles/index.md) topic for additional +information. + +New: Context-Bound Manual Permissions + +Manual permission assignments can now be configured to be tied to a context end date using +‘ManualAssignmentEndDateLockedToContext’. For example, a contractor's manual permissions can be +configured to automatically extend when their contact is extended. See the +[Create a Role Manually](/docs/identitymanager/saas/identitymanager/user-guide/set-up/single-roles-catalog-creation/role-manual-creation/index.md), +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +and +[Remove Redundant Assignments](/docs/identitymanager/saas/identitymanager/user-guide/optimize/assignment-automation/remove-redundant-assignments/index.md) +topics for additional information. + +New: Suggested Multiple Correlations + +A new option allows multi-correlation resource types to propose correlations with less than 100% +confidence. 
This behavior is controlled by the new boolean ‘SuggestAllCorrellations’. The default +(false) only suggests correlations with 100% confidence, while setting it to true allows +lower-confidence suggestions. See the +[Resource Type](/docs/identitymanager/saas/identitymanager/integration-guide/toolkit/xml-configuration/provisioning/resourcetype/index.md) +topic for additional information. + +Enhancement: Access Control and Workflows + +The maximum number of workflow actors is now configurable via the ‘MaxActors’ key in the +‘appsettings.json’ file. The default value of 20 can now be increased up to 50. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Enhancement: Certifications and Risks + +Extra options on certification screens (visible on the "..." button) can now be hidden by setting +**Only allow approving and refusing on access certifications items** to **Yes**. This will leave +only the **Approve** and **Deny** buttons visible. The default setting is **No**. See the +[Configure Global Settings](/docs/identitymanager/saas/identitymanager/user-guide/set-up/configure-global-settings/index.md) topic for +additional information. + +Enhancement: Connectors and Integrations + +Two new settings, ‘MaxPageSize’ and ‘DefaultPageSize’, have been introduced to control and optimize +API call sizes. See the +[Application Settings](/docs/identitymanager/saas/identitymanager/integration-guide/network-configuration/server-configuration/general-purpose/index.md) +topic for additional information. + +Enhancement: Jobs and Policy + +Manual correlations for resources with multiple correlations can now be performed from the Resource +Reconciliation screen. + +Enhancement: Logs / Performance / Security + +Incompatible C# expressions in the configuration will now be flagged during configuration imports. 
A +new tool, ‘Identity Manager-Check-ExpressionsConsistency’, has been introduced to help identify +incompatible expressions. See the +[Usercube-Check-ExpressionsConsistency](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/check-expressionsconsistency/index.md) +topic for additional information. + +Additional logging has been added to the SAP ERP6 provisioning process. + +For SaaS customers, there are new restrictions on scheduled jobs to enforce best practices. Jobs +that run frequently are blocked unless they follow practices such as using incremental modes instead +of full evaluation modes, evaluating only necessary entity types, and avoiding redundant task +executions. Existing jobs are whitelisted, but new non-compliant jobs will generate errors during +configuration imports. + +Enhancement: UI / UX + +Various user interface improvements, including better tooltips on the Role Review screen. + +Enhancement: Other + +The ‘Identity Manager-Export-Bacpac’ tool now allows finer control over data extraction and +anonymization options. See the +[Usercube-Export-Bacpac](/docs/identitymanager/saas/identitymanager/integration-guide/executables/references/export-bacpac/index.md) topic +for additional information. + +Additionally, the demo license is no longer included in the Runtime zip file. If you need a license, +please contact [Netwrix Support](https://www.netwrix.com/support.html). diff --git a/docs/usercube_saas/index.md b/docs/identitymanager/saas/index.md similarity index 100% rename from docs/usercube_saas/index.md rename to docs/identitymanager/saas/index.md diff --git a/docs/usercube_saas/resources/directory_example_v602.xlsx b/docs/identitymanager/saas/resources/directory_example_v602.xlsx similarity index 100% rename from docs/usercube_saas/resources/directory_example_v602.xlsx rename to docs/identitymanager/saas/resources/directory_example_v602.xlsx 
diff --git a/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/upgrading.md b/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/upgrading.md index 1e87c3e55e..6fd9c7261e 100644 --- a/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/upgrading.md +++ b/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/upgrading.md @@ -37,7 +37,7 @@ topic for additional information. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V8.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server @@ -121,7 +121,7 @@ topic for additional information. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V7.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server 
@@ -208,7 +208,7 @@ topic for complete installation instructions. The Password Policy Enforcer 10.2 Password Policy Server is backwards compatible with the V6.x Password Policy Client. You can benefit from most of the new features by upgrading the Password Policy Server on the domain controllers. Do this before deploying the 10.2 Password Policy Client. -See the [What's New](whatsnew.md) topic for additional information. +See the [What's New](/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/administration/whatsnew.md) topic for additional information. ### Upgrading the Password Policy Server diff --git a/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/web/securing_web.md b/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/web/securing_web.md index 589618f048..3752096d80 100644 --- a/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/web/securing_web.md +++ b/docs/passwordpolicyenforcer/10.2/password_policy_enforcer/web/securing_web.md @@ -25,7 +25,7 @@ Refer to the following documentation for more information: - Windows 2012 & 2008 - See the - [Configure Server Certificates in IIS 7]() + [Configure Server Certificates in IIS 7](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732230(v=ws.10)?redirectedfrom=MSDN) Microsoft knowledge base article for additional information. - Windows 2003 diff --git a/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md b/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md index 7cc9f33751..cb7a1fdecc 100644 --- a/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md +++ b/docs/passwordpolicyenforcer/10.2/password_reset/administration/securing_password_reset.md 
@@ -25,7 +25,7 @@ installation process. You can also learn more about using SSL certificates with below. - [http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis](http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis) -- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx]() +- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx](http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx) **NOTE:** Ensure that users only access Password Reset over an encrypted connection after the SSL certificate is installed. The Start address and Restricted path in the Password Reset Client diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/administration_overview.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/administration_overview.md index 59e9f405e0..4b833786b5 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/administration_overview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/administration_overview.md @@ -4,7 +4,7 @@ Netwrix Password Policy Enforcer helps secure your network by ensuring users set When a user enters a password that does not comply with the password policy, Password Policy Enforcer immediately rejects the password and details why the password was rejected. -![introduction_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) +![introduction_2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) Unlike password cracking products that check passwords after they are accepted by the operating system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do 
@@ -13,7 +13,7 @@ not jeopardize network security. You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other networks and applications. -**NOTE:** The [Evaluate Password Policy Enforcer](../evaluation/evaluation_overview.md) contains +**NOTE:** The [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md) contains step-by-step instructions to help you quickly install, configure, and evaluate Password Policy Enforcer. Consider using the Evaluation Guide if you are using Password Policy Enforcer for the first time, prior to installing and deploying on your domains. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/character_rules.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/character_rules.md index eaca053b47..9c6f07aca3 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/character_rules.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/character_rules.md @@ -4,7 +4,7 @@ Password Policy Enforcer has seven Character rules that reject passwords if they contain certain characters. These rules can increase password strength or ensure password compatibility with other systems. -![Character (Granular) Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranular.webp) +![Character (Granular) Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranular.webp) All the Character rules work identically, but each has their own default character set. A character set is the collection of characters that each rule searches for when checking a password. You can 
@@ -34,14 +34,14 @@ Click the + sign by the character set. Select **In position**. -![Restricting Characters](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict.webp) +![Restricting Characters](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict.webp) If you want to restrict this rule to certain character positions, choose the starting position from the first entry box and the ending position from the second entry box. For example, you may want to enforce a rule that requires a numeric character in the second character position to maintain compatibility with some other system. -![Require a number in position 2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict2.webp) +![Require a number in position 2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict2.webp) Click the + sign by the character set. @@ -63,7 +63,7 @@ You can customize character sets with the Characters option for a selected set. **Step 2 –** Enter a **Name**. This example uses **vowels**. -![Set up custom character set](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularvowel.webp) +![Set up custom character set](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularvowel.webp) **Step 3 –** Enter the **Characters**. This example uses **AaEeIiOoUu**. 
@@ -83,8 +83,8 @@ This is done by using two of the Character rules: Set **Characters (Complexity)** to require 1 Numeric character. -![Require a numeric value](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict3.webp) +![Require a numeric value](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict3.webp) Set **Characters (Granular)** to not contain numeric values in the first two positions. -![Don't allow numeric values in first two positions](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict4.webp) +![Don't allow numeric values in first two positions](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/chargranularrestrict4.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppebulkpasswordtest.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppebulkpasswordtest.md index 54d0f1eb7f..00631626a9 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppebulkpasswordtest.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppebulkpasswordtest.md @@ -39,4 +39,4 @@ Bulk test is running... The report is created: "C:\PPE\password.txt_Result_2209222024122350.html". -![Results of the Get-PPEBulkPasswordTest cmdlet](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletgetppebulkpasswordtest.webp) +![Results of the Get-PPEBulkPasswordTest cmdlet](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletgetppebulkpasswordtest.webp) 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeconfigreport.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeconfigreport.md index 83f8f7782c..0a6b1f0fa6 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeconfigreport.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeconfigreport.md @@ -28,4 +28,4 @@ PS C:\> Get-PPEConfigReport -Folder C:\PPE The report is created: "C:\PPE\report.html". -![Creates the PPE Configuration report](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletgetppeconfigreport.webp) +![Creates the PPE Configuration report](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletgetppeconfigreport.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdlets.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdlets.md index 02f9c4fd67..f4cddc9881 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdlets.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdlets.md 
@@ -18,30 +18,30 @@ the **Run as Administrator** option. **Get-PPEHelp** with no parameters, displays a list of available cmdlets. Use the PowerShell **get-help** _Cmdlet_ for information about the cmdlet. -![PPE cmdlets Connect](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletconnect.webp) +![PPE cmdlets Connect](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletconnect.webp) Click a PPE cmdlet name for details. -- [Connect-PPE](cmdconnectppe.md) -- [Copy-PPEPolicy](cmdcopyppepolicy.md) -- [Export-PPEConfig](cmdexportppeconfig.md) -- [Export-PPEPolicy](cmdexportppepolicy.md) -- [Get-PPEBulkPasswordTest](cmdgetppebulkpasswordtest.md) -- [Get-PPEConfigReport](cmdgetppeconfigreport.md) -- [Get-PPEDefaultPolicy](cmdgetppedefaultpolicy.md) -- [Get-PPEEnabled](cmdgetppeenabled.md) -- [Get-PPEHelp](cmdgetppehelp.md) -- [Get-PPELicenseInfo](cmdgetppelicenseinfo.md) -- [Get-PPEPasswordTest](cmdgetppepasswordtest.md) -- [Get-PPEPolicies](cmdgetppepolicies.md) -- [Get-PPEPolicyEnabled](cmdgetppepolicyenabled.md) -- [Get-PPEServerVersion](cmdgetppeserverversion.md) -- [Get-PPEVersion](cmdgetppeversion.md) -- [Import-PPEConfig](cmdimportppeconfig.md) -- [Import-PPEPolicy](cmdimportppepolicy.md) -- [Remove-PPEPolicy](cmdremoveppepolicy.md) -- [Set-PPEDefaultPolicy](cmdsetppedefaultpolicy.md) -- [Set-PPEEnabled](cmdsetppeenabled.md) -- [Set-PPEPolicyEnabled](cmdsetppepolicyenabled.md) -- [Start-PPECompromisedPasswordChecker](cmdstartppecompromisedpasswordchecker.md) -- [Start-PPEHibpUpdater](cmdstartppehibpupdater.md) +- [Connect-PPE](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdconnectppe.md) +- [Copy-PPEPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdcopyppepolicy.md) +- [Export-PPEConfig](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdexportppeconfig.md) +- 
[Export-PPEPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdexportppepolicy.md) +- [Get-PPEBulkPasswordTest](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppebulkpasswordtest.md) +- [Get-PPEConfigReport](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeconfigreport.md) +- [Get-PPEDefaultPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppedefaultpolicy.md) +- [Get-PPEEnabled](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeenabled.md) +- [Get-PPEHelp](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppehelp.md) +- [Get-PPELicenseInfo](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppelicenseinfo.md) +- [Get-PPEPasswordTest](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppepasswordtest.md) +- [Get-PPEPolicies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppepolicies.md) +- [Get-PPEPolicyEnabled](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppepolicyenabled.md) +- [Get-PPEServerVersion](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeserverversion.md) +- [Get-PPEVersion](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdgetppeversion.md) +- [Import-PPEConfig](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdimportppeconfig.md) +- [Import-PPEPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdimportppepolicy.md) +- [Remove-PPEPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdremoveppepolicy.md) +- [Set-PPEDefaultPolicy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdsetppedefaultpolicy.md) +- 
[Set-PPEEnabled](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdsetppeenabled.md) +- [Set-PPEPolicyEnabled](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdsetppepolicyenabled.md) +- [Start-PPECompromisedPasswordChecker](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppecompromisedpasswordchecker.md) +- [Start-PPEHibpUpdater](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppehibpupdater.md) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppehibpupdater.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppehibpupdater.md index 4c8a51e713..e0436bab34 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppehibpupdater.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/cmdstartppehibpupdater.md @@ -40,4 +40,4 @@ EXAMPLE PS C:\> Start-PPEHibpUpdater -Folder "C:\HIBP\DB" -File "C:\Users\Administrator\Desktop\db for HIBP Updater not real small\stealthintercept-hibp-database-1.0.0.zip -![HIBP Update](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletstartppehibpupdater.webp) +![HIBP Update](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/cmdletstartppehibpupdater.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/complexity_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/complexity_rule.md index 80857b2855..da0e96c09d 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/complexity_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/complexity_rule.md 
@@ -3,7 +3,7 @@ The Complexity rule rejects passwords that do not contain characters from a variety of character sets. Using several character types can make passwords more difficult to crack. -![Character Complexity Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/charcomplexity.webp) +![Character Complexity Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/charcomplexity.webp) Select the **Characters (Complexity)** checkbox to enable the Character Complexity rule. @@ -16,7 +16,7 @@ greater than the number of required character sets. Select the **Passwords must always comply with this rule** check box to make the Complexity rule mandatory. Password Policy Enforcer rules are mandatory by default, but can be made optional by changing the Reject passwords that do not comply with value in the Policy Properties page. A -mandatory rule can still be disabled when a passphrase is used. See the [Passphrase](passphrases.md) +mandatory rule can still be disabled when a passphrase is used. See the [Passphrase](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md) topic for additional information. **NOTE:** The Complexity rule uses custom character set definitions from the Character rules, even diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md index c1c40f26d0..9b528e949a 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md 
@@ -3,7 +3,7 @@ The Compromised rule rejects passwords from prior breaches. These passwords should not be used as they are vulnerable to credential stuffing attacks. -![Compromised password rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromised.webp) +![Compromised password rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromised.webp) Select the **Compromised** check box to enable the Compromised rule. @@ -13,5 +13,5 @@ can contain environment variables like **CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files degrades performance, and could jeopardize security. -See the [HIBP Updater](hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) +See the [HIBP Updater](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) database usage. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md index 1defe47d71..373686dea5 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md @@ -5,7 +5,7 @@ advised or forced to change their password. The check can be scheduled to check against a compromised hash list at any time. **NOTE:** Create the **Compromised Passwords Base** file prior to enabling the Compromised Password -Check. See the [HIBP Updater](hibpupdater.md) topic for instructions. +Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md) topic for instructions. The Compromised Password Checker is launched from the Configuration Console: 
@@ -20,10 +20,10 @@ set to **None**. Click the **Compromised Password Check** toggle to enable/disable the feature. -![Compromised Password Check](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromisedpasswords.webp) +![Compromised Password Check](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromisedpasswords.webp) - **Compromised Passwords Base** specify the database to use when checking for compromised - passwords. Netwrix recommends using the [HIBP Updater](hibpupdater.md) to create this database. + passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md) to create this database. Click **Browse** to navigate to the folder. Default is **C:\HIBP\DB** - **Domain Controller (FQDN)** specify the fully qualified domain controller name where you want to run the password check. Click **Browse** and select from the list. @@ -38,7 +38,7 @@ Click the **Compromised Password Check** toggle to enable/disable the feature. - **Set up email** click to set up the email message for users. Enter the **From** address and edit the subject and body template as needed. Click **Apply** to save changes. - ![Email user notification of compromised password](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/emailusernotification.webp) + ![Email user notification of compromised password](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/emailusernotification.webp) Click **Save** to save your settings before running the check or setting up a schedule. 
@@ -58,7 +58,7 @@ Here is an example of the compromised passwords list: Click **Schedule** to set up a schedule to run the Compromised Password Check. -![Schedule the Compromised Password Policy Check](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromisedpasswordsschedule.webp) +![Schedule the Compromised Password Policy Check](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/compromisedpasswordsschedule.webp) Select the **Frequency**: diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md index 911c17e6fa..f938a83416 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md @@ -9,7 +9,7 @@ Click **Start** > **Netwrix Password Policy Enforcer** > **PPE Configuration** or Double click the **PPE Configuration** desktop shortcut. -![Configuration Console Dashboard](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) +![Configuration Console Dashboard](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) ## Dashboard Controls 
@@ -23,9 +23,9 @@ Enforcer. In addition, there are tiles to access Password Policy Enforcer major features: -- [Manage Policies](manage_policies.md) -- [Compromised Password Check](compromisedpasswordcheck.md) -- [System Audit and Support](systemaudit.md) - Version Tracker, Support Tools, Property Editor +- [Manage Policies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md) +- [Compromised Password Check](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md) +- [System Audit and Support](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/systemaudit.md) - Version Tracker, Support Tools, Property Editor See the specific topics for details. @@ -34,15 +34,15 @@ See the specific topics for details. The toggle enables/disables Password Policy Enforcer on all domain controllers. It is enabled by default. -![Enable/Disable PPE](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/enabledisableppeconsole.webp) +![Enable/Disable PPE](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/enabledisableppeconsole.webp) Click the toggle to disable PPE: -![Disable PPE](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/disable.webp) +![Disable PPE](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/disable.webp) If PPE  is disabled, click the toggle to enable: -![Enable PPE](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/disabled.webp) +![Enable PPE](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/disabled.webp) ### Connected To 
@@ -66,7 +66,7 @@ Domain - Select a Domain Controller from the list of domain controllers where PPE is installed. - Configuration is replicated to all the domain controllers in the domain. -![Connect To Domain Configuration](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/connecttodomain.webp) +![Connect To Domain Configuration](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/connecttodomain.webp) Local @@ -75,9 +75,9 @@ Local - You can copy a local configuration to another computer by exporting the configuration from the registry, and then importing it into the registry of the other computer. You can also use Group Policy to distribute a local configuration to many computers. See the - [Domain and Local Policies](domain_and_local_policies.md) topic for additional information. + [Domain and Local Policies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md) topic for additional information. -![Connected To Local Configuration](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/connecttodomain.webp) +![Connected To Local Configuration](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/connecttodomain.webp) ### Help @@ -109,7 +109,7 @@ If you make changes, click **Save** to keep your changes or **Discard** to cance Here are the default settings. -![General Settings PPE](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingsgeneral.webp) +![General Settings PPE](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingsgeneral.webp) - **Default policy** sets the policy to be enforced on the domain or local computer unless users have a different policy assigned to them. 
@@ -119,11 +119,11 @@ Here are the default settings. - Minimum Age rule is never enforced during a reset. - History rule is enforced if this option is selected and the **Enforce this rule when a - password is reset** option is selected on the [History Rule](history_rule.md) Properties. + password is reset** option is selected on the [History Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md) Properties. - **Accept encrypted client request only** specifies requests from Password Policy Client, Netwrix Password Reset and Password Policy/Web must be encrypted. Client requests do not contain passwords - or password hashes. See the [Password Policy Client](password_policy_client.md) topic for + or password hashes. See the [Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for additional information. Default is checked. - **Log event when password not checked by service** adds an entry to the Windows Application Event Log whenever it accepts a password without checking it. Default is checked. This can occur if: @@ -151,7 +151,7 @@ Here are the default settings. - An event is only logged if the Password Policy Enforcer Client version is 9.0 or later. If a password is rejected by the Password Policy Server, then the event is logged. - Client logged events only show the local rules the password violated. For example, the - Compromised rule is only enforced by the Password Policy Server. See the [Rules](rules.md) + Compromised rule is only enforced by the Password Policy Server. See the [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md) topic for additional information. - Client rejections can be lost or duplicated if there are communication issues between the Password Policy Client and Password Policy Server. 
@@ -168,7 +168,7 @@ If you make changes, click **Save** to keep your changes or **Discard** to cance Here are the default settings. -![Notifications Settings](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingsnotifications.webp) +![Notifications Settings](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingsnotifications.webp) - **Send email reminders**: check this option to send reminders. Default is not checked. @@ -202,7 +202,7 @@ either the domain or to a local computer, depending on your Connected To configu To add or update your license, copy it from the email or file, then click **Paste license from clipboard**. -![License Settings Tab](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingslicense.webp) +![License Settings Tab](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/settingslicense.webp) - **License type** and **Licensed to** are set based on your sales agreement. - **Users** is the total number of available licenses. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md index 8af9c90274..b27ade8382 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md 
@@ -2,7 +2,7 @@ This Password Policy Enforcer configuration console configures and manages Password Policy Enforcer's global properties. It can be installed on any servers and workstations in your domain. -See the [Install the Configuration Console](../install/installationconfigconsole.md) topic for +See the [Install the Configuration Console](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationconfigconsole.md) topic for additional information. For security, you can disable/enable it as needed without uninstalling it. Open the Configuration Console: @@ -14,8 +14,8 @@ Double click the **PPE Configuration** desktop shortcut. If this is the first time you have launched the Configuration Console, you are prompted to click **Yes** to create a new configuration. -![First start](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppe1.webp) +![First start](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppe1.webp) -The [Configuration Console](configconsole.md) is displayed: +The [Configuration Console](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md) is displayed: -![Configuration Console Dashboard](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) +![Configuration Console Dashboard](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configuring_the_password_policy_client.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configuring_the_password_policy_client.md index bec4c18bcb..71179b068c 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configuring_the_password_policy_client.md 
+++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configuring_the_password_policy_client.md @@ -1,7 +1,7 @@ # Configuring the Password Policy Client The Password Policy Client is self-configuring and does not require manual configuration in most -cases. See the [Install Password Policy Enforcer Client](../install/installationclient.md) topic for +cases. See the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md) topic for additional details. You may need to manually configure the Password Policy Client if: - You want to install it in a disabled state to be enabled later. 
@@ -24,17 +24,17 @@ have the group policy management console available. (x86)\Password Policy Enforcer) and copy the **PPEClt.adml** and **PPEClt.admx** files (highlighted in yellow): -![ppc_configuration](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration.webp) +![ppc_configuration](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration.webp) **Step 3 –** Go to C:\Windows\Policy Definitions and paste the .admx file in the root of this folder. -![ppc_configuration2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration2.webp) +![ppc_configuration2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration2.webp) **Step 4 –** Go to C:\Windows\Policy Definitions\en-US and paste the .adml file in the root of this folder. -![ppc_configuration1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration1.webp) +![ppc_configuration1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration1.webp) **Step 5 –** Open **Group Policy Management** console and check if you have a GPO created for Client. If not, see the topic's section for additional information. 
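Review bot: Step 5 in the trailing context of this hunk reads "If not, see the topic's section for additional information", with no topic name and no link, so a change meant to repair links leaves this reference dangling; restore the target or name the topic. Steps 3 and 4 also give the folder as `C:\Windows\Policy Definitions`, while the Windows ADMX folder is `C:\Windows\PolicyDefinitions` (no space); readers copy these paths, so it is worth correcting in the same pass.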
@@ -45,18 +45,18 @@ it here. Once the GPO is configured, this view is available: -![ppc_configuration3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration3.webp) +![ppc_configuration3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration3.webp) **Step 7 –** Right-click the newly created GPO and select **Edit** from the pop-up menu. **Step 8 –** Expand **Computer Configuration** > **Policies** > **Administrative Templates** > **Netwrix Password Policy Enforcer** -![ppc_configuration4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration4.webp) +![ppc_configuration4](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration4.webp) **Step 9 –** Click on **Netwrix Password Policy Client** to open a list of modification settings. -![ppc_configuration5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration5.webp) +![ppc_configuration5](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppc_configuration5.webp) **Step 10 –** Select the one you need, then modify and save it. 
@@ -70,7 +70,7 @@ The Password Policy Client for Windows 10 and 11 maximizes the available screen non-essential user interface elements on small screens. It can also display the Password Policy message in a message box to draw attention to the password policy. -![the_password_policy_client_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_3.webp) +![the_password_policy_client_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_3.webp) You can change the default display settings to control which user interface elements are hidden, and the point at which they are hidden. The display of the Password Policy message box is also diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/dictionary_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/dictionary_rule.md index 7bc89eff0f..8646a8f45f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/dictionary_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/dictionary_rule.md @@ -4,7 +4,7 @@ The Dictionary rule rejects passwords that are vulnerable to guessing, hybrid, a attacks. These attacks can crack weak passwords in seconds, and they can be very effective if passwords are based on common words. -![Dicitonary Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/dictionary.webp) +![Dicitonary Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/dictionary.webp) There are two Dictionary rules in each password policy. You can use the second rule with a different dictionary file, or to enforce a more tolerant policy for passphrases by disabling the primary rule 
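Review bot: the alt text on the changed image line in dictionary_rule.md (hunk `@@ -4,7 +4,7 @@`) is still misspelled as `![Dicitonary Rule]`. The line is being rewritten anyway, so change it to "Dictionary Rule" so that screen readers and search pick up the right term.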
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/disable_windows_rules.md index 1487dec343..f4a4bfb660 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/disable_windows_rules.md @@ -5,7 +5,7 @@ complexity. If you enable the Password Policy Enforcer rules and the Windows rul comply with both sets of rules. Password Policy Enforcer has its own history, minimum and maximum age, length, and complexity rules. -See the [Rules](rules.md) topic for additional information. You can use the Password Policy Enforcer +See the [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md) topic for additional information. You can use the Password Policy Enforcer and Windows rules together. A password is only accepted if it complies with the Windows and Password Policy Enforcer password policies. @@ -34,7 +34,7 @@ Settings**, **Account Policies**, and **Password Policy** items. **Step 10 –** Close the Group Policy Management Editor. -![installing_ppe_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer.webp) +![installing_ppe_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer.webp) **NOTE:** You do not have to disable all the Windows password policy rules to use Password Policy Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md index f19666e4b0..32ac7af400 100644 
--- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md @@ -18,7 +18,7 @@ policies for the domain accounts. To enforce password policies for domain user accounts, you should install Password Policy Enforcer onto all the domain controllers in the domain. If you have read-only domain controllers and aren't -using the [Rules](rules.md), [Password Policy Client](password_policy_client.md), or other software +using the [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md), or other software (such as [Netwrix Password Reset](https://www.netwrix.com/active_directory_password_reset_tool.html)) that uses the Password Policy Enforcer Client protocol, then you do not need to install Password Policy 
@@ -43,9 +43,9 @@ is also some information, such as the user's OU, which does not exist in the SAM limitations, the following rules and features cannot be used with local password policies: - The Minimum Age and Maximum Age rules (you can use the Windows version of these rules with - Password Policy Enforcer). See the [Rules](rules.md) topic for additional information. + Password Policy Enforcer). See the [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md) topic for additional information. - Policy assignments by groups and containers. See the - [Assign Policies to Users & Groups](usersgroups.md) topic for additional information. + [Assign Policies to Users & Groups](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md) topic for additional information. Password Policy Enforcer's configuration is stored in Active Directory for domain password policies, and in the Windows registry for local password policies. The Connect To page in the Password Policy @@ -75,7 +75,7 @@ pane. **Step 5 –** Right-click the **Registry** item, and then select **New** > **Registry Wizard**. -![domain_and_local_policies](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/domain_and_local_policies.webp) +![domain_and_local_policies](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/domain_and_local_policies.webp) **Step 6 –** Select the computer that contains the Password Policy Enforcer local configuration that you want to distribute, and then click **Next**. 
@@ -85,7 +85,7 @@ you want to distribute, and then click **Next**. **Step 8 –** Click the **Password Policy Enforcer _version_** item, and then select the check boxes beside each item in the bottom pane of the window. -![domain_and_local_policies_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/domain_and_local_policies_1.webp) +![domain_and_local_policies_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/domain_and_local_policies_1.webp) **Step 9 –** Click **Finish**. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md index 23b751b8d4..16c191c661 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md @@ -4,7 +4,7 @@ Password Policy Enforcer can be configured to use the Have I Been Pwnd (HIBP) da this database is hosted on the Netwrix website. The HIBP database contains a list of the hashes of known compromised passwords. During password change operations, the application can be configured to reject passwords with a hash that matches a hash in the HIBP database. See the Password Policy -Enforcer [Compromised Password Check](compromisedpasswordcheck.md) topic for HIBP database +Enforcer [Compromised Password Check](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromisedpasswordcheck.md) topic for HIBP database information and configuration options. The HIBP database must be initially deployed to a server or workstation with an internet connection 
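Review bot: the opening paragraph of hibpupdater.md, visible as context in hunk `@@ -4,7 +4,7 @@`, spells the service "Have I Been Pwnd"; the service name is "Have I Been Pwned". The same spelling sits on the changed line in compromised_rule.md ("the Have I Been Pwnd (HIBP) database usage"), so both can be fixed in this change.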
@@ -32,7 +32,7 @@ The HIBP Updater is installed when you install the Password Policy Enforcer Conf ...\Program Files\Password Policy Enforcer\HIBP\ -![hibpfolder](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/hibpfolder.webp) +![hibpfolder](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/hibpfolder.webp) **Step 2 –** Click HIBPWINUpdater. @@ -45,7 +45,7 @@ breach. **NOTE:** First-time configuration of this window requires downloading the HIBP database from the Netwrix website. -![HIBP Updater](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/hibpupdater.webp) +![HIBP Updater](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/hibpupdater.webp) **CAUTION:** Ensure the initial update of the database occurs during non-office hours. Due to the size of the hash file, this download takes up a significant amount of CPU and download time. @@ -98,7 +98,7 @@ Compromised rule to read the files from: \\127.0.0.1\sysvol\your.domain\filename.db -See the [Compromised Rule](compromised_rule.md) topic for additional information. +See the [Compromised Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md) topic for additional information. The path above only works if the computer has a Sysvol share. This will not be the case if you are using a workstation for policy testing, or if you are using Password Policy Enforcer to enforce 
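Review bot: the context of hunk `@@ -98,7 +98,7 @@` tells readers to point the Compromised rule at `\\127.0.0.1\sysvol\your.domain\filename.db`, and the topic it now links to (compromised_rule.md) carries a CAUTION that hash files should only be read from a local disk because shared hash files could jeopardize security. Add a sentence here stating that the loopback address makes each machine read the Sysvol share on that same machine; without it the two topics read as contradictory, and a reader may substitute a remote server name in the UNC path.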
@@ -124,7 +124,7 @@ Follow the steps to schedule a task. **Step 2 –** Click **Add Schedule**. An Edit Schedule window appears that looks similar to the HIBP Updater window. -![editschedule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/editschedule.webp) +![editschedule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/editschedule.webp) **Step 3 –** Enter the Name and Description of the schedule. @@ -143,6 +143,6 @@ The HIBP database will be updated according to the configurations. The Schedule List window shows the names, run times, next run times, and whether the schedule is enabled or not. -![schedulelist](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/schedulelist.webp) +![schedulelist](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/schedulelist.webp) Use this window to Add, Edit, or Delete schedules for the HIBP Updater. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md index e4cffecade..6916d18659 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md @@ -5,7 +5,7 @@ should be avoided because it defeats the purpose of regular password changes. Pa Enforcer can stop users from reusing passwords for a specified number of password changes or a number of days. -![History rule](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) +![History rule](/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) Select the **History** check box to enable the History rule. 
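Review bot: the History rule screenshot in history_rule.md (hunk `@@ -5,7 +5,7 @@`) is still served from another product's tree, `/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp`, while the other rule topics in this change (Compromised, Dictionary, Length, Maximum Age) load from `/img/product_docs/passwordpolicyenforcer/...`. Confirm that the file actually shows the Password Policy Enforcer History rule dialog; if it was matched by file name only, point the link at the Password Policy Enforcer asset instead.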
@@ -108,7 +108,7 @@ Replacing the last parameter with your domain's DN. **Step 4 –** Press **ENTER** and check the output for errors. -![ppe_rules_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppe_rules_8.webp) +![ppe_rules_8](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppe_rules_8.webp) ## Using an Existing Attribute for the Password History diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/length_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/length_rule.md index 2e59ce7ddc..8c053a04ae 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/length_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/length_rule.md @@ -4,7 +4,7 @@ The Length rule rejects passwords that contain too few or too many characters. L generally stronger, so only specify a maximum password length if password compatibility must be maintained with a system that cannot accept long passwords. -![Length rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/length.webp) +![Length rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/length.webp) Select the **Length** check box to enable the Length rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md index 1adfd54969..21e1162503 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md 
@@ -2,7 +2,7 @@ Netwrix Password Policy Enforcer can enforce up to 256 different password policies. You can assign policies to users directly, or indirectly through Active Directory security groups and containers -(Organizational Units). See the [Assign Policies to Users & Groups](usersgroups.md) topic for +(Organizational Units). See the [Assign Policies to Users & Groups](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md) topic for additional information. Open the Configuration Console: @@ -11,14 +11,14 @@ Click **Start** > **Netwrix Password Policy Enforcer** > **PPE Configuration** or Double click the **PPE Configuration** desktop shortcut. -![Configuration Console Dashboard](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) +![Configuration Console Dashboard](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) The Configuration Console dashboard shows **No password policies have been set up** when you are getting started with Password Policy Enforcer. Once you **Add a policy**, the dashboard shows the defined policies and tool links. In this example, the Default Password Policy and CIS Password Policy Guide have been added. -![Dashboard with Policies](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppedashboardpolicies.webp) +![Dashboard with Policies](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/ppedashboardpolicies.webp) The policy management links are all on the Password Policies tile: 
@@ -91,31 +91,31 @@ most popular regulatory frameworks. Once you add a policy, it needs to be set up or reviewed if you used a template. Click on the policy name to edit the policy. For each policy: -- Set up [Rules](rules.md). -- [Assign Policies to Users & Groups](usersgroups.md). -- Enable the use of an optional [Passphrase](passphrases.md). -- Set up [Policy Properties](policy_properties.md). -- Set up [Messages](messages.md) for your users. +- Set up [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md). +- [Assign Policies to Users & Groups](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md). +- Enable the use of an optional [Passphrase](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md). +- Set up [Policy Properties](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/policy_properties.md). +- Set up [Messages](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/messages.md) for your users. ## Test Policy Launches the Test policy tool in a separate window. You can test **By user** and by **Password bulk -test**. See the [Test Policy](testpolicy.md) topic for additional information. +test**. See the [Test Policy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md) topic for additional information. ## Set Priorities Set priorities determines which policy to enforce if users have more than one policy. Click **Apply priorities** to save the new order. -![Set priorities](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/policypriority.webp) +![Set priorities](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/policypriority.webp) ### Policy Selection Flowchart This flowchart shows how Password Policy Enforcer determines a policy for each user. 
Use the -[Test Policy](testpolicy.md) tool to quickly determine which policy Password Policy Enforcer is +[Test Policy](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md) tool to quickly determine which policy Password Policy Enforcer is enforced for a particular user. -![managing_policies](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/managing_policies.webp) +![managing_policies](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/managing_policies.webp) ## Export diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/maximum_age_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/maximum_age_rule.md index 3974aac4a4..461c50ad3d 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/maximum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/maximum_age_rule.md @@ -4,7 +4,7 @@ The Maximum Age rule forces users to change their passwords regularly. This decr of an attacker discovering a password before it changes. This rule can only be enforced by domain policies. -![Maximum Age rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/agemax.webp) +![Maximum Age rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/agemax.webp) Select the **Age (Max)** checkbox to enable the Maximum Age rule. @@ -101,5 +101,5 @@ The email's subject and body can contain various macros. Use these macros to per ### Set up SMTP -Opens the Notification settings. See the [Configuration Console](configconsole.md) topic for +Opens the Notification settings. See the [Configuration Console](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md) topic for additional details. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/messages.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/messages.md index a7c0b56305..2dc71ff421 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/messages.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/messages.md @@ -11,7 +11,7 @@ Password Policy Client messages. to see if their passwords meet the requirements of the policy set by the organization. Here is an example of a live policy message. - ![Messages](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/mesages2.webp) + ![Messages](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/mesages2.webp) **NOTE:** Start each custom message with two spaces, a hypen, and a space before your message so the X and checks can appear for the rule. For example: " **- Include an upper case alpha @@ -32,7 +32,7 @@ Double click the **PPE Configuration** desktop shortcut. **Step 3 –** Open the **Messages** tab. -![Set up messages](../../../../../static/img/product_docs/accessanalyzer/admin/jobs/messages.webp) +![Set up messages](/img/product_docs/accessanalyzer/admin/jobs/messages.webp) **Step 4 –** Select the message language from the drop-down list. You can set messages for multiple languages. You do not have to create a Password Policy Enforcer policy for each language. To set 
@@ -45,7 +45,7 @@ Reason, and Generic rejection messages for any of the components you want to use **Step 6 –** Insert the macros into your message. Click **Macro** and pick one to insert it. -![Use macros for your message](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/messagesmacros.webp) +![Use macros for your message](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/messagesmacros.webp) **Step 7 –** Click **Save** and review your changes in the Preview area. Click **Save** f you edit the message. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/minimum_age_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/minimum_age_rule.md index ec773bd2f4..62c8f2e046 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/minimum_age_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/minimum_age_rule.md @@ -3,7 +3,7 @@ The Minimum Age rule stops users from quickly cycling through a series of passwords in order to evade the History and Similarity rules. This rule can only be enforced by domain policies. -![Minimum age rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/agemin.webp) +![Minimum age rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/agemin.webp) Select the **Age (Min)** check box to enable the Minimum Age rule. 
@@ -13,7 +13,7 @@ Select the number of days before a user can change their password. password; they must wait until the required number of days has elapsed. The Password Policy Client consequently handles rejections by this rule differently to other rules. Rather than displaying the usual message components, the Password Policy Client only displays the Minimum Age rule's Reason -insert. See [Password Policy Client](password_policy_client.md) topic for additional information. +insert. See [Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for additional information. The Rejection Reason template, macros, and inserts from other rules are not displayed when a password change is denied by the Minimum Age rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md index 525f52c5dc..4ff98ee925 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md @@ -18,7 +18,7 @@ Double click the **PPE Configuration** desktop shortcut. **Step 3 –** Open the **Passphrase** tab. -![Enable Passphrases](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/passphrase.webp) +![Enable Passphrases](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/passphrase.webp) **Step 4 –** Select the number of characters the password must contain before the selected rules are disabled. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md index 44738f9e64..0168981931 100644 
--- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md @@ -4,13 +4,13 @@ The Password Policy Client helps users to choose a compliant password. Detailed provided if their new password is rejected. The Password Policy Client is optional. If it is not installed, the -[Similarity Rule](similarity_rule.md) can not be enforced. Users only see the default Windows error +[Similarity Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md) can not be enforced. Users only see the default Windows error message if their password is rejected, not the detailed help they receive from the Password Policy Client. -![the_password_policy_client](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client.webp) +![the_password_policy_client](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client.webp) -![the_password_policy_client_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_1.webp) +![the_password_policy_client_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_1.webp) The Password Policy Client displays the password policy during a password change so that users can see the policy while they choose their password. The Password Policy Client also displays a detailed diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/patterns.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/patterns.md index de1fefad79..a240d2ba8e 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/patterns.md 
+++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/patterns.md @@ -3,7 +3,7 @@ The Patterns rule rejects passwords that contain character patterns such as "abcde". Character patterns weaken the password. -![Patterns rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/patterns.webp) +![Patterns rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/patterns.webp) Select the **Patterns** check box to enable the Patterns rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/policy_properties.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/policy_properties.md index 7688366fed..9011c7bce8 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/policy_properties.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/policy_properties.md @@ -12,7 +12,7 @@ Double click the **PPE Configuration** desktop shortcut. **Step 3 –** Open the **Properties** tab. -![Set the Policy Properties](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) +![Set the Policy Properties](/img/product_docs/activitymonitor/activitymonitor/install/agent/properties.webp) Each policy must have a unique name. To change the name of a policy, type the new name in the text box. 
@@ -41,10 +41,10 @@ Select the number of rules for **Passwords must comply with** from the drop-down the required compliance level for this policy. The default value **(all the rules**) requires users to comply with all enabled rules. Choose an alternative option if Password Policy Enforcer should enforce a more lenient password policy. The Minimum Age and Maximum Age rules are excluded from -compliance level calculations. See the [Rules](rules.md) topic for additional information. +compliance level calculations. See the [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md) topic for additional information. When setting the compliance level, consider that some rules may be disabled when a user enters a -passphrase. See the [Passphrase](passphrases.md) topic for additional information. Password Policy +passphrase. See the [Passphrase](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/passphrases.md) topic for additional information. Password Policy Enforcer accepts passphrases that comply with all enabled rules, irrespective of the compliance level. This ensures that passphrases can be used, even if they do not meet the compliance level when Password Policy Enforcer is configured to disable one or more rules for passphrases. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/repetition.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/repetition.md index 8a2bbe6246..93ff845125 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/repetition.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/repetition.md 
@@ -5,7 +5,7 @@ Reducing repetition increase resistance to both brute-force and dictionary crack Repetition rule is not case sensitive, so "mypaSssSword" contains four consecutive repeating characters (SssS). -![Repetition Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/repetition.webp) +![Repetition Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/repetition.webp) Select the **Repetition** check box to enable the repetition rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md index f38006ebc8..9520ed75bd 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md @@ -15,7 +15,7 @@ Double click the **PPE Configuration** desktop shortcut. The **Rules** tab opens by default. A check mark beside a rule indicates that the rule is enabled (being enforced). Click a rule to set the rule's properties. -![Enabled rules are checked](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/enabledrules.webp) +![Enabled rules are checked](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/enabledrules.webp) Review the sections on **Detecting Character Substitution** and **Tolerance** prior to setting up the rules for your policy. 
@@ -25,18 +25,18 @@ logging** on the **Test Policy** window to see which rules you have tested. Rules: -- [Age (Max) Rule](maximum_age_rule.md) -- [Age (Min) Rule](minimum_age_rule.md) -- [Characters (Complexity) Rule](complexity_rule.md) -- [Character (Granular) Rules](character_rules.md) -- [Compromised Rule](compromised_rule.md) -- [Dictionary Rule](dictionary_rule.md) -- [History Rule](history_rule.md) -- [Length Rule](length_rule.md) -- [Patterns Rule](patterns.md) -- [Repetition Rule](repetition.md) -- [Similarity Rule](similarity_rule.md) -- [Unique Characters Rule](unique_characters.md) +- [Age (Max) Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/maximum_age_rule.md) +- [Age (Min) Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/minimum_age_rule.md) +- [Characters (Complexity) Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/complexity_rule.md) +- [Character (Granular) Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/character_rules.md) +- [Compromised Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/compromised_rule.md) +- [Dictionary Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/dictionary_rule.md) +- [History Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/history_rule.md) +- [Length Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/length_rule.md) +- [Patterns Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/patterns.md) +- [Repetition Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/repetition.md) +- [Similarity Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md) +- [Unique Characters Rule](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/unique_characters.md) ## Detecting Character 
Substitution diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md index f6cd0a76d3..35802254df 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/similarity_rule.md @@ -4,7 +4,7 @@ The Similarity rule rejects passwords that are similar to a user's current passw similarity may indicate that a user is serializing their passwords. For example, "password1", "password2", "password3". Password serialization allows an attacker to guess the new password. -![Similarity Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/similarity.webp) +![Similarity Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/similarity.webp) Select the **Similarity** check box to enable the Similarity rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/systemaudit.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/systemaudit.md index 2f2ec93621..fe6a1c570b 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/systemaudit.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/systemaudit.md 
@@ -15,14 +15,14 @@ configuration setting. System Audit and Support opens on the **Version Tracker** ## Version Tracker -![System Audit and Support Version Tracker tab](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemaudit.webp) +![System Audit and Support Version Tracker tab](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemaudit.webp) Click **Run test**. The audit reports the discovered domain controllers and versions. **NOTE:** If you do not see the **Configuration Timestamp**, contact your network administrator to set up the firewall to allow Password Policy Enforcer to communicate. -![System Audit results](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemauditversion.webp) +![System Audit results](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemauditversion.webp) You can click the export icon to download your results. The file name is **Audit\_\_**timestamp**\_.xlxs**, it is downloaded into the default **Downloads** folder. For large @@ -37,7 +37,7 @@ the logs. The **Support Tools** tab enables you to save a configuration report, export/import PPE settings, and open the property editor. -![System Audit Support Tools tab](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemaudittools.webp) +![System Audit Support Tools tab](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/systemaudittools.webp) - **Policies Configuration Report** saves the configuration as a text file. Browse to the folder where you want the report. The default filename is **PPEConfig.txt**. 
@@ -62,7 +62,7 @@ or **System Audit and Support** > **Support Tools** > **Open editor** -![Property Editor](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/propertyeditor.webp) +![Property Editor](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/propertyeditor.webp) - **Policy**: select the policy to edit. - **Property**: select the property to change. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md index 8aab58b427..c30ebd3615 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md @@ -7,7 +7,7 @@ testing. Test policy opens on the **By user** tab. -![Test by User](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuser.webp) +![Test by User](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuser.webp) ## By User 
@@ -21,14 +21,14 @@ up a policy. **Step 3 –** **Type in a password to simulate its change**. As you type, the new password is evaluated and the results are displayed. -![Failing Password](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserfail.webp) +![Failing Password](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserfail.webp) The entered password is failing in this example, due to not meeting the length requirement. There is a red x indicating the failure. You can hover over the requirements to see the rule name. In this example, the password passes. Notice the green check beside the entered password. -![Passing password](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserpass.webp) +![Passing password](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserpass.webp) Expand the **View log** for details: @@ -39,7 +39,7 @@ Expand the **View log** for details: Turn on **Verbose Logging** to view the performed tests and results. -![Verbose logging](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserverbose.webp) +![Verbose logging](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testuserverbose.webp) ## Bulk Password Test @@ -51,7 +51,7 @@ up a policy. **Step 2 –** Open the **Password bulk test** tab. -![Password bulk test](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulk.webp) +![Password bulk test](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulk.webp) **Step 3 –** Select a policy for the test. 
@@ -60,7 +60,7 @@ the file is not on a shared drive. **Step 5 –** Click **Test passwords**. The **Statistics** are displayed. -![Test results](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulkresult.webp) +![Test results](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulkresult.webp) | Statistics of the Bulk Password Testing | | | --------------------------------------- | --------------------------------------------------------------------------------------- | @@ -73,7 +73,7 @@ the file is not on a shared drive. Click **Show full report** to view the test details. -![Test Bulk Report](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulkreport.webp) +![Test Bulk Report](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testbulkreport.webp) You can use the **Report settings** to customize the report: diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/troubleshooting.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/troubleshooting.md index a56216c500..404b7e32ec 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/troubleshooting.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/troubleshooting.md 
@@ -11,7 +11,7 @@ them. Select the first (blank) item in the drop-down list if you do not want a d Open the Programs and Features list in Control Panel on the computer you are changing the password from, and check if the Password Policy Client is in the list of installed programs. If it is not, -then install the Password Policy Client. See the [Password Policy Client](password_policy_client.md) +then install the Password Policy Client. See the [Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for additional information. If Password Policy Enforcer is enforcing a domain policy, then search the Windows Application Event @@ -30,10 +30,10 @@ Use the Test Policies page to test a password for the user. Click the **Log** ta password policy is assigned to the user. Make sure that the Password Policy Server is enabled. See the -[Configuration Console](configconsoleoverview.md) topic for additional information. +[Configuration Console](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md) topic for additional information. Make sure that the Password Policy Client is enabled. See -[Password Policy Client](password_policy_client.md) topic for additional information. +[Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for additional information. #### Accepting passwords that do not comply with the policy diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/unique_characters.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/unique_characters.md index f78d3257a8..c4fc5c7528 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/unique_characters.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/unique_characters.md 
@@ -7,7 +7,7 @@ in a password increases password strength by avoiding repetitive sequences that The Unique Characters rule is case sensitive, so "LoOpHole" contains seven unique characters (LoOpHle). -![Unique characters rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/unique.webp) +![Unique characters rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/unique.webp) Select the **Unique characters** check box to enable the Unique Characters rule. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md index e08940c161..e538b18177 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/usersgroups.md @@ -3,7 +3,7 @@ Password Policy Enforcer uses policy assignments to decide which policy to enforce for each user. Domain policies can be assigned to users, groups, and containers (Organizational Units). Local policies can only be assigned to users. See the -[Domain and Local Policies](domain_and_local_policies.md) topic for additional information. +[Domain and Local Policies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md) topic for additional information. **Step 1 –** Open the Configuration Console: 
@@ -15,7 +15,7 @@ Double click the **PPE Configuration** desktop shortcut. **Step 3 –** Open the **Users & Groups** tab. -![Assign policies to Users and Groups](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/usersandgroups.webp) +![Assign policies to Users and Groups](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/usersandgroups.webp) When a domain policy is assigned to a user or group, Password Policy Enforcer stores the user or group SID in the configuration. The assignment remains valid even if the user or group is renamed. @@ -33,14 +33,14 @@ in the container as well as any child containers. For example, if the Helpdesk a children of the Info Tech OU, then any policy assigned to the Info Tech OU also applies to the two child OUs. If this behavior is not desired, then you can assign a different policy to a child OU. -![managing_policies_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/managing_policies_3.webp) +![managing_policies_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/managing_policies_3.webp) **NOTE:** Different assignment types can be used for a single policy. For example, you may assign users to a policy by both OU and group at the same time. As you assign users and groups to the policy, they are displayed on the page. -![Policy assignments](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/usersandgroups2.webp) +![Policy assignments](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/usersandgroups2.webp) To remove a policy assignment: 
@@ -73,4 +73,4 @@ representation of this algorithm. Click **Test Policy** and expand the **View log** to see which policy Password Policy Enforcer enforces for a particular user. -![Expand View log under Test to see which policy is enforced](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testviewlog.webp) +![Expand View log under Test to see which policy is enforced](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/testviewlog.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/windowseventviewer.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/windowseventviewer.md index 6bbc96a354..78218fdcfb 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/windowseventviewer.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/windowseventviewer.md @@ -4,7 +4,7 @@ Follow the steps below to view events logs in Windows Event Viewer. **Step 1 –** Open **Windows Event Viewer**. -![View Event Logs](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/vieweventlogs.webp) +![View Event Logs](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/vieweventlogs.webp) **Step 2 –** Navigate to **Windows Logs** > **Application**. @@ -17,6 +17,6 @@ The General tab shows details for the selected event. The Details tab shows... To view Log Properties, navigate to the Actions menu and select **Properties**. -![Log Properties Window](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/vieweventlogslogproperties.webp) +![Log Properties Window](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/vieweventlogslogproperties.webp) The Log Properties window displays. Settings for this log can be configured from this window. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/conclusion.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/conclusion.md index 3807482163..2884169753 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/conclusion.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/conclusion.md @@ -4,9 +4,9 @@ Congratulations! You have successfully installed, configured, and tested Netwrix Enforcer. This guide is an introduction to Password Policy Enforcer's capabilities. You can enforce almost any password policy imaginable with Password Policy Enforcer, customize the Password Policy Client messages, and even synchronize passwords with other networks and applications. The -[Administration](../administration/administration_overview.md) topic contains more information to +[Administration](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/administration_overview.md) topic contains more information to help you get the most out of Password Policy Enforcer. -The [Password Policy Enforcer Web](../web/web_overview.md) application enables users to securely +The [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md) application enables users to securely manage their passwords from a web browser, ensuring passwords comply with the password policy, and helping users choose compliant passwords. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/configuring_policy_rules.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/configuring_policy_rules.md index 562bb2a3be..64fec8e76f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/configuring_policy_rules.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/configuring_policy_rules.md 
@@ -12,7 +12,7 @@ the policy to enforce these rules: When you create a policy, the policy settings are opened. You can open the settings for a policy at any time by clicking the policy name on the Configuration Console dashboard. -![New policy open for settings](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/newpolicysettings.webp) +![New policy open for settings](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/newpolicysettings.webp) Requirement: Password must contain at least seven characters. @@ -25,7 +25,7 @@ This condition is set with the **Length** rule. **Step 3 –** Select **7** for the **At least...** value. Depending on the template, this might be the default. -![Set the Length](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evallength.webp) +![Set the Length](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evallength.webp) Requirement: Password must contain at least one lowercase alpha character. @@ -41,7 +41,7 @@ This condition is set with the **Characters (Complexity)** rule. **Step 5 –** Select **Upper Alpha (A-Z)** for the next requirement while you are here. -![Set upper and lower case requirements](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalchars.webp) +![Set upper and lower case requirements](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalchars.webp) Password must contain at least one uppercase character. 
@@ -57,7 +57,7 @@ This condition is set with the **Characters (Granular)** rule. **Step 5 –** Select **Lower Alpha (a-z)** **Contain** **1** or more characters. -![set character granularity](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalcharsgran.webp) +![set character granularity](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalcharsgran.webp) Requirement: Password must not be similar to the user's logon name. @@ -69,7 +69,7 @@ This condition is set with the **Similarity** rule. **Step 3 –** Select **User logon name**. -![Set Similarity rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalsimilarity.webp) +![Set Similarity rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalsimilarity.webp) Requirement: Password must not exist in a dictionary of common passwords. @@ -83,6 +83,6 @@ This condition is set with the **Dictionary** rule. **Step 4 –** Navigate to **\Program Files\Password Policy Enforcer** folder and select**Dict.txt**. -![Enable the sample dictionary](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldict.webp) +![Enable the sample dictionary](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldict.webp) When you have added all the rules, click **Save** to save your new policy. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/creating_a_password_policy.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/creating_a_password_policy.md index b2192b3691..9c59063b2c 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/creating_a_password_policy.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/creating_a_password_policy.md 
@@ -11,7 +11,7 @@ Click **Start** > **Netwrix Password Policy Enforcer** > **PPE Configuration** or Double click the **PPE Configuration** desktop shortcut. -![Configuration Console Dashboard](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) +![Configuration Console Dashboard](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/ppedashboard.webp) The Configuration Console dashboard shows **No password policies have been set up** when you are getting started with Password Policy Enforcer. @@ -22,14 +22,14 @@ getting started with Password Policy Enforcer. example. **Step 4 –** Select a Policy template or **None** if you are creating your own. For a list of -policies see [Policy Templates ](policy_templates.md). +policies see [Policy Templates ](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/policy_templates.md). **Step 5 –** Click **Create policy**. Your policy is created. The policy settings are opened, showing the first item on the **Rules** tab. -![New policy open for settings](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/newpolicysettings.webp) +![New policy open for settings](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/newpolicysettings.webp) **Step 6 –** Click the context menu (beside the policy name and select **Make default**. -![Make the policy the default](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldefault.webp) +![Make the policy the default](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldefault.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/enforcing_multiple_policies.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/enforcing_multiple_policies.md index 9544d4ea21..52fdd63cbf 100644 
--- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/enforcing_multiple_policies.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/enforcing_multiple_policies.md @@ -9,7 +9,7 @@ containers (Organizational Units). If you are in the settings for your first policy, click the left arrow beside the policy name to return to the Configuration Console dashboard. -![Return to the dashboard](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldashboard.webp) +![Return to the dashboard](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldashboard.webp) Create an additional password policy. 
@@ -17,20 +17,20 @@ Create an additional password policy. **Step 2 –** Enter **Admins Policy** for the Policy duplication. -![Enter Admins Policy](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalcopypolicy2.webp) +![Enter Admins Policy](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalcopypolicy2.webp) **Step 3 –** Click **Make copy**. **Step 4 –** Open the **Users & Groups** tab. -![Open the Users & Groups tab](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalusergroups.webp) +![Open the Users & Groups tab](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evalusergroups.webp) **Step 5 –** Click the **+** in the **Groups** list and enter **Domain Admins**. Specify a Domain or local **Location** depending on your evaluation set up. **Step 6 –** Click **OK**. Domain Admins are added to the **Groups**. -![Domain Admins added](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldomainadmins.webp) +![Domain Admins added](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldomainadmins.webp) - Members of the Domain Admins group (or the PPETestAdmin user, if not using a domain controller) must now comply with the Administrators policy. All other users must comply with the Users policy. @@ -48,7 +48,7 @@ to nine characters. **Step 3 –** Select **9** from the **At Least** drop-down list. -![Set the length to 9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evallength9.webp) +![Set the length to 9](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evallength9.webp) **Step 4 –** Click **Save**. 
@@ -57,13 +57,13 @@ to nine characters. **Step 6 –** Select the **PPETestAdmin** user. The results pane shows the **Admins Policy** is being applied, and the password must **contain at least 9 characters**. -![Admins policy is being tested](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaladmin.webp) +![Admins policy is being tested](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaladmin.webp) Use the Password Policy Enforcer configuration console, the Windows Change Password screen, the Active Directory Users and Computers console, or the Local Users and Groups console to test password changes and resets for the **PPETestUser** and **PPETestAdmin** accounts. Password Policy Enforcer should enforce the Eval policy for **PPETestUser**, and the Admins policy for **PPETestAdmin**. -**NOTE:** The [Set Priorities](../administration/manage_policies.md#set-priorities) topic contains +**NOTE:** The [Set Priorities](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/manage_policies.md#set-priorities) topic contains more information about policy assignments, and how Password Policy Enforcer resolves policy assignment conflicts that occur when more than one policy is assigned to a user. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md index 49956aa8a1..03c5cbd3e5 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md 
@@ -6,7 +6,7 @@ Password Policy Enforcer helps secure your network by ensuring users set strong user enters a password that does not comply with the password policy, Password Policy Enforcer immediately rejects the password and details why the password was rejected. -![introduction_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) +![introduction_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) Unlike password cracking products that check passwords after they are accepted by the operating system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/improving_the_password_policy.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/improving_the_password_policy.md index ca50875ff3..328fd7c63b 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/improving_the_password_policy.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/improving_the_password_policy.md @@ -17,7 +17,7 @@ Click on your policy name on the Configuration Console dashboard if needed. **Step 1 –** Open the **Dictionary** rule. -![Open the Dictionary rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldict.webp) +![Open the Dictionary rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaldict.webp) **Step 2 –** Select the **Detect character substitution** and **Detect words typed backwards** check boxes. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/installforeval.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/installforeval.md index 1e05346791..d717a6ef33 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/installforeval.md 
+++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/installforeval.md 
@@ -4,16 +4,16 @@ The evaluation installation uses the standard installation packages: - Server Installation: install on each server and domain controller in the domain you are evaluating. You can install manually using the procedure in - [Install Password Policy Enforcer on a Server](../install/installationserver.md) or automatically - with [Install with Group Policy Management](../install/installationgpm.md) procedure. Installing + [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md) or automatically + with [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) procedure. Installing Password Policy Enforcer does not extend the Active Directory schema. Be sure and install the **Configuration Console** feature on at least one server. - Client Installation: install on each workstation you are evaluating. The Password Policy Client is an optional Password Policy Enforcer component to help users choose compliant passwords. Follow - the [Install Password Policy Enforcer Client](../install/installationclient.md) procedure, or - [Install with Group Policy Management](../install/installationgpm.md). + the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md) procedure, or + [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md). You may need to create a firewall port exception on the domain controllers if you are evaluating the Password Policy Client on a domain with client computers. See the -[Password Policy Client](../administration/password_policy_client.md) topic for additional +[Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for additional information. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/preparing_the_computer.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/preparing_the_computer.md index 56eb28db29..da3c2c9b71 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/preparing_the_computer.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/preparing_the_computer.md @@ -42,7 +42,7 @@ policies. **Step 7 –** Close the **Group Policy Management Editor**. -![preparing_the_computer](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer.webp) +![preparing_the_computer](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer.webp) **Step 8 –** Execute the `gpupdate/target:computer` command to refresh the Group Policy. @@ -50,7 +50,7 @@ policies. Create two user accounts for the evaluation, **PPETestUser** and **PPETestAdmin**. -![preparing_the_computer_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer_1.webp) +![preparing_the_computer_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/preparing_the_computer_1.webp) Make **PPETestAdmin** a member of the Domain Admins group if you are evaluating Password Policy Enforcer on a domain controller. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/testing_the_password_policy.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/testing_the_password_policy.md index c28efa3210..64bfa852b3 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/testing_the_password_policy.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/testing_the_password_policy.md 
@@ -14,7 +14,7 @@ option shows you the most information about the policy. **Step 2 –** Select the **PPETestUser** you created. The details pane displays the policy applied to the selected user. -![Enter user name for the test](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaltestuser.webp) +![Enter user name for the test](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaltestuser.webp) **Step 3 –** Enter a password to test. @@ -26,14 +26,14 @@ results pane. **mypassword** fails two requirements. You can hover over the requirements to view the associated rule. -![mypassword fails](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaltestuserfail.webp) +![mypassword fails](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/evaltestuserfail.webp) Click **View log** to expand Password Policy Enforcer's internal event log. The information in the event log can help you to understand why Password Policy Enforcer accepted or rejected a password. **NOTE:** Policy testing simulates a password change, but it may not always reflect what happens when a user changes their password. See the -[Policy Testing vs. Password Changes](../administration/testpolicy.md#policy-testing-vs-password-changes) +[Policy Testing vs. Password Changes](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/testpolicy.md#policy-testing-vs-password-changes) topic for additional information. ## Windows Change Password Screen 
@@ -59,13 +59,13 @@ the Password Policy Client is installed. This helps users to choose a compliant Password Policy Client also changes the message that users see when their password is rejected. Both these messages are customizable. -![introduction_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) +![introduction_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) The Password Policy Client does not modify any Windows system files, and you do not have to install it to enforce a Password Policy Enforcer password policy. Web browser based versions of the Password Policy Enforcer Client are also available. See the -[Administration](../../passwordreset/administration/administration_overview.md) and -[](http://www.anixis.com/products/ppeweb/)[Password Policy Enforcer Web](../web/web_overview.md) +[Administration](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/administration_overview.md) and +[](http://www.anixis.com/products/ppeweb/)[Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md) topics for more information. Password Reset and Password Policy Enforcer/Web are licensed separately. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/gettingstarted.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/gettingstarted.md index 1d29a87a9b..123f1ee57e 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/gettingstarted.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/gettingstarted.md 
@@ -1,38 +1,38 @@ # Getting Started -Review the [Requirements](requirements.md) and the -[Domain and Local Policies](administration/domain_and_local_policies.md) topics. +Review the [Requirements](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/requirements.md) and the +[Domain and Local Policies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md) topics. ## Install Products Password Policy Enforcer (PPE Server) is installed on every domain controller to enforce the password policy for domain user accounts, or on individual servers and workstations to enforce the password policy for local user accounts. See the -[Install Password Policy Enforcer on a Server](install/installationserver.md) or -[Install with Group Policy Management](install/installationgpm.md) topics for additional +[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md) or +[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) topics for additional information. The Configuration Console can be installed on what ever servers are convenient for you to access. It is a selectable feature in the server installation **msi** package. See the -[Install Password Policy Enforcer on a Server](install/installationserver.md) topic for additional +[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md) topic for additional information. The Mailer Service is installed on a single server in each domain. See the -[Install Password Policy Enforcer on a Server](install/installationserver.md) topic for additional +[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md) topic for additional information. 
Password Policy Enforcer client is optional, but recommended. Users receive immediate feedback when setting up their passwords. This saves your users time and frustration when picking compliant -passwords. See the [Install Password Policy Enforcer Client](install/installationclient.md) or -[Install with Group Policy Management](install/installationgpm.md) topics for additional +passwords. See the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md) or +[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) topics for additional information. Password Policy Enforcer Web is a separate product enabling users to change their Windows domain -password from a web browser. See the [Password Policy Enforcer Web](web/web_overview.md) topic for +password from a web browser. See the [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md) topic for additional information. Create the **Compromised Passwords Base** prior to enabling the Compromised Password Check. See the -[HIBP Updater](administration/hibpupdater.md) topic for additional information. +[HIBP Updater](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/hibpupdater.md) topic for additional information. ## Exclude PPE Files from AntiVirus Checks @@ -46,5 +46,5 @@ Clients ## Next Steps -You can work through the [Evaluate Password Policy Enforcer](evaluation/evaluation_overview.md) or -open the [Configuration Console](administration/configconsoleoverview.md). +You can work through the [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/evaluation/evaluation_overview.md) or +open the [Configuration Console](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsoleoverview.md). 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md index cba0604b7a..4470fba33e 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md @@ -1,9 +1,9 @@ # Install Password Policy Enforcer Client This procedure is used to install the client on your current workstation. See the -[Install with Group Policy Management](installationgpm.md) top for details on installing the client +[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) top for details on installing the client across your network. You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). **Step 1 –** Navigate to the folder where you extracted the installers downloaded from Netwrix. 
@@ -11,22 +11,22 @@ across your network. You can also install/uninstall the products using command l **Netwrix_PPE_Client**version**x86.msi** (32 bit OS) installation package. The installer is launched. -![Client Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup1.webp) +![Client Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup1.webp) **Step 3 –** Click **Next**. -![Client Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup2.webp) +![Client Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup2.webp) **Step 4 –** Review the End-User License Agreement. Click **I accept the terms in the License Agreement**. **Step 5 –** Click **Next**. -![Client Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup3.webp) +![Client Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup3.webp) **Step 6 –** Click **Install**. -![Client Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup4.webp) +![Client Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/clientsetup4.webp) **Step 7 –** Click **Finish** when installation is complete. 
@@ -74,15 +74,15 @@ the Domain Controllers OU. **Step 4 –** Click **Domain Profile** in the left pane then double-click **Windows Firewall: Define inbound port exceptions** in the right pane. -![the_password_policy_client_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_3.webp) +![the_password_policy_client_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_3.webp) **Step 5 –** Select the **Enabled** option, and then click **Show...**. -![the_password_policy_client_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_4.webp) +![the_password_policy_client_4](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_4.webp) **Step 6 –** Select the **Enabled** option, and then click **Show...**. -![the_password_policy_client_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_5.webp) +![the_password_policy_client_5](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/the_password_policy_client_5.webp) **Step 7 –** Click **OK** until you return to the Group Policy Management Editor. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationconfigconsole.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationconfigconsole.md index b1447a94e0..44daf6b13c 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationconfigconsole.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationconfigconsole.md 
@@ -13,9 +13,9 @@ The Configuration Console is a feature package included in the server installati - Configuration Console – manages policy configuration. Install where ever needed. - Mailer Service – sends email reminders. Install on any server. -Follow the procedure in [Install Password Policy Enforcer on a Server](installationserver.md), +Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md), selecting the **Configuration Console** feature. You can select the other features if appropriate for the server. You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md index 91d71e8e7c..08c8a1459f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md @@ -5,7 +5,7 @@ installation is recommended when you need to install Password Policy Enforcer on This section shows you how to install Password Policy Enforcer on domain controllers to enforce domain policies, but you can also use Group Policy to target member servers and workstations if you need to enforce local policies. See the -[Domain and Local Policies](../administration/domain_and_local_policies.md) topic for additional +[Domain and Local Policies](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/domain_and_local_policies.md) topic for additional information. ## Create a Distribution Point 
@@ -35,11 +35,11 @@ write access to authorized personnel only. **Step 3 –** Right-click the **Domain Controllers OU** in the left pane, and then click **Create a GPO in this domain, and Link it here...** -![GPM installation](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/gpm1.webp) +![GPM installation](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/gpm1.webp) **Step 4 –** Enter **Password Policy Enforcer** in the provided field, and then press **Enter**. -![GPM Install](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/gpm2.webp) +![GPM Install](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/gpm2.webp) ## Edit the Group Policy Object @@ -58,7 +58,7 @@ For example: \\file server\distribution point share\Netwrix*PPE\_\_version*.msi **Step 5 –** Click **Open**. -![installing_ppe_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/installing_ppe_2.webp) +![installing_ppe_2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/installing_ppe_2.webp) **Step 6 –** Select **Assigned** as the deployment method. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationmailer.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationmailer.md index 8593f9650c..70b972369f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationmailer.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationmailer.md 
@@ -4,7 +4,7 @@ Netwrix Password Policy Enforcer sends email reminders to domain users before th expire. This is especially useful for users who logon infrequently, and for remote users who access the network without logging on to the domain. You must install the Password Policy Enforcer Mailer and configure the email delivery and email message options to send email reminders to users. See the -[Notifications](../administration/configconsole.md#notifications) topic for additional information. +[Notifications](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md#notifications) topic for additional information. Add your email address to a service account, and the Password Policy Enforcer Mailer reminds you to change the service account password before it expires. @@ -19,9 +19,9 @@ The mailer is a feature package included in the server installation **.msi** fil - Configuration Console – manages policy configuration. Install where ever needed. - Mailer Service – sends email reminders. Install on any server. -Follow the procedure in [Install Password Policy Enforcer on a Server](installationserver.md), +Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md), selecting the **Mailer Service** feature. You can select the other features if appropriate for the server. You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md index acf2b964d2..bc58fcf5fa 100644 
--- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md @@ -7,10 +7,10 @@ password policy for local user accounts. If your domain contains some read-only domain controllers, then installation of Password Policy Enforcer on these servers is only necessary if you are using the following features: -- [Rules](../administration/rules.md) -- [Password Policy Client](../administration/password_policy_client.md) +- [Rules](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/rules.md) +- [Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) - [Netwrix Password Reset](https://helpcenter.netwrix.com/category/passwordreset) -- [](../web/web_overview.md)[Password Policy Enforcer Web](../web/web_overview.md) +- [](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md)[Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md) The Server installation package includes multiple features selected during installation: 
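Review bot: The last bullet of this list in installationserver.md still carries an empty-text link in front of the real one: the `+` line begins with `[](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md)` and is immediately followed by `[Password Policy Enforcer Web](...)` with the same target. The empty link renders as nothing but leaves a zero-width anchor in the output. Since the line is being rewritten anyway, drop the `[](...)` half and keep only the labelled link. The same doubled-link pattern is carried through in the upgrading.md hunk, where `[Install Password Policy Enforcer Client](...)` appears twice back to back.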
@@ -23,9 +23,9 @@ The Server installation package includes multiple features selected during insta **Step 2 –** Extract the installers from the compressed file. If you are going to use Group Policy Manager to install Netwrix Password Policy Enforcer, copy the **msi** files to a distribution -folder. See the [Install with Group Policy Management](installationgpm.md) topic for additional +folder. See the [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) topic for additional details. You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). **NOTE:** Continue with these steps to install one or more features on your current server or domain controller. You must repeat these steps for each server where the features are installed. 
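Review bot: Both rewritten links in this installationserver.md hunk now hard-code the version folder, for example `/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md`, where the old `installationgpm.md` and `../administration/command_line_interface.md#silent-installation` were version-independent. When this tree is copied for the next release, every such link will keep pointing at the 11.0 pages unless it is rewritten again. If the build requires the absolute form, state that in the commit message and describe how versioned copies are expected to be updated; otherwise keep links within the same product version relative.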
@@ -33,18 +33,18 @@ controller. You must repeat these steps for each server where the features are i **Step 3 –** Click on the **Netwrix_PPE_Server**version**x64.msi** installation package. The installer is launched. -![Server Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup1.webp) +![Server Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup1.webp) **Step 4 –** Click **Next**. -![Server Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup2.webp) +![Server Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup2.webp) **Step 5 –** Review the End-User License Agreement. Click **I accept the terms in the License Agreement**. **Step 6 –** Click **Next**. -![Server Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup3.webp) +![Server Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup3.webp) **Step 7 –** Select the features to install. The required storage is shown for each selection. @@ -60,12 +60,12 @@ Agreement**. **Step 9 –** Click **Next**. -![Server Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup4.webp) +![Server Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup4.webp) **Step 10 –** Review your selections. Click **Back** to make any changes. When ready, click **Install**. -![Server Setup](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup5.webp) +![Server Setup](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/install/serversetup5.webp) **Step 11 –** Click **Finish** when installation is complete. You are prompted to restart your system for the changes to take effect. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationweb.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationweb.md index 487b0b4113..b4dfabc117 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationweb.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationweb.md @@ -1,7 +1,7 @@ # Install Password Policy Enforcer Web Password Policy Enforcer Web V7.11 is a web server enabling users to change their Windows domain -password from a web browser. Review the [Requirements](../requirements.md) prior to running the +password from a web browser. Review the [Requirements](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/requirements.md) prior to running the installation. Click the following link to download Password Policy Enforcer Web: diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/uninstall.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/uninstall.md index 4bc6f8e951..643e99dd85 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/uninstall.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/uninstall.md @@ -6,7 +6,7 @@ You can uninstall Password Policy Enforcer on every domain server and computer, Management to remove the PPE Server and PPE Client on all machines. You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). **Step 1 –** Open **Start** > **Control Panel** > **Programs and Features** on each system where a PPE component is installed. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/upgrading.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/upgrading.md index cf1ba20bf5..cf8abc1550 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/upgrading.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/upgrading.md 
@@ -5,29 +5,29 @@ Upgrades are supported for versions 9.0 and above. Contact Customer Support at upgrading older versions You can also install/uninstall the products using command line -[Silent Installation](../administration/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/command_line_interface.md#silent-installation). Upgrading the Password Policy Server The Password Policy Enforcer installer detects existing installations and upgrades them to 11. See -the [Install Password Policy Enforcer on a Server](installationserver.md) topic for additional +the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationserver.md) topic for additional information. If you are performing an automated installation with Group Policy, then add the new **.msi** installer files to the same Group Policy Object used to install the older version. See the -[Install with Group Policy Management](installationgpm.md) topic for additional information. +[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationgpm.md) topic for additional information. **NOTE:** Upgrade all your servers and domain controllers. Configuration changes performed with the new version do not affect servers running an older version. If you have multiple versions, you must make configuration changes in both configuration consoles until all domain controllers are upgraded to 11. Failure to do so may lead to inconsistent enforcement of the password policy. -Open the [License](../administration/configconsole.md#license) settings on the Configuration Console +Open the [License](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/configconsole.md#license) settings on the Configuration Console after an upgrade to check your license details. 
Password Policy Enforcer reverts to a 30-day evaluation license if it cannot import the license key. Upgrading the Password Policy Client The Password Policy Client installer detects existing installations and upgrades them to 11. See the -[Install Password Policy Enforcer Client](installationclient.md)[Install Password Policy Enforcer Client](installationclient.md) +[Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md)[Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationclient.md) topic for additional information. If you are distributing the Password Policy Client with Group Policy, then add the new client **.msi** file to the same Group Policy Object used to install the older version. Upgrade and reboot the Password Policy Servers before upgrading the clients. @@ -39,7 +39,7 @@ recommended. Upgrading the Mailer The Password Policy Enforcer installer detects existing installations of the Password Policy -Enforcer Mailer and upgrades them to 11. See the [Install Mailer Service](installationmailer.md) +Enforcer Mailer and upgrades them to 11. See the [Install Mailer Service](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationmailer.md) topic for additional information. Upgrade Notes diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/configuration.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/configuration.md index 7542ef6090..c4df02a9ea 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/configuration.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/configuration.md 
@@ -8,7 +8,7 @@ Enforcer Web Configuration Console. Use the General tab to maintain the list of managed domains, and to configure Password Policy Enforcer integration. See the Password Policy Enforcer topic for additional information. -![configuring_ppe_web](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/configuring_ppe_web.webp) +![configuring_ppe_web](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/configuring_ppe_web.webp) ### Domain List @@ -46,7 +46,7 @@ Password Policy Enforcer is a configurable password filter that enforces granula with many advanced features. Password Policy Enforcer Web can integrate with Password Policy Enforcer to help users choose a compliant password. -![configuring_ppe_web_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/configuring_ppe_web_1.webp) +![configuring_ppe_web_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/configuring_ppe_web_1.webp) Password Policy Enforcer Web displays the Password Policy Enforcer password policy message when a user is prompted for their new password, and the Password Policy Enforcer rejection message if the diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/editing_html_templates.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/editing_html_templates.md index b93e4e1048..1c506492b0 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/editing_html_templates.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/editing_html_templates.md 
@@ -10,7 +10,7 @@ a language code. The files for the US English language are: | Filename | Content | | --------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -| en_default.htm | Static HTML for the Welcome page. See the [Launch Password Policy Enforcer Web](using_web.md) topic for additional information. | +| en_default.htm | Static HTML for the Welcome page. See the [Launch Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/using_web.md) topic for additional information. | | en_ppeweb.htm | Template for the Password Change page. See the [Change Password](using_web.md#change-password) topic for additional information. | | en_finished.htm | Template for the Finished page. | | en_error.htm | Template for the Password Critical Error page. See the [Error Messages](using_web.md#error-messages) topic for additional information. | @@ -58,7 +58,7 @@ Web deletes this range before sending the page to the user's web browser. **CAUTION:** You may rebrand the Password Policy Enforcer Web user interface, but it is a violation of the License Agreement to modify, remove or obscure any copyright notice. See the -[License Agreement](license_agreement.md) topic for additional information. +[License Agreement](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/license_agreement.md) topic for additional information. ## Examples 
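Review bot: In the `@@ -10,7 +10,7 @@` table hunk of web/editing_html_templates.md only the `en_default.htm` row is converted to an absolute link, while the neighbouring rows still use `using_web.md#change-password` and `using_web.md#error-messages`. Either convert all three rows or leave all three relative, so the table does not mix two link styles pointing at the same file. The rewritten row is also much longer than the header separator and the other rows, so the pipe alignment of the table is lost; re-pad the table or run the formatter over it before merging.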
@@ -107,7 +107,7 @@ or they may be displayed on the wrong page. Validation error messages are shown in a yellow box below the page instructions. Validation errors are normally caused by invalid user input. -![using_ppe_web_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_1.webp) +![using_ppe_web_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_1.webp) Validation error messages are defined in en_ppeweb.htm. The error messages are in the resource strings section near the end of the file. See the Resource Strings topic for additional information. @@ -124,7 +124,7 @@ All the critical error messages are defined in `en_error.htm`. The error message resource strings section near the end of the file. See the Resource Strings topic for additional information. -![using_ppe_web_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_2.webp) +![using_ppe_web_2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_2.webp) You may see placeholders like %1 and %2 in some error messages. These are replaced with more information about the error. You should keep these as they provide important information about the @@ -152,7 +152,7 @@ If you want to display some text for all error messages, then insert your text a The finished message is shown after users successfully change their password. This message is defined in en_finished.htm. -![editing_the_html_templates_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/editing_the_html_templates_1.webp) +![editing_the_html_templates_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/editing_the_html_templates_1.webp) `

Finished

` diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/securing_web.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/securing_web.md index ac334f6984..9774d87f71 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/securing_web.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/securing_web.md @@ -21,7 +21,7 @@ server that already has an SSL certificate if you would rather not purchase anot The IIS documentation explains how request, install, and use SSL certificates. See the -[Configure Server Certificates in IIS 7]() +[Configure Server Certificates in IIS 7](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732230(v=ws.10)?redirectedfrom=MSDN) Microsoft knowledge base article for additional information. Ensure that users only access Password Policy Enforcer Web over an encrypted connection after the diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/using_web.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/using_web.md index a027c8fd3c..ba4059c1ac 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/using_web.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/using_web.md @@ -4,7 +4,7 @@ The default URL for Password Policy Enforcer Web is: `http://[server]/ppeweb/` Where [server] is the name or IP address of the server hosting Password Policy Enforcer Web. -![Web Welcome page](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/webwelcome.webp) +![Web Welcome page](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/webwelcome.webp) The default page is called the Welcome page. You can customize the information on this page by editing **en_default.htm**, or you can bypass this page and send users directly to the Password 
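Review bot: The web/securing_web.md hunk is a content change rather than a path rewrite: it fills the previously empty `[Configure Server Certificates in IIS 7]()` with an external URL, and it should be called out separately in the commit message. The URL itself needs cleanup: drop the `?redirectedfrom=MSDN` query string, and percent-encode or otherwise protect the `(v=ws.10)` segment, since parentheses inside a Markdown link destination are not handled consistently by every renderer. The target is also an archived `previous-versions` page for Windows Server 2008, which is worth reconsidering for a topic that tells administrators how to put the password-change site behind SSL; a current certificate-configuration reference would serve readers better.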
@@ -31,11 +31,11 @@ To change a password with Password Policy Enforcer Web: **Step 1 –** Click **Change Password** on the Welcome page. -![using_ppe_web](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web.webp) +![using_ppe_web](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web.webp) **Step 2 –** Enter a **Username** and **Domain**, then click **Next**. -![introduction_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/introduction_4.webp) +![introduction_4](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/introduction_4.webp) **Step 3 –** Enter the **Old Password**, **New Password**, and **Confirm Password**, then click **Next**. 
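Review bot: The two image lines in this web/using_web.md hunk keep file-stem alt text, `![using_ppe_web](...)` and `![introduction_4](...)`, which tells a screen-reader user nothing about the Change Password and Username/Domain screens they illustrate. Other images in this patch already use descriptive text such as `![Web Welcome page](...)`. Since every image line is being touched, replace the stems with a short description of each screenshot, here and in the other hunks that use names like `using_ppe_web_1` or `configuring_npr_4`.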
@@ -50,14 +50,14 @@ Validation errors are shown in a yellow box below the page instructions. Validat normally caused by invalid user input. They can often be overcome by changing the value of one or more input fields and resubmitting the form. -![using_ppe_web_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_1.webp) +![using_ppe_web_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_1.webp) Critical errors are shown on their own page. These errors are mostly a result of configuration or system errors. Users can sometimes overcome a critical error by following the instructions in the error message, but most critical errors are beyond the user's control. -![using_ppe_web_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_2.webp) +![using_ppe_web_2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/using_ppe_web_2.webp) Validation and critical error messages are stored in the HTML templates. You can modify the default -messages by editing the templates. See the [Edit HTML Templates](editing_html_templates.md) topic +messages by editing the templates. See the [Edit HTML Templates](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/editing_html_templates.md) topic for additional information. diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md index 99cbddb6f5..909e9684dc 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/web_overview.md 
@@ -8,7 +8,7 @@ Download Password Policy Enforcer Web: [Password_Policy_Enforcer_WEB_7.11.zip](https://www.netwrix.com/download/commercial/Password_Policy_Enforcer_WEB_7.11.zip) -![introduction_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/introduction_4.webp) +![introduction_4](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/web/introduction_4.webp) Password Policy Enforcer Web communicates directly with the domain controllers, so it works best when both the web server and domain controllers are on the same network. If you need to put the web diff --git a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/what_new.md b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/what_new.md index eb70201779..a27c26cc87 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/what_new.md +++ b/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/web/what_new.md @@ -20,7 +20,7 @@ Other - The Configuration Console prompts for elevation to ensure that user has sufficient permissions to write configuration settings. - Imports PPE Web V6.x configuration settings. See the - [Install Password Policy Enforcer Web](../install/installationweb.md) topic for additional + [Install Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/install/installationweb.md) topic for additional information. **NOTE:** PPE Web V7.11 integrates with Password Policy Enforcer V7.0 or later. Disable Password diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/about_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/about_tab.md index bf64fd5e7c..4e41d53827 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/about_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/about_tab.md 
@@ -3,7 +3,7 @@ Use the **About** tab to check the version and license information, and to install a new license key. -![configuring_npr_10](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_10.webp) +![configuring_npr_10](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_10.webp) To install a new license key, copy the entire license e-mail to the clipboard, and then click Get license from clipboard. diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/administration_overview.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/administration_overview.md index e3fabf6092..74b8a5b166 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/administration_overview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/administration_overview.md 
@@ -23,12 +23,12 @@ Identifying staff over the phone can be difficult, especially in large organizat identifies users by asking them to answer some questions about themselves, and optionally by sending a verification code to their mobile phone. Incorrect answers are logged, and you can configure Password Reset to automatically lock out users who give too many incorrect answers. See the -[Configuring Password Reset](configuring_password_reset.md) topic for additional information. +[Configuring Password Reset](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/configuring_password_reset.md) topic for additional information. ## Higher Availability Password Reset is ready to respond to password management requests at any hour of the day and night. It takes only minutes to install, and can handle thousands of requests every hour. -The [Evaluation](../evaluation/evaluation_overview.md) topic contains step-by-step instructions to +The [Evaluation](/docs/passwordpolicyenforcer/11.0/passwordreset/evaluation/evaluation_overview.md) topic contains step-by-step instructions to help you quickly install, configure, and evaluate Password Reset. diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/configuring_password_reset.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/configuring_password_reset.md index e66a3460df..33d35394a5 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/configuring_password_reset.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/configuring_password_reset.md 
@@ -5,14 +5,14 @@ Configuration Console to edit the configuration settings. Click **Start** > **Ne Reset** > **NPR Configuration Console**on the Password Reset Server computer to open the Configuration Console. -![configuring_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) +![configuring_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) Information about the configuration console tabs can be found in the following topics: -- [General Tab](general_tab.md) -- [Enroll Tab](enroll_tab.md) -- [E-mail Tab](email_tab.md) -- [Verification Tab](verification_tab.md) -- [Security Tab](security_tab.md) -- [Permissions Tab](permissions_tab.md) -- [About Tab](about_tab.md) +- [General Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/general_tab.md) +- [Enroll Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/enroll_tab.md) +- [E-mail Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/email_tab.md) +- [Verification Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md) +- [Security Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/security_tab.md) +- [Permissions Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/permissions_tab.md) +- [About Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/about_tab.md) diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md index 69a6a16ee9..2bd20fadbd 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md 
@@ -126,7 +126,7 @@ text_short classes are used in page instructions to tailor content to the screen Validation error messages are shown in a red box below the page instructions. Validation errors are normally caused by invalid user input. -![using_npr_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) +![using_npr_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) Validation error messages are defined in the relevant template (en_enroll.htm, en_reset.htm, en_unlock.htm, or en_change.htm). The error messages are in the resource strings section near the @@ -147,7 +147,7 @@ information about the error. You should keep these, but you can delete them if y All the critical error messages are defined in en_error.htm. The messages are in the resource strings section near the end of the file. See the Resource Strings topic for more information. -![using_npr_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) +![using_npr_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) You may see placeholders like %1 and %2 in some error messages. These are replaced with more information about the error. You should keep these, but you can delete them if you do not want them. 
@@ -172,7 +172,7 @@ Finished messages are shown after users successfully complete an enroll, reset, These messages are defined in the Resource Strings section near the end of `en_finished.htm`. See the Resource Strings topic for more information. -![using_npr_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) +![using_npr_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) `en_finished.htm` has two resource strings for password changes (RES_FINISHED_CHANGE and RES_FINISHED_CHANGE_INVITE). The first is shown when a user who has enrolled into NPR changes their diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/email_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/email_tab.md index 2de3214f1b..c56d858120 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/email_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/email_tab.md @@ -3,7 +3,7 @@ Use the **E-mail** tab to configure how e-mail is sent to users, when it is sent, and also to edit the e-mail templates. -![configuring_npr_3_709x772](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_3_709x772.webp) +![configuring_npr_3_709x772](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_3_709x772.webp) ### E-mail Delivery 
@@ -25,7 +25,7 @@ sends an e-mail when the event occurs. Enabled triggers are underlined. Click the name of an enabled trigger to edit the trigger's e-mail template. -![configuring_npr_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_4.webp) +![configuring_npr_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_4.webp) Type the name and e-mail address you wish to appear in the e-mail's From field in the **From** text box. The correct format is "Display Name" `` @@ -70,7 +70,7 @@ A warning icon is shown beside the language drop-down list if an e-mail template every language. You should define an e-mail template for every language to ensure that users can understand their e-mail alerts. -![configuring_npr_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_5.webp) +![configuring_npr_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_5.webp) **CAUTION:** An attacker may choose a specific language to avoid detection. E-mail alerts are sent in the Web Interface language chosen by the attacker if the target user has not enrolled or changed diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/enroll_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/enroll_tab.md index 20c6be50dc..8b8ebf1dda 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/enroll_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/enroll_tab.md @@ -2,7 +2,7 @@ Use the **Enroll** tab to maintain the list of enrollment questions and options. -![configuring_npr_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_2.webp) +![configuring_npr_2](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_2.webp) ### Question List 
@@ -35,7 +35,7 @@ Follow the steps below to remove a question from the list. **NOTE:** You can rearrange questions by dragging them. You can also replace question lists with text boxes so users can enter their own questions. See the -[Editing the HTML Templates](editing_the_html_templates.md) document for more information +[Editing the HTML Templates](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md) document for more information ### Options diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filter_editor.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filter_editor.md index f4ad809352..30581772fc 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filter_editor.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filter_editor.md @@ -4,7 +4,7 @@ Use the Filter Editor to create complex filters, filters for hidden columns, or regularly used filters. Press **CTRL** + **F** to open the Filter Editor, or click the **Filter Editor** button in the lower right corner of the Data Console. -![using_the_data_console_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) +![using_the_data_console_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) A filter may contain several conditions. Conditions start with a column name, followed by an operator, and sometimes a value. Column names are shown in green, operators in maroon, and values in 
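Review bot: The rewritten NOTE line in the administration/enroll_tab.md hunk still ends without a full stop: `... document for more information`. Add the period while the line is being changed, and consider "topic" instead of "document" to match the "See the ... topic for additional information" wording used by the other cross-references in this patch.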
@@ -30,4 +30,4 @@ Some columns are hidden in the Data Console. You can use the Filter Editor to cr these columns. For example, the filter in the image below shows all users with an NPR v1 enrollment record. -![using_the_data_console_10](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_10.webp) +![using_the_data_console_10](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_10.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filtering_data.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filtering_data.md index e2682c253f..60e7485f9f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filtering_data.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filtering_data.md @@ -5,14 +5,14 @@ any time. Filters let you focus on the important information. You can create simple filters by typing values directly into the filter row, or by selecting values from Filtering by Column Values. More complex filters are created with the Custom Filters and -[Filter Editor](filter_editor.md) windows. +[Filter Editor](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/filter_editor.md) windows. ### The Filter Row The top row in the **Audit Log** and **Users** tabs is called the Filter Row. You can type filter values directly into this row. -![using_the_data_console_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_3.webp) +![using_the_data_console_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_3.webp) The Filter Row is empty when you first open the Data Console. To create a filter, click the **Filter Row** in the column you wish to filter. A cursor will appear. Type a value, and then press **ENTER** 
@@ -22,7 +22,7 @@ Click the button to shown an editor or selector that helps you enter a value. Va wildcard characters. Use a ? to match any single character, or a \* to match more than one character. -![using_the_data_console_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_4.webp) +![using_the_data_console_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_4.webp) The image above shows a filter on the Date, Source, and Source IP columns. Only password reset events on 2/5/2015 originating from IP addresses starting with 192.168.115 are shown. The small blue 
@@ -35,19 +35,19 @@ or the filter editor windows for a logical OR filter. You can also create a filter by selecting values from a list in the column headers. -![using_the_data_console_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_5.webp) +![using_the_data_console_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_5.webp) Hover the mouse pointer over a column header until a small button appears on the right side of the header. -![using_the_data_console_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_6.webp) +![using_the_data_console_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_6.webp) Click the button to show a list of values in the column. Select one or more values from the list. Rows that do not match one of the selected values are hidden. -![using_the_data_console_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_7.webp) +![using_the_data_console_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_7.webp) The list of values for date and date/time columns also includes date ranges such as **Last 7 days**, **Today**, **Yesterday**, etc. 
@@ -60,7 +60,7 @@ filter. Use custom filters to search for partial matches, find a range of values, or to create more complex filters. Click **(Custom...)** in a column header's value list to create a custom filter. -![using_the_data_console_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_8.webp) +![using_the_data_console_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_8.webp) Custom filters can contain one or two conditions for each column. Select an operator for the first condition from the drop-down list below the column name. Only relevant operators are shown for each 
@@ -87,16 +87,16 @@ The Status Bar appears at the very bottom of the Data Console. It shows the numb records and the total record count. The Filter Bar appears above the Status Bar, and it shows the active filter. The button on the right side of the Filter Bar opens the Filter Editor. -![using_the_data_console_11](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_11.webp) +![using_the_data_console_11](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_11.webp) A button and a check box appear on the left side of the Filter Bar when a filter is active. Click the button to clear the filter. Toggle the check box to disable or enable the filter. -![using_the_data_console_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_12.webp) +![using_the_data_console_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_12.webp) A drop-down button appears to the right of the filter. Click it to select a recently used filter. -![using_the_data_console_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_13.webp) +![using_the_data_console_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_13.webp) ## Exporting Data diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/general_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/general_tab.md index 96b0ef9716..35d7ac9e00 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/general_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/general_tab.md 
@@ -4,7 +4,7 @@ Use the General tab to maintain the list of managed domains, set the database op the Password Policy Enforcer integration. See the Netwrix Password Policy Enforcer topic for additional information. -![configuring_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) +![configuring_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) ### Domain List @@ -62,10 +62,10 @@ files in their new location. **Step 8 –** Start the Password Reset service. **Step 9 –** Update the backup script to copy from the new folder. See the -[Working with the Database](working_with_the_database.md) topic for additional information. +[Working with the Database](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md) topic for additional information. You can also move the database from SQL Server Compact to SQL Server. See the -[Working with the Database](working_with_the_database.md) topic for more information. +[Working with the Database](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md) topic for more information. ### Netwrix Password Policy Enforcer @@ -73,7 +73,7 @@ Password Reset is a configurable password filter that enforces granular password advanced features. Password Reset can integrate with Password Policy Enforcer to help users choose a compliant password. -![configuring_npr_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) +![configuring_npr_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) Password Reset displays the Password Policy Enforcer policy message when users are prompted for their new password, and the Password Policy Enforcer rejection message if the new password does not 
@@ -98,14 +98,14 @@ policy, or no policy enforced if the queried server is not a domain controller i domain. Queries to the Password Policy Server are sent to UDP port 1333 by default. You may need to create firewall rules to open this port. See the -[Password Policy Client](../../passwordpolicyenforcer/administration/password_policy_client.md) +[Password Policy Client](/docs/passwordpolicyenforcer/11.0/passwordpolicyenforcer/administration/password_policy_client.md) topic for more information. **NOTE:** Due to a protocol upgrade, it is now recommended to enable protocol encryption for clients. To do so, please navigate to the PPS Properties in your Netwrix Password Policy Enforcer server configuration, and enable "Only accept encrypted client request". -![using_ppe_with_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_ppe_with_npr.webp) +![using_ppe_with_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_ppe_with_npr.webp) Please do not enable this option if you are using Netwrix Password Reset v3.3 with Netwrix Password Policy Enforcer v8.x or earlier versions, or with Netwrix Password Policy Enforcer/Web. If you are diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/installation.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/installation.md index 669968068b..a13639c85f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/installation.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/installation.md 
@@ -30,12 +30,12 @@ The Password Reset Server is the component that performs requests on behalf of u requests from the Web Interface, checks the user's credentials, and performs the requested task if the credentials are valid. -![installing_npr_624x193](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_624x193.webp) +![installing_npr_624x193](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_624x193.webp) **NOTE:** Microsoft SQL Server Compact is installed with the Password Reset Server. SQL Server Compact is free to use, and should only be removed if you move the database to SQL Server. SQL Server Compact is an embedded database. Unlike SQL Server, you do not need to configure or manage -it. See the [Working with the Database](working_with_the_database.md) topic for additional +it. See the [Working with the Database](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md) topic for additional information. ## Installation Types @@ -85,7 +85,7 @@ account. The account will be created and added to the Domain Admins group if it **NOTE:** You can remove the account from the Domain Admins group later. If using an existing account, make sure it has the required permissions. See the -[Securing Password Reset](securing_password_reset.md) topic for additional information. +[Securing Password Reset](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md) topic for additional information. **Step 8 –** Click **Next**. 
@@ -148,7 +148,7 @@ account. The account will be created and added to the Domain Admins group if it **NOTE:** You can remove the account from the Domain Admins group later. If using an existing account, make sure it has the required permissions. See the -[Securing Password Reset](securing_password_reset.md) topic for additional information. +[Securing Password Reset](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md) topic for additional information. **Step 7 –** Make sure the **Create Windows Firewall Exception for the NPR Server service** check box is selected, and then click **Next** twice. @@ -197,7 +197,7 @@ Reset**, and **3.0** registry keys. **Step 12 –** Set the **ServerIP** registry value to the IP address of the computer that you installed the Password Reset Server onto. -![installing_npr_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_1.webp) +![installing_npr_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_1.webp) The Password Reset Setup wizard only installs one Web Interface on each server, but you can copy the files to another directory and publish several Web Interfaces from one server. This allows you to 
@@ -263,13 +263,13 @@ between versions should be merged into your customized files. The Password Reset V3.30 data console does not read the VerificationCode or EnrollRecord columns from the User table on SQL Server. Access to these columns can be denied for Data Console users after upgrading all instances of the Data Console. See the -[Using the Data Console](using_the_data_console.md) topic for additional information. +[Using the Data Console](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_the_data_console.md) topic for additional information. ## Upgrading From NPR V2.x As this is a major upgrade with many changes, some planning is needed to ensure a smooth upgrade. A trial run on a lab network is recommended, especially if you are customizing the user interface. See -the [Editing the HTML Templates](editing_the_html_templates.md) topic for additional information. +the [Editing the HTML Templates](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/editing_the_html_templates.md) topic for additional information. **CAUTION:** Due to a protocol upgrade, Netwrix Password Reset v3.3 is not compatible with Netwrix Password Policy Enforcer v8.x and earlier versions. If you are using Netwrix Password Reset with any diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md index 7fff56d125..b59b766f83 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md 
@@ -19,7 +19,7 @@ Windows authentication. To identify the service account, open services.msc, doub Password Reset service, and then click the Log On tab. Password Reset logs on to SQL Server with this account. -![working_with_the_database](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database.webp) +![working_with_the_database](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database.webp) **Step 3 –** Create an SQL Server user, and map it to the service account login. @@ -65,7 +65,7 @@ information, and **Trust server certificate** must be selected if SQL Server is certificate. SQL Server uses a self-signed certificate if a trusted certificate is not installed. The SQL Server Native Client must be installed if **Trust server certificate** is selected. -![working_with_the_database_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database_1.webp) +![working_with_the_database_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database_1.webp) **Step 8 –** Click **Next**. diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md index abd150f920..92290404e5 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md 
@@ -4,7 +4,7 @@ The Password Reset Client allows users to securely reset their password or unloc the Windows Logon and Unlock Computer screens. Users click **Reset Password** to access the Password Reset system. -![the_password_reset_client_905x750](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_905x750.webp) +![the_password_reset_client_905x750](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_905x750.webp) **NOTE:** The Password Reset Client does not modify any Windows system files. @@ -61,7 +61,7 @@ this domain, and Link it here...** **Step 4 –** Enter **Password Reset Client**, then press **ENTER**. -![the_password_reset_client_1_895x652](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_1_895x652.webp) +![the_password_reset_client_1_895x652](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_1_895x652.webp) ### Edit the Group Policy Object @@ -122,7 +122,7 @@ installation folder. (`\Program Files\Netwrix Password Reset\` by default). **Step 7 –** Select **NPRClt.adm**, and then click **Open**. -![the_password_reset_client_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_2.webp) +![the_password_reset_client_2](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_2.webp) **Step 8 –** Click **Close**. 
@@ -139,12 +139,12 @@ domain level. Templates**, **Classic Administrative Templates (ADM)**, **Netwrix Password Reset**, and **Password Reset Client** items. -![the_password_reset_client_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_3.webp) +![the_password_reset_client_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_3.webp) **Step 4 –** Double-click the **Browser settings** item in the right pane of the Group Policy Management Editor. -![the_password_reset_client_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_4.webp) +![the_password_reset_client_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_4.webp) **Step 5 –** Select the **Enabled**option. @@ -227,7 +227,7 @@ Editor. **Step 10 –** Click inside the **License key** text box, then paste the license key. -![the_password_reset_client_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_5.webp) +![the_password_reset_client_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_5.webp) **Step 11 –** Click **OK**. diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/permissions_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/permissions_tab.md index 0ade35164e..924502682f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/permissions_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/permissions_tab.md 
@@ -2,7 +2,7 @@ Use the **Permissions** tab to control which users can use Password Reset. -![configuring_npr_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_9.webp) +![configuring_npr_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_9.webp) ### Enroll diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/persuading_users_to_enroll.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/persuading_users_to_enroll.md index 657d3ab2d5..f5b473d489 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/persuading_users_to_enroll.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/persuading_users_to_enroll.md @@ -28,7 +28,7 @@ and **3.0** registry keys. **Step 3 –** Create a new **DWORD** value called **WebAPIState**, and set it to 1. -![persuading_users_to_enroll](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/persuading_users_to_enroll.webp) +![persuading_users_to_enroll](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/persuading_users_to_enroll.webp) ## Querying the API diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md index d6cdc0714d..6dae8ba894 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/securing_password_reset.md 
@@ -10,7 +10,7 @@ Server. The Web Interface and Password Reset Server always communicate over a secure channel. You do not have to configure the encryption for this connection, but you do need to set up SSL (Secure Sockets Layer) encryption for the connection between the web browser (or Password Reset Client) and the web -server. See the [Password Reset Client](password_reset_client.md) topic for more information. +server. See the [Password Reset Client](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md) topic for more information. **CAUTION:** Do not use Password Reset on a production network without SSL encryption. @@ -23,7 +23,7 @@ installation process. You can also learn more about using SSL certificates with below. - [http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis](http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis) -- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx]() +- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx](http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx) **NOTE:** Ensure that users only access Password Reset over an encrypted connection after the SSL certificate is installed. The Start address and Restricted path in the Password Reset Client @@ -64,7 +64,7 @@ dsacls "dc=axs,dc=net" /I:S /G "axs\apr:CA;Reset Password;user" If Password Reset is configured to use an SQL Server Compact database, then give the service account read and write permissions to the database files. See the -[Moving to SQL Server](moving_to_sql_server.md) topic for more information. +[Moving to SQL Server](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md) topic for more information. Remove the service account from the Domain Admins group and restart the Password Reset service after executing these commands. Check the Windows Application event log if the service does not start. 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/security_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/security_tab.md index 6b9a9cfb3d..0c1798652e 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/security_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/security_tab.md @@ -3,7 +3,7 @@ Use the **Security** tab to configure the inactivity timeout, password reset policies, and the lockout threshold. -![configuring_npr_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_8.webp) +![configuring_npr_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_8.webp) ### Inactivity Timeout diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_password_reset.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_password_reset.md index 5fc9f7c0a3..a181bdb717 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_password_reset.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_password_reset.md 
@@ -3,14 +3,14 @@ Netwrix Password Policy Enforcer is a web application. Users can access it from a web browser, or from the Password Reset Client. The default URL for the Web Interface is:` http://[server]/pwreset/` -See the [Password Reset Client](password_reset_client.md) topic for more information. +See the [Password Reset Client](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/password_reset_client.md) topic for more information. You can use URL parameters to open a specific page, and to set the user and domain names. For example: `http://[server]/pwreset/apr.dll? cmd=enroll&username=johnsmith&domain=CORP` Where [server] is the name or IP address of the server hosting the Web Interface. -![using_npr_866x634](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_866x634.webp) +![using_npr_866x634](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_866x634.webp) Users access the Enroll, Reset, Unlock, and Change features from the menu. These features are explained on the following pages. 
@@ -28,13 +28,13 @@ answering some questions about themselves, or they can be enrolled automatically enrollment is enabled. Users only need to enroll once, but they can enroll again if they are locked out of Password Reset, or if they want to change their questions or answers. See the [Verification Codes](verification_tab.md#verification-codes) and -[Verification Tab](verification_tab.md) topics for more information. +[Verification Tab](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md) topics for more information. Follow the steps below to manually enroll into Password Reset. **Step 1 –** Click the **Enroll** item in the menu. -![using_npr_0_765x963](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_0_765x963.webp) +![using_npr_0_765x963](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_0_765x963.webp) **Step 2 –** Type a **Username**, **Domain**, and **Password**. 
@@ -59,25 +59,25 @@ Follow the steps below to reset an account password. **Step 1 –** Click the **Reset** item in the menu. -![using_npr_1_824x469](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_1_824x469.webp) +![using_npr_1_824x469](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_1_824x469.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_2_809x640](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_2_809x640.webp) +![using_npr_2_809x640](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_2_809x640.webp) **Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all questions are answered correctly. -![using_npr_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_3.webp) +![using_npr_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_3.webp) **Step 4 –** You may be asked to enter a verification code. The verification code is sent to your phone by e-mail or SMS. Type the **Code**, and then click **Next**. -![using_npr_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_5.webp) +![using_npr_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_5.webp) **Step 5 –** Type the new **Password** into both text boxes, and then click **Next**. -![using_npr_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_6.webp) +![using_npr_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_6.webp) **Step 6 –** Click **OK** to return to the menu. 
@@ -90,21 +90,21 @@ Follow the steps below to unlock an account. **Step 1 –** Click the **Unlock** item in the menu. -![using_npr_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_7.webp) +![using_npr_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_7.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_4_842x816](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_4_842x816.webp) +![using_npr_4_842x816](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_4_842x816.webp) **Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all questions are answered correctly. -![using_npr_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_8.webp) +![using_npr_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_8.webp) **Step 4 –** You may be asked to enter a verification code. The verification code is sent to your phone by e-mail or SMS. Type the **Code**, and then click **Next**. -![using_npr_9_789x276](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9_789x276.webp) +![using_npr_9_789x276](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9_789x276.webp) **Step 5 –** Click **OK** to return to the menu. 
@@ -120,11 +120,11 @@ Follow the steps below to change an account password. **Step 1 –** Click the **Change** item in the menu. -![using_npr_10_771x440](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_10_771x440.webp) +![using_npr_10_771x440](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_10_771x440.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_11_773x593](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_11_773x593.webp) +![using_npr_11_773x593](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_11_773x593.webp) **Step 3 –** Type the **Old Password**, **New Password**, and **Confirm Password**, and then click **Next**. @@ -141,7 +141,7 @@ Validation errors are shown in a red box below the page instructions. Validation caused by invalid user input. They can often be overcome by changing the value of one or more input fields and resubmitting the form. -![using_npr_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) +![using_npr_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) Critical errors are shown on their own page. These errors are mostly a result of configuration or system errors. An event may be written to the Windows Application event log on the Password Reset 
@@ -149,7 +149,7 @@ Server computer when a critical error occurs. Users can sometimes overcome a cri following the instructions in the error message, but most critical errors are beyond the user's control. -![using_npr_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) +![using_npr_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) Validation and critical error messages are stored in the HTML templates. You can modify the default messages by editing the templates. See the diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_the_data_console.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_the_data_console.md index eb39176992..d6a4803b9f 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_the_data_console.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/using_the_data_console.md 
@@ -7,13 +7,13 @@ The Data Console has three tabs. The **Recent Activity** tab shows a chart of re chart is empty when Password Reset is first installed, but it will populate itself as the system is used. -![using_the_data_console](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console.webp) +![using_the_data_console](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console.webp) The bars in the chart show how many successful enrollments, resets, unlocks, and changes occurred every day. You can click the bars to see a filtered view of the events for that day. For example, you could click the blue bar on 2/19/2015 to see all the password resets for that day. -![using_the_data_console_1_1393x772](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_1_1393x772.webp) +![using_the_data_console_1_1393x772](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_1_1393x772.webp) The resulting view shows only the 15 successful password resets on 2/19/2015. These are shown in the **Audit Log** tab. You can create your own filter to find events in this tab. See the @@ -35,7 +35,7 @@ The **Audit Log** tab has nine columns: The **Users** tab contains Information about each user. All users are shown by default, but you can create filters to find specific users. -![using_the_data_console_2_1317x725](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_2_1317x725.webp) +![using_the_data_console_2_1317x725](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_2_1317x725.webp) The **Users** tab has seven columns: 
diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md index 77c102253b..a244da772c 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/verification_tab.md @@ -5,7 +5,7 @@ are used for two-factor authentication, and to authenticate users that have not verification code is sent to the user's mobile phone by e-mail and/or SMS, and the user enters the verification code to continue. -![configuring_npr_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_6.webp)7 +![configuring_npr_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_6.webp)7 #### Verification Codes @@ -52,7 +52,7 @@ hide parts of the e-mail address and phone number when requesting a verification especially important if automatic enrollment is enabled, as it stops an attacker from discovering information about the user. -![configuring_npr_0](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_0.webp) +![configuring_npr_0](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_0.webp) Verification codes are of a specified length, and may contain both alpha and numeric characters. Select the desired options from the **Create verification codes with...** drop-down lists. Longer, 
@@ -110,4 +110,4 @@ script could read the user's phone number from a database, or send a language-sp the value of the [LANG] macro. Put the path of the scripting engine executable in the **Command** text box, and the path to the script file and other parameters in the **Parameters** text box. -![configuring_npr_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_7.webp) +![configuring_npr_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_7.webp) diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md index 82d175e3fa..5cdf79c71d 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/administration/working_with_the_database.md @@ -17,7 +17,7 @@ using SQL Server include: - Improved availability if SQL Server is configured for high availability. - Increased security. -See solutions to these disadvantages in the [Moving to SQL Server](moving_to_sql_server.md) topic. +See solutions to these disadvantages in the [Moving to SQL Server](/docs/passwordpolicyenforcer/11.0/passwordreset/administration/moving_to_sql_server.md) topic. ## Backing up the Database diff --git a/docs/passwordpolicyenforcer/11.0/passwordreset/evaluation/evaluation_overview.md b/docs/passwordpolicyenforcer/11.0/passwordreset/evaluation/evaluation_overview.md index 86af08353a..e30f548e33 100644 --- a/docs/passwordpolicyenforcer/11.0/passwordreset/evaluation/evaluation_overview.md +++ b/docs/passwordpolicyenforcer/11.0/passwordreset/evaluation/evaluation_overview.md 
@@ -11,7 +11,7 @@ the first time. Please [contact Netwrix support](mailto:support@netwrix.com) if you have any questions, or if you encounter any problems during your evaluation. -![introduction_1_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/evaluation/introduction_1_1.webp) +![introduction_1_1](/img/product_docs/passwordpolicyenforcer/passwordreset/evaluation/introduction_1_1.webp) The Password Reset Administrator's Guide contains additional installation and configuration information. Refer to the Administrator's Guide for more detailed coverage of the topics discussed diff --git a/docs/passwordreset/3.23/password_policy_enforcer/administration/rules.md b/docs/passwordreset/3.23/password_policy_enforcer/administration/rules.md index 886585e6f1..73f206a774 100644 --- a/docs/passwordreset/3.23/password_policy_enforcer/administration/rules.md +++ b/docs/passwordreset/3.23/password_policy_enforcer/administration/rules.md @@ -135,7 +135,7 @@ to change it. Password Policy Client is not installed. Windows clients display the prompt 5 days before passwords expire by default. You can alter this behavior in the Windows Group Policy security settings. See the -[Interactive logon: Prompt user to change password before expiration]() +[Interactive logon: Prompt user to change password before expiration](http://technet.microsoft.com/en-us/library/jj852243(v%3Dws.10).aspx) Microsoft article for additional information. Password Policy Enforcer expires passwords at 1:00 AM every day on the domain controller holding the diff --git a/docs/passwordreset/3.23/password_reset/administration/securing_password_reset.md b/docs/passwordreset/3.23/password_reset/administration/securing_password_reset.md index 7ad0a0c24c..14949cf052 100644 --- a/docs/passwordreset/3.23/password_reset/administration/securing_password_reset.md +++ b/docs/passwordreset/3.23/password_reset/administration/securing_password_reset.md 
@@ -25,7 +25,7 @@ installation process. You can also learn more about using SSL certificates with below. - [http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis](http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis) -- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx]() +- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx](http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx) **NOTE:** Ensure that users only access Password Reset over an encrypted connection after the SSL certificate is installed. The Start address and Restricted path in the Password Reset Client diff --git a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/administration_overview.md b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/administration_overview.md index a0ca9fcfc1..87bdbebe76 100644 --- a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/administration_overview.md +++ b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/administration_overview.md @@ -8,7 +8,7 @@ Netwrix Password Policy Enforcer helps secure your network by ensuring users set When a user enters a password that does not comply with the password policy, Password Policy Enforcer immediately rejects the password and details why the password was rejected. -![introduction_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) +![introduction_2](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) Unlike password cracking products that check passwords after they are accepted by the operating system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do 
@@ -17,7 +17,7 @@ not jeopardize network security. You can also use Password Policy Enforcer to ensure that passwords are compatible with other systems, and to synchronize passwords with other networks and applications. -**NOTE:** The [Evaluate Password Policy Enforcer](../evaluation/evaluation_overview.md) contains +**NOTE:** The [Evaluate Password Policy Enforcer](/docs/passwordreset/3.3/passwordpolicyenforcer/evaluation/evaluation_overview.md) contains step-by-step instructions to help you quickly install, configure, and evaluate Password Policy Enforcer. Consider using the Evaluation Guide if you are using Password Policy Enforcer for the first time, prior to installing and deploying on your domains. diff --git a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/password_policy_client.md b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/password_policy_client.md index 3fe87ff5d4..e1f0f67405 100644 --- a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/password_policy_client.md +++ b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/password_policy_client.md 
@@ -8,13 +8,13 @@ The Password Policy Client helps users to choose a compliant password. Detailed provided if their new password is rejected. The Password Policy Client is optional. If it is not installed, the -[Similarity Rule](similarity_rule.md) can not be enforced. Users only see the default Windows error +[Similarity Rule](/docs/passwordreset/3.3/passwordpolicyenforcer/administration/similarity_rule.md) can not be enforced. Users only see the default Windows error message if their password is rejected, not the detailed help they receive from the Password Policy Client. -![the_password_policy_client](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client.webp) +![the_password_policy_client](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client.webp) -![the_password_policy_client_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_1.webp) +![the_password_policy_client_1](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/the_password_policy_client_1.webp) The Password Policy Client displays the password policy during a password change so that users can see the policy while they choose their password. The Password Policy Client also displays a detailed diff --git a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/similarity_rule.md b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/similarity_rule.md index d03af5392b..411195eceb 100644 --- a/docs/passwordreset/3.3/passwordpolicyenforcer/administration/similarity_rule.md +++ b/docs/passwordreset/3.3/passwordpolicyenforcer/administration/similarity_rule.md 
@@ -8,7 +8,7 @@ The Similarity rule rejects passwords that are similar to a user's current passw similarity may indicate that a user is serializing their passwords. For example, "password1", "password2", "password3". Password serialization allows an attacker to guess the new password. -![Similarity Rule](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/similarity.webp) +![Similarity Rule](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/administration/similarity.webp) Select the **Similarity** check box to enable the Similarity rule. diff --git a/docs/passwordreset/3.3/passwordpolicyenforcer/evaluation/evaluation_overview.md b/docs/passwordreset/3.3/passwordpolicyenforcer/evaluation/evaluation_overview.md index 859ec485dd..6078af24fd 100644 --- a/docs/passwordreset/3.3/passwordpolicyenforcer/evaluation/evaluation_overview.md +++ b/docs/passwordreset/3.3/passwordpolicyenforcer/evaluation/evaluation_overview.md @@ -10,7 +10,7 @@ Password Policy Enforcer helps secure your network by ensuring users set strong user enters a password that does not comply with the password policy, Password Policy Enforcer immediately rejects the password and details why the password was rejected. -![introduction_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) +![introduction_3](/img/product_docs/passwordpolicyenforcer/passwordpolicyenforcer/evaluation/introduction_3.webp) Unlike password cracking products that check passwords after they are accepted by the operating system, Password Policy Enforcer checks new passwords immediately to ensure that weak passwords do diff --git a/docs/passwordreset/3.3/passwordreset/administration/about_tab.md b/docs/passwordreset/3.3/passwordreset/administration/about_tab.md index 0d83e81c61..d36b0d3640 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/about_tab.md 
+++ b/docs/passwordreset/3.3/passwordreset/administration/about_tab.md @@ -7,7 +7,7 @@ About Tab Use the **About** tab to check the version and license information, and to install a new license key. -![configuring_npr_10](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_10.webp) +![configuring_npr_10](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_10.webp) To install a new license key, copy the entire license e-mail to the clipboard, and then click Get license from clipboard. diff --git a/docs/passwordreset/3.3/passwordreset/administration/administration_overview.md b/docs/passwordreset/3.3/passwordreset/administration/administration_overview.md index 73cc892208..660da4b447 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/administration_overview.md +++ b/docs/passwordreset/3.3/passwordreset/administration/administration_overview.md 
@@ -27,12 +27,12 @@ Identifying staff over the phone can be difficult, especially in large organizat identifies users by asking them to answer some questions about themselves, and optionally by sending a verification code to their mobile phone. Incorrect answers are logged, and you can configure Password Reset to automatically lock out users who give too many incorrect answers. See the -[Configuring Password Reset](configuring_password_reset.md) topic for additional information. +[Configuring Password Reset](/docs/passwordreset/3.3/passwordreset/administration/configuring_password_reset.md) topic for additional information. ## Higher Availability Password Reset is ready to respond to password management requests at any hour of the day and night. It takes only minutes to install, and can handle thousands of requests every hour. -The [Evaluation](../evaluation/evaluation_overview.md) topic contains step-by-step instructions to +The [Evaluation](/docs/passwordreset/3.3/passwordreset/evaluation/evaluation_overview.md) topic contains step-by-step instructions to help you quickly install, configure, and evaluate Password Reset. diff --git a/docs/passwordreset/3.3/passwordreset/administration/configuring_password_reset.md b/docs/passwordreset/3.3/passwordreset/administration/configuring_password_reset.md index 58a72c0d95..24e94c3731 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/configuring_password_reset.md +++ b/docs/passwordreset/3.3/passwordreset/administration/configuring_password_reset.md 
@@ -9,14 +9,14 @@ Configuration Console to edit the configuration settings. Click **Start** > **Ne Reset** > **NPR Configuration Console**on the Password Reset Server computer to open the Configuration Console. -![configuring_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) +![configuring_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) Information about the configuration console tabs can be found in the following topics: -- [General Tab](general_tab.md) -- [Enroll Tab](enroll_tab.md) -- [E-mail Tab](email_tab.md) -- [Verification Tab](verification_tab.md) -- [Security Tab](security_tab.md) -- [Permissions Tab](permissions_tab.md) -- [About Tab](about_tab.md) +- [General Tab](/docs/passwordreset/3.3/passwordreset/administration/general_tab.md) +- [Enroll Tab](/docs/passwordreset/3.3/passwordreset/administration/enroll_tab.md) +- [E-mail Tab](/docs/passwordreset/3.3/passwordreset/administration/email_tab.md) +- [Verification Tab](/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md) +- [Security Tab](/docs/passwordreset/3.3/passwordreset/administration/security_tab.md) +- [Permissions Tab](/docs/passwordreset/3.3/passwordreset/administration/permissions_tab.md) +- [About Tab](/docs/passwordreset/3.3/passwordreset/administration/about_tab.md) diff --git a/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md b/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md index c3087602fe..9782264806 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md +++ b/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md 
@@ -130,7 +130,7 @@ text_short classes are used in page instructions to tailor content to the screen Validation error messages are shown in a red box below the page instructions. Validation errors are normally caused by invalid user input. -![using_npr_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) +![using_npr_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) Validation error messages are defined in the relevant template (en_enroll.htm, en_reset.htm, en_unlock.htm, or en_change.htm). The error messages are in the resource strings section near the @@ -151,7 +151,7 @@ information about the error. You should keep these, but you can delete them if y All the critical error messages are defined in en_error.htm. The messages are in the resource strings section near the end of the file. See the Resource Strings topic for more information. -![using_npr_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) +![using_npr_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) You may see placeholders like %1 and %2 in some error messages. These are replaced with more information about the error. You should keep these, but you can delete them if you do not want them. 
@@ -176,7 +176,7 @@ Finished messages are shown after users successfully complete an enroll, reset, These messages are defined in the Resource Strings section near the end of `en_finished.htm`. See the Resource Strings topic for more information. -![using_npr_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) +![using_npr_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) `en_finished.htm` has two resource strings for password changes (RES_FINISHED_CHANGE and RES_FINISHED_CHANGE_INVITE). The first is shown when a user who has enrolled into NPR changes their diff --git a/docs/passwordreset/3.3/passwordreset/administration/email_tab.md b/docs/passwordreset/3.3/passwordreset/administration/email_tab.md index c06a100f8b..7112274314 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/email_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/email_tab.md @@ -7,7 +7,7 @@ E-mail Tab Use the **E-mail** tab to configure how e-mail is sent to users, when it is sent, and also to edit the e-mail templates. -![configuring_npr_3](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/configuring_npr_3.webp) +![configuring_npr_3](/img/product_docs/passwordreset/passwordreset/administration/configuring_npr_3.webp) ### E-mail Delivery @@ -29,7 +29,7 @@ sends an e-mail when the event occurs. Enabled triggers are underlined. Click the name of an enabled trigger to edit the trigger's e-mail template. -![configuring_npr_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_4.webp) +![configuring_npr_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_4.webp) Type the name and e-mail address you wish to appear in the e-mail's From field in the **From** text box. The correct format is "Display Name" `` 
@@ -74,7 +74,7 @@ A warning icon is shown beside the language drop-down list if an e-mail template every language. You should define an e-mail template for every language to ensure that users can understand their e-mail alerts. -![configuring_npr_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_5.webp) +![configuring_npr_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_5.webp) **CAUTION:** An attacker may choose a specific language to avoid detection. E-mail alerts are sent in the Web Interface language chosen by the attacker if the target user has not enrolled or changed diff --git a/docs/passwordreset/3.3/passwordreset/administration/enroll_tab.md b/docs/passwordreset/3.3/passwordreset/administration/enroll_tab.md index cf376f41dc..25063dcc22 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/enroll_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/enroll_tab.md @@ -6,7 +6,7 @@ Enroll Tab Use the **Enroll** tab to maintain the list of enrollment questions and options. -![configuring_npr_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_2.webp) +![configuring_npr_2](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_2.webp) ### Question List @@ -39,7 +39,7 @@ Follow the steps below to remove a question from the list. **NOTE:** You can rearrange questions by dragging them. You can also replace question lists with text boxes so users can enter their own questions. See the -[Editing the HTML Templates](editing_the_html_templates.md) document for more information +[Editing the HTML Templates](/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md) document for more information ### Options 
diff --git a/docs/passwordreset/3.3/passwordreset/administration/filter_editor.md b/docs/passwordreset/3.3/passwordreset/administration/filter_editor.md index 882fd4685d..17b8c02785 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/filter_editor.md +++ b/docs/passwordreset/3.3/passwordreset/administration/filter_editor.md @@ -8,7 +8,7 @@ Use the Filter Editor to create complex filters, filters for hidden columns, or regularly used filters. Press **CTRL** + **F** to open the Filter Editor, or click the **Filter Editor** button in the lower right corner of the Data Console. -![using_the_data_console_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) +![using_the_data_console_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) A filter may contain several conditions. Conditions start with a column name, followed by an operator, and sometimes a value. Column names are shown in green, operators in maroon, and values in @@ -34,4 +34,4 @@ Some columns are hidden in the Data Console. You can use the Filter Editor to cr these columns. For example, the filter in the image below shows all users with an NPR v1 enrollment record. -![using_the_data_console_10](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_10.webp) +![using_the_data_console_10](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_10.webp) diff --git a/docs/passwordreset/3.3/passwordreset/administration/filtering_data.md b/docs/passwordreset/3.3/passwordreset/administration/filtering_data.md index e8ef39aaa0..f755c25d17 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/filtering_data.md +++ b/docs/passwordreset/3.3/passwordreset/administration/filtering_data.md 
@@ -9,14 +9,14 @@ any time. Filters let you focus on the important information. You can create simple filters by typing values directly into the filter row, or by selecting values from Filtering by Column Values. More complex filters are created with the Custom Filters and -[Filter Editor](filter_editor.md) windows. +[Filter Editor](/docs/passwordreset/3.3/passwordreset/administration/filter_editor.md) windows. ### The Filter Row The top row in the **Audit Log** and **Users** tabs is called the Filter Row. You can type filter values directly into this row. -![using_the_data_console_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_3.webp) +![using_the_data_console_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_3.webp) The Filter Row is empty when you first open the Data Console. To create a filter, click the **Filter Row** in the column you wish to filter. A cursor will appear. Type a value, and then press **ENTER** @@ -26,7 +26,7 @@ Click the button to shown an editor or selector that helps you enter a value. Va wildcard characters. Use a ? to match any single character, or a \* to match more than one character. -![using_the_data_console_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_4.webp) +![using_the_data_console_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_4.webp) The image above shows a filter on the Date, Source, and Source IP columns. Only password reset events on 2/5/2015 originating from IP addresses starting with 192.168.115 are shown. The small blue 
@@ -39,19 +39,19 @@ or the filter editor windows for a logical OR filter. You can also create a filter by selecting values from a list in the column headers. -![using_the_data_console_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_5.webp) +![using_the_data_console_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_5.webp) Hover the mouse pointer over a column header until a small button appears on the right side of the header. -![using_the_data_console_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_6.webp) +![using_the_data_console_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_6.webp) Click the button to show a list of values in the column. Select one or more values from the list. Rows that do not match one of the selected values are hidden. -![using_the_data_console_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_7.webp) +![using_the_data_console_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_7.webp) The list of values for date and date/time columns also includes date ranges such as **Last 7 days**, **Today**, **Yesterday**, etc. 
@@ -64,7 +64,7 @@ filter. Use custom filters to search for partial matches, find a range of values, or to create more complex filters. Click **(Custom...)** in a column header's value list to create a custom filter. -![using_the_data_console_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_8.webp) +![using_the_data_console_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_8.webp) Custom filters can contain one or two conditions for each column. Select an operator for the first condition from the drop-down list below the column name. Only relevant operators are shown for each 
@@ -91,16 +91,16 @@ The Status Bar appears at the very bottom of the Data Console. It shows the numb records and the total record count. The Filter Bar appears above the Status Bar, and it shows the active filter. The button on the right side of the Filter Bar opens the Filter Editor. -![using_the_data_console_11](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_11.webp) +![using_the_data_console_11](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_11.webp) A button and a check box appear on the left side of the Filter Bar when a filter is active. Click the button to clear the filter. Toggle the check box to disable or enable the filter. -![using_the_data_console_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_12.webp) +![using_the_data_console_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_12.webp) A drop-down button appears to the right of the filter. Click it to select a recently used filter. -![using_the_data_console_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_13.webp) +![using_the_data_console_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_13.webp) ## Exporting Data diff --git a/docs/passwordreset/3.3/passwordreset/administration/general_tab.md b/docs/passwordreset/3.3/passwordreset/administration/general_tab.md index 87d221720e..a045c30e17 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/general_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/general_tab.md 
@@ -8,7 +8,7 @@ Use the General tab to maintain the list of managed domains, set the database op the Password Policy Enforcer integration. See the Netwrix Password Policy Enforcer topic for additional information. -![configuring_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) +![configuring_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr.webp) ### Domain List @@ -66,10 +66,10 @@ files in their new location. **Step 8 –** Start the Password Reset service. **Step 9 –** Update the backup script to copy from the new folder. See the -[Working with the Database](working_with_the_database.md) topic for additional information. +[Working with the Database](/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md) topic for additional information. You can also move the database from SQL Server Compact to SQL Server. See the -[Working with the Database](working_with_the_database.md) topic for more information. +[Working with the Database](/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md) topic for more information. ### Netwrix Password Policy Enforcer @@ -77,7 +77,7 @@ Password Reset is a configurable password filter that enforces granular password advanced features. Password Reset can integrate with Password Policy Enforcer to help users choose a compliant password. -![configuring_npr_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) +![configuring_npr_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) Password Reset displays the Password Policy Enforcer policy message when users are prompted for their new password, and the Password Policy Enforcer rejection message if the new password does not 
@@ -102,14 +102,14 @@ policy, or no policy enforced if the queried server is not a domain controller i domain. Queries to the Password Policy Server are sent to UDP port 1333 by default. You may need to create firewall rules to open this port. See the -[Password Policy Client](../../passwordpolicyenforcer/administration/password_policy_client.md) +[Password Policy Client](/docs/passwordreset/3.3/passwordpolicyenforcer/administration/password_policy_client.md) topic for more information. **NOTE:** Due to a protocol upgrade, it is now recommended to enable protocol encryption for clients. To do so, please navigate to the PPS Properties in your Netwrix Password Policy Enforcer server configuration, and enable "Only accept encrypted client request". -![using_ppe_with_npr](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_ppe_with_npr.webp) +![using_ppe_with_npr](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_ppe_with_npr.webp) Please do not enable this option if you are using Netwrix Password Reset v3.3 with Netwrix Password Policy Enforcer v8.x or earlier versions, or with Netwrix Password Policy Enforcer/Web. If you are diff --git a/docs/passwordreset/3.3/passwordreset/administration/installation.md b/docs/passwordreset/3.3/passwordreset/administration/installation.md index 33b1cd9b7a..62748e4062 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/installation.md +++ b/docs/passwordreset/3.3/passwordreset/administration/installation.md 
@@ -34,12 +34,12 @@ The Password Reset Server is the component that performs requests on behalf of u requests from the Web Interface, checks the user's credentials, and performs the requested task if the credentials are valid. -![installing_npr](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/installing_npr.webp) +![installing_npr](/img/product_docs/passwordreset/passwordreset/evaluation/installing_npr.webp) **NOTE:** Microsoft SQL Server Compact is installed with the Password Reset Server. SQL Server Compact is free to use, and should only be removed if you move the database to SQL Server. SQL Server Compact is an embedded database. Unlike SQL Server, you do not need to configure or manage -it. See the [Working with the Database](working_with_the_database.md) topic for additional +it. See the [Working with the Database](/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md) topic for additional information. ## Installation Types @@ -89,7 +89,7 @@ account. The account will be created and added to the Domain Admins group if it **NOTE:** You can remove the account from the Domain Admins group later. If using an existing account, make sure it has the required permissions. See the -[Securing Password Reset](securing_password_reset.md) topic for additional information. +[Securing Password Reset](/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md) topic for additional information. **Step 8 –** Click **Next**. 
@@ -152,7 +152,7 @@ account. The account will be created and added to the Domain Admins group if it **NOTE:** You can remove the account from the Domain Admins group later. If using an existing account, make sure it has the required permissions. See the -[Securing Password Reset](securing_password_reset.md) topic for additional information. +[Securing Password Reset](/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md) topic for additional information. **Step 7 –** Make sure the **Create Windows Firewall Exception for the NPR Server service** check box is selected, and then click **Next** twice. @@ -201,7 +201,7 @@ Reset**, and **3.0** registry keys. **Step 12 –** Set the **ServerIP** registry value to the IP address of the computer that you installed the Password Reset Server onto. -![installing_npr_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_1.webp) +![installing_npr_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/installing_npr_1.webp) The Password Reset Setup wizard only installs one Web Interface on each server, but you can copy the files to another directory and publish several Web Interfaces from one server. This allows you to 
@@ -267,13 +267,13 @@ between versions should be merged into your customized files. The Password Reset V3.30 data console does not read the VerificationCode or EnrollRecord columns from the User table on SQL Server. Access to these columns can be denied for Data Console users after upgrading all instances of the Data Console. See the -[Using the Data Console](using_the_data_console.md) topic for additional information. +[Using the Data Console](/docs/passwordreset/3.3/passwordreset/administration/using_the_data_console.md) topic for additional information. ## Upgrading From NPR V2.x As this is a major upgrade with many changes, some planning is needed to ensure a smooth upgrade. A trial run on a lab network is recommended, especially if you are customizing the user interface. See -the [Editing the HTML Templates](editing_the_html_templates.md) topic for additional information. +the [Editing the HTML Templates](/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md) topic for additional information. **CAUTION:** Due to a protocol upgrade, Netwrix Password Reset v3.3 is not compatible with Netwrix Password Policy Enforcer v8.x and earlier versions. If you are using Netwrix Password Reset with any diff --git a/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md b/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md index d32e0b304b..f1b29c1de1 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md +++ b/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md 
@@ -23,7 +23,7 @@ Windows authentication. To identify the service account, open services.msc, doub Password Reset service, and then click the Log On tab. Password Reset logs on to SQL Server with this account. -![working_with_the_database](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database.webp) +![working_with_the_database](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database.webp) **Step 3 –** Create an SQL Server user, and map it to the service account login. @@ -69,7 +69,7 @@ information, and **Trust server certificate** must be selected if SQL Server is certificate. SQL Server uses a self-signed certificate if a trusted certificate is not installed. The SQL Server Native Client must be installed if **Trust server certificate** is selected. -![working_with_the_database_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database_1.webp) +![working_with_the_database_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/working_with_the_database_1.webp) **Step 8 –** Click **Next**. diff --git a/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md b/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md index 6b351fac0d..158fb7f45b 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md +++ b/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md 
@@ -8,7 +8,7 @@ The Password Reset Client allows users to securely reset their password or unloc the Windows Logon and Unlock Computer screens. Users click **Reset Password** to access the Password Reset system. -![the_password_reset_client](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/the_password_reset_client.webp) +![the_password_reset_client](/img/product_docs/passwordreset/passwordreset/administration/the_password_reset_client.webp) **NOTE:** The Password Reset Client does not modify any Windows system files. @@ -65,7 +65,7 @@ this domain, and Link it here...** **Step 4 –** Enter **Password Reset Client**, then press **ENTER**. -![the_password_reset_client_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1.webp) +![the_password_reset_client_1](/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1.webp) ### Edit the Group Policy Object @@ -126,7 +126,7 @@ installation folder. (`\Program Files\Netwrix Password Reset\` by default). **Step 7 –** Select **NPRClt.adm**, and then click **Open**. -![the_password_reset_client_2](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_2.webp) +![the_password_reset_client_2](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_2.webp) **Step 8 –** Click **Close**. 
@@ -143,12 +143,12 @@ domain level. Templates**, **Classic Administrative Templates (ADM)**, **Netwrix Password Reset**, and **Password Reset Client** items. -![the_password_reset_client_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_3.webp) +![the_password_reset_client_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_3.webp) **Step 4 –** Double-click the **Browser settings** item in the right pane of the Group Policy Management Editor. -![the_password_reset_client_4](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_4.webp) +![the_password_reset_client_4](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_4.webp) **Step 5 –** Select the **Enabled**option. @@ -231,7 +231,7 @@ Editor. **Step 10 –** Click inside the **License key** text box, then paste the license key. -![the_password_reset_client_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_5.webp) +![the_password_reset_client_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/the_password_reset_client_5.webp) **Step 11 –** Click **OK**. diff --git a/docs/passwordreset/3.3/passwordreset/administration/permissions_tab.md b/docs/passwordreset/3.3/passwordreset/administration/permissions_tab.md index 939b841d39..5dbac8798e 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/permissions_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/permissions_tab.md 
@@ -6,7 +6,7 @@ Permissions Tab Use the **Permissions** tab to control which users can use Password Reset. -![configuring_npr_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_9.webp) +![configuring_npr_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_9.webp) ### Enroll diff --git a/docs/passwordreset/3.3/passwordreset/administration/persuading_users_to_enroll.md b/docs/passwordreset/3.3/passwordreset/administration/persuading_users_to_enroll.md index 3082ccc748..9a39cf3047 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/persuading_users_to_enroll.md +++ b/docs/passwordreset/3.3/passwordreset/administration/persuading_users_to_enroll.md @@ -32,7 +32,7 @@ and **3.0** registry keys. **Step 3 –** Create a new **DWORD** value called **WebAPIState**, and set it to 1. -![persuading_users_to_enroll](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/persuading_users_to_enroll.webp) +![persuading_users_to_enroll](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/persuading_users_to_enroll.webp) ## Querying the API diff --git a/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md b/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md index 2f6a0a4b14..04ce66da59 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md +++ b/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md 
@@ -14,7 +14,7 @@ Server. The Web Interface and Password Reset Server always communicate over a secure channel. You do not have to configure the encryption for this connection, but you do need to set up SSL (Secure Sockets Layer) encryption for the connection between the web browser (or Password Reset Client) and the web -server. See the [Password Reset Client](password_reset_client.md) topic for more information. +server. See the [Password Reset Client](/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md) topic for more information. **CAUTION:** Do not use Password Reset on a production network without SSL encryption. @@ -27,7 +27,7 @@ installation process. You can also learn more about using SSL certificates with below. - [http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis](http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis) -- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx]() +- [http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx](http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx) **NOTE:** Ensure that users only access Password Reset over an encrypted connection after the SSL certificate is installed. The Start address and Restricted path in the Password Reset Client @@ -68,7 +68,7 @@ dsacls "dc=axs,dc=net" /I:S /G "axs\apr:CA;Reset Password;user" If Password Reset is configured to use an SQL Server Compact database, then give the service account read and write permissions to the database files. See the -[Moving to SQL Server](moving_to_sql_server.md) topic for more information. +[Moving to SQL Server](/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md) topic for more information. Remove the service account from the Domain Admins group and restart the Password Reset service after executing these commands. Check the Windows Application event log if the service does not start. 
diff --git a/docs/passwordreset/3.3/passwordreset/administration/security_tab.md b/docs/passwordreset/3.3/passwordreset/administration/security_tab.md index 5636d6c580..ab895e84e0 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/security_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/security_tab.md @@ -7,7 +7,7 @@ Security Tab Use the **Security** tab to configure the inactivity timeout, password reset policies, and the lockout threshold. -![configuring_npr_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_8.webp) +![configuring_npr_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_8.webp) ### Inactivity Timeout diff --git a/docs/passwordreset/3.3/passwordreset/administration/using_password_reset.md b/docs/passwordreset/3.3/passwordreset/administration/using_password_reset.md index 5366429324..410d926c1e 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/using_password_reset.md +++ b/docs/passwordreset/3.3/passwordreset/administration/using_password_reset.md 
@@ -7,14 +7,14 @@ Using Password Reset Netwrix Password Policy Enforcer is a web application. Users can access it from a web browser, or from the Password Reset Client. The default URL for the Web Interface is:` http://[server]/pwreset/` -See the [Password Reset Client](password_reset_client.md) topic for more information. +See the [Password Reset Client](/docs/passwordreset/3.3/passwordreset/administration/password_reset_client.md) topic for more information. You can use URL parameters to open a specific page, and to set the user and domain names. For example: `http://[server]/pwreset/apr.dll? cmd=enroll&username=johnsmith&domain=CORP` Where [server] is the name or IP address of the server hosting the Web Interface. -![using_npr](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) +![using_npr](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) Users access the Enroll, Reset, Unlock, and Change features from the menu. These features are explained on the following pages. @@ -32,13 +32,13 @@ answering some questions about themselves, or they can be enrolled automatically enrollment is enabled. Users only need to enroll once, but they can enroll again if they are locked out of Password Reset, or if they want to change their questions or answers. See the [Verification Codes](verification_tab.md#verification-codes) and -[Verification Tab](verification_tab.md) topics for more information. +[Verification Tab](/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md) topics for more information. Follow the steps below to manually enroll into Password Reset. **Step 1 –** Click the **Enroll** item in the menu. -![using_npr_0](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1_1.webp) +![using_npr_0](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1_1.webp) **Step 2 –** Type a **Username**, **Domain**, and **Password**. 
@@ -63,25 +63,25 @@ Follow the steps below to reset an account password. **Step 1 –** Click the **Reset** item in the menu. -![using_npr_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) +![using_npr_1](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_2](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_npr_2.webp) +![using_npr_2](/img/product_docs/passwordreset/passwordreset/administration/using_npr_2.webp) **Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all questions are answered correctly. -![using_npr_3](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_3.webp) +![using_npr_3](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_3.webp) **Step 4 –** You may be asked to enter a verification code. The verification code is sent to your phone by e-mail or SMS. Type the **Code**, and then click **Next**. -![using_npr_5](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_5.webp) +![using_npr_5](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_5.webp) **Step 5 –** Type the new **Password** into both text boxes, and then click **Next**. -![using_npr_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_6.webp) +![using_npr_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_6.webp) **Step 6 –** Click **OK** to return to the menu. 
@@ -94,21 +94,21 @@ Follow the steps below to unlock an account. **Step 1 –** Click the **Unlock** item in the menu. -![using_npr_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_7.webp) +![using_npr_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_7.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_4](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_npr_4.webp) +![using_npr_4](/img/product_docs/passwordreset/passwordreset/administration/using_npr_4.webp) **Step 3 –** Type the **Answer** to the first question, and then click **Next**. Repeat until all questions are answered correctly. -![using_npr_8](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_8.webp) +![using_npr_8](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_8.webp) **Step 4 –** You may be asked to enter a verification code. The verification code is sent to your phone by e-mail or SMS. Type the **Code**, and then click **Next**. -![using_npr_9](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) +![using_npr_9](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_9.webp) **Step 5 –** Click **OK** to return to the menu. 
@@ -124,11 +124,11 @@ Follow the steps below to change an account password. **Step 1 –** Click the **Change** item in the menu. -![using_npr_10](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_npr_10.webp) +![using_npr_10](/img/product_docs/passwordreset/passwordreset/administration/using_npr_10.webp) **Step 2 –** Type a **Username** and **Domain**, and then click **Next**. -![using_npr_11](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_npr_11.webp) +![using_npr_11](/img/product_docs/passwordreset/passwordreset/administration/using_npr_11.webp) **Step 3 –** Type the **Old Password**, **New Password**, and **Confirm Password**, and then click **Next**. @@ -145,7 +145,7 @@ Validation errors are shown in a red box below the page instructions. Validation caused by invalid user input. They can often be overcome by changing the value of one or more input fields and resubmitting the form. -![using_npr_12](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) +![using_npr_12](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_12.webp) Critical errors are shown on their own page. These errors are mostly a result of configuration or system errors. An event may be written to the Windows Application event log on the Password Reset @@ -153,7 +153,7 @@ Server computer when a critical error occurs. Users can sometimes overcome a cri following the instructions in the error message, but most critical errors are beyond the user's control. -![using_npr_13](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) +![using_npr_13](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_npr_13.webp) Validation and critical error messages are stored in the HTML templates. You can modify the default messages by editing the templates. See the 
diff --git a/docs/passwordreset/3.3/passwordreset/administration/using_the_data_console.md b/docs/passwordreset/3.3/passwordreset/administration/using_the_data_console.md index eaf9ab9d6e..4266450971 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/using_the_data_console.md +++ b/docs/passwordreset/3.3/passwordreset/administration/using_the_data_console.md @@ -11,13 +11,13 @@ The Data Console has three tabs. The **Recent Activity** tab shows a chart of re chart is empty when Password Reset is first installed, but it will populate itself as the system is used. -![using_the_data_console](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console.webp) +![using_the_data_console](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console.webp) The bars in the chart show how many successful enrollments, resets, unlocks, and changes occurred every day. You can click the bars to see a filtered view of the events for that day. For example, you could click the blue bar on 2/19/2015 to see all the password resets for that day. -![using_the_data_console_1](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_the_data_console_1.webp) +![using_the_data_console_1](/img/product_docs/passwordreset/passwordreset/administration/using_the_data_console_1.webp) The resulting view shows only the 15 successful password resets on 2/19/2015. These are shown in the **Audit Log** tab. You can create your own filter to find events in this tab. See the 
@@ -39,7 +39,7 @@ The **Audit Log** tab has nine columns: The **Users** tab contains Information about each user. All users are shown by default, but you can create filters to find specific users. -![using_the_data_console_2](../../../../../static/img/product_docs/passwordreset/passwordreset/administration/using_the_data_console_2.webp) +![using_the_data_console_2](/img/product_docs/passwordreset/passwordreset/administration/using_the_data_console_2.webp) The **Users** tab has seven columns: diff --git a/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md b/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md index f6d432f402..fa58de1fa2 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md +++ b/docs/passwordreset/3.3/passwordreset/administration/verification_tab.md @@ -9,7 +9,7 @@ are used for two-factor authentication, and to authenticate users that have not verification code is sent to the user's mobile phone by e-mail and/or SMS, and the user enters the verification code to continue. -![configuring_npr_6](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_6.webp)7 +![configuring_npr_6](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_6.webp)7 #### Verification Codes 
@@ -56,7 +56,7 @@ hide parts of the e-mail address and phone number when requesting a verification especially important if automatic enrollment is enabled, as it stops an attacker from discovering information about the user. -![configuring_npr_0](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_0.webp) +![configuring_npr_0](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_0.webp) Verification codes are of a specified length, and may contain both alpha and numeric characters. Select the desired options from the **Create verification codes with...** drop-down lists. Longer, @@ -114,4 +114,4 @@ script could read the user's phone number from a database, or send a language-sp the value of the [LANG] macro. Put the path of the scripting engine executable in the **Command** text box, and the path to the script file and other parameters in the **Parameters** text box. -![configuring_npr_7](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_7.webp) +![configuring_npr_7](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_7.webp) diff --git a/docs/passwordreset/3.3/passwordreset/administration/what_new.md b/docs/passwordreset/3.3/passwordreset/administration/what_new.md index 4cb17531e1..9556e8785f 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/what_new.md +++ b/docs/passwordreset/3.3/passwordreset/administration/what_new.md 
@@ -20,7 +20,7 @@ version, and only then upgrade Netwrix Password Reset to v3.3 (or later). Older versions of Netwrix Password Policy Enforcer can still enforce the policy, but Netwrix Password Reset 3.3 will not get the policy and rejection messages or enforce the Similarity rule -from Netwrix Password Policy Enforcer versions older than 9.0. See the [General Tab](general_tab.md) +from Netwrix Password Policy Enforcer versions older than 9.0. See the [General Tab](/docs/passwordreset/3.3/passwordreset/administration/general_tab.md) topic for more information. • **Option to enable PPC protocol encryption** — Due to a protocol upgrade, it is now recommended to @@ -31,7 +31,7 @@ Please do not enable this option if you are using Netwrix Password Reset v3.3 wi Policy Enforcer v8.x or earlier versions, or with Netwrix Password Policy Enforcer/Web. If you are using Netwrix Password Reset v3.3 with any of those older versions of Netwrix Password Policy Enforcer, please consider upgrading first to a current and supported version. See the -[General Tab](general_tab.md) topic for more information. +[General Tab](/docs/passwordreset/3.3/passwordreset/administration/general_tab.md) topic for more information. • **Enabled ‘ServerMayChangeIPAddress’ for PPC queries** — This ensures that Netwrix Password Reset always displays the policy or rejection message if it queried a domain controller with more than one diff --git a/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md b/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md index 165d3f20ae..090f192fa3 100644 --- a/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md +++ b/docs/passwordreset/3.3/passwordreset/administration/working_with_the_database.md 
@@ -21,7 +21,7 @@ using SQL Server include: - Improved availability if SQL Server is configured for high availability. - Increased security. -See solutions to these disadvantages in the [Moving to SQL Server](moving_to_sql_server.md) topic. +See solutions to these disadvantages in the [Moving to SQL Server](/docs/passwordreset/3.3/passwordreset/administration/moving_to_sql_server.md) topic. ## Backing up the Database diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/configuring_password_reset.md b/docs/passwordreset/3.3/passwordreset/evaluation/configuring_password_reset.md index 60dcd53670..11b999aa64 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/configuring_password_reset.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/configuring_password_reset.md @@ -8,7 +8,7 @@ In the previous section, you used Password Reset with a default configuration. Y Configuration Console to edit the configuration settings. Click Start > Netwrix Password Reset > NPR Configuration Console to open the console. -![configuring_npr_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) +![configuring_npr_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/configuring_npr_1.webp) The Configuration Console has a tabbed layout. Click the tabs along the top to see the various settings. Most of the settings are self-explanatory. Press **F1** on any of the tabs to see the help diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/data_console.md b/docs/passwordreset/3.3/passwordreset/evaluation/data_console.md index 35757913c9..36889cf755 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/data_console.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/data_console.md 
@@ -10,7 +10,7 @@ Password Reset** > **NPRData Console** to open the console. The Data Console has three tabs. The Recent Activity tab shows a chart of recent requests. The chart is empty when Password Reset is first installed, but it will populate itself as the system is used. -![the_data_console](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/the_data_console.webp) +![the_data_console](/img/product_docs/passwordreset/passwordreset/evaluation/the_data_console.webp) The bars in the chart show how many successful enrollments, resets, unlocks, and changes occurred every day. You can click the bars to see a filtered view of the events for that day. @@ -18,7 +18,7 @@ every day. You can click the bars to see a filtered view of the events for that The Audit Log tab contains all the events recorded by Password Reset. You can create filters to show only some of the events. Filters are very flexible and easy to create. -![the_data_console_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) +![the_data_console_1](/img/product_docs/passwordpolicyenforcer/passwordreset/administration/using_the_data_console_9.webp) The Users tab contains information about each user. You can export the data in the Audit Log and Users tabs from the File menu. diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/evaluation_overview.md b/docs/passwordreset/3.3/passwordreset/evaluation/evaluation_overview.md index 687bd82b95..1fe485f51a 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/evaluation_overview.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/evaluation_overview.md 
@@ -15,7 +15,7 @@ the first time. Please [contact Netwrix support](mailto:support@netwrix.com) if you have any questions, or if you encounter any problems during your evaluation. -![introduction_1_1](../../../../../static/img/product_docs/passwordpolicyenforcer/passwordreset/evaluation/introduction_1_1.webp) +![introduction_1_1](/img/product_docs/passwordpolicyenforcer/passwordreset/evaluation/introduction_1_1.webp) The Password Reset Administrator's Guide contains additional installation and configuration information. Refer to the Administrator's Guide for more detailed coverage of the topics discussed diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/installation.md b/docs/passwordreset/3.3/passwordreset/evaluation/installation.md index 4cddedb955..0f8fa34e25 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/installation.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/installation.md @@ -5,7 +5,7 @@ Installation # Installation Password Reset has two server components, and an optional client. See the -[Password Reset Client](password_reset_client.md) topic for additional information. Both server +[Password Reset Client](/docs/passwordreset/3.3/passwordreset/evaluation/password_reset_client.md) topic for additional information. Both server components can be installed on one server, or they may be installed on separate servers if your web server is in a DMZ. As the evaluation server is not in a DMZ, we will install both components on one server. 
@@ -15,7 +15,7 @@ them, and sends them to the Password Reset Server. The Password Reset Server is performs requests on behalf of users. It receives requests from the Web Interface, checks the user's credentials, and performs the requested task if the credentials are valid. -![installing_npr](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/installing_npr.webp) +![installing_npr](/img/product_docs/passwordreset/passwordreset/evaluation/installing_npr.webp) You only need one Windows 2008 to 2019 server for the evaluation. The server can be a domain controller or a member server. @@ -41,5 +41,5 @@ Click **Next** if you accept all terms. **NOTE:** The Setup wizard creates the aprsvc account and adds it to the Domain Admins group. You can remove the account from the Domain Admins group and grant the required permissions later. See -the [Securing Password Reset](../administration/securing_password_reset.md) topic of the Password +the [Securing Password Reset](/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md) topic of the Password Reset Administrator's Guide for additional information. diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/password_reset_client.md b/docs/passwordreset/3.3/passwordreset/evaluation/password_reset_client.md index 5332c0ed56..5d309133cb 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/password_reset_client.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/password_reset_client.md 
@@ -8,7 +8,7 @@ The Password Reset Client allows users to securely reset their password or unloc the Windows Logon and Unlock Computer screens. Users click **Reset Password** to access the Password Reset system. -![the_password_reset_client_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1.webp) +![the_password_reset_client_1](/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1.webp) The Password Reset Client does not modify any Windows system files. @@ -52,7 +52,7 @@ registry for the evaluation. **Step 3 –** Right-click **PRC_Config.reg**, then click **Edit**. -![the_password_reset_client_1_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1_1.webp) +![the_password_reset_client_1_1](/img/product_docs/passwordreset/passwordreset/evaluation/the_password_reset_client_1_1.webp) **Step 4 –** Replace **127.0.0.1** in the .reg file with the IP address or hostname of your evaluation server. diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/using.md b/docs/passwordreset/3.3/passwordreset/evaluation/using.md index 332a41797a..79d0536715 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/using.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/using.md 
@@ -8,14 +8,14 @@ Password Policy Enforcer is a configurable password filter that enforces granula with many advanced features. Password Policy Enforcer helps to secure your network by ensuring that users choose strong passwords. -![using_npr_with_password_policy](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_with_password_policy.webp) +![using_npr_with_password_policy](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_with_password_policy.webp) Password Reset can integrate with Password Policy Enforcer to help users choose a compliant password. Password Reset displays the Password Policy Enforcer password policy message when a user is prompted for their new password, and the Password Policy Enforcer rejection message if the new password does not comply with the password policy. -![using_npr_with_password_policy_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_with_password_policy_1.webp) +![using_npr_with_password_policy_1](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_with_password_policy_1.webp) Select the **Password Policy Enforcer integration** check box in the General tab of the Password Reset Configuration Console if you have installed and configured Password Policy Enforcer. The @@ -23,5 +23,5 @@ Password Policy Enforcer Evaluator's Guide will help you to install and configur Enforcer if you are not currently using it. An Password Reset license does not include a Password Policy Enforcer license. See -[Administration](../../passwordpolicyenforcer/administration/administration_overview.md) in Password +[Administration](/docs/passwordreset/3.3/passwordpolicyenforcer/administration/administration_overview.md) in Password Policy Enforcer topic for additional information. 
diff --git a/docs/passwordreset/3.3/passwordreset/evaluation/using_password_reset.md b/docs/passwordreset/3.3/passwordreset/evaluation/using_password_reset.md index d739548249..8cf5928e2c 100644 --- a/docs/passwordreset/3.3/passwordreset/evaluation/using_password_reset.md +++ b/docs/passwordreset/3.3/passwordreset/evaluation/using_password_reset.md @@ -9,11 +9,11 @@ Password Reset is a web application. Open a web browser on the server and go to access Password Reset from another computer by replacing 127.0.0.1 in the URL with the IP address or hostname of the evaluation server. -![using_npr_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) +![using_npr_1](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1.webp) You should install an SSL certificate on the web server when using Password Reset on a production network with real passwords. See the -[Securing Password Reset](../administration/securing_password_reset.md) topic for additional +[Securing Password Reset](/docs/passwordreset/3.3/passwordreset/administration/securing_password_reset.md) topic for additional information. ## Enrolling into Password Reset @@ -26,7 +26,7 @@ Follow the steps below to manually enroll into Password Reset. **Step 1 –** Click the **Enroll** item in the menu. -![using_npr_1_1](../../../../../static/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1_1.webp) +![using_npr_1_1](/img/product_docs/passwordreset/passwordreset/evaluation/using_npr_1_1.webp) **Step 2 –** Enter a **Username**, **Domain**, and **Password** in the respective fields. 
@@ -84,5 +84,5 @@ respective field. Click **Next**. Password Reset's user interface is built with customizable templates. You can easily modify the user interface by editing the templates. Even the error messages are defined in the templates, so you can edit those too. See the -[Editing the HTML Templates](../administration/editing_the_html_templates.md) topic of the +[Editing the HTML Templates](/docs/passwordreset/3.3/passwordreset/administration/editing_the_html_templates.md) topic of the Administrator's Guide for additional information. diff --git a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md index 8e9ae82702..a72c93231d 100644 --- a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md +++ b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md @@ -33,10 +33,10 @@ adding a **Network Scan**! - The service: “Windows Management Instrumentation” must have been started on the computer to be scanned (carried out by Windows as standard). - Help section for starting the service: - [Microsoft Website]() + [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa826517(v=vs.85).aspx) - The firewall must not block WMI requests (not blocked as standard). - Help section for configuring the firewall: - [Microsoft Website]() + [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa822854(v=vs.85).aspx) NOTE: Only **IPv4 addresses** can currently be scanned. 
diff --git a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md index eaf298cee4..6f877d662a 100644 --- a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md +++ b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md @@ -49,7 +49,7 @@ NOTE: You need an account with administrative permissions - Write down your "Tenant ID" shown in the Azure console or by using PowerShell: -[Copy]() +[Copy](javascript:void(0);) ``` Connect-AzureAD @@ -79,7 +79,7 @@ have booked the Azure package Entra ID Premium P1! NOTE: Your Netwrix Password Secure user need the following permissions: -[Copy]() +[Copy](javascript:void(0);) ``` - Display organisational structure module diff --git a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md index b37a8736af..f9d8c61d48 100644 --- a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md +++ b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md @@ -22,7 +22,7 @@ The PowerShell scripts must have the following structure: Netwrix Password Secure always calls the RunScript function. -[Copy]() +[Copy](javascript:void(0);) ``` function RunScript 
@@ -53,7 +53,7 @@ It is important in this case that you provide Netwrix Password Secure with feedb been changed via a **Write-Output**. The following example simply uses the outputs **true** or **false**. However, it is also conceivable that an error message or similar is output. -[Copy]() +[Copy](javascript:void(0);) ```     $scriptBlock = {param ($UserName, $Password) diff --git a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md index b5fe6a43fb..114ba28705 100644 --- a/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md +++ b/docs/passwordsecure/9.1/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md @@ -58,7 +58,7 @@ significantly. NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` Permissions are always granted to only one user or role! @@ -75,7 +75,7 @@ been authorized for the role. NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` A small technical digression into the nature of the encryption can be very helpful with the basic understanding. Each role has a key pair. The first key is used to encrypt data. Access to this information is only possible with the second key. The membership in a role is equivalent to this second key. @@ -105,7 +105,7 @@ However, it cannot see any data that is assigned to sales. It lacks membership i NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` As a member of a role, it must have at least the “read” right for the role! diff --git a/docs/passwordsecure/9.1/passwordsecure/installation/installation_client/installation_client.md b/docs/passwordsecure/9.1/passwordsecure/installation/installation_client/installation_client.md index 4cbff9d9bd..de9dc1ecc5 100644 
--- a/docs/passwordsecure/9.1/passwordsecure/installation/installation_client/installation_client.md +++ b/docs/passwordsecure/9.1/passwordsecure/installation/installation_client/installation_client.md @@ -58,7 +58,7 @@ There is also an option to distribute database profiles. The profiles are specif corresponding registry entry. The next time Netwrix Password Secure is started, the profiles will be saved in the local configuration file. The database connection can be made with the following keys: -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles @@ -76,7 +76,7 @@ These keys are structured like this: Is the profile set with the following entries? -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles @@ -86,7 +86,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfil Then the last used date base as well as the last registered user are created with the following ID, when you log in for the first time: -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md index 7a407738b2..33ee2b61a3 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md 
@@ -9,28 +9,28 @@ available, such as Remote Desktop (**RDP**), Secure Shell (**SSH**), general app and web applications. The Single Sign On Engine offers countless configuration options to enable automatic logon to almost any kind of software. -![applications module](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_1-en.webp) +![applications module](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_1-en.webp) - Automatic logins to websites are covered by the - [Autofill Add-on](../../../autofill_add-on/autofill_add-on.md). + [Autofill Add-on](/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md). ## The four types of applications Netwrix Password Secure varies between four different types of applications: RDP, SSH, SSO and web applications. -![new application](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_2-en.webp) +![new application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_2-en.webp) In terms of how they are handled, **RDP and SSH** applications can be covered together. Both types of application can be (optionally) "embedded" in Netwrix Password Secure. The relevant session then -opens in its own tab in the [Reading pane](../../operation_and_setup/readingpane/reading_pane.md). +opens in its own tab in the [Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md). All other forms of automatic logins are summarized in the **SSO applications** and **web applications** categories. How exactly these logins are created and used is covered in the next section and in the web applications chapter. 
They include all forms of Windows login masks and also applications for websites. In contrast to RDP and SSH applications, they cannot be started embedded in Netwrix Password Secure but are instead opened as usual in their own window. These SSO applications need to be defined in advance. In Netwrix Password Secure, this is also described as -[Learning the applications](learning_the_applications/learning_the_applications.md). In contrast, +[Learning the applications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications.md). In contrast, RDP and SSH can be both completely defined and also started within Netwrix Password Secure. ## RDP and SSH @@ -39,7 +39,7 @@ A new RDP/SSH application can be created via the ribbon or also the context menu using the right mouse button. A corresponding form opens in each case where the variables for a connection can be defined. -![new application](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_3-en.webp) +![new application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_3-en.webp) These variables also correspond precisely to those (using the example of RDP here) that can be configured when creating an RDP connection via “mstsc”. Whether the connections should be started in 
@@ -50,7 +50,7 @@ a tab, full screen mode or in a window can be defined in the field **"window mod If you have created e.g. an RDP connection, this can now also be directly started via the ribbon. The connection to the desired session can be established via the icon **Establish RDP connection**. -![estabish RDP](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_4-en.webp) +![estabish RDP](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_4-en.webp) Netwrix Password Secure now attempts to log in to the target system with the information available. Data that are not saved in the form will be directly requested when opening the session. It is thus @@ -58,7 +58,7 @@ also possible to only enter the IP address and/or the password after starting th Secure application. If all data has been retrieved, the RDP session will open in a tab – if so defined (Window mode field in the application): -![RDP session](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_5-en.webp) +![RDP session](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_5-en.webp) ## Logging in via SSH certificates 
@@ -76,18 +76,18 @@ the record now also supplies the user name and password, all of the information login is available. Applications and records are linked via the "Start" tab in the ribbon. If this link to a record is established, a 1-click login to the target system is possible. -![linking RDP](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_6-en.webp) +![linking RDP](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_6-en.webp) The following example illustrates this process using an RDP connection: -![RDP Connection](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_7-en.webp) +![RDP Connection](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_7-en.webp) A record can also be linked to multiple target systems in this manner. The user name and record are supplied by the record, while all other information necessary for the login is supplied by the different applications. In the following example, a record (user name and password) is linked to multiple access points. -![multiple access points](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_8-en.webp) +![multiple access points](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_8-en.webp) This is generally a very common scenario. Nevertheless, it should be noted that accessing multiple servers with one single password is questionable from a security standpoint. It is generally 
@@ -101,4 +101,4 @@ manually. Alternatively, it is possible to connect several records with one RDP connection. In this way, you can combine different users with an RDP connection and register them straightforward. -![connect RDP sessions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_9-en.webp) +![connect RDP sessions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_9-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md index 6d8ff14537..3f695c1e8e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md 
@@ -20,12 +20,12 @@ In order to create **SAML applications**, SAML must **first** be activated. This is implemented in the settings of the database in the Server Manager: -![activate SAML](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_1-en.webp) +![activate SAML](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_1-en.webp) As soon as the check box is ticked, the next step is to enter the URL of the Web Application. The SAML configuration screen should then look like this: -![SAML configuration ](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_2-ewn.webp) +![SAML configuration ](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_2-ewn.webp) The screen is left open and the configuration is continued at the Advanced view. To do this, log on to the client as usual and switch to the **Applications** module. Select a **new SAML application** 
@@ -34,7 +34,7 @@ and fill it with the relevant data from the service provider. NOTE: The data of the service provider, which are entered in the Advanced view, can be found at the respective provider. This differs from provider to provider. -![new SAML application](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_3-en.webp) +![new SAML application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_3-en.webp) In addition, the data must be stored in the **Server Manager** at the service provider. @@ -42,7 +42,7 @@ After the successful entry of all data, the last necessary step is the verificat This is done by clicking on the tile. This gives the user an e-mail with which he can verify himself. -![SAML tile in LightClient](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_4-en.webp) +![SAML tile in LightClient](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml_4-en.webp) After verification, the **SAML application** can be started from the Basic view view. 
@@ -50,6 +50,6 @@ After verification, the **SAML application** can be started from the Basic view application** with a password. NOTE: Setup and configuration instructions for -[SAML Application for Dropbox](../examples/saml_examples/saml_application_for_dropbox.md) and -[SAML application for Postman](../examples/saml_examples/saml_application_for_postman.md)can be +[SAML Application for Dropbox](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md) and +[SAML application for Postman](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md)can be found in the corresponding chapters. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/example_applications.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/example_applications.md index 37dd0376e1..a40ddecbbc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/example_applications.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/example_applications.md 
@@ -2,6 +2,6 @@ In this section you'll find examples for applications. -- [SAP GUI logon - SSO Application](sap/sap_gui_logon_-_sso_application.md) -- [SAML Application for Dropbox](saml_examples/saml_application_for_dropbox.md) -- [SAML application for Postman](saml_examples/saml_application_for_postman.md) +- [SAP GUI logon - SSO Application](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_-_sso_application.md) +- [SAML Application for Dropbox](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md) +- [SAML application for Postman](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md index 7b987b2f4e..bf5eb1ad20 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_dropbox.md 
@@ -3,30 +3,30 @@ ## SAML Configuration Example for Dropbox This chapter explains how to configure the SAML application for **Dropbox**. It is assumed that -[Configuration of SAML](../../configuration_of_saml/configuration_of_saml.md) has already been +[Configuration of SAML](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md) has already been activated in the Server Manager. - Log in as administrator at the **Dropbox** - Open the Admin Console -![Admin Console](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_1-en.webp)s +![Admin Console](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_1-en.webp)s - Open Settings -![settings dropbox](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_2-en.webp) +![settings dropbox](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_2-en.webp) - Single Sign On -![SSO dropbox](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_3-en.webp) +![SSO dropbox](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_3-en.webp) - This is where the data SSO URL and the certificate from the Server Manager must be deposited. 
-![database settings](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_4-en.webp) +![database settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_4-en.webp) - In the Advanced view, a new SAML application must be created in the Applications module. - Then the target page (login URL) and the XML file must be stored in the application. -![login with SAML](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_5-en.webp) +![login with SAML](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_dropbox_5-en.webp) The XML file must look like [this](https://cdn.manula.com/user/3511/docs/dropbox.xml). diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md index ed884969af..9eac1720b9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_application_for_postman.md 
@@ -3,21 +3,21 @@ ## SAML configuration example for Postman This chapter explains how to configure the SAML application for **Postman**. It is assumed that -[Configuration of SAML](../../configuration_of_saml/configuration_of_saml.md) has already been +[Configuration of SAML](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md) has already been activated in the Server Manager. - First, you register with Postman. - After logging in, click on the avatar and select "**Settings**". -![settings postman](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_1-en.webp) +![settings postman](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_1-en.webp) - Then click on **Authentication**. Select a new method in the upper right corner. -![option authentication postman](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_2-en.webp) +![option authentication postman](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_2-en.webp) - Here the Authentication Type must be defined with **SAML 2.0** and any useful Authentication Name. -![add authentication method](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_3-en.webp) +![add authentication method](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_3-en.webp) Then you come to the actual configuration. 
@@ -25,12 +25,12 @@ Then you come to the actual configuration. - **Identity Provider Details** The data from the Server Manager is uploaded as XML or stored manually. -![postman identity provider details](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_4-en.webp) +![postman identity provider details](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_4-en.webp) - **Service Provider Details** The service provider details are now copied to the application in the Netwrix Password Secure Client. -![postman service provider details](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_5-en.webp) +![postman service provider details](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/saml_examples/saml_postman_5-en.webp) NOTE: Please note that a **Relay State** is required. This value can be created in the **Configure Identity Provider Details View**. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_-_sso_application.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_-_sso_application.md index 3800a23c56..6d5f043977 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_-_sso_application.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_-_sso_application.md 
@@ -3,26 +3,26 @@ ## Fundamental information Logging into SAP can be achieved via the usage of -[Start Parameter](../../learning_the_applications/start_parameter/start_parameter.md). The +[Start Parameter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter.md). The prerequisite here is for the login process to be carried out via the "SAPshortcut". All available parameters are listed in the [SAP-Wiki](https://wiki.scn.sap.com/wiki/display/NWTech/SAPshortcut). -Form Firstly, a [Forms](../../../forms/forms.md) should be created with the required fields. This +Form Firstly, a [Forms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md) should be created with the required fields. This could look like this: -![SAP form](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_1-en.webp) +![SAP form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_1-en.webp) ## Record A corresponding record is then created via the form: -![SAP record](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_2-en.webp) +![SAP record](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_2-en.webp) ## Application A corresponding SSO application now needs to be created. 
-![SAP Application](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_3-en.webp) +![SAP Application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_3-en.webp) ## Link @@ -30,7 +30,7 @@ The record now needs to be linked with the application. To do this, open the con clicking on the record. The previously created application can then be selected here via **Applications** and **Connect application**. -![link record/application](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_4-en.webp) +![link record/application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/examples/sap/sap_gui_logon_4-en.webp) The link is then displayed in the ribbon. Clicking on the link will now open SAP, whereby the parameters for logging in to the application are directly transferred. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications.md index a8f1fe771d..3031855dba 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications.md 
@@ -27,13 +27,13 @@ The following options are required. First, a new SSO application is created via the ribbon. -![new sso application](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_1-en.webp) +![new sso application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_1-en.webp) Various properties for the application can now be defined in the tab that opens. The fields **Window title**, **Application** and **Application path** are not manually filled. This is done via the **Create application** button in the ribbon: -![new sso application](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_2-en.webp) +![new sso application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_2-en.webp) A crosshair cursor now appears. It enables the actual "mapping" or assignment of the target fields. You can see the field assignment for the user name below using a login to an SQL server as an 
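Review bot: both image lines in this hunk of learning_the_applications.md keep the same alt text, `new sso application`, although `learning_the_applications_1-en.webp` illustrates creating the application via the ribbon and `learning_the_applications_2-en.webp` follows the sentence about the **Create application** button. Since both lines are rewritten here anyway, give the second one its own alt text (for example `create application button`) so the two screenshots can be told apart when the image fails to load or is read by a screen reader.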
@@ -41,13 +41,13 @@ example. All of the other fields that should be automatically entered are assign The process is always the same. You select the field that needs to be automatically filled and then decide which information should be used to fill it. -![mapping fields](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_3-en.webp) +![mapping fields](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_3-en.webp) In parallel to the previous step, all of the already assigned fields will be displayed on the right edge of the screen. In this example, the VMware vSphere Client has a total of 4 assigned fields: IP, user name, password and clicking the button to subsequently confirm the login. -![connected fields](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_4-en.webp) +![connected fields](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_4-en.webp) NOTE: "Graphical recognition:" The graphical recognition function provides additional protection. It can be used to define other factors for the SSO. An area is defined that then serves as the output 
@@ -59,24 +59,24 @@ Once you have assigned all of the fields, you can exit the application process u button. The fields "Window title", "Application" and "Application path" mentioned at the beginning are now automatically filled. -![filled fields](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_5-en.webp) +![filled fields](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_5-en.webp) As you can see, the .exe file is directly referenced. If the application is saved to the same storage location for all users, it can then also be accessed by all other users. ## Linking records with applications -In the [Passwords](../../passwords/passwords.md), the newly created application can now be directly +In the [Passwords](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md), the newly created application can now be directly linked. To do this, mark the record to be linked and open the "Connect application" menu in the "Start" tab via the ribbon. This will open a list of all the available applications. It is now possible here to link to the previously created application "VMware". -![connect application with record](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_6-en.webp) +![connect application with record](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_6-en.webp) When the link has been established, this application can then be directly started via the ribbon in future. Pressing the button directly opens the linked application. 
-![start application](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_7-en.webp) +![start application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/learning_the_applications_7-en.webp) **CAUTION:** With respect to permissions, applications are subject to the same rules as for passwords, roles or documents. It is possible to separately define which group of users is permitted diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter.md index 3b5e50701c..f831f732b2 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter.md 
@@ -12,11 +12,11 @@ manufacturer of the software or taken from the documentation. The parameters can be directly entered in the application in the corresponding field. Alternatively, a configuration window is also available for this purpose. -![parameters applications](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_1-en.webp) +![parameters applications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_1-en.webp) The required elements can be moved here from the right side to the left side by drag & drop. -![edit parameters](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_2-en.webp) +![edit parameters](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_2-en.webp) Different categories are available here: 
@@ -31,11 +31,11 @@ example, the following start parameter have been defined for the Salamander appl For both parameters, the password fields with the names "Left Path" and "Right Path" are then transferred in each case. -![enter parameter](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_3-en.webp) +![enter parameter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_3-en.webp) The application is then linked with the following password: -![linked password parameter](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_4-en.webp) +![linked password parameter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/learning_the_applications/start_parameter/start_parameter_4-en.webp) When the Salamander application is started, the placeholder is replaced by the field names. Therefore, instead of diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications.md index f08d3ca087..c2937755c9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications.md 
@@ -8,7 +8,7 @@ those applications opens a new tab inside Netwrix Password Secure. A new RDP or SSH application can be created via the ribbon or the context menu. The corresponding form appears in which you define the variables for a connection. -![new rdp application](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_1-en.webp) +![new rdp application](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_1-en.webp) These variables correspond exactly to those that can be configured (here using the RDP example) when creating an RDP connection via "mstsc". The window mode defines whether the connection should be 
@@ -19,13 +19,13 @@ started in a tab, in full screen mode or in a separate window. For example, if you have created an RDP application, you can start it directly from the ribbon. With the icon "Establish RDP connection" the connection to the desired session will be established. -![establish RDP](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_4-en.webp) +![establish RDP](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/applications_4-en.webp) Netwrix Password Secure now tries to log in to the target system with the available information. All missing information will be requested directly after the connection is established. It is therefore also possible to enter the IP address and/or password after starting the application. -![RDP connection](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_3-en.webp) +![RDP connection](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/rdp_and_ssh_applications_3-en.webp) ## Login via SSH certificates @@ -38,6 +38,6 @@ NOTE: The file extension may first have to be enabled via the settings. ## Keyboard shortcuts Netwrix Password Secure supports various -[Keyboard shortcuts](../../../operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md). For +[Keyboard shortcuts](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md). For example transferring user name and password to the corresponding application. However, it should be noted that this only works if the application is opened directly from Netwrix Password Secure 
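Review bot: the replacement Keyboard shortcuts link in the `@@ -38,6 +38,6 @@` hunk pins the product version in its path (`/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/...`), which the relative link it replaces (`../../../operation_and_setup/...`) did not. If this tree is later copied for a newer version, the copy will keep pointing into 9.2, and as long as the 9.2 pages exist the link still resolves, so nothing will flag it. Please confirm that is intended, or note in the contributor docs that these links have to be rewritten on every version bump. The image paths in this file are not affected, since `/img/product_docs/passwordsecure/...` has no version segment.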
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session.md index e027dba09e..066e726b38 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session.md @@ -7,7 +7,7 @@ can then be subsequently viewed and evaluated. In this context, it is also possi functionality so that only the user themselves or an assigned person e.g. security officer can view and evaluate these recordings. -![notifications modul](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp) +![notifications modul](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp) ## Relevant rights 
@@ -27,11 +27,11 @@ can take place. RDP -![activating session recording](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_2-en.webp) +![activating session recording](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_2-en.webp) SSH -![activating session recording](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_3-en.webp) +![activating session recording](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_3-en.webp) If the setting has been activated, the recording will start automatically the next time a connection is established. 
@@ -45,19 +45,19 @@ immediately saved until the connection is terminated or until the end of the ses If recordings exist for an application, these can be called up and viewed in the Applications module. -![viewing session recording](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_4-en.webp) +![viewing session recording](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_4-en.webp) It is possible to search the session recordings using the filter as usual. It is also possible here to limit the search results based on the date and user. In the section on the right, it is also possible to further filter the searched list based on all column contents. -![session records](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_5-en.webp) +![session records](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_5-en.webp) Once a session recording has been selected, a new tab will open in which you can view the recording. The function "Skip inactivity" can be activated via the ribbon so that a recording can be effectively and quickly viewed so as only to see the relevant actions. 
-![viewing a session recording](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_6-en.webp) +![viewing a session recording](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/recording_a_session_6-en.webp) When are indicators set? @@ -68,4 +68,4 @@ When are indicators set? If desired, recordings can be automatically cleaned up. This option can be configured on the **Server Manager**. Further information can be found in the section -[Managing databases](../../../../../server_manager/managing_databases/managing_databases.md)s. +[Managing databases](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md)s. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md index 348f36c0dc..309d60382e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md @@ -9,7 +9,7 @@ required by an administrator differs significantly from those of a normal user. structure** of Netwrix Password Secure supports this approach by showing only those specific areas that should actually be used by the respective user. -![modules](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_1-en.webp) +![modules](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_1-en.webp) ## Visibility of modules 
@@ -17,7 +17,7 @@ The modules are the gateway to various features of version 9. Similarly to the f modules have to be made available to all user layers. The **Visibility of modules** can be defined individually within the user rights. -![user settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_2-en.webp) +![user settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_2-en.webp) NOTE: The visibility of modules can always be adapted to the needs of individual user groups @@ -29,12 +29,12 @@ permissions to see in accordance with the visibility settings explained previous hidden e.g. due to the scaling of the size of the client (Application and Password Reset in the example). -![sorting modules](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_3-en.webp) +![sorting modules](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_3-en.webp) The navigation options enable you to define the maximum number of visible elements and also how they are sorted. -![sorting modules](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_4-en.webp) +![sorting modules](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/client_modules_4-en.webp) NOTE: The previously described visibility of the modules is a basic requirement for viewing and sorting them in the navigation options diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_1.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_1.md index e3e9154d47..e97b9f8581 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_1.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_1.md 
@@ -4,20 +4,20 @@ When this module is opened in Netwrix Password Secure, **there are no entries displayed in the Discovery Service** module at the beginning. The entries need to be generated using a -[System tasks](../../../mainmenu/extras/system_tasks/system_tasks.md). +[System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md). -![discovery service entries](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-1-en.webp) +![discovery service entries](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-1-en.webp) Once a **System Task** has been completed, the data discovered during the search is listed in a table: -![discovery service entries](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-2-en.webp) +![discovery service entries](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-2-en.webp) NOTE: The information can be grouped together using the column editor. ## Network Scan -A **Discovery Service Task** is used to add a new [Discovery Service](../discovery_service.md) and +A **Discovery Service Task** is used to add a new [Discovery Service](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovery_service.md) and is then correspondingly configured for a **Network Scan**. Depending on the configuration of the **Network Scan**, the following types are discovered: 
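Review bot: the rewritten link line in this hunk of configuration_1.md still produces "generated using a [System tasks](...)", with a singular article in front of a plural link text. While the line is being touched, either drop the article or change the link text to `System task`; the target path can stay as proposed.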
@@ -34,7 +34,7 @@ correspondingly configured for a **Network Scan**. The following image shows a newly added **Discovery Service Task**. -![new discovery task](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-3-en.webp) +![new discovery task](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-3-en.webp) 1. Shows information about the **Discovery Service Task**. 2. In the **General** section, the name of the **Discovery Service Task** is entered (optionally @@ -53,7 +53,7 @@ Password: This section is used for special entries for the **Discovery Service Task**. After it has been finished, the **Network Scan** scans the **network** according to these guidelines. -![task settings](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-4-en.webp) +![task settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-4-en.webp) 1. **Password** and **Computer scan variants**: The required password must already have been issued and it requires corresponding rights for the domain. Active Directory computer: Only those 
@@ -80,7 +80,7 @@ scanned! This section is used to enter information about the start of the task and other additional information. -![Interval / Executing server / Tags](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-5-en.webp) +![Interval / Executing server / Tags](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/configuration/configuration_ds-5-en.webp) 1. **Interval**: The interval at which the **Discovery Service Task** should be executed is defined here. The default setting is hourly, one year after adding the **Discovery Service Task**. The @@ -91,7 +91,7 @@ information. is then automatically taken over and executed by the accessible servers on the list. The list is searched from top to bottom to find an accessible server. 3. **Tags**: The use of tags is described in more detail in the section - [Tag manager](../../../mainmenu/extras/tag_management/tag_manager.md). A special tag can be + [Tag manager](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md). A special tag can be entered here for the **Discovery Service Task**. After the **Discovery Service Task** has been configured, a connection test is performed when the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries.md index c960a2a1e8..f954da2639 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries.md 
@@ -6,7 +6,7 @@ discovered **entries** and then creates corresponding **passwords** and **Passwo The **Conversion Wizard** is started in the Start ribbon and it is also possible to switch here to the **System Tasks**. -![ribbon](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_1-en.webp) +![ribbon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_1-en.webp) After the **Discovery Service Task** has been successfully executed, the entries are available in the **Discovery Service**. Further processing of the entries is then carried out using the @@ -27,7 +27,7 @@ In the **Discovery Service** table, the user selects the entries for which he wa **Password Reset** or **password**. The user then clicks on the **Conversion Wizard** and the **Discovery Service Conversion Wizard** opens for further editing. -![data selection](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_2-en.webp) +![data selection](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_2-en.webp) 1. A **Discovery Service Task** first needs to be selected. This determines the context in which the new data will be created (for a new **Password Reset**, the **password for the domain 
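Review bot: The image targets in the two converting_entries.md hunks above (`converting_entries_1-en.webp` and `converting_entries_2-en.webp`) are now root-absolute (`/img/product_docs/...`), so they resolve only when the contents of `static/` are published at the site root. The old `../../../../../../../../../static/img/...` form also resolved inside the repository tree, which the new form does not. Since the same rewrite is applied to every image in this patch, please confirm the site is served from `/` and that the build is run with broken-image checking before merging.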
@@ -47,7 +47,7 @@ NOTE: Logically, **every root node** corresponds to **one user** and all of its The following image shows the options **add new password** or retain **existing password**. -![associated password](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_3-en.webp) +![associated password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_3-en.webp) In addition, the **organisational unit** in which the existing password is located is displayed. @@ -55,7 +55,7 @@ In addition, the **organisational unit** in which the existing password is locat The **Password Reset** is configured in the **Settings Ribbon**. -![reset setting](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_4-en.webp) +![reset setting](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_4-en.webp) The **settings** will be described in more detail below: 
@@ -76,7 +76,7 @@ and the **passwords changed!**. This also applies to **Windows passwords!** If option 1: **Do you also want to add a Password Reset?** is not selected, \*steps 4, 5 and 6 are not displayed for configuration. -![password reset option](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_5-en.webp) +![password reset option](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_5-en.webp) NOTE: After clicking on **Finish**, one or more **passwords will be created** but **no corresponding Password Resets will be created!** @@ -88,7 +88,7 @@ Service entries** is transferred to a password form. The following images shows the **Assignment (Active Directory user)** Ribbon -![Assignment (Active Directory user)](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_6-en.webp) +![Assignment (Active Directory user)](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_6-en.webp) ### Description @@ -98,7 +98,7 @@ The following images shows the **Assignment (Active Directory user)** Ribbon ### "Existing form" selected -![Assignment of the form field](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_7-en.webp) +![Assignment of the form field](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_7-en.webp) ### Procedure 
@@ -108,7 +108,7 @@ The following images shows the **Assignment (Active Directory user)** Ribbon ### "New form" selected -![New Form](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_8-en.webp) +![New Form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_8-en.webp) ### Converting Procedure @@ -121,7 +121,7 @@ The following images shows the **Assignment (Active Directory user)** Ribbon A brief overview of the actions that will be carried out with the added configuration is displayed in the **Summary** Ribbon. These actions will then be carried out if you click on **Finish**. -![summary](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_9-en.webp) +![summary](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_9-en.webp) ## Confirmation prompt @@ -142,7 +142,7 @@ An **Overview** of which actions will be carried out is displayed for the user t note. The user can then still decide to **Cancel** the process. If you click on **OK**, an **additional confirmation warning** will be displayed. -![important note](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_10-en.webp) +![important note](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_10-en.webp) **Security level 2:** 
@@ -151,7 +151,7 @@ do. It will no longer be possible to reverse the actions afterwards! **CAUTION:** **Last chance to cancel the execution!** -![securtiy warning](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_11-en.webp) +![securtiy warning](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/converting_entries/converting_entries_11-en.webp) After **entering the displayed number** and **confirming with OK**, the process is **executed immediately** and the **Password Resets** are carried out and the **associated passwords changed**. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords.md index 9e9a2cde7c..4785b6be1b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords.md @@ -6,7 +6,7 @@ in the following example. ## Password -![password list](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_1-en.webp) +![password list](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_1-en.webp) 1. The name of the created password 2. General data about the password 
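Review bot: In the `@@ -151,7 +151,7 @@` hunk of converting_entries.md, the rewritten image line keeps the alt text `securtiy warning`. The line is being touched anyway, so correct it to `security warning` in this change; alt text is what screen readers announce, and this image accompanies the "Last chance to cancel the execution!" caution.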
@@ -17,7 +17,7 @@ in the following example. Another password is created in the **Password Reset module** and is required for an associated **Password Reset**. -![password reset list](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_2-en.webp) +![password reset list](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/created_password/created_passwords_2-en.webp) Points 1-7 are described below: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries.md index 961306b689..ebae287ab2 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries.md @@ -17,7 +17,7 @@ Task** will be retained and must be deleted via the associated **Discovery Servi find out which **Discovery Service Task** found a particular entry by selecting the entry via the **Conversion Wizard**. -![Conversion Wizard.](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries_1-en.webp) +![Conversion Wizard.](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/deleting_entries/deleting_entries_1-en.webp) ## Deleting entries by changing the settings in the System Task 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries.md index 1d0f4decf8..07e7db6b7b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries.md @@ -6,7 +6,7 @@ be easily recognized by the **blue arrow** symbol on the **Discovery Service Tas corresponding message is also shown in the General display. Once the **Discovery Service Task** has been completed, the data will be shown in the **Discovery Service module**. -![new discovery service task](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_1-en.webp) +![new discovery service task](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_1-en.webp) The **Discovery Service Task** needs to be carefully configured. The configurable sections are described below. 
@@ -30,7 +30,7 @@ The successful execution of a **Discovery Service Task** is a requirement for th Service entries**. The discovered data is listed in table form in the **Discovery Service module** and can be correspondingly organized using the **Discovery Service System Task** filter. -![discovery service entries](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_2-en.webp) +![discovery service entries](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_2-en.webp) In this section, the **Discovery Service entries** that were discovered by the **Discovery Service Task** and selected for the **Conversion Wizard** are displayed. 
@@ -42,12 +42,12 @@ and **Password Resets** need to be added in the **Conversion Wizard**. Depending selected (service, Active Directory user, user account), it is necessary to carry out corresponding **assignments** in the **Conversion Wizard** for the **passwords**. -![Discovery service conversion wizard ](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_3-en.webp) +![Discovery service conversion wizard ](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_3-en.webp) Every line must be connected to a **password** in the end. Therefore, it is necessary to carry out an assignment process in the **Conversion Wizard** for every entry. -![Discovery service conversion wizard ](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_4-en.webp) +![Discovery service conversion wizard ](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_4-en.webp) For **Active Directory users**, it is possible to assign an existing **password**. 
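Review bot: Both rewritten image lines in this discovered_entries.md hunk carry the same alt text, `Discovery service conversion wizard ` (with a trailing space inside the brackets), although they point at different screenshots (`discovered_entries_3-en.webp` and `discovered_entries_4-en.webp`). Suggest trimming the trailing space and giving each image alt text that says what it shows, for example the assignment step for the first and the Active Directory password assignment for the second, matching the sentences that follow them.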
@@ -60,7 +60,7 @@ A good filter is required for processing the discovered data. A **filter that ha this purpose** is available for processing the entries in the **Discovery Service module**. The options in the **filter** are described below: -![Filter for discovered data](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_5-en.webp) +![Filter for discovered data](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/discovered_entries/discovered_entries_5-en.webp) Description of the **filter with the special options for the Discovery Service entries**: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_1.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_1.md index 420e6e94f9..652b404bf8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_1.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_1.md 
@@ -4,12 +4,12 @@ The logbook in the footer of the **Discovery Service Task** is extremely helpful **Discovery Service Task**. Information about the progress of the **Discovery Service Task** is displayed here. The data is displayed both in the **footer** and also in the **logbook module** (although in more detail here). To display the footer, the user requires the **user right**: Global -settings in the [User settings](../../../mainmenu/user_settings/user_settings.md) in the category: +settings in the [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md) in the category: "Footer area" - "Show logbook in the footer area (activated)" ## Show in footer -![logbook in footer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-1-en.webp) +![logbook in footer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-1-en.webp) The following **events** are displayed in the **logbook for the footer** and in the **logbook module**: 
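Review bot: The User settings link in this logbook_1.md hunk now embeds the product version (`/docs/passwordsecure/9.2/...`), where the old `../../../mainmenu/user_settings/user_settings.md` was independent of it. If this directory is later copied to start the next version's documentation, the link will keep pointing into 9.2 and still resolve, so nothing will flag it. Suggest keeping links that stay inside one version relative, or adding a link check that fails when a file under one version directory links into another.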
@@ -23,16 +23,16 @@ module**: If an error occurs during the execution of the **Discovery Service Task**, this is also shown n the **logbook for the footer** with **additional information** about the error. -![ logbook for the footer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-2-en.webp) +![ logbook for the footer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-2-en.webp) ## Display in the logbook In general, the **logbook module** displays more detailed information about the **Discovery Service -Task**. The [Filter](../../../operation_and_setup/filter/filter.md) can be used to select which data +Task**. The [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md) can be used to select which data is displayed. The same **events** as for the footer for the **Discovery Service Task** are also used here. -![logbook entries](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-3-en.webp) +![logbook entries](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/logbook/logbook_ds-3-en.webp) The column editor can be used to arrange and display the data in the table according to their importance. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md index 8e9ae82702..a72c93231d 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/discoveryservice/requirements/requirements.md @@ -33,10 +33,10 @@ adding a **Network Scan**! - The service: “Windows Management Instrumentation” must have been started on the computer to be scanned (carried out by Windows as standard). - Help section for starting the service: - [Microsoft Website]() + [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa826517(v=vs.85).aspx) - The firewall must not block WMI requests (not blocked as standard). - Help section for configuring the firewall: - [Microsoft Website]() + [Microsoft Website](https://msdn.microsoft.com/de-de/library/aa822854(v=vs.85).aspx) NOTE: Only **IPv4 addresses** can currently be scanned. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/documents/documents.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/documents/documents.md index 36f995ff63..3d9f702624 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/documents/documents.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/documents/documents.md @@ -11,7 +11,7 @@ version management system, which records all versions of a document that were sa thus enables you to revert back to historical versions. The configuration of visibility is explained in a similar way to the other modules in one place.. -![Document modul](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_1-en.webp) +![Document modul](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_1-en.webp) ## Relevant rights 
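Review bot: In the requirements.md `@@ -33,10 +33,10 @@` hunk, the two link targets that replace the empty `[Microsoft Website]()` contain literal parentheses (`aa826517(v=vs.85).aspx` and `aa822854(v=vs.85).aspx`) inside the Markdown `(...)` destination. Balanced parentheses are accepted by CommonMark parsers, but not every renderer handles them, so percent-encode them as `%28v=vs.85%29` or wrap the URL in angle brackets. Both URLs also use the `de-de` locale in an English page; `en-us` would be the expected path. Finally, the two links share the text "Microsoft Website"; link text that names the topic (starting the WMI service, configuring the firewall for WMI) would let readers tell them apart.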
@@ -32,7 +32,7 @@ There are two ways to manage documents and files in Netwrix Password Secure v8: saved within the database and can be made available selectively to employees for further processing in the future based on their permissions. -![New document](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_2-en.webp) +![New document](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_2-en.webp) ## Document selection @@ -40,7 +40,7 @@ When selecting the file to be uploaded, you can either browse your file system v or add objects by drag & drop. The latter gives you the possibility to directly import several documents in one step. -![searching document](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_3-en.webp) +![searching document](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/documents/documents_3-en.webp) ## Versioning @@ -48,7 +48,7 @@ The heart of each document management system is the ability to capture and archi documents or files. All versions of a document can be compared with each other and historical versions can be restored if necessary. Netwrix Password Secure provides this functionality via the history in the ribbon, as well as in the footer area for ​​the detailed view of a document. This can -be used in the same way as the [History](../passwords/history.md). The interplay between the +be used in the same way as the [History](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/history.md). The interplay between the document-specific event logbook and the history provides a complete list of all information that is relevant to the handling of sensitive data. Version management can be used to restore any historical versions of a document. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form.md index dca44656d5..6ecc2e7dcc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form.md @@ -6,13 +6,13 @@ It is necessary in some cases to change the form for a record. In these cases, t consolidate existing data or to adapt the form to match changes in the data structure. These functionalities are available under "Extras/Settings" in the ribbon. -![change form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_1-en.webp) +![change form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_1-en.webp) In the following screenshot, you can see the dialogue for "mapping" the form fields from the previously used form to the new form. In this example, a record that previously belonged to the "Website" form is being "mapped" to the "Password" form (right). -![change form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_2-en.webp) +![change form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_2-en.webp) The drop-down menu allows you to select the target form. The comparison of current and new form fields is shown in the lower section. 
@@ -44,7 +44,7 @@ If you press the "Change form" button (as mentioned in the previous section), th form will be used by default. If this form has been changed in the meantime, the new form field will be directly shown and adopted after it is saved. -![New Form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_3-en.webp) +![New Form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/change_form_3-en.webp) ### Apply form changes to passwords diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md index 483f68237b..369a4bc5ca 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md @@ -9,7 +9,7 @@ which have to be stored. Nevertheless, their use as an effective filter criterio ignored! Forms have a lasting impact on working withNetwrix Password Secure v8 and must be managed and maintained with the necessary care by the administration. -![form module](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_1-en.webp) +![form module](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_1-en.webp) ## Relevant rights 
@@ -26,11 +26,11 @@ Netwrix Password Secure is supplied with a series of standard forms – these sh all standard requirements. Naturally, it is still possible to adapt the standard forms to your individual requirements. -![forms](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_2-em.webp) +![forms](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_2-em.webp) The associated preview for the form selected in -[List view](../../operation_and_setup/listview/list_view.md) appears in the -[Reading pane](../../operation_and_setup/readingpane/reading_pane.md). Both the field name and also +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) appears in the +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md). Both the field name and also the field type are visible. ## Creating new forms 
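Review bot: The image target in this forms.md hunk ends in `forms_2-em.webp`, while the other screenshots referenced from this file use the `-en` suffix (`forms_1-en.webp`, `forms_3-en.webp`). The old path had the same name, so it may be the real filename, but please confirm the file exists under that exact name in `static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/`, or rename it to `-en` together with this line.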
@@ -43,12 +43,12 @@ the example of the field type "Password". The sequence in which form fields are creating new records corresponds to the sequence within the form. This can be adapted using the relevant buttons in the ribbon. -![Creating new forms](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_3-en.webp) +![Creating new forms](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_3-en.webp) The following field settings thus appear for the field type "Password": "Mandatory field, reveal only with reason, check only generated passwords and password policy". These can now be defined as desired. (**Note**: It is possible to select -[Password rules](../../mainmenu/extras/password_rules/password_rules.md) within the field settings; +[Password rules](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md) within the field settings; they are defined as part of the options in the main menu) **CAUTION:** If a form has been created, it can then be selected for use when creating new records. @@ -69,7 +69,7 @@ Every record displays other information underneath the obligatory name of the re In the following example, the user name is also displayed in addition to the name of the password. The name of the form is displayed in between in a blue font. -![Configuring the info field](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_4-en.webp) +![Configuring the info field](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_4-en.webp) The name of the record (192.168.150.236) and the form (password) cannot be adjusted – these are always displayed. The user (Administrator) that is still saved for the record is currently 
@@ -78,7 +78,7 @@ define for each form what information for a record can be directly seen in list module, the info field is configured by opening the form which has to be edited in editing mode by double clicking on it and then pressing the \*Configure info field” button in the ribbon. -![Configuring the info field](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_5-en.webp) +![Configuring the info field](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_5-en.webp) This will open a separate tab that enables you to design the info section via drag & drop. The fields that are available on the right can be "dragged" onto the configuration window on the left. 
@@ -86,15 +86,15 @@ In the following example, "Start RDP session2 will be made visible in the info s the word "RDP" is assigned a function – namely to start the RDP manager. A preview is shown in the top section. -![preview form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_6-en.webp) +![preview form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_6-en.webp) The info field for the form is now updated. It is now possible to start the RDP session directly in the RDP session. -![updated form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_7-en.webp) +![updated form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_7-en.webp) NOTE: The **forms module** is based on the -[Web Application](../../../web_applicaiton/web_application.md) module of the same name. Both modules +[Web Application](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md) module of the same name. Both modules have a different scope and design but are almost identical to use. ## Standard form 
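Review bot: The Web Application link in this forms.md hunk writes the misspelled directory name `web_applicaiton` into an absolute path (`/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md`). The spelling is carried over from the old relative link `../../../web_applicaiton/web_application.md`, so it presumably matches the directory as it exists today, but the absolute form repeats the typo in every file that links there. Suggest renaming the directory to `web_application` in a follow-up and updating these links in the same commit, so that a later rename does not leave them dangling.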
@@ -103,8 +103,8 @@ There are two possible ways to define a standard form. ### Via the “standard form” user setting -![settings form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_8-en.webp) +![settings form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_8-en.webp) ### Via the form selection -![default form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_9-en.webp) +![default form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/forms/forms_9-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md index 1b5fbc4704..8c4a5f0835 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md @@ -7,7 +7,7 @@ logbook. The logbook records which user has made exactly what changes. This modu (theoretically) classified as uncritical. This is because the employee only has access to those logbook entries to which he is actually entitled. -![Logbook module](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_1-en.webp) +![Logbook module](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_1-en.webp) ## Relevant rights 
@@ -24,7 +24,7 @@ elements based on the defined criteria. In the following example, the user is se entries relating to the object type “Password” that also match the event criteria "Change". In short: The entries are being filtered based on changes to passwords. -![Logbook filter](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_2-en.webp) +![Logbook filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_2-en.webp) ## Grouping in the logbook @@ -32,7 +32,7 @@ This list can also be grouped together by dragging and dropping column headers grouping of the columns for **computer user**. The filtered results now show all changes to passwords carried out by the computer user "administrator". -![Logbook entries](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_3-en.webp) +![Logbook entries](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook_3-en.webp) ## Revision-safe archiving 
@@ -43,10 +43,10 @@ completed in a traceable and audit-proof manner to prevent falsification. NOTE: If desired, the logbook can be automatically cleaned up. This option can be configured on the Server Manager. Further information can be found in the section -[Managing databases](../../../server_manager/managing_databases/managing_databases.md). +[Managing databases](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md). ## Transferring to a Syslog server The logbook can also be completely transferred to a -[Syslog](../../../server_manager/database_properties/syslog.md) server. Further information on this +[Syslog](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md) server. Further information on this subject can be found in the section Syslog. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md index 83ae676b50..3741272b60 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md 
@@ -8,9 +8,9 @@ for the currently registered Netwrix Password Secure user. It is not possible to notification for another user. Each user can and should define himself which passwords, which triggers as well as changes are important and informative for him. The configuration of visibility is explained in a similar way to the other modules in one place -[Visibility](../../permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md) +[Visibility](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md) -![Notifications modul](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp) +![Notifications modul](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp) NOTE: The reading pane is deactivated in this module by default. It can be activated in the "Display" tab in the ribbon. @@ -21,7 +21,7 @@ There are also some ribbon functionalities that are exclusively available for th module. In particular, the function **Forward important notifications to email addresses** enables administrators and users to maintain control and transparency independent of the location. -![Ribbon notifications](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_2-en.webp) +![Ribbon notifications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_2-en.webp) ### Mark notifications as read 
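Review bot: In notifications.md hunk `@@ -8,9`, the first image still points at `.../clientmodule/applications/rdp_and_ssh_applications/recording_a_session/notifications_1-en.webp`, while every other notifications image in this file lives under `.../clientmodule/notifications/`. The old relative path had the same directory, so this change only preserves it, but a bulk path rewrite is the moment to verify that the file really exists at that location and to move it next to `notifications_2-en.webp` if it was misfiled. The alt text "Notifications modul" is also missing its final "e".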
@@ -29,7 +29,7 @@ The two buttons on the ribbon enable you to mark notifications as read/unread. I filter criterion available in this context (see following screenshot) enables fast sorting according to current and also historical notifications. -![filter notifications](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_3-en.webp) +![filter notifications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_3-en.webp) It is possible to mark the notifications as read/unread via the ribbon and also via the context menu that is accessed using the right mouse button. If the corresponding setting has been activated, @@ -40,7 +40,7 @@ opening a notification will also mean that it is marked as read. Irrespective of the selected module, permissions can be configured manually for objects. The following dialogue can be opened via the ribbon in the "Actions" tab: -![Manual configuration of notifications](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_5-en.webp) +![Manual configuration of notifications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_5-en.webp) - **Notification**: Definition for the trigger - **Value**: Defines whether a notification should be created for the previously defined trigger. In 
@@ -56,17 +56,17 @@ that a notification is really only triggered for relevant events. As well as manually configurable notifications, there are other triggers in Netwrix Password Secure which will result in notifications. -- [Seals](../../permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md): Requests +- [Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md): Requests to release sealed records are handled via the notification system -- [System tasks](../../mainmenu/extras/system_tasks/system_tasks.md)s: If reports are automatically +- [System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md)s: If reports are automatically created via the system tasks, these are also made available in the form of a notification. If this type of notification is selected, it can be directly opened via the corresponding button that appears on the ribbon. -![Ribbon functions notifications](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_6-en.webp) +![Ribbon functions notifications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications_6-en.webp) ## Automatic deletion of old notifications If desired, notifications can be automatically cleaned up. This option can be configured on the **Server Manager**. Further information can be found in the section -[Managing databases](../../../server_manager/managing_databases/managing_databases.md). +[Managing databases](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md). 
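Review bot: The System tasks bullet in hunk `@@ -56,17` keeps a stray character after the link: `[System tasks](...system_tasks.md)s:` renders as "System taskss:". Since this line is being rewritten anyway, drop the trailing `s` so the bullet reads `[System tasks](...): If reports are automatically ...`.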
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md index cc5a233583..8e2a941143 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md @@ -2,7 +2,7 @@ ## Maximum encryption -[Active Directory link](active_directory_link.md) with active end-to-end encryption currently offers +[Active Directory link](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) with active end-to-end encryption currently offers **maximum security**. Only users, organisational units and roles are imported. The permissions and the hierarchical relationship between the individual objects needs to be separately configured in Netwrix Password Secure. The advantage offered by end-to-end encryption is that Active Directory is 
@@ -26,7 +26,7 @@ The following options are required to add new profiles. The process for creating a new profile is started via the icon "manage profiles" on the ribbon. -![New AD profile](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_1-en.webp) +![New AD profile](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_1-en.webp) NOTE: "End-to-end" needs to be set in the "Encryption" field 
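Review bot: The image reference in hunk `@@ -26,7` changes from a path relative to the markdown file (`../../.../static/img/...`) to a root-absolute `/img/product_docs/...`. That only resolves if the site serves the static directory at the web root; the image will no longer render when the markdown is viewed in the repository, and it breaks if the site is ever deployed under a non-root base URL. The same pattern repeats through the rest of this file and the patch, so please state in the commit message which base URL the build assumes, and confirm that the build fails on unresolved image paths rather than silently shipping broken images.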
@@ -49,21 +49,21 @@ must have access to the AD. The import is started directly in the ribbon. A wizard guides the user through the entire operation. -![Import icon](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp) +![Import icon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp) ## Organisational structure First, an organisational unit is selected for the import. If there are no organisational units in the database yet, as in this example, the data is imported into the **main organisational unit**. -![Import wizard/organisational structure](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp) +![Import wizard/organisational structure](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp) ## Active Directory objects In the next step, select the relevant profile that should be used for the import. Then, select the organisational units and/or users for the import. A search is available for this purpose. 
-![Import wizard/AD objects](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp) +![Import wizard/AD objects](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp) It can be seen that the organisational units **Jupiter** and **Contoso** contain items to be imported. The organisational units themselves will not be imported. The check next to the group @@ -78,7 +78,7 @@ There are different symbols which indicate the elements to be imported. A context menu that is accessed using the right mouse button is available within the list that provides helpful functions for selecting the individual elements. -![context menu](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp) +![context menu](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp) - Select sub-objects selects all sub-objects that are located directly below the current object - Deselect sub-objects removes tags from all sub-objects that are located directly below the current 
@@ -99,7 +99,7 @@ the elements along with their descriptions. The **Status** column specifies whet added, updated, or disabled. The last column specifies the organisational unit into which the element is imported. The number of objects is added together at the bottom. -![Import wizard/Summary](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp) +![Import wizard/Summary](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp) NOTE: Depending on the amount of data, it may take several minutes to create the summary. @@ -109,7 +109,7 @@ The import itself is carried out by the server in the background. The individual appear in the list one by one. This may take some time, depending on the amount of import data. If the import is terminated, you will receive a confirmation. -![confirmation](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp) +![confirmation](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp) NOTE: As end-to-end encryption is retained in this mode, the server does not receive a key to match already imported users with the AD. There is thus no synchronization with the AD. Similarly, no 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md index 620cff28cd..5a765a2c26 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md @@ -2,7 +2,7 @@ ## Maximum convenience -In contrast to [End-to-end encryption](end-to-end_encryption.md), which places the main focus on +In contrast to [End-to-end encryption](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md), which places the main focus on security, Masterkey mode provides the maximum level of convenience. It not only imports users, organisational units and roles but also their links and affiliations. It can be synchronized to update the information and affiliations. **In this scenario, Active Directory is used as a leading 
@@ -22,7 +22,7 @@ The following options are required to add new profiles. Profile management is started via the icon of the same name on the ribbon. -![AD profile](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_1-en.webp) +![AD profile](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_1-en.webp) The following information must be provided in the profile: 
@@ -73,31 +73,31 @@ connection is not possible, deactivate SecureSocketsLayer and try again. **CAUTION:** The master key is added in form of a certificate. It is **essential to back up** the generated certificate! If the database is being moved to another server, the certificate also needs to be transferred! Further information can be found in the section -[Certificates](../../../../../server_manager/certificates/certificates.md). +[Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md). NOTE: You can now use the option to integrate a RADIUS server. Read more in -[RADIUS authentication](radius_authentication.md). +[RADIUS authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md). ## Import You can start the import directly in the ribbon. A wizard guides the user through the entire operation. -![import icon](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp) +![import icon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_2-en.webp) ## Organisational structure First, an organisational unit is selected for the import. If there are no organisational units in the database yet, as in this example, the data is imported into the **main organisational unit**. 
-![import wizard / organisational structure](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp) +![import wizard / organisational structure](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_3-en.webp) ### Active Directory objects In the next step, select the profile you will use to import the data. Then, select organisational units and/or users for the import. A search is available for this purpose. -![import wizard / AD objects](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp) +![import wizard / AD objects](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_4-en.webp) As you can see, the organisational units **Jupiter** and **Contoso** contain items to be imported. The organisational units themselves will not be imported. The group **1099 Contractor** is imported 
@@ -114,7 +114,7 @@ will be imported Right-clicking in the list will launch a context menu. It provides helpful functions for the selection of the individual elements. -![select subjects](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp) +![select subjects](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_5-en.webp) NOTE: If individual users cannot be selected for import, they have already been imported via an end-to-end encrypted profile. @@ -129,7 +129,7 @@ the elements along with their descriptions. The **Status** column specifies whet added, updated, or disabled. The last column specifies the organisational unit into which the element is imported. The number of objects can be seen at the bottom. -![import wizard / summary](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp) +![import wizard / summary](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_6-en.webp) ## Importing 
@@ -137,7 +137,7 @@ The server imports data in the background. The individual elements then appear i one. This may take some time, depending on the amount of import data. If the import was terminated, this is symbolized by a hint. -![Notification](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp) +![Notification](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end_to_end_encryption_7-en.webp) ## Imported users and organisational units @@ -177,7 +177,7 @@ roles already exist in Netwrix Password Secure or have also been imported. Users who are imported using this mode can log in with the domain password. Please note that no domain needs to be specified when logging in. Of course, the login process can also be supplemented with -[Multifactor Authentication](../../../../../server_manager/managing_databases/database_settings/multifactor_authentication_ac.md). +[Multifactor Authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md). NOTE: Logging on using Kerberos works "automatically". As long as the corresponding Kerberos server is accessible, the users in the domain authenticate themselves via Kerberos using their domain 
@@ -191,7 +191,7 @@ that have to be made on the domain controller and have nothing to do with Netwri The rights to be issued to imported users are explained in the following example: -![Permission MKM User](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_7-en.webp) +![Permission MKM User](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_7-en.webp) 1. In Master Key mode, **all** users will be issued with the **read** right. 2. The **responsible user** will be issued with all rights and the key. This ensures that he can @@ -218,7 +218,7 @@ made. The synchronization can be started manually at any time via the corresponding button in the ribbon. -![manual synchronization](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_8-en.webp) +![manual synchronization](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode_8-en.webp) Select the required profile and start the synchronization. As is the case with the initial import, the synchronization runs in the background. A hint indicates that the process has been completed. 
@@ -226,7 +226,7 @@ the synchronization runs in the background. A hint indicates that the process ha ### Synchronization via system tasks The synchronization can also be carried out automatically. This is made possible via the -[System tasks](../../../../mainmenu/extras/system_tasks/system_tasks.md). +[System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md). ### Deleting or removing users diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md index fc5040cae1..8e0ac4b0b5 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md @@ -22,7 +22,7 @@ met: The actual connection of the RADIUS server is simple: -![radius integration](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication_1-en.webp) +![radius integration](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication_1-en.webp) - **Use RADIUS** - First, the usage is activated. - **Host Address** - The address of the RADIUS server is stored here. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/directory_services.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/directory_services.md index 7f8783ab49..f8dbde6e11 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/directory_services.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/directory_services.md @@ -5,6 +5,6 @@ Password Secure. Choose your preferred integration method: -- [Microsoft Entra ID connection](entra_id/entra_id_connection.md) +- [Microsoft Entra ID connection](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md) -- [Active Directory link](activedirectorylink/active_directory_link.md) +- [Active Directory link](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md index e715c84984..aee60a7007 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_connection.md 
@@ -49,7 +49,7 @@ NOTE: You need an account with administrative permissions - Write down your "Tenant ID" shown in the Azure console or by using PowerShell: -[Copy]() +[Copy](javascript:void(0);) ``` Connect-AzureAD @@ -79,7 +79,7 @@ have booked the Azure package Entra ID Premium P1! NOTE: Your Netwrix Password Secure user need the following permissions: -[Copy]() +[Copy](javascript:void(0);) ``` - Display organisational structure module @@ -130,7 +130,7 @@ To enable the Azure login for your users, a few more steps are required: | Microsoft Edge Extension | `https://ahdfobpkkckhdhbmnpjehdkepaddfhek.chromiumapp.org` | | Firefox Extension | `https://28c91153e2d5b36394cfb1543c897e447d0f1017.extensions.allizom.org` | -![web_configuration_entra_id](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/web_configuration_entra_id.webp) +![web_configuration_entra_id](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/web_configuration_entra_id.webp) Click on "Add a platform", select "Mobile & desktop applications" and configure the required mobile-app URI: @@ -139,7 +139,7 @@ mobile-app URI: | ------------- | ------------------ | | iOS & Android | `psrmobile://auth` | -![mobile_and_desktop_applications](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/mobile_and_desktop_applications.webp) +![mobile_and_desktop_applications](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/mobile_and_desktop_applications.webp) #### Create client secret 
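Review bot: In entra_id_connection.md hunks `@@ -49,7` and `@@ -79,7`, the empty link `[Copy]()` is replaced with `[Copy](javascript:void(0);)`. This is leftover copy-button markup from the source help system, not content, and giving it a `javascript:` href is the wrong fix: markdown sanitizers and content security policies commonly strip or block `javascript:` URLs, and a docs tree that contains them makes it harder to lint for that scheme as a sign of injected content. Delete both `[Copy]` lines and rely on the code fence's own copy control. In the same hunk, "Your Netwrix Password Secure user need the following permissions" should read "needs".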
@@ -148,11 +148,11 @@ Client secret Create a client secret: -![certificates-secrets-en_1544x311](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/certificates-secrets-en_1544x311.webp) +![certificates-secrets-en_1544x311](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/certificates-secrets-en_1544x311.webp) Copy it over to the Netwrix Password Secure Entra ID profile: -![entra_id_client_secret](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_client_secret.webp) +![entra_id_client_secret](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/entra_id/entra_id_client_secret.webp) #### Set API permissions diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor.md index 1cd90fb85b..73fdf4822a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor.md 
@@ -9,7 +9,7 @@ It is a process that regulates access to our system. With the user setting **Edit first factor** you have the possibility to define another factor for authentication than the standard password. -![Edit first factor](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_1-en.webp) +![Edit first factor](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_1-en.webp) ## Factors @@ -17,7 +17,7 @@ authentication than the standard password. The configuration is done via the user setting **First factor**. -![Smartcard 1st factor](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_2-en.webp) +![Smartcard 1st factor](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_2-en.webp) NOTE: This option is only valid for users in master key mode 
@@ -38,21 +38,21 @@ In addition, the smartcard certificate must of course also be valid on the serve ## Requirement For Fido2 it is mandatory that -SMTP ([Advanced settings](../../../../server_manager/main_menu/advanced_settings.md)) is configured. +SMTP ([Advanced settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md)) is configured. In addition, an e-mail address must be stored for the AD users. Furthermore, the URL of the Web Application must be stored in the Server Manager: -![Edit WebClient URL](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_3-en.webp) +![Edit WebClient URL](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_3-en.webp) ### Configuration The configuration is done via the user setting **First Factor**. -![FIDO2](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_4-en.webp) +![FIDO2](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_4-en.webp) As soon as an AD user logs on to the Web Application, he gets the following prompt -![prompt](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_5-en.webp) +![prompt](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/firstfactor/first_factor_5-en.webp) After clicking on **Setup Fido2 access** in the mail, Fido2 is configured. 
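Review bot: The new SMTP link under `## Requirement` hard-codes the version directory (`/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md`), whereas the removed link `../../../../server_manager/main_menu/advanced_settings.md` stayed inside whichever version tree the file lived in. If this tree is copied for a later release, the link will keep pointing at 9.2. Consider keeping doc-to-doc links relative, or document the step that rewrites the version segment when a new version directory is created.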
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/managing_users.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/managing_users.md index d2bdcaea24..a78edec52b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/managing_users.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/managing_users.md @@ -23,7 +23,7 @@ only the differences will be covered below. ### Creating users -![create user](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/create-user-wc.webp) +![create user](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/create-user-wc.webp) - **Allocated roles**: New users can directly be allocated one or more rolls when they are created - **Change password on next login**: The user will be requested to change their user password on the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_logging_in.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_logging_in.md index e7f6acc611..04d6c390c8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_logging_in.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_logging_in.md 
@@ -27,7 +27,7 @@ right **Can display organisational structure module**. **Read** and **write** ri are also required. Finally, membership of the user is required. Normally, the user themselves and the user who created or imported the user have the right to change their password. -![Permission for user](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_1-en.webp) +![Permission for user](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_1-en.webp) ### Assigning and changing passwords @@ -39,7 +39,7 @@ passwords after the import. The passwords can be directly assigned or changed via the ribbon. Naturally, it is also possible to select multiple users if e.g. several imported users should be assigned the same password. -![change password](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_2-en.webp) +![change password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_2-en.webp) ### Change password on next login 
@@ -49,12 +49,12 @@ users**, this can be activated during the creation of the user. In the case of * mode**, this option is directly activated during import for security reasons. This option is automatically deactivated after the user has successfully logged in and changed the password. -![change password next login](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_3-en.webp) +![change password next login](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_3-en.webp) ### Security of passwords To guarantee that passwords are sufficiently strong, it is recommended that corresponding -[Password rules](../../../mainmenu/extras/password_rules/password_rules.md) are created. It is +[Password rules](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md) are created. It is especially important to ensure here that user names are excluded. The password rule then still needs to be defined as a user password rule. 
@@ -66,9 +66,9 @@ The process for logging into the database differs depending on the type of user. Local users simply log in using their user name and the assigned password. -![login username](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_4-en_415x238.webp) +![login username](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_4-en_415x238.webp) -![login password](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_5-en.webp) +![login password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_5-en.webp) ## AD user @@ -79,7 +79,7 @@ with the same name, the name of the domain must be entered in front of the user The name of the domain must be entered as it is configured in the AD profile under **Domains**. The option **Other domain names** can be used to save other forms of the domain name. -![AD User](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_6-en.webp) +![AD User](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/user_passwords_6-en.webp) NOTE: The logon to the client is automatically forwarded to the Autofill Add-on and other clients on the same computer. The same applies to logging on to the Autofill Add-on. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md index ede63f3088..78083d29f3 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md @@ -11,12 +11,12 @@ the user. To use multifactor authentication on a database, it must firstly have been activated on the Server Manager. In the database module, open the settings for the selected database via the ribbon. -![database settings](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_1-en.webp) +![database settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_1-en.webp) It is possible to separately define in the settings whether it is permitted to use each interface on the database. -![multifactor authentication](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_2-en.webp) +![multifactor authentication](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_2-en.webp) ### Other settings 
@@ -29,10 +29,10 @@ important that these rights exist before Multifactor Authentication is set up. ## Configuration of multifactor authentication -In the [Organisational structure](../organisational_structure.md) module, you select the user and +In the [Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md) module, you select the user and the interface "Multifactor authentication" in the ribbon. -![TOTP](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_3-en.webp) +![TOTP](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_3-en.webp) The desired type of authentication is selected and given a title. This name is also displayed to the user when logging in. The subsequent process differs depending on the desired authentication type. 
@@ -43,7 +43,7 @@ The prerequisite for this is that the relevant app has been started on a smartph has been assigned for the authentication, you generate a new secret via the corresponding button. A QR code is displayed, which must be scanned using the Google Authenticator app on a smartphone. -![google authenticator](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_4-en.webp) +![google authenticator](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_4-en.webp) Once the Google Authenticator app has detected the QR code, it will return a 6-digit PIN. You must then enter it in the appropriate field. Finally, click on **Create** in the ribbon. @@ -53,7 +53,7 @@ then enter it in the appropriate field. Finally, click on **Create** in the ribb To set up multifactor authentication using RSA SecurID, simply enter the RSA user name and click **Create** directly in the ribbon. -![RSA SecurID Token](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_5-en.webp) +![RSA SecurID Token](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_5-en.webp) NOTE: The prerequisite for the use of RSA SecurID token is that the access data has been stored in the Database settings on the Server Manager. 
@@ -63,14 +63,14 @@ the Database settings on the Server Manager. For PKI setup, the **Select** button is used to open the menu for selecting the desired certificate. All eligible certificates are displayed. -![Public key infrastructure](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_7-en.webp) +![Public key infrastructure](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication_7-en.webp) Now just select the desired certificate from the list to confirm the process. ## Yubico One Time Password The configuration of multifactor authentication using Yubico One Time Password is described -in[Multifactor Authentication](../../../../server_manager/managing_databases/database_settings/multifactor_authentication_ac.md). +in[Multifactor Authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md). ## Delete Multifactor Authentication (MFA) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/otp/otp_(one-time-password).md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/otp/otp_(one-time-password).md index f416d5c128..4cf592b508 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/otp/otp_(one-time-password).md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/otp/otp_(one-time-password).md 
@@ -30,7 +30,7 @@ As soon as the secret has been deposited and the password saved, the setup is co 1. Set up OTP 2. Create - [HTML WebViewer export](../../../../mainmenu/export/html_webviewer-export/html_webviewer_export.md) + [HTML WebViewer export](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md) 3. Open the created HTML WebViewer How to use the HTML WebViewer can be read in the chapter with the same name. @@ -41,7 +41,7 @@ NOTE: The special feature of the Emergency WebViewer is that the stored OTP secr displayed. In order to use the One-Time-Password in the -[EmergencyWebViewer](../../../../mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md) +[EmergencyWebViewer](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md) you have to proceed as follows: 1. Set up OTP diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubicoyubikey.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubicoyubikey.md index 3bba2884e5..13b8e9c7c0 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubicoyubikey.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubicoyubikey.md 
@@ -13,20 +13,20 @@ The following firewall release must be granted: An API key must be requested for configuration. For this purpose, use the following link and enter an e-mail address: [Yubico Website](https://upgrade.yubico.com/getapikey/) -![yubico setup](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_1-en.webp) +![yubico setup](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_1-en.webp) Yubikey will then generate a **One Time Password**. The Yubikey used must only be touched in the right place. -![yubico stick](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) +![yubico stick](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) The **One Time Password** is entered directly into the corresponding field. -![yubico OTP](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_3-en.webp) +![yubico OTP](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_3-en.webp) Once the general terms and conditions have been approved, the API Key can be requested. 
-![yubico key](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_4-en.webp) +![yubico key](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_4-en.webp) ### Configuring the Yubikey API @@ -34,7 +34,7 @@ The actual setting up of the multifactor authentication is carried out on the Se **Database** module. First select the required data base; then open the "Features" in the ribbon. The **Yubico Client ID** and the **Yubico Secret Key** must then be entered and saved. -![Configuration yubico](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_5-en.webp) +![Configuration yubico](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_5-en.webp) The interface is now ready and can be used. 
@@ -45,20 +45,20 @@ this endpoint. ## Configuring multifactor authentication for users Multifactor authentication can be configured in the Netwrix Password Secure client. It can be done -by the user themselves in **Backstage** in the [Account](../../../../mainmenu/account/account.md) +by the user themselves in **Backstage** in the [Account](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md) menu. In order to configure the Yubikey, simply select **Yubico OTP**. -![setup second factor](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_6-en.webp) +![setup second factor](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_6-en.webp) Now click in the field for the token and create a token using the Yubikey. For **Yubikey NEO**, you only need to touch the touch panel. The same applies to **Yubikey Nano**. -![yubico stick](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) +![yubico stick](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) The token is entered directly into the corresponding field. The multifactor authentication is configured once you’ve clicked on configure. 
-![Configuration yubico](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_8-en.webp) +![Configuration yubico](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_8-en.webp) ## Logging in with the Yubikey @@ -67,10 +67,10 @@ To login with Multifactor Authentication, the database is first selected and the After the first password authentication, another window for the **Yubico Key** is displayed. -![Login yubico](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_10-en.webp) +![Login yubico](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_10-en.webp) Click on the field to highlight it, and enter the **Yubico Key** by touching the Yubikeys. -![yubico stick](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) +![yubico stick](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/yubico/yubico_yubikey_2-en.webp) The user is now logged on. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md index 27ec56a15a..500d7e46af 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md @@ -9,7 +9,7 @@ organization diagrams for the company or department. It is also possible to use as the function / activity performed, as the basis for creating hierarchies. It is always up to the customer themselves to decide which structure is most useful for the purpose of the application. -![Organizational structure modul](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_1-en.webp) +![Organizational structure modul](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_1-en.webp) ## Relevant rights 
@@ -26,40 +26,40 @@ The operation of the ribbon differs fundamentally in a couple of aspects to how modules. The following section will focus on only those elements of the ribbon that differ. The remaining actions have already be explained for the password module. -![create new user/organisational unit](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_2-en.webp) +![create new user/organisational unit](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_2-en.webp) - **New organisational unit/user**: New organisational units or new users can be added via the ribbon, the keyboard shortcut "CTRL + N" or also the context menu that is accessed using the right mouse button. Due to its complexity, there is a separate section for this function: - [User management](../../../web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md) + [User management](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md) - **Drag & Drop**: If this option has been activated, it is possible to move users or organisational units in list view via drag & drop - **Permissions**: The configuration of permissions within the organisational structure is important both for the administration of the structure and also as the basis for the permissions in accordance with - [Inheritance from organisational structures](../../permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md). + [Inheritance from organisational structures](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md). 
The benefits of - [Predefining rights](../../permissionconcept/predefining_rights/predefining_rights.md) are + [Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md) are explained in a separate section. - **Settings**: The settings can be configured for both users and also organisational units. More - information on [User settings](../../mainmenu/user_settings/user_settings.md)… + information on [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md)… - **Active Directory**: The connection to Active Directory is explained in a dedicated section - [Active Directory link](directoryservices/activedirectorylink/active_directory_link.md) + [Active Directory link](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) - **Microsoft Entra ID**: The connection to Microsoft Entra ID is explained in a dedicated section - **Multi Factor authentication**: Additional security during login is provided through positive authentication based on another factor. More on this subject… - **Reset password**: Administrators can reset the passwords with which users log in to Netwrix Password Secure to a defined value. Naturally, this is only possible if the connection to Active Directory is configured - via[End-to-end encryption](directoryservices/activedirectorylink/end-to-end_encryption.md). In the - alternative [Masterkey mode](directoryservices/activedirectorylink/masterkey_mode.md), the + via[End-to-end encryption](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/end-to-end_encryption.md). 
In the + alternative [Masterkey mode](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md), the authentication is linked to the correct entry of the AD password. NOTE: To reset a user password, membership for the user is a prerequisite. The example below shows the configuration of a user where only the user themselves is a member. -![permission for user](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_3-en.webp) +![permission for user](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_3-en.webp) This configuration means that the user password cannot be reset by administrators. The disadvantage is that if the password is lost there is no technical solution for "resetting" the password in the @@ -76,7 +76,7 @@ wizards. The example below shows the creation of a new organisational unit: ### Create organisational unit -![Add new organisational unit](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_4-en.webp) +![Add new organisational unit](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_4-en.webp) - **Allocated organisational unit**: If the new object is defined as a **main organisational unit**, it is not allocated to an existing organisational unit 
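Review bot: In the `@@ -26,40 +26,40 @@` hunk of organisational_structure.md, the rewritten **Reset password** bullet still reads `via[End-to-end encryption]` with no space before the link, so the rendered sentence runs the two words together. Since the line is being replaced anyway, insert the space after `via`. The new **User management** link in the same hunk also carries the misspelled directory `web_applicaiton` into an absolute path, which is worth a follow-up rename while links are being normalised.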
@@ -88,7 +88,7 @@ fields "allocated organisational unit" and also "rights template". ### Create role -![Create role](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_5-en.webp) +![Create role](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_5-en.webp) When creating a new organisational unit, the second tab in the wizard enables you to directly create a new role. This role will not only be created but also given "read permission" to the newly created @@ -96,7 +96,7 @@ organisational unit. ### Configuring rights -![Configuring rights](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_6-en.webp) +![Configuring rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organizational_structures_6-en.webp) The third tab of the wizard allows you to define the permissions for the newly created organisational unit. If an allocated organisational unit or a rights template group was defined in diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions.md index cc9d60e2bd..32433f7a57 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions.md 
@@ -6,7 +6,7 @@ If you open the permissions for an organisational structure, the currently confi will be visible. In the following example, there are a total of four roles with varying permissions for the organisational structure. -![inheriting permission](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions_1-en.webp) +![inheriting permission](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/inheriting_permissions_1-en.webp) ## Relevant rights diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md index 6db0d0092a..e5803f0e45 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md 
@@ -7,13 +7,13 @@ organisational structures. In addition, there are **two mechanisms** that direct permissions for organisational structures. 1. **Limiting visibility**: It was already explained in the section on - [Visibility](../../../permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md) + [Visibility](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md) that selectively withholding information is a very effective - [Protective mechanisms](../../../permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md). + [Protective mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md). Configuration of the visibility is carried out directly when issuing permissions to organisational structures. 2. **Inheriting permissions for records**: - [Inheritance from organisational structures](../../../permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md) + [Inheritance from organisational structures](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md) is defined as a system standard. This means that there is no difference between the permissions for an organisational structure and the permissions for data that is stored in these organisational structures. 
@@ -22,7 +22,7 @@ The way in which permissions for organisational structures are designed thus eff work with Netwrix Password Secure in many ways. The following diagram describes the above-mentioned interfaces. -![Permissions for organizational structures](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_1-en.webp) +![Permissions for organizational structures](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_1-en.webp) ## Permissions @@ -32,7 +32,7 @@ have what form of permissions for a given organisational structure. Permissions structures can be defined via the ribbon or also the context menu that is accessed using the right mouse button. A permissions tab appears: -![Permissions for OU](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_2-en.webp) +![Permissions for OU](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organizational_structures_2-en.webp) NOTE: The basic mechanisms for setting permissions is described in detail in the Authorization concept. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2.md index 09b52e6078..096bc73a33 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2.md @@ -13,7 +13,7 @@ The configuration of a new Password Reset comprises four steps. All of the neces variables for the configuration are defined in the following areas: "General", "Trigger", "Scripts" and "Linked passwords". -![configuration password reset](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_1-en.webp) +![configuration password reset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_1-en.webp) ### General @@ -43,7 +43,7 @@ applies. A new dialogue appears after the selection in which the type of system "to be reset2 can be defined. -![new script password reset](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp) +![new script password reset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp) - **Script type**: You select here from the possible script types. - **Password**: The credentials for the record that will ultimately carry out the Password Reset. 
@@ -60,4 +60,4 @@ All records that should be reset with the Password Reset according to the select listed under “Linked passwords”. Multiple objects can be entered. The linked Password Reset is also visible in the footer of the reading pane once it has been successfully configured. -![new script password reset](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp) +![new script password reset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/configuration/configuration_2-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat.md index 1f21a2caa0..879b8780b9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat.md @@ -29,7 +29,7 @@ The testing process using the heartbeat can be executed via various methods. The heartbeat is always carried out before the first resetting process using a Password Reset. After the script has run, the testing process is carried out again. Further information on this process -can also be found in the section [Rollback](../rollback/rollback.md). +can also be found in the section [Rollback](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback.md). ### Manual testing 
@@ -39,17 +39,17 @@ data**. The currently marked password is always tested. ### Automatic testing via the password settings It is also possible to configure the heartbeat to run cyclically. It can be configured either via -the [User settings](../../../mainmenu/user_settings/user_settings.md) or directly in the -[Password settings](../../passwords/password_settings.md). +the [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md) or directly in the +[Password settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings.md). ## Results of the tests The results of the test can be viewed in the **passwords module**. -![result heartbeat](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_1-en.webp) +![result heartbeat](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_1-en.webp) The date when it was last executed can be seen at the top of the -[Reading pane](../../../operation_and_setup/readingpane/reading_pane.md). The success of the testing +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md). The success of the testing process is indicated alongside using a coloured icon. Further information can be displayed by moving the mouse over the icon. 
@@ -64,4 +64,4 @@ to the one on the target system. The filter can be configured using the filter group **Status of the login data** so that the tested records can be selected. -![Filter heartbeat status](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_2-en.webp) +![Filter heartbeat status](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/heartbeat/heartbeat_2-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md index bbf73ae1c0..0669a90dea 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md 
@@ -7,13 +7,13 @@ a new and unknown value according to freely definable triggers. A trigger could interval or a certain action by the user. **The value of the password is changed in both Netwrix Password Secure and also on the target system.** -![Password reset diagram](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset_1-en.webp) +![Password reset diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset_1-en.webp) This process will be explained below using a specific example. The password for the MSSQL user has expired. The Password Reset changes the password in Netwrix Password Secure and also in the target system to a new value. -![Password reset process diagram](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset_2-en.webp) +![Password reset process diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset_2-en.webp) NOTE: If an error occurs during the execution of a password reset, the affected reset is blocked with all associated passwords. This is noted in the logbook with an entry "blocked". diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback.md index f576c8e019..e22b9ceba2 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback.md 
@@ -9,7 +9,7 @@ password is restored. The following diagram shows when and according to which criteria a rollback is initiated: -![rollback run](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback_1-en.webp) +![rollback run](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/rollback/rollback_1-en.webp) ## Procedure diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/scripts.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/scripts.md index 062856aeae..fa1920b2f0 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/scripts.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/scripts.md 
@@ -10,25 +10,25 @@ system. This password thus requires administrative rights to the target system. A delay can also be configured in every script. This may be necessary, for example, if a password is changed in AD and it is firstly distributed to other controllers. -![new script](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_1-en.webp) +![new script](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_1-en.webp) ## Active Directory Password Reset This script is responsible for changing passwords for Active Directory users (domain users). Access to Active Directory is configured here under **Hostname**. -![Active Directory Password Reset](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_2-en.webp) +![Active Directory Password Reset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_2-en.webp) ## Service accounts This script changes the access data within a service. Both the user and also the password can be changed. The **host name** – i.e. the target computer – and the **service name** are saved here. -![Service accounts scripts](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_3-en.webp) +![Service accounts scripts](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_3-en.webp) Please note that the **display name** for the **service** needs to be used. 
-![display name service](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_4-en.webp) +![display name service](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_4-en.webp) The access data in the associated password can be saved as follows: 
@@ -45,25 +45,25 @@ The access data in the associated password can be saved as follows: This script can be used to reset the passwords for local Windows users. Only the **host name** needs to be saved here. -![Windows user script](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_5-en.webp) +![Windows user script](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_5-en.webp) ## Linux user Linux users can also be reset in the same way as Windows users. It is also only necessary to enter the **host name** and the **port** here. -![Linux user script](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_6-en.webp) +![Linux user script](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_6-en.webp) ## MSSQL user This script resets passwords for local MSSQL users. It is only necessary to enter the **MSSQL instance** and the **port**. -![MSSQL user script](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_7-en.webp) +![MSSQL user script](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_7-en.webp) The name of the MSSQL instance can be taken from the login window for the SQL Management Studio. 
-![MSSQL user script](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_8-en.webp) +![MSSQL user script](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_8-en.webp) If a domain user is being used to log in to the SQL server, the user needs to be managed via the script **Active Directory user**. @@ -73,4 +73,4 @@ script **Active Directory user**. The passwords for users of Windows Task Scheduler can be changed using this script. The **host name** of the computer on which the task will run and the **name** of the task itself are entered. -![planned task](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_9-en.webp) +![planned task](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/password_safe_scripts_9-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md index 4e59c1d81d..3cb25cce66 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/user-defined_scripts/user-defined_scripts.md 
@@ -2,7 +2,7 @@ ## Individual solutions using your own scripts -If your requirements cannot be met using the [Scripts](../scripts/scripts.md), it is also possible +If your requirements cannot be met using the [Scripts](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/scripts/scripts.md), it is also possible to create your own Powershell scripts. These scripts need to meet certain requirements to be used in Netwrix Password Secure. @@ -21,7 +21,7 @@ The PowerShell scripts must have the following structure: Netwrix Password Secure always calls the RunScript function. -[Copy]() +[Copy](javascript:void(0);) ``` function RunScript @@ -52,7 +52,7 @@ It is important in this case that you provide Netwrix Password Secure with feedb been changed via a **Write-Output**. The following example simply uses the outputs **true** or **false**. However, it is also conceivable that an error message or similar is output. -[Copy]() +[Copy](javascript:void(0);) ```     $scriptBlock = {param ($UserName, $Password) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords.md index 9d690ddfb8..79ded81f02 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords.md 
@@ -20,7 +20,7 @@ When creating a new record, it is possible to select from all the forms for whic has the required permissions. To make the selection process as easy as possible, a preview of the form fields included in the form is shown on the right hand side. -![Select form](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_1-en.webp) +![Select form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_1-en.webp) In this example, you can see that the "Password" form marked on the left contains three form fields "Name", "User name" and "Password". Forms thus act as **templates** according to which their 
@@ -34,14 +34,14 @@ corresponding form fields for the previously selected form can now be filled. Pa deserve special mention here because they can be handled differently based on password rules. The record can be saved via the ribbon when all fields have been filled. -![new record](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_2-en.webp) +![new record](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_2-en.webp) ## Validity and tags Irrespective of the selected form, it is always possible to define the validity and tags for a record. Both values are optional. -![Validity and tags](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_3-en.webp) +![Validity and tags](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_3-en.webp) - The **validity** defines an end date until which the record is valid. This information can be evaluated e.g. in the logbook or in reports. It is thus possible to create a list of all expired 
@@ -58,7 +58,7 @@ that **manual setting of permissions is only possible after saving** a record. A are set before the record is saved. In this context, the selection of the organisational structure and the permissions for a record are important aspects. -![permissions new record](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_4-en.webp) +![permissions new record](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords_4-en.webp) - **Manual setting of permissions**: If you want to manually set permissions for the record, select the organisational structure in which the record should be saved. After saving the record, the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions.md index afd653ad1a..8ab83b834e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions.md 
@@ -21,12 +21,12 @@ The following options are required to view "inherit" and "overwrite" icons. The associated form field permissions for the marked record can be opened via the ribbon using the drop-down menu under "Permissions". -![form field permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions_1-en.webp) +![form field permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions_1-en.webp) The window that opens allows you to select the relevant form field for which you want to grant permissions. The following example focuses on the password field. -![permissions of password field](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions_2-en.webp) +![permissions of password field](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions_2-en.webp) The permissions configured here now exclusively apply to the password field. The other form fields remain unaffected. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/history.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/history.md index 9a97315b05..5c058da5ec 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/history.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/history.md 
@@ -13,24 +13,24 @@ is thus an indispensable component of every security concept. The optional footer area can be used to already display the history when in the reading pane. All of the historical entries are listed and sorted in chronological order. -![history in footer](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_1-en.webp) +![history in footer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_1-en.webp) The different versions are displayed one below the other on the left. The info for each respective version can then be seen alongside on the right. A quick view can be displayed via the **History** in the ribbon or via a double click. -![quick view history](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_2-en.webp) +![quick view history](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_2-en.webp) ## Detailed history in the Extras The detailed history for the record marked in list view can be called up in the Start/Extras tab. -![History](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_3-en.webp) +![History](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_3-en.webp) The history for the marked record opens in a separate tab. In list view, all of the available versions with the date and time of their last change are sorted in chronological order. 
-![history list view](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_4-en.webp) +![history list view](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_4-en.webp) ## Comparison of versions @@ -38,11 +38,11 @@ At least two versions need to be selected in order to carry out a comparison. In first version and then add another version via the “Add” button on the right of the reading pane to compare with the first one. -![comparison of history versions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_5-en.webp) +![comparison of history versions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_5-en.webp) If deviations exist between the two versions, these will be highlighted in color. -![difference between password history](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_6-en.webp) +![difference between password history](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/history_6-en.webp) ## Restoring versions diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords.md index 8f6126347c..4740cab124 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords.md 
@@ -12,7 +12,7 @@ search functions for records. The (marked) records are moved either via the ribbon or via the context menu that is accessed using the right mouse button. -![moving password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_1-en.webp) +![moving password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_1-en.webp) Multiple records can also be marked and moved. The selected permissions are then valid for all records in this case. @@ -22,11 +22,11 @@ records in this case. No special user rights/settings are required in order to move records. The “move” right for the record is the only deciding factor. -![required permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_2-en.webp) +![required permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_2-en.webp) ## Effects on existing permissions -![effects on existing permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_3-en.webp) +![effects on existing permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/moving_passwords_3-en.webp) - **Retain permissions**: The permissions for the record are not changed by moving it and are retained diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings.md index e6af3deb2f..d9a38af80d 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings.md @@ -5,7 +5,7 @@ The password settings can be used to define a diverse range of options. These can be found in the ribbon in the subsection “Extras”. The settings open up in a new tab. -![password settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings_1-en.webp) +![password settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/password_settings_1-en.webp) ### Category: Browser diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md index ce659c9bd9..644dc422a7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md @@ -9,7 +9,7 @@ combination with color-highlighted tags enable very focussed work. Various appro help apply the desired permissions to objects. Furthermore, the ergonomic structure of the module helps all users to use Netwrix Password Secure in an efficient and targeted manner. -![Password modul](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_1-en.webp) +![Password modul](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_1-en.webp) ## Prerequisite 
@@ -24,7 +24,7 @@ within the "Passwords" module, the ribbon plays a key role due to the numerous m functions. General information on the subject of the ribbon is available in the relevant section. The module-specific ribbon functions will be explained below. -![ribbon functions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_2-en.webp) +![ribbon functions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_2-en.webp) ### New @@ -38,7 +38,7 @@ The module-specific ribbon functions will be explained below. passwords in the reading pane will be revealed. In the example, the passwords have been revealed and can be hidden again with the **Hide** button. -![hide password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_3-en.webp) +![hide password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_3-en.webp) ### Actions @@ -68,7 +68,7 @@ The module-specific ribbon functions will be explained below. The clipboard is a key element in the ribbon. This only exists in the "Passwords" module. **Clicking on the desired form field for a record in the ribbon** will copy it to the clipboard. -![Clipboard](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_4-en.webp) +![Clipboard](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_4-en.webp) The message in the style of the "Balloon Tips" in Windows shows that the password has now been saved in the clipboard for 300 seconds. (Note: the time until the clipboard is cleared is 60 seconds by 
@@ -90,7 +90,7 @@ via RDP, SSH, general Windows applications or websites. This makes it possible t - **Create external link**: This option creates an external link for the record marked in list view. A number of different options can be selected: -![external link](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_5-en.webp) +![external link](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords_5-en.webp) **CAUTION:** If several sessions are opened on a client, an external link is always called in the first session. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/recycle_bin.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/recycle_bin.md index ed872a7bf8..934b5d6616 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/recycle_bin.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/recycle_bin.md 
@@ -8,13 +8,13 @@ To put passwords into the recycle bin there are 2 possible procedures. Select th to delete and click on **Move to bin (1)** or right-click on the passwords and select **Move to bin(2)**. -![bin_2](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/bin_2.webp) +![bin_2](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/bin_2.webp) You will then be asked if you actually want to perform this action. -![bin_3](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/bin_3.webp) +![bin_3](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/bin_3.webp) ## Managing the Recycle Bin The management of the recycle bin can be found in chapter -[Bin](../../mainmenu/extras/trash/trash.md). +[Bin](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/trash.md). diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords.md index 46301bc5e3..74e2ef6308 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords.md 
@@ -19,7 +19,7 @@ thus be deduced that the user has at least a read right for the record. As can b authorization concept, the user thus also generally has a read right to the password itself. This means the user can view the value of the password using the "reveal" function. -![Show password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords_1-en.webp) +![Show password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords_1-en.webp) ## Revealing passwords – diagram @@ -28,7 +28,7 @@ this process. It creates the **incorrect** impression that the client already ha only needs to reveal it. However, the processes running in the background until the password are revealed are much more complex and will thus be described below. -![revealing password diagram](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords_2-en.webp) +![revealing password diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/passwords/revealing_passwords_2-en.webp) ### Saving the password on the server diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md index b89f8fdfc3..cf348b3e25 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md 
@@ -10,7 +10,7 @@ the visibility of the role management. It is also possible to delegate the manag or separate areas completely to third parties via the role concept. The authorization concept ensures that users are only granted access to those roles to which they are entitled. -![Roles module](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_1-en.webp) +![Roles module](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_1-en.webp) ## Relevant rights @@ -28,7 +28,7 @@ could also be set at a user level. However, the use of roles can dramatically re administrative workload, and it helps to keep an overview. In addition to the authorizations for data, user rights are also mapped in the best case via roles. -![Permissions meaning for Roles](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_2-en.webp) +![Permissions meaning for Roles](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_2-en.webp) Roles are the central objects within Netwrix Password Secure. They form the indispensable bridge between users and authorizations of any kind. 
@@ -36,14 +36,14 @@ between users and authorizations of any kind. ## Creating and granting permissions for new roles If you are in the **roles module**, the process for creating new roles is the same as for -[Creating new passwords](../passwords/creating_new_passwords.md). Roles can be created via the +[Creating new passwords](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/creating_new_passwords.md). Roles can be created via the ribbon and also via the context menu that is accessed using the right mouse button. -![creating new role](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_3-en.webp) +![creating new role](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_3-en.webp) ## Planning phase -Just like the [Organisational structure](../organisationalstructures/organisational_structure.md), +Just like the [Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md), you should also familiarize yourself with the intended role concepts. The mapping of structures present in a company is the starting point for the success of Netwrix Password Secure. You should design the roles in Netwrix Password Secure only once a detailed design has been drawn up, and all 
@@ -63,11 +63,11 @@ NOTE: This architecture makes nesting of roles obsolete. As well as being able to view the **members** in the permissions dialogue, a list of all members for a role is already made available in the -[Reading pane](../../operation_and_setup/readingpane/reading_pane.md). All of the other users with +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md). All of the other users with permissions but without membership of the role are not taken into account. -![role overview](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_4-en.webp) +![role overview](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/clientmodule/roles/roles_4-en.webp) NOTE: The roles module is based on the -[Roles module](../../../web_applicaiton/functional_scope/roles_module/roles_module.md) of the Web +[Roles module](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/roles_module/roles_module.md) of the Web Application. Both modules have a different scope and design but are almost identical to use. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md index d1ca5b5d0c..0583a12eb1 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md 
@@ -3,17 +3,17 @@ ## What is an account? Users can configure all user-specific information in their account. It should be noted that if the -[Masterkey mode](../../clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md) +[Masterkey mode](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md) process is used, user data will always be taken from Active Directory – editing this information in Netwrix Password Secure is thus not possible. -![account](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/account/installation_with_parameters_123-ewn.webp) +![account](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/account/installation_with_parameters_123-ewn.webp) ## Edit profile All of the information in the contact and address sections can be defined under “Edit profile”. Some areas of the profile overlap with the **management of users.** This information is explained in -[Managing users](../../clientmodule/organisationalstructures/managingusers/managing_users.md). +[Managing users](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/managingusers/managing_users.md). NOTE: No changes can be made to users that were imported from AD using Master Key mode. In this case, all information will be imported from AD. 
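Review bot: the image target in account.md (hunk -3,17) ends in `installation_with_parameters_123-ewn.webp`, while the other localized screenshots in this patch use an `-en` suffix. The old relative path carried the same name, so this may be how the file is stored, but with the move to an absolute `/img/...` path please confirm the asset exists under that exact name, or rename the file and the reference together.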
@@ -45,9 +45,9 @@ terminated. Multifactor authentication provides additional protection through a second login authentication using a hardware token. The configuration is carried out via the ribbon in the “Security” section. See also in -[Multifactor authentication](../../clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md) +[Multifactor authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/multifactorauthentication/multifactor_authentication.md) -![installation_with_parameters_124](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/account/installation_with_parameters_124.webp) +![installation_with_parameters_124](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/account/installation_with_parameters_124.webp) #### Configure autologin diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/administration/administration.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/administration/administration.md index a835df3636..96c24f9351 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/administration/administration.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/administration/administration.md 
@@ -5,7 +5,7 @@ Via the menu item **Sessions**, all users connected to the database can be displayed. This page is purely informative in character and thus no configurations can be made here. -![installation_with_parameters_120](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_120.webp) +![installation_with_parameters_120](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_120.webp) The session view starts in the currently active module in a separate tab. @@ -19,7 +19,7 @@ All currently locked users can also be retrieved. There are two scenarios here: In addition, the number of attempted logins and the length of time that the user was locked in each case can be seen. -![installation_with_parameters_121](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_121.webp) +![installation_with_parameters_121](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_121.webp) #### Default password rules @@ -27,7 +27,7 @@ Password rules can be defined for both user passwords and also for WebViewer exp to be fulfilled. In the following example, a user password must correspond to the “default password” rule in order to be valid -![Standard password rule](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_122-en_677x129.webp) +![Standard password rule](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/administration/installation_with_parameters_122-en_677x129.webp) #### Relevant right 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export.md index 318edfd300..f3077f8029 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export.md 
@@ -3,23 +3,23 @@ ## What is an export? An export is used for extracting the data saved in the MSSQL database. Both selective (manual) and -automated [System tasks](../extras/system_tasks/system_tasks.md) can extract information from +automated [System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md) can extract information from Netwrix Password Secure in this manner. **CAUTION:** Please note that extracting passwords is always associated with a weakening of the security concept. The informative value of the logbook will suffer when data is exported because the revision of this data will no longer be logged. This aspect needs to be taken into account particularly in conjunction with the Netwrix Password Secure -[Export wizard](export_wizard/export_wizard.md) because the export result is not separately secured +[Export wizard](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/export_wizard.md) because the export result is not separately secured by a password. The export function is accessed via the Main menu/Export. There are two fundamental types of export – the WebViewer export and the export wizard. However, the latter is divided into four subcategories. -![installation_with_parameters_63](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/installation_with_parameters_63.webp) +![installation_with_parameters_63](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/installation_with_parameters_63.webp) -The [HTML WebViewer export](html_webviewer-export/html_webviewer_export.md) creates a HTML file +The [HTML WebViewer export](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md) creates a HTML file protected by a password. 
In contrast, the export wizard creates an open and unprotected .csv file. ## Requirements @@ -31,7 +31,7 @@ rights - **The permissions for the record:** The permissions for the record define whether a record can be exported -![Export in the ribbon](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/installation_with_parameters_64-en.webp) +![Export in the ribbon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/installation_with_parameters_64-en.webp) In this example, the marked role IT employee does not have the required permissions to export the record. In contrast, the IT manager does have the required permissions. In addition, the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/export_wizard.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/export_wizard.md index bfcc68ca3a..436c9074f7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/export_wizard.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/export_wizard.md @@ -4,7 +4,7 @@ There are a total of four different export wizards. -![installation_with_parameters_74_548x283](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_74_548x283.webp) +![installation_with_parameters_74_548x283](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_74_548x283.webp) The functionality of these wizards only differs based on the data to be exported. A distinction is made between passwords, organisational structures, forms and applications. **As all four wizards are 
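Review bot: the rewritten image line in export_wizard.md (hunk -4,7) keeps the file name, pixel dimensions included, as its alt text: `installation_with_parameters_74_548x283`. Since the line is being touched, give it a descriptive label that matches the sentence above it, for example `The four export wizards`.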
@@ -14,7 +14,7 @@ remaining three wizards function in the same way. ## What is the password export wizard? This wizard allows records to be exported in standard.csv format. In contrast to the -[HTML WebViewer export](../html_webviewer-export/html_webviewer_export.md), the resulting file is +[HTML WebViewer export](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md), the resulting file is not protected by a password. It goes without saying that this feature must be used carefully. ## Starting the password export wizard @@ -25,10 +25,10 @@ The export wizard can be accessed in a variety of different ways: for which the registered user has the required permissions. If the user is an administrator with permissions for all records, the export will include all passwords in the database. - **Starting via the ribbon:** The export can also be started via the - [Ribbon](../../../operation_and_setup/ribbon/ribbon.md) in the - [Passwords](../../../clientmodule/passwords/passwords.md) module. + [Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md) in the + [Passwords](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md) module. -![Export ribbon](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_75-en.webp) +![Export ribbon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_75-en.webp) The password export wizard can be started via the ribbon in two ways. **Selected passwords** exports only those passwords marked in list view, whereby **Passwords based on the filter** uses the 
@@ -39,7 +39,7 @@ The wizard A diverse range of variables for the export and the storage location can be defined in the wizard. A corresponding preview is also provided. -![installation_with_parameters_76](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_76.webp) +![installation_with_parameters_76](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/export_wizard/installation_with_parameters_76.webp) Once the wizard has been completed, the desired export is created and saved to the defined storage location. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md index 41c0121b6c..edea9e5349 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/html_webviewer_export.md @@ -4,7 +4,7 @@ The **WebViewer** is an option inNetwrix Password Secure for exporting passwords in an encrypted **HTML file**. The records are selected using the -[Filter](../../../operation_and_setup/filter/filter.md) function. The passwords for which the user +[Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md) function. The passwords for which the user has the corresponding permissions are exported. They are displayed in a current browse that has **JavaScript activated**. 
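Review bot: the context around the changed Filter link in html_webviewer_export.md (hunk -4,7) has two typos that are worth fixing in the same pass: `inNetwrix Password Secure` is missing a space, and `displayed in a current browse` should read `browser`. This paragraph tells users how an encrypted password export is opened, so it should read cleanly.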
@@ -12,7 +12,7 @@ has the corresponding permissions are exported. They are displayed in a current - Naturally, the HTML WebViewer file is **encrypted** - The export of the file is protected using a corresponding - [User rights](../../user_rights/user_rights.md) + [User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md) - The user requires the **export right** for the passwords ## Required rights @@ -25,14 +25,14 @@ User right The **export right** for the password is configured as normal via the ribbon: -![installation_with_parameters_65](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_65.webp) +![installation_with_parameters_65](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_65.webp) ## Exporting a HTML file The **HTML file** is created on the user\*s client and started in the **Main menu** under **Export WebViewer**. -![installation_with_parameters_66](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_66.webp) +![installation_with_parameters_66](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_66.webp) The **HTML WebViewer Wizard** carries out the \* WebViewer export\*. 
@@ -56,20 +56,20 @@ here. Export **WebViewer** with **user password** or new freely **definable password**: You can decide here whether to issue a new password for the export. -![installation_with_parameters_67](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_67.webp) +![installation_with_parameters_67](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_67.webp) - WebViewer export with an Active Directory user If an **Active Directory user** is carrying out the **WebViewer** export, a **password** needs to be explicitly entered. -![installation_with_parameters_68](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_68.webp) +![installation_with_parameters_68](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_68.webp) ###### Export filter The export filter works in the same way as the filters for the modules. -![installation_with_parameters_69](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_69.webp) +![installation_with_parameters_69](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_69.webp) #### Finish 
@@ -78,11 +78,11 @@ The information about the exported passwords is displayed in the **Finish** ribb button will then create the **HTML** **file** in the export path and close the window. -![installation_with_parameters_70](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_70.webp) +![installation_with_parameters_70](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_70.webp) A subsequent note provides you with information about the export process. -![installation_with_parameters_71](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_71.webp) +![installation_with_parameters_71](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_71.webp) ## Using the HTML WebViewer file @@ -97,7 +97,7 @@ name** are predefined. The user \*password is used for the login. 2. User: Predefined 3. Password: Entered by the user -![Login HTML WebViewer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_72-en.webp) +![Login HTML WebViewer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_72-en.webp) ###### Overview 
@@ -112,7 +112,7 @@ NOTE: Use the password search function in the event of more than 20 passwords! 4. Copytoclipboard 5. Reveal -![Entry in HTML WebViewer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_73-en.webp) +![Entry in HTML WebViewer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/export/html_webviewer-export/installation_with_parameters_73-en.webp) #### Closing the HTML WebViewer overview diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md index 6d216782fd..b9c558023b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md 
@@ -6,12 +6,12 @@ Netwrix Password Secure provides a diverse range of supporting features that do added value but mostly build on existing approaches and expand their functionalities. They are work-saving features that in total simplify the process of working with Netwrix Password Secure. -![installation_with_parameters_77_517x414](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/installation_with_parameters_77_517x414.webp) +![installation_with_parameters_77_517x414](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/installation_with_parameters_77_517x414.webp) -- [Password rules](password_rules/password_rules.md) -- [Password generator](password_generator/password_generator.md) -- [Reports](reports/reports.md) -- [System tasks](system_tasks/system_tasks.md) -- [Seal templates](seal_templates/seal_templates.md) -- [Tag manager](tag_management/tag_manager.md) -- [Image management](image_management/image_manager.md) +- [Password rules](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md) +- [Password generator](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md) +- [Reports](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md) +- [System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md) +- [Seal templates](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md) +- [Tag manager](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md) +- [Image management](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md) 
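Review bot: every link in the list in extras.md (hunk -6,12) changes from a sibling-relative target such as `password_rules/password_rules.md` to an absolute one that hard-codes the version, `/docs/passwordsecure/9.2/...`. A relative link keeps resolving inside whatever tree it is copied to; the absolute form will keep pointing at 9.2 from any copy made for a later version. If the build requires absolute paths, please state that in the README and add a link check that flags cross-version targets; otherwise keep same-directory links relative.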
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md index 858b10749b..5fa988a13b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md @@ -6,7 +6,7 @@ All logos and icons are managed in the image management. They can then be linked corresponding data records. The images are then displayed in the Basic view as well as in the list view of the client. -![Icon/logos in NPS](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_106-en.webp) +![Icon/logos in NPS](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_106-en.webp) ## Relevant rights 
@@ -38,14 +38,14 @@ NOTE: If there are several deposited, always use the first one. 2. Manual filing -In the main menu in [Extras](../extras.md) you can find the image management. Here, you have the +In the main menu in [Extras](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md) you can find the image management. Here, you have the possibility to store icons and logos manually. -![Image management](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_107-en.webp) +![Image management](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_107-en.webp) Click on the + symbol to open the mask for creating images. -![add image](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_108-en.webp) +![add image](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/installation_with_parameters_108-en.webp) - **Name** Name the picture here. @@ -55,7 +55,7 @@ Click on the + symbol to open the mask for creating images. password name -> names of connected applications - **Applications**: URL stored in the application -> attached tags -> application name -- ![icon_open_folder](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/icon_open_folder.webp) +- ![icon_open_folder](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/icon_open_folder.webp) This symbol can be used to upload locally saved icons and logos. NOTE: Please note that the icons and logos are not stored locally, but in the database. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md index b7da714f7c..a29f53ec93 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md @@ -7,7 +7,7 @@ The complexity of passwords is generally determined by their randomness. In orde indispensable. The password generator performs this function and is completely integrated into the software. -![installation_with_parameters_82](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_82.webp) +![installation_with_parameters_82](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_82.webp) ## Opening the password generator 
@@ -16,7 +16,7 @@ The password generator can be opened in different ways: - **Main menu/Extras/Password generator:** Here, the password generator is accessed directly. Passwords generated in the password generator can be copied to the clipboard. -![Password generator](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_83-en.webp) +![Password generator](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_83-en.webp) - **When creating new records:** Once the password field has been selected in the reading pane, the password generator can then be directly opened in the “Form field” tab via the ribbon. Passwords @@ -42,11 +42,11 @@ syllables and the total length are defined in this case. Options that can be set are how the syllables are separated and whether to use LeetSpeak. -![installation_with_parameters_84](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_84.webp) +![installation_with_parameters_84](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/installation_with_parameters_84.webp) Password rule -Already defined[Password rules](../password_rules/password_rules.md) can be utilised for the +Already defined[Password rules](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md) can be utilised for the automatic generation of new passwords ## Multigenerator 
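Review bot: In the last hunk of password_generator.md (@@ -42,11), the rewritten line still reads `Already defined[Password rules](...)` with no space between "defined" and the link, so the rendered sentence runs the word into the link text. The line is being replaced anyway, so insert the space (`Already defined [Password rules](...)`). The sentence also has no closing full stop on the unchanged line that follows, which could be fixed in the same pass.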
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md index 78d5ae65a1..b583af30c6 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md @@ -7,7 +7,7 @@ complex and be automatically created. Rules set guidelines that can be made bind meaning that the use of passwords with a certain level of complexity is enforced. Existing rules can also be reused in other areas. -![Password rules](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_97-en.webp) +![Password rules](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_97-en.webp) ## Relevant right 
@@ -22,11 +22,11 @@ User right If “Password rules” is selected under Main menu/Extras, the available password rules will appear in a separate tab in the currently active module. -![installation_with_parameters_98](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_98.webp) +![installation_with_parameters_98](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_98.webp) In this screenshot, a total of 3 password rules are shown. As the rule “Very secure password” has -been selected in [List view](../../../operation_and_setup/listview/list_view.md), the -[Reading pane](../../../operation_and_setup/readingpane/reading_pane.md) on the right displays the +been selected in [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md), the +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md) on the right displays the configuration for this rule: - **General:** The Password length of 25 is the minimum number of characters that a password needs @@ -46,7 +46,7 @@ configuration for this rule: Once password rules have been defined, they can be productively used in two different ways: -- Use within the [Password generator](../password_generator/password_generator.md) +- Use within the [Password generator](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_generator/password_generator.md) - Default for the password field in a form: When a password field is defined in a form, one of the defined password rules can be set as the 
@@ -54,13 +54,13 @@ default. This means that the default will always be used when a new password is way, it is possible to ensure that the required level of complexity is maintained for certain passwords. -![installation_with_parameters_99](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_99.webp) +![installation_with_parameters_99](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_99.webp) If one of these password rules is defined for a form, it is only possible to define a new random value for the password if a new password is created. The icon on the right hand side of the password field is used for this purpose. -![installation_with_parameters_100](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_100.webp) +![installation_with_parameters_100](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/installation_with_parameters_100.webp) ## Defining standard rules for user passwords diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md index e7ff0b0406..e91856b412 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md 
@@ -4,14 +4,14 @@ Comprehensive reporting is an important component of the ongoing monitoring of processes in Netwrix Password Secure. Similar to selectively configurable -[Notifications](../../../clientmodule/notifications/notifications.md), reports also contain +[Notifications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md), reports also contain information that can be selectively defined. The difference is mainly the trigger. Notifications are linked to an event, which acts as the trigger for the notification. In contrast, reports enable tabular lists of freely definable actions to be produced at any selected time – the trigger is thus the creation of a report. This process can also be automated via -[System tasks](../system_tasks/system_tasks.md). +[System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md). -![reports](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_78-en.webp) +![reports](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_78-en.webp) NOTE: Reports only ever contain information for which the user has the required permissions. 
@@ -19,11 +19,11 @@ A separate tab for managing existing reports and creating new reports can be ope module via the Main menu/Extras/Reports. The module in which the report is opened is irrelevant, the contents are always the same. -![installation_with_parameters_79](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_79.webp) +![installation_with_parameters_79](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_79.webp) The filter on the left has no relevance in relation to reports. Although reports can also be “tagged” in theory, filtering has no effect on the reports. In -[List view](../../../operation_and_setup/listview/list_view.md), there are currently three +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md), there are currently three configured report requests shown. #### Creating a report request @@ -33,7 +33,7 @@ accessed using the right mouse button. The form for creating a new report reques separate tab. Alongside a diverse range of variables, the report type can be defined using a drop-down list. There are currently dozens of report types available. -![installation_with_parameters_80](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_80.webp) +![installation_with_parameters_80](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_80.webp) The filter can be used to define the scope of the report e.g. to focus on a certain OU or simply a selection of tags. Once saved, the report will now be shown in the list of report requests. 
@@ -43,7 +43,7 @@ selection of tags. Once saved, the report will now be shown in the list of repor You can now create a manual report via the ribbon. This will open in a separate tab and can be displayed in the default web browser if desired. -![installation_with_parameters_81](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_81.webp) +![installation_with_parameters_81](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/installation_with_parameters_81.webp) Automated sending of reports via system tasks diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md index 27079dfc04..e39f05943a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md 
@@ -3,14 +3,14 @@ ## What are the seal templates? The configuration of -[Seals](../../../permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) must be +[Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) must be well-thought-out and error-free. It is absolutely essential to save the once-invested effort in the form of seal templates. The automation of ever-recurring tasks will, in this context, extremely speed up the timing of the work. Once defined, templates can be attached to data records in a few simple steps. The adaptation of already created stencils is presented in the seal templates as clear and very fast. -![Seal templates](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_101-en.webp) +![Seal templates](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_101-en.webp) NOTE: A separate tab opens in the active module in order to edit the default templates @@ -23,6 +23,6 @@ this way are listed in the overview of the seal templates. Furthermore, it is po existing templates directly or create new ones via the button in the ribbon. This is done in the same way as the seal assistant. -![installation_with_parameters_102](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_102.webp) +![installation_with_parameters_102](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/installation_with_parameters_102.webp) Once templates have been added, they can be immediately used for the creation of new seals. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md index b228071d1e..e41f4aaa70 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency_webviewer.md @@ -3,7 +3,7 @@ ## What is an Emergency WebViewer export? Safeguarding data is essential and this should be carried out using -[Backup management](../../../../../server_manager/main_menu/backup_settings/backup_management/backup_management.md). +[Backup management](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md). However, a backup is not sufficient in some cases e.g. if a backup cannot be directly restored due to a hardware problem. In these cases, **Netwrix Password Secure** offers the backup feature **Emergency WebViewer Export**. @@ -15,7 +15,7 @@ the core system of the backup mechanism. ## Creation of the file and key The **Emergency WebViewer Export** is created in Netwrix Password Secure as a -**[System tasks](../system_tasks.md)** and this task can be used to guarantee a regular backup of +**[System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md)** and this task can be used to guarantee a regular backup of the records (passwords) by entering an interval. When setting up the system task, the user thus defines the cycle at which the **Emergency WebViewer.html file** is created on the Server Manager. The existing file is overwritten in each case by the latest version at the defined interval. The 
@@ -30,7 +30,7 @@ a secure medium (USB stick, HDD, CD/DVD, …) and kept in a secure location! • Naturally, the HTML WebViewer file is encrypted • The export of the file is protected using a corresponding -[User rights](../../../user_rights/user_rights.md) +[User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md) • The file can only be encrypted using the **PrivateKey.prvkey** file @@ -40,7 +40,7 @@ a secure medium (USB stick, HDD, CD/DVD, …) and kept in a secure location! The user requires the following right to create a **Emergency WebViewer Export system task:** -![installation_with_parameters_89](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_89.webp) +![installation_with_parameters_89](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_89.webp) ## Emergency WebViewer.html and PrivateKey.prvkey 
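Review bot: In emergency_webviewer.md (@@ -40,7), the right a user needs in order to create the Emergency WebViewer Export system task is conveyed only by the screenshot, and the rewritten image line keeps the alt text `installation_with_parameters_89`, which says nothing about that right. While the path is being changed, give the image a descriptive alt text or name the required right in the sentence above it. That keeps the permission requirement readable when the image fails to load and makes it searchable as text.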
@@ -54,25 +54,25 @@ The **Emergency WebViewer Export** creates two associated files. The Emergency WebViewer Export is set up as a **system task**. It can be called up in the main menu under **Extras -> System Tasks**. -![installation_with_parameters_90_831x487](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_90_831x487.webp) +![installation_with_parameters_90_831x487](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_90_831x487.webp) ## Creating a Emergency WebViewer Export file Clicking on New opens a new window and the **Emergency WebViewer Export** can be selected. The **configuration page** is then displayed. -![installation_with_parameters_91_578x390](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_91_578x390.webp) +![installation_with_parameters_91_578x390](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_91_578x390.webp) It is not possible to use the **Emergency WebViewer Export** with an **Active Directory user.** -![installation_with_parameters_92_467x103](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_92_467x103.webp) +![installation_with_parameters_92_467x103](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_92_467x103.webp) ## Configuration page for the Emergency WebViewer Export task A new tab is displayed: **New emergency 
HTML WebViewer export task** This now needs to be configured in accordance with the requirements. -![new emergend HTML](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_93-en_925x527.webp) +![new emergend HTML](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_93-en_925x527.webp) 1. **General** Name: Enter a unique name Description: Enter additional information Status: Execution: \*Activated\*/Deactivated @@ -93,7 +93,7 @@ the **System Tasks** tab. The user has the option of checking the data here -![installation_with_parameters_94_914x671](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_94_914x671.webp) +![installation_with_parameters_94_914x671](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_94_914x671.webp) ## Using the Emergency WebViewer.html file @@ -123,7 +123,7 @@ Login data - Password: User password (must be entered by the user) - Key: PrivateKey.prvkey -![emergency-webviewer](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency-webviewer.webp) +![emergency-webviewer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/emergency-webviewer.webp) ## Overview 
@@ -133,7 +133,7 @@ export. The passwords are now available to the user. Overview: Emergency HTML WebViewer / passwords -![password in emergency webviewer](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_96-en.webp) +![password in emergency webviewer](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/emergency_webviewer/installation_with_parameters_96-en.webp) The following data is displayed in the overview: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md index 8ae07de0d1..9d1bc5e6e7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md @@ -5,7 +5,7 @@ Netwrix Password Secure supports administrators and users by automating repetitive tasks. These are represented as system tasks. Predefined tasks can thus be carried out at freely defined intervals. -![System Tasks](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_85-en.webp) +![System Tasks](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_85-en.webp) ## Relevant rights 
@@ -38,7 +38,7 @@ System tasks can be initiated as usual via the ribbon or also the context menu t using the right mouse button. The desired process to be automated using system tasks is then selected from the four above-mentioned work processes. -![installation_with_parameters_86](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_86.webp) +![installation_with_parameters_86](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_86.webp) Naturally, the four work processes also share some similarities in their configuration. @@ -55,7 +55,7 @@ The differences between the four work processes to be automated are described be differences are always part of the task settings within the system task form – the example here shows an HTML WebViewer export to be configured. -![installation_with_parameters_87](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_87.webp) +![installation_with_parameters_87](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_87.webp) WebViewer generator @@ -89,4 +89,4 @@ Status A corresponding note will be displayed to indicate if a task is currently being executed. -![installation_with_parameters_88](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_88.webp) +![installation_with_parameters_88](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/installation_with_parameters_88.webp) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md index 50da2d891f..c22d1159be 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/tag_manager.md 
@@ -4,18 +4,18 @@ All existing tags can be viewed, edited and deleted directly in the tag manager. This can be achieved via the filter, within the “Edit mode” of a data set as well as via the main menu under the -group [Extras](../extras.md). +group [Extras](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md). -![how to open the tag manager](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_103-en.webp) +![how to open the tag manager](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_103-en.webp) -![Tag management](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_104-en.webp) +![Tag management](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_104-en.webp) The tag manager itself is a clearly structured tool with which you can view and edit all relevant information. The colours can also be assigned here. The “Number used” column indicates how often an object has been tagged with the tag. In this way, you can keep track of and remove tags that are no longer needed. -![All tags](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_105-en.webp) +![All tags](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/tag_management/installation_with_parameters_105-en.webp) ## Relevant rights 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/trash.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/trash.md index b1d0f9ee46..9b1d4cfe97 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/trash.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/trash.md @@ -7,7 +7,7 @@ entitled are displayed. The following functions are available: -![bin_4](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/bin_4.webp) +![bin_4](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/extras/trash/bin_4.webp) - **Restore**: The selected passwords are restored. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/import/import.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/import/import.md index 217ee29a3a..8fc9a7858c 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/import/import.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/import/import.md 
@@ -6,14 +6,14 @@ If another password management tool was used before Netwrix Password Secure, the imported into Netwrix Password Secure. The formats .csv and especially Keepass (.xml) are supported. Both variants can be set up in the import wizard, which is started via the Main menu/Import. -![Import](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_57-en.webp) +![Import](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_57-en.webp) ## Requirements Whether the user is permitted to import data is controlled by the corresponding -[User rights](../user_rights/user_rights.md). +[User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md). -![installation_with_parameters_58](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_58.webp) +![installation_with_parameters_58](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_58.webp) ## The import wizard @@ -21,7 +21,7 @@ The wizard supports the import of data into Netwrix Password Secure in four step Select type -![installation_with_parameters_59](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_59.webp) +![installation_with_parameters_59](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_59.webp) The first step is to define the file that is to be used for the import. It is only possible to proceed to the second step when the defined type corresponds to the stated file to be imported. The 
@@ -29,7 +29,7 @@ second step is the settings. Settings -![installation_with_parameters_60](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_60.webp) +![installation_with_parameters_60](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_60.webp) 1. The settings are used to firstly define the level in the hierarchy for saving the imported structure. As can be seen in the example, the import will take place in the main organisational @@ -47,7 +47,7 @@ process is also used for the migration. Assignment of the form fields -![installation_with_parameters_61](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_61.webp) +![installation_with_parameters_61](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_61.webp) The third step is to assign the forms from the file to be imported to already existing forms. As form fields may also have different names, the assignment process must be carried out manually via @@ -57,7 +57,7 @@ create new forms. Finish -![installation_with_parameters_62](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_62.webp) +![installation_with_parameters_62](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/import/installation_with_parameters_62.webp) In the final step, the configured settings are summarised as a list of the objects to be imported. The button “Finish” closes the wizard and starts the import. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md index e1d20841e2..2436c16240 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md 
@@ -5,13 +5,13 @@ All settings that are not linked to a particular module are defined in the Backstage (main menu). This makes it easy to access the settings at any time and in any module. -![Main menu](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/installation_with_parameters_56-en.webp) +![Main menu](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/installation_with_parameters_56-en.webp) -- [Extras](extras/extras.md) -- [Account](account/account.md) -- [General settings](../../server_manager/main_menu/general_settings.md) -- [User settings](user_settings/user_settings.md) -- [User rights](user_rights/user_rights.md) -- [Administration](administration/administration.md) -- [Import](import/import.md) -- [Export](export/export.md) +- [Extras](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/extras.md) +- [Account](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md) +- [General settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/general_settings.md) +- [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md) +- [User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md) +- [Administration](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/administration/administration.md) +- [Import](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/import/import.md) +- [Export](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/export/export.md) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/overview_of_all_user_rights.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/overview_of_all_user_rights.md index c092f2cfa7..315d7cacb7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/overview_of_all_user_rights.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/overview_of_all_user_rights.md @@ -104,7 +104,7 @@ column. The rights are grouped according to categories to provide a better overv NOTE: There is a version selection box in the user rights. The options that were newly added in the selected version are correspondingly marked in the list. -![installation_with_parameters_115](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp) +![installation_with_parameters_115](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp) This makes it easier for administrators to correctly configure new options before they release the update for all employees. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md index e8ace6ea9b..1da6a5ced3 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md 
@@ -3,7 +3,7 @@ ## What are user rights? In the user rights, access to functionalities is configured. Amongst tother things, this category -includes both the visibility of individual [Client Module](../../clientmodule/client_module.md), as +includes both the visibility of individual [Client Module](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md), as well as the use of the import, export or management of rights templates functions. A complete listing is directly visible in the user rights. 
@@ -11,22 +11,22 @@ listing is directly visible in the user rights. Managing all user rights exclusively at the level of the user would be a time intensive process and thus require a disproportionate amount of care and maintenance. In the same way as with the -[Authorization and protection mechanisms](../../../web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md), +[Authorization and protection mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md), an approach can be used in which several users are grouped together. Nevertheless, it must still be possible to additionally address the specific requirements of individual users. Some functionalities, on the other hand, should be available to all users. In order to do this, Netwrix Password Secure offers a three-step concept. -![installation_with_parameters_111](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_111.webp) +![installation_with_parameters_111](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_111.webp) When it comes to user rights, the focus is always on the user. The user can receive user rights in one of the following three ways: 1. The **personal user right** only applies to a specific user. This is always configured via - the[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md). + the[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md). 
**User rights to role**s apply to all members of a role and are specified in the -[Roles](../../clientmodule/roles/roles.md) +[Roles](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md) 1. The **global user right** applies to all users of a database without exception. You can configure it in the client settings. 
@@ -41,22 +41,22 @@ are assigned via roles and not via organisational units! NOTE: Only those user rights that the current user possesses themselves can be issued. However, all rights can be removed. -![installation_with_parameters_112](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp) +![installation_with_parameters_112](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp) ## Configuring the security level The **security level** is an essential element that is also specified in the user rights. This is -the basis for the configuration of the [User settings](../user_settings/user_settings.md). +the basis for the configuration of the [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md). -![installation_with_parameters_113](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_113.webp) +![installation_with_parameters_113](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_113.webp) ## Searching within user rights Due to the large number of possible configurations, the search function helps you to quickly find the desired configuration. This process is based as usual on the List -[Search](../../operation_and_setup/search/search.md). +[Search](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md). 
-![installation_with_parameters_114](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_114.webp) +![installation_with_parameters_114](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_114.webp) #### Database administrator diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/overview_user_settings/overview_of_all_user_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/overview_user_settings/overview_of_all_user_settings.md index f01d8b6561..4714696c81 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/overview_user_settings/overview_of_all_user_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/overview_user_settings/overview_of_all_user_settings.md @@ -157,7 +157,7 @@ The settings are grouped according to categories to provide a better overview NOTE: There is a version selection box in the settings. The options that were newly added in the selected version are correspondingly marked in the list. -![installation_with_parameters_115](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp) +![installation_with_parameters_115](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/overview_user_rights/installation_with_parameters_115.webp) This makes it easier for administrators to correctly configure new options before they release the update for all employees. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md index eeb903f1c5..f5eb360310 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md @@ -10,12 +10,12 @@ can thus be linked to the presence of the required security level. ## Managing user settings -You can configure user settings similarly to [User rights](../user_rights/user_rights.md). Here too, +You can configure user settings similarly to [User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md). Here too, there are a total of three possibilities with which a user can define his settings or be configured from another location. For the sake of easy manageability, it is again a good idea to configure the users not individually, but to provide several equal users with settings. -![installation_with_parameters_116](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_116.webp) +![installation_with_parameters_116](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_116.webp) The focus is always on the user, also when it comes to user rights. It can obtain its settings in one of the following three ways: 
@@ -30,7 +30,7 @@ one of the following three ways: **CAUTION:** In addition to personal and global settings (as opposed to authorizations), settings are not assigned via roles, but via organisational units! -![installation_with_parameters_112](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp) +![installation_with_parameters_112](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_rights/installation_with_parameters_112.webp) ### Inheritance of user settings 
@@ -39,19 +39,19 @@ If you leave the personal settings on the outside, there are two ways to inherit 1. Global inheritance 2. Inheritance on the basis of membership in organisational units (OU) -Global settings are configured as usual in the [Main menu](../main_menu_fc.md). The organisational +Global settings are configured as usual in the [Main menu](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md). The organisational units are inherited via the -[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md). +[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md). All users who are assigned to an organisational unit inherit all user settings for this OU. In the present case, the users “Jones” and “Moore” inherit all settings from the “IT” organisational unit: -![inherit permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_117-en.webp) +![inherit permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_117-en.webp) The “Settings” button in the ribbon allows you to see the settings for both organisational units and users. The many setting options can be restricted by the known -[Search](../../operation_and_setup/search/search.md) mechanisms. +[Search](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md) mechanisms. 
-![installation_with_parameters_118](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_118.webp) +![installation_with_parameters_118](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_118.webp) The diagram shows the settings for the user “Jones”. The search has been filtered by the term “Detail”. The column **“Inherited from”** shows that some settings have been inherited globally, or @@ -66,8 +66,8 @@ Option groups were created in the global settings to ensure that users can contr settings for which they hold permissions. Categorising security levels from 1 to 5 allows you to combine similar options and thus make them available to the users. -![user settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_119-en.webp) +![user settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/mainmenu/user_settings/installation_with_parameters_119-en.webp) -The [User rights](../user_rights/user_rights.md) define who has the required permissions to change +The [User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md) define who has the required permissions to change which security levels. As with all rights, this is achieved either through global inheritance, the role, or as a right granted directly to the user. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md index 000d4caa21..19de0567fc 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md @@ -6,14 +6,14 @@ In case of large installations, the amount of information provided by Netwrix Pa seem overwhelming. Dashboards expand the existing filter possibilities by an arbitrarily customizable info area, which visually prepares important events or facts -![Dashboard](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_50-en.webp) +![Dashboard](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_50-en.webp) -Dashboards are available in almost all [Client Module](../../clientmodule/client_module.md)s. A +Dashboards are available in almost all [Client Module](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md)s. A separate dashboard can be set for each individual module. **Widgets** correspond to the individual modules of the dashboard. There are various widgets, which can be individually defined and can be configured separately. In the above example, three widgets are enabled and provide information about current notifications, password quality, and user activity. The **maximum number of possible -widgets** is managed in the[User settings](../../mainmenu/user_settings/user_settings.md). +widgets** is managed in the[User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md). NOTE: You can close the dashboard using the button in the tab. You can open it again via **View** > **Show dashboard** in the ribbon. 
@@ -37,7 +37,7 @@ The following options are available in combination with the dashboard and widget If the dashboard tab is enabled, you can enable the dashboard editing mode via the ribbon. Adding and editing widgets is only possible in this mode. -![Adding and removing widgets](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_51-en.webp) +![Adding and removing widgets](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_51-en.webp) Use the drop-down menu to select the widget to be added \* (1) . **Then add the widget to the dashboard using the corresponding button in the ribbon** (2). The maximum number of widgets that can 
@@ -45,14 +45,14 @@ be added can be configured in the user settings. In editing mode, any widget can from the dashboard via the button on the upper right edge. The processing mode is ended by saving via the ribbon. -![Adding widgets](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_52-en.webp) +![Adding widgets](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_52-en.webp) ## Customizing widgets In the editing mode, you can customize each widget separately. To do this, select the widget and switch to the \* widget content tab \* in the ribbon. -![Customizing widgets](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_53-en.webp) +![Customizing widgets](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_53-en.webp) Separate variables can be customized for each widget. This example shows how often users have had passwords displayed. Naturally, the variables are distinct for each widget since other information 
@@ -66,11 +66,11 @@ the dashboard not only displays all activities, but also filters them according in the **Team List** widget. It therefore concerns all activities of the user “Moore”. These are filtered “live” and displayed in real-time. -![Widget event](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_54-en.webp) +![Widget event](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_54-en.webp) ## Arranging widgets In the edit mode, the layout of the widgets is user-defined. Drag & drop allows you to place a widget in the corresponding position on the dashboard (left, right, top, or bottom). -![Arranging widgets](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_55-en.webp) +![Arranging widgets](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/installation_with_parameters_55-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md index 417513b1d0..d591547768 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md 
@@ -4,7 +4,7 @@ Some actions can be executed very efficiently using keyboard shortcuts. These are configured in the section of the same name within the **global -[User settings](../../mainmenu/user_settings/user_settings.md)** +[User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md)** The following keyboard shortcuts are available: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced_filter_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced_filter_settings.md index 422fe25493..fb32376311 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced_filter_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced_filter_settings.md @@ -3,7 +3,7 @@ ## Linking filters The two options for linking the filter criteria are very easy to explain using the example of -[Tags](../../tags/tags.md). The following options are available: +[Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md). The following options are available: 1. Logical “Or operator” 
@@ -11,7 +11,7 @@ By default, the filter is active in this mode. In the following example, the use records with at least one of the tags ”**Important**” or ”**Development**”. This also means that records can either have one of the tags, or both. -![installation_with_parameters_17_839x376](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_17_839x376.webp) +![installation_with_parameters_17_839x376](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_17_839x376.webp) Due to the colour coding of the tags in the records, it can be seen that the first two records have one of the tags, while the third one has both tags. However, all three are included in the results. 
@@ -22,9 +22,9 @@ one of the tags, while the third one has both tags. However, all three are inclu This mode is activated directly by the checkbox in the filter. Each filter criterion has its own checkbox. -![installation_with_parameters_18](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_18.webp) +![installation_with_parameters_18](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_18.webp) -![installation_with_parameters_19_822x325](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_19_822x325.webp) +![installation_with_parameters_19_822x325](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_19_822x325.webp) **In contrast to the “OR link”, the “AND link” must fulfil both criteria**. Accordingly, only those records that have both the tag **”Important”** and the tag ”Development” are listed in the results 
@@ -32,11 +32,11 @@ for this example. ## Filter tab in the ribbon -The filter management can also be found in the [Ribbon](../../ribbon/ribbon.md). Here, it is +The filter management can also be found in the [Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md). Here, it is possible e.g. to expand the currently configured filter criteria, save the filter, or simply clear all currently applied filters. -![installation_with_parameters_20](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_20.webp) +![installation_with_parameters_20](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_20.webp) #### Saving, editing, and deleting filters @@ -48,7 +48,7 @@ now be selected. Note that a selected filter selection is immediately applied to not automatically executed. The filter must be used for this purpose. Both the button in the ribbon, so also the counterpart in the filter, lead to the same result here. -![Filter settings](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-1-en.webp) +![Filter settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-1-en.webp) Deleting and overwriting existing filters is identical in the procedure. The filter, which has been marked in the selection field, is always deleted. If an existing filter is to be overwritten, the 
@@ -63,7 +63,7 @@ In the “Extended filter” category you can adjust the filter as desired, eg b filter groups. Clicking on **”Edit filter”** activates the processing mode. You can terminate it with **”Finish editing”.** -![Filter editing](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-2-en.webp) +![Filter editing](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-2-en.webp) New filter groups can now be added via the selection field. For this purpose, the desired filter type is selected (in the example, the filter group is the seal). The process is completed by @@ -75,7 +75,7 @@ the arrow buttons to adjust the order of the filter groups. The icons “Plus” to create additional instances of existing filter groups or to remove existing ones. In the following example, a content filter was added and all other filter groups removed. -![Filter](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-3-en_923x441.webp) +![Filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/advanced-filter-settings-3-en_923x441.webp) In this example, only the content filter is used – in two instances! \* The “And” link will now display all records that contain both the word “password” and the phrase “important”. \* 
@@ -88,13 +88,13 @@ Activation In the “Extended filter” category you have the possibility to activate the negation: -![allow negation](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/allow-negation-en.webp) +![allow negation](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/allow-negation-en.webp) It is thus possible to refine very precisely filter results even further. This becomes more and more important when there are a large number of records in the database and the resulting amount of data is still unmanageable despite the fact that filters has been appropriately defined. -![installation_with_parameters_25_752x412](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_25_752x412.webp) +![installation_with_parameters_25_752x412](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/advancedfiltersettings/installation_with_parameters_25_752x412.webp) Negations are defined directly in the checkbox of an element within a filter group. Without negations, you can only search e.g. for a tag. Negations make the following queries possible: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/display_mode.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/display_mode.md index 949709b41b..fc025c1ae7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/display_mode.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/display_mode.md 
@@ -2,7 +2,7 @@ ## What display modes exist? -In addition to the already described [Filter](../filter.md), it is possible to switch to structure +In addition to the already described [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md), it is possible to switch to structure view. This alternative view enables you to filter solely on the basis of the organisational structure. Although this type of filtering is also possible in standard filter view, you are able to directly see the complete organisational structure in structure view. 
@@ -11,17 +11,17 @@ NOTE: As there are no longer any folders in Netwrix Password Secure version 9, t can not mirror all of the functionalities of the folder view in version 7. However, the structure view has been modelled on the folder view to make the changeover from the previous version easier. -![installation_with_parameters_15](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_15.webp) +![installation_with_parameters_15](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_15.webp) As you can see, only the organisational structure is visible in this view. This view is the ideal choice for users who want to work in a highly structural-based manner. ## Relevant options -There are three relevant [User settings](../../../mainmenu/user_settings/user_settings.md) +There are three relevant [User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md) associated with the display mode: -![installation_with_parameters_16](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_16.webp) +![installation_with_parameters_16](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/displaymode/installation_with_parameters_16.webp) - **Display mode:** It is possible to define whether the standard filter, structure filter or both are displayed. If the last option is selected, you can switch between both views. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md index a889e167a3..6227274068 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md @@ -16,7 +16,7 @@ The following option is required for editing filters: - Can edit filter -![Filter](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_10-en.webp) +![Filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_10-en.webp) ## Who is allowed to use the filter? 
@@ -24,11 +24,11 @@ The filter is an indispensable working tool because of the possibility to restri according to individual requirements. Consequently, all users can use the filter. It is, of course, possible to place restrictions for filter criteria. This means that the filter criteria available to individual employees can be restricted by means of -[Authorization and protection mechanisms](../../../web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md). -For example, an employee can only filter for the [Forms](../../clientmodule/forms/forms.md) password +[Authorization and protection mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md). +For example, an employee can only filter for the [Forms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md) password if he has the read permission for that form. -**CAUTION:** There are no permissions for [Tags](../tags/tags.md). This means that any employee can +**CAUTION:** There are no permissions for [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md). This means that any employee can use any tags. The display order in the filter is determined by the frequency of use. This process is not critical to security, since tags do not grant any permissions. They are merely a supportive measure for filtering. 
@@ -42,7 +42,7 @@ of all the records corresponding to the criteria is displayed in the list view. filter without criteria, you would obtain a list of all records to which you generally have authorization. -![editing criteria](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_11-en.webp) +![editing criteria](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_11-en.webp) As you can see, 133 records are not really manageable. In most situations you will need to reduce the number of records by adding filters. @@ -57,7 +57,7 @@ restrictions, which could be formulated as in the following sentence: “Deliver own passwords that were created with the form **password** and which contain the expression **2016** and the tag **Administrator**. -![Adding filter criteria](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_12-en.webp) +![Adding filter criteria](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_12-en.webp) As can be seen, the filter delivers the desired results. The extent to which the filter criteria match the three remaining data sets is assigned in colour. 
@@ -77,9 +77,9 @@ content filter configuration in a modal window. As can be seen, the content filt configured to only search in the form **password** and then only in the form field **Internet address:** -![installation_with_parameters_13](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_13.webp) +![installation_with_parameters_13](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_13.webp) -![Content filter](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_14-en.webp) +![Content filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/filter/installation_with_parameters_14-en.webp) It is very easy to abstract, because of the present example, that the filter can be adapted to your personal requirements. It is thus the most important tool to be able to retrieve data once stored in diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md index 001b0333e8..fcaac49d36 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md 
@@ -12,7 +12,7 @@ filter. \* This always means that the list view is the result of a filtered filt currently marked record in list view, all existing form fields are output to the reading pane. With the two tabs “All” and “Favourites, the filter results can be further restricted. -![List view](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_26-en.webp) +![List view](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_26-en.webp) At the bottom of the list view, the number of loaded records and the time required for this are shown. @@ -29,7 +29,7 @@ you have entered the search term, the results are automatically limited to those correspond to the criteria (after about half a second). The search used for the search is highlighted in yellow. -![installation_with_parameters_27](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_27.webp) +![installation_with_parameters_27](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_27.webp) ## Detailed list view 
@@ -37,27 +37,27 @@ The default view displays only limited information about the records. However, t view is flexible and can be adjusted by mouse. At a certain point, the view automatically changes to the detailed list view, similar to the procedure in Microsoft Outlook. All form fields are displayed -![Table view](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_28-en.webp) +![Table view](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_28-en.webp) ## Favourites Regularly used records can be marked as favourites. This process is carried out directly in the -[Ribbon](../ribbon/ribbon.md). A record marked as a favourite is indicated with a star in list view. +[Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md). A record marked as a favourite is indicated with a star in list view. -![Favourite](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_29-en.webp) +![Favourite](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_29-en.webp) You can filter for favourites directly in the list view. For this purpose, simply switch to the “Favourites” tab -![installation_with_parameters_30](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_30.webp) +![installation_with_parameters_30](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_30.webp) #### Othersymbols Every record displayed in list view has multiple icons on the right. 
These give feedback in colour -about both the password quality and the [Tags](../tags/tags.md) used. Mouseover tooltips provide +about both the password quality and the [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md) used. Mouseover tooltips provide more precise details. -![installation_with_parameters_31](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_31.webp) +![installation_with_parameters_31](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_31.webp) NOTE: The information visible underneath the password name is taken from the info field for the associated form and will be explained separately @@ -69,7 +69,7 @@ opened, edited, or deleted via the ribbon. Many functions are also available dir context menu. You can do this by right-clicking the record. Multiple selection is also possible. To do this, simply highlight the desired objects by holding down the Ctrl key. -![installation_with_parameters_32](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_32.webp) +![installation_with_parameters_32](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_32.webp) #### Opening and editing data sets 
@@ -77,9 +77,9 @@ By double-clicking, as with the context menu (right mouse button), all records c the list view in a separate tab. Only in this view can you make changes. This detail view opens in a separate tab, the list view is completely hidden -![editing dataset](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_33-en.webp) +![editing dataset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/listview/installation_with_parameters_33-en.webp) NOTE: Working with data records depends of course on the type of the data record. Whether passwords, documents or organisational structures: The handling is partly very different. For more information, please refer to the respective sections on the individual -[Client Module](../../clientmodule/client_module.md) +[Client Module](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/client_module.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/operation_and_setup.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/operation_and_setup.md index e16b8d46e1..a6d392a297 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/operation_and_setup.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/operation_and_setup.md 
@@ -7,23 +7,23 @@ place. Although the module selection gives access to the various areas of Netwri the control elements always remain at the positions specified for this purpose. This intuitive operating concept ensures efficient work and a minimum of training time. -![Operation](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/operation-and-setup-1-en.webp) +![Operation](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/operation-and-setup-1-en.webp) -![Dashboard](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/operation-and-setup-2-en.webp) +![Dashboard](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/operation-and-setup-2-en.webp) -1. [Ribbon](ribbon/ribbon.md) +1. [Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md) -2. [Filter](filter/filter.md) +2. [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md) -3. [List view](listview/list_view.md) +3. [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) -4. [Reading pane](readingpane/reading_pane.md) +4. [Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md) -5. [Tags](tags/tags.md) +5. [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md) -6. [Search](search/search.md) +6. [Search](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md) -7. [Dashboard and widgets    ](dashboard_and_widgets/dashboard_and_widgets.md) +7. 
[Dashboard and widgets    ](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md) ## TABs @@ -36,14 +36,14 @@ when a new filter is applied. In parallel, detailed information about records ca their own tabs. It is of course possible to adjust the order of the tabs via drag & drop according to your individual requirements. -![Dashboard](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/installation_with_parameters_2-en.webp) +![Dashboard](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/installation_with_parameters_2-en.webp) #### Standard tab Depending on the active module, the All passwords tab will be renamed to the corresponding module by default. (All documents, all forms, etc.) -![Standard tab](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/standard-tab-en.webp) +![Standard tab](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/standard-tab-en.webp) Although the name suggests that all records in the database are displayed, the records displayed in list view correspond to the criteria that have been defined in the filter. The tab closes and can be 
@@ -59,33 +59,33 @@ information. - Feedback in case connection is insecure - Last name, first name (user name) of the logged-in user -![installation_with_parameters_4](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/installation_with_parameters_4.webp) +![installation_with_parameters_4](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/installation_with_parameters_4.webp) -- [Ribbon](ribbon/ribbon.md) -- [Filter](filter/filter.md) -- [List view](listview/list_view.md) -- [Reading pane](readingpane/reading_pane.md) -- [Tags](tags/tags.md) -- [Search](search/search.md) -- [Dashboard and widgets](dashboard_and_widgets/dashboard_and_widgets.md) -- [Shortcut key](dashboard_and_widgets/keyboard_shortcuts.md) +- [Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md) +- [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md) +- [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) +- [Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md) +- [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md) +- [Search](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md) +- [Dashboard and widgets](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/dashboard_and_widgets.md) +- [Shortcut key](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/dashboard_and_widgets/keyboard_shortcuts.md) ## Orientation It is possible to change the alignment of the following objects: -- [Active Directory 
link](../clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) -- [Applications](../clientmodule/applications/applications.md) -- [Notifications](../clientmodule/notifications/notifications.md) -- [Reports](../mainmenu/extras/reports/reports.md) -- [Documents](../clientmodule/documents/documents.md) -- [Forms](../clientmodule/forms/forms.md) -- [Logbook](../clientmodule/logbook/logbook.md) -- [Organisational structure](../clientmodule/organisationalstructures/organisational_structure.md) -- [Password Reset](../clientmodule/passwordreset/password_reset.md) -- [Password rules](../mainmenu/extras/password_rules/password_rules.md) -- [Roles](../clientmodule/roles/roles.md) -- [Seal templates](../mainmenu/extras/seal_templates/seal_templates.md) -- [System tasks](../mainmenu/extras/system_tasks/system_tasks.md) +- [Active Directory link](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) +- [Applications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md) +- [Notifications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md) +- [Reports](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/reports/reports.md) +- [Documents](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/documents/documents.md) +- [Forms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/forms/forms.md) +- [Logbook](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md) +- [Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md) +- [Password 
Reset](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md) +- [Password rules](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/password_rules/password_rules.md) +- [Roles](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md) +- [Seal templates](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md) +- [System tasks](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/system_tasks/system_tasks.md) - Forwarding Rules - Profil picture in the reading pane diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/print/print.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/print/print.md index bef2f27327..79e34fc021 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/print/print.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/print/print.md 
@@ -33,14 +33,14 @@ The print function is available in the following modules: The print function can be called up via the ribbon. -![installation_with_parameters_44](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_44.webp) +![installation_with_parameters_44](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_44.webp) Firstly, it is necessary to select whether you want to print a table or a detailed view. The amount of data can also be defined. The individual menu items are described in detail further down in this section. After making your selection, the data is firstly prepared for printing. Depending on the amount of data, this may take a few minutes. The print preview is then opened. -![print password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_45-en.webp) +![print password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_45-en.webp) NOTE: The print preview accesses the functions of the printer driver. Depending on the printer or driver being used, the appearance and functions offered by the print preview may vary. The 
@@ -60,18 +60,18 @@ passwords. All **selected** records will be printed out. In the following example, **Adobe** and **Anibis.ch** are thus printed out. -![selected data](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_46-en.webp) +![selected data](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_46-en.webp) The data is printed here in table form. -![print password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_47-en.webp) +![print password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_47-en.webp) #### Tableview (current filter) All currently **filtered** records will be printed out here. In this example, all seven records are thus printed out. -![filtered password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_48-en.webp) +![filtered password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_48-en.webp) They are printed out – as described above – in table form. 
@@ -80,7 +80,7 @@ They are printed out – as described above – in table form. This option also prints out the currently selected records. However, a detailed view is printed out in this case. -![print filtered passwords](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_49-en.webp) +![print filtered passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/print/installation_with_parameters_49-en.webp) #### Detailed view (current filter) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md index 0bc6d7e473..5ef82df93a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md @@ -5,9 +5,9 @@ The reading pane on the right side of the client always corresponds to the detailed view of the selected record in the list view and can be completely deactivated via the ribbon. In addition, you can configure here the arrangement of the reading pane – either on the right, or underneath the -[List view](../listview/list_view.md). +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md). -![Reading area](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_34-en.webp) +![Reading area](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_34-en.webp) ## Structure of the reading pane 
@@ -16,14 +16,14 @@ The reading pane is divided into two areas: 1. **Details area** 2. Footer area -![installation_with_parameters_35](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_35.webp) +![installation_with_parameters_35](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_35.webp) 1. Details area -Depending on which record you have selected in [List view](../listview/list_view.md), the -corresponding fields are displayed here. In the header, the assigned [Tags](../tags/tags.md), as +Depending on which record you have selected in [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md), the +corresponding fields are displayed here. In the header, the assigned [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md), as well as the -[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md) +[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md) are displayed. **CAUTION:** It should be noted that the details area cannot be used for editing records! Although 
@@ -35,7 +35,7 @@ In the footer area of the reading pane, it is possible to display various inform currently selected record. The button can be activated via the button provided. It is hidden by default. -![Footer area](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_36-en.webp) +![Footer area](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_36-en.webp) The logbook, linked documents, history, notifications and password resets can be accessed separately here via the tabs. The individual elements can be viewed with a double-click, as well as by using @@ -43,9 +43,9 @@ the quick view (space bar). Double clicking always opens a separate tab, the qui a modal window Visibility of the individual tabs within the footer section is secured via separate -[User rights](../../mainmenu/user_rights/user_rights.md): +[User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md): -![installation_with_parameters_37](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_37.webp) +![installation_with_parameters_37](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/installation_with_parameters_37.webp) The same options can also be found in the settings. A tab is only displayed if it has been activated both in the rights and also in the settings. This makes it possible to specify (for example via the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md index ccfd9a4906..6e3eaa8961 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md @@ -6,14 +6,14 @@ The ribbon is the central control element of Netwrix Password Secure version 9. all modules. Netwrix Password Secure is almost always operated via the ribbon in the header area of the PSR client. -![Ribbon](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_5-en.webp) +![Ribbon](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_5-en.webp) The features available within the ribbon are dynamic, and are based on the currently available actions. Various actions can be performed, depending on which object is selected. The module selected also affects the features that are available in the ribbon. Of course, the most important actions can also be controlled via the context menu (right mouse button). -![Ribbon - Item](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon-1-en.webp) +![Ribbon - Item](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon-1-en.webp) This mainly affects the very often used features such as opening, deleting or assigning tags. However, a complete listing of the possible actions is always only possible directly in the ribbon. 
@@ -22,26 +22,26 @@ This ensures that the context menu can be kept lean. ## Access to the client main menu (backstage) The button at the top left of the ribbon provides access to the -[Main menu](../../mainmenu/main_menu_fc.md): +[Main menu](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md): -![installation_with_parameters_7](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_7.webp) +![installation_with_parameters_7](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_7.webp) ## Ribbon tabs There are tabs in the header area of the ribbon that summarize all available operations. By default, module-independent **Start, View, and Filter** is available. If the footer of the -[Reading pane](../readingpane/reading_pane.md) is opened (1), further tabs will be visible in the +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md) is opened (1), further tabs will be visible in the ribbon (2). These contain, according to the selection made in the footer, other possible actions. -![Ribbon Tabs](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_8-en.webp) +![Ribbon Tabs](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_8-en.webp) #### Content tabs -Double-clicking on an object in the [List view](../listview/list_view.md) opens a new tab with its +Double-clicking on an object in the [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) opens a new tab with its detailed view. 
Depending on which form field you have selected, the corresponding content tab opens in the ribbon. -![Content tabs](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_9-en.webp) +![Content tabs](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/installation_with_parameters_9-en.webp) Depending on the selected form field, further actions are offered in the Content tab. In the Password field, this is, for example, calling the password generator or the screen keyboard, or the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md index ff41f0bbdb..f55ca151e9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md 
@@ -10,9 +10,9 @@ according to selected criteria. Basically, there are 2 search modes: In the upper right section of the ribbon, there is a search field, which scans the module that is currently open. This is a full-text search that scans all fields and tags except the password field. -![quick search](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_41-en.webp) +![quick search](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_41-en.webp) -The fast search is closely linked to the [Filter](../filter/filter.md), because search queries are +The fast search is closely linked to the [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md), because search queries are converted directly into one or several content filters. You can also separate search terms using spaces, for example, **Cook Daniel**. Note that this search creates two separate content filters, which are logically linked with “and” +. This means that both words must occur in the data record. 
@@ -28,17 +28,17 @@ Negations restrict the results to such an extent that certain criteria may not b example searches for all records that contain the expression \* Delphi , **but not the expression swiss. The notation, which must be entered in the quick search, is: Delphi -swiss** -![quick search](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_42-en.webp) +![quick search](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_42-en.webp) 2. List search -With the list search in the header of the [List view](../listview/list_view.md), the results of the +With the list search in the header of the [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md), the results of the filter can be searched further. This type of search is available in almost every list. Scans only the currently filtered results. Password fields are not searched. The search is live, so the result is further refined with every additional character that is entered. Automatic “highlighting” takes place in yellow colour. -![list search](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_43-en.webp) +![list search](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/search/installation_with_parameters_43-en.webp) A direct database query is performed when the filter is executed. The list search only searches within the query already made. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md index a57e8d6c7b..ebc52efa97 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md @@ -23,13 +23,13 @@ User rights Tags can be directly added when creating new records and also when editing records. The procedure is the same. In Edit mode, the tags are always at the bottom. -![Tags in dataset](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_38-en.webp) +![Tags in dataset](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_38-en.webp) The operation is intuitive. From the third entered letter, existing tags are searched for full text. If the desired tag has been found, it can be added. Both the navigation with mouse, thus also with keyboard, is possible. If a new tag is to be created, this can be done directly with “Return”. -![installation_with_parameters_39](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_39.webp) +![installation_with_parameters_39](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_39.webp) ## Tags in the ribbon 
@@ -37,7 +37,7 @@ If you edit a record and mark an existing or new tag, a corresponding content ta ribbon. Here, the tag manager can be opened as well as the colour and description of the tag can be adapted directly. -![Tags in password](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_40-en.webp) +![Tags in password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/operation_and_setup/tags/installation_with_parameters_40-en.webp) ## Management of tags diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated_setting_of_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated_setting_of_permissions.md index 2afe809ecd..8ae52527a9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated_setting_of_permissions.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated_setting_of_permissions.md 
@@ -17,7 +17,7 @@ Netwrix Password Secure generally differentiates between multiple methods for se The following diagram deals with the question: **How do users or roles receive the intended permissions?** -![manual vs automated settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated-setting-of-permissions-1-en.webp) +![manual vs automated settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated-setting-of-permissions-1-en.webp) NOTE: Inheritance from organisational structures is defined by default in the system. This can be configured in the settings. The relevant setting is “Inherit permissions for new objects (without diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md index 2527206002..0cc7e0cf7f 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md 
@@ -5,14 +5,14 @@ The aim of organisational structures is to reflect the hierarchies and dependencies amongst employees that exist in a company. Permissions are granted to these structures as usual via the ribbon. Further information on this subject can be found in the section -[Permissions for organisational structures](../../../clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md). +[Permissions for organisational structures](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md). As a specific authorization concept is generally already used within organisational structures, this is also used as the basis for further permissions. This form of inheritance is technically equivalent to granting permissions based on **affiliations to a folder**. When creating a new record, the record receives the permissions in accordance with the defined permissions for the organisational unit. -![explanation of authorization](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-1-en.webp) +![explanation of authorization](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-1-en.webp) ## Relevant user settings 
@@ -25,7 +25,7 @@ organisational structures Inherit permissions for new objects (without rights template) This setting is relevant for newly created records. -![setting inherit permission](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-2-en.webp) +![setting inherit permission](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-2-en.webp) The following values can be configured: @@ -40,7 +40,7 @@ permissions for the user. Existing passwords inherit changes to the permissions for organisational units -![setting inherit from OU to password](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-3-en.webp) +![setting inherit from OU to password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-3-en.webp) This option means that changes to permissions for an organisational unit will be inherited by all passwords for this organisational unit. This setting is active by default. When inheriting 
@@ -60,16 +60,16 @@ should be inherited by new objects in accordance with the organisational structu The permissions for the organisational unit “marketing” are shown below: -![example of permissions](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-4-en.webp) +![example of permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-4-en.webp) A new password is now created in the organisational unit “marketing”. -![new password](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-5-en.webp) +![new password](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-5-en.webp) It is important that no preset is defined for this organisational unit. The permissions for the record just created are now shown. -![permissions example](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-6-en.webp) +![permissions example](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-6-en.webp) ## Conclusion 
@@ -77,7 +77,7 @@ The permissions for the “storage location” are simply used when creating new apply here: The value “organisational unit” must be selected in the settings for the inheritance of permissions -There must be no [Predefining rights](../../predefining_rights/predefining_rights.md) for the +There must be no [Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md) for the affected organisational structure This process is illustrated in the following diagram: -![process for inheritance of permissions](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-7-en.webp) +![process for inheritance of permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance-7-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md index cb7c0a8f18..220a71a116 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md 
@@ -3,7 +3,7 @@ ## What is the manual setting of permissions for records? In contrast to the -[Automated setting of permissions](../automated_settings/automated_setting_of_permissions.md), the +[Automated setting of permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/automated_setting_of_permissions.md), the manual approach does not utilize any automatic processes. This method of setting permissions is thus carried out separately for every record – this process is not as recommended for newly created data. If you want to work effectively in the long term, the automatic setting of permissions should be 
@@ -14,31 +14,31 @@ records. In the previous section, it was clarified that permissions are granted either directly to the user or to several users grouped in a role. With this knowledge, the permissions can be set manually. In -the [Passwords](../../clientmodule/passwords/passwords.md), there are three different ways to access +the [Passwords](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md), there are three different ways to access the permissions in the list view: 1. Icon in the ribbon 2. Context menu of a data record (right-click) 3. Icon at the right edge of the reading pane -![different ways to access the permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-1-en.webp) +![different ways to access the permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-1-en.webp) NOTE: The icon on the right of the reading pane shows the information whether the record is personal or public. In case of personal data records, the user that is logged on is the only one who has permissions! The author is created with all permissions for the record. As described in the -[Permission concept and protective mechanisms](../permission_concept_and_protective.md), you can now +[Permission concept and protective mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md), you can now add roles and users. 'Right click - Add' inside the userlist or use the ribbon "User and roles" to add a user. The filter helps you to quickly find those users who should be granted permissions for the record in just a few steps. 
-![add user and role](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-2-en.webp) +![add user and role](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-2-en.webp) -The search [Filter](../../operation_and_setup/filter/filter.md)opens in a separate tab and can be +The search [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md)opens in a separate tab and can be configured as usual. -![seach filter](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-3-en.webp) +![seach filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-3-en.webp) **Multiple selection** is also enabled. It allows to add several users via the Windows standard Ctrl/Shift + left mouse button. 
@@ -49,9 +49,9 @@ By default, all added users or roles receive only the “Read” permission on t permission at the beginning is sufficient to view the fields of the data record and to use the password. "Write" permission allows you to edit a data record. **The permission “Authorize” is necessary to authorize other users to the record**. This is also a requirement for -the[Seals](../predefining_rights/protective_mechanisms/seals/seals.md). +the[Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md). -![setting all permissions example](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-4-en.webp) +![setting all permissions example](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-4-en.webp) ## Transferring permissions @@ -60,7 +60,7 @@ or roles to others in the context menu. In this context, the use of permission t very practical. In the “Template” area of ​​the ribbon, you can save configured permissions, including all users, and reuse them for other records. -![preset menu](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-5-en.webp) +![preset menu](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-5-en.webp) The transfer of permissions and their reuse can be an important building block to create and maintain entitlement integrity. This method cannot rule out misconfigurations, but it will minimize 
@@ -71,7 +71,7 @@ the risk significantly. Of course, the correct configuration of these templates The “add" permission holds a special position in the authorization concept. This permission controls whether a user/role is permitted e.g. to create a new record within an organisational structure. Consequently, this permission can only be set in the -[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md). +[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md). ## The owner permission @@ -79,7 +79,7 @@ The "owner" permission can be set for a user. This permission is more of **a gua assigned, there is no way to remove the user or role. This is only possible by the user or the role itself, as well as by users with the permission “Is database administrator”. -![owner permission](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-6-en.webp) +![owner permission](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual-setting-of-permissions-6-en.webp) The owner permission prevents other users who have the “Authorize” permission from removing someone with the owner permission from the record. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md index 1159069b4e..a6fb23d9c8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md @@ -4,7 +4,7 @@ As part of the manual modification of permissions, it is also possible to edit multiple records at the same time. Various mechanisms can be used to select the records to be edited. You are able to -select the records in [List view](../../../operation_and_setup/listview/list_view.md) or you can use +select the records in [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) or you can use the filter as part of the multiple editing function. Both scenarios are described below. ### User permissions for batch processing @@ -24,7 +24,7 @@ In list view, Shift or Ctrl + mouse click can be used to select multiple records also be granted for these records via the selection. The marked records are displayed in a different color. 6 records are marked in the following image. -![password list](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-1-en.webp) +![password list](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-1-en.webp) ## Dialogue for configuring the permissions 
@@ -32,7 +32,7 @@ A new tab will be opened in the ribbon above the "Permissions" button in which t be configured. The tab will display the number of records that will be affected by the defined changes. -![rights for selected passwords](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-2-en.webp) +![rights for selected passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-2-en.webp) NOTE: As the already granted permissions for the selected records may differ, it is not possible to display the permissions here. 
@@ -59,14 +59,14 @@ removed from the permissions. In the following example, Mr. Steiner receives read permissions to all selected records. In contrast, Mr. Brewery receives all permissions: -![rights for selected passwords](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-3-en.webp) +![rights for selected passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-3-en.webp) The read permission will be removed for Mr. Steiner. As removing the read permissions means that no other permissions exist for the record, Mr. Steiner is completely removed from the permissions. The authorize, move, export and print permissions are being removed from Mr. Brewery. Assuming that he previously had all permissions, he will then have read, write and delete permissions remaining: -![edit rights for selected passwords](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-4-en.webp) +![edit rights for selected passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-4-en.webp) ## Batch processing using a filter 
@@ -75,7 +75,7 @@ hand, a maximum limit of 1000 records exists and on the other hand, handling a v records via list view is not always the best solution. The **Batch processing using a filter** mode has been developed for this purpose. This is directly initiated via the ribbon. -![Batch processing using a filter](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-5-en.webp) +![Batch processing using a filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-5-en.webp) In the subsequent dialogue, you define whether you want to expand, reduce or completely overwrite existing permissions. If you select **expand or reduce** at this stage, the same logic as for 
@@ -87,14 +87,14 @@ the newly defined permissions. **CAUTION:** It is important to proceed with great caution when overwriting permissions because this function can quickly lead to a large number of records becoming unusable. -![permissions adapted on a filter](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-6-en.webp) +![permissions adapted on a filter](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-6-en.webp) The filter itself defines the selection criteria for the records to be edited. The currently configured filter will be used as default. The records that will be affected by the changes are also not displayed in this view. Only the number of records is displayed. In the following example, 9 passwords are being edited to add the read permission the role "Sales". -![permissions change for selected records](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-7-en.webp) +![permissions change for selected records](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-7-en.webp) ## Seals and password masking 
@@ -102,13 +102,13 @@ Sealed or masked records cannot be edited using batch processing. If these types selected, a dialogue will be displayed when carrying out batch processing to inquire how these records should be handled. -![security warning because of sealed or masked passwords](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-8-en.webp) +![security warning because of sealed or masked passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-8-en.webp) It is possible to select whether the affected records are skipped or whether the seal or password masking should be removed. If the **remove** option is selected, the process needs to be confirmed again by entering a PIN. -![security warning](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-9-en.webp) +![security warning](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple-editing-of-permissions-9-en.webp) **CAUTION:** The removal of seals and password masking cannot be reversed! diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/rights_templates/right_templates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/rights_templates/right_templates.md index e31436bd0f..b408b63f99 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/rights_templates/right_templates.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/rights_templates/right_templates.md @@ -12,5 +12,5 @@ differentiated from other templates if you have a large number of right template Nevertheless, the use of right templates merely reduces the amount of work and still envisages the manual setting of permissions. Automatic process for the issuing of permissions also exist in Netwrix Password Secure and will be covered in the section -[Predefining rights](../../predefining_rights/predefining_rights.md) and also under -"[Inheritance from organisational structures](../../automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md)". +[Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md) and also under +"[Inheritance from organisational structures](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/automated_settings/inheritance_from_organisational_structures/inheritance_from_organizational.md)". diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md index 4681b8c27e..b0e64cb79b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_and_protective.md 
@@ -3,18 +3,18 @@ ## What is the permission concept? With Netwrix Password Secure version 9 we provide the right solution to all conceivable demands -placed on it with regards to permission management. [Roles](../clientmodule/roles/roles.md) are a +placed on it with regards to permission management. [Roles](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md) are a great way to efficiently manage multiple users without losing the overview. We've created multiple methods to manually or automatically manage your permissions. More information can be seen in the chapter -[Multiple editing of permissions](manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md) +[Multiple editing of permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/multiple_editing_of_permissions/multiple_editing_of_permissions.md) Alongside the definition of manual and automatic setting of permissions, the (optional) setting of -[Protective mechanisms](predefining_rights/protective_mechanisms/protective_mechanisms.md) forms +[Protective mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md) forms part of the authorization concept. The protective mechanisms are thus downstream of the permissions. The interrelationships between all of these elements are illustrated in the following diagram. -![Authorisation concept](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_1-en.webp) +![Authorisation concept](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_1-en.webp) NOTE: Applying some form of permissions is **obligatory**. Applying a protective mechanism is **optional**. 
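Review bot: the new link targets hard-code the version directory, for example `/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md` on the `[Roles]` line, where the old `../clientmodule/roles/roles.md` was version-agnostic. If this tree is later copied to create the next version's docs, these links will still resolve into 9.2 and readers of the newer docs will land on the older permission pages. Suggest confirming that the version-copy step rewrites the `9.2` prefix, or keeping file-relative targets for in-version links and using root-absolute paths only for the `/img/...` assets.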
@@ -47,7 +47,7 @@ example, the role “Sales Assistance”. This role-based inheritance allows the maintain the overview in a larger corporate structure as well as a simple procedure when adding new employees. Instead of having to entitle him individually, this is simply added to his role. -![Permission only for users or roles](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_2-en.webp) +![Permission only for users or roles](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_2-en.webp) It is obvious to proceed with the organization of accesses using the concept of roles as a basis and only to grant rights individually to employees in exceptional cases. The unplanned absence of @@ -56,7 +56,7 @@ significantly. NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` Permissions are always granted to only one user or role! @@ -69,11 +69,11 @@ The key point is membership in a role. If an employee can use the authorizations roles assigned to him, **he must be a member of the role**. Only members see the records that have been authorized for the role. -![Membership in roles](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_3-en.webp) +![Membership in roles](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_3-en.webp) NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` A small technical digression into the nature of the encryption can be very helpful with the basic understanding. Each role has a key pair. The first key is used to encrypt data. Access to this information is only possible with the second key. The membership in a role is equivalent to this second key. 
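Review bot: `+[Copy](javascript:void(0);)` under the `NOTE:` line in this hunk (and in the `@@ -56,7 +56,7 @@` and `@@ -103,7 +103,7 @@` hunks) replaces an empty link target with a script-scheme URL. The `[Copy]` link sits directly above a fenced block and looks like copy-button residue from the exported help page, so it has no real destination. Suggest deleting the `[Copy]` line in this change instead of giving it a `javascript:` href, which link sanitizers and a Content-Security-Policy without `'unsafe-inline'` would block anyway.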
@@ -87,7 +87,7 @@ users and roles. This dynamics is crucial for understanding the concept of autho to ensure maximum software adaptability to any corporate structure. The following diagram illustrates this with an example of two users. -![Membership vs permissions for roles](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/membership_permission.webp) +![Membership vs permissions for roles](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/membership_permission.webp) - **User 1** is a member of the role, and is therefore authorized for all records that are assigned to the role. However, it has only “read rights” for the role itself. This means, it can see the @@ -103,7 +103,7 @@ However, it cannot see any data that is assigned to sales. It lacks membership i NOTE: -[Copy]() +[Copy](javascript:void(0);) ``` As a member of a role, it must have at least the “read” right for the role! 
@@ -114,10 +114,10 @@ As a member of a role, it must have at least the “read” right for the role! Similar to the previous section Permission concept and protective mechanisms for roles, the configuration of a role will be illustrated using two users. The configuration is performed in the -[Roles](../clientmodule/roles/roles.md). By double-clicking on the role “IT-Consultants” in the -[List view](../operation_and_setup/listview/list_view.md), you can open their detailed view. +[Roles](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md). By double-clicking on the role “IT-Consultants” in the +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md), you can open their detailed view. -![roles list view](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_5-en.webp) +![roles list view](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_5-en.webp) - The user “Holste” is a member of the role and can, therefore, access those records for which the role has permissions. He has the obligatory read right for the role, which is the basic 
@@ -127,7 +127,7 @@ configuration of a role will be illustrated using two users. The configuration i records that are authorized for the role. However, it has all rights to the role and can therefore print, assign other users to the role, and delete them. -![explanation of the authorization through a role](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_6-en.webp) +![explanation of the authorization through a role](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/permission_concept_6-en.webp) This example clearly shows the advantages of the concept. The complete separation of administrative users from regular users brings significant advantages. Of course, one does not necessarily exclude diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md index 1cd2380dfa..138afccb34 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md 
@@ -2,7 +2,7 @@ ## What are predefined rights? -[Permissions for organisational structures](../../clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md) +[Permissions for organisational structures](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/permissionsous/permissions_for_organisational.md) can be carried out separately for every record. Although this method enables you to very closely control every intended permission structure, it is not really efficient. On the one hand, there is too much configuration work involved, while on the other hand, there is a danger that people who 
@@ -10,18 +10,18 @@ should also receive permissions to access data are forgotten. In addition, many even have the right to set permissions. “Predefining rights” is a suitable method to simplify the permissions and reduce error rates by using automated processes. This page covers the configuration of predefined rights, please also refer to the sections -[Working with predefined rights](working_with_predefining_rights/working_with_predefined_rights.md) +[Working with predefined rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md) and their -[Scope of validity for predefined rights](scope_of_validity/scope_of_validity_for_predefined.md). +[Scope of validity for predefined rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_for_predefined.md). ## Organisational structures as a basis -[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md) +[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md) can be very useful in many areas in Netwrix Password Secure. In this example, they provide the basic framework for the automated granting of rights. In the broadest sense, these organisational structures should always be entered in accordance with existing departments in a company. The following example specifically focuses on an IT department. The following 3 hierarchies -([Roles](../../clientmodule/roles/roles.md)) have been defined within this IT department: +([Roles](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/roles/roles.md)) have been defined within this IT department: - **IT employee** - **IT manager** 
@@ -31,26 +31,26 @@ following example specifically focuses on an IT department. The following 3 hier In general, a senior employee is granted more extensive rights than those granted to a trainee. This hierarchy and the associated permission structure can be predefined. In the -O[Organisational structure](../../clientmodule/organisationalstructures/organisational_structure.md) +O[Organisational structure](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/organisational_structure.md) module, we now select those OUs (departments) for which rights should be predefined and select \*predefine rights” in the ribbon. -![button of predefined rights](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-1-en.webp) +![button of predefined rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-1-en.webp) - **Creating the first template group:** A new window will appear after clicking on the icon for adding a new template group (green arrow) in which a meaningful name for the template group should be entered. -![add template](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-2-en.webp) +![add template](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-2-en.webp) Roles and users can now be added to this template via the ribbon or through the context menu (right mouse click). This was already completed in the example. The role **IT employee** only has the "read permission", the **IT manager** also has the "write permission" and the capability of managing permissions. **Administrators** possess all available permissions. 
Configuration of the permission structures is explained in -[Manual setting of permissions](../manual_settings/manual_setting_of_permissions.md). +[Manual setting of permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md). -![example permissions](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-3-en.webp) +![example permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-3-en.webp) ## Adding other template groups @@ -59,7 +59,7 @@ be necessary e.g. if there are several areas of competency within one department receive different permissions. Alongside the **IT general** area, the template groups **Exchange** and **Firewall** have also been defined below. -![Standard template](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-4-en.webp) +![Standard template](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-4-en.webp) A **default template group** can be defined directly next to the drop-down menu for selecting the template group (green arrow). This is always pre-configured when you select “IT” as the OU to save 
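Review bot: in the `@@ -31,26 +31,26 @@` hunk, the rewritten line beginning `+O[Organisational structure](` carries over the stray `O` in front of the link, so the rendered sentence reads "In the OOrganisational structure module". Since that line is being replaced anyway, drop the leading `O` in the same change. The unbalanced quoting in `\*predefine rights”` on the following context line is outside the change and can be fixed separately.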
@@ -69,10 +69,10 @@ records. In the same way that permissions are defined within right templates, it is also possible to automatically set **tags**. Their configuration is carried out in the same way as issuing -[Tags](../../operation_and_setup/tags/tags.md) for records. +[Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md) for records. -![tags for predefining rights](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-5-en.webp) +![tags for predefining rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefined-rights-5-en.webp) This process ensures that a special tag is automatically issued when using a certain template group. Example cases can be found in the -[Working with predefined rights](working_with_predefining_rights/working_with_predefined_rights.md). +[Working with predefined rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md). diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md index d0bfa92d3a..309dec2621 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md 
@@ -6,7 +6,7 @@ The safest passwords are those that you do not know. Password masking follows th prevents the password from being shown, while allowing the use of the automatic sign-on. You can apply it via the button of the same name in the ribbon. -![button password masking](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_1-en.webp) +![button password masking](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_1-en.webp) ## Relevant rights @@ -18,7 +18,7 @@ The following option is required to apply password masking. ### Required permissions -In the same way as for the [Seals](../seals/seals.md) configuration, the **authorize permission** +In the same way as for the [Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) configuration, the **authorize permission** for the record is required to apply or remove the masking. Users who have the **authorize permission** for a record can continue to use the record without limitations after applying password masking. Password masking only applies to users without the "can apply password masking" right. 
@@ -34,11 +34,11 @@ permission, but not the permission **authorize**. ### Password masking via form field permissions As an alternative, you can also apply password masking via the -[Form field permissions](../../../../clientmodule/passwords/form_field_permissions.md). In the -[List view](../../../../operation_and_setup/listview/list_view.md) of a record, there is a separate +[Form field permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/form_field_permissions.md). In the +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) of a record, there is a separate button in the ribbon for that purpose. Ensure that the password field is highlighted. -![form field permissions](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_2-en.webp) +![form field permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_2-en.webp) The special feature when setting or editing masking via the form field permissions is that you can individually select users to whom masking will be applied. In the following example, masking has 
@@ -46,7 +46,7 @@ been specified only for the role of “trainees”, although the “IT” role d permission** either. In addition to the name of the role or the user, the icon symbolizes the fact that visa protection applies to trainees. -![example password masking](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_3-en.webp) +![example password masking](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking_3-en.webp) NOTE: Use the icon in the ribbon to apply password masking to all users who have read permission on the record, but not the **authorize permission**. If you wish to specify more precisely for which diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md index 51bb21c332..c533f598fd 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms.md 
@@ -9,25 +9,25 @@ certain information only available to selected employees. Nevertheless, it is st have protective mechanisms above and beyond the authorization concept in order to handle complex requirements. -- [Visibility](visibility/visibility.md) is not separately configured but is instead directly +- [Visibility](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md) is not separately configured but is instead directly controlled via the authorization concept (read permission). Nevertheless, it represents an important component within the existing protective mechanisms and is why a separate section has been dedicated to this subject. -- By configuring [Temporary permissions](temporary_permissions/temporary_permissions.md), it is +- By configuring [Temporary permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions.md), it is possible to grant users or roles temporary access to data. -- [Password masking](password_masking/password_masking.md) enables access to the system without +- [Password masking](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md) enables access to the system without having to reveal the passwords of users. The value of the password remains constantly hidden. - To link the release of highly sensitive access data to a double-check principle, it is possible to - use [Seals](seals/seals.md). The configuration of users or roles with the permissions to issue a + use [Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md). 
The configuration of users or roles with the permissions to issue a release is possible down to a granular level and is always adaptable to individual requirements. The following diagram shows a summary of how the existing protective mechanisms are integrated into the authorization concept. -![protective mechanism diagram](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms-en.webp) +![protective mechanism diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/protective_mechanisms-en.webp) In the interplay of the -[Authorization and protection mechanisms](../../../../web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md), +[Authorization and protection mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md), almost all conceivable scenarios can be depicted. It is worth mentioning again that the authorization concept is already a very effective tool, with limited visibility of passwords and data records. This concept is present everywhere in Netwrix Password Secure, and will be explained diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md index 6cd72ce2bf..0b7c80c5bc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md 
@@ -26,31 +26,31 @@ required permissions to issue the release. Within the Netwrix Password Secure cl done via the buttons **Reveal** and **Seal** in the ribbon, as well as via the **Icon in the password field** of the data record in the reading pane. -![seal protection](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_1-en.webp) +![seal protection](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_1-en.webp) A modal window opens, which can be used to request the seal. The reason for the entry will be displayed to the users with the required permissions to issue the release. -![start seal process](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_2-en.webp) +![start seal process](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_2-en.webp) All user with the required permissions to issue the release will be notified that the user has requested the seal. This can be viewed via the module -[Notifications](../../../../../clientmodule/notifications/notifications.md), as well as in the Seal +[Notifications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/notifications/notifications.md), as well as in the Seal overview. ## 2. 
Granting a release -The [Seal overview](../seals_overview/seal_overview.md) can be opened via the seal symbol in the +The [Seal overview](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md) can be opened via the seal symbol in the ribbon directly from the mentioned notification. It is indicated by the corresponding icon that there is a need for action. All relevant data for a release are illustrated within the seal overview. The reason given in the release is also evident. -![seal overview](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_3-en.webp) +![seal overview](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_3-en.webp) If the release is granted, the Inquirer Im **Module Notifications** will be informed. You can also open the seal directly from the ribbon and see the now released state. -![notification seal status](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_4-en.webp) +![notification seal status](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_4-en.webp) ## 3. Breaking the seal 
@@ -58,4 +58,4 @@ As soon as the requesting user has received the number of the required releases, via the notifications as usual. The seal can now be broken. From this point on, the user will be able to see the password. -![broken seal](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_5-en.webp) +![broken seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism_5-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md index bfe9cdd133..d481a234b1 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md 
@@ -3,7 +3,7 @@ ## What are seals? Passwords are selectively made available to the different user groups by means of the -[Authorization and protection mechanisms](../../../../../web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md). +[Authorization and protection mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md). Nevertheless, there are many scenarios in which the ability to view and use a record should be linked to a release issued in advance. In this context, the seal is an effective protective mechanism. This multi-eye principle protects passwords by securing them with granular release 
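Review bot: the new target on the `[Authorization and protection mechanisms]` line keeps the misspelled path segment `web_applicaiton`. It matches the old relative path, so the link resolves only as long as the directory really is named that way. With the path now repeated in full in every referencing file (it also appears in protective_mechanisms.md), a later rename of the directory to `web_application` will break each of these links. Suggest verifying the directory name in the tree and, if the rename is planned, doing it together with this link rewrite.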
@@ -45,15 +45,15 @@ overview, which is accessible via the button in the ribbon. When the seal wizard ribbon, the wizard appears in the case of unsealed data sets, which runs in **four steps** through the configuration of the seal. -![seal button](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_1-en.webp) +![seal button](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_1-en.webp) #### 1. Apply seal -![multi-eye principe](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_2-en.webp) +![multi-eye principe](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_2-en.webp) All objects that are sealed are displayed at the beginning. Depending on the data record, this can be one object, or several. It is also possible to use existing -[Seal templates](../../../../mainmenu/extras/seal_templates/seal_templates.md). Optionally, you can +[Seal templates](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md). Optionally, you can enter a reason for each seal. #### 2. Multi-eye principle 
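Review bot: the image line under `#### 1. Apply seal` keeps the alt text `multi-eye principe`, which is misspelled and appears to describe step 2 rather than the Apply seal screenshot it sits under. Since the line is rewritten for the path change, suggest correcting the alt text at the same time so screen-reader users and broken-image fallbacks get a description that matches the step.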
@@ -63,7 +63,7 @@ users or roles the record should be sealed or released in the future. All those is to be sealed are displayed in red, while all users with the required permissions to issue a release are displayed in blue. -![example permissions](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_3-en.webp) +![example permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_3-en.webp) NOTE: All users and roles for which the data set is not sealed and which are not authorized for release are displayed in green. These can use the data record independently of the seal. @@ -72,7 +72,7 @@ To avoid having to perform any configuration manually, roles and users are copie authorizations of the data record. Compare with the "permissions" for the record (can be viewed via the ribbon). -![example permissions](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_4-en.webp) +![example permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_4-en.webp) Supervisors should issue the releases for their employees. Therefore, the checkbox also follows the existing authorizations. The following **scheme** is used: 
@@ -83,7 +83,7 @@ permissions** to the record are copied directly into the "Sealed for" column. Here is a closer look at the permissions of the role **Administrators** on the record: -![example multi-eye principe](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_5-en.webp) +![example multi-eye principe](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_5-en.webp) ## Adjusting the seal logic 
@@ -95,12 +95,12 @@ administrators has been marked in the mandatory column. This means that it must release. In summary: A total of three releases must be made, whereby the group of administrators must grant at least one release. -![edit seal](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_6-en.webp) +![edit seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_6-en.webp) In order to be not only dependent on existing authorizations on the data set, other users can also be added to the seal. The role accounting under "sealed for" has been added below. -![define permission for the seal](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_7-en.webp) +![define permission for the seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_7-en.webp) NOTE: When a role or a user is added to a seal, these users also receive permissions on the record according to the authorization granted in the seal. A role that is added under "Sealed for" receives 
@@ -120,24 +120,24 @@ Advanced seal settings allow you to adjust the multi-eye principle. Both the tim release request as well as a granted release can be configured. Multiple break defines whether after the breaking of a seal by a user, other users may still break it. -![advanced settings](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_8-en.webp) +![advanced settings](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_8-en.webp) #### 4. Saving the seal Before closing the wizard, it is possible to save the configuration for later use in the form of a -template. [Seal templates](../../../../mainmenu/extras/seal_templates/seal_templates.md) can be +template. [Seal templates](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/seal_templates/seal_templates.md) can be optionally provided with a description for the purpose of overview. -![save seal](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_9-en.webp) +![save seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_9-en.webp) ## Summary The permissions already present on the data set form the basis for any complex seal configurations. It is freely definable which users have to go through a release mechanism before accessing the password. The roles, which may be granted, are freely definable. An always accessible -[Seal overview](seals_overview/seal_overview.md) allows all authorized persons to view the current -state of the seals. 
The section on the[Release mechanism](release_mechanism/release_mechanism.md) +[Seal overview](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md) allows all authorized persons to view the current +state of the seals. The section on the[Release mechanism](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md) describes in detail the individual steps, from the initial release request to the final release. -- [Seal overview](seals_overview/seal_overview.md) -- [Release mechanism](release_mechanism/release_mechanism.md) +- [Seal overview](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md) +- [Release mechanism](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/release_mechanism/release_mechanism.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md index a1fa382561..e8f1e4d784 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview.md 
@@ -6,7 +6,7 @@ Users with the required permissions to issue the releases receive access to the existing seals at any time via the seal overview. The overview is accessible via the ribbon as well as the icon in the password field of the reading pane. -![button seal](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_1-en.webp) +![button seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_1-en.webp) ## The four states of a seal @@ -15,7 +15,7 @@ also the case when they receive the seal on the membership of a role. Functions removing existing seals are also available. In addition, the current state of the seal is displayed in the form of a release matrix. There are a total of **four states**, in which a seal can be: -![states of seal](../../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_2-en.webp) +![states of seal](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals_overview/seal_overview_2-en.webp) #### 1. Sealed diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions.md index 26c572aca2..934c92d6d4 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions.md @@ -9,11 +9,11 @@ for a limited time, such as interns or trainees. ## Configuration When configuring the -[Manual setting of permissions](../../../manual_settings/manual_setting_of_permissions.md), you can +[Manual setting of permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md), you can specify a temporary release for each role. The start date as well as the end date is selected here. You can start the configuration using the **Extras** area in the ribbon. -![temporary permission](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions-en.webp) +![temporary permission](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/temporary_permissions/temporary_permissions-en.webp) In this example, the role "trainees" was granted the read permission to a data set for two weeks. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md index bacbbae020..e2fbb4bce8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility.md @@ -2,11 +2,11 @@ ## Visibility of data -The use of a [Filter](../../../../operation_and_setup/filter/filter.md) is generally the gateway to +The use of a [Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md) is generally the gateway to displaying existing records. Nevertheless, this aspect of the visibility of the records is closely interwoven with the existing permissions structure. Naturally, a user can always only see those records for which they have at least a read Permission. This doctrine should always be taken into -consideration when handling records. [Tags](../../../../operation_and_setup/tags/tags.md) are not +consideration when handling records. [Tags](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/tags/tags.md) are not subject to any permissions and can thus always be used as filter criteria. Nevertheless, the delivered results will only contain those records for which the user themselves actually has permissions. A good example here is the tag “personal record”. Every user can mark their own record 
@@ -23,7 +23,7 @@ enables the creation of independently existing departments within a database. Th structure for the SAP form can be seen below. It shows that only the sales manager and the administrators are currently permitted to create new records of type SAP. -![example permissions on a form](../../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility-en.webp) +![example permissions on a form](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/visibility/visibility-en.webp) In general, each department can independently use forms, create passwords and manage hierarchies in this way. Especially in very sensitive areas of a company, this type of compartmentalization is diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights.md index 154f127a87..81be163768 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights.md 
@@ -5,7 +5,7 @@ The user rights section provides all of the basic information required for handling user rights . Nevertheless, the four user rights related to “predefining rights” are explained below. -![global user rights](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_1-en.webp) +![global user rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_1-en.webp) - **Can switch default rights templates:** When selecting the rights template, a diverse range of rights template groups can be selected. To be able to select a different template to the default @@ -24,4 +24,4 @@ Nevertheless, the four user rights related to “predefining rights” are expla are always authorized for records in this organisational structure. If the user right is activated: The user can remove the roles via the “x” icon: -![Permissions](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_2-en.webp) +![Permissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/relevant_user_rights/relevant_user_rights_2-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_for_predefined.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_for_predefined.md index f18fa8fc17..9935b6f2f2 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_for_predefined.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_for_predefined.md @@ -5,7 +5,7 @@ underlying objects. These objects could be passwords, forms, form fields documen applications or also other nested organisational structures in the hierarchy. In the following example, the rights template **IT general** has been defined for the organisational unit **IT**. -![rights template](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_1-en.webp) +![rights template](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_1-en.webp) If this type of “preset” has been defined, the corresponding icon is displayed at the corresponding level (= green arrow). As no other icons exist below this level, this means that the preset is valid @@ -15,7 +15,7 @@ The following example shows how a preset can be defined for when the “password not only grants the existing permissions to the roles but also provides the sales manager with read rights. -![working with rights template](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_2-en.webp) +![working with rights template](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/scope_of_validity/scope_of_validity_2-en.webp) As can be seen, the preset “IT general” is valid for all objects. An exception here is the “password” form because a unique preset has been defined for this form (blue arrow). As a result, 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md index e945248be2..43bac1f500 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights.md @@ -2,7 +2,7 @@ ## Using predefined rights when creating passwords -After you have configured [Predefining rights](../predefining_rights.md), you can then use them to +After you have configured [Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md), you can then use them to create new records. Proceed here as follows: - Select the password module 
@@ -12,11 +12,11 @@ create new records. Proceed here as follows: In the next window to appear, the organisational unit “IT” and the template group “Exchange” are selected. -![predefined rights](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_1-en.webp) +![predefined rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_1-en.webp) Here is the underlying rights template as a comparison: -![example for predefined rights](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_2-en.webp) +![example for predefined rights](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_2-en.webp) The relationship between them is obvious. It can be immediately seen that by selecting the organisational unit “IT” based on the rights configured in the rights template, permissions are @@ -27,7 +27,7 @@ granted for the roles “IT management” and also “Administrators”. **The u When using rights templates, the permissions to be granted can be very quickly classified via a **color table**. The actual permissions can also be viewed as usual via the -[Ribbon](../../../operation_and_setup/ribbon/ribbon.md). The following color key is used with the +[Ribbon](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/ribbon/ribbon.md). The following color key is used with the associated permissions: | **Color** | **Permission** | 
@@ -42,20 +42,20 @@ ribbon can be used to see whether the “move”, “export” and “print” r permissions for the selected role/user are always displayed – in this case for the role “IT management”. -![predefined rights permiissions](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_3-en.webp) +![predefined rights permiissions](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_3-en.webp) ## Conclusion -The [Manual setting of permissions](../../manual_settings/manual_setting_of_permissions.md) enables +The [Manual setting of permissions](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/manual_settings/manual_setting_of_permissions.md) enables the configuration of rights for both existing and also new records. The option of -[Predefining rights](../predefining_rights.md) represents a very efficient alternative. Instead of +[Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md) represents a very efficient alternative. Instead of having to separately grant permissions for every record, a “preset” is defined once for each organisational structure. Once this has been done, it is sufficient in future to merely select the organisational structure when creating a record. The permissions are then set automatically. This process is particularly advantageous for those users who should not set their permissions themselves. 
-![predefined rights diagram](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_4-en.webp) +![predefined rights diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/working_with_predefining_rights/working_with_predefined_rights_4-en.webp) **CAUTION:** The configuration of permissions can be carried out manually or automatically as described. If you want to change previously set permissions later, this has to be done manually. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md b/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md index 168082237c..6d290af970 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md 
@@ -5,9 +5,9 @@ The Autofill Add-on is responsible for the automatic entry of login data in applications. This enables logins without knowledge of the password, which can be a particularly valuable tool in combination with -[Password masking](../advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md). +[Password masking](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md). The -[Authorization and protection mechanisms](../web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md) +[Authorization and protection mechanisms](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md) is used to define which users should receive access. However, the password remains hidden because it is entered by Netwrix Password Secure. @@ -28,10 +28,10 @@ NOTE: The agent can control multiple databases at the same time The functionality of the Autofill Add-on is illustrated in the following diagram. -![Automatic entries diagram](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/installation_with_parameters_125-en.webp) +![Automatic entries diagram](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/installation_with_parameters_125-en.webp) RDP and SSH -sessions(![1](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/1.webp) +sessions(![1](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/1.webp) ) are not automatically started via the Autofill Add-on. Applications are created for this purpose in the Netwrix Password Secure client. The creation and use of these connections is explained in detail in the corresponding section. 
@@ -41,7 +41,7 @@ following types of connections exist: - Entering login data in Windows applications: Alongside the above-mentioned RDP and SSH sessions, other Windows applications can also be automated - (![2](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/2.webp)). + (![2](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/2.webp)). A major difference is that the two above-mentioned connections are set up and “embedded” in a separate tab. Other applications, such as e.g. VMware, are directly started as usual. In these cases, the Autofill Add-on takes over the communication between the application server and the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/configuration/configuration_autofill_add-on.md b/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/configuration/configuration_autofill_add-on.md index 12f49716b8..e77f83a6fe 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/configuration/configuration_autofill_add-on.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/configuration/configuration_autofill_add-on.md @@ -5,7 +5,7 @@ The Autofill Add-on can be directly started via the desktop link that is automatically created when it is installed. The login data correspond to the normal user data for the client. -![Login SSO](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_129-en.webp) +![Login SSO](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_129-en.webp) To log in, the desired database and the associated login data are firstly selected. The Autofill makes all of the databases configured on the client available. It is also possible to create 
@@ -20,7 +20,7 @@ thus also affect the client. New profiles can thus also be created via the Autof After successfully logging in, the Autofill Add-on firstly runs in the background. Right click on the icon in the system tray to open the context menu. -![icon options](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_130-en.webp) +![icon options](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_130-en.webp) - **Disconnect**: Connect to database/disconnect from database. (All connections are shown for multiple databases) @@ -31,7 +31,7 @@ the icon in the system tray to open the context menu. Settings -![settings sso agent](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_131-en.webp) +![settings sso agent](/img/product_docs/passwordsecure/passwordsecure/configuration/autofill_add-on/configuration/installation_with_parameters_131-en.webp) - The desktop notifications display various information, such as when data is entered - Start with Windows includes the Autofill Add-on in the autostart menu diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/errorcodes/errorcodes_of_the_lightclient.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/errorcodes/errorcodes_of_the_lightclient.md index b98951a174..9814904c34 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/errorcodes/errorcodes_of_the_lightclient.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/errorcodes/errorcodes_of_the_lightclient.md 
@@ -16,14 +16,14 @@ SavePasswordPlausibilityField The plausibility has not been fulfilled when saving a password. The mandatory fields of the deposited form should be checked. -![installation_with_parameters_156_795x595](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/errorcodes/installation_with_parameters_156_795x595.webp) +![installation_with_parameters_156_795x595](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/errorcodes/installation_with_parameters_156_795x595.webp) NoDefaultForm No standard form was selected. The form can be stored in the settings under **Standard form (for the Basic view).** -![installation_with_parameters_157](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/errorcodes/installation_with_parameters_157.webp) +![installation_with_parameters_157](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/errorcodes/installation_with_parameters_157.webp) DefaultFormNotFound diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/to_do_for_administration.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/to_do_for_administration.md index 1d37af4500..521253ffa9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/to_do_for_administration.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/to_do_for_administration.md 
@@ -39,7 +39,7 @@ There are several ways to provide/create passwords in the Basic view. Predefined passwords have already been created on the FullClient. Basic view users must at least obtain the right to read a record in order to use the password. -![installation_with_parameters_154](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/installation_with_parameters_154.webp) +![installation_with_parameters_154](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/installation_with_parameters_154.webp) #### Creating passwords via applications @@ -48,9 +48,9 @@ FullClient. By clicking on the application, the end user can easily generate sec able to use the application, the user needs at least the authorization to **read**. Further information on this topic can be found in the chapter -[Applications](../../advanced_view/clientmodule/applications/applications.md). +[Applications](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md). -![installation_with_parameters_155](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/installation_with_parameters_155.webp) +![installation_with_parameters_155](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/administration/installation_with_parameters_155.webp) #### Creating passwords via applications without applications diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/basic_view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/basic_view.md index ed77fbc4af..5685673055 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/basic_view.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/basic_view.md 
@@ -1,6 +1,6 @@ # The Basic view -![light-client-en](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/light-client-en.webp) +![light-client-en](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/light-client-en.webp) ## What is the Basic view about? @@ -10,16 +10,16 @@ intuitively and without previous knowledge or training by any user. The Basic vi up to 50 passwords. The Basic view introduces to professional password management. It is also the ideal tool for the daily handling of passwords. -![image1](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) +![image1](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) ## Requirements & required rights You don’t need any special permission to use the Basic view. However, the handling of the Basic views can be set via rights and settings. Read more in chapter -[To do for Administration](administration/to_do_for_administration.md). +[To do for Administration](/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/administration/to_do_for_administration.md). #### Installation The Basic view is installed directly with the Web Application, so you don’t need any special installation. For further information, visit the -chapter[Installation Client](../../installation/installation_client/installation_client.md) +chapter[Installation Client](/docs/passwordsecure/9.2/passwordsecure/installation/installation_client/installation_client.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/checklist/checklist_of_the_basic_view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/checklist/checklist_of_the_basic_view.md index c190590ee0..8ce293e012 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/checklist/checklist_of_the_basic_view.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/checklist/checklist_of_the_basic_view.md @@ -27,7 +27,7 @@ You can either define the user directly as Basic view user. This works by changi accordingly. Alternatively, you can activate the setting **Start Basic view at next login.** This will prompt the user to log in to the Basic view. -![image2](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/checklist/image2.webp) +![image2](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/checklist/image2.webp) 5. Add default applications (optional) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/password_management/password_management.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/password_management/password_management.md index aa0664a645..f6496fee6a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/password_management/password_management.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/password_management/password_management.md 
@@ -13,18 +13,18 @@ can be found here: To do for the administration **Prerequisite:** An existing application is available. It does not matter whether this is an SSO, web, RDP, or SSH application. -![create password](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-password-en.webp) +![create password](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-password-en.webp) NOTE: Managing and creating the corresponding applications is the responsibility of the in-house administration. How to create an application can be read here and in the following chapters. Clicking on the existing application opens a window that asks for the user name and password. -![create-password-light](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-password-light.webp) +![create-password-light](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-password-light.webp) Once these fields are filled in, the record is created. -![created record](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/apple-icon-en.webp) +![created record](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/apple-icon-en.webp) Now the record can be opened by clicking on the corresponding tile. 
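Review bot: In the `@@ -13,18 +13,18 @@` hunk of password_management.md, the NOTE line "How to create an application can be read here and in the following chapters" has no link behind "here", and the hunk header context shows the same pattern ("can be found here: To do for the administration"). Since this change is already a link-normalization pass, give both references a real target in the new absolute form, for example the Applications topic at `/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/applications.md` that this patch uses in the Basic view administration page, if that is the intended destination.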
@@ -39,18 +39,18 @@ not matter in which tab the user is located. If a rights template is defined for organizational unit, then this template will take effect at this point. It is also possible to define one or more corresponding tags for the data set. -![create new password](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-new-password-en.webp) +![create new password](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-new-password-en.webp) -![create-light-client](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-light-client.webp) +![create-light-client](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/create-light-client.webp) In the next step, an application can be added to the newly created data record, if one already exists. To do this, go to the Linked Applications tab. -![linked applications](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/linked-applications-en.webp) +![linked applications](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/linked-applications-en.webp) Then the whole process is completed by clicking the "Finish" button. -![netwrix logo](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/netwrix-logo-en.webp) +![netwrix logo](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/netwrix-logo-en.webp) ## Changing and deleting passwords 
@@ -59,4 +59,4 @@ cursor. The control button will appear. When you click the button, you will be offered the "Edit" and "Delete" options, among others. -![options record light client](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/options-en.webp) +![options record light client](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/password_management/options-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/start_and_login/start_and_login_basic_view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/start_and_login/start_and_login_basic_view.md index c6d8104ef7..216f08373b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/start_and_login/start_and_login_basic_view.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/start_and_login/start_and_login_basic_view.md @@ -12,7 +12,7 @@ local user: e.g. administrator (user name administrator) -![image3](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/image3.webp) +![image3](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/image3.webp) AD User: @@ -22,7 +22,7 @@ There are 2 possibilities here: 2. domain and username (e.g. nps\administrator) -![image4](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/image4.webp) +![image4](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/image4.webp) **CAUTION:** Please ask your administrator if you are not sure which login details apply to you! 
@@ -37,10 +37,10 @@ or - in the Web Application. To switch from the Web Application to the Basic view web view, you have to click on your profile name. There you will be offered the option **"Switch to the Basic view"**. -![switch to lightclient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/switch-to-lc-wc-en.webp) +![switch to lightclient](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/switch-to-lc-wc-en.webp) The Basic view web view is in no way inferior to the Basic view. The same functions are given except for the download of the favicons (icon, symbol or logo used by web browsers to mark a website in a recognizable way). -![LightClient in WebClient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/wc-lc-en.webp) +![LightClient in WebClient](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/start_and_login/wc-lc-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/tab_system/tab_system.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/tab_system/tab_system.md index d5d648a6a8..3a554003f0 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/tab_system/tab_system.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/tab_system/tab_system.md @@ -5,7 +5,7 @@ The tab system helps to structure the passwords in order to manage and find them more easily. For this purpose, several tabs can be created and switched between them with a click. -![tabs LightClient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/tabs-lc-en.webp) +![tabs LightClient](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/tabs-lc-en.webp) ## Personal and public tabs 
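Review bot: The alt text in the `@@ -5,7 +5,7 @@` hunk of tab_system.md still reads `tabs LightClient`, while the page text calls this client "Basic view" throughout; the start_and_login hunk before it has the same mismatch with `switch to lightclient` and `LightClient in WebClient` next to text that says "Basic view" and "Web Application". Alt text is what a screen reader or a failed image load presents, so it should carry the current product terms; update it in the same pass as the path change, for example `Basic view tabs`.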
@@ -13,24 +13,24 @@ Basic view distinguishes between personal and public tabs. The personal tab cont that are exclusively in the organizational unit of the logged-in user. In Advanced view, these are the passwords assigned to the personal organizational unit -![tabs](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/tab-lc-1-en.webp) +![tabs](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/tab-lc-1-en.webp) Furthermore, public tabs are also available. These correspond to the public organizational units on the Advanced view. It is also possible to store all public organizational units as public tabs. No upper limit is set here. -![public tab](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/public-tab-en.webp) +![public tab](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/public-tab-en.webp) ## Showing and hiding tabs The public tabs can be shown and hidden as needed. The X closes the current tab. -![close tab](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/close-tab-en.webp) +![close tab](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/close-tab-en.webp) A public tab can be displayed again with a simple click on the +. -![select organisational unit](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/select-ou-en.webp) +![select organisational unit](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/tab_system/select-ou-en.webp) In the subsequent dialog, only the desired organizational unit must be selected and confirmed with OK. All organizational units to which the user is authorized are available here. 
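Review bot: The context line before the first image in the `@@ -13,24 +13,24 @@` hunk, "In Advanced view, these are the passwords assigned to the personal organizational unit", is missing its final period, and the last image's alt text `select organisational unit` uses a different spelling from the "organizational unit" used in every sentence around it. Both are small, but they sit on or next to lines this patch rewrites, so fix them here rather than in a separate pass.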
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/view/view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/view/view.md index d661e3a313..d9511838fb 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/view/view.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/basic_view/view/view.md 
@@ -8,30 +8,30 @@ the password is not available, a reduced Outlook view is displayed. 1. view of a Basic view button with stored logo -![apple-logo](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/apple-logo.webp) +![apple-logo](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/apple-logo.webp) 2. view of a Basic view button without logo, but with deposited web address -![mindfactory-logo](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/mindfactory-logo.webp) +![mindfactory-logo](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/mindfactory-logo.webp) 3. view of a Basic view button without stored web address/logo -![sql-server-log](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/sql-server-log.webp) +![sql-server-log](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/sql-server-log.webp) Click on the tile to open the application. -![SSO LightClient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/sso-lc-en.webp) +![SSO LightClient](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/sso-lc-en.webp) The tiles can be dragged and dropped to the desired position -![move tiles](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/move-tiles-en.webp) +![move tiles](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/move-tiles-en.webp) ## Mouseover As with add-ons, the control button is displayed as soon as you hover the mouse over the corresponding elements. This process is known as "mouseover". 
-![View LightClient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/view-lc-en.webp) +![View LightClient](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/view/view-lc-en.webp) When you click the button, the following options become visible: @@ -54,5 +54,5 @@ Please point this out to your in-house administrator if this is not the case for Usually, the setup of logos/icons in the i**mage management** is done by the in-house administration. You can learn more about this in the FullClient -[Image management](../../advanced_view/mainmenu/extras/image_management/image_manager.md) +[Image management](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/extras/image_management/image_manager.md) documentation. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/applications/applications_add-on.md b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/applications/applications_add-on.md index 7f20b40f46..49f4605e2b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/applications/applications_add-on.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/applications/applications_add-on.md 
@@ -9,7 +9,7 @@ application manually. These applications correspond to working guidelines that p which information should be entered into which target field. The full script that describes the assignment is called an “**application**”. -![registration with and without application](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_142-en.webp) +![registration with and without application](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_142-en.webp) The diagram starts with the user navigating to a website. The application server is then checked to see whether a record has been saved for this website for which the currently registered user also @@ -38,9 +38,9 @@ are used to enter information into the fields. It thus assigns fields in the rec associated fields on the website. This mapping process only needs to be configured once. The applications is responsible for entering data in the fields on the website from then on. In the following example, the data entry process is carried out from the client. Naturally, this is also -possible via [Browser Add-ons](../browser_add-ons.md). The procedure remains the same. +possible via [Browser Add-ons](/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md). The procedure remains the same. -![installation_with_parameters_143](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_143.webp) +![installation_with_parameters_143](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_143.webp) The URL is checked to see whether the record matches the web page. It is only necessary for the hostname including the domain suffix (“.de” or “.com”) to match. 
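Review bot: The rewritten cross-reference in the `@@ -38,9 +38,9 @@` hunk, `/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md`, hard-codes the `9.2` version segment where the relative `../browser_add-ons.md` was version-independent. If this directory is copied for a later release, the link will keep pointing at the 9.2 page instead of the new version's copy; confirm that is intended or that the versioning step rewrites these paths. In the same paragraph, the context line "The applications is responsible" should read "The application is responsible", and the alt text `installation_with_parameters_143` is a file name rather than a description of the screenshot.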
@@ -53,11 +53,11 @@ If the login mask on a website cannot be automatically completed, it is necessar an application. To create an application, the desired website is first called up. The add-on is then started via the relevant icon. The menu item “Create application\* can be found here -![create application](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_144-en.webp) +![create application](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_144-en.webp) A modal window now opens. The actual application is now created here. -![modal application window](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_145-en.webp) +![modal application window](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_145-en.webp) The following options are available: 
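Review bot: The context line directly above the first changed image in the `@@ -53,11 +53,11 @@` hunk, `The menu item “Create application\* can be found here`, opens a curly quote and closes it with an escaped asterisk, and it has no final period. This looks like a bold or quote marker damaged in conversion; since the adjacent line is being edited, restore it to `“Create application”` (or bold, matching the rest of the page) and end the sentence.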
@@ -71,13 +71,13 @@ To capture, click on the first field to be filled on the website. It will be dir list in the modal window. For better identification, fields that belong together are marked in colour. -![choosed application field](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_146-en.webp) +![choosed application field](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_146-en.webp) The field type (e.g. INPUT) and the field label are displayed in the field itself. In addition, an action is proposed which fits the field type, such as e.g. entering the user name. The action can naturally be adjusted if required. Once all fields have been captured, the system checks whether the actions are correct. Finally, the application can be saved. -![example for a application](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_147-en.webp) +![example for a application](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/applications/installation_with_parameters_147-en.webp) The saved application is now available for the user and can be used via the add-on. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md index 7af6cd2112..1aa775fffa 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/browser_add-ons.md 
@@ -14,7 +14,7 @@ Currently, add-ons are available for the following browsers: - Mozilla Firefox - Safari -![Add-on Browser](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-connections-en.webp) +![Add-on Browser](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-connections-en.webp) ## Installation @@ -27,7 +27,7 @@ browser. A window appears in which the security of the connection is confirmed. with a simple click. A new icon will also be displayed in the desired browser from this point onwards: -![Icon Add-on](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-icon-en.webp) +![Icon Add-on](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-icon-en.webp) If the icon is displayed as shown, it means that although the add-on has been installed. 
@@ -40,14 +40,14 @@ First, the database profile can be created manually. Therefore, he following inf required: IP address, Web Application URL and database name. Please note that /api is appended to the end of the IP address. -![database profil](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/manual-database-profile-en.webp) +![database profil](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/manual-database-profile-en.webp) It is also possible that the database profile is filled out automatically. For this, you need to log on to a database via Web Application. By clicking on the add-on in the Web Application, its profile can be taken over. Now all necessary information such as profile name, IP address, Web Application and database name are transferred. -![Adopt WebClient profile](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/adopt-database-profile-en.webp) +![Adopt WebClient profile](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/adopt-database-profile-en.webp) ## The server mode benefits @@ -61,7 +61,7 @@ mode and the Autofill Add-on has not been started, SSO applications do not work! After successful connection, the number of data records available for the current Internet page is displayed on the icon. -![record found](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/record-found-en.webp) +![record found](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/record-found-en.webp) ## Settings 
@@ -90,7 +90,7 @@ The subscript number mentioned in the previous section is only available with ac therefore already says a lot about the “Number of possible entries”. For example, if the number “2” is shown, you can directly select the account you want to log in with. -![Addon list](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-records-list.webp) +![Addon list](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-records-list.webp) Previously, the prerequisite was that you had to navigate manually to the precise website via the browser that you actually wanted to use. This navigation can now also be handled by Netwrix Password @@ -103,7 +103,7 @@ automatically enter login data. This way of working is possible but is not conve add-on can be used in a similar way to bookmarks. The search field can be used to search for the record in the database. The prerequisite is again that the record contains a URL. -![Record usage](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-records-usage-en.webp) +![Record usage](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-records-usage-en.webp) The screenshot shows that the URL and the name of the record (Wikipedia) are searched. The results for the search are displayed and can be selected using the arrow buttons or the mouse. The selected 
@@ -115,7 +115,7 @@ If a user opens a page and multiple passwords with the autofill function are pos website, no entries will be made unlike in older versions. Instead, the following message appears in a pop-up: -![Multiple entries](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-multiple-passwords-en.webp) +![Multiple entries](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/addon-multiple-passwords-en.webp) However, if the autofill function is only activated for one password but multiple passwords are possible, the password with the autofill function is entered. If the user clicks on a record in the diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/how_to_save_passwords.md b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/how_to_save_passwords.md index fdf79c4ff7..5c1640e566 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/how_to_save_passwords.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/how_to_save_passwords.md 
@@ -10,13 +10,13 @@ With the setup and login via server mode, the access data can now be added autom visiting a website whose credentials have not yet been stored in Netwrix Password Secure, you get automatically asked whether they should be created. -![new password detected](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/addon-create-password-en.webp) +![new password detected](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/addon-create-password-en.webp) By confirming, you will be directly forwarded to the Web Application and registered there. If there are less fields in the deposited or selected form than in the login mask, the missing fields are automatically created as web form fields by default. -![WebClient prefilled](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/webclient-prefilled-form-en.webp) +![WebClient prefilled](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/webclient-prefilled-form-en.webp) Known access data 
@@ -25,13 +25,13 @@ this, log on to the login screen of the changed page as usual. Thereupon a messa access data has been recognized. Now you can optionally decide to create a new dataset or update an already known dataset. -![data was recognized](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_151-en.webp) +![data was recognized](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_151-en.webp) - **Save password**: The password will be exchanged without opening the Web Application. - **check changes**: The Web Application is opened and you are logged in. The previous password has been replaced by the new one. However, the storage must be carried out manually. -![data was recognized](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_152-en.webp) +![data was recognized](/img/product_docs/passwordsecure/passwordsecure/configuration/browseradd-ons/how_to_save_passwords/installation_with_parameters_152-en.webp) The following prerequisites apply so that a data record is considered to already exist: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/passwords/passwords_mobileapp.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/passwords/passwords_mobileapp.md index a2881b9b8f..d128aef290 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/passwords/passwords_mobileapp.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/passwords/passwords_mobileapp.md 
@@ -7,7 +7,7 @@ In principle, there are two types of passwords. **Global** and **personal** pass Global passwords are passwords that are assigned to an organizational unit. These passwords are usually used by more than one user. -![Mobile App - global passwords](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/global-passwords-ma-en.webp) +![Mobile App - global passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/global-passwords-ma-en.webp) Prerequisites @@ -20,7 +20,7 @@ The following prerequisites must be met in order to create new global passwords: Personal passwords are passwords to which only the creating user is authorized. -![MobileApp - personal passwords](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/personal-passwords-ma-en.webp) +![MobileApp - personal passwords](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/personal-passwords-ma-en.webp) Requirement 
@@ -35,29 +35,29 @@ When creating a new record, it is necessary to know whether it is a personal or Because according to this criterion you should select the appropriate tab and click on the + located in the upper right corner. -![create new password](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/create-new-password-ma-en.webp) +![create new password](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/create-new-password-ma-en.webp) After that, select the required **form**. -![select form](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/select-form-ma-en.webp) +![select form](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/select-form-ma-en.webp) Then, once you have filled in all the relevant information of the selected form, one click on **Save** is enough to create the password. -![new entry MobileApp](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/new-entry-ma-en.webp) +![new entry MobileApp](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/new-entry-ma-en.webp) #### Editing passwords To edit a password, click on the corresponding password and select the pencil icon. -![editing password](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/new-entry-ma-2-en.webp) +![editing password](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/new-entry-ma-2-en.webp) As soon as you click on the pencil icon again in the new window, in the so-called read-only view, you can edit all existing fields. 
-![edit passwordfield MobileApp](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-passwordfield-ma-en.webp) +![edit passwordfield MobileApp](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-passwordfield-ma-en.webp) -![edit passwordfield](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-entry-ma-2-en.webp) +![edit passwordfield](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-entry-ma-2-en.webp) #### Delete @@ -67,7 +67,7 @@ Passwords can currently only be deleted via the Full- or Web Application. Tags can be added or removed both when creating and editing a password. -![MobileApp - Tags](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-tag-ma-en.webp) +![MobileApp - Tags](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/edit-tag-ma-en.webp) It is also possible to create a completely new tag. @@ -76,4 +76,4 @@ already exist. You will then be offered the option of creating this previously non-existent tag. -![Mobileapp - select/create tag](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/select-tag-ma-en.webp) +![Mobileapp - select/create tag](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/passwords/select-tag-ma-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md index 816b996a68..115d8aa703 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md @@ -3,8 +3,8 @@ As soon as you are logged in to the **Netwrix Password Secure App**, you can access the **settings** via the three dots at the very top left of the screen. These will be briefly explained here. -![MobileApp - settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/settings/settings-ma-en.webp) -![MobileApp - settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/settings/settings-2-ma-en.webp) +![MobileApp - settings](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/settings/settings-ma-en.webp) +![MobileApp - settings](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/settings/settings-2-ma-en.webp) #### General @@ -46,7 +46,7 @@ Synchronize now Starts the synchronization. This can also be started outside the settings at any time by simply swiping down. More information can also be found in the chapter -[Synchronization](../synchronization/synchronization.md). +[Synchronization](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/synchronization/synchronization.md). Fix sync errors diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/biometric_login/biometric_login.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/biometric_login/biometric_login.md index 29875b5ca6..e62b326669 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/biometric_login/biometric_login.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/biometric_login/biometric_login.md 
@@ -6,4 +6,4 @@ the app suggests (depending on the type of smartphone) the use of Touch ID or fi or facial recognition. Clicking **Yes** here is sufficient to log in to the database in the future using the respective biometric feature. -![setup face ID](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/biometric_login/setup-face-id-en.webp) +![setup face ID](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/biometric_login/setup-face-id-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/installation_app/installation_of_the_app.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/installation_app/installation_of_the_app.md index f1672d53c6..25571a80af 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/installation_app/installation_of_the_app.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/installation_app/installation_of_the_app.md @@ -3,9 +3,9 @@ The Netwrix Password Secure app is installed as usual via the Apple Store or Google Playstore. The apps can be found under the following links: -![App store](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/installation_app/appstore-icon.webp) +![App store](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/installation_app/appstore-icon.webp) -![Google Play](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/installation_app/android-icon.webp) +![Google Play](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/installation_app/android-icon.webp) #### Requirements 
@@ -17,12 +17,12 @@ The **Netwrix Password Secure Apps** can be installed on the following systems: **Web Application**: Since the app connects via the Web Application, it is mandatory to have it installed. The documentation of the Web Application installation can be seen in the chapter -[Installation Web Application](../../../../installation/installation_web_application/installation_web_application.md) +[Installation Web Application](/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md) **Port**: The connection is made via https port 443, which must be enabled on the server side. -[User rights](../../../advanced_view/mainmenu/user_rights/user_rights.md)**:** The users need the +[User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md)**:** The users need the right **Can synchronize with mobile devices.** -[Database properties](../../../server_manager/database_properties/database_properties.md): It must +[Database properties](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md): It must be ensured that the Enable mobile synchronization option is set. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/linking_database/linking_the_database.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/linking_database/linking_the_database.md index b9070ad857..168968349c 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/linking_database/linking_the_database.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/linking_database/linking_the_database.md 
@@ -12,17 +12,17 @@ If the database is to be linked manually, the dialog for creating the link is fi the + in the top right-hand corner. Here the address of the Web Application is entered and confirmed with a click on Connect. -![Create link](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/create-link-ma-en.webp) +![Create link](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/create-link-ma-en.webp) In the next step, all available databases are displayed. The desired one can be selected by clicking on it. -![choose link](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/choose-created-link-en.webp) +![choose link](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/choose-created-link-en.webp) Finally, the login with user name and password takes place. In addition, a meaningful name can be assigned. -![log in with your data](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp) +![log in with your data](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp) #### Link via QR code 
@@ -31,21 +31,21 @@ Fulluser The quickest way to create a link is via a QR code. To do this, first log in to the client. You will find the corresponding QR code in the Backstage under Account: -![QR-code](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/link-via-qr-code-en.webp) +![QR-code](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/link-via-qr-code-en.webp) Then click on the button for the QR code in the app. In the following dialog, the QR code is simply photographed from the monitor. The mobile database is now created directly in the background and linked to the database on the server. In the next step, you can give the database profile a meaningful name and log in directly: -![log in with your data](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp) +![log in with your data](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/integration-ma-en.webp) LightUser Using the Light view, the user must click on their user account and click on the **Account** option -![Account LightClient](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/account-lc-2-en.webp) +![Account LightClient](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/account-lc-2-en.webp) This will open a window where you can use the QR code to scan the database. -![QR code lightclient](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/account-lc-3-en.webp) +![QR code lightclient](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/linking_database/account-lc-3-en.webp) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/setting_up_autofill.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/setting_up_autofill.md index 2c4bd66fd3..6eace572d0 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/setting_up_autofill.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/setting_up_autofill.md @@ -13,7 +13,7 @@ selects Netwrix Password Secure. RECOMMENDED: We recommend deactivating the **keychain (iOS)** as well as any other apps offered to prevent misunderstandings in usage. -![password options](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/password-options-en.webp) +![password options](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/password-options-en.webp) #### Setting up automatic registration on Android diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setup_mobile_device.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setup_mobile_device.md index 740ab31f43..cc18401092 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setup_mobile_device.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setup_mobile_device.md 
@@ -3,16 +3,16 @@ ## Requirements Netwrix Password Secure Mobile Apps automatically synchronize with an existing Netwrix Password -Secure database. The [Web Application](../../web_applicaiton/web_application.md) is used as the +Secure database. The [Web Application](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md) is used as the interface for this. This must therefore be installed. In addition, the database must be enabled for -use with mobile devices on the [Server Manager](../../server_manager/server_manger.md). +use with mobile devices on the [Server Manager](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/server_manger.md). #### Setup and configuration The setup and initial configuration of the **Netwrix Password Secure App** is explained in the following chapters: -- [Installation of the App / Requirements](installation_app/installation_of_the_app.md) -- [Linking the database](linking_database/linking_the_database.md) -- [Biometric login](biometric_login/biometric_login.md) -- [Setting up autofill](setting_up_autofill/setting_up_autofill.md) +- [Installation of the App / Requirements](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/installation_app/installation_of_the_app.md) +- [Linking the database](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/linking_database/linking_the_database.md) +- [Biometric login](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/biometric_login/biometric_login.md) +- [Setting up autofill](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/setup/setting_up_autofill/setting_up_autofill.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/synchronization/synchronization.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/synchronization/synchronization.md index 2e7b5c24bb..98b105a653 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/synchronization/synchronization.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/synchronization/synchronization.md @@ -7,7 +7,7 @@ automatically synchronized in the background. Synchronization logic First of all, it is important to note how the synchronization has been configured in the -[Settings](../settings/settings_mobileapp.md). A prerequisite for successful synchronization is that +[Settings](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md). A prerequisite for successful synchronization is that the configured connection is available. This is done via https port 443, which must be enabled on the server side. Once the prerequisites have been met, there are the following triggers for synchronization: @@ -31,4 +31,4 @@ on both devices. Settings for synchronization -The configuration is described in the chapter [Settings](../settings/settings_mobileapp.md) +The configuration is described in the chapter [Settings](/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/settings/settings_mobileapp.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/tabs/tabs.md b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/tabs/tabs.md index 0e076fad03..1ea6a80e4d 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/tabs/tabs.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/mobiledevices/tabs/tabs.md 
@@ -3,17 +3,17 @@ Once you have successfully logged in, you will find yourself in the view where all the user's passwords are located. -![all passwords in mobile app](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/all-passwords-ma-en.webp) +![all passwords in mobile app](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/all-passwords-ma-en.webp) Here you have the following options: Action menu With a click on -![three-points-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/three-points-en.webp) +![three-points-en](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/three-points-en.webp) the action menu is opened. -![actions mobile app](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/actions-ma-en.webp) +![actions mobile app](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/actions-ma-en.webp) The following actions are offered: @@ -27,11 +27,11 @@ Tabs Below the passwords there is a bar for managing tabs. -![manage tabs](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/all-passwords-ma-2-en.webp) +![manage tabs](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/all-passwords-ma-2-en.webp) By clicking on the plus sign there is a possibility to add more tabs. -![add tabs](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/add-tabs-ma.webp) +![add tabs](/img/product_docs/passwordsecure/passwordsecure/configuration/mobiledevices/tabs/add-tabs-ma.webp) These tabs are organizational units that the user can see. By default, the tabs **"All passwords"** and **"Personal"** are stored. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/offline_client.md b/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/offline_client.md index d8ab57662c..c70c944f08 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/offline_client.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/offline_client.md @@ -4,7 +4,7 @@ The Offline Add-on enables you to work without an active connection to the Netwrix Password Secure server. If the corresponding setting has been configured -([Setup and sync](setup/setup_and_sync.md)), the local copy of the server database will be +([Setup and sync](/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/setup/setup_and_sync.md)), the local copy of the server database will be automatically synchronized according to freely definable cycles. This ensures that you can always use a (relatively) up-to-date version of the database offline. 
@@ -25,22 +25,22 @@ together with the creation of the offline database. #### Operation Operation of the Offline Add-on is generally based on the -[Operation and setup](../server_manager/operation_and_setup/operation_and_setup_admin_client.md). +[Operation and setup](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/operation_and_setup/operation_and_setup_admin_client.md). Since the Offline Add-on only has a limited range of functions, the following must be taken into account with regards to its operation: - There is no dashboard - Only the password module is available - The filter is not available. Records are found using the - [Search](../advanced_view/operation_and_setup/search/search.md) + [Search](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/search/search.md) - The automatic login data entry can be performed via the - [Autofill Add-on](../autofill_add-on/autofill_add-on.md), independently of the Offline Add-on + [Autofill Add-on](/docs/passwordsecure/9.2/passwordsecure/configuration/autofill_add-on/autofill_add-on.md), independently of the Offline Add-on -![Offline Client](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/installation_with_parameters_264-en.webp) +![Offline Client](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/installation_with_parameters_264-en.webp) #### What data is synchronised? -[Seals](../advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) +[Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) enhance the security concept in Netwrix Password Secure to include a double-check principle that can be defined in fine detail. This means that releases for protected information are linked to the positive authentication of one or more users. 
Naturally, it is not possible to issue these releases diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/setup/setup_and_sync.md b/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/setup/setup_and_sync.md index bcbd74e306..1f69f6a4d3 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/setup/setup_and_sync.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/setup/setup_and_sync.md 
@@ -13,18 +13,18 @@ is carried out separately for each database in the database view in the Server M “General settings” (right click on the database). This is also possible to do when the database is initially created. -![Properties](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_265-en.webp) +![Properties](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_265-en.webp) You will find further information on this subject in the -sections:[ Creating databases](../../server_manager/creatingdatabase/creating_databases.md) and -[Managing databases](../../server_manager/managing_databases/managing_databases.md) +sections:[ Creating databases](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/creatingdatabase/creating_databases.md) and +[Managing databases](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md) User rights The user requires the “offline mode” right. In addition, how long offline mode can be used without a server connection can be defined in the user rights. -![User rights](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_266-en.webp) +![User rights](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_266-en.webp) Creating an offline database 
@@ -32,7 +32,7 @@ The synchronization with the offline database can generally be carried out autom **the first synchronization must be carried out manually**. The synchronization is started via the Main menu/Account. -![account-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/account-en.webp) +![account-en](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/account-en.webp) NOTE: The offline databases are stored locally under the following path: %appdata%\MATESO\Password Safe and Repository Client\OfflineDB @@ -45,7 +45,7 @@ possible to use several offline databases with an Offline Add-on. In order to keep the data always consistent, the offline database must be synchronized regularly. Synchronization is automatically performed by the client in the background. The interval can be freely configured in the -[User settings](../../advanced_view/mainmenu/user_settings/user_settings.md). The synchronization is +[User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md). The synchronization is completed every 30 minutes by default. When creating and editing records, it is also possible to synchronize outside of the synchronization cycle so that the changes are directly available offline. In addition, the synchronization can also be started manually in Backstage via “Account”. 
@@ -53,17 +53,17 @@ In addition, the synchronization can also be started manually in Backstage via A running synchronization is displayed in the icon in the task bar as well as by a status bar in the client: -![progress icon](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/progress-icon-en_64x53.webp) +![progress icon](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/progress-icon-en_64x53.webp) -![installation_with_parameters_269](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_269.webp) +![installation_with_parameters_269](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_269.webp) As soon as the synchronization is completed, this is indicated by a hint. -![notification "offline sync completed"](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/offline-sync-completed-en_383x75.webp) +![notification "offline sync completed"](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/offline-sync-completed-en_383x75.webp) #### Relevant settings -![installation_with_parameters_271](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_271.webp) +![installation_with_parameters_271](/img/product_docs/passwordsecure/passwordsecure/configuration/offlineclient/setup/installation_with_parameters_271.webp) Offline mode can be configured and personalized using the four settings mentioned: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md index 2bff3c5741..3bd5b8b9cc 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md @@ -6,13 +6,13 @@ Within the basic configuration, the connection to the SQL server or to the datab basic configuration appears the first time the Server Manager is started and can be called up at any time in the basic configuration. -![base configuration](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_188-en.webp) +![base configuration](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_188-en.webp) ## The basic configuration A special wizard is available to carry out the configuration: -![Baseconfig](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_189-en.webp) +![Baseconfig](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_189-en.webp) #### Service address 
@@ -35,7 +35,7 @@ server and create databases. Under “SQL Server instance” the database server must be specified, including the SQL instance. For simplicity, you can copy the server name from the login window of the SQL server. -![installation_with_parameters_190](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_190.webp) +![installation_with_parameters_190](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/baseconfiguration/installation_with_parameters_190.webp) If the option “Service user” is selected, enter the user that logs on to the SQL Server. Please note that “dbCreator” rights are necessary to create a configuration database. “dbOwner” rights are diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md index e1db7fb6d9..552873d315 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md 
@@ -8,23 +8,23 @@ that they are carefully backed up. The individual certificates are described in the following sections: -- [SSL connection certificates](ssl_connection_certificates.md) -- [Database certificates](database_certificates.md) -- [Master Key certificates](master_key_certificates.md) -- [Discovery service certificates](discovery_service_certificates.md)s -- [Password Reset certificates](password_reset_certificates.md) +- [SSL connection certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/ssl_connection_certificates.md) +- [Database certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/database_certificates.md) +- [Master Key certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/master_key_certificates.md) +- [Discovery service certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/discovery_service_certificates.md)s +- [Password Reset certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/password_reset_certificates.md) ## Calling up the certificate manager There are two ways to open the certificate manager. 
The certificates for each specific database can be managed via the ribbon: -![installation_with_parameters_196_647x73](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_196_647x73.webp) +![installation_with_parameters_196_647x73](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_196_647x73.webp) In the **Main menu**, it is also possible to start the certificate manager for all databases via the **basic configuration:** -![base configuration](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_197-en.webp) +![base configuration](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_197-en.webp) NOTE: Operation of the certificate manager is always the same. The only difference is whether the certificates are displayed for each database or for all databases. 
@@ -34,12 +34,12 @@ certificates are displayed for each database or for all databases. After opening the certificate manager, all certificates specific to Netwrix Password Secure will be displayed. Clicking on the certificate will display further information. -![installation_with_parameters_198](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_198.webp) +![installation_with_parameters_198](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_198.webp) Double clicking on a certificate will open the Windows Certificate Manger to provide more detailed information. -![installation_with_parameters_199_423x396](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_199_423x396.webp) +![installation_with_parameters_199_423x396](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_199_423x396.webp) #### Required certificates / deleting no longer required certificates @@ -48,7 +48,7 @@ required. Clicking on **All** will also display the no longer required certifica is possible that outdated certificates exist on the machine due to a test installation. These certificates can be easily deleted via the corresponding button in the ribbon. -![certificates-ac-4-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/certificates-ac-4-en.webp) +![certificates-ac-4-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/certificates-ac-4-en.webp) #### Importing certificates 
@@ -70,7 +70,7 @@ You can define whether every certificate should be saved to its own file in the this option has not been activated, all relevant certificates will be backed up in one file. In addition, the storage location is defined in the settings. -![installation_with_parameters_201_826x310](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_201_826x310.webp) +![installation_with_parameters_201_826x310](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_201_826x310.webp) #### Backing up certificates diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/database_certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/database_certificates.md index 57a6920b7b..acfaa83ab5 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/database_certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/database_certificates.md @@ -4,7 +4,7 @@ A unique certificate is created for each database. This has the name **psrDatabaseKey**: -![installation_with_parameters_207](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_207.webp) +![installation_with_parameters_207](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_207.webp) The database certificate **does not encrypt the database.** Rather, it is used for the encrypted transfer of passwords from the client to the server in the following cases: 
@@ -23,5 +23,5 @@ is also transferred! #### Exporting and importing the certificate -The section [Certificates](certificates.md) explains how to back up the certificate and link it +The section [Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md) explains how to back up the certificate and link it again. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/discovery_service_certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/discovery_service_certificates.md index d4fa3ee668..894721413d 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/discovery_service_certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/discovery_service_certificates.md @@ -4,7 +4,7 @@ If a discovery service is created, a corresponding certificate is also created: -![installation_with_parameters_202](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_202.webp) +![installation_with_parameters_202](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_202.webp) NOTE: The discovery service certificate cannot be replaced by your own certificate. @@ -16,5 +16,5 @@ service certificate is also transferred!** #### Exporting and importing the certificate -The section [Certificates](certificates.md)explains how to back up the certificate and link it +The section [Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md)explains how to back up the certificate and link it again. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/master_key_certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/master_key_certificates.md index bb29a272ae..1fc3e19d3a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/master_key_certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/master_key_certificates.md @@ -3,12 +3,12 @@ #### What is a Master Key certificate? If Active Directory is accessed via -[Masterkey mode](../../advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md), +[Masterkey mode](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/masterkey_mode.md), a certificate will be created. This has the name Active Directory: Domain: -![installation_with_parameters_208](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_208.webp) +![installation_with_parameters_208](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_208.webp) NOTE: The Master Key certificate cannot be replaced by your own certificate. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/nps_server_encryption_certificate.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/nps_server_encryption_certificate.md index 5d4a2c1b45..182449565c 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/nps_server_encryption_certificate.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/nps_server_encryption_certificate.md 
@@ -3,7 +3,7 @@ With the update to the version 8.16.0 the Netwrix Password Secure Server Encryption Certificate will be added automatically. -![NPS Server Encryption](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/nps-server-encryption_1014x771.webp) +![NPS Server Encryption](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/nps-server-encryption_1014x771.webp) This certificate is important if you will activate an offline license. In future there will be more features for which this certificate is relevant. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/password_reset_certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/password_reset_certificates.md index 760b704ee2..56d0c56661 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/password_reset_certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/password_reset_certificates.md @@ -2,11 +2,11 @@ ## What is a Netwrix Password Secure certificate? -If a [Password Reset](../../advanced_view/clientmodule/passwordreset/password_reset.md) is created, +If a [Password Reset](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md) is created, a corresponding certificate is created. This ensures that the passwords are transferred in encrypted form. -![password-reset](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/password-reset.webp) +![password-reset](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/password-reset.webp) NOTE: The Password Reset certificate cannot be replaced by your own certificate. 
@@ -18,5 +18,5 @@ Reset certificate is also transferred! #### Exporting and importing the certificate -The section [Certificates](certificates.md)explains how to back up the certificate and link it +The section [Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md)explains how to back up the certificate and link it again. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/ssl_connection_certificates.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/ssl_connection_certificates.md index 42937d7bf6..7f04407d6c 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/ssl_connection_certificates.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/ssl_connection_certificates.md @@ -13,7 +13,7 @@ Otherwise, the following message will appear when the client is started: The connection to the server is not considered secure. -![not_trusted_certificates](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/not_trusted_certificates.webp) +![not_trusted_certificates](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/not_trusted_certificates.webp) NOTE: Windows Server 2012 R2 requires the latest patch level, since it has been delivered with SSL3, and has been extended to include TLS 1.2 
@@ -39,7 +39,7 @@ NOTE: All information (including the IP address) are stored as DNS name. #### Using the Netwrix Password Secure certificate The name of the PSR certificate is **PSR8Server**. This can be done via the -[Basic configuration](../baseconfiguration/basic_configuration.md) in the AdminConsole. The +[Basic configuration](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md) in the AdminConsole. The certificate is saved locally under: Local computer -> own certificates -> certificates 
@@ -63,16 +63,16 @@ the certificate. To do this, firstly open the certificate information. In the wa the Show server certificate button is available for this purpose. In the following dialogue, select the option Install certificate… -![installation_with_parameters_204_415x395](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_204_415x395.webp) +![installation_with_parameters_204_415x395](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_204_415x395.webp) A **Certificate import wizard** will open in which **Local computer** should be selected. -![installation_with_parameters_205_555x405](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_205_555x405.webp) +![installation_with_parameters_205_555x405](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_205_555x405.webp) In the next step, the storage location “trusted root certificate location” needs to be manually selected. -![installation_with_parameters_206_556x406](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_206_556x406.webp) +![installation_with_parameters_206_556x406](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/certificates/installation_with_parameters_206_556x406.webp) Finally, the installation needs to be confirmed once again. 
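Review bot: all three rewritten image lines in the `@@ -63,16 +63,16 @@` hunk of ssl_connection_certificates.md keep the image file name as alt text (`installation_with_parameters_204_415x395`, `..._205_555x405`, `..._206_556x406`), which says nothing about the step shown. The context lines already name each screenshot (the dialogue with the Install certificate… option, the Certificate import wizard with Local computer selected, the trusted root storage location), so use those descriptions as alt text while these lines are being touched.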
@@ -81,7 +81,7 @@ NOTE: The user logged in to the operating system requires rights to create certi #### Using your own certificate If a CA already exists, you can also use your own certificate. You can specify this within the -[Basic configuration](../baseconfiguration/basic_configuration.md). Please note that a server +[Basic configuration](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md). Please note that a server certificate for SSL encryption is used here. The CA must be configured so that all clients trust the certificate. It is necessary to adhere to the certification path. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/creatingdatabase/creating_databases.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/creatingdatabase/creating_databases.md index 77c304708a..b395937cab 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/creatingdatabase/creating_databases.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/creatingdatabase/creating_databases.md @@ -1,6 +1,6 @@ # Creating databases -![installation_with_parameters_216](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_216.webp) +![installation_with_parameters_216](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_216.webp) [https://www.youtube.com/embed/md7_VEdVuWM?rel=0](https://www.youtube.com/embed/md7_VEdVuWM?rel=0)[https://www.youtube.com/embed/md7_VEdVuWM?rel=0](https://www.youtube.com/embed/md7_VEdVuWM?rel=0) 
@@ -16,7 +16,7 @@ database management system is used in Netwrix Password Secure version 9. The creation of databases is supported by the database wizard, which is started directly from the ribbon. The individual tabs of the wizard are explained below: -![database wizard](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_217-en.webp) +![database wizard](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_217-en.webp) Database server @@ -49,4 +49,4 @@ Once a database has been created successfully, , provided it has been selected. has been selected, the new database is created directly, and will be displayed in the database overview. -![created new database](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_218-en.webp) +![created new database](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/creatingdatabase/installation_with_parameters_218-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_firewall.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_firewall.md index 2f2223225d..76802bb447 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_firewall.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_firewall.md 
@@ -9,21 +9,21 @@ this process. Firewall rules are used to allow access to the database in individ The firewall can be directly activated in the database settings. -![database firewall](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_226-en.webp) +![database firewall](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_226-en.webp) Access to the firewall is blocked after it has been activated. Login attempts are directly blocked. -![installation_with_parameters_227](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_227.webp) +![installation_with_parameters_227](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_227.webp) #### Firewall rules The rules already set are displayed in the section on the right. The icons -![+](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/+.webp) +![+](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/+.webp) and -![-](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/-.webp) +![-](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/-.webp) can be used to add or also delete rules. Rules can be edited by double clicking on them. 
-![firewall rule](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_230-en.webp) +![firewall rule](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_230-en.webp) The following possibilities exist: @@ -48,7 +48,7 @@ this range then the rule blocking the computer is applied. The functionality of the firewall will be explained in more detail using the following rules: -![defined firewall rules](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_231-en.webp) +![defined firewall rules](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_231-en.webp) Approving an IP range (Rule 1) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md index e0b088cd16..1bfa7f9aed 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md 
@@ -3,15 +3,15 @@ The properties of a database can be opened by double-clicking on the database. No login to the database is required. -![installation_with_parameters_225](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_225.webp) +![installation_with_parameters_225](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_225.webp) #### Properties The following options can be edited: -- [General settings](../main_menu/general_settings.md) -- [Syslog](syslog.md) -- [Database firewall](database_firewall.md) +- [General settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/general_settings.md) +- [Syslog](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md) +- [Database firewall](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_firewall.md) General Settings diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/general_settings_admin_client.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/general_settings_admin_client.md index 6fa21b4767..af8c3f03bc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/general_settings_admin_client.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/general_settings_admin_client.md 
@@ -5,7 +5,7 @@ Within the general settings, surface settings regarding the colour scheme as well as the language used are configured. The password for logging in to the Server Manager can also be changed here. -![General settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_254-en.webp) +![General settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_254-en.webp) ## Determining the system hash diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md index b4dd8ffa57..559114f596 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/syslog.md 
@@ -1,11 +1,11 @@ # Syslog If desired, the server logs and also the -**[Logbook](../../advanced_view/clientmodule/logbook/logbook.md)** can be transferred to a Syslog +**[Logbook](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/logbook/logbook.md)** can be transferred to a Syslog server. Double clicking on a database allows you to access its settings. The corresponding menu items can be found there. -![installation_with_parameters_232](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_232.webp) +![installation_with_parameters_232](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/database_properties/installation_with_parameters_232.webp) After activating the Syslog interface via the corresponding option, it is possible to configure the Syslog server. If desired, the entire logbook can also be transferred via another option. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration.md index 8d0458cfa0..763da8e63a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration.md @@ -3,5 +3,5 @@ For a better overview the ECC migration is organized in two sections. One for the administrators and one for the end user: -- [Admin Manual](ecc_migration_administrator_manual.md) -- [User Manual](ecc_migration_user_manual.md) +- [Admin Manual](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_administrator_manual.md) +- [User Manual](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_user_manual.md) 
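Review bot: in the ecc_migration.md hunk (`@@ -3,5 +3,5 @@`) both links pointed at files in the same directory (`ecc_migration_administrator_manual.md`, `ecc_migration_user_manual.md`), and the replacements now hard-code `/docs/passwordsecure/9.2/` into each target. The sibling form carried no version, whereas the absolute form has to be rewritten whenever this tree is copied for another release, or the copy will link back to the 9.2 pages. Suggest leaving same-directory links relative, or noting in the change description how versioned copies are expected to update these paths.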
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_administrator_manual.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_administrator_manual.md index b1873ef1c0..7430cf6de5 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_administrator_manual.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_administrator_manual.md @@ -5,7 +5,7 @@ Before you execute the migration, you must ensure that the following preparations have been made: - Installation of the latest Netwrix Password Secure-Server, Native Client and Web Client -- Check in the [Database properties](../database_properties/database_properties.md) if the **offline +- Check in the [Database properties](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/database_properties.md) if the **offline access** and the **mobile synchronization** are allowed If that should be the case, **contact your users and make sure that they have to synchronize the Offline Add-on and the mobile app**. 
@@ -17,9 +17,9 @@ the migration mode is enabled! **CAUTION:** Only certificate backups made through the Server Manager are valid! -![Certificates](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/certificates-ac-1-en.webp) +![Certificates](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/certificates-ac-1-en.webp) -![Export certificates](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/certificates-ac-2-en.webp) +![Export certificates](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/certificates-ac-2-en.webp) - Delete or restore all non “permanent deleted” users If you have deactivated or non “permanent deleted“ users it would make sense to delete them 
@@ -40,18 +40,18 @@ from the database, but it is not possible to add new or edit existing records. Clicking on the icon **“Start migration”** in the databases' module to start the migration process -![start migration](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-en.webp) +![start migration](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-en.webp) Select the database you want to migrate and enter the code-word. Remember, The code word is “Start”. Please make sure that you have read the whole documentation. Otherwise, data loss might occur! -![select database](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-2-en.webp) +![select database](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-2-en.webp) You should see the message, that the selected databases are now in migration mode: -![start migration](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-3-en.webp) +![start migration](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/start-migration-3-en.webp) As written in the message, export all required certificates via the Netwrix Password Secure Server Manager. If you have multiple servers in use import the certificates via the Server Manager at the 
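Review bot: in the `@@ -40,18 +40,18 @@` hunk of ecc_migration_administrator_manual.md, `start-migration-en.webp` and `start-migration-3-en.webp` both carry the alt text `start migration`, although the surrounding text describes the first as the Start migration icon and the third as the message that the selected databases are now in migration mode. Give the third image its own alt text (for example `migration mode message`) so the two can be told apart when the images do not load.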
@@ -64,9 +64,9 @@ end of the migration process. In the migration process you find all information about the current process, what is already migrated and what still needs to be migrated -![migration progress](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/migration-progress-en.webp) +![migration progress](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/migration-progress-en.webp) After each user has logged into the database and has been successfully migrated, the migration is complete. -![migration finished](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/migration-finished-en.webp) +![migration finished](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/migration-finished-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_user_manual.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_user_manual.md index c933557f5f..601d165674 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_user_manual.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/ecc_migration/ecc_migration_user_manual.md 
@@ -13,7 +13,7 @@ migration! During the migration every E2EE-User of the database has to log in. Keep the client running until the message **„Userdata migration finished”** appears. -![userdata_migration_finished_en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/userdata_migration_finished_en.webp) +![userdata_migration_finished_en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/ecc_migration/userdata_migration_finished_en.webp) NOTE: The migration can only be carried out with the Web Application and NativeClient. A migration just using the Extension, Autofill Add-on or the Mobile App is not possible. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md index ed7cffd629..c8e66efa4b 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md @@ -4,7 +4,7 @@ Global standard default values are specified in the advanced settings. -![advanced settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/installation_with_parameters_263-en.webp) +![advanced settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/installation_with_parameters_263-en.webp) #### Database server diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated_deletion_of_backups.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated_deletion_of_backups.md index f96da94cab..f4160cc1eb 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated_deletion_of_backups.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated_deletion_of_backups.md @@ -3,7 +3,7 @@ It is possible to delete backups automatically after a certain period of time. This can be useful if you append date and time to the backups and thus generate new files daily. -![automatic cleanup](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-en.webp) +![automatic cleanup](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-en.webp) ###### Requirement @@ -20,4 +20,4 @@ For a proper function of the automatic deletion, the following must be defined: - the SQL instance - all paths where the automatic cleanup of the backup files is to be performed. -![setup automatic backup cleanup](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-2-en.webp) +![setup automatic backup cleanup](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/automatic_backup_cleanup/automated-deletion-of-backups-2-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md index 545f95a3c7..973dd2fab2 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md 
@@ -23,19 +23,19 @@ created once a week. Creating a backup schedule You can create a new schedule via the ribbon. This is facilitated by a wizard. All the information -entered under [Backup settings](../backup_settings.md) will be used by default. +entered under [Backup settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md) will be used by default. A profile name is entered first. The desired databases are also selected. You also need to specify the directory for the backups. -![new backup profile - base settings](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_257-en.webp) +![new backup profile - base settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_257-en.webp) NOTE: It must be a directory on the SQL server. Now set the time interval for creating the backups. A preview on the right will show when the backups will be created in future. An end date can be optionally entered. -![new backup profile - interval](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_258-en.webp) +![new backup profile - interval](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_258-en.webp) In the advanced settings, you can configure whether the backup should be activated directly. It is also possible to specify whether to create incremental backups. If the date and time are added to 
@@ -45,9 +45,9 @@ with a corresponding name and password. In addition, you can enter here whether the required certificates should be saved using a backup task. Further information can be found in the section -[Certificates](../../../certificates/certificates.md). +[Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md). -![installation_with_parameters_259](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_259.webp) +![installation_with_parameters_259](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_259.webp) Backup run 
@@ -69,11 +69,11 @@ in the history. Restoring data from backups is performed using the database module. Data can only be restored to existing databases. Firstly, select the required database. You can now select Insert in the ribbon. -![restore backup](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_260-en.webp) +![restore backup](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_260-en.webp) If necessary, firstly enter login data for the user that logs in to the SQL server – although the service user is generally used here. Now select the backup file. All the backups contained in the file will then be displayed. Now simply click on Restore to restore the backup to the existing database. -![Database restore](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_261-en.webp) +![Database restore](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/installation_with_parameters_261-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md index 67d540dd6f..65b5961095 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md 
@@ -4,11 +4,11 @@ Within the backup settings the default values for the execution of backups can be defined. -![Backup settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_255-en.webp) +![Backup settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_255-en.webp) #### Interval settings The interval for backups can be customized as needed. A separate assistant is available for this purpose. -![define interval in backup settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_256-en.webp) +![define interval in backup settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/backup_settings/installation_with_parameters_256-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/disaster_recovery/disaster_recovery_scenarios.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/disaster_recovery/disaster_recovery_scenarios.md index 2167e79c99..4ae71ee8a1 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/disaster_recovery/disaster_recovery_scenarios.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/disaster_recovery/disaster_recovery_scenarios.md 
@@ -16,7 +16,7 @@ Creating backups It is of course essential in the event of a disaster that you can access a backup that is as up-to-date as possible. Therefore, it is necessary to regularly create -[Backup management](../backup_management/backup_management.md). +[Backup management](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md). Who is responsible in the event of a disaster? @@ -38,10 +38,10 @@ Furthermore, it must be ensured that the responsible user has access to these pa times. The following options are possible: - Store the passwords in the company safe -- Create corresponding [Offline Add-on](../../../../offlineclient/offline_client.md) +- Create corresponding [Offline Add-on](/docs/passwordsecure/9.2/passwordsecure/configuration/offlineclient/offline_client.md) - Periodically create a HTML WebViewer file with automatic delivery via a system task including e-mail forwarding which can be configured in - [Account](../../../../advanced_view/mainmenu/account/account.md) + [Account](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md) #### Disaster scenarios diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md index 64cb92b7e4..02eab5cd72 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md 
@@ -5,7 +5,7 @@ Licenses for the Netwrix Password Secure are managed within the license settings. In addition, all current license details are displayed in the window provided for this purpose. -![License settings](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/installation_with_parameters_262-en.webp) +![License settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/installation_with_parameters_262-en.webp) ## Licenses @@ -43,6 +43,6 @@ connection problems, the firewall and, if relevant, the proxy should be checked. 3. Open the main menu and select the License settings area. 4. Open the License file tab. 5. Click Upload license file. - ![license_file_tab](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/license_file_tab.webp) + ![license_file_tab](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/license_file_tab.webp) 6. Select the file from this email and then click Open. - ![activated_license](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/activated_license.webp) + ![activated_license](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/main_menu/activated_license.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/main_menu.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/main_menu.md index e5a9a2ad42..3f49f60ba9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/main_menu.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/main_menu.md 
@@ -3,10 +3,10 @@ ## What is the main menu? The operation and structure of the Main menu/Backstage menu is the same for the -[Main menu](../../advanced_view/mainmenu/main_menu_fc.md) on the client. This area can be used +[Main menu](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/main_menu_fc.md) on the client. This area can be used independently of the currently selected module. -- [General settings](../database_properties/general_settings_admin_client.md) -- [Backup settings](backup_settings/backup_settings.md) -- [License settings](license_settings.md) -- [Advanced settings](advanced_settings.md) +- [General settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/database_properties/general_settings_admin_client.md) +- [Backup settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_settings.md) +- [License settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md) +- [Advanced settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/database_settings.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/database_settings.md index c19250a1c2..07c721087d 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/database_settings.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/database_settings.md 
@@ -10,9 +10,9 @@ open. You can now make the following settings: - Authentication -- [Multifactor Authentication](multifactor_authentication_ac.md) -- [Session timeout     ](session_timeout.md) -- [HSM connection via PKCS # 11](hsm_connection.md) +- [Multifactor Authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md) +- [Session timeout     ](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/session_timeout.md) +- [HSM connection via PKCS # 11](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/hsm_connection.md) - Automatic cleanup - SAML configuration - Deletion of users diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/hsm_connection.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/hsm_connection.md index bd7a5793b4..df783955b7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/hsm_connection.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/hsm_connection.md 
@@ -26,7 +26,7 @@ out in a test position or a PoC beforehand. The installation is set up on the Server Manager via the database settings. -![installation_with_parameters_235](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/installation_with_parameters_235.webp) +![installation_with_parameters_235](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/installation_with_parameters_235.webp) - **Library path**: Here you can find the installed PKCS # 11 driver of the HSM. - **Token-Serial**: The serial number of the token is given here. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md index a9acd878bb..61275ab033 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md @@ -9,7 +9,7 @@ Activation of different factors In the Databases module, select a database and open its settings via the ribbon... -![Database settings](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/mfa-de.webp) +![Database settings](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/mfa-de.webp) In the settings you define which second factors can be used. 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/session_timeout.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/session_timeout.md index 827aba43c5..ae8ba5fe95 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/session_timeout.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/session_timeout.md @@ -4,4 +4,4 @@ Here you can set individually for each client when an inactive connection to the is automatically terminated. Select the desired time period in the drop-down menu and save the setting by clicking on **"Save"**. -![session timeout](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/session-timeout-en.webp) +![session timeout](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/database_settings/session-timeout-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md index d6120da7f9..6b73fe5db2 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/managing_databases.md 
@@ -5,7 +5,7 @@ The available actions can be selected via the context menu that is accessed using the right mouse button or also via the ribbon. -![Managing databases](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/installation_with_parameters_234-en.webp) +![Managing databases](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/managing_databases/installation_with_parameters_234-en.webp) ## Database settings @@ -21,7 +21,7 @@ required service, specify the respective access data. You must also configure va this case, you can specify on the client which methods will be used by the individual users. Further information on this subject can be found in the -section[Multifactor Authentication](database_settings/multifactor_authentication_ac.md). +section[Multifactor Authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/managing_databases/database_settings/multifactor_authentication_ac.md). PKCS#11 diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/changes_in_the_adminclient.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/changes_in_the_adminclient.md index 90b67c5411..9d87c045fc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/changes_in_the_adminclient.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/changes_in_the_adminclient.md 
@@ -4,11 +4,11 @@ In the previous on-prem version, there are the modules Databases (1) and Backups (2). -![Modules in AdminClient](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/module-ac-en_606x403.webp) +![Modules in AdminClient](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/module-ac-en_606x403.webp) In the new MSP version these have been replaced by the modules Customers (1) and Cost Overview (2). -![AdminClient - MSP module](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/module-msp-ac-en.webp) +![AdminClient - MSP module](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/module-msp-ac-en.webp) In the MSP version, you will find the individual customer databases under the Customers module. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost_overview_module.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost_overview_module.md index c568fcd9d6..5034178bdf 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost_overview_module.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost_overview_module.md 
@@ -5,4 +5,4 @@ number of users and options (1) for the current month (forecast) and the past mo This view can be filtered by month (2). If you use your own billing system, you can export the displayed or filtered values as a CSV file (3). -![Cost overview](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost-overview-en_998x722.webp) +![Cost overview](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/cost_overview/cost-overview-en_998x722.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/customers_module.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/customers_module.md index be75b181b0..0100eb4f09 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/customers_module.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/customers_module.md @@ -6,7 +6,7 @@ Creating a new customer is done via the Customers module (1). Here, click on New left corner. This applies both to customers in a test phase and to customers who are to be billed immediately. -![create-new-customer-msp-en_1035x753](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/create-new-customer-msp-en_1035x753.webp) +![create-new-customer-msp-en_1035x753](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/create-new-customer-msp-en_1035x753.webp) When creating a new customer, the customer name is specified under **General** (1). 
@@ -19,7 +19,7 @@ the managed service provider for test customers as well as billed customers, for the test period or if the date of a possible termination of a billed customer should be known in advance. -![General settings new customer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/general-new-customer-msp-en_1029x682.webp) +![General settings new customer](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/general-new-customer-msp-en_1029x682.webp) Under License (4) the maximum number of users can be specified. Here you have the possibility @@ -27,7 +27,7 @@ Under License (4) the maximum number of users can be specified. Here you have th customer (6) can be activated or deactivated by ticking them off. All other settings are identical to the on-prem version. -![License settings new customer](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/licence-new-customer-msp-en_1013x675.webp) +![License settings new customer](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/licence-new-customer-msp-en_1013x675.webp) After saving, the test customers are displayed under Test (1) and the customers to be billed under Billed (2). When you click on a (test) customer, you will see the associated 
@@ -38,7 +38,7 @@ adjustments can be made. The contract data can be adjusted by Edit (3). The options can be activated or deactivated by Edit (4). -![overview-1-msp-en](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/overview-1-msp-en.webp) +![overview-1-msp-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/overview-1-msp-en.webp) #### Test customer view @@ -52,7 +52,7 @@ billing data is available in the Forecast, Last Months and Cost History fields. Since no costs are incurred for test customers, no information is displayed here under User history (3), Forecast, Last months and Cost history. -![test-customer-view-msp-en_1024x742](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/test-customer-view-msp-en_1024x742.webp) +![test-customer-view-msp-en_1024x742](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/test-customer-view-msp-en_1024x742.webp) #### Billed customer view @@ -61,7 +61,7 @@ see the user history (4) of the last months, the forecast for the current month expected costs for the users and options, as well as the total amount. Furthermore, you will find the statements of the last months (6) and a graphical representation of the cost history (7). -![billed-customer-msp-en_1032x752](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/billed-customer-msp-en_1032x752.webp) +![billed-customer-msp-en_1032x752](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/billed-customer-msp-en_1032x752.webp) #### Deactivating and reactivating a customer 
@@ -71,29 +71,29 @@ deactivating, all data is retained and the customer can be completely restored. To deactivate a customer, select the database (1) and then Deactivate (2). -![deactivate-customer-msp](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-msp.webp) +![deactivate-customer-msp](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-msp.webp) A reason (3) can be specified for the deactivation and then the database can be deactivated (4). -![deactivate-customer-2-msp](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-2-msp.webp) +![deactivate-customer-2-msp](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/deactivate-customer-2-msp.webp) To reactivate a deactivated customer, select the deactivated database (1) and then Activate (2). -![reactivate-customer-msp-en](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/reactivate-customer-msp-en.webp) +![reactivate-customer-msp-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/reactivate-customer-msp-en.webp) #### Deleting a customer To delete a customer, select the database (1) and then Remove (2). Removal is possible with both active and deactivated customer databases. 
-![remove-customer-msp-en_947x686](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/remove-customer-msp-en_947x686.webp) +![remove-customer-msp-en_947x686](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/remove-customer-msp-en_947x686.webp) Deletion must be confirmed (3). -![confirm-delete-customer-msp-en](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/confirm-delete-customer-msp-en.webp) +![confirm-delete-customer-msp-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/confirm-delete-customer-msp-en.webp) The following dialog box (4) indicates that the database has been deleted in Netwrix Password Secure, but you as an MSP are responsible for deleting the database in the SQL server as well as any existing backups. -![successfull-deletion-msp-en](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/successfull-deletion-msp-en.webp) +![successfull-deletion-msp-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/msp/changes_in_ac/customers_module/successfull-deletion-msp-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/operation_and_setup/operation_and_setup_admin_client.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/operation_and_setup/operation_and_setup_admin_client.md index badfd30a4b..1799da7db8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/operation_and_setup/operation_and_setup_admin_client.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/operation_and_setup/operation_and_setup_admin_client.md 
@@ -5,14 +5,14 @@ The structure of the Server Manager is based to a high degree on the structure of the actual client. The control elements such as the ribbon and the info and detail areas can be derived from the section dealing with the -client([Operation and Setup](../../advanced_view/operation_and_setup/operation_and_setup.md)). +client([Operation and Setup](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/operation_and_setup.md)). NOTE: An initial password is required for the first login on Server Manager. The password is “admin”. This password should be changed directly after login and carefully documented. #### Status module -![Status Admin Client](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/installation_with_parameters_248-en.webp) +![Status Admin Client](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/installation_with_parameters_248-en.webp) 1. Ribbon @@ -54,7 +54,7 @@ column headings. The period shown can be limited using . Databases are managed in a dedicated module. All relevant information on the existing databases can also be called up – completely without accessing the SQL server. -![Databases Admin Client](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/installation_with_parameters_252-en.webp) +![Databases Admin Client](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/installation_with_parameters_252-en.webp) 1. Ribbon 
@@ -85,7 +85,7 @@ carried out in the same way as the server log according to the colours applied. There is also a separate module for configuring the backups. This means that all backups can be configured and managed directly from the Server Manager. -![backup-ac](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/backup-ac.webp) +![backup-ac](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/operation_and_setup/backup-ac.webp) 1. Ribbon diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/server_manger.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/server_manger.md index b5447f52eb..149c5c927a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/server_manger.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/server_manger.md 
@@ -6,9 +6,9 @@ The Server Manager takes care of the central administration of the databases as configuration of the backup profiles. In addition, it provides the very important interface to the Netwrix Password Secure license server. Furthermore, it is used for the administration of globally defined settings, as well as the configuration of profiles for sending emails. -[Installation Server Manager](../../installation/installation_server_manager/installation_server_manager.md) +[Installation Server Manager](/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md) -![Admin Client](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/installation_with_parameters_187-en.webp) +![Admin Client](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/installation_with_parameters_187-en.webp) In this sense, the server service represents the interface between the client and the SQL server. The Server Manager is responsible for configuring the server service. It allows the central diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/settlement_right_key/settlement_right_key.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/settlement_right_key/settlement_right_key.md index 8d4fb6c627..03e90dbfbe 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/settlement_right_key/settlement_right_key.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/settlement_right_key/settlement_right_key.md 
@@ -6,7 +6,7 @@ In the version 8.3.0.13378 passwords which cannot be decrypted for other users c this case, individual users or even all users do not have the necessary legal key. If a user wants to reveal an affected password, the following message is displayed: -![installation_with_parameters_219_706x98](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_219_706x98.webp) +![installation_with_parameters_219_706x98](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_219_706x98.webp) #### Bugfix @@ -30,14 +30,14 @@ Reparable records Passwords in which users / roles with entitlement right and right key exist: -![installation_with_parameters_220_584x65](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_220_584x65.webp) +![installation_with_parameters_220_584x65](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_220_584x65.webp) Irreparable records Passwords in which users / roles without a legal key or with a legal key but without an authorization right exist: -![installation_with_parameters_221_697x40](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_221_697x40.webp) +![installation_with_parameters_221_697x40](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_221_697x40.webp) ###### Settlement of reparable records 
@@ -48,7 +48,7 @@ The right key can be checked using the form field permissions of password fields user has the right key, the password can be fixed. In the following example, only the user ‘white’ has the right key and thus only this user can discover and correct the password. -![installation_with_parameters_222_754x91](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_222_754x91.webp) +![installation_with_parameters_222_754x91](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_222_754x91.webp) When logging on to the database via the client, a cleanup task is started automatically. This task always runs with the logged in user. In this case – as far as it is possible with the user – all @@ -65,7 +65,7 @@ First case In the first case, no user / role has the right key on the password. Thus, no user can decrypt or correct the password. -![installation_with_parameters_223_757x69](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_223_757x69.webp) +![installation_with_parameters_223_757x69](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_223_757x69.webp) The affected passwords have to be recreated. For the security, a new database with an older backup can be included. From this database, the affected passwords / data can be taken over into the 
@@ -77,7 +77,7 @@ In the second case, there are users / roles who have the right key but not the r far as the number of irreparable passwords is limited, these can be used to check the form field permissions manually. -![installation_with_parameters_224_762x90](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_224_762x90.webp) +![installation_with_parameters_224_762x90](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/settlement_right_key/installation_with_parameters_224_762x90.webp) For the passwords concerned, the user with the legal key must be given the right of authorization temporarily to correct. If the corresponding user has the entitlement right, he can reset the legal diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/setupwizard/setup_wizard.md b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/setupwizard/setup_wizard.md index 79121b4580..d852f9e560 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/setupwizard/setup_wizard.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/setupwizard/setup_wizard.md 
@@ -10,18 +10,18 @@ individual points can also be changed later on. Separate sections are available The first step is to define the authentication password for the Server Manager. The initial password is “admin”. A new password needs to be entered during startup – this new password should be securely and properly documented. It can be subsequently changed in the -[General settings](../main_menu/general_settings.md). +[General settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/general_settings.md). -![setup-wizard-ac-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-en.webp) +![setup-wizard-ac-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-en.webp) NOTE: The initial password is “admin”. #### License settings The second step is to complete the configuration for successively connecting to the licence server. -This step can also be carried out later “in the [License settings](../main_menu/license_settings.md) +This step can also be carried out later “in the [License settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md) -![setup-wizard-ac-2-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-2-en.webp) +![setup-wizard-ac-2-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-2-en.webp) “license.passwordsafe.de” should be entered in the field “Licence server”. The other access data (user name and password for the licence server will be sent to you by email). 
@@ -33,9 +33,9 @@ the corresponding button. #### Database server The configuration of the database server is also part of the -[Advanced settings](../main_menu/advanced_settings.md) and can also be edited there later on. +[Advanced settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md) and can also be edited there later on. -![setup-wizard-ac-3-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-3-en.webp) +![setup-wizard-ac-3-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-3-en.webp) The database server must be specified along with the associated SQL instance. For simplicity, you can copy the server name from the login window of the SQL server. @@ -47,10 +47,10 @@ The “Advanced” button allows you to specify a **Connection String.** #### SMTP server The last step is to configure the SMTP server via which all emails are sent. This is also part of -the [Advanced settings](../main_menu/advanced_settings.md) should it be necessary to make changes +the [Advanced settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/advanced_settings.md) should it be necessary to make changes later on. -![setup-wizard-ac-4-en](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-4-en.webp) +![setup-wizard-ac-4-en](/img/product_docs/passwordsecure/passwordsecure/configuration/server_manager/setupwizard/setup-wizard-ac-4-en.webp) Once the data has been entered and successfully tested, the wizard can be completed by clicking on “Finish”. 
@@ -64,5 +64,5 @@ module that need to be confirmed. **CAUTION:** It is recommended that you only confirm the security notes when the corresponding point has actually been carried out. It is absolutely essential to ensure that regular -[Backup management](../main_menu/backup_settings/backup_management/backup_management.md) are created -and the [Certificates](../certificates/certificates.md) are backed up. +[Backup management](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md) are created +and the [Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md) are backed up. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md index 0951cea1d3..f4bdbd0d6a 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/authorization_and_protection/authorization_and_protection_mechanisms.md 
@@ -17,29 +17,29 @@ Password masking The password masking follows the familiar logic of the client. Due to this function, reference should be made to the chapter of -[Password masking](../../advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md). +[Password masking](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/password_masking/password_masking.md). There are marginal differences in the operation. The privacy protection is fixed or edited via a button in the extended menu.. -![installation_with_parameters_183](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_183.webp) +![installation_with_parameters_183](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_183.webp) The corresponding button is only displayed if the logged in user has the sufficient rights. If a record is provided with a privacy protection, this is shown in the header of the password. -![installation_with_parameters_184](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_184.webp) +![installation_with_parameters_184](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_184.webp) Seal The seals also correspond in function to the known logic of the client. In the chapter seal further explanations can be found. 
The -[Seals](../../advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) +[Seals](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/protective_mechanisms/seals/seals.md) are configured in the extended menu via a button. -![installation_with_parameters_185](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_185.webp) +![installation_with_parameters_185](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/installation_with_parameters_185.webp) The button is only displayed for the users who have the rights to edit seals. If a record is sealed, this will be shown in the password field. -![seal_wc](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/seal_wc.webp) +![seal_wc](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/authorization_and_protection/seal_wc.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/functional_scope.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/functional_scope.md index 99d36d6d0a..09a9b11a8f 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/functional_scope.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/functional_scope.md 
@@ -11,12 +11,12 @@ described in their own subsections. #### Functions in the individual modules -- [Password module](password_module/password_module.md) -- [Tag system](tag_system/tag_system.md) -- [Organisational structure module](organisational_structure/organisational_structure.md) -- [Roles module](roles_module/roles_module.md) -- [Forms module](forms_module/forms_module.md) -- [Notifications](notifications/notifications.md) -- [Logbook](logbook/logbook_web_application.md) -- [Application](applications/application.md) -- [Documents](documents/documents_web_application.md) +- [Password module](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/password_module/password_module.md) +- [Tag system](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/tag_system/tag_system.md) +- [Organisational structure module](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/organisational_structure.md) +- [Roles module](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/roles_module/roles_module.md) +- [Forms module](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/forms_module/forms_module.md) +- [Notifications](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/notifications/notifications.md) +- [Logbook](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/logbook/logbook_web_application.md) +- [Application](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/applications/application.md) +- [Documents](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/documents/documents_web_application.md) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/organisational_structure.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/organisational_structure.md index 80c0c91cd0..0b0869ef59 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/organisational_structure.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/organisational_structure.md @@ -18,10 +18,10 @@ name. Both modules have a different scope and design but are almost identical to ## AD connection in the Web Application The Active Directory connection in the Web Application works similiar to the Client. In the chapter -[Active Directory link](../../../advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) +[Active Directory link](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/active_directory_link.md) you can find further information. -![Organisational structure WebClient](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_160-en.webp) +![Organisational structure WebClient](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_160-en.webp) The Web Application offers the following functions: 
@@ -34,34 +34,34 @@ The Web Application offers the following functions: You can reach the Radius server, if the import is in the Masterkey mode. The Radius server will be provided in the Active Directory profile and will therefore deliver the possible authentication methods in future. You will find further informations in the -[RADIUS authentication](../../../advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md) +[RADIUS authentication](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/organisationalstructures/directoryservices/activedirectorylink/radius_authentication.md) chapter. -![installation_with_parameters_161](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_161.webp) +![installation_with_parameters_161](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_161.webp) ###### Predefining rights To **predefine rights** in the Web Application, the procedure is the same as in the Client. -[Predefining rights](../../../advanced_view/permissionconcept/predefining_rights/predefining_rights.md)) +[Predefining rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/permissionconcept/predefining_rights/predefining_rights.md)) Go to the module organisational structure to choose the organisation unit for which the rights shall be predefined. Then choose **Predefine rights** in the menu bar. 
-![installation_with_parameters_162](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_162.webp) +![installation_with_parameters_162](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_162.webp) **Creating the first template group:** A modal window will appear after clicking on the icon for adding a new template group (green arrow) in which a meaningful name for the template group should be entered. -![installation_with_parameters_163](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_163.webp) +![installation_with_parameters_163](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_163.webp) Now you can add the appropriate roles and users. -![installation_with_parameters_164](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_164.webp) +![installation_with_parameters_164](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_164.webp) You can add users and roles in different ways: - Add the appropriate roles and users at the toolbar under **Search and add**. - Click on the loupe to see all the users and roles. 
-![installation_with_parameters_165](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_165.webp) +![installation_with_parameters_165](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/installation_with_parameters_165.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md index 747c3029a6..bda2369cee 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/user_management.md @@ -11,4 +11,4 @@ administration is carried out via the organisational structure module. When creating new users, you must pay attention to whether it is a **User (Basic View)** or a **Advanced User (View)**. -![installation_with_parameters_166](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/installation_with_parameters_166.webp) +![installation_with_parameters_166](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/functional_scope/organisational_structure/user_management/installation_with_parameters_166.webp) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/filter_or_structure_area.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/filter_or_structure_area.md index edf1a84923..7160fd5bec 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/filter_or_structure_area.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/filter_or_structure_area.md @@ -3,12 +3,12 @@ As is also the case on the client, it is possible to select between filter and structure. For this purpose, the following buttons are available on the navigation bar -![installation_with_parameters_169](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_169.webp) +![installation_with_parameters_169](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_169.webp) 1. Filter The filter on the Web Application is based on the -[Filter](../../../advanced_view/operation_and_setup/filter/filter.md). Therefore, only those +[Filter](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/filter/filter.md). Therefore, only those characteristics specific to the Web Application will be described here. Using the filter 
@@ -21,7 +21,7 @@ Configuring the filter The configuration for the filter can be displayed via the following buttons: -![installation_with_parameters_170](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_170.webp) +![installation_with_parameters_170](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/installation_with_parameters_170.webp) New filter groups can be added using **Add filter groups** and the current filter can be reset using **Reset filter. Advanced mode** provides you with the possibility of deleting or moving individual diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/footer/footer.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/footer/footer.md index 4483d0ea42..254aa40293 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/footer/footer.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/footer/footer.md @@ -4,7 +4,7 @@ The footer displays various different information about the currently selected r tabs. It can be activated or deactivated using the small arrow on the far right. The footer is hidden by default. -![installation_with_parameters_178](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/footer/installation_with_parameters_178.webp) +![installation_with_parameters_178](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/footer/installation_with_parameters_178.webp) 1. Notification area 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/header/header.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/header/header.md index aa94d364f6..e0ad87fac9 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/header/header.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/header/header.md @@ -2,7 +2,7 @@ The header provides the following functions: -![Header](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/header/installation_with_parameters_171-en_679x38.webp) +![Header](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/header/installation_with_parameters_171-en_679x38.webp) 1. Logo @@ -35,4 +35,4 @@ clicking on it. The user who is currently logged in can be seen under account. You can log out by clicking on the account. It is also possible to call up the settings in -[Account](../../../advanced_view/mainmenu/account/account.md). +[Account](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/account/account.md). diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/list_view/list_view.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/list_view/list_view.md index 8f8eebfd89..0a48d35565 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/list_view/list_view.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/list_view/list_view.md 
@@ -5,9 +5,9 @@ The central element of the navigation in the Web Application is list view, which clearly presents the filtered elements. As list view in the Web Application provides the same functions as list view in the client, we refer you at this point to the -[List view](../../../advanced_view/operation_and_setup/listview/list_view.md) section. +[List view](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/listview/list_view.md) section. -![installation_with_parameters_176](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/list_view/installation_with_parameters_176.webp) +![installation_with_parameters_176](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/list_view/installation_with_parameters_176.webp) #### Special features diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/menu_bar/menu.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/menu_bar/menu.md index cad81f0cb7..dc3d822629 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/menu_bar/menu.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/menu_bar/menu.md @@ -12,7 +12,7 @@ depending on which view is currently being used. The menu can take on two forms. In general, the **menu bar** containing the **most important functions** is displayed. It will be described here using the example of the password module. -![menu bar](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_174-en.webp) +![menu bar](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_174-en.webp) 1. Expand menu 
@@ -44,7 +44,7 @@ If the menu – as described above – is maximised, **all functions** are then on the menu bar are repeated here. The menu is divided into a number of sections. These correspond 1 to 1 to the sections of the ribbon on the client. -![Menu](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_175-en.webp) +![Menu](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/menu_bar/installation_with_parameters_175-en.webp) In our example, the menu looks like this: @@ -78,10 +78,10 @@ advanced menu contains all functions. All of the additional functions can be found here. These functions correspond to the main client and will be described in the next section: -[Passwords](../../../advanced_view/clientmodule/passwords/passwords.md) +[Passwords](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwords/passwords.md) 7. Password Reset The functions of the -[Password Reset](../../../advanced_view/clientmodule/passwordreset/password_reset.md) can be found +[Password Reset](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/passwordreset/password_reset.md) can be found here. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md index 81275e964c..f01b09204e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md 
@@ -2,7 +2,7 @@ The navigation bar provides the following functions. -![navigation bar](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_172-en_643x142.webp) +![navigation bar](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_172-en_643x142.webp) 1. Filter @@ -16,4 +16,4 @@ will do a new tab will be opend. Example -![tab system](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_173-en.webp) +![tab system](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/installation_with_parameters_173-en.webp) diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/settings_wc.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/settings_wc.md index 0797827d2f..e06d26f708 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/settings_wc.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/settings_wc.md @@ -1,6 +1,6 @@ # Settings -The settings are called up via the [Navigation bar](../navigation_bar.md). The following options are +The settings are called up via the [Navigation bar](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md). The following options are available: #### Language 
@@ -22,23 +22,23 @@ Image management With the image management, you can manage your icons and logos easily and quickly. -![image management](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_179-en.webp) +![image management](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_179-en.webp) #### Adding icons and logos By clicking on the **New** button, the input mask will open. -![new image](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_180-en.webp) +![new image](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_180-en.webp) After filling in and uploading the icon/logo, the process only needs to be saved. -![save new image](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_181-en.webp) +![save new image](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_181-en.webp) Edit / Delete icons and logos If an icon and/or logo is outdated, you can edit or even delete the stored icons/logos. -![manage image](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_182-en.webp) +![manage image](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/settings/installation_with_parameters_182-en.webp) #### Settings 
@@ -49,8 +49,8 @@ The following options can be managed via this menu item: - User settings The management of these settings is based on the client. Further information can be found under -global [User rights](../../../../advanced_view/mainmenu/user_rights/user_rights.md) and -[User settings](../../../../advanced_view/mainmenu/user_settings/user_settings.md) +global [User rights](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_rights/user_rights.md) and +[User settings](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/mainmenu/user_settings/user_settings.md) The following settings are not available on the Web Application: diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/user_menu_wc.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/user_menu_wc.md index 3d3fc70a92..9969b022fc 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/user_menu_wc.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/user_menu_wc.md @@ -5,7 +5,7 @@ logged in user opens it. #### Options in the user menu -![bin_1](../../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/bin_1.webp) +![bin_1](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/user_menu/bin_1.webp) Settings diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/operation.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/operation.md index 760386de28..e8a3ee32d0 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/operation.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/operation.md @@ -18,7 +18,7 @@ User name Password -![Login WebClient](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/installation_with_parameters_167-en.webp) +![Login WebClient](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/installation_with_parameters_167-en.webp) After successfully logging in, the last database name used and the last registered user will be saved. You thus only need to enter the password for the next login. 
@@ -47,33 +47,33 @@ NOTE: It is possible to only transfer the database. The user name is not absolut The Web Application is split into a number of sections that are described below. -![Operation](../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/installation_with_parameters_168-en.webp) +![Operation](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/installation_with_parameters_168-en.webp) -1. [Header](header/header.md) +1. [Header](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/header/header.md) The header provides access to some essential functions. -2. [Navigation bar](navigation_bar/navigation_bar.md) +2. [Navigation bar](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/navigation_bar/navigation_bar.md) It is possible to switch between module and filter view on the navigation bar. -3. [Filter or structure area](filter_or_structure/filter_or_structure_area.md) +3. [Filter or structure area](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/filter_or_structure/filter_or_structure_area.md) As is also the case on the client, it is possible to select between filter and structure. -4. [Menu](menu_bar/menu.md) +4. [Menu](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/menu_bar/menu.md) The ribbon on the client has been replaced by a menu bar on the Web Application. -5. [List view](list_view/list_view.md) +5. [List view](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/list_view/list_view.md) The records currently selected using the filter can be viewed in list view. -6. [Reading pane](reading_pane/reading_pane_webclient.md) +6. 
[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane_webclient.md) The reading pane shows you details about the relevantly selected element. -7. [Footer](footer/footer.md) +7. [Footer](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/footer/footer.md) Various information about the record is displayed in the footer. For example, logbook entries or the history. diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane_webclient.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane_webclient.md index fc4ad2d6c3..4cd5beb4bf 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane_webclient.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane_webclient.md @@ -4,9 +4,9 @@ As with the list view, the reading pane on the Web Application is almost identical to that on the client. Therefore, we also refer you here to the corresponding -[Reading pane](../../../advanced_view/operation_and_setup/readingpane/reading_pane.md) section. +[Reading pane](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/operation_and_setup/readingpane/reading_pane.md) section. -![reading_pane](../../../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane.webp) +![reading_pane](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/operation/reading_pane/reading_pane.webp) Various information is displayed on the header – as is the case with the client. For example, the tags for the records or information on whether the record is public or private. Password masking is 
diff --git a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md index 4011768057..3318ca7817 100644 --- a/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md +++ b/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/web_application.md @@ -7,9 +7,9 @@ Secure version** **8.3.0. The completely newly developed \*Web Application** wil for the constant enhancement of the functional scope. The desired objective is to also provide the full functional scope of the client in the Web Application. The **Web Application** will thus be constantly enhanced. All of the currently available functions can be viewed in the -[Functional scope](functional_scope/functional_scope.md) section. +[Functional scope](/docs/passwordsecure/9.2/passwordsecure/configuration/web_applicaiton/functional_scope/functional_scope.md) section. -![WebClient](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/installation_with_parameters_159.webp) +![WebClient](/img/product_docs/passwordsecure/passwordsecure/configuration/web_applicaiton/installation_with_parameters_159.webp) **Netwrix Password Secure Web Application** enables platform-independent access to the database via a browser. It is irrelevant whether you are using Microsoft Windows, macOS or Linux, it is only 
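Review bot: The new `[Functional scope]` target hard-codes the `9.2` version segment and the misspelled `web_applicaiton` directory into an absolute path, where the removed link was relative to the file. Once this tree is copied for the next release, the link still names the 9.2 page, and correcting the directory name later means touching every absolute link that now embeds it. Suggest keeping the relative form for links that stay inside the same version tree (`functional_scope/functional_scope.md`) and limiting the absolute rewrite to the `/img/` assets.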
@@ -19,4 +19,4 @@ responsive design, it can also be used on all mobile devices such as tablets and The **Web Application** is based both optically and also in its operation on the Netwrix Password Secure client. As usual, users can only access the data for which they also have permissions. The installation is described in the section -[Installation Web Application](../../installation/installation_web_application/installation_web_application.md) +[Installation Web Application](/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/enduser/browserextension.md b/docs/passwordsecure/9.2/passwordsecure/enduser/browserextension.md index f386390281..d07f0de0e7 100644 --- a/docs/passwordsecure/9.2/passwordsecure/enduser/browserextension.md +++ b/docs/passwordsecure/9.2/passwordsecure/enduser/browserextension.md @@ -13,7 +13,7 @@ Step 1 – Is your browser extension already installed? You can find out by: find the download link in the footer. See the Download Edge Extension link in the bottom center of the screenshot below. -![downloadextension](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/downloadextension.webp) +![downloadextension](/img/product_docs/passwordsecure/passwordsecure/enduser/downloadextension.webp) NOTE: If you need more information about installing the browser extension, please visit the following topic in our documentation: 
@@ -22,22 +22,22 @@ following topic in our documentation: Step 2 – After downloading, the browser extension is simply dragged and dropped into the browser. See the Get button in the upper-right section of the screenshot below. -![getextension](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/getextension.webp) +![getextension](/img/product_docs/passwordsecure/passwordsecure/enduser/getextension.webp) Step 3 – After confirming a security question, it is installed, and an icon appears in the menu bar to "add the extension". -![addextension](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/addextension.webp) +![addextension](/img/product_docs/passwordsecure/passwordsecure/enduser/addextension.webp) Step 4 – Please open or reload the web application of Netwrix Password Secure (see link in email from your administrator) to connect your user profile with the extension. See the lock icon in the screenshot below. -![extensionadded](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/extensionadded.webp) +![extensionadded](/img/product_docs/passwordsecure/passwordsecure/enduser/extensionadded.webp) Step 5 – Now click on this icon in your browser to open the browser extension. See the Adopt Select **Adopt Web Application profile**. Done! -![nodatabaseprofile](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/nodatabaseprofile.webp) +![nodatabaseprofile](/img/product_docs/passwordsecure/passwordsecure/enduser/nodatabaseprofile.webp) RECOMMENDED: If not done yet, bookmark this page to have it quickly at hand! diff --git a/docs/passwordsecure/9.2/passwordsecure/enduser/cleanuppasswords.md b/docs/passwordsecure/9.2/passwordsecure/enduser/cleanuppasswords.md index 4c4a867609..570aeee2ff 100644 --- a/docs/passwordsecure/9.2/passwordsecure/enduser/cleanuppasswords.md +++ b/docs/passwordsecure/9.2/passwordsecure/enduser/cleanuppasswords.md 
@@ -16,12 +16,12 @@ Step 1 – Every time you login to a website now and your browser wants to autof Secure Pop-up will appear, asking you if you would like to save your secret in Netwrix Password Secure. Just click **Create new**. See the screenshot below. -![createnew](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/createnew.webp) +![createnew](/img/product_docs/passwordsecure/passwordsecure/enduser/createnew.webp) Step 2 – Now the Web Application will open and automatically transfer the recognized login data, including URL to a new data set. -![createpassword](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/createpassword.webp) +![createpassword](/img/product_docs/passwordsecure/passwordsecure/enduser/createpassword.webp) Step 3 – Choose an organizational unit in which you want to save it and give your new data set a meaningful name to find it again quickly. (You now also have the option to add further information @@ -38,7 +38,7 @@ checks the strength of your password and much more. Step 1 – Paste your password in the password field. See the box to the right of the Password field in the screenshot below. -![passwordfield](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/passwordfield.webp) +![passwordfield](/img/product_docs/passwordsecure/passwordsecure/enduser/passwordfield.webp) Step 2 – If it is not classified as "strong" (green), we strongly recommend using the integrated password generator to assign a new, secure password: Therefore, just click on the white password 
@@ -47,7 +47,7 @@ generator icon to the right of the password field. See the Strong button in the Step 3 – The password generator will open. A secure password is created automatically just click “Apply”. (Learn more about the possibilities of our password manager in the next chapter.) -![passwordgenerator](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/passwordgenerator.webp) +![passwordgenerator](/img/product_docs/passwordsecure/passwordsecure/enduser/passwordgenerator.webp) Step 4 – Now don't forget to replace your password in the target application as well. @@ -63,11 +63,11 @@ The password generator offers three possibilities to create a secure password. T Step 1 – Create a user defined password which gives you the most options such as including and excluding special characters or defining the length of the password. -![userdefined](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/userdefined.webp) +![userdefined](/img/product_docs/passwordsecure/passwordsecure/enduser/userdefined.webp) Step 2 – Create a phonetic password that is easier to pronounce, but still complex. -![phonetic](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/phonetic.webp) +![phonetic](/img/product_docs/passwordsecure/passwordsecure/enduser/phonetic.webp) NOTE: This option is best suited for passwords that must be read and typed in, such as operating machines without an internet connection. @@ -75,4 +75,4 @@ machines without an internet connection. Step 3 – Create a password according to a set password rule in your company: If your IT has already stored password guidelines for you, you can select them here and simply click on apply. -![rule](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/rule.webp) +![rule](/img/product_docs/passwordsecure/passwordsecure/enduser/rule.webp) 
diff --git a/docs/passwordsecure/9.2/passwordsecure/enduser/createnewentry.md b/docs/passwordsecure/9.2/passwordsecure/enduser/createnewentry.md index 9b14f5c9c8..7d2b698f52 100644 --- a/docs/passwordsecure/9.2/passwordsecure/enduser/createnewentry.md +++ b/docs/passwordsecure/9.2/passwordsecure/enduser/createnewentry.md 
@@ -4,48 +4,48 @@ Follow the steps to create a new entry from scratch. Step 1 – First, click _Create new password_ on the upper left in Netwrix Password Secure. -![createnewpassword](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/createnewpassword.webp) +![createnewpassword](/img/product_docs/passwordsecure/passwordsecure/enduser/createnewpassword.webp) Step 2 – A form will open. Now choose the form you need, such as "Website," on the upper right. See the form drop-down list in the screenshot below. -![selectform](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/selectform.webp) +![selectform](/img/product_docs/passwordsecure/passwordsecure/enduser/selectform.webp) Step 3 – Let`s fill out the website form in this example. - Choose the organization unit you want to save the password in like the department. -![selectou](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/selectou.webp) +![selectou](/img/product_docs/passwordsecure/passwordsecure/enduser/selectou.webp) - Choose a permission template to define who else can see your password. -![permissionstemplate](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/permissionstemplate.webp) +![permissionstemplate](/img/product_docs/passwordsecure/passwordsecure/enduser/permissionstemplate.webp) - Set a description for your stored password. -![description](../../../../../static/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) +![description](/img/product_docs/accessanalyzer/admin/action/servicenow/description.webp) - Enter the username or email address needed for login. -![username](../../../../../static/img/product_docs/threatprevention/threatprevention/eperestsite/username.webp) +![username](/img/product_docs/threatprevention/threatprevention/eperestsite/username.webp) - Enter the password manually or use the password generator by clicking on the button in the middle (high number). 
The password generator will open. NOTE: To learn more about the generating of passwords, see the -[Clean up Your Passwords](cleanuppasswords.md) topic for additional information. +[Clean up Your Passwords](/docs/passwordsecure/9.2/passwordsecure/enduser/cleanuppasswords.md) topic for additional information. -![password](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/password.webp) +![password](/img/product_docs/passwordsecure/passwordsecure/enduser/password.webp) NOTE: By clicking on the **lock icon** right to the password generator, you can mask and unmask your password. - Enter the website URL that leads to the login. -![websiteurl](../../../../../static/img/product_docs/accessanalyzer/admin/settings/websiteurl.webp) +![websiteurl](/img/product_docs/accessanalyzer/admin/settings/websiteurl.webp) - Add one or more tags to categorize your password and find it easier (i.e., "HR" or "Internet"). -![tags](../../../../../static/img/product_docs/threatprevention/threatprevention/admin/tags/tags.webp) +![tags](/img/product_docs/threatprevention/threatprevention/admin/tags/tags.webp) Step 4 – Click **Save**, and you are done! diff --git a/docs/passwordsecure/9.2/passwordsecure/enduser/organizepasswords.md b/docs/passwordsecure/9.2/passwordsecure/enduser/organizepasswords.md index d1cbbfd125..787daca07f 100644 --- a/docs/passwordsecure/9.2/passwordsecure/enduser/organizepasswords.md +++ b/docs/passwordsecure/9.2/passwordsecure/enduser/organizepasswords.md 
@@ -9,12 +9,12 @@ Follow the steps to add a team tab. Step 1 – Click on the **Plus** sign and a form will open. -![newform](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/newform.webp) +![newform](/img/product_docs/passwordsecure/passwordsecure/enduser/newform.webp) Step 2 – You can now search for a specific organizational unit by clicking on the tree on the left or use the search field to find the unit you need. -![search](../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) +![search](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) Step 3 – Click **OK** to close the form and your new team tab will open automatically. @@ -24,13 +24,13 @@ With a growing number of managed passwords, it becomes even more important to ma and overview. Therefore, Netwrix Password Secure works with tags instead of a folder system: You can assign any number of tags to your passwords to categorize and find them again quickly. -![assigntags](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/assigntags.webp) +![assigntags](/img/product_docs/passwordsecure/passwordsecure/enduser/assigntags.webp) To find a password, just use the search field and enter a tag like the department or position you are in (i.e., "Marketing"). Netwrix Password Secure now not only is searching for tags, but also for “Marketing” in all Netwrix Password Secure fields (i.e., Content Marketing). -![searchresults](../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) +![searchresults](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) NOTE: Optimize your search results by using the **minus sign (-)** to exclude terms: Only results in which this word does not appear will be displayed (i.e., all social media accounts that are used 
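Review bot: The `searchresults` image in this hunk resolves to `/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp`, another product's asset directory, on a Password Secure end-user page, and the rewrite carries that cross-product path over unchanged (the `search.webp` link in the previous hunk points into `threatprevention/` the same way). Please confirm these are the intended screenshots; if they are, copying them under `passwordsecure/passwordsecure/enduser/` would keep a cleanup of the other product's images from breaking or swapping the picture shown here.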
@@ -45,19 +45,19 @@ List View The screenshot below shows the list view. -![listview](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/listview.webp) +![listview](/img/product_docs/passwordsecure/passwordsecure/enduser/listview.webp) Tile View The screenshot below shows the title view. -![switchbutton](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/switchbutton.webp) +![switchbutton](/img/product_docs/passwordsecure/passwordsecure/enduser/switchbutton.webp) When in **tile view**, you can also drag and drop the buttons on another position. By hovering over them with the mouse, you will see more information like the username, and you can login with one click. -![titleview](../../../../../static/img/product_docs/passwordsecure/passwordsecure/enduser/titleview.webp) +![titleview](/img/product_docs/passwordsecure/passwordsecure/enduser/titleview.webp) NOTE: The **list view** is suitable for many data sets while the tile view is particularly favorable for the most frequently used secrets. diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/browser/installation_browser_add-on.md b/docs/passwordsecure/9.2/passwordsecure/installation/browser/installation_browser_add-on.md index a9733a6ade..9db61f5c57 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/browser/installation_browser_add-on.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/browser/installation_browser_add-on.md 
@@ -2,7 +2,7 @@ Following browser extensions can be installed:  -- [Google Chrome](google_chrome.md) -- [Microsoft Edge](microsoft_edge.md) -- [Mozilla Firefox](mozilla_firefox.md) -- [Safari](safari.md) +- [Google Chrome](/docs/passwordsecure/9.2/passwordsecure/installation/browser/google_chrome.md) +- [Microsoft Edge](/docs/passwordsecure/9.2/passwordsecure/installation/browser/microsoft_edge.md) +- [Mozilla Firefox](/docs/passwordsecure/9.2/passwordsecure/installation/browser/mozilla_firefox.md) +- [Safari](/docs/passwordsecure/9.2/passwordsecure/installation/browser/safari.md) diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/browser/microsoft_edge.md b/docs/passwordsecure/9.2/passwordsecure/installation/browser/microsoft_edge.md index b275efbab5..1f6f3c1d5e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/browser/microsoft_edge.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/browser/microsoft_edge.md @@ -6,7 +6,7 @@ The installation of the Edge Add-on is done directly from the official Store. Th downloaded from the following link: [Add-on for Edge](https://microsoftedge.microsoft.com/addons/detail/netwrix-password-secure/ahdfobpkkckhdhbmnpjehdkepaddfhek). -![Add-on Edge](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/browser/addon-edge-en.webp) +![Add-on Edge](/img/product_docs/passwordsecure/passwordsecure/installation/browser/addon-edge-en.webp) NOTE: It is also possible to find the Add-on link in the Web Application page footer, if it is not installed yet diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_client/installation_client.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_client/installation_client.md index 344b92d3ff..81b7047d39 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_client/installation_client.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_client/installation_client.md @@ -3,10 +3,10 @@ ## Guide The MSI installation files and the associated -[Client configuration](../requirements/client_configuration.md) can be found in the corresponding +[Client configuration](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/client_configuration.md) can be found in the corresponding sections. The following step-by-step guide will accompany you through the wizards. -![installation wizard page 1](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-1-en.webp) +![installation wizard page 1](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-1-en.webp) You are required to read and accept the terms of service. These can also be printed. 
@@ -16,29 +16,29 @@ can also define whether additional components should be installed. **CAUTION:** Please only install the Terminal Server Service (for Autofill Add-on) if terminal server operation is intended! -![installation wizard page 2](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-3-en.webp) +![installation wizard page 2](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-3-en.webp) The actual installation starts in the next step. -![installation wizard page 3](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-4-en_339x265.webp) +![installation wizard page 3](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-4-en_339x265.webp) The last step closes the setup and opens (if desired) the Client. -![installation wizard page 4](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-5-en.webp) +![installation wizard page 4](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/installation-client-5-en.webp) ## Installed applications There are always several applications installed. -![client icon](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/cllient-en.webp) +![client icon](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/cllient-en.webp) This is the regular Client. -![offline client icon](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/psrofflineclient-en.webp) +![offline client icon](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/psrofflineclient-en.webp) The Offline Add-on allows access to the data without connection to Server Manager. 
-![icon_autofill_agent](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/icon_autofill_agent.webp) +![icon_autofill_agent](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/icon_autofill_agent.webp) The Autofill Add-on is used for SSO applications. @@ -57,7 +57,7 @@ There is also an option to distribute database profiles. The profiles are specif corresponding registry entry. The next time Netwrix Password Secure is started, the profiles will be saved in the local configuration file. The database connection can be made with the following keys: -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles @@ -71,11 +71,11 @@ These keys are structured like this: - DatabaseName: Name of the database - LastUserName: The field for the user name can be specified here -![profil-registry](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/profil-registry-en.webp) +![profil-registry](/img/product_docs/passwordsecure/passwordsecure/installation/installation_client/profil-registry-en.webp) Is the profile set with the following entries? -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles @@ -85,7 +85,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfil Then the last used date base as well as the last registered user are created with the following ID, when you log in for the first time: -[Copy]() +[Copy](javascript:void(0);) ``` HKEY_CURRENT_USER\SOFTWARE\MATESO\Password Safe and Repository 8\DatabaseProfiles 
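Review bot: `[Copy](javascript:void(0);)` on the added line turns an empty link into a `javascript:` URL, and the same replacement is made in the two preceding hunks of this file. The `[Copy]` text looks like residue of a copy button from the source HTML and has no target in Markdown; a `javascript:` href is the kind of link that sanitizers and a strict Content-Security-Policy are set up to reject, so it should not be introduced just to satisfy a link check. Suggest deleting the `[Copy]` line in all three places, since the fenced registry path that follows it already carries the content.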
diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md index 49a178e207..a452680997 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md 
@@ -3,36 +3,36 @@ ## Guide The MSI installation files and the associated -[Application server](../requirements/application_server.md) can be found in the corresponding +[Application server](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/application_server.md) can be found in the corresponding sections. The following step-by-step guide will accompany you through the wizards. -![Password Secure Server Setup](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-1-en.webp) +![Password Secure Server Setup](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-1-en.webp) First you are required to read and accept the license terms. These can also be printed. -![Password Secure Server Setup](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-2-en.webp) +![Password Secure Server Setup](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-2-en.webp) The next step is to define the location. The suggested location can be retained. If you want to use Netwrix Password Secure as an identity provider -[Configuration of SAML](../../configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md) +[Configuration of SAML](/docs/passwordsecure/9.2/passwordsecure/configuration/advanced_view/clientmodule/applications/configuration_of_saml/configuration_of_saml.md) must be selected. Otherwise, it will not be installed. 
-![Password Secure Server Setup](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-3-en.webp) +![Password Secure Server Setup](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-3-en.webp) Start the installation. -![Password Secure Server Setup](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-4-en.webp) +![Password Secure Server Setup](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-4-en.webp) The last step closes the setup and opens (if desired) the Server Manager. -![Password Secure Server Setup](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-5-en.webp) +![Password Secure Server Setup](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/installation-admin-client-5-en.webp) ## Authentication After the installation, you can login directly to the Server Manager. -![Server Authentication](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/server-auth-en.webp) +![Server Authentication](/img/product_docs/passwordsecure/passwordsecure/installation/installation_server_manager/server-auth-en.webp) NOTE: The initial password for the first login is “admin”. It should be changed directly after the logon. diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/apache.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/apache.md index d4f95da457..76d2f663d8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/apache.md 
+++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/apache.md @@ -16,7 +16,7 @@ It is necessary to enter the directory in which the certificate will be saved he Finally, it is necessary to enter where the certificate key is located here. -![apache-en](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/apache-en.webp) +![apache-en](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/apache-en.webp) Once all of the settings have been entered, the Web Application can be created via the button in the ribbon. The folder in which the ZIP file is located will then open automatically. The archive is now @@ -25,7 +25,7 @@ unzipped and the contents copied to the document directory on the web server. The configuration for the Apache server has now also been created and can be viewed on the Server Manager. -![apache-en-2](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/apache-en-2.webp) +![apache-en-2](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/apache-en-2.webp) The configuration can be selected using CTRL+A and copied. It is then directly integrated onto the Apache server. diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md index 251e2e95dc..e6a4f3c981 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md 
@@ -7,7 +7,7 @@ relevant for further updates. ### System requirements -Please ensured that all [Webserver](../requirements/webserver.md)r requirements have been met. +Please ensured that all [Webserver](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/webserver.md)r requirements have been met. ### SSL certificate @@ -64,7 +64,7 @@ request is available in the permitted domains. In order to add a domain, simply enter it at the bottom of the dialogue. Clicking on :material-plus-circle-outline: will add the entry to the list at the top. -![cors-en-new](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/cors-en-new.webp) +![cors-en-new](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/cors-en-new.webp) NOTE: In general, it is sufficient to add the IP address which was also saved as the Web server host address. diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/microsoft_iis.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/microsoft_iis.md index ef81adb721..9cf1972651 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/microsoft_iis.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/microsoft_iis.md 
@@ -16,7 +16,7 @@ IIS web sever. The name of the website then needs to be entered in the Server Ma necessary to enter the folder from which the Web Application should be operated under "website directory". The format here is "/Web Application" -![IIS installation](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-3-en.webp) +![IIS installation](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-3-en.webp) Once all of the settings have been entered, the Web Application can be created via the corresponding button in the ribbon. When the ZIP archive containing the Web Application has been created, it is @@ -37,7 +37,7 @@ Protokoll. Afterwards, config.bat needs to be executed again. If the website has been correctly created, this will be correspondingly indicated by the notification IIS page created. -![IIS-creating page](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-4-en.webp) +![IIS-creating page](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-4-en.webp) **CAUTION:** Following a successful installation, it is imperative that config.bat is deleted! The config.bat file should also not be used for an "update" 
@@ -47,11 +47,11 @@ config.bat file should also not be used for an "update" The certificate then needs to be saved. Select the newly created website on the IIS web server. The bindings can now be opened on the far right. -![IIS](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-5-en.webp) +![IIS](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-5-en.webp) Select the https entry and open it for editing. The SSL certificate is then selected here. -![IIS](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-6-en.webp) +![IIS](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-6-en.webp) In addition, the Netwrix Password Secure certificate needs to be exported from the Netwrix Password Secure Server and imported onto the ISS under local computer > trusted root certificate location -> diff --git a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/nginx.md b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/nginx.md index ea8334dd56..0b3d91282d 100644 --- a/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/nginx.md +++ b/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/nginx.md 
@@ -18,7 +18,7 @@ path here is /etc/nginx/certs/Web Application.crt. Finally, it is necessary to enter where the certificate key is located here. The default setting is /etc/nginx/certs/Web Application.key. -![ngnix installation](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-9-en.webp) +![ngnix installation](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-9-en.webp) Once all of the settings have been entered, the Web Application can be created via the button in the ribbon. The folder in which the ZIP file is located will then immediately open. The archive is @@ -27,7 +27,7 @@ unzipped and its contents are copied to the document directory on the web server The configuration for the nginx server was also created together with the ZIP file. This can be directly viewed on the Server Manager. -![ngnix installation](../../../../../../static/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-10-en.webp) +![ngnix installation](/img/product_docs/passwordsecure/passwordsecure/installation/installation_web_application/installation-webclient-10-en.webp) The configuration then still needs to be integrated onto the nginx server. It can be directly copied on the Server Manager for this purpose. diff --git a/docs/passwordsecure/9.2/passwordsecure/maintenance/moving_the_server.md b/docs/passwordsecure/9.2/passwordsecure/maintenance/moving_the_server.md index 2f693d7e56..77b98652f8 100644 --- a/docs/passwordsecure/9.2/passwordsecure/maintenance/moving_the_server.md +++ b/docs/passwordsecure/9.2/passwordsecure/maintenance/moving_the_server.md 
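Review bot: The added image line in the `@@ -27,7 +27,7 @@` hunk of nginx.md keeps the alt text "ngnix installation", which misspells nginx and is identical to the alt text of the different screenshot in the `@@ -18,7 +18,7 @@` hunk. Give each image a correctly spelled alt text that says what the screenshot shows (the Server Manager settings versus the generated nginx configuration).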
@@ -8,26 +8,26 @@ It is necessary to make some preparations so that the move can be completed with If the SQL server and the application server are on the same machine, the SQL server should be installed on the new machine first. It is necessary to observe the -[MSSQL Server](../installation/requirements/mssql_server.md) for this process. +[MSSQL Server](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/mssql_server.md) for this process. #### 2. Installing the server The Netwrix Password Secure application server is installed next (see -[Application server](../installation/requirements/application_server.md)). The installation itself +[Application server](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/application_server.md)). The installation itself is described under -[Installation Server Manager](../installation/installation_server_manager/installation_server_manager.md). +[Installation Server Manager](/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md). #### 3. Basic configuration After the server has been installed, the -[Basic configuration](../configuration/server_manager/baseconfiguration/basic_configuration.md) is +[Basic configuration](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/baseconfiguration/basic_configuration.md) is completed. A new configuration database will be created on the SQL server as a result. If you want to retain the old SQL server, it is necessary to give the configuration database a new name. #### 4. Deactivating the old server The license first needs to be deactivated before it can be activated on the new server (see options -under [License settings](../configuration/server_manager/main_menu/license_settings.md). Now stop +under [License settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md). Now stop the server so that nothing more can be changed in the database. 
## Backing up the data @@ -46,12 +46,12 @@ Although this is also possible via the Server Manager, we recommend carrying out SQL level: right click on the database, then on Tasks and Backup. The desired target folder is selected in the following window. -![insert backup](../../../../../static/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-backup-en.webp) +![insert backup](/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-backup-en.webp) #### 3. Backing up the server certificate It is essential that the all available -[Certificates](../configuration/server_manager/certificates/certificates.md) are backed up. +[Certificates](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/certificates/certificates.md) are backed up. Depending on the installation, a different number of certificates are required here. ## Configuring the new server @@ -65,13 +65,13 @@ Firstly, a new database is created on the SQL server. This option can be found i Studio after right clicking on Databases. It is usually sufficient to simply enter the database names. -![integrate the database](../../../../../static/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-new-db-en.webp) +![integrate the database](/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-new-db-en.webp) As soon as the database has been created, the option Restore (under Tasks) can be selected by right clicking on the server. The Database is thus selected here. The backup now needs to be selected. It is also essential to check whether the correct database has been selected in the field "Target". -![restore db](../../../../../static/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-restore-en.webp) +![restore db](/img/product_docs/passwordsecure/passwordsecure/maintenance/sql-restore-en.webp) NOTE: This method can be also used to import backups that were directly created from the Server Manager. 
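Review bot: In the `@@ -8,26 +8,26 @@` hunk of moving_the_server.md, step 4, the rewritten line "under [License settings](...). Now stop" still leaves the parenthesis opened at "(see options" unclosed. Add the closing parenthesis after the link, before the full stop, so the rendered sentence is balanced.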
@@ -79,7 +79,7 @@ Manager. #### 2. Setting up the server After the backup has been installed on the new database, you can be start the Server Manager and run -the setup wizard. The [Setup wizard](../configuration/server_manager/setupwizard/setup_wizard.md) is +the setup wizard. The [Setup wizard](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/setupwizard/setup_wizard.md) is used for (amongst other things) reactivating the license. It is now possible to enter all of the desired configurations for the server. diff --git a/docs/passwordsecure/9.2/passwordsecure/maintenance/update.md b/docs/passwordsecure/9.2/passwordsecure/maintenance/update.md index 21d7a15aa3..0b1a6e370e 100644 --- a/docs/passwordsecure/9.2/passwordsecure/maintenance/update.md +++ b/docs/passwordsecure/9.2/passwordsecure/maintenance/update.md @@ -31,12 +31,12 @@ still active. If the software maintenance package has expired, you are only perm versions that were released during the term of the software maintenance package. Therefore, you should check whether the software maintenance package is still active before an update. This can be easily checked on the Server Manager under -[License settings](../configuration/server_manager/main_menu/license_settings.md). +[License settings](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/license_settings.md). ### Creating a backup An update always involves making a profound change to the existing software. A corresponding -[Backup management](../configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md) +[Backup management](/docs/passwordsecure/9.2/passwordsecure/configuration/server_manager/main_menu/backup_settings/backup_management/backup_management.md) should thus be created directly before the update to ensure that no data is lost if a serious problem arises. 
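Review bot: Both added links in the `@@ -31,12 +31,12 @@` hunk of update.md embed the product version in the path (`/docs/passwordsecure/9.2/...`), which the relative links they replace did not. If this directory is later copied to start the next version's documentation, these links will keep resolving to the 9.2 pages without any build error. Confirm that the versioning workflow rewrites the prefix, or add a link check that flags a page linking outside its own version directory.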
@@ -71,7 +71,7 @@ to be restarted. It is thus recommended that the Netwrix Password Secure service the update. Further information on the installation wizard can be found in the section -[Installation Server Manager](../installation/installation_server_manager/installation_server_manager.md). +[Installation Server Manager](/docs/passwordsecure/9.2/passwordsecure/installation/installation_server_manager/installation_server_manager.md). ### Patch level update for the databases @@ -90,7 +90,7 @@ be carried out using the installation parameters. ### Updating the Web Application The application server must firstly be updated. A new Web Application -([Installation Web Application](../installation/installation_web_application/installation_web_application.md) +([Installation Web Application](/docs/passwordsecure/9.2/passwordsecure/installation/installation_web_application/installation_web_application.md) is then created according to the instructions for the web server being used. The document directory on the web server should now be completely emptied. The Web Application is then unzipped and copied to the document directory on the corresponding web server. @@ -101,5 +101,5 @@ been installed and it must be deleted without fail after a successful update. NOTE: If the Web Application is used, the module: `proxy_wstunnel` must be installed when using Apache. With IIS the `WebSocket Protocol` becomes necessary. Further information can be found in the -chapter [Webserver](../installation/requirements/webserver.md). This applies to version 8.5.0.14896 +chapter [Webserver](/docs/passwordsecure/9.2/passwordsecure/installation/requirements/webserver.md). This applies to version 8.5.0.14896 or newer. diff --git a/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_history.md b/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_history.md index 3e8cb1d5da..a1e08fd222 100644 
--- a/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_history.md +++ b/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_history.md 
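Review bot: In the `@@ -90,7 +90,7 @@` hunk of update.md, the added line "([Installation Web Application](...)" opens a parenthesis that the following context line ("is then created according to the instructions ...") never closes. Close it right after the link so the sentence reads "A new Web Application (Installation Web Application) is then created ...".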
@@ -3,31 +3,31 @@ The previously released versions and the corresponding changelogs can be found in the following sections. -- [Version 9.2.1.32530](version_9.2.1.32530.md) +- [Version 9.2.1.32530](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.2.1.32530.md) -- [Version 9.2.0.32454](version_9.2.0.32454.md) +- [Version 9.2.0.32454](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.2.0.32454.md) -- [Version 9.1.3.31365](version_9.1.3.31365.md) +- [Version 9.1.3.31365](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.1.3.31365.md) -- [Version 9.1.2.31276](version_9.1.2.31276.md) +- [Version 9.1.2.31276](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.1.2.31276.md) -- [Version 9.1.1.31138](version_9.1.1.31138.md) +- [Version 9.1.1.31138](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.1.1.31138.md) -- [Version 9.1.0.30996](version_9.1.0.30996.md) +- [Version 9.1.0.30996](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.1.0.30996.md) -- [Version 9.0.3.30606](version_9.0.3.30606.md) +- [Version 9.0.3.30606](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.0.3.30606.md) -- [Version 9.0.2.30602](version_9.0.2.30602.md) +- [Version 9.0.2.30602](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.0.2.30602.md) -- [Version 9.0.1.30479](version_9.0.1.30479.md) +- [Version 9.0.1.30479](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.0.1.30479.md) -- [Version 9.0.0.30423](version_9.0.0.30423.md) +- [Version 9.0.0.30423](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_9.0.0.30423.md) -- [Version 8.16.6.30233](version_8.16.6.30233.md) +- [Version 8.16.6.30233](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.6.30233.md) -- [Version 8.16.5.30226](version_8.16.5.30226.md) -- [Version 
8.16.4.30125](version_8.16.4.30125.md) -- [Version 8.16.3.29968](version_8.16.3.29968.md) -- [Version 8.16.3.29968](version_8.16.3.29968.md) -- [Version 8.16.1.29875](version_8.16.1.29875.md) -- [Version 8.16.0.29823](version_8.16.0.29823.md) +- [Version 8.16.5.30226](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.5.30226.md) +- [Version 8.16.4.30125](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.4.30125.md) +- [Version 8.16.3.29968](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.3.29968.md) +- [Version 8.16.3.29968](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.3.29968.md) +- [Version 8.16.1.29875](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.1.29875.md) +- [Version 8.16.0.29823](/docs/passwordsecure/9.2/passwordsecure/welcome/version_history/version_8.16.0.29823.md) diff --git a/docs/policypak/policypak/adminstrativetemplates/comments.md b/docs/policypak/policypak/adminstrativetemplates/comments.md index 03c002c5e1..feaa4b2f93 100644 --- a/docs/policypak/policypak/adminstrativetemplates/comments.md +++ b/docs/policypak/policypak/adminstrativetemplates/comments.md @@ -4,4 +4,4 @@ You can add your own note or description to each policy directive. When you deci must open and edit the setting and then add the comment. The comments can be seen in the table view within the GPO. -![about_policypak_admin_templates_20](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_20.webp) +![about_policypak_admin_templates_20](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_20.webp) diff --git a/docs/policypak/policypak/adminstrativetemplates/disableofficeelements.md b/docs/policypak/policypak/adminstrativetemplates/disableofficeelements.md index aa30e79580..704626708b 100644 
--- a/docs/policypak/policypak/adminstrativetemplates/disableofficeelements.md +++ b/docs/policypak/policypak/adminstrativetemplates/disableofficeelements.md @@ -7,12 +7,12 @@ The detailed spreadsheet of the commands and corresponding IDs are listed in [Microsoft's Office 2013 Help Files: Office Fluent User Interface Control Identifiers](https://www.microsoft.com/en-us/download/details.aspx?id=36798) excel spreadsheet. -![493_1_image-20201229221751-1](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/493_1_image-20201229221751-1.webp) +![493_1_image-20201229221751-1](/img/product_docs/policypak/policypak/adminstrativetemplates/493_1_image-20201229221751-1.webp) In this example we are disabling the **Page Color** command of the Themes group from the **Options** tab. As such, we are showing only those steps. -![493_2_image-20201229221751-2_950x415](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/493_2_image-20201229221751-2_950x415.webp) +![493_2_image-20201229221751-2_950x415](/img/product_docs/policypak/policypak/adminstrativetemplates/493_2_image-20201229221751-2_950x415.webp) Here we can see the **Policy** ID for the Page Color command. 
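Review bot: The `@@ -3,31 +3,31 @@` hunk of version_history.md lists "Version 8.16.3.29968" twice in a row, on both the removed and the added side, and the list then jumps from 8.16.3 to 8.16.1.29875. The duplicate looks like it stands in for a missing 8.16.2 entry; check the version_history directory and either point the second line at the correct file or drop it, rather than carrying the duplicate into the new absolute links.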
@@ -26,11 +26,11 @@ Here we can see the **Policy** ID for the Page Color command. Follow the steps to disable the command bar buttons and menu items. -![493_3_image-20201229221751-3_950x434](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/493_3_image-20201229221751-3_950x434.webp) +![493_3_image-20201229221751-3_950x434](/img/product_docs/policypak/policypak/adminstrativetemplates/493_3_image-20201229221751-3_950x434.webp) **Step 1 –** Configure the setting inthe Endpoint Policy Manager Administrative Templates Manager. -![493_4_image-20201229221751-4](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/493_4_image-20201229221751-4.webp) +![493_4_image-20201229221751-4](/img/product_docs/policypak/policypak/adminstrativetemplates/493_4_image-20201229221751-4.webp) **Step 2 –** Set the command ID in this setting to disable `any/ Page Color` command. diff --git a/docs/policypak/policypak/adminstrativetemplates/existinggpos.md b/docs/policypak/policypak/adminstrativetemplates/existinggpos.md index 979a02b7d1..b52f14bdd9 100644 --- a/docs/policypak/policypak/adminstrativetemplates/existinggpos.md +++ b/docs/policypak/policypak/adminstrativetemplates/existinggpos.md @@ -8,7 +8,7 @@ Utility allows you to do just that. Identify the source GPOs that contain Micros settings (known as REG.POL settings), and then specify a target GPO, to create a collection. **NOTE:** See the -[Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/mdm/exportgpos.md) +[Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/mdm/exportgpos.md) topic for more information. A secondary use for the Endpoint Policy Manager **Group Policy Merge Utility** is to merge multiple 
@@ -17,12 +17,12 @@ for use with Endpoint Policy Manager Cloud or an MDM service. This way, you can Group Policy settings and export them quickly and easily into one export file, which is uploaded into Endpoint Policy Manager Cloud or an MDM service for use later. -![merging_and_reducing_existing](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/merging_and_reducing_existing.webp) +![merging_and_reducing_existing](/img/product_docs/policypak/policypak/adminstrativetemplates/merging_and_reducing_existing.webp) To run the tool, locate the downloadable ISO file in the Endpoint Policy Manager Extras folder, as seen below. -![merging_and_reducing_existing_1](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/merging_and_reducing_existing_1.webp) +![merging_and_reducing_existing_1](/img/product_docs/policypak/policypak/adminstrativetemplates/merging_and_reducing_existing_1.webp) Currently, the Endpoint Policy Manager **Group Policy Merge Tool** can only migrate GPOs containing ADM/ADMX (REG.POL) items. In the future, more formats will be available for other scenarios. diff --git a/docs/policypak/policypak/adminstrativetemplates/export.md b/docs/policypak/policypak/adminstrativetemplates/export.md index 193d43b21d..46d019ff32 100644 --- a/docs/policypak/policypak/adminstrativetemplates/export.md +++ b/docs/policypak/policypak/adminstrativetemplates/export.md @@ -1,6 +1,6 @@ # Exporting Policies and Collections -The [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) topic explains how to +The [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) topic explains how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. To export a policy for later use using Endpoint Policy Manager 
@@ -9,5 +9,5 @@ Exporter or Endpoint Policy Manager Cloud, right-click the collection or the pol **NOTE:** For a video of Endpoint Policy Manager Admin Templates Manager delivering settings using Endpoint Policy Manager Exporter and Microsoft Endpoint Manager (SCCM and Intune), see the -[Endpoint Policy Manager Cloud: Deploy Group Policy Admin template settings over the internet](../video/administrativetemplates/deployinternet.md) +[Endpoint Policy Manager Cloud: Deploy Group Policy Admin template settings over the internet](/docs/policypak/policypak/video/administrativetemplates/deployinternet.md) topic for additional information. diff --git a/docs/policypak/policypak/adminstrativetemplates/gettoknow/collection.md b/docs/policypak/policypak/adminstrativetemplates/gettoknow/collection.md index 45300d0727..ef1eba2ce1 100644 --- a/docs/policypak/policypak/adminstrativetemplates/gettoknow/collection.md +++ b/docs/policypak/policypak/adminstrativetemplates/gettoknow/collection.md @@ -5,7 +5,7 @@ policies (or other collections) within it. By creating a collection, you are abl Targeting to ensure that the collection's directives only apply to users or machines when certain conditions are true. -![Administrative Template Manager Add New Collection](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_7.webp) +![Administrative Template Manager Add New Collection](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_7.webp) To create a collection, follow these steps: 
@@ -15,23 +15,23 @@ To create a collection, follow these steps: **Step 2 –** Within Endpoint Policy Manager **Admin Templates Manager** editor, add a new collection. -![about_policypak_admin_templates_8](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_8.webp) +![about_policypak_admin_templates_8](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_8.webp) Once this is done, you are prompted to name the collection. **Step 3 –** Keep the default name, or change it as needed. For instance, you may want to create a collection of Control Panel settings that only affect your East Sales Users. -![about_policypak_admin_templates_9](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_9.webp) +![about_policypak_admin_templates_9](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_9.webp) **Step 4 –** To create a user defined name for a collection, double-click the collection field, and then add specific policies that you would like to apply only to your East Sales Users. -![about_policypak_admin_templates_10](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_10.webp) +![about_policypak_admin_templates_10](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_10.webp) There are settings in the collection that affect only the specified users. Next, we'll ensure that only the East Sales Users get these policy settings while using Item-Level Targeting. 
See the -[Using Item-Level Targeting with Collections and Policies](../itemleveltargeting.md) topic for +[Using Item-Level Targeting with Collections and Policies](/docs/policypak/policypak/adminstrativetemplates/itemleveltargeting.md) topic for additional information on the next steps. diff --git a/docs/policypak/policypak/adminstrativetemplates/gettoknow/computerside.md b/docs/policypak/policypak/adminstrativetemplates/gettoknow/computerside.md index ec59c23d62..8e6612e377 100644 --- a/docs/policypak/policypak/adminstrativetemplates/gettoknow/computerside.md +++ b/docs/policypak/policypak/adminstrativetemplates/gettoknow/computerside.md @@ -3,14 +3,14 @@ When using Endpoint Policy Manager Admin Templates Manager to create a policy on the Computer side, you can tap into both Computer and User policy settings. -![about_policypak_admin_templates_6](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_6.webp) +![about_policypak_admin_templates_6](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_6.webp) With both computer and user policy settings available in Endpoint Policy Manager Admin Templates Manager you can deliver user-side settings to any computer that has this GPO. **NOTE:** For more information on the Endpoint Policy Manager Admin Templates Manager delivering user-side settings to computers, see the -[Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](../../video/administrativetemplates/switchedpolicies.md) +[Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](/docs/policypak/policypak/video/administrativetemplates/switchedpolicies.md) topic for additional information. This feature allows you to avoid the complex process of Group Policy Loopback processing just for 
diff --git a/docs/policypak/policypak/adminstrativetemplates/gettoknow/overview.md b/docs/policypak/policypak/adminstrativetemplates/gettoknow/overview.md index 6e9cb189d3..c188e44320 100644 --- a/docs/policypak/policypak/adminstrativetemplates/gettoknow/overview.md +++ b/docs/policypak/policypak/adminstrativetemplates/gettoknow/overview.md @@ -4,4 +4,4 @@ The Endpoint Policy Manager Admin Templates Manager editor is found in the Endpo node. The Endpoint Policy Manager Admin Templates Manager allows you to create a new policy or collection. -![about_policypak_admin_templates_2](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_2.webp) +![about_policypak_admin_templates_2](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_2.webp) diff --git a/docs/policypak/policypak/adminstrativetemplates/gettoknow/userside.md b/docs/policypak/policypak/adminstrativetemplates/gettoknow/userside.md index 33af9cbaf4..f3e46d5b41 100644 --- a/docs/policypak/policypak/adminstrativetemplates/gettoknow/userside.md +++ b/docs/policypak/policypak/adminstrativetemplates/gettoknow/userside.md 
@@ -7,14 +7,14 @@ that Microsoft has, and you can select to use the Microsoft Central Storage or l **NOTE:** The User side only displays user-side policies, and the Scope Filter section is grayed out and unchangeable. -![about_policypak_admin_templates_3](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_3.webp) +![about_policypak_admin_templates_3](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_3.webp) -![about_policypak_admin_templates_4](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_4.webp) +![about_policypak_admin_templates_4](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_4.webp) Selecting a particular policy setting opens the setting. This is similar to, but not exactly, what you would see if you edited the same policy using Microsoft's Admin Templates node. -![about_policypak_admin_templates_5](../../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_5.webp) +![about_policypak_admin_templates_5](/img/product_docs/policypak/policypak/adminstrativetemplates/gettoknow/about_policypak_admin_templates_5.webp) Similarities between the two windows include the same options (**Not Configured**, **Enabled**, and **Disabled**) and sub-options, like the **Comment** field, the **Supported on** field (read-only), diff --git a/docs/policypak/policypak/adminstrativetemplates/itemleveltargeting.md b/docs/policypak/policypak/adminstrativetemplates/itemleveltargeting.md index bce3b3c961..2cc402604f 100644 --- a/docs/policypak/policypak/adminstrativetemplates/itemleveltargeting.md +++ b/docs/policypak/policypak/adminstrativetemplates/itemleveltargeting.md 
@@ -6,13 +6,13 @@ or computers. In this example, we want the collection named **Control Panel Sett Users** to apply only to the East Sales Users. To do this, right-click the collection and then select **Change Item Level Targeting**, as seen below. -![about_policypak_admin_templates_11](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_11.webp) +![about_policypak_admin_templates_11](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_11.webp) The **Edit Item Level Targeting** menu item brings up the **Targeting Editor**. You can select any combination of characteristics you want to test for. The interface is similar to that used in Group Policy Preferences' Item-Level Targeting. -![about_policypak_admin_templates_12](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_12.webp) +![about_policypak_admin_templates_12](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_12.webp) You can apply one or more targeting items to a policy, which enables targeting items to be joined logically. You can also add targeting collections, which group together targeting items in much the 
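Review bot: The context around the two changed image lines in the `@@ -6,13 +6,13 @@` hunk of itemleveltargeting.md names the same menu item two ways: the reader is told to select **Change Item Level Targeting**, and the next paragraph says the **Edit Item Level Targeting** menu item opens the Targeting Editor. While these lines are being touched, settle on the label the product actually shows so the step and the screenshot agree.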
@@ -38,20 +38,20 @@ Below are some real-world examples of how you can use Item-Level Targeting. - IP range — You can specify different settings for various IP ranges, like different settings for the home office and each field office -![about_policypak_admin_templates_13](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_13.webp) +![about_policypak_admin_templates_13](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_13.webp) After you are done editing, close the editor. In the GP Management editor, you see that the collection's icon has changed to orange, which shows that it now has Item-Level Targeting on the whole collection. In other words, none of the items in the collection will apply unless the Item-Level Targeting on the collection evaluates to **True**. -![about_policypak_admin_templates_14](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_14.webp) +![about_policypak_admin_templates_14](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_14.webp) You can also see that Item-Level Targeting is set on the collection when you click a higher node, where you'll see the name of the collection and a column designating if Item-Level Targeting is on (**Yes**) or off (**No**). -![about_policypak_admin_templates_15](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_15.webp) +![about_policypak_admin_templates_15](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_15.webp) You may also right-click any policy directive and select **Edit Item Level Targeting**. 
@@ -62,7 +62,7 @@ or not you want Item-Level Targeting applied to the following settings: - Only apply the **Prevent Changing theme** policy setting (within the collection) to users on laptops -![about_policypak_admin_templates_16](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_16.webp) +![about_policypak_admin_templates_16](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_16.webp) If you put Item-Level Targeting on a specific policy setting, you can see the icon's color change to orange, and the field **Item Level Targeting** will change to **Yes**. diff --git a/docs/policypak/policypak/adminstrativetemplates/overview.md b/docs/policypak/policypak/adminstrativetemplates/overview.md index 693f6b11f1..88490850ee 100644 --- a/docs/policypak/policypak/adminstrativetemplates/overview.md +++ b/docs/policypak/policypak/adminstrativetemplates/overview.md @@ -1,7 +1,7 @@ # Administrative Templates Manager **NOTE:** Before reading this section, please see the -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md) topic  for more +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) topic  for more information on the following: - Install the Admin MSI on your GPMC machine 
@@ -10,21 +10,21 @@ information on the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, see the -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) topic for more +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) topic for more information. Endpoint Policy Manager Admin Templates Manager enables administrators to harness the existing power of Microsoft's 3000+ Admin Template settings and a lot more. **NOTE:** See the -[Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](../video/administrativetemplates/collections.md) +[Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](/docs/policypak/policypak/video/administrativetemplates/collections.md) topic for more in formation on Endpoint Policy Manager Admin Templates Manager. -![about_policypak_admin_templates](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates.webp) +![about_policypak_admin_templates](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates.webp) Here we can see some of Microsoft's Admin Template settings. -![about_policypak_admin_templates_1](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_1.webp) +![about_policypak_admin_templates_1](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_1.webp) Endpoint Policy Manager Admin Templates Manager is a node you see within every Group Policy Object (GPO) you create. 
@@ -38,7 +38,7 @@ Endpoint Policy Manager Admin Templates Manager enables you to perform the follo - Search for policies that match certain words in their titles or help text - Export policies or collections as XML files (available with Endpoint Policy Manager Exporter and Endpoint Policy Manager Cloud). See the - [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) topic for more + [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) topic for more information on using Endpoint Policy Manager with MDM and UEM Tools. The basic way to use Endpoint Policy Manager Admin Templates Manager is as follows: diff --git a/docs/policypak/policypak/adminstrativetemplates/priority.md b/docs/policypak/policypak/adminstrativetemplates/priority.md index d99ab2cf23..279ff9d1e4 100644 --- a/docs/policypak/policypak/adminstrativetemplates/priority.md +++ b/docs/policypak/policypak/adminstrativetemplates/priority.md @@ -4,7 +4,7 @@ Endpoint Policy Manager Admin Templates Manager enables you to put policy direct GPO and within a single collection. This is most useful when used in conjunction with Item-Level Targeting, as described in the previous section. -![about_policypak_admin_templates_17](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_17.webp) +![about_policypak_admin_templates_17](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_17.webp) Here you can see the same policy, **Screen saver timeout**, used three times within the same GPO. However, each policy directive has **Item-Level Targeting** turned on and specific conditions 
@@ -16,7 +16,7 @@ We recommend using Endpoint Policy Manager Admin Templates Manager in the follow - Use Item-Level Targeting to set the conditions - Set a description about that particular AppSet item (see the next section) -![about_policypak_admin_templates_18](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_18.webp) +![about_policypak_admin_templates_18](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_18.webp) Occasionally there can be multiple AppSets that have overlapping settings. In that case, ensure that the delivery of those settings occur in a particular order. As we see above, Endpoint Policy Manager @@ -26,7 +26,7 @@ Policy settings within a GPO are processed in order from lowest to highest. **NOTE:** This is the same way Group Policy Preferences performs ordering as well. -![about_policypak_admin_templates_19](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_19.webp) +![about_policypak_admin_templates_19](/img/product_docs/policypak/policypak/adminstrativetemplates/about_policypak_admin_templates_19.webp) To change the priority of a particular AppSet, click on it and select ether **Raise Priority**, **Lower Priority**, **Maximum Priority**, or **Minimum Priority**. diff --git a/docs/policypak/policypak/adminstrativetemplates/settings.md b/docs/policypak/policypak/adminstrativetemplates/settings.md index 7ed9bbc46f..4991a52e44 100644 --- a/docs/policypak/policypak/adminstrativetemplates/settings.md +++ b/docs/policypak/policypak/adminstrativetemplates/settings.md 
@@ -4,7 +4,7 @@ Netwrix Endpoint Policy Manager (formerly PolicyPak) Admin Templates Manager del Group Policy Admin Template settings (User side or Computer side) to your Windows users and machines. -![688_1_ppatm-gpme-user_400x1188](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/688_1_ppatm-gpme-user_400x1188.webp) +![688_1_ppatm-gpme-user_400x1188](/img/product_docs/policypak/policypak/adminstrativetemplates/688_1_ppatm-gpme-user_400x1188.webp) The Administrative Templates for the User Configuration settings contains the following: @@ -15,7 +15,7 @@ The Administrative Templates for the User Configuration settings contains the fo - System - Windows Components -![688_2_ppatm-gpme-comp_400x1180](../../../../static/img/product_docs/policypak/policypak/adminstrativetemplates/688_2_ppatm-gpme-comp_400x1180.webp) +![688_2_ppatm-gpme-comp_400x1180](/img/product_docs/policypak/policypak/adminstrativetemplates/688_2_ppatm-gpme-comp_400x1180.webp) The Administrative Templates for the Computer Configuration settings contains the following: diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/findfixgpos.md b/docs/policypak/policypak/applicationsettings/appsetfiles/findfixgpos.md index 85c326632e..f0b03d9150 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/findfixgpos.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/findfixgpos.md @@ -3,7 +3,7 @@ If someone deletes the DLL for a GPO (either within the Central Storage or Local Store), when you're editing the GPO you'll see the error shown in Figure 88. -![policypak_application_settings_3_26](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_26.webp) +![policypak_application_settings_3_26](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_26.webp) Figure 88. If the DLL is deleted for a GPO, an error will be shown. 
@@ -14,7 +14,7 @@ To help you quickly find all instances where this occurs, the Endpoint Policy Ma utility can locate all Endpoint Policy Manager DLL Orphans and rectify the situation. You can see the Endpoint Policy Manager GPOTouch utility in Figure 89. -![policypak_application_settings_3_27](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_27.webp) +![policypak_application_settings_3_27](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_27.webp) Figure 89. The Endpoint Policy Manager GPOTouch utility can find and repair orphaned Paks within GPOs. @@ -25,4 +25,4 @@ remediate the GPO. **NOTE:** To see an overview of the Endpoint Policy Manager GPOTouch utility repairing Endpoint Policy Manager DLL Orphans, please watch this video: -[Understanding and fixing Endpoint Policy Manager DLL Orphans](../../video/applicationsettings/dllorphans.md). +[Understanding and fixing Endpoint Policy Manager DLL Orphans](/docs/policypak/policypak/video/applicationsettings/dllorphans.md). diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/gpotouchutility.md b/docs/policypak/policypak/applicationsettings/appsetfiles/gpotouchutility.md index 1404328e06..e38110d336 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/gpotouchutility.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/gpotouchutility.md 
@@ -12,7 +12,7 @@ DesignStudio setup MSI. To start the Endpoint Policy Manager GPOTouch utility, find it in the Start Menu, as seen in Figure 87. -![policypak_application_settings_3_25](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_25.webp) +![policypak_application_settings_3_25](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_25.webp) Figure 87. The Start Menu showing Endpoint Policy Manager GPOTouch. @@ -20,4 +20,4 @@ Then follow the prompts to specify the source for the latest AppSets that you wa Central Storage, Share-Based Storage, Local Store, or All GPOs with the latest AppSets. **NOTE:** To see an overview of the Endpoint Policy Manager GPOTouch utility, please watch this -tutorial video: [GPOTouch Utility](../../video/applicationsettings/touchutility.md). +tutorial video: [GPOTouch Utility](/docs/policypak/policypak/video/applicationsettings/touchutility.md). diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/central.md b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/central.md index c4049fb743..8ca8ba08ec 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/central.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/central.md 
@@ -16,7 +16,7 @@ Storage—automatically. **NOTE:** If you are familiar with Group Policy's ADMX Central Storage, this feature is identical and accomplishes a similar task. For information on Microsoft's implementation of central storage, please read -[Understanding and fixing Endpoint Policy Manager DLL Orphans](../../../video/applicationsettings/dllorphans.md). +[Understanding and fixing Endpoint Policy Manager DLL Orphans](/docs/policypak/policypak/video/applicationsettings/dllorphans.md). Creating the Endpoint Policy Manager Central Storage is easy and only needs to be performed one time. The actions that a domain administrator needs to perform are: 
@@ -32,15 +32,15 @@ time. The actions that a domain administrator needs to perform are: Policy Manager folder at `c:\windows\SYSVOL\SYSVOL\policies\PolicyPak`. An example of this can be seen in Figure 70. -![policypak_application_settings_3_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_5.webp) +![policypak_application_settings_3_5](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_5.webp) Figure 68. The location of the SYSVOL folders. -![policypak_application_settings_3_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_6.webp) +![policypak_application_settings_3_6](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_6.webp) Figure 69. The newly created folder called "Endpoint Policy Manager." -![policypak_application_settings_3_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_7.webp) +![policypak_application_settings_3_7](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_7.webp) Figure 70. The Endpoint Policy Manager extension DLLs being moved to the newly created Endpoint Policy Manager folder. 
@@ -54,11 +54,11 @@ create a new GPO. You should immediately see your Endpoint Policy Manager extens the Endpoint Policy Manager | Applications flyout menu (as seen in Figure 71) and, when they're utilized, you'll see the Extension Location change to Central Storage, as seen in Figure 72. -![policypak_application_settings_3_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_8.webp) +![policypak_application_settings_3_8](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_8.webp) Figure 71. Endpoint Policy Manager extensions available in the flyout menu. -![policypak_application_settings_3_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_9.webp) +![policypak_application_settings_3_9](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_9.webp) Figure 72. The extension location has been changed to Central Storage. diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/local.md b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/local.md index 8a8f88aab0..0c05b58a2a 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/local.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/local.md 
@@ -10,7 +10,7 @@ directories. In Figure 64, you can see the`%ProgramFiles%\PolicyPak\Extensions`directory and the compiled AppSets within it. -![policypak_application_settings_3_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_1.webp) +![policypak_application_settings_3_1](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_1.webp) Figure 64. The files that are contained in the` %ProgramFiles%\PolicyPak\Extensions` directory. @@ -26,7 +26,7 @@ trying to load them, which could cause an error. In Figure 65, you can see the extension DLL is being leveraged from Local Storage. -![policypak_application_settings_3_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_2.webp) +![policypak_application_settings_3_2](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_2.webp) Figure 65. The Local Storage is being leveraged by the extension DLL. @@ -72,7 +72,7 @@ Figure 66. editing a GPO, you need to install Endpoint Policy Manager Admin Console.msi on machines that use the GPMC. -![policypak_application_settings_3_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_3.webp) +![policypak_application_settings_3_3](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_3.webp) Figure 66. This message informs the adminstrator that they need to set up `c:\Program Files\PolicyPak\Extensions` directory on this computer. 
@@ -90,7 +90,7 @@ create a new GPO that contains Endpoint Policy Manager directives, as seen in Fi are no Endpoint Policy Manager extension DLLs on the machine that is running the GPMC, then there is no way to define an AppSet item. -![policypak_application_settings_3_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_4.webp) +![policypak_application_settings_3_4](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_4.webp) Figure 67. The application is unavailable because there is no way for the administrator to create a new GPO if the DLL isn't on the local machine. diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/sharebased.md b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/sharebased.md index ed07bf4a9e..373064a43e 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/storage/sharebased.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/storage/sharebased.md @@ -18,7 +18,7 @@ DC. Simply copy the Endpoint Policy Manager extension DLLs into the shared folder (which must be readable by everyone). -![policypak_application_settings_3_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_10.webp) +![policypak_application_settings_3_10](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_10.webp) Locating the PAK123 folder. 
@@ -26,16 +26,16 @@ Once you do this, the AppSets are ready to be used. However, these AppSets will display in the MMC. By default, only AppSets in the Local or Central Storage will show up automatically. -![policypak_application_settings_3_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_11.webp) +![policypak_application_settings_3_11](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_11.webp) Paks in the Local and Central Storage are shown automatically. To enable the AppSets in the share to be seen by the MMC snap-in, you must manually select "Manage Share-Based Central Stores". -![policypak_application_settings_3_12](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_12.webp) +![policypak_application_settings_3_12](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_12.webp) -![policypak_application_settings_3_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_13.webp) +![policypak_application_settings_3_13](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_13.webp) Step 1 (left) select "Manage Share-Based Central Stores." Step 2 (right) specify which shares hold Endpoint Policy Manager DLL files. 
@@ -43,7 +43,7 @@ Endpoint Policy Manager DLL files. Once you specify the share, you will see the AppSets added. When any Share-Based AppSet is used, you will see its Extension Location display as Share-Based Storage. -![policypak_application_settings_3_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_14.webp) +![policypak_application_settings_3_14](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_14.webp) Any Share-Based Pak will show up in the Extension Location. @@ -53,7 +53,7 @@ Application Settings Manager administrators quickly and automatically using the Preferences Registry Extension. Simply specify the locations as REG_MULTI_SZ in the Paths value to` HKEY_CURRENT_USER\Software\ PolicyPak\Config\MMC\CentralStores`. -![policypak_application_settings_3_15](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_15.webp) +![policypak_application_settings_3_15](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/storage/policypak_application_settings_3_15.webp) In the Registry editor you can mass-deliver Share-Based Storage locations to other Endpoint Policy Manager administrators quickly and automatically. diff --git a/docs/policypak/policypak/applicationsettings/appsetfiles/versioncontrol.md b/docs/policypak/policypak/applicationsettings/appsetfiles/versioncontrol.md index a0afc75574..15694d8eb5 100644 --- a/docs/policypak/policypak/applicationsettings/appsetfiles/versioncontrol.md +++ b/docs/policypak/policypak/applicationsettings/appsetfiles/versioncontrol.md 
@@ -28,7 +28,7 @@ An AppSet is defined by its project name. You can see the project name when you and also when you're working with the project within Endpoint Policy Manager DesignStudio by selecting the Project Properties tab on the left (see Figure 78). -![policypak_application_settings_3_16](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_16.webp) +![policypak_application_settings_3_16](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_16.webp) Figure 78. The project name on the Project Properties tab in Endpoint Policy Manager DesignStudio. @@ -46,7 +46,7 @@ different name (`WinZipc.xml`). Finally, the project was compiled. The result is However, in both cases, the internal project name is WinZip, as seen in Figure 79, because it did not change between projects. -![policypak_application_settings_3_17](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_17.webp) +![policypak_application_settings_3_17](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_17.webp) Figure 79. An example showing that, while the file names may change, the project name remains the same. 
@@ -66,7 +66,7 @@ multiple Endpoint Policy Manager extension DLLs exists for the same project, you entry appears in the flyout menu. You can switch to different DLL at any time by right-clicking the item and selecting "Reconnect Endpoint Policy Manager DLL," as shown in Figure 80. -![policypak_application_settings_3_18](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_18.webp) +![policypak_application_settings_3_18](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_18.webp) Figure 80. You can connect to any version at any time when working with GPOs. @@ -74,13 +74,13 @@ Figure 80. You can connect to any version at any time when working with GPOs. local storage version you want based on compiled date and time. The file names are also shown as a convenience. -![policypak_application_settings_3_19](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_19.webp) +![policypak_application_settings_3_19](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_19.webp) Figure 81. Pick the version you want, either according to DLL name or date. Now the item is updated with the newer DLL as shown in Figure 82. -![policypak_application_settings_3_20](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_20.webp) +![policypak_application_settings_3_20](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_20.webp) Figure 82. Note the new version is listed now. 
@@ -109,7 +109,7 @@ Endpoint Policy Manager extension DLLs exist for the same project, you'll only s in the flyout menu. When you click the desired project, you'll be prompted for which version you want to use, as seen in Figure 83. -![policypak_application_settings_3_21](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_21.webp) +![policypak_application_settings_3_21](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_21.webp) Figure 83. For projects with the same name, you'll be prompted to choose which version you want to use while creating a new GPO. @@ -124,7 +124,7 @@ in the Central Storage. However, you can also upgrade an existing AppSet item wi do this, right-click the item and select "Update Endpoint Policy Manager DLL," as seen in Figure 84. If the newer DLL is selected, it will update the underlying GPO data. -![policypak_application_settings_3_22](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_22.webp) +![policypak_application_settings_3_22](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_22.webp) Figure 84. Upgrading an existing Pak item with a newer DLL. 
@@ -132,7 +132,7 @@ Figure 84. Upgrading an existing Pak item with a newer DLL. **NOTE:** If you would like to see a video overview of how to manually migrate to newer DLLs and update GPOs, please watch this tutorial video: -[Understanding and fixing Endpoint Policy Manager DLL Orphans](../../video/applicationsettings/dllorphans.md). +[Understanding and fixing Endpoint Policy Manager DLL Orphans](/docs/policypak/policypak/video/applicationsettings/dllorphans.md). With the versioning system, you will be able to create Endpoint Policy Manager DLLs locally and create and test GPOs, as needed, to make sure the new DLL works exactly as expected. Then, when @@ -148,7 +148,7 @@ Central Storage and You can see this in Figure 85. -![policypak_application_settings_3_23](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_23.webp) +![policypak_application_settings_3_23](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_23.webp) Figure 85. The process of removing old DLLs. @@ -156,7 +156,7 @@ When you complete this process, the next time you (or other administrators) crea be using the version contained in the Central Storage. If you (or other administrators) edit an existing GPO, you will get the familiar notice shown in Figure 86. -![policypak_application_settings_3_24](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_24.webp) +![policypak_application_settings_3_24](/img/product_docs/policypak/policypak/applicationsettings/appsetfiles/policypak_application_settings_3_24.webp) Figure 86. The notice received when editing an existing GPO. diff --git a/docs/policypak/policypak/applicationsettings/centralstore.md b/docs/policypak/policypak/applicationsettings/centralstore.md index db641ae206..8eb9f4dd4c 100644 --- a/docs/policypak/policypak/applicationsettings/centralstore.md 
+++ b/docs/policypak/policypak/applicationsettings/centralstore.md @@ -6,4 +6,4 @@ domain controllers within your network called "PolicPak". Then copy the Endpoint files that currently reside in your local storage and paste them into that folder. Here is the how-to video: -[Working with Others and using the Central Store](../video/applicationsettings/centralstorework.md) +[Working with Others and using the Central Store](/docs/policypak/policypak/video/applicationsettings/centralstorework.md) diff --git a/docs/policypak/policypak/applicationsettings/designstudio/advanced.md b/docs/policypak/policypak/applicationsettings/designstudio/advanced.md index 52917695a8..df14e85509 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/advanced.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/advanced.md @@ -11,7 +11,7 @@ values. Let's explore all these areas. By default, all elements show their basic view. You can see at a glance the most important items that the Configuration Wizard has configured, as shown in Figure 142. -![advanced_appset_design_and](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and.webp) +![advanced_appset_design_and](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and.webp) Figure 142. The basic properties of an element. @@ -23,7 +23,7 @@ the "…" (not shown), and then select the text on the page that most closely re box, spinbox, etc. is trying to configure. In Figure 143, the radio button group is being described by the text "Associated image viewer." -![advanced_appset_design_and_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_1.webp) +![advanced_appset_design_and_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_1.webp) Figure 143. Example of an element's label link. 
@@ -32,7 +32,7 @@ Figure 143. Example of an element's label link. You can also click the "Advanced" button within Properties to see more detailed information about an element, as shown in Figure 144.> -![advanced_appset_design_and_2](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_2.webp) +![advanced_appset_design_and_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_2.webp) Figure 144. The "Advanced" button in the Properties dialog. @@ -58,7 +58,7 @@ checkbox is checked. In Figure 145, you can see the following: It's possible to see (or set) second and third actions when an element changes. You can dictate values within any of the supported datatypes, as shown in Figure 145. -![advanced_appset_design_and_3](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_3.webp) +![advanced_appset_design_and_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_3.webp) Figure 145. Examples of second actions. 
@@ -69,20 +69,20 @@ After selecting the data type (Registry, INI, XML, etc.) you are then prompted f property (or registry key and registry value), which in Figure 146 are shown as "[MainFrame]" and "AdvertiseIndex." -![advanced_appset_design_and_4](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_4.webp) +![advanced_appset_design_and_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_4.webp) Figure 146. Selecting the section and property. Once the value is manually selected, you are able to place the value automatically within the On or Off values (or both or neither), as shown in Figure 147. -![advanced_appset_design_and_5](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_5.webp) +![advanced_appset_design_and_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_5.webp) Figure 147. Placing the value within the "On" or "Off" fields. After placing the items, you can further specify the On and Off values within the action itself, as shown in Figure 148. Checkboxes are only allowed three actions. -![advanced_appset_design_and_6](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_6.webp) +![advanced_appset_design_and_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/advanced_appset_design_and_6.webp) Figure 148. Specifying "On" and "Off" values within the action. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/controlpanel.md b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/controlpanel.md index 3ae80aedd9..4b1e502ec8 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/controlpanel.md 
+++ b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/controlpanel.md @@ -8,14 +8,14 @@ Manager, and as such, there is special procedure in order to lock them down. In 64-bit machines to try to capture Control Panel applets. Figure 203 shows that Endpoint Policy Manager DesignStudio sees the process as rundll32.exe when it is running on a 64-bit machine. -![special_applications_and_project_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_3.webp) +![special_applications_and_project_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_3.webp) Figure 203. The Control Panel item when running DesignStudio on a 64-bit machine. When Endpoint Policy Manager DesignStudio is running on a 32-bit machine, can see that the Control Panel applet's name is being called by a CPL extension (see Figure 204). -![special_applications_and_project_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_4.webp) +![special_applications_and_project_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_4.webp) Figure 204. The Control Panel item when running DesignStudio on a 32-bit machine. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/hkeylocalmachine.md b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/hkeylocalmachine.md index ad8c86c4f3..eeedaa1bfb 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/hkeylocalmachine.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/hkeylocalmachine.md 
@@ -5,14 +5,14 @@ Endpoint Policy Manager Application Settings Manager has a facility to deploy re a service and has entries only in `HKEY_Local_Machine`. You set the project up as shown in Figure 213, then define the data root with a node within `HKEY_Local_Machine`. -![special_applications_and_project_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_13.webp) +![special_applications_and_project_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_13.webp) Figure 213. Defining the data root as `HKEY_Local_Machine`. However, when you do, you'll be prompted with a message suggesting that this might or might not work as shown in Figure 214. -![special_applications_and_project_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_14.webp) +![special_applications_and_project_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_14.webp) Figure 214. The warning when defining the data root as `HKEY_Local_Machine`. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/javabased.md b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/javabased.md index 124346c66d..a46a747eac 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/javabased.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/javabased.md 
@@ -17,13 +17,13 @@ The second step to capture the UIs of Java-based applications is to disable the control. To do this, select "Change User Account Control settings" from the Start Menu, as shown in Figure 199. -![special_applications_and_project](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project.webp) +![special_applications_and_project](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project.webp) Figure 199. Disabling the user account control settings. Then, slide the slider all the way to the bottom, as shown in Figure 200. -![special_applications_and_project_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_1.webp) +![special_applications_and_project_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_1.webp) Figure 200. Changing the slider to "Never notify." @@ -32,7 +32,7 @@ Policy Manager Application Settings Manager, the Tools|Options|Java tab will cha in Figure 201. This will indicate that the Java Access Bridge has been loaded successfully and remind you that UAC controls need to be off. -![using_the_grays_wizard_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_13.webp) +![using_the_grays_wizard_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_13.webp) Figure 201.  The Java Access Bridge has been loaded successfully. 
@@ -41,7 +41,7 @@ other similar applications. Note that some Java-based applications will only cap technology is turned on. In Figure 202, OpenOffice dialogs can be captured when this checkbox is checked first. -![special_applications_and_project_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_2.webp) +![special_applications_and_project_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_2.webp) Figure 202.; Turning on assistive technology. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/mozillabased.md b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/mozillabased.md index 7b7db8766f..82438f652c 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/mozillabased.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/mozillabased.md @@ -13,7 +13,7 @@ For instance, on this computer with Firefox installed (Figure 205), we can open `%appdata%\Mozilla\FireFox\ folder`, open the Profiles.ini file, and learn that this specific machine will store user `settings within \Profiles\edk2qe8w.default`. -![special_applications_and_project_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_5.webp) +![special_applications_and_project_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_5.webp) Figure 205. The location where using settings will be stored. 
@@ -22,7 +22,7 @@ Seamonkey, or Evergreen profiles) is stored in a unique directory on each comput Figure 206 the random directory name, and inside it, the` prefs.js` file, which defines the Firefox settings. -![special_applications_and_project_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_6.webp) +![special_applications_and_project_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_6.webp) Figure 206. The `prefs.js` file location. @@ -45,7 +45,7 @@ Endpoint Policy Manager DesignStudio, we only need to teach DesignStudio where t lives. This file is not the file that contains our user settings. This is the file that points us to where the user settings (`prefs.js`) are stored (see Figure 207). -![special_applications_and_project_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_7.webp) +![special_applications_and_project_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_7.webp) Figure 207. The `profiles.ini `file. @@ -55,7 +55,7 @@ project type files, you must always point to the profiles.ini file of the Mozill example, with Firefox, you will likely want to specify what's shown in Figure 208. This is because the `profiles.ini` file for Firefox lives in `%appdata%\Mozilla\Firefox`. -![special_applications_and_project_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_8.webp) +![special_applications_and_project_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_8.webp) Figure 208. Pointing to the profiles.ini file location. 
@@ -84,7 +84,7 @@ Figure 209. This is because the Thunderbird profiles.ini file lives in `%appdata Thunderbird does not contain a "Mozilla" subdirectory like Firefox). Note also that the "Application name (optional)" field should be generic enough for all version of Mozilla Thunderbird. -![special_applications_and_project_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_9.webp) +![special_applications_and_project_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_9.webp) Figure 209. Filling in the "Application name" field for Mozilla Thunderbird. @@ -92,7 +92,7 @@ For Sunbird, the location is `%appdata%\Mozilla\Sunbird\profiles.ini`, as shown is because the Sunbird profiles.ini file lives in `%appdata%\Mozilla\Sunbird` (similar to Firefox). The "Application name (optional)" field should be "Mozilla Sunbird" (not shown in this screenshot). -![special_applications_and_project_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_10.webp) +![special_applications_and_project_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_10.webp) Figure 210. The location of the Sunbird `profiles.ini` file. 
@@ -113,7 +113,7 @@ application's settings, and will not modify the existing `prefs.js`. For example, before a Mozilla-based AppSet is written to a machine, the application's folder will usually only have a `prefs.js` file describing the user experience, as shown in Figure 211. -![special_applications_and_project_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_11.webp) +![special_applications_and_project_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_11.webp) Figure 211. The `prefs.js` file. @@ -121,7 +121,7 @@ After the AppSet successfully applies, Endpoint Policy Manager Application Setti write a new file, `user.js`, instead of changing the `prefs.js` file directly. You can see the new` user.js` file after the AppSet settings are deployed to Firefox on the machine in Figure 212. -![special_applications_and_project_12](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_12.webp) +![special_applications_and_project_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applicationsprojects/special_applications_and_project_12.webp) Figure 212. The `user.js `file. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/applockguids.md b/docs/policypak/policypak/applicationsettings/designstudio/applockguids.md index 8e261dde40..ac0ccf1e79 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/applockguids.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/applockguids.md 
@@ -5,20 +5,20 @@ tab hiding, but won't honor Endpoint Policy Manager AppLock™. For instance, Fi doesn't honor Endpoint Policy Manager AppLock™ in practice. For this reason, in the GPO, this would not be honored when affecting the client, as shown in Figure 149. -![removing_applock_guids](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids.webp) +![removing_applock_guids](/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids.webp) Figure 149. An example of an application that does not honor Endpoint Policy Manager AppLock™. Another application that does not honor Endpoint Policy Manager AppLock™ is Acrobat Reader, as shown in Figure 150, since it doesn't have tabs at all. -![removing_applock_guids_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_1.webp) +![removing_applock_guids_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_1.webp) Figure 150. Example of an application without any tabs. For this reason, trying to disable the tab in the GPO doesn't make much sense (see Figure 151). -![removing_applock_guids_2](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_2.webp) +![removing_applock_guids_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_2.webp) Figure 151. Disabling tabs does not work for applications that do not have tabs. 
@@ -26,7 +26,7 @@ In these cases, you might want to remove the AppLock™ GUIDs from the project s possible to right-click on a tab in the Group Policy MMC. To do that, follow the steps presented in Figure 152. -![removing_applock_guids_3](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_3.webp) +![removing_applock_guids_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_3.webp) Figure 152. Disabling AppLock™ GUIDs. @@ -34,6 +34,6 @@ When you do this, each tab in the compiled project will no longer have the optio tab in target application" or "Force display of whole tab in target application," as shown in Figure 153. -![removing_applock_guids_4](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_4.webp) +![removing_applock_guids_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/removing_applock_guids_4.webp) Figure 153. AppLock™ GUIDs have been removed. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/appdata.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/appdata.md index 89b65ec4c5..f9543d1f49 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/appdata.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/appdata.md 
@@ -24,11 +24,11 @@ with `C:\`. Endpoint Policy Manager DesignStudio will automatically detect if yo `%appdata%` or `%localappdata%` variables for you as needed, as shown in Figure 99 and Figure 100. -![discovering_configuration_12](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_12.webp) +![discovering_configuration_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_12.webp) Figure 99. DesignStudio detecting the data location. -![discovering_configuration_13](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_13.webp) +![discovering_configuration_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_13.webp) Figure 100. DesignStudio detecting the data location. @@ -42,7 +42,7 @@ Therefore, capture all the data from your application first as a standard user, compiling as a standard user. You can see the preview of your AppSet by selecting "Show test Endpoint Policy Manager when complete" within the Compilation tab, as shown in Figure 101 -![discovering_configuration_14](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_14.webp) +![discovering_configuration_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_14.webp) Figure 101. Choosing to preview the AppSet. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/overview.md index 5a7ebd7102..212e060b0c 100644 
--- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/overview.md @@ -4,7 +4,7 @@ Usually, it's quite easy to discover where an application has stored its configu times, applications store their data in` HKEY_Current_User\Software`. In Figure 87, you can see the data for many popular applications stored in the registry. -![discovering_configuration_624x429](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_624x429.webp) +![discovering_configuration_624x429](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_624x429.webp) Figure 87. Many applications store their data in the registry. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/programfiles.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/programfiles.md index 37b6f42d13..8a0ad1ae32 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/programfiles.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/programfiles.md 
@@ -4,14 +4,14 @@ Using Windows Explorer, you can look for INI files (expressed as "Configuration file type in Explorer), XML files, and other file types. In Figure 88, you can see an INI file for an application within Program Files (x86). -![discovering_configuration_1_624x213](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_1_624x213.webp) +![discovering_configuration_1_624x213](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_1_624x213.webp) Figure 88. Example of INI files. However, if you try to select this file using Netwrix Endpoint Policy Manager (formerly PolicyPak) DesignStudio, you will be provided a warning message, as shown in Figure 89. -![discovering_configuration_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_2.webp) +![discovering_configuration_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_2.webp) Figure 89. Warning message when selecting an INI file. @@ -46,7 +46,7 @@ When this application is run as a standard user, the configuration data is withi because this application was smart enough to know to use `%appdata% as its data store when run as a standard user.` -![discovering_configuration_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_3.webp) +![discovering_configuration_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_3.webp) `Figure 90. Configuration data stored within %appdata%\roaming.` 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/sysinternalsprocessmonitor.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/sysinternalsprocessmonitor.md index 7da34a0d1f..513c1bd20a 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/sysinternalsprocessmonitor.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/sysinternalsprocessmonitor.md 
@@ -20,25 +20,25 @@ capturing events by clicking on File|Capture Events (this should be on by defaul Scroll (which is not the default). You can see these configuration options in Figure 102 and Figure 103. -![discovering_configuration_15_499x277](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_15_499x277.webp) +![discovering_configuration_15_499x277](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_15_499x277.webp) Figure 102. Selecting the option to capture events. -![discovering_configuration_16](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_16.webp) +![discovering_configuration_16](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_16.webp) Figure 103. Selecting the option for autoscrolling. Next, you're going to create a filter automatically. To do this, use Process Monitor's Target Sight icon and drag it directly onto the target application's main window as shown in Figure 104. -![discovering_configuration_17](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_17.webp) +![discovering_configuration_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_17.webp) Figure 104. Dragging the Target Sight icon into the main window. Next, have the first two filter types selected, Registry and File, as shown in Figure 105. Unselect the remaining three items (Network Activity, Process & Thread, and Profiling Events). 
-![discovering_configuration_18_624x105](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_18_624x105.webp) +![discovering_configuration_18_624x105](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_18_624x105.webp) Figure 105. Selecting the "Registry" and "File" types. @@ -52,7 +52,7 @@ you can also try to close the application and see if it wrote any changes to the In Figure 106 you can see the deployment.properties file was changed after checkbox was unselected and the change was applied. -![discovering_configuration_19](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_19.webp) +![discovering_configuration_19](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_19.webp) Figure 106. Applying changes. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/virtualstore.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/virtualstore.md index 42f89374fc..892f429936 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/virtualstore.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/virtualstore.md 
@@ -8,7 +8,7 @@ its data to `c:\Program Files`, it was actually redirected to `%LocalAppData%\VirtualStore\Program Files (x86)\Foxit Software\Foxit Reader`. -![discovering_configuration_4](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_4.webp) +![discovering_configuration_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_4.webp) Figure 91. Application data that has been redirected. @@ -24,11 +24,11 @@ of this, even though we're finding the file in 92), the data file could also be found on 32-bit machines in `%LocalAppData%\VirtualStore\Program Files\Foxit Software\Foxit Reader` (as shown in Figure 93). -![discovering_configuration_5](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_5.webp) +![discovering_configuration_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_5.webp) Figure 92. The location for 64-bit machines is `%LocalAppData%\VirtualStore\Program Files (x86).` -![discovering_configuration_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_6.webp) +![discovering_configuration_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_6.webp) Figure 93. The location for 32-bit machiens is `%LocalAppData%\VirtualStore\Program Files.` 
@@ -37,7 +37,7 @@ recognizes this and provides two features to ensure proper delivery to clients. Figure 94, Endpoint Policy Manager DesignStudio will substitute the correct variable so it will work on client machines of the same type. -![discovering_configuration_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_7.webp) +![discovering_configuration_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_7.webp) Figure 94. Endpoint Policy Manager DesignStudio substituting the correct variable. @@ -48,14 +48,14 @@ get your directives. Note that this behavior is controllable within Endpoint Pol `DesignStudio in Tools|Options `in the VirtualStore tab, as shown in Figure 95. It is recommended that you keep this checkbox checked. -![discovering_configuration_8_624x322](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_8_624x322.webp) +![discovering_configuration_8_624x322](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_8_624x322.webp) Figure 95. The VirtualStore tab. If you want to see both actions, you can click on the element's "Advanced" button, as shown in Figure 96, and see the two actions created. -![discovering_configuration_9_312x592](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_9_312x592.webp) +![discovering_configuration_9_312x592](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_9_312x592.webp) Figure 96. The element's "Advanced" button. 
@@ -63,11 +63,11 @@ If you were to hover the mouse over each "File" location, you would see that the against each possible file location automatically (`\Program Files(x86)` and `\Program Files`), one for the first action and another for the second action, as shown in Figure 97 and Figure 98. -![discovering_configuration_10](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_10.webp) +![discovering_configuration_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_10.webp) Figure 97. The file location for the first action. -![discovering_configuration_11_624x79](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_11_624x79.webp) +![discovering_configuration_11_624x79](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/discover/discovering_configuration_11_624x79.webp) Figure 98. The file location for the second action. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setup.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setup.md index 10b7d69d42..576e98c801 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setup.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setup.md 
@@ -3,14 +3,14 @@ When you create a new project (see Book 3: Application Settings Manager), you'll find that in the initial wizard windows, you can choose how the capture process occurs, as shown in Figure 85. -![setting_up_application_configuration](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setting_up_application_configuration.webp) +![setting_up_application_configuration](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setting_up_application_configuration.webp) Figure 85. Choosing how to capture the application. Choose to start a new project using the Capture Wizard. Then, select your project type, as shown in Figure 86. -![setting_up_application_configuration_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setting_up_application_configuration_1.webp) +![setting_up_application_configuration_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationdata/setting_up_application_configuration_1.webp) Figure 86. Selecting your project type. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/additionalconfiguration.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/additionalconfiguration.md index 47b0c1ef5d..4d8f4ae6f6 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/additionalconfiguration.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/additionalconfiguration.md 
@@ -10,7 +10,7 @@ _Remember,_ the Configuration Wizard may find values that are new, changed, or d given capture. In the example in Figure 121, the "Name" text box field was configured by the wizard. A value of "Test" was entered into the application. -![configuring_elements_using_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_14.webp) +![configuring_elements_using_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_14.webp) Figure 121. A change to the Name textbox field. @@ -33,7 +33,7 @@ The Configuration Wizard might also occasionally ask you to re-try an item. This when an application starts out with no settings, then creates a setting, instead of changing one. In Figure 122, we can see that checking on the setting was changing "passwordreqlower" to 1. -![configuring_elements_using_15](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_15.webp) +![configuring_elements_using_15](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_15.webp) Figure 122. Re-trying a specific item with the Configuration Wizard. 
@@ -48,7 +48,7 @@ be, placing it into the appropriate checkbox. You have two choices here: known, the red color is removed from the value. No checkmarks are present to re-discover any specific values. An example is shown in Figure 123. -![configuring_elements_using_16](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_16.webp) +![configuring_elements_using_16](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_16.webp) Figure 123. Neither checkbox is selected after re-trying a specific state. @@ -64,7 +64,7 @@ best to pick the word or phrase that makes the most sense for what you are curre this first example, since we're configuring the text box called "Name," it seems logical to select the word "Name" on the Linked Label Selection page. -![configuring_elements_using_17](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_17.webp) +![configuring_elements_using_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_17.webp) Figure 124. Selecting the linked label for an element. @@ -73,6 +73,6 @@ In this case, it could be argued that either "Speed:" or "Double-click speed" wo label selections, because either one describes what the slider does. "Double-click speed" is likely a slightly better choice here for clarity. -![configuring_elements_using_18](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_18.webp) +![configuring_elements_using_18](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_18.webp) Figure 125. Choosing a linked label. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/commonerrors.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/commonerrors.md index f9c62ef8b9..2d05f58d01 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/commonerrors.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/commonerrors.md @@ -10,7 +10,7 @@ Figure 116, the Configuration Wizard detects both changes and asks you which one make. If you know which one you wanted to select, you can check the corresponding box in the wizard. In the example below, we want to choose "passwordreqlower," as shown in Figure 116. -![configuring_elements_using_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_9.webp) +![configuring_elements_using_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_9.webp) Figure 116. Selecting which of the two boxes was intended to be checked. @@ -23,7 +23,7 @@ Sometimes setting one element (checkbox, dropdown, etc.) will add a lot of unexp application. For instance, clicking this one checkbox in Figure 117 below added what appears to be five changes. -![configuring_elements_using_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_10.webp) +![configuring_elements_using_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_10.webp) Figure 117. Unexpected changes after selecting an element. 
@@ -36,7 +36,7 @@ Configuration Wizard. Doing so will isolate the one change that the checkbox (dr really changing. A successful attempt is shown in Figure 118. Instead of five changed values, there is only one. -![configuring_elements_using_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_11.webp) +![configuring_elements_using_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_11.webp) Figure 118. A successful attempt at making changes after the Configuration Wizard has been restarted. @@ -51,7 +51,7 @@ Sometimes one element (checkbox, dropdown, etc.) will actually control multiple time. In the example in Figure 119, "Default page layout" has four possible settings. When one of those settings, "Facing," is selected, the wizard detects two changes as shown. -![configuring_elements_using_12](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_12.webp) +![configuring_elements_using_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_12.webp) Figure 119. Two changes being detected for one element. @@ -61,7 +61,7 @@ continuing onward makes sense. In Figure 120, we can see the results of changing simultaneously. If only one checkmark was checked in the previous step, the dropdown would not have been configured correctly. -![configuring_elements_using_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_13.webp) +![configuring_elements_using_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_13.webp) Figure 120. Successfully changing two items simultaneously. 
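Review bot: the new `/img/product_docs/...` targets on the `+` lines are site-root paths, so they resolve only where the build serves the contents of `static/` at the web root, whereas the old `../../../../../../static/img/...` form resolved against the repository tree itself. Nothing in these hunks shows that the target files exist at the new location. Please confirm the docs build fails on an unresolved image, and note the convention in the contributor docs so that new pages do not reintroduce relative paths.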
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/defaultdataroots.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/defaultdataroots.md index ba70d0c13e..61bdd8a407 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/defaultdataroots.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/defaultdataroots.md @@ -13,18 +13,18 @@ data root in the previous section, "Setting Up Application Configuration Data." data root can be a registry key (as shown in Figure 108) or a specific file, like an INI or XML file (Figure 109). -![configuring_elements_using_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_1.webp) +![configuring_elements_using_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_1.webp) Figure 108. Data root selection with registry key. -![configuring_elements_using_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_2.webp) +![configuring_elements_using_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_2.webp) Figure 109. Data root selection with an INI file. This can be done at the start of any new project or later on in a project by selecting the Project Properties tab and changing the data root, as shown in Figure 110. -![configuring_elements_using_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_3.webp) +![configuring_elements_using_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_3.webp) Figure 110. Changing the data root. 
@@ -32,7 +32,7 @@ There is also another way to change the data root, which is inside the Configura While configuring items, if you realize that you need to make a change, it's easy to set a location for the data root, as shown in Figure 111. -![configuring_elements_using_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_4.webp) +![configuring_elements_using_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_4.webp) Figure 111. Changing the location of the data root. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/comboboxes.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/comboboxes.md index 9fd628d832..296498d897 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/comboboxes.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/comboboxes.md 
@@ -3,13 +3,13 @@ Combo boxes inside applications allow for you to choose one item in a set of many items. In this example, the combo box has four valid items, as shown in Figure 135. -![configuring_elements_using_28_624x275](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_28_624x275.webp) +![configuring_elements_using_28_624x275](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_28_624x275.webp) Figure 135. An example of a combo box. In the example in Figure 136, however, Endpoint Policy Manager DesignStudio brought in six entries. -![configuring_elements_using_29](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_29.webp) +![configuring_elements_using_29](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_29.webp) Figure 136. An incorrect number of entries has been brought in by DesignStudio. @@ -26,6 +26,6 @@ You can adjust for this in two ways: You can see the "Skip and remove this item" selection in Figure 137. This will remove the incorrect entry from the List Collection Editor for the combo box. -![configuring_elements_using_30](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_30.webp) +![configuring_elements_using_30](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_30.webp) Figure 137. Removing the incorrect entry. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/filefolderbrowsers.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/filefolderbrowsers.md index 951ec7d7b1..443a949390 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/filefolderbrowsers.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/filefolderbrowsers.md @@ -10,7 +10,7 @@ In the example below, a working folder item is shown. To configure the dialog as right-click the "…" and select "Change type to…." Then, select "Folder Browser," as shown in Figure 138. -![configuring_elements_using_31](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_31.webp) +![configuring_elements_using_31](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_31.webp) Figure 138. Configuring a dialog as a folder browser. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/fontbrowsers.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/fontbrowsers.md index 3ed7c1ffea..163a2d1cdd 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/fontbrowsers.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/fontbrowsers.md 
@@ -2,7 +2,7 @@ Buttons can also be converted to font browsers, as shown in Figure 139. -![configuring_elements_using_32](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_32.webp) +![configuring_elements_using_32](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_32.webp) Figure 139. Converting a dialog to a font browser. @@ -10,7 +10,7 @@ A font browser button requires at least one text box, or ideally two text boxes, boxes are available on the page, you are not allowed to configure the Font Browser button, as shown in Figure 140. -![configuring_elements_using_33](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_33.webp) +![configuring_elements_using_33](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_33.webp) Figure 140. Configuring a dialog to a font browser requires at least one text box. @@ -20,7 +20,7 @@ example below, the "Default font" text box will be used for the font name. Howev separate dropdown control for the size. In this case, the Font Browser Configuration Wizard will ask you which text box you want to use for the font name, as see in Figure 141. -![configuring_elements_using_34](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_34.webp) +![configuring_elements_using_34](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_34.webp) Figure 141. Selecting the font name. 
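Review bot: in the `-20,7` hunk of fontbrowsers.md, the context line directly above the changed image reads "as see in Figure 141", which should be "as seen in Figure 141". The file is already open for the path change, so fix it in the same commit.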
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/radiobuttons.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/radiobuttons.md index 9ba71e3400..07db2c79cb 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/radiobuttons.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/radiobuttons.md @@ -3,13 +3,13 @@ Radio buttons can only be configured in a group. If you use the Endpoint Policy Manager Capture Wizard, radio buttons are always grouped together automatically, as shown in Figure 126. -![configuring_elements_using_19](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_19.webp) +![configuring_elements_using_19](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_19.webp) Figure 126. Radio buttons are configured in a group. It's also possible to un-group radio buttons, as shown in Figure 127. -![configuring_elements_using_20](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_20.webp) +![configuring_elements_using_20](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_20.webp) Figure 127. Ungrouping radio buttons. 
@@ -24,14 +24,14 @@ this, press and hold the Ctrl key, then click on the first two radio button item both. Then right-click and select "Group," as shown in Figure 128. Repeat this proces for the second group. -![configuring_elements_using_21](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_21.webp) +![configuring_elements_using_21](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_21.webp) Figure 128. Grouping radio buttons. Then, once the buttons are grouped, you can run the Configuration Wizard over each group independently, as shown in Figure 129. -![configuring_elements_using_22](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_22.webp) +![configuring_elements_using_22](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_22.webp) Figure 129. Using the Configuration Wizard on each group of buttons. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/slidersspinboxes.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/slidersspinboxes.md index 433dc9ffb9..f62c8ccafb 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/slidersspinboxes.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/slidersspinboxes.md 
@@ -11,7 +11,7 @@ Usually, the left most value is a number that is less than the right most value. slider labeled "Volume," as shown in Figure 130, would have a lower value when slid to the left, and a higher value when slid to the right. -![configuring_elements_using_23_624x182](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_23_624x182.webp) +![configuring_elements_using_23_624x182](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_23_624x182.webp) Figure 130. A typical slider. @@ -21,7 +21,7 @@ process and suggests what is likely going on. In most cases, keeping the default thing to do, which will establish this as a reverse slider and correctly establish the minimum and maximum values. -![configuring_elements_using_24](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_24.webp) +![configuring_elements_using_24](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_24.webp) Figure 131. Discovering a reverse slider with DesignStudio. @@ -30,7 +30,7 @@ when the wizard was run, and suggest that value as the default value and the rev Slider Configuration Wizard might also detect a multiplier for some items. In the example in Figure 132, the slider itself goes from 0 to 100. But the recorded values are 0 to 254. -![configuring_elements_using_25](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_25.webp) +![configuring_elements_using_25](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_25.webp) Figure 132. Detecting a slider multiplier. 
@@ -46,7 +46,7 @@ Endpoint Policy Manager Application Settings Manager. Two examples of these kind sliders are items like Internet Explorer's security slider, shown in Figure 133 (left side) and User Account Control Settings, shown in Figure 133 (right side). -![configuring_elements_using_26](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_26.webp) +![configuring_elements_using_26](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_26.webp) Figure 133. Examples of unsupported sliders. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/textnumericboxes.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/textnumericboxes.md index bb5452d009..dc5adb1634 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/textnumericboxes.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/textnumericboxes.md @@ -5,6 +5,6 @@ detected. You are then able to select the default and revert values and also the can choose the default of what was originally captured in the text box, or select the value you changed to. See Figure 134 for an example of a numeric box. -![configuring_elements_using_27](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_27.webp) +![configuring_elements_using_27](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/elements/configuring_elements_using_27.webp) Figure 134. Numeric box example. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/knownvalues.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/knownvalues.md index 431bf0c95b..ed5bd7839d 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/knownvalues.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/knownvalues.md @@ -8,13 +8,13 @@ other element does. You can see the basic properties of an element just by click in Figure 112. The figure shows that the data key, data value, on value, and off value settings are not known. -![configuring_elements_using_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_5.webp) +![configuring_elements_using_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_5.webp) Figure 112. The basic properties of an element. Once you've run the Configuration Wizard for that element, however, all the known values are automatically put in place, as shown in Figure 113. -![configuring_elements_using_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_6.webp) +![configuring_elements_using_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_6.webp) Figure 113. The Configuration Wizard inputs the known property values. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/overview.md index 0afa58c5f6..4de8f399cb 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/overview.md 
+++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/overview.md @@ -7,6 +7,6 @@ is generally available to help you implement the details of what any element is Configuration Wizard, you can right-click over most elements and select "Configuration Wizard" or click on the wand, as shown in Figure 107. -![configuring_elements_using](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using.webp) +![configuring_elements_using](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using.webp) Figure 107. Starting the Configuration Wizard. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/usage.md b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/usage.md index 18f9237e26..db8d143405 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/usage.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/usage.md @@ -7,7 +7,7 @@ settings. To perform these tasks, the Configuration Wizard may ask you some ques current state of the application first. For instance, it may asked if a checkbox is currently checked or unchecked, as shown in Figure 114. -![configuring_elements_using_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_7.webp) +![configuring_elements_using_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_7.webp) Figure 114. Selecting whether a checkbox is checked or unchecked. 
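Review bot: in the `-7,7` hunk of usage.md, the context sentence before the changed image says "it may asked if a checkbox is currently checked or unchecked", which should be "it may ask". It sits two lines above the edited image line and is worth correcting in this pass.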
@@ -34,7 +34,7 @@ is fully closed. This means you might have to open and close the application doz If you click "Next" in the wizard but the wizard was unable to detect any changes, it will tell you that no changes were detected, as shown in Figure 115. -![configuring_elements_using_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_8.webp) +![configuring_elements_using_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/configurationwizard/configuring_elements_using_8.webp) Figure 115. The message to indicate no changes were detected. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/deleteelements.md b/docs/policypak/policypak/applicationsettings/designstudio/deleteelements.md index 0decb31cce..a3a2e57ca4 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/deleteelements.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/deleteelements.md @@ -8,6 +8,6 @@ other undesired behavior is occurring. In this case, since the graphic isn't bei deleted. You can right-click on the element in the hierarchy on the right or on the tab and then delete it. -![deleting_stray_elements](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/deleting_stray_elements.webp) +![deleting_stray_elements](/img/product_docs/policypak/policypak/applicationsettings/designstudio/deleting_stray_elements.webp) Figure 158. Deleting stray elements with the Hierarchy tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/grayswizard.md b/docs/policypak/policypak/applicationsettings/designstudio/grayswizard.md index 6de6a4d12f..e516e5460b 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/grayswizard.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/grayswizard.md 
@@ -5,21 +5,21 @@ whether the checkboxes are checked or unchecked. For instance, in this applicati checkbox "Use fixed resolution for snapshots" is checked, the spinbox "Resolution:" is available for editing, as shown in Figure 185. -![using_the_grays_wizard](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard.webp) +![using_the_grays_wizard](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard.webp) Figure 185. When the checkbox "Use fixed resolution for snapshots" is checked, the spinbox "Resolution:" is available for editing. In Figure 186, when the checkbox is unchecked, the "Resolution:" element is uneditable. -![using_the_grays_wizard_1_624x213](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_1_624x213.webp) +![using_the_grays_wizard_1_624x213](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_1_624x213.webp) Figure 186. When the checkbox is unchecked, the "Resolution:" element is uneditable. You are able to perform the same function within your AppSet. To do this, right-click over the checkbox and select "Grays Wizard," as shown in Figure 187. -![using_the_grays_wizard_2_499x293](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_2_499x293.webp) +![using_the_grays_wizard_2_499x293](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_2_499x293.webp) Figure 187. Opening the Grays Wizard. 
@@ -34,7 +34,7 @@ when the checkbox is checked, the "Resolution:" spinbox can be edited. Therefore screen of the Grays Wizard, you would do nothing because when the checkmark is checked, "Resolution:" is editable. -![using_the_grays_wizard_3](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_3.webp) +![using_the_grays_wizard_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_3.webp) Figure 188. Using the Grays Wizard. @@ -42,14 +42,14 @@ However, on the next page of the Grays Wizard, you are asked what happens when t unchecked. We learned that the "Resolution:" item is grayed out. So, in this screen, click the "Resolution:" item to make it grayed out, as shown in Figure 189. -![using_the_grays_wizard_4](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_4.webp) +![using_the_grays_wizard_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_4.webp) Figure 189. Graying out the element. As shown in Figure 190, select the item or items that should be grayed out when the checkbox is unchecked. You'll see the Grays Wizard gray it out for demonstration purposes. -![using_the_grays_wizard_5](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_5.webp) +![using_the_grays_wizard_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_5.webp) Figure 190. Selecting the item to gray out. 
@@ -58,7 +58,7 @@ button set control a series of items that will be grayed out when checked and un instance, in Figure 191, we can see all the items are available when the "Replace Document Colors" checkbox is checked and the "Custom Color:" radio button is checked. -![using_the_grays_wizard_6](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_6.webp) +![using_the_grays_wizard_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_6.webp) Figure 191. All the items are available when the "Replace Document Colors" checkbox is checked and the "Custom Color:" radio button is checked. @@ -68,12 +68,12 @@ Colors" radio button is grayed out (see Figure 192). If we uncheck the "Replace checkbox, then all areas ("Use Windows Colors Scheme," "Custom Color," and "Change only the color of black / white content") are all grayed out, as shown in Figure 193. -![using_the_grays_wizard_7](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_7.webp) +![using_the_grays_wizard_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_7.webp) Figure 192. Selecting the "Use Windows Colors Scheme" radio button makes the "Custom Colors" radio button grayed out. -![using_the_grays_wizard_8](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_8.webp) +![using_the_grays_wizard_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_8.webp) Figure 193. All areas are grayed out when the "Replace Document Colors" checkbox is unchecked. 
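Review bot: the control names around the changed images in grayswizard.md do not agree with each other. The `-58,7` hunk refers to the "Custom Color:" radio button, while the Figure 192 caption in the `-68,12` hunk calls it "Custom Colors" and the other option "Use Windows Colors Scheme". Check the labels against the screenshots being relinked here and use one spelling throughout, since readers match these strings against the UI.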
@@ -81,7 +81,7 @@ To set up the correct behavior inside this application, you must first at least "Replace Document Colors" checkbox with the Configuration Wizard. Then, select the whole "Document Colors Options" frame. Right-click and select "Grays Wizard," as shown in Figure 194. -![using_the_grays_wizard_9](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_9.webp) +![using_the_grays_wizard_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_9.webp) Figure 194. Selecting the Grays Wizard. @@ -89,7 +89,7 @@ By selecting the whole frame, the Grays Wizard will ask you about each element i first page requires you to express what happens when the "Replace Document Colors" is selected (checked). In Figure 195, there are no changes, and everything is available. -![using_the_grays_wizard_10](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_10.webp) +![using_the_grays_wizard_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_10.webp) Figure 195. The first page of the wizard does not require any changes. @@ -97,7 +97,7 @@ On the next page, you are asked what happens when the "Replace Document Colors" that case, all items are grayed out. Select all items as grayed out if the Grays Wizard does not do this already for you (see Figure 196). -![using_the_grays_wizard_11](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_11.webp) +![using_the_grays_wizard_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_11.webp) Figure 196. Selecting all items to be grayed out. 
@@ -105,14 +105,14 @@ The next screen asks what happens when the "Use Windows Color Scheme" is selecte "Custom Color" block is grayed out, but the "Change only the color of black / white content" is available. Click on the elements in the Grays Wizard, and click "Next," as shown in Figure 197. -![using_the_grays_wizard_12](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_12.webp) +![using_the_grays_wizard_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_12.webp) Figure 197. Choosing which elements are grayed out and which are editable. Next you will be asked about "Custom Color." Be sure to clear out any gray items that will operate when "Custom color" is selected, as shown in Figure 198. -![using_the_grays_wizard_13](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_13.webp) +![using_the_grays_wizard_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_grays_wizard_13.webp) Figure 198. Choosing which elements are grayed out and which are editable. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/compilation.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/compilation.md index 0607e60d38..0cd843fde9 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/compilation.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/compilation.md 
@@ -4,11 +4,11 @@ The Compilation tab enables you to set your project's DLL name, as shown in Figu enables you to save your current work and compile your AppSet to be used in Group Policy, as shown in Figure 56. -![getting_around_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_7.webp) +![getting_around_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_7.webp) Figure 55. Setting the DLL name. -![getting_around_8_624x155](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_8_624x155.webp) +![getting_around_8_624x155](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_8_624x155.webp) Figure 56. Compiling the AppSet. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/errorlist.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/errorlist.md index 338b703d6a..452be24e35 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/errorlist.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/errorlist.md @@ -4,7 +4,7 @@ The Error List tab is only active after a compile error occurs (see Figure 57). generally rare, and we request that you send any pXMLs which do not properly compile to [support@policypak.com](mailto:support@policypak.com) for analysis. -![getting_around_9_624x460](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_9_624x460.webp) +![getting_around_9_624x460](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_9_624x460.webp) Figure 57. A Endpoint Policy Manager DesignStudio compile error. 
@@ -12,7 +12,7 @@ When errors do occur, the error list pops up and suggests some fixes, as shown i Double-click the proposed fix (or right-click and select "Apply Default Fix") for any errors found, as shown in Figure 58. -![getting_around_10_624x671](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_10_624x671.webp) +![getting_around_10_624x671](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_10_624x671.webp) Figure 58. Applying the default fix to errors. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/hierarchy.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/hierarchy.md index d2f48f6b9f..9c1b713680 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/hierarchy.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/hierarchy.md @@ -4,7 +4,7 @@ The Hierarchy tab is similar to the Tabs tab, except it shows every element in a When you click on an element in the Hierarchy tab, the corresponding element in the main page will highlighted as well (see Figure 52). -![getting_around_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_3.webp) +![getting_around_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_3.webp) Figure 52. The Hierarchy tab provides a granular view of each element. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/overview.md index 37a09e319a..b0c2e9bf19 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/overview.md 
@@ -3,7 +3,7 @@ Endpoint Policy Manager DesignStudio has six main tabs that help you perform tasks in your project. You can see the tabs highlighted in Figure 50. -![getting_around_1](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_1.webp) +![getting_around_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_1.webp) Figure 50. The DesignStudio tabs. @@ -26,6 +26,6 @@ the overall structure of your project and how all the major objects (tabs and su each other. When you click on a tab inside the Tabs area, the corresponding tab is automatically displayed in the main pane for quick navigation (see Figure 51). -![getting_around_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_2.webp) +![getting_around_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_2.webp) Figure 51. Using the Tabs tab for quick navigation. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/properties.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/properties.md index 21f28c3dcc..96028755ee 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/properties.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/properties.md 
@@ -3,6 +3,6 @@ The Properties tab shows how the element is set. It is automatically displayed when you use the main pane and select an element (see Figure 53). -![getting_around_4](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_4.webp) +![getting_around_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_4.webp) Figure 53. Viewing the properties of an element in the Properties tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/propertiesproject.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/propertiesproject.md index ee50de366c..2615dedbba 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/propertiesproject.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/propertiesproject.md 
@@ -7,17 +7,17 @@ The Project Properties tab shows overall project properties such as the followin - Data root, which is the top most entry for all data in the project - Predefined Item-Level Targeting conditions -![getting_around_5](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_5.webp) +![getting_around_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_5.webp) Figure 53. The Project Properties tab. Video: To understand predefined Item-Level Targeting (ILT) conditions, please see this video: -[Predefined ILTs (Internal Filters)](../../../../video/applicationsettings/designstudio/itemleveltargeting.md). +[Predefined ILTs (Internal Filters)](/docs/policypak/policypak/video/applicationsettings/designstudio/itemleveltargeting.md). For instance, you might want to ensure that your special DogFoodMaker Pro 12 app only works on portable Windows 10 machine with IE version 11 present. -![getting_around_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_6.webp) +![getting_around_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/tab/getting_around_6.webp) Figure 54. You can use Item-Level Targeting to narrow your target scope. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/navigation/vocabulary.md b/docs/policypak/policypak/applicationsettings/designstudio/navigation/vocabulary.md index c14bacce02..05089b3984 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/navigation/vocabulary.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/navigation/vocabulary.md 
@@ -11,7 +11,7 @@ Your goal with Endpoint Policy Manager DesignStudio is to bring in as much of th interface (UI) that you want to configure as possible. Then, you can use the DesignStudio to tweak the design and configure each setting (see Figure 49. -![getting_around](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/getting_around.webp) +![getting_around](/img/product_docs/policypak/policypak/applicationsettings/designstudio/navigation/getting_around.webp) Figure 49. Some of the main Endpoint Policy Manager DesignStudio components. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/overview.md index f0f6544d56..fe5ca730bb 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/overview.md @@ -14,4 +14,4 @@ applicable to many scenarios while building AppSets. Video: You may also wish to watch our DesignStudio videos, which cover some higher level details of Endpoint Policy Manager: Application Manager > -[DesignStudio How-To](../overview/videolearningcenter.md#designstudio-how-to). +[DesignStudio How-To](/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md#designstudio-how-to). diff --git a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/createappset.md b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/createappset.md index 6cfde41203..d52b4851ee 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/createappset.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/createappset.md 
@@ -19,7 +19,7 @@ Policy Manager AppLock™ data **Step 3 –** Run `PolicyPak `DesignStudio to tweak, complete, and compile the AppSet If you followed along in -[Troubleshooting](../../../troubleshooting/applicationsettings/overview.md), you installed WinZip on +[Troubleshooting](/docs/policypak/policypak/troubleshooting/applicationsettings/overview.md), you installed WinZip on your target machine, which is the kind of machine that regular users would run WinZip on. We will use WinZip in many of our later examples in this lesson. For these next steps, however, we are going to use PuTTY as our pilot application. We chose PuTTY because the interface has rarely changed over @@ -33,7 +33,7 @@ that fits your OS. Figure 6 shows the PuTTY interface. The settings outlined in red are the ones we can capture using Endpoint Policy Manager DesignStudio. -![policypak_application_settings_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_5.webp) +![policypak_application_settings_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_5.webp) Figure 6. The PuTTY interface. @@ -44,7 +44,7 @@ DesignStudio tool. Run` PolicyPak DesignStudio` by clicking Wizard will run, as shown in Figure 7. Choose to start a new project using the Capture Wizard. Then click "Next." -![policypak_application_settings_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_6.webp) +![policypak_application_settings_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_6.webp) Figure 7. The Endpoint Policy Manager Design Studio Wizard. 
@@ -53,7 +53,7 @@ the Endpoint Policy Manager Capture Wizard to capture, as shown in Figure 8. In (Processes), select "PuTTY Configuration [```putty.exe```]." You will then see "PuTTY Configuration" in the bottom pane (Windows). -![policypak_application_settings_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_7.webp) +![policypak_application_settings_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_7.webp) Figure 8. Selecting "PuTTY Configuration" from the list of running processes. @@ -66,7 +66,7 @@ config file types), `.xcu` files (`OpenOffice/LibreOffice config files`), and `. desktop settings) files. When capturing applications, you will need to know where the settings are stored. -![policypak_application_settings_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_8.webp) +![policypak_application_settings_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_8.webp) Figure 9. Selecting "Registry" as the project type. @@ -78,7 +78,7 @@ root is the topmost location where your application, in this case PuTTY, stores settings. Select "Simon Tatham," which is located in `HKEY_Current_USER\Software`. Then click "Finish." -![policypak_application_settings_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_9.webp) +![policypak_application_settings_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_9.webp) Figure 10. Selecting "Simon Tatham" as the data root. 
@@ -96,7 +96,7 @@ Manager DesignStudio can determine the checked status of the checkboxes, the con boxes, and the status of radio buttons. Since DesignStudio is large, instead of showing you everything now, we'll focus on what's most important during your project creation. -![policypak_application_settings_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_10.webp) +![policypak_application_settings_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_10.webp) Figure 11. The first tab of captured settings. @@ -106,7 +106,7 @@ prompted for another tab in PuTTY. Select the next setting category, which in th Once the tab is selected in the application, return to the Endpoint Policy Manager DesignStudio tool. When you do, the tab will be captured automatically. Click "OK" to capture the active tab. -![policypak_application_settings_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_11.webp) +![policypak_application_settings_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_11.webp) Figure 12. Capturing another tab of settings. 
@@ -114,14 +114,14 @@ Figure 12. Capturing another tab of settings. name for the captured tab, as shown in Figure 13. Click "Yes," and give the tab the same name as its category. -![policypak_application_settings_12](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_12.webp) +![policypak_application_settings_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_12.webp) Figure 13. Applying a new name for the captured tab. **Step 12 –** The new tab will be brought into the Endpoint Policy Manager Capture Wizard, as shown in Figure 14. Note the tab hierarchy listed on the right side of the screen. -![policypak_application_settings_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_13.webp) +![policypak_application_settings_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_13.webp) Figure 14. The new Logging tab. @@ -130,7 +130,7 @@ Follow the same procedure you did for the Logging tab. Also, note the arrow in t pointing to text that has been cut off. This is because the capture process doesn't always process cleanly. One option to fix this is to delete the tab and recapture it. -![policypak_application_settings_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_14.webp) +![policypak_application_settings_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_14.webp) Figure 15. The Keyboard tab. 
@@ -138,7 +138,7 @@ Figure 15. The Keyboard tab. Figure 16 shows a block of settings that are grouped together. As you can see, the block is covering up the text behind it. -![policypak_application_settings_15](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_15.webp) +![policypak_application_settings_15](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_15.webp) Figure 16. Settings grouped together that are blocking the text behind them. @@ -147,14 +147,14 @@ obstructed text and deleting it. Figure 17 shows the final result. You can add t of elements, such as checkboxes, radio buttons, etc., from the Endpoint Policy Manager DesignStudio menu. -![policypak_application_settings_16](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_16.webp) +![policypak_application_settings_16](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_16.webp) Figure 17. Using the DesignStudio menu. **Step 15 –** You can capture tabs in any order and reorder them using the up and down arrows in DesignStudio, as shown in Figure 18. -![policypak_application_settings_17](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_17.webp) +![policypak_application_settings_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_17.webp) Figure 18. Reordering the tabs. 
@@ -170,7 +170,7 @@ we'll work with the initial PuTTY Configuration tab settings. Let's begin with t setting which is the "Host Name (or IP address)" field. Right-click and select "Configuration Wizard…," as shown in Figure 19. -![policypak_application_settings_18](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_18.webp) +![policypak_application_settings_18](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_18.webp) Figure 19. Opening the Configuration Wizard. @@ -181,7 +181,7 @@ All elements for PuTTY live in the registry under the root path we configured ea will remember that root path each time you run the wizard. Figure 20 shows that the PuTTY wizard has automatically chosen registry as the place you want your registry items stored. -![policypak_application_settings_19](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) +![policypak_application_settings_19](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) Figure 20. Items will be stored in the Windows registry. @@ -191,7 +191,7 @@ within multiple subkeys within the data root. The closer you can point to the ac location, the easier it will be for you to find the assigned registry key for the designated element. In this case, we have selected the PuTTY subkey. -![policypak_application_settings_20](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_20.webp) +![policypak_application_settings_20](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_20.webp) Figure 21. Choosing the PuTTY subkey. 
@@ -204,7 +204,7 @@ Endpoint Policy Manager DesignStudio, ensure that the field is blank to begin wi the DesignStudio know what the current state is before moving to the next step. The wizard will prompt you to change the value at this point, as displayed in Figure 22. -![policypak_application_settings_21](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_21.webp) +![policypak_application_settings_21](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_21.webp) Figure 22. Changing the Host Name setting. @@ -213,7 +213,7 @@ changes. Type in 192.168.50.101 as the IP address. Then, click the "Save" button for the saved session. In Figure 23, we chose "Design Studio Capture" as the name. Now click "Save" again. -![policypak_application_settings_22](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_22.webp) +![policypak_application_settings_22](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_22.webp) Figure 23. Saving your session changes to preserve them within the registry. @@ -222,7 +222,7 @@ in the capture, the port setting was also captured as it underwent a change as w we want to work with the HostName setting. Click the radio button next to HostName to select it, and click "Next." -![policypak_application_settings_23](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_23.webp) +![policypak_application_settings_23](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_23.webp) Figure 24. Selecting the HostName setting. 
@@ -230,21 +230,21 @@ Figure 24. Selecting the HostName setting. value to be blank so delete the embedded value and click "Next," as shown in Figure 25. The next screen will prompt you for a revert value and you will do the same thing on that screen as well. -![policypak_application_settings_24](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_24.webp) +![policypak_application_settings_24](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_24.webp) Figure 25. Deleting the text in the HostName field. **Step 23 –** The last step is to choose the linked label for any GPMC reports you may run for the PuTTY application, as shown in Figure 26. Then, click "Next." -![policypak_application_settings_25](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_25.webp) +![policypak_application_settings_25](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_25.webp) Figure 26. Choosing the linked label. **Step 24 –** You have now completed your first setting capture using Endpoint Policy Manager DesignStudio. Figure 27 shows the congratulatory screen that you should see when you are finished. -![policypak_application_settings_26](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_26.webp) +![policypak_application_settings_26](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_26.webp) Figure 27. The completion of the Configuration Wizard process. 
@@ -253,7 +253,7 @@ a check element. For this example, we will capture the "Omit known password fiel that this setting is checked by default. Right-click on the element, and select "Configuration Wizard," as shown in Figure 28. -![policypak_application_settings_27](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_27.webp) +![policypak_application_settings_27](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_27.webp) Figure 28. Capturing the "Omit known password fields" setting. @@ -261,7 +261,7 @@ Figure 28. Capturing the "Omit known password fields" setting. checkbox state for the setting in the "Indicating the Current Checkbox State" step of the wizard. After selecting this, click "Next." -![policypak_application_settings_28](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_28.webp) +![policypak_application_settings_28](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_28.webp) Figure 29. Verifying the checkbox state. @@ -269,7 +269,7 @@ Figure 29. Verifying the checkbox state. 30). Remember that you have to save your session as you did previously in order to save the change you made. -![policypak_application_settings_29](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_29.webp) +![policypak_application_settings_29](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_29.webp) Figure 30. Returning to PuTTY to uncheck the setting. 
@@ -278,7 +278,7 @@ values for the checked and unchecked states. When the checkbox is checked the SS registry value is set to 1. When the checkbox is unchecked, the SSHLogOmitPasswords registry value is set to 0, as shown in Figure 31. -![policypak_application_settings_30](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_30.webp) +![policypak_application_settings_30](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_30.webp) Figure 31. The SSHLogOmitPasswords registry values have been discovered. @@ -291,14 +291,14 @@ as specified earlier, or try clicking "OK" in WinZip again if you didn't earlier Figure 32 shows how you can accept the checked value as is or uncheck it. You will do the same for the revert state before finishing. -![policypak_application_settings_31](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_31.webp) +![policypak_application_settings_31](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_31.webp) Figure 32. Check or uncheck the value as desired for the default state. **Step 30 –** Next, we'll work with a radio button. We will capture the registry settings for a radio button set called "Initial state of numeric keypad," as shown in Figure 33. -![policypak_application_settings_32](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_32.webp) +![policypak_application_settings_32](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_32.webp) Figure 33. Using the Configuration Wizard to capture radio button settings. 
@@ -308,14 +308,14 @@ button within the PuTTY application. After selecting it, save the session, retur Configuration Wizard, and click "Next." Here you will be asked to choose which captured data change applies to the radio button. Choose the "ApplicationKeypad" registry setting, as shown in Figure 34. -![policypak_application_settings_33](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_33.webp) +![policypak_application_settings_33](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_33.webp) Figure 34. Choosing the ApplicationKeypad registry setting. **Step 32 –** Click "Next." You will now be asked to select the NetHack radio button, as shown in Figure 35. Go to PuTTY, make the change, and save the session one more time. Then click "Next." -![policypak_application_settings_34](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_34.webp) +![policypak_application_settings_34](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_34.webp) Figure 35. Capturing the radio button called NetHack. @@ -323,7 +323,7 @@ Figure 35. Capturing the radio button called NetHack. Figure 36. You will then be asked to select the default and revert values. Once you've done that, you are finished. -![policypak_application_settings_35](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_35.webp) +![policypak_application_settings_35](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_35.webp) Figure 36. The completion of the process. 
@@ -337,7 +337,7 @@ to time. In this example, we will work with the "Minimum password length" under as shown in Figure 37. To work with this element, right-click it, and then select "Configuration Wizard." -![policypak_application_settings_36](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_36.webp) +![policypak_application_settings_36](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_36.webp) Figure 37. Using the Configuration Wizard with the "Minimum password length" setting. @@ -345,14 +345,14 @@ Figure 37. Using the Configuration Wizard with the "Minimum password length" set the selection for the "Registry" option that the wizard chooses automatically, and click "Next" to continue. -![policypak_application_settings_37](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_37.webp) +![policypak_application_settings_37](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_37.webp) Figure 38. Choosing the registry as the location to track changes. **Step 36 –** Next, you'll confirm the default data root, which should be configured to the "Niko Mak Computing" entry, as shown in Figure 39. Click "Next" to continue. -![policypak_application_settings_38](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_38.webp) +![policypak_application_settings_38](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_38.webp) Figure 39. Confirming the data root. 
@@ -360,7 +360,7 @@ Figure 39. Confirming the data root. password length" to 1, as shown in Figure 40, and click "OK" inside WinZip. Close WinZip's Configuration page, and then click "Next" to continue in the wizard. -![policypak_application_settings_39](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_39.webp) +![policypak_application_settings_39](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_39.webp) Figure 40. Setting the "Minimum password length" option to 1. @@ -369,7 +369,7 @@ prompts. That is, change "Minimum password length" to 2, as illustrated in Figur "OK" inside WinZip. After doing this, close WinZip's Configuration page, and then click "Next" in the wizard. -![policypak_application_settings_40](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_40.webp) +![policypak_application_settings_40](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_40.webp) Figure 41. Setting the "Minimum password length" option to 2. @@ -378,7 +378,7 @@ be 99 for most apps, but it could also be any other number. The maximum value fo 99, so enter this value into WinZip, as shown in Figure 42. Then, click "OK" in WinZip. Close the WinZip Configuration page, and click "Next" in the wizard. -![policypak_application_settings_41](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_41.webp) +![policypak_application_settings_41](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_41.webp) Figure 42. Setting the "Minimum password length" option to the maximum value. 
@@ -386,7 +386,7 @@ Figure 42. Setting the "Minimum password length" option to the maximum value. discovered values match the values you entered. If they don't, you can manually edit the cells to match. Once that's complete, click "Next" to continue. -![policypak_application_settings_42](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_42.webp) +![policypak_application_settings_42](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_42.webp) Figure 43. Confirming the discovered values. @@ -394,7 +394,7 @@ Figure 43. Confirming the discovered values. captured the values originally, so set the value to 8, as shown in Figure 44. Then, click "Next" to continue. -![policypak_application_settings_43](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_43.webp) +![policypak_application_settings_43](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_43.webp) Figure 44. Choosing the default value. @@ -402,7 +402,7 @@ Figure 44. Choosing the default value. be set when the policy no longer applies. You will usually want to keep the revert value the same as the default value, but you are welcome to change it. -![policypak_application_settings_44](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_44.webp) +![policypak_application_settings_44](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_44.webp) Figure 45. Setting the revert value. 
@@ -411,7 +411,7 @@ when we do Group Policy reporting. To set this selection, choose the words on th closely represent what we're configuring, which in this case is "Minimum password length." When this is set, click "Next" to continue. -![policypak_application_settings_45](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_45.webp) +![policypak_application_settings_45](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_45.webp) Figure 46. Selecting the words on the page that most closely represent what is being configured. @@ -426,14 +426,14 @@ to save your work before continuing. At this point, the AppSet is compiled (see that compiling only works when you have the Microsoft C++ Express Edition (2008 and later) compiler loaded on your Endpoint Policy Manager creation station. -![policypak_application_settings_46](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_46.webp) +![policypak_application_settings_46](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_46.webp) Figure 47. The wizard prompts the user to save their work. Tip: Use the "Show test Endpoint Policy Manager when complete" checkbox to see a preview of your AppSet. -![policypak_application_settings_47](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_47.webp) +![policypak_application_settings_47](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_47.webp) Figure 48. The successful compilation of the project. 
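Review bot: both image lines in this hunk (policypak_application_settings_46.webp and policypak_application_settings_47.webp) now start at `/img/product_docs/...`, where the old path went through `static/img/product_docs/...`, so they only resolve if the site build maps `/img/` onto the `static/` directory. Please confirm that the build's broken-link or broken-image check passes for this page, because a path that misses will just render Figures 47 and 48 as missing images. The same check applies to the other image rewrites in this file.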
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/creationstation.md b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/creationstation.md index db1ea68fcf..94c086de0e 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/creationstation.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/creationstation.md @@ -12,7 +12,7 @@ creation station utilities on it before installing your package and producing an **Step 1 –** The `.NET` Framework can be introduced through `Add/Remove programs`, as shown in Figure 1. -![policypak_application_settings](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings.webp) +![policypak_application_settings](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings.webp) Figure 1. Installing the`.NET`Framework for Windows 10. 
@@ -26,18 +26,18 @@ creation station. Any edition later than 2008 will work; you only need one. [https://visualstudio.microsoft.com/vs/express/](https://visualstudio.microsoft.com/vs/express/). Figure 3 shows the installation options. -![policypak_application_settings_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_1.webp) +![policypak_application_settings_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_1.webp) Figure 2. The installation options for Visual C++ 2008 Express Edition. -![policypak_application_settings_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_2.webp) +![policypak_application_settings_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_2.webp) Figure 3. The installation options for 2019 Visual Studio Express Desktop Edition. **Step 3 –** For this demonstration, we have gone with the C++ 2008 Express Edition. You will see whichever version you choose to install in your Start menu once installed, as shown in Figure 4. -![policypak_application_settings_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_3.webp) +![policypak_application_settings_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_3.webp) Figure 4. Visual Studio will appear in your Start menu once installed. 
@@ -62,6 +62,6 @@ Policy Manager Admin `Console.msi` is also loaded. **Step 3 –** After installation is complete, your Start menu should have both the Microsoft Visual C++ Express Edition node and Endpoint Policy Manager DesignStudio node (see Figure 5). -![policypak_application_settings_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_4.webp) +![policypak_application_settings_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_4.webp) Figure 5. Endpoint Policy Manager DesignStudio appears in the Start menu once installed. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/overview.md index 3fba6b9df0..f4ad347e09 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/quickstart/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/quickstart/overview.md @@ -6,7 +6,7 @@ from your existing applications, such as WinZip, and bring them into the Endpoin format for later use inside Group Policy Objects (GPOs). Video: To see an overview of how to use Endpoint Policy Manager DesignStudio, watch this video: -[Creating Your First Pak using Endpoint Policy Manager Design Studio](../../../video/applicationsettings/designstudio/firstpak.md). +[Creating Your First Pak using Endpoint Policy Manager Design Studio](/docs/policypak/policypak/video/applicationsettings/designstudio/firstpak.md). **NOTE:** The Endpoint Policy Manager format is properly called "pXML" format. You most likely will never need to edit any pXML files by hand, but you're welcome to open up and explore the files that 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/regimporteruitility.md b/docs/policypak/policypak/applicationsettings/designstudio/regimporteruitility.md index bb1ad49c18..528048e7b1 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/regimporteruitility.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/regimporteruitility.md @@ -1,7 +1,7 @@ # Using the .reg Importer Utility **NOTE:** For an overview of this section, see this video: -[Use the DesignStudio to import existing registry keys](../../video/applicationsettings/designstudio/importregistry.md). +[Use the DesignStudio to import existing registry keys](/docs/policypak/policypak/video/applicationsettings/designstudio/importregistry.md). There might be times when you already have a` .reg` file (registry export) and want to use it within Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Settings Manager. By using Endpoint 
@@ -12,16 +12,16 @@ anywhere and being able to revert when the setting no longer applies. The `.reg` importer utility is only available to use with checkboxes. When you select any checkbox, a special icon will appear, as shown in Figure 162. -![using_the_reg_importer_utility](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_reg_importer_utility.webp) +![using_the_reg_importer_utility](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_reg_importer_utility.webp) Figure 162. The .reg importer utility. Using the utility, you can import existing .reg files and specify which state (checked or unchecked) matches which .reg file (see Figure 163). -![using_the_reg_importer_utility_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_reg_importer_utility_1.webp) +![using_the_reg_importer_utility_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/using_the_reg_importer_utility_1.webp) Figure 163. The .reg importer utility interface. For a full end-to-end example on this mini-utility, please watch the video here: -[Use the DesignStudio to import existing registry keys](../../video/applicationsettings/designstudio/importregistry.md). +[Use the DesignStudio to import existing registry keys](/docs/policypak/policypak/video/applicationsettings/designstudio/importregistry.md). diff --git a/docs/policypak/policypak/applicationsettings/designstudio/registrykeys.md b/docs/policypak/policypak/applicationsettings/designstudio/registrykeys.md index e38d757769..d20b57761b 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/registrykeys.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/registrykeys.md 
@@ -5,7 +5,7 @@ capture. In the example in Figure 159, the "Mute Yahoo! Games" setting is discov application's registry keys of the specific user (JeremyM) where the capture was performed. The discovered key is within `\Profiles\JeremyM\Games`. -![applying_settings_within_multiple](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple.webp) +![applying_settings_within_multiple](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple.webp) Figure 159. Capturing a setting. @@ -17,7 +17,7 @@ registry with another user, JeremyM200, logged in using this application. This u new setting would be `\Profiles\JeremyM200\Games\`. The original path would be `\Profiles\JeremyM\Games`. -![applying_settings_within_multiple_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple_1.webp) +![applying_settings_within_multiple_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple_1.webp) Figure 160. The user's path to the mute setting. @@ -25,7 +25,7 @@ To teach DesignStudio to globally replace "JeremyM" with whatever is inside "pro an asterisk for the username, as shown in Figure 161. This will perform a special global replace operation on all subkeys within this application's "profiles" key. -![applying_settings_within_multiple_2](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple_2.webp) +![applying_settings_within_multiple_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/applying_settings_within_multiple_2.webp) Figure 161. Replacing the username with an asterisk. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/scrollablepanels.md b/docs/policypak/policypak/applicationsettings/designstudio/scrollablepanels.md index 703031512c..8a8faf4241 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/scrollablepanels.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/scrollablepanels.md @@ -4,14 +4,14 @@ While editing your AppSets, you might want to put elements in a scrollable panel Endpoint Policy Manager (formerly PolicyPak) DesignStudio might capture a scrollable panel that you want to edit. In Figure 154, you can a frame being added with the "Frame" button. -![adding_space_to_scrollable](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable.webp) +![adding_space_to_scrollable](/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable.webp) Figure 154. Adding a frame button. Frames can be changed to scrollable panels by selecting the "Advanced" button, and then changing the type to "Scrollable Panel" as shown in Figure 155. -![adding_space_to_scrollable_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_1.webp) +![adding_space_to_scrollable_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_1.webp) Figure 155. Changing the frame to a scrollable panel. 
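Review bot: the unchanged context line just above the first image in this hunk reads "In Figure 154, you can a frame being added with the "Frame" button", which is missing the verb "see". It is outside the changed lines, but scrollablepanels.md is already being edited here, so the sentence could be fixed in the same commit.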
@@ -21,10 +21,10 @@ are able to modify them. For instance, if you want to make a tall panel, change for more vertical space. You can also change the "Width" value and get more horizontal space. You can see an example of how to do this in Figure 157. -![adding_space_to_scrollable_2](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_2.webp) +![adding_space_to_scrollable_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_2.webp) Figure 156. A frame converted to a scrollable panel. -![adding_space_to_scrollable_3](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_3.webp) +![adding_space_to_scrollable_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/adding_space_to_scrollable_3.webp) Figure 157. Changing the dimensions of a scrollable panel. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/batchcompile.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/batchcompile.md index 4f50df7f5c..66619bf3b0 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/batchcompile.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/batchcompile.md 
@@ -5,18 +5,18 @@ can go back and compile any DesignStudio project at any time, and you can use th to compile multiple AppSets at once.  To do this, go to `Tools > Batch Compile`, as shown in Figure 180. -![using_designstudio_tools_16_624x300](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_16_624x300.webp) +![using_designstudio_tools_16_624x300](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_16_624x300.webp) Figure 180. Using the Batch Compile tool. Then, select the XML files you want to compile. In Figure 181, we have selected Putty and WinZip. -![using_designstudio_tools_17](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_17.webp) +![using_designstudio_tools_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_17.webp) Figure 181. Selecting the projects to compile. It is recommended that you perform the compiling processes in the background as shown in Figure 182. -![using_designstudio_tools_18](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_18.webp) +![using_designstudio_tools_18](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_18.webp) Figure 182. Selecting the option to perform the compile in the background. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/globalsearchreplace.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/globalsearchreplace.md index 994a410040..6cba129338 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/globalsearchreplace.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/globalsearchreplace.md 
@@ -3,13 +3,13 @@ Endpoint Policy Manager DesignStudio has a global search and replace function that can be accessed from the Tools menu (or Ctrl+R), as shown in Figure 175. -![using_designstudio_tools_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_11.webp) +![using_designstudio_tools_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_11.webp) Figure 175. The global search and replace function. In the example in Figure 176, we're replacing the text "JeremyM" (not case sensitive) with \* for actions. You can use this to replace words within text or actions. -![using_designstudio_tools_12_624x238](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_12_624x238.webp) +![using_designstudio_tools_12_624x238](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_12_624x238.webp) Figure 176. Replacing text with \* for actions. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/compilation.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/compilation.md index c096298294..482ffed4c6 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/compilation.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/compilation.md 
@@ -7,7 +7,7 @@ like. Additionally, the path for compiled DLLs is `C:\Program Files\PolicyPak\Ex the location where the Endpoint Policy Manager Application Settings Manager Group Policy Editor will look for compiled extensions, so it's best to leave this as it is. -![using_designstudio_tools_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_2.webp) +![using_designstudio_tools_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_2.webp) Figure 166. The Compilation tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/java.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/java.md index e4796a78f8..4376d18678 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/java.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/java.md @@ -9,7 +9,7 @@ applications. In order to capture Java-based applications, you will need to do t Without the Java Access Bridge installed, the Java tab will look like what's shown in Figure 169. -![using_designstudio_tools_5_624x224](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_5_624x224.webp) +![using_designstudio_tools_5_624x224](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_5_624x224.webp) Figure 169. The Java tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/misc.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/misc.md index d1701e4fbd..ad4215d202 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/misc.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/misc.md 
@@ -4,6 +4,6 @@ By default Endpoint Policy Manager DesignStudio doesn't run more than one copy o You can change this behavior in the Misc tab, as shown in Figure 170. This could be useful if you're copying and pasting between projects. -![using_designstudio_tools_6_624x175](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_6_624x175.webp) +![using_designstudio_tools_6_624x175](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_6_624x175.webp) Figure 170. The Misc tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/overview.md index 1eeb106d90..d32c8e79f3 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/overview.md @@ -4,7 +4,7 @@ Endpoint Policy Manager DesignStudio has a variety of options you can configure. these options using Tools|Options, as shown in Figure 165. There are six tabs within Options: Compilation, UI Capture, AppV (older versions of DesignStudio only), VirtualStore, Java, and Misc. -![using_designstudio_tools_1_624x111](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_1_624x111.webp) +![using_designstudio_tools_1_624x111](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_1_624x111.webp) Figure 165. DesignStudio Options. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/uicapture.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/uicapture.md index e4f5a538d9..526bbb37c5 100644 
--- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/uicapture.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/uicapture.md @@ -4,6 +4,6 @@ The UI Capture tab has one checkbox, which is on by default (see Figure 167). Wh tabs will auto-size to the page and the other captured tabs. It is recommended to keep this checked because, when unchecked, the captured tabs might not realign to the other tabs and fit the page. -![using_designstudio_tools_3_624x198](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_3_624x198.webp) +![using_designstudio_tools_3_624x198](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_3_624x198.webp) Figure 167. The UI Capture tab. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/virtualstore.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/virtualstore.md index cb128bcd46..85232716e2 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/options/virtualstore.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/options/virtualstore.md @@ -4,6 +4,6 @@ The VirtualStore tab has one setting, as shown in Figure 168. This setting is au on and is used when applications running as standard users try to write to locations that are not allowed. This setting was discussed in the section called "Configuration Data in VirtualStore." -![using_designstudio_tools_4_624x174](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_4_624x174.webp) +![using_designstudio_tools_4_624x174](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/options/using_designstudio_tools_4_624x174.webp) Figure 168. The VirtualStore tab. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/overview.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/overview.md index 632eb2e5d4..c7c6985d74 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/overview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/overview.md @@ -14,6 +14,6 @@ PolicyPak) DesignStudio: You can see the list of items from the Endpoint Policy Manager DesignStudio Tools menu in Figure 164. -![using_designstudio_tools](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools.webp) +![using_designstudio_tools](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools.webp) Figure 164. DesignStudio Tools menu. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/pakpreview.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/pakpreview.md index a0b37fae5d..b66e21865a 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/pakpreview.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/pakpreview.md 
@@ -5,13 +5,13 @@ capture additional tabs and configuration settings.  You can even do this for e you have downloaded from the Endpoint Policy Manager Portal.  To do so, go to` Tools > Pak Preview`, as shown in Figure 183. -![using_designstudio_tools_19_624x304](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_19_624x304.webp) +![using_designstudio_tools_19_624x304](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_19_624x304.webp) Figure 183. Using Pak Preview to edit AppSets. Then, select the compiled DLL file you want to preview. Figure 184 shows a preview of Adobe Acrobat Pro settings. -![using_designstudio_tools_20](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_20.webp) +![using_designstudio_tools_20](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_20.webp) Figure 184. A preview of Adobe Acrobat Pro settings. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/pxmlmergewizard.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/pxmlmergewizard.md index 444ac5458b..a522f20f29 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/pxmlmergewizard.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/pxmlmergewizard.md 
@@ -31,7 +31,7 @@ You can use the PXML Merge Wizard in one of two ways (see Figure 177): - You can run the PXML Merge Wizard and perform a merge on the fly. You don't need to create a pXML file manually first if you don't want to. -![using_designstudio_tools_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_13.webp) +![using_designstudio_tools_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_13.webp) Figure 177. Using the PXML Merge Wizard. @@ -43,14 +43,14 @@ application and you have the pXML file handy. These two ways to perform the task equivalent. So, in this example, we have Endpoint Policy Manager DesignStudio running on Windows XP and capturing all the same items as the original project. -**NOTE:** [Troubleshooting](../../../troubleshooting/applicationsettings/overview.md), it was +**NOTE:** [Troubleshooting](/docs/policypak/policypak/troubleshooting/applicationsettings/overview.md), it was suggested that you should capture only three tabs for the first project. When you're merging pXML files, capture the same tabs you have in your original project. In this example, we're assuming that WinZip has two new elements, a slider and a label, as shown in Figure 178. We have re-captured all the tabs and saved the file as "`WinZip-XP-Capture.xml`." -![using_designstudio_tools_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_14.webp) +![using_designstudio_tools_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_14.webp) Figure 178. Saving the XML file. 
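Review bot: the rewritten NOTE line in this hunk still opens with a bare link, `**NOTE:** [Troubleshooting](...), it was suggested that you should capture only three tabs`, which reads as a sentence whose lead-in is missing. Since the line is being touched anyway, consider restoring the lead-in, for example "In [Troubleshooting](...), it was suggested ...", and confirm that troubleshooting/applicationsettings/overview.md is the page that actually carries the three-tab advice.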
@@ -61,7 +61,7 @@ original project and the imported project. You'll be able to see which items hav AppLock™ data, UI elements, or actions data. In Figure 179, you can see where the wizard asks which of these items you'd like to import from the new project. -![using_designstudio_tools_15](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_15.webp) +![using_designstudio_tools_15](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_15.webp) Figure 179. Importing elements from the wizard. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/tools/showelementslist.md b/docs/policypak/policypak/applicationsettings/designstudio/tools/showelementslist.md index 2ae6f76064..806b28a28f 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/tools/showelementslist.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/tools/showelementslist.md @@ -13,7 +13,7 @@ To that end, Endpoint Policy Manager DesignStudio has a "Show Elements List" fea "List All Elements"), which is found by selecting `Tools|Show Element List`. You can also use the keyboard shortcut Ctrl+F to go to this list, as shown in Figure 171. -![using_designstudio_tools_7_624x330](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_7_624x330.webp) +![using_designstudio_tools_7_624x330](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_7_624x330.webp) Figure 171. Selecting the "Show Elements List" feature. 
@@ -24,7 +24,7 @@ Figure 172, you can see the search for the word "pass," and every result has the results in the Description field. You can also select the type of element, or search specifically on a specific Tab within your project. -![using_designstudio_tools_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_8.webp) +![using_designstudio_tools_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_8.webp) Figure 172. Searching by text in the "List All Elements" box. @@ -33,7 +33,7 @@ configured inside the AppSet. To do this, sort on the Configured column, then lo have "No" in that column, as shown in Figure 173. Double-click the item to zoom to the item, then right-click to run the Configuration Wizard to configure it. -![using_designstudio_tools_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_9.webp) +![using_designstudio_tools_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_9.webp) Figure 173. Determining which elements have not been configured. @@ -46,7 +46,7 @@ troubleshooting efforts by locating the ID number of the element that is causing 174, you can see compiler error list at the bottom showing an ID number with a problem. By sorting the "List all Elements" items by ID number, this element can be quickly found. -![using_designstudio_tools_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_10.webp) +![using_designstudio_tools_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/tools/using_designstudio_tools_10.webp) Figure 174. Sorting elements by ID number. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/capturewizard.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/capturewizard.md index e0f3a73770..999d2457ef 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/capturewizard.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/capturewizard.md @@ -12,7 +12,7 @@ Be sure to capture the Options or Configuration window of an application, and no which will often not capture at all and is likely not be what you wanted to capture. Remember that you will mostly be capturing options, properties, and configuration pages. -![crafting_the_user_interface](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface.webp) +![crafting_the_user_interface](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface.webp) Figure 59. Selecting the target application and window. 
@@ -22,13 +22,13 @@ how to manage Control Panel items, like the mouse properties shown in Figure 58. After the first tab of your application is captured, you'll be able to select more tabs using the "Capture another tab" button, as shown in Figure 60. -![crafting_the_user_interface_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_1.webp) +![crafting_the_user_interface_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_1.webp) Figure 60. Capturing additional tabs. In most cases, your application's look and feel is exactly captured, as shown in Figure 61. -![crafting_the_user_interface_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_2.webp) +![crafting_the_user_interface_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_2.webp) Figure 61. Capturing the look and feel of the application. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualadd.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualadd.md index d075a75749..b442bb7dcd 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualadd.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualadd.md 
@@ -5,7 +5,7 @@ more elements or replace the existing ones. To do this, select an element from t hover over it for a tooltip about what the element is. The element will be placed on the tab or subdialog you are editing and will be shown with a thick green line, as shown in Figure 77. -![crafting_the_user_interface_18_624x507](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_18_624x507.webp) +![crafting_the_user_interface_18_624x507](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_18_624x507.webp) Figure 77. Adding elements from the toolbar. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementmodifications.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementmodifications.md index b80b04538d..7fff8400f0 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementmodifications.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementmodifications.md 
@@ -6,10 +6,10 @@ the size of a tab, and more. You might also want to change captured graphics, fo the graphic and selecting the "…" icon allows you to select a new bitmap. This action is shown in Figure 75 and Figure 76. -![crafting_the_user_interface_16](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_16.webp) +![crafting_the_user_interface_16](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_16.webp) Figure 75. Modifying captured graphics. -![crafting_the_user_interface_17](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_17.webp) +![crafting_the_user_interface_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_17.webp) Figure 76. New graphic. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementtransformations.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementtransformations.md index e91602a030..af6bdab785 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementtransformations.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/elementtransformations.md 
@@ -3,14 +3,14 @@ In this example, the application we want to manage is using a spinbox (also called an up/down box) to set a value for a setting (see Figure 71). -![crafting_the_user_interface_12_624x317](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_12_624x317.webp) +![crafting_the_user_interface_12_624x317](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_12_624x317.webp) Figure 71. A spinbox element. However, occasionally Endpoint Policy Manager's Capture Wizard doesn't read this kind of element correctly and it must be manually changed (see Figure 72). -![crafting_the_user_interface_13_624x403](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_13_624x403.webp) +![crafting_the_user_interface_13_624x403](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_13_624x403.webp) Figure 72. Manually changing an element. @@ -19,7 +19,7 @@ assumes you will likely want to transform the numeric edit box to a trackbar, up text box. However, you are also permitted to transform the element to any other type, as shown in Figure 73. This would be an unusual transformation so it's tucked under "Advanced." -![crafting_the_user_interface_14](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_14.webp) +![crafting_the_user_interface_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_14.webp) Figure 73. Selecting the type of element to change to. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/hiddentext.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/hiddentext.md index dc0ea5a639..26eef7bdd6 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/hiddentext.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/hiddentext.md @@ -2,13 +2,13 @@ In Figure 69 the settings were captured, but the text was not fully shown. -![crafting_the_user_interface_10_624x265](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_10_624x265.webp) +![crafting_the_user_interface_10_624x265](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_10_624x265.webp) Figure 69. The text in the capture is not fully shown. To solve this problem, move the handles on the element to reveal the rest of the text, as shown in Figure 70. -![crafting_the_user_interface_11_624x235](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_11_624x235.webp) +![crafting_the_user_interface_11_624x235](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_11_624x235.webp) Figure 70. Moving the handles to reveal the text. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/nonstandard.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/nonstandard.md index bd2ea1313c..701d553e74 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/nonstandard.md 
+++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/nonstandard.md @@ -4,7 +4,7 @@ Some applications have a non-standard interface. The interface can still be capt results may not be quite what you expect. In Figure 62, the left side of the screen shows the actual application, Adobe Reader, and the right side of the screen shows the first captured tab. -![crafting_the_user_interface_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_3.webp) +![crafting_the_user_interface_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_3.webp) Figure 62. Some applications may not be captured as expected. 
@@ -19,18 +19,18 @@ another tab, Endpoint Policy Manager DesignStudio realizes that this application tabs, so you are prompted to manually enter the name of each of this application's categories, as shown in Figure 63 and Figure 64. -![crafting_the_user_interface_4_624x410](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_4_624x410.webp) +![crafting_the_user_interface_4_624x410](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_4_624x410.webp) Figure 63. The prompt to manually enter the name of the categories. -![crafting_the_user_interface_5_624x185](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_5_624x185.webp) +![crafting_the_user_interface_5_624x185](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_5_624x185.webp) Figure 64. Manually adding the categories. You can see in Figure 65 that Endpoint Policy Manager Capture Wizard also captures the categories bar even though it is not an element we want on the page. -![crafting_the_user_interface_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_6.webp) +![crafting_the_user_interface_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_6.webp) Figure 65. The captured categories bar. 
@@ -41,14 +41,14 @@ want to delete all the elements in the frame. You can then reposition the other and manually align them. You can also use the Hierarchy tab's "Realign controls to fit the page" button to auto-place and center the items on the form, as shown in Figure 66. -![crafting_the_user_interface_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_7.webp) +![crafting_the_user_interface_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_7.webp) Figure 66. Centering the items on the form. The result is shown in Figure 67. However, there is a problem with the name of the category. It should be called General instead of Preferences. -![crafting_the_user_interface_8](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_8.webp) +![crafting_the_user_interface_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_8.webp) Figure 67. An incorrect tab name. @@ -56,6 +56,6 @@ To rename a tab (or any element), click on it (select the Properties tab) and th type in the correct name. In this example, you would replace the name "Preferences" with "General," as shown in Figure 68. -![crafting_the_user_interface_9](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_9.webp) +![crafting_the_user_interface_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_9.webp) Figure 68. Changing the tab name. 
diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/notmanaged.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/notmanaged.md index 59807134d0..ace4243726 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/notmanaged.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/notmanaged.md @@ -12,7 +12,7 @@ three options: and unclickable when it is used within the Group Policy editor. - Leave the element as it is. -![crafting_the_user_interface_15_624x362](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_15_624x362.webp) +![crafting_the_user_interface_15_624x362](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/manualedits/crafting_the_user_interface_15_624x362.webp) Figure 74. Dealing with elements that cannot be controlled with Application Settings Manager. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/subdialogs.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/subdialogs.md index 63fb00b4d5..7a562cda55 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/subdialogs.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/subdialogs.md 
@@ -4,7 +4,7 @@ Some applications have subdialogs you can capture. For instance, in the Control the ClickLock entry has a subdialog that's available to configure. That is, when you click its "Settings" button, a "Settings for ClickLock" subdialog appears, as shown in Figure 78. -![crafting_the_user_interface_19_624x694](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_19_624x694.webp) +![crafting_the_user_interface_19_624x694](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_19_624x694.webp) Figure 78. The ClickLock subdialog box. 
@@ -12,25 +12,25 @@ Now that you know this, you can capture this subdialog. To do this, in DesignStu the button. You will be asked if you want to convert the button to a subdialog, as shown in Figure 79. -![crafting_the_user_interface_20_624x684](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_20_624x684.webp) +![crafting_the_user_interface_20_624x684](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_20_624x684.webp) Figure 79. Capturing a subdiaglog button. Click "Yes," and then click "OK," as shown in Figure 80. Next, open the subdialog you want to capture, as shown in Figure 81. -![crafting_the_user_interface_21_624x218](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_21_624x218.webp) +![crafting_the_user_interface_21_624x218](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_21_624x218.webp) Figure 80. The prompt to capture a subdialog. -![crafting_the_user_interface_22](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_22.webp) +![crafting_the_user_interface_22](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_22.webp) Figure 81. Selecting the subdialog button. Select the target window (the subdialog) to capture it. When the capture is complete, you'll see the tab for the subdialog shown next to its parent tab, as shown in Figure 82. 
-![crafting_the_user_interface_23](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_23.webp) +![crafting_the_user_interface_23](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_23.webp) Figure 82. The new tab for the subdialog. diff --git a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/unexpectedresults.md b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/unexpectedresults.md index 7fbeee352d..5ac39c602a 100644 --- a/docs/policypak/policypak/applicationsettings/designstudio/userinterface/unexpectedresults.md +++ b/docs/policypak/policypak/applicationsettings/designstudio/userinterface/unexpectedresults.md @@ -9,7 +9,7 @@ Capture Wizard performs a capture, but it may not look the way you expect. Some applications cannot be captured. In the example in Figure 83, the UI elements in Skype are not able to be captured in a useful way. -![crafting_the_user_interface_24](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_24.webp) +![crafting_the_user_interface_24](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_24.webp) Figure 83. Some applications prevent their UI elements from being captured. 
@@ -21,7 +21,7 @@ described earlier). Then you need to configure them (which we will describe late Occasionally, during a capture, you might see some captured items that are underlined in the capture but not in the application itself, as shown in Figure 84. -![crafting_the_user_interface_25](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_25.webp) +![crafting_the_user_interface_25](/img/product_docs/policypak/policypak/applicationsettings/designstudio/userinterface/crafting_the_user_interface_25.webp) Figure 84. Some elements appear underlined when captured. diff --git a/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetentry.md b/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetentry.md index 65751310fd..9db9723273 100644 --- a/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetentry.md +++ b/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetentry.md @@ -17,7 +17,7 @@ settings, but change the circumstances. Here are a few examples: You can see an example of Item-Level Targeting in Figures 46 and 47. -![policypak_application_settings_2_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_1.webp) +![policypak_application_settings_2_1](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_1.webp) Figure 46. Entering the Pak's Item Level Targeting dialog. 
@@ -30,12 +30,12 @@ enclosing equations in parentheses, which groups together targeting items. In th create fairly complex determinations about which users and computers an AppSet will apply to. Targeting Collections may be set to "And" or "Or" as well as "Is" or "Is Not," as seen in Figure 49. -![policypak_application_settings_2_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_2.webp) +![policypak_application_settings_2_2](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_2.webp) Figure 48. In this example, the Pak would only apply to Windows 10 machines when (1) the machine is portable and (2) the user is in the FABRIKAM\Traveling Sales Users group. -![policypak_application_settings_2_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_3.webp) +![policypak_application_settings_2_3](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_3.webp) Figure 49. In this example, the Pak would only apply to Windows 10 machines when either(1) the machine is portable and (2) the IP address between 192.168.5.1 - 192.168.7.254 OR (1) the machine @@ -69,6 +69,6 @@ to maintain different browser settings for the home office and each field office When Item-Level Targeting is used, it can be seen in the GPMC reports, as seen in Figure 50. -![policypak_application_settings_2_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_4.webp) +![policypak_application_settings_2_4](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_4.webp) Figure 50. The Item-Level Targeting shows up in the GPMC reports when it is being used. 
diff --git a/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetinternal.md b/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetinternal.md index ebb80cee4c..21fe516db4 100644 --- a/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetinternal.md +++ b/docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/appsetinternal.md @@ -18,7 +18,7 @@ the Endpoint Policy Manager DesignStudio at design time. Figure 51 shows an example of how you might configure an internal filter. -![policypak_application_settings_2_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_5.webp) +![policypak_application_settings_2_5](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_5.webp) Figure 51. Configuring an internal filter. @@ -33,7 +33,7 @@ regardless of whether the application is present on the machine. To do this, you AppSet entry's options and change the "Predefined Item-Level Targeting" switch, as seen in Figure 52. -![policypak_application_settings_2_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_6.webp) +![policypak_application_settings_2_6](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_6.webp) Figure 52.  Changing the Predefined Item-Level Targeting switch. 
@@ -48,6 +48,6 @@ Table 1: Internal Item-Level Targeting settings options. | On (Installed and Virtual Applications) | This forces Endpoint Policy Manager Application Settings Manager to evaluate internal Item-Level Targeting, even when the application is virtualized. You might want to set this setting if you would like to ensure that an internal filter for the operating system, IP range, or other system-specific setting is validated. | Typically, you wouldn't use this setting if you have internal filters that check for particular application-specific entries—such as Registry entries or file entries—since those cannot be evaluated inside the virtualized application. Remember that Endpoint Policy Manager Application Settings Manager can only evaluate the "real" machine and not the conditions within the virtualized application itself. | | Off | Set this to Off to bypass ANY internal filters. This is a good troubleshooting step if you're not seeing settings being applied on your target machine. | When this is set to Off, no internal Item-Level Targets will "interfere" with the application of the settings. | -![policypak_application_settings_2_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_7.webp) +![policypak_application_settings_2_7](/img/product_docs/policypak/policypak/applicationsettings/extras/itemleveltargeting/policypak_application_settings_2_7.webp) Figure 53. One scenario for item-level targeting on installed applications only. diff --git a/docs/policypak/policypak/applicationsettings/extras/managedby.md b/docs/policypak/policypak/applicationsettings/extras/managedby.md index 56ad5959b8..8037c15ead 100644 --- a/docs/policypak/policypak/applicationsettings/extras/managedby.md +++ b/docs/policypak/policypak/applicationsettings/extras/managedby.md 
@@ -7,19 +7,19 @@ in charge of the application. You can accomplish this by selecting "Add ‘Managed by Endpoint Policy Manager' to Windows under management," as seen in Figure 60. -![policypak_application_settings_2_14](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_14.webp) +![policypak_application_settings_2_14](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_14.webp) Figure 60. IT administrators can display to users that they are in control of the settings. When you do this, a window will pop up, giving you options for the setting. For most applications, these windows will look similar to what is displayed in Figure 61 and Figure 62. -![policypak_application_settings_2_15](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_15.webp) +![policypak_application_settings_2_15](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_15.webp) Figure 61. An example of what you would see if you selected "Add ‘Managed by Endpoint Policy Manager' to Windows under management." -![policypak_application_settings_2_16_624x354](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_16_624x354.webp) +![policypak_application_settings_2_16_624x354](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_16_624x354.webp) Figure 62. Another example of what you would see if you selected "Add ‘Managed by Endpoint Policy Manager' to Windows under management." 
@@ -28,7 +28,7 @@ Note that not every application will display "Managed by Endpoint Policy Manager sure to test with your specific application. Also, be aware that the GPMC reports will demonstrate if you have this feature enabled, as seen in Figure 63. -![policypak_application_settings_2_17](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_17.webp) +![policypak_application_settings_2_17](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_17.webp) Figure 63. The GPMC report showing that "Add ‘Managed by Endpoint Policy Manager' to windows under management" was enabled. diff --git a/docs/policypak/policypak/applicationsettings/extras/multipleappsetspriority.md b/docs/policypak/policypak/applicationsettings/extras/multipleappsetspriority.md index 872679b90e..baef301132 100644 --- a/docs/policypak/policypak/applicationsettings/extras/multipleappsetspriority.md +++ b/docs/policypak/policypak/applicationsettings/extras/multipleappsetspriority.md @@ -6,7 +6,7 @@ In Figure 54, you can see the same AppSet (WinZip 14 and later) used three times GPO. However, each AppSet item has Item-Level Targeting turned on and specific conditions associated with it. -![policypak_application_settings_2_8](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_8.webp) +![policypak_application_settings_2_8](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_8.webp) Figure 54. WinZip 14 being used multiple times in the same GPO. 
@@ -21,7 +21,7 @@ you've engaged. As a result, you might want to ensure that the delivery of those a particular order. As seen in Figure 55, Endpoint Policy Manager Application Settings Manager enables you to specify which AppSet is delivered in which order. -![policypak_application_settings_2_9](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_9.webp) +![policypak_application_settings_2_9](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_9.webp) Figure 55. The order in which the Paks (in this scenario) are delivered. @@ -33,7 +33,7 @@ To change the priority of a particular AppSet, simply right-click on it within t either "Enable priority mode (press Enter to exit)" or "Set priority," which are both shown in Figure 56. -![policypak_application_settings_2_10](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_10.webp) +![policypak_application_settings_2_10](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_10.webp) Figure 56. By clicking "Enable priority mode (press Enter to exit)," as shown here, you can change the priority of a specific Pak. @@ -45,7 +45,7 @@ edit. You can also select "Set priority," which will enable you to specify a numeric value, as shown in Figure 57. -![policypak_application_settings_2_11](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_11.webp) +![policypak_application_settings_2_11](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_11.webp) Figure 57. By clicking "Set priority," as shown here, you can change the priority of a specific Pak by setting the numeric value. 
diff --git a/docs/policypak/policypak/applicationsettings/extras/settingdescription.md b/docs/policypak/policypak/applicationsettings/extras/settingdescription.md index f8f65011df..f664cf554b 100644 --- a/docs/policypak/policypak/applicationsettings/extras/settingdescription.md +++ b/docs/policypak/policypak/applicationsettings/extras/settingdescription.md @@ -2,12 +2,12 @@ You can add your own note or description to each AppSet, as shown in Figure 58. -![policypak_application_settings_2_12](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_12.webp) +![policypak_application_settings_2_12](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_12.webp) Figure 58. Entering notes for each Pak. Notes are displayed within the GPMC reports, as seen in Figure 59. -![policypak_application_settings_2_13](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_13.webp) +![policypak_application_settings_2_13](/img/product_docs/policypak/policypak/applicationsettings/extras/policypak_application_settings_2_13.webp) Figure 59. Notes shown in the GPMC reports. diff --git a/docs/policypak/policypak/applicationsettings/modes/acllockdown.md b/docs/policypak/policypak/applicationsettings/modes/acllockdown.md index b95b8fc71d..20510411f7 100644 --- a/docs/policypak/policypak/applicationsettings/modes/acllockdown.md +++ b/docs/policypak/policypak/applicationsettings/modes/acllockdown.md 
@@ -1,11 +1,11 @@ # ACL Lockdown™ Mode **NOTE:** For a demonstration of the ACL Lockdown™ Mode feature, please see this video: -[ACL Lockdown for Registry Based Applications](../../video/applicationsettings/acllockdown.md). +[ACL Lockdown for Registry Based Applications](/docs/policypak/policypak/video/applicationsettings/acllockdown.md). ACL Lockdown mode can be seen when you right-click a setting within an AppSet (see Figure 34). -![policypak_application_settings_1_13](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_13.webp) +![policypak_application_settings_1_13](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_13.webp) Figure 34. Selecting the ACL Lockdown setting. 
@@ -36,14 +36,14 @@ that share the same location in the Registry (see Figure 35). If you right-click checkboxes in the Passwords tab, you can see that "Perform ACL Lockdown" will be already checked, because all the elements on this page are within the same portion of the Registry. -![policypak_application_settings_1_14](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_14.webp) +![policypak_application_settings_1_14](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_14.webp) Figure 35. With "Perform ACL Lockdown" selected, all password options are automatically checked. However, clicking on another tab—such as Cameras—and right-clicking a setting will show that "Perform ACL Lockdown" is not set (see Figure 36). -![policypak_application_settings_1_15](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_15.webp) +![policypak_application_settings_1_15](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_15.webp) Figure 36. If other tabs are selected, "Perform ACL Lockdown" will not be set. @@ -54,7 +54,7 @@ To reiterate, if an application's data is stored in a file, then usually ALL ite will be locked when "Perform ACL Lockdown" is selected. In the example shown in Figure 37, "Perform ACL Lockdown" is selected for one Firefox setting. -![policypak_application_settings_1_16](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_16.webp) +![policypak_application_settings_1_16](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_16.webp) Figure 37. "Perform ACL Lockdown" is selected for one Firefox setting. 
diff --git a/docs/policypak/policypak/applicationsettings/modes/applock.md b/docs/policypak/policypak/applicationsettings/modes/applock.md index 4ddeaadcd0..309e8daf19 100644 --- a/docs/policypak/policypak/applicationsettings/modes/applock.md +++ b/docs/policypak/policypak/applicationsettings/modes/applock.md 
@@ -38,7 +38,7 @@ If you right-click on any tab, you'll find two more settings. Figures 28, 30, and 32 illustrate the selection process for the various settings that can be enforced. Figures 29, 31, and 33 show the results of the settings on the target machines. -| ![policypak_application_settings_1_7](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_7.webp) Figure 28. Endpoint Policy Manager Application Settings Manager Applock™ hide mode. | ![policypak_application_settings_1_8](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_8.webp) Figure 29. The corresponding control in the target application has been hidden. | +| ![policypak_application_settings_1_7](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_7.webp) Figure 28. Endpoint Policy Manager Application Settings Manager Applock™ hide mode. | ![policypak_application_settings_1_8](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_8.webp) Figure 29. The corresponding control in the target application has been hidden. | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![policypak_application_settings_1_9](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_9.webp) Figure 30. 
Endpoint Policy Manager Application Settings Manager Applock™ disable mode. | ![policypak_application_settings_1_10](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_10.webp) Figure 31. The corresponding control in the target application has been grayed out. | -| ![policypak_application_settings_1_11](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_11.webp) Figure 32. In the Group Policy Editor, right-click below the tab you wish to disable, as seen here. | ![policypak_application_settings_1_12](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_12.webp) Figure 33. The target tab, Cameras, has been grayed out. Users cannot click it to see or modify any elements within this tab. | +| ![policypak_application_settings_1_9](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_9.webp) Figure 30. Endpoint Policy Manager Application Settings Manager Applock™ disable mode. | ![policypak_application_settings_1_10](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_10.webp) Figure 31. The corresponding control in the target application has been grayed out. | +| ![policypak_application_settings_1_11](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_11.webp) Figure 32. In the Group Policy Editor, right-click below the tab you wish to disable, as seen here. | ![policypak_application_settings_1_12](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_12.webp) Figure 33. The target tab, Cameras, has been grayed out. Users cannot click it to see or modify any elements within this tab. | 
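Review bot: In the @@ -38,7 hunk the Figure 28 and Figure 29 cells sit above the `| --- |` separator row, so the first pair of screenshots and captions renders as the table's header row while Figures 30 to 33 render as body rows. The rewritten `+` lines keep that layout. Consider adding an empty header row ahead of the separator so all three figure pairs are body rows, or moving the figures out of the table altogether.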
diff --git a/docs/policypak/policypak/applicationsettings/modes/deliversettingsvalues.md b/docs/policypak/policypak/applicationsettings/modes/deliversettingsvalues.md index 3c7d1879ff..60ee579874 100644 --- a/docs/policypak/policypak/applicationsettings/modes/deliversettingsvalues.md +++ b/docs/policypak/policypak/applicationsettings/modes/deliversettingsvalues.md @@ -8,14 +8,14 @@ Endpoint Policy Manager will deliver settings once you click the setting. If you underline underneath the element, you know it's set to deliver the value, as shown in Figure 24. In the following examples, you can see how to enforce a checkbox's setting. -![policypak_application_settings_1_3](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_3.webp) +![policypak_application_settings_1_3](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_3.webp) Figure 24. Underline indicating that action will be taken on these settings. When you alter your settings to what is shown in Figure 25, the result will be NO enforcement action. Note that there is no underline underneath the element. -![policypak_application_settings_1_4](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_4.webp) +![policypak_application_settings_1_4](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_4.webp) Figure 25. The result of these settings will be that no reinforcement action will occur. 
@@ -30,7 +30,7 @@ Endpoint Policy Manager Application Settings Manager will deliver an uncheck set If the box is already checked in the client's application, Endpoint Policy Manager Application Settings Manager will forcefully uncheck (clear) the checkbox, as shown in Figure 26. -![policypak_application_settings_1_5](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_5.webp) +![policypak_application_settings_1_5](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_5.webp) Figure 26. Action will be taken to uncheck the box. diff --git a/docs/policypak/policypak/applicationsettings/modes/mouseshortcuts.md b/docs/policypak/policypak/applicationsettings/modes/mouseshortcuts.md index d10fca9adf..3ff45778d1 100644 --- a/docs/policypak/policypak/applicationsettings/modes/mouseshortcuts.md +++ b/docs/policypak/policypak/applicationsettings/modes/mouseshortcuts.md @@ -5,7 +5,7 @@ help you quickly configure each tab. To discover the mouse shortcuts, right-clic (i.e., not on any specific element like a checkbox or dropdown menu). You should see the flyout menu, shown in Figure 38. -![policypak_application_settings_1_17](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_17.webp) +![policypak_application_settings_1_17](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_17.webp) Figure 38. Application Settings Manager flyout menu. 
@@ -49,6 +49,6 @@ This menu reveals several shortcuts. Note that if there are no values in any of the elements on a tab, the first two sets of shortcuts will not be available, as seen in Figure 39. -![policypak_application_settings_1_18](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_18.webp) +![policypak_application_settings_1_18](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_18.webp) Figure 39. The visible options when there are no values in any of the elements on a tab. diff --git a/docs/policypak/policypak/applicationsettings/modes/overview.md b/docs/policypak/policypak/applicationsettings/modes/overview.md index b82f658551..e0ad7b1330 100644 --- a/docs/policypak/policypak/applicationsettings/modes/overview.md +++ b/docs/policypak/policypak/applicationsettings/modes/overview.md @@ -14,7 +14,7 @@ which elements to configure, enforce, and even disable or hide. In Figure 22, you can see which modes are available when right-clicking a Endpoint Policy Manager Application Settings Manager attribute with settings data inside. -![policypak_application_settings_1_1](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_1.webp) +![policypak_application_settings_1_1](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_1.webp) Figure 22. The modes available in Endpoint Policy Manager Application Settings Manager. 
@@ -26,7 +26,7 @@ highlighted the following modes: - Endpoint Policy Manager Application Settings Manager ACL Lockdown™ mode - Endpoint Policy Manager Application Settings Manager Applock™ modes -![policypak_application_settings_1_2](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_2.webp) +![policypak_application_settings_1_2](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_2.webp) Figure 23. The areas of control for an element. diff --git a/docs/policypak/policypak/applicationsettings/modes/reversion.md b/docs/policypak/policypak/applicationsettings/modes/reversion.md index fd2dcc0001..16f9d3ee68 100644 --- a/docs/policypak/policypak/applicationsettings/modes/reversion.md +++ b/docs/policypak/policypak/applicationsettings/modes/reversion.md @@ -17,6 +17,6 @@ which means that the value will be retained on the client—even though the GPO Note that when the reversion mode is set, the text in the Endpoint Policy Manager Application Settings Manager user interface changes to italics as a visual signal, as seen in Figure 27. -![policypak_application_settings_1_6](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_6.webp) +![policypak_application_settings_1_6](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_6.webp) Figure 27. Text in italics show that the reversion mode is in effect. diff --git a/docs/policypak/policypak/applicationsettings/modes/settingsdeliveryreinforcementoptions.md b/docs/policypak/policypak/applicationsettings/modes/settingsdeliveryreinforcementoptions.md index d0af02d4b3..aa5365f826 100644 --- a/docs/policypak/policypak/applicationsettings/modes/settingsdeliveryreinforcementoptions.md +++ b/docs/policypak/policypak/applicationsettings/modes/settingsdeliveryreinforcementoptions.md 
@@ -9,7 +9,7 @@ background refresh and get updated settings. But what happens if the client is o As seen in Figure 41, a client machine can detect that there is no network connectivity. With no network connectivity, Microsoft's built-in `gpupdate.exe `will fail when it is run. -![policypak_application_settings_1_20](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_20.webp) +![policypak_application_settings_1_20](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_20.webp) Figure 41. The error message that is received when `gpupdate.exe` is run while the client machine is offline. @@ -46,7 +46,7 @@ Whether the computer is online or offline, PolicyPak Application Settings Manage reapply settings using` ppupdate.exe`. In Figure 42, you can see `ppupdate.exe` being run to reinforce any changed settings. -![policypak_application_settings_1_21](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_21.webp) +![policypak_application_settings_1_21](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_21.webp) Figure 42. `Ppupdate.exe` being run. @@ -60,7 +60,7 @@ network connectivity is not needed to run this command. ## Automatic Reapplication of Settings at Application Launch **NOTE:** For a demonstration of this feature, please see this video: -[The Superpowers](../../video/applicationsettings/superpowers.md). +[The Superpowers](/docs/policypak/policypak/video/applicationsettings/superpowers.md). When an application is run, its settings are automatically reapplied before the application is launched. This feature is turned on for all AppSets by default. 
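Review bot: The context lines of the @@ -46,7 hunk have a misplaced code-span delimiter: the opening backtick before ppupdate.exe is attached to the word "using" and the space falls inside the span, so the command renders with a leading space and no gap before it. The @@ -9,7 hunk has the mirror-image slip after gpupdate.exe (trailing space inside the span, none before "will"). The same @@ -46,7 context also still says "PolicyPak Application Settings Manage…" while the rest of the file uses "Endpoint Policy Manager". These lines are adjacent to the ones being changed, so it would be cheap to fix them in this change.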
@@ -72,7 +72,7 @@ Inside the AppSet definition, find the Options button and deselect "Always re-ap application runs." As you can see in Figure 43, all applications are checked by default. You can uncheck the checkbox to stop the reapplication. -![policypak_application_settings_1_22](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_22.webp) +![policypak_application_settings_1_22](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_22.webp) Figure 43. Select or unselect the "Always re-apply settings when application runs" setting in the Options inside the Pak definition. @@ -88,7 +88,7 @@ Enabled (REG_DWORD) to 0. This is demonstrated in Figure 44. Note that you also should either reboot the machine to disable or re-enable the driver. -![policypak_application_settings_1_23](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_23.webp) +![policypak_application_settings_1_23](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_23.webp) Figure 44. Use the following Registry location to fully disable the Endpoint Policy Manager driver, which performs reapplication of settings for applications. @@ -123,7 +123,7 @@ Figure 45 (which is at the AppSet level), then the specific AppSet will NOT be r timer is supposed to apply it. In short, by setting this option, you bypass reapplication of the settings even when the enforcement timer is set. -![policypak_application_settings_1_24](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_24.webp) +![policypak_application_settings_1_24](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_24.webp) Figure 45. Enabling the "Do not re-apply settings with Reinforcement Timer" setting. 
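Review bot: In the @@ -88,7 hunk the context sentence "Note that you also should either reboot the machine to disable or re-enable the driver." has an "either" with no second option, so a reader cannot tell whether a reboot is the only way for the Enabled (REG_DWORD) = 0 change to take effect. This passage documents how to fully disable the driver that reapplies settings, so the wording matters to anyone checking whether enforcement is actually on or off. Please state the alternative to rebooting or drop "either" while the surrounding lines are being edited.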
diff --git a/docs/policypak/policypak/applicationsettings/modes/switched.md b/docs/policypak/policypak/applicationsettings/modes/switched.md index c0abb48b3b..515973117e 100644 --- a/docs/policypak/policypak/applicationsettings/modes/switched.md +++ b/docs/policypak/policypak/applicationsettings/modes/switched.md @@ -27,7 +27,7 @@ In Figure 40, you can see a GPO that affects Computer accounts. You use the AppS as you would on the User side; however, you configure it for the Computer side. The User-side policy settings will automatically affect every user who logs onto the targeted computer. -![policypak_application_settings_1_19](../../../../../static/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_19.webp) +![policypak_application_settings_1_19](/img/product_docs/policypak/policypak/applicationsettings/modes/policypak_application_settings_1_19.webp) Figure 40. A GPO that affects Computer accounts. diff --git a/docs/policypak/policypak/applicationsettings/overview/knowledgebase.md b/docs/policypak/policypak/applicationsettings/overview/knowledgebase.md index 8a2c1cd361..427258ef5e 100644 --- a/docs/policypak/policypak/applicationsettings/overview/knowledgebase.md +++ b/docs/policypak/policypak/applicationsettings/overview/knowledgebase.md 
@@ -4,129 +4,129 @@ See the following Knowledge Base articles for Application Manager. ## General Configuration & Operation -- [What if I am having trouble getting the Licensing GPO installed?](../../troubleshooting/applicationsettings/license/gpo.md) -- [What happens to Application Settings Manager settings when the Endpoint Policy Manager license expires / if my company chooses not to renew?](../../troubleshooting/applicationsettings/gpooutofscope.md) -- [Is there an easy way to back up the GPO's I configured with Application Manager?](../../troubleshooting/applicationsettings/backup/gpos.md) -- [Can I Export my GPO settings so that they can be used in the future to create similar GPOs?](../../troubleshooting/applicationsettings/export/gpos.md) -- [How many Endpoint Policy Manager policies can I create within one Group Policy Object?](../../troubleshooting/applicationsettings/limitations.md) -- [We upgraded our DLL files recently after creating a new Pak with Design Studio. After the implementation we would like to revert back to the original Pak. I have a local copy of the former DLL. Can I downgrade to the curre](../../troubleshooting/applicationsettings/downgrade.md) -- [Application Manager Roles and Responsibilities](../rolesresponsibilities.md) -- [I deselected the Applock feature, Disable whole tab in target application, but the elements are still grayed out. How can I fix this?](../../troubleshooting/applicationsettings/applock/feature.md) -- [I am selecting values for certain settings for the Lync client. On the Alerts tab, I am selecting and deselecting various radio buttons but none of these selections are being underlined. Why is this?](../../troubleshooting/applicationsettings/lyncclient.md) -- [I am configuring the values for some settings for an application. Many of these settings involve checkmarks which are unchecked by default. 
How can I tell if an unchecked checkbox is being delivered or not?](../../troubleshooting/applicationsettings/checkmarks.md) -- [How can I use the Endpoint Policy ManagerCentral store (if I was already using the Endpoint Policy Manager Local store?)](../centralstore.md) -- [How can I keep abreast of the latest Endpoint Policy Manager updates as they are released?](../../troubleshooting/latestupdates.md) -- [Should I create Endpoint Policy Application Manager policies on the USER or COMPUTER side?](../side.md) -- [What is the difference between running the gp update (Microsoft) and ppupdate (Endpoint Policy Manager) commands?](../../troubleshooting/applicationsettings/updatedcommands.md) -- [Does Application Manager work when the machine is NOT US-English (say, Italian or Russian?)](../../troubleshooting/applicationsettings/language.md) -- [Can Application Manager help me in pushing, assigning or configuring printers?](../printers.md) -- [Can I deploy the Application Manager settings I've configured as a one-time only deployment like Group Policy Preferences does?](../onetime.md) -- [Are there any required permission settings for a Endpoint Policy ManagerAdministrator to store Endpoint Policy Manager Suite DLL Extensions to the central store?](../../troubleshooting/applicationsettings/permissions.md) -- [Should I backup my Pak files?](../../troubleshooting/applicationsettings/backup/files.md) -- [I'm trying to find a particular font setting in one of your Word Paks but I can't find it. Is the setting not supported?](../../troubleshooting/applicationsettings/fontsetting.md) -- [Is there a particular naming scheme I need to use when compiling my Paks within Design Studio?](../../troubleshooting/applicationsettings/designstudio.md) -- [I need to modify the Pak (DLL file) of one of the applications I control with Application Manager. 
Will I lose my group policy settings after I modify the DLL file](../../troubleshooting/applicationsettings/modifydll.md) -- [I installed Design Studio on a Windows 7 Laptop but there are still some XP and Vista stations in our network. Will the Paks I create work for all three operating system?](../../requirements/support/applicationsettings/designstudiowindows7.md) -- [Should I put lots of Paks (or other PP directives into one GPO?)](../../troubleshooting/applicationsettings/onegpo.md) -- [How-to gain access of a remote computer using built-in Windows Remote Assistance application?](../windowsremoteassistance.md) -- [How do I upgrade Application Manager when I upgrade my DCs / servers?](../upgrade.md) +- [What if I am having trouble getting the Licensing GPO installed?](/docs/policypak/policypak/troubleshooting/applicationsettings/license/gpo.md) +- [What happens to Application Settings Manager settings when the Endpoint Policy Manager license expires / if my company chooses not to renew?](/docs/policypak/policypak/troubleshooting/applicationsettings/gpooutofscope.md) +- [Is there an easy way to back up the GPO's I configured with Application Manager?](/docs/policypak/policypak/troubleshooting/applicationsettings/backup/gpos.md) +- [Can I Export my GPO settings so that they can be used in the future to create similar GPOs?](/docs/policypak/policypak/troubleshooting/applicationsettings/export/gpos.md) +- [How many Endpoint Policy Manager policies can I create within one Group Policy Object?](/docs/policypak/policypak/troubleshooting/applicationsettings/limitations.md) +- [We upgraded our DLL files recently after creating a new Pak with Design Studio. After the implementation we would like to revert back to the original Pak. I have a local copy of the former DLL. 
Can I downgrade to the curre](/docs/policypak/policypak/troubleshooting/applicationsettings/downgrade.md) +- [Application Manager Roles and Responsibilities](/docs/policypak/policypak/applicationsettings/rolesresponsibilities.md) +- [I deselected the Applock feature, Disable whole tab in target application, but the elements are still grayed out. How can I fix this?](/docs/policypak/policypak/troubleshooting/applicationsettings/applock/feature.md) +- [I am selecting values for certain settings for the Lync client. On the Alerts tab, I am selecting and deselecting various radio buttons but none of these selections are being underlined. Why is this?](/docs/policypak/policypak/troubleshooting/applicationsettings/lyncclient.md) +- [I am configuring the values for some settings for an application. Many of these settings involve checkmarks which are unchecked by default. How can I tell if an unchecked checkbox is being delivered or not?](/docs/policypak/policypak/troubleshooting/applicationsettings/checkmarks.md) +- [How can I use the Endpoint Policy ManagerCentral store (if I was already using the Endpoint Policy Manager Local store?)](/docs/policypak/policypak/applicationsettings/centralstore.md) +- [How can I keep abreast of the latest Endpoint Policy Manager updates as they are released?](/docs/policypak/policypak/troubleshooting/latestupdates.md) +- [Should I create Endpoint Policy Application Manager policies on the USER or COMPUTER side?](/docs/policypak/policypak/applicationsettings/side.md) +- [What is the difference between running the gp update (Microsoft) and ppupdate (Endpoint Policy Manager) commands?](/docs/policypak/policypak/troubleshooting/applicationsettings/updatedcommands.md) +- [Does Application Manager work when the machine is NOT US-English (say, Italian or Russian?)](/docs/policypak/policypak/troubleshooting/applicationsettings/language.md) +- [Can Application Manager help me in pushing, assigning or configuring 
printers?](/docs/policypak/policypak/applicationsettings/printers.md) +- [Can I deploy the Application Manager settings I've configured as a one-time only deployment like Group Policy Preferences does?](/docs/policypak/policypak/applicationsettings/onetime.md) +- [Are there any required permission settings for a Endpoint Policy ManagerAdministrator to store Endpoint Policy Manager Suite DLL Extensions to the central store?](/docs/policypak/policypak/troubleshooting/applicationsettings/permissions.md) +- [Should I backup my Pak files?](/docs/policypak/policypak/troubleshooting/applicationsettings/backup/files.md) +- [I'm trying to find a particular font setting in one of your Word Paks but I can't find it. Is the setting not supported?](/docs/policypak/policypak/troubleshooting/applicationsettings/fontsetting.md) +- [Is there a particular naming scheme I need to use when compiling my Paks within Design Studio?](/docs/policypak/policypak/troubleshooting/applicationsettings/designstudio.md) +- [I need to modify the Pak (DLL file) of one of the applications I control with Application Manager. Will I lose my group policy settings after I modify the DLL file](/docs/policypak/policypak/troubleshooting/applicationsettings/modifydll.md) +- [I installed Design Studio on a Windows 7 Laptop but there are still some XP and Vista stations in our network. 
Will the Paks I create work for all three operating system?](/docs/policypak/policypak/requirements/support/applicationsettings/designstudiowindows7.md) +- [Should I put lots of Paks (or other PP directives into one GPO?)](/docs/policypak/policypak/troubleshooting/applicationsettings/onegpo.md) +- [How-to gain access of a remote computer using built-in Windows Remote Assistance application?](/docs/policypak/policypak/applicationsettings/windowsremoteassistance.md) +- [How do I upgrade Application Manager when I upgrade my DCs / servers?](/docs/policypak/policypak/applicationsettings/upgrade.md) ## Central Store and Sharing -- [Can I store the DLL extensions in a central location AND locally on the machine I create my Paks on and if so which one is utilized?](../dllstorage.md) +- [Can I store the DLL extensions in a central location AND locally on the machine I create my Paks on and if so which one is utilized?](/docs/policypak/policypak/applicationsettings/dllstorage.md) ## PreConfigured AppSets -- [Admin Console (Item Level Targeting): Why would I want to bypass Internal (pre-defined) Item Level Targeting?](../preconfigured/itemleveltargeting/bypassinternal.md) -- [Chrome: How to Configure Chrome HomePage using Application Manager](../preconfigured/chrome/home.md) -- [Chrome: How do I manage certificates with Google Chrome?](../preconfigured/chrome/certificates.md) -- [Chrome Policies don't appear to work when using Endpoint Policy Manager Cloud.](../../troubleshooting/applicationsettings/chrome/policies.md) -- [Chrome: How do I manage the Proxy settings for Google Chrome?](../preconfigured/chrome/proxysettings.md) -- [Chrome: How do I block Local File access to Google Chrome with Endpoint Policy Manager?](../preconfigured/chrome/localfileaccess.md) -- [Chrome: Why do I have extra tabs appear when I open Chrome on an endpoint?](../preconfigured/chrome/extratabs.md) -- [Chrome: Why Homepage button URL is not working for Google 
Chrome?](../../troubleshooting/applicationsettings/chrome/homebuttonurl.md) -- [Firefox: How do I make Application Settings Manager work with Firefox 115 and later (and how do I transition existing settings?](../preconfigured/firefox/transition.md) -- [Firefox: How do I troubleshoot adding Certificates with Endpoint Policy Manager and Firefox?](../../troubleshooting/applicationsettings/firefox/certificates.md) -- [Firefox: How can I deliver Certificates to "Certificate Authority" store and select "websites", "mail users" and "software makers"?](../preconfigured/firefox/certificate/authority.md) -- [Firefox: How can I prevent both automatic AND manual updates for Firefox?](../preconfigured/firefox/preventupdates.md) -- [Firefox: How can I use Endpoint Policy Manager to revert Firefox's Options back to the "Old Style" ?](../preconfigured/firefox/revertoptions.md) -- [Firefox: How do I use the NTLM passthru (URIS) settings in the Firefox / about:config AppSets?](../preconfigured/firefox/ntlmpassthru.md) -- [Firefox: What versions of the Endpoint Policy Manager CSE support managing certificates in what versions of Firefox?](../../requirements/support/applicationsettings/firefox/version.md) -- [Firefox: Can I enable / disable add-ons for Firefox?](../preconfigured/firefox/addons.md) -- [Firefox: Can I deliver, manage and/or revoke certificates directly to Firefox?](../preconfigured/firefox/certificate/certificates.md) -- [Can I use Security.enterprise_roots.enabled as an alternate method for FF + Certificates?](../preconfigured/firefox/securityenterpriseroots.md) -- [Firefox (and Java and Thunderbird): Why can't I seem to find (or perform) UI lockdown for Firefox, Java or Thunderbird ?](../preconfigured/firefox/javathunderbird.md) -- [Firefox: Is Endpoint Policy Manager compatible with the Frontmotion packaged MSI version of Firefox?](../../requirements/support/applicationsettings/firefox/frontmotion.md) -- [Firefox: Is Endpoint Policy Manager compatible with Firefox 
when installed to non-standard (and portable) locations?](../../requirements/support/applicationsettings/firefox/nonstandardlocation.md) -- [Firefox: Is Endpoint Policy Manager compatible with Firefox ESR?](../../requirements/support/applicationsettings/firefox/esr.md) -- [Firefox: How do I set "Allow Now", "Allow and Remember" or "Block Plugin" as plug-ins are requested?](../preconfigured/firefox/allowremember.md) -- [Firefox: How do I stop the "Firefox automatically sends some data to Mozilla so that we can improve your experience" message?](../preconfigured/firefox/stopsenddatamessage.md) -- [Firefox: How can I fix Dark Theme / Firefox 56 when using Endpoint Policy Manager?](../preconfigured/firefox/darktheme.md) -- [Firefox: Why doesn't the Firefox Applications Handler function work as expected?](../../troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md) -- [Firefox: Why don't I see Bookmarks and Pop-Ups settings set when user has NEVER run Firefox before?](../../troubleshooting/applicationsettings/firefox/bookmarkpopups.md) -- [HowTo: What do I do if I find a problem with a preconfigured AppSet?](../../troubleshooting/applicationsettings/issue.md) -- [HowTo: One of my AppSet entry's settings is not getting delivered on target machines. 
What should be the first thing to look into?](../../troubleshooting/applicationsettings/entrysettings.md) -- [HowTo: Which "side" of GPO should I deploy AppSets to: User or Computer side?](../preconfigured/side.md) -- [Internet Explorer: I'm trying to use IE 11's Enterprise Mode, but it doesn't appear to be working?](../../troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md) -- [Internet Explorer: Can I enable / disable add-ons for Internet Explorer?](../preconfigured/internetexplorer/addons.md) -- [Internet Explorer: Can I deliver, manage and/or revoke certificates directly to Internet Explorer?](../preconfigured/internetexplorer/certificates.md) -- [Internet Explorer: How do I deploy custom settings to zones?](../preconfigured/internetexplorer/customsettings.md) -- [Internet Explorer: When should I use Compatibility mode vs. Enterprise Mode for IE 11?](../preconfigured/internetexplorer/mode.md) -- [Internet Explorer: Why don't HTTP sites get added to the Trusted Site list?](../../troubleshooting/applicationsettings/internetexplorer/httpsites.md) -- [Internet Explorer: Why does IE fail to launch after I apply ACL lockdown or all of the IE AppSet STIG settings?](../../troubleshooting/applicationsettings/internetexplorer/launchfailstig.md) -- [Internet Explorer: Why Internet Explorer is not launching after I apply "Perform ACL Lockdown"?](../../troubleshooting/applicationsettings/internetexplorer/launchfail.md) -- [Java: Using the Pre-configured AppSet for Java, how do I prevent "Java has discovered application components that could indicate a security concern." 
Pop up?](../preconfigured/java/securitypopup.md) -- [Java: How to disable prompt "Your Java version is out of date."?](../preconfigured/java/versionoutofdate.md) -- [Java: How to disable prompt "You Java version is insecure"?](../preconfigured/java/versioninsecure.md) -- [Java: How to disable Java prompt "Do you want to run this application?"](../preconfigured/java/runapplication.md) -- [Java: How to disable User Account Control prompt for Java Auto Updater?](../preconfigured/java/useraccountcontrol.md) -- [Java: How to disable Task tray notification balloon events?](../preconfigured/java/tasktray.md) -- [Java: I don't see that any changes are working at all. What can I try first?](../../troubleshooting/applicationsettings/java/issue.md) -- [Java: Java Site List Exceptions just stopped working. What can I do to fix this?](../../troubleshooting/applicationsettings/java/sitelistexceptions.md) -- [Other: What is "Internal (pre-Defined)" Item Level Targeting?](../preconfigured/itemleveltargeting/internalpredefined.md) -- [Other: Is "Internal Item-Level Targeting" on by default?](../preconfigured/itemleveltargeting/bydefault.md) -- [Other: I added a AppSet and some items are grayed out / not available. In other AppSets, everything seems available. 
What's happening?](../../troubleshooting/applicationsettings/itemsunavailable.md) -- [AppSets: Why are there some areas of the pre-configured AppSet greyed out or not accessable?](../../troubleshooting/applicationsettings/appset/unavailable.md) -- [AppSets: Why do some AppSets have pre-defined Item Level Targeting for an EXACT version number, and others say "Version 7 to 99" (or similar)?](../../troubleshooting/applicationsettings/appset/versions.md) -- [AppSets: What is the official support policy for the pre-configured AppSets?](../../troubleshooting/applicationsettings/supportpolicy.md) -- [AppSets: How will I know that an existing AppSet will work with the version of the application I have today (and tomorrow)?](../../troubleshooting/applicationsettings/appset/versionsupport.md) -- [AppSets: How often do the AppSets for specific apps get updated?](../../troubleshooting/applicationsettings/appset/updates.md) +- [Admin Console (Item Level Targeting): Why would I want to bypass Internal (pre-defined) Item Level Targeting?](/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bypassinternal.md) +- [Chrome: How to Configure Chrome HomePage using Application Manager](/docs/policypak/policypak/applicationsettings/preconfigured/chrome/home.md) +- [Chrome: How do I manage certificates with Google Chrome?](/docs/policypak/policypak/applicationsettings/preconfigured/chrome/certificates.md) +- [Chrome Policies don't appear to work when using Endpoint Policy Manager Cloud.](/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/policies.md) +- [Chrome: How do I manage the Proxy settings for Google Chrome?](/docs/policypak/policypak/applicationsettings/preconfigured/chrome/proxysettings.md) +- [Chrome: How do I block Local File access to Google Chrome with Endpoint Policy Manager?](/docs/policypak/policypak/applicationsettings/preconfigured/chrome/localfileaccess.md) +- [Chrome: Why do I have extra tabs appear when I open Chrome on an 
endpoint?](/docs/policypak/policypak/applicationsettings/preconfigured/chrome/extratabs.md) +- [Chrome: Why Homepage button URL is not working for Google Chrome?](/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/homebuttonurl.md) +- [Firefox: How do I make Application Settings Manager work with Firefox 115 and later (and how do I transition existing settings?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.md) +- [Firefox: How do I troubleshoot adding Certificates with Endpoint Policy Manager and Firefox?](/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/certificates.md) +- [Firefox: How can I deliver Certificates to "Certificate Authority" store and select "websites", "mail users" and "software makers"?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/authority.md) +- [Firefox: How can I prevent both automatic AND manual updates for Firefox?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preventupdates.md) +- [Firefox: How can I use Endpoint Policy Manager to revert Firefox's Options back to the "Old Style" ?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/revertoptions.md) +- [Firefox: How do I use the NTLM passthru (URIS) settings in the Firefox / about:config AppSets?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md) +- [Firefox: What versions of the Endpoint Policy Manager CSE support managing certificates in what versions of Firefox?](/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md) +- [Firefox: Can I enable / disable add-ons for Firefox?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons.md) +- [Firefox: Can I deliver, manage and/or revoke certificates directly to Firefox?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates.md) +- [Can I use Security.enterprise_roots.enabled 
as an alternate method for FF + Certificates?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/securityenterpriseroots.md) +- [Firefox (and Java and Thunderbird): Why can't I seem to find (or perform) UI lockdown for Firefox, Java or Thunderbird ?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md) +- [Firefox: Is Endpoint Policy Manager compatible with the Frontmotion packaged MSI version of Firefox?](/docs/policypak/policypak/requirements/support/applicationsettings/firefox/frontmotion.md) +- [Firefox: Is Endpoint Policy Manager compatible with Firefox when installed to non-standard (and portable) locations?](/docs/policypak/policypak/requirements/support/applicationsettings/firefox/nonstandardlocation.md) +- [Firefox: Is Endpoint Policy Manager compatible with Firefox ESR?](/docs/policypak/policypak/requirements/support/applicationsettings/firefox/esr.md) +- [Firefox: How do I set "Allow Now", "Allow and Remember" or "Block Plugin" as plug-ins are requested?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/allowremember.md) +- [Firefox: How do I stop the "Firefox automatically sends some data to Mozilla so that we can improve your experience" message?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/stopsenddatamessage.md) +- [Firefox: How can I fix Dark Theme / Firefox 56 when using Endpoint Policy Manager?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/darktheme.md) +- [Firefox: Why doesn't the Firefox Applications Handler function work as expected?](/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md) +- [Firefox: Why don't I see Bookmarks and Pop-Ups settings set when user has NEVER run Firefox before?](/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/bookmarkpopups.md) +- [HowTo: What do I do if I find a problem with a preconfigured 
AppSet?](/docs/policypak/policypak/troubleshooting/applicationsettings/issue.md) +- [HowTo: One of my AppSet entry's settings is not getting delivered on target machines. What should be the first thing to look into?](/docs/policypak/policypak/troubleshooting/applicationsettings/entrysettings.md) +- [HowTo: Which "side" of GPO should I deploy AppSets to: User or Computer side?](/docs/policypak/policypak/applicationsettings/preconfigured/side.md) +- [Internet Explorer: I'm trying to use IE 11's Enterprise Mode, but it doesn't appear to be working?](/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md) +- [Internet Explorer: Can I enable / disable add-ons for Internet Explorer?](/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/addons.md) +- [Internet Explorer: Can I deliver, manage and/or revoke certificates directly to Internet Explorer?](/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/certificates.md) +- [Internet Explorer: How do I deploy custom settings to zones?](/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/customsettings.md) +- [Internet Explorer: When should I use Compatibility mode vs. 
Enterprise Mode for IE 11?](/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/mode.md) +- [Internet Explorer: Why don't HTTP sites get added to the Trusted Site list?](/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/httpsites.md) +- [Internet Explorer: Why does IE fail to launch after I apply ACL lockdown or all of the IE AppSet STIG settings?](/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfailstig.md) +- [Internet Explorer: Why Internet Explorer is not launching after I apply "Perform ACL Lockdown"?](/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfail.md) +- [Java: Using the Pre-configured AppSet for Java, how do I prevent "Java has discovered application components that could indicate a security concern." Pop up?](/docs/policypak/policypak/applicationsettings/preconfigured/java/securitypopup.md) +- [Java: How to disable prompt "Your Java version is out of date."?](/docs/policypak/policypak/applicationsettings/preconfigured/java/versionoutofdate.md) +- [Java: How to disable prompt "You Java version is insecure"?](/docs/policypak/policypak/applicationsettings/preconfigured/java/versioninsecure.md) +- [Java: How to disable Java prompt "Do you want to run this application?"](/docs/policypak/policypak/applicationsettings/preconfigured/java/runapplication.md) +- [Java: How to disable User Account Control prompt for Java Auto Updater?](/docs/policypak/policypak/applicationsettings/preconfigured/java/useraccountcontrol.md) +- [Java: How to disable Task tray notification balloon events?](/docs/policypak/policypak/applicationsettings/preconfigured/java/tasktray.md) +- [Java: I don't see that any changes are working at all. What can I try first?](/docs/policypak/policypak/troubleshooting/applicationsettings/java/issue.md) +- [Java: Java Site List Exceptions just stopped working. 
What can I do to fix this?](/docs/policypak/policypak/troubleshooting/applicationsettings/java/sitelistexceptions.md) +- [Other: What is "Internal (pre-Defined)" Item Level Targeting?](/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/internalpredefined.md) +- [Other: Is "Internal Item-Level Targeting" on by default?](/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bydefault.md) +- [Other: I added a AppSet and some items are grayed out / not available. In other AppSets, everything seems available. What's happening?](/docs/policypak/policypak/troubleshooting/applicationsettings/itemsunavailable.md) +- [AppSets: Why are there some areas of the pre-configured AppSet greyed out or not accessable?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/unavailable.md) +- [AppSets: Why do some AppSets have pre-defined Item Level Targeting for an EXACT version number, and others say "Version 7 to 99" (or similar)?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/versions.md) +- [AppSets: What is the official support policy for the pre-configured AppSets?](/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md) +- [AppSets: How will I know that an existing AppSet will work with the version of the application I have today (and tomorrow)?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/versionsupport.md) +- [AppSets: How often do the AppSets for specific apps get updated?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/updates.md) ## Virtualized Applications -- [Do I need to do anything special to get Application Manager to deploy settings to Microsoft App-V Sequences?](../../requirements/support/applicationsettings/appvsequences.md) -- [A ThinApp throws an "Exception Error". 
What can I do to fix it?](../../troubleshooting/error/applicationsettings/exception.md) -- [Which application virtualization platforms are supported?](../../requirements/support/applicationsettings/applicationvirtualization.md) -- [How can I manage a version of Java inside a ThinApp package ?](../thinapp.md) -- [Are there any additional steps required to integrate Endpoint Policy Manager Software with XenAPP applications?](../../requirements/support/applicationsettings/xenapp.md) -- [Can Endpoint Policy Manager deliver settings for applications that are provided by XenAPP?](../xenapp.md) +- [Do I need to do anything special to get Application Manager to deploy settings to Microsoft App-V Sequences?](/docs/policypak/policypak/requirements/support/applicationsettings/appvsequences.md) +- [A ThinApp throws an "Exception Error". What can I do to fix it?](/docs/policypak/policypak/troubleshooting/error/applicationsettings/exception.md) +- [Which application virtualization platforms are supported?](/docs/policypak/policypak/requirements/support/applicationsettings/applicationvirtualization.md) +- [How can I manage a version of Java inside a ThinApp package ?](/docs/policypak/policypak/applicationsettings/thinapp.md) +- [Are there any additional steps required to integrate Endpoint Policy Manager Software with XenAPP applications?](/docs/policypak/policypak/requirements/support/applicationsettings/xenapp.md) +- [Can Endpoint Policy Manager deliver settings for applications that are provided by XenAPP?](/docs/policypak/policypak/applicationsettings/xenapp.md) ## Design Studio -- [Besides the installation of Design Studio, are there any additional components I need on my computer in order to create my own AppSets?](../../requirements/support/applicationsettings/designstudioadditional.md) -- [What must I do to prepare for Endpoint Policy Manager Tech Support to assist me with AppSet creation?](../../troubleshooting/applicationsettings/appset/creation.md) +- [Besides the 
installation of Design Studio, are there any additional components I need on my computer in order to create my own AppSets?](/docs/policypak/policypak/requirements/support/applicationsettings/designstudioadditional.md) +- [What must I do to prepare for Endpoint Policy Manager Tech Support to assist me with AppSet creation?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/creation.md) ## Troubleshooting -- [Are there any caveats about removing the Endpoint Policy Manager CSE after it is deployed?](../../troubleshooting/applicationsettings/removeclientsideextension.md) -- [I just upgraded my management station to 785. My LOCAL AppSets are now missing. What happened?](../../troubleshooting/applicationsettings/appset/localmissing.md) -- [Troubleshooting Group Policy Replication Problems](../../troubleshooting/applicationsettings/replication.md) -- [It appears that Endpoint Policy Manager is processing AppSet entries from another Group Policy Object. How is this possible?](../../troubleshooting/applicationsettings/appset/other.md) -- [Troubleshooting Application Manager – Basic Steps BEFORE calling or emailing Tech Support](../../troubleshooting/applicationsettings/basicsteps.md) -- [What are the two ways to export AppSet settings and why would I use one over the other?](../../troubleshooting/applicationsettings/export/appset.md) -- [Which log file should I consult in order to troubleshoot when one or more settings are not getting applied to the Computer?](../../troubleshooting/applicationsettings/logs/settings.md) -- [How do I know if Application Manager is not behaving properly versus the target application not behaving properly?](../../troubleshooting/applicationsettings/applicationissue.md) -- [How is Item Level Targeting handled in reports?](../../troubleshooting/applicationsettings/itemleveltargeting/reports.md) -- [I'm using redirected folders and get un-expected results.](../../troubleshooting/applicationsettings/redirectedfolder.md) -- 
[AppLock (UI lockdown) doesn't seem to work on some applications. Why?](../../troubleshooting/applicationsettings/applock/someapplications.md) -- [Endpoint Policy Manager should be reapplying my settings on application launch time. Why doesn't "reapply on launch" work ?](../../troubleshooting/applicationsettings/reapplylaunch.md) -- [Why does Symantec Endpoint Protection (or SEP for Small business) report that Endpoint Policy Manager is "tampering" ?](../../troubleshooting/applicationsettings/symantecendpointprotection.md) -- [Why does Windows Remote Assistance (MSRA) report "PPAppLockdr64.dll is not designed to run on Windows or it contains an error" 0xc000428 ?](../../troubleshooting/error/applicationsettings/code0xc000428.md) -- [How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](../../troubleshooting/applicationsettings/microsoftremoteassistance.md) -- [How do I turn AppLock off or on based upon the CSE version I'm using?](../../troubleshooting/applicationsettings/applock/disable.md) -- [How do I turn off "Reapply on Launch" for all applications if asked by tech support?](../../troubleshooting/applicationsettings/reapplylaunchdisable.md) -- [When I use Forcepoint, Firefox takes 15 minutes to open. How can I fix this?](../../troubleshooting/applicationsettings/forcepoint.md) -- [I do not have access or ability to create the Central Store. 
What should the best practice to store AppSets be?](../../troubleshooting/applicationsettings/appset/storage.md) -- [What happens to Application Settings Manager settings when the Endpoint Policy Manager license expires / if my company chooses not to renew?](../../troubleshooting/applicationsettings/gpooutofscope.md) -- [Why does Microsoft 365 Defender report suspicious encoded content in Endpoint Policy Manager Application Settings Manager values?](../../troubleshooting/applicationsettings/microsoftdefender.md) -- [Why do I see "Extra Registry Settings" in Endpoint Policy Manager Application Settings Manager items in the GPMC?](../../troubleshooting/applicationsettings/gpmc.md) +- [Are there any caveats about removing the Endpoint Policy Manager CSE after it is deployed?](/docs/policypak/policypak/troubleshooting/applicationsettings/removeclientsideextension.md) +- [I just upgraded my management station to 785. My LOCAL AppSets are now missing. What happened?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/localmissing.md) +- [Troubleshooting Group Policy Replication Problems](/docs/policypak/policypak/troubleshooting/applicationsettings/replication.md) +- [It appears that Endpoint Policy Manager is processing AppSet entries from another Group Policy Object. 
How is this possible?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/other.md) +- [Troubleshooting Application Manager – Basic Steps BEFORE calling or emailing Tech Support](/docs/policypak/policypak/troubleshooting/applicationsettings/basicsteps.md) +- [What are the two ways to export AppSet settings and why would I use one over the other?](/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md) +- [Which log file should I consult in order to troubleshoot when one or more settings are not getting applied to the Computer?](/docs/policypak/policypak/troubleshooting/applicationsettings/logs/settings.md) +- [How do I know if Application Manager is not behaving properly versus the target application not behaving properly?](/docs/policypak/policypak/troubleshooting/applicationsettings/applicationissue.md) +- [How is Item Level Targeting handled in reports?](/docs/policypak/policypak/troubleshooting/applicationsettings/itemleveltargeting/reports.md) +- [I'm using redirected folders and get un-expected results.](/docs/policypak/policypak/troubleshooting/applicationsettings/redirectedfolder.md) +- [AppLock (UI lockdown) doesn't seem to work on some applications. Why?](/docs/policypak/policypak/troubleshooting/applicationsettings/applock/someapplications.md) +- [Endpoint Policy Manager should be reapplying my settings on application launch time. 
Why doesn't "reapply on launch" work ?](/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunch.md) +- [Why does Symantec Endpoint Protection (or SEP for Small business) report that Endpoint Policy Manager is "tampering" ?](/docs/policypak/policypak/troubleshooting/applicationsettings/symantecendpointprotection.md) +- [Why does Windows Remote Assistance (MSRA) report "PPAppLockdr64.dll is not designed to run on Windows or it contains an error" 0xc000428 ?](/docs/policypak/policypak/troubleshooting/error/applicationsettings/code0xc000428.md) +- [How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md) +- [How do I turn AppLock off or on based upon the CSE version I'm using?](/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md) +- [How do I turn off "Reapply on Launch" for all applications if asked by tech support?](/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md) +- [When I use Forcepoint, Firefox takes 15 minutes to open. How can I fix this?](/docs/policypak/policypak/troubleshooting/applicationsettings/forcepoint.md) +- [I do not have access or ability to create the Central Store. 
What should the best practice to store AppSets be?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/storage.md) +- [What happens to Application Settings Manager settings when the Endpoint Policy Manager license expires / if my company chooses not to renew?](/docs/policypak/policypak/troubleshooting/applicationsettings/gpooutofscope.md) +- [Why does Microsoft 365 Defender report suspicious encoded content in Endpoint Policy Manager Application Settings Manager values?](/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftdefender.md) +- [Why do I see "Extra Registry Settings" in Endpoint Policy Manager Application Settings Manager items in the GPMC?](/docs/policypak/policypak/troubleshooting/applicationsettings/gpmc.md) diff --git a/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md b/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md index dc9af9bf87..129d484548 100644 --- a/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md +++ b/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md 
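Review bot: Several `+` lines in the list ahead of `## Virtualized Applications` carry over link-text defects while only the link target changes: "accessable" in the "AppSets: Why are there some areas of the pre-configured AppSet greyed out" entry, "You Java version is insecure" in the Java prompt entry, and the unclosed parenthesis in "Firefox 115 and later (and how do I transition existing settings?". Since each of these lines is already being rewritten, correct the text in the same pass, or state in the commit message that link text is deliberately left untouched. Separately, every new target depends on the `/docs/policypak/policypak/` prefix resolving from the site root with the `.md` extension intact. A bulk rewrite of this size cannot be reviewed link by link, so a broken-link check on the built site should gate the merge.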
@@ -4,151 +4,151 @@ See the following Video topics for Application Manager. ## What does it do (and Why You Need It) -- [Endpoint Policy Manager Overview Video for Managers](../../video/applicationsettings/managers.md) -- [Endpoint Policy Application Manager Overview](../../video/applicationsettings/pak.md) -- [Endpoint Policy ManagerOn-Premise QuickStart for Endpoint Policy Application Manager](../../video/applicationsettings/onpremise.md) -- [Managing Application Settings on your MDM enrolled machines](../../video/applicationsettings/mdm.md) -- [What is Endpoint Policy Application Manager (Group Policy Edition)](../../video/applicationsettings/grouppolicy.md) -- [What is Endpoint Policy Application Manager (Cloud Edition)](../../video/applicationsettings/cloud.md) +- [Endpoint Policy Manager Overview Video for Managers](/docs/policypak/policypak/video/applicationsettings/managers.md) +- [Endpoint Policy Application Manager Overview](/docs/policypak/policypak/video/applicationsettings/pak.md) +- [Endpoint Policy ManagerOn-Premise QuickStart for Endpoint Policy Application Manager](/docs/policypak/policypak/video/applicationsettings/onpremise.md) +- [Managing Application Settings on your MDM enrolled machines](/docs/policypak/policypak/video/applicationsettings/mdm.md) +- [What is Endpoint Policy Application Manager (Group Policy Edition)](/docs/policypak/policypak/video/applicationsettings/grouppolicy.md) +- [What is Endpoint Policy Application Manager (Cloud Edition)](/docs/policypak/policypak/video/applicationsettings/cloud.md) ## Getting Started -- [Creating the Central Store for Group Policy andEndpoint Policy Manager ](../../video/applicationsettings/centralstorecreate.md) -- [Updating Endpoint Policy Manager Central Store](../../video/applicationsettings/centralstoreupdate.md) -- [PPGP Quick Rundown: Application Manager](../../video/applicationsettings/quickrundown.md) +- [Creating the Central Store for Group Policy andEndpoint Policy Manager 
](/docs/policypak/policypak/video/applicationsettings/centralstorecreate.md) +- [Updating Endpoint Policy Manager Central Store](/docs/policypak/policypak/video/applicationsettings/centralstoreupdate.md) +- [PPGP Quick Rundown: Application Manager](/docs/policypak/policypak/video/applicationsettings/quickrundown.md) ## Central Store and Sharing -- [How to manually update Paks](../../video/applicationsettings/manualupdate.md) -- [Working with Others and using the Central Store](../../video/applicationsettings/centralstorework.md) -- [Using Shares to Store Your Paks (Share-Based Storage)](../../video/applicationsettings/shares.md) -- [Keeping Application Settings Manager and Paks up to date](../../video/applicationsettings/uptodate.md) -- [Understanding and fixing Endpoint Policy Manager DLL Orphans](../../video/applicationsettings/dllorphans.md) -- [Reconnecting DLLs](../../video/applicationsettings/dllreconnect.md) -- [GPOTouch Utility](../../video/applicationsettings/touchutility.md) +- [How to manually update Paks](/docs/policypak/policypak/video/applicationsettings/manualupdate.md) +- [Working with Others and using the Central Store](/docs/policypak/policypak/video/applicationsettings/centralstorework.md) +- [Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md) +- [Keeping Application Settings Manager and Paks up to date](/docs/policypak/policypak/video/applicationsettings/uptodate.md) +- [Understanding and fixing Endpoint Policy Manager DLL Orphans](/docs/policypak/policypak/video/applicationsettings/dllorphans.md) +- [Reconnecting DLLs](/docs/policypak/policypak/video/applicationsettings/dllreconnect.md) +- [GPOTouch Utility](/docs/policypak/policypak/video/applicationsettings/touchutility.md) ## Features, Tech Support and How-To -- [Using Item Level Targeting](../../video/applicationsettings/itemleveltargeting.md) -- [Bypassing Internal Item Level Targeting 
Filters](../../video/applicationsettings/itemleveltargetingbypass.md) -- [ACL Lockdown for Registry Based Applications](../../video/applicationsettings/acllockdown.md) -- [Re-Deploy Settings at application launch](../../video/applicationsettings/applicationlaunch.md) -- [The Superpowers](../../video/applicationsettings/superpowers.md) -- [Using Environment Variables in Paks](../../video/applicationsettings/variables.md) -- [Manage different proxy settings, even when offline](../../video/applicationsettings/proxysettings.md) -- [Endpoint Policy Manager Application Setting Manager (Understanding Trusted AppSets)](../../video/applicationsettings/trustedappsets.md) +- [Using Item Level Targeting](/docs/policypak/policypak/video/applicationsettings/itemleveltargeting.md) +- [Bypassing Internal Item Level Targeting Filters](/docs/policypak/policypak/video/applicationsettings/itemleveltargetingbypass.md) +- [ACL Lockdown for Registry Based Applications](/docs/policypak/policypak/video/applicationsettings/acllockdown.md) +- [Re-Deploy Settings at application launch](/docs/policypak/policypak/video/applicationsettings/applicationlaunch.md) +- [The Superpowers](/docs/policypak/policypak/video/applicationsettings/superpowers.md) +- [Using Environment Variables in Paks](/docs/policypak/policypak/video/applicationsettings/variables.md) +- [Manage different proxy settings, even when offline](/docs/policypak/policypak/video/applicationsettings/proxysettings.md) +- [Endpoint Policy Manager Application Setting Manager (Understanding Trusted AppSets)](/docs/policypak/policypak/video/applicationsettings/trustedappsets.md) ## Misc Tips and Tricks -- [Managing IE Proxy server with Advanced settings](../../video/applicationsettings/ieproxyserver.md) -- [Wipe Privdog (and other evil certificates) off your network using Group Policy and Endpoint Policy Manager.](../../video/applicationsettings/certificatesevil.md) -- [Endpoint Policy Manager and Invincea Integration 
Demo](../../video/applicationsettings/invincea.md) -- [Manage Firefox Plug-ins Per Website](../../video/applicationsettings/firefoxplugins.md) -- [Chrome Revert Tips (Pre-CSE 1260)](../../video/applicationsettings/chromerevert.md) -- [Fix Chrome Revert with PP CSE 1260 or later](../../video/applicationsettings/chromerevertfix.md) -- [Transitioning to the Universal Oracle Java AppSet (7 thru 9)](../../video/applicationsettings/oraclejava.md) -- [PPAM: Convert from 2 to 4 AppSet for Firefox About:Config AppSet](../../video/applicationsettings/firefoxabout.md) -- [Deliver pre-configured Bookmarks in Chrome](../../video/applicationsettings/chromebookmarks.md) -- [Endpoint Policy Manager App Settings Manager: Finding items in big Paks](../../video/applicationsettings/paksbig.md) +- [Managing IE Proxy server with Advanced settings](/docs/policypak/policypak/video/applicationsettings/ieproxyserver.md) +- [Wipe Privdog (and other evil certificates) off your network using Group Policy and Endpoint Policy Manager.](/docs/policypak/policypak/video/applicationsettings/certificatesevil.md) +- [Endpoint Policy Manager and Invincea Integration Demo](/docs/policypak/policypak/video/applicationsettings/invincea.md) +- [Manage Firefox Plug-ins Per Website](/docs/policypak/policypak/video/applicationsettings/firefoxplugins.md) +- [Chrome Revert Tips (Pre-CSE 1260)](/docs/policypak/policypak/video/applicationsettings/chromerevert.md) +- [Fix Chrome Revert with PP CSE 1260 or later](/docs/policypak/policypak/video/applicationsettings/chromerevertfix.md) +- [Transitioning to the Universal Oracle Java AppSet (7 thru 9)](/docs/policypak/policypak/video/applicationsettings/oraclejava.md) +- [PPAM: Convert from 2 to 4 AppSet for Firefox About:Config AppSet](/docs/policypak/policypak/video/applicationsettings/firefoxabout.md) +- [Deliver pre-configured Bookmarks in Chrome](/docs/policypak/policypak/video/applicationsettings/chromebookmarks.md) +- [Endpoint Policy Manager App Settings 
Manager: Finding items in big Paks](/docs/policypak/policypak/video/applicationsettings/paksbig.md) ## DesignStudio How-To -- [Creating Your First Pak using Endpoint Policy Manager Design Studio](../../video/applicationsettings/designstudio/firstpak.md) -- [Use the DesignStudio to import existing registry keys](../../video/applicationsettings/designstudio/importregistry.md) -- [Using DesignStudio to add elements from an alternate UI](../../video/applicationsettings/designstudio/addelements.md) -- [Predefined ILTs (Internal Filters)](../../video/applicationsettings/designstudio/itemleveltargeting.md) -- [Design Studio – FoxIT Printer Settings Tutorial](../../video/applicationsettings/designstudio/foxitprinter.md) -- [Manage Firefox Plug-ins using Endpoint Policy Managerand the Endpoint Policy Manager DesignStudio](../../video/applicationsettings/designstudio/firefox_plugins.md) +- [Creating Your First Pak using Endpoint Policy Manager Design Studio](/docs/policypak/policypak/video/applicationsettings/designstudio/firstpak.md) +- [Use the DesignStudio to import existing registry keys](/docs/policypak/policypak/video/applicationsettings/designstudio/importregistry.md) +- [Using DesignStudio to add elements from an alternate UI](/docs/policypak/policypak/video/applicationsettings/designstudio/addelements.md) +- [Predefined ILTs (Internal Filters)](/docs/policypak/policypak/video/applicationsettings/designstudio/itemleveltargeting.md) +- [Design Studio – FoxIT Printer Settings Tutorial](/docs/policypak/policypak/video/applicationsettings/designstudio/foxitprinter.md) +- [Manage Firefox Plug-ins using Endpoint Policy Managerand the Endpoint Policy Manager DesignStudio](/docs/policypak/policypak/video/applicationsettings/designstudio/firefox_plugins.md) ## Citrix & Terminal Servers -- [Endpoint Policy Manager and Citrix: Webster Seal of Approval](../../video/applicationsettings/citrix/sealapproval.md) -- [Endpoint Policy Manager and Citrix: Better Together.. 
A quick introduction!](../../video/applicationsettings/citrix/integration.md) -- [Endpoint Policy Manager on Citrix: You Gotta Try This](../../video/applicationsettings/citrix/demo.md) -- [CUGC Connect Endpoint Policy Manager + Citrix Demo You Gotta Try This!](../../video/applicationsettings/citrix/demo2.md) -- [Endpoint Policy Manager enhances XenApp with Group Policy](../../video/applicationsettings/citrix/xenapp.md) -- [Endpoint Policy Manager & Citrix XenDesktop](../../video/applicationsettings/citrix/xendesktop.md) -- [Endpoint Policy Manager and Microsoft RDS and RemoteApp – Better Together to Manage Applications' settings](../../video/applicationsettings/citrix/rds.md) +- [Endpoint Policy Manager and Citrix: Webster Seal of Approval](/docs/policypak/policypak/video/applicationsettings/citrix/sealapproval.md) +- [Endpoint Policy Manager and Citrix: Better Together.. A quick introduction!](/docs/policypak/policypak/video/applicationsettings/citrix/integration.md) +- [Endpoint Policy Manager on Citrix: You Gotta Try This](/docs/policypak/policypak/video/applicationsettings/citrix/demo.md) +- [CUGC Connect Endpoint Policy Manager + Citrix Demo You Gotta Try This!](/docs/policypak/policypak/video/applicationsettings/citrix/demo2.md) +- [Endpoint Policy Manager enhances XenApp with Group Policy](/docs/policypak/policypak/video/applicationsettings/citrix/xenapp.md) +- [Endpoint Policy Manager & Citrix XenDesktop](/docs/policypak/policypak/video/applicationsettings/citrix/xendesktop.md) +- [Endpoint Policy Manager and Microsoft RDS and RemoteApp – Better Together to Manage Applications' settings](/docs/policypak/policypak/video/applicationsettings/citrix/rds.md) ## Methods (Cloud, MDM, SCCM, PDQ) -- [Perform Desktop Lockdown using Microsoft Intune](../../video/applicationsettings/integration/microsoftintune.md) -- [Perform Desktop Lockdown using Microsoft SCCM and Endpoint Policy Manager ](../../video/applicationsettings/integration/sccmsoftwarecenter.md) -- 
[Endpoint Policy Manager Integrates with Specops Deploy](../../video/applicationsettings/integration/specops.md) -- [Deploy and Manage WinZip with PDQ Deploy and Endpoint Policy Manager ](../../video/applicationsettings/integration/pdqdeploy.md) -- [Deploy and Manage Firefox with PDQ Deploy and Endpoint Policy Manager ](../../video/applicationsettings/integration/pdqdeployfirefox.md) +- [Perform Desktop Lockdown using Microsoft Intune](/docs/policypak/policypak/video/applicationsettings/integration/microsoftintune.md) +- [Perform Desktop Lockdown using Microsoft SCCM and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/sccmsoftwarecenter.md) +- [Endpoint Policy Manager Integrates with Specops Deploy](/docs/policypak/policypak/video/applicationsettings/integration/specops.md) +- [Deploy and Manage WinZip with PDQ Deploy and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/pdqdeploy.md) +- [Deploy and Manage Firefox with PDQ Deploy and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/pdqdeployfirefox.md) ## VDI -- [Endpoint Policy Manager and Microsoft VDI – Better Together to Manage Applications' settings](../../video/applicationsettings/vdi/integration.md) -- [Endpoint Policy Manager and VMWare Horizon View](../../video/applicationsettings/vdi/vmware.md) -- [Endpoint Policy Manager and VMware Horizon View – Dedicated VDI](../../video/applicationsettings/vdi/dedicated.md) -- [Endpoint Policy Manager and VMware Horizon View – Local Mode VDI](../../video/applicationsettings/vdi/localmode.md) -- [Endpoint Policy Manager and VMware Horizon View with ThinApp Assigned Packages](../../video/applicationsettings/vdi/thinapp.md) -- [Endpoint Policy Manager and VMware Horizon Workspace Applications and ThinApp Entitled Packages](../../video/applicationsettings/vdi/thinappworkspace.md) +- [Endpoint Policy Manager and Microsoft VDI – Better Together to 
Manage Applications' settings](/docs/policypak/policypak/video/applicationsettings/vdi/integration.md) +- [Endpoint Policy Manager and VMWare Horizon View](/docs/policypak/policypak/video/applicationsettings/vdi/vmware.md) +- [Endpoint Policy Manager and VMware Horizon View – Dedicated VDI](/docs/policypak/policypak/video/applicationsettings/vdi/dedicated.md) +- [Endpoint Policy Manager and VMware Horizon View – Local Mode VDI](/docs/policypak/policypak/video/applicationsettings/vdi/localmode.md) +- [Endpoint Policy Manager and VMware Horizon View with ThinApp Assigned Packages](/docs/policypak/policypak/video/applicationsettings/vdi/thinapp.md) +- [Endpoint Policy Manager and VMware Horizon Workspace Applications and ThinApp Entitled Packages](/docs/policypak/policypak/video/applicationsettings/vdi/thinappworkspace.md) ## Application Virtualization -- [Endpoint Policy Manager extends Group Policy to Microsoft App-V](../../video/applicationsettings/virtualization/appv.md) -- [Endpoint Policy Manager & Citrix XenApp](../../video/applicationsettings/virtualization/xenapp.md) -- [Microsoft User Experience Virtualization (UE-V) enhanced by Endpoint Policy Manager ](../../video/applicationsettings/virtualization/uev.md) -- [Manage ThinApp Packages on Physical or VDI machines using Endpoint Policy Manager ](../../video/applicationsettings/virtualization/thinapp.md) -- [Endpoint Policy Manager & Symantec](../../video/applicationsettings/virtualization/symantec.md) -- [Endpoint Policy Manager extends Group Policy to Spoon / Novell ZENworks App Virtualization](../../video/applicationsettings/virtualization/spoonnovell.md) +- [Endpoint Policy Manager extends Group Policy to Microsoft App-V](/docs/policypak/policypak/video/applicationsettings/virtualization/appv.md) +- [Endpoint Policy Manager & Citrix XenApp](/docs/policypak/policypak/video/applicationsettings/virtualization/xenapp.md) +- [Microsoft User Experience Virtualization (UE-V) enhanced by Endpoint Policy Manager 
](/docs/policypak/policypak/video/applicationsettings/virtualization/uev.md) +- [Manage ThinApp Packages on Physical or VDI machines using Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/virtualization/thinapp.md) +- [Endpoint Policy Manager & Symantec](/docs/policypak/policypak/video/applicationsettings/virtualization/symantec.md) +- [Endpoint Policy Manager extends Group Policy to Spoon / Novell ZENworks App Virtualization](/docs/policypak/policypak/video/applicationsettings/virtualization/spoonnovell.md) ## Troubleshooting -- [Endpoint Policy Manager and "Chrome Incompatible apps"](../../video/troubleshooting/applicationsettings/chrome.md) +- [Endpoint Policy Manager and "Chrome Incompatible apps"](/docs/policypak/policypak/video/troubleshooting/applicationsettings/chrome.md) ## Internet Explorer (all videos) -- [Getting Started Managing Internet Explorer](../../video/applicationsettings/internetexplorer/gettingstarted.md) -- [Manage IE Certificates](../../video/applicationsettings/internetexplorer/certificates.md) -- [Manage IE Connections tab](../../video/applicationsettings/internetexplorer/connectionstab.md) -- [Manage IE Content tab](../../video/applicationsettings/internetexplorer/contenttab.md) -- [Manage IE General tab](../../video/applicationsettings/internetexplorer/generaltab.md) -- [Manage IE Privacy tab](../../video/applicationsettings/internetexplorer/privacytab.md) -- [Manage IE Programs Tab](../../video/applicationsettings/internetexplorer/programstab.md) -- [Manage Internet Explorer Security tab](../../video/applicationsettings/internetexplorer/securitytab.md) -- [Manage Internet Explorer Settings With Endpoint Policy Manager Application Settings Manager](../../video/applicationsettings/internetexplorer/settings.md) -- [Managing Favorites in IE](../../video/applicationsettings/internetexplorer/favorites.md) +- [Getting Started Managing Internet 
Explorer](/docs/policypak/policypak/video/applicationsettings/internetexplorer/gettingstarted.md) +- [Manage IE Certificates](/docs/policypak/policypak/video/applicationsettings/internetexplorer/certificates.md) +- [Manage IE Connections tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/connectionstab.md) +- [Manage IE Content tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/contenttab.md) +- [Manage IE General tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/generaltab.md) +- [Manage IE Privacy tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/privacytab.md) +- [Manage IE Programs Tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/programstab.md) +- [Manage Internet Explorer Security tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/securitytab.md) +- [Manage Internet Explorer Settings With Endpoint Policy Manager Application Settings Manager](/docs/policypak/policypak/video/applicationsettings/internetexplorer/settings.md) +- [Managing Favorites in IE](/docs/policypak/policypak/video/applicationsettings/internetexplorer/favorites.md) ## Chrome (all videos) -- [Manage Google Chrome using Group Policy, SCCM or your own management utility](../../video/applicationsettings/chrome/gettingstarted.md) -- [Google Chrome: Clear Browsing History, Cookies, Password, Images and more](../../video/applicationsettings/chrome/clearbrowsing.md) -- [Manage Google Chrome Bookmarks](../../video/applicationsettings/chrome/bookmarks.md) +- [Manage Google Chrome using Group Policy, SCCM or your own management utility](/docs/policypak/policypak/video/applicationsettings/chrome/gettingstarted.md) +- [Google Chrome: Clear Browsing History, Cookies, Password, Images and more](/docs/policypak/policypak/video/applicationsettings/chrome/clearbrowsing.md) +- [Manage Google Chrome 
Bookmarks](/docs/policypak/policypak/video/applicationsettings/chrome/bookmarks.md) ## Firefox (all videos) -- [Manage Firefox using Group Policy, SCCM, or your own management tool](../../video/applicationsettings/firefox/gettingstarted.md) -- [Changing the Firefox Default Search Engine in one-click](../../video/applicationsettings/firefox/defaultsearch.md) -- [Manage Firefox Pop-Ups and Permissions using Group Policy](../../video/applicationsettings/firefox/popups.md) -- [Force Install Firefox Extensions (from URL or file).](../../video/applicationsettings/firefox/extensions.md) -- [Manage Firefox Bookmarks](../../video/applicationsettings/firefox/bookmarks.md) -- [Remove Firefox's Extra Tabs at First Launch](../../video/applicationsettings/firefox/extratabs.md) -- [Disable the following about:config, about:addons, pages, Developer Menu, and any Preferences in one click](../../video/applicationsettings/firefox/disable.md) -- [Firefox Remove Specific Elements from about:preferences panel](../../video/applicationsettings/firefox/removeelements.md) -- [Manage Firefox Misc Settings and Buttons Using Endpoint Policy Manager ](../../video/applicationsettings/firefox/miscsettings.md) -- [Manage Firefox Certificates](../../video/applicationsettings/firefox/certificates.md) -- [Change Firefox application handler (like PDF) to Adobe Reader](../../video/applicationsettings/firefox/adobe.md) -- [Manage Firefox Add-ons using Group Policy](../../video/applicationsettings/firefox/addons.md) -- [How to Add and Remove Bookmarks folders from the Firefox menu and toolbar](../../video/applicationsettings/firefox/bookmarksmodify.md) +- [Manage Firefox using Group Policy, SCCM, or your own management tool](/docs/policypak/policypak/video/applicationsettings/firefox/gettingstarted.md) +- [Changing the Firefox Default Search Engine in one-click](/docs/policypak/policypak/video/applicationsettings/firefox/defaultsearch.md) +- [Manage Firefox Pop-Ups and Permissions using Group 
Policy](/docs/policypak/policypak/video/applicationsettings/firefox/popups.md) +- [Force Install Firefox Extensions (from URL or file).](/docs/policypak/policypak/video/applicationsettings/firefox/extensions.md) +- [Manage Firefox Bookmarks](/docs/policypak/policypak/video/applicationsettings/firefox/bookmarks.md) +- [Remove Firefox's Extra Tabs at First Launch](/docs/policypak/policypak/video/applicationsettings/firefox/extratabs.md) +- [Disable the following about:config, about:addons, pages, Developer Menu, and any Preferences in one click](/docs/policypak/policypak/video/applicationsettings/firefox/disable.md) +- [Firefox Remove Specific Elements from about:preferences panel](/docs/policypak/policypak/video/applicationsettings/firefox/removeelements.md) +- [Manage Firefox Misc Settings and Buttons Using Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/firefox/miscsettings.md) +- [Manage Firefox Certificates](/docs/policypak/policypak/video/applicationsettings/firefox/certificates.md) +- [Change Firefox application handler (like PDF) to Adobe Reader](/docs/policypak/policypak/video/applicationsettings/firefox/adobe.md) +- [Manage Firefox Add-ons using Group Policy](/docs/policypak/policypak/video/applicationsettings/firefox/addons.md) +- [How to Add and Remove Bookmarks folders from the Firefox menu and toolbar](/docs/policypak/policypak/video/applicationsettings/firefox/bookmarksmodify.md) ## Java (all videos) -- [How to quickly disable Java, everywhere (in an emergency)](../../video/applicationsettings/java/disable.md) -- [Manage and Lock down Java Site List Exceptions](../../video/applicationsettings/java/lockdown.md) -- [Manage Java JRE Control Panel applet with Group Policy](../../video/applicationsettings/java/jre.md) -- [How to Manage the security slider in Java](../../video/applicationsettings/java/securityslider.md) +- [How to quickly disable Java, everywhere (in an 
emergency)](/docs/policypak/policypak/video/applicationsettings/java/disable.md) +- [Manage and Lock down Java Site List Exceptions](/docs/policypak/policypak/video/applicationsettings/java/lockdown.md) +- [Manage Java JRE Control Panel applet with Group Policy](/docs/policypak/policypak/video/applicationsettings/java/jre.md) +- [How to Manage the security slider in Java](/docs/policypak/policypak/video/applicationsettings/java/securityslider.md) ## Other applications (all videos) -- [Netwrix Endpoint Policy Manager can manage Netwrix Password Secure](../../video/applicationsettings/passwordsecure.md) -- [Managing Teams Settings](../../video/applicationsettings/teams.md) -- [Endpoint Policy Manager for Adobe Acrobat](../../video/applicationsettings/acrobat.md) -- [Endpoint Policy Manager for Adobe Flash Player](../../video/applicationsettings/flashplayer.md) -- [Endpoint Policy Manager for IrfanView](../../video/applicationsettings/irfanview.md) -- [Endpoint Policy Manager for Microsoft Office 2013 and 2016](../../video/applicationsettings/office.md) -- [Endpoint Policy Manager for Microsoft Skype for Business (formerly Lync)](../../video/applicationsettings/skype.md) -- [Endpoint Policy Manager for Thunderbird](../../video/applicationsettings/thunderbird.md) +- [Netwrix Endpoint Policy Manager can manage Netwrix Password Secure](/docs/policypak/policypak/video/applicationsettings/passwordsecure.md) +- [Managing Teams Settings](/docs/policypak/policypak/video/applicationsettings/teams.md) +- [Endpoint Policy Manager for Adobe Acrobat](/docs/policypak/policypak/video/applicationsettings/acrobat.md) +- [Endpoint Policy Manager for Adobe Flash Player](/docs/policypak/policypak/video/applicationsettings/flashplayer.md) +- [Endpoint Policy Manager for IrfanView](/docs/policypak/policypak/video/applicationsettings/irfanview.md) +- [Endpoint Policy Manager for Microsoft Office 2013 and 2016](/docs/policypak/policypak/video/applicationsettings/office.md) +- [Endpoint 
Policy Manager for Microsoft Skype for Business (formerly Lync)](/docs/policypak/policypak/video/applicationsettings/skype.md) +- [Endpoint Policy Manager for Thunderbird](/docs/policypak/policypak/video/applicationsettings/thunderbird.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/certificates.md b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/certificates.md index 567265ef6e..a943d932c8 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/certificates.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/certificates.md @@ -6,4 +6,4 @@ setting Chrome at the same time. Here's the how-to video in using the IE + Certs features (again, which should also set Chrome too): -[Manage IE Certificates](../../../video/applicationsettings/internetexplorer/certificates.md) +[Manage IE Certificates](/docs/policypak/policypak/video/applicationsettings/internetexplorer/certificates.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/extratabs.md b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/extratabs.md index febad04e65..f50f220eaf 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/extratabs.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/extratabs.md @@ -4,4 +4,4 @@ Be sure to find the Set Pages area and uncheck "Always reapply this setting" in Netwrix Endpoint Policy Manager (formerly PolicyPak) is delivering "blank" when the "Always reapply this setting" is present upon items. So right-click and uncheck each unwanted page as seen here. -![282_1_faq-images7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/282_1_faq-images7.webp) +![282_1_faq-images7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/282_1_faq-images7.webp) 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/home.md b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/home.md index cf6e276ddd..3b88236dea 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/home.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/home.md @@ -12,4 +12,4 @@ Note that one way will set what happens when the "Home Button" is pressed. And the other way will specify what happens at launch. You need to set BOTH "Open a specific page or set of pages" and specify at least one "Set Pages" URL for this to work. -![211_1_image0012](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/211_1_image0012.webp) +![211_1_image0012](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/211_1_image0012.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/localfileaccess.md b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/localfileaccess.md index 950d5536bd..b72ab7dcd2 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/localfileaccess.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/localfileaccess.md @@ -9,8 +9,8 @@ three slashes after file like this. file:///c:/ ``` -![38_1_image001](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/38_1_image001.webp) +![38_1_image001](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/38_1_image001.webp) Result: -![38_2_image002](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/38_2_image002.webp) +![38_2_image002](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/chrome/38_2_image002.webp) 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/proxysettings.md b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/proxysettings.md index 29d2446136..cdeeb6bde4 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/chrome/proxysettings.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/chrome/proxysettings.md @@ -7,4 +7,4 @@ Explorer. See this video for more details, which will also set the Chrome Pak: -[Manage IE Connections tab](../../../video/applicationsettings/internetexplorer/connectionstab.md) +[Manage IE Connections tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/connectionstab.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons.md index ed7c2fdff1..129b034dbe 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons.md @@ -2,4 +2,4 @@ Yes. Here is a videos to demonstrate that. -[Manage Firefox Add-ons using Group Policy](../../../video/applicationsettings/firefox/addons.md) +[Manage Firefox Add-ons using Group Policy](/docs/policypak/policypak/video/applicationsettings/firefox/addons.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/discoveringids.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/discoveringids.md index 3b0333998b..103480e998 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/discoveringids.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/discoveringids.md 
@@ -3,7 +3,7 @@ **Step 1 –** Finding add-on IDs requires a little bit of work. To discover them, you need to click on "Add-ons" in Firefox on an example computer, as shown in Figure 18. -![add_ons](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons.webp) +![add_ons](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons.webp) Figure 18. The Add-ons tab in Firefox. @@ -17,14 +17,14 @@ Figure 18. The Add-ons tab in Firefox. **Step 3 –** Then, press F12 for developer tools. In the lowest row, paste the snippet of code supplied below, as shown in Figure 19. -![add_ons_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_3.webp) +![add_ons_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_3.webp) Figure 19. The Console tab. **NOTE:** You may get a warning saying you cannot paste until you say it's okay. To permit pasting, type allow pasting," as shown in Figure 20. -![add_ons_4](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_4.webp) +![add_ons_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_4.webp) Figure 20. Allowing pasting to occur. 
@@ -41,24 +41,24 @@ console.log(addonElement.attributes["name"].value + " = " + addonElement.value); **Step 5 –** Paste the snippet into the lowest place on the page, as shown in Figure 21. -![add_ons_5](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_5.webp) +![add_ons_5](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_5.webp) Figure 21. Copying the snippet to the Console tab. The result you will get (which is to the right of the equal sign within quotes) will be the name of the GUID or friendly name, as shown in Figure 22 and Figure 23. -![add_ons_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_6.webp) +![add_ons_6](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_6.webp) Figure 22. Example 1 showing only GUIDs. -![add_ons_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_7.webp) +![add_ons_7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_7.webp) Figure 23. Example 2 showing the friendly name and GUID. **Step 6 –** Then, inside the Endpoint Policy Manager MMC console, you will add the ID you want (without quotes), as shown in Figure 24. -![add_ons_8](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_8.webp) +![add_ons_8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_8.webp) Figure 24. Adding the ID within the Endpoint Policy Manager MMC console. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/enabledisable.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/enabledisable.md index fcaff5b1ac..762acfd07e 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/enabledisable.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/enabledisable.md @@ -10,7 +10,7 @@ Firefox has four categories of add-ons, as shown in Figure 16. - Themes - Plugins -![add_ons_1](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_1.webp) +![add_ons_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_1.webp) Figure 16. The Add-ons Manager. @@ -25,6 +25,6 @@ to manage Firefox add-ons: You can see the "Add-Ons" tab, and the "Enable or Disable" section within the Firefox AppSet as seen in Figure 17. -![add_ons_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_2.webp) +![add_ons_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_2.webp) Figure 17. The Add-Ons tab within Endpoint Policy Manager Application Settings Manager. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/forceinstallation.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/forceinstallation.md index e480c9bd42..8a0a86e285 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/forceinstallation.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/forceinstallation.md 
@@ -3,11 +3,11 @@ Endpoint Policy Manager also can install URL and file-based Firefox add-ons within Firefox. Video: To see a video of Endpoint Policy Manager forcing installation of Firefox's Add-Ons, go to -[Force Install Firefox Extensions (from URL or file).](../../../../video/applicationsettings/firefox/extensions.md). +[Force Install Firefox Extensions (from URL or file).](/docs/policypak/policypak/video/applicationsettings/firefox/extensions.md). Go to the Add-Ons tab within the Firefox AppSet, as shown in Figure 28. -![add_ons_12](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_12.webp) +![add_ons_12](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_12.webp) Figure 28. The Add-Ons tab within Endpoint Policy Manager Application Settings Manager. @@ -23,7 +23,7 @@ URL-based installation, you need to get the URL by following these steps (see Fi **Step 4 –** Convert to Endpoint Policy Manager syntax. -![add_ons_13](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_13.webp) +![add_ons_13](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_13.webp) Figure 29. Copying the link location. 
@@ -44,13 +44,13 @@ install. For using the file-based installation method, you would select "Save Link As" after right-clicking on the "Add to Firefox" botton, as shown in Figure 30. -![add_ons_14](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_14.webp) +![add_ons_14](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_14.webp) Figure 30. The file-based installation method. **Step 8 –** Then, you would save the file to a location to use later, as shown in Figure 31. -![add_ons_15](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_15.webp) +![add_ons_15](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_15.webp) Figure 31. Choosing where to save the file. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/overview.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/overview.md index af2b5afa88..4cd0b19622 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/overview.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/overview.md @@ -5,6 +5,6 @@ disabling add-ons of all types. Endpoint Policy Manager can also force the insta the removal of specific add-ons. To find Firefox's add-ons, select "Add-ons" within Firefox, as shown in Figure 15. -![add_ons](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons.webp) +![add_ons](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons.webp) Figure 15. The Add-ons tab. 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/tipstricks.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/tipstricks.md index 8cef354c1d..8b6e466aee 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/tipstricks.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/tipstricks.md @@ -17,7 +17,7 @@ The Add-ons section in the Firefox AppSet has the following extra special checkb You can see these checkboxes below in Figure 25. -![add_ons_9](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_9.webp) +![add_ons_9](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_9.webp) Figure 25. Disabling and hiding add-ons. @@ -30,7 +30,7 @@ blocked from installing Firefox extensions manually. The result of selecting "Disable the installation of Firefox extensions" is that when users attempt to install any extension, in any manner, they are blocked, as shown in Figure 26. -![add_ons_10](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_10.webp) +![add_ons_10](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_10.webp) Figure 26. A disabled add-on. @@ -38,6 +38,6 @@ The result of selecting the checkbox, "Hide Firefox UI for installing extensions Figure 27 below. This makes it more difficult for user to use the Add-ons Manager and manipulate settings. -![add_ons_11](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_11.webp) +![add_ons_11](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/addons/add_ons_11.webp) Figure 27. Before (above) and after (below) hiding the Firefox UI for installing extensions. 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/allowremember.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/allowremember.md index e68fb5bbe5..0de5187454 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/allowremember.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/allowremember.md @@ -3,7 +3,7 @@ If you have this dialog in Firefox, you can use Netwrix Endpoint Policy Manager (formerly PolicyPak) to specify Allow or Block Plugin. -![132_1_ff-kb-img-01](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_1_ff-kb-img-01.webp) +![132_1_ff-kb-img-01](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_1_ff-kb-img-01.webp) If the plug in you want to allow is Java, you can add one line to the PERMISSIONS section in the Endpoint Policy Manager Application Settings Manager Firefox Pak. @@ -12,7 +12,7 @@ Endpoint Policy Manager Application Settings Manager Firefox Pak. website.com, plugin:java, allow ``` -![132_2_ff-kb-img-02](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_2_ff-kb-img-02.webp) +![132_2_ff-kb-img-02](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_2_ff-kb-img-02.webp) **NOTE:** You might also need to add these lines as well, if adding the one line above doesn't work. It depends on the version of Firefox you have installed. Older versions require these lines: 
@@ -25,7 +25,7 @@ However, if the plug in you want is another plug-in and not Java, then you need name in the database. So, start out on your own machine and use Firefox to specify the ALLOW AND REMEMBER permission or BLOCK PLUGIN permission as seen here. -![132_3_ff-kb-img-03](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_1_ff-kb-img-01.webp) +![132_3_ff-kb-img-03](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_1_ff-kb-img-01.webp) Once this is done, you need to figure out what plug-in was just affected. The way to do this would be to use a tool called SQLLite Browser found here: @@ -41,9 +41,9 @@ C:\Users\AppData\Roaming\MozillaFilrefox\Profiles\permissions.sqllite Discover the name of the plug-in you just approved like what's seen in this example. In this example, it's still plugin:java. But in your case, it could be something else. -![132_4_ff-kb-img-04](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_4_ff-kb-img-04.webp) +![132_4_ff-kb-img-04](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_4_ff-kb-img-04.webp) Now that you know that, you can use Endpoint Policy Manager Application Settings Manager and the Firefox Pak to set this permission to Allow or Block. -![132_5_ff-kb-img-05](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_5_ff-kb-img-05.webp) +![132_5_ff-kb-img-05](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/132_5_ff-kb-img-05.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/applicationhandlers.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/applicationhandlers.md index fdb6a0e4bc..63b7382c84 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/applicationhandlers.md 
+++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/applicationhandlers.md @@ -5,7 +5,7 @@ Firefox. The most common use cases are to open Adobe Reader instead of the inter viewer, or launch WinZip when a ZIP file is encountered. These can be seen in Figure 51. The node only works with client-side extension (CSE) build 1560 or later. -![managing_application_handlers](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers.webp) +![managing_application_handlers](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers.webp) Figure 51. Settings for opening applications outside of Firefox. @@ -29,7 +29,7 @@ MODE=REPLACE     However, that doesn't happen because the UI doesn't change for the hard-coded items. Your list might look different from what is shown in Figure 52. -![managing_application_handlers_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_1.webp) +![managing_application_handlers_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_1.webp) Figure 52. Choosing how Firefox will handle downloaded files. @@ -42,7 +42,7 @@ Figure 52. Choosing how Firefox will handle downloaded files. usually uses the MIME type returned in the "content-type" response header, as shown in Figure 53. -![managing_application_handlers_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_2.webp) +![managing_application_handlers_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_2.webp) Figure 53. The MIME type is determined by the "content-type" response header. 
@@ -55,7 +55,7 @@ resources of such types internally. The general rule of thumb here is the follow no handler for the given type and Firefox normally shows an "Open with" dialog box for this type, it fires Application Handler for the same type when there is a handler, as shown in Figure 54. -![managing_application_handlers_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_3.webp) +![managing_application_handlers_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_3.webp) Figure 54. The "Open with" dialog box. @@ -68,7 +68,7 @@ type. If the returned MIME type is a generic type for binary resources (applicat or some type with no special meaning for Firefox, Firefox fires Application Handler to open files like this, as shown in Figure 55. -![managing_application_handlers_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_4.webp) +![managing_application_handlers_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/managing_application_handlers_4.webp) Figure 55. The Firefox Application Handler. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.md index 7b75d23768..1d42627f69 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.md 
@@ -7,21 +7,21 @@ Firefox has two types of bookmarks: In Figure 3, you can see the bookmarks in the menu system. -![bookmarks](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.webp) +![bookmarks](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks.webp) Figure 3. Bookmarks in the menu system. Bookmarks may also be stored in the toolbar by selecting "Bookmarks Toolbar," as seen in Figure 4. When users do this, they can see bookmarks on the toolbar. -![bookmarks_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks_1.webp) +![bookmarks_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks_1.webp) Figure 4. Bookmarks in the toolbar. Netwrix Endpoint Policy Manager (formerly PolicyPak) can manage bookmarks within Firefox, as shown in Figure 5. -![bookmarks_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks_2.webp) +![bookmarks_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/bookmarks_2.webp) Figure 5. Endpoint Policy Manager managing permissions within Firefox. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/authority.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/authority.md index 6ca07de722..2bb2f5d9c5 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/authority.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/authority.md 
@@ -6,7 +6,7 @@ various Firefox stores. If you deliver a certificate to the ROOT store, then the following checkboxes are always pre-checked upon delivery by Endpoint Policy Manager. -![212_1_image00](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/212_1_image00.webp) +![212_1_image00](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/212_1_image00.webp) However, if you deliver a certificate to the CERTIFICATE AUTHORITY (CA) store, then NONE of these checkboxes are checked for you. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/overview.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/overview.md index 50029cfa1d..8b18b9a2ff 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/overview.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/overview.md @@ -11,7 +11,7 @@ Video: To see a video of Endpoint Policy Manager managing Firefox's add-ons, go You can see Firefox's certificates under` Options | Advanced | Certificates | View Certificates`, as shown in Figure 42. -![certificates](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/agent/certificates.webp) +![certificates](/img/product_docs/threatprevention/threatprevention/install/agent/certificates.webp) Figure 42. The Servers tab within the Certificate Manager. 
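Review bot: In certificate/overview.md, the rewritten image for Figure 42 resolves to `/img/product_docs/threatprevention/threatprevention/install/agent/certificates.webp`, while every other figure in this file sits under `policypak/policypak/applicationsettings/preconfigured/firefox/certificate/`. The old relative path pointed at the same Threat Prevention location, so the rewrite is faithful, but the caption describes the Servers tab of Firefox's Certificate Manager. Please confirm that asset really shows that dialog; if it does not, add a policypak copy of the screenshot and link to it, so the certificate trust instructions are not illustrated with another product's image.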
@@ -19,7 +19,7 @@ To manage Firefox's certificates, you need to specify the location of the certif (source) and the location where you want to deliver it (target). The source location can be local, on a file server, etc. -![certificates_1](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_1.webp) +![certificates_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_1.webp) Figure 43. Specifying the Firefox certificate location. @@ -43,7 +43,7 @@ certificate file every time Firefox starts. Note that if the file is unavailable location is offline, the launch of Firefox is not slowed down. Additionally, you might want to deliver certificates to all these stores, as shown in Figure 44. -![certificates_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_2.webp) +![certificates_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_2.webp) Figure 44. Editing the trust settings. @@ -60,7 +60,7 @@ To delete a certificate, you must know its SHA 1 fingerprint. You do not need to certificate is currently stored; if the fingerprint matches a certificate in any store, it is removed. -![certificates_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_3.webp) +![certificates_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_3.webp) Figure 45. SHA Fingerprint location. 
@@ -70,7 +70,7 @@ Endpoint Policy Manager can only work with binary-encoded DER certificates. If y certificate of another type, you may import it first into Firefox. Then, you can immediately export it as a DER file, as shown in Figure 46. -![certificates_4](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_4.webp) +![certificates_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_4.webp) Figure 46. Explorting a certificate as a DER. @@ -78,7 +78,7 @@ You can optionally perform the same type of export by looking at the file itself of Explorer, and then selecting the "Copy to File" button. Then, select "DER encoded binary X.509 (CER)," as shown in Figure 47. -![certificates_5](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_5.webp) +![certificates_5](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_5.webp) Figure 47. Exporting via Explorer. 
@@ -89,14 +89,14 @@ Book 3: Application Settings Manager for more information) as well as Firefox's Endpoint Policy Manager's log showing that certificates are correctly being added can be seen in Figure 48. -![certificates_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_6.webp) +![certificates_6](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_6.webp) Figure 48. The Endpoint Policy Manager log with certificate details. You can also use Firefox's log by clicking Ctrl+Shift+J on any page. In the log below (Figure 49), you can see certificates being added to the proper stores. -![certificates_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_7.webp) +![certificates_7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_7.webp) Figure 49. The Firefox log with certificate details. @@ -123,6 +123,6 @@ The most common reasons for certificates not showing up the store you want are t `\\DC\Share\Fabrikam-CA.cer, CA, 2, add`. In the logs, you would see this transposition error as shown in Figure 50. -![certificates_8](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_8.webp) +![certificates_8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_8.webp) Figure 50. Log showing a transposition error. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/darktheme.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/darktheme.md index 0c1e0365ea..7bb11d5d6d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/darktheme.md 
+++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/darktheme.md @@ -8,7 +8,7 @@ It seems the Firefox set the following settings in about:config ``` -![222_1_mff-about-config](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_1_mff-about-config.webp) +![222_1_mff-about-config](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_1_mff-about-config.webp) This can occur if you're using Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Settings Manager (and the Firefox 23 and later Pak) to REMOVE all AddOns. @@ -21,7 +21,7 @@ Choice 1: Use Endpoint Policy Manager to force an Add-on which is a Theme that y Choice 2: In our lab, problem goes away when we set the settings as shown in this screenshot: -![222_2_2017-10-11_1526](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_2_2017-10-11_1526.webp) +![222_2_2017-10-11_1526](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_2_2017-10-11_1526.webp) ``` lightweightThemes.SelectedThemeID = empty @@ -31,4 +31,4 @@ lightweightThemes.usedThemes = true To fix this on all your client machines please use Firefox About:Config PAKs and set the above value as instructed. Here is just a reference screenshot: -![222_3_2017-10-11_1531](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_3_2017-10-11_1531.webp) +![222_3_2017-10-11_1531](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/222_3_2017-10-11_1531.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md index 080d31f7bc..fbad070a47 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md 
+++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md @@ -10,11 +10,11 @@ Tip: To see a video of FireFox UI lockout in action, see the following video: Tip: To see a video of Thunderbird UI lockout in action, see the following video: -[Endpoint Policy Manager for Thunderbird](../../../video/applicationsettings/thunderbird.md) +[Endpoint Policy Manager for Thunderbird](/docs/policypak/policypak/video/applicationsettings/thunderbird.md) Tip: To see a video of Java UI lockout in action, see the following video: -[Endpoint Policy Manager for Thunderbird](../../../video/applicationsettings/thunderbird.md) +[Endpoint Policy Manager for Thunderbird](/docs/policypak/policypak/video/applicationsettings/thunderbird.md) Specifically, to perform UI lockout of FireFox, Thunderbird and Java, the GPO must be linked such that the computer is affected. Said another way, you cannot perform UI lockdown on FireFox, 
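Review bot: In the `@@ -10,11 +10,11 @@` hunk of javathunderbird.md, the tip for the Java UI lockout video links to `/docs/policypak/policypak/video/applicationsettings/thunderbird.md` with the label "Endpoint Policy Manager for Thunderbird", identical to the Thunderbird tip directly above it. The path rewrite carried this duplicate over unchanged. Since both lines are being touched anyway, point the Java tip at the Java video page and correct its label, or drop the tip if no such page exists.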
@@ -23,14 +23,14 @@ Java lockdown when affecting computers (when computers are in OUs.) In the picture below, you'll see an example of how to create and link a GPO against computers (instead of users) can be seen. -![148_1_ff1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_1_ff1.webp) +![148_1_ff1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_1_ff1.webp) In this example we've assumed you've put your target computers into the "East Sales Desktops" folder (or similar.) Then when you edit the GPO, edit it on the Computer side as seen here. At that point you can modify settings for FireFox, Thunderbird and Java and specify to "Lockdown this setting using the system-wide config file." -![148_2_ff2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_2_ff2.webp) +![148_2_ff2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_2_ff2.webp) System-Wide lockdown using config files is only available on the Computer side. @@ -39,6 +39,6 @@ user-side. If you try to edit these three Paks on the user side, you simply won' perform UI lockdown. An example of editing one of these Paks on the user side (and therefore not seeing the System-Wide lockdown) is shown in this figure. -![148_3_ff3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_3_ff3.webp) +![148_3_ff3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/148_3_ff3.webp) Note that the lockdown via System-Wide config file is not present on the user side. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md index 033675cdde..aaa3a69f42 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md @@ -33,4 +33,4 @@ configuration on ONE MACHINE (locally on Firefox) And see if you get the RESULT Then, if you do, then use Endpoint Policy Manager Application Manager to actually deliver the values you want to all your machines that you wish to get these values. -![82_1_image001](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/82_1_image001.webp) +![82_1_image001](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/82_1_image001.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/overview.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/overview.md index cb845554c6..066460e164 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/overview.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/overview.md @@ -29,7 +29,7 @@ This AppSet is no different than other AppSets, in that it can be placed into Lo Central storage. (See Book 3: Application Settings Manager for details.) Once placed into the storage location, it will be available as seen in Figure 1. -![about_this_document_and_the](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/about_this_document_and_the.webp) +![about_this_document_and_the](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/about_this_document_and_the.webp) Figure 1. The Endpoint Policy Manager Mozilla Firefox Pak. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions.md index 2b04f19262..003b27253e 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions.md 
@@ -12,27 +12,27 @@ Starting recently in Firefox, you can only see permissions and pop-ups by doing **Step 5 –** After doing this, you will reach the Permissions tab, as shown in Figure 8. -![permissions_and_pop_ups](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups.webp) +![permissions_and_pop_ups](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups.webp) Figure 6. To see permissions and pop-ups click, one must click on the lock icon and then on the right arrow. -![permissions_and_pop_ups_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_1.webp) +![permissions_and_pop_ups_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_1.webp) Figure 7. The next step to see the permissions and pop-ups is to click on "More Information." -![permissions_and_pop_ups_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_2.webp) +![permissions_and_pop_ups_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_2.webp) Figure 8. The Permissions tab. You can see Firefox's pop-up exceptions using Options | Privacy & Security | Exceptions, as shown in Figure 9 and Figure 10. -![permissions_and_pop_ups_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_3.webp) +![permissions_and_pop_ups_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_3.webp) Figure 9. Firefox's pop-up exceptions. 
-![permissions_and_pop_ups_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_4.webp) +![permissions_and_pop_ups_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_4.webp) Figure 10. The pop-up exceptions page. @@ -40,7 +40,7 @@ Netwrix Endpoint Policy Manager (formerly PolicyPak) can manipulate most areas o pop-ups. Within the Firefox AppSet, you can use the Permissions tab to enter in the values you wish for the sites that are allowed to have pop-ups and you can set permissions, as shown in Figure 11. -![permissions_and_pop_ups_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_5.webp) +![permissions_and_pop_ups_5](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_5.webp) Figure 11. Using Endpoint Policy Manager to configure the Permissions tab. 
@@ -80,14 +80,14 @@ ICA plugin is always set to ALLOW for that site, you would need to know the Citr name, which is "npican." Then, you would enter http://site.com, plugin:npican, allow. This is illustrated in Figure 12. -![permissions_and_pop_ups_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_6.webp) +![permissions_and_pop_ups_6](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_6.webp) Figure 12. The plug in short name within the Permissions tab. This will ensure on the endpoint that Firefox will perform the ALLOW command on that plugin for that website, as shown in Figure 13. -![permissions_and_pop_ups_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_7.webp) +![permissions_and_pop_ups_7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_7.webp) Figure 13. The plug in is allowed in Firefox. @@ -100,6 +100,6 @@ do the following: **Step 3 –** Locate the website and the type, as shown in Figure 14, to discover the short name. -![permissions_and_pop_ups_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_8.webp) +![permissions_and_pop_ups_8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/permissions_and_pop_ups_8.webp) Figure 14. Finding the plug in short name. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preferences.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preferences.md index 42ab6908e4..494afbd94b 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preferences.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preferences.md 
@@ -5,18 +5,18 @@ sometimes with only one click. Video: To see a video of Endpoint Policy Manager disabling various Firefox user interface (UI) pages see -[Disable the following about:config, about:addons, pages, Developer Menu, and any Preferences in one click](../../../video/applicationsettings/firefox/disable.md). +[Disable the following about:config, about:addons, pages, Developer Menu, and any Preferences in one click](/docs/policypak/policypak/video/applicationsettings/firefox/disable.md). For instance, you can select "Hide about:config UI" in the About:Config tab, as shown in Figure 32. -![hiding_preferences_pages_and](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and.webp) +![hiding_preferences_pages_and](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and.webp) Figure 32. Hiding the about:config page. Endpoint Policy Manager can hide the about:addons page UI with a checkbox in the Add-Ons: Extensions, Appearance, Plugins, and Service page, as shown in Figure 33. -![hiding_preferences_pages_and_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_1.webp) +![hiding_preferences_pages_and_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_1.webp) Figure 33. Hiding the about:addons page. 
@@ -25,11 +25,11 @@ clicking the "Hide Australis button" in the Extras tab, as shown in Figure 35. E Manager can also provide you with the ability to disable the web developer menu and many other special pages, as shown in Figure 35. -![hiding_preferences_pages_and_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_2.webp) +![hiding_preferences_pages_and_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_2.webp) Figure 34. The Australis menu. -![hiding_preferences_pages_and_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_3.webp) +![hiding_preferences_pages_and_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_3.webp) Figure 35. Disabling the web developer menu and other special pages. @@ -40,7 +40,7 @@ Objects (GPOs) based on the Computer side can be locked with the Firefox AppSet. Lastly, Endpoint Policy Manager has another huge array of special things that can be hidden within the About:Preferences tab, as shown in Figure 36. -![hiding_preferences_pages_and_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_4.webp) +![hiding_preferences_pages_and_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_4.webp) Figure 36. Hiding preferences. 
@@ -49,20 +49,20 @@ box on the right can remove nearly every element in Firefox, but you need to kno element ID. Video: To see a video of Endpoint Policy Manager removing elements in about:prefrences, go to -[Firefox Remove Specific Elements from about:preferences panel](../../../video/applicationsettings/firefox/removeelements.md). +[Firefox Remove Specific Elements from about:preferences panel](/docs/policypak/policypak/video/applicationsettings/firefox/removeelements.md). For instance, let's imagine you wanted to hide the element "Play DRM-controlled content" in the Content section, as shown in Figure 37. In this example, we did a search for DRM rather than navigate to it through the menus. -![hiding_preferences_pages_and_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_5.webp) +![hiding_preferences_pages_and_5](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_5.webp) Figure 37. Hiding DRM-controlled content. Start by opening the Firefox web developer tools (press Ctrl + Shift + I) or select Options | Developer | Toggle Tools, as shown in Figure 38. -![hiding_preferences_pages_and_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_6.webp) +![hiding_preferences_pages_and_6](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_6.webp) Figure 38. Web developer menu. 
@@ -70,7 +70,7 @@ Then, as shown in Figure 39, click the selector icon all the way on the left sid "Play DRM content" element. The element will light up with a red dotted box, and in the Inspector pane, you'll see the element ID. -![hiding_preferences_pages_and_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_7.webp) +![hiding_preferences_pages_and_7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_7.webp) Figure 39. Selecting the "Play DRM content" element. @@ -78,7 +78,7 @@ In this case, `checkbox id=" playDRMContent"`. Copy its value into the textbox i AppSet, as shown in Figure 40. You can also see another value, useMasterPassword, there as well to show how multiple values are separated by commas. -![hiding_preferences_pages_and_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_8.webp) +![hiding_preferences_pages_and_8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_8.webp) Figure 40. Copying the value to the Firefox 23.0 textbox. @@ -86,7 +86,7 @@ Figure 40. Copying the value to the Firefox 23.0 textbox. The result once Group Policy applies and Firefox is restarted is that the element is hidden. -![hiding_preferences_pages_and_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_9.webp) +![hiding_preferences_pages_and_9](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/hiding_preferences_pages_and_9.webp) Figure 41. The DRM content setting is now hidden. 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preventupdates.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preventupdates.md index a22b44a51b..95fa6b474d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preventupdates.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/preventupdates.md @@ -7,9 +7,9 @@ steps as follows: - Then click "Never check for updates" - AND perform "System wide lockdown" as seen here -![264_1_1111111111111](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/264_1_1111111111111.webp) +![264_1_1111111111111](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/264_1_1111111111111.webp) Then the result is that Firefox FORBIDS both automatic updated AND manual updates as well as seen here: -![264_2_2222222222222](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/264_2_2222222222222.webp) +![264_2_2222222222222](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/264_2_2222222222222.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/securityenterpriseroots.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/securityenterpriseroots.md index aaf9086456..03a77b4217 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/securityenterpriseroots.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/securityenterpriseroots.md 
@@ -20,14 +20,14 @@ Security.enterprise_roots.enabled  Inside the main Firefox Pak itself -![161_1_2017-08-16_0820](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/161_1_2017-08-16_0820.webp) +![161_1_2017-08-16_0820](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/161_1_2017-08-16_0820.webp) ## Way #2: Using the Firefox About:Config Pak J thru Z. It is the last entry in the S: category -![2017-08-16_0800_(1)](<../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/2017-08-16_0800_(1).webp>) +![2017-08-16_0800_(1)](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/2017-08-16_0800_(1).webp) Note that if you're looking for general advice in how to get started with Windows certificates and browsers support, you diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialfeatures.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialfeatures.md index 41409803ae..5bf97be1df 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialfeatures.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialfeatures.md @@ -7,7 +7,7 @@ to modify and manage the overall Firefox experience for the end users. When you run Firefox for the first time, you see extra tabs, as shown in Figure 56. -![special_features_in_the_firefox](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox.webp) +![special_features_in_the_firefox](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox.webp) Figure 56. Extra tabs appear when starting Firefox for the first time. 
@@ -17,7 +17,7 @@ Video: Watch this video to see how to eliminate extra tabs on the first launch o To disable the extra tabs, you can use the Options menu, as shown in Figure 57, and check the four options for disabling extra tabs in Windows 10. -![special_features_in_the_firefox_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox_1.webp) +![special_features_in_the_firefox_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox_1.webp) Figure 57. Disabling extra tabs in the Options menu. @@ -29,6 +29,6 @@ the Extras tab as shown in Figure 58. Video: Watch this to see how to change the default search engine in Firefox [http://www.policypak.com/video/firefox-changing-the-firefox-default-search-engine-in-one-click.html](http://www.policypak.com/video/firefox-changing-the-firefox-default-search-engine-in-one-click.html) -![special_features_in_the_firefox_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox_2.webp) +![special_features_in_the_firefox_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/special_features_in_the_firefox_2.webp) Figure 58. Specifying the search engine of your choice with Endpoint Policy Manager. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialsections.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialsections.md index 2f439e3832..266ef304f2 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialsections.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/specialsections.md 
@@ -8,7 +8,7 @@ values listed for how to use that section. Many also let you specify the first l In Figure 2, you can see Permissions tab has the default example set with `MODE=REPLACE` and shows some examples on how to use the special section. -![how_to_use_special_sections](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/how_to_use_special_sections.webp) +![how_to_use_special_sections](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/how_to_use_special_sections.webp) Figure 2. Site to Zone assignment special section. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/stopsenddatamessage.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/stopsenddatamessage.md index 34ace9db05..64f88936ad 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/stopsenddatamessage.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/stopsenddatamessage.md @@ -4,7 +4,7 @@ Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Manager can rem "Firefox automatically sends some data to Mozilla so that we can improve your experience" as seen below. -![177_1_image001](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/177_1_image001.webp) +![177_1_image001](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/177_1_image001.webp) To do this, use the Endpoint Policy Manager Application Manager pak About:Config A-I Pak. Use the setting datareporting.policy.dataSubmissionPolicyBypassNotification and set to TRUE. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.md b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.md index b0be3e76d1..e9dca2a1e9 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.md 
+++ b/docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.md @@ -14,7 +14,7 @@ The only supported configuration going forward for Firefox 128 support is CSE 24 the Firefox 115 and later pak, which is compiled (and signed) from Netwrix with date stamp 11/7/2024 and later. -![transition](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.webp) +![transition](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/transition.webp) Previous Details (Pre 24.11 CSE) 
@@ -81,17 +81,17 @@ you must open each Group Policy Object one by one and manually look for FF23 App Overview of using the Endpoint Policy Manager PowerShell cmdlets to discover Endpoint Policy Manager data within GPOs see the -[Endpoint Policy Manager User PowerShell to find all Endpoint Policy Manager GPOs](../../../video/troubleshooting/powershell.md) +[Endpoint Policy Manager User PowerShell to find all Endpoint Policy Manager GPOs](/docs/policypak/policypak/video/troubleshooting/powershell.md) topic for additional information. -![939_1_image-20231101213809-1_950x372](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_1_image-20231101213809-1_950x372.webp) +![939_1_image-20231101213809-1_950x372](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_1_image-20231101213809-1_950x372.webp) The specific command you'll want to run is Get-PPGPOs -cse "application settings manager". Each Group Policy Object at this point will need to be opened to look for Firefox 23 AppSets. Here is an example of the FF23 AppSet on the Computer side, though it may also reside on the User side. -![939_2_image-20231101213809-2_950x458](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_2_image-20231101213809-2_950x458.webp) +![939_2_image-20231101213809-2_950x458](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_2_image-20231101213809-2_950x458.webp) Before making any modifications, you'll want to perform a few backup steps which are detailed in the next section. 
@@ -107,7 +107,7 @@ settings before continuing. ### Back up 1: Viewing the Group Policy Object Report and saving the HTML report. -![939_3_image-20231101213809-3_950x493](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_3_image-20231101213809-3_950x493.webp) +![939_3_image-20231101213809-3_950x493](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_3_image-20231101213809-3_950x493.webp) This won't be your only backup, but it will express exactly what is in your Group Policy Object with regards to your settings. @@ -115,7 +115,7 @@ regards to your settings. ### Back Up 2: Backing up the Group Policy Object (or all GPOs.) For backing up the GPO or all GPOs see the -[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../../../video/troubleshooting/backup.md) +[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md) topic for additional information. ### Back up 3: Export the settings for each FF23 AppSet you already have. 
@@ -123,10 +123,10 @@ topic for additional information. Open each FF23 AppSet and locate the Options button. Then click Export XML Settings Data and save the file out. -![939_4_image-20231101213809-4_950x761](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_4_image-20231101213809-4_950x761.webp) +![939_4_image-20231101213809-4_950x761](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_4_image-20231101213809-4_950x761.webp) See the -[What are the two ways to export AppSet settings and why would I use one over the other?](../../../troubleshooting/applicationsettings/export/appset.md) +[What are the two ways to export AppSet settings and why would I use one over the other?](/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md) **NOTE:** You will use the resulting XML file in an upcoming step and not only for backup purposes. @@ -142,7 +142,7 @@ The file you are looking for is PP-Firefox23.DLL which is likely in one of three - SYSVOL (replicated to other domain controllers)\ `C:\Windows\SYSVOL\sysvol\fabrikam.com\Policies\PolicyPak ` - A share. (Tip: To locate the share you could be using see the - [Using Shares to Store Your Paks (Share-Based Storage)](../../../video/applicationsettings/shares.md)[Using Shares to Store Your Paks (Share-Based Storage)](../../../video/applicationsettings/shares.md)) + [Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md)[Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md)) So, in summary, before leaving this section and continuing onward, again we advise that you: 
@@ -169,7 +169,7 @@ EQUAL to this version will support only FF115 AppSet. Find your existing FF23 AppSet in your Group Policy Object(s) and select "Edit item-level targeting filters…" -![939_5_image-20231101213809-5_950x524](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_5_image-20231101213809-5_950x524.webp) +![939_5_image-20231101213809-5_950x524](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_5_image-20231101213809-5_950x524.webp) You can test for the presence or absence of Endpoint Policy Manager CSE version 23.09.0.0 with a Registry match query for: 
@@ -182,16 +182,16 @@ Registry match query for: - Value Type: REG_SZ - Version Range: GREATER THAN 0.0.0.0 and LESS THAN 23.9.0.0 -![939_6_image-20231101213809-6_950x743](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_6_image-20231101213809-6_950x743.webp) +![939_6_image-20231101213809-6_950x743](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_6_image-20231101213809-6_950x743.webp) When done save the values. You will know you have ILT set when you see the Targeting column change to ON. -![939_7_image-20231101213809-7_950x273](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_7_image-20231101213809-7_950x273.webp) +![939_7_image-20231101213809-7_950x273](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_7_image-20231101213809-7_950x273.webp) This is different than "Predefined Targeting". To understand the difference between ILT and Predefined Targeting see the -[Predefined ILTs (Internal Filters)](../../../video/applicationsettings/designstudio/itemleveltargeting.md) +[Predefined ILTs (Internal Filters)](/docs/policypak/policypak/video/applicationsettings/designstudio/itemleveltargeting.md) topic for additional information. ### Optional: Testing the ILT Filters on FF23 using the Endpoint Policy Manager Item Level Targeting Validation Tool 
@@ -200,34 +200,34 @@ Tip: You can also export the FF 23 settings to XMLdata File format and use part verify the Item Level Targeting will evaluate to TRUE or FALSE. To do this, right-click the entry and select Export settings to XMLData file and save the file. Then use the Endpoint Policy Manager Item Level Targeting Validation tool to test how ILT will operate. See the -[Troubleshooting ILT with the ILT Validator Tool](../../../video/troubleshooting/itemleveltargeting.md) +[Troubleshooting ILT with the ILT Validator Tool](/docs/policypak/policypak/video/troubleshooting/itemleveltargeting.md) topic for additional information. **NOTE:** You will have to trim the ILT part of the output to eliminate the `` at the beginning and `` at the end. -![939_8_image-20231101213809-8_950x453](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_8_image-20231101213809-8_950x453.webp) +![939_8_image-20231101213809-8_950x453](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_8_image-20231101213809-8_950x453.webp) Expected result on a machine with 23.10 and later CSE: -![939_9_image-20231101213809-9_950x523](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_9_image-20231101213809-9_950x523.webp) +![939_9_image-20231101213809-9_950x523](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_9_image-20231101213809-9_950x523.webp) ## Adding the FF 115 AppSet to an existing or new Group Policy Object After you download the FF 115 AppSet from the Endpoint Policy Manager portal, it will appear like this. You only need the .DLL file and not the XML file. 
-![939_10_image-20231101213809-10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_10_image-20231101213809-10.webp) +![939_10_image-20231101213809-10](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_10_image-20231101213809-10.webp) Use these instructions to add the AppSet Locally or via Central Store: -[Working with Others and using the Central Store](../../../video/applicationsettings/centralstorework.md) +[Working with Others and using the Central Store](/docs/policypak/policypak/video/applicationsettings/centralstorework.md) Use these instructions to add the AppSet to a Share: -[Using Shares to Store Your Paks (Share-Based Storage)](../../../video/applicationsettings/shares.md) +[Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md) -![939_11_image-20231101213809-11_950x492](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_11_image-20231101213809-11_950x492.webp) +![939_11_image-20231101213809-11_950x492](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_11_image-20231101213809-11_950x492.webp) For example in the Endpoint Policy Manager Central Store you simply add the pp-Mozilla Firefox 115.DLL. 
@@ -235,7 +235,7 @@ For example in the Endpoint Policy Manager Central Store you simply add the pp-M **NOTE:** You may leave your existing pp-Mozilla Firefox 23 aboutconfig A to I and J to Z.DLL files in place without modification. -![939_12_image-20231101213809-12_950x406](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_12_image-20231101213809-12_950x406.webp) +![939_12_image-20231101213809-12_950x406](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_12_image-20231101213809-12_950x406.webp) Next time you open the Group Policy editor you should see Endpoint Policy Manager For Mozilla Firefox 115. @@ -248,14 +248,14 @@ computers with the latest Endpoint Policy Manager CSE. After creating the entry, double-click into it to open it up and select Import XML Settings Data. -![939_13_image-20231101213809-13_950x633](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_13_image-20231101213809-13_950x633.webp) +![939_13_image-20231101213809-13_950x633](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_13_image-20231101213809-13_950x633.webp) Then select the previously exported settings from the FF 23 AppSet. You should get a SUCCESS message. Next, set the Item-level targeting in the AppSet. -![939_14_image-20231101213809-14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_14_image-20231101213809-14.webp) +![939_14_image-20231101213809-14](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_14_image-20231101213809-14.webp) FF AppSet 115 should be applied only to machines with Endpoint Policy Manager CSE version 23.10.3687 or Greater and can be determined with a Registry match query for: 
@@ -268,7 +268,7 @@ or Greater and can be determined with a Registry match query for: - Value Type: REG_SZ - Version Range: GREATER THAN OR EQUAL TO 23.10.0.0 and LESS THAN 99.0.0.0 -![939_15_image-20231101213809-15_950x815](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_15_image-20231101213809-15_950x815.webp) +![939_15_image-20231101213809-15_950x815](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_15_image-20231101213809-15_950x815.webp) Click OK and then close the AppSet entry to save it. @@ -278,7 +278,7 @@ You can also export the FF 115 settings to XMLdata File format and use part of t the Item Level Targeting will evaluate to TRUE or FALSE. To do this, right-click the entry and select Export settings to XMLData file and save the file. Then use the Endpoint Policy Manager Item Level Targeting Validation tool to test how ILT will operate. See the -[Troubleshooting ILT with the ILT Validator Tool](../../../video/troubleshooting/itemleveltargeting.md) +[Troubleshooting ILT with the ILT Validator Tool](/docs/policypak/policypak/video/troubleshooting/itemleveltargeting.md) topic for additional information. Note that you will have to trim the ILT part of the output to eliminate the `` at the 
@@ -287,12 +287,12 @@ beginning and `` at the end. You can test the ILT evaluation by using the Export settings to XMLData file for the Mozilla Firefox 115 entry. -![939_16_image-20231101213809-16_950x543](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_16_image-20231101213809-16_950x543.webp) +![939_16_image-20231101213809-16_950x543](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_16_image-20231101213809-16_950x543.webp) Then you can use the ILT Evaluator tool to ensure your ILT evaluation is properly crafted and the AppSet will only target machines with the latest Endpoint Policy Manager CSE. -![939_17_image-20231101213809-17_950x549](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_17_image-20231101213809-17_950x549.webp) +![939_17_image-20231101213809-17_950x549](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_17_image-20231101213809-17_950x549.webp) # HTML Settings Report Manual Comparison @@ -307,7 +307,7 @@ from FF23 and import to FF115 didn't work as expected. In such a case as case 2, please manually open the FF115 Pak and manually update your settings to correct for any non-imported settings. -![939_18_image-20231101213809-18_950x807](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_18_image-20231101213809-18_950x807.webp) +![939_18_image-20231101213809-18_950x807](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/939_18_image-20231101213809-18_950x807.webp) ## Final Thoughts diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/addons.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/addons.md index ce39f10fe0..9bfb07d26f 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/addons.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/addons.md @@ -2,4 +2,4 @@ Yes. Here is a videos to demonstrate that. -[Manage IE Programs Tab](../../../video/applicationsettings/internetexplorer/programstab.md) +[Manage IE Programs Tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/programstab.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/certificates.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/certificates.md index 7500c39970..daac84c466 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/certificates.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/certificates.md @@ -2,4 +2,4 @@ Yes, Here is a videos to demonstrate that. -[Manage IE Certificates](../../../video/applicationsettings/internetexplorer/certificates.md) +[Manage IE Certificates](/docs/policypak/policypak/video/applicationsettings/internetexplorer/certificates.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/customsettings.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/customsettings.md index 8bf923d42c..5bb960de96 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/customsettings.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/customsettings.md 
@@ -7,4 +7,4 @@ Sites" dropdown (for instance) set to nothing. This formula will deliver the specific custom settings you choose. -![313_1_2015-03-16_1607](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/313_1_2015-03-16_1607.webp) +![313_1_2015-03-16_1607](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/313_1_2015-03-16_1607.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normalsections.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normalsections.md index c110d5d71c..642b80604d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normalsections.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normalsections.md @@ -3,7 +3,7 @@ In the normal sections of the IE AppSet, you can click on items to select a setting. However, the IE AppSet also has some special sections. You can see an example of a special section in Figure 2. -![normal_sections_in_the_ie](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normal_sections_in_the_ie.webp) +![normal_sections_in_the_ie](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/normal_sections_in_the_ie.webp) Figure 2. Special and normal sections in the IE AppSet. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/overview.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/overview.md index ddcc662db8..66cdc9ca26 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/overview.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/overview.md 
@@ -16,7 +16,7 @@ This AppSet is no different than other AppSets, in that it can be placed into Lo Central storage. (See Book 3: Application Settings Manager for details.) Once placed into the storage location, it will be available under the Application Settings Manager, as shown in Figure 1. -![about_this_document_and_the](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/about_this_document_and_the.webp) +![about_this_document_and_the](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/about_this_document_and_the.webp) Figure 1. The IE AppSet. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/specialsections.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/specialsections.md index c2a3ad2163..8453235958 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/specialsections.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/specialsections.md @@ -10,7 +10,7 @@ MODE=REPLACE or MODE=MERGE In Figure 3, you can see the Site to Zone Assignment in the Security tab has the default example set with MODE=REPLACE. The figure also shows some examples on how to use the special section. -![how_to_use_special_sections](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/how_to_use_special_sections.webp) +![how_to_use_special_sections](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/how_to_use_special_sections.webp) Figure 3. Using the Site to Zone Assignment special section. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/advanced.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/advanced.md index 5577bd7069..545660a2cc 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/advanced.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/advanced.md @@ -3,12 +3,12 @@ The Advanced tab has a lot of settings, and varies from version to version of IE. You can see the Advanced tab in IE 11 in Figure 27. -![ie_appset_tab_by_tab_23](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_23.webp) +![ie_appset_tab_by_tab_23](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_23.webp) Figure 27. The IE Advanced tab. Almost all of these settings are configurable in the IE AppSet, as shown in Figure 28. -![ie_appset_tab_by_tab_24](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_24.webp) +![ie_appset_tab_by_tab_24](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_24.webp) Figure 28. Configuring IE settings in the Advanced tab. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/compatibilityview.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/compatibilityview.md index e6e0399cea..ba671ed7ad 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/compatibilityview.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/compatibilityview.md 
@@ -3,7 +3,7 @@ Internet Explorer's Compatibility View tab lets you specify which websites go into a Compatibility View mode. This tab is shown in Figure 34. -![ie_appset_tab_by_tab_30](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_30.webp) +![ie_appset_tab_by_tab_30](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_30.webp) Figure 34. IE Compatibility View settings. @@ -11,6 +11,6 @@ While at one time it was only possible to manage Compatibility View settings usi Manager Browser Router, you can now manage these settings using the Compatibility View tab in the Endpoint Policy Manager Application Settings Manager IE AppSet. -![ie_appset_tab_by_tab_31](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_31.webp) +![ie_appset_tab_by_tab_31](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_31.webp) Figure 35. Managing Compatibility View settings. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/connections.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/connections.md index b1674e67d8..883e39e45f 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/connections.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/connections.md 
@@ -7,13 +7,13 @@ Application Settings Manager see the following video: The "LAN settings" button on Internet Explorer's Connections tab is configurable, as shown in Figure 18. -![ie_appset_tab_by_tab_14](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_14.webp) +![ie_appset_tab_by_tab_14](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_14.webp) Figure 18. IE LAN settings. The same dialog can be managed using the IE AppSet, as shown in Figure 19. -![ie_appset_tab_by_tab_15](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_15.webp) +![ie_appset_tab_by_tab_15](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_15.webp) Figure 19. Configuring the local LAN settings for IE. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/content.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/content.md index fd2b523e65..7e3ea31c65 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/content.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/content.md @@ -7,7 +7,7 @@ Application Settings Manager see the following video: The Content tab lets you specify various restrictions. The IE AppSet now has content advisor settings, as shown in Figure 14. -![ie_appset_tab_by_tab_10](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_10.webp) +![ie_appset_tab_by_tab_10](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_10.webp) Figure 14. Configuring IE content advisor settings. 
@@ -18,14 +18,14 @@ can be `MODE=REPLACE` or `MODE=MERGE`. If the mode is not specified, the behavio you can specify a website with a comma then the word "allow," "block," or "remove," as shown in Figure 15. -![ie_appset_tab_by_tab_11](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_11.webp) +![ie_appset_tab_by_tab_11](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_11.webp) Figure 15. The content advisor settings. This Endpoint Policy Manager dialog corresponds to the following IE 8 dialog as shown in Figure 16. Note IE 10 and 11 don't have this dialog, but the settings can be delivered anyway. -![ie_appset_tab_by_tab_12](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_12.webp) +![ie_appset_tab_by_tab_12](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_12.webp) Figure 16. The IE 8 dialog box. @@ -33,6 +33,6 @@ A certificates section is seen here, but in the AppSet, it's been moved to a tab will be described later. You can, however, disable or hide the certificates buttons using Endpoint Policy Manager, as shown in Figure 17. -![ie_appset_tab_by_tab_13](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_13.webp) +![ie_appset_tab_by_tab_13](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_13.webp) Figure 17. Disabling the Certificates button. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/enterprisemode.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/enterprisemode.md index 0f4a799108..5d128be303 100644 
--- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/enterprisemode.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/enterprisemode.md @@ -27,7 +27,7 @@ In short, Endpoint Policy Manager IE AppSet makes this process easy. You use the Manager Browser Router component and not the Endpoint Policy Manager Application Settings Manager component, as shown in Figure 36. -![ie_appset_tab_by_tab_32](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_32.webp) +![ie_appset_tab_by_tab_32](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_32.webp) Figure 36. Setting up a dynamic list in Enterprise Mode using Endpoint Policy Manager Browser Router. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/extras.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/extras.md index 761d202705..3dcd0b5ff8 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/extras.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/extras.md @@ -17,7 +17,7 @@ the Binary-Encoded DER Format." Examples of IE certificates are shown in Figure 29. -![ie_appset_tab_by_tab_25](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_25.webp) +![ie_appset_tab_by_tab_25](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_25.webp) Figure 29. IE Certificates. 
@@ -39,7 +39,7 @@ or Thumbprint, Certificate Store, remove ``` -![ie_appset_tab_by_tab_26](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_26.webp) +![ie_appset_tab_by_tab_26](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_26.webp) Figure 30. Adding or removing IE certificates. @@ -84,7 +84,7 @@ To remove certificates using the IE AppSet, you must know the thumbprint for the want to remove. You can find the thumbprint within IE by viewing the details for a certificate and selecting the thumbprint, as shown in Figure 31. Then, you can copy and paste it into the AppSet. -![ie_appset_tab_by_tab_27](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_27.webp) +![ie_appset_tab_by_tab_27](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_27.webp) Figure 31. Details and thumbprints of certificates in IE. @@ -108,7 +108,7 @@ Endpoint Policy Manager can only work with binary-formatted/DER certificates. If certificate of another type, you may import it first into Internet Explorer. Then you can immediately export it as a DER file, as shown in Figure 32. -![ie_appset_tab_by_tab_28](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_28.webp) +![ie_appset_tab_by_tab_28](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_28.webp) Figure 32. Exporting a certificate as a DER file. 
@@ -116,6 +116,6 @@ You can optionally perform the same type of export by finding the file itself in navigating to the Details tab, and then clicking on the "Copy to File..." button and selecting "`DER encoded binary X.509 (CER)`," as shown in Figure 33. -![ie_appset_tab_by_tab_29](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_5.webp) +![ie_appset_tab_by_tab_29](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/firefox/certificate/certificates_5.webp) Figure 33. Exporting a certificate using the "Copy to File..." button. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/favoriteslinks.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/favoriteslinks.md index 0d7c1cf5e8..3b9b2a7d34 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/favoriteslinks.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/favoriteslinks.md @@ -18,7 +18,7 @@ entry no longer applies, but it will leave the entries the user has put in place Internet Explorer can save favorites for users as shown in Figure 22. -![ie_appset_tab_by_tab_18](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_18.webp) +![ie_appset_tab_by_tab_18](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_18.webp) Figure 22. IE Favorites. 
@@ -46,7 +46,7 @@ Displayname, http://www.webpage.com, add `Displayname, Folder1/http://www.webpage.com, remove` -![ie_appset_tab_by_tab_19](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_19.webp) +![ie_appset_tab_by_tab_19](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_19.webp) Figure 23. Configuring IE Favorites. @@ -54,7 +54,7 @@ Figure 23. Configuring IE Favorites. You can manage and deliver IE Feeds. A screenshot of the Feeds tab from IE is shown in Figure 24. -![ie_appset_tab_by_tab_20](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_20.webp) +![ie_appset_tab_by_tab_20](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_20.webp) Figure 24. IE Feeds. @@ -62,7 +62,7 @@ Using the IE AppSet, you can add or remove a feed using the format shown in Figu specify a friendlyname, the URL of the XML feed, and an optional icon file. Then specify to add or remove. -![ie_appset_tab_by_tab_21](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_21.webp) +![ie_appset_tab_by_tab_21](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_21.webp) Figure 25. Configuring IE Feeds with Endpoint Policy Manager. 
@@ -73,6 +73,6 @@ Slices) section, as seen in Figure 26. The results are shown on the right side o `Links/MSFT NASDAQ, http://quotes.wsj.com/MSFT ?mod=DNH_S_cq#slice,add` -![ie_appset_tab_by_tab_22](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_22.webp) +![ie_appset_tab_by_tab_22](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_22.webp) Figure 26. Adding items to the Favorites bar. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/general.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/general.md index 346b46e709..da3df48b71 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/general.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/general.md @@ -6,7 +6,7 @@ Video: For a quick overview of how to manage the General tab using Netwrix Endpo The General tab for IE can be seen in Figure 4. -![ie_appset_tab_by_tab](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab.webp) +![ie_appset_tab_by_tab](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab.webp) Figure 4. IE General tab settings. 
@@ -15,6 +15,6 @@ shown in Figure 5. This lets you configure specific secondary start pages when I opens up. This section is always set to REPLACE. Entries here always overwrite what the user already has in place. -![ie_appset_tab_by_tab_1](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_1.webp) +![ie_appset_tab_by_tab_1](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_1.webp) Figure 5. IE AppSet Secondary Start Pages special section. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/privacy.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/privacy.md index af739b6562..84835c0764 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/privacy.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/privacy.md 
@@ -7,14 +7,14 @@ Application Settings Manager, see the following video: The Privacy tab, shown in Figure 10, lets you specify how cookies should be handled and which websites are allowed and blocked. -![ie_appset_tab_by_tab_6](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_6.webp) +![ie_appset_tab_by_tab_6](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_6.webp) Figure 10. Cookie settings in the Privacy tab. In the IE AppSet, the dropdown menu in Figure 11 can be used to set how cookies are handled for the Internet zone. It is important to read the note below the entry you select. -![ie_appset_tab_by_tab_7](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_7.webp) +![ie_appset_tab_by_tab_7](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_7.webp) Figure 11. Configuring cookie settings in the Privacy tab. 
@@ -29,13 +29,13 @@ This will place the site into the "Per Site Privacy Actions" list and will speci "Allow." You can also choose to turn on the Pop-Up Blocker within the IE Privacy tab, as shown in >Figure 12. -![ie_appset_tab_by_tab_8](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_8.webp) +![ie_appset_tab_by_tab_8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_8.webp) Figure 12. Pop-up Blocker settings can be found in the Privacy tab. The corresponding dialog can be seen in the IE AppSet in Figure 13. -![ie_appset_tab_by_tab_9](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_9.webp) +![ie_appset_tab_by_tab_9](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_9.webp) Figure 13. Configuring the Pop-up Blocker settings in the Privacy tab. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/programs.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/programs.md index 2aa8187171..ed0556fb3c 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/programs.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/programs.md 
@@ -2,19 +2,19 @@ Video: For a quick overview of how to manage the Programs tab using Endpoint Policy Manager Application Settings Manager, see the following video: -[Manage IE Programs Tab](../../../../video/applicationsettings/internetexplorer/programstab.md). +[Manage IE Programs Tab](/docs/policypak/policypak/video/applicationsettings/internetexplorer/programstab.md). The Internet Explorer Programs tab is where you can specify to enable or disable plugins, toolbars, extensions, accelerators, and search providers. An example of add-ons that you can manage in Internet Explorer 11 under Programs|Manage add-ons is shown in Figure 20. -![ie_appset_tab_by_tab_16](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_16.webp) +![ie_appset_tab_by_tab_16](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_16.webp) Figure 20. Managing add-ons in Internet Explorer. The corresponding Endpoint Policy Manager dialog is shown in Figure 21. -![ie_appset_tab_by_tab_17](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_17.webp) +![ie_appset_tab_by_tab_17](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_17.webp) Figure 21. Managing IE add-ons in Endpoint Policy Manager. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/security.md b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/security.md index ddd9a9106c..f0de22adc6 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/security.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/security.md 
@@ -7,7 +7,7 @@ Application Settings Manager, see the following video: The Security tab lets you set levels for all four zone types. The dialog within IE can be seen in Figure 6. -![ie_appset_tab_by_tab_2](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_2.webp) +![ie_appset_tab_by_tab_2](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_2.webp) Figure 6. Custom security settings for all four zone types. 
@@ -15,19 +15,19 @@ Using the Endpoint Policy Manager IE AppSet, click on "Set Level" for the corres select your level (or select "Custom"). Do not set any custom settings when you select a standard option from the drop-down menu, such as Medium, Medium High, etc. -![ie_appset_tab_by_tab_3](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_3.webp) +![ie_appset_tab_by_tab_3](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_3.webp) Figure 7. Custom settings for the local intranet zone. Internet Explorer has a rich way of adding site to zone assignments, as shown in Figure 8. -![ie_appset_tab_by_tab_4](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_4.webp) +![ie_appset_tab_by_tab_4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_4.webp) Figure 8. Adding site to zone assignments in Internet Explorer. The IE AppSet Security tab Site to Zone Assignment is shown in Figure 9. -![ie_appset_tab_by_tab_5](../../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_5.webp) +![ie_appset_tab_by_tab_5](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/internetexplorer/tab/ie_appset_tab_by_tab_5.webp) Figure 9. Setting site to zone assignments in the IE Pak. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bydefault.md b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bydefault.md index 47f03626e3..dce721196e 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bydefault.md 
+++ b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bydefault.md @@ -5,4 +5,4 @@ Internal Item-Level Targeting is "On" by default since 557. From 603 onwards we have made this fact more obvious by showing the "Item-Level Targeting" in the MMC. -![368_1_pp-predefined-targeting](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/368_1_pp-predefined-targeting.webp) +![368_1_pp-predefined-targeting](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/368_1_pp-predefined-targeting.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bypassinternal.md b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bypassinternal.md index 32bd4e9af4..8e09c2bef8 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bypassinternal.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/bypassinternal.md @@ -24,4 +24,4 @@ You might want to do this for several reasons: For a video expressing how to bypass Internal ILT, see: -[Bypassing Internal Item Level Targeting Filters](../../../video/applicationsettings/itemleveltargetingbypass.md) +[Bypassing Internal Item Level Targeting Filters](/docs/policypak/policypak/video/applicationsettings/itemleveltargetingbypass.md) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/internalpredefined.md b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/internalpredefined.md index 1cad6013a0..7fb151266d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/internalpredefined.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/internalpredefined.md 
@@ -23,11 +23,11 @@ FAQ in this section.) Way 2: Use the DesignStudio to open up a Pak and look. You can see an example of where Internal Item Level Targeting is within the DesignStudio in this example: -![257_1_pp-internal-ilt-in-design-studio](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/257_1_pp-internal-ilt-in-design-studio.webp) +![257_1_pp-internal-ilt-in-design-studio](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/257_1_pp-internal-ilt-in-design-studio.webp) Way 3: When you use MMC 603 or later, and make a Pak entry into a GPO, you'll see the column labeled "Predefined Targeting." If it says On or Off, then the Pak itself has Pre-defined Targeting. If the Column shows N/A, the Pak doesn't. You can see two entries without Internal ILT, and one entry that does in this example: -![257_2_pp-predefined-targeting](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/368_1_pp-predefined-targeting.webp) +![257_2_pp-predefined-targeting](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/itemleveltargeting/368_1_pp-predefined-targeting.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/runapplication.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/runapplication.md index 423bbb0a5d..1f084f024b 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/runapplication.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/runapplication.md 
@@ -3,7 +3,7 @@ Visiting a site with Java enabled content you may see this prompt, confirming if you want to run the JRE code located on that location. -![2_1_image005](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_1_image005.webp) +![2_1_image005](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_1_image005.webp) ## Solution: @@ -13,12 +13,12 @@ vs. Trusted Security verification". Java 7 Pak technique: -![2_2_image006](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_2_image006.webp) +![2_2_image006](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_2_image006.webp) -![2_3_image007](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_3_image007.webp) +![2_3_image007](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_3_image007.webp) Java 8 Pak technique: -![2_4_16a-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_4_16a-8.webp) +![2_4_16a-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_4_16a-8.webp) -![2_5_16b-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_5_16b-8.webp) +![2_5_16b-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_5_16b-8.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/securitypopup.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/securitypopup.md index 9be836b2bc..3ccd79dcf1 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/securitypopup.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/securitypopup.md 
@@ -2,7 +2,7 @@ If you get the following pop-up: -![158_1_uhae4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_1_uhae4.webp) +![158_1_uhae4](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_1_uhae4.webp) the pre-configured Java AppSet can adjust for that. However, know that we are not magically "increasing" your security here, simply delivering the value that forces Java to stop the pop up. @@ -11,11 +11,11 @@ The setting located in our pre-configured AppSets for Java is: Java 7 Pak technique: -![158_2_2014-04-13_1737](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_2_2014-04-13_1737.webp) +![158_2_2014-04-13_1737](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_2_2014-04-13_1737.webp) Java 8 AppSet technique: -![158_3_13-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_3_13-8.webp) +![158_3_13-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/158_3_13-8.webp) More information from Oracle on the underlying issue can be found at this web page:  [http://java.com/en/download/help/error_mixedcode.xml](http://java.com/en/download/help/error_mixedcode.xml) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/tasktray.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/tasktray.md index de513e0a61..e713a3dc8d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/tasktray.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/tasktray.md 
@@ -3,7 +3,7 @@ In most cases when you are using an older version of Java you may see the Java icon in the system tray. -![225_1_image010](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/225_1_image010.webp) +![225_1_image010](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/225_1_image010.webp) ## Solution: @@ -12,8 +12,8 @@ pre-configuring PAK for Java. Check/Un-check "Check for Updates Automatically". Java 7 Pak technique: -![225_2_image009](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_2_image009.webp) +![225_2_image009](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_2_image009.webp) Java 8 Pak technique: -![225_3_18-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/225_3_18-8.webp) +![225_3_18-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/225_3_18-8.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/useraccountcontrol.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/useraccountcontrol.md index 3ab87b8429..63588b3c42 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/useraccountcontrol.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/useraccountcontrol.md @@ -2,7 +2,7 @@ Users might see prompts whenever Java tries to update automatically. -![105_1_image008](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_1_image008.webp) +![105_1_image008](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_1_image008.webp) ## Solution: 
@@ -11,8 +11,8 @@ different versions of Java pre-configured PAKs. Java 7 Pak technique: -![105_2_image009](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_2_image009.webp) +![105_2_image009](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_2_image009.webp) Java 8 Pak technique: -![105_3_17-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_3_17-8.webp) +![105_3_17-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/105_3_17-8.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/versioninsecure.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/versioninsecure.md index 538dd260ca..a735062668 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/versioninsecure.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/versioninsecure.md @@ -2,7 +2,7 @@ Visiting a website with Java enabled application you may see the warning as showing in screenshot. -![137_1_image003](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/137_1_image003.webp) +![137_1_image003](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/137_1_image003.webp) ## Solution: 
@@ -11,8 +11,8 @@ verification". The setting placement may vary depending on the version of Java P Java 7 Pak technique: -![137_2_image004](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/137_2_image004.webp) +![137_2_image004](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/137_2_image004.webp) Java 8 Pak technique: -![137_3_15-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_5_16b-8.webp) +![137_3_15-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/2_5_16b-8.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/java/versionoutofdate.md b/docs/policypak/policypak/applicationsettings/preconfigured/java/versionoutofdate.md index 459843340c..7cfa428d0b 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/java/versionoutofdate.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/java/versionoutofdate.md 
@@ -3,15 +3,15 @@ If you are running an older version of Java JRE and you visited the java enabled application, it will give an annoying prompt as illustrated in below screenshot. -![45_1_image001](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_1_image001.webp) +![45_1_image001](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_1_image001.webp) With PolicyPak's Pre-configured PAK for Java, you can disable that prompt by un-checking this option "Prevent Users from "JRE out of date" warning pop-up". You want it un-checked and underlined. Java 7 Pak technique: -![45_2_image002](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_2_image002.webp) +![45_2_image002](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_2_image002.webp) Java 8 Pak technique: -![45_3_14-8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_3_14-8.webp) +![45_3_14-8](/img/product_docs/policypak/policypak/applicationsettings/preconfigured/java/45_3_14-8.webp) diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/acllockdown.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/acllockdown.md index 838aadaefd..190167c60d 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/acllockdown.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/acllockdown.md 
@@ -19,7 +19,7 @@ the effected pieces of the application. right-click "at least one lower case character (a-z)" and select "Perform ACL Lockdown," as seen in Figure 14. -![policypak_application_settings_13](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_13.webp) +![policypak_application_settings_13](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_13.webp) Figure 14. Selecting the "Perform ACL Lockdown" setting. @@ -40,7 +40,7 @@ On the client machine Options, select the Passwords tab, and uncheck the two checkboxes that are available, as shown in Figure 15. Then click OK. -![policypak_application_settings_14](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_14.webp) +![policypak_application_settings_14](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_14.webp) Figure 15. The Passwords tab in WinZip Options. @@ -48,7 +48,7 @@ Figure 15. The Passwords tab in WinZip Options. Figure 16 shows that the user's desired changes did not take effect because Endpoint Policy Manager Application Settings Manager has used ACL Lockdown™ to perform the lockout of the settings. -![policypak_application_settings_15](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_15.webp) +![policypak_application_settings_15](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_15.webp) Figure 16. Using ACL Lockdown, the user's changes have not taken effect because the settings have been locked. 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/leverageexisting.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/leverageexisting.md index dab48ee914..399df11ca7 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/leverageexisting.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/leverageexisting.md @@ -22,7 +22,7 @@ file to the `C:\Program` Files `(x86)\PolicyPak\Extensions` folder (on 64-bit ma `C:\Program Files\PolicyPak\Extensions (on 32-bit machines)`. You can see how this is done in Figure 1. -![policypak_application_settings](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings.webp) +![policypak_application_settings](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings.webp) Figure 1. Copying the `DLL` file to the C: drive. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/revertappset.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/revertappset.md index 24d05efd4f..58964e9394 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/revertappset.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/revertappset.md 
@@ -6,7 +6,7 @@ Let's simulate what would happen if the user changes job roles or the GPO is no to move the account to another OU. Find the account, right-click on it, and select "Move," as seen in Figure 17. -![policypak_application_settings_16](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_16.webp) +![policypak_application_settings_16](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_16.webp) Figure 17. Moving user accounts to a different OU. @@ -24,7 +24,7 @@ be as follows: Results are shown in Figure 18. -![policypak_application_settings_17](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_17.webp) +![policypak_application_settings_17](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_17.webp) Figure 18. The settings have been reverted to their original values. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/specialnotes.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/specialnotes.md index 2f3c4154bd..afb5f7c5d2 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/specialnotes.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/specialnotes.md 
@@ -6,7 +6,7 @@ similar to what we saw in the Quickstart with WinZip. However, UI lockout is implemented differently and, as such, comes with a caveat. **NOTE:** To see a video of Firefox UI lockout in action, watch the following video(s): -[Understanding and fixing Endpoint Policy Manager DLL Orphans](../../../video/applicationsettings/dllorphans.md). +[Understanding and fixing Endpoint Policy Manager DLL Orphans](/docs/policypak/policypak/video/applicationsettings/dllorphans.md). **NOTE:** To see a video of Thunderbird UI lockout in action, watch the following video(s): [http://www.policypak.com/products/manage-thunderbird-with-group-policy.html](https://www.policypak.com/video/policypak-the-superpowers.html). @@ -21,7 +21,7 @@ affecting only computers (not users). Figure 19 displays an example of how to create and link a GPO to computers. -![policypak_application_settings_18](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_18.webp) +![policypak_application_settings_18](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_18.webp) Figure 19. Creating and linking a GPO. 
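Review bot: In specialnotes.md, first hunk (`@@ -6,7 +6,7 @@`), the rewritten link sits under a note that promises a video of Firefox UI lockout, but its label and target are the "DLL Orphans" topic (`dllorphans.md`); confirm that this is the intended video before carrying it over to the absolute path. The unchanged Thunderbird note directly below it displays one URL as the link text (`http://www.policypak.com/products/manage-thunderbird-with-group-policy.html`) while linking to a different one (`https://www.policypak.com/video/policypak-the-superpowers.html`). Displayed URL and target should agree, so replace the link text with a descriptive title or correct the target while this file is being touched.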
@@ -32,9 +32,9 @@ can modify settings for Firefox, Thunderbird, and Java, including "Lockdown this system-wide config file," as seen in the top of the figure with Firefox and the bottom of the figure with Java. -![policypak_application_settings_19](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) +![policypak_application_settings_19](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) -![policypak_application_settings_20](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_20.webp) +![policypak_application_settings_20](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_20.webp) Figure 20. System-wide lockdown using config files is only available on the Computer side, as seen in the examples of Firefox (top) and Java (bottom). @@ -44,7 +44,7 @@ does not appear on the User side. If you try to edit these three AppSets on the not see an option to perform UI lockdown. An example of editing one of these AppSets (the Firefox AppSet) on the User side (and therefore, not seeing the system-wide lockdown) is shown in Figure 21. -![policypak_application_settings_19](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) +![policypak_application_settings_19](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_19.webp) Figure 21. The lockdown via system-wide config file is not present on the User side. 
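Review bot: In specialnotes.md, last hunk (`@@ -44,7 +44,7 @@`), the Figure 21 image still resolves to `policypak_application_settings_19.webp`, the same file the previous hunk uses for the first Figure 20 image, although the caption says the system-wide lockdown is not present on the User side. The path rewrite carries that target over unchanged. Check whether Figure 21 should point to a separate User-side screenshot and fix the target in this pass, otherwise a reader comparing the Computer-side and User-side views sees the same picture twice.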
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testapplication.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testapplication.md index bb101acdf9..f3fd37ff2f 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testapplication.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testapplication.md @@ -6,14 +6,14 @@ use it in the Group Policy Editor. **Step 1 –** The next step is to create and link a group policy object (GPO) for your organizational unit (OU), like East Sales Users, as seen in Figure 2. -![policypak_application_settings_1](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_1.webp) +![policypak_application_settings_1](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_1.webp) **Step 2 –** Edit the GPO, and then add in the AppSet for WinZip, as seen in Figure 3. To do this, scroll down to User Configuration | Endpoint Policy Manager | Application Settings Manager. Then right-click on "Application Settings Manager" and select "New Application," and then choose the Endpoint Policy Manager for WinZip. -![policypak_application_settings_2](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_2.webp) +![policypak_application_settings_2](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_2.webp) Figure 3. How to add the Pak for WinZip. 
@@ -28,7 +28,7 @@ WinZip interface. can see in Figure 4. The goal is to change some of WinZip's settings within the GPO, then see results within the endpoint. -![policypak_application_settings_3](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_3.webp) +![policypak_application_settings_3](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_3.webp) Figure 4. Location of the Passwords tab. @@ -43,14 +43,14 @@ changes: **Step 6 –** You can see the suggested test settings in Figure 5. -![policypak_application_settings_4](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_4.webp) +![policypak_application_settings_4](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_4.webp) Figure 5. Suggested test settings. **Step 7 –** When you right-click on any setting within Endpoint Policy Manager Application Settings Manager, you'll be given the options shown in Figure 6. -![policypak_application_settings_5](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_5.webp) +![policypak_application_settings_5](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_5.webp) Figure 6. Settings options. 
@@ -69,7 +69,7 @@ Manager Application Settings Manager Modes." "Minimum password length" should now be configured, as shown in Figure 7. -![policypak_application_settings_6](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_6.webp) +![policypak_application_settings_6](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_6.webp) Figure 7. The settings for "Minimum password length": the item is set to 11 and three options are selected. @@ -80,7 +80,7 @@ checkbox. Leave this setting as is. While you have the menu open, also select "R setting to "[the default value]" when it is no longer applied." You can see your final configuration in Figure 8. -![policypak_application_settings_7](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_7.webp) +![policypak_application_settings_7](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_7.webp) Figure 8. Configuration of "at least one lower case character (a-z)" settings. @@ -88,7 +88,7 @@ Figure 8. Configuration of "at least one lower case character (a-z)" settings. setting as is. Make no additional changes to "at least one upper case character (A-Z)." You can see the desired configuration in Figure 9. -![policypak_application_settings_8](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_8.webp) +![policypak_application_settings_8](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_8.webp) Figure 9. Configuration of "at least one upper case character (A-Z)" settings. 
@@ -97,7 +97,7 @@ Figure 9. Configuration of "at least one upper case character (A-Z)" settings. "Hide corresponding control in target application." You can see the desired configuration in Figure 10. -![policypak_application_settings_9](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_9.webp) +![policypak_application_settings_9](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_9.webp) Figure 10. Configuration of "at least one numeric character (0-9)" settings. @@ -106,7 +106,7 @@ one symbol character (!,@,#,$,%,^,&,\*...)." Leave "Always reapply this setting" selected "Always reapply this setting," you must also select "Disable corresponding control in target application." You can see the desired configuration in Figure 11. -![policypak_application_settings_10](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_10.webp) +![policypak_application_settings_10](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_10.webp) Figure 11. Configuration for "at least one symbol character (!,@,#,$,%,^,&,\*...)" settings. @@ -114,7 +114,7 @@ Figure 11. Configuration for "at least one symbol character (!,@,#,$,%,^,&,\*... target application." This is located right below the Cameras tab (but not directly on the Cameras tab), as seen in Figure 12. -![policypak_application_settings_11](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_11.webp) +![policypak_application_settings_11](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_11.webp) Figure 12. Finding and selecting "Disable whole tab in target application" in the Cameras tab. 
diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testclient.md b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testclient.md index bbd0d54a6a..984a6e9e9e 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testclient.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/quickstart/testclient.md @@ -26,7 +26,7 @@ perform. You can see the results in Figure 13. -![policypak_application_settings_12](../../../../../../static/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_12.webp) +![policypak_application_settings_12](/img/product_docs/policypak/policypak/applicationsettings/designstudio/quickstart/policypak_application_settings_12.webp) Figure 13. The results of the Application Settings Manager setting changes. diff --git a/docs/policypak/policypak/applicationsettings/preconfigured/side.md b/docs/policypak/policypak/applicationsettings/preconfigured/side.md index 8fac39d829..de2e73f6fc 100644 --- a/docs/policypak/policypak/applicationsettings/preconfigured/side.md +++ b/docs/policypak/policypak/applicationsettings/preconfigured/side.md @@ -18,4 +18,4 @@ So, our general recommendation (if you're looking for one) is: For more information on this, see the following FAQ item. -[Firefox (and Java and Thunderbird): Why can't I seem to find (or perform) UI lockdown for Firefox, Java or Thunderbird ?](firefox/javathunderbird.md) +[Firefox (and Java and Thunderbird): Why can't I seem to find (or perform) UI lockdown for Firefox, Java or Thunderbird ?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/javathunderbird.md) diff --git a/docs/policypak/policypak/applicationsettings/rolesresponsibilities.md b/docs/policypak/policypak/applicationsettings/rolesresponsibilities.md index 2d735c5a56..12e934cf0e 100644 --- a/docs/policypak/policypak/applicationsettings/rolesresponsibilities.md 
+++ b/docs/policypak/policypak/applicationsettings/rolesresponsibilities.md @@ -18,4 +18,4 @@ Policy Manager piece fits in. In the table, you'll see which Active Directory el based upon operating system type, the role it plays, and which Endpoint Policy Manager component needs to be installed (if any). -![190_1_2014-09-22_0927](../../../../static/img/product_docs/policypak/policypak/applicationsettings/190_1_2014-09-22_0927.webp) +![190_1_2014-09-22_0927](/img/product_docs/policypak/policypak/applicationsettings/190_1_2014-09-22_0927.webp) diff --git a/docs/policypak/policypak/applicationsettings/thinapp.md b/docs/policypak/policypak/applicationsettings/thinapp.md index 35ec8a551c..fc152543a9 100644 --- a/docs/policypak/policypak/applicationsettings/thinapp.md +++ b/docs/policypak/policypak/applicationsettings/thinapp.md 
@@ -17,18 +17,18 @@ OpenOffice 4.0, the version is 8u40. Notepad. Note the AppID in the might be different than what is in this screenshot and/or have multiple AppIDs. Simply preserve the existing ID, and append as seen here. -![147_1_image0052](../../../../static/img/product_docs/policypak/policypak/applicationsettings/147_1_image0052.webp) +![147_1_image0052](/img/product_docs/policypak/policypak/applicationsettings/147_1_image0052.webp) **Step 5 –** Open the Java Pak XML in the Endpoint Policy Manager DesignStudio. Update the Project name so it's clear what it's doing. Then recompile. -![147_2_image003](../../../../static/img/product_docs/policypak/policypak/applicationsettings/147_2_image003.webp) +![147_2_image003](/img/product_docs/policypak/policypak/applicationsettings/147_2_image003.webp) **Step 6 –** Give the Pak a new DLL name and Recompile the Pak -![147_3_image004](../../../../static/img/product_docs/policypak/policypak/applicationsettings/147_3_image004.webp) +![147_3_image004](/img/product_docs/policypak/policypak/applicationsettings/147_3_image004.webp) **Step 7 –** Use the new Pak in Endpoint Policy Manager Application Settings Manager . Your ThinApp package's Java will automatically be configured at this point with the settings you dictate. -![147_4_image0061](../../../../static/img/product_docs/policypak/policypak/applicationsettings/147_4_image0061.webp) +![147_4_image0061](/img/product_docs/policypak/policypak/applicationsettings/147_4_image0061.webp) diff --git a/docs/policypak/policypak/applicationsettings/windowsremoteassistance.md b/docs/policypak/policypak/applicationsettings/windowsremoteassistance.md index 3fe8b9559c..f6a41c69f8 100644 --- a/docs/policypak/policypak/applicationsettings/windowsremoteassistance.md +++ b/docs/policypak/policypak/applicationsettings/windowsremoteassistance.md 
@@ -12,32 +12,32 @@ end-users computers. **Step 2 –** Right-click on a required OU and Create a new GPO. -![686_1_image-20200330200931-1](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_1_image-20200330200931-1.webp) +![686_1_image-20200330200931-1](/img/product_docs/policypak/policypak/applicationsettings/686_1_image-20200330200931-1.webp) **Step 3 –** Give the GPO a descriptive Name then click the OK button. -![686_3_image-20200330200932-2](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_3_image-20200330200932-2.webp) +![686_3_image-20200330200932-2](/img/product_docs/policypak/policypak/applicationsettings/686_3_image-20200330200932-2.webp) **Step 4 –** Right-click on the new GPO you just created, and select Edit option. -![686_5_image-20200330200932-3](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_5_image-20200330200932-3.webp) +![686_5_image-20200330200932-3](/img/product_docs/policypak/policypak/applicationsettings/686_5_image-20200330200932-3.webp) **Step 5 –** Expand the Endpoint Policy Manager node under Computer Configuration and select the pre-configured PAK named "Endpoint Policy Manager for Microsoft Windows 7 and Later for System Properties" -![686_7_image-20200330200932-4](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_7_image-20200330200932-4.webp) +![686_7_image-20200330200932-4](/img/product_docs/policypak/policypak/applicationsettings/686_7_image-20200330200932-4.webp) **Step 6 –** Right-click on the PAK entry and select the Properties option. 
-![686_9_image-20200330200932-5](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_9_image-20200330200932-5.webp) +![686_9_image-20200330200932-5](/img/product_docs/policypak/policypak/applicationsettings/686_9_image-20200330200932-5.webp) **Step 7 –** Select the Remote tab, and select the checkbox "Allow Remote Assistance connections to this computer" and then click the OK button. **NOTE:** Make sure that the selection is underlined as shown in the screenshot. -![686_11_image-20200330200932-6](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_11_image-20200330200932-6.webp) +![686_11_image-20200330200932-6](/img/product_docs/policypak/policypak/applicationsettings/686_11_image-20200330200932-6.webp) **Step 8 –** Lastly, run `GPUPDATE` on end-users computers to apply the policy immediately, or wait for the policy to apply during the normal group policy refresh interval. @@ -54,7 +54,7 @@ Firewall for incoming remote assistance connections. **Step 2 –** Proactively address possible issue with `MSRA.EXE` and `PPAppLockdr64.dll`: -![686_13_image-20201016161058-2](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_13_image-20201016161058-2.webp) +![686_13_image-20201016161058-2](/img/product_docs/policypak/policypak/applicationsettings/686_13_image-20201016161058-2.webp) Using Endpoint Policy Manager Scripts Manager you can execute the following script to configure custom Exploit Protection settings for Microsoft Remote Assistance (`MSRA.EXE`). 
@@ -65,16 +65,16 @@ Set-ProcessMitigation -Name msra.exe -Enable DisableExtensionPoints You can create two separate policy items: -![686_14_image-20201016162349-4](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_14_image-20201016162349-4.webp) +![686_14_image-20201016162349-4](/img/product_docs/policypak/policypak/applicationsettings/686_14_image-20201016162349-4.webp) Or you can combine both policies in one if you prefer: -![686_15_image-20201016162040-3](../../../../static/img/product_docs/policypak/policypak/applicationsettings/686_15_image-20201016162040-3.webp) +![686_15_image-20201016162040-3](/img/product_docs/policypak/policypak/applicationsettings/686_15_image-20201016162040-3.webp) For more information on Endpoint Policy Manager Scripts Manager please consult the below reference articles. Reference Article -- [How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](../troubleshooting/applicationsettings/microsoftremoteassistance.md) -- [Deploy any script via the Cloud to domain joined and non-domain joined machines](../video/scriptstriggers/gettingstarted/cloud.md) +- [How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md) +- [Deploy any script via the Cloud to domain joined and non-domain joined machines](/docs/policypak/policypak/video/scriptstriggers/gettingstarted/cloud.md) diff --git a/docs/policypak/policypak/archive/overview.md b/docs/policypak/policypak/archive/overview.md index 62e399f326..630f360d2a 100644 
--- a/docs/policypak/policypak/archive/overview.md +++ b/docs/policypak/policypak/archive/overview.md 
@@ -3,31 +3,31 @@ See the following Knowledge Base articles and Video topics that have been archived. This is a list of archived Knowledge Base articles and video topics. -- [ADM/X Files – why they cannot prevent user shenanigans](admxfiles.md) -- [Manage Different Users In The Same OU (And Reduce Number of GPOs) With Endpoint Policy Manager ](differentusers.md) -- [Mass Deploy the Endpoint Policy Manager CSE using GPSI](massdeploy.md) -- [Upgrading the CSE using GPSI](upgrading.md) -- [Endpoint Policy Manager: Use the DesignStudio to manage FireFox's about:config settings](designstudiofirefox.md) -- [Deliver Group Policy to Domain Joined and non-Domain Joined machines thru the Cloud](cloud.md) -- [Understanding ADM-ADMX files Tattooing (and what to do about it)](tattooing.md) -- [Endpoint Policy Manager: Manage InfranView using Group Policy, SCCM or your own management utility](infranview.md) -- [Endpoint Policy Manager: Manage Opera Next using Group Policy, SCCM or your own management utility](operanext.md) -- [Endpoint Policy Manager: Manage GoToMeeting using Group Policy, SCCM or your own management utility](gotomeeting.md) -- [Endpoint Policy Manager Configure PARCC Testing Configuration Stations using Endpoint Policy Manager to prevent pop-ups](parcctesting.md) -- [Endpoint Policy Manager: Manage VMware Workstation Hardware and Options](vmware.md) -- [Endpoint Policy Manager: Manage and lockdown a specific VMware Workstation's VMX file settings](vmwarefilesettings.md) -- [Endpoint Policy Manager: Manage Java 7u45 using Group Policy](java.md) -- [Endpoint Policy Manager and VMware Horizon Mirage](vmwarehorizonmirage.md) -- [Lockdown Microsoft Office Suite 2013](office2013.md) -- [Endpoint Policy ManagerPreferences with Endpoint Policy Manager Exporter](preferencesexporter.md) -- [Endpoint Policy Manager Using Endpoint Policy Manager DesignStudio to modify the Java Paks for XP](designstudiojava.md) -- [Internet Explorer 10 and Internet Explorer Maintenance – 
the whole story](ie10.md) -- [Nuke mode, and why users can avoid your GPprefs settings](modenuke.md) -- [Endpoint Policy Manager: Manage Acrobat X Pro Using Group Policy](acrobatxpro.md) -- [Endpoint Policy Manager: Manage Internet Explorer (IE9) Using Group Policy](ie9.md) -- [Endpoint Policy Manager supplements VMware View](vmwaresupplements.md) -- [Endpoint Policy Manager: Manage Xenapp applications using Group Policy](xenapp.md) -- [Endpoint Policy Manager 3.5 Applock Update Behavior Change](applock.md) -- [Endpoint Policy Manager and Symantec Workspace Streaming and Virtualization](symantecworkspace.md) -- [The CSE auto-updater feature appears to not be working. What can I do?](autoupdater.md) -- [Group Policy Preferences: Item Level Targeting](itemleveltartgeting.md) +- [ADM/X Files – why they cannot prevent user shenanigans](/docs/policypak/policypak/archive/admxfiles.md) +- [Manage Different Users In The Same OU (And Reduce Number of GPOs) With Endpoint Policy Manager ](/docs/policypak/policypak/archive/differentusers.md) +- [Mass Deploy the Endpoint Policy Manager CSE using GPSI](/docs/policypak/policypak/archive/massdeploy.md) +- [Upgrading the CSE using GPSI](/docs/policypak/policypak/archive/upgrading.md) +- [Endpoint Policy Manager: Use the DesignStudio to manage FireFox's about:config settings](/docs/policypak/policypak/archive/designstudiofirefox.md) +- [Deliver Group Policy to Domain Joined and non-Domain Joined machines thru the Cloud](/docs/policypak/policypak/archive/cloud.md) +- [Understanding ADM-ADMX files Tattooing (and what to do about it)](/docs/policypak/policypak/archive/tattooing.md) +- [Endpoint Policy Manager: Manage InfranView using Group Policy, SCCM or your own management utility](/docs/policypak/policypak/archive/infranview.md) +- [Endpoint Policy Manager: Manage Opera Next using Group Policy, SCCM or your own management utility](/docs/policypak/policypak/archive/operanext.md) +- [Endpoint Policy Manager: Manage GoToMeeting using 
Group Policy, SCCM or your own management utility](/docs/policypak/policypak/archive/gotomeeting.md) +- [Endpoint Policy Manager Configure PARCC Testing Configuration Stations using Endpoint Policy Manager to prevent pop-ups](/docs/policypak/policypak/archive/parcctesting.md) +- [Endpoint Policy Manager: Manage VMware Workstation Hardware and Options](/docs/policypak/policypak/archive/vmware.md) +- [Endpoint Policy Manager: Manage and lockdown a specific VMware Workstation's VMX file settings](/docs/policypak/policypak/archive/vmwarefilesettings.md) +- [Endpoint Policy Manager: Manage Java 7u45 using Group Policy](/docs/policypak/policypak/archive/java.md) +- [Endpoint Policy Manager and VMware Horizon Mirage](/docs/policypak/policypak/archive/vmwarehorizonmirage.md) +- [Lockdown Microsoft Office Suite 2013](/docs/policypak/policypak/archive/office2013.md) +- [Endpoint Policy ManagerPreferences with Endpoint Policy Manager Exporter](/docs/policypak/policypak/archive/preferencesexporter.md) +- [Endpoint Policy Manager Using Endpoint Policy Manager DesignStudio to modify the Java Paks for XP](/docs/policypak/policypak/archive/designstudiojava.md) +- [Internet Explorer 10 and Internet Explorer Maintenance – the whole story](/docs/policypak/policypak/archive/ie10.md) +- [Nuke mode, and why users can avoid your GPprefs settings](/docs/policypak/policypak/archive/modenuke.md) +- [Endpoint Policy Manager: Manage Acrobat X Pro Using Group Policy](/docs/policypak/policypak/archive/acrobatxpro.md) +- [Endpoint Policy Manager: Manage Internet Explorer (IE9) Using Group Policy](/docs/policypak/policypak/archive/ie9.md) +- [Endpoint Policy Manager supplements VMware View](/docs/policypak/policypak/archive/vmwaresupplements.md) +- [Endpoint Policy Manager: Manage Xenapp applications using Group Policy](/docs/policypak/policypak/archive/xenapp.md) +- [Endpoint Policy Manager 3.5 Applock Update Behavior Change](/docs/policypak/policypak/archive/applock.md) +- [Endpoint Policy 
Manager and Symantec Workspace Streaming and Virtualization](/docs/policypak/policypak/archive/symantecworkspace.md) +- [The CSE auto-updater feature appears to not be working. What can I do?](/docs/policypak/policypak/archive/autoupdater.md) +- [Group Policy Preferences: Item Level Targeting](/docs/policypak/policypak/archive/itemleveltartgeting.md) diff --git a/docs/policypak/policypak/browserrouter/advancedblockingmessage.md b/docs/policypak/policypak/browserrouter/advancedblockingmessage.md index 83e6e7a381..0975d40d25 100644 --- a/docs/policypak/policypak/browserrouter/advancedblockingmessage.md +++ b/docs/policypak/policypak/browserrouter/advancedblockingmessage.md @@ -2,12 +2,12 @@ A customer blocking message is optional. If you don't make any changes, the default looks like this: -![953_1_thumbnail_image001](../../../../static/img/product_docs/policypak/policypak/browserrouter/953_1_thumbnail_image001.webp) +![953_1_thumbnail_image001](/img/product_docs/policypak/policypak/browserrouter/953_1_thumbnail_image001.webp) However, you can change the default Endpoint Policy Manager Browser Router Block policy and use variables we provide. -![953_2_image002](../../../../static/img/product_docs/policypak/policypak/browserrouter/953_2_image002.webp) +![953_2_image002](/img/product_docs/policypak/policypak/browserrouter/953_2_image002.webp) The advanced block message must support both the environment variables for the current user and the context variables listed below: diff --git a/docs/policypak/policypak/browserrouter/commandlinearguments.md b/docs/policypak/policypak/browserrouter/commandlinearguments.md index 5b39019b52..562cfdee53 100644 --- a/docs/policypak/policypak/browserrouter/commandlinearguments.md +++ b/docs/policypak/policypak/browserrouter/commandlinearguments.md 
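Review bot: In archive/overview.md, the last added list entry targets `/docs/policypak/policypak/archive/itemleveltartgeting.md`, which keeps the misspelled file name ("tartgeting") from the old relative link. Either rename the file and update this link in the same change, or confirm that the misspelled name is the one on disk so the absolute link does not break on a later cleanup. In the same list, the link texts "InfranView" and "Endpoint Policy ManagerPreferences" (missing space) also look like typos that were carried across.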
@@ -11,7 +11,7 @@ this one: Below is an example of launching www.abc.com in Chrome's incognito mode. -![about_policypak_browser_router_21](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_21.webp) +![about_policypak_browser_router_21](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_21.webp) Note how you must specifically include **%url%** to specify where the URL will reside on the command line. Just selecting **incognito** by itself is not enough. The **%url%** will populate the correct @@ -28,4 +28,4 @@ To do this, select **Custom** for the browser type. Then set the **Command Line application you want to launch (as in, MSTSC) and the command line arguments to pass (as in, `c:\temp\file1.rdp /v:server1 8080`). -![about_policypak_browser_router_22](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_22.webp) +![about_policypak_browser_router_22](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_22.webp) diff --git a/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md b/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md index 8d51fb69dc..ff18f136d4 100644 --- a/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md +++ b/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md 
@@ -6,30 +6,30 @@ Endpoint Policy Manager Browser Router installed. A user on Windows 10 can then set his **Default Browser** from either within a browser, like Firefox, like this: -![218_1_ppbr-faq-3-pic-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_1_ppbr-faq-3-pic-1.webp) +![218_1_ppbr-faq-3-pic-1](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_1_ppbr-faq-3-pic-1.webp) Or, they can go directly into Windows **Default apps** and set the Web Browser like this… -![218_2_ppbr-faq-3-pic-2](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_2_ppbr-faq-3-pic-2.webp) +![218_2_ppbr-faq-3-pic-2](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_2_ppbr-faq-3-pic-2.webp) But as soon as you have Endpoint Policy Manager Browser Router licensed and with ANY Endpoint Policy Manager Browser Router rules enabled,you will see Endpoint Policy Manager Browser Router Agent as the **Web Browser** inside Windows 10. -![218_3_ppbr-faq-3-pic-3](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) +![218_3_ppbr-faq-3-pic-3](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) Then, using Endpoint Policy Manager Browser Router, you can set what the **Default Browser** policies. Below are two examples on how to do find that. 
-![218_4_ppbr-faq-3-pic-4](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_4_ppbr-faq-3-pic-4.webp) +![218_4_ppbr-faq-3-pic-4](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_4_ppbr-faq-3-pic-4.webp) -![218_5_ppbr-faq-3-pic-5](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_5_ppbr-faq-3-pic-5.webp) +![218_5_ppbr-faq-3-pic-5](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_5_ppbr-faq-3-pic-5.webp) When you set the **Default Browser** using Endpoint Policy Manager to IE, Edge, Chrome, or Firefox, the operating system will still showEndpoint Policy Manager **Browser Router Agent** as the **Web Browser**. -![218_6_ppbr-faq-3-pic-6](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) +![218_6_ppbr-faq-3-pic-6](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) But the user's perception of their Default Browser will be what you set here. @@ -37,7 +37,7 @@ So, when a user clicks on any URL which does not have a route, the default brows Endpoint Policy Manager Browser Router, will open up. **NOTE:** there is a special Default Browser option available, called **User Selectable** -[Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](../../video/browserrouter/defaultwindows10.md). +[Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](/docs/policypak/policypak/video/browserrouter/defaultwindows10.md). You can get more information on theUser Selectable in the Endpoint Policy Manager Browser Router manual. But in essence the steps are as follows: diff --git a/docs/policypak/policypak/browserrouter/defaultbrowser/overview.md b/docs/policypak/policypak/browserrouter/defaultbrowser/overview.md index c7b34a553b..b57cb7f261 100644 
--- a/docs/policypak/policypak/browserrouter/defaultbrowser/overview.md +++ b/docs/policypak/policypak/browserrouter/defaultbrowser/overview.md @@ -7,9 +7,9 @@ browsers can be the default, but only one can be chosen as the default. Addition special browser called **User Selectable**. Below you can see how to select the default browser. **NOTE:** For an overview of the User Selectable option, see -[Endpoint Policy Manager Browser Router User-Selected Default](../../video/browserrouter/userselecteddefault.md). +[Endpoint Policy Manager Browser Router User-Selected Default](/docs/policypak/policypak/video/browserrouter/userselecteddefault.md). -![about_policypak_browser_router_11](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_11.webp) +![about_policypak_browser_router_11](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_11.webp) The **User Selectable** option enables the user to specify their desired default browser as Internet Explorer, Edge, Chrome, or Firefox. The Endpoint Policy Manager engine "learns" this setting at the 
@@ -24,9 +24,9 @@ is assigned a default browser the first time they open a URL but can then change to one of their own choosing. In this case, we select the same settings as last time except we choose to apply the rule only one time, as sown below -![about_policypak_browser_router_12](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_12.webp) +![about_policypak_browser_router_12](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_12.webp) Users can then change the default browser to their own liking, even though their settings show that the web browser is managed by their organization. -![about_policypak_browser_router_13](../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_13.webp) +![about_policypak_browser_router_13](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/about_policypak_browser_router_13.webp) diff --git a/docs/policypak/policypak/browserrouter/edgelegacybrowser.md b/docs/policypak/policypak/browserrouter/edgelegacybrowser.md index da126e2197..fab559c4a1 100644 --- a/docs/policypak/policypak/browserrouter/edgelegacybrowser.md +++ b/docs/policypak/policypak/browserrouter/edgelegacybrowser.md @@ -6,7 +6,7 @@ browser. This application can be found listed under Apps & Features -![907_1_image-20220403003715-1](../../../../static/img/product_docs/policypak/policypak/browserrouter/907_1_image-20220403003715-1.webp) +![907_1_image-20220403003715-1](/img/product_docs/policypak/policypak/browserrouter/907_1_image-20220403003715-1.webp) PPBREdgePackage is the legacy equivalent of the Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router Chromium Extension and is not needed for Edge Chromium or any other browser. 
@@ -15,8 +15,8 @@ To verify Endpoint Policy Manager Browser Router Chromium Extension is installed look for the Endpoint Policy Manager icon, which can usually be seen in the top-right corner with the other extensions. -![907_2_image-20220403003715-2](../../../../static/img/product_docs/policypak/policypak/browserrouter/907_2_image-20220403003715-2.webp) +![907_2_image-20220403003715-2](/img/product_docs/policypak/policypak/browserrouter/907_2_image-20220403003715-2.webp) It can be managed by clicking on **Extensions** >**…** >, **Manage extension**. -![907_3_image-20220403003715-3](../../../../static/img/product_docs/policypak/policypak/browserrouter/907_3_image-20220403003715-3.webp) +![907_3_image-20220403003715-3](/img/product_docs/policypak/policypak/browserrouter/907_3_image-20220403003715-3.webp) diff --git a/docs/policypak/policypak/browserrouter/editpolicytemplate/browsermode.md b/docs/policypak/policypak/browserrouter/editpolicytemplate/browsermode.md index 46ab668b32..ff74b14678 100644 --- a/docs/policypak/policypak/browserrouter/editpolicytemplate/browsermode.md +++ b/docs/policypak/policypak/browserrouter/editpolicytemplate/browsermode.md 
@@ -4,12 +4,12 @@ Chromium Edition installed for these rules to function properly. Follow these steps to configure Browser Router: -![767_1_image-20210121211003-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_1_image-20210121211003-1.webp) +![767_1_image-20210121211003-1](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_1_image-20210121211003-1.webp) **Step 1 –** Create a new Browser Router collection, and add a new policy item to redirect the web site to IE in whichever mode you wish. -![767_2_image-20210121211003-2](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_2_image-20210121211003-2.webp) +![767_2_image-20210121211003-2](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_2_image-20210121211003-2.webp) **Step 2 –** Run `GPUPDATE` on the target machine to verify that the policy is working. You should see your site displayed in the required IE Mode. 
@@ -17,12 +17,12 @@ see your site displayed in the required IE Mode. **NOTE:** You can press F12 for Developer Tools while in IE, then look under the Emulation tab to see which mode the page is loaded in. -![767_3_image-20210121211003-3](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_3_image-20210121211003-3.webp) +![767_3_image-20210121211003-3](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_3_image-20210121211003-3.webp) **Step 3 –** Now that you have confirmed that the site works in the required IE mode, you can enable the "Open as IE in Edge tab" mode in the BR Policy. -![767_4_image-20210121211003-4](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_4_image-20210121211003-4.webp) +![767_4_image-20210121211003-4](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/767_4_image-20210121211003-4.webp) **Step 4 –** Run `GPUPDATE` on the target machine, open Internet Explorer, go to the site that should be redirected to IE in Edge tab mode, then wait 65 seconds or more, refresh page in IE to see @@ -31,4 +31,4 @@ in the required IE Document Mode. **NOTE:** IE Mode in Edge takes 65 seconds to take effect after Internet Explorer is running Please see this kb article for more -information: [Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](../../video/browserrouter/ieedgemode.md) +information: [Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](/docs/policypak/policypak/video/browserrouter/ieedgemode.md) diff --git a/docs/policypak/policypak/browserrouter/editpolicytemplate/commandlinearguments.md b/docs/policypak/policypak/browserrouter/editpolicytemplate/commandlinearguments.md index 9fc4af3198..bdbc76ce1e 100644 --- a/docs/policypak/policypak/browserrouter/editpolicytemplate/commandlinearguments.md +++ b/docs/policypak/policypak/browserrouter/editpolicytemplate/commandlinearguments.md 
@@ -17,7 +17,7 @@ PPBR rule as shown below. **NOTE:** Please note that the syntax `%url%` is case sensitive. -![881_1_image-20221228073914-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/881_1_image-20221228073914-1.webp) +![881_1_image-20221228073914-1](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/881_1_image-20221228073914-1.webp) **NOTE:** Please note that Chromium often removes a flag's support or replaces it with ADMX settings. diff --git a/docs/policypak/policypak/browserrouter/editpolicytemplate/securityzone.md b/docs/policypak/policypak/browserrouter/editpolicytemplate/securityzone.md index 29ec6f3f68..798e7a839e 100644 --- a/docs/policypak/policypak/browserrouter/editpolicytemplate/securityzone.md +++ b/docs/policypak/policypak/browserrouter/editpolicytemplate/securityzone.md @@ -5,9 +5,9 @@ This is possible, using the Netwrix Endpoint Policy Manager (formerly PolicyPak) **Step 1 –** Set up a rule (route as seen in this example. Specify that the Internet Security Zone is set to BLOCK. -![170_1_image001](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/170_1_image001.webp) +![170_1_image001](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/170_1_image001.webp) **Step 2 –** Then, make other rules which route to the websites you want. Finally, ensure your blocking policy is last in the list, so all whitelisted items will process before the blockitem. -![170_2_image002](../../../../../static/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/170_2_image002.webp) +![170_2_image002](/img/product_docs/policypak/policypak/browserrouter/editpolicytemplate/170_2_image002.webp) diff --git a/docs/policypak/policypak/browserrouter/exportcollections.md b/docs/policypak/policypak/browserrouter/exportcollections.md index 3f9503eb2b..d286e8fdec 100644 --- a/docs/policypak/policypak/browserrouter/exportcollections.md 
+++ b/docs/policypak/policypak/browserrouter/exportcollections.md @@ -7,12 +7,12 @@ your own MDM service, or Endpoint Policy Manager Cloud. To export a policy for later use using Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud, follow thee steps: -![about_policypak_browser_router_47](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_47.webp) +![about_policypak_browser_router_47](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_47.webp) **Step 1 –** Right-click the collection or the policy and select **Export to XML**. This enables you to save an XML file for later use. -![about_policypak_browser_router_48](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_48.webp) +![about_policypak_browser_router_48](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_48.webp) Choose a policy and select Export to XML. diff --git a/docs/policypak/policypak/browserrouter/forcebrowser.md b/docs/policypak/policypak/browserrouter/forcebrowser.md index b9c4560308..196e93c98a 100644 --- a/docs/policypak/policypak/browserrouter/forcebrowser.md +++ b/docs/policypak/policypak/browserrouter/forcebrowser.md 
@@ -9,22 +9,22 @@ Manager Browser Router) to set the following values. Firefox -![48_1_image001](../../../../static/img/product_docs/policypak/policypak/browserrouter/48_1_image001.webp) +![48_1_image001](/img/product_docs/policypak/policypak/browserrouter/48_1_image001.webp) Chrome -![48_2_image002](../../../../static/img/product_docs/policypak/policypak/browserrouter/48_2_image002.webp) +![48_2_image002](/img/product_docs/policypak/policypak/browserrouter/48_2_image002.webp) -![48_3_image003](../../../../static/img/product_docs/policypak/policypak/browserrouter/48_3_image003.webp) +![48_3_image003](/img/product_docs/policypak/policypak/browserrouter/48_3_image003.webp) Internet Explorer -![48_4_image004](../../../../static/img/product_docs/policypak/policypak/browserrouter/48_4_image004.webp) +![48_4_image004](/img/product_docs/policypak/policypak/browserrouter/48_4_image004.webp) Create a Policy that always opens a specific browser when a specific page is requested, for example, the home page configured above. -![48_5_image005](../../../../static/img/product_docs/policypak/policypak/browserrouter/48_5_image005.webp) +![48_5_image005](/img/product_docs/policypak/policypak/browserrouter/48_5_image005.webp) In this example,when Firefox or Internet Explorer is started, Browser Router will immediately close that browser and open Chrome. diff --git a/docs/policypak/policypak/browserrouter/install/chromemanual.md b/docs/policypak/policypak/browserrouter/install/chromemanual.md index a6b88036c5..9497374e32 100644 --- a/docs/policypak/policypak/browserrouter/install/chromemanual.md +++ b/docs/policypak/policypak/browserrouter/install/chromemanual.md 
@@ -16,13 +16,13 @@ for Google chrome manually from a local/network path, follow the below steps. Follow these steps to convert the Chrome Web Store link of any Extension to an `.CRX` File. **Step 1 –** Check the information here: -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../../troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) Note down the Extension ID. You'll need this step every time we release updates for Software. **Step 2 –** Append the PPBR Chrome Extension ID with the following URL: [https://chrome.google.com/webstore/detail/policypak-browser-router/[PPBR-Extension-ID](https://chrome.google.com/webstore/detail/policypak-browser-router/[PPBR-Extension-ID)] -![535_1_image-20191222210303-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_1_image-20191222210303-1.webp) +![535_1_image-20191222210303-1](/img/product_docs/policypak/policypak/browserrouter/install/535_1_image-20191222210303-1.webp) **Step 3 –** ote the PPBR Chrome Extension's Version Number. 
@@ -30,11 +30,11 @@ Note down the Extension ID. You'll need this step every time we release updates **Step 5 –** Insert the updated PPBR Chrome Extension URL that you appended in step 1.2. -![535_3_image-20191222210303-2_457x162](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_3_image-20191222210303-2_457x162.webp) +![535_3_image-20191222210303-2_457x162](/img/product_docs/policypak/policypak/browserrouter/install/535_3_image-20191222210303-2_457x162.webp) **Step 6 –** Click **OK** -![535_5_image-20191222210303-3](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_5_image-20191222210303-3.webp) +![535_5_image-20191222210303-3](/img/product_docs/policypak/policypak/browserrouter/install/535_5_image-20191222210303-3.webp) **Step 7 –** Click on Get .CRX @@ -48,7 +48,7 @@ Copy the` .CRX` extension file using Group Policy Preference item. **Step 2 –** Right-click on the **Files** node and select **New** and then **File**. -![535_7_image-20191222210303-4](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_7_image-20191222210303-4.webp) +![535_7_image-20191222210303-4](/img/product_docs/policypak/policypak/browserrouter/install/535_7_image-20191222210303-4.webp) **Step 3 –** Configure this policy as shown below. Change **Source** and **Destination** paths as needed. @@ -65,7 +65,7 @@ Follow these steps to only install PPBR Chrome Extension. **Step 2 –** Right-click on **Registry node**, then click on **New** > **Registry Item** -![535_9_image-20191222210303-5](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_9_image-20191222210303-5.webp) +![535_9_image-20191222210303-5](/img/product_docs/policypak/policypak/browserrouter/install/535_9_image-20191222210303-5.webp) **Step 3 –** Configure the setting as shown below. The value's references are under Chrome REG section. 
@@ -97,20 +97,20 @@ VALUE: [version of your .crx as specified in the manifest This section has to be executed by the end-user. -![535_11_image-20191222210303-6](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_11_image-20191222210303-6.webp) +![535_11_image-20191222210303-6](/img/product_docs/policypak/policypak/browserrouter/install/535_11_image-20191222210303-6.webp) **Step 1 –** Relaunch Google Chrome and wait for the notification banner, thenclick the **Enable extension** button. -![535_13_image-20191222210303-7](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_13_image-20191222210303-7.webp) +![535_13_image-20191222210303-7](/img/product_docs/policypak/policypak/browserrouter/install/535_13_image-20191222210303-7.webp) If you aren't prompted forthe **Enable extension** window, look for this icon -in the Chrome Browser and follow the instructions in the next step to enable it. -![535_15_image-20191222210303-8](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_15_image-20191222210303-8.webp) +![535_15_image-20191222210303-8](/img/product_docs/policypak/policypak/browserrouter/install/535_15_image-20191222210303-8.webp) **Step 2 –** Select an option for Endpoint Policy Manager Browser Router Chrome Extension: -![535_17_image-20191222210303-9](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/535_17_image-20191222210303-9.webp) +![535_17_image-20191222210303-9](/img/product_docs/policypak/policypak/browserrouter/install/535_17_image-20191222210303-9.webp) **Step 3 –** Click on **Enable extension** button: diff --git a/docs/policypak/policypak/browserrouter/install/removeagent.md b/docs/policypak/policypak/browserrouter/install/removeagent.md index 5433f8a2e8..e2b080d199 100644 --- a/docs/policypak/policypak/browserrouter/install/removeagent.md +++ b/docs/policypak/policypak/browserrouter/install/removeagent.md 
@@ -5,7 +5,7 @@ environment and your environment does not have any Endpoint Policy Manager Brows policies enabled, you may still notice that you see the PPBR Agent as an available option under **Settings** > **Default Apps** > **Web Browser**. -![483_1_image-20190911221425-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_1_image-20190911221425-1.webp) +![483_1_image-20190911221425-1](/img/product_docs/policypak/policypak/browserrouter/install/483_1_image-20190911221425-1.webp) If you would like to remove the PPBR agent from this list please see the steps under the two scenarios below, and follow the steps in the scenario relevant to your environment. 
@@ -16,21 +16,21 @@ You can remove the PPBR Agent from this list by unlicensing the Endpoint Policy Router component and removing the PPBR Agent entry from the list of default Web Browsers utilizing the steps below. -![483_2_image-20190911221425-2](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_2_image-20190911221425-2.webp) +![483_2_image-20190911221425-2](/img/product_docs/policypak/policypak/browserrouter/install/483_2_image-20190911221425-2.webp) **Step 1 –** Add a new policy under **PolicyPak** > **Administrative Templates Manager**: -![483_3_image-20190911221425-3_950x559](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_3_image-20190911221425-3_950x559.webp) +![483_3_image-20190911221425-3_950x559](/img/product_docs/policypak/policypak/browserrouter/install/483_3_image-20190911221425-3_950x559.webp) **Step 2 –** Under **New Admin Templates Entry** select **Administrative Templates** > **Admin Templates (ADMX files)** > **PolicyPak** > **Browser Router** > Prevent PPBR component from being licensed then click **Add** to create the policy. -![483_4_image-20190911221425-4_950x354](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_4_image-20190911221425-4_950x354.webp) +![483_4_image-20190911221425-4_950x354](/img/product_docs/policypak/policypak/browserrouter/install/483_4_image-20190911221425-4_950x354.webp) **Step 3 –** Next set the policy as enabled, and click **OK**. -![483_5_image-20190911221425-5_950x150](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_5_image-20190911221425-5_950x150.webp) +![483_5_image-20190911221425-5_950x150](/img/product_docs/policypak/policypak/browserrouter/install/483_5_image-20190911221425-5_950x150.webp) **Step 4 –** Next, create a new policy item under **Group Policy Preferences** > **Windows Settings** > **Registry** that will delete the following registry key. 
@@ -48,25 +48,25 @@ level as needed (i.e. wherever your affected computers or users happen to live). **Step 7 –** Once GPUPDATE is successful, log off of the computer and then log back in. -![483_6_image-20190911221425-6](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_6_image-20190911221425-6.webp) +![483_6_image-20190911221425-6](/img/product_docs/policypak/policypak/browserrouter/install/483_6_image-20190911221425-6.webp) **Step 8 –** Now check under **Settings** > **Default Apps** > **Web Browser** and the option to select the PPBR Agent should no longer be present. ## SCENARIO 2: You HAVE used Endpoint Policy Manager Browser Router in Legacy Browser Mode (either currently or sometime in the past) but no longer wish to, AND currently have no PPBR policies enabled in your environment: -![483_7_image-20210105155954-1](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_7_image-20210105155954-1.webp) +![483_7_image-20210105155954-1](/img/product_docs/policypak/policypak/browserrouter/install/483_7_image-20210105155954-1.webp) **Step 1 –** Follow steps 1-4 above from Scenario 1 then continue with the steps below. 
-![483_8_image-20190911221425-7_950x315](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_8_image-20190911221425-7_950x315.webp) +![483_8_image-20190911221425-7_950x315](/img/product_docs/policypak/policypak/browserrouter/install/483_8_image-20190911221425-7_950x315.webp) **Step 2 –** Add a new GPPrefs Policy item to one of your existing GPOs above, or create a new GPO using **Group Policy** > **Policy Preferences** > **Windows Settings** to delete the following file: `C:\ProgramData\PolicyPak\Common\ppFileAssociations.xml` -![483_9_image-20190911221425-8](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_9_image-20190911221425-8.webp) +![483_9_image-20190911221425-8](/img/product_docs/policypak/policypak/browserrouter/install/483_9_image-20190911221425-8.webp) **Step 3 –** Set the GPO (or GPOs) containing these three policy items to apply to the OU or Domain level as needed (i.e. wherever your affected computers or users happen to live). @@ -79,7 +79,7 @@ under **Settings** > **Default Apps** > **Default Apps** > **Web Browser**, open **Step 5 –** Once `GPUDATE` is successful, log off of the computer and then log back in. -![483_10_image-20190911221425-9](../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_6_image-20190911221425-6.webp) +![483_10_image-20190911221425-9](/img/product_docs/policypak/policypak/browserrouter/install/483_6_image-20190911221425-6.webp) **Step 6 –** Now check under **Settings** > **Default Apps** > **Web Browser** and the option to select the PPBR Agent should no longer be present. diff --git a/docs/policypak/policypak/browserrouter/internetexplorer/convertxmls.md b/docs/policypak/policypak/browserrouter/internetexplorer/convertxmls.md index b3817e8971..c996aaab14 100644 --- a/docs/policypak/policypak/browserrouter/internetexplorer/convertxmls.md +++ b/docs/policypak/policypak/browserrouter/internetexplorer/convertxmls.md 
@@ -1,7 +1,7 @@ # Converting Existing IE Site List XMLs **NOTE:** To get an overview on how to convert existing IE site lists, please see: -[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](../../video/browserrouter/iesitelists.md). +[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](/docs/policypak/policypak/video/browserrouter/iesitelists.md). Now let's see how you can take a Microsoft Enterprise Mode Internet Explorer site list and quickly convert it to be used in Endpoint Policy Manager Browser Router. This saves you the time and trouble 
@@ -12,23 +12,23 @@ Microsoft has a tool you can use to create these lists that you can download at: [https://www.microsoft.com/en-us/download/details.aspx?id=49974](https://www.microsoft.com/en-us/download/details.aspx?id=49974). Simply run the tool and add the sites along with their necessary parameters as is shown below. -![about_policypak_browser_router_31](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_31.webp) +![about_policypak_browser_router_31](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_31.webp) When this is complete, save the list as an XML file. Once you have a list, create a **From Enterprise Mode Site List** rule using Endpoint Policy Manager Browser Router. -![about_policypak_browser_router_32](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_32.webp) +![about_policypak_browser_router_32](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_32.webp) You will then be prompted to point to the created list. Once selected, a pop-up will confirm the number of rules being imported. You can choose to import the rules into the existing collection or a new collection. -![about_policypak_browser_router_33](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_33.webp) +![about_policypak_browser_router_33](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_33.webp) The imported rules now appear. 
-![about_policypak_browser_router_34](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_34.webp) +![about_policypak_browser_router_34](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_34.webp) You can review any of the rules to confirm or change their settings. -![about_policypak_browser_router_35](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_35.webp) +![about_policypak_browser_router_35](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_35.webp) diff --git a/docs/policypak/policypak/browserrouter/internetexplorer/edgemod.md b/docs/policypak/policypak/browserrouter/internetexplorer/edgemod.md index 7274e6729b..a325ab4e3e 100644 --- a/docs/policypak/policypak/browserrouter/internetexplorer/edgemod.md +++ b/docs/policypak/policypak/browserrouter/internetexplorer/edgemod.md @@ -2,7 +2,7 @@ **NOTE:** To get an overview of Endpoint Policy Manager Browser Router and Internet Explorer in Edge Mode, please see: -[Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](../../video/browserrouter/ieedgemode.md). +[Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](/docs/policypak/policypak/video/browserrouter/ieedgemode.md). If you want to stay with a Microsoft browser, you want your user to use Edge rather than IE. But some intranet sites don't support Edge, so you are forced to use IE. However, instead of forcing 
@@ -17,7 +17,7 @@ Create a rule for [www.policypak.com](http://www.policypak.com/video/policypak-browser-router-and-ports.html) and assign it to IE. This time select **Open as IE in Edge tab** . -![about_policypak_browser_router_29](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_29.webp) +![about_policypak_browser_router_29](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_29.webp) When the user logs on and tries to access [www.policypak.com](http://www.policypak.com/) they should see it open as an IE tab in Edge. We say should because the rule will not work right away. There is @@ -28,12 +28,12 @@ From the first time a user accesses a period of 65 seconds or so has to transpire until the rule comes fully into effect. Here you can see that the Endpoint Policy Manager website now appears in IE mode within the Edge browser itself: -![about_policypak_browser_router_30](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_30.webp) +![about_policypak_browser_router_30](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_30.webp) ### Converting Existing IE Site List XMLs **NOTE:** To get an overview on how to convert existing IE site lists, please see -[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](../../video/browserrouter/iesitelists.md). +[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](/docs/policypak/policypak/video/browserrouter/iesitelists.md). See how you can take a Microsoft Enterprise Mode Internet Explorer site list and quickly convert it to be used in Endpoint Policy Manager Browser Router. This saves you the time and trouble of 
@@ -44,26 +44,26 @@ Microsoft has a tool you can use to create these lists that you can download at [https://www.microsoft.com/en-us/download/details.aspx?id=49974](https://www.microsoft.com/en-us/download/details.aspx?id=49974). Simply run the tool and add the sites along with their necessary parameters. -![about_policypak_browser_router_31](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_31.webp) +![about_policypak_browser_router_31](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_31.webp) When this is complete, save the list as an XML file. Once you have a list, create a **From Enterprise Mode Site List** rule using Endpoint Policy Manager Browser Router. -![about_policypak_browser_router_32](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_32.webp) +![about_policypak_browser_router_32](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_32.webp) You are then prompted to point to the created list. Once selected, a pop-up confirms the number of rules being imported. You can choose to import the rules into the existing collection or a new collection. -![about_policypak_browser_router_33](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_33.webp) +![about_policypak_browser_router_33](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_33.webp) The imported rules now appear. 
-![about_policypak_browser_router_34](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_34.webp) +![about_policypak_browser_router_34](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_34.webp) You can review any of the rules to confirm or change their settings. -![about_policypak_browser_router_35](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_35.webp) +![about_policypak_browser_router_35](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_35.webp) ### Using Special Policy Types for Internet Explorer @@ -72,11 +72,11 @@ the Windows 10 Edge browser functions alongside Internet Explorer 11. **NOTE:** To get an overview of Endpoint Policy Manager Browser Router's special policies for Microsoft Edge, please see -[Endpoint Policy Manager and Edge ‘Special' policies](../../video/browserrouter/edgespecial.md). +[Endpoint Policy Manager and Edge ‘Special' policies](/docs/policypak/policypak/video/browserrouter/edgespecial.md). The policies are **All intranet to IE** policy and **All Enterprise from Edge to I**E policy. -![about_policypak_browser_router_36](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_36.webp) +![about_policypak_browser_router_36](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_36.webp) The **All intranet to IE** policy will take all websites that are already defined in the Intranet zone and ensure that those sites open in Internet Explorer 11 whenever the user tries to use diff --git a/docs/policypak/policypak/browserrouter/internetexplorer/overview.md b/docs/policypak/policypak/browserrouter/internetexplorer/overview.md index 65bafb00ed..0f39cca712 100644 
--- a/docs/policypak/policypak/browserrouter/internetexplorer/overview.md +++ b/docs/policypak/policypak/browserrouter/internetexplorer/overview.md @@ -17,7 +17,7 @@ Enterprise and Document Modes, please see **NOTE:** To learn more about Internet Explorer 11 Enterprise and Document Modes, see the following Microsoft websites: Enterprise Mode is at: -[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](../../video/browserrouter/iesitelists.md) +[Internet Explorer to Endpoint Policy Manager Browser Router Site lists](/docs/policypak/policypak/video/browserrouter/iesitelists.md) and Document Modes is at: [https://technet.microsoft.com/en-us/library/dn321432.aspx](http://www.policypak.com/video/policypak-using-pp-browser-router-on-citrix-or-rds-servers-with-published-browser-applications.html). @@ -29,7 +29,7 @@ Policy Manager Browser Router to perform this function. Using Endpoint Policy Manager Browser Router, you can require particular websites to use a specific Internet Explorer Enterprise Mode or Document Mode. -![about_policypak_browser_router_25](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_25.webp) +![about_policypak_browser_router_25](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_25.webp) Internet Explorer 11's Enterprise Mode has two specifications: v1 and v2. Endpoint Policy Manager Browser Router automatically detectsthe version of Internet Explorer installed on your endpoint 
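Review bot: In `internetexplorer/overview.md`, hunk `@@ -17,7 +17,7 @@`, the NOTE promises Microsoft websites for Enterprise Mode and Document Modes, but neither link goes to one. The rewritten "Enterprise Mode is at:" link points to the internal `iesitelists.md` video topic, and the unchanged Document Modes link shows a `technet.microsoft.com` URL as its text while its target is a `policypak.com` video page about Citrix or RDS servers. Since the line is being touched anyway, either point both links at the Microsoft pages the NOTE describes or reword the NOTE, and make the Document Modes link text match its target.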
@@ -52,19 +52,19 @@ You can easily see if Endpoint Policy Manager Browser Router and the Internet Ex Mode are working. There's an Internet Explorer 11 EM icon in the title bar next to the address bar that demonstrates that EM is active. -![about_policypak_browser_router_26](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_26.webp) +![about_policypak_browser_router_26](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_26.webp) If you've chosen to use one of the Internet Explorer Document Modes, you might have a hard time locating them if they are applying correctly since they are difficult to see. For instance, here we've set a page to display in IE5 Document Mode using Endpoint Policy Manager Browser Router. -![about_policypak_browser_router_27](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_27.webp) +![about_policypak_browser_router_27](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_27.webp) When users visit the website at this point, Endpoint Policy Manager Browser Router correctly sets the IE Document Mode accordingly. To see the DM, you need to press F12 within Internet Explorer 11 for **Developer Tools**, and then click the Emulation tab. -![about_policypak_browser_router_28](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_28.webp) +![about_policypak_browser_router_28](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_28.webp) In this way, you can easily create routes for all webpages that need special rendering modes using Endpoint Policy Manager Browser Router. 
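Review bot: In `internetexplorer/overview.md`, hunk `@@ -52,19 +52,19 @@`, all three rewritten image lines keep the file name as alt text (`about_policypak_browser_router_26`, `_27`, `_28`), which tells a screen-reader user nothing. The surrounding sentences already say what each screenshot shows (the EM icon next to the address bar, a page set to IE5 Document Mode, the Emulation tab in Developer Tools), so descriptive alt text can be taken from them in the same edit.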
diff --git a/docs/policypak/policypak/browserrouter/internetexplorer/specialtypes.md b/docs/policypak/policypak/browserrouter/internetexplorer/specialtypes.md index 639ee885d8..c9aa39bb99 100644 --- a/docs/policypak/policypak/browserrouter/internetexplorer/specialtypes.md +++ b/docs/policypak/policypak/browserrouter/internetexplorer/specialtypes.md @@ -6,11 +6,11 @@ Explorer 11. **NOTE:** To get an overview of Endpoint Policy Manager Browser Router's special policies for Microsoft Edge, please see -[Endpoint Policy Manager and Edge ‘Special' policies](../../video/browserrouter/edgespecial.md). +[Endpoint Policy Manager and Edge ‘Special' policies](/docs/policypak/policypak/video/browserrouter/edgespecial.md). The policies are **All intranet to IE** policy and **All Enterprise from Edge to IE** policy. -![about_policypak_browser_router_36](../../../../../static/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_36.webp) +![about_policypak_browser_router_36](/img/product_docs/policypak/policypak/browserrouter/internetexplorer/about_policypak_browser_router_36.webp) The **All intranet to IE** policy takes all websites that are already defined in the Intranet zone and ensure that those sites open in Internet Explorer 11 if the user tries to use Microsoft Edge. In diff --git a/docs/policypak/policypak/browserrouter/itemleveltargeting.md b/docs/policypak/policypak/browserrouter/itemleveltargeting.md index f439d10055..e388051382 100644 --- a/docs/policypak/policypak/browserrouter/itemleveltargeting.md +++ b/docs/policypak/policypak/browserrouter/itemleveltargeting.md 
@@ -7,12 +7,12 @@ within collections. To do this, right-click **Collection** and select **Change Item Level Targeting** -![about_policypak_browser_router_37](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_37.webp) +![about_policypak_browser_router_37](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_37.webp) Alternatively, within a Browser Router policy, you can dictate when a policy will apply by clicking **Item Level Targeting**. -![about_policypak_browser_router_38](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_38.webp) +![about_policypak_browser_router_38](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_38.webp) The **Edit Item Level Targeting** menu item brings up the **Targeting Editor**. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy @@ -25,7 +25,7 @@ same way parentheses are used in an equation. In this way, you can create a comp about where a policy will be applied. Collections may be set to **And**, **Or**, **Is**, or **Is Not**. -![about_policypak_browser_router_39](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_39.webp) +![about_policypak_browser_router_39](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_39.webp) In this example, the Pak would only apply to Windows 10 machines when the machine is portable and the user is in the FABRIKAM\Traveling Sales Users group. 
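Review bot: In `itemleveltargeting.md`, hunk `@@ -7,12 +7,12 @@`, the context uses three labels for what reads as one action: "select **Change Item Level Targeting**" before the first image, "clicking **Item Level Targeting**" before the second, and "The **Edit Item Level Targeting** menu item" after it. Confirm which labels the console actually shows and use them consistently; the first sentence is also missing its closing period.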
@@ -52,13 +52,13 @@ shows that it now has Item-Level Targeting on the whole collection. In other wor items in the collection will apply unless the Item-Level Targeting on the collection evaluates to **True**. -![about_policypak_browser_router_40](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_40.webp) +![about_policypak_browser_router_40](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_40.webp) Within the collection, if you set Item-Level Targeting within any policy, you'll see the icon turn orange, and the Item-Level Targeting column will indicate if Item-Level Targeting is on **Yes** or off **No**. -![about_policypak_browser_router_41](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_41.webp) +![about_policypak_browser_router_41](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_41.webp) This feature allows you toadd very granular filters. First, filter with Item-Level Targeting in a collection, and then filter on any specific rule if any Item-Level Targeting is applied there. diff --git a/docs/policypak/policypak/browserrouter/navigation.md b/docs/policypak/policypak/browserrouter/navigation.md index 2cc6c4ebd0..c5b8344b17 100644 --- a/docs/policypak/policypak/browserrouter/navigation.md +++ b/docs/policypak/policypak/browserrouter/navigation.md 
@@ -7,18 +7,18 @@ Router policy or collection. **NOTE:** The Browser Router node is only visible with the latest Admin Console MSI installed on your management station. -![about_policypak_browser_router](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router.webp) +![about_policypak_browser_router](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router.webp) All Endpoint Policy Manager Browser Router policies must always reside within collections. There are two steps for this. -![about_policypak_browser_router_1](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_1.webp) +![about_policypak_browser_router_1](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_1.webp) **Step 1 –** Create and name a collection. **Step 2 –** Put Browser Router policies (or other collections) inside the collection. -![about_policypak_browser_router_2](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_2.webp) +![about_policypak_browser_router_2](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_2.webp) You can create collections and policies within collections on either the User or Computer side (or both). Endpoint Policy Manager Browser Router has a precedence order if you decide to have multiple 
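Review bot: In `navigation.md`, hunk `@@ -7,18 +7,18 @@`, the three image paths change from `../../../../static/img/...`, which resolves inside the repository tree, to `/img/...`, which resolves only where the `static/` directory is served from the site root. The images will no longer render when the Markdown is viewed in the repository or when the site is built under a sub-path, so state the base-path assumption in the commit message or contributor notes, and if the build has a broken-link check, confirm it covers image paths.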
@@ -26,41 +26,41 @@ policies, collections, or GPOs, or when you choose to use a "on-Group Policy met settings. For more in formation on this, please see the section on -[Understanding Processing Order and Precedence](processorderprecedence.md). +[Understanding Processing Order and Precedence](/docs/policypak/policypak/browserrouter/processorderprecedence.md). To complete the Quickstart examples, we recommend creating a collection on the User side. Next,, create a new Browser Router policy, similar to the one shown below. In this example, we are routing all requests for www.microsoft.com to Internet Explorer. -![about_policypak_browser_router_3](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_3.webp) +![about_policypak_browser_router_3](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_3.webp) Once you click **OK**, you'll get an entry such as the one shown below. -![about_policypak_browser_router_4](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_4.webp) +![about_policypak_browser_router_4](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_4.webp) If you'd like to follow along, create two more Browser Router policies in the same collection. In the next example, we will route www.GPanswers.com to Firefox. -![about_policypak_browser_router_5](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_5.webp) +![about_policypak_browser_router_5](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_5.webp) Click OK to save the entry. Create another policy to route \*.policypak.com to Edge. 
-![about_policypak_browser_router_6](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_6.webp) +![about_policypak_browser_router_6](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_6.webp) Last, create an entry for **New Default Browser**. -![about_policypak_browser_router_7](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_7.webp) +![about_policypak_browser_router_7](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_7.webp) After you do this, a dialog box with limited options appear. You can only choose a default browser, which will be Chrome. -![about_policypak_browser_router_8](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_8.webp) +![about_policypak_browser_router_8](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_8.webp) When you've finished these actions, your entries will resemble these. -![about_policypak_browser_router_9](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_9.webp) +![about_policypak_browser_router_9](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_9.webp) Below is an explanation of each column in the editor: 
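Review bot: In `navigation.md`, hunk `@@ -26,41 +26,41 @@`, the rewritten `processorderprecedence.md` link sits in a sentence that still reads "For more in formation on this", and the neighbouring context has `"on-Group Policy met` and "Next,, create"; fix these while the lines are open. Also check the default-browser wording: this hunk says the default browser "will be Chrome", while the context of `@@ -83,7 +83,7 @@` says the Default Browser rule "launched Internet Explorer".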
@@ -83,7 +83,7 @@ Wordpad document, and typed in each URL (www.microsoft.com, www.gpanswers.com, that is unrelated to anything, such as www.abc.com. Based on the rules, the correct browser is opened for each URL. -![about_policypak_browser_router_10](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_10.webp) +![about_policypak_browser_router_10](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_10.webp) Notice that since there was no rule for www.abc.com, the overriding Default Browser rule took effect and launched Internet Explorer. diff --git a/docs/policypak/policypak/browserrouter/osweb.md b/docs/policypak/policypak/browserrouter/osweb.md index 0c718652f5..300d2bf241 100644 --- a/docs/policypak/policypak/browserrouter/osweb.md +++ b/docs/policypak/policypak/browserrouter/osweb.md 
@@ -5,12 +5,12 @@ Browser Router has a policy called OS Web Browser Look & Feel. The **OS Web Browser Look & Feel** policy post the display used in the Windows settings for Default Web browser. -![about_policypak_browser_router_44](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_44.webp) +![about_policypak_browser_router_44](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_44.webp) There are two options available: -![about_policypak_browser_router_45](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_45.webp)> +![about_policypak_browser_router_45](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_45.webp)> The end result looks like this. Note that the default browser is also displayed. -![about_policypak_browser_router_46](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_46.webp) +![about_policypak_browser_router_46](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_46.webp) diff --git a/docs/policypak/policypak/browserrouter/overview.md b/docs/policypak/policypak/browserrouter/overview.md index 7da0881632..ee195c6e90 100644 --- a/docs/policypak/policypak/browserrouter/overview.md +++ b/docs/policypak/policypak/browserrouter/overview.md @@ -1,7 +1,7 @@ # Browser Router **NOTE:** Before reading this section, please ensure you have read -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which explain how to: +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which explain how to: - Install the Admin MSI on your GPMC machine - Install the CSE on a test Windows machine 
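Review bot: In `osweb.md`, hunk `@@ -5,12 +5,12 @@`, the added line for `about_policypak_browser_router_45.webp` carries over the stray `>` after the closing parenthesis from the removed line, so the character will still show up after the image. Drop it in this change. The context sentence "The **OS Web Browser Look & Feel** policy post the display used in the Windows settings" also looks garbled and is worth rewording.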
@@ -11,11 +11,11 @@ Optionally, if you don't want to use Group Policy, read the sectionon **Advanced Concepts on Group Policy and non-Group Policy methods** (MEMCM, KACE, and MDM service or Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud), located -in[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md). This information on +in[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). This information on how to deploy your directives. **NOTE:** Watch this video for an overview of Endpoint Policy Manager Browser Router: -[](http://www.policypak.com/video/policypak-browser-router-ensure-users-utilize-the-right-browser-for-the-right-website.html)[Ensure users utilize the RIGHT browser for the right website !](../video/browserrouter/rightbrowser.md). +[](http://www.policypak.com/video/policypak-browser-router-ensure-users-utilize-the-right-browser-for-the-right-website.html)[Ensure users utilize the RIGHT browser for the right website !](/docs/policypak/policypak/video/browserrouter/rightbrowser.md). Let's say you wanted to apply the following routing policies: @@ -35,7 +35,7 @@ Browser Router enables you to perform the following functions: - Create exact criteria for when specific websites should open, and in which browser. - Export policies or collections as XML files (which can be used with Endpoint Policy Manager Exporter and Endpoint Policy Manager Cloud). See - [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) for more details. + [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) for more details. - Set custom messages when you have blocked a website. - Dynamically set Internet Explorer 11 Enterprise Mode (IE 11 EM) and Document Modes site lists. - Automatically write Internet Explorer 11 EM version 1 or version 2 site lists, based on the 
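Review bot: In `browserrouter/overview.md`, hunk `@@ -11,11 +11,11 @@`, the added video line still begins with an empty-text link to a `policypak.com` video URL directly in front of the rewritten `rightbrowser.md` link; it renders as nothing clickable and should be removed or given text. The other added line keeps `in[Using Endpoint Policy Manager with MDM and UEM Tools]` with no space before the bracket, and the sentence that follows it ("This information on how to deploy your directives.") has no verb.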
@@ -71,7 +71,7 @@ settings over the Internet, even to non-domain-joined machines. **NOTE:** You can also use Endpoint Policy Manager Browser Router with your Citrix or RDS servers. See the following video for more information: -[Using PP Browser Router on Citrix or RDS servers with published browser applications](../video/browserrouter/citrix.md). +[Using PP Browser Router on Citrix or RDS servers with published browser applications](/docs/policypak/policypak/video/browserrouter/citrix.md). ## Endpoint Policy Manager Browser Router Moving Parts diff --git a/docs/policypak/policypak/browserrouter/overview/knowledgebase.md b/docs/policypak/policypak/browserrouter/overview/knowledgebase.md index 1ee53c757f..8a575d1921 100644 --- a/docs/policypak/policypak/browserrouter/overview/knowledgebase.md +++ b/docs/policypak/policypak/browserrouter/overview/knowledgebase.md 
@@ -4,53 +4,53 @@ The following is a list of Knowledge Base articles for Browser Router. ## Installation and Uninstallation -- [Why does Windows 8 and 10 ask me "How do you want to open this?" and how do I make it go away?](../../troubleshooting/browserrouter/install/windowsopenprompt.md) -- [I'm using SCCM to deploy the PP CSE. I want to ensure that Internet Explorer is closed during the installation of PPBR to prevent IE questions of users if they are logged in. What should I do?](../../troubleshooting/browserrouter/install/preventiequestions.md) -- [I launched IE and saw "PPBRAGENTIExIE_01.dll" or "PPBRExplorerExtension.dll" prompted for the user. What should I do?](../../troubleshooting/browserrouter/install/iepromptdll.md) -- [When I unlicense or remove Endpoint Policy ManagerBrowser Router from scope,Endpoint Policy Manager Browser Router Agent still shows as OS "default browser". Why is that and is there a workaround?](../../troubleshooting/browserrouter/install/defaultbrowser.md) -- [Why doesn't Endpoint Policy Manager Browser Router routes take effect the first time I log on to Windows 8.1 or Windows 10?](../../troubleshooting/browserrouter/install/twologons.md) -- [How-to manually install and enable Endpoint Policy Manager Browser Router (PPBR) extension for Google Chrome?](../install/chromemanual.md) +- [Why does Windows 8 and 10 ask me "How do you want to open this?" and how do I make it go away?](/docs/policypak/policypak/troubleshooting/browserrouter/install/windowsopenprompt.md) +- [I'm using SCCM to deploy the PP CSE. I want to ensure that Internet Explorer is closed during the installation of PPBR to prevent IE questions of users if they are logged in. What should I do?](/docs/policypak/policypak/troubleshooting/browserrouter/install/preventiequestions.md) +- [I launched IE and saw "PPBRAGENTIExIE_01.dll" or "PPBRExplorerExtension.dll" prompted for the user. 
What should I do?](/docs/policypak/policypak/troubleshooting/browserrouter/install/iepromptdll.md) +- [When I unlicense or remove Endpoint Policy ManagerBrowser Router from scope,Endpoint Policy Manager Browser Router Agent still shows as OS "default browser". Why is that and is there a workaround?](/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md) +- [Why doesn't Endpoint Policy Manager Browser Router routes take effect the first time I log on to Windows 8.1 or Windows 10?](/docs/policypak/policypak/troubleshooting/browserrouter/install/twologons.md) +- [How-to manually install and enable Endpoint Policy Manager Browser Router (PPBR) extension for Google Chrome?](/docs/policypak/policypak/browserrouter/install/chromemanual.md) ## Troubleshooting -- [Troubleshooting routing between browsers.](../../troubleshooting/browserrouter/betweenbrowsers.md) -- [I'm having a "Browser Router Emergency" or some kind of critical website incompatibility. What can I do?](../../troubleshooting/browserrouter/criticalwebsiteincompatibility.md) -- [When does Endpoint Policy Manager Browser Router write v1 or v2 Enterprise Mode site lists?](../../troubleshooting/browserrouter/versions.md) -- [PPBRAgentExeIE_01.DLL error message occurs about Internet Explorer enhanced security. What should I do?](../../troubleshooting/error/browserrouter/dllcompatible.md) -- [Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. 
How can I work around this?](../../troubleshooting/browserrouter/chrome/forceinstall.md) -- [Why don't routes work from Firefox to other browsers (in Firefox 49+) ?](../../troubleshooting/browserrouter/firefox.md) -- [Why don't routes work from IE to other browsers?](../../troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md) -- [Chrome and Citrix problems](../../troubleshooting/browserrouter/chrome/citrixproblems.md) -- [Why doesn't Edge to Other browser support work as expected?](../../troubleshooting/browserrouter/edge/fromtootherbroswers.md) -- [Browser router doesn't seem to work when I use a pattern, and the URL has multiple redirects.](../../troubleshooting/browserrouter/pattern.md) -- [What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../../troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) -- [What does it mean when Endpoint Policy Manager Browser Router gives a pop-up saying to contact support to my end-users?](../../troubleshooting/error/browserrouter/contactsupport.md) -- [I see the Endpoint Policy Manager Browser Router Chrome Extension is being installed, but it's not active. What can I do?](../../troubleshooting/browserrouter/chrome/extensioninactive.md) -- [How do I revert to "Legacy Browser Router Method & Features" if directed?](../../troubleshooting/browserrouter/revertlegacy.md) -- [What is the PPBR "Keep original tab open when routing / Experimental Feature" checkbox, and why must I turn it OFF for ALL routes if I'm having trouble with ONE website?](../../troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md) -- [Why is my Wildcard rule not applying to top level WWW site?](../../troubleshooting/browserrouter/wildcardrule.md) -- [I'm attempting to use an older CSE but routing from Edge / Chrome to other browsers is not working. 
Why is this?](../../troubleshooting/browserrouter/chrome/routing.md) -- [How do I fix "">Endpoint Policy Manager Browser Router Chromium Extension" was automatically disabled." message in Chrome or Edge?](../../troubleshooting/error/browserrouter/automaticallydisabled.md) -- [An older CSE isn't routing from Chrome or Edge to other browsers, because the older CSE isn't downloading the latest Chrome extension. What can I do?](../../troubleshooting/browserrouter/clientsideextension/chromerouting.md) -- [How can I use the only remaining Endpoint Policy Manager published Chrome Extension with my older CSE? (CSE 18.7.1779.937 - 19.12.2283.849)](../../troubleshooting/browserrouter/clientsideextension/chromeextension.md) -- [How can I stop websites automatically routing to Edge when I expect them to be shown in IE (and/or I get an endless loop). Why is this?](../../troubleshooting/browserrouter/edge/stop.md) -- [Hyperlinks in Adobe documents do not work when Browser Router is set as the Default Browser](../../troubleshooting/browserrouter/adobelinks.md) -- [Why does Endpoint Policy Manager PPExtensionService.exe make a call out to DNS?](../../troubleshooting/browserrouter/dnscall.md) -- [How to fix the Chrome / Edge Chromium launch issues?](../../troubleshooting/browserrouter/chrome/launch.md) -- [How does Browser Router function when Internet Explorer is removed from the machine?](../../troubleshooting/browserrouter/internetexplorer/removed.md) -- [How to set "Choose which browser opens web links in Office365" so that Browser Router properly routes web links in Outlook](../../troubleshooting/browserrouter/office365.md) -- [How to quickly troubleshoot Endpoint Policy Manager Browser Router](../../troubleshooting/browserrouter/quick.md) +- [Troubleshooting routing between browsers.](/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md) +- [I'm having a "Browser Router Emergency" or some kind of critical website incompatibility. 
What can I do?](/docs/policypak/policypak/troubleshooting/browserrouter/criticalwebsiteincompatibility.md) +- [When does Endpoint Policy Manager Browser Router write v1 or v2 Enterprise Mode site lists?](/docs/policypak/policypak/troubleshooting/browserrouter/versions.md) +- [PPBRAgentExeIE_01.DLL error message occurs about Internet Explorer enhanced security. What should I do?](/docs/policypak/policypak/troubleshooting/error/browserrouter/dllcompatible.md) +- [Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. How can I work around this?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md) +- [Why don't routes work from Firefox to other browsers (in Firefox 49+) ?](/docs/policypak/policypak/troubleshooting/browserrouter/firefox.md) +- [Why don't routes work from IE to other browsers?](/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md) +- [Chrome and Citrix problems](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/citrixproblems.md) +- [Why doesn't Edge to Other browser support work as expected?](/docs/policypak/policypak/troubleshooting/browserrouter/edge/fromtootherbroswers.md) +- [Browser router doesn't seem to work when I use a pattern, and the URL has multiple redirects.](/docs/policypak/policypak/troubleshooting/browserrouter/pattern.md) +- [What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) +- [What does it mean when Endpoint Policy Manager Browser Router gives a pop-up saying to contact support to my end-users?](/docs/policypak/policypak/troubleshooting/error/browserrouter/contactsupport.md) +- [I see the Endpoint Policy Manager Browser Router Chrome Extension is being installed, but it's not active. 
What can I do?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/extensioninactive.md) +- [How do I revert to "Legacy Browser Router Method & Features" if directed?](/docs/policypak/policypak/troubleshooting/browserrouter/revertlegacy.md) +- [What is the PPBR "Keep original tab open when routing / Experimental Feature" checkbox, and why must I turn it OFF for ALL routes if I'm having trouble with ONE website?](/docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md) +- [Why is my Wildcard rule not applying to top level WWW site?](/docs/policypak/policypak/troubleshooting/browserrouter/wildcardrule.md) +- [I'm attempting to use an older CSE but routing from Edge / Chrome to other browsers is not working. Why is this?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/routing.md) +- [How do I fix "">Endpoint Policy Manager Browser Router Chromium Extension" was automatically disabled." message in Chrome or Edge?](/docs/policypak/policypak/troubleshooting/error/browserrouter/automaticallydisabled.md) +- [An older CSE isn't routing from Chrome or Edge to other browsers, because the older CSE isn't downloading the latest Chrome extension. What can I do?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromerouting.md) +- [How can I use the only remaining Endpoint Policy Manager published Chrome Extension with my older CSE? (CSE 18.7.1779.937 - 19.12.2283.849)](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md) +- [How can I stop websites automatically routing to Edge when I expect them to be shown in IE (and/or I get an endless loop). 
Why is this?](/docs/policypak/policypak/troubleshooting/browserrouter/edge/stop.md) +- [Hyperlinks in Adobe documents do not work when Browser Router is set as the Default Browser](/docs/policypak/policypak/troubleshooting/browserrouter/adobelinks.md) +- [Why does Endpoint Policy Manager PPExtensionService.exe make a call out to DNS?](/docs/policypak/policypak/troubleshooting/browserrouter/dnscall.md) +- [How to fix the Chrome / Edge Chromium launch issues?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/launch.md) +- [How does Browser Router function when Internet Explorer is removed from the machine?](/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/removed.md) +- [How to set "Choose which browser opens web links in Office365" so that Browser Router properly routes web links in Outlook](/docs/policypak/policypak/troubleshooting/browserrouter/office365.md) +- [How to quickly troubleshoot Endpoint Policy Manager Browser Router](/docs/policypak/policypak/troubleshooting/browserrouter/quick.md) ## Tips and Tricks -- [Which variables can I use in the Browser Router Advanced Blocking Message?](../advancedblockingmessage.md) -- [How can I use Endpoint Policy Manager Browser router to force people to always use the SAME browser?](../forcebrowser.md) -- [Is it possible to prevent all Internet websites, but allow just a few? 
(Blacklist websites, whitelist some?)](../editpolicytemplate/securityzone.md) -- [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](../defaultbrowser/defined.md) -- [How do I suppress the pop-up of the Browser Router Chrome Extension at First run?](../suppresspopup.md) -- [How to remove the Endpoint Policy Manager Browser Router Agent from the list of available Web Browser handlers under Default Apps in Windows 10](../install/removeagent.md) -- [Where does Browser Router store user selected browser (and how can I fake it if I need to) in versions 2536 and later?](../useselectablebrowser.md) -- [How to Configure Browser Router to use IE Document Modes in Edge IE TAB](../editpolicytemplate/browsermode.md) -- [How do I change the default icon for user-created shortcuts for my default browser?](../shortcuticons.md) -- [Does Endpoint Policy Manager Manage Chrome or Edge "Flags"?](../editpolicytemplate/commandlinearguments.md) -- [What is PPBREdgePackage and When is it used?](../edgelegacybrowser.md) +- [Which variables can I use in the Browser Router Advanced Blocking Message?](/docs/policypak/policypak/browserrouter/advancedblockingmessage.md) +- [How can I use Endpoint Policy Manager Browser router to force people to always use the SAME browser?](/docs/policypak/policypak/browserrouter/forcebrowser.md) +- [Is it possible to prevent all Internet websites, but allow just a few? 
(Blacklist websites, whitelist some?)](/docs/policypak/policypak/browserrouter/editpolicytemplate/securityzone.md) +- [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md) +- [How do I suppress the pop-up of the Browser Router Chrome Extension at First run?](/docs/policypak/policypak/browserrouter/suppresspopup.md) +- [How to remove the Endpoint Policy Manager Browser Router Agent from the list of available Web Browser handlers under Default Apps in Windows 10](/docs/policypak/policypak/browserrouter/install/removeagent.md) +- [Where does Browser Router store user selected browser (and how can I fake it if I need to) in versions 2536 and later?](/docs/policypak/policypak/browserrouter/useselectablebrowser.md) +- [How to Configure Browser Router to use IE Document Modes in Edge IE TAB](/docs/policypak/policypak/browserrouter/editpolicytemplate/browsermode.md) +- [How do I change the default icon for user-created shortcuts for my default browser?](/docs/policypak/policypak/browserrouter/shortcuticons.md) +- [Does Endpoint Policy Manager Manage Chrome or Edge "Flags"?](/docs/policypak/policypak/browserrouter/editpolicytemplate/commandlinearguments.md) +- [What is PPBREdgePackage and When is it used?](/docs/policypak/policypak/browserrouter/edgelegacybrowser.md) diff --git a/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md b/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md index a2fce51146..883b03405d 100644 --- a/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md +++ b/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md 
@@ -4,32 +4,32 @@ See the following Video topics for Browser Router. ## Getting started -- [Ensure users utilize the RIGHT browser for the right website !](../../video/browserrouter/rightbrowser.md) -- [Browser Router now with support for MS Edge](../../video/browserrouter/edgesupport.md) -- [Block web sites from opening in all browsers.](../../video/browserrouter/blockwebsites.md) -- [Endpoint Policy Manager and Edge ‘Special' policies](../../video/browserrouter/edgespecial.md) -- [Endpoint Policy Manager Browser Router and Ports](../../video/browserrouter/ports.md) -- [Endpoint Policy Manager Browser Router User-Selected Default](../../video/browserrouter/userselecteddefault.md) -- [Manage Internet Explorer 11 and Edge Compatibility, Enterprise Modes and IE-in-Edge Mode](../../video/browserrouter/ie.md) +- [Ensure users utilize the RIGHT browser for the right website !](/docs/policypak/policypak/video/browserrouter/rightbrowser.md) +- [Browser Router now with support for MS Edge](/docs/policypak/policypak/video/browserrouter/edgesupport.md) +- [Block web sites from opening in all browsers.](/docs/policypak/policypak/video/browserrouter/blockwebsites.md) +- [Endpoint Policy Manager and Edge ‘Special' policies](/docs/policypak/policypak/video/browserrouter/edgespecial.md) +- [Endpoint Policy Manager Browser Router and Ports](/docs/policypak/policypak/video/browserrouter/ports.md) +- [Endpoint Policy Manager Browser Router User-Selected Default](/docs/policypak/policypak/video/browserrouter/userselecteddefault.md) +- [Manage Internet Explorer 11 and Edge Compatibility, Enterprise Modes and IE-in-Edge Mode](/docs/policypak/policypak/video/browserrouter/ie.md) ## Methods: Cloud, MDM, and SCCM -- [Map the Right Website to the Right Browser using your MDM service](../../video/browserrouter/mdm.md) -- [Use PP Cloud to Manage your browsers and manage your routes to domain joined and non domain joined machines](../../video/browserrouter/cloud.md) +- [Map the Right Website 
to the Right Browser using your MDM service](/docs/policypak/policypak/video/browserrouter/mdm.md) +- [Use PP Cloud to Manage your browsers and manage your routes to domain joined and non domain joined machines](/docs/policypak/policypak/video/browserrouter/cloud.md) ## Citrix & Virtual applications -- [Using PP Browser Router on Citrix or RDS servers with published browser applications](../../video/browserrouter/citrix.md) -- [Browser Router with Custom Browsers](../../video/browserrouter/custombrowsers.md) +- [Using PP Browser Router on Citrix or RDS servers with published browser applications](/docs/policypak/policypak/video/browserrouter/citrix.md) +- [Browser Router with Custom Browsers](/docs/policypak/policypak/video/browserrouter/custombrowsers.md) ## Tips and Tricks -- [Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](../../video/browserrouter/defaultwindows10.md) -- [Browser Router now supports Chrome on Non-Domain Joined machines](../../video/browserrouter/chromenondomainjoined.md) -- [Force all websites to IE (but have some exceptions)](../../video/browserrouter/ieforce.md) -- [Use Firefox as default for ALL pages, except some pages](../../video/browserrouter/firefox.md) -- [Route all sites to Chrome, with some exceptions](../../video/browserrouter/chrome.md) -- [Route all sites to Edge (with some exceptions)](../../video/browserrouter/edge.md) -- [Internet Explorer to Endpoint Policy Manager Browser Router Site lists](../../video/browserrouter/iesitelists.md) -- [Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](../../video/browserrouter/ieedgemode.md) -- [Set the links to icons to actually show the default browser.](../../video/browserrouter/browsericon.md) +- [Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](/docs/policypak/policypak/video/browserrouter/defaultwindows10.md) +- [Browser Router now supports Chrome on Non-Domain Joined 
machines](/docs/policypak/policypak/video/browserrouter/chromenondomainjoined.md) +- [Force all websites to IE (but have some exceptions)](/docs/policypak/policypak/video/browserrouter/ieforce.md) +- [Use Firefox as default for ALL pages, except some pages](/docs/policypak/policypak/video/browserrouter/firefox.md) +- [Route all sites to Chrome, with some exceptions](/docs/policypak/policypak/video/browserrouter/chrome.md) +- [Route all sites to Edge (with some exceptions)](/docs/policypak/policypak/video/browserrouter/edge.md) +- [Internet Explorer to Endpoint Policy Manager Browser Router Site lists](/docs/policypak/policypak/video/browserrouter/iesitelists.md) +- [Endpoint Policy Manager Browser Router: Internet Explorer in Edge mode](/docs/policypak/policypak/video/browserrouter/ieedgemode.md) +- [Set the links to icons to actually show the default browser.](/docs/policypak/policypak/video/browserrouter/browsericon.md) diff --git a/docs/policypak/policypak/browserrouter/policy/block.md b/docs/policypak/policypak/browserrouter/policy/block.md index 1c0fac7d96..f7bdf34ef4 100644 --- a/docs/policypak/policypak/browserrouter/policy/block.md +++ b/docs/policypak/policypak/browserrouter/policy/block.md 
@@ -5,15 +5,15 @@ choose to provide **Block Text**, which will appear in a pop-up for the user, ex cannot visit the website. **NOTE:** For an overview of using Block policies, see the following video: -[Block web sites from opening in all browsers.](../../video/browserrouter/blockwebsites.md) +[Block web sites from opening in all browsers.](/docs/policypak/policypak/video/browserrouter/blockwebsites.md) -![about_policypak_browser_router_16](../../../../../static/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_16.webp) +![about_policypak_browser_router_16](/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_16.webp) When you include text in the **Block Text** field, the endpoint will react in all browsers with a pop-up like this one. -![about_policypak_browser_router_17](../../../../../static/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_17.webp) +![about_policypak_browser_router_17](/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_17.webp) **NOTE:** If you leave the **Block Text** field empty, default text is automatically provided. -![about_policypak_browser_router_18](../../../../../static/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_18.webp) +![about_policypak_browser_router_18](/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_18.webp) diff --git a/docs/policypak/policypak/browserrouter/policy/custom.md b/docs/policypak/policypak/browserrouter/policy/custom.md index e0e9f0d441..38eb3d2f12 100644 --- a/docs/policypak/policypak/browserrouter/policy/custom.md +++ b/docs/policypak/policypak/browserrouter/policy/custom.md 
@@ -6,18 +6,18 @@ instance, Opera and Vivaldi are two browsers you may have installed on endpoints route to. **NOTE:** For an overview of using custom policies, see the following video: -[Browser Router with Custom Browsers](../../video/browserrouter/custombrowsers.md). +[Browser Router with Custom Browsers](/docs/policypak/policypak/video/browserrouter/custombrowsers.md). You might also want to route websites to virtualized browsers. In this example you can see a virtualized Firefox. To route to virtualized browsers, simply take the icon's launch target and copy it. -![about_policypak_browser_router_19](../../../../../static/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_19.webp) +![about_policypak_browser_router_19](/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_19.webp) Then, using Endpoint Policy Manager Browser Router, make a custom route and paste the target path into the **Custom Browser Path** field. -![about_policypak_browser_router_20](../../../../../static/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_20.webp) +![about_policypak_browser_router_20](/img/product_docs/policypak/policypak/browserrouter/policy/about_policypak_browser_router_20.webp) This technique works for most virtualized browsers such as Microsoft App-V, VMware ThinApp, etc. Note that once a virtualized browser is opened, Endpoint Policy Manager Browser Router cannot route diff --git a/docs/policypak/policypak/browserrouter/ports.md b/docs/policypak/policypak/browserrouter/ports.md index b85c88f340..8f02c3cd9b 100644 --- a/docs/policypak/policypak/browserrouter/ports.md +++ b/docs/policypak/policypak/browserrouter/ports.md 
@@ -4,18 +4,18 @@ Endpoint Policy Manager Browser Router can open a specific website when a partic specific port. In the example below we have `www.portquiz.net:1001` being used for a specific Google Chrome website. -![about_policypak_browser_router_23](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_23.webp) +![about_policypak_browser_router_23](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_23.webp) **NOTE:** For a video on using Endpoint Policy Manager Browser Router and ports, see -[Endpoint Policy Manager Browser Router and Ports](../video/browserrouter/ports.md). +[Endpoint Policy Manager Browser Router and Ports](/docs/policypak/policypak/video/browserrouter/ports.md). In this way, you can have granular control over which browser is opened for which website. Additionally, for Internet Explorer 11, Endpoint Policy Manager Browser Router will automatically insert the port into Internet Explorer 11 Enterprise Mode v2 site lists. All you need to do is add a route similar to the one shown below. -![about_policypak_browser_router_24](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_24.webp) +![about_policypak_browser_router_24](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_24.webp) **NOTE:** Not every version of Internet Explorer 11 is ready to receive v2 site lists. For a list of which versions of Internet Explorer 11 use v1 vs v2, see -[When does Endpoint Policy Manager Browser Router write v1 or v2 Enterprise Mode site lists?](../troubleshooting/browserrouter/versions.md). +[When does Endpoint Policy Manager Browser Router write v1 or v2 Enterprise Mode site lists?](/docs/policypak/policypak/troubleshooting/browserrouter/versions.md). 
diff --git a/docs/policypak/policypak/browserrouter/processorderprecedence.md b/docs/policypak/policypak/browserrouter/processorderprecedence.md index 081ea5b9a6..d4b39e739a 100644 --- a/docs/policypak/policypak/browserrouter/processorderprecedence.md +++ b/docs/policypak/policypak/browserrouter/processorderprecedence.md @@ -10,11 +10,11 @@ Within a particular GPO (Computer or User side), the processing order is counted So, lower-numbered collections attempt to process first, and higher-numbered collections attempt to process last. -![about_policypak_browser_router_42](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_42.webp) +![about_policypak_browser_router_42](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_42.webp) Within any collection, each policy is processed in numerical order from lowest to highest. -![about_policypak_browser_router_43](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_43.webp) +![about_policypak_browser_router_43](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_43.webp) ## Precedence @@ -52,7 +52,7 @@ same collection. Endpoint Policy Manager Browser Router has four rule types. -![about_policypak_browser_router_14](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_14.webp) +![about_policypak_browser_router_14](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_14.webp) The following precedence order applies to these rule types. diff --git a/docs/policypak/policypak/browserrouter/rules.md b/docs/policypak/policypak/browserrouter/rules.md index 7376c640b7..9891fc5e0b 100644 --- a/docs/policypak/policypak/browserrouter/rules.md +++ b/docs/policypak/policypak/browserrouter/rules.md 
@@ -3,7 +3,7 @@ When you make a new Browser Router policy, you have several ways to make site rules: **URL**, **Wildcard**, **RegEx**, and **Internet Security Zone**. -![about_policypak_browser_router_14](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_14.webp) +![about_policypak_browser_router_14](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_14.webp) ## Examples @@ -21,7 +21,7 @@ to match against Host. When a pattern matches, it is routed to the correct browser, blocked, or delivered to a custom browser. -![about_policypak_browser_router_15](../../../../static/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_15.webp) +![about_policypak_browser_router_15](/img/product_docs/policypak/policypak/browserrouter/about_policypak_browser_router_15.webp) **NOTE:** For specific URL strings, **Apply to child URLs** is set to **yes** by default. This means that any website that falls underneath that URL will also be affected. diff --git a/docs/policypak/policypak/browserrouter/shortcuticons.md b/docs/policypak/policypak/browserrouter/shortcuticons.md index 5d6fa15af8..27a791cde7 100644 --- a/docs/policypak/policypak/browserrouter/shortcuticons.md +++ b/docs/policypak/policypak/browserrouter/shortcuticons.md 
@@ -1,20 +1,20 @@ # How do I change the default icon for user-created shortcuts for my default browser? For a good general overview of the topic, please watch this video: -[Set the links to icons to actually show the default browser.](../video/browserrouter/browsericon.md) +[Set the links to icons to actually show the default browser.](/docs/policypak/policypak/video/browserrouter/browsericon.md) The most common concern is that the FireFox default icon appears like this: -![835_1_hfkb-1127-img-01_950x761](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_1_hfkb-1127-img-01_950x761.webp) +![835_1_hfkb-1127-img-01_950x761](/img/product_docs/policypak/policypak/browserrouter/835_1_hfkb-1127-img-01_950x761.webp) When you typically want user shortcuts to look like this: -![835_2_hfkb-1127-img-02](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_2_hfkb-1127-img-02.webp) +![835_2_hfkb-1127-img-02](/img/product_docs/policypak/policypak/browserrouter/835_2_hfkb-1127-img-02.webp) Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router's DEFAULT BROWSER function uses the registered icon for the default browser as the icon. -![835_3_hfkb-1127-img-03_950x747](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_3_hfkb-1127-img-03_950x747.webp) +![835_3_hfkb-1127-img-03_950x747](/img/product_docs/policypak/policypak/browserrouter/835_3_hfkb-1127-img-03_950x747.webp) This might be required, either per user or per machine, depending on which browsers you actually have installed on the machine and how they were installed. 
@@ -36,26 +36,26 @@ one, making changing this much harder en-mass. So if you wanted to change Firefox's default icon you could change it from this… -![835_4_hfkb-1127-img-04_950x499](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_4_hfkb-1127-img-04_950x499.webp) +![835_4_hfkb-1127-img-04_950x499](/img/product_docs/policypak/policypak/browserrouter/835_4_hfkb-1127-img-04_950x499.webp) To this… -![835_5_hfkb-1127-img-05_950x643](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_5_hfkb-1127-img-05_950x643.webp) +![835_5_hfkb-1127-img-05_950x643](/img/product_docs/policypak/policypak/browserrouter/835_5_hfkb-1127-img-05_950x643.webp) A second example could be with Google Chrome and setting it as the Default Browser. -![835_6_hfkb-1127-img-06_950x684](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_6_hfkb-1127-img-06_950x684.webp) +![835_6_hfkb-1127-img-06_950x684](/img/product_docs/policypak/policypak/browserrouter/835_6_hfkb-1127-img-06_950x684.webp) The default icons will be from ChromeHTML Index 0. -![835_7_hfkb-1127-img-07_950x496](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_7_hfkb-1127-img-07_950x496.webp) +![835_7_hfkb-1127-img-07_950x496](/img/product_docs/policypak/policypak/browserrouter/835_7_hfkb-1127-img-07_950x496.webp) But if you change it to 4 and run GPupdate, you will see updated icons. -![835_8_hfkb-1127-img-08_950x467](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_8_hfkb-1127-img-08_950x467.webp) +![835_8_hfkb-1127-img-08_950x467](/img/product_docs/policypak/policypak/browserrouter/835_8_hfkb-1127-img-08_950x467.webp) The quickest way to mass update this would be a Group Policy Preferences Registry item. An example can be seen here. You want to do this on the computer side, which will change the value for both user and computer browsers. 
-![835_9_hfkb-1127-img-09_950x455](../../../../static/img/product_docs/policypak/policypak/browserrouter/835_9_hfkb-1127-img-09_950x455.webp) +![835_9_hfkb-1127-img-09_950x455](/img/product_docs/policypak/policypak/browserrouter/835_9_hfkb-1127-img-09_950x455.webp) diff --git a/docs/policypak/policypak/browserrouter/useselectablebrowser.md b/docs/policypak/policypak/browserrouter/useselectablebrowser.md index 16c69448ef..d3996eb9a0 100644 --- a/docs/policypak/policypak/browserrouter/useselectablebrowser.md +++ b/docs/policypak/policypak/browserrouter/useselectablebrowser.md @@ -8,9 +8,9 @@ this KB. Endpoint Policy Manager Browser Router has a function called **User Selectable browser**. Learn more about this feature first here: -[Endpoint Policy Manager Browser Router User-Selected Default](../video/browserrouter/userselecteddefault.md) +[Endpoint Policy Manager Browser Router User-Selected Default](/docs/policypak/policypak/video/browserrouter/userselecteddefault.md) -[What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](defaultbrowser/defined.md) +[What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md) You might need to have Endpoint Policy Manager Browser Router indicate that a user specifically chose a particular browser, even if they did not. @@ -33,7 +33,7 @@ browser. For instance, in this example, after the Admin has chosen User Selectable, the User chooses Edge (UWP version), with the following results: -![507_1_image-20201229224350-1_950x136](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_1_image-20201229224350-1_950x136.webp) +![507_1_image-20201229224350-1_950x136](/img/product_docs/policypak/policypak/browserrouter/507_1_image-20201229224350-1_950x136.webp) Supported values in ProgID are: 
@@ -55,7 +55,7 @@ custom ProgId value: `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgId` For Example: -![507_2_image-20201229224350-2](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_2_image-20201229224350-2.webp) +![507_2_image-20201229224350-2](/img/product_docs/policypak/policypak/browserrouter/507_2_image-20201229224350-2.webp) Example: If a user has not yet selected a Browser, or if MS Edge Chromium is the perceived browser, then specify the default as Chrome (one time) and allow the user to select a different browser if @@ -79,7 +79,7 @@ is used during this operation. - `Key Path: SOFTWARE\PolicyPak\Client-Side Extensions\{1659C456-08FC-4359-B125-BB70EE34DD55}\PPBRAgent\SavedOldValues\Software/Microsoft/Windows/Shell/Associations/UrlAssociations/http/UserChoice` - Value Name: ProgID - Value Type: REG_SZ - ![507_3_image-20201229224350-3](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_3_image-20201229224350-3.webp)- + ![507_3_image-20201229224350-3](/img/product_docs/policypak/policypak/browserrouter/507_3_image-20201229224350-3.webp)- ValueData: ChromeHTML **Step 2 –** (But only if the value below is absent...: 
@@ -90,14 +90,14 @@ is used during this operation. `HKCU\ Software\PolicyPak\Client-Side Extensions\{1659C456-08FC-4359-B125-BB70EE34DD55}\PPBRAgent\SavedOldValues\Software/Microsoft/Windows/Shell/Associations/UrlAssociations/http/UserChoice\ProgId\` -![507_4_image-20201229224350-4](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_4_image-20201229224350-4.webp) +![507_4_image-20201229224350-4](/img/product_docs/policypak/policypak/browserrouter/507_4_image-20201229224350-4.webp) -![507_5_image-20201229224350-5_950x366](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_5_image-20201229224350-5_950x366.webp) +![507_5_image-20201229224350-5_950x366](/img/product_docs/policypak/policypak/browserrouter/507_5_image-20201229224350-5_950x366.webp) Be sure to have entries which set HTTP and HTTPS like these two values here (i.e., Repeat Steps 1 & 2 above for HTTPS value) -![507_6_image-20201229224350-6](../../../../static/img/product_docs/policypak/policypak/browserrouter/507_6_image-20201229224350-6.webp) +![507_6_image-20201229224350-6](/img/product_docs/policypak/policypak/browserrouter/507_6_image-20201229224350-6.webp) _Remember,_ You need two entries. One for HTTP and one for HTTPS. diff --git a/docs/policypak/policypak/cloud/add/administrator.md b/docs/policypak/policypak/cloud/add/administrator.md index 2fdceea6fe..6c5993723f 100644 --- a/docs/policypak/policypak/cloud/add/administrator.md +++ b/docs/policypak/policypak/cloud/add/administrator.md 
@@ -21,7 +21,7 @@ tab. When adding new administrators, the following dialog displays: -![956_1_image-20230706150906-5_454x421](../../../../../static/img/product_docs/policypak/policypak/cloud/add/956_1_image-20230706150906-5_454x421.webp) +![956_1_image-20230706150906-5_454x421](/img/product_docs/policypak/policypak/cloud/add/956_1_image-20230706150906-5_454x421.webp) Once you click **Create Request**, all existing administrators with the Company Admin Manager role will receive an email notifying them of the request.  Any one of these persons can approve or reject @@ -30,14 +30,14 @@ the request. In addition to the email, these administrators can also log into the Cloud Portal to view any pending request and approve/reject from there. -![956_2_image-20230706151053-6_807x369](../../../../../static/img/product_docs/policypak/policypak/cloud/add/956_2_image-20230706151053-6_807x369.webp) +![956_2_image-20230706151053-6_807x369](/img/product_docs/policypak/policypak/cloud/add/956_2_image-20230706151053-6_807x369.webp) **Step 3 –** Locate/select the **New** request and click **View**. -![956_3_image-20230706151217-7_855x235](../../../../../static/img/product_docs/policypak/policypak/cloud/add/956_3_image-20230706151217-7_855x235.webp) +![956_3_image-20230706151217-7_855x235](/img/product_docs/policypak/policypak/cloud/add/956_3_image-20230706151217-7_855x235.webp) **Step 4 –** Verify the details and either **Accept** or **Reject** the request. -![956_4_image-20230706151408-8_663x573](../../../../../static/img/product_docs/policypak/policypak/cloud/add/956_4_image-20230706151408-8_663x573.webp) +![956_4_image-20230706151408-8_663x573](/img/product_docs/policypak/policypak/cloud/add/956_4_image-20230706151408-8_663x573.webp) The requester will receive an email indicating if the request was approved or rejected. diff --git a/docs/policypak/policypak/cloud/adduser.md b/docs/policypak/policypak/cloud/adduser.md index 6845a4b60d..8f244ecab8 100644 
--- a/docs/policypak/policypak/cloud/adduser.md +++ b/docs/policypak/policypak/cloud/adduser.md @@ -2,7 +2,7 @@ **NOTE:** This article pertains to portal.policypak.com.  If you need to manage users in the Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud Portal (cloud.policypak.com) -see [Endpoint Policy Manager Cloud: Adding New Admins](../video/cloud/add/administrator.md) +see [Endpoint Policy Manager Cloud: Adding New Admins](/docs/policypak/policypak/video/cloud/add/administrator.md) There are three steps in the process: @@ -14,9 +14,9 @@ There are three steps in the process: **Step 3 –** You can then select **Invitation** to send Invites to new Secondaries or Accounting people. -![819_1_hfkb-1067-01_950x324](../../../../static/img/product_docs/policypak/policypak/cloud/819_1_hfkb-1067-01_950x324.webp) +![819_1_hfkb-1067-01_950x324](/img/product_docs/policypak/policypak/cloud/819_1_hfkb-1067-01_950x324.webp) -![819_2_hfkb-1067-02_950x279](../../../../static/img/product_docs/policypak/policypak/cloud/819_2_hfkb-1067-02_950x279.webp) +![819_2_hfkb-1067-02_950x279](/img/product_docs/policypak/policypak/cloud/819_2_hfkb-1067-02_950x279.webp) - Secondaries get technical AND renewal emails - Accounting people get ONLY renewal emails diff --git a/docs/policypak/policypak/cloud/cheksum.md b/docs/policypak/policypak/cloud/cheksum.md index 007983102e..7b16cfd415 100644 --- a/docs/policypak/policypak/cloud/cheksum.md +++ b/docs/policypak/policypak/cloud/cheksum.md @@ -8,7 +8,7 @@ scripts. After you download the software, use the build-in windows command line to validate the SHA256 checksum. -![912_1_image001_950x439](../../../../static/img/product_docs/policypak/policypak/cloud/912_1_image001_950x439.webp) +![912_1_image001_950x439](/img/product_docs/policypak/policypak/cloud/912_1_image001_950x439.webp) An example would be: 
@@ -21,4 +21,4 @@ and/or **NOTE:** You must put the SHA256 at the end, or the command is interpreted as SHA1, which will produce a different result. -![912_2_image002_950x217](../../../../static/img/product_docs/policypak/policypak/cloud/912_2_image002_950x217.webp) +![912_2_image002_950x217](/img/product_docs/policypak/policypak/cloud/912_2_image002_950x217.webp) diff --git a/docs/policypak/policypak/cloud/concepts.md b/docs/policypak/policypak/cloud/concepts.md index 29bc9c0151..3ca4afbcf7 100644 --- a/docs/policypak/policypak/cloud/concepts.md +++ b/docs/policypak/policypak/cloud/concepts.md @@ -17,9 +17,9 @@ Endpoint Policy Manager Cloud service to client machines, where they are receive the directives you have licensed. Endpoint Policy Manager Cloud can be used with or without Active Directory. -![concepts_logons_and_downloads_437x399](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_437x399.webp) +![concepts_logons_and_downloads_437x399](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_437x399.webp) -![concepts_logons_and_downloads_1_436x375](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_1_436x375.webp) +![concepts_logons_and_downloads_1_436x375](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_1_436x375.webp) Below are some Endpoint Policy Manager Cloud concepts: diff --git a/docs/policypak/policypak/cloud/creditcard.md b/docs/policypak/policypak/cloud/creditcard.md index 7b2c35281c..07665589b3 100644 --- a/docs/policypak/policypak/cloud/creditcard.md +++ b/docs/policypak/policypak/cloud/creditcard.md @@ -7,4 +7,4 @@ Then when you're there, click on **SaaS Billing**, then **Start Subscription**. Follow the directions after that. -![936_1_image001](../../../../static/img/product_docs/policypak/policypak/cloud/936_1_image001.webp) +![936_1_image001](/img/product_docs/policypak/policypak/cloud/936_1_image001.webp) 
diff --git a/docs/policypak/policypak/cloud/downloads.md b/docs/policypak/policypak/cloud/downloads.md index 2e923f5ecb..e4b2a7155c 100644 --- a/docs/policypak/policypak/cloud/downloads.md +++ b/docs/policypak/policypak/cloud/downloads.md @@ -21,7 +21,7 @@ then exported for use with Endpoint Policy Manager cloud. The main menu for the Endpoint Policy Manager Customer Portal is shown below. -![concepts_logons_and_downloads_10_374x437](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_10_374x437.webp) +![concepts_logons_and_downloads_10_374x437](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_10_374x437.webp) Video: For an overview on how to use the Endpoint Policy Manager Customer Portal, please watch this video: [http://www.policypak.com/customerportal](http://www.policypak.com/customerportal). @@ -42,7 +42,7 @@ the download in virtual environments (which can easily mount ISO files) or to bu Below you can see the list of files and directories that are inside the Endpoint Policy Manager ISO download. -![concepts_logons_and_downloads_11_624x287](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_11_624x287.webp) +![concepts_logons_and_downloads_11_624x287](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_11_624x287.webp) You won't need most of these items for Endpoint Policy Manager Cloud. Indeed, the only folders you need are the **Admin Console MSI** folder and the **Client Side Extension (CSE)** folder, as diff --git a/docs/policypak/policypak/cloud/eventcollection/childgroups.md b/docs/policypak/policypak/cloud/eventcollection/childgroups.md index e4295becf8..d64888e6ed 100644 --- a/docs/policypak/policypak/cloud/eventcollection/childgroups.md +++ b/docs/policypak/policypak/cloud/eventcollection/childgroups.md 
@@ -19,4 +19,4 @@ settings, then the following rules apply: - If any group of which a computer is a member has the **Collect Events** filter set to **All**, then the previous rule doesn't apply. All always takes precedence. -![940_1_image002_950x536](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/940_1_image002_950x536.webp) +![940_1_image002_950x536](/img/product_docs/policypak/policypak/cloud/eventcollection/940_1_image002_950x536.webp) diff --git a/docs/policypak/policypak/cloud/eventcollection/report.md b/docs/policypak/policypak/cloud/eventcollection/report.md index 62f46b6204..6e1ceea7c2 100644 --- a/docs/policypak/policypak/cloud/eventcollection/report.md +++ b/docs/policypak/policypak/cloud/eventcollection/report.md 
@@ -22,32 +22,32 @@ The steps are as follows: **Step 1 –** Select the company group you want to pull events from the computers. -![1331_1_596df1241c37a16d07ab1a0112189b90](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_1_596df1241c37a16d07ab1a0112189b90.jpeg) +![1331_1_596df1241c37a16d07ab1a0112189b90](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_1_596df1241c37a16d07ab1a0112189b90.jpeg) **Step 2 –** Navigate to Company Group and Click **Edit Group**. -![1331_2_669b3e1fe0433c37d3167839136d8706](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_2_669b3e1fe0433c37d3167839136d8706.webp) +![1331_2_669b3e1fe0433c37d3167839136d8706](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_2_669b3e1fe0433c37d3167839136d8706.webp) **Step 3 –** Select the Event Collector **Refresh interval for computers** time setting. -![1331_3_ad00e7dbb30a04f1f0870f28a6bc6255](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_3_ad00e7dbb30a04f1f0870f28a6bc6255.webp) +![1331_3_ad00e7dbb30a04f1f0870f28a6bc6255](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_3_ad00e7dbb30a04f1f0870f28a6bc6255.webp) **Step 4 –** Select the **Event IDs** you want to collect. -![1331_4_7343ac11bad81555a0df4d9b989c7992](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_4_7343ac11bad81555a0df4d9b989c7992.webp) +![1331_4_7343ac11bad81555a0df4d9b989c7992](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_4_7343ac11bad81555a0df4d9b989c7992.webp) **Step 5 –** You can select the drop-down option to select the **Event IDs**. See the -[List of Endpoint Policy Manager Event Categories and IDs](../../tips/eventcategories.md) topic for +[List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) topic for additional information on the event categories and IDs. 
-![1331_5_1abd34538213d5d2da7bf97cdc936d01](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_5_1abd34538213d5d2da7bf97cdc936d01.webp) +![1331_5_1abd34538213d5d2da7bf97cdc936d01](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_5_1abd34538213d5d2da7bf97cdc936d01.webp) **Step 6 –** Go to the **Reports** tab to see the events that have been generated. -![1331_6_b02b2b1b225df20c25a38f3315efde31](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_6_b02b2b1b225df20c25a38f3315efde31.webp) +![1331_6_b02b2b1b225df20c25a38f3315efde31](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_6_b02b2b1b225df20c25a38f3315efde31.webp) **Step 7 –** Create policies through the events that are being generated. -![1331_7_1836b2dba9db9365124356840324b8d1](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/1331_7_1836b2dba9db9365124356840324b8d1.webp) +![1331_7_1836b2dba9db9365124356840324b8d1](/img/product_docs/policypak/policypak/cloud/eventcollection/1331_7_1836b2dba9db9365124356840324b8d1.webp) **Step 8 –** You can edit the policy name and the policy conditions if needed. diff --git a/docs/policypak/policypak/cloud/eventcollection/splunk.md b/docs/policypak/policypak/cloud/eventcollection/splunk.md index 869fc157e8..37bcf78509 100644 --- a/docs/policypak/policypak/cloud/eventcollection/splunk.md +++ b/docs/policypak/policypak/cloud/eventcollection/splunk.md 
@@ -26,9 +26,9 @@ Internet. **Step 2 –** Navigate to [https://cloud.policypak.com/,](https://cloud.policypak.com/) go to **Company details** > **Event Forwarder List** > **Add Event Forwarder** . -![976_1_1](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_1_1.webp) +![976_1_1](/img/product_docs/policypak/policypak/cloud/eventcollection/976_1_1.webp) -![976_3_3](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_3_3.webp) +![976_3_3](/img/product_docs/policypak/policypak/cloud/eventcollection/976_3_3.webp) **Step 3 –** Configure and save the new **Event Forwarder**. Please be aware that you must be a **Notification Option Admin**' role member. One-time Password is required for saving **Event @@ -40,7 +40,7 @@ You may may usethe **Validate** button to check the credentials before saving. **Step 5 –** InEndpoint Policy Manager Cloud confirm that events are forwarded as expected. -![976_2_2](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_2_2.webp) +![976_2_2](/img/product_docs/policypak/policypak/cloud/eventcollection/976_2_2.webp) **Step 6 –** In Endpoint Policy Manager Cloud, go to **Report** > **Computers (Collected Events)** > **Show event**, and check **Forwarded** state (Scheduled, Forwarded, Error). 
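Review bot: the context of this splunk.md hunk still has run-together words next to the line being changed: the hunk header shows `You may may usethe **Validate** button` and Step 5 reads `InEndpoint Policy Manager Cloud confirm`. The previous hunk in the same file also carries a stray apostrophe in `**Notification Option Admin**' role member` and a comma inside the link text `[https://cloud.policypak.com/,]`. None of these are caused by the path rewrite, but they sit on the lines surrounding it and are cheap to fix while the file is open.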
@@ -53,14 +53,14 @@ the user name and password. **Step 9 –** Click **Search & Reporting** enter index=**history** filter, then click the **Search** icon. -![976_4_4](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_4_4.webp) +![976_4_4](/img/product_docs/policypak/policypak/cloud/eventcollection/976_4_4.webp) **Step 10 –** Click **Datasets**. -![976_5_5](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_5_5.webp) +![976_5_5](/img/product_docs/policypak/policypak/cloud/eventcollection/976_5_5.webp) **Step 11 –** Click **raw_data**. -![976_6_6](../../../../../static/img/product_docs/policypak/policypak/cloud/eventcollection/976_6_6.webp) +![976_6_6](/img/product_docs/policypak/policypak/cloud/eventcollection/976_6_6.webp) **Step 12 –** View the event data diff --git a/docs/policypak/policypak/cloud/fakedc.md b/docs/policypak/policypak/cloud/fakedc.md index 2e8e64ea6d..4737486af4 100644 --- a/docs/policypak/policypak/cloud/fakedc.md +++ b/docs/policypak/policypak/cloud/fakedc.md @@ -16,7 +16,7 @@ station. For a good overview, you can check our videos on Endpoint Policy ManagerCloud, particularly the ones on requirements and procedures to get started. You can find the videos at the -[Video Learning Center](../license/overview/videolearningcenter.md) +[Video Learning Center](/docs/policypak/policypak/license/overview/videolearningcenter.md) ## Part 2: MMC vs in-cloud editors 
@@ -55,7 +55,7 @@ Here’s an example. Black text are policy types which are available. Grayed out available yet. Some policy types might be some percent complete, or might never be ported over at all. -![622_1_sadf_950x462](../../../../static/img/product_docs/policypak/policypak/cloud/622_1_sadf_950x462.webp) +![622_1_sadf_950x462](/img/product_docs/policypak/policypak/cloud/622_1_sadf_950x462.webp) Lastly, here is the table of what’s currently in Endpoint Policy Manager Cloud editors and our own self-assessed ranking of Percent complete. diff --git a/docs/policypak/policypak/cloud/groups.md b/docs/policypak/policypak/cloud/groups.md index 48740c3b67..3d239d7ec6 100644 --- a/docs/policypak/policypak/cloud/groups.md +++ b/docs/policypak/policypak/cloud/groups.md @@ -9,4 +9,4 @@ Information on creating jointokens: - Manual: [https://helpcenter.netwrix.com/bundle/PolicyPak_AppendixE/page/Tools.html](https://helpcenter.netwrix.com/bundle/PolicyPak_AppendixE/page/Tools.html) and - Video: - [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../video/cloud/jointoken.md) + [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) diff --git a/docs/policypak/policypak/cloud/install/mac/client.md b/docs/policypak/policypak/cloud/install/mac/client.md index 94088f8124..a1664f1f67 100644 --- a/docs/policypak/policypak/cloud/install/mac/client.md +++ b/docs/policypak/policypak/cloud/install/mac/client.md 
@@ -1,6 +1,6 @@ # What are the step by step instructions to install the MacOS Client for Endpoint Policy Manager Cloud manually? -![888_1_image001_950x671](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_1_image001_950x671.webp) +![888_1_image001_950x671](/img/product_docs/policypak/policypak/cloud/install/mac/888_1_image001_950x671.webp) **Step 1 –** First download the MacOS Client for Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud as seen here. 
@@ -8,22 +8,22 @@ PolicyPak) Cloud as seen here. **Step 2 –** Download the Endpoint Policy Manager Cloud PFX file like what's seen here (requires a password) and keep the file and password handy. -![888_2_image002_950x256](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_2_image002_950x256.webp) +![888_2_image002_950x256](/img/product_docs/policypak/policypak/cloud/install/mac/888_2_image002_950x256.webp) **Step 3 –** Next, double-click on the installer to run. When the installer finishes, the Endpoint Policy Manager command will be installed for all users. -![888_3_image_10_950x461](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_3_image_10_950x461.webp) +![888_3_image_10_950x461](/img/product_docs/policypak/policypak/cloud/install/mac/888_3_image_10_950x461.webp) **Step 4 –** After installation completes you will be asked to "Open Preferences" like what's seen here. -![888_4_image_11_950x745](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_4_image_11_950x745.webp) +![888_4_image_11_950x745](/img/product_docs/policypak/policypak/cloud/install/mac/888_4_image_11_950x745.webp) **Step 5 –** Select Privacy, then Unlock, and then grant Endpoint Policy Manager access to the Disk like what's seen here. -![888_5_image_12_950x864](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_5_image_12_950x864.webp) +![888_5_image_12_950x864](/img/product_docs/policypak/policypak/cloud/install/mac/888_5_image_12_950x864.webp) At this point the MacOS Client for Endpoint Policy Manager Cloud is installed, but it is not yet enrolled in Endpoint Policy Manager Cloud. 
@@ -45,12 +45,12 @@ certificate you downloaded earlier. **Step 7 –** After completing the operation, the message "`Registered: YES` " should appear in the terminal window. -![888_6_image_13_950x238](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_6_image_13_950x238.webp) +![888_6_image_13_950x238](/img/product_docs/policypak/policypak/cloud/install/mac/888_6_image_13_950x238.webp) Now the `PolicyPak` command is registered and available to use, but it must be run as root (or under sudo.) -![888_7_image_14_950x292](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_7_image_14_950x292.webp) +![888_7_image_14_950x292](/img/product_docs/policypak/policypak/cloud/install/mac/888_7_image_14_950x292.webp) **Step 8 –** Sync with Endpoint Policy Manager Cloud with the command @@ -58,8 +58,8 @@ sudo.) When you see Synchronized: Yes you are ready to make rules in Endpoint Policy Manager Cloud. -![888_8_image_15_950x267](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_8_image_15_950x267.webp) +![888_8_image_15_950x267](/img/product_docs/policypak/policypak/cloud/install/mac/888_8_image_15_950x267.webp) You should see your Mac in the MacOS | All group like what's seen here. -![888_9_image_16_950x511](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/888_9_image_16_950x511.webp) +![888_9_image_16_950x511](/img/product_docs/policypak/policypak/cloud/install/mac/888_9_image_16_950x511.webp) diff --git a/docs/policypak/policypak/cloud/install/mac/signature.md b/docs/policypak/policypak/cloud/install/mac/signature.md index 5b5b9c6ad5..df3c7eacb9 100644 --- a/docs/policypak/policypak/cloud/install/mac/signature.md +++ b/docs/policypak/policypak/cloud/install/mac/signature.md 
@@ -50,15 +50,15 @@ Certificate Chain: In this example, you can pull signed details in three ways: -![909_1_image-20230406154820-1](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/909_1_image-20230406154820-1.webp) +![909_1_image-20230406154820-1](/img/product_docs/policypak/policypak/cloud/install/mac/909_1_image-20230406154820-1.webp) **Step 1 –** CN=Developer ID installer: Microsoft Corporation (UBF8T346G9) -![909_2_image-20230406155008-2](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/909_2_image-20230406155008-2.webp) +![909_2_image-20230406155008-2](/img/product_docs/policypak/policypak/cloud/install/mac/909_2_image-20230406155008-2.webp) **Step 2 –** OU=UBF8T346G9 -![909_3_image-20230406155059-3](../../../../../../static/img/product_docs/policypak/policypak/cloud/install/mac/909_3_image-20230406155059-3.webp) +![909_3_image-20230406155059-3](/img/product_docs/policypak/policypak/cloud/install/mac/909_3_image-20230406155059-3.webp) **Step 3 –** O=Microsoft Corporation diff --git a/docs/policypak/policypak/cloud/install/uninstall.md b/docs/policypak/policypak/cloud/install/uninstall.md index 080942e73d..12b2df5d2b 100644 --- a/docs/policypak/policypak/cloud/install/uninstall.md +++ b/docs/policypak/policypak/cloud/install/uninstall.md @@ -9,4 +9,4 @@ following happens: - All XML data files that are in the Cloud folder are removed. - Any Endpoint Policy Manager component will become unlicensed. Different licenses have different behaviors when they become unlicensed. Check the KB article here for more information: - [What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](../../license/unlicense/components.md). + [What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](/docs/policypak/policypak/license/unlicense/components.md). 
diff --git a/docs/policypak/policypak/cloud/interface/companydetails/addcompanyadmin.md b/docs/policypak/policypak/cloud/interface/companydetails/addcompanyadmin.md index 328727df79..04af325a0c 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/addcompanyadmin.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/addcompanyadmin.md @@ -4,7 +4,7 @@ If there is currently only one admin at a company, a second one can be added usi admin** action. After selecting this action, enter the details of the user and the roles the admin should have, and then click **Create and Send Welcome Letter**. -![web_interface_and_controls_88_499x270](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_88_499x270.webp) +![web_interface_and_controls_88_499x270](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_88_499x270.webp) **NOTE:** Once there are two admins already set up, additional admins must be agreed upon by the two admins who have the **Customer Admin Manager** role. diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/changeemail.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/changeemail.md index 8b2c40efc1..3938557441 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/changeemail.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/changeemail.md 
@@ -4,28 +4,28 @@ Email changes are not instantaneous. They must be confirmed by the original emai target (changed) email address. Once you submit the new email address, you get a request sent by email to that address. -![web_interface_and_controls_76_624x438](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_76_624x438.webp) +![web_interface_and_controls_76_624x438](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_76_624x438.webp) Next you must select **Pre-Accept**. -![web_interface_and_controls_77_499x393](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_77_499x393.webp) +![web_interface_and_controls_77_499x393](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_77_499x393.webp) The new email address will get a confirmation email with a two-factor authentication (2FA) style code. -![web_interface_and_controls_78_624x315](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_78_624x315.webp) +![web_interface_and_controls_78_624x315](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_78_624x315.webp) Enter the code in the dialog box to continue. 
-![web_interface_and_controls_79_624x232](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_79_624x232.webp) +![web_interface_and_controls_79_624x232](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_79_624x232.webp) Next, the original email address also needs to be confirmed. -![web_interface_and_controls_80_624x260](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_80_624x260.webp) +![web_interface_and_controls_80_624x260](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_80_624x260.webp) Once accepted, another email is sent to the original email address with a 2FA style code. That code needs to be entered as well to confirm the change. -![web_interface_and_controls_81_499x312](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_81_499x312.webp) +![web_interface_and_controls_81_499x312](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_81_499x312.webp) You will then be immediately logged out and must log on with the new email to continue. diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/loginrestrictionseditor.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/loginrestrictionseditor.md index 1596084905..a121e7c29e 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/loginrestrictionseditor.md 
+++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/loginrestrictionseditor.md @@ -4,4 +4,4 @@ The login restrictions, also known as IP restrictions, that we discussed already section were applied per company. The login restrictions that we are referring here are applied per admin. You can set a specific IP address or IP range to allow, as well as block, logins. -![web_interface_and_controls_83_624x528](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_83_624x528.webp) +![web_interface_and_controls_83_624x528](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_83_624x528.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/notificationeditor.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/notificationeditor.md index ea092a3706..909e009579 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/notificationeditor.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/notificationeditor.md @@ -1,4 +1,4 @@ # Notification Editor -See the topic [Edit Notification Configuration](../../editnotificationconfiguration.md) for details +See the topic [Edit Notification Configuration](/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md) for details on this operation. diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/overview.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/overview.md index 3400d3dbdd..9616fb3525 100644 
--- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/overview.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/overview.md @@ -2,12 +2,12 @@ On the **General Info** tab, you have a few actions to select from. -![web_interface_and_controls_75_624x208](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_75_624x208.webp) +![web_interface_and_controls_75_624x208](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_75_624x208.webp) The actions you can take are listed below and explained in the following sections: -- [Change Email](changeemail.md) +- [Change Email](/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/changeemail.md) - Change Password (No further information needed, therefore not addressed in the sections below.) -- [Resend Welcome Letter](resendwelcomeletter.md) -- [Login Restrictions Editor](loginrestrictionseditor.md) -- [N](../../editnotificationconfiguration.md)[Notification Editor](notificationeditor.md)ditor +- [Resend Welcome Letter](/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/resendwelcomeletter.md) +- [Login Restrictions Editor](/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/loginrestrictionseditor.md) +- [N](/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md)[Notification Editor](/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/notificationeditor.md)ditor 
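Review bot: the last added line of this generalinfo/overview.md hunk carries over malformed link markup instead of fixing it: a one-letter link `[N]` pointing at editnotificationconfiguration.md, immediately followed by `[Notification Editor]` pointing at notificationeditor.md, then a stray `ditor`. It renders as "NNotification Editorditor" with two different targets. Collapse it to a single `[Notification Editor]` entry pointing at generalinfo/notificationeditor.md so it matches the other bullets in the list.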
diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/resendwelcomeletter.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/resendwelcomeletter.md index 48ae295e47..ea409c2ecd 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/resendwelcomeletter.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/resendwelcomeletter.md @@ -4,4 +4,4 @@ The **Resend Welcome Letter** action is typically performed when one admin canno another admin to reset his password. In this case, the helping admin would select Resend Welcome Letter, which would send a new welcome letter to the other admin, thus enabling access again. -![web_interface_and_controls_82_499x294](../../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_82_499x294.webp) +![web_interface_and_controls_82_499x294](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/generalinfo/web_interface_and_controls_82_499x294.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/overview.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/overview.md index 48e9fa3980..b568ef9064 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/overview.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/overview.md 
@@ -1,13 +1,13 @@ # Company Administrators For an overview of security features, including roles, watch this video: -[Endpoint Policy Manager Cloud: Immutable Log](../../../../video/cloud/security/immutablelog.md). +[Endpoint Policy Manager Cloud: Immutable Log](/docs/policypak/policypak/video/cloud/security/immutablelog.md). Your company may have one or more administrators who share access. Those admins may have the same roles, or different roles that enable different interactions with Endpoint Policy Manager Cloud. Any specific admin's properties and roles can be accessed via the **Edit** button next to their name. -![web_interface_and_controls_74_624x169](../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_74_624x169.webp) +![web_interface_and_controls_74_624x169](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_74_624x169.webp) In this window, you can specify the following: diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/rolemanagement.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/rolemanagement.md index 21305d3bf3..a8c561a0bf 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/rolemanagement.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/rolemanagement.md 
@@ -3,17 +3,17 @@ Endpoint Policy Manager Cloud has a few roles that can be assigned to other admins. Each user's assigned roles can be seen in the **Role Management** tab. -![web_interface_and_controls_85_624x118](../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_85_624x118.webp) +![web_interface_and_controls_85_624x118](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_85_624x118.webp) The following roles are available: - Authentication Options Admin: An admin with this role can specify which admins can have which 2FA options. Additionally, they may also set customer-level portal policies as described in the - [Edit Customer-Level Portal Policies](../editcustomerlevelportalpolicies.md) section. + [Edit Customer-Level Portal Policies](/docs/policypak/policypak/cloud/interface/companydetails/editcustomerlevelportalpolicies.md) section. Specifically, they can force email-based or application-based 2FA for all admins. They can also set the 2FA one-time password lifetime, as well as the automatic log off on idle time. - Notification & Logging Options Admin: An admin with this role can use the **Notifications Editor** For more information, see the - [Edit Notification Configuration](../editnotificationconfiguration.md) section). + [Edit Notification Configuration](/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md) section). - Customer Admin Manager: An admin with this role can approve newly created admins when other admins initiate the request. diff --git a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/twofactoroptions.md b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/twofactoroptions.md index d85069b81c..9f6cf82227 100644 
--- a/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/twofactoroptions.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/twofactoroptions.md @@ -4,4 +4,4 @@ Each user starts off with at least one 2FA option enabled. Users must have at le method. If you want to force an admin to use a different method (email-based versus application-based or vice versa) or both methods, you can do that here. -![web_interface_and_controls_84_625x94](../../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_84_625x94.webp) +![web_interface_and_controls_84_625x94](/img/product_docs/policypak/policypak/cloud/interface/companydetails/companyadministrators/web_interface_and_controls_84_625x94.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/configureentraidaccess.md b/docs/policypak/policypak/cloud/interface/companydetails/configureentraidaccess.md index d6a904b8e7..d68e70d0f5 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/configureentraidaccess.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/configureentraidaccess.md 
@@ -1,23 +1,23 @@ # Configure Azure AD Access For an overview of this section, please watch the following video: -[Endpoint Policy Manager Cloud + Azure AD: Better Together for Computer ILT and Computer Policy Targeting](../../../video/cloud/integration/entraid.md). +[Endpoint Policy Manager Cloud + Azure AD: Better Together for Computer ILT and Computer Policy Targeting](/docs/policypak/policypak/video/cloud/integration/entraid.md). You can link your Endpoint Policy Manager Cloud to one or more Azure AD tenants. When you do this, you will be able to enumerate user membership within Item-Level Targeting. To begin, enter a configuration name (which can be anything), and then the Azure AD tenant name. -![web_interface_and_controls_104_624x249](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_104_624x249.webp) +![web_interface_and_controls_104_624x249](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_104_624x249.webp) Next, you are prompted to activate the configuration by entering in your Azure AD credentials. -![web_interface_and_controls_105_623x376](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_105_623x376.webp) +![web_interface_and_controls_105_623x376](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_105_623x376.webp) After you do this, the connection is complete and successful. -![web_interface_and_controls_106_623x252](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_106_623x252.webp) +![web_interface_and_controls_106_623x252](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_106_623x252.webp) The results are that Item-Level Targeting evaluations can now be performed directly on specific users in Azure AD. 
-![web_interface_and_controls_107_623x361](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_107_623x361.webp) +![web_interface_and_controls_107_623x361](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_107_623x361.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/customerlog.md b/docs/policypak/policypak/cloud/interface/companydetails/customerlog.md index c428eeacd0..5780f7bcc4 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/customerlog.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/customerlog.md @@ -1,7 +1,7 @@ # Customer Log For an overview of this section, see this video: -[Endpoint Policy Manager Cloud: Immutable Log](../../../video/cloud/security/immutablelog.md). +[Endpoint Policy Manager Cloud: Immutable Log](/docs/policypak/policypak/video/cloud/security/immutablelog.md). The customer log, also known as the immutable log, is a very powerful security feature within Endpoint Policy Manager Cloud. 
@@ -13,24 +13,24 @@ Nearly every step of every configuration is audited and stored in this log forev see a sample log where each row explains an action that was taken within your Endpoint Policy Manager Cloud instance. -![web_interface_and_controls_98_624x161](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_98_624x161.webp) +![web_interface_and_controls_98_624x161](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_98_624x161.webp) **NOTE:** You can also push your immutable log to your on-prem SIEM (log management) system via an automated email push. To set this up, watch the following video: -[Endpoint Policy Manager Cloud Logs and Automatically Pushing via Email](../../../video/cloud/security/emaillogs.md). +[Endpoint Policy Manager Cloud Logs and Automatically Pushing via Email](/docs/policypak/policypak/video/cloud/security/emaillogs.md). The Immutable Log Viewer has very powerful filtering that enables you to see what actions were performed, when, and by whom. -![web_interface_and_controls_99_624x286](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_99_624x286.webp) +![web_interface_and_controls_99_624x286](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_99_624x286.webp) Depending on the event type, double-clicking on any line may provide more information. Particularly interesting is the **EditPolicy** type, which has a special button called **Compare**. 
-![web_interface_and_controls_100_624x416](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_100_624x416.webp) +![web_interface_and_controls_100_624x416](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_100_624x416.webp) Clicking the **Compare** button performs a straight XML demonstration of output between the policy before and after editing. If you discover that a change is unwanted, you can immediately roll back to the previous version by selecting **Revert**. -![web_interface_and_controls_101_623x491](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_101_623x491.webp) +![web_interface_and_controls_101_623x491](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_101_623x491.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/downloads.md b/docs/policypak/policypak/cloud/interface/companydetails/downloads.md index 49cfb031a4..32d491e442 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/downloads.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/downloads.md 
@@ -6,15 +6,15 @@ machine joins your Endpoint Policy Manager Cloud instance. This is the process t download directives, auto-install the CSE, and perform other cloud-specific operations. Typically you would download the 32-bit or 64-bit versions, or both as a bundled ZIP. -![web_interface_and_controls_86_624x192](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_86_624x192.webp) +![web_interface_and_controls_86_624x192](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_86_624x192.webp) **CAUTION:** Clients will continue to use the Endpoint Policy Manager Cloud client version they started with until you specifically tell them to use a later version. Please watchthe following videoto see how to use groups to keep clients updated: -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../../../video/cloud/groups.md). +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md). From time to time you may be asked by Endpoint Policy Manager Support to attempt to use an older version of the client. In this case, you can click on Download other versions and select an older version. -![web_interface_and_controls_87_624x282](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_87_624x282.webp) +![web_interface_and_controls_87_624x282](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_87_624x282.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/editcustomerlevelportalpolicies.md b/docs/policypak/policypak/cloud/interface/companydetails/editcustomerlevelportalpolicies.md index 904201cd90..892f9197fa 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/editcustomerlevelportalpolicies.md 
+++ b/docs/policypak/policypak/cloud/interface/companydetails/editcustomerlevelportalpolicies.md @@ -3,7 +3,7 @@ Customer-level portal policies are only available for admins with the **Authentication Options Admin** role. -![web_interface_and_controls_102_624x172](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_102_624x172.webp) +![web_interface_and_controls_102_624x172](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_102_624x172.webp) Someone with this role may set the following values: @@ -15,4 +15,4 @@ Someone with this role may set the following values: - Set email-based 2Fa OTP lifetime: If email 2FA is used, the one-time password has a lifetime of 10 minutes. This can be changed here. -![web_interface_and_controls_103_625x304](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_103_625x304.webp) +![web_interface_and_controls_103_625x304](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_103_625x304.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md b/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md index 2a1c3d574c..7e7d3a8c8f 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/editnotificationconfiguration.md 
@@ -8,7 +8,7 @@ Admin** role. This role enables the admin to perform two functions: - Actions Configuration: Specify special emails when certain conditions exist within the Endpoint Policy Manager Cloud instance. -![web_interface_and_controls_91_624x157](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_91_624x157.webp) +![web_interface_and_controls_91_624x157](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_91_624x157.webp) ## Add Rules @@ -21,15 +21,15 @@ notification, you need tospecify the following: - Notification: This is the delivery method of the notification. Currently only email is supported, but there may be additional methods added in the future. -![web_interface_and_controls_92_499x345](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_92_499x345.webp) +![web_interface_and_controls_92_499x345](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_92_499x345.webp) If you want to quickly set up all notifications for all admins, click all three check boxes. -![web_interface_and_controls_93_499x337](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_93_499x337.webp) +![web_interface_and_controls_93_499x337](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_93_499x337.webp) When you set up notifications, you will see a list of the added rules. -![web_interface_and_controls_94_498x221](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_94_498x221.webp) +![web_interface_and_controls_94_498x221](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_94_498x221.webp) ## Actions Configuration 
@@ -43,14 +43,14 @@ The **Actions Configuration Editor** has two settings that can be selected: Neither of these are turned on by default and may only be enabled by an admin with the **Notification & Logging Options Admin** role. -![web_interface_and_controls_95_623x429](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_95_623x429.webp) +![web_interface_and_controls_95_623x429](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_95_623x429.webp) When the weekly report of inactive computers is turned on, admins will get an email like yjos on Mondays. -![web_interface_and_controls_96_625x341](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_96_625x341.webp) +![web_interface_and_controls_96_625x341](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_96_625x341.webp) When the check box for remaining license notification threshold is set and the pool of licenses dips below the reporting threshold, all admins get a notification. -![web_interface_and_controls_97_624x209](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_97_624x209.webp) +![web_interface_and_controls_97_624x209](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_97_624x209.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/loginrestrictions.md b/docs/policypak/policypak/cloud/interface/companydetails/loginrestrictions.md index 6527a62297..d4d23b9e05 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/loginrestrictions.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/loginrestrictions.md 
@@ -5,8 +5,8 @@ accessed from a single IP address or specific range of allowed IP addresses. Alt also expressly deny specific IP addresses with a range if desired. This is recommended if you know you only want a connection to be allowed from your on-prem network, which remains consistent. -![web_interface_and_controls_72_625x253](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_72_625x253.webp) +![web_interface_and_controls_72_625x253](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_72_625x253.webp) This is the result of a blocked login: -![web_interface_and_controls_73_312x450](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_73_312x450.webp) +![web_interface_and_controls_73_312x450](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_73_312x450.webp) diff --git a/docs/policypak/policypak/cloud/interface/companydetails/overview.md b/docs/policypak/policypak/cloud/interface/companydetails/overview.md index 6f6897c617..6de6a13f17 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/overview.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/overview.md 
@@ -5,9 +5,9 @@ and feel of things, but many others are security related. For an overview of the major Endpoint Policy Manager Cloud security features (2FA, admin roles, notifications, IP block restrictions, etc.) check out this video: -[Endpoint Policy Manager Cloud: Security Features](../../../video/cloud/security/features.md). +[Endpoint Policy Manager Cloud: Security Features](/docs/policypak/policypak/video/cloud/security/features.md). -![web_interface_and_controls_70_624x296](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_70_624x296.webp) +![web_interface_and_controls_70_624x296](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_70_624x296.webp) In the sections that follow,we cover the following items: 
@@ -31,13 +31,13 @@ Additionally, we'll explore the actions available to us in the **Company Details ## Company Details Section Video: For an overview of this section, see this video: -[Endpoint Policy Manager Cloud: Strict vs. Loose Computer Registration Mode](../../../video/cloud/registrationmode.md). +[Endpoint Policy Manager Cloud: Strict vs. Loose Computer Registration Mode](/docs/policypak/policypak/video/cloud/registrationmode.md). The **Company Details** section under the **Company Details** tab allows you to change your company display name and time zone, which is used for reporting on log files. However, the most important setting in this section is the **Computer registration mode**, which has four options. -![web_interface_and_controls_71_624x518](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/web_interface_and_controls_71_624x518.webp) +![web_interface_and_controls_71_624x518](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/web_interface_and_controls_71_624x518.webp) This setting directs Endpoint Policy Manager Cloud on how to act when an endpoint computer is already joined to Endpoint Policy Manager Cloud and attempts to re-register or claim another diff --git a/docs/policypak/policypak/cloud/interface/companydetails/revokecompanycertificate.md b/docs/policypak/policypak/cloud/interface/companydetails/revokecompanycertificate.md index 37f433d1b6..46bbfafd46 100644 --- a/docs/policypak/policypak/cloud/interface/companydetails/revokecompanycertificate.md +++ b/docs/policypak/policypak/cloud/interface/companydetails/revokecompanycertificate.md 
@@ -1,14 +1,14 @@ # Revoke Company's Certificate Endpoint machines join Endpoint Policy Manager Cloud via the Cloud client MSI download (see the -[Downloads](downloads.md) section ). Inside the Cloud client MSI (for each company) is a unique x509 +[Downloads](/docs/policypak/policypak/cloud/interface/companydetails/downloads.md) section ). Inside the Cloud client MSI (for each company) is a unique x509 certificate. This identifies your MSI among all other Endpoint Policy Manager customers. This way, only your Endpoint Policy Manager Cloud client MSI can be used to join computers to your Endpoint Policy Manager Cloud account. If your MSI is lost, you see unexpected machines in your Endpoint Policy Manager Cloud, or you want to replace the MSI, you have the option to select **Revoke company's certificate**. -![web_interface_and_controls_89_499x212](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_89_499x212.webp) +![web_interface_and_controls_89_499x212](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_89_499x212.webp) This is a security mechanism that will re-issue the x509 certificate, which has the following effects: @@ -24,4 +24,4 @@ start using your new MSI (encoded with a new x509 certificate). As soon as you p existing MSIs will stop functioning. Attempts to use them will fail and the installer gets a message:. -![web_interface_and_controls_90_624x510](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_90_624x510.webp) +![web_interface_and_controls_90_624x510](/img/product_docs/policypak/policypak/cloud/interface/companydetails/web_interface_and_controls_90_624x510.webp) diff --git a/docs/policypak/policypak/cloud/interface/computergroups/overview.md b/docs/policypak/policypak/cloud/interface/computergroups/overview.md index 21feb6a2a8..16dacf412d 100644 
--- a/docs/policypak/policypak/cloud/interface/computergroups/overview.md +++ b/docs/policypak/policypak/cloud/interface/computergroups/overview.md @@ -13,11 +13,11 @@ the following features **NOTE:** The actions that appear on the right when you click on a group are context sensitive. -![web_interface_and_controls_50_593x200](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_50_593x200.webp) +![web_interface_and_controls_50_593x200](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_50_593x200.webp) This is an example of items and actions that are available when you click a policy. -![web_interface_and_controls_51_593x184](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_51_593x184.webp) +![web_interface_and_controls_51_593x184](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_51_593x184.webp) In the next sections, we cover the following: @@ -43,7 +43,7 @@ In the example below, we clicked on the **All** group, then selected **Create an Policy....** When you do this, the **Create policy** dialog appears, and you can select the in-cloud editor of your choice. -![web_interface_and_controls_52_624x291](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_52_624x291.webp) +![web_interface_and_controls_52_624x291](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_52_624x291.webp) For details and guidance on using the in-cloud editors, refer back to the previous section on creating policies. 
@@ -56,4 +56,4 @@ more information, refer to the **Creating a Endpoint Policy Manager Cloud On-Pre Once you have your exported policy XML data file, you can select the group, then select Upload and link a new XML here and then, paste the XML data. -![web_interface_and_controls_53_623x265](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_53_623x265.webp) +![web_interface_and_controls_53_623x265](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_53_623x265.webp) diff --git a/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md b/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md index 9daaf4aeca..620f8734f9 100644 --- a/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md +++ b/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md @@ -24,7 +24,7 @@ action pane at any time. You can add company groups by clicking on the **Company by clicking on any existing company group and making a sub-group, as shown below where multiple company groups and sub-company groups have been created as examples. -![web_interface_and_controls_54_624x228](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_54_624x228.webp) +![web_interface_and_controls_54_624x228](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_54_624x228.webp) Unlike Microsoft Group Policy, a computer may be a member of multiple groups in Endpoint Policy Manager Cloud. Click on the company group, then select **Add/Remove Computers from Group** and click 
@@ -32,11 +32,11 @@ Manager Cloud. Click on the company group, then select **Add/Remove Computers fr this group) or **Available Computers** (meaning computers not yet in this group). You can select or un-select computers as needed. -![web_interface_and_controls_55_624x229](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_55_624x229.webp) +![web_interface_and_controls_55_624x229](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_55_624x229.webp) You can also perform other context-sensitive actions after you click on a company group. -![web_interface_and_controls_56_624x214](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_56_624x214.webp) +![web_interface_and_controls_56_624x214](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_56_624x214.webp) The context-sensitive actions are described below: 
@@ -75,12 +75,12 @@ Built-in groups enable you to perform actions on computers that meet certain cri Here you can see XML data files linked to the **All** group. Note that anytime policies are linked to the **All** group, they are always enforced. -![web_interface_and_controls_57_500x169](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_57_500x169.webp) +![web_interface_and_controls_57_500x169](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_57_500x169.webp) ## Company Groups Video: For an overview of this section, watch -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../../../video/cloud/groups.md). +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md). The Endpoint Policy Manager CSE and the Endpoint Policy Manager Cloud client get updated from time to time for bug fixes as well as for features. For instance, whenever a new component is released, a 
@@ -125,19 +125,19 @@ Testers**. Then we are configuring it to use the latest CSE and the latest Endpo Cloud client version. In addition, if you want to change how often these computers check-in for new policies, you may also do that here. -![web_interface_and_controls_58_623x226](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_58_623x226.webp) +![web_interface_and_controls_58_623x226](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_58_623x226.webp) Now the sub-group appears. The computers in Friendly Testers would now get the latest CSE and Endpoint Policy Manager Cloud client version. -![web_interface_and_controls_59_624x236](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_59_624x236.webp) +![web_interface_and_controls_59_624x236](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_59_624x236.webp) After you are satisfied that everything is working as expected, you can apply this to more and more groups. When you are satisfied that you have good results, you can use the **All** group to force the latest version everywhere. When you do this, no groups can deliver a CSE or Endpoint Policy Manager Cloud client version that is lower than what is set in the **All** group. -![web_interface_and_controls_60_624x215](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_60_624x215.webp) +![web_interface_and_controls_60_624x215](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_60_624x215.webp) ## Policy Forecast/Modeling Report 
@@ -150,7 +150,7 @@ expect on an endpoint. Policies are cumulative in the following manner: The Policy Forecast/Modeling Report is a way to determine which policies to expect on the endpoint. -![web_interface_and_controls_61_623x288](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_61_623x288.webp) +![web_interface_and_controls_61_623x288](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_61_623x288.webp) Below you can see there are eight policies applied. Three are from the built-in **All** group, which cannot be avoided, and the rest are inherited (directly) from the group itself. If you click on a @@ -159,7 +159,7 @@ see its policies also appear in the report. **NOTE:** The report shows precedence order, meaning the lowest number will win in a conflict. -![web_interface_and_controls_62_623x298](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_62_623x298.webp) +![web_interface_and_controls_62_623x298](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_62_623x298.webp) A warning about the Policy Forecast/Modeling Report: if a computer is in two or more groups, the Policy Forecast/Modeling Report will not show the expected result. It can only model one group at a 
@@ -170,7 +170,7 @@ time and cannot account for a computer being in multiple groups at the same time Policy XML files linked at any level are displayed in two ways. In the left pane, they are displayed alphabetically. In the middle pane, the XML files are displayed by link order. -![web_interface_and_controls_63_624x225](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_63_624x225.webp) +![web_interface_and_controls_63_624x225](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_63_624x225.webp) Link order is a way to order and prioritize policies. The lowest link order number gets the highest overall precedence. In this way, within a particular level, if you had conflicts you needed to @@ -184,7 +184,7 @@ the display list, wins. To see this, first select a group, then select **Change Policy Link Order** in the action pane to get the **Order linked XML data files** window. -![web_interface_and_controls_64_624x228](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_64_624x228.webp) +![web_interface_and_controls_64_624x228](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_64_624x228.webp) ## Block Inheritance and Enforcement 
@@ -192,21 +192,21 @@ Like Group Policy, Endpoint Policy Manager Cloud has the same concepts of block enforce. Block inheritance will stop upper-level policies from affecting machines in sub-groups. It is only available for sub-groups and not for top-level parent groups. -![web_interface_and_controls_65_624x238](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_65_624x238.webp) +![web_interface_and_controls_65_624x238](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_65_624x238.webp) When block inheritance on a child group is enabled, a blue exclamation mark signifies it is on. It can be removed by selecting the group and selecting **Unblock Inheritance**. -![web_interface_and_controls_66_625x232](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_66_625x232.webp) +![web_interface_and_controls_66_625x232](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_66_625x232.webp) The net result of block inheritance is that XML policies from above will not flow down. Below, you can see the policies when there is no block inheritance. -![web_interface_and_controls_67_623x288](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_67_623x288.webp) +![web_interface_and_controls_67_623x288](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_67_623x288.webp) Policies are not applied from up above when block inheritance is active. 
-![web_interface_and_controls_68_625x286](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_68_625x286.webp) +![web_interface_and_controls_68_625x286](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_68_625x286.webp) When a policy is selected it may be chosen for enforcement. Enforcement means that the policy will break through a block inheritance if that policy is higher in the hierarchy. @@ -217,4 +217,4 @@ It is easy to use the search box to look for policies and groups that match a wo see we are searching for the word "fire" and finding policies and groups with that word in them very quickly. -![web_interface_and_controls_69_312x320](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_69_312x320.webp) +![web_interface_and_controls_69_312x320](/img/product_docs/policypak/policypak/cloud/interface/computergroups/web_interface_and_controls_69_312x320.webp) diff --git a/docs/policypak/policypak/cloud/interface/filebox.md b/docs/policypak/policypak/cloud/interface/filebox.md index 51047799cc..2667cfb0f7 100644 --- a/docs/policypak/policypak/cloud/interface/filebox.md +++ b/docs/policypak/policypak/cloud/interface/filebox.md 
@@ -7,16 +7,16 @@ The **File Box** tab provides access to two features: - ADMX Files - files with your own ADMX settings for custom applications that you can upload and that Endpoint Policy Manager (the company) doesn't automatically provide for you. -![web_interface_and_controls_44_625x138](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_44_625x138.webp) +![web_interface_and_controls_44_625x138](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_44_625x138.webp) ## External Links Video: You can learn more about external links and Endpoint Policy Manager Remote Work Delivery Manager from this video: -[Deploy software with Endpoint Policy Manager Cloud](../../video/remoteworkdelivery/cloud.md). +[Deploy software with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/remoteworkdelivery/cloud.md). You can learn more about the external links function in -[How to use Remote Work Delivery Manager to apply Firewall policies](../remoteworkdeliverymanager.md). +[How to use Remote Work Delivery Manager to apply Firewall policies](/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md). But in short, you can use public web services, like Amazon S3, to house software and then deploy it to your remote PCs. However, Endpoint Policy Manager Cloud needs to know about this link before it can be used. For this reason, you need to select the **Add external link** action and then specify 
@@ -25,12 +25,12 @@ After you do this, click **Validate Link**. Finally, click **Save** to continue, be available within the in-cloud editor for Endpoint Policy Manager Cloud Remote Work Delivery Manager. -![web_interface_and_controls_45_499x230](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_45_499x230.webp) +![web_interface_and_controls_45_499x230](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_45_499x230.webp) ## ADMX Files Video: You can see an overview of this section in the video: -[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](../../video/cloud/admxfiles.md). +[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md). While Endpoint Policy Manager (the company) automatically keeps many important ADMX settings automatically updated for you, there could be a time when you have a third-party or custom 
@@ -44,21 +44,21 @@ In this example, we'll use the v10.1 templates, but you can do the same process which has both ADMX and ADML formatted files. In short, you need to ensure that your ZIP file has exactly two files in it: an ADMX file and an ADML file. -![web_interface_and_controls_46_624x346](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_46_624x346.webp) +![web_interface_and_controls_46_624x346](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_46_624x346.webp) Once you have this ZIP file downloaded from your manufacturer or compiled on your own, you are ready to use it with the **Upload ADMX Files** action. After selecting **Upload ADMX Files**, select the file. Then, change the display path to describe the ADMX file, and trim anything not useful in the name. -![web_interface_and_controls_47_624x396](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_47_624x396.webp) +![web_interface_and_controls_47_624x396](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_47_624x396.webp) Click **Save** to continue. Now you can see your ADMX settings, and you can also peruse your upload to see all the settings. -![web_interface_and_controls_48_625x200](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_48_625x200.webp) +![web_interface_and_controls_48_625x200](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_48_625x200.webp) Now you're ready to use the uploaded ADMX and ADML files when using the Endpoint Policy Manager Cloud in-cloud ADMX editors to create administrative template policies. 
-![web_interface_and_controls_49_624x318](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_49_624x318.webp) +![web_interface_and_controls_49_624x318](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_49_624x318.webp) diff --git a/docs/policypak/policypak/cloud/interface/licensestatus.md b/docs/policypak/policypak/cloud/interface/licensestatus.md index c0e4753266..c7f5d04cfb 100644 --- a/docs/policypak/policypak/cloud/interface/licensestatus.md +++ b/docs/policypak/policypak/cloud/interface/licensestatus.md @@ -10,7 +10,7 @@ unlicensed products you might have that are available for purchase. Additionally columns listed as **Consumed** and **Waiting**. When you click on the number within the cell, a pop-up window appears showing the computers that are consumed or waiting. -![web_interface_and_controls_1_624x138](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_1_624x138.webp) +![web_interface_and_controls_1_624x138](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_1_624x138.webp) When you click the number in the **Consumed** column, you can see the computers which are actively taking on a Endpoint Policy Manager Cloud license. You can then determine the first and last check 
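Review bot: The alt text on the + image line in the licensestatus.md hunk is still the asset file name (web_interface_and_controls_1_624x138), which tells a screen-reader user nothing about the screenshot. While the line is being touched, replace it with a short description of what is shown, for example the Consumed and Waiting columns that the surrounding paragraph describes.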
@@ -18,7 +18,7 @@ in. Additionally, you can click **Show state changes** to see every time a compu re-claimed a license, or Show linked policies to get a quick report of which policies are affecting the specific computer. -![web_interface_and_controls_2_624x190](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_2_624x190.webp) +![web_interface_and_controls_2_624x190](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_2_624x190.webp) For instance, clicking on **COMPUTERMDM64** and then **how linked policies** would return the window shown below. Note that you can sort by the product name (component name), as well as the policy name @@ -26,7 +26,7 @@ shown below. Note that you can sort by the product name (component name), as wel time for each policy. Or, if the policy has never been received, you can see a blank value. We'll go into further detail on reporting in a separate section on reports. -![web_interface_and_controls_3_624x247](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_3_624x247.webp) +![web_interface_and_controls_3_624x247](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_3_624x247.webp) Computers may transition from a licensed state of **consumed** to a state of **waiting**. The Endpoint Policy Manager Cloud waiting list is used to describe two conditions: 
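Review bot: In the @@ -18,7 hunk the unchanged context reads "and then **how linked policies**", while the paragraph above it names the same control "Show linked policies" without bold. The patch carries both forms forward; correct the label to **Show linked policies** and format the two mentions the same way.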
@@ -49,4 +49,4 @@ and those licenses becomes available. Below you can see that nine computers have transitioned from consumed to waiting. The switch to waiting for all of those nine computers was due to inactivity, not because of oversubscription. -![web_interface_and_controls_4_625x326](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_4_625x326.webp) +![web_interface_and_controls_4_625x326](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_4_625x326.webp) diff --git a/docs/policypak/policypak/cloud/interface/overview.md b/docs/policypak/policypak/cloud/interface/overview.md index 93ec896898..6b19a79a3e 100644 --- a/docs/policypak/policypak/cloud/interface/overview.md +++ b/docs/policypak/policypak/cloud/interface/overview.md @@ -12,7 +12,7 @@ Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud has several roles: The Endpoint Policy Manager Cloud web interface contains the following sections: -![web_interface_and_controls_624x229](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_624x229.webp) +![web_interface_and_controls_624x229](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_624x229.webp) In this section, we will go over the tabs in the following order (not the order in which they actually appear) diff --git a/docs/policypak/policypak/cloud/interface/reports.md b/docs/policypak/policypak/cloud/interface/reports.md index 5c9e83b885..b100a4a25a 100644 --- a/docs/policypak/policypak/cloud/interface/reports.md +++ b/docs/policypak/policypak/cloud/interface/reports.md 
@@ -10,7 +10,7 @@ a specific status, as shown below. This report shows a table of results with dat currently connected to Endpoint Policy Manager Cloud. The following data is available: computer name, installed OS, IP address, and computer status for Cloud. -![web_interface_and_controls_112_624x332](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_112_624x332.webp) +![web_interface_and_controls_112_624x332](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_112_624x332.webp) The status selector on the upper left of the table allows you to filter the results. 
@@ -18,28 +18,28 @@ Currently you can sort by thefollowin g criteria: **Acquired** (active), **Waiti **Revoked**, and **Revoked by Endpoint Policy Manager Software**. The table can be exported and saved in MS Excel or Word format by clicking the **Save** button and selecting Excel or Word. -![web_interface_and_controls_114_624x196](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_114_624x196.webp) +![web_interface_and_controls_114_624x196](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_114_624x196.webp) ## Policy Reports (XML Delivery) Report Video: For an overview of this section, check out this video: -[Endpoint Policy Manager Cloud Reporting Demo](../../video/cloud/reports.md) +[Endpoint Policy Manager Cloud Reporting Demo](/docs/policypak/policypak/video/cloud/reports.md) Policy Reports (XML Delivery) Report is a very powerful feature. This report enables you to know which computers received which XML files. To see this report, select **Add Report**, then pick a computer group. -![web_interface_and_controls_115_624x355](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_115_624x355.webp) +![web_interface_and_controls_115_624x355](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_115_624x355.webp) Next, select the scope you would like to examine. The recommended selection is **Select all XML data files linked to this folder and all parent folders (recommended)**. -![web_interface_and_controls_116_468x353](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_116_468x353.webp) +![web_interface_and_controls_116_468x353](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_116_468x353.webp) You could also select the option **Select all XML data files linked ONLY to this folder**, which could select fewer XML data files. 
-![web_interface_and_controls_117_468x354](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_117_468x354.webp) +![web_interface_and_controls_117_468x354](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_117_468x354.webp) You can also select **Manually select XML data files from XML repository** and specify specific XML files to test for. @@ -54,6 +54,6 @@ The intersection between computer and XML file demonstrates the date and time th most recent XML file (in green), the date and time the computer got an old version of the XML file (in yellow), and if the XML file was not received at all (in red). -![web_interface_and_controls_118_499x373](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_118_499x373.webp) +![web_interface_and_controls_118_499x373](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_118_499x373.webp) This allows you to precisely knows which XML policy files were embraced by what machine and when. diff --git a/docs/policypak/policypak/cloud/interface/tools.md b/docs/policypak/policypak/cloud/interface/tools.md index 59f154dfa1..cb26ace499 100644 --- a/docs/policypak/policypak/cloud/interface/tools.md +++ b/docs/policypak/policypak/cloud/interface/tools.md 
@@ -1,12 +1,12 @@ # Tools Video: For an overview of this section, see -[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../../video/cloud/jointoken.md). +[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md). Video: For an advanced installation routine where you can use another tool like an MDM tool, such as Intune, or an RMM tool to bootstrap the installation of the Endpoint Policy Manager Cloud client and also immediately join the computer to specific groups, see -[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](../../video/cloud/mdm.md). +[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](/docs/policypak/policypak/video/cloud/mdm.md). The Tools tab has a special tool called **Join Tokens**. The **Join Tokens** function enables you to create a unique string to append at the end of the Cloud client installation file. When you do, the 
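Review bot: The second + line in this hunk keeps a period inside the link text ("...automatically join PPC Groups and get policy.") and another directly after the closing parenthesis, so the sentence renders with a double period. Drop the period from the link label while rewriting the target.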
@@ -18,21 +18,21 @@ Cloud client will do the following: group/911-policypak-cloud-automatically-join-groups-with-jointoken/ - Automatically upgrade to the latest Cloud client directed to that group -![web_interface_and_controls_108_625x221](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_108_625x221.webp) +![web_interface_and_controls_108_625x221](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_108_625x221.webp) **Step 1 –** To do this, go to the Tools tab, then click on the Join Tokens action. -![web_interface_and_controls_109_624x306](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_109_624x306.webp) +![web_interface_and_controls_109_624x306](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_109_624x306.webp) **Step 2 –** Click on **Add Join Token**. For a new join token add a description and expiry time. Then, click on **Select Groups** and pick a specific group or groups that you want the computer to automatically join from the Cloud client. -![web_interface_and_controls_110_312x333](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_110_312x333.webp) +![web_interface_and_controls_110_312x333](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_110_312x333.webp) **Step 3 –** Click **Save**. -![web_interface_and_controls_111_623x205](../../../../../static/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_111_623x205.webp) +![web_interface_and_controls_111_623x205](/img/product_docs/policypak/policypak/cloud/interface/web_interface_and_controls_111_623x205.webp) **Step 4 –** You can click on the button within the Show column to get a display of your actual join token value. 
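Review bot: The leading context of this hunk contains a bare URL fragment, "group/911-policypak-cloud-automatically-join-groups-with-jointoken/", sitting inside the bullet list with no scheme, host or link markup. A patch whose purpose is link cleanup should either restore it as a proper link to the JOINTOKEN topic or remove it, rather than leave it in place.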
diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicy.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicy.md index b91edb7974..12cabc77dc 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicy.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicy.md 
@@ -8,19 +8,19 @@ for the policy type, the editor will enable you to create the policy but you wil it to any groups. For the items which do not have in-cloud editors, you must use the steps described in the -**[Upload XML Data File](upload.md)** section. In this case, you must create the policy on-prem +**[Upload XML Data File](/docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md)** section. In this case, you must create the policy on-prem first, then export and upload it manually. -![web_interface_and_controls_18_625x627](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_18_625x627.webp) +![web_interface_and_controls_18_625x627](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_18_625x627.webp) The goal is to make the in-cloud editors as user-friendly as possible and closely resembling the on-prem editors. below you have the RDP Manager on-prem editor. -![web_interface_and_controls_19_624x352](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_19_624x352.webp) +![web_interface_and_controls_19_624x352](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_19_624x352.webp) Below is an example of the in-cloud editor of the same policy type. -![web_interface_and_controls_20_498x384](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_20_498x384.webp) +![web_interface_and_controls_20_498x384](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_20_498x384.webp) We cannot detail all the editors here, but we will explore one more important one, the Microsoft Admin Templates editor. To use this editor, select it from the top-level list, then select **+ 
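Review bot: The Upload XML Data File link on the + line goes from a same-directory reference (upload.md) to the full /docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md path, so renaming any directory in that path now breaks a link that the relative form would have survived. If absolute paths are the intended convention, add a broken-link check to the docs build so that directory moves are caught at build time.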
@@ -29,7 +29,7 @@ Endpoint Policy Manager, and Windows 10. Endpoint Policy Manager keeps these up Video: To see how to use in-cloud ADMX settings maintained by Endpoint Policy Manager, watch this video: -[Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for Windows, Office, Chrome and more](../../../video/cloud/admxsettings.md). +[Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for Windows, Office, Chrome and more](/docs/policypak/policypak/video/cloud/admxsettings.md). However, you may also upload your own ADMX templates for your own applications. To learn how to do that, see the "File Box" section later in this guide. 
@@ -37,20 +37,20 @@ that, see the "File Box" section later in this guide. Using the Admin Templates editor is a lot like using the familiar on-prem Group Policy editor. Once you find the setting you want, just select it. -![web_interface_and_controls_21_624x373](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_21_624x373.webp) +![web_interface_and_controls_21_624x373](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_21_624x373.webp) Next, specify the state and any other available options. -![web_interface_and_controls_22_625x441](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_22_625x441.webp) +![web_interface_and_controls_22_625x441](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_22_625x441.webp) Additionally, to learn how to use the in-cloud Microsoft Security Settings editors, we recommend this video: -[Endpoint Policy Manager Cloud and Security Settings (More examples)](../../../video/cloud/securitysettings.md). +[Endpoint Policy Manager Cloud and Security Settings (More examples)](/docs/policypak/policypak/video/cloud/securitysettings.md). One sub-editor type for Microsoft Security Settings is the Restricted Groups Editor. You can learn how to use this editor in this video: -[Endpoint Policy Manager Cloud: Restricted Groups Editor](../../../video/cloud/restricted_groups_editor.md). +[Endpoint Policy Manager Cloud: Restricted Groups Editor](/docs/policypak/policypak/video/cloud/restricted_groups_editor.md). To learn how to use the in-cloud Microsoft Group Policy Preferences editors, we recommend this video: -[Endpoint Policy Manager Cloud + GPPrefs (More examples)](../../../video/cloud/preferences.md). +[Endpoint Policy Manager Cloud + GPPrefs (More examples)](/docs/policypak/policypak/video/cloud/preferences.md). 
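Review bot: The target restricted_groups_editor.md on the + line uses underscores, while the other video targets in this hunk (securitysettings.md, preferences.md) are written without separators. Since these absolute paths are spelled out in full, verify that the file exists under exactly that name, and consider aligning the file naming in a follow-up.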
diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicytemplate.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicytemplate.md index 7093342b7d..656bb41707 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicytemplate.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/createpolicytemplate.md @@ -7,10 +7,10 @@ which you can read about at the following link: If you want to quickly implement these templates, you can use the **Create Policy from Template** action. -![web_interface_and_controls_33_624x193](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_33_624x193.webp) +![web_interface_and_controls_33_624x193](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_33_624x193.webp) Once selected, all the policies from that level are implemented, but are changeable. -![web_interface_and_controls_34_624x344](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_34_624x344.webp) +![web_interface_and_controls_34_624x344](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_34_624x344.webp) Once saved, the policy is like any other XML data file. diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/delete.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/delete.md index 5ae648ff94..36faaca383 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/delete.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/delete.md 
@@ -2,4 +2,4 @@ You can delete any XML data file by clicking on the **Delete** icon. -![web_interface_and_controls_13_624x476](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_13_624x476.webp) +![web_interface_and_controls_13_624x476](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_13_624x476.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/download.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/download.md index 35c7fc8d17..b557192ce3 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/download.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/download.md 
@@ -18,14 +18,14 @@ Application Settings Manager, to edit the policy you would need to do the follow Click on the download icon to take an existing XML data file and begin the download. -![web_interface_and_controls_10_624x122](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_10_624x122.webp) +![web_interface_and_controls_10_624x122](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_10_624x122.webp) Then, in the corresponding on-prem MMC editor, you would click on **Import settings from XMLData File** -![web_interface_and_controls_11_562x273](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_11_562x273.webp) +![web_interface_and_controls_11_562x273](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_11_562x273.webp) **NOTE:** Different MMC snap-ins and editors could have somewhat different options for importing from XML. -![web_interface_and_controls_12_562x337](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_12_562x337.webp) +![web_interface_and_controls_12_562x337](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_12_562x337.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/duplicate.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/duplicate.md index 9390bd930b..9a4a62778f 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/duplicate.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/duplicate.md 
@@ -4,4 +4,4 @@ You can duplicate any policy, which will safely copy the XML data file and enabl Note that the XML is not changeable on this screen and is shown only for reference. Newly created policies have a unique name. -![web_interface_and_controls_14_624x418](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_14_624x418.webp) +![web_interface_and_controls_14_624x418](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_14_624x418.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/importpolicies.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/importpolicies.md index ba3f5ba73f..8dd9d7bbae 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/importpolicies.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/importpolicies.md 
@@ -1,46 +1,46 @@ # Import Policies from GPO Backup Video: For a video overview on this section, see: -[How to import GPOs to Endpoint Policy Manager Cloud](../../../video/cloud/import.md). +[How to import GPOs to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/import.md). You might have the need to take existing on-prem Group Policy Objects (GPOs) and import their contents into Endpoint Policy Manager Cloud. With the **Import Policies from GPO Backup** action, this can be performed very quickly by following these steps: -![web_interface_and_controls_35_312x477](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_35_312x477.webp) +![web_interface_and_controls_35_312x477](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_35_312x477.webp) -![web_interface_and_controls_36_312x166](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_36_312x166.webp) +![web_interface_and_controls_36_312x166](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_36_312x166.webp) **Step 1 –** Create a GPO backup. A GPO backup can be either a specific, single GPO backed up, or multiple GPOs backed up at once Either way the maximum file size must be less than 3 MB. -![web_interface_and_controls_37_499x451](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_37_499x451.webp) +![web_interface_and_controls_37_499x451](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_37_499x451.webp) **Step 2 –** Back up the GPOs as a compressed (zipped) file to a folder of your choice. . 
-![web_interface_and_controls_38_624x294](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_38_624x294.webp) +![web_interface_and_controls_38_624x294](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_38_624x294.webp) **Step 3 –** To start the import process, select **Import Policies from GPO Backup**, then click **Select file** and open the ZIP file. Finally, click **Upload** to continue. -![web_interface_and_controls_39_624x453](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_39_624x453.webp) +![web_interface_and_controls_39_624x453](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_39_624x453.webp) **Step 4 –** When the upload process is completed, you get the number of GPOs and the number of policies you can create from them. -![web_interface_and_controls_40_499x257](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_40_499x257.webp) +![web_interface_and_controls_40_499x257](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_40_499x257.webp) **Step 5 –** You will see a list of each GPOs, which you can then expand to see a report about each policy within the GPO and to see what each policy's type is. -![web_interface_and_controls_41_499x273](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_41_499x273.webp) +![web_interface_and_controls_41_499x273](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_41_499x273.webp) **Step 6 –** You need to select the checkbox next to the GPOs you want to process (not shown) to continue. When you do, you are presented with a list of all the policies you could import, and their types. 
Then deselect the ones you wish to avoid importing. Every GPO is imported with a name prefix based on the date, but this can be changed. -![web_interface_and_controls_42_499x305](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_42_499x305.webp) +![web_interface_and_controls_42_499x305](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_42_499x305.webp) **Step 7 –** Next, click **Import** to continue. The number of items selected will be imported and confirmed. If you want to cycle through the process with the same uploaded ZIP and import more @@ -49,4 +49,4 @@ settings, you can click **Yes**. Otherwise, click **No**. When the process is completed you can see each selected policy to import with its own name and appearing in the XML Data Files section like any other policy you create. -![web_interface_and_controls_43_500x301](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_43_500x301.webp) +![web_interface_and_controls_43_500x301](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_43_500x301.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/itemleveltargetingcollections.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/itemleveltargetingcollections.md index b9627fefbb..ff73336637 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/itemleveltargetingcollections.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/itemleveltargetingcollections.md 
@@ -20,11 +20,11 @@ Privilege Manager policies so they can act together. For instance, you might cre East Sales Users and another for West Sales Users. Then, you can perform Item-Level Targeting on the collections you create. -![web_interface_and_controls_23_624x220](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_23_624x220.webp) +![web_interface_and_controls_23_624x220](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_23_624x220.webp) Item-Level Targeting can also be performed at the policy level. -![web_interface_and_controls_24_624x264](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_24_624x264.webp) +![web_interface_and_controls_24_624x264](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_24_624x264.webp) The **Edit Item Level Targeting** menu item brings up the **Targeting Editor**. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy @@ -37,7 +37,7 @@ same way parentheses are used in an equation. In this way, you can create a comp about where a policy will be applied. Collections may be set to **And**, **Or**, **Is**, or **Is Not**. -![web_interface_and_controls_25_624x294](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_25_624x294.webp) +![web_interface_and_controls_25_624x294](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_25_624x294.webp) In this example, the Pak would only apply to Windows 10 machines when the machine is portable and the user is in the FABRIKAM\Traveling Sales Users group. 
@@ -63,7 +63,7 @@ orange, which shows that it now has Item-Level Targeting. In other words, none o policy or collection will apply unless the Item-Level Targeting on the policy or collection evaluates to **True**. -![web_interface_and_controls_26_624x163](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_26_624x163.webp) +![web_interface_and_controls_26_624x163](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_26_624x163.webp) ## Item-Level Targeting with In-Cloud Editors 
@@ -72,26 +72,26 @@ used with the on-prem editors, we will explain the equivalent usage within in-cl XML data files (in-cloud policies) can be joined in a collection, to which you could then apply Item-Level Targeting. -![web_interface_and_controls_27_499x288](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_27_499x288.webp) +![web_interface_and_controls_27_499x288](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_27_499x288.webp) You can also put Item-Level Targeting on a policy itself. Just click the policy and select **Item Level Targeting**. -![web_interface_and_controls_28_624x188](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_28_624x188.webp) +![web_interface_and_controls_28_624x188](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_28_624x188.webp) In both cases, the in-cloud Targeting Editor appears. -![web_interface_and_controls_29_624x389](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_29_624x389.webp) +![web_interface_and_controls_29_624x389](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_29_624x389.webp) You can use the in-cloud Targeting Editor to specify conditions when the collection or the policy will perform. -![web_interface_and_controls_30_624x168](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_30_624x168.webp) +![web_interface_and_controls_30_624x168](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_30_624x168.webp) Once Item-Level Targeting is applied to the policy or the collection, you can see the value in the ILT column change from **No** to **Yes**. 
-![web_interface_and_controls_31_623x127](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_31_623x127.webp) +![web_interface_and_controls_31_623x127](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_31_623x127.webp) One final note about Item-Level Targeting within the Endpoint Policy Manager in-cloud editor: although it appears to be possible to edit Item-Level Targeting in two places, that is really not @@ -100,4 +100,4 @@ collection or policy. The other relates to the entire entity, and is considered root node Item-Level Targeting must evaluate to "True" first, and only then will items inside the root node be evaluated for additional policy and collection Item-Level Targeting. -![web_interface_and_controls_32_624x277](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_32_624x277.webp) +![web_interface_and_controls_32_624x277](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_32_624x277.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/modify.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/modify.md index f08df34401..4f9414042b 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/modify.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/modify.md 
@@ -3,11 +3,11 @@ If you attempt to edit an XML data file that Endpoint Policy Manager Cloud has an in-cloud editor for, you will be able to immediately edit the item. -![web_interface_and_controls_6_624x329](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_6_624x329.webp) +![web_interface_and_controls_6_624x329](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_6_624x329.webp) However, since Endpoint Policy Manager Cloud doesn't have in-cloud editors for all items, some items will not be available for editing, but will be available for updating. In these cases, you would take an existing Endpoint Policy Manager XML export from the MMC console and enter it into the box. . -![web_interface_and_controls_7_624x431](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_7_624x431.webp) +![web_interface_and_controls_7_624x431](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_7_624x431.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/overview.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/overview.md index 0cd74a28ee..550426d7d1 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/overview.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/overview.md 
@@ -19,6 +19,6 @@ Additionally, you can perform the following actions, which create new policies: - Create Policy From Template - Import Policies From GPO Backup -![web_interface_and_controls_5_624x199](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_5_624x199.webp) +![web_interface_and_controls_5_624x199](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_5_624x199.webp) These functions and actions are described in more detail in the sections that follow. diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/showreport.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/showreport.md index 07f4d78ffa..9f8dc20b71 100644 --- a/docs/policypak/policypak/cloud/interface/xmldatafiles/showreport.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/showreport.md @@ -4,6 +4,6 @@ Clicking on the **Show Report** icon generates a human readable report about the XML data file. Note that Endpoint Policy Manager XML data files can contain only one setting, multiple settings, and collections of settings. -![web_interface_and_controls_8_624x164](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_8_624x164.webp) +![web_interface_and_controls_8_624x164](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_8_624x164.webp) -![web_interface_and_controls_9_624x317](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_9_624x317.webp) +![web_interface_and_controls_9_624x317](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_9_624x317.webp) diff --git a/docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md b/docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md index a17f195443..11c506dd80 100644 
--- a/docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md +++ b/docs/policypak/policypak/cloud/interface/xmldatafiles/upload.md @@ -1,7 +1,7 @@ # Upload XML Data File Video: For an overview of this section, see the following video: -[Endpoint Policy Manager Cloud: General Tips about On-Prem to PP Cloud Export](../../../video/cloud/integration/onpremiseexport.md). +[Endpoint Policy Manager Cloud: General Tips about On-Prem to PP Cloud Export](/docs/policypak/policypak/video/cloud/integration/onpremiseexport.md). You can use the **Upload XML Data File** action to create XML data files when you have used an on-prem MMC editor, have exported the policy, and are ready to use the policy in Endpoint Policy 
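Review bot: The link label on the changed line still reads "General Tips about On-Prem to PP Cloud Export" while the surrounding text says "Endpoint Policy Manager Cloud"; since the line is being rewritten anyway, align the label with the product name unless it deliberately mirrors the video's title. The new target also hard-codes the full `/docs/policypak/policypak/video/...` file path with a `.md` suffix, so confirm the link checker validates links of this form, otherwise a later directory move leaves it dangling without a build error.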
@@ -9,26 +9,26 @@ Manager Cloud. Most on-prem editors have an **Export as XML** option, which will you can save. Otherwise, you can select **View as XML in Notepad**. Once you have the XML file in either format, you're ready for the next step. -![web_interface_and_controls_15_624x263](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_15_624x263.webp) +![web_interface_and_controls_15_624x263](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_15_624x263.webp) Using the "Upload XML Data File" action in Endpoint Policy Manager cloud, you can then click on "Choose XML Policy File to add..." and select an XML file. Or you can paste in valid formatted text from Endpoint Policy Manager or Microsoft Group Policy Preferences. -![web_interface_and_controls_16_624x277](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_16_624x277.webp) +![web_interface_and_controls_16_624x277](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_16_624x277.webp) Then you can edit the description and click **Add** to save your policy as an XML data file within Endpoint Policy Manager Cloud. -![web_interface_and_controls_17_312x396](../../../../../../static/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_17_312x396.webp) +![web_interface_and_controls_17_312x396](/img/product_docs/policypak/policypak/cloud/interface/xmldatafiles/web_interface_and_controls_17_312x396.webp) Video: We recommend you watch the following video to understand how to export all the various Microsoft Group Policy settings for import into Endpoint Policy Manager Cloud: -[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../../../video/cloud/deploy/grouppolicysettings.md). 
+[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md). Video: We recommend you watch the following video to understand how to export Endpoint Policy Manager settings to Endpoint Policy Manager Cloud: -[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](../../../video/cloud/deploy/policypaksettings.md). +[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](/docs/policypak/policypak/video/cloud/deploy/policypaksettings.md). _Remember,_ after XML data files are uploaded, they do not automatically enforce any settings on users' PCs. In order for settings to be enforced, those XML files should be linked to appropriate diff --git a/docs/policypak/policypak/cloud/licensing/computeraccountdeletion.md b/docs/policypak/policypak/cloud/licensing/computeraccountdeletion.md index 89f489ea70..1576accd5f 100644 --- a/docs/policypak/policypak/cloud/licensing/computeraccountdeletion.md +++ b/docs/policypak/policypak/cloud/licensing/computeraccountdeletion.md @@ -4,7 +4,7 @@ When a computer account is deleted, its acquired license is immediately returned available license pool. To delete a computer, click on a group and go to the computer in the Computers section. Then, select **Delete computer**. -![licensing_with_policypak_cloud_4_499x277](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_4_499x277.webp) +![licensing_with_policypak_cloud_4_499x277](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_4_499x277.webp) The computer account then goes to the **Deleted** group. From there, you have two options: 
@@ -14,4 +14,4 @@ The computer account then goes to the **Deleted** group. From there, you have tw and Endpoint Policy Manager client-side extension (CSE) from the Windows machine (during the next connection). -![licensing_with_policypak_cloud_5_499x266](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_5_499x266.webp) +![licensing_with_policypak_cloud_5_499x266](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_5_499x266.webp) diff --git a/docs/policypak/policypak/cloud/licensing/licensemanagement.md b/docs/policypak/policypak/cloud/licensing/licensemanagement.md index ebe0079ccd..3d2961f601 100644 --- a/docs/policypak/policypak/cloud/licensing/licensemanagement.md +++ b/docs/policypak/policypak/cloud/licensing/licensemanagement.md @@ -4,11 +4,11 @@ If you want to prohibit a computer from participating in Endpoint Policy Manager specific component, you may revoke its license. To do this, select one or more computers and click on **License Management**. Next, pick the product and select **Revoke License**. -![licensing_with_policypak_cloud_2_624x244](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_2_624x244.webp) +![licensing_with_policypak_cloud_2_624x244](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_2_624x244.webp) You can see that only that component's license is revoked. -![licensing_with_policypak_cloud_3_624x226](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_3_624x226.webp) +![licensing_with_policypak_cloud_3_624x226](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_3_624x226.webp) The next time this computer connects, it will stop participating with the specified Endpoint Policy Manager Cloud component. The license, however, is immediately recovered and available to the license 
diff --git a/docs/policypak/policypak/cloud/licensing/otherpolicydeliverymechanisms.md b/docs/policypak/policypak/cloud/licensing/otherpolicydeliverymechanisms.md index 7c29999af1..993fcce3a9 100644 --- a/docs/policypak/policypak/cloud/licensing/otherpolicydeliverymechanisms.md +++ b/docs/policypak/policypak/cloud/licensing/otherpolicydeliverymechanisms.md @@ -8,7 +8,7 @@ your purchase. also receive Endpoint Policy Manager directives via GPOs as well, without needing an explicit Endpoint Policy Manager on-premise license. A description of this scenario can be found at the following link: - [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../../video/cloud/integration/onpremise.md). + [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md). - For Endpoint Policy Manager Enterprise and Endpoint Policy Manager Professional Editions, when a computer acquires a Endpoint Policy Manager Cloud license, the computer will not process on-prem or MDM directives as well, unless a corresponding license for that method is acquired as part of @@ -20,4 +20,4 @@ If the computer is licensed for Endpoint Policy Manager Cloud and Endpoint Polic Directory, for example, then all directives are merged together. In the case of a conflict, Group Policy always wins. -![licensing_with_policypak_cloud_1_624x574](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_1_624x574.webp) +![licensing_with_policypak_cloud_1_624x574](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_1_624x574.webp) diff --git a/docs/policypak/policypak/cloud/licensing/overview.md b/docs/policypak/policypak/cloud/licensing/overview.md index 5dd1410486..46885a6ee3 100644 --- a/docs/policypak/policypak/cloud/licensing/overview.md 
+++ b/docs/policypak/policypak/cloud/licensing/overview.md @@ -25,7 +25,7 @@ more licenses. For this reason, we strongly advise you to work with our team to SaaS Edition, Professional Edition, or Enterprise Edition licenses, where you will enjoy post-pay billing instead of having to work with a ceiling for the number of licenses you can use. -![licensing_with_policypak_cloud_623x164](../../../../../static/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_623x164.webp) +![licensing_with_policypak_cloud_623x164](/img/product_docs/policypak/policypak/cloud/licensing/licensing_with_policypak_cloud_623x164.webp) ### SaaS Edition (Monthly Post-Pay Licenses) diff --git a/docs/policypak/policypak/cloud/licensing/reconnectionperiod.md b/docs/policypak/policypak/cloud/licensing/reconnectionperiod.md index 71e2e9a28e..11e4c2c577 100644 --- a/docs/policypak/policypak/cloud/licensing/reconnectionperiod.md +++ b/docs/policypak/policypak/cloud/licensing/reconnectionperiod.md @@ -5,7 +5,7 @@ period within which all customers must re-connect with Endpoint Policy Manager C which enables them to keep using the service and get new policies. A computer that is offline for more than 14 days will transition to a state of being unlicensed. To see what happens when a computer becomes unlicensed (per component), see this KB article: -[What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](../../license/unlicense/components.md). +[What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](/docs/policypak/policypak/license/unlicense/components.md). However, as soon as the computer re-connects to Endpoint Policy Manager Cloud and claims an available license, the computer picks up right where it left off. Having a computer return a license 
diff --git a/docs/policypak/policypak/cloud/licensing/serversessionvirtualization.md b/docs/policypak/policypak/cloud/licensing/serversessionvirtualization.md index 64041a47ec..3867926346 100644 --- a/docs/policypak/policypak/cloud/licensing/serversessionvirtualization.md +++ b/docs/policypak/policypak/cloud/licensing/serversessionvirtualization.md @@ -11,7 +11,7 @@ your purchase. server, instead of handling actual usage to the maximum extent of the server. If you need to do this, you must also have a corresponding Endpoint Policy Manager Group Policy Edition license where the number of sessions is expressly counted. You can read more about this in this KB: - [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](../../license/virtualization/multisession.md). + [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](/docs/policypak/policypak/license/virtualization/multisession.md). - For Endpoint Policy Manager Enterprise and Endpoint Policy Manager Professional customers, when a computer acquires a Endpoint Policy Manager Cloud license, the computer will not process on-prem or MDM directives as well, unless a corresponding license for that method is acquired as part of diff --git a/docs/policypak/policypak/cloud/licensing/vdi.md b/docs/policypak/policypak/cloud/licensing/vdi.md index 1c2bddc31e..6f4328edc9 100644 --- a/docs/policypak/policypak/cloud/licensing/vdi.md +++ b/docs/policypak/policypak/cloud/licensing/vdi.md 
@@ -24,6 +24,6 @@ Use the following KB articles for tips to install Endpoint Policy Manager Cloud scenarios: - Endpoint Policy Manager Cloud and Windows Virtual Desktop: - [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](../../integration/azurevirutaldesktop.md). + [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](/docs/policypak/policypak/integration/azurevirutaldesktop.md). - Endpoint Policy Manager Cloud and VMware Horizon: - [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](../../integration/vdisolutions.md). + [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](/docs/policypak/policypak/integration/vdisolutions.md). diff --git a/docs/policypak/policypak/cloud/logons.md b/docs/policypak/policypak/cloud/logons.md index aa68419003..71767397b9 100644 --- a/docs/policypak/policypak/cloud/logons.md +++ b/docs/policypak/policypak/cloud/logons.md @@ -5,7 +5,7 @@ the Endpoint Policy Manager home page and click **Customer Login**. Then, select Endpoint Policy Manager Cloud path on the right side of the screen. You may also go to and bookmark cloud.policypak.com if you want a specific link. -![concepts_logons_and_downloads_2](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_2.webp) +![concepts_logons_and_downloads_2](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_2.webp) Tip: At the actual Endpoint Policy Manager Cloud login page, you may request a forgotten password. If you're still having trouble, contact your Endpoint Policy Manager sales person. 
@@ -13,7 +13,7 @@ If you're still having trouble, contact your Endpoint Policy Manager sales perso You will be placed into **Restricted Mode** in Endpoint Policy Manager Cloud. You must accept the EULA and also set up two-factor authentication (2FA). -![concepts_logons_and_downloads_3](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_3.webp) +![concepts_logons_and_downloads_3](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_3.webp) You will be prompted and required to perform two-factor authentication. You can use email-based or application-based authentication (or both). While Google and Microsoft authenticator apps are both 
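Review bot: The alt text on the changed image line is just the file name (`concepts_logons_and_downloads_3`), so a reader who cannot see the screenshot learns nothing about the Restricted Mode screen where the EULA is accepted and 2FA is set up. Replace it with a short description of what the screenshot shows while the line is being touched; the same applies to the other screenshots in this file.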
@@ -25,28 +25,28 @@ free. The steps to perform 2FA are shown below. You can select email-based or application-based authentication. -![concepts_logons_and_downloads_4](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_4.webp) +![concepts_logons_and_downloads_4](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_4.webp) If you select email-based authentication, you will need to verify the 2FA code sent via email. -![concepts_logons_and_downloads_5](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_5.webp) +![concepts_logons_and_downloads_5](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_5.webp) If you select application-based 2FA, then you must use an application like Authy to scan the QR code and enter in the six-digit password. -![concepts_logons_and_downloads_6](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_6.webp) +![concepts_logons_and_downloads_6](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_6.webp) If you do not complete 2FA, you will not be able to log on to Endpoint Policy Manager Cloud. -![concepts_logons_and_downloads_7](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_7.webp) +![concepts_logons_and_downloads_7](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_7.webp) Once 2FA is completed, you can click **Close**. -![concepts_logons_and_downloads_8](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_8.webp) +![concepts_logons_and_downloads_8](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_8.webp) Finally, once you're logged in to Endpoint Policy Manager Cloud, you'll see the interface. 
-![concepts_logons_and_downloads_9](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_9.webp) +![concepts_logons_and_downloads_9](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_9.webp) This manual will explore all areas of the Endpoint Policy Manager Cloud interface, but you can see some details called out above. If you are trying out Endpoint Policy Manager Cloud or you purchased diff --git a/docs/policypak/policypak/cloud/overview.md b/docs/policypak/policypak/cloud/overview.md index 811d2a82fa..070adf2d96 100644 --- a/docs/policypak/policypak/cloud/overview.md +++ b/docs/policypak/policypak/cloud/overview.md @@ -11,13 +11,13 @@ action. Here's the fastest way to get started: **Step 1 –** Check out our **Two minute introduction** video then our Quickstart video here: Getting -Started with Cloud > [Video Learning Center](overview/videolearningcenter.md). Work through the +Started with Cloud > [Video Learning Center](/docs/policypak/policypak/cloud/overview/videolearningcenter.md). Work through the videos one-by-one to try out all the main features. **Step 2 –** Additionally, we strongly recommend you have a mini on-prem test lab for editing and testing purposes. You should work through each of the videos on the Test Lab Best Practices page and make sure you have your free-to-use test lab working: Getting Started with Cloud > -[Video Learning Center](overview/videolearningcenter.md). +[Video Learning Center](/docs/policypak/policypak/cloud/overview/videolearningcenter.md). **Step 3 –** Use the rest of the manual to understand the finer points of Endpoint Policy Manager Cloud including some key security settings. diff --git a/docs/policypak/policypak/cloud/overview/knowledgebase.md b/docs/policypak/policypak/cloud/overview/knowledgebase.md index 8ad2752cfe..68a8165778 100644 --- a/docs/policypak/policypak/cloud/overview/knowledgebase.md +++ b/docs/policypak/policypak/cloud/overview/knowledgebase.md 
@@ -4,81 +4,81 @@ See the following Knowledge Base articles for getting started with Cloud. ## Getting Started -- [How do I transition from Endpoint Policy Managerusing Group Policy or SCCM method to Endpoint Policy Manager Cloud](../transition.md) -- [What are the OS requirements for Endpoint Policy Manager Cloud?](../../requirements/cloud.md) -- [When must I use the Endpoint Policy ManagerCloud Client installer versus the on-prem Endpoint Policy Manager CSE?](../../install/cloud/client.md) -- [Can I use an Endpoint Policy Manager Cloud installer and license for domain-joined and non-domain joined machines?](../../install/cloud/clientdomainnondomain.md) -- [Is there an "Active Directory Connector" to map on-prem OUs and Groups to Endpoint Policy Manager Cloud?](../../install/cloud/activedirectory.md) -- [What editors are there in Endpoint Policy Manager Cloud (and when would I need a "Fake DC" to do editing?)](../fakedc.md) -- [What are the ways I can install the Endpoint Policy Manager Cloud Client on Remote Machines?](../../install/cloud/clientremote.md) -- [How can I best install Endpoint Policy Manager Cloud for remote clients over a slow link/internet connection?](../../install/cloud/slowinternet.md) -- [How do I start credit card billing with Endpoint Policy Manager SaaS Edition?](../creditcard.md) +- [How do I transition from Endpoint Policy Managerusing Group Policy or SCCM method to Endpoint Policy Manager Cloud](/docs/policypak/policypak/cloud/transition.md) +- [What are the OS requirements for Endpoint Policy Manager Cloud?](/docs/policypak/policypak/requirements/cloud.md) +- [When must I use the Endpoint Policy ManagerCloud Client installer versus the on-prem Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/cloud/client.md) +- [Can I use an Endpoint Policy Manager Cloud installer and license for domain-joined and non-domain joined machines?](/docs/policypak/policypak/install/cloud/clientdomainnondomain.md) +- [Is there an "Active 
Directory Connector" to map on-prem OUs and Groups to Endpoint Policy Manager Cloud?](/docs/policypak/policypak/install/cloud/activedirectory.md) +- [What editors are there in Endpoint Policy Manager Cloud (and when would I need a "Fake DC" to do editing?)](/docs/policypak/policypak/cloud/fakedc.md) +- [What are the ways I can install the Endpoint Policy Manager Cloud Client on Remote Machines?](/docs/policypak/policypak/install/cloud/clientremote.md) +- [How can I best install Endpoint Policy Manager Cloud for remote clients over a slow link/internet connection?](/docs/policypak/policypak/install/cloud/slowinternet.md) +- [How do I start credit card billing with Endpoint Policy Manager SaaS Edition?](/docs/policypak/policypak/cloud/creditcard.md) ## Cloud Portal Security -- [What data is stored in Endpoint Policy Manager Cloud, and how is that data safely communicated and stored ?](../security/datasafety.md) -- [Endpoint Policy Manager Cloud Portal - Adding new company admins - Quickstart](../add/administrator.md) +- [What data is stored in Endpoint Policy Manager Cloud, and how is that data safely communicated and stored ?](/docs/policypak/policypak/cloud/security/datasafety.md) +- [Endpoint Policy Manager Cloud Portal - Adding new company admins - Quickstart](/docs/policypak/policypak/cloud/add/administrator.md) ## Cloud Licensing -- [How is Endpoint Policy Manager Cloud usage counted and calculated toward my True-Up?](../../license/cloud/usage.md) +- [How is Endpoint Policy Manager Cloud usage counted and calculated toward my True-Up?](/docs/policypak/policypak/license/cloud/usage.md) ## Client Troubleshooting -- [How can I see the result of Endpoint Policy Manager Cloud inside the Group Policy Editors?](../../troubleshooting/cloud/grouppolicyeditors.md) -- [Troubleshoot communication from the Cloud Client and Cloud Service](../../troubleshooting/cloud/servicecommunication.md) -- [How can I see if an Endpoint Policy Manager Cloud joined computer is syncing in 
the background, even if PPCLOUD /Sync appears to fail?](../../troubleshooting/cloud/syncfail.md) -- [How do I transition from Endpoint Policy ManagerCloud to Endpoint Policy Manager Group Policy Edition?](../../troubleshooting/cloud/transition.md) -- [How must my Proxy Server be configured to allow Endpoint Policy Manager Cloud communication?](../../troubleshooting/cloud/proxyserver.md) -- [How to resolve error message "Could not sync with cloud…" caused by disabling TLS 1.0](../../troubleshooting/error/cloud/sync.md) -- [I always use a proxy and the cloud client cannot seem to make contact with the services (see FAQ Item #3 above first.) What else can I try?](../../troubleshooting/cloud/proxyservices.md) -- [I get the message "At least one security token in the message could not be validated" during PPCloud client installation. How do I work around this?](../../troubleshooting/error/cloud/securitytoken.md) -- [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](../../troubleshooting/error/gpsvcfailed.md) -- [I'm using Cisco Anyconnect and all the computers I register via Endpoint Policy Manager Cloud are being overwritten. Why is this and what can I do?](../../troubleshooting/cloud/integration/ciscoanyconnect.md) -- [My cloud client lost it's join to Endpoint Policy Manager Cloud , and a re-install of the cloud MSI I previously downloaded isn't working / re-syncing. What should I do?](../../troubleshooting/cloud/autoupdates.md) -- [Endpoint Policy Manager Cloud Client: Why are computers appearing in WAITING LIST and how can I fix it?](../../troubleshooting/cloud/waitinglist.md) -- [Endpoint Policy Manager Cloud shows "The license certificate has expired". 
Why is this?](../../troubleshooting/cloud/expired.md) -- [Two-factor Authentication: You're not receiving code for email-based two-factor authentication](../../troubleshooting/cloud/twofactorauthenticationcode.md) -- [What happens if there is an outage on Endpoint Policy Manager Cloud ?](../../troubleshooting/cloud/outage.md) -- [What is the Endpoint Policy Manager Cloud client installation error "The remote certificate is invalid according to the validation procedure."](../../troubleshooting/error/cloud/invalidcertificate.md) -- [When rolling out Endpoint Policy Manager Cloud, the Client Side Extension does not get installed with the Cloud Client on initial rollout](../../troubleshooting/cloud/install/clientsideextension.md) -- [Why do I see duplicate computer entries in Endpoint Policy Manager Cloud (Or, what is Loose, Strict and Advanced Registration)?](../../troubleshooting/cloud/registrationmode.md) -- [The Incorrect (non-matching) version of PPPUPDATE is installed on a PPC endpoint](../../troubleshooting/cloud/versions.md) -- [How to enable verbose MSIEXEC logging for the installation of Endpoint Policy Manager Cloud Client MSI/Client Side Extension MSI?](../../troubleshooting/cloud/log/verbose.md) -- [Understanding and working within Endpoint Policy Manager Clouds Computer registration limit.](../../troubleshooting/cloud/registrationlimit.md) -- [My Endpoint Policy Manager Cloud Client or Client Side Extension isn't completing the installation; How do I fix it?](../../troubleshooting/cloud/install/incomplete.md) +- [How can I see the result of Endpoint Policy Manager Cloud inside the Group Policy Editors?](/docs/policypak/policypak/troubleshooting/cloud/grouppolicyeditors.md) +- [Troubleshoot communication from the Cloud Client and Cloud Service](/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md) +- [How can I see if an Endpoint Policy Manager Cloud joined computer is syncing in the background, even if PPCLOUD /Sync appears to 
fail?](/docs/policypak/policypak/troubleshooting/cloud/syncfail.md) +- [How do I transition from Endpoint Policy ManagerCloud to Endpoint Policy Manager Group Policy Edition?](/docs/policypak/policypak/troubleshooting/cloud/transition.md) +- [How must my Proxy Server be configured to allow Endpoint Policy Manager Cloud communication?](/docs/policypak/policypak/troubleshooting/cloud/proxyserver.md) +- [How to resolve error message "Could not sync with cloud…" caused by disabling TLS 1.0](/docs/policypak/policypak/troubleshooting/error/cloud/sync.md) +- [I always use a proxy and the cloud client cannot seem to make contact with the services (see FAQ Item #3 above first.) What else can I try?](/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md) +- [I get the message "At least one security token in the message could not be validated" during PPCloud client installation. How do I work around this?](/docs/policypak/policypak/troubleshooting/error/cloud/securitytoken.md) +- [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md) +- [I'm using Cisco Anyconnect and all the computers I register via Endpoint Policy Manager Cloud are being overwritten. Why is this and what can I do?](/docs/policypak/policypak/troubleshooting/cloud/integration/ciscoanyconnect.md) +- [My cloud client lost it's join to Endpoint Policy Manager Cloud , and a re-install of the cloud MSI I previously downloaded isn't working / re-syncing. What should I do?](/docs/policypak/policypak/troubleshooting/cloud/autoupdates.md) +- [Endpoint Policy Manager Cloud Client: Why are computers appearing in WAITING LIST and how can I fix it?](/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md) +- [Endpoint Policy Manager Cloud shows "The license certificate has expired". 
Why is this?](/docs/policypak/policypak/troubleshooting/cloud/expired.md) +- [Two-factor Authentication: You're not receiving code for email-based two-factor authentication](/docs/policypak/policypak/troubleshooting/cloud/twofactorauthenticationcode.md) +- [What happens if there is an outage on Endpoint Policy Manager Cloud ?](/docs/policypak/policypak/troubleshooting/cloud/outage.md) +- [What is the Endpoint Policy Manager Cloud client installation error "The remote certificate is invalid according to the validation procedure."](/docs/policypak/policypak/troubleshooting/error/cloud/invalidcertificate.md) +- [When rolling out Endpoint Policy Manager Cloud, the Client Side Extension does not get installed with the Cloud Client on initial rollout](/docs/policypak/policypak/troubleshooting/cloud/install/clientsideextension.md) +- [Why do I see duplicate computer entries in Endpoint Policy Manager Cloud (Or, what is Loose, Strict and Advanced Registration)?](/docs/policypak/policypak/troubleshooting/cloud/registrationmode.md) +- [The Incorrect (non-matching) version of PPPUPDATE is installed on a PPC endpoint](/docs/policypak/policypak/troubleshooting/cloud/versions.md) +- [How to enable verbose MSIEXEC logging for the installation of Endpoint Policy Manager Cloud Client MSI/Client Side Extension MSI?](/docs/policypak/policypak/troubleshooting/cloud/log/verbose.md) +- [Understanding and working within Endpoint Policy Manager Clouds Computer registration limit.](/docs/policypak/policypak/troubleshooting/cloud/registrationlimit.md) +- [My Endpoint Policy Manager Cloud Client or Client Side Extension isn't completing the installation; How do I fix it?](/docs/policypak/policypak/troubleshooting/cloud/install/incomplete.md) ## Cloud Portal Troubleshooting -- [How do I fully reset my Azure AD connection between Azure and Endpoint Policy Manager Cloud to start over?](../../troubleshooting/cloud/entraid.md) +- [How do I fully reset my Azure AD connection between Azure and 
Endpoint Policy Manager Cloud to start over?](/docs/policypak/policypak/troubleshooting/cloud/entraid.md) ## Mac Integration -- [What are the step by step instructions to install the MacOS Client for Endpoint Policy Manager Cloud manually?](../install/mac/client.md) -- [How to get signature info from pkg installer?](../install/mac/signature.md) -- [Where are log files for the Endpoint Policy Manager MacOS?](../../troubleshooting/cloud/log/mac.md) -- [How to get SHA of the package](../install/mac/sha.md) -- [How to get SigningID of the package?](../install/mac/signingid.md) +- [What are the step by step instructions to install the MacOS Client for Endpoint Policy Manager Cloud manually?](/docs/policypak/policypak/cloud/install/mac/client.md) +- [How to get signature info from pkg installer?](/docs/policypak/policypak/cloud/install/mac/signature.md) +- [Where are log files for the Endpoint Policy Manager MacOS?](/docs/policypak/policypak/troubleshooting/cloud/log/mac.md) +- [How to get SHA of the package](/docs/policypak/policypak/cloud/install/mac/sha.md) +- [How to get SigningID of the package?](/docs/policypak/policypak/cloud/install/mac/signingid.md) ## Client Tips, Tricks, and FAQs -- [What are the most common questions about editing policies using the Endpoint Policy ManagerCloud policy editor (instead of using the MMC to upload to Endpoint Policy Manager Cloud?)](../policy/edit.md) -- [How to remove (unlink) all Example policies at once from the All-Built-in Group](../unlink.md) -- [How to use Remote Work Delivery Manager to apply Firewall policies](../remoteworkdeliverymanager.md) -- [If I want to totally stop using Endpoint Policy ManagerCloud on an endpoint, how would I remove the Endpoint Policy Manager Cloud client pieces remotely?](../../install/cloud/removeendpoint.md) -- [How often does the Endpoint Policy Manager cloud client pull down new or updated directives?](../updatefrequency.md) -- [When does Endpoint Policy Managersync to Endpoint Policy 
Manager Cloud?](../syncfrequency.md) -- [How do I configure Security Settings | Public Key Policies using Endpoint Policy Manager Cloud?](../security/publickeypoliciessettings.md) -- [Printers won't come back once removed by user](../../troubleshooting/cloud/printers.md) -- [Using Targeting Editor in Endpoint Policy Manager Cloud Settings](../targetingeditor.md) -- [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](../../integration/azurevirutaldesktop.md) -- [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](../../integration/vdisolutions.md) -- [How do I deploy the Endpoint Policy Manager Cloud Client via command line silently?](../../install/cloud/clientsilent.md) -- [Are Endpoint Policy Manager Cloud policies processed on User or Computer side (and why do I only sometimes see User or Computer side ILT?)](../policy/type.md) -- [How can I move a computer from one Endpoint Policy Manager Cloud group to another via command line?](../groups.md) -- [How to find which PPCloud Client version & CSE version a registered computer is running from within the Endpoint Policy Manager Cloud portal](../version.md) +- [What are the most common questions about editing policies using the Endpoint Policy ManagerCloud policy editor (instead of using the MMC to upload to Endpoint Policy Manager Cloud?)](/docs/policypak/policypak/cloud/policy/edit.md) +- [How to remove (unlink) all Example policies at once from the All-Built-in Group](/docs/policypak/policypak/cloud/unlink.md) +- [How to use Remote Work Delivery Manager to apply Firewall policies](/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md) +- [If I want to totally stop using Endpoint Policy ManagerCloud on an endpoint, how would I remove the Endpoint Policy Manager Cloud client pieces remotely?](/docs/policypak/policypak/install/cloud/removeendpoint.md) +- [How often does the Endpoint Policy Manager cloud client pull down 
new or updated directives?](/docs/policypak/policypak/cloud/updatefrequency.md) +- [When does Endpoint Policy Managersync to Endpoint Policy Manager Cloud?](/docs/policypak/policypak/cloud/syncfrequency.md) +- [How do I configure Security Settings | Public Key Policies using Endpoint Policy Manager Cloud?](/docs/policypak/policypak/cloud/security/publickeypoliciessettings.md) +- [Printers won't come back once removed by user](/docs/policypak/policypak/troubleshooting/cloud/printers.md) +- [Using Targeting Editor in Endpoint Policy Manager Cloud Settings](/docs/policypak/policypak/cloud/targetingeditor.md) +- [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](/docs/policypak/policypak/integration/azurevirutaldesktop.md) +- [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](/docs/policypak/policypak/integration/vdisolutions.md) +- [How do I deploy the Endpoint Policy Manager Cloud Client via command line silently?](/docs/policypak/policypak/install/cloud/clientsilent.md) +- [Are Endpoint Policy Manager Cloud policies processed on User or Computer side (and why do I only sometimes see User or Computer side ILT?)](/docs/policypak/policypak/cloud/policy/type.md) +- [How can I move a computer from one Endpoint Policy Manager Cloud group to another via command line?](/docs/policypak/policypak/cloud/groups.md) +- [How to find which PPCloud Client version & CSE version a registered computer is running from within the Endpoint Policy Manager Cloud portal](/docs/policypak/policypak/cloud/version.md) ## Event Collection -- [How can I keep the same or specify different parameters for Event Collection for child groups? 
How does a computer behave if a member of multiple groups?](../eventcollection/childgroups.md) -- [ Endpoint Policy Manager Cloud Event Forwarding to Splunk](../eventcollection/splunk.md) +- [How can I keep the same or specify different parameters for Event Collection for child groups? How does a computer behave if a member of multiple groups?](/docs/policypak/policypak/cloud/eventcollection/childgroups.md) +- [ Endpoint Policy Manager Cloud Event Forwarding to Splunk](/docs/policypak/policypak/cloud/eventcollection/splunk.md) diff --git a/docs/policypak/policypak/cloud/overview/videolearningcenter.md b/docs/policypak/policypak/cloud/overview/videolearningcenter.md index ba9fbd4188..b338f04813 100644 --- a/docs/policypak/policypak/cloud/overview/videolearningcenter.md +++ b/docs/policypak/policypak/cloud/overview/videolearningcenter.md 
@@ -4,46 +4,46 @@ See the following Video topics for all things installation and upkeep. ## Getting Started -- [Endpoint Policy Manager Cloud: Two minute introduction](../../video/cloud/introduction.md) -- [Endpoint Policy Manager Cloud: QuickStart](../../video/cloud/quickstart.md) -- [Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../../video/cloud/deploy/grouppolicysettings.md) -- [Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](../../video/cloud/deploy/policypaksettings.md) -- [Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for Windows, Office, Chrome and more](../../video/cloud/admxsettings.md) -- [Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](../../video/cloud/admxfiles.md) -- [Endpoint Policy Manager Cloud: General Tips about On-Prem to PP Cloud Export](../../video/cloud/integration/onpremiseexport.md) -- [Endpoint Policy Manager Cloud and Security Settings (More examples)](../../video/cloud/securitysettings.md) -- [Endpoint Policy Manager Cloud + GPPrefs (More examples)](../../video/cloud/preferences.md) +- [Endpoint Policy Manager Cloud: Two minute introduction](/docs/policypak/policypak/video/cloud/introduction.md) +- [Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) +- [Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md) +- [Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](/docs/policypak/policypak/video/cloud/deploy/policypaksettings.md) +- [Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for 
Windows, Office, Chrome and more](/docs/policypak/policypak/video/cloud/admxsettings.md) +- [Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md) +- [Endpoint Policy Manager Cloud: General Tips about On-Prem to PP Cloud Export](/docs/policypak/policypak/video/cloud/integration/onpremiseexport.md) +- [Endpoint Policy Manager Cloud and Security Settings (More examples)](/docs/policypak/policypak/video/cloud/securitysettings.md) +- [Endpoint Policy Manager Cloud + GPPrefs (More examples)](/docs/policypak/policypak/video/cloud/preferences.md) ## Test Lab Best Practices -- [Endpoint Policy Manager Cloud: What you need to get Started](../../video/cloud/testlab/start.md) -- [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) -- [Testing and Troubleshooting By Renaming an endpoint Computer](../../video/cloud/testlab/renameendpoint.md) -- [Endpoint Policy Manager Cloud: On-Prem Test Lab (tying it all together)](../../video/cloud/testlab/onpremise.md) +- [Endpoint Policy Manager Cloud: What you need to get Started](/docs/policypak/policypak/video/cloud/testlab/start.md) +- [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) +- [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/cloud/testlab/renameendpoint.md) +- [Endpoint Policy Manager Cloud: On-Prem Test Lab (tying it all together)](/docs/policypak/policypak/video/cloud/testlab/onpremise.md) ## Using with other METHODS (MDM and Group Policy) -- [Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](../../video/cloud/mdm.md) -- [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../../video/cloud/integration/onpremise.md) +- [Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + 
automatically join PPC Groups and get policy.](/docs/policypak/policypak/video/cloud/mdm.md) +- [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md) ## Security -- [Endpoint Policy Manager Cloud: Security Features](../../video/cloud/security/features.md) -- [Endpoint Policy Manager Cloud: Immutable Log](../../video/cloud/security/immutablelog.md) -- [Endpoint Policy Manager Cloud Logs and Automatically Pushing via Email](../../video/cloud/security/emaillogs.md) -- [Endpoint Policy Manager Cloud: Adding New Admins](../../video/cloud/add/administrator.md) +- [Endpoint Policy Manager Cloud: Security Features](/docs/policypak/policypak/video/cloud/security/features.md) +- [Endpoint Policy Manager Cloud: Immutable Log](/docs/policypak/policypak/video/cloud/security/immutablelog.md) +- [Endpoint Policy Manager Cloud Logs and Automatically Pushing via Email](/docs/policypak/policypak/video/cloud/security/emaillogs.md) +- [Endpoint Policy Manager Cloud: Adding New Admins](/docs/policypak/policypak/video/cloud/add/administrator.md) ## Tips and Tricks -- [Install the PP Cloud client with a PP Least Priv Manager Rule](../../video/cloud/install/leastprivilegemanagerrule.md) -- [Endpoint Policy Manager Cloud + Azure AD: Better Together for Computer ILT and Computer Policy Targeting](../../video/cloud/integration/entraid.md) -- [PP Cloud + File Info Viewer: Get file info, without the MMC console](../../video/cloud/integration/fileinfoviewer.md) -- [Endpoint Policy Manager Cloud: Restricted Groups Editor](../../video/cloud/restricted_groups_editor.md) +- [Install the PP Cloud client with a PP Least Priv Manager Rule](/docs/policypak/policypak/video/cloud/install/leastprivilegemanagerrule.md) +- [Endpoint Policy Manager Cloud + Azure AD: Better Together for Computer ILT and Computer Policy Targeting](/docs/policypak/policypak/video/cloud/integration/entraid.md) +- [PP 
Cloud + File Info Viewer: Get file info, without the MMC console](/docs/policypak/policypak/video/cloud/integration/fileinfoviewer.md) +- [Endpoint Policy Manager Cloud: Restricted Groups Editor](/docs/policypak/policypak/video/cloud/restricted_groups_editor.md) ## Upkeep and Daily Use -- [Endpoint Policy Manager Cloud Reporting Demo](../../video/cloud/reports.md) -- [Endpoint Policy Manager Cloud: Strict vs. Loose Computer Registration Mode](../../video/cloud/registrationmode.md) -- [Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../../video/cloud/groups.md) -- [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../../video/cloud/jointoken.md) -- [How to import GPOs to Endpoint Policy Manager Cloud](../../video/cloud/import.md) +- [Endpoint Policy Manager Cloud Reporting Demo](/docs/policypak/policypak/video/cloud/reports.md) +- [Endpoint Policy Manager Cloud: Strict vs. Loose Computer Registration Mode](/docs/policypak/policypak/video/cloud/registrationmode.md) +- [Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md) +- [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) +- [How to import GPOs to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/import.md) diff --git a/docs/policypak/policypak/cloud/policy/type.md b/docs/policypak/policypak/cloud/policy/type.md index 1cff1b8c35..1ce97db07a 100644 --- a/docs/policypak/policypak/cloud/policy/type.md +++ b/docs/policypak/policypak/cloud/policy/type.md 
@@ -11,7 +11,7 @@ Cloud: The distinction can be seen below. Items in redare Top-Level Policies and Items in purpleare Internal Policies to the specific Top-Level policy type. -![913_1_image001_950x505](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_1_image001_950x505.webp) +![913_1_image001_950x505](/img/product_docs/policypak/policypak/cloud/policy/913_1_image001_950x505.webp) The processing of all Top Level Policies is always done on the Computer side, which means all users on the computer will be affected by all policies (initially.). @@ -19,7 +19,7 @@ on the computer will be affected by all policies (initially.). This is because all Cloud policies are downloaded to` \programdata\policypak\Xmldata\cloud` folder, like what's seen here. -![913_2_image002_950x906](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_2_image002_950x906.webp) +![913_2_image002_950x906](/img/product_docs/policypak/policypak/cloud/policy/913_2_image002_950x906.webp) Then in the case for some policies, you can perform some settings user side only, others computer side only, and others you can switch. 
@@ -27,13 +27,13 @@ side only, and others you can switch. Endpoint Policy Manager Admin Templates Manager is a good example. After you look at the entries, you will get the following example settings. -![913_3_image003_950x419](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_3_image003_950x419.webp) +![913_3_image003_950x419](/img/product_docs/policypak/policypak/cloud/policy/913_3_image003_950x419.webp) The result of the downloaded XML looks like this. Here, the Top-Level policy will always come in on the Computer (Machine) side.The Internal policy is what is set in the configuratio,n or what the CSE might be hardcoded to. -![913_4_image004_950x387](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_4_image004_950x387.webp) +![913_4_image004_950x387](/img/product_docs/policypak/policypak/cloud/policy/913_4_image004_950x387.webp) Therefore, to see and understand what ILT types will be available, it comes down to how the CSE operates. Some CSEs will operate in either USER or COMPUTER modes. 
@@ -45,20 +45,20 @@ geared toward a USER. This way you can deliver the main policy to the computer, then filter by which user(s) or which group(s) you want to limit the policy to affect. -![913_5_image005_950x610](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_5_image005_950x610.webp) +![913_5_image005_950x610](/img/product_docs/policypak/policypak/cloud/policy/913_5_image005_950x610.webp) -![913_6_image006_950x569](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_6_image006_950x569.webp) +![913_6_image006_950x569](/img/product_docs/policypak/policypak/cloud/policy/913_6_image006_950x569.webp) There is one exception to the rules above. Note the small difference between a policy which is created onlytusing Endpoint Policy Manager Cloud editor. The Top-Level policy will show Machine like what's seen here: -![913_7_image007_950x316](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_7_image007_950x316.webp) +![913_7_image007_950x316](/img/product_docs/policypak/policypak/cloud/policy/913_7_image007_950x316.webp) But if a policy is uploaded from on-prem MMC, specifically the USER side, the XML will look like this: -![913_8_image008_950x443](../../../../../static/img/product_docs/policypak/policypak/cloud/policy/913_8_image008_950x443.webp) +![913_8_image008_950x443](/img/product_docs/policypak/policypak/cloud/policy/913_8_image008_950x443.webp) This does not affect the operation of the policy in any way. The policy is still downloaded by Endpoint Policy Manager Cloud to `\programdata\policypak\Xmldata\cloud`, and processed by a licensed diff --git a/docs/policypak/policypak/cloud/profileupdate.md b/docs/policypak/policypak/cloud/profileupdate.md index 9972eabf71..a42c1bed82 100644 --- a/docs/policypak/policypak/cloud/profileupdate.md +++ b/docs/policypak/policypak/cloud/profileupdate.md 
@@ -17,17 +17,17 @@ how: **Step 1 –** Log in to the portal as the Primary and navigate to the Contacts tab. Locate the contact whose email address you wish to change and click **Edit**. -![950_1_image-20230404104104-1_871x83](../../../../static/img/product_docs/policypak/policypak/cloud/950_1_image-20230404104104-1_871x83.webp) +![950_1_image-20230404104104-1_871x83](/img/product_docs/policypak/policypak/cloud/950_1_image-20230404104104-1_871x83.webp) **Step 2 –** Update the email address and click **Save**. -![950_2_image-20230404104342-2_668x395](../../../../static/img/product_docs/policypak/policypak/cloud/950_2_image-20230404104342-2_668x395.webp) +![950_2_image-20230404104342-2_668x395](/img/product_docs/policypak/policypak/cloud/950_2_image-20230404104342-2_668x395.webp) **Step 3 –** Once the **Contacts** page refreshes you will see the email status of the contact you updated has changed to **Get verified**. In order to initiate the verification process click here and acknowledge. -![950_3_image-20230404104641-3_902x79](../../../../static/img/product_docs/policypak/policypak/cloud/950_3_image-20230404104641-3_902x79.webp) +![950_3_image-20230404104641-3_902x79](/img/product_docs/policypak/policypak/cloud/950_3_image-20230404104641-3_902x79.webp) **Step 4 –** Afterward, the contact will receive an email at the new address where they can click to confirm the email address. diff --git a/docs/policypak/policypak/cloud/quickstart.md b/docs/policypak/policypak/cloud/quickstart.md index a2a2637b0c..0a3d4f92f3 100644 --- a/docs/policypak/policypak/cloud/quickstart.md +++ b/docs/policypak/policypak/cloud/quickstart.md 
@@ -28,11 +28,11 @@ test client computer. Your account has some pre-configured policies linked to th After you log on you can see the pre-configured examples within the **Computer Groups** tab. -![policypak_cloud_quickstart_625x186](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_625x186.webp) +![policypak_cloud_quickstart_625x186](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_625x186.webp) You can also see the pre-configured examples within the XML Data Files tab. -![policypak_cloud_quickstart_1_499x241](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_1_499x241.webp) +![policypak_cloud_quickstart_1_499x241](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_1_499x241.webp) Note that the Endpoint Policy Manager Cloud client requires .Net Framework 4.0 or later to be installed first. You can download and install.Net Framework 4.5 for Windows from Microsoft here: @@ -44,7 +44,7 @@ Each Endpoint Policy Manager Cloud customer has their own specific Endpoint Poli client that must be downloaded. This is how your PCs join your Endpoint Policy Manager Cloud instance. You can find the client installer within the **Company Details** tab. -![policypak_cloud_quickstart_2_623x338](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_2_623x338.webp) +![policypak_cloud_quickstart_2_623x338](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_2_623x338.webp) Select the Endpoint Policy Manager Cloud client that makes sense for you (32-bit or 64-bit) and keep it handy for the next steps. 
@@ -55,12 +55,12 @@ You downloaded the Endpoint Policy Manager Cloud client for your company from th Manager Cloud service. Now, you need to install the Endpoint Policy Manager Cloud client to join Endpoint Policy Manager Cloud. To do this, run the Endpoint Policy Manager Cloud MS. -![policypak_cloud_quickstart_3_499x366](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_3_499x366.webp) +![policypak_cloud_quickstart_3_499x366](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_3_499x366.webp) A window displays indicating hte installation is completed. The computer will join Endpoint Policy Manager Cloud and will be part of the special built-in groups named **All** and **Unassigned**. -![policypak_cloud_quickstart_4_437x361](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_4_437x361.webp) +![policypak_cloud_quickstart_4_437x361](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_4_437x361.webp) The Endpoint Policy Manager Cloud client then immediately downloads any Endpoint Policy Manager XML directives for the computer's groups. All directives should be downloaded and active within 10 diff --git a/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md b/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md index 3a7f1a0403..f2791481a1 100644 --- a/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md +++ b/docs/policypak/policypak/cloud/remoteworkdeliverymanager.md 
@@ -16,7 +16,7 @@ Azure, Amazon S3, or Dropbox. For this example, we are using Dropbox. automatically download the file when used in a browser, note if your public link ends in a "0" you may need to change the "0" to "1" for testing in a browser. -![788_1_image-20210309203819-1](../../../../static/img/product_docs/policypak/policypak/cloud/788_1_image-20210309203819-1.webp) +![788_1_image-20210309203819-1](/img/product_docs/policypak/policypak/cloud/788_1_image-20210309203819-1.webp) **Step 5 –** From your Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud portal go to the **File Box** tab, then click **Add external link**. Fill out the following fields with the relevant @@ -26,8 +26,8 @@ message stating **Link is valid**". **NOTE:** Clicking **Validate Link** also updates the "0" in your public download link to a "1" if needed. -![788_2_image-20210309203819-2](../../../../static/img/product_docs/policypak/policypak/cloud/788_2_image-20210309203819-2.webp)            -![788_3_image-20210309203819-3](../../../../static/img/product_docs/policypak/policypak/cloud/788_3_image-20210309203819-3.webp) +![788_2_image-20210309203819-2](/img/product_docs/policypak/policypak/cloud/788_2_image-20210309203819-2.webp)            +![788_3_image-20210309203819-3](/img/product_docs/policypak/policypak/cloud/788_3_image-20210309203819-3.webp) **Step 6 –** Once you receive the message **Link is valid**, click **Save** and move onto the next step of creating the RWDM policy. 
@@ -35,18 +35,18 @@ step of creating the RWDM policy. **Step 7 –** Create a new RWDM policy, give the policy a descriptive name, and click the **+Policy** dropdown then select **+Delivery** to define the policy. -![788_4_image-20210309203819-4](../../../../static/img/product_docs/policypak/policypak/cloud/788_4_image-20210309203819-4.webp) +![788_4_image-20210309203819-4](/img/product_docs/policypak/policypak/cloud/788_4_image-20210309203819-4.webp) -![788_5_image-20210309203819-5](../../../../static/img/product_docs/policypak/policypak/cloud/788_5_image-20210309203819-5.webp) +![788_5_image-20210309203819-5](/img/product_docs/policypak/policypak/cloud/788_5_image-20210309203819-5.webp) -![788_6_image-20210309203819-6](../../../../static/img/product_docs/policypak/policypak/cloud/788_6_image-20210309203819-6.webp) +![788_6_image-20210309203819-6](/img/product_docs/policypak/policypak/cloud/788_6_image-20210309203819-6.webp) **Step 8 –** Under the **General** tab click the folder icon next to **Source File** to select the external link to the firewall policy file you defined earlier, then fill out the rest of the tab with your desired settings. See the example below and pay special attention to the **Destination File Path**. This value must be the full path, including the destination file name and extension. -![788_7_image-20210309203819-7](../../../../static/img/product_docs/policypak/policypak/cloud/788_7_image-20210309203819-7.webp) +![788_7_image-20210309203819-7](/img/product_docs/policypak/policypak/cloud/788_7_image-20210309203819-7.webp) **Step 9 –** Under the **Post-copy actions** tab choose **Run PowerShell script** and paste in the following command line before optionally defining a **Revert action** and saving the policy. 
@@ -58,7 +58,7 @@ netsh advfirewall import "C:\Temp\firewall-rules.wfw" **Step 10 –** Since it is only one command, you could have alternatively used the **Run Process** field and pasted in the same single command line. -![788_8_image-20210309203819-8](../../../../static/img/product_docs/policypak/policypak/cloud/788_8_image-20210309203819-8.webp) +![788_8_image-20210309203819-8](/img/product_docs/policypak/policypak/cloud/788_8_image-20210309203819-8.webp) **Step 11 –** That's it, you are all done. Now apply the policy to a computer group in PPC and test the policy on a PPC joined machine by running "`ppcloud /sync`" from a CMD prompt. You should see @@ -67,12 +67,12 @@ rules should be reflected in the Advanced Firewall GUI. See below for examples. The policy shows as applied after running "`PPCLoud /sync`" from CMD: -![788_9_image-20210309203819-9](../../../../static/img/product_docs/policypak/policypak/cloud/788_9_image-20210309203819-9.webp) +![788_9_image-20210309203819-9](/img/product_docs/policypak/policypak/cloud/788_9_image-20210309203819-9.webp) Endpoint Firewall settings BEFORE import: -![788_10_image-20210309203819-10](../../../../static/img/product_docs/policypak/policypak/cloud/788_10_image-20210309203819-10.webp) +![788_10_image-20210309203819-10](/img/product_docs/policypak/policypak/cloud/788_10_image-20210309203819-10.webp) Endpoint Firewall settings AFTER import: -![788_11_image-20210309203819-11](../../../../static/img/product_docs/policypak/policypak/cloud/788_11_image-20210309203819-11.webp) +![788_11_image-20210309203819-11](/img/product_docs/policypak/policypak/cloud/788_11_image-20210309203819-11.webp) diff --git a/docs/policypak/policypak/cloud/security/datasafety.md b/docs/policypak/policypak/cloud/security/datasafety.md index 7f21eb910c..ce274c203a 100644 --- a/docs/policypak/policypak/cloud/security/datasafety.md +++ b/docs/policypak/policypak/cloud/security/datasafety.md 
@@ -40,9 +40,9 @@ endpoint data For example Endpoint Policy Manager Least Privilege Manager events which can be stored for a time in Endpoint Policy Manager Cloud Service (not enabled for all customers.) Details of this feature can be seen - at[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../../video/leastprivilege/cloudevents.md) + at[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md) and details about specific event types (for example) can be found here: - [List of Endpoint Policy Manager Event Categories and IDs](../../tips/eventcategories.md) + [List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) #### How is data is stored at rest with Endpoint Policy Manager Cloud: diff --git a/docs/policypak/policypak/cloud/security/publickeypoliciessettings.md b/docs/policypak/policypak/cloud/security/publickeypoliciessettings.md index 5749485ab4..5cedc2f26a 100644 --- a/docs/policypak/policypak/cloud/security/publickeypoliciessettings.md +++ b/docs/policypak/policypak/cloud/security/publickeypoliciessettings.md 
@@ -2,13 +2,13 @@ Below is an example of how you can configure Security Settings. You start by creating a real GPO: -![580_1_q10-img-1](../../../../../static/img/product_docs/policypak/policypak/cloud/security/580_1_q10-img-1.webp) +![580_1_q10-img-1](/img/product_docs/policypak/policypak/cloud/security/580_1_q10-img-1.webp) To configure Security Settings, start by opening the Group Policy Management Editor and create a real GPO. Then export using PP Settings Manager to an -XML. [Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../../video/cloud/deploy/grouppolicysettings.md) +XML. [Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md) Then, upload it to PPCloud. This would make the specified cert a Trusted Root CA on the target machines. @@ -21,4 +21,4 @@ you export, then deploy using PPCloud or Netwrix Endpoint Policy Manager (former Inside the exported XML you can see the certificate embedded like this and ready for use. -![580_2_q10-img-2](../../../../../static/img/product_docs/policypak/policypak/cloud/security/580_2_q10-img-2.webp) +![580_2_q10-img-2](/img/product_docs/policypak/policypak/cloud/security/580_2_q10-img-2.webp) diff --git a/docs/policypak/policypak/cloud/targetingeditor.md b/docs/policypak/policypak/cloud/targetingeditor.md index 56b457529e..173bf409ef 100644 --- a/docs/policypak/policypak/cloud/targetingeditor.md +++ b/docs/policypak/policypak/cloud/targetingeditor.md 
@@ -34,7 +34,7 @@ There are two options available to accomplish this. **Step 2 –** Run a command `whoami /user`. Note down the long code: -![732_1_image-20200213172020-1](../../../../static/img/product_docs/policypak/policypak/cloud/732_1_image-20200213172020-1.webp) +![732_1_image-20200213172020-1](/img/product_docs/policypak/policypak/cloud/732_1_image-20200213172020-1.webp) ##### Option 2: For Another user: @@ -44,7 +44,7 @@ There are two options available to accomplish this. **Step 3 –** Copy the output SID of another user for next step: -![732_3_image-20200213172020-2](../../../../static/img/product_docs/policypak/policypak/cloud/732_3_image-20200213172020-2.webp) +![732_3_image-20200213172020-2](/img/product_docs/policypak/policypak/cloud/732_3_image-20200213172020-2.webp) **NOTE:** All commands in these steps are tested on Microsoft Windows Version 1909 (OS Build 18363.592). @@ -63,7 +63,7 @@ The logged-in user has to be an administrator. **Step 3 –** Copy the SID information for later user. -![732_5_image-20200213172020-3](../../../../static/img/product_docs/policypak/policypak/cloud/732_5_image-20200213172020-3.webp) +![732_5_image-20200213172020-3](/img/product_docs/policypak/policypak/cloud/732_5_image-20200213172020-3.webp) **NOTE:** The command in this step is tested on Microsoft Windows Server 2012 R2 (Build 9600). @@ -75,7 +75,7 @@ The logged-in user has to be an administrator. **Step 1 –** Copy the SID information to use for next step. -![732_7_image-20200213172020-4](../../../../static/img/product_docs/policypak/policypak/cloud/732_7_image-20200213172020-4.webp) +![732_7_image-20200213172020-4](/img/product_docs/policypak/policypak/cloud/732_7_image-20200213172020-4.webp) **NOTE:** The command in this step is on Microsoft Windows Version 1909 (OS Build 18363.592) 
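Review bot: in targetingeditor.md, the rewritten image line of the `-75,7` hunk (`+![732_7_image-20200213172020-4](/img/...)`) and the other image lines changed in this file keep the auto-generated file name as alt text, so a screen reader or a failed image load tells the reader nothing about which SID output is shown. These lines are being rewritten anyway, so replace the alt text with a short description of each screenshot, for example the `whoami /user` output for the Option 1 image. The trailing context also reads `The command in this step is on Microsoft Windows Version 1909`, where the sibling notes say "is tested on".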
@@ -88,21 +88,21 @@ Policy Manager Cloud based Internal Item-Level Targeting Filter window. **Step 2 –** Create a New Policy and select a i.e. Drive Maps from Microsoft Policy Preferences. -![732_9_image-20200213172020-5](../../../../static/img/product_docs/policypak/policypak/cloud/732_9_image-20200213172020-5.webp) +![732_9_image-20200213172020-5](/img/product_docs/policypak/policypak/cloud/732_9_image-20200213172020-5.webp) **Step 3 –** Click on **Mapped Drive** drop-down and select **Drive** option. -![732_11_image-20200213172020-6_950x630](../../../../static/img/product_docs/policypak/policypak/cloud/732_11_image-20200213172020-6_950x630.webp) +![732_11_image-20200213172020-6_950x630](/img/product_docs/policypak/policypak/cloud/732_11_image-20200213172020-6_950x630.webp) **Step 4 –** After filling out the details select the **ILT** button. -![732_13_image-20200213172020-7](../../../../static/img/product_docs/policypak/policypak/cloud/732_13_image-20200213172020-7.webp) +![732_13_image-20200213172020-7](/img/product_docs/policypak/policypak/cloud/732_13_image-20200213172020-7.webp) **Step 5 –** Click on **New Item** drop-down in the **Targeting Editor** window. **Step 6 –** Select **User** and fill-in the SID from the clipboard. -![732_15_sid_950x589](../../../../static/img/product_docs/policypak/policypak/cloud/732_15_sid_950x589.webp) +![732_15_sid_950x589](/img/product_docs/policypak/policypak/cloud/732_15_sid_950x589.webp) **Step 7 –** Click the **Ok** button. @@ -110,6 +110,6 @@ Policy Manager Cloud based Internal Item-Level Targeting Filter window. **Step 9 –** Fill in the SID detail of a Group from the clipboard. -![732_16_image-20200213172020-9_950x629](../../../../static/img/product_docs/policypak/policypak/cloud/732_16_image-20200213172020-9_950x629.webp) +![732_16_image-20200213172020-9_950x629](/img/product_docs/policypak/policypak/cloud/732_16_image-20200213172020-9_950x629.webp) **Step 10 –** Click the **OK** button. 
diff --git a/docs/policypak/policypak/cloud/testlab.md b/docs/policypak/policypak/cloud/testlab.md index d4b94c3a2d..0c1c95c5c4 100644 --- a/docs/policypak/policypak/cloud/testlab.md +++ b/docs/policypak/policypak/cloud/testlab.md @@ -7,13 +7,13 @@ the other editors. To get yourself set up perfectly with a small on-prem test la the steps in the following videos: - Endpoint Policy Manager Cloud: What You Need to Get Started: - [Endpoint Policy Manager Cloud: What you need to get Started](../video/cloud/testlab/start.md) + [Endpoint Policy Manager Cloud: What you need to get Started](/docs/policypak/policypak/video/cloud/testlab/start.md) - How to Create a DC for Editing Purposes: - [How to create a DC for editing purposes](../video/cloud/testlab/createdc.md). + [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md). - Testing and Troubleshooting by Renaming an Endpoint Computer: - [Testing and Troubleshooting By Renaming an endpoint Computer](../video/cloud/testlab/renameendpoint.md) + [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/cloud/testlab/renameendpoint.md) - Endpoint Policy Manager Cloud: On-Prem Test Lab: Tying it all Together: - [Endpoint Policy Manager Cloud: On-Prem Test Lab (tying it all together)](../video/cloud/testlab/onpremise.md) + [Endpoint Policy Manager Cloud: On-Prem Test Lab (tying it all together)](/docs/policypak/policypak/video/cloud/testlab/onpremise.md) By the time you have completed the videos, you will have a mini, free-to-use on-prem test lab with the ability to create and edit all Endpoint Policy Manager directives and test out that they are 
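Review bot: the four links rewritten in this testlab.md hunk now use root-relative source paths that still end in `.md` (`/docs/policypak/policypak/video/cloud/testlab/start.md` and its siblings), which resolve only if the site build maps repository file paths to routes; a plain Markdown viewer or a repository preview would not resolve them. Confirm that the build's broken-link check covers this form and record the convention in the contributor notes. Separately, the `createdc.md).` bullet is the only one of the four that ends with a period.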
@@ -25,8 +25,8 @@ machines (each one within a "tab" in VMware Workstation): - Representative cloud machine: Typically non-domain-joined, but ready to install the Endpoint Policy Manager Cloud client for continuous testing -![concepts_logons_and_downloads_12_625x534](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_12_625x534.webp) +![concepts_logons_and_downloads_12_625x534](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_12_625x534.webp) -![concepts_logons_and_downloads_13_624x282](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_13_624x282.webp) +![concepts_logons_and_downloads_13_624x282](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_13_624x282.webp) -![concepts_logons_and_downloads_14_623x372](../../../../static/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_14_623x372.webp) +![concepts_logons_and_downloads_14_623x372](/img/product_docs/policypak/policypak/cloud/concepts_logons_and_downloads_14_623x372.webp) diff --git a/docs/policypak/policypak/cloud/transition.md b/docs/policypak/policypak/cloud/transition.md index beeecd4eaa..773d7cefea 100644 --- a/docs/policypak/policypak/cloud/transition.md +++ b/docs/policypak/policypak/cloud/transition.md @@ -43,7 +43,7 @@ Endpoint Policy Manager Cloud Groups. ## Pre-testing that Endpoint Policy Manager Cloud is working at all with the built-in policies. Start by verifying that your Endpoint Policy Manager Cloud account is generally working. See the -[Endpoint Policy Manager Cloud: QuickStart](../video/cloud/quickstart.md) topic for additional +[Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) topic for additional information. You will be verifying that your Endpoint Policy Manager Cloud account is licensed, operational and 
@@ -55,32 +55,32 @@ Continue to export your existing invested Endpoint Policy Manager settings into You can export one setting at a time like this: -![941_1_image-20230521113923-1_950x502](../../../../static/img/product_docs/policypak/policypak/cloud/941_1_image-20230521113923-1_950x502.webp) +![941_1_image-20230521113923-1_950x502](/img/product_docs/policypak/policypak/cloud/941_1_image-20230521113923-1_950x502.webp) You can export a Collection like this: -![941_2_image-20230521113923-2_950x589](../../../../static/img/product_docs/policypak/policypak/cloud/941_2_image-20230521113923-2_950x589.webp) +![941_2_image-20230521113923-2_950x589](/img/product_docs/policypak/policypak/cloud/941_2_image-20230521113923-2_950x589.webp) Or you can export a whole category like this: -![941_3_image-20230521113923-3](../../../../static/img/product_docs/policypak/policypak/cloud/941_3_image-20230521113923-3.webp) +![941_3_image-20230521113923-3](/img/product_docs/policypak/policypak/cloud/941_3_image-20230521113923-3.webp) You can also export settings en-mass across multiple GPOs using the Endpoint Policy Manager Exporter Utility. The steps to do that are here -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../video/methods/exporterutility.md) +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/methods/exporterutility.md) Then you can upload them straight into Endpoint Policy Manager cloud using the Upload and link a new XML here. Or you can go to the XML Settings tab (not shown) and also upload them there for later use. 
-![941_4_image-20230521113923-4_950x326](../../../../static/img/product_docs/policypak/policypak/cloud/941_4_image-20230521113923-4_950x326.webp) +![941_4_image-20230521113923-4_950x326](/img/product_docs/policypak/policypak/cloud/941_4_image-20230521113923-4_950x326.webp) You may also view the XML in notepad and copy/paste the XML straight into Endpoint Policy Manager cloud using the same setting, Upload and link a new XML here as seen around the 5 minute and 20 second mark continuing onward. See the -[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](../video/cloud/deploy/policypaksettings.md) topic +[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](/docs/policypak/policypak/video/cloud/deploy/policypaksettings.md) topic for additional information. ## Optional: Backup and Restore entire GPO to Endpoint Policy Manager cloud @@ -89,12 +89,12 @@ You might also have a GPO with a lot of settings, which contain Microsoft and/or Manager settings. You can transfer the whole contents of that GPO with a GPO Backup and Endpoint Policy Manager Cloud Import. -![941_5_image-20230521113923-5_950x386](../../../../static/img/product_docs/policypak/policypak/cloud/941_5_image-20230521113923-5_950x386.webp) +![941_5_image-20230521113923-5_950x386](/img/product_docs/policypak/policypak/cloud/941_5_image-20230521113923-5_950x386.webp) The result will be a de-constructed GPO with all relevant parts as XML, available to re-link later to Company or Azure groups. -See the [How to import GPOs to Endpoint Policy Manager Cloud](../video/cloud/import.md) topic for +See the [How to import GPOs to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/import.md) topic for additional information. ## Use In-Cloud Editors to create and update rules (for most policies) 
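Review bot: in the transition.md `-55,32` hunk, two of the rewritten link lines carry fused product names in their link text, `Deploying Endpoint Policy Managerdirectives without Group Policy` and `Endpoint Policy ManagerCloud: How to deploy ...`, which looks like a product rename that swallowed the following space. The `+` lines reproduce the defect unchanged; since those lines are already being replaced, add the missing space there rather than carrying it forward.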
@@ -102,50 +102,50 @@ additional information. Now that all your rules are lifted and shifted from GPO Editor to XML to Cloud, you can use the in-cloud editors to perform most new policy types and edit existing policies. -![941_6_image-20230521113923-6_950x448](../../../../static/img/product_docs/policypak/policypak/cloud/941_6_image-20230521113923-6_950x448.webp) +![941_6_image-20230521113923-6_950x448](/img/product_docs/policypak/policypak/cloud/941_6_image-20230521113923-6_950x448.webp) Here’s an example of how to use the Endpoint Policy Manager Cloud in-cloud editors to create and edit Endpoint Policy Manager Least Privilege Manager items. -![941_7_image-20230521113923-7_950x1063](../../../../static/img/product_docs/policypak/policypak/cloud/941_7_image-20230521113923-7_950x1063.webp) +![941_7_image-20230521113923-7_950x1063](/img/product_docs/policypak/policypak/cloud/941_7_image-20230521113923-7_950x1063.webp) See the -[Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](../video/leastprivilege/cloudrules.md) topic +[Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](/docs/policypak/policypak/video/leastprivilege/cloudrules.md) topic for additional information. You are advised to maintain a Windows based MMC editing station for testing because not every editing function may be available in the Endpoint Policy Manager Cloud editors. Most items are, but a few are not. Details about Endpoint Policy Manager Cloud and Test Lab Best Practices are here: -Getting Started with Cloud > [Knowledge Base](overview/knowledgebase.md). +Getting Started with Cloud > [Knowledge Base](/docs/policypak/policypak/cloud/overview/knowledgebase.md). ## Using Endpoint Policy Manager Cloud to create company groups and/or use the Endpoint Policy Manager Cloud to Azure connector Now you can craft your Company Group assignment and then adding computers to it. 
-See the [Working with Groups](interface/computergroups/workingwith.md) topic for additional +See the [Working with Groups](/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md) topic for additional information. An example of crafting your own Company groups, linking existing XMLs, creating new policies and Adding/Removing computers from these Company Groups can be seen here. -![941_8_image-20230521113923-8_950x503](../../../../static/img/product_docs/policypak/policypak/cloud/941_8_image-20230521113923-8_950x503.webp) +![941_8_image-20230521113923-8_950x503](/img/product_docs/policypak/policypak/cloud/941_8_image-20230521113923-8_950x503.webp) Another option is the ability to mate your Endpoint Policy Manager Cloud instance with your Azure Instance and use Azure Groups as well. You can establish a connection between Endpoint Policy Manager Cloud and Azure using these steps: -![941_9_image-20230521113923-9_950x491](../../../../static/img/product_docs/policypak/policypak/cloud/941_9_image-20230521113923-9_950x491.jpeg) +![941_9_image-20230521113923-9_950x491](/img/product_docs/policypak/policypak/cloud/941_9_image-20230521113923-9_950x491.jpeg) Then Azure groups will appear at the same level as Company Groups and you can link XML to those Azure groups. -![941_10_image-20230521113923-10_950x286](../../../../static/img/product_docs/policypak/policypak/cloud/941_10_image-20230521113923-10_950x286.jpeg) +![941_10_image-20230521113923-10_950x286](/img/product_docs/policypak/policypak/cloud/941_10_image-20230521113923-10_950x286.jpeg) Provided the Endpoint Policy Manager Cloud Client is on the machine (one of the next steps), the computer will pick up the policies in either the Computer Group or Azure Group. (`PPCLOUD /sync` will show these details.) 
-![941_11_image-20230521113923-11_950x295](../../../../static/img/product_docs/policypak/policypak/cloud/941_11_image-20230521113923-11_950x295.jpeg) +![941_11_image-20230521113923-11_950x295](/img/product_docs/policypak/policypak/cloud/941_11_image-20230521113923-11_950x295.jpeg) ## Linking Endpoint Policy Manager Cloud XML to Endpoint Policy Manager Cloud Company Groups or Azure Groups @@ -159,7 +159,7 @@ Cloud acts nearly the same as on-prem GPO with the following attributes: - Enforced is available - Precedence is available -See the [Working with Groups](interface/computergroups/workingwith.md) topic for additional +See the [Working with Groups](/docs/policypak/policypak/cloud/interface/computergroups/workingwith.md) topic for additional information. ## Deploying the Endpoint Policy Manager Cloud Client and/or CSE to endpoints @@ -167,7 +167,7 @@ information. Now you’re ready to deliver the Endpoint Policy Manager Cloud client to your machines, which will join the machines to Endpoint Policy Manager Cloud. -![941_12_image-20230521113923-12_950x461](../../../../static/img/product_docs/policypak/policypak/cloud/941_12_image-20230521113923-12_950x461.webp) +![941_12_image-20230521113923-12_950x461](/img/product_docs/policypak/policypak/cloud/941_12_image-20230521113923-12_950x461.webp) **NOTE:** If the machines already have the Endpoint Policy Manager CSE installed, there is no need to uninstall the Endpoint Policy Manager CSE. It is permitted to pre-install the CSE on the machine 
@@ -178,7 +178,7 @@ There are a myriad of ways to install the Endpoint Policy Manager Cloud client, MSI. When the Cloud Client is installed it will automatically install the Endpoint Policy Manager CSE if it is not present on the machine like what’s seen here. -![941_13_image-20230521113923-13_950x691](../../../../static/img/product_docs/policypak/policypak/cloud/941_13_image-20230521113923-13_950x691.webp) +![941_13_image-20230521113923-13_950x691](/img/product_docs/policypak/policypak/cloud/941_13_image-20230521113923-13_950x691.webp) **NOTE:** The machine may also upgrade to a later CSE if a Endpoint Policy Manager Cloud group dictates a later CSE; but the CSE will never downgrade. (See the last section in this guide for more @@ -188,8 +188,8 @@ Additionally, you may wish to investigate the idea of having computers automatic Endpoint Policy Manager Cloud group of your choice with the Jointoken property. Two videos on that topic are: -- [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../video/cloud/jointoken.md) -- [Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](../video/cloud/mdm.md) +- [Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) +- [Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](/docs/policypak/policypak/video/cloud/mdm.md) **NOTE:** There are some other KB topicswith advanced scenarios on installing the Endpoint Policy Manager Cloud client for Azure Virtual Desktops, VDI and other scenarios. Please open a ticket at 
@@ -198,7 +198,7 @@ trouble locating those articles. **NOTE:** Here's some command line examples to help install the Endpoint Policy Manager Cloud client silently. See the -[How do I deploy the Endpoint Policy Manager Cloud Client via command line silently?](../install/cloud/clientsilent.md) topic +[How do I deploy the Endpoint Policy Manager Cloud Client via command line silently?](/docs/policypak/policypak/install/cloud/clientsilent.md) topic for additional information. ## Removing existing settings to machines (GPO and Non-GPO method) @@ -212,7 +212,7 @@ method of deploying policy. - For SCCM and MDM/Intune, perform an uninstall of the wrapped up XMLs / MSIs. You can also verify the XML settings are removed from your endpoint from the Users or Groups or Computer folder. See the - [What is the processing order of all policies and how are conflicts resolved (and how can I see the final RsOP) of those policies (between GPO, Cloud, XML, etc)?](../troubleshooting/conflictresolved.md) topic + [What is the processing order of all policies and how are conflicts resolved (and how can I see the final RsOP) of those policies (between GPO, Cloud, XML, etc)?](/docs/policypak/policypak/troubleshooting/conflictresolved.md) topic for additional information. ## Report using Endpoint Policy Manager Cloud to verify expected settings are achieved 
@@ -225,7 +225,7 @@ Method one is akin to GP update and you simply run `PPCLOUD /sync` (performs a S or Endpoint Policy Manager Cloud /status (no sync, just displays), and you can see any specific machines' current state and policies. -![941_14_image-20230521113923-14_950x823](../../../../static/img/product_docs/policypak/policypak/cloud/941_14_image-20230521113923-14_950x823.webp) +![941_14_image-20230521113923-14_950x823](/img/product_docs/policypak/policypak/cloud/941_14_image-20230521113923-14_950x823.webp) See the [Manually Syncing with PolicyPak Cloud](verify.md#manually-syncing-with-policypak-cloud) topic for additional information.[](https://helpcenter.netwrix.com/en-US/bundle/Endpoint Policy @@ -236,9 +236,9 @@ On the server Additionally, you may mass report upon machines using the Endpoint Policy Manager Cloud reporting mechanism. -![941_15_image-20230521113923-15_950x386](../../../../static/img/product_docs/policypak/policypak/cloud/941_15_image-20230521113923-15_950x386.webp) +![941_15_image-20230521113923-15_950x386](/img/product_docs/policypak/policypak/cloud/941_15_image-20230521113923-15_950x386.webp) -See the [Endpoint Policy Manager Cloud Reporting Demo](../video/cloud/reports.md) topic for +See the [Endpoint Policy Manager Cloud Reporting Demo](/docs/policypak/policypak/video/cloud/reports.md) topic for additional information. Either method will inform you if the settings you lifted and shifted to Endpoint Policy Manager 
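Review bot: the `-225,7` hunk of transition.md leaves `[Manually Syncing with PolicyPak Cloud](verify.md#manually-syncing-with-policypak-cloud)` as a relative link while the other internal links this patch touches in the file move to `/docs/...` paths, and the same context line ends in an empty-text link, `[](https://helpcenter.netwrix.com/en-US/bundle/Endpoint Policy`, whose URL contains a space and wraps onto the next line. Convert the first for consistency and delete or repair the second; if the path rewrite was scripted, check whether it skips targets that carry a `#fragment`. The sentence above also reads `or Endpoint Policy Manager Cloud /status` next to `PPCLOUD /sync`, so a product rename appears to have replaced a command name.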
@@ -250,17 +250,17 @@ Finally, it is important to keep the Endpoint Policy Manager Cloud Client and th Manager CSE up to date. Endpoint Policy Manager Company Groups control the versions of the Endpoint Policy Manager Cloud Client and Endpoint Policy Manager CSE. -![941_16_image-20230521113923-16_950x529](../../../../static/img/product_docs/policypak/policypak/cloud/941_16_image-20230521113923-16_950x529.webp) +![941_16_image-20230521113923-16_950x529](/img/product_docs/policypak/policypak/cloud/941_16_image-20230521113923-16_950x529.webp) You should always do small scale testing of upgrades of the Endpoint Policy Manager CSE and Endpoint Policy Manager Cloud Client version to ensure safety before you roll it out to everyone via the All group. See the -[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../install/rings.md) topic +[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) topic for additional information on the Microsoft Ring methodology, which aligns to Endpoint Policy Manager best practices. See the -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../video/cloud/groups.md) topic +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md) topic for additional information on how to perform small scale testing before large scale upgrades. diff --git a/docs/policypak/policypak/cloud/twofactorauthentication.md b/docs/policypak/policypak/cloud/twofactorauthentication.md index efd2648ca4..f29338fcd2 100644 --- a/docs/policypak/policypak/cloud/twofactorauthentication.md +++ b/docs/policypak/policypak/cloud/twofactorauthentication.md 
@@ -13,23 +13,23 @@ enabled, resetting 2FA settings, and requesting that it be disabled for every us Here's what to expect the first time (as a Primary or Secondary user) you will be prompted for a code which will be emailed to the address you used to log in with: -![461_1_image-20220908114735-1_541x257](../../../../static/img/product_docs/policypak/policypak/cloud/461_1_image-20220908114735-1_541x257.webp) +![461_1_image-20220908114735-1_541x257](/img/product_docs/policypak/policypak/cloud/461_1_image-20220908114735-1_541x257.webp) And the email to loo for: -![461_2_image-20210507112848-3_560x180](../../../../static/img/product_docs/policypak/policypak/cloud/461_2_image-20210507112848-3_560x180.webp) +![461_2_image-20210507112848-3_560x180](/img/product_docs/policypak/policypak/cloud/461_2_image-20210507112848-3_560x180.webp) **Step 1 –** It is recommended that the Primary user then enable **App** 2FA for the account.  This will provide everyone with the ability to choose either email or an app (such as Authy or Google Authenticator) to authenticate their login. -![461_3_image-20220908115257-2_636x390](../../../../static/img/product_docs/policypak/policypak/cloud/461_3_image-20220908115257-2_636x390.webp) +![461_3_image-20220908115257-2_636x390](/img/product_docs/policypak/policypak/cloud/461_3_image-20220908115257-2_636x390.webp) **Step 2 –** Here's how to do that. 
-![461_4_image-20220908115629-4_734x303](../../../../static/img/product_docs/policypak/policypak/cloud/461_4_image-20220908115629-4_734x303.webp) +![461_4_image-20220908115629-4_734x303](/img/product_docs/policypak/policypak/cloud/461_4_image-20220908115629-4_734x303.webp) -![461_11_image-20220908134421-9_640x396](../../../../static/img/product_docs/policypak/policypak/cloud/461_11_image-20220908134421-9_640x396.webp) +![461_11_image-20220908134421-9_640x396](/img/product_docs/policypak/policypak/cloud/461_11_image-20220908134421-9_640x396.webp) **Step 3 –** Navigate to Your Contacts > 2FA Config For Your Company tabLocate the 2FA Config tab under Your Contacts, then click **App 2FA** and click **Apply**. 
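Review bot: the trailing context of this twofactorauthentication.md hunk shows Step 3 as `Navigate to Your Contacts > 2FA Config For Your Company tabLocate the 2FA Config tab under Your Contacts, then click **App 2FA**`, two sentences fused into one, and the leading context has `And the email to loo for:`. This is the procedure an account owner follows to enable app-based 2FA, so an ambiguous step is worth fixing in this pass or a follow-up. Also, `461_11_image-20220908134421-9_640x396.webp` appears under Step 2 here and again in the Disable 2FA section (`-92,12` hunk); confirm the same screenshot is intended in both places.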
@@ -47,30 +47,30 @@ yet setup their authenticator app, they will be prompted to do so.  Scan the c supply the code shown in the app.  If for any reason the QR code is not displayed properly, most apps allow the use of the alternate code that you will see displayed. -![461_5_image-20220908160453-12_782x451](../../../../static/img/product_docs/policypak/policypak/cloud/461_5_image-20220908160453-12_782x451.webp) +![461_5_image-20220908160453-12_782x451](/img/product_docs/policypak/policypak/cloud/461_5_image-20220908160453-12_782x451.webp) **Step 8 –** After supplying the code from the app they'll be returned to the logon screen where they will see an acknowledgment if the Authenticator app setup was successful. -![461_6_image-20220908160820-13_625x427](../../../../static/img/product_docs/policypak/policypak/cloud/461_6_image-20220908160820-13_625x427.webp) +![461_6_image-20220908160820-13_625x427](/img/product_docs/policypak/policypak/cloud/461_6_image-20220908160820-13_625x427.webp) **Step 9 –** When they log in and choose the authentication app method, they will be prompted to enter the code from their authenticator app. -![461_7_image-20220908121115-5_763x335](../../../../static/img/product_docs/policypak/policypak/cloud/461_7_image-20220908121115-5_763x335.webp) +![461_7_image-20220908121115-5_763x335](/img/product_docs/policypak/policypak/cloud/461_7_image-20220908121115-5_763x335.webp) ## Resetting 2FA for an Individual Secondary If an individual needs to have their App 2FA reset, they can request that when logging in. Clicking the link send a notification to the Primary on the account. -![461_8_image-20220908121906-6_736x356](../../../../static/img/product_docs/policypak/policypak/cloud/461_8_image-20220908121906-6_736x356.webp) +![461_8_image-20220908121906-6_736x356](/img/product_docs/policypak/policypak/cloud/461_8_image-20220908121906-6_736x356.webp) The Primary can then log in to the Portal and perform the reset as shown below.  
Navigate to **Contacts**, select either **Secondary** or **Billing**, locate the individual and click **Reset App 2FA**. -![461_9_image-20220908134018-7_918x317](../../../../static/img/product_docs/policypak/policypak/cloud/461_9_image-20220908134018-7_918x317.webp) +![461_9_image-20220908134018-7_918x317](/img/product_docs/policypak/policypak/cloud/461_9_image-20220908134018-7_918x317.webp) ## Resetting 2FA for the Primary @@ -84,7 +84,7 @@ If you ever need to reset 2FA, you can do this by clicking **Reset 2FA**. **NOTE:** This will reset the 2FA setting for all users. Everyone will need to re-setup their authenticator app. -![461_10_image-20220908134312-8_862x390](../../../../static/img/product_docs/policypak/policypak/cloud/461_10_image-20220908134312-8_862x390.webp) +![461_10_image-20220908134312-8_862x390](/img/product_docs/policypak/policypak/cloud/461_10_image-20220908134312-8_862x390.webp) ## Disable 2FA 
@@ -92,12 +92,12 @@ Though we strongly advise against it, you can disable 2FA completely on your acc clicking **Disable 2FA** and confirming your request.  The request will be submitted on your behalf and handled by the support team.  You will hear from them when the request is completed. -![461_11_image-20220908134421-9_640x396](../../../../static/img/product_docs/policypak/policypak/cloud/461_11_image-20220908134421-9_640x396.webp) +![461_11_image-20220908134421-9_640x396](/img/product_docs/policypak/policypak/cloud/461_11_image-20220908134421-9_640x396.webp) You will get a confirmation email anytime 2FA is disabled for your account.  Please note that this is for the entire account so 2FA will be disabled for ALL users/contacts as indicated below. -![461_12_image-20210507115645-15_631x225](../../../../static/img/product_docs/policypak/policypak/cloud/461_12_image-20210507115645-15_631x225.webp) +![461_12_image-20210507115645-15_631x225](/img/product_docs/policypak/policypak/cloud/461_12_image-20210507115645-15_631x225.webp) Looking in your portal afterwards, you'll see that 2FA is entirely disabled, as neither box is checked. You can re-enable it at any time by simply selecting the 2FA you want to enable and diff --git a/docs/policypak/policypak/cloud/unlink.md b/docs/policypak/policypak/cloud/unlink.md index fe53d96c09..3203f2227a 100644 --- a/docs/policypak/policypak/cloud/unlink.md +++ b/docs/policypak/policypak/cloud/unlink.md 
@@ -1,12 +1,12 @@ # How to remove (unlink) all Example policies at once from the All-Built-in Group -![799_1_image-20201230211039-1](../../../../static/img/product_docs/policypak/policypak/cloud/799_1_image-20201230211039-1.webp) +![799_1_image-20201230211039-1](/img/product_docs/policypak/policypak/cloud/799_1_image-20201230211039-1.webp) To remove all the Example policies at once perform the following steps. **Step 1 –** Select the **All** group. -![799_2_image-20201230211039-2](../../../../static/img/product_docs/policypak/policypak/cloud/799_2_image-20201230211039-2.webp) +![799_2_image-20201230211039-2](/img/product_docs/policypak/policypak/cloud/799_2_image-20201230211039-2.webp) **Step 2 –** Under **Actions** select **Link XML Here**. @@ -14,4 +14,4 @@ To remove all the Example policies at once perform the following steps. **Step 4 –** Click **Remove**. -![799_3_image-20201230211039-3](../../../../static/img/product_docs/policypak/policypak/cloud/799_3_image-20201230211039-3.webp) +![799_3_image-20201230211039-3](/img/product_docs/policypak/policypak/cloud/799_3_image-20201230211039-3.webp) diff --git a/docs/policypak/policypak/cloud/verify.md b/docs/policypak/policypak/cloud/verify.md index 1c1d4ebc3d..d19c6ffa08 100644 --- a/docs/policypak/policypak/cloud/verify.md +++ b/docs/policypak/policypak/cloud/verify.md @@ -12,7 +12,7 @@ We have pre-loaded a Group Policy Preferences shortcut item to display a shortcu the [www.policypak.com](http://www.policypak.com/) icon on the desktop of your client machine immediately after successfully joining Endpoint Policy Manager Cloud. -![policypak_cloud_quickstart_5_624x496](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_5_624x496.webp) +![policypak_cloud_quickstart_5_624x496](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_5_624x496.webp) ## Endpoint Policy Manager Admin Templates Manager 
@@ -27,7 +27,7 @@ saver (rolled up into one XML file directive): **NOTE:** **Personalization** window might show **Screen Saver: None**, but in reality you can see that the screen saver is being set in the **Screen Saver Settings** window. -![policypak_cloud_quickstart_6_624x426](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_6_624x426.webp) +![policypak_cloud_quickstart_6_624x426](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_6_624x426.webp) ## Endpoint Policy Manager Security Settings Manager @@ -37,7 +37,7 @@ value to **policypakGuest**. To verify this occurred, you need to run an elevate then run GPedit.MSC. Then you can go to **Local Computer** > **Computer Configuration** > **Security Settings** > **Security Options** to see the results. -![policypak_cloud_quickstart_7_499x259](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_7_499x259.webp) +![policypak_cloud_quickstart_7_499x259](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_7_499x259.webp) ## Endpoint Policy Manager Application Settings Manager @@ -45,7 +45,7 @@ If you pre-loaded WinZip 14.5 as instructed, a Endpoint Policy Manager Applicati XML data file is pre-populated to demonstrate managing applications. Just run WinZip 14, and you should see the configuration settings. -![policypak_cloud_quickstart_8_499x245](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_8_499x245.webp) +![policypak_cloud_quickstart_8_499x245](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_8_499x245.webp) Endpoint Policy Manager Application Settings Manager's WinZip has directives for the Passwords and Cameras tabs, which were pre-populated from an example file in Endpoint Policy Manager Cloud. 
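Review bot: the image targets rewritten in verify.md (for example `/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_8_499x245.webp` in the `-45,7` hunk) drop the `static/` segment and become root-relative, so they resolve only when the static directory is published at the site root. If the docs are served under a sub-path or previewed straight from the repository, all of these images fail together; state the assumption in the README or make the build fail on unresolved images.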
@@ -57,12 +57,12 @@ For a very quick test, run Chrome and see the Endpoint Policy Manager Browser Ro loaded. Note this pop-up should only happen one time per user. Then, in the search bar, type [www.policypak.com](http://www.policypak.com/) and hit enter. -![policypak_cloud_quickstart_9_624x391](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_9_624x391.webp) +![policypak_cloud_quickstart_9_624x391](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_9_624x391.webp) When you do, Chrome l automatically closes and IE automatically opens because of the route set in the policy. An example is shown below. -![policypak_cloud_quickstart_10_624x238](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_10_624x238.webp) +![policypak_cloud_quickstart_10_624x238](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_10_624x238.webp) ## Manually Syncing with PolicyPak Cloud 
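Review bot: The unchanged context line between the two image changes in this hunk reads "Chrome l automatically closes", with a stray "l" left in the sentence; fix it to "Chrome automatically closes" while the file is open. The trailing context heading also still says "Manually Syncing with PolicyPak Cloud" although the body text uses "Endpoint Policy Manager Cloud", so the product name should be made consistent in the same pass.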
@@ -70,15 +70,15 @@ The final way to verify your client machine's connection to Endpoint Policy Mana ppcloud /sync. You should get something like what is shown below. Here you can see which groups the computer is a member of. -![policypak_cloud_quickstart_11_624x384](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_11_624x384.webp) +![policypak_cloud_quickstart_11_624x384](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_11_624x384.webp) Below you can see which components are licensed and how long each each one is valid. -![policypak_cloud_quickstart_12_468x336](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_12_468x336.webp) +![policypak_cloud_quickstart_12_468x336](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_12_468x336.webp) Here you can see which XML data files (directives) are being delivered to this computer. -![policypak_cloud_quickstart_13_468x265](../../../../static/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_13_468x265.webp) +![policypak_cloud_quickstart_13_468x265](/img/product_docs/policypak/policypak/cloud/policypak_cloud_quickstart_13_468x265.webp) **NOTE:** By default your computer is only a member of two special built-in groups named **All** and **Unassigned**. diff --git a/docs/policypak/policypak/cloud/version.md b/docs/policypak/policypak/cloud/version.md index a5c1657510..9636e68bc3 100644 --- a/docs/policypak/policypak/cloud/version.md +++ b/docs/policypak/policypak/cloud/version.md 
@@ -1,6 +1,6 @@ # How to find which PPCloud Client version & CSE version a registered computer is running from within the Endpoint Policy Manager Cloud portal -![975_1_image-20230526004959-1_950x398](../../../../static/img/product_docs/policypak/policypak/cloud/975_1_image-20230526004959-1_950x398.webp) +![975_1_image-20230526004959-1_950x398](/img/product_docs/policypak/policypak/cloud/975_1_image-20230526004959-1_950x398.webp) **Step 1 –** Login to the Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud Portal and select the **Company Details** tab. diff --git a/docs/policypak/policypak/device/devicemanager/devicemanagerpolicies.md b/docs/policypak/policypak/device/devicemanager/devicemanagerpolicies.md index 02c9b52be0..a33d413373 100644 --- a/docs/policypak/policypak/device/devicemanager/devicemanagerpolicies.md +++ b/docs/policypak/policypak/device/devicemanager/devicemanagerpolicies.md 
@@ -14,19 +14,19 @@ policy: In this section you will create USB Storage policies which are suitable for USB and also CD-ROM and DVDs. -![device07](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device07.webp) +![device07](/img/product_docs/policypak/policypak/device/devicemanager/device07.webp) Without a Global Settings policy in place, creating a new USB policy will ask you some questions to guide you down a path to configure both a Global Settings policy and USB policy at the same time. -![device08](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device08.webp) +![device08](/img/product_docs/policypak/policypak/device/devicemanager/device08.webp) With a Global Settings policy already in place, when you create a USB policy, you will be prompted to select between two options, as shown on the Welcome window. Without going into every permutation of what's possible in Endpoint Policy Manager Device Manager with regard to USB policy, we will explore the most popular path, which is Allow Users to use specific devices. -![usb1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/usb1.webp) +![usb1](/img/product_docs/policypak/policypak/device/devicemanager/usb1.webp) This path lets you configure who will use what devices, and what kind of access will they have on those devices. @@ -37,7 +37,7 @@ Allow specific devices with details gained from: - The Endpoint Policy Manager Device Manager Helper Tool - Other Methods like Windows Device Manager or vendor documentation -![device09](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device09.webp) +![device09](/img/product_docs/policypak/policypak/device/devicemanager/device09.webp) The most reliable way to get what you need is either from the Endpoint Policy Manager Pop-Up on the endpoint or from the Endpoint Policy Manager Device Manager Helper Utility. 
@@ -58,7 +58,7 @@ Serial Number are all auto-detected. Manager Device Manager UI. Typically, Endpoint Policy Manager is sold in Enterprise or SaaS editions and in those configurations you get **COMPLETE** (meaning all the features). -![device10](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device10.webp) +![device10](/img/product_docs/policypak/policypak/device/devicemanager/device10.webp) At this point, you may use: @@ -74,7 +74,7 @@ At this point, you may use: For this walkthrough, we suggest you use: Vendor ID and ProductID and in the Product Rev, you replace it with a \* meaning all revisions. -![device11](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device11.webp) +![device11](/img/product_docs/policypak/policypak/device/devicemanager/device11.webp) On the next screen, you can **Add domain member** meaning an Active Directory user or group. Alternatively you can select **Add member...** and select a specific SID which can be useful if 
@@ -82,11 +82,11 @@ you're adding users not-joined to Active Directory, and only using an MDM servi **NOTE:** To get an overview of how to acquire SIDs with your MDM service and then use them with Endpoint Policy Manager Device Manager, see the -[How do I get Azure AD SIDs and use them with Item Level Targeting?](../../itemleveltargeting/entraidsids.md) -and [Block and Allow USB and CD-ROMs with your MDM solution](../../video/device/mdm.md) topics for +[How do I get Azure AD SIDs and use them with Item Level Targeting?](/docs/policypak/policypak/itemleveltargeting/entraidsids.md) +and [Block and Allow USB and CD-ROMs with your MDM solution](/docs/policypak/policypak/video/device/mdm.md) topics for additional information. -![usb2](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/usb2.webp) +![usb2](/img/product_docs/policypak/policypak/device/devicemanager/usb2.webp) In this way you're specifying which user gets what permission. For this example, select **Read Only**. @@ -96,12 +96,12 @@ and/or use **Item Level Targeting**. The final screen shows the writing of the policy. You can click **Finish**. -![usb3](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/usb3.webp) +![usb3](/img/product_docs/policypak/policypak/device/devicemanager/usb3.webp) After the policy is delivered to the endpoint and refreshed (using GPupdate for domain joined machines for example), the results can be seen on the endpoint. -![usb4](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/usb4.webp) +![usb4](/img/product_docs/policypak/policypak/device/devicemanager/usb4.webp) Now, reading from this USB is allowed, but other operations (like Write and Execute) will produce errors. 
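Review bot: In the @@ -82,11 +82,11 @@ hunk the two rewritten topic links and the rewritten image use different absolute roots: the topic links keep the repository path and extension (`/docs/policypak/policypak/itemleveltargeting/entraidsids.md`), while the image drops `static` and starts at `/img/`. Please confirm in the PR description that the docs build resolves both forms and fails on a broken target, because a mechanical rewrite of this size cannot be checked by eye. The first link's text still says "Azure AD SIDs" while its target file is `entraidsids.md`; align the wording with the target's title.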
@@ -111,15 +111,15 @@ However, as a reminder you may also use Endpoint Policy Manager Device Manager t - Allow specific user(s) to use all devices. This is useful if you want some people to have blanked access to all devices. Not usually advised. See the - [Allow ONE user (or group) access to USB and/or CD-ROM and DVDs](../../video/device/usbdriveallowuser.md) + [Allow ONE user (or group) access to USB and/or CD-ROM and DVDs](/docs/policypak/policypak/video/device/usbdriveallowuser.md) topic for additional information. - Allow specific devices based upon Serial Number(s). See the - [Permit specific devices by serial number](../../video/device/serialnumber.md) topic for + [Permit specific devices by serial number](/docs/policypak/policypak/video/device/serialnumber.md) topic for additional information. - Allow specific devices based upon BitLocker Key ID (restricts a specific BitLocker device) or Allow ANY BitLocker encrypted volume (useful if you just want to make sure users are using Bitlocker to keep data always encrypted). See the - [Restrict access only to Bitlocker drives](../../video/device/bitlockerdrives.md) topic for + [Restrict access only to Bitlocker drives](/docs/policypak/policypak/video/device/bitlockerdrives.md) topic for additional information. ## Phone / WPD Policies 
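Review bot: The context line directly above the first changed link says "blanked access to all devices", which should read "blanket access"; it sits in a sentence that describes a permission the doc itself marks as "Not usually advised", so the wording should be unambiguous. The third bullet also mixes "BitLocker" and "Bitlocker", including in the changed link text "Restrict access only to Bitlocker drives"; use the "BitLocker" spelling throughout.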
@@ -135,11 +135,11 @@ support your unique Phone/WPD device. If creating a Phone/WPD policy in place with no Global Settings policy, a Wizard will help guide you to configure both a Global Settings policy and a Phone/WPDpolicy at the same time. -![upd1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/upd1.webp) +![upd1](/img/product_docs/policypak/policypak/device/devicemanager/upd1.webp) If you already have a Global Settings policy in place, the editor will ask what's seen below, which is similar to the questions when adding a USB device earlier. The typical route is Allow Users to use specific phones or other WPDs. -![wpd3](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/wpd3.webp) +![wpd3](/img/product_docs/policypak/policypak/device/devicemanager/wpd3.webp) diff --git a/docs/policypak/policypak/device/devicemanager/globaldevicemanager.md b/docs/policypak/policypak/device/devicemanager/globaldevicemanager.md index 8417758afe..0c6f45a136 100644 --- a/docs/policypak/policypak/device/devicemanager/globaldevicemanager.md +++ b/docs/policypak/policypak/device/devicemanager/globaldevicemanager.md @@ -5,7 +5,7 @@ Configuration** > **Netwrix PolicyPak** > **Device Management Security Pak** > Add a new global settings policy by selecting **Add** > **New Global settings policy**. -![device04](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device04.webp) +![device04](/img/product_docs/policypak/policypak/device/devicemanager/device04.webp) Configure what device types to manage. For this example, you might want to set the recurring notifications to a higher number to test what happens if you plug and unplug in a device. In this 
@@ -14,11 +14,11 @@ example, the value is set to 20. By default, Endpoint Policy Manager Device Manager has a simple notification message to the user, but that is customizable as well. -![device05](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device05.webp) +![device05](/img/product_docs/policypak/policypak/device/devicemanager/device05.webp) Your Global policy is now set in the GPO. -![device06](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device06.webp) +![device06](/img/product_docs/policypak/policypak/device/devicemanager/device06.webp) Once the policy is applied to the endpoint, the immediate result of creating a Global Settings policy can be seen here on an endpoint when a USB device is inserted. @@ -28,7 +28,7 @@ The users' access to the USB device Read:No, Write:No, Execute:No, can be seen. A user is presented with the following information and a 60 second countdown which will auto-close unless the user clicks **More Information**. -![global1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/global1.webp) +![global1](/img/product_docs/policypak/policypak/device/devicemanager/global1.webp) If an end user tries to read or write data or execute an application, they will get a variety of error messages. The following screenshots are examples of what end-users may expect. 
@@ -36,11 +36,11 @@ error messages. The following screenshots are examples of what end-users may exp **NOTE:** There is no customization of the errors at this time. Errors may vary depending on how the system responds. -![read1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/read1.webp) +![read1](/img/product_docs/policypak/policypak/device/devicemanager/read1.webp) -![execute](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/execute.webp) +![execute](/img/product_docs/policypak/policypak/device/devicemanager/execute.webp) -![writeattemppt](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/writeattemppt.webp) +![writeattemppt](/img/product_docs/policypak/policypak/device/devicemanager/writeattemppt.webp) Selecting More information shows Device Info which may be used in the next steps to allow a device type. It is recommended to copy these details to Notepad to keep them handy for use during the diff --git a/docs/policypak/policypak/device/devicemanager/helpertool.md b/docs/policypak/policypak/device/devicemanager/helpertool.md index 0641fb8c15..042c621adf 100644 --- a/docs/policypak/policypak/device/devicemanager/helpertool.md +++ b/docs/policypak/policypak/device/devicemanager/helpertool.md @@ -8,7 +8,7 @@ policy for them. The Endpoint Policy Manager Device Manager Help Tool can be found in the download in the Endpoint Policy Manager Extras folder. -![helper1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/helper1.webp) +![helper1](/img/product_docs/policypak/policypak/device/devicemanager/helper1.webp) **NOTE:** The Endpoint Policy Manager Device Manager Helper tool may need local administrative rights to run and also needs the WinRM service started. 
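Review bot: The NOTE in the context of the helpertool.md hunk (@@ -8,7 +8,7 @@) says the Helper tool "may need local administrative rights to run and also needs the WinRM service started", but does not say whether WinRM has to stay running once the device list has been generated. Add a sentence stating that, since admins on locked-down endpoints will want to return the service to its previous state. The same hunk calls the tool both "Help Tool" and "Helper tool"; pick one name. In the globaldevicemanager.md hunk above it, the new path carries over the misspelled asset name `writeattemppt.webp`, which is worth renaming in a follow-up so the link does not break silently later.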
@@ -17,7 +17,7 @@ rights to run and also needs the WinRM service started. Follow the steps to generate a device list that can be used for creating Device Manager policies. -![helper2](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/helper2.webp) +![helper2](/img/product_docs/policypak/policypak/device/devicemanager/helper2.webp) **Step 1 –** Open the Endpoint Policy Manager Device Manager Helper. @@ -27,12 +27,12 @@ and/or CD-ROMs. Only pages for detected devices are shown. The Device Manager Helper tool enables you to quickly gather Instance Paths for connected and non-connected devices. -![helper3](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/helper3.webp) +![helper3](/img/product_docs/policypak/policypak/device/devicemanager/helper3.webp) **Step 2 –** On the Select Disk Devices window, right-click to automatically copy the detail to the buffer for later pasting. -![helper4](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/helper4.webp) +![helper4](/img/product_docs/policypak/policypak/device/devicemanager/helper4.webp) You can also save the list of all devices at the end of the Wizard using the **Save application list to this XML** option. @@ -40,4 +40,4 @@ to this XML** option. Then, you may use this list using the previously described wizard pages such as Allow Device by Serial Number and Allow Device by BitLocker Key, as shown in the example screen below. -![helper5](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/helper5.webp) +![helper5](/img/product_docs/policypak/policypak/device/devicemanager/helper5.webp) diff --git a/docs/policypak/policypak/device/devicemanager/overview.md b/docs/policypak/policypak/device/devicemanager/overview.md index 2f30eae0a2..8367bf23e6 100644 --- a/docs/policypak/policypak/device/devicemanager/overview.md +++ b/docs/policypak/policypak/device/devicemanager/overview.md 
@@ -17,17 +17,17 @@ will help you learn to do the following: Optionally, this manual demonstrates how to use on-prem Active Directory and Group Policy to deploy Endpoint Policy Manager Device Manager directives. If you don't want to use Group Policy, see the -[MDM & UEM Tools](../../mdm/overview.md) topic to deploy directives for additional information. +[MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) topic to deploy directives for additional information. **NOTE:** For an overview of Endpoint Policy Manager Device Manager see the -[Video Learning Center](../overview/videolearningcenter.md) topic for additional information. +[Video Learning Center](/docs/policypak/policypak/device/overview/videolearningcenter.md) topic for additional information. Endpoint Policy Manager Device Manager will manage USB and other removable media devices like CD-ROMs, DVD ROMs, and phones which plug in and have storage when attached to Windows. For an overview of managing USB and other removeable media devices using Endpoint Policy Manager Device Manager, see the -[Instantly Put the smackdown on USB sticks and CD-ROMs](../../video/device/usbdrive.md) topic for +[Instantly Put the smackdown on USB sticks and CD-ROMs](/docs/policypak/policypak/video/device/usbdrive.md) topic for additional information. The basic way to use Endpoint Policy Manager Device Manager is as follows: 
@@ -43,11 +43,11 @@ these ways: System! topic for additional information - Microsoft Intune — See the - [Block and Allow USB and CD-ROMs with your MDM solution](../../video/device/mdm.md) video overview + [Block and Allow USB and CD-ROMs with your MDM solution](/docs/policypak/policypak/video/device/mdm.md) video overview for additional information - PolicyPak Cloud service — See the - [Block USB sticks using Endpoint Policy Manager Cloud](../../video/device/cloud.md) topic for + [Block USB sticks using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/device/cloud.md) topic for additional information Then allow the client machine with the Endpoint Policy Manager client-side extension (CSE) to @@ -78,7 +78,7 @@ Endpoint Policy Manager Cloud enables you to create Endpoint Policy Manager Devi directives using the in-cloud editors and connect endpoints to get Endpoint Policy Manager Device Manager directives. -![ppcloud](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/ppcloud.webp) +![ppcloud](/img/product_docs/policypak/policypak/device/devicemanager/ppcloud.webp) While this manual mostly demonstrates concepts using the Group Policy editor, nearly everything can be done using the Endpoint Policy Manager Cloud editors. Additionally, you can take on-prem MMC @@ -92,7 +92,7 @@ Endpoint Policy Manager Admin Templates Manager and our other products’ XML fi a portable MSI file for deployment using Microsoft Endpoint Manager (SCCM and Intune) or your own systems management software. -The [MDM & UEM Tools](../../mdm/overview.md) topic explains how to use the Endpoint Policy Manager +The [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) topic explains how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. 
@@ -107,15 +107,15 @@ simply GPO or MDM setting that can accomplished. Here is exactly how to do that (without using Endpoint Policy Manager Device Manager) when using ADMX settings via GPOs. -![device01](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device01.webp) +![device01](/img/product_docs/policypak/policypak/device/devicemanager/device01.webp) The same may be performed using and MDM service like Intune using similar settings. -![device02](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device02.webp) +![device02](/img/product_docs/policypak/policypak/device/devicemanager/device02.webp) The result will be the same where Removable Devices will be stopped. -![device03](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/device03.webp) +![device03](/img/product_docs/policypak/policypak/device/devicemanager/device03.webp) In this way you can completely shut out all devices for all users for all times. diff --git a/docs/policypak/policypak/device/devicemanager/rules.md b/docs/policypak/policypak/device/devicemanager/rules.md index 8b5698b562..0d32809067 100644 --- a/docs/policypak/policypak/device/devicemanager/rules.md +++ b/docs/policypak/policypak/device/devicemanager/rules.md @@ -4,7 +4,7 @@ Admin Approval enables you to anticipate devices without rules and enable users desk to help authorize sanctioned devices - temporarily or permanently. See the -[Device Manager Admin Approval and Automatic Rules Creation](../../video/device/dmapprovalautorules.md) +[Device Manager Admin Approval and Automatic Rules Creation](/docs/policypak/policypak/video/device/dmapprovalautorules.md) topic for additional information on Admin Approval & Branding and Customization. This document refers to the person doing the approval as an Approver. This can be someone on your 
@@ -22,7 +22,7 @@ Start out by creating an Admin Approval policy, as shown below. **NOTE:** You can only have one Admin Approval entry per collection and only one will ultimately apply. -![aa15](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa15.webp) +![aa15](/img/product_docs/policypak/policypak/device/devicemanager/aa15.webp) Admin Approval has four tabs: @@ -54,7 +54,7 @@ Admin Approval has four tabs: - Custom Message — Optional message to customers about what to do, who to call, what is permitted etc, to override the default Endpoint Policy Manager Device Manager behavior. -![aa14](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa14.webp) +![aa14](/img/product_docs/policypak/policypak/device/devicemanager/aa14.webp) ## Brand Dialog Using Global Settings (Optional) @@ -64,7 +64,7 @@ type you saw earlier. Below you can see some example of what you may configure. You can even run a pre-test to see what the user will see before implementation. -![aa4](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa4.webp) +![aa4](/img/product_docs/policypak/policypak/device/devicemanager/aa4.webp) ## Test Admin Approval @@ -73,7 +73,7 @@ to call the service desk and/or send email requests. Requests are then fielded by the Device Manager Admin Approval tool. -![aa3](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa3.webp) +![aa3](/img/product_docs/policypak/policypak/device/devicemanager/aa3.webp) ## Device Manager Admin Approval Tool 
@@ -82,12 +82,12 @@ pre-installed whenever the Endpoint Policy Manager Admin Console MSI is installe available as a standalone portable application and found in the Endpoint Policy Manager Extras folder in the download. -![aa5](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa5.webp) +![aa5](/img/product_docs/policypak/policypak/device/devicemanager/aa5.webp) The first time set up for an Approver requires that the Secret Key found in the policy is placed into the tool. The Approver also has his own password to sign into the app to open it up. -![aa6](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa6.webp) +![aa6](/img/product_docs/policypak/policypak/device/devicemanager/aa6.webp) ## Admin Approval Tool in Simple Mode @@ -103,14 +103,14 @@ An Approver can set: - Expires — Amount of time the Response code is valid for Never (Default), 10 minutes, 1 hour, 12 hours -![aa7](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa7.webp) +![aa7](/img/product_docs/policypak/policypak/device/devicemanager/aa7.webp) The Response code will change based upon the Approver inputs. **NOTE:** Anytime TimeFrame is set to **Permanent**, it overrides all Uses limits and generates a warning. For example: Uses set to **Once** and TimeFrame set to **Permanent**. -![aa8](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa8.webp) +![aa8](/img/product_docs/policypak/policypak/device/devicemanager/aa8.webp) In this combination, Timeframe overrides Uses, meaning that whatever access you give the device is actually Permanent and not Once. 
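Review bot: In the @@ -103,14 +103,14 @@ hunk the context spells the same Approver setting three ways, "TimeFrame", "Timeframe" and "Timeframe overrides Uses", and the "Expires" bullet runs its description straight into its values ("is valid for Never (Default), 10 minutes, 1 hour, 12 hours"). Use one spelling that matches the tool's label and put a colon before the list of values, because this passage explains which setting wins when Uses and the time frame conflict and the reader has to match the names against the UI.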
@@ -120,19 +120,19 @@ To get out of this problem if you get into it, you have two choices: - Update the policy by disabling the Global Policy or turning off Device Manager. - Or on a single machine you may erase the value for the device you granted Permanent access to. See the - [What are the registry settings for Device Manager (and how do I reset Device Manager Admin Approval)?](../registry.md) + [What are the registry settings for Device Manager (and how do I reset Device Manager Admin Approval)?](/docs/policypak/policypak/device/registry.md) topic for additional information. ## Admin Approval Using Email Method You can use Admin Approval requests to go through your service desk as email requests. See the -[Endpoint Policy Device Manager and End-User Emails to Support](../../video/device/enduser.md) topic +[Endpoint Policy Device Manager and End-User Emails to Support](/docs/policypak/policypak/video/device/enduser.md) topic for additional information. The email method will attempt to use your registered mail application. Your email app must be registered with the .EML extension for this to work as expected. -## ![aa9](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa9.webp) +## ![aa9](/img/product_docs/policypak/policypak/device/devicemanager/aa9.webp) The Approver would then field this request, generate a Response code and send it back via email or copy paste. @@ -140,7 +140,7 @@ copy paste. The Email method has details about what the device actually is, versus the Simple method which cannot provide those details. -![aa10](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa10.webp) +![aa10](/img/product_docs/policypak/policypak/device/devicemanager/aa10.webp) ## Admin Approval Create Rule Button 
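Review bot: In the @@ -120,19 +120,19 @@ hunk the changed image line for `aa9` still begins with `## `, so it renders as a second-level heading that contains only an image and no text. Drop the heading marker so the screenshot is an ordinary paragraph under "Admin Approval Using Email Method". The `# ![event2]` line changed at the end of the same file has the same problem with a first-level marker.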
@@ -150,14 +150,14 @@ use permanently and deliver using Group Policy, MDM or Endpoint Policy Manager C Because the Device Details are now known via the Email method, you can create a permanent rule similar to the Wizard we saw earlier. -![aa11](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa11.webp) +![aa11](/img/product_docs/policypak/policypak/device/devicemanager/aa11.webp) In the Wizard you can use the default settings or change the Members and Permissions. Finally, save your XML and import it into the MMC editor as a policy or use with Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud. -![aa12](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa12.webp) +![aa12](/img/product_docs/policypak/policypak/device/devicemanager/aa12.webp) ## Making a rule directly from an Email Request Code @@ -168,13 +168,13 @@ Copy the code and then select **New Policy from Audit Event or Admin Approval Co Paste in the Request code and follow the Wizard to generate the rule which you need. -![aa13](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/aa13.webp) +![aa13](/img/product_docs/policypak/policypak/device/devicemanager/aa13.webp) ## Make a Rule Directly from an Event on the Endpoint You can take Event IDs generated from Endpoint Policy Manager Device Manager, such as this and use it as the basis to start a rule. -![event1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/event1.webp) +![event1](/img/product_docs/policypak/policypak/device/devicemanager/event1.webp) -# ![event2](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/event2.webp) +# ![event2](/img/product_docs/policypak/policypak/device/devicemanager/event2.webp) diff --git a/docs/policypak/policypak/device/devicemanager/troubleshooting.md b/docs/policypak/policypak/device/devicemanager/troubleshooting.md index 671ac088f7..e3026c04c2 100644 
--- a/docs/policypak/policypak/device/devicemanager/troubleshooting.md +++ b/docs/policypak/policypak/device/devicemanager/troubleshooting.md @@ -2,7 +2,7 @@ Logging occurs on the endpoint. Use the Event Log first to look for events. -![trouble2](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/trouble2.webp) +![trouble2](/img/product_docs/policypak/policypak/device/devicemanager/trouble2.webp) In addition, you can use Endpoint Policy Manager's text based logs. @@ -11,4 +11,4 @@ You will need admin access to see `c:\ProgramData\PolicyPak\PolicyPak` Device Ma Each log occurs when different policy triggering events occur. Special log is ppComputer_Operational.log which explains what's happening in real-time on the machine. -![logging1](../../../../../static/img/product_docs/policypak/policypak/device/devicemanager/logging1.webp) +![logging1](/img/product_docs/policypak/policypak/device/devicemanager/logging1.webp) diff --git a/docs/policypak/policypak/device/overview/knowledgebase.md b/docs/policypak/policypak/device/overview/knowledgebase.md index ebbad49f4e..57d2357c30 100644 --- a/docs/policypak/policypak/device/overview/knowledgebase.md +++ b/docs/policypak/policypak/device/overview/knowledgebase.md 
@@ -2,6 +2,6 @@ See the following Knowledge Base articles for Device Manager. -- [How to add Devices when serial numbers contain extra characters in the device instance path](../serialnumber.md) -- [Why can MSIs be installed from a USB drive when the only access granted to users is READ access](../usbdrive.md) -- [What are the registry settings for Device Manager (and how do I reset Device Manager Admin Approval)?](../registry.md) +- [How to add Devices when serial numbers contain extra characters in the device instance path](/docs/policypak/policypak/device/serialnumber.md) +- [Why can MSIs be installed from a USB drive when the only access granted to users is READ access](/docs/policypak/policypak/device/usbdrive.md) +- [What are the registry settings for Device Manager (and how do I reset Device Manager Admin Approval)?](/docs/policypak/policypak/device/registry.md) diff --git a/docs/policypak/policypak/device/overview/videolearningcenter.md b/docs/policypak/policypak/device/overview/videolearningcenter.md index b9b6c73ae2..5f7506a986 100644 --- a/docs/policypak/policypak/device/overview/videolearningcenter.md +++ b/docs/policypak/policypak/device/overview/videolearningcenter.md 
@@ -4,16 +4,16 @@ See the following Video topics for Device Manager. ## Getting Started -- [Instantly Put the smackdown on USB sticks and CD-ROMs](../../video/device/usbdrive.md) -- [Allow ONE user (or group) access to USB and/or CD-ROM and DVDs](../../video/device/usbdriveallowuser.md) -- [Authorize USB Sticks by VENDOR type](../../video/device/usbdriveallowvendor.md) -- [Permit specific devices by serial number](../../video/device/serialnumber.md) -- [Restrict access only to Bitlocker drives](../../video/device/bitlockerdrives.md) -- [Endpoint Policy Device Manager and End-User Emails to Support](../../video/device/enduser.md) -- [Device Manager Helper Tool](../../video/device/dmhelpertool.md) -- [Device Manager Admin Approval and Automatic Rules Creation](../../video/device/dmapprovalautorules.md) +- [Instantly Put the smackdown on USB sticks and CD-ROMs](/docs/policypak/policypak/video/device/usbdrive.md) +- [Allow ONE user (or group) access to USB and/or CD-ROM and DVDs](/docs/policypak/policypak/video/device/usbdriveallowuser.md) +- [Authorize USB Sticks by VENDOR type](/docs/policypak/policypak/video/device/usbdriveallowvendor.md) +- [Permit specific devices by serial number](/docs/policypak/policypak/video/device/serialnumber.md) +- [Restrict access only to Bitlocker drives](/docs/policypak/policypak/video/device/bitlockerdrives.md) +- [Endpoint Policy Device Manager and End-User Emails to Support](/docs/policypak/policypak/video/device/enduser.md) +- [Device Manager Helper Tool](/docs/policypak/policypak/video/device/dmhelpertool.md) +- [Device Manager Admin Approval and Automatic Rules Creation](/docs/policypak/policypak/video/device/dmapprovalautorules.md) ## Methods: Cloud, MDM and SCCM -- [Block USB sticks using Endpoint Policy Manager Cloud](../../video/device/cloud.md) -- [Block and Allow USB and CD-ROMs with your MDM solution](../../video/device/mdm.md) +- [Block USB sticks using Endpoint Policy Manager 
Cloud](/docs/policypak/policypak/video/device/cloud.md) +- [Block and Allow USB and CD-ROMs with your MDM solution](/docs/policypak/policypak/video/device/mdm.md) diff --git a/docs/policypak/policypak/device/registry.md b/docs/policypak/policypak/device/registry.md index 2851e15ac6..59cef1f024 100644 --- a/docs/policypak/policypak/device/registry.md +++ b/docs/policypak/policypak/device/registry.md @@ -8,7 +8,7 @@ Extensions\{7FA1BDCB-818A-4EF6-A1B7-EF5F85C2D702}\Admin Approval\ApprovedDevices Here is an example of a device which was approved via the Admin Approval tool. -![aa1](../../../../static/img/product_docs/policypak/policypak/device/aa1.webp) +![aa1](/img/product_docs/policypak/policypak/device/aa1.webp) ## To determine the Admin Approval End Time for any device: @@ -23,7 +23,7 @@ $my_time = 1725537001291 An example can be seen here: -![aa2](../../../../static/img/product_docs/policypak/policypak/device/aa2.webp) +![aa2](/img/product_docs/policypak/policypak/device/aa2.webp) ## To Determine the Permissions within the Registry: diff --git a/docs/policypak/policypak/device/serialnumber.md b/docs/policypak/policypak/device/serialnumber.md index 90121430d1..6af617d0ea 100644 --- a/docs/policypak/policypak/device/serialnumber.md +++ b/docs/policypak/policypak/device/serialnumber.md @@ -14,7 +14,7 @@ SCSI\Disk&Ven__USB&Prod__SanDisk_3.2Gen1\6&1262c329&0&000000 When copying these instance paths to create a policy for this device, the serial numbers are not correctly applied in the MMC console view. -![980_2_image-20230725212441-2](../../../../static/img/product_docs/policypak/policypak/device/980_2_image-20230725212441-2.webp) +![980_2_image-20230725212441-2](/img/product_docs/policypak/policypak/device/980_2_image-20230725212441-2.webp) This would not properly target the USB device in question as the serial is configured as **0** in the policy. 
@@ -23,7 +23,7 @@ the policy. Instead of adding the Device Instance Path **As Serial Number**, use **As Instance Path** instead. -![devicepath](../../../../static/img/product_docs/policypak/policypak/device/devicepath.webp) +![devicepath](/img/product_docs/policypak/policypak/device/devicepath.webp) ## Result @@ -31,6 +31,6 @@ This will result in a configuration that will use the entire Device Instance Pat instead of trying to break out the individual parts and force the targeted USB device to get the permissions as configured in the policy. -![deviceinstancepath](../../../../static/img/product_docs/policypak/policypak/device/deviceinstancepath.webp) +![deviceinstancepath](/img/product_docs/policypak/policypak/device/deviceinstancepath.webp) The Device Manager policy now works as expected. diff --git a/docs/policypak/policypak/device/usbdrive.md b/docs/policypak/policypak/device/usbdrive.md index 8b2c209e48..c398463356 100644 --- a/docs/policypak/policypak/device/usbdrive.md +++ b/docs/policypak/policypak/device/usbdrive.md 
@@ -25,15 +25,15 @@ There are a few ways you can do this using Endpoint Policy Manager Least Privile 1. You can block MSIEXEC directly from an .EXE rule with a DENY Executable policy. - ![984_1_image-20230725214430-5_950x637](../../../../static/img/product_docs/policypak/policypak/device/984_1_image-20230725214430-5_950x637.webp) + ![984_1_image-20230725214430-5_950x637](/img/product_docs/policypak/policypak/device/984_1_image-20230725214430-5_950x637.webp) 2. You can block all .MSIs with a DENY Windows Installer Policy. - ![984_2_image-20230725214430-6_950x580](../../../../static/img/product_docs/policypak/policypak/device/984_2_image-20230725214430-6_950x580.webp) + ![984_2_image-20230725214430-6_950x580](/img/product_docs/policypak/policypak/device/984_2_image-20230725214430-6_950x580.webp) 3. You can turn on Admin Approval. - ![984_3_image-20230725214430-7_950x691](../../../../static/img/product_docs/policypak/policypak/device/984_3_image-20230725214430-7_950x691.webp) + ![984_3_image-20230725214430-7_950x691](/img/product_docs/policypak/policypak/device/984_3_image-20230725214430-7_950x691.webp) Why is an extra step in Least Privilege Manager needed? Because Endpoint Policy Manager Least Privilege Manager is a process driver which handles processes. If you specify what to do on a diff --git a/docs/policypak/policypak/editions/paks.md b/docs/policypak/policypak/editions/paks.md index 6fb23cf620..04f9c42b9e 100644 --- a/docs/policypak/policypak/editions/paks.md +++ b/docs/policypak/policypak/editions/paks.md 
@@ -12,4 +12,4 @@ they get. Pak offerings change from time to time when new components are added. Below we see a list of the available Paks from the Endpoint Policy Manager home page at time of publication of this manual. -![editions_solutions_paks_and_7](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_7.webp) +![editions_solutions_paks_and_7](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_7.webp) diff --git a/docs/policypak/policypak/editions/policies.md b/docs/policypak/policypak/editions/policies.md index faf6990b65..d05f5dbf1c 100644 --- a/docs/policypak/policypak/editions/policies.md +++ b/docs/policypak/policypak/editions/policies.md @@ -22,7 +22,7 @@ Policy Manager Application Settings Manager directives over the Internet, even t machines. **Note**: For more information on this topic, please see this video: -[What is Endpoint Policy Application Manager (Cloud Edition)](../video/applicationsettings/cloud.md). +[What is Endpoint Policy Application Manager (Cloud Edition)](/docs/policypak/policypak/video/applicationsettings/cloud.md). ## Least Privilege Manager @@ -36,7 +36,7 @@ Manager Least Privilege Manager can deploy directives over the Internet, even to machines. For more information on this topic, please see this video: -[Video Learning Center](../leastprivilege/overview/videolearningcenter.md) > Privilege Manager. +[Video Learning Center](/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md) > Privilege Manager. **NOTE:** Note that Endpoint Policy Manager Least Privilege Manager has two versions: Standard and Complete. If a customer is a Endpoint Policy Manager Enterprise or SaaS customer, they get Least 
@@ -59,7 +59,7 @@ service, you can also deliver these Endpoint Policy Manager Browser Router setti Internet to domain-joined and non-domain-joined machines. **Note**: For more information on this topic, please see this video: -[Video Learning Center](../browserrouter/overview/videolearningcenter.md) > Browser Router +[Video Learning Center](/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md) > Browser Router ## Java Enterprise Rules Manager @@ -72,7 +72,7 @@ Enterprise Rules Manager can deploy most Microsoft Security settings to computer even to non-domain-joined machines. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../javaenterpriserules/overview/videolearningcenter.md) > Java +video:[Video Learning Center](/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md) > Java Enterprise Rules Manager . ## Admin Templates Manager @@ -89,7 +89,7 @@ Template (or third-party ADMX setting) to computers over the Internet, even to n machines. **Note**: For more information on this topic, please see this -video:[Administrative Templates Manager](../adminstrativetemplates/overview.md). +video:[Administrative Templates Manager](/docs/policypak/policypak/adminstrativetemplates/overview.md). ## File Associations Manager @@ -98,7 +98,7 @@ as .pdf) to specific applications, like Acrobat Reader (standard apps and Window apps), and handling applications with protocols (such as MAILTO:). **Note**: For more information on this topic, please see this video: -[Video Learning Center](../fileassociations/overview/videolearningcenter.md) > File Associations +[Video Learning Center](/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md) > File Associations Manager. ## Preferences Manager 
@@ -114,10 +114,10 @@ deploys Group Policy Preference items over the Internet, even to non-domain-join **NOTE:** The license for this policy is not provided unless specifically requested by the customer when Endpoint Policy Manager is used with the Group Policy delivery mechanism. For more details on why the license is not automatically provided, please see the following link: -[Where is my Endpoint Policy Manager Preferences Component license and how do I request one?](../preferences/componentlicense.md). +[Where is my Endpoint Policy Manager Preferences Component license and how do I request one?](/docs/policypak/policypak/preferences/componentlicense.md). **Note**: For more information on this topic, please see this -video:[Preferences Manager](../preferences/overview.md) +video:[Preferences Manager](/docs/policypak/policypak/preferences/overview.md) ## Security Settings Manager @@ -130,7 +130,7 @@ Security Manager can deploy most Microsoft Security settings to computers over t non-domain-joined machines. **Note**: For more information on this topic, please see this video: -[Security Settings Manager](../securitysettings/overview.md). +[Security Settings Manager](/docs/policypak/policypak/securitysettings/overview.md). ## Start Screen & Taskbar Manager 
@@ -142,10 +142,10 @@ Additionally, you can use this component to pin items to the Windows 10 taskbar. **NOTE:** You may wish to watch our Quickstart videos of Endpoint Policy Manager Start Screen & Taskbar Manager: Start Screen & Task Bar Manager > -[Video Learning Center](../startscreentaskbar/overview/videolearningcenter.md). +[Video Learning Center](/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md). **Note**: For more information on this topic, please see this video: -[Video Learning Center](../startscreentaskbar/overview/videolearningcenter.md) > Start Screen & Task +[Video Learning Center](/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md) > Start Screen & Task Bar Manager ## Scripts & Triggers Manager @@ -157,7 +157,7 @@ In conjunction with Endpoint Policy Manager Cloud or your own MDM service, you c deploy software over the Internet, even to non-domain-joined machines. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../scriptstriggers/overview/videolearningcenter.md) > Scripts & +video:[Video Learning Center](/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md) > Scripts & Triggers Manager. ## Remote Work Delivery Manager @@ -169,7 +169,7 @@ In conjunction with Endpoint Policy Manager Cloud or your own MDM service, you c connections over the Internet, even to non-domain-joined machines. **Note**: For more information on this topic, please see this video: Remote Work Delivery Manager > -[Video Learning Center](../feature/overview/videolearningcenter.md). +[Video Learning Center](/docs/policypak/policypak/feature/overview/videolearningcenter.md). ## Feature Manager for Windows 
@@ -181,7 +181,7 @@ Cloud or your own MDM service, Endpoint Policy Manager Feature Manager for Windo the Windows features and options on machines over the Internet, even to non-domain-joined machines. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../feature/overview/videolearningcenter.md) > Feature Manager for +video:[Video Learning Center](/docs/policypak/policypak/feature/overview/videolearningcenter.md) > Feature Manager for Windows . ## Remote Desktop Protocol Manager @@ -193,7 +193,7 @@ In conjunction with Endpoint Policy Manager Cloud or your own MDM service, you c that add or remove .rdp file connections over the Internet, even to non-domain-joined machines. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../video/remotedesktopprotocol/videolearningcenter.md)[Video Learning Center](../video/remotedesktopprotocol/videolearningcenter.md)[Video Learning Center](../video/remotedesktopprotocol/videolearningcenter.md). +video:[Video Learning Center](/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md)[Video Learning Center](/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md)[Video Learning Center](/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md). ## Network Security Manager @@ -201,7 +201,7 @@ You can use Network Security Manager to specify which processes and applications what IP, web addresses and over what protocols. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../video/networksecurity/videolearningcenter.md) > Network Security +video:[Video Learning Center](/docs/policypak/policypak/video/networksecurity/videolearningcenter.md) > Network Security Manager ## Software Package Manager 
@@ -214,5 +214,5 @@ which add or remove Microsoft Store application connections over the Internet, e non-domain-joined machines. **Note**: For more information on this topic, please see this video: -[Video Learning Center](../softwarepackage/overview/videolearningcenter.md) > Software Package +[Video Learning Center](/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md) > Software Package Manager. diff --git a/docs/policypak/policypak/editions/solutions.md b/docs/policypak/policypak/editions/solutions.md index c308a33aa3..5ad30b76fe 100644 --- a/docs/policypak/policypak/editions/solutions.md +++ b/docs/policypak/policypak/editions/solutions.md @@ -24,13 +24,13 @@ details of where Endpoint Policy Manager data is stored. The most popular method of using Endpoint Policy Manager is via Group Policy. **Note**: For more information on this topic, please see this -video:[Knowledge Base](../grouppolicy/overview/knowledgebase.md) > Group Policy +video:[Knowledge Base](/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md) > Group Policy When you use the Group Policy method, you are 100% in control of your data because it is all contained within your Active Directory.The image below shows what Endpoint Policy Manager looks like whenusing Group Policy. -![editions_solutions_paks_and](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and.webp) +![editions_solutions_paks_and](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and.webp) Group Policy is automatically stored in Active Directory on all domain controllers (DCs), so you don't have to install anything on any DCs or extend the Active Directory schema. Because GPOs are 
@@ -45,7 +45,7 @@ directives must have the Endpoint Policy Manager admin console on it, enabling y Endpoint Policy Manager policies within GPOs. Below you can see how Endpoint Policy Manager works with Group Policy. -![editions_solutions_paks_and_1](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_1.webp) +![editions_solutions_paks_and_1](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_1.webp) When using Group Policy to deploy Endpoint Policy Manager directives, Endpoint Policy Manager will leverage Group Policy to the fullest extent possible. That is, Endpoint Policy Manager honors (at a 
@@ -72,10 +72,10 @@ URLs to Group Policy management videos. | Product Name | Video link to Endpoint Policy Manager and the Group Policy Management Product | | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| Microsoft AGPM (Advanced Group Policy Management) | [Endpoint Policy Manager and AGPM](../video/changemanagementutilities/advancedgrouppolicymanagement.md) | -| Quest GPO Administrator | [Endpoint Policy Manager and Quest's GPOADmin Tool](../video/changemanagementutilities/gpoadmintool.md) | -| Quest Active Administrator | [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](../video/changemanagementutilities/scriptlogicactiveadministrator.md) | -| NetIQ Group Policy Administrator | [Endpoint Policy Manager Integrates with NetIQ GPA](../video/changemanagementutilities/netiq.md) | +| Microsoft AGPM (Advanced Group Policy Management) | [Endpoint Policy Manager and AGPM](/docs/policypak/policypak/video/changemanagementutilities/advancedgrouppolicymanagement.md) | +| Quest GPO Administrator | [Endpoint Policy Manager and Quest's GPOADmin Tool](/docs/policypak/policypak/video/changemanagementutilities/gpoadmintool.md) | +| Quest Active Administrator | [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](/docs/policypak/policypak/video/changemanagementutilities/scriptlogicactiveadministrator.md) | +| NetIQ Group Policy Administrator | [Endpoint Policy Manager Integrates with NetIQ GPA](/docs/policypak/policypak/video/changemanagementutilities/netiq.md) | ## MDM Method 
@@ -83,7 +83,7 @@ You can use Endpoint Policy Manager with your mobile device management (MDM) ser as Microsoft Endpoint Manager (SCCM and Intune), MobileIron, or VMware Workspace ONE. **Note**: For more information on this topic, please see this -video:[Video Learning Center](../mdm/overview/videolearningcenter.md) > Started with MDM. +video:[Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) > Started with MDM. To get started, create directives using the Endpoint Policy Manager MMC, follow these steps: @@ -95,16 +95,16 @@ exporter). **Step 3 –** Upload your finished MSI files into your MDM service. Below is a diagram of the process. -![editions_solutions_paks_and_2](../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_1.webp) +![editions_solutions_paks_and_2](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_1.webp) Below is an example of an uploaded Endpoint Policy Manager MSI file containing XML directives along with the MDM service deploying the Endpoint Policy Manager CSE and license files. -![editions_solutions_paks_and_3](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_3.webp) +![editions_solutions_paks_and_3](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_3.webp) If you plan to use Endpoint Policy Manager with your MDM service, you can find more information about the Endpoint Policy Manager exporter in this topic: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md)Using with MDM and UEM +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md)Using with MDM and UEM Tools. ## Cloud Method 
@@ -113,16 +113,16 @@ You can use the Endpoint Policy Manager Cloud service to create Microsoft Group Policy Manager directives and deliver them through the Internet. **NOTE:** For a video overview of Endpoint Policy Manager Cloud, see -[Endpoint Policy Manager Cloud: QuickStart](../video/cloud/quickstart.md). +[Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md). The diagram below shows how Endpoint Policy Manager Cloud works to deliver directives. Computers can be domain-joined or non-domain-joined. When you are a Endpoint Policy Manager SaaS customer, the Cloud method is the only method available to you. -![editions_solutions_paks_and_4](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_4.webp) +![editions_solutions_paks_and_4](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_4.webp) For a more detailed coverage of Endpoint Policy Manager Cloud see the quick start topic:  Endpoint -Policy Manager [Setup, Download, Install, and Verify](../cloud/quickstart.md). +Policy Manager [Setup, Download, Install, and Verify](/docs/policypak/policypak/cloud/quickstart.md). ## Cloud Hybrid Method 
@@ -131,11 +131,11 @@ installed on the endpoint. Once this is done, it claims a license. Then, Endpoin performs the work. Some customers may want to bootstrap the installation of the Endpoint Policy Manager Cloud client using an RMM or MDM tool they already have hooked into the client. More details on how to do this can be found in the quick start topic: -[Setup, Download, Install, and Verify](../cloud/quickstart.md) +[Setup, Download, Install, and Verify](/docs/policypak/policypak/cloud/quickstart.md) **NOTE:** For a video overview of using Endpoint Policy Manager with an MDM or RMM tool to bootstrap the Endpoint Policy Manager Cloud installer, see: -[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](../video/cloud/mdm.md). +[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](/docs/policypak/policypak/video/cloud/mdm.md). ## Unified Endpoint Management Method 
@@ -148,13 +148,13 @@ KACE) visit: Below we can see what Endpoint Policy Manager would look like using a tool like SCCM. -![editions_solutions_paks_and_5](../../../../static/img/product_docs/policypak/policypak/mdm/using_policypak_with_mdm_and.webp) +![editions_solutions_paks_and_5](/img/product_docs/policypak/policypak/mdm/using_policypak_with_mdm_and.webp) We provide the Endpoint Policy Manager Exporter Tool. This topic is not discussed in this section but you can get more information here: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md). +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). -![editions_solutions_paks_and_6](../../../../static/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_6.webp) +![editions_solutions_paks_and_6](/img/product_docs/policypak/policypak/editions/editions_solutions_paks_and_6.webp) The job of Endpoint Policy Manager Exporter Tool is to enable you to make Endpoint Policy Manager directives and wrap them in an MSI file that you can then deploy using whatever technique you wish. @@ -178,4 +178,4 @@ Directory and it's active, it counts your Endpoint Policy Manager licensing. In use it with Endpoint Policy Manager SaaS/Cloud. For more answers about licensing Endpoint Policy Manager with virtualized systems, see: -[Knowledge Base](../license/overview/knowledgebase.md) > All Things Licensing. +[Knowledge Base](/docs/policypak/policypak/license/overview/knowledgebase.md) > All Things Licensing. diff --git a/docs/policypak/policypak/feature/addremove/collections.md b/docs/policypak/policypak/feature/addremove/collections.md index 77d62287ad..c4d0a529d3 100644 --- a/docs/policypak/policypak/feature/addremove/collections.md +++ b/docs/policypak/policypak/feature/addremove/collections.md 
@@ -8,11 +8,11 @@ settings. Start out by going to **Add** > **New Collection**. From there you can configure the collection settings. -![quickstart_adding_and_removing_1](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_1.webp) +![quickstart_adding_and_removing_1](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_1.webp) The only item you might want to change regularly is the **Reboot Mode**. For now, change it to **Asks User**. In your own environment, you might want to select **Prevent**, but don't do this now. You can see your collection added. -![quickstart_adding_and_removing_2](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_2.webp) +![quickstart_adding_and_removing_2](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_2.webp) diff --git a/docs/policypak/policypak/feature/addremove/overview.md b/docs/policypak/policypak/feature/addremove/overview.md index 03e6ab2779..57afe1b94f 100644 --- a/docs/policypak/policypak/feature/addremove/overview.md +++ b/docs/policypak/policypak/feature/addremove/overview.md @@ -24,7 +24,7 @@ bullet lists above are currently installed. Then, create and link a group policy location that contains computers. In the example below, created a GPO and linked it to the East Sales Desktops. -![quickstart_adding_and_removing](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing.webp) +![quickstart_adding_and_removing](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing.webp) Then click **Edit** to edit the GPO. diff --git a/docs/policypak/policypak/feature/addremove/policies.md b/docs/policypak/policypak/feature/addremove/policies.md index 5ab504b54d..a190ad8a67 100644 --- a/docs/policypak/policypak/feature/addremove/policies.md 
+++ b/docs/policypak/policypak/feature/addremove/policies.md @@ -4,7 +4,7 @@ Double-click to go into your collection, where you can now create policies. Go t Policies**. Once there you are prompted by the Endpoint Policy Manager Feature Manager for Windows wizard. -![quickstart_adding_and_removing_3](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_3.webp) +![quickstart_adding_and_removing_3](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_3.webp) Here you can select an install rule, an uninstall rule, or a mixed rule. @@ -14,7 +14,7 @@ Here you can select an install rule, an uninstall rule, or a mixed rule. For this example, select **Install Rule**, which brings you to the **Select package type** page. -![quickstart_adding_and_removing_4](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_4.webp) +![quickstart_adding_and_removing_4](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_4.webp) The next screen allows you to turn on Windows features. Select the items you want, such as .Net Framework 3.5 (either, both, or neither of the sub-options) as well as the Telnet Client. 
@@ -24,29 +24,29 @@ Additionally you should take note of some special items: - Feature details - Explains which features depend on the selected feature (and will automatically be installed), as well as whether a reboot is required or possible. -![quickstart_adding_and_removing_5](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_5.webp) +![quickstart_adding_and_removing_5](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_5.webp) Click **Next** to continue. Then, click on **Add policies to the existing collection**. -![quickstart_adding_and_removing_6](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_6.webp) +![quickstart_adding_and_removing_6](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_6.webp) In The Policies settings window shows which policy items you are about to create. You can optionally add Item-Level Targeting to any item, so that item will only be installed when the conditions are true. In the example below you can see that the Telnet Client will only be installed on portable computers. -![quickstart_adding_and_removing_7](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_7.webp) +![quickstart_adding_and_removing_7](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_7.webp) **NOTE:** You do not need to add Item-Level Targeting for this example, it is just shown here for future reference. The final page of the wizard displays:. -![quickstart_adding_and_removing_8](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_8.webp) +![quickstart_adding_and_removing_8](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_8.webp) Click **Finish**. Thee two items are added to your collection. 
-![quickstart_adding_and_removing_9](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_9.webp) +![quickstart_adding_and_removing_9](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_9.webp) Now, repeat the process again, this time selecting: @@ -55,16 +55,16 @@ Now, repeat the process again, this time selecting: The **Turn Windows optional features ON** page appears. **Select** **Graphics Tools**. -![quickstart_adding_and_removing_10](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_10.webp) +![quickstart_adding_and_removing_10](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_10.webp) Scroll down and find the RSAT category and select **RSAT: Group Policy Management Tools**. -![quickstart_adding_and_removing_11](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_11.webp) +![quickstart_adding_and_removing_11](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_11.webp) Continue, leaving the remainder of the default settings. You can see the policies added to the collection. -![quickstart_adding_and_removing_12](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_12.webp) +![quickstart_adding_and_removing_12](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_12.webp) Now, let's remove some features and optional features. 
@@ -75,7 +75,7 @@ We will add more policies, this time selecting: Select the items to uninstall, like Microsoft XPS Document Writer and SMB 1.0. -![quickstart_adding_and_removing_13](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_13.webp) +![quickstart_adding_and_removing_13](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_13.webp) Click **Next** through the remainder of the wizard, accepting the defaults. @@ -86,10 +86,10 @@ Run through the wizard one more time, selecting: Then you can select to turn off XPS Viewer. -![quickstart_adding_and_removing_14](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_14.webp) +![quickstart_adding_and_removing_14](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_14.webp) Click **Next** through the remainder of the wizard, accepting the defaults. At this point you should have seven policies. -![quickstart_adding_and_removing_15](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_15.webp) +![quickstart_adding_and_removing_15](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_15.webp) diff --git a/docs/policypak/policypak/feature/addremove/test.md b/docs/policypak/policypak/feature/addremove/test.md index d05bf6066b..de88526497 100644 --- a/docs/policypak/policypak/feature/addremove/test.md +++ b/docs/policypak/policypak/feature/addremove/test.md 
@@ -5,16 +5,16 @@ log on as any user. Run GPupdateto push the computer-side GPO changes. This woul the background between 90 and 120 minutes later. After the computer gets the GPO, the user is prompted to reboot. -![quickstart_adding_and_removing_16](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_16.webp) +![quickstart_adding_and_removing_16](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_16.webp) The reboot prompt only occurs because of the setting within the collection. The computer will finish installing or uninstalling the features upon reboot. -![quickstart_adding_and_removing_17](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_17.webp) +![quickstart_adding_and_removing_17](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_17.webp) Now you can go back and verify those items are added or removed. Below are examples of the final result. -![quickstart_adding_and_removing_18](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_18.webp) +![quickstart_adding_and_removing_18](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_18.webp) -![quickstart_adding_and_removing_19](../../../../../static/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_19.webp) +![quickstart_adding_and_removing_19](/img/product_docs/policypak/policypak/feature/addremove/quickstart_adding_and_removing_19.webp) diff --git a/docs/policypak/policypak/feature/advanced/createcollection.md b/docs/policypak/policypak/feature/advanced/createcollection.md index 59f4714eaf..810ef727b3 100644 --- a/docs/policypak/policypak/feature/advanced/createcollection.md +++ b/docs/policypak/policypak/feature/advanced/createcollection.md 
@@ -5,4 +5,4 @@ the existing collection**, or **Create a new collection**. If you create a new c the screen shown below. This process is the same as creating a collection manually, and the same options are available. -![advanced_manipulations_of_6](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_6.webp) +![advanced_manipulations_of_6](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_6.webp) diff --git a/docs/policypak/policypak/feature/advanced/deletepolicies.md b/docs/policypak/policypak/feature/advanced/deletepolicies.md index a4439a0bc7..3fd471899d 100644 --- a/docs/policypak/policypak/feature/advanced/deletepolicies.md +++ b/docs/policypak/policypak/feature/advanced/deletepolicies.md @@ -2,7 +2,7 @@ You can delete a policy by right-clicking it and selecting **Delete Policy**. -![advanced_manipulations_of](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of.webp) +![advanced_manipulations_of](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of.webp) **NOTE:** This will not revert the current state on the machine. That is, a policy set to install a feature, upon deletion, will not uninstall a feature. And a policy set to uninstall a feature, when diff --git a/docs/policypak/policypak/feature/advanced/editcollection.md b/docs/policypak/policypak/feature/advanced/editcollection.md index e0bc7fa1ca..b024cb3c8f 100644 --- a/docs/policypak/policypak/feature/advanced/editcollection.md +++ b/docs/policypak/policypak/feature/advanced/editcollection.md 
@@ -2,12 +2,12 @@ Collections can be edited as well and their properties changed. -![advanced_manipulations_of_3](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_3.webp) +![advanced_manipulations_of_3](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_3.webp) The collection editor enables you to add a comment and change the state of the collection. It also allows you to change three settings. -![advanced_manipulations_of_4](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_4.webp) +![advanced_manipulations_of_4](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_4.webp) - **Existing Features Option** diff --git a/docs/policypak/policypak/feature/advanced/editpolicy.md b/docs/policypak/policypak/feature/advanced/editpolicy.md index af48f38197..a18d3ee8c7 100644 --- a/docs/policypak/policypak/feature/advanced/editpolicy.md +++ b/docs/policypak/policypak/feature/advanced/editpolicy.md @@ -2,7 +2,7 @@ You can edit a policy by right-clicking the policy and selecting **Edit policy**. -![advanced_manipulations_of_1](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_1.webp) +![advanced_manipulations_of_1](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_1.webp) Inside the Edit Policy window, you can add comments, and change the install type from **Install** to **Uninstall** or vice versa. Additionally, you can change the state so that the policy doesn't apply 
@@ -12,4 +12,4 @@ the policy. In the bottom left corner, you can see the Item-Level Targeting button. This is explained in the next section in more detail. -![advanced_manipulations_of_2](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_2.webp) +![advanced_manipulations_of_2](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_2.webp) diff --git a/docs/policypak/policypak/feature/advanced/mixedrule.md b/docs/policypak/policypak/feature/advanced/mixedrule.md index a5f3d7559b..baa342dfa3 100644 --- a/docs/policypak/policypak/feature/advanced/mixedrule.md +++ b/docs/policypak/policypak/feature/advanced/mixedrule.md @@ -5,7 +5,7 @@ check out the Mixed Rule. The **Mixed Rule** wizard presents a combination of al **Install Rule** and **Uninstall Rule** along with all the screens for features and optional features. -![advanced_manipulations_of_5](../../../../../static/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_5.webp) +![advanced_manipulations_of_5](/img/product_docs/policypak/policypak/feature/advanced/advanced_manipulations_of_5.webp) We recommend first getting the hang of **Install Rule** and **Uninstall Rule**. Once you get a better understand of the UI, you can start using the **Mixed Rule**. diff --git a/docs/policypak/policypak/feature/gettoknow.md b/docs/policypak/policypak/feature/gettoknow.md index 0b6ea7dbed..cae67102d4 100644 --- a/docs/policypak/policypak/feature/gettoknow.md +++ b/docs/policypak/policypak/feature/gettoknow.md 
@@ -7,7 +7,7 @@ allows you to create new Endpoint Policy Manager Feature Manager collections or **NOTE:** You will only see the Endpoint Policy Manager Feature Manager for Windows node when the latest Admin Console MSI is installed on the management station. -![getting_to_know_feature_manager](../../../../static/img/product_docs/policypak/policypak/feature/getting_to_know_feature_manager.webp) +![getting_to_know_feature_manager](/img/product_docs/policypak/policypak/feature/getting_to_know_feature_manager.webp) The functions of collections and policies are as follows: diff --git a/docs/policypak/policypak/feature/itemleveltargeting/exportcollections.md b/docs/policypak/policypak/feature/itemleveltargeting/exportcollections.md index b90393090a..1a109f38a2 100644 --- a/docs/policypak/policypak/feature/itemleveltargeting/exportcollections.md +++ b/docs/policypak/policypak/feature/itemleveltargeting/exportcollections.md @@ -1,7 +1,7 @@ # Exporting Collections In -[Using Item-Level Targeting with Collections and Policies](../../remotedesktopprotocol/itemleveltargeting/overview.md) +[Using Item-Level Targeting with Collections and Policies](/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/overview.md) we explain how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. To export a policy for later use using Endpoint Policy 
@@ -16,7 +16,7 @@ Remember that Endpoint Policy Manager Feature Manager for Windows policies can b exported on the Computer side. For instance, below, you can see a setting being exported. You can also do this for an entire collection (not shown). -![using_item_level_targeting_5](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) +![using_item_level_targeting_5](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) **NOTE:** For a video showing how to export policies and use Endpoint Policy Manager Exporter, watch [https://www.policypak.com/video/deploying-policypak-directives-without-group-policy-policypak-exporter-utility.html](https://www.policypak.com/video/deploying-policypak-directives-without-group-policy-policypak-exporter-utility.html). @@ -27,4 +27,4 @@ function when the machine is domain-joined. For more information on how to use exported policies with Endpoint Policy Manager Cloud or Endpoint Policy Manager MDM see -[Using Endpoint Policy Manager with MDM and UEM Tools](../../mdm/uemtools.md). +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). diff --git a/docs/policypak/policypak/feature/itemleveltargeting/overview.md b/docs/policypak/policypak/feature/itemleveltargeting/overview.md index c5839a62c1..ff905dbfc4 100644 --- a/docs/policypak/policypak/feature/itemleveltargeting/overview.md +++ b/docs/policypak/policypak/feature/itemleveltargeting/overview.md 
@@ -10,12 +10,12 @@ policies so they can act together. For instance, you might create a collection f Computers and another for West Sales Computers. Or you might create one for Windows Server 2016 servers with Exchange, and one for Windows 10 laptops in Sales. -![using_item_level_targeting](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) You can also right-click any Endpoint Policy Manager Feature Manager for Windows policy, and select **Edit Item Level Targeting**. -![using_item_level_targeting_1](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) You can also select Item-Level Targeting when a policy is created using the wizard. @@ -30,7 +30,7 @@ same way parentheses are used in an equation. In this way, you can create a comp about where a policy will be applied. Collections may be set to **And**, **Or** **Is**, or **Is Not**. -![using_item_level_targeting_2](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) Below are some real-world examples of how you can use Item-Level Targeting. 
@@ -52,7 +52,7 @@ Below are some real-world examples of how you can use Item-Level Targeting. After you're done editing, close the editor. Note that the icon of the policy or collection has changed to orange, which shows that it now has Item-Level Targeting. -![using_item_level_targeting_3](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) When Item-Level Targeting is on, the policy won't apply unless the conditions are **True**. If Item-Level Targeting is on a collection, then none of the items in the collection will apply unless diff --git a/docs/policypak/policypak/feature/itemleveltargeting/processorderprecedence.md b/docs/policypak/policypak/feature/itemleveltargeting/processorderprecedence.md index c4695d3533..2ab56b433a 100644 --- a/docs/policypak/policypak/feature/itemleveltargeting/processorderprecedence.md +++ b/docs/policypak/policypak/feature/itemleveltargeting/processorderprecedence.md @@ -6,7 +6,7 @@ process last. Then, within any collection, each policy is processed in numerical to highest. Below we can see a potential conflict within a collection. Item #4 is installing the Telnet Client, while Item #11 is uninstalling it. -![using_item_level_targeting_4](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) +![using_item_level_targeting_4](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) The net effect of this scenario would be that the Telnet Client would be uninstalled because it is processed later. diff --git a/docs/policypak/policypak/feature/overview.md b/docs/policypak/policypak/feature/overview.md index b833aaae7d..b00334fbda 100644 --- a/docs/policypak/policypak/feature/overview.md 
+++ b/docs/policypak/policypak/feature/overview.md @@ -1,7 +1,7 @@ # Feature Manager for Windows **NOTE:** Before reading this section, please ensure you have read -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you with the following: - Install the Admin MSI on your GPMC machine @@ -10,7 +10,7 @@ with the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, read the section on -[MDM & UEM Tools](../mdm/overview.md)[MDM & UEM Tools](../mdm/overview.md). +[MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md)[MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md). Endpoint Policy Manager Feature Manager for Windows allows you to perform the following operations on Windows 10 or Windows Server (2016 and later): 
@@ -73,24 +73,24 @@ There is an in-box method of managing features and optional features on each mac you to address each feature one by one. On any given machine, you can manage features and optional features. -![about_policypak_feature_manager](../../../../static/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager.webp) +![about_policypak_feature_manager](/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager.webp) There are two ways to manage features: with the Windows Features Control Pane, or the Windows Settings page . These options can be accessed through the Start Menu. -![about_policypak_feature_manager_1](../../../../static/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_1.webp) +![about_policypak_feature_manager_1](/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_1.webp) -![about_policypak_feature_manager_2](../../../../static/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_2.webp) +![about_policypak_feature_manager_2](/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_2.webp) With optional features, you can add or subtract the feature you want. Below is an example of what this looks like. -![about_policypak_feature_manager_3](../../../../static/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_3.webp) +![about_policypak_feature_manager_3](/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_3.webp) An alternate way to perform similar functions is via the DISM command on the command line. For example, to install the Hyper-V feature on a machine, you would use the DISM command. 
-![about_policypak_feature_manager_4](../../../../static/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_4.webp) +![about_policypak_feature_manager_4](/img/product_docs/policypak/policypak/feature/about_policypak_feature_manager_4.webp) This process can be scripted, but the challenge is that the system will typically reboot when it wants to, perhaps during a user's session. Additionally, scripts will typically run over and over diff --git a/docs/policypak/policypak/feature/overview/knowledgebase.md b/docs/policypak/policypak/feature/overview/knowledgebase.md index 935417807d..8d6bc7515c 100644 --- a/docs/policypak/policypak/feature/overview/knowledgebase.md +++ b/docs/policypak/policypak/feature/overview/knowledgebase.md @@ -4,4 +4,4 @@ See the following Knowledge Base articles for Feature Manager for Windows. ## Troubleshooting -- [Endpoint Policy Feature Manager for Windows doesn't appear to be working and we're getting error code 0x800f0954. What can I try?](../../troubleshooting/error/feature/code0x800f0954.md) +- [Endpoint Policy Feature Manager for Windows doesn't appear to be working and we're getting error code 0x800f0954. What can I try?](/docs/policypak/policypak/troubleshooting/error/feature/code0x800f0954.md) diff --git a/docs/policypak/policypak/feature/overview/videolearningcenter.md b/docs/policypak/policypak/feature/overview/videolearningcenter.md index 6a341a7a8f..bc60746b77 100644 --- a/docs/policypak/policypak/feature/overview/videolearningcenter.md +++ b/docs/policypak/policypak/feature/overview/videolearningcenter.md 
@@ -4,7 +4,7 @@ See the following Video topics for Scripts and Feature Manager for Windows. ## All Videos -- [Feature Manager For Windows](../../video/feature/windows.md) -- [Feature Manager For Windows Servers](../../video/feature/windowsservers.md) -- [Feature Manager for Windows + Endpoint Policy Manager Cloud](../../video/feature/cloud.md) -- [Feature Manager for Windows + MDM](../../video/feature/mdm.md) +- [Feature Manager For Windows](/docs/policypak/policypak/video/feature/windows.md) +- [Feature Manager For Windows Servers](/docs/policypak/policypak/video/feature/windowsservers.md) +- [Feature Manager for Windows + Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/feature/cloud.md) +- [Feature Manager for Windows + MDM](/docs/policypak/policypak/video/feature/mdm.md) diff --git a/docs/policypak/policypak/feature/windowsservers.md b/docs/policypak/policypak/feature/windowsservers.md index c7ef55df76..2472c2e929 100644 --- a/docs/policypak/policypak/feature/windowsservers.md +++ b/docs/policypak/policypak/feature/windowsservers.md 
@@ -7,19 +7,19 @@ snap-in. If you want to configure a selection of servers to turn on Network Load off SMB 1.0, it is easy to do. The server defaults are below, followed by the steps for the configuration. -![using_feature_manager_for](../../../../static/img/product_docs/policypak/policypak/feature/using_feature_manager_for.webp) +![using_feature_manager_for](/img/product_docs/policypak/policypak/feature/using_feature_manager_for.webp) **Step 1 –** Select Server as the OS type from within Endpoint Policy Manager Feature Manager MMC console. -![using_feature_manager_for_1](../../../../static/img/product_docs/policypak/policypak/feature/using_feature_manager_for_1.webp) +![using_feature_manager_for_1](/img/product_docs/policypak/policypak/feature/using_feature_manager_for_1.webp) **Step 2 –** Pick the server version from the drop-down. -![using_feature_manager_for_2](../../../../static/img/product_docs/policypak/policypak/feature/using_feature_manager_for_2.webp) +![using_feature_manager_for_2](/img/product_docs/policypak/policypak/feature/using_feature_manager_for_2.webp) **Step 3 –** Make your selection as usual. You can turn a feature on or turn a feature off . -![using_feature_manager_for_3](../../../../static/img/product_docs/policypak/policypak/feature/using_feature_manager_for_3.webp) +![using_feature_manager_for_3](/img/product_docs/policypak/policypak/feature/using_feature_manager_for_3.webp) -![using_feature_manager_for_4](../../../../static/img/product_docs/policypak/policypak/feature/using_feature_manager_for_4.webp) +![using_feature_manager_for_4](/img/product_docs/policypak/policypak/feature/using_feature_manager_for_4.webp) diff --git a/docs/policypak/policypak/fileassociations/applymode.md b/docs/policypak/policypak/fileassociations/applymode.md index 47e8236035..27065547f9 100644 --- a/docs/policypak/policypak/fileassociations/applymode.md +++ b/docs/policypak/policypak/fileassociations/applymode.md 
@@ -4,25 +4,25 @@ You can also create policies that will enforce a given file association one time then drift from your configuration and choose their own application. **NOTE:** For a video on applying policies only once, see -[Endpoint Policy Manager File Associations Manager: Apply once (and drift)](../video/fileassociations/applyonce.md). +[Endpoint Policy Manager File Associations Manager: Apply once (and drift)](/docs/policypak/policypak/video/fileassociations/applyonce.md). Let's create a file association policy on the User side so that Adobe Acrobat Reader is the assigned application for all its associated files. -![about_policypak_file_associations_27](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_27.webp) +![about_policypak_file_associations_27](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_27.webp) Notice that you get a popup message alerting you that user-side file and protocol associations are ignored on Endpoint Policy Manager CSE versions older than 20.2.2361. -![about_policypak_file_associations_28](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_28.webp) +![about_policypak_file_associations_28](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_28.webp) You can then choose all of the possible file types for Adobe Acrobat Reader. -![about_policypak_file_associations_29](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_29.webp) +![about_policypak_file_associations_29](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_29.webp) Next choose the **Apply once (for policies)** option. 
-![about_policypak_file_associations_30](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_30.webp) +![about_policypak_file_associations_30](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_30.webp) Once the policy has been enforced one time, users can then drift away from the deployed configuration to make their own choices. @@ -30,4 +30,4 @@ configuration to make their own choices. You can use this Apply once and drift approach for a single policy as well. Simply go to **Add** > **New Policy** and click the **Apply** drop down menu and select **Once**. -![about_policypak_file_associations_31](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_31.webp) +![about_policypak_file_associations_31](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_31.webp) diff --git a/docs/policypak/policypak/fileassociations/collections/policies.md b/docs/policypak/policypak/fileassociations/collections/policies.md index c26b9090c1..b3fdbedb25 100644 --- a/docs/policypak/policypak/fileassociations/collections/policies.md +++ b/docs/policypak/policypak/fileassociations/collections/policies.md @@ -15,7 +15,7 @@ The functions of collections and policies are as follows: Below you can see how to add a new collection or policy. -![about_policypak_file_associations_4](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_4.webp) +![about_policypak_file_associations_4](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_4.webp) If you want to follow along with the Quickstart for Endpoint Policy Manager File Associations Manager in the next section, we suggest you download some applications on your Windows 10 management 
@@ -31,7 +31,7 @@ following files: Below is an example of all four types of files on the sample Desktop. -![about_policypak_file_associations_5](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_5.webp) +![about_policypak_file_associations_5](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_5.webp) Endpoint Policy Manager File Associations Manager is the quickest way to set up, test, and manage file associations on your machine (the Group Policy Editor machine) if it has the same applications @@ -49,11 +49,11 @@ Acrobat Reader asks if it can be the default PDF viewe. Yet, after the installat is not associated with Acrobat Reader. Instead, Windows 10 Edge is typically the default program to open PDF files, or Edge is recommended, and the user must make a choice. -![about_policypak_file_associations_6](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_6.webp) +![about_policypak_file_associations_6](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_6.webp) When installing Adobe Acrobat Reader DC, the installer asks to be the default PDF viewer. -![about_policypak_file_associations_7](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_7.webp) +![about_policypak_file_associations_7](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_7.webp) Edge generally becomes the default when a user opens a PDF file. 
@@ -63,18 +63,18 @@ installed, it is not actually correctly set as the default for `MAILTO: emails`. test this by opening up Wordpad and typing `MAILTO:you@email.com`, . Click the link, and you will see that it will launch the Windows 10 default mail application instead of Outlook or Claws Mail. -![about_policypak_file_associations_8](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_8.webp) +![about_policypak_file_associations_8](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_8.webp) After installing Claws Mail, the program tries to make itself the default for opening emails. -![about_policypak_file_associations_9](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_9.webp) +![about_policypak_file_associations_9](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_9.webp) Opening Wordpad and typing `MAILTO:you@email.com` shows that Outlook or Claws Mail is not actually the default email program. The UWP (Windows Universal App in the Windows store) for Metro Media Player Pro is shown below. -![about_policypak_file_associations_10](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_10.webp) +![about_policypak_file_associations_10](/img/product_docs/policypak/policypak/fileassociations/collections/about_policypak_file_associations_10.webp) In order to successfully complete the Quickstart with Endpoint Policy Manager File Associations Manager in the next section, make sure you have the following machines set up with the programs and diff --git a/docs/policypak/policypak/fileassociations/collections/preconfigured.md b/docs/policypak/policypak/fileassociations/collections/preconfigured.md index 5102eacf0f..973927947e 100644 
--- a/docs/policypak/policypak/fileassociations/collections/preconfigured.md +++ b/docs/policypak/policypak/fileassociations/collections/preconfigured.md @@ -7,7 +7,7 @@ usual settings). **NOTE:** For a video overview demonstrating how to use preconfigured Endpoint Policy Manager File Associations Manager items, see -[Endpoint Policy Manager File Associations Manager: Use our preconfigured advice](../../video/fileassociations/preconfiguredadvice.md) +[Endpoint Policy Manager File Associations Manager: Use our preconfigured advice](/docs/policypak/policypak/video/fileassociations/preconfiguredadvice.md) topic for additional information. For instance, for all the common Adobe products, Adobe has some advice that we have we've repackaged 
@@ -16,33 +16,33 @@ article [Setting the Default PDF Viewer](https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html)[ for additional information.](https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html). The image below shows their guidance on associating file types to ProgIDs. -![using_preconfigured_collections](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections.webp) +![using_preconfigured_collections](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections.webp) You could try to set all of this yourself, but here at Endpoint Policy Manager, we've done the work so you don't have to. To locate the Endpoint Policy Manager File Associations Manager preconfigured settings based on the manufacturer's guidance, follow these steps: -![using_preconfigured_collections_1](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_1.webp) +![using_preconfigured_collections_1](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_1.webp) **Step 1 –** Go to the Endpoint Policy Manager Portal and locate the Guidance XMLs ZIP file. -![using_preconfigured_collections_2](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_2.webp) +![using_preconfigured_collections_2](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_2.webp) **Step 2 –** Download and unpack the ZIP file. Look for the folder called Endpoint Policy Manager File Associations Manager XMLs. 
-![using_preconfigured_collections_3](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_3.webp) +![using_preconfigured_collections_3](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_3.webp) **Step 3 –** Inside that folder, you'll see XMLs, which are ready for immediate import into Endpoint Policy Manager File Associations Manager. -![using_preconfigured_collections_4](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_4.webp) +![using_preconfigured_collections_4](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_4.webp) **Step 4 –** To import the XML files, drag and drop them into the Endpoint Policy Manager File Associations Manager console. This creates a collection for applications such as Adobe Reader DC, Adobe Reader 11, and others. -![using_preconfigured_collections_5](../../../../../static/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_5.webp) +![using_preconfigured_collections_5](/img/product_docs/policypak/policypak/fileassociations/collections/using_preconfigured_collections_5.webp) **Step 5 –** The orange color of the icon denotes that the collections have Item-Level Targeting on them to ensure that they will only apply when the application is actually present on the machine. If diff --git a/docs/policypak/policypak/fileassociations/helperutility.md b/docs/policypak/policypak/fileassociations/helperutility.md index 025a3018c2..1f4a7d6f66 100644 --- a/docs/policypak/policypak/fileassociations/helperutility.md +++ b/docs/policypak/policypak/fileassociations/helperutility.md 
@@ -13,12 +13,12 @@ already installed and to which you want to make a policy association with later. **NOTE:** For a video overview demonstrating how to use the Endpoint Policy Manager File Associations Manager Helper utility, watch this video: -[Endpoint Policy Manager File Associations Manager: Helper Application](../video/fileassociations/helperapplication.md). +[Endpoint Policy Manager File Associations Manager: Helper Application](/docs/policypak/policypak/video/fileassociations/helperapplication.md). The Endpoint Policy Manager File Associations Manager Helper is found in the Endpoint Policy Manager ISO or ZIP download in the Endpoint Policy Manager Extras folder. -![using_the_helper_utility](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility.webp) +![using_the_helper_utility](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility.webp) Follow these steps to setup the Endpoint Policy ManagerPolicyPak File Associations Manager Helper utility: 
@@ -26,25 +26,25 @@ utility: **Step 1 –** Launch the 11,000 kB EXE. When you do, the Endpoint Policy Manager File Associations Manager Export wizard appears. -![using_the_helper_utility_1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_1.webp) +![using_the_helper_utility_1](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_1.webp) **Step 2 –** Find a particular file association that already exists on the machine, such as 3mf, and the application it is already associated with. The application must be registered in order to see it in the list. -![using_the_helper_utility_2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_2.webp) +![using_the_helper_utility_2](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_2.webp) **Step 3 –** Select **Include icons in the file (Can dramatically increase file size)**. This setting is recommended even though the XML might be bigger. You must also choose to **Show file in folder after finished** and **Open XML in Notepad when save is complete** for examination. -![using_the_helper_utility_3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_3.webp) +![using_the_helper_utility_3](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_3.webp) **Step 4 –** Take the exported file and import it into a Endpoint Policy Manager File Associations Manager Group Policy Object (GPO). Note that the option to import from an XML is available when you create a new entry and click **Select Program**. 
-![using_the_helper_utility_4](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_4.webp) +![using_the_helper_utility_4](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_4.webp) To import the exported file into a Endpoint Policy Manager File Associations Manager GPO, pull up the Select Program Association window, and then click on **From XML file** under Import. diff --git a/docs/policypak/policypak/fileassociations/insouts/advantages.md b/docs/policypak/policypak/fileassociations/insouts/advantages.md index f1b01e574a..8110dcaf61 100644 --- a/docs/policypak/policypak/fileassociations/insouts/advantages.md +++ b/docs/policypak/policypak/fileassociations/insouts/advantages.md @@ -40,5 +40,5 @@ Group Policy update. **NOTE:** For a video demonstrating how neither Endpoint Policy Manager File Associations Manager nor Microsoft's method can affect a user until the second login, see the -[Endpoint Policy Manager File Associations Manager: Understanding the First Login](../../video/fileassociations/firstlogin.md) +[Endpoint Policy Manager File Associations Manager: Understanding the First Login](/docs/policypak/policypak/video/fileassociations/firstlogin.md) topic for additional information.. diff --git a/docs/policypak/policypak/fileassociations/insouts/windows10.md b/docs/policypak/policypak/fileassociations/insouts/windows10.md index c2d3ed7455..54ff3e999a 100644 --- a/docs/policypak/policypak/fileassociations/insouts/windows10.md +++ b/docs/policypak/policypak/fileassociations/insouts/windows10.md 
@@ -26,12 +26,12 @@ Dism /Online /Export-DefaultAppAssociations:\AppAssoc.xml The exported file from this process might look something like this: -![about_policypak_file_associations_2](../../../../../static/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_2.webp) +![about_policypak_file_associations_2](/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_2.webp) **Step 5 –** Next, you would use the Group Policy setting called **Set a default associations configuration file**. -![about_policypak_file_associations_3](../../../../../static/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_3.webp) +![about_policypak_file_associations_3](/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_3.webp) The disadvantages of using the in-box method for Windows 10 are as follows: diff --git a/docs/policypak/policypak/fileassociations/insouts/windows7.md b/docs/policypak/policypak/fileassociations/insouts/windows7.md index cc2688904a..70749b3597 100644 --- a/docs/policypak/policypak/fileassociations/insouts/windows7.md +++ b/docs/policypak/policypak/fileassociations/insouts/windows7.md @@ -6,7 +6,7 @@ applications. This is still available within the Microsoft Group Policy Editor b Configuration** > **Preferences** > **Control Panel Settings** > **Folder Options** > **New** > **Open With**. -![about_policypak_file_associations](../../../../../static/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations.webp) +![about_policypak_file_associations](/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations.webp) This older method of setting file associations is still available in the Microsoft Group Policy Editor on the User side with Windows 7 and 8. 
@@ -14,7 +14,7 @@ Editor on the User side with Windows 7 and 8. Next, select the file extension and the associated program. You can also choose to **Set as Default**. -![about_policypak_file_associations_1](../../../../../static/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_1.webp) +![about_policypak_file_associations_1](/img/product_docs/policypak/policypak/fileassociations/insouts/about_policypak_file_associations_1.webp) This method worked well on Windows XP to Windows 8, but stopped working with Windows 8.1. diff --git a/docs/policypak/policypak/fileassociations/itemleveltargeting/exportcollection.md b/docs/policypak/policypak/fileassociations/itemleveltargeting/exportcollection.md index bbeae9f6d3..bfb7763914 100644 --- a/docs/policypak/policypak/fileassociations/itemleveltargeting/exportcollection.md +++ b/docs/policypak/policypak/fileassociations/itemleveltargeting/exportcollection.md @@ -1,6 +1,6 @@ # Exporting Collections -[Using Endpoint Policy Manager with MDM and UEM Tools](../../mdm/uemtools.md) explains how to use +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) explains how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, you own MDM service, or Endpoint Policy Manager Cloud. However, we recommend NOT using Endpoint Policy Manager File Associations 
@@ -11,11 +11,11 @@ File Associations Manager, so if you decide to use Endpoint Policy Manager Cloud domain-joined machines, Endpoint Policy Manager File Associations Manager will function as expected using Endpoint Policy Manager Cloud. -![using_item_level_targeting_8](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) +![using_item_level_targeting_8](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) **NOTE:** For a video demonstrating the use of Endpoint Policy Manager Cloud with domain-joined machines. See the -[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../../video/cloud/integration/onpremise.md) +[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md) topic for additional information. To export a policy for later use with Endpoint Policy Manager Exporter or Endpoint Policy Manager 
@@ -23,12 +23,12 @@ Cloud, right-click the collection or the policy, and select **Export to XML**. **NOTE:** For a video showing how to export policies and how to use Endpoint Policy Manager Exporter.See the -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../../video/mdm/exporterutility.md) +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/mdm/exporterutility.md) topic for additional information. -![using_item_level_targeting_9](../../../../../static/img/product_docs/policypak/policypak/fileassociations/itemleveltargeting/using_item_level_targeting_9.webp) +![using_item_level_targeting_9](/img/product_docs/policypak/policypak/fileassociations/itemleveltargeting/using_item_level_targeting_9.webp) -![using_item_level_targeting_10](../../../../../static/img/product_docs/policypak/policypak/fileassociations/itemleveltargeting/using_item_level_targeting_10.webp) +![using_item_level_targeting_10](/img/product_docs/policypak/policypak/fileassociations/itemleveltargeting/using_item_level_targeting_10.webp) **NOTE:** Exported collections or policies maintain any Item-Level Targeting set within them. If you've used items that represent Group Membership in Active Directory, then those items will only diff --git a/docs/policypak/policypak/fileassociations/itemleveltargeting/overview.md b/docs/policypak/policypak/fileassociations/itemleveltargeting/overview.md index e8f661451b..5baedd61c5 100644 --- a/docs/policypak/policypak/fileassociations/itemleveltargeting/overview.md +++ b/docs/policypak/policypak/fileassociations/itemleveltargeting/overview.md 
@@ -12,19 +12,19 @@ targets only your East Sales computers, and another collection that targets your computers. Or you might want to create a collection for Windows 10 machines and one for Windows Server 2016 RDS. -![using_item_level_targeting](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) -![using_item_level_targeting_1](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) Below you can see the two collections that we have created that can hold other collections or policies. It also shows how you can apply Item-Level Targeting for a collection. -![using_item_level_targeting_2](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) To change the Item-Level Targeting, right-click any Endpoint Policy Manager File Associations Manager policy, and select **Edit Item Level Targeting**. -![using_item_level_targeting_3](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) The Edit Item Level Targeting menu item brings up the Targeting Editor. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy 
@@ -42,7 +42,7 @@ Endpoint Policy Manager File Associations Manager cannot filter by user group si available on the Computer side, and Endpoint Policy Manager File Associations Manager is only valid for Windows 8.1 and later. -![using_item_level_targeting_4](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) +![using_item_level_targeting_4](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) In this example, the Pak would only apply to Windows 10 machines when the machine is portable, and the user is in the FABRIKAM\Traveling Sales Users group. @@ -67,7 +67,7 @@ Below are some real-world examples of how you can use Item-Level Targeting. Close the editor when you are done. Note that the icon for the policy or collection has changed to orange, which shows that it now has Item-Level Targeting. -![using_item_level_targeting_5](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) +![using_item_level_targeting_5](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) When Item-Level Targeting is on, the policy won't apply unless the conditions evaluate to True, and if Item-Level Targeting is on for a collection, then none of the items in the collection will apply diff --git a/docs/policypak/policypak/fileassociations/itemleveltargeting/processorderprecedence.md b/docs/policypak/policypak/fileassociations/itemleveltargeting/processorderprecedence.md index be13ef989c..90e39ee640 100644 --- a/docs/policypak/policypak/fileassociations/itemleveltargeting/processorderprecedence.md +++ b/docs/policypak/policypak/fileassociations/itemleveltargeting/processorderprecedence.md 
@@ -5,9 +5,9 @@ So lower-numbered collections attempt to process first, and higher-numbered coll process last. Then, within any collection, each policy is processed in numerical order from lowest to highest. -![using_item_level_targeting_6](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) +![using_item_level_targeting_6](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) -![using_item_level_targeting_7](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) +![using_item_level_targeting_7](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) ## Merging and Conflicts diff --git a/docs/policypak/policypak/fileassociations/mapextensions.md b/docs/policypak/policypak/fileassociations/mapextensions.md index 750f0c9015..2f8371d946 100644 --- a/docs/policypak/policypak/fileassociations/mapextensions.md +++ b/docs/policypak/policypak/fileassociations/mapextensions.md @@ -1,7 +1,7 @@ # Quick Start - Mapping Extensions to Applications **NOTE:** For some video overviews of Endpoint Policy Manager File Associations Manager, see the -[Endpoint Policy Manager Cloud: Managing File Assocations](../video/fileassociations/cloud.md) topic +[Endpoint Policy Manager Cloud: Managing File Assocations](/docs/policypak/policypak/video/fileassociations/cloud.md) topic for additional information. Even after applications such as Acrobat, Metro Media Player, and Outlook are installed, those 
@@ -21,7 +21,7 @@ Policies is linked to the East Sales Computers OU. **Step 2 –** In **Computer Configuration** > **PolicyPak** > **File Associations Manager**, select **Add** > **New Policy**. -![about_policypak_file_associations_11](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_11.webp) +![about_policypak_file_associations_11](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_11.webp) **Step 3 –** The Endpoint Policy Manager File Associations Manager policy editor displays, showing the most common configuration. For this Quickstart, make the following selections: 
@@ -35,22 +35,22 @@ the most common configuration. For this Quickstart, make the following selection **Step 4 –** The Associated Program (ProgID) and Application Name are automatically filled in. -![about_policypak_file_associations_12](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_12.webp) +![about_policypak_file_associations_12](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_12.webp) **Step 5 –** When you click **OK** to save the policy, the entry looks like this: -![about_policypak_file_associations_13](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_13.webp) +![about_policypak_file_associations_13](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_13.webp) **Step 6 –** Create another policy to map MAILTO: to Outlook or Claws Mail (your machine must have Outlook or Claws Mail already installed). Go to **Add** > **New Policy**. For this policy, choose **Network Protocol** as the filter type, then type in `mailto` (using either lowercase or uppercase) in the **Network Protocol** field. Click **Select Program** and locate Claws Mail. -![about_policypak_file_associations_14](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_14.webp) +![about_policypak_file_associations_14](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_14.webp) You now have two entries, one for PDF and one for MAILTO: -![about_policypak_file_associations_15](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_15.webp) +![about_policypak_file_associations_15](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_15.webp) Now we create a map from MP4 to the UWP version of Metro Media Player. 
You must have the UWP (Windows Universal/Windows store) version of Metro Media Player on your management station for these @@ -61,11 +61,11 @@ this, click the **Windows 10 Category** radio button, and then select **Video Pl **Select Program**, find an instance of Metro Media Player (UWP), and select it. When you do, the Associated Program (Progid) and Application Name are automatically filled in. -![about_policypak_file_associations_16](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_16.webp) +![about_policypak_file_associations_16](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_16.webp) Now, you'll have a new entry. -![about_policypak_file_associations_17](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_17.webp) +![about_policypak_file_associations_17](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_17.webp) Make sure the endpoint has the same programs installed as the management station and also has the Endpoint Policy Manager CSE installed. 
@@ -74,10 +74,10 @@ Endpoint Policy Manager CSE installed. effect until that user logs off and then logs on again. Also note that after `GPupdate `is run there is no discernible change in the icons of the newly registered file types. -![about_policypak_file_associations_18](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_18.webp) +![about_policypak_file_associations_18](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_18.webp) Once you run `GPupdate` you should see the PDF icon change. After this, double-clicking on a PDF should open Acrobat Reader, double-clicking on the MP4 should open Metro Media Player, and opening your Wordpad doc, which has a MAILTO: email address, should open Claws Mail (or Outlook). -![about_policypak_file_associations_19](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_19.webp) +![about_policypak_file_associations_19](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_19.webp) diff --git a/docs/policypak/policypak/fileassociations/oemdefaultassociations.md b/docs/policypak/policypak/fileassociations/oemdefaultassociations.md index 8be38343a2..e9e3f9fe8b 100644 --- a/docs/policypak/policypak/fileassociations/oemdefaultassociations.md +++ b/docs/policypak/policypak/fileassociations/oemdefaultassociations.md @@ -13,4 +13,4 @@ Therefore, use only Endpoint Policy Manager File Associations Manager and not th achieve File Associations goals. Remove any in-box Group Policy settings, etc, which are attempting to set File Associations and use only Endpoint Policy Manager to do it. -![660_1_faq4-img1](../../../../static/img/product_docs/policypak/policypak/fileassociations/660_1_faq4-img1.webp) +![660_1_faq4-img1](/img/product_docs/policypak/policypak/fileassociations/660_1_faq4-img1.webp) 
diff --git a/docs/policypak/policypak/fileassociations/overview.md b/docs/policypak/policypak/fileassociations/overview.md index 616d507317..168ca0434b 100644 --- a/docs/policypak/policypak/fileassociations/overview.md +++ b/docs/policypak/policypak/fileassociations/overview.md @@ -10,7 +10,7 @@ This is a self-imposed limitation by Microsoft on this Windows 10 feature. ## About File Associations Manager **NOTE:** Before reading this section, please ensure you have read -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -21,7 +21,7 @@ learn to do the following: Optionally, if you don't want to use Group Policy, read the section on Advanced Concepts on Group Policy and non–Group Policy methods (MEMCM, KACE, and MDM service or Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud), located in the -[Endpoint Privilege Manager Implementation QuickStart Guide](../leastprivilege/pplpmimplementationguide.md) +[Endpoint Privilege Manager Implementation QuickStart Guide](/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md) to deploy your directives. Endpoint Policy Manager File Associations Manager enables you to perform the following operations in diff --git a/docs/policypak/policypak/fileassociations/overview/knowledgebase.md b/docs/policypak/policypak/fileassociations/overview/knowledgebase.md index 6e04fb2276..e5f7bf6d13 100644 --- a/docs/policypak/policypak/fileassociations/overview/knowledgebase.md +++ b/docs/policypak/policypak/fileassociations/overview/knowledgebase.md 
@@ -4,14 +4,14 @@ See the following Knowledge Base articles for File Associations Manager. ## Troubleshooting -- [Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](../defaultbrowser.md) -- [How does PP File Associations Manager merge between GPOs and/or Collections?](../collections/gpos.md) -- [What happens if I use MDT, or in-box Group Policy or MDM to set OEMDefaultAssociations.XML BEFORE Endpoint Policy Manager File Associations Manager ?](../oemdefaultassociations.md) -- [Why is Browser Router's "Default Browser" or File Associations Manager's configuration not working when I also have a Default Associations Configuration file?](../../troubleshooting/fileassociations/defaultassociationsconfiguration.md) -- [How do I revert to "Legacy File Associations Methods & Features" if directed (especially for LTSB/LTSC)?](../../troubleshooting/fileassociations/legacy.md) +- [Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](/docs/policypak/policypak/fileassociations/defaultbrowser.md) +- [How does PP File Associations Manager merge between GPOs and/or Collections?](/docs/policypak/policypak/fileassociations/collections/gpos.md) +- [What happens if I use MDT, or in-box Group Policy or MDM to set OEMDefaultAssociations.XML BEFORE Endpoint Policy Manager File Associations Manager ?](/docs/policypak/policypak/fileassociations/oemdefaultassociations.md) +- [Why is Browser Router's "Default Browser" or File Associations Manager's configuration not working when I also have a Default Associations Configuration file?](/docs/policypak/policypak/troubleshooting/fileassociations/defaultassociationsconfiguration.md) +- [How do I revert to "Legacy File Associations Methods & Features" if directed (especially for LTSB/LTSC)?](/docs/policypak/policypak/troubleshooting/fileassociations/legacy.md) ## Tips and Tricks -- [How 
can I make Cortana and other web searches to use system default browser instead of Microsoft Edge?](../../troubleshooting/fileassociations/cortana.md) -- [How can I associate .HTM files with a specific browser, like Internet Explorer?](../../troubleshooting/fileassociations/specificbrowser.md) -- [How can I open images with Windows Photo Viewer?](../../troubleshooting/fileassociations/windowsphotoviewer.md) +- [How can I make Cortana and other web searches to use system default browser instead of Microsoft Edge?](/docs/policypak/policypak/troubleshooting/fileassociations/cortana.md) +- [How can I associate .HTM files with a specific browser, like Internet Explorer?](/docs/policypak/policypak/troubleshooting/fileassociations/specificbrowser.md) +- [How can I open images with Windows Photo Viewer?](/docs/policypak/policypak/troubleshooting/fileassociations/windowsphotoviewer.md) diff --git a/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md b/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md index 9f4019e166..9e90efa466 100644 --- a/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md +++ b/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md 
@@ -4,26 +4,26 @@ For more information on File Associations Manager see the following videos. ## Getting Started -- [Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](../../video/fileassociations/windows10.md) -- [Endpoint Policy Manager File Associations Manager: Apply once (and drift)](../../video/fileassociations/applyonce.md) -- [Associate Programs to Universal Windows Apps (Metro Apps)](../../video/fileassociations/universalwindowsapps.md) -- [Manage all File Associations with the PPFAM Wizard](../../video/fileassociations/wizard.md) -- [Endpoint Policy Manager File Associations Manager: Use our preconfigured advice](../../video/fileassociations/preconfiguredadvice.md) +- [Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](/docs/policypak/policypak/video/fileassociations/windows10.md) +- [Endpoint Policy Manager File Associations Manager: Apply once (and drift)](/docs/policypak/policypak/video/fileassociations/applyonce.md) +- [Associate Programs to Universal Windows Apps (Metro Apps)](/docs/policypak/policypak/video/fileassociations/universalwindowsapps.md) +- [Manage all File Associations with the PPFAM Wizard](/docs/policypak/policypak/video/fileassociations/wizard.md) +- [Endpoint Policy Manager File Associations Manager: Use our preconfigured advice](/docs/policypak/policypak/video/fileassociations/preconfiguredadvice.md) ## Methods: Cloud, MDM, SCCM, PDQ, etc. 
-- [Managing File Associations with an MDM service](../../video/fileassociations/mdm.md) -- [Endpoint Policy Manager Cloud: Managing File Assocations](../../video/fileassociations/cloud.md) -- [Setting Default File Associations with Endpoint Policy Manager and PDQ Deploy](../../video/fileassociations/pdqdeploy.md) -- [Using File Association Manager in the Endpoint Policy Manager Cloud environment](../../video/fileassociations/cloudusage.md) +- [Managing File Associations with an MDM service](/docs/policypak/policypak/video/fileassociations/mdm.md) +- [Endpoint Policy Manager Cloud: Managing File Assocations](/docs/policypak/policypak/video/fileassociations/cloud.md) +- [Setting Default File Associations with Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/fileassociations/pdqdeploy.md) +- [Using File Association Manager in the Endpoint Policy Manager Cloud environment](/docs/policypak/policypak/video/fileassociations/cloudusage.md) ## Tips and Tricks -- [Force IE to use Adobe Reader for PDFs](../../video/fileassociations/adobereader.md) -- [Endpoint Policy Manager: How to get mailto: to open in Office 365](../../video/fileassociations/mailto.md) -- [Windows 10 File Associations: Set, Change and Remove Easily](../../video/fileassociations/windows10modify.md) -- [File Associations Manager Helper Tool](../../video/fileassociations/helpertool.md) -- [Endpoint Policy Manager File Associations Manager: Understanding the First Login](../../video/fileassociations/firstlogin.md) -- [Endpoint Policy Manager File Associations Manager: Helper Application](../../video/fileassociations/helperapplication.md) -- [Endpoint Policy Manager File Associations Trick: Acro Reader AND Writer](../../video/fileassociations/acroreader.md) -- [Endpoint Policy Manager File Associations: Don't ask questions (even when you did it right)](../../video/fileassociations/windows10questions.md) +- [Force IE to use Adobe Reader for 
PDFs](/docs/policypak/policypak/video/fileassociations/adobereader.md) +- [Endpoint Policy Manager: How to get mailto: to open in Office 365](/docs/policypak/policypak/video/fileassociations/mailto.md) +- [Windows 10 File Associations: Set, Change and Remove Easily](/docs/policypak/policypak/video/fileassociations/windows10modify.md) +- [File Associations Manager Helper Tool](/docs/policypak/policypak/video/fileassociations/helpertool.md) +- [Endpoint Policy Manager File Associations Manager: Understanding the First Login](/docs/policypak/policypak/video/fileassociations/firstlogin.md) +- [Endpoint Policy Manager File Associations Manager: Helper Application](/docs/policypak/policypak/video/fileassociations/helperapplication.md) +- [Endpoint Policy Manager File Associations Trick: Acro Reader AND Writer](/docs/policypak/policypak/video/fileassociations/acroreader.md) +- [Endpoint Policy Manager File Associations: Don't ask questions (even when you did it right)](/docs/policypak/policypak/video/fileassociations/windows10questions.md) diff --git a/docs/policypak/policypak/fileassociations/productwizard.md b/docs/policypak/policypak/fileassociations/productwizard.md index 377c6adb5f..41f6e0bf86 100644 --- a/docs/policypak/policypak/fileassociations/productwizard.md +++ b/docs/policypak/policypak/fileassociations/productwizard.md 
@@ -6,10 +6,10 @@ MP4 files, it can open several dozen kinds of files. In these cases you might wa Policies for Product wizard. **NOTE:** For more information on the Add Policies for Product wizard, see the -[Manage all File Associations with the PPFAM Wizard](../video/fileassociations/wizard.md) topic for +[Manage all File Associations with the PPFAM Wizard](/docs/policypak/policypak/video/fileassociations/wizard.md) topic for additional information.. -![about_policypak_file_associations_24](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_24.webp) +![about_policypak_file_associations_24](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_24.webp) The Add Policies for Product wizard allows you to adjust policies for one program (in Simple mode), or multiple programs (in Combo mode). It also lets you to quickly specify which extensions you want @@ -18,9 +18,9 @@ to associate with which applications. Simply locate the application or applications, and then select the extensions. In the examples below we have selected VLC Media Player and specified all of the extensions it has tried to register for. -![about_policypak_file_associations_25](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_25.webp) +![about_policypak_file_associations_25](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_25.webp) When you are done, you have , a collection that contains all the selected extensions you want VLC Media Player to use. -![about_policypak_file_associations_26](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_26.webp) +![about_policypak_file_associations_26](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_26.webp) 
diff --git a/docs/policypak/policypak/fileassociations/registeredextensions.md b/docs/policypak/policypak/fileassociations/registeredextensions.md index 506b370a3e..99e247cc1c 100644 --- a/docs/policypak/policypak/fileassociations/registeredextensions.md +++ b/docs/policypak/policypak/fileassociations/registeredextensions.md 
@@ -37,18 +37,18 @@ file extension to this custom application. `Notepad++Portable.exe` program. When that file is selected, the **Application Icon field**is automatically filled in. -![about_policypak_file_associations_20](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_20.webp) +![about_policypak_file_associations_20](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_20.webp) **Step 4 –** Now you should have a total of four file association policies. -![about_policypak_file_associations_21](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_21.webp) +![about_policypak_file_associations_21](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_21.webp) **NOTE:** The XML file type on the endpoint has no icon in particular. -![about_policypak_file_associations_23](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_23.webp) +![about_policypak_file_associations_23](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_23.webp) **Step 5 –** To continue, run `GPupdate` on the endpoint. Then, to see it take effect, log off and log on again. When you do, you'll see the XML file icon change to Notepad++. Double-clicking the icon will launch Notepad++ Portable. -![about_policypak_file_associations_22](../../../../static/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_22.webp) +![about_policypak_file_associations_22](/img/product_docs/policypak/policypak/fileassociations/about_policypak_file_associations_22.webp) diff --git a/docs/policypak/policypak/gettingstarted.md b/docs/policypak/policypak/gettingstarted.md index 786c6fe46f..0d1030c428 100644 --- a/docs/policypak/policypak/gettingstarted.md +++ b/docs/policypak/policypak/gettingstarted.md 
@@ -9,7 +9,7 @@ In order to get the latest Endpoint Policy Manager downloads, you need access to Manager Customer Portal (shown in Figure 1). You can only get access to the portal from a Endpoint Policy Manager sales associate. -![getting_started_right_away](../../../static/img/product_docs/policypak/policypak/getting_started_right_away.webp) +![getting_started_right_away](/img/product_docs/policypak/policypak/getting_started_right_away.webp) Figure 1. Inside the Endpoint Policy Manager Customer Portal. @@ -32,7 +32,7 @@ You may also want to utilize the free 7-Zip program to open ZIP or ISO downloads files. Download 7-Zip from [http://www.7-zip.org/](http://www.7-zip.org/). In Figure 2, you can see the list of files and directories that are inside the Endpoint Policy Manager ZIP or ISO download. -![getting_started_right_away_1](../../../static/img/product_docs/policypak/policypak/getting_started_right_away_1.webp) +![getting_started_right_away_1](/img/product_docs/policypak/policypak/getting_started_right_away_1.webp) Figure 2. The folders that are inside the download. 
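Review bot: the unchanged context line in the `@@ -32,7` hunk of gettingstarted.md still links the 7-Zip download as `[http://www.7-zip.org/](http://www.7-zip.org/)`, so readers are sent over plain HTTP to fetch the tool they will use to open the product ZIP or ISO. Since this pass already rewrites the links in this file, switch both the label and the target to the HTTPS form of the same URL.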
@@ -89,22 +89,22 @@ the following: **Step 1 –** Request a license and send that key to Sales for processing. You can watch a video on how to request a license at the following link: -[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](video/license/licenserequestkey.md). +[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md). **Step 2 –** Receive a license and install it. You can watch a video on how to install the license you receive at the following -link:[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](video/license/installuniversal.md). +link:[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md). ## Get Started with the GPO Method Most customers want to use Endpoint Policy Manager with Group Policy. You can watch the getting started video on how to install and run some initial tests at the following link: -[Endpoint Policy Manager with Group Policy Method: Getting Started](video/grouppolicy/gettingstarted.md). +[Endpoint Policy Manager with Group Policy Method: Getting Started](/docs/policypak/policypak/video/grouppolicy/gettingstarted.md). ## GetStarted with the Endpoint Policy Manager Cloud Method If you want to get started right away with Endpoint Policy Manager Cloud, watch this video for a -quick overview: [Endpoint Policy Manager Cloud: QuickStart](video/cloud/quickstart.md). +quick overview: [Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md). ## Get Started with Your MDM Provider or UEM Tool 
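Review bot: in the `@@ -89,22` hunk the rewritten Step 2 line still reads `link:[How to install UNIVERSAL licenses for NEW Customers`, with no space between `link:` and the opening bracket; add the space while the line is being changed. The context heading `## GetStarted with the Endpoint Policy Manager Cloud Method` is also missing a space, but correcting it may change the generated heading anchor, so check for inbound links to that anchor before fixing it in the same commit.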
@@ -114,7 +114,7 @@ of the videos at the links below in order to get prepared to use Endpoint Policy MDM provider. - For video overviews of using Endpoint Policy Manager with an MDM service see: Getting Started with - MDM > [Video Learning Center](mdm/overview/videolearningcenter.md). + MDM > [Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md). - For video overviews of using Endpoint Policy Manager with a UEM tool like SCCM see: Getting Started with Endpoint Policy Manager (Misc) > - [Knowledge Base](gettingstarted/overview/knowledgebase.md). + [Knowledge Base](/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md). diff --git a/docs/policypak/policypak/gettingstarted/fastest.md b/docs/policypak/policypak/gettingstarted/fastest.md index af04c881fe..e49cfaed06 100644 --- a/docs/policypak/policypak/gettingstarted/fastest.md +++ b/docs/policypak/policypak/gettingstarted/fastest.md @@ -11,7 +11,7 @@ The most important thing you can do to become quickly oriented with Endpoint Pol watch our daily webinar. The webinar is oriented to your delivery scenario: On-Prem, Intune/MDM or Cloud. -![gs3](../../../../static/img/product_docs/policypak/policypak/gettingstarted/gs3.webp) +![gs3](/img/product_docs/policypak/policypak/gettingstarted/gs3.webp) If you were added as a Primary or Secondary, you were automatically provided a link which will get you directly to the Overview/On-Prem webinar. If you are using Endpoint Policy Manager with @@ -34,7 +34,7 @@ Login page at Endpoint Policy Manager.com: Bootcamp (Free Training), Payment location for monthly usage - [Cloud](http://cloud.policypak.com/) — The Endpoint Policy Manager Cloud service -![gs1](../../../../static/img/product_docs/policypak/policypak/gettingstarted/gs1.webp) +![gs1](/img/product_docs/policypak/policypak/gettingstarted/gs1.webp) - If you are unable to logon as expected during a trial, contact your Endpoint Policy Manager Sales person for credentials. 
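Review bot: the context line `- [Cloud](http://cloud.policypak.com/)` in the `@@ -34,7` hunk of fastest.md sits beside the login guidance and points at the Cloud service over plain HTTP. Suggest changing the scheme to HTTPS in this file so the documentation does not direct readers to a sign-in page through an unencrypted link.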
@@ -50,40 +50,40 @@ Endpoint Policy Manager has a few Quick start topics to provide specific guidanc Quick tart topics for delivery method of policies you plan to use: -- [Group Policy Delivery Quick Start](quickstart/grouppolicy.md) -- [MDM / Intune Delivery Quick Start](quickstart/mdm.md) -- [Endpoint Policy Manager Cloud Delivery Quick Start](quickstart/cloud.md) +- [Group Policy Delivery Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/grouppolicy.md) +- [MDM / Intune Delivery Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/mdm.md) +- [Endpoint Policy Manager Cloud Delivery Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/cloud.md) A detailed Installation Guide for On-Prem scenarios that takes you from download to verified. -- [Step 1: Get the download and inspect its contents](quickstart/downloadcontents.md) +- [Step 1: Get the download and inspect its contents](/docs/policypak/policypak/gettingstarted/quickstart/downloadcontents.md) A detailed topic is available if you're in a hurry to get started with Endpoint Policy Manager Cloud. -- [Endpoint Policy Manager Cloud Quick Start](../cloud/overview.md) +- [Endpoint Policy Manager Cloud Quick Start](/docs/policypak/policypak/cloud/overview.md) A detailed MDM & UEM tools (like Intune) topic can be found here: -- [MDM & UEM Tools](../mdm/overview.md) +- [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) A detailed PolicyPak Least Privilege Manager Implementation Quickstart Guide that is project oriented to get you to the success line quickly. -[Endpoint Privilege Manager Implementation QuickStart Guide](../leastprivilege/pplpmimplementationguide.md) +[Endpoint Privilege Manager Implementation QuickStart Guide](/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md) ## Refer to Documentation in the Netwrix Technical Knowledge Center Endpoint Policy Manager has an extensive library of detailed manuals and Knowledge Base and Videos. 
Consider bookmarking these important pages: -- [Netwrix Endpoint Policy Manager (formerly PolicyPak) Knowledge Base Articles](../knowledgebase.md) -- [Netwrix Endpoint Policy Manager (formerly PolicyPak) User Manuals](../manuals.md) +- [Netwrix Endpoint Policy Manager (formerly PolicyPak) Knowledge Base Articles](/docs/policypak/policypak/knowledgebase.md) +- [Netwrix Endpoint Policy Manager (formerly PolicyPak) User Manuals](/docs/policypak/policypak/manuals.md) Finding what youare looking for comes down to Knowledge Base & Videos and User Manuals. Here is a way to get oriented on the navigation. -![gs2](../../../../static/img/product_docs/policypak/policypak/gettingstarted/gs2.webp) +![gs2](/img/product_docs/policypak/policypak/gettingstarted/gs2.webp) ## Get Help from Support diff --git a/docs/policypak/policypak/gettingstarted/history.md b/docs/policypak/policypak/gettingstarted/history.md index f229a88380..9be33e790c 100644 --- a/docs/policypak/policypak/gettingstarted/history.md +++ b/docs/policypak/policypak/gettingstarted/history.md @@ -14,9 +14,9 @@ Before 2017 - New Component: File Associations Manager: Quickly map PDF, MAILTO:, and others to the right apps. - Reduce GPOs and convert them to use for MDM: - [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/administrativetemplates/reducegpos.md) + [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/administrativetemplates/reducegpos.md) - Least Privilege Manager: SecureRun(TM) blocks Ransomware - [Events](../video/leastprivilege/events.md) + [Events](/docs/policypak/policypak/video/leastprivilege/events.md) - New Component: New Endpoint Policy Manager Start Screen & Taskbar Manager: Manage Windows 10 tile layouts perfectly. 
@@ -26,7 +26,7 @@ Before 2017 PowerShell - Least Privilege Manager Helper Tools: Enable Standard users to update Network Card and Printer settings, plus uninstall applications - [Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md) + [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) 2019 @@ -34,7 +34,7 @@ Before 2017 Processes - IE Sitelist to Browser Router import - Least Privilege Manager Block PowerShell Malware - attacks:[Block PowerShell in General, Open up for specific items](../video/leastprivilege/bestpractices/powershellblock.md) + attacks:[Block PowerShell in General, Open up for specific items](/docs/policypak/policypak/video/leastprivilege/bestpractices/powershellblock.md) - New Component — Endpoint Policy Manager Feature Manager for Windows. Quickly add / remove features from Windows 10 & Windows Server. 
@@ -43,20 +43,20 @@ Before 2017 - New Component — Endpoint Policy Manager RDP Manager: Enable remote work users to have .RDP files to connect to your resources. - Browser Router - New Edge Support / IE In Edge Mode - [Manage Internet Explorer 11 and Edge Compatibility, Enterprise Modes and IE-in-Edge Mode](../video/browserrouter/ie.md) + [Manage Internet Explorer 11 and Edge Compatibility, Enterprise Modes and IE-in-Edge Mode](/docs/policypak/policypak/video/browserrouter/ie.md) - Browser Router Apply Once then Drift - [Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](../video/browserrouter/defaultwindows10.md) + [Endpoint Policy Manager Browser Router: Set the Windows 10 Default Browser (once) then drift](/docs/policypak/policypak/video/browserrouter/defaultwindows10.md) - File Associations Manager Apply Once then Drift - [Endpoint Policy Manager File Associations Manager: Apply once (and drift)](../video/fileassociations/applyonce.md) + [Endpoint Policy Manager File Associations Manager: Apply once (and drift)](/docs/policypak/policypak/video/fileassociations/applyonce.md) - File Associations Manager Apply settings on USER side - Added Triggers to Endpoint Policy Manager Scripts & Triggers: Run a script at VPN launch or many other events - Added Email method for PPLPM Admin Approval - [Using Email / Long Codes](../video/leastprivilege/longcodes.md) + [Using Email / Long Codes](/docs/policypak/policypak/video/leastprivilege/longcodes.md) - New Component — Remote Work Delivery Manager: Deliver software to Windows 10 via SMB share, Amazon S3 or other cloud services - Least Privlege Manager: Automatically block unsigned Applications - [Least Privilege Manager: Block All Unsigned with SecureRun](../video/leastprivilege/securerun/preventunsigned.md) + [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/policypak/video/leastprivilege/securerun/preventunsigned.md) - Compliance Reporter now 10x faster 
2021 diff --git a/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md b/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md index d8731a0c8f..b9fa249811 100644 --- a/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md +++ b/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md 
@@ -4,81 +4,81 @@ The following topics can help you getting started with Endpoint Policy Manager ( ## Getting Started -- [Endpoint Policy Manager Support and Resources](../fastest.md) -- [Does Endpoint Policy Manager have a Quick Start Guide?](../quickstart/guide.md) -- [Does Endpoint Policy Manager have an Installation Quick Start Guide?](../quickstart/guideinstall.md) -- [How has Endpoint Policy Manager Evolved over the years?](../history.md) -- [How does Endpoint Policy Manager support (and not support) Windows 11?](../../requirements/support/windows11.md) -- [How does Endpoint Policy Manager support (and not support) Windows 7?](../../requirements/support/windows7.md) -- [Endpoint Policy Manager ARM Support Supportability Statement](../../requirements/support/arm.md) -- [How does Endpoint Policy Managerhandle right-click menus in Windows 11 / Why does "Copy with Endpoint Policy Manager SecureCopy™" always show in Windows 11?](../rightclick.md) -- [How must I prepare for my Endpoint Policy Manager QuickStart / Onboarding?](../prepare.md) +- [Endpoint Policy Manager Support and Resources](/docs/policypak/policypak/gettingstarted/fastest.md) +- [Does Endpoint Policy Manager have a Quick Start Guide?](/docs/policypak/policypak/gettingstarted/quickstart/guide.md) +- [Does Endpoint Policy Manager have an Installation Quick Start Guide?](/docs/policypak/policypak/gettingstarted/quickstart/guideinstall.md) +- [How has Endpoint Policy Manager Evolved over the years?](/docs/policypak/policypak/gettingstarted/history.md) +- [How does Endpoint Policy Manager support (and not support) Windows 11?](/docs/policypak/policypak/requirements/support/windows11.md) +- [How does Endpoint Policy Manager support (and not support) Windows 7?](/docs/policypak/policypak/requirements/support/windows7.md) +- [Endpoint Policy Manager ARM Support Supportability Statement](/docs/policypak/policypak/requirements/support/arm.md) +- [How does Endpoint Policy Managerhandle right-click menus in 
Windows 11 / Why does "Copy with Endpoint Policy Manager SecureCopy™" always show in Windows 11?](/docs/policypak/policypak/gettingstarted/rightclick.md) +- [How must I prepare for my Endpoint Policy Manager QuickStart / Onboarding?](/docs/policypak/policypak/gettingstarted/prepare.md) ## Tips, Tricks, and FAQs -- [How can use Item Level Targeting to apply a Group Policy Preferences or Endpoint Policy Manager item when the user is not a member of Domain Admins and also is not a member of the local Admin group?](../../itemleveltargeting/applypreferences.md) -- [Is the Security Group Item Level Targeting (ILT) option recursive or not?](../../itemleveltargeting/securitygroup.md) -- [Which Endpoint Policy Manager emails can / can't I opt out of ?](../../tips/emailoptout.md) -- [How can I use Item Level Targeting to specify a specific Windows 10 build and/or LTSC/LTSB?](../../itemleveltargeting/windows11.md) -- [How can I fix MMC display problems when my admin console uses high DPI?](../../tips/mmcdisplay.md) -- [How do I make an Item Level Target for Server 2016 or Server 2019 (on-prem, MDM or Endpoint Policy Manager Cloud) ?](../../itemleveltargeting/windowsserver2019.md) -- [How can I use Item Level Targeting to query Azure AD Groups?](../../itemleveltargeting/entraidgroups.md) -- [Can I use both Endpoint Policy ManagerOn Premise mode and Endpoint Policy Manager Cloud simultaneously? 
Do they clash?](../../tips/onpremisecloud.md) -- [How does Endpoint Policy Manager perform Folder Redirection or OneDrive Known Folder Move (KFM) with Endpoint Policy Manager Group Policy, Endpoint Policy ManagerMDM or Endpoint Policy Manager Cloud?](../../tips/folderredirection.md) -- [Can I embed the Endpoint Policy ManagerClient Side Extension and/or Endpoint Policy Manager Cloud client into a master image for VDI, MDT, Ghost, Citrix, etc?](../../tips/embedclient.md) -- [Which components within the Endpoint Policy Manager product family will work with what operating system?](../../requirements/support/operatingsystem.md) -- [How do I get Azure AD SIDs and use them with Item Level Targeting?](../../itemleveltargeting/entraidsids.md) -- [How does Endpoint Policy Manager handle STIGs and/or CIS Benchmarks and/or other 3rd party Advice?](../../tips/thirdpartyadvice.md) -- [Are the services installed with Endpoint Policy Manager required? Can I disable them if I'm only using a single component?](../../tips/services.md) -- [Which Windows Client and Server are currently supported by Endpoint Policy Manager?](../../requirements/support/windows.md) -- [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](../../tips/eventlogs.md) -- [How can I use Item Level Targeting to specify Windows Virtual Desktops (WVD) Multi-session Windows?](../../itemleveltargeting/virtualdesktops.md) -- [List of Endpoint Policy Manager Event Categories and IDs](../../tips/eventcategories.md) -- [How do I make an Item Level Target for Windows 10 or Windows 11 endpoints](../../itemleveltargeting/windowsendpoint.md) +- [How can use Item Level Targeting to apply a Group Policy Preferences or Endpoint Policy Manager item when the user is not a member of Domain Admins and also is not a member of the local Admin group?](/docs/policypak/policypak/itemleveltargeting/applypreferences.md) +- [Is the Security Group Item Level Targeting (ILT) option recursive or 
not?](/docs/policypak/policypak/itemleveltargeting/securitygroup.md) +- [Which Endpoint Policy Manager emails can / can't I opt out of ?](/docs/policypak/policypak/tips/emailoptout.md) +- [How can I use Item Level Targeting to specify a specific Windows 10 build and/or LTSC/LTSB?](/docs/policypak/policypak/itemleveltargeting/windows11.md) +- [How can I fix MMC display problems when my admin console uses high DPI?](/docs/policypak/policypak/tips/mmcdisplay.md) +- [How do I make an Item Level Target for Server 2016 or Server 2019 (on-prem, MDM or Endpoint Policy Manager Cloud) ?](/docs/policypak/policypak/itemleveltargeting/windowsserver2019.md) +- [How can I use Item Level Targeting to query Azure AD Groups?](/docs/policypak/policypak/itemleveltargeting/entraidgroups.md) +- [Can I use both Endpoint Policy ManagerOn Premise mode and Endpoint Policy Manager Cloud simultaneously? Do they clash?](/docs/policypak/policypak/tips/onpremisecloud.md) +- [How does Endpoint Policy Manager perform Folder Redirection or OneDrive Known Folder Move (KFM) with Endpoint Policy Manager Group Policy, Endpoint Policy ManagerMDM or Endpoint Policy Manager Cloud?](/docs/policypak/policypak/tips/folderredirection.md) +- [Can I embed the Endpoint Policy ManagerClient Side Extension and/or Endpoint Policy Manager Cloud client into a master image for VDI, MDT, Ghost, Citrix, etc?](/docs/policypak/policypak/tips/embedclient.md) +- [Which components within the Endpoint Policy Manager product family will work with what operating system?](/docs/policypak/policypak/requirements/support/operatingsystem.md) +- [How do I get Azure AD SIDs and use them with Item Level Targeting?](/docs/policypak/policypak/itemleveltargeting/entraidsids.md) +- [How does Endpoint Policy Manager handle STIGs and/or CIS Benchmarks and/or other 3rd party Advice?](/docs/policypak/policypak/tips/thirdpartyadvice.md) +- [Are the services installed with Endpoint Policy Manager required? 
Can I disable them if I'm only using a single component?](/docs/policypak/policypak/tips/services.md) +- [Which Windows Client and Server are currently supported by Endpoint Policy Manager?](/docs/policypak/policypak/requirements/support/windows.md) +- [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](/docs/policypak/policypak/tips/eventlogs.md) +- [How can I use Item Level Targeting to specify Windows Virtual Desktops (WVD) Multi-session Windows?](/docs/policypak/policypak/itemleveltargeting/virtualdesktops.md) +- [List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) +- [How do I make an Item Level Target for Windows 10 or Windows 11 endpoints](/docs/policypak/policypak/itemleveltargeting/windowsendpoint.md) ## Portal Questions -- [How do I create a Secondary (or Accounting) contact within the Portal to enable another person to participate in Endpoint Policy Manager (including downloads, updates, etc.)?](../../cloud/adduser.md) -- [Two-Factor Authentication in the Endpoint Policy Manager Portal](../../cloud/twofactorauthentication.md) -- [Why can't I opt out of Emails when I'm an Endpoint Policy Manager Customer?](../../cloud/emailoptout.md) -- [How can I use a checksum to validate the Endpoint Policy Manager download?](../../cloud/cheksum.md) -- [Portal login troubleshooting](../../troubleshooting/cloud/login.md) -- [Changing a portal users information](../../cloud/profileupdate.md) +- [How do I create a Secondary (or Accounting) contact within the Portal to enable another person to participate in Endpoint Policy Manager (including downloads, updates, etc.)?](/docs/policypak/policypak/cloud/adduser.md) +- [Two-Factor Authentication in the Endpoint Policy Manager Portal](/docs/policypak/policypak/cloud/twofactorauthentication.md) +- [Why can't I opt out of Emails when I'm an Endpoint Policy Manager Customer?](/docs/policypak/policypak/cloud/emailoptout.md) +- [How can I use a checksum to 
validate the Endpoint Policy Manager download?](/docs/policypak/policypak/cloud/cheksum.md) +- [Portal login troubleshooting](/docs/policypak/policypak/troubleshooting/cloud/login.md) +- [Changing a portal users information](/docs/policypak/policypak/cloud/profileupdate.md) ## Troubleshooting (General) -- [What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](../../troubleshooting/fastsupport.md) -- [Why does my mail anti-virus service claim that the Endpoint Policy Manager download ISO or ZIP has a virus?](../../troubleshooting/antivirus.md) -- [During CSE installation on a VM the following message is displayed indicating a reboot will be needed](../../troubleshooting/install/clientsideextension.md) -- [What is the processing order of all policies and how are conflicts resolved (and how can I see the final RsOP) of those policies (between GPO, Cloud, XML, etc)?](../../troubleshooting/conflictresolved.md) -- [Why do I get ">Endpoint Policy ManagerBrowser Router couldn't connect to Endpoint Policy Manager extension service. 
Please contact support"?](../../troubleshooting/browserrouter.md) -- [How do I submit a process dump (PROCDUMP) and Process Monitor (PROCMON) capture of a hanging process?](../../troubleshooting/hangingprocess.md) -- [How do I manually collect logs if PPLOGS as User or Admin does not launch?](../../troubleshooting/log/manual.md) -- [How do I ensure that settings will revert when the policy no longer applies (by Group Policy, File, or Endpoint Policy Manager Cloud)?](../../troubleshooting/settingsrevert.md) -- [What are the services installed by Endpoint Policy Manager?](../../install/services.md) -- [I see many instances of the Endpoint Policy Manager Watcher service running on my clients, is that normal?](../../troubleshooting/watcherservice.md) -- [What CSEs are contained within Endpoint Policy Manager, what are their CSE GUIDs, and in what release did they appear?](../../install/clientsideextension/guids.md) -- [How do I turn on Debug logging if asked?](../../troubleshooting/log/debug.md) -- [How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support?](../../troubleshooting/log/itemleveltargeting.md) -- [How can I increase the depth of what Endpoint Policy Manager reports (minidump files).](../../troubleshooting/log/minidumpfiles.md) -- [What are the advanced CSE troubleshooting registry debugging items?](../../troubleshooting/clientsideextension/registrydebug.md) -- [How can I present a custom dialog (or no dialog) if Browser Router (or the CSE) stops working or crashes?](../../troubleshooting/customdialog.md) -- [Troubleshooting Item Level Targeting (ILT) Evaluations when using the Endpoint Policy Manager ILT Engine](../../troubleshooting/itemleveltargeting/evaluations.md) -- [How to use ProcMon to track changes over time to specific registry keys](../../troubleshooting/procmon.md) -- [How can I use Powershell to automatically say yes to the PPLOGS prompt?](../../troubleshooting/powershell/pplogsprompt.md) -- [Why do I 
get crashes and blue screens when using Endpoint Policy Manager with Forcepoint DLP?](../../troubleshooting/forepointdlp.md) +- [What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) +- [Why does my mail anti-virus service claim that the Endpoint Policy Manager download ISO or ZIP has a virus?](/docs/policypak/policypak/troubleshooting/antivirus.md) +- [During CSE installation on a VM the following message is displayed indicating a reboot will be needed](/docs/policypak/policypak/troubleshooting/install/clientsideextension.md) +- [What is the processing order of all policies and how are conflicts resolved (and how can I see the final RsOP) of those policies (between GPO, Cloud, XML, etc)?](/docs/policypak/policypak/troubleshooting/conflictresolved.md) +- [Why do I get ">Endpoint Policy ManagerBrowser Router couldn't connect to Endpoint Policy Manager extension service. Please contact support"?](/docs/policypak/policypak/troubleshooting/browserrouter.md) +- [How do I submit a process dump (PROCDUMP) and Process Monitor (PROCMON) capture of a hanging process?](/docs/policypak/policypak/troubleshooting/hangingprocess.md) +- [How do I manually collect logs if PPLOGS as User or Admin does not launch?](/docs/policypak/policypak/troubleshooting/log/manual.md) +- [How do I ensure that settings will revert when the policy no longer applies (by Group Policy, File, or Endpoint Policy Manager Cloud)?](/docs/policypak/policypak/troubleshooting/settingsrevert.md) +- [What are the services installed by Endpoint Policy Manager?](/docs/policypak/policypak/install/services.md) +- [I see many instances of the Endpoint Policy Manager Watcher service running on my clients, is that normal?](/docs/policypak/policypak/troubleshooting/watcherservice.md) +- [What CSEs are contained within Endpoint Policy Manager, what are their CSE GUIDs, and in what release did they 
appear?](/docs/policypak/policypak/install/clientsideextension/guids.md) +- [How do I turn on Debug logging if asked?](/docs/policypak/policypak/troubleshooting/log/debug.md) +- [How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support?](/docs/policypak/policypak/troubleshooting/log/itemleveltargeting.md) +- [How can I increase the depth of what Endpoint Policy Manager reports (minidump files).](/docs/policypak/policypak/troubleshooting/log/minidumpfiles.md) +- [What are the advanced CSE troubleshooting registry debugging items?](/docs/policypak/policypak/troubleshooting/clientsideextension/registrydebug.md) +- [How can I present a custom dialog (or no dialog) if Browser Router (or the CSE) stops working or crashes?](/docs/policypak/policypak/troubleshooting/customdialog.md) +- [Troubleshooting Item Level Targeting (ILT) Evaluations when using the Endpoint Policy Manager ILT Engine](/docs/policypak/policypak/troubleshooting/itemleveltargeting/evaluations.md) +- [How to use ProcMon to track changes over time to specific registry keys](/docs/policypak/policypak/troubleshooting/procmon.md) +- [How can I use Powershell to automatically say yes to the PPLOGS prompt?](/docs/policypak/policypak/troubleshooting/powershell/pplogsprompt.md) +- [Why do I get crashes and blue screens when using Endpoint Policy Manager with Forcepoint DLP?](/docs/policypak/policypak/troubleshooting/forepointdlp.md) ## Endpoint Policy Manager & Netwrix Auditor -- [How do I configure the MMC snap-in to open GPOs in Netwrix Auditor?](../../integration/auditor/mmcsnapin.md) -- [How can I minimize or eliminate requests to authenticate to Netwrix Auditor (and what permissions are needed to see Endpoint Policy Manager's Netwrix Auditor Reports?)](../../integration/auditor/permissions.md) +- [How do I configure the MMC snap-in to open GPOs in Netwrix Auditor?](/docs/policypak/policypak/integration/auditor/mmcsnapin.md) +- [How can I minimize or eliminate 
requests to authenticate to Netwrix Auditor (and what permissions are needed to see Endpoint Policy Manager's Netwrix Auditor Reports?)](/docs/policypak/policypak/integration/auditor/permissions.md) ## Non-Domain Joined Troubleshooting -- [Which Endpoint Policy Manager items will not work when the computer is non-domain joined (or the computer is NEVER connected to the Internet)?](../../troubleshooting/nondomain/limitations.md) -- [Which items in Chrome will, and will not work when non-domain joined?](../../troubleshooting/nondomain/chrome.md) -- [How to use Scripts Manager to manually install and enable Endpoint Policy Manager Browser Router for new Edge Chromium?](../../troubleshooting/nondomain/edge.md) +- [Which Endpoint Policy Manager items will not work when the computer is non-domain joined (or the computer is NEVER connected to the Internet)?](/docs/policypak/policypak/troubleshooting/nondomain/limitations.md) +- [Which items in Chrome will, and will not work when non-domain joined?](/docs/policypak/policypak/troubleshooting/nondomain/chrome.md) +- [How to use Scripts Manager to manually install and enable Endpoint Policy Manager Browser Router for new Edge Chromium?](/docs/policypak/policypak/troubleshooting/nondomain/edge.md) ## Endpoint Policy Manager & Change Management Utilities -- [Understanding the Difference Between Endpoint Policy Manager and GPO Change Management Tools](../../troubleshooting/changemanagementtools.md) +- [Understanding the Difference Between Endpoint Policy Manager and GPO Change Management Tools](/docs/policypak/policypak/troubleshooting/changemanagementtools.md) diff --git a/docs/policypak/policypak/gettingstarted/overview/videolearningcenter.md b/docs/policypak/policypak/gettingstarted/overview/videolearningcenter.md index 799fca0a02..4af502678b 100644 --- a/docs/policypak/policypak/gettingstarted/overview/videolearningcenter.md +++ b/docs/policypak/policypak/gettingstarted/overview/videolearningcenter.md 
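Review bot: the `@@ -4,81` hunk of gettingstarted/overview/knowledgebase.md carries several suspect targets over unchanged into the new absolute paths, and with absolute paths a wrong target is no longer caught by relative resolution from this folder. The checksum topic points at `/docs/policypak/policypak/cloud/cheksum.md`, the Forcepoint DLP topic at `troubleshooting/forepointdlp.md`, and the "specific Windows 10 build and/or LTSC/LTSB" entry at `itemleveltargeting/windows11.md`. Confirm each file exists under that exact name, or rename the files and update the links in the same change. The link text `">Endpoint Policy ManagerBrowser Router couldn't connect` also keeps a stray `>` and a missing space on the added line.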
@@ -4,73 +4,73 @@ See the following Video topics for getting started with Endpoint Policy Manager ## Getting Started (Misc) -- [Endpoint Policy ManagerPortal: How to download Endpoint Policy Manager and get free training](../../video/gettingstarted/freetraining.md) -- [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](../../video/gettingstarted/solutionmethods.md) -- [Endpoint Policy Manager Extras: SID EXPORTER](../../video/gettingstarted/sidexporter.md) -- [Endpoint Policy Manager CSE and Admin console with ARM machines](../../video/gettingstarted/arm.md) -- [Endpoint Policy Manager Standalone Editor Introduction](../../video/gettingstarted/editor.md) +- [Endpoint Policy ManagerPortal: How to download Endpoint Policy Manager and get free training](/docs/policypak/policypak/video/gettingstarted/freetraining.md) +- [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](/docs/policypak/policypak/video/gettingstarted/solutionmethods.md) +- [Endpoint Policy Manager Extras: SID EXPORTER](/docs/policypak/policypak/video/gettingstarted/sidexporter.md) +- [Endpoint Policy Manager CSE and Admin console with ARM machines](/docs/policypak/policypak/video/gettingstarted/arm.md) +- [Endpoint Policy Manager Standalone Editor Introduction](/docs/policypak/policypak/video/gettingstarted/editor.md) ## Troubleshooting -- [Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) -- [Gathering and Uploading Logs](../../video/troubleshooting/logs.md) -- [Process Monitor 101](../../video/troubleshooting/processmonitor.md) -- [How to make a GPO backup for us to use atEndpoint Policy Manager ](../../video/troubleshooting/gpobackup.md) -- [Endpoint Policy Manager User PowerShell to find all Endpoint Policy Manager GPOs](../../video/troubleshooting/powershell.md) -- [Endpoint Policy Manager CSE Troubleshooting: Unlicense all components, and 
re-license the one to isolate](../../video/troubleshooting/unlicense.md) -- [Troubleshooting ILT with the ILT Validator Tool](../../video/troubleshooting/itemleveltargeting.md) -- [Endpoint Policy Manager: Exclude Processes via ADMX](../../video/gettingstarted/admx.md) +- [Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) +- [Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) +- [Process Monitor 101](/docs/policypak/policypak/video/troubleshooting/processmonitor.md) +- [How to make a GPO backup for us to use atEndpoint Policy Manager ](/docs/policypak/policypak/video/troubleshooting/gpobackup.md) +- [Endpoint Policy Manager User PowerShell to find all Endpoint Policy Manager GPOs](/docs/policypak/policypak/video/troubleshooting/powershell.md) +- [Endpoint Policy Manager CSE Troubleshooting: Unlicense all components, and re-license the one to isolate](/docs/policypak/policypak/video/troubleshooting/unlicense.md) +- [Troubleshooting ILT with the ILT Validator Tool](/docs/policypak/policypak/video/troubleshooting/itemleveltargeting.md) +- [Endpoint Policy Manager: Exclude Processes via ADMX](/docs/policypak/policypak/video/gettingstarted/admx.md) ## Upgrading and Maintenance -- [Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](../../video/troubleshooting/backupoptions.md) -- [Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../../video/troubleshooting/backup.md) +- [Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](/docs/policypak/policypak/video/troubleshooting/backupoptions.md) +- [Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md) ## Endpoint Policy Manager & Netwrix Auditor -- [Endpoint Policy Manager and Netwrix Auditor - Demo](../../video/integration/auditordemo.md) -- 
[Endpoint Policy Manager and Netwrix Auditor - Setup Steps](../../video/integration/auditorsetup.md) +- [Endpoint Policy Manager and Netwrix Auditor - Demo](/docs/policypak/policypak/video/integration/auditordemo.md) +- [Endpoint Policy Manager and Netwrix Auditor - Setup Steps](/docs/policypak/policypak/video/integration/auditorsetup.md) ## Methods: SCCM (and Other On-prem Tools) - Deploying Real Microsoft GPO and Endpoint Policy Manager Settings -- [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../../video/methods/exporterutility.md) -- [Deploy Real Group Policy using SCCM or Other Management System!](../../video/methods/sccmgrouppolicy.md) +- [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/methods/exporterutility.md) +- [Deploy Real Group Policy using SCCM or Other Management System!](/docs/policypak/policypak/video/methods/sccmgrouppolicy.md) - Deploy Endpoint Policy Manager Settings Using SCCM or Other Management System! 
## Endpoint Policy Manager and Windows Virtual Desktops (WVD) -- [Endpoint Policy Manager & WVD (Windows Virtual Desktop) Getting Started](../../video/windowsvirtualdesktops/gettingstarted.md) -- [Endpoint Policy Manager + WVD: Elevate the installation of the Remote Deskop app](../../video/windowsvirtualdesktops/elevateinstall.md) -- [Endpoint Policy Manager + WVD: Elevate application inside WVD and bypass UAC prompts](../../video/windowsvirtualdesktops/elevateapplication.md) -- [Endpoint Policy Manager + WVD: Manage the Start Screen and Taskbar](../../video/windowsvirtualdesktops/startscreen.md) -- [Endpoint Policy Manager + WVD: Manage Applications Settings](../../video/windowsvirtualdesktops/applicationsettings.md) -- [Endpoint Policy Manager + WVD: Reducing number of GPOs and using "GPOs with Brains"](../../video/windowsvirtualdesktops/admintemplatemanager.md) -- [Endpoint Policy Manager + WVD: Browser Router ... the right browser for the right website.](../../video/windowsvirtualdesktops/browserrouter.md) -- [Endpoint Policy Manager + Windows Virtual Desktop .. 
Better Together Tour](../../video/windowsvirtualdesktops/tour.md) -- [Endpoint Privilege Manager + Windows Virtual Desktop](../../video/windowsvirtualdesktops/leastprivilege.md) +- [Endpoint Policy Manager & WVD (Windows Virtual Desktop) Getting Started](/docs/policypak/policypak/video/windowsvirtualdesktops/gettingstarted.md) +- [Endpoint Policy Manager + WVD: Elevate the installation of the Remote Deskop app](/docs/policypak/policypak/video/windowsvirtualdesktops/elevateinstall.md) +- [Endpoint Policy Manager + WVD: Elevate application inside WVD and bypass UAC prompts](/docs/policypak/policypak/video/windowsvirtualdesktops/elevateapplication.md) +- [Endpoint Policy Manager + WVD: Manage the Start Screen and Taskbar](/docs/policypak/policypak/video/windowsvirtualdesktops/startscreen.md) +- [Endpoint Policy Manager + WVD: Manage Applications Settings](/docs/policypak/policypak/video/windowsvirtualdesktops/applicationsettings.md) +- [Endpoint Policy Manager + WVD: Reducing number of GPOs and using "GPOs with Brains"](/docs/policypak/policypak/video/windowsvirtualdesktops/admintemplatemanager.md) +- [Endpoint Policy Manager + WVD: Browser Router ... the right browser for the right website.](/docs/policypak/policypak/video/windowsvirtualdesktops/browserrouter.md) +- [Endpoint Policy Manager + Windows Virtual Desktop .. Better Together Tour](/docs/policypak/policypak/video/windowsvirtualdesktops/tour.md) +- [Endpoint Privilege Manager + Windows Virtual Desktop](/docs/policypak/policypak/video/windowsvirtualdesktops/leastprivilege.md) ## Endpoint Policy Manager and FSLogix -- [Endpoint Policy Manager + FSLogix ... 
Managing your Browsers with App Masking.](../../video/fslogix/appmasking.md) -- [Endpoint Policy Manager and FSLogix Profiles: Better Together](../../video/fslogix/profiles.md) -- [Endpoint Policy Manager + FSLogix: Manage the Windows 10 Start Menu](../../video/fslogix/startmenu.md) -- [Endpoint Policy Manager + FSLogix: Set default browser based upon if the browser is masked or revealed](../../video/fslogix/browserdefault.md) -- [Endpoint Policy Manager + FSLogix: The Right Browser for the Right Website](../../video/fslogix/broswerright.md) -- [Endpoint Policy Manager + FSLogix: Setting browser configuration based upon which browser you actually have.](../../video/fslogix/browserconfiguration.md) -- [Endpoint Policy Manager + FSLogix: Elevating applications when needed (and available by FSLogix)](../../video/fslogix/elevatingapplications.md) +- [Endpoint Policy Manager + FSLogix ... Managing your Browsers with App Masking.](/docs/policypak/policypak/video/fslogix/appmasking.md) +- [Endpoint Policy Manager and FSLogix Profiles: Better Together](/docs/policypak/policypak/video/fslogix/profiles.md) +- [Endpoint Policy Manager + FSLogix: Manage the Windows 10 Start Menu](/docs/policypak/policypak/video/fslogix/startmenu.md) +- [Endpoint Policy Manager + FSLogix: Set default browser based upon if the browser is masked or revealed](/docs/policypak/policypak/video/fslogix/browserdefault.md) +- [Endpoint Policy Manager + FSLogix: The Right Browser for the Right Website](/docs/policypak/policypak/video/fslogix/broswerright.md) +- [Endpoint Policy Manager + FSLogix: Setting browser configuration based upon which browser you actually have.](/docs/policypak/policypak/video/fslogix/browserconfiguration.md) +- [Endpoint Policy Manager + FSLogix: Elevating applications when needed (and available by FSLogix)](/docs/policypak/policypak/video/fslogix/elevatingapplications.md) ## Endpoint Policy Manager & Cameyo -- [Endpoint Policy Manager + Cameyo: Overcoming UAC prompts for 
Published Applications](../../video/cameyo/uacprompts.md) -- [Endpoint Policy Manager Browser Router + Cameyo: Right Browser for the Right Website](../../video/cameyo/browserright.md) -- [Endpoint Policy Manager and Cameyo: Start Screen and Taskbar Magic Tricks](../../video/cameyo/startscreen.md) -- [Cameyo and Endpoint Policy Manager Application Settings Manager](../../video/cameyo/applicationsettings.md) +- [Endpoint Policy Manager + Cameyo: Overcoming UAC prompts for Published Applications](/docs/policypak/policypak/video/cameyo/uacprompts.md) +- [Endpoint Policy Manager Browser Router + Cameyo: Right Browser for the Right Website](/docs/policypak/policypak/video/cameyo/browserright.md) +- [Endpoint Policy Manager and Cameyo: Start Screen and Taskbar Magic Tricks](/docs/policypak/policypak/video/cameyo/startscreen.md) +- [Cameyo and Endpoint Policy Manager Application Settings Manager](/docs/policypak/policypak/video/cameyo/applicationsettings.md) ## Endpoint Policy Manager & Change Management Utilities -- [Endpoint Policy Manager MMC: Showing History of items you create](../../video/changemanagementutilities/history.md) -- [Endpoint Policy Manager and AGPM](../../video/changemanagementutilities/advancedgrouppolicymanagement.md) -- [Endpoint Policy Manager and Quest's GPOADmin Tool](../../video/changemanagementutilities/gpoadmintool.md) -- [Endpoint Policy Manager Integrates with NetIQ GPA](../../video/changemanagementutilities/netiq.md) -- [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](../../video/changemanagementutilities/scriptlogicactiveadministrator.md) -- [Endpoint Policy Manager and SDM CHANGE MANAGER](../../video/changemanagementutilities/sdmchangemanager.md) +- [Endpoint Policy Manager MMC: Showing History of items you create](/docs/policypak/policypak/video/changemanagementutilities/history.md) +- [Endpoint Policy Manager and AGPM](/docs/policypak/policypak/video/changemanagementutilities/advancedgrouppolicymanagement.md) +- 
[Endpoint Policy Manager and Quest's GPOADmin Tool](/docs/policypak/policypak/video/changemanagementutilities/gpoadmintool.md) +- [Endpoint Policy Manager Integrates with NetIQ GPA](/docs/policypak/policypak/video/changemanagementutilities/netiq.md) +- [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](/docs/policypak/policypak/video/changemanagementutilities/scriptlogicactiveadministrator.md) +- [Endpoint Policy Manager and SDM CHANGE MANAGER](/docs/policypak/policypak/video/changemanagementutilities/sdmchangemanager.md) diff --git a/docs/policypak/policypak/gettingstarted/prepare.md b/docs/policypak/policypak/gettingstarted/prepare.md index 2f8757af72..925d8551ec 100644 --- a/docs/policypak/policypak/gettingstarted/prepare.md +++ b/docs/policypak/policypak/gettingstarted/prepare.md @@ -34,7 +34,7 @@ is access to a Domain Controller necessary.. If you happen to use a DC for the G but not mandatory. **NOTE:** Check this link on how to install the GPMC on your Admin / GPMC machine: -[What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](../install/methods.md) +[What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](/docs/policypak/policypak/install/methods.md) Here are the options for remote viewing of the Admin/GPMC machine: @@ -51,7 +51,7 @@ is ready on your side: ([http://www.policypak.com/customerportal](http://www.policypak.com/customerportal)) to download Everything. -![289_1_image-20240111131924-2](../../../../static/img/product_docs/policypak/policypak/gettingstarted/289_1_image-20240111131924-2.webp) +![289_1_image-20240111131924-2](/img/product_docs/policypak/policypak/gettingstarted/289_1_image-20240111131924-2.webp) **NOTE:** If you cannot remember your password, you can reset it right on this page. 
@@ -68,7 +68,7 @@ location. Any unzip tool can be used for this task. When you are done, your server should look like this: -![289_2_image-20240111133126-3](../../../../static/img/product_docs/policypak/policypak/gettingstarted/289_2_image-20240111133126-3.webp) +![289_2_image-20240111133126-3](/img/product_docs/policypak/policypak/gettingstarted/289_2_image-20240111133126-3.webp) For all versions of Endpoint Policy Manager (Group Policy, MDM, and Cloud), you need access to a Domain Controller (DC) running Active Directory to create real GPOs. This DC can be a real or fake @@ -82,7 +82,7 @@ do anything. [https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/) **Step 2 –** Then be sure to run these steps on this video to make your first domain controller in a -new domain: [How to create a DC for editing purposes](../video/cloud/testlab/createdc.md) +new domain: [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) **NOTE:** The domain controller name and domain name do no matter. @@ -97,7 +97,7 @@ first tests. - If you can do without a special Antivirus or special security software on this example machine, that will be best. If you MUST use A/V or security software, please perform these steps: - [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../install/antivirus.md) + [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) For Endpoint Policy Manager Group Policy Edition: 
@@ -117,7 +117,7 @@ For Endpoint Policy Manager Cloud and Endpoint Policy Manager MDM: First, know that Endpoint Policy Manager and other security software may not play nicely together right away. As such, please review and follow these guidelines first: -[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../install/antivirus.md) +[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) Second, please install all of the following software on your example endpoint(s): @@ -138,7 +138,7 @@ on the endpoint. **Step 5 –** (Recommended): Endpoint Policy Manager's engine can be controlled via ADMX settings and having these pre-staged and ready to go can help us workaround issues from time to time. To pre-install the ADMX settings please watch this video: -[Troubleshooting with ADMX files](../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) **Step 6 –** (Recommended): If you want to perform some Endpoint Policy Manager Least Privilege base hits: Install any software you want to see magically work with Endpoint Policy Manager Least @@ -176,7 +176,7 @@ To run Endpoint Policy Manager Licensed: - Endpoint Policy Manager Group Policy Edition: - Please pre-install the LICENSE FILES you received. See - [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) + [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) We generally recommend Way #2. - The computer should be placed in one of your licensed OUs ahead of our meeting. 
@@ -197,11 +197,11 @@ To run Endpoint Policy Manager Un-licensed (any version): **NOTE:** When a computer has COMPUTER in the name it pretends to be fully licensed for trial purposes. More details on this topic: - [Testing and Troubleshooting By Renaming an endpoint Computer](../video/troubleshooting/mdm.md) + [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/troubleshooting/mdm.md) Example machine renamed to work UN-licensed: -![289_3_image-20191022200736-3](../../../../static/img/product_docs/policypak/policypak/gettingstarted/289_3_image-20191022200736-3.webp) +![289_3_image-20191022200736-3](/img/product_docs/policypak/policypak/gettingstarted/289_3_image-20191022200736-3.webp) ## Part 6: Preparing for Endpoint Policy ManagerCloud @@ -227,7 +227,7 @@ Endpoint Policy Manager MDM Licensing can be a little tricky. - If you rename the computer to have COMPUTER in the name, the computer will act fully licensed. - If we supplied a license file to you, we'd like for you to pre-test that out. Here's the video to demonstrate exactly how to verify the MDM license file (sent as an MSI file) will work. - [Endpoint Policy Manager and MDM walk before you run](../video/mdm/testsample.md) + [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) ## Part 8: Final thoughts for Endpoint Policy Manager Cloud and Endpoint Policy Manager MDM 
@@ -247,10 +247,10 @@ Endpoint Policy Manager MDM. If you do not have a “real” or “not real domain” please see and perform these steps: -**Step 1 –** [How to create a DC for editing purposes](../video/cloud/testlab/createdc.md) +**Step 1 –** [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) **Step 2 –** -[Testing and Troubleshooting By Renaming an endpoint Computer](../video/cloud/testlab/renameendpoint.md) +[Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/cloud/testlab/renameendpoint.md) ## Part 9: Converting from another least-privilege tool to Endpoint Privilege Manager diff --git a/docs/policypak/policypak/gettingstarted/quickstart/cloud.md b/docs/policypak/policypak/gettingstarted/quickstart/cloud.md index 468f11ffc7..627959dc53 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/cloud.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/cloud.md @@ -1,7 +1,7 @@ # Endpoint Policy Manager Cloud Delivery Quick Start For an overview of delivery via PolicyPak Cloud, see the -[Endpoint Policy Manager Cloud: QuickStart](../../video/cloud/quickstart.md) video . +[Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) video . Follow the steps below to carry out the Endpoint Policy Manager cloud delivery: 
@@ -13,7 +13,7 @@ PolicyPak Cloud tenant. Install it by hand on a few Windows 10 or Windows 11 endpoints. Alternatively, use your software deployment tool (like Intune) to deliver the CSE to a few endpoints. See the -[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](../../video/cloud/mdm.md) +[Endpoint Policy Manager Cloud + MDM Services: Install Cloud Client + automatically join PPC Groups and get policy.](/docs/policypak/policypak/video/cloud/mdm.md) video of using Intune to bootstrap the PolicyPak cloud client install. The Endpoint Policy Manager Cloud Client automatically installs the PolicyPak CSE at the same time. @@ -27,7 +27,7 @@ management machine with the GPMC pre-installed In the download, find the **Admin Console MSI**. Install it by hand on your machine. Your machine needs to also have the GPMC pre-installed from Microsoft. We recommend you have both the Endpoint Policy Manager Admin Console and the GPMC installed on a “fake DC” exclusively for editing purposes. -See the [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) video for +See the [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) video for details and how to do this. **NOTE:** If you bypass this step, you can still use the Endpoint Policy Manager in-cloud editors, 
@@ -36,9 +36,9 @@ but some options may not be available to you for editing without an on-prem edit **Step 3 –** Start creating policies using Endpoint Policy Manager Cloud If you want to make Microsoft Group Policy settings via Endpoint Policy Manager Cloud, see the -[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../../video/cloud/deploy/grouppolicysettings.md)video. +[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md)video. If you want to make Endpoint Policy Manager specific settings (like Endpoint Policy Manager Least Privilege Manager, etc.) via Endpoint Policy Manager Cloud, see the -[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](../../video/cloud/deploy/policypaksettings.md) +[Endpoint Policy ManagerCloud: How to deploy Endpoint Policy Manager specific settings (using in-cloud editors and exporting from on-prem)](/docs/policypak/policypak/video/cloud/deploy/policypaksettings.md) video. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/downloadcontents.md b/docs/policypak/policypak/gettingstarted/quickstart/downloadcontents.md index eb51a63754..e8b01d8d7d 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/downloadcontents.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/downloadcontents.md 
@@ -2,18 +2,18 @@ Once the Endpoint Policy Manager ZIP is downloaded, Extract all and keep things organized. -![downloadcontents1](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents1.webp) +![downloadcontents1](/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents1.webp) The result will be three more ZIP files like what is seen here. **NOTE:** Your ZIP file name(s) may be somewhat different. -![downloadcontents2](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents2.webp) +![downloadcontents2](/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents2.webp) Extract All against each ZIP and keep things organized. You may delete the ZIP files since you won’t need them past this point. The result will be three unpacked folders looking like this:. -![downloadcontents3](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents3.webp) +![downloadcontents3](/img/product_docs/policypak/policypak/gettingstarted/quickstart/downloadcontents3.webp) **TIP**: For getting started you only need the software installation bits but don’t need the AppSets for Application Manager or Production-Guidance. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/grouppolicy.md b/docs/policypak/policypak/gettingstarted/quickstart/grouppolicy.md index 0f5cb1ed4d..11f9577d34 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/grouppolicy.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/grouppolicy.md @@ -1,7 +1,7 @@ # Group Policy Delivery Quick Start For an overview of Group Policy Quick Start, the -[Admin Console And CSE Installation](../../video/grouppolicy/install.md) video. +[Admin Console And CSE Installation](/docs/policypak/policypak/video/grouppolicy/install.md) video. **Step 1 –** Install the Endpoint Policy Manager Client on an example endpoint 
@@ -15,7 +15,7 @@ pre-installed In the download, find the **Admin Console MSI**and install it by hand on your machine. Your machine needs to also have the GPMC pre-installed from Microsoft. We recommend you have both the Endpoint Policy Manager Admin Console and the GPMC installed on a “fake DC” exclusively for editing purposes. -See the [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) video for +See the [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) video for details and how to do this. **Step 3 –** Install your license key or rename your example endpoint to have computer in the name @@ -25,9 +25,9 @@ computers in the locations (scope) you requested. Alternatively, you can merely have the word Computer in the name, and the computer will act fully licensed. Follow the -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md) +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) video to install a license file. Check the -[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../../license/trial.md) +[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) topic to see how to rename a computer or perform alternative licensing. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/guide.md b/docs/policypak/policypak/gettingstarted/quickstart/guide.md index 974774d76c..a208ed392b 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/guide.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/guide.md 
@@ -1,4 +1,4 @@ # Does Endpoint Policy Manager have a Quick Start Guide? -Yes, see the [Netwrix Endpoint Policy Manager Quick Start](overview.md) topic to help you get +Yes, see the [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) topic to help you get started with Netwrix Endpoint Policy Manager (formerly PolicyPak) immediately. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/guideinstall.md b/docs/policypak/policypak/gettingstarted/quickstart/guideinstall.md index 94696fc3a5..50c088ea5d 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/guideinstall.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/guideinstall.md @@ -1,4 +1,4 @@ # Does Endpoint Policy Manager have an Installation Quick Start Guide? -Yes, see the [Installation Quick Start](overviewinstall.md) topic for information on how to install +Yes, see the [Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) topic for information on how to install Netwrix Endpoint Policy Manager (formerly PolicyPak) . diff --git a/docs/policypak/policypak/gettingstarted/quickstart/mdm.md b/docs/policypak/policypak/gettingstarted/quickstart/mdm.md index 075c131e9a..44cc8400a6 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/mdm.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/mdm.md @@ -1,7 +1,7 @@ # MDM / Intune Delivery Quick Start For a video overview of MDM delivery via Intune, see the -[Endpoint Policy Manager and Microsoft Intune](../../video/mdm/microsoftintune.md). The installation +[Endpoint Policy Manager and Microsoft Intune](/docs/policypak/policypak/video/mdm/microsoftintune.md). The installation steps are below. **Step 1 –** Install the Endpoint Policy Manager Client on an example endpoint. 
@@ -17,7 +17,7 @@ In the download, find the **Admin Console MSI** and install it manually on your machine needs to also have the GPMC pre-installed from Microsoft. It is recommended that you have both the Endpoint Policy Manager Admin Console and the GPMC installed on a “fake DC” exclusively for editing purposes. See the -[How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) video for details +[How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) video for details and how to do this. **Step 3 –** Install your license key or rename your example endpoint to have computer in the name. @@ -26,9 +26,9 @@ and how to do this. computers in the locations (scope) you requested. Alternatively, you can merely rename an endpoint have the word Computer in the name, and the computer will act fully licensed. -Follow the [Endpoint Policy Manager and MDM walk before you run](../../video/mdm/testsample.md) +Follow the [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) video to install an MDM license file. Check the -[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../../license/trial.md) +[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) topic to see how to rename a computer or perform alternative licensing. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/overview.md b/docs/policypak/policypak/gettingstarted/quickstart/overview.md index 77a081cd75..b0a3a7af2c 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/overview.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/overview.md 
@@ -4,7 +4,7 @@ Getting Started First, download the Netwrix Endpoint Policy Manager (formerly PolicyPak) software from the portal at policypak.com. See the -[Endpoint Policy ManagerPortal: How to download Endpoint Policy Manager and get free training](../../video/gettingstarted/freetraining.md) +[Endpoint Policy ManagerPortal: How to download Endpoint Policy Manager and get free training](/docs/policypak/policypak/video/gettingstarted/freetraining.md) topic for video details on downloading. Next, Netwrix Endpoint Policy Manager (formerly PolicyPak) enables you to deliver settings via Group diff --git a/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md b/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md index 254523f54e..9dfeed51d6 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md 
@@ -12,14 +12,14 @@ overview of the process you need to follow: **NOTE:** This guide provides you with the most basic steps to get Endpoint Policy Manager unpacked and installed and ready to use. See the other topics in the parent publication, as well as the -[Knowledge Base](../../install/overview/knowledgebase.md) > All Things Installation & Upkeep and the +[Knowledge Base](/docs/policypak/policypak/install/overview/knowledgebase.md) > All Things Installation & Upkeep and the All Things Installation & Upkeep -[Video Learning Center](../../install/overview/videolearningcenter.md) topics for additional +[Video Learning Center](/docs/policypak/policypak/install/overview/videolearningcenter.md) topics for additional information. If you are unfamiliar with what Endpoint Policy Manager even does, consider watching this two minute overview: -[Endpoint Policy Manager Explained: In about two minutes](../../video/grouppolicy/explained.md). +[Endpoint Policy Manager Explained: In about two minutes](/docs/policypak/policypak/video/grouppolicy/explained.md). For this trial, Endpoint Policy Manager endpoints may be: diff --git a/docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint.md b/docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint.md index e0336b7105..a09a128b09 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint.md 
@@ -25,27 +25,27 @@ on this computer. Here are the two methods of how to rename a computer in Windows to have Computer in the name. -![prepareendpoint1](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint1.webp) +![prepareendpoint1](/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint1.webp) After the example computer is renamed and rebooted, you are ready to install the Endpoint Policy Manager CSE (Client Side Extension.) Locate the Endpoint Policy Manager Build folder and the Client Side Extension (CSE) folder. -![prepareendpoint2](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint2.webp) +![prepareendpoint2](/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint2.webp) Next, install the Endpoint Policy Manager CSE on the endpoint. Use x64 for 64 bit and x86 for 32 bit machines. **NOTE:** See the -[Endpoint Policy Manager ARM Support Supportability Statement](../../requirements/support/arm.md) +[Endpoint Policy Manager ARM Support Supportability Statement](/docs/policypak/policypak/requirements/support/arm.md) topic about Endpoint Policy Manager Support on Arm processors. After the Endpoint Policy Manager CSE is installed, you can test verify that the license is valid because you renamed the computer to have COMPUTER in the name. Open a new command prompt and type the command ppupdate. You should see something similar to the output shown here. -![prepareendpoint3](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint3.webp) +![prepareendpoint3](/img/product_docs/policypak/policypak/gettingstarted/quickstart/prepareendpoint3.webp) The important points to look for are: 
@@ -58,8 +58,8 @@ days after you perform the installation. Therefore, be aware of your Expiration be sooner than expected. See the -[How can I tell how a machine is licensed (by GPO, MDM, or XML file), and also know for what components it is licensed?](../../troubleshooting/license/components.md) +[How can I tell how a machine is licensed (by GPO, MDM, or XML file), and also know for what components it is licensed?](/docs/policypak/policypak/troubleshooting/license/components.md) topic for further details on validating licensing. See also the -[Testing and Troubleshooting By Renaming an endpoint Computer](../../video/troubleshooting/mdm.md) +[Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/troubleshooting/mdm.md) topic for further details showing what happens when you rename a computer and how Endpoint Policy Manager reacts. diff --git a/docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation.md b/docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation.md index 4c0bf11ea5..240f15aa4f 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation.md @@ -7,7 +7,7 @@ wish (Windows 10 or later or Server 2019 or later) as your management station. The Endpoint Policy Manager Admin Console MSI can be found in the download. There is one for 32-bit machines, one for 64-bit machines, and one for Arm machines. -![preparemanagementstation1](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation1.webp) +![preparemanagementstation1](/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation1.webp) ## Option 1 
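Review bot: In the prepareendpoint.md hunk at -58,8, the link titled "Testing and Troubleshooting By Renaming an endpoint Computer" still targets `video/troubleshooting/mdm.md`, while the same title in grouppolicy/overview/videolearningcenter.md, also rewritten in this patch, targets `video/grouppolicy/renameendpoint.md`. The rewrite carries the old target over unchanged, so one of the two is probably pointing at the wrong topic. Please check which file holds that video topic and make both links agree while these lines are being touched.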
@@ -17,19 +17,19 @@ Console (GPMC) installed on it. Therefore, good candidates are your own manageme box” or, if you wish, you may install on a Domain Controller. **TIP**: Use the instructions in the -[What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](../../install/methods.md) +[What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](/docs/policypak/policypak/install/methods.md) topic if you do not yet have the GPMC on your management station. **NOTE:** The Endpoint Policy Manager MMC Group Policy Snap-In does NOT require installation on a Domain Controller, it is simply an option. See the -[Does Endpoint Policy Manager admin console need to be installed on Domain Controller (DC)?](../../install/adminconsole.md) +[Does Endpoint Policy Manager admin console need to be installed on Domain Controller (DC)?](/docs/policypak/policypak/install/adminconsole.md) topic for details. The result of installing the Endpoint Policy Manager MMC Group Policy Snap-In on a management station joined to Active Directory will look like the example below. You’ll see the extra Netwrix nodes alongside the Microsoft nodes. -![preparemanagementstation2](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation2.webp) +![preparemanagementstation2](/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation2.webp) ## Option 2 
@@ -44,9 +44,9 @@ The result of installing the Endpoint Policy Manager MMC Group Policy Snap-In on looks similar to the example below. When you run GPEDIT.MSC with an Administrator command prompt, you’ll see the extra Netwrix nodes alongside the Microsoft nodes. -![preparemanagementstation3](../../../../../static/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation3.webp) +![preparemanagementstation3](/img/product_docs/policypak/policypak/gettingstarted/quickstart/preparemanagementstation3.webp) Additional resources you may be interested in: -- [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) -- [Admin Console And CSE Installation](../../video/grouppolicy/install.md) +- [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) +- [Admin Console And CSE Installation](/docs/policypak/policypak/video/grouppolicy/install.md) diff --git a/docs/policypak/policypak/gettingstarted/quickstart/specificcomponents.md b/docs/policypak/policypak/gettingstarted/quickstart/specificcomponents.md index b0e63eec61..b9fb74e205 100644 --- a/docs/policypak/policypak/gettingstarted/quickstart/specificcomponents.md +++ b/docs/policypak/policypak/gettingstarted/quickstart/specificcomponents.md 
@@ -3,21 +3,21 @@ Endpoint Policy Manager is now installed on an endpoint (which is temporarily licensed) and you have a management station from which to create policies. To get a quick rundown of Endpoint Policy Manager using the Group Policy Method, watch the -[Endpoint Policy Manager with Group Policy Method: Getting Started](../../video/grouppolicy/gettingstarted.md) +[Endpoint Policy Manager with Group Policy Method: Getting Started](/docs/policypak/policypak/video/grouppolicy/gettingstarted.md) video. To get a quick rundown of Endpoint Policy Manager using the MDM / Intune Method, watch the -[Endpoint Policy Manager and MDM walk before you run](../../video/mdm/testsample.md) video. +[Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) video. TIPS: - You won’t need a license file because you’re licensed with COMPUTER in the computer name. - See the Getting Started with MDM > Video Learning Center > - [Getting Started](../../mdm/overview/videolearningcenter.md#getting-started) topic for additional + [Getting Started](/docs/policypak/policypak/mdm/overview/videolearningcenter.md#getting-started) topic for additional demonstrations using specific MDM services like Intune and VMware Workspace one. If you want to go beyond the basics and really dive in to each component, like Endpoint Policy Manager Least Privilege Manager or Endpoint Policy Manager Device Manager, or any of our components, see the -[Netwrix Endpoint Policy Manager (formerly PolicyPak) Knowledge Base Articles](../../knowledgebase.md) +[Netwrix Endpoint Policy Manager (formerly PolicyPak) Knowledge Base Articles](/docs/policypak/policypak/knowledgebase.md) topic, then locate the component of interest and its corresponding Knowledge Base articles and Video Learning Center topics. For true mastery on the basics of a component, you should watch all the videos in order within the Getting Started section of the Video Learning Center topics. These answer 
diff --git a/docs/policypak/policypak/gettingstarted/rightclick.md b/docs/policypak/policypak/gettingstarted/rightclick.md index 16fe630ba5..3c1e76223f 100644 --- a/docs/policypak/policypak/gettingstarted/rightclick.md +++ b/docs/policypak/policypak/gettingstarted/rightclick.md @@ -8,18 +8,18 @@ regardless if the Endpoint Policy Manager SecureCopy function is used or not. In are no rules at all, you will still see the Netwrix Endpoint Policy Manager menu and Copy with Endpoint Policy Manager SecureCopy™. -![997_1_image-20240202201306-1_950x729](../../../../static/img/product_docs/policypak/policypak/gettingstarted/997_1_image-20240202201306-1_950x729.webp) +![997_1_image-20240202201306-1_950x729](/img/product_docs/policypak/policypak/gettingstarted/997_1_image-20240202201306-1_950x729.webp) If you add other options which use the Netwrix Endpoint Policy Manager right-click menu, you will see those correct (available, un-gray) options and also the Un-used (un-available, grayed) **Copy with** Endpoint Policy Manager **SecureCopy** option. -![997_2_image-20240202201306-2_950x683](../../../../static/img/product_docs/policypak/policypak/gettingstarted/997_2_image-20240202201306-2_950x683.webp) +![997_2_image-20240202201306-2_950x683](/img/product_docs/policypak/policypak/gettingstarted/997_2_image-20240202201306-2_950x683.webp) Only after Endpoint Policy Manager SecureCopy™ is available, will that option become un-gray and usable. -![997_3_image-20240202201306-3_950x776](../../../../static/img/product_docs/policypak/policypak/gettingstarted/997_3_image-20240202201306-3_950x776.webp) +![997_3_image-20240202201306-3_950x776](/img/product_docs/policypak/policypak/gettingstarted/997_3_image-20240202201306-3_950x776.webp) In other words, **Copy with** Endpoint Policy Manager **SecureCopy** will always show in Windows 11, whether it is available (Ungray) or unavailable (Gray.) 
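Review bot: All three image lines in rightclick.md keep an export filename as alt text (for example `997_1_image-20240202201306-1_950x729`), which tells a screen-reader user, or anyone with images blocked, nothing about the screenshot. Since each of these lines is being rewritten anyway, replace the alt text with a short description of what is shown, such as the right-click menu with the Copy with SecureCopy entry grayed out.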
diff --git a/docs/policypak/policypak/gpoexport/delivercertificates.md b/docs/policypak/policypak/gpoexport/delivercertificates.md index 255bccfbac..028403ae38 100644 --- a/docs/policypak/policypak/gpoexport/delivercertificates.md +++ b/docs/policypak/policypak/gpoexport/delivercertificates.md @@ -5,10 +5,10 @@ example, by following thse steps: **Step 1 –** Create a real GPO. -![663_1_q10-img-1](../../../../static/img/product_docs/policypak/policypak/cloud/security/580_1_q10-img-1.webp) +![663_1_q10-img-1](/img/product_docs/policypak/policypak/cloud/security/580_1_q10-img-1.webp) **Step 2 –** Export it using PP Settings Manager to an XML. See the -[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../video/cloud/deploy/grouppolicysettings.md) topic +[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md) topic for additional information. **Step 3 –** Uplaod it to Endpoint Policy Manager Cloud. This would make the specified cert Trusted @@ -23,4 +23,4 @@ MDM. Inside the exported XML you can see the certificate embedded like this and ready for use. -![663_2_q10-img-2](../../../../static/img/product_docs/policypak/policypak/cloud/security/580_2_q10-img-2.webp) +![663_2_q10-img-2](/img/product_docs/policypak/policypak/cloud/security/580_2_q10-img-2.webp) diff --git a/docs/policypak/policypak/gpoexport/overview/knowledgebase.md b/docs/policypak/policypak/gpoexport/overview/knowledgebase.md index 94f3b2337c..2be81787ce 100644 --- a/docs/policypak/policypak/gpoexport/overview/knowledgebase.md +++ b/docs/policypak/policypak/gpoexport/overview/knowledgebase.md 
@@ -5,35 +5,35 @@ See the following Knowledge Base articles for GPO Export Merge, Admin Templates ## GPO Export Manager: Getting Started -- [Which security settings can be exported by GPO Export Manager?](../securitysettings.md) -- [Why must some GPPreferences items be run in User Context?](../usercontext.md) +- [Which security settings can be exported by GPO Export Manager?](/docs/policypak/policypak/gpoexport/securitysettings.md) +- [Why must some GPPreferences items be run in User Context?](/docs/policypak/policypak/gpoexport/usercontext.md) ## Admin Templates Manager: Tips and Tricks -- [Which settings can be managed with the Admin Templates Manager component?](../../adminstrativetemplates/settings.md) -- [How do I disable elements in Office (Outlook, etc.) using Endpoint Policy Manager and ADMX files?](../../adminstrativetemplates/disableofficeelements.md) +- [Which settings can be managed with the Admin Templates Manager component?](/docs/policypak/policypak/adminstrativetemplates/settings.md) +- [How do I disable elements in Office (Outlook, etc.) using Endpoint Policy Manager and ADMX files?](/docs/policypak/policypak/adminstrativetemplates/disableofficeelements.md) ## Admin Templates Manager: Troubleshooting -- [What Admin Console MSI and CSE versions are supported for Endpoint Policy Manager Admin Templates Manager ?](../../adminstrativetemplates/versions.md) -- [I created a Collection and/or items, but I don't see them in the Group Policy settings report. Why and how can I fix it?](../../troubleshooting/administrativetemplates/settingsreport.md) -- [I've created a collection in the Administrative Templates Manager and I've added policies to that collection. However, they are not showing up in the main window.](../../troubleshooting/administrativetemplates/missingcollections.md) -- [I get a "Policy Duplicates" error when adding new policies using Endpoint Policy Manager Admin Templates Manager. 
What should I do?](../../troubleshooting/error/admintemplates/policyduplicates.md) -- [I get a "Namespace already defined" error when making new Endpoint Policy Manager Admin Templates Manager policies. What is this?](../../troubleshooting/error/admintemplates/namespacealreadydefined.md) -- [How to Mitigate Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)](../../troubleshooting/administrativetemplates/vulnerability/windowsprintspooler.md) +- [What Admin Console MSI and CSE versions are supported for Endpoint Policy Manager Admin Templates Manager ?](/docs/policypak/policypak/adminstrativetemplates/versions.md) +- [I created a Collection and/or items, but I don't see them in the Group Policy settings report. Why and how can I fix it?](/docs/policypak/policypak/troubleshooting/administrativetemplates/settingsreport.md) +- [I've created a collection in the Administrative Templates Manager and I've added policies to that collection. However, they are not showing up in the main window.](/docs/policypak/policypak/troubleshooting/administrativetemplates/missingcollections.md) +- [I get a "Policy Duplicates" error when adding new policies using Endpoint Policy Manager Admin Templates Manager. What should I do?](/docs/policypak/policypak/troubleshooting/error/admintemplates/policyduplicates.md) +- [I get a "Namespace already defined" error when making new Endpoint Policy Manager Admin Templates Manager policies. 
What is this?](/docs/policypak/policypak/troubleshooting/error/admintemplates/namespacealreadydefined.md) +- [How to Mitigate Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)](/docs/policypak/policypak/troubleshooting/administrativetemplates/vulnerability/windowsprintspooler.md) ## Exporting Group Policy Preferences / Using Endpoint Policy Preferences Manager -- [Where is my Endpoint Policy Manager Preferences Component license and how do I request one?](../../preferences/componentlicense.md) -- [Which settings can be managed with the Preferences Manager component?](../../preferences/settings.md) -- [How To deploy a TCP/IP Printer using Group Policy Preferences in Endpoint Policy Manager Cloud ](../../preferences/printerdeploy.md) -- [Why do I see slowdowns on my machines when Endpoint Policy Manager Preferences is licensed and computers domain joined? Can this be worked around?](../../troubleshooting/preferences/domainjoined.md) -- [How to deliver network drive mappings using Group Policy Preferences on the computer side](../../preferences/drivemappings.md) -- [How to enable and start a service using Group Policy Preferences](../../preferences/startservice.md) -- [How do I use passwords with Group Policy Preferences items within Endpoint Policy Manager Cloud?](../../preferences/passwords.md) +- [Where is my Endpoint Policy Manager Preferences Component license and how do I request one?](/docs/policypak/policypak/preferences/componentlicense.md) +- [Which settings can be managed with the Preferences Manager component?](/docs/policypak/policypak/preferences/settings.md) +- [How To deploy a TCP/IP Printer using Group Policy Preferences in Endpoint Policy Manager Cloud ](/docs/policypak/policypak/preferences/printerdeploy.md) +- [Why do I see slowdowns on my machines when Endpoint Policy Manager Preferences is licensed and computers domain joined? 
Can this be worked around?](/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md) +- [How to deliver network drive mappings using Group Policy Preferences on the computer side](/docs/policypak/policypak/preferences/drivemappings.md) +- [How to enable and start a service using Group Policy Preferences](/docs/policypak/policypak/preferences/startservice.md) +- [How do I use passwords with Group Policy Preferences items within Endpoint Policy Manager Cloud?](/docs/policypak/policypak/preferences/passwords.md) ## Exporting Group Policy Security Settings / Using Endpoint Policy Manager Security Settings Manager -- [Can I use Endpoint Policy Manager Cloud to deliver certificates ?](../delivercertificates.md) -- [Why Won't my Windows Security Settings Export using GPO Export Manager](../../troubleshooting/gpoexport/securitysettings.md) -- [Why do I sometimes see Endpoint Policy Manager Cloud security settings and sometimes see on-prem GPO security settings?](../../troubleshooting/gpoexport/onpremisecloud.md) +- [Can I use Endpoint Policy Manager Cloud to deliver certificates ?](/docs/policypak/policypak/gpoexport/delivercertificates.md) +- [Why Won't my Windows Security Settings Export using GPO Export Manager](/docs/policypak/policypak/troubleshooting/gpoexport/securitysettings.md) +- [Why do I sometimes see Endpoint Policy Manager Cloud security settings and sometimes see on-prem GPO security settings?](/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md) diff --git a/docs/policypak/policypak/gpoexport/overview/videolearningcenter.md b/docs/policypak/policypak/gpoexport/overview/videolearningcenter.md index 827cf16ffe..74c7f89fca 100644 --- a/docs/policypak/policypak/gpoexport/overview/videolearningcenter.md +++ b/docs/policypak/policypak/gpoexport/overview/videolearningcenter.md 
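Review bot: In gpoexport/overview/knowledgebase.md, the three Admin Templates Manager links to `settings.md`, `disableofficeelements.md` and `versions.md` now hard-code `/docs/policypak/policypak/adminstrativetemplates/` (missing an "i"), while the troubleshooting links in the same list use `troubleshooting/administrativetemplates/`. The misspelling predates this change, but absolute paths spread it further. Confirm the directory really exists under that spelling, and consider renaming it in a follow-up so the two spellings do not coexist.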
@@ -4,34 +4,34 @@ See the following Video topics for GPO Export Merge, Admin Templates, and Prefe ## Exporting to Cloud, MDM, and SCCM: Getting Started -- [Export Real GPO settings for use with PP Cloud or any MDM Service.](../../video/gpoexport/realgposettings.md) -- [Use your GPOs with Endpoint Policy Manager Cloud](../../video/gpoexport/cloudimport.md) -- [Endpoint Policy Export Manager with MDM (like Intune)](../../video/gpoexport/mdm.md) -- [Endpoint Policy Manager Exporter and SCCM: Deploy real GPOs via SCCM](../../video/gpoexport/sccm.md) -- [GPO MERGE TOOL REVERSE](../../video/gpoexport/mergetool.md) +- [Export Real GPO settings for use with PP Cloud or any MDM Service.](/docs/policypak/policypak/video/gpoexport/realgposettings.md) +- [Use your GPOs with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/gpoexport/cloudimport.md) +- [Endpoint Policy Export Manager with MDM (like Intune)](/docs/policypak/policypak/video/gpoexport/mdm.md) +- [Endpoint Policy Manager Exporter and SCCM: Deploy real GPOs via SCCM](/docs/policypak/policypak/video/gpoexport/sccm.md) +- [GPO MERGE TOOL REVERSE](/docs/policypak/policypak/video/gpoexport/mergetool.md) ## Admin Templates Manager: Getting Started -- [Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](../../video/administrativetemplates/collections.md) -- [Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](../../video/administrativetemplates/switchedpolicies.md) +- [Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](/docs/policypak/policypak/video/administrativetemplates/collections.md) +- [Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](/docs/policypak/policypak/video/administrativetemplates/switchedpolicies.md) ## Admin Templates Methods: Cloud, MDM, SCCM, etc. 
-- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../../video/mdm/exportgpos.md) -- [Endpoint Policy Manager Cloud: Deploy Group Policy Admin template settings over the internet](../../video/administrativetemplates/deployinternet.md) +- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/mdm/exportgpos.md) +- [Endpoint Policy Manager Cloud: Deploy Group Policy Admin template settings over the internet](/docs/policypak/policypak/video/administrativetemplates/deployinternet.md) ## Admin Templates: Tips & Tricks -- [The Ultimate Guide to Managing Screensavers](../../video/administrativetemplates/screensavers.md) +- [The Ultimate Guide to Managing Screensavers](/docs/policypak/policypak/video/administrativetemplates/screensavers.md) ## Getting Started: Preferences 2.0 -- [Endpoint Policy Manager Preferences: Printers (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](../../video/preferences/consolidateprinter.md) -- [Endpoint Policy Manager Preferences: Drive Maps (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](../../video/preferences/drivemaps.md) -- [Endpoint Policy Manager Preferences: Registry Items (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](../../video/preferences/consolidateregistry.md) -- [Endpoint Policy Manager Preferences: Shortcuts (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](../../video/preferences/shortcuts.md) +- [Endpoint Policy Manager Preferences: Printers (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](/docs/policypak/policypak/video/preferences/consolidateprinter.md) +- [Endpoint Policy Manager Preferences: Drive Maps (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](/docs/policypak/policypak/video/preferences/drivemaps.md) +- [Endpoint Policy Manager Preferences: Registry 
Items (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](/docs/policypak/policypak/video/preferences/consolidateregistry.md) +- [Endpoint Policy Manager Preferences: Shortcuts (Consolidate GPOs and also deploy them via PP Cloud and your MDM service)](/docs/policypak/policypak/video/preferences/shortcuts.md) ## Exporting Group Policy Preferences / Using Endpoint Policy Preferences Manager -- [Deliver GPPrefs items without using loopback mode](../../video/preferences/delivergpprefs.md) -- [Endpoint Policy Manager Cloud: Use PP Cloud to create a new local user on your endpoints](../../video/preferences/cloudlocaluser.md) +- [Deliver GPPrefs items without using loopback mode](/docs/policypak/policypak/video/preferences/delivergpprefs.md) +- [Endpoint Policy Manager Cloud: Use PP Cloud to create a new local user on your endpoints](/docs/policypak/policypak/video/preferences/cloudlocaluser.md) diff --git a/docs/policypak/policypak/gpoexport/usercontext.md b/docs/policypak/policypak/gpoexport/usercontext.md index 6853a7a4cf..01ff1101d6 100644 --- a/docs/policypak/policypak/gpoexport/usercontext.md +++ b/docs/policypak/policypak/gpoexport/usercontext.md 
@@ -19,19 +19,19 @@ that this might change the expected behavior in production for existing Group Po items. But you can at least perform this action on one or two items to verify if this is actually the problem. -![403_1_hfkb-1131-img-01_950x470](../../../../static/img/product_docs/policypak/policypak/gpoexport/403_1_hfkb-1131-img-01_950x470.webp) +![403_1_hfkb-1131-img-01_950x470](/img/product_docs/policypak/policypak/gpoexport/403_1_hfkb-1131-img-01_950x470.webp) ## Hand edit the setting within the XML after export Group Policy Preferences items can be viewed as XML and then hand-edited. Items in the SYSTEM context will appear as `userContext = "0"`. -![403_2_hfkb-1131-img-02_950x173](../../../../static/img/product_docs/policypak/policypak/gpoexport/403_2_hfkb-1131-img-02_950x173.webp) +![403_2_hfkb-1131-img-02_950x173](/img/product_docs/policypak/policypak/gpoexport/403_2_hfkb-1131-img-02_950x173.webp) You may hand-edit them to `userContext = "1"` like what's seen here, to use them with non-domain joined machines. -![403_3_hfkb-1131-img-03_950x147](../../../../static/img/product_docs/policypak/policypak/gpoexport/403_3_hfkb-1131-img-03_950x147.webp) +![403_3_hfkb-1131-img-03_950x147](/img/product_docs/policypak/policypak/gpoexport/403_3_hfkb-1131-img-03_950x147.webp) ## Use the GPO Export Manager to automatically detect and change the setting (works for Printers items only) @@ -41,7 +41,7 @@ you which would flip any / all of them to the User context. The GPO Export Manag for Printer items at this time and will make this recommendation if you have items on the USER or COMPUTER side, and when the context is SYSTEM and should be USER. -![403_4_hfkb-1131-img-04_950x466](../../../../static/img/product_docs/policypak/policypak/gpoexport/403_4_hfkb-1131-img-04_950x466.webp) +![403_4_hfkb-1131-img-04_950x466](/img/product_docs/policypak/policypak/gpoexport/403_4_hfkb-1131-img-04_950x466.webp) ## More details: 
@@ -54,4 +54,4 @@ user might be, and can use his pass-thru credentials to make that shared printer If you fail to change the context from System to User and attempt to map a printer, you will get the following in the Group Policy Preferences Trace logs, which show the Access Denied details. -![403_5_hfkb-1131-img-05_950x612](../../../../static/img/product_docs/policypak/policypak/gpoexport/403_5_hfkb-1131-img-05_950x612.webp) +![403_5_hfkb-1131-img-05_950x612](/img/product_docs/policypak/policypak/gpoexport/403_5_hfkb-1131-img-05_950x612.webp) diff --git a/docs/policypak/policypak/grouppolicy/insertuserinfo.md b/docs/policypak/policypak/grouppolicy/insertuserinfo.md index 93e4468777..a3fbd40094 100644 --- a/docs/policypak/policypak/grouppolicy/insertuserinfo.md +++ b/docs/policypak/policypak/grouppolicy/insertuserinfo.md @@ -14,7 +14,7 @@ Preferences. This topic demonstrates how to read that information from Active Directory User Object attributes, and insert that data for the Identity tab in Adobe Acrobat. -![687_1_image-20200219090943-1_680x434](../../../../static/img/product_docs/policypak/policypak/grouppolicy/687_1_image-20200219090943-1_680x434.webp) +![687_1_image-20200219090943-1_680x434](/img/product_docs/policypak/policypak/grouppolicy/687_1_image-20200219090943-1_680x434.webp) ## Solution 
@@ -35,27 +35,27 @@ Reg Location: `HKEY_CUIRRENT_USER\Software\Adobe\Adobe Acrobat\DC\Identity` Reg Value:`tEMail – tFirstName – tLastName – tName – tTitle` -![687_2_image-20200219090943-2_787x233](../../../../static/img/product_docs/policypak/policypak/grouppolicy/687_2_image-20200219090943-2_787x233.webp) +![687_2_image-20200219090943-2_787x233](/img/product_docs/policypak/policypak/grouppolicy/687_2_image-20200219090943-2_787x233.webp) **Step 4 –** Click on the **Common** tab, under each Reg item, and select **Run** in the logged-on user's security context **Step 5 –** Check the Item-level targeting box and click **Targeting**. -![687_3_image-20200219090943-3_388x184](../../../../static/img/product_docs/policypak/policypak/grouppolicy/687_3_image-20200219090943-3_388x184.webp) +![687_3_image-20200219090943-3_388x184](/img/product_docs/policypak/policypak/grouppolicy/687_3_image-20200219090943-3_388x184.webp) **Step 6 –** From the **New Item** drop-down, select LDAP and define the filter as below. `&(objectClass=User)(sAMAccountName=%USERNAME%)` -![687_4_image-20200219090943-4_674x261](../../../../static/img/product_docs/policypak/policypak/grouppolicy/687_4_image-20200219090943-4_674x261.webp) +![687_4_image-20200219090943-4_674x261](/img/product_docs/policypak/policypak/grouppolicy/687_4_image-20200219090943-4_674x261.webp) **NOTE:** This step lets you access the AD user object attribute for the logged-on user, and turn them into variables for use within the Registry Preferences. **Step 7 –** Use both variables to get the user's First and Last name and save them in a Reg Item. 
-![687_5_image-20200219090943-5_405x314](../../../../static/img/product_docs/policypak/policypak/grouppolicy/687_5_image-20200219090943-5_405x314.webp) +![687_5_image-20200219090943-5_405x314](/img/product_docs/policypak/policypak/grouppolicy/687_5_image-20200219090943-5_405x314.webp) This will read First and Last Name values from AD User Object's attribute and save it for tName registry value for Adobe Acrobat. diff --git a/docs/policypak/policypak/grouppolicy/itemleveltargeting/cachepreferences.md b/docs/policypak/policypak/grouppolicy/itemleveltargeting/cachepreferences.md index 0a8aa1f4e0..5caf19c370 100644 --- a/docs/policypak/policypak/grouppolicy/itemleveltargeting/cachepreferences.md +++ b/docs/policypak/policypak/grouppolicy/itemleveltargeting/cachepreferences.md @@ -24,4 +24,4 @@ use the results. If it does not complete in time, we use cached results and cont If you want to manipulate how long the ILT timeout occurs, we have a policy setting in the Endpoint Policy Manager ADMX settings here: -![499_1_q15-img1](../../../../../static/img/product_docs/policypak/policypak/grouppolicy/itemleveltargeting/499_1_q15-img1.webp) +![499_1_q15-img1](/img/product_docs/policypak/policypak/grouppolicy/itemleveltargeting/499_1_q15-img1.webp) diff --git a/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md b/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md index 01f8568afb..ac534efe5a 100644 --- a/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md +++ b/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md 
@@ -4,17 +4,17 @@ See the following Knowledge Base articles for getting started with Group Policy. ## Troubleshooting -- [How can I find the name of a GPO located within a PP Log file?](../../troubleshooting/log/grouppolicy/guid.md) -- [How does caching of item level targeting work when Microsoft ILT (Preferences ILT) is used?](../itemleveltargeting/cachepreferences.md) -- [How does caching of Item Level Targeting work when Endpoint Policy Manager ILT (ILT 2.0 Engine) is used?](../itemleveltargeting/cacheengine.md) -- [How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support (when using Preferences ILT engine)?](../../troubleshooting/log/itemleveltargeting/preferences.md) -- [Microsoft August 2024 Updates Breaking New Item-Level Targeting in GPOs](../../troubleshooting/log/itemleveltargeting/itemleveltargeting.md) -- [The Group Policy "Reporting ADM" appears to stop functioning in one GPO. What can I do to fix it?](../../troubleshooting/reportingadm.md) +- [How can I find the name of a GPO located within a PP Log file?](/docs/policypak/policypak/troubleshooting/log/grouppolicy/guid.md) +- [How does caching of item level targeting work when Microsoft ILT (Preferences ILT) is used?](/docs/policypak/policypak/grouppolicy/itemleveltargeting/cachepreferences.md) +- [How does caching of Item Level Targeting work when Endpoint Policy Manager ILT (ILT 2.0 Engine) is used?](/docs/policypak/policypak/grouppolicy/itemleveltargeting/cacheengine.md) +- [How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support (when using Preferences ILT engine)?](/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/preferences.md) +- [Microsoft August 2024 Updates Breaking New Item-Level Targeting in GPOs](/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting.md) +- [The Group Policy "Reporting ADM" appears to stop functioning in one GPO. 
What can I do to fix it?](/docs/policypak/policypak/troubleshooting/reportingadm.md) ## Tips, Tricks and FAQs -- [How to insert User information in any Application via Group Policies?](../insertuserinfo.md) +- [How to insert User information in any Application via Group Policies?](/docs/policypak/policypak/grouppolicy/insertuserinfo.md) ## Endpoint Policy Manager Group Policy -- [How to use PDQ Deploy to collect PPLOGS from remote computers then save them to a network location](../pdqdeploy.md) +- [How to use PDQ Deploy to collect PPLOGS from remote computers then save them to a network location](/docs/policypak/policypak/grouppolicy/pdqdeploy.md) diff --git a/docs/policypak/policypak/grouppolicy/overview/videolearningcenter.md b/docs/policypak/policypak/grouppolicy/overview/videolearningcenter.md index 4c22a93eba..2106cfa78e 100644 --- a/docs/policypak/policypak/grouppolicy/overview/videolearningcenter.md +++ b/docs/policypak/policypak/grouppolicy/overview/videolearningcenter.md 
@@ -4,17 +4,17 @@ See the following Video topics for getting started with Group Policy. ## Getting Started -- [Endpoint Policy Manager Explained: In about two minutes](../../video/grouppolicy/explained.md) -- [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) -- [Admin Console And CSE Installation](../../video/grouppolicy/install.md) -- [Endpoint Policy Manager with Group Policy Method: Getting Started](../../video/grouppolicy/gettingstarted.md) -- [Testing and Troubleshooting By Renaming an endpoint Computer](../../video/grouppolicy/renameendpoint.md) -- [Integration with Group Policy (Basics: Installation, Backup, Restore and Reporting !)](../../video/grouppolicy/integration.md) +- [Endpoint Policy Manager Explained: In about two minutes](/docs/policypak/policypak/video/grouppolicy/explained.md) +- [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) +- [Admin Console And CSE Installation](/docs/policypak/policypak/video/grouppolicy/install.md) +- [Endpoint Policy Manager with Group Policy Method: Getting Started](/docs/policypak/policypak/video/grouppolicy/gettingstarted.md) +- [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/grouppolicy/renameendpoint.md) +- [Integration with Group Policy (Basics: Installation, Backup, Restore and Reporting !)](/docs/policypak/policypak/video/grouppolicy/integration.md) ## Tips and Tricks -- [Manual editing Item Level Targeting to affect local Admins and other local accounts](../../video/grouppolicy/itemleveltargeting/editmanual.md) -- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../../video/mdm/exportgpos.md) -- [Expand Modular View of Endpoint Policy Manager Components in the GPMC back to the Flat Legacy View](../../video/grouppolicy/flatlegacyview.md) -- [Trim the MMC console for OU admins](../../video/grouppolicy/mmcconsole.md) -- [Prevent a Remote Desktop 
Connection Drop During GP Update](../../video/troubleshooting/grouppolicy/remotedesktopconnection.md) +- [Manual editing Item Level Targeting to affect local Admins and other local accounts](/docs/policypak/policypak/video/grouppolicy/itemleveltargeting/editmanual.md) +- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/mdm/exportgpos.md) +- [Expand Modular View of Endpoint Policy Manager Components in the GPMC back to the Flat Legacy View](/docs/policypak/policypak/video/grouppolicy/flatlegacyview.md) +- [Trim the MMC console for OU admins](/docs/policypak/policypak/video/grouppolicy/mmcconsole.md) +- [Prevent a Remote Desktop Connection Drop During GP Update](/docs/policypak/policypak/video/troubleshooting/grouppolicy/remotedesktopconnection.md) diff --git a/docs/policypak/policypak/grouppolicy/pdqdeploy.md b/docs/policypak/policypak/grouppolicy/pdqdeploy.md index f9b135fcd3..ad9ee62478 100644 --- a/docs/policypak/policypak/grouppolicy/pdqdeploy.md +++ b/docs/policypak/policypak/grouppolicy/pdqdeploy.md @@ -6,7 +6,7 @@ **Step 2 –** Under Steps choose **Command**. -![784_1_hf-faq-914-img-01](../../../../static/img/product_docs/policypak/policypak/grouppolicy/784_1_hf-faq-914-img-01.webp) +![784_1_hf-faq-914-img-01](/img/product_docs/policypak/policypak/grouppolicy/784_1_hf-faq-914-img-01.webp) **Step 3 –** Give the Step a descriptive name, like Collect PPLOGS as User, then, under **Details tab** > **Command** type or paste in the command below. Replace \\server\share with a valid network 
@@ -15,16 +15,16 @@ choose. `echo y|pplogs /out:\\server\share\pplogs\%computername%\pplogs-%computername%-%username%.zip` -![784_3_hf-faq-914-img-02_950x110](../../../../static/img/product_docs/policypak/policypak/grouppolicy/784_3_hf-faq-914-img-02_950x110.webp) +![784_3_hf-faq-914-img-02_950x110](/img/product_docs/policypak/policypak/grouppolicy/784_3_hf-faq-914-img-02_950x110.webp) **Step 4 –** Under the **Options** tab set the **Run As** to **Logged on User**, then click **Save** to save your progress so far. -![784_5_hf-faq-914-img-03_950x134](../../../../static/img/product_docs/policypak/policypak/grouppolicy/784_5_hf-faq-914-img-03_950x134.webp) +![784_5_hf-faq-914-img-03_950x134](/img/product_docs/policypak/policypak/grouppolicy/784_5_hf-faq-914-img-03_950x134.webp) **Step 5 –** Select the **New Step** dropdown and choose **Command** from the dropdown list. -![784_7_hf-faq-914-img-04](../../../../static/img/product_docs/policypak/policypak/grouppolicy/784_7_hf-faq-914-img-04.webp) +![784_7_hf-faq-914-img-04](/img/product_docs/policypak/policypak/grouppolicy/784_7_hf-faq-914-img-04.webp) **Step 6 –** Give the Step a descriptive name, like. Collect PPLOGS as Admin), and then under **Details tab** > **Command** type or paste in the command below, replacing \\server\share with a @@ -35,4 +35,4 @@ valid network path for your environment. **Step 7 –** Click **Save**, then test your deployment. Once the deployment has executed successfully check your network share to see the results. -![784_9_hf-faq-914-img-05](../../../../static/img/product_docs/policypak/policypak/grouppolicy/784_9_hf-faq-914-img-05.webp) +![784_9_hf-faq-914-img-05](/img/product_docs/policypak/policypak/grouppolicy/784_9_hf-faq-914-img-05.webp) diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/deliveryreports.md b/docs/policypak/policypak/grouppolicycompliancereporter/deliveryreports.md index bb67f6c3d4..096878d19f 100644 
--- a/docs/policypak/policypak/grouppolicycompliancereporter/deliveryreports.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/deliveryreports.md @@ -20,7 +20,7 @@ mechanism." [https://www.policypak.com/products/policypak-compliance-reporter.h To answer question #2: Use the free Endpoint Policy Manager Cloud reporting tool. The Endpoint Policy Manager Cloud reporting tool can tell you "Did your Endpoint Policy Manager cloud directives make it there, when using Endpoint Policy Manager Cloud as the settings deliver -mechanism." [Endpoint Policy Manager Cloud Reporting Demo](../video/cloud/reports.md) +mechanism." [Endpoint Policy Manager Cloud Reporting Demo](/docs/policypak/policypak/video/cloud/reports.md) To answer question #3: Use your MDM service to tell you if your MSI package made it there. [https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-MSI-App-deployments-in-Microsoft/ba-p/359125](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-MSI-App-deployments-in-Microsoft/ba-p/359125) 
@@ -30,11 +30,11 @@ Policy Compliance reporter? When you acquire a Endpoint Policy Manager Cloud license, you can get directives from Endpoint Policy Manager Cloud -or- Group Policy (or both.) -[[Can I use both Endpoint Policy ManagerOn Premise mode and Endpoint Policy Manager Cloud simultaneously? Do they clash?](../tips/onpremisecloud.md)] +[[Can I use both Endpoint Policy ManagerOn Premise mode and Endpoint Policy Manager Cloud simultaneously? Do they clash?](/docs/policypak/policypak/tips/onpremisecloud.md)] As such, you might want to deliver some settings via Endpoint Policy Manager Cloud and other settings using Group -Policy.[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../video/cloud/integration/onpremise.md) +Policy.[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md) In this scenario: @@ -53,4 +53,4 @@ reporter… To report on the Group Policy delivered GPOs. In Endpoint Policy Manager Cloud, the on-prem Endpoint Policy Manager Group Policy Compliance Reporter license will look like this… and this is a paid extra for Endpoint Policy Manager Cloud. -![684_1_gpcr-faq-2-img-1](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/684_1_gpcr-faq-2-img-1.webp) +![684_1_gpcr-faq-2-img-1](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/684_1_gpcr-faq-2-img-1.webp) diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/domainmultiple.md b/docs/policypak/policypak/grouppolicycompliancereporter/domainmultiple.md index 69b763d247..3a62616113 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/domainmultiple.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/domainmultiple.md 
@@ -11,12 +11,12 @@ you recently downloaded the BITS from the portal **Step 3 –** Work through this video to install Compliance Reporter -- [Installing Compliance Reporter Server and Client](../video/gpocompilancereporter/install.md) +- [Installing Compliance Reporter Server and Client](/docs/policypak/policypak/video/gpocompilancereporter/install.md) **Step 4 –** Work through this video to setup Compliance Reporter and for machines to report in (this is the Server version) -- [Setting up Client-less Endpoint Auditing (Push Mode with Server)](../video/gpocompilancereporter/modepush.md) +- [Setting up Client-less Endpoint Auditing (Push Mode with Server)](/docs/policypak/policypak/video/gpocompilancereporter/modepush.md) ## From within the videos above, here is a summary of some important steps: @@ -77,7 +77,7 @@ that are representative of the site and its population (and how the AD group pla 2. Will need the server name (shortname or FQDN) for this step 3. Will need to be able to create a GPO or export and import later for this step -![758_1_image-20200130171300-1_950x485](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/758_1_image-20200130171300-1_950x485.webp) +![758_1_image-20200130171300-1_950x485](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/758_1_image-20200130171300-1_950x485.webp) ## Enabling Other Domains to connect to GPCR @@ -105,4 +105,4 @@ Domain 2 and deploy it there - Therefore the workaround as noted above is to create the corresponding local domain group of the same name as the primary GPCR domain - ![758_3_image-20200130171300-2](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/758_3_image-20200130171300-2.webp) + ![758_3_image-20200130171300-2](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/758_3_image-20200130171300-2.webp) 
diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/grouppolicyresults.md b/docs/policypak/policypak/grouppolicycompliancereporter/grouppolicyresults.md index 1eb1984f98..96590c233d 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/grouppolicyresults.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/grouppolicyresults.md @@ -7,7 +7,7 @@ Figure 1). The Microsoft report tells the administrator what one user on any one does. It does not describe whether that user or system is actually in compliance with an established IT baseline. -![gpcr_concepts_and_quickstart](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart.webp) +![gpcr_concepts_and_quickstart](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart.webp) Figure 1. Microsoft Group Policy Results Report targets a single user on a single machine. @@ -15,7 +15,7 @@ In order to assess compliance with the in-box Group Policy Results Report, the r must be reviewed manually. Admins must go through the reports for each machine and user combination to determine whether specific settings have been applied. -![gpcr_concepts_and_quickstart_1](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_1.webp) +![gpcr_concepts_and_quickstart_1](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_1.webp) Figure 2. The Group Policy Results Report. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/install.md b/docs/policypak/policypak/grouppolicycompliancereporter/install.md index b61371909d..6e73316307 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/install.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/install.md 
@@ -28,7 +28,7 @@ Authentication must be set to allow both SQL and windows authentication **Step 3 –** On the Server Properties page click on the "Security" tab and set the Server authentication to "SQL Server and Windows Authentication" -![673_1_image-20200430140138-1](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_1_image-20200430140138-1.webp) +![673_1_image-20200430140138-1](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_1_image-20200430140138-1.webp) **Step 4 –** Click OK to Close @@ -46,11 +46,11 @@ Create an administrative SQL account within SSMS to own and access the GPCR data 2. Select radio button "SQL Server authentication" and set password 3. Uncheck "Enforce password policy" - ![673_3_image-20200430140138-2](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_3_image-20200430140138-2.webp) + ![673_3_image-20200430140138-2](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_3_image-20200430140138-2.webp) **Step 3 –** Click on "Server Roles" tab and select "public" and "sysadmin" roles -![673_5_image-20200430140138-3](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_5_image-20200430140138-3.webp) +![673_5_image-20200430140138-3](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_5_image-20200430140138-3.webp) **Step 4 –** Save and close 
@@ -60,7 +60,7 @@ GPCR requires an empty SQL database be present during the installation **Step 1 –** In Microsoft SSMS, right-click on "Databases" and select "New Database" -![673_7_image-20200430140138-4_471x171](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_7_image-20200430140138-4_471x171.webp) +![673_7_image-20200430140138-4_471x171](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_7_image-20200430140138-4_471x171.webp) **Step 2 –** Enter name for database (e.g. GPCR) @@ -83,12 +83,12 @@ computer (Where the Admin Console is installed) and the remote SQL Server 1. Open the "run" box (Win-R), type `"dcomcnfg"` and click OK -![673_9_image-20200430140138-5](../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_3_image-20200327172830-3.webp) +![673_9_image-20200430140138-5](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_3_image-20200327172830-3.webp) **Step 2 –** Expand Console Root -> Component Services -> Computers -> My Computer -> Distributed Transaction Coordinator, Right-Click on Local DTC and click Properties -![673_11_image-20200430140138-6](../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_5_image-20200327172830-4.webp) +![673_11_image-20200430140138-6](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_5_image-20200327172830-4.webp) **Step 3 –** On the Security tab -> Security Settings and Configure as follows: 
@@ -98,7 +98,7 @@ Transaction Coordinator, Right-Click on Local DTC and click Properties 4. Check "Enable SNA LU 6.2 Transactions" 5. Click OK - ![673_13_image-20200430140138-7](../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_7_image-20200327172830-5.webp) + ![673_13_image-20200430140138-7](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_7_image-20200327172830-5.webp) **Step 4 –** The MSDTC service will need to be restarted for the changes to take affect – Click YES to restart now or NO to restart manually later. @@ -112,12 +112,12 @@ Server **Step 2 –** Click on "Allow an app or feature through Windows Defender Firewall" -![673_15_image-20200430140138-8](../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_9_image-20200327172830-6.webp) +![673_15_image-20200430140138-8](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_9_image-20200327172830-6.webp) **Step 3 –** Find "Distributed Transaction Coordinator", check and check the appropriate Network profile (e.g. Domain). -![673_17_image-20200430140138-9](../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_11_image-20200327172830-7.webp) +![673_17_image-20200430140138-9](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_11_image-20200327172830-7.webp) **Step 4 –** Click OK to save and close 
@@ -149,11 +149,11 @@ minimum. select "Yes, I confirm" and "Next >" to continue **Step 6 –** Click "Change" and find domain security group created earlier (GPCR Admin in example) and click "Next >" -![673_19_image-20200430140138-10](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_19_image-20200430140138-10.webp) +![673_19_image-20200430140138-10](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_19_image-20200430140138-10.webp) **Step 7 –** Select "Microsoft SQL Server and "Next >" -![673_21_image-20200430140138-11](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_21_image-20200430140138-11.webp) +![673_21_image-20200430140138-11](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_21_image-20200430140138-11.webp) **Step 8 –** Configure Connection to SQL Server @@ -163,7 +163,7 @@ and click "Next >" 4. Click "Refresh" to get list of Databases on SQL server and select empty DB created earlier 5. Next > - ![673_23_image-20200430140138-12](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_23_image-20200430140138-12.webp) + ![673_23_image-20200430140138-12](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/673_23_image-20200430140138-12.webp) **Step 9 –** Install -> click yes if prompted for \*.msi @@ -195,4 +195,4 @@ higher. Select "Yes, I confirm" and "Next >" to continue For information on completing the GPCR configuration wizard, setting up Auditing and Licensing, and for general usage, please refer to the manual. In addition, review the KB video -[Installing Compliance Reporter Server and Client](../video/gpocompilancereporter/install.md) +[Installing Compliance Reporter Server and Client](/docs/policypak/policypak/video/gpocompilancereporter/install.md) 
diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/license/types.md b/docs/policypak/policypak/grouppolicycompliancereporter/license/types.md index a919cbab2f..40802531e7 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/license/types.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/license/types.md @@ -7,13 +7,13 @@ All endpoints must have a Endpoint Policy Manager Group Policy Compliance Report license for GPCR Server to light up and report back anything. An example screenshot of a licensed GPO report is below. -![447_1_image-20230404065639-1_799x472](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/license/447_1_image-20230404065639-1_799x472.webp) +![447_1_image-20230404065639-1_799x472](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/license/447_1_image-20230404065639-1_799x472.webp) If you rename a computer to have COMPUTER in the name, then that is a Trial License. Please note that this type is for testing only and is Not Recommended for production roll-out. More about Trial License is in this KB: -[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../../license/trial.md) +[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) The software is contained within the standard BITS download from the portal. You simply set it up as seen in the Endpoint Policy Manager Group Policy Compliance diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/overview.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/overview.md index 9846b2593a..bc1d3ef510 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/overview.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/overview.md 
@@ -3,7 +3,7 @@ Figure 3 below demonstrates how the pull and push modes work in GPCR. The details of each mode are discussed in the following sections. -![gpcr_concepts_and_quickstart_2](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/gpcr_concepts_and_quickstart_2.webp) +![gpcr_concepts_and_quickstart_2](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/gpcr_concepts_and_quickstart_2.webp) Figure 3. Endpoint Policy Manager GPCR working in pull mode (gray arrows) and in push mode (black arrows). diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/history.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/history.md index 77a5e10876..5405b7559c 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/history.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/history.md @@ -5,6 +5,6 @@ button, click "OK." The tests (in the defined order) and snapshot you used will into the Results pane, as shown in Figure 32. This can be handy when you want to repeat a test and don't want to have to populate the tests or the snapshot again. -![gpcr_concepts_and_quickstart_33](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_33.webp) +![gpcr_concepts_and_quickstart_33](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_33.webp) Figure 32. The "History" button populates the Results pane with a test scenario you used before. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/overview.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/overview.md index 5d449fef07..3f954230fe 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/overview.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/overview.md 
@@ -1,7 +1,7 @@ # Standalone (Pull) Mode Quick Start **NOTE:** For an overview of Endpoint Policy Manager GPCR in pull mode, watch this video -[Using Pull Mode (with or without PPGPCR server)](../../../video/gpocompilancereporter/modepull.md). +[Using Pull Mode (with or without PPGPCR server)](/docs/policypak/policypak/video/gpocompilancereporter/modepull.md). Endpoint Policy Manager GPCR has three panes in which you can perform work: @@ -9,7 +9,7 @@ Endpoint Policy Manager GPCR has three panes in which you can perform work: - Tests: This is where you define tests that you want to validate. - Results: This is where you select a specific snapshot and a test and get results (see Figure 11) -![gpcr_concepts_and_quickstart_12](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_12.webp) +![gpcr_concepts_and_quickstart_12](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_12.webp) Figure 11. The Results pane of the GPCR client (admin console). diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/results.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/results.md index ef4028989c..a92cabd739 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/results.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/results.md 
@@ -9,13 +9,13 @@ opportunity to use it once or twice. On this pane you can do the following (see - Generate results - Review historical results -![gpcr_concepts_and_quickstart_25](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_25.webp) +![gpcr_concepts_and_quickstart_25](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_25.webp) Figure 24. The GPCR Results pane. To start using the Results pane, add a test, as shown in Figure 25. -![gpcr_concepts_and_quickstart_26](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_26.webp) +![gpcr_concepts_and_quickstart_26](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_26.webp) Figure 25. Adding a test. @@ -23,7 +23,7 @@ The test's report will appear in the Resultant Compliance Test (RCT) report wind Figure 26. There you will see the test name and the various elements that will be tested for in the RCT. -![gpcr_concepts_and_quickstart_27](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_27.webp) +![gpcr_concepts_and_quickstart_27](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_27.webp) Figure 26. The test name appears in the Resultant Compliance Test (RCT). 
@@ -32,7 +32,7 @@ highlighting in the RCT report. Next, you can click "Select Snapshot…" and select the snapshot you created earlier. -![gpcr_concepts_and_quickstart_28](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_28.webp) +![gpcr_concepts_and_quickstart_28](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_28.webp) Figure 27. Selecting the snapshot. @@ -45,7 +45,7 @@ Manager GPCR helps you to discover. In Figure 28, we can see that the computer n something specified in the RCT did not match. Double-clicking either the user-side warning status or the computer-side OK status will indicate which part is out of compliance. -![gpcr_concepts_and_quickstart_29](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_29.webp) +![gpcr_concepts_and_quickstart_29](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_29.webp) Figure 28. Checking the status of a particular computer. @@ -55,7 +55,7 @@ than those that were tested for. Specifically, the Group Policy Preferences "Act index" types were different on the computer than what was desired in the test. These values are expressed with a "#" and blue highlighting in the compliance report, as shown in Figure 29. -![gpcr_concepts_and_quickstart_30](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_30.webp) +![gpcr_concepts_and_quickstart_30](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_30.webp) Figure 29. Values that don't match are expressed with a "#" and blue highlighting in the compliance report. 
@@ -65,7 +65,7 @@ that is, everything you are testing for, and compare it to what is on the machin matches will be in green with an "=." Everything that is present, but does not match will be in blue with a "#," as shown in Figure 30. -![gpcr_concepts_and_quickstart_31](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_31.webp) +![gpcr_concepts_and_quickstart_31](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_31.webp) Figure 30. Values that match appear in green and values that don't match appear in blue. @@ -73,7 +73,7 @@ Anything that is in the test, but is completely absent on the machine, will be e a "–" and declared as "Missing." Figure 31 shows an example of a test for [www.GPanswers.com](http://www.GPanswers.com), which isn't present on Win7Computer-32. -![gpcr_concepts_and_quickstart_32](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_32.webp) +![gpcr_concepts_and_quickstart_32](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_32.webp) Figure 31. Anything completely absent from the computer appears in red. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/snapshots.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/snapshots.md index 5f936a82ce..f7aec526b2 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/snapshots.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/snapshots.md 
@@ -4,28 +4,28 @@ When you click on the Snapshots pane, the other two panes move to the right side the Snapshots pane, you can right-click within the "Computer Sets and Snapshots" space and select "Create computer set," as shown in Figure 12. -![gpcr_concepts_and_quickstart_13](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_13.webp) +![gpcr_concepts_and_quickstart_13](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_13.webp) Figure 12. Creating a computer set. A computer set is a specific set of OUs (or the entire domain) that contains computers. A computer set named "All my computers" could be used for the whole domain, as shown in Figure 13. -![gpcr_concepts_and_quickstart_14](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_14.webp) +![gpcr_concepts_and_quickstart_14](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_14.webp) Figure 13. Selecting the entire domain as a computer set. Alternatively, you can select specific OUs or sub-OUs, as shown in Figure 14. However, note that when a child is selected, its parents are always selected (and cannot be unselected). -![gpcr_concepts_and_quickstart_15](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_15.webp) +![gpcr_concepts_and_quickstart_15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_15.webp) Figure 14. Selecting a child OU. Once you've defined a computer set, right-click on it and select "Create snapshot," as shown in Figure 15. 
-![gpcr_concepts_and_quickstart_16](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_16.webp) +![gpcr_concepts_and_quickstart_16](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_16.webp) Figure 15. Creating a snapshot of the computer set. @@ -43,7 +43,7 @@ to acquire that license (file-based, GPO-based, cloud-based, or trial). Addition data is pulled, you can double-click any row in the Snapshot Contents (RSOPs) pane and immediately obtain a report of the computer and last logged-in user, as shown in Figure 16. -![gpcr_concepts_and_quickstart_17](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_17.webp) +![gpcr_concepts_and_quickstart_17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_17.webp) Figure 16. Obtaining a report from the Snapshot Contents pane. 
@@ -64,14 +64,14 @@ computers," as shown in Figure 17. If all your computers return a status of "Con typical problem is that the Windows firewall does not permit remote requests from administrators. This can be easily fixed using Group Policy (see the troubleshooting section for details). -![gpcr_concepts_and_quickstart_18](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_18.webp) +![gpcr_concepts_and_quickstart_18](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_18.webp) Figure 17. Retrying failed computers. After a snapshot is created, you can right-click on it and rename it if you wish. In Figure 18, you can see a renamed snapshot after it is taken. -![gpcr_concepts_and_quickstart_19](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_19.webp) +![gpcr_concepts_and_quickstart_19](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_19.webp) Figure 18. Renaming a snapshot once taken. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/tests.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/tests.md index 4d29682f5f..58c86bbb13 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/tests.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/tests.md 
@@ -22,7 +22,7 @@ query. Begin a test by creating a root folder to contain your tests. Then, create a new test by right-clicking on the "All tests" container and selecting "Create test," as shown in Figure 19. -![gpcr_concepts_and_quickstart_20](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_20.webp) +![gpcr_concepts_and_quickstart_20](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_20.webp) Figure 19. Creating a root folder to contain tests. @@ -41,7 +41,7 @@ tests are the following: When you create or edit a test, a temporary GPO is created in the domain, and the Group Policy Management Editor appears, as shown in Figure 20. -![gpcr_concepts_and_quickstart_21](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_21.webp) +![gpcr_concepts_and_quickstart_21](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_21.webp) Figure 20. A temporary Group Policy Object is created. 
@@ -56,14 +56,14 @@ domain. If the Group Policy Management Editor is closed but fails to tell Endpoi GPCR that it has closed, you have the option to select "Force save" using the "Waiting..." dialog box. -![gpcr_concepts_and_quickstart_22](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_22.webp) +![gpcr_concepts_and_quickstart_22](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_22.webp) Figure 21. The option to force save. Once the editor is closed, the test is saved, and you can see the test contents, as shown in Figure 22. -![gpcr_concepts_and_quickstart_23](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_23.webp) +![gpcr_concepts_and_quickstart_23](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_23.webp) Figure 22. Viewing the test contents once the test is saved. @@ -79,7 +79,7 @@ Redirection (on the User side). You can see the resulting error that occurred. **NOTE:** If a test contains supported and unsupported data, the supported data will work and the unsupported data is will be ignored during testing. -![gpcr_concepts_and_quickstart_24](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_24.webp) +![gpcr_concepts_and_quickstart_24](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/pull/gpcr_concepts_and_quickstart_24.webp) Figure 23. Unsupported data within tests show up within the test contents reports. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/clientlessauditing.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/clientlessauditing.md index 5b19517fd0..6813864817 100644 
--- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/clientlessauditing.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/clientlessauditing.md @@ -14,7 +14,7 @@ auditing data. In Figure 54, the report entitled "Computers Reporting Auditing D computers that are in the security group and have successfully delivered auditing data to the server. -![gpcr_server_with_push_mode_18](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_18.webp) +![gpcr_server_with_push_mode_18](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_18.webp) Figure 54. Computers reporting auditing data. @@ -22,7 +22,7 @@ The report entitled "Computers Attempting to Report Audit Data (Not in Group)" w that ran PPGPCR.Auditor.exe and had their data received by the server but dumped because they were not in the security group, as shown in Figure 55. -![gpcr_server_with_push_mode_19](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_19.webp) +![gpcr_server_with_push_mode_19](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_19.webp) Figure 55. Data is dumped for computers not in the security group. @@ -33,6 +33,6 @@ There is a final report entitled "Users Reporting Audit Data," as shown in Figur you to quickly view which users' data you have on file and which computer they last used to log in with. -![gpcr_server_with_push_mode_20](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_20.webp) +![gpcr_server_with_push_mode_20](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_20.webp) Figure 56. Users reporting audit data. 
diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/concepts.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/concepts.md index 22f8f72b85..e27a9bcaee 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/concepts.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/concepts.md @@ -8,7 +8,7 @@ query machines anytime because the last known Group Policy data is always up-to- server. See Figure 42 for a diagram of how Endpoint Policy Manager GPCR Server with push mode receives information from Endpoint Policy Manager GPCR endpoints. -![gpcr_server_with_push_mode_6](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_6.webp) +![gpcr_server_with_push_mode_6](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_6.webp) Figure 42. Auditing with GPCR Server in push mode. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/install.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/install.md index 887308442a..c08e6aff75 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/install.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/install.md 
@@ -5,14 +5,14 @@ However, Endpoint Policy Manager GPCR in push mode doesn't need to be installed and could be installed on any machine (Windows 7 or higher). To start the installation, find the Endpoint Policy Manager GP Compliance Reporter (Server).msi file, as shown in Figure 36. -![gpcr_server_with_push_mode](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode.webp) +![gpcr_server_with_push_mode](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode.webp) Figure 36. GPCR server MSI. **Step 1 –** To install Endpoint Policy Manager GP Compliance Reporter, click on the MSI file and start the wizard (Figure 37). -![gpcr_server_with_push_mode_1](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_1.webp) +![gpcr_server_with_push_mode_1](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_1.webp) Figure 37. The Endpoint Policy Manager Group Policy Compliance Reporter Server Setup Wizard. @@ -21,9 +21,9 @@ server as shown in Figure 38. **NOTE:** To see a video on Compliance Reporter and specific group membership requirements, see the following link: -[Enhanced Security for Server](../../../video/gpocompilancereporter/securityenhanced.md). +[Enhanced Security for Server](/docs/policypak/policypak/video/gpocompilancereporter/securityenhanced.md). -![gpcr_server_with_push_mode_2](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_2.webp) +![gpcr_server_with_push_mode_2](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_2.webp) Figure 38. Choosing the domain group that will have access to the GPCR server. 
@@ -31,7 +31,7 @@ Figure 38. Choosing the domain group that will have access to the GPCR server. Microsoft SQL Server Compact if you only expect a small amount of data for processing and testing. However, in most cases, Microsoft SQL Server is recommended. -![gpcr_server_with_push_mode_3](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_3.webp) +![gpcr_server_with_push_mode_3](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_3.webp) Figure 39. Selecting the type of database. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/resultsreports.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/resultsreports.md index 1ba533de5d..ad45177937 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/resultsreports.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/resultsreports.md @@ -7,7 +7,7 @@ Auditing Data." This will query all computers at once and give you a report. Alt have any sets defined, you may pick a set and see the results of only the computers in that set, as shown in Figure 57. -![gpcr_server_with_push_mode_21](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_21.webp) +![gpcr_server_with_push_mode_21](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_21.webp) Figure 57. Viewing the results for computers within a specific set. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/auditorpath.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/auditorpath.md index 90f040e635..54d87beb8d 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/auditorpath.md 
+++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/auditorpath.md @@ -6,14 +6,14 @@ Manager GPCR Server the Auditor folder is created within `c:\ProgramFiles(x86)\PolicyPak\PolicyPak Group Policy Compliance Reporter Server`, as shown in Figure 48. Share that folder as Read::Everyone. -![gpcr_server_with_push_mode_12](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_12.webp) +![gpcr_server_with_push_mode_12](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_12.webp) Figure 48. Sharing the Auditor folder. **Step 2 –** Next, in the wizard, specify the UNC path to `PPGPCR.Auditor.exe`, as shown in Figure 49. -![gpcr_server_with_push_mode_13](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_13.webp) +![gpcr_server_with_push_mode_13](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_13.webp) Figure 49. Entering the UNC path for the auditor EXE. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/overview.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/overview.md index 3418e6e51e..a9022be19b 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/overview.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/overview.md 
@@ -6,7 +6,7 @@ Figure 43. **NOTE:** For a video overview of this section, see the following link: Setup and Clientless Auditing. -![gpcr_server_with_push_mode_7](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_7.webp) +![gpcr_server_with_push_mode_7](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_7.webp) Figure 43. Setting up clientless auditing. @@ -14,13 +14,13 @@ Figure 43. Setting up clientless auditing. or change the security group (see Figure 44). Choose the option, "Create and deploy a scheduled task to run the auditor executable and submit audit data." -![gpcr_server_with_push_mode_8](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_8.webp) +![gpcr_server_with_push_mode_8](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_8.webp) Figure 44. Two options for setting up clientless auditing. **Step 3 –** Then you can perform each step in the Audit Setup Wizard, as shown in Figure 45. These steps are covered in the following sections. -![gpcr_server_with_push_mode_9](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_9.webp) +![gpcr_server_with_push_mode_9](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_9.webp) Figure 45. The Audit Setup Wizard. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/selectauditedcomputers.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/selectauditedcomputers.md index b6ea9c39b3..8d8eb11f16 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/selectauditedcomputers.md 
+++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/selectauditedcomputers.md @@ -7,7 +7,7 @@ they are explicitly in a group of your choosing. The quickest way to set up a gr "Choose..." and enter "Domain Computers," in the "Audited computers" section (see Figure 46), which will accept data from any computer that is licensed and runs PPGPCR.Auditor.exe. -![gpcr_server_with_push_mode_10](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_10.webp) +![gpcr_server_with_push_mode_10](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_10.webp) Figure 46. Selecting which computers to audit. @@ -15,6 +15,6 @@ An example of a more limiting group is shown in Figure 47 with a self-made Activ In this case, you can add the computers you want to the group, then name the group, as shown in Figure 47. -![gpcr_server_with_push_mode_11](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_11.webp) +![gpcr_server_with_push_mode_11](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_11.webp) Figure 47. Choosing a self-made Active Directory group containing the computers to audit. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/specifyserver.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/specifyserver.md index 45a74344df..f1f9da99c7 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/specifyserver.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/specifyserver.md 
@@ -4,6 +4,6 @@ In this step, you need to specify where the endpoint's data will be delivered. N requires the specified port to be open. By installing Endpoint Policy Manager GPCR Server, Port 50022 is automatically opened if the firewall is also on the server, as shown in Figure 50. -![gpcr_server_with_push_mode_14](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_14.webp) +![gpcr_server_with_push_mode_14](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_14.webp) Figure 50. Specifing the PolicyPak GPCR server name and port. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/taskdelivery.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/taskdelivery.md index 5e6fe13c77..37695c9b53 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/taskdelivery.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/taskdelivery.md @@ -3,7 +3,7 @@ **Step 1 –** At this point, you're ready to create the scheduled task. The easiest method is to create a new GPO and deliver a Group Policy Preference scheduled task item, as shown in Figure 51. -![gpcr_server_with_push_mode_15](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_15.webp) +![gpcr_server_with_push_mode_15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_15.webp) Figure 51. Creating a new GPO to deliver a Group Policy Preference scheduled task item. 
@@ -11,7 +11,7 @@ Figure 51. Creating a new GPO to deliver a Group Policy Preference scheduled tas created in the Group Policy Objects node within the GPMC, as shown in Figure 52. In this example, the GPO is called "\_PPGPCR Auditor Scheduled Task." -![gpcr_server_with_push_mode_16](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_16.webp) +![gpcr_server_with_push_mode_16](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_16.webp) Figure 52. The newly created GPO. @@ -19,7 +19,7 @@ Figure 52. The newly created GPO. scheduled task will run as SYSTEM when Group Policy events occur. It will run PPGPCR.Auditor.exe one minute after Group Policy processes and will send results to the server, as shown in Figure 53. -![gpcr_server_with_push_mode_17](../../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_17.webp) +![gpcr_server_with_push_mode_17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/setup/gpcr_server_with_push_mode_17.webp) Figure 53. The Group Policy Settings Report. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/switchmode.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/switchmode.md index ea19697c66..628e0b4f87 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/switchmode.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/push/switchmode.md 
@@ -7,7 +7,7 @@ becomes unavailable at this point because multi-user mode is enabled. Restart th Manager GPCR client (admin console) to start using Endpoint Policy Manager GPCR in multi-user mode as shown in Figure 40. -![gpcr_server_with_push_mode_4](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_4.webp) +![gpcr_server_with_push_mode_4](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_4.webp) Figure 40. Switching to server mode. @@ -15,6 +15,6 @@ Figure 40. Switching to server mode. means the server is not found or is not responding. For troubleshooting, see the section "Tuning and Troubleshooting." -![gpcr_server_with_push_mode_5](../../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_5.webp) +![gpcr_server_with_push_mode_5](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/mode/push/gpcr_server_with_push_mode_5.webp) Figure 41. The server connection error. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/mode/trial.md b/docs/policypak/policypak/grouppolicycompliancereporter/mode/trial.md index d506d0bd09..cd24ddbfcc 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/mode/trial.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/mode/trial.md @@ -1,4 +1,4 @@ # How does Trial mode for Endpoint Policy Manager Group Policy Compliance Reporter work? See this -article: [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../../license/trial.md) +article: [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) 
diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/overview.md b/docs/policypak/policypak/grouppolicycompliancereporter/overview.md index 3b48721294..27643c3259 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/overview.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/overview.md @@ -18,4 +18,4 @@ to license Endpoint Policy Manager GPCR, send an email to [sales@policypak.com](mailto:sales@policypak.com) or call (800) 883-8002. **NOTE:** You may also wish to watch our Quickstart videos of Endpoint Policy Manager GPCR if you're -in a hurry: [Concepts and Quick Start](concepts.md). +in a hurry: [Concepts and Quick Start](/docs/policypak/policypak/grouppolicycompliancereporter/concepts.md). diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md b/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md index 361423d524..c358b761ab 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md 
@@ -4,32 +4,32 @@ See the following Knowledge Base articles for Endpoint Policy Manager GP Complia ## Getting Started -- [What scenarios is PPGPCR not well suited for today?](../scenarios.md) -- [Do I need the Group Policy Compliance Reporter product if I use Endpoint Policy ManagerCloud or Endpoint Policy Manager MDM? (Or, how do I get delivery reports for Group Policy, Cloud or MDM directives?)](../deliveryreports.md) -- [What are the storage requirements when using PPGPCR with SQL server?](../../requirements/gpocompilancereporter/sqlserver.md) -- [Installing and Configuring Endpoint Policy Manager GPCR for use with SQL Server using SQL Authentication](../install.md) +- [What scenarios is PPGPCR not well suited for today?](/docs/policypak/policypak/grouppolicycompliancereporter/scenarios.md) +- [Do I need the Group Policy Compliance Reporter product if I use Endpoint Policy ManagerCloud or Endpoint Policy Manager MDM? (Or, how do I get delivery reports for Group Policy, Cloud or MDM directives?)](/docs/policypak/policypak/grouppolicycompliancereporter/deliveryreports.md) +- [What are the storage requirements when using PPGPCR with SQL server?](/docs/policypak/policypak/requirements/gpocompilancereporter/sqlserver.md) +- [Installing and Configuring Endpoint Policy Manager GPCR for use with SQL Server using SQL Authentication](/docs/policypak/policypak/grouppolicycompliancereporter/install.md) ## Getting Licensed -- [Is Endpoint Policy Manager Group Policy Compliance Reporter licensed on a per-user basis or a per-computer basis?](../license/basis.md) -- [What kinds of licenses are there for Endpoint Policy Manager Group Policy Compliance Reporter?](../license/types.md) -- [How many people can use Endpoint Policy Manager Group Policy Compliance Reporter?](../license/userlimit.md) -- [I want to generate Compliance reports on Microsoft GP Preferences/Admin Templates and/or Security Settings. 
Which license do I need?](../license/compliancereports.md) -- [Can I share Compliance Reports, tests and history across my team?](../shareacrossteam.md) -- [What's the difference between Pull Mode, Push Mode and Standalone and Server components in the Group Policy Compliance Reporter?](../mode/difference.md) -- [How does Trial mode for Endpoint Policy Manager Group Policy Compliance Reporter work?](../mode/trial.md) -- [Is there a minimum purchase for Endpoint Policy Manager Group Policy Compliance Reporter?](../license/minimum.md) -- [What happens if I try to use Endpoint Policy ManagerGroup Policy Compliance Reporter in unlicensed places? What happens if the Endpoint Policy Manager Group Policy Compliance Reporter license expires?](../license/expire.md) -- [What is "Truing Up" for On-Premise products?](../license/trueup.md) -- [What if I don't run the license tool to "True-Up" my Endpoint Policy Manager Group Policy Compliance Reporter every year?](../license/tool.md) -- [What if I pay for multiple years of Endpoint Policy Manager Group Policy Compliance Reporter in advance?](../license/multiyear.md) +- [Is Endpoint Policy Manager Group Policy Compliance Reporter licensed on a per-user basis or a per-computer basis?](/docs/policypak/policypak/grouppolicycompliancereporter/license/basis.md) +- [What kinds of licenses are there for Endpoint Policy Manager Group Policy Compliance Reporter?](/docs/policypak/policypak/grouppolicycompliancereporter/license/types.md) +- [How many people can use Endpoint Policy Manager Group Policy Compliance Reporter?](/docs/policypak/policypak/grouppolicycompliancereporter/license/userlimit.md) +- [I want to generate Compliance reports on Microsoft GP Preferences/Admin Templates and/or Security Settings. 
Which license do I need?](/docs/policypak/policypak/grouppolicycompliancereporter/license/compliancereports.md) +- [Can I share Compliance Reports, tests and history across my team?](/docs/policypak/policypak/grouppolicycompliancereporter/shareacrossteam.md) +- [What's the difference between Pull Mode, Push Mode and Standalone and Server components in the Group Policy Compliance Reporter?](/docs/policypak/policypak/grouppolicycompliancereporter/mode/difference.md) +- [How does Trial mode for Endpoint Policy Manager Group Policy Compliance Reporter work?](/docs/policypak/policypak/grouppolicycompliancereporter/mode/trial.md) +- [Is there a minimum purchase for Endpoint Policy Manager Group Policy Compliance Reporter?](/docs/policypak/policypak/grouppolicycompliancereporter/license/minimum.md) +- [What happens if I try to use Endpoint Policy ManagerGroup Policy Compliance Reporter in unlicensed places? What happens if the Endpoint Policy Manager Group Policy Compliance Reporter license expires?](/docs/policypak/policypak/grouppolicycompliancereporter/license/expire.md) +- [What is "Truing Up" for On-Premise products?](/docs/policypak/policypak/grouppolicycompliancereporter/license/trueup.md) +- [What if I don't run the license tool to "True-Up" my Endpoint Policy Manager Group Policy Compliance Reporter every year?](/docs/policypak/policypak/grouppolicycompliancereporter/license/tool.md) +- [What if I pay for multiple years of Endpoint Policy Manager Group Policy Compliance Reporter in advance?](/docs/policypak/policypak/grouppolicycompliancereporter/license/multiyear.md) ## Troubleshooting -- [How can I use Group Policy Compliance Reporter with multiple domains?](../domainmultiple.md) -- [What Server-side items should I send to Tech Support if asked?](../../troubleshooting/grouppolicycompliancereporter/serverside.md) -- [What does "Unsupported item" mean in PPGPCR reports and tests?](../../troubleshooting/grouppolicycompliancereporter/unsupporteditem.md) -- [GPCR 
Snapshot fails with error "System.InvalidOperationException" when using a remote SQL server and one is a clone of the other](../../troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md) -- [When using a remote SQL Server, GPCR Snapshot fails with error "System.InvalidOperationException" and "MSDTC has been disabled" in Debug log](../../troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md) -- [When does the Auditor process send up events to the server?](../../troubleshooting/grouppolicycompliancereporter/processauditor.md) -- [How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to do so?](../../troubleshooting/grouppolicycompliancereporter/logenhanced.md) +- [How can I use Group Policy Compliance Reporter with multiple domains?](/docs/policypak/policypak/grouppolicycompliancereporter/domainmultiple.md) +- [What Server-side items should I send to Tech Support if asked?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/serverside.md) +- [What does "Unsupported item" mean in PPGPCR reports and tests?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/unsupporteditem.md) +- [GPCR Snapshot fails with error "System.InvalidOperationException" when using a remote SQL server and one is a clone of the other](/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md) +- [When using a remote SQL Server, GPCR Snapshot fails with error "System.InvalidOperationException" and "MSDTC has been disabled" in Debug log](/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md) +- [When does the Auditor process send up events to the server?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/processauditor.md) +- [How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to 
do so?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/logenhanced.md) diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/overview/videolearningcenter.md b/docs/policypak/policypak/grouppolicycompliancereporter/overview/videolearningcenter.md index d1c5800095..90065bddfa 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/overview/videolearningcenter.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/overview/videolearningcenter.md 
@@ -4,24 +4,24 @@ See the following Video topics for Endpoint Policy Manager GP Compliance Reporte ## What does it do, and why do I need it? -- [2 Minute Quick Overview for Managers](../../video/gpocompilancereporter/overviewmanager.md) -- [7 Minute Technical Overview for IT Pros](../../video/gpocompilancereporter/overviewtechnical.md) -- [Standalone Mode](../../video/gpocompilancereporter/modestandalone.md) -- [Server Mode](../../video/gpocompilancereporter/modeserver.md) +- [2 Minute Quick Overview for Managers](/docs/policypak/policypak/video/gpocompilancereporter/overviewmanager.md) +- [7 Minute Technical Overview for IT Pros](/docs/policypak/policypak/video/gpocompilancereporter/overviewtechnical.md) +- [Standalone Mode](/docs/policypak/policypak/video/gpocompilancereporter/modestandalone.md) +- [Server Mode](/docs/policypak/policypak/video/gpocompilancereporter/modeserver.md) ## Getting Started -- [Installing Compliance Reporter Server and Client](../../video/gpocompilancereporter/install.md) -- [Using Pull Mode (with or without PPGPCR server)](../../video/gpocompilancereporter/modepull.md) -- [Setting up Client-less Endpoint Auditing (Push Mode with Server)](../../video/gpocompilancereporter/modepush.md) -- [Enhanced Security for Server](../../video/gpocompilancereporter/securityenhanced.md) +- [Installing Compliance Reporter Server and Client](/docs/policypak/policypak/video/gpocompilancereporter/install.md) +- [Using Pull Mode (with or without PPGPCR server)](/docs/policypak/policypak/video/gpocompilancereporter/modepull.md) +- [Setting up Client-less Endpoint Auditing (Push Mode with Server)](/docs/policypak/policypak/video/gpocompilancereporter/modepush.md) +- [Enhanced Security for Server](/docs/policypak/policypak/video/gpocompilancereporter/securityenhanced.md) ## Using Endpoint Policy Manager Group Policy Compliance Reporter -- [Endpoint Policy Manager GP Compliance Reporter: Using an Existing GPO as a 
test](../../video/gpocompilancereporter/existinggpos.md) -- [Take existing GPOs and quickly bring them into PPGPCR (and keep them updated)](../../video/gpocompilancereporter/importgpos.md) -- [Import STIG files to make your applications more secure](../../video/gpocompilancereporter/importstig.md) +- [Endpoint Policy Manager GP Compliance Reporter: Using an Existing GPO as a test](/docs/policypak/policypak/video/gpocompilancereporter/existinggpos.md) +- [Take existing GPOs and quickly bring them into PPGPCR (and keep them updated)](/docs/policypak/policypak/video/gpocompilancereporter/importgpos.md) +- [Import STIG files to make your applications more secure](/docs/policypak/policypak/video/gpocompilancereporter/importstig.md) ## Troubleshooting -- [Open required firewall ports](../../video/gpocompilancereporter/firewallports.md) +- [Open required firewall ports](/docs/policypak/policypak/video/gpocompilancereporter/firewallports.md) diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/client.md b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/client.md index 79dcad5a47..d160f40bd6 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/client.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/client.md 
@@ -12,20 +12,20 @@ Manager GPCR. To get started, run the Endpoint Policy Manager GPCR client (admin console) installation MSI and go through the wizard, as shown in Figure 5. -![gpcr_concepts_and_quickstart_6](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_6.webp) +![gpcr_concepts_and_quickstart_6](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_6.webp) Figure 5. Using the wizard to install the Endpoint Policy Manager GPCR admin console. Beginning with version 21.1.2693.656, you cannot connect to an older version of the server. To progress to the next step in the wizard you must accept this condition, as shown in Figure 6. -![gpcr_concepts_and_quickstart_7](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_7.webp) +![gpcr_concepts_and_quickstart_7](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_7.webp) Figure 6. The confirmation window. When you do this, the Endpoint Policy Manager GPCR client will appear on the Windows 10 or Windows Server Start menu, as shown in Figure 7. -![gpcr_concepts_and_quickstart_8](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_8.webp) +![gpcr_concepts_and_quickstart_8](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_8.webp) Figure 7. Endpoint Policy Manager GPCR in the Start menu. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/configurationwizard.md b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/configurationwizard.md index 7e09aa2d9c..ed0552dc88 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/configurationwizard.md 
+++ b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/configurationwizard.md @@ -3,7 +3,7 @@ The first time you run the Endpoint Policy Manager GPCR client (admin console) you are presented with a wizard, as shown in Figure 8. -![gpcr_concepts_and_quickstart_9](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_9.webp) +![gpcr_concepts_and_quickstart_9](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_9.webp) Figure 8. The GPCR Configuration Wizard. @@ -11,7 +11,7 @@ In the wizard, you can select if you want to use Endpoint Policy Manager GPCR in (Pull Mode only)" or "Server mode (Pull Mode or Push Mode using Audit)," as shown in Figure 9. For this Quickstart, select standalone mode. -![gpcr_concepts_and_quickstart_10](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_10.webp) +![gpcr_concepts_and_quickstart_10](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_10.webp) Figure 9. Selecting between "Standalone mode" or "Server mode." @@ -20,7 +20,7 @@ Figure 9. Selecting between "Standalone mode" or "Server mode." You can also select where you want to store Endpoint Policy Manager GPCR data in the wizard. The default is shown in Figure 10. -![gpcr_concepts_and_quickstart_11](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_11.webp) +![gpcr_concepts_and_quickstart_11](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_11.webp) Figure 10. Choosing the location for Endpoint Policy Manager GPCR data. 
diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/licensing.md b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/licensing.md index ad3efb9217..101303e3bb 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/licensing.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/licensing.md @@ -4,11 +4,11 @@ Neither the Endpoint Policy Manager GPCR server nor the client (admin console) r but the endpoint does. **NOTE:** Watch this video to see how to request a license: -[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](../../video/license/licenserequestkey.md). +[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md). **NOTE:** To install the license file received from Endpoint Policy Manager, see the following video: -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md). +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md). Note that since the Endpoint Policy Manager client (admin console) does not need to be licensed, you may run unlimited numbers of it in any organizational unit (OU). The Endpoint Policy Manager client 
@@ -41,48 +41,48 @@ Table 2: Group Policy supported and unsupported settings. | Data type | User Policies | Computer Policies | | ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Endpoint Policy Manager settings (all) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Group Policy Admin Templates (all ADM(X) templates and settings) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Endpoint Policy Manager settings (all) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Group Policy Admin Templates (all 
ADM(X) templates and settings) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | | Group Policy Security Settings | | | | Windows | Security | | | -| Account Policies | Password Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Account Policies | Account Lockout Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Account Policies | Kerberos Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Local Policies | Audit Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Local Policies | User Rights Assignment | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Local Policies | Security Options | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Event log | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | 
+| Account Policies | Password Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Account Policies | Account Lockout Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Account Policies | Kerberos Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Local Policies | Audit Policy | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Local Policies | User Rights Assignment | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Local Policies | Security Options | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Event log | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | | Windows Settings | | | -| Name resolution policy | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Scripts | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | 
![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Policy-based QoS | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Public key policies | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | -| Software restriction policies | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | -| Restricted groups | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| System services | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Registry | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| File | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Wired network (IEEE 802.3) policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Windows firewall with advanced security | n/a | 
![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Network list manager policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Wireless network (IEEE 802.11) policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Network access protection | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Application control policies (Applocker) | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| IP security policies on Active Directory | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Advanced audit policy configuration | n/a | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Group Policy Preferences (all are supported except those listed below) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| 
Group Policy Preference data sources | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Scheduled tasks (immediate XP, scheduled XP) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Power options and scheme (for Windows XP) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| ODBC data source | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Folder options | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp)\* | 
-| Start menu (for XP) | n/a | ![gpcr_concepts_and_quickstart_4_17x17](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | -| Internet Explorer (5, 6, and 7) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Registry collection (special registry item type) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Folder redirection | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | -| Internet Explorer maintenance | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | -| Group Policy software install | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | -| Any third-party Group Policy Extension not from Endpoint Policy Manager | 
![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Name resolution policy | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Scripts | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Policy-based QoS | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Public key policies | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | +| Software restriction policies | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | +| Restricted groups | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| System services | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Registry | n/a | 
![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| File | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Wired network (IEEE 802.3) policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Windows firewall with advanced security | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Network list manager policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Wireless network (IEEE 802.11) policies | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Network access protection | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Application control policies (Applocker) | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| IP security policies on Active Directory | n/a | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Advanced audit policy configuration | n/a | 
![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Group Policy Preferences (all are supported except those listed below) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Group Policy Preference data sources | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Scheduled tasks (immediate XP, scheduled XP) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Power options and scheme (for Windows XP) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| ODBC data source | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | 
![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Folder options | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp)\* | +| Start menu (for XP) | n/a | ![gpcr_concepts_and_quickstart_4_17x17](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_4_17x17.webp) | +| Internet Explorer (5, 6, and 7) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Registry collection (special registry item type) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Folder redirection | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | +| Internet Explorer maintenance | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | n/a | +| Group Policy software install | 
![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | +| Any third-party Group Policy Extension not from Endpoint Policy Manager | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | ![gpcr_concepts_and_quickstart_5_15x15](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_5_15x15.webp) | \*File type actions are not in the RSOP and thus show as "missing" in PPGPCR. @@ -96,4 +96,4 @@ the future. Endpoint Policy Manager Sales can send you a working Endpoint Policy Manager GPCR key. To install the key, follow these instructions: -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md). +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md). diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/trialmode.md b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/trialmode.md index 424337d26e..8b19c62a4c 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/prepare/trialmode.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/prepare/trialmode.md 
@@ -6,7 +6,7 @@ enable trial mode, start out by renaming one Windows 10 endpoint computer to hav "computer" in the name, as shown in Figure 4. Ensure it is properly joined to the domain and getting Group Policy. Endpoints act fully licensed when they have "computer" in the name. -![gpcr_concepts_and_quickstart_3](../../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_3.webp) +![gpcr_concepts_and_quickstart_3](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/prepare/gpcr_concepts_and_quickstart_3.webp) Figure 4. The word "computer" must appear within the name for the test machine. diff --git a/docs/policypak/policypak/grouppolicycompliancereporter/testsrctorder.md b/docs/policypak/policypak/grouppolicycompliancereporter/testsrctorder.md index 2148fa1065..44b92a1a11 100644 --- a/docs/policypak/policypak/grouppolicycompliancereporter/testsrctorder.md +++ b/docs/policypak/policypak/grouppolicycompliancereporter/testsrctorder.md @@ -8,7 +8,7 @@ Items that are not conflicting and are in different tests are sorted alphabetica category. This is why you see [www.GPanswers.com](http://www.GPanswers.com) appear before [www.PolicyPak.com](http://www.PolicyPak.com) in the example in Figure 33. -![gpcr_concepts_and_quickstart_34](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_34.webp) +![gpcr_concepts_and_quickstart_34](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_34.webp) Figure 33. Items in different tests that do not conflict are sorted alphabetically within a category. 
@@ -19,7 +19,7 @@ possibly other values). Because they are testing for precisely the same value on the example, "Test for WinZip Password Length = 14" is set as Test Order #1. Because it has a higher precedence order than Test Order #2, the value that will be tested is Minimum Password Length = 14. -![gpcr_concepts_and_quickstart_35](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_35.webp) +![gpcr_concepts_and_quickstart_35](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_35.webp) Figure 34. Test Order #1 has a higher precedence order over those below it. @@ -28,6 +28,6 @@ buttons, as shown in Figure 35. In the figure, "Test for Winzip Password Length shifted to have higher precedence. As such, the RCT changes to test for Minimum Password Length = 15. -![gpcr_concepts_and_quickstart_36](../../../../static/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_36.webp) +![gpcr_concepts_and_quickstart_36](/img/product_docs/policypak/policypak/grouppolicycompliancereporter/gpcr_concepts_and_quickstart_36.webp) Figure 35. You can shift a test to a higher precedence. diff --git a/docs/policypak/policypak/install/adminconsole.md b/docs/policypak/policypak/install/adminconsole.md index f9493e1398..ee853553f4 100644 --- a/docs/policypak/policypak/install/adminconsole.md +++ b/docs/policypak/policypak/install/adminconsole.md 
@@ -17,9 +17,9 @@ users actually log on to or use - Locally to YOUR management station machine, - To the Endpoint Policy Manager Central Store - [Working with Others and using the Central Store](../video/applicationsettings/centralstorework.md) + [Working with Others and using the Central Store](/docs/policypak/policypak/video/applicationsettings/centralstorework.md) - A share - [Using Shares to Store Your Paks (Share-Based Storage)](../video/applicationsettings/shares.md). + [Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md). **NOTE:** Point 3 is needed for Endpoint Policy Manager Application Settings Manager (PPASM) only. diff --git a/docs/policypak/policypak/install/antivirus.md b/docs/policypak/policypak/install/antivirus.md index ea664b0034..d86ad54330 100644 --- a/docs/policypak/policypak/install/antivirus.md +++ b/docs/policypak/policypak/install/antivirus.md @@ -72,7 +72,7 @@ The basic approach is to rename these files and then reboot to see if conflicts FortiNet / FortiClient version 6.0.8.0261 will not install the latest CSE and displays the following error message during installation: -![54_1_image](../../../../static/img/product_docs/policypak/policypak/install/54_1_image.webp) +![54_1_image](/img/product_docs/policypak/policypak/install/54_1_image.webp) Symptom: Error message when installing CSE: Could not write value `ExplorerCommandHandler` to key `\SOFTWARE\Classes\exefile\shell\runasspecial` 
@@ -89,18 +89,18 @@ For more details on Windows Defender exclusions in general, please see During the installation of the Endpoint Policy Manager  CSE, you may encounter the following error message: -![54_2_image-20230330120114-2](../../../../static/img/product_docs/policypak/policypak/install/54_2_image-20230330120114-2.webp) +![54_2_image-20230330120114-2](/img/product_docs/policypak/policypak/install/54_2_image-20230330120114-2.webp) To work around this issue please add the following BYPASS policies for Endpoint Policy Manager as shown below. -![54_3_image-2](../../../../static/img/product_docs/policypak/policypak/install/54_3_image-2.webp) +![54_3_image-2](/img/product_docs/policypak/policypak/install/54_3_image-2.webp) ## DEFENDER Customers During installation or removal of the Endpoint Policy Manager CSE you may run into this error: -![defendererror](../../../../static/img/product_docs/policypak/policypak/install/defendererror.webp) +![defendererror](/img/product_docs/policypak/policypak/install/defendererror.webp) The Windows Application log will also show the following Error: @@ -108,7 +108,7 @@ Product: Netwrix Endpoint Policy Manager (formerly PolicyPak) Client-Side Extens There is a problem with this Windows Installer package. A program required for this install to complete could not be run. -![defendererrorevent](../../../../static/img/product_docs/policypak/policypak/install/defendererrorevent.webp) +![defendererrorevent](/img/product_docs/policypak/policypak/install/defendererrorevent.webp) To work around this issue you need to add the following folder exclusions under **Attack Surface Reduction** > **Attack Surface Rules**: 
@@ -116,7 +116,7 @@ Reduction** > **Attack Surface Rules**: - `C:\Program Files\PolicyPak\` - `C:\ProgramData\PolicyPak\` -![defendereditpolicy](../../../../static/img/product_docs/policypak/policypak/install/defendereditpolicy.webp) +![defendereditpolicy](/img/product_docs/policypak/policypak/install/defendereditpolicy.webp) See the Cloudbrothers article [The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions](https://cloudbrothers.info/en/guide-to-defender-exclusions/) @@ -129,7 +129,7 @@ your circumstance. If when installing the Endpoint Policy Manager Cloud client, you get the experience below: -![netskopeandcloud](../../../../static/img/product_docs/policypak/policypak/install/netskopeandcloud.webp) +![netskopeandcloud](/img/product_docs/policypak/policypak/install/netskopeandcloud.webp) Follow the steps to resolve Netskope errors. diff --git a/docs/policypak/policypak/install/clientsideextension.md b/docs/policypak/policypak/install/clientsideextension.md index 200fdee613..281ec81105 100644 --- a/docs/policypak/policypak/install/clientsideextension.md +++ b/docs/policypak/policypak/install/clientsideextension.md @@ -34,7 +34,7 @@ In the next section, we will discuss the following three main ideas: Our recommended tool of choice to get the Endpoint Policy Manager CSE deployed to multiple machines is PDQ Deploy. PDQ Deploy has a free mode and a paid mode, which is reasonably priced. You can see how to deploy a package with PDQ Deploy please see the -[Managing Group Policy using Endpoint Policy Manager and PDQ Deploy](../integration/pdqdeploy.md) +[Managing Group Policy using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/integration/pdqdeploy.md) topic for additional information. ## MDM, UEM, or RMM Tools 
@@ -64,33 +64,33 @@ containing the target computers. **Step 4 –** Use Group Policy Software Installation to deploy that file to all target computers. **NOTE:** To see a demonstration of this section, please watch these two tutorial videos: -[Mass Deploy the Endpoint Policy Manager CSE using GPSI](../archive/massdeploy.md) and -[Upgrading the CSE using GPSI](../archive/upgrading.md). In this example, we've created a GPO named +[Mass Deploy the Endpoint Policy Manager CSE using GPSI](/docs/policypak/policypak/archive/massdeploy.md) and +[Upgrading the CSE using GPSI](/docs/policypak/policypak/archive/upgrading.md). In this example, we've created a GPO named Deploy PP Client and linked it to East Sales Desktops. -![Deploying Client Side](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_350x474.webp) +![Deploying Client Side](/img/product_docs/policypak/policypak/install/deploying_the_client_side_350x474.webp) **Step 5 –** Next, right-click the GPO and select **Edit**. Once you're inside the Group Policy Editor, scroll down to **Computer** > **Configuration** > **Software Settings** > **Software Installation**. Right-click, and select **New** > **Package**. -![deploying_the_client_side_1_620x359](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_1_620x359.webp) +![deploying_the_client_side_1_620x359](/img/product_docs/policypak/policypak/install/deploying_the_client_side_1_620x359.webp) **Step 6 –** Once this is complete, type in the server and share names you used. In our example, our server is `\\DC-Computer` and our share is Endpoint Policy Manager. Then select the Endpoint Policy Manager CSE Setup x64.msi file, and click **Open**. Next, choose **Assigned**, and select **OK**. 
-![deploying_the_client_side_2_620x389](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_2_620x389.webp) +![deploying_the_client_side_2_620x389](/img/product_docs/policypak/policypak/install/deploying_the_client_side_2_620x389.webp) -![deploying_the_client_side_3_550x381](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_3_550x381.webp) +![deploying_the_client_side_3_550x381](/img/product_docs/policypak/policypak/install/deploying_the_client_side_3_550x381.webp) When you're done, the GPO should look like this:. -![deploying_the_client_side_4_1200x309](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_4_1200x309.webp) +![deploying_the_client_side_4_1200x309](/img/product_docs/policypak/policypak/install/deploying_the_client_side_4_1200x309.webp) **Step 7 –** Repeat this process until both the x86 and x64 MSIs appear. -![deploying_the_client_side_5_1200x240](../../../../static/img/product_docs/policypak/policypak/install/deploying_the_client_side_5_1200x240.webp) +![deploying_the_client_side_5_1200x240](/img/product_docs/policypak/policypak/install/deploying_the_client_side_5_1200x240.webp) **NOTE:** Be sure that the source field is pointing to a network path (e.g., `\\server\share`) and not a local path (e.g., `c:\something\`). @@ -99,4 +99,4 @@ If you have an older version of the Endpoint Policy Manager CSE and wish to upda Policy Software Installation, it's easy to do. For more information on how to perform an upgrade using Group Policy Software Installation. See the -[Upgrading the CSE using GPSI](../archive/upgrading.md) topic for additional information. +[Upgrading the CSE using GPSI](/docs/policypak/policypak/archive/upgrading.md) topic for additional information. diff --git a/docs/policypak/policypak/install/cloud/client.md b/docs/policypak/policypak/install/cloud/client.md index 2ff65c6d90..27cdf936c1 100644 
--- a/docs/policypak/policypak/install/cloud/client.md +++ b/docs/policypak/policypak/install/cloud/client.md @@ -19,4 +19,4 @@ Please see this article for keeping things proactive: This video also has some important information on how to perform updates: -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../../video/cloud/groups.md) +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md) diff --git a/docs/policypak/policypak/install/cloud/clientremote.md b/docs/policypak/policypak/install/cloud/clientremote.md index 2b0db4c91a..d6cc3642e5 100644 --- a/docs/policypak/policypak/install/cloud/clientremote.md +++ b/docs/policypak/policypak/install/cloud/clientremote.md @@ -16,7 +16,7 @@ because the installation must be performed as a local admin. Here are some strat **NOTE:** You can also use Endpoint Policy Manager Least Privilege Manager to enable non-Admins to be able to install the Endpoint Policy Manager Cloud client themselves (provided the Endpoint Policy Manager CSE is pre-installed.) See this video for more details: -[Install the PP Cloud client with a PP Least Priv Manager Rule](../../video/cloud/install/leastprivilegemanagerrule.md) +[Install the PP Cloud client with a PP Least Priv Manager Rule](/docs/policypak/policypak/video/cloud/install/leastprivilegemanagerrule.md) If the user is an admin (Not recommended) diff --git a/docs/policypak/policypak/install/cloud/clientsilent.md b/docs/policypak/policypak/install/cloud/clientsilent.md index afa52632dc..50454d2484 100644 --- a/docs/policypak/policypak/install/cloud/clientsilent.md +++ b/docs/policypak/policypak/install/cloud/clientsilent.md 
@@ -17,7 +17,7 @@ msiexec /i "C:\Temp\PolicyPak Cloud Client for company name.msi" JOINTOKEN="AXBC **NOTE:** Replace `JOINTOKEN="AXBCDeVXbieqP9WUWQwnYM="` with the relevant JOINTOKEN string for your environment. See this video for more information on how to use JOINTOKEN: -[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../../video/cloud/jointoken.md) +[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) For more information on the MSIEXEC command line switches, see this article: [Microsoft Standard Installer command-line options](https://docs.microsoft.com/en-us/windows/win32/msi/standard-installer-command-line-options) @@ -33,4 +33,4 @@ set logfile="%d%_%t%.log" msiexec /i %1 /norestart /quiet /lv*x %logfile% ``` -![530_1_image-20230330095004-1](../../../../../static/img/product_docs/policypak/policypak/install/cloud/530_1_image-20230330095004-1.webp) +![530_1_image-20230330095004-1](/img/product_docs/policypak/policypak/install/cloud/530_1_image-20230330095004-1.webp) diff --git a/docs/policypak/policypak/install/cloud/removeendpoint.md b/docs/policypak/policypak/install/cloud/removeendpoint.md index f5e2e0a4f8..23ce653904 100644 --- a/docs/policypak/policypak/install/cloud/removeendpoint.md +++ b/docs/policypak/policypak/install/cloud/removeendpoint.md @@ -4,4 +4,4 @@ If you use Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud UI and use permanently** command, the next time the Cloud Client syncs to the Cloud Service all cloud pieces (Cloud agent and Cloud CSE) are physically removed from the endpoint automatically. -![588_1_image001](../../../../../static/img/product_docs/policypak/policypak/install/cloud/588_1_image001.webp) +![588_1_image001](/img/product_docs/policypak/policypak/install/cloud/588_1_image001.webp) 
diff --git a/docs/policypak/policypak/install/cloud/slowinternet.md b/docs/policypak/policypak/install/cloud/slowinternet.md index 0839f83bb1..f8b6de2e71 100644 --- a/docs/policypak/policypak/install/cloud/slowinternet.md +++ b/docs/policypak/policypak/install/cloud/slowinternet.md @@ -15,7 +15,7 @@ CSE is available for download within the Customer Portal only. Go to [https://portal.policypak.com](https://portal.policypak.com/) and download **Latest Bits**. You'll find the Endpoint Policy Manager Client-Side Extension folder in the archive. -![image1](../../../../../static/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) +![image1](/img/product_docs/passwordsecure/passwordsecure/configuration/basic_view/image1.webp) Follow these steps to install both MSIs: @@ -33,6 +33,6 @@ Support for a download link. For more details about setting up machines for VDI environments please check the following topics. -[Can I embed the Endpoint Policy ManagerClient Side Extension and/or Endpoint Policy Manager Cloud client into a master image for VDI, MDT, Ghost, Citrix, etc?](../../tips/embedclient.md) +[Can I embed the Endpoint Policy ManagerClient Side Extension and/or Endpoint Policy Manager Cloud client into a master image for VDI, MDT, Ghost, Citrix, etc?](/docs/policypak/policypak/tips/embedclient.md) -[How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](../../integration/azurevirutaldesktop.md) +[How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](/docs/policypak/policypak/integration/azurevirutaldesktop.md) diff --git a/docs/policypak/policypak/install/methods.md b/docs/policypak/policypak/install/methods.md index 2ec9c06a20..06f8c3bb9e 100644 --- a/docs/policypak/policypak/install/methods.md +++ b/docs/policypak/policypak/install/methods.md 
@@ -10,7 +10,7 @@ not require that you install the admin console MSI into a DC. On a server, go into Server Manager and select it as a featureto add. -![268_1_img-01_950x550](../../../../static/img/product_docs/policypak/policypak/install/268_1_img-01_950x550.webp) +![268_1_img-01_950x550](/img/product_docs/policypak/policypak/install/268_1_img-01_950x550.webp) You can also install the GPMC on a Windows 10 client,which is preferred method. If you want to do this, there are two ways. @@ -22,7 +22,7 @@ This is the most reliable way to get the GPMC installed. First, download them fr Next, verify that the GPMC gets installed and checked on automatically. -![268_3_img-02](../../../../static/img/product_docs/policypak/policypak/install/268_3_img-02.webp) +![268_3_img-02](/img/product_docs/policypak/policypak/install/268_3_img-02.webp) ## 2: Use PowerShell in Windows 10 (Windows 10 1809 and later) @@ -32,9 +32,9 @@ If you install Windows 10 1809 or later, you can install the GPMC with a DISM co The result will look like this. -![268_5_img-03_950x237](../../../../static/img/product_docs/policypak/policypak/install/268_5_img-03_950x237.webp) +![268_5_img-03_950x237](/img/product_docs/policypak/policypak/install/268_5_img-03_950x237.webp) Now you are ready to install the Endpoint Policy Manager Admin Console MSI, which then gets you the Endpoint Policy Manager node within the Group Policy Editor. -![268_7_img-04_950x743](../../../../static/img/product_docs/policypak/policypak/install/268_7_img-04_950x743.webp) +![268_7_img-04_950x743](/img/product_docs/policypak/policypak/install/268_7_img-04_950x743.webp) diff --git a/docs/policypak/policypak/install/overview/knowledgebase.md b/docs/policypak/policypak/install/overview/knowledgebase.md index 125c7d611b..299dacf33e 100644 --- a/docs/policypak/policypak/install/overview/knowledgebase.md +++ b/docs/policypak/policypak/install/overview/knowledgebase.md 
@@ -4,67 +4,67 @@ See the following Knowledge Base articles for all things installation and upkeep ## Method GPO: Initial Install -- [Does Endpoint Policy Manager admin console need to be installed on Domain Controller (DC)?](../adminconsole.md) -- [I installed the Admin Console MSI, but I don't see the Endpoint Policy Manager node when I go to edit a GPO. Why?](../node.md) -- [What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](../methods.md) -- [When I edit the GPO, the settings don't seem to "stick"](../../troubleshooting/savesettings.md) +- [Does Endpoint Policy Manager admin console need to be installed on Domain Controller (DC)?](/docs/policypak/policypak/install/adminconsole.md) +- [I installed the Admin Console MSI, but I don't see the Endpoint Policy Manager node when I go to edit a GPO. Why?](/docs/policypak/policypak/install/node.md) +- [What are the two ways that can I install the GPMC on my Admin Station (Server or Windows 10) machine?](/docs/policypak/policypak/install/methods.md) +- [When I edit the GPO, the settings don't seem to "stick"](/docs/policypak/policypak/troubleshooting/savesettings.md) ## Method SCCM: Initial Install (or other systems) -- [How do I deploy the Endpoint Policy Manager CSE via SCCM (or other systems management system) ?](../sccm.md) +- [How do I deploy the Endpoint Policy Manager CSE via SCCM (or other systems management system) ?](/docs/policypak/policypak/install/sccm.md) ## Method PDQ Deploy (recommended) -- [Managing Group Policy using Endpoint Policy Manager and PDQ Deploy](../../integration/pdqdeploy.md) +- [Managing Group Policy using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/integration/pdqdeploy.md) ## AntiVirus and other System Software -- [I want to use Endpoint Policy Managerwith Citrix App Layering (aka Unidesk). 
At which layer should I implement the Endpoint Policy Manager Client Side Extension?](../citrixapplayering.md) -- [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../antivirus.md) -- [Why am I prompted about a Digitally Signed Driver for Endpoint Policy Manager CSE (and how do I work around it)?](../../troubleshooting/install/digitallysigneddriver.md) -- [Why won't the Endpoint Policy Manager services start, with an error like (or similar to) "Verify that you have sufficient privileges to start system services."?](../../troubleshooting/error/install/sufficientprivileges.md) +- [I want to use Endpoint Policy Managerwith Citrix App Layering (aka Unidesk). At which layer should I implement the Endpoint Policy Manager Client Side Extension?](/docs/policypak/policypak/install/citrixapplayering.md) +- [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) +- [Why am I prompted about a Digitally Signed Driver for Endpoint Policy Manager CSE (and how do I work around it)?](/docs/policypak/policypak/troubleshooting/install/digitallysigneddriver.md) +- [Why won't the Endpoint Policy Manager services start, with an error like (or similar to) "Verify that you have sufficient privileges to start system services."?](/docs/policypak/policypak/troubleshooting/error/install/sufficientprivileges.md) ## Performance Related Questions -- [I see many instances of the Endpoint Policy Manager Watcher (ppWatcher) service running on my clients, is that normal? And how can I check memory usage?](../../troubleshooting/watcherservicememoryusage.md) -- [How would I verify if Endpoint Policy Manager Client Side Extension is / is not causing high or CPU disk slowdowns?](../../troubleshooting/cpuslowdown.md) +- [I see many instances of the Endpoint Policy Manager Watcher (ppWatcher) service running on my clients, is that normal? 
And how can I check memory usage?](/docs/policypak/policypak/troubleshooting/watcherservicememoryusage.md) +- [How would I verify if Endpoint Policy Manager Client Side Extension is / is not causing high or CPU disk slowdowns?](/docs/policypak/policypak/troubleshooting/cpuslowdown.md) ## Install and Upgrade Troubleshooting -- [The CSE won't uninstall or allow in-place upgrade. What should I do?](../../troubleshooting/install/uninstall.md) -- [How do I troubleshoot slow logins (or other login problems), user profile issues, explorer.exe or other Windows problems? What if I'm having problems on ONE (or very few PCs)?](../../troubleshooting/slowlogins.md) -- [What can I do if I installed a new CSE version and it's causing problems (slowdowns or other issues?)](../../troubleshooting/install/newversionissues.md) -- [How do I enable a STANDARD USER to see the COMPUTER SIDE RsOP ?](../../troubleshooting/computersidersop.md) -- [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](../../troubleshooting/error/gpsvcfailed.md) -- [The removal of the assignment of application Endpoint Policy Manager Client-Side Extension (32bit) from policy failed](../../troubleshooting/assignmentremovalfailed.md) +- [The CSE won't uninstall or allow in-place upgrade. What should I do?](/docs/policypak/policypak/troubleshooting/install/uninstall.md) +- [How do I troubleshoot slow logins (or other login problems), user profile issues, explorer.exe or other Windows problems? 
What if I'm having problems on ONE (or very few PCs)?](/docs/policypak/policypak/troubleshooting/slowlogins.md) +- [What can I do if I installed a new CSE version and it's causing problems (slowdowns or other issues?)](/docs/policypak/policypak/troubleshooting/install/newversionissues.md) +- [How do I enable a STANDARD USER to see the COMPUTER SIDE RsOP ?](/docs/policypak/policypak/troubleshooting/computersidersop.md) +- [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md) +- [The removal of the assignment of application Endpoint Policy Manager Client-Side Extension (32bit) from policy failed](/docs/policypak/policypak/troubleshooting/assignmentremovalfailed.md) ## Misc Installation questions -- [What if I accidentally install the 32 bit version of Endpoint Policy Manager on a 64 bit machine or vice versa?](../../troubleshooting/bitversion.md) -- [Why does Endpoint Policy Manager require a CSE / client installation piece? I want to do it all using what Microsoft ships in the box but don't want to install anything else.](../clientsideextension/why.md) -- [How can I fix Outlook To-Do bar flashing when GP or Endpoint Policy Manager does a background refresh?](../../troubleshooting/outlook.md) -- [What must I install on Windows 7 to make Endpoint Policy Manager work as expected?](../../requirements/windows7.md) +- [What if I accidentally install the 32 bit version of Endpoint Policy Manager on a 64 bit machine or vice versa?](/docs/policypak/policypak/troubleshooting/bitversion.md) +- [Why does Endpoint Policy Manager require a CSE / client installation piece? 
I want to do it all using what Microsoft ships in the box but don't want to install anything else.](/docs/policypak/policypak/install/clientsideextension/why.md) +- [How can I fix Outlook To-Do bar flashing when GP or Endpoint Policy Manager does a background refresh?](/docs/policypak/policypak/troubleshooting/outlook.md) +- [What must I install on Windows 7 to make Endpoint Policy Manager work as expected?](/docs/policypak/policypak/requirements/windows7.md) ## Best Practices / Keeping up to Date with releases -- [Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../rings.md) -- [What are the Endpoint Policy Manager Build and Version numbers?](../../troubleshooting/versions.md) -- [When should I upgrade or not upgrade the Endpoint Policy Manager CSE?](../upgrade/frequency.md) -- [How often is Endpoint Policy Manager updated? And, must I update to the latest version? Are all versions supported?](../update/frequency.md) -- [How to trigger an update of the Endpoint Policy ManagerClient Side Extension and Cloud Client via command line using Endpoint Policy Manager Cloud versus Group Policy (OnPrem) Edition](../update/commandline.md) +- [Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) +- [What are the Endpoint Policy Manager Build and Version numbers?](/docs/policypak/policypak/troubleshooting/versions.md) +- [When should I upgrade or not upgrade the Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/upgrade/frequency.md) +- [How often is Endpoint Policy Manager updated? And, must I update to the latest version? 
Are all versions supported?](/docs/policypak/policypak/install/update/frequency.md) +- [How to trigger an update of the Endpoint Policy ManagerClient Side Extension and Cloud Client via command line using Endpoint Policy Manager Cloud versus Group Policy (OnPrem) Edition](/docs/policypak/policypak/install/update/commandline.md) ## Updating Endpoint Policy Manager with Active Directory / GPOs -- [How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](../ringsupgrade.md) -- [CSE Autoupdate Update.Config file Usage and Parameters (before CSE 2725)](../update/config.md) -- [How can I use the Endpoint Policy ManagerPowerShell module to know which GPOs have any Endpoint Policy Manager data or directives?](../../troubleshooting/powershell/datadirectives.md) +- [How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](/docs/policypak/policypak/install/ringsupgrade.md) +- [CSE Autoupdate Update.Config file Usage and Parameters (before CSE 2725)](/docs/policypak/policypak/install/update/config.md) +- [How can I use the Endpoint Policy ManagerPowerShell module to know which GPOs have any Endpoint Policy Manager data or directives?](/docs/policypak/policypak/troubleshooting/powershell/datadirectives.md) ## Backup and Restore -- [Endpoint Policy Manager details with GPO contents appear deleted. How can I restore them?](../../troubleshooting/restoredetails.md) +- [Endpoint Policy Manager details with GPO contents appear deleted. 
How can I restore them?](/docs/policypak/policypak/troubleshooting/restoredetails.md) ## Uninstallation or Rollback of Endpoint Policy Manager -- [How do I uninstall Endpoint Policy Manager?](../uninstall.md) -- [How to Rollback CSE version from newer to older using PowerShell](../../troubleshooting/clientsideextension/rollback.md) -- [How can I uninstall the Least Privilege Manager client for MacOS?](../../troubleshooting/leastprivilege/uninstall.md) +- [How do I uninstall Endpoint Policy Manager?](/docs/policypak/policypak/install/uninstall.md) +- [How to Rollback CSE version from newer to older using PowerShell](/docs/policypak/policypak/troubleshooting/clientsideextension/rollback.md) +- [How can I uninstall the Least Privilege Manager client for MacOS?](/docs/policypak/policypak/troubleshooting/leastprivilege/uninstall.md) diff --git a/docs/policypak/policypak/install/overview/videolearningcenter.md b/docs/policypak/policypak/install/overview/videolearningcenter.md index 19f122b921..3a0409f4d9 100644 --- a/docs/policypak/policypak/install/overview/videolearningcenter.md +++ b/docs/policypak/policypak/install/overview/videolearningcenter.md @@ -4,4 +4,4 @@ See the following Video topics for all things installation and upkeep. ## Method GPO (and Active Directory): Keeping up to date -- [Auto-updating the CSE](../../video/install/autoupdate.md) +- [Auto-updating the CSE](/docs/policypak/policypak/video/install/autoupdate.md) diff --git a/docs/policypak/policypak/install/powershell.md b/docs/policypak/policypak/install/powershell.md index 684fd6808f..975d15ac93 100644 --- a/docs/policypak/policypak/install/powershell.md +++ b/docs/policypak/policypak/install/powershell.md 
@@ -5,7 +5,7 @@ key tasks. As of the writing of this manual, the PowerShell cmdlets can perform discover Endpoint Policy Manager items within a Group Policy Object (GPO). The Endpoint Policy Manager PowerShell module is located in the Endpoint Policy Manager Extras folder you downloaded. -![policypak_and_powershell_1200x787](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_1200x787.webp) +![policypak_and_powershell_1200x787](/img/product_docs/policypak/policypak/install/policypak_and_powershell_1200x787.webp) Run the Endpoint Policy Manager PowerShell Tools installer. The Endpoint Policy Manager PowerShell modules will be installed to `>c:\Program Files\PolicyPak1\Tools\Modules\PolicyPak`. @@ -13,7 +13,7 @@ modules will be installed to `>c:\Program Files\PolicyPak1\Tools\Modules\PolicyP At a Powershell prompt run the command `>Import-Module PolicyPak.psd1.` If you add the `>-verbose `command you will see all of the available cmdlets. -![policypak_and_powershell_1_1200x974](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_1_1200x974.webp) +![policypak_and_powershell_1_1200x974](/img/product_docs/policypak/policypak/install/policypak_and_powershell_1_1200x974.webp) ## Endpoint Policy Manager PowerShell and Licensing Endpoint Policy Manager 
@@ -49,10 +49,10 @@ using the existing Microsoft cmdlet Get-ADOrganizationalUnit as shown below. The request output is shownbelow. -![policypak_and_powershell_2](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_2.webp) +![policypak_and_powershell_2](/img/product_docs/policypak/policypak/install/policypak_and_powershell_2.webp) **NOTE:** To understand scope versus SOM, see -[Why does License Tool ask Who am I and Where do I want to use Endpoint Policy Manager?](../license/activedirectory/scope.md). +[Why does License Tool ask Who am I and Where do I want to use Endpoint Policy Manager?](/docs/policypak/policypak/license/activedirectory/scope.md). Method 2 requires indicating specific organizational units (OUs), as shown below. In this example, the scope is the whole domain, but the SOM is the Sales OU within the Fabrikam.com domain. Below is @@ -72,7 +72,7 @@ an example script which requests a new license file from a specific SOM and scop `>#---` -![policypak_and_powershell_3_1200x833](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_3_1200x833.webp) +![policypak_and_powershell_3_1200x833](/img/product_docs/policypak/policypak/install/policypak_and_powershell_3_1200x833.webp) The next cmdlet enables you to determine how many computers are not active. @@ -86,7 +86,7 @@ The next cmdlet enables you to determine how many computers are not active. The result from this cmdlet is shown below. -![policypak_and_powershell_4_950x333](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_4_950x333.webp) +![policypak_and_powershell_4_950x333](/img/product_docs/policypak/policypak/install/policypak_and_powershell_4_950x333.webp) ``` >The next cmdlet disables inactive computers.># Disable-InactiveComputers 
@@ -97,7 +97,7 @@ The result from this cmdlet is shown below. You can then see the machines are disabled: -![policypak_and_powershell_5_1200x561](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_5_1200x561.webp) +![policypak_and_powershell_5_1200x561](/img/product_docs/policypak/policypak/install/policypak_and_powershell_5_1200x561.webp) When the next cmdlet is run, you can see if the license file you got from Endpoint Policy Manager was valid. Note that you might have to run the cmdlet on each Endpoint Policy Manager license file @@ -118,7 +118,7 @@ you get. You can then see that the license is valid: -![policypak_and_powershell_6_950x148](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_6_950x148.webp) +![policypak_and_powershell_6_950x148](/img/product_docs/policypak/policypak/install/policypak_and_powershell_6_950x148.webp) When the next cmdlet is run, you can create a new GPO and link it to the scope. @@ -130,7 +130,7 @@ When the next cmdlet is run, you can create a new GPO and link it to the scope. You can then see the successful installation: -![policypak_and_powershell_7_1200x328](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_7_1200x328.webp) +![policypak_and_powershell_7_1200x328](/img/product_docs/policypak/policypak/install/policypak_and_powershell_7_1200x328.webp) The next cmdlet will specify a GPO by GUID. 
@@ -146,7 +146,7 @@ The next cmdlet will specify a GPO by GUID. The result is shown below. You can see the GPO name, scope, expiration date of the license, Endpoint Policy Manager license version type, and validation status of the license. -![policypak_and_powershell_8_1200x803](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_8_1200x803.webp) +![policypak_and_powershell_8_1200x803](/img/product_docs/policypak/policypak/install/policypak_and_powershell_8_1200x803.webp) ## Endpoint Policy Manager PowerShell and Discovery @@ -169,4 +169,4 @@ PolicyPak, you can use cmdlets like the following examples: ![Text Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/install/policypak_and_powershell_9_850x594.webp) +generated](/img/product_docs/policypak/policypak/install/policypak_and_powershell_9_850x594.webp) diff --git a/docs/policypak/policypak/install/rings.md b/docs/policypak/policypak/install/rings.md index 6492223024..15bd9205c6 100644 --- a/docs/policypak/policypak/install/rings.md +++ b/docs/policypak/policypak/install/rings.md @@ -71,7 +71,7 @@ The basic idea is that you put a delay between your rings. - Fast Ring (10-50%): 5-day delay. - Slow Ring (51-100%): 10-day delay. -![71_1_hfkb-1094-img-01](../../../../static/img/product_docs/policypak/policypak/install/71_1_hfkb-1094-img-01.webp) +![71_1_hfkb-1094-img-01](/img/product_docs/policypak/policypak/install/71_1_hfkb-1094-img-01.webp) Microsoft updates can be a little complicated because they also deal with channels, or the types of versions you want to install. Additionally, Microsoft's model is more complex than Endpoint Policy 
@@ -137,7 +137,7 @@ the latest CSE and/or Cloud Client to opt-in more groups. remaining PCs all at once (again, after you've done some pre-testing.) See the -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../video/cloud/groups.md) topic +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md) topic for additional information and a video on this process. ## Recommendations when using Endpoint Policy Manager with your Active Directory: Rings and Rollouts @@ -203,7 +203,7 @@ of the CSE Auto-Updater. The CSE Auto-Updater will honor one of two types of rin you will set your rings apart with number of hours between updates. See the -[How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](ringsupgrade.md) topic +[How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](/docs/policypak/policypak/install/ringsupgrade.md) topic for additional information. ### Active Directory Option 3: Using the Built-in Endpoint Policy Manager CSE Update mechanism in an alternate manner. 
@@ -230,9 +230,9 @@ Manager Remote Work Delivery Manager. You could create the rings using Active D any other targeting, then, shoot down a CSE update to specific machines as you saw fit. See the -[How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](../remoteworkdelivery/updateclientsideextension.md) +[How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md) and -[Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](../video/remoteworkdelivery/updateclientsideextension.md) topics +[Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](/docs/policypak/policypak/video/remoteworkdelivery/updateclientsideextension.md) topics for additional information. ## Recommendations when using Endpoint Policy Manager with your MDM: Rings and Rollouts diff --git a/docs/policypak/policypak/install/ringsupgrade.md b/docs/policypak/policypak/install/ringsupgrade.md index db1611648f..3e98cd4087 100644 --- a/docs/policypak/policypak/install/ringsupgrade.md +++ b/docs/policypak/policypak/install/ringsupgrade.md 
@@ -5,13 +5,13 @@ patches. As such, Netwrix Endpoint Policy Manager (formerly PolicyPak) also stro do the same. Please familiarize yourself with this article before continuing: -[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](rings.md) +[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) If you wish to configure or fine-tune the CSE auto-download process, you may create a file called `update.config`, which must be placed within the Endpoint Policy Manager Central Storage CSE folder, as seen below. -![640_1_hfkb-1128-img-01](../../../../static/img/product_docs/policypak/policypak/install/640_1_hfkb-1128-img-01.webp) +![640_1_hfkb-1128-img-01](/img/product_docs/policypak/policypak/install/640_1_hfkb-1128-img-01.webp) This file can be manually created in order to configure or fine-tune the CSE auto-download process. This file should be created in the Endpoint Policy Manager Central Storage CSE folder, and the file 
@@ -140,12 +140,12 @@ The share for reports should have the following permissions: 2. Domain Computers should be set to Read, Write, Create (but not Delete) 3. NTFS permissions should allow for All. -![640_2_hfkb-1128-img-02](../../../../static/img/product_docs/policypak/policypak/install/640_2_hfkb-1128-img-02.webp) +![640_2_hfkb-1128-img-02](/img/product_docs/policypak/policypak/install/640_2_hfkb-1128-img-02.webp) NTFS permissions should be set up as shown below, where Domain Computers has all rights, except Full Control. -![640_3_hfkb-1128-img-03_950x424](../../../../static/img/product_docs/policypak/policypak/install/640_3_hfkb-1128-img-03_950x424.webp) +![640_3_hfkb-1128-img-03_950x424](/img/product_docs/policypak/policypak/install/640_3_hfkb-1128-img-03_950x424.webp) This way, domain computers (that is, endpoints) will be able to write reports but not delete reports that they create. When enabled and configured, inside the share, you'll see log files named in the @@ -182,7 +182,7 @@ Endpoint Policy Manager products have four command-line commands to help with up **NOTE:** This is necessary only when the` update.config` file's enabled variable is set to "False" and, thus, not performing any updates normally. -![640_4_hfkb-1128-img-04](../../../../static/img/product_docs/policypak/policypak/install/640_4_hfkb-1128-img-04.webp) +![640_4_hfkb-1128-img-04](/img/product_docs/policypak/policypak/install/640_4_hfkb-1128-img-04.webp) ## Troubleshooting CSE Automatic Updates diff --git a/docs/policypak/policypak/install/services.md b/docs/policypak/policypak/install/services.md index fc90a6e850..e74396362d 100644 --- a/docs/policypak/policypak/install/services.md +++ b/docs/policypak/policypak/install/services.md 
@@ -6,7 +6,7 @@ initiated manually or on a defined interval. You can see the Group Policy Client Service from Microsoft here. This is what downloads GPOs, which may or may not contain Netwrix Endpoint Policy Manager (formerly PolicyPak) data. -![322_1_grouppolicyclient](../../../../static/img/product_docs/policypak/policypak/install/322_1_grouppolicyclient.webp) +![322_1_grouppolicyclient](/img/product_docs/policypak/policypak/install/322_1_grouppolicyclient.webp) Endpoint Policy Manager provides (via Group Policy, Endpoint Policy Manager Cloud or MDM delivery) a vast array of powerful and unique policies not possible with Group Policy alone. Many of these @@ -18,7 +18,7 @@ There are 3 services created by the CSE. - Endpoint Policy Manager Watcher Service (64-bit) - Endpoint Policy Manager Watcher Service (32-bit) -![322_2_policypakservices](../../../../static/img/product_docs/policypak/policypak/install/322_2_policypakservices.webp) +![322_2_policypakservices](/img/product_docs/policypak/policypak/install/322_2_policypakservices.webp) The Endpoint Policy Manager services provide this real-time enforcement of policies. For instance, when you use Endpoint Policy Manager to perform the following: @@ -39,7 +39,7 @@ We need three services because we support both 32 & 64 bit applications (on 64-b The Watcher Service is also involved in the PolicyPak CSE Auto-Updater. When the Watcher Service is disabled, you cannot perform the automatic on-prem update of the CSE. For more information on the automatic update feature, see the -[Rings with Endpoint Policy Manager and Active Directory](upgrade/rings/activedirectory.md) topic. +[Rings with Endpoint Policy Manager and Active Directory](/docs/policypak/policypak/install/upgrade/rings/activedirectory.md) topic. The Helper Service is required, handles a variety of functions, and is used across all of PP's components. We need more services than just Group Policy because we do much more than Group Policy 
diff --git a/docs/policypak/policypak/install/uninstall.md b/docs/policypak/policypak/install/uninstall.md index fe8568bb12..7dfbc01df9 100644 --- a/docs/policypak/policypak/install/uninstall.md +++ b/docs/policypak/policypak/install/uninstall.md 
@@ -34,12 +34,12 @@ to expressly declare in advance what the revert behavior should be. By default, Policy Manager Application Manager nor the Group Policy Preferences will automatically revert when you uninstall the Client Side Extension. You would be leaving the last written data behind. For more information, please see -[How do I ensure that settings will revert when the policy no longer applies (by Group Policy, File, or Endpoint Policy Manager Cloud)?](../troubleshooting/settingsrevert.md) +[How do I ensure that settings will revert when the policy no longer applies (by Group Policy, File, or Endpoint Policy Manager Cloud)?](/docs/policypak/policypak/troubleshooting/settingsrevert.md) Then, beyond that, most Endpoint Policy Manager specific settings will stop working and let you continue onward. For more information on this process, please see -[What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](../license/unlicense/components.md) +[What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](/docs/policypak/policypak/license/unlicense/components.md) Finally, there is a specific cosmetic issue with regards to Endpoint Policy Manager Browser Router removal and Default Browser. For more information on this issue and how to deal with it, please see -[When I unlicense or remove Endpoint Policy ManagerBrowser Router from scope,Endpoint Policy Manager Browser Router Agent still shows as OS "default browser". Why is that and is there a workaround?](../troubleshooting/browserrouter/install/defaultbrowser.md). +[When I unlicense or remove Endpoint Policy ManagerBrowser Router from scope,Endpoint Policy Manager Browser Router Agent still shows as OS "default browser". Why is that and is there a workaround?](/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md). 
diff --git a/docs/policypak/policypak/install/update/commandline.md b/docs/policypak/policypak/install/update/commandline.md index cfc93a127d..6190feeedb 100644 --- a/docs/policypak/policypak/install/update/commandline.md +++ b/docs/policypak/policypak/install/update/commandline.md @@ -8,7 +8,7 @@ Check for updated cloud client and client-side extensions and install them, if a From more information seeRecommendations when using Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud: Rings and Rollouts in the topic below. -- [Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../rings.md) +- [Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) **NOTE:** When using the commands above both the CSE and PPC client will be updated if new versions are available. @@ -20,7 +20,7 @@ From a CMD prompt run `ppupdate`followed by one of the switches in the examples **NOTE:** These switches are dependent on having the CSE MSI files present in the Central Store See Active Directory Options 2 & 3 in the KB below for more information. -[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../rings.md) +[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) Examples: diff --git a/docs/policypak/policypak/install/update/config.md b/docs/policypak/policypak/install/update/config.md index 6f7169fe4e..cf86aff901 100644 --- a/docs/policypak/policypak/install/update/config.md +++ b/docs/policypak/policypak/install/update/config.md 
@@ -5,7 +5,7 @@ If you wish to configure or fine-tune the CSE auto-download process, you may cre `update.config`, which must be placed within the Netwrix Endpoint Policy Manager (formerly PolicyPak) Central Storage CSE folder, as seen below. -![714_1_image-20201229220359-1](../../../../../static/img/product_docs/policypak/policypak/install/update/714_1_image-20201229220359-1.webp) +![714_1_image-20201229220359-1](/img/product_docs/policypak/policypak/install/update/714_1_image-20201229220359-1.webp) This file can be manually created in order to configure or fine-tune the CSE auto-download process. This file should be created in the Endpoint Policy Manager Central Storage CSE folder, and the file @@ -14,7 +14,7 @@ this file once every 90 minutes, but that is configurable in the `update.config` **NOTE:** The interval in our example below is set to 1 minute. -![714_2_image-20201229220359-2](../../../../../static/img/product_docs/policypak/policypak/install/update/714_2_image-20201229220359-2.webp) +![714_2_image-20201229220359-2](/img/product_docs/policypak/policypak/install/update/714_2_image-20201229220359-2.webp) Breakdown of the parameters for the `update.config` file and how to use them: 
@@ -42,12 +42,12 @@ The share for reports should have the following permissions: - Domain Computers should be set to Read, Write, Create (but not Delete) - NTFS permissions should allow for All. -![714_3_image-20201229220359-3](../../../../../static/img/product_docs/policypak/policypak/install/update/714_3_image-20201229220359-3.webp) +![714_3_image-20201229220359-3](/img/product_docs/policypak/policypak/install/update/714_3_image-20201229220359-3.webp) NTFS permissions should be set up as shown below, where Domain Computers has all rights, except **Full Control**. -![714_4_image-20201229220359-4](../../../../../static/img/product_docs/policypak/policypak/install/update/714_4_image-20201229220359-4.webp) +![714_4_image-20201229220359-4](/img/product_docs/policypak/policypak/install/update/714_4_image-20201229220359-4.webp) This way, domain computers (that is, endpoints) will be able to write reports but not delete reports that they create. When enabled and configured, inside the share, you'll see log files named in the @@ -82,7 +82,7 @@ Endpoint Policy Manager products have three command-line commands to help with u **NOTE:** This is necessary only when the `update.config` file's enabled variable is set to `False` and, thus, not performing any updates normally. -![714_5_image-20201229220359-5](../../../../../static/img/product_docs/policypak/policypak/install/update/714_5_image-20201229220359-5.webp) +![714_5_image-20201229220359-5](/img/product_docs/policypak/policypak/install/update/714_5_image-20201229220359-5.webp) ## Troubleshooting CSE Automatic Updates: diff --git a/docs/policypak/policypak/install/update/frequency.md b/docs/policypak/policypak/install/update/frequency.md index 732f0e1aaf..e50a07a651 100644 --- a/docs/policypak/policypak/install/update/frequency.md +++ b/docs/policypak/policypak/install/update/frequency.md 
@@ -1,13 +1,13 @@ # How often is Endpoint Policy Manager updated? And, must I update to the latest version? Are all versions supported? There are several parts to Netwrix Endpoint Policy Manager (formerly PolicyPak) -[What items and components are licensed, and what components are free?](../../license/components.md) +[What items and components are licensed, and what components are free?](/docs/policypak/policypak/license/components.md) When people ask us how often Endpoint Policy Manager is updated, they usually want to know when Paks and/or the CSE are updated. The Paks are updated as needed. See -[AppSets: What is the official support policy for the pre-configured AppSets?](../../troubleshooting/applicationsettings/supportpolicy.md) +[AppSets: What is the official support policy for the pre-configured AppSets?](/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md) The CSE is updated for emergency bug fixes right away. The CSE is updated for low-priority bug fixes about 3 to 4 times a year. We typically launch new features at the same time. diff --git a/docs/policypak/policypak/install/upgrade/overview.md b/docs/policypak/policypak/install/upgrade/overview.md index 96dab4d402..5fc450591c 100644 --- a/docs/policypak/policypak/install/upgrade/overview.md +++ b/docs/policypak/policypak/install/upgrade/overview.md @@ -6,7 +6,7 @@ Only the latest client-side extension (CSE) in the Portal or Netwrix Endpoint Po (formerly PolicyPak) Cloud, the one with the most fixes and features, is fully supported. **NOTE:** To better understand Endpoint Policy Manager build and version numbers, see the -[What are the Endpoint Policy Manager Build and Version numbers?](../../troubleshooting/versions.md) +[What are the Endpoint Policy Manager Build and Version numbers?](/docs/policypak/policypak/troubleshooting/versions.md) topic for additional information. Just because you are unable to stay current (or nearly current) with the Endpoint Policy Manager CSE 
diff --git a/docs/policypak/policypak/install/upgrade/rings/activedirectory.md b/docs/policypak/policypak/install/upgrade/rings/activedirectory.md index f2c628a331..b509eaf5a7 100644 --- a/docs/policypak/policypak/install/upgrade/rings/activedirectory.md +++ b/docs/policypak/policypak/install/upgrade/rings/activedirectory.md @@ -65,7 +65,7 @@ Auto-Updater. The CSE Auto-Updater will honor one of two types of rings procedur you separate your rings by the number of hours between updates. See the -[How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](../../ringsupgrade.md) topic +[How can I roll out the latest Endpoint Policy Manager CSE with Active Directory in a controlled manner using Rings ?](/docs/policypak/policypak/install/ringsupgrade.md) topic for additional information. ## Endpoint Policy Manager CSE Auto-Updater in Reverse @@ -96,9 +96,9 @@ on your situation. In this process you can create the rings using Active Directo other targeting, and then sending a CSE update to specific machines as you see fit. **NOTE:** See the -[How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](../../../remoteworkdelivery/updateclientsideextension.md) +[How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md) topic for additional information. See the -[Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](../../../video/remoteworkdelivery/updateclientsideextension.md)video for +[Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](/docs/policypak/policypak/video/remoteworkdelivery/updateclientsideextension.md)video for additional information. 
diff --git a/docs/policypak/policypak/install/upgrade/rings/cloud.md b/docs/policypak/policypak/install/upgrade/rings/cloud.md index a70cd6c01d..ffda51da45 100644 --- a/docs/policypak/policypak/install/upgrade/rings/cloud.md +++ b/docs/policypak/policypak/install/upgrade/rings/cloud.md @@ -24,7 +24,7 @@ select the latest CSE and/or Endpoint Policy Manager Cloud client to opt-in more the remaining PCs all at once (after completing some testing). See the -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../../../video/cloud/groups.md) +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md) topic for additional information on this process. **NOTE:** Update the CSE first or the Cloud Client first in the test groups and let each part of the diff --git a/docs/policypak/policypak/install/upgrade/rings/overview.md b/docs/policypak/policypak/install/upgrade/rings/overview.md index 771fe1b0fd..d3453be529 100644 --- a/docs/policypak/policypak/install/upgrade/rings/overview.md +++ b/docs/policypak/policypak/install/upgrade/rings/overview.md @@ -49,7 +49,7 @@ The basic idea is that you put a delay between your rings. - Fast Ring (10-50%): 5-day delay. - Slow Ring (51-100%): 10-day delay. -![71_1_hfkb-1094-img-01](../../../../../../static/img/product_docs/policypak/policypak/install/71_1_hfkb-1094-img-01.webp) +![71_1_hfkb-1094-img-01](/img/product_docs/policypak/policypak/install/71_1_hfkb-1094-img-01.webp) Microsoft updates can be a little complicated because they also deal with channels, or the types of versions you want to install. Additionally, Microsoft's model is more complex than Endpoint Policy diff --git a/docs/policypak/policypak/install/upgrade/settings.md b/docs/policypak/policypak/install/upgrade/settings.md index b431d2498b..51985c198f 100644 --- a/docs/policypak/policypak/install/upgrade/settings.md 
+++ b/docs/policypak/policypak/install/upgrade/settings.md @@ -5,7 +5,7 @@ Manager (formerly PolicyPak) the client-side extension (CSE) and tools are updat those specific parts in the following sections. For a video overview of this topic, see -[Keeping Application Settings Manager and Paks up to date](../../video/applicationsettings/uptodate.md). +[Keeping Application Settings Manager and Paks up to date](/docs/policypak/policypak/video/applicationsettings/uptodate.md). ## Updating the AppSets @@ -40,7 +40,7 @@ For extra protection within each Endpoint Policy Manager Application Settings Ma you can choose to open the definition and then click the **Options** button. Then, select **Export XML Settings Data**. -![specific_upgrades_for_application_624x386](../../../../../static/img/product_docs/policypak/policypak/install/upgrade/specific_upgrades_for_application_624x386.webp) +![specific_upgrades_for_application_624x386](/img/product_docs/policypak/policypak/install/upgrade/specific_upgrades_for_application_624x386.webp) **NOTE:** This step is optional but will provide a second backup of your Endpoint Policy Manager Application Settings Manager definitions in case of a mishap and is therefore recommended. @@ -54,4 +54,4 @@ Endpoint Policy Manager GPOTouch. It is recommended to use the Endpoint Policy M utility to update each GPO automatically with the latest version of the AppSet DLL file. To see a video overview of how to manually touch a GPO, see -[GPOTouch Utility](../../video/applicationsettings/touchutility.md). +[GPOTouch Utility](/docs/policypak/policypak/video/applicationsettings/touchutility.md). diff --git a/docs/policypak/policypak/install/upgrade/tips.md b/docs/policypak/policypak/install/upgrade/tips.md index 9b8dbf1f1c..81b38213bc 100644 --- a/docs/policypak/policypak/install/upgrade/tips.md +++ b/docs/policypak/policypak/install/upgrade/tips.md 
@@ -25,7 +25,7 @@ You should familiarize yourself with the idea of rings, which is a Microsoft con controlled rollouts. Endpoint Policy Manager aligns with this ring philosophy and as such, getting familiar with those concepts is well advised. This idea is applicable for all delivery methods: Group Policy, MDM, SCCM, or Cloud. This manual will examine the concept of rings. See the -[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../rings.md) topic +[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) topic for additional information In general, the best route to take for upgrading from any previous version is the following: @@ -42,11 +42,11 @@ distribute those to your admin team. Sometimes the latest helper tool must match the MMC editor. **Step 4 –** Update the Endpoint Policy Manager ADMX (troubleshooting) files. (Video tip: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md)) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md)) **Step 5 –** Roll out the CSE in a controlled fashion to your endpoints using the ring methodology. -![upgrading_tips_624x267](../../../../../static/img/product_docs/policypak/policypak/install/upgrade/upgrading_tips_624x267.webp) +![upgrading_tips_624x267](/img/product_docs/policypak/policypak/install/upgrade/upgrading_tips_624x267.webp) **CAUTION:** Do not attempt to roll out the CSE to 100% of your computer population at once. If Endpoint Policy Manager fails to operate in an expected manner and locks up, or otherwise makes your 
@@ -57,7 +57,7 @@ the CSE to endpoint machines gradually. be making backups from time to time. Inside the GPMC, find the Group Policy Objects node, right-click, select Backup, and then follow the prompts. For additional information on how to preform a Group Policy backup, see the -[Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](../../video/troubleshooting/backupoptions.md) +[Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](/docs/policypak/policypak/video/troubleshooting/backupoptions.md) and -[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../../video/troubleshooting/backup.md) +[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md) video demos. diff --git a/docs/policypak/policypak/integration/applocker.md b/docs/policypak/policypak/integration/applocker.md index 65b797110f..dd522ebf84 100644 --- a/docs/policypak/policypak/integration/applocker.md +++ b/docs/policypak/policypak/integration/applocker.md 
@@ -10,21 +10,21 @@ Microsoft Applocker deployment. Here is a Endpoint Policy Manager Least Privilege Manager direct rule which would take effect when a user double-clicks an application, like Procmon, which would normally throw a UAC prompt. -![947_1_image-20230714222620-1_950x537](../../../../static/img/product_docs/policypak/policypak/integration/947_1_image-20230714222620-1_950x537.webp) +![947_1_image-20230714222620-1_950x537](/img/product_docs/policypak/policypak/integration/947_1_image-20230714222620-1_950x537.webp) The result is that a double-click of the application is still blocked by Applocker as shown here. -![947_2_image-20230714222621-2_950x527](../../../../static/img/product_docs/policypak/policypak/integration/947_2_image-20230714222621-2_950x527.webp) +![947_2_image-20230714222621-2_950x527](/img/product_docs/policypak/policypak/integration/947_2_image-20230714222621-2_950x527.webp) However, the user may be taught to right-click and **Run with PolicyPak** which will then perform the direct rule operation and elevate the application. An example of the steps can be seen here. -![947_3_image-20230714222621-3_950x565](../../../../static/img/product_docs/policypak/policypak/integration/947_3_image-20230714222621-3_950x565.webp) +![947_3_image-20230714222621-3_950x565](/img/product_docs/policypak/policypak/integration/947_3_image-20230714222621-3_950x565.webp) **NOTE:** The **Apply on demand** checkbox for direct rules will have no effect while Applocker is running. -![947_4_image-20230714222621-4_950x548](../../../../static/img/product_docs/policypak/policypak/integration/947_4_image-20230714222621-4_950x548.webp) +![947_4_image-20230714222621-4_950x548](/img/product_docs/policypak/policypak/integration/947_4_image-20230714222621-4_950x548.webp) ## Endpoint Policy Manager Admin Approval and AppLocker 
@@ -33,18 +33,18 @@ When Endpoint Policy Manager Admin Approval is on, once again, double-click is b However, right-clicking **Run with PolicyPak** provides the Admin Approval prompt. Both Short codes and Long codes work as expected. -![947_5_image-20230714222621-5_950x498](../../../../static/img/product_docs/policypak/policypak/integration/947_5_image-20230714222621-5_950x498.webp) +![947_5_image-20230714222621-5_950x498](/img/product_docs/policypak/policypak/integration/947_5_image-20230714222621-5_950x498.webp) ## Endpoint Policy Manager and Self Elevate -![947_6_image-20230714222621-6_950x693](../../../../static/img/product_docs/policypak/policypak/integration/947_6_image-20230714222621-6_950x693.webp) +![947_6_image-20230714222621-6_950x693](/img/product_docs/policypak/policypak/integration/947_6_image-20230714222621-6_950x693.webp) ## Endpoint Policy Manager SecureRun and Microsoft AppLocker Endpoint Policy Manager SecureRun is different from AppLocker because it can key off the file ownership / SecureRun member. -![947_7_image-20230714222621-7_950x550](../../../../static/img/product_docs/policypak/policypak/integration/947_7_image-20230714222621-7_950x550.webp) +![947_7_image-20230714222621-7_950x550](/img/product_docs/policypak/policypak/integration/947_7_image-20230714222621-7_950x550.webp) When SecureRun™ run alongside Applocker, there is no difference to the statements above, except that you also get all the added benefits of SecureRun. This is not a recommended configuration but diff --git a/docs/policypak/policypak/integration/appv.md b/docs/policypak/policypak/integration/appv.md index 46eb154fd3..0f286eb6b5 100644 --- a/docs/policypak/policypak/integration/appv.md +++ b/docs/policypak/policypak/integration/appv.md 
@@ -11,25 +11,25 @@ Steps to create App-V icon in Windows Starts Screen via GPO: **Step 2 –** Create Collection, create Group and then right-click and select **Add Desktop Application Tile**. -![808_1_image-20201121192420-1](../../../../static/img/product_docs/policypak/policypak/integration/808_1_image-20201121192420-1.webp) +![808_1_image-20201121192420-1](/img/product_docs/policypak/policypak/integration/808_1_image-20201121192420-1.webp) **Step 3 –** Select the **Registered Application (Recommended)** option and click **Next**. -![808_2_image-20201121192420-2](../../../../static/img/product_docs/policypak/policypak/integration/808_2_image-20201121192420-2.webp) +![808_2_image-20201121192420-2](/img/product_docs/policypak/policypak/integration/808_2_image-20201121192420-2.webp) **Step 4 –** Wait for the wizard to discover all registered applications including App-V application packages. **Step 5 –** Select the App-V application and verify the path by moving your cursor over the Icon. -![808_3_image-20201121192420-3](../../../../static/img/product_docs/policypak/policypak/integration/808_3_image-20201121192420-3.webp) +![808_3_image-20201121192420-3](/img/product_docs/policypak/policypak/integration/808_3_image-20201121192420-3.webp) **Step 6 –** Complete the remaining steps and apply group policy updates on the target machine. **NOTE:** The target application path must exist in the client machine. -![808_4_image-20201121192420-4](../../../../static/img/product_docs/policypak/policypak/integration/808_4_image-20201121192420-4.webp) +![808_4_image-20201121192420-4](/img/product_docs/policypak/policypak/integration/808_4_image-20201121192420-4.webp) **Step 7 –** Log-off and log back on to see the required Starts Screen items. 
-![808_5_image-20201121192420-5](../../../../static/img/product_docs/policypak/policypak/integration/808_5_image-20201121192420-5.webp) +![808_5_image-20201121192420-5](/img/product_docs/policypak/policypak/integration/808_5_image-20201121192420-5.webp) diff --git a/docs/policypak/policypak/integration/auditor/mmcsnapin.md b/docs/policypak/policypak/integration/auditor/mmcsnapin.md index 1fb47b643b..09309c0835 100644 --- a/docs/policypak/policypak/integration/auditor/mmcsnapin.md +++ b/docs/policypak/policypak/integration/auditor/mmcsnapin.md @@ -1,7 +1,7 @@ # How do I configure the MMC snap-in to open GPOs in Netwrix Auditor? For a video overview of this process see -[Endpoint Policy Manager and Netwrix Auditor - Setup Steps](../../video/integration/auditorsetup.md) +[Endpoint Policy Manager and Netwrix Auditor - Setup Steps](/docs/policypak/policypak/video/integration/auditorsetup.md) **NOTE:** Only the latest Endpoint Policy Manager MMC console supports the Endpoint Policy Manager → Netwrix Auditor. Make sure to use the Endpoint Policy Manager download and install the latest MMC 
@@ -12,28 +12,28 @@ console. **Step 1 –** In Netwrix Auditor, determine where you Report Manager URL is. The item is found in Netwrix Auditor under **Settings** > **Audit Database** > **Report Manager UR**. -![970_1_image-20231016154007-8_950x412](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_1_image-20231016154007-8_950x412.webp) +![970_1_image-20231016154007-8_950x412](/img/product_docs/policypak/policypak/integration/auditor/970_1_image-20231016154007-8_950x412.webp) **Step 2 –** Click on the link to open up Report Manager in SQL Server Reporting Services (SSRS). **Step 3 –** Create a new SSRS Folder and give it any name you like. -![970_2_image-20231016154007-9_950x454](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_2_image-20231016154007-9_950x454.webp) +![970_2_image-20231016154007-9_950x454](/img/product_docs/policypak/policypak/integration/auditor/970_2_image-20231016154007-9_950x454.webp) **Step 4 –** Enter the folder you just created then upload the` .RDL` file provided from the Endpoint Policy Manager Extras Folder. -![970_3_image-20231016154007-10_950x605](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_3_image-20231016154007-10_950x605.webp) +![970_3_image-20231016154007-10_950x605](/img/product_docs/policypak/policypak/integration/auditor/970_3_image-20231016154007-10_950x605.webp) **Step 5 –** The result after the upload is shown below.. -![970_4_image-20231016154007-11](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_4_image-20231016154007-11.webp) +![970_4_image-20231016154007-11](/img/product_docs/policypak/policypak/integration/auditor/970_4_image-20231016154007-11.webp) **Step 6 –** Click the report to get the reference string you'll use in future steps. This will contain the Netwrix Auditor server, up to and including the specific URL which expresses just before the report name. 
-![970_5_image-20231016154007-12_950x839](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_5_image-20231016154007-12_950x839.webp) +![970_5_image-20231016154007-12_950x839](/img/product_docs/policypak/policypak/integration/auditor/970_5_image-20231016154007-12_950x839.webp) As an example, the string should look like this: http://NetwrixAuditorServer/Reports_SQLEXPRESS/report/PolicyPak @@ -46,7 +46,7 @@ http://NetwrixAuditorServer/Reports_SQLEXPRESS/report/PolicyPak Netwrix Auditor . Left click on the Netwrix Endpoint Policy Manager node, then right-click to **Open in Netwrix Auditor**.  Input the string you collected earlier. -![970_6_image-20231016154007-13_950x582](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_6_image-20231016154007-13_950x582.webp) +![970_6_image-20231016154007-13_950x582](/img/product_docs/policypak/policypak/integration/auditor/970_6_image-20231016154007-13_950x582.webp) ## Optional Configuration: Use PolicyPak ADMX to configure the value automatically @@ -56,7 +56,7 @@ wish to mass-configure this value, you may do so via the Endpoint Policy Manager Always use the latest Endpoint Policy Manager ` ADMX` files, are available in the Endpoint Policy Manager download. -Please see [Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) to begin +Please see [Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) to begin using, or update the Endpoint Policy Manager ADMX settings **Step 2 –** After the ` ADMX` files are in place, create a Group Policy Object and target it for 
@@ -65,7 +65,7 @@ your MMC management stations. **NOTE:** Endpoint Policy Manager CSE will ignore this policy because it is exclusively regarding the MMC snap-in. -![970_7_image-20231016154007-14_950x683](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/970_7_image-20231016154007-14_950x683.webp) +![970_7_image-20231016154007-14_950x683](/img/product_docs/policypak/policypak/integration/auditor/970_7_image-20231016154007-14_950x683.webp) **Step 3 –** Going forward, the ADMX setting will command the MMC snap-in and it will be unconfigurable. diff --git a/docs/policypak/policypak/integration/auditor/permissions.md b/docs/policypak/policypak/integration/auditor/permissions.md index 63d8868eb7..36969c4e59 100644 --- a/docs/policypak/policypak/integration/auditor/permissions.md +++ b/docs/policypak/policypak/integration/auditor/permissions.md 
@@ -4,12 +4,12 @@ While using the Netwrix Endpoint Policy Manager (formerly PolicyPak) MMC to view data, you might be prompted for Username and Password credentials. There are a few things you need to do to minimize or eliminate these requests. An example authentication request can be seen here. -![969_1_image-20231017185713-1_950x344](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/969_1_image-20231017185713-1_950x344.webp) +![969_1_image-20231017185713-1_950x344](/img/product_docs/policypak/policypak/integration/auditor/969_1_image-20231017185713-1_950x344.webp) **NOTE:** First, note that if your browser is Firefox you must set the "URIS / SPNEGO" settings to passthru authentication requests. One way to do this is via Endpoint Policy Manager Application Settings Manager with these instructions: -[Firefox: How do I use the NTLM passthru (URIS) settings in the Firefox / about:config AppSets?](../../applicationsettings/preconfigured/firefox/ntlmpassthru.md). +[Firefox: How do I use the NTLM passthru (URIS) settings in the Firefox / about:config AppSets?](/docs/policypak/policypak/applicationsettings/preconfigured/firefox/ntlmpassthru.md). You may also use the Firefox ADMX settings to perform a similar option. If you are using Edge as your default browser, these steps are un-necessary and you will likely not 
@@ -18,7 +18,7 @@ be prompted for credentials. However, you might also be denied access to the specific Endpoint Policy Manager report, like what's seen here. -![969_2_image-20231017185713-2_950x355](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/969_2_image-20231017185713-2_950x355.webp) +![969_2_image-20231017185713-2_950x355](/img/product_docs/policypak/policypak/integration/auditor/969_2_image-20231017185713-2_950x355.webp) **Step 1 –** To correct for this and ensure the highlighted user in the previous screenshot (or group the person is a member of) has access, you there are a few ways to accomplish the task. 
@@ -34,16 +34,16 @@ You will need main credentials to SQL Server Reporting Services before beginning reporting folder (note it could have a different name if it was set up in a unique fashion.) Then click Manage. -![969_3_image-20231017185713-3_950x439](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/969_3_image-20231017185713-3_950x439.webp) +![969_3_image-20231017185713-3_950x439](/img/product_docs/policypak/policypak/integration/auditor/969_3_image-20231017185713-3_950x439.webp) **Step 3 –** Then add in your DOMAIN\GROUP or DOMAIN\USER like what's seen here and select Browser role and select OK (figure on the left). The result can be seen in the figure on the right. -![969_4_image-20231017185713-4_950x351](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/969_4_image-20231017185713-4_950x351.webp) +![969_4_image-20231017185713-4_950x351](/img/product_docs/policypak/policypak/integration/auditor/969_4_image-20231017185713-4_950x351.webp) Final result can be seen here where the user is now permitted to see the Endpoint Policy Manager report. -![969_5_image-20231017185713-5_950x730](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/969_5_image-20231017185713-5_950x730.webp) +![969_5_image-20231017185713-5_950x730](/img/product_docs/policypak/policypak/integration/auditor/969_5_image-20231017185713-5_950x730.webp) diff --git a/docs/policypak/policypak/integration/auditor/reports.md b/docs/policypak/policypak/integration/auditor/reports.md index 71881501a4..860711cb61 100644 --- a/docs/policypak/policypak/integration/auditor/reports.md +++ b/docs/policypak/policypak/integration/auditor/reports.md 
@@ -5,11 +5,11 @@ event logs, that you can then use to create LPM policies as needed. ## Report -![1325_1](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_1.webp) +![1325_1](/img/product_docs/policypak/policypak/integration/auditor/1325_1.webp) Policy created in LPM using the report details above. -![1325_2](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_2.webp) +![1325_2](/img/product_docs/policypak/policypak/integration/auditor/1325_2.webp) ## Getting Started 
@@ -28,34 +28,34 @@ Navigate to **Start** > Netwrix Auditor > Netwrix Auditor **Event Log Manager**. On the main page, you are prompted to select a monitoring plan. Click **Add** to add new plan. -![1325_3](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_3.webp) +![1325_3](/img/product_docs/policypak/policypak/integration/auditor/1325_3.webp) **Step 1 –** Give the new plan a descriptive name and select **Enable event log collection**. Then add a **Notification recipient** email address. You can specify one or more email addresses for users to receive daily Event Log collection status notifications. Use a semicolon to separate addresses. -![1325_4](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_4.webp) +![1325_4](/img/product_docs/policypak/policypak/integration/auditor/1325_4.webp) **Step 2 –** In the **General** tab enter credentials for the account that will be used to collect data from the endpoints. Use an account that has local admin rights on the endpoints, and one that can also read Active directory. Then click the **Add** button next to the Monitored computers section. -![1325_5](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_5.webp) +![1325_5](/img/product_docs/policypak/policypak/integration/auditor/1325_5.webp) **Step 3 –** Choose how you would like to add monitored computers, either by Computer name, by Active Directory container, or via IP Range. -![1325_6](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_6.webp) +![1325_6](/img/product_docs/policypak/policypak/integration/auditor/1325_6.webp) **NOTE:** You can add multiple types of computer items to your monitoring plan. 
-![1325_7](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_7.webp) +![1325_7](/img/product_docs/policypak/policypak/integration/auditor/1325_7.webp) **Step 4 –** In the **Notifications** tab you can configure SMTP settings. -![1325_8](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_8.webp) +![1325_8](/img/product_docs/policypak/policypak/integration/auditor/1325_8.webp) **Step 5 –** Under the **Audit Database** tab you can review and verify your database settings. Netwrix Auditor Event Log Manager synchronizes Audit Database and reports settings with the default @@ -65,17 +65,17 @@ Netwrix Auditor Server. See the Audit Database topic in the [Netwrix Auditor > Configuration Documentation](https://helpcenter.netwrix.com/category/auditor_configuration) for additional information. -![1325_9](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_9.webp) +![1325_9](/img/product_docs/policypak/policypak/integration/auditor/1325_9.webp) **Step 6 –** In the **Advanced** tab you can check if Network traffic compression is enabled (recommended). Also, you can specify the notification delivery time. -![1325_10](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_10.webp) +![1325_10](/img/product_docs/policypak/policypak/integration/auditor/1325_10.webp) **Step 7 –** Filter out the desired events and get them into the Netwrix Auditor Reports. To do so, get back to the **General** tab and configure the **Audit archiving filters**. -![1325_11](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_11.webp) +![1325_11](/img/product_docs/policypak/policypak/integration/auditor/1325_11.webp) **Step 8 –** Once there, you can add the filtering in the Inclusive filters section. Click **Add** to proceed. 
@@ -89,17 +89,17 @@ In the next window, we need to specify the following parameters: - Write to – here you can select the location to store filtered events, either a long-term archive or a database. It is recommended to use both locations. -![1325_12](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_12.webp) +![1325_12](/img/product_docs/policypak/policypak/integration/auditor/1325_12.webp) **Step 9 –** Depending on targeted events, in the **Event Fields** tab you may enlist the event IDs to capture. See the -[List of Endpoint Policy Manager Event Categories and IDs](../../tips/eventcategories.md) topic for +[List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) topic for additional information on event IDs. For example, here is the list of event IDs related to Endpoint Policy Manager Least Privilege Manager Global Audit events: -![1325_13](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_13.webp) +![1325_13](/img/product_docs/policypak/policypak/integration/auditor/1325_13.webp) You may adjust the settings in the**Events Fields filtering** section according to your needs. 
@@ -108,11 +108,11 @@ Once the configuration is done, you may click **OK** and save all your progress **Step 10 –** Go back to the main monitoring plan configuration window for Netwrix Auditor Event Log Manager, and click **Configure** under alerts filtering: -![1325_14](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_14.webp) +![1325_14](/img/product_docs/policypak/policypak/integration/auditor/1325_14.webp) Then click **Add** to add a new alert. -![1325_15](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_15.webp) +![1325_15](/img/product_docs/policypak/policypak/integration/auditor/1325_15.webp) **Step 11 –** In the next window add alerts for any event IDs as needed using the screenshots below as a guide. @@ -121,15 +121,15 @@ as a guide. Single Event Alert Example: -![1325_16](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_16.webp) +![1325_16](/img/product_docs/policypak/policypak/integration/auditor/1325_16.webp) -![1325_17](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_17.webp) +![1325_17](/img/product_docs/policypak/policypak/integration/auditor/1325_17.webp) Group of Specific Events Alert Example: -![1325_18](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_18.webp) +![1325_18](/img/product_docs/policypak/policypak/integration/auditor/1325_18.webp) -![1325_19](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_19.webp) +![1325_19](/img/product_docs/policypak/policypak/integration/auditor/1325_19.webp) This is all the configuration required for Netwrix Auditor Event Log Manager to report on Endpoint Policy Manager Events. 
@@ -138,13 +138,13 @@ Policy Manager Events. software and go to the **Reports** section. There, navigate to the following report path: **Predefined** > **Windows Server**> **Event Log** > **All events by Computer** and click **View**. -![1325_20](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_20.webp) +![1325_20](/img/product_docs/policypak/policypak/integration/auditor/1325_20.webp) Here you can specify the conditions and filters to represent in the report, such as date range, Event level etc. -![1325_21](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_21.webp) +![1325_21](/img/product_docs/policypak/policypak/integration/auditor/1325_21.webp) **NOTE:** You can click on the interactive link in the **Date** column to see event details: -![1325_22](../../../../../static/img/product_docs/policypak/policypak/integration/auditor/1325_22.webp) +![1325_22](/img/product_docs/policypak/policypak/integration/auditor/1325_22.webp) diff --git a/docs/policypak/policypak/integration/azurevirutaldesktop.md b/docs/policypak/policypak/integration/azurevirutaldesktop.md index 8cf8a4b5dd..b583f69a29 100644 --- a/docs/policypak/policypak/integration/azurevirutaldesktop.md +++ b/docs/policypak/policypak/integration/azurevirutaldesktop.md @@ -28,7 +28,7 @@ following page under the Downloads section, by clicking on the Download other versions link at the bottom of the page. -![332_1_image-20210529214259-1](../../../../static/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) +![332_1_image-20210529214259-1](/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) **Step 3 –** On the Master Desktop Image, while logged in as a local administrator, install the Endpoint Policy Manager Cloud Client MSI that you saved under `C:\PPC Client`, by using MSIEXEC and 
@@ -40,7 +40,7 @@ For Example: For more information on creating and using a JOINTOKEN to automatically assign computers to computer groups in PPC please see this video KB: -[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../video/cloud/jointoken.md) +[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) **NOTE:** For Persistent VMs skip steps 4-7 below. @@ -57,13 +57,13 @@ fileby adding the following commands to the script. When done, save the file. **NOTE:** To see details on PPCloud.exe switches run "`PPCloud /?`" from CMD. -![332_2_image-20210529214259-2_950x215](../../../../static/img/product_docs/policypak/policypak/integration/332_2_image-20210529214259-2_950x215.webp) +![332_2_image-20210529214259-2_950x215](/img/product_docs/policypak/policypak/integration/332_2_image-20210529214259-2_950x215.webp) **Step 6 –** Run `GPEDIT.MSC` and add an entry under **Computer Configuration** > **Windows Settings** > **Scripts (Startup/Shutdown)**. Select the `shutdown.ps1` file for the PowerShell Shutdown script, then click **OK** to save the settings. -![332_3_image-20210529214259-3](../../../../static/img/product_docs/policypak/policypak/integration/332_3_image-20210529214259-3.webp) +![332_3_image-20210529214259-3](/img/product_docs/policypak/policypak/integration/332_3_image-20210529214259-3.webp) **Step 7 –** If you like you can reboot the Master Desktop image machine at this point and log in as a regular user account to verify that everything works, that is,the computer is unregistered at 
@@ -91,7 +91,7 @@ following page under the **Downloads** section, by clicking on the Download other versions link at the bottom of the page. -![332_4_image-20210529214259-4](../../../../static/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) +![332_4_image-20210529214259-4](/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) **Step 3 –** On the Master Desktop Image, while logged in as a local administrator, install the Endpoint Policy Manager Cloud Client MSI that you saved under `C:\PPC Client`, by using MSIEXEC and @@ -103,13 +103,13 @@ For Example: For more information on creating and using a JOINTOKEN to automatically assign computers to computer groups in PPC please see this video: -[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../video/cloud/jointoken.md) +[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) OPTIONAL: Run `PPCloud /sync` from a command prompt to verify that you see the correct groups assigned. In my example I am using a JOINTOKEN for a computer group called Testing so I see the following when I run `PPCloud /sync`. -![332_5_image-20210529214259-5](../../../../static/img/product_docs/policypak/policypak/integration/332_5_image-20210529214259-5.webp) +![332_5_image-20210529214259-5](/img/product_docs/policypak/policypak/integration/332_5_image-20210529214259-5.webp) **NOTE:** All Computers in PPC will be members of the **All** group in addition to any other groups they are added to. 
@@ -123,7 +123,7 @@ environment before saving and closing the file. `msiexec /i "C:\PPC Client\PolicyPak Cloud Client for [Customer name] x64.msi" JOINTOKEN="AZAEllLPLTY9XKUA3CYO+ths=" /qn` -![332_6_image-20210529214259-6_950x107](../../../../static/img/product_docs/policypak/policypak/integration/332_6_image-20210529214259-6_950x107.webp) +![332_6_image-20210529214259-6_950x107](/img/product_docs/policypak/policypak/integration/332_6_image-20210529214259-6_950x107.webp) **Step 6 –** Edit the` shutdown.bat` file adding the command line below, remembering to substitute the MSI name in the example below with the corresponding value needed for your environment before 
@@ -131,15 +131,15 @@ saving and closing the file. `msiexec /x "C:\PPC Client\PolicyPak Cloud Client for [Customer name] x64.msi" ` -![332_7_image-20210529214259-7](../../../../static/img/product_docs/policypak/policypak/integration/332_7_image-20210529214259-7.webp) +![332_7_image-20210529214259-7](/img/product_docs/policypak/policypak/integration/332_7_image-20210529214259-7.webp) **Step 7 –** Run `GPEDIT.MSC`  and add an entry under **Computer Configuration** > **Windows Settings** > **Scripts (Startup/Shutdown)**. Select the `startup.bat` file for Startup script and select the `shutdown.bat` for the Shutdown script, then click **OK** to save the settings. -![332_8_image-20210529214259-8](../../../../static/img/product_docs/policypak/policypak/integration/332_8_image-20210529214259-8.webp) +![332_8_image-20210529214259-8](/img/product_docs/policypak/policypak/integration/332_8_image-20210529214259-8.webp) -![332_9_image-20210529214259-9](../../../../static/img/product_docs/policypak/policypak/integration/332_9_image-20210529214259-9.webp) +![332_9_image-20210529214259-9](/img/product_docs/policypak/policypak/integration/332_9_image-20210529214259-9.webp) **Step 8 –** At this point the Master Desktop image should already be registered in the PPC Portal. As a best practice, launch the PPC portal to verify that the machine is listed under the correct 
@@ -177,7 +177,7 @@ Could not sync with the cloud.  A network error occurred during sending RegisterComputer to https://cloudsvc.policypak.com/Services/Registration: Keyset does not exist ``` -![332_10_image-20210529214259-11](../../../../static/img/product_docs/policypak/policypak/integration/332_10_image-20210529214259-11.webp) +![332_10_image-20210529214259-11](/img/product_docs/policypak/policypak/integration/332_10_image-20210529214259-11.webp) If you receive a blank screen at login on the Master image machine or VDI, you can try logging out and back in, or you can try the following to see if it resolves the issue. @@ -185,4 +185,4 @@ and back in, or you can try the following to see if it resolves the issue. Using `GPEDIT.MSC`, verify that the following setting **Run startup scripts asynchronously** is enabled under **Local Computer Policy** > **Administrative Templates** > **System**. -![332_11_image-20210529214259-10](../../../../static/img/product_docs/policypak/policypak/integration/332_11_image-20210529214259-10.webp) +![332_11_image-20210529214259-10](/img/product_docs/policypak/policypak/integration/332_11_image-20210529214259-10.webp) diff --git a/docs/policypak/policypak/integration/createpolicies.md b/docs/policypak/policypak/integration/createpolicies.md index 52551d2128..d5983c2f67 100644 --- a/docs/policypak/policypak/integration/createpolicies.md +++ b/docs/policypak/policypak/integration/createpolicies.md 
@@ -12,23 +12,23 @@ First, you need to configure the Endpoint Policy Manager CSE using Global Netwri Configuration Policy and have it affect endpoints. This is the switch which turns on Privilege Secure on the Endpoints when the Endpoint Policy Manager CSE is installed. -![965_1_image-20230627091218-5_950x515](../../../../static/img/product_docs/policypak/policypak/integration/965_1_image-20230627091218-5_950x515.webp) +![965_1_image-20230627091218-5_950x515](/img/product_docs/policypak/policypak/integration/965_1_image-20230627091218-5_950x515.webp) When that is done you can create policies which affect endpoints such as Executable, Windows Installer, etc. and have them work unlicensed. Rememberthat this only works when used in conjunction with Netwrix Privilege Secure. For example, an Executable policy may be started like this: -![965_2_image-20230627091218-6_950x566](../../../../static/img/product_docs/policypak/policypak/integration/965_2_image-20230627091218-6_950x566.webp) +![965_2_image-20230627091218-6_950x566](/img/product_docs/policypak/policypak/integration/965_2_image-20230627091218-6_950x566.webp) But one of the first screens you will encounter is this. Here you must select **Use with Netwrix Privilege Secure**as shown below. -![965_3_image-20230627091218-7_950x672](../../../../static/img/product_docs/policypak/policypak/integration/965_3_image-20230627091218-7_950x672.webp) +![965_3_image-20230627091218-7_950x672](/img/product_docs/policypak/policypak/integration/965_3_image-20230627091218-7_950x672.webp) The remaining screens will work unlicensed, because the policy is conjoined with Netwrix Privilege Secure. 
-![965_4_image-20230627091218-8_950x910](../../../../static/img/product_docs/policypak/policypak/integration/965_4_image-20230627091218-8_950x910.webp) +![965_4_image-20230627091218-8_950x910](/img/product_docs/policypak/policypak/integration/965_4_image-20230627091218-8_950x910.webp) However, if you attempt to create Endpoint Policy Manager Least Privilege Manager policies without conjoining them with Netwrix Privilege Secure, the policy will be saved and delivered. But the @@ -41,4 +41,4 @@ Manager CSE is unlicensed. Those which do not have this listed means that the po when the Endpoint Policy Manager CSE is licensed for Endpoint Policy Manager Least Privilege Manager. -![965_5_image-20230627091218-9_950x211](../../../../static/img/product_docs/policypak/policypak/integration/965_5_image-20230627091218-9_950x211.webp) +![965_5_image-20230627091218-9_950x211](/img/product_docs/policypak/policypak/integration/965_5_image-20230627091218-9_950x211.webp) diff --git a/docs/policypak/policypak/integration/privilegesecure/credentialbased/releaseresults.md b/docs/policypak/policypak/integration/privilegesecure/credentialbased/releaseresults.md index cb7a28407c..e78c596845 100644 --- a/docs/policypak/policypak/integration/privilegesecure/credentialbased/releaseresults.md +++ b/docs/policypak/policypak/integration/privilegesecure/credentialbased/releaseresults.md 
@@ -3,15 +3,15 @@ To see the action, right-click on the application and choose **Run with Netwrix Privilege Secure** (or double-click it if the **Apply on demand** option was unchecked. -![credential_release_results](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results.webp) +![credential_release_results](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results.webp) You’ll launch the process as `EastSalesUser1`, and give your Active Directory credentials, Two-Factor (brokered by Netwrix Privilege Secure) and wait for the Activity Session to be created. -![credential_release_results_1](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results_1.webp) +![credential_release_results_1](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results_1.webp) The result is that NotepadP is launched as `EastSalesAdmin9`. Because Netwrix Privilege Secure is brokering the operation and the Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager client is changing the context to that user. -![credential_release_results_2](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results_2.webp) +![credential_release_results_2](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/credential_release_results_2.webp) diff --git a/docs/policypak/policypak/integration/privilegesecure/credentialbased/setuppolicy.md b/docs/policypak/policypak/integration/privilegesecure/credentialbased/setuppolicy.md index 3aad16ed6f..689918c4df 100644 --- a/docs/policypak/policypak/integration/privilegesecure/credentialbased/setuppolicy.md +++ b/docs/policypak/policypak/integration/privilegesecure/credentialbased/setuppolicy.md 
@@ -2,7 +2,7 @@ After **Selecting Credential Based Policy**, fill in **Domain** and **User Name**. -![setting_up_the_policypak_policy](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy.webp) +![setting_up_the_policypak_policy](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy.webp) - Domain – Enter the name of the domain of the Netwrix Privilege Secure managed user to perform the activity. @@ -12,7 +12,7 @@ After **Selecting Credential Based Policy**, fill in **Domain** and **User Name* At the end of the policy you have some settings for **Action** and **Options**. -![setting_up_the_policypak_policy_1](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy_1.webp) +![setting_up_the_policypak_policy_1](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy_1.webp) In **Action**, you can select **Run with elevated privileges** or simply Allow and log if you just want it brokered. @@ -25,4 +25,4 @@ issued via **Enable video recording (Netwrix Privilege Secure)**. Back on the Netwrix Privilege Secure server, you need to make sure there is a matching **Credential Based** policy. -![setting_up_the_policypak_policy_2](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy_2.webp) +![setting_up_the_policypak_policy_2](/img/product_docs/policypak/policypak/integration/privilegesecure/credentialbased/setting_up_the_policypak_policy_2.webp) diff --git a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/client.md b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/client.md index 02403cdd5b..4e0cfce617 100644 
--- a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/client.md +++ b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/client.md @@ -10,7 +10,7 @@ either within the Netwrix Privilege Secure download, or the Netwrix Endpoint Pol (formerly PolicyPak) CSE found in the Netwrix Endpoint Policy Manager (formerly PolicyPak) download. **NOTE:** See the -[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](../../../video/leastprivilege/integration/privilegesecure.md)video +[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecure.md)video for a demo on the relationship of the Netwrix Privilege Secure and Netwrix Endpoint Policy Manager (formerly PolicyPak) downloads and their moving parts. @@ -33,7 +33,7 @@ install any specific endpoint license. You can see the difference in the list view as seen here. -![getting_started_client](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_client.webp) +![getting_started_client](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_client.webp) In the next section we will see how to create Netwrix Endpoint Policy Manager (formerly PolicyPak) + Netwrix Privilege Secure policies which will not need an endpoint license to work out of the box. diff --git a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/gui.md b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/gui.md index fa9d39e29b..11bef5745d 100644 --- a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/gui.md +++ b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/gui.md 
@@ -12,7 +12,7 @@ download and proceed onward. In the Netwrix Privilege Secure download you will find NPS for Endpoint Group Policy Snap-in x64 and x86 installers. -![getting_started_gui](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/972_1_image.webp) +![getting_started_gui](/img/product_docs/policypak/policypak/integration/privilegesecure/972_1_image.webp) This MSI is meant to increase what is possible with a Group Policy editor and let you create NPS Endpoint rules (aka Endpoint Policy Manager Least Privilege Manager) rules. 
@@ -22,24 +22,24 @@ Editor and/or Group Policy Management Console, you will see the Netwrix Privileg Endpoint Policy Manager Least Privilege Manager within it. All GPOs have the same look and feel and editing ability. -![getting_started_gui_1](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_1.webp) +![getting_started_gui_1](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_1.webp) If you want to upgrade to Endpoint Policy Manager and see both Netwrix Privilege Secure and all the other Endpoint Policy Manager nodes, you need to install the Endpoint Policy Manager Admin Console. This can be installed on top of the Netwrix Privilege Secure Admin Console, or, installed directly. -![getting_started_gui_2](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_2.webp) +![getting_started_gui_2](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_2.webp) The result can be seen here with Netwrix Privilege Secure / Least Privilege Manager and all the Endpoint Policy Manager nodes. -![getting_started_gui_3](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_3.webp) +![getting_started_gui_3](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_gui_3.webp) In other words, the Endpoint Policy Manager Admin Console MSI is a superset of the Netwrix Privilege Secure Console MSI. 
**NOTE:** See the -[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](../../../video/leastprivilege/integration/privilegesecure.md) +[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecure.md) video for a demo on the relationship between the Netwrix Privilege Secure and Endpoint Policy Manager downloads and moving parts. diff --git a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/together.md b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/together.md index 7ed677e98a..86551a2b1a 100644 --- a/docs/policypak/policypak/integration/privilegesecure/gettingstarted/together.md +++ b/docs/policypak/policypak/integration/privilegesecure/gettingstarted/together.md @@ -1,7 +1,7 @@ # Getting Started: Netwrix Privilege Secure + Endpoint Policy Manager **NOTE:** See the -[Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](../../../video/leastprivilege/integration/privilegesecureclient.md) +[Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecureclient.md) video for an overview of Netwrix Privilege Secure + Endpoint Policy Manager better together. The first policy type to enable theNetwrix Privilege Secure server and Endpoint Policy Manager 
@@ -22,7 +22,7 @@ for additional information on which port is used. 6500 is the default port. Other settings in the Global Netwrix Privilege Secure pane are optional and self explanatory. -![getting_started_netwrix_privilege](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_netwrix_privilege.webp) +![getting_started_netwrix_privilege](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_netwrix_privilege.webp) Next, you’ll create a Endpoint Policy Manager rule like you did earlier to perform an operation. @@ -38,4 +38,4 @@ On the **Least Privilege Manager – Configure Netwrix Privilege Secure Access P check the checkbox and configure the setting for **Resource Based Policy** or **Credential Based Policy**. -![getting_started_netwrix_privilege_1](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_netwrix_privilege_1.webp) +![getting_started_netwrix_privilege_1](/img/product_docs/policypak/policypak/integration/privilegesecure/gettingstarted/getting_started_netwrix_privilege_1.webp) diff --git a/docs/policypak/policypak/integration/privilegesecure/mmc.md b/docs/policypak/policypak/integration/privilegesecure/mmc.md index f3a35d9850..ada374079a 100644 --- a/docs/policypak/policypak/integration/privilegesecure/mmc.md +++ b/docs/policypak/policypak/integration/privilegesecure/mmc.md 
@@ -3,7 +3,7 @@ In the Netwrix Privilege Secure download you will find NPS for Endpoint Group Policy Snap-in x64 and x86 installers. -![972_1_image](../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/972_1_image.webp) +![972_1_image](/img/product_docs/policypak/policypak/integration/privilegesecure/972_1_image.webp) This MSI is meant to increase what is possible with a Group Policy editor and let you create NPS Endpoint rules (aka Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager) 
@@ -13,18 +13,18 @@ When you install the NPS Endpoint Group Policy Snap-In on a machine (which has t Editor and/or Group Policy Management Console) you will see the Netwrix Privilege Secure node and Least Privilege Manager within it. All GPOs l have the same look and feel and editing ability. -![972_2_image-20230627090846-2_950x515](../../../../../static/img/product_docs/policypak/policypak/integration/965_1_image-20230627091218-5_950x515.webp) +![972_2_image-20230627090846-2_950x515](/img/product_docs/policypak/policypak/integration/965_1_image-20230627091218-5_950x515.webp) If you want to upgrade to Endpoint Policy Manager and see both Netwrix Privilege Secure and all the other Endpoint Policy Manager nodes, you need to install the Endpoint Policy Manager Admin Console. This can be installed on top of the Privilege Secure Admin Console, or installed directly. -![972_3_image-20230627090846-3_950x70](../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/972_3_image-20230627090846-3_950x70.webp) +![972_3_image-20230627090846-3_950x70](/img/product_docs/policypak/policypak/integration/privilegesecure/972_3_image-20230627090846-3_950x70.webp) The result can be seen here with Netwrix Privilege Secure / Least Privilege Manager and all the Endpoint Policy Manager nodes. -![972_4_image-20230627090846-4_950x534](../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/972_4_image-20230627090846-4_950x534.webp) +![972_4_image-20230627090846-4_950x534](/img/product_docs/policypak/policypak/integration/privilegesecure/972_4_image-20230627090846-4_950x534.webp) The Endpoint Policy Manager Admin Console MSI is a superset of the Privilege Secure Console MSI. diff --git a/docs/policypak/policypak/integration/privilegesecure/overview.md b/docs/policypak/policypak/integration/privilegesecure/overview.md index 0e09347803..183f641860 100644 --- a/docs/policypak/policypak/integration/privilegesecure/overview.md 
+++ b/docs/policypak/policypak/integration/privilegesecure/overview.md @@ -22,7 +22,7 @@ along but, if you are using Netwrix Privilege Secure and want to try out the pow Policy Manager, that is included in your Netwrix Privilege Secure license. **NOTE:** See the -[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](../../video/leastprivilege/integration/privilegesecure.md)video +[Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecure.md)video for a demo on the relationship of the Netwrix Privilege Secure and Endpoint Policy Manager downloads and moving parts. diff --git a/docs/policypak/policypak/integration/privilegesecure/resourcebased/closingbrokeredprocesses.md b/docs/policypak/policypak/integration/privilegesecure/resourcebased/closingbrokeredprocesses.md index f8251b362b..2e1cefd8ee 100644 --- a/docs/policypak/policypak/integration/privilegesecure/resourcebased/closingbrokeredprocesses.md +++ b/docs/policypak/policypak/integration/privilegesecure/resourcebased/closingbrokeredprocesses.md @@ -2,7 +2,7 @@ When the activity / process is terminated, you get the following message. -![closing_brokered_processes](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/closing_brokered_processes.webp) +![closing_brokered_processes](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/closing_brokered_processes.webp) Additionally, if the **Enable Video Recording (Netwrix Privilege Secure**) option was checked, a video session recording is sent to the server for processing. diff --git a/docs/policypak/policypak/integration/privilegesecure/resourcebased/policymatch.md b/docs/policypak/policypak/integration/privilegesecure/resourcebased/policymatch.md index 3cfe5f6fe9..b3c85f60c5 100644 
--- a/docs/policypak/policypak/integration/privilegesecure/resourcebased/policymatch.md +++ b/docs/policypak/policypak/integration/privilegesecure/resourcebased/policymatch.md @@ -9,12 +9,12 @@ admin. Resource Based Policy Matches tie back to a specific Netwrix Privilege Secure Activity Name. -![resource_based_policy_match](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match.webp) +![resource_based_policy_match](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match.webp) Here on the Netwrix Privilege Secure server, locate the Policy and verify that the name is an exact match. -![resource_based_policy_match_1](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_1.webp) +![resource_based_policy_match_1](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_1.webp) Then, to match a specific process configure the Endpoint Policy Manager Least Privilege Manager policy as a Combo rule: @@ -22,7 +22,7 @@ policy as a Combo rule: - Path condition: %SYSTEMROOT%\System32\mmc.exe - Command-line condition: Strict Equality for dsa.msc -![resource_based_policy_match_2](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_2.webp) +![resource_based_policy_match_2](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_2.webp) Now whenever mmc.exe dsa.msc is run from the command line, Endpoint Policy Manager Least Privilege Manager will send the connection back to Netwrix Privilege Secure for processing. 
@@ -30,8 +30,8 @@ Manager will send the connection back to Netwrix Privilege Secure for processing You’ll run the command as `EastSalesUser1`, and give your Active Directory credentials, Two-Factor (brokered by Netwrix Privilege Secure), and wait for the Activity Session to be created. -![resource_based_policy_match_3](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_3.webp) +![resource_based_policy_match_3](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_3.webp) The result is that a new Domain Admin account is created for this one session and deleted after use. -![resource_based_policy_match_4](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_4.webp) +![resource_based_policy_match_4](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/resource_based_policy_match_4.webp) diff --git a/docs/policypak/policypak/integration/privilegesecure/resourcebased/storedvideos.md b/docs/policypak/policypak/integration/privilegesecure/resourcebased/storedvideos.md index d0c762c152..738dc83b45 100644 --- a/docs/policypak/policypak/integration/privilegesecure/resourcebased/storedvideos.md +++ b/docs/policypak/policypak/integration/privilegesecure/resourcebased/storedvideos.md @@ -6,4 +6,4 @@ Secure server, can you review your videos. Back at the Netwrix Privilege Secure server, your videos are found in the **Dashboard** > **Historical videos** section. -![watching_stored_videos](../../../../../../static/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/watching_stored_videos.webp) +![watching_stored_videos](/img/product_docs/policypak/policypak/integration/privilegesecure/resourcebased/watching_stored_videos.webp) 
diff --git a/docs/policypak/policypak/integration/servicenow.md b/docs/policypak/policypak/integration/servicenow.md index 2b9597d0c2..2aee5bb61d 100644 --- a/docs/policypak/policypak/integration/servicenow.md +++ b/docs/policypak/policypak/integration/servicenow.md @@ -1,7 +1,7 @@ # How can I integrate Endpoint Privilege Manager and Servicenow (or any other help desk) via email? Please consider watching this video before continuing: -[Using Email / Long Codes](../video/leastprivilege/longcodes.md) +[Using Email / Long Codes](/docs/policypak/policypak/video/leastprivilege/longcodes.md) Netwrix Endpoint Policy Manager (formerly PolicyPak) doesn't have an API integration with Servicenow, but you can make a nice workflow with Endpoint Policy Manager Least Privilege Manager 
@@ -10,20 +10,20 @@ and ServiceNow or whatever help desk system you are using. Basically, you configure Endpoint Policy Manager Least Privilege Manager's Email Admin Approval method to go to your inbox of Servicenow. -![915_1_image002_950x567](../../../../static/img/product_docs/policypak/policypak/integration/915_1_image002_950x567.webp) +![915_1_image002_950x567](/img/product_docs/policypak/policypak/integration/915_1_image002_950x567.webp) Then have someone on your Service desk use the Admin Approval tool to generate the response. Click @ in the tool to automatically create the email. The only thing that needs to be entered in is the TO: field. -![915_2_image003_950x509](../../../../static/img/product_docs/policypak/policypak/integration/915_2_image003_950x509.webp) +![915_2_image003_950x509](/img/product_docs/policypak/policypak/integration/915_2_image003_950x509.webp) Additionally, if you want to give your end-users tips on what to do, you can add URL links which appear like this to the end user. -![915_3_image004_950x614](../../../../static/img/product_docs/policypak/policypak/integration/915_3_image004_950x614.webp) +![915_3_image004_950x614](/img/product_docs/policypak/policypak/integration/915_3_image004_950x614.webp) Setting this up is as easy as specifying a URL for them to click upon in the Custom message location in the Admin Approval policy. -![915_4_image005_950x582](../../../../static/img/product_docs/policypak/policypak/integration/915_4_image005_950x582.webp) +![915_4_image005_950x582](/img/product_docs/policypak/policypak/integration/915_4_image005_950x582.webp) diff --git a/docs/policypak/policypak/integration/vdisolutions.md b/docs/policypak/policypak/integration/vdisolutions.md index 796712fe88..e4897f4275 100644 --- a/docs/policypak/policypak/integration/vdisolutions.md +++ b/docs/policypak/policypak/integration/vdisolutions.md 
@@ -21,9 +21,9 @@ Portal on the following page under the Downloads section, by clicking on the **Download other versions** link at the bottom of the page. -![555_1_image-20200603123515-1](../../../../static/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) +![555_1_image-20200603123515-1](/img/product_docs/policypak/policypak/integration/555_1_image-20200603123515-1.webp) -![555_3_image-20200603094325-1_1231x309](../../../../static/img/product_docs/policypak/policypak/integration/555_3_image-20200603094325-1_1231x309.webp) +![555_3_image-20200603094325-1_1231x309](/img/product_docs/policypak/policypak/integration/555_3_image-20200603094325-1_1231x309.webp) **Step 4 –** On the Gold Image VM, while logged in as a local administrator, install the Endpoint Policy Manager Cloud Client MSI that you copied under "`C:\PPC Client`", (double-click MSI to @@ -37,7 +37,7 @@ groups, you should install the PPC Client using the command line instead, for ex The JOINTOKEN value is specific to each environment, the value used above is provided as an example only. For more information on using JOINTOKEN to automatically assign computers to computer groups in PPC please see this video: -[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](../video/cloud/jointoken.md) +[Endpoint Policy Manager Cloud: Automatically Join Groups with JOINTOKEN](/docs/policypak/policypak/video/cloud/jointoken.md) **Step 5 –** Next, create an empty text file named `logoff.bat` under the same folder where we saved the PPC Client MSI earlier (`C:\PPC Client`). Edit `logoff.bat` using notepad and add the line 
@@ -61,7 +61,7 @@ PPCloud /sysprep user logging off is not an Administrator of the computer. If you need help with creating this LPM policy please contact support. -![555_4_image-20230130144125-1](../../../../static/img/product_docs/policypak/policypak/integration/555_4_image-20230130144125-1.webp) +![555_4_image-20230130144125-1](/img/product_docs/policypak/policypak/integration/555_4_image-20230130144125-1.webp) The **ppcloud /sysprep** switch was intended to be used on the golden image. It can be used only after the PPCloud Client is installed. There's no need to use the full path, and you can run 
@@ -77,23 +77,23 @@ not. **Scripts (Logon/Logoff)** under **Logoff** that points to the `logoff.bat` file you previously created, then click **OK** to save the settings. -![555_5_image-20200603123515-3](../../../../static/img/product_docs/policypak/policypak/integration/555_5_image-20200603123515-3.webp) +![555_5_image-20200603123515-3](/img/product_docs/policypak/policypak/integration/555_5_image-20200603123515-3.webp) **Step 7 –** Shutdown the Gold Image VM. **Step 8 –** Take a snapshot to be used for new VDIs, then import your updated Gold Image into your VDI solution (update the Desktop Pool settings to use the new snapshot etc.). -![555_7_image-20200603123515-4](../../../../static/img/product_docs/policypak/policypak/integration/555_7_image-20200603123515-4.webp) +![555_7_image-20200603123515-4](/img/product_docs/policypak/policypak/integration/555_7_image-20200603123515-4.webp) -![555_9_image-20200603123515-5](../../../../static/img/product_docs/policypak/policypak/integration/555_9_image-20200603123515-5.webp) +![555_9_image-20200603123515-5](/img/product_docs/policypak/policypak/integration/555_9_image-20200603123515-5.webp) **Step 9 –** Deploy two VDIs, then check in your PPC portal to ensure the newly created VDIs are registered successfully and have different Unique IDs. The VDIs by default will show up in the **All** computer group. Take note of the Unique IDs for these VDIs (screenshot etc.). You can use the **Columns** button to change which columns are visible so you can see the **Unique ID** column. -![555_11_image-20200603123515-6](../../../../static/img/product_docs/policypak/policypak/integration/555_11_image-20200603123515-6.webp) +![555_11_image-20200603123515-6](/img/product_docs/policypak/policypak/integration/555_11_image-20200603123515-6.webp) **Step 10 –** Log into both VDIs using the VMware Horizon Client, wait for the OS to load completely, then logoff or shutdown both VDIs. Within the PPC portal you should see the two machines 
@@ -106,4 +106,4 @@ to see if both of the VDIs received new Unique IDs. If they did, then the proces process failed. Revisit the steps above to see if anything was missed. If after verifying all steps you find that this process still did not work for you please contact support for further assistance. -![555_13_image-20200603123515-7_950x260](../../../../static/img/product_docs/policypak/policypak/integration/555_13_image-20200603123515-7_950x260.webp) +![555_13_image-20200603123515-7_950x260](/img/product_docs/policypak/policypak/integration/555_13_image-20200603123515-7_950x260.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/applypreferences.md b/docs/policypak/policypak/itemleveltargeting/applypreferences.md index b5378bc345..aa4af4f3cf 100644 --- a/docs/policypak/policypak/itemleveltargeting/applypreferences.md +++ b/docs/policypak/policypak/itemleveltargeting/applypreferences.md @@ -6,7 +6,7 @@ Group Policy Preferences or Netwrix Endpoint Policy Manager (formerly PolicyPak) For example, you may wish to **Prevent access to the command prompt** for all standard users, as in the example below, and you want to use Item Level Targeting (ITM) to do it. -![139_1_overall-faq-01-img-01](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_1_overall-faq-01-img-01.webp) +![139_1_overall-faq-01-img-01](/img/product_docs/policypak/policypak/itemleveltargeting/139_1_overall-faq-01-img-01.webp) **NOTE:** Item Level Targeting is a Microsoft technology provided as part of the their Group Policy Preferences CSE for Group Policy.See 
@@ -33,9 +33,9 @@ Here are some facts to help you understand the challenges: This is the combination that appears to work: -![139_2_overall-faq-01-img-03](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_2_overall-faq-01-img-03.webp) +![139_2_overall-faq-01-img-03](/img/product_docs/policypak/policypak/itemleveltargeting/139_2_overall-faq-01-img-03.webp) -![139_3_overall-faq-01-img-03](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_2_overall-faq-01-img-03.webp) +![139_3_overall-faq-01-img-03](/img/product_docs/policypak/policypak/itemleveltargeting/139_2_overall-faq-01-img-03.webp) There are three important things to note from the examples above. @@ -53,8 +53,8 @@ DC. This is the sequence after clicking the three dots: -![139_4_overall-faq-01-img-04](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_4_overall-faq-01-img-04.webp) +![139_4_overall-faq-01-img-04](/img/product_docs/policypak/policypak/itemleveltargeting/139_4_overall-faq-01-img-04.webp) -![139_5_overall-faq-01-img-05](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_5_overall-faq-01-img-05.webp) +![139_5_overall-faq-01-img-05](/img/product_docs/policypak/policypak/itemleveltargeting/139_5_overall-faq-01-img-05.webp) -![139_6_overall-faq-01-img-06](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/139_6_overall-faq-01-img-06.webp) +![139_6_overall-faq-01-img-06](/img/product_docs/policypak/policypak/itemleveltargeting/139_6_overall-faq-01-img-06.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/entraidgroups.md b/docs/policypak/policypak/itemleveltargeting/entraidgroups.md index 1b99784422..f5715d4486 100644 --- a/docs/policypak/policypak/itemleveltargeting/entraidgroups.md +++ b/docs/policypak/policypak/itemleveltargeting/entraidgroups.md 
@@ -4,7 +4,7 @@ You cannot do this directly. However, we have a set of unsupported scripts which this. We have videos for each scenario, which can be found here: Getting Started with MDM > -[Video Learning Center](../mdm/overview/videolearningcenter.md) We recommend you watch all three +[Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) We recommend you watch all three videos 1. Using Netwrix Endpoint Policy Manager (formerly PolicyPak) Scripts to determine Azure AD Group diff --git a/docs/policypak/policypak/itemleveltargeting/entraidsids.md b/docs/policypak/policypak/itemleveltargeting/entraidsids.md index e4aba844a0..9e5e397f30 100644 --- a/docs/policypak/policypak/itemleveltargeting/entraidsids.md +++ b/docs/policypak/policypak/itemleveltargeting/entraidsids.md @@ -18,12 +18,12 @@ SID you can: AAD User: [EastSalesUser1@Fabrikam1000.com](mailto:EastSalesUser1@Fabrikam1000.com) - ![1_1_image](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_1_image.webp) + ![1_1_image](/img/product_docs/policypak/policypak/itemleveltargeting/1_1_image.webp) 2. Have the Azure user run "WHOAMI /User" from a CMD prompt once logged in to the computer, then copy the SID text and send itto you. - ![1_2_image](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_2_image.webp) + ![1_2_image](/img/product_docs/policypak/policypak/itemleveltargeting/1_2_image.webp) 3. Use PowerShell to connect to Azure, then use a function to convert Object IDs to SIDs: 
@@ -47,27 +47,27 @@ SID you can: **Step 2 –** Once you have the SID, you should be all set. Edit your Netwrix Endpoint Policy Manager (formerly PolicyPak) Policy rule and enable Item Level Targeting, then click **Edit…**. -![1_3_image-20200129215924-2](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_3_image-20200129215924-2.webp) +![1_3_image-20200129215924-2](/img/product_docs/policypak/policypak/itemleveltargeting/1_3_image-20200129215924-2.webp) **Step 3 –** Expand the drop-down list under New Item ,select **User** then put in any onprem user and select **Match by SID**, then save the policy. -![1_5_image-20200129215924-3](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_5_image-20200129215924-3.webp) +![1_5_image-20200129215924-3](/img/product_docs/policypak/policypak/itemleveltargeting/1_5_image-20200129215924-3.webp) **Step 4 –** Right click the policy and then export it as XML. -![1_7_image-20200129215924-4](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_7_image-20200129215924-4.webp) +![1_7_image-20200129215924-4](/img/product_docs/policypak/policypak/itemleveltargeting/1_7_image-20200129215924-4.webp) **Step 5 –** Open the XML in notepad, notepad++, etc. Then carefully replace the SID in the XML with what you got in step 1 (optionally replace name as well). Before: -![1_9_image-20200129215924-5](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_9_image-20200129215924-5.webp) +![1_9_image-20200129215924-5](/img/product_docs/policypak/policypak/itemleveltargeting/1_9_image-20200129215924-5.webp) After: -![1_11_image-20200129215924-6](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_11_image-20200129215924-6.webp) +![1_11_image-20200129215924-6](/img/product_docs/policypak/policypak/itemleveltargeting/1_11_image-20200129215924-6.webp) **Step 6 –** Now save the edited XML with a descriptive name. 
The new XML file can now be used normally l within Endpoint Policy Manager for the module the policy was created for. In the example @@ -77,7 +77,7 @@ MDM, or the GPO version of Endpoint Policy Manager. After importing the new XML into Endpoint Policy Manager the ILT will show the correct values for the Azure account. -![1_13_image-20200129215924-7](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_13_image-20200129215924-7.webp) +![1_13_image-20200129215924-7](/img/product_docs/policypak/policypak/itemleveltargeting/1_13_image-20200129215924-7.webp) **NOTE:** Azure Groups don't have SID translations at all, so you would need to add multiple user SIDS if you want multiple people to be able to do the activity. 
@@ -87,15 +87,15 @@ Other Considerations: For MDM, when using an XML created this way in the Exporter Tool, you must change the Install For option to **Computer**. -![1_15_image-20200129215924-8](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_15_image-20200129215924-8.webp) +![1_15_image-20200129215924-8](/img/product_docs/policypak/policypak/itemleveltargeting/1_15_image-20200129215924-8.webp) -![1_17_image-20200129215924-9](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_17_image-20200129215924-9.webp) +![1_17_image-20200129215924-9](/img/product_docs/policypak/policypak/itemleveltargeting/1_17_image-20200129215924-9.webp) Once the policy is applied you can launch the application, run task manager, and add the Elevated column to verify that the policy applied. -![1_19_image-20200129215924-10](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_19_image-20200129215924-10.webp) +![1_19_image-20200129215924-10](/img/product_docs/policypak/policypak/itemleveltargeting/1_19_image-20200129215924-10.webp) Alternatively, check the Endpoint Policy Manager event log: -![1_21_image-20200129215924-11](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/1_21_image-20200129215924-11.webp) +![1_21_image-20200129215924-11](/img/product_docs/policypak/policypak/itemleveltargeting/1_21_image-20200129215924-11.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/securitygroup.md b/docs/policypak/policypak/itemleveltargeting/securitygroup.md index e755bd0085..20b40478be 100644 --- a/docs/policypak/policypak/itemleveltargeting/securitygroup.md +++ b/docs/policypak/policypak/itemleveltargeting/securitygroup.md 
@@ -3,4 +3,4 @@ The Security Group Item Level Targeting (ILT) option is Direct by default, when Primary Group is unchecked, but Recursive when it is checked. -![561_1_overall-faq-s1p5](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/561_1_overall-faq-s1p5.webp) +![561_1_overall-faq-s1p5](/img/product_docs/policypak/policypak/itemleveltargeting/561_1_overall-faq-s1p5.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/virtualdesktops.md b/docs/policypak/policypak/itemleveltargeting/virtualdesktops.md index e09daeb745..0e56901975 100644 --- a/docs/policypak/policypak/itemleveltargeting/virtualdesktops.md +++ b/docs/policypak/policypak/itemleveltargeting/virtualdesktops.md @@ -1,6 +1,6 @@ # How can I use Item Level Targeting to specify Windows Virtual Desktops (WVD) Multi-session Windows? -![642_1_1](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/642_1_1.webp) +![642_1_1](/img/product_docs/policypak/policypak/itemleveltargeting/642_1_1.webp) The query you want is: @@ -10,7 +10,7 @@ The query you want is: The result will look like this: -![642_2_2](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/642_2_2.webp) +![642_2_2](/img/product_docs/policypak/policypak/itemleveltargeting/642_2_2.webp) **NOTE:** For other unusual SKUs and information on how to get the ID, see the Microsoft article on [OperatingSystemSKU Enum.](https://learn.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.operatingsystemsku?view=powershellsdk-1.1.0) diff --git a/docs/policypak/policypak/itemleveltargeting/windows11.md b/docs/policypak/policypak/itemleveltargeting/windows11.md index a1f3a3522f..5b4489a836 100644 --- a/docs/policypak/policypak/itemleveltargeting/windows11.md +++ b/docs/policypak/policypak/itemleveltargeting/windows11.md 
@@ -8,7 +8,7 @@ selecting Windows 10. - WMI Query, or - Registry match. -![14_1_faq-4-rev-1-img-1](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_1_faq-4-rev-1-img-1.webp) +![14_1_faq-4-rev-1-img-1](/img/product_docs/policypak/policypak/itemleveltargeting/14_1_faq-4-rev-1-img-1.webp) **Step 3 –** If you choose WMI Query to detect the build number, enter the following in the Query field: @@ -19,7 +19,7 @@ SELECT * FROM Win32_OperatingSystem WHERE BuildNumber = "15063" This would select Windows 1703, which is that build number. -![14_2_faq-4-rev-1-img-2](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_2_faq-4-rev-1-img-2.webp) +![14_2_faq-4-rev-1-img-2](/img/product_docs/policypak/policypak/itemleveltargeting/14_2_faq-4-rev-1-img-2.webp) **CAUTION:** Note that you want to place a whole number and not a number with decimal places. The BUILDNUMBER field is actually nota numeric value, but a stringvalue and must match exactly. @@ -31,11 +31,11 @@ in the Registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | CurrentBuildNumber ``` -![14_3_faq-4-rev-1-img-3](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_3_faq-4-rev-1-img-3.webp) +![14_3_faq-4-rev-1-img-3](/img/product_docs/policypak/policypak/itemleveltargeting/14_3_faq-4-rev-1-img-3.webp) **Step 5 –** Use the Registry Match item as follows for a specific Build number. -![14_4_faq-4-rev-1-img-4](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_4_faq-4-rev-1-img-4.webp) +![14_4_faq-4-rev-1-img-4](/img/product_docs/policypak/policypak/itemleveltargeting/14_4_faq-4-rev-1-img-4.webp) Other build numbers you can use are: 
@@ -63,11 +63,11 @@ You can see examples of the first and second Windows 1809 releases below. First release of Windows 1809 build 17763: -![14_5_faq-4-rev-1-img-5](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_5_faq-4-rev-1-img-5.webp) +![14_5_faq-4-rev-1-img-5](/img/product_docs/policypak/policypak/itemleveltargeting/14_5_faq-4-rev-1-img-5.webp) Second release of Windows 1809 build 17763: -![14_6_faq-4-rev-1-img-6](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_6_faq-4-rev-1-img-6.webp) +![14_6_faq-4-rev-1-img-6](/img/product_docs/policypak/policypak/itemleveltargeting/14_6_faq-4-rev-1-img-6.webp) The Value you want to match with an ILT Registry Match is this: @@ -84,7 +84,7 @@ When Machine is Windows 10, and - When build is 17763 (Windows 1809) and - When build's UBR is .1 (first version of 1809). -![14_7_faq-4-rev-1-img-7](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_7_faq-4-rev-1-img-7.webp) +![14_7_faq-4-rev-1-img-7](/img/product_docs/policypak/policypak/itemleveltargeting/14_7_faq-4-rev-1-img-7.webp) ## How to Query for CB/CBB vs. LTSB/LTSC @@ -104,4 +104,4 @@ SELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = Here's an example: -![14_8_faq-4-rev-1-img-8](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/14_8_faq-4-rev-1-img-8.webp) +![14_8_faq-4-rev-1-img-8](/img/product_docs/policypak/policypak/itemleveltargeting/14_8_faq-4-rev-1-img-8.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/windowsendpoint.md b/docs/policypak/policypak/itemleveltargeting/windowsendpoint.md index 6f81a3127c..bcf6fbcf49 100644 --- a/docs/policypak/policypak/itemleveltargeting/windowsendpoint.md +++ b/docs/policypak/policypak/itemleveltargeting/windowsendpoint.md 
@@ -8,9 +8,9 @@ Currently Item Level Target (ILT) does not have a separate drop-down option spec You want to target both Windows 10 and Windows 11 computers inclusively. To target both Windows 10 and 11 endpoints, simply filter by Operating System and select Windows 10. This will target both. -![803_1_image-20230207212701-2](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/803_1_image-20230207212701-2.webp) +![803_1_image-20230207212701-2](/img/product_docs/policypak/policypak/itemleveltargeting/803_1_image-20230207212701-2.webp) -![803_2_image-20230207212701-3](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/803_2_image-20230207212701-3.webp) +![803_2_image-20230207212701-3](/img/product_docs/policypak/policypak/itemleveltargeting/803_2_image-20230207212701-3.webp) ## Option 2 @@ -18,7 +18,7 @@ You want to target Windows 10 or Windows 11 computers separately. If you only wa operating system, we need to take a different approach. For this we will utilize Registry Match and target the CurrentBuild or CurrentBuildNumber value. -![803_3_image-20230207212701-4](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/803_3_image-20230207212701-4.webp) +![803_3_image-20230207212701-4](/img/product_docs/policypak/policypak/itemleveltargeting/803_3_image-20230207212701-4.webp) On your current Windows computers, find the registry value(s) for CurrentBuildNumber 
@@ -26,7 +26,7 @@ On your current Windows computers, find the registry value(s) for CurrentBuildNu HKLM:Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber ``` -![803_4_image-20230207212701-5](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/803_4_image-20230207212701-5.webp) +![803_4_image-20230207212701-5](/img/product_docs/policypak/policypak/itemleveltargeting/803_4_image-20230207212701-5.webp) Currently, the value for Windows 11 build is 21996. This will change as new builds are introduced. It is necessary to use CurrentBuild or CurrentBuildNumber, as ReleaseID, that would normally be @@ -36,4 +36,4 @@ used, is currently the same for both Windows 10 and 11 installations (current va To add additional targets, simply add another Registry Match option for CurrentBuildNumber to specify the additional value and change the separator option from AND to OR. -![803_5_image-20230207212701-6](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/803_5_image-20230207212701-6.webp) +![803_5_image-20230207212701-6](/img/product_docs/policypak/policypak/itemleveltargeting/803_5_image-20230207212701-6.webp) diff --git a/docs/policypak/policypak/itemleveltargeting/windowsserver2019.md b/docs/policypak/policypak/itemleveltargeting/windowsserver2019.md index b4c90a9404..df172810dd 100644 --- a/docs/policypak/policypak/itemleveltargeting/windowsserver2019.md +++ b/docs/policypak/policypak/itemleveltargeting/windowsserver2019.md 
@@ -3,13 +3,13 @@ Depending on the editor you are using, your Item Level Target (ILT) editor may show one of either these two: -![88_1_image007](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_1_image007.webp) +![88_1_image007](/img/product_docs/policypak/policypak/itemleveltargeting/88_1_image007.webp) -![88_2_image008](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_2_image008.webp) +![88_2_image008](/img/product_docs/policypak/policypak/itemleveltargeting/88_2_image008.webp) In both cases, they produce the same Item Level Targeting Filter in XML, like this: -![88_3_image009](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_3_image009.webp) +![88_3_image009](/img/product_docs/policypak/policypak/itemleveltargeting/88_3_image009.webp) In this way, there is no distinction between 2016 and 2019 servers. This is not a Netwrix Endpoint Policy Manager (formerly PolicyPak) bug, because Endpoint Policy Manager is using the underlying @@ -30,11 +30,11 @@ You would use 1809 to match for Server 2019 and 1607 to match for Server 2016. Therefore you can match on Server 2016 when you make your ILT exactly like this: -![88_4_image010](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_4_image010.webp) +![88_4_image010](/img/product_docs/policypak/policypak/itemleveltargeting/88_4_image010.webp) And match on Server 2019 like this: -![88_5_image012](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_5_image012.webp) +![88_5_image012](/img/product_docs/policypak/policypak/itemleveltargeting/88_5_image012.webp) Additionally, if you wanted to limit your targeting to only affect server core installations, you can use this registry match: 
@@ -46,10 +46,10 @@ following technique: **Step 1 –** Locate the CurrentBuildNumber using the registry. -![88_6_image-20190927143735-1](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_6_image-20190927143735-1.webp) +![88_6_image-20190927143735-1](/img/product_docs/policypak/policypak/itemleveltargeting/88_6_image-20190927143735-1.webp) **Step 2 –** Then set your ILT to something similar to this: Windows 10 and BuildNumber \<= 17704 -![88_7_image](../../../../static/img/product_docs/policypak/policypak/itemleveltargeting/88_7_image.webp) +![88_7_image](/img/product_docs/policypak/policypak/itemleveltargeting/88_7_image.webp) diff --git a/docs/policypak/policypak/javaenterpriserules/exportcollections.md b/docs/policypak/policypak/javaenterpriserules/exportcollections.md index ff476a5abb..89b9cc1e46 100644 --- a/docs/policypak/policypak/javaenterpriserules/exportcollections.md +++ b/docs/policypak/policypak/javaenterpriserules/exportcollections.md @@ -6,7 +6,7 @@ own MDM service, or Endpoint Policy Manager Cloud. To export a policy for later Policy Manager Exporter or Endpoint Policy Manager Cloud, right-click the collection or the policy and select **Export to XML**. This will enable you to save an XML file, which you can use later. -![using_policypak_java_rules_13](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_13.webp) +![using_policypak_java_rules_13](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_13.webp) **NOTE:** Exported collections or policies maintain any Item-Level Targeting that has already been set. Also, note that Endpoint Policy Manager Java Rules Manager policies are always contained within diff --git a/docs/policypak/policypak/javaenterpriserules/gettingstarted.md b/docs/policypak/policypak/javaenterpriserules/gettingstarted.md index 452c86904b..d3bc7e9d41 100644 
--- a/docs/policypak/policypak/javaenterpriserules/gettingstarted.md +++ b/docs/policypak/policypak/javaenterpriserules/gettingstarted.md @@ -1,7 +1,7 @@ # Quick Start **NOTE:** Watch this video for an overview of Java Rules Manager: See -[Use Endpoint Policy Manager Cloud to choose which version of Java for what website](../video/javaenterpriserules/cloud.md) +[Use Endpoint Policy Manager Cloud to choose which version of Java for what website](/docs/policypak/policypak/video/javaenterpriserules/cloud.md) Netwrix Endpoint Policy Manager (formerly PolicyPak). Endpoint Policy Manager Java Rules Manager editor is within the Endpoint Policy Manager node. @@ -11,7 +11,7 @@ Rules Manager policy or collection. **NOTE:** You will only see the Java Rules Manager node when you have the latest Endpoint Policy Manager Admin Console MSI installed on your management station. -![quickstart_policypak_java](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java.webp) +![quickstart_policypak_java](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java.webp) Endpoint Policy Manager Java Rules Manager rules can only be created on the Computer side. If you attempt to use the user-side configuration node, you will receive a message explaining that you need 
@@ -24,9 +24,9 @@ Endpoint Policy Manager Java Rules Manager policies can use collections. If you organized, you can create a collectioni Endpoint Policy Manager and then put Java Rules policies (or other collections) inside the collection. -![quickstart_policypak_java_1](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_1.webp) +![quickstart_policypak_java_1](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_1.webp) -![quickstart_policypak_java_2](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_2.webp) +![quickstart_policypak_java_2](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_2.webp) Endpoint Policy Manager Java Rules Manager has a precedence order. This happens if you decide to have multiple policies, collections, and Group Policy Objects (GPOs), or if you choose to use 
@@ -37,29 +37,29 @@ that collection, create a new Endpoint Policy Manager Java Rules Manager policy, shown below. In this example, we are making a rule for [https://java.com ](https://java.com)by using Java 7 U 51. (Note that this is https, notjust http). -![quickstart_policypak_java_3](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_3.webp) +![quickstart_policypak_java_3](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_3.webp) **Step 2 –** Once you click **OK** you will receive an entry similar to the one shown below. -![quickstart_policypak_java_4](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_4.webp) +![quickstart_policypak_java_4](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_4.webp) **Step 3 –** If you would like to follow along with this Quickstart, create two more Endpoint Policy Manager Java Rules Manager policies in the same collection. The next one will make a rule so that [http://javatester.org ](http://javatester.org)will run with Java 8 U 25. (Note that this URL is http, nothttps). -![quickstart_policypak_java_5](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_5.webp) +![quickstart_policypak_java_5](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_5.webp) **Step 4 –** Click **OK** to save the entry.. **Step 5 –** Create another policy that will block `https://*.nasa.gov/`.Note that this URL is https. -![quickstart_policypak_java_6](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_6.webp) +![quickstart_policypak_java_6](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_6.webp) **Step 6 –** When complete, your entries will look like this:. 
-![quickstart_policypak_java_7](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_7.webp) +![quickstart_policypak_java_7](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_7.webp) Here is what each column in the above figure means: @@ -71,7 +71,7 @@ Here is what each column in the above figure means: - Enabled (True/False) — A policy entry can be enabled, which means it will go to work. If you need to temporarily stop a policy entry from applying, you can disable it (set it to False). - Item-Level Targeting (No/Yes) — We will describe this column later on in the section - [Using Item-Level Targeting with Collections and Policies](itemleveltargeting.md). + [Using Item-Level Targeting with Collections and Policies](/docs/policypak/policypak/javaenterpriserules/itemleveltargeting.md). - Comment — Any entry can have a comment option, which is used to explain why you made the decision. **Step 7 –** On the endpoint, reboot the computer or run GPupdate so the GPO with the policies that @@ -89,7 +89,7 @@ GPupdate). - Open Firefox and visit [www.javatester.org](http://www.javatester.org/). Then click **Test this version of Java**. You should see Java 1.8.0_25, that is, Java 8 U 25. -![quickstart_policypak_java_8](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_8.webp) +![quickstart_policypak_java_8](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_8.webp) **Step 9 –** On either browser, visit [https://atcsim.arc.nasa.gov/version/index.html](https://atcsim.arc.nasa.gov/version/index.html). 
@@ -97,14 +97,14 @@ When you visit the NASA website, you will receive a prompt warning you that the out of date and will be received (which is not related to Java). Continue to run the applet. The result is shown below. -![quickstart_policypak_java_9](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_9.webp) +![quickstart_policypak_java_9](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_9.webp) **Step 10 –** Click **OK**. Next, click the **Error: Click for details** message. When you do this, another message will pop-up. -![quickstart_policypak_java_10](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_10.webp) +![quickstart_policypak_java_10](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_10.webp) This ends the Endpoint Policy Manager Java Rules Manager Quickstart, which demonstrated the power of Endpoint Policy Manager Java Enterprise Rules Manager in the fastest amount of time. Note that prompts for various Java-related items might be received during your Quickstart. To overcome this, -please see section on [Overcoming Java Prompts](prompts/overview.md). +please see section on [Overcoming Java Prompts](/docs/policypak/policypak/javaenterpriserules/prompts/overview.md). diff --git a/docs/policypak/policypak/javaenterpriserules/itemleveltargeting.md b/docs/policypak/policypak/javaenterpriserules/itemleveltargeting.md index 8f18af371c..4591a3deab 100644 --- a/docs/policypak/policypak/javaenterpriserules/itemleveltargeting.md +++ b/docs/policypak/policypak/javaenterpriserules/itemleveltargeting.md 
@@ -7,12 +7,12 @@ policies within collections. **Step 1 –** To start, right-click the collection, and select **Change Item Level Targeting**. -![quickstart_policypak_java_2](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_2.webp) +![quickstart_policypak_java_2](/img/product_docs/policypak/policypak/javaenterpriserules/quickstart_policypak_java_2.webp) **Step 2 –** Within a Java Rules Manager policy, you can dictate an Item-Level Targeting policy by clicking on **Item-Level Targeting**. -![using_policypak_java_rules_7](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_7.webp) +![using_policypak_java_rules_7](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_7.webp) **Step 3 –** The Edit Item Level Targeting menu item brings up the Targeting Editor. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy @@ -25,7 +25,7 @@ much the same way parentheses are used in an equation. In this way, you can crea determination about where a policy will be applied. Collections may be set to **And**, **Or**, **Is**, or **Is Not**. -![using_policypak_java_rules_8](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_8.webp) +![using_policypak_java_rules_8](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_8.webp) Below are some real-world examples of how you can use Item-Level Targeting. 
@@ -48,13 +48,13 @@ Below are some real-world examples of how you can use Item-Level Targeting. indicates it now has Item-Level Targeting on the whole collection. In other words, none of the items in the collection will apply unless the Item-Level Targeting on the collection evaluates to True. -![using_policypak_java_rules_9](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_9.webp) +![using_policypak_java_rules_9](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_9.webp) Within the collection, setting Item-Level Targeting within any policy results in the icon turning orange. The Item-Level Targeting column will indicate if Item-Level Targeting is on (Yes) or off (No). -![using_policypak_java_rules_10](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_10.webp) +![using_policypak_java_rules_10](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_10.webp) In this way, you can have granular control over policies and collections. First, filter with Item-Level Targeting on a collection, and then filter any specific rule if any Item-Level Targeting diff --git a/docs/policypak/policypak/javaenterpriserules/manageria.md b/docs/policypak/policypak/javaenterpriserules/manageria.md index c13ad4511c..4b23010984 100644 --- a/docs/policypak/policypak/javaenterpriserules/manageria.md +++ b/docs/policypak/policypak/javaenterpriserules/manageria.md 
@@ -28,13 +28,13 @@ location, such as [https://java.com](https://java.com), and then enter the name for specificity. You can find the Java applet's name by running it without any rules first. It is important that only signed Java applets have a name. -![using_policypak_java_rules](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules.webp) +![using_policypak_java_rules](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules.webp) Once you know this, your rule will display the properties shown below. **NOTE:** In this instance, the **Latest in family** option has been chosen for Java 8. -![using_policypak_java_rules_1](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_1.webp) +![using_policypak_java_rules_1](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_1.webp) ## Managing RIAs Based on Certificate @@ -44,7 +44,7 @@ method works exclusively for digitally signed Java applets. To determine whether digitally signed, or if it contains the SHA256 of the certificate for the applet, see the example below. -![using_policypak_java_rules_2](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_2.webp) +![using_policypak_java_rules_2](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_2.webp) To get the certificate information using Firefox: @@ -74,7 +74,7 @@ steps: The first three steps areseen here. -![using_policypak_java_rules_3](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_3.webp) +![using_policypak_java_rules_3](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_3.webp) After you've saved the file, continue with the following steps, which are shown below. 
@@ -92,15 +92,15 @@ After you've saved the file, continue with the following steps, which are shown **Step 6 –** Type `keytool -printcert -jarfile pathtojar\javadetection.jar | more`. -![using_policypak_java_rules_4](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_4.webp) +![using_policypak_java_rules_4](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_4.webp) At this point, the SHA256 Hash appears, which you can copy and paste into the MMC. It is valid only with 32 pairs of hexadecimal numbers, with colons for separation. -![using_policypak_java_rules_5](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_5.webp) +![using_policypak_java_rules_5](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_5.webp) Be sure to use only the first SHA256 displayed and not the others listed in the output. Note that when you paste it into the Endpoint Policy Manager Java Rules Manager MMC snap in, the colons are automatically stripped. -![using_policypak_java_rules_6](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_6.webp) +![using_policypak_java_rules_6](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_6.webp) diff --git a/docs/policypak/policypak/javaenterpriserules/overview.md b/docs/policypak/policypak/javaenterpriserules/overview.md index a3b8d43c89..f591e68d17 100644 --- a/docs/policypak/policypak/javaenterpriserules/overview.md +++ b/docs/policypak/policypak/javaenterpriserules/overview.md 
@@ -1,7 +1,7 @@ # Java Enterprise Rules Manager **NOTE:** Before reading this section, please ensure you have read Book 2: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -10,7 +10,7 @@ learn to do the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, read the section in Appendix A: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) to deploy your +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) to deploy your directives. The goals of Netwrix Endpoint Policy Manager (formerly PolicyPak) Java Rules Manager are as follows: @@ -26,7 +26,7 @@ will be explained later). PolicyPak is not reinventing the wheel or tricking Jav alongside Oracle's sanctioned method for the mapping of Java versions to Java applets. **NOTE:** See this video -[Use Endpoint Policy Manager Cloud to choose which version of Java for what website](../video/javaenterpriserules/cloud.md) for +[Use Endpoint Policy Manager Cloud to choose which version of Java for what website](/docs/policypak/policypak/video/javaenterpriserules/cloud.md) for an overview of Endpoint Policy Manager Java Rules Manager. For instance, you might want to ensure that the following policies are running on your machine: 
@@ -43,7 +43,7 @@ PolicyPak Java Rules Manager enables you to perform the following functions: - Deliver policies to the Computer side (without Group Policy Loopback mode). - Create exact criteria for when specific Java versions should open in a browser. - Export policies or collections as XML files for use with PolicyPak Exporter and PolicyPak Cloud. - See [Exporting Collections](exportcollections.md) for additional information. + See [Exporting Collections](/docs/policypak/policypak/javaenterpriserules/exportcollections.md) for additional information. - Set custom messages when blocking a Java applet. To use the Quickstart for PolicyPak Java Rules Manager, we recommend you have one endpoint (Windows @@ -59,7 +59,7 @@ To use the Quickstart for PolicyPak Java Rules Manager, we recommend you have on It is recommended that you test the endpoint (Windows 7 or later) with all these versions of Java, as well as Internet Explorer, Firefox, and Chrome. -![about_policypak_java_rules](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/about_policypak_java_rules.webp) +![about_policypak_java_rules](/img/product_docs/policypak/policypak/javaenterpriserules/about_policypak_java_rules.webp) Even though there are more advanced scenarios, this will get you going quickly. diff --git a/docs/policypak/policypak/javaenterpriserules/overview/knowledgebase.md b/docs/policypak/policypak/javaenterpriserules/overview/knowledgebase.md index 8ed6b322a4..46e8198ecb 100644 --- a/docs/policypak/policypak/javaenterpriserules/overview/knowledgebase.md +++ b/docs/policypak/policypak/javaenterpriserules/overview/knowledgebase.md 
@@ -4,10 +4,10 @@ See the following Knowledge Base articles for Java Enterprise Rules Manager. ## Getting Started -- [I'm using Endpoint Policy Manager Java Rules Manager, but I still get Java prompts when visiting a webpage, or attempting to run a Java applet. What can I do?](../../troubleshooting/javaenterpriserules/javaprompts.md) -- [How are wildcards supported when used with IP addresses in the Java Rules Manager MMC console?](../wildcards.md) -- [How does Endpoint Policy Manager Java Rules Manager work with Virtualized Browsers and/or Java?](../virtualizedbrowsers.md) -- [How are URLs evaluated within Endpoint Policy Manager Java Rules Manager?](../evaluateurls.md) -- [Does Endpoint Policy Manager Java Rules Manager work with 64-bit versions of Java?](../../requirements/support/javaenterpriserules/version64bit.md) -- [What is the earliest version / what versions of Java are required for Java Rules Manager to work with?](../../requirements/support/javaenterpriserules/versionjava.md) -- [Why is the latest Java version installed being used instead of the version specified by Java Rules Manager?](../../troubleshooting/javaenterpriserules/versionlatest.md) +- [I'm using Endpoint Policy Manager Java Rules Manager, but I still get Java prompts when visiting a webpage, or attempting to run a Java applet. 
What can I do?](/docs/policypak/policypak/troubleshooting/javaenterpriserules/javaprompts.md) +- [How are wildcards supported when used with IP addresses in the Java Rules Manager MMC console?](/docs/policypak/policypak/javaenterpriserules/wildcards.md) +- [How does Endpoint Policy Manager Java Rules Manager work with Virtualized Browsers and/or Java?](/docs/policypak/policypak/javaenterpriserules/virtualizedbrowsers.md) +- [How are URLs evaluated within Endpoint Policy Manager Java Rules Manager?](/docs/policypak/policypak/javaenterpriserules/evaluateurls.md) +- [Does Endpoint Policy Manager Java Rules Manager work with 64-bit versions of Java?](/docs/policypak/policypak/requirements/support/javaenterpriserules/version64bit.md) +- [What is the earliest version / what versions of Java are required for Java Rules Manager to work with?](/docs/policypak/policypak/requirements/support/javaenterpriserules/versionjava.md) +- [Why is the latest Java version installed being used instead of the version specified by Java Rules Manager?](/docs/policypak/policypak/troubleshooting/javaenterpriserules/versionlatest.md) diff --git a/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md b/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md index 52c484591c..7e5a2acd4b 100644 --- a/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md +++ b/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md 
@@ -4,24 +4,24 @@ See the following Video topics for Java Enterprise Rules Manager. ## Getting Started -- [Use Group Policy to dictate which version of Java for what website](../../video/javaenterpriserules/gettingstarted.md) +- [Use Group Policy to dictate which version of Java for what website](/docs/policypak/policypak/video/javaenterpriserules/gettingstarted.md) -- [Endpoint Policy ManagerJava Rules Manager and Endpoint Policy Manager Browser Router: Better Together](../../video/javaenterpriserules/browserrouter.md) +- [Endpoint Policy ManagerJava Rules Manager and Endpoint Policy Manager Browser Router: Better Together](/docs/policypak/policypak/video/javaenterpriserules/browserrouter.md) -- [Block ALL Java (with some exceptions)](../../video/javaenterpriserules/block.md) +- [Block ALL Java (with some exceptions)](/docs/policypak/policypak/video/javaenterpriserules/block.md) -- [Using item Level Targeting to Specify which version of Java to use](../../video/javaenterpriserules/itemleveltargeting.md) +- [Using item Level Targeting to Specify which version of Java to use](/docs/policypak/policypak/video/javaenterpriserules/itemleveltargeting.md) -- [Endpoint Policy Manager Java Rules Manager... Import from Oracle's Deployment Rule Sets](../../video/javaenterpriserules/oracledeploymentrulesets.md) +- [Endpoint Policy Manager Java Rules Manager... Import from Oracle's Deployment Rule Sets](/docs/policypak/policypak/video/javaenterpriserules/oracledeploymentrulesets.md) ## Methods: SCCM, XML, MDM, Cloud, PDQ, Citrix, etc. 
-- [Deploy and Manage Java with PDQ Deploy and Endpoint Policy Manager ](../../video/javaenterpriserules/integration/pdqdeploy.md) -- [Deploying Multiple Versions of Java to the Same Endpoint Using Endpoint Policy Manager and PDQ Deploy](../../video/javaenterpriserules/versionsmultiple.md) -- [Use Endpoint Policy Manager Cloud to choose which version of Java for what website](../../video/javaenterpriserules/cloud.md) -- [Use SCCM, KACE, etc to specify different websites for different Java](../../video/javaenterpriserules/sccm.md) -- [Manage Java with Java Rules Manager and your MDM service](../../video/javaenterpriserules/mdm.md) +- [Deploy and Manage Java with PDQ Deploy and Endpoint Policy Manager ](/docs/policypak/policypak/video/javaenterpriserules/integration/pdqdeploy.md) +- [Deploying Multiple Versions of Java to the Same Endpoint Using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/javaenterpriserules/versionsmultiple.md) +- [Use Endpoint Policy Manager Cloud to choose which version of Java for what website](/docs/policypak/policypak/video/javaenterpriserules/cloud.md) +- [Use SCCM, KACE, etc to specify different websites for different Java](/docs/policypak/policypak/video/javaenterpriserules/sccm.md) +- [Manage Java with Java Rules Manager and your MDM service](/docs/policypak/policypak/video/javaenterpriserules/mdm.md) ## Troubleshooting -- [Endpoint Policy Manager Java Rules Manager: XML Surgery](../../video/javaenterpriserules/xmlsurgery.md) +- [Endpoint Policy Manager Java Rules Manager: XML Surgery](/docs/policypak/policypak/video/javaenterpriserules/xmlsurgery.md) diff --git a/docs/policypak/policypak/javaenterpriserules/processorderprecedence.md b/docs/policypak/policypak/javaenterpriserules/processorderprecedence.md index 4842ca9c14..06b993f4c2 100644 --- a/docs/policypak/policypak/javaenterpriserules/processorderprecedence.md +++ b/docs/policypak/policypak/javaenterpriserules/processorderprecedence.md 
@@ -11,9 +11,9 @@ So, lower-numbered collections attempt to process first, and higher-numbered col process last. Then, within any collection, each policy is processed in numerical order from lowest to highest. -![using_policypak_java_rules_11](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_11.webp) +![using_policypak_java_rules_11](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_11.webp) -![using_policypak_java_rules_12](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_12.webp) +![using_policypak_java_rules_12](/img/product_docs/policypak/policypak/javaenterpriserules/using_policypak_java_rules_12.webp) ## Precedence diff --git a/docs/policypak/policypak/javaenterpriserules/prompts/firefox.md b/docs/policypak/policypak/javaenterpriserules/prompts/firefox.md index f10091998f..fd25484a57 100644 --- a/docs/policypak/policypak/javaenterpriserules/prompts/firefox.md +++ b/docs/policypak/policypak/javaenterpriserules/prompts/firefox.md 
@@ -3,9 +3,9 @@ When an end user encounters a Java applet on a website, they are asked to Activate Java, and to Allow Now or Allow and Remember appear -![overcoming_java_prompts_1](../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts_1.webp) +![overcoming_java_prompts_1](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts_1.webp) -![overcoming_java_prompts_2](../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts_2.webp) +![overcoming_java_prompts_2](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts_2.webp) See [Firefox: How do I set "Allow Now", "Allow and Remember" or "Block Plugin" as plug-ins are requested?](https://helpcenter.netwrix.com/bundle/PolicyPak/page/Content/PolicyPak/ApplicationSettings/Preconfigured/Firefox/AllowRemember.htm) diff --git a/docs/policypak/policypak/javaenterpriserules/prompts/firefoxinternetexplorer.md b/docs/policypak/policypak/javaenterpriserules/prompts/firefoxinternetexplorer.md index 3f35edb774..c75730b5ce 100644 --- a/docs/policypak/policypak/javaenterpriserules/prompts/firefoxinternetexplorer.md +++ b/docs/policypak/policypak/javaenterpriserules/prompts/firefoxinternetexplorer.md 
@@ -4,13 +4,13 @@ If the message Application Blocked by Java Security appears when working in Inte Firefox, then add the site to the Java Site List Exceptions to automate and work around this message. -![overcoming_java_prompts](../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts.webp) +![overcoming_java_prompts](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/overcoming_java_prompts.webp) The fastest way to automate this is with Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Settings Manager Java AppSets. Starting with Java 7 U 25 they all have this feature. **NOTE:** See -[Manage and Lock down Java Site List Exceptions](../../video/applicationsettings/java/lockdown.md) +[Manage and Lock down Java Site List Exceptions](/docs/policypak/policypak/video/applicationsettings/java/lockdown.md) for additional information. Here are some other Endpoint Policy Manager Application Settings Manager Java prompts you may diff --git a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message1.md b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message1.md index a1415b2775..ec2b0e8297 100644 --- a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message1.md +++ b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message1.md 
@@ -8,23 +8,23 @@ Mode for this site and allow the control to run. This Java message pops-up when you try to access an IE website that has a Java applet on it. -![overcoming_java_prompts_3](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_3.webp) +![overcoming_java_prompts_3](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_3.webp) This message occurs when certain settings are applied manually or with Group Policy, as shown below. -![overcoming_java_prompts_4](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_4.webp) +![overcoming_java_prompts_4](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_4.webp) To remove the prompt when running the Java applet, make the site a Trusted Site in IE. Below you can see how to remove a Java message and make the website a trusted site. -![overcoming_java_prompts_5](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_5.webp) +![overcoming_java_prompts_5](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_5.webp) Another way to remove the message is by using Endpoint Policy Manager Application Settings Manager, as shown below. -![overcoming_java_prompts_6](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_6.webp) +![overcoming_java_prompts_6](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_6.webp) You can also use Endpoint Policy Manager Application Settings Manager to merge your site with the user's. 
-![overcoming_java_prompts_7](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_7.webp) +![overcoming_java_prompts_7](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_7.webp) diff --git a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message2.md b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message2.md index 109f0b4b58..84d0818c30 100644 --- a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message2.md +++ b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message2.md @@ -9,11 +9,11 @@ _Name:_ `icacls.exe` Publisher: Microsoft Windows -![overcoming_java_prompts_8](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_8.webp) +![overcoming_java_prompts_8](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_8.webp) This specific prompt is received when the message is set manually or via Group Policy/PolicyPak. -![overcoming_java_prompts_9](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_9.webp) +![overcoming_java_prompts_9](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_9.webp) This prompt can be made to automatically never occur again using Group Policy Preferences: 
@@ -32,6 +32,6 @@ table below.. By creating these registry values, you can make the Java messages automatically never pop-up again. -![overcoming_java_prompts_10](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_10.webp) +![overcoming_java_prompts_10](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_10.webp) The result is that the prompt for iCacls is no longer received, but the Java applet will not run. diff --git a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message3.md b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message3.md index 4c6e05bc2a..ba40130e30 100644 --- a/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message3.md +++ b/docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/message3.md @@ -9,11 +9,11 @@ Name: Java SE Runtime Environment 8 Update… Publisher: Oracle America, Inc. -![overcoming_java_prompts_11](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_11.webp) +![overcoming_java_prompts_11](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_11.webp) You can also set this message manually, or by usign Group Policy. -![overcoming_java_prompts_12](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_12.webp) +![overcoming_java_prompts_12](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_12.webp) To make this prompt automatically never occur again, use Group Policy Preferences: 
@@ -30,7 +30,7 @@ values as shown in the table below: | AppPath | REG_SZ | C:\Program Files (x86)\Java\jre1.8.0_111\bin | Or the path to the latest version of Java | | Policy | REG_DWord | 3 | | -![overcoming_java_prompts_13](../../../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_13.webp) +![overcoming_java_prompts_13](/img/product_docs/policypak/policypak/javaenterpriserules/prompts/internetexplorer/overcoming_java_prompts_13.webp) The result is that the Java applet is allowed. Since Endpoint Policy Manager Application Settings Manager does not yet have a way to set this dynamically, we suggest Group Policy Preferences be used diff --git a/docs/policypak/policypak/javaenterpriserules/theory.md b/docs/policypak/policypak/javaenterpriserules/theory.md index d81bd39f3f..bde484eb44 100644 --- a/docs/policypak/policypak/javaenterpriserules/theory.md +++ b/docs/policypak/policypak/javaenterpriserules/theory.md @@ -20,7 +20,7 @@ enterprise-wide. The essence of the feature is a rule set, which must be created package must be digitally signed and deployed to endpoints. When the rule set is executed correctly (manually), the result looks similar to what is shown below. -![theory_of_operation_and_moving](../../../../static/img/product_docs/policypak/policypak/javaenterpriserules/theory_of_operation_and_moving.webp) +![theory_of_operation_and_moving](/img/product_docs/policypak/policypak/javaenterpriserules/theory_of_operation_and_moving.webp) Automating and updating deployment rule sets anytime a site requires updating can be painful. Fortunately, Endpoint Policy Manager Java Rules Manager automates the whole process. It reduces diff --git a/docs/policypak/policypak/knowledgebase.md b/docs/policypak/policypak/knowledgebase.md index bf557cd48c..2dfb19ab4d 100644 --- a/docs/policypak/policypak/knowledgebase.md +++ b/docs/policypak/policypak/knowledgebase.md 
@@ -5,25 +5,25 @@ Learning Center sessions: | | | | | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![allthingslicensing](../../../static/img/product_docs/policypak/policypak/allthingslicensing.webp) | All Things Licensing | - [Knowledge Base](license/overview/knowledgebase.md) - [Video Learning Center](license/overview/videolearningcenter.md) | -| ![gettingstartedmisc](../../../static/img/product_docs/policypak/policypak/gettingstartedmisc.webp) | Getting Started with Endpoint Policy Manager (Misc) | - [Knowledge Base](gettingstarted/overview/knowledgebase.md) - [Video Learning Center](gettingstarted/overview/videolearningcenter.md) | -| ![gettingstartedcloud](../../../static/img/product_docs/policypak/policypak/gettingstartedcloud.webp) | Getting Started with Cloud | - [Knowledge Base](cloud/overview/knowledgebase.md) - [Video Learning Center](cloud/overview/videolearningcenter.md) | -| ![allthingsinstallationupkeep](../../../static/img/product_docs/policypak/policypak/allthingsinstallationupkeep.webp) | All Thinks Installation & Upkeep | - [Knowledge Base](install/overview/knowledgebase.md) - [Video Learning Center](install/overview/videolearningcenter.md) | -| ![gettingstartedgrouppolicy](../../../static/img/product_docs/policypak/policypak/gettingstartedmisc.webp) | Getting Started with Group Policy | - [Knowledge Base](grouppolicy/overview/knowledgebase.md) - [Video Learning Center](grouppolicy/overview/videolearningcenter.md) | -| ![gettingstartedmdm](../../../static/img/product_docs/policypak/policypak/gettingstartedmdm.webp) | Getting Started with MDM | - [Knowledge Base](mdm/overview/knowledgebase.md) - [Video Learning 
Center](mdm/overview/videolearningcenter.md) | -| ![gpoexportmergeadmintemplatespreferences](../../../static/img/product_docs/policypak/policypak/gpoexportmergeadmintemplatespreferences.webp) | GPO Export Merge, Admin Templates & Preferences 2.0 | - [Knowledge Base](gpoexport/overview/knowledgebase.md) - [Video Learning Center](gpoexport/overview/videolearningcenter.md) | -| ![fileassociationsmanager](../../../static/img/product_docs/policypak/policypak/fileassociationsmanager.webp) | File Associations Manager | - [Knowledge Base](fileassociations/overview/knowledgebase.md) - [Video Learning Center](fileassociations/overview/videolearningcenter.md) | -| ![browserrouter](../../../static/img/product_docs/policypak/policypak/browserrouter.webp) | Browser Router | - [Knowledge Base](browserrouter/overview/knowledgebase.md) - [Video Learning Center](browserrouter/overview/videolearningcenter.md) | -| ![leastprivilegemanager](../../../static/img/product_docs/policypak/policypak/leastprivilegemanager.webp) | Least Privilege Manager Windows and Mac | - [Knowledge Base](leastprivilege/overview/knowledgebase.md) - [Video Learning Center](leastprivilege/overview/videolearningcenter.md) | -| ![devicemanager](../../../static/img/product_docs/policypak/policypak/devicemanager.webp) | Device Manager | - [Knowledge Base](device/overview/knowledgebase.md) - [Video Learning Center](device/overview/videolearningcenter.md) | -| ![networksecuritymanager](../../../static/img/product_docs/policypak/policypak/networksecuritymanager.webp) | Network Security Manager | - [Video Learning Center](video/networksecurity/videolearningcenter.md) | -| ![javaenterpriserulesmanager](../../../static/img/product_docs/policypak/policypak/javaenterpriserulesmanager.webp) | Java Enterprise Rules Manager | - [Knowledge Base](javaenterpriserules/overview/knowledgebase.md) - [Video Learning Center](javaenterpriserules/overview/videolearningcenter.md) | -| 
![startscreentaskbarmanager](../../../static/img/product_docs/policypak/policypak/startscreentaskbarmanager.webp) | Start Screen & Task Bar Manager | - [Knowledge Base](startscreentaskbar/overview/knowledgebase.md) - [Video Learning Center](startscreentaskbar/overview/videolearningcenter.md) | -| ![scriptstriggersmanager](../../../static/img/product_docs/policypak/policypak/scriptstriggersmanager.webp) | Scripts & Triggers Manager | - [Knowledge Base](scriptstriggers/overview/knowledgebase.md) - [Video Learning Center](scriptstriggers/overview/videolearningcenter.md) | -| ![featuremanagerwindows](../../../static/img/product_docs/policypak/policypak/featuremanagerwindows.webp) | Feature Manager for Windows | - [Knowledge Base](feature/overview/knowledgebase.md) - [Video Learning Center](feature/overview/videolearningcenter.md) | -| ![remoteworkdeliverymanager](../../../static/img/product_docs/policypak/policypak/remoteworkdeliverymanager.webp) | Remote Work Delivery Manager | - [Knowledge Base](feature/overview/knowledgebase.md) - [Video Learning Center](feature/overview/videolearningcenter.md) | -| ![rdpmanager](../../../static/img/product_docs/policypak/policypak/rdpmanager.webp) | Endpoint Policy Manager RDP Manager | - [Video Learning Center](video/remotedesktopprotocol/videolearningcenter.md) | -| ![softwarepackagemanager](../../../static/img/product_docs/policypak/policypak/softwarepackagemanager.webp) | Software Package Manager | - [Knowledge Base](softwarepackage/overview/knowledgebase.md) - [Video Learning Center](softwarepackage/overview/videolearningcenter.md) | -| ![applicationmanager](../../../static/img/product_docs/policypak/policypak/applicationmanager.webp) | Application Manager | - [Knowledge Base](applicationsettings/overview/knowledgebase.md) - [Video Learning Center](applicationsettings/overview/videolearningcenter.md) | -| ![gpcompliancereporter](../../../static/img/product_docs/policypak/policypak/gpcompliancereporter.webp) | Endpoint Policy 
Manager GP Compliance Reporter | - [Knowledge Base](grouppolicycompliancereporter/overview/knowledgebase.md) - [Video Learning Center](grouppolicycompliancereporter/overview/videolearningcenter.md) | -| ![archive](../../../static/img/product_docs/strongpointfornetsuite/clean_up/archive.webp) | Archive | - [Archive](archive/overview.md) | +| ![allthingslicensing](/img/product_docs/policypak/policypak/allthingslicensing.webp) | All Things Licensing | - [Knowledge Base](/docs/policypak/policypak/license/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/license/overview/videolearningcenter.md) | +| ![gettingstartedmisc](/img/product_docs/policypak/policypak/gettingstartedmisc.webp) | Getting Started with Endpoint Policy Manager (Misc) | - [Knowledge Base](/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/gettingstarted/overview/videolearningcenter.md) | +| ![gettingstartedcloud](/img/product_docs/policypak/policypak/gettingstartedcloud.webp) | Getting Started with Cloud | - [Knowledge Base](/docs/policypak/policypak/cloud/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/cloud/overview/videolearningcenter.md) | +| ![allthingsinstallationupkeep](/img/product_docs/policypak/policypak/allthingsinstallationupkeep.webp) | All Thinks Installation & Upkeep | - [Knowledge Base](/docs/policypak/policypak/install/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/install/overview/videolearningcenter.md) | +| ![gettingstartedgrouppolicy](/img/product_docs/policypak/policypak/gettingstartedmisc.webp) | Getting Started with Group Policy | - [Knowledge Base](/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/grouppolicy/overview/videolearningcenter.md) | +| ![gettingstartedmdm](/img/product_docs/policypak/policypak/gettingstartedmdm.webp) | Getting Started with MDM 
| - [Knowledge Base](/docs/policypak/policypak/mdm/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) | +| ![gpoexportmergeadmintemplatespreferences](/img/product_docs/policypak/policypak/gpoexportmergeadmintemplatespreferences.webp) | GPO Export Merge, Admin Templates & Preferences 2.0 | - [Knowledge Base](/docs/policypak/policypak/gpoexport/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/gpoexport/overview/videolearningcenter.md) | +| ![fileassociationsmanager](/img/product_docs/policypak/policypak/fileassociationsmanager.webp) | File Associations Manager | - [Knowledge Base](/docs/policypak/policypak/fileassociations/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/fileassociations/overview/videolearningcenter.md) | +| ![browserrouter](/img/product_docs/policypak/policypak/browserrouter.webp) | Browser Router | - [Knowledge Base](/docs/policypak/policypak/browserrouter/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/browserrouter/overview/videolearningcenter.md) | +| ![leastprivilegemanager](/img/product_docs/policypak/policypak/leastprivilegemanager.webp) | Least Privilege Manager Windows and Mac | - [Knowledge Base](/docs/policypak/policypak/leastprivilege/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md) | +| ![devicemanager](/img/product_docs/policypak/policypak/devicemanager.webp) | Device Manager | - [Knowledge Base](/docs/policypak/policypak/device/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/device/overview/videolearningcenter.md) | +| ![networksecuritymanager](/img/product_docs/policypak/policypak/networksecuritymanager.webp) | Network Security Manager | - [Video Learning Center](/docs/policypak/policypak/video/networksecurity/videolearningcenter.md) | +| 
![javaenterpriserulesmanager](/img/product_docs/policypak/policypak/javaenterpriserulesmanager.webp) | Java Enterprise Rules Manager | - [Knowledge Base](/docs/policypak/policypak/javaenterpriserules/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/javaenterpriserules/overview/videolearningcenter.md) | +| ![startscreentaskbarmanager](/img/product_docs/policypak/policypak/startscreentaskbarmanager.webp) | Start Screen & Task Bar Manager | - [Knowledge Base](/docs/policypak/policypak/startscreentaskbar/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md) | +| ![scriptstriggersmanager](/img/product_docs/policypak/policypak/scriptstriggersmanager.webp) | Scripts & Triggers Manager | - [Knowledge Base](/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md) | +| ![featuremanagerwindows](/img/product_docs/policypak/policypak/featuremanagerwindows.webp) | Feature Manager for Windows | - [Knowledge Base](/docs/policypak/policypak/feature/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/feature/overview/videolearningcenter.md) | +| ![remoteworkdeliverymanager](/img/product_docs/policypak/policypak/remoteworkdeliverymanager.webp) | Remote Work Delivery Manager | - [Knowledge Base](/docs/policypak/policypak/feature/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/feature/overview/videolearningcenter.md) | +| ![rdpmanager](/img/product_docs/policypak/policypak/rdpmanager.webp) | Endpoint Policy Manager RDP Manager | - [Video Learning Center](/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md) | +| ![softwarepackagemanager](/img/product_docs/policypak/policypak/softwarepackagemanager.webp) | Software Package Manager | - [Knowledge 
Base](/docs/policypak/policypak/softwarepackage/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md) | +| ![applicationmanager](/img/product_docs/policypak/policypak/applicationmanager.webp) | Application Manager | - [Knowledge Base](/docs/policypak/policypak/applicationsettings/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md) | +| ![gpcompliancereporter](/img/product_docs/policypak/policypak/gpcompliancereporter.webp) | Endpoint Policy Manager GP Compliance Reporter | - [Knowledge Base](/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md) - [Video Learning Center](/docs/policypak/policypak/grouppolicycompliancereporter/overview/videolearningcenter.md) | +| ![archive](/img/product_docs/strongpointfornetsuite/clean_up/archive.webp) | Archive | - [Archive](/docs/policypak/policypak/archive/overview.md) | diff --git a/docs/policypak/policypak/leastprivilege/accountelevatedprocess.md b/docs/policypak/policypak/leastprivilege/accountelevatedprocess.md index fd9490bb50..5bead5d5c0 100644 --- a/docs/policypak/policypak/leastprivilege/accountelevatedprocess.md +++ b/docs/policypak/policypak/leastprivilege/accountelevatedprocess.md @@ -11,4 +11,4 @@ But the process is elevated. Here is an example running UAC-Required PowerPointV with EastSalesUser1 when a Endpoint Policy Manager Least Privilege Manager rule is in place to affect EastSalesUser1. -![649_1_img-1_950x524](../../../../static/img/product_docs/policypak/policypak/leastprivilege/649_1_img-1_950x524.webp) +![649_1_img-1_950x524](/img/product_docs/policypak/policypak/leastprivilege/649_1_img-1_950x524.webp) diff --git a/docs/policypak/policypak/leastprivilege/acltraverse.md b/docs/policypak/policypak/leastprivilege/acltraverse.md index 90c3babbc9..f3b0910dca 100644 --- a/docs/policypak/policypak/leastprivilege/acltraverse.md 
+++ b/docs/policypak/policypak/leastprivilege/acltraverse.md @@ -14,7 +14,7 @@ registry**. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_acl_manage_file.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_acl_manage_file.webp) Next, specify the path(s) to files or registry and change the Permission (using the dropdown or **Edit permissions** button.) 
@@ -22,24 +22,24 @@ Next, specify the path(s) to files or registry and change the Permission (using ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_acl_manage_file_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_acl_manage_file_1.webp) As a result, when Notepadis run from the specified location it can edit the `c:\windows\system32\drivers\etc\hosts` file. **NOTE:** See the -[Endpoint Policy Manager and ACL Traverse: How to give rights to modify HOSTS files and similar](../video/leastprivilege/acltraverse/modifyhosts.md) +[Endpoint Policy Manager and ACL Traverse: How to give rights to modify HOSTS files and similar](/docs/policypak/policypak/video/leastprivilege/acltraverse/modifyhosts.md) video for a demo on how to use ACL Traverse to modify the hosts file. **NOTE:** See the -[Endpoint Policy Manager: ACL Traverse to enable users to delete icons on desktop](../video/leastprivilege/acltraverse/deleteicons.md) +[Endpoint Policy Manager: ACL Traverse to enable users to delete icons on desktop](/docs/policypak/policypak/video/leastprivilege/acltraverse/deleteicons.md) video for a demo on how to use ACL Traverse to delete icons on the desktop. **NOTE:** See the -[Endpoint Policy Manager ACL and File Traverse: Let any application in Programfiles overcome NTFS permissions](../video/leastprivilege/acltraverse/ntfspermissions.md) +[Endpoint Policy Manager ACL and File Traverse: Let any application in Programfiles overcome NTFS permissions](/docs/policypak/policypak/video/leastprivilege/acltraverse/ntfspermissions.md) video for a demo on how to use ACL Traverse to let any application in Programfiles overcome NTFS permissions. 
**NOTE:** See the -[Endpoint Policy Manager: Overcome ACLs in Registry even as Standard User](../video/leastprivilege/acltraverse/registry.md) +[Endpoint Policy Manager: Overcome ACLs in Registry even as Standard User](/docs/policypak/policypak/video/leastprivilege/acltraverse/registry.md) video for a demo of ACL Traverse and Registry. diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/avoidpopups.md b/docs/policypak/policypak/leastprivilege/adminapproval/avoidpopups.md index 6d0f0d7456..39f9ba61b9 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/avoidpopups.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/avoidpopups.md @@ -4,7 +4,7 @@ You might find that end users report that the Admin Approval pop-up appears even click on anything. **NOTE:** See the -[Understand "Enforce Admin Approval for all installers" behavior](../../video/leastprivilege/adminapproval/enforce.md) +[Understand "Enforce Admin Approval for all installers" behavior](/docs/policypak/policypak/video/leastprivilege/adminapproval/enforce.md) video to learn how to avoid pop-ups with Admin Approval. This will generally happen when two things are true: @@ -18,7 +18,7 @@ still come up.. Two examples of pop-ups that users might see, OneDrive and Java, ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval.webp) There are two ways to overcome these messages: 
@@ -45,7 +45,7 @@ Least Privilege Manager, and open ppUser_operational.log. ![A screenshot of a computer program Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval_1.webp) **NOTE:** Some applications may have different ways to self-update, possibly calling more than one upgrade application. Thiscould result in more than one pop-up. Be sure you are noting them all @@ -60,7 +60,7 @@ canceled dialogs, like the one shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval.webp) There is more information on using Event Viewer with Endpoint Policy Manager at the end of this guide, with specific event IDs to search for. diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/gettingstarted.md b/docs/policypak/policypak/leastprivilege/adminapproval/gettingstarted.md index 91827ce9ab..d69e50614b 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/gettingstarted.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/gettingstarted.md 
@@ -4,7 +4,7 @@ If there’s no Endpoint Policy ManagerLeast Privilege Manager rule to automatic application (or allow it to bypass SecureRun™), the user is prompted with a special dialog to request access. -**NOTE:** See the [Admin Approval demo](../../video/leastprivilege/adminapproval/demo.md) video for +**NOTE:** See the [Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) video for Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager Admin Approval mode setup and in action. diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/secretkey.md b/docs/policypak/policypak/leastprivilege/adminapproval/secretkey.md index 28945d128f..cd157242ee 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/secretkey.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/secretkey.md @@ -6,7 +6,7 @@ Privilege Manager node to create a new Admin Approval Policy. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key.webp) You’ll now see the Admin Approval Settings, as shown in here. Change the Admin Approval State from **Not Configured** to **Enabled**. @@ -14,7 +14,7 @@ You’ll now see the Admin Approval Settings, as shown in here. Change the Admin ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_1.webp) You also can change two other settings: 
@@ -31,14 +31,14 @@ Notepad. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_2.webp) Click on the **Misc** tab, which enables you to configure the two policies shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/creating_the_secret_key_3.webp) - Custom Message - Configure the pop-up the user will see when Admin Approval kicks in. - Display name - Configure the right-click menu item the user will which will invoke Admin Approval. diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/secretkeysecure.md b/docs/policypak/policypak/leastprivilege/adminapproval/secretkeysecure.md index a97e61953b..a77001ffcf 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/secretkeysecure.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/secretkeysecure.md @@ -5,7 +5,7 @@ The secret key of Admin Approval is stored within the XML inside the GPO, as see ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when.webp) If you look closely, you will see it is not the same key that was used earlier. Indeed, it is re-hashed or re-encrypted before it is placed within the XML within the GPO. Even so, it is best 
@@ -34,7 +34,7 @@ but never expose it to a User). ![A screenshot of a computer screen Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when_1.webp) This immediately prevents Standard Users from reading the Computer side of the GPO, as shown in here. @@ -42,7 +42,7 @@ here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when.webp) Again, if you choose to place computers into an Active Directory security group, you will need to reboot the computer so it will pick up the new computer group membership and then the GPO. @@ -54,4 +54,4 @@ shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/securing_the_secret_key_when_2.webp) diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/test.md b/docs/policypak/policypak/leastprivilege/adminapproval/test.md index 02b8cdb2b0..9a021a7855 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/test.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/test.md 
@@ -8,7 +8,7 @@ here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval.webp) The user needs to present this **Request Code**, typically over the phone, to an Admin who can create a **Response Code**. @@ -29,7 +29,7 @@ requires you to enter in the same secret key from the GPO you used earlier. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_1.webp) You can save the secret key in the Registry of this Admin’s machine, secured with his own encrypted password. You could also require that the key cannot be viewed ever again when this tool is run by @@ -54,7 +54,7 @@ in the **Request Code**, then pick the option that makes sense. The items you ca ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_2.webp) **NOTE:** The Admin Approval Tool may be branded. See the section **Branding and Customization** in this guide. @@ -65,7 +65,7 @@ launch. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_3.webp) In our example, we specified that the code could be used one time, so if the user tries to rerun the same application, they are prompted again. 
@@ -76,7 +76,7 @@ installed. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval.webp) You can also see and launch the Admin Approval Tool from within a GPO, provided you have the secret key inside the GPO, as seen here. @@ -84,4 +84,4 @@ key inside the GPO, as seen here. ![A computer screen shot of a computer screen Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/testing_admin_approval_4.webp) diff --git a/docs/policypak/policypak/leastprivilege/adminapproval/useemail.md b/docs/policypak/policypak/leastprivilege/adminapproval/useemail.md index 3b04dfd731..b9481b0a0b 100644 --- a/docs/policypak/policypak/leastprivilege/adminapproval/useemail.md +++ b/docs/policypak/policypak/leastprivilege/adminapproval/useemail.md 
@@ -6,13 +6,13 @@ ServiceNow or support personnel, rather than initiating a phone call. Using the policy we created earlier, open the policy up and click on the **Email** tab. Change the **Use of email** field to **Enabled** and insert an email address that will handle the admin approvals. -**NOTE:** See the [Using Email / Long Codes](../../video/leastprivilege/longcodes.md) video for +**NOTE:** See the [Using Email / Long Codes](/docs/policypak/policypak/video/leastprivilege/longcodes.md) video for using email for Admin Approval. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval.webp) The two options are: @@ -20,7 +20,7 @@ The two options are: - Open the message in Notepad instead - Instead of opening an email, it will open in Notepad. This is useful if you don’t have any locally installed email client and wish to copy / paste the details into Gmail, Office 365 Web mail, or similar. See the - [Endpoint Privilege Manager: Admin Approval Email method (with Notepad instead)](../../video/leastprivilege/adminapproval/email.md) + [Endpoint Privilege Manager: Admin Approval Email method (with Notepad instead)](/docs/policypak/policypak/video/leastprivilege/adminapproval/email.md) video for a demonstration. Now when users click on an install or run an application, they receive a slightly different prompt. 
@@ -32,14 +32,14 @@ approval request using their email application. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_1.webp) Here you can see the generated email containing the request code. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_2.webp) When the email is received, a support admin can copy the request code and paste it into the Admin Approval Tool. Once pasted into the tool, all of the task information about the application appears @@ -51,4 +51,4 @@ board and/or send an email back to the user. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/using_email_for_admin_approval_3.webp) diff --git a/docs/policypak/policypak/leastprivilege/allow/nonadminuser.md b/docs/policypak/policypak/leastprivilege/allow/nonadminuser.md index da34a1520b..f5601060c1 100644 --- a/docs/policypak/policypak/leastprivilege/allow/nonadminuser.md +++ b/docs/policypak/policypak/leastprivilege/allow/nonadminuser.md 
@@ -10,24 +10,24 @@ Follow the steps to start the service using the command line. **Step 2 –** Create an LPM Combo rule using Path and Command line. -![1318_1_6c12a201fa0efabb0ac290a16ff6cc0d](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_1_6c12a201fa0efabb0ac290a16ff6cc0d.webp) +![1318_1_6c12a201fa0efabb0ac290a16ff6cc0d](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_1_6c12a201fa0efabb0ac290a16ff6cc0d.webp) **Step 3 –** For the Path, use: C:\Windows\System32\sc.exe -![1318_2_8beafda62e37494f1c8002167898f88f](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_2_8beafda62e37494f1c8002167898f88f.webp) +![1318_2_8beafda62e37494f1c8002167898f88f](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_2_8beafda62e37494f1c8002167898f88f.webp) **Step 4 –** For the Command line use the syntax: `` (\*space``\*). For example:`RemoteRegistry`. Ensure that both **Strict equality** and **Ignore arguments** case options are checked. -![1318_3_68d25dd7a6203dc388177e40b10e567d](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_3_68d25dd7a6203dc388177e40b10e567d.webp) +![1318_3_68d25dd7a6203dc388177e40b10e567d](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_3_68d25dd7a6203dc388177e40b10e567d.webp) **NOTE:** You can use services.msc and look at the properties of an individual service to get the ServiceName, or you can use the `sc query` command from CMD to get the ServiceName. **Step 5 –** Apply the policy to the user(s) or computer(s) that need to receive the policy. 
-![1318_4_eb4a951261c6175e4bc5cf6755973f0e](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_4_eb4a951261c6175e4bc5cf6755973f0e.webp) +![1318_4_eb4a951261c6175e4bc5cf6755973f0e](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_4_eb4a951261c6175e4bc5cf6755973f0e.webp) **Step 6 –** Test from a CMD prompt as a standard non-admin user to see if you can manage the Remote Registry service using the SC.EXE command. `SC Config RemoteRegistry Start=Auto` @@ -35,15 +35,15 @@ Registry service using the SC.EXE command. `SC Config RemoteRegistry Start=Auto` **NOTE:** Since the Remote Registry service is disabled by default we need to enable the service and choose its startup type. -![1318_5_508183dde00c40d462fb07efa2b16d71](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_5_508183dde00c40d462fb07efa2b16d71.webp) +![1318_5_508183dde00c40d462fb07efa2b16d71](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_5_508183dde00c40d462fb07efa2b16d71.webp) **Step 7 –** Start the service using the following command: `SC Start RemoteRegistry`. -![1318_6_5f4b0a5c9b2a2991bb671fa5353a3f8f](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_6_5f4b0a5c9b2a2991bb671fa5353a3f8f.webp) +![1318_6_5f4b0a5c9b2a2991bb671fa5353a3f8f](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_6_5f4b0a5c9b2a2991bb671fa5353a3f8f.webp) **Step 8 –** Stop the service with the following command: `SC Stop RemoteRegistry`. -![1318_7_97c635953212043da712525588cec2d0](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1318_7_97c635953212043da712525588cec2d0.webp) +![1318_7_97c635953212043da712525588cec2d0](/img/product_docs/policypak/policypak/leastprivilege/allow/1318_7_97c635953212043da712525588cec2d0.webp) **Step 9 –** Disable the service with the following command: `SC Config RemoteRegistry Start=Disabled`. 
diff --git a/docs/policypak/policypak/leastprivilege/allow/uipathassistant.md b/docs/policypak/policypak/leastprivilege/allow/uipathassistant.md index 81c9bd6812..4b9a6ed9c3 100644 --- a/docs/policypak/policypak/leastprivilege/allow/uipathassistant.md +++ b/docs/policypak/policypak/leastprivilege/allow/uipathassistant.md 
@@ -4,18 +4,18 @@ Blocking PowerShell for everyone can also cause applications that depend on Powe properly. For example, when using the UiPath Assistant application with PowerShell blocked, the two UiPath Assistant commands below are also be blocked. -![1320_1_5c7b0bb711837088e14ba56fe0191b4e](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_1_5c7b0bb711837088e14ba56fe0191b4e.webp) +![1320_1_5c7b0bb711837088e14ba56fe0191b4e](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_1_5c7b0bb711837088e14ba56fe0191b4e.webp) -![1320_2_2b07a73f4f7ad9bd4005effc11de64c9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_2_2b07a73f4f7ad9bd4005effc11de64c9.webp) +![1320_2_2b07a73f4f7ad9bd4005effc11de64c9](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_2_2b07a73f4f7ad9bd4005effc11de64c9.webp) -![1320_3_e63350e252dcfbfbbe47a6949ab99f53](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_3_e63350e252dcfbfbbe47a6949ab99f53.webp) +![1320_3_e63350e252dcfbfbbe47a6949ab99f53](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_3_e63350e252dcfbfbbe47a6949ab99f53.webp) -![1320_4_129d10341515bde5b5cc94db70557eba](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_4_129d10341515bde5b5cc94db70557eba.webp) +![1320_4_129d10341515bde5b5cc94db70557eba](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_4_129d10341515bde5b5cc94db70557eba.webp) To work around this issue you need to create two LPM Path and Command line Executable Policies using the settings below. 
-![1320_5_0c63e13faa75539ef18a64527e8fc5c7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_5_0c63e13faa75539ef18a64527e8fc5c7.webp) +![1320_5_0c63e13faa75539ef18a64527e8fc5c7](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_5_0c63e13faa75539ef18a64527e8fc5c7.webp) For Policy # 1 use these settings: @@ -23,7 +23,7 @@ Path: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` Arguments: `*"$assemblies=(\"System\");$source=\"*` -![1320_6_53331fee44652a08986eec464b49ee4e](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_6_53331fee44652a08986eec464b49ee4e.webp) +![1320_6_53331fee44652a08986eec464b49ee4e](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_6_53331fee44652a08986eec464b49ee4e.webp) For Policy #2 use these settings: @@ -32,12 +32,12 @@ Path: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` Arguments: `"$FileContent = Get-Content -Encoding unicode %Temp%\shortcuts-params.txt; Invoke-Expression $FileContent"` -![1320_7_ee314a383e4b4e2d6f0723c6562c2fff](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/allow/1320_7_ee314a383e4b4e2d6f0723c6562c2fff.webp) +![1320_7_ee314a383e4b4e2d6f0723c6562c2fff](/img/product_docs/policypak/policypak/leastprivilege/allow/1320_7_ee314a383e4b4e2d6f0723c6562c2fff.webp) **NOTE:** For both policies above be sure to set **Ignore arguments** case to **True**, and **Comparison mode** to **Strict Equality**. -[Copy]() +[Copy](javascript:void(0);) Allowed with Path Rule 1 @@ -70,7 +70,7 @@ Allowed with Path Rule 1
``` -[Copy]() +[Copy](javascript:void(0);) Allowed with Path Rule 2 diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/childprocesses.md b/docs/policypak/policypak/leastprivilege/bestpractices/childprocesses.md index a5a1626ffc..a5595f0200 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/childprocesses.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/childprocesses.md @@ -1,14 +1,14 @@ # When to Use “Apply to Child Processes” **NOTE:** See the -[Security and Child Processes](../../video/leastprivilege/bestpractices/securitychildprocesses.md) +[Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) video for an overview of using Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager and Child Processes rules. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/when_to_use_apply_to_child.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/when_to_use_apply_to_child.webp) We suggest leaving the checkbox on for **Apply to Child Processes** when installing software. This will enable a `Setup.exe` to elevate anything it unpacks and needs to continue to install. However, diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/dontelevate.md b/docs/policypak/policypak/leastprivilege/bestpractices/dontelevate.md index 9aa4976ee4..fb61560ded 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/dontelevate.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/dontelevate.md 
@@ -1,7 +1,7 @@ # When to Use “Don’t Elevate Open/Save Dialog” **NOTE:** For more information see the -[Increase security by reducing rights on Open/Save dialogs](../../video/leastprivilege/bestpractices/opensavedialogs.md) +[Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) video on this topic. The default on all rules is **Don’t Elevate the Open/Save dialog**. @@ -9,6 +9,6 @@ The default on all rules is **Don’t Elevate the Open/Save dialog**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/when_to_use_don_t_elevate.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/when_to_use_don_t_elevate.webp) In general it should be left as is, unless there is a reason to change it. diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/examplesavoid.md b/docs/policypak/policypak/leastprivilege/bestpractices/examplesavoid.md index 97c1a90e2a..c661a00c6a 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/examplesavoid.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/examplesavoid.md @@ -7,7 +7,7 @@ processes** (which is the default. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples.webp) While these settings would ensure that the install would run uninhibited without UAC prompt interruptions, you would also be allowing all applications that have that signature to install as 
@@ -20,7 +20,7 @@ warning and a recommendation against attempting this. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_1.webp) Saying **Yes** generates an additional rule match for File info condition enabling you to get more specific than just **Signature** alone. This is the Endpoint Policy Manager (formerly PolicyPak) @@ -31,7 +31,7 @@ Policy Manager (formerly PolicyPak) Least Privilege Manager UI is requesting you ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_2.webp) Therefore, it is important not to take shortcuts. Size your privilege levels accordingly, allocating the least amount of privilege possible in order to get the job done. @@ -47,7 +47,7 @@ instance, a developer package, Cygwin has hundreds of little utilities in it lik ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_3.webp) But very few require elevation. A common mistake is to elevate all files in the folder making it easy for the admin and for the user. 
@@ -55,7 +55,7 @@ easy for the admin and for the user. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/what_not_to_do_some_examples_4.webp) However, giving full admin rights on all these utilities, without understanding the ramifications, could open the door to attacks. diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/fileinfo.md b/docs/policypak/policypak/leastprivilege/bestpractices/fileinfo.md index 22a16c370e..32cd08902d 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/fileinfo.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/fileinfo.md @@ -7,7 +7,7 @@ populated. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info.webp) The MMC-based File Info editor can read file attributes and perform work depending on the internal values of the program. 
@@ -22,14 +22,14 @@ values of the program. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_1.webp) This screen shot shows an older iTunes Setup as an additional example. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_2.webp) MSI files have different characteristics than EXE files, so Endpoint Policy Manager Least Privilege Manager has a different GUI when you are using the **File Match** condition. Here you can see the @@ -38,7 +38,7 @@ MSI and File Match GUI after Skype Installer MSI has been selected. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_3.webp) Getting the product code from the file system isn’t possible, which is why you need the Endpoint Policy Manager File Information Viewer. @@ -46,7 +46,7 @@ Policy Manager File Information Viewer. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_4.webp) To get to the information you need, use the Endpoint Policy Manager File Information Viewer (found in the Extras folder in the Download) and select the application to see some of the MSI internals, 
@@ -62,7 +62,7 @@ Product Info match for MSI files will match on all the fields highlighted in red ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_5.webp) One way to use File Info match could be to make a rule that says, "Allow install of Skype Setup .MSI, provided it is version 7 or later." In order to do that, you would make an MSI Combo rule with @@ -71,7 +71,7 @@ three conditions, as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_6.webp) The three conditions could be: @@ -85,6 +85,6 @@ for matching MSI product codes. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/deeper_dive_on_file_info_7.webp) This makes the **Product Info Condition** a powerful tool, when used alone or with a Combo rule. diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/overview.md b/docs/policypak/policypak/leastprivilege/bestpractices/overview.md index 5f8f824f42..8ceebab460 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/overview.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/overview.md 
@@ -1,7 +1,7 @@ # Best Practices **NOTE:** See the -[Best Practices for Elevating User-Based Installs](../../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) +[Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) video for an overview of Endpoint Policy Manager Least Privilege Manager best practices. Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager’s job is to overcome UAC diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/rules/commandline.md b/docs/policypak/policypak/leastprivilege/bestpractices/rules/commandline.md index 4f73a47153..1a9719c8af 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/rules/commandline.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/rules/commandline.md @@ -6,7 +6,7 @@ could occur in day-to-day use or with items that must run from a logon script an with elevated rights. **NOTE:** See the -[Prevent Users Running some commands with command lines](../../../video/leastprivilege/preventusercommands.md) +[Prevent Users Running some commands with command lines](/docs/policypak/policypak/video/leastprivilege/preventusercommands.md) video for an overview of using Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager and command-line arguments. @@ -18,7 +18,7 @@ A Combo rule addresses this issue, by using Path and Command-line argument rules ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command.webp) The first step, as shown here, is to specify the Path Condition, such as `%SYSTEMROOT%\System32\sc.exe`. 
@@ -26,7 +26,7 @@ The first step, as shown here, is to specify the Path Condition, such as ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_1.webp) For the command-line arguments in this example, the argument **stop wsearch**, which stops the Windows Search Service, is specified. @@ -34,7 +34,7 @@ Windows Search Service, is specified. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_2.webp) For **Check Mode**, there are four choices: @@ -58,7 +58,7 @@ elevated rights. ![A computer screen with a black and white text Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_3.webp) Another example would be to enable Standard Users to perform their own Registry merge. To do this, make a Combo rule, which starts with the Path Condition running `%SYSTEMROOT%\System32\reg.exe` (not 
@@ -70,7 +70,7 @@ For the Command-line Arguments, select **Strict equality**, and then specify the ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_command_4.webp) Since the arguments are being specified, a user cannot add their own .REG files; they can only add those specified by the admin (e.g., on a server where they could only read and not modify it). diff --git a/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md b/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md index 30a93d1d46..c5e7814d9c 100644 --- a/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md +++ b/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md 
@@ -19,20 +19,20 @@ file is digitally signed by a publisher. Combo rules exist for this reason. However, you can start off on the right foot by making your own Combo rules. **NOTE:** See the -[More security with Combo Rules](../../../video/leastprivilege/securitycomborules.md) video for an +[More security with Combo Rules](/docs/policypak/policypak/video/leastprivilege/securitycomborules.md) video for an overview of using Endpoint Policy Manager Least Privilege Manager and Combo rules. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable.webp) With Combo rules turned on, you can match more than one condition. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_1.webp) Combo rules are useful in a variety of situations. The most common situation occurs when you want to elevate an application to allow it to run or install. You can do this based on its digital signature 
@@ -45,7 +45,7 @@ the most secure method is **Signature** and **File Info**. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_2.webp) The Combo rule wizard is different from the Simple rule wizard. For this combo rule we will need to complete two steps. As you can see, a specific file as a reference file for Signature Condition. @@ -53,7 +53,7 @@ complete two steps. As you can see, a specific file as a reference file for Sign ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_3.webp) In the next step of the wizard for File Info, select the same file. You could also select a different file, but this isn’t normally done. @@ -61,7 +61,7 @@ different file, but this isn’t normally done. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_4.webp) Then choose the same actions as before, such as **Run with elevated privileges**. When the wizard is complete, the MMC list will demonstrate the multiple conditions in the **Condition** column with 
@@ -70,4 +70,4 @@ complete, the MMC list will demonstrate the multiple conditions in the **Conditi ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/bestpractices/rules/creating_and_using_executable_5.webp) diff --git a/docs/policypak/policypak/leastprivilege/brandcustomize.md b/docs/policypak/policypak/leastprivilege/brandcustomize.md index 7fab910d14..081425569a 100644 --- a/docs/policypak/policypak/leastprivilege/brandcustomize.md +++ b/docs/policypak/policypak/leastprivilege/brandcustomize.md @@ -1,6 +1,6 @@ # Branding and Customization -**NOTE:** See the [Branding the UI and Dialogs](../video/leastprivilege/branding.md) video for an +**NOTE:** See the [Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md) video for an overview of Branding and Customization. You can customized many of the dialogs presented to users. You start out by creating a Global @@ -9,7 +9,7 @@ Settings Policy on the Computer side. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization.webp) The settings contained here are Global, meaning that if there are conflicting settings from multiple policies only the final (last written) set is honored. Here are some example changes to the defaults 
@@ -32,11 +32,11 @@ Hereis an example of changing the Admin Approval Client Branding using Global Se ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization_1.webp) A result of changing the Admin Approval Dialog with the changed settings looks like this. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/branding_and_customization_2.webp) diff --git a/docs/policypak/policypak/leastprivilege/deny/dlls.md b/docs/policypak/policypak/leastprivilege/deny/dlls.md index 9ece5b609c..883381cb94 100644 --- a/docs/policypak/policypak/leastprivilege/deny/dlls.md +++ b/docs/policypak/policypak/leastprivilege/deny/dlls.md 
@@ -8,17 +8,17 @@ First you must turn on the option with a Global DLL policy, which may only be en ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_dlls_within_applications.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_dlls_within_applications.webp) Then create a matching rule with **New DLL Policy**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_dlls_within_applications_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_dlls_within_applications_1.webp) Then you can **Deny execution** of the DLL when it is encountered. **NOTE:** Some additional details and examples can be found in the -[How to Defend against malicious PowerShell attacks (DLLs)?](../powershell/maliciousattacks.md) +[How to Defend against malicious PowerShell attacks (DLLs)?](/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md) topic. diff --git a/docs/policypak/policypak/leastprivilege/deny/standard.md b/docs/policypak/policypak/leastprivilege/deny/standard.md index d44598be13..49e763424b 100644 --- a/docs/policypak/policypak/leastprivilege/deny/standard.md +++ b/docs/policypak/policypak/leastprivilege/deny/standard.md @@ -1,7 +1,7 @@ # Denying Standard Applications **NOTE:** For an overview of Endpoint Policy Manager performing Application control see the -[Endpoint Policy Manager Application Control with PP Least Privilege Manager](../../video/leastprivilege/applicationcontrol.md) +[Endpoint Policy Manager Application Control with PP Least Privilege Manager](/docs/policypak/policypak/video/leastprivilege/applicationcontrol.md) video. To do this, first create a rule type which matches your scenario. Then pick the condition to match. 
@@ -11,21 +11,21 @@ seen here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications.webp) Then select the **Action** type **Deny execution**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_1.webp) The MMC will take action to deny the desired user rights. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_2.webp) The result is that Firefox and every other application signed by this publisher would not run on the endpoint no matter how it made it there (even if it was properly installed). The result of a @@ -38,4 +38,4 @@ corporate policies. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_standard_applications_3.webp) diff --git a/docs/policypak/policypak/leastprivilege/deny/windowsuniversal.md b/docs/policypak/policypak/leastprivilege/deny/windowsuniversal.md index 97fa253192..6f95ecebc0 100644 --- a/docs/policypak/policypak/leastprivilege/deny/windowsuniversal.md +++ b/docs/policypak/policypak/leastprivilege/deny/windowsuniversal.md 
@@ -1,7 +1,7 @@ # Denying UWP Applications **NOTE:** For an overview of how to manage UWP applications, see the -[Manage, block and allow Windows Universal (UWP) applications](../../video/leastprivilege/windowsuniversalapplications.md) +[Manage, block and allow Windows Universal (UWP) applications](/docs/policypak/policypak/video/leastprivilege/windowsuniversalapplications.md) video. Endpoint Policy Manager can be used to manage Universal Windows Platform (UWP) applications, @@ -10,7 +10,7 @@ allowing you to block one or more applications. To do this, select **Add** > **N ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications.webp) There are several options for managing UWP apps: @@ -23,14 +23,14 @@ Here we have chosen the option for **All UWP apps**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_1.webp) Next, you can deny execution for all of the apps at one time, or allow and log them, as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_2.webp) If you choose to deny the apps, you must select your desired deny action. In this example, the default Windows block message will pop up when a user attempts to open any UWP application. 
@@ -38,7 +38,7 @@ default Windows block message will pop up when a user attempts to open any UWP a ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_3.webp) Using the other options for managing apps, you can block all Microsoft Store apps, or all Enterprise UWP apps at one time in a similar fashion. You can also allow or block specific UWP apps as well. @@ -49,7 +49,7 @@ To choose to block only designated apps, select the **Specific UWP apps** option ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_4.webp) Next, you will need to provide some information about the app, such as the Package Name and Publisher. You can retrieve this information by either pointing to it using the **Select an @@ -60,7 +60,7 @@ required information to manage the Microsoft Xbox app has been entered. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_5.webp) Next, finish creating the policy by selecting the block/allow action and further targeting the policy. @@ -73,4 +73,4 @@ the publisher are allowed to run as shown below. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/deny/denying_uwp_applications_6.webp) 
diff --git a/docs/policypak/policypak/leastprivilege/digitalsignature.md b/docs/policypak/policypak/leastprivilege/digitalsignature.md index a54ad9925b..fa0eb4a04d 100644 --- a/docs/policypak/policypak/leastprivilege/digitalsignature.md +++ b/docs/policypak/policypak/leastprivilege/digitalsignature.md @@ -4,7 +4,7 @@ Digital Signature is signed by the application vendor and it is nearly impossibl malicious content with a valid digital signature of a known application like Autodesk, Adob, etc. However, we strongly suggest securing your environment with combo rules like **Signature** with **File Info**. For more information on this topic please check this link -[More security with Combo Rules](../video/leastprivilege/securitycomborules.md). +[More security with Combo Rules](/docs/policypak/policypak/video/leastprivilege/securitycomborules.md). Certificates are generated by CA (Certification authority), such as Thawte, DigiCert, etc. Though it is possible and valid to generate more than one certificate with the same Subject Name, all trusted diff --git a/docs/policypak/policypak/leastprivilege/editrights.md b/docs/policypak/policypak/leastprivilege/editrights.md index 11acadd841..8346e58c5b 100644 --- a/docs/policypak/policypak/leastprivilege/editrights.md +++ b/docs/policypak/policypak/leastprivilege/editrights.md 
@@ -14,11 +14,11 @@ enabled. Should look like this: -![949_1_image-20230719020305-1_950x641](../../../../static/img/product_docs/policypak/policypak/leastprivilege/949_1_image-20230719020305-1_950x641.webp) +![949_1_image-20230719020305-1_950x641](/img/product_docs/policypak/policypak/leastprivilege/949_1_image-20230719020305-1_950x641.webp) -![949_2_image-20230719020305-2_950x635](../../../../static/img/product_docs/policypak/policypak/leastprivilege/949_2_image-20230719020305-2_950x635.webp) +![949_2_image-20230719020305-2_950x635](/img/product_docs/policypak/policypak/leastprivilege/949_2_image-20230719020305-2_950x635.webp) -![949_3_image-20230719020305-3_950x638](../../../../static/img/product_docs/policypak/policypak/leastprivilege/949_3_image-20230719020305-3_950x638.webp) +![949_3_image-20230719020305-3_950x638](/img/product_docs/policypak/policypak/leastprivilege/949_3_image-20230719020305-3_950x638.webp) **NOTE:** Keep in mind you are elevating the Application (Notepad in this case), not the file itself. diff --git a/docs/policypak/policypak/leastprivilege/elevate/activexitems.md b/docs/policypak/policypak/leastprivilege/elevate/activexitems.md index a47ea11237..8418b20928 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/activexitems.md +++ b/docs/policypak/policypak/leastprivilege/elevate/activexitems.md @@ -1,7 +1,7 @@ # Elevating ActiveX Items **NOTE:** For an overview of Elevating ActiveX Items see the -[Overcome UAC prompts for Active X controls](../../video/leastprivilege/uacpromptsactivex.md) video. +[Overcome UAC prompts for Active X controls](/docs/policypak/policypak/video/leastprivilege/uacpromptsactivex.md) video. ActiveX items are still important to many organizations who rely upon them. Even though Internet Explorer isn’t available anymore, ActiveX controls still work in IE Mode for Windows 10 and 11 with 
@@ -12,12 +12,12 @@ Trying to install ActiveX controls as a Standard User is not allowed. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_activex_items.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_activex_items.webp) ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_activex_items_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_activex_items_1.webp) You can use ActiveX rules and specify the CAB file you want to permit. diff --git a/docs/policypak/policypak/leastprivilege/elevate/allfiles.md b/docs/policypak/policypak/leastprivilege/elevate/allfiles.md index 0c61cc3f0a..d18c0536e8 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/allfiles.md +++ b/docs/policypak/policypak/leastprivilege/elevate/allfiles.md @@ -13,7 +13,7 @@ For FILE target type, you have to specify a file path. For instance: **Method 2: Using FOLDER and/or Folder+ Recurse type**. -![478_1_2018-10-11_1352](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/478_1_2018-10-11_1352.webp) +![478_1_2018-10-11_1352](/img/product_docs/policypak/policypak/leastprivilege/elevate/478_1_2018-10-11_1352.webp) you should specify a folder path, such as diff --git a/docs/policypak/policypak/leastprivilege/elevate/applicationextension.md b/docs/policypak/policypak/leastprivilege/elevate/applicationextension.md index 08b30707ff..354beab7f8 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/applicationextension.md +++ b/docs/policypak/policypak/leastprivilege/elevate/applicationextension.md 
@@ -5,21 +5,21 @@ **Step 1 –** Look in the Netwrix Endpoint Policy Manager (formerly PolicyPak) Event log for the blocked event to findthe name of the EXE being blocked. -![451_1_image-20200210223130-1_950x326](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_1_image-20200210223130-1_950x326.webp) +![451_1_image-20200210223130-1_950x326](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_1_image-20200210223130-1_950x326.webp) **Step 2 –** Create an EXE elevation combo rule in Least Privilege Manager for the EXE being blocked. -![451_3_image-20200210223130-2_950x592](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_3_image-20200210223130-2_950x592.webp) +![451_3_image-20200210223130-2_950x592](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_3_image-20200210223130-2_950x592.webp) **NOTE:** The more conditions evaluated, the more secure the rule will be. See this video for more details: -[Best Practices for Elevating User-Based Installs](../../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) +[Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) **Step 3 –** Apply the policy and then verify using the Endpoint Policy Manager event log of the application being Elevated. -![451_5_image-20200210223130-3_950x270](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_5_image-20200210223130-3_950x270.webp) +![451_5_image-20200210223130-3_950x270](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_5_image-20200210223130-3_950x270.webp) Method 2: Elevating RUNDLL32.exe and the .APPLICATION exactly 
@@ -30,7 +30,7 @@ default: `%programdata%\PolicyPak\PolicyPak Least Privilege Manager\ppService.log` (i.e. `C:\ProgramData\PolicyPak\PolicyPak Least Privilege Manager\ppService.log`) -![451_7_image-20200210223130-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_7_image-20200210223130-4.webp) +![451_7_image-20200210223130-4](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_7_image-20200210223130-4.webp) **NOTE:** The reason to look immediately in the log is so that we know which ppservice().log file to look in, ppservice.log is the latest log, and ppservice(n).log files are the rolled over logs. @@ -38,12 +38,12 @@ look in, ppservice.log is the latest log, and ppservice(n).log files are the rol **Step 2 –** Open the ppservice.log in notepad (or any text editor) and scroll all the way to the bottom. Start searching from the bottom upwards for the text ".application". -![451_9_image-20200210223130-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_9_image-20200210223130-5.webp) +![451_9_image-20200210223130-5](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_9_image-20200210223130-5.webp) **Step 3 –** What we are looking for is the entire command-line used to launch the .application. See below for example: -![451_11_image-20200210223130-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_11_image-20200210223130-6.webp) +![451_11_image-20200210223130-6](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_11_image-20200210223130-6.webp) Using the example above our entire command-line would be: 
@@ -55,14 +55,14 @@ Using the example above our entire command-line would be: the two settings for **Command-line arguments** and **Apply to child processes** before clicking **Next**. -![451_13_image-20200210223130-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_13_image-20200210223130-7.webp) +![451_13_image-20200210223130-7](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_13_image-20200210223130-7.webp) **Step 5 –** Enter "\*\EXE" for the PATH, replace EXE with the name of the executable mentioned in the command-line from the ppservice.log relevant to your environment, then click **Next**. In this example, the EXE name is **Rundll32.exe**. -![451_15_image-20200210223130-8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_15_image-20200210223130-8.webp) +![451_15_image-20200210223130-8](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_15_image-20200210223130-8.webp) **Step 6 –** At the next screen, copy and paste the entire command-line from the ppservice.log file into the **Command-line Arguments** section. Ensure that **Strict Equality** and **Ignore Arguments 
@@ -72,9 +72,9 @@ case** are both selected. **Step 7 –** Click **Next** then **Finish** to save the rule. -![451_17_image-20200210223130-9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_17_image-20200210223130-9.webp) +![451_17_image-20200210223130-9](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_17_image-20200210223130-9.webp) **Step 8 –** Apply the policy and then verify using the Endpoint Policy Manager event log for the application being Elevated. -![451_19_image-20200210223130-10_950x266](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/451_19_image-20200210223130-10_950x266.webp) +![451_19_image-20200210223130-10_950x266](/img/product_docs/policypak/policypak/leastprivilege/elevate/451_19_image-20200210223130-10_950x266.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/com_cslidclass.md b/docs/policypak/policypak/leastprivilege/elevate/com_cslidclass.md index efd5d9f783..ad9eaa2f42 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/com_cslidclass.md +++ b/docs/policypak/policypak/leastprivilege/elevate/com_cslidclass.md @@ -1,7 +1,7 @@ # Elevating COM / CSLID Class Items **NOTE:** For an overview of COM Class Policies, see the -[COM Support](../../video/leastprivilege/comsupport.md) video. +[COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) video. COM items are a special type of Windows process and Endpoint Policy Manager can typically elevate them if needed. Start out by understanding the CSLID value you need to overcome. For instance the 
@@ -12,14 +12,14 @@ Carefully take note of the CSLID ID before proceeding. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class.webp) Then create the policy to overcome the UAC prompt by using New > COM Class Policy. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_1.webp) You can then use three methods to provide the CSLID number: @@ -33,7 +33,7 @@ Those choices can be seen here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_2.webp) In this example we will **Add well-known COM class**. Be sure to select the exact match or the function will not work as expected. @@ -41,6 +41,6 @@ function will not work as expected. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_com_cslid_class_3.webp) After the policy applies, the COM item will have its UAC prompt overcome. diff --git a/docs/policypak/policypak/leastprivilege/elevate/controlpanelapplets.md b/docs/policypak/policypak/leastprivilege/elevate/controlpanelapplets.md index c35508210b..0165eca4db 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/controlpanelapplets.md 
+++ b/docs/policypak/policypak/leastprivilege/elevate/controlpanelapplets.md @@ -6,7 +6,7 @@ Endpoint Policy Manager can also be used to elevate situations within Windows it ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets.webp) Next, consider a situation in which a Standard User may need access to the Device Manager and the Disk Defragmenter Control Panel applets. Make two policies (going through the wizard twice). The @@ -16,21 +16,21 @@ privileges** as the action. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_1.webp) The second time you run through the wizard, choose **Optimize Drives**,. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_2.webp) The result of having gone through the wizard twice is the two MMC entries shown here. ![A screenshot of a calendar Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_3.webp) At this point, GPupdate can be run and tested on the endpoint. You should bypass the UAC prompt and be prompted for Device Manager and the Disk Defragmenter, as shown here. 
@@ -38,4 +38,4 @@ be prompted for Device Manager and the Disk Defragmenter, as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_control_panel_applets_4.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md b/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md index d04c712321..5d2e10d2f2 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md +++ b/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md @@ -4,7 +4,7 @@ When Netwrix Endpoint Policy Manager (formerly PolicyPak) elevates a process it Integrity level. **NOTE:** To learn more about this topic please see the Microsoft article on -[What is the Windows Integrity Mechanism?]() +[What is the Windows Integrity Mechanism?](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/bb625957(v=msdn.10)?redirectedfrom=MSDN) As such, a newly elevated process may not be able to communicate with a normally running process. @@ -15,6 +15,6 @@ token**. This enables you to change the Integrity level. You'll want to try Medium-High first, then fall back to Medium or Low, stopping at the first one which works. -![402_1_q3-img-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/402_1_q3-img-1.webp) +![402_1_q3-img-1](/img/product_docs/policypak/policypak/leastprivilege/elevate/402_1_q3-img-1.webp) -![402_2_q3-img-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/402_2_q3-img-2.webp) +![402_2_q3-img-2](/img/product_docs/policypak/policypak/leastprivilege/elevate/402_2_q3-img-2.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/executables.md b/docs/policypak/policypak/leastprivilege/elevate/executables.md index 5595d2de51..3e89c38aac 100644 
--- a/docs/policypak/policypak/leastprivilege/elevate/executables.md +++ b/docs/policypak/policypak/leastprivilege/elevate/executables.md @@ -1,7 +1,7 @@ # Elevating Executables **NOTE:** For an overview of how to elevate applications that need admin rights, see the -[Kill Local Admin Rights (Run applications with Least Privilege)](../../video/leastprivilege/localadminrights.md) +[Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) video. In the previous section, we observed that when a Standard User tries to run Process Monitor, they @@ -20,14 +20,14 @@ Privilege Manager** section, select **Add** > **New Executable Policy**. ![A computer screen shot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables.webp) An executable rule can be one of two types: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_1.webp) Simple rules match on a specific piece of criteria, which could include the name or location (Path), the fingerprint of the file (Hash), the company that digitally signed the file (Signature), or 
@@ -39,13 +39,13 @@ by using two conditions. You’ll then be asked if you want this policy to be related to an action within Netwrix Privilege Secure. For now, we’ll skip this (leave unchecked) and we’ll return back to it in the -[Endpoint Policy Manager & Netwrix Privilege Secure](../../integration/privilegesecure/overview.md) +[Endpoint Policy Manager & Netwrix Privilege Secure](/docs/policypak/policypak/integration/privilegesecure/overview.md) topic. Future examples will purposely omit this step until we need it. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_2.webp) In this case, use a Hash condition, which indicates, "Run ProcMon.exe with elevated rights because of the Hash (fingerprint) of the file." Select **Hash** and click **Next**. @@ -53,7 +53,7 @@ of the Hash (fingerprint) of the file." Select **Hash** and click **Next**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_3.webp) Additionally, this is where you set the settings for **Apply to child processes**. For now, leave as-is. You can learn more about this in ” in the section on“Best Practices and Miscellaneous @@ -66,7 +66,7 @@ Algorithm to use. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_4.webp) The next screen, as shown here, demonstrates possible action types and options for Endpoint Policy Manager Least Privilege Manager. 
@@ -74,7 +74,7 @@ Manager Least Privilege Manager. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_5.webp) These action types are: @@ -92,16 +92,16 @@ These action types are: These Options are: - **Apply on demand**. Enables the elevation only when application is right-clicked. For more - information on this, see[Apply on Demand Rules](../rules/apply/ondemand.md). + information on this, see[Apply on Demand Rules](/docs/policypak/policypak/leastprivilege/rules/apply/ondemand.md). - **Do not generate events**. PolicyPak logs items in the Windows event log. Setting this item configured (checked) means that events will not be logged when this process is run. - **Do not elevate Open/Save dialog**. By default Endpoint Policy Manager will prevent child processes from gaining elevation thru the Open/Save dialogs. See the - [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md) topic for additional + [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) topic for additional information. - **Show popup message**. Optional requirement to either force the user to reauthenticate and/or put in Justification text before the process starts. See the - [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md) for additional + [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) for additional information. The next page provides the opportunity to enhance this policy with these final touches: 
@@ -109,19 +109,19 @@ The next page provides the opportunity to enhance this policy with these final t - **Name** - **Comment** - **State** (default is enabled) -- **Scope**. See the [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md) for +- **Scope**. See the [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) for additional information. - **Item-Level Targeting**. See the - [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md) for additional + [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) for additional information. - **Parent Process filter**. See the - [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md) for additional + [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) for additional information. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_6.webp) Once you have made your selections, an entry in the Group Policy Management Editor is obtained, as shown in here. @@ -129,7 +129,7 @@ shown in here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_7.webp) To re-edit the policy, it is not necessary to use the wizard again. Instead, just double-click the policy entry to view it in a flat list, as shown here. Then click on any of the numbered items to 
@@ -138,9 +138,9 @@ make any changes. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_8.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_8.webp) On your endpoint, log on as the user who will obtain the GPO (e.g., EastSalesUser1), or run GPupdate. Once the GPO applies, Process Monitor will run without a UAC prompt, as demonstrated here. -![elevating_executables_9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_9.webp) +![elevating_executables_9](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_executables_9.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/installers.md b/docs/policypak/policypak/leastprivilege/elevate/installers.md index 539e05252d..5b50bccc4f 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/installers.md +++ b/docs/policypak/policypak/leastprivilege/elevate/installers.md @@ -2,7 +2,7 @@ The problem is when you elevating an application but it keeps giving the UAC prompt. -![723_1_uac](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/723_1_uac.webp) +![723_1_uac](/img/product_docs/policypak/policypak/leastprivilege/elevate/723_1_uac.webp) Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager detects Application Installers by searching for default keywords in FileDescription, ProductName, OriginalFileName, 
@@ -14,14 +14,14 @@ Default keywords are **Setup**, **Installer**, **Install**, **Upgrade**, **Updat You can extend this list by enabling the Endpoint Policy Manager ADMX setting and entering required keywords. If you don't know how to enable Endpoint Policy Manager ADMX settings then see this link: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) In this example we are going to show you how to set Ninite installer as an elevated Application Executable. **Step 1 –** Open **Properties** to view Ninite installer File Description keyword. -![723_2_image-20201103180355-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/723_2_image-20201103180355-1.webp) +![723_2_image-20201103180355-1](/img/product_docs/policypak/policypak/leastprivilege/elevate/723_2_image-20201103180355-1.webp) **Step 2 –** Browse the following location under Endpoint Policy Manager ADMX Setting and set it as shown in the screenshot: @@ -34,4 +34,4 @@ shown in the screenshot: Use additional keywords to detect Application Installers -![723_3_image-20201103180355-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/723_3_image-20201103180355-2.webp) +![723_3_image-20201103180355-2](/img/product_docs/policypak/policypak/leastprivilege/elevate/723_3_image-20201103180355-2.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/installfonts.md b/docs/policypak/policypak/leastprivilege/elevate/installfonts.md index c9d2ba451d..265d35d271 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/installfonts.md +++ b/docs/policypak/policypak/leastprivilege/elevate/installfonts.md 
@@ -14,7 +14,7 @@ you install fonts by using the either method. **Step 3 –** Select **Use Simple Rule** and click on **Next** -![467_1_img-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_1_img-1.webp) +![467_1_img-1](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_1_img-1.webp) **NOTE:** Consider choosing **Use combo rule** option for extra security. @@ -25,7 +25,7 @@ shown below. **Step 6 –** Run `GPUPDATE `on the client machine and verify the results. You can also view theabove steps in this video: -[Enable end-users to install their own fonts](../../video/leastprivilege/elevate/installfonts.md) +[Enable end-users to install their own fonts](/docs/policypak/policypak/video/leastprivilege/elevate/installfonts.md) ## Installing fonts for end-users (FOR ADMINS) @@ -46,7 +46,7 @@ Endpoint Policy Manager Scripts Manager. **Step 4 –** Select PowerShell Script from the drop-down and paste the script to install fonts. -![467_5_img-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_5_img-3.webp) +![467_5_img-3](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_5_img-3.webp) This script to Add Fonts from PowerShell is acquired from Microsoft Doc website. For more information see the Microsoft article on 
@@ -227,15 +227,15 @@ $fontsFolderPath = Get-SpecialFolder($CSIDL_FONTS)    Process-Arguments **Step 5 –** Insert the folder path for the required fonts and click **Next**. -![467_7_img-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_7_img-5.webp) +![467_7_img-5](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_7_img-5.webp) **Step 6 –** Select **Once or when forced** and click **Next** . -![467_9_img-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_9_img-6.webp) +![467_9_img-6](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_9_img-6.webp) **Step 7 –** Name the policy and click **Finish**. -![467_11_img-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_11_img-7.webp) +![467_11_img-7](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_11_img-7.webp) **Step 8 –** Run `GPUPDATE /FORCE` on theclient machine. 
@@ -245,21 +245,21 @@ $fontsFolderPath = Get-SpecialFolder($CSIDL_FONTS)    Process-Arguments Select **PowerShell Script** from the drop-down and paste the script to install fonts. - ![467_5_img-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_5_img-3.webp) + ![467_5_img-3](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_5_img-3.webp) 4. This script to Add Fonts from PowerShell is acquired from Microsoft Doc website. For more information see the Microsoft article on [Adding and Removing Fonts with Windows PowerShell](https://learn.microsoft.com/en-us/archive/blogs/deploymentguys/adding-and-removing-fonts-with-windows-powershell). 5. Insert the folder path for the required fonts and click **Next**. - ![467_7_img-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_7_img-5.webp) + ![467_7_img-5](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_7_img-5.webp) 6. Select **Once or when forced** radio button and click **Next** . - ![467_9_img-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_9_img-6.webp) + ![467_9_img-6](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_9_img-6.webp) 7. Name the policy and click **Finish**. - ![467_11_img-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/467_11_img-7.webp) + ![467_11_img-7](/img/product_docs/policypak/policypak/leastprivilege/elevate/467_11_img-7.webp) 8. Run `GPUPDATE /FORCE` on the client machine. diff --git a/docs/policypak/policypak/leastprivilege/elevate/javajarfiles.md b/docs/policypak/policypak/leastprivilege/elevate/javajarfiles.md index 9ea33d485b..f73bf49fe6 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/javajarfiles.md +++ b/docs/policypak/policypak/leastprivilege/elevate/javajarfiles.md 
@@ -2,7 +2,7 @@ **NOTE:** For an overview on elevating JAR files and also preventing .JAR files from running, which could need admin rights, see the -[Elevate (or smack down) scripts and Java JAR files](../../video/leastprivilege/elevate/scripts.md) +[Elevate (or smack down) scripts and Java JAR files](/docs/policypak/policypak/video/leastprivilege/elevate/scripts.md) video. You can use Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager to elevate a Java @@ -15,4 +15,4 @@ To start making rules for Java JAR files right-click in the window and select ** ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_java_jar_files.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_java_jar_files.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md b/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md index f40e2843ed..175054804d 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md +++ b/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md 
@@ -13,34 +13,34 @@ similar to this. **Step 3 –** Create a new **New Executable Policy**. -![203_1_image-20200229095829-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_1_image-20200229095829-1.webp) +![203_1_image-20200229095829-1](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_1_image-20200229095829-1.webp) **Step 4 –** Select **Use combo rule (advanced)** and click **NEXT**. -![203_3_image-20200229095829-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_3_image-20200229095829-2.webp) +![203_3_image-20200229095829-2](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_3_image-20200229095829-2.webp) **Step 5 –** Select **Apply command-line arguments**, leaving everything else as-is and click **NEXT**. -![203_5_image-20200229095829-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_5_image-20200229095829-3.webp) +![203_5_image-20200229095829-3](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_5_image-20200229095829-3.webp) **Step 6 –** Under **Path Condition**, click **Add** > **Add file** **...** -![203_7_image-20200229095829-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_7_image-20200229095829-4.webp) +![203_7_image-20200229095829-4](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_7_image-20200229095829-4.webp) **Step 7 –** In the Path field, type in `*\mmc.exe"` and click **OK**. 
-![203_9_image-20200229095829-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_9_image-20200229095829-5.webp) +![203_9_image-20200229095829-5](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_9_image-20200229095829-5.webp) **Step 8 –** Click on **Command-line Arguments**, select **Strict equality**, and under **Arguments** type in the exact path to `services.msc` ("`C:\Windows\system32\services.msc`") and click **NEXT**. -![203_11_image-20210521112229-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_11_image-20210521112229-2.webp) +![203_11_image-20210521112229-2](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_11_image-20210521112229-2.webp) **Step 9 –** Ensure "**Run with elevated privileges**" is selected and click **NEXT**. -![203_12_image-20200229095829-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_12_image-20200229095829-7.webp) +![203_12_image-20200229095829-7](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_12_image-20200229095829-7.webp) **Step 10 –** Name it according to your conventions (e.g. "`Elevate Services.msc`") and click **FINISH**. 
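Review bot: in the @@ -13,34 hunk of mmcsnapin.md, Step 7 (unchanged context) tells the reader to type `*\mmc.exe"` into the Path field, with a stray trailing double quote inside the code span. That string is the path condition of an elevation rule, so the literal value matters. Since the images on either side of it are being touched, fix it in the same pass so it reads `*\mmc.exe`. Step 3 also reads "Create a new **New Executable Policy**", which doubles "new".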
@@ -53,28 +53,28 @@ either through automatic or manual means. To test this out, you can use the RUN command.Be sure to type in the exact command you've specified in step 8. Only then will elevation occur. -![203_14_image001_950x730](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_14_image001_950x730.webp) +![203_14_image001_950x730](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_14_image001_950x730.webp) Additionally, you can test with a command prompt. Again, the command has to match exactly. -![203_15_image002_950x541](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_15_image002_950x541.webp) +![203_15_image002_950x541](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_15_image002_950x541.webp) **NOTE:** If you attempt other avenues, like from the Start menu or alternate command lines, they will not work. In the example below it does not work because it is notthe exact same command line. -![203_16_image003_950x496](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_16_image003_950x496.webp) +![203_16_image003_950x496](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_16_image003_950x496.webp) In order to make this work, you need to specify a second policy with alternate approved command lines. For instance, you could do this, which removes the requirement for `c:\windows\system32\services.msc` -![203_17_image004_950x475](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_17_image004_950x475.webp) +![203_17_image004_950x475](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_17_image004_950x475.webp) The result would be that the shorter command line:` mmc services.msc` is accepted and runs elevated. 
-![203_18_image005_950x579](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_18_image005_950x579.webp) +![203_18_image005_950x579](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_18_image005_950x579.webp) However, at no time would the shortest expression, of only "`services.msc`" work. The required MMC must appear before the command line. -![203_19_image006_950x612](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/203_19_image006_950x612.webp) +![203_19_image006_950x612](/img/product_docs/policypak/policypak/leastprivilege/elevate/203_19_image006_950x612.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/msiinstallerfiles.md b/docs/policypak/policypak/leastprivilege/elevate/msiinstallerfiles.md index 5ed52574d3..94cdbf84e7 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/msiinstallerfiles.md +++ b/docs/policypak/policypak/leastprivilege/elevate/msiinstallerfiles.md @@ -11,7 +11,7 @@ Installer Policy** from the drop-down menu, as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files.webp) At this point, a prompt will appear for a Simple rule or a Combo rule. For the Quick Start, we suggest choosing **Use Simple rule (recommended)** as we have shown previously. Then, on the 
@@ -20,7 +20,7 @@ available. For this Quick Start, we suggest you select **Hash**. **NOTE:** We realize that hash values often change for installers, but using Hash is only for the Quick Start. To learn how to authorize users to keep applications up to do date, learn about Combo -rules in [Best Practices and Miscellaneous Topics](../bestpractices/overviewmisc.md). +rules in [Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md). On the next page, click **Select windows installer** and select the SkypeSetup.MSI package (previously downloaded). @@ -28,7 +28,7 @@ On the next page, click **Select windows installer** and select the SkypeSetup.M ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_1.webp) You will then see the Hash information automatically entered. Click **Next**. On the Select Action page, select **Run with elevated privileges** and click **Next**. On the Settings page, enter a name @@ -37,7 +37,7 @@ for the policy and click **Finish**. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_2.webp) Now you will see an entry in the Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager MMC. 
@@ -45,7 +45,7 @@ Manager MMC. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files_3.webp) Run GPupdate on the endpoint, and then, as a Standard User, try to run the Skype MSI installer again. This time the UAC prompt is removed from the Install icon, and the MSI application should @@ -54,4 +54,4 @@ install as expected. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_msi_installer_files.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/mspfiles.md b/docs/policypak/policypak/leastprivilege/elevate/mspfiles.md index c38a865073..13d7529dc8 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/mspfiles.md +++ b/docs/policypak/policypak/leastprivilege/elevate/mspfiles.md @@ -26,7 +26,7 @@ Process is being created (2023/11/27, 12:12:23.586, PID: 6540, TID: 10096) As an example, this is how executable rules should look like. You should have **Path Condition** and **Command-Line Condition** arguments selected: -![1313_1_0f8b910ebf561185bd3320c186e39922_950x494](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/1313_1_0f8b910ebf561185bd3320c186e39922_950x494.webp) +![1313_1_0f8b910ebf561185bd3320c186e39922_950x494](/img/product_docs/policypak/policypak/leastprivilege/elevate/1313_1_0f8b910ebf561185bd3320c186e39922_950x494.webp) To achieve this result, please create a combo executable LPM rule for msiexec.exe executable: 
@@ -34,7 +34,7 @@ To achieve this result, please create a combo executable LPM rule for msiexec.ex PATH: %SYSTEMROOT%\System32\msiexec.exe ``` -![993_2_image-20231214011321-2_950x298](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/993_2_image-20231214011321-2_950x298.webp) +![993_2_image-20231214011321-2_950x298](/img/product_docs/policypak/policypak/leastprivilege/elevate/993_2_image-20231214011321-2_950x298.webp) Then, go to **Command-Line Condition** and make the following configuration: @@ -44,7 +44,7 @@ Arguments: /p "%UserProfile%\Downloads\AcrobatDCx64*.msp" Use **Strict equality** check mode. -![993_3_image-20231214011321-3_950x499](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/993_3_image-20231214011321-3_950x499.webp) +![993_3_image-20231214011321-3_950x499](/img/product_docs/policypak/policypak/leastprivilege/elevate/993_3_image-20231214011321-3_950x499.webp) For other Adobe packages (or any other software vendors) you must adjust the path to your .MSP file within your **Arguments** field. MSIEXEC.EXE should be elevated at all times while you are elevating diff --git a/docs/policypak/policypak/leastprivilege/elevate/printerdriverinstall.md b/docs/policypak/policypak/leastprivilege/elevate/printerdriverinstall.md index aebb2b6094..1f47fd2fb5 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/printerdriverinstall.md +++ b/docs/policypak/policypak/leastprivilege/elevate/printerdriverinstall.md 
@@ -4,11 +4,11 @@ These directions should only be performed if asked by support. The normal method driver installation is to use the Netwrix Endpoint Policy Manager (formerly PolicyPak) Helper tools. The following videos provide you with step by step instructions: -- [Overcome Network Card, Printer, and Remove Programs UAC prompts](../../video/leastprivilege/uacprompts.md) -- [Endpoint Policy Manager Least Priv Manager Tools Setup](../../video/leastprivilege/toolssetup.md) -- [Getting the helper tools as desktop shortcuts](../../video/leastprivilege/helperdesktopshortcut.md) -- [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](../../video/leastprivilege/ntprintdialog.md) -- [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](../../video/leastprivilege/wingui.md) +- [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) +- [Endpoint Policy Manager Least Priv Manager Tools Setup](/docs/policypak/policypak/video/leastprivilege/toolssetup.md) +- [Getting the helper tools as desktop shortcuts](/docs/policypak/policypak/video/leastprivilege/helperdesktopshortcut.md) +- [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](/docs/policypak/policypak/video/leastprivilege/ntprintdialog.md) +- [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](/docs/policypak/policypak/video/leastprivilege/wingui.md) Printui.dll is the executable file that contains the functions to install a Print driver. Currently Endpoint Policy Manager can elevate a Control Panel applet, and it can be `.CPL` or `.DLL` files. 
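Review bot: the five rewritten video links in the @@ -4,11 hunk use inconsistent product names in their link text. Two say "Endpoint Privilege Manager", one says "Endpoint Policy Manager", and the surrounding prose says "Netwrix Endpoint Policy Manager (formerly PolicyPak)". Check each link text against the title of its target page under `/docs/policypak/policypak/video/leastprivilege/` and align them. The last one, "Edit IP SETTINGS EDIT VIA WIN GUI", also repeats "Edit".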
@@ -20,7 +20,7 @@ elevating a` rundll32.exe` process using `PPLPM`. Using Endpoint Policy Manager , elevate the `rundll32.exe`, and include a command-line argument to elevate a specific DLL. Just like shown in below screenshot. -![362_1_rundll](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/362_1_rundll.webp) +![362_1_rundll](/img/product_docs/policypak/policypak/leastprivilege/elevate/362_1_rundll.webp) Rule to elevate` rundll32.exe` by PATH and COMMAND LINE (when `rundll32.exe `runs a `DLL`, the `DLL `path is specified on the command line) diff --git a/docs/policypak/policypak/leastprivilege/elevate/registry.md b/docs/policypak/policypak/leastprivilege/elevate/registry.md index f7374f1ca0..307b4daef4 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/registry.md +++ b/docs/policypak/policypak/leastprivilege/elevate/registry.md 
@@ -16,25 +16,25 @@ User Configuration side, and click ,**Least Privilege Manager**. **Step 3 –** Add new EXE Policy (a or b). -![621_1_image-20200510100624-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_1_image-20200510100624-1.webp) +![621_1_image-20200510100624-1](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_1_image-20200510100624-1.webp) **Step 4 –** Select **Use Combo Rule …** and click **NEXT**. -![621_3_image-20200510100625-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_3_image-20200510100625-2.webp) +![621_3_image-20200510100625-2](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_3_image-20200510100625-2.webp) **Step 5 –** Under **Conditions** check **Path**, and under Settings check **Command-line arguments** and **Apply to child processes** . Click **Next**. -![621_5_image-20200510100625-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_5_image-20200510100625-3.webp) +![621_5_image-20200510100625-3](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_5_image-20200510100625-3.webp) **Step 6 –** Under **Path Condition** click the **Add** drop-down and select **Add file ...**. -![621_7_image-20200510100625-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_7_image-20200510100625-4.webp) +![621_7_image-20200510100625-4](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_7_image-20200510100625-4.webp) **Step 7 –** Either browse for `regedit.exe`, or type in "`%SYSTEMROOT%\regedit.exe`" and click **OK**. -![621_9_po_950x46](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_9_po_950x46.webp) +![621_9_po_950x46](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_9_po_950x46.webp) **Step 8 –** Click on **Command-line Arguments** 
@@ -44,11 +44,11 @@ arguments** and **Apply to child processes** . Click **Next**. 3. Check **Ignore arguments case** 4. Click **Next**. - ![621_11_image-20200510100625-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_11_image-20200510100625-6.webp) + ![621_11_image-20200510100625-6](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_11_image-20200510100625-6.webp) **Step 9 –** Select **Run with elevated privileges** and Click **Next**. -![621_13_image-20200510100625-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_13_image-20200510100625-7.webp) +![621_13_image-20200510100625-7](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_13_image-20200510100625-7.webp) **Step 10 –** Rename and set Item Level Targeting if required and click **Finish**. 
@@ -69,18 +69,18 @@ Regedit.exe /s \\server\share\NewRegValue.reg **Step 3 –** Create new SCRIPT Policy (a or b). -![621_15_image-20200510100625-8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_15_image-20200510100625-8.webp) +![621_15_image-20200510100625-8](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_15_image-20200510100625-8.webp) **Step 4 –** Select **Use Combo Rule …** and click **Next**. **NOTE:** Although you can use a simple rule and simply use path as the qualifying factor, for security purposes it is recommended you have multiple qualifying factors. -![621_17_image-20200510100625-9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_3_image-20200510100625-2.webp) +![621_17_image-20200510100625-9](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_3_image-20200510100625-2.webp) **Step 5 –** Under Conditions check **Path** and **Hash** and click **Next**. -![621_19_image-20200510100625-10](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_19_image-20200510100625-10.webp) +![621_19_image-20200510100625-10](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_19_image-20200510100625-10.webp) **NOTE:** If you make changes to the script, the Hash value will need to be updated for the policy to remain valid. Alternatively, if you digitally sign your script, Signature can be used instead of 
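Review bot: the image after Step 4 in the @@ -69,18 hunk has alt text `621_17_image-20200510100625-9` but points at `621_3_image-20200510100625-2.webp`, and the rewrite carries that mismatch over unchanged. If reusing the Step 4 screenshot from the first procedure is intended, make the alt text say what the image shows ("Use Combo Rule" selection) rather than naming a file that is not the one linked. If it is not intended, point the link at the `621_17` image. The other two images in this hunk have matching alt text and file names.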
@@ -88,22 +88,22 @@ Hash as the second method of validation. **Step 6 –** Under Path Condition click the **Add** drop-down and select .**Add file ...**. -![621_21_image-20200510100625-11](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_21_image-20200510100625-11.webp) +![621_21_image-20200510100625-11](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_21_image-20200510100625-11.webp) **Step 7 –** Browse to the location of the` PowerShell script -> When Prompted`, allow to automatically fill in Hash value, -![621_23_image-20200510100625-12](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_23_image-20200510100625-12.webp) +![621_23_image-20200510100625-12](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_23_image-20200510100625-12.webp) -![621_25_image-20200510100625-13](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_25_image-20200510100625-13.webp) +![621_25_image-20200510100625-13](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_25_image-20200510100625-13.webp) **Step 8 –** Click on **Hash Condition** to confirm Value has been `set -> If desired`, and change algorithm to setting of . -![621_27_image-20200510100625-14](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_27_image-20200510100625-14.webp) +![621_27_image-20200510100625-14](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_27_image-20200510100625-14.webp) **Step 9 –** Select "**Run with elevated privileges**and click **Next**. -![621_29_image-20200510100625-15](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/621_13_image-20200510100625-7.webp) +![621_29_image-20200510100625-15](/img/product_docs/policypak/policypak/leastprivilege/elevate/621_13_image-20200510100625-7.webp) **Step 10 –** Rename and set Item Level Targeting if required and click **Finish**. 
diff --git a/docs/policypak/policypak/leastprivilege/elevate/scripts.md b/docs/policypak/policypak/leastprivilege/elevate/scripts.md index a14bdf7764..9ef1620fac 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/scripts.md +++ b/docs/policypak/policypak/leastprivilege/elevate/scripts.md @@ -2,7 +2,7 @@ **NOTE:** For an overview on elevating scripts and preventing scripts from running, which could need admin rights, see the -[Elevate (or smack down) scripts and Java JAR files](../../video/leastprivilege/elevate/scripts.md) +[Elevate (or smack down) scripts and Java JAR files](/docs/policypak/policypak/video/leastprivilege/elevate/scripts.md) video. You might need to elevate a script that has contents that would perform admin-only functions, like @@ -16,7 +16,7 @@ Kick off the process to create a policy for scripts by going to **Add** > **New ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_scripts.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/elevate/elevating_scripts.webp) The script types that are supported for elevation and for blocking are: diff --git a/docs/policypak/policypak/leastprivilege/elevate/singlelinecommands.md b/docs/policypak/policypak/leastprivilege/elevate/singlelinecommands.md index ee49d710fd..3d768402d8 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/singlelinecommands.md +++ b/docs/policypak/policypak/leastprivilege/elevate/singlelinecommands.md 
@@ -8,8 +8,8 @@ Abc.exe /switch1 parameter=XYZ /switch2 An example of elevating the SCCM computer setup can be seen below: -![479_1_pplpm-faq2-image001](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/479_1_pplpm-faq2-image001.webp) +![479_1_pplpm-faq2-image001](/img/product_docs/policypak/policypak/leastprivilege/elevate/479_1_pplpm-faq2-image001.webp) -![479_2_pplpm-faq2-image002](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/479_2_pplpm-faq2-image002.webp) +![479_2_pplpm-faq2-image002](/img/product_docs/policypak/policypak/leastprivilege/elevate/479_2_pplpm-faq2-image002.webp) -![479_3_pplpm-faq2-image003](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/479_3_pplpm-faq2-image003.webp) +![479_3_pplpm-faq2-image003](/img/product_docs/policypak/policypak/leastprivilege/elevate/479_3_pplpm-faq2-image003.webp) diff --git a/docs/policypak/policypak/leastprivilege/elevate/windowsdefender.md b/docs/policypak/policypak/leastprivilege/elevate/windowsdefender.md index e4f085b15e..3a7d92c42e 100644 --- a/docs/policypak/policypak/leastprivilege/elevate/windowsdefender.md +++ b/docs/policypak/policypak/leastprivilege/elevate/windowsdefender.md 
@@ -4,31 +4,31 @@ For detailed steps on how to elevate the Windows Defender Firewall snap-in, replacing Services.msc with WF.msc, see -[How do I elevate MMC snap ins without granting administrative rights?](mmcsnapin.md) +[How do I elevate MMC snap ins without granting administrative rights?](/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md) ## Option 2: **Step 1 –** Identify the Windows Defender Firewall CLSID you need to elevate based on the UAC message. -![577_1_image-20230927113514-1_387x437](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_1_image-20230927113514-1_387x437.webp) +![577_1_image-20230927113514-1_387x437](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_1_image-20230927113514-1_387x437.webp) **Step 2 –** Create a Least Privilege Manager COM Class policy. -![577_2_image-20230927113655-2_403x344](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_2_image-20230927113655-2_403x344.webp) +![577_2_image-20230927113655-2_403x344](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_2_image-20230927113655-2_403x344.webp) **Step 3 –** Choose the well-known COM Class option from the drop-down. -![577_3_image-20230927113824-3_527x314](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_3_image-20230927113824-3_527x314.webp) +![577_3_image-20230927113824-3_527x314](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_3_image-20230927113824-3_527x314.webp) **Step 4 –** Select the COM Class needed, then click **Add selected**. 
-![577_4_image-20230927113909-4_724x208](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_4_image-20230927113909-4_724x208.webp) +![577_4_image-20230927113909-4_724x208](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_4_image-20230927113909-4_724x208.webp) **Step 5 –** Ensure the **Run with elevated privileges** option is selected, then click **Next**. -![577_5_image-20230927114034-5_592x320](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_5_image-20230927114034-5_592x320.webp) +![577_5_image-20230927114034-5_592x320](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_5_image-20230927114034-5_592x320.webp) **Step 6 –** Click **Finish** to save the policy. -![577_6_image-20230927114305-7_599x423](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/elevate/577_6_image-20230927114305-7_599x423.webp) +![577_6_image-20230927114305-7_599x423](/img/product_docs/policypak/policypak/leastprivilege/elevate/577_6_image-20230927114305-7_599x423.webp) diff --git a/docs/policypak/policypak/leastprivilege/events/auditingsettings/localadmins.md b/docs/policypak/policypak/leastprivilege/events/auditingsettings/localadmins.md index 721ec568c0..15c2e25b95 100644 --- a/docs/policypak/policypak/leastprivilege/events/auditingsettings/localadmins.md +++ b/docs/policypak/policypak/leastprivilege/events/auditingsettings/localadmins.md 
@@ -12,7 +12,7 @@ as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_for_elevated_apps.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_for_elevated_apps.webp) With the auditing information, you can make a Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager Elevate rule to overcome this when the user is transitioning from being a local diff --git a/docs/policypak/policypak/leastprivilege/events/auditingsettings/overview.md b/docs/policypak/policypak/leastprivilege/events/auditingsettings/overview.md index 1c15bc6e71..18723f6ac4 100644 --- a/docs/policypak/policypak/leastprivilege/events/auditingsettings/overview.md +++ b/docs/policypak/policypak/leastprivilege/events/auditingsettings/overview.md @@ -23,14 +23,14 @@ either user or computer side. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/auditing_settings.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/auditing_settings.webp) When you create a Global Settings Policy, you can choose to turn on the settings shown here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/auditing_settings_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/auditing_settings_1.webp) Enabling these settings will write special events to the event logs. diff --git a/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusers.md b/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusers.md index f928c13ac5..92c1a7ab06 100644 
--- a/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusers.md +++ b/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusers.md @@ -11,7 +11,7 @@ off**. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_for_elevated_apps_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_for_elevated_apps_1.webp) **NOTE:** At this time, Endpoint Policy Manager (formerly PolicyPak) Least Privilege Managerr Discovery cannot detect some scenarios that may trigger UAC prompts which should be recorded. These diff --git a/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusersuntrusted.md b/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusersuntrusted.md index e785871913..5fb7846722 100644 --- a/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusersuntrusted.md +++ b/docs/policypak/policypak/leastprivilege/events/auditingsettings/standardusersuntrusted.md @@ -14,7 +14,7 @@ SecureRun™ was enabled. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_of_untrusted_standard.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/auditingsettings/discovery_of_untrusted_standard.webp) The audit is only triggered when one of the following is true: diff --git a/docs/policypak/policypak/leastprivilege/events/client.md b/docs/policypak/policypak/leastprivilege/events/client.md index 78ec138e20..afe18c0ab1 100644 --- a/docs/policypak/policypak/leastprivilege/events/client.md +++ b/docs/policypak/policypak/leastprivilege/events/client.md 
@@ -7,4 +7,4 @@ Privilege Manager policies. An example of this kind of event can be seen here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/client_events.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/client_events.webp) diff --git a/docs/policypak/policypak/leastprivilege/events/createpolicy/audit.md b/docs/policypak/policypak/leastprivilege/events/createpolicy/audit.md index 7493a3dd60..4e3194887b 100644 --- a/docs/policypak/policypak/leastprivilege/events/createpolicy/audit.md +++ b/docs/policypak/policypak/leastprivilege/events/createpolicy/audit.md 
@@ -5,20 +5,20 @@ automatically create rules from events. If you are using Endpoint Policy Manager Cloud you can store events from endpoints and then automatically transition those events to rules. See the -[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../../../video/leastprivilege/cloudevents.md) +[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md) video for additional information. If you have stored Windows events, you can use the details from those events to make rules using the MMC snap-in. **NOTE:** See the -[Auto-Create Policy from Global Audit event](../../../video/leastprivilege/globalauditevent.md)video +[Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md)video for a demonstration of this. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit.webp) Then you can follow the wizard and paste in Event log details for supported Endpoint Policy Manager Event IDs. 
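Review bot: In the **NOTE:** paragraph of createpolicy/audit.md, the rewritten link line still ends in `globalauditevent.md)video`, with no space between the closing parenthesis and "video", so the word renders fused to the link text. The line is already being changed here, so add the space in the same edit.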
@@ -26,14 +26,14 @@ Event IDs. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_1.webp) In this example, a 6301 (SecureRun) event can be made into a rule with Copy / Paste like this. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_2.webp) After pasting it in, the Wizard recommends some Actions, Conditions and Settings. You’re welcome to change these as you need to for your situation. @@ -41,11 +41,11 @@ change these as you need to for your situation. ![A screenshot of a computer screen Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_3.webp) The result is a policy which performs the action (Elevate or Allow and Log). ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_audit_4.webp) diff --git a/docs/policypak/policypak/leastprivilege/events/createpolicy/cloud.md b/docs/policypak/policypak/leastprivilege/events/createpolicy/cloud.md index 796c51b6ea..301a18b847 100644 --- a/docs/policypak/policypak/leastprivilege/events/createpolicy/cloud.md 
+++ b/docs/policypak/policypak/leastprivilege/events/createpolicy/cloud.md 
@@ -10,29 +10,29 @@ Event Collector, you will need to complete the following steps: **Step 1 –** Select the Company Group you want to push events to Endpoint Policy Manager Cloud and select **Edit Group**. -![creating_policy_from_policypak](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak.webp) +![creating_policy_from_policypak](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak.webp) **Step 2 –** Select the **Event Collector**,Refresh interval for computers time setting. -![creating_policy_from_policypak_1](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_1.webp) +![creating_policy_from_policypak_1](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_1.webp) **Step 3 –** Select the Event IDs you want to collect. -![creating_policy_from_policypak_2](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_2.webp) +![creating_policy_from_policypak_2](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_2.webp) **NOTE:** You can select the drop-down option to select the Event IDs. See the -[List of Endpoint Policy Manager Event Categories and IDs](../../../tips/eventcategories.md) topic +[List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) topic for a list of Endpoint Policy Manager Event IDs. **Step 4 –** Go to the Reports section to see the events that have been generated. 
-![creating_policy_from_policypak_3](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_3.webp) +![creating_policy_from_policypak_3](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_3.webp) **Step 5 –** Use the Generate Rule(s) wizard to create policies from forwarded events. -![creating_policy_from_policypak_4](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_4.webp) +![creating_policy_from_policypak_4](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_4.webp) **Step 6 –** Final Result: a Rule is created and you can edit the policy name and/or change the conditions if needed. -![creating_policy_from_policypak_5](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_5.webp) +![creating_policy_from_policypak_5](/img/product_docs/policypak/policypak/leastprivilege/events/createpolicy/creating_policy_from_policypak_5.webp) diff --git a/docs/policypak/policypak/leastprivilege/events/operational.md b/docs/policypak/policypak/leastprivilege/events/operational.md index 62139d3eea..2b0506489a 100644 --- a/docs/policypak/policypak/leastprivilege/events/operational.md +++ b/docs/policypak/policypak/leastprivilege/events/operational.md @@ -7,7 +7,7 @@ Events in section are divided into the following categories: - Audit/Discovery events (Event ID 6200+) - Admin Approval events (Event ID 6300+) -See the [List of Endpoint Policy Manager Event Categories and IDs](../../tips/eventcategories.md) +See the [List of Endpoint Policy Manager Event Categories and IDs](/docs/policypak/policypak/tips/eventcategories.md) topic for all event IDs. Each event ID will have the following fields: 
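Review bot: The category list in the context lines of this events/operational.md hunk labels Event ID 6300+ as Admin Approval events, while createpolicy/audit.md in this same patch describes "a 6301 (SecureRun) event". Anyone building event filters from these pages needs the two to agree, so check both against the eventcategories.md topic that the rewritten link points to. The lead-in "Events in section are divided" is also missing a word ("in this section").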
@@ -50,11 +50,11 @@ chooses a reason code, as seen here, that is what is recorded within the event o ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/operational_events.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/operational_events.webp) An example of Event 613 can be seen here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/operational_events_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/operational_events_1.webp) diff --git a/docs/policypak/policypak/leastprivilege/events/overview.md b/docs/policypak/policypak/leastprivilege/events/overview.md index 8090636df1..f42010d886 100644 --- a/docs/policypak/policypak/leastprivilege/events/overview.md +++ b/docs/policypak/policypak/leastprivilege/events/overview.md @@ -3,7 +3,7 @@ Endpoint Policy ManagerLeast Privilege Manager uses Windows event logs to generate interesting events that you can audit. You can use these events to audit what has occurred. -**NOTE:** See the [Events](../../video/leastprivilege/events.md) video for a demo of the Endpoint +**NOTE:** See the [Events](/docs/policypak/policypak/video/leastprivilege/events.md) video for a demo of the Endpoint Policy Manager Least Privilege Manager Events in action. You can also use these events, before you fully roll out Endpoint Policy Manager Least Privilege 
@@ -11,7 +11,7 @@ Manager, to discover what rules you would need to make when you transition from to SecureRun™. **NOTE:** See the -[Use Discovery to know what rules to make as you transition from Local Admin rights](../../video/leastprivilege/discovery.md) +[Use Discovery to know what rules to make as you transition from Local Admin rights](/docs/policypak/policypak/video/leastprivilege/discovery.md) video for a demo of Endpoint Policy Manager Least Privilege Manager Discovery in action. Events are logged on each endpoint machine and only when the interesting event occurs. You can find 
@@ -22,19 +22,19 @@ forwarding to capture and forward events from multiple machines. In this way you multiple users are doing and look through the events for interesting ideas to convert into rules. - See the - [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](../windowseventforwarding.md) + [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) topic to learn more about event forwarding. - You can also use Netwrix Auditor to capture events from endpoints to bring them to a centralized source for investigation. See the - [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](../../integration/auditor/reports.md) + [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](/docs/policypak/policypak/integration/auditor/reports.md) topic for additional information. - You can use Azure Log Analytics to store Endpoint Policy Manager Least Privilege Manager events. See the - [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](../../tips/eventlogs.md) + [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](/docs/policypak/policypak/tips/eventlogs.md) topic for additional information. - You can use Endpoint Policy Manager Cloud to store Endpoint Policy ManagerLeast Privilege Manager events and make rules from stored events. See the - [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../../video/leastprivilege/cloudevents.md)video + [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md)video for additional information. Endpoint Policy Manager Least Privilege Manager has two event sources, which can be seen in Event 
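Review bot: The last bullet of this events/overview.md hunk carries two run-together strings: the new link line ends in `cloudevents.md)video` with no space before "video", and the context line above it reads "Endpoint Policy ManagerLeast Privilege Manager events". Both are in or next to lines this change rewrites, so fix the spacing here rather than carrying it forward.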
@@ -46,4 +46,4 @@ Viewer. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/events/discovery_auditing_and_events.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/events/discovery_auditing_and_events.webp) diff --git a/docs/policypak/policypak/leastprivilege/export.md b/docs/policypak/policypak/leastprivilege/export.md index 73533cafb1..f559b038ea 100644 --- a/docs/policypak/policypak/leastprivilege/export.md +++ b/docs/policypak/policypak/leastprivilege/export.md @@ -1,6 +1,6 @@ # Exporting Policies and Collections -The [MDM & UEM Tools](../mdm/overview.md) topics explain how to use the Endpoint Policy Manager +The [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) topics explain how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. To export a policy for later use using Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud, 
@@ -9,13 +9,13 @@ an XML file, which you can use later. **NOTE:** For more information on how to use Endpoint Policy Manager Least Privilege Manager and Endpoint Policy Manager Cloud, please see the -[Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](../video/leastprivilege/cloudrules.md) -and the [Using Least Privilege Manager with your MDM service](../video/leastprivilege/mdm.md) +[Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](/docs/policypak/policypak/video/leastprivilege/cloudrules.md) +and the [Using Least Privilege Manager with your MDM service](/docs/policypak/policypak/video/leastprivilege/mdm.md) videos, ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/exporting_policies_and_collections.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/exporting_policies_and_collections.webp) **NOTE:** Exported collections or policies maintain any Item-Level Targeting set within them. diff --git a/docs/policypak/policypak/leastprivilege/itemleveltargeting.md b/docs/policypak/policypak/leastprivilege/itemleveltargeting.md index 33ea1b9cc5..1f31a848c0 100644 --- a/docs/policypak/policypak/leastprivilege/itemleveltargeting.md +++ b/docs/policypak/policypak/leastprivilege/itemleveltargeting.md @@ -2,7 +2,7 @@ **NOTE:** For more information on Endpoint Policy Manager Least Privilege Manager and Item Level Targeting, please see the -[Endpoint Privilege Manager: Use Item Level Targeting to hone in when rules apply.](../video/leastprivilege/itemleveltargeting.md) +[Endpoint Privilege Manager: Use Item Level Targeting to hone in when rules apply.](/docs/policypak/policypak/video/leastprivilege/itemleveltargeting.md) video. Item-Level Targeting is used in Microsoft Group Policy Preferences and other areas of Endpoint 
@@ -17,14 +17,14 @@ another for West Sales Users. . ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with.webp) Below you can see two created collections that can hold other collections or policies. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_1.webp) Right-click any Endpoint Policy Manager Least Privilege Manager Collection or Policy and select **Change Item-Level Targeting**, to set filtering conditions on when the policy will apply. @@ -32,14 +32,14 @@ Right-click any Endpoint Policy Manager Least Privilege Manager Collection or Po ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_2.webp) The **Change Item Level Targeting** menu item brings up the Targeting Editor. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_3.webp) You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy Preferences’ Item-Level Targeting will be at home in this interface as it is 
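Review bot: Both image lines in this itemleveltargeting.md hunk keep the alt text "A screenshot of a computer Description automatically generated", split across a line break inside the brackets. That text says nothing about what the screenshot shows (the right-click menu and the Targeting Editor, per the surrounding sentences). Since every one of these image lines is being rewritten for the path change, replace the alt text with a short description of each screenshot.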
@@ -53,7 +53,7 @@ Not**. **NOTE:** Additionally, Endpoint Policy Manager Least Privilege Manager allows you to target users or user groups, even if the policy is on the computer side. See the -[Link to Computer, Filter by User](../video/leastprivilege/userfilter.md) video for details on this +[Link to Computer, Filter by User](/docs/policypak/policypak/video/leastprivilege/userfilter.md) video for details on this superpower. Below are some real-world examples of how you can use Item-Level Targeting. @@ -79,7 +79,7 @@ Level Targeting, as seen below. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/item_level_targeting_with_4.webp) When Item-Level Targeting is on, the policy won’t apply unless the conditions are true. If Item-Level Targeting is applied to a collection, then none of the items in the collection will apply diff --git a/docs/policypak/policypak/leastprivilege/license.md b/docs/policypak/policypak/leastprivilege/license.md index 51f4b008c3..c5608dd9e2 100644 --- a/docs/policypak/policypak/leastprivilege/license.md +++ b/docs/policypak/policypak/leastprivilege/license.md @@ -3,7 +3,7 @@ The Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager UI has designations for Standard and Complete licenses. -![839_1_img-01](../../../../static/img/product_docs/policypak/policypak/leastprivilege/839_1_img-01.webp) +![839_1_img-01](/img/product_docs/policypak/policypak/leastprivilege/839_1_img-01.webp) The breakdown of functions is as follows: 
@@ -28,8 +28,8 @@ Complete: You can look in your license file and see which license you are granted. -![839_3_img-02](../../../../static/img/product_docs/policypak/policypak/leastprivilege/839_3_img-02.webp) +![839_3_img-02](/img/product_docs/policypak/policypak/leastprivilege/839_3_img-02.webp) You can also see the license type within the MMC console if you have this type of license installed. -![839_5_img-03](../../../../static/img/product_docs/policypak/policypak/leastprivilege/839_5_img-03.webp) +![839_5_img-03](/img/product_docs/policypak/policypak/leastprivilege/839_5_img-03.webp) diff --git a/docs/policypak/policypak/leastprivilege/mac/logs.md b/docs/policypak/policypak/leastprivilege/mac/logs.md index e2c46fe857..59c56a851d 100644 --- a/docs/policypak/policypak/leastprivilege/mac/logs.md +++ b/docs/policypak/policypak/leastprivilege/mac/logs.md @@ -9,7 +9,7 @@ The Endpoint Policy Manager logs are located in /Library/Application Support/Pol requested by Support, zip up these three logs. As the customer, you can find useful information within policypakd.log and cloud.log (details below). -![1329_1_6e10551394ec326177434ffc228df475](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_1_6e10551394ec326177434ffc228df475.webp) +![1329_1_6e10551394ec326177434ffc228df475](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_1_6e10551394ec326177434ffc228df475.webp) ### Understanding Endpoint Policy ManagerD.Log 
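Review bot: The heading in the trailing context of this mac/logs.md hunk reads "### Understanding Endpoint Policy ManagerD.Log", while the paragraph just above names the file as policypakd.log. The heading looks like a product-name substitution applied to a filename. Restore it to "Understanding policypakd.log" so that readers collecting logs for Support look for the file that actually exists.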
@@ -20,11 +20,11 @@ is a policy. No Existing Policy -![1329_2_d6a33d883a790b8367004838c34e770f](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_2_d6a33d883a790b8367004838c34e770f.webp) +![1329_2_d6a33d883a790b8367004838c34e770f](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_2_d6a33d883a790b8367004838c34e770f.webp) Policy Exists -![1329_3_4b3667fda4b8ee8bc6b9d9a09ef88ee8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_3_4b3667fda4b8ee8bc6b9d9a09ef88ee8.webp) +![1329_3_4b3667fda4b8ee8bc6b9d9a09ef88ee8](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_3_4b3667fda4b8ee8bc6b9d9a09ef88ee8.webp) ### Understanding Cloud.log @@ -35,7 +35,7 @@ were either Allowed, Elevated or Blocked by Endpoint Policy Manager policies. policypakd.log will tell not only what processes were affected by policies, but also what processes weren’t – and maybe should have been. -![1329_4_30c21b2015b47e5d92143f82a31997eb](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_4_30c21b2015b47e5d92143f82a31997eb.webp) +![1329_4_30c21b2015b47e5d92143f82a31997eb](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_4_30c21b2015b47e5d92143f82a31997eb.webp) ## Setting up Endpoint Policy Manager Cloud Groups for Event Collection 
@@ -70,11 +70,11 @@ group. **Step 2 –** Click on **Add/Remove Computer from Group** (under Actions). -![1329_5_cd439679970dd94379dc97da3de13756](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_5_cd439679970dd94379dc97da3de13756.webp) +![1329_5_cd439679970dd94379dc97da3de13756](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_5_cd439679970dd94379dc97da3de13756.webp) **Step 3 –** Click **Available Computers**. -![1329_6_89a9d67a0c348b5ab03d304ea9392884](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_6_89a9d67a0c348b5ab03d304ea9392884.webp) +![1329_6_89a9d67a0c348b5ab03d304ea9392884](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_6_89a9d67a0c348b5ab03d304ea9392884.webp) **Step 4 –** Check the ones to add and click **Add**. @@ -83,7 +83,7 @@ Event Collection Configuration To configure Event Collection, highlight the group and click **Edit Group** under Actions. On the resulting pop-up window, click on the **Event Collector** tab. -![1329_7_44a2bef19cdb90973520bb3702397eb4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_7_44a2bef19cdb90973520bb3702397eb4.webp) +![1329_7_44a2bef19cdb90973520bb3702397eb4](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_7_44a2bef19cdb90973520bb3702397eb4.webp) The **Event submission interval** dictates how often the logs get uploaded to the cloud. This is separate and distinct from the **Refresh interval for computers** on the previous tab, which 
@@ -97,7 +97,7 @@ When **Selected Events** is selected, clicking on the Info icon brings up a list can be selected. In the image below are highlighted the two Event types that shown in the cloud.log example above. -![1329_8_464e110a1254c22ecac8a612b13ffc76](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_8_464e110a1254c22ecac8a612b13ffc76.webp) +![1329_8_464e110a1254c22ecac8a612b13ffc76](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_8_464e110a1254c22ecac8a612b13ffc76.webp) Notes on Collection configuration: @@ -108,7 +108,7 @@ Notes on Collection configuration: all selected IDs will be included and uploaded in the shortest interval set. See the -[How can I keep the same or specify different parameters for Event Collection for child groups? How does a computer behave if a member of multiple groups?](../../cloud/eventcollection/childgroups.md) +[How can I keep the same or specify different parameters for Event Collection for child groups? How does a computer behave if a member of multiple groups?](/docs/policypak/policypak/cloud/eventcollection/childgroups.md) topic for additional information. Forcing Event submission @@ -118,7 +118,7 @@ cloud.log file with the following command: `policypak cloud-push-logs` -![1329_9_e5dddf2ba28a115aa5782c49a21fbac6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_9_e5dddf2ba28a115aa5782c49a21fbac6.webp) +![1329_9_e5dddf2ba28a115aa5782c49a21fbac6](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_9_e5dddf2ba28a115aa5782c49a21fbac6.webp) **NOTE:** This command can be run by a standard user. It does not require elevated or administrative rights to perform. 
@@ -128,20 +128,20 @@ rights to perform. All the collected events can be accessed through the **Computers (Collected Events)** report on the Reports tab and selecting **Endpoint Policy Manager Least Privilege Manager for macOS**. -![1329_10_2ab64dc549729d2f51cdf61ab7d88108](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_10_2ab64dc549729d2f51cdf61ab7d88108.webp) +![1329_10_2ab64dc549729d2f51cdf61ab7d88108](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_10_2ab64dc549729d2f51cdf61ab7d88108.webp) Next, configure the time period you want to report on. The default is the beginning of the day, but this can be altered to the desired start and stop time and date. Click **Show** to see the results. -![1329_11_7135ed6ab54692983796dd995a2517e4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_11_7135ed6ab54692983796dd995a2517e4.webp) +![1329_11_7135ed6ab54692983796dd995a2517e4](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_11_7135ed6ab54692983796dd995a2517e4.webp) The results can be filtered to show only the desired information. For example, show only specific computers or only Elevation events. Every column can be filtered by clicking on the ellipsis within the column header. -![1329_12_3996f6bea2016ba07eaf96f5c05b43c0](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_12_3996f6bea2016ba07eaf96f5c05b43c0.webp) +![1329_12_3996f6bea2016ba07eaf96f5c05b43c0](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_12_3996f6bea2016ba07eaf96f5c05b43c0.webp) For offline analysis, the report can be exported to either Excel or, if very large, CSV format. This can be done before or after filtering. 
-![1329_13_50b225886bba8747a9460411f4662cc9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_13_50b225886bba8747a9460411f4662cc9.webp) +![1329_13_50b225886bba8747a9460411f4662cc9](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_13_50b225886bba8747a9460411f4662cc9.webp) diff --git a/docs/policypak/policypak/leastprivilege/overview.md b/docs/policypak/policypak/leastprivilege/overview.md index f667081f76..68847ab579 100644 --- a/docs/policypak/policypak/leastprivilege/overview.md +++ b/docs/policypak/policypak/leastprivilege/overview.md @@ -3,7 +3,7 @@ About Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager Before reading this section, please ensure you have read the -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md) topics, which will help +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) topics, which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -13,7 +13,7 @@ you learn to do the following: Optionally, this manual demonstrates how to use on-prem Active Directory and Group Policy to deploy Endpoint Policy Manager Least Privilege Manager directives. If you don't want to use Group Policy, -read the [MDM & UEM Tools](../mdm/overview.md) topics for additional information on how to deploy +read the [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) topics for additional information on how to deploy your directives. Endpoint Policy Manager Least Privilege Manager enables you to do the following: 
@@ -30,7 +30,7 @@ prompt. A Standard User doesn’t have the right permissions, and that’s where Least Privilege Manager can come in. **NOTE:** For more information on this issue, watch the -[Kill Local Admin Rights (Run applications with Least Privilege)](../video/leastprivilege/localadminrights.md) +[Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) video. The basic way to use Endpoint Policy Manager Least Privilege Manager is as follows: @@ -48,13 +48,13 @@ The basic way to use Endpoint Policy Manager Least Privilege Manager is as follo - Microsoft SCCM (See theDeploy Endpoint Policy Manager Settings Using SCCM or Other Management System! video overview for additional information.) - Microsoft Intune (See the - [Using Least Privilege Manager with your MDM service](../video/leastprivilege/mdm.md) video + [Using Least Privilege Manager with your MDM service](/docs/policypak/policypak/video/leastprivilege/mdm.md) video overview for additional information.) - Your own systems management software (PDQ Deploy or similar) (See the - [Deploying Apps that Require Admin Rights Using Endpoint Policy Manager and PDQ Deploy](../video/leastprivilege/integration/pdqdeploy.md) + [Deploying Apps that Require Admin Rights Using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/leastprivilege/integration/pdqdeploy.md) video overview for additional information.) - Endpoint Policy Manager Cloud service (See the - [Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](../video/leastprivilege/cloudrules.md) + [Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](/docs/policypak/policypak/video/leastprivilege/cloudrules.md) video overview for additional information.) Then allow the client machine with the Endpoint Policy Manager client-side extension (CSE) to 
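Review bot: the Microsoft SCCM bullet in this hunk's unchanged context reads `(See theDeploy Endpoint Policy Manager Settings Using SCCM or Other Management System! video overview ...)`, with no link markup and "the" fused to the title, while the Intune, PDQ Deploy and Cloud bullets next to it each receive a rewritten `/docs/policypak/policypak/video/leastprivilege/...` target. Since this change is a link cleanup over the same list, restore the missing link for that bullet here or open a follow-up for it, so the list does not keep one reference that readers cannot follow.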
@@ -88,7 +88,7 @@ Endpoint Policy Manager Cloud enables you to create Endpoint Policy ManagerLeast directives using the in-cloud editors and connect endpoints (Windows and Mac) to get Endpoint Policy Manager Least Privilege Manager directives. -![overview1](../../../../static/img/product_docs/policypak/policypak/leastprivilege/overview1.webp) +![overview1](/img/product_docs/policypak/policypak/leastprivilege/overview1.webp) While this manual mostly demonstrates concepts using the Group Policy editor, nearly everything can be done using the in-Endpoint Policy Manager-Cloud editors. Additionally, you can take on-prem MMC @@ -103,7 +103,7 @@ Templates Manager and our other products’ XML files and wrap them into a porta deployment using Microsoft Endpoint Manager (SCCM and Intune), or your own systems management software. -The [MDM & UEM Tools](../mdm/overview.md) topics explain how to use the Endpoint Policy Manager +The [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) topics explain how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. diff --git a/docs/policypak/policypak/leastprivilege/overview/knowledgebase.md b/docs/policypak/policypak/leastprivilege/overview/knowledgebase.md index 24b65e8095..aaee5369c9 100644 --- a/docs/policypak/policypak/leastprivilege/overview/knowledgebase.md +++ b/docs/policypak/policypak/leastprivilege/overview/knowledgebase.md 
@@ -4,85 +4,85 @@ See the following Knowledge Base articles for Least Privilege Manager. ## Licensing -- [What is the difference between Endpoint Privilege Manager Standard and Complete licenses?](../license.md) +- [What is the difference between Endpoint Privilege Manager Standard and Complete licenses?](/docs/policypak/policypak/leastprivilege/license.md) ## Tips (How does PPLPM work?) -- [Which account does an elevated process run within?](../accountelevatedprocess.md) -- [Does Endpoint Privilege Manager block Macro attacks?](../macroattacks.md) -- [How secure is it just to use the digital signature? Can someone spoof a digital signature?](../digitalsignature.md) -- [Is Endpoint Privilege Manager compatible alongside an existing installation of Microsoft Applocker?](../../integration/applocker.md) -- [How can I change the behavior of "Run as Admin" with Endpoint Privilege Manager and how has it changed from previous versions?](../runasadmin.md) +- [Which account does an elevated process run within?](/docs/policypak/policypak/leastprivilege/accountelevatedprocess.md) +- [Does Endpoint Privilege Manager block Macro attacks?](/docs/policypak/policypak/leastprivilege/macroattacks.md) +- [How secure is it just to use the digital signature? 
Can someone spoof a digital signature?](/docs/policypak/policypak/leastprivilege/digitalsignature.md) +- [Is Endpoint Privilege Manager compatible alongside an existing installation of Microsoft Applocker?](/docs/policypak/policypak/integration/applocker.md) +- [How can I change the behavior of "Run as Admin" with Endpoint Privilege Manager and how has it changed from previous versions?](/docs/policypak/policypak/leastprivilege/runasadmin.md) ## Tips (Specific Workaround for Apps and Scenarios) -- [How to create an LPM Policy for (SynTPEnh.exe) Synaptics Pointing Device Driver](../synapticspointingdevicedriver.md) -- [Install Windows Fonts for users or Elevate end-users to install fonts themselves](../elevate/installfonts.md) -- [How do I elevate MMC snap ins without granting administrative rights?](../elevate/mmcsnapin.md) -- [How do I use Least Privilege Manager to Elevate .reg files to allow import by standard users](../elevate/registry.md) -- [How-to elevate Windows Defender Firewall in Endpoint Privilege Manager?](../elevate/windowsdefender.md) -- [How do I elevate installers that are classified as Installers but not Applications? 
Like Ninite, 7z, or Self-Extract?](../elevate/installers.md) -- [Allowing access/edit rights to specific files for standard users](../editrights.md) -- [How to Elevate applications with a .application extension using Least Privilege Manager](../elevate/applicationextension.md) -- [How do I elevate .MSP files such as Adobe Acrobat updates?](../elevate/mspfiles.md) -- [FTK Imager crashes with 'Server Busy' dialog box when "Image Mounting" while running elevated](../../troubleshooting/error/leastprivilege/serverbusy.md) +- [How to create an LPM Policy for (SynTPEnh.exe) Synaptics Pointing Device Driver](/docs/policypak/policypak/leastprivilege/synapticspointingdevicedriver.md) +- [Install Windows Fonts for users or Elevate end-users to install fonts themselves](/docs/policypak/policypak/leastprivilege/elevate/installfonts.md) +- [How do I elevate MMC snap ins without granting administrative rights?](/docs/policypak/policypak/leastprivilege/elevate/mmcsnapin.md) +- [How do I use Least Privilege Manager to Elevate .reg files to allow import by standard users](/docs/policypak/policypak/leastprivilege/elevate/registry.md) +- [How-to elevate Windows Defender Firewall in Endpoint Privilege Manager?](/docs/policypak/policypak/leastprivilege/elevate/windowsdefender.md) +- [How do I elevate installers that are classified as Installers but not Applications? 
Like Ninite, 7z, or Self-Extract?](/docs/policypak/policypak/leastprivilege/elevate/installers.md) +- [Allowing access/edit rights to specific files for standard users](/docs/policypak/policypak/leastprivilege/editrights.md) +- [How to Elevate applications with a .application extension using Least Privilege Manager](/docs/policypak/policypak/leastprivilege/elevate/applicationextension.md) +- [How do I elevate .MSP files such as Adobe Acrobat updates?](/docs/policypak/policypak/leastprivilege/elevate/mspfiles.md) +- [FTK Imager crashes with 'Server Busy' dialog box when "Image Mounting" while running elevated](/docs/policypak/policypak/troubleshooting/error/leastprivilege/serverbusy.md) ## Tips (Files, Folders and Dialogs) -- [How can I make all files in a folder, or all files in all recursive folders Elevated, Blocked, or Allow & Log?](../elevate/allfiles.md) +- [How can I make all files in a folder, or all files in all recursive folders Elevated, Blocked, or Allow & Log?](/docs/policypak/policypak/leastprivilege/elevate/allfiles.md) ## Tips and SecureRun (TM) -- [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](../securerun/allowinlinecommands.md) -- [How do I setup SecureRun when there are so many variables and still ensure my rules work no matter what version of the software I have I installed?](../securerun/setup.md) -- [When Endpoint Policy Manager SecureRun(TM) is turned on, PowerShell won't run. 
How can I re-enable this?](../securerun/enablepowershell.md) -- [What is the supported list of BLOCKED script types for Endpoint Policy Manager SecureRun™ ?](../securerun/blockedscripttypes.md) -- [How to run WebEx Meeting as regular user when SecureRun is enabled](../securerun/webex.md) -- [How to install and run MYKI Password Manager as regular user when SecureRun is enabled](../securerun/mykipasswordmanager.md) -- [How do I allow a Chrome extension blocked by SecureRun to be installed?](../securerun/chromeextension.md) -- [Least Privilege Manager and SecureRun Implementation Best Practices](../securerun/bestpractices.md) -- [How does the option "Show Admin Approval dialog for untrusted application" in Admin Approval work?](../securerun/adminapprovalwork.md) +- [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md) +- [How do I setup SecureRun when there are so many variables and still ensure my rules work no matter what version of the software I have I installed?](/docs/policypak/policypak/leastprivilege/securerun/setup.md) +- [When Endpoint Policy Manager SecureRun(TM) is turned on, PowerShell won't run. 
How can I re-enable this?](/docs/policypak/policypak/leastprivilege/securerun/enablepowershell.md) +- [What is the supported list of BLOCKED script types for Endpoint Policy Manager SecureRun™ ?](/docs/policypak/policypak/leastprivilege/securerun/blockedscripttypes.md) +- [How to run WebEx Meeting as regular user when SecureRun is enabled](/docs/policypak/policypak/leastprivilege/securerun/webex.md) +- [How to install and run MYKI Password Manager as regular user when SecureRun is enabled](/docs/policypak/policypak/leastprivilege/securerun/mykipasswordmanager.md) +- [How do I allow a Chrome extension blocked by SecureRun to be installed?](/docs/policypak/policypak/leastprivilege/securerun/chromeextension.md) +- [Least Privilege Manager and SecureRun Implementation Best Practices](/docs/policypak/policypak/leastprivilege/securerun/bestpractices.md) +- [How does the option "Show Admin Approval dialog for untrusted application" in Admin Approval work?](/docs/policypak/policypak/leastprivilege/securerun/adminapprovalwork.md) ## Tips for Admin Approval, Self Elevate, Apply on Demand, SecureCopy and UI Branding -- [Can I use Endpoint Privilege Manager to LOWER / remove admin rights from Administrators from an application or process, like Internet Explorer?](../reduceadminrights.md) -- [I elevated an application, but drag and drop between the elevated and other non-elevated applications isn't working anymore. 
What can I try?](../elevate/dragdrop.md) -- [How do I use the Filter section in Endpoint Privilege Manager ?](../policyeditor/scope.md) -- [How do I install an Active X control if it is not digitally signed?](../policyeditor/activexcontrol.md) -- [How to Defend against malicious PowerShell attacks (DLLs)?](../powershell/maliciousattacks.md) -- [How can I integrate Endpoint Privilege Manager and Servicenow (or any other help desk) via email?](../../integration/servicenow.md) -- [Least Privilege Manager - How to create a Self-Elevation policy for local groups of Standalone computers](../policyeditor/selfelevation.md) -- [How does the "Show Pop-Up" message checkbox work along side "Force user re-authenticate" and "Justification text required" checkboxes?](../policyeditor/optionsshowpopupmessage.md) -- [How does custom menu item text work after builds 23.8 and later?](../custommenuitemtext.md) +- [Can I use Endpoint Privilege Manager to LOWER / remove admin rights from Administrators from an application or process, like Internet Explorer?](/docs/policypak/policypak/leastprivilege/reduceadminrights.md) +- [I elevated an application, but drag and drop between the elevated and other non-elevated applications isn't working anymore. 
What can I try?](/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md) +- [How do I use the Filter section in Endpoint Privilege Manager ?](/docs/policypak/policypak/leastprivilege/policyeditor/scope.md) +- [How do I install an Active X control if it is not digitally signed?](/docs/policypak/policypak/leastprivilege/policyeditor/activexcontrol.md) +- [How to Defend against malicious PowerShell attacks (DLLs)?](/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md) +- [How can I integrate Endpoint Privilege Manager and Servicenow (or any other help desk) via email?](/docs/policypak/policypak/integration/servicenow.md) +- [Least Privilege Manager - How to create a Self-Elevation policy for local groups of Standalone computers](/docs/policypak/policypak/leastprivilege/policyeditor/selfelevation.md) +- [How does the "Show Pop-Up" message checkbox work along side "Force user re-authenticate" and "Justification text required" checkboxes?](/docs/policypak/policypak/leastprivilege/policyeditor/optionsshowpopupmessage.md) +- [How does custom menu item text work after builds 23.8 and later?](/docs/policypak/policypak/leastprivilege/custommenuitemtext.md) ## Tips (Old, use only if asked) -- [Endpoint Privilege Manager: How do I elevate single line commands (second batch file method)?](../elevate/singlelinecommands.md) -- [How to elevate Print driver installation using Endpoint Privilege Manager? (alternate method)](../elevate/printerdriverinstall.md) +- [Endpoint Privilege Manager: How do I elevate single line commands (second batch file method)?](/docs/policypak/policypak/leastprivilege/elevate/singlelinecommands.md) +- [How to elevate Print driver installation using Endpoint Privilege Manager? (alternate method)](/docs/policypak/policypak/leastprivilege/elevate/printerdriverinstall.md) ## Troubleshooting -- [What log can help me determine why an application (MSI, etc.) 
was ALLOWED, ELEVATED or BLOCKED?](../../troubleshooting/log/leastprivilege/determinewhy.md) -- [Why doesn't Endpoint Privilege Manager work Windows 7 + SHA256 signed.JS and .VBS files ?](../../troubleshooting/leastprivilege/supportedenvironments.md) -- [I want all the files in a folder to be ALLOWED when SecureRun is used. What is the correct syntax?](../../troubleshooting/leastprivilege/securerun/correctsyntax.md) -- [If multiple Endpoint Privilege Manager rules would apply, which rule takes precedence?](../../troubleshooting/leastprivilege/ruleprecedence.md) -- [How are DRIVE MAPS and UNC paths supported in Endpoint Privilege Manager?](../../troubleshooting/leastprivilege/drivemaps.md) -- [Why does Endpoint Policy Manager SecureRun block "inline commands" and what can I do to overcome or revert the behavior ?](../../troubleshooting/leastprivilege/securerun/inlinecommands.md) -- [How are wildcards supported when used with Path and Command-line arguments in Least Privilege Manager?](../../troubleshooting/leastprivilege/wildcards.md) -- [How do I overcome OneDrive block prompts when SecureRun is on?](../../troubleshooting/leastprivilege/securerun/onedrive.md) -- [Why is my File Info Deny rule for SQL MGMT Studio version 14.x and lower not working?](../../troubleshooting/leastprivilege/fileinfodeny/ssms.md) -- [Why is my File Info Deny rule for WinSCP Setup 17.x and lower not working?](../../troubleshooting/leastprivilege/fileinfodeny/winscp.md) -- [How-to Fix EXPLORER.EXE crash when right-clicking document files, pdf, docx, xlsx, etc.?](../../troubleshooting/leastprivilege/explorercrash.md) -- [Error message The element 'emailSettings' in namespace "…AdminApproval" has incomplete content encountered when editing Admin Approval policy](../../troubleshooting/error/leastprivilege/emailsettings.md) -- [How-to troubleshoot LPM rules for Kaseya Agent Service?](../../troubleshooting/leastprivilege/kaseyaagentservice.md) +- [What log can help me determine why an 
application (MSI, etc.) was ALLOWED, ELEVATED or BLOCKED?](/docs/policypak/policypak/troubleshooting/log/leastprivilege/determinewhy.md) +- [Why doesn't Endpoint Privilege Manager work Windows 7 + SHA256 signed.JS and .VBS files ?](/docs/policypak/policypak/troubleshooting/leastprivilege/supportedenvironments.md) +- [I want all the files in a folder to be ALLOWED when SecureRun is used. What is the correct syntax?](/docs/policypak/policypak/troubleshooting/leastprivilege/securerun/correctsyntax.md) +- [If multiple Endpoint Privilege Manager rules would apply, which rule takes precedence?](/docs/policypak/policypak/troubleshooting/leastprivilege/ruleprecedence.md) +- [How are DRIVE MAPS and UNC paths supported in Endpoint Privilege Manager?](/docs/policypak/policypak/troubleshooting/leastprivilege/drivemaps.md) +- [Why does Endpoint Policy Manager SecureRun block "inline commands" and what can I do to overcome or revert the behavior ?](/docs/policypak/policypak/troubleshooting/leastprivilege/securerun/inlinecommands.md) +- [How are wildcards supported when used with Path and Command-line arguments in Least Privilege Manager?](/docs/policypak/policypak/troubleshooting/leastprivilege/wildcards.md) +- [How do I overcome OneDrive block prompts when SecureRun is on?](/docs/policypak/policypak/troubleshooting/leastprivilege/securerun/onedrive.md) +- [Why is my File Info Deny rule for SQL MGMT Studio version 14.x and lower not working?](/docs/policypak/policypak/troubleshooting/leastprivilege/fileinfodeny/ssms.md) +- [Why is my File Info Deny rule for WinSCP Setup 17.x and lower not working?](/docs/policypak/policypak/troubleshooting/leastprivilege/fileinfodeny/winscp.md) +- [How-to Fix EXPLORER.EXE crash when right-clicking document files, pdf, docx, xlsx, etc.?](/docs/policypak/policypak/troubleshooting/leastprivilege/explorercrash.md) +- [Error message The element 'emailSettings' in namespace "…AdminApproval" has incomplete content encountered when editing Admin 
Approval policy](/docs/policypak/policypak/troubleshooting/error/leastprivilege/emailsettings.md) +- [How-to troubleshoot LPM rules for Kaseya Agent Service?](/docs/policypak/policypak/troubleshooting/leastprivilege/kaseyaagentservice.md) ## Eventing -- [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](../windowseventforwarding.md) -- [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](../../integration/auditor/reports.md) +- [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) +- [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](/docs/policypak/policypak/integration/auditor/reports.md) ## Netwrix Privilege Secure for Access Management Integration -- [How to Resolve Could not establish trust relationship for the SSL or TLS Secure Channel error message](../../troubleshooting/error/leastprivilege/establishtrust.md) -- [How does the Netwrix Privilege Secure MMC UI relate to the Endpoint Policy Manager MMC UI?](../../integration/privilegesecure/mmc.md) -- [How can I create Endpoint Policy ManagerLeast Privilege Manager policies with Netwrix Privilege Secure (even when the Endpoint Policy Manager Client Side Extension is unlicensed?)](../../integration/createpolicies.md) +- [How to Resolve Could not establish trust relationship for the SSL or TLS Secure Channel error message](/docs/policypak/policypak/troubleshooting/error/leastprivilege/establishtrust.md) +- [How does the Netwrix Privilege Secure MMC UI relate to the Endpoint Policy Manager MMC UI?](/docs/policypak/policypak/integration/privilegesecure/mmc.md) +- [How can I create Endpoint Policy ManagerLeast Privilege Manager policies with Netwrix Privilege Secure (even when the Endpoint Policy Manager Client Side Extension is 
unlicensed?)](/docs/policypak/policypak/integration/createpolicies.md) diff --git a/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md b/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md index 13c4a21026..ae61a188fd 100644 --- a/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md +++ b/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md 
@@ -4,112 +4,112 @@ See the following Video topics for more information on Least Privilege Manager. ## Basics and Getting Started -- [Kill Local Admin Rights (Run applications with Least Privilege)](../../video/leastprivilege/localadminrights.md) -- [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../../video/leastprivilege/removelocaladmin.md) -- [Link to Computer, Filter by User](../../video/leastprivilege/userfilter.md) -- [Installing applications-and-Preconfigured-Rules](../../video/leastprivilege/installapplications.md) -- [Auto Rules Generator Tool (with SecureRun)](../../video/leastprivilege/autorulesgeneratortool.md) -- [Endpoint Policy Manager Application Control with PP Least Privilege Manager](../../video/leastprivilege/applicationcontrol.md) -- [Using Least Privilege Manager's SecureRun Feature](../../video/leastprivilege/securerun/feature.md) -- [COM Support](../../video/leastprivilege/comsupport.md) -- [Overcome UAC prompts for Active X controls](../../video/leastprivilege/uacpromptsactivex.md) +- [Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) +- [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md) +- [Link to Computer, Filter by User](/docs/policypak/policypak/video/leastprivilege/userfilter.md) +- [Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) +- [Auto Rules Generator Tool (with SecureRun)](/docs/policypak/policypak/video/leastprivilege/autorulesgeneratortool.md) +- [Endpoint Policy Manager Application Control with PP Least Privilege Manager](/docs/policypak/policypak/video/leastprivilege/applicationcontrol.md) +- [Using Least Privilege Manager's SecureRun 
Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) +- [COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) +- [Overcome UAC prompts for Active X controls](/docs/policypak/policypak/video/leastprivilege/uacpromptsactivex.md) ## How-To & Tech Support -- [Elevate (or smack down) scripts and Java JAR files](../../video/leastprivilege/elevate/scripts.md) -- [Enable end-users to install their own fonts](../../video/leastprivilege/elevate/installfonts.md) -- [Manage, block and allow Windows Universal (UWP) applications](../../video/leastprivilege/windowsuniversalapplications.md) -- [More security with Combo Rules](../../video/leastprivilege/securitycomborules.md) -- [Least Privilege Manager: Deny Messages](../../video/leastprivilege/denymessages.md) -- [Prevent Edge from Launching](../../video/leastprivilege/preventedge.md) -- [Stop Ransomware and other unknown zero day attacks with Endpoint Policy Manager SecureRun(TM)](../../video/leastprivilege/securerun/stopransomware.md) -- [Least Privilege Manager: Block All Unsigned with SecureRun](../../video/leastprivilege/securerun/preventunsigned.md) -- [Endpoint Privilege Manager: Use Item Level Targeting to hone in when rules apply.](../../video/leastprivilege/itemleveltargeting.md) +- [Elevate (or smack down) scripts and Java JAR files](/docs/policypak/policypak/video/leastprivilege/elevate/scripts.md) +- [Enable end-users to install their own fonts](/docs/policypak/policypak/video/leastprivilege/elevate/installfonts.md) +- [Manage, block and allow Windows Universal (UWP) applications](/docs/policypak/policypak/video/leastprivilege/windowsuniversalapplications.md) +- [More security with Combo Rules](/docs/policypak/policypak/video/leastprivilege/securitycomborules.md) +- [Least Privilege Manager: Deny Messages](/docs/policypak/policypak/video/leastprivilege/denymessages.md) +- [Prevent Edge from Launching](/docs/policypak/policypak/video/leastprivilege/preventedge.md) +- 
[Stop Ransomware and other unknown zero day attacks with Endpoint Policy Manager SecureRun(TM)](/docs/policypak/policypak/video/leastprivilege/securerun/stopransomware.md) +- [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/policypak/video/leastprivilege/securerun/preventunsigned.md) +- [Endpoint Privilege Manager: Use Item Level Targeting to hone in when rules apply.](/docs/policypak/policypak/video/leastprivilege/itemleveltargeting.md) ## Methods: Cloud, MDM, SCCM, PDQ -- [Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](../../video/leastprivilege/cloudrules.md) -- [Using Least Privilege Manager with your MDM service](../../video/leastprivilege/mdm.md) -- [Deploying Apps that Require Admin Rights Using Endpoint Policy Manager and PDQ Deploy](../../video/leastprivilege/integration/pdqdeploy.md) -- [Blocking Malware with Endpoint Policy Manager and PDQ Deploy](../../video/leastprivilege/integration/pdqdeployblockmalware.md) +- [Use Endpoint Policy Manager Cloud to deploy PP Least Privilege Manager rules](/docs/policypak/policypak/video/leastprivilege/cloudrules.md) +- [Using Least Privilege Manager with your MDM service](/docs/policypak/policypak/video/leastprivilege/mdm.md) +- [Deploying Apps that Require Admin Rights Using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/leastprivilege/integration/pdqdeploy.md) +- [Blocking Malware with Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/leastprivilege/integration/pdqdeployblockmalware.md) ## Best Practices -- [Best Practices for Elevating User-Based Installs](../../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) -- [PPLPM Elevating UWP Applications](../../video/leastprivilege/bestpractices/elevateuwp.md) -- [Best Practices of MSI installations from the Windows Store (UWP Applications) ](../../video/leastprivilege/bestpractices/msi.md) -- [Security and Child 
Processes](../../video/leastprivilege/bestpractices/securitychildprocesses.md) -- [Increase security by reducing rights on Open/Save dialogs](../../video/leastprivilege/bestpractices/opensavedialogs.md) -- [Endpoint Privilege Manager and Wildcards](../../video/leastprivilege/bestpractices/wildcards.md) -- [Reduce or specify Service Account Rights](../../video/leastprivilege/bestpractices/serviceaccountrights.md) -- [Block PowerShell in General, Open up for specific items](../../video/leastprivilege/bestpractices/powershellblock.md) -- [SecureRun to block User AND System executables](../../video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) -- [Elevate apps as standard user, BLOCK other Admins](../../video/leastprivilege/bestpractices/appblock.md) -- [Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](../../video/leastprivilege/bestpractices/selfelevatemode.md) +- [Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) +- [PPLPM Elevating UWP Applications](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevateuwp.md) +- [Best Practices of MSI installations from the Windows Store (UWP Applications) ](/docs/policypak/policypak/video/leastprivilege/bestpractices/msi.md) +- [Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) +- [Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) +- [Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) +- [Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md) +- [Block PowerShell in General, Open up for specific items](/docs/policypak/policypak/video/leastprivilege/bestpractices/powershellblock.md) +- [SecureRun to 
block User AND System executables](/docs/policypak/policypak/video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) +- [Elevate apps as standard user, BLOCK other Admins](/docs/policypak/policypak/video/leastprivilege/bestpractices/appblock.md) +- [Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/bestpractices/selfelevatemode.md) ## ACL Traverse: NTFS and Registry -- [Endpoint Policy Manager: ACL Traverse to enable users to delete icons on desktop](../../video/leastprivilege/acltraverse/deleteicons.md) -- [Endpoint Policy Manager and ACL Traverse: How to give rights to modify HOSTS files and similar](../../video/leastprivilege/acltraverse/modifyhosts.md) -- [Endpoint Policy Manager ACL and File Traverse: Let any application in Programfiles overcome NTFS permissions](../../video/leastprivilege/acltraverse/ntfspermissions.md) -- [Endpoint Policy Manager: Overcome ACLs in Registry even as Standard User](../../video/leastprivilege/acltraverse/registry.md) +- [Endpoint Policy Manager: ACL Traverse to enable users to delete icons on desktop](/docs/policypak/policypak/video/leastprivilege/acltraverse/deleteicons.md) +- [Endpoint Policy Manager and ACL Traverse: How to give rights to modify HOSTS files and similar](/docs/policypak/policypak/video/leastprivilege/acltraverse/modifyhosts.md) +- [Endpoint Policy Manager ACL and File Traverse: Let any application in Programfiles overcome NTFS permissions](/docs/policypak/policypak/video/leastprivilege/acltraverse/ntfspermissions.md) +- [Endpoint Policy Manager: Overcome ACLs in Registry even as Standard User](/docs/policypak/policypak/video/leastprivilege/acltraverse/registry.md) ## Admin Approval, Self Elevate, Apply on Demand, SecureCopy(TM), and UI Branding -- [Admin Approval demo](../../video/leastprivilege/adminapproval/demo.md) -- [Using Email / Long Codes](../../video/leastprivilege/longcodes.md) -- [Understand "Enforce Admin Approval for all 
installers" behavior](../../video/leastprivilege/adminapproval/enforce.md) -- [Endpoint Privilege Manager: Admin Approval Email method (with Notepad instead)](../../video/leastprivilege/adminapproval/email.md) -- [Self Elevate Mode](../../video/leastprivilege/selfelevatemode/demo.md) -- [Endpoint Privilege: Re-Authenticate with Self Elevate](../../video/leastprivilege/selfelevatemode/reauthenticate.md) -- [Least Privilege Manager: Apply On Demand](../../video/leastprivilege/applyondemand.md) -- [SecureCopy(TM). Empower users to copy then elevate items](../../video/leastprivilege/securecopy.md) -- [Branding the UI and Dialogs](../../video/leastprivilege/branding.md) -- [Endpoint Privilege Manager Automatic Rules Creation from Admin Approval Requests](../../video/leastprivilege/autorulesfromadmin.md) +- [Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) +- [Using Email / Long Codes](/docs/policypak/policypak/video/leastprivilege/longcodes.md) +- [Understand "Enforce Admin Approval for all installers" behavior](/docs/policypak/policypak/video/leastprivilege/adminapproval/enforce.md) +- [Endpoint Privilege Manager: Admin Approval Email method (with Notepad instead)](/docs/policypak/policypak/video/leastprivilege/adminapproval/email.md) +- [Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md) +- [Endpoint Privilege: Re-Authenticate with Self Elevate](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/reauthenticate.md) +- [Least Privilege Manager: Apply On Demand](/docs/policypak/policypak/video/leastprivilege/applyondemand.md) +- [SecureCopy(TM). 
Empower users to copy then elevate items](/docs/policypak/policypak/video/leastprivilege/securecopy.md) +- [Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md) +- [Endpoint Privilege Manager Automatic Rules Creation from Admin Approval Requests](/docs/policypak/policypak/video/leastprivilege/autorulesfromadmin.md) ## Helpers Tools & Tips and Tricks -- [Overcome Network Card, Printer, and Remove Programs UAC prompts](../../video/leastprivilege/uacprompts.md) -- [Endpoint Policy Manager Least Priv Manager Tools Setup](../../video/leastprivilege/toolssetup.md) -- [Getting the helper tools as desktop shortcuts](../../video/leastprivilege/helperdesktopshortcut.md) -- [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](../../video/leastprivilege/ntprintdialog.md) -- [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](../../video/leastprivilege/wingui.md) +- [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) +- [Endpoint Policy Manager Least Priv Manager Tools Setup](/docs/policypak/policypak/video/leastprivilege/toolssetup.md) +- [Getting the helper tools as desktop shortcuts](/docs/policypak/policypak/video/leastprivilege/helperdesktopshortcut.md) +- [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](/docs/policypak/policypak/video/leastprivilege/ntprintdialog.md) +- [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](/docs/policypak/policypak/video/leastprivilege/wingui.md) ## Eventing -- [Events](../../video/leastprivilege/events.md) -- [Use Discovery to know what rules to make as you transition from Local Admin rights](../../video/leastprivilege/discovery.md) -- [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../../video/leastprivilege/cloudevents.md) -- [Using Windows Event Forwarding to search for interesting 
events](../../video/leastprivilege/windowseventforwarding.md) -- [Auto-Create Policy from Global Audit event](../../video/leastprivilege/globalauditevent.md) +- [Events](/docs/policypak/policypak/video/leastprivilege/events.md) +- [Use Discovery to know what rules to make as you transition from Local Admin rights](/docs/policypak/policypak/video/leastprivilege/discovery.md) +- [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md) +- [Using Windows Event Forwarding to search for interesting events](/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md) +- [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) ## Business Solutions -- [Endpoint Policy Manager and WinGet: Overcome UAC prompts when standard users use Windows Package Manager](../../video/leastprivilege/winget.md) -- [Overcome Print Nightmare Standard User UAC Prompts](../../video/leastprivilege/printeruacprompts.md) -- [Microsoft WDAC recommended block rules Guidance](../../video/leastprivilege/microsoftrecommendations.md) -- [PPLPM: Deny Wins Over Self Elevate (using Java installation as example)](../../video/leastprivilege/denyselfelevate.md) +- [Endpoint Policy Manager and WinGet: Overcome UAC prompts when standard users use Windows Package Manager](/docs/policypak/policypak/video/leastprivilege/winget.md) +- [Overcome Print Nightmare Standard User UAC Prompts](/docs/policypak/policypak/video/leastprivilege/printeruacprompts.md) +- [Microsoft WDAC recommended block rules Guidance](/docs/policypak/policypak/video/leastprivilege/microsoftrecommendations.md) +- [PPLPM: Deny Wins Over Self Elevate (using Java installation as example)](/docs/policypak/policypak/video/leastprivilege/denyselfelevate.md) ## Netwrix Privilege Secure for Access Management Integration -- [Netwrix Privilege Secure Client - Getting Started with MMC with/without 
Endpoint Policy Manager ](../../video/leastprivilege/integration/privilegesecure.md) -- [Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](../../video/leastprivilege/integration/privilegesecureclient.md) -- [Endpoint Privilege Manager: NPS Self Elevate Mode (Paid Feature)](../../video/leastprivilege/integration/selfelevatemode.md) -- [Netwrix Privilege Secure and LICENSING](../../video/leastprivilege/integration/license.md) +- [Netwrix Privilege Secure Client - Getting Started with MMC with/without Endpoint Policy Manager ](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecure.md) +- [Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecureclient.md) +- [Endpoint Privilege Manager: NPS Self Elevate Mode (Paid Feature)](/docs/policypak/policypak/video/leastprivilege/integration/selfelevatemode.md) +- [Netwrix Privilege Secure and LICENSING](/docs/policypak/policypak/video/leastprivilege/integration/license.md) ## Mac Integration -- [Endpoint Policy Managerfor MacOS Installation (using Endpoint Policy Manager Cloud)](../../video/leastprivilege/mac/cloudinstall.md) -- [Mac and Jointoken](../../video/leastprivilege/mac/macjointoken.md) -- [Endpoint Policy Manager Least Priv Manager for Macs Application Package Support](../../video/leastprivilege/mac/applicationpackage.md) -- [Endpoint Policy Manager for Mac / Least Priv Manager: System Settings policy](../../video/leastprivilege/mac/systemsettings.md) -- [Endpoint Policy Manager Cloud and SUDO support](../../video/leastprivilege/mac/sudosupport.md) -- [Endpoint Policy Manager Cloud Mac + SUDO Using Wildcard Example](../../video/leastprivilege/mac/wildcards.md) -- [Application Launch Approval](../../video/leastprivilege/mac/applicationlaunch.md) -- [Endpoint Policy Manager Cloud +Least Privilege Manager for Mac Events collector](../../video/leastprivilege/mac/eventscollector.md) -- [Endpoint 
Policy Manager for Mac and Admin Approval](../../video/leastprivilege/mac/adminapproval.md) -- [Endpoint Privilege Manager for Mac: Mount / Unmount Part I](../../video/leastprivilege/mac/mountunmountpart1.md) -- [Endpoint Privilege Manager for Mac: Mount / Unmount Part II](../../video/leastprivilege/mac/mountunmounpart2.md) -- [Endpoint Policy Manager MacOS: Mac Finder Policies](../../video/leastprivilege/mac/finder.md) -- [Endpoint Policy Manager LPM for MacOS: Privilege Policies (for Helper Apps)](../../video/leastprivilege/mac/privilege.md) -- [Collect Diagnostics](../../video/leastprivilege/mac/collectdiagnostics.md) +- [Endpoint Policy Managerfor MacOS Installation (using Endpoint Policy Manager Cloud)](/docs/policypak/policypak/video/leastprivilege/mac/cloudinstall.md) +- [Mac and Jointoken](/docs/policypak/policypak/video/leastprivilege/mac/macjointoken.md) +- [Endpoint Policy Manager Least Priv Manager for Macs Application Package Support](/docs/policypak/policypak/video/leastprivilege/mac/applicationpackage.md) +- [Endpoint Policy Manager for Mac / Least Priv Manager: System Settings policy](/docs/policypak/policypak/video/leastprivilege/mac/systemsettings.md) +- [Endpoint Policy Manager Cloud and SUDO support](/docs/policypak/policypak/video/leastprivilege/mac/sudosupport.md) +- [Endpoint Policy Manager Cloud Mac + SUDO Using Wildcard Example](/docs/policypak/policypak/video/leastprivilege/mac/wildcards.md) +- [Application Launch Approval](/docs/policypak/policypak/video/leastprivilege/mac/applicationlaunch.md) +- [Endpoint Policy Manager Cloud +Least Privilege Manager for Mac Events collector](/docs/policypak/policypak/video/leastprivilege/mac/eventscollector.md) +- [Endpoint Policy Manager for Mac and Admin Approval](/docs/policypak/policypak/video/leastprivilege/mac/adminapproval.md) +- [Endpoint Privilege Manager for Mac: Mount / Unmount Part I](/docs/policypak/policypak/video/leastprivilege/mac/mountunmountpart1.md) +- [Endpoint Privilege Manager for 
Mac: Mount / Unmount Part II](/docs/policypak/policypak/video/leastprivilege/mac/mountunmounpart2.md) +- [Endpoint Policy Manager MacOS: Mac Finder Policies](/docs/policypak/policypak/video/leastprivilege/mac/finder.md) +- [Endpoint Policy Manager LPM for MacOS: Privilege Policies (for Helper Apps)](/docs/policypak/policypak/video/leastprivilege/mac/privilege.md) +- [Collect Diagnostics](/docs/policypak/policypak/video/leastprivilege/mac/collectdiagnostics.md) diff --git a/docs/policypak/policypak/leastprivilege/parentprocessfilter.md b/docs/policypak/policypak/leastprivilege/parentprocessfilter.md index aff39d33c1..0a2c423d1d 100644 --- a/docs/policypak/policypak/leastprivilege/parentprocessfilter.md +++ b/docs/policypak/policypak/leastprivilege/parentprocessfilter.md @@ -14,4 +14,4 @@ being checked first before the child application is launched elevated.) ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_parent_process.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_parent_process.webp) diff --git a/docs/policypak/policypak/leastprivilege/policyeditor/activexcontrol.md b/docs/policypak/policypak/leastprivilege/policyeditor/activexcontrol.md index 8c86e1a6bc..53971ba47a 100644 --- a/docs/policypak/policypak/leastprivilege/policyeditor/activexcontrol.md +++ b/docs/policypak/policypak/leastprivilege/policyeditor/activexcontrol.md 
@@ -5,17 +5,17 @@ PolicyPak) Least Privilege Manager to deliver a rule to enable the ActiveX insta Explorer (or IE mode in Edge) will permit the install. Here's an example of a rule where the item has a rule for the URL and for the Signature. -![859_1_image001_950x422](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_1_image001_950x422.webp) +![859_1_image001_950x422](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_1_image001_950x422.webp) _Remember,_ When your ActiveX items are signed, you should have no problem. However, if you attempt an ActiveX rule where there the ActiveX item is not signed (see below)… -![859_2_image003_950x429](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_2_image003_950x429.webp) +![859_2_image003_950x429](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_2_image003_950x429.webp) You will get an experience like this… -![859_3_image004_950x557](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_3_image004_950x557.webp) +![859_3_image004_950x557](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_3_image004_950x557.webp) To overcome this, you need to decrease the security for Internet Explorer. You do this with Group Policy or Endpoint Policy Manager Cloud. 
@@ -23,14 +23,14 @@ Policy or Endpoint Policy Manager Cloud. Go to **User** (or Computer) **Admin templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** -![859_4_image005_950x656](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_4_image005_950x656.webp) +![859_4_image005_950x656](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_4_image005_950x656.webp) Then locate pick the Trusted Sites Zone. **CAUTION:** Note that you are explicitly telling Internet Explorer to reducethe security here in order to enable your unsigned ActiveX control to be installed. -![859_5_image007_950x362](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_5_image007_950x362.webp) +![859_5_image007_950x362](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_5_image007_950x362.webp) Lastly, you have to add the site to be trusted. You have a few options on how to perform this: 
@@ -53,8 +53,8 @@ Lastly, you have to add the site to be trusted. You have a few options on how to The goal is to get IE to recognize the URL to get into the Trusted Zone like this. (This is the RESULT of performing Option 1, Option 2 or Option 3 above.) -![859_6_image008_450x602](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_6_image008_450x602.webp) +![859_6_image008_450x602](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_6_image008_450x602.webp) -![859_7_image009_950x363](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_7_image009_950x363.webp) +![859_7_image009_950x363](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_7_image009_950x363.webp) -![859_8_image010_950x541](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_8_image010_950x541.webp) +![859_8_image010_950x541](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/859_8_image010_950x541.webp) diff --git a/docs/policypak/policypak/leastprivilege/policyeditor/optionsshowpopupmessage.md b/docs/policypak/policypak/leastprivilege/policyeditor/optionsshowpopupmessage.md index fdb24c13c5..42e1c78d3f 100644 --- a/docs/policypak/policypak/leastprivilege/policyeditor/optionsshowpopupmessage.md +++ b/docs/policypak/policypak/leastprivilege/policyeditor/optionsshowpopupmessage.md @@ -2,7 +2,7 @@ In CSEs 23.6 and later, there are several options you may select:. -![942_1_image-20230602145013-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_1_image-20230602145013-1.webp) +![942_1_image-20230602145013-1](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_1_image-20230602145013-1.webp) The four cases below illustrate how these work. 
@@ -10,44 +10,44 @@ Case 1 **Show popup message** is selected, but neither sub-option are checked. -![942_2_image-20230602145013-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_1.webp) +![942_2_image-20230602145013-2](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_1.webp) When the application launches, the pop up is presented as shown below. Text input from the user is optional. The User must at least click **OK** to continue and launch the application. -![942_3_image-20230602145013-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_2.webp) +![942_3_image-20230602145013-3](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_2.webp) Case 2 **Show popup message** and **Justification text required** are selected, but **Force user re-authenticate** is not. -![942_4_image-20230602145013-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_3.webp) +![942_4_image-20230602145013-4](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_3.webp) The pop-up box appears, and the user must type in something before continuing onward by clicking **OK**. -![942_5_image-20230602145013-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_4.webp) +![942_5_image-20230602145013-5](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_4.webp) **Case 3** **Show popup message** and **Force user re-authenticate** is selected, but **Justification text required** is not. 
-![942_6_image-20230602145013-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_5.webp) +![942_6_image-20230602145013-6](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_5.webp) The User is required to re-authenticate, but then when the pop-up occurs, no text input is required by the user. -![942_7_image-20230602145013-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_7_image-20230602145013-7.webp) +![942_7_image-20230602145013-7](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_7_image-20230602145013-7.webp) **Case 4** -![942_8_image-20230602145013-8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_7.webp) +![942_8_image-20230602145013-8](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_7.webp) The User must re-authenticate. When the pop-up is shown, the user must type in something before **OK** is allowed and the application proceeds. -![942_9_image-20230602145013-9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_9_image-20230602145013-9.webp) +![942_9_image-20230602145013-9](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/942_9_image-20230602145013-9.webp) diff --git a/docs/policypak/policypak/leastprivilege/policyeditor/scope.md b/docs/policypak/policypak/leastprivilege/policyeditor/scope.md index f802653240..a39a21d52a 100644 --- a/docs/policypak/policypak/leastprivilege/policyeditor/scope.md +++ b/docs/policypak/policypak/leastprivilege/policyeditor/scope.md 
@@ -4,11 +4,11 @@ The Scope filter section can be found in various rule types in Netwrix Endpoint (formerly PolicyPak) Least Privilege Manager. For instance, it exists in every explicit rule, like this: -![319_1_faq-img-01_950x578](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_1_faq-img-01_950x578.webp) +![319_1_faq-img-01_950x578](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_1_faq-img-01_950x578.webp) And also in SecureRun™ rules like this: -![319_2_faq-img-02_950x537](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_2_faq-img-02_950x537.webp) +![319_2_faq-img-02_950x537](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_2_faq-img-02_950x537.webp) **NOTE:** At this time, Policy Scope rules are not yet available for: @@ -22,7 +22,7 @@ it is greyed out because this setting is only meant to express to the COMPUTER ( with User, and User and System Processes. On the User side, the processes are always in the context of the User. -![319_3_faq-img-03_950x571](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_3_faq-img-03_950x571.webp) +![319_3_faq-img-03_950x571](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_3_faq-img-03_950x571.webp) In this topic, we are going over various use cases when you might use the Policy Scope option (which again, will only be un-gray / valid on the Computer side.) 
@@ -34,13 +34,13 @@ executables started by users." But this does not, by default, block the attack v performing the attack. You can see the example below where the Standard User is blocked from an executable attempt, but System is still allowed. -![319_4_faq-img-04_950x647](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_4_faq-img-04_950x647.webp) +![319_4_faq-img-04_950x647](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_4_faq-img-04_950x647.webp) However, you can switch SecureRun on the computer side to now say "Block all untrusted executables started by users or LOCAL SYSTEM." You would do this on the Computer side, and specify User and System Processes, as shown below. -![319_5_faq-img-05_950x547](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_5_faq-img-05_950x547.webp) +![319_5_faq-img-05_950x547](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_5_faq-img-05_950x547.webp) The result is that both User and System attempts to run un-trusted executables will be prevented. @@ -61,7 +61,7 @@ its work as LOCAL SYSTEM and tries to run an un-trusted file. Therefore, when th list, the attack attempt will fail. For a video demo of this scenario, -see [SecureRun to block User AND System executables](../../video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) +see [SecureRun to block User AND System executables](/docs/policypak/policypak/video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) ## Scenario 2: Specific rule to block an app from being run, even as local System. 
@@ -69,15 +69,15 @@ You might want to explicitly block attack vectors such as PSEXEC (which was used entirely block PowerShell.  If you specify to do this only on the User side (or set Computer side scope to User processed only), then only user processes will be affected: -![319_6_faq-img-06_950x195](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_6_faq-img-06_950x195.webp) +![319_6_faq-img-06_950x195](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_6_faq-img-06_950x195.webp) You can shore up this attack vector by making the explicit deny rule on the Computer side: -![319_7_faq-img-07_950x381](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_7_faq-img-07_950x381.webp) +![319_7_faq-img-07_950x381](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_7_faq-img-07_950x381.webp) When you do,  this happens: -![319_8_faq-img-08_950x183](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_8_faq-img-08_950x183.webp) +![319_8_faq-img-08_950x183](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_8_faq-img-08_950x183.webp) ### Scenario 2B: Block Powershell.exe completely, but allow Local System to run a specific .PS1 script 
@@ -87,19 +87,19 @@ However, you might need to run some Powershell scripts as SYSTEM to perform some Since PowerShell is now being blocked for all Computer side processes, you cannot run a specific script with PowerShel: -![319_9_faq-img-09_950x271](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_9_faq-img-09_950x271.webp) +![319_9_faq-img-09_950x271](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_9_faq-img-09_950x271.webp) To enable this, simply add another rule to ALLOW AND LOG, for example, `C:\SCRIPTS\ITSCRIPT1.ps1`, and set the scope to User and System processes, but use the scope Filter to SYSTEM. -![319_10_faq-img-10_950x453](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_10_faq-img-10_950x453.webp) +![319_10_faq-img-10_950x453](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_10_faq-img-10_950x453.webp) Result: -![319_11_faq-img-11_950x375](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_11_faq-img-11_950x375.webp) +![319_11_faq-img-11_950x375](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_11_faq-img-11_950x375.webp) For more information on this issue, see - [Block PowerShell in General, Open up for specific items](../../video/leastprivilege/bestpractices/powershellblock.md) + [Block PowerShell in General, Open up for specific items](/docs/policypak/policypak/video/leastprivilege/bestpractices/powershellblock.md) ## Scenario 3: Running or Elevating applications or installers, but blocking other admins from running them. 
@@ -118,20 +118,20 @@ If you want toblock only LOCAL admins (but not domain admins) then Rule #1 needs (Note that this group is not available when editing a GPO from a DC, and only available when creating the GPO from a Windows 10 computer): -![319_12_faq-img-12_950x482](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_12_faq-img-12_950x482.webp) +![319_12_faq-img-12_950x482](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_12_faq-img-12_950x482.webp) If you want toblock both local admins and domain administrators, then Rule #1 needs to look like this. -![319_13_faq-img-13_950x534](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_13_faq-img-13_950x534.webp) +![319_13_faq-img-13_950x534](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_13_faq-img-13_950x534.webp) _Remember,_ rule 2, the rule that does the ELEVATE or ALLOW, is just a standard rule, and can be done on the user or computer side, like this: -![319_14_faq-img-14_950x458](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_14_faq-img-14_950x458.webp) +![319_14_faq-img-14_950x458](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_14_faq-img-14_950x458.webp) video -3: [Elevate apps as standard user, BLOCK other Admins](../../video/leastprivilege/bestpractices/appblock.md) +3: [Elevate apps as standard user, BLOCK other Admins](/docs/policypak/policypak/video/leastprivilege/bestpractices/appblock.md) ## Scenario 4:  Elevating a Service account 
@@ -163,7 +163,7 @@ Scope Filter should be trimmed to the specific account you specified to run the **NOTE:** It's also possible to use Scope Filter = SERVICES to make the rule apply to all services that run from the specified `.exe `regardless of the user. -![319_15_faq-img-15_950x467](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_15_faq-img-15_950x467.webp) +![319_15_faq-img-15_950x467](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/319_15_faq-img-15_950x467.webp) video: -[Reduce or specify Service Account Rights](../../video/leastprivilege/bestpractices/serviceaccountrights.md) +[Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md) diff --git a/docs/policypak/policypak/leastprivilege/policyeditor/selfelevation.md b/docs/policypak/policypak/leastprivilege/policyeditor/selfelevation.md index 71fba21a36..542c2bf1ad 100644 --- a/docs/policypak/policypak/leastprivilege/policyeditor/selfelevation.md +++ b/docs/policypak/policypak/leastprivilege/policyeditor/selfelevation.md 
@@ -4,30 +4,30 @@ and choose whichever Executable types you wish the members of the local group to be able to execute, and also whether or not the policy should apply to child processes. -![959_1_image-20230522075042-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_1_image-20230522075042-1.jpeg) +![959_1_image-20230522075042-1](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_1_image-20230522075042-1.jpeg) **Step 2 –** When you get to the **Allowed Users** section be sure to use the **Add custom user/group by SID as member** option. -![959_2_image-20230522075042-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_2_image-20230522075042-2.webp) +![959_2_image-20230522075042-2](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_2_image-20230522075042-2.webp) **Step 3 –** At this point you will need to look up the SID for the local group you wish to have the Self Elevation policy apply to. This can be done by running the command "whoami /groups" on the computer where the local group exists. -![959_3_image-20230522075042-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_3_image-20230522075042-3.webp) +![959_3_image-20230522075042-3](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_3_image-20230522075042-3.webp) **Step 4 –** In this example, I will be using the SID for the BUILTIN\Users group "S-1-5-32-545" -![959_4_image-20230522075042-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_4_image-20230522075042-4.webp) +![959_4_image-20230522075042-4](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_4_image-20230522075042-4.webp) **Step 5 –** Your policy should look similar to the example below. 
-![959_5_image-20230522075042-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_5_image-20230522075042-5.webp) +![959_5_image-20230522075042-5](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_5_image-20230522075042-5.webp) **Step 6 –** Lastly, deploy the policy and test if Self Elevation works. If the LPM Self Elevation policy applies successfully to the local group then when you right click on any of the Executable types you selected in the policy, you should see the **Run Self Elevated with PolicyPak** option available. -![959_6_image-20230522075042-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_6_image-20230522075042-6.webp) +![959_6_image-20230522075042-6](/img/product_docs/policypak/policypak/leastprivilege/policyeditor/959_6_image-20230522075042-6.webp) diff --git a/docs/policypak/policypak/leastprivilege/powershell/block.md b/docs/policypak/policypak/leastprivilege/powershell/block.md index 1ca398689a..a1876678a4 100644 --- a/docs/policypak/policypak/leastprivilege/powershell/block.md +++ b/docs/policypak/policypak/leastprivilege/powershell/block.md @@ -6,7 +6,7 @@ Blocking PowerShell Version 2 using a traditional command line rule in Endpoint Privilege Manager results in multiple block events being generated every second in the Endpoint Policy Manager event log. -![1319_1_61042bd4123a78ef7686b114b9eea335](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_1_61042bd4123a78ef7686b114b9eea335.webp) +![1319_1_61042bd4123a78ef7686b114b9eea335](/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_1_61042bd4123a78ef7686b114b9eea335.webp) Cause: 
@@ -35,9 +35,9 @@ Since we cannot alter the internal PowerShell logic that attempts to restart the overcome the failure, we have to use the two scripts below to work around the issue. The two policies below are also attached as XML for your convenience. -![1319_2_d3a2208d260469bdbfdfc7edaf6848ba](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_2_d3a2208d260469bdbfdfc7edaf6848ba.webp) +![1319_2_d3a2208d260469bdbfdfc7edaf6848ba](/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_2_d3a2208d260469bdbfdfc7edaf6848ba.webp) -![1319_3_5745adb2d8b01ee9555aa6db772eae6a](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_3_5745adb2d8b01ee9555aa6db772eae6a.webp) +![1319_3_5745adb2d8b01ee9555aa6db772eae6a](/img/product_docs/policypak/policypak/leastprivilege/powershell/1319_3_5745adb2d8b01ee9555aa6db772eae6a.webp) Lastly, test using the command directly below to ensure that PowerShell Version 2.0 is now successfully blocked and that there are no longer multiple block events being created in the @@ -45,7 +45,7 @@ Endpoint Policy Manager event log. PowerShell -version 2.0 -[Copy]() +[Copy](javascript:void(0);) PowerShell V2 Workaround diff --git a/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md b/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md index ada61e26e1..5323f36520 100644 --- a/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md +++ b/docs/policypak/policypak/leastprivilege/powershell/maliciousattacks.md 
@@ -17,12 +17,12 @@ all PowerShell executables are blocked. Below we have enabled the Default Block PowerShell collection from the PolicyPak Support Guidance download. -![765_1_image-20211223014445-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/765_1_image-20211223014445-1.webp) +![765_1_image-20211223014445-1](/img/product_docs/policypak/policypak/leastprivilege/powershell/765_1_image-20211223014445-1.webp) But as you can see in the screenshot below, this alone does not stop the DLL from running, and the console window still opens, and is ready for PowerShell commands. -![765_2_image-20211223014445-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/765_2_image-20211223014445-2.webp) +![765_2_image-20211223014445-2](/img/product_docs/policypak/policypak/leastprivilege/powershell/765_2_image-20211223014445-2.webp) These are the steps to block DLL processing: 
@@ -36,15 +36,15 @@ Global DLL policy: Enabling the DLL processing. DLL policy: To block the execution of a DLL -![765_3_image-20211223014445-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/765_3_image-20211223014445-3.webp) +![765_3_image-20211223014445-3](/img/product_docs/policypak/policypak/leastprivilege/powershell/765_3_image-20211223014445-3.webp) Now when a user tries to launch PowerShdll.DLL using Rundll32.exe, it will be blocked and they should see the following block messages: Windows: -![765_4_image-20211223014445-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/765_4_image-20211223014445-4.webp) +![765_4_image-20211223014445-4](/img/product_docs/policypak/policypak/leastprivilege/powershell/765_4_image-20211223014445-4.webp) Netwrix Endpoint Policy Manager (formerly PolicyPak) message: -![765_5_image-20211223014445-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/powershell/765_5_image-20211223014445-5.webp) +![765_5_image-20211223014445-5](/img/product_docs/policypak/policypak/leastprivilege/powershell/765_5_image-20211223014445-5.webp) diff --git a/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md b/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md index bdc4efbfe7..841962b3dd 100644 --- a/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md +++ b/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md 
@@ -30,22 +30,22 @@ Portal.policypak.com. **NOTE:** Endpoint Policy Manager Cloud has its own URL, which is Cloud.policypak.com, and is considered the Endpoint Policy Manager Cloud Service. Please see the -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md) for an overview of what +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) for an overview of what is in the download, how to download, unpack, and get organized and quick licensed. Here’s the Endpoint Policy Manager QuickStart Guide with specific steps and ideas for Endpoint Policy Manager with On-Prem Active Directory and GPOs, an MDM service like Intune or with Endpoint Policy Manager Cloud: -[Netwrix Endpoint Policy Manager Quick Start](../gettingstarted/quickstart/overview.md) +[Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) When done you will have the Endpoint Policy Manager MMC Console installed, your endpoints prepared and be ready to go. -![poc1](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc1.webp) +![poc1](/img/product_docs/policypak/policypak/leastprivilege/poc1.webp) **NOTE:** If you’re confused about which method you want to use to get Endpoint Policy Manager policies deployed (GPO, MDM or Cloud) this video can help you make an informed decision: -[Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](../video/gettingstarted/solutionmethods.md) +[Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](/docs/policypak/policypak/video/gettingstarted/solutionmethods.md) ## Licensing some trial machines (or many machines) for Endpoint Privilege Manager and other Endpoint Policy Manager Components 
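Review bot: the last added line of this hunk keeps the link text `Endpoint Policy ManagerSolution Methods: ... compared.` with no space between "Manager" and "Solution" and with the sentence period inside the brackets. Since the line is rewritten here anyway, suggest fixing it to "Endpoint Policy Manager Solution Methods: ..." and moving the period outside the link.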
@@ -56,14 +56,14 @@ licensing on those machines. It’s easy to put one or a few machines into Trial mode with Endpoint Policy Manager without a license. For more information on this, please see these steps: -[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../license/trial.md) +[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) If you need to request a license, please follow the steps outlined in this video: [How to Request Licenses fromPolicyPak by Creating a "License Request Key"](https://helpcenter.netwrix.com/bundle/PolicyPak/page/Content/PolicyPak/Video/License/LicenseRequestKey.html) If you have a trial or full license for Endpoint Policy Manager and you wish to deploy it to all your computers, please follow these steps: -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) ## (Optional, Recommended) Endpoint Policy Manager Cloud or Endpoint Policy Manager via MDM Test Lab Creation @@ -83,7 +83,7 @@ service like Intune, having a small-scale on-prem test lab is required. For a video review on how to get organized and create a small-scale on-prem test lab to use in conjunction with Endpoint Policy Manager Cloud or Endpoint Policy Manager alongside an MDM service like Intune, see: -[Endpoint Policy Manager Cloud: What you need to get Started](../video/cloud/testlab/start.md) +[Endpoint Policy Manager Cloud: What you need to get Started](/docs/policypak/policypak/video/cloud/testlab/start.md) ## (Optional, Recommended) Endpoint Policy Manager with an MDM service like Intune “Walk before you run.” 
@@ -91,11 +91,11 @@ If you’re using Endpoint Policy Manager with an MDM service like Intune, you w kind of management station and to pre-test your MDM license before you get going. The best place to start for these instructions is here: -[Video Learning Center](../mdm/overview/videolearningcenter.md) +[Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) Additionally, get to know the details of how to create Endpoint Policy Manager Least Privilege Manager XMLs, export them, and wrap them up into MSIs for deployment with any MDM service with this -video: [Using Least Privilege Manager with your MDM service](../video/leastprivilege/mdm.md) +video: [Using Least Privilege Manager with your MDM service](/docs/policypak/policypak/video/leastprivilege/mdm.md) ## Endpoint Privilege Manager “Base Hits” / “Walk Before You Run” @@ -107,7 +107,7 @@ don’t need to perform the other steps in this video, you just want to verify t be overcome when Endpoint Policy ManagerLeast Privilege Manager is engaged. Remember to test this step as a proposed end-user who is running as a Standard User and doesn’t have Local Admin Rights. -Video: [Kill Local Admin Rights (Run applications with Least Privilege)](../video/leastprivilege/localadminrights.md) +Video: [Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) ## Setting up Common Scenarios Most Customers need right away 
@@ -121,14 +121,14 @@ customers to perform: As such we have some Helper Tools for these specific scenarios and pre-configured guidance to get them set up. -![poc2](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc2.webp) +![poc2](/img/product_docs/policypak/policypak/leastprivilege/poc2.webp) For an overview, please see -[Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md) +[Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) and watch all videos in that section. And because there’s an additional way to change Network Card Settings, you’ll want to also add an -extra rule which you can learn how to do here: [COM Support](../video/leastprivilege/comsupport.md) +extra rule which you can learn how to do here: [COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) ## (Optional, Recommended): Creating an “example machine” with applications you know you need to overcome and (Part 3B) using Endpoint Policy Manager recommended rules @@ -144,9 +144,9 @@ software won’t work as expected and should present UAC prompts. For more in formation on Endpoint Policy Manager Least Privilege Manager Pre-Configured rules, and to to see how many you can use right away, without having to generate your own rules, please see -[Installing applications-and-Preconfigured-Rules](../video/leastprivilege/installapplications.md) +[Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) -![poc3](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc3.webp) +![poc3](/img/product_docs/policypak/policypak/leastprivilege/poc3.webp) For the remaining applications where Endpoint Policy Manager Least Privilege Manager doesn’t have pre-configured rules, you’ll have to create your own rules. 
@@ -155,10 +155,10 @@ You need to get familiar with the Best Practices, so you don’t “over permiss Therefore, as you go to create rules for your remaining applications on your test machine, please be familiar with the following video content: -- [Best Practices for Elevating User-Based Installs](../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) -- [Security and Child Processes](../video/leastprivilege/bestpractices/securitychildprocesses.md) -- [Increase security by reducing rights on Open/Save dialogs](../video/leastprivilege/bestpractices/opensavedialogs.md) -- [Endpoint Privilege Manager and Wildcards](../video/leastprivilege/bestpractices/wildcards.md) +- [Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) +- [Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) +- [Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) +- [Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) The more rules you can create to overcome your UAC prompts in these test machined, the easier it will be down the line, so users are only left with the UAC prompts you didn’t know about. 
@@ -168,7 +168,7 @@ will be down the line, so users are only left with the UAC prompts you didn’t If you are already a Netwrix Privilege Secure customer, you might want to also tie in Endpoint Policy Manager to Netwrix Privilege Secure. If you wish to perform these steps, please refer to this video: -[Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](../video/leastprivilege/integration/privilegesecureclient.md) +[Netwrix Privilege Secure and the NPS/Endpoint Policy Manager Client](/docs/policypak/policypak/video/leastprivilege/integration/privilegesecureclient.md) ## Turn on Global Auditing & Discovery to generate Interesting Events @@ -177,17 +177,17 @@ on endpoint machines. You can turn on Auditing & Discovery to generate interesti run (or attempt to run) many applications with Local Admin Rights. The two items you should turn on for starters are below. -![poc4](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc4.webp) +![poc4](/img/product_docs/policypak/policypak/leastprivilege/poc4.webp) The way you do this is a little different from Group Policy vs. Endpoint Policy Manager Cloud. We recommend getting familiar with Eventing in general, and then turning on Discovery. Additionally, you can Auto-Create Policy from Global Audit Events once you’ve learned which applications require elevation. For more information on this issue, please see: -[Events](../video/leastprivilege/events.md) +[Events](/docs/policypak/policypak/video/leastprivilege/events.md) Resulting events on endpoints look similar to an item like this: -![poc5](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc5.webp) +![poc5](/img/product_docs/policypak/policypak/leastprivilege/poc5.webp) List of Endpoint Policy Manager Event Categories and IDs: 
@@ -203,7 +203,7 @@ List of Endpoint Policy Manager Event Categories and IDs: If you are using Endpoint Policy Manager Cloud, this is enabled automatically for you. However, you need to turn it on for each Cloud group. For more information on this issue, please see: -[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../video/leastprivilege/cloudevents.md) +[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md) **NOTE:** Endpoint Policy Manager Cloud Trailers and Customers get 24-hours of rolling logs stored. You can talk with Endpoint Policy Manager Sales about how to increase the number of days stored in 
@@ -212,20 +212,20 @@ Endpoint Policy Manager Cloud. If you are already a Netwrix Auditor Customer, you can forward interesting Endpoint Policy Manager Least Privilege Manager events from endpoint computers to Netwrix Auditor so you can take action. This is recommended if you already own Netwrix Auditor For more information on this, please see: -[How to use Netwrix Auditor to Report on Endpoint Policy Manager events](../integration/auditor/reports.md). +[How to use Netwrix Auditor to Report on Endpoint Policy Manager events](/docs/policypak/policypak/integration/auditor/reports.md). An example of the kind of data you get back can be seen here. -![poc12](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc12.webp) +![poc12](/img/product_docs/policypak/policypak/leastprivilege/poc12.webp) You may also use the in-box Windows Event System to forward interesting Endpoint Policy Manager Least Privilege Manager events from endpoint computers to a central source. The steps to do this are found here: -[How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](windowseventforwarding.md) +[How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) You may also use Azure Log Analytics if you wish to store interesting Endpoint Policy Manager Least Privilege Manager events from endpoints in Azure. For more information on this issue, please see: -[Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](../tips/eventlogs.md). +[Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](/docs/policypak/policypak/tips/eventlogs.md). ## Removing End-Users’ Local Admin Rights (if they still have them) 
@@ -234,7 +234,7 @@ your users are still running with Local Admin Rights. However, we often get the perform this as a bulk task to remove Local Admin Rights from end-users. For information on how to perform this, please see -[Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../video/leastprivilege/removelocaladmin.md). +[Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md). While you can remove end-users local admin rights all at once, we recommend you proceed gradually. This will avoid potential issues with an increase in requests for help as users may need access in some situations. 
@@ -244,17 +244,17 @@ some situations. Once you have events generating on endpoints and you have access to those events (directly or via Event Forwarding, Netwrix Auditor, or another source), you can auto-create rules from those events. -![poc10](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc10.webp) +![poc10](/img/product_docs/policypak/policypak/leastprivilege/poc10.webp) For details on how to do this on-prem, please see -[Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md)[Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md) +[Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md)[Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) For details on how to do it with Endpoint Policy Manager Cloud, please see -[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../video/leastprivilege/cloudevents.md). +[Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md). Note there is a new (not shown in the video) Generate Rule(s) button in Endpoint Policy Manager Cloud. -![poc11](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc11.webp) +![poc11](/img/product_docs/policypak/policypak/leastprivilege/poc11.webp) ## Turn on Admin Approval 
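Review bot: the added "For details on how to do this on-prem" line still carries the same link twice back to back, `[Auto-Create Policy from Global Audit event](...globalauditevent.md)[Auto-Create Policy from Global Audit event](...globalauditevent.md)`, so the rendered page shows the title doubled. Suggest keeping one copy and ending the sentence with a period, as the Cloud sentence that follows does.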
@@ -262,10 +262,10 @@ You’ve already created the rules for the applications you know, and turned on the applications you don’t know. However, you can also enable end users to be proactive and request one-time workarounds for UAC prompts without an automatic rule in place. -![poc6](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc6.webp) +![poc6](/img/product_docs/policypak/policypak/leastprivilege/poc6.webp) For more in formation on the Endpoint Policy Manager Admin Approval feature, please see -[Admin Approval demo](../video/leastprivilege/adminapproval/demo.md) (all the videos in that +[Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) (all the videos in that section). The goal is to minimize the times when users need one-off approval where you can implement automatic @@ -276,10 +276,10 @@ rules from the details you gather. Admin Approval and other Endpoint Policy Manager Least Privilege Manager dialogs that appear to users can be branded with your company logo, colors, and text messages. -![poc7](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc7.webp) +![poc7](/img/product_docs/policypak/policypak/leastprivilege/poc7.webp) For more information on branding, please see -[Branding the UI and Dialogs](../video/leastprivilege/branding.md). +[Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md). ## (Optional): Turn on Self Elevate 
@@ -287,15 +287,15 @@ Use Endpoint Policy Manager Least Privilege Manager Self Elevate mode to overcom without requiring specific rules. This is useful if you want to take away local admin rights, but still give users the ability to "break the glass" if they have an emergency. -![poc9](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc9.webp) +![poc9](/img/product_docs/policypak/policypak/leastprivilege/poc9.webp) This technique isn't generally recommended due to a potential lowering of your security posture, but it can be especially useful in the right circumstances. For more information see:: -- [Self Elevate Mode](../video/leastprivilege/selfelevatemode/demo.md) -- [Endpoint Privilege: Re-Authenticate with Self Elevate](../video/leastprivilege/selfelevatemode/reauthenticate.md) +- [Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md) +- [Endpoint Privilege: Re-Authenticate with Self Elevate](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/reauthenticate.md) ## (Optional) Turning on Endpoint Policy Manager SecureRun(TM) @@ -307,7 +307,7 @@ flash drive, they own the file, and since they aren't on the SecureRun™ Member Policy Manager Least Privilege Manager will block all applications that you (the admin on the machine) didn’t install. -![poc13](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc13.webp) +![poc13](/img/product_docs/policypak/policypak/leastprivilege/poc13.webp) However, if users were accustomed to downloading their applications, when Endpoint Policy Manager SecureRun is enabled you could get an increase in helpdesk calls from users unable to run 
@@ -324,7 +324,7 @@ Computername\Administrator, the SYSTEM, TrustedInstaller, or other Administrator Refer to the Global Auditing step to re-enable these settings to turn on Events for Untrusted and optionally unsigned applications. -![poc15](../../../../static/img/product_docs/policypak/policypak/leastprivilege/poc15.webp) +![poc15](/img/product_docs/policypak/policypak/leastprivilege/poc15.webp) Endpoint Policy Manager Least Privilege Manager Discovery Audit Policy Events Additional Notes @@ -338,10 +338,10 @@ Then you can investigate those Event IDs that come in and create Allow and Log a more about how Endpoint Policy Manager Least Privilege Manager SecureRun helps you keep ransomware and unknown applications at bay, but open up specific applications as needed with Allow and Log actions, please see -[Using Least Privilege Manager's SecureRun Feature](../video/leastprivilege/securerun/feature.md) +[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) For general tips on how to use SecureRun™ please see -[How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](securerun/allowinlinecommands.md) +[How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md) ## Final Thoughts 
@@ -362,11 +362,11 @@ Estimated Milestone Details and Target Dates | Milestone | Details & Tasks | | | ----------------------------------------------------------------- | -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Group Policy method and not some other method or some kind of hybrid approach: See [PolicyPak Solution Methods: Group Policy, MDM, UEM Tools, and PolicyPak Cloud compared](https://helpcenter.netwrix.com/bundle/PolicyPak/page/Content/PolicyPak/Video/GettingStarted/SolutionMethods.html). - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Download Endpoint Policy Manager from portal.policypak.com and get organized. See [Netwrix Endpoint Policy Manager Quick Start](../gettingstarted/quickstart/overview.md) . - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](../gettingstarted/quickstart/overview.md) . - Get familiar with Endpoint Policy Manager + Group Policy Basics . See [Endpoint Policy Manager Explained: In about two minutes](../video/grouppolicy/explained.md) - On three developer machines perform the quick-licensing method via rename method. See [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../license/trial.md) or run licensing tool. After receiving your trial keys from sales, install your trial or full licenses for your on-prem Active Directory. See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) - Install the Endpoint Policy Manager CSE on the three developer stations. - Move 3 developers into Active Directory OU named “Endpoint Policy Manager Test Devs” . 
- Verify Endpoint Policy Manager Least Privilege Manager is working with the “Device Manager” test. See [Kill Local Admin Rights (Run applications with Least Privilege)](../video/leastprivilege/localadminrights.md) - Create a Group Policy Object which turns on PPLPM Global Auditing. See [Use Discovery to know what rules to make as you transition from Local Admin rights](../video/leastprivilege/discovery.md) . - Identify KNOWN applications for Development stations which require Admin rights. | Day 1 - 3 | -| M2 Install PolicyPak CSE, common scenarios and known applications | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success (NO POLICIES, just the Endpoint Policy Manager moving parts) - (Optional) Set up Common Scenarios: - Printers, Remove Programs and IP Address changes. See [Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md) - Second Method for Network Cards: [COM Support](../video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. - [Best Practices for Elevating User-Based Installs](../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](../video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](../video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](../video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](../video/leastprivilege/installapplications.md) | Day 4 -6 | -| M3 Set up Event Forwarding | - Pick one (or choose another method, like Splunk, etc.) . - Event Forwarding with Netwrix Auditor. See [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](../integration/auditor/reports.md) - Event Forwarding with Windows Eventing. 
See [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](windowseventforwarding.md) - Event Forwarding with Azure Log Analytics. See [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](../tips/eventlogs.md) | Day 7 -9 | -| M4 Begin Test | - Remove local admin rights for 3 developer endpoints. One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events. See [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md). - Set up Admin Approval (Secret / policy). See [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md) and [Admin Approval demo](../video/leastprivilege/adminapproval/demo.md) - Set up Endpoint Policy Manager Least Privilege Manager “Approvers” workflow (Identify APPROVER(s), get the AA tool up and going). - Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding. See [Branding the UI and Dialogs](../video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. - Look at incoming EVENTS to determine the issues to make more rules. | Day 10 | -| M5 Review Events | - Turn on Self Elevate for existing 3 developers. - Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. ([Self Elevate Mode](../video/leastprivilege/selfelevatemode/demo.md)). - Review EVENTS to determine the issues to create rules. 
| Day 11 | +| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Group Policy method and not some other method or some kind of hybrid approach: See [PolicyPak Solution Methods: Group Policy, MDM, UEM Tools, and PolicyPak Cloud compared](https://helpcenter.netwrix.com/bundle/PolicyPak/page/Content/PolicyPak/Video/GettingStarted/SolutionMethods.html). - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Download Endpoint Policy Manager from portal.policypak.com and get organized. See [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) . - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) . - Get familiar with Endpoint Policy Manager + Group Policy Basics . See [Endpoint Policy Manager Explained: In about two minutes](/docs/policypak/policypak/video/grouppolicy/explained.md) - On three developer machines perform the quick-licensing method via rename method. See [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) or run licensing tool. After receiving your trial keys from sales, install your trial or full licenses for your on-prem Active Directory. See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) - Install the Endpoint Policy Manager CSE on the three developer stations. - Move 3 developers into Active Directory OU named “Endpoint Policy Manager Test Devs” . - Verify Endpoint Policy Manager Least Privilege Manager is working with the “Device Manager” test. 
See [Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) - Create a Group Policy Object which turns on PPLPM Global Auditing. See [Use Discovery to know what rules to make as you transition from Local Admin rights](/docs/policypak/policypak/video/leastprivilege/discovery.md) . - Identify KNOWN applications for Development stations which require Admin rights. | Day 1 - 3 | +| M2 Install PolicyPak CSE, common scenarios and known applications | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success (NO POLICIES, just the Endpoint Policy Manager moving parts) - (Optional) Set up Common Scenarios: - Printers, Remove Programs and IP Address changes. See [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) - Second Method for Network Cards: [COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. - [Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) | Day 4 -6 | +| M3 Set up Event Forwarding | - Pick one (or choose another method, like Splunk, etc.) . - Event Forwarding with Netwrix Auditor. 
See [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](/docs/policypak/policypak/integration/auditor/reports.md) - Event Forwarding with Windows Eventing. See [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) - Event Forwarding with Azure Log Analytics. See [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](/docs/policypak/policypak/tips/eventlogs.md) | Day 7 -9 | +| M4 Begin Test | - Remove local admin rights for 3 developer endpoints. One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events. See [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md). - Set up Admin Approval (Secret / policy). See [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) and [Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) - Set up Endpoint Policy Manager Least Privilege Manager “Approvers” workflow (Identify APPROVER(s), get the AA tool up and going). - Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding. See [Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. - Look at incoming EVENTS to determine the issues to make more rules. | Day 10 | +| M5 Review Events | - Turn on Self Elevate for existing 3 developers. 
- Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. ([Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md)). - Review EVENTS to determine the issues to create rules. | Day 11 | | M6 Addition | - Add 7 more developer PCs to existing 3 and remove local admin rights using existing rules. (Don’t use Self elevate on new 7 endpoint, just the first three.) | Day 12 | | M7 Review Events | - Look at EVENTS to determine the issues to make more rules. - Investigate if SELF ELEVATE is being used or not by the 3 first developers (vs. Admin approval vs Direct Rules). - The is to get to as many direct rules as possible in the fastest amount of time. | Day 13 | | M8 Make Rules | Make more Direct rules from 10 endpoints | Day 14 | 
@@ -379,7 +379,7 @@ Estimated Milestone Details and Target Dates | M15 Addition | Add +5 endpoints Endpoint Policy Manager Active Directory OU and remove their local admin rights. | Day 21 | | M16 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 22 | | M17 Remaining | Add Remaining endpoints to Endpoint Policy Manager Active Directory OU and remove their local admin rights. | Day 23 | -| M18 SecureRun (Optional) | • Turn on Global Auditing for Untrusted and Unsigned applications. • Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](../video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](securerun/allowinlinecommands.md) | Day 24 | +| M18 SecureRun (Optional) | • Turn on Global Auditing for Untrusted and Unsigned applications. • Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md) | Day 24 | | M19 SecureRun Rollout (Optional) | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 25+ | ## Appendix B: Sample Endpoint Privilege Manager Project POC Plan for Endpoint Policy Manager Cloud, removing local admin rights for 30 Developers. 
@@ -388,10 +388,10 @@ Estimated Milestone Details and Target Dates | Milestone | Details & Tasks | | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------- | ------- | -| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Cloud method and not some other method or some kind of hybrid approach. See [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](../video/gettingstarted/solutionmethods.md) - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Get familiar with Endpoint Policy Manager Cloud Basics. See [Endpoint Policy Manager Cloud: Two minute introduction](../video/cloud/introduction.md) - Download Endpoint Policy Manager bits from portal.policypak.com and Cloud MSI from cloud.policypak.com and get organized [Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md). - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](../gettingstarted/quickstart/overview.md) - Set up on prem test lab, even though we’re using Endpoint Policy Manager Cloud (Best Practice). See [Endpoint Policy Manager Cloud: What you need to get Started](../video/cloud/testlab/start.md). - Install Endpoint Policy Manager Cloud Client which automatically installs the Endpoint Policy Manager CSE on 3 devices. - Identify the remaining devices for POC, but focus on first three. - Move 3 Endpoint Policy Manager cloud joined devices to Endpoint Policy Manager Cloud Company “GROUP1”. - Verify Endpoint Policy Manager Least Privilege Manager is working with the “Device Manager” test. See [Kill Local Admin Rights (Run applications with Least Privilege)](../video/leastprivilege/localadminrights.md) - Turn on PPLPM Global Auditing for Cloud. See [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](../video/leastprivilege/cloudevents.md) - Test to make sure PPC Events are seen in Endpoint Policy Manager Cloud. 
- Identify KNOWN applications for Development stations which require Admin rights. | Day 1-3 | -| M2 Install PPC | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success. (NO POLICIES, just the Endpoint Policy Manager moving parts.). - (Optional) Set up Common Scenarios for Printers, Remove Programs and IP Address changes. - [Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md) - [COM Support](../video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. - [Best Practices for Elevating User-Based Installs](../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](../video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](../video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](../video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](../video/leastprivilege/installapplications.md) | Day 4-6 | -| M3 Begin Test | - Remove local admin rights for 3 developer endpoints. One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md) - Set up Admin Approval (Secret / policy): [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md) and [Admin Approval demo](../video/leastprivilege/adminapproval/demo.md) - Set up Endpoint Policy Manager Least Privilege Manager “Approvers” workflow (Identify APPROVER(s), get the AA tool up and going.) 
- Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding: [Branding the UI and Dialogs](../video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. - Look at incoming EVENTS in Endpoint Policy Manager Cloud to determine the issues to make more rules. | Day 7-8 | -| M4 Review Events | - Turn on Self Elevate for existing 3 developers. - Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. See [Self Elevate Mode](../video/leastprivilege/selfelevatemode/demo.md) - Review EVENTS to determine the issues to create rules. | Day 9 | +| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Cloud method and not some other method or some kind of hybrid approach. See [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](/docs/policypak/policypak/video/gettingstarted/solutionmethods.md) - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Get familiar with Endpoint Policy Manager Cloud Basics. See [Endpoint Policy Manager Cloud: Two minute introduction](/docs/policypak/policypak/video/cloud/introduction.md) - Download Endpoint Policy Manager bits from portal.policypak.com and Cloud MSI from cloud.policypak.com and get organized [Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md). - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) - Set up on prem test lab, even though we’re using Endpoint Policy Manager Cloud (Best Practice). See [Endpoint Policy Manager Cloud: What you need to get Started](/docs/policypak/policypak/video/cloud/testlab/start.md). 
- Install Endpoint Policy Manager Cloud Client which automatically installs the Endpoint Policy Manager CSE on 3 devices. - Identify the remaining devices for POC, but focus on first three. - Move 3 Endpoint Policy Manager cloud joined devices to Endpoint Policy Manager Cloud Company “GROUP1”. - Verify Endpoint Policy Manager Least Privilege Manager is working with the “Device Manager” test. See [Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) - Turn on PPLPM Global Auditing for Cloud. See [Endpoint Policy Manager Cloud + PPLPM + Events: Collect Events in the Cloud](/docs/policypak/policypak/video/leastprivilege/cloudevents.md) - Test to make sure PPC Events are seen in Endpoint Policy Manager Cloud. - Identify KNOWN applications for Development stations which require Admin rights. | Day 1-3 | +| M2 Install PPC | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success. (NO POLICIES, just the Endpoint Policy Manager moving parts.). - (Optional) Set up Common Scenarios for Printers, Remove Programs and IP Address changes. - [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) - [COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. 
- [Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) | Day 4-6 | +| M3 Begin Test | - Remove local admin rights for 3 developer endpoints. One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) - Set up Admin Approval (Secret / policy): [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) and [Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) - Set up Endpoint Policy Manager Least Privilege Manager “Approvers” workflow (Identify APPROVER(s), get the AA tool up and going.) - Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding: [Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. 
- Look at incoming EVENTS in Endpoint Policy Manager Cloud to determine the issues to make more rules. | Day 7-8 | +| M4 Review Events | - Turn on Self Elevate for existing 3 developers. - Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. See [Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md) - Review EVENTS to determine the issues to create rules. | Day 9 | | M5 Addition | Add 7 more developer PCs to existing 3 and remove local admin rights using existing rules. (Don’t use Self elevate on new 7 endpoint, just the first three). | Day 10 | | M6 Review Events | - Look at EVENTS to determine the issues to make more rules. - Investigate if SELF ELEVATE is being used or not by the 3 first developers (vs. Admin approval vs Direct Rules.) - Goal is to get to as many direct rules as possible in the fastest amount of time. | Day 11 | | M7 Make Rules | Make more Direct rules from 10 endpoints. | Day 12 | 
@@ -404,7 +404,7 @@ Estimated Milestone Details and Target Dates | M14 Addition | Add +5 endpoints to Endpoint Policy Manager Cloud and remove their local admin rights. | Day 19 | | M15 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 20 | | M16 Remaining | Add Remaining endpoints to Endpoint Policy Manager Cloud and remove their local admin rights. | Day 21 | -| M17 SecureRun Setup | - Turn on Global Auditing for Untrusted and Unsigned applications. - Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](../video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](securerun/allowinlinecommands.md) | Day 22 | +| M17 SecureRun Setup | - Turn on Global Auditing for Untrusted and Unsigned applications. - Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md) | Day 22 | | M18+ SecureRun Rollout | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 23+ | ## Appendix C: Sample Endpoint Privilege Manager Project POC Plan for Endpoint Policy Manager with an MDM service like Intune, removing local admin rights for 30 Developers. 
@@ -413,11 +413,11 @@ Estimated Milestone Details and Target Dates | Milestones | Details & Tasks | | | ------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Cloud method and not some other method or some kind of hybrid approach. See [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](../video/gettingstarted/solutionmethods.md) - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Download Endpoint Policy Manager bits from portal.policypak.com and Cloud MSI from cloud.policypak.com and get organized. See the [Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md). - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](../gettingstarted/quickstart/overview.md) - On ONE machine (any machine) perform the MDM “Walk before you run” test. See [Endpoint Policy Manager and MDM walk before you run](../video/mdm/testsample.md) - On three developer machines perform the quick-licensing method via rename (see[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../license/trial.md) or run licensing tool and after receiving your trial keys from sales, install your trial or full licenses for your MDM licenses. 
See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) - Install the Endpoint Policy Manager CSE on the three developer stations. - Move 3 developers into an Azure/MDM group named “Endpoint Policy Manager Test Devs”. - Target deploy the Endpoint Policy Manager CSE to the group. - Get to understand Endpoint Policy Manager Least Privilege Manager + MDM Service (Exporting policies, then wrapping up XMLs into MSIs). See [Using Least Privilege Manager with your MDM service](../video/leastprivilege/mdm.md) - Verify Endpoint Policy Manager Least Privilege Manager is working wit the “Device Manager” test. See [Kill Local Admin Rights (Run applications with Least Privilege)](../video/leastprivilege/localadminrights.md) - Create a policy which turns on PPLPM Global Auditing, export as XML and wrap up as MSI for deployment via MDM. See [Use Discovery to know what rules to make as you transition from Local Admin rights](../video/leastprivilege/discovery.md) - Identify KNOWN applications for Development stations which require Admin rights. | Day 1-3 | -| M2 Install Endpoint Policy Manager CSE, common scenarios and known applications | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success. (NO POLICIES, just the PolicyPak moving parts). - (Optional) Set up Common Scenarios for Printers, Remove Programs and IP Address changes. See [Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md) and [COM Support](../video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. 
- [Best Practices for Elevating User-Based Installs](../video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](../video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](../video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](../video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](../video/leastprivilege/installapplications.md) | Day 4-6 | -| M3 Set up Event Forwarding | - Pick one (or choose another method, like Splunk, etc.) - Event Forwarding with Netwrix Auditor. See [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](../integration/auditor/reports.md) - Event Forwarding with Windows Eventing. See [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](windowseventforwarding.md) - Event Forwarding with Azure Log Analytics (likely best scenario for MDM environments). See [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](../tips/eventlogs.md) | Day 7-9 | -| M4 Begin Test | - Remove local admin rights for 3 developer endpoints. One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events. See [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md). - Set up Admin Approval (Secret / policy). 
See [Auto-Create Policy from Global Audit event](../video/leastprivilege/globalauditevent.md) and [Admin Approval demo](../video/leastprivilege/adminapproval/demo.md) - Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding. See [Branding the UI and Dialogs](../video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. - Look at incoming EVENTS to determine the issues to make more rules. | Day 10 | -| M5 Review Events | - Turn on Self Elevate for existing 3 developers. - Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. See [Self Elevate Mode](../video/leastprivilege/selfelevatemode/demo.md) - Review EVENTS to determine the issues to create rules. | Day 11 | +| M1 Pre-Requisites | - Verify you actually want to use Endpoint Policy Manager + Cloud method and not some other method or some kind of hybrid approach. See [Endpoint Policy ManagerSolution Methods: Group Policy, MDM, UEM Tools, and Endpoint Policy Manager Cloud compared.](/docs/policypak/policypak/video/gettingstarted/solutionmethods.md) - Identify 3 friendly developers for this project. - Identify the remaining devices for POC, but focus on first three. - Download Endpoint Policy Manager bits from portal.policypak.com and Cloud MSI from cloud.policypak.com and get organized. See the [Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md). - Get the Endpoint Policy Manager Quickstart Guide. See [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) - On ONE machine (any machine) perform the MDM “Walk before you run” test. 
See [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) - On three developer machines perform the quick-licensing method via rename (see[What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) or run licensing tool and after receiving your trial keys from sales, install your trial or full licenses for your MDM licenses. See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) - Install the Endpoint Policy Manager CSE on the three developer stations. - Move 3 developers into an Azure/MDM group named “Endpoint Policy Manager Test Devs”. - Target deploy the Endpoint Policy Manager CSE to the group. - Get to understand Endpoint Policy Manager Least Privilege Manager + MDM Service (Exporting policies, then wrapping up XMLs into MSIs). See [Using Least Privilege Manager with your MDM service](/docs/policypak/policypak/video/leastprivilege/mdm.md) - Verify Endpoint Policy Manager Least Privilege Manager is working wit the “Device Manager” test. See [Kill Local Admin Rights (Run applications with Least Privilege)](/docs/policypak/policypak/video/leastprivilege/localadminrights.md) - Create a policy which turns on PPLPM Global Auditing, export as XML and wrap up as MSI for deployment via MDM. See [Use Discovery to know what rules to make as you transition from Local Admin rights](/docs/policypak/policypak/video/leastprivilege/discovery.md) - Identify KNOWN applications for Development stations which require Admin rights. | Day 1-3 | +| M2 Install Endpoint Policy Manager CSE, common scenarios and known applications | - Install Endpoint Policy Manager CSE on the remaining 27 endpoints; ensure success. (NO POLICIES, just the PolicyPak moving parts). 
- (Optional) Set up Common Scenarios for Printers, Remove Programs and IP Address changes. See [Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) and [COM Support](/docs/policypak/policypak/video/leastprivilege/comsupport.md) - Create rules for KNOWN applications which require ADMIN Rights. - [Best Practices for Elevating User-Based Installs](/docs/policypak/policypak/video/leastprivilege/bestpractices/elevatinguserbasedinstalls.md) - [Security and Child Processes](/docs/policypak/policypak/video/leastprivilege/bestpractices/securitychildprocesses.md) - [Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) - [Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) - Use Endpoint Policy Manager Preconfigured rules when you can. See [Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) | Day 4-6 | +| M3 Set up Event Forwarding | - Pick one (or choose another method, like Splunk, etc.) - Event Forwarding with Netwrix Auditor. See [How to use Netwrix Auditor to Report on Endpoint Policy Manager events](/docs/policypak/policypak/integration/auditor/reports.md) - Event Forwarding with Windows Eventing. See [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) - Event Forwarding with Azure Log Analytics (likely best scenario for MDM environments). See [Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru](/docs/policypak/policypak/tips/eventlogs.md) | Day 7-9 | +| M4 Begin Test | - Remove local admin rights for 3 developer endpoints. 
One suggested method / demo is here (there are other ways to perform this task): [Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md) - Start to Generate Rules from Auditing Events. See [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md). - Set up Admin Approval (Secret / policy). See [Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) and [Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) - Optionally: Set up Endpoint Policy Manager Least Privilege Manager UI branding. See [Branding the UI and Dialogs](/docs/policypak/policypak/video/leastprivilege/branding.md) - Deploy Admin Approval to existing systems. - Optional: Deploy Endpoint Policy Manager Least Privilege Manager Branding to existing systems. - Look at incoming EVENTS to determine the issues to make more rules. | Day 10 | +| M5 Review Events | - Turn on Self Elevate for existing 3 developers. - Create documentation for Developers on how to interact with Endpoint Policy Manager Self Elevate method. See [Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md) - Review EVENTS to determine the issues to create rules. | Day 11 | | M6 Addition | Add 7 more developer PCs to existing 3 and remove local admin rights using existing rules. (Don’t use Self elevate on new 7 endpoint, just the first three.) | Day 12 | | M7 Review Events | - Look at EVENTS to determine the issues to make more rules. - Investigate if SELF ELVATE is being used or not by the 3 first developers (vs. Admin approval vs Direct Rules). - Goal is to get to as many direct rules as possible in the fastest amount of time. | Day 13 | | M8 Make Rules | Make more Direct rules from 10 endpoints. | Day 14 | 
@@ -430,5 +430,5 @@ Estimated Milestone Details and Target Dates | M15 Addition | Add +5 endpoints to Endpoint Policy Manager group and remove their local admin rights. | Day 21 | | M16 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 22 | | M17 Remaining | Add Remaining endpoints to Endpoint Policy Manager group and remove their local admin rights. | Day 23 | -| M18 SecureRun Setup | - Turn on Global Auditing for Untrusted and Unsigned applications. - Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](../video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](securerun/allowinlinecommands.md) | Day 24 | +| M18 SecureRun Setup | - Turn on Global Auditing for Untrusted and Unsigned applications. - Try turning on SecureRun for three developers. - [Using Least Privilege Manager's SecureRun Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) - [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md) | Day 24 | | M19 SecureRun Rollout | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 25+ | diff --git a/docs/policypak/policypak/leastprivilege/preconfiguredxmls.md b/docs/policypak/policypak/leastprivilege/preconfiguredxmls.md index 3124d3cb93..4c9ae7a80f 100644 --- a/docs/policypak/policypak/leastprivilege/preconfiguredxmls.md +++ b/docs/policypak/policypak/leastprivilege/preconfiguredxmls.md 
@@ -4,16 +4,16 @@ Endpoint Policy Manager Least Privilege Manager comes with some preconfigured XM get you started quickly with a variety of common situations and applications. - See the - [Installing applications-and-Preconfigured-Rules](../video/leastprivilege/installapplications.md) + [Installing applications-and-Preconfigured-Rules](/docs/policypak/policypak/video/leastprivilege/installapplications.md) video for an overview of how to use preconfigured Endpoint Policy ManagerLeast Privilege Manager XML examples. - A common request is to overcome the Print dialog. As such we have a preconfigured rule to help with that. See the - [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](../video/leastprivilege/ntprintdialog.md) + [Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](/docs/policypak/policypak/video/leastprivilege/ntprintdialog.md) video for an example. - Another common request is to overcome the Windows Ethernet & IP address GUI. As such we have a preconfigured rule to help with that. See the - [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](../video/leastprivilege/wingui.md) + [Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](/docs/policypak/policypak/video/leastprivilege/wingui.md) video for an example. First, to download the preconfigured XMLs, log onto the PolicyPak Portal, and click **Guidance XMLs @@ -22,7 +22,7 @@ and Scripts (PPLPM, PPBR, PPFAM, & PPSCRIPTS)**. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls.webp) Once these files are downloaded and unpacked, you’ll see a folder named \_PolicyPak Least Privilege Manager XMLs. 
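Review bot: In the `@@ -22,7 +22,7 @@` hunk of preconfiguredxmls.md, the rewritten image line keeps the machine-generated alt text "A screenshot of a computer Description automatically generated", which is split across two lines and says nothing about what is shown. Since the line is already being edited for the path, replace the alt text with a description of the screenshot (the Portal download entry for the Guidance XMLs and Scripts) and put the whole image reference on one line.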
@@ -30,7 +30,7 @@ Manager XMLs. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls_1.webp) If you want to enable users to install CutePDF Reader, you can use the preconfigured XML found in the above folder and drag and drop it to the MMC editor. @@ -38,7 +38,7 @@ the above folder and drag and drop it to the MMC editor. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/preconfigured_xmls_2.webp) After that, the application will install on the endpoints without requiring Admin rights for installation. diff --git a/docs/policypak/policypak/leastprivilege/preferences.md b/docs/policypak/policypak/leastprivilege/preferences.md index 96a1a595b5..97c4e3a6af 100644 --- a/docs/policypak/policypak/leastprivilege/preferences.md +++ b/docs/policypak/policypak/leastprivilege/preferences.md @@ -1,7 +1,7 @@ # Using Group Policy Preferences to Manage Local Admin Groups **NOTE:** See the -[Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](../video/leastprivilege/removelocaladmin.md) +[Use Group Policy to remove local admin rights (then Endpoint Policy Manager to enable Least Privilege)](/docs/policypak/policypak/video/leastprivilege/removelocaladmin.md) video for an overview of using Group Policy preference with Endpoint Policy Manager Least Privilege Manager. 
@@ -22,7 +22,7 @@ Groups** and select **Local Group** . ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/using_group_policy_preferences.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/using_group_policy_preferences.webp) Next, you’ll use the **Update** action which has been selected by default along with the check box to **Delete all member users**.  You may also want to select **Delete all member groups** as well.  @@ -35,7 +35,7 @@ user account should be members. This is achieved by clicking the **Add** button ![A screenshot of a group Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/using_group_policy_preferences_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/using_group_policy_preferences_1.webp) Once the policy is deployed, you will have removed all non-privileged users from the local admins group of all targeted desktops. diff --git a/docs/policypak/policypak/leastprivilege/processorderprecedence.md b/docs/policypak/policypak/leastprivilege/processorderprecedence.md index 8468cf7aca..8b2e5aeeec 100644 --- a/docs/policypak/policypak/leastprivilege/processorderprecedence.md +++ b/docs/policypak/policypak/leastprivilege/processorderprecedence.md @@ -8,7 +8,7 @@ to highest. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/processing_order_and_precedence.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/processing_order_and_precedence.webp) Within any collection, each policy is processed in numerical order from lowest to highest. diff --git a/docs/policypak/policypak/leastprivilege/reauthentication.md b/docs/policypak/policypak/leastprivilege/reauthentication.md index 581e422d0a..87cf6c3358 100644 --- a/docs/policypak/policypak/leastprivilege/reauthentication.md 
+++ b/docs/policypak/policypak/leastprivilege/reauthentication.md @@ -11,14 +11,14 @@ reauthenticate**. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication.webp) **NOTE:** See the -[Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](../video/leastprivilege/bestpractices/selfelevatemode.md) +[Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/bestpractices/selfelevatemode.md) video for a demonstration of Justification text for Self Elevate. **NOTE:** See the -[Endpoint Privilege: Re-Authenticate with Self Elevate](../video/leastprivilege/selfelevatemode/reauthenticate.md) +[Endpoint Privilege: Re-Authenticate with Self Elevate](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/reauthenticate.md) video for a demonstration of re-authentication for Self Elevate. You can force a user to **Require Justification Text** for normal elevation actions, as well as Self 
@@ -30,46 +30,46 @@ The following cases highlight how this might work. **Show popup message** is selected, but neither sub-option are checked. -![A screen shot of a computer Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_1.webp) +![A screen shot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_1.webp) When the application launches, the pop up is presented. Text input from the user is optional. The user must at least click **OK** to continue and launch the application. -![A screenshot of a computer monitor Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_2.webp) +![A screenshot of a computer monitor Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_2.webp) ## Case 2 **Show popup message** and **Justification text required** are selected, but **Force user re-authenticate** is not. -![A screen shot of a message Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_3.webp) +![A screen shot of a message Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_3.webp) The pop-up box appears, and user must type in something before continuing onward by pressing **OK** button. 
-![A screenshot of a computer error message Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_4.webp) +![A screenshot of a computer error message Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_4.webp) ## Case 3 **Show popup message** and **Force user re-authenticate** is selected, but **Justification text required** is not. -![A screenshot of a computer screen Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_5.webp) +![A screenshot of a computer screen Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_5.webp) The user is required to re-authenticate, but then the pop-up occurs, no text input is required by the user. -![A screenshot of a computer Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_6.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_6.webp) ## Case 4 **Force user re-authenticate** and **Justification text required** are both selected. -![A screenshot of a computer Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_7.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_7.webp) The User must re-authenticate, then when a pop-up is shown, theuser must type in something before **OK** is allowed an application proceeds. 
-![A screenshot of a computer Description automatically generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_8.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_re_authentication_8.webp) diff --git a/docs/policypak/policypak/leastprivilege/reduceadminrights.md b/docs/policypak/policypak/leastprivilege/reduceadminrights.md index e7e8936a83..3d533b86dc 100644 --- a/docs/policypak/policypak/leastprivilege/reduceadminrights.md +++ b/docs/policypak/policypak/leastprivilege/reduceadminrights.md @@ -2,11 +2,11 @@ Yes. The basic steps are in these two screenshots: -![464_1_img-001](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_1_img-001.webp) +![464_1_img-001](/img/product_docs/policypak/policypak/leastprivilege/464_1_img-001.webp) And -![464_2_img-002](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_2_img-002.webp) +![464_2_img-002](/img/product_docs/policypak/policypak/leastprivilege/464_2_img-002.webp) This will work when an Administrator attempts to run something, and you want to force it to be run with Standard User rights. 
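Review bot: In the `@@ -2,11 +2,11 @@` hunk of reduceadminrights.md, the answer is carried entirely by the two images ("Yes. The basic steps are in these two screenshots") and their alt text is just the file names `464_1_img-001` and `464_2_img-002`. A reader who cannot load or see the images gets no procedure at all. Suggest adding the steps as text next to the screenshots, or at least giving each image alt text that names the dialog and the setting chosen.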
@@ -14,19 +14,19 @@ with Standard User rights. That being said, Internet Explorer is a special case. When IE is run normally as an Admin, IE will self-reduce the rights to Low as seen here. -![464_3_img-003](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_3_img-003.webp) +![464_3_img-003](/img/product_docs/policypak/policypak/leastprivilege/464_3_img-003.webp) If, however, an Administrator Runs as Administrator then IE will run Elevated. -![464_4_img-004](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_4_img-004.webp) +![464_4_img-004](/img/product_docs/policypak/policypak/leastprivilege/464_4_img-004.webp) Using a Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege ManagerLeast Privilege Manager rule like in the example below, it is possible to force it so that an Admin who attempts to run IE eleavted will be preventedfrom doing so. -![464_5_img-005](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_5_img-005.webp) +![464_5_img-005](/img/product_docs/policypak/policypak/leastprivilege/464_5_img-005.webp) As a result, even when IE is launched / told to Run as Admin, it will not , and instead run Standard. -![464_6_img-006](../../../../static/img/product_docs/policypak/policypak/leastprivilege/464_6_img-006.webp) +![464_6_img-006](/img/product_docs/policypak/policypak/leastprivilege/464_6_img-006.webp) diff --git a/docs/policypak/policypak/leastprivilege/rules/apply/ondemand.md b/docs/policypak/policypak/leastprivilege/rules/apply/ondemand.md index 6dcf035a9b..53023b2136 100644 --- a/docs/policypak/policypak/leastprivilege/rules/apply/ondemand.md +++ b/docs/policypak/policypak/leastprivilege/rules/apply/ondemand.md 
@@ -1,7 +1,7 @@ # Apply on Demand Rules **NOTE:** See the -[Least Privilege Manager: Apply On Demand](../../../video/leastprivilege/applyondemand.md) video for +[Least Privilege Manager: Apply On Demand](/docs/policypak/policypak/video/leastprivilege/applyondemand.md) video for information on Endpoint Policy ManagerLeast Privilege Manager Apply on Demand. The Apply on Demand feature enables advanced users to know when they should self-elevate their own @@ -19,7 +19,7 @@ and set the action to **Apply on Demand**. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules.webp) The result of this change (after running GPupdate) is that when the end-user tries to run Procmon, they will see the standard UAC prompt. @@ -31,7 +31,7 @@ prompt (if the application requires UAC), like the one shown here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules.webp) The user will now need to right-click the application and choose **Run with Endpoint Policy Manager On-Demand**. 
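Review bot: The image in this `@@ -31,7 +31,7 @@` hunk resolves to `apply_on_demand_rules.webp`, the same file used in the `@@ -19,7 +19,7 @@` hunk above. The first use illustrates setting the rule action to **Apply on Demand**, while this one follows "like the one shown here" in a sentence about the UAC prompt, so one of the two is probably pointing at the wrong screenshot. The path rewrite preserves the old target faithfully, but it is worth confirming which image belongs here before merging.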
@@ -39,11 +39,11 @@ On-Demand**. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/apply_on_demand_rules_1.webp) **NOTE:** You can change the name of the menu item from **Run with** Endpoint Policy Manager **On-Demand** via Global Settings Policy.. See the -[Best Practices and Miscellaneous Topics](../../bestpractices/overviewmisc.md) topic for additional +[Best Practices and Miscellaneous Topics](/docs/policypak/policypak/leastprivilege/bestpractices/overviewmisc.md) topic for additional information on Global Settings Policy. When the user does this, the application launches, bypassing the UAC prompt. diff --git a/docs/policypak/policypak/leastprivilege/rules/apply/selfelevation.md b/docs/policypak/policypak/leastprivilege/rules/apply/selfelevation.md index 8c0c618046..24254e70fb 100644 --- a/docs/policypak/policypak/leastprivilege/rules/apply/selfelevation.md +++ b/docs/policypak/policypak/leastprivilege/rules/apply/selfelevation.md @@ -1,7 +1,7 @@ # Self-Elevation Rules **NOTE:** See the -[Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](../../../video/leastprivilege/bestpractices/selfelevatemode.md) +[Endpoint Policy Manager Least Priv Manager: Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/bestpractices/selfelevatemode.md) video for information on Endpoint Policy Manager Least Privilege Manager self-elevation rules. There is a self-elevation mode for special situations as well. Although this mode is normally not 
@@ -27,7 +27,7 @@ Start by creating a new self-elevation policy as seen here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules.webp) You can then select which types of executables you will allow for self-elevation. Here, we have chosen EXE and MSI applications. @@ -35,7 +35,7 @@ chosen EXE and MSI applications. ![A screenshot of a computer screen Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_1.webp) You must specify at least one group or user for the policy, even if the policy is targeted at the organizational unit (OU) level. Unless you choose someone to direct the policy to, the policy will @@ -44,7 +44,7 @@ not apply to anyone. In this example, the EastSalesUsers has been chosen. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_2.webp) In order for a user to self-elevate an application, they have to right-click the application and choose the self-elevation command from the context menu. You can choose to create a custom name for 
@@ -54,7 +54,7 @@ remind users that all self-elevated actions are audited, as is seen here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_3.webp) The final screen requires you to name the policy. You can also require justification text and/or re-authentication to Windows (which works with Windows Hello, etc.) @@ -65,7 +65,7 @@ re-authenticate before the application is launched. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_4.webp) So in this scenario, let us say that EastSalesUser1 operating as a standard user wants to run Procmon, which requires local admin rights. While they cannot run the application normally, they can @@ -74,7 +74,7 @@ right-click on the application and select **Run Self Elevated with Endpoint Poli ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_5.webp) Here you can see the Endpoint Policy Manager Self Elevation prompt that the user will see. The customized message created earlier appears here. Because justification text was required, the user 
@@ -84,14 +84,14 @@ application will open. ![A screenshot of a computer error Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_6.webp) If Force Reauthentication is selected, the behavior is like what is seen here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_7.webp) Self-elevated application requests are audited in Windows Event Viewer. There are two Event IDs associated with Endpoint Policy Manager Self Elevation. Note that the username and application are @@ -100,4 +100,4 @@ included in the log information. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_8.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/apply/self_elevation_rules_8.webp) diff --git a/docs/policypak/policypak/leastprivilege/rules/customizedtoken.md b/docs/policypak/policypak/leastprivilege/rules/customizedtoken.md index e61378136a..42c28296df 100644 --- a/docs/policypak/policypak/leastprivilege/rules/customizedtoken.md +++ b/docs/policypak/policypak/leastprivilege/rules/customizedtoken.md 
@@ -7,7 +7,7 @@ rule. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/run_with_customized_token.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/run_with_customized_token.webp) Here you can change a variety of functions about the token including its permissions, privileges and security, as well as Integrity level. @@ -15,8 +15,8 @@ security, as well as Integrity level. The common use cases for needing to manage a customized token are: - Handling service accounts’ permissions.For more in formation, see the - [Reduce or specify Service Account Rights](../../video/leastprivilege/bestpractices/serviceaccountrights.md) + [Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md) video demonstration. - Drag-and-drop issues between applications. For ore information, see the - [I elevated an application, but drag and drop between the elevated and other non-elevated applications isn't working anymore. What can I try?](../elevate/dragdrop.md) + [I elevated an application, but drag and drop between the elevated and other non-elevated applications isn't working anymore. What can I try?](/docs/policypak/policypak/leastprivilege/elevate/dragdrop.md) topic. diff --git a/docs/policypak/policypak/leastprivilege/rules/overview.md b/docs/policypak/policypak/leastprivilege/rules/overview.md index 90b8f04d4d..87e672184f 100644 --- a/docs/policypak/policypak/leastprivilege/rules/overview.md +++ b/docs/policypak/policypak/leastprivilege/rules/overview.md 
@@ -5,7 +5,7 @@ Endpoint Policy ManagerLeast Privilege Manager is located within the Netwrix Pri ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_1.webp) **NOTE:** You will only see all components of Endpoint Policy Manager if you download the Endpoint Policy Manager Admin Console from Portal.PolicyPak.com, but not if you are using only the Netwrix @@ -16,7 +16,7 @@ within the Netwrix Endpoint Policy Manager (formerly PolicyPak) node to demonstr between Endpoint Policy Manager and Netwrix Privilege Secure. That is, you can use all of Endpoint Policy Manager (all Endpoint Policy Manager components) or you may wish to use Endpoint Policy Manager alongside Netwrix Privilege Secure. For more information, see the -[Endpoint Policy Manager & Netwrix Privilege Secure](../../integration/privilegesecure/overview.md) +[Endpoint Policy Manager & Netwrix Privilege Secure](/docs/policypak/policypak/integration/privilegesecure/overview.md) topic. Endpoint Policy Manager MMC snap-in enables you to create new Endpoint Policy Manager Least @@ -28,7 +28,7 @@ create collections, and policies within collections, on the User side, the Compu ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_2.webp) Endpoint Policy ManagerLeast Privilege Manager can elevate (or block) the following: 
@@ -56,7 +56,7 @@ permitted. The application requires local admin rights, resulting in a prompt fo ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_3.webp) To participate in the Quick Start exercises, [download](http://go.skype.com/msi-download) Skype MSI for Windows via their website. @@ -68,7 +68,7 @@ When a Standard User attempts to install Skype MSI installer, they are not allow ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_4.webp) The final example is downloading a portable app. A portable app is an application that can be downloaded anytime by a user. Sometimes it requires no installation; other times, it must be @@ -84,7 +84,7 @@ Notepad2. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_5.webp) The Standard User can now open the folder and immediately run the EXE file and use the app. Despite the fact that this application could be a virus or crypto-malware, the user with standard rights can @@ -93,7 +93,7 @@ still run it. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_6.webp) In the Quick Start examples with Endpoint Policy Manager Least Privilege Manager, the goals are as follows: 
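Review bot: In the `@@ -56,7 +56,7 @@` hunk of rules/overview.md, the context line sends readers to `http://go.skype.com/msi-download` to fetch the Skype MSI that the Quick Start then elevates. An installer that is about to be run with admin rights should not be linked over plain HTTP; since this hunk is already open, switch the link to an `https://` URL after checking that it resolves.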
@@ -118,7 +118,7 @@ The examples we will look at are: ![A computer screen shot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/rules/rules_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/rules/rules_7.webp) For these examples, keep copies of Process Monitor and NotePad2 Portable handy to serve as a reference from your management station. These are not installed apps; you will be attempting to run diff --git a/docs/policypak/policypak/leastprivilege/runasadmin.md b/docs/policypak/policypak/leastprivilege/runasadmin.md index 7d2020d3f9..17dfc30be2 100644 --- a/docs/policypak/policypak/leastprivilege/runasadmin.md +++ b/docs/policypak/policypak/leastprivilege/runasadmin.md @@ -5,9 +5,9 @@ users to elevate the native printers’ dialog, known as elevating NTPRINT.EXE, Windows Settings control (SystemSettingsAdminFlows.exe). You can review examples of these changes in these two videos: -[Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](../video/leastprivilege/ntprintdialog.md) +[Endpoint Privilege Manager: Install Printers via Native NTPRINT Dialog](/docs/policypak/policypak/video/leastprivilege/ntprintdialog.md) -[Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](../video/leastprivilege/wingui.md) +[Endpoint Privilege Manager: Edit IP SETTINGS EDIT VIA WIN GUI](/docs/policypak/policypak/video/leastprivilege/wingui.md) When we added this functionality, we also had to also change the behavior for any explicit elevation request normally handled by **Run As Administrator** requests. 
@@ -15,17 +15,17 @@ request normally handled by **Run As Administrator** requests. Starting in Endpoint Policy Manager CSE 3425, you can modify the Run As Administrator behavior depending on the goal you would like to accomplish. You can use Endpoint Policy Manager ADMX settings to control it. Use this reference to get familiar with the Endpoint Policy Manager ADMX -first: [Troubleshooting with ADMX files](../video/troubleshooting/admxfiles.md) +first: [Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) -![862_1_image-20230228200619-1_950x319](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_1_image-20230228200619-1_950x319.webp) +![862_1_image-20230228200619-1_950x319](/img/product_docs/policypak/policypak/leastprivilege/862_1_image-20230228200619-1_950x319.webp) **NOTE:** These ADMX settings are also built into Endpoint Policy Manager Cloud and you're welcome to use those as well.  The policy screen shots below in this article were all taken from Endpoint Policy Manager Cloud. -![1243_2_232bf02612716c9cb1420ae8801dbfd2](../../../../static/img/product_docs/policypak/policypak/leastprivilege/1243_2_232bf02612716c9cb1420ae8801dbfd2.webp) +![1243_2_232bf02612716c9cb1420ae8801dbfd2](/img/product_docs/policypak/policypak/leastprivilege/1243_2_232bf02612716c9cb1420ae8801dbfd2.webp) -![1243_3_850e299116b6ef01db03df49923a61df](../../../../static/img/product_docs/policypak/policypak/leastprivilege/1243_3_850e299116b6ef01db03df49923a61df.webp) +![1243_3_850e299116b6ef01db03df49923a61df](/img/product_docs/policypak/policypak/leastprivilege/1243_3_850e299116b6ef01db03df49923a61df.webp) The corresponding Registry location for this setting is: 
@@ -40,15 +40,15 @@ administrator**. All three of these methods will perform default Endpoint Policy Below are examples showing this (using Endpoint Policy Manager Cloud). -![862_2_image-20230228200619-2](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_2_image-20230228200619-2.webp) +![862_2_image-20230228200619-2](/img/product_docs/policypak/policypak/leastprivilege/862_2_image-20230228200619-2.webp) -![862_3_image-20230228200619-3](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_3_image-20230228200619-3.webp) +![862_3_image-20230228200619-3](/img/product_docs/policypak/policypak/leastprivilege/862_3_image-20230228200619-3.webp) OR -![862_4_image-20230228200619-4](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_4_image-20230228200619-4.webp) +![862_4_image-20230228200619-4](/img/product_docs/policypak/policypak/leastprivilege/862_4_image-20230228200619-4.webp) -![862_5_image-20230601152059-6](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_5_image-20230601152059-6.webp) +![862_5_image-20230601152059-6](/img/product_docs/policypak/policypak/leastprivilege/862_5_image-20230601152059-6.webp) ## Scenario 2: I don't need to use the native tools to elevate printers (aka NTPRINT.EXE) or Windows Settings (aka SystemSettingsAdminFlows.exe) and I'm having some issues with shortcuts and Run as administrator. 
@@ -59,7 +59,7 @@ users normally interact with Run as administrator commands. Here’s an example When right-clicking an executable and selecting Run as administrator, you receive the following error: “There are no more endpoints available from the endpoint mapper”. -![862_6_image-20230228200619-5](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_6_image-20230228200619-5.webp) +![862_6_image-20230228200619-5](/img/product_docs/policypak/policypak/leastprivilege/862_6_image-20230228200619-5.webp) If you want to work around this issue, you could specify Configure processing Explicit-Elevation requests for processes: **Enabled + Disable intercept Explicit-Elevation**. 
@@ -68,25 +68,25 @@ This will turn off the new Intercept Explicit-Elevation behavior in LPM and reve administrator to Windows default behavior. As a result,Run as administrator requests will be handled by Windows OS and not Endpoint Policy Manager. -![862_7_image-20230601150106-3_723x496](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_7_image-20230601150106-3_723x496.webp) +![862_7_image-20230601150106-3_723x496](/img/product_docs/policypak/policypak/leastprivilege/862_7_image-20230601150106-3_723x496.webp) -![862_8_image-20230601145346-1](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_8_image-20230601145346-1.webp) +![862_8_image-20230601145346-1](/img/product_docs/policypak/policypak/leastprivilege/862_8_image-20230601145346-1.webp) **NOTE:** Because this method will ALSO turn off NTPRINT.EXE elevations, you can still use the legacy Printer elevation method within “Endpoint Policy Manager Helper Tools” to perform Printer operations in this mode, because it doesn’t rely on the updated functionality to perform elevation directly upon NTPRINT.EXE. To see the Endpoint Policy Manager Helper Tools in action to add printers, please refer to these videos: Least Privilege Manager > -[Video Learning Center](overview/videolearningcenter.md). +[Video Learning Center](/docs/policypak/policypak/leastprivilege/overview/videolearningcenter.md). ## Scenario 3: I want to use the native tools to elevate printers (aka NTPRINT.EXE) AND Windows Settings (aka SystemSettingsAdminFlows.exe) and I also sometimes need to perform Run as administrator operations. In this case, use **Enabled + Enable and use alternative context menu "Run as administrator with Netwrix PolicyPak"**. 
-![862_9_image-20230601150335-4_723x495](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_9_image-20230601150335-4_723x495.webp) +![862_9_image-20230601150335-4_723x495](/img/product_docs/policypak/policypak/leastprivilege/862_9_image-20230601150335-4_723x495.webp) -![862_10_image-20230601151700-5](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_10_image-20230601151700-5.webp) +![862_10_image-20230601151700-5](/img/product_docs/policypak/policypak/leastprivilege/862_10_image-20230601151700-5.webp) This will allow you to elevate NTPRINT.EXE operations. However, when a user selects the original Run as administrator menu option, it will be intercepted by Endpoint Policy Manager (formerly PolicyPak) @@ -97,7 +97,7 @@ menu to ensure UAC works. Here’s an example when this option is selected: -![862_11_image-20230228200619-6_950x146](../../../../static/img/product_docs/policypak/policypak/leastprivilege/862_11_image-20230228200619-6_950x146.webp) +![862_11_image-20230228200619-6_950x146](/img/product_docs/policypak/policypak/leastprivilege/862_11_image-20230228200619-6_950x146.webp) Now users can perform the same Run as administrator type of operation, but they will need to use the Endpoint Policy Manager-supplied Run as administrator with Netwrix PolicyPak. diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/blockadmins.md b/docs/policypak/policypak/leastprivilege/scopefilters/blockadmins.md index dc469c21df..4e5d81edf8 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/blockadmins.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/blockadmins.md 
@@ -1,7 +1,7 @@ # Scenario 3: Running or Elevating Applications or Installers, but Blocking Other Admins from Running Them **NOTE:** For an overview video of this section, see the -[Elevate apps as standard user, BLOCK other Admins](../../video/leastprivilege/bestpractices/appblock.md) +[Elevate apps as standard user, BLOCK other Admins](/docs/policypak/policypak/video/leastprivilege/bestpractices/appblock.md) video . In this scenario you want to do work with Endpoint Policy Manager Least Privilege Manager (Elevate, 
@@ -22,14 +22,14 @@ this. **NOTE:** This group is not available when editing a GPO from a DC, and only available when creating the GPO from a Windows endpoint computer.) -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating.webp) If you want toblock both local admins and domain administrators, then Rule #1 needs to look like this. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating_1.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating_1.webp) Again, rule 2, the rule that does the ELEVATE or ALLOW, is just a standard rule, and can be done on the user or computer side. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating_2.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_3_running_or_elevating_2.webp) diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/blockapp.md b/docs/policypak/policypak/leastprivilege/scopefilters/blockapp.md index 8e5daafcfa..fdebe1919b 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/blockapp.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/blockapp.md 
@@ -1,19 +1,19 @@ # Scenario 2: Specific Rule to Block an App from Being Run, Even as Local System **NOTE:** For an overview of this scenario, see the -[Block PowerShell in General, Open up for specific items](../../video/leastprivilege/bestpractices/powershellblock.md) +[Block PowerShell in General, Open up for specific items](/docs/policypak/policypak/video/leastprivilege/bestpractices/powershellblock.md) video demo. You might want to explicitly block attack vectors such as PSEXEC (which was used in WannaCry) or entirely block PowerShell.  If you specify to do this only on the User side (or set Computer side scope to User processed only), then only user processes will be affected. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to.webp) You can shore up this attack vector by making the explicit deny rule on the Computer side. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to_1.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to_1.webp) When you do, PowerShell is blocked for Standard and System. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to_2.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2_specific_rule_to_2.webp) 
diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/blockpowershell.md b/docs/policypak/policypak/leastprivilege/scopefilters/blockpowershell.md index ebe5988baa..7e9c87ab26 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/blockpowershell.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/blockpowershell.md @@ -6,13 +6,13 @@ However, you might need to run some PowerShell scripts as SYSTEM to perform some Since PowerShell is now being blocked for all Computer side processes, you cannot run a specific script with PowerShel. -![A screen shot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell.webp) +![A screen shot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell.webp) To enable this, simply add another rule to ALLOW AND LOG, for example, C:\SCRIPTS\ITSCRIPT1.ps1, and set the scope to User and System processes, but use the scope Filter to SYSTEM. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell_1.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell_1.webp) Result: -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell_2.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_2b_block_powershell_2.webp) 
diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/elevateserviceaccount.md b/docs/policypak/policypak/leastprivilege/scopefilters/elevateserviceaccount.md index 2415fe8e90..2a063c424e 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/elevateserviceaccount.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/elevateserviceaccount.md @@ -1,14 +1,14 @@ # Scenario 4: Elevating a Service Account **NOTE:** For an overview of this scenario see the -[Reduce or specify Service Account Rights](../../video/leastprivilege/bestpractices/serviceaccountrights.md) +[Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md) video. You might have a service which requires specific privileges. Maybe your service, by default, uses Local System, and you want to give it lessrights. With Endpoint Policy Manager -[Reduce or specify Service Account Rights](../../video/leastprivilege/bestpractices/serviceaccountrights.md), +[Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md), you can remove the powerful privileges of the service account and strip out LOCAL SYSTEM and grant a specific user the permissions required. @@ -29,4 +29,4 @@ should be trimmed to the specific account you specified to run the service runs Tip: It's also possible to use Scope Filter = SERVICES to make the rule apply to all services that run from the specified .exe, regardless of the user. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_4_elevating_a_service.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_4_elevating_a_service.webp) 
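Review bot: in the `@@ -1,14` hunk of elevateserviceaccount.md, the second rewritten link sits mid-sentence where a feature name is expected ("With Endpoint Policy Manager [Reduce or specify Service Account Rights](...), you can remove the powerful privileges of the service account"), and it targets the same serviceaccountrights.md video page that the NOTE at the top of the file already links. Since the line is being touched, consider replacing the link text with the feature name and keeping the single video reference in the NOTE. The context line just above it also reads "lessrights", which is missing a space.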
diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/enhancedsecurerun.md b/docs/policypak/policypak/leastprivilege/scopefilters/enhancedsecurerun.md index bc4c08583e..ad923d0719 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/enhancedsecurerun.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/enhancedsecurerun.md @@ -1,7 +1,7 @@ # Scenario 1: Enhanced SecureRun / Prevent Untrusted Executables and Scripts from Running Even by LOCAL SYSTEM **NOTE:** For an overview of this scenario, see the -[SecureRun to block User AND System executables](../../video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) +[SecureRun to block User AND System executables](/docs/policypak/policypak/video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) video demo. When you apply SecureRun on the user or computer side, you’re saying “Block all untrusted @@ -9,7 +9,7 @@ executables started by users.” This doesn’t (by default) block the attack ve performing the attack. You can see the example below where the Standard User is blocked from an executable attempt, but System is still allowed. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_1_enhanced_securerun.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_1_enhanced_securerun.webp) However, you can switch SecureRun on the computer side to now say “Block all untrusted executables started by users or LOCAL SYSTEM.” You would do this on the Computer side, and specify User and 
@@ -18,7 +18,7 @@ System Processes. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_1_enhanced_securerun_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/scenario_1_enhanced_securerun_1.webp) The result is that both User and System attempts to run un-trusted executables will be prevented. diff --git a/docs/policypak/policypak/leastprivilege/scopefilters/overview.md b/docs/policypak/policypak/leastprivilege/scopefilters/overview.md index ac1505ef3f..e49aa5afe8 100644 --- a/docs/policypak/policypak/leastprivilege/scopefilters/overview.md +++ b/docs/policypak/policypak/leastprivilege/scopefilters/overview.md @@ -6,14 +6,14 @@ Privilege Manager. For instance, it exists in every explicit rule, like this: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping.webp) And also in SecureRun™ rules: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping_1.webp) **NOTE:** The Policy Scope option for Processes is only available when used on the Computer side; on the User side it is greyed out because this setting is only meant to express to the COMPUTER 
@@ -24,7 +24,7 @@ User side. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/scopefilters/understanding_process_scoping_2.webp) In this topic, we will explore various use cases when you might use the Policy Scope option (which again, will only be un-gray / valid on the Computer side.) diff --git a/docs/policypak/policypak/leastprivilege/securecopy.md b/docs/policypak/policypak/leastprivilege/securecopy.md index 45ba62c12c..a65b8cf4d4 100644 --- a/docs/policypak/policypak/leastprivilege/securecopy.md +++ b/docs/policypak/policypak/leastprivilege/securecopy.md @@ -1,7 +1,7 @@ # Understanding SecureCopy **NOTE:** See the -[SecureCopy(TM). Empower users to copy then elevate items](../video/leastprivilege/securecopy.md) +[SecureCopy(TM). Empower users to copy then elevate items](/docs/policypak/policypak/video/leastprivilege/securecopy.md) for a video overview demonstration. Endpoint Policy Manager Least Privilege Manager SecureCopy feature lets you create your own store 
@@ -13,35 +13,35 @@ to a location of your (or their) choice, and perform the installation or running ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy.webp) **Step 2 –** Specify a read only share for users. Pay careful attention to the warning here. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_1.webp) **Step 3 –** Specify the target folder location. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_2.webp) **Step 4 –** Specify the options. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_3.webp) **Step 5 –** Finish the policy. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_4.webp) The result is that users can now use the Copy with Endpoint Policy Manager SecureCopy™ feature to copy items from your store to their locations and then perform automatic elevation on those items. 
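Review bot: all five image lines rewritten in this hunk of securecopy.md (understanding_securecopy.webp through understanding_securecopy_4.webp) keep the alt text "A screenshot of a computer Description automatically generated", which does not tell a reader which wizard page each step shows. Because every one of these lines is already being edited, take the alt text from the step the image illustrates, for example "Specify the target folder location" for the image under Step 3. The same auto-generated alt text appears on the scopefilters images changed earlier in this patch.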
@@ -49,4 +49,4 @@ copy items from your store to their locations and then perform automatic elevati ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/understanding_securecopy_5.webp) diff --git a/docs/policypak/policypak/leastprivilege/securerun/adminapprovalwork.md b/docs/policypak/policypak/leastprivilege/securerun/adminapprovalwork.md index 8a981633f8..24429af555 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/adminapprovalwork.md +++ b/docs/policypak/policypak/leastprivilege/securerun/adminapprovalwork.md @@ -18,4 +18,4 @@ SCENARIO 2: If SecureRun is enabled: - If elevation is required, then Admin Approval will be shown, regardless if the file is owned by a trusted principal or not. -![977_1_image-20230824223216-1_950x550](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/977_1_image-20230824223216-1_950x550.webp) +![977_1_image-20230824223216-1_950x550](/img/product_docs/policypak/policypak/leastprivilege/securerun/977_1_image-20230824223216-1_950x550.webp) diff --git a/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md b/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md index 24b1957205..c6455facd1 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md +++ b/docs/policypak/policypak/leastprivilege/securerun/allowinlinecommands.md 
@@ -8,7 +8,7 @@ cmd /c C:\temp\Random014\camplay.exe With Secure run enabled, the following message is displayed: -![804_1_image-20210819150136-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_1_image-20210819150136-1.webp) +![804_1_image-20210819150136-1](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_1_image-20210819150136-1.webp) To allow this process to work and CamPlay to run, it's not camplay.exe that must be allowed in this example, it's cmd.exe. @@ -24,16 +24,16 @@ run with a random path. **Step 1 –** Add a **New Executable Policy** -![804_2_image-20210819150136-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_2_image-20210819150136-2.webp) +![804_2_image-20210819150136-2](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_2_image-20210819150136-2.webp) **Step 2 –** Select **Combo Rule** -![804_3_image-20210819150136-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_3_image-20210819150136-3.webp) +![804_3_image-20210819150136-3](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_3_image-20210819150136-3.webp) **Step 3 –** Select **Path**, **Command line**, and at least one other Condition to guard against a fraudulent parent process (cmd.exe in this case). -![804_4_image-20210819150136-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_4_image-20210819150136-4.webp) +![804_4_image-20210819150136-4](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_4_image-20210819150136-4.webp) **NOTE:** Either **Hash** or **File Info** may be used in addition to, or instead of, **Signature**, but it is recommended at least one or more conditions be used in addition 
@@ -44,27 +44,27 @@ the scope further. For this example, however, it was required. **Step 4 –** Set up your **Path Condition**: be as specific as possible -![804_5_image-20210819150136-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_5_image-20210819150136-5.webp) +![804_5_image-20210819150136-5](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_5_image-20210819150136-5.webp) **Step 5 –** Set your secondary conditions: **Signature**, in this example -![804_6_image-20210819150136-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_6_image-20210819150136-6.webp) +![804_6_image-20210819150136-6](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_6_image-20210819150136-6.webp) **Step 6 –** Set your **Command-line Condition**: Use **Strict equality** and set the Arguments using the wildcard character "\*" to replace any randomized, or user-specific sections of the path or filename. Be as specific as possible while still allowing for any variation that may come up in the path. In this example, \Random014\ was replaced by \Random\*\ -![804_7_image-20210819150136-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_7_image-20210819150136-7.webp) +![804_7_image-20210819150136-7](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_7_image-20210819150136-7.webp) **NOTE:** "\*" is the only supported wildcard character. 
**NOTE:** **Ignore arguments case** should be checked by -default![804_8_image-20210819150136-8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_8_image-20210819150136-8.webp) +default![804_8_image-20210819150136-8](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_8_image-20210819150136-8.webp) **Step 7 –** Set action as needed: generally, either **Allow and Log** (this example) or **Run with elevated Privileges** (if needed) -![804_9_image-20210819150136-9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/804_9_image-20210819150136-9.webp) +![804_9_image-20210819150136-9](/img/product_docs/policypak/policypak/leastprivilege/securerun/804_9_image-20210819150136-9.webp) **NOTE:** For security and compatibility reasons, only elevate if necessary to do so. diff --git a/docs/policypak/policypak/leastprivilege/securerun/avoiduac.md b/docs/policypak/policypak/leastprivilege/securerun/avoiduac.md index e6918151dd..5d37d1048f 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/avoiduac.md +++ b/docs/policypak/policypak/leastprivilege/securerun/avoiduac.md 
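Review bot: in the `@@ -44,27` hunk of allowinlinecommands.md, the rewritten line `+default![804_8_image-20210819150136-8](/img/...)` still has the image glued to the last word of the NOTE ("should be checked by default"), with no period, space or line break, so the image renders inline inside the sentence. End the NOTE with a period after "default" and move the image to its own paragraph, as is done for the other step images in this file.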
@@ -14,22 +14,22 @@ rule to Allow and Log a command line. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac.webp) The example below show a Combo rule enabling OneDriveSetup.exe to keep running (**Path Condition** and **Command-line Condition**) with the Allow and Log action. For more information on Combo rules, see -[Creating and Using Executable Combo Rules](../bestpractices/rules/executablecombo.md) +[Creating and Using Executable Combo Rules](/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md) ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac.webp) ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/creating_rules_to_avoid_uac_1.webp) After the rules are created, you should not see pop-ups from installers with rules in place. diff --git a/docs/policypak/policypak/leastprivilege/securerun/bestpractices.md b/docs/policypak/policypak/leastprivilege/securerun/bestpractices.md index a1d45423a6..d63318f14c 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/bestpractices.md +++ b/docs/policypak/policypak/leastprivilege/securerun/bestpractices.md 
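Review bot: creating_rules_to_avoid_uac.webp is referenced twice in this hunk of avoiduac.md, once after "rule to Allow and Log a command line." and again immediately before creating_rules_to_avoid_uac_1.webp in the Combo rule example. The path rewrite carries that over unchanged, so please check whether the second reference was meant to be a different screenshot or is a leftover duplicate that can be dropped. The added executablecombo.md link line also ends its sentence without a period.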
@@ -15,10 +15,10 @@ interact with any applications on the endpoint, so it can safely be distributed as you see fit. For more information on Using Global Settings Policy, see -[Use Discovery to know what rules to make as you transition from Local Admin rights](../../video/leastprivilege/discovery.md) +[Use Discovery to know what rules to make as you transition from Local Admin rights](/docs/policypak/policypak/video/leastprivilege/discovery.md) For more information on using the Global Settings audit events to create LPM Policies, see -[Auto-Create Policy from Global Audit event](../../video/leastprivilege/globalauditevent.md) +[Auto-Create Policy from Global Audit event](/docs/policypak/policypak/video/leastprivilege/globalauditevent.md) ## Auto Rules Generator @@ -30,7 +30,7 @@ to run through SecureRun. It will create the required allow and elevate policies create policies to block applications that would otherwise be automatically allowed. For more information on using the Auto-Rules Generator Tool, see -[Auto Rules Generator Tool (with SecureRun)](../../video/leastprivilege/autorulesgeneratortool.md) +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/policypak/video/leastprivilege/autorulesgeneratortool.md) ## Post-installation Options @@ -45,7 +45,7 @@ Instead of an outright denial, the end-user is presented with a request code. Wh administrator, a response code can be created to allow the process to run. This can allow infrequent or new processes to be run without a specific rule being created. -[Admin Approval demo](../../video/leastprivilege/adminapproval/demo.md) +[Admin Approval demo](/docs/policypak/policypak/video/leastprivilege/adminapproval/demo.md) ### Self Elevation 
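Review bot: in the `@@ -45,7` hunk of bestpractices.md, `[Admin Approval demo](...)` is a bare link on its own line, while every other link rewritten in this file is introduced with "For more information ..., see". Add the same lead-in here so the Admin Approval paragraph reads like the Self Elevation one, and close each of these "see [link]" sentences with a period while the lines are open.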
@@ -54,4 +54,4 @@ specific policy. You can be specific to whom this is allowed, and for what types each time this is invoked, it is logged in the event log along with the option of requiring the user's justification for running the process -For more information, see [Self Elevate Mode](../../video/leastprivilege/selfelevatemode/demo.md) +For more information, see [Self Elevate Mode](/docs/policypak/policypak/video/leastprivilege/selfelevatemode/demo.md) diff --git a/docs/policypak/policypak/leastprivilege/securerun/blockedscripttypes.md b/docs/policypak/policypak/leastprivilege/securerun/blockedscripttypes.md index 77aea2eade..65cb2e30e3 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/blockedscripttypes.md +++ b/docs/policypak/policypak/leastprivilege/securerun/blockedscripttypes.md @@ -13,4 +13,4 @@ The official list is as follows and might increase without notice. **NOTE:** For .PS1, in order to enable Powershell at all, you need to make an express (ALLOW rule for powershell.exe). That rule can be found in -[When Endpoint Policy Manager SecureRun(TM) is turned on, PowerShell won't run. How can I re-enable this?](enablepowershell.md) +[When Endpoint Policy Manager SecureRun(TM) is turned on, PowerShell won't run. How can I re-enable this?](/docs/policypak/policypak/leastprivilege/securerun/enablepowershell.md) diff --git a/docs/policypak/policypak/leastprivilege/securerun/chromeextension.md b/docs/policypak/policypak/leastprivilege/securerun/chromeextension.md index 9122a943df..8d03edde7d 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/chromeextension.md +++ b/docs/policypak/policypak/leastprivilege/securerun/chromeextension.md 
@@ -17,25 +17,25 @@ To allow the extensions to be installed, create a New Executable Policy for each being blocked. This can be done on either the Computer or User side, depending on who is a member of the OU. -![700_1_image-20211111230736-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_1_image-20211111230736-1.webp) +![700_1_image-20211111230736-1](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_1_image-20211111230736-1.webp) **Step 1 –** Create a Combo Rule. -![700_2_image-20211111230736-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_2_image-20211111230736-2.webp) +![700_2_image-20211111230736-2](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_2_image-20211111230736-2.webp) **Step 2 –** Select **Path**, **Command-line arguments** and **Apply to child processes**. -![700_3_image-20211111230736-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_3_image-20211111230736-3.webp) +![700_3_image-20211111230736-3](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_3_image-20211111230736-3.webp) **Step 3 –** Under Path Condition, add file `%SYSTEMROOT%\System32\cmd.exe`. -![700_4_image-20211111230736-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_4_image-20211111230736-4.webp) +![700_4_image-20211111230736-4](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_4_image-20211111230736-4.webp) **Step 4 –** Under Command-line Arguments, select **Strict equality**; check **Ignore arguments case**; under Arguments, we are going to take the first part of the installation command, after `cmd.exe`, and replace the last part with asterisks. 
-![700_5_image-20211111230736-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_5_image-20211111230736-5.webp) +![700_5_image-20211111230736-5](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_5_image-20211111230736-5.webp) ``` /d /c "C:\Program Files (x86)\Power Automate Desktop\PAD.EdgeMessageHost.exe" chrome-extension://*/* @@ -47,8 +47,8 @@ case**; under Arguments, we are going to take the first part of the installation **Step 5 –** Set action as .Allow and Log. -![700_6_image-20211111230736-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_6_image-20211111230736-6.webp) +![700_6_image-20211111230736-6](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_6_image-20211111230736-6.webp) **Step 6 –** Rename, set ILT if required and click **Finish**. -![700_7_image-20211111230736-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/700_7_image-20211111230736-7.webp) +![700_7_image-20211111230736-7](/img/product_docs/policypak/policypak/leastprivilege/securerun/700_7_image-20211111230736-7.webp) diff --git a/docs/policypak/policypak/leastprivilege/securerun/inlinecommands.md b/docs/policypak/policypak/leastprivilege/securerun/inlinecommands.md index 0235933c5b..499e247cee 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/inlinecommands.md +++ b/docs/policypak/policypak/leastprivilege/securerun/inlinecommands.md 
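Review bot: the Arguments value shown in the `@@ -17,25` hunk of chromeextension.md ends in `chrome-extension://*/*`, and Step 2 selects only Path, Command-line arguments and Apply to child processes, so the resulting Allow and Log rule matches a cmd.exe launch of PAD.EdgeMessageHost.exe for any extension ID. The page should state that, and recommend replacing the first `*` with the ID of the extension being allowed when it is known, in line with the "be as specific as possible" guidance in allowinlinecommands.md. In the `@@ -47,8` hunk, "Set action as .Allow and Log." has a stray period before "Allow".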
@@ -11,7 +11,7 @@ cmd /c "mkdir C:\TEST & copy c:\Windows\notepad.exe C:\TEST" ![A screenshot of a computer error Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/securerun_and_inline_commands.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/securerun_and_inline_commands.webp) Normally, users don’t do this. But it could be valid during an application installation or program setup. You can see an example of this used in the Microsoft @@ -20,5 +20,5 @@ article. SecureRun will automatically try to block such attempts. For more information on how to deal wit this issue, please see -[Why does Endpoint Policy Manager SecureRun block "inline commands" and what can I do to overcome or revert the behavior ?](../../troubleshooting/leastprivilege/securerun/inlinecommands.md) +[Why does Endpoint Policy Manager SecureRun block "inline commands" and what can I do to overcome or revert the behavior ?](/docs/policypak/policypak/troubleshooting/leastprivilege/securerun/inlinecommands.md) for guidance and details. diff --git a/docs/policypak/policypak/leastprivilege/securerun/mykipasswordmanager.md b/docs/policypak/policypak/leastprivilege/securerun/mykipasswordmanager.md index f15d8440ec..72aece28aa 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/mykipasswordmanager.md +++ b/docs/policypak/policypak/leastprivilege/securerun/mykipasswordmanager.md 
@@ -6,33 +6,33 @@ Use Least Privilege Manager to Elevate the install of MyKi Password Manager for **NOTE:** This option requires less rules to be created than option 2. -![844_1_image-20210705210753-1_950x127](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_1_image-20210705210753-1_950x127.webp) +![844_1_image-20210705210753-1_950x127](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_1_image-20210705210753-1_950x127.webp) **Step 1 –** Create a new Least Privilege Manager policy on either the Computer or User side and add a new Executable policy for the downloaded MyKi installation EXE (i.e., `MYKI-latest.exe`).  Choose the **use combo rule (advanced)** option, then select only **Signature** and **File Info** before clicking **Next**. -![844_2_image-20210705210753-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) +![844_2_image-20210705210753-2](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) **Step 2 –** Under the **Combo condition** > **Select reference file** drop down, choose **From EXE file** and browse to and select the `MYKI-latest.exe` file. Answer **Yes** when prompted then click **Next** to continue. -![844_3_image-20210705210753-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) +![844_3_image-20210705210753-3](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) **Step 3 –** In the Select Action window leave the defaults in place then click **Next**. 
-![844_4_image-20210705210753-4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_4_image-20210705210753-4.webp) +![844_4_image-20210705210753-4](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_4_image-20210705210753-4.webp) **Step 4 –** In the Settings window select **User and System processes** and click **Finish**. -![844_5_image-20210705210753-5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_5_image-20210705210753-5.webp) +![844_5_image-20210705210753-5](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_5_image-20210705210753-5.webp) **Step 5 –** Add a new Executable policy and select the **use combo rule (advanced)** option, then select only **Signature** and **File Info** before clicking **Next**. -![844_6_image-20210705210753-6](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) +![844_6_image-20210705210753-6](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) **Step 6 –** Under the **Combo condition** > **Select reference file** drop down, choose From EXE file, then browse to and select `%LocalAppData%\myki\MYKI.exe`. 
@@ -42,15 +42,15 @@ installation. **Step 7 –** Click **Yes** when prompted, then click **Next** to continue. -![844_7_image-20210705210753-7](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) +![844_7_image-20210705210753-7](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) **Step 8 –** In the Select action window , select **Allow and log** and click **Next**. -![844_8_image-20210705210753-8](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) +![844_8_image-20210705210753-8](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) **Step 9 –** In the Settings windowselect **User and System processes**  and click **Finish**. -![844_9_image-20210705210753-9](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_9_image-20210705210753-9.webp) +![844_9_image-20210705210753-9](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_9_image-20210705210753-9.webp) ## Option2: 
@@ -59,28 +59,28 @@ Create Allow and Log rules for a Standard user to be able to install and run MyK **NOTE:** If the user has already installed MyKi using their standard user account, then use this option. -![844_10_image-20210705210753-10_950x133](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_10_image-20210705210753-10_950x133.webp) +![844_10_image-20210705210753-10_950x133](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_10_image-20210705210753-10_950x133.webp) **Step 1 –** Create a new Least Privilege Manager policy on either the Computer or User side, then add a new Executable policy for the downloaded MIKY installation EXE (i.e.`, MYKI-latest.exe`).Select the **use combo rule (advanced)** option, then select only **Signature** and **File Info** before clicking **Next**. -![844_11_image-20210705210753-11](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) +![844_11_image-20210705210753-11](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) **Step 2 –** Under the **Combo condition** > **Select reference file** drop down, choose **From EXE file**, then browse to and select the `MYKI-latest.exe` file. Click **Yes** when prompted, then click **Next** to continue. -![844_12_image-20210705210753-12](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) +![844_12_image-20210705210753-12](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) **Step 3 –** In the Select action window, select **Allow and log**and click **Next**. 
-![844_13_image-20210705210753-13](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) +![844_13_image-20210705210753-13](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) **Step 4 –** In the Settings window select **User and System processes**  and click **Finish**. -![844_14_image-20210705210753-14](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_14_image-20210705210753-14.webp) +![844_14_image-20210705210753-14](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_14_image-20210705210753-14.webp) **Step 5 –** Next, add a new executable policy. Select the **use combo rule (advanced)** option, but this time select **Path** and **Signature** conditions before clicking **Next**. 
@@ -97,22 +97,22 @@ continue. Your screen should look similar to what is shown below for **Path Condition** and **Signature Condition** respectively. -![844_15_image-20210705210753-15](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_15_image-20210705210753-15.webp) +![844_15_image-20210705210753-15](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_15_image-20210705210753-15.webp) -![844_16_image-20210705210753-16](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_16_image-20210705210753-16.webp) +![844_16_image-20210705210753-16](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_16_image-20210705210753-16.webp) **Step 7 –** In the Select Action window select**Allow and log** then click **Next**. -![844_17_image-20210705210753-17](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) +![844_17_image-20210705210753-17](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) **Step 8 –** In the Settings window select **User and System processes**, then click **Finish**. -![844_18_image-20210705210753-18](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_18_image-20210705210753-18.webp) +![844_18_image-20210705210753-18](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_18_image-20210705210753-18.webp) **Step 9 –** Add a new Executable policyand select the **use combo rule (advanced)** option, then select only **Signature** and **File Info** before clicking **Next**. 
-![844_19_image-20210705210753-19](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) +![844_19_image-20210705210753-19](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_2_image-20210705210753-2.webp) **Step 10 –** Under the **Combo condition** > **Select reference file** drop-down, choose **From EXE file** then browse to and select `%LocalAppData%\myki\MYKI.exe`. 
@@ -122,25 +122,25 @@ installation. **Step 11 –** Click **Yes** when prompted, then click **Next** to continue. -![844_20_image-20210705210753-20](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) +![844_20_image-20210705210753-20](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_3_image-20210705210753-3.webp) **Step 12 –** In the Select window, select **Allow and log**, then click **Next**. -![844_21_image-20210705210753-21](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) +![844_21_image-20210705210753-21](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) **Step 13 –** In the Settings windows select **User and System processes** and click **Finish**. -![844_22_image-20210705210753-22](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_9_image-20210705210753-9.webp) +![844_22_image-20210705210753-22](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_9_image-20210705210753-9.webp) **Step 14 –** Add a new Executable policy and choose the **use combo rule (advanced)** option, then select only **Path** and **Command-line arguments** before clicking **Next**. -![844_23_image-20210705210753-23](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_23_image-20210705210753-23.webp) +![844_23_image-20210705210753-23](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_23_image-20210705210753-23.webp) **Step 15 –** In the Configure Conditions windowenter `%SYSTEMROOT%\System32\cmd.exe` under Path Condition. 
-![844_24_image-20210705210753-24](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_24_image-20210705210753-24.webp) +![844_24_image-20210705210753-24](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_24_image-20210705210753-24.webp) **Step 16 –** Then under Command-line Arguments select the **Strict equality** and **Ignore arguments case** boxes and also paste in the following text within the Arguments box before clicking @@ -152,12 +152,12 @@ arguments case** boxes and also paste in the following text within the Arguments Your screen should look identical to the one below. -![844_25_image-20210705210753-25](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_25_image-20210705210753-25.webp) +![844_25_image-20210705210753-25](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_25_image-20210705210753-25.webp) **Step 17 –** In the **Select action** window, select **Allow and log** then click **Next**. -![844_26_image-20210705210753-26](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) +![844_26_image-20210705210753-26](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_8_image-20210705210753-8.webp) **Step 18 –** In the Settings window select**User and System processes**  and click **Finish**. -![844_27_image-20210705210753-27](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/844_27_image-20210705210753-27.webp) +![844_27_image-20210705210753-27](/img/product_docs/policypak/policypak/leastprivilege/securerun/844_27_image-20210705210753-27.webp) diff --git a/docs/policypak/policypak/leastprivilege/securerun/overview.md b/docs/policypak/policypak/leastprivilege/securerun/overview.md index 0a3927d46a..e27f6af770 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/overview.md 
+++ b/docs/policypak/policypak/leastprivilege/securerun/overview.md @@ -2,7 +2,7 @@ **NOTE:** For an overview of how to block threats and unknown software like malware and similar applicates, see the -[Using Least Privilege Manager's SecureRun Feature](../../video/leastprivilege/securerun/feature.md) +[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/policypak/video/leastprivilege/securerun/feature.md) video. In the previous section, we established that users with Standard rights and admin rights can end up @@ -23,7 +23,7 @@ create a new SecureRun™ policy in the GPO. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun.webp) This will result in a new SecureRun™ policy editor, as displayed here. To turn on SecureRun click **Enable** and then, if desired, , change the messaging from Default to Customized (or Silently.) @@ -31,7 +31,7 @@ This will result in a new SecureRun™ policy editor, as displayed here. To turn ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_1.webp) In the SecureRun™ Members list, you can review who and what has been added, including the defaults members: 
@@ -60,7 +60,7 @@ enabled and is checking for file ownership (aka “Trusted”), as shown here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_2.webp) At the endpoint, run GPupdate or log on as a user who will receive the policy. The result is that all unknown applications are blocked (like previously downloaded Notepad2), and all properly @@ -69,7 +69,7 @@ installed applications are allowed. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_3.webp) Additionally, MSI files that attempt to launch are also subjected to Endpoint Policy Manager SecureRun™. If an application already has an Allow rule in place (similar to what we saw earlier @@ -79,7 +79,7 @@ installers that don't have an Allow rule in place will be prevented from running ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_4.webp) This works because Endpoint Policy Manager Least Privilege Manager is enforcing the SecureRun™ Members list. If we look at who owns the file for the properly installed application, we can see the 
@@ -89,7 +89,7 @@ Internet, we can see the owner is EastSalesUser1. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_5.webp) If you review the list of users allowed to run applications, you will notice that EastSalesUser1 is not on the list and, therefore, is not permitted to run Untrusted applications. @@ -97,7 +97,7 @@ not on the list and, therefore, is not permitted to run Untrusted applications. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_6.webp) If you decide you want to enable an application, such as Notepad2, to run, create a new Executable rule (Path, Hash, Signature, or File) as shown in the previous section. This time, select **Allow 
@@ -106,14 +106,14 @@ and log**. This will run the application with Standard User rights. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_7.webp) The result can be seen in the MMC list view. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_8.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_8.webp) As a test, run GPupdate on the endpoint, and then run Notepad2, which will run with Standard User rights and bypass SecureRun™ as seen here. @@ -121,7 +121,7 @@ rights and bypass SecureRun™ as seen here. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_9.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/securerun/quick_start_using_securerun_9.webp) To recap, Endpoint Policy ManagerLeast Privilege Manager SecureRun™ operates under the following criteria: 
@@ -138,11 +138,11 @@ downloads and tries to run but continues to let properly installed applications **NOTE:** An additional way to use Endpoint Policy Manager SecureRum™ is to also trap for anything that is unsigned. See the -[Least Privilege Manager: Block All Unsigned with SecureRun](../../video/leastprivilege/securerun/preventunsigned.md) +[Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/policypak/video/leastprivilege/securerun/preventunsigned.md) video for a demonstration. **NOTE:** Remember, all Endpoint Policy Manager Least Privilege Manager rules, including SecureRun, may be used with an MDM service, or your own management system like PDQ deploy For more information on this topic, please see the -[Blocking Malware with Endpoint Policy Manager and PDQ Deploy](../../video/leastprivilege/integration/pdqdeployblockmalware.md) +[Blocking Malware with Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/leastprivilege/integration/pdqdeployblockmalware.md) video demonstration. diff --git a/docs/policypak/policypak/leastprivilege/securerun/setup.md b/docs/policypak/policypak/leastprivilege/securerun/setup.md index 41f201311e..7dc330ce64 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/setup.md +++ b/docs/policypak/policypak/leastprivilege/securerun/setup.md 
@@ -5,12 +5,12 @@ #### Getting Started Watch this quick video for tips on setting up Secure Run: -[Stop Ransomware and other unknown zero day attacks with Endpoint Policy Manager SecureRun(TM)](../../video/leastprivilege/securerun/stopransomware.md). +[Stop Ransomware and other unknown zero day attacks with Endpoint Policy Manager SecureRun(TM)](/docs/policypak/policypak/video/leastprivilege/securerun/stopransomware.md). In addition we have a tool called Auto Rules Generator for generating rules from a machine that has all your apps. It is in the Extras folder of the main Netwrix Endpoint Policy Manager (formerly PolicyPak) download. For more information on this issue, please see -[Auto Rules Generator Tool (with SecureRun)](../../video/leastprivilege/autorulesgeneratortool.md). +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/policypak/video/leastprivilege/autorulesgeneratortool.md). #### How do we setup SecureRun when each version of the software references more than one .exe to start the program? 
@@ -19,14 +19,14 @@ PolicyPak) download. For more information on this issue, please see - If you do not use this option, you have to create rules for each process. But you can use the Auto Rules Generator to find all those .exe's and generate rules for all quickly. -![315_1_lpm-faq-03-img-01](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/315_1_lpm-faq-03-img-01.webp) +![315_1_lpm-faq-03-img-01](/img/product_docs/policypak/policypak/leastprivilege/securerun/315_1_lpm-faq-03-img-01.webp) #### How do we setup SecureRun when there are so many variables and make them work no matter what version of the software was installed? - Start with the AutoRules Generator to try to mass generate the rules you need. - In You can do a Single rule or a Combo -![315_2_lpm-faq-03-img-02](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/315_2_lpm-faq-03-img-02.webp) +![315_2_lpm-faq-03-img-02](/img/product_docs/policypak/policypak/leastprivilege/securerun/315_2_lpm-faq-03-img-02.webp) - For a Single many customers will use Hashto ensure only that specific file is elevated. However this doesn't allow for future versions to be allowed. 
@@ -34,9 +34,9 @@ PolicyPak) download. For more information on this issue, please see That way you ensure that it is always that Vendor with the Signature, and with File Info you can specify to allow Higher or Equals, thereby allowing future versions to be elevated. -![315_3_lpm-faq-03-img-03](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/315_3_lpm-faq-03-img-03.webp) +![315_3_lpm-faq-03-img-03](/img/product_docs/policypak/policypak/leastprivilege/securerun/315_3_lpm-faq-03-img-03.webp) -![315_4_lpm-faq-03-img-04](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/315_4_lpm-faq-03-img-04.webp) +![315_4_lpm-faq-03-img-04](/img/product_docs/policypak/policypak/leastprivilege/securerun/315_4_lpm-faq-03-img-04.webp) ### Summary diff --git a/docs/policypak/policypak/leastprivilege/securerun/webex.md b/docs/policypak/policypak/leastprivilege/securerun/webex.md index 33a9e0b568..74ba703f40 100644 --- a/docs/policypak/policypak/leastprivilege/securerun/webex.md +++ b/docs/policypak/policypak/leastprivilege/securerun/webex.md @@ -3,7 +3,7 @@ You need to create a new Least Privilege Manager policy on either the Computer or User side, and then create the following Elevate and Allow policies. The steps below show you how to do this. -![575_1_image-20200826125733-1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_1_image-20200826125733-1.webp) +![575_1_image-20200826125733-1](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_1_image-20200826125733-1.webp) **Step 1 –** Executable policy for `Webex.exe` Elevated by **Signature** and **File Info**. 
@@ -41,9 +41,9 @@ Manager (formerly PolicyPak) Event log to see if `WebEx.exe` is being blocked by Publisher being unknown. If it is, you can edit the policy item for` WebEx.exe` and uncheck the signature requirement to work around this issue. -![575_3_image-20200826125733-2](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_3_image-20200826125733-2.webp) +![575_3_image-20200826125733-2](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_3_image-20200826125733-2.webp) -![575_5_image-20200826125733-3](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_5_image-20200826125733-3.webp) +![575_5_image-20200826125733-3](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_5_image-20200826125733-3.webp) ### Method 2: 
@@ -53,20 +53,20 @@ Export the intermediate certificate from the `Webex.exe` file. **Step 2 –** Select the Digital Signature tab and click **Details**. -![575_7_01_321x213](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_7_01_321x213.webp) +![575_7_01_321x213](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_7_01_321x213.webp) **Step 3 –** Click **View Certificate**. -![575_8_02_323x239](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_8_02_323x239.webp) +![575_8_02_323x239](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_8_02_323x239.webp) **Step 4 –** Click the **Certification Path** tab and select the second certificate from the chain. Click **View Certificate**. -![575_9_03_319x130](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_9_03_319x130.webp) +![575_9_03_319x130](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_9_03_319x130.webp) **Step 5 –** Click on the **Details** tab and select **Copy to File**. -![575_10_04_243x307](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_10_04_243x307.webp) +![575_10_04_243x307](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_10_04_243x307.webp) **Step 6 –** Click **Next** on the Export Certificate Wizard and select DER encoded binary X.509 (.CER) format. 
@@ -76,7 +76,7 @@ steps. **NOTE:** You can also use Endpoint Policy Manager Remote Work Delivery Manager to deliver the certificate file at the desired location of the remote computer. For more information on this issue, -please see  Remote Work Delivery Manager > [Knowledge Base](../../feature/overview/knowledgebase.md) +please see  Remote Work Delivery Manager > [Knowledge Base](/docs/policypak/policypak/feature/overview/knowledgebase.md) Use Endpoint Policy Manager Scripts Manager to deliver the Certificate in Intermediate Certification Authorities for a Computer. @@ -96,4 +96,4 @@ LocalMachine$certificateStore.Open('ReadWrite')$certificateStore.Add($pathInterm **Step 2 –** Wait for the policy refresh and you should see the certificate in the Intermediate Certification Authorities folder -![575_11_05_549x169](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/securerun/575_11_05_549x169.webp) +![575_11_05_549x169](/img/product_docs/policypak/policypak/leastprivilege/securerun/575_11_05_549x169.webp) diff --git a/docs/policypak/policypak/leastprivilege/subprocesses.md b/docs/policypak/policypak/leastprivilege/subprocesses.md index c70ac91a48..6c2fd7fc4c 100644 --- a/docs/policypak/policypak/leastprivilege/subprocesses.md +++ b/docs/policypak/policypak/leastprivilege/subprocesses.md @@ -3,7 +3,7 @@ Yes. In the example below, an elevated command prompt (perhaps elevated by Self Elevate), you can see the command net stop spooler logged in the event log. -![1335_1_3cd9340de297397c581bc79215cfae2d](../../../../static/img/product_docs/policypak/policypak/leastprivilege/1335_1_3cd9340de297397c581bc79215cfae2d.webp) +![1335_1_3cd9340de297397c581bc79215cfae2d](/img/product_docs/policypak/policypak/leastprivilege/1335_1_3cd9340de297397c581bc79215cfae2d.webp) **NOTE:** If you are not seeing this be sure to upgrade to latest CSE. 
diff --git a/docs/policypak/policypak/leastprivilege/synapticspointingdevicedriver.md b/docs/policypak/policypak/leastprivilege/synapticspointingdevicedriver.md index 92364dc66a..754d2b8684 100644 --- a/docs/policypak/policypak/leastprivilege/synapticspointingdevicedriver.md +++ b/docs/policypak/policypak/leastprivilege/synapticspointingdevicedriver.md @@ -4,7 +4,7 @@ Problem: The application Synaptics Pointing Device Driver (SynTPEnh.exe) is repo Settings (Audit) policy in the Netwrix Endpoint Policy Manager (formerly PolicyPak) Event log as needing elevation. -![703_1_image-20210206004430-1](../../../../static/img/product_docs/policypak/policypak/leastprivilege/703_1_image-20210206004430-1.webp) +![703_1_image-20210206004430-1](/img/product_docs/policypak/policypak/leastprivilege/703_1_image-20210206004430-1.webp) SynTPEnh.exe does not actually need to be elevated, but since it is considered a driver it is assumed to require elevation. @@ -13,11 +13,11 @@ To work around this issue you should use **Allow and log** instead of **Run with privileges** when creating a Least Privilege Manager rule for this application to pass safely through SecureRun. -![703_2_image-20210206004430-2](../../../../static/img/product_docs/policypak/policypak/leastprivilege/703_2_image-20210206004430-2.webp) +![703_2_image-20210206004430-2](/img/product_docs/policypak/policypak/leastprivilege/703_2_image-20210206004430-2.webp) **NOTE:** This policy (SYNAPTICS-Allow-AND-log.xml ) is provided in the [https://portal.policypak.com/downloads/guidance](https://portal.policypak.com/downloads/guidance) download, and can be found in the extracted contents under the PolicyPak Least Privilege Manager XMLs folder. -![703_3_image-20210206004430-3](../../../../static/img/product_docs/policypak/policypak/leastprivilege/703_3_image-20210206004430-3.webp) +![703_3_image-20210206004430-3](/img/product_docs/policypak/policypak/leastprivilege/703_3_image-20210206004430-3.webp) 
diff --git a/docs/policypak/policypak/leastprivilege/tool/helper/admx.md b/docs/policypak/policypak/leastprivilege/tool/helper/admx.md index c933588201..a29cb117c1 100644 --- a/docs/policypak/policypak/leastprivilege/tool/helper/admx.md +++ b/docs/policypak/policypak/leastprivilege/tool/helper/admx.md @@ -9,14 +9,14 @@ Manager Helper Tools via the included ADMX files: ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least.webp) ## ADMX Settings with the Printer Tool The ADMX setting prevents users from configuring Print Server Properties using the Endpoint Policy Manager Printers tool, and will block access to the button and window highlighted here. -![using_the_policypak_least](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least.webp) +![using_the_policypak_least](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least.webp) ## ADMX Settings with the Remove Programs Tool @@ -27,7 +27,7 @@ Netwrix or Endpoint Policy Manager-signed installed applications or components. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_1.webp) However, using the Endpoint Policy Manager Least Privilege Manager ADMX settings you can hide or reveal which applications are available for users to uninstall. This is possible by using one the 
@@ -56,7 +56,7 @@ named Oracle and Oracle Corporation. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_1.webp) Next, using the same tool, you specify a value name of "\*Java\*" as the program name and a value of 1. Since we also want to hide programs with 171 in the name, you’ll need to specify a value name @@ -65,7 +65,7 @@ of \*171\* with a value of 0 to specifically hide programs with this value in th ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_2.webp) The result of these settings can be seen here, where only a limited number of programs are available for removal. @@ -73,4 +73,4 @@ for removal. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/using_the_policypak_least_2.webp) diff --git a/docs/policypak/policypak/leastprivilege/tool/helper/elevate.md b/docs/policypak/policypak/leastprivilege/tool/helper/elevate.md index e33e5a9c9d..9e04562f4f 100644 --- a/docs/policypak/policypak/leastprivilege/tool/helper/elevate.md +++ b/docs/policypak/policypak/leastprivilege/tool/helper/elevate.md 
@@ -6,13 +6,13 @@ their goals through standard Windows processes. The result with one tool (the Ne tool) is shown here; the other tools will have the same result. **NOTE:** See the -[Endpoint Policy Manager Least Priv Manager Tools Setup](../../../video/leastprivilege/toolssetup.md) +[Endpoint Policy Manager Least Priv Manager Tools Setup](/docs/policypak/policypak/video/leastprivilege/toolssetup.md) video for an overview how to set up elevation for the Least Privilege Manager Helper Tools. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/elevating_least_privilege.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/elevating_least_privilege.webp) In order to elevate the Endpoint Policy Manager Least Privilege Manager Helper Tools so that they will function correctly on your endpoints, you can use our preconfigured rules, which are part of @@ -21,12 +21,12 @@ the guidance on the Endpoint Policy Manager Portal. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/elevating_least_privilege.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/elevating_least_privilege.webp) After that, when the client is updated to acquire the new rules, the Endpoint Policy Manager Least Privilege Manager Helper Tools will run as expected. **NOTE:** For more information on how to get the Helper Tools as shortcuts to Desktops and other locations, please see -the[Getting the helper tools as desktop shortcuts](../../../video/leastprivilege/helperdesktopshortcut.md) +the[Getting the helper tools as desktop shortcuts](/docs/policypak/policypak/video/leastprivilege/helperdesktopshortcut.md) video. 
diff --git a/docs/policypak/policypak/leastprivilege/tool/helper/uacprompts.md b/docs/policypak/policypak/leastprivilege/tool/helper/uacprompts.md index d44ef547f5..9b50620a72 100644 --- a/docs/policypak/policypak/leastprivilege/tool/helper/uacprompts.md +++ b/docs/policypak/policypak/leastprivilege/tool/helper/uacprompts.md @@ -1,7 +1,7 @@ # Overcoming Common UAC Prompts with Helper Tools **NOTE:** See the -[Overcome Network Card, Printer, and Remove Programs UAC prompts](../../../video/leastprivilege/uacprompts.md) +[Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md) video for an overview of using Endpoint Policy Manager Least Privilege Manager Helper Tools in action. @@ -20,7 +20,7 @@ quickly going to encounter a UAC prompt, as seen here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts.webp) **NOTE:** We used COM / CSLID rules earlier to overcome this concern, but this section and solution gives you another option. @@ -31,7 +31,7 @@ here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts.webp) Finally, if Standard Users try to manage their own Apps and Features by uninstalling an application that they no longer need, they will also be prevented by a UAC prompt, seen here. 
@@ -39,6 +39,6 @@ that they no longer need, they will also be prevented by a UAC prompt, seen here ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/helper/overcoming_common_uac_prompts_1.webp) After setting up Endpoint Policy Manager’s Helper Tools, you can overcome all three of these issues. diff --git a/docs/policypak/policypak/leastprivilege/tool/rulesgenerator/automatic.md b/docs/policypak/policypak/leastprivilege/tool/rulesgenerator/automatic.md index a218f56fd8..abba481f88 100644 --- a/docs/policypak/policypak/leastprivilege/tool/rulesgenerator/automatic.md +++ b/docs/policypak/policypak/leastprivilege/tool/rulesgenerator/automatic.md @@ -8,7 +8,7 @@ as necessary. This tool operates on one machine at a time, and it is typically u representative machines. **NOTE:** See the -[Auto Rules Generator Tool (with SecureRun)](../../../video/leastprivilege/autorulesgeneratortool.md) +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/policypak/video/leastprivilege/autorulesgeneratortool.md) video for a demo of Endpoint Policy Manager Automatic Rules Generator Tool in action. Following are the basic steps for operating the tool: @@ -21,7 +21,7 @@ Following are the basic steps for operating the tool: ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules.webp) On the opening page, pick a location or locations to run the tool. The tool offers standard or custom locations (**Other Locations**) such as the User’s Desktop, and other unusual locations, as 
@@ -30,14 +30,14 @@ shown here. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_1.webp) Next, select which types of items to search for. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_2.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_2.webp) Next, you have the option to turn on the SecureRun™ Simulator. The SecureRun™ Simulator will simulate what would happen if SecureRun™ was turned on, so you can know which applications would be @@ -48,7 +48,7 @@ with SecureRun™. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_3.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_3.webp) Then, you’ll be presented with all the applications and their default state and will have the opportunity to create rules that will automatically change the state. For instance, when SecureRun™ 
@@ -67,7 +67,7 @@ You can select the drop-down in the Action column next to any program and change ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_4.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_4.webp) To save a little time, you can also hide items that are automatically allowed or blocked by SecureRun™, as seen here, to reduce the number of items shown. @@ -75,14 +75,14 @@ SecureRun™, as seen here, to reduce the number of items shown. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_5.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_5.webp) Next, you are presented with a summary of the rules you will be creating. ![A screenshot of a computer program Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_6.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_6.webp) Now you can create the conditions automatically. The most secure settings are automatically checked, but you may change them to other settings if desired. 
@@ -90,7 +90,7 @@ but you may change them to other settings if desired. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_7.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_7.webp) The final page, shown in here, enables you to export the rules directly into a GPO (provided you have Group Policy Create/Edit rights) or into an XML file that you can import into a Group Policy @@ -99,15 +99,15 @@ Object. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_8.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_8.webp) Rules are now exported. ![A screenshot of a computer Description automatically -generated](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_9.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_9.webp) The result after looking at the GPO is shown here, with your rules ready to go. -![policypak_automatic_rules_10](../../../../../../static/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_10.webp) +![policypak_automatic_rules_10](/img/product_docs/policypak/policypak/leastprivilege/tool/rulesgenerator/policypak_automatic_rules_10.webp) diff --git a/docs/policypak/policypak/leastprivilege/wildcards.md b/docs/policypak/policypak/leastprivilege/wildcards.md index c3b2ca5640..40da865e2c 100644 --- a/docs/policypak/policypak/leastprivilege/wildcards.md +++ b/docs/policypak/policypak/leastprivilege/wildcards.md 
@@ -1,12 +1,12 @@ # Using Wildcards with Endpoint Privilege Manager and Certificates **NOTE:** See the -[Endpoint Privilege Manager and Wildcards](../video/leastprivilege/bestpractices/wildcards.md) video +[Endpoint Privilege Manager and Wildcards](/docs/policypak/policypak/video/leastprivilege/bestpractices/wildcards.md) video on how to use Endpoint Policy Manager Least Privilege Manager and Certificate Wildcards. Applications like Zoom, GotoMeeting, Webex and others often have certificates which change from time to time. So even if you’ve set up the best practice of Certificate + File Info rules (like we -discussed in the [Best Practices](bestpractices/overview.md) section), those automatic rules can go +discussed in the [Best Practices](/docs/policypak/policypak/leastprivilege/bestpractices/overview.md) section), those automatic rules can go out of date quickly. To allow Endpoint Policy Manager Least Privilege Manager to permit Wildcards in Certificate @@ -18,7 +18,7 @@ Now you can address the fields you need as Wildcards; in this example, we’ve s ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/using_wildcards_with_policypak.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/using_wildcards_with_policypak.webp) Endpoint Policy Manager Least Privilege Manager will continue to check all the intermediary certificates along the way before it gets to the one you modified. 
@@ -26,7 +26,7 @@ certificates along the way before it gets to the one you modified. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/leastprivilege/using_wildcards_with_policypak_1.webp) +generated](/img/product_docs/policypak/policypak/leastprivilege/using_wildcards_with_policypak_1.webp) **CAUTION:** You want to try to be as restrictive as possible when using Wildcards; the more you open up, the less secure you will be. diff --git a/docs/policypak/policypak/leastprivilege/windowseventforwarding.md b/docs/policypak/policypak/leastprivilege/windowseventforwarding.md index f3d7efbf83..f3a2b9f016 100644 --- a/docs/policypak/policypak/leastprivilege/windowseventforwarding.md +++ b/docs/policypak/policypak/leastprivilege/windowseventforwarding.md 
@@ -12,16 +12,16 @@ Forwarding Setup). **Step 2 –** Edit the GPO, expand **Computer Configuration** > **Preferences** > **Control Panel Settings** > **Services**, then right click .**Services**. and choose .**New** > **Service**. -![381_1_image-20191023214431-1](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_1_image-20191023214431-1.webp) +![381_1_image-20191023214431-1](/img/product_docs/policypak/policypak/leastprivilege/381_1_image-20191023214431-1.webp) **Step 3 –** Under .**New Service Properties** > **General** > **Service name:** click the ellipses (**…**) and browse for the WinRM service, then with the WinRM service highlighted, click **Select**. -![381_3_image-20191023214431-2](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_3_image-20191023214431-2.webp) +![381_3_image-20191023214431-2](/img/product_docs/policypak/policypak/leastprivilege/381_3_image-20191023214431-2.webp) **Step 4 –** Set the **Service action:**to **"Start service**", then click **Ok**. -![381_5_image-20191023214431-3](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_5_image-20191023214431-3.webp) +![381_5_image-20191023214431-3](/img/product_docs/policypak/policypak/leastprivilege/381_5_image-20191023214431-3.webp) #### Allow the "Local Network Service" to access the event logs. 
@@ -29,12 +29,12 @@ Settings** > **Services**, then right click .**Services**. and choose .**New** > Security Settings > Restricted Groups, then right-click "Restricted Groups" and select "Add Group", then type in "Event Log Readers" and click "Ok". -![381_7_image-20191023214431-4](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_7_image-20191023214431-4.webp) +![381_7_image-20191023214431-4](/img/product_docs/policypak/policypak/leastprivilege/381_7_image-20191023214431-4.webp) **Step 2 –** Right-click on the Event Log Readers group and select **Properties**, then add **NETWORK SERVICE** under Members of this group:, and click **Ok**. -![381_8_image-20191023214431-5](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_8_image-20191023214431-5.webp) +![381_8_image-20191023214431-5](/img/product_docs/policypak/policypak/leastprivilege/381_8_image-20191023214431-5.webp) #### Setting up the Event Forwarding Subscription @@ -43,11 +43,11 @@ then type in "Event Log Readers" and click "Ok". Configure target Subscription Manager, select the radio button for **Enabled** then click **Show...**. -![381_10_image-20191023214431-6](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_10_image-20191023214431-6.webp) +![381_10_image-20191023214431-6](/img/product_docs/policypak/policypak/leastprivilege/381_10_image-20191023214431-6.webp) **Step 2 –** Under Show Contents configure the following: -![381_12_image-20191023214431-7](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_12_image-20191023214431-7.webp) +![381_12_image-20191023214431-7](/img/product_docs/policypak/policypak/leastprivilege/381_12_image-20191023214431-7.webp) - **NOTE:** Replace YourServerFQDN with the Fully Qualified Domain Name (FQDN) of your central collection machine (the one you want to forward events to). For example, if your server name was 
@@ -72,25 +72,25 @@ Configure target Subscription Manager, select the radio button for **Enabled** t **Step 3 –** On the central collection machine or server (the one you want to forward events to) open Event Viewer and click on **Subscriptions**. If shown the message below, click **Yes**. -![381_14_image-20191023214431-8](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_14_image-20191023214431-8.webp) +![381_14_image-20191023214431-8](/img/product_docs/policypak/policypak/leastprivilege/381_14_image-20191023214431-8.webp) **Step 4 –** Now right click **Subscriptions** and choose **Create Subscription…**. -![381_16_image-20191023214431-9](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_16_image-20191023214431-9.webp) +![381_16_image-20191023214431-9](/img/product_docs/policypak/policypak/leastprivilege/381_16_image-20191023214431-9.webp) **Step 5 –** Give the Subscription a name (i.e. Endpoint Policy Manager Interesting Events), then select the **Source computer initiated** radio button, and click **Select Computer Groups**. -![381_18_image-20191023214431-10](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_18_image-20191023214431-10.webp) +![381_18_image-20191023214431-10](/img/product_docs/policypak/policypak/leastprivilege/381_18_image-20191023214431-10.webp) **Step 6 –** Under Select Computer Groups click "Add Domain Computers…" then add the **Domain Computers** group, and click **Ok**. -![381_20_image-20191023214431-11](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_20_image-20191023214431-11.webp) +![381_20_image-20191023214431-11](/img/product_docs/policypak/policypak/leastprivilege/381_20_image-20191023214431-11.webp) **Step 7 –** Click **Select Events…**. 
-![381_22_image-20191023214431-12](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_22_image-20191023214431-12.webp) +![381_22_image-20191023214431-12](/img/product_docs/policypak/policypak/leastprivilege/381_22_image-20191023214431-12.webp) **Step 8 –** If you happen to have the Endpoint Policy Manager Client Side Extensions (CSE) installed, under Select Events you can select the **By Log** button, then use the drop down under @@ -98,7 +98,7 @@ Event Sources: to find **PolicyPak Least Privilege Manager Client – Operationa box next to it. Click**Ok**. You should now see a screen similar to this one: -![381_24_image-20191023214431-13](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_24_image-20191023214431-13.webp) +![381_24_image-20191023214431-13](/img/product_docs/policypak/policypak/leastprivilege/381_24_image-20191023214431-13.webp) **NOTE:** If you don't have the CSE installed, select the **XML** tab, then check the **Edit query manually** check box at the bottom before pasting in the query below, and clicking **Ok**. You will @@ -108,7 +108,7 @@ not be able to use the Filter tab after editing the XML query manually.                  ``` -![381_26_image-20191023214431-14](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_26_image-20191023214431-14.webp) +![381_26_image-20191023214431-14](/img/product_docs/policypak/policypak/leastprivilege/381_26_image-20191023214431-14.webp) **NOTE:** Once you click **Ok** the text will be formatted correctly and aligned on the left. 
@@ -119,6 +119,6 @@ and everything else is working, you should start to see computers showing up und Computers column in the subscription, and start to see events from the source computers showing up under the Forwarded Events log. -![381_28_image-20191023214431-15](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_28_image-20191023214431-15.webp) +![381_28_image-20191023214431-15](/img/product_docs/policypak/policypak/leastprivilege/381_28_image-20191023214431-15.webp) -![381_30_image-20191023214431-16_950x303](../../../../static/img/product_docs/policypak/policypak/leastprivilege/381_30_image-20191023214431-16_950x303.webp) +![381_30_image-20191023214431-16_950x303](/img/product_docs/policypak/policypak/leastprivilege/381_30_image-20191023214431-16_950x303.webp) diff --git a/docs/policypak/policypak/license/activedirectory/domainmultiple.md b/docs/policypak/policypak/license/activedirectory/domainmultiple.md index b5b1d5ca26..58d1c74ec1 100644 --- a/docs/policypak/policypak/license/activedirectory/domainmultiple.md +++ b/docs/policypak/policypak/license/activedirectory/domainmultiple.md @@ -10,4 +10,4 @@ Here is the general process: We then create licensing keys, one for each domain. See -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md) +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) diff --git a/docs/policypak/policypak/license/activedirectory/domainou.md b/docs/policypak/policypak/license/activedirectory/domainou.md index 8e9db17136..e86626dbd5 100644 --- a/docs/policypak/policypak/license/activedirectory/domainou.md +++ b/docs/policypak/policypak/license/activedirectory/domainou.md 
@@ -11,5 +11,5 @@ company's Active Directory, you can easily license Endpoint Policy Manager. You don not need approval of domain or enterprise admins; you can get started right away. **NOTE:** See -[Using Shares to Store Your Paks (Share-Based Storage)](../../video/applicationsettings/shares.md) +[Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md) how PP Application Manager Paks can be stored in a share. diff --git a/docs/policypak/policypak/license/activedirectory/enforced.md b/docs/policypak/policypak/license/activedirectory/enforced.md index 8361ce17b4..89988254c4 100644 --- a/docs/policypak/policypak/license/activedirectory/enforced.md +++ b/docs/policypak/policypak/license/activedirectory/enforced.md @@ -13,4 +13,4 @@ license files are installed into the GPO. Below all Endpoint Policy Manager Licenses are contained within one GPO. But you might have multiple licensing GPOs, all which need to be enforced. -![168_1_image0013](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/168_1_image0013.webp) +![168_1_image0013](/img/product_docs/policypak/policypak/license/activedirectory/168_1_image0013.webp) diff --git a/docs/policypak/policypak/license/activedirectory/gpoedit.md b/docs/policypak/policypak/license/activedirectory/gpoedit.md index 2e7b2cbf66..f631a2809a 100644 --- a/docs/policypak/policypak/license/activedirectory/gpoedit.md +++ b/docs/policypak/policypak/license/activedirectory/gpoedit.md 
@@ -5,7 +5,7 @@ Yes. And here is why. First, you will need to import Netwrix Endpoint Policy Manager (formerly PolicyPak) licensing files. After a GPO is created (not by you), and you edit it, see -[The License Tool (LT) isn't permitting me to install License Files (or I am using AGPM, GPA, or GPOAdmin.) What should I try?](wizard.md) +[The License Tool (LT) isn't permitting me to install License Files (or I am using AGPM, GPA, or GPOAdmin.) What should I try?](/docs/policypak/policypak/license/activedirectory/wizard.md) for additional information. You will import the license files while editing the GPO. Next, all normal operations in Endpoint Policy Manager are available to you, like Endpoint Policy @@ -15,5 +15,5 @@ Manager Application Manager and Endpoint Policy Manager Admin Templates Manager. regular shares, and don't need to be stored in the Central Store, which would require domain controllers. -See[Using Shares to Store Your Paks (Share-Based Storage)](../../video/applicationsettings/shares.md) +See[Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md) for additional information on using shares with Endpoint Policy Manager Admin Templates Manager. diff --git a/docs/policypak/policypak/license/activedirectory/scope.md b/docs/policypak/policypak/license/activedirectory/scope.md index 961575ee83..f1ced66aec 100644 --- a/docs/policypak/policypak/license/activedirectory/scope.md +++ b/docs/policypak/policypak/license/activedirectory/scope.md 
@@ -10,12 +10,12 @@ Scope is where you might ever possibly use Netwrix Endpoint Policy Manager (form Typically, this is (and should be) the whole domain. This doesn't mean you will be using Endpoint Policy Manager anywhere/everywhere in the whole domain. You select the Scope in this window: -![317_1_licfaq1](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/317_1_licfaq1.webp) +![317_1_licfaq1](/img/product_docs/policypak/policypak/license/activedirectory/317_1_licfaq1.webp) SOM_Name is the specific places you will be licensing Endpoint Policy Manager. This is what you are selecting here: -![317_2_licfaq2](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/317_2_licfaq2.webp) +![317_2_licfaq2](/img/product_docs/policypak/policypak/license/activedirectory/317_2_licfaq2.webp) So, here are some examples from some License Request Key files. @@ -81,7 +81,7 @@ some facts: contained within the licensing GPO (which is nothing but licensing data). But then nothing special happens after that, especially since they're out of Scope of Management. -![317_3_licfaq3](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/317_3_licfaq3.webp) +![317_3_licfaq3](/img/product_docs/policypak/policypak/license/activedirectory/317_3_licfaq3.webp) That being said, there are two ways to proceed if your license file's Scope is the whole domain, but you don't want to link it over to the whole domain : diff --git a/docs/policypak/policypak/license/activedirectory/wizard.md b/docs/policypak/policypak/license/activedirectory/wizard.md index 4df84bd143..fb40f5a4d7 100644 --- a/docs/policypak/policypak/license/activedirectory/wizard.md +++ b/docs/policypak/policypak/license/activedirectory/wizard.md 
@@ -10,12 +10,12 @@ importing the license (more on this later), ## Option 1: Using LT to install licenses. -![69_1_image005](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_1_image005.webp) +![69_1_image005](/img/product_docs/policypak/policypak/license/activedirectory/69_1_image005.webp) If you are encountering problems, first try to copy and paste the license ininstead of browsing for the file. Then click **Validate** and continue. -![69_2_image0011](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_2_image0011.webp) +![69_2_image0011](/img/product_docs/policypak/policypak/license/activedirectory/69_2_image0011.webp) ## Option 2: Importing a license directly into an existing GPO 
@@ -30,21 +30,21 @@ later. **NOTE:** This node will NOT appear when using NetIQ GPA!! -![69_3_image0021](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_3_image0021.webp) +![69_3_image0021](/img/product_docs/policypak/policypak/license/activedirectory/69_3_image0021.webp) Alternatively, click **Computer Configuration** > Endpoint Policy Manager > **Admin Templates Manager** > **License Management**. This is an alternate way to get to License Management, and which does work for NetIQ GPA). -![69_4_2015-06-03_2227](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_4_2015-06-03_2227.webp) +![69_4_2015-06-03_2227](/img/product_docs/policypak/policypak/license/activedirectory/69_4_2015-06-03_2227.webp) **Step 2 –** Then import the licenses received from Endpoint Policy Manager sales. -![69_5_image0071](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_5_image0071.webp) +![69_5_image0071](/img/product_docs/policypak/policypak/license/activedirectory/69_5_image0071.webp) **Step 3 –** Verify that the licenses are in the GPO by looking at the GPMC settings report: -![69_6_image010](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_6_image010.webp) +![69_6_image010](/img/product_docs/policypak/policypak/license/activedirectory/69_6_image010.webp) **Step 4 –** Finally, link the GPO to where the computers are. @@ -54,4 +54,4 @@ example, we are linking the GPO to Sales OU, where the GPO will flow downward an **NOTE:** Endpoint Policy Manager will not work in un-licensed locations. Those must be selected when providing your license request key before your licenses are cut. -![69_7_image011](../../../../../static/img/product_docs/policypak/policypak/license/activedirectory/69_7_image011.webp) +![69_7_image011](/img/product_docs/policypak/policypak/license/activedirectory/69_7_image011.webp) 
diff --git a/docs/policypak/policypak/license/cloud/licensestatus.md b/docs/policypak/policypak/license/cloud/licensestatus.md index 6e78a3d8d1..f57e921a62 100644 --- a/docs/policypak/policypak/license/cloud/licensestatus.md +++ b/docs/policypak/policypak/license/cloud/licensestatus.md @@ -6,7 +6,7 @@ When you log into your Cloud account, you land on the License Status tab. This t things: how many license you bought, how many you are using, and how many machines are on the waiting list. -![547_1_license_status](../../../../../static/img/product_docs/policypak/policypak/license/cloud/547_1_license_status.webp) +![547_1_license_status](/img/product_docs/policypak/policypak/license/cloud/547_1_license_status.webp) The number in the Total Purchased column tells you how many licenses you purchased from us here at Netwrix Endpoint Policy Manager (formerly PolicyPak). That is the maximum number of computers you @@ -31,7 +31,7 @@ pool, where a computer on the waiting list could consume it. To find out which of your machines have consumed a license, and which ones are on the waiting list, go to the Reports tab, located next to the License Status tab. -![547_2_reports_tab](../../../../../static/img/product_docs/policypak/policypak/license/cloud/547_2_reports_tab.webp) +![547_2_reports_tab](/img/product_docs/policypak/policypak/license/cloud/547_2_reports_tab.webp) The chart displays in graphic form the information from the License Status tab. diff --git a/docs/policypak/policypak/license/cloud/notifications.md b/docs/policypak/policypak/license/cloud/notifications.md index 4b9a6add6c..5674c271e7 100644 --- a/docs/policypak/policypak/license/cloud/notifications.md +++ b/docs/policypak/policypak/license/cloud/notifications.md 
@@ -3,9 +3,9 @@ The Notifications admin may make this change. Go to Company Details > Edit Notifications Configuration. -![613_1_hfkb-1089-img-01_950x242](../../../../../static/img/product_docs/policypak/policypak/license/cloud/613_1_hfkb-1089-img-01_950x242.webp) +![613_1_hfkb-1089-img-01_950x242](/img/product_docs/policypak/policypak/license/cloud/613_1_hfkb-1089-img-01_950x242.webp) Uncheck **Send a weekly report of inactive computers to all company admins**. Alternatively, you can also change the Threshold. -![613_2_hfkb-1089-img-02_950x609](../../../../../static/img/product_docs/policypak/policypak/license/cloud/613_2_hfkb-1089-img-02_950x609.webp) +![613_2_hfkb-1089-img-02_950x609](/img/product_docs/policypak/policypak/license/cloud/613_2_hfkb-1089-img-02_950x609.webp) diff --git a/docs/policypak/policypak/license/components.md b/docs/policypak/policypak/license/components.md index c1e50ff740..080247648d 100644 --- a/docs/policypak/policypak/license/components.md +++ b/docs/policypak/policypak/license/components.md @@ -20,7 +20,7 @@ components such as: Those license files look like this: -![172_1_image001](../../../../static/img/product_docs/policypak/policypak/license/172_1_image001.webp) +![172_1_image001](/img/product_docs/policypak/policypak/license/172_1_image001.webp) For PP Group Policy Compliance Reporter: @@ -37,7 +37,7 @@ For PP Group Policy Compliance Reporter: To enable PPGPCR Endpoints for Microsoft items, this is the right license: -![172_2_image002](../../../../static/img/product_docs/policypak/policypak/license/172_2_image002.webp) +![172_2_image002](/img/product_docs/policypak/policypak/license/172_2_image002.webp) Also note what is not required to be licensed: diff --git a/docs/policypak/policypak/license/editpolicies.md b/docs/policypak/policypak/license/editpolicies.md index 28e7e0633b..faee716e2d 100644 --- a/docs/policypak/policypak/license/editpolicies.md +++ b/docs/policypak/policypak/license/editpolicies.md 
@@ -21,7 +21,7 @@ you automatically. Q: How is this kept up to date? A: We do it for you. For Windows, Office and Endpoint Policy Manager ADMX settings. See -[Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for Windows, Office, Chrome and more](../video/cloud/admxsettings.md) +[Endpoint Policy ManagerCloud: Use in-cloud ADMX settings maintained by Endpoint Policy Manager for Windows, Office, Chrome and more](/docs/policypak/policypak/video/cloud/admxsettings.md) Q: Do you have Windows 10 and 11 settings in Endpoint Policy Manager Cloud? A: Yes. See @@ -30,7 +30,7 @@ for additional information. Q: What about Custom ADMX, like Acrobat and Chrome? Can I upload those myself? A: Yes. See -[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](../video/cloud/admxfiles.md) +[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md) Q: Why don't you have editors for all the other types: GPPrefs, Security, and Endpoint Policy Manager Settings? diff --git a/docs/policypak/policypak/license/mdm/autopilot.md b/docs/policypak/policypak/license/mdm/autopilot.md index 88a7f3965b..a7cb1aa388 100644 --- a/docs/policypak/policypak/license/mdm/autopilot.md +++ b/docs/policypak/policypak/license/mdm/autopilot.md @@ -12,4 +12,4 @@ An example, taken from [FooUser@ meets the Cosmic Autopilot@ user](https://call4cloud.nl/foouser-autopilot-preprovisoning-fake-user/), can be seen here. -![1336_1_f6195331f68904f96c183fe8a7dfdd29](../../../../../static/img/product_docs/policypak/policypak/license/mdm/1336_1_f6195331f68904f96c183fe8a7dfdd29.webp) +![1336_1_f6195331f68904f96c183fe8a7dfdd29](/img/product_docs/policypak/policypak/license/mdm/1336_1_f6195331f68904f96c183fe8a7dfdd29.webp) 
diff --git a/docs/policypak/policypak/license/mdm/domainmultiple.md b/docs/policypak/policypak/license/mdm/domainmultiple.md index 38e1077542..15f383dee4 100644 --- a/docs/policypak/policypak/license/mdm/domainmultiple.md +++ b/docs/policypak/policypak/license/mdm/domainmultiple.md @@ -14,4 +14,4 @@ asked. available on VMware Workspace One (Airwatch). It may or may not be available with other MDM services. -![356_1_image_950x402](../../../../../static/img/product_docs/policypak/policypak/license/mdm/356_1_image_950x402.webp) +![356_1_image_950x402](/img/product_docs/policypak/policypak/license/mdm/356_1_image_950x402.webp) diff --git a/docs/policypak/policypak/license/mdm/entraid.md b/docs/policypak/policypak/license/mdm/entraid.md index 860b483dac..b5cb6f07b0 100644 --- a/docs/policypak/policypak/license/mdm/entraid.md +++ b/docs/policypak/policypak/license/mdm/entraid.md @@ -7,7 +7,7 @@ below (borrowed from [https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid](https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid) ). -![200_1_image-20200723102952-1](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_1_image-20200723102952-1.webp) +![200_1_image-20200723102952-1](/img/product_docs/policypak/policypak/license/mdm/200_1_image-20200723102952-1.webp) In this case, if you had exactly one machine like this ,you would need to: 
@@ -55,9 +55,9 @@ There is no easy button for this, but it is a straightforward procedure. Typically, you do this with the Endpoint Policy Manager on-prem licensing tool (preferred), or if you need to, you can use PowerShell. -See[My organization doesn't permit me to run the LT (Endpoint Policy Manager Licensing Tool) or provide the XML information it produces. What are my other options?](../unlicense/options.md) +See[My organization doesn't permit me to run the LT (Endpoint Policy Manager Licensing Tool) or provide the XML information it produces. What are my other options?](/docs/policypak/policypak/license/unlicense/options.md) -![200_3_image-20200723102952-2](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_3_image-20200723102952-2.webp) +![200_3_image-20200723102952-2](/img/product_docs/policypak/policypak/license/mdm/200_3_image-20200723102952-2.webp) ### Preparing for Steps 2 and 3: Before we count the Azure only, machines and before we count the Hybrid Azure AD joined machines @@ -71,7 +71,7 @@ possible fields: - Hybrid Azure AD Joined — This means the machine is joined both to Azure AD and to on-prem AD. - Blank: Unknown. -![200_5_image-20200723102952-3](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_5_image-20200723102952-3.webp) +![200_5_image-20200723102952-3](/img/product_docs/policypak/policypak/license/mdm/200_5_image-20200723102952-3.webp) The problem is that you cannot count each type with this interface unless you have just a few machines. Instead you need to use Powershell and have it do the counting for you. 
@@ -94,24 +94,24 @@ if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module Here is the result. -![200_7_image-20200723102952-4](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_7_image-20200723102952-4.webp) +![200_7_image-20200723102952-4](/img/product_docs/policypak/policypak/license/mdm/200_7_image-20200723102952-4.webp) Start out with the Connect-AZAccount cmdlet (not shown). You will get prompted for credentials the first time. -![200_9_image-20200724004807-5](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_9_image-20200724004807-5.webp) +![200_9_image-20200724004807-5](/img/product_docs/policypak/policypak/license/mdm/200_9_image-20200724004807-5.webp) The command should finish and return you with a result like this: -![200_11_image-20200724004807-6](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_11_image-20200724004807-6.webp) +![200_11_image-20200724004807-6](/img/product_docs/policypak/policypak/license/mdm/200_11_image-20200724004807-6.webp) Then use the connect-azuread command and provide credentials again, for a second time. -![200_13_image-20200723102952-5](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_13_image-20200723102952-5.webp) +![200_13_image-20200723102952-5](/img/product_docs/policypak/policypak/license/mdm/200_13_image-20200723102952-5.webp) Results of connection are then seen here: -![200_15_image-20200723102952-6](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_15_image-20200723102952-6.webp) +![200_15_image-20200723102952-6](/img/product_docs/policypak/policypak/license/mdm/200_15_image-20200723102952-6.webp) You can then list all Windows 10 devices with the following command: 
@@ -119,7 +119,7 @@ You can then list all Windows 10 devices with the following command: Get-AzureADDevice -all $true | select displayname, DeviceOSType, DeviceTrustType ``` -![200_17_image-20200723102952-7](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_17_image-20200723102952-7.webp) +![200_17_image-20200723102952-7](/img/product_docs/policypak/policypak/license/mdm/200_17_image-20200723102952-7.webp) ## Step 2: Count your Joined to Azure AD only (but not on-prem domain joined machines) @@ -141,7 +141,7 @@ Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "ServerAd"} Results examples are seen here: -![200_19_image-20200723102952-8](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_19_image-20200723102952-8.webp) +![200_19_image-20200723102952-8](/img/product_docs/policypak/policypak/license/mdm/200_19_image-20200723102952-8.webp) ## A final example with Math diff --git a/docs/policypak/policypak/license/mdm/hybrid.md b/docs/policypak/policypak/license/mdm/hybrid.md index 452b32c5aa..7fb0d53543 100644 --- a/docs/policypak/policypak/license/mdm/hybrid.md +++ b/docs/policypak/policypak/license/mdm/hybrid.md 
@@ -13,21 +13,21 @@ Active Directory running Domain Controllers, which comes with Group Policy. Typi always, these servers are on-prem. We will explore the the idea that they don't have to be on-prem a little later. -![515_1_image-20191025230525-1](../../../../../static/img/product_docs/policypak/policypak/license/mdm/515_1_image-20191025230525-1.webp) +![515_1_image-20191025230525-1](/img/product_docs/policypak/policypak/license/mdm/515_1_image-20191025230525-1.webp) In this case, you can license Endpoint Policy Manager with Endpoint Policy Manager Group Policy Edition or Endpoint Policy Manager Cloud Edition. -- See All Things Licensing > [Knowledge Base](../overview/knowledgebase.md) -- See Cloud edition: [Endpoint Policy Manager Cloud: QuickStart](../../video/cloud/quickstart.md) -- See[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../../video/cloud/integration/onpremise.md) +- See All Things Licensing > [Knowledge Base](/docs/policypak/policypak/license/overview/knowledgebase.md) +- See Cloud edition: [Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) +- See[Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md) ## Azure Active Directory (also known as AAD) with or without an MDM service. Azure Active Directory (AAD) is not the traditional AD in the cloud. It is a directory service which has a job to create identity to services. -![515_3_image-20191025230525-2](../../../../../static/img/product_docs/policypak/policypak/license/mdm/515_3_image-20191025230525-2.webp) +![515_3_image-20191025230525-2](/img/product_docs/policypak/policypak/license/mdm/515_3_image-20191025230525-2.webp) It has no Group Policy and has no real device management. There are two ways you can use Azure AD: with and without an MDM service. 
@@ -40,7 +40,7 @@ CEM to do more Windows management, but it is not Group Policy. Here is what a machine looks like when it is MDM enrolled and registered in your Azure Active Directory. -![515_5_image-20191025230525-3](../../../../../static/img/product_docs/policypak/policypak/license/mdm/515_5_image-20191025230525-3.webp) +![515_5_image-20191025230525-3](/img/product_docs/policypak/policypak/license/mdm/515_5_image-20191025230525-3.webp) As such, you might want to add Endpoint Policy Manager to your existing MDM service to give you the ability to take existing traditional AD Group Policy settings and migrate them to MDM. Additionally, @@ -49,11 +49,11 @@ you get all the Endpoint Policy Manager features as well. For this method, you are not licensing Azure Active Directory, but rather your MDM service. - See - [When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? ](setup.md)for + [When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? ](/docs/policypak/policypak/license/mdm/setup.md)for additional information on how to express the UPN and number of licenses needed for licensing your MDM service -- [Endpoint Policy Manager and MDM walk before you run](../../video/mdm/testsample.md) -- See Getting Started with MDM > [Video Learning Center](../../mdm/overview/videolearningcenter.md) +- [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) +- See Getting Started with MDM > [Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) 2 — Azure AD with no MDM service 
@@ -64,7 +64,7 @@ cost and moving parts. To do this, you would need to add Endpoint Policy Manager Cloud to your Azure AD by installing the Endpoint Policy Manager Cloud client on your . -See [Endpoint Policy Manager Cloud: QuickStart](../../video/cloud/quickstart.md) for additional +See [Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) for additional information on getting started and licensing with Endpoint Policy Manager Cloud edition ## AD Domain Controllers as VMs in Azure @@ -81,10 +81,10 @@ You would typically use Group Policy edition and license a whole domain, OU or O Alternatively, you can use Endpoint Policy Manager Cloud edition and license each machine. -- See All Things Licensing > [Knowledge Base](../overview/knowledgebase.md) -- [Endpoint Policy Manager Cloud: QuickStart](../../video/cloud/quickstart.md) +- See All Things Licensing > [Knowledge Base](/docs/policypak/policypak/license/overview/knowledgebase.md) +- [Endpoint Policy Manager Cloud: QuickStart](/docs/policypak/policypak/video/cloud/quickstart.md) - See - [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](../../video/cloud/integration/onpremise.md) + [Endpoint Policy ManagerCloud and Endpoint Policy Manager OnPremise – Together using PPCloud Licenses](/docs/policypak/policypak/video/cloud/integration/onpremise.md) ## Azure AD Domain Services (AS DS) diff --git a/docs/policypak/policypak/license/mdm/intune.md b/docs/policypak/policypak/license/mdm/intune.md index 750befcd1c..7dea437627 100644 --- a/docs/policypak/policypak/license/mdm/intune.md +++ b/docs/policypak/policypak/license/mdm/intune.md 
@@ -11,7 +11,7 @@ the same result. Please follow the steps in the following article to acquire the number of Computers in Intune. Please send us screenshots like the ones in the article to let us know the number of machines. -[If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](entraid.md) +[If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](/docs/policypak/policypak/license/mdm/entraid.md) ## Part 2: Getting the Intune Company Name @@ -25,7 +25,7 @@ Connect-MSGraph -AdminConsent Get-Organization | Select @{N = 'CompanyName'; E = { $_.displayName } } | out-file INTUNECOMPANYNAME.TXT ``` -See [MDM Intune company name troubleshooting](../../video/license/mdm.md) +See [MDM Intune company name troubleshooting](/docs/policypak/policypak/video/license/mdm.md) ## Final Thoughts: Number of computers + Company Name diff --git a/docs/policypak/policypak/license/mdm/jointype.md b/docs/policypak/policypak/license/mdm/jointype.md index 5a1705151a..becd59e9f7 100644 --- a/docs/policypak/policypak/license/mdm/jointype.md +++ b/docs/policypak/policypak/license/mdm/jointype.md @@ -8,7 +8,7 @@ You can see these as items 1, 2 and 3 below. - Case Item 2 — Azure Active Directory Joined, and MDM = Intune - Case Item 3 — Azure Active Directory Registered and MDM = Intune -![754_1_1_950x287](../../../../../static/img/product_docs/policypak/policypak/license/mdm/754_1_1_950x287.webp) +![754_1_1_950x287](/img/product_docs/policypak/policypak/license/mdm/754_1_1_950x287.webp) In all these cases, the computers are counted toward Intune licensing. This is because: 
@@ -26,4 +26,4 @@ In all these cases, the computers are counted toward Intune licensing. This is b Using LT, you can see all computers noted above would be counted within LT for licensing purposes, as seen here. -![754_2_2_950x795](../../../../../static/img/product_docs/policypak/policypak/license/mdm/754_2_2_950x795.webp) +![754_2_2_950x795](/img/product_docs/policypak/policypak/license/mdm/754_2_2_950x795.webp) diff --git a/docs/policypak/policypak/license/mdm/name.md b/docs/policypak/policypak/license/mdm/name.md index 3a7c862a75..46c2966d73 100644 --- a/docs/policypak/policypak/license/mdm/name.md +++ b/docs/policypak/policypak/license/mdm/name.md @@ -10,11 +10,11 @@ OlderNetwrix Endpoint Policy Manager (formerly PolicyPak) CSEs were licensed onl Modern Endpoint Policy Manager CSEs can be licensed by either UPN or company name. We recommend that you use Azure / Intune Company name. -![662_1_1_950x815](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_1_1_950x815.webp) +![662_1_1_950x815](/img/product_docs/policypak/policypak/license/mdm/662_1_1_950x815.webp) Company name equates to this value in Azure, which Intune also uses. -![662_2_2_950x687](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_2_2_950x687.webp) +![662_2_2_950x687](/img/product_docs/policypak/policypak/license/mdm/662_2_2_950x687.webp) When you license theEndpoint Policy Manager CSE by company name, it doesn't matter how the Windows 10 device was enrolled. 
@@ -22,12 +22,12 @@ When you license theEndpoint Policy Manager CSE by company name, it doesn't matt On the other hand, you could use UPN names (aka Custom domain names) to license Endpoint Policy Manager with Intune, but this isn't recommended. -![662_3_3_950x448](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_3_3_950x448.webp) +![662_3_3_950x448](/img/product_docs/policypak/policypak/license/mdm/662_3_3_950x448.webp) When you use UPN name, then the UPN suffix of the person enrolling the computer must match what we license. -![662_4_4_950x740](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_4_4_950x740.webp) +![662_4_4_950x740](/img/product_docs/policypak/policypak/license/mdm/662_4_4_950x740.webp) Since someone's email and UPN can change, but typically the Intune / Azure Company name does not, we recommend: @@ -40,12 +40,12 @@ recommend: Then use ppupdate to verify that your computers are correctly licensed by company name. This is the preferred state for all Endpoint Policy Manager customers using Intune. -![662_5_5_950x747](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_5_5_950x747.webp) +![662_5_5_950x747](/img/product_docs/policypak/policypak/license/mdm/662_5_5_950x747.webp) In this example you can see an attempt to use a license using UPN name, but the name of the person who enrolled the machine does not match what is in the license file. -![662_6_6_950x694](../../../../../static/img/product_docs/policypak/policypak/license/mdm/662_6_6_950x694.webp) +![662_6_6_950x694](/img/product_docs/policypak/policypak/license/mdm/662_6_6_950x694.webp) See the Microsoft article on how to [Plan and troubleshoot User Principal Name changes in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/howto-troubleshoot-upn-changes) 
diff --git a/docs/policypak/policypak/license/mdm/setup.md b/docs/policypak/policypak/license/mdm/setup.md index ee714d056a..56ecc5b525 100644 --- a/docs/policypak/policypak/license/mdm/setup.md +++ b/docs/policypak/policypak/license/mdm/setup.md @@ -5,7 +5,7 @@ MDM service. Use this table below to determine how to get licensed: - Intune (Automatic) — Use the Endpoint Policy Manager Portal and download the BITS. Then run the Licensing Tool (LT) to acquire the information and save it to your License Request Key. See - [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](../../video/license/licenserequestkey.md) + [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md) - Intune (Alternate) — Only if asked, follow the directions on this page. - VMware Workspace One — Follow the directions on this page. - Citrix CEM — Follow the directions on this page. @@ -24,7 +24,7 @@ When you enroll machines into your MDM, you do so with a UPN name. Start out by name you use, @fabrikam.com in our example. We recommend you take a screenshot of this page from an enrolled Windows 10 machine, then continue. -![44_1_sdfg](../../../../../static/img/product_docs/policypak/policypak/license/812_4_sdfg.webp) +![44_1_sdfg](/img/product_docs/policypak/policypak/license/812_4_sdfg.webp) ## License count @@ -36,7 +36,7 @@ information: If you have a mix of on-prem AD machines, Azure joined machines and Hybrid Azure AD machines please see - [If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](entraid.md) + [If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](/docs/policypak/policypak/license/mdm/entraid.md) for additional information on how to express your count. ## The Billing Process 
@@ -51,11 +51,11 @@ for additional information on how to express your count. If in the Azure portal, ensure you are in the Intune section. -![44_2_image-20200815220310-23](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_2_image-20200815220310-23.jpeg) +![44_2_image-20200815220310-23](/img/product_docs/policypak/policypak/license/mdm/44_2_image-20200815220310-23.jpeg) The device Screenshot will demonstrate the total Windows Devices and Tenant ownership: -![44_4_image-20200815220310-24](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_4_image-20200815220310-24.jpeg) +![44_4_image-20200815220310-24](/img/product_docs/policypak/policypak/license/mdm/44_4_image-20200815220310-24.jpeg) ### Workplace One (Airwatch) @@ -64,7 +64,7 @@ In your Airwatch portal: - Click on the **Devices** icon - In Platforms, locate the Windows Desktops section and take a screenshot of the entire window -![44_6_image-20200815220310-25](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_6_image-20200815220310-25.jpeg) +![44_6_image-20200815220310-25](/img/product_docs/policypak/policypak/license/mdm/44_6_image-20200815220310-25.jpeg) ### MobileIron 
@@ -72,12 +72,12 @@ Log into your MobileIron Portal. Your dashboard should show you the number of de enrolled if Device by OS Type is on your dashboard. If the Pie Chart is shown, click the icon in the lower-left corner of the Device by OS Type window to change to the Bar Chart. -![44_8_image-20200815220310-26](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_8_image-20200815220310-26.jpeg) +![44_8_image-20200815220310-26](/img/product_docs/policypak/policypak/license/mdm/44_8_image-20200815220310-26.jpeg) Take a screen shot of the device count and account ownership as per the screenshots below (it may take 2 captures) -![44_10_image-20200815220310-27_950x711](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_10_image-20200815220310-27_950x711.jpeg) +![44_10_image-20200815220310-27_950x711](/img/product_docs/policypak/policypak/license/mdm/44_10_image-20200815220310-27_950x711.jpeg) ### Citrix Endpoint Management (CEM – formally XenMobile) @@ -86,11 +86,11 @@ Option 1: On the Analyze page of the CEM Portal, click on the Dashboard. Take a screenshot showing Managed devices by Platform and the ownership in the top right-hand corner -![44_12_image-20200815220310-28](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_12_image-20200815220310-28.webp) +![44_12_image-20200815220310-28](/img/product_docs/policypak/policypak/license/mdm/44_12_image-20200815220310-28.webp) Option 2: From the Analyze page, go to Reporting > Devices & Apps and take a screenshot showing the Device count and Ownership: -![44_14_image-20200815220310-29](../../../../../static/img/product_docs/policypak/policypak/license/mdm/44_14_image-20200815220310-29.webp) +![44_14_image-20200815220310-29](/img/product_docs/policypak/policypak/license/mdm/44_14_image-20200815220310-29.webp) diff --git a/docs/policypak/policypak/license/mdm/tool.md b/docs/policypak/policypak/license/mdm/tool.md index 73670a2ce2..763aebb18a 100644 
--- a/docs/policypak/policypak/license/mdm/tool.md +++ b/docs/policypak/policypak/license/mdm/tool.md @@ -51,7 +51,7 @@ function Get-MgGraphAllPages {                 }             }         }  -        while (-Not ([string]::IsNullOrWhiteSpace($currentNextLink))) +        while (-Not ([string]::IsNullOrWhiteSpace($currentNextLink)         {             # Make the call to get the next page             try { @@ -109,5 +109,5 @@ Out-Both @($devices).Count Disconnect-MgGraph | Out-Null ``` -See the [MDM Intune company name troubleshooting](../../video/license/mdm.md) video for additional +See the [MDM Intune company name troubleshooting](/docs/policypak/policypak/video/license/mdm.md) video for additional information. diff --git a/docs/policypak/policypak/license/overview/knowledgebase.md b/docs/policypak/policypak/license/overview/knowledgebase.md index 039803151a..3736e70dc5 100644 --- a/docs/policypak/policypak/license/overview/knowledgebase.md +++ b/docs/policypak/policypak/license/overview/knowledgebase.md 
@@ -5,83 +5,83 @@ licensing. ## Licenses FAQ for Active Directory (GPO and SCCM) -- [Will I need a license server to manage my Endpoint Policy Manager licenses?](../activedirectory/server.md) -- [What if we license one OU, say, Sales Computers OU, then during the year we also want to license a peer OU, like Marketing Computers OU?](../activedirectory/ou.md) -- [We purchased our Endpoint Policy Manager license for a parent OU in our Active Directory structure. What happens if we need to add additional sub-OUs inside of the parent one? How will this affect our licensing?](../activedirectory/ousub.md) -- [We purchased our Endpoint Policy Manager license for a parent OU in our Active Directory structure. What happens if we need to add additional sub-OUs inside of the parent one? How will this affect our licensing?](../activedirectory/ousub.md) -- [I'm an OU admin and not a domain administrator. Can I use Endpoint Policy Manager in my OU and not the whole domain?](../activedirectory/domainou.md) -- [I can only EDIT GPOs and not create them. Can I still use Endpoint Policy Manager?](../activedirectory/gpoedit.md) -- [I want to license the whole domain (or main OU), but I don't want to pay for every computer in that domain (or main OU)](../activedirectory/domain.md) -- [I have multiple domains. How is that licensed?](../activedirectory/domainmultiple.md) -- [Why does License Tool ask Who am I and Where do I want to use Endpoint Policy Manager?](../activedirectory/scope.md) -- [Does the Licensing Tool (LT.exe) count disabled Active Directory computer accounts ?](../activedirectory/disabledcomputer.md) -- [Does LT count users?](../activedirectory/users.md) -- [The License Tool (LT) isn't permitting me to install License Files (or I am using AGPM, GPA, or GPOAdmin.) What should I try?](../activedirectory/wizard.md) -- [Licence Tool recommends I enforce the links on the licensing GPOs. 
Should I do this, and why is this recommended?](../activedirectory/enforced.md) +- [Will I need a license server to manage my Endpoint Policy Manager licenses?](/docs/policypak/policypak/license/activedirectory/server.md) +- [What if we license one OU, say, Sales Computers OU, then during the year we also want to license a peer OU, like Marketing Computers OU?](/docs/policypak/policypak/license/activedirectory/ou.md) +- [We purchased our Endpoint Policy Manager license for a parent OU in our Active Directory structure. What happens if we need to add additional sub-OUs inside of the parent one? How will this affect our licensing?](/docs/policypak/policypak/license/activedirectory/ousub.md) +- [We purchased our Endpoint Policy Manager license for a parent OU in our Active Directory structure. What happens if we need to add additional sub-OUs inside of the parent one? How will this affect our licensing?](/docs/policypak/policypak/license/activedirectory/ousub.md) +- [I'm an OU admin and not a domain administrator. Can I use Endpoint Policy Manager in my OU and not the whole domain?](/docs/policypak/policypak/license/activedirectory/domainou.md) +- [I can only EDIT GPOs and not create them. Can I still use Endpoint Policy Manager?](/docs/policypak/policypak/license/activedirectory/gpoedit.md) +- [I want to license the whole domain (or main OU), but I don't want to pay for every computer in that domain (or main OU)](/docs/policypak/policypak/license/activedirectory/domain.md) +- [I have multiple domains. 
How is that licensed?](/docs/policypak/policypak/license/activedirectory/domainmultiple.md) +- [Why does License Tool ask Who am I and Where do I want to use Endpoint Policy Manager?](/docs/policypak/policypak/license/activedirectory/scope.md) +- [Does the Licensing Tool (LT.exe) count disabled Active Directory computer accounts ?](/docs/policypak/policypak/license/activedirectory/disabledcomputer.md) +- [Does LT count users?](/docs/policypak/policypak/license/activedirectory/users.md) +- [The License Tool (LT) isn't permitting me to install License Files (or I am using AGPM, GPA, or GPOAdmin.) What should I try?](/docs/policypak/policypak/license/activedirectory/wizard.md) +- [Licence Tool recommends I enforce the links on the licensing GPOs. Should I do this, and why is this recommended?](/docs/policypak/policypak/license/activedirectory/enforced.md) ## Licensing FAQ and Troubleshooting: Endpoint Policy Manager Cloud -- [How do I license machines to work on-premise if I'm an Endpoint Policy Manager Cloud Customer?](../cloud/onpremise.md) -- [How do I stop getting emails which say : "You have less than X% of your Endpoint Policy Manager licenses available for your company"](../cloud/notifications.md) -- [How do I understand my cloud licenses?](../cloud/licensestatus.md) -- [How exactly does monthly billing work with Endpoint Policy Manager SaaS Edition?](../cloud/billing.md) -- [ What happens if PPCloud computers are offline for more than 7 days?](../cloud/reclaimed.md) +- [How do I license machines to work on-premise if I'm an Endpoint Policy Manager Cloud Customer?](/docs/policypak/policypak/license/cloud/onpremise.md) +- [How do I stop getting emails which say : "You have less than X% of your Endpoint Policy Manager licenses available for your company"](/docs/policypak/policypak/license/cloud/notifications.md) +- [How do I understand my cloud licenses?](/docs/policypak/policypak/license/cloud/licensestatus.md) +- [How exactly does monthly billing work with 
Endpoint Policy Manager SaaS Edition?](/docs/policypak/policypak/license/cloud/billing.md) +- [ What happens if PPCloud computers are offline for more than 7 days?](/docs/policypak/policypak/license/cloud/reclaimed.md) ## Requesting Licenses FAQ and Troubleshooting (all Methods) -- [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](../trial.md) -- [Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](../tool.md) -- [What Logs do I need to send for troubleshooting LT (License Tool) or other MMC / .Net related functions?](../../troubleshooting/license/logs.md) -- [How do I manually count the number of computers in Intune, and manually acquire the Intune "Company Name?"](../mdm/intune.md) -- [What are the most common questions about editing policies using the Endpoint Policy ManagerCloud policy editor (instead of using the MMC to upload to Endpoint Policy Manager Cloud?)](../../cloud/policy/edit.md) +- [What is the fastest way to get started in an Endpoint Policy Manager trial, without running the License Request Tool?](/docs/policypak/policypak/license/trial.md) +- [Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](/docs/policypak/policypak/license/tool.md) +- [What Logs do I need to send for troubleshooting LT (License Tool) or other MMC / .Net related functions?](/docs/policypak/policypak/troubleshooting/license/logs.md) +- [How do I manually count the number of computers in Intune, and manually acquire the Intune "Company Name?"](/docs/policypak/policypak/license/mdm/intune.md) +- [What are the most common questions about editing policies using the Endpoint Policy ManagerCloud policy editor (instead of using the MMC to upload to Endpoint Policy Manager Cloud?)](/docs/policypak/policypak/cloud/policy/edit.md) 
## Requesting Licenses FAQ and Troubleshooting (Virtualization, Citrix, WVD, etc.) -- [How are Terminal Services and/or Citrix connections licensed?](../virtualization/terminalservices.md) -- [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](../virtualization/multisession.md) -- [Why must I run LT from a Windows Server if I want to properly count Citrix / Terminal Services / RDS connections?](../virtualization/tool.md) -- [What must I show to prove my current RDS and/or Citrix, or other Multi-Session windows concurrent license count for Endpoint Policy Manager Cloud (or if on-prem LT cannot auto-discover them)?](../virtualization/count.md) -- [Are there any special Endpoint Policy Manager licensing issues for virtual desktops?](../virtualization/desktops.md) +- [How are Terminal Services and/or Citrix connections licensed?](/docs/policypak/policypak/license/virtualization/terminalservices.md) +- [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](/docs/policypak/policypak/license/virtualization/multisession.md) +- [Why must I run LT from a Windows Server if I want to properly count Citrix / Terminal Services / RDS connections?](/docs/policypak/policypak/license/virtualization/tool.md) +- [What must I show to prove my current RDS and/or Citrix, or other Multi-Session windows concurrent license count for Endpoint Policy Manager Cloud (or if on-prem LT cannot auto-discover them)?](/docs/policypak/policypak/license/virtualization/count.md) +- [Are there any special Endpoint Policy Manager licensing issues for virtual desktops?](/docs/policypak/policypak/license/virtualization/desktops.md) ## Licensing: Requesting Licenses: MDM -- [When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? 
](../mdm/setup.md) -- [If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](../mdm/entraid.md) -- [What if I have multiple domain names within the MDM I want to license?](../mdm/domainmultiple.md) -- [How do I license Endpoint Policy Manager if I use Azure / Azure Active Directory / Azure Active Directory Domain Services / AD Domain Controllers in Azure?](../mdm/hybrid.md) -- [How are BYOD "Workplace Joined" (aka Intune Registered) counted toward licensing?](../mdm/jointype.md) -- [I'm having trouble running the Licensing Tool (LT) and counting computers with Intune. What troubleshooting information can I send Endpoint Policy Manager support?](../mdm/tool.md) -- [What is the difference if I license my MDM machines' CSE using COMPANY NAME vs. UPN name?](../mdm/name.md) -- [Why does the Endpoint Policy Manager Licensing Tool (LT.EXE) require admin rights to query for Intune / Azure data?](../mdm/adminrights.md) +- [When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? ](/docs/policypak/policypak/license/mdm/setup.md) +- [If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?](/docs/policypak/policypak/license/mdm/entraid.md) +- [What if I have multiple domain names within the MDM I want to license?](/docs/policypak/policypak/license/mdm/domainmultiple.md) +- [How do I license Endpoint Policy Manager if I use Azure / Azure Active Directory / Azure Active Directory Domain Services / AD Domain Controllers in Azure?](/docs/policypak/policypak/license/mdm/hybrid.md) +- [How are BYOD "Workplace Joined" (aka Intune Registered) counted toward licensing?](/docs/policypak/policypak/license/mdm/jointype.md) +- [I'm having trouble running the Licensing Tool (LT) and counting computers with Intune. 
What troubleshooting information can I send Endpoint Policy Manager support?](/docs/policypak/policypak/license/mdm/tool.md) +- [What is the difference if I license my MDM machines' CSE using COMPANY NAME vs. UPN name?](/docs/policypak/policypak/license/mdm/name.md) +- [Why does the Endpoint Policy Manager Licensing Tool (LT.EXE) require admin rights to query for Intune / Azure data?](/docs/policypak/policypak/license/mdm/adminrights.md) ## Licensing: Installing Licenses: All Methods -- [What is the best way to roll out New Universal licenses if I already have Original licenses?](../universal.md) -- [I received multiple license files back from the Sales team (one for each Endpoint Policy Manager component.) Should I install all of them?](../filemultiple.md) +- [What is the best way to roll out New Universal licenses if I already have Original licenses?](/docs/policypak/policypak/license/universal.md) +- [I received multiple license files back from the Sales team (one for each Endpoint Policy Manager component.) Should I install all of them?](/docs/policypak/policypak/license/filemultiple.md) ## Licensing Troubleshooting: All Methods -- [How can I tell how a machine is licensed (by GPO, MDM, or XML file), and also know for what components it is licensed?](../../troubleshooting/license/components.md) -- [I have a pop-up saying "License expires soon" or "Licenses expire in X days" when editing a GPO. What do I do?](../../troubleshooting/license/expires.md) -- [How do I turn on MMC Snap in Logs (for troubleshooting MMC Editing or Licensing Import)?](../../troubleshooting/license/mmcsnapinlogs.md) -- [I unlicensed my machine by removing a universal license, my machine still appears licensed. 
Why is this?](../../troubleshooting/license/universal.md) -- [Action Required for Endpoint Policy Manager Customers using Legacy Licenses](../../troubleshooting/license/legacy.md) -- [How do I make the Grace Period licensing pop-up go away?](../../troubleshooting/license/graceperiod.md) -- [Action Recommended Endpoint Policy Manager Customers to transition from "Enterprise" Licenses to "Enterprise Full" licenses.](../../troubleshooting/license/enterprisefull.md) -- [Gathering License Tool logs (LT.exe)](../../troubleshooting/license/toollogs.md) +- [How can I tell how a machine is licensed (by GPO, MDM, or XML file), and also know for what components it is licensed?](/docs/policypak/policypak/troubleshooting/license/components.md) +- [I have a pop-up saying "License expires soon" or "Licenses expire in X days" when editing a GPO. What do I do?](/docs/policypak/policypak/troubleshooting/license/expires.md) +- [How do I turn on MMC Snap in Logs (for troubleshooting MMC Editing or Licensing Import)?](/docs/policypak/policypak/troubleshooting/license/mmcsnapinlogs.md) +- [I unlicensed my machine by removing a universal license, my machine still appears licensed. 
Why is this?](/docs/policypak/policypak/troubleshooting/license/universal.md) +- [Action Required for Endpoint Policy Manager Customers using Legacy Licenses](/docs/policypak/policypak/troubleshooting/license/legacy.md) +- [How do I make the Grace Period licensing pop-up go away?](/docs/policypak/policypak/troubleshooting/license/graceperiod.md) +- [Action Recommended Endpoint Policy Manager Customers to transition from "Enterprise" Licenses to "Enterprise Full" licenses.](/docs/policypak/policypak/troubleshooting/license/enterprisefull.md) +- [Gathering License Tool logs (LT.exe)](/docs/policypak/policypak/troubleshooting/license/toollogs.md) ## Licensing Troubleshooting and Un-Licensing: Active Directory (GPO and SCCM) -- [What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](../unlicense/components.md) -- [My organization doesn't permit me to run the LT (Endpoint Policy Manager Licensing Tool) or provide the XML information it produces. What are my other options?](../unlicense/options.md) -- [What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](../unlicense/componentscloud.md) -- [I just installed new license files / new GPOs. 
Should I keep or delete the old license files / GPOs?](../unlicense/fileold.md) -- [How do I specifically exclude or prevent a component from performing processing by modifying the license file?](../unlicense/componentsexclude.md) -- [How can I verify, test and/or reset my Domain Join (aka SecureChannel) from the endpoint to domain controller?](../unlicense/reset.md) -- [Why is Endpoint Policy Manager Preferences (original version) "forced disabled" by default?](../unlicense/forceddisabled.md) +- [What happens to each component when Endpoint Policy Manager gets unlicensed or the GPO or policy no longer applies?](/docs/policypak/policypak/license/unlicense/components.md) +- [My organization doesn't permit me to run the LT (Endpoint Policy Manager Licensing Tool) or provide the XML information it produces. What are my other options?](/docs/policypak/policypak/license/unlicense/options.md) +- [What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](/docs/policypak/policypak/license/unlicense/componentscloud.md) +- [I just installed new license files / new GPOs. 
Should I keep or delete the old license files / GPOs?](/docs/policypak/policypak/license/unlicense/fileold.md) +- [How do I specifically exclude or prevent a component from performing processing by modifying the license file?](/docs/policypak/policypak/license/unlicense/componentsexclude.md) +- [How can I verify, test and/or reset my Domain Join (aka SecureChannel) from the endpoint to domain controller?](/docs/policypak/policypak/license/unlicense/reset.md) +- [Why is Endpoint Policy Manager Preferences (original version) "forced disabled" by default?](/docs/policypak/policypak/license/unlicense/forceddisabled.md) ## Misc Licensing Questions -- [When and why would I license Endpoint Policy Manager on servers?](../whenwhy.md) -- [What items and components are licensed, and what components are free?](../components.md) -- [Why must I transition from Legacy to Universal licenses (and what are the differences?)](../transition.md) +- [When and why would I license Endpoint Policy Manager on servers?](/docs/policypak/policypak/license/whenwhy.md) +- [What items and components are licensed, and what components are free?](/docs/policypak/policypak/license/components.md) +- [Why must I transition from Legacy to Universal licenses (and what are the differences?)](/docs/policypak/policypak/license/transition.md) diff --git a/docs/policypak/policypak/license/overview/videolearningcenter.md b/docs/policypak/policypak/license/overview/videolearningcenter.md index aacccdbb24..b05842d471 100644 --- a/docs/policypak/policypak/license/overview/videolearningcenter.md +++ b/docs/policypak/policypak/license/overview/videolearningcenter.md 
@@ -4,19 +4,19 @@ See the following Video topics for more information on Endpoint Policy Manager l ## Licensing Request: All Methods -- [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](../../video/license/licenserequestkey.md) +- [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md) ## Licensing Install: All Methods (Universal Licenses for customers after 2021) -- [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md) +- [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) ## Licensing Install: All Methods (Universal Licenses for customers before 2021) -- [Endpoint Policy Manager: Universal and Original Licensing Installation and Upgrades for Existing Customers](../../video/license/upgrades.md) +- [Endpoint Policy Manager: Universal and Original Licensing Installation and Upgrades for Existing Customers](/docs/policypak/policypak/video/license/upgrades.md) ## Troubleshooting and Un-Licensing -- [Legacy License Retirement Guidance (for Feb 28, 2023)](../../video/license/legacy.md) -- [How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](../../video/license/unlicense.md) -- [Using LT for license cleanup](../../video/license/cleanup.md) -- [MDM Intune company name troubleshooting](../../video/license/mdm.md) +- [Legacy License Retirement Guidance (for Feb 28, 2023)](/docs/policypak/policypak/video/license/legacy.md) +- [How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/license/unlicense.md) +- [Using LT for license cleanup](/docs/policypak/policypak/video/license/cleanup.md) +- [MDM Intune company name 
troubleshooting](/docs/policypak/policypak/video/license/mdm.md) diff --git a/docs/policypak/policypak/license/tool.md b/docs/policypak/policypak/license/tool.md index 80c4a7041b..37b2e391fe 100644 --- a/docs/policypak/policypak/license/tool.md +++ b/docs/policypak/policypak/license/tool.md @@ -11,7 +11,7 @@ acquire the following information: Here's an example file you would send to us: -![197_1_licensing_faq_pic](../../../../static/img/product_docs/policypak/policypak/license/197_1_licensing_faq_pic.webp) +![197_1_licensing_faq_pic](/img/product_docs/policypak/policypak/license/197_1_licensing_faq_pic.webp) Without this file, we cannot know what your computer and Terminal Services count is, and hence, how much to quote you or where to license you. diff --git a/docs/policypak/policypak/license/transition.md b/docs/policypak/policypak/license/transition.md index 1c5324a4ac..a6a44b8bfb 100644 --- a/docs/policypak/policypak/license/transition.md +++ b/docs/policypak/policypak/license/transition.md 
@@ -13,17 +13,17 @@ Legacy licenses take the form of multiple keys, one for each component. Whenever we have a new component, we would issue your company a new legacy license for that component. -![861_1_hfkb-1130-img-01](../../../../static/img/product_docs/policypak/policypak/license/861_1_hfkb-1130-img-01.webp) +![861_1_hfkb-1130-img-01](/img/product_docs/policypak/policypak/license/861_1_hfkb-1130-img-01.webp) An individual legacy license XML looks like this and contains the product (component) and the scope of where it is licensed to: -![861_2_hfkb-1130-img-02_950x238](../../../../static/img/product_docs/policypak/policypak/license/861_2_hfkb-1130-img-02_950x238.webp) +![861_2_hfkb-1130-img-02_950x238](/img/product_docs/policypak/policypak/license/861_2_hfkb-1130-img-02_950x238.webp) You then use the Group Policy editor to consume the license and the result would look something like this. -![861_3_hfkb-1130-img-03_950x447](../../../../static/img/product_docs/policypak/policypak/license/861_3_hfkb-1130-img-03_950x447.webp) +![861_3_hfkb-1130-img-03_950x447](/img/product_docs/policypak/policypak/license/861_3_hfkb-1130-img-03_950x447.webp) Additionally, if you wanted to use Endpoint Policy Manager with an MDM service, we needed to cut a second set of keys just for that scenario. That second set of licenses is an .MSI which also contain @@ -31,7 +31,7 @@ the XMLs which enable Endpoint Policy Manager to work with an MDM service. Tip: You can use 7zip to open an MSI and see the licenses, like this.: -![861_4_hfkb-1130-img-04_950x320](../../../../static/img/product_docs/policypak/policypak/license/861_4_hfkb-1130-img-04_950x320.webp) +![861_4_hfkb-1130-img-04_950x320](/img/product_docs/policypak/policypak/license/861_4_hfkb-1130-img-04_950x320.webp) ## Understanding Universal Licenses 
@@ -45,21 +45,21 @@ Universal licenses solve a lot of problems around key generation: - Some components which have capabilities may be specified with those capabilities. This is not available in Legacy license type. - For MDM customers, we can specify EITHER Intune Company name or UPN name. - [What is the difference if I license my MDM machines' CSE using COMPANY NAME vs. UPN name?](mdm/name.md) + [What is the difference if I license my MDM machines' CSE using COMPANY NAME vs. UPN name?](/docs/policypak/policypak/license/mdm/name.md) This is not available for Legacy license type. - Administrators may disable a specifically licensed component, without having to request Endpoint Policy Manager support to re-cut the license. - [How do I specifically exclude or prevent a component from performing processing by modifying the license file?](unlicense/componentsexclude.md) + [How do I specifically exclude or prevent a component from performing processing by modifying the license file?](/docs/policypak/policypak/license/unlicense/componentsexclude.md) - The license may be wrapped up by the admin as a .MSI and re-deployed without contacting Endpoint Policy Manager support to make a .MSI. - [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) + [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) -![861_5_hfkb-1130-img-05_950x431](../../../../static/img/product_docs/policypak/policypak/license/861_5_hfkb-1130-img-05_950x431.webp) +![861_5_hfkb-1130-img-05_950x431](/img/product_docs/policypak/policypak/license/861_5_hfkb-1130-img-05_950x431.webp) In the Group Policy editor you can consume the Universal license and it will look like this. 
-![861_6_hfkb-1130-img-06_950x670](../../../../static/img/product_docs/policypak/policypak/license/861_6_hfkb-1130-img-06_950x670.webp) +![861_6_hfkb-1130-img-06_950x670](/img/product_docs/policypak/policypak/license/861_6_hfkb-1130-img-06_950x670.webp) And finally using` PPUPDATE` command on the endpoint, you can see how you are licensed : -![861_7_hfkb-1130-img-07_950x984](../../../../static/img/product_docs/policypak/policypak/license/861_7_hfkb-1130-img-07_950x984.webp) +![861_7_hfkb-1130-img-07_950x984](/img/product_docs/policypak/policypak/license/861_7_hfkb-1130-img-07_950x984.webp) diff --git a/docs/policypak/policypak/license/trial.md b/docs/policypak/policypak/license/trial.md index 00d619c6da..866abf445d 100644 --- a/docs/policypak/policypak/license/trial.md +++ b/docs/policypak/policypak/license/trial.md @@ -14,7 +14,7 @@ with only: computers, which means we cannot get you a formal quote. Only when you count the computers are we able to provide you a formal quote. This process is slower and optional, but does mean we can get you a formal quote. -See [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](../video/license/licenserequestkey.md) +See [How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md) for additional information. Then send your License Request Key XML to your sales person to get a formal quote generated. 
@@ -40,17 +40,17 @@ Simply rename a computer to have Computer in the name, and that's it. You're don methods of how to do that in Windows. Here's a video showing what happens when you rename a computer and how Endpoint Policy Manager -reacts:[Testing and Troubleshooting By Renaming an endpoint Computer](../video/cloud/testlab/renameendpoint.md) +reacts:[Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/cloud/testlab/renameendpoint.md) -![812_1_image001](../../../../static/img/product_docs/policypak/policypak/license/812_1_image001.webp) +![812_1_image001](/img/product_docs/policypak/policypak/license/812_1_image001.webp) After you rename your computer to have Computer in the name, then: - Follow these directions to get started with on-Prem Active Directory/ Group Policy: Getting - Started with Group Policy > [Knowledge Base](../grouppolicy/overview/knowledgebase.md) and/or + Started with Group Policy > [Knowledge Base](/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md) and/or - Follow these directions to get started with Endpoint Policy Manager and Intune or another MDM (making sure to follow the "Walk Before You Run" video): Getting Started with MDM > - [Video Learning Center](../mdm/overview/videolearningcenter.md) + [Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) ## Option 2: Licenses coming automatically from PolicyPak Cloud 
@@ -65,10 +65,10 @@ Endpoint Policy Manager Cloud (and also the Endpoint Policy Manager Client Side installed.) You install a new machine into Endpoint Policy Manager cloud by installing the Endpoint Policy Manager Cloud Client, as shown below. -![812_2_image002](../../../../static/img/product_docs/policypak/policypak/license/812_2_image002.webp) +![812_2_image002](/img/product_docs/policypak/policypak/license/812_2_image002.webp) To get started immediately with Endpoint Policy Manager Cloud, check out the Getting Started with -Cloud > [Video Learning Center](../cloud/overview/videolearningcenter.md). +Cloud > [Video Learning Center](/docs/policypak/policypak/cloud/overview/videolearningcenter.md). ## Option 3: On-Prem / GPO Method: You give us your domain name, we give you back a Trial License File. @@ -85,12 +85,12 @@ $env:userdnsdomain It will then produce the output of the domain name, which is the minimum requirement to make you a license key. -![812_3_get-fqdn-with-powershell](../../../../static/img/product_docs/policypak/policypak/license/812_3_get-fqdn-with-powershell.webp) +![812_3_get-fqdn-with-powershell](/img/product_docs/policypak/policypak/license/812_3_get-fqdn-with-powershell.webp) Once we generate the key, it will be in the Endpoint Policy Manager -Portal.[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md)Then +Portal.[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md)Then follow these directions to get started with on-Prem Active Directory/ Group Policy: Group -Policy > [Knowledge Base](../grouppolicy/overview/knowledgebase.md) +Policy > [Knowledge Base](/docs/policypak/policypak/grouppolicy/overview/knowledgebase.md) ## Option 4: Intune-specific method: You give us your INTUNE company name, and we give you back a Trial License File. 
@@ -108,11 +108,11 @@ Get-Organization | Select @{N = 'CompanyName'; E = { $_.displayName } } | out-fi Once we generate the key, it will be in the Endpoint Policy Manager Portal. Download the key and install it using theinstructions found -here: [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) +here: [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) Then follow these directions to get started with Endpoint Policy Manager and Intune (making sure to follow the "Walk Before You Run" video): Getting Started with MDM > -[Video Learning Center](../mdm/overview/videolearningcenter.md) +[Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) ## Option 5: Non-Intune/Other-MDM Method: You give us your UPN name, and we give you back a Trial License File. 
@@ -120,12 +120,12 @@ When you enroll machines into your MDM, you do so with a UPN name. Start out by name you use, such as [\*@fabrikam.com,](mailto:*@fabrikam.com) or whatever yours is. We recommend you take a screenshot of this page from an enrolled Windows 10 machine, and then continue. -![812_4_sdfg](../../../../static/img/product_docs/policypak/policypak/license/812_4_sdfg.webp) +![812_4_sdfg](/img/product_docs/policypak/policypak/license/812_4_sdfg.webp) Once we generate the key, it will be in the Endpoint Policy Manager Portal. Download the key and install it using these -instructions: [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../video/license/installuniversal.md) +instructions: [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) Then follow these directions to get started with Endpoint Policy Manager and your MDM service, making sure to follow the "Walk Before You Run" video: Getting Started with MDM > -[Video Learning Center](../mdm/overview/videolearningcenter.md) +[Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md) diff --git a/docs/policypak/policypak/license/unlicense/components.md b/docs/policypak/policypak/license/unlicense/components.md index cd32eb1458..3d50c29ccf 100644 --- a/docs/policypak/policypak/license/unlicense/components.md +++ b/docs/policypak/policypak/license/unlicense/components.md 
@@ -15,10 +15,10 @@ An endpoint can become unlicensed due to a variety of reasons. Examples include: **NOTE:** You may encounter a pop-up like this if you are using pre-CSE 24.4. Note the pop-up is opt-in only from 24.4. You won't see any pop up if you're using 24.4 or later. -![29_1_2202cm3yx](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_1_2202cm3yx.webp) +![29_1_2202cm3yx](/img/product_docs/policypak/policypak/license/unlicense/29_1_2202cm3yx.webp) See -[How do I make the Grace Period licensing pop-up go away?](../../troubleshooting/license/graceperiod.md) +[How do I make the Grace Period licensing pop-up go away?](/docs/policypak/policypak/troubleshooting/license/graceperiod.md) for additional information on Pop-Up behavior. **NOTE:** The actual behavior may be somewhat different than what is described here. An endpoint can 
@@ -49,26 +49,26 @@ component is listed here (current as of January 2018). Unlicensed or Policy Reverts -![29_2_faq-01-04-pp-01](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_2_faq-01-04-pp-01.webp) +![29_2_faq-01-04-pp-01](/img/product_docs/policypak/policypak/license/unlicense/29_2_faq-01-04-pp-01.webp) A setting may be set to **Do Nothing at Revert**, which is the default policy, or -![29_3_faq-01-04-pp-02](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_3_faq-01-04-pp-02.webp) +![29_3_faq-01-04-pp-02](/img/product_docs/policypak/policypak/license/unlicense/29_3_faq-01-04-pp-02.webp) If the setting is set to **Revert**, the policy setting is reverted. The value displayed will be performed at revert time. -![29_4_faq-01-04-pp-03](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_4_faq-01-04-pp-03.webp) +![29_4_faq-01-04-pp-03](/img/product_docs/policypak/policypak/license/unlicense/29_4_faq-01-04-pp-03.webp) For Win32 apps where AppLock (UI restrictions) are used, like in this example, the UI becomes unrestricted. -![29_5_faq-01-04-pp-04](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_5_faq-01-04-pp-04.webp) +![29_5_faq-01-04-pp-04](/img/product_docs/policypak/policypak/license/unlicense/29_5_faq-01-04-pp-04.webp) When NTFS / ACL Lockdown is used, the end-user will be free to change these settings inside the (previously restricted) registry. -![29_6_faq-01-04-pp-05](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_6_faq-01-04-pp-05.webp) +![29_6_faq-01-04-pp-05](/img/product_docs/policypak/policypak/license/unlicense/29_6_faq-01-04-pp-05.webp) **NOTE:** Some Paks may be set to System Wide Lockdown, like Java and Firefox, as seen above. In those cases, all users on the system are free to make changes after the GPO no longer applies. 
@@ -93,7 +93,7 @@ When Endpoint Policy Manager Browser Router is uninstalled or becomes unlicensed Additionally, and/or when the GPO / XML no longer applies, any Endpoint Policy Manager Browser Router "routes" are no longer honored. See -[Why doesn't Endpoint Policy Manager Browser Router routes take effect the first time I log on to Windows 8.1 or Windows 10?](../../troubleshooting/browserrouter/install/twologons.md) +[Why doesn't Endpoint Policy Manager Browser Router routes take effect the first time I log on to Windows 8.1 or Windows 10?](/docs/policypak/policypak/troubleshooting/browserrouter/install/twologons.md) ## Endpoint Policy Manager Admin Templates Manager @@ -126,14 +126,14 @@ When the GPO no longer applies, or Policy XML no longer applies: - Endpoint Policy Manager will leave the Microsoft GPPrefs item intact / alone on revert when the item's **Common**> **Options** tab is set like this: - ![29_7_faq-01-04-pp-06](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_7_faq-01-04-pp-06.webp) + ![29_7_faq-01-04-pp-06](/img/product_docs/policypak/policypak/license/unlicense/29_7_faq-01-04-pp-06.webp) - ![29_8_faq-01-04-pp-07-1](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_8_faq-01-04-pp-07-1.webp) + ![29_8_faq-01-04-pp-07-1](/img/product_docs/policypak/policypak/license/unlicense/29_8_faq-01-04-pp-07-1.webp) - Or Endpoint Policy Manager will delete the Microsoft GPPRefs item when the item's **Option** tab is set like this: - ![29_9_faq-01-04-pp-08](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/29_9_faq-01-04-pp-08.webp) + ![29_9_faq-01-04-pp-08](/img/product_docs/policypak/policypak/license/unlicense/29_9_faq-01-04-pp-08.webp) ## Java Rules Manager diff --git a/docs/policypak/policypak/license/unlicense/componentscloud.md b/docs/policypak/policypak/license/unlicense/componentscloud.md index 9ce0fdcc31..1bd0bed10a 100644 
--- a/docs/policypak/policypak/license/unlicense/componentscloud.md +++ b/docs/policypak/policypak/license/unlicense/componentscloud.md 
@@ -5,30 +5,30 @@ There are three ways to unlicense an individual component. ## 1 — When using Group Policy Objects to license Endpoint Policy Manager See -[How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](../../video/license/unlicense.md) +[How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/license/unlicense.md) for additional information on this topic. **NOTE:** You need to first install the Endpoint Policy Manager ADMX files as seen in -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md). +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md). The basic gist is that you'll be using Group Policy to deliver a setting which un-licenses a specific component like this. -![188_1_zxcxvxvxv](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/188_1_zxcxvxvxv.webp) +![188_1_zxcxvxvxv](/img/product_docs/policypak/policypak/license/unlicense/188_1_zxcxvxvxv.webp) ## 2 — When using Endpoint Policy Manager Cloud You can deliver the same setting via Endpoint Policy Manager Cloud as an Admin Template entry. Find the Endpoint Policy Manager Admin Templates, then find the setting. -![188_3_ertyetyur](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/188_3_ertyetyur.webp) +![188_3_ertyetyur](/img/product_docs/policypak/policypak/license/unlicense/188_3_ertyetyur.webp) Once enabled, the component will be de-activated. -![188_5_zzsgdfhfghjk](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/188_5_zzsgdfhfghjk.webp) +![188_5_zzsgdfhfghjk](/img/product_docs/policypak/policypak/license/unlicense/188_5_zzsgdfhfghjk.webp) When you unlicense via ADMX you can test your results with the `PPUPDATE` command. 
The expected result should be similar to this example, where you can see the license is valid, but the component (in this case Browser Router) is prevented from being licensed by a policy. -![188_7_img-2_950x649](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/188_7_img-2_950x649.webp) +![188_7_img-2_950x649](/img/product_docs/policypak/policypak/license/unlicense/188_7_img-2_950x649.webp) diff --git a/docs/policypak/policypak/license/unlicense/componentsexclude.md b/docs/policypak/policypak/license/unlicense/componentsexclude.md index 71ada43fe4..20d15575e7 100644 --- a/docs/policypak/policypak/license/unlicense/componentsexclude.md +++ b/docs/policypak/policypak/license/unlicense/componentsexclude.md @@ -3,7 +3,7 @@ Before you decide you wish to use this method, consider first using the ADMX method to disable specific components. The ADMX method is recommended over hand-editing the license file, and has the same effect. Therefore please consider this method first. See -[What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](componentscloud.md) +[What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](/docs/policypak/policypak/license/unlicense/componentscloud.md) However, if you wish to hard-unlicense a component via the license file, you may do that inside your Universal License file. 
@@ -13,12 +13,12 @@ of Universal Licenses. First identify what kind of universal license you have: Type 1: Licenses which express specific components you are licensed for. For example: -![748_1_image-20230820022159-1_950x514](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/748_1_image-20230820022159-1_950x514.webp) +![748_1_image-20230820022159-1_950x514](/img/product_docs/policypak/policypak/license/unlicense/748_1_image-20230820022159-1_950x514.webp) Type 2: Licenses type which express that you are licensed for Enterprise Full and therefore licensed for all components. -![748_2_image-20230820022159-2_950x364](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/748_2_image-20230820022159-2_950x364.webp) +![748_2_image-20230820022159-2_950x364](/img/product_docs/policypak/policypak/license/unlicense/748_2_image-20230820022159-2_950x364.webp) ## How to modify Type 1 Licenses: @@ -65,7 +65,7 @@ accept the `` block. Additionally, only MMC snap-ins 23.8 and later wi Full licenses with the `` block. First, identify which component(s) you wish to unlicense. -[What CSEs are contained within Endpoint Policy Manager, what are their CSE GUIDs, and in what release did they appear?](../../install/clientsideextension/guids.md) +[What CSEs are contained within Endpoint Policy Manager, what are their CSE GUIDs, and in what release did they appear?](/docs/policypak/policypak/install/clientsideextension/guids.md) For instance, if you wanted to unlicense Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router and also Endpoint Policy Manager Preferences 2.0 you would create an XML block like 
@@ -117,11 +117,11 @@ MDM provider like Intune. Note that the 23.8 and later MMC is preferred for any modified licenses that you've created. The MMC console will express which components you have placed in the `` blocks. -![748_3_image-20230820022159-3_950x561](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/748_3_image-20230820022159-3_950x561.webp) +![748_3_image-20230820022159-3_950x561](/img/product_docs/policypak/policypak/license/unlicense/748_3_image-20230820022159-3_950x561.webp) The Group Policy Settings Report will also express this as well. -![748_4_image-20230820022159-4_950x560](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/748_4_image-20230820022159-4_950x560.webp) +![748_4_image-20230820022159-4_950x560](/img/product_docs/policypak/policypak/license/unlicense/748_4_image-20230820022159-4_950x560.webp) ## Result of unlicensing specific component(s): @@ -130,4 +130,4 @@ After the computer picks up the new license (via GPO, MDM, etc.) you can verify The result of modified components via blocked license can be seen in this example. -![748_5_image-20230820022159-5_950x814](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/748_5_image-20230820022159-5_950x814.webp) +![748_5_image-20230820022159-5_950x814](/img/product_docs/policypak/policypak/license/unlicense/748_5_image-20230820022159-5_950x814.webp) diff --git a/docs/policypak/policypak/license/unlicense/fileold.md b/docs/policypak/policypak/license/unlicense/fileold.md index 24b8a1ae4e..486d3612ee 100644 --- a/docs/policypak/policypak/license/unlicense/fileold.md +++ b/docs/policypak/policypak/license/unlicense/fileold.md 
@@ -5,15 +5,15 @@ You do not need to keep every license GPO around that is created by LT. You can delete old/ expired licensing GPOs, as well as anything else you do not need found in this screen: -![275_1_lt-faq-111](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/275_1_lt-faq-111.webp) +![275_1_lt-faq-111](/img/product_docs/policypak/policypak/license/unlicense/275_1_lt-faq-111.webp) You have two options: - Option 1 — One GPO per component license, the latest license you have. - Option 2 — A single GPO with the latest component licenses you have. -See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](../../video/license/installuniversal.md) for +See [How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) for instructions on how to install your new license. -See [Using LT for license cleanup](../../video/license/cleanup.md) for additional information on how +See [Using LT for license cleanup](/docs/policypak/policypak/video/license/cleanup.md) for additional information on how to use our LT to help you do a Deep search for licenses and help you automatically clean up diff --git a/docs/policypak/policypak/license/unlicense/forceddisabled.md b/docs/policypak/policypak/license/unlicense/forceddisabled.md index 3c2c487c4a..0da24310c7 100644 --- a/docs/policypak/policypak/license/unlicense/forceddisabled.md +++ b/docs/policypak/policypak/license/unlicense/forceddisabled.md 
@@ -22,15 +22,15 @@ But when the machine is domain joined and GPPreferences policies are being deliv Policy, the Endpoint Policy Manager Preferences component can cause an issue because of timing outside of our control between the Group Policy / GPPreferences engine and Endpoint Policy Manager. This has been a known issue for years. You can -see[Why do I see slowdowns on my machines when Endpoint Policy Manager Preferences is licensed and computers domain joined? Can this be worked around?](../../troubleshooting/preferences/domainjoined.md) +see[Why do I see slowdowns on my machines when Endpoint Policy Manager Preferences is licensed and computers domain joined? Can this be worked around?](/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md) In order to minimize conflicts, we have, in the past, suggested that customers un-license Endpoint Policy Manager Preferences when the machine is domain joined. See -[How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](../../video/license/unlicense.md)/ +[How to Un-License any Endpoint Policy ManagerComponent via ADMX or Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/license/unlicense.md)/ for additional information. There is also a video you can watch on -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) More recently, Universal licenses are delivered with Endpoint Policy Manager Preferences disabled (for customers which have domain joined machines), and you need to specifically enable it. In this 
@@ -50,7 +50,7 @@ Customers must change this value if they wish to enable this component (which th explained later.) See -[How do I specifically exclude or prevent a component from performing processing by modifying the license file?](componentsexclude.md) +[How do I specifically exclude or prevent a component from performing processing by modifying the license file?](/docs/policypak/policypak/license/unlicense/componentsexclude.md) In logs, CSE shows a message: @@ -69,7 +69,7 @@ Therefore, as an additional precaution to prevent conflicts in domain joined mac build 2682 this license must be set to ENABLED=TRUE (or omitted) and we now require this component (and only this component) to be explicitly enabled via ADMX setting, as seen below: -![655_1_image001_950x529](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/655_1_image001_950x529.webp) +![655_1_image001_950x529](/img/product_docs/policypak/policypak/license/unlicense/655_1_image001_950x529.webp) Starting with build 2682, it will now take two steps for Endpoint Policy Manager Preferences to be enabled: @@ -154,7 +154,7 @@ away from on-prem GPPreferences and use CLOUD or MDM with Endpoint Policy Manage then PolicyPak Preferences will always be unlicensed and disabled (even if the aforementioned **Specifically enable PolicyPak Preferences (Original version) if licensed** ADMX setting is set. -![forcedisabled1](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/forcedisabled1.webp) +![forcedisabled1](/img/product_docs/policypak/policypak/license/unlicense/forcedisabled1.webp) In the future, we plan for Endpoint Policy Manager Preferences to evolve to enable co-existence from multiple sources. diff --git a/docs/policypak/policypak/license/unlicense/options.md b/docs/policypak/policypak/license/unlicense/options.md index 68dc28a801..437abbd605 100644 --- a/docs/policypak/policypak/license/unlicense/options.md 
+++ b/docs/policypak/policypak/license/unlicense/options.md @@ -3,7 +3,7 @@ Before reading the full answer to this question, please go over this FAQ question and see if that answers your question: -[Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](../tool.md) +[Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](/docs/policypak/policypak/license/tool.md) In short, we don't collect any critical information at all. The LT only collects the number of computers and where the licenses are used. Because of this, we recommend you use the LT utility as @@ -30,7 +30,7 @@ Get-ADComputer -filter {(enabled -eq 'True') -and (name -notlike '*computer*') - (Must be typed / copied / pasted on one line) -![144_1_lt-and-powershell-counts](../../../../../static/img/product_docs/policypak/policypak/license/mdm/200_3_image-20200723102952-2.webp) +![144_1_lt-and-powershell-counts](/img/product_docs/policypak/policypak/license/mdm/200_3_image-20200723102952-2.webp) **Step 2 –** As you can see, this Powershell command simply reports back the same count that LT would report if you were using it. @@ -51,7 +51,7 @@ Get-ADComputer -SearchBase 'OU=West Sales,OU=Sales,DC=fabrikam,DC=com' -Filter { ## Example PowerShell output: -![144_2_image001](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/144_2_image001.webp) +![144_2_image001](/img/product_docs/policypak/policypak/license/unlicense/144_2_image001.webp) Run this additional PowerShell command (cut and paste): 
@@ -60,14 +60,14 @@ Run this additional PowerShell command (cut and paste): It will then produce the output of the domain name, which we absolutely need to make you a license key. Without this, we cannot cut you a key. -![144_3_get-fqdn-with-powershell](../../../../../static/img/product_docs/policypak/policypak/license/812_3_get-fqdn-with-powershell.webp) +![144_3_get-fqdn-with-powershell](/img/product_docs/policypak/policypak/license/812_3_get-fqdn-with-powershell.webp) So, to recap: **Step 1 –** If you use our Endpoint Policy Manager On-Prem Licensing tool (LT), we collect only information about where you want to use it and how much you want to use it. We do not collect usernames, computer names, passwords or anything else. Again, see -[Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](../tool.md)for additional +[Why do I have to run the licensing tool / what information is gathered and sent to Endpoint Policy Manager for my trial (or becoming a customer?)](/docs/policypak/policypak/license/tool.md)for additional information **Step 2 –** If you are unable to use our LT, that's fine. The alternative is to use these diff --git a/docs/policypak/policypak/license/unlicense/reset.md b/docs/policypak/policypak/license/unlicense/reset.md index ad9e3c23b3..5028db2cb7 100644 --- a/docs/policypak/policypak/license/unlicense/reset.md +++ b/docs/policypak/policypak/license/unlicense/reset.md 
@@ -5,15 +5,15 @@ You can use `PPUPDATE` to show the current domain joined status. Here is an example of` PPUPDATE` command showing a correctly joined on-prem Active Directory joined machine: -![542_1_hfkb-1123-img-01](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/542_1_hfkb-1123-img-01.webp) +![542_1_hfkb-1123-img-01](/img/product_docs/policypak/policypak/license/unlicense/542_1_hfkb-1123-img-01.webp) When not domain joined: -![542_2_hfkb-1123-img-02](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/542_2_hfkb-1123-img-02.webp) +![542_2_hfkb-1123-img-02](/img/product_docs/policypak/policypak/license/unlicense/542_2_hfkb-1123-img-02.webp) When the secure channel has been broken and needs to be re-established: -![542_3_hfkb-1123-img-03](../../../../../static/img/product_docs/policypak/policypak/license/unlicense/542_3_hfkb-1123-img-03.webp) +![542_3_hfkb-1123-img-03](/img/product_docs/policypak/policypak/license/unlicense/542_3_hfkb-1123-img-03.webp) See this Microsoft article on [Resetting computer accounts in Windows](https://support.microsoft.com/en-us/topic/resetting-computer-accounts-in-windows-762e3208-0e05-1696-75fa-333d90717d1e) diff --git a/docs/policypak/policypak/license/virtualization/count.md b/docs/policypak/policypak/license/virtualization/count.md index 864617a495..d5b9895ff9 100644 --- a/docs/policypak/policypak/license/virtualization/count.md +++ b/docs/policypak/policypak/license/virtualization/count.md 
@@ -45,17 +45,17 @@ Option 1: Microsoft RDS licensing tool Option 2: Citrix License Admin Console -![154_1_image0021](../../../../../static/img/product_docs/policypak/policypak/license/virtualization/154_1_image0021.webp) +![154_1_image0021](/img/product_docs/policypak/policypak/license/virtualization/154_1_image0021.webp) If you choose option 1, please take this screenshot and return it to us: -![154_2_image004](../../../../../static/img/product_docs/policypak/policypak/license/virtualization/154_2_image004.webp) +![154_2_image004](/img/product_docs/policypak/policypak/license/virtualization/154_2_image004.webp) **NOTE:** In this example this would be counted as 50 + 50 or, 100 concurrent RDS licenses. If you choose option 2, please take this screenshot and send it to us -![154_3_image005](../../../../../static/img/product_docs/policypak/policypak/license/virtualization/154_3_image005.webp) +![154_3_image005](/img/product_docs/policypak/policypak/license/virtualization/154_3_image005.webp) **NOTE:** In this example the count of licenses would be 10 (Presentation) + 10 (XenDesktop System) + 10 (User), or 30 concurrent licenses. @@ -69,7 +69,7 @@ the Microsoft CSP (Cloud Solution Provider) Program, you might find that these l Manager License Request Tool (LT) will think you have purchased 500 licenses, where you might have bought only 10, 20, etc. -![154_4_image001_950x198](../../../../../static/img/product_docs/policypak/policypak/license/virtualization/154_4_image001_950x198.webp) +![154_4_image001_950x198](/img/product_docs/policypak/policypak/license/virtualization/154_4_image001_950x198.webp) If this is your situation, simply express the raw number of purchased licenses to your sales or renewals person. diff --git a/docs/policypak/policypak/license/virtualization/tool.md b/docs/policypak/policypak/license/virtualization/tool.md index 6b84e194f3..ae393a1075 100644 --- a/docs/policypak/policypak/license/virtualization/tool.md 
+++ b/docs/policypak/policypak/license/virtualization/tool.md @@ -8,11 +8,11 @@ report on your maximum inbound connections. In short, LT can only look for these when running on a Windows server and not a Windows client machine. That is what this message is about. -![352_2_image001](<../../../../../static/img/product_docs/policypak/policypak/license/virtualization/352_1_image001_(1).webp>) +![352_2_image001](/img/product_docs/policypak/policypak/license/virtualization/352_1_image001_(1).webp) **NOTE:** Sometimes LT can acquired the correct number of RDS connections, and sometimes it cannot. -![352_2_image002](../../../../../static/img/product_docs/policypak/policypak/license/virtualization/352_2_image002.webp) +![352_2_image002](/img/product_docs/policypak/policypak/license/virtualization/352_2_image002.webp) To be compliant with our EULA, if the count returned by LT shows zero, or otherwise fails to acquire the number of Citrix / Terminal Services / RDS licenses, you must manually declare them to your @@ -21,5 +21,5 @@ sales representative. There are also multiple ways the Endpoint Policy Manager On-Prem suite can be licensed for Citrix. For understanding all the scenarios, please see the following additional technotes: -- [How are Terminal Services and/or Citrix connections licensed?](terminalservices.md) +- [How are Terminal Services and/or Citrix connections licensed?](/docs/policypak/policypak/license/virtualization/terminalservices.md) - [Citrix & WVD Multi-session Windows Licensing Scenarios](https://www.policypak.com/purchasing/vdi-licensing-scenarios/) diff --git a/docs/policypak/policypak/license/whenwhy.md b/docs/policypak/policypak/license/whenwhy.md index 80be1fc661..fa9a498e7d 100644 --- a/docs/policypak/policypak/license/whenwhy.md +++ b/docs/policypak/policypak/license/whenwhy.md 
@@ -8,7 +8,7 @@ two FAQs for details: - General Citrix & Multi-Session Windows Licensing: [Citrix & WVD Multi-session Windows Licensing Scenarios](https://www.policypak.com/purchasing/citrix-licensing-scenarios.html) - For Citrix + Cloud: - [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](virtualization/multisession.md) + [How do I license my Citrix, RDS, WVD, VDI or other multi-session Windows version with Endpoint Policy Manager Cloud ?](/docs/policypak/policypak/license/virtualization/multisession.md) That being said, you might want to license your normal, everyday servers for a variety of reasons. Here are some examples: 
@@ -19,32 +19,32 @@ Here are some examples: down to one. See this blog for details: [https://www.policypak.com/pp-blog/windows-update-business](https://www.policypak.com/pp-blog/windows-update-business). Then, here's the video on how to perform reduction of existing GPOs: - [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/administrativetemplates/reducegpos.md) + [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/administrativetemplates/reducegpos.md) 2. You can use Endpoint Policy Manager Admin Templates Manager to specify and lockdown settings for browsers and other applications when an admin logs on. Quick examples: - [What is Endpoint Policy Application Manager (Group Policy Edition)](../video/applicationsettings/grouppolicy.md) + [What is Endpoint Policy Application Manager (Group Policy Edition)](/docs/policypak/policypak/video/applicationsettings/grouppolicy.md) and - [Manage Internet Explorer Settings With Endpoint Policy Manager Application Settings Manager](../video/applicationsettings/internetexplorer/settings.md) + [Manage Internet Explorer Settings With Endpoint Policy Manager Application Settings Manager](/docs/policypak/policypak/video/applicationsettings/internetexplorer/settings.md) 3. You can use Endpoint Policy Manager Least Privilege Manager to block items that admins shouldn't run. Example of blocking - applications: [Endpoint Policy Manager Application Control with PP Least Privilege Manager](../video/leastprivilege/applicationcontrol.md) + applications: [Endpoint Policy Manager Application Control with PP Least Privilege Manager](/docs/policypak/policypak/video/leastprivilege/applicationcontrol.md) 4. 
You can use Endpoint Policy Manager Least Privilege Manager to reduce service account rights: - [Reduce or specify Service Account Rights](../video/leastprivilege/bestpractices/serviceaccountrights.md) + [Reduce or specify Service Account Rights](/docs/policypak/policypak/video/leastprivilege/bestpractices/serviceaccountrights.md) 5. You can use Endpoint Policy Manager Least Privilege Manager to block PowerShell except for where absolutely needed: - [Block PowerShell in General, Open up for specific items](../video/leastprivilege/bestpractices/powershellblock.md) + [Block PowerShell in General, Open up for specific items](/docs/policypak/policypak/video/leastprivilege/bestpractices/powershellblock.md) 6. You can use Endpoint Policy Manager Least Privilege Manager to reduce the admin rights on specific processes or applications, like IE and - others:[Can I use Endpoint Privilege Manager to LOWER / remove admin rights from Administrators from an application or process, like Internet Explorer?](../leastprivilege/reduceadminrights.md) + others:[Can I use Endpoint Privilege Manager to LOWER / remove admin rights from Administrators from an application or process, like Internet Explorer?](/docs/policypak/policypak/leastprivilege/reduceadminrights.md) 7. You can use Endpoint Policy Manager Scripts Manager to perform specific logon scripts for specific servers using Triggers: - [Endpoint Policy Manager Scripts and Triggers: Get to understand login script trigger with GP and MDM systems !](../video/scriptstriggers/scripttriggers.md) + [Endpoint Policy Manager Scripts and Triggers: Get to understand login script trigger with GP and MDM systems !](/docs/policypak/policypak/video/scriptstriggers/scripttriggers.md) 8. 
You can use Endpoint Policy Manager Scripts Manager to perform specific scripts like mapping a drive, or running another process when a parent process is launched: - [Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](../video/scriptstriggers/mapdrivetriggers.md) + [Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](/docs/policypak/policypak/video/scriptstriggers/mapdrivetriggers.md) 9. You can use Endpoint Policy Manager Admin Templates Manager and remove Loopback and specify specific user side settings for specific machines when any user (admin or otherwise) logs on to the machine: - [Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](../video/administrativetemplates/switchedpolicies.md) + [Endpoint Policy Manager Admin Templates Manager: Switched Policies (without Loopback)](/docs/policypak/policypak/video/administrativetemplates/switchedpolicies.md) There are other uses, but those are the ones that most customers use. diff --git a/docs/policypak/policypak/licensing.md b/docs/policypak/policypak/licensing.md index 2831db3e32..c6bbaa2b6f 100644 --- a/docs/policypak/policypak/licensing.md +++ b/docs/policypak/policypak/licensing.md @@ -4,7 +4,7 @@ Licensing Netwrix Endpoint Policy Manager (formerly PolicyPak) is easy. We have information about Active Directory and Intune. **NOTE:** For a video overview of the process, watch this tutorial: -[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](video/license/licenserequestkey.md) +[How to Request Licenses from Endpoint Policy Manager by Creating a "License Request Key"](/docs/policypak/policypak/video/license/licenserequestkey.md) Here are the basics: 
@@ -77,7 +77,7 @@ We only want you to pay for the computers you're actually going to use with the Manager. Endpoint Policy Manager's LT has an option, "Find and Disable unused computers," as seen in Figure 12. -![licensing_policypak](../../../static/img/product_docs/policypak/policypak/licensing_policypak.webp) +![licensing_policypak](/img/product_docs/policypak/policypak/licensing_policypak.webp) Figure 12. The option to disable unused computers. @@ -85,7 +85,7 @@ When you select this option, you are led through an wizard that finds any comput been logged into for 90 days (or any other number of days you select). You can then select the computers you want to disable and click "Next," as shown in Figure 13. -![licensing_policypak_1](../../../static/img/product_docs/policypak/policypak/licensing_policypak_1.webp) +![licensing_policypak_1](/img/product_docs/policypak/policypak/licensing_policypak_1.webp) Figure 13. Selecting the unused computers. @@ -171,7 +171,7 @@ The licensing modes are: enabled when your test computers' names have the word "computer" in them. For instance, a computer named "COMPUTER1" would automatically be in Trial Mode and act as if fully licensed. To see an example of how and why this works, see this video: - [Testing and Troubleshooting By Renaming an endpoint Computer](video/cloud/testlab/renameendpoint.md) + [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/cloud/testlab/renameendpoint.md) We want you to use this Endpoint Policy Manager in your testing similarly to how you would use it in the real world. So in Trial Mode, we allow you to do the following: 
@@ -194,13 +194,13 @@ with your sales team to declare the number of Windows 10 machines you want to li you would use the MDM reporting system to express how many Windows 10 machines you have enrolled and the number you plan add in the current year. All the details on exactly how to perform a count and what to send back to Endpoint Policy Manager Sales can be found here: -[When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? ](license/mdm/setup.md). +[When licensing Endpoint Policy Managerwith an MDM provider, what do I need to send in to Endpoint Policy Manager? ](/docs/policypak/policypak/license/mdm/setup.md). An example of an MDM system account with a very low number of machines can be seen in Figure 14. Note that the company information is obscured in this demonstration, but you would have to provide it. -![licensing_policypak_2](../../../static/img/product_docs/policypak/policypak/licensing_policypak_2.webp) +![licensing_policypak_2](/img/product_docs/policypak/policypak/licensing_policypak_2.webp) Figure 14. An example of an MDM system account. @@ -220,7 +220,7 @@ You may receive multiple license files for Endpoint Policy Manager: To deploy your licenses, you can use the following: Use these key installation instructions (which demonstrate Active Directory, SCCM, and MDM methods): -[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](video/license/installuniversal.md) +[How to install UNIVERSAL licenses for NEW Customers (via GPO, SCCM or MDM)](/docs/policypak/policypak/video/license/installuniversal.md) ## Licensing Endpoint Policy Manager Through Endpoint Policy Manager Cloud 
@@ -239,7 +239,7 @@ mechanism is automatic because the client has consumed the Cloud license. In thi free on-premise (Group Policy Edition) license automatically when a client has consumed a license with Endpoint Policy Manager Cloud (and continues to check in within the check-in period). For information on how to do this, see this video: -[Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](video/startscreentaskbar/nondomainjoined.md). +[Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/startscreentaskbar/nondomainjoined.md). ### Endpoint Policy Manager Professional and Endpoint Policy Manager Enterprise Edition customers: diff --git a/docs/policypak/policypak/mac/applicationlaunch.md b/docs/policypak/policypak/mac/applicationlaunch.md index b9d243b314..600038e313 100644 --- a/docs/policypak/policypak/mac/applicationlaunch.md +++ b/docs/policypak/policypak/mac/applicationlaunch.md @@ -1,7 +1,7 @@ # Using MacOS + Admin Approval (aka Application Launch + Challenge) **NOTE:** See the -[Endpoint Policy Manager for Mac and Admin Approval](../video/leastprivilege/mac/adminapproval.md) +[Endpoint Policy Manager for Mac and Admin Approval](/docs/policypak/policypak/video/leastprivilege/mac/adminapproval.md) video for an overview of this section. You might want users to only be able to run applications (normally or those which require admin 
@@ -14,12 +14,12 @@ has multiple executables. ![A screen shot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/using_macos_admin_approval.webp) +generated](/img/product_docs/policypak/policypak/mac/using_macos_admin_approval.webp) ![A computer screen with a screen showing a login page Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/using_macos_admin_approval_1.webp) +generated](/img/product_docs/policypak/policypak/mac/using_macos_admin_approval_1.webp) **NOTE:** The Endpoint Policy Manager Least Privilege Admin Approval tool for Windows must be used to perform approval requests. @@ -29,4 +29,4 @@ The following options are honored in the Mac (and Windows) client: ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/using_macos_admin_approval_2.webp) +generated](/img/product_docs/policypak/policypak/mac/using_macos_admin_approval_2.webp) diff --git a/docs/policypak/policypak/mac/installclient.md b/docs/policypak/policypak/mac/installclient.md index c9a0d91037..a64261fd26 100644 --- a/docs/policypak/policypak/mac/installclient.md +++ b/docs/policypak/policypak/mac/installclient.md @@ -6,7 +6,7 @@ Cloud Client for MacOS Installer, and follow the directions. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak.webp) Then follow the directions on the Mac and the Endpoint Policy Manager Least Privilege Manager pieces contained within the Endpoint Policy Manager Cloud Client. 
@@ -14,7 +14,7 @@ contained within the Endpoint Policy Manager Cloud Client. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_1.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_1.webp) Then use the details provided earlier to install the certificate and register with the Endpoint Policy Manager Cloud service. @@ -22,7 +22,7 @@ Policy Manager Cloud service. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_2.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_2.webp) ## Endpoint Policy Manager Commands after Installation @@ -32,7 +32,7 @@ Endpoint Policy Manager on Mac has a variety of commands you can perform.  Star ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_3.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_3.webp) A few important commands to try out would be: 
@@ -42,18 +42,18 @@ run by any user (without Sudo / admin rights.) ![A black screen with white text Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_4.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_4.webp) `Policypak license-list –verbose` to get the license list from Cloud service. ![A computer screen with white text Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_5.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_5.webp) And `policypak policy-list` to get a total list of what is happening on the machine. -![Inserting image...](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_6.webp) +![Inserting image...](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_6.webp) Mac policies are then created in the in-cloud editors against the All | MacOS groups or any Company Groups’ macOS group like what’s seen here. @@ -61,4 +61,4 @@ Groups’ macOS group like what’s seen here. ![A screenshot of a computer Description automatically -generated](../../../../static/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_7.webp) +generated](/img/product_docs/policypak/policypak/mac/how_to_install_the_policypak_7.webp) diff --git a/docs/policypak/policypak/mac/scenarios/conditions.md b/docs/policypak/policypak/mac/scenarios/conditions.md index 648b0cd9e9..da0716321b 100644 --- a/docs/policypak/policypak/mac/scenarios/conditions.md +++ b/docs/policypak/policypak/mac/scenarios/conditions.md 
@@ -5,7 +5,7 @@ To make a match you need to match one or more Conditions: Path, Hash or Signatur ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_1.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/conditions_1.webp) - Path – The name of the file and/or the location. This is the least secure method so use it with caution. You may also provide a folder or folder recursively. @@ -17,18 +17,18 @@ You can see the dialogs for Path, Hash and Signature condition here: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_2.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/conditions_2.webp) To acquire the Path, you may use the Finder. -![conditions_3](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_3.webp) +![conditions_3](/img/product_docs/policypak/policypak/mac/scenarios/conditions_3.webp) To acquirethe application's Hash or Signature, you can use the `ppfileinfo` tool: ![A computer screen with white text Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_4.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/conditions_4.webp) Actions: @@ -41,7 +41,7 @@ Actions: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_5.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/conditions_5.webp) Additional Approve settings may be: 
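Review bot: In docs/policypak/policypak/mac/scenarios/conditions.md, every rewritten image line, including the `conditions_5.webp` one in the @@ -41,7 +41,7 @@ hunk, keeps the alt text "A screenshot of a computer Description automatically generated", which tells a screen-reader user nothing about the dialog shown. Since these lines are being touched anyway, replace it with a short description of what each image shows (for `conditions_2.webp`, the Path, Hash and Signature condition dialogs that the preceding sentence mentions). The context line "To acquirethe application's Hash or Signature" in the @@ -17,18 +17,18 @@ hunk is also missing a space.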
@@ -58,4 +58,4 @@ Teacher2, etc.) to perform the work. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/conditions_6.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/conditions_6.webp) diff --git a/docs/policypak/policypak/mac/scenarios/launchcontrol.md b/docs/policypak/policypak/mac/scenarios/launchcontrol.md index 34abd891e7..9d36441b68 100644 --- a/docs/policypak/policypak/mac/scenarios/launchcontrol.md +++ b/docs/policypak/policypak/mac/scenarios/launchcontrol.md @@ -1,17 +1,17 @@ # Application Launch Approval (aka Launch Control) -**NOTE:** See the [Application Launch Approval](../../video/leastprivilege/mac/applicationlaunch.md) +**NOTE:** See the [Application Launch Approval](/docs/policypak/policypak/video/leastprivilege/mac/applicationlaunch.md) video for an overview of this section. You might have an application which is part of your deployment, but you want to prevent it from running. In this example Firefox is on the machine and runs as expected as a standard user. -![Inserting image...](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval.webp) +![Inserting image...](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval.webp) To block Firefox from running you can specify a condition. You may use the PPFILEINFO tool to get the SigningID (or other attributes) for a match. -![application_launch_approval_1](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_1.webp) +![application_launch_approval_1](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_1.webp) In this example we are using a Signing Identifier: `org.mozilla.firefox`. 
@@ -20,21 +20,21 @@ Then use that as your condition: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_2.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_2.webp) The result of the policy is that the application will be blocked on launch. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_3.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_3.webp) Other actions besides Deny Execution are Allow Execution, with some options: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_4.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_4.webp) - No Confirmation — Application launches - Confirmation — Provides a pop-up asking user to confirm the actual launch @@ -47,4 +47,4 @@ Examples of the dialog boxes may be seen here: ![Screens screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_5.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/application_launch_approval_5.webp) diff --git a/docs/policypak/policypak/mac/scenarios/macfinder.md b/docs/policypak/policypak/mac/scenarios/macfinder.md index 3e87ffe1dc..9a47235fb0 100644 --- a/docs/policypak/policypak/mac/scenarios/macfinder.md +++ b/docs/policypak/policypak/mac/scenarios/macfinder.md 
@@ -1,23 +1,23 @@ # Finder Policy **NOTE:** See -[Endpoint Policy Manager MacOS: Mac Finder Policies](../../video/leastprivilege/mac/finder.md) video +[Endpoint Policy Manager MacOS: Mac Finder Policies](/docs/policypak/policypak/video/leastprivilege/mac/finder.md) video for an overview of this section. ## Finder Install / Uninstall Overview If Standard Users attempt to install applications as a user, this is the common experience. -![macfinder01](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder01.webp) +![macfinder01](/img/product_docs/policypak/policypak/mac/scenarios/macfinder01.webp) Standard Users also get similar behavior if they attempt to remove an application from the machine. -![macfinder02](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder02.webp) +![macfinder02](/img/product_docs/policypak/policypak/mac/scenarios/macfinder02.webp) Additionally, if the Standard User has to perform some special operations in a folder (like a file copy), this is not permitted: -![macfinder03](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder03.webp) +![macfinder03](/img/product_docs/policypak/policypak/mac/scenarios/macfinder03.webp) Additionally, when duplicating files, creating folders, etc., in all cases the Finder will stop the standard user from performing the action. 
@@ -27,31 +27,31 @@ standard user from performing the action. This policy type enables all of the above scenarios. Start out by creating a new Finder policy like this: -![macfinder04](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder04.webp) +![macfinder04](/img/product_docs/policypak/policypak/mac/scenarios/macfinder04.webp) This first example policy will allow users to add/remove applications to the `/Applications` folder. -![macfinder05](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder05.webp) +![macfinder05](/img/product_docs/policypak/policypak/mac/scenarios/macfinder05.webp) This policy will enable end-users to Add or Remove files and folders to the example `/Users/test` folder (a place they would not normally have access). -![macfinder06](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder06.webp) +![macfinder06](/img/product_docs/policypak/policypak/mac/scenarios/macfinder06.webp) ## Testing your Policies First synchronize your policies with Endpoint Policy Manager Cloud using the `policypak cloud-sync` command. -![macfinder07](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder07.webp) +![macfinder07](/img/product_docs/policypak/policypak/mac/scenarios/macfinder07.webp) An example of the results for the first policy which enabled installation are seen below. -![macfinder08](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder08.webp) +![macfinder08](/img/product_docs/policypak/policypak/mac/scenarios/macfinder08.webp) And copying a file to `/Users/Test` also succeeds: -![macfinder09](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder09.webp) +![macfinder09](/img/product_docs/policypak/policypak/mac/scenarios/macfinder09.webp) ## Understanding Action Types 
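Review bot: The @@ -27,31 +27,31 @@ hunk of macfinder.md leaves the example folder spelled two ways, `/Users/test` where the policy is created and `/Users/Test` in the testing step, so a reader cannot tell which path the rule was written against. Pick one spelling and use it in both places while these lines are being edited. The sentence "An example of the results for the first policy which enabled installation are seen below" also has a subject and verb that disagree and could be corrected in the same pass.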
@@ -63,5 +63,5 @@ The three action types on a rule are: - Elevate — Perform the overcome action required to perform the task See the -[Endpoint Policy Manager MacOS: Mac Finder Policies](../../video/leastprivilege/mac/finder.md) video +[Endpoint Policy Manager MacOS: Mac Finder Policies](/docs/policypak/policypak/video/leastprivilege/mac/finder.md) video for examples of Action types with Finder policies diff --git a/docs/policypak/policypak/mac/scenarios/macprivhelper.md b/docs/policypak/policypak/mac/scenarios/macprivhelper.md index cb0a6863d6..5d6f0b9d65 100644 --- a/docs/policypak/policypak/mac/scenarios/macprivhelper.md +++ b/docs/policypak/policypak/mac/scenarios/macprivhelper.md @@ -1,7 +1,7 @@ # Privilege Elevation (aka Helper Policies) **NOTE:** See -[Endpoint Policy Manager LPM for MacOS: Privilege Policies (for Helper Apps)](../../video/leastprivilege/mac/privilege.md) +[Endpoint Policy Manager LPM for MacOS: Privilege Policies (for Helper Apps)](/docs/policypak/policypak/video/leastprivilege/mac/privilege.md) for a video overview of this section. ## Privilege Elevation / Helper Policies Overview @@ -10,7 +10,7 @@ Some applications require special Helper Applications to get installed. In this to install the Xcitium application you can see that it requires admin rights to install its helper tool. -![helper01](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/helper01.webp) +![helper01](/img/product_docs/policypak/policypak/mac/scenarios/helper01.webp) ## Creating Privilege Elevation / Helper Policies 
@@ -21,11 +21,11 @@ Path (file name), along with a digital signature. In this test example, we'll use the simplest (least secure) method, which is a filename name with wildcards. -![helper02](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/helper02.webp) +![helper02](/img/product_docs/policypak/policypak/mac/scenarios/helper02.webp) Then choose the Action and Additional approve options. -![helper03](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/helper03.webp) +![helper03](/img/product_docs/policypak/policypak/mac/scenarios/helper03.webp) For now, click **Elevate** with **Not Configured**. @@ -36,12 +36,12 @@ Finish up by providing a Name to the policy and clicking **Finish**. First synchronize your policies with Endpoint Policy Manager Cloud, using the `policypak cloud-sync` command. -![helper04](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/macfinder07.webp) +![helper04](/img/product_docs/policypak/policypak/mac/scenarios/macfinder07.webp) At this point, if your policies match your application you will be able to overcome the helper application requesting local admin rights. -![helper05](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/helper05.webp) +![helper05](/img/product_docs/policypak/policypak/mac/scenarios/helper05.webp) ## Understanding Action Types @@ -61,6 +61,6 @@ The three action types on a rule are: - Reason — User must put in rationale code then before the task is performed. - Challenge — User must requests an Admin Approval code for the task to be accepted and performed. See - [Endpoint Policy Manager for Mac and Admin Approval](../../video/leastprivilege/mac/adminapproval.md) + [Endpoint Policy Manager for Mac and Admin Approval](/docs/policypak/policypak/video/leastprivilege/mac/adminapproval.md) for additional information on this topic. - Credentials — User must re-enter credentials for the task to be performed 
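Review bot: In the @@ -36,12 +36,12 @@ hunk of macprivhelper.md the image with alt text `helper04` still resolves to `macfinder07.webp` after the path rewrite, while its neighbours use the `helper02`, `helper03` and `helper05` assets. If reusing the Finder page's cloud-sync screenshot is intentional, change the alt text to say what the image shows; otherwise point the link at the helper-specific image. Separately, the context in the @@ -21,11 +21,11 @@ hunk reads "a filename name with wildcards" and the @@ -61,6 +61,6 @@ hunk reads "User must requests an Admin Approval code"; both are worth fixing while the file is open.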
diff --git a/docs/policypak/policypak/mac/scenarios/mountunmount.md b/docs/policypak/policypak/mac/scenarios/mountunmount.md index 2140ff5379..248eee47dc 100644 --- a/docs/policypak/policypak/mac/scenarios/mountunmount.md +++ b/docs/policypak/policypak/mac/scenarios/mountunmount.md @@ -1,9 +1,9 @@ # Mount / Unmount for USB and .DMG Files **NOTE:** See the -[Endpoint Privilege Manager for Mac: Mount / Unmount Part I](../../video/leastprivilege/mac/mountunmountpart1.md) +[Endpoint Privilege Manager for Mac: Mount / Unmount Part I](/docs/policypak/policypak/video/leastprivilege/mac/mountunmountpart1.md) video and the -[Endpoint Privilege Manager for Mac: Mount / Unmount Part II](../../video/leastprivilege/mac/mountunmounpart2.md) +[Endpoint Privilege Manager for Mac: Mount / Unmount Part II](/docs/policypak/policypak/video/leastprivilege/mac/mountunmounpart2.md) video for an overview of this section. You might want to manage when USB devices and/or .DMG disk files can be mounted (or unmounted). @@ -11,7 +11,7 @@ You might want to manage when USB devices and/or .DMG disk files can be mounted ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and.webp) You can perform the following functions: @@ -43,7 +43,7 @@ For a simple demo, let's Block All USB and DMG devices. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and_1.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and_1.webp) The result of trying to attach a new device by USB can be seen here, as Endpoint Policy Manager has blocked it. 
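Review bot: The second link in the @@ -1,9 +1,9 @@ hunk of mountunmount.md targets `mountunmounpart2.md`, which lacks the "t" that `mountunmountpart1.md` has; the rewrite carries the old spelling over unchanged into the absolute path. Please confirm that a file with exactly that name exists under /docs/policypak/policypak/video/leastprivilege/mac/, and either rename the file or correct the link if it does not.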
@@ -51,4 +51,4 @@ blocked it. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and_2.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/mount_unmount_for_usb_and_2.webp) diff --git a/docs/policypak/policypak/mac/scenarios/overview.md b/docs/policypak/policypak/mac/scenarios/overview.md index c2579f4ebb..d24c60665c 100644 --- a/docs/policypak/policypak/mac/scenarios/overview.md +++ b/docs/policypak/policypak/mac/scenarios/overview.md @@ -13,4 +13,4 @@ Endpoint Policy Manager for Mac supports a variety of scenarios: ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/supported_scenarios_and_policy.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/supported_scenarios_and_policy.webp) diff --git a/docs/policypak/policypak/mac/scenarios/packageinstallation.md b/docs/policypak/policypak/mac/scenarios/packageinstallation.md index eaa4c53dc0..d1df221d64 100644 --- a/docs/policypak/policypak/mac/scenarios/packageinstallation.md +++ b/docs/policypak/policypak/mac/scenarios/packageinstallation.md @@ -1,7 +1,7 @@ # Package Installation Policy **NOTE:** See the -[Endpoint Policy Manager Least Priv Manager for Macs Application Package Support](../../video/leastprivilege/mac/applicationpackage.md) +[Endpoint Policy Manager Least Priv Manager for Macs Application Package Support](/docs/policypak/policypak/video/leastprivilege/mac/applicationpackage.md) video for an overview of this section. When a standard user attempts to install a .PKG file they are not allowed to do so. In this example, 
@@ -10,4 +10,4 @@ Skype for Business prompts the user for admin credentials before installing. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/package_installation_policy.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/package_installation_policy.webp) diff --git a/docs/policypak/policypak/mac/scenarios/sudo.md b/docs/policypak/policypak/mac/scenarios/sudo.md index c2556edf2e..3e5ef519b0 100644 --- a/docs/policypak/policypak/mac/scenarios/sudo.md +++ b/docs/policypak/policypak/mac/scenarios/sudo.md @@ -1,9 +1,9 @@ # SUDO **NOTE:** See the -[Endpoint Policy Manager Cloud and SUDO support](../../video/leastprivilege/mac/sudosupport.md) +[Endpoint Policy Manager Cloud and SUDO support](/docs/policypak/policypak/video/leastprivilege/mac/sudosupport.md) video and the -[Endpoint Policy Manager Cloud Mac + SUDO Using Wildcard Example](../../video/leastprivilege/mac/wildcards.md) +[Endpoint Policy Manager Cloud Mac + SUDO Using Wildcard Example](/docs/policypak/policypak/video/leastprivilege/mac/wildcards.md) video for an overview of this section. The point of SUDO policies is to enable a standard user to perform SUDO commands without needing to @@ -16,14 +16,14 @@ Sudo mkdir /Users/Sudo/test1 but is blocked with a password request. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/sudo.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/sudo.webp) To overcome this, create a SUDO rule like this one: :![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/sudo_1.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/sudo_1.webp) The Actions are: 
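Review bot: In the @@ -16,14 +16,14 @@ hunk of sudo.md the image that follows "To overcome this, create a SUDO rule like this one:" is written as `:![A screenshot of a computer Description automatically`, with a stray colon in front of the image markup that will render as a literal ":" before the picture. Drop the colon while the image path on the next line is being changed.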
@@ -41,4 +41,4 @@ runs without password requirement. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/sudo_2.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/sudo_2.webp) diff --git a/docs/policypak/policypak/mac/scenarios/systemsettings.md b/docs/policypak/policypak/mac/scenarios/systemsettings.md index 0103fcc0dd..df77aa0d0e 100644 --- a/docs/policypak/policypak/mac/scenarios/systemsettings.md +++ b/docs/policypak/policypak/mac/scenarios/systemsettings.md @@ -1,7 +1,7 @@ # System Settings Policy **NOTE:** See the -[Endpoint Policy Manager for Mac / Least Priv Manager: System Settings policy](../../video/leastprivilege/mac/systemsettings.md) +[Endpoint Policy Manager for Mac / Least Priv Manager: System Settings policy](/docs/policypak/policypak/video/leastprivilege/mac/systemsettings.md) video for an overview of this section. Standard Users are prompted when they access System Settings in MacOS. For instance, trying to @@ -10,7 +10,7 @@ modify Date&Time or Wi-Fi settings prompts standard users for admin credentials. ![Screens screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/system_settings_policy.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/system_settings_policy.webp) System Settings Policy enables you to: @@ -25,7 +25,7 @@ Wi-Fi System Settings. ![A screenshot of a computer Description automatically -generated](../../../../../static/img/product_docs/policypak/policypak/mac/scenarios/system_settings_policy_1.webp) +generated](/img/product_docs/policypak/policypak/mac/scenarios/system_settings_policy_1.webp) Without Endpoint Policy Manager policy, the system asks for administrator confirmation to change system settings for the standard user. With Endpoint Policy Manager you are able to provide the 
diff --git a/docs/policypak/policypak/manuals.md b/docs/policypak/policypak/manuals.md index 4be21dfb1c..a1b99e1edf 100644 --- a/docs/policypak/policypak/manuals.md +++ b/docs/policypak/policypak/manuals.md 
@@ -4,52 +4,52 @@ The following topics provide information on using Endpoint Policy Manager: - Introduction & Quick Start Manuals - - [Introduction and Basic Concepts](basicconcepts.md) - - [Netwrix Endpoint Policy Manager Quick Start](gettingstarted/quickstart/overview.md) - - [Installation Quick Start](gettingstarted/quickstart/overviewinstall.md) - - [Endpoint Policy Manager Cloud Quick Start](cloud/overview.md) - - [MDM & UEM Tools](mdm/overview.md) - - [Upgrade Guidance](install/upgrade/overview.md) + - [Introduction and Basic Concepts](/docs/policypak/policypak/basicconcepts.md) + - [Netwrix Endpoint Policy Manager Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overview.md) + - [Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) + - [Endpoint Policy Manager Cloud Quick Start](/docs/policypak/policypak/cloud/overview.md) + - [MDM & UEM Tools](/docs/policypak/policypak/mdm/overview.md) + - [Upgrade Guidance](/docs/policypak/policypak/install/upgrade/overview.md) - Least Privilege Security Pak - - [Least Privilege Manager (Windows)](leastprivilege/overview.md) - - [Endpoint Privilege Manager Implementation QuickStart Guide](leastprivilege/pplpmimplementationguide.md) - - [Endpoint Policy Manager Cloud for MacOS Client](mac/overview.md) + - [Least Privilege Manager (Windows)](/docs/policypak/policypak/leastprivilege/overview.md) + - [Endpoint Privilege Manager Implementation QuickStart Guide](/docs/policypak/policypak/leastprivilege/pplpmimplementationguide.md) + - [Endpoint Policy Manager Cloud for MacOS Client](/docs/policypak/policypak/mac/overview.md) - Device Management Pak - - [Device Manager](device/devicemanager/overview.md) + - [Device Manager](/docs/policypak/policypak/device/devicemanager/overview.md) - Apps, Browsers, & Java Security Pak - - [Application Settings Manager ](applicationsettings/overview.md) - - [Browser Router](browserrouter/overview.md) - - [Java Enterprise Rules 
Manager](javaenterpriserules/overview.md) - - [Security Settings Manager](securitysettings/overview.md) + - [Application Settings Manager ](/docs/policypak/policypak/applicationsettings/overview.md) + - [Browser Router](/docs/policypak/policypak/browserrouter/overview.md) + - [Java Enterprise Rules Manager](/docs/policypak/policypak/javaenterpriserules/overview.md) + - [Security Settings Manager](/docs/policypak/policypak/securitysettings/overview.md) - GPO Compliance Pak - - [Group Policy Compliance Reporter](grouppolicycompliancereporter/overview.md) + - [Group Policy Compliance Reporter](/docs/policypak/policypak/grouppolicycompliancereporter/overview.md) - Windows 10 & 11 Management Pak - - [File Associations Manager](fileassociations/overview.md) - - [Feature Manager for Windows](feature/overview.md) - - [Start Screen & Taskbar Manager](startscreentaskbar/overview.md) + - [File Associations Manager](/docs/policypak/policypak/fileassociations/overview.md) + - [Feature Manager for Windows](/docs/policypak/policypak/feature/overview.md) + - [Start Screen & Taskbar Manager](/docs/policypak/policypak/startscreentaskbar/overview.md) - GPO Reduction and Transitions Pak - - [Administrative Templates Manager](adminstrativetemplates/overview.md) - - [Preferences Manager](preferences/overview.md) + - [Administrative Templates Manager](/docs/policypak/policypak/adminstrativetemplates/overview.md) + - [Preferences Manager](/docs/policypak/policypak/preferences/overview.md) - App Delivery & Patching Pak - - [Remote Work Delivery Manager](remoteworkdelivery/overview.md) - - [Software Package Manager](softwarepackage/overview.md) + - [Remote Work Delivery Manager](/docs/policypak/policypak/remoteworkdelivery/overview.md) + - [Software Package Manager](/docs/policypak/policypak/softwarepackage/overview.md) - Desktop Automation & Connectivity Pak - - [Scripts & Triggers Manager](scriptstriggers/overview.md) - - [Remote Desktop Protocol 
Manager](remotedesktopprotocol/overview.md) - - [Endpoint Policy Manager Network Security Manager](scriptstriggers/networksecuritymanager.md) + - [Scripts & Triggers Manager](/docs/policypak/policypak/scriptstriggers/overview.md) + - [Remote Desktop Protocol Manager](/docs/policypak/policypak/remotedesktopprotocol/overview.md) + - [Endpoint Policy Manager Network Security Manager](/docs/policypak/policypak/scriptstriggers/networksecuritymanager.md) diff --git a/docs/policypak/policypak/mdm/gettingstarted.md b/docs/policypak/policypak/mdm/gettingstarted.md index 340959a9d0..bbd78157b3 100644 --- a/docs/policypak/policypak/mdm/gettingstarted.md +++ b/docs/policypak/policypak/mdm/gettingstarted.md 
@@ -3,16 +3,16 @@ You might want to use Endpoint Policy Manager along with the following UEM tools: - MEMCM (formerly known as SCCM) (video: - [Perform Desktop Lockdown using Microsoft SCCM and Endpoint Policy Manager ](../video/applicationsettings/integration/sccmsoftwarecenter.md)) + [Perform Desktop Lockdown using Microsoft SCCM and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/sccmsoftwarecenter.md)) - Microsoft Intune (video: - [Endpoint Policy Manager and Microsoft Intune](../video/mdm/microsoftintune.md)) + [Endpoint Policy Manager and Microsoft Intune](/docs/policypak/policypak/video/mdm/microsoftintune.md)) - Symantec Altiris - Dell KACE - LabTech - PDQ Deploy (videos: - [Deploy and Manage Firefox with PDQ Deploy and Endpoint Policy Manager ](../video/applicationsettings/integration/pdqdeployfirefox.md) + [Deploy and Manage Firefox with PDQ Deploy and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/pdqdeployfirefox.md) and - [Deploy and Manage WinZip with PDQ Deploy and Endpoint Policy Manager ](../video/applicationsettings/integration/pdqdeploy.md)) + [Deploy and Manage WinZip with PDQ Deploy and Endpoint Policy Manager ](/docs/policypak/policypak/video/applicationsettings/integration/pdqdeploy.md)) - Specops Deploy - Microsoft Group Policy Software Installation - Manual installation (when running with admin privileges) 
@@ -27,14 +27,14 @@ components will receive their directives. We've provided a handful of XML files find them in the Endpoint Policy Manager Portal in the "Latest Manuals" section, as shown in Figure 1. -![deploying_policypak_directives](../../../../static/img/product_docs/policypak/policypak/mdm/deploying_policypak_directives.webp) +![deploying_policypak_directives](/img/product_docs/policypak/policypak/mdm/deploying_policypak_directives.webp) Figure 1. The list of XML files in the Endpoint Policy Manager Portal. Once unpacked, you should see a list of example XML files, displayed in Figure 2, which are wrapped into an example MSI. -![deploying_policypak_directives_1](../../../../static/img/product_docs/policypak/policypak/mdm/deploying_policypak_directives_1.webp) +![deploying_policypak_directives_1](/img/product_docs/policypak/policypak/mdm/deploying_policypak_directives_1.webp) Figure 2. The wrapped XML file example. @@ -59,7 +59,7 @@ than if you try other items, so we suggest you start with these examples. Below are two videos you can use to get familiar with how to export settings and then use them with a UEM tool. -- [Deploy Real Group Policy using SCCM or Other Management System!](../video/methods/sccmgrouppolicy.md) +- [Deploy Real Group Policy using SCCM or Other Management System!](/docs/policypak/policypak/video/methods/sccmgrouppolicy.md) - Deploy Endpoint Policy Manager Settings Using SCCM or Other Management System! ## Quick Start with MSI files and an MDM Tool 
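Review bot: In the @@ -59,7 +59,7 @@ hunk of mdm/gettingstarted.md the lead-in promises two videos, but only the first bullet is a link; "Deploy Endpoint Policy Manager Settings Using SCCM or Other Management System!" remains plain text with no target. Add its absolute link in the same style as the first bullet, or reword the lead-in to refer to a single video.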
@@ -67,7 +67,7 @@ a UEM tool. To get started quickly with our sample MSI files and an MDM tool, we recommend watching the following video: -- [Endpoint Policy Manager and MDM walk before you run](../video/mdm/testsample.md) +- [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) Then, you can learn more about how to use Endpoint Policy Manager with your own MDM tool on this -page: Getting Started with MDM > [Video Learning Center](overview/videolearningcenter.md). +page: Getting Started with MDM > [Video Learning Center](/docs/policypak/policypak/mdm/overview/videolearningcenter.md). diff --git a/docs/policypak/policypak/mdm/overview.md b/docs/policypak/policypak/mdm/overview.md index 82073c492a..21478eb7c8 100644 --- a/docs/policypak/policypak/mdm/overview.md +++ b/docs/policypak/policypak/mdm/overview.md @@ -24,7 +24,7 @@ Manager, and all the others) without using Group Policy as the delivery mechanis **NOTE:** For an overview of using Endpoint Policy Manager Exporter with the Endpoint Policy Manager components, please see the following video: -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../video/methods/exporterutility.md). +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/methods/exporterutility.md). **CAUTION:** Note that non-domain-joined machines are not supported with Endpoint Policy Manager products, unless you are using the MDM method. That is, the machine must have been previously diff --git a/docs/policypak/policypak/mdm/overview/knowledgebase.md b/docs/policypak/policypak/mdm/overview/knowledgebase.md index 506297c39a..7667708e5b 100644 --- a/docs/policypak/policypak/mdm/overview/knowledgebase.md +++ b/docs/policypak/policypak/mdm/overview/knowledgebase.md 
@@ -4,4 +4,4 @@ See the following Knowledge Base articles for getting started with MDM. ## Troubleshooting & Tips and Tricks -- [How can I "stack" Endpoint Policy Manager MSIs so the XML items inside the MSI execute in a predictable order?](../stackmsi.md) +- [How can I "stack" Endpoint Policy Manager MSIs so the XML items inside the MSI execute in a predictable order?](/docs/policypak/policypak/mdm/stackmsi.md) diff --git a/docs/policypak/policypak/mdm/overview/videolearningcenter.md b/docs/policypak/policypak/mdm/overview/videolearningcenter.md index 7a15d6587a..26778339e1 100644 --- a/docs/policypak/policypak/mdm/overview/videolearningcenter.md +++ b/docs/policypak/policypak/mdm/overview/videolearningcenter.md 
@@ -4,26 +4,26 @@ See the following Video topics for getting started with MDM. ## Getting Started -- [Deploying Real Group Policy (and Extra Endpoint Policy Manager Settings) Overview](../../video/mdm/realgrouppolicy.md) -- [How to create a DC for editing purposes](../../video/cloud/testlab/createdc.md) -- [Endpoint Policy Manager and MDM walk before you run](../../video/mdm/testsample.md) -- [Endpoint Policy Manager and Microsoft Intune](../../video/mdm/microsoftintune.md) -- [Endpoint Policy Manager and MobileIron MDM](../../video/mdm/mobileiron.md) -- [Endpoint Policy Managerand Workspace One (Airwatch) MDM: Deploy Group Policy and Endpoint Policy Manager superpowers today](../../video/mdm/workspaceone.md) -- [Endpoint Policy Managerand Citrix Endpoint Manager: Deploy real Group Policy and Endpoint Policy Manager settings via CEM](../../video/mdm/citrixendpointmanager.md) +- [Deploying Real Group Policy (and Extra Endpoint Policy Manager Settings) Overview](/docs/policypak/policypak/video/mdm/realgrouppolicy.md) +- [How to create a DC for editing purposes](/docs/policypak/policypak/video/cloud/testlab/createdc.md) +- [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) +- [Endpoint Policy Manager and Microsoft Intune](/docs/policypak/policypak/video/mdm/microsoftintune.md) +- [Endpoint Policy Manager and MobileIron MDM](/docs/policypak/policypak/video/mdm/mobileiron.md) +- [Endpoint Policy Managerand Workspace One (Airwatch) MDM: Deploy Group Policy and Endpoint Policy Manager superpowers today](/docs/policypak/policypak/video/mdm/workspaceone.md) +- [Endpoint Policy Managerand Citrix Endpoint Manager: Deploy real Group Policy and Endpoint Policy Manager settings via CEM](/docs/policypak/policypak/video/mdm/citrixendpointmanager.md) ## Exporting, Tips, and Tricks -- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../../video/mdm/exportgpos.md) -- [Deliver Group Policy 
Admin Templates Using Your MDM Service](../../video/mdm/admintemplates.md) -- [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../../video/mdm/exporterutility.md) +- [Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/mdm/exportgpos.md) +- [Deliver Group Policy Admin Templates Using Your MDM Service](/docs/policypak/policypak/video/mdm/admintemplates.md) +- [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/mdm/exporterutility.md) ## Troubleshooting -- [Testing and Troubleshooting By Renaming an endpoint Computer](../../video/grouppolicy/renameendpoint.md) +- [Testing and Troubleshooting By Renaming an endpoint Computer](/docs/policypak/policypak/video/grouppolicy/renameendpoint.md) ## ILT (with Scripts) -- [Determine the Azure AAD Group Membership for User or Computers](../../video/mdm/itemleveltargeting/entraid.md) -- [Use Endpoint Policy Manager cloud + Azure AAD Group Membership for User or Computers](../../video/mdm/itemleveltargeting/entraidgroupmembership.md) -- [Use PP MDM to determine the Azure AAD Group Membership for User or Computers](../../video/mdm/itemleveltargeting/entraidgroupdetermine.md) +- [Determine the Azure AAD Group Membership for User or Computers](/docs/policypak/policypak/video/mdm/itemleveltargeting/entraid.md) +- [Use Endpoint Policy Manager cloud + Azure AAD Group Membership for User or Computers](/docs/policypak/policypak/video/mdm/itemleveltargeting/entraidgroupmembership.md) +- [Use PP MDM to determine the Azure AAD Group Membership for User or Computers](/docs/policypak/policypak/video/mdm/itemleveltargeting/entraidgroupdetermine.md) diff --git a/docs/policypak/policypak/mdm/service/microsoftintune.md b/docs/policypak/policypak/mdm/service/microsoftintune.md index 358b0e42ba..3656d6a9ac 100644 
--- a/docs/policypak/policypak/mdm/service/microsoftintune.md +++ b/docs/policypak/policypak/mdm/service/microsoftintune.md @@ -1,13 +1,13 @@ # Endpoint Policy Manager and Microsoft Intune MDM -**NOTE:** See [Endpoint Policy Manager and Microsoft Intune](../../video/mdm/microsoftintune.md) for +**NOTE:** See [Endpoint Policy Manager and Microsoft Intune](/docs/policypak/policypak/video/mdm/microsoftintune.md) for an overview video of Endpoint Policy Manager and Microsoft Intune MDM. To start, log onto your Microsoft Intune instance and select Apps. Add the Endpoint Policy Manager CSE, the Endpoint Policy Manager license file, and the Endpoint Policy Manager settings MSI files, and deploy them to your machine. -![using_policypak_with_mdm_and_3](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_3.webp) +![using_policypak_with_mdm_and_3](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_3.webp) Next, make assignments to computers. For each application you have to target, you can specify All Devices (which will automatically address only Windows 10 machines), or you can pick a specific @@ -17,4 +17,4 @@ item from the Add/Remove Programs options to prevent uninstallation. Using the f Once you select the group, you can change the Deployment Action to Required Install. Be sure the computer is MDM-joined and in the correct group. If the MSIs do not download as expected, see the -[Troubleshooting](../../troubleshooting/mdm/overview.md) section. +[Troubleshooting](/docs/policypak/policypak/troubleshooting/mdm/overview.md) section. diff --git a/docs/policypak/policypak/mdm/service/mobileiron.md b/docs/policypak/policypak/mdm/service/mobileiron.md index 379cc31e08..c9f5fd0c2b 100644 --- a/docs/policypak/policypak/mdm/service/mobileiron.md +++ b/docs/policypak/policypak/mdm/service/mobileiron.md 
@@ -1,56 +1,56 @@ # Endpoint Policy Manager and MobileIron MDM -**NOTE:** [Endpoint Policy Manager and MobileIron MDM](../../video/mdm/mobileiron.md) for a video +**NOTE:** [Endpoint Policy Manager and MobileIron MDM](/docs/policypak/policypak/video/mdm/mobileiron.md) for a video overview of Endpoint Policy Manager and MobileIron. **Step 1 –** To use MobileIron with Endpoint Policy Manager, go to the Apps section within MobileIron, and click In-House to add an application. Next, add the Endpoint Policy Manager CSE MSI file, Endpoint Policy Manager license MSI file, and the Endpoint Policy Manager settings MSI file. -![using_policypak_with_mdm_and_9](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_9.webp) +![using_policypak_with_mdm_and_9](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_9.webp) **Step 2 –** Once uploaded, click Next. -![using_policypak_with_mdm_and_10](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_10.webp) +![using_policypak_with_mdm_and_10](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_10.webp) Sometimes MobileIron will ask you for the MSI product code of each MSI you upload. This is not a Endpoint Policy Manager problem but rather a MobileIron idiosyncrasy. -![using_policypak_with_mdm_and_11](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_11.webp) +![using_policypak_with_mdm_and_11](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_11.webp) **Step 3 –** To overcome this, Endpoint Policy Manager has provided a utility in the Endpoint Policy Manager download (in the Endpoint Policy Manager Extras folder) called Endpoint Policy Manager File Information Viewer, which you can use to quickly get this information. 
-![using_policypak_with_mdm_and_12](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_12.webp) +![using_policypak_with_mdm_and_12](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_12.webp) **Step 4 –** Once the Endpoint Policy Manager File Information Viewer is run, you can open an MSI (e.g., the Endpoint Policy Manager CSE MSI) and quickly output the MSI product code to copy. Once you have copied the product code, you can paste it into MobileIron. -![using_policypak_with_mdm_and_13](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_13.webp) +![using_policypak_with_mdm_and_13](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_13.webp) -![using_policypak_with_mdm_and_14](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_14.webp) +![using_policypak_with_mdm_and_14](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_14.webp) Additionally, each MSI must be assigned to a category and a location must be selected for the installation. -![using_policypak_with_mdm_and_15](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_15.webp) +![using_policypak_with_mdm_and_15](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_15.webp) **Step 5 –** At this point, you must specify to install the application MSIs silently. That is done by clicking Install Application configuration settings. 
-![using_policypak_with_mdm_and_16](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_16.webp) +![using_policypak_with_mdm_and_16](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_16.webp) **Step 6 –** Once you've clicked on Install Application configuration settings, turn on the option Silently install on Windows devices. -![using_policypak_with_mdm_and_17](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_17.webp) +![using_policypak_with_mdm_and_17](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_17.webp) **Step 7 –** As a test, on an example client, perform your MDM enrollment to your MobileIron service. -![using_policypak_with_mdm_and_18](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_18.webp) +![using_policypak_with_mdm_and_18](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_18.webp) Be sure the computer is MDM-joined and in the correct group (if any). If the MSIs do not download as -expected, see [Troubleshooting](../../troubleshooting/mdm/overview.md). +expected, see [Troubleshooting](/docs/policypak/policypak/troubleshooting/mdm/overview.md). diff --git a/docs/policypak/policypak/mdm/service/overview.md b/docs/policypak/policypak/mdm/service/overview.md index e8fb554de6..a2872c903c 100644 --- a/docs/policypak/policypak/mdm/service/overview.md +++ b/docs/policypak/policypak/mdm/service/overview.md 
@@ -4,10 +4,10 @@ You can use Endpoint Policy Manager with any MDM service you already have, like Workspace ONE (formerly Airwatch), MobileIron, etc. Below we see a systems hierarchical breakdown when using Endpoint Policy Manager with any MDM system. -![using_policypak_with_mdm_and_1](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_1.webp) +![using_policypak_with_mdm_and_1](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_1.webp) **NOTE:** -[Deploying Real Group Policy (and Extra Endpoint Policy Manager Settings) Overview](../../video/mdm/realgrouppolicy.md)a +[Deploying Real Group Policy (and Extra Endpoint Policy Manager Settings) Overview](/docs/policypak/policypak/video/mdm/realgrouppolicy.md)a video overview of Endpoint Policy Manager and MDM. The ultimate goal is to upload the following Endpoint Policy Manager items to your MDM service and @@ -33,7 +33,7 @@ On one machine proceed in the following manner: This will ensure all the correct parts are working in concert before you attempt to use an MDM service to deliver these components. -**NOTE:** See [Endpoint Policy Manager and MDM walk before you run](../../video/mdm/testsample.md) a +**NOTE:** See [Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md) a video of this process. Once you've completed these procedures, you're ready to actually perform the steps needed to get the 
@@ -45,7 +45,7 @@ system. Optionally, you can view or hide these components by using the Add/Remove Programs applet in the Control Panel. An example of a final deployment would look something like this: -![using_policypak_with_mdm_and_2](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_2.webp) +![using_policypak_with_mdm_and_2](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_2.webp) The typical command you want your MDM service to run for each component would be something like this: diff --git a/docs/policypak/policypak/mdm/service/vmwareworkspaceone.md b/docs/policypak/policypak/mdm/service/vmwareworkspaceone.md index 49bcf16ce2..8db989de34 100644 --- a/docs/policypak/policypak/mdm/service/vmwareworkspaceone.md +++ b/docs/policypak/policypak/mdm/service/vmwareworkspaceone.md 
@@ -1,19 +1,19 @@ # Endpoint Policy Manager and VMware Workspace ONE MDM **NOTE:** See -[Endpoint Policy Managerand Workspace One (Airwatch) MDM: Deploy Group Policy and Endpoint Policy Manager superpowers today](../../video/mdm/workspaceone.md) +[Endpoint Policy Managerand Workspace One (Airwatch) MDM: Deploy Group Policy and Endpoint Policy Manager superpowers today](/docs/policypak/policypak/video/mdm/workspaceone.md) for a video overview of Endpoint Policy Manager and VMware Workspace ONE MDM **Step 1 –** To use VMware Workspace ONE (formerly known as AirWatch) with Endpoint Policy Manager, use the Apps & Books section, and click **Add Application** to add the Endpoint Policy Manager CSE MSI file, Endpoint Policy Manager license MSI file, and Endpoint Policy Manager settings MSI file. -![using_policypak_with_mdm_and_4](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_4.webp) +![using_policypak_with_mdm_and_4](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_4.webp) **Step 2 –** Choose the designated MSI file. In the example below we are installing the Endpoint Policy Manager CSE. -![using_policypak_with_mdm_and_5](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_5.webp) +![using_policypak_with_mdm_and_5](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_5.webp) **Step 3 –** The Add Application Wizard should be run three times (not shown) in order to import each file. As you do, specify the following deployment options: 
@@ -24,13 +24,13 @@ each file. As you do, specify the following deployment options: - App Delivery Method should be set to **Auto** so it becomes a forced installation . - Assignment Groups can be **All Devices** or **Targeted**, depending on what you need. -![using_policypak_with_mdm_and_6](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_6.webp) +![using_policypak_with_mdm_and_6](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_6.webp) -![using_policypak_with_mdm_and_7](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_7.webp) +![using_policypak_with_mdm_and_7](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_7.webp) This is the final result in VMware Workspace ONE: -![using_policypak_with_mdm_and_8](../../../../../static/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_8.webp) +![using_policypak_with_mdm_and_8](/img/product_docs/policypak/policypak/mdm/service/using_policypak_with_mdm_and_8.webp) **Step 4 –** As a test, on an example client, perform your MDM enrollment to your VMware Workspace ONE service. diff --git a/docs/policypak/policypak/mdm/stackmsi.md b/docs/policypak/policypak/mdm/stackmsi.md index 99129cdfbd..b358c69f86 100644 --- a/docs/policypak/policypak/mdm/stackmsi.md +++ b/docs/policypak/policypak/mdm/stackmsi.md @@ -5,7 +5,7 @@ MSI. Please get familiar with this tool before continuing to read this article. -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../video/methods/exporterutility.md) +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/methods/exporterutility.md) From time to time you might want a precise processing order of the XML items. You can do this in TWO ways. 
@@ -16,7 +16,7 @@ When you add items to your MSI, you can right-click an item to "Enable Priority item up or down (with the arrow keys) and click Enter to change the order. Items are then written in the order as seen here. -![749_1_1111_691x581](../../../../static/img/product_docs/policypak/policypak/mdm/749_1_1111_691x581.webp) +![749_1_1111_691x581](/img/product_docs/policypak/policypak/mdm/749_1_1111_691x581.webp) Way #2: Managing the order of the execution of the MSIs themselves @@ -26,7 +26,7 @@ one MSI's contents are processed BEFORE or AFTER another MSI's contents. Before you write the MSI you can use the "Policy Layer" field as seen here. The default value is 50000. -![749_2_222](../../../../static/img/product_docs/policypak/policypak/mdm/749_2_222.webp) +![749_2_222](/img/product_docs/policypak/policypak/mdm/749_2_222.webp) The idea is that if you have multiple MSIs, they are unpacked and then processed alphabetically. This value is pre-pended to all items in the XML. @@ -42,4 +42,4 @@ In this example, we have two MSIs.. one with Policy Layer ID of 50000 and one wi As you can see, LOWER numbered Policy Layer items will process before HIGHER numbered Policy Layer items. -![749_3_image009_950x433](../../../../static/img/product_docs/policypak/policypak/mdm/749_3_image009_950x433.webp) +![749_3_image009_950x433](/img/product_docs/policypak/policypak/mdm/749_3_image009_950x433.webp) diff --git a/docs/policypak/policypak/mdm/tips/copypaste.md b/docs/policypak/policypak/mdm/tips/copypaste.md index 7aabc35f91..2ea26dff68 100644 --- a/docs/policypak/policypak/mdm/tips/copypaste.md +++ b/docs/policypak/policypak/mdm/tips/copypaste.md 
@@ -5,7 +5,7 @@ to an MSI. In addition to this option, you can also select Paste XMLdata from Cl first exporting items as files from the MMC editor. You can see the general steps for this option below. -![policypak_exporter_tips_tricks_3](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_3.webp) +![policypak_exporter_tips_tricks_3](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_3.webp) **Step 1 –** As for Group Policy Preference item content, you can right-click the content inside the Group Policy Preferences editor, and select Display XML. As shown below, the first line must always @@ -18,4 +18,4 @@ Explorer includes in order to make it easier to read. **Step 4 –** Click **Validate**. If successful, the **Validate** button will change to Save. -![policypak_exporter_tips_tricks_4](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_4.webp) +![policypak_exporter_tips_tricks_4](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_4.webp) diff --git a/docs/policypak/policypak/mdm/tips/enableprioritymode.md b/docs/policypak/policypak/mdm/tips/enableprioritymode.md index f72c55395c..eecc3f3888 100644 --- a/docs/policypak/policypak/mdm/tips/enableprioritymode.md +++ b/docs/policypak/policypak/mdm/tips/enableprioritymode.md 
@@ -6,13 +6,13 @@ added using the Endpoint Policy Manager Exporter, right-click an item and select Mode**. Then move the item item up or down (with the arrow keys) and click Enter to change the order. -![policypak_exporter_tips_tricks](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks.webp) +![policypak_exporter_tips_tricks](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks.webp) Another approach is to create a separate MSI for one or more XMLs. The objective then is to ensure that one MSI's contents are processed before or after another MSI's contents. Before completing the MSI process you can use the Process Layer field. The default value is 50000. -![policypak_exporter_tips_tricks_7](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_7.webp) +![policypak_exporter_tips_tricks_7](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_7.webp) The idea is that if you have multiple MSIs, they are unpacked and then processed alphabetically. This value is prepended to all items in the XML. The result is that if you have multiple MSIs, you @@ -24,4 +24,4 @@ Below we have two MSIs, one with a Policy Layer ID of 50000 and one with a Polic As you can see in the figure, items with lower numbered Policy Layer IDs will process before those with higher numbered Policy Layer IDs. -![policypak_exporter_tips_tricks_1](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_1.webp) +![policypak_exporter_tips_tricks_1](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_1.webp) diff --git a/docs/policypak/policypak/mdm/tips/manual.md b/docs/policypak/policypak/mdm/tips/manual.md index e01322c10e..01c62a151e 100644 --- a/docs/policypak/policypak/mdm/tips/manual.md +++ b/docs/policypak/policypak/mdm/tips/manual.md 
@@ -18,7 +18,7 @@ who has logged on to that machine. Within Groups, you will see a subdirectory wi every group of every user who has logged on to that machine (both local and Active Directory groups). -![policypak_exporter_tips_tricks_8](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_8.webp) +![policypak_exporter_tips_tricks_8](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_8.webp) To license (or extend the license) of an existing machine that is domain-joined, place the license file you received from Endpoint Policy Manager in the computer folder. To make the client computer @@ -33,13 +33,13 @@ use` OBJ::SID`, which can be downloaded for free at copy and paste the SID folder name into the OBJ::SID tool, which is automatically generated. The output will reveal the name: -![policypak_exporter_tips_tricks_9](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_9.webp) +![policypak_exporter_tips_tricks_9](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_9.webp) Alternatively, you can type in the user or group name to receive the SID name: -![policypak_exporter_tips_tricks_10](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_10.webp) +![policypak_exporter_tips_tricks_10](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_10.webp) -![policypak_exporter_tips_tricks_11](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_11.webp) +![policypak_exporter_tips_tricks_11](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_11.webp) The reason Endpoint Policy Manager uses the SID and not the actual user or group name is because SIDs are permanent, whereas the underlying name in Active Directory can be changed. Once the 
diff --git a/docs/policypak/policypak/mdm/tips/modify.md b/docs/policypak/policypak/mdm/tips/modify.md index 388f09a772..2f62f6ff2e 100644 --- a/docs/policypak/policypak/mdm/tips/modify.md +++ b/docs/policypak/policypak/mdm/tips/modify.md @@ -4,7 +4,7 @@ Endpoint Policy Manager Exporter enables you to quickly open and edit previously To do this, select "Open an existing MSI installer previously generated by this tool for editing," as shown in Figure 51, when running Endpoint Policy Manager Exporter. -![policypak_exporter_tips_tricks](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks.webp) +![policypak_exporter_tips_tricks](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks.webp) Figure 51. Endpoint Policy Manager Exporter allows the user to open and edit existing MSI files. @@ -16,14 +16,14 @@ You can manually add or delete users and add or replace XML data files and Endpo licensing files. In Figure 52, we've added another user to Winzip01.xml, added the file Winzip03.xml, and specified a set of users for that file. -![policypak_exporter_tips_tricks_1](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_1.webp) +![policypak_exporter_tips_tricks_1](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_1.webp) Figure 52. In this example, the user has specified which users can access the Winzip01.xml and Winzip03.xml files. When you click "Next", you'll be able to update your MSI information, as shown in Figure 53. -![policypak_exporter_tips_tricks_2](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_2.webp) +![policypak_exporter_tips_tricks_2](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_2.webp) Figure 53. In the Installer Properties, the user can edit the specific MSI files they are working on. 
@@ -36,7 +36,7 @@ automatically for you. You're welcome to change the New Product Version field to **NOTE:** You can learn more about how the product version attribute is used within MSI files in this technical note from Microsoft: -[http://msdn.microsoft.com/en-us/library/windows/desktop/aa370579(v=vs.85).aspx](). +[http://msdn.microsoft.com/en-us/library/windows/desktop/aa370579(v=vs.85).aspx](http://msdn.microsoft.com/en-us/library/windows/desktop/aa370579(v=vs.85).aspx). In short, when you open and utilize the MSI, save it again (using the same name or a different name), and update the product version, the resulting MSI will correctly remove any old references diff --git a/docs/policypak/policypak/mdm/tips/recycle.md b/docs/policypak/policypak/mdm/tips/recycle.md index 1667a3b6b6..5c56bf68dd 100644 --- a/docs/policypak/policypak/mdm/tips/recycle.md +++ b/docs/policypak/policypak/mdm/tips/recycle.md @@ -5,7 +5,7 @@ utility for later use. For instance, you might have a list of 30 users you want data file to deploy to. Instead of recreating this list each time, you can export it in the "Select Users" dialog, as shown in Figure 56. -![policypak_exporter_tips_tricks_5](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_5.webp) +![policypak_exporter_tips_tricks_5](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_5.webp) Figure 56. Copying previously selected users by exporting the list with the "Select Users" option. 
@@ -15,6 +15,6 @@ dialog by selecting "Copy From," which will allow you to select an existing XML soon as this is complete, the selected file's user list will quickly populate with an existing list, as shown in Figure 57. -![policypak_exporter_tips_tricks_6](../../../../../static/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_6.webp) +![policypak_exporter_tips_tricks_6](/img/product_docs/policypak/policypak/mdm/tips/policypak_exporter_tips_tricks_6.webp) Figure 57. The steps to copy an existing user list by working in the "Select Users" dialog. diff --git a/docs/policypak/policypak/mdm/uemtools.md b/docs/policypak/policypak/mdm/uemtools.md index 30d1818cdf..114ae66125 100644 --- a/docs/policypak/policypak/mdm/uemtools.md +++ b/docs/policypak/policypak/mdm/uemtools.md @@ -22,11 +22,11 @@ etc. Figure 30 shows a systems flow when using Endpoint Policy Manager with any management utility, like Microsoft Endpoint Configuration Manager (MEMCM) (formerly known as SCCM), KACE, etc. -![using_policypak_with_mdm_and](../../../../static/img/product_docs/policypak/policypak/mdm/using_policypak_with_mdm_and.webp) +![using_policypak_with_mdm_and](/img/product_docs/policypak/policypak/mdm/using_policypak_with_mdm_and.webp) Figure 30. The correlation between applications and systems when using Endpoint Policy Manager with any systems management utility. **NOTE:** For a series of videos to get started with Endpoint Policy Manager and any UEM tool, like SCCM, KACE, etc., see the following link: Getting Started with Endpoint Policy Manager (Misc) > -[Knowledge Base](../gettingstarted/overview/knowledgebase.md). +[Knowledge Base](/docs/policypak/policypak/gettingstarted/overview/knowledgebase.md). diff --git a/docs/policypak/policypak/mdm/xmldatafiles/administrativetemplates.md b/docs/policypak/policypak/mdm/xmldatafiles/administrativetemplates.md index f2b573868f..80b47942ff 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/administrativetemplates.md 
+++ b/docs/policypak/policypak/mdm/xmldatafiles/administrativetemplates.md @@ -5,10 +5,10 @@ right-click the policy and select "Export to XML" (as shown in Figure 15), or ri collection and select "Export Collection as XML" (as shown in Figure 16). Note that exported policies or collections maintain the Item-Level Targeting set within them. -![deploying_policypak_directives_15](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_15.webp) +![deploying_policypak_directives_15](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_15.webp) Figure 15. Exporting the policy as an XML file. -![deploying_policypak_directives_16](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_16.webp) +![deploying_policypak_directives_16](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_16.webp) Figure 16. Exporting the collection as an XML file. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/applicationssettings.md b/docs/policypak/policypak/mdm/xmldatafiles/applicationssettings.md index 31eb5df043..ab7eb5afca 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/applicationssettings.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/applicationssettings.md @@ -11,7 +11,7 @@ next). directive, right-click the directive containing your existing settings and select "Export settings to XMLData File," as shown in Figure 11. Then save the XML file for the next step. -![deploying_policypak_directives_10](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_10.webp) +![deploying_policypak_directives_10](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_10.webp) Figure 11. Using an existing GPO with a Endpoint Policy Manager Application Settings Manager directive to select "Export settings to XMLData File." 
diff --git a/docs/policypak/policypak/mdm/xmldatafiles/browserrouter.md b/docs/policypak/policypak/mdm/xmldatafiles/browserrouter.md index dce8ad9354..d8ac912a2c 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/browserrouter.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/browserrouter.md @@ -4,8 +4,8 @@ Endpoint Policy Manager Browser Router settings can be exported as an XML file. Right-click` Computer Configuration | PolicyPak | Browser Router` or `User Configuration | PolicyPak | Browser Router`, and pick the collection you wish to export, as shown in Figure 13. For full details on the Endpoint Policy Manager Browser Router, see Book 5: -[Browser Router](../../browserrouter/overview.md). +[Browser Router](/docs/policypak/policypak/browserrouter/overview.md). -![deploying_policypak_directives_12](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_12.webp) +![deploying_policypak_directives_12](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_12.webp) Figure 13. Exporting a collection as an XML file via Endpoint Policy Manager Browser Router. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/feature.md b/docs/policypak/policypak/mdm/xmldatafiles/feature.md index 6569a83e16..8833fdba8b 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/feature.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/feature.md 
@@ -6,7 +6,7 @@ this example, we have created an install rule and an uninstall rule, and we are collection by right-clicking `Computer Configuration | PolicyPak | Feature Manager` for Windows 10 and Windows Server and picking the collection we wish to export. -![deploying_policypak_directives_28](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_28.webp) +![deploying_policypak_directives_28](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_28.webp) Figure 28. Exporting a whole collection using Endpoint Policy Manager Feature Manager. @@ -14,6 +14,6 @@ Alternatively, we could select a designated setting to export as well. Right-cli `Computer Configuration | PolicyPak | Security Manager`, and select the setting that is available in the menu, as shown in Figure 29. -![deploying_policypak_directives_29](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_29.webp) +![deploying_policypak_directives_29](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_29.webp) Figure 29. Exporting a single Endpoint Policy Manager Feature Manager entry. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/fileassociations.md b/docs/policypak/policypak/mdm/xmldatafiles/fileassociations.md index 99c43825c1..37eee7f024 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/fileassociations.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/fileassociations.md 
@@ -5,10 +5,10 @@ Figure 17. Or alternatively, you can export a whole collection, as shown in Figu right-clicking `Computer Configuration | PolicyPak | Browser Router `and picking the collection you wish to export. -![deploying_policypak_directives_17](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_17.webp) +![deploying_policypak_directives_17](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_17.webp) Figure 17. Exporting a single Endpoint Policy Manager File Associations Manager entry. -![deploying_policypak_directives_18](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_18.webp) +![deploying_policypak_directives_18](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_18.webp) Figure 18. Exporting a whole collection. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/javaenterpriserules.md b/docs/policypak/policypak/mdm/xmldatafiles/javaenterpriserules.md index 9362d43fc2..09b52d2e79 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/javaenterpriserules.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/javaenterpriserules.md 
@@ -6,13 +6,13 @@ C`omputer Configuration | PolicyPak | Taskbar Manager `for Windows 10 or `User Configuration | PolicyPak | Taskbar Manager` for Windows 10, and pick the root node or collection you wish to export, as shown in Figure 14. -![deploying_policypak_directives_13](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_13.webp) +![deploying_policypak_directives_13](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_13.webp) Figure 13. Exporting a whole collection using Endpoint Policy Manager Java Enterprise Rules Manager. Alternatively, you can export a single Endpoint Policy Manager Java Enterprise Rules Manager entry, as is shown in Figure 14. -![deploying_policypak_directives_14](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_14.webp) +![deploying_policypak_directives_14](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_14.webp) Figure 14. Exporting a single Endpoint Policy Manager Java Enterprise Rules Manager entry. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/leastprivilegemanager.md b/docs/policypak/policypak/mdm/xmldatafiles/leastprivilegemanager.md index 5b0be9af59..85490dc627 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/leastprivilegemanager.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/leastprivilegemanager.md 
@@ -6,6 +6,6 @@ Configuration | Endpoint Policy Manager | Least Privilege Manager or User Config Policy Manager | Least Privilege Manager, and pick the root node or collection you wish to export, as shown in Figure 12. -![deploying_policypak_directives_11](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_11.webp) +![deploying_policypak_directives_11](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_11.webp) Figure 12. Exporting a collection as an XML file via Least Privilege Manager. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/overview.md b/docs/policypak/policypak/mdm/xmldatafiles/overview.md index a490e611cc..263817ba21 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/overview.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/overview.md @@ -11,7 +11,7 @@ which are somewhat different than the others. **NOTE:** For a video overview of how to wrap up XML data and license files into MSI files, see the following link: -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../../video/mdm/exporterutility.md). +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/mdm/exporterutility.md). Now that you have your XML data files, you're ready to bundle them up and make them into an MSI for easy deployment using any software distribution utility, such as Microsoft Endpoint Configuration 
@@ -23,7 +23,7 @@ install the Endpoint Policy Manager Exporter utility. In order to launch it, loc icon in the Start menu within Endpoint Policy Manager Application Settings Manager, as shown in Figure 3. -![deploying_policypak_directives_2](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_2.webp) +![deploying_policypak_directives_2](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_2.webp) Figure 3. The Endpoint Policy Manager Exporter utility icon in the Start menu. @@ -56,7 +56,7 @@ Table 1: Example files. When Endpoint Policy Manager Exporter is launched, you'll be able to perform the actions shown in Figure 4. -![deploying_policypak_directives_3](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_3.webp) +![deploying_policypak_directives_3](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_3.webp) Figure 4. The Endpoint Policy Manager Exporter tool helps the user create XML data files and package the files into an MSI installer. @@ -66,7 +66,7 @@ Endpoint Policy Manager licensing files or open up an existing MSI that you crea this tool. For now, select "Create a new MSI installer." Then, you'll see the option, "Add Existing Files," as shown in Figure 5. -![deploying_policypak_directives_4](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_4.webp) +![deploying_policypak_directives_4](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_4.webp) Figure 5. The option to add existing files. 
@@ -85,7 +85,7 @@ The "Add Existing Files" button lets you bring in the following types of files: With Endpoint Policy Manager Exporter you can wrap these up into an MSI. In Figure 6, we have added a variety of exported XML settings. -![deploying_policypak_directives_5](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_5.webp) +![deploying_policypak_directives_5](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_5.webp) Figure 6. Exported XML settings. @@ -105,7 +105,7 @@ delivered to EastSalesUser1 and EastSalesUser2. Therefore, use the dropdown menu For," and change it from "Computer" to "Users & Groups." After you do this, the Target column populates with "0 Users," as illustrated in Figure 7. -![deploying_policypak_directives_6](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_6.webp) +![deploying_policypak_directives_6](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_6.webp) Figure 7. Selecting which group will get the XML data files. @@ -113,7 +113,7 @@ Figure 7. Selecting which group will get the XML data files. the Select Users or Groups dialog, click "Add Users / Groups," and specify the users (or groups) you want this XML data file to apply to (see Figure 8). Then click "OK." -![deploying_policypak_directives_7](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_7.webp) +![deploying_policypak_directives_7](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_7.webp) Figure 8. Selecting the targeted users. 
@@ -121,7 +121,7 @@ Notice that `theWinZip1.xml` file is now set to be delivered to two users (see F also specify Active Directory groups instead of just users. To help specify these types of users, the Target column will express how many users and how many groups are being targeted. -![deploying_policypak_directives_8](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_8.webp) +![deploying_policypak_directives_8](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_8.webp) Figure 9. The Target column shows how many users and how many groups are being targeted. @@ -132,7 +132,7 @@ Existing Files" and then specifying which users you want the directives to apply done, click "Next" to continue. This will initiate the Installer Properties page where you can name the MSI and manufacturer however you wish (as shown in Figure 10). -![deploying_policypak_directives_9](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_9.webp) +![deploying_policypak_directives_9](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_9.webp) Figure 10. Naming the MSI. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/preferences.md b/docs/policypak/policypak/mdm/xmldatafiles/preferences.md index eaee2d2a21..ddc161b1cc 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/preferences.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/preferences.md 
@@ -3,11 +3,11 @@ To make an XML file from a Group Policy Preference item, first create the item. Be sure to embed any Group Policy Preference Item-Level Targeting within your item to limit when the item will apply. For instance, you may want to limit by operating system, IP address range, the presence of a file, and -so on. Refer to Book 9: [Preferences Manager](../../preferences/overview.md), for more details. +so on. Refer to Book 9: [Preferences Manager](/docs/policypak/policypak/preferences/overview.md), for more details. Then, drag the Group Policy Preference item from the MMC console to create the XML data file. You can drag this file to a folder or your desktop, as shown in Figure 19. -![deploying_policypak_directives_19](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_19.webp) +![deploying_policypak_directives_19](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_19.webp) Figure 19. Dragging the the Group Policy Preference item from the MMC console to the desktop in order to create a XML data file. @@ -16,7 +16,7 @@ Alternatively, the Endpoint Policy Manager management console can also export ex Preference items from within an existing GPO (without you needing to drag and drop items one by one). You can see an example of this in Figure 20. -![deploying_policypak_directives_20](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_20.webp) +![deploying_policypak_directives_20](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_20.webp) Figure 20. The user can export an existing GPO through the Endpoint Policy Manager management console. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/scripts.md b/docs/policypak/policypak/mdm/xmldatafiles/scripts.md index b79b227611..4d6f440cd0 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/scripts.md 
+++ b/docs/policypak/policypak/mdm/xmldatafiles/scripts.md @@ -2,13 +2,13 @@ You can export a single Endpoint Policy Manager Script Manager entry, as shown in Figure 26. -![deploying_policypak_directives_26](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_26.webp) +![deploying_policypak_directives_26](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_26.webp) Figure 26. Exporting a single Endpoint Policy Manager Scripts Manager entry. Alternatively, you can export a whole collection, as shown in Figure 27, by right-clicking `Computer Configuration | PolicyPak | Browser Router` and picking the collection you wish to export. -![deploying_policypak_directives_27](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_27.webp) +![deploying_policypak_directives_27](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_27.webp) Figure 27. Exporting a whole collection using Endpoint Policy Manager Scripts Manager. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/securitysettings.md b/docs/policypak/policypak/mdm/xmldatafiles/securitysettings.md index e73e614597..fb63612e5e 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/securitysettings.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/securitysettings.md 
@@ -4,8 +4,8 @@ Endpoint Policy Manager Security Settings Manager will export the computer-side GPO as an XML file. Right-click `Computer Configuration | PolicyPak | Security Manager`, and select the only setting that is available in the menu, as shown in Figure 21. For full details on the Endpoint Policy Manager Security Settings Manager Export Wizard, see Book 10: -[Security Settings Manager](../../securitysettings/overview.md). +[Security Settings Manager](/docs/policypak/policypak/securitysettings/overview.md). -![deploying_policypak_directives_21](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_21.webp) +![deploying_policypak_directives_21](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_21.webp) Figure 21. Exporting the computer-side security within a GPO as an XML file. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/startscreen.md b/docs/policypak/policypak/mdm/xmldatafiles/startscreen.md index e60c83c524..e01edb5d36 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/startscreen.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/startscreen.md 
@@ -6,12 +6,12 @@ You can export a single policy, a collection, or the whole node. For example, ri `User Configuration | PolicyPak | Start Screen Manager` for Windows 10, and pick the root node or collection you wish to export, as shown in Figure 22. -![deploying_policypak_directives_22](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_22.webp) +![deploying_policypak_directives_22](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_22.webp) Figure 22. Exporting a whole collection using Endpoint Policy Manager Start Screen Manager. You can export a single Endpoint Policy Manager Start Screen Manager entry, as shown in Figure 23. -![deploying_policypak_directives_23](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_23.webp) +![deploying_policypak_directives_23](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_23.webp) Figure 23. Exporting a single Endpoint Policy Manager Start Screen Manager entry. diff --git a/docs/policypak/policypak/mdm/xmldatafiles/taskbar.md b/docs/policypak/policypak/mdm/xmldatafiles/taskbar.md index 42f9cbb810..cf22d05d5f 100644 --- a/docs/policypak/policypak/mdm/xmldatafiles/taskbar.md +++ b/docs/policypak/policypak/mdm/xmldatafiles/taskbar.md 
@@ -6,13 +6,13 @@ single policy, a collection, or the whole node. For example, right-click `User Configuration | PolicyPak | Taskbar Manager` for Windows 10, and pick the root node or collection you wish to export, as shown in Figure 24. -![deploying_policypak_directives_24](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_24.webp) +![deploying_policypak_directives_24](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_24.webp) Figure 24. Exporting a whole collection using Endpoint Policy Manager Taskbar Manager. You can also export a single Endpoint Policy Manager Taskbar Manager entry, as as shown in Figure 25. -![deploying_policypak_directives_25](../../../../../static/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_25.webp) +![deploying_policypak_directives_25](/img/product_docs/policypak/policypak/mdm/xmldatafiles/deploying_policypak_directives_25.webp) Figure 25. Exporting a single Endpoint Policy Manager Taskbar Manager entry. diff --git a/docs/policypak/policypak/preferences/componentlicense.md b/docs/policypak/policypak/preferences/componentlicense.md index b129236dd6..98a707e1d4 100644 --- a/docs/policypak/policypak/preferences/componentlicense.md +++ b/docs/policypak/policypak/preferences/componentlicense.md 
@@ -12,7 +12,7 @@ Here are the scenarios for which you should request a PPPrefs license: - You want to use Endpoint Policy Manager over MDM. (This is automatically included when we issue an MDM license) - You want to deliver user-side-only Microsoft's GPPreferences items to computers, that is, - [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../video/methods/exporterutility.md) + [Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/methods/exporterutility.md) - You want to deliver GPPrefs items using SCCM or some other non-GP method. In those cases, or if you think you have another rason why you need it, open a support ticket at diff --git a/docs/policypak/policypak/preferences/deploymsis.md b/docs/policypak/policypak/preferences/deploymsis.md index 07fe400fcf..90eb8df2d2 100644 --- a/docs/policypak/policypak/preferences/deploymsis.md +++ b/docs/policypak/policypak/preferences/deploymsis.md @@ -7,7 +7,7 @@ Quickstart, you won't be using these deployment options. You'll be coping the fi machine in whatever method you wish. IBelow you can see the file is copied to the desktop of the target machine. It is done here only for demonstration purposes. -![quickstart_using_policypak_9](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_9.webp) +![quickstart_using_policypak_9](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_9.webp) By running the `Deploy GPP MSI.msi` file (providing credentials as needed), you will be installing your MSI, which is simply the Group Policy Preferences XML file. 
@@ -19,7 +19,7 @@ Next, the Group Policy Preferences XML file is placed within a Endpoint Policy M the machine, to be read and processed. Within 10 seconds, you should see the Group Policy Preference item apply the www.PolicyPak.com shortcut URL on the desktop. -![quickstart_using_policypak_10](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_10.webp) +![quickstart_using_policypak_10](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_10.webp) **NOTE:** This demonstration will only work successfully when the computer is in Licensed or Trial mode (with "computer" in the name) and the Endpoint Policy Manager Preferences Manager client-side diff --git a/docs/policypak/policypak/preferences/drivemappings.md b/docs/policypak/policypak/preferences/drivemappings.md index 0cf3eae321..a4027a6469 100644 --- a/docs/policypak/policypak/preferences/drivemappings.md +++ b/docs/policypak/policypak/preferences/drivemappings.md @@ -3,7 +3,7 @@ Normally, when you configure network drive mappings using Group Policy Preferences, this is done on the user side since there is no Drive Maps option on the computer side. -![106_1_img-1](../../../../static/img/product_docs/policypak/policypak/preferences/106_1_img-1.webp) +![106_1_img-1](/img/product_docs/policypak/policypak/preferences/106_1_img-1.webp) However, there is a way to deliver network drive mappings on the computer side using Group Policy Preferences. 
@@ -19,32 +19,32 @@ expand` User Configuration > Preferences > Windows Settings > Drive Maps`. **Step 4 –** Right click on Drive Maps and choose `New > Mapped Drive` -![106_2_img-2](../../../../static/img/product_docs/policypak/policypak/preferences/106_2_img-2.webp) +![106_2_img-2](/img/product_docs/policypak/policypak/preferences/106_2_img-2.webp) **Step 5 –** Create the new drive mapping policy as you would normally, but with one difference: be sure to check **Run in logged-on user's security context (user policy option)** under the Common tab. -![106_3_img-3](../../../../static/img/product_docs/policypak/policypak/preferences/106_3_img-3.webp) +![106_3_img-3](/img/product_docs/policypak/policypak/preferences/106_3_img-3.webp) **Step 6 –** Once you have everything configured correctly and the policy item is saved, export the policy item to the desktop. You can just drag it to the desktop. -![106_4_img-4](../../../../static/img/product_docs/policypak/policypak/preferences/106_4_img-4.webp) +![106_4_img-4](/img/product_docs/policypak/policypak/preferences/106_4_img-4.webp) **Step 7 –** Once you have successfully exported the policy file to the desktop, go ahead and delete the drive maps policy item under `User Configuration > Preferences > Windows Settings > Drive Maps`. -![106_5_img-5](../../../../static/img/product_docs/policypak/policypak/preferences/106_5_img-5.webp) +![106_5_img-5](/img/product_docs/policypak/policypak/preferences/106_5_img-5.webp) **Step 8 –** Now copy the drive map policy (`H_.xml`) from your desktop to a server share that is accessible by all users, who should all have a minimum of READ access to this share. 
-![106_6_img-6](../../../../static/img/product_docs/policypak/policypak/preferences/106_6_img-6.webp) +![106_6_img-6](/img/product_docs/policypak/policypak/preferences/106_6_img-6.webp) **Step 9 –** Expand `Computer Configuration > Preferences > Windows Settings > Files ` -![106_7_img-7](../../../../static/img/product_docs/policypak/policypak/preferences/106_7_img-7.webp) +![106_7_img-7](/img/product_docs/policypak/policypak/preferences/106_7_img-7.webp) **Step 10 –** Right-click on **Files** and choose New File, then configure it using the image below as a guide. @@ -52,9 +52,9 @@ as a guide. - Source = UNC path to the file on the server share (i.e.` \\Server\share\H_.xml`) - Destination = `%ProgramData%\PolicyPak\XmlData\Computer\H_.XML` - ![106_8_img-8](../../../../static/img/product_docs/policypak/policypak/preferences/106_8_img-8.webp) + ![106_8_img-8](/img/product_docs/policypak/policypak/preferences/106_8_img-8.webp) **Step 11 –** Run `gpupdate` on one of the computers that live in an OU or domain where you applied the policy, to verify that they get the drive mapping. -![106_9_img-9](../../../../static/img/product_docs/policypak/policypak/preferences/106_9_img-9.webp) +![106_9_img-9](/img/product_docs/policypak/policypak/preferences/106_9_img-9.webp) diff --git a/docs/policypak/policypak/preferences/gettingstarted.md b/docs/policypak/policypak/preferences/gettingstarted.md index 10f582b5d3..706ddf3d32 100644 --- a/docs/policypak/policypak/preferences/gettingstarted.md +++ b/docs/policypak/policypak/preferences/gettingstarted.md @@ -9,7 +9,7 @@ introduce the following: (regardless of how they are deployed). **NOTE:** See Appendix E: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md) and User Guide for +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md) and User Guide for additoinal information on Endpoint Policy Manager Preferences Manager in use with Endpoint Policy Manager Cloud 
@@ -25,12 +25,12 @@ Currently the file is called `ppprefs-shortcut.xml`.  You can get to it by acce portal and navigating to Latest Manuals.  Then, click on Endpoint Policy Manager Examples (to be used with PP Cloud-MDM-SCCM-etc).zip. -![quickstart_using_policypak](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak.webp) +![quickstart_using_policypak](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak.webp) Inside the download of the Endpoint Policy Manager preferences and Endpoint Policy Manager Cloud XML examples, you'll see a file named `ppprefs-shortcut.xml`. -![quickstart_using_policypak_1](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_1.webp) +![quickstart_using_policypak_1](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_1.webp) Remove the file from the ZIP archive, and put it in a handy place for the deployment step. @@ -52,7 +52,7 @@ These are the settings used to make the Group Policy Preference item: - Icon file path: `%SystemRoot%\system32\SHELL32.dll` - Icon index: 47 -![quickstart_using_policypak_2](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_2.webp) +![quickstart_using_policypak_2](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_2.webp) When you click **OK**, it will save the data within the Group Policy Object (GPO). However, you can drag and drop a Group Policy Preference item to the desktop or a folder, which makes an XML file. 
@@ -63,6 +63,6 @@ which will export the Group Policy Preference items from the GPO. **NOTE:** The Group Policy Preference Export wizard will only export settings for the User side or Computer side, depending on which side on are on. -![quickstart_using_policypak_3](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_3.webp) +![quickstart_using_policypak_3](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_3.webp) Keep the Group Policy Preference item file you created handy for the next step. diff --git a/docs/policypak/policypak/preferences/itemleveltargeting.md b/docs/policypak/policypak/preferences/itemleveltargeting.md index ce1a8a5aa0..c768d7d98b 100644 --- a/docs/policypak/policypak/preferences/itemleveltargeting.md +++ b/docs/policypak/policypak/preferences/itemleveltargeting.md @@ -3,7 +3,7 @@ One of the best features of Microsoft Group Policy Preferences is its Item-Level Targeting. It enables you to filter where a particular Group Policy Preference item will take effect. -**NOTE:** See [Group Policy Preferences: Item Level Targeting](../archive/itemleveltartgeting.md) +**NOTE:** See [Group Policy Preferences: Item Level Targeting](/docs/policypak/policypak/archive/itemleveltartgeting.md) for a video of Group Policy Preferences and Item-Level targeting If you followed the Quickstart guide in the previous section, then you deployed a Group Policy 
@@ -30,11 +30,11 @@ In this example, the net result of using these methods is that your Group Policy will only apply to Windows 10 machines that are laptops and within a specific IP address range (192.168.2.0–192.168.3.0), and when the user is a member of the Sales Active Directory group. -![group_policy_preferences_item](../../../../static/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item.webp) +![group_policy_preferences_item](/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item.webp) You can then choose which item you want to target: -![group_policy_preferences_item_1](../../../../static/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_1.webp) +![group_policy_preferences_item_1](/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_1.webp) You can apply one or more targeting items to a Microsoft Group Policy Preference item, which enables targeting items to be joined logically. You can also add targeting collections, which group together @@ -42,7 +42,7 @@ targeting items in much the same way parentheses are used in an equation. In thi create a complex determination about where a policy will be applied. Collections may be set to And, Or, Is, or Is Not. -![group_policy_preferences_item_2](../../../../static/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_2.webp) +![group_policy_preferences_item_2](/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_2.webp) In the example above the Pak would only apply to (1) Windows 10 machines when (2) the machine is portable and (3) the user is in the FABRIKAM\Traveling Sales Users group. 
@@ -65,8 +65,8 @@ When Item-Level Targeting is used, it can be seen and verified in the XML view o Preference item by choosing the Display Xml option. The Item-Level Targeting is highlighted in the Filters section. -![group_policy_preferences_item_3](../../../../static/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_3.webp) +![group_policy_preferences_item_3](/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_3.webp) -![group_policy_preferences_item_4](../../../../static/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_4.webp) +![group_policy_preferences_item_4](/img/product_docs/policypak/policypak/preferences/group_policy_preferences_item_4.webp) The XML of the Group Policy Preference item verifies that Item-Level Targeting is being used. diff --git a/docs/policypak/policypak/preferences/makemsis.md b/docs/policypak/policypak/preferences/makemsis.md index 8469fb83c4..7893fcb9e8 100644 --- a/docs/policypak/policypak/preferences/makemsis.md +++ b/docs/policypak/policypak/preferences/makemsis.md @@ -1,7 +1,7 @@ # Using the Endpoint Policy Manager Exporter to Make MSIs **NOTE:** For an overview of the Endpoint Policy Manager Exporter utility, please watch this video: -[](http://www.policypak.com/video/policypak-preferences-with-policypak-exporter.html)[Endpoint Policy ManagerPreferences with Endpoint Policy Manager Exporter](../archive/preferencesexporter.md)l. +[](http://www.policypak.com/video/policypak-preferences-with-policypak-exporter.html)[Endpoint Policy ManagerPreferences with Endpoint Policy Manager Exporter](/docs/policypak/policypak/archive/preferencesexporter.md)l. Endpoint Policy Manager Exporter's job is to take Microsoft or Endpoint Policy Manager items and wrap them up into an MSI. This MSI can then be deployed using whatever technique you want: Microsoft 
@@ -32,28 +32,28 @@ Endpoint Policy Manager Cloud or Endpoint Policy Manager MDM. **Step 1 –** Run the Endpoint Policy Manager Exporter utility on your management station. You can find it on the Start Menu (for pre-Windows 8 systems). -![quickstart_using_policypak_4](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_4.webp) +![quickstart_using_policypak_4](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_4.webp) **Step 2 –** In the Endpoint Policy Manager Exporter tool, select **Create a new MSI installer** and click **Next**. -![quickstart_using_policypak_5](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_5.webp) +![quickstart_using_policypak_5](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_5.webp) **Step 3 –** Click **Add Existing Files**. Then select the Group Policy Preferences XML file from the downloadable example, or the one you created. It will look similar to what is seen below. -![quickstart_using_policypak_6](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_6.webp) +![quickstart_using_policypak_6](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_6.webp) **Step 4 –** At this point, leave all other options and settings the same as shown in Figure 10 and then click **Next**. Once you've done this, look for the informational screen about the Windows Installer package that was just created, and click **Next**. -![quickstart_using_policypak_7](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_7.webp) +![quickstart_using_policypak_7](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_7.webp) **Step 5 –** Click **Next** and save the MSI file to a location of your choosing. In this example we've saved it to the desktop as Deploy GPP MSI.msi. 
-![quickstart_using_policypak_8](../../../../static/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_8.webp) +![quickstart_using_policypak_8](/img/product_docs/policypak/policypak/preferences/quickstart_using_policypak_8.webp) -See Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) for +See Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) for additional information on the Endpoint Policy Manager Exporter utility diff --git a/docs/policypak/policypak/preferences/overview.md b/docs/policypak/policypak/preferences/overview.md index 93b1c82abf..9e69fc50b9 100644 --- a/docs/policypak/policypak/preferences/overview.md +++ b/docs/policypak/policypak/preferences/overview.md @@ -1,7 +1,7 @@ # Preferences Manager **NOTE:** Before reading this section, please ensure you have read Book 2: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -9,7 +9,7 @@ learn to do the following: - Set up a computer in Trial mode or Licensed mode - Set up a common OU structure - Optionally, if you don't want to use Group Policy, read the section in Appendix A: - [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) on Group Policy and + [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) on Group Policy and non–Group Policy methods (MEMCM, KACE, and MDM service or Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud) to deploy your directives. 
@@ -23,7 +23,7 @@ including the following a,nd many more. - Device lock-down - Regional settings -![about_policypak_gpo_export](../../../../static/img/product_docs/policypak/policypak/preferences/about_policypak_gpo_export.webp) +![about_policypak_gpo_export](/img/product_docs/policypak/policypak/preferences/about_policypak_gpo_export.webp) Despite these advantages, Microsoft's Group Policy Preferences have some issues that cannot be overcome without a little help. That's where Endpoint Policy Manager Preferences Manager comes in. @@ -41,15 +41,15 @@ Endpoint Policy Manager Preferences Manager does the following jobs: management (MDM) service, you can deliver Group Policy Preference items to computers over the Internet (to both domain-joined and non-domain-joined machines). For more information on Endpoint Policy Manager Cloud, see Appendix E: - [Setup, Download, Install, and Verify](../cloud/quickstart.md) and User Guide. For more + [Setup, Download, Install, and Verify](/docs/policypak/policypak/cloud/quickstart.md) and User Guide. For more information about using Endpoint Policy Manager with an MDM service, see Appendix A: - [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md). + [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). **NOTE:** If you use the Endpoint Policy Manager Cloud service, you can deliver Group Policy Preferences directives even to non-domain-joined machines. **NOTE:** See -[Which settings can be managed with the Preferences Manager component?](settings.md)for additional +[Which settings can be managed with the Preferences Manager component?](/docs/policypak/policypak/preferences/settings.md)for additional information on Endpoint Policy Manager Preferences Manager used with SCCM, Endpoint Policy Manager Cloud, or an MDM service, 
@@ -89,7 +89,7 @@ Endpoint Policy Manager Preferences Manager has the following main components: portable MSI file for deployment using Microsoft Endpoint Manager (SCCM and Intune), or your own systems management software. -![about_policypak_gpo_export_1](../../../../static/img/product_docs/policypak/policypak/preferences/about_policypak_gpo_export_1.webp) +![about_policypak_gpo_export_1](/img/product_docs/policypak/policypak/preferences/about_policypak_gpo_export_1.webp) Endpoint Policy Manager Preferences Manager does not require any particular type of domain controllers (DCs). Nothing is installed on any DC, and you don't need to extend the Active Directory diff --git a/docs/policypak/policypak/preferences/passwords.md b/docs/policypak/policypak/preferences/passwords.md index 16b189d85d..8b3d3f6507 100644 --- a/docs/policypak/policypak/preferences/passwords.md +++ b/docs/policypak/policypak/preferences/passwords.md @@ -14,14 +14,14 @@ you. by populating your Preferences item (on-prem recommended) with as much data as you can, noting that the Connect as (or other fields) are not changeable in the MMC editor. Below are two examples. -![916_1_image001](../../../../static/img/product_docs/policypak/policypak/preferences/916_1_image001.webp) +![916_1_image001](/img/product_docs/policypak/policypak/preferences/916_1_image001.webp) -![916_2_image003](../../../../static/img/product_docs/policypak/policypak/preferences/916_2_image003.webp) +![916_2_image003](/img/product_docs/policypak/policypak/preferences/916_2_image003.webp) **Step 2 –** Once you have the item, drag it to the desktop and open it for editing.  The goal is to enter the missing details by hand, typically the cPassword field. -![916_3_image004](../../../../static/img/product_docs/policypak/policypak/preferences/916_3_image004.webp) +![916_3_image004](/img/product_docs/policypak/policypak/preferences/916_3_image004.webp) **Step 3 –** To do get a cPassword, you need to provide an encrypted value in quotes. 
@@ -65,4 +65,4 @@ All well-formed XML will be accepted and should process on the endpoint. Cloud. In domain-joined scenarios that component is automatically disabled until expressly enabled. See -[Why is Endpoint Policy Manager Preferences (original version) "forced disabled" by default?](../license/unlicense/forceddisabled.md) +[Why is Endpoint Policy Manager Preferences (original version) "forced disabled" by default?](/docs/policypak/policypak/license/unlicense/forceddisabled.md) diff --git a/docs/policypak/policypak/preferences/printerdeploy.md b/docs/policypak/policypak/preferences/printerdeploy.md index 3e4b96f974..67508c0b9c 100644 --- a/docs/policypak/policypak/preferences/printerdeploy.md +++ b/docs/policypak/policypak/preferences/printerdeploy.md 
@@ -11,15 +11,15 @@ etc.) **Step 3 –** Expand Microsoft & Endpoint Policy Manager Preferences from the options presented, select Printer, and click **Ok**. -![191_1_pppref-faq4-img1](../../../../static/img/product_docs/policypak/policypak/preferences/191_1_pppref-faq4-img1.webp) +![191_1_pppref-faq4-img1](/img/product_docs/policypak/policypak/preferences/191_1_pppref-faq4-img1.webp) **Step 4 –** Next, click Printer to expand the list of options and select TCP/IP Printer before clicking **Ok**. -![191_2_pppref-faq4-img2_950x312](../../../../static/img/product_docs/policypak/policypak/preferences/191_2_pppref-faq4-img2_950x312.webp) +![191_2_pppref-faq4-img2_950x312](/img/product_docs/policypak/policypak/preferences/191_2_pppref-faq4-img2_950x312.webp) **Step 5 –** At the next screen fill in the following values: IP Address, Local name, Printer path and click on Common to expand the section and check the box next to Run in logged-in user's security context (user policy option) before clicking **Ok** to save. -![191_3_pppref-faq4-img3](../../../../static/img/product_docs/policypak/policypak/preferences/191_3_pppref-faq4-img3.webp) +![191_3_pppref-faq4-img3](/img/product_docs/policypak/policypak/preferences/191_3_pppref-faq4-img3.webp) diff --git a/docs/policypak/policypak/preferences/settings.md b/docs/policypak/policypak/preferences/settings.md index 5fb916ea28..02ae5f4b16 100644 --- a/docs/policypak/policypak/preferences/settings.md +++ b/docs/policypak/policypak/preferences/settings.md 
@@ -3,6 +3,6 @@ Netwrix Endpoint Policy Manager (formerly PolicyPak) Preferences Manager handles every single one of the Group Policy Preferences, with more than twenty configurable options. -![626_1_pppm-gpme-user_299x531](../../../../static/img/product_docs/policypak/policypak/preferences/626_1_pppm-gpme-user_299x531.webp) +![626_1_pppm-gpme-user_299x531](/img/product_docs/policypak/policypak/preferences/626_1_pppm-gpme-user_299x531.webp) -![626_2_pppm-gpme-comp_297x472](../../../../static/img/product_docs/policypak/policypak/preferences/626_2_pppm-gpme-comp_297x472.webp) +![626_2_pppm-gpme-comp_297x472](/img/product_docs/policypak/policypak/preferences/626_2_pppm-gpme-comp_297x472.webp) diff --git a/docs/policypak/policypak/preferences/startservice.md b/docs/policypak/policypak/preferences/startservice.md index 93f579964e..48eb3bce06 100644 --- a/docs/policypak/policypak/preferences/startservice.md +++ b/docs/policypak/policypak/preferences/startservice.md 
@@ -6,21 +6,21 @@ **Step 3 –**  Right-click on Services and choose `New > Service`. -![7_1_image-20190916224004-1](../../../../static/img/product_docs/policypak/policypak/preferences/7_1_image-20190916224004-1.webp) +![7_1_image-20190916224004-1](/img/product_docs/policypak/policypak/preferences/7_1_image-20190916224004-1.webp) **Step 4 –** Under the General tab set the **Startup:** to **Automatic**, then click the ellipsis under Service Name: and select the service you would like to enable. In this example, I selected the RPC service. -![7_2_image-20190916224004-2](../../../../static/img/product_docs/policypak/policypak/preferences/7_2_image-20190916224004-2.webp) +![7_2_image-20190916224004-2](/img/product_docs/policypak/policypak/preferences/7_2_image-20190916224004-2.webp) **Step 5 –** .Under Service action: select **Start service** **Step 6 –** Under the Recovery tab, select **Restart the Service** for all 3 recovery options, then click **OK**. -![7_3_image-20190916224005-3](../../../../static/img/product_docs/policypak/policypak/preferences/7_3_image-20190916224005-3.webp) +![7_3_image-20190916224005-3](/img/product_docs/policypak/policypak/preferences/7_3_image-20190916224005-3.webp) **Step 7 –** Now apply the GPO to the Computer OU where the computers live and where you want this setting, and the next time `GPUPDATE` runs the service will be enabled. diff --git a/docs/policypak/policypak/remotedesktopprotocol/importrdpfile.md b/docs/policypak/policypak/remotedesktopprotocol/importrdpfile.md index 2051242ff4..7039a15510 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/importrdpfile.md +++ b/docs/policypak/policypak/remotedesktopprotocol/importrdpfile.md 
@@ -2,9 +2,9 @@ If you already have existing RDP files configured and saved, you can import them. -![getting_to_know_policypak_6](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_6.webp) +![getting_to_know_policypak_6](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_6.webp) Then browse to the saved RDP file. Below you can see the imported path of the RDP file. Note that the file path setting was automatically imported, as are all other settings. -![getting_to_know_policypak_7](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_7.webp) +![getting_to_know_policypak_7](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_7.webp) diff --git a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/exportcollections.md b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/exportcollections.md index 6465475d66..0c363359c3 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/exportcollections.md +++ b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/exportcollections.md 
@@ -7,9 +7,9 @@ use using Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud, rig collection or the policy and select **Export to XML**. This will enable you to save an XML file, which you can use later. -![using_item_level_targeting_7](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) +![using_item_level_targeting_7](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) Remember that Endpoint Policy Manager RDP policies can be created and exported on the User or Computer side. For instance, below we have a collection being exported. -![using_item_level_targeting_8](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) +![using_item_level_targeting_8](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) diff --git a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/overview.md b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/overview.md index b20e0ac607..1d4944d15b 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/overview.md +++ b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/overview.md 
@@ -9,17 +9,17 @@ A collection enables you to group together Endpoint Policy Manager RDP Manager p act together. For instance, you might create a collection for only East Sales users and another for HR Users. -![using_item_level_targeting](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) Below you can see the two collections we have created which can hold other collections or policies. You can also see how you can apply Item-Level Targeting for a collection. -![using_item_level_targeting_1](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) To change the Item-Level Targeting, right-click any Endpoint Policy Manager RDP Manager policy, and select **Edit Item Level Targeting**. -![using_item_level_targeting_2](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) The Edit Item Level Targeting menu item brings up the Targeting Editor. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy 
@@ -35,7 +35,7 @@ When targeting policies and collections for Endpoint Policy Manager RDP Manager good idea to target portable computers and mobile user security groups. You can also require that users not be on the corporate LAN as well. -![using_item_level_targeting_3](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) In this example, the Pak would only apply to Windows 10 machines when the machine is portable and not on the corporate LAN subnet, and the user is in the FABRIKAM\Traveling Sales Users group. @@ -45,4 +45,4 @@ policy no longer applies** option to delete the RDP file when the policy no long example, using the example below, the policy would no longer apply whenever the computer obtains an address from the corporate LAN. -![using_item_level_targeting_4](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) +![using_item_level_targeting_4](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) diff --git a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/processorderprecedence.md b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/processorderprecedence.md index a47d92d0f4..21397814c7 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/processorderprecedence.md +++ b/docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/processorderprecedence.md 
@@ -5,6 +5,6 @@ So, lower-numbered collections attempt to process first, and higher-numbered col process last. Then, within any collection, each policy is processed in numerical order from lowest to highest. -![using_item_level_targeting_5](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) +![using_item_level_targeting_5](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) -![using_item_level_targeting_6](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) +![using_item_level_targeting_6](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) diff --git a/docs/policypak/policypak/remotedesktopprotocol/overview.md b/docs/policypak/policypak/remotedesktopprotocol/overview.md index 8711686a1f..11d6a92448 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/overview.md +++ b/docs/policypak/policypak/remotedesktopprotocol/overview.md @@ -10,5 +10,5 @@ scenarios: - Specify which RDP files should go on which machines based on conditional settings **NOTE:** See -[Create and update .RDP files for end-users for Remote Work and VDI scenarios](../video/remotedesktopprotocol/vdiscenarios.md) +[Create and update .RDP files for end-users for Remote Work and VDI scenarios](/docs/policypak/policypak/video/remotedesktopprotocol/vdiscenarios.md) for an overview of Endpoint Policy Manager Remote Desktop Protocol Manager diff --git a/docs/policypak/policypak/remotedesktopprotocol/policiessettings.md b/docs/policypak/policypak/remotedesktopprotocol/policiessettings.md index 99ac0f610e..7be57b6dd1 100644 --- a/docs/policypak/policypak/remotedesktopprotocol/policiessettings.md +++ b/docs/policypak/policypak/remotedesktopprotocol/policiessettings.md 
@@ -7,13 +7,13 @@ Start out on your GPMC management station by creating a group policy object (GPO your users. In this example we have a GPO created and linked to the East Sales Users organizational unit (OU). -![getting_to_know_policypak](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak.webp) +![getting_to_know_policypak](/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak.webp) Next, you need to configure settings, starting with the general settings. Under the General tab, enter the file path, which is the destination location for the RDP file. In most cases, you will probably want it delivered to the user desktop. -![getting_to_know_policypak_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_1.webp) +![getting_to_know_policypak_1](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_1.webp) You also need to select an action from the following list. In most cases you will choose **Create** or **Update**. 
@@ -29,20 +29,20 @@ or **Update**. You should configure the logon settings next. You can use the browse button to search for designated servers in AD. Then use the user name variable `%domainname%\%username%` . -![getting_to_know_policypak_2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_2.webp) +![getting_to_know_policypak_2](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_2.webp) You can then begin to choose the granular settings you want. For instance, you can use the slider to set your display configuration and choose your color depth from the drop down menu . -![getting_to_know_policypak_3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_3.webp) +![getting_to_know_policypak_3](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_3.webp) An underlined variable means that it will be delivered within the policy. As we can see below, there is one checked box and two underlined, unchecked boxes in the Local devices and resources section. That means that these checked and unchecked values will be delivered. When a check box is solid green it means that no value has been assigned to that variable. -![getting_to_know_policypak_4](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_4.webp) +![getting_to_know_policypak_4](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_4.webp) You can also configure experience settings such as optimized performance speed. 
-![getting_to_know_policypak_5](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_5.webp) +![getting_to_know_policypak_5](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_5.webp) diff --git a/docs/policypak/policypak/remoteworkdelivery/advanced/standard/multiplefiles.md b/docs/policypak/policypak/remoteworkdelivery/advanced/standard/multiplefiles.md index 92d02456a0..cfc7c0780d 100644 --- a/docs/policypak/policypak/remoteworkdelivery/advanced/standard/multiplefiles.md +++ b/docs/policypak/policypak/remoteworkdelivery/advanced/standard/multiplefiles.md 
@@ -2,19 +2,19 @@ The second type of standard policy you can create is called Copy multiple files from same directory. -![getting_to_know_policypak_22](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_22.webp) +![getting_to_know_policypak_22](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_22.webp) Many of the screens in this wizard are the same as those in the Copy a single file wizard, but the main difference is the Specify the copy source page. -![getting_to_know_policypak_23](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_23.webp) +![getting_to_know_policypak_23](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_23.webp) This page enables you to specify presets and filters, and then lets you show a preview to determine which files from the folder will be copied to the destination. The other main difference is the ability to specify the overwrite mode. -![getting_to_know_policypak_24](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_24.webp) +![getting_to_know_policypak_24](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_24.webp) Your options for specifying the file overwrite mode are as follows: diff --git a/docs/policypak/policypak/remoteworkdelivery/advanced/standard/recursion.md b/docs/policypak/policypak/remoteworkdelivery/advanced/standard/recursion.md index be29f0202e..84d2594332 100644 --- a/docs/policypak/policypak/remoteworkdelivery/advanced/standard/recursion.md +++ b/docs/policypak/policypak/remoteworkdelivery/advanced/standard/recursion.md 
@@ -3,11 +3,11 @@ The final standard policy type is Copy multiple files based on criteria (Recursive and Advanced). **NOTE:** See -[Mass copy folders and files (with filters and recursion)](../../../video/remoteworkdelivery/masscopy.md) +[Mass copy folders and files (with filters and recursion)](/docs/policypak/policypak/video/remoteworkdelivery/masscopy.md) a video overview of Endpoint Policy Manager Remote Work Delivery Manager with Advanced and Recursive options. -![getting_to_know_policypak_25](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_25.webp) +![getting_to_know_policypak_25](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_25.webp) This wizard has many of the same screens as the previous wizards. With that being said, there are two screens that are different. The first is the Specify the copy source screen. On this screen, you @@ -15,7 +15,7 @@ can specify paths where you want to copy a whole share, or you can specify that the middle of a share and then work recursively forward. Below you can see an example of a valid syntax for copying a single folder and all of its contents. -![getting_to_know_policypak_26](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_26.webp) +![getting_to_know_policypak_26](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_26.webp) Using \*\* will turn recursion on. Next, you can specify the number of levels down in the Recursion field. Using the same information as shown previously take all files from all folders with Demos in 
@@ -29,12 +29,12 @@ the name. For example: You can also specify \*\* at the end of a path, and all subfolders will be delivered, as well. -![getting_to_know_policypak_27](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_27.webp) +![getting_to_know_policypak_27](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_27.webp) On the next screen you can use the Show Preview button, which will show you which folders and files are going to be copied. You can see an example of this below. -![getting_to_know_policypak_28](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_28.webp) +![getting_to_know_policypak_28](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_28.webp) **NOTE:** There are other Wildcards available beyond \*\*. See the section on Wildcards and Variables later in the manual. @@ -43,8 +43,8 @@ The other unique screen in this wizard is the one that provides the ability to s size, creation date and time, and modified date and time. When you change these settings, it reduces the number of files copied during an operation. -![getting_to_know_policypak_29](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_29.webp) +![getting_to_know_policypak_29](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_29.webp) You can also require that files be only copied when an attribute is set or not set. -![getting_to_know_policypak_30](../../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_30.webp) +![getting_to_know_policypak_30](/img/product_docs/policypak/policypak/remoteworkdelivery/advanced/standard/getting_to_know_policypak_30.webp) 
diff --git a/docs/policypak/policypak/remoteworkdelivery/cloudmdm.md b/docs/policypak/policypak/remoteworkdelivery/cloudmdm.md index 51d1168579..314d7dcb71 100644 --- a/docs/policypak/policypak/remoteworkdelivery/cloudmdm.md +++ b/docs/policypak/policypak/remoteworkdelivery/cloudmdm.md @@ -10,7 +10,7 @@ automatically updated on endpoints. We'll explore both of these options in the f **NOTE:** For a video showing how to create and use Endpoint Policy Manager Cloud Lite policies with Endpoint Policy Manager Remote Work Delivery Manager, watch: -[Deploy software with Endpoint Policy Manager Cloud](../video/remoteworkdelivery/cloud.md). +[Deploy software with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/remoteworkdelivery/cloud.md). You may recall from other components' manuals that you must always do the following: @@ -25,7 +25,7 @@ of the policy you just created. ## Remote Work Delivery Manager and MDM Services **NOTE:** See -[Copy files and keep them up to date with your MDM service](../video/remoteworkdelivery/mdm.md)for additional +[Copy files and keep them up to date with your MDM service](/docs/policypak/policypak/video/remoteworkdelivery/mdm.md)for additional information on how to use Endpoint Policy Manager Remote Work Delivery Manager and your MDM service to keep files up to date 
@@ -38,13 +38,13 @@ can make a web policy to deliver that file, which will periodically look for cha those changes are made automatically on endpoints. For instance, if you created a web policy, and used a .zip file, then you can select **Archived folder**. -![pprwdm_with_policypak_cloud](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud.webp) +![pprwdm_with_policypak_cloud](/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud.webp) -![pprwdm_with_policypak_cloud_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud_1.webp) +![pprwdm_with_policypak_cloud_1](/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud_1.webp) Next, specify the overwrite mode. -![pprwdm_with_policypak_cloud_2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud_2.webp) +![pprwdm_with_policypak_cloud_2](/img/product_docs/policypak/policypak/remoteworkdelivery/pprwdm_with_policypak_cloud_2.webp) After the Endpoint Policy Manager Remote Work Delivery Manager policy setting is delivered one time using your MDM service, all you need to do is update the ZIP file as needed. Endpoint Policy Manager diff --git a/docs/policypak/policypak/remoteworkdelivery/collections.md b/docs/policypak/policypak/remoteworkdelivery/collections.md index bad7a0b82a..7cd119a4f9 100644 --- a/docs/policypak/policypak/remoteworkdelivery/collections.md +++ b/docs/policypak/policypak/remoteworkdelivery/collections.md 
@@ -4,7 +4,7 @@ When you make a Endpoint Policy Manager Remote Work Delivery Manager collection, group together policy settings for the sake of organization, perform Item-Level Targeting (discussed next), and specify advanced options. -![getting_to_know_policypak_35](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak_35.webp) +![getting_to_know_policypak_35](/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak_35.webp) By default, Endpoint Policy Manager Remote Work Delivery Manager will attempt to process policies at the root node, or within any collection, at the same time, without letting one job finish before diff --git a/docs/policypak/policypak/remoteworkdelivery/computerside.md b/docs/policypak/policypak/remoteworkdelivery/computerside.md index b7c5fd7c49..b6077e82c7 100644 --- a/docs/policypak/policypak/remoteworkdelivery/computerside.md +++ b/docs/policypak/policypak/remoteworkdelivery/computerside.md @@ -5,7 +5,7 @@ deliver scripts on the Computer side. There are two options when you create a script policy from the Computer side. -![getting_to_know_policypak_34](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak_34.webp) +![getting_to_know_policypak_34](/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak_34.webp) The two options to select from are: diff --git a/docs/policypak/policypak/remoteworkdelivery/exportcollections.md b/docs/policypak/policypak/remoteworkdelivery/exportcollections.md index ed42a66637..6261a6aa56 100644 --- a/docs/policypak/policypak/remoteworkdelivery/exportcollections.md +++ b/docs/policypak/policypak/remoteworkdelivery/exportcollections.md 
@@ -1,19 +1,19 @@ # Exporting Collections -In Appendix A:[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md), you can +In Appendix A:[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md), you can learn how to use the Netwrix Endpoint Policy Manager (formerly PolicyPak) Exporter to wrap up Endpoint Policy Manager directives and deliver them using Endpoint Policy Manager Cloud, an MDM service, or a non-Group Policy method such as MEMCM, KACE, and so on. **NOTE:** For a video demonstrating the use of Endpoint Policy Manager Remote Work Delivery Manager with Endpoint Policy Manager MDM see -[Copy files and keep them up to date with your MDM service](../video/remoteworkdelivery/mdm.md). +[Copy files and keep them up to date with your MDM service](/docs/policypak/policypak/video/remoteworkdelivery/mdm.md). Remember that Endpoint Policy Manager Remote Work Delivery Manager policies can be created and exported on the User side or Computer side. In the example below you can see an export from the User side. -![exporting_collections](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections.webp) +![exporting_collections](/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections.webp) Choosing this option from the User side will allow the user to export the policy or collection for later use with Endpoint Policy Manager Cloud or an MDM service. 
@@ -21,7 +21,7 @@ later use with Endpoint Policy Manager Cloud or an MDM service. Below you can see an Export of Endpoint Policy Manager Remote Work Delivery Manager XML from the Computer side. -![exporting_collections_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections_1.webp) +![exporting_collections_1](/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections_1.webp) Choosing this option from the Computer side will allow the user to export the Policy or collection for later use with Endpoint Policy Manager Cloud or an MDM service. @@ -37,7 +37,7 @@ Here are some helpful tips to decide which side to use: switched mode). **NOTE:** See -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../video/mdm/exporterutility.md) +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/mdm/exporterutility.md) for additional information on how to export policies and use Endpoint Policy Manager Exporter Note that exported collections or policies maintain any Item-Level Targeting set within them. If diff --git a/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesstandard.md b/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesstandard.md index a69f9546b6..818f08a7e6 100644 --- a/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesstandard.md +++ b/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesstandard.md 
@@ -7,33 +7,33 @@ Work Delivery Manager, using `\\DC2016\share` as the share. [https://notepad-plus-plus.org/](https://notepad-plus-plus.org/), and put the installer file, which should be named something similar to npp.7.5.6.Installer.exe, in your share. -![getting_to_know_policypak_1](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_1.webp) +![getting_to_know_policypak_1](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_1.webp) **Step 2 –** On your GPMC management station, create a GPO and link it to your users. In this example we have a GPO created and linked to the East Sales Users organizational unit (OU). -![getting_to_know_policypak_2](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_2.webp) +![getting_to_know_policypak_2](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_2.webp) **Step 3 –** Edit the GPO, then go to `User Configuration > PolicyPak > Remote Work Delivery Manager`, as shown below, and select `Add ``````>`````` New Standard Policy`. -![getting_to_know_policypak_3](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_3.webp) +![getting_to_know_policypak_3](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_3.webp) When you do this, the Endpoint Policy Manager Remote Work Delivery Manager Wizard appears. -![getting_to_know_policypak_4](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_4.webp) +![getting_to_know_policypak_4](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_4.webp) **Step 4 –** Click **Next** and specify the file from the file path. 
-![getting_to_know_policypak_5](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_5.webp) +![getting_to_know_policypak_5](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_5.webp) **Step 5 –** Click **Next** to continue. On the next page, specify the destination directory, which can be any folder you like. Folders that don't exist will be automatically created. In the example below, the folder is located two directories down. At this point, you can also change the destination name of the file. -![getting_to_know_policypak_6](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_6.webp) +![getting_to_know_policypak_6](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_6.webp) **Step 6 –** On the next screen, you can Specify file access settings,. On this screen, you can specify which security context is used for the reading and writing of the files. When reading from 
@@ -44,12 +44,12 @@ location you specify. When writing to the destination as Computer, the files are As such, files can be replaced where standard users cannot normally go, such as the Program Files folder and other system-restricted locations. -![getting_to_know_policypak_7](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_7.webp) +![getting_to_know_policypak_7](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_7.webp) **Step 7 –** On the next screen you can decide which file attributes will be copied. Note that not all attributes are available, depending on which options have been previously selected. -![getting_to_know_policypak_8](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_8.webp) +![getting_to_know_policypak_8](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_8.webp) **Step 8 –** On the next screen decide when to process the policy. 
@@ -59,14 +59,14 @@ are only brought down when the policy is set to **Always run (recommended)**. For this example, you can select **Once**. -![getting_to_know_policypak_9](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_9.webp) +![getting_to_know_policypak_9](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_9.webp) **Step 9 –** After the file is copied, we want to run it so that it installs. To do this, select **Run process** and specify the path and the filename. Note that installation programs typically need to run as System, so be sure to uncheck **Run process or script as user**, which will force it to process as System. -![getting_to_know_policypak_10](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_10.webp) +![getting_to_know_policypak_10](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_10.webp) **Step 10 –** You can also specify what to do when the policy is reverted or no longer applies. For that we can run the Notepad++ uninstall command, 
@@ -78,26 +78,26 @@ that we can run the Notepad++ uninstall command, Additionally, you can specify what to do with the files or folders that are not needed when the policy no longer applies. -![getting_to_know_policypak_11](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_11.webp) +![getting_to_know_policypak_11](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_11.webp) **Step 11 –** The last page of the wizard enables you to provide a Policy Name, enter notes into the Comment field, enable or disable the State field, or use the Item Level Targeting field to specify where this policy should apply (more on this later). -![getting_to_know_policypak_12](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_12.webp) +![getting_to_know_policypak_12](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_12.webp) **Step 12 –** Click **Finish** to close the wizard and see the entry in the Group Policy Editor . You can also double-click the entry to see all of the settings in a flat list, instead of the wizard. -![getting_to_know_policypak_13](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_13.webp) +![getting_to_know_policypak_13](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_13.webp) **Step 13 –** Finally, on the target machine, run `GPupdate `or log on as the user. You will see Notepad++ appear under the Recently added heading. 
-![getting_to_know_policypak_14](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_14.webp) +![getting_to_know_policypak_14](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_14.webp) **Step 14 –** If you want to test it out, you can un-link enable GPO by removing the checkmark next to Link Enabled, or delete the GPO, and see Notepad++ go away. -![getting_to_know_policypak_15](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_15.webp) +![getting_to_know_policypak_15](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_15.webp) diff --git a/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesweb.md b/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesweb.md index 5b105eb7f2..c1cc407425 100644 --- a/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesweb.md +++ b/docs/policypak/policypak/remoteworkdelivery/gettingstarted/policiesweb.md @@ -4,7 +4,7 @@ Web policies enable you to copy a file from an HTTP source, like Dropbox or Amaz **NOTE:** For a video overview of using Endpoint Policy Manager Remote Work Delivery Manager to install software using web-based shares, see -[Install software using web-based shares](../../video/remoteworkdelivery/webbasedshares.md). +[Install software using web-based shares](/docs/policypak/policypak/video/remoteworkdelivery/webbasedshares.md). Web policies provide a specialized functionality that leverages Microsoft Background Intelligent Transfer Service (BITS) to facilitate the efficient transfer of files in the background. Microsoft 
@@ -31,12 +31,12 @@ compatibility (there may be others): **Step 1 –** Create a web policy for Endpoint Policy Manager Remote Work Delivery Manager by adding a new policy. -![getting_to_know_policypak_16](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_16.webp) +![getting_to_know_policypak_16](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_16.webp) **Step 2 –** Next, on the Specify the copy source page, add the URL of a file that exists on a compatible web service. In the example below we have a movie file on Amazon S3. -![getting_to_know_policypak_17](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_17.webp) +![getting_to_know_policypak_17](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_17.webp) At this point, the file has been validated against the server for full compatibility. Compatibility means that the service reports success in both the Head and Get methods. If the service fails, you 
@@ -46,23 +46,23 @@ do not get an error and are able to continue. **Step 3 –** You are asked if the file is a single file (which should be copied as a straight file) or a ZIP archive you want to unpack. For this Quickstart, select **File** and click **Next**. -![getting_to_know_policypak_18](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_18.webp) +![getting_to_know_policypak_18](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_18.webp) **Step 4 –** Select your destination directory and replacement file name. -![getting_to_know_policypak_19](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_19.webp) +![getting_to_know_policypak_19](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_19.webp) **Step 5 –** Complete the remaining pages of the wizard as described earlier. Then, click **Finish** to see the policy in the editor. -![getting_to_know_policypak_20](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_20.webp) +![getting_to_know_policypak_20](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_20.webp) The files should start copying within 10 or 20 seconds. After that, the file size, bandwidth speed, and policy settings regarding BITS usage will determine the final download time. 
The success of the web file copy can be seen here: -![getting_to_know_policypak_21](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_21.webp) +![getting_to_know_policypak_21](/img/product_docs/policypak/policypak/remoteworkdelivery/gettingstarted/getting_to_know_policypak_21.webp) There is a little more to understanding web policies, which will be explained in the section titled Advanced Web Policies: Unpacking and Using ZIP Archives. There is also a security concern about web diff --git a/docs/policypak/policypak/remoteworkdelivery/gettoknow.md b/docs/policypak/policypak/remoteworkdelivery/gettoknow.md index 48926ebcbb..d9b47d8035 100644 --- a/docs/policypak/policypak/remoteworkdelivery/gettoknow.md +++ b/docs/policypak/policypak/remoteworkdelivery/gettoknow.md @@ -8,7 +8,7 @@ policy, web policy, or collection. **NOTE:** You will only see the Endpoint Policy Manager Remote Work Delivery Manager node when the latest Admin Console MSI is installed on the management station. -![getting_to_know_policypak](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak.webp) +![getting_to_know_policypak](/img/product_docs/policypak/policypak/remoteworkdelivery/getting_to_know_policypak.webp) The functions of collections and policies are as follows: diff --git a/docs/policypak/policypak/remoteworkdelivery/insouts.md b/docs/policypak/policypak/remoteworkdelivery/insouts.md index d8cebfdde5..9ad826ac75 100644 --- a/docs/policypak/policypak/remoteworkdelivery/insouts.md +++ b/docs/policypak/policypak/remoteworkdelivery/insouts.md 
@@ -15,13 +15,13 @@ limitations. The File Copy settings are found in the Group Policy Editor under User Configuration > Preferences > Files node and Computer Configuration > Preferences > Files node. -![about_policypak_remote_work](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/about_policypak_remote_work.webp) +![about_policypak_remote_work](/img/product_docs/policypak/policypak/remoteworkdelivery/about_policypak_remote_work.webp) Using Group Policy Preferences will copy exactly one file and place it where you want it. You can also add an asterisk (\*) in the source file entry, which changes the Destination File field to a Destination folder field. -![about_policypak_remote_work_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/about_policypak_remote_work_1.webp) +![about_policypak_remote_work_1](/img/product_docs/policypak/policypak/remoteworkdelivery/about_policypak_remote_work_1.webp) When you add the asterisk (\*), Group Policy Preferences will attempt to copy all the files from that source folder down to the client. Note that this file copy is not recursive, making it a common diff --git a/docs/policypak/policypak/remoteworkdelivery/installsequentially.md b/docs/policypak/policypak/remoteworkdelivery/installsequentially.md index c27b2d57ea..b19f811f2f 100644 --- a/docs/policypak/policypak/remoteworkdelivery/installsequentially.md +++ b/docs/policypak/policypak/remoteworkdelivery/installsequentially.md 
@@ -3,19 +3,19 @@ By default, Netwrix Endpoint Policy Manager (formerly PolicyPak) Remote Work Delivery Manager will install applications in any order, not the order specified in the precedence list. -![757_1_image_1_950x408](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/757_1_image_1_950x408.webp) +![757_1_image_1_950x408](/img/product_docs/policypak/policypak/remoteworkdelivery/757_1_image_1_950x408.webp) However, you can change this behavior by making a Collection. Then on the Collection you may select the **Process policies sequentially** checkbox: -![757_2_img-02-6sd54v5sd4f_950x553](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/757_2_img-02-6sd54v5sd4f_950x553.webp) +![757_2_img-02-6sd54v5sd4f_950x553](/img/product_docs/policypak/policypak/remoteworkdelivery/757_2_img-02-6sd54v5sd4f_950x553.webp) This will ensure the processing order within the collection. That being said, you do need to be careful around this when you specify a post-copy **Run process** or **Run PowerShell Script**. -![757_4_img-03-65sd4f5sd4f_950x499](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/757_4_img-03-65sd4f5sd4f_950x499.webp) +![757_4_img-03-65sd4f5sd4f_950x499](/img/product_docs/policypak/policypak/remoteworkdelivery/757_4_img-03-65sd4f5sd4f_950x499.webp) Endpoint Policy Manager Remote Work Delivery Manager guarantees that it will wait for the Run Process to exit, or wait until the post-action PowerShell script is complete before it starts diff --git a/docs/policypak/policypak/remoteworkdelivery/installuwp.md b/docs/policypak/policypak/remoteworkdelivery/installuwp.md index 2e4a584d75..498698d3c4 100644 --- a/docs/policypak/policypak/remoteworkdelivery/installuwp.md +++ b/docs/policypak/policypak/remoteworkdelivery/installuwp.md 
@@ -16,11 +16,11 @@ bundle:  [https://store.rg-adguard.net/](https://store.rg-adguard.net/) Copy the Microsoft Store link for the UWP Application:  [https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb?activetab=pivot:overviewtab](https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb?activetab=pivot:overviewtab) -![722_1_image-20201105183910-1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_1_image-20201105183910-1.webp) +![722_1_image-20201105183910-1](/img/product_docs/policypak/policypak/remoteworkdelivery/722_1_image-20201105183910-1.webp) Then use the link at [https://store.rg-adguard.net/:](https://store.rg-adguard.net/:) -![722_2_image-20201105183910-2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_2_image-20201105183910-2.webp) +![722_2_image-20201105183910-2](/img/product_docs/policypak/policypak/remoteworkdelivery/722_2_image-20201105183910-2.webp) **Step 2 –** Download the UWP application bundle, and store it on a UNC path that is accessible from your endpoint computers, i.e. 
@@ -33,37 +33,37 @@ your endpoint computers, i.e. Endpoint Policy Manager (formerly PolicyPak) RWDM Standard Policy on either the Computer or User side. -![722_3_image-20201105183910-3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_3_image-20201105183910-3.webp) +![722_3_image-20201105183910-3](/img/product_docs/policypak/policypak/remoteworkdelivery/722_3_image-20201105183910-3.webp) **Step 4 –** At the Welcome to the Endpoint Policy Manager Remote Work Delivery Manager wizard! screen choose Copy a single file, then click **Next**. -![722_4_image-20201105183910-4](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_4_image-20201105183910-4.webp) +![722_4_image-20201105183910-4](/img/product_docs/policypak/policypak/remoteworkdelivery/722_4_image-20201105183910-4.webp) **Step 5 –** At the Specify policy target screen choose **Apply this policy to all users who log on to the computer** **(switched mode)**, then click **Next**. -![722_5_image-20201105183910-5](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_5_image-20201105183910-5.webp) +![722_5_image-20201105183910-5](/img/product_docs/policypak/policypak/remoteworkdelivery/722_5_image-20201105183910-5.webp) **Step 6 –** At the Specify the copy source screen use the UNC path for the UWP application bundle from Step 2 above, then click **Next**. -![722_6_image-20201105183910-6](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_6_image-20201105183910-6.webp) +![722_6_image-20201105183910-6](/img/product_docs/policypak/policypak/remoteworkdelivery/722_6_image-20201105183910-6.webp) **Step 7 –** At the Specify the copy destination specify the target folder on the endpoint(s) where you would like the UWP application to be downloaded to, leave the File name field as is, then click **Next**.  The target folder will be created if it does not exist. 
-![722_7_image-20201105183910-7](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_7_image-20201105183910-7.webp) +![722_7_image-20201105183910-7](/img/product_docs/policypak/policypak/remoteworkdelivery/722_7_image-20201105183910-7.webp) **Step 8 –** At the Specify file access settings screen accept the default values and click **Next**. -![722_8_image-20201105183910-8](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_8_image-20201105183910-8.webp) +![722_8_image-20201105183910-8](/img/product_docs/policypak/policypak/remoteworkdelivery/722_8_image-20201105183910-8.webp) **Step 9 –** At the Specify when to process this policy screen select **Once** and click **Next**. -![722_9_image-20201105183910-9](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_9_image-20201105183910-9.webp) +![722_9_image-20201105183910-9](/img/product_docs/policypak/policypak/remoteworkdelivery/722_9_image-20201105183910-9.webp) **Step 10 –** At the Post-copy actions" screen select the **Run PowerShell script**, and **Run process or script as user** options and add the command line below @@ -72,7 +72,7 @@ process or script as user** options and add the command line below Add-AppPackage -path "C:\Installers\Microsoft.AzureVpn_1.1069.25.0_neutral___8wekyb3d8bbwe.Msixbundle" ``` -![722_10_image-20201105183911-10](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_10_image-20201105183911-10.webp) +![722_10_image-20201105183911-10](/img/product_docs/policypak/policypak/remoteworkdelivery/722_10_image-20201105183911-10.webp) **Step 11 –** Optional: At the Revert actions screen add a revert action, otherwise click **Next** to skip. 
@@ -88,11 +88,11 @@ bundle:  [https://store.rg-adguard.net/](https://store.rg-adguard.net/) Copy the Microsoft Store link for the UWP Application:  [https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb?activetab=pivot:overviewtab](https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb?activetab=pivot:overviewtab) -![722_11_image-20201105183911-11](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_1_image-20201105183910-1.webp) +![722_11_image-20201105183911-11](/img/product_docs/policypak/policypak/remoteworkdelivery/722_1_image-20201105183910-1.webp) Then use the link at [https://store.rg-adguard.net/:](https://store.rg-adguard.net/:) -![722_12_image-20201105183911-12](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_2_image-20201105183910-2.webp) +![722_12_image-20201105183911-12](/img/product_docs/policypak/policypak/remoteworkdelivery/722_2_image-20201105183910-2.webp) **Step 2 –** Download the UWP application bundle, then upload it to a Endpoint Policy Manager supported web storage source. The following web sources are currently supported: 
@@ -104,12 +104,12 @@ supported web storage source. The following web sources are currently supported: **Step 3 –** Using the Microsoft Group Policy Management Console (GPMC) create a new Endpoint Policy Manager RWDM Web Policy on either the Computer or User side. -![722_13_image-20201105183911-13](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_13_image-20201105183911-13.webp) +![722_13_image-20201105183911-13](/img/product_docs/policypak/policypak/remoteworkdelivery/722_13_image-20201105183911-13.webp) **Step 4 –** At the Specify policy target screen select **Apply this policy to all users who log on to the computer (switched mode)**, then click **Next**. -![722_14_image-20201105183911-14](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_5_image-20201105183910-5.webp) +![722_14_image-20201105183911-14](/img/product_docs/policypak/policypak/remoteworkdelivery/722_5_image-20201105183910-5.webp) **Step 5 –** At the Specify the copy source window add the direct download link for the UWP application, then click **Next**. 
@@ -119,31 +119,31 @@ https://www.dropbox.com/s/gvzushhyu2qz9i/Microsoft.AzureVpn_1.1069.25.0_neutral_ Do not use this link, it is provided only as an example and will not work, please create a new link to use. -![722_15_image-20201105183911-15](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_15_image-20201105183911-15.webp) +![722_15_image-20201105183911-15](/img/product_docs/policypak/policypak/remoteworkdelivery/722_15_image-20201105183911-15.webp) **Step 6 –** Wait for the link to be validated. If it fails, verify that you are using a direct download link, that is, paste the link into a browser to see if the file auto-downloads. -![722_16_image-20201105183911-16](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_16_image-20201105183911-16.webp) +![722_16_image-20201105183911-16](/img/product_docs/policypak/policypak/remoteworkdelivery/722_16_image-20201105183911-16.webp) **Step 7 –** In the Specify the copy source window select **File** and click **Next**. -![722_17_image-20201105183911-17](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_17_image-20201105183911-17.webp) +![722_17_image-20201105183911-17](/img/product_docs/policypak/policypak/remoteworkdelivery/722_17_image-20201105183911-17.webp) **Step 8 –** In the Specify the copy destination window, specify the target folder on the endpoint(s) where you would like the UWP application to be downloaded to, leave the File name as is, then click **Next**.  The target folder will be created if it does not exist. -![722_18_image-20201105183911-18](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_7_image-20201105183910-7.webp) +![722_18_image-20201105183911-18](/img/product_docs/policypak/policypak/remoteworkdelivery/722_7_image-20201105183910-7.webp) **Step 9 –** In the pecify file access settings window accept the defaults and click **Next**. 
-![722_19_image-20201105183911-19](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_19_image-20201105183911-19.webp) +![722_19_image-20201105183911-19](/img/product_docs/policypak/policypak/remoteworkdelivery/722_19_image-20201105183911-19.webp) **Step 10 –** In the Specify when to process this policy window select **Once**, then click **Next**. -![722_20_image-20201105183911-20](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_9_image-20201105183910-9.webp) +![722_20_image-20201105183911-20](/img/product_docs/policypak/policypak/remoteworkdelivery/722_9_image-20201105183910-9.webp) **Step 11 –** In the Post-copy actions window choose the Run PowerShell script, and **Run process or script as user** options, then add the command line below @@ -152,7 +152,7 @@ script as user** options, then add the command line below Add-AppPackage -path "C:\Installers\Microsoft.AzureVpn_1.1069.25.0_neutral___8wekyb3d8bbwe.Msixbundle" ``` -![722_21_image-20201105183911-21](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_10_image-20201105183911-10.webp) +![722_21_image-20201105183911-21](/img/product_docs/policypak/policypak/remoteworkdelivery/722_10_image-20201105183911-10.webp) **Step 12 –** Optional: At the Revert actions screen add a revert action, otherwise click **Next** to skip. diff --git a/docs/policypak/policypak/remoteworkdelivery/itemleveltargeting.md b/docs/policypak/policypak/remoteworkdelivery/itemleveltargeting.md index 315ac33c25..c7a1951004 100644 --- a/docs/policypak/policypak/remoteworkdelivery/itemleveltargeting.md +++ b/docs/policypak/policypak/remoteworkdelivery/itemleveltargeting.md 
@@ -8,12 +8,12 @@ collections. A collection enables you to group together Endpoint Policy Manager Manager policies so they can act together. For instance, you might create a collection for only East Sales computers and another for West Sales computers. -![using_item_level_targeting](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) You can also right-click any Endpoint Policy Manager Remote Work Delivery Manager policy, and select **Edit Item Level Targeting**. -![using_item_level_targeting_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) You can also select Item-Level Targeting when a policy is created using the wizard. @@ -28,7 +28,7 @@ it allows you to group together targeting items. In this way, a fairly complex d created for the computers the policy applies to. Collections may be set to And or Or, as well as Is or Is Not. -![using_item_level_targeting_2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) Here are some real-world examples of Item-Level Targeting used with Endpoint Policy Manager Remote Work Delivery Manager: 
@@ -52,7 +52,7 @@ Work Delivery Manager: After editing is completed, close the editor. Note that the policy or collection's icon has changed to orange, which shows that it now has Item-Level Targeting. -![using_item_level_targeting_3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) **NOTE:** When Item-Level Targeting is on, the policy won't apply unless the conditions are True. If Item-Level Targeting is applied to a collection, then none of the items in the collection will apply diff --git a/docs/policypak/policypak/remoteworkdelivery/overview.md b/docs/policypak/policypak/remoteworkdelivery/overview.md index 55dc26ae3d..db73e023b1 100644 --- a/docs/policypak/policypak/remoteworkdelivery/overview.md +++ b/docs/policypak/policypak/remoteworkdelivery/overview.md @@ -1,7 +1,7 @@ # Remote Work Delivery Manager **NOTE:** Before reading this section, please ensure you have read Book 2: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -10,7 +10,7 @@ learn to do the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, read the section in Appendix A: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) to deploy your +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) to deploy your directives. Netwrix Endpoint Policy Manager (formerly PolicyPak) Remote Work Delivery Manager (PPRWDM) enables 
@@ -22,7 +22,7 @@ you to perform the following operations on Windows: - Copy files from an HTTP(S) source, like OneDrive, Dropbox, Amazon S3, and some other services, to a desktop -**NOTE:** See [Install software with SMB (standard share)](../video/remoteworkdelivery/smb.md)for an +**NOTE:** See [Install software with SMB (standard share)](/docs/policypak/policypak/video/remoteworkdelivery/smb.md)for an overview of PolicyPak Remote Work Delivery Manager. Endpoint Policy Manager Remote Work Delivery Manager allows you to do the following: @@ -55,7 +55,7 @@ even to non-domain-joined machines over the Internet. Manager directives via Group Policy, or when using MEMCM, KACE, MDM, or similar utilities. - Endpoints — In order to use these, they must be licensed for Endpoint Policy Manager Remote Work Delivery Manager using one of the licensing methods, which are described in Book 1: - [Introduction and Basic Concepts](../basicconcepts.md). + [Introduction and Basic Concepts](/docs/policypak/policypak/basicconcepts.md). - PolicyPak Exporter (optional) — A free utility that lets you take Endpoint Policy Manager Admin Templates Manager and our other products' XML files and wrap them into a portable MSI file for deployment using MEMCM, an MDM service, or your own systems management software. diff --git a/docs/policypak/policypak/remoteworkdelivery/overview/knowledgebase.md b/docs/policypak/policypak/remoteworkdelivery/overview/knowledgebase.md index e775921b41..2979b8e945 100644 --- a/docs/policypak/policypak/remoteworkdelivery/overview/knowledgebase.md +++ b/docs/policypak/policypak/remoteworkdelivery/overview/knowledgebase.md 
@@ -4,12 +4,12 @@ See the following Knowledge Base articles for Remote Work Delivery Manager. ## Tips and Tricks -- [How can I make applications install sequentially / in order (and how does it work?)](../installsequentially.md) -- [How to Install UWP applications using Endpoint Policy Manager Remote Work Delivery Manager](../installuwp.md) -- [How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](../updateclientsideextension.md) -- [What variables can I use in place for source or destination in Remote Work Delivery Manager?](../variables.md) -- [How To deploy a TCP/IP Printer using Endpoint Policy Manager Remote Work Delivery Manager](../printers.md) +- [How can I make applications install sequentially / in order (and how does it work?)](/docs/policypak/policypak/remoteworkdelivery/installsequentially.md) +- [How to Install UWP applications using Endpoint Policy Manager Remote Work Delivery Manager](/docs/policypak/policypak/remoteworkdelivery/installuwp.md) +- [How do I use Endpoint Policy Manager Remote Work Delivery Manager to update the Client Side Extension?](/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md) +- [What variables can I use in place for source or destination in Remote Work Delivery Manager?](/docs/policypak/policypak/remoteworkdelivery/variables.md) +- [How To deploy a TCP/IP Printer using Endpoint Policy Manager Remote Work Delivery Manager](/docs/policypak/policypak/remoteworkdelivery/printers.md) ## Troubleshooting -- [My Dropbox link won't verify in Remote Work Delivery Manager](../../troubleshooting/remoteworkdelivery/dropboxlink.md) +- [My Dropbox link won't verify in Remote Work Delivery Manager](/docs/policypak/policypak/troubleshooting/remoteworkdelivery/dropboxlink.md) 
diff --git a/docs/policypak/policypak/remoteworkdelivery/overview/videolearningcenter.md b/docs/policypak/policypak/remoteworkdelivery/overview/videolearningcenter.md index a6456a7cd1..c4f2f18c21 100644 --- a/docs/policypak/policypak/remoteworkdelivery/overview/videolearningcenter.md +++ b/docs/policypak/policypak/remoteworkdelivery/overview/videolearningcenter.md 
@@ -4,18 +4,18 @@ See the following Video topics for Remote Work Delivery Manager. ## Getting Started -- [Install software with SMB (standard share)](../../video/remoteworkdelivery/smb.md) -- [Install software using web-based shares](../../video/remoteworkdelivery/webbasedshares.md) -- [Mass copy folders and files (with filters and recursion)](../../video/remoteworkdelivery/masscopy.md) -- [Automatic Patching and Updates](../../video/remoteworkdelivery/patching.md) +- [Install software with SMB (standard share)](/docs/policypak/policypak/video/remoteworkdelivery/smb.md) +- [Install software using web-based shares](/docs/policypak/policypak/video/remoteworkdelivery/webbasedshares.md) +- [Mass copy folders and files (with filters and recursion)](/docs/policypak/policypak/video/remoteworkdelivery/masscopy.md) +- [Automatic Patching and Updates](/docs/policypak/policypak/video/remoteworkdelivery/patching.md) ## Methods: Cloud, MDM, SCCM, etc. -- [Deploy software with Endpoint Policy Manager Cloud](../../video/remoteworkdelivery/cloud.md) -- [Copy files and keep them up to date with your MDM service](../../video/remoteworkdelivery/mdm.md) +- [Deploy software with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/remoteworkdelivery/cloud.md) +- [Copy files and keep them up to date with your MDM service](/docs/policypak/policypak/video/remoteworkdelivery/mdm.md) ## Tips and Tricks -- [Endpoint Policy Manager: Remote Work Delivery Manager Local File Copy Magic](../../video/remoteworkdelivery/localfilecopy.md) -- [Endpoint Policy Manager: Use Azure Blob Storage to Deploy and Patch your software](../../video/remoteworkdelivery/azureblobstorage.md) -- [Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](../../video/remoteworkdelivery/updateclientsideextension.md) +- [Endpoint Policy Manager: Remote Work Delivery Manager Local File Copy Magic](/docs/policypak/policypak/video/remoteworkdelivery/localfilecopy.md) +- 
[Endpoint Policy Manager: Use Azure Blob Storage to Deploy and Patch your software](/docs/policypak/policypak/video/remoteworkdelivery/azureblobstorage.md) +- [Using Remote Work Delivery Manager to Update the Endpoint Policy Manager Client Side Extension](/docs/policypak/policypak/video/remoteworkdelivery/updateclientsideextension.md) diff --git a/docs/policypak/policypak/remoteworkdelivery/printers.md b/docs/policypak/policypak/remoteworkdelivery/printers.md index e65ef9b878..19c01f0069 100644 --- a/docs/policypak/policypak/remoteworkdelivery/printers.md +++ b/docs/policypak/policypak/remoteworkdelivery/printers.md 
@@ -5,45 +5,45 @@ users that need to have the printer installed. For Example: -![571_1_image-20210320020022-1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_1_image-20210320020022-1.webp) +![571_1_image-20210320020022-1](/img/product_docs/policypak/policypak/remoteworkdelivery/571_1_image-20210320020022-1.webp) **NOTE:** This zip should contain the driver INF file for the printer to be installed. -![571_2_image-20210320020022-2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_2_image-20210320020022-2.webp) +![571_2_image-20210320020022-2](/img/product_docs/policypak/policypak/remoteworkdelivery/571_2_image-20210320020022-2.webp) **Step 2 –** Using the Microsoft Group Policy Management Console (GPMC), create a new Netwrix Endpoint Policy Manager (formerly PolicyPak) RWDM Standard Policy on either the Computer side (using Switched-Mode), or the User side. -![571_3_image-20210320020022-3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_3_image-20201105183910-3.webp) +![571_3_image-20210320020022-3](/img/product_docs/policypak/policypak/remoteworkdelivery/722_3_image-20201105183910-3.webp) **Step 3 –** At the Welcome screen select Copy a single file, and click **Next**. -![571_4_image-20210320020022-4](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/722_4_image-20201105183910-4.webp) +![571_4_image-20210320020022-4](/img/product_docs/policypak/policypak/remoteworkdelivery/722_4_image-20201105183910-4.webp) **Step 4 –** Select Apply this policy to all users who log on to the computer (switched mode), then click **Next**. 
-![571_5_image-20210320020022-5](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_5_image-20210320020022-5.webp) +![571_5_image-20210320020022-5](/img/product_docs/policypak/policypak/remoteworkdelivery/571_5_image-20210320020022-5.webp) **Step 5 –** Enter the UNC path to the printer zip file from step 1 above, then click **Next**. -![571_6_image-20210320020022-6](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_6_image-20210320020022-6.webp) +![571_6_image-20210320020022-6](/img/product_docs/policypak/policypak/remoteworkdelivery/571_6_image-20210320020022-6.webp) **Step 6 –** Specify the target folder on the endpoint(s) where you would like the zip to be downloaded to, provide the file name for the destination, then click **Next**.  **NOTE:** The target folder will be created if it does not exist -![571_7_image-20210320020022-7](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_7_image-20210320020022-7.webp) +![571_7_image-20210320020022-7](/img/product_docs/policypak/policypak/remoteworkdelivery/571_7_image-20210320020022-7.webp) **Step 7 –** Accept the default values and click **Next**. -![571_8_image-20210320020022-8](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_8_image-20210320020022-8.webp) +![571_8_image-20210320020022-8](/img/product_docs/policypak/policypak/remoteworkdelivery/571_8_image-20210320020022-8.webp) **Step 8 –** Select **Once** then click **Next**. -![571_9_image-20210320020022-9](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_9_image-20210320020022-9.webp) +![571_9_image-20210320020022-9](/img/product_docs/policypak/policypak/remoteworkdelivery/571_9_image-20210320020022-9.webp) At the Post-copy actions screen select the **Run PowerShell script**, and **Run process or script as user** options, then add/edit the command lines below as needed to reflect what is needed for your 
@@ -55,23 +55,23 @@ TIP:[ Go to https://www.pdq.com/blog/using-powershell-to-install-printers/ for m Expand-Archive -LiteralPath 'c:\temp\canon.zip' -DestinationPath C:\Temp    pnputil.exe /a "C:\Temp\Canon\Driver\CNS30MA64.INF"    Start-Sleep -s 10    Add-PrinterDriver -Name "Canon Generic Plus PS3"    Add-PrinterPort -Name "IP Port" -PrinterHostAddress "192.168.1.27"    Add-Printer -DriverName "Canon Generic Plus PS3" -Name "Canon Generic Plus PS3" -PortName "IP Port"  ``` -![571_10_image-20210320020022-10](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_10_image-20210320020022-10.webp) +![571_10_image-20210320020022-10](/img/product_docs/policypak/policypak/remoteworkdelivery/571_10_image-20210320020022-10.webp) **Important**: The Add-PrinterDriver -Name section above the name specified (i.e., "Canon Generic Plus PS3" in this example) must match one of the names in the INF file! -![571_11_image-20210320020022-11](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_11_image-20210320020022-11.webp) +![571_11_image-20210320020022-11](/img/product_docs/policypak/policypak/remoteworkdelivery/571_11_image-20210320020022-11.webp) **Step 9 –** Skip the Revert actions screen unless you wish to add a revert action. **Step 10 –** At the Policy settings screen give the policy a descriptive name, then click **Finish**. -![571_12_image-20210320020022-12](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_12_image-20210320020022-12.webp) +![571_12_image-20210320020022-12](/img/product_docs/policypak/policypak/remoteworkdelivery/571_12_image-20210320020022-12.webp) **Step 11 –** Run GPUPDATE on an endpoint that receives this policy to test, then verify under Printers & Scanners that you see the printer installed. **NOTE:** The printer may take around 30 seconds to install. 
-![571_13_image-20210320020022-13](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/571_13_image-20210320020022-13.webp) +![571_13_image-20210320020022-13](/img/product_docs/policypak/policypak/remoteworkdelivery/571_13_image-20210320020022-13.webp) diff --git a/docs/policypak/policypak/remoteworkdelivery/processorderprecedence.md b/docs/policypak/policypak/remoteworkdelivery/processorderprecedence.md index 39caafc684..e93f118418 100644 --- a/docs/policypak/policypak/remoteworkdelivery/processorderprecedence.md +++ b/docs/policypak/policypak/remoteworkdelivery/processorderprecedence.md @@ -5,7 +5,7 @@ order. So, lower-numbered policies attempt to process first, and higher-numbered process last. Then, lower-numbered collections attempt to process first, and higher-numbered collections attempt to process last. -![understanding_processing_order](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/understanding_processing_order.webp) +![understanding_processing_order](/img/product_docs/policypak/policypak/remoteworkdelivery/understanding_processing_order.webp) Within any collection, there may be other collections, as well as policies. As such, each policy and collection is also processed in numerical order, starting at each level with the lowest-numbered diff --git a/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md b/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md index fc30410715..ca80154f4c 100644 --- a/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md +++ b/docs/policypak/policypak/remoteworkdelivery/updateclientsideextension.md 
@@ -25,11 +25,11 @@ This article will cover creating a policy to cover both. **Step 3 –** Add a **New Collection**, rename it, enable and click **OK**. -![778_1_image-20210113000713-1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_1_image-20210113000713-1.webp) +![778_1_image-20210113000713-1](/img/product_docs/policypak/policypak/remoteworkdelivery/778_1_image-20210113000713-1.webp) **Step 4 –** Add a New Standard Policy. -![778_2_image-20210113000713-2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_2_image-20210113000713-2.webp) +![778_2_image-20210113000713-2](/img/product_docs/policypak/policypak/remoteworkdelivery/778_2_image-20210113000713-2.webp) **Step 5 –** Select **Copy a single File** and click **Next**. @@ -38,12 +38,12 @@ and click **Next**. **Step 7 –** Enter the UNC path to the MSI file (32 or 64 bit) and click **Next**. -![778_3_image-20210113000713-3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_3_image-20210113000713-3.webp) +![778_3_image-20210113000713-3](/img/product_docs/policypak/policypak/remoteworkdelivery/778_3_image-20210113000713-3.webp) **Step 8 –** Set the directory that you want to place the downloaded file and ensure the file name is correct. Click **Next**. -![778_4_image-20210113000713-4](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_4_image-20210113000713-4.webp) +![778_4_image-20210113000713-4](/img/product_docs/policypak/policypak/remoteworkdelivery/778_4_image-20210113000713-4.webp) **NOTE:** You can use Environment Variables. 
@@ -52,32 +52,32 @@ is correct. Click **Next**. **Step 10 –** Select **Always**. This will allow the application to stay up to date as the source file is updated and replaced. Click **Next**. -![778_5_image-20210113000713-5](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_5_image-20210113000713-5.webp) +![778_5_image-20210113000713-5](/img/product_docs/policypak/policypak/remoteworkdelivery/778_5_image-20210113000713-5.webp) **Step 11 –** Under Post-copy actions, select **Run process** and Type/copy in the installation command `(msiexec.exe /qb /i %destination%)`. Click **Next**. -![778_6_image-20210113000713-6](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_6_image-20210113000713-6.webp) +![778_6_image-20210113000713-6](/img/product_docs/policypak/policypak/remoteworkdelivery/778_6_image-20210113000713-6.webp) **NOTE:** `%Destination% = destination path + filename` (`%Systemdrive\temp\CSE\PPx54.MSI`) **Step 12 –** Under Revert actions, select **Do Nothing** (the application cannot uninstall itself). Click **Next**. -![778_7_image-20210113000713-7](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_7_image-20210113000713-7.webp) +![778_7_image-20210113000713-7](/img/product_docs/policypak/policypak/remoteworkdelivery/778_7_image-20210113000713-7.webp) **Step 13 –** Rename the Policy if desired (e.g. Update PolicyPak CSE – 64bit) **Step 14 –** Enable **Item Level Targeting** and click **Edit**. 
-![778_8_image-20210113000713-8](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_8_image-20210113000713-8.webp) +![778_8_image-20210113000713-8](/img/product_docs/policypak/policypak/remoteworkdelivery/778_8_image-20210113000713-8.webp) - Click on **New Item** and select **Environment Variable** - Name = Processor_Architecture - Value = AMD64 (for 64-bit) OR x86 (for 32-bit) - Click **OK** to close -![778_9_image-20210113000713-9](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/778_9_image-20210113000713-9.webp) +![778_9_image-20210113000713-9](/img/product_docs/policypak/policypak/remoteworkdelivery/778_9_image-20210113000713-9.webp) **Step 15 –** Click **Finish**. diff --git a/docs/policypak/policypak/remoteworkdelivery/variables.md b/docs/policypak/policypak/remoteworkdelivery/variables.md index 4544bd9c9c..5455c8deae 100644 --- a/docs/policypak/policypak/remoteworkdelivery/variables.md +++ b/docs/policypak/policypak/remoteworkdelivery/variables.md @@ -8,7 +8,7 @@ Using the list below you can use these variables as sources or destinations. For instance to copy files from `\\server2016\share` to `%DesktopDir%` simply put in `%DesktopDir%` in the Destination slo: -![806_1_img](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/806_1_img.webp) +![806_1_img](/img/product_docs/policypak/policypak/remoteworkdelivery/806_1_img.webp) The acceptable variables are below. Be sure to encapsulate them all with %, like %DestopDir% diff --git a/docs/policypak/policypak/requirements/gpocompilancereporter/sqlserver.md b/docs/policypak/policypak/requirements/gpocompilancereporter/sqlserver.md index 440582777c..90674deaf3 100644 --- a/docs/policypak/policypak/requirements/gpocompilancereporter/sqlserver.md +++ b/docs/policypak/policypak/requirements/gpocompilancereporter/sqlserver.md 
@@ -25,14 +25,14 @@ By default Endpoint Policy Manager Group Policy Compliance Reporter will keep 99 You are generally advised to tune this down. General recommendation would be like 5 or so. -![762_1_image-20191028221305-1_950x522](../../../../../static/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_1_image-20191028221305-1_950x522.webp) +![762_1_image-20191028221305-1_950x522](/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_1_image-20191028221305-1_950x522.webp) ## Estimates for Auditor Scheduled Task When computers send data to the PPGPCR Server via the Scheduled Task, you will see computers checking in here: -![762_3_image-20191028221305-2_950x504](../../../../../static/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_3_image-20191028221305-2_950x504.webp) +![762_3_image-20191028221305-2_950x504](/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_3_image-20191028221305-2_950x504.webp) Endpoint Policy Manager Group Policy Compliance Server stores multiple pushes of data for historical purposes, althought this data is not exposed for customers at this time, and is not tunable. @@ -43,7 +43,7 @@ per day. The maximum the auditor can run by default is 20 times. This is configurable via the PPGPCR Auditor Endpoints: Maximum check-ins per day policy setting. -![762_5_image-20191028221305-3_950x623](../../../../../static/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_5_image-20191028221305-3_950x623.webp) +![762_5_image-20191028221305-3_950x623](/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_5_image-20191028221305-3_950x623.webp) For very large environments we recommend you tune this to 1 time per day, so the database doesn't grow unnecessarily. The database will grow (essentially) as follows: 
@@ -55,4 +55,4 @@ Old auditor data is auto-expunged every 36 hours, where all the previous auditor most current is marked for future deletion. You can tune when this occurs with this PPGPCR ADMX setting: -![762_7_image-20191028221305-4_950x726](../../../../../static/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_7_image-20191028221305-4_950x726.webp) +![762_7_image-20191028221305-4_950x726](/img/product_docs/policypak/policypak/requirements/gpocompilancereporter/762_7_image-20191028221305-4_950x726.webp) diff --git a/docs/policypak/policypak/requirements/support/applicationsettings/applicationvirtualization.md b/docs/policypak/policypak/requirements/support/applicationsettings/applicationvirtualization.md index d768d939bd..3f6d0e7478 100644 --- a/docs/policypak/policypak/requirements/support/applicationsettings/applicationvirtualization.md +++ b/docs/policypak/policypak/requirements/support/applicationsettings/applicationvirtualization.md @@ -5,4 +5,4 @@ Virtualization, Spoon.Net, and Symantec Workspace Virtualization are all support Endpoint Policy Manager (formerly PolicyPak). To see videos on these solutions watch go to Application Manager > -[Video Learning Center](../../../applicationsettings/overview/videolearningcenter.md). +[Video Learning Center](/docs/policypak/policypak/applicationsettings/overview/videolearningcenter.md). diff --git a/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md b/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md index f99541eae5..90252594fb 100644 --- a/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md +++ b/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md 
@@ -4,7 +4,7 @@ Here is a table to help you understand what is supported. Note that Firefox versions not listed on this table are not yet tested and may or may not work -![image001](../../../../../../../static/img/product_docs/policypak/policypak/requirements/support/applicationsettings/firefox/image001.webp) +![image001](/img/product_docs/policypak/policypak/requirements/support/applicationsettings/firefox/image001.webp) The reason you need to upgrade the CSE to support the various levels of Firefox is because the Firefox methods for accepting certificates changed, and therefore we changed with them to support diff --git a/docs/policypak/policypak/requirements/support/arm.md b/docs/policypak/policypak/requirements/support/arm.md index 45355b27f0..fe4d6a595a 100644 --- a/docs/policypak/policypak/requirements/support/arm.md +++ b/docs/policypak/policypak/requirements/support/arm.md @@ -21,9 +21,9 @@ may not be able to be run based upon the processor you are using. For instance, Surface Pro X can run `c:\windows\SysArm32\Calc.exe`, but a Mac M1 cannot run that same problem (both examples are below). -![992_1_image-20231203190233-1_950x681](../../../../../static/img/product_docs/policypak/policypak/requirements/support/992_1_image-20231203190233-1_950x681.webp) +![992_1_image-20231203190233-1_950x681](/img/product_docs/policypak/policypak/requirements/support/992_1_image-20231203190233-1_950x681.webp) -![992_2_image-20231203190233-2_950x744](../../../../../static/img/product_docs/policypak/policypak/requirements/support/992_2_image-20231203190233-2_950x744.webp) +![992_2_image-20231203190233-2_950x744](/img/product_docs/policypak/policypak/requirements/support/992_2_image-20231203190233-2_950x744.webp) **NOTE:** When Endpoint Policy Manager CSE is installed we will not install some components which don't apply when the processor is determined to be unable to run ARM32 applications. 
diff --git a/docs/policypak/policypak/requirements/support/startscreentaskbar/mappeddrives.md b/docs/policypak/policypak/requirements/support/startscreentaskbar/mappeddrives.md index 3f5350e22d..4531127b41 100644 --- a/docs/policypak/policypak/requirements/support/startscreentaskbar/mappeddrives.md +++ b/docs/policypak/policypak/requirements/support/startscreentaskbar/mappeddrives.md @@ -7,4 +7,4 @@ If you receive a text message similar to the one below when clicking on the appl the Start Screen, then it means that either the Application is not present at the physical path, or it is configured with a Mapped Drive instead of the UNC Path. -![841_1_image-20201201090844-1](../../../../../../static/img/product_docs/policypak/policypak/requirements/support/startscreentaskbar/841_1_image-20201201090844-1.webp) +![841_1_image-20201201090844-1](/img/product_docs/policypak/policypak/requirements/support/startscreentaskbar/841_1_image-20201201090844-1.webp) diff --git a/docs/policypak/policypak/requirements/support/windows11.md b/docs/policypak/policypak/requirements/support/windows11.md index c7cbc29262..705c1b7776 100644 --- a/docs/policypak/policypak/requirements/support/windows11.md +++ b/docs/policypak/policypak/requirements/support/windows11.md @@ -41,7 +41,7 @@ An example can be seen below. Note it doesn't matter if the pulldown is set for IE** or **Open as IE in Edge tab** is set. Those settings only matter for Windows 10 and are ignored in Windows 11. -![736_1_image-20220128125242-1](../../../../../static/img/product_docs/policypak/policypak/requirements/support/736_1_image-20220128125242-1.webp) +![736_1_image-20220128125242-1](/img/product_docs/policypak/policypak/requirements/support/736_1_image-20220128125242-1.webp) ## Example 2: Using Wildcards (or RegEx or Internet Security Zone) and attempting to set the browser to Internet Explorer 
@@ -51,7 +51,7 @@ expected. Starting with Endpoint Policy Manager CSE 3068 on Windows 11, Endpoint Policy Manager Browser Router will route these to the Default Browser. -![736_2_image-20220128125242-2](../../../../../static/img/product_docs/policypak/policypak/requirements/support/736_2_image-20220128125242-2.webp) +![736_2_image-20220128125242-2](/img/product_docs/policypak/policypak/requirements/support/736_2_image-20220128125242-2.webp) ## How are Default Browser Policies handled (With Windows 11)? @@ -61,7 +61,7 @@ and make a decision accordingly if you've set this to Internet Explorer. **NOTE:** Windows 10 will honor the Internet explorer setting, but Windows 11 needs to have a plan. -![736_3_image-20220128125242-3](../../../../../static/img/product_docs/policypak/policypak/requirements/support/736_3_image-20220128125242-3.webp) +![736_3_image-20220128125242-3](/img/product_docs/policypak/policypak/requirements/support/736_3_image-20220128125242-3.webp) - If you use Endpoint Policy Manager Browser Router to specify a Default Browser (Edge, Chrome, Firefox, Custom, or User Selectable), you will get what you expect. diff --git a/docs/policypak/policypak/requirements/support/windows7.md b/docs/policypak/policypak/requirements/support/windows7.md index 0d6a85690b..c4b22ff8ba 100644 --- a/docs/policypak/policypak/requirements/support/windows7.md +++ b/docs/policypak/policypak/requirements/support/windows7.md 
@@ -5,7 +5,7 @@ not supported with Netwrix Endpoint Policy Manager (formerly PolicyPak) installe Endpoint Policy Manager only supports versions of the operating system which are actively supported by Microsoft. This is covered in this -FAQ:[Which Windows Client and Server are currently supported by Endpoint Policy Manager?](windows.md) +FAQ:[Which Windows Client and Server are currently supported by Endpoint Policy Manager?](/docs/policypak/policypak/requirements/support/windows.md) That being said, Endpoint Policy Manager and unsupported operating systems are BEST EFFORT. diff --git a/docs/policypak/policypak/scriptstriggers/bitlockerdeployment.md b/docs/policypak/policypak/scriptstriggers/bitlockerdeployment.md index b3808cb12c..d181b7e40c 100644 --- a/docs/policypak/policypak/scriptstriggers/bitlockerdeployment.md +++ b/docs/policypak/policypak/scriptstriggers/bitlockerdeployment.md @@ -28,7 +28,7 @@ Templates Manager **Step 3 –** Add a new collection -![66_1_image-20200725154035-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_1_image-20200725154035-1.webp) +![66_1_image-20200725154035-1](/img/product_docs/policypak/policypak/scriptstriggers/66_1_image-20200725154035-1.webp) **Step 4 –** Give the Collection a descriptive name and, if required, set Item Level Targeting (ILT can filter the policy based on many different criteria including computer type (e.g. laptops), @@ -38,7 +38,7 @@ Operating System (e.g. Windows 10) or Security Group (e.g. Sales)) **Step 6 –** Add a new Policy -![66_3_image-20200725154035-2_626x151](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_3_image-20200725154035-2_626x151.webp) +![66_3_image-20200725154035-2_626x151](/img/product_docs/policypak/policypak/scriptstriggers/66_3_image-20200725154035-2_626x151.webp) **Step 7 –** Browse to Windows Components and click on BitLocker Drive Encryption 
@@ -50,7 +50,7 @@ Server 2008 and Windows Vista)" and set the following configuration 3. Set Select BitLocker recovery information to store: "Recovery passwords and key packages" 4. Click OK - ![66_5_image-20200725154035-3_493x143](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_5_image-20200725154035-3_493x143.webp) + ![66_5_image-20200725154035-3_493x143](/img/product_docs/policypak/policypak/scriptstriggers/66_5_image-20200725154035-3_493x143.webp) **Step 9 –** In the same location, open "Choose drive encryption method and cipher strength (Windows 10 [version 1511] and later) and set the following configuration @@ -60,11 +60,11 @@ Server 2008 and Windows Vista)" and set the following configuration non-Windows 10 computers) 3. Click OK - ![66_7_image-20200725154035-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_7_image-20200725154035-4.webp) + ![66_7_image-20200725154035-4](/img/product_docs/policypak/policypak/scriptstriggers/66_7_image-20200725154035-4.webp) **Step 10 –** Click CLOSE -![66_9_image-20200725154035-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_9_image-20200725154035-5.webp) +![66_9_image-20200725154035-5](/img/product_docs/policypak/policypak/scriptstriggers/66_9_image-20200725154035-5.webp) **NOTE:** If deploying different BitLocker configurations for different groups of users or computers, repeat steps 4 through 10 for each different configuration, setting the ILT on the @@ -77,7 +77,7 @@ collection to target your desired groupings. 1. Click NEXT 2. Select "Apply this policy to computer (default) and click NEXT - ![66_11_image-20200725154035-6_489x65](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_11_image-20200725154035-6_489x65.webp) + ![66_11_image-20200725154035-6_489x65](/img/product_docs/policypak/policypak/scriptstriggers/66_11_image-20200725154035-6_489x65.webp) 3. Configure "On apply action" 
@@ -85,7 +85,7 @@ collection to target your desired groupings. `Manage-bde -on %systemdrive% -Used` - ![66_13_image-20200814161653-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_13_image-20200814161653-2.webp) + ![66_13_image-20200814161653-2](/img/product_docs/policypak/policypak/scriptstriggers/66_13_image-20200814161653-2.webp) 2. Click NEXT @@ -95,13 +95,13 @@ collection to target your desired groupings. `Manage-bde -off %systemdrive%` - ![66_14_image-20200725154035-8](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_14_image-20200725154035-8.webp) + ![66_14_image-20200725154035-8](/img/product_docs/policypak/policypak/scriptstriggers/66_14_image-20200725154035-8.webp) 2. Click NEXT 5. Select either "Once" or "Once or when forced" and click NEXT - ![66_16_image-20200725154035-9](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/66_16_image-20200725154035-9.webp) + ![66_16_image-20200725154035-9](/img/product_docs/policypak/policypak/scriptstriggers/66_16_image-20200725154035-9.webp) 6. Give the policy a descriptive name and set Item Level Targeting if required 7. Click FINISH diff --git a/docs/policypak/policypak/scriptstriggers/edgefirstlogon.md b/docs/policypak/policypak/scriptstriggers/edgefirstlogon.md index e19311bb6b..8909dee0de 100644 --- a/docs/policypak/policypak/scriptstriggers/edgefirstlogon.md +++ b/docs/policypak/policypak/scriptstriggers/edgefirstlogon.md @@ -6,7 +6,7 @@ Mode or on the User side. **Step 2 –** Use the script below and be sure to check the option to run the script interactively and as the user. -![868_1_image-20220225024809-1_950x457](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/868_1_image-20220225024809-1_950x457.webp) +![868_1_image-20220225024809-1_950x457](/img/product_docs/policypak/policypak/scriptstriggers/868_1_image-20220225024809-1_950x457.webp) ``` $path = "$env:LOCALAPPDATA\temp\1stlogon.flg" 
@@ -30,7 +30,7 @@ else **Step 3 –** At the "Specify process mode" screen select "On trigger" and choose "Logon" from the drop-down, then click "Next". -![868_2_image-20220225024809-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/868_2_image-20220225024809-2.webp) +![868_2_image-20220225024809-2](/img/product_docs/policypak/policypak/scriptstriggers/868_2_image-20220225024809-2.webp) **Step 4 –** At the Trigger settings" screen set a delay if desired otherwise click "Next" the skip this option. @@ -40,4 +40,4 @@ this option. **Step 6 –** Lastly, apply the policy, and test with a new user logon, if all goes well you will see the screen below after a successful 1st logon. -![868_3_image-20220225024809-3_900x490](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/868_3_image-20220225024809-3_900x490.webp) +![868_3_image-20220225024809-3_900x490](/img/product_docs/policypak/policypak/scriptstriggers/868_3_image-20220225024809-3_900x490.webp) diff --git a/docs/policypak/policypak/scriptstriggers/gettoknow/computerside.md b/docs/policypak/policypak/scriptstriggers/gettoknow/computerside.md index 8aaf913373..16cda91c04 100644 --- a/docs/policypak/policypak/scriptstriggers/gettoknow/computerside.md +++ b/docs/policypak/policypak/scriptstriggers/gettoknow/computerside.md @@ -4,7 +4,7 @@ In the Quickstart example, we delivered scripts to users, but Endpoint Policy Ma deliver scripts on the Computer side. There are two options when you create a scripts policy from the Computer side, which can be seen in Figure 17. -![getting_to_know_scripts_triggers_13](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_13.webp) +![getting_to_know_scripts_triggers_13](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_13.webp) Figure 17. Using Endpoint Policy Manager Scripts & Triggers Manager Wizard on the Computer side. 
diff --git a/docs/policypak/policypak/scriptstriggers/gettoknow/overview.md b/docs/policypak/policypak/scriptstriggers/gettoknow/overview.md index d9da0f7b2d..5dc5c2e88a 100644 --- a/docs/policypak/policypak/scriptstriggers/gettoknow/overview.md +++ b/docs/policypak/policypak/scriptstriggers/gettoknow/overview.md @@ -8,7 +8,7 @@ collection. **NOTE:** You will only see the Endpoint Policy Manager Scripts & Triggers Manager node when the latest Admin Console MSI is installed on the management station. -![getting_to_know_scripts_triggers](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers.webp) +![getting_to_know_scripts_triggers](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers.webp) Figure 4. The location of the Endpoint Policy Manager Scripts & Triggers Manager. @@ -22,7 +22,7 @@ We suggest you download the sample scripts that we've provided on our website to station and follow along. Select the Guidance XMLs and Scripts category, then download them, as seen in Figure 5. -![getting_to_know_scripts_triggers_1](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_1.webp) +![getting_to_know_scripts_triggers_1](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_1.webp) Figure 5. Download the Endpoint Policy Manager scripts from the Guidance XMLs location in the Endpoint Policy Manager Portal. 
@@ -30,6 +30,6 @@ Endpoint Policy Manager Portal. Before continuing, make sure you have the downloaded script examples unpacked and ready to go. You should have a folder that looks similar to what's seen in Figure 6. -![getting_to_know_scripts_triggers_2](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_2.webp) +![getting_to_know_scripts_triggers_2](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_2.webp) Figure 6. Endpoint Policy Manager script examples unpacked. diff --git a/docs/policypak/policypak/scriptstriggers/gettoknow/shortcuts.md b/docs/policypak/policypak/scriptstriggers/gettoknow/shortcuts.md index 07faeffbcc..8cc32293d6 100644 --- a/docs/policypak/policypak/scriptstriggers/gettoknow/shortcuts.md +++ b/docs/policypak/policypak/scriptstriggers/gettoknow/shortcuts.md 
@@ -11,14 +11,14 @@ when it "falls out of scope"). link it to your users. In this example (Figure 7) we have a GPO created and linked it to the East Sales Users OU. -![getting_to_know_scripts_triggers_3](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_3.webp) +![getting_to_know_scripts_triggers_3](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_3.webp) Figure 7. Using Group Policy to create and link a GPO to East Sales Users. **Step 2 –** Edit the GPO, then go to User Configuration | Endpoint Policy Manager | Scripts & Triggers Manager as shown in Figure 8 and select Add | New Policy. -![getting_to_know_scripts_triggers_4](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_4.webp) +![getting_to_know_scripts_triggers_4](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_4.webp) Figure 8. Using the Group Policy Editor to make a new Endpoint Policy Manager Scripts & Triggers Manager policy. @@ -30,7 +30,7 @@ appears. Click "Next" to continue. from the PS\Create_PolicyPak_Shortcut.ps1 file from the PS folder included in the downloaded examples. The result can be seen in Figure 9. -![getting_to_know_scripts_triggers_5](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_5.webp) +![getting_to_know_scripts_triggers_5](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_5.webp) Figure 9. Using Endpoint Policy Manager Scripts & Trigger Manager to deliver a PowerShell script. 
@@ -44,14 +44,14 @@ meant for computers. **Step 5 –** On the "On revert action" page, select "PowerShell script," then copy in the Remove_PolicyPak_Shortcut.ps1 script contents, as seen in Figure 10. -![getting_to_know_scripts_triggers_6](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_6.webp) +![getting_to_know_scripts_triggers_6](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_6.webp) Figure 10. Setting up a Revert Action script when the policy no longer applies. **Step 6 –** Click "Next" to continue. You will encounter the "Specify process mode" screen seen in Figure 11. -![getting_to_know_scripts_triggers_7](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_7.webp) +![getting_to_know_scripts_triggers_7](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_7.webp) Figure 11. Specifying when the script should run. 
@@ -77,20 +77,20 @@ The "Specify process mode" page enables you to dictate when a script will apply. settings" page, give the policy a name like "Desktop icon on and off." Leave the State and Item-Level Targeting fields set with the defaults, as shown in Figure 12, and click "Finish." -![getting_to_know_scripts_triggers_8](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_8.webp) +![getting_to_know_scripts_triggers_8](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_8.webp) Figure 12. Endpoint Policy Manager Scripts & Triggers Manager Wizard final settings page. The result of the policy you created can be seen in an entry like the one shown in Figure 13. -![getting_to_know_scripts_triggers_9](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_9.webp) +![getting_to_know_scripts_triggers_9](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_9.webp) Figure 13. The new Endpoint Policy Manager scripts policy in the Group Policy Editor. You can also validate that your settings are contained within the GPO by looking at the Group Policy HTML settings report in the GPMC, as shown in Figure 14. -![getting_to_know_scripts_triggers_10](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_10.webp) +![getting_to_know_scripts_triggers_10](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_10.webp) Figure 14. Endpoint Policy Manager Scripts & Triggers Manager items appear in the GPMC reports. 
@@ -98,7 +98,7 @@ Figure 14. Endpoint Policy Manager Scripts & Triggers Manager items appear in th applies. In this example, we'll log in as EastSalesUser8. When logging in, you'll see the policy apply the script and an icon like the one shown in Figure 15 will be visible. -![getting_to_know_scripts_triggers_11](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_11.webp) +![getting_to_know_scripts_triggers_11](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_11.webp) Figure 15. An example of a Endpoint Policy Manager Scripts & Triggers Manager PowerShell script on the endpoint. @@ -106,7 +106,7 @@ the endpoint. **Step 9 –** To complete testing, go back to the GPMC, and un-link the GPO to make it stop applying, as seen in Figure 16. -![getting_to_know_scripts_triggers_12](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_12.webp) +![getting_to_know_scripts_triggers_12](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_12.webp) Figure 16. Make a policy stop applying by removing the "Link Enabled" settings in the GPMC. diff --git a/docs/policypak/policypak/scriptstriggers/gettoknow/usage.md b/docs/policypak/policypak/scriptstriggers/gettoknow/usage.md index e248de5249..1e11e5ad93 100644 --- a/docs/policypak/policypak/scriptstriggers/gettoknow/usage.md +++ b/docs/policypak/policypak/scriptstriggers/gettoknow/usage.md 
@@ -6,7 +6,7 @@ once the VPN connection or application is closed. You can do this through the us Manager scripts and triggers. **NOTE:** For an overview of Endpoint Policy Manager scripts and triggers see -[Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](../../video/scriptstriggers/mapdrivetriggers.md). +[Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](/docs/policypak/policypak/video/scriptstriggers/mapdrivetriggers.md). **Step 1 –** Let's use an example in which you want to map a printer for your users whenever they use Acrobat Reader. There are a couple of script options we can use to map a printer. It is highly 
@@ -15,21 +15,21 @@ will prevent you from having to troubleshoot issues down the road when you deplo Figure 18 we are using a simple PowerShell script to map the printer. (If the PowerShell script doesn't work for your environment then you can use a traditional batch script to map it.) -![getting_to_know_scripts_triggers_14](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_14.webp) +![getting_to_know_scripts_triggers_14](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_14.webp) Figure 18. Using a PowerShell script to map a printer. **Step 2 –** There are no revert scripts when using triggers so this section is not applicable as shown in Figure 19. -![getting_to_know_scripts_triggers_15](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_15.webp) +![getting_to_know_scripts_triggers_15](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_15.webp) Figure 19. There are no revert scripts when using triggers. **Step 3 –** You then need to select your desired trigger type. In Figure 20 we are selecting "Process start."  Notice the other trigger options available. -![getting_to_know_scripts_triggers_16](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_16.webp) +![getting_to_know_scripts_triggers_16](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_16.webp) Figure 20. Choosing the desired trigger type. 
@@ -37,7 +37,7 @@ Figure 20. Choosing the desired trigger type. to the application process itself if it is currently running. In Figure 21 we have selected the Acrobat Reader file. -![getting_to_know_scripts_triggers_17](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_17.webp) +![getting_to_know_scripts_triggers_17](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_17.webp) Figure 21. Selecting the application file. @@ -46,13 +46,13 @@ Figure 21. Selecting the application file. **Step 6 –** Now you need to create another policy that will remove the printer mapping once the user closes Acrobat Reader. To do this, we will use a PowerShell script, shown in Figure 22. -![getting_to_know_scripts_triggers_18](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_18.webp) +![getting_to_know_scripts_triggers_18](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_18.webp) Figure 22. Using a PowerShell script to remove a printer connection. **Step 7 –** Now you need to select "Process close" for the trigger type, as shown in Figure 23. -![getting_to_know_scripts_triggers_19](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_19.webp) +![getting_to_know_scripts_triggers_19](/img/product_docs/policypak/policypak/scriptstriggers/gettoknow/getting_to_know_scripts_triggers_19.webp) Figure 23. Choosing "Process close" as the trigger type to remove the printer when the user closes Acrobat Reader. diff --git a/docs/policypak/policypak/scriptstriggers/insouts.md b/docs/policypak/policypak/scriptstriggers/insouts.md index 177853a7f4..142dd55638 100644 --- a/docs/policypak/policypak/scriptstriggers/insouts.md +++ b/docs/policypak/policypak/scriptstriggers/insouts.md 
@@ -30,7 +30,7 @@ Document, for example. **Step 5 –** Enter a name for the file, such as myscript.bat. -![about_policypak_scripts_triggers](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers.webp) +![about_policypak_scripts_triggers](/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers.webp) Figure 1. Adding a script. @@ -50,7 +50,7 @@ Policies | Windows Settings | Scripts (Logon/Logoff). Similar settings for the c Computer Configuration | Policies | Windows Settings | Scripts (Startup/Shutdown). The dialog can be seen in Figure 2. -![about_policypak_scripts_triggers_1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers_1.webp) +![about_policypak_scripts_triggers_1](/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers_1.webp) Figure 2. Using the in-box Group Policy method to deploy PowerShell scripts. @@ -77,7 +77,7 @@ Management extension. For more information on this extension see [https://docs.microsoft.com/en-us/intune/intune-management-extension](https://docs.microsoft.com/en-us/intune/intune-management-extension). Figure 3 shows the available options for adding a PowerShell script with Intune. -![about_policypak_scripts_triggers_2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers_2.webp) +![about_policypak_scripts_triggers_2](/img/product_docs/policypak/policypak/scriptstriggers/about_policypak_scripts_triggers_2.webp) Figure 3. Deploying a PowerShell script using Microsoft Endpoint Manager. diff --git a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/exportcollections.md b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/exportcollections.md index 235fde0b40..b21d31e8c8 100644 --- a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/exportcollections.md 
+++ b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/exportcollections.md 
@@ -1,28 +1,28 @@ # Exporting Collections -Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](../../mdm/uemtools.md) explains +Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) explains how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directive and deliver it using an MDM service such as Microsoft Endpoint Manager (SCCM and Intune), KACE, and so on, as well as via Endpoint Policy Manager Cloud. **NOTE:** For a video demonstrating the use of Endpoint Policy Manager scripts with Endpoint Policy Manager Cloud and an MDM service see -[Endpoint Policy ManagerScripts .. Deploy Software via VPN or with Endpoint Policy Manager Cloud](../../video/scriptstriggers/cloud.md) +[Endpoint Policy ManagerScripts .. Deploy Software via VPN or with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/scriptstriggers/cloud.md) and -[Endpoint Policy Manager Scripts and YOUR MDM service: Un-real power](../../video/scriptstriggers/mdm.md) +[Endpoint Policy Manager Scripts and YOUR MDM service: Un-real power](/docs/policypak/policypak/video/scriptstriggers/mdm.md) Remember that Endpoint Policy Manager Scripts & Triggers Manager policies can be created and exported on the User or Computer side. For instance, in Figure 30, you can see an export from the User side. -![using_item_level_targeting_6](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) +![using_item_level_targeting_6](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_6.webp) Figure 30. Exporting a policy from the User side. In Figure 31, you can see an export of a Endpoint Policy Manager Scripts & Triggers Manager XML file from the Computer side. 
-![using_item_level_targeting_7](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) +![using_item_level_targeting_7](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_7.webp) Figure 31. Exporting a collection from the Computer side. @@ -41,9 +41,9 @@ Cloud, right-click the collection or the policy and select "Export as XML," as d Figure 32. **NOTE:** For a video showing how to export policies and use Endpoint Policy Manager Exporter, watch -[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](../../video/mdm/exporterutility.md). +[Deploying Endpoint Policy Managerdirectives without Group Policy (Endpoint Policy Manager Exporter Utility)](/docs/policypak/policypak/video/mdm/exporterutility.md). -![using_item_level_targeting_8](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) +![using_item_level_targeting_8](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_8.webp) Figure 32. Choosing this option will allow the user to export the policy for later use. diff --git a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/overview.md b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/overview.md index 7e77b5dd19..e0482f24dc 100644 --- a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/overview.md +++ b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/overview.md 
@@ -11,7 +11,7 @@ policies so they can act together. For instance, you might create a collection f computers and another for West Sales computers. Or you might create a collection for Windows 10 machines and one for Windows Server 2016 RDS, as seen in Figure 24. -![using_item_level_targeting](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) Figure 24. Scripts & Triggers Manger allows the user to create collections and then set Item-Level Targeting upon the collections. @@ -19,7 +19,7 @@ Targeting upon the collections. Right-click any Endpoint Policy Manager Scripts & Triggers Manager policy, and select "Edit Item Level Targeting," as demonstrated in Figure 25. -![using_item_level_targeting_1](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) Figure 25. Setting Item-Level Targeting for policy entries themselves. @@ -34,7 +34,7 @@ targeting items in much the same way parentheses are used in an equation. In thi create a complex determination about where a policy will be applied. Collections may be set to "And", "Or", "Is", or "Is Not." -![using_item_level_targeting_2](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) Figure 26. In this example, the Pak would only apply to Windows 10 machines when the machine is portable and the user is in the FABRIKAM\Traveling Sales Users group. 
@@ -58,7 +58,7 @@ Below are some real-world examples of of how you can use Item-Level Targeting. After editing is completed, close the editor. Note that the icon for the policy or collection has changed to orange, which shows that it now has Item-Level Targeting, as seen in Figure 27. -![using_item_level_targeting_3](../../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) Figure 27. When the policy or collection's icon is orange, the entry has Item-Level Targeting. diff --git a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/processorderprecedence.md b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/processorderprecedence.md index 7a310fe0c4..4888a95981 100644 --- a/docs/policypak/policypak/scriptstriggers/itemleveltargeting/processorderprecedence.md +++ b/docs/policypak/policypak/scriptstriggers/itemleveltargeting/processorderprecedence.md 
@@ -5,11 +5,11 @@ So lower-numbered collections attempt to process first, and higher-numbered coll process last as shown in Figure 28. Then, within any collection, each policy is processed in numerical order from lowest to highest, as seen in Figure 29. -![using_item_level_targeting_4](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) +![using_item_level_targeting_4](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_4.webp) Figure 28. The order collections are processed in. -![using_item_level_targeting_5](../../../../../static/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) +![using_item_level_targeting_5](/img/product_docs/policypak/policypak/remotedesktopprotocol/itemleveltargeting/using_item_level_targeting_5.webp) Figure 29. The order policies are processed in. diff --git a/docs/policypak/policypak/scriptstriggers/localaccountpassword.md b/docs/policypak/policypak/scriptstriggers/localaccountpassword.md index 33dedcb4dc..586bf9285f 100644 --- a/docs/policypak/policypak/scriptstriggers/localaccountpassword.md +++ b/docs/policypak/policypak/scriptstriggers/localaccountpassword.md 
@@ -29,21 +29,21 @@ If using PowerShell ISE: Enter the password in the window that appears when the script above is run. -![923_1_image-20221221103111-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/923_1_image-20221221103111-1.webp) +![923_1_image-20221221103111-1](/img/product_docs/policypak/policypak/scriptstriggers/923_1_image-20221221103111-1.webp) If running PowerShell from CMD: -![923_2_image-20221221103111-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/923_2_image-20221221103111-2.webp) +![923_2_image-20221221103111-2](/img/product_docs/policypak/policypak/scriptstriggers/923_2_image-20221221103111-2.webp) The resulting encrypted password is then stored at a secure location that is accessible from the endpoints (in this case a file on a secure network share `(\\server\share\file.txt)`. -![923_3_image-20221221103111-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/923_3_image-20221221103111-3.webp) +![923_3_image-20221221103111-3](/img/product_docs/policypak/policypak/scriptstriggers/923_3_image-20221221103111-3.webp) The next step is to create a computer side PowerShell policy in Endpoint Policy Manager Scripts & Triggers. -![923_4_image-20221221103111-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/923_4_image-20221221103111-4.webp) +![923_4_image-20221221103111-4](/img/product_docs/policypak/policypak/scriptstriggers/923_4_image-20221221103111-4.webp) Then at the "On Apply action" screen choose PowerShell script for the type of script from the dropdown, and then paste in the script below after editing it to reflect your Security Key, and the 
@@ -65,7 +65,7 @@ update any local user account you have defined in your script. In the example below we are setting the password for a local user called "EastSalesUser1", see $user below). -![923_5_image-20221221103111-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/923_5_image-20221221103111-5.webp) +![923_5_image-20221221103111-5](/img/product_docs/policypak/policypak/scriptstriggers/923_5_image-20221221103111-5.webp) **CAUTION:** The targeted endpoint must have rights to read the share and file used above (i.e., `\\server\share\file.txt`). diff --git a/docs/policypak/policypak/scriptstriggers/localscheduledtask.md b/docs/policypak/policypak/scriptstriggers/localscheduledtask.md index d43dfd1c0f..22bc6de4eb 100644 --- a/docs/policypak/policypak/scriptstriggers/localscheduledtask.md +++ b/docs/policypak/policypak/scriptstriggers/localscheduledtask.md 
@@ -3,15 +3,15 @@ **Step 1 –** Create a Netwrix Endpoint Policy Manager (formerly PolicyPak) Scripts policy on the computer side. -![879_1_image-20220916231626-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_1_image-20220916231626-1.webp) +![879_1_image-20220916231626-1](/img/product_docs/policypak/policypak/scriptstriggers/879_1_image-20220916231626-1.webp) **Step 2 –** When creating the Policy choose the option to Apply this policy to computer (default). -![879_2_image-20220916231626-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_2_image-20220916231626-2.webp) +![879_2_image-20220916231626-2](/img/product_docs/policypak/policypak/scriptstriggers/879_2_image-20220916231626-2.webp) **Step 3 –** Choose PowerShell from the dropdown. -![879_3_image-20220916231626-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_3_image-20220916231626-3.webp) +![879_3_image-20220916231626-3](/img/product_docs/policypak/policypak/scriptstriggers/879_3_image-20220916231626-3.webp) **Step 4 –** Then paste in the following script to the text field. 
@@ -33,16 +33,16 @@ Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTri Your policy should look similar to the one below: -![879_4_image-20220916231626-4_950x517](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_4_image-20220916231626-4_950x517.webp) +![879_4_image-20220916231626-4_950x517](/img/product_docs/policypak/policypak/scriptstriggers/879_4_image-20220916231626-4_950x517.webp) **Step 5 –** Skip the on revert action screen by clicking next. -![879_5_image-20220916231626-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_5_image-20220916231626-5.webp) +![879_5_image-20220916231626-5](/img/product_docs/policypak/policypak/scriptstriggers/879_5_image-20220916231626-5.webp) **Step 6 –** At the Specify process mode screen choose "Once or when forced" and then click next to continue. -![879_6_image-20220916231626-6](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/879_6_image-20220916231626-6.webp) +![879_6_image-20220916231626-6](/img/product_docs/policypak/policypak/scriptstriggers/879_6_image-20220916231626-6.webp) **Step 7 –** You're done, lastly, test your policy to ensure it runs as expected. diff --git a/docs/policypak/policypak/scriptstriggers/mappeddrives/eventlogtriggers.md b/docs/policypak/policypak/scriptstriggers/mappeddrives/eventlogtriggers.md index 822e115f4a..2d1e217e19 100644 --- a/docs/policypak/policypak/scriptstriggers/mappeddrives/eventlogtriggers.md +++ b/docs/policypak/policypak/scriptstriggers/mappeddrives/eventlogtriggers.md 
@@ -6,7 +6,7 @@ be used. **Step 1 –** Create a new Scripts & Triggers policy on the computer side, choose switched mode like in the screenshot below. -![848_1_image-20210801230156-1](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_1_image-20210801230156-1.webp) +![848_1_image-20210801230156-1](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_1_image-20210801230156-1.webp) **Step 2 –** At the "On apply action" screen select "PowerShell script" from the dropdown, then in the main text window, paste in the script below, check the option "Run script as user, then click 
@@ -20,21 +20,21 @@ if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Expl New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name 'SeparateProcess' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue; ``` -![848_2_image-20210801230156-2](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_2_image-20210424015614-2.webp) +![848_2_image-20210801230156-2](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_2_image-20210424015614-2.webp) **Step 3 –** Then click "Next" at the "On revert action" screen to skip that screen, then at the "Specify process mode" screen choose the "Once" option. -![848_3_image-20210801230156-3](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_3_image-20210424015614-3.webp) +![848_3_image-20210801230156-3](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_3_image-20210424015614-3.webp) **Step 4 –** At the "Policy settings" screen give the policy a descriptive name then click "Finish". -![848_4_image-20210801230156-4](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_4_image-20210424015614-4.webp) +![848_4_image-20210801230156-4](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_4_image-20210424015614-4.webp) **Step 5 –** Now create another policy (Map drives when VPN Connect Event ID is Detected) using Scripts & Triggers on the computer side, choose switched-mode like in the screenshot below. 
-![848_5_image-20210801230156-5](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_1_image-20210801230156-1.webp) +![848_5_image-20210801230156-5](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_1_image-20210801230156-1.webp) **Step 6 –** At the "On apply action" screen select "PowerShell script" from the dropdown, then in the main text window, paste in the script below then change the drive mappings to match the settings @@ -53,13 +53,13 @@ if (-not(get-psdrive -name "H" -ErrorAction SilentlyContinue)) { } ``` -![848_6_image-20210801230156-6](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_6_image-20210424015614-6.webp) +![848_6_image-20210801230156-6](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_6_image-20210424015614-6.webp) **Step 7 –** Click "Next" at the "On revert action" screen to skip that screen, then at the "Specify process mode" screen choose the "On trigger" option, then choose "Event log" from the drop down before clicking "Next" to continue. -![848_7_image-20210801230156-7](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_7_image-20210801230156-7.webp) +![848_7_image-20210801230156-7](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_7_image-20210801230156-7.webp) **Step 8 –** Before continuing Connect to the VPN then open the Windows application log and locate the successful VPN Connection event, take note of the Level, the source, and the Event ID number for 
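Review bot: the rewritten image line after the drive-mapping script keeps the alt text `848_6_image-20210801230156-6` while the file it loads is `639_6_image-20210424015614-6.webp`, so the label and the asset disagree and neither tells a screen-reader user what is shown. Replace the alt text with a description of the screenshot (the "On apply action" screen with the script pasted in, per Step 6), and confirm the `639_6` file is present under the new `/img/` root, since the old `../../../../../static/img/` path and the new one are resolved from different starting points.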
@@ -68,46 +68,46 @@ that event as you will need them in the next step. For this example I used an Azure Point-to-Site VPN connection, and the successful connection Event ID number is 20225 -![848_8_image-20210801230156-8](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_8_image-20210801230156-8.webp) +![848_8_image-20210801230156-8](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_8_image-20210801230156-8.webp) **Step 9 –** Now continue onward from Step 7 above using the information you gathered in Step 8, ensure your Trigger settings look similar to mine below, before clicking "Next". -![848_9_image-20210801230156-9](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_9_image-20210801230156-9.webp) +![848_9_image-20210801230156-9](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_9_image-20210801230156-9.webp) **Step 10 –** At the next Trigger settings screen click "Next" without editing the query. -![848_10_image-20210801230156-10](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_10_image-20210801230156-10.webp) +![848_10_image-20210801230156-10](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_10_image-20210801230156-10.webp) **Step 11 –** At the Policy Settings screen provide a descriptive name for the policy and then click "Finish". 
-![848_11_image-20210801230156-11](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_11_image-20210801230156-11.webp) +![848_11_image-20210801230156-11](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_11_image-20210801230156-11.webp) **NOTE:** You should have two policies now: -![848_12_image-20210801230156-12](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_12_image-20210801230156-12.webp) +![848_12_image-20210801230156-12](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_12_image-20210801230156-12.webp) **Step 12 –** Lastly, test the policy by logging into a computer, (or run gpupdate if already logged in) and then connect to a VPN as a user who should receive the policy. If everything works you should see the network drives show up in File Explorer -![848_13_image-20210801230156-13](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_11_image-20210424015614-11.webp) +![848_13_image-20210801230156-13](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_11_image-20210424015614-11.webp) **Step 13 –** Optionally, create a new Scripts and Triggers policy that disconnects the drives when the VPN disconnects by using the script below and also changing the trigger to "Event log", and configuring the correct settings for the successful VPN disconnect event. Please see below for a VPN disconnect example using Azure Point-to-Site VPN. 
-![848_14_image-20210801230156-14](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_12_image-20210424015614-12.webp) +![848_14_image-20210801230156-14](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_12_image-20210424015614-12.webp) -![848_15_image-20210801230156-15](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_7_image-20210801230156-7.webp) +![848_15_image-20210801230156-15](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_7_image-20210801230156-7.webp) VPN disconnect example using Azure Point-to-Site VPN -![848_16_image-20210801230156-16](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_16_image-20210801230156-16.webp) +![848_16_image-20210801230156-16](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_16_image-20210801230156-16.webp) -![848_17_image-20210801230156-17](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_17_image-20210801230156-17.webp) +![848_17_image-20210801230156-17](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/848_17_image-20210801230156-17.webp) **NOTE:** "On trigger" does not work with Revert action script which is why you need to create a new policy to disconnect the drives. diff --git a/docs/policypak/policypak/scriptstriggers/mappeddrives/powershell.md b/docs/policypak/policypak/scriptstriggers/mappeddrives/powershell.md index aeaff00ae1..4aab41c2db 100644 --- a/docs/policypak/policypak/scriptstriggers/mappeddrives/powershell.md +++ b/docs/policypak/policypak/scriptstriggers/mappeddrives/powershell.md 
@@ -6,7 +6,7 @@ need to receive the drive mapping. **Step 2 –** Edit the GPO and expand the User Configuration > Netwrix Endpoint Policy Manager (formerly PolicyPak) > Scripts Manager Section. -![216_1_image-20200220185019-1](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_1_image-20200220185019-1.webp) +![216_1_image-20200220185019-1](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_1_image-20200220185019-1.webp) **Step 3 –** With the Scripts Manager section selected click "ADD NEW COLLECTION" then give the collection a descriptive name, and click OK. @@ -16,7 +16,7 @@ double-click on the collection name to open the collection. **Step 5 –** With the collection name selected click "ADD NEW POLICY". -![216_3_image-20200220185019-2](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_3_image-20200220185019-2.webp) +![216_3_image-20200220185019-2](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_3_image-20200220185019-2.webp) **Step 6 –** Click Next to get to the "On apply action" screen, then choose "PowerShell script" from the dropdown menu. @@ -34,7 +34,7 @@ replace \\server\share with the UNC path of the share you wish to map. The "On apply action" screen should look similar to below: -![216_5_image-20200220185019-3](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_5_image-20200220185019-3.webp) +![216_5_image-20200220185019-3](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_5_image-20200220185019-3.webp) **Step 8 –** Then click Next, then Next again (skipping the "On revert action"screen) until you get to the "Specify process mode" screen. Ensure that the "Always" radio button is selected then click 
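Review bot: in Step 8 the closing quote runs straight into the next word in `(skipping the "On revert action"screen)`; add the missing space while this file is open. The hunk header context also shows `replace \\server\share with the UNC path` as plain prose, where Markdown consumes the first backslash and renders `\server\share`; putting the placeholder in backticks keeps the UNC path intact for readers who copy it into the script.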
@@ -44,7 +44,7 @@ Next, give the policy a descriptive name, then click Finish. from the (User) OU or Domain where this GPO is linked then run `"gpupdate"`, afterward open File Explorer and verify that you see the new drive mapping. -![216_7_image-20200220185019-9](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_7_image-20200220185019-9.webp) +![216_7_image-20200220185019-9](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_7_image-20200220185019-9.webp) **NOTE:** If using Endpoint Policy Manager Scripts Manager VPN Triggers to map drives on VPN connect you may need to add a delay to allow DNS to be updated before the drives are mapped, (i.e. to wait @@ -54,4 +54,4 @@ If you do not see the drive mapping in File Explorer but can see the drive mapp Use" from the CMD prompt try enabling the "Launch folder windows in a separate process" option (see image below) to see if that resolves the issue. -![216_9_image-20210204105234-1](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_9_image-20210204105234-1.webp) +![216_9_image-20210204105234-1](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/216_9_image-20210204105234-1.webp) diff --git a/docs/policypak/policypak/scriptstriggers/mappeddrives/vpn.md b/docs/policypak/policypak/scriptstriggers/mappeddrives/vpn.md index ca87df82b0..31af5603bd 100644 --- a/docs/policypak/policypak/scriptstriggers/mappeddrives/vpn.md +++ b/docs/policypak/policypak/scriptstriggers/mappeddrives/vpn.md 
@@ -4,12 +4,12 @@ - VPN used must be in the list of supported VPNs in the article below. - [Which VPN Solutions are currently supported for use with Scripts Manager VPN Triggers?](../../requirements/support/scriptstriggers/vpnsolutions.md) + [Which VPN Solutions are currently supported for use with Scripts Manager VPN Triggers?](/docs/policypak/policypak/requirements/support/scriptstriggers/vpnsolutions.md) **Step 1 –** Create a new policy (Set Launch Folder Windows in a Separate Process to Enabled) using Scripts & Triggers on the computer side, choose switched-mode like in the screenshot below. -![639_1_image-20210424015614-1](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) +![639_1_image-20210424015614-1](/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) **Step 2 –** At the "On apply action" screen select "PowerShell script" from the dropdown, then in the main text window, paste in the script below, check the option "Run script as user, then click 
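Review bot: the supported-VPN link under the first bullet moves from `../../requirements/support/scriptstriggers/vpnsolutions.md` to a path hard-coded from the site root, `/docs/policypak/policypak/requirements/...`, so it no longer survives a rename of the top-level product folder the way the relative form did. If that trade-off is intended, make sure the build fails on broken links so that a later folder move is caught at review time rather than by readers.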
@@ -24,21 +24,21 @@ New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\E ``` -![639_2_image-20210424015614-2](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_2_image-20210424015614-2.webp) +![639_2_image-20210424015614-2](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_2_image-20210424015614-2.webp) **Step 3 –** Then click "Next" at the "On revert action" screen to skip that screen, then at the "Specify process mode" screen choose the "Once" option. -![639_3_image-20210424015614-3](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_3_image-20210424015614-3.webp) +![639_3_image-20210424015614-3](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_3_image-20210424015614-3.webp) **Step 4 –** At the "Policy settings" screen give the policy a descriptive name then click "Finish. -![639_4_image-20210424015614-4](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_4_image-20210424015614-4.webp) +![639_4_image-20210424015614-4](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_4_image-20210424015614-4.webp) **Step 5 –** Now create another policy (Map drives when VPN connects) using Scripts & Triggers on the computer side, choose switched-mode like in the screenshot below. -![639_5_image-20210424015614-5](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) +![639_5_image-20210424015614-5](/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) **Step 6 –** At the "On apply action" screen select "PowerShell script" from the dropdown, then in the main text window, paste in the script below then change the drive mappings to match the settings 
@@ -58,40 +58,40 @@ if (-not(get-psdrive -name "H" -ErrorAction SilentlyContinue)) { ``` -![639_6_image-20210424015614-6](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_6_image-20210424015614-6.webp) +![639_6_image-20210424015614-6](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_6_image-20210424015614-6.webp) **Step 7 –** Click "Next" at the "On revert action" screen to skip that screen, then at the "specify process mode" screen choose the "On trigger" option, then choose "VPN connect" from the drop down before clicking "Next" to continue. -![639_7_image-20210424015614-7](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_7_image-20210424015614-7.webp) +![639_7_image-20210424015614-7](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_7_image-20210424015614-7.webp) **Step 8 –** At the "Trigger settings" screen enter an asterisk (wildcard, etc.) for the server name, then click "Next". -![639_8_image-20210424015614-8](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_8_image-20210424015614-8.webp) +![639_8_image-20210424015614-8](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_8_image-20210424015614-8.webp) **Step 9 –** At the "Policy settings" screen give the policy a descriptive name then click "Finish. 
-![639_9_image-20210424015614-9](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_9_image-20210424015614-9.webp) +![639_9_image-20210424015614-9](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_9_image-20210424015614-9.webp) **NOTE:** You should have two policies now: -![639_10_image-20210424015614-10](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_10_image-20210424015614-10.webp) +![639_10_image-20210424015614-10](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_10_image-20210424015614-10.webp) **Step 10 –** Lastly, test the policy by logging into a computer, (or run `gpupdate `if already logged in) and then connect to a VPN as a user that should receive the policy. If everything works you should see the network drives show up in File Explorer, you may need to click refresh if you had File Explorer already open to update the window contents. -![639_11_image-20210424015614-11](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_11_image-20210424015614-11.webp) +![639_11_image-20210424015614-11](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_11_image-20210424015614-11.webp) **Step 11 –** Optionally, create a new Scripts and Triggers policy that disconnects the drives when the VPN disconnects by using the script below and also changing the trigger to "VPN disconnect". 
-![639_12_image-20210424015614-12](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_12_image-20210424015614-12.webp) +![639_12_image-20210424015614-12](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_12_image-20210424015614-12.webp) -![639_13_image-20210424015614-13](../../../../../static/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_13_image-20210424015614-13.webp) +![639_13_image-20210424015614-13](/img/product_docs/policypak/policypak/scriptstriggers/mappeddrives/639_13_image-20210424015614-13.webp) **Step 12 –** "On trigger" does not work with Revert action script which is why you need to create a new policy to disconnect the drives. diff --git a/docs/policypak/policypak/scriptstriggers/networksecuritymanager.md b/docs/policypak/policypak/scriptstriggers/networksecuritymanager.md index 1b1a9c24c2..1ca720c36e 100644 --- a/docs/policypak/policypak/scriptstriggers/networksecuritymanager.md +++ b/docs/policypak/policypak/scriptstriggers/networksecuritymanager.md @@ -15,7 +15,7 @@ Some examples of use are: ## Getting started with Endpoint Policy Manager Network Security Manager **_RECOMMENDED:_** For an overview of this section, see this video: See -[Endpoint Policy Manager Network Security Manager - The Basics](../video/networksecurity/basics.md) +[Endpoint Policy Manager Network Security Manager - The Basics](/docs/policypak/policypak/video/networksecurity/basics.md) topic for additional information. Pick an application you wish to restrict, like a browser (such as Edge, Firefox, PaleMoon, etc) or a 
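Review bot: the RECOMMENDED callout under "Getting started" reads `For an overview of this section, see this video: See [...] topic for additional information.`, which stacks two lead-ins around a single link. With the link line being rewritten here anyway, reduce it to one sentence, for example "For an overview of this section, see the Endpoint Policy Manager Network Security Manager - The Basics video."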
@@ -34,11 +34,11 @@ Security Manager. Your first stop is to create a **New Global settings policy** like what's seen here. -![nsm01](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm01.webp) +![nsm01](/img/product_docs/policypak/policypak/scriptstriggers/nsm01.webp) Once selected you can see your configurable options for the machines. -![nsm02](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm02.webp) +![nsm02](/img/product_docs/policypak/policypak/scriptstriggers/nsm02.webp) - Enable Network Security Manager – This is the master ON switch for the feature. - Show Management Notifications – You can choose to show if the processes are being managed by @@ -57,7 +57,7 @@ Microsoft Edge. Create a New Policy like what's seen here. -![nsm03](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm03.webp) +![nsm03](/img/product_docs/policypak/policypak/scriptstriggers/nsm03.webp) Next you'll want to match a specific application. You can do this via Simple or Combo rules. This example will use a Simple rule. 
@@ -68,24 +68,24 @@ Manager Least Privilege Manager Manual (as they won't be repeated here). Specify the location for Microsoft Edge via Path rule which is `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` -![nsm04](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm04.webp) +![nsm04](/img/product_docs/policypak/policypak/scriptstriggers/nsm04.webp) Then in the **Add Connections Conditions** dialog, specify the following values to Allow Any activity to www.Netwrix.com by Domain Name. -![nsm05](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm05.webp) +![nsm05](/img/product_docs/policypak/policypak/scriptstriggers/nsm05.webp) Then click **Add** and make policy #2 a Block policy which blocks everything else. -![nsm06](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm06.webp) +![nsm06](/img/product_docs/policypak/policypak/scriptstriggers/nsm06.webp) Results should look like this. -![nsm07](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm07.webp) +![nsm07](/img/product_docs/policypak/policypak/scriptstriggers/nsm07.webp) Click **Next** to continue. Accept the defaults on the final Wizard page and click **Finish**. -![nsm08](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm08.webp) +![nsm08](/img/product_docs/policypak/policypak/scriptstriggers/nsm08.webp) ### Testing your Policy Out 
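Review bot: the sentence after nsm05 calls the second entry "policy #2" although it is added from the same **Add Connections Conditions** step of the wizard, so a reader cannot tell whether to add a second condition or start a second policy. Use one term for both entries, and state in words that the finished list is one Allow entry for www.Netwrix.com followed by one Block entry for everything else, because that pair is what makes the example an allow-list and the text currently leaves it to the nsm07 screenshot.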
@@ -95,27 +95,27 @@ reboot the machine to acquire the policies. The results will be that when Edge is launched, end users cannot go to any network location, like Microsoft.com, but are restricted to the specific network location you specified, www.Netwrix.com. -![nsm09](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm09.webp) +![nsm09](/img/product_docs/policypak/policypak/scriptstriggers/nsm09.webp) ## Auditing Events **_RECOMMENDED:_** See the -[Endpoint Policy Manager Network Security Manager - Auditing Events](../video/networksecurity/auditingevents.md) +[Endpoint Policy Manager Network Security Manager - Auditing Events](/docs/policypak/policypak/video/networksecurity/auditingevents.md) topic for additional information. Auditing Events can be useful if you want to determine if your rules are working. Each rule may be individually enabled like what's seen here. -![nsm10](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm10.webp) +![nsm10](/img/product_docs/policypak/policypak/scriptstriggers/nsm10.webp) In this example I'll have both rules set to Log. -![nsm11](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm11.webp) +![nsm11](/img/product_docs/policypak/policypak/scriptstriggers/nsm11.webp) The results can be pretty noisy depending on the application. In this case whenever Edge is run you will get a myriad of Blocked events like what's seen here. -![nsm12](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/nsm12.webp) +![nsm12](/img/product_docs/policypak/policypak/scriptstriggers/nsm12.webp) You may wish to audit for blocks for a while then change gears to audit only for successes later to reduce the amount of noise. 
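Review bot: the Auditing Events section relies on screenshots nsm10 to nsm12 alone; the visible text never says which event log, source or event IDs carry the Blocked events it describes. Add that in words next to the repointed images, so that someone building a filter or forwarding these events does not have to read the values off a picture. "In this example I'll have both rules set to Log" could also name the two rules it means (the www.Netwrix.com allow entry and the block-everything entry).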
@@ -125,13 +125,13 @@ reduce the amount of noise. Because Network Security Manager uses the same basic UI as Endpoint Policy Manager Least Privilege Manager, you can learn more about Simple rules here: -- [Elevating Executables](../leastprivilege/elevate/executables.md) -- [Creating and Using Executable Combo Rules](../leastprivilege/bestpractices/rules/executablecombo.md) +- [Elevating Executables](/docs/policypak/policypak/leastprivilege/elevate/executables.md) +- [Creating and Using Executable Combo Rules](/docs/policypak/policypak/leastprivilege/bestpractices/rules/executablecombo.md) You can learn more about the following additional Endpoint Policy Manager Network Security manager topics via our How-To videos: - Understanding Applications & Ports: - [Endpoint Policy Manager Network Security Manager - Applications and Ports](../video/networksecurity/applicationsports.md) + [Endpoint Policy Manager Network Security Manager - Applications and Ports](/docs/policypak/policypak/video/networksecurity/applicationsports.md) - Deeper Dive into Customizations & Notifications: - [Endpoint Policy Manager Network Security Manager - Global settings](../video/networksecurity/globalsettings.md) + [Endpoint Policy Manager Network Security Manager - Global settings](/docs/policypak/policypak/video/networksecurity/globalsettings.md) diff --git a/docs/policypak/policypak/scriptstriggers/overview.md b/docs/policypak/policypak/scriptstriggers/overview.md index 73e94993cf..e88d894779 100644 --- a/docs/policypak/policypak/scriptstriggers/overview.md +++ b/docs/policypak/policypak/scriptstriggers/overview.md 
@@ -1,7 +1,7 @@ # Scripts & Triggers Manager **NOTE:** Before reading this section, please ensure you have read Book 2: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -10,7 +10,7 @@ learn to do the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, read the section in Appendix A: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) to deploy your +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) to deploy your directives. Netwrix Endpoint Policy Manager (formerly PolicyPak) Scripts & Triggers Manager enables you to @@ -21,7 +21,7 @@ perform the following operations on Windows 10: - Deliver an "On" script when conditions are true, and an "Off" script when conditions are false. **NOTE:** Watch this video for an overview of Endpoint Policy Manager Scripts & Triggers Manager: -[Use with on-prem Group Policy](../video/scriptstriggers/gettingstarted/onpremise.md) +[Use with on-prem Group Policy](/docs/policypak/policypak/video/scriptstriggers/gettingstarted/onpremise.md) The basic way to use Scripts & Triggers Manager is as follows: diff --git a/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md b/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md index bd02ebc403..95f724f7a2 100644 --- a/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md +++ b/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md 
@@ -4,33 +4,33 @@ See the following Knowledge Base articles for Scripts and Triggers Manager. ## Troubleshooting -- [What must I do in Cylance such that it will run Powershell scripts via Endpoint Policy Scripts Manager?](../cylance.md) -- [What is the expected behavior after an Endpoint Policy Manager Script "ON/APPLY" script is modified?](../onapplyscript.md) -- [Where do scripts run? How are they protected from unauthorized access? How can I change the location of where scripts are stored?](../scriptlocation.md) -- [Which VPN Solutions are currently supported for use with Scripts Manager VPN Triggers?](../../requirements/support/scriptstriggers/vpnsolutions.md) -- [How do Endpoint Policy Scripts Manager PowerShell Scripts behave when PowerShell is blocked or disabled using the following methods?](../powershellscripts.md) -- [Why don't Batch and PowerShell scripts get blocked when SYSTEM processes are blocked](../../troubleshooting/scriptstriggers/systemprocesses.md) -- [How do I update Windows 7 machines to TLS 1.2 such that they work with Endpoint Policy Manager Cloud?](../windows7tls.md) -- [Upgrading MS Teams to latest version displays prompts for Admin Approval](../../troubleshooting/scriptstriggers/adminapproval.md) +- [What must I do in Cylance such that it will run Powershell scripts via Endpoint Policy Scripts Manager?](/docs/policypak/policypak/scriptstriggers/cylance.md) +- [What is the expected behavior after an Endpoint Policy Manager Script "ON/APPLY" script is modified?](/docs/policypak/policypak/scriptstriggers/onapplyscript.md) +- [Where do scripts run? How are they protected from unauthorized access? 
How can I change the location of where scripts are stored?](/docs/policypak/policypak/scriptstriggers/scriptlocation.md) +- [Which VPN Solutions are currently supported for use with Scripts Manager VPN Triggers?](/docs/policypak/policypak/requirements/support/scriptstriggers/vpnsolutions.md) +- [How do Endpoint Policy Scripts Manager PowerShell Scripts behave when PowerShell is blocked or disabled using the following methods?](/docs/policypak/policypak/scriptstriggers/powershellscripts.md) +- [Why don't Batch and PowerShell scripts get blocked when SYSTEM processes are blocked](/docs/policypak/policypak/troubleshooting/scriptstriggers/systemprocesses.md) +- [How do I update Windows 7 machines to TLS 1.2 such that they work with Endpoint Policy Manager Cloud?](/docs/policypak/policypak/scriptstriggers/windows7tls.md) +- [Upgrading MS Teams to latest version displays prompts for Admin Approval](/docs/policypak/policypak/troubleshooting/scriptstriggers/adminapproval.md) ## Tip and Tricks -- [How to import a WLAN / 802.11 / Wireless profile from a Network Share using Endpoint Policy Scripts Manager?](../wlannetwork.md) -- [How to import a WLAN / 802.11 / Wireless profile from Dropbox using Endpoint Policy Scripts Manager](../wlandropbox.md) -- [How to silently install Firefox ESR, Chrome and WinZip 14.5 using Endpoint Policy Scripts Manager](../silentbrowserinstall.md) -- [How to create a shortcut under the Public Desktop using Endpoint Policy Scripts Manager](../shortcutpublicdesktop.md) -- [How to deliver network drive mappings with PowerShell using Scripts Manager](../mappeddrives/powershell.md) -- [How do I use Scripts Manager to update the Registry on end-user workstations](../updateregistry.md) -- [How to Reset Secure Channel for computers that have fallen out of sync with domain while working remotely by using Scripts Manager in Endpoint Policy Manager Cloud](../resetsecurechannel.md) -- [How-to change Temperature Unit from Fahrenheit to Celsius in Microsoft 
Outlook Calendar via Group Policy?](../temperatureunit.md) -- [How do I automate BitLocker deployment for my enterprise with Group Policy and Endpoint Policy Manager?](../bitlockerdeployment.md) -- [What is the expected behavior on Windows 10 when you MODIFY an existing Endpoint Policy Manager Scripts script?](../windows10modifyscript.md) -- [How to run Microsoft Teams minimized to systray using PPScripts and PPAM](../teamsminimized.md) -- [How does Endpoint Policy Manager Scripts & Triggers know when the VPN connection is made or lost?](../vpnconnection.md) -- [How to use Scripts Manager Event Log Triggers to Map Network Drives when a VPN is Connected](../mappeddrives/eventlogtriggers.md) -- [How to Set the Password for a Local Account using Scripts Manager](../localaccountpassword.md) -- [How to use Scripts Manager Triggers to Map Network Drives when a VPN is Connected](../mappeddrives/vpn.md) -- [How do I user Endpoint Policy Manager to set the screensaver to a custom slideshow?](../screensavers.md) -- [Can I get more details on how Endpoint Policy Scripts Manager processes run?](../processesdetails.md) -- [How to Run Microsoft Edge Once at a User's 1st Logon using Scripts and Triggers Manager](../edgefirstlogon.md) -- [How to Create a Local Scheduled Task to Reboot a PC every day at 9 AM](../localscheduledtask.md) +- [How to import a WLAN / 802.11 / Wireless profile from a Network Share using Endpoint Policy Scripts Manager?](/docs/policypak/policypak/scriptstriggers/wlannetwork.md) +- [How to import a WLAN / 802.11 / Wireless profile from Dropbox using Endpoint Policy Scripts Manager](/docs/policypak/policypak/scriptstriggers/wlandropbox.md) +- [How to silently install Firefox ESR, Chrome and WinZip 14.5 using Endpoint Policy Scripts Manager](/docs/policypak/policypak/scriptstriggers/silentbrowserinstall.md) +- [How to create a shortcut under the Public Desktop using Endpoint Policy Scripts 
Manager](/docs/policypak/policypak/scriptstriggers/shortcutpublicdesktop.md) +- [How to deliver network drive mappings with PowerShell using Scripts Manager](/docs/policypak/policypak/scriptstriggers/mappeddrives/powershell.md) +- [How do I use Scripts Manager to update the Registry on end-user workstations](/docs/policypak/policypak/scriptstriggers/updateregistry.md) +- [How to Reset Secure Channel for computers that have fallen out of sync with domain while working remotely by using Scripts Manager in Endpoint Policy Manager Cloud](/docs/policypak/policypak/scriptstriggers/resetsecurechannel.md) +- [How-to change Temperature Unit from Fahrenheit to Celsius in Microsoft Outlook Calendar via Group Policy?](/docs/policypak/policypak/scriptstriggers/temperatureunit.md) +- [How do I automate BitLocker deployment for my enterprise with Group Policy and Endpoint Policy Manager?](/docs/policypak/policypak/scriptstriggers/bitlockerdeployment.md) +- [What is the expected behavior on Windows 10 when you MODIFY an existing Endpoint Policy Manager Scripts script?](/docs/policypak/policypak/scriptstriggers/windows10modifyscript.md) +- [How to run Microsoft Teams minimized to systray using PPScripts and PPAM](/docs/policypak/policypak/scriptstriggers/teamsminimized.md) +- [How does Endpoint Policy Manager Scripts & Triggers know when the VPN connection is made or lost?](/docs/policypak/policypak/scriptstriggers/vpnconnection.md) +- [How to use Scripts Manager Event Log Triggers to Map Network Drives when a VPN is Connected](/docs/policypak/policypak/scriptstriggers/mappeddrives/eventlogtriggers.md) +- [How to Set the Password for a Local Account using Scripts Manager](/docs/policypak/policypak/scriptstriggers/localaccountpassword.md) +- [How to use Scripts Manager Triggers to Map Network Drives when a VPN is Connected](/docs/policypak/policypak/scriptstriggers/mappeddrives/vpn.md) +- [How do I user Endpoint Policy Manager to set the screensaver to a custom 
slideshow?](/docs/policypak/policypak/scriptstriggers/screensavers.md) +- [Can I get more details on how Endpoint Policy Scripts Manager processes run?](/docs/policypak/policypak/scriptstriggers/processesdetails.md) +- [How to Run Microsoft Edge Once at a User's 1st Logon using Scripts and Triggers Manager](/docs/policypak/policypak/scriptstriggers/edgefirstlogon.md) +- [How to Create a Local Scheduled Task to Reboot a PC every day at 9 AM](/docs/policypak/policypak/scriptstriggers/localscheduledtask.md) diff --git a/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md b/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md index f94fbe1368..487cb5a0fd 100644 --- a/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md +++ b/docs/policypak/policypak/scriptstriggers/overview/videolearningcenter.md 
@@ -4,36 +4,36 @@ See the following Video topics for Scripts and Triggers Manager. ## Getting Started -- [Use with on-prem Group Policy](../../video/scriptstriggers/gettingstarted/onpremise.md) -- [Deploy any script via the Cloud to domain joined and non-domain joined machines](../../video/scriptstriggers/gettingstarted/cloud.md) +- [Use with on-prem Group Policy](/docs/policypak/policypak/video/scriptstriggers/gettingstarted/onpremise.md) +- [Deploy any script via the Cloud to domain joined and non-domain joined machines](/docs/policypak/policypak/video/scriptstriggers/gettingstarted/cloud.md) ## Tips and Tricks -- [Endpoint Policy Manager Scripts: Automate Software deployments with PP Scripts and Chocolaty.org](../../video/scriptstriggers/integration/chocolaty.md) -- [Replace the Windows 10 PRO Professional Lock screen](../../video/scriptstriggers/windows10prolockscreen.md) -- [Policy Scripts Manager: Set Custom Default File Associations in Windows 10](../../video/scriptstriggers/customdefaultfileassociations.md) -- [Removing Unwanted Windows Apps Using Endpoint Policy Manager Scripts & Triggers Manager](../../video/scriptstriggers/unwantedapps.md) -- [Shared Printers without Loopback: Use Endpoint Policy Manager Scripts and PowerShell to deploy and remove printers](../../video/scriptstriggers/printers.md) -- [Implementing BitLocker through Group Policy Using Endpoint Policy Scripts Manager and Administrative Templates Manager](../../video/scriptstriggers/bitlocker.md) +- [Endpoint Policy Manager Scripts: Automate Software deployments with PP Scripts and Chocolaty.org](/docs/policypak/policypak/video/scriptstriggers/integration/chocolaty.md) +- [Replace the Windows 10 PRO Professional Lock screen](/docs/policypak/policypak/video/scriptstriggers/windows10prolockscreen.md) +- [Policy Scripts Manager: Set Custom Default File Associations in Windows 10](/docs/policypak/policypak/video/scriptstriggers/customdefaultfileassociations.md) +- [Removing Unwanted Windows 
Apps Using Endpoint Policy Manager Scripts & Triggers Manager](/docs/policypak/policypak/video/scriptstriggers/unwantedapps.md) +- [Shared Printers without Loopback: Use Endpoint Policy Manager Scripts and PowerShell to deploy and remove printers](/docs/policypak/policypak/video/scriptstriggers/printers.md) +- [Implementing BitLocker through Group Policy Using Endpoint Policy Scripts Manager and Administrative Templates Manager](/docs/policypak/policypak/video/scriptstriggers/bitlocker.md) ## Scripts & Triggers with Cloud -- [Endpoint Policy Manager Cloud Scripts Manager: Distribute and Import X.509 certificates](../../video/scriptstriggers/x509certificates.md) -- [Endpoint Policy ManagerScripts .. Deploy Software via VPN or with Endpoint Policy Manager Cloud](../../video/scriptstriggers/cloud.md) -- [Endpoint Policy Manager Cloud TCP/IP Printer setup using Scripts Manager](../../video/scriptstriggers/printersetup.md) -- [Using Endpoint Policy Manager Cloud and Auditpol.exe to enable Advanced Auditing on non-domain joined computers](../../video/scriptstriggers/integration/auditpol.md) +- [Endpoint Policy Manager Cloud Scripts Manager: Distribute and Import X.509 certificates](/docs/policypak/policypak/video/scriptstriggers/x509certificates.md) +- [Endpoint Policy ManagerScripts .. 
Deploy Software via VPN or with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/scriptstriggers/cloud.md) +- [Endpoint Policy Manager Cloud TCP/IP Printer setup using Scripts Manager](/docs/policypak/policypak/video/scriptstriggers/printersetup.md) +- [Using Endpoint Policy Manager Cloud and Auditpol.exe to enable Advanced Auditing on non-domain joined computers](/docs/policypak/policypak/video/scriptstriggers/integration/auditpol.md) ## Triggers Specific Examples -- [Endpoint Policy Manager Scripts and Triggers: Get to understand login script trigger with GP and MDM systems !](../../video/scriptstriggers/scripttriggers.md) -- [Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](../../video/scriptstriggers/mapdrivetriggers.md) -- [Endpoint Policy Manager Scripts + Triggers: Perform actions at LOCK and UNLOCK of session](../../video/scriptstriggers/lockunlocksession.md) -- [Endpoint Policy Manager Scripts + Triggers: Shutdown scripts on computer side](../../video/scriptstriggers/shutdownscripts.md) -- [Endpoint Policy Manager Scripts & Triggers: Perform Scripts on VPN Connect and VPN Disconnect](../../video/scriptstriggers/vpnconnect.md) -- [Endpoint Policy Manager Scripts and AnyConnect: Run a script after you connect via VPN](../../video/scriptstriggers/integration/anyconnect.md) -- [Endpoint Policy Manager Scripts & Triggers: Events !](../../video/scriptstriggers/events.md) +- [Endpoint Policy Manager Scripts and Triggers: Get to understand login script trigger with GP and MDM systems !](/docs/policypak/policypak/video/scriptstriggers/scripttriggers.md) +- [Endpoint Policy Manager Scripts + Triggers: Map a printer or drive when a process runs and un-map it when closed.](/docs/policypak/policypak/video/scriptstriggers/mapdrivetriggers.md) +- [Endpoint Policy Manager Scripts + Triggers: Perform actions at LOCK and UNLOCK of 
session](/docs/policypak/policypak/video/scriptstriggers/lockunlocksession.md) +- [Endpoint Policy Manager Scripts + Triggers: Shutdown scripts on computer side](/docs/policypak/policypak/video/scriptstriggers/shutdownscripts.md) +- [Endpoint Policy Manager Scripts & Triggers: Perform Scripts on VPN Connect and VPN Disconnect](/docs/policypak/policypak/video/scriptstriggers/vpnconnect.md) +- [Endpoint Policy Manager Scripts and AnyConnect: Run a script after you connect via VPN](/docs/policypak/policypak/video/scriptstriggers/integration/anyconnect.md) +- [Endpoint Policy Manager Scripts & Triggers: Events !](/docs/policypak/policypak/video/scriptstriggers/events.md) ## Methods: MDM, PDQ, etc. -- [Endpoint Policy Manager Scripts and YOUR MDM service: Un-real power](../../video/scriptstriggers/mdm.md) -- [Removing Unwanted Windows Apps Using Endpoint Policy Manager and PDQ Deploy](../../video/scriptstriggers/integration/pdqdeploy.md) +- [Endpoint Policy Manager Scripts and YOUR MDM service: Un-real power](/docs/policypak/policypak/video/scriptstriggers/mdm.md) +- [Removing Unwanted Windows Apps Using Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/scriptstriggers/integration/pdqdeploy.md) diff --git a/docs/policypak/policypak/scriptstriggers/powershellscripts.md b/docs/policypak/policypak/scriptstriggers/powershellscripts.md index 33e5218aa9..24f4218766 100644 --- a/docs/policypak/policypak/scriptstriggers/powershellscripts.md +++ b/docs/policypak/policypak/scriptstriggers/powershellscripts.md 
@@ -8,7 +8,7 @@ blocked. Result: Endpoint Policy Manager Logs will show similar error messages to below when Endpoint Policy Manager attempts to run a PowerShell script. -![867_1_image-20210721211958-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_1_image-20210721211958-1.webp) +![867_1_image-20210721211958-1](/img/product_docs/policypak/policypak/scriptstriggers/867_1_image-20210721211958-1.webp) **NOTE:** Endpoint Policy Manager Scripts and Triggers Manager logs can be found here on the endpoint(s): @@ -22,11 +22,11 @@ the following Endpoint Policy Manager ADMX setting. "Endpoint Policy Manager ADMX Settings > Client-Side Extensions > Least Privilege Manager > Block Processes created by Endpoint Policy Manager Scripts Manager" -![867_2_image-20210721211958-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_2_image-20210721211958-2.webp) +![867_2_image-20210721211958-2](/img/product_docs/policypak/policypak/scriptstriggers/867_2_image-20210721211958-2.webp) ## Scenario 2: PowerShell is disabled via a Software Restriction policy using Group Policy on User Configuration side as in image below. -![867_3_image-20210721211958-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_3_image-20210721211958-3.webp) +![867_3_image-20210721211958-3](/img/product_docs/policypak/policypak/scriptstriggers/867_3_image-20210721211958-3.webp) **NOTE:** If you have a Software Restriction policy in place that blocks PowerShell. 
@@ -34,7 +34,7 @@ Result: Any Endpoint Policy Manager Scripts & Triggers Manager policies will sti execute PowerShell Scripts successfully, and the Endpoint Policy Manager Logs will show a successful run message similar to below when Endpoint Policy Manager runs a PowerShell script. -![867_4_image-20210721211958-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_4_image-20210721211958-4.webp) +![867_4_image-20210721211958-4](/img/product_docs/policypak/policypak/scriptstriggers/867_4_image-20210721211958-4.webp) **NOTE:** Endpoint Policy Manager Scripts and Triggers Manager logs can be found here on the endpoint(s): @@ -44,14 +44,14 @@ endpoint(s): ## Scenario 3: PowerShell is disabled via a Software Restriction Policy (SRP) using Group Policy on Computer Configuration side as in the image below. -![867_5_image-20210721211958-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_5_image-20210721211958-5.webp) +![867_5_image-20210721211958-5](/img/product_docs/policypak/policypak/scriptstriggers/867_5_image-20210721211958-5.webp) If you have a Software Restriction Policy in place that blocks PowerShell. Result: Any Endpoint Policy Manager Scripts & Triggers Manager policies that do not run as SYSTEM will be blocked from running, and Endpoint Policy Manager Logs for the user will show blocked events messages similar to below. -![867_6_image-20210721211958-6](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_6_image-20210721211958-6.webp) +![867_6_image-20210721211958-6](/img/product_docs/policypak/policypak/scriptstriggers/867_6_image-20210721211958-6.webp) **NOTE:** Endpoint Policy Manager Scripts and Triggers Manager logs can be found here on the endpoint(s): 
@@ -63,6 +63,6 @@ endpoint(s): manually from CMD as a standard user under either scenario 2 or 3 and if the SRP is applied properly then PowerShell will be blocked. -![867_7_image-20210721211958-7](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_7_image-20210721211958-7.webp) +![867_7_image-20210721211958-7](/img/product_docs/policypak/policypak/scriptstriggers/867_7_image-20210721211958-7.webp) -![867_8_image-20210721211958-8](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/867_8_image-20210721211958-8.webp) +![867_8_image-20210721211958-8](/img/product_docs/policypak/policypak/scriptstriggers/867_8_image-20210721211958-8.webp) diff --git a/docs/policypak/policypak/scriptstriggers/resetsecurechannel.md b/docs/policypak/policypak/scriptstriggers/resetsecurechannel.md index 0de05d0b0b..629607eb54 100644 --- a/docs/policypak/policypak/scriptstriggers/resetsecurechannel.md +++ b/docs/policypak/policypak/scriptstriggers/resetsecurechannel.md 
@@ -2,21 +2,21 @@ Symptoms: -![300_1_image-20200623000029-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_1_image-20200623000029-1.webp) +![300_1_image-20200623000029-1](/img/product_docs/policypak/policypak/scriptstriggers/300_1_image-20200623000029-1.webp) -![300_2_image-20200623000029-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_2_image-20200623000029-2.webp) +![300_2_image-20200623000029-2](/img/product_docs/policypak/policypak/scriptstriggers/300_2_image-20200623000029-2.webp) Prerequisite: Users need to have the "Reset password" right on the computer objects they will be resetting the Secure Channel for. -![300_3_image-20200623000029-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_3_image-20200623000029-3.webp) +![300_3_image-20200623000029-3](/img/product_docs/policypak/policypak/scriptstriggers/300_3_image-20200623000029-3.webp) **NOTE:** If the user does not have the right to "Reset password" on the computer object then they will receive the following error when they attempt to reset the Secure Channel: -![300_4_image-20200623000029-4_950x67](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_4_image-20200623000029-4_950x67.webp) +![300_4_image-20200623000029-4_950x67](/img/product_docs/policypak/policypak/scriptstriggers/300_4_image-20200623000029-4_950x67.webp) Once the "Reset password" right is in place for the user on the computer object the only remaining issue will be to run the reset Secure Channel command with elevated rights and that is where Netwrix 
@@ -26,7 +26,7 @@ If a domain user (who has been granted the "Reset password" right) tries to rese for a computer previously joined to the domain and they do not run the command elevated then they will receive the error below: -![300_5_image-20200623000029-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_5_image-20200623000029-5.webp) +![300_5_image-20200623000029-5](/img/product_docs/policypak/policypak/scriptstriggers/300_5_image-20200623000029-5.webp) To work around this, we are going to use Endpoint Policy Manager Scripts Manager (PPSM). @@ -43,7 +43,7 @@ the "Apply action" to run the following PowerShell Script as the user and elevat #End of Script ``` -![300_6_image-20200623000029-6_950x698](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_6_image-20200623000029-6_950x698.webp) +![300_6_image-20200623000029-6_950x698](/img/product_docs/policypak/policypak/scriptstriggers/300_6_image-20200623000029-6_950x698.webp) **Step 2 –** Skip the "Revert action" screen, then for "Policy process mode configuration" choose either "Once" or the "Once or when forced" radio button then click "Save" to save the policy. 
@@ -51,11 +51,11 @@ either "Once" or the "Once or when forced" radio button then click "Save" to sav **Step 3 –** Export the policy as XML then upload and link the policy to the Computer group in Endpoint Policy Manager Cloud that needs to receive the policy. -![300_7_image-20200623000029-7_950x162](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_7_image-20200623000029-7_950x162.webp) +![300_7_image-20200623000029-7_950x162](/img/product_docs/policypak/policypak/scriptstriggers/300_7_image-20200623000029-7_950x162.webp) Should look similar to below after import: -![300_8_image-20200623000029-8_950x274](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_8_image-20200623000029-8_950x274.webp) +![300_8_image-20200623000029-8_950x274](/img/product_docs/policypak/policypak/scriptstriggers/300_8_image-20200623000029-8_950x274.webp) **Step 4 –** For testing, you can either wait for the policy to process on its own automatically, or manually test from a computer that is currently connected to the company network via VPN and is @@ -66,4 +66,4 @@ PowerShell to verify the Secure Channel is working again. Example of successful result in log file (`c:\temp\SecureChannel_PS.log` ) is below: -![300_9_image-20200623000029-9_950x181](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/300_9_image-20200623000029-9_950x181.webp) +![300_9_image-20200623000029-9_950x181](/img/product_docs/policypak/policypak/scriptstriggers/300_9_image-20200623000029-9_950x181.webp) diff --git a/docs/policypak/policypak/scriptstriggers/screensavers.md b/docs/policypak/policypak/scriptstriggers/screensavers.md index ea463485e0..695a204a2b 100644 --- a/docs/policypak/policypak/scriptstriggers/screensavers.md +++ b/docs/policypak/policypak/scriptstriggers/screensavers.md 
@@ -36,9 +36,9 @@ In this example the source directory is `\\dccore\share\SSImages\*` and the dest **Step 3 –** Add a new Collection, giving it a descriptive name (e.g. Screensaver scripts or Houston Screensaver…) and click OK -![207_1_image-20200819181623-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_1_image-20200819181623-1.webp) +![207_1_image-20200819181623-1](/img/product_docs/policypak/policypak/scriptstriggers/207_1_image-20200819181623-1.webp) -![207_3_image-20200819181623-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_3_image-20200819181623-2.webp) +![207_3_image-20200819181623-2](/img/product_docs/policypak/policypak/scriptstriggers/207_3_image-20200819181623-2.webp) **NOTE:** If rolling out different images for different sets of users, ILT may be set on collection to specified different groups of users or computers. 
@@ -47,20 +47,20 @@ to specified different groups of users or computers. **Step 5 –** Click on "Add New Policy" and NEXT on first page -![207_5_image-20200819181623-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_5_image-20200819181623-3.webp) +![207_5_image-20200819181623-3](/img/product_docs/policypak/policypak/scriptstriggers/207_5_image-20200819181623-3.webp) **Step 6 –** On the "On apply action" screen, either click File -> Open and browse for a preconfigured script or click down-arrow by "(None)", select the appropriate type of script and either paste or type in the script to copy the image files. -![207_7_image-20200819181623-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_7_image-20200819181623-4.webp)  +![207_7_image-20200819181623-4](/img/product_docs/policypak/policypak/scriptstriggers/207_7_image-20200819181623-4.webp)  OR -![207_9_image-20200819181623-5](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_9_image-20200819181623-5.webp) +![207_9_image-20200819181623-5](/img/product_docs/policypak/policypak/scriptstriggers/207_9_image-20200819181623-5.webp) Sample script using powershell that will 1; check for the existence of the destination, 2; Create the destination if it does not exist and 3; copy the files over. -![207_11_image-20200819181623-6](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_11_image-20200819181623-6.webp) +![207_11_image-20200819181623-6](/img/product_docs/policypak/policypak/scriptstriggers/207_11_image-20200819181623-6.webp) ``` if (!(Test-Path -Path $env:userprofile\pictures\SSImages\))    {    New-item -path $env:userprofile\pictures\ -Name SSImages -Itemtype directory    }     
@@ -71,7 +71,7 @@ Copy-Item \\dccore\share\SSImages\* -Destination $env:userprofile\pictures\SSIma **Step 8 –** Ensure "Always" is selected and click NEXT -![207_13_image-20200819181623-7](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_13_image-20200819181623-7.webp) +![207_13_image-20200819181623-7](/img/product_docs/policypak/policypak/scriptstriggers/207_13_image-20200819181623-7.webp) **Step 9 –** Give a descriptive name to the policy, set item-level targeting if required and click FINISH @@ -84,7 +84,7 @@ to create the path, export the value, and make it usable. **Step 1 –** On your reference computer, set the screensaver to use "Photos", click on Settings and Browse to the location of the Screensaver images -![207_15_image-20200819181623-8](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_15_image-20200819181623-8.webp) +![207_15_image-20200819181623-8](/img/product_docs/policypak/policypak/scriptstriggers/207_15_image-20200819181623-8.webp) **Step 2 –** Click SAVE to close the Photo Screen Saver settings window and then OK to finish @@ -98,11 +98,11 @@ larger maximum line size) and edit the following: - Delete lines for "Speed" and "Shuffle" configuration - Remove all line-breaks for `"EncryptedPIDL"` – data must be on one line - ![207_17_image-20200819181623-9](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_17_image-20200819181623-9.webp) + ![207_17_image-20200819181623-9](/img/product_docs/policypak/policypak/scriptstriggers/207_17_image-20200819181623-9.webp) It will end up looking something like this… -![207_19_image-20200819181623-10](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_19_image-20200819181623-10.webp) +![207_19_image-20200819181623-10](/img/product_docs/policypak/policypak/scriptstriggers/207_19_image-20200819181623-10.webp) ## Create Group Policy Object 
@@ -118,12 +118,12 @@ Here we are configuring the Screensaver options to your requirements. **Step 2 –** Expand Computer Configuration -> Endpoint Policy Manager and click on Administrative Templates Manager -![207_21_image-20200819181623-11](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_21_image-20200819181623-11.webp) +![207_21_image-20200819181623-11](/img/product_docs/policypak/policypak/scriptstriggers/207_21_image-20200819181623-11.webp) **Step 3 –** Add a new Collection, giving it a descriptive name (e.g. Screensaver scripts or Houston Screensaver…) and click OK -![207_23_image-20200819181623-12](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_23_image-20200819181623-12.webp) +![207_23_image-20200819181623-12](/img/product_docs/policypak/policypak/scriptstriggers/207_23_image-20200819181623-12.webp) **NOTE:** If rolling out different images for different sets of users, ILT may be set on collection to specified different groups of users or computers. @@ -132,11 +132,11 @@ to specified different groups of users or computers. **Step 5 –** Add new policy -![207_25_image-20200819181623-13](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_25_image-20200819181623-13.webp) +![207_25_image-20200819181623-13](/img/product_docs/policypak/policypak/scriptstriggers/207_25_image-20200819181623-13.webp) **Step 6 –** Set the Scope Filter to "User Policy" or "All Policy" -![207_27_image-20200819181623-14](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_27_image-20200819181623-14.webp) +![207_27_image-20200819181623-14](/img/product_docs/policypak/policypak/scriptstriggers/207_27_image-20200819181623-14.webp) **Step 7 –** Create required policies – Screensaver Policies are kept under Users -> Admin Templates -> Control Panel -> Personalization. 
@@ -147,7 +147,7 @@ Setting Policies in Endpoint Policy Manager land is the same as Group Policy - Enable, set any configuration Options - OK to close -![207_29_image-20200819181623-15](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_29_image-20200819181623-15.webp) +![207_29_image-20200819181623-15](/img/product_docs/policypak/policypak/scriptstriggers/207_29_image-20200819181623-15.webp) The following are the minimum policies required @@ -171,7 +171,7 @@ collection created earlier **Step 3 –** Select "Apply this policy to all users who log on to the computer (switched Mode)" and click NEXT -![207_31_image-20200819181623-16](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_31_image-20200819181623-16.webp) +![207_31_image-20200819181623-16](/img/product_docs/policypak/policypak/scriptstriggers/207_31_image-20200819181623-16.webp) **Step 4 –** Select "Batch script" from the drop-down menu and either type in or copy the script below to import the .REG file, replacing the /D value (LongEncryptedText…) with the very long 
@@ -185,15 +185,15 @@ reg add HKCU\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver /v En **Step 5 –** Select "Run Script as user" and "With elevated rights" and click NEXT -![207_33_image-20200819181623-17](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_33_image-20200819181623-17.webp) +![207_33_image-20200819181623-17](/img/product_docs/policypak/policypak/scriptstriggers/207_33_image-20200819181623-17.webp) **Step 6 –** NEXT again **Step 7 –** Select "Once" and click NEXT -![207_35_image-20200819181623-18](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_35_image-20200819181623-18.webp) +![207_35_image-20200819181623-18](/img/product_docs/policypak/policypak/scriptstriggers/207_35_image-20200819181623-18.webp) **Step 8 –** Give it a descriptive name (e.g. "Screensaver Path"), ensure it is enabled and click FINISH -![207_37_image-20200819181623-19](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/207_37_image-20200819181623-19.webp) +![207_37_image-20200819181623-19](/img/product_docs/policypak/policypak/scriptstriggers/207_37_image-20200819181623-19.webp) diff --git a/docs/policypak/policypak/scriptstriggers/scriptlocation.md b/docs/policypak/policypak/scriptstriggers/scriptlocation.md index 25ed906f41..5d6197a1f0 100644 --- a/docs/policypak/policypak/scriptstriggers/scriptlocation.md +++ b/docs/policypak/policypak/scriptstriggers/scriptlocation.md @@ -5,7 +5,7 @@ before running in the following folder: `\ProgramData\PolicyPak\PolicyPak Scripts Manager\Temporary Scripts` -![827_1_image002_950x293](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/827_1_image002_950x293.webp) +![827_1_image002_950x293](/img/product_docs/policypak/policypak/scriptstriggers/827_1_image002_950x293.webp) During script processing time: 
@@ -25,4 +25,4 @@ Find the setting Computer Configuration | Admin Templates Manager | PolicyPak AD Client-Side Extensions | Scripts Manager | Use custom location for temporary script files like what's seen here. -![827_3_image004](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/827_3_image004.webp) +![827_3_image004](/img/product_docs/policypak/policypak/scriptstriggers/827_3_image004.webp) diff --git a/docs/policypak/policypak/scriptstriggers/shortcutpublicdesktop.md b/docs/policypak/policypak/scriptstriggers/shortcutpublicdesktop.md index 200bb0953a..59bbe43296 100644 --- a/docs/policypak/policypak/scriptstriggers/shortcutpublicdesktop.md +++ b/docs/policypak/policypak/scriptstriggers/shortcutpublicdesktop.md @@ -15,7 +15,7 @@ PolicyPak) > Scripts Manager". **Step 5 –** At the "Specify policy target" screen be sure to select the 2nd radio button that states "Apply this policy to all users who log on to the computer (switched mode) then click "Next". -![579_1_image-20190918135807-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) +![579_1_image-20190918135807-1](/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) **Step 6 –** At the "On apply action" screen select "PowerShell script" from the dropdown. @@ -35,7 +35,7 @@ $Shortcut.Save() **Step 8 –** Before clicking "Next" make sure that the "Run script as user" option is unchecked. -![579_2_image-20190918135807-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/579_2_image-20190918135807-2.webp) +![579_2_image-20190918135807-2](/img/product_docs/policypak/policypak/scriptstriggers/579_2_image-20190918135807-2.webp) **Step 9 –** Then click "Next" again on the "On revert action" screen. diff --git a/docs/policypak/policypak/scriptstriggers/teamsminimized.md b/docs/policypak/policypak/scriptstriggers/teamsminimized.md index b041bfb108..3742a7a9c5 100644 
--- a/docs/policypak/policypak/scriptstriggers/teamsminimized.md +++ b/docs/policypak/policypak/scriptstriggers/teamsminimized.md @@ -7,7 +7,7 @@ Prerequisites: - User needs to have logged in completely at least once to MS Teams, (the status icon will be visible). - ![364_1_image-20210414013029-6](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/364_1_image-20210414013029-6.webp) + ![364_1_image-20210414013029-6](/img/product_docs/policypak/policypak/scriptstriggers/364_1_image-20210414013029-6.webp) **Step 1 –** Create a new Application Settings Manager policy for MS Teams on either the Computer or User side, depending on whether the GPO applies to computer or user objects. If the GPO applies to @@ -20,7 +20,7 @@ Ok to save the settings. **NOTE:** Only the underlined settings are being reapplied when the policy processes, the other options are not being changed. -![364_2_image-20210414013029-7](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/364_2_image-20210414013029-7.webp) +![364_2_image-20210414013029-7](/img/product_docs/policypak/policypak/scriptstriggers/364_2_image-20210414013029-7.webp) **Step 3 –** Next, create a new Scripts & Triggers policy within the same GPO, under the same configuration side, user or computer that you used in Step 1. @@ -28,7 +28,7 @@ configuration side, user or computer that you used in Step 1. **NOTE:** If applying the policy on the computer side choose switched mode like in the screenshot below. -![364_3_image-20210414013029-8](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) +![364_3_image-20210414013029-8](/img/product_docs/policypak/policypak/scriptstriggers/579_1_image-20190918135807-1.webp) **Step 4 –** At the "On apply action" screen select "PowerShell script" from the dropdown, then in the main text window, paste in the script below, check the two options "Run script as user" and "Run 
@@ -76,13 +76,13 @@ Elseif (Test-Path -Path $machineTeamsX64) ``` -![364_4_image-20210414013029-9](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/364_4_image-20210414013029-9.webp) +![364_4_image-20210414013029-9](/img/product_docs/policypak/policypak/scriptstriggers/364_4_image-20210414013029-9.webp) **Step 5 –** Click "Next" at the "On revert action" screen to skip that screen, then at the "specify process mode" screen choose the "On trigger" option, then choose "Logon" from the drop down before clicking "Next" to continue. -![364_5_image-20210414013029-10_724x538](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/364_5_image-20210414013029-10_724x538.webp) +![364_5_image-20210414013029-10_724x538](/img/product_docs/policypak/policypak/scriptstriggers/364_5_image-20210414013029-10_724x538.webp) **Step 6 –** At the "Policy settings" screen give the policy a descriptive name then click "Finish." diff --git a/docs/policypak/policypak/scriptstriggers/temperatureunit.md b/docs/policypak/policypak/scriptstriggers/temperatureunit.md index d77780ff35..3b3e295f0f 100644 --- a/docs/policypak/policypak/scriptstriggers/temperatureunit.md +++ b/docs/policypak/policypak/scriptstriggers/temperatureunit.md 
@@ -8,14 +8,14 @@ at: `%userprofile%\AppData\Local\Microsoft\Outlook\RoamCache` **Step 2 –** Create it manually by, Clicking on a little drop-down button in the Weather Bar and Add another city. Then change it back to the one you want. -![438_1_sc-kb-o16](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/438_1_sc-kb-o16.webp) +![438_1_sc-kb-o16](/img/product_docs/policypak/policypak/scriptstriggers/438_1_sc-kb-o16.webp) Set Temperature Unit via GPO using PolicyPak Scripts Manager: You will be able to set Celsius as default temperature (as shown in following screenshot), instead of Fahrenheit. -![438_2_image-20200626100413-1_950x129](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/438_2_image-20200626100413-1_950x129.webp) +![438_2_image-20200626100413-1_950x129](/img/product_docs/policypak/policypak/scriptstriggers/438_2_image-20200626100413-1_950x129.webp) Temperature unit information appears to be controlled via `Stream_Weather_2_.dat` file at this @@ -27,7 +27,7 @@ Scripts Manager. **Step 1 –** Right-click and Add Policy for PolicyPak Scripts Manager under User Configuration -![438_3_image-20200626100413-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/438_3_image-20200626100413-2.webp) +![438_3_image-20200626100413-2](/img/product_docs/policypak/policypak/scriptstriggers/438_3_image-20200626100413-2.webp) **Step 2 –** Click Next on the Wizard and Select PowerShell script from the drop-down. Insert the following script. Then select both checkboxes, Run script as user and With elevated rights. 
@@ -36,7 +36,7 @@ following script. Then select both checkboxes, Run script as user and With el $Path = "$env:USERPROFILE\AppData\Local\Microsoft\Outlook\RoamCache\*"$FileName   = (Get-Item   -Path   $Path   -Filter   "Stream_Weather*.dat").FullName$Content   =   Get-Content   -path   $FileNameStop-Process   -Name   outlook   -Force -ErrorAction   SilentlyContinueSet-Content   $FileName $content.Replace("DegreeType"" v=""9-1""",   "DegreeType"" v=""9-0""") ``` -![438_4_image-20200626100413-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/438_4_image-20200626100413-3.webp) +![438_4_image-20200626100413-3](/img/product_docs/policypak/policypak/scriptstriggers/438_4_image-20200626100413-3.webp) **NOTE:** Outlook has to be closed to make this change, so be sure to add the "stop-process" line before the "set-content". @@ -44,4 +44,4 @@ before the "set-content". **Step 3 –** Finally, select an option to apply Once or when forced, and complete the remaining steps on the wizard. -![438_5_image-20200626100413-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/438_5_image-20200626100413-4.webp) +![438_5_image-20200626100413-4](/img/product_docs/policypak/policypak/scriptstriggers/438_5_image-20200626100413-4.webp) diff --git a/docs/policypak/policypak/scriptstriggers/updateregistry.md b/docs/policypak/policypak/scriptstriggers/updateregistry.md index 1bb5350ed8..2c601524b7 100644 --- a/docs/policypak/policypak/scriptstriggers/updateregistry.md +++ b/docs/policypak/policypak/scriptstriggers/updateregistry.md 
@@ -14,24 +14,24 @@ User Configuration side and click on "Scripts Manager" **Step 3 –** Add new Policy (a or b) -![654_1_image-20200510105609-16_620x371](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/654_1_image-20200510105609-16_620x371.webp) +![654_1_image-20200510105609-16_620x371](/img/product_docs/policypak/policypak/scriptstriggers/654_1_image-20200510105609-16_620x371.webp) **Step 4 –** Enter script by either a) Importing the file or b) entering or copying the comman - Click File -> Open and browse for the script to enter - ![654_3_image-20200510105609-17](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/654_3_image-20200510105609-17.webp) + ![654_3_image-20200510105609-17](/img/product_docs/policypak/policypak/scriptstriggers/654_3_image-20200510105609-17.webp) - Click down-arrow by (None), select type of script and enter the script command(s) in the windows below - ![654_5_image-20200510105609-18](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/654_5_image-20200510105609-18.webp) + ![654_5_image-20200510105609-18](/img/product_docs/policypak/policypak/scriptstriggers/654_5_image-20200510105609-18.webp) Sample Script: `regedit.exe /s \\server\share\NewRegValue.reg` **Step 5 –** Select "Run Script as User" and "With elevated rights" -> NEXT -![654_7_image-20200510105609-19](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/654_7_image-20200510105609-19.webp) +![654_7_image-20200510105609-19](/img/product_docs/policypak/policypak/scriptstriggers/654_7_image-20200510105609-19.webp) **Step 6 –** If the entry is to be reverted, i.e. the registry should become something else if the policy is no longer linked or enabled, repeat steps 4 and 5 within this window specifying the 
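Review bot: the Step 4 context in docs/policypak/policypak/scriptstriggers/updateregistry.md ends mid-word ("entering or copying the comman"), and the sample `regedit.exe /s \\server\share\NewRegValue.reg` sits directly above Step 5, which selects "With elevated rights", without saying who may write to that share. Since this hunk already touches every image line around those steps, complete the Step 4 sentence and add a line stating that the share and the .reg file should be writable only by administrators, because whatever the file contains is imported silently with elevated rights on each endpoint that receives the policy.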
@@ -42,7 +42,7 @@ appropriate commands to set the registry as required -> NEXT **NOTE:** "Always" will ensure that if the value is every updated, it will be returned to the value specified each time Group Policy is processed -![654_9_image-20200510105609-20](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/654_9_image-20200510105609-20.webp) +![654_9_image-20200510105609-20](/img/product_docs/policypak/policypak/scriptstriggers/654_9_image-20200510105609-20.webp) **Step 8 –** Give a descriptive name to the policy and set Item Level Targeting if required -> FINISH diff --git a/docs/policypak/policypak/scriptstriggers/windows7tls.md b/docs/policypak/policypak/scriptstriggers/windows7tls.md index f3e107c417..c0bef0574a 100644 --- a/docs/policypak/policypak/scriptstriggers/windows7tls.md +++ b/docs/policypak/policypak/scriptstriggers/windows7tls.md @@ -5,7 +5,7 @@ PolicyPak) and may or may not work for all functions. Pre-read the following to know what is known to NOT work in Windows 7 before continuing: -[How does Endpoint Policy Manager support (and not support) Windows 11?](../requirements/support/windows11.md) +[How does Endpoint Policy Manager support (and not support) Windows 11?](/docs/policypak/policypak/requirements/support/windows11.md) Then after that, if you still wish to use Endpoint Policy Manager with Windows 7 and Endpoint Policy Manager Cloud, you must update Windows 7 to be TLS 1.2 complaint. diff --git a/docs/policypak/policypak/scriptstriggers/wlandropbox.md b/docs/policypak/policypak/scriptstriggers/wlandropbox.md index b1e6532fa3..277c96fdd2 100644 --- a/docs/policypak/policypak/scriptstriggers/wlandropbox.md +++ b/docs/policypak/policypak/scriptstriggers/wlandropbox.md 
@@ -25,11 +25,11 @@ should look similar to below: Endpoint Policy Manager (formerly PolicyPak) Scripts Manager > on the Computer side to create a new policy it -![658_1_img-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/497_1_img-1.webp) +![658_1_img-1](/img/product_docs/policypak/policypak/scriptstriggers/497_1_img-1.webp) **Step 5 –** At the "Specify policy target screen be sure to use switched mode for the policy. -![658_2_img-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/497_2_img-2.webp) +![658_2_img-2](/img/product_docs/policypak/policypak/scriptstriggers/497_2_img-2.webp) **Step 6 –** For the Apply action use the script below (remember to use the PowerShell Script option from the drop down). @@ -63,12 +63,12 @@ dl.dropboxusercontent.com **Step 7 –** Verify that "Run script as user" check box is checked, then click next. -![658_3_img-3_950x601](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/658_3_img-3_950x601.webp) +![658_3_img-3_950x601](/img/product_docs/policypak/policypak/scriptstriggers/658_3_img-3_950x601.webp) **Step 8 –** For the "Policy process mode configuration" screen specify "Once or when forced", then click save. -![658_4_img-4](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/658_4_img-4.webp) +![658_4_img-4](/img/product_docs/policypak/policypak/scriptstriggers/658_4_img-4.webp) **NOTE:** The same policy will work if applied to user side and user OU as well. diff --git a/docs/policypak/policypak/scriptstriggers/wlannetwork.md b/docs/policypak/policypak/scriptstriggers/wlannetwork.md index 6b92b78993..f8ea57d4ac 100644 --- a/docs/policypak/policypak/scriptstriggers/wlannetwork.md +++ b/docs/policypak/policypak/scriptstriggers/wlannetwork.md 
@@ -23,11 +23,11 @@ Create the WLAN GPO and apply it to the OU where the Computers live, next use Ne Policy Manager (formerly PolicyPak) Scripts Manager > on the Computer side to create a new policy item. -![497_1_img-1](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/497_1_img-1.webp) +![497_1_img-1](/img/product_docs/policypak/policypak/scriptstriggers/497_1_img-1.webp) At the "Specify policy target screen be sure to use switched mode for the policy. -![497_2_img-2](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/497_2_img-2.webp) +![497_2_img-2](/img/product_docs/policypak/policypak/scriptstriggers/497_2_img-2.webp) For the Apply action use the command below (remember to use the PowerShell Script option from the drop down). @@ -36,7 +36,7 @@ drop down). Verify that "Run script as user" check box is checked then click "Save" -![497_3_img-3](../../../../static/img/product_docs/policypak/policypak/scriptstriggers/497_3_img-3.webp) +![497_3_img-3](/img/product_docs/policypak/policypak/scriptstriggers/497_3_img-3.webp) **NOTE:** If needed you can delete this WLAN profile from a computer using an elevated PowerShell command prompt. diff --git a/docs/policypak/policypak/securitysettings/exportwizard.md b/docs/policypak/policypak/securitysettings/exportwizard.md index bbb1c01e88..4f5eedf689 100644 --- a/docs/policypak/policypak/securitysettings/exportwizard.md +++ b/docs/policypak/policypak/securitysettings/exportwizard.md 
@@ -4,12 +4,12 @@ Click on **Export this GPO's Computer-Side Security Settings forEndpoint Policy Endpoint Policy Manager Cloud**. The Endpoint Policy Manager Security Settings Manager export wizard will appear. -![about_policypak_security_settings_2](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_2.webp) +![about_policypak_security_settings_2](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_2.webp) When you click **Next**, the Export Wizard analyzes the current GPO's security settings and presents the security categories currently used within the GPO. -![about_policypak_security_settings_3](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_3.webp) +![about_policypak_security_settings_3](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_3.webp) **NOTE:** Currently, all supported security settings within the GPO will be exported when you click **Next**.  Note that some settings are interlocked and others are not. so not all may be 
@@ -17,12 +17,12 @@ individually selected for exporting. Clicking **Next** brings up the Item-Level Targeting filters screen. -![about_policypak_security_settings_4](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_4.webp) +![about_policypak_security_settings_4](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_4.webp) Below you can see the basic capabilities of the Targeting Editor. Item-Level Targeting is being applied to members of the Traveling Sales Users group that have a portable computer with Windows 10. -![about_policypak_security_settings_5](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_5.webp) +![about_policypak_security_settings_5](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_5.webp) Setting Item-Level Targeting is completely optional. If desired, when the exported XML file is used with Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud, these filters will specify 
@@ -30,13 +30,13 @@ exactly which users and computers will get these exported settings. If you chang don't wish to use any targeting filters, simply uncheck Enable Targeting Filters, which will then remove any filters you put in place. -![about_policypak_security_settings_6](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_6.webp) +![about_policypak_security_settings_6](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_6.webp) On the final page of the Endpoint Policy Manager Security Settings Manager Export Wizard, provide a location and filename to save your XML file. -![about_policypak_security_settings_7](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_7.webp) +![about_policypak_security_settings_7](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_7.webp) Keep this file handy since you'll use it with Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud. To learn more about how to deliver settings outside of Group Policy, be sure to read -Appendix A, [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md). +Appendix A, [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). diff --git a/docs/policypak/policypak/securitysettings/gettoknow.md b/docs/policypak/policypak/securitysettings/gettoknow.md index 90d1a0ec47..43ad785819 100644 --- a/docs/policypak/policypak/securitysettings/gettoknow.md +++ b/docs/policypak/policypak/securitysettings/gettoknow.md 
@@ -4,7 +4,7 @@ Endpoint Policy Manager Security Settings Manager is a node you see within every While Endpoint Policy Manager Security Settings Manager is listed on both the Computer and User sides, it only functions on the the computer side. Below you can see the export option available. -![about_policypak_security_settings_1](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_1.webp) +![about_policypak_security_settings_1](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings_1.webp) The only job of the Endpoint Policy Manager Security Settings Manager node is to export the computer-side security settings as an XML file. This XML file can be used with Endpoint Policy diff --git a/docs/policypak/policypak/securitysettings/overview.md b/docs/policypak/policypak/securitysettings/overview.md index 01c10bea4b..7310864069 100644 --- a/docs/policypak/policypak/securitysettings/overview.md +++ b/docs/policypak/policypak/securitysettings/overview.md @@ -1,7 +1,7 @@ # Security Settings Manager **NOTE:** Before reading this section, please ensure you have read Book 2: -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -10,7 +10,7 @@ learn to do the following: - Set up a common OU structure Optionally, if you don't want to use Group Policy, read the section in Appendix A: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) to deploy your +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) to deploy your directives. Netwrix Endpoint Policy Manager (formerly PolicyPak) Security Settings Manager enables 
@@ -19,7 +19,7 @@ settings without Group Policy (via Microsoft Endpoint Manager [SCCM], KACE, or E Manager Cloud). The supported Microsoft security settings can be seen below.  Red lines indicate these items are not supported by Endpoint Policy Manager. -![about_policypak_security_settings](../../../../static/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings.webp) +![about_policypak_security_settings](/img/product_docs/policypak/policypak/securitysettings/about_policypak_security_settings.webp) **NOTE:** The following items are NOT supported by Endpoint Policy Manager Security Settings Manager: diff --git a/docs/policypak/policypak/softwarepackage/appx/addremovepackages.md b/docs/policypak/policypak/softwarepackage/appx/addremovepackages.md index f7e82c5017..63ea596b0a 100644 --- a/docs/policypak/policypak/softwarepackage/appx/addremovepackages.md +++ b/docs/policypak/policypak/softwarepackage/appx/addremovepackages.md 
@@ -7,13 +7,13 @@ Windows itself will request unwanted applications for the user from the Microsof can see pre-installed applications like Duolingo, Pandora, and Skype. Windows versions before 20H1 very often have quite cluttered Start menus, as shown in the figure. -![appx_policies_and_settings_2](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_2.webp) +![appx_policies_and_settings_2](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_2.webp) However, even newer versions of Windows still have some store applications , installed, like Skype, even though the default Start menu is cleaner. In both cases you might want to remove applications that are not needed.. -![appx_policies_and_settings_3](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_3.webp) +![appx_policies_and_settings_3](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_3.webp) We'll discuss how to install or remove AppX packages in the next two sections. diff --git a/docs/policypak/policypak/softwarepackage/appx/helpertool.md b/docs/policypak/policypak/softwarepackage/appx/helpertool.md index f047736fa7..1ba61eede0 100644 --- a/docs/policypak/policypak/softwarepackage/appx/helpertool.md +++ b/docs/policypak/policypak/softwarepackage/appx/helpertool.md 
@@ -7,12 +7,12 @@ Helper tool to determine which packages on a machine could be removed by Endpoin Software Package Manager (AppX) policies. The tool is found in the Endpoint Policy Manager Extras folder within the download. -![appx_policies_and_settings_11](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_11.webp) +![appx_policies_and_settings_11](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_11.webp) When you run the Helper tool, you can see all available packages for removal and the publisher names. -![appx_policies_and_settings_12](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_12.webp) +![appx_policies_and_settings_12](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_12.webp) **NOTE:** You can generate this same list via PowerShell by using the following command.: 
@@ -24,18 +24,18 @@ Inc.,L=Media,S=Pennsylvania,C=US' | Format-Table -Property Name, Publisher -Auto You can see the list in PowerShell is the same as the list from the Helper tool, as shown below. -![appx_policies_and_settings_13](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_13.webp) +![appx_policies_and_settings_13](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_13.webp) You can right-click on the Publisher ID and copy it to the clipboard. Then, you can paste the value into the publisher field after selecting **Remove Package**. -![appx_policies_and_settings_14](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_14.webp) +![appx_policies_and_settings_14](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_14.webp) The Helper tool also enables you to export one or more applications' details to XML. Once you've done this, you can then use the Import button in the Remove Package Policy Mode. -![appx_policies_and_settings_15](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_15.webp) +![appx_policies_and_settings_15](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_15.webp) Next, select an application from the list to be populated into the policy. -![appx_policies_and_settings_16](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_16.webp) +![appx_policies_and_settings_16](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_16.webp) diff --git a/docs/policypak/policypak/softwarepackage/appx/installpackage.md b/docs/policypak/policypak/softwarepackage/appx/installpackage.md index 398624d8b9..706d8898ce 100644 --- a/docs/policypak/policypak/softwarepackage/appx/installpackage.md 
+++ b/docs/policypak/policypak/softwarepackage/appx/installpackage.md 
@@ -5,23 +5,23 @@ example, we will install WinZip Microsoft Store Edition, but you're welcome to u from the Windows 10 Microsoft Store instead. To get the store link you need to first go to an example machine and open the Windows 10 Microsoft Store to look for the application. -![appx_policies_and_settings_4](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_4.webp) +![appx_policies_and_settings_4](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_4.webp) Select the application, and find the Share section. Then click on **Copy link** -![appx_policies_and_settings_5](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_5.webp) +![appx_policies_and_settings_5](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_5.webp) When you paste the link into the Netwrix Endpoint Policy Manager (formerly PolicyPak) Software Package Manager AppX policy to install an application, the link will be verified before allowing you to continue. You can then also verify that the App Store ID, name, and publisher all look correct. -![appx_policies_and_settings_6](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_6.webp) +![appx_policies_and_settings_6](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_6.webp) On the client machine, login as a user who would get the GPO and run GPUpdate. While the AppX packages that are queued might not be available for immediate download, very often they download nearly instantly. 
-![appx_policies_and_settings_7](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_7.webp) +![appx_policies_and_settings_7](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_7.webp) You can now run your newly deployed Microsoft Store application. diff --git a/docs/policypak/policypak/softwarepackage/appx/overview.md b/docs/policypak/policypak/softwarepackage/appx/overview.md index c859acd84e..0e2d087138 100644 --- a/docs/policypak/policypak/softwarepackage/appx/overview.md +++ b/docs/policypak/policypak/softwarepackage/appx/overview.md @@ -11,13 +11,13 @@ organizational unit (OU). **Step 2 –** Next, within the GPO Editor, go to User Configuration > Endpoint Policy Manager > App Delivery & Patching Pak > Software Package Manager. Right-click on New Windows Store (AppX) Policy. -![appx_policies_and_settings](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings.webp) +![appx_policies_and_settings](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings.webp) **Step 3 –** Next, you will need to choose if you want to install a package or remove a package. These options will be explained further in the "AppX: Install Package" and "AppX: Remove Package" sections. -![appx_policies_and_settings_1](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_1.webp) +![appx_policies_and_settings_1](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_1.webp) Get-AppxPackage | Where-Object -Property 'Publisher' -NE -Value 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' | Where-Object -Property 'Publisher' -NE -Value diff --git a/docs/policypak/policypak/softwarepackage/appx/removepackage.md b/docs/policypak/policypak/softwarepackage/appx/removepackage.md index 646d97ff6f..4520dbce80 100644 
--- a/docs/policypak/policypak/softwarepackage/appx/removepackage.md +++ b/docs/policypak/policypak/softwarepackage/appx/removepackage.md @@ -9,14 +9,14 @@ Skype app, which is typically pre-installed in all versions of Windows 10. The f this would be to use the **Remove Package** function, then select **Name** and type in \*skype\* which will match on anything with the word Skype in the name. -![appx_policies_and_settings_8](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_8.webp) +![appx_policies_and_settings_8](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_8.webp) Then on the endpoint run GPUpdate to acquire the policy change. You should see Skype go from present to removed. -![appx_policies_and_settings_9](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_9.webp) +![appx_policies_and_settings_9](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_9.webp) -![appx_policies_and_settings_10](../../../../../static/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_10.webp) +![appx_policies_and_settings_10](/img/product_docs/policypak/policypak/softwarepackage/appx/appx_policies_and_settings_10.webp) Get-AppxPackage | Where-Object -Property 'Publisher' -NE -Value 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' | Where-Object -Property 'Publisher' -NE -Value diff --git a/docs/policypak/policypak/softwarepackage/exportcollections.md b/docs/policypak/policypak/softwarepackage/exportcollections.md index 3a0ccf9c7b..42428fea46 100644 --- a/docs/policypak/policypak/softwarepackage/exportcollections.md +++ b/docs/policypak/policypak/softwarepackage/exportcollections.md 
@@ -1,6 +1,6 @@ # Exporting Collections -Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) explains how +Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) explains how to use the Netwrix Endpoint Policy Manager (formerly PolicyPak) Exporter to wrap up any Endpoint Policy Manager directives and deliver them using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. @@ -9,9 +9,9 @@ To export a policy for later use using Endpoint Policy Manager Exporter or Endpo Cloud, right-click the collection or the policy and select **Export to XML**. This will enable you to save an XML file, which you can use later. -![exporting_collections](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections.webp) +![exporting_collections](/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections.webp) Remember that Endpoint Policy Manager RDP policies can be created and exported on the User or Computer side. For instance, below you can see an item being exported from the Computer side. -![exporting_collections_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections_1.webp) +![exporting_collections_1](/img/product_docs/policypak/policypak/remoteworkdelivery/exporting_collections_1.webp) diff --git a/docs/policypak/policypak/softwarepackage/itemleveltargeting.md b/docs/policypak/policypak/softwarepackage/itemleveltargeting.md index 11e6d6b6a6..b8d65007de 100644 --- a/docs/policypak/policypak/softwarepackage/itemleveltargeting.md +++ b/docs/policypak/policypak/softwarepackage/itemleveltargeting.md 
@@ -9,17 +9,17 @@ A collection enables you to group together Endpoint Policy Manager Software Pack so they can act together. For instance, you might create a collection for only East Sales users, and another for HR Users. -![using_item_level_targeting](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) +![using_item_level_targeting](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting.webp) Below you can see the two collections we have created. These collections can hold other collections or policies. Next we will apply Item-Level Targeting for a collection. -![using_item_level_targeting_1](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) +![using_item_level_targeting_1](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_1.webp) To change the Item-Level Targeting, right-click any Endpoint Policy Manager Software Package Manager policy, and select **Edit Item Level Targeting**. -![using_item_level_targeting_2](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) +![using_item_level_targeting_2](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_2.webp) The Edit Item Level Targeting menu item brings up the Targeting Editor. You can select any combination of characteristics you want to test for. Administrators familiar with Group Policy 
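Review bot: all three rewritten image links in this hunk of docs/policypak/policypak/softwarepackage/itemleveltargeting.md point at `/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting*.webp`, which is another component's image directory rather than the softwarepackage one. The path rewrite carries that over unchanged, so please confirm the screenshots actually show Software Package Manager; if they do, move them under `softwarepackage/` so that reorganizing the remoteworkdelivery images cannot break this page, and if they do not, replace them.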
@@ -35,7 +35,7 @@ When targeting policies and collections for Endpoint Policy Manager Software Pac a good idea to target portable computers and mobile user security groups. You can also require that users not be on the corporate LAN. -![using_item_level_targeting_3](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) +![using_item_level_targeting_3](/img/product_docs/policypak/policypak/remoteworkdelivery/using_item_level_targeting_3.webp) In this example, the Pak would only apply to Windows 10 machines when the machine is portable and not on the corporate LAN subnet, and the user is in the FABRIKAM\Traveling Sales Users group. diff --git a/docs/policypak/policypak/softwarepackage/overview.md b/docs/policypak/policypak/softwarepackage/overview.md index 36e7b7a971..dcee0a2eed 100644 --- a/docs/policypak/policypak/softwarepackage/overview.md +++ b/docs/policypak/policypak/softwarepackage/overview.md @@ -13,5 +13,5 @@ For AppX packages, you can do the following with Software Package Manager: Windows applications can and cannot run. Watch this video for an overview of See Endpoint Policy Manager Software Package Manager: -[Endpoint Policy Manager Software Package Manager: AppX Manager](../video/softwarepackage/appxmanager.md) +[Endpoint Policy Manager Software Package Manager: AppX Manager](/docs/policypak/policypak/video/softwarepackage/appxmanager.md) for additional information. diff --git a/docs/policypak/policypak/softwarepackage/overview/knowledgebase.md b/docs/policypak/policypak/softwarepackage/overview/knowledgebase.md index fa220cd0a0..419365a1fe 100644 --- a/docs/policypak/policypak/softwarepackage/overview/knowledgebase.md +++ b/docs/policypak/policypak/softwarepackage/overview/knowledgebase.md 
@@ -4,4 +4,4 @@ See the following Knowledge Base article for Software Package Manager. ## Getting Started -- [How to install WinGet on a server that you are using as a management station (unsupported)?](../winget.md) +- [How to install WinGet on a server that you are using as a management station (unsupported)?](/docs/policypak/policypak/softwarepackage/winget.md) diff --git a/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md b/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md index f55409dd4f..577afdf62d 100644 --- a/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md +++ b/docs/policypak/policypak/softwarepackage/overview/videolearningcenter.md 
@@ -4,19 +4,19 @@ See the following Video topics for Software Package Manager. ## AppX policies Items for AppX -- [Endpoint Policy Manager Software Package Manager: AppX Manager](../../video/softwarepackage/appxmanager.md) -- [Endpoint Policy Manager: Remove built-in Windows 10 / 11 apps (including those in-the-box) included with Windows!](../../video/softwarepackage/removeapps.md) -- [Endpoint Policy Manager Software Package Manager PLUS Least Privilege Manager: Block any unwanted store apps !](../../video/softwarepackage/blockapps.md) +- [Endpoint Policy Manager Software Package Manager: AppX Manager](/docs/policypak/policypak/video/softwarepackage/appxmanager.md) +- [Endpoint Policy Manager: Remove built-in Windows 10 / 11 apps (including those in-the-box) included with Windows!](/docs/policypak/policypak/video/softwarepackage/removeapps.md) +- [Endpoint Policy Manager Software Package Manager PLUS Least Privilege Manager: Block any unwanted store apps !](/docs/policypak/policypak/video/softwarepackage/blockapps.md) ## WinGet policies -- [Software Package Manager + Deploying Applications via WinGet](../../video/softwarepackage/winget/deployapplications.md) -- [Endpoint Policy Manager and WinGet-Run](../../video/softwarepackage/winget/run.md) +- [Software Package Manager + Deploying Applications via WinGet](/docs/policypak/policypak/video/softwarepackage/winget/deployapplications.md) +- [Endpoint Policy Manager and WinGet-Run](/docs/policypak/policypak/video/softwarepackage/winget/run.md) ## Tips and Tricks -- [Software Package Manager - Extras Tool](../../video/softwarepackage/extrastool.md) +- [Software Package Manager - Extras Tool](/docs/policypak/policypak/video/softwarepackage/extrastool.md) ## Using with other METHODS (Cloud, MDM, etc.) 
-- [Endpoint Policy Package Manager (AppX Policies): Add or Remove Microsoft Store using your MDM service.](../../video/softwarepackage/mdm.md) +- [Endpoint Policy Package Manager (AppX Policies): Add or Remove Microsoft Store using your MDM service.](/docs/policypak/policypak/video/softwarepackage/mdm.md) diff --git a/docs/policypak/policypak/softwarepackage/processorderprecedence.md b/docs/policypak/policypak/softwarepackage/processorderprecedence.md index 933d5d806a..86fdc43751 100644 --- a/docs/policypak/policypak/softwarepackage/processorderprecedence.md +++ b/docs/policypak/policypak/softwarepackage/processorderprecedence.md @@ -5,7 +5,7 @@ This means that lower-numbered collections attempt to process first, and higher- attempt to process last. Then, within any collection, each policy is processed in numerical order from lowest to highest. -![understanding_processing_order](../../../../static/img/product_docs/policypak/policypak/remoteworkdelivery/understanding_processing_order.webp) +![understanding_processing_order](/img/product_docs/policypak/policypak/remoteworkdelivery/understanding_processing_order.webp) Therefore, you might want to organize your policies such that removal policies come first, since those operations are faster. Then, order the installation policies by length of installation time, diff --git a/docs/policypak/policypak/softwarepackage/winget.md b/docs/policypak/policypak/softwarepackage/winget.md index cf39591f03..64b3c545f7 100644 --- a/docs/policypak/policypak/softwarepackage/winget.md +++ b/docs/policypak/policypak/softwarepackage/winget.md 
@@ -9,7 +9,7 @@ do. Simply have the latest Netwrix Endpoint Policy Manager (formerly PolicyPak) you're ready to go. You can verify this by opening any command prompt and typing Winget.  If Winget returns with its help text, you're ready to go. -![820_1_image-20230824192325-1_950x534](../../../../static/img/product_docs/policypak/policypak/softwarepackage/820_1_image-20230824192325-1_950x534.webp) +![820_1_image-20230824192325-1_950x534](/img/product_docs/policypak/policypak/softwarepackage/820_1_image-20230824192325-1_950x534.webp) However, Winget is not present on Windows Servers, which you may be using as your Group Policy Object creation / management station. As such you might wish to install Winget on a server to then @@ -31,8 +31,8 @@ installs Chocolaty on your server. **Step 2 –** Run the command  `choco install winget-cli` -![820_2_image-20230824192325-2_950x262](../../../../static/img/product_docs/policypak/policypak/softwarepackage/820_2_image-20230824192325-2_950x262.webp) +![820_2_image-20230824192325-2_950x262](/img/product_docs/policypak/policypak/softwarepackage/820_2_image-20230824192325-2_950x262.webp) -![820_3_image-20230824192325-3_950x265](../../../../static/img/product_docs/policypak/policypak/softwarepackage/820_3_image-20230824192325-3_950x265.webp) +![820_3_image-20230824192325-3_950x265](/img/product_docs/policypak/policypak/softwarepackage/820_3_image-20230824192325-3_950x265.webp) -![820_4_image-20230824192325-4_950x521](../../../../static/img/product_docs/policypak/policypak/softwarepackage/820_4_image-20230824192325-4_950x521.webp) +![820_4_image-20230824192325-4_950x521](/img/product_docs/policypak/policypak/softwarepackage/820_4_image-20230824192325-4_950x521.webp) diff --git a/docs/policypak/policypak/startscreentaskbar/addlink.md b/docs/policypak/policypak/startscreentaskbar/addlink.md index 701d7632d9..721f3e3f9b 100644 --- a/docs/policypak/policypak/startscreentaskbar/addlink.md 
+++ b/docs/policypak/policypak/startscreentaskbar/addlink.md @@ -5,4 +5,4 @@ we recommend you choose a Shortcut Icon from Shell32.DLL. The other fields may be left blank. -![914_1_image001](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/914_1_image001.webp) +![914_1_image001](/img/product_docs/policypak/policypak/startscreentaskbar/914_1_image001.webp) diff --git a/docs/policypak/policypak/startscreentaskbar/expectedbehavior.md b/docs/policypak/policypak/startscreentaskbar/expectedbehavior.md index bf0544841a..dc7acb1db3 100644 --- a/docs/policypak/policypak/startscreentaskbar/expectedbehavior.md +++ b/docs/policypak/policypak/startscreentaskbar/expectedbehavior.md @@ -5,7 +5,7 @@ your settings. However, when the GPO (or other policy delivery method) applying longer applies, reverts, or is deleted, the groups will remain with icons intact, as seen in Figure 49. -![collections_policy_settings_16](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_16.webp) +![collections_policy_settings_16](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_16.webp) Figure 49. After a policy no longer applies, users are free to manage their Start Menu groups. diff --git a/docs/policypak/policypak/startscreentaskbar/explorer.md b/docs/policypak/policypak/startscreentaskbar/explorer.md index 27ca16e7fa..fee8e37535 100644 --- a/docs/policypak/policypak/startscreentaskbar/explorer.md +++ b/docs/policypak/policypak/startscreentaskbar/explorer.md @@ -1,3 +1,3 @@ # How do I add Explorer.exe to the taskbar using Endpoint Policy Manager Start Screen & Taskbar Manager ? -![731_1_sss](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/731_1_sss.webp) +![731_1_sss](/img/product_docs/policypak/policypak/startscreentaskbar/731_1_sss.webp) 
diff --git a/docs/policypak/policypak/startscreentaskbar/exportcollections.md b/docs/policypak/policypak/startscreentaskbar/exportcollections.md index d83cae20d5..24c82c6fd1 100644 --- a/docs/policypak/policypak/startscreentaskbar/exportcollections.md +++ b/docs/policypak/policypak/startscreentaskbar/exportcollections.md 
@@ -1,20 +1,20 @@ # Exporting Collections -Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md) explains how +Appendix A: [Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md) explains how to use the Endpoint Policy Manager Exporter to wrap up any Endpoint Policy Manager directive and deliver it using Microsoft Endpoint Manager (SCCM and Intune), KACE, your own MDM service, or Endpoint Policy Manager Cloud. For Endpoint Policy Manager Cloud, you should automatically acquire a license as seen in Figure 50. For Endpoint Policy Manager with an MDM service, the license should come in your MSI license bundle. -![collections_policy_settings_17](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_17.webp) +![collections_policy_settings_17](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_17.webp) Figure 50. Endpoint Policy Manager Cloud customers are licensed for Endpoint Policy Manager Start Screen & Taskbar Manager. **NOTE:** For a video demonstrating the use of Endpoint Policy Manager Cloud with Endpoint Policy Manager Start Screen & Taskbar Manager, see -[Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](../video/startscreentaskbar/nondomainjoined.md). +[Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/startscreentaskbar/nondomainjoined.md). To export a policy for later use with Endpoint Policy Manager Exporter or Endpoint Policy Manager Cloud, right-click the Start Screen Manager node, or a collection, and select "Export Collections as 
@@ -22,13 +22,13 @@ XML," as demonstrated in Figure 51 and Figure 52. **NOTE:** For a video of exporting Endpoint Policy Manager Start Screen & Taskbar Manager and using Endpoint Policy Manager Exporter with an MDM service, watch -[Endpoint Policy Manager and MDM walk before you run](../video/mdm/testsample.md). +[Endpoint Policy Manager and MDM walk before you run](/docs/policypak/policypak/video/mdm/testsample.md). -![collections_policy_settings_18](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_18.webp) +![collections_policy_settings_18](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_18.webp) Figure 51. Exporting all collections for later use. -![collections_policy_settings_19](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_19.webp) +![collections_policy_settings_19](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_19.webp) Figure 52. Exporting the policy for later use. @@ -36,4 +36,4 @@ Note that exported collections or policies maintain any Item-Level Targeting set you've used items that represent Group Membership in Active Directory, then those items will only function when the machine is domain-joined. For more information about exporting settings and using Endpoint Policy Manager Exporter utility, see Appendix A: -[Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md). +[Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md). diff --git a/docs/policypak/policypak/startscreentaskbar/foldershortcut.md b/docs/policypak/policypak/startscreentaskbar/foldershortcut.md index 4f20dc84cd..f46c88223a 100644 --- a/docs/policypak/policypak/startscreentaskbar/foldershortcut.md +++ b/docs/policypak/policypak/startscreentaskbar/foldershortcut.md 
@@ -5,4 +5,4 @@ Replace the command-line argument (RED text-color) as per your requirement. `%systemroot%\explorer.exe "%userprofile%\Desktop\New Folder"` -![824_1_image-20210304053215-1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/824_1_image-20210304053215-1.webp) +![824_1_image-20210304053215-1](/img/product_docs/policypak/policypak/startscreentaskbar/824_1_image-20210304053215-1.webp) diff --git a/docs/policypak/policypak/startscreentaskbar/gettoknow.md b/docs/policypak/policypak/startscreentaskbar/gettoknow.md index 3cdaaa04ab..1e74f8d1c6 100644 --- a/docs/policypak/policypak/startscreentaskbar/gettoknow.md +++ b/docs/policypak/policypak/startscreentaskbar/gettoknow.md @@ -8,7 +8,7 @@ Taskbar Manager policy or collection. **NOTE:** You will only see the Start Screen Manager and Taskbar Manager nodes when the latest Admin Console MSI is installed on the management station. -![about_policypak_start_screen_2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/about_policypak_start_screen_2.webp) +![about_policypak_start_screen_2](/img/product_docs/policypak/policypak/startscreentaskbar/about_policypak_start_screen_2.webp) Figure 3. The Start Screen Manager and Taskbar Manager nodes. @@ -20,7 +20,7 @@ The functions of policies, collections, and groups are as follows: To see how to add new collections and policies, see Figure 4. -![about_policypak_start_screen_3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/about_policypak_start_screen_3.webp) +![about_policypak_start_screen_3](/img/product_docs/policypak/policypak/startscreentaskbar/about_policypak_start_screen_3.webp) Figure 4. Adding collections and policies. diff --git a/docs/policypak/policypak/startscreentaskbar/helpertools.md b/docs/policypak/policypak/startscreentaskbar/helpertools.md index b935f00e27..5cfebbd476 100644 --- a/docs/policypak/policypak/startscreentaskbar/helpertools.md 
+++ b/docs/policypak/policypak/startscreentaskbar/helpertools.md @@ -8,10 +8,10 @@ This article will explain the process of adding the helper to the Windows Start right side. For more information on the Helper Tools, click -[Overcome Network Card, Printer, and Remove Programs UAC prompts](../video/leastprivilege/uacprompts.md). +[Overcome Network Card, Printer, and Remove Programs UAC prompts](/docs/policypak/policypak/video/leastprivilege/uacprompts.md). To enable the helper tools and give the power to the users, click -[Endpoint Policy Manager Least Priv Manager Tools Setup](../video/leastprivilege/toolssetup.md), and +[Endpoint Policy Manager Least Priv Manager Tools Setup](/docs/policypak/policypak/video/leastprivilege/toolssetup.md), and follow the directions. The helper tool must be enabled to work. ## Adding the LPM Helper Tools to the Right Start Menu 
@@ -28,24 +28,24 @@ PolicyPak) -> Windows 10 & Server Management and click on Start Screen Manager (this example will use the user configuration) -![773_1_image-20201225195625-1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_1_image-20201225195625-1.webp) +![773_1_image-20201225195625-1](/img/product_docs/policypak/policypak/startscreentaskbar/773_1_image-20201225195625-1.webp) **Step 3 –** Add a new Collection -![773_2_image-20201225195625-2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_2_image-20201225195625-2.webp) +![773_2_image-20201225195625-2](/img/product_docs/policypak/policypak/startscreentaskbar/773_2_image-20201225195625-2.webp) **Step 4 –** Name the Collection and under Layout Mode, select either Full (Replacement of the user's start menu) and Partial (Preserving the user's start menu). Partial Preserve is generally recommended as the end users still have access to modify the rest of the start menu. -![773_3_image-20201225195625-3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_3_image-20201225195625-3.webp) +![773_3_image-20201225195625-3](/img/product_docs/policypak/policypak/startscreentaskbar/773_3_image-20201225195625-3.webp) **NOTE:** Item Level Targeting may be used to filter who or what gets the policies within this collection **Step 5 –** Open the collection and add a New Group -![773_4_image-20201225195625-4](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_4_image-20201225195625-4.webp) +![773_4_image-20201225195625-4](/img/product_docs/policypak/policypak/startscreentaskbar/773_4_image-20201225195625-4.webp) **Step 6 –** Complete Group information 
@@ -61,7 +61,7 @@ collection - Placeholder: If an application / link is missing and the tile cannot be created, do you want a Gap in its place, or an Edge Link (a tile that will open in the Edge Browser)? - ![773_5_image-20201225195625-5](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_5_image-20201225195625-5.webp) + ![773_5_image-20201225195625-5](/img/product_docs/policypak/policypak/startscreentaskbar/773_5_image-20201225195625-5.webp) **NOTE:** ILT can also be implemented here instead of at, or in addition too, the collection level. @@ -69,16 +69,16 @@ collection **Step 8 –** Add new Desktop Application -![773_6_image-20201225195625-6](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_6_image-20201225195625-6.webp) +![773_6_image-20201225195625-6](/img/product_docs/policypak/policypak/startscreentaskbar/773_6_image-20201225195625-6.webp) **Step 9 –** Select Custom Application -![773_7_image-20201225195625-7](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_7_image-20201225195625-7.webp) +![773_7_image-20201225195625-7](/img/product_docs/policypak/policypak/startscreentaskbar/773_7_image-20201225195625-7.webp) **Step 10 –** Click "Select application" and browse to "C:\Program Files\PolicyPak\Least Privilege Manager\Tools" and select one of the three EXEs -![773_8_image-20201225195625-8](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_8_image-20201225195625-8.webp) +![773_8_image-20201225195625-8](/img/product_docs/policypak/policypak/startscreentaskbar/773_8_image-20201225195625-8.webp) **Step 11 –** Complete Application data page 
@@ -86,11 +86,11 @@ Manager\Tools" and select one of the three EXEs - Shortcut Icon: If path is not complete, click on Change icon… and browse back to EXE directory and select the same file -![773_9_image-20201225195625-9](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_9_image-20201225195625-9.webp) +![773_9_image-20201225195625-9](/img/product_docs/policypak/policypak/startscreentaskbar/773_9_image-20201225195625-9.webp) **Step 12 –** Set icon size and position as desired, if different from default -![773_10_image-20201225195625-10](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_10_image-20201225195625-10.webp) +![773_10_image-20201225195625-10](/img/product_docs/policypak/policypak/startscreentaskbar/773_10_image-20201225195625-10.webp) **Step 13 –** Confirm settings and Finish @@ -121,11 +121,11 @@ the helper tools. **Step 2 –** Expand User or Computer Configuration -> Preferences -> Windows Settings and click on Shortcuts -![773_11_image-20201225195625-11](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_11_image-20201225195625-11.webp) +![773_11_image-20201225195625-11](/img/product_docs/policypak/policypak/startscreentaskbar/773_11_image-20201225195625-11.webp) **Step 3 –** Right-click and create a New -> Shortcut -![773_12_image-20201225195625-12_339x107](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_12_image-20201225195625-12_339x107.webp) +![773_12_image-20201225195625-12_339x107](/img/product_docs/policypak/policypak/startscreentaskbar/773_12_image-20201225195625-12_339x107.webp) **Step 4 –** Fill in the shortcut properties page as follows 
@@ -139,13 +139,13 @@ Shortcuts Manager\Tools" and select one of the three EXEs (e.g. C:\Program Files\PolicyPak\Least Privilege Manager\Tools\PolicyPak.Tools.NetworkConnections.exe) - ![773_13_image-20201225195625-13](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_13_image-20201225195625-13.webp) + ![773_13_image-20201225195625-13](/img/product_docs/policypak/policypak/startscreentaskbar/773_13_image-20201225195625-13.webp) - Common Tab - Check "Remove this item when it is no longer applied" - ![773_14_image-20201225195625-14_409x165](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/773_14_image-20201225195625-14_409x165.webp) + ![773_14_image-20201225195625-14_409x165](/img/product_docs/policypak/policypak/startscreentaskbar/773_14_image-20201225195625-14_409x165.webp) **Step 5 –** Click OK to close the window diff --git a/docs/policypak/policypak/startscreentaskbar/helperutility.md b/docs/policypak/policypak/startscreentaskbar/helperutility.md index c4333de91f..0cef71b427 100644 --- a/docs/policypak/policypak/startscreentaskbar/helperutility.md +++ b/docs/policypak/policypak/startscreentaskbar/helperutility.md 
@@ -11,19 +11,19 @@ installed; however, you should make sure it is one you want to associate a polic **NOTE:** For a video overview demonstrating the use of the Start Screen & Taskbar Manager Helper utility, watch this video: -[Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](../video/startscreentaskbar/helperutility.md) +[Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](/docs/policypak/policypak/video/startscreentaskbar/helperutility.md) The Start Screen & Taskbar Manager Helper utility is found in the Netwrix Endpoint Policy Manager (formerly PolicyPak) ISO or ZIP download in the PolicyPak Extras folder, as seen in Figure 53. -![using_the_helper_utility](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility.webp) +![using_the_helper_utility](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility.webp) Figure 53. The Start Screen & Taskbar Manager Helper utility is located in the Extras folder. **Step 1 –** When you run the wizard you can choose whether to export registered (desktop) applications or universal (UWP) applications, as shown in Figure 54. -![using_the_helper_utility_1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_1.webp) +![using_the_helper_utility_1](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_1.webp) Figure 54. The PolicyPak Start Screen & Taskbar Manager Helper utility lets you export registered and UWP applications. 
@@ -31,14 +31,14 @@ and UWP applications. **Step 2 –** Then on the "Select registered programs" page, shown in Figure 55, you can leave the default settings as they are and click "Next." -![using_the_helper_utility_2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_2.webp) +![using_the_helper_utility_2](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_2.webp) Figure 55. The default settings to select all registered applications on the endpoint. **Step 3 –** Then on the next screen, shown in Figure 56, you can export the IDs for all the UWP applications on a machine and click "Next." -![using_the_helper_utility_3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_3.webp) +![using_the_helper_utility_3](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_3.webp) Figure 56. The defaults to select all UWP applications on the endpoint. @@ -46,7 +46,7 @@ Figure 56. The defaults to select all UWP applications on the endpoint. machine. On your GPMC machine, as you're creating new PolicyPak Start Screen or PolicyPak Taskbar Manager policies, you can then import from the XML file, as shown in Figure 57. -![using_the_helper_utility_4](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_4.webp) +![using_the_helper_utility_4](/img/product_docs/policypak/policypak/startscreentaskbar/using_the_helper_utility_4.webp) Figure 57. On the management station you can import from the XML file. diff --git a/docs/policypak/policypak/startscreentaskbar/insouts/windows10.md b/docs/policypak/policypak/startscreentaskbar/insouts/windows10.md index e304798dcc..3bb95bfb5f 100644 --- a/docs/policypak/policypak/startscreentaskbar/insouts/windows10.md +++ b/docs/policypak/policypak/startscreentaskbar/insouts/windows10.md 
@@ -15,14 +15,14 @@ The following is a Microsoft-sanctioned way to establish the Start Screen and Ta The exported file from this process might look something like what's seen in Figure 1. -![about_policypak_start_screen](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/insouts/about_policypak_start_screen.webp) +![about_policypak_start_screen](/img/product_docs/policypak/policypak/startscreentaskbar/insouts/about_policypak_start_screen.webp) Figure 1. An exported XML file using the Microsoft-sanctioned way to establish the Start Screen and Taskbar for Windows 10. Next, you would configure the Group Policy setting called "Start Layout," seen in Figure 2. -![about_policypak_start_screen_1](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/insouts/about_policypak_start_screen_1.webp) +![about_policypak_start_screen_1](/img/product_docs/policypak/policypak/startscreentaskbar/insouts/about_policypak_start_screen_1.webp) Figure 2. Configuring Group Policy settings after establishing the Start Screen and Taskbar using the in-box, Microsoft-sanctioned way. diff --git a/docs/policypak/policypak/startscreentaskbar/modes.md b/docs/policypak/policypak/startscreentaskbar/modes.md index 7989aeac3a..226d5160e5 100644 --- a/docs/policypak/policypak/startscreentaskbar/modes.md +++ b/docs/policypak/policypak/startscreentaskbar/modes.md @@ -4,7 +4,7 @@ In the image below you can see that there are 3 types of items: -![719_1_image-20200212183953-1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_1_image-20200212183953-1.webp) +![719_1_image-20200212183953-1](/img/product_docs/policypak/policypak/startscreentaskbar/719_1_image-20200212183953-1.webp) 1. Windows default apps to the left (blue circle). 2. Apps pinned by the user in the center (orange triangle). 
@@ -16,7 +16,7 @@ the same application using Netwrix Endpoint Policy Manager (formerly PolicyPak) will end up with two copies of that application on the Taskbar, one pinned by the user and the other pinned by Endpoint Policy Manager. -![719_3_image-20200212183953-2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_3_image-20200212183953-2.webp) +![719_3_image-20200212183953-2](/img/product_docs/policypak/policypak/startscreentaskbar/719_3_image-20200212183953-2.webp) More info: [https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar) 
@@ -25,34 +25,34 @@ More info: If we started with the Taskbar layout below: -![719_5_image-20200212183953-3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_5_image-20200212183953-3.webp) +![719_5_image-20200212183953-3](/img/product_docs/policypak/policypak/startscreentaskbar/719_5_image-20200212183953-3.webp) Then created a REPLACE PP TBM policy with the following settings: -![719_7_image-20200212183953-4_834x93](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_7_image-20200212183953-4_834x93.webp) +![719_7_image-20200212183953-4_834x93](/img/product_docs/policypak/policypak/startscreentaskbar/719_7_image-20200212183953-4_834x93.webp) -![719_9_image-20201007144149-1_619x269](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_9_image-20201007144149-1_619x269.webp) +![719_9_image-20201007144149-1_619x269](/img/product_docs/policypak/policypak/startscreentaskbar/719_9_image-20201007144149-1_619x269.webp) **NOTE:** When creating a REPLACE policy you are shown the warning screen below: -![719_10_image-20200212183953-6_756x226](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_10_image-20200212183953-6_756x226.webp) +![719_10_image-20200212183953-6_756x226](/img/product_docs/policypak/policypak/startscreentaskbar/719_10_image-20200212183953-6_756x226.webp) The result of applying this policy is that All Default Applications not mentioned in the policy are removed, User pinned applications are ignored, then any remaining applications from the PP TBM REPLACE policy are pinned. 
-![719_12_image-20200212183953-7_500x38](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_12_image-20200212183953-7_500x38.webp) +![719_12_image-20200212183953-7_500x38](/img/product_docs/policypak/policypak/startscreentaskbar/719_12_image-20200212183953-7_500x38.webp) Now, if we edited the same policy and set the REPLACE policy as in the screenshot below: -![719_14_image-20200212183953-8](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_14_image-20200212183953-8.webp) +![719_14_image-20200212183953-8](/img/product_docs/policypak/policypak/startscreentaskbar/719_14_image-20200212183953-8.webp) -![719_16_image-20200212183953-9](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_16_image-20200212183953-9.webp) +![719_16_image-20200212183953-9](/img/product_docs/policypak/policypak/startscreentaskbar/719_16_image-20200212183953-9.webp) Then applied the policy (remember to logout out and back in after running gpupdate) the result would be: -![719_18_image-20200212183953-10_541x36](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_18_image-20200212183953-10_541x36.webp) +![719_18_image-20200212183953-10_541x36](/img/product_docs/policypak/policypak/startscreentaskbar/719_18_image-20200212183953-10_541x36.webp) Since 7-Zip was not installed on the target machine, it was ignored, since CMD was pinned by the User it was also ignored. The remaining applications were then removed and the new applications were 
@@ -62,20 +62,20 @@ pinned. If we started with the Taskbar layout below: -![719_20_image-20200212183953-11_470x38](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_20_image-20200212183953-11_470x38.webp) +![719_20_image-20200212183953-11_470x38](/img/product_docs/policypak/policypak/startscreentaskbar/719_20_image-20200212183953-11_470x38.webp) Then created a MERGE PP TBM policy with the following settings: -![719_22_image-20200212183953-12_834x93](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_7_image-20200212183953-4_834x93.webp) +![719_22_image-20200212183953-12_834x93](/img/product_docs/policypak/policypak/startscreentaskbar/719_7_image-20200212183953-4_834x93.webp) -![719_24_image-20200212183953-13_618x256](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_24_image-20200212183953-13_618x256.webp) +![719_24_image-20200212183953-13_618x256](/img/product_docs/policypak/policypak/startscreentaskbar/719_24_image-20200212183953-13_618x256.webp) The result of applying this policy would be that only "Chrome" gets added since the other applications (Edge and Internet Explorer) were already present. In MERGE mode, any applications from the PP TBM policy that are already present (pinned) are ignored and then any new applications are pinned. -![719_26_image-20200212183953-14_468x38](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/719_26_image-20200212183953-14_468x38.webp) +![719_26_image-20200212183953-14_468x38](/img/product_docs/policypak/policypak/startscreentaskbar/719_26_image-20200212183953-14_468x38.webp) **NOTE:** After running gpupdate to apply policy you must logout then back in to receive the new PP TBM policy settings. diff --git a/docs/policypak/policypak/startscreentaskbar/overview.md b/docs/policypak/policypak/startscreentaskbar/overview.md index 062ee34062..7fccd861e1 100644 --- a/docs/policypak/policypak/startscreentaskbar/overview.md 
+++ b/docs/policypak/policypak/startscreentaskbar/overview.md @@ -1,7 +1,7 @@ # Start Screen & Taskbar Manager **NOTE:** Before reading this section, please ensure you have read -[Installation Quick Start](../gettingstarted/quickstart/overviewinstall.md), which will help you +[Installation Quick Start](/docs/policypak/policypak/gettingstarted/quickstart/overviewinstall.md), which will help you learn to do the following: - Install the Admin MSI on your GPMC machine @@ -11,7 +11,7 @@ learn to do the following: Optionally, if you don't want to use Group Policy, read the section in Appendix A: Advanced Concepts on Group Policy and non-Group Policy methods (MEMCM, KACE, and MDM service or Endpoint Policy -Manager Cloud) ([Using Endpoint Policy Manager with MDM and UEM Tools](../mdm/uemtools.md)) to +Manager Cloud) ([Using Endpoint Policy Manager with MDM and UEM Tools](/docs/policypak/policypak/mdm/uemtools.md)) to deploy your directives. Netwrix Endpoint Policy Manager (formerly PolicyPak) Start Screen & Taskbar Manager enables you to diff --git a/docs/policypak/policypak/startscreentaskbar/overview/knowledgebase.md b/docs/policypak/policypak/startscreentaskbar/overview/knowledgebase.md index 65069fe74e..b402a32405 100644 --- a/docs/policypak/policypak/startscreentaskbar/overview/knowledgebase.md +++ b/docs/policypak/policypak/startscreentaskbar/overview/knowledgebase.md 
@@ -4,28 +4,28 @@ See the following Knowledge Base articles for Start Screen and Task Bar Manager. ## Troubleshooting -- [Why aren't Taskbar manager policies working as expected on my Windows 10 machine?](../../troubleshooting/startscreentaskbar/windows10.md) -- [When does Endpoint Policy Manager Start Screen & Taskbar Manager work on Server 2019, 2016, 2012 R2?](../../requirements/support/startscreentaskbar/windowserver.md) -- [I use Partial/Merge mode, and expected existing icons to be maintained, but instead they were wiped out. What happened?](../../troubleshooting/startscreentaskbar/existingicons.md) -- [How can I revert / rollback the Windows 10 Start Screen after I make an error (using Partial or Replace mode)?](../../troubleshooting/startscreentaskbar/rollback.md) -- [Endpoint Policy Manager Start Screen & Taskbar Manager crashes, hangs or is slow when running Group Policy update. Why?](../../troubleshooting/startscreentaskbar/crash.md) -- [Why do I see a group named ">Endpoint Policy ManagerStart Screen manager" on the left side in Endpoint Policy Manager Start Screen & Taskbar Manager ?](../../troubleshooting/startscreentaskbar/pinnedcollection.md) -- [Why do I get the error "This app can't run on your PC" ?](../../troubleshooting/error/startscreentaskbar/appcantrun.md) -- [Why am I seeing an Endpoint Policy Manager "advertisement" tile on my Start Screen (when I only use the TaskBar manager and NOT the Start Screen Manager?)](../../troubleshooting/startscreentaskbar/linked.md) -- [Windows default applications are not showing in Start Menu](../../troubleshooting/startscreentaskbar/windowsdefault.md) -- [Endpoint Policy Manager Task Bar Manager differences between MERGE and REPLACE modes](../modes.md) -- [Custom icons for Endpoint Policy Manager Start Screen & Taskbar Manager aren't working as expected. What can I do?](../../troubleshooting/startscreentaskbar/customicons.md) -- [How to Disable the "How do you want to open this? 
Keep using this app" Notification in Windows 10](../../troubleshooting/startscreentaskbar/windows10disablenotification.md) -- [Why would it sometimes takes two logoffs and logons to see Start Screen or Taskbar changes?](../../troubleshooting/startscreentaskbar/logons.md) -- [Does Endpoint Policy Manager Start Screen Manager support pinning application icons in Windows Start Screen or Taskbar from a network location, i.e. Mapped Drives or UNC Paths?](../../requirements/support/startscreentaskbar/mappeddrives.md) -- [Why don't I see Office 2016, Office 2019, or Office 365 icons or tiles using Start Screen Manager?](../../troubleshooting/startscreentaskbar/office365.md) +- [Why aren't Taskbar manager policies working as expected on my Windows 10 machine?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10.md) +- [When does Endpoint Policy Manager Start Screen & Taskbar Manager work on Server 2019, 2016, 2012 R2?](/docs/policypak/policypak/requirements/support/startscreentaskbar/windowserver.md) +- [I use Partial/Merge mode, and expected existing icons to be maintained, but instead they were wiped out. What happened?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/existingicons.md) +- [How can I revert / rollback the Windows 10 Start Screen after I make an error (using Partial or Replace mode)?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/rollback.md) +- [Endpoint Policy Manager Start Screen & Taskbar Manager crashes, hangs or is slow when running Group Policy update. 
Why?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/crash.md) +- [Why do I see a group named ">Endpoint Policy ManagerStart Screen manager" on the left side in Endpoint Policy Manager Start Screen & Taskbar Manager ?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/pinnedcollection.md) +- [Why do I get the error "This app can't run on your PC" ?](/docs/policypak/policypak/troubleshooting/error/startscreentaskbar/appcantrun.md) +- [Why am I seeing an Endpoint Policy Manager "advertisement" tile on my Start Screen (when I only use the TaskBar manager and NOT the Start Screen Manager?)](/docs/policypak/policypak/troubleshooting/startscreentaskbar/linked.md) +- [Windows default applications are not showing in Start Menu](/docs/policypak/policypak/troubleshooting/startscreentaskbar/windowsdefault.md) +- [Endpoint Policy Manager Task Bar Manager differences between MERGE and REPLACE modes](/docs/policypak/policypak/startscreentaskbar/modes.md) +- [Custom icons for Endpoint Policy Manager Start Screen & Taskbar Manager aren't working as expected. What can I do?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/customicons.md) +- [How to Disable the "How do you want to open this? Keep using this app" Notification in Windows 10](/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10disablenotification.md) +- [Why would it sometimes takes two logoffs and logons to see Start Screen or Taskbar changes?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/logons.md) +- [Does Endpoint Policy Manager Start Screen Manager support pinning application icons in Windows Start Screen or Taskbar from a network location, i.e. 
Mapped Drives or UNC Paths?](/docs/policypak/policypak/requirements/support/startscreentaskbar/mappeddrives.md) +- [Why don't I see Office 2016, Office 2019, or Office 365 icons or tiles using Start Screen Manager?](/docs/policypak/policypak/troubleshooting/startscreentaskbar/office365.md) ## Tips and Tricks -- [How do I add Explorer.exe to the taskbar using Endpoint Policy Manager Start Screen & Taskbar Manager ?](../explorer.md) -- [How do I add the SCCM Software Center to the Start Screen or Taskbar?](../sccmsoftwarecenter.md) -- [Can Microsoft App-V applications work with Endpoint Policy Manager Starts Screen and Taskbar Manager?](../../integration/appv.md) -- [How do I add the Least Privilege Manager Helper tools to the Left and Right side of the Start Menu?](../helpertools.md) -- [How-To create a folder shortcut in Windows 10 Start Menu using Endpoint Policy Manager Starts Screen Manager?](../foldershortcut.md) -- [How can I add a link to the Control Panel to the Start Screen or Taskbar using Endpoint Policy Manager Start Screen Manager?](../addlink.md) -- [How to automatically kill explorer at 1st Logon to Bypass needing to logout and back in for Start Screen Manager to apply](../../troubleshooting/startscreentaskbar/logonworkaround.md) +- [How do I add Explorer.exe to the taskbar using Endpoint Policy Manager Start Screen & Taskbar Manager ?](/docs/policypak/policypak/startscreentaskbar/explorer.md) +- [How do I add the SCCM Software Center to the Start Screen or Taskbar?](/docs/policypak/policypak/startscreentaskbar/sccmsoftwarecenter.md) +- [Can Microsoft App-V applications work with Endpoint Policy Manager Starts Screen and Taskbar Manager?](/docs/policypak/policypak/integration/appv.md) +- [How do I add the Least Privilege Manager Helper tools to the Left and Right side of the Start Menu?](/docs/policypak/policypak/startscreentaskbar/helpertools.md) +- [How-To create a folder shortcut in Windows 10 Start Menu using Endpoint Policy Manager Starts Screen 
Manager?](/docs/policypak/policypak/startscreentaskbar/foldershortcut.md) +- [How can I add a link to the Control Panel to the Start Screen or Taskbar using Endpoint Policy Manager Start Screen Manager?](/docs/policypak/policypak/startscreentaskbar/addlink.md) +- [How to automatically kill explorer at 1st Logon to Bypass needing to logout and back in for Start Screen Manager to apply](/docs/policypak/policypak/troubleshooting/startscreentaskbar/logonworkaround.md) diff --git a/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md b/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md index 9a97e69643..6988fcae0a 100644 --- a/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md +++ b/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md 
@@ -4,25 +4,25 @@ See the following Video topics for Start Screen and Task Bar Manager. ## Getting Started -- [Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](../../video/startscreentaskbar/helperutility.md) -- [Endpoint Policy Manager Start Screen Manager: Own the Win10 Start Menu](../../video/startscreentaskbar/windows10startmenu.md) -- [Endpoint Policy Taskbar Manager: Quick Demo](../../video/startscreentaskbar/demotaskbar.md) -- [Endpoint Policy Manager Start Screen Manager: Using Item Level Targeting](../../video/startscreentaskbar/itemleveltargeting.md) -- [Endpoint Policy Manager Start Screen Manager: Add IE links](../../video/startscreentaskbar/linksie.md) +- [Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](/docs/policypak/policypak/video/startscreentaskbar/helperutility.md) +- [Endpoint Policy Manager Start Screen Manager: Own the Win10 Start Menu](/docs/policypak/policypak/video/startscreentaskbar/windows10startmenu.md) +- [Endpoint Policy Taskbar Manager: Quick Demo](/docs/policypak/policypak/video/startscreentaskbar/demotaskbar.md) +- [Endpoint Policy Manager Start Screen Manager: Using Item Level Targeting](/docs/policypak/policypak/video/startscreentaskbar/itemleveltargeting.md) +- [Endpoint Policy Manager Start Screen Manager: Add IE links](/docs/policypak/policypak/video/startscreentaskbar/linksie.md) ## Troubleshooting -- [Endpoint Policy Manager Start Screen Manager and Special Custom Icons](../../video/startscreentaskbar/customicons.md) -- [Using PP SCRIPTS to Revert Start Menu](../../video/troubleshooting/startscreentaskbar/revertstartmenu.md) +- [Endpoint Policy Manager Start Screen Manager and Special Custom Icons](/docs/policypak/policypak/video/startscreentaskbar/customicons.md) +- [Using PP SCRIPTS to Revert Start Menu](/docs/policypak/policypak/video/troubleshooting/startscreentaskbar/revertstartmenu.md) ## Methods: SCCM, XML, MDM, Cloud, PDQ, Citrix, etc. 
-- [Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](../../video/startscreentaskbar/nondomainjoined.md) -- [Endpoint Policy Manager Start Screen & Taskbar Manager: Manage Windows 10 Start Screen & Taskbar with your MDM service (Basics with MDM)](../../video/startscreentaskbar/mdm.md) -- [Endpoint Policy Manager Start Screen Manager: Manage Windows 10 Start Screen & Taskbar with your MDM (Advanced scenarios with ILT)](../../video/startscreentaskbar/mdmitemleveltargeting.md) -- [PP Start Screen and Taskbar manager with Citrix XenApp and XenDesktop](../../video/startscreentaskbar/integration/citrix.md) -- [Taking Control of Your Taskbar and Start Menu with Endpoint Policy Manager and PDQ Deploy](../../video/startscreentaskbar/integration/pdqdeploy.md) +- [Endpoint Policy ManagerStart Screen & Taskbar Manager: Manage non-domain joined machines using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/startscreentaskbar/nondomainjoined.md) +- [Endpoint Policy Manager Start Screen & Taskbar Manager: Manage Windows 10 Start Screen & Taskbar with your MDM service (Basics with MDM)](/docs/policypak/policypak/video/startscreentaskbar/mdm.md) +- [Endpoint Policy Manager Start Screen Manager: Manage Windows 10 Start Screen & Taskbar with your MDM (Advanced scenarios with ILT)](/docs/policypak/policypak/video/startscreentaskbar/mdmitemleveltargeting.md) +- [PP Start Screen and Taskbar manager with Citrix XenApp and XenDesktop](/docs/policypak/policypak/video/startscreentaskbar/integration/citrix.md) +- [Taking Control of Your Taskbar and Start Menu with Endpoint Policy Manager and PDQ Deploy](/docs/policypak/policypak/video/startscreentaskbar/integration/pdqdeploy.md) ## Extras -- [Endpoint Policy ManagerStart Screen and Endpoint Policy Manager Scripts: Specify exact Start Menu experience one time](../../video/startscreentaskbar/onetime.md) +- [Endpoint Policy ManagerStart Screen and 
Endpoint Policy Manager Scripts: Specify exact Start Menu experience one time](/docs/policypak/policypak/video/startscreentaskbar/onetime.md) diff --git a/docs/policypak/policypak/startscreentaskbar/processorderprecedence.md b/docs/policypak/policypak/startscreentaskbar/processorderprecedence.md index c991afd335..315f57179b 100644 --- a/docs/policypak/policypak/startscreentaskbar/processorderprecedence.md +++ b/docs/policypak/policypak/startscreentaskbar/processorderprecedence.md @@ -5,11 +5,11 @@ So lower-numbered collections attempt to process first, and higher-numbered coll process last as shown in Figure 46. Then, within any collection, each policy is processed in numerical order from lowest to highest, as seen in Figure 47. -![collections_policy_settings_13](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_13.webp) +![collections_policy_settings_13](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_13.webp) Figure 46. The order in which collections are processed. -![collections_policy_settings_14](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_14.webp) +![collections_policy_settings_14](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_14.webp) Figure 47. Within collections, group policies are processed in order, starting with the lowest number. 
@@ -19,7 +19,7 @@ by row). Note the final placement might not be exactly as expected because of th might need to adjust the Position fields to get it to look precisely how you want (as shown in Figure 48). -![collections_policy_settings_15](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_15.webp) +![collections_policy_settings_15](/img/product_docs/policypak/policypak/startscreentaskbar/collections_policy_settings_15.webp) Figure 48. The processing order of multiple policy items within a group contained within a collection. diff --git a/docs/policypak/policypak/startscreentaskbar/sccmsoftwarecenter.md b/docs/policypak/policypak/startscreentaskbar/sccmsoftwarecenter.md index 7654b4c628..049f4e5d51 100644 --- a/docs/policypak/policypak/startscreentaskbar/sccmsoftwarecenter.md +++ b/docs/policypak/policypak/startscreentaskbar/sccmsoftwarecenter.md @@ -1,6 +1,6 @@ # How do I add the SCCM Software Center to the Start Screen or Taskbar? -![724_1_hf-936-img-01](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/724_1_hf-936-img-01.webp) +![724_1_hf-936-img-01](/img/product_docs/policypak/policypak/startscreentaskbar/724_1_hf-936-img-01.webp) The normal shortcut for the SCCM Software Center looks like this; but Netwrix Endpoint Policy Manager (formerly PolicyPak) Start Screen & Taskbar Manager doesn't support this kind of link. @@ -9,7 +9,7 @@ However, you can perform the following steps instead to get the same effect. Using Endpoint Policy Manager Start Screen or Endpoint Policy Manager Taskbar Manager, create a link for a Custom application like this… -![724_3_hf-936-img-02](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/724_3_hf-936-img-02.webp) +![724_3_hf-936-img-02](/img/product_docs/policypak/policypak/startscreentaskbar/724_3_hf-936-img-02.webp) Then, point it toward 
@@ -17,15 +17,15 @@ Then, point it toward Like what's seen here. -![724_5_hf-936-img-03](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/724_5_hf-936-img-03.webp) +![724_5_hf-936-img-03](/img/product_docs/policypak/policypak/startscreentaskbar/724_5_hf-936-img-03.webp) **NOTE:** If you don't like that page, you can pick a page… (NOT TESTED, but should work.) Special keywords can be found at this link. [https://www.prajwaldesai.com/create-shortcuts-for-configmgr-software-center/#:~:text=By%20default%20you%20will%20find,%5CCCM%5CSCClient.exe](https://www.prajwaldesai.com/create-shortcuts-for-configmgr-software-center/#httpswwwprajwaldesaicomcreate-shortcuts-for-configmgr-software-centertextby20default20you20will20find5cccm5cscclientexe). Finally, take the defaults… and/or change the ShortCut name to suit. -![724_7_hf-936-img-04](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/724_7_hf-936-img-04.webp) +![724_7_hf-936-img-04](/img/product_docs/policypak/policypak/startscreentaskbar/724_7_hf-936-img-04.webp) Final results should look like this… -![724_9_hf-936-img-05](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/724_9_hf-936-img-05.webp) +![724_9_hf-936-img-05](/img/product_docs/policypak/policypak/startscreentaskbar/724_9_hf-936-img-05.webp) diff --git a/docs/policypak/policypak/startscreentaskbar/settings/startscreen/overview.md b/docs/policypak/policypak/startscreentaskbar/settings/startscreen/overview.md index a912e2d0a5..b680f9f736 100644 --- a/docs/policypak/policypak/startscreentaskbar/settings/startscreen/overview.md +++ b/docs/policypak/policypak/startscreentaskbar/settings/startscreen/overview.md 
@@ -4,7 +4,7 @@ In the Quickstart, we created a collection by right-clicking within Endpoint Pol Screen Manager or Endpoint Policy Manager Taskbar Manager and selecting Add | New Collection as seen in Figure 32. -![collections_policy_settings](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings.webp) +![collections_policy_settings](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings.webp) Figure 32. Creating collections with Endpoint Policy Manager Start Screen & Taskbar Manager. @@ -13,7 +13,7 @@ previously, they hold policies that create Windows 10 groups. But a Endpoint Pol Screen Manager collection also defines how those groups will react. The two options for a Endpoint Policy Manager Start Screen Manager collection can be seen in Figure 33. -![quickstart_start_screen_manager_3](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/quickstart_start_screen_manager_3.webp) +![quickstart_start_screen_manager_3](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/quickstart_start_screen_manager_3.webp) Figure 33. Collections hold policies and specify the layout mode. @@ -26,7 +26,7 @@ your new groups. Users will not be able to modify the groups you assign. There are two layout size options for a Endpoint Policy Manager Start Screen Manager collection as shown in Figure 34. If you do not specify a layout size, the default will be Medium (Two Columns). -![collections_policy_settings_1](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_1.webp) +![collections_policy_settings_1](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_1.webp) Figure 34. Choosing a layout size. 
@@ -50,7 +50,7 @@ the Targeting Editor. Endpoint Policy Manager Start Screen & Taskbar Manager can group since the node is only available on the Computer side. In addition, Endpoint Policy Manager Start Screen & Taskbar Manager is only valid for Windows 8.1 and later. -![collections_policy_settings_2](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_2.webp) +![collections_policy_settings_2](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_2.webp) Figure 35. In this example, the Pak would only apply to Windows 10 machines when the machine is portable and the user is in the FABRIKAM\Traveling Sales Users group. @@ -74,7 +74,7 @@ Below are some real-world examples of of how you can use Item-Level Targeting. Close the editor when you are done. Note in Figure 36 that the icon for the policy or collection has changed to orange, which shows that it now has Item-Level Targeting. -![collections_policy_settings_3](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_3.webp) +![collections_policy_settings_3](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_3.webp) Figure 36. When the icon is orange, the entry has Item-Level Targeting. 
@@ -87,13 +87,13 @@ a Group Policy earlier called "My Important Apps." You can select "Change Group jump right into the Item-Level Targeting Editor, or click "Edit Group," as shown in Figure 37 to see all Group options (including Item-Level Targeting). -![collections_policy_settings_4](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_4.webp) +![collections_policy_settings_4](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_4.webp) Figure 37. Clicking on "Edit Group" will enable you to see all group level options. The group level options can be seen in Figure 38. -![collections_policy_settings_5](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_5.webp) +![collections_policy_settings_5](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_5.webp) Figure 38. Endpoint Policy Manager Start Screen Manager groups have various options you can configure. diff --git a/docs/policypak/policypak/startscreentaskbar/settings/startscreen/placeholder.md b/docs/policypak/policypak/startscreentaskbar/settings/startscreen/placeholder.md index e14e2974d8..76fdb9b4d1 100644 --- a/docs/policypak/policypak/startscreentaskbar/settings/startscreen/placeholder.md +++ b/docs/policypak/policypak/startscreentaskbar/settings/startscreen/placeholder.md 
@@ -11,21 +11,21 @@ exist on the endpoint. Option 1 - Gap: In Figure 39 blank areas that have been "gapped" are highlighted in red. This is where the icons would go when the application is correctly deployed to the endpoint. -![collections_policy_settings_6](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_6.webp) +![collections_policy_settings_6](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_6.webp) Figure 39. Using the gap placeholder mode. Option 2 - Edge Link: In Figure 40, missing applications are noted with the words "Missing Application" (highlighted in red). -![collections_policy_settings_7](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_7.webp) +![collections_policy_settings_7](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_7.webp) Figure 40. Using the Edge link placeholder mode. When you click the Missing Application tile, you are alerted to the nature of the error, as shown in Figure 41. -![collections_policy_settings_8](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_8.webp) +![collections_policy_settings_8](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_8.webp) Figure 41. Details of an error when Edge tiles are used. 
@@ -38,7 +38,7 @@ application icon, and it evaluates to FALSE, then the result is always a gap. Fo wanted Adobe Reader to only appear when the machine was a laptop, but you were really using a desktop (evaluated with Item-Level Targeting), then the result would be as shown in Figure 42. -![collections_policy_settings_9](../../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_9.webp) +![collections_policy_settings_9](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/collections_policy_settings_9.webp) Figure 42. Applications with Item-Level Targeting evaluating to FALSE will always have a gap. diff --git a/docs/policypak/policypak/startscreentaskbar/settings/taskbar.md b/docs/policypak/policypak/startscreentaskbar/settings/taskbar.md index dc524fb718..2cb5bde9c7 100644 --- a/docs/policypak/policypak/startscreentaskbar/settings/taskbar.md +++ b/docs/policypak/policypak/startscreentaskbar/settings/taskbar.md 
@@ -6,13 +6,13 @@ Manager or Endpoint Policy Manager Taskbar Manager and selecting Add | New Colle collection options, you can right-click on the name of the collection and select "Edit Collection," as seen in Figure 43. -![collections_policy_settings_10](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_10.webp) +![collections_policy_settings_10](/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_10.webp) Figure 43. Editing collections for Taskbar Manager. The Endpoint Policy Manager Taskbar Manager Pinned Collection Editor can be seen in Figure 44. -![collections_policy_settings_11](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_11.webp) +![collections_policy_settings_11](/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_11.webp) Figure 44. Endpoint Policy Manager Taskbar Manager Pinned Collection Editor options. @@ -30,7 +30,7 @@ The fields inside the Taskbar Manager Pinned Collection Editor are as follows: changed. If no pinned applications are also in Start Menu groups, then a URL is used as a fallback display. The icon is then simply a URL within an advertised group. -![collections_policy_settings_12](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_12.webp) +![collections_policy_settings_12](/img/product_docs/policypak/policypak/startscreentaskbar/settings/collections_policy_settings_12.webp) Figure 45. Pinned desktop icons will appear in the Endpoint Policy Manager Start Screen Manager advertisement group, or a group of your choice. diff --git a/docs/policypak/policypak/startscreentaskbar/startscreen/desktopapplications.md b/docs/policypak/policypak/startscreentaskbar/startscreen/desktopapplications.md index 8e0445a0ba..3f8a1145e4 100644 
--- a/docs/policypak/policypak/startscreentaskbar/startscreen/desktopapplications.md +++ b/docs/policypak/policypak/startscreentaskbar/startscreen/desktopapplications.md @@ -6,7 +6,7 @@ Next, you'll add a desktop application. you add a new desktop application tile, you'll get a wizard asking you the source of the desktop application, as shown in Figure 18. -![quickstart_start_screen_manager_13](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_13.webp) +![quickstart_start_screen_manager_13](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_13.webp) Figure 18. The Endpoint Policy Manager Start Screen Manager Desktop Application Tile wizard has three methods you can choose. @@ -24,14 +24,14 @@ three methods you can choose. For this Quickstart, select "Registered application (recommended)," and then click "Next." Then select Adobe Acrobat from the list (shown in Figure 19) and click "Next." -![quickstart_start_screen_manager_14](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_14.webp) +![quickstart_start_screen_manager_14](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_14.webp) Figure 19. Selecting a registered application from the machine. **Step 3 –** Then you can select the specifics for the tile, namely the tile position and the tile size, as seen in Figure 20. -![quickstart_start_screen_manager_15](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_15.webp) +![quickstart_start_screen_manager_15](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_15.webp) Figure 20. Desktop Applications can have two tile sizes. 
@@ -48,13 +48,13 @@ place your tile within the group with a little experimentation. sizes.) For this Quickstart, select the "Medium" size and then click "Next." On the Finish page, choose a policy name, such as "Acro Reader," as shown in Figure 21, and click "Finish." -![quickstart_start_screen_manager_16](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_16.webp) +![quickstart_start_screen_manager_16](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_16.webp) Figure 21. The policy name you select is the internal "display name" of the policy you just created. The Start Screen icon policy you created can be seen in Figure 22. -![quickstart_start_screen_manager_17](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_17.webp) +![quickstart_start_screen_manager_17](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_17.webp) Figure 22. The Endpoint Policy Manager Start Screen Manager policy is contained within the collection. diff --git a/docs/policypak/policypak/startscreentaskbar/startscreen/edgetiles.md b/docs/policypak/policypak/startscreentaskbar/startscreen/edgetiles.md index 148a29de14..94c656b5dd 100644 --- a/docs/policypak/policypak/startscreentaskbar/startscreen/edgetiles.md +++ b/docs/policypak/policypak/startscreentaskbar/startscreen/edgetiles.md 
@@ -6,25 +6,25 @@ Next, you'll add an Edge tile. 23.  Note that this is a legacy feature and is scheduled to be depreciated as it is for the old version of Edge. -![quickstart_start_screen_manager_18](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_18.webp) +![quickstart_start_screen_manager_18](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_18.webp) Figure 23. Adding Edge tile policies. **Step 2 –** You can type in a URL or click "Select from favorites," as shown in Figure 24. -![quickstart_start_screen_manager_19](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_19.webp) +![quickstart_start_screen_manager_19](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_19.webp) Figure 24. Specifying the display name and URL for an Edge tile. **Step 3 –** You can change the size and color as you wish, as shown in Figure 25. -![quickstart_start_screen_manager_20](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_20.webp) +![quickstart_start_screen_manager_20](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_20.webp) Figure 25. Changing the background color of the icon. **Step 4 –** The result of adding an Edge tile can be seen in Figure 26. -![quickstart_start_screen_manager_21](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_21.webp) +![quickstart_start_screen_manager_21](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_21.webp) Figure 26. The Edge tile appears in the policy list. 
@@ -33,6 +33,6 @@ The result of adding three Start Screen Manager icons in your Start Screen Manag Figure 27. Note that recent builds of Endpoint Policy Manager Start Screen & Taskbar Manager require you to log off and log on again to see the Start Menu changes. -![quickstart_start_screen_manager_22](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_22.webp) +![quickstart_start_screen_manager_22](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_22.webp) Figure 27. The application tiles inside the new group. diff --git a/docs/policypak/policypak/startscreentaskbar/startscreen/overview.md b/docs/policypak/policypak/startscreentaskbar/startscreen/overview.md index 07192e1bb7..9ac363279f 100644 --- a/docs/policypak/policypak/startscreentaskbar/startscreen/overview.md +++ b/docs/policypak/policypak/startscreentaskbar/startscreen/overview.md @@ -1,7 +1,7 @@ # Quick Start - Start Screen Manager **NOTE:** For some video overviews of Start Screen & Taskbar Manager, see Start Screen & Task Bar -Manager > [Video Learning Center](../overview/videolearningcenter.md). +Manager > [Video Learning Center](/docs/policypak/policypak/startscreentaskbar/overview/videolearningcenter.md). If you want to follow along with this Quickstart guide for Start Screen Manager, we suggest you first download some applications on your Windows 10 management station and your endpoint. Start 
@@ -16,7 +16,7 @@ endpoint. You should be able to see Acrobat Reader in the Start Menu, as shown in Figure 5. -![quickstart_start_screen_manager](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager.webp) +![quickstart_start_screen_manager](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager.webp) Figure 5. Adobe Reader is installed on the GPMC machine and the Windows 10 Endpoint. diff --git a/docs/policypak/policypak/startscreentaskbar/startscreen/uwpapplications.md b/docs/policypak/policypak/startscreentaskbar/startscreen/uwpapplications.md index fd7920eb88..94719292d8 100644 --- a/docs/policypak/policypak/startscreentaskbar/startscreen/uwpapplications.md +++ b/docs/policypak/policypak/startscreentaskbar/startscreen/uwpapplications.md @@ -14,7 +14,7 @@ two things: server with few UWP applications, click "Include common apps" to see many Windows 10 built-in apps. For this Quickstart example, select Calculator, as seen in Figure 14. -![quickstart_start_screen_manager_9](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_9.webp) +![quickstart_start_screen_manager_9](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_9.webp) Figure 14. Picking UWP applications from a common list or from your machine. 
@@ -25,18 +25,18 @@ can select "Custom Universal Windows Platform application," then input the ID. **Step 3 –** Next, in the tile settings window, you'll see that UWP applications have four possible sizes. For this Quickstart, select the largest tile size, as shown in Figure 15, and click "Next." -![quickstart_start_screen_manager_10](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_10.webp) +![quickstart_start_screen_manager_10](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_10.webp) Figure 15. UWP applications have four icon tile sizes. **Step 4 –** Next, type a policy name, as seen in Figure 16, and click "Finish." -![quickstart_start_screen_manager_11](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_11.webp) +![quickstart_start_screen_manager_11](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_11.webp) Figure 16. Specifying the UWP policy name. **Step 5 –** You'll see the UWP application icon entry, as shown in Figure 17. -![quickstart_start_screen_manager_12](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_12.webp) +![quickstart_start_screen_manager_12](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_12.webp) Figure 17. The UWP application icon entry. diff --git a/docs/policypak/policypak/startscreentaskbar/startscreen/windows10.md b/docs/policypak/policypak/startscreentaskbar/startscreen/windows10.md index 1db19f70a7..5bd2d32232 100644 --- a/docs/policypak/policypak/startscreentaskbar/startscreen/windows10.md +++ b/docs/policypak/policypak/startscreentaskbar/startscreen/windows10.md 
@@ -5,13 +5,13 @@ which is linked to the Sales OU, which contains user accounts. Now, in User Conf Policy Manager | Start Screen Manager for Windows 10, select Add | New Collection, as seen in Figure 6. -![quickstart_start_screen_manager_1](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_1.webp) +![quickstart_start_screen_manager_1](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_1.webp) Figure 6. Creating a new collection using Endpoint Policy Manager Start Screen Manager. **Step 2 –** Next, you'll see the "Add new collection" dialog, as shown in Figure 7. -![quickstart_start_screen_manager_2](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_2.webp) +![quickstart_start_screen_manager_2](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_2.webp) Figure 7. Endpoint Policy Manager Start Screen Manager collections are used to group together policies and configure the layout mode of all the groups. 
@@ -25,13 +25,13 @@ assign. **Step 3 –** Let's select the "Partial (Preserve)" layout mode and click "OK" as shown in Figure 8. -![quickstart_start_screen_manager_3](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/quickstart_start_screen_manager_3.webp) +![quickstart_start_screen_manager_3](/img/product_docs/policypak/policypak/startscreentaskbar/settings/startscreen/quickstart_start_screen_manager_3.webp) Figure 8. Selecting the "Partial (Preserve)" layout mode. You'll see the collection created in both panels in Figure 9. -![quickstart_start_screen_manager_4](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_4.webp) +![quickstart_start_screen_manager_4](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_4.webp) Figure 9. A Endpoint Policy Manager Start Screen Manager collection can be seen in both MMC pane views. 
@@ -39,13 +39,13 @@ views. **Step 4 –** Double-click "Collection 1" to enter it. Then, right-click and select Add | New Group, as shown in Figure 10. -![quickstart_start_screen_manager_5](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_5.webp) +![quickstart_start_screen_manager_5](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_5.webp) Figure 10. Endpoint Policy Manager Start Screen groups must be added to collections. **Step 5 –** Next, you'll see the Start Screen Tile Group Editor, shown in Figure 11. -![quickstart_start_screen_manager_6](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_6.webp) +![quickstart_start_screen_manager_6](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_6.webp) Figure 11. The Start Screen Tile Group Editor is used to edit the Windows 10 Start Screen group. @@ -74,7 +74,7 @@ The fields inside the Group Editor are as follows: the remainder of the details as shown, click "OK" to continue. Now you'll see a policy entry for the group "My important apps" as shown in Figure 12. -![quickstart_start_screen_manager_7](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_7.webp) +![quickstart_start_screen_manager_7](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_7.webp) Figure 12. A Start Screen group called "My important apps" is created on the end user's machine. 
@@ -82,7 +82,7 @@ Figure 12. A Start Screen group called "My important apps" is created on the end you'll add one of each of the icon types (universal [UWP] application tile, desktop application tile, and Edge tile), by right-clicking and selecting "Add to Group," as seen in Figure 13. -![quickstart_start_screen_manager_8](../../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_8.webp) +![quickstart_start_screen_manager_8](/img/product_docs/policypak/policypak/startscreentaskbar/startscreen/quickstart_start_screen_manager_8.webp) Figure 13. Use the MMC editor to add a new universal (UWP) application tile, desktop application tile, and new Edge tile. diff --git a/docs/policypak/policypak/startscreentaskbar/taskbar.md b/docs/policypak/policypak/startscreentaskbar/taskbar.md index 626ba1a1cf..7c158271da 100644 --- a/docs/policypak/policypak/startscreentaskbar/taskbar.md +++ b/docs/policypak/policypak/startscreentaskbar/taskbar.md @@ -3,7 +3,7 @@ Now you're ready to create Netwrix Endpoint Policy Manager (formerly PolicyPak) Taskbar policies. **NOTE:** For a video overview of Taskbar Manager, see -[](https://www.policypak.com/products/policypak-start-screen-manager.html)[Endpoint Policy Taskbar Manager: Quick Demo](../video/startscreentaskbar/demotaskbar.md). +[](https://www.policypak.com/products/policypak-start-screen-manager.html)[Endpoint Policy Taskbar Manager: Quick Demo](/docs/policypak/policypak/video/startscreentaskbar/demotaskbar.md). Like the Endpoint Policy Manager Start Menu policies, Endpoint Policy Manager Taskbar Manager policies also must reside within collections. 
@@ -12,7 +12,7 @@ policies also must reside within collections. Manager nodes in the Group Policy Editor. Then right-click to open the Taskbar Manager to create your first Endpoint Policy Manager Taskbar Manager collection, as shown in Figure 28. -![quickstart_taskbar_manager](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager.webp) +![quickstart_taskbar_manager](/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager.webp) Figure 28. The Endpoint Policy Manager Taskbar Manager Collection Editor. @@ -26,7 +26,7 @@ the Action field values are the following: **Step 3 –** Next, within the collection, you can add items like those shown in Figure 29. -![quickstart_taskbar_manager_1](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_1.webp) +![quickstart_taskbar_manager_1](/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_1.webp) Figure 29. Adding universal (UWP) or desktop application policies. 
@@ -36,14 +36,14 @@ application. For testing purposes, you should select Calculator or Alarms & Cloc you'll see the two items inside the Endpoint Policy Manager Taskbar Manager collection shown in Figure 30. -![quickstart_taskbar_manager_2](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_2.webp) +![quickstart_taskbar_manager_2](/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_2.webp) Figure 30. Taskbar policies are contained within collections. **Step 5 –** On the endpoint, run GPUpdate and then log off and log on again to get the policy settings. The result can be seen in Figure 31. -![quickstart_taskbar_manager_3](../../../../static/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_3.webp) +![quickstart_taskbar_manager_3](/img/product_docs/policypak/policypak/startscreentaskbar/quickstart_taskbar_manager_3.webp) Figure 31. Policy settings applied after using PolicyPak Taskbar Manager "Replace" mode. diff --git a/docs/policypak/policypak/tips/emailoptout.md b/docs/policypak/policypak/tips/emailoptout.md index 6a6941a210..2b4e51f236 100644 --- a/docs/policypak/policypak/tips/emailoptout.md +++ b/docs/policypak/policypak/tips/emailoptout.md @@ -30,4 +30,4 @@ establish another email address and use that. We at Endpoint Policy Manager have a responsibility for ensuring that some communications get to you, and agree to do our best. It's up to you if you wish to actively block these emails. -![693_1_faq2](../../../../static/img/product_docs/policypak/policypak/tips/693_1_faq2.webp) +![693_1_faq2](/img/product_docs/policypak/policypak/tips/693_1_faq2.webp) diff --git a/docs/policypak/policypak/tips/embedclient.md b/docs/policypak/policypak/tips/embedclient.md index 64403a02f9..36cfccee07 100644 --- a/docs/policypak/policypak/tips/embedclient.md +++ b/docs/policypak/policypak/tips/embedclient.md 
@@ -14,7 +14,7 @@ improvements and fixes. - If you are using VDI, you will have to keep the master image updated from time to time. - If you're using standard machines you will have to use SCCM, PDQ Deploy, or Netwrix Endpoint Policy Manager (formerly PolicyPak)'s own auto-updater mechanism. You can see this in action in - this video ([Auto-updating the CSE](../video/install/autoupdate.md)) and read more about it in + this video ([Auto-updating the CSE](/docs/policypak/policypak/video/install/autoupdate.md)) and read more about it in Appendix Book A in the Endpoint Policy Manager Manuals. ## For Endpoint Policy Manager Cloud Edition: @@ -24,7 +24,7 @@ Endpoint Policy Manager Cloud. You use your company's Endpoint Policy Manager Cl installs the Endpoint Policy Manager Cloud Client, consumes a Endpoint Policy Manager Cloud license, and then installs the latest Endpoint Policy Manager Client Side Extension (or whatever the Client Side Extension level you have set the GROUP membership to, as explained in this video: -[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](../video/cloud/groups.md)) +[Endpoint Policy Manager Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates](/docs/policypak/policypak/video/cloud/groups.md)) You cannot pre-install the Endpoint Policy Manager Cloud client, because future machines based upon the image will get confused and NOT consume a new license from Endpoint Policy Manager Cloud. 
@@ -55,9 +55,9 @@ have it work. If you want to use Endpoint Policy Manager with VDI, you must foll of the knowledgebase articles directly below, or use the Endpoint Policy Manager Group Policy Edition and license an on-prem domain / OU. -[How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](../integration/azurevirutaldesktop.md) +[How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](/docs/policypak/policypak/integration/azurevirutaldesktop.md) -[How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](../integration/vdisolutions.md) +[How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](/docs/policypak/policypak/integration/vdisolutions.md) While it will technically work, you are expressly forbidden by the EULA to attempt to install the Endpoint Policy Manager Cloud client (which will install the Endpoint Policy Manager Client Side diff --git a/docs/policypak/policypak/tips/eventlogs.md b/docs/policypak/policypak/tips/eventlogs.md index 63b2e6339a..3753682055 100644 --- a/docs/policypak/policypak/tips/eventlogs.md +++ b/docs/policypak/policypak/tips/eventlogs.md 
@@ -6,9 +6,9 @@ event logs, and maybe you already know about on-prem Event Forwarding. **NOTE:** If you want to learn more about on-prem Event Forwarding, you can see my Walkthrough of that here -[Using Windows Event Forwarding to search for interesting events](../video/leastprivilege/windowseventforwarding.md) +[Using Windows Event Forwarding to search for interesting events](/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md) and -[How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](../leastprivilege/windowseventforwarding.md). +[How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md). But how do we take on-prem events from Windows 10 (or Windows Server) and get the up to the cloud for later analysis? If you have 24, 250, or 25,000 domain joined (or even NON-domain joined) 
@@ -46,13 +46,13 @@ or whatever … they'll send their event logs to their workspaces. **Step 1 –** To get started use the big search thingie to find "Log Analytics workspaces" like what's seen here. -![f5f03570b7ec45-img-01](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7ec45-img-01.webp) +![f5f03570b7ec45-img-01](/img/product_docs/policypak/policypak/tips/f5f03570b7ec45-img-01.webp) Then, there's a little Wizard (not shown) to help you get started. Basically it's asking you for names and which Azure region you want to keep the data in. Then after it gets going you'll see "Your deployment is underway" like what's seen here. -![f5f03570bb83ef-img-02](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bb83ef-img-02.webp) +![f5f03570bb83ef-img-02](/img/product_docs/policypak/policypak/tips/f5f03570bb83ef-img-02.webp) **Step 2 –** Then you should be thrown into the Advanced settings like what's seen here. If not, find the Workspace you just created and click Advanced in the left-side menu. It should get you to @@ -60,7 +60,7 @@ this place. Note then the "WORKSPACE ID" and "PRIMARY KEY" like what's seen here you'll need these in a bit. Then also download the Windows Agent 64-bit or 32-bit to get started for your example machines. -![f5f03570bb8f55-img-03](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bb8f55-img-03.webp) +![f5f03570bb8f55-img-03](/img/product_docs/policypak/policypak/tips/f5f03570bb8f55-img-03.webp) In this example, we'll be installing the LA Agent by hand on a test machine. In real life you could use, say Windows Intune to deploy it with command line options to just chuck in your Workspace ID 
@@ -73,43 +73,43 @@ magical connector to accept event logs to LA; and you shouldn't need to use this a blog [https://www.mdmandgpanswers.com/blogs/view-blog/windows-10-and-server-event-logs-to-azure-log-analytics-walkthru](https://www.mdmandgpanswers.com/blogs/view-blog/windows-10-and-server-event-logs-to-azure-log-analytics-walkthru)) -![f5f03570bc2bfc-img-04](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bc2bfc-img-04.webp) +![f5f03570bc2bfc-img-04](/img/product_docs/policypak/policypak/tips/f5f03570bc2bfc-img-04.webp) **Step 4 –** Then, Up, Up and away. Launch the agent.. which requires admin rights. (Or, pro tip: Use Endpoint Policy Manager Scripts to install it automatically where the script is -elevated.[Endpoint Policy ManagerScripts .. Deploy Software via VPN or with Endpoint Policy Manager Cloud](../video/scriptstriggers/cloud.md) +elevated.[Endpoint Policy ManagerScripts .. Deploy Software via VPN or with Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/scriptstriggers/cloud.md) **Step 5 –** You'll need to select "Connect the agent to Azure Log Analytics (OMS)" like what's seen here. -![f5f03570bad3be-img-05](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bad3be-img-05.webp) +![f5f03570bad3be-img-05](/img/product_docs/policypak/policypak/tips/f5f03570bad3be-img-05.webp) **Step 6 –** Then, it's time to chuck in your Workspace ID and Workspace Key. And you'll likely keep the default of Azure Cloud: Azure Commercial. Pull the pulldown if you have something unusual to select here. -![f5f03570bbca1c-img-06](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bbca1c-img-06.webp) +![f5f03570bbca1c-img-06](/img/product_docs/policypak/policypak/tips/f5f03570bbca1c-img-06.webp) **Step 7 –** Yes, you want to check for updates when MS Update kicks in…. 
-![f5f03570bc37d5-img-07](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bc37d5-img-07.webp) +![f5f03570bc37d5-img-07](/img/product_docs/policypak/policypak/tips/f5f03570bc37d5-img-07.webp) **Step 8 –** And.. you're basically done. -![f5f03570be8938-img-08](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570be8938-img-08.webp) +![f5f03570be8938-img-08](/img/product_docs/policypak/policypak/tips/f5f03570be8938-img-08.webp) **Step 9 –** Now let's make sure we're talking in both directions. The Microsoft Monitoring Agent is found in Control Panel… which is a weird place, but, hey… that's okay. -![f5f03570be4088-img-09](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570be4088-img-09.webp) +![f5f03570be4088-img-09](/img/product_docs/policypak/policypak/tips/f5f03570be4088-img-09.webp) **Step 10 –** Then click the Azure Log Analytics (OMS) tab and … see you're talking outbound. -![f5f03570bec541-img-10](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bec541-img-10.webp) +![f5f03570bec541-img-10](/img/product_docs/policypak/policypak/tips/f5f03570bec541-img-10.webp) **Step 11 –** Back in Azure, in the Advanced Settings page, the zero should be one ! -![f5f03570bdece8-img-11](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bdece8-img-11.webp) +![f5f03570bdece8-img-11](/img/product_docs/policypak/policypak/tips/f5f03570bdece8-img-11.webp) **Step 12 –** Now it's time to add in the actual event logs you want to capture. Note that the more you capture, the more you pay. Strictly speaking for the Endpoint Policy Manager customer I made 
@@ -118,48 +118,48 @@ But just for completeness and testing, I'll capture some more too, since you mig Endpoint Policy Manager Log. (And, why don't you!? Come on over and check out Endpoint Policy Manager for Pete's sake. Really, your sake to be honest.) -![f5f03570bc37d5-img-12](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bc37d5-img-12.webp) +![f5f03570bc37d5-img-12](/img/product_docs/policypak/policypak/tips/f5f03570bc37d5-img-12.webp) **Step 13 –** So just type Application then +. Then System and + and bingo. Those are "well known" logs which LA knows about and pre-populates this list. But Endpoint Policy Manager? Not as common.. (Yet !) Therefore you could take a guess that our event logs are named Endpoint Policy Manager (they are…). But how would you know? -![f5f03570be8938-img-13](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570be8938-img-13.webp) +![f5f03570be8938-img-13](/img/product_docs/policypak/policypak/tips/f5f03570be8938-img-13.webp) **Step 14 –** The trick is to find the log you want to capture in Windows, and go to its properties and get its Full Name like what's seen here. Yeah, this one was easy. -![f5f03570be4088-img-14](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570be4088-img-14.webp) +![f5f03570be4088-img-14](/img/product_docs/policypak/policypak/tips/f5f03570be4088-img-14.webp) But some are harder. I also wanted to capture the MDM event log which has a goofy and weird name. To get it, I went into an Event inside that log and captured its name microsoft-windows-devicemanagement-enterprise-diagnostics-provider/Operational and its brother microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin. 
-![f5f03570bec541-img-15](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bec541-img-15.webp) +![f5f03570bec541-img-15](/img/product_docs/policypak/policypak/tips/f5f03570bec541-img-15.webp) You can see that second log here… -![f5f03570bdece8-img-16](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570bdece8-img-16.webp) +![f5f03570bdece8-img-16](/img/product_docs/policypak/policypak/tips/f5f03570bdece8-img-16.webp) **Step 15 –** Once I pasted in all the logs and added them, I clicked Save and got this! -![f5f03570b7ec3c-img-17](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7ec3c-img-17.webp) +![f5f03570b7ec3c-img-17](/img/product_docs/policypak/policypak/tips/f5f03570b7ec3c-img-17.webp) ## Data.. data? Do we have data ? **Step 1 –** Click on Logs and close the sample queries. Let's just see what have. All of it (which shouldn't be much.) -![f5f03570b7ee5e-img-18](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7ee5e-img-18.webp) +![f5f03570b7ee5e-img-18](/img/product_docs/policypak/policypak/tips/f5f03570b7ee5e-img-18.webp) **Step 2 –** In the top box, type SEARCH **Step 3 –** Then click Run. Bingo.. out should pop all the events that have been captured. You can change the Display Time to make sure that you're getting the right events, right now. -![f5f03570b7e690-img-19](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7e690-img-19.webp) +![f5f03570b7e690-img-19](/img/product_docs/policypak/policypak/tips/f5f03570b7e690-img-19.webp) **Step 4 –** It took a little while for the non-well-known logs to show up. But maybe it will work faster for you than for me. If you want to give it a shot and try your non-well-known logs, like 
@@ -171,12 +171,12 @@ this, give it a go. Pow! Here come your logs. -![f5f03570b7ed35-img-20](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7ed35-img-20.webp) +![f5f03570b7ed35-img-20](/img/product_docs/policypak/policypak/tips/f5f03570b7ed35-img-20.webp) Then I can also dig into an event, and … hey look ! EastSalesUser1 ran Procmon, and Endpoint Policy Manager did the elevation ! Amazeballs ! -![f5f03570b7e4f0-img-21](../../../../static/img/product_docs/policypak/policypak/tips/f5f03570b7e4f0-img-21.webp) +![f5f03570b7e4f0-img-21](/img/product_docs/policypak/policypak/tips/f5f03570b7e4f0-img-21.webp) That's it. Well, that's basics anyway. diff --git a/docs/policypak/policypak/tips/folderredirection.md b/docs/policypak/policypak/tips/folderredirection.md index cdc4d97962..e1b7e7fc9c 100644 --- a/docs/policypak/policypak/tips/folderredirection.md +++ b/docs/policypak/policypak/tips/folderredirection.md @@ -78,12 +78,12 @@ Video tip for adding ADMX files to your Central Store: [https://www.youtube.com/watch?v=Op7hAvc5a0M](https://www.youtube.com/watch?v=Op7hAvc5a0M) Video tip for adding ADMX files to your Endpoint Policy Manager -Cloud:[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](../video/cloud/admxfiles.md) +Cloud:[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md) The policy settings you might want to use are… -![590_1_img-1](../../../../static/img/product_docs/policypak/policypak/tips/590_1_img-1.webp) +![590_1_img-1](/img/product_docs/policypak/policypak/tips/590_1_img-1.webp) and / or -![590_2_img-2](../../../../static/img/product_docs/policypak/policypak/tips/590_2_img-2.webp) +![590_2_img-2](/img/product_docs/policypak/policypak/tips/590_2_img-2.webp) 
diff --git a/docs/policypak/policypak/tips/mmcdisplay.md b/docs/policypak/policypak/tips/mmcdisplay.md index 632cb2c5e3..b24869f21d 100644 --- a/docs/policypak/policypak/tips/mmcdisplay.md +++ b/docs/policypak/policypak/tips/mmcdisplay.md @@ -7,4 +7,4 @@ station. This policy doesn't need to hit the end-points.. just the admin machine. -![603_1_faq-5-img-1](../../../../static/img/product_docs/policypak/policypak/tips/603_1_faq-5-img-1.webp) +![603_1_faq-5-img-1](/img/product_docs/policypak/policypak/tips/603_1_faq-5-img-1.webp) diff --git a/docs/policypak/policypak/tips/onpremisecloud.md b/docs/policypak/policypak/tips/onpremisecloud.md index 562cbe07d0..9ffb274db3 100644 --- a/docs/policypak/policypak/tips/onpremisecloud.md +++ b/docs/policypak/policypak/tips/onpremisecloud.md @@ -9,4 +9,4 @@ Group Policy or SCCM to deliver your setting. All policies are simply merged together. If there's a conflict, the on-premise directive (say, using Group Policy) wins. -![609_1_img19-deliveryconflict005-resized-450px](../../../../static/img/product_docs/policypak/policypak/tips/609_1_img19-deliveryconflict005-resized-450px.webp) +![609_1_img19-deliveryconflict005-resized-450px](/img/product_docs/policypak/policypak/tips/609_1_img19-deliveryconflict005-resized-450px.webp) diff --git a/docs/policypak/policypak/tips/thirdpartyadvice.md b/docs/policypak/policypak/tips/thirdpartyadvice.md index 94d2b082b1..5fd1f8988e 100644 --- a/docs/policypak/policypak/tips/thirdpartyadvice.md +++ b/docs/policypak/policypak/tips/thirdpartyadvice.md 
@@ -13,15 +13,15 @@ guidance. **NOTE:** That note all STIG guidance is convertible into Endpoint Policy Manager Application Manager format, so we only convert the ones that make sense. -![539_1_image-20200219201318-1_950x682](../../../../static/img/product_docs/policypak/policypak/tips/539_1_image-20200219201318-1_950x682.webp) +![539_1_image-20200219201318-1_950x682](/img/product_docs/policypak/policypak/tips/539_1_image-20200219201318-1_950x682.webp) You can investigate this whole process end-to-end by watching -[Import STIG files to make your applications more secure](../video/gpocompilancereporter/importstig.md) +[Import STIG files to make your applications more secure](/docs/policypak/policypak/video/gpocompilancereporter/importstig.md) on how to consume the converted STIG information: Then, you can also use Endpoint Policy Manager Group Policy Compliance Reporter (Free version) to verify that your settings delivered via Endpoint Policy Manager Application Manager were delivered -correctly.[Endpoint Policy Manager GP Compliance Reporter: Using an Existing GPO as a test](../video/gpocompilancereporter/existinggpos.md) +correctly.[Endpoint Policy Manager GP Compliance Reporter: Using an Existing GPO as a test](/docs/policypak/policypak/video/gpocompilancereporter/existinggpos.md) on that process. As already explained though, STIG conversion from its downloadable form from the DoD into Endpoint 
@@ -79,7 +79,7 @@ see if those settings actually applied. **Step 1 –** Use the Endpoint Policy Manager Merge Utility to locate CIS Benchmark GPOs with ADMX settings, and converting them to Endpoint Policy Manager Admin Templates Manager format. -([Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/administrativetemplates/reducegpos.md)) +([Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/administrativetemplates/reducegpos.md)) **Step 2 –** Once in Endpoint Policy Manager Admin Templates Manager format, use the Endpoint Policy Manager Group Policy Compliance Reporter (Free Version) to report on those converted settings. @@ -94,11 +94,11 @@ specific Users or Groups, on specific IP addresses, etc etc.). **Step 1 –** Use the Endpoint Policy Manager Merge Utility to locate CIS Benchmark GPOs with ADMX settings, and converting them to Endpoint Policy Manager Admin Templates Manager format. -([Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/administrativetemplates/reducegpos.md)) +([Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/administrativetemplates/reducegpos.md)) **Step 2 –** Once in Endpoint Policy Manager Admin Templates Manager format, take advantage of Item Level Targeting to specifically dictate where settings should be used -([Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](../video/administrativetemplates/collections.md)) +([Endpoint Policy Manager Admin Templates: Collections and Item Level Targeting](/docs/policypak/policypak/video/administrativetemplates/collections.md)) ### Endpoint Policy Manager + CIS Benchmarks Item #4: Export CIS Benchmarks for use with Endpoint Policy Manager Cloud or Endpoint Policy Manager MDM (for domain joined or non-domain joined machines.) 
@@ -117,9 +117,9 @@ MDM. The basics for how to take existing Group Policy settings (from CIS Benchmarks or any source) and use with Endpoint Policy Manager Cloud -[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](../video/cloud/deploy/grouppolicysettings.md). +[Endpoint Policy ManagerCloud: How to deploy Microsoft Group Policy Settings using Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/deploy/grouppolicysettings.md). The basics for how to take existing Group Policy settings (from CIS Benchmarks or any source) and use with Endpoint Policy Manager MDM can be found -[Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](../video/mdm/exportgpos.md) -and [Endpoint Policy Manager and Microsoft Intune](../video/mdm/microsoftintune.md). +[Reduce GPOs (and/or export them for use with Endpoint Policy Manager Cloud or with MDM)](/docs/policypak/policypak/video/mdm/exportgpos.md) +and [Endpoint Policy Manager and Microsoft Intune](/docs/policypak/policypak/video/mdm/microsoftintune.md). diff --git a/docs/policypak/policypak/troubleshooting/administrativetemplates/missingcollections.md b/docs/policypak/policypak/troubleshooting/administrativetemplates/missingcollections.md index a1dc29d791..156f6349e9 100644 --- a/docs/policypak/policypak/troubleshooting/administrativetemplates/missingcollections.md +++ b/docs/policypak/policypak/troubleshooting/administrativetemplates/missingcollections.md 
@@ -1,6 +1,6 @@ # I've created a collection in the Administrative Templates Manager and I've added policies to that collection. However, they are not showing up in the main window. -![705_1_2015-05-04_1402](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/705_1_2015-05-04_1402.webp) +![705_1_2015-05-04_1402](/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/705_1_2015-05-04_1402.webp) If your Admin Station is Windows 7, ensure you have .Net Framework 3.5 specifically installed on your management station. Later versions of .Net Framework are not compatible with Netwrix Endpoint diff --git a/docs/policypak/policypak/troubleshooting/administrativetemplates/settingsreport.md b/docs/policypak/policypak/troubleshooting/administrativetemplates/settingsreport.md index 948332bd31..c4d7094901 100644 --- a/docs/policypak/policypak/troubleshooting/administrativetemplates/settingsreport.md +++ b/docs/policypak/policypak/troubleshooting/administrativetemplates/settingsreport.md @@ -4,7 +4,7 @@ If you use Netwrix Endpoint Policy Manager (formerly PolicyPak) Admin Templates Collections or Items, you might not see them in the Group Policy Settings report, like what's seen here. -![494_1_image002](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/494_1_image002.webp) +![494_1_image002](/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/494_1_image002.webp) This is because the Endpoint Policy Manager Admin Console MSI (MMC snap-in) needs to be upgraded to at least version 753.Once you upgrade to Endpoint Policy Manager 
@@ -13,4 +13,4 @@ Admin Console MSI 753 you need to open and save each collection and policy. After that, reporting is written as seen here. (An example of a Policy in a Collection.) -![494_2_image0041](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/494_2_image0041.webp) +![494_2_image0041](/img/product_docs/policypak/policypak/troubleshooting/administrativetemplates/494_2_image0041.webp) diff --git a/docs/policypak/policypak/troubleshooting/antivirus.md b/docs/policypak/policypak/troubleshooting/antivirus.md index 7b6b3878a3..79f4724363 100644 --- a/docs/policypak/policypak/troubleshooting/antivirus.md +++ b/docs/policypak/policypak/troubleshooting/antivirus.md @@ -7,9 +7,9 @@ The VBscript examples we use are being detected...as just that. VBscripts in a z They are in this location, and sometimes they are caught, and sometimes they are not. -![756_1_img1](../../../../static/img/product_docs/policypak/policypak/troubleshooting/756_1_img1.webp) +![756_1_img1](/img/product_docs/policypak/policypak/troubleshooting/756_1_img1.webp) The example files we provide are examples to use or ignore. And, we even put it into the readme of the folder about the possibility of this file being seen by download filters. -![756_3_img2](../../../../static/img/product_docs/policypak/policypak/troubleshooting/756_3_img2.webp) +![756_3_img2](/img/product_docs/policypak/policypak/troubleshooting/756_3_img2.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md index 5bdc6981a5..73e525a3ce 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md 
@@ -7,15 +7,15 @@ applets), and Firefox. An example of hiding or disabling elements in a Win32 application can be seen here. -![applock9](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock9.webp) +![applock9](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock9.webp) AppLock works by hooking all processes and looking for a policy match and attempting to perform the UI hiding operation. You can learn more about AppLock at: -- [AppLock™ Modes](../../../applicationsettings/modes/applock.md) -- [The Superpowers](../../../video/applicationsettings/superpowers.md) +- [AppLock™ Modes](/docs/policypak/policypak/applicationsettings/modes/applock.md) +- [The Superpowers](/docs/policypak/policypak/video/applicationsettings/superpowers.md) It is generally advised to turn off AppLock if you are not using this feature as it can interfere with security software you might have on your endpoints. 
@@ -31,26 +31,26 @@ You can witness PPAppLockLdr64.dll injected into processes by using Process Expl be seen here with Win32 app NotepadP. Using the Process Explorer Search you may also look for other hooked processes with PPAppLockLdr64.dll. -![applock1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock1.webp) +![applock1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock1.webp) - For CSEs before 24.9, AppLock is ON, and you might want to turn it off because of interference or because you are directed by Endpoint Policy Manager support. - Starting with CSE 24.9, AppLock is OFF, and if you want to turn it on you may do so to restore the functionality if needed. -![applock4](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock4.webp) +![applock4](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock4.webp) In all cases AppLock is turned ON or OFF using the same ADMX setting. However, the ADMX setting has gone through a rename and a state change. 
Before continuing, please get familiar with how to use the Endpoint Policy Manager ADMX settings and also how to update them: -[Troubleshooting with ADMX files](../../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) If you're using an older set of ADMX settings, you will find a setting named "Disable Endpoint Policy Manager AppLock" (which exists on both User and Computer Side): -![applock5](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock5.webp) +![applock5](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock5.webp) When the "Disable Endpoint Policy Manager Applock(TM)" setting is set to "Enabled" this will TURN OFF the AppLock service for any CSEs. However, the state status of "Enabled" makes it unclear 
@@ -72,14 +72,14 @@ change better reflecting the goals for disabling the AppLock service. You will see this in a few places. When you edit the policy, you will notice the old policy is absent and replaced with the new policy name like what's seen here. -![applock3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock3.webp) +![applock3](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock3.webp) And, any existing GPOs with the old policy name will automatically start using the new policy name and new state. Here's an example GPO with the old name and old state: -![applock7](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock7.webp) +![applock7](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock7.webp) -![applock8](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock8.webp) +![applock8](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/applock8.webp) **NOTE:** You might need to close the GPMC and re-open it to have the GPMC refresh the ADMX / ADML files and reflect a change. Then re-run the GPO setting report to verify your change. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/extendedlogs.md b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/extendedlogs.md index bd84195fcb..6e0b283ffa 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/extendedlogs.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/extendedlogs.md 
@@ -4,7 +4,7 @@ Technical support may ask you to turn on extended AppLock™ logging if the lock working as expected. Navigate to `HKLM\SOFTWARE\PolicyPak\Config\AppLock` and set `ExtendedLogs `to a `REG_DWORD` value 1 of as seen in Figure 97. -![troubleshooting_policypak_1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_1.webp) +![troubleshooting_policypak_1](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_1.webp) Figure 97. The AppLock key will not exist by default and must be created before the value is set within it. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/someapplications.md b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/someapplications.md index a52cfdd98c..64bf10c992 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/applock/someapplications.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/applock/someapplications.md @@ -12,11 +12,11 @@ AppLock for Win32 applications AppLock can be managed on individual settings for applications like what's seen here. -![195_1_image003](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_1_image003.webp) +![195_1_image003](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_1_image003.webp) And also here. -![195_2_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_2_image004.webp) +![195_2_image004](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_2_image004.webp) Note that Endpoint Policy Manager AppLock options can only work on well-behaved Win32 applications. 
@@ -57,7 +57,7 @@ using ACL Lockdown. Video: -[ACL Lockdown for Registry Based Applications](../../../video/applicationsettings/acllockdown.md) +[ACL Lockdown for Registry Based Applications](/docs/policypak/policypak/video/applicationsettings/acllockdown.md) If you do this, it should prevent users from working around the item, even if the AppLock doesn't work. @@ -71,11 +71,11 @@ Java and Thunderbird. With all three applications, when you perform UI lockout, ALL users. And as such the Pak MUST be used on the COMPUTER Side (as seen here) or else the "Lockdown this setting using the system-wide config file" does not appear. -![195_3_image009](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_3_image009.webp) +![195_3_image009](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_3_image009.webp) This same option with the Java Paks. -![195_4_image010](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_4_image010.webp) +![195_4_image010](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/applock/195_4_image010.webp) The UI lockout mechanism is completely different for these applications versus Win32 applications and as such is treated differently. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/creation.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/creation.md index e8b9b0ffe7..c47fc52650 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/creation.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/creation.md 
@@ -16,7 +16,7 @@ Manager Creation Station utilities before installing your package and producing If you're using Windows 7 or Windows 8, the .NET Framework can be introduced through Add/Remove programs, as seen in Figure 1.1. -![387_1_image001](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_1_image001.webp) +![387_1_image001](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_1_image001.webp) Figure 1.1: Installing .NET Framework for Windows 7 (left) and Windows 8 (right) @@ -35,11 +35,11 @@ Manager Creation Station workstation. Any edition later than 2008 will work; you prerequisites onto your admin workstation. Note that this can take a long time. Also, if prompted, you do not need to install Silverlight, nor do you need the SQL Express Edition. -![387_2_image002](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_2_image002.webp) +![387_2_image002](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_2_image002.webp) Figure ‎1.2: You can download C++ 2010 Express Edition… -![387_3_image003](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_3_image003.webp) +![387_3_image003](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_3_image003.webp) Figure ‎1.3: …or Visual Studio 2013 Express. Be sure to select only the "Visual Studio Express 2013 for Windows Desktop" option. 
@@ -68,4 +68,4 @@ for Windows Desktop" option. Visual C++ Express Edition node and Endpoint Policy Manager Application Settings Manager nodes within the Start Menu, as seen here in this example station. -![387_4_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_4_image004.webp) +![387_4_image004](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/387_4_image004.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/localmissing.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/localmissing.md index 33a2c1e7cd..5bc076058e 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/localmissing.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/localmissing.md @@ -22,7 +22,7 @@ c:\Program Files\PolicyPak\Extensions (on 32-bit machines) If both conditions are true the DLL extensions stored at the location mentioned above may get deleted and you will see the error below. -![409_1_image002](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/409_1_image002.webp) +![409_1_image002](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/409_1_image002.webp) To Workaround: @@ -33,7 +33,7 @@ back after the upgrade CENTRAL STORE or SHARED STORE method. **Step 3 –** -[How can I use the Endpoint Policy ManagerCentral store (if I was already using the Endpoint Policy Manager Local store?)](../../../applicationsettings/centralstore.md). +[How can I use the Endpoint Policy ManagerCentral store (if I was already using the Endpoint Policy Manager Local store?)](/docs/policypak/policypak/applicationsettings/centralstore.md). This issue is fixed for any upgrade FROM 785 onwards, but it's not possible to fix "retroactively" as you upgrade to 785. 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/other.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/other.md index 003b2bf522..56d3c61083 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/other.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/other.md @@ -6,7 +6,7 @@ Here's an example that can illustrate the problem and the resolution. Assume you have a Group Policy Object named ORIG. When you do this, a GPO gets GUID like this. -![445_1_image001](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_1_image001.webp) +![445_1_image001](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_1_image001.webp) When you make a Netwrix Endpoint Policy Manager (formerly PolicyPak) entry, data is stored in the Group Policy Object. @@ -14,7 +14,7 @@ Group Policy Object. Then if you copy the Group Policy Object that data is copied with the Group Policy Object, but is now pointing to the original Group Policy Object. -![445_2_image003](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_2_image003.webp) +![445_2_image003](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_2_image003.webp) This is not a supported scenario using Endpoint Policy Manager Application Manager. 
@@ -28,11 +28,11 @@ The correct supported scenario using Endpoint Policy Manager Application Manager When you look at the settings report, what you want to see is that the REAL Group Policy Object's GUID… -![445_3_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_3_image004.webp) +![445_3_image004](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_3_image004.webp) That now matches the Group Policy Object's guts: -![445_4_image005](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_4_image005.webp) +![445_4_image005](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/445_4_image005.webp) If you already have this situation and need to get out of it, it's an easy fix: diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/storage.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/storage.md index 949a261048..aec25f268b 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/storage.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/storage.md @@ -9,4 +9,4 @@ Here's the rule of thumb: Here's a video on how to do that (using Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Manager) -[Using Shares to Store Your Paks (Share-Based Storage)](../../../video/applicationsettings/shares.md) +[Using Shares to Store Your Paks (Share-Based Storage)](/docs/policypak/policypak/video/applicationsettings/shares.md) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/unavailable.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/unavailable.md index e5662c24df..a9bc815308 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/unavailable.md 
+++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/unavailable.md @@ -6,11 +6,11 @@ settings, but not all settings in every application. For instance, in this AppSet (Microsoft Word 2010) you can see some areas which are not configurable. -![296_1_image001](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/296_1_image001.webp) +![296_1_image001](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/296_1_image001.webp) Sometimes, you might encounter a button that doesn't open another Window or have any function. -![296_2_image0051](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/296_2_image0051.webp) +![296_2_image0051](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/appset/296_2_image0051.webp) In these cases, Endpoint Policy Manager cannot manage these settings. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/updates.md b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/updates.md index 25b2012f95..177c654dbe 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/appset/updates.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/appset/updates.md 
@@ -6,7 +6,7 @@ needed. We typically update Java and Firefox and Internet Explorer right away as Most of the time, AppSets doesn't need any updates at all, even if the application's version number changes -[AppSets: How will I know that an existing AppSet will work with the version of the application I have today (and tomorrow)?](versionsupport.md) +[AppSets: How will I know that an existing AppSet will work with the version of the application I have today (and tomorrow)?](/docs/policypak/policypak/troubleshooting/applicationsettings/appset/versionsupport.md) Other times, an AppSet does need to be updated or fully re-made depending on the app (rare). diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/backup/overview.md b/docs/policypak/policypak/troubleshooting/applicationsettings/backup/overview.md index 92fbb6673d..0fcf7b9279 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/backup/overview.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/backup/overview.md @@ -16,7 +16,7 @@ Let's recall the three pieces that constitute Endpoint Policy Manager Applicatio ## Backup and Restore **NOTE:** Video: For an overview video of how to backup and restore, please see this -video:[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../../../video/troubleshooting/backup.md). +video:[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md). The three pieces that constitute Endpoint Policy Manager Application Settings Manager should be backed up in case of loss, failure, overwriting, or some other damage. Below, we describe some 
@@ -37,7 +37,7 @@ stored. The Endpoint Policy Manager Application Settings Manager data inside a GPO is backed up and restored with normal GPMC backup procedures, as seen in Figure 90. -![backup_restore_and_xml_export](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/backup/backup_restore_and_xml_export.webp) +![backup_restore_and_xml_export](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/backup/backup_restore_and_xml_export.webp) Figure 90. Backing up data with normal GPMC backup procedures. @@ -50,7 +50,7 @@ When restoring, the Endpoint Policy Manager Application Settings Manager data an ## Settings for XML Export and Import **NOTE:** For an overview of exporting and importing settings, please see this video: -[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../../../video/troubleshooting/backup.md) +[Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md) (at the 2 minute and 50 second mark). The exact settings you specified inside an AppSet within a GPO can be exported and imported. This @@ -62,7 +62,7 @@ administrator for later implementation. The idea of exporting is simple: use your AppSet, set your settings, click on the Options button, and then select "Export" to export the data, as seen in Figure 91. -![backup_restore_and_xml_export_1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/backup/backup_restore_and_xml_export_1.webp) +![backup_restore_and_xml_export_1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/backup/backup_restore_and_xml_export_1.webp) Figure 91. The exact settings you specified inside a Pak within a GPO can be exported and, later, imported by selecting one of these options. 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/basicsteps.md b/docs/policypak/policypak/troubleshooting/applicationsettings/basicsteps.md index 1841ff9084..7ee2075a2e 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/basicsteps.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/basicsteps.md @@ -55,7 +55,7 @@ Remember: Most pre-configured Paks ship with Pre-Defined Item Level Targeting. - This means the Pak is designed to only affect a specific version of the application. - You can bypass Internal Item Level Targeting in the Pak. - Refer to the following video - [Bypassing Internal Item Level Targeting Filters](../../video/applicationsettings/itemleveltargetingbypass.md) + [Bypassing Internal Item Level Targeting Filters](/docs/policypak/policypak/video/applicationsettings/itemleveltargetingbypass.md) to see how to bypass Internal Item Level Targeting. **Step 8 –** Did you use BLOCK INHERITENCE to block the Licensing GPO or block the GPO which is diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/homebuttonurl.md b/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/homebuttonurl.md index 90270a28f8..cd143f0741 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/homebuttonurl.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/chrome/homebuttonurl.md @@ -9,4 +9,4 @@ the New Tab Page, then this policy does not take effect. For Home Button URL to work, check and uncheck Use New Tab Page as homepage setting like shown in below screenshot: -![68_1_faq-pre-configured-pak-8](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/chrome/68_1_faq-pre-configured-pak-8.webp) +![68_1_faq-pre-configured-pak-8](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/chrome/68_1_faq-pre-configured-pak-8.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/entrysettings.md b/docs/policypak/policypak/troubleshooting/applicationsettings/entrysettings.md index 9f29b8b87b..474bfc1432 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/entrysettings.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/entrysettings.md @@ -11,4 +11,4 @@ specific. See this video to bypass the ILT: -[Bypassing Internal Item Level Targeting Filters](../../video/applicationsettings/itemleveltargetingbypass.md) +[Bypassing Internal Item Level Targeting Filters](/docs/policypak/policypak/video/applicationsettings/itemleveltargetingbypass.md) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md b/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md index 86e25200b7..c4cfa0b8a8 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/export/appset.md @@ -10,11 +10,11 @@ There are two ways to export AppSet settings. Here is what to do: -![358_1_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/128_4_image002.webp) +![358_1_image004](/img/product_docs/policypak/policypak/troubleshooting/128_4_image002.webp) ## Way #2 use when: - Exporting to be used with PPExporter (then on to SCCM, Intune, etc.) - Exporting to be used with Endpoint Policy Manager Cloud. -![358_2_image0022](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/export/358_2_image0022.webp) +![358_2_image0022](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/export/358_2_image0022.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md b/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md index 61b8eacc2d..9e246aa3cc 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/applicationshandlerfunction.md @@ -4,7 +4,7 @@ Managing Firefox with Netwrix Endpoint Policy Manager (formerly PolicyPak) enabl what external applications will open outside of Firefox. For instance opening up Adobe Reader instead of the internal reader, and so on. -![163_1_asdcvvfgfg](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_1_asdcvvfgfg.webp) +![163_1_asdcvvfgfg](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_1_asdcvvfgfg.webp) Here are some nuances of Firefox Application Handlers. @@ -13,7 +13,7 @@ Here are some nuances of Firefox Application Handlers. Here is the list of hard-coded handlers: -![163_2_2017-11-15_1433](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_2_2017-11-15_1433.webp) +![163_2_2017-11-15_1433](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_2_2017-11-15_1433.webp) For example, if you set PPAM FF Pak handler setting to the following value: 
@@ -38,7 +38,7 @@ some special meaning in Web (CSS, JS, etc.). The actual decision is made based o type, and not on file extension. In case of HTTP/HTTP surfing, Firefox usually uses MIME type returned in "Content-Type" response header: -![163_3_2017-12-13_1413](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_3_2017-12-13_1413.webp) +![163_3_2017-12-13_1413](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_3_2017-12-13_1413.webp) If MIME type is "text/plain", "text/html", "text/css", "image/jpeg", or any other special type file is opened internally. Even if "Content-Type" header is not set in web response, Firefox uses some @@ -52,7 +52,7 @@ The general rule of thumb here is the following: when there is no handler for th Firefox normally shows "Open with dialog" for this type, it fires Application Handler for the same type when there is a handler: -![163_4_2017-12-13_1422](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_4_2017-12-13_1422.webp) +![163_4_2017-12-13_1422](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_4_2017-12-13_1422.webp) 3. The actual behavior during Web surfing depends on MIME type for resource returned by Web-server. @@ -61,7 +61,7 @@ or whatever, it might not work for resources returned with non-standard MIME typ types is generic type for binary resources (application/octet stream), or some type with no special meaning for Firefox (see #2), Firefox fires handler to open file like this: -![163_5_2017-12-13_1433](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_5_2017-12-13_1433.webp) +![163_5_2017-12-13_1433](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/163_5_2017-12-13_1433.webp) Otherwise file will be opened internally. 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/certificates.md b/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/certificates.md index 013bb2f3ed..6220936317 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/certificates.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/firefox/certificates.md @@ -21,7 +21,7 @@ must do these step by step.) **Step 1 –** Check the compatibility chart first -[Firefox: What versions of the Endpoint Policy Manager CSE support managing certificates in what versions of Firefox?](../../../requirements/support/applicationsettings/firefox/version.md) +[Firefox: What versions of the Endpoint Policy Manager CSE support managing certificates in what versions of Firefox?](/docs/policypak/policypak/requirements/support/applicationsettings/firefox/version.md) **Step 2 –** Watch the Netwrix Endpoint Policy Manager (formerly PolicyPak) and Firefox cert video for a how-to @@ -41,7 +41,7 @@ BINARY DER. If the CERT is a-ok inside Firefox ALREADY, you can then EXPORT it like this to ensure it is a BINARY DER file. -![214_1_image002](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_1_image002.webp) +![214_1_image002](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_1_image002.webp) When you save, save it as a .DER extension. 
@@ -66,7 +66,7 @@ You can also use Firefox's log by being on any page and clicking Ctrl+Shift+J. In the log below certificates being added to the proper stores. You can also see ERROR CONDITIONS as well which are helpful for troubleshooting. -![214_2_image007](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_2_image007.webp) +![214_2_image007](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_2_image007.webp) **Step 6 –** Other reasons your cert just isn't working @@ -83,7 +83,7 @@ well which are helpful for troubleshooting. \DCShareFabrikam-CA.cer, CA, 2, add In the logs, you would see this transposition error demonstrated as: -![214_3_image008](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_3_image008.webp) +![214_3_image008](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/firefox/214_3_image008.webp) **Step 7 –** Send us your cert, and we'll send you ours. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/forcepoint.md b/docs/policypak/policypak/troubleshooting/applicationsettings/forcepoint.md index af3db39be3..943027942e 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/forcepoint.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/forcepoint.md @@ -23,7 +23,7 @@ here. Additionally, if you have MULTIPLE Paks for the same application, INCLUDING, say the Firefox ABOUT:config Paks, you ALSO need to perform this same UN-check in ALL those Paks. -![568_1_img-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/568_1_img-1.webp) +![568_1_img-1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/568_1_img-1.webp) ## Method 2 
@@ -32,4 +32,4 @@ Block all applications from performing settings re-application using ADMX This method causes a universal block to Reapply of application settings. You can try this method if the first method doesn't operate as expected. -[How do I turn off "Reapply on Launch" for all applications if asked by tech support?](reapplylaunchdisable.md) +[How do I turn off "Reapply on Launch" for all applications if asked by tech support?](/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/gpmc.md b/docs/policypak/policypak/troubleshooting/applicationsettings/gpmc.md index 859cbf6bb6..2cb231d258 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/gpmc.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/gpmc.md @@ -8,7 +8,7 @@ something else. Settings you generate will have nice GPMC reporting via ADM settings reporting like what's seen here. -![943_1_image001_950x624](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/943_1_image001_950x624.webp) +![943_1_image001_950x624](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/943_1_image001_950x624.webp) But items which control other settings will not have any reporting and will appear as "Extra Registry Settings" like what's seen here. @@ -16,4 +16,4 @@ Registry Settings" like what's seen here. This is expected Endpoint Policy Manager Application Settings Manager behavior and is not changeable. -![943_2_image002_950x758](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/943_2_image002_950x758.webp) +![943_2_image002_950x758](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/943_2_image002_950x758.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md index bbccbfe769..8270ec6624 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/11enterprisemode.md @@ -7,7 +7,7 @@ what's seen here. If your machines don't have Enterprise mode from the Tools opt this out FIRST. For instance, on Windows 7 and IE 11 you might need to update and patch using KB2929437 . -![162_1_image0012](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_1_image0012.webp) +![162_1_image0012](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_1_image0012.webp) **Step 2 –** When trying Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Manager and the IE Pak's Enterprise Mode, you should decide if you want to use it on the USER or COMPUER @@ -19,7 +19,7 @@ HKCUSoftwarePoliciesMicrosoftInternet ExplorerMainEnterpriseModeEnable. Unless t exists, you won't see Enterprise Mode on the menu or on the F12 emulation tab's "browser profile" section. -![162_2_image0031](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_2_image0031.webp) +![162_2_image0031](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_2_image0031.webp) In this section example, you're delivering Endpoint Policy Manager IE Explorer Maintenance settings using the COMPUTER side. 
@@ -28,4 +28,4 @@ Check for the existence of HKCUSoftwarePoliciesMicrosoftInternet ExplorerMainEnt Unless the enable key exists, you won't see Enterprise Mode on the menu or on the F12 emulation tab's "browser profile" section. -![162_3_image007](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_3_image007.webp) +![162_3_image007](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/162_3_image007.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/httpsites.md b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/httpsites.md index ce94705e2f..8c4e817bef 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/httpsites.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/httpsites.md @@ -9,4 +9,4 @@ server verification https" are both UNDERLINED and UN-Checked. This will deliver "un-check" to these settings, allowing for HTTP zones. -![240_1_image002](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/240_1_image002.webp) +![240_1_image002](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/240_1_image002.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfail.md b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfail.md index df120f7353..34bea1f46d 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfail.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfail.md 
@@ -8,8 +8,8 @@ That's because, currently we have limitation with that feature support in IE. So Example 1: -![299_1_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/299_1_image004.webp) +![299_1_image004](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/299_1_image004.webp) Example 2: -![299_2_image005](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/299_2_image005.webp) +![299_2_image005](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/299_2_image005.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfailstig.md b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfailstig.md index 268d899149..18bfcb799d 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfailstig.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/launchfailstig.md @@ -4,7 +4,7 @@ There are some settings, which when you use ACL lockdown, will prevent IE from l Removing ACL lockdown on either of these settings permits IE to launch: -![284_1_ghjgdffhykui88dr](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/284_1_ghjgdffhykui88dr.webp) +![284_1_ghjgdffhykui88dr](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/internetexplorer/284_1_ghjgdffhykui88dr.webp) Under the hood, the keys that are edited are in diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/itemleveltargeting/tuningbypassing.md b/docs/policypak/policypak/troubleshooting/applicationsettings/itemleveltargeting/tuningbypassing.md index 8b4224bb0c..60010192f1 100644 
--- a/docs/policypak/policypak/troubleshooting/applicationsettings/itemleveltargeting/tuningbypassing.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/itemleveltargeting/tuningbypassing.md @@ -33,6 +33,6 @@ An example of using one of these entries—the `BypassAllILT `entry, which would processing—can be seen in Figure 102. Note that the ILT key will not exist by default and must be created before the value is set within it. -![troubleshooting_policypak_6](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_6.webp) +![troubleshooting_policypak_6](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_6.webp) Figure 102. An example of a `BypassAllILT `entry. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/java/issue.md b/docs/policypak/policypak/troubleshooting/applicationsettings/java/issue.md index a6377451f9..44f34d5109 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/java/issue.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/java/issue.md 
@@ -10,8 +10,8 @@ So if we have a different version on the target machine that doesn't mean there the changes. We can still get Netwrix Endpoint Policy Manager (formerly PolicyPak) to deliver the setting by disabling the internal item-level targeting. -![323_1_image011dftyrty](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/java/323_1_image011dftyrty.webp) +![323_1_image011dftyrty](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/java/323_1_image011dftyrty.webp) To see a demonstration video about Internal Filters and bypassing them, please see this -[Bypassing Internal Item Level Targeting Filters](../../../video/applicationsettings/itemleveltargetingbypass.md) +[Bypassing Internal Item Level Targeting Filters](/docs/policypak/policypak/video/applicationsettings/itemleveltargetingbypass.md) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/java/sitelistexceptions.md b/docs/policypak/policypak/troubleshooting/applicationsettings/java/sitelistexceptions.md index b4b59688a8..5a91362863 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/java/sitelistexceptions.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/java/sitelistexceptions.md @@ -13,4 +13,4 @@ For manual testing on one machine, delete that file, then run GPupdate to refres See if Java Site exceptions starts to work. -![46_1_tip-if-java-site-lists-stop-working](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/java/46_1_tip-if-java-site-lists-stop-working.webp) +![46_1_tip-if-java-site-lists-stop-working](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/java/46_1_tip-if-java-site-lists-stop-working.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/logs/client.md b/docs/policypak/policypak/troubleshooting/applicationsettings/logs/client.md index 9001acece8..278b1502b1 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/logs/client.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/logs/client.md @@ -40,6 +40,6 @@ Table 2: Endpoint Policy Manager Application Settings Manager log files. You can see an example of the contents of the logs in Figure 101. -![troubleshooting_policypak_5](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_5.webp) +![troubleshooting_policypak_5](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_5.webp) Figure 101. An example of the logs. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md b/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md index c55b49059f..73e3f499d0 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md @@ -1,6 +1,6 @@ # How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903 -![280_1_image-20191015113622-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_1_image-20191015113622-1.webp) +![280_1_image-20191015113622-1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_1_image-20191015113622-1.webp) **Step 1 –** Create the Scripts Manager policy in PolicyPak. 
@@ -10,20 +10,20 @@ rights (to create and link GPOs at that level) and then create a new GPO and lin For example: -![280_2_image-20191015113622-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_2_image-20191015113622-4.webp) +![280_2_image-20191015113622-4](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_2_image-20191015113622-4.webp) 2. Next Edit the newly created GPO and expand the User Configuration > PolicyPak > Scripts Manager section. 3. Then click "ADD NEW COLLECTION" to add a new collection, give it any descriptive name you like, then click "OK". -![280_3_image-20191015113622-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_3_image-20191015113622-5.webp) +![280_3_image-20191015113622-5](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_3_image-20191015113622-5.webp) 4. Next, double click on the collection you just created to open the collection. 5. Then right-click anywhere in the right pane and choose "Add > New Policy", (or alternatively click on the "ADD NEW POLICY" button) to create a new policy item within the collection. -![280_4_image-20191015113622-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_4_image-20191015113622-6.webp) +![280_4_image-20191015113622-6](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_4_image-20191015113622-6.webp) 6. The "PolicyPak Scripts Manager Wizard" will then open. 7. At the "On apply action" screen choose "PowerShell script" from the drop down. 
@@ -44,9 +44,9 @@ For example: 1. Log in as a domain user within the OU or Domain where the policy is applied and verify under Windows Settings that the custom Exploit Protection settings are present. -![280_5_image-20191015113622-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_5_image-20191015113622-7.webp) +![280_5_image-20191015113622-7](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_5_image-20191015113622-7.webp) -![280_6_image-20191015113622-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_6_image-20191015113622-2.webp) +![280_6_image-20191015113622-2](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_6_image-20191015113622-2.webp) More Info: How to configure custom Exploit Protection settings under Windows 10 GUI  to resolve this issue. @@ -66,4 +66,4 @@ settings **Step 7 –** Lastly, click "Apply" to save your changes -![280_6_image-20191015113622-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_6_image-20191015113622-2.webp) +![280_6_image-20191015113622-2](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_6_image-20191015113622-2.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/mmc.md b/docs/policypak/policypak/troubleshooting/applicationsettings/mmc.md index ea1f50411b..7e099df59b 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/mmc.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/mmc.md 
@@ -5,7 +5,7 @@ Problem: The Endpoint Policy Manager Application Settings Manager (ASM) node is not visible or working properly in Group Policy Management Console (GPMC) and/or Group Policy Editor (GPEDIT). -![1322_1_7fee40aeea669ba543a9c29a3570029a](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/1322_1_7fee40aeea669ba543a9c29a3570029a.webp) +![1322_1_7fee40aeea669ba543a9c29a3570029a](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/1322_1_7fee40aeea669ba543a9c29a3570029a.webp) Cause: @@ -16,7 +16,7 @@ the installation process. Although there were no explicit indications of such du Resolution: Perform and confirm the steps as outlined in the following KB: -[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../../install/antivirus.md) +[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) If the issue persists, proceed with the following troubleshooting steps. @@ -40,4 +40,4 @@ user and confirm that the ASM node remained operational in both GPEDIT and GPMC. The ASM node should look similar to screen shot below. -![1322_2_d34f038d53ae47ca403950284e354cdd](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/1322_2_d34f038d53ae47ca403950284e354cdd.webp) +![1322_2_d34f038d53ae47ca403950284e354cdd](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/1322_2_d34f038d53ae47ca403950284e354cdd.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/onegpo.md b/docs/policypak/policypak/troubleshooting/applicationsettings/onegpo.md index 536222a148..2dd78e037f 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/onegpo.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/onegpo.md 
@@ -1,6 +1,6 @@ # Should I put lots of Paks (or other PP directives into one GPO?) -[How many Endpoint Policy Manager policies can I create within one Group Policy Object?](limitations.md) +[How many Endpoint Policy Manager policies can I create within one Group Policy Object?](/docs/policypak/policypak/troubleshooting/applicationsettings/limitations.md) Then, as a suggestion, the best practice for Netwrix Endpoint Policy Manager (formerly PolicyPak) is to have one GPO for each "thing" you want to do. @@ -10,7 +10,7 @@ Targeting to specify the conditions of WHO would get the settings WHEN. Here is an example: -![345_1_2015-09-01_1047](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/345_1_2015-09-01_1047.webp) +![345_1_2015-09-01_1047](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/345_1_2015-09-01_1047.webp) Then you would do the same for another GPO, say, for Firefox, and another GPO for Internet Explorer settings, and so on. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunch.md b/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunch.md index cbfb645972..486be38ea1 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunch.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunch.md @@ -8,4 +8,4 @@ Reapply on Launch (up to build 901.) 64-bit patch. 32-bit patch is found here: After Netwrix Endpoint Policy Manager (formerly PolicyPak) CSE build 901, this patch is no longer required. -![518_1_image0011](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/518_1_image0011.webp) +![518_1_image0011](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/518_1_image0011.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md b/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md index 1010cd6228..c44775ad36 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/reapplylaunchdisable.md @@ -2,7 +2,7 @@ First, install the Netwrix Endpoint Policy Manager (formerly PolicyPak) ADMX files as seen here: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) Then use the following Computer side Group Policy setting to "Disable Reapply on Launch for all applications." @@ -10,4 +10,4 @@ applications." When this is set, this will stop applications from attempting to apply settings again, which could increase compatibility with some antivirus and security software. -![290_1_img-1_950x551](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/290_1_img-1_950x551.webp) +![290_1_img-1_950x551](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/290_1_img-1_950x551.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/redirectedfolder.md b/docs/policypak/policypak/troubleshooting/applicationsettings/redirectedfolder.md index b52cd263b9..c565750418 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/redirectedfolder.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/redirectedfolder.md 
@@ -9,4 +9,4 @@ This is indicative of Folder Redirection in use. Try to change the Pak properties so it runs as USER as seen here: -![484_1_2015-02-20_1513](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/484_1_2015-02-20_1513.webp) +![484_1_2015-02-20_1513](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/484_1_2015-02-20_1513.webp) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/replication.md b/docs/policypak/policypak/troubleshooting/applicationsettings/replication.md index 4f6b0123a3..5b28e335ca 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/replication.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/replication.md @@ -42,7 +42,7 @@ Here are some great troubleshooting tips however. results. If you get a failure notice such as the one below, than there is a GPO delivery problem at large. -![3_1_troubleshooting-grou-policy-replication2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/3_1_troubleshooting-grou-policy-replication2.webp) +![3_1_troubleshooting-grou-policy-replication2](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/3_1_troubleshooting-grou-policy-replication2.webp) **NOTE:** 
@@ -53,7 +53,7 @@ directives. But it's equally likely that it's another GPO as well. you do not have these two folders, you have an AD problem and GPOs will not be delivered from it properly. -![3_2_troubleshooting-grou-policy-replication1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/3_2_troubleshooting-grou-policy-replication1.webp) +![3_2_troubleshooting-grou-policy-replication1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/3_2_troubleshooting-grou-policy-replication1.webp) - DCDIAG.exe – The DCDiag (Domain Controller Diagnostic) tool will analyse the state of the domain controllers and services in an Active Directory forest. DCDiag is a very good general-purpose @@ -100,6 +100,6 @@ You may also refer to these other articles as well. [http://technet.microsoft.com/en-us/library/cc978394.aspx](http://technet.microsoft.com/en-us/library/cc978394.aspx) -[http://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx]() +[http://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx](http://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx) [http://support.microsoft.com/kb/2218556](http://support.microsoft.com/kb/2218556) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/support/enhancedclientlogging.md b/docs/policypak/policypak/troubleshooting/applicationsettings/support/enhancedclientlogging.md index d3c2b4199b..f6a2f46cfb 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/support/enhancedclientlogging.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/support/enhancedclientlogging.md 
@@ -6,6 +6,6 @@ enough troubleshooting information. Only enable these logs when working with tec Go to `HKLM\SOFTWARE\Policies\PolicyPak\Config\CSE\` and create a` REG_DWORD` named `ExtendedLogs` to a value of 1. An example can be seen in Figure 96. -![troubleshooting_policypak_624x284](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/support/troubleshooting_policypak_624x284.webp) +![troubleshooting_policypak_624x284](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/support/troubleshooting_policypak_624x284.webp) Figure 96. The creation and naming of `REG_DWORD`. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md b/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md index 8f5da798c0..19b61bcb52 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/supportpolicy.md @@ -20,5 +20,5 @@ Again, the AppSets themselves are not officially supported. Those are "examples" we provide "best effort" support on those if a problem is found. (See the FAQ question -"[HowTo: What do I do if I find a problem with a preconfigured AppSet?](issue.md)" for more +"[HowTo: What do I do if I find a problem with a preconfigured AppSet?](/docs/policypak/policypak/troubleshooting/applicationsettings/issue.md)" for more information.) diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting.md b/docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting.md index 6b8dda2f03..4c03eb1ec2 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting.md 
@@ -15,14 +15,14 @@ GPA, AGPM, etc, see Whenever you add a new AppSet to a GPO and create settings, those settings appear in the GPMC reports. In Figure 92, you can see the report generated when one AppSet is listed inside the GPO. -![reporting_and_what_s_happening](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening.webp) +![reporting_and_what_s_happening](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening.webp) Figure 92. The GPMC reports showing the new Pak that was added to a GPO. In Figure 93, you can see what is reported inside the GPMC when three AppSets have settings within a GPO. -![reporting_and_what_s_happening_1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_1.webp) +![reporting_and_what_s_happening_1](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_1.webp) Figure 93. Three Paks reported within the GPMC. @@ -32,7 +32,7 @@ Figure 94. This section also shows the description field (if used) version of En Manager DesignStudio that compiled the AppSet and any special flags on the AppSet, including whether Item-Level Targeting is enabled or not. -![reporting_and_what_s_happening_2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_2.webp) +![reporting_and_what_s_happening_2](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_2.webp) Figure 94. The settings in a Pak's report. 
@@ -40,7 +40,7 @@ As you can see in Figure 95, the settings themselves are reported, as well as an the data settings. For instance, you can see that the value of "Minimum password length" is set to 11, the Enforcement mode is set to "Always reapply," and the AppLock™ state is set to "Grayed" -![reporting_and_what_s_happening_3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_3.webp) +![reporting_and_what_s_happening_3](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/underhood/reporting_and_what_s_happening_3.webp) Figure 95. Examples of special settings displayed in the settings details. diff --git a/docs/policypak/policypak/troubleshooting/applicationsettings/versionnumbers.md b/docs/policypak/policypak/troubleshooting/applicationsettings/versionnumbers.md index b5c94b5105..671cd8eedd 100644 --- a/docs/policypak/policypak/troubleshooting/applicationsettings/versionnumbers.md +++ b/docs/policypak/policypak/troubleshooting/applicationsettings/versionnumbers.md 
@@ -19,16 +19,16 @@ every system (or at least a test system where you want to perform troubleshootin If those steps fail, and your problem reoccurs, please be prepared with the version information from the following areas, shown in Figure 98, Figure 99, and Figure 100. -![troubleshooting_policypak_2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_2.webp) +![troubleshooting_policypak_2](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_2.webp) Figure 98. Endpoint Policy Manager DesignStudio: Help | About. -![troubleshooting_policypak_3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_3.webp) +![troubleshooting_policypak_3](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_3.webp) Figure 99. Pak compiled version. With any Pak, open in the Group Policy Editor, and click Endpoint Policy Manager and then About. The About dialog shows the version number used to compile your Pak. -![troubleshooting_policypak_4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_4.webp) +![troubleshooting_policypak_4](/img/product_docs/policypak/policypak/troubleshooting/javaenterpriserules/troubleshooting_policypak_4.webp) Figure 100. On Windows 7, you can see the version number of the CSE in the "Uninstall or change a program" applet in Control Panel. diff --git a/docs/policypak/policypak/troubleshooting/assignmentremovalfailed.md b/docs/policypak/policypak/troubleshooting/assignmentremovalfailed.md index 50c4796f92..1c61f08c57 100644 --- a/docs/policypak/policypak/troubleshooting/assignmentremovalfailed.md +++ b/docs/policypak/policypak/troubleshooting/assignmentremovalfailed.md 
@@ -7,7 +7,7 @@ message is generated in the System Event log: "The removal of the assignment of application Policypak Client-Side Extension (32bit) from policy … failed. The error was : %%2" ``` -![336_1_image-20200111180227-1_950x451](../../../../static/img/product_docs/policypak/policypak/troubleshooting/336_1_image-20200111180227-1_950x451.webp) +![336_1_image-20200111180227-1_950x451](/img/product_docs/policypak/policypak/troubleshooting/336_1_image-20200111180227-1_950x451.webp) To resolve this error, uncheck "Make this 32-bit X86 application available to Win64 computers" checkbox for the 32bit Endpoint Policy Manager Client-Side Extension in the Group Policy Software diff --git a/docs/policypak/policypak/troubleshooting/browserrouter.md b/docs/policypak/policypak/troubleshooting/browserrouter.md index 5d0fc350ff..335d68a25d 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter.md @@ -4,7 +4,7 @@ If your users get this message, this means that the Netwrix Endpoint Policy Mana PolicyPak) Helper Service has crashed. Typically, the service will automatically restart. But if it doesn’t, and then Endpoint Policy Manager Browser Router is used, you might see a problem like this. -![378_1_img-01-image002](../../../../static/img/product_docs/policypak/policypak/troubleshooting/378_1_img-01-image002.webp) +![378_1_img-01-image002](/img/product_docs/policypak/policypak/troubleshooting/378_1_img-01-image002.webp) That being said, that message is old, and has been replaced in more recent CSEs. The first order of business is to update the Client Side Extension to the LATEST version. 
@@ -13,11 +13,11 @@ If the problem still occurs, you would see a message similar to this. Note in th are instructed to contact you, and not [Netwrix Support.](https://www.netwrix.com/sign_in.html?rf=tickets.html#netwrix-support) -![378_3_img-02-image004](../../../../static/img/product_docs/policypak/policypak/troubleshooting/378_3_img-02-image004.webp) +![378_3_img-02-image004](/img/product_docs/policypak/policypak/troubleshooting/378_3_img-02-image004.webp) Again, what specifically causes this error is when the Endpoint Policy Manager Helper Service is stopped like what's seen here. If you want to open an investigation on WHY a machine's Endpoint Policy Manager Helper Service is crashing, open a support ticket and prepare to generate both user and admin logs for investigation. -![378_5_img-03-image009_950x1116](../../../../static/img/product_docs/policypak/policypak/troubleshooting/378_5_img-03-image009_950x1116.webp) +![378_5_img-03-image009_950x1116](/img/product_docs/policypak/policypak/troubleshooting/378_5_img-03-image009_950x1116.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/adobelinks.md b/docs/policypak/policypak/troubleshooting/browserrouter/adobelinks.md index cb0906a6a7..833d516b82 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/adobelinks.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/adobelinks.md 
@@ -9,15 +9,15 @@ Manager (formerly PolicyPak) Browser Router (PPBR) is set as the default browser There is a Windows Defender Attack Surface Reduction Rule in place for Adobe: -![892_1_image-20211223020010-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_1_image-20211223020010-6.webp) +![892_1_image-20211223020010-6](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_1_image-20211223020010-6.webp) -![892_2_image-20211223020010-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_2_image-20211223020010-7.webp) +![892_2_image-20211223020010-7](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_2_image-20211223020010-7.webp) ## RESOLUTION: ### Option 1: Remove the Attack Surface Reduction Rule for Adobe by deleting the rule highlighted below. -![892_3_image-20211223020010-8](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_3_image-20211223020010-8.webp) +![892_3_image-20211223020010-8](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_3_image-20211223020010-8.webp) ### Option 2: (Recommended) Add exclusions for Endpoint Policy Manager under "Exclude files and paths from Attack Surface Reduction Rules" policy. 
@@ -28,9 +28,9 @@ Excluding the "`C:\Program Files\PolicyPak"` folder, (or if you prefer just `"C:\Program Files\PolicyPak\Browser Router\Client\PPBRAgent.exe") `should be enough to resolve the issue with Adobe and Browser Router. -![892_4_image-20211223020010-9](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_4_image-20211223020010-9.webp) +![892_4_image-20211223020010-9](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/892_4_image-20211223020010-9.webp) For a list of additional Endpoint Policy Manager items that may need to be excluded please see the KB below: -[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../../install/antivirus.md) +[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md b/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md index 9ca6fb8dd3..93225b058b 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md @@ -9,7 +9,7 @@ doesn't, then this is the guide for you. **Step 1 –** This troubleshooting guide assumes you have already performed the steps in this initial troubleshooting guide: Browser Router > -[Knowledge Base](../../browserrouter/overview/knowledgebase.md). This will demonstrate that you are: +[Knowledge Base](/docs/policypak/policypak/browserrouter/overview/knowledgebase.md). This will demonstrate that you are: - Getting the GPOs involved in Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router and 
@@ -26,7 +26,7 @@ correctly licensed. WORDPAD (not notepad!) to create a simple document which will open up the browser based upon your rules (routes.) -![267_1_img1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_1_img1.webp) +![267_1_img1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_1_img1.webp) Does clicking on each link open the correct expected browser? 
@@ -61,26 +61,26 @@ the endpoint. So, some examples where Endpoint Policy Manager Browser Router will not work instantly: -![267_2_img2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_2_img2.webp) +![267_2_img2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_2_img2.webp) -![267_3_img3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_3_img3.webp) +![267_3_img3](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_3_img3.webp) To ensure each browser is ready to route BETWEEN BROWSERS, you are looking for the following. Inside IE: (Gear | Manage Add-ons) -![267_4_img4-1024x325](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_4_img4-1024x325.webp) +![267_4_img4-1024x325](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_4_img4-1024x325.webp) FF: The Firefox plugin for Endpoint Policy Manager Browser Router will ONLY install into Firefox ESR. When using Firefox ESR, you can then see this after you launch Firefox ESR and then press Ctrl+Shift+J . Then look for the text the following entry: -![267_5_pp-ff-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_5_pp-ff-img-01.webp) +![267_5_pp-ff-img-01](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_5_pp-ff-img-01.webp) If you are ATTEMPTING to use Firefox RR, then it will not work and you will get the following (expected) error. -![267_6_image_1000x626](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_6_image_1000x626.webp) +![267_6_image_1000x626](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_6_image_1000x626.webp) Chrome: (Gear | Extensions) 
@@ -89,7 +89,7 @@ Another Browser is not functioning, you need to ensure you have Internet connect time) to get the Endpoint Policy Manager Browser Router Chrome Extension automatically downloaded and installed on your machine. -![267_7_img6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_7_img6.webp) +![267_7_img6](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/267_7_img6.webp) If you don't see the Extension listed, try: @@ -107,4 +107,4 @@ webstore): [https://chrome.google.com/webstore/category/extensions?hl=en-US](ht **Step 6 –** Did our Chrome extension appear? **Step 7 –** Related.. If you see ONLY Chrome, and not any FORCED extensions, -[Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. How can I work around this?](chrome/forceinstall.md) +[Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. How can I work around this?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/citrixproblems.md b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/citrixproblems.md index b8e70e8026..95cfad007a 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/citrixproblems.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/citrixproblems.md @@ -17,4 +17,4 @@ screenshot. Chrome is keeping itself alive, even though it should not. This will fix the problem. -![253_1_image0015](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/253_1_image0015.webp) +![253_1_image0015](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/253_1_image0015.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/extensioninactive.md b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/extensioninactive.md index 68ee29c19a..c6c71cc727 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/extensioninactive.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/extensioninactive.md @@ -3,7 +3,7 @@ From time to time it's possible that the Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router extension for Chrome will be installed, but not active, like in this example. -![489_1_dfg_950x593](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/489_1_dfg_950x593.webp) +![489_1_dfg_950x593](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/489_1_dfg_950x593.webp) This can occur if you are attempting to force deploy the extension via Group Policy or Endpoint Policy Manager Application Manager or if there is some kind of error. diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md index 991dabb035..e84ebecab8 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md 
@@ -12,7 +12,7 @@ RESULT: You only see Endpoint Policy Manager Browser Router's extension and NOT user-side extensions for Chrome.. Workaround: Endpoint Policy Manager Provides ADMX settings to work around various items in Endpoint Policy Manager On-Prem. See this video to implement the ADMX: -[Troubleshooting with ADMX files](../../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) **NOTE:** You shouldn't need to perform these steps (any of them) if you want to dictate Chrome "forced installed" extensions on the COMPUTER side. On the COMPUTER side... when you force install 
@@ -23,17 +23,17 @@ extensions on the USER side. Then, the policy setting which must be applied to the computer side which is called PREVENT COMPUTER SIDED INSTALLATION OF CHROME EXTENSION -![171_1_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_1_image004.webp) +![171_1_image004](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_1_image004.webp) Then… Using Chrome's own ADMX setting named "Configure the list of force-installed apps and extensions" (seen below) to manually add the Endpoint Policy Manager Browser Router using Chrome's ADMX setting on USER or COMPUTER side. -![171_2_image006](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_2_image006.webp) +![171_2_image006](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_2_image006.webp) Use this string found in this article: -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) For instance, an example string might look like … @@ -45,7 +45,7 @@ Which will manually install the Endpoint Policy Manager Browser Router Chrome Ex Endpoint Policy Manager Application Settings Manager and our Chrome Pak, you can use this field (user or computer side.) -![171_3_image009](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_3_image009.webp) +![171_3_image009](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/171_3_image009.webp) Use the same string: 
@@ -59,4 +59,4 @@ the optional extensions you wish for Chrome. Again, the example extension ID above is just an example. Please use the correct one based upon your CSE. -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/launch.md b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/launch.md index 4308b15748..14da4e9261 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/launch.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/launch.md 
@@ -64,17 +64,17 @@ will be removed when PS script is deployed with PP Scripts Manager. **Step 1 –** BR Extension folder location. -![870_1_image-20220217002324-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_1_image-20220217002324-1.webp) +![870_1_image-20220217002324-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_1_image-20220217002324-1.webp) **Step 2 –** Create a User-side PP Scripts Manager policy. Use the Google Chrome PS script from PS Scripts section. -![870_2_image-20220217002324-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_2_image-20220217002324-2.webp) +![870_2_image-20220217002324-2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_2_image-20220217002324-2.webp) **Step 3 –** Create a User-side PP Scripts Manager policy. Use the Microsoft Edge PS script from PS Scripts section. -![870_3_image-20220217002324-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_3_image-20220217002324-3.webp) +![870_3_image-20220217002324-3](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_3_image-20220217002324-3.webp) **Step 4 –** At next `GPUPDATE `or when`/FORCE`switch is used the respective folders for the extension will be removed. 
@@ -87,10 +87,10 @@ below. Microsoft Edge: -![870_4_image-20220217002324-4](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_4_image-20220217002324-4.webp) +![870_4_image-20220217002324-4](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_4_image-20220217002324-4.webp) Google Chrome: -![870_5_image-20220217002324-5](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_5_image-20220217002324-5.webp) +![870_5_image-20220217002324-5](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/chrome/870_5_image-20220217002324-5.webp) Use this Endpoint Policy Manager Scripts Manager policy to mass deploy for any future issues. diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/routing.md b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/routing.md index 75e6256b9e..06bf3adb99 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/chrome/routing.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/chrome/routing.md @@ -37,7 +37,7 @@ is not working any longer. The typical ways you could encounter this are: How would I know if I'm affected by Endpoint Policy Manager being forced to take down some older Endpoint Policy Manager Browser Router Chrome Extensions? We have the list of extensions which ARE and WERE valid on this list -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) What should you do now? 
diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md index 457f5856df..383df25190 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md @@ -21,7 +21,7 @@ C:\Program Files\PolicyPak\Browser Router\Client On machines with the CSE (CSE 18.7.1779.937 - 19.12.2283.849)That you CANNOT upgrade to latest CSE for now. -![774_1_img-01](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_1_img-01.webp) +![774_1_img-01](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_1_img-01.webp) You can use a variety of methods to get the file copied. Options include: @@ -36,11 +36,11 @@ To show one example, using Group Policy Preferences Files… Here's the `Com.policypak.chromehost.json` file stored in the file in the share called `\\dc2016\share` -![774_3_img-02_950x542](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_3_img-02_950x542.webp) +![774_3_img-02_950x542](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_3_img-02_950x542.webp) Using Group Policy Preferences Files, on the Computer side… -![774_5_img-03_950x650](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_5_img-03_950x650.webp) +![774_5_img-03_950x650](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_5_img-03_950x650.webp) #### Specify: 
@@ -63,4 +63,4 @@ Note that upgrading to modern CSE versions will have a SIMIILARLY named file in These two files can sit side by side without issue if you need to use an OLDER CSE for now, then UPGRADE to latest CSE later. -![774_7_img-05_950x675](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_7_img-05_950x675.webp) +![774_7_img-05_950x675](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/774_7_img-05_950x675.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md index bccf20eb38..10f6268a05 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md @@ -3,7 +3,7 @@ Below is the ID list from Chrome. If you need to, you can force-install an Extension ID via ADMX or Netwrix Endpoint Policy Manager (formerly PolicyPak) Application Manager Pak using this article: -[Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. How can I work around this?](../chrome/forceinstall.md) +[Endpoint Policy Manager Browser Router removes other Chrome ‘force installed' extensions. How can I work around this?](/docs/policypak/policypak/troubleshooting/browserrouter/chrome/forceinstall.md) Note that Endpoint Policy Manager does not guarantee that the version you are using is definitely in the chrome store. We are only allowed to publish 20 items, as such, the oldest items will be removed 
@@ -21,7 +21,7 @@ This will indicate to you if the extension is still published or not. **NOTE:** Edge Chromium uses the same PPBR Chrome Extension.You can see the extension ID in Edge Chromium by visiting edge://extensions from within Edge Chromium. -![202_1_image-20220105135628-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/202_1_image-20220105135628-1.webp) +![202_1_image-20220105135628-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/202_1_image-20220105135628-1.webp) | DATE | CSE VERSION | VERSION OF EXTENSION | EXTENSION ID | Still available in Chrome Store? | | ---------- | ---------------- | -------------------- | -------------------------------- | -------------------------------- | diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromerouting.md b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromerouting.md index 5a860f4df5..3769999a6b 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromerouting.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromerouting.md @@ -44,7 +44,7 @@ olderEndpoint Policy Manager Browser Router Chrome Extensions? A: We have the list of extensions which ARE VALID (now, it is exactly ONE extension) and which WERE valid (100% of the older ones are now turned off) which are on this list -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) Q: What should I now? 
@@ -63,7 +63,7 @@ Q: I cannot update to the latest extension, but I am using builds CSE 18.7.1779. A: We have a KB article about it here: "How can I use the onlyEndpoint Policy Manager published Chrome Extension with my older CSE? (CSE 18.7.1779.937 - 19.12.2283.849)" -[How can I use the only remaining Endpoint Policy Manager published Chrome Extension with my older CSE? (CSE 18.7.1779.937 - 19.12.2283.849)](chromeextension.md) +[How can I use the only remaining Endpoint Policy Manager published Chrome Extension with my older CSE? (CSE 18.7.1779.937 - 19.12.2283.849)](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextension.md) Q: I'm using a CSE before 18.7.1779.937. What is the workaround? diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/criticalwebsiteincompatibility.md b/docs/policypak/policypak/troubleshooting/browserrouter/criticalwebsiteincompatibility.md index 64a9c60ceb..5a1d84fe45 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/criticalwebsiteincompatibility.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/criticalwebsiteincompatibility.md 
@@ -15,24 +15,24 @@ away? route into another website. This setting is not supported, and as such you might have to remove it from all routes. -![814_1_img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/814_1_img-01.webp) +![814_1_img-01](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/814_1_img-01.webp) **Step 4 –** After steps 1, 2 and 3… if you can REPRODUCE using latest CSE... then and only then.. send us log files (user and computer) via Sharefile (do not attach.) -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](../fastsupport.md) +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) **Step 5 –** AFTER you install the latest CSE, you might want to attempt to disable the in-Browser Extensions for the affected browser, but keep Browser Router operating. Here's how to do that (see screenshot below.) -![814_3_img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/814_3_img-02.webp) +![814_3_img-02](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/814_3_img-02.webp) **Step 6 –** AFTER you install the latest CSE and the in-browser Extension, and are STILL able to reproduce the issue, you could kill JUST the affected component like Browser Router. Use these instructions: -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) (KB shows killing PPPreferences, but in this case you would kill Endpoint Policy Manager Browser Router.) 
diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/default.md b/docs/policypak/policypak/troubleshooting/browserrouter/default.md index e215cff78b..3a8e2e254a 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/default.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/default.md @@ -25,13 +25,13 @@ What won’t work: Browser” will be passed onward to Edge (instead of what you might have set it to, say, Firefox, Chrome, etc). Use this article to understand “Endpoint Policy Manager Browser Router Default Policy” type - [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](../../browserrouter/defaultbrowser/defined.md) + [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md) - Delivering File Associations specifically for PDF for Endpoint Policy Manager File Associations Manager You will also get the same experience if you attempt to use PolicyPak File Associations Manager to change HTTP or HTTPS, even if you’re not using PolicyPak Browser Router. See the -[Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](../../fileassociations/defaultbrowser.md) +[Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](/docs/policypak/policypak/fileassociations/defaultbrowser.md) topic for additional information. Troubleshooting: 
@@ -78,9 +78,9 @@ only using an MDM service like Intune. Legacy mode only works when the machine i **NOTE:** After setting these settings and the policy refresh occurs to get these policies, endpoints may still need two logoffs and/or reboots for this to kick in. -![1326_1_2c5259c2472101dd55c56da8d1dbdb33](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_1_2c5259c2472101dd55c56da8d1dbdb33.webp) +![1326_1_2c5259c2472101dd55c56da8d1dbdb33](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_1_2c5259c2472101dd55c56da8d1dbdb33.webp) -![1326_2_8f4ae9cf7f0bba8ddccb128640467c25](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_2_8f4ae9cf7f0bba8ddccb128640467c25.webp) +![1326_2_8f4ae9cf7f0bba8ddccb128640467c25](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_2_8f4ae9cf7f0bba8ddccb128640467c25.webp) Update 4/8/2024: @@ -115,7 +115,7 @@ To fix the issue, you need to perform two steps: **Step 2 –** Deploy the script via Endpoint Policy Manager Scripts Manager using the hints from the screen shot below. -![1326_3_3e0331eadab3e6c272573b5c3b67e23c](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_3_3e0331eadab3e6c272573b5c3b67e23c.webp) +![1326_3_3e0331eadab3e6c272573b5c3b67e23c](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_3_3e0331eadab3e6c272573b5c3b67e23c.webp) Workaround 2 using fsLogix (Microsoft Tools) 
@@ -124,4 +124,4 @@ following redirect rules which should overcome the concern. **NOTE:** Do not use both Workaround 1 and 2 at the same time. -![1326_4_3a4d59894f3cd6623b958202447b1136](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_4_3a4d59894f3cd6623b958202447b1136.webp) +![1326_4_3a4d59894f3cd6623b958202447b1136](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/1326_4_3a4d59894f3cd6623b958202447b1136.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/dnscall.md b/docs/policypak/policypak/troubleshooting/browserrouter/dnscall.md index 86d35d526a..7e60cf1ea4 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/dnscall.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/dnscall.md @@ -10,14 +10,14 @@ that is querying that dead host computer' FQDN. Like in an example screenshot below. -![878_1_image-20211223234143-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/878_1_image-20211223234143-1.webp) +![878_1_image-20211223234143-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/878_1_image-20211223234143-1.webp) ## Cause: The cause of the problem is a Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router (PPBR) rule that has an Item-level Targeting (ILT) filter of the decommissioned host computer. -![878_2_image-20211223234143-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/878_2_image-20211223234143-2.webp) +![878_2_image-20211223234143-2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/878_2_image-20211223234143-2.webp) ## Resolution: diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/edge/stop.md b/docs/policypak/policypak/troubleshooting/browserrouter/edge/stop.md index 1a1bcc6a07..d21456e21b 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/edge/stop.md 
+++ b/docs/policypak/policypak/troubleshooting/browserrouter/edge/stop.md @@ -30,4 +30,4 @@ You can also use Intune / other MDM as explained in the URL above to stop this b Then, Endpoint Policy Manager Browser Router will be 100% in charge of your URLs and the routing / redirection. -![456_1_image001_950x573](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/edge/456_1_image001_950x573.webp) +![456_1_image001_950x573](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/edge/456_1_image001_950x573.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md b/docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md index 263d4a4583..f93c6a1f56 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/keeporiginaltab.md @@ -18,11 +18,11 @@ Browser Router problems. Problems which might arise are typically websites with "multiple tabs" like this: -![589_1_img-01_950x137](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/589_1_img-01_950x137.webp) +![589_1_img-01_950x137](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/589_1_img-01_950x137.webp) In these cases, you would need to go through EACHEndpoint Policy Manager Browser Router entry and UN-check the Experimental flag checkbox. Then you issues should be resolved. -![589_3_img-02_950x665](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/589_3_img-02_950x665.webp) +![589_3_img-02_950x665](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/editpolicytemplate/589_3_img-02_950x665.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/firefox.md b/docs/policypak/policypak/troubleshooting/browserrouter/firefox.md index b2f3a7a57c..63511af41f 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/firefox.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/firefox.md @@ -8,18 +8,18 @@ Firefox to compensate. New releases of Firefox comes with the setting where we can enable multi-process windows for the browsers. See the following screenshot: -![492_1_image001](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_1_image001.webp) +![492_1_image001](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_1_image001.webp) The above screenshot means that its enabled and you should expect the Endpoint Policy Manager Browser Router will have problem in routing. To make it working please disable the setting using Endpoint Policy Manager's pre-configured Pak for Firefox about:config as illustrated in the screenshot: -![492_2_image002](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_2_image002.webp) +![492_2_image002](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_2_image002.webp) So once you check and uncheck the above option it will set the value as false like shown in below screenshot: -![492_3_image003](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_3_image003.webp) +![492_3_image003](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/492_3_image003.webp) You should be all set for now with Endpoint Policy Manager Browser Router. Let us know if otherwise. diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md b/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md index c3b8a84105..1c1a16f0ef 100644 
--- a/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/install/defaultbrowser.md @@ -3,7 +3,7 @@ On Windows 8.1 or later, once Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router is licensed, it becomes the "default browser" in the operating system, like what is seen here. -![141_1_img-01](../../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) +![141_1_img-01](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_3_ppbr-faq-3-pic-3.webp) However, if you are using the Legacy Browser Router mode and unlicense Endpoint Policy Manager Browser Router or remove the computer from the scope of any Endpoint Policy Manager Browser Router @@ -18,12 +18,12 @@ longer. Therefore, (when Endpoint Policy Manager Browser Router is not present.) … an end-user could open up Firefox, Chrome, IE or Edge … like what is seen here… -![141_2_img-02](../../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_1_ppbr-faq-3-pic-1.webp) +![141_2_img-02](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_1_ppbr-faq-3-pic-1.webp) And manually set the default browser, or use the operating system itself to specify the desired default browser .. like what is seen here… -![141_3_img-03](../../../../../../static/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_2_ppbr-faq-3-pic-2.webp) +![141_3_img-03](/img/product_docs/policypak/policypak/browserrouter/defaultbrowser/218_2_ppbr-faq-3-pic-2.webp) Afterward, they should see the OS default web browser change accordingly and be maintained correctly at the next login. 
@@ -49,17 +49,17 @@ For either or all of these options… to Enabled, (aka Legacy Browser Router mode), OR if Client-Side Extensions version 2535 or older was ever installed on the machine. -![141_4_image-20210104150503-1](../../../../../../static/img/product_docs/policypak/policypak/browserrouter/install/483_7_image-20210105155954-1.webp) +![141_4_image-20210104150503-1](/img/product_docs/policypak/policypak/browserrouter/install/483_7_image-20210105155954-1.webp) You have to delete this file first…as a one time action using GPPPrefs if -![141_5_img-04](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_5_img-04.webp) +![141_5_img-04](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_5_img-04.webp) **Step 2 –** Step 2. Then if you want to FORCE A PARTICULAR BROWSER VIA POLICY … (pick ONE) - Use Endpoint Policy Manager File Associations Manager to set HTTP and HTTPS to Internet Explorer. This is supported as long as you are NOT using Endpoint Policy Manager Browser Router any - longer. [Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](../../../fileassociations/defaultbrowser.md) + longer. [Can I use Endpoint Policy ManagerBrowser Router and/or Endpoint Policy Manager File Associations Manager to set the default browser?](/docs/policypak/policypak/fileassociations/defaultbrowser.md) - Use the in-box Group Policy method for File / Protocol Associations (not recommended, since you have Endpoint Policy Manager File Associations Manager, and this method is not dynamic NOR can you use it ALONGSIDEEndpoint Policy Manager File Associations Manager, so it is NOT 
@@ -85,7 +85,7 @@ When it runs.. it works instantly.. and sets the default browser. In this examp And then it was later changeable by the user. -![141_6_img-05](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_6_img-05.webp) +![141_6_img-05](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_6_img-05.webp) **NOTE:** If you uninstall the Endpoint Policy Manager Client Side Extensions on a machine where Endpoint Policy Manager Browser Router was set as the default browser then Microsoft Edge will @@ -93,6 +93,6 @@ become the default browser immediately after the Endpoint Policy Manager Client uninstalled. You will see the notification below on your screen and if you check the default apps you will see that Edge has become the default browser. -![141_7_image](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_7_image.webp) +![141_7_image](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_7_image.webp) -![141_8_image](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_8_image.webp) +![141_8_image](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/141_8_image.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/install/iepromptdll.md b/docs/policypak/policypak/troubleshooting/browserrouter/install/iepromptdll.md index ffab15a683..65f64130f1 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/install/iepromptdll.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/install/iepromptdll.md 
@@ -14,7 +14,7 @@ It is named (old version) `PPBRAGENTIExIE_01.DLL` or `PPBRExplorerExtension.dll` But if Interenet Explorer is running WHILE the installation of theEndpoint Policy Manager CSE occurs, you might get this message the next time you launch Internet Explorer. -![524_1_unnamed-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/524_1_unnamed-1.webp) +![524_1_unnamed-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/524_1_unnamed-1.webp) Even if users select DON'T ENABLE, theEndpoint Policy Manager CSE will fix it at the next login. diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/install/windowsopenprompt.md b/docs/policypak/policypak/troubleshooting/browserrouter/install/windowsopenprompt.md index 43d3fc5a11..5032d5d45c 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/install/windowsopenprompt.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/install/windowsopenprompt.md @@ -3,7 +3,7 @@ Immediately after installing the Netwrix Endpoint Policy Manager (formerly PolicyPak) CSE on an endpoint, you might see something like this. -![531_1_image001](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/531_1_image001.webp) +![531_1_image001](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/install/531_1_image001.webp) This scenario is common when: diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md b/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md index b0b0b67c4e..86c24139c5 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/fromtootherbrowsers.md 
@@ -15,7 +15,7 @@ Said another way, ONE, TWO or THREE values may need to be tested to encompass a **Step 2 –** Reboot the machine and see if Endpoint Policy Manager Browser Router will route from IE to other browsers -![415_1_image0014](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_1_image0014.webp) +![415_1_image0014](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_1_image0014.webp) (Old: Not needed anymore; here for archival purposes… @@ -26,7 +26,7 @@ to other browsers **Step 2 –** Reboot the machine and see if Endpoint Policy Manager Browser Router will route from IE to other browsers. -![415_2_image003](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_2_image003.webp) +![415_2_image003](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_2_image003.webp) (Old: Not needed anymore; here for archival purposes…) . @@ -37,7 +37,7 @@ to other browsers. **Step 2 –** Reboot the machine and see if Endpoint Policy Manager Browser Router will route from IE to other browsers. -![415_3_image005](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_3_image005.webp) +![415_3_image005](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_3_image005.webp) Once you learn what combination works, then set these settings in Group Policy . You can do this on USER or COMPUTER side. We recommend COMPUTER. 
@@ -55,7 +55,7 @@ Turn on 64-bit tab processes when running in Enhanced Protection Mode :: Set to _Remember,_ Remember that each machine needs to be rebooted after it receives these directives; just like you did in your manual tests. -![415_4_image0061](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_4_image0061.webp) +![415_4_image0061](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_4_image0061.webp) Note also that the settings can be hiding in one ore more GPOs, so use GPresult to look for those values. @@ -67,14 +67,14 @@ An example GPresult /h report will show a Group Policy Preferences setting demon required "Enable third-party browser extensions (requires restart)" as DISABLING the ability to use third-party extensions. -![415_5_faq-asdf-01](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_5_faq-asdf-01.webp) +![415_5_faq-asdf-01](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_5_faq-asdf-01.webp) In these cases, you need to find the Group Policy Preferences item within the GPO and set the value to GREEN and CHECK which will "Enable third-party browser extensions". -![415_6_faq-asdf-02](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_6_faq-asdf-02.webp) +![415_6_faq-asdf-02](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_6_faq-asdf-02.webp) Only then will the GPO's GPresult report demonstrate that the required item is Enabled like what's seen here. -![415_7_faq-asdf-03](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_7_faq-asdf-03.webp) +![415_7_faq-asdf-03](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/415_7_faq-asdf-03.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/tabissue.md b/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/tabissue.md index f08d8ac036..dd9b7d4fff 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/tabissue.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/tabissue.md @@ -9,7 +9,7 @@ Other Symptoms: Visiting Edge:compat in Edge from an affected system may show a screen similar to below. -![1323_1_a7ea1a5fea27b5af1303c5cae8c549cd](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/1323_1_a7ea1a5fea27b5af1303c5cae8c549cd.webp) +![1323_1_a7ea1a5fea27b5af1303c5cae8c549cd](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/1323_1_a7ea1a5fea27b5af1303c5cae8c549cd.webp) Possible Causes: @@ -33,4 +33,4 @@ of websites to Edge in IE-tab mode. Or visit Edge:compat in Edge and click the Force update button, the screen should now look similar to below. -![1323_2_faaa54cf16d85c909ec4de3a83505ac9](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/1323_2_faaa54cf16d85c909ec4de3a83505ac9.webp) +![1323_2_faaa54cf16d85c909ec4de3a83505ac9](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/internetexplorer/1323_2_faaa54cf16d85c909ec4de3a83505ac9.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/office365.md b/docs/policypak/policypak/troubleshooting/browserrouter/office365.md index b8a20ef33a..41a9b32d71 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/office365.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/office365.md 
@@ -14,7 +14,7 @@ section in the table at the link below: [https://learn.microsoft.com/en-us/office365/servicedescriptions/office-applications-service-description/office-applications-service-description](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-applications-service-description/office-applications-service-description) -![966_1_image-20231114102807-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_1_image-20231114102807-2.webp) +![966_1_image-20231114102807-2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_1_image-20231114102807-2.webp) 11 Limited to policies for web apps and privacy policies for client apps. 
@@ -23,29 +23,29 @@ section in the table at the link below: Create a new Admin Template policy with the appropriate setting from the ADMX template (use Keyword section to search): -![966_2_image-20230922212443-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_2_image-20230922212443-1.webp) +![966_2_image-20230922212443-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_2_image-20230922212443-1.webp) Now set the value to "System default browser" instead of "Microsoft Edge" in the policy: -![966_3_image-20230922212443-2_950x650](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_3_image-20230922212443-2_950x650.webp) +![966_3_image-20230922212443-2_950x650](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_3_image-20230922212443-2_950x650.webp) ## SCENARIO 2: Using Endpoint Policy Manager On-Prem Once Office ADMX is deployed, create a new Admin Template policy with the appropriate setting from the ADMX template (use Keyword section to search): -![966_4_image-20230922212443-3_950x397](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_4_image-20230922212443-3_950x397.webp) +![966_4_image-20230922212443-3_950x397](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_4_image-20230922212443-3_950x397.webp) Now set the value to "System default browser" instead of "Microsoft Edge" in the policy: -![966_5_image-20230922212443-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_5_image-20230922212443-4.webp) +![966_5_image-20230922212443-4](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_5_image-20230922212443-4.webp) ## Verification: ### BEFORE: -![966_6_image-20230922212443-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_6_image-20230922212443-5.webp) 
+![966_6_image-20230922212443-5](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_6_image-20230922212443-5.webp) ### AFTER: -![966_7_image-20230922212443-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_7_image-20230922212443-6.webp) +![966_7_image-20230922212443-6](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/966_7_image-20230922212443-6.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/overview.md b/docs/policypak/policypak/troubleshooting/browserrouter/overview.md index 8a7868e7fe..5e40ad1397 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/overview.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/overview.md 
@@ -5,17 +5,17 @@ We have two guides online to help you troubleshoot Endpoint Policy Manager Brows If you're having problems getting Endpoint Policy Manager Browser Router to work, see the following guide: -[How to quickly troubleshoot Endpoint Policy Manager Browser Router](quick.md). +[How to quickly troubleshoot Endpoint Policy Manager Browser Router](/docs/policypak/policypak/troubleshooting/browserrouter/quick.md). If you're having problems getting Endpoint Policy Manager Browser Router to route between browsers as expected, see the following guide: -[Troubleshooting routing between browsers.](betweenbrowsers.md). +[Troubleshooting routing between browsers.](/docs/policypak/policypak/troubleshooting/browserrouter/betweenbrowsers.md). Additionally, Endpoint Policy Manager Browser Router has extensive logging, which needs to be turned on. You can do this using the Endpoint Policy Manager Browser Router ADMX templates and turning on logging. A video of the process can be found here: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md). +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md). Log files for Endpoint Policy Manager Browser Router are found in the two following places: diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/quick.md b/docs/policypak/policypak/troubleshooting/browserrouter/quick.md index 402637aada..ac04aef678 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/quick.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/quick.md 
@@ -28,7 +28,7 @@ You need a GPO to make the routes. Make sure the following is true: In this example, the GPO has data / routes on the user side and is correctly linked to where users reside (West Sales Users.) -![55_1_image007](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_1_image007.webp) +![55_1_image007](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_1_image007.webp) **Step 3 –** Verifying you GOT the GPOs… one for licensing and one for the routes. @@ -37,7 +37,7 @@ Run `GPresult /R `two times: - AS an ADMIN and verify that you got the LICENSING GPO. - As the USER and verify you got the GPO with the Endpoint Policy Manager Browser Router data. -![55_2_image008-1024x395](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_2_image008-1024x395.webp) +![55_2_image008-1024x395](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_2_image008-1024x395.webp) **Step 4 –** Is Endpoint Policy Manager Browser Router the "default browser" ? 
@@ -47,17 +47,17 @@ In DEFAULT PROGRAMS, verify that PPBRAgent is the Default Browser for HTTP and H **CAUTION:** For Non-Domain Joined machines, we (PolicyPak) cannot set this automatically. For more information on this -problem, [Which Endpoint Policy Manager items will not work when the computer is non-domain joined (or the computer is NEVER connected to the Internet)?](../nondomain/limitations.md) +problem, [Which Endpoint Policy Manager items will not work when the computer is non-domain joined (or the computer is NEVER connected to the Internet)?](/docs/policypak/policypak/troubleshooting/nondomain/limitations.md) For Domain joined Windows 10, Look at Default Programs here, -![55_3_image](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_3_image.webp) +![55_3_image](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_3_image.webp) For Domain Joined Windows 7, check Default Programs as seen here, -![55_4_image013](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_4_image013.webp) +![55_4_image013](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_4_image013.webp) -![55_5_image014](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_5_image014.webp) +![55_5_image014](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_5_image014.webp) CHECKPOINT: If PPBRAGENT is not the default for HTTP and HTTPS then, run `GPupdate /force` then REBOOT the computer. 
@@ -78,11 +78,11 @@ Common reasons: As the USER, go to `Appdata\Local\PolicyPak\PolicyPak Browser Router` and verify that ANY logs exist as seen here. -![55_6_image009](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_6_image009.webp) +![55_6_image009](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_6_image009.webp) Open the LATEST-created file (by date) for inspection. -![55_7_image010](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_7_image010.webp) +![55_7_image010](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_7_image010.webp) **Step 6 –** Checking what Endpoint Policy Manager Browser Router thinks are your routes. Endpoint Policy Manager Browser Router can take routes from various sources and multiple GPOs and/or files @@ -92,7 +92,7 @@ Ultimately those rules are boiled down to one file: `ppBRresults.xml.` You should manually inspect this to verify that routes are generated as expected. -![55_8_image011-1024x487](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_8_image011-1024x487.webp) +![55_8_image011-1024x487](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_8_image011-1024x487.webp) **Step 7 –** Getting more help (exactly what to do and attach THREE THINGS). @@ -101,7 +101,7 @@ You should manually inspect this to verify that routes are generated as expected - It’s good to take a screen shot too, so we can see what you’re trying to; computer or user side. - Attach / send both your SCREEN SHOT and your XML EXPORT file to your support case. -![55_9_image001-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_9_image001-1.webp) +![55_9_image001-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_9_image001-1.webp) Then, run `PPLOGS` twice: 
@@ -110,7 +110,7 @@ Then, run `PPLOGS` twice: - Use a NORMAL command prompt and run `PPLOGS`. Rename to` ppLogs-as-USER.zip`. Attach to your support case. -![55_10_image0012-1024x593](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_10_image0012-1024x593.webp) +![55_10_image0012-1024x593](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/55_10_image0012-1024x593.webp) **NOTE:** If your email system strips ZIP files, rename it to `.ZIPP` or `.TXT` or whatever you want. diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/revertlegacy.md b/docs/policypak/policypak/troubleshooting/browserrouter/revertlegacy.md index 7a41befc5a..7fced91318 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/revertlegacy.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/revertlegacy.md @@ -8,10 +8,10 @@ First, be sure you are eligible to use this function by copying the latest Endpo `ADMX` files to your Central Store or using Endpoint Policy Manager Cloud. Directions for Central Store: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) Directions for Endpoint Policy Manager Cloud (if they are not already pre-placed -there):[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](../../video/cloud/admxfiles.md) +there):[Endpoint Policy ManagerCloud: Upload and use your own ADMX files to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md) Then, the setting you should use if directed by support is entitled: 
@@ -19,7 +19,7 @@ Computer Configuration | Policies | Admin Templates | Endpoint Policy Manager AD Client-side Extensions | Browser Router | Revert to Legacy Browser Router Method & Features and set to enabled to return back to the legacy behavior. -![764_1_image-20201027210325-1_950x612](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/764_1_image-20201027210325-1_950x612.webp) +![764_1_image-20201027210325-1_950x612](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/764_1_image-20201027210325-1_950x612.webp) ## What does "Revert to Legacy Browser Router Method & Features" mean? @@ -39,4 +39,4 @@ original methods. What this essentially means is: An example of the user required to manually specify Endpoint Policy Manager Browser Router can be seen here. -![764_3_image-20201027210423-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/764_3_image-20201027210423-2.webp) +![764_3_image-20201027210423-2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/764_3_image-20201027210423-2.webp) diff --git a/docs/policypak/policypak/troubleshooting/browserrouter/wildcardrule.md b/docs/policypak/policypak/troubleshooting/browserrouter/wildcardrule.md index d57c1e44c5..def806690d 100644 --- a/docs/policypak/policypak/troubleshooting/browserrouter/wildcardrule.md +++ b/docs/policypak/policypak/troubleshooting/browserrouter/wildcardrule.md 
@@ -16,7 +16,7 @@ to visit http://www.microsoft.com that the site still opens in Internet Explorer instead of Edge. The website http://docs.microsoft.com however, opens correctly in Edge. -![712_1_image-20201230005141-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_1_image-20201230005141-1.webp) +![712_1_image-20201230005141-1](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_1_image-20201230005141-1.webp) Assuming that the Browser Router Policy and prerequisites are all configured correctly, (i.e., the Default Browser policy, and/or other BR policies are working as expected) the reason this is @@ -33,8 +33,8 @@ policy for \*Microsoft\*. Either of the policies below will resolve this issue. **NOTE:** There is no "www" in the URL rule below. -![712_2_image-20201230005141-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_2_image-20201230005141-2.webp) +![712_2_image-20201230005141-2](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_2_image-20201230005141-2.webp) OR -![712_3_image-20201230005141-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_3_image-20201230005141-3.webp) +![712_3_image-20201230005141-3](/img/product_docs/policypak/policypak/troubleshooting/browserrouter/712_3_image-20201230005141-3.webp) diff --git a/docs/policypak/policypak/troubleshooting/changemanagementtools.md b/docs/policypak/policypak/troubleshooting/changemanagementtools.md index 29324aa6d8..6aa36ce8a5 100644 --- a/docs/policypak/policypak/troubleshooting/changemanagementtools.md +++ b/docs/policypak/policypak/troubleshooting/changemanagementtools.md 
@@ -63,18 +63,18 @@ Endpoint Policy Manager-specific GPO settings: - What was changed - History and differences of the changes -![921_1_image-1](../../../../static/img/product_docs/policypak/policypak/troubleshooting/921_1_image-1.webp) +![921_1_image-1](/img/product_docs/policypak/policypak/troubleshooting/921_1_image-1.webp) -![921_2_image-2](../../../../static/img/product_docs/policypak/policypak/troubleshooting/921_2_image-2.webp) +![921_2_image-2](/img/product_docs/policypak/policypak/troubleshooting/921_2_image-2.webp) However, Endpoint Policy Manager’s history and differences function applies only to its own settings. For instance, Microsoft Group Policy Preferences (like "Services") do not have a history function, as they are not managed by Endpoint Policy Manager. -![921_2_image-3](../../../../static/img/product_docs/policypak/policypak/troubleshooting/921_2_image-3.webp) +![921_2_image-3](/img/product_docs/policypak/policypak/troubleshooting/921_2_image-3.webp) You can watch a demo of how Endpoint Policy Manager stores and tracks changes in this video: -[Endpoint Policy Manager MMC: Showing History of items you create](../video/changemanagementutilities/history.md). +[Endpoint Policy Manager MMC: Showing History of items you create](/docs/policypak/policypak/video/changemanagementutilities/history.md). ## Summary of Endpoint Policy Manager vs. GPO Change Management Tools 
@@ -93,22 +93,22 @@ Endpoint Policy Manager-specific settings. Here are examples of Endpoint Policy Manager working alongside popular GPO Change Management tools: - Endpoint Policy Manager with AGPM, see the - [Endpoint Policy Manager and AGPM](../video/changemanagementutilities/advancedgrouppolicymanagement.md) + [Endpoint Policy Manager and AGPM](/docs/policypak/policypak/video/changemanagementutilities/advancedgrouppolicymanagement.md) topic for additional information. - Endpoint Policy Manager with Quest's GPOADmin Tool, see the - [Endpoint Policy Manager and Quest's GPOADmin Tool](../video/changemanagementutilities/gpoadmintool.md) + [Endpoint Policy Manager and Quest's GPOADmin Tool](/docs/policypak/policypak/video/changemanagementutilities/gpoadmintool.md) topic for additional information. - Endpoint Policy Manager integrated with NetIQ GPA, see the - [Endpoint Policy Manager Integrates with NetIQ GPA](../video/changemanagementutilities/netiq.md) topic + [Endpoint Policy Manager Integrates with NetIQ GPA](/docs/policypak/policypak/video/changemanagementutilities/netiq.md) topic for additional information. - Endpoint Policy Manager with Quest (ScriptLogic) Active Administrator, see the - [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](../video/changemanagementutilities/scriptlogicactiveadministrator.md) topic + [Endpoint Policy Manager and Quest (ScriptLogic) ActiveAdministrator](/docs/policypak/policypak/video/changemanagementutilities/scriptlogicactiveadministrator.md) topic for additional information. - Endpoint Policy Manager with SDM Change Manager, see the - [Endpoint Policy Manager and SDM CHANGE MANAGER](../video/changemanagementutilities/sdmchangemanager.md) topic + [Endpoint Policy Manager and SDM CHANGE MANAGER](/docs/policypak/policypak/video/changemanagementutilities/sdmchangemanager.md) topic for additional information. 
Additionally, tools like Netwrix Auditor can monitor all GPO changes for both Microsoft and Endpoint Policy Manager-specific and alert you to unwanted changes. -![921_3_image-20230207205126-1](../../../../static/img/product_docs/policypak/policypak/troubleshooting/921_3_image-20230207205126-1.webp) +![921_3_image-20230207205126-1](/img/product_docs/policypak/policypak/troubleshooting/921_3_image-20230207205126-1.webp) diff --git a/docs/policypak/policypak/troubleshooting/clientsideextension/syspreperror.md b/docs/policypak/policypak/troubleshooting/clientsideextension/syspreperror.md index 8c42f55265..7731771d66 100644 --- a/docs/policypak/policypak/troubleshooting/clientsideextension/syspreperror.md +++ b/docs/policypak/policypak/troubleshooting/clientsideextension/syspreperror.md @@ -10,7 +10,7 @@ IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE. Actual image state is IMAGE_STATE_Complet In setupcat.log you’ll find the following error: -[Copy]() +[Copy](javascript:void(0);) setupcat.log error @@ -35,7 +35,7 @@ Resolution: To fix the error please remove the LPM appx package prior to SYSPREP with the following PowerShell command: -[Copy]() +[Copy](javascript:void(0);) Remove LPM appx package diff --git a/docs/policypak/policypak/troubleshooting/clientsideextension/uninstallpassword.md b/docs/policypak/policypak/troubleshooting/clientsideextension/uninstallpassword.md index fdbb6126b8..99d74de148 100644 --- a/docs/policypak/policypak/troubleshooting/clientsideextension/uninstallpassword.md +++ b/docs/policypak/policypak/troubleshooting/clientsideextension/uninstallpassword.md 
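Review bot: In syspreperror.md, the added lines at @@ -10,7 and @@ -35,7 put a javascript: URL into the Markdown source by turning [Copy]() into [Copy](javascript:void(0);). The link is leftover copy-button markup with no real target, so delete the [Copy] line in both places and carry the setupcat.log error and the PowerShell command in fenced code blocks instead. A javascript: destination is something many Markdown sanitizers and link checkers strip or flag, and accepting it here makes it harder to reject that scheme elsewhere in the docs.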
@@ -42,7 +42,7 @@ Example Password If you use the password “HelloWorld” and Base64 encrypt it, you will get `SGVsbG9Xb3JsZA==` as the result. You can use an encoder like [Base64 Encode](https://www.base64encode.org/), shown below. -![base64format](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/base64format.webp) +![base64format](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/base64format.webp) Example Use of the Feature @@ -52,12 +52,12 @@ Example Use of the Feature See the interactive example shown in the screenshot. -![csewizard](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/csewizard.webp) +![csewizard](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/csewizard.webp) If you try to uninstall the CSE by hand without a password, the following error message is displayed. -![cseuninstallpw](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/cseuninstallpw.webp) +![cseuninstallpw](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/cseuninstallpw.webp) ## Uninstall CSE When a Password Is Set @@ -67,7 +67,7 @@ Example Command `msiexec /x "PolicyPak Client-Side Extension x64.msi" UNPASSWORD=SGVsbG9Xb3JsZA==` -![csepassword](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/csepassword.webp) +![csepassword](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/csepassword.webp) Uninstallation Rules 
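Review bot: In uninstallpassword.md at @@ -42,7, the context line still says to "Base64 encrypt" the password, but Base64 is a reversible encoding and not encryption. Reword it to "Base64 encode" so that readers do not treat the UNPASSWORD=SGVsbG9Xb3JsZA== value on the msiexec command line at @@ -67,7 as protected; anyone who can read that command line can decode it back to HelloWorld.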
@@ -112,7 +112,7 @@ Registry value details The password is encrypted with the Windows Data Protection API (DAPI) and not in plain text. -![editbinary](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/editbinary.webp) +![editbinary](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/editbinary.webp) This registry key is protected and accessible only by Administrators and the Local System account. The password cannot be copied to another machine. If the registry value is transferred, CSE will not @@ -123,13 +123,13 @@ recognize it on a different system. As an emergency method of uninstallation, you may use the Endpoint Policy Manager ADMX Troubleshooting files which contains a policy named “Force disable uninstall password”. -See the [Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) topic for +See the [Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) topic for additional information about the ADMX troubleshooting files. When this ADMX setting is set locally or targeted to a machine, the CSE will uninstall without a password. -![disableuninstallpw](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/disableuninstallpw.webp) +![disableuninstallpw](/img/product_docs/policypak/policypak/troubleshooting/clientsideextension/disableuninstallpw.webp) **CAUTION:** Again as stated in the introduction of this document, someone with access rights to change the KHLM part of the registry or use the Endpoint Policy Manager ADMX files could circumvent diff --git a/docs/policypak/policypak/troubleshooting/cloud/entraid.md b/docs/policypak/policypak/troubleshooting/cloud/entraid.md index a8ca462d88..38c647c7db 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/entraid.md +++ b/docs/policypak/policypak/troubleshooting/cloud/entraid.md 
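Review bot: Two misspelled identifiers remain in the context lines of uninstallpassword.md and are worth fixing in the same pass: "DAPI" at @@ -112,7 should be DPAPI, the usual abbreviation for the Windows Data Protection API, and "KHLM" in the CAUTION paragraph at @@ -123,13 should be HKLM. A reader searching for either term as written will not find the right material. In the same hunk, "files which contains a policy" should read "contain".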
@@ -14,9 +14,9 @@ between Endpoint Policy Manager Cloud and Azure. **Step 5 –** Click "Revoke permissions" -![951_1_image-20230318014644-1_950x496](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/951_1_image-20230318014644-1_950x496.webp) +![951_1_image-20230318014644-1_950x496](/img/product_docs/policypak/policypak/troubleshooting/cloud/951_1_image-20230318014644-1_950x496.webp) -![951_2_image-20230318014644-2_950x298](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/951_2_image-20230318014644-2_950x298.webp) +![951_2_image-20230318014644-2_950x298](/img/product_docs/policypak/policypak/troubleshooting/cloud/951_2_image-20230318014644-2_950x298.webp) **Step 6 –** Then in PPC Portal: @@ -24,7 +24,7 @@ between Endpoint Policy Manager Cloud and Azure. - Activate Azure AD configuration - Sync Azure AD configuration -![951_3_image-20230318014644-3_950x521](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/951_3_image-20230318014644-3_950x521.webp) +![951_3_image-20230318014644-3_950x521](/img/product_docs/policypak/policypak/troubleshooting/cloud/951_3_image-20230318014644-3_950x521.webp) If that still doesn't work, you can force Azure to remove the Endpoint Policy Manager application. The steps from Microsoft are here: @@ -36,7 +36,7 @@ block #6 as seen here. Afterward, back in Endpoint Policy Manager Cloud re-create the connection. -![951_4_image-20230318014644-4_950x350](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/951_4_image-20230318014644-4_950x350.webp) +![951_4_image-20230318014644-4_950x350](/img/product_docs/policypak/policypak/troubleshooting/cloud/951_4_image-20230318014644-4_950x350.webp) Connect-AzureAD diff --git a/docs/policypak/policypak/troubleshooting/cloud/expired.md b/docs/policypak/policypak/troubleshooting/cloud/expired.md index f94e9dbf83..01faf0a9e9 100644 
--- a/docs/policypak/policypak/troubleshooting/cloud/expired.md +++ b/docs/policypak/policypak/troubleshooting/cloud/expired.md @@ -7,6 +7,6 @@ This computer then transitions to the WAITING LIST and can pick up a new license available. To learn more about the WAITING LIST, -[Endpoint Policy Manager Cloud Client: Why are computers appearing in WAITING LIST and how can I fix it?](waitinglist.md). +[Endpoint Policy Manager Cloud Client: Why are computers appearing in WAITING LIST and how can I fix it?](/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md). -![308_1_jhhj](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/308_1_jhhj.webp) +![308_1_jhhj](/img/product_docs/policypak/policypak/troubleshooting/cloud/308_1_jhhj.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/grouppolicyeditors.md b/docs/policypak/policypak/troubleshooting/cloud/grouppolicyeditors.md index 4d2d1a7e1d..7146aaf817 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/grouppolicyeditors.md +++ b/docs/policypak/policypak/troubleshooting/cloud/grouppolicyeditors.md @@ -7,7 +7,7 @@ But this will only show you the items which are coming from on-prem Group Policy Endpoint Policy Manager (formerly PolicyPak) Cloud. To see Endpoint Policy Manager Cloud results on a Endpoint Policy Manager cloud joined machine, use -the[Endpoint Policy Manager Cloud Reporting Demo](../../video/cloud/reports.md). +the[Endpoint Policy Manager Cloud Reporting Demo](/docs/policypak/policypak/video/cloud/reports.md). You can also see the policies on the machine by running `PPCLOUD /SYNC` and seeing the itemized list, like what is in the two screenshots below. 
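Review bot: The added line in grouppolicyeditors.md at @@ -7,7 still reads "the[Endpoint Policy Manager Cloud Reporting Demo](...)" with no space between "the" and the link, so the two words run together when rendered. Add the space while the line is being changed. The context line above it, "on a Endpoint Policy Manager cloud joined machine", could become "an" in the same edit.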
@@ -15,14 +15,14 @@ list, like what is in the two screenshots below. That being said, if you deploy Security Settings, then some of those settings will come thru and be seen in the local Group Policy Editor, like what's seen here. -![611_1_hf-935-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/611_1_hf-935-img-01.webp) +![611_1_hf-935-img-01](/img/product_docs/policypak/policypak/troubleshooting/cloud/611_1_hf-935-img-01.webp) Even this is not guaranteed for all the settings within Security; this is a rare example. And, in no cases can you see Group Policy Admin Templates appear in the local `GPEDIT.MSC` or `RSOP.MSC` Group Policy editor or results reporting. -![611_3_hf-935-img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/611_3_hf-935-img-02.webp) +![611_3_hf-935-img-02](/img/product_docs/policypak/policypak/troubleshooting/cloud/611_3_hf-935-img-02.webp) This also holds true for Endpoint Policy Manager -specific settings, like Endpoint Policy Manager Browser Router or Endpoint Policy Manager Least Privilege Manager. Even if you have the Admin 
@@ -63,14 +63,14 @@ Here's an end to end example of how to check and perform this verification: Start off with a policy in Endpoint Policy Manager Cloud Admin Template item, like "Prohibit access to Control Panel and PC settings" like this: -![611_5_image-20200923174350-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/611_5_image-20200923174350-1.webp) +![611_5_image-20200923174350-1](/img/product_docs/policypak/policypak/troubleshooting/cloud/611_5_image-20200923174350-1.webp) If you want to verify the value, you would use the GP Spreadhseet and find the same policy like this. -![611_6_image-20200923150026-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/611_6_image-20200923150026-2.webp) +![611_6_image-20200923150026-2](/img/product_docs/policypak/policypak/troubleshooting/cloud/611_6_image-20200923150026-2.webp) Finally, on the endpoint, use Regedit to verify the final value is or is not present. This means Endpoint Policy Manager did the work you expect. -![611_7_image-20200923152313-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/611_7_image-20200923152313-3.webp) +![611_7_image-20200923152313-3](/img/product_docs/policypak/policypak/troubleshooting/cloud/611_7_image-20200923152313-3.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/install/clientsideextension.md b/docs/policypak/policypak/troubleshooting/cloud/install/clientsideextension.md index eaa80625f5..30c67560b7 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/install/clientsideextension.md +++ b/docs/policypak/policypak/troubleshooting/cloud/install/clientsideextension.md 
@@ -25,7 +25,7 @@ the same file on other computers - There will sometimes be multiple logs files for each attempt -![608_1_image-20201029193618-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_1_image-20201029193618-1.webp) +![608_1_image-20201029193618-1](/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_1_image-20201029193618-1.webp) ## Resolution @@ -40,7 +40,7 @@ Delete the malformed file and re-run the installation **Step 2 –** Uninstall the "Endpoint Policy Manager Cloud Client" -![608_2_image-20201029193618-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_2_image-20201029193618-2.webp) +![608_2_image-20201029193618-2](/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_2_image-20201029193618-2.webp) **Step 3 –** Rerun the installation of the Cloud Client @@ -58,7 +58,7 @@ Download the CSE from the Endpoint Policy Manager Portal **Step 2 –** On the Home page, download the "Latest Bits" in the form of either a ZIP or ISO file -![608_3_image-20201029193618-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_3_image-20201029193618-3.webp) +![608_3_image-20201029193618-3](/img/product_docs/policypak/policypak/troubleshooting/cloud/install/608_3_image-20201029193618-3.webp) - Follow the prompts to complete the download. diff --git a/docs/policypak/policypak/troubleshooting/cloud/install/incomplete.md b/docs/policypak/policypak/troubleshooting/cloud/install/incomplete.md index c6e9ffcf85..e3826741e2 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/install/incomplete.md +++ b/docs/policypak/policypak/troubleshooting/cloud/install/incomplete.md 
@@ -15,7 +15,7 @@ As the PPC Client is already downloaded, it's the CSE that would be the issue he indication something is wrong when the Installation complete. You may end up with a message something like this: -![968_1_image-20230925200947-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/install/968_1_image-20230925200947-1.webp) +![968_1_image-20230925200947-1](/img/product_docs/policypak/policypak/troubleshooting/cloud/install/968_1_image-20230925200947-1.webp) Note missing group membership. @@ -78,5 +78,5 @@ September or October 2023. __NOTE:__ If you have a slow connection on the endpoint, the CSE can be downloaded from our customer portal and pre-installed. Please refer to the following KB article -> -[How can I best install Endpoint Policy Manager Cloud for remote clients over a slow link/internet connection?](../../../install/cloud/slowinternet.md) +[How can I best install Endpoint Policy Manager Cloud for remote clients over a slow link/internet connection?](/docs/policypak/policypak/install/cloud/slowinternet.md) ```` diff --git a/docs/policypak/policypak/troubleshooting/cloud/integration/ciscoanyconnect.md b/docs/policypak/policypak/troubleshooting/cloud/integration/ciscoanyconnect.md index da302e4ce1..09f0003ed3 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/integration/ciscoanyconnect.md +++ b/docs/policypak/policypak/troubleshooting/cloud/integration/ciscoanyconnect.md @@ -13,4 +13,4 @@ seen below. This is dump MAC as a matching criteria and use only UUID which is somewhat less aggressive. -![817_1_image001_950x578](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/integration/817_1_image001_950x578.webp) +![817_1_image001_950x578](/img/product_docs/policypak/policypak/troubleshooting/cloud/integration/817_1_image001_950x578.webp) 
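Review bot: In incomplete.md at @@ -78,5, the rewritten slowinternet.md link is followed directly by a closing four-backtick fence, so the NOTE and its link appear to sit inside a code block. If so, the link renders as literal text, and the new absolute path is never resolved or validated by the site build. Move the NOTE paragraph and the link outside the fence, or close the fence before them, so the path change in this hunk actually takes effect.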
diff --git a/docs/policypak/policypak/troubleshooting/cloud/log/verbose.md b/docs/policypak/policypak/troubleshooting/cloud/log/verbose.md index ea69d8e47f..4a8283ee04 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/log/verbose.md +++ b/docs/policypak/policypak/troubleshooting/cloud/log/verbose.md @@ -11,6 +11,6 @@ location and level of log messages. `msiexec /i "PathToMSIfile.msi" /L*v "C:/your_folder/LogFilename.txt"` More parameters for msiexec command may be found at -[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759262(v=ws.10)?redirectedfrom=MSDN]() +[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759262(v=ws.10)?redirectedfrom=MSDN](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759262(v=ws.10)?redirectedfrom=MSDN) -![928_1_image-20230207215348-7_950x351](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/log/928_1_image-20230207215348-7_950x351.webp) +![928_1_image-20230207215348-7_950x351](/img/product_docs/policypak/policypak/troubleshooting/cloud/log/928_1_image-20230207215348-7_950x351.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/login.md b/docs/policypak/policypak/troubleshooting/cloud/login.md index 5711e61254..2eeebdbdc3 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/login.md +++ b/docs/policypak/policypak/troubleshooting/cloud/login.md @@ -18,7 +18,7 @@ clear the browser cache. Here's how to go incognito for different browsers. -![926_1_image-20230913000135-1_781x183](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_1_image-20230913000135-1_781x183.webp) +![926_1_image-20230913000135-1_781x183](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_1_image-20230913000135-1_781x183.webp) ## Cookies 
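Review bot: In verbose.md at @@ -11,6, the new link destination contains parentheses, (v=ws.10), inside the Markdown (...) destination, so it depends on the renderer accepting balanced parentheses. Wrapping the destination in angle brackets removes that dependency. The link text is also the raw URL repeated; a short label such as the name of the msiexec reference page would read better, and the ?redirectedfrom=MSDN query string can be dropped.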
@@ -28,11 +28,11 @@ Here's how to access cookie settings in different browsers. In Firefox you have to make your way into Browser Settings and locate Privacy & Security. -![926_2_image-20230104094340-6_657x242](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_2_image-20230104094340-6_657x242.webp) +![926_2_image-20230104094340-6_657x242](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_2_image-20230104094340-6_657x242.webp) -![926_3_image-20230104094423-7_613x558](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_3_image-20230104094423-7_613x558.webp) +![926_3_image-20230104094423-7_613x558](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_3_image-20230104094423-7_613x558.webp) -![926_4_image-20230104094459-8_610x360](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_4_image-20230104094459-8_610x360.webp) +![926_4_image-20230104094459-8_610x360](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_4_image-20230104094459-8_610x360.webp) ### Chrome 
@@ -40,15 +40,15 @@ Chrome makes is a little easier to identify and clear cookies for a specific sit the login page and follow the sequence below.  In the example below we click Remove 4 times since there are 4 cookies in use for this specific site. -![926_5_image-20230104092841-2_535x582](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_5_image-20230104092841-2_535x582.webp) +![926_5_image-20230104092841-2_535x582](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_5_image-20230104092841-2_535x582.webp) ### Edge Edge makes it even easier, similar to Chrome but only 3 steps. -![926_6_image-20230104093408-4_491x233](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_6_image-20230104093408-4_491x233.webp) +![926_6_image-20230104093408-4_491x233](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_6_image-20230104093408-4_491x233.webp) -![926_7_image-20230104093448-5_527x138](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_7_image-20230104093448-5_527x138.webp) +![926_7_image-20230104093448-5_527x138](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_7_image-20230104093448-5_527x138.webp) ## Browser Cache 
@@ -58,4 +58,4 @@ images and files is checked. All 3 browsers have the Ctrl-Shift-Del shortcut that provides quick access to this setting. -![926_8_image-20230104100124-9_370x346](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_8_image-20230104100124-9_370x346.webp) ![926_9_image-20230104100144-10_322x350](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_9_image-20230104100144-10_322x350.webp) ![926_10_image-20230104100211-11_294x358](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/926_10_image-20230104100211-11_294x358.webp) +![926_8_image-20230104100124-9_370x346](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_8_image-20230104100124-9_370x346.webp) ![926_9_image-20230104100144-10_322x350](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_9_image-20230104100144-10_322x350.webp) ![926_10_image-20230104100211-11_294x358](/img/product_docs/policypak/policypak/troubleshooting/cloud/926_10_image-20230104100211-11_294x358.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/outage.md b/docs/policypak/policypak/troubleshooting/cloud/outage.md index 05e5d120d2..00f3f216cb 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/outage.md +++ b/docs/policypak/policypak/troubleshooting/cloud/outage.md @@ -5,7 +5,7 @@ unavailable or "goes down". This is rare, but it can happen. First, to verify and ensure the problem is with the Endpoint Policy Manager Cloud service, and not something on your end, please see the following article -[Troubleshoot communication from the Cloud Client and Cloud Service](servicecommunication.md) (and +[Troubleshoot communication from the Cloud Client and Cloud Service](/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md) (and the sub-KB articles at the end). However, if the Endpoint Policy Manager Cloud service itself is down, you might see the following 
@@ -13,7 +13,7 @@ behavior: **Step 1 –** Computers cannot be joined / re-joined to Endpoint Policy Manager Cloud -![612_1_rt](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/612_1_rt.webp) +![612_1_rt](/img/product_docs/policypak/policypak/troubleshooting/cloud/612_1_rt.webp) **Step 2 –** Endpoint Policy Manager Cloud /sync might show the following message… diff --git a/docs/policypak/policypak/troubleshooting/cloud/printers.md b/docs/policypak/policypak/troubleshooting/cloud/printers.md index 0233a69339..e8ef7d21b7 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/printers.md +++ b/docs/policypak/policypak/troubleshooting/cloud/printers.md @@ -22,4 +22,4 @@ cloud and sync it locally. Then PPC will be able to install that Printer back We've edited the value for Printer's location in the PPC Pref Object. -![747_1_front-desk-retry](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/747_1_front-desk-retry.webp) +![747_1_front-desk-retry](/img/product_docs/policypak/policypak/troubleshooting/cloud/747_1_front-desk-retry.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md b/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md index f11bb40c57..60ab788ccd 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md +++ b/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md @@ -28,4 +28,4 @@ and ` SavedLegacySettings.` You should see the proxy information like what is seen here in the binary value. -![373_1_image005sdfggrt](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/373_1_image005sdfggrt.webp) +![373_1_image005sdfggrt](/img/product_docs/policypak/policypak/troubleshooting/cloud/373_1_image005sdfggrt.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/registrationlimit.md b/docs/policypak/policypak/troubleshooting/cloud/registrationlimit.md index 3e6b64844b..d7624d095b 100644 
--- a/docs/policypak/policypak/troubleshooting/cloud/registrationlimit.md +++ b/docs/policypak/policypak/troubleshooting/cloud/registrationlimit.md @@ -5,7 +5,7 @@ The maximum number of computers you can register per hour with Netwrix Endpoint denied during installation of the Endpoint Policy Manager Cloud Client.  You can view your status in the portal on the Company Details page. -![963_1_image-20230425212744-1_950x534](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/963_1_image-20230425212744-1_950x534.webp) +![963_1_image-20230425212744-1_950x534](/img/product_docs/policypak/policypak/troubleshooting/cloud/963_1_image-20230425212744-1_950x534.webp) If you have reached the limit, the Installer will give a Prompt that you are not allowed to register more than X computers per hour. X is the number of computers you're allowed to register /hr. in your @@ -13,7 +13,7 @@ Tenant. You'll find similar reason in the Installer logs if you're using a software deployment tool. -![963_2_image-20230425212744-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/963_2_image-20230425212744-2.webp) +![963_2_image-20230425212744-2](/img/product_docs/policypak/policypak/troubleshooting/cloud/963_2_image-20230425212744-2.webp) The recommended option is to Exit Installation and try again 1 hour later.  Note as shown earlier, you can check your limit status in the portal. diff --git a/docs/policypak/policypak/troubleshooting/cloud/registrationmode.md b/docs/policypak/policypak/troubleshooting/cloud/registrationmode.md index 50591ed0f9..ff36d8b202 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/registrationmode.md +++ b/docs/policypak/policypak/troubleshooting/cloud/registrationmode.md 
@@ -11,7 +11,7 @@ the computer accounts and memberships are handled. ## Mode Definitions -![709_1_image-20210319185612-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/709_1_image-20210319185612-1.webp) +![709_1_image-20210319185612-1](/img/product_docs/policypak/policypak/troubleshooting/cloud/709_1_image-20210319185612-1.webp) Strict: Strict will always create a new secure certificate connection and treat the computer as if it has never been seen before. The computer will lose any group memberships that may exist, leaving diff --git a/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md b/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md index 4f069e3561..bf7bfeac9a 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md +++ b/docs/policypak/policypak/troubleshooting/cloud/servicecommunication.md @@ -5,7 +5,7 @@ To test the connection between the client and service, start by entering the the Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud client cannot communicate with Endpoint Policy Manager Cloud Server. -![256_1_pp-faq-000001](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/256_1_pp-faq-000001.webp) +![256_1_pp-faq-000001](/img/product_docs/policypak/policypak/troubleshooting/cloud/256_1_pp-faq-000001.webp) The main reasons for this connection issue are: 
@@ -25,14 +25,14 @@ information. **Step 2 –** At a command prompt, type in the following: `telnet cloud-agent.policypak.com 443` -![Telnet Cloud Agent Script](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/telnetcloudagent.webp) +![Telnet Cloud Agent Script](/img/product_docs/policypak/policypak/troubleshooting/cloud/telnetcloudagent.webp) - If the command just hangs and takes a long time to complete, then comes back with Connection failed, then the communication failed i. - If the command clears the screen and the cursor goes to the top, then the communication passes. See the image below for example. -![Communication Passes](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/communicationpasses.webp) +![Communication Passes](/img/product_docs/policypak/policypak/troubleshooting/cloud/communicationpasses.webp) **Step 3 –** You can also try `telnet cloud-agent.policypak.com 80` 
@@ -44,10 +44,10 @@ Additional Considerations - If the connection fails, that could mean there is some kind of proxy. To configure the proxy for the system, see the - [I always use a proxy and the cloud client cannot seem to make contact with the services (see FAQ Item #3 above first.) What else can I try?](proxyservices.md) topic + [I always use a proxy and the cloud client cannot seem to make contact with the services (see FAQ Item #3 above first.) What else can I try?](/docs/policypak/policypak/troubleshooting/cloud/proxyservices.md) topic for additional information. - If the connection passes, that could mean the Date and Time are wrong on the machine. First manually try to correct the date and time. Then run `PPCLOUD /SYNC` command and see if it succeeds. If that still fails to work, see the - [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](../error/gpsvcfailed.md) topic + [I am getting an error about "GPSVC failed at sign-in". This error occurs exactly one time. What does this mean?](/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md) topic for additional information on alternative time fix instructions. diff --git a/docs/policypak/policypak/troubleshooting/cloud/syncfail.md b/docs/policypak/policypak/troubleshooting/cloud/syncfail.md index 61e3831245..1258d56834 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/syncfail.md +++ b/docs/policypak/policypak/troubleshooting/cloud/syncfail.md 
@@ -6,11 +6,11 @@ is occurring. A manual sync with Cloud Client 23.5 might fail to operate and present errors like this: -![887_1_image-20230525200517-1_950x212](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_1_image-20230525200517-1_950x212.webp) +![887_1_image-20230525200517-1_950x212](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_1_image-20230525200517-1_950x212.webp) A manual PPCLOUD /sync pre-23.5 might look like this on a failed manual sync attempt: -![887_2_image_950x371](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_2_image_950x371.webp) +![887_2_image_950x371](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_2_image_950x371.webp) We are actively working on the issues as they come up. 
@@ -35,30 +35,30 @@ events will be for Endpoint Policy Manager Cloud. **NOTE:** Future versions of Endpoint Policy Manager Cloud client are slated to have its own event log. -![887_3_image-20230525200517-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_3_image-20230525200517-2.webp) +![887_3_image-20230525200517-2](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_3_image-20230525200517-2.webp) Here's an example of a machine when syncs happen in the background, across a few log events (from earliest to latest event on an automatic, background sync.) -![887_4_image-20230525200517-3_950x169](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_4_image-20230525200517-3_950x169.webp) +![887_4_image-20230525200517-3_950x169](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_4_image-20230525200517-3_950x169.webp) To look at them in order we have… -![887_5_image-20230525200517-4_950x172](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_5_image-20230525200517-4_950x172.webp) +![887_5_image-20230525200517-4_950x172](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_5_image-20230525200517-4_950x172.webp) -![887_6_image-20230525200517-5_950x161](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_6_image-20230525200517-5_950x161.webp) +![887_6_image-20230525200517-5_950x161](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_6_image-20230525200517-5_950x161.webp) -![887_7_image-20230525200517-6_950x184](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_7_image-20230525200517-6_950x184.webp) +![887_7_image-20230525200517-6_950x184](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_7_image-20230525200517-6_950x184.webp) 
-![887_8_image-20230525200517-7_950x179](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_8_image-20230525200517-7_950x179.webp) +![887_8_image-20230525200517-7_950x179](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_8_image-20230525200517-7_950x179.webp) -![887_9_image-20230525200517-8_950x217](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_9_image-20230525200517-8_950x217.webp) +![887_9_image-20230525200517-8_950x217](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_9_image-20230525200517-8_950x217.webp) -![887_10_image-20230525200517-9_950x199](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_10_image-20230525200517-9_950x199.webp) +![887_10_image-20230525200517-9_950x199](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_10_image-20230525200517-9_950x199.webp) -![887_11_image-20230525200517-10_950x226](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_11_image-20230525200517-10_950x226.webp) +![887_11_image-20230525200517-10_950x226](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_11_image-20230525200517-10_950x226.webp) -![887_12_image-20230525200517-11_950x267](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_12_image-20230525200517-11_950x267.webp) +![887_12_image-20230525200517-11_950x267](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_12_image-20230525200517-11_950x267.webp) **NOTE:** Only when you see the message "...has been proceeded successfully" is an indication of a truly successful sync and policy update. 
@@ -69,11 +69,11 @@ There is less detail in the event logs in previous versions. On Pre-23.5 machines, you can see similar events like this for success. -![887_13_image-20230525200517-12_950x586](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_13_image-20230525200517-12_950x586.webp) +![887_13_image-20230525200517-12_950x586](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_13_image-20230525200517-12_950x586.webp) And like this for failure during a background sync. -![887_14_image-20230525200517-13_950x437](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_14_image-20230525200517-13_950x437.webp) +![887_14_image-20230525200517-13_950x437](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_14_image-20230525200517-13_950x437.webp) # Final Thoughts: PPCLOUD /status @@ -81,4 +81,4 @@ In all cases, using Endpoint Policy Manager CLOUD /status will NOT perform a syn the final result of policies upon the machine. This is helpful so you can know what the machine's current state actually is. Example with some text removed to save space… -![887_15_image-20230525200517-14_950x1022](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/887_15_image-20230525200517-14_950x1022.webp) +![887_15_image-20230525200517-14_950x1022](/img/product_docs/policypak/policypak/troubleshooting/cloud/887_15_image-20230525200517-14_950x1022.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/transition.md b/docs/policypak/policypak/troubleshooting/cloud/transition.md index b89c641bd1..886b7ca556 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/transition.md +++ b/docs/policypak/policypak/troubleshooting/cloud/transition.md 
@@ -3,7 +3,7 @@ **Step 1 –** Uninstall the Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud Client on the endpoints.  This will MAINTAIN the Endpoint Policy Manager Client Side Extension . -![585_1_jm-1_900x536](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/585_1_jm-1_900x536.webp) +![585_1_jm-1_900x536](/img/product_docs/policypak/policypak/troubleshooting/cloud/585_1_jm-1_900x536.webp) **Step 2 –** Leave in place -or- Upgrade to the LATEST Endpoint Policy Manager Client Side Extension using SCCM or PDQ Deploy Example: @@ -18,4 +18,4 @@ Manager on-prem GPO. Note that some items might be restricted to COMPUTER or USER side, and may be actively prohibited on the "wrong" side. For those, you will have to recreate the policies. -![585_2_jm-2_900x438](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/585_2_jm-2_900x438.webp) +![585_2_jm-2_900x438](/img/product_docs/policypak/policypak/troubleshooting/cloud/585_2_jm-2_900x438.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/twofactorauthenticationcode.md b/docs/policypak/policypak/troubleshooting/cloud/twofactorauthenticationcode.md index f3a9288f4e..95cf3d40f4 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/twofactorauthenticationcode.md +++ b/docs/policypak/policypak/troubleshooting/cloud/twofactorauthenticationcode.md 
@@ -10,17 +10,17 @@ service will unable to send the email-based two-factor authentication code via e To be sure, this highlighted function on PP website doesn't work when NoScript is enabled for either Mozilla Firefox or Google Chrome. -![674_1_kb-problem](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/674_1_kb-problem.webp) +![674_1_kb-problem](/img/product_docs/policypak/policypak/troubleshooting/cloud/674_1_kb-problem.webp) ## Reason: This is a screenshot of NoScript plug-in Mozilla Firefox as on October-2019. It may look different now. -![674_2_kb-reason](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/674_2_kb-reason.webp) +![674_2_kb-reason](/img/product_docs/policypak/policypak/troubleshooting/cloud/674_2_kb-reason.webp) ## Resolution: Add URL Endpoint Policy Manager.com website in the trusted site section of NoScript plug-in. -![674_3_kb-resolution](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/674_3_kb-resolution.webp) +![674_3_kb-resolution](/img/product_docs/policypak/policypak/troubleshooting/cloud/674_3_kb-resolution.webp) diff --git a/docs/policypak/policypak/troubleshooting/cloud/underhood/clientcommands.md b/docs/policypak/policypak/troubleshooting/cloud/underhood/clientcommands.md index 2ec1fa1617..744c06ff1d 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/underhood/clientcommands.md +++ b/docs/policypak/policypak/troubleshooting/cloud/underhood/clientcommands.md 
@@ -15,9 +15,9 @@ The Endpoint Policy Manager Cloud client can be invoked from an elevated command within groups. - `/sysprep`: Used to install the Endpoint Policy Manager Cloud client on a virtual desktop image. See "Option 2" in this KB article: - [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](../../../integration/azurevirutaldesktop.md). + [How to install the Endpoint Policy Manager Cloud Client for use in an Azure Virtual Desktop image](/docs/policypak/policypak/integration/azurevirutaldesktop.md). Or see this article: - [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](../../../integration/vdisolutions.md). + [How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon](/docs/policypak/policypak/integration/vdisolutions.md). - `/unregister`: Used to un-register a machine from Endpoint Policy Manager Cloud and reclaim a license. Used with a virtual desktops scenario. - `/jointoken:value`: Used in conjunction with the `/sysprep `switch to automatically join a diff --git a/docs/policypak/policypak/troubleshooting/cloud/underhood/installation.md b/docs/policypak/policypak/troubleshooting/cloud/underhood/installation.md index 8e35c7f9e3..fd873dadcc 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/underhood/installation.md +++ b/docs/policypak/policypak/troubleshooting/cloud/underhood/installation.md 
@@ -4,13 +4,13 @@ If you choose an interactive installation of the Endpoint Policy Manager Cloud c success or failure messages that occur when connecting to Endpoint Policy Manager Cloud will be shown on the final window during installation, as shown in Figure 156. -![underneath_the_hood_and_troubleshooting_2_624x343](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_2_624x343.webp) +![underneath_the_hood_and_troubleshooting_2_624x343](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_2_624x343.webp) Figure 156. The final window of the installation process. There are some common issues that occur during installation, and these client troubleshooting errors are documented in one place: Getting Started with Cloud > -[Knowledge Base](../../../cloud/overview/knowledgebase.md). However, three of our most common errors +[Knowledge Base](/docs/policypak/policypak/cloud/overview/knowledgebase.md). However, three of our most common errors are presented in the next few pages. ## No Internet Connection During Installation @@ -28,7 +28,7 @@ Policy Manager Cloud for a maximum of 60 seconds. If it is able to make a connec license within 60 seconds, you'll get a success message. If the Endpoint Policy Manager Cloud client cannot locate Endpoint Policy Manager Cloud you'll get an error message, as shown in Figure 157. -![underneath_the_hood_and_troubleshooting_3_406x302](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_3_406x302.webp) +![underneath_the_hood_and_troubleshooting_3_406x302](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_3_406x302.webp) Figure 157. The error message when the Endpoint Policy Manager Cloud client cannot connect to Endpoint Policy Manager Cloud. 
@@ -36,7 +36,7 @@ Endpoint Policy Manager Cloud. If you click "Continue," you'll see a success message, but no results of the connection to Endpoint Policy Manager Cloud, as shown in Figure 158. -![underneath_the_hood_and_troubleshooting_4_406x336](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_4_406x336.webp) +![underneath_the_hood_and_troubleshooting_4_406x336](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_4_406x336.webp) Figure 158. The success message indicating installation is complete. @@ -50,7 +50,7 @@ A common error occurs when the system time is off. If you get the error shown in that the system time on the client system is correct. If the time significantly off, the cloud client cannot talk with the cloud server. -![underneath_the_hood_and_troubleshooting_5](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_5.webp) +![underneath_the_hood_and_troubleshooting_5](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_5.webp) Figure 159. System time error message. @@ -58,7 +58,7 @@ To check the time, do the following: **Step 1 –** Change the time zone to UTC, as shown in Figure 160. -![underneath_the_hood_and_troubleshooting_6](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_6.webp) +![underneath_the_hood_and_troubleshooting_6](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_6.webp) Figure 160. Selecting UTC as the time zone. 
@@ -81,7 +81,7 @@ then the computer will, by default, be seen as unique (see Figure 161). This is the computer registration modes, and it can typically happen when the computer is a VDI machine that gets destroyed and rebuilt often. To compensate for this, refer to the section "Company Details." -![underneath_the_hood_and_troubleshooting_7_624x277](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_7_624x277.webp) +![underneath_the_hood_and_troubleshooting_7_624x277](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_7_624x277.webp) Figure 161. A computer is seen as being unique after the OS is re-installed. @@ -89,6 +89,6 @@ The registration mode you likely want to use is "Loose (allow computers to recov or MAC Address)" for normal machines (as shown in Figure 162), and "Advanced (always register a new computer and keep existing records)" for VDI machines. -![web_interface_and_controls_71_624x518](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/web_interface_and_controls_71_624x518.webp) +![web_interface_and_controls_71_624x518](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/web_interface_and_controls_71_624x518.webp) Figure 162. Selecting the registration mode. diff --git a/docs/policypak/policypak/troubleshooting/cloud/underhood/xmldatastorage.md b/docs/policypak/policypak/troubleshooting/cloud/underhood/xmldatastorage.md index 93e556ca0a..381581addc 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/underhood/xmldatastorage.md +++ b/docs/policypak/policypak/troubleshooting/cloud/underhood/xmldatastorage.md 
@@ -8,14 +8,14 @@ produced on the client `%programdata%\PolicyPak\XMLdata `folder, as shown in Fig - Groups - Users -![underneath_the_hood_and_troubleshooting_624x238](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_624x238.webp) +![underneath_the_hood_and_troubleshooting_624x238](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_624x238.webp) Figure 154. Directories in the XmlData folder. When the Endpoint Policy Manager Cloud client downloads XML data files from the Endpoint Policy Manager Cloud service, it puts those files in the Cloud directory, as shown in Figure 155. -![underneath_the_hood_and_troubleshooting_1_624x170](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_1_624x170.webp) +![underneath_the_hood_and_troubleshooting_1_624x170](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_1_624x170.webp) Figure 155. Downloaded XML data files. diff --git a/docs/policypak/policypak/troubleshooting/cloud/versions.md b/docs/policypak/policypak/troubleshooting/cloud/versions.md index 7967e42a17..5fe71670aa 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/versions.md +++ b/docs/policypak/policypak/troubleshooting/cloud/versions.md 
@@ -9,9 +9,9 @@ displayed does not match the version of the Endpoint Policy Manager Client-Side In the screenshots below the CSE version installed is 21.11.2984 but the PPUPDATE version is showing as 20.1.2317. -![897_1_image-20220125020029-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/897_1_image-20220125020029-1.webp) +![897_1_image-20220125020029-1](/img/product_docs/policypak/policypak/troubleshooting/cloud/897_1_image-20220125020029-1.webp) -![897_2_image-20220125020029-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/897_2_image-20220125020029-2.webp) +![897_2_image-20220125020029-2](/img/product_docs/policypak/policypak/troubleshooting/cloud/897_2_image-20220125020029-2.webp) ## CAUSE: diff --git a/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md b/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md index 5b1756ff46..00258bde9e 100644 --- a/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md +++ b/docs/policypak/policypak/troubleshooting/cloud/waitinglist.md @@ -33,4 +33,4 @@ available licenses. what's seen here. Note that the report is "per component" even though we do not license components separately. -![382_1_ppcloud-status1-300x88](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/382_1_ppcloud-status1-300x88.webp) +![382_1_ppcloud-status1-300x88](/img/product_docs/policypak/policypak/troubleshooting/cloud/382_1_ppcloud-status1-300x88.webp) diff --git a/docs/policypak/policypak/troubleshooting/computersidersop.md b/docs/policypak/policypak/troubleshooting/computersidersop.md index efaaf80e05..1b26b12152 100644 --- a/docs/policypak/policypak/troubleshooting/computersidersop.md +++ b/docs/policypak/policypak/troubleshooting/computersidersop.md 
@@ -6,7 +6,7 @@ Active Directory is to only show the USER SIDE of the RSOP, and not the COMPUTER If you attempt to grab BOTH, or explicitly try to grab the COMPUTER side, you will NOT see the COMPUTER SIDE and/or get ACCESS DENIED like this. -![560_1_img-01_950x275](../../../../static/img/product_docs/policypak/policypak/troubleshooting/560_1_img-01_950x275.webp) +![560_1_img-01_950x275](/img/product_docs/policypak/policypak/troubleshooting/560_1_img-01_950x275.webp) There is an easy temporary (or, if you wish) a permanent workaround. @@ -16,18 +16,18 @@ computer is fine.) In my example, the computer is in East Sales Desktops. Then in the GPMC click DELEGATION, choose READ GROUP POLICY RESULTS DATA, then click ADD. -![560_3_img-02](../../../../static/img/product_docs/policypak/policypak/troubleshooting/560_3_img-02.webp) +![560_3_img-02](/img/product_docs/policypak/policypak/troubleshooting/560_3_img-02.webp) Then add the USER or a GROUP the user is in. In this case I'm added EASTSALESUSER1 or you can add, for instance, AUTHENTICATED USERS. -![560_5_img-03](../../../../static/img/product_docs/policypak/policypak/troubleshooting/560_5_img-03.webp) +![560_5_img-03](/img/product_docs/policypak/policypak/troubleshooting/560_5_img-03.webp) The final results before testing should look like this (where the USER (or GROUP) can now see the COMPUTER side RSOP..) -![560_7_img-04](../../../../static/img/product_docs/policypak/policypak/troubleshooting/560_7_img-04.webp) +![560_7_img-04](/img/product_docs/policypak/policypak/troubleshooting/560_7_img-04.webp) The final result will be that THIS USER can now see the COMPUTER SIDE RSOP. -![560_9_img-05](../../../../static/img/product_docs/policypak/policypak/troubleshooting/560_9_img-05.webp) +![560_9_img-05](/img/product_docs/policypak/policypak/troubleshooting/560_9_img-05.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/conflictresolved.md b/docs/policypak/policypak/troubleshooting/conflictresolved.md index 329ea8b665..ef86163126 100644 --- a/docs/policypak/policypak/troubleshooting/conflictresolved.md +++ b/docs/policypak/policypak/troubleshooting/conflictresolved.md @@ -13,7 +13,7 @@ Other sources are XML files placement; which happens automatically when you use: Those policy XML files get unwrapped to` c:\programData\PolicyPak\XMLData` into various folders seen here: Cloud, Computer, Groups, Users. -![717_1_img-01](../../../../static/img/product_docs/policypak/policypak/troubleshooting/717_1_img-01.webp) +![717_1_img-01](/img/product_docs/policypak/policypak/troubleshooting/717_1_img-01.webp) Again the only time you have to really worry about conflicts is when you attempt to set the EXACT same value would you have a problem. For instance, you decide to create an RDP File on the desktop @@ -41,4 +41,4 @@ individual policies. As such you might see an undesired "flip flop" behavior whe Security Settings are delivered from multiple sources like Group Policy and Endpoint Policy Manager Cloud. For details on this particular problem see this existing KB: -[Why do I sometimes see Endpoint Policy Manager Cloud security settings and sometimes see on-prem GPO security settings?](gpoexport/onpremisecloud.md) +[Why do I sometimes see Endpoint Policy Manager Cloud security settings and sometimes see on-prem GPO security settings?](/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md) diff --git a/docs/policypak/policypak/troubleshooting/cpuslowdown.md b/docs/policypak/policypak/troubleshooting/cpuslowdown.md index 3b11264109..c122966238 100644 --- a/docs/policypak/policypak/troubleshooting/cpuslowdown.md +++ b/docs/policypak/policypak/troubleshooting/cpuslowdown.md 
@@ -5,7 +5,7 @@ Policy Manager (formerly PolicyPak) causing it. Here's an example scenario… -![369_1_faq-913-01](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_1_faq-913-01.webp) +![369_1_faq-913-01](/img/product_docs/policypak/policypak/troubleshooting/369_1_faq-913-01.webp) First:There are known bugs which push the utilization up to 100% from MS. Example:[https://support.microsoft.com/en-us/help/3083595/task-manager-might-show-100-disk-utilization-on-windows-10-devices-wit](https://support.microsoft.com/en-us/help/3083595/task-manager-might-show-100-disk-utilization-on-windows-10-devices-wit) @@ -32,19 +32,19 @@ and Create dump file. We can analyze this and it tells us a lot. **Step 3 –** Run `perfmon.exe` to see a relationship graph. Clear out any existing counters. -![369_2_faq-913-02](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_2_faq-913-02.webp) +![369_2_faq-913-02](/img/product_docs/policypak/policypak/troubleshooting/369_2_faq-913-02.webp) **Step 4 –** Next you need to add new counters for PPExtensionSvc disk usage. To do this, find PROCESS then EXPAND. -![369_3_faq-913-03](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_3_faq-913-03.webp) +![369_3_faq-913-03](/img/product_docs/policypak/policypak/troubleshooting/369_3_faq-913-03.webp) **Step 5 –** Expand the Process item from the top list, select only: - I/O Data Operations/sec and - I/O Other Operations/sec then from the bottom list select -![369_4_faq-913-04](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_4_faq-913-04.webp) +![369_4_faq-913-04](/img/product_docs/policypak/policypak/troubleshooting/369_4_faq-913-04.webp) **Step 6 –** From Logical Disk, you want to add the following items (only ONE of which is shown in the screenshot). 
@@ -55,11 +55,11 @@ the screenshot). **NOTE:** Ensure \_Total selected in the bottom list. -![369_5_faq-913-05](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_5_faq-913-05.webp) +![369_5_faq-913-05](/img/product_docs/policypak/policypak/troubleshooting/369_5_faq-913-05.webp) Your total counters should look like this.. when sorted by OBJECT: -![369_6_faq-913-06](../../../../static/img/product_docs/policypak/policypak/troubleshooting/369_6_faq-913-06.webp) +![369_6_faq-913-06](/img/product_docs/policypak/policypak/troubleshooting/369_6_faq-913-06.webp) **Step 7 –** Optionally, add anything else that could be getting in the way or adding to high disk activity, like `DISM.EXE` which was seen in the first screenshot which is known for high disk @@ -81,7 +81,7 @@ Data Operations/sec is high at the same time. If you still think Endpoint Policy Manager is causing high disk usage / slowdowns we need: **Step 1 –** -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](fastsupport.md) +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) **Step 2 –** Screenshot of the perfmon as configured above running for a full minute. diff --git a/docs/policypak/policypak/troubleshooting/customdialog.md b/docs/policypak/policypak/troubleshooting/customdialog.md index 5592d7f791..3de1beddf0 100644 --- a/docs/policypak/policypak/troubleshooting/customdialog.md +++ b/docs/policypak/policypak/troubleshooting/customdialog.md @@ -12,4 +12,4 @@ Note that when the setting is: or the CSE has a problem. This could be desirable, but also means that functions will just stop with no notification. -![780_1_img-01_950x653](../../../../static/img/product_docs/policypak/policypak/troubleshooting/780_1_img-01_950x653.webp) +![780_1_img-01_950x653](/img/product_docs/policypak/policypak/troubleshooting/780_1_img-01_950x653.webp) 
diff --git a/docs/policypak/policypak/troubleshooting/error/admintemplates/policyduplicates.md b/docs/policypak/policypak/troubleshooting/error/admintemplates/policyduplicates.md index 3a4da3b463..e82e52473d 100644 --- a/docs/policypak/policypak/troubleshooting/error/admintemplates/policyduplicates.md +++ b/docs/policypak/policypak/troubleshooting/error/admintemplates/policyduplicates.md @@ -14,4 +14,4 @@ Option 2 is to clean up the underlying issue in your Central (or Local) store. article on that: [https://support.microsoft.com/en-us/help/3077013/-microsoft-policies-sensors-windowslocationprovider-is-already-defined](https://support.microsoft.com/en-us/help/3077013/-microsoft-policies-sensors-windowslocationprovider-is-already-defined) -![733_1_gfhjghj](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/admintemplates/733_1_gfhjghj.webp) +![733_1_gfhjghj](/img/product_docs/policypak/policypak/troubleshooting/error/admintemplates/733_1_gfhjghj.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/applicationsettings/code0xc000428.md b/docs/policypak/policypak/troubleshooting/error/applicationsettings/code0xc000428.md index a247ddfeb6..d27349e745 100644 --- a/docs/policypak/policypak/troubleshooting/error/applicationsettings/code0xc000428.md +++ b/docs/policypak/policypak/troubleshooting/error/applicationsettings/code0xc000428.md 
@@ -7,9 +7,9 @@ see one of the following error messages. Error message seen is below and says "`PPAppLockdr64.dll` is either not designed to run on Windows or it contains an error. Error status 0xc0000428. -![23_1_image](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_1_image-20191015113622-1.webp) +![23_1_image](/img/product_docs/policypak/policypak/troubleshooting/applicationsettings/280_1_image-20191015113622-1.webp) -![23_2_image](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/applicationsettings/23_2_image.webp) +![23_2_image](/img/product_docs/policypak/policypak/troubleshooting/error/applicationsettings/23_2_image.webp) This is a problem with Microsoft Remote Assistance (MSRA) and/or Palo Alto Cortex XDR Tray Process (cytray.exe) on Windows 10 1903 and later and also on Windows 11 when the Endpoint Policy ManagerCSE @@ -31,7 +31,7 @@ Endpoint Policy ManagerAppLock is the feature in PP App Manager which GRAYS or H Here is the Endpoint Policy Manager side workaround if you are encountering this error: -[How do I turn AppLock off or on based upon the CSE version I'm using?](../../applicationsettings/applock/disable.md) +[How do I turn AppLock off or on based upon the CSE version I'm using?](/docs/policypak/policypak/troubleshooting/applicationsettings/applock/disable.md) **NOTE:** IIn general it is NOT recommended to stop Endpoint Policy Manager AppLock. 
@@ -63,4 +63,4 @@ error. Optional: FoFor Workaround 2 you can use Endpoint Policy ManagerScripts Manager to apply these settings to multiple computers/users via PowerShell, for steps please see the KB below: -[How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](../../applicationsettings/microsoftremoteassistance.md) +[How to use Scripts Manager to workaround the "PPAppLockdr64.dll is either not designed to run on Windows or it contains an error" message when running Microsoft Remote Assistance (MSRA.exe) and the Endpoint Policy Manager CSE is installed on Windows 10 1903](/docs/policypak/policypak/troubleshooting/applicationsettings/microsoftremoteassistance.md) diff --git a/docs/policypak/policypak/troubleshooting/error/applicationsettings/exception.md b/docs/policypak/policypak/troubleshooting/error/applicationsettings/exception.md index eea3fbca2a..44d6f0cb02 100644 --- a/docs/policypak/policypak/troubleshooting/error/applicationsettings/exception.md +++ b/docs/policypak/policypak/troubleshooting/error/applicationsettings/exception.md @@ -3,7 +3,7 @@ If you encounter the following error (or something like it) when launching a ThinApp packaged application, there is a workaround. -![242_1_image001-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/applicationsettings/242_1_image001-2.webp) +![242_1_image001-2](/img/product_docs/policypak/policypak/troubleshooting/error/applicationsettings/242_1_image001-2.webp) You can fully isolate PolicyPak from trying to manage a specific ThinApp application, thus working around the exception error. 
diff --git a/docs/policypak/policypak/troubleshooting/error/browserrouter/automaticallydisabled.md b/docs/policypak/policypak/troubleshooting/error/browserrouter/automaticallydisabled.md index f7e487b17d..a3ac2baad8 100644 --- a/docs/policypak/policypak/troubleshooting/error/browserrouter/automaticallydisabled.md +++ b/docs/policypak/policypak/troubleshooting/error/browserrouter/automaticallydisabled.md 
@@ -4,31 +4,31 @@ If you get the message ""Netwrix Endpoint Policy Manager (formerly PolicyPak) Br Chromium Extension" was automatically disabled" like this… This article will show you the workaround. -![759_1_img-01_950x299](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_1_img-01_950x299.webp) +![759_1_img-01_950x299](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_1_img-01_950x299.webp) To adjust for this, make sure that the Endpoint Policy Manager Browser Router extension(s) you use are explicitly added to the policy named "Allow specific extensions to be installed". You can use this chart to see the Endpoint Policy Manager Browser Router Extension you should allow to install: -[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](../../browserrouter/clientsideextension/chromeextensionid.md) +[What is the Chrome Extension ID for all the published versions of Endpoint Policy Manager Browser Router Client Side Extension?](/docs/policypak/policypak/troubleshooting/browserrouter/clientsideextension/chromeextensionid.md) In this screenshot, the Endpoint Policy Manager Extension is the third one listed. Note in this screenshot this is being done on the USER side for EDGE: -![759_3_img-02](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_3_img-02.webp) +![759_3_img-02](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_3_img-02.webp) But you may also perform the operation per computer on the COMPUTER side (For EDGE) as follows. 
-![759_5_img-03](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_5_img-03.webp) +![759_5_img-03](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_5_img-03.webp) Additionally, this same problem can occur in Chrome and hence, you would use the same value, but using the Chrome ADMX setting. Here is the setting "Configure extension installation allow list" on the Computer side. -![759_7_img-04](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_7_img-04.webp) +![759_7_img-04](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_7_img-04.webp) And here is "Configure extension installation allow list" on the User side. -![759_9_img-05](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_9_img-05.webp) +![759_9_img-05](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/759_9_img-05.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/browserrouter/contactsupport.md b/docs/policypak/policypak/troubleshooting/error/browserrouter/contactsupport.md index c23a99e912..6dd4162872 100644 --- a/docs/policypak/policypak/troubleshooting/error/browserrouter/contactsupport.md +++ b/docs/policypak/policypak/troubleshooting/error/browserrouter/contactsupport.md @@ -5,7 +5,7 @@ If you see a message like what's seen below… "Please contact your support personnel who can gather logs and work with Netwrix Endpoint Policy Manager (formerly PolicyPak) support." -![206_1_image](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/206_1_image.webp) +![206_1_image](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/206_1_image.webp) This could happen for a variety of reasons. 
@@ -28,7 +28,7 @@ Tips: [https://community.ivanti.com/docs/DOC-59389](https://community.ivanti.com/docs/DOC-59389) - For your AV / other software, see your own vendor's exclusions. - Endpoint Policy Manager AV Exclusions: - [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../../../install/antivirus.md) + [How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) - If you have a FEW or ONE machine showing the issue: FAQ. **Step 3 –** After that, it could still be a bug. But it would typically appear on MANY machines and @@ -36,6 +36,6 @@ not just a SINGLE or a FEW machines. That being said, if you would like for us t logs, in these cases, we need AT LEAST TWO machines to see a PATTERN in the logs. So be prepared to get logs from multiple machines showing the issue so we can do some deeper investigation. -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](../../fastsupport.md) +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) _Remember,_ We need AT LEAST two machines of logs to check in this case. diff --git a/docs/policypak/policypak/troubleshooting/error/browserrouter/dllcompatible.md b/docs/policypak/policypak/troubleshooting/error/browserrouter/dllcompatible.md index ee46b508a1..7ef52ac679 100644 --- a/docs/policypak/policypak/troubleshooting/error/browserrouter/dllcompatible.md +++ b/docs/policypak/policypak/troubleshooting/error/browserrouter/dllcompatible.md 
@@ -3,12 +3,12 @@ When running IE and Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Router, the following error could occur: -![441_1_image004](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/441_1_image004.webp) +![441_1_image004](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/441_1_image004.webp) This message is caused by IE Enhanced Security mode. To get Endpoint Policy Manager Browser Router to work properly, set IE specifically to have these two checkboxes unchecked. -![441_2_image0012](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/441_2_image0012.webp) +![441_2_image0012](/img/product_docs/policypak/policypak/troubleshooting/error/browserrouter/441_2_image0012.webp) Then, restart IE (a reboot is not required). diff --git a/docs/policypak/policypak/troubleshooting/error/cloud/securitytoken.md b/docs/policypak/policypak/troubleshooting/error/cloud/securitytoken.md index 997295d686..05fd3e3f40 100644 --- a/docs/policypak/policypak/troubleshooting/error/cloud/securitytoken.md +++ b/docs/policypak/policypak/troubleshooting/error/cloud/securitytoken.md 
@@ -3,19 +3,19 @@ During Netwrix Endpoint Policy Manager (formerly PolicyPak) Cloud client installation you might get a message which looks like this. -![209_1_img-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_1_img-1.webp) +![209_1_img-1](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_1_img-1.webp) What's happened here is that your company's certificate (which lives in Endpoint Policy Manager Cloud servers) has expired. This can happen after being a Endpoint Policy Manager Cloud customer for a few years. -![209_2_img-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_2_img-2.webp) +![209_2_img-2](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_2_img-2.webp) There is an easy workaround though. Simply revoke (which automatically re-issues) the company certificate like this. -![209_3_img-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_3_img-3.webp) +![209_3_img-3](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_3_img-3.webp) Then re-download the MSIs here, and re-attempt your Endpoint Policy Manager Cloud join. -![209_4_img-4](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_4_img-4.webp) +![209_4_img-4](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/209_4_img-4.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/cloud/sync.md b/docs/policypak/policypak/troubleshooting/error/cloud/sync.md index bcff8c41b9..e693577e19 100644 --- a/docs/policypak/policypak/troubleshooting/error/cloud/sync.md +++ b/docs/policypak/policypak/troubleshooting/error/cloud/sync.md 
@@ -48,11 +48,11 @@ Please see below for examples: `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] ` -![189_1_image-20190913212621-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/189_1_image-20190913212621-1.webp) +![189_1_image-20190913212621-1](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/189_1_image-20190913212621-1.webp) `[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]` -![189_2_image-20190913212621-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/cloud/189_2_image-20190913212621-2.webp) +![189_2_image-20190913212621-2](/img/product_docs/policypak/policypak/troubleshooting/error/cloud/189_2_image-20190913212621-2.webp) If you prefer you can create a .REG file using the text below, then import the script on any computers experiencing the issue. Then REBOOT the computer(s). After the REBOOT the sync should be diff --git a/docs/policypak/policypak/troubleshooting/error/cloud/verifysecurity.md b/docs/policypak/policypak/troubleshooting/error/cloud/verifysecurity.md index 0bddac9554..19a72d81b4 100644 --- a/docs/policypak/policypak/troubleshooting/error/cloud/verifysecurity.md +++ b/docs/policypak/policypak/troubleshooting/error/cloud/verifysecurity.md 
@@ -6,13 +6,13 @@ to have the computer re-sync its time with an online source. An example of the error can be seen here: -![113_1_dtyeryrtyy](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_5.webp) +![113_1_dtyeryrtyy](/img/product_docs/policypak/policypak/troubleshooting/cloud/underhood/underneath_the_hood_and_troubleshooting_5.webp) Please follow the following steps **Step 1 –** Change the timezone to UTC like what is shown here: -![20_1_sdgdfhfgnfjfghjfghjfghjfghj](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/20_1_sdgdfhfgnfjfghjfghjfghjfghj.webp) +![20_1_sdgdfhfgnfjfghjfghjfghjfghj](/img/product_docs/policypak/policypak/troubleshooting/error/20_1_sdgdfhfgnfjfghjfghjfghjfghj.webp) **Step 2 –** Verify the time on the computer is now the same as what is seen [http://www.worldtimeserver.com/current_time_in_UTC.aspx](http://www.worldtimeserver.com/current_time_in_UTC.aspx) diff --git a/docs/policypak/policypak/troubleshooting/error/feature/code0x800f0954.md b/docs/policypak/policypak/troubleshooting/error/feature/code0x800f0954.md index c3ca56115a..5912cabac4 100644 --- a/docs/policypak/policypak/troubleshooting/error/feature/code0x800f0954.md +++ b/docs/policypak/policypak/troubleshooting/error/feature/code0x800f0954.md @@ -40,7 +40,7 @@ This will be a little harder to do a small scale test… but by the time you're sure the test machine is not getting the ORIGINAL WSUS setting, and instead is getting this updated setting. -![648_1_2019-03-13_1112](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/feature/648_1_2019-03-13_1112.webp) +![648_1_2019-03-13_1112](/img/product_docs/policypak/policypak/troubleshooting/error/feature/648_1_2019-03-13_1112.webp) Then REBOOT.. and retry. 
diff --git a/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md b/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md index 0518abd713..b623565267 100644 --- a/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md +++ b/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexception.md @@ -4,7 +4,7 @@ When using a remote SQL server as the database for Netwrix Endpoint Policy Manag PolicyPak) Group Policy Compliance Reporter, the snapshot operation may fail with the following error. -![794_1_image-20200327171540-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_1_image-20200327172830-2.jpeg) +![794_1_image-20200327171540-1](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_1_image-20200327172830-2.jpeg) The Server debug log will contain the following error as well: @@ -15,7 +15,7 @@ The MSDTC transaction manager was unable to pull the transaction from the source ``` To enable diagnostic logging, follow the directions in the article -[How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to do so?](../../grouppolicycompliancereporter/logenhanced.md)g-for-ppgpcr-server-if-asked/ +[How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to do so?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/logenhanced.md)g-for-ppgpcr-server-if-asked/ The resulting GPCR Server log can be found in: `C:\ProgramData\PolicyPak\PolicyPak Group Policy Compliance Reporter Server\Diagnostics` 
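Review bot: In the @@ -15,7 +15,7 hunk of systeminvalidoperationexception.md, the rewritten link still ends with the stray fragment `g-for-ppgpcr-server-if-asked/` directly after the closing parenthesis, so it renders as literal text behind the link. It looks like the tail of an old URL slug that survived both the old and the new line. Drop it so the line ends at `logenhanced.md)`, which is how the same sentence ends in systeminvalidoperationexceptionmsdtc.md.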
diff --git a/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md b/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md index c4fa5fc4e1..d8eec49892 100644 --- a/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md +++ b/docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/systeminvalidoperationexceptionmsdtc.md @@ -3,7 +3,7 @@ When using a remote SQL as the database for Netwrix Endpoint Policy Manager (formerly PolicyPak) Group Policy Compliance Reporter, the snapshot operation may fail with the following error. -![669_1_image-20200327172830-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_1_image-20200327172830-2.jpeg) +![669_1_image-20200327172830-2](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_1_image-20200327172830-2.jpeg) The Server Log will contain the following error as well: @@ -14,7 +14,7 @@ tool.` ---> System.Runtime.InteropServices.COMException`: The transaction manage support for remote/network transactions. (Exception from HRESULT: 0x8004D024) To enable diagnostic logging, follow the directions in the article -[How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to do so?](../../grouppolicycompliancereporter/logenhanced.md) +[How do I turn on enhanced logging for Endpoint Policy Manager Group Policy Compliance Reporter if asked to do so?](/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/logenhanced.md) The resulting GPCR Server log can be found in: `C:\ProgramData\PolicyPak\PolicyPak Group Policy Compliance Reporter Server\Diagnostics` 
@@ -33,12 +33,12 @@ Console is installed) and the remote SQL Server 1. Open the "run" box (Win-R), type `"dcomcnfg"` and click OK - ![669_3_image-20200327172830-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_3_image-20200327172830-3.webp) + ![669_3_image-20200327172830-3](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_3_image-20200327172830-3.webp) **Step 2 –** Expand Console Root -> Component Services -> Computers -> My Computer -> Distributed Transaction Coordinator, Right-Click on Local DTC and click Properties -![669_5_image-20200327172830-4](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_5_image-20200327172830-4.webp) +![669_5_image-20200327172830-4](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_5_image-20200327172830-4.webp) **Step 3 –** On the Security tab -> Security Settings and Configure as follows: @@ -48,7 +48,7 @@ Transaction Coordinator, Right-Click on Local DTC and click Properties 4. Check "Enable SNA LU 6.2 Transactions" 5. Click OK - ![669_7_image-20200327172830-5](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_7_image-20200327172830-5.webp) + ![669_7_image-20200327172830-5](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_7_image-20200327172830-5.webp) **Step 4 –** The MSDTC service will need to be restarted for the changes to take affect – Click YES to restart now or NO to restart manually later. 
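Review bot: Step 4 in the context of the @@ -48,7 +48,7 hunk reads "for the changes to take affect"; it should be "take effect". The file is already being touched for the image path, so the typo can be fixed in the same change.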
@@ -62,11 +62,11 @@ Server **Step 2 –** Click on "Allow an app or feature through Windows Defender Firewall" -![669_9_image-20200327172830-6](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_9_image-20200327172830-6.webp) +![669_9_image-20200327172830-6](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_9_image-20200327172830-6.webp) **Step 3 –** Find "Distributed Transaction Coordinator", check and check the appropriate Network profile (e.g. Domain). -![669_11_image-20200327172830-7](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_11_image-20200327172830-7.webp) +![669_11_image-20200327172830-7](/img/product_docs/policypak/policypak/troubleshooting/error/gpocompilancereporter/669_11_image-20200327172830-7.webp) **Step 4 –** Click OK to save and close diff --git a/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md b/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md index d3f4a145f7..5293c82bf0 100644 --- a/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md +++ b/docs/policypak/policypak/troubleshooting/error/gpsvcfailed.md @@ -12,4 +12,4 @@ The error is saying the "Group Policy Service failed at sign-in". There is more information at the Microsoft website: [https://support.microsoft.com/en-us/help/2976660/first-logon-fails-with-the-universal-unique-identifier-uuid-type-is-no](https://support.microsoft.com/en-us/help/2976660/first-logon-fails-with-the-universal-unique-identifier-uuid-type-is-no) -![20_1_sdgdfhfgnfjfghjfghjfghjfghj](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/20_1_sdgdfhfgnfjfghjfghjfghjfghj.webp) +![20_1_sdgdfhfgnfjfghjfghjfghjfghj](/img/product_docs/policypak/policypak/troubleshooting/error/20_1_sdgdfhfgnfjfghjfghjfghjfghj.webp) 
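Review bot: The changed image line in gpsvcfailed.md points at `20_1_sdgdfhfgnfjfghjfghjfghjfghj.webp`, the same file verifysecurity.md uses for its "Change the timezone to UTC" step, so it is worth confirming this is the intended screenshot for a page about "Group Policy Service failed at sign-in". The alt text is also just the raw file name; since the line is being rewritten anyway, replace it with a short description of what the screenshot shows.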
diff --git a/docs/policypak/policypak/troubleshooting/error/install/sufficientprivileges.md b/docs/policypak/policypak/troubleshooting/error/install/sufficientprivileges.md index 74e286fc0c..157f54591f 100644 --- a/docs/policypak/policypak/troubleshooting/error/install/sufficientprivileges.md +++ b/docs/policypak/policypak/troubleshooting/error/install/sufficientprivileges.md @@ -11,8 +11,8 @@ It's likely your Antivirus is preventing Endpoint Policy Manager from operating. Carbon Black will prevent Endpoint Policy Manager from running unless it's exempted. For more information -[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../../../install/antivirus.md). +[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md). Example of error and results in Event log: -![97_1_carbonblack1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/install/97_1_carbonblack1.webp) +![97_1_carbonblack1](/img/product_docs/policypak/policypak/troubleshooting/error/install/97_1_carbonblack1.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/leastprivilege/emailsettings.md b/docs/policypak/policypak/troubleshooting/error/leastprivilege/emailsettings.md index b67b67f399..ab27a41112 100644 --- a/docs/policypak/policypak/troubleshooting/error/leastprivilege/emailsettings.md +++ b/docs/policypak/policypak/troubleshooting/error/leastprivilege/emailsettings.md 
@@ -8,14 +8,14 @@ The element ‘emailSettings'in namespace ‘http://www.policypak.com/2017/LPM/A incomplete content. List of possible elements expected: ‘sendTo' in namespace ‘http://www.policypak.com/2017/LPM/AdminApproval'. -![994_1_image-20230926224931-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_1_image-20230926224931-1.webp) +![994_1_image-20230926224931-1](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_1_image-20230926224931-1.webp) ## CAUSE: The Admin Approval policy XML has become corrupt, and now contains an incomplete ‘emailSettings' section. See below for an example. -![994_2_image-20230926224931-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_2_image-20230926224931-2.webp) +![994_2_image-20230926224931-2](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_2_image-20230926224931-2.webp) A correct email settings section would look like this: @@ -66,6 +66,6 @@ Console (MMC) and set the Email option "Use of email:" under the Email tab to "N save the policy.  Afterward, you can edit the AA policy again to add in the correct email settings if needed. -![994_3_image-20230926224931-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_3_image-20230926224931-3.webp) +![994_3_image-20230926224931-3](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/994_3_image-20230926224931-3.webp) After one of these actions all will be good. diff --git a/docs/policypak/policypak/troubleshooting/error/leastprivilege/establishtrust.md b/docs/policypak/policypak/troubleshooting/error/leastprivilege/establishtrust.md index 74b1fc57a6..af5686a8f6 100644 --- a/docs/policypak/policypak/troubleshooting/error/leastprivilege/establishtrust.md +++ b/docs/policypak/policypak/troubleshooting/error/leastprivilege/establishtrust.md 
@@ -8,14 +8,14 @@ SbPAM policy. “There was an error while signing in. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS Secure Channel.” -![898_1_image-20230706164728-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_1_image-20230706164728-1.webp) +![898_1_image-20230706164728-1](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_1_image-20230706164728-1.webp) OR “The communication with the NPS server requires trusted communication. Enable certificate bypass in NPS Global Settings to override.” -![898_2_image-20230706164728-2_950x461](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_2_image-20230706164728-2_950x461.webp) +![898_2_image-20230706164728-2_950x461](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_2_image-20230706164728-2_950x461.webp) CAUSE: @@ -32,7 +32,7 @@ verification on the endpoints. Admin Templates > PolicyPak ADMX Settings > Client-Side Extensions > Least Privilege Manager > Bypass SbPAM server SSL certificate verification: ENABLED -![898_3_image-20230706164728-3_950x560](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_3_image-20230706164728-3_950x560.webp) +![898_3_image-20230706164728-3_950x560](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_3_image-20230706164728-3_950x560.webp) For CSE versions AFTER 23.7.3583 
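Review bot: The context of the @@ -32,7 +32,7 hunk tells the reader to set "Bypass SbPAM server SSL certificate verification: ENABLED" and, as far as these lines show, gives no indication of what that costs. With verification bypassed the endpoint no longer authenticates the server it signs in to, so the page should state that and present the bypass as a workaround, with a server certificate the endpoints already trust as the preferred fix. A one-sentence caution next to the ADMX path would be enough.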
@@ -45,14 +45,14 @@ PolicyPak download. Then in the Least Privilege Manager node, in the Global Netwrix Privilege Secure Settings, select YES to Enable Certificate bypass like what’s seen here. -![898_4_image-20230706164728-4_950x525](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_4_image-20230706164728-4_950x525.webp) +![898_4_image-20230706164728-4_950x525](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_4_image-20230706164728-4_950x525.webp) Endpoint Policy Manager Cloud also has this setting available in the in-cloud editor. You perform the same operation using these steps seen here. -![1216_5_47173880d07636048c2dabd919e8b2ce](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/1216_5_47173880d07636048c2dabd919e8b2ce.webp) +![1216_5_47173880d07636048c2dabd919e8b2ce](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/1216_5_47173880d07636048c2dabd919e8b2ce.webp) In all cases the endpoint is instructed to Bypass SSL Certification Verification check. You can see the results on any particular endpoint like this. -![898_5_image-20231204145244-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_5_image-20231204145244-1.webp) +![898_5_image-20231204145244-1](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/898_5_image-20231204145244-1.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/leastprivilege/serverbusy.md b/docs/policypak/policypak/troubleshooting/error/leastprivilege/serverbusy.md index 3fa456ea26..0c2a75fa44 100644 --- a/docs/policypak/policypak/troubleshooting/error/leastprivilege/serverbusy.md +++ b/docs/policypak/policypak/troubleshooting/error/leastprivilege/serverbusy.md 
@@ -3,7 +3,7 @@ When attempting to mount an image with an elevated "FTK Imager" application, a "Server Busy" dialogue box will present itself a moment after starting to browse for the image. -![998_1_image-20240201214648-1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_1_image-20240201214648-1.webp) +![998_1_image-20240201214648-1](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_1_image-20240201214648-1.webp) When this appears, the only way to get out of this is to end the task through Task Manager. @@ -13,13 +13,13 @@ To get around this error, we need to deselect the **Don't elevate Open/Save** di creating the elevation policy for the application **FTK Imager**. This is selected by default on all new policies. -![998_2_image-20240201214648-2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_2_image-20240201214648-2.webp) +![998_2_image-20240201214648-2](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_2_image-20240201214648-2.webp) This checked by default to prevent users from gaining unauthorized administrative rights through the Open/Save dialog box to their endpoint. Unchecked, you open up the possibility for a knowledgeable operator to gain administrative access to the computer. For more information in this, please refer to this KB video -->[Increase security by reducing rights on Open/Save dialogs](../../../video/leastprivilege/bestpractices/opensavedialogs.md) +->[Increase security by reducing rights on Open/Save dialogs](/docs/policypak/policypak/video/leastprivilege/bestpractices/opensavedialogs.md) ## Optional 
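Review bot: The changed link line in the @@ -13,13 +13,13 hunk keeps a stray `->` in front of `[Increase security by reducing rights on Open/Save dialogs]`, which renders as literal text; remove it and fold the link into the preceding sentence. The surrounding context also needs a grammar pass ("This checked by default", "For more information in this"). That matters here because this paragraph is the only place the page warns that unchecking the option can let a knowledgeable operator gain administrative access.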
@@ -28,10 +28,10 @@ box option is deselected, changing the Action to **Run with customized token** a the integrity level of the process, thereby reducing the rights given to the process and, by extension, the end-user. -![998_3_image-20240201214648-3](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_3_image-20240201214648-3.webp) +![998_3_image-20240201214648-3](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_3_image-20240201214648-3.webp) Under Token, set the Base Token to **Always create and use an elevated token** and Integrity level to **Medium-plus**. This will allow the application to run as desired, but not give access to the end-user to change system files. -![998_4_image-20240201214648-4](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_4_image-20240201214648-4.webp) +![998_4_image-20240201214648-4](/img/product_docs/policypak/policypak/troubleshooting/error/leastprivilege/998_4_image-20240201214648-4.webp) diff --git a/docs/policypak/policypak/troubleshooting/error/startscreentaskbar/appcantrun.md b/docs/policypak/policypak/troubleshooting/error/startscreentaskbar/appcantrun.md index dd85678774..0738e2881b 100644 --- a/docs/policypak/policypak/troubleshooting/error/startscreentaskbar/appcantrun.md +++ b/docs/policypak/policypak/troubleshooting/error/startscreentaskbar/appcantrun.md 
@@ -5,13 +5,13 @@ PolicyPak) Start Screen & Taskbar Manager. Example of error: -![699_1_img1_950x233](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_1_img1_950x233.webp) +![699_1_img1_950x233](/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_1_img1_950x233.webp) Reason 1: You are pointing toward a 64-bit executable on a 32-bit machine. Reason 2: You are not pointing toward the .EXE itself, but the .LNK (shortcut.) This is not supported. -![699_2_img2_950x396](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_2_img2_950x396.webp) +![699_2_img2_950x396](/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_2_img2_950x396.webp) -![699_3_img3_950x368](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_3_img3_950x368.webp) +![699_3_img3_950x368](/img/product_docs/policypak/policypak/troubleshooting/error/startscreentaskbar/699_3_img3_950x368.webp) diff --git a/docs/policypak/policypak/troubleshooting/fastsupport.md b/docs/policypak/policypak/troubleshooting/fastsupport.md index 87ae10a6db..3f0c613332 100644 --- a/docs/policypak/policypak/troubleshooting/fastsupport.md +++ b/docs/policypak/policypak/troubleshooting/fastsupport.md 
@@ -6,7 +6,7 @@ Follow theses steps in order for support to troubleshoot most issues. concerns and issues on the latest CSE. If you haven’t verified your problem exists with the latest CSE (and latest MMC or with Cloud), ensure to download the latest CSE before opening a support ticket. See the -[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](../install/rings.md) +[Using Rings to Test and Update the Endpoint Policy Manager Client-Side Extension and/or Cloud Client (And How to Stay Supported)](/docs/policypak/policypak/install/rings.md) topic for additional information. **Step 2 –** After the problem is reproduced on the latest CSE, open a @@ -26,19 +26,19 @@ the problem statement: **Step 4 –** Provide the logs from the affected machine. **CAUTION:** Support cannot assist without the correctly generated logs. See the -[Gathering and Uploading Logs](../video/troubleshooting/logs.md) topic on how to gather logs +[Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) topic on how to gather logs properly and use the ticket ID generated in Step 2. ## Gathering and Uploading Logs This section provides a summary of the steps for gathering and uploading logs. See the -[Gathering and Uploading Logs](../video/troubleshooting/logs.md) topic for additional information. +[Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) topic for additional information. **NOTE:** If you do not see the GUI version of pplogs, you are not using the latest CSE. Endpoint Policy Manager support only accepts logs from machines with the latest CSE and latest pplogs zip files. -![Running the PPLOGS tool](../../../../static/img/product_docs/policypak/policypak/troubleshooting/runninglogs.webp) +![Running the PPLOGS tool](/img/product_docs/policypak/policypak/troubleshooting/runninglogs.webp) Follow the steps for gathering and uploading logs. 
@@ -50,12 +50,12 @@ gathering the logs. **Step 3 –** Collect the logs. -![exportonexml](../../../../static/img/product_docs/policypak/policypak/troubleshooting/exportonexml.webp) -![exportcollectionxml](../../../../static/img/product_docs/policypak/policypak/troubleshooting/exportcollectionxml.webp) +![exportonexml](/img/product_docs/policypak/policypak/troubleshooting/exportonexml.webp) +![exportcollectionxml](/img/product_docs/policypak/policypak/troubleshooting/exportcollectionxml.webp) **Step 4 –** If using the Group Policy Method, export policies and/or collections as XML files. -![exportfromappmanager](../../../../static/img/product_docs/policypak/policypak/troubleshooting/exportfromappmanager.webp) +![exportfromappmanager](/img/product_docs/policypak/policypak/troubleshooting/exportfromappmanager.webp) **Step 5 –** If using Application Manager, export the XML settings data of the AppSet. @@ -96,13 +96,13 @@ the problem statement: **Step 3 –** Your PPLOGS from an affected machine. **CAUTION:** Support cannot assist without the correctly generated logs. See the -[Gathering and Uploading Logs](../video/troubleshooting/logs.md) topic on how to gather logs +[Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) topic on how to gather logs properly. ## Gathering and Uploading Logs This section provides a summary of the steps for gathering and uploading logs. See the -[Gathering and Uploading Logs](../video/troubleshooting/logs.md) topic for additional information. +[Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) topic for additional information. **Step 1 –** On an affected endpoint, run `PPLogs` twice. 
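Review bot: The @@ -96,13 +96,13 hunk shows a second `## Gathering and Uploading Logs` heading with the same intro sentence as the one in the @@ -26,19 +26,19 hunk of fastsupport.md, so the file appears to carry the procedure twice. Two identical headings produce colliding anchors, and the copies have already drifted: the earlier CAUTION ends with "and use the ticket ID generated in Step 2", while this one stops at "gather logs properly". Suggest consolidating into one section, or at least giving the second heading a distinct title.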
@@ -111,7 +111,7 @@ Example how to: - Use an admin command prompt and run `PPLOGS`. Rename to `SRX01234-ppLogs-as-Admin.zip` - Use a normal command prompt and run `PPLOGS`. Rename to `SRX01234-ppLogs-as-USER.zip` -![128_1_command-prompt](../../../../static/img/product_docs/policypak/policypak/troubleshooting/128_1_command-prompt.webp) +![128_1_command-prompt](/img/product_docs/policypak/policypak/troubleshooting/128_1_command-prompt.webp) **Step 2 –** Run `GPRESULT` to get the following results: @@ -124,15 +124,15 @@ Example how to: - Most Endpoint Policy Manager settings are simply **right-click** > **Export as XML**. See the examples below for exporting as a collection and an individual policy. -![128_2_export-collection-as-xml](../../../../static/img/product_docs/policypak/policypak/troubleshooting/128_2_export-collection-as-xml.webp) +![128_2_export-collection-as-xml](/img/product_docs/policypak/policypak/troubleshooting/128_2_export-collection-as-xml.webp) -![128_3_export-as-xml](../../../../static/img/product_docs/policypak/policypak/troubleshooting/128_3_export-as-xml.webp) +![128_3_export-as-xml](/img/product_docs/policypak/policypak/troubleshooting/128_3_export-as-xml.webp) **Step 4 –** For Endpoint Policy Manager Application Manager (most common) this is what you want to do: There are two ways to export settings but the following is the type of export the support team requires. Select the **Options** button within the Pak, then select **Export XML Settings Data**. -![128_4_image002](../../../../static/img/product_docs/policypak/policypak/troubleshooting/128_4_image002.webp) +![128_4_image002](/img/product_docs/policypak/policypak/troubleshooting/128_4_image002.webp) **Step 5 –** Rename your XML file(s) to not only include the SRX number but to also contain hints as to their content. For example: 
diff --git a/docs/policypak/policypak/troubleshooting/feature/events.md b/docs/policypak/policypak/troubleshooting/feature/events.md index 8dbb5a7053..3052df13d8 100644 --- a/docs/policypak/policypak/troubleshooting/feature/events.md +++ b/docs/policypak/policypak/troubleshooting/feature/events.md @@ -5,14 +5,14 @@ Endpoint Policy Manager Feature Manager for Windows places events in the Endpoin Policy Manager Feature Manager for Windows client source type. In Figure 47, you can see an example of a feature attempting to be installed. This is Event ID 600. -![troubleshooting_5](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval_1.webp) +![troubleshooting_5](/img/product_docs/policypak/policypak/leastprivilege/adminapproval/avoid_pop_ups_with_admin_approval_1.webp) Figure 47. Endpoint Policy Manager Feature Manager for Windows events can be found in the Endpoint Policy Manager node within Application and Services. Then, after it is successfully installed, it shows Event ID 602, as shown in Figure 48. -![troubleshooting_6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/feature/troubleshooting_6.webp) +![troubleshooting_6](/img/product_docs/policypak/policypak/troubleshooting/feature/troubleshooting_6.webp) Figure 48. Logged events in Endpoint Policy Manager event log for Endpoint Policy Manager Feature Manager for Windows. diff --git a/docs/policypak/policypak/troubleshooting/feature/logs.md b/docs/policypak/policypak/troubleshooting/feature/logs.md index 411487e46d..cb301a7765 100644 --- a/docs/policypak/policypak/troubleshooting/feature/logs.md +++ b/docs/policypak/policypak/troubleshooting/feature/logs.md 
@@ -39,11 +39,11 @@ Start troubleshooting by verifying that you are set up with the following scenar Figure 45 shows an example of a Endpoint Policy Manager Feature Manager for Windows log with some annotations during a single run/GPupdate. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) -![troubleshooting_1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) +![troubleshooting_1](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) -![troubleshooting_2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) +![troubleshooting_2](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) Figure 45. An example of a Endpoint Policy Manager Feature Manager for Windows log. @@ -51,9 +51,9 @@ Then, to see details of what Endpoint Policy Manager Feature Manager for Windows you can open up the PPComputerOperational.log (see Figure 46) located at `Programdata\PolicyPak\PolicyPak Feature Manager for Windows`. -![troubleshooting_3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_3.webp) +![troubleshooting_3](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_3.webp) -![troubleshooting_4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_4.webp) +![troubleshooting_4](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_4.webp) Figure 46. Log files showing when a policy installs and uninstalls items. 
diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/cortana.md b/docs/policypak/policypak/troubleshooting/fileassociations/cortana.md index ae092068e6..0f492f9d45 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/cortana.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/cortana.md @@ -12,11 +12,11 @@ How to solve it? You will need to install EdgeDeflector before you can send search queries from Cortana to the default browser, set through Endpoint Policy Manager software. More -info: [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](../../browserrouter/defaultbrowser/defined.md) +info: [What is meant by "Default Browser" within Endpoint Policy Manager Browser router?](/docs/policypak/policypak/browserrouter/defaultbrowser/defined.md) Then set the Policy for PPFAM as shown in the following screenshot: -![730_1_ddfgdsfgfg](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/730_1_ddfgdsfgfg.webp) +![730_1_ddfgdsfgfg](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/730_1_ddfgdsfgfg.webp) **NOTE:** The path for EdgeDeflector. That has to be same on client computers. Apply the policy on the client computers and reboot. diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/defaultassociationsconfiguration.md b/docs/policypak/policypak/troubleshooting/fileassociations/defaultassociationsconfiguration.md index aa507bfd10..369da8b0d5 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/defaultassociationsconfiguration.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/defaultassociationsconfiguration.md 
@@ -4,19 +4,19 @@ If you're using Netwrix Endpoint Policy Manager (formerly PolicyPak) Browser Rou using Endpoint Policy Manager File Associations Manager to make associations, you CANNOT also use the Group Policy or MDM method for setting default associations files, like what's seen here. -![523_1_faq-03-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_1_faq-03-img-01.webp) +![523_1_faq-03-img-01](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_1_faq-03-img-01.webp) Underneath the hood, you are "fighting" with Endpoint Policy Manager Browser Router and/or File Associations manager, like this. -![523_2_faq-03-img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_2_faq-03-img-02.webp) +![523_2_faq-03-img-02](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_2_faq-03-img-02.webp) For Endpoint Policy Manager Browser Router, Endpoint Policy Manager Browser Router must "become" the default OS browser like what's seen here. If Endpoint Policy Manager Browser Router is not set as the Default Browser (automatically, using Endpoint Policy Manager …) then you will get unusual behavior. -![523_3_faq-03-img-03](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_3_faq-03-img-03.webp) +![523_3_faq-03-img-03](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/523_3_faq-03-img-03.webp) For Endpoint Policy Manager File Associations Manager, you must remove any Group Policy File Associations file for it to work reliably. diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/legacy.md b/docs/policypak/policypak/troubleshooting/fileassociations/legacy.md index 9e6e835578..2a8efaf2b2 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/legacy.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/legacy.md 
@@ -12,17 +12,17 @@ First, be sure you are eligible to use this function by copying the latest Endpo ADMX files to your Central Store or using Endpoint Policy Manager Cloud. Directions for Central Store: -[Troubleshooting with ADMX files](../../video/troubleshooting/admxfiles.md) +[Troubleshooting with ADMX files](/docs/policypak/policypak/video/troubleshooting/admxfiles.md) Directions for Endpoint Policy Manager Cloud (if they are not already pre-placed there): -[PolicyPak Cloud: Upload and use your own ADMX files to PolicyPak Cloud](../../video/cloud/admxfiles.md) +[PolicyPak Cloud: Upload and use your own ADMX files to PolicyPak Cloud](/docs/policypak/policypak/video/cloud/admxfiles.md) Then, the setting you should use if directed by support is entitled: `Computer Configuration | Policies | Admin Templates | PolicyPak ADMX Settings | Client-side Extensions | File Associations Manager | Revert to Legacy File Assoc Method & Features` and set to Enabled to return back to the legacy behavior. -![837_1_image-20201027212337-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/837_1_image-20201027212337-3.webp) +![837_1_image-20201027212337-3](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/837_1_image-20201027212337-3.webp) ## What does "Revert to Legacy File Assoc Method & Features" mean? diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/logs.md b/docs/policypak/policypak/troubleshooting/fileassociations/logs.md index 31eac0318a..ad34ebc0c8 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/logs.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/logs.md 
@@ -29,11 +29,11 @@ Start troubleshooting by verifying that the following conditions are true: Figure 55 and Figure 56 are examples of Endpoint Policy Manager File Associations Manager logs with some important items highlighted. -![troubleshooting_1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) +![troubleshooting_1](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) Figure 55. An example of a Endpoint Policy Manager File Associations Manager log. -![troubleshooting_2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) +![troubleshooting_2](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) Figure 56. Highlights from the Endpoint Policy Manager k File Associations Manager log. diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/windowsphotoviewer.md b/docs/policypak/policypak/troubleshooting/fileassociations/windowsphotoviewer.md index 463583b98c..9f00b64f71 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/windowsphotoviewer.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/windowsphotoviewer.md 
@@ -30,6 +30,6 @@ Application Icon: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll,0 Command Line: `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1` -![715_1_image-20210421203400-1_950x594](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/715_1_image-20210421203400-1_950x594.jpeg) +![715_1_image-20210421203400-1_950x594](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/715_1_image-20210421203400-1_950x594.jpeg) -![715_2_image-20210421203400-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/fileassociations/715_2_image-20210421203400-2.jpeg) +![715_2_image-20210421203400-2](/img/product_docs/policypak/policypak/troubleshooting/fileassociations/715_2_image-20210421203400-2.jpeg) diff --git a/docs/policypak/policypak/troubleshooting/fileassociations/xmlfile.md b/docs/policypak/policypak/troubleshooting/fileassociations/xmlfile.md index ab943522c9..8e2cadfa4c 100644 --- a/docs/policypak/policypak/troubleshooting/fileassociations/xmlfile.md +++ b/docs/policypak/policypak/troubleshooting/fileassociations/xmlfile.md @@ -4,7 +4,7 @@ Endpoint Policy Manager File Associations Manager will dynamically write the fil to make the file associations. This file is called FileAssociations.XML, and there will be one file per computer located in `%programdata%\PolicyPak\Common`, as seen in Figure 54. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) Figure 54. FileAssocations.xml shows the actions taken by Endpoint Policy Manager File Associations Manager. diff --git a/docs/policypak/policypak/troubleshooting/forepointdlp.md b/docs/policypak/policypak/troubleshooting/forepointdlp.md index 423f74350b..7d1ef7ed1a 100644 
--- a/docs/policypak/policypak/troubleshooting/forepointdlp.md +++ b/docs/policypak/policypak/troubleshooting/forepointdlp.md @@ -4,4 +4,4 @@ You must upgrade to the latest Forepoint DLP client of at least 23.10.5661. This was a bug in Forcepoint. -![982_1_oct-11](../../../../static/img/product_docs/policypak/policypak/troubleshooting/982_1_oct-11.webp) +![982_1_oct-11](/img/product_docs/policypak/policypak/troubleshooting/982_1_oct-11.webp) diff --git a/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md b/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md index 7d22d6eb20..08f57c7b7c 100644 --- a/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md +++ b/docs/policypak/policypak/troubleshooting/gpoexport/onpremisecloud.md 
@@ -26,13 +26,13 @@ policy applies it will overwrite ALL Security Settings that were coming from the When the Domain policy applies (gpupdate etc.) the computer will get these settings below, note that the "Rename administrator account" policy is set to "Not Defined" for the Domain policy. -![698_1_image-20200511225437-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/698_1_image-20200511225437-1.webp) +![698_1_image-20200511225437-1](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/698_1_image-20200511225437-1.webp) When Endpoint Policy Manager Cloud settings are applied (PPCloud /sync, ppupdate etc.) the computer will receive these settings below, note that there is nothing defined for "Enforce password history" within the PPC policy. -![698_3_image-20200511225437-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/698_3_image-20200511225437-2.webp) +![698_3_image-20200511225437-2](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/698_3_image-20200511225437-2.webp) Video example below shows the result of having Security Settings Policy set in both PPC and in On-Premises Group Policy, the policies will continuously replace each other every time they apply. diff --git a/docs/policypak/policypak/troubleshooting/gpoexport/securitysettings.md b/docs/policypak/policypak/troubleshooting/gpoexport/securitysettings.md index 9ba5f5536e..1e3fdd4f1a 100644 --- a/docs/policypak/policypak/troubleshooting/gpoexport/securitysettings.md +++ b/docs/policypak/policypak/troubleshooting/gpoexport/securitysettings.md 
@@ -2,22 +2,22 @@ First, check to see if you're creating your Windows security settings on your local machine. -![617_1_ppsec-kb-01-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_1_ppsec-kb-01-img-01.webp) +![617_1_ppsec-kb-01-img-01](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_1_ppsec-kb-01-img-01.webp) If you are working with your local group policy editor, and then you try to export your settings using Netwrix Endpoint Policy Manager (formerly PolicyPak) Security Settings Manager, you're going to get this error message: -![617_2_ppsec-kb-01-img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_2_ppsec-kb-01-img-02.webp) +![617_2_ppsec-kb-01-img-02](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_2_ppsec-kb-01-img-02.webp) Instead, manage your Windows security settings using the GPMC within a domain-based GPO as seen here: -![617_3_ppsec-kb-01-img-03](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_3_ppsec-kb-01-img-03.webp) +![617_3_ppsec-kb-01-img-03](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_3_ppsec-kb-01-img-03.webp) Then use Endpoint Policy Manager Security Settings Manager to export your settings as XML for use with the cloud or MDM service, as seen here. -![617_4_ppsec-kb-01-img-04](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_4_ppsec-kb-01-img-04.webp) +![617_4_ppsec-kb-01-img-04](/img/product_docs/policypak/policypak/troubleshooting/gpoexport/617_4_ppsec-kb-01-img-04.webp) You'll be managing your Windows Security Settings through the cloud or MDM service in no time! diff --git a/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/admxregistry.md b/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/admxregistry.md index 9bad020837..a7894ebabe 100644 
--- a/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/admxregistry.md +++ b/docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/admxregistry.md @@ -5,10 +5,10 @@ happens. There are two ways to turn on extended logging: downloadable REG files would use the downloadable REG files when you want to enable extended logging on just one machine, and you would use the ADMX/ADML files to enable extended logging on multiple machines. The downloadable REG files are found on our website at: PolicyPak GP Compliance Reporter > -[Knowledge Base](../../grouppolicycompliancereporter/overview/knowledgebase.md). The ADMX files are +[Knowledge Base](/docs/policypak/policypak/grouppolicycompliancereporter/overview/knowledgebase.md). The ADMX files are in the download of Endpoint Policy Manager GPCR, as shown in Figure 77. -![tuning_and_troubleshooting_18](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/tuning_and_troubleshooting_18.webp) +![tuning_and_troubleshooting_18](/img/product_docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/tuning_and_troubleshooting_18.webp) Figure 77. Downloaded ADMX files. @@ -26,7 +26,7 @@ administrator, install the files to enable them. When enabled correctly, the com diagnostics folder, and logs will be placed inside it. In Figure 78 you can see the enhanced logging enabled for the endpoint. -![tuning_and_troubleshooting_19](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/tuning_and_troubleshooting_19.webp) +![tuning_and_troubleshooting_19](/img/product_docs/policypak/policypak/troubleshooting/grouppolicycompliancereporter/tuning_and_troubleshooting_19.webp) Figure 78. Enhanced logging enabled. 
@@ -37,7 +37,7 @@ ADMX/ADML files. First, copy the PolicyDefinitions folder into `\\\sysvol\ Policies > Administrative Templates > System > Group Policy > Logging and tracing", then double-click on "Registry Policy Processing". -![215_1_image-20190726083343-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_1_image-20190726083343-1.webp) +![215_1_image-20190726083343-1](/img/product_docs/policypak/policypak/troubleshooting/log/215_1_image-20190726083343-1.webp) **Step 2 –** Then enable "Registry Policy Processing" and turn "Tracing" on as shown below. -![215_2_image-20190726083343-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_2_image-20190726083343-2.webp) +![215_2_image-20190726083343-2](/img/product_docs/policypak/policypak/troubleshooting/log/215_2_image-20190726083343-2.webp) **NOTE:** If "Logging and tracing" are missing then you first need to download and install the "preferences.msi" from [https://www.microsoft.com/en-us/download/details.aspx?id=14355](https://www.microsoft.com/en-us/download/details.aspx?id=14355) -![215_3_image-20190726083343-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_3_image-20190726083343-3.webp) +![215_3_image-20190726083343-3](/img/product_docs/policypak/policypak/troubleshooting/log/215_3_image-20190726083343-3.webp) After installing the `"preferences.msi"` copy `"C:\Program Files (x86)\Microsoft Group Policy\Preferences\PolicyDefinitions\GroupPolicyPreferences.admx"` 
@@ -46,18 +46,18 @@ should be present. assigned to the Computer OU where the computers live that you need to enable logging for, or create a new GPO at that level specifically to enable logging. -![215_4_image-20190726083343-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_4_image-20190726083343-4.webp) +![215_4_image-20190726083343-4](/img/product_docs/policypak/policypak/troubleshooting/log/215_4_image-20190726083343-4.webp) **Step 2 –** Expand "Computer Configuration > Policies > Administrative Templates > System > Group Policy > Logging and tracing", then double-click on "Configure Registry preference logging and tracing" -![215_5_image-20190726083343-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_5_image-20190726083343-5.webp) +![215_5_image-20190726083343-5](/img/product_docs/policypak/policypak/troubleshooting/log/215_5_image-20190726083343-5.webp) **Step 3 –** Then enable "Configure Registry preference logging and tracing", and turn "Tracing" on as shown below. -![215_6_image-20190726083343-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_6_image-20190726083343-6.webp) +![215_6_image-20190726083343-6](/img/product_docs/policypak/policypak/troubleshooting/log/215_6_image-20190726083343-6.webp) **NOTE:** The default location for all three log files is `"%COMMONAPPDATA%\GroupPolicy\Preference\Trace" `however, the variable `%COMMONAPPDATA% `is not 
@@ -66,7 +66,7 @@ recognized within Windows, it is only used by GPPrefs client side extensions. To verify TRACING is enabled for the GPPrefs Registry extension, log on to a computer where the logging policy you just created/edited is applied, then run `CMD`, then run `GPUPDATE.` -![215_7_image-20190726083343-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_7_image-20190726083343-7.webp) +![215_7_image-20190726083343-7](/img/product_docs/policypak/policypak/troubleshooting/log/215_7_image-20190726083343-7.webp) Then verify the Group Policy Preferences logs are present at: @@ -74,16 +74,16 @@ Then verify the Group Policy Preferences logs are present at: ``` -![215_8_image-20190726083343-8](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_8_image-20190726083343-8.webp) +![215_8_image-20190726083343-8](/img/product_docs/policypak/policypak/troubleshooting/log/215_8_image-20190726083343-8.webp) **NOTE:** You can also run "`GPRESULT /R /SCOPE COMPUTER`" to see if the Group Policy applied to the computer. -![215_9_image-20190726083343-9](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_9_image-20190726083343-9.webp) +![215_9_image-20190726083343-9](/img/product_docs/policypak/policypak/troubleshooting/log/215_9_image-20190726083343-9.webp) When done you can turn it off by setting the policy setting back to "Not Configured". -![215_10_image-20190726083343-10](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/215_10_image-20190726083343-10.webp) +![215_10_image-20190726083343-10](/img/product_docs/policypak/policypak/troubleshooting/log/215_10_image-20190726083343-10.webp) ``` diff --git a/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting.md b/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting.md index 94de228407..b13723f3eb 100644 
--- a/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting.md +++ b/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting.md @@ -9,7 +9,7 @@ is applied to a system with the Group Policy Editor. In short, the “User in Gr available when editing new Group Policy Preferences or Endpoint Policy Manager items or when editing old items. -![itemleveltargeting1](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting1.webp) +![itemleveltargeting1](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting1.webp) ## Workaround options @@ -40,4 +40,4 @@ Group). **NOTE:** The modified policy will process correctly, but the editor still wont magically show “User in group.” -![itemleveltargeting2](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting2.webp) +![itemleveltargeting2](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/itemleveltargeting2.webp) diff --git a/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/preferences.md b/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/preferences.md index 6edacac6ad..8ad603642e 100644 --- a/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/preferences.md +++ b/docs/policypak/policypak/troubleshooting/log/itemleveltargeting/preferences.md 
@@ -7,12 +7,12 @@ ILT: The editor and the evaluation within the Client Side Extension. The ILT editor in Group Policy Preferences can be seen in every Group Policy Preferences item, like what's seen here. -![196_1_img-01](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_1_img-01.webp) +![196_1_img-01](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_1_img-01.webp) The ILT editor in Endpoint Policy Manager can be seen in nearly all Endpoint Policy Manager items, like what's seen here. -![196_3_img-02](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_3_img-02.webp) +![196_3_img-02](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_3_img-02.webp) If you think your Item Level Targeting isn't working, we ask that you first "backtrack" to a quick Group Policy Preferences test and try it there first. @@ -32,7 +32,7 @@ not. So, again, use Group Policy Preferences and create a new Group Policy Preferences shortcut to www.1.com , on the DESKTOP, with TARGET URL being www.1.com and pick any icon you want. -![196_5_img-03](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_5_img-03.webp) +![196_5_img-03](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_5_img-03.webp) ## Part 2: 
@@ -40,17 +40,17 @@ Use Group Policy Preferences to create a Group Policy Preferences shortcut to ww DESKTOP, with TARGET URL being www.2.com and pick any icon you want.. then click in the COMMON tab and select Item Level Targeting, and put in your proposed ILT. -![196_7_img-04](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_7_img-04.webp) +![196_7_img-04](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_7_img-04.webp) -![196_9_img-05](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_9_img-05.webp) +![196_9_img-05](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_9_img-05.webp) Before you test, let's make sure we fully understand the experiment… -![196_11_img-06](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_11_img-06.webp) +![196_11_img-06](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_11_img-06.webp) Then on the endpoint run GPupdate… Here is the result you should get: -![196_13_img-07](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_13_img-07.webp) +![196_13_img-07](/img/product_docs/policypak/policypak/troubleshooting/log/itemleveltargeting/196_13_img-07.webp) So: 
@@ -69,6 +69,6 @@ doesn't work. Then we can attempt to investigate it. That being said if you're really sure an ILT evaluation functions correctly in Group Policy Preferences (see above) but not in Endpoint Policy Manager … you can continue to troubleshoot by turning on ILT logging for Endpoint Policy Manager items using this -KB:[How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support?](../itemleveltargeting.md) +KB:[How do I turn on Item Level Targeting (ILT) logging if asked by Endpoint Policy Manager Tech Support?](/docs/policypak/policypak/troubleshooting/log/itemleveltargeting.md) All log files require a support case to analyze. diff --git a/docs/policypak/policypak/troubleshooting/log/leastprivilege/determinewhy.md b/docs/policypak/policypak/troubleshooting/log/leastprivilege/determinewhy.md index 801ed5b662..d76f011207 100644 --- a/docs/policypak/policypak/troubleshooting/log/leastprivilege/determinewhy.md +++ b/docs/policypak/policypak/troubleshooting/log/leastprivilege/determinewhy.md @@ -4,7 +4,7 @@ The log file you want to look in is` %LOCALAPPDATA%\PolicyPak\PolicyPak` [https://www.policypak.com/products/policypak-least-privilege-manager.html](https://www.policypak.com/products/policypak-least-privilege-manager.html) and is called `ppUser_Operational.log.` -![544_1_dfdhdghjkhjkl](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_1_dfdhdghjkhjkl.webp) +![544_1_dfdhdghjkhjkl](/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_1_dfdhdghjkhjkl.webp) Once you locate and open the Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager Operational Log… you are looking for the following highlighted items: 
@@ -16,9 +16,9 @@ Manager Operational Log… you are looking for the following highlighted items: Manager). 5. The RESULT. -![544_2_second](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_2_second.webp) +![544_2_second](/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_2_second.webp) Below, the top entry shows an application being denied (because SecureRun is enabled) and the bottom entry shows an application being allowed by using an EXE policy. -![544_3_third](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_3_third.webp) +![544_3_third](/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/544_3_third.webp) diff --git a/docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.md b/docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.md index 0ff47e3784..5725733c43 100644 --- a/docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.md +++ b/docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.md @@ -8,7 +8,7 @@ The workaround is to run as Admin or System (or using Endpoint Policy Manager Sc perform this workaround once. It will restore the Windows 11 Start Menu for the Least Privilege Manager. -![Restoring the Right-Click Context Menu](../../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.webp) +![Restoring the Right-Click Context Menu](/img/product_docs/policypak/policypak/troubleshooting/log/leastprivilege/restorecontextmenu.webp) Use Endpoint Policy Manager Scripts Manager to perform this action, one time, on the computer side. diff --git a/docs/policypak/policypak/troubleshooting/log/minidumpfiles.md b/docs/policypak/policypak/troubleshooting/log/minidumpfiles.md index ce17853e9b..4949265ce1 100644 
--- a/docs/policypak/policypak/troubleshooting/log/minidumpfiles.md +++ b/docs/policypak/policypak/troubleshooting/log/minidumpfiles.md @@ -12,4 +12,4 @@ But note that this change only takes affect after the computer is rebooted. The mindump file is automatically created by CSE 750 and later if any of our components should encounter a crash.Having the minidump file turned on automatically is a pretty good idea anyway. -![473_1_image007](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/log/473_1_image007.webp) +![473_1_image007](/img/product_docs/policypak/policypak/troubleshooting/log/473_1_image007.webp) diff --git a/docs/policypak/policypak/troubleshooting/mac/cloudlog.md b/docs/policypak/policypak/troubleshooting/mac/cloudlog.md index d5ea6b1ab4..a25c257c14 100644 --- a/docs/policypak/policypak/troubleshooting/mac/cloudlog.md +++ b/docs/policypak/policypak/troubleshooting/mac/cloudlog.md @@ -7,4 +7,4 @@ Please note, however, that to get a better understanding of how your policies ar working, policypakd.log will give tell not only what processes were affected by policies, but also what processes weren’t – and may should have been. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/mac/understanding_cloud_log.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/troubleshooting/mac/understanding_cloud_log.webp) diff --git a/docs/policypak/policypak/troubleshooting/mac/eventcollectiion.md b/docs/policypak/policypak/troubleshooting/mac/eventcollectiion.md index a984cabd6c..08b43cfe17 100644 --- a/docs/policypak/policypak/troubleshooting/mac/eventcollectiion.md +++ b/docs/policypak/policypak/troubleshooting/mac/eventcollectiion.md 
@@ -31,11 +31,11 @@ group. - Highlight the group you want to add the computer(s) to. Click on Add/Remove Computer from Group (under Actions). - ![setting_up_policypak_cloud](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_5_cd439679970dd94379dc97da3de13756.webp) + ![setting_up_policypak_cloud](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_5_cd439679970dd94379dc97da3de13756.webp) - Click “Available Computers”. - ![setting_up_policypak_cloud_1](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_6_89a9d67a0c348b5ab03d304ea9392884.webp) + ![setting_up_policypak_cloud_1](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_6_89a9d67a0c348b5ab03d304ea9392884.webp) - Check the ones to add and click “Add”. @@ -44,7 +44,7 @@ Event Collection Configuration To configure Event Collection, highlight the group and click “Edit Group” under Actions. On the resulting pop-up window, click on the “Event Collector” tab. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_7_44a2bef19cdb90973520bb3702397eb4.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_7_44a2bef19cdb90973520bb3702397eb4.webp) The “Event submission interval” dictates how often the logs get uploaded to the cloud. This is separate and distinct from the “Refresh interval for computers” on the previous tab that dictates 
@@ -59,7 +59,7 @@ When “Selected” is selected, clicking on the Info icon will bring up a list selected. In the image below I’ve highlighted the two Event types that I highlighted in the cloud.log example above. -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_8_464e110a1254c22ecac8a612b13ffc76.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_8_464e110a1254c22ecac8a612b13ffc76.webp) Notes on Collection Configuration: @@ -70,7 +70,7 @@ Notes on Collection Configuration: all selected IDs will be included and uploaded at the shortest interval set. **NOTE:** See the -[How can I keep the same or specify different parameters for Event Collection for child groups? How does a computer behave if a member of multiple groups?](../../cloud/eventcollection/childgroups.md) +[How can I keep the same or specify different parameters for Event Collection for child groups? How does a computer behave if a member of multiple groups?](/docs/policypak/policypak/cloud/eventcollection/childgroups.md) topic for more information. Forcing Event Submission @@ -82,7 +82,7 @@ cloud.log file with the following command: Policypak cloud-push-logs ``` -![setting_up_policypak_cloud_4](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_9_e5dddf2ba28a115aa5782c49a21fbac6.webp) +![setting_up_policypak_cloud_4](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_9_e5dddf2ba28a115aa5782c49a21fbac6.webp) **NOTE:** This command can be run by a standard user. It does not require elevated or administrative rights to perform. diff --git a/docs/policypak/policypak/troubleshooting/mac/logs.md b/docs/policypak/policypak/troubleshooting/mac/logs.md index f1cfdec554..59cb701bc6 100644 --- a/docs/policypak/policypak/troubleshooting/mac/logs.md 
+++ b/docs/policypak/policypak/troubleshooting/mac/logs.md @@ -4,4 +4,4 @@ The PolicyPak logs are located in `/Library/Application Support/PolicyPak/Logs` Support, zip up these three logs. As the customer, you can find useful information within policypakd.log and cloud.log (details later in this document). -![A screenshot of a computer Description automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_1_6e10551394ec326177434ffc228df475.webp) +![A screenshot of a computer Description automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_1_6e10551394ec326177434ffc228df475.webp) diff --git a/docs/policypak/policypak/troubleshooting/mac/reports.md b/docs/policypak/policypak/troubleshooting/mac/reports.md index 92db0b8e63..756a5aef3d 100644 --- a/docs/policypak/policypak/troubleshooting/mac/reports.md +++ b/docs/policypak/policypak/troubleshooting/mac/reports.md 
@@ -3,20 +3,20 @@ All the collected events can be accessed through the “Computers (Collected Events)” report on the Reports tab and selecting “Endpoint Policy Manager Least Privilege Manager for macOS”. -![A screenshot of a computerDescription automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_10_2ab64dc549729d2f51cdf61ab7d88108.webp) +![A screenshot of a computerDescription automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_10_2ab64dc549729d2f51cdf61ab7d88108.webp) Next, configure the time period you want to report on. The default is the beginning of the day, but this can be altered to the desired start and stop time and date. Click “Show” to see the results. -![A screenshot of a computerDescription automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_11_7135ed6ab54692983796dd995a2517e4.webp) +![A screenshot of a computerDescription automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_11_7135ed6ab54692983796dd995a2517e4.webp) The results can be filtered to show only the desired information. For example, show only specific computers or only Elevation events. Every column can be filtered by click on the ellipsis within the column header. -![A screenshot of a computerDescription automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_12_3996f6bea2016ba07eaf96f5c05b43c0.webp) +![A screenshot of a computerDescription automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_12_3996f6bea2016ba07eaf96f5c05b43c0.webp) For offline analysis, the report can be exported to either Excel or, if very large, CSV format. This can be done before or after filtering. 
-![A screenshot of a loginDescription automatically generated](../../../../../static/img/product_docs/policypak/policypak/leastprivilege/mac/1329_13_50b225886bba8747a9460411f4662cc9.webp) +![A screenshot of a loginDescription automatically generated](/img/product_docs/policypak/policypak/leastprivilege/mac/1329_13_50b225886bba8747a9460411f4662cc9.webp) diff --git a/docs/policypak/policypak/troubleshooting/mdm/ensuringenrollment.md b/docs/policypak/policypak/troubleshooting/mdm/ensuringenrollment.md index 2a2975382e..ab4632ff22 100644 --- a/docs/policypak/policypak/troubleshooting/mdm/ensuringenrollment.md +++ b/docs/policypak/policypak/troubleshooting/mdm/ensuringenrollment.md @@ -3,7 +3,7 @@ Make sure your machine is actually MDM enrolled and not workplace joined. Figure 49 shows how to verify this. In the figure, the machine is not MDM enrolled, and therefore cannot participate. -![using_policypak_with_mdm_and_19](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/mdm/using_policypak_with_mdm_and_19.webp) +![using_policypak_with_mdm_and_19](/img/product_docs/policypak/policypak/troubleshooting/mdm/using_policypak_with_mdm_and_19.webp) Figure 49. Verifying if the computer is MDM enrolled. In this example, the machine is not MDM enrolled. diff --git a/docs/policypak/policypak/troubleshooting/mdm/successevents.md b/docs/policypak/policypak/troubleshooting/mdm/successevents.md index 0e6cca89bc..b3c7360835 100644 --- a/docs/policypak/policypak/troubleshooting/mdm/successevents.md +++ b/docs/policypak/policypak/troubleshooting/mdm/successevents.md 
@@ -9,7 +9,7 @@ file MSI, and the Endpoint Policy Manager wrapped up policies MSI. However, if 1 appear, it does not necessarily mean something has gone wrong. MDM could be taking a long time to install the MSIs. -![using_policypak_with_mdm_and_20](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/mdm/using_policypak_with_mdm_and_20.webp) +![using_policypak_with_mdm_and_20](/img/product_docs/policypak/policypak/troubleshooting/mdm/using_policypak_with_mdm_and_20.webp) If you want to take Endpoint Policy Manager out of the picture and verify that your MDM service is correctly deploying any MSI, we recommend the following free MSI, called Terminals MSI. The starting diff --git a/docs/policypak/policypak/troubleshooting/nondomain/chrome.md b/docs/policypak/policypak/troubleshooting/nondomain/chrome.md index abb8fe5e48..ef9cc4a101 100644 --- a/docs/policypak/policypak/troubleshooting/nondomain/chrome.md +++ b/docs/policypak/policypak/troubleshooting/nondomain/chrome.md 
@@ -9,89 +9,89 @@ In our testing, here are the settings which will and will not work when non-doma | BASICS TAB | | | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Show Home button | ![517_1_thick](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Always show the bookmarks bar | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| On startup open the following page(s) | ![517_3_cross](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Set Pages | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Use New Tab Page as homepage | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Check to disable auto-update Google Chrome | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Show Home button | ![517_1_thick](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Always show the bookmarks bar | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| On startup open the following page(s) | ![517_3_cross](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Set Pages | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Use New Tab Page as homepage | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Check to disable auto-update 
Google Chrome | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | | IMPORT BOOKMARKS AND SETTINGS TAB | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Browsing history | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Favorites/Bookmarks | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Saved Passwords | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Search engines | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Browsing history | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Favorites/Bookmarks | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Saved Passwords | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Search engines | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | | ADVANCED TAB | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Use a prediction service to help complete searches and URLs typed in the address bar | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Use a web service to help resolve spelling errors | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Offer to save passwords I enter on the web | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Offer to translate pages that aren't in a language I read | ![Checkmark 
Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Download location | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Continue running background apps when Google Chrome is closed | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Use hardware acceleration when available | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Predict network actions to improve page load performance | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Enable phishing and malware protection | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Automatically send usage statistics and crash reports to Google | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Show notifications when new printers are detected on the network | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Check for server certificate revocation | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Enable Autofill to fill out web forms in a single click. 
| ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross_29x29.webp) | +| Use a prediction service to help complete searches and URLs typed in the address bar | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Use a web service to help resolve spelling errors | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Offer to save passwords I enter on the web | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Offer to translate pages that aren't in a language I read | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Download location | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Continue running background apps when Google Chrome is closed | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Use hardware acceleration when available | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Predict network actions to improve page load performance | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Enable phishing and malware protection | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Automatically send usage statistics and crash reports to Google | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Show notifications when new printers are detected on the network | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Check for server certificate revocation | ![Short white 
line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Enable Autofill to fill out web forms in a single click. | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross_29x29.webp) | | CONTENT SETTINGS TAB | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Cookies | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block third-party cookies and site data | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Images | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Pop-ups | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Location | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Notifications | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Media | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Ads | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| USB devices | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| PDF documents | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| JavaScript | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Plug-ins | ![Short white 
line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Handlers | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Mouse cursor | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Protected content | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Unsandboxed plug-in access | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Automatic Downloads | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| MIDI devices full control | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Cookies | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block third-party cookies and site data | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Images | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Pop-ups | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Location | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Notifications | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Media | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Ads | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| USB devices | ![Checkmark 
Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| PDF documents | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| JavaScript | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Plug-ins | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Handlers | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Mouse cursor | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Protected content | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Unsandboxed plug-in access | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Automatic Downloads | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| MIDI devices full control | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | | CLEAR BROWSING DATA TAB | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Browsing history | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Download history | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Cookies and other site and plugin data | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Cached images and files | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Passwords | ![Short white 
line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| Autofill form data | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Browsing history | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Download history | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Cookies and other site and plugin data | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Cached images and files | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Passwords | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Autofill form data | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | | SITES TAB | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Allow cookies on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block cookies on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow session only cookies on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow images on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block images on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow JavaScript on these sites | ![Checkmark 
Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block JavaScript on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow popups on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block popups on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow notifications on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block notifications on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Allow plugins on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Block plugins on these sites | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Automatically select client certificates for these sites | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | -| List of URLs | ![Short white line](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| Allow cookies on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block cookies on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow session only cookies on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow images on these 
sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block images on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow JavaScript on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block JavaScript on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow popups on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block popups on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow notifications on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block notifications on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Allow plugins on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Block plugins on these sites | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Automatically select client certificates for these sites | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | +| List of URLs | ![Short white line](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_3_cross.webp) | | EXTENSIONS | | | --- | --- | | SETTING NAME | WORKS IN NON-DOMAIN | -| Extension-Install-Blacklist | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Extension-Install-Forcelist | ![Checkmark 
Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Extension-Install-Whitelist | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | -| Extension-Install-Sources | ![Checkmark Icon](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Extension-Install-Blacklist | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Extension-Install-Forcelist | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Extension-Install-Whitelist | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | +| Extension-Install-Sources | ![Checkmark Icon](/img/product_docs/policypak/policypak/troubleshooting/nondomain/517_1_thick.webp) | If you have questions about our results, please use the Endpoint Policy Manager Forums. diff --git a/docs/policypak/policypak/troubleshooting/nondomain/edge.md b/docs/policypak/policypak/troubleshooting/nondomain/edge.md index b135008dec..a8dcb889af 100644 --- a/docs/policypak/policypak/troubleshooting/nondomain/edge.md +++ b/docs/policypak/policypak/troubleshooting/nondomain/edge.md @@ -27,7 +27,7 @@ Steps: **Step 6 –** Paste the below script in to the window -![856_1_image-20211130230540-1_950x555](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/856_1_image-20211130230540-1_950x555.webp) +![856_1_image-20211130230540-1_950x555](/img/product_docs/policypak/policypak/troubleshooting/nondomain/856_1_image-20211130230540-1_950x555.webp) **Step 7 –** Wait for Policy refresh or run PPCLOUD /SYNC at endpoint 
@@ -35,10 +35,10 @@ Steps: **Step 9 –** Users will be presented with the following screen. Click Turn on extension -![856_2_image-20211130230540-2_950x436](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/856_2_image-20211130230540-2_950x436.webp) +![856_2_image-20211130230540-2_950x436](/img/product_docs/policypak/policypak/troubleshooting/nondomain/856_2_image-20211130230540-2_950x436.webp) \*\*\*\*\* PowerShell Script to apply using Scripts Manager: Scripts & Triggers Manager > -[Knowledge Base](../../scriptstriggers/overview/knowledgebase.md) +[Knowledge Base](/docs/policypak/policypak/scriptstriggers/overview/knowledgebase.md) ``` #Download the latest PPBR extension from shareFile/PolicyPak Support - Inbox/ppbr_crx/ppbr_21_2_0_0.crx diff --git a/docs/policypak/policypak/troubleshooting/nondomain/limitations.md b/docs/policypak/policypak/troubleshooting/nondomain/limitations.md index 109e214f8c..5302d1a396 100644 --- a/docs/policypak/policypak/troubleshooting/nondomain/limitations.md +++ b/docs/policypak/policypak/troubleshooting/nondomain/limitations.md 
@@ -19,16 +19,16 @@ There are some items which will not work if the computer is not domain joined… 1. Chrome's plug SHOULD work and activate automatically, but in might need to be activated if it doesn't operate as expected. - [Browser Router now supports Chrome on Non-Domain Joined machines](../../video/browserrouter/chromenondomainjoined.md). + [Browser Router now supports Chrome on Non-Domain Joined machines](/docs/policypak/policypak/video/browserrouter/chromenondomainjoined.md). 2. Endpoint Policy Manager Application Manager will work as expected, except managing some areas of CHROME when non-domain joined. Chrome simply has a self-imposed limitation for non-domain joined machines. The list of settings which WILL and WON'T work is documented - [Which items in Chrome will, and will not work when non-domain joined?](chrome.md). + [Which items in Chrome will, and will not work when non-domain joined?](/docs/policypak/policypak/troubleshooting/nondomain/chrome.md). 3. Windows Edge (original) will report at each launch "We've turned off extensions from unknown sources. They might be risky so we recommend keeping them off." (See picture below.) There is NO workaround at this time. - ![359_1_tyr](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/nondomain/359_1_tyr.webp) + ![359_1_tyr](/img/product_docs/policypak/policypak/troubleshooting/nondomain/359_1_tyr.webp) 4. Windows Edge + Chromium: The Browser Router Extension will not install automatically. There is NO workaround at this time except to manually install the Chrome Extension on Edge by hand. diff --git a/docs/policypak/policypak/troubleshooting/powershell/datadirectives.md b/docs/policypak/policypak/troubleshooting/powershell/datadirectives.md index 93d30eb88a..c703d07684 100644 --- a/docs/policypak/policypak/troubleshooting/powershell/datadirectives.md +++ b/docs/policypak/policypak/troubleshooting/powershell/datadirectives.md 
@@ -3,7 +3,7 @@ Start by installing the Netwrix Endpoint Policy Manager (formerly PolicyPak) PowerShell module, found in the Endpoint Policy Manager Extras Folder in the DOWNLOAD… -![548_1_gpe-fag-06-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/powershell/548_1_gpe-fag-06-img-01.webp) +![548_1_gpe-fag-06-img-01](/img/product_docs/policypak/policypak/troubleshooting/powershell/548_1_gpe-fag-06-img-01.webp) The Endpoint Policy Manager PowerShell modules are installed to: `C:\Program Files (x86)\PolicyPak\Tools\Modules\PolicyPak.` @@ -18,4 +18,4 @@ commands: An example output can be seen below, which returns all the GPOs and which Endpoint Policy Manager Client Side Extension data types are inside them. -![548_2_gpe-fag-06-img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/powershell/548_2_gpe-fag-06-img-02.webp) +![548_2_gpe-fag-06-img-02](/img/product_docs/policypak/policypak/troubleshooting/powershell/548_2_gpe-fag-06-img-02.webp) diff --git a/docs/policypak/policypak/troubleshooting/powershell/pplogsprompt.md b/docs/policypak/policypak/troubleshooting/powershell/pplogsprompt.md index d07770be4f..2fc17fdeae 100644 --- a/docs/policypak/policypak/troubleshooting/powershell/pplogsprompt.md +++ b/docs/policypak/policypak/troubleshooting/powershell/pplogsprompt.md @@ -2,7 +2,7 @@ Remember that two different logs are required to get on a computer in order to get Netwrix Endpoint Policy Manager (formerly PolicyPak) Support. Please review -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](../fastsupport.md). +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md). Then, when you're ready to automatically grab the logs from the machine please use the following commands (and see a sample result below.) 
@@ -14,4 +14,4 @@ where the command will execute on the machine itself. `echo y|pplogs /out:"c:\temp\pplogs_"$env:computername"_"$env:username".zip"` `echo y|pplogs /out:"c:\temp\pplogs_"$env:computername"_admin.zip"` -![934_1_image001_950x736](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/powershell/934_1_image001_950x736.webp) +![934_1_image001_950x736](/img/product_docs/policypak/policypak/troubleshooting/powershell/934_1_image001_950x736.webp) diff --git a/docs/policypak/policypak/troubleshooting/preferences/clientmachines.md b/docs/policypak/policypak/troubleshooting/preferences/clientmachines.md index 6a96b4e309..a7f6b65abb 100644 --- a/docs/policypak/policypak/troubleshooting/preferences/clientmachines.md +++ b/docs/policypak/policypak/troubleshooting/preferences/clientmachines.md @@ -16,7 +16,7 @@ installation of the MSI? **Step 4 –** Is your computer licensed? All computers must be licensed in order for Endpoint Policy Manager Preferences Manager to work properly (see Book 1: -[Introduction and Basic Concepts](../../basicconcepts.md) for more information). Alternatively, try +[Introduction and Basic Concepts](/docs/policypak/policypak/basicconcepts.md) for more information). Alternatively, try renaming the computer to "Computer1" (or a similar name) such that "computer" is in the name. When you do this, the Endpoint Policy Manager Preferences Manager CSE will act as if it's fully licensed. If Endpoint Policy Manager Preferences Manager starts to work, you have a licensing issue. diff --git a/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md b/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md index bb3c034211..4a79ee9b3f 100644 --- a/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md +++ b/docs/policypak/policypak/troubleshooting/preferences/domainjoined.md 
@@ -16,4 +16,4 @@ licensed. To that end, here is the documentation to un-license a single component, like Endpoint Policy Manager Preferences: If you're an on-Prem cloud or MDM customer. -[What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](../../license/unlicense/componentscloud.md) +[What if I want to unlicense specific components via ADMX or Endpoint Policy Manager Cloud?](/docs/policypak/policypak/license/unlicense/componentscloud.md) diff --git a/docs/policypak/policypak/troubleshooting/preferences/logs.md b/docs/policypak/policypak/troubleshooting/preferences/logs.md index 1d7f7ac382..5ad1dc52e2 100644 --- a/docs/policypak/policypak/troubleshooting/preferences/logs.md +++ b/docs/policypak/policypak/troubleshooting/preferences/logs.md @@ -5,11 +5,11 @@ Endpoint Policy Manager Preferences Manager can affect the Computer side and Use computer-side log files can be seen in Figure 19, and the user-side log files can be seen in Figure 20. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) Figure 19. Computer-side log files. -![troubleshooting_1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) +![troubleshooting_1](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_1.webp) Figure 20. User-side log files. @@ -35,6 +35,6 @@ Table 1: Log files. You can see an example of the contents of the logs in Figure 21. -![troubleshooting_2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) +![troubleshooting_2](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_2.webp) Figure 21. The contents of the logs that are required for troubleshooting. 
diff --git a/docs/policypak/policypak/troubleshooting/preferences/logsenhanced.md b/docs/policypak/policypak/troubleshooting/preferences/logsenhanced.md index d858d0671e..2df334ea3f 100644 --- a/docs/policypak/policypak/troubleshooting/preferences/logsenhanced.md +++ b/docs/policypak/policypak/troubleshooting/preferences/logsenhanced.md @@ -5,7 +5,7 @@ normal logs aren't producing enough troubleshooting information. Only enable the with technical support. To enable these logs, go to` HKLM\SOFTWARE\Policies\PolicyPak\Config\CSE\` and create a` REG_DWORD` named extendedlogs with a value of 1 as seen in Figure 22. -![troubleshooting_3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_3.webp) +![troubleshooting_3](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_3.webp) Figure 22. Turning on enhanced client logging. @@ -15,7 +15,7 @@ support, you would change the log level of the `ppService.log` by first creating logs called `Service`. Then within `Service` add a `Reg_DWORD` called Verbose and set it to `0xFFFFFFFF`, as seen in Figure 23. -![troubleshooting_4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_4.webp) +![troubleshooting_4](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting_4.webp) Figure 23. The Service key will not exist by default and must be created before the value is set within it. diff --git a/docs/policypak/policypak/troubleshooting/procmon.md b/docs/policypak/policypak/troubleshooting/procmon.md index 8c95d8bcc7..aed53123eb 100644 --- a/docs/policypak/policypak/troubleshooting/procmon.md +++ b/docs/policypak/policypak/troubleshooting/procmon.md 
@@ -5,7 +5,7 @@ More info: For this example, we will be monitoring the following Registry Key and values. -![630_1_image-20220507212307-1](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_1_image-20220507212307-1.webp) +![630_1_image-20220507212307-1](/img/product_docs/policypak/policypak/troubleshooting/630_1_image-20220507212307-1.webp) **Step 1 –** Download and install ProcMon from: @@ -18,7 +18,7 @@ For this example, we will be monitoring the following Registry Key and values. **Step 4 –** Next, in the Regedit window go to the path you wish to monitor, highlight the desired path in the address bar and copy the text. -![630_2_image-20220507212307-2](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_2_image-20220507212307-2.webp) +![630_2_image-20220507212307-2](/img/product_docs/policypak/policypak/troubleshooting/630_2_image-20220507212307-2.webp) **Step 5 –** Back in ProcMon click on the filter icon, select the values "Path" and "is" as shown in the screenshot below, then paste in the registry path you saved to your clipboard earlier in step 4 
@@ -28,14 +28,14 @@ then "Ok" to save and apply the filter. **NOTE:** Edit the reg path and replace the text `"Computer\HKEY_CURRENT_USER"` with `"HKCU"`, or `"Computer\HKEY_LOCAL_MACHINE"` with `"HKLM"` as needed. See screenshots below for examples. -![630_3_image-20220507212307-3](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_3_image-20220507212307-3.webp) +![630_3_image-20220507212307-3](/img/product_docs/policypak/policypak/troubleshooting/630_3_image-20220507212307-3.webp) -![630_4_image-20220507212307-4](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_4_image-20220507212307-4.webp) +![630_4_image-20220507212307-4](/img/product_docs/policypak/policypak/troubleshooting/630_4_image-20220507212307-4.webp) **Step 6 –** Test that the filter is working by click clear results in ProcMon, then selecting the reg key in regedit window, you should see read events in the ProcMon capture window. -![630_5_image-20220507212307-5](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_5_image-20220507212307-5.webp) +![630_5_image-20220507212307-5](/img/product_docs/policypak/policypak/troubleshooting/630_5_image-20220507212307-5.webp) Note for this example I used the following path: 
@@ -46,11 +46,11 @@ Preferences. Default Browser Selection via System Preferences. -![630_6_image-20220507212307-6](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_6_image-20220507212307-6.webp) +![630_6_image-20220507212307-6](/img/product_docs/policypak/policypak/troubleshooting/630_6_image-20220507212307-6.webp) **Step 7 –** Next, and most importantly enable the "Drop Filtered Events" option on the Filter menu. -![630_7_image-20220507212307-7](../../../../static/img/product_docs/policypak/policypak/troubleshooting/630_7_image-20220507212307-7.webp) +![630_7_image-20220507212307-7](/img/product_docs/policypak/policypak/troubleshooting/630_7_image-20220507212307-7.webp) **Step 8 –** Now all that is left, is to wait until the issue reoccurs. @@ -68,4 +68,4 @@ on SHAREFILE: And remember to click the UPLOAD button! -Video KB:[Gathering and Uploading Logs](../video/troubleshooting/logs.md) +Video KB:[Gathering and Uploading Logs](/docs/policypak/policypak/video/troubleshooting/logs.md) diff --git a/docs/policypak/policypak/troubleshooting/remotedesktopprotocol/overview.md b/docs/policypak/policypak/troubleshooting/remotedesktopprotocol/overview.md index 898e85129e..801b466668 100644 --- a/docs/policypak/policypak/troubleshooting/remotedesktopprotocol/overview.md +++ b/docs/policypak/policypak/troubleshooting/remotedesktopprotocol/overview.md @@ -21,6 +21,6 @@ There are also several files to check in the User folder: Start troubleshooting by verifying the licensing, GPO name, and collection or policy name, as shown in Figure 18. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) Figure 18. The ppuser log file. 
diff --git a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/dropboxlink.md b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/dropboxlink.md index e02f0ab1f2..0490a96805 100644 --- a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/dropboxlink.md +++ b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/dropboxlink.md @@ -15,7 +15,7 @@ Create the policy to be used as a template **Step 2 –** Under either Computer or User Configuration, expand "PolicyPak -> App Delivery & Patching Pak" and select "Remote Work Delivery Manager" -![800_1_image-20210602100219-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_1_image-20210602100219-1.webp) +![800_1_image-20210602100219-1](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_1_image-20210602100219-1.webp) **Step 3 –** Add a "New Web Policy" @@ -25,12 +25,12 @@ Patching Pak" and select "Remote Work Delivery Manager" this link below can be used. [https://z_deleteme.s3.amazonaws.com/7z.msi](https://z_deleteme.s3.amazonaws.com/7z.msi) -![800_2_image-20210602100219-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_2_image-20210602100219-2.webp) +![800_2_image-20210602100219-2](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_2_image-20210602100219-2.webp) **Step 6 –** On the "Specify the Copy Destination" page, enter in the directory to copy the file to and set the file name as it should be for the destination file. -![800_3_image-20210602100219-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_3_image-20210602100219-3.webp) +![800_3_image-20210602100219-3](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_3_image-20210602100219-3.webp) **Step 7 –** If this an application distribution and installation, fill in the appropriate Post-copy and Revert actions 
@@ -43,7 +43,7 @@ In this next step we need to grab the XML and manually update it with the correc **Step 1 –** Export to XML -![800_4_image-20210602100219-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_4_image-20210602100219-4.webp) +![800_4_image-20210602100219-4](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_4_image-20210602100219-4.webp) **Step 2 –** Open the saved XML file in your text editor @@ -52,11 +52,11 @@ link. Example: -![800_5_image-20210602100219-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_5_image-20210602100219-5.webp) +![800_5_image-20210602100219-5](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_5_image-20210602100219-5.webp) TO -![800_6_image-20210602100219-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_6_image-20210602100219-6.webp) +![800_6_image-20210602100219-6](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_6_image-20210602100219-6.webp) **NOTE:** by default, when you create a DropBox link it ends with [dl=0]. If it does, it must be changed it to [dl=1] to work. This would normally be done by the application automatically. 
@@ -65,14 +65,14 @@ changed it to [dl=1] to work. This would normally be done by the application aut configured within Netwrix Endpoint Policy Manager (formerly PolicyPak) (e.g. destination, afterApply (post-copy action) or beforeRevert (revert action), then save the file -![800_7_image-20210602100219-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_7_image-20210602100219-7.webp) +![800_7_image-20210602100219-7](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_7_image-20210602100219-7.webp) **Step 5 –** If importing back into the same server as the originating template, and the policy still exists, on the policy line (usually line 2), find "id" and change at least one of the characters, any one of them will do. Endpoint Policy Manager will not allow the policy to be imported if a policy already exists with the same ID. -![800_8_image-20210602100219-8](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_8_image-20210602100219-8.webp) +![800_8_image-20210602100219-8](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/800_8_image-20210602100219-8.webp) **Step 6 –** Save and close. diff --git a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/events.md b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/events.md index 1babdefb47..d93a16bbfc 100644 --- a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/events.md +++ b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/events.md 
@@ -5,7 +5,7 @@ in the Endpoint Policy Manager log (within Applications and Services Log). All E Manager Remote Work Delivery Manager events will have the Endpoint Policy Manager Remote Work Delivery Manager Client source type. -![tips_security_and_troubleshooting_8](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_8.webp) +![tips_security_and_troubleshooting_8](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_8.webp) Figure 57. Endpoint Policy Manager Remote Work Delivery Manager events can be found in the Endpoint Policy Manager node within Application and Services. diff --git a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/logs.md b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/logs.md index 76d299d0a2..550530c282 100644 --- a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/logs.md +++ b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/logs.md @@ -34,7 +34,7 @@ Start troubleshooting by verifying that you are set up with the following scenar Figure 55 is an example of a Endpoint Policy Manager Remote Work Delivery Manager log with some annotations. -![tips_security_and_troubleshooting_6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_6.webp) +![tips_security_and_troubleshooting_6](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_6.webp) Figure 55. An example of a Endpoint Policy Manager Remote Work Delivery Manager log. 
@@ -46,7 +46,7 @@ Manager Remote Work Delivery Manager (see Figure 56): `\appdata\\PolicyPak\PolicyPak Remote Work Delivery Manager` - One for the Computer side in `Programdata\PolicyPak\PolicyPak Remote Work Delivery Manager` -![tips_security_and_troubleshooting_7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_7.webp) +![tips_security_and_troubleshooting_7](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_7.webp) Figure 56. Log files showing when a policy applies and when a policy reverts. diff --git a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/securityconcerns.md b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/securityconcerns.md index 8b589738b6..5effb407ae 100644 --- a/docs/policypak/policypak/troubleshooting/remoteworkdelivery/securityconcerns.md +++ b/docs/policypak/policypak/troubleshooting/remoteworkdelivery/securityconcerns.md @@ -7,11 +7,11 @@ to all authenticated users. In Figure 49 and Figure 50, you can see a Group Policy HTML report of the source file path of an SMB file and a web-based file. -![tips_security_and_troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting.webp) +![tips_security_and_troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting.webp) Figure 49. By default, Standard Users can see the source path you have specified. -![tips_security_and_troubleshooting_1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_1.webp) +![tips_security_and_troubleshooting_1](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_1.webp) Figure 50. Standard Users can see your HTTP source URLs by default. 
@@ -25,7 +25,7 @@ know-how, use their own user access to read the underlying XML within the GPO it we can see Standard User EastSalesUser1 reading the XML contents of a GPO within SYSVOL and seeing the location of the web file. -![tips_security_and_troubleshooting_2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_2.webp) +![tips_security_and_troubleshooting_2](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_2.webp) Figure 51. Standard Users can read the contents of the GPOs that apply to them. @@ -46,14 +46,14 @@ Figure 52 shows an example of a hardened GPO within the Delegation tab of the GP EastSalesUser1 would be able to determine the contents of the GPO (and hence, see the HTML report or read the GPO data). -![tips_security_and_troubleshooting_3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_3.webp) +![tips_security_and_troubleshooting_3](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_3.webp) Figure 52. Hardening a GPO. Note that on the Scope tab (see Figure 53), you will only see the name of the group with read rights and "Apply group policy" rights, which is in this case, EastSalesUsers. -![tips_security_and_troubleshooting_4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_4.webp) +![tips_security_and_troubleshooting_4](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_4.webp) Figure 53. The Security Filtering section will only show you who has read rights and "Apply group policy" rights. 
@@ -63,6 +63,6 @@ user-side portion of the GPO. In Figure 54, WestSalesUser1 attempts to read the because authenticated users are removed, and only EastSalesUser1 Active Directory Group has permissions, the user cannot read the User side of the GPO's contents. -![tips_security_and_troubleshooting_5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_5.webp) +![tips_security_and_troubleshooting_5](/img/product_docs/policypak/policypak/troubleshooting/remoteworkdelivery/tips_security_and_troubleshooting_5.webp) Figure 54. The result of hardening a GPO. diff --git a/docs/policypak/policypak/troubleshooting/reportingadm.md b/docs/policypak/policypak/troubleshooting/reportingadm.md index 917f4656d5..6b168ac029 100644 --- a/docs/policypak/policypak/troubleshooting/reportingadm.md +++ b/docs/policypak/policypak/troubleshooting/reportingadm.md @@ -2,7 +2,7 @@ From time to time a GPO's GPMC report might get damaged. An example looks something like this: -![616_1_img-01](../../../../static/img/product_docs/policypak/policypak/troubleshooting/616_1_img-01.webp) +![616_1_img-01](/img/product_docs/policypak/policypak/troubleshooting/616_1_img-01.webp) To repair this, take the following steps to reset the ADM generation part. In the same GPO... on the side that is giving you a problem: 
@@ -12,20 +12,20 @@ side that is giving you a problem: **Step 2 –** Remove the reporting ADM from the SIDE of the GPO which has the issue like this. And press CLOSE. This un-hinges the ADM and forces a re-write. -![616_3_img-02](../../../../static/img/product_docs/policypak/policypak/troubleshooting/616_3_img-02.webp) +![616_3_img-02](/img/product_docs/policypak/policypak/troubleshooting/616_3_img-02.webp) **Step 3 –** When you do, it should all "go wrongly" in the GPMC HTML report. This is GOOD and Don't panic. -![616_5_img-03](../../../../static/img/product_docs/policypak/policypak/troubleshooting/616_5_img-03.webp) +![616_5_img-03](/img/product_docs/policypak/policypak/troubleshooting/616_5_img-03.webp) **Step 4 –** Make & force any change again in the Netwrix Endpoint Policy Manager (formerly PolicyPak) editor. For instance, if the problem was in Endpoint Policy Manager Browser Router ADM report, make any change at all anything at all. For instance, change a policy to something, click OK and then edit it back again, etc. -![616_7_img-04](../../../../static/img/product_docs/policypak/policypak/troubleshooting/616_7_img-04.webp) +![616_7_img-04](/img/product_docs/policypak/policypak/troubleshooting/616_7_img-04.webp) **Step 5 –** We should automatically re-write the whole ADM. -![616_9_img-05](../../../../static/img/product_docs/policypak/policypak/troubleshooting/616_9_img-05.webp) +![616_9_img-05](/img/product_docs/policypak/policypak/troubleshooting/616_9_img-05.webp) diff --git a/docs/policypak/policypak/troubleshooting/restoredetails.md b/docs/policypak/policypak/troubleshooting/restoredetails.md index c7d0b00787..367f18f809 100644 --- a/docs/policypak/policypak/troubleshooting/restoredetails.md +++ b/docs/policypak/policypak/troubleshooting/restoredetails.md 
@@ -2,7 +2,7 @@ First, you can always restore ANY GPO if you have a full GPO backup.  If you have a GPO backup, then follow these steps: Here's our video on it..  -[Integration with Group Policy (Basics: Installation, Backup, Restore and Reporting !)](../video/grouppolicy/integration.md) +[Integration with Group Policy (Basics: Installation, Backup, Restore and Reporting !)](/docs/policypak/policypak/video/grouppolicy/integration.md) However, if you do not have a full GPO backup, but only have an Active Directory backup you can still use this as a restore point. @@ -12,11 +12,11 @@ The way to do this is to find the file that will be in the backup, like this. Note the path, in this case, LPM is about Netwrix Endpoint Policy Manager (formerly PolicyPak) Least Privilege Manager. -![896_1_image002_950x151](../../../../static/img/product_docs/policypak/policypak/troubleshooting/896_1_image002_950x151.webp) +![896_1_image002_950x151](/img/product_docs/policypak/policypak/troubleshooting/896_1_image002_950x151.webp) Then you can use this file from the backup, and perform an "Import from XML" like this. -![896_2_image003_950x650](../../../../static/img/product_docs/policypak/policypak/troubleshooting/896_2_image003_950x650.webp) +![896_2_image003_950x650](/img/product_docs/policypak/policypak/troubleshooting/896_2_image003_950x650.webp) Note this might not work for all types of Endpoint Policy Manager items, like Endpoint Policy Manager Application Settings Manager; but should work in most cases. diff --git a/docs/policypak/policypak/troubleshooting/scriptstriggers/adminapproval.md b/docs/policypak/policypak/troubleshooting/scriptstriggers/adminapproval.md index d0cfd23d4f..85a064bdfd 100644 --- a/docs/policypak/policypak/troubleshooting/scriptstriggers/adminapproval.md +++ b/docs/policypak/policypak/troubleshooting/scriptstriggers/adminapproval.md 
@@ -5,13 +5,13 @@ PROBLEM: When updating Microsoft Teams to the latest version you receive an Admin Approval message like the one below. -![927_1_image-20231116160521-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_1_image-20231116160521-2.webp) +![927_1_image-20231116160521-2](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_1_image-20231116160521-2.webp) CAUSE: Customer has enabled AA + Enforce Admin Approval for installers -![1306_2_02a0661341d87f03cca56ccbf243d833](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_2_02a0661341d87f03cca56ccbf243d833.webp) +![1306_2_02a0661341d87f03cca56ccbf243d833](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_2_02a0661341d87f03cca56ccbf243d833.webp) But when MS Teams attempts to update, Windows runs a helper process (msiexec.exe without any arguments as SYSTEM). This msiexec.exe creates another child process (msiexec -embedding `{GUID}`), 
@@ -26,28 +26,28 @@ Endpoint Policy Manager Least Privilege Manager explicit policy. Therefore you c Policy Manager Least Privilege Manager to securely to elevate a command like msiexec -embedding \*, if it is known that its parent is also msiexec.exe, and signed by Microsoft. -![1306_3_c1ba4f8f05b21e5d6adf327d817593e9](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_3_c1ba4f8f05b21e5d6adf327d817593e9.webp) +![1306_3_c1ba4f8f05b21e5d6adf327d817593e9](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_3_c1ba4f8f05b21e5d6adf327d817593e9.webp) The manual steps to generate the XML are: -![1306_4_0db039eed39f20ab325fac0ca5b30a6c](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_4_0db039eed39f20ab325fac0ca5b30a6c.webp) +![1306_4_0db039eed39f20ab325fac0ca5b30a6c](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_4_0db039eed39f20ab325fac0ca5b30a6c.webp) -![1306_5_23eaaa42422c8cfce3e46d27a9dddbb2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_5_23eaaa42422c8cfce3e46d27a9dddbb2.webp) +![1306_5_23eaaa42422c8cfce3e46d27a9dddbb2](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_5_23eaaa42422c8cfce3e46d27a9dddbb2.webp) -![1306_6_ad797e8b1ecf0b43d8f8a388ffedcde5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_6_ad797e8b1ecf0b43d8f8a388ffedcde5.webp) +![1306_6_ad797e8b1ecf0b43d8f8a388ffedcde5](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_6_ad797e8b1ecf0b43d8f8a388ffedcde5.webp) -![1306_7_f8c69edce2b216b5a2e1e3238a79c2e9](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_7_f8c69edce2b216b5a2e1e3238a79c2e9.webp) 
+![1306_7_f8c69edce2b216b5a2e1e3238a79c2e9](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_7_f8c69edce2b216b5a2e1e3238a79c2e9.webp) -![1306_8_4af3ffdd4277ec275d61a4aeb4adb125](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_8_4af3ffdd4277ec275d61a4aeb4adb125.webp) +![1306_8_4af3ffdd4277ec275d61a4aeb4adb125](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_8_4af3ffdd4277ec275d61a4aeb4adb125.webp) Additionally, you will need a Endpoint Policy Manager Least Privilege Manager UWP Policy which specifies that "Any UWP app allowed" as follows: -![1306_9_85037c3c83c955ec3a44d5631189d585](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_9_85037c3c83c955ec3a44d5631189d585.webp) +![1306_9_85037c3c83c955ec3a44d5631189d585](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_9_85037c3c83c955ec3a44d5631189d585.webp) Or you can specify some applications which appear to be required during a Teams upgrade. -![1306_10_4188230b3e50a95465a6cf8a84abb867](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_10_4188230b3e50a95465a6cf8a84abb867.webp) +![1306_10_4188230b3e50a95465a6cf8a84abb867](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/1306_10_4188230b3e50a95465a6cf8a84abb867.webp) You can use this XML which is coded for Computer-side policy to accomplish the goals stated in this Workaround #1. 
@@ -63,7 +63,7 @@ Code Snippet: Using PolicyPak Scripts and Triggers, create the 2 separate PowerShell policies as shown in the screen shots below. -![927_2_2_950x130](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_2_2_950x130.webp) +![927_2_2_950x130](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_2_2_950x130.webp) **NOTE:** If you are not licensed for Endpoint Policy Manager Scripts & Triggers you can still use Workaround 1 by creating the policies below in Microsoft Group policy using regular computer or user @@ -80,7 +80,7 @@ Code Snippet: **NOTE:** You will need to update the path to the latest version of MS Teams file for your environment in policy #2, see below. -![927_3_3_950x296](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_3_3_950x296.webp) +![927_3_3_950x296](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_3_3_950x296.webp) [https://www.policypak.com/pp-files/PPScripts\_\_MS_Teams_update_to_resolve_issue_with_Admin_Approval_prompts.xml](https://www.policypak.com/pp-files/PPScripts__MS_Teams_update_to_resolve_issue_with_Admin_Approval_prompts.xml) @@ -89,4 +89,4 @@ environment in policy #2, see below. Using Endpoint Policy Manager Least Privilege Manager create the 2 separate policies as shown in the screen shot below. -![927_4_image-20231213102010-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_4_image-20231213102010-1.webp) +![927_4_image-20231213102010-1](/img/product_docs/policypak/policypak/troubleshooting/scriptstriggers/927_4_image-20231213102010-1.webp) diff --git a/docs/policypak/policypak/troubleshooting/scriptstriggers/overview.md b/docs/policypak/policypak/troubleshooting/scriptstriggers/overview.md index a395ee9f9a..31c82155f1 100644 --- a/docs/policypak/policypak/troubleshooting/scriptstriggers/overview.md 
+++ b/docs/policypak/policypak/troubleshooting/scriptstriggers/overview.md @@ -36,7 +36,7 @@ There are several files to check in the folder: Figure 33 shows an example of a Endpoint Policy Manager Scripts & Triggers Manager log with some annotations. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) Figure 33. An example of a Endpoint Policy Manager Scripts & Triggers Manager log. diff --git a/docs/policypak/policypak/troubleshooting/scriptstriggers/systemprocesses.md b/docs/policypak/policypak/troubleshooting/scriptstriggers/systemprocesses.md index da0cfffc75..1b9eb464dc 100644 --- a/docs/policypak/policypak/troubleshooting/scriptstriggers/systemprocesses.md +++ b/docs/policypak/policypak/troubleshooting/scriptstriggers/systemprocesses.md @@ -1,7 +1,7 @@ # Why don't Batch and PowerShell scripts get blocked when SYSTEM processes are blocked When implementing SecureRun to block both User and System processes (as demonstrated in -[SecureRun to block User AND System executables](../../video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) +[SecureRun to block User AND System executables](/docs/policypak/policypak/video/leastprivilege/bestpractices/securerun/usersystemexecutables.md) video) we find that EXEs, MSIs and VB scripts get smacked down as expected when running as the USER, ADMIN or SYSTEM account. However, Batch and PowerShell scripts that are started from within a previously opened cmd.exe or powershell.exe window do not get blocked when running as a system diff --git a/docs/policypak/policypak/troubleshooting/settingsrevert.md b/docs/policypak/policypak/troubleshooting/settingsrevert.md index 939fbda45d..f6ae5c02e4 100644 --- a/docs/policypak/policypak/troubleshooting/settingsrevert.md +++ b/docs/policypak/policypak/troubleshooting/settingsrevert.md 
@@ -12,11 +12,11 @@ choices: 1. Revert a specific element back when it no longer applies as seen here. - ![417_1_image005](../../../../static/img/product_docs/policypak/policypak/troubleshooting/417_1_image005.webp) + ![417_1_image005](/img/product_docs/policypak/policypak/troubleshooting/417_1_image005.webp) 2. Revert all elements back when they no longer apply as seen here. - ![417_2_image007](../../../../static/img/product_docs/policypak/policypak/troubleshooting/417_2_image007.webp) + ![417_2_image007](/img/product_docs/policypak/policypak/troubleshooting/417_2_image007.webp) ## Endpoint Policy Manager Admin Templates Manager @@ -41,4 +41,4 @@ Here's an example of how to specify to "Remove the item when it is no longer app This flag must be set or Endpoint Policy Manager cannot revert the item when the policy no longer applies -![417_3_image008](../../../../static/img/product_docs/policypak/policypak/troubleshooting/417_3_image008.webp) +![417_3_image008](/img/product_docs/policypak/policypak/troubleshooting/417_3_image008.webp) diff --git a/docs/policypak/policypak/troubleshooting/slowlogins.md b/docs/policypak/policypak/troubleshooting/slowlogins.md index 9d4888b4d8..5c2500d3e8 100644 --- a/docs/policypak/policypak/troubleshooting/slowlogins.md +++ b/docs/policypak/policypak/troubleshooting/slowlogins.md @@ -66,7 +66,7 @@ an older Client Side Extension, we won't ever fix that one. We only ever fix the sure BEFORE YOU CONTINUE that you've tested the problem out with the LATEST Client Side Extension. **Step 2 –** Perform an exclusion to your AntiVirus/Antimalware using -[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](../install/antivirus.md) +[How must I configure my Anti-virus or system-level software to work with Endpoint Policy Manager CSE?](/docs/policypak/policypak/install/antivirus.md) **Step 3 –** Uninstall (not just disable) your AntiVirus/Antimalware. Does that clear it up? 
@@ -83,7 +83,7 @@ We can take a "first look" at your log files… but there are no guarantees here jump out and just tell us what it is. Do NOT attach this to an EMAIL. You must get an SRX first by emailing support, then, in the AUTORESPONSE, you'll get directions for how to UPLOAD your log files. Here is how to get us log files and results reports (perform EVERY step): -L[Why does my mail anti-virus service claim that the Endpoint Policy Manager download ISO or ZIP has a virus?](antivirus.md) +L[Why does my mail anti-virus service claim that the Endpoint Policy Manager download ISO or ZIP has a virus?](/docs/policypak/policypak/troubleshooting/antivirus.md) The items above are generally the causes of change and problems. Therefore, to get us close to the goal, your team will have to narrow it down. @@ -92,7 +92,7 @@ One thing to TRY (but this is not a solution, this just narrows it down for us) Policy Manager DRIVER. Sometimes the DRIVER can get in the way of things. Knowing the DRIVER is a problem can be helpful. Only test this out if installing the LATEST Client Side Extension doesn't clear up the -problem.[What can I do if I installed a new CSE version and it's causing problems (slowdowns or other issues?)](install/newversionissues.md). +problem.[What can I do if I installed a new CSE version and it's causing problems (slowdowns or other issues?)](/docs/policypak/policypak/troubleshooting/install/newversionissues.md). ## Troubleshooting Scenario 1 (best): Bring up a new machine and triangulate where the problem is 
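Review bot: In slowlogins.md, the rewritten link in the -83 hunk still begins with a stray `L` (`L[Why does my mail anti-virus service claim ...`) and targets troubleshooting/antivirus.md, although the sentence in front of it promises directions for getting log files and results reports. Step 5 and Step 4 later in this same file attach that sentence to fastsupport.md, so the target here looks wrong and should be confirmed rather than migrated as-is. In the -92 hunk, `problem.[What can I do ...` has no space between the end of the sentence and the link. Both are `+` lines in this change, so drop the `L`, correct the target if fastsupport.md was intended, and add the missing space.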
@@ -109,7 +109,7 @@ APPLICATIONS AT ALL.. Warning / - If YES, then the problem is likely something in Group Policy; some security setting which is preventing Endpoint Policy Manager from performing it's function. Provide us with PPLOGS and GPRESULT reports from - [How to import GPOs to Endpoint Policy Manager Cloud](../video/cloud/import.md). Do not miss any + [How to import GPOs to Endpoint Policy Manager Cloud](/docs/policypak/policypak/video/cloud/import.md). Do not miss any steps - If NO.. then you need to BUILD UP the machine until you find the cause. - Remember: If this was a problem / bug affecting all customers, we would know it immediately. So @@ -139,7 +139,7 @@ extensions). result? **Step 5 –** Here is how to get us log files and results reports (perform EVERY step): -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](fastsupport.md) +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) ## Troubleshooting Scenario 3 (also less good): Bring up a "deployed" machine and install old Endpoint Policy Manager CSEs to reveal the problem @@ -159,4 +159,4 @@ anymore we can look to see what changed on OUR side and then build a new Client version for you to test. **Step 4 –** Here is how to get us log files and results reports (perform EVERY -step):[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](fastsupport.md) +step):[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/crash.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/crash.md index ce40eb5718..c33fc6cf67 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/crash.md 
+++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/crash.md @@ -5,4 +5,4 @@ Running for Netwrix Endpoint Policy Manager (formerly PolicyPak) Start Screen & function. Do not disable this dmwappushservice service. -![537_1_asdfghkyhj](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/537_1_asdfghkyhj.webp) +![537_1_asdfghkyhj](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/537_1_asdfghkyhj.webp) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/customicons.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/customicons.md index 4a4bd18068..cc5c810464 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/customicons.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/customicons.md @@ -11,14 +11,14 @@ a manifest file which overrides the ability for Endpoint Policy Manager Start Sc Manager to deliver the icon as expected. Watch this video first: -[Endpoint Policy Manager Start Screen Manager and Special Custom Icons](../../video/startscreentaskbar/customicons.md). +[Endpoint Policy Manager Start Screen Manager and Special Custom Icons](/docs/policypak/policypak/video/startscreentaskbar/customicons.md). ## Problem 2: You are attempting to use UNC paths for icons Do not attempt to use UNC paths (`\\server\share\app.exe` ) when pointing to an item containing your alternate icons. -![735_1_image-20200723210823-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_1_image-20200723210823-1.webp) +![735_1_image-20200723210823-1](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_1_image-20200723210823-1.webp) The application must reside locally on the machine (`c:\temp\app1.exe`) for the icons to appear as expected. 
@@ -36,24 +36,24 @@ application itself when it does so to For instance, you cannot use alternate icon for anything listed here…. (`%programdata%\Microsoft\Windows\Start Menu`) -![735_3_image-20200723210823-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_3_image-20200723210823-2.webp) +![735_3_image-20200723210823-2](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_3_image-20200723210823-2.webp) Or here… -![735_5_image-20200723210823-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_5_image-20200723210823-3.webp) +![735_5_image-20200723210823-3](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_5_image-20200723210823-3.webp) Or here… (`%AppData%\Microsoft\Windows\Start Menu\Programs`) -![735_7_image-20200723210823-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_7_image-20200723210823-4.webp) +![735_7_image-20200723210823-4](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_7_image-20200723210823-4.webp) or -![735_9_image-20200723210823-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_9_image-20200723210823-5.webp) +![735_9_image-20200723210823-5](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_9_image-20200723210823-5.webp) If you attempt to make a Endpoint Policy Manager Start Screen & Taskbar item and attempt to use an alternate shortcut… it will not work. 
-![735_11_image-20200723210823-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_11_image-20200723210823-6.webp) +![735_11_image-20200723210823-6](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_11_image-20200723210823-6.webp) You will only get the Chrome's default icon, because it already exists as a shortcut in `Start menu | Programs`. @@ -61,10 +61,10 @@ You will only get the Chrome's default icon, because it already exists as a shor To overcome this, you must delete (manually or using Group Policy Prefs, etc.) the file which is being used by the application. Here's an example using Chrome. -![735_13_image-20200723210823-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_13_image-20200723210823-7.webp) +![735_13_image-20200723210823-7](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_13_image-20200723210823-7.webp) The final result AFTER you delete the shortcut within `%programdata%\Microsoft\Windows\Start` Menu or `%AppData%\Microsoft\Windows\Start Menu\Programs` will get you the results you are seeking like this. -![735_15_image-20200723210823-8_950x998](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_15_image-20200723210823-8_950x998.webp) +![735_15_image-20200723210823-8_950x998](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/735_15_image-20200723210823-8_950x998.webp) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/linked.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/linked.md index 2a7dc91ace..5bb465e5a2 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/linked.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/linked.md 
@@ -4,7 +4,7 @@ You might have noticed when you try to deliver NOTHING (aka. a blank start scree using the Taskbar Manager), you will still see a Netwrix Endpoint Policy Manager (formerly PolicyPak) advertisement tile even you didn't put it there. -![692_1_img-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_1_img-1.webp) +![692_1_img-1](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_1_img-1.webp) The Taskbar Manager and Start Screen Manager are actually interlinked, even if you’re only using one of them. @@ -23,18 +23,18 @@ Use the PolicyPak Start Screen PARTIAL/MERGE function which will let you add one Here is an example of us setting a URL to a home page in a group called **Company Apps**. -![692_2_img-2_950x669](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_2_img-2_950x669.webp) +![692_2_img-2_950x669](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_2_img-2_950x669.webp) Alternatively, use the FULL/REPLACE mode to deliver a single tile of your choosing, your users will still have no ability to change the Start Screen, and the Endpoint Policy Manager tile will go away. Note that the Advertisement group is still present on the LEFT side. -![692_3_img-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_3_img-3.webp) +![692_3_img-3](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_3_img-3.webp) The name of this group is changeable using Endpoint Policy Manager TaskBar manager as seen here. -![692_4_img-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_4_img-4.webp) +![692_4_img-4](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/692_4_img-4.webp) ## Second Workaround 
@@ -49,4 +49,4 @@ Rd /s /q "%APPDATA%\Microsoft\Windows\Start Menu\PolicyPak Start Screen Manager\ It will remove the Endpoint Policy Manager tile from the Start Menu. The example screen shot and sample script is below. -![819_5_c4b607f18774d1a207d45cbd8a96b426](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/819_5_c4b607f18774d1a207d45cbd8a96b426.webp) +![819_5_c4b607f18774d1a207d45cbd8a96b426](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/819_5_c4b607f18774d1a207d45cbd8a96b426.webp) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/logonworkaround.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/logonworkaround.md index ac4ede4f99..6a5f062031 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/logonworkaround.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/logonworkaround.md 
@@ -25,23 +25,23 @@ REM Put your code here, which will be executed once Your settings should look similar to the screenshot below: -![929_1_image-20221021235430-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_1_image-20221021235430-1.webp) +![929_1_image-20221021235430-1](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_1_image-20221021235430-1.webp) **Step 3 –** For the Revert action screen, click Next and do not set a revert action as Triggers do not support Revert actions. -![929_2_image-20221021235430-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_2_image-20221021235430-2.webp) +![929_2_image-20221021235430-2](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_2_image-20221021235430-2.webp) **Step 4 –** For the Trigger type setting choose "Logon" -![929_3_image-20221021235430-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_3_image-20221021235430-3.webp) +![929_3_image-20221021235430-3](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_3_image-20221021235430-3.webp) **Step 5 –** Optional: Set the Triger settings wait period for 1 minute after login if desired.  Note, you can also uncheck this setting here and then programmatically in your BATCH script set a wait period for seconds if desired, (i.e., to wait 20 seconds before running the next command you could use "SLEEP 20"). 
-![929_4_image-20221021235430-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_4_image-20221021235430-4.webp) +![929_4_image-20221021235430-4](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/929_4_image-20221021235430-4.webp) **Step 6 –** Lastly, save and apply the policy, then test from an endpoint, the result will be that Scripts and Triggers will look for the flag file at EVERY login… one minute after login (using the diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/office365.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/office365.md index 99b173a381..66c54e5dad 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/office365.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/office365.md 
@@ -5,25 +5,25 @@ PolicyPak) Start Screen Manager, you might find blank tiles like what is experie On LTSC machines, you won't see any tiles at all, because there is no Microsoft Edge installed. -![910_1_image001_950x879](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_1_image001_950x879.webp) +![910_1_image001_950x879](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_1_image001_950x879.webp) When you click on a tile, you should see some indication of the issue like what's seen here. -![910_2_image002_950x308](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_2_image002_950x308.webp) +![910_2_image002_950x308](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_2_image002_950x308.webp) Upon inspection of one of the tiles, you might see the target application shown like this: -![910_3_image003_950x697](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_3_image003_950x697.webp) +![910_3_image003_950x697](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_3_image003_950x697.webp) However, the correct details should be entered as follows: -![910_4_image004_950x690](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_4_image004_950x690.webp) +![910_4_image004_950x690](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/910_4_image004_950x690.webp) To get this to work, you should use the Endpoint Policy Manager Start Screen Helper Tool on a machine with the version of Office 2016, 2019, or Office 365 you want to add icons for. 
Here's the video on this -tool:[Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](../../video/startscreentaskbar/helperutility.md)/ +tool:[Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](/docs/policypak/policypak/video/startscreentaskbar/helperutility.md)/ Summary to get Office icons to appear on endpoints: diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/pinnedcollection.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/pinnedcollection.md index b0d6700587..8b78b6fa18 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/pinnedcollection.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/pinnedcollection.md @@ -8,6 +8,6 @@ Items which are delivered to the TASK BAR must also have items that exist on the items do not exist, we will create a group JUST for the Task Bar. That is configurable, and you can see how to do it in the second screenshot. -![623_1_faq-07-img-01](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/623_1_faq-07-img-01.webp) +![623_1_faq-07-img-01](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/623_1_faq-07-img-01.webp) -![623_2_faq-07-img-02](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/623_2_faq-07-img-02.webp) +![623_2_faq-07-img-02](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/623_2_faq-07-img-02.webp) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/rollback.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/rollback.md index 92a33ef25b..c6ca94f4d6 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/rollback.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/rollback.md 
@@ -4,4 +4,4 @@ Use Netwrix Endpoint Policy Manager (formerly PolicyPak) Script manager to run a re-trigger the initial start menu layout. Note you may not get an EXACT revert; but it's pretty close. -[Endpoint Policy ManagerStart Screen and Endpoint Policy Manager Scripts: Specify exact Start Menu experience one time](../../video/startscreentaskbar/onetime.md) +[Endpoint Policy ManagerStart Screen and Endpoint Policy Manager Scripts: Specify exact Start Menu experience one time](/docs/policypak/policypak/video/startscreentaskbar/onetime.md) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10disablenotification.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10disablenotification.md index c18817ef1b..ad292826ee 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10disablenotification.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/windows10disablenotification.md @@ -7,11 +7,11 @@ notifications. Notification Examples: -![76_1_image-20200728223133-1](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_1_image-20200728223133-1.webp) +![76_1_image-20200728223133-1](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_1_image-20200728223133-1.webp) -![76_3_image-20200728223133-2](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_3_image-20200728223133-2.webp) +![76_3_image-20200728223133-2](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_3_image-20200728223133-2.webp) -![76_5_image-20200728223134-3](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_5_image-20200728223134-3.webp) +![76_5_image-20200728223134-3](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_5_image-20200728223134-3.webp) ## OPTION1: Using Group Policy Preferences > Registry 
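Review bot: Two link lines rewritten just above keep formatting defects from the old text. In startscreentaskbar/office365.md the `+` line `tool:[Endpoint Policy Manager Start Screen and Taskbar Manager Helper Utility](...)/` has no space after `tool:` and a stray `/` after the closing parenthesis, and in startscreentaskbar/rollback.md the link text reads `Endpoint Policy ManagerStart Screen` with a missing space. Since both lines are already being changed for the path rewrite, correct them here instead of carrying the defects forward.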
@@ -29,11 +29,11 @@ Value name: NoNewAppAlert Value type: REG_DWORD Value data: 00000001 -![76_7_image-20200728223134-4](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_7_image-20200728223134-4.webp) +![76_7_image-20200728223134-4](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_7_image-20200728223134-4.webp) Policy should look like below when created: -![76_9_image-20200728223134-5_950x59](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_9_image-20200728223134-5_950x59.webp) +![76_9_image-20200728223134-5_950x59](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_9_image-20200728223134-5_950x59.webp) **Step 5 –** Lastly, apply policy to computer OU or domain where you want New App notifications to be disabled. @@ -47,12 +47,12 @@ Manager and give it a descriptive name. **Step 3 –** Right-click on Scripts Manager and select "Add Policy…" -![76_11_image-20200728223134-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_11_image-20200728223134-6.webp) +![76_11_image-20200728223134-6](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_11_image-20200728223134-6.webp) **Step 4 –** At the "Specify policy target" screen stick with the default "Apply this policy to the computer (default)" then click "Next". -![76_13_image-20200728223134-7](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_13_image-20200728223134-7.webp) +![76_13_image-20200728223134-7](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_13_image-20200728223134-7.webp) **Step 5 –** At the "On apply action" screen select "PowerShell script" from the dropdown and then copy in the text below then click "Next". 
@@ -67,7 +67,7 @@ copy in the text below then click "Next".                 -ea SilentlyContinue; ``` -![76_15_image-20200728223134-8](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_15_image-20200728223134-8.webp) +![76_15_image-20200728223134-8](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_15_image-20200728223134-8.webp) **Step 6 –** OPTIONAL: At the "On revert action" screen select "PowerShell script" from the dropdown and then copy in the text below then click "Next". @@ -80,12 +80,12 @@ and then copy in the text below then click "Next".                 SilentlyContinue; ``` -![76_17_image-20200728223134-9](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_17_image-20200728223134-9.webp) +![76_17_image-20200728223134-9](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_17_image-20200728223134-9.webp) **Step 7 –** At the "Specify process mode" screen select the "Once or when forced" option then click next. -![76_19_image-20200728223134-10](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_19_image-20200728223134-10.webp) +![76_19_image-20200728223134-10](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/76_19_image-20200728223134-10.webp) **Step 8 –** Give the policy a descriptive name and then click finish. diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/windowsdefault.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/windowsdefault.md index f8552c6944..d390328307 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/windowsdefault.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/windowsdefault.md 
@@ -10,7 +10,7 @@ The problem we observe is with the following two Windows Applications: Your start menu has missing icons of the above programs, as shown in the following screenshot. -![678_1_image-20191219082753-5](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/678_1_image-20191219082753-5.webp) +![678_1_image-20191219082753-5](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/678_1_image-20191219082753-5.webp) The icons should come back after you apply the following workaround. @@ -24,4 +24,4 @@ Workaround for many computers using GPPref Item: - Use Group Policy Preferences Item to remove those folders from the location. -![678_2_image-20191219082753-6](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/678_2_image-20191219082753-6.webp) +![678_2_image-20191219082753-6](/img/product_docs/policypak/policypak/troubleshooting/startscreentaskbar/678_2_image-20191219082753-6.webp) diff --git a/docs/policypak/policypak/troubleshooting/startscreentaskbar/xmlfiles.md b/docs/policypak/policypak/troubleshooting/startscreentaskbar/xmlfiles.md index ddc991a8e8..04aa2ec070 100644 --- a/docs/policypak/policypak/troubleshooting/startscreentaskbar/xmlfiles.md +++ b/docs/policypak/policypak/troubleshooting/startscreentaskbar/xmlfiles.md @@ -7,7 +7,7 @@ in `%programdata%\PolicyPak\PolicyPak Start Screen Manager\RSoP\User\`, as seen in Figure 58. A good first troubleshooting step would be to see what the file contains. -![troubleshooting](../../../../../static/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) +![troubleshooting](/img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp) Figure 58. The ssmResults.xml file shows what Start Screen & Taskbar Manager has performed. 
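Review bot: The image for Figure 58 in xmlfiles.md resolves to /img/product_docs/policypak/policypak/troubleshooting/preferences/troubleshooting.webp, the same file that scriptstriggers/overview.md uses for Figure 33 earlier in this patch. One caption describes a Scripts & Triggers Manager log and the other the ssmResults.xml file, so at least one of the two pages is showing the wrong picture. The path rewrite preserves the old target faithfully, but the shared `preferences/troubleshooting.webp` reference should be replaced with an image stored under troubleshooting/startscreentaskbar/ (and the Figure 33 one under scriptstriggers/), or tracked in a follow-up so the mismatch is not lost in a bulk path migration.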
diff --git a/docs/policypak/policypak/troubleshooting/versions.md b/docs/policypak/policypak/troubleshooting/versions.md index c11cff4864..f485010015 100644 --- a/docs/policypak/policypak/troubleshooting/versions.md +++ b/docs/policypak/policypak/troubleshooting/versions.md @@ -11,7 +11,7 @@ Policy Manager Application Manager). In the Customer Portal, you'll see the BUILD number demonstrated like this … in this example the build is 834.. -![217_1_image002](../../../../static/img/product_docs/policypak/policypak/troubleshooting/217_1_image002.webp) +![217_1_image002](/img/product_docs/policypak/policypak/troubleshooting/217_1_image002.webp) Here's how to read it: @@ -32,15 +32,15 @@ You'll only see the CSE ID which should match the build number. Older builds, like 761 will show it like this: -![217_2_image0011](../../../../static/img/product_docs/policypak/policypak/troubleshooting/217_2_image0011.webp) +![217_2_image0011](/img/product_docs/policypak/policypak/troubleshooting/217_2_image0011.webp) Newer builds, like 834 will show it like this: -![217_3_image004](../../../../static/img/product_docs/policypak/policypak/troubleshooting/217_3_image004.webp) +![217_3_image004](/img/product_docs/policypak/policypak/troubleshooting/217_3_image004.webp) You can also see the same number in Programs / Features in Windows like this: -![217_4_image005](../../../../static/img/product_docs/policypak/policypak/troubleshooting/217_4_image005.webp) +![217_4_image005](/img/product_docs/policypak/policypak/troubleshooting/217_4_image005.webp) What do the numbers BEFORE the build mean? 
@@ -57,4 +57,4 @@ In this screenshot, you can see the original style and the new style: - Original style (4.2.785.1) means build 785 of the DesignStudio compiled the Pak. - New Style (15.12.827.19) means build 827 of the DesignStudio compiled the Pak. -![217_5_image006](../../../../static/img/product_docs/policypak/policypak/troubleshooting/217_5_image006.webp) +![217_5_image006](/img/product_docs/policypak/policypak/troubleshooting/217_5_image006.webp) diff --git a/docs/policypak/policypak/troubleshooting/watcherservice.md b/docs/policypak/policypak/troubleshooting/watcherservice.md index dc0da18652..23446fe91a 100644 --- a/docs/policypak/policypak/troubleshooting/watcherservice.md +++ b/docs/policypak/policypak/troubleshooting/watcherservice.md @@ -19,11 +19,11 @@ x64 For example, an x64 machine with a single user logged in would have 5 instances. -![670_1_2017-11-13_2259](../../../../static/img/product_docs/policypak/policypak/troubleshooting/490_1_2017-11-13_2259.webp) +![670_1_2017-11-13_2259](/img/product_docs/policypak/policypak/troubleshooting/490_1_2017-11-13_2259.webp) If another user logged in, it would add another pair of PPWatcherSvc (32/64) instances for a total of 7 processes. An x86 system with TWO users logged in would look like this. -![670_2_2017-11-13_2302](../../../../static/img/product_docs/policypak/policypak/troubleshooting/490_2_2017-11-13_2302.webp) +![670_2_2017-11-13_2302](/img/product_docs/policypak/policypak/troubleshooting/490_2_2017-11-13_2302.webp) diff --git a/docs/policypak/policypak/troubleshooting/watcherservicememoryusage.md b/docs/policypak/policypak/troubleshooting/watcherservicememoryusage.md index 1fe21c731d..8c4ccb98a9 100644 --- a/docs/policypak/policypak/troubleshooting/watcherservicememoryusage.md +++ b/docs/policypak/policypak/troubleshooting/watcherservicememoryusage.md 
@@ -19,14 +19,14 @@ x64 For example, an x64 machine with a single user logged in would have 5 instances. -![490_1_2017-11-13_2259](../../../../static/img/product_docs/policypak/policypak/troubleshooting/490_1_2017-11-13_2259.webp) +![490_1_2017-11-13_2259](/img/product_docs/policypak/policypak/troubleshooting/490_1_2017-11-13_2259.webp) If another user logged in, it would add another pair of PPWatcherSvc (32/64) instances for a total of 7 processes. An x86 system with TWO users logged in would look like this. -![490_2_2017-11-13_2302](../../../../static/img/product_docs/policypak/policypak/troubleshooting/490_2_2017-11-13_2302.webp) +![490_2_2017-11-13_2302](/img/product_docs/policypak/policypak/troubleshooting/490_2_2017-11-13_2302.webp) As for memory usage, you can expect there to be around 5MB per session; split between the 32bit and 64bit processes. @@ -42,4 +42,4 @@ Details column, like what's seen here. Then you can add up the RAM used. For this example with three logged on users the total PPWatcherSvc memory is 13.92 MB. -![490_3_hf-kb-img-001](../../../../static/img/product_docs/policypak/policypak/troubleshooting/490_3_hf-kb-img-001.webp) +![490_3_hf-kb-img-001](/img/product_docs/policypak/policypak/troubleshooting/490_3_hf-kb-img-001.webp) diff --git a/docs/policypak/policypak/video/applicationsettings/acrobat.md b/docs/policypak/policypak/video/applicationsettings/acrobat.md index c2b8375e73..24da02f0fb 100644 --- a/docs/policypak/policypak/video/applicationsettings/acrobat.md +++ b/docs/policypak/policypak/video/applicationsettings/acrobat.md 
@@ -51,17 +51,17 @@ Our PolicyPak software snaps-in to the Group Policy Editor and mimics the user i Acrobat Reader application itself. You can set key settings (like turning off Acrobat Reader updates), like what is seen here: -![33_1_acrobat-group-policy-policypak-3](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/33_1_acrobat-group-policy-policypak-3.webp) +![33_1_acrobat-group-policy-policypak-3](/img/product_docs/policypak/policypak/video/applicationsettings/33_1_acrobat-group-policy-policypak-3.webp) You can ensure that Adobe's Javascript support is truly disabled, which makes your whole company more secure, like what is seen here. -![33_2_acrobat-group-policy-policypak-4](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/33_2_acrobat-group-policy-policypak-4.webp) +![33_2_acrobat-group-policy-policypak-4](/img/product_docs/policypak/policypak/video/applicationsettings/33_2_acrobat-group-policy-policypak-4.webp) Or ensure your users are forced to use the "big guns" with "Enable Enhanced Security" and ensure users can't work around it. -![33_3_acrobat-group-policy-policypak-5](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/33_3_acrobat-group-policy-policypak-5.webp) +![33_3_acrobat-group-policy-policypak-5](/img/product_docs/policypak/policypak/video/applicationsettings/33_3_acrobat-group-policy-policypak-5.webp) Without PolicyPak, you're on the losing side, because users are going to simply steamroll over you. 
@@ -81,11 +81,11 @@ Policy and enterprise software deployments and desktop lockdown. When you're ready to get serious about managing Acrobat Reader today, PolicyPak is ready for you. Unless you want your users to see this. -![33_4_acrobat-group-policy-policypak-1](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/33_4_acrobat-group-policy-policypak-1.webp) +![33_4_acrobat-group-policy-policypak-1](/img/product_docs/policypak/policypak/video/applicationsettings/33_4_acrobat-group-policy-policypak-1.webp) Or this: -![33_5_acrobat-group-policy-policypak-2](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/33_5_acrobat-group-policy-policypak-2.webp) +![33_5_acrobat-group-policy-policypak-2](/img/product_docs/policypak/policypak/video/applicationsettings/33_5_acrobat-group-policy-policypak-2.webp) ### Manage Acrobat Reader with Group Policy video transcript diff --git a/docs/policypak/policypak/video/applicationsettings/chrome/bookmarks.md b/docs/policypak/policypak/video/applicationsettings/chrome/bookmarks.md index f73f2ca3d9..193538a548 100644 --- a/docs/policypak/policypak/video/applicationsettings/chrome/bookmarks.md +++ b/docs/policypak/policypak/video/applicationsettings/chrome/bookmarks.md @@ -6,7 +6,7 @@ can deliver Chrome bookmarks. - Launch Google Chrome PAK properties - Select Extras tab and find an option Managed Bookmarks - ![491_1_gg_900x644](../../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/chrome/491_1_gg_900x644.webp) + ![491_1_gg_900x644](/img/product_docs/policypak/policypak/video/applicationsettings/chrome/491_1_gg_900x644.webp) - Insert string as following. Change the URL and Name to reflect your required bookmarks. diff --git a/docs/policypak/policypak/video/applicationsettings/flashplayer.md b/docs/policypak/policypak/video/applicationsettings/flashplayer.md index 37d0f1b21f..9e63093fc4 100644 
--- a/docs/policypak/policypak/video/applicationsettings/flashplayer.md +++ b/docs/policypak/policypak/video/applicationsettings/flashplayer.md @@ -42,17 +42,17 @@ Our PolicyPak software snaps-in to the Group Policy Editor and mimics the user i Player itself. We've even added a few things you can't normally do – unless you know the tricks !Here, you can see how to prevent Flash from being updated. -![130_1_flash-player-group-policy-policypak-1](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/130_1_flash-player-group-policy-policypak-1.webp) +![130_1_flash-player-group-policy-policypak-1](/img/product_docs/policypak/policypak/video/applicationsettings/130_1_flash-player-group-policy-policypak-1.webp) And you can prevent users from picking up dangerous Flash super cookies, by performing this simple step. -![130_2_flash-player-group-policy-policypak-2](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/130_2_flash-player-group-policy-policypak-2.webp) +![130_2_flash-player-group-policy-policypak-2](/img/product_docs/policypak/policypak/video/applicationsettings/130_2_flash-player-group-policy-policypak-2.webp) Or, you can prevent users from using cameras and microphones! A serious Privacy "no-no" ! Poof..there goes cameras and microphones for the user. -![130_3_flash-player-group-policy-policypak-3](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/130_3_flash-player-group-policy-policypak-3.webp) +![130_3_flash-player-group-policy-policypak-3](/img/product_docs/policypak/policypak/video/applicationsettings/130_3_flash-player-group-policy-policypak-3.webp) With PolicyPak and the free Pre-Configured PolicyPak for Flash Player, you get full control over Flash Player, and granular control for each OU or users – using normal Group Policy controls. What's 
diff --git a/docs/policypak/policypak/video/applicationsettings/office.md b/docs/policypak/policypak/video/applicationsettings/office.md index f92c0c150c..a775820606 100644 --- a/docs/policypak/policypak/video/applicationsettings/office.md +++ b/docs/policypak/policypak/video/applicationsettings/office.md 
@@ -21,31 +21,31 @@ about formulas, which is why there are so many configuration settings based arou PolicyPak to configure the "Error checking rules" such as "Cells containing formulas that result in an error" to ensure that the spreadsheets your users are creating are accurate. -![94_1_manage-microsoft-excel-2016-using-group-policy-policypak-1](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/94_1_manage-microsoft-excel-2016-using-group-policy-policypak-1.webp) +![94_1_manage-microsoft-excel-2016-using-group-policy-policypak-1](/img/product_docs/policypak/policypak/video/applicationsettings/94_1_manage-microsoft-excel-2016-using-group-policy-policypak-1.webp) Now let's look at Microsoft Word 2013 or 2016. Not only do you users constantly create Word files, they also download them as well, many times from the Internet. Make sure that "Enable Protected view for files originating from the Internet" is enabled. -![94_2_manage-microsoft-word-2016-using-group-policy-policypak-2](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/94_2_manage-microsoft-word-2016-using-group-policy-policypak-2.webp) +![94_2_manage-microsoft-word-2016-using-group-policy-policypak-2](/img/product_docs/policypak/policypak/video/applicationsettings/94_2_manage-microsoft-word-2016-using-group-policy-policypak-2.webp) So you think you can manage "Formulas" settings for Microsoft Excel 2013 and 2016 using Group Policy and the ADMX files alone. Think again. The ADMX files only allot you a single setting configuration option. PolicyPak covers all of them. -![94_3_graph](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/94_3_graph.webp) +![94_3_graph](/img/product_docs/policypak/policypak/video/applicationsettings/94_3_graph.webp) And of course there is Outlook, your business communication lifeline that needs to work properly every time it is launched. Security for this application is. 
Use PolicyPak to configure the "Don't download pictures automatically in HTML email messages or RSS items." -![94_4_manage-outook-2016-using-group-policy-policypak-1](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/94_4_manage-outook-2016-using-group-policy-policypak-1.webp) +![94_4_manage-outook-2016-using-group-policy-policypak-1](/img/product_docs/policypak/policypak/video/applicationsettings/94_4_manage-outook-2016-using-group-policy-policypak-1.webp) PowerPoint doesn't seem like a security minded application, but like all of the Office 2013 and 2016 Suite applications, you can configure the "Privacy Options" and opt out of the "Customer Experience Improvement Program." -![94_5_manage-powerpoint-2016-using-group-policy-policypak-2](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/94_5_manage-powerpoint-2016-using-group-policy-policypak-2.webp) +![94_5_manage-powerpoint-2016-using-group-policy-policypak-2](/img/product_docs/policypak/policypak/video/applicationsettings/94_5_manage-powerpoint-2016-using-group-policy-policypak-2.webp) With PolicyPak, you're the one in control. diff --git a/docs/policypak/policypak/video/applicationsettings/skype.md b/docs/policypak/policypak/video/applicationsettings/skype.md index 84a61f35e8..a13697e215 100644 --- a/docs/policypak/policypak/video/applicationsettings/skype.md +++ b/docs/policypak/policypak/video/applicationsettings/skype.md 
@@ -21,16 +21,16 @@ ensure users cannot work around your set policies. You can deliver key settings and lock users out of scary Lync Client settings, as seen here. -![50_1_manage-lync-with-group-policy-fig1](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/50_1_manage-lync-with-group-policy-fig1.webp) +![50_1_manage-lync-with-group-policy-fig1](/img/product_docs/policypak/policypak/video/applicationsettings/50_1_manage-lync-with-group-policy-fig1.webp) You can dictate the Inactive and Away times for the Lync Client, like what is seen here. -![50_2_manage-lync-with-group-policy-fig2](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/50_2_manage-lync-with-group-policy-fig2.webp) +![50_2_manage-lync-with-group-policy-fig2](/img/product_docs/policypak/policypak/video/applicationsettings/50_2_manage-lync-with-group-policy-fig2.webp) Or ensure your users don't mess with settings which are dictated from the Lync server by completely disabling a whole tab, like what is seen here. -![50_3_manage-lync-with-group-policy-fig3](../../../../../static/img/product_docs/policypak/policypak/video/applicationsettings/50_3_manage-lync-with-group-policy-fig3.webp) +![50_3_manage-lync-with-group-policy-fig3](/img/product_docs/policypak/policypak/video/applicationsettings/50_3_manage-lync-with-group-policy-fig3.webp) Getting Lync server deployed isn't easy. And when it is deployed, make sure your users are using it the way you intended, instead of working around your settings. With PolicyPak, you can deliver lots diff --git a/docs/policypak/policypak/video/applicationsettings/trustedappsets.md b/docs/policypak/policypak/video/applicationsettings/trustedappsets.md index 4b4048d7c6..53be9f3cc5 100644 --- a/docs/policypak/policypak/video/applicationsettings/trustedappsets.md +++ b/docs/policypak/policypak/video/applicationsettings/trustedappsets.md 
@@ -7,5 +7,5 @@ this feature. **NOTE:** Before heading down this path please watch the backup / restore videos: -- [Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](../troubleshooting/backup.md) -- [Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](../troubleshooting/backupoptions.md) +- [Endpoint Policy Manager Application Settings Manager: Backup, Restore, Export, Import](/docs/policypak/policypak/video/troubleshooting/backup.md) +- [Endpoint Policy Manager: Backup and Restore Options to Recover from nearly any problem](/docs/policypak/policypak/video/troubleshooting/backupoptions.md) diff --git a/docs/policypak/policypak/video/cloud/add/administrator.md b/docs/policypak/policypak/video/cloud/add/administrator.md index 8599e5c3d3..ab212488c9 100644 --- a/docs/policypak/policypak/video/cloud/add/administrator.md +++ b/docs/policypak/policypak/video/cloud/add/administrator.md @@ -4,7 +4,7 @@ The process of adding new admins to your cloud service couldn't be easier. Watch out how. See -also:  [Endpoint Policy Manager Cloud Portal - Adding new company admins - Quickstart](../../../cloud/add/administrator.md) +also:  [Endpoint Policy Manager Cloud Portal - Adding new company admins - Quickstart](/docs/policypak/policypak/cloud/add/administrator.md) Hi, this is Whitney with PolicyPak Software. In this video, we are talking about adding a new admin to your cloud service. There are a few different scenarios in which this could happen, so we'll walk diff --git a/docs/policypak/policypak/video/fileassociations/acroreader.md b/docs/policypak/policypak/video/fileassociations/acroreader.md index ebed60f36a..e2b6da3cbc 100644 --- a/docs/policypak/policypak/video/fileassociations/acroreader.md +++ b/docs/policypak/policypak/video/fileassociations/acroreader.md 
@@ -153,7 +153,7 @@ just prove that real fast. Let's go ahead and "Sign out." When we log back on, a interesting should happen. That's the whole point. It should just keep on working. There we go. Just to lay it out one more time, using Endpoint Policy Manager -for [Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](windows10.md) with +for [Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](/docs/policypak/policypak/video/fileassociations/windows10.md) with collections, the collections have the brains. The brains are you're going to use "Change Item Level Targeting" and say do the stuff in the collection when I see the application I want to manage. For instance, this one is Acrobat Reader. This one is Acrobat Writer. Once you have that, you've diff --git a/docs/policypak/policypak/video/fileassociations/windows10modify.md b/docs/policypak/policypak/video/fileassociations/windows10modify.md index f2ac3b4e55..8c10e3393e 100644 --- a/docs/policypak/policypak/video/fileassociations/windows10modify.md +++ b/docs/policypak/policypak/video/fileassociations/windows10modify.md 
@@ -19,11 +19,11 @@ two very similar machines. This first machine is going to represent your machine machine. The second machine represents Mr. or Ms. endpoint machine, the person who actually uses stuff. -![21_1_windows-10-file-association-demo-admin-machine](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_1_windows-10-file-association-demo-admin-machine.webp) +![21_1_windows-10-file-association-demo-admin-machine](/img/product_docs/policypak/policypak/video/fileassociations/21_1_windows-10-file-association-demo-admin-machine.webp) Figure 1: Admin Machine -![21_2_windows-10-file-association-endpoint-machine](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_2_windows-10-file-association-endpoint-machine.webp) +![21_2_windows-10-file-association-endpoint-machine](/img/product_docs/policypak/policypak/video/fileassociations/21_2_windows-10-file-association-endpoint-machine.webp) #### Common Windows 10 File Association Issues @@ -32,7 +32,7 @@ issues that you've probably seen and have driven you crazy. #### Problem #1: Change Windows 10 File Associations for PDF -![21_3_windows-10-file-association-pdf-edge](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_3_windows-10-file-association-pdf-edge.webp) +![21_3_windows-10-file-association-pdf-edge](/img/product_docs/policypak/policypak/video/fileassociations/21_3_windows-10-file-association-pdf-edge.webp) Figure 3: Trying to set Windows 10 file associations for PDF to Adobe Reader always reverts back to Microsoft Edge 
@@ -49,7 +49,7 @@ one that you have likely seen. #### Problem #2: Change Windows 10 File Associations for MP4 -![21_4_windows-10-file-association-for-mp4-files](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_4_windows-10-file-association-for-mp4-files.webp) +![21_4_windows-10-file-association-for-mp4-files](/img/product_docs/policypak/policypak/video/fileassociations/21_4_windows-10-file-association-for-mp4-files.webp) Figure 4: Windows 10 file association for MP4 defaults to Microsoft's movie player @@ -60,11 +60,11 @@ installed. How do you automatically get users to connect to that? That's another #### Problem #3: Change Windows 10 File Associations for MAILTO -![21_5_windows-10-file-association-mailto-default](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_5_windows-10-file-association-mailto-default.webp) +![21_5_windows-10-file-association-mailto-default](/img/product_docs/policypak/policypak/video/fileassociations/21_5_windows-10-file-association-mailto-default.webp) Figure 5: Prompt for MAILTO asking if you want to email this person -![21_6_windows-10-file-association-mailto-mailer](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_6_windows-10-file-association-mailto-mailer.webp) +![21_6_windows-10-file-association-mailto-mailer](/img/product_docs/policypak/policypak/video/fileassociations/21_6_windows-10-file-association-mailto-mailer.webp) Figure 6: The Windows 10 file association for MAILTO is Microsoft's built-in mailer 
@@ -74,7 +74,7 @@ likely. #### Problem #4: Set Windows 10 File Associations for Unknown Applications -![21_7_windows-10-file-association-unknown-application](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_7_windows-10-file-association-unknown-application.webp) +![21_7_windows-10-file-association-unknown-application](/img/product_docs/policypak/policypak/video/fileassociations/21_7_windows-10-file-association-unknown-application.webp) Figure 7: Set Windows 10 file associations for unknown applications @@ -91,13 +91,13 @@ there. ### How to Change Windows 10 File Associations with Endpoint Policy Manager File Associations Manager -![21_8_policy-pak-file-association-manager-for-windows-10](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_8_policy-pak-file-association-manager-for-windows-10.webp) +![21_8_policy-pak-file-association-manager-for-windows-10](/img/product_docs/policypak/policypak/video/fileassociations/21_8_policy-pak-file-association-manager-for-windows-10.webp) Figure 8: Endpoint Policy Manager File Associations Manager for Windows 10 #### Step #1: Start with the Group Policy Management Console (GPMC) -![21_9_start-with-gpmc-policypak-file-association-manager](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_9_start-with-gpmc-policypak-file-association-manager.webp) +![21_9_start-with-gpmc-policypak-file-association-manager](/img/product_docs/policypak/policypak/video/fileassociations/21_9_start-with-gpmc-policypak-file-association-manager.webp) Figure 9: Using the Group Policy Management Console to create a new GPO 
@@ -113,7 +113,7 @@ out all four problems. #### Step 2: Create Windows 10 File Association Policy for PDF to Acrobat -![21_10_create-windows-10-file-association-policy-with-policypak](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_10_create-windows-10-file-association-policy-with-policypak.webp) +![21_10_create-windows-10-file-association-policy-with-policypak](/img/product_docs/policypak/policypak/video/fileassociations/21_10_create-windows-10-file-association-policy-with-policypak.webp) Figure 10: Creating a Policy with Endpoint Policy Manager File Associations Manager @@ -121,7 +121,7 @@ Endpoint Policy Manager File Associations Manager is on the computer side, and w below. The first thing we want to do is associate Acrobat with PDF. We'll right-click, "Add/New Policy" here. We'll call this "PDF to Acrobat." -![21_11_windows-10-file-association-pdf-to-acrobat](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_11_windows-10-file-association-pdf-to-acrobat.webp) +![21_11_windows-10-file-association-pdf-to-acrobat](/img/product_docs/policypak/policypak/video/fileassociations/21_11_windows-10-file-association-pdf-to-acrobat.webp) Figure 11: Creating a Windows 10 File Association Policy for PDF to Acrobat 
@@ -133,7 +133,7 @@ simple as that. You can click "OK," and there we go. You've solved that problem. #### Step 3: Change Windows 10 File Association Policy for MP4 to VLC Media Player -![21_12_create-windows-10-file-association-policy-for-mp4-with-policypak-file-associations-manager](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_12_create-windows-10-file-association-policy-for-mp4-with-policypak-file-associations-manager.webp) +![21_12_create-windows-10-file-association-policy-for-mp4-with-policypak-file-associations-manager](/img/product_docs/policypak/policypak/video/fileassociations/21_12_create-windows-10-file-association-policy-for-mp4-with-policypak-file-associations-manager.webp) Figure 12: Change Windows 10 File Association for MP4 to VLC Player 
@@ -143,13 +143,13 @@ just say the "Video Player" itself will be a "Registered application." We have " this machine, so we'll go ahead and "Select Program." There we go. We'll just go ahead and pick "VLC media player," and you've solved that problem. -![21_13_windows-10-file-association-for-mp4-changed-to-vlc-player](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_13_windows-10-file-association-for-mp4-changed-to-vlc-player.webp) +![21_13_windows-10-file-association-for-mp4-changed-to-vlc-player](/img/product_docs/policypak/policypak/video/fileassociations/21_13_windows-10-file-association-for-mp4-changed-to-vlc-player.webp) Figure 13: MP4 is now associated with VLC Media Player #### Step 4: Set Windows 10 File Association Policy for Mailto to Outlook -![21_14_windows-10-file-association-changed-mailto-outlook](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_14_windows-10-file-association-changed-mailto-outlook.webp) +![21_14_windows-10-file-association-changed-mailto-outlook](/img/product_docs/policypak/policypak/video/fileassociations/21_14_windows-10-file-association-changed-mailto-outlook.webp) Figure 14: Use Network protocol MAILTO and set Windows 10 file association to Outlook 
@@ -162,7 +162,7 @@ This protocol is called "MAILTO." If somebody clicks on a link that says "mailto run another "Registered application." Which one? I happen to have Outlook already preinstalled on this machine. -![21_15_windows-10-file-association-for-mailto-set-with-policypak](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_15_windows-10-file-association-for-mailto-set-with-policypak.webp) +![21_15_windows-10-file-association-for-mailto-set-with-policypak](/img/product_docs/policypak/policypak/video/fileassociations/21_15_windows-10-file-association-for-mailto-set-with-policypak.webp) Figure 15: Setting Windows 10 File Association from MAILTO to Outlook with Endpoint Policy Manager @@ -174,7 +174,7 @@ click "OK," and you've solved that problem right there. Then the last Windows 10 file association we want to do is to "Add Policy" that says "XML to Notepad++." -![21_16_windows-10-file-association-custome-application](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_16_windows-10-file-association-custome-application.webp) +![21_16_windows-10-file-association-custome-application](/img/product_docs/policypak/policypak/video/fileassociations/21_16_windows-10-file-association-custome-application.webp) Figure 17: Use a custom application to set Windows 10 File Associations for Notepad++ 
@@ -187,7 +187,7 @@ endpoint or this isn't going to work. I'm going to "Browse" for it on my machine the target machine: "c:Notepad++PortableNotepad++Portable.exe." We automatically put in "%SYSTEMDRIVE%" and all that stuff. You can see, we have the "Path" all settled in. -![21_17_windows-10-file-association-notepad-confirmation](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_17_windows-10-file-association-notepad-confirmation.webp) +![21_17_windows-10-file-association-notepad-confirmation](/img/product_docs/policypak/policypak/video/fileassociations/21_17_windows-10-file-association-notepad-confirmation.webp) Figure 18: Change Windows 10 File Associations for Notepad++ to XML @@ -199,7 +199,7 @@ that requires command line arguments, you can put in your own things here. Just #### Step 6: Run GP Update to Set Windows 10 File Associations Changes -![21_18_windows-10-file-association-group-policy-update-successful](../../../../../static/img/product_docs/policypak/policypak/video/fileassociations/21_18_windows-10-file-association-group-policy-update-successful.webp) +![21_18_windows-10-file-association-group-policy-update-successful](/img/product_docs/policypak/policypak/video/fileassociations/21_18_windows-10-file-association-group-policy-update-successful.webp) Run GP Update to set Windows 10 file associations changes diff --git a/docs/policypak/policypak/video/leastprivilege/preventevents.md b/docs/policypak/policypak/video/leastprivilege/preventevents.md index 67c2652dd1..6e5c972485 100644 --- a/docs/policypak/policypak/video/leastprivilege/preventevents.md +++ b/docs/policypak/policypak/video/leastprivilege/preventevents.md 
@@ -8,4 +8,4 @@ before turning on SecureRun to know what to expect before SecureRun is used. See this video for additional information. -![Prevent Events](../../../../../static/img/product_docs/policypak/policypak/video/leastprivilege/preventevents.webp) +![Prevent Events](/img/product_docs/policypak/policypak/video/leastprivilege/preventevents.webp) diff --git a/docs/policypak/policypak/video/leastprivilege/selfelevatemode/justificationandauthentication.md b/docs/policypak/policypak/video/leastprivilege/selfelevatemode/justificationandauthentication.md index 5c17897f00..dedda3c353 100644 --- a/docs/policypak/policypak/video/leastprivilege/selfelevatemode/justificationandauthentication.md +++ b/docs/policypak/policypak/video/leastprivilege/selfelevatemode/justificationandauthentication.md @@ -7,4 +7,4 @@ the number of times executed to remember. See this video for additional information. -![Remember Justification and Authentication](../../../../../../static/img/product_docs/policypak/policypak/video/leastprivilege/selfelevatemode/rememberjustificationandauthentication.webp) +![Remember Justification and Authentication](/img/product_docs/policypak/policypak/video/leastprivilege/selfelevatemode/rememberjustificationandauthentication.webp) diff --git a/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md b/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md index 8c83c62283..ab7609e093 100644 --- a/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md +++ b/docs/policypak/policypak/video/leastprivilege/windowseventforwarding.md 
@@ -188,4 +188,4 @@ throwing UAC prompts and help you create rules to bypass them, you can do that r Thank you very much for watching, and talk to you soon. Related -article: [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](../../leastprivilege/windowseventforwarding.md) +article: [How to forward interesting events for Least Privilege Manager (or anything else) to a centralized location using Windows Event Forwarding.](/docs/policypak/policypak/leastprivilege/windowseventforwarding.md) diff --git a/docs/policypak/policypak/video/networksecurity/videolearningcenter.md b/docs/policypak/policypak/video/networksecurity/videolearningcenter.md index 26462438ed..a6675fec22 100644 --- a/docs/policypak/policypak/video/networksecurity/videolearningcenter.md +++ b/docs/policypak/policypak/video/networksecurity/videolearningcenter.md 
@@ -4,8 +4,8 @@ See the following Video topics for Network Security Manager. ## Getting Started -- [Endpoint Policy Manager Network Security Manager - The Basics](basics.md) -- [Endpoint Policy Manager Network Security Manager - Using Domain Names](domainnames.md) -- [Endpoint Policy Manager Network Security Manager - Applications and Ports](applicationsports.md) -- [Endpoint Policy Manager Network Security Manager - Global settings](globalsettings.md) -- [Endpoint Policy Manager Network Security Manager - Auditing Events](auditingevents.md) +- [Endpoint Policy Manager Network Security Manager - The Basics](/docs/policypak/policypak/video/networksecurity/basics.md) +- [Endpoint Policy Manager Network Security Manager - Using Domain Names](/docs/policypak/policypak/video/networksecurity/domainnames.md) +- [Endpoint Policy Manager Network Security Manager - Applications and Ports](/docs/policypak/policypak/video/networksecurity/applicationsports.md) +- [Endpoint Policy Manager Network Security Manager - Global settings](/docs/policypak/policypak/video/networksecurity/globalsettings.md) +- [Endpoint Policy Manager Network Security Manager - Auditing Events](/docs/policypak/policypak/video/networksecurity/auditingevents.md) diff --git a/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md b/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md index 56bc96fb5d..d6f1a0375a 100644 --- a/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md +++ b/docs/policypak/policypak/video/remotedesktopprotocol/videolearningcenter.md 
@@ -4,7 +4,7 @@ See the following Video topics for Endpoint Policy Manager RDP Manager. ## Remote Work and VDI Scenarios -- [Create and update .RDP files for end-users for Remote Work and VDI scenarios](vdiscenarios.md) -- [Create and update .RDP files for end-users using Endpoint Policy Manager Cloud Edition](cloud.md) -- [Create and update .RDP files for end-users using Endpoint Policy Manager MDM Edition](mdm.md) -- [Use Item Level Targeting to Deliver Targeted .RDP Files](itemleveltargeting.md) +- [Create and update .RDP files for end-users for Remote Work and VDI scenarios](/docs/policypak/policypak/video/remotedesktopprotocol/vdiscenarios.md) +- [Create and update .RDP files for end-users using Endpoint Policy Manager Cloud Edition](/docs/policypak/policypak/video/remotedesktopprotocol/cloud.md) +- [Create and update .RDP files for end-users using Endpoint Policy Manager MDM Edition](/docs/policypak/policypak/video/remotedesktopprotocol/mdm.md) +- [Use Item Level Targeting to Deliver Targeted .RDP Files](/docs/policypak/policypak/video/remotedesktopprotocol/itemleveltargeting.md) diff --git a/docs/policypak/policypak/video/startscreentaskbar/windows10startmenu.md b/docs/policypak/policypak/video/startscreentaskbar/windows10startmenu.md index 1f6cfd6aca..0ccfcdb6ce 100644 --- a/docs/policypak/policypak/video/startscreentaskbar/windows10startmenu.md +++ b/docs/policypak/policypak/video/startscreentaskbar/windows10startmenu.md 
@@ -130,7 +130,7 @@ right where you want to in the right group of your choice. Endpoint Policy Manager Start Screen Manager is a real game changer. Continue to watch the other videos, like how to change -[Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](../fileassociations/windows10.md) settings, +[Endpoint Policy Manager File Associations Manager: Manage Windows 10 & 11 File Associations](/docs/policypak/policypak/video/fileassociations/windows10.md) settings, to see how you can easily open PDFs, MAILTO and MP4s with the programs you want. Thanks so much for watching, and talk to you soon. diff --git a/docs/policypak/policypak/video/troubleshooting/logs.md b/docs/policypak/policypak/video/troubleshooting/logs.md index a31e219e8a..e899e26700 100644 --- a/docs/policypak/policypak/video/troubleshooting/logs.md +++ b/docs/policypak/policypak/video/troubleshooting/logs.md @@ -5,7 +5,7 @@ step is to collect logs for support to review. Follow the steps in this video to logs of the issue so support can troubleshoot it quickly. See the -[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](../../troubleshooting/fastsupport.md) +[What must I send to Endpoint Policy Manager support in order to get the FASTEST support?](/docs/policypak/policypak/troubleshooting/fastsupport.md) topic for additional information on current support policies and how to get the fastest support. ## Troubleshooting Previous Versions of Endpoint Policy Manager diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md index 8c92eb74d7..bbe159ee80 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md 
@@ -85,7 +85,7 @@ attribute so that it can be re-enabled in the future. **Step 6 –** When the entitlements have been reviewed, click Close. Changes are saved to the selected access certification task and shown on the -[Entitlements Tab for Access Certification](entitlements.md). +[Entitlements Tab for Access Certification](/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md). **NOTE:** It is not necessary to review all entitlements at once. Changes are automatically saved to the selected access certification task and can be returned to at any time (the Status will show as diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md index c6c829c72d..6764be907d 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md @@ -64,7 +64,7 @@ certification task. **Step 7 –** Click Add to add the selected user(s) or group(s). The new user(s) and group(s) are added to the certification task and are shown on the -[Users Tab for Access Certification](users.md). +[Users Tab for Access Certification](/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md). **Step 8 –** Click Close to return to the Access Certification page. diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md index 243847aea3..7fdce717dc 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md 
@@ -48,7 +48,7 @@ the **Integration Connectors** submenu. **Step 4 –** Copy and paste the following script into the "Checkout Script Block" field. (The "Checkin Script Block" field may be left blank.) -[Copy]() +[Copy](javascript:void(0);) Checkout Script Block diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/active.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/active.md index 48790e7385..1f17f5f179 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/active.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/active.md @@ -44,7 +44,7 @@ topic for additional information. The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session: +- Expand icon — Click the expand () icon to show additional information for the session: - The live session viewer allows an admin to watch a remote session that is in progress for another user. See the diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/historical.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/historical.md index 81cc8b6a4c..77ccae011e 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/historical.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/dashboard/historical.md @@ -31,7 +31,7 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information for the session: + - Expand icon — Click the expand () icon to show additional information for the session: - If a recording of the session is available, the replay viewer allows an admin to watch a replay of the remote session. See the 
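Review bot: In the `admin/dashboard/historical.md` hunk at `@@ -31,7 +31,7 @@` the added line reads `Click the expand () icon`, so the `>` glyph that identified the icon is gone and the parentheses are empty. The `admin/dashboard/active.md` hunk at `@@ -44,7 +44,7 @@` just above has the same loss. If the bare `>` was a problem for the renderer, escape it (for example `&gt;`) rather than deleting it, so the step still tells the reader which icon to click.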
diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md index 6fee98d62b..bd4e29ac31 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md @@ -26,7 +26,7 @@ The Users tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand — Click the expand (>) icon to show additional information about the activities and +- Expand — Click the expand () icon to show additional information about the activities and resources authorized for the selected user or group - Name — Displays the name of the account. Click the link to view additional details.See the [User, Group, & Application Details Page](/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md index 4a050b7bb5..edbb9208c7 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md 
@@ -26,7 +26,7 @@ The Users tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand — Click the expand (>) icon to show additional information about the activities and +- Expand — Click the expand () icon to show additional information about the activities and resources authorized for the selected user or group - Name — Displays the name of the account. See the [User, Group, & Application Details Page](/docs/privilegesecure/4.1/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/active.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/active.md index bfc8d27602..6586261c92 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/active.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/active.md @@ -22,7 +22,7 @@ The Active Sessions table has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session +- Expand icon — Click the expand () icon to show additional information for the session - Status — Shows status information for the session: - Provisioning — Pre-Session stage of the Activity is processing and assigning permissions to diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/historical.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/historical.md index 1cd023be52..5a47579147 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/historical.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/enduser/dashboard/historical.md 
@@ -21,7 +21,7 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information + - Expand icon — Click the expand () icon to show additional information - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session - View logs icon — Opens the Session Logs window to view the action log for the selected diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/actionservice.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/actionservice.md index 53f38879ec..2c22d19d7d 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/actionservice.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/actionservice.md @@ -63,7 +63,7 @@ Follow the steps to configure the key exchange. **Step 2 –** Type the following commands to export the encryption keys for the secondary: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Export @@ -84,7 +84,7 @@ server. **Step 6 –** Type the following commands to import the encryption keys: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Import diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/schedulerservice.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/schedulerservice.md index 0c91c19a4d..7d1abe306c 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/schedulerservice.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/install/schedulerservice.md @@ -56,7 +56,7 @@ Follow the steps to configure the key exchange. **Step 2 –** Type the following commands to export the encryption keys for the secondary: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Export 
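Review bot: The `schedulerservice.md` hunk at `@@ -56,7 +56,7 @@` turns the empty link `[Copy]()` into `[Copy](javascript:void(0);)`, which publishes a `javascript:` URL for a link that does nothing. It looks like residue of a copy button from the source page rather than intended content. Suggest deleting the `[Copy]` line and presenting the key export commands in a fenced code block, which also keeps `javascript:` scheme links out of the docs where link sanitizers and a strict Content-Security-Policy would flag them. The two `actionservice.md` hunks earlier on this line make the same change and need the same fix.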
@@ -77,7 +77,7 @@ server. **Step 6 –** Type the following commands to import the encryption keys: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Import diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/active.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/active.md index 8227602077..19ad5c1ea2 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/active.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/active.md @@ -22,7 +22,7 @@ The Active Sessions table has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session +- Expand icon — Click the expand () icon to show additional information for the session - Status — Shows status information for the session: - Provisioning — Pre-Session stage of the Activity is processing and assigning permissions to diff --git a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md index 9289cf5ba4..f8317d6be7 100644 --- a/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md +++ b/docs/privilegesecure/4.1/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md 
@@ -21,7 +21,7 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information + - Expand icon — Click the expand () icon to show additional information - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session - View logs icon — Opens the Session Logs window to view the action log for the selected diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/aboutpage.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/aboutpage.md index 5b48b68552..1854446639 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/aboutpage.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/aboutpage.md @@ -3,11 +3,11 @@ The About page is accessed by selecting About from the User Options menu (icon beside the logged in user name). -![About page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/aboutpage.webp) +![About page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/aboutpage.webp) It displays your license information and details about the third party components used by the application. It also allows you to upload a new license file. See the -[Import the License File](importlicense.md) topic for additional information. +[Import the License File](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md) topic for additional information. ## License Information 
@@ -24,7 +24,7 @@ At the top of the About page, the following license information is displayed: **NOTE:** Licensing is done according to user count. Any user who has provisioned access will consume a license after their first login. This is true for all users, regardless of role. -![About page showing additional Customer Info details](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/aboutcustomerdetails.webp) +![About page showing additional Customer Info details](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/aboutcustomerdetails.webp) Click the arrow icon beside the Customer Info information to view additional customer details: @@ -39,6 +39,6 @@ Click the arrow icon beside the Customer Info information to view additional cus Click About third party components to open the About third party components window. -![About third party components window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/thirdpartycomponents.webp) +![About third party components window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/thirdpartycomponents.webp) This window displays detailed information about all third party components used by the application. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/createsession.md index 4c31eec4fd..a2b27e9be9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/createsession.md 
@@ -4,7 +4,7 @@ Follow the steps to create an activity session. **Step 1 –** Select an **Activity** to expand the session ribbon. -![myactivityuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![myactivityuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) **Step 2 –** Click **Create Session** to start a new activity session. @@ -17,7 +17,7 @@ Follow the steps to create an activity session. - **CAUTION:** If your license is expired and you can still log in, you will not be able to create activity sessions. -![configuresessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) +![configuresessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) **Step 3 –** Enter the following information: @@ -30,12 +30,12 @@ Follow the steps to create an activity session. resource list. - Click **Start Session** to start the provisioning process. -![startsessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) +![startsessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) **NOTE:** If an approval is required, the Waiting for approval message will display until it has been granted. -![stopsession](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) +![stopsession](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) **Step 4 –** When provisioned, an activity session will display an Available status with a green icon. Click **Available** to launch the session. 
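Review bot: In the `createsession.md` hunk at `@@ -30,12 +30,12 @@` the rewritten image lines keep `![startsessionuser]` and `![stopsession]` as alt text, which is just the file name and tells a screen-reader user nothing. Since these lines are being touched anyway, give them descriptive alt text in the style used elsewhere in this patch (for example `![About page]`). The hunk also points an `admin/access` page at images stored under `enduser/access/`; that is carried over from the old relative path, but it is worth confirming the screenshots match the admin view.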
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/myactivities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/myactivities.md index 5f70323365..c68ab42701 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/myactivities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/myactivities.md @@ -3,7 +3,7 @@ The Access > My Activities page displays activities mapped to the user as individual cards, organized alphabetically or by Access Policy. -![My Activities Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) +![My Activities Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) To access the My Activities page, open the Access interface. If there is only a single activity card present on this page that activity will open automatically. @@ -18,4 +18,4 @@ one Access Policy. When sorted by Access Policy, the list of resources displayed the resource list of the Access Policy. To create an Activity Session, click the **plus** button to begin. See the -[Create My Activity Session](createsession.md) topic for additional information. +[Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/createsession.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/add/accesscertificationtask.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/add/accesscertificationtask.md index 1d0f968a99..e99d8adea2 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/add/accesscertificationtask.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/add/accesscertificationtask.md 
@@ -7,14 +7,14 @@ steps to add an access certification task. **Step 2 –** In the Access Certification Task list, click the Add Access Cert. Task icon. -![addtask](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/add/addtask.webp) +![addtask](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/add/addtask.webp) **Step 3 –** Enter the following information: - New Cert. Task – Displays the name of the task. - Description – (Optional) Description of the policy. - Reviewer – Select a reviewer from the drop-down menu. Only users with the Reviewer role can be - assigned as reviewer. See the [Role Management Page](../../policy/page/rolemanagement.md) topic + assigned as reviewer. See the [Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) topic for additional information. **Step 4 –** Click Save to create the new access certification task. @@ -22,6 +22,6 @@ steps to add an access certification task. **Step 5 –** With the new access certification task selected, configure the following settings: - Users – Add users or groups to the access certification task. See the - [Add Users to Review](../tab/users.md#add-users-to-review) section for more information. + [Add Users to Review](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md#add-users-to-review) section for more information. The new task is added to the Access Certification Task list. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/interface.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/interface.md index 81706e7693..1c4787927d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/interface.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/interface.md 
@@ -4,14 +4,14 @@ The Audit and Reporting interface provides auditing and reporting tools to inter activity data in the Privilege Secure Console. This chapter explains the interface features and how to use them. -![interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) Click Audit and Reporting to expand the menu. Settings can be configured for: -- [Access Certification Page](page/accesscertification.md) — Audit and remediate user access -- [Activity Log Page](page/activitylog.md) — View activity logs for users and resources -- [DB Change History Page](page/dbchangehistory.md) — View records of database additions, updates, +- [Access Certification Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md) — Audit and remediate user access +- [Activity Log Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/activitylog.md) — View activity logs for users and resources +- [DB Change History Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistory.md) — View records of database additions, updates, and deletions -- [Events Page](page/events.md) — View the console event log -- [Log Files Page](page/logfiles.md) — View the log files from within the console -- [Reporting](page/reporting.md) – View reports on activity +- [Events Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/events.md) — View the console event log +- [Log Files Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md) — View the log files from within the console +- [Reporting](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/reporting.md) – View reports on activity 
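Review bot: In the `auditreporting/interface.md` hunk the new image target is `/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp`, so a Privilege Secure 4.2 page embeds a screenshot from the Threat Prevention image tree. The old relative path resolved to the same file, so the rewrite preserves an existing mismatch rather than introducing it, but the absolute form makes it obvious. Please confirm the image shows the Privilege Secure Audit and Reporting interface, and if it does not, point the link at the correct file under `/img/product_docs/privilegesecure/`.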
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md index 0044b018a7..d51cdb6e78 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md @@ -5,7 +5,7 @@ user access. Only User(s) / group member(s) assigned the Admin Role can create a tasks. User(s) / group member(s) with the Reviewer role will see the access certification task(s) assigned to them here. -![Access Certification Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Access Certification Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) On the left of the page, the Access Certification Task list shows the different access certification tasks and has the following features: @@ -13,7 +13,7 @@ tasks and has the following features: - Search – Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add Access Cert. Task icon – Add an access certification task to the list. See the - [Add Access Certification Task](../add/accesscertificationtask.md) topic for additional + [Add Access Certification Task](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/add/accesscertificationtask.md) topic for additional information. - List of access certification tasks – Select a task from the list to view and edit settings: 
@@ -36,10 +36,10 @@ features: - Description – (Optional)Description of the policy. - Reviewer – The reviewer that the access certification task is assigned to. Only users with the Reviewer role can be assigned as a reviewer. See the - [Role Management Page](../../policy/page/rolemanagement.md) topic for additional information + [Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) topic for additional information - Status – Shows status information for the task - Date Started (only visible once review is started) – Date the reviewer begins to review the access entitlements - Date Completed – Date the reviewer finished reviewing the access elements -- [Users Tab for Access Certification](../tab/users.md) -- [Entitlements Tab for Access Certification](../tab/entitlements.md) +- [Users Tab for Access Certification](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md) +- [Entitlements Tab for Access Certification](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/activitylog.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/activitylog.md index 693719a098..d44b8d0113 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/activitylog.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/activitylog.md 
@@ -3,7 +3,7 @@ The Activity Log page shows the activity logs for users and resources. From here, search and investigate the records. -![activitylogpage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/activitylogpage.webp) +![activitylogpage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/activitylogpage.webp) The Activity Log page has the following features: @@ -38,7 +38,7 @@ The Top 5 Users for the Date Range table lists the users with the most sessions: - Column headers can be resized and sorted in ascending or descending order: - User — The user logged in to the session. Click to open the - [User, Group, & Application Details Page](../../policy/page/details/usergroupapplication.md). + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md). - Sessions — Number of sessions per user - Total Duration — Total duration of all sessions per user - Average — The average duration of a session per user 
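Review bot: In the `activitylog.md` hunk at `@@ -38,7 +38,7 @@` the link target changes from `../../policy/page/details/usergroupapplication.md` to a path that hard-codes `/docs/privilegesecure/4.2/`. The relative form resolved inside whichever version directory the file lived in; the absolute form will keep pointing at 4.2 when this tree is copied to a later version, and nothing will fail visibly. If absolute paths are required, add a link check that the version segment of every `/docs/privilegesecure/<version>/` target matches the version directory of the file containing it, and note the rewrite step in the versioning instructions.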
@@ -50,15 +50,15 @@ The Sessions by All Users table lists all user sessions: - Column headers can be resized and sorted in ascending or descending order: - Session User — The user logged in to the session. See the - [User, Group, & Application Details Page](../../policy/page/details/usergroupapplication.md) + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Host — The resource the session is using. The details vary based on the type of resource. See - the [Resources Page](../../policy/page/resources.md) topic for additional information. + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for additional information. - Login Account — Account user is logged in with - Policy — Policy associated with the session. See the - [Access Policy Page](../../policy/page/accesspolicy.md) topic for additional information. + [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Activity — Activity associated with the session. See the - [Activities Page](../../policy/page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Start time of the session - Duration — Duration of the session - End — End time of the session diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistory.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistory.md index dec026d2ba..eecafbafd1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistory.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistory.md @@ -3,7 +3,7 @@ The DB Change History page shows the database entries (Additions, Updates, Deletes). From here, search and investigate the records. -![Database Change History Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistorypage.webp) +![Database Change History Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/dbchangehistorypage.webp) The DB Changes page has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/events.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/events.md index 1c1a5c29a8..272b04be8f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/events.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/events.md @@ -2,7 +2,7 @@ The Events page shows event logs for the Privilege Secure Console. -![Audit and Reporting Events Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/eventspage.webp) +![Audit and Reporting Events Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/eventspage.webp) The Events page has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptions.md index 9cc8928849..19a527ee87 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptions.md 
@@ -16,7 +16,7 @@ The right of the page shows details of the selected option. Configure the Log File Options for the selected service. The recommended log level is Informational. -![logfileoptionspage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptionspage.webp) +![logfileoptionspage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/logfileoptionspage.webp) The right of the page shows details of the selected service and has the following features: @@ -42,4 +42,4 @@ The right of the page shows details of the selected service and has the followin - Save button (only visible when editing) – Saves changes - Cancel button (only visible when editing) – Discards changes -See the [Log Files Page](logfiles.md) topic for additional information. +See the [Log Files Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md index 3b4acf9cef..5fd4bf4ba0 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/logfiles.md @@ -2,7 +2,7 @@ The Logs page shows the log files. From here, search and investigate the records. -![Audit and Reporting Log Files Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/logfilespage.webp) +![Audit and Reporting Log Files Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/logfilespage.webp) On the left of the page, the Log list shows the log files: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/reporting.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/reporting.md index 05c8493b23..44bc283ec2 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/reporting.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/reporting.md @@ -13,7 +13,7 @@ report name. Each report has a Filters tab (which allows the report to be run, d configured) and a Subscriptions tab (which allows the Privilege Secure user to Subscribe to the report via email). -![Reports Tree](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/reportstree.webp) +![Reports Tree](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/reportstree.webp) The Search Reports box will search all report names, both predefined and custom, for the specified report name. The report tree will then be filtered down to the matching reports. @@ -62,7 +62,7 @@ new report in the Enter Report Name box. The Filters tab provides customization options for the new report. -![Reporting Filters Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/filterstab.webp) +![Reporting Filters Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/filterstab.webp) The Filters tab has the following configuration options: 
@@ -139,7 +139,7 @@ identically. Customize the desired configuration settings in the Filters tab. -![Reporting Filters Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/filterstab.webp) +![Reporting Filters Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/filterstab.webp) The Filters tab has the following configuration options: @@ -166,13 +166,13 @@ The Filters tab has the following configuration options: The Subscriptions tab allows the Privilege Secure user to Subscribe to the report via email. -![Reporting Subscriptions Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/subscriptionstab.webp) +![Reporting Subscriptions Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/page/subscriptionstab.webp) The report will be emailed to the Email value for the user, which is populated based on Active Directory attributes and can be confirmed for a given user by checking the Users and Groups page. If a new custom schedule is needed for a Subscription, one can be created under the **Policy** > **Platforms** > **Schedule Policies** menu. All Schedule Policies will show up in the list when you -Subscribe to a report. See the [Schedule Policies Page](../../policy/page/schedulepolicies.md) topic +Subscribe to a report. See the [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. The Subscriptions tab has the following configuration options: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md index 038ecda629..672870e885 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md @@ -3,7 +3,7 @@ The Entitlements tab shows the activities associated with the users in the selected access certification task. -![entitlementstab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlementstab.webp) +![entitlementstab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlementstab.webp) The Entitlements table has the following features: @@ -48,7 +48,7 @@ Entitlements tab. **Step 3 –** Click Review to open the Review Activity Details window. -![Review Entitlements window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/reviewentitlementswindow.webp) +![Review Entitlements window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/reviewentitlementswindow.webp) The Review Activity Details window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md index 7ce83dc00d..87deb5f672 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/users.md 
@@ -3,7 +3,7 @@ The Users tab shows the users and groups in the selected access certification task for which the reviewer must certify access entitlement. -![userstab](../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![userstab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The Users table has the following features: @@ -12,7 +12,7 @@ The Users table has the following features: - Column headers can be resized and sorted by ascending or descending order: - Name – Click to open the Users and Groups Details page. See the - [User, Group, & Application Details Page](../../policy/page/details/usergroupapplication.md) + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name – Displays the name of the account - Email – Displays the associated email address, if available @@ -34,7 +34,7 @@ tab **Step 3 –** Click Add to open the Add Users and Groups window. -![addusers](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/addusers.webp) +![addusers](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/auditreporting/tab/addusers.webp) The Add Users and Groups window has the following features: @@ -70,5 +70,5 @@ Access Certification. certification task is created. The reviewer can now log in to see the access certification task(s) assigned to them and begin the -review process. See the [Entitlements Tab for Access Certification](entitlements.md) topic for +review process. See the [Entitlements Tab for Access Certification](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/tab/entitlements.md) topic for additional information. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/authenticationconnector.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/authenticationconnector.md index 97078f6f3f..eb14811c9f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/authenticationconnector.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/authenticationconnector.md @@ -6,7 +6,7 @@ Follow the steps to add an authentication connector to the console. **Step 2 –** In the Connectors list, click the **Plus** icon. -![addauthentication](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addauthentication.webp) +![addauthentication](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addauthentication.webp) **Step 3 –** Enter the following information: 
@@ -18,13 +18,13 @@ Follow the steps to add an authentication connector to the console. fields will change depending on the selection. **Step 4 –** Enter the information from the applicable authentication connector provider. See the -[Authentication Page](../page/authentication.md) section for detailed descriptions of the fields. +[Authentication Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md) section for detailed descriptions of the fields. - For OpenID Connect, open the - [OpenID Connect Configuration Wizard](../wizard/openidconnectconfiguration.md) -- For SAML, open the [SAML Configuration Wizard](../wizard/samlconfiguration.md) + [OpenID Connect Configuration Wizard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md) +- For SAML, open the [SAML Configuration Wizard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md) -See the [OpenID Connect Authentication](../integrationdetails/openidconnectauthentication.md) +See the [OpenID Connect Authentication](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/openidconnectauthentication.md) appendices for additional information on how to configure third party Authentication Connectors. **Step 5 –** Click **Save** to create the new authentication connector. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md index 1e026e53fe..b71d6361ce 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorconfig.md 
@@ -43,12 +43,12 @@ the **Integration Connectors** submenu. the Checkin Script Block or Skip the Certificate Check. - Skip Certificate Check – Select the checkbox -![BYOV Connector for Privilege Secure](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectornps.webp) +![BYOV Connector for Privilege Secure](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectornps.webp) **Step 4 –** Copy and paste the following script into the "Checkout Script Block" field. (The "Checkin Script Block" field may be left blank.) -[Copy]() +[Copy](javascript:void(0);) Checkout Script Block @@ -165,7 +165,7 @@ else { **Step 5 –** Click **Save** to create the BYOV connector. -See the [Bring Your Own Vault (BYOV) Integration](integrationbyov.md) topic for additional +See the [Bring Your Own Vault (BYOV) Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md) topic for additional information on configuring a BYOV connector. ### Create a User 
@@ -176,19 +176,19 @@ Follow the steps to create a manually-managed user. **Step 1 –** Navigate to **Dashboard** > **Credentials** tab. -![Select a User to manage account](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanageuser.webp) +![Select a User to manage account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanageuser.webp) **Step 2 –** Search or scroll to find the user you wish to manage. Once identified, check the box next to the account name. -![Select Manual manage account](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanualmanageaccount.webp) +![Select Manual manage account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanualmanageaccount.webp) **Step 3 –** Click on the **Manage** button that becomes available above the list, and select **Manual**. **NOTE:** Ensure the user is not already managed or added into Privilege Secure. -See the [Credentials Dashboard](../../dashboard/credentials.md) topic for additional information on +See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on creating a managed account. ### Set the Account Password 
@@ -202,11 +202,11 @@ Follow the steps to set an account password. **Step 1 –** Navigate to **Dashboard** > **Credentials** tab and locate the manually managed account. -![Managed User Wrench Icon](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanageuserwrench.webp) +![Managed User Wrench Icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovmanageuserwrench.webp) **Step 2 –** Click on the **Wrench** icon to set the password. -![Set password for the credential window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovsetpassword.webp) +![Set password for the credential window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovsetpassword.webp) **Step 3 –** Enter a password to match the AD password, then click **Save**. @@ -214,7 +214,7 @@ account. Password feature is not available. See the -[Manage Internal Service Accounts](../../policy/window/credentials/manageinternalserviceaccount.md) +[Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for additional information on manually managing an account. ### Create an Activity 
@@ -243,14 +243,14 @@ Follow the steps to create an activity. created. Also, you may apply domain or other local accounts managed by Netwrix Privilege Secure, but the password must be rotated once prior to use with an activity. -![BYOV create an Activity](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectoractivity.webp) +![BYOV create an Activity](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectoractivity.webp) **Step 4 –** Click Save to create the Activity. **NOTE:** Ensure the Login Account Template uses the format DOMAIN\samAccountName (e.g., NWXTECH\dgrayson). -See the [Add Activity](../../policy/add/activity.md) topic for additional information on creating an +See the [Add Activity](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md) topic for additional information on creating an Activity. ### Configure a New Policy @@ -261,10 +261,10 @@ Follow the steps to create a Policy. **Step 1 –** Navigate to the **Policy** tab > **Access Policy**. -![Create a new policy for the BYOV Connector](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorpolicy.webp) +![Create a new policy for the BYOV Connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectorpolicy.webp) **Step 2 –** Click the **Plus** icon and create a new Policy. See the -[Add Access Policy](../../policy/add/accesspolicy.md) topic for additional information. +[Add Access Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md) topic for additional information. - Set the Type as **Resource Based** and select a Connection Profile, with **Default** being sufficient for most setups. 
@@ -274,16 +274,16 @@ Follow the steps to create a Policy. **Step 4 –** Once the Access Policy is created, add the following: - Users to the Policy. See the - [Users Tab for Resource Based Access Policies](../../policy/tab/policyresource/users.md) topic for + [Users Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md) topic for additional information. - Activity created for the BYOV Connector. See the - [Activities Tab for Resource Based Access Policies](../../policy/tab/policyresource/activities.md) + [Activities Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md) topic for additional information. - Associated resources intended for this Activity. See the - [Resources Tab for Resource Based Access Policies](../../policy/tab/policyresource/resources.md) + [Resources Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md) topic for additional information. -See the [Add Access Policy](../../policy/add/accesspolicy.md) topic for additional information on +See the [Add Access Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md) topic for additional information on creating an Access Policy. After completing these steps, you can use the specified manually-managed user on the resources 
@@ -291,7 +291,7 @@ outlined in the policy. This setup is ideal for scenarios where a single account multiple resources but needs to be managed through Privilege Secure for enhanced security and management. -![My Activities BYOV Connector](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectormyactivities.webp) +![My Activities BYOV Connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/byovconnectormyactivities.webp) _Remember,_ Always verify configurations and permissions, especially when integrating with systems like AD and using specific user accounts for critical operations. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md index af86ef48c5..d8c6bc9c94 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md @@ -11,7 +11,7 @@ Follow the steps to add the BYOV Connector. **Step 2 –** In the Integration Connectors list, click the Add Integration Connector icon. -![Add Build your own vault Connector Integration](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addbyov.webp) +![Add Build your own vault Connector Integration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addbyov.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationcyberark.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationcyberark.md index f985b05cf3..85bd8f8998 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationcyberark.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationcyberark.md @@ -21,7 +21,7 @@ Follow the steps to add the CyberArk Connector. **Step 2 –** In the Integration Connectors list, click the Add Integration Connector icon. -![Add CyberArk Connector Integration](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addcyberark.webp) +![Add CyberArk Connector Integration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addcyberark.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationenterpriseauditor.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationenterpriseauditor.md index 94e79c175c..494afbdb2b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationenterpriseauditor.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationenterpriseauditor.md @@ -69,7 +69,7 @@ used to get data from the Access Analyzer endpoint. ## Add Service Account for Enterprise Auditor Connector Follow the steps to add the service accounts for the Access Analyzer integration connector. See the -[Add Service Account](serviceaccount.md) topic for additional information. +[Add Service Account](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md) topic for additional information. **Step 1 –** In the Privilege Secure Console, navigate to the Configuration > Service Accounts page. 
@@ -107,7 +107,7 @@ page. **Step 2 –** In the Integration Connector list, click the Add Integration Connector icon. -![Add Enterprise Auditor Integration Connector](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addenterpriseauditor.webp) +![Add Enterprise Auditor Integration Connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addenterpriseauditor.webp) **Step 3 –** Enter the following information: @@ -136,9 +136,9 @@ page in the menu. **Step 2 –** In the Integration Connector list, select the previously created Enterprise Auditor Import connector. -![enterpriseauditorconnector](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/enterpriseauditorconnector.webp) +![enterpriseauditorconnector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/enterpriseauditorconnector.webp) **Step 3 –** Click **Sync** **StealthAUDIT** to begin the data collection. This may take some time. To view the import progress, navigate to **Service Nodes** > Action Services. See the -[Action Service](../servicetype/action.md) topic for additional information. +[Action Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationhashicorp.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationhashicorp.md index 2b3255f797..048b15e91f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationhashicorp.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationhashicorp.md 
@@ -25,7 +25,7 @@ Follow the steps to add a vault connector for HashiCorp. **Step 2 –** In the Integration Connector list, click the Add Integration Connector icon. -![Add HashiCorp Connector Integration](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addhashicorp.webp) +![Add HashiCorp Connector Integration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addhashicorp.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationlaps.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationlaps.md index ea5849608a..618bad81ad 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationlaps.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationlaps.md @@ -23,7 +23,7 @@ Follow the steps to add a vault connector for LAPS. **Step 2 –** In the Integration Connector list, click the Add Integration Connector icon. -![Add a LAPS Vault connector](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addlaps.webp) +![Add a LAPS Vault connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addlaps.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/secretvaultconfig.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/secretvaultconfig.md index 59db037773..eb51e5babf 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/secretvaultconfig.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/secretvaultconfig.md 
@@ -11,7 +11,7 @@ Follow the steps below to add a new Secret Vault. **Step 2 –** Click the Plus icon and select New Secret Vault from the drop-down list. -![Add secrete Vault Resource](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addsecretvault.webp) +![Add secrete Vault Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addsecretvault.webp) **Step 3 –** Enter the following information: @@ -34,13 +34,13 @@ Follow the steps below to add a new Secret Vault. **Step 8 –** Click **Okay** to add the account to the Secret Vault. A secret vault has been created, and a secret added to the vault. See the -[Secret Vault Details Page](../../policy/page/details/secretvault.md) topic for additional +[Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) topic for additional information. **NOTE:** Vaulted credentials must be manually entered and updated. See the -[Credentials Tab for Credential Based Access Policies](../../policy/tab/policycredentials/credentials.md) +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) topic for additional information. ## Create an Access Policy 
@@ -48,14 +48,14 @@ topic for additional information. Follow these steps to add a credential-based access policy to Privilege Secure. _Remember,_ a connection profile is required to create an access policy. You can create one ahead of -time on the [Connection Profiles Page](../../policy/page/connectionprofiles.md) page or use the +time on the [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) page or use the arrow button to create one during these steps. **Step 1 –** Navigate to the Policy > Access Policies page. **Step 2 –** In the Access Policy list, click the Plus icon. -![Add Access Policy](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addaccesspolicy.webp) +![Add Access Policy](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addaccesspolicy.webp) **Step 3 –** Enter the following information: 
@@ -69,14 +69,14 @@ arrow button to create one during these steps. **Step 5 –** On the new access policy, select the **Users** tab. **Step 6 –** Click the **Add** button to add users to the access policy. See the -[Users Tab for Credential Based Access Policies](../../policy/tab/policycredentials/users.md) for +[Users Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md) for additional information. **Step 7 –** Once the users have been added, select the **Credentials** tab. **Step 8 –** Click the **Add** button to add the necessary credentials to access the Secrete Vault. See the -[Credentials Tab for Credential Based Access Policies](../../policy/tab/policycredentials/credentials.md) +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) for additional information. The new Secret Vault access policy has been created. Users added to the policy will now have a diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md index 9c60a783c1..57a8d2c0cd 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md 
@@ -6,14 +6,14 @@ Follow the steps to add a service account to the console. **Step 2 –** In the Service Account list, click the Plus icon. -![Add Service Account](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addserviceaccount.webp) +![Add Service Account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addserviceaccount.webp) **Step 3 –** Enter the applicable information. See the -[Service Accounts Page](../page/serviceaccounts.md) section for detailed descriptions of the fields. +[Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) section for detailed descriptions of the fields. - For service accounts checked out through a vault connector, select a previously added vault connector from the drop-down list. See the - [Bring Your Own Vault (BYOV) Integration](integrationbyov.md) topic for additional information. + [Bring Your Own Vault (BYOV) Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md) topic for additional information. **Step 4 –** Click Save to create the new service account. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md index 9af38d1d54..2910bee4d1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md 
@@ -78,11 +78,11 @@ registration instead of User Administrator. clicking **Assign**. The service account can now be added to Privilege Secure, using the Application (Client) ID and -Client Secret. See the [Service Accounts Page](../page/serviceaccounts.md) topic for additional +Client Secret. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. Add the Microsoft Entra ID Tenant resource to Privilege Secure using the Tenant ID. See the -[Add New Microsoft Entra ID Tenant](../../policy/add/entraidtenant.md) topic for additional +[Add New Microsoft Entra ID Tenant](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md) topic for additional information. ## Rotate a Microsoft Entra ID Account Password in a Hybrid Tenant diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/openidconnectauthentication.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/openidconnectauthentication.md index 78ba9d1586..d3031be0a1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/openidconnectauthentication.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/openidconnectauthentication.md 
@@ -15,14 +15,14 @@ from the Config->Role Management screen. To create a new user click the Directory menu item and select People from the drop-down. You should see this screen. -![Okta Menu](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktamenu.webp) +![Okta Menu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktamenu.webp) If your screen doesn’t look like this then you’re probably in Developer Console view. Click in the top left corner (where it says Developer Console) and choose Classic UI. To add a new user, click the Add Person button: -![Add person to Okta](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaaddperson.webp) +![Add person to Okta](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaaddperson.webp) Privilege Secure will use the ‘Username’ value to search the host-user table for the matching user. @@ -40,7 +40,7 @@ Users in sbpam.local are all set up with both UPN and Email Address – but they The two Okta users below both map to the same sbpam.local user -![Okta login format](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaloginformat.webp) +![Okta login format](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaloginformat.webp) To use the first account the Privilege Secure OpenID Connector Login Format should be set to Email, for the second UPN. 
@@ -57,7 +57,7 @@ always be the case, so… When the user has been created click on their name and you will see the User Details screen: -![Assign Apps top users](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaassignapps.webp) +![Assign Apps top users](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/integrationdetails/oktaassignapps.webp) If the application you want to use is not listed, click the ‘Assign Applications’ button and select it. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/interface.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/interface.md index 5ecdab05b7..43172a7f43 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/interface.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/interface.md 
@@ -3,32 +3,32 @@ The Configuration interface provides information and management options for advanced configuration settings. -![Configuration Interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Configuration Interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) Expand the Configuration menu in the Navigation pane for related pages: -- [Service Accounts Page](page/serviceaccounts.md) — Add or modify service accounts +- [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) — Add or modify service accounts - Service Nodes: - - [Service Nodes Page](page/servicenodes.md) — View the status and details of Privilege Secure + - [Service Nodes Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/servicenodes.md) — View the status and details of Privilege Secure Services - - [Scheduled Tasks Page](page/scheduledtasks.md) — View or modify recurring tasks + - [Scheduled Tasks Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md) — View or modify recurring tasks - System Settings — Modify the system settings: - - [Action Service Settings Page](page/actionservicesettings.md) - - [Database Page](page/database.md) - - [Email Configuration Page](page/emailconfiguration.md) - - [Global Settings Page](page/globalsettings.md) - - [Local Account Password Options Page](page/localaccountpasswordoptions.md) - - [Password History Options Page](page/passwordhistoryoptions.md) - - [Local Account Password Options Page](page/localaccountpasswordoptions.md) - - [Services Page](page/services.md) - -- [Authentication Page](page/authentication.md) — Add or modify multi-factor authentication (MFA) -- [Integration Connectors Page](page/integrationconnectors.md) — Configure settings for integration + - [Action Service 
Settings Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/actionservicesettings.md) + - [Database Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/database.md) + - [Email Configuration Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/emailconfiguration.md) + - [Global Settings Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md) + - [Local Account Password Options Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md) + - [Password History Options Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptions.md) + - [Local Account Password Options Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md) + - [Services Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/services.md) + +- [Authentication Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md) — Add or modify multi-factor authentication (MFA) +- [Integration Connectors Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectors.md) — Configure settings for integration with other applications - SIEM: - - [SIEM Server Page](page/siemserver.md) — Add or modify SIEM servers - - [SIEM Templates Page](page/siemtemplates.md) — Add or modify SIEM templates + - [SIEM Server Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemserver.md) — Add or modify SIEM servers + - [SIEM Templates Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemtemplates.md) — Add or modify SIEM templates 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/actionservicesettings.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/actionservicesettings.md index edd9e2c9c2..ac0ceebbd1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/actionservicesettings.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/actionservicesettings.md @@ -3,7 +3,7 @@ The Action Service Settings page is accessible from the Navigation pane under Configuration > System Settings. It shows all action service settings to customize or override action timeout. -![settingspage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/settingspage.webp) +![settingspage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/settingspage.webp) The Action Service Settings page has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md index 6e52811888..c9f9a32427 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md 
@@ -6,10 +6,10 @@ OpenID Connect and SAML. Once configured, an authentication method may be assigned to any users who will use the method for accessing the application. See the -[Authentication Connector Tab](../../policy/tab/usersgroups/authenticationconnector.md) topic for +[Authentication Connector Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md) topic for additional information. -![Authentication Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationpage.webp) +![Authentication Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationpage.webp) The pane on the left side of the page displays a list of the configured authentication connectors. This pane has the following features: @@ -17,7 +17,7 @@ This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - - button — Create a new connector. See the - [Add Authentication Connector](../add/authenticationconnector.md) topic for additional + [Add Authentication Connector](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/authenticationconnector.md) topic for additional information. - Default icon — Indicates if connector is set as default. Icon appears when activity is hovered over. Click the icon to change or clear the default. 
@@ -71,7 +71,7 @@ The following fields apply to the MFA Connector Type: The following fields apply to the OpenID Connect Connector Type: - Configuration Wizard button — Opens the Configuration Wizard for the selected type of connector. - See the [OpenID Connect Configuration Wizard](../wizard/openidconnectconfiguration.md) topic for + See the [OpenID Connect Configuration Wizard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md) topic for additional information. - Show / Hide Data link — Click the link to view or hide additional details - Issuer — Displays the OpenID Connect provider issuer URI @@ -86,7 +86,7 @@ The following fields apply to the OpenID Connect Connector Type: The following fields apply to the SAML Connector Type: - Configuration Wizard button — Opens the Configuration Wizard for the selected type of connector. - See the [SAML Configuration Wizard](../wizard/samlconfiguration.md) topic for additional + See the [SAML Configuration Wizard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md) topic for additional information. - Show / Hide Data link — Click the link to view or hide additional details - Login URI — Displays the SAML provider issuer URI 
@@ -105,15 +105,15 @@ Once a third-party authentication connector is configured, it can be set as the authentication, or it can be set as the exclusive form of authentication. Hover over the authentication connector to display the configuration options. -![Authentication Connector Options](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationoptions.webp) +![Authentication Connector Options](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationoptions.webp) There are two options that can be configured for the authentication connector, Set as Default and Set as Exclusive. | Description | Option | Login Screen | | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Set as Default — Sets the authentication connector as the default login option and includes the option to login with Active Directory credentials | ![Set authentication connector as Default](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetdefault.webp) | ![Set authentication connector as Default Login Screen](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetdefaultlogin.webp) | -| Set as Exclusive — Sets the authentication connector as the only option to login and the option to login 
with Active Directory credentials is removed | ![Set authentication connector as Exclusive](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetexclusive.webp) | ![Set authentication connector as Exclusive Login Screen](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetexclusivelogin.webp) | +| Set as Default — Sets the authentication connector as the default login option and includes the option to login with Active Directory credentials | ![Set authentication connector as Default](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetdefault.webp) | ![Set authentication connector as Default Login Screen](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetdefaultlogin.webp) | +| Set as Exclusive — Sets the authentication connector as the only option to login and the option to login with Active Directory credentials is removed | ![Set authentication connector as Exclusive](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetexclusive.webp) | ![Set authentication connector as Exclusive Login Screen](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/authenticationsetexclusivelogin.webp) | Once the authentication connector is set to Default or Exclusive, the login will be updated to reflect the configuration selected. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/database.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/database.md index dd086b3df9..02cfefd220 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/database.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/database.md @@ -6,7 +6,7 @@ configured during installation. ## PostgreSQL Database Settings -![Configuration system settings Database Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/databasepage.webp) +![Configuration system settings Database Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/databasepage.webp) The Database Settings page displays the following settings for PostgreSQL: @@ -19,7 +19,7 @@ The Database Settings page displays the following settings for PostgreSQL: ## SQL Server Database Settings -![SQL Server Database Settings Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/sqldatabasepage.webp) +![SQL Server Database Settings Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/sqldatabasepage.webp) The Database Settings page displays the following settings for SQL Server: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/emailconfiguration.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/emailconfiguration.md index 40e61c802f..bfd30e266f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/emailconfiguration.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/emailconfiguration.md 
@@ -3,7 +3,7 @@ The Email Configuration page is accessible from the Navigation pane under Configuration > System Settings. -![systemsettingsemailconfig](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/systemsettingsemailconfig.webp) +![systemsettingsemailconfig](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/systemsettingsemailconfig.webp) The right of the page shows details of the email configuration settings and has the following features: @@ -15,4 +15,4 @@ features: Example Email -![Emailed link](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/emailedlink.webp) +![Emailed link](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/emailedlink.webp) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md index ea4f013740..c5f1cabe08 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md @@ -3,7 +3,7 @@ The Global Settings page is accessible from the Navigation pane under **Configuration** > **System Settings**. It shows all global RDP session settings. -![globalsettingspage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/globalsettingspage.webp) +![globalsettingspage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/globalsettingspage.webp) The right of the page shows details of the RDP file settings and has the following features: 
@@ -12,7 +12,7 @@ The right of the page shows details of the RDP file settings and has the followi - Allowed Resolutions — Check the boxes to enable those resolutions for the RDP session - Default Resolution — The resolution the RDP session will use when first connected - Certificate Thumbprint — The hexadecimal certificate (or thumbprint) value. See the - [Sign RDP Files to Prevent Publisher Warning](../../troubleshooting.md#sign-rdpfiles-to-prevent-publisher-warning) + [Sign RDP Files to Prevent Publisher Warning](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md#sign-rdpfiles-to-prevent-publisher-warning) topic for additional information. - WinRM HTTP Setting– This setting governs the HTTP encryption settings that will be used for WinRM connections. The following options are available: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectors.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectors.md index 9ed72210ab..0ce62fa334 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectors.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectors.md @@ -3,7 +3,7 @@ The Integration Connectors page is accessible from the Navigation pane under Configuration. It shows the configured integration settings with other products. -![Integration Connectors Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectorspage.webp) +![Integration Connectors Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/integrationconnectorspage.webp) The pane on the left side of the page displays a list of the configured integration connectors. This pane has the following features: 
@@ -21,16 +21,16 @@ The selected connector details display at the top of the main pane: - Connector Type — Indicates the type of integration: - BYOV — Configure integration with any vault, or Bring Your Own Vault. See the - [Bring Your Own Vault (BYOV) Integration](../add/integrationbyov.md) topic for additional + [Bring Your Own Vault (BYOV) Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md) topic for additional information. - CyberArk — Configure integration with CyberArk. See the - [CyberArk Integration](../add/integrationcyberark.md) topic for additional information. + [CyberArk Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationcyberark.md) topic for additional information. - HashiCorp — Configure integration with HashiCorp. See the - [HashiCorp Integration](../add/integrationhashicorp.md) topic for additional information. - - LAPS — Configure integration with LAPS. See the [LAPS Integration](../add/integrationlaps.md) + [HashiCorp Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationhashicorp.md) topic for additional information. + - LAPS — Configure integration with LAPS. See the [LAPS Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationlaps.md) topic for additional information. - StealthAUDIT — Configure integration with Netwrix Access Analyzer (formerly Enterprise - Auditor). See the [Enterprise Auditor Integration](../add/integrationenterpriseauditor.md) + Auditor). See the [Enterprise Auditor Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationenterpriseauditor.md) topic for additional information. **NOTE:** The remaining fields vary based on the type selected. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md index e1744833f7..eb3714c24b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptions.md @@ -3,7 +3,7 @@ The Local Account Password Options page is accessible from the Navigation pane under Configuration > System Settings. -![localaccountpasswordoptionspage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptionspage.webp) +![localaccountpasswordoptionspage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/localaccountpasswordoptionspage.webp) Provide the following information for the local accounts: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptions.md index c2ec8dbfe0..3c8606e420 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptions.md 
@@ -3,7 +3,7 @@ The Password History Options page is accessible from the Navigation pane under Configuration > System Settings. -![passwordhistoryoptionspage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptionspage.webp) +![passwordhistoryoptionspage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/passwordhistoryoptionspage.webp) The page shows details of the password history settings and has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md index 88f9dd9e42..a064c8f0f1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md @@ -2,7 +2,7 @@ On the Scheduled Tasks page, view scheduled tasks run by the console. -![Scheduled Tasks Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/scheduledtaskspage.webp) +![Scheduled Tasks Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/scheduledtaskspage.webp) The Scheduled Tasks page has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md index 71c38c8516..d8e9f25742 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md 
@@ -3,7 +3,7 @@ The Service Accounts page is accessible from the Navigation pane under Configuration. It shows the configured service accounts required by Privilege Secure services. -![serviceaccountpage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/serviceaccountpage.webp) +![serviceaccountpage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/serviceaccountpage.webp) The pane on the left side of the page displays a list of the configured service accounts. This pane has the following features: @@ -11,7 +11,7 @@ has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Green + button — Create a new service account. See the - [Add Service Account](../add/serviceaccount.md) topic for additional information. + [Add Service Account](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/serviceaccount.md) topic for additional information. - Trashcan icon — Deletes the service account. Icon appears when activity is hovered over. A confirmation window will display. 
@@ -27,12 +27,12 @@ The selected service account details display at the top of the main pane: ID platforms. - App ID — Displays the globally unique identifier for the targeted app registered in the Active Directory tenant. This field only applies to Microsoft Entra ID platforms. See the - [Microsoft Entra ID App Registration](../integrationdetails/entraidappregistration.md) for + [Microsoft Entra ID App Registration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md) for additional information. - Elevation Command — Displays the elevation mechanism for the host, such as: sudo, pbrun, pmrun, dzdo, etc.. This field only applies to Linux platforms. - Vault Connector — Displays the name of the assigned vault connector. See the - [Bring Your Own Vault (BYOV) Integration](../add/integrationbyov.md) topic for additional + [Bring Your Own Vault (BYOV) Integration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/add/integrationbyov.md) topic for additional information. - Authentication: @@ -58,7 +58,7 @@ The selected service account details display at the top of the main pane: are selected. - App Secret — Displays the security token for the targeted app registered in the tenant. This field only applies to Microsoft Entra ID platforms. See the - [Microsoft Entra ID App Registration](../integrationdetails/entraidappregistration.md) for + [Microsoft Entra ID App Registration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/integrationdetails/entraidappregistration.md) for additional information. - Safe — Displays the CyberArk safe where the login account is stored. This field only applies to CyberArk vault connectors. 
@@ -71,5 +71,5 @@ If any of these settings are modified, Save and Cancel buttons are displayed. Cl commit the modifications. Click **Cancel** to discard the modifications. Th "Service Account is Managed by Privilege Secure when the account has been configured to be -managed by the application. See the [Credentials Page](../../policy/page/credentials.md) topic for +managed by the application. See the [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/servicenodes.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/servicenodes.md index 52a310ba22..75690b0c0e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/servicenodes.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/servicenodes.md @@ -2,7 +2,7 @@ On the Service Nodes page, configure the services for each installed service node. -![Service Nodes Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/servicenodespage.webp) +![Service Nodes Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/servicenodespage.webp) The left of the page lists the Service Nodes and the services running on them: 
@@ -19,8 +19,8 @@ The left of the page lists the Service Nodes and the services running on them: The right of the page shows details of the selected service: -- [Action Service](../servicetype/action.md) -- [Email Service](../servicetype/email.md) -- [Proxy Service](../servicetype/proxy.md) -- [Scheduler Service](../servicetype/scheduler.md) -- [SIEM Service](../servicetype/siem.md) +- [Action Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md) +- [Email Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/email.md) +- [Proxy Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/proxy.md) +- [Scheduler Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md) +- [SIEM Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/siem.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/services.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/services.md index 5c180d8204..36a0b6ef92 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/services.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/services.md 
@@ -7,7 +7,7 @@ After a website certificate is installed in IIS, it is necessary to update the N Secure web services to ensure they are calling the correct URL. If the Web Services are set to the wrong address, the services will show offline in the Services Node area. -![Service Settings page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/servicessettingspage.webp) +![Service Settings page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/servicessettingspage.webp) **NOTE:** Make sure that the web certificate is updated in IIS prior to setting a new value in Netwrix Privilege Secure. It is important to ensure the Binding Hostname in IIS, the certificate diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemserver.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemserver.md index 7719d4a1b2..bebe0d1df4 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemserver.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemserver.md @@ -10,7 +10,7 @@ template to define the format/data to be sent. **Step 1 –** Navigate to the **Configuration** > **SIEM** > **SIEM Templates** page. -![siemservers](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemservers.webp) +![siemservers](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemservers.webp) **Step 2 –** Enter the following information: 
@@ -28,7 +28,7 @@ Events destined for SIEM Servers are sent to a queue. The SIEM service is respon events out the queue and processing them. Multiple SIEM services may be used to process high volumes of events. -![SIEM Serivce Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemservice.webp) +![SIEM Serivce Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemservice.webp) Events processed may be viewed by selecting the SIEM service in the Service Node page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemtemplates.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemtemplates.md index 30dd623e1a..d164e13998 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemtemplates.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/siemtemplates.md @@ -8,7 +8,7 @@ Two out of the box templates are provided for most common use cases, CEF and LEE be configured according to the requirements of the target SIEM solution, and the specific event data that needs to be sent. Privilege Secure supports 1.0 versions of CEF and LEEF. -![SIEM Templates Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/siemtemplates.webp) +![SIEM Templates Page](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/siemtemplates.webp) ## Custom SIEM Templates 
@@ -18,7 +18,7 @@ Follow the steps to add a custom SIEM template to the Privilege Secure Console. **Step 2 –** Click the Plus icon. -![Add SIEM Template](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemtemplate.webp) +![Add SIEM Template](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/page/siemtemplate.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md index 9a91d4f215..54e111b17d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/action.md @@ -2,7 +2,7 @@ On the Action Services page, view or modify action services. -![Action Service Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionservicepage.webp) +![Action Service Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionservicepage.webp) The Action Service page shows details of the selected action service and has the following features: @@ -15,7 +15,7 @@ The Action Service page shows details of the selected action service and has the The Action Logs tab shows the event logs for the action service. -![Action Logs Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionlogstab.webp) +![Action Logs Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionlogstab.webp) The Action Logs table has the following features: 
@@ -43,7 +43,7 @@ The Action Logs table has the following features: The Action Queue tab shows the tasks to be executed by the action service. -![Action Queue Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionqueuetab.webp) +![Action Queue Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionqueuetab.webp) The Action Queue table has the following features: @@ -71,7 +71,7 @@ The Action Queue table has the following features: The Properties tab shows additional information about the action service. -![Action Service Properties Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/propertiestab.webp) +![Action Service Properties Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/propertiestab.webp) The Properties table has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/email.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/email.md index 4a3edcff4d..f257709cd8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/email.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/email.md 
@@ -2,7 +2,7 @@ On the Email Services page, add and configure the settings used for email notifications. -![Email Services Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailservicepage.webp) +![Email Services Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailservicepage.webp) The Email Service page shows details of the selected email service and has the following features: @@ -13,7 +13,7 @@ The Email Service page shows details of the selected email service and has the f On the Email Settings tab, view and edit the email service settings. -![emailsettingstab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailsettingstab.webp) +![emailsettingstab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailsettingstab.webp) The Email Settings tab has the following features: @@ -28,7 +28,7 @@ The Email Settings tab has the following features: The Email Queue tab shows all outgoing mail notifications. -![Email Service Queue Tab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailqueuetab.webp) +![Email Service Queue Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/emailqueuetab.webp) The Email Queue table has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/proxy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/proxy.md index 7ff0186baa..b5544d2da7 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/proxy.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/proxy.md @@ -2,7 +2,7 @@ The Proxy Service page shows the details of the selected service on the host. -![Proxy Service Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Proxy Service Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The Proxy Service page lists the properties for the selected proxy service: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md index d4f53f1b7b..6cc8e26fca 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md @@ -2,7 +2,7 @@ On the Scheduler Service page, view information for scheduled services. -![Scheduler service Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Scheduler service Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The Scheduler Service page shows details of the selected service and has the following features: 
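Review bot: The rewritten image target in the scheduler.md hunk, `/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp`, is the same file the proxy.md hunk directly above uses for the Proxy Service page, and it sits under the threatprevention tree rather than privilegesecure. The rewrite carries over what the old relative path pointed to, but two different service pages sharing one generic `page.webp` from another product looks like a mismatched asset. Confirm the screenshot is the intended one, or point each page at its own image in the privilegesecure servicetype image directory that the other service pages in this patch use.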
@@ -13,7 +13,7 @@ The Scheduler Service page shows details of the selected service and has the fol The Statistics tab shows an overview of the actions for the past 24 hours. -![statisticstab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/statisticstab.webp) +![statisticstab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/statisticstab.webp) The Statistics tab shows the total number of actions for each of the following statuses: @@ -31,7 +31,7 @@ The Statistics tab shows the total number of actions for each of the following s The Action Queues tab shows all scheduled services. -![actionqueuestab](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionqueuestab.webp) +![actionqueuestab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/actionqueuestab.webp) The Action Queues table has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/siem.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/siem.md index c20565d8f4..bafa594e5a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/siem.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/siem.md 
@@ -2,7 +2,7 @@ The SIEM Service shows the SIEM-specific details for the selected service. -![servicenodes_siemservice](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/servicenodes_siemservice.webp) +![servicenodes_siemservice](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/servicetype/servicenodes_siemservice.webp) The SIEM Service page has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md index df27a5fe55..6dbb7ca72e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/openidconnectconfiguration.md @@ -1,10 +1,10 @@ # OpenID Connect Configuration Wizard The OpenID Connect Configuration wizard is opened with the **Configuration Wizard** button in the -Configuration > [Authentication Page](../page/authentication.md) for an OpenID Connect +Configuration > [Authentication Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md) for an OpenID Connect Authentication Connector Type. -![configureclient](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/configureclient.webp) +![configureclient](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/configureclient.webp) It contains three pages: 
@@ -55,7 +55,7 @@ page in the browser. Do NOT sign in. **Step 6 –** If the Sign In page displayed as expected, click Next. -![OpenID Connection wizard, Test Login page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_5.webp) +![OpenID Connection wizard, Test Login page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_5.webp) **Step 7 –** On the Test Login page, click Login. The Sign In page opens in the browser. @@ -66,7 +66,7 @@ to the UserTokenController so that the user information can be extracted. Click **Step 10 –** On the Configure ID Mapping page, click **Get User Data**. -![chapter_4_configuration_interface_6](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_6.webp) +![chapter_4_configuration_interface_6](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_6.webp) Privilege Secure will use the access token to retrieve user data from the OpenId Connect provider. The OpenID Connect provider requires a User Id Field for sign in. It is necessary to specify which 
@@ -110,7 +110,7 @@ from the provider and will vary: **Step 11 –** Select a field to use for the User Id Field and click Select. -![chapter_4_configuration_interface_7](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_7.webp) +![chapter_4_configuration_interface_7](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_7.webp) **Step 12 –** The selected Source and User ID fields from the previous table are shown. Now map the applicable AD field to the User Id Field. This is the value that will be used to sign in to the MFA @@ -119,7 +119,7 @@ Field. **Step 13 –** Click Finish. A window will display the updated configuration settings. -![chapter_4_configuration_interface_8](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_8.webp) +![chapter_4_configuration_interface_8](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/chapter_4_configuration_interface_8.webp) **Step 14 –** Click Okay to close the wizard and click **Save** on the Authentication page to accept the changes. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md index 6dbbe495ac..ea6620cc27 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfiguration.md 
@@ -1,10 +1,10 @@ # SAML Configuration Wizard The SAML Configuration wizard is opened with the **Configuration Wizard** button in the -Configuration > [Authentication Page](../page/authentication.md) for an SAML Authentication +Configuration > [Authentication Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md) for an SAML Authentication Connector Type. -![configureclient](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/configureclient.webp) +![configureclient](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/configureclient.webp) It contains four pages: @@ -52,7 +52,7 @@ page in the browser. Do NOT sign in. **Step 6 –** If the Sign In page displayed as expected, click Next. -![SAML Configuration wizard, Test Login page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigtestlogin.webp) +![SAML Configuration wizard, Test Login page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigtestlogin.webp) When the SAML provider authenticates a user login, it will optionally sign that authentication using a certificate (available from the SAML provider). Privilege Secure can be configured to validate the 
@@ -71,7 +71,7 @@ authentication using the certificate. **Step 10 –** If the sign in was successful, the Provider User Name/Id will display. This is passed to the UserTokenController so that the user information can be extracted. Click Next. -![SAML Configuration Wizard, Retrieved Data](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigidmapping.webp) +![SAML Configuration Wizard, Retrieved Data](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigidmapping.webp) SpPAM will use the access token to retrieve user data from the SAML provider. The SAML provider requires a User Id Field for sign in. It is necessary to specify which field in Active Directory @@ -104,7 +104,7 @@ from the provider and will vary: **Step 11 –** Select a field to use for the User Id Field and click Select. -![SAML Configuration wizard, Map Id](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigidmapping2.webp) +![SAML Configuration wizard, Map Id](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigidmapping2.webp) **Step 12 –** The selected Source and User ID fields from the previous table are shown. Now map the applicable AD field to the User Id Field. This is the value that will be used to sign in to the MFA @@ -113,7 +113,7 @@ Field. **Step 13 –** Click **Next** to proceed. -![SAML Configuration wizard, Test Logout page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigtestlogout.webp) +![SAML Configuration wizard, Test Logout page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigtestlogout.webp) **Step 14 –** On the Test Logout page, enter the following information: 
@@ -146,7 +146,7 @@ and logs out of the SAML Provider. **Step 17 –** If the logout was successful, click Finish. A window will display the updated configuration settings. -![SAML Configuration updating connector settings](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigupdateconnector.webp) +![SAML Configuration updating connector settings](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/wizard/samlconfigupdateconnector.webp) **Step 18 –** Click Okay to close the wizard and click **Save** on the Authentication page to accept the changes. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md index ca747070fc..1496f158f5 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md @@ -2,10 +2,10 @@ The Active sessions dashboard shows all currently active sessions. Create an Activity Session to grant temporary privileges and gain access to the resources defined by a previously created Access -Policy. See the [Access Policy Page](../policy/page/accesspolicy.md) topic for additional +Policy. See the [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. -![Active Dashboard page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/active.webp) +![Active Dashboard page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/active.webp) The dashboard has the following features: 
@@ -16,17 +16,17 @@ The dashboard has the following features: - All Active tab — Shows all sessions for all users - Mine tab — Shows sessions for the logged in user - Recording data — Filter by keystroke data and, when enabled, RDP Windows event activity. See - the [Install Remote Desktop Monitor Service on Target RDP Hosts](../../install/rdpmonitor.md) + the [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. - Create Session — Open the Activity Request window. See the - [Create Activity Session](../../enduser/dashboard/createsession.md) topic for additional + [Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Lock Activity — Opens the Lock Session window to prevent the user from interacting with the host - but keeps the session active. See the [Lock Session](window/locksession.md) topic for additional + but keeps the session active. See the [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. - Unlock Activity — Unlocks a session to allow the user to interact with the host - Refresh — Reload the information displayed 
@@ -34,14 +34,14 @@ The dashboard has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session: +- Expand icon — Click the expand () icon to show additional information for the session: - The live session viewer allows an admin to watch a remote session that is in progress for - another user. See the [Live Session Viewer Window](window/liveviewer.md) topic for additional + another user. See the [Live Session Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md) topic for additional information. - If the user has logged into the remote session more than once, multiple session recordings will display. If a recording of the session is available, the replay viewer allows an admin to - watch a replay of the remote session. See the [Replay Viewer Window](window/replayviewer.md) + watch a replay of the remote session. See the [Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) topic for additional information. - Status — Shows status information for the session: 
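Review bot: The Expand icon bullet loses its glyph in this hunk: `Click the expand (>) icon` becomes `Click the expand () icon`, which leaves empty parentheses in the rendered text. This is a content change unrelated to the link rewrite. Restore the character, escaped if the renderer needs it (for example `&gt;`), or name the icon in words.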
@@ -59,26 +59,26 @@ The table has the following columns: - Canceling — The session is either expired or was canceled manually by the user or an Privilege Secure administrator. - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. - Requested — Date and time of when the session was created - Requested By — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../policy/page/details/usergroupapplication.md) topic + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Host — Resource that the user will run the activity on. Click the link to view additional details.The details vary based on the type of resource. 
See the following topics for additional information: - - [Host Details Page](../policy/page/details/host.md) - - [Domain Details Page](../policy/page/details/domain.md) - - [Website Details Page](../policy/page/details/website.md) - - [Microsoft Entra ID Details Page](../policy/page/details/entraid.md) - - [Secret Vault Details Page](../policy/page/details/secretvault.md) - - [Database Details Page](../policy/page/details/databases.md) + - [Host Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md) + - [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) + - [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) + - [Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) + - [Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) + - [Database Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md) - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../policy/page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the 
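Review bot: Every link rewritten in this hunk now embeds the version segment, for example `/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md`, where the old `../policy/page/details/host.md` form was version-independent. If this tree is copied to create the next version's docs, these links will keep pointing at the 4.2 pages. Either keep relative links inside a versioned tree or add a link check that fails when a file under one version directory links into another.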
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/approvals.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/approvals.md index 4a84eacf55..334ceb36cc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/approvals.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/approvals.md @@ -3,10 +3,10 @@ The Approvals Dashboard displays requested sessions that require approval. Users and group members designated as approvers will see the pending sessions queued here. The session must be approved before the requestor can log in to the session. See the -[Connection Profiles Page](../policy/page/connectionprofiles.md) topic for additional information on +[Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) topic for additional information on Approval Workflows. -![Dashboard Approvals Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/approvals.webp) +![Dashboard Approvals Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/approvals.webp) The Approvals Dashboard has the following features: 
@@ -30,7 +30,7 @@ The table has the following columns: - Host — Resource that the user will run the activity on - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../policy/page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity starts. This refers to when the activity’s actions will be executed and not when the user logs on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/createsession.md index 8176f36cb7..78ddd29b67 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/createsession.md @@ -6,7 +6,7 @@ Follow the steps to create an activity session. **Step 2 –** In the Active Session table, click Create Session to open the Activity Request window. -![Create Activity Session Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) +![Create Activity Session Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) **Step 3 –** On the Request Type page, enter the following information: 
@@ -14,7 +14,7 @@ Follow the steps to create an activity session. **Step 4 –** Click Next to go to the Resource Selection page. -![Create Session window Resource Selection](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) +![Create Session window Resource Selection](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) **Step 5 –** On the Resource Selection page, enter the following information: @@ -23,7 +23,7 @@ Follow the steps to create an activity session. **Step 6 –** Click **Next** to go to the Notes page. -![Create Session Notes Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) +![Create Session Notes Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) **Step 7 –** On the Notes page, enter the following information: @@ -32,7 +32,7 @@ Follow the steps to create an activity session. **Step 8 –** Click Next to go to the Scheduling page. -![Create Session Schedule Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) +![Create Session Schedule Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) **Step 9 –** On the Scheduling page, enter the following information: 
@@ -40,7 +40,7 @@ Follow the steps to create an activity session. **Step 10 –** Click Next to go to the Review page. -![Create Session Review Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) +![Create Session Review Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) **Step 11 –** On the Review page, review the summary of the new session. @@ -53,4 +53,4 @@ session until the request is approved and the status changes to Available. When the status Available is shown, the remote session is ready. Click the Connection icon to begin the session, or log in through a client. -See the [Start Activity Session](startsession.md) topic for additional information. +See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/startsession.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md index ee0ea4659f..932bcabff8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md 
@@ -4,9 +4,9 @@ The Credentials dashboard shows all accounts discovered within your environment. focused on managing service account password rotation. A managed account is any host local account, domain account, or Privilege Secure application local account that has its credentials managed by the application. This includes managed user accounts created by activity sessions. The Credentials -dashboard displays the same information as the [Credentials Page](../policy/page/credentials.md). +dashboard displays the same information as the [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md). -![Credentials Dashboard Page](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials Dashboard Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) The dashboard has the following features: 
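Review bot: the replacement image line in this hunk still resolves to another product's asset, /img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp, on the Privilege Secure Credentials dashboard page. The removed line pointed at the same activitymonitor file through the relative path, so the rewrite carries the reference over rather than introducing it, but it is worth confirming that this screenshot is the one intended here. If it is not, point the link at an image under the privilegesecure image tree in this change or track it as a follow-up, so the mechanical path rewrite does not cement the wrong asset.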
@@ -25,20 +25,20 @@ The dashboard has the following features: - Manage — Set the selected account to be managed by Privilege Secure. This button is only available when the account Managed Type is Standard or Internal. For an Internal account, a pop up window will display. See the - [Manage Internal Service Accounts](../policy/window/credentials/manageinternalserviceaccount.md) + [Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) section for additional information. - Unmanage — Remove the account from being managed by Privilege Secure - Rotate Service Account — Opens the Account Dependencies window. This button is only available when the Managed Type is Service. See the - [Account Dependencies Window](../policy/window/credentials/accountdependencies.md) topic for + [Account Dependencies Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md) topic for additional information. - Schedule Rotation — Add the credential rotation task to the queue. This button is only available when the Method is Automatic managed. See the - [Scheduled Tasks Page](../configuration/page/scheduledtasks.md) topic for additional information. + [Scheduled Tasks Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md) topic for additional information. - Verify — Checks that the credentials for the selected account match the credentials set by Privilege Secure - View History — Opens the Password History window to displays the password history for the account. - See the [Password History Window](../policy/window/credentials/passwordhistory.md) topic for + See the [Password History Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md) topic for additional information. 
- Refresh — Reload the information displayed @@ -49,12 +49,12 @@ The table has the following columns: - Set Password icon — Opens the Set Password for Credential window to set a new password for the selected account.See the - [Manage Internal Service Accounts](../policy/window/credentials/manageinternalserviceaccount.md) + [Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for more information. - Clipboard icon — Copies the password for the selected account - Information icon — Opens the View Password window to view the password and copy it to the clipboard. The window stays open for 20 seconds. See the - [View Password Window](../policy/window/credentials/viewpassword.md) topic for additional + [View Password Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md) topic for additional information. - Resource — Name of the resource that the account is on. Click the link to view additional details. 
@@ -63,23 +63,23 @@ The table has the following columns: - Method — Indicates how the account is managed: - Automatic — Credential rotation is managed by Privilege Secure according to the change policy - for that platform type. See the [Platforms Page](../policy/page/platforms/overview.md) topic + for that platform type. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Manual — Credential rotation must be initiated manually with the Rotate Service Account button, or the credential must be manually updated on both the resource and in Privilege - Secure. See the [Service Accounts Page](../configuration/page/serviceaccounts.md) section for + Secure. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) section for information on updating credentials for Internal service accounts. - Not Managed — Not currently managed by Privilege Secure and no credentials have ever been stored - **NOTE:** See the [Rotation Methods](../policy/credentialrotationmethod.md) topic for additional + **NOTE:** See the [Rotation Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/credentialrotationmethod.md) topic for additional information. - Managed Type — Type of managed account: - Standard — Local or domain user account, including managed users created by activity sessions - Internal — Internal service account used by Privilege Secure with no dependencies. See the - [Service Accounts Page](../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Service — Local or domain service account with one or more dependencies. Includes Internal service accounts with one or more dependencies. 
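Review bot: every rewritten link in this hunk hard-codes the release segment, for example /docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md, where the removed relative form (../policy/page/platforms/overview.md) carried no version. If this tree is later copied to a new version folder, these links will keep resolving into 4.2 until they are rewritten again. Suggest stating in the PR description how a version bump is expected to handle the absolute paths, or adding a link check that flags targets outside the page's own version folder.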
@@ -89,7 +89,7 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../policy/page/platforms/overview.md) topic for additional information on + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md index f0af31bb6a..d144c0b86d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md @@ -3,7 +3,7 @@ The Historical sessions dashboard shows all created sessions and their status. Only users with the Administrator role can view recordings of historical sessions. -![historical](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/historical.webp) +![historical](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/historical.webp) The dashboard has the following features: 
@@ -18,7 +18,7 @@ The dashboard has the following features: - User Name — Filter by Session User - User Type — Filter by type of user: All, User, Application, or Local User - Recording data — Filter by keystroke data and, when enabled, RDP Windows event activity. See - the [Install Remote Desktop Monitor Service on Target RDP Hosts](../../install/rdpmonitor.md) + the [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. - Requested date — Filter by session start and/or end dates @@ -30,16 +30,16 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information for the session: + - Expand icon — Click the expand () icon to show additional information for the session: - If a recording of the session is available, the replay viewer allows an admin to watch a - replay of the remote session. See the [Replay Viewer Window](window/replayviewer.md) topic + replay of the remote session. See the [Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) topic for additional information. - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session - View logs icon — Opens the Session Logs window to view the action log for the selected - session. See the [Session Logs Window](window/sessionlogs.md) topic for additional + session. See the [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Requested — Date and time of when the session was created 
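Review bot: the Expand icon line in this hunk loses content, not just a path: `Click the expand (>) icon` becomes `Click the expand () icon`, leaving empty parentheses. Nothing else in the hunk changes wording, so this looks like the `>` was stripped by the rewrite rather than edited on purpose. Suggest restoring the character, escaped if the renderer requires it, and searching the rest of the patch for other empty `()` left behind the same way.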
@@ -52,22 +52,22 @@ The table has the following columns: the requestor - Session User— User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../policy/page/details/usergroupapplication.md) topic + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Host — Resource that the user will run the activity on. Click the link to view additional details. The details vary based on the type of resource. See the following topics for additional information: - - [Host Details Page](../policy/page/details/host.md) - - [Domain Details Page](../policy/page/details/domain.md) - - [Website Details Page](../policy/page/details/website.md) - - [Microsoft Entra ID Details Page](../policy/page/details/entraid.md) - - [Secret Vault Details Page](../policy/page/details/secretvault.md) - - [Database Details Page](../policy/page/details/databases.md) + - [Host Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md) + - [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) + - [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) + - [Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) + - [Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) + - [Database Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md) - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. 
See the - [Activities Page](../policy/page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - Duration — Indicates how long the Activity ran for until it either reached its scheduled end time diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/overview.md index 6af095b7fa..419f707034 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/overview.md @@ -3,7 +3,7 @@ The Dashboard interface displays an overview of activity sessions, users, resources and related information. -![Dashboard Interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Dashboard Interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The overview section shows information for the following: 
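Review bot: the Dashboard Interface image on the + line points at /img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp, a Threat Prevention path, from the Privilege Secure dashboard overview page. The removed line referenced the same file, so the mismatch predates this change, but a link-normalisation pass is a good moment to confirm the screenshot is the intended one and to move the reference to a privilegesecure image if it is not.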
@@ -13,11 +13,11 @@ The overview section shows information for the following: additional information. - Approvals Dashboard – Shows sessions waiting for approval. See the Approvals Dashboard topic for additional information. -- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](historical.md) +- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md) topic for additional information. -- Users Dashboard – Shows the users added to Privilege Secure. See the [Users Dashboard](users.md) +- Users Dashboard – Shows the users added to Privilege Secure. See the [Users Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md) topic for additional information. - Resources Dashboard – Shows resources added to Privilege Secure. See the - [Resources Dashboard](resources.md) topic for additional information. + [Resources Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md) topic for additional information. - Credentials Dashboard – Shows access activity by resource. See the - [Credentials Dashboard](credentials.md) topic for additional information. + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md index fd9b33ed84..b85358f4bf 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md 
@@ -3,39 +3,39 @@ The Resources dashboard shows information for onboarded resources, such as active and scheduled sessions, policies, and service accounts for the host resources and domain resources that have been added to the console. The Resources dashboard displays the same information as the -[Resources Page](../policy/page/resources.md). +[Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). -![Resources Dashboard Page](../../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Resources Dashboard Page](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) The Resources table has the following features: - Add — Opens a list of available resources to add. The Add list contains the following options: - New Server — Opens the Add Resources window to onboard new servers. See the - [Add Resources Window](../policy/window/resources/addresourcesonboard.md) topic for additional + [Add Resources Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md) topic for additional information. - New Domain — Opens the Domain Details page for a new domain. See the - [Add New Domain](../policy/add/domain.md) topic for additional information. + [Add New Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md) topic for additional information. - New Website — Opens the Website Details page for a new website. See the - [Add New Website](../policy/add/website.md) topic for additional information. + [Add New Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md) topic for additional information. - New Microsoft Entra ID Tenant — Opens the Microsoft Entra ID Tenant Details page for a new - tenant. See the [Add New Microsoft Entra ID Tenant](../policy/add/entraidtenant.md) topic for + tenant. 
See the [Add New Microsoft Entra ID Tenant](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md) topic for additional information. - New Secret Vault — Opens the Secret Vault Details page for a new vault. See the - [Add Secret Vault](../policy/add/secretvault.md) topic for additional information. + [Add Secret Vault](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md) topic for additional information. - New Database — Opens the Databse Details page for a new database. See the - [Add New Database](../policy/add/database.md)topic for additional information. + [Add New Database](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md)topic for additional information. - Remove — Removes the selected resource from being managed by the application. A confirmation window will display. See the - [Remove Resource Window](../policy/window/resources/removeresource.md) topic for additional + [Remove Resource Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md) topic for additional information. - Change Platform — Opens the Change Platform window to modify the type of platform for the selected - host resource. See the [Change Platform Window](../policy/window/resources/changeplatform.md) + host resource. See the [Change Platform Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md) topic for additional information. - Change Service Account — Opens the Change Service Account window to modify the service account associated with the selected host resource. See the - [Change Service Account Window](../policy/window/resources/changeserviceaccount.md) topic for + [Change Service Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md) topic for additional information. 
- Scan Resource — Scans a host resource for local users, groups, windows services, and scheduled tasks. A confirmation window will display. @@ -55,12 +55,12 @@ The table has the following columns: - Resource — Displays the name of the resource. Click the link to view additional details. The details vary based on the type of resource. - - [Host Details Page](../policy/page/details/host.md) - - [Domain Details Page](../policy/page/details/domain.md) - - [Website Details Page](../policy/page/details/website.md) - - [Microsoft Entra ID Details Page](../policy/page/details/entraid.md) - - [Secret Vault Details Page](../policy/page/details/secretvault.md) - - [Database Details Page](../policy/page/details/databases.md) + - [Host Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md) + - [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) + - [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) + - [Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) + - [Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) + - [Database Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md) - Operating System — Displays the operating system of the resource - Active — Displays the number of active sessions on the resource 
@@ -70,12 +70,12 @@ The table has the following columns: - DNS Host Name — Displays the DNS host name for a host resource or the FQDN for a domain resource - IP Address — Displays the IP address for the resource - Domain — Displays the domain name for the resource. Click the link to view additional details. See - the [Domain Details Page](../policy/page/details/domain.md) topic for additional information. + the [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. - Service Account — Displays the service account associated with the resource. Click the link to - view additional details. See the [Service Accounts Page](../configuration/page/serviceaccounts.md) + view additional details. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Platform — Displays the type of platform, which defines the resource. See the - [Platforms Page](../policy/page/platforms/overview.md) topic for additional information. + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Last Scanned — Date timestamp for the last time the resource was scanned The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/scheduled.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/scheduled.md index a0bf9ab6f2..7b7426aedd 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/scheduled.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/scheduled.md 
@@ -2,14 +2,14 @@ The Scheduled sessions dashboard shows all scheduled sessions. -![Scheduled Dashboard Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/scheduled.webp) +![Scheduled Dashboard Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/scheduled.webp) The Scheduled Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create Activity Session](../../enduser/dashboard/createsession.md) topic for additional + [Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - Refresh — Reload the information displayed 
@@ -33,14 +33,14 @@ The table has the following columns: - Canceling — The session is either expired or was canceled manually by the user or an Privilege Secure administrator. - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. - Requested — Date and time of when the session was created - Requested By — User who requested the session - Host — Resource that the user will run the activity on - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../policy/page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity starts. This refers to when the activity’s actions will be executed and not when the user logs on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/startsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/startsession.md index e66f6eb14d..10734c695f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/startsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/startsession.md 
@@ -4,7 +4,7 @@ On the Active Sessions dashboard, when the status Available is shown, the activi To begin the activity session, click the Connection icon in the Status column for the applicable session to be automatically connected to the resource. -![Connecto to remote session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/startsession.webp) +![Connecto to remote session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/startsession.webp) Also note the icons to view and copy the password for the session as plain text, if the option is enabled in the access policy Connection Profiles. @@ -36,11 +36,11 @@ time is 5 minutes or less. **NOTE:** For NPS users with the Administrator role, session extension is always enabled. -![Extend Activity Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) +![Extend Activity Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) For RDP, a pop-up message is displayed in the session window. -![extendsessionssh](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) +![extendsessionssh](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) For SSH the user can extend by typing **Ctrl+X** when prompted. 
@@ -57,14 +57,14 @@ Ideally the Cisco device should be upgraded to support secure ciphers. If this i is necessary to add additional ciphers to machines with older (insecure) ciphers that need to be managed with SSH. You can “opt-in” by configuring the cipher suites used by the Proxy Service. -See the [Proxy Service Install](../../install/proxyservice.md) topic for additional information. +See the [Proxy Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md) topic for additional information. ## DirectConnect Inline Password Prompt RDP DirectConnect now supports the prompting of users for password, removing the old requirement to modify group/local policy to force RDP password prompts. -![Direct Connect password prompt](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/directconnect.webp) +![Direct Connect password prompt](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/directconnect.webp) If a password is entered outside of the RDP session, this will be automatically be used and the inline password prompt will not display, unless there is an authentication error. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md index a29c21cfaa..6bddcbea05 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md 
@@ -2,9 +2,9 @@ The Users dashboard shows session information for onboarded users and groups. Onboarded users and can log into the application to manage policies or run sessions. The Users dashboard displays the -same information as the [Users & Groups Page](../policy/page/usersgroups.md). +same information as the [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). -![Users Dashboard Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/usersdashboard.webp) +![Users Dashboard Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/usersdashboard.webp) The Users table has the following features: @@ -12,10 +12,10 @@ The Users table has the following features: table or list is filtered to the matching results. - Filter — Provides options to filter results based on a chosen criterion: User or Groups - Add User — Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../policy/window/usersgroups/addusersandgroups.md) topic for + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Add Application — Opens the Add Application page. See the - [Add Application](../policy/add/application.md) topic for additional information. + [Add Application](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md) topic for additional information. - Remove — Removes console access from the selected account - Refresh — Reload the information displayed 
@@ -24,7 +24,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. Click the link to view additional details. See the - [User, Group, & Application Details Page](../policy/page/details/usergroupapplication.md) topic + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md index d9a8057bce..e1e0ac89f8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md 
@@ -5,13 +5,13 @@ session. Activity sessions are monitored when the Record Proxy Sessions checkbox connection profile assigned to the access policy. All SSH and RDP keystrokes and local commands are recorded using a granular metadata search that works across both live and recorded sessions. -Click the expand icon for an active session on the [Active Dashboard](../active.md). +Click the expand icon for an active session on the [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md). -![Active Session expanded](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/activesessionexpand.webp) +![Active Session expanded](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/activesessionexpand.webp) If the user has logged into the activity session more than once, multiple session recordings will display. Only the current session can be viewed live. See the -[Replay Viewer Window](replayviewer.md) topic for additional information on recorded sessions. +[Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) topic for additional information on recorded sessions. There are two types of Live Session Viewer windows: 
@@ -24,17 +24,17 @@ Select the desired recording and the Live Session Viewer window opens. The Live Session Viewer window for RDP sessions is applicable to all resources except the Websites. -![livesessionviewerrdp](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/livesessionviewerrdp.webp) +![livesessionviewerrdp](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/livesessionviewerrdp.webp) The Live Session Viewer for RDP Sessions window has the following features: Action options - Terminate Session icon – Click the icon to disconnect the user and end the session. A confirmation - window will appear. See the [Terminate Proxy Session Window](terminateproxysession.md) topic for + window will appear. See the [Terminate Proxy Session Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md) topic for additional information. - Lock icon – Opens the Lock Session window to prevent the user from interacting with the host but - keeps the session active. See the [Lock Session](locksession.md) topic for additional information. + keeps the session active. See the [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. Session Details 
@@ -55,24 +55,24 @@ Activity Details **NOTE:** If RDP Session Monitoring is enabled, then it will also include Windows metadata activity in the time line. This monitoring requires the Netwrix Privilege Secure Remote Desktop Monitor service to be installed on the target host. See the - [Install Remote Desktop Monitor Service on Target RDP Hosts](../../../install/rdpmonitor.md) + [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. ## Live Session Viewer for SSH Sessions The Live Session Viewer for SSH sessions is applicable to Linux and Cisco resources. -![livesessionviewerssh](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/livesessionviewerssh.webp) +![livesessionviewerssh](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/livesessionviewerssh.webp) The Live Session Viewer for SSH Sessions window has the following features: Action options - Terminate Session icon – Click the icon to disconnect the user and end the session. A confirmation - window will appear. See the [Terminate Proxy Session Window](terminateproxysession.md) topic for + window will appear. See the [Terminate Proxy Session Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md) topic for additional information. - Lock icon – Opens the Lock Session window to prevent the user from interacting with the host but - keeps the session active. See the [Lock Session](locksession.md) topic for additional information. + keeps the session active. See the [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. Session Details 
@@ -101,17 +101,17 @@ Other Details The Recording Session Viewer window for Website host sessions is applicable only to Website hosts and Microsoft Entra ID. -![recordingsessionviewer](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/recordingsessionviewer.webp) +![recordingsessionviewer](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/recordingsessionviewer.webp) The Live Session Viewer for Recording Sessions window has the following features: Action options - Terminate Session icon – Click the icon to disconnect the user and end the session. A confirmation - window will appear. See the [Terminate Proxy Session Window](terminateproxysession.md) topic for + window will appear. See the [Terminate Proxy Session Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md) topic for additional information. - Lock icon – Opens the Lock Session window to prevent the user from interacting with the host but - keeps the session active. See the [Lock Session](locksession.md) topic for additional information. + keeps the session active. See the [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. Recording Details diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md index db8afb9444..589e995ba3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md 
@@ -1,8 +1,8 @@ # Lock Session It is possible to lock out the user in the event that suspicious or unauthorized activity is -observed, either from the [Active Dashboard](../active.md), or the -[Live Session Viewer Window](liveviewer.md). +observed, either from the [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md), or the +[Live Session Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md). Follow the steps to lock a session. @@ -14,7 +14,7 @@ Follow the steps to lock a session. - From the Live Session Viewer, click the **lock** icon. -![Lock User Session](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/locksession.webp) +![Lock User Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/locksession.webp) **Step 2 –** In the Lock Session window, enter the following information: @@ -39,5 +39,5 @@ or SSH clients. To unlock an active session, either: - From the Live Session Viewer, click the **Unlock** icon. To unlock an account, see the -[User, Group, & Application Details Page](../../policy/page/details/usergroupapplication.md) topic +[User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md index 2c2b0b8121..397890c4ea 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md 
@@ -6,9 +6,9 @@ connection profile assigned to the access policy. All SSH and RDP keystrokes and recorded using a granular metadata search that works across both live and recorded sessions. When recordings are available for a historical session, the expand icon is enabled on the -[Historical Dashboard](../historical.md). +[Historical Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/historical.md). -![Historical dashboard showing available recordings](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/recordingavailable.webp) +![Historical dashboard showing available recordings](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/recordingavailable.webp) Multiple recording can exist for a session. There are two types of Replay Viewer windows: @@ -21,7 +21,7 @@ Select the desired recording and the Replay Viewer window opens. The Replay Viewer window for RDP sessions is applicable to all resources except the Websites. -![Replay Viewer window for an RDP session](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerrdp.webp) +![Replay Viewer window for an RDP session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerrdp.webp) The Replay Viewer for RDP Sessions window has the following features: 
@@ -53,7 +53,7 @@ Activity Details: **NOTE:** If RDP Session Monitoring is enabled, then it will also include Windows metadata activity in the time line. This monitoring requires the Netwrix Privilege Secure Remote Desktop Monitor service to be installed on the target host. See the - [Install Remote Desktop Monitor Service on Target RDP Hosts](../../../install/rdpmonitor.md) + [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. ## Replay Viewer for SSH Sessions @@ -63,7 +63,7 @@ The Replay Viewer for SSH sessions is applicable to Linux and Cisco resources. **NOTE:** When a user enters input into a password prompt during an SSH session, the keystrokes will be obscured in the Replay Viewer. -![replayviewerssh](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerssh.webp) +![replayviewerssh](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerssh.webp) The Replay Viewer for SSH Sessions window has the following features: @@ -96,7 +96,7 @@ Activity Details: The Replay Viewer window for Website host sessions is applicable only to Website hosts. -![Replay Viewer window for a Website host session](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerwebsite.webp) +![Replay Viewer window for a Website host session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/replayviewerwebsite.webp) The Replay Viewer for Website Host Sessions window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md index 2acbd33e09..b85e2a34eb 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md @@ -3,7 +3,7 @@ The Session Logs window displays the log details for the selected session. Select a session from the Active dashboard and click the View Logs button to open the Session Logs window. -![Session Logs Window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) +![Session Logs Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md index 73cbe89335..18f4f7cc3d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/terminateproxysession.md @@ -7,7 +7,7 @@ Follow the steps to a lock the session. **Step 1 –** In the Live Session Viewer, click the **Terminate Session** icon. -![Terminate Session window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/terminatesession.webp) +![Terminate Session window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/dashboard/window/terminatesession.webp) **Step 2 –** In the Terminate Proxy Session window, select from the following options: 
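Review bot: The section context for this terminateproxysession.md hunk reads "Follow the steps to a lock the session.", which looks carried over from the Lock Session topic and has a stray "a". Since Step 1 clicks the **Terminate Session** icon and the file is being touched anyway, consider changing it to "Follow the steps to terminate the session." in the same commit.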
@@ -18,7 +18,7 @@ Follow the steps to a lock the session. **Step 4 –** To prevent the user from creating a new session, navigate to the **Users & Groups Details** page for that user and click **Lock Account**. See the -[User, Group, & Application Details Page](../../policy/page/details/usergroupapplication.md) topic +[User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. The session is terminated. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md index 1587b074a0..726bf34cdb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md @@ -3,7 +3,7 @@ Netwrix Privilege Secure comes with a temporary 30-day trial license. a banner at the top indicates the expiration date of a license about to expire. -![Dashboard interface showing an expiration banner and pointint to the User Options menu with the About page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/expirationbanner.webp) +![Dashboard interface showing an expiration banner and pointint to the User Options menu with the About page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/expirationbanner.webp) However, you can import your license file on the About page (User Options > About). An expired license does not necessarily prevent users from logging in. If a license is expired, and the login 
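Review bot: The image line rewritten in this importlicense.md hunk keeps the typo "pointint" in its alt text ("showing an expiration banner and pointint to the User Options menu"). The line is already being replaced, so fix it to "pointing" here. The unchanged sentence above it also starts in lower case ("a banner at the top indicates ...") and would be worth correcting in the same pass.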
@@ -26,14 +26,14 @@ Options menu. **Step 3 –** Select About. The About page opens. -![About page showing trial license details](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/triallicensedetails.webp) +![About page showing trial license details](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/triallicensedetails.webp) **Step 4 –** In the Upload License File section, click Import License. **Step 5 –** Navigate to the license file and click Open to import the license. -![About page showing successful upload of a license](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/licenseimportsuccess.webp) +![About page showing successful upload of a license](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/licenseimportsuccess.webp) A message indicates the license file uploaded successfully. The license information displays at the top of the page, and the expiration banner disappears from the top. See the -[About Page](aboutpage.md) topic for additional details available on this page. +[About Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/aboutpage.md) topic for additional details available on this page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md index 5d64604a82..e3bd44c5a9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md 
@@ -36,13 +36,13 @@ Authentication Connector that is set as the default. DUO, Symantec VIP, etc) for all user accounts unless otherwise configured in the Initial Set Up Wizard. If required, first time users must register with an MFA to use with their login credentials. -![Default Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) +![Default Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) **Step 2 –** Either click the default authentication connector button, or click **Log In with a Different Account** to display all of the authentication connectors that are registered with Privilege Secure. -![Alternate Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) +![Alternate Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) **Step 3 –** Login to the Privilege Secure Console with a configured authentication connector, or enter the user credentials. 
@@ -51,16 +51,16 @@ enter the user credentials. **Step 5 –** Enter the code provided by the registered multi-factor authenticator (MFA). -![Multi Factor Authentication Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) +![Multi Factor Authentication Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) **Step 6 –** Click MFA Login. The Privilege Secure Console opens on the Dashboard Interface. -![Dashboard Interface](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) **NOTE:** After five incorrect login attempts, the user will be locked out of the account for five minutes. Additional incorrect login attempts will extend this time by five minutes for each failed login. See the -[User, Group, & Application Details Page](policy/page/details/usergroupapplication.md) topic for +[User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information on how to unlock an account. The Privilege Secure Console is ready to use. Note that the option to view the recovery codes is no diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/navigation.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/navigation.md index 90fefcf8b6..b586bdb219 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/navigation.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/navigation.md 
@@ -3,24 +3,24 @@ At the top of the Privilege Secure Console lists available in interfaces and provides access to the Help link and the User Menu: -![topbar](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/topbar.webp) +![topbar](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/topbar.webp) - Interfaces: - Access — Grants access to the My Activities page. Activities are be displayed as individual cards, organized alphabetically or by Access Policy. See the - [Access > My Activities Page](access/myactivities.md) topic for additional. information. + [Access > My Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/access/myactivities.md) topic for additional. information. - Dashboard — View summaries of recent activity logs and user sessions. See the - [Dashboard Interface](dashboard/overview.md) topic for additional information. + [Dashboard Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/overview.md) topic for additional information. - Policy — Contains several pages to create and configure policies to enable access, to onboard and manage users, groups, resources, and credentials, and to create and configure activities. - See the [ Policy Interface](policy/interface.md) topic for additional information. + See the [ Policy Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md) topic for additional information. - Configuration — Contains several pages to configure and manage authentication, integration connectors, service accounts, services, and other settings. See the - [Configuration Interface](configuration/interface.md) topic for additional information. + [Configuration Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/interface.md) topic for additional information. 
- Audit & Reporting Interface — Audit user access entitlement (Access Certification) and view activity statistics and reports. See the - [Audit & Reporting Interface](auditreporting/interface.md) topic for additional information. + [Audit & Reporting Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/interface.md) topic for additional information. - Help — Opens the Netwrix Privilege Secure documentation in the in another browser tab - User Menu — Click to open the drop-down menu: @@ -28,11 +28,11 @@ Help link and the User Menu: - Dark Mode — Toggle “Dark Mode” for the console. Hover over the toggle switch to see a preview of Dark Mode. - Product Tour — Re-starts walk-through of Privilege Secure features. See the - [Product Tour](producttour.md) topic for additional information. + [Product Tour](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md) topic for additional information. - Settings — Opens the settings page to allow the user to register services - Logout — Signs the user out of the current session and opens the Login screen - About — Shows version and license information for the console. See the - [Import the License File](importlicense.md) topic for additional information. + [Import the License File](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md) topic for additional information. On the left side of the console is a Navigation pane where the pages for the selected interface display. Use the Menu button to the left of the logo to collapse / expand the Navigation pane. 
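Review bot: Two of the link lines rewritten in this navigation.md hunk carry over small defects that are cheap to fix while they are being touched. The My Activities line still ends "topic for additional. information." with a stray period, and the Policy line keeps a leading space inside the link text, `[ Policy Interface]`. The unchanged context also has "Activities are be displayed" and "in the in another browser tab", which could be cleaned up in the same commit.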
@@ -46,66 +46,66 @@ Interface Icons | Icon | Interface | | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![myactivities](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | -| ![dashboard](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | -| ![policy](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | -| ![users](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | -| ![resources](../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | -| ![credentials](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | -| ![activities](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | -| ![configuration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | -| ![servicenodes](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | -| ![auditreporting](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | +| ![myactivities](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | +| ![dashboard](/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | +| 
![policy](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | +| ![users](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | +| ![resources](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | +| ![credentials](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | +| ![activities](/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | +| ![configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | +| ![servicenodes](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | +| ![auditreporting](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | Dashboard Icons | Icon | Session Data | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![activedashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | -| ![scheduleddashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | -| ![approvalsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | -| ![historicaldashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | -| 
![usersdasshboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | -| ![resourcesdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | -| ![credentialsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | +| ![activedashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | +| ![scheduleddashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | +| ![approvalsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | +| ![historicaldashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | +| ![usersdasshboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | +| ![resourcesdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | +| ![credentialsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | Active Directory Icons | Icon | Object | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![chapter_1_stealthbits_privileged_12](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | -| 
![chapter_1_stealthbits_privileged_13](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | -| ![Collectionsicon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | -| ![Custom Role](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | -| ![Domain icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | -| ![Website icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | -| ![AzureAD icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | -| ![Secret Vault icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | -| ![Cisco icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | -| ![Windows icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | +| 
![chapter_1_stealthbits_privileged_12](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | +| ![chapter_1_stealthbits_privileged_13](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | +| ![Collectionsicon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | +| ![Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | +| ![Domain icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | +| ![Website icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | +| ![AzureAD icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | +| ![Secret Vault icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | +| ![Cisco icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | +| ![Windows icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | Action Icons | Icon | Action | | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ | -| ![chapter_1_stealthbits_privileged_16](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_16.webp) | Add | -| ![chapter_1_stealthbits_privileged_17](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_17.webp) | Edit | -| ![chapter_1_stealthbits_privileged_18](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_18.webp) | Delete | -| ![chapter_1_stealthbits_privileged_19](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_19.webp) | Save | -| ![chapter_1_stealthbits_privileged_20](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_20.webp) | Cancel | -| ![chapter_1_stealthbits_privileged_21](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_21.webp) | Copy | -| ![chapter_1_stealthbits_privileged_22](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_22.webp) | Search | +| ![chapter_1_stealthbits_privileged_16](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_16.webp) | Add | +| ![chapter_1_stealthbits_privileged_17](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_17.webp) | Edit | +| 
![chapter_1_stealthbits_privileged_18](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_18.webp) | Delete | +| ![chapter_1_stealthbits_privileged_19](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_19.webp) | Save | +| ![chapter_1_stealthbits_privileged_20](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_20.webp) | Cancel | +| ![chapter_1_stealthbits_privileged_21](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_21.webp) | Copy | +| ![chapter_1_stealthbits_privileged_22](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/chapter_1_stealthbits_privileged_22.webp) | Search | Information Icons | Icon | Information | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| ![chapter_1_stealthbits_privileged_23](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | -| ![chapter_1_stealthbits_privileged_24](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | -| ![chapter_1_stealthbits_privileged_25](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | -| ![chapter_1_stealthbits_privileged_26](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | -| 
![chapter_1_stealthbits_privileged_27](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | +| ![chapter_1_stealthbits_privileged_23](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | +| ![chapter_1_stealthbits_privileged_24](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | +| ![chapter_1_stealthbits_privileged_25](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | +| ![chapter_1_stealthbits_privileged_26](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | +| ![chapter_1_stealthbits_privileged_27](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | Hover over an icon anywhere within the console for its description. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md index 894de6279d..b695cbe2da 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md 
@@ -30,8 +30,8 @@ There are three options for Login Account Templates in an Activity: “sblab\jsmith” will be connected to a local account named “sblab_jsmith” **NOTE:** The value of each mask can be customized on the -[Properties Tab](tab/usersgroups/properties.md) of the Application details page. See the -[User, Group, & Application Details Page](page/details/usergroupapplication.md) topic for additional +[Properties Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md) of the Application details page. See the +[User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. ## Functions for Login Account Templates diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md index bc5d990292..8b7b6ee302 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md 
@@ -3,14 +3,14 @@ Follow the steps to add access policies to the console. _Remember,_ a connection profile is required to create an access policy. You can create one ahead of -time on the [Connection Profiles Page](../page/connectionprofiles.md) page or use the arrow button +time on the [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) page or use the arrow button to create one during these steps. **Step 1 –** Navigate to the Policy > Access Policies page. **Step 2 –** In the Access Policy list, click the Plus icon. -![Add Access Policy](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addaccesspolicy.webp) +![Add Access Policy](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addaccesspolicy.webp) **Step 3 –** Enter the following information: 
@@ -30,12 +30,12 @@ Resources/Credentials to the policy. See the following topics for additional inf - Resource Based Policy - - [Users Tab for Resource Based Access Policies](../tab/policyresource/users.md) - - [Activities Tab for Resource Based Access Policies](../tab/policyresource/activities.md) - - [Resources Tab for Resource Based Access Policies](../tab/policyresource/resources.md) + - [Users Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md) + - [Activities Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md) + - [Resources Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md) - Credential Based Policy - - [Users Tab for Credential Based Access Policies](../tab/policycredentials/users.md) - - [Activities Tab for Credential Based Access Policies](../tab/policycredentials/activities.md) - - [Credentials Tab for Credential Based Access Policies](../tab/policycredentials/credentials.md) + - [Users Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md) + - [Activities Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md) + - [Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md index bf3653ab22..52cc5ed1d6 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md @@ -6,7 +6,7 @@ Follow the steps to add activities to the console. **Step 2 –** In the Activities list, click the Add Activity icon. -![Add an Activity](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addactivity.webp) +![Add an Activity](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addactivity.webp) **Step 3 –** Enter the information for the desired activity. The configuration options will vary depending on each selection. @@ -39,7 +39,7 @@ options include: **Step 5 –** Click Save to create the new activity. **Step 6 –** With the new activity selected, configure the following settings. See the -[Add Action Window](../window/activities/addaction.md) topic for additional information: +[Add Action Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md) topic for additional information: - Pre-Session (Grant) — List of actions that will run before the session begins. These actions may be paired with a corresponding Post-Session action. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitygroup.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitygroup.md index f4cd303bd4..bcbb817315 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitygroup.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitygroup.md 
@@ -6,7 +6,7 @@ Follow the steps to add activity groups to the console. **Step 2 –** In the Activity Groups list, click the Add Activity Group icon. -![addactivitygroup](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/addactivitygroup.webp) +![addactivitygroup](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/addactivitygroup.webp) **Step 3 –** Enter the following information: @@ -18,6 +18,6 @@ Follow the steps to add activity groups to the console. **Step 5 –** With the new activity group selected, configure the following settings: - Add activities to the activity group. See the - [Add Activities Window](../window/activities/addactivities.md) topic for additional information. + [Add Activities Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addactivities.md) topic for additional information. The new activity group is added to the console and is shown in the Activity Groups list. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitytokencomplexity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitytokencomplexity.md index 2878769749..b66d42c307 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitytokencomplexity.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitytokencomplexity.md @@ -8,7 +8,7 @@ page. **Step 2 –** In the Activity Token Complexity list, click the **Plus** icon. -![Add Activity Token](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) +![Add Activity Token](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) **Step 3 –** Enter the desired information to determine the complexity of the connection profile. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md index 4b9d603e95..51e2748757 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md @@ -6,7 +6,7 @@ with the exception that Applications are not able to log on through the product has a unique name that is used to identify the application calling the API; authentication is via a combination of certificate serial number and API key. -![addapplication](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapplication.webp) +![addapplication](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapplication.webp) Follow the steps to add an Application to an Access Policy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofile.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofile.md index 31a1288ec1..681f9ebe01 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofile.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofile.md 
@@ -1,14 +1,14 @@ # Add Connection Profile Follow the steps to add a connection profile to the console. See the -[Connection Profiles Page](../page/connectionprofiles.md) topic for detailed descriptions of the +[Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) topic for detailed descriptions of the fields. **Step 1 –** Navigate to the Policy > **Access Policies** > Connection Profiles page. **Step 2 –** In the Connection Profiles list, click the **Plus** icon. -![Add Connection Profile](../../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/addconnectionprofile.webp) +![Add Connection Profile](/img/product_docs/accessanalyzer/admin/settings/connection/profile/addconnectionprofile.webp) **Step 3 –** Enter the desired information to configure a new connection profile. @@ -36,6 +36,6 @@ fields. **Step 4 –** Click Save to create the new connection profile. **Step 5 –** The new connection profile is created. To add an Approval Workflow, see the -[Add Approval Workflow](connectionprofileapproval.md) topic for additional information. +[Add Approval Workflow](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md) topic for additional information. The new connection profile is added to the Connection Profiles list. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md index de3d56e0c0..e949082641 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md 
@@ -12,15 +12,15 @@ Follow the steps to add an approval workflow to the console. **Step 2 –** Select the **Connection Profile** and click any field to edit. -![addapprovalworkflow](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapprovalworkflow.webp) +![addapprovalworkflow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapprovalworkflow.webp) **Step 3 –** In the Approval Workflow section, select Tiered and click Save. -![Add approval teir to workflow](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapprovalteirtoworkflow.webp) +![Add approval teir to workflow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addapprovalteirtoworkflow.webp) **Step 4 –** Once the policy has been created, click the Add Tier icon to add an Approval Tier. -![Tier 1 Escalation Options](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1escalationoptions.webp) +![Tier 1 Escalation Options](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1escalationoptions.webp) Workflow Tier(s) (only visible when Approval Type is set to Tiered): @@ -37,7 +37,7 @@ Workflow Tier(s) (only visible when Approval Type is set to Tiered): **Step 5 –** Click the **Edit** icon to open the Tier Escalation window. -![tierescalation](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tierescalation.webp) +![tierescalation](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tierescalation.webp) **Step 6 –** In the Tier Escalation window, enter the following information: 
@@ -48,11 +48,11 @@ Workflow Tier(s) (only visible when Approval Type is set to Tiered): **Step 7 –** Click Okay to save the escalation settings. -![Tier 1 Escalation Example](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1escalationexample.webp) +![Tier 1 Escalation Example](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1escalationexample.webp) **Step 8 –** Click the Add Approvers icon to open the Add Users and Groups as Approvers window. -![Add Users and Groups as Approvers](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addusersandgroupsasapprovers.webp) +![Add Users and Groups as Approvers](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addusersandgroupsasapprovers.webp) The Add Users and Groups as Approvers window has the following features: @@ -81,7 +81,7 @@ Available Users/Groups table. **Step 12 –** Click **Add** to add the Approvers to the Approval Tier. -![Tier 1 Example](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1example.webp) +![Tier 1 Example](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/tier1example.webp) **Step 13 –** Set the Approvals Required: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialgroup.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialgroup.md index b5c1808d79..0d93f457fb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialgroup.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialgroup.md 
@@ -6,7 +6,7 @@ Follow the steps to add credential groups to the Privilege Secure Console. **Step 2 –** In the Credential Groups list, click the Plus icon. -![Add credential group](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialgroup.webp) +![Add credential group](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialgroup.webp) **Step 3 –** Enter or select the following information: @@ -15,16 +15,16 @@ Follow the steps to add credential groups to the Privilege Secure Console. **Step 4 –** Click Save to create the new credential group. -![Credential Group add credentials button](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialstogroup.webp) +![Credential Group add credentials button](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialstogroup.webp) **Step 5 –** With the new credential group selected, click the **+ Add Credentials** button to open the Add Credentials window. -![addcredentials](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) +![addcredentials](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) **Step 6 –** Select the checkbox for the credential and click **Add** to save the credential to the Credential Group. See the -[Add Credentials to a Credential Group](../window/credentials/addcredentials.md#add-credentials-to-a-credential-group) +[Add Credentials to a Credential Group](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md#add-credentials-to-a-credential-group) topic for additional information. The new credential group is added to the console and is shown in the Credential Groups list. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialpolicyoverrides.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialpolicyoverrides.md index 3e3ca849eb..5b082e59ad 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialpolicyoverrides.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialpolicyoverrides.md @@ -6,7 +6,7 @@ Follow the steps to add Credential Policy Override to the Privilege Secure Conso **Step 2 –** In the Credential Policy Overrides list, click the Plus icon. -![Adding a credential policy override](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialpolicyoverride.webp) +![Adding a credential policy override](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialpolicyoverride.webp) **Step 3 –** Enter or select the following information: 
@@ -14,22 +14,22 @@ Follow the steps to add Credential Policy Override to the Privilege Secure Conso - Description — Description of the policy - Scheduled Change Policy — Select a previously added schedule policy from the drop-down list. How often the credentials for a managed account are changed (credential rotation). See the - [Credentials Dashboard](../../dashboard/credentials.md) and - [Schedule Policies Page](../page/schedulepolicies.md) topic for additional information. + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Verification Schedule — How often to verify the credentials for managed accounts on the resources - defined by the selected platform. See the [Credentials Dashboard](../../dashboard/credentials.md) + defined by the selected platform. See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. **Step 4 –** Click Save to create the new credential policy override. -![cpopageaddcredentials](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/cpopageaddcredentials.webp) +![cpopageaddcredentials](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/cpopageaddcredentials.webp) **Step 5 –** With the new Credential Policy Override selected, click the **Add Credentials** button to open the Add Credentials window. 
See the -[Add Credentials to a Policy Override](../window/credentials/addcredentials.md#add-credentials-to-a-policy-override) +[Add Credentials to a Policy Override](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md#add-credentials-to-a-policy-override) topic for additional information. -![Add credential to Credential Policy Override Window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialtocpowindow.webp) +![Add credential to Credential Policy Override Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentialtocpowindow.webp) **Step 6 –** Select the checkbox for the credential and click **Add** to save the credential to the Credential Policy Override. @@ -37,7 +37,7 @@ Credential Policy Override. **NOTE:** In order for an account to be added to add credentials window, a credential must be managed with a method of **Automatic**. Only one account can be added to a Credential Policy Override at a time. See the -[Manage Internal Service Accounts](../window/credentials/manageinternalserviceaccount.md) topic for +[Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for additional information. The account is added to the console and is shown in the Credential Policy Overrides list. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/customrole.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/customrole.md index 39d1fe6e48..f43a926ceb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/customrole.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/customrole.md 
@@ -3,7 +3,7 @@ The Add Role window allows users to add a role to Privilege Secure's Users & Groups Role Management module. -![usersgroupsaddrolewindow](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/usersgroupsaddrolewindow.webp) +![usersgroupsaddrolewindow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/usersgroupsaddrolewindow.webp) The Add Role window has the following features: @@ -25,5 +25,5 @@ Follow the steps below to add a role to the Users & Groups Role Management modu **Step 5 –** Click the Save button. Once saved, the next step is to assign Permissions and users to this role. See the -[Custom Role Details Page](../page/details/rolemanagementcustom.md) topic for additional +[Custom Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md index 57293e3275..f964fb1917 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md @@ -12,7 +12,7 @@ include: **Step 3 –** In the Enter Database Name box, enter a unique name to identify the database. -![Add Database](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/adddatabase.webp) +![Add Database](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/adddatabase.webp) **Step 4 –** Select **Microsoft SQL Server** or **Oracle** from the Platform drop-down list. 
@@ -32,7 +32,7 @@ include: **Step 9 –** From the drop-down menu, select a previously added service account with credentials for the database. -- See the [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional +- See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Visit icon – Go to the Service Account page to view details of the selected service account. @@ -43,5 +43,5 @@ the database. **Step 11 –** Click **Scan Now** to begin scanning the database. -The new database is now added. See the [Database Details Page](../page/details/databases.md) for +The new database is now added. See the [Database Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md) for additional details. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md index d3619bff94..e0dabe3d4c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md 
@@ -6,14 +6,14 @@ Follow the steps to add a domain to the console. **Step 2 –** Click the Plus icon and select Domain from the drop-down list. -![Add Domian Resource](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/adddomain.webp) +![Add Domian Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/adddomain.webp) **Step 3 –** Enter the following information: - Domain Name – Displays the fully qualified domain name (FQDN) - Service account – From the drop-down menu, select a previously added service account with credentials for the domain. See the - [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Add New Service Account – Open the Add New Service Account window. The fields are identical to @@ -27,5 +27,5 @@ Follow the steps to add a domain to the console. **Step 5 –** When the connection is verified, the Save button is enabled. Click Save to add the domain to the console. -The new domain has been on-boarded. See the [Domain Details Page](../page/details/domain.md) topic +The new domain has been on-boarded. See the [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md index ef32808e35..6009f9b890 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md 
@@ -7,7 +7,7 @@ Console. **Step 2 –** Click **Add** > **New Microsoft Entra ID Tenant** -![Add Azure AD Tenant](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addazureadtenant.webp) +![Add Azure AD Tenant](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addazureadtenant.webp) **Step 3 –** Enter the following information: @@ -24,7 +24,7 @@ Console. group membership information. This is unchecked by default. - Synchronize Now button — Scans the domain for users, groups, members, and computers. The Cancel button, which is only visible when scanning can be used to stop the resource scan. This scan can - also be scheduled from the [Platforms Page](../page/platforms/overview.md). + also be scheduled from the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - Service Account — Displays the service account associated with the resource - - Visit icon — Go to the Service Account page to view details of the selected service account. - Add New Service Account icon — Open the Add New Service Account window. The fields are @@ -33,4 +33,4 @@ Console. **Step 4 –** Click **Save** to add the Microsoft Entra ID Tenant to the console. The new Microsoft Entra ID tenant has been on-boarded. See the -[Microsoft Entra ID Details Page](../page/details/entraid.md) topic for additional information. +[Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md index 312f011801..1adc0fcf6e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md @@ -5,7 +5,7 @@ Privilege Secure database, and therefore are not dependent on Active Directory a logging in to Privilege Secure. Local users can be assigned to roles and access policies in exactly the same manner as domain users. -![addlocalusers](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addlocalusers.webp) +![addlocalusers](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addlocalusers.webp) Follow these steps to add a New Local Users. @@ -23,4 +23,4 @@ maintain the password entered in step 4. **Step 6 –** Click the Save button when finished. -Once saved, users can view the new Local User on the [Users & Groups Page](../page/usersgroups.md). +Once saved, users can view the new Local User on the [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/passwordcomplexity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/passwordcomplexity.md index deb84a8f0b..87ef0475ca 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/passwordcomplexity.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/passwordcomplexity.md @@ -6,7 +6,7 @@ Follow the steps to add a password policy to the console. **Step 2 –** In the Password Policy list, click the **Plus** icon. -![Add Password Complexity](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) +![Add Password Complexity](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) **Step 3 –** Complete the following fields: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/protectionpolicy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/protectionpolicy.md index a8ef1376e7..032bbbcea1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/protectionpolicy.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/protectionpolicy.md @@ -6,7 +6,7 @@ Follow the steps to add a Protection policy to the console. **Step 2 –** In the Protection Policy list, click the Plus icon. -![Add Protection Policy](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addprotectionpolicy.webp) +![Add Protection Policy](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addprotectionpolicy.webp) **Step 3 –** Enter the following information: @@ -18,6 +18,6 @@ Follow the steps to add a Protection policy to the console. The new protection policy has been created. The next step is to associate Resources, Users, and Schedule to the policy. See the following topics for additional information: -- [Resources Tab for Protection Policies](../tab/policyprotection/resources.md) -- [Allowed Members Tab for Protection Policies](../tab/policyprotection/allowedmembers.md) -- [Schedule Tab for Protection Policies](../tab/policyprotection/schedule.md) +- [Resources Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md) +- [Allowed Members Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md) +- [Schedule Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md) 
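Review bot: The three added link targets in the protectionpolicy.md `@@ -18,6 +18,6 @@` hunk hard-code the version segment `4.2` (for example `/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md`), whereas the relative `../tab/policyprotection/...` targets they replace were version-independent. If this directory is later copied to start the next version's docs, these links will keep pointing at the 4.2 pages without producing a broken-link error. Please confirm that a link check or a documented rewrite step covers that case, or keep same-version links relative.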
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/resourcegroup.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/resourcegroup.md index 08aedc53d3..e5c1570d80 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/resourcegroup.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/resourcegroup.md @@ -6,7 +6,7 @@ Follow the steps to add resource groups to the console. **Step 2 –** In the Resource Groups list, click the Plus icon. -![Add Resource Group](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addresourcegroup.webp) +![Add Resource Group](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addresourcegroup.webp) **Step 3 –** Enter or select the following information: @@ -39,7 +39,7 @@ Follow the steps to add resource groups to the console. **Step 5 –** With the new resource group selected, configure the following settings: - Add resources to the resource group. See the - [Add Resources Window for Resource Group](../window/resources/addresourcestogroup.md) topic for + [Add Resources Window for Resource Group](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md) topic for additional information. The new resource group is added to the console and is shown in the Resource Groups list. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/schedulepolicy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/schedulepolicy.md index df0be40f1f..a56321a509 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/schedulepolicy.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/schedulepolicy.md 
@@ -6,7 +6,7 @@ Follow the steps to add a schedule policy to the console. **Step 2 –** In the Schedule Polices list, click the **Plus** icon. -![Schedule Policy Editor Window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicyeditor.webp) +![Schedule Policy Editor Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicyeditor.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md index f49c927f9d..52fea37bbe 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md @@ -6,7 +6,7 @@ Follow the steps below to add a new secret vault to the console. **Step 2 –** Click the Plus icon and select New Secret Vault from the drop-down list. -![Add secrete Vault Resource](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addsecretvault.webp) +![Add secrete Vault Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/configuration/add/addsecretvault.webp) **Step 3 –** Enter the following information: 
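Review bot: The alt text on the added image line in the secretvault.md `@@ -6,7 +6,7 @@` hunk still reads "Add secrete Vault Resource"; since the line is being touched, correct it to "Add Secret Vault Resource". The image path also sits under `admin/configuration/add/` while the page itself is under `admin/policy/add/`, so it is worth confirming that `addsecretvault.webp` exists at the new absolute location.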
@@ -17,9 +17,9 @@ Follow the steps below to add a new secret vault to the console. **Step 4 –** Click **Save**. A secret vault has been onboarded. See the -[Secret Vault Details Page](../page/details/secretvault.md) topic for additional information. +[Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) topic for additional information. **CAUTION:** Next, you will have to manually enter and update credentials for each applicable user. Credentials are assigned through the Credential-based Access Policy for password release. See the -[Credentials Tab for Credential Based Access Policies](../tab/policycredentials/credentials.md) +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md index b57c0032ed..35b833c578 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md @@ -6,7 +6,7 @@ Follow the steps to add a Website Resource to the Privilege Secure Console. **Step 2 –** Click the Plus icon and select New Website from the drop-down list. -![Add New Website Resource](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addnewwebsite.webp) +![Add New Website Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addnewwebsite.webp) **Step 3 –** Enter the following information: 
@@ -23,7 +23,7 @@ Follow the steps to add a Website Resource to the Privilege Secure Console. - Service Account – _(optional)_ The service account used when activity _actions_ require a provisioned account to interact with the resource, e.g. custom PowerShell. From the drop-down menu, select a previously added service account. See the - [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Add New Service Account — Open the Add New Service Account window. The fields are identical to @@ -31,5 +31,5 @@ Follow the steps to add a Website Resource to the Privilege Secure Console. **Step 4 –** Click **Save** to add the website to the console. -The new website has been onboarded. See the [Website Details Page](../page/details/website.md) topic +The new website has been onboarded. See the [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/changepermissions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/changepermissions.md index dadad4d17f..cb0e572ba4 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/changepermissions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/changepermissions.md 
@@ -6,7 +6,7 @@ Follow the steps to add or remove permission assignments from a custom role. **Step 2 –** Click a custom role item from the left-hand menu. -![Custome Role Edit Permissions](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/customroleeditpermissions.webp) +![Custome Role Edit Permissions](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/customroleeditpermissions.webp) **Step 3 –** From the left-hand menu, check the boxes of one or more permissions to add to this custom role. Click the add selections Green Arrow. @@ -15,5 +15,5 @@ custom role. Click the add selections Green Arrow. remove from this custom role. Click the remove selections Red Arrow. Selected permissions have been added or removed from the custom role. See the -[Custom Role Details Page](../page/details/rolemanagementcustom.md) topic for additional +[Custom Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicy.md index 35e2fc0305..5a8fb79cab 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicy.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicy.md 
@@ -6,7 +6,7 @@ Follow the steps to edit the scheduled tasks. **Step 2 –** Click the Edit icon to open the Schedule Policy Editor window. -![schedulepolicyeditor](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicyeditor.webp) +![schedulepolicyeditor](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicyeditor.webp) **Step 3 –** From the Frequency radio buttons, set the frequency of how often the scheduled task is run: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md index 24c2c8a23a..3a9c1f427b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md 
@@ -4,38 +4,38 @@ The Policy interface provides users with options for creating access policies, i activity sessions, onboarding and managing users, groups, resources, and credentials. This topic explains the interface features and how to use them. -![Admin Policy Interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Admin Policy Interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) Select the Policy interface for related pages: -- [Access Policy Page](page/accesspolicy.md) — Add or modify user and group access to resources +- [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) — Add or modify user and group access to resources - - [Connection Profiles Page](page/connectionprofiles.md) — Add or modify connection profiles - - [Activity Token Complexity Page](page/activitytokencomplexity.md) — Add or modify the + - [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) — Add or modify connection profiles + - [Activity Token Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md) — Add or modify the complexity of activity tokens -- [Platforms Page](page/platforms/overview.md) — Add or modify the platforms used +- [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) — Add or modify the platforms used - - [Password Complexity Page](page/passwordcomplexity.md) — Configure the password complexity + - [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) — Configure the password complexity rules for the platform resources - - [Schedule Policies Page](page/schedulepolicies.md) — Add or modify schedules for tasks and + - [Schedule 
Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) — Add or modify schedules for tasks and policies -- [Protection Policies Page](page/protectionpolicies.md) — Add or modify protection policies -- [Users & Groups Page](page/usersgroups.md) — Add or modify users, groups, and applications +- [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) — Add or modify protection policies +- [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md) — Add or modify users, groups, and applications - - [Role Management Page](page/rolemanagement.md) — Add or modify roles for users and groups - - [User and Group Collections Page](page/usergroupcollections.md) — Add or modify user and group + - [Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) — Add or modify roles for users and groups + - [User and Group Collections Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usergroupcollections.md) — Add or modify user and group collections -- [Resources Page](page/resources.md) — Add or modify resources +- [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) — Add or modify resources - - [Resource Groups Page](page/resourcegroups.md) — Add or modify resource groups + - [Resource Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resourcegroups.md) — Add or modify resource groups -- [Credentials Page](page/credentials.md) — Add or modify credentials +- [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) — Add or modify credentials - - [Credential Groups Page](page/credentialgroups.md) — Add or modify credential groups + - [Credential Groups 
Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialgroups.md) — Add or modify credential groups -- [Activities Page](page/activities.md) — Add or modify activities +- [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) — Add or modify activities - - [Activity Groups Page](page/activitygroups.md) — Add or modify activity groups + - [Activity Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md) — Add or modify activity groups diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md index c8c6341b34..eefb081e8e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md 
@@ -4,14 +4,14 @@ The Access Policies page is accessible from the Navigation pane underPolicyPolic configured access policies, which are used to control which users can complete which activities on which resources. -![Access Policy Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Access Policy Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured access policies. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. -- Green + button — Create a new access policy. See the [Add Access Policy](../add/accesspolicy.md) +- Green + button — Create a new access policy. See the [Add Access Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md) topic for additional information. - Trashcan icon — Deletes the access policy. Icon appears when policy is hovered over. A confirmation window will display. 
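Review bot: In the accesspolicy.md `@@ -4,14 +4,14 @@` hunk, the "Access Policy Page" image points at `/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp`, which is in the Threat Prevention image tree and not under `privilegesecure`. The old relative path had the same target, so the rewrite is faithful, but the same file is also used for the Activity Token Complexity page later in this patch, which suggests a generic `page.webp` was picked up for both. Please verify that the screenshot matches the Access Policies page and, if not, point the link at the correct Privilege Secure image in this change.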
@@ -22,11 +22,11 @@ The selected access policy details display at the top of the main pane: - Description — Description of the policy - Type — Icon indicates the type of object: Resource Based or Credential Based - Connection Profile — Displays the name of the connection profile associated to the access policy. - The green arrow will open the [Connection Profiles Page](connectionprofiles.md) to add or edit + The green arrow will open the [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) to add or edit connection profiles. - User icon — Shows extra group of users who can manage this access policy. The icon appears only if a custom role has been assigned to a policy. See the - [Custom Role Details Page](details/rolemanagementcustom.md) for additional information. + [Custom Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md) for additional information. If any of these settings are modified, Save and Cancel buttons are displayed. Click **Save** to commit the modifications. Click **Cancel** to discard the modifications. 
@@ -38,11 +38,11 @@ See the following topics for additional information: - Resource Based Policy: - Users Tab for Resource Based Access Policies - - [Activities Tab for Resource Based Access Policies](../tab/policyresource/activities.md) - - [Resources Tab for Resource Based Access Policies](../tab/policyresource/resources.md) + - [Activities Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md) + - [Resources Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md) - Credential Based Policy: - - [Users Tab for Credential Based Access Policies](../tab/policycredentials/users.md) - - [Activities Tab for Credential Based Access Policies](../tab/policycredentials/activities.md) - - [Credentials Tab for Credential Based Access Policies](../tab/policycredentials/credentials.md) + - [Users Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md) + - [Activities Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md) + - [Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md index 4c053f0666..7ca2a08e7c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md 
@@ -6,20 +6,20 @@ privileges. Activities are for singular activities based on a specific platform whereas Activity Groups can be used for cross platform activities such as granting local administrator access. See the -[Activity Groups Page](activitygroups.md) topic for additional information. +[Activity Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md) topic for additional information. It is also possible to configure an activity to automatically run any Protection Policy associated with the resource when the session completes, instead of waiting for the scheduled sync. See the -[Add Action Window](../window/activities/addaction.md) topic for additional information. +[Add Action Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md) topic for additional information. -![Activities Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/activitiespage.webp) +![Activities Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/activitiespage.webp) The pane on the left side of the page displays a list of the configured activity. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. -- Green + button — Create a new activity. See the [Add Activity](../add/activity.md) topic for +- Green + button — Create a new activity. See the [Add Activity](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activity.md) topic for additional information. - Copy icon — Clones the activity and adds a new entry to the Activities list. Icon appears when activity is hovered over. 
@@ -48,7 +48,7 @@ The selected activity details display at the top of the main pane: - Login Account Template — Template determines the format of the account created for Managed, Activity Token, Resource, and Vault Login Accounts. The template is also used if the Requester login format is set to Custom. See the - [Login Account Templates](../activityloginaccounttemplates.md) topic for additional information. + [Login Account Templates](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md) topic for additional information. - Create Account checkbox — Indicates whether an account is created at the beginning of the activity if it does not already exist. When the Activity starts, a check is made to determine if an account exists. If the account exists, the user is connected to the account on the resource. If the @@ -69,7 +69,7 @@ The selected activity details display at the top of the main pane: **NOTE:** To view the password fetched from the vault, the Allow User to View Password checkbox must be selected in the connection profile associated with the access policy that gives the - requester rights to the activity. See the [Connection Profiles Page](connectionprofiles.md) + requester rights to the activity. See the [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) topic for additional information. - Application to Launch — Indicates the application that will be launched on the RDS server that the 
@@ -91,8 +91,8 @@ The selected activity details display at the top of the main pane: is only visible when the Platform is set to Active Directory. - Logon URL — Displays the primary logon page. When this field has a value, it will override the Logon URL defined on the Website resource. This option is only visible when the Platform is set to - Microsoft Entra ID or Website. See the [Microsoft Entra ID Details Page](details/entraid.md) and - [Website Details Page](details/website.md) topics for additional information. + Microsoft Entra ID or Website. See the [Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) and + [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) topics for additional information. If any of these settings are modified, Save and Cancel buttons are displayed. Click **Save** to commit the modifications. Click **Cancel** to discard the modifications. @@ -107,7 +107,7 @@ before, during, and after the session: may be paired with a corresponding Pre-Session action. A Link icon shows actions that are linked. Deleting a linked action will delete the corresponding -action it is paired with. See the [Add Action Window](../window/activities/addaction.md) topic for +action it is paired with. See the [Add Action Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md) topic for additional information. **NOTE:** It is not possible to edit the Action Type. Delete the existing action and then create a 
@@ -122,6 +122,6 @@ the environment. See each account type for a description. | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Requester | The Requester login account type will use the user's own account to run the activity. The user will either log onto the resource directly or be connected to the resource via the proxy. In both cases the user will have to enter their user name and password. This login account should be used to avoid having a separately managed account. The user needs to have a matching account on the endpoint and needs to know the password to login. | | Managed | The Managed login account type will used an account managed by Privilege Secure to run the activity. Once created, a Managed account will persist to the endpoint. When a session ends or is canceled, the password is automatically rotated. The account will not be removed afterward, but it will be disabled when at rest. The primary use case is for instances where the user desktop experience should persist across sessions. A Managed account can be a specific account name or based on any variable added to the Login Account Template. The password for a managed account is available to the user via the UI during an active session. 
| -| Activity Token | The Activity Token login account will use a unique time-limited ephemeral account created when the Activity is started and removed when it is completed. The account name is automatically generated from the user’s sAMAccountName and Session ID, filled out to as many characters as configured for the activity token. See the [Activity Token Complexity Page](activitytokencomplexity.md) topic for additional information. The account name can be entirely random or based on variables or text added to the Login Account Template. The primary use case is where the user profile should be destroyed after each session and have the user log-in to a clean desktop every time they connect; a common use case for remote vendors and contractors. | +| Activity Token | The Activity Token login account will use a unique time-limited ephemeral account created when the Activity is started and removed when it is completed. The account name is automatically generated from the user’s sAMAccountName and Session ID, filled out to as many characters as configured for the activity token. See the [Activity Token Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md) topic for additional information. The account name can be entirely random or based on variables or text added to the Login Account Template. The primary use case is where the user profile should be destroyed after each session and have the user log-in to a clean desktop every time they connect; a common use case for remote vendors and contractors. | | Resource | The Resource login account is only available when the Platform is set to Website. It allows manually managed user accounts on website resources to be used to log into activities. The user name is defined in the Requester Login Format field and must exactly match the username defined on the website resource. 
| | Vault | The Vault login account will use an account that is checked out of the specified vault to run the activity. The password provided by the vault is available to the user via the UI during an active session. When a session ends or is canceled, the password is checked into the vault. | diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md index e9744957e1..18489b6dd8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitygroups.md @@ -5,9 +5,9 @@ configured activities groups. Activities are for singular activities based on a specific platform whereas Activity Groups can be used for cross platform activities such as granting local administrator access. See the -[Activities Page](activities.md) topic for additional information. +[Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. -![addactivitygroup](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/addactivitygroup.webp) +![addactivitygroup](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/addactivitygroup.webp) The pane on the left side of the page displays a list of the configured activity group. This pane has the following features: 
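Review bot: The image alt text on the added line in the activitygroups.md `@@ -5,9 +5,9 @@` hunk is the bare file stem `addactivitygroup`, while sibling pages in this patch use descriptive text such as "Activities Page". Suggest replacing it with a descriptive alt text (for example "Activity Groups Page") so screen readers and broken-image fallbacks show something meaningful.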
@@ -15,7 +15,7 @@ has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Green + button — Create a new activity group. See the - [Add Activity Groups](../add/activitygroup.md) topic for additional information. + [Add Activity Groups](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitygroup.md) topic for additional information. - Trashcan icon — Deletes the activity group. Icon appears when activity is hovered over. A confirmation window will display. @@ -40,7 +40,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](activities.md) topic for additional details. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional details. - Created — Date timestamp when the item was created The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md index 55d939f880..bc16f864d8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md 
@@ -4,7 +4,7 @@ The Activity Token Complexity Policy page is accessible from the Navigation pane underPolicyPolicies>Activity Token ComplexityAccess Policies. It shows the configuration options for managing the complexity of activity tokens for connection profiles. -![Activity Token Complexity Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Activity Token Complexity Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured activity token complexity policies. This pane has the following features: @@ -12,7 +12,7 @@ policies. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Green + button — Create a new activity token complexity policy. See the - [Add Activity Token Complexity Policy](../add/activitytokencomplexity.md) topic for additional + [Add Activity Token Complexity Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/activitytokencomplexity.md) topic for additional information. - Trashcan icon — Deletes the activity token complexity policy. Icon appears when profile is hovered over. A confirmation window will display. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md index 309043549b..6aa597ee27 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md 
@@ -5,7 +5,7 @@ Policy** > **Connection Profiles**. It shows the configuration options for manag the selected access policy. An approval workflow can be configured so that the session must be approved before the requester of the session can log in. -![Connection Profiles Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Connection Profiles Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured connection profiles. This pane has the following features: @@ -13,7 +13,7 @@ pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Blue + button — Create a new connection profile. See the - [Add Connection Profile](../add/connectionprofile.md) topic for additional information. + [Add Connection Profile](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofile.md) topic for additional information. - Trashcan icon — Deletes the connection profile. Icon appears when profile is hovered over. A confirmation window will display. 
@@ -31,10 +31,10 @@ The selected profile details display in the main pane: used. - Allow Proxy Auto Connects — If disabled, the requester will be prompted for secondary authentication (password and MFA) when executing proxy connects from the - [Active Dashboard](../../dashboard/active.md). + [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md). - Record Proxy Sessions — Specify if the proxy will record the session. This will allow a user with the admin role to watch a remote session live, or review it later. See the - [Replay Viewer Window](../../dashboard/window/replayviewer.md) topic for additional + [Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) topic for additional information. - Session Control settings: 
@@ -45,13 +45,13 @@ The selected profile details display in the main pane: the requester will be notified within their RDP or SSH clients. This option will work whether the requestor logs on directly to the Resource, or connects via the proxy. - Enable Session Extension — Check to allow user to extend their current session. See the - [Start Activity Session](../../../enduser/dashboard/startsession.md) topic for additional + [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. - Extend By — The additional number of minutes that the session will be extended. See the - [Start Activity Session](../../../enduser/dashboard/startsession.md) topic for additional + [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. - Session Extension Limit — The number of times the user will be able to extend their session. - See the [Start Activity Session](../../../enduser/dashboard/startsession.md) topic for + See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. - Monitor for Logon — Monitor user logon to the resource - Monitor Interval (minutes) — Indicates how often Privilege Secure will poll a resource to 
@@ -81,15 +81,15 @@ The selected profile details display in the main pane: Number field when creating a session - Activity Token Complexity Policy — Establishes how complex an activity token must be. Users can choose custom polices created on the - [Activity Token Complexity Page](activitytokencomplexity.md). Left blank, the Console will use + [Activity Token Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activitytokencomplexity.md). Left blank, the Console will use the default activity token complexity policy. -![Connection Profiles Page Extended](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/pageextended.webp) +![Connection Profiles Page Extended](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/pageextended.webp) - Credential Management settings: - Allow User to Access Password — When checked, the user will be able to view or copy the - password from the [Active Dashboard](../../dashboard/active.md) for the managed account that + password from the [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/active.md) for the managed account that is used for the activity. The password that the user sees is valid only while the session is active. This option is enabled by default. - Enable credential auto-fill in browser extension — When checked, the Console will allow 
@@ -122,7 +122,7 @@ The selected profile details display in the main pane: - Automatic – No approval is required for the session - Tiered – Approval is required for the session. See the - [Add Approval Workflow](../add/connectionprofileapproval.md) topic for additional information. + [Add Approval Workflow](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/connectionprofileapproval.md) topic for additional information. If any of these settings are modified, Save and Cancel buttons are displayed. Click **Save** to commit the modifications. Click **Cancel** to discard the modifications. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialgroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialgroups.md index e71089a544..cd020cc19d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialgroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialgroups.md 
@@ -3,10 +3,10 @@ The Credential Groups page is accessible from the Navigation pane under Credentials. It shows the configured credential groups, which are used to control account assignments in Credential Based access policies. See the -[Credentials Tab for Credential Based Access Policies](../tab/policycredentials/credentials.md) +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) topic for additional information. -![Administrative Credential Group Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/credentialgroupspage.webp) +![Administrative Credential Group Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/credentialgroupspage.webp) The pane on the left side of the page displays a list of the configured credential groups. This pane has the following features: @@ -14,7 +14,7 @@ has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Blue + button — Create a new credential group. See the - [Add Credential Groups](../add/credentialgroup.md) topic for additional information. + [Add Credential Groups](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialgroup.md) topic for additional information. - Trashcan icon — Deletes the access policy. Icon appears when policy is hovered over. A confirmation window will display. 
@@ -33,7 +33,7 @@ The table has the following features: - Type — Provides options to filter results based on a chosen criterion: Internal, Standard, and Service - Add Credentials — Opens the Add Credentials window. See the - [Add Credentials to a Credential Group](../window/credentials/addcredentials.md#add-credentials-to-a-credential-group) + [Add Credentials to a Credential Group](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md#add-credentials-to-a-credential-group) topic for additional information. - Remove — Removes the selected item - Refresh — Reload the information displayed 
@@ -52,23 +52,23 @@ The table has the following columns: - Method — Indicates how the account is managed: - Automatic — Credential rotation is managed by Privilege Secure according to the change policy - for that platform type. See the [Platforms Page](platforms/overview.md) topic for additional + for that platform type. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Manual — Credential rotation must be initiated manually with the Rotate Service Account button, or the credential must be manually updated on both the resource and in Privilege - Secure. See the [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for + Secure. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for information on updating credentials for Internal service accounts. - Not Managed — Not currently managed by Privilege Secure and no credentials have ever been stored - **NOTE:** See the [Rotation Methods](../credentialrotationmethod.md) topic for additional + **NOTE:** See the [Rotation Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/credentialrotationmethod.md) topic for additional information. - Managed Type — Type of managed account: - Standard — Local or domain user account, including managed users created by activity sessions - Internal — Internal service account used by Privilege Secure with no dependencies. See the - [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Service — Local or domain service account with one or more dependencies. Includes Internal service accounts with one or more dependencies. 
@@ -78,7 +78,7 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](platforms/overview.md) topic for additional information on configuring a + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverrides.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverrides.md index 7f2b686136..0157c2f250 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverrides.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverrides.md @@ -6,7 +6,7 @@ Policy Override, that credential's scheduled change policy and verification sche inherited from the Credential Policy Override, rather than being inherited from the credential's platform. -![Credential Policy Overrides Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverridepage.webp) +![Credential Policy Overrides Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverridepage.webp) The pane on the left side of the page displays a list of the configured Credential Policy Overrides. This pane has the following features: 
@@ -14,7 +14,7 @@ This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Blue + button — Create a new credential group. See the - [Add Credential Policy Override](../add/credentialpolicyoverrides.md) topic for additional + [Add Credential Policy Override](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/credentialpolicyoverrides.md) topic for additional information. - Trashcan icon — Deletes the policy. Icon appears when policy is hovered over. A confirmation window will display. @@ -32,7 +32,7 @@ The table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add Credentials — Opens the Add Credentials window. See the - [Add Credentials Window](../window/credentials/addcredentials.md) topic for additional + [Add Credentials Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md) topic for additional information. - Remove — Removes the selected item - Refresh — Reload the information displayed @@ -51,7 +51,7 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](platforms/overview.md) topic for additional information on configuring a + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md index c8e61445b1..0fda5f6011 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md @@ -4,9 +4,9 @@ The Credentials page shows all accounts discovered within your environment. It i focused on managing service account password rotation. A managed account is any host local account, domain account, or Privilege Secure application local account that has its credentials managed by the application. This includes managed user accounts created by activity sessions. The Credentials -page displays the same information as the [Credentials Dashboard](../../dashboard/credentials.md). +page displays the same information as the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md). -![Credentials page](../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Credentials page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) The page has the following features: 
@@ -25,21 +25,21 @@ The page has the following features: - Manage — Set the selected account to be managed by Privilege Secure. This button is only available when the account Managed Type is Standard or Internal. For an Internal account, a pop up window will display. See the - [Manage Internal Service Accounts](../window/credentials/manageinternalserviceaccount.md) section + [Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) section for additional information. - Unmanage — Remove the account from being managed by Privilege Secure - Rotate Service Account — Opens the Account Dependencies window. This button is only available when the Managed Type is Service. See the - [Account Dependencies Window](../window/credentials/accountdependencies.md) topic for additional + [Account Dependencies Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md) topic for additional information. - Schedule Rotation — Add the credential rotation task to the queue. This button is only available when the Method is Automatic managed. See the - [Scheduled Tasks Page](../../configuration/page/scheduledtasks.md) topic for additional + [Scheduled Tasks Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/scheduledtasks.md) topic for additional information. - Verify — Checks that the credentials for the selected account match the credentials set by Privilege Secure - View History — Opens the Password History window to displays the password history for the account. - See the [Password History Window](../window/credentials/passwordhistory.md) topic for additional + See the [Password History Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md) topic for additional information. - Refresh — Reload the information displayed 
@@ -50,12 +50,12 @@ The table has the following columns: - Set Password icon — Opens the Set Password for Credential window to set a new password for the selected account. See the - [Manage Internal Service Accounts](../window/credentials/manageinternalserviceaccount.md) + [Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for more information. - Clipboard icon — Copies the password for the selected account - Information icon — Opens the View Password window to view the password and copy it to the clipboard. The window stays open for 20 seconds. See the - [View Password Window](../window/credentials/viewpassword.md) topic for additional + [View Password Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md) topic for additional information. - Resource — Name of the resource that the account is on. Click the link to view additional details. 
@@ -64,23 +64,23 @@ The table has the following columns: - Method — Indicates how the account is managed: - Automatic — Credential rotation is managed by Privilege Secure according to the change policy - for that platform type. See the [Platforms Page](platforms/overview.md) topic for additional + for that platform type. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Manual — Credential rotation must be initiated manually with the Rotate Service Account button, or the credential must be manually updated on both the resource and in Privilege - Secure. See the [Service Accounts Page](../../configuration/page/serviceaccounts.md) section + Secure. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) section for information on updating credentials for Internal service accounts. - Not Managed — Not currently managed by Privilege Secure and no credentials have ever been stored - **NOTE:** See the [Rotation Methods](../credentialrotationmethod.md) topic for additional + **NOTE:** See the [Rotation Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/credentialrotationmethod.md) topic for additional information. - Managed Type — Type of managed account: - Standard — Local or domain user account, including managed users created by activity sessions - Internal — Internal service account used by Privilege Secure with no dependencies. See the - [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Service — Local or domain service account with one or more dependencies. Includes Internal service accounts with one or more dependencies. 
@@ -90,7 +90,7 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](platforms/overview.md) topic for additional information on configuring a + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md index b55f36ed39..d0c0b18c2a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md @@ -3,7 +3,7 @@ The Database Details page displays information for the selected database resource. This page is opened from any linked resource within the various interfaces. -![Database Details page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/databasedetailspage.webp) +![Database Details page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/databasedetailspage.webp) The Database Details page shows the following information: 
@@ -19,11 +19,11 @@ The Database Details page shows the following information: **NOTE:** The domain is used as the default domain for database activities. - Service Account — Displays the service account associated with the resource. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Scan Now button — Scans the domain for users, groups, members, and computers. The Cancel button, which is only visible when scanning can be used to stop the resource scan. This scan can also be - scheduled from the [Platforms Page](../platforms/overview.md). + scheduled from the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - Status — During synchronization, the button displays as spinning @@ -35,7 +35,7 @@ commit the modifications. Click **Cancel** to discard the modifications. - Users – Displays database login accounts that are not domain users or local computer users - Groups – Displays login accounts that are domain users or local computer accounts - Databases – Displays a list of discovered databases See the - [Databases Tab](../../tab/resources/databases.md) topic for additional information. + [Databases Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/databases.md) topic for additional information. - Roles – Displays roles and who has those roles on the database and at the server level - Sessions – Displays previous sessions that have used this resource as a target - Access Policies – Displays a list of access policies that this resource belongs to 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md index 5bab5872d8..3bc35360db 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md @@ -3,7 +3,7 @@ The Domain Details page shows additional information for the selected domain resource. This page is opened from any linked resource within the various interfaces. -![Domain Details Page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/domaindetailspage.webp) +![Domain Details Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/domaindetailspage.webp) The details page shows the following information: @@ -24,7 +24,7 @@ The details page shows the following information: - Synchronize Now button — Scans the domain for users, groups, members, and computers. The Cancel button, which is only visible when scanning can be used to stop the resource scan. This scan can - also be scheduled from the [Platforms Page](../platforms/overview.md). + also be scheduled from the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - Platform — Displays the type of platform, which defines the resource - Service Account — Displays the service account associated with the resource - Use TLS checkbox — Enables a secure connection to the domain 
@@ -43,8 +43,8 @@ commit the modifications. Click **Cancel** to discard the modifications. The details page has the following tabs: -- [Users Tab for Domain](../../tab/resources/usersdomain.md) -- [Groups Tab for Domain](../../tab/resources/groupsdomain.md) -- [Computers Tab for Domain](../../tab/resources/computersdomain.md) -- [History Tab for Domain](../../tab/resources/historydomain.md) -- [Sync Errors Tab for Domain](../../tab/resources/syncerrorsdomain.md) +- [Users Tab for Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.md) +- [Groups Tab for Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.md) +- [Computers Tab for Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.md) +- [History Tab for Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.md) +- [Sync Errors Tab for Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md index c53dceede0..79e0aa889e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md 
@@ -4,7 +4,7 @@ The Microsoft Entra ID (formerly Azure AD) Details page shows additional informa selected Microsoft Entra ID Tenant resource. This page is opened from any linked resource within the various interfaces. -![Azure AD Details page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/azureaddetailspage.webp) +![Azure AD Details page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/azureaddetailspage.webp) The details page shows the following information: @@ -23,7 +23,7 @@ The details page shows the following information: group membership information. This is unchecked by default. - Synchronize Now button — Scans the domain for users, groups, members, and computers. The Cancel button, which is only visible when scanning can be used to stop the resource scan. This scan can - also be scheduled from the [Platforms Page](../platforms/overview.md). + also be scheduled from the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - Service Account — Displays the service account associated with the resource If any of these settings are modified, Save and Cancel buttons are displayed. Click **Save** to 
@@ -31,10 +31,10 @@ commit the modifications. Click **Cancel** to discard the modifications. The details page has the following tabs: -- [URLs Tab for Microsoft Entra ID](../../tab/resources/urlsentraid.md) -- [Users Tab for Microsoft Entra ID](../../tab/resources/usersentraid.md) -- [Groups Tab for Microsoft Entra ID](../../tab/resources/groupsentraid.md) -- [Sessions Tab for Microsoft Entra ID](../../tab/resources/sessionsentraid.md) -- [Access Policies Tab for Microsoft Entra ID](../../tab/resources/accesspoliciesentraid.md) -- [History Tab for Microsoft Entra ID](../../tab/resources/historyentraid.md) -- [Applications Tab for Microsoft Entra ID](../../tab/resources/applicationsentraid.md) +- [URLs Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlsentraid.md) +- [Users Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersentraid.md) +- [Groups Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsentraid.md) +- [Sessions Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsentraid.md) +- [Access Policies Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesentraid.md) +- [History Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyentraid.md) +- [Applications Tab for Microsoft Entra ID](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsentraid.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md index 6d5f813457..4ef0aff915 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md @@ -3,7 +3,7 @@ The Host Details page shows additional information for the selected host resource. This page is opened from any linked resource within the various interfaces. -![Host Details Page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/hostdetailspage.webp) +![Host Details Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/hostdetailspage.webp) The details page displays the following information: 
@@ -13,22 +13,22 @@ The details page displays the following information: - Active — Displays the number of active sessions on the resource - Scheduled — Displays the number of sessions scheduled for the resource - Test button — Opens the Test Resource Connectivity window. See the - [Test Resource Connectivity Window](../../window/resources/testresourceconnectivity.md) topic + [Test Resource Connectivity Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.md) topic for additional information. - Scan Now button — Scans a host resource for local users, groups, windows services, and scheduled tasks. A confirmation window will display.. The Cancel button, which is only visible when scanning can be used to stop the resource scan. This scan can also be scheduled from the - [Platforms Page](../platforms/overview.md). + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - WinRM Config button — Opens the Configure Secure WinRM Connection window. See the - [Configure Secure WinRM Connection Window](../../window/resources/configuresecurewinrmconnection.md) + [Configure Secure WinRM Connection Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/configuresecurewinrmconnection.md) topic for additional information. - Platform — Displays the type of platform, which defines the resource - Service Account — Displays the service account associated with the resource - Blue arrow button — Opens the Service Account details page. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Green plus button — Opens the Add New Service Account window. 
See the - [Add New Service Account Window](../../window/resources/addnewserviceaccount.md) topic for + [Add New Service Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md) topic for additional information. - IP Address — Displays the IP address for the resource - SSH Port — Displays the SSH port number 
@@ -55,12 +55,12 @@ commit the modifications. Click **Cancel** to discard the modifications. The details page has the following tabs: -- [Sessions Tab for Host](../../tab/resources/sessionshost.md) -- [Access Policies Tab for Host](../../tab/resources/accesspolicieshost.md) -- [Protection Policies Tab for Host](../../tab/resources/protectionpolicieshost.md) -- [Users Tab for Host](../../tab/resources/usershost.md) -- [Groups Tab for Host](../../tab/resources/groupshost.md) -- [Services Tab for Host](../../tab/resources/serviceshost.md) -- [Scheduled Tasks Tab for Host](../../tab/resources/scheduledtaskshost.md) -- [History Tab for Host](../../tab/resources/historyhost.md) -- [Installed Software Tab for Host](../../tab/resources/installedsoftwarehost.md) +- [Sessions Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.md) +- [Access Policies Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.md) +- [Protection Policies Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.md) +- [Users Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.md) +- [Groups Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.md) +- [Services Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.md) +- [Scheduled Tasks Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.md) +- [History Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.md) +- [Installed Software Tab for Host](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.md) 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md index 611462c2af..47487f99ab 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md @@ -4,7 +4,7 @@ The Role Management page is accessible from the Navigation pane under Users & Gr details on all available roles for Privilege Secure users. There are default roles, and custom roles can be created. -![Custome Role Page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customrolepage.webp) +![Custome Role Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customrolepage.webp) When a custom role is selected, the selected role details display at the top of the main pane with the following features: @@ -19,7 +19,7 @@ the following features: - Filter — Provides options to filter results based on a chosen criterion: User, Group, Application, Collection, and Local User - Add Role User — Opens Add Role Users window. See the - [Add Role Users Window](../../window/usersgroups/addroleusers.md) topic for additional + [Add Role Users Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.md) topic for additional information. - Remove — Removes console access from the selected account. This button is specific to the table in the Users role assignment section at the bottom. 
@@ -31,7 +31,7 @@ The Users role assignment section table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. See the - [User, Group, & Application Details Page](usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account @@ -45,7 +45,7 @@ The table columns can be resized and sorted in ascending or descending order. Each permission gives specific rights to users with the selected role. Permissions on the left are not associated with the role. Permissions on the right are assigned to the selected role. -![Custom Role Permission Assignment](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customerolepermissionassignment.webp) +![Custom Role Permission Assignment](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customerolepermissionassignment.webp) Available permissions include: 
@@ -60,20 +60,20 @@ Available permissions include: the Resources tab to scope the permission to specific Resources. All custom roles, no matter what permissions are granted, can be scoped to specific policies. See -the [Change Permission Assignment](../../edit/changepermissions.md) topic for additional +the [Change Permission Assignment](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/changepermissions.md) topic for additional information. ## Policy Tab The Policy tab for a custom role has the following features: -![Policies Tab for Custom Roles](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customrolepoliciestab.webp) +![Policies Tab for Custom Roles](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customrolepoliciestab.webp) - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. This search is specific to the table in the Policies tab. - Add Policies — Opens the Add Policies window. See the - [Add Policies Window](../../window/usersgroups/addpolicies.md) topic for additional information. + [Add Policies Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addpolicies.md) topic for additional information. - Remove — Removes console access from the selected account.This button is specific to the table in the Policies tab. - Refresh — Reload the information displayed. This button is specific to the table in the Policies 
@@ -83,14 +83,14 @@ The Policies tab table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the policy. Click the link to view additional details. See the - [Access Policy Page](../accesspolicy.md) topic for additional information. + [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Description — Description of the policy ## Users Tab The Users tab for a custom role has the following features: -![Users Tab for Custom Role](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleuserstab.webp) +![Users Tab for Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleuserstab.webp) - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. This search is specific to the table in the @@ -98,7 +98,7 @@ The Users tab for a custom role has the following features: - Type — Provides options to filter results based on a chosen criterion: User, Group, Application, Collection, and Local User - Add Users— Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Remove — Removes console access from the selected account.This button is specific to the table in the Policies tab. 
@@ -110,7 +110,7 @@ The Users tab table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. See the - [User, Group, & Application Details Page](usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account @@ -121,14 +121,14 @@ The Users tab table has the following columns: The Activities tab for a custom role has the following features: -![Activities Tab for Custom Roles](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleactivitiestab.webp) +![Activities Tab for Custom Roles](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleactivitiestab.webp) - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. This search is specific to the table in the Activities tab. - Type — Provides options to filter results based on a chosen criterion: Activity or Activity Group - Add Activities — Opens the Add Activities and Activity Groups window. See the - [Add Activities and Groups Window](../../window/usersgroups/addactivitiesandgroups.md) topic for + [Add Activities and Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandgroups.md) topic for additional information. - Remove — Removes console access from the selected account.This button is specific to the table in the Policies tab. 
@@ -140,20 +140,20 @@ The Activities tab table has the following columns: - Checkbox — Check to select one or more items - Type — Classification of the activity - Name — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. ## Resources Tab The Resources tab for a custom role has the following features: -![Resources Tab for Custom Role](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleresourcestab.webp) +![Resources Tab for Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleresourcestab.webp) - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. This search is specific to the table in the Resources tab. - Type — Provides options to filter results based on a chosen criterion: Resource or Resource Group - Add Resources — Opens the Add Resources and Groups window. See the - [Add Resources and Groups Window](../../window/usersgroups/addresourcesandgroups.md) topic for + [Add Resources and Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandgroups.md) topic for additional information. - Remove — Removes console access from the selected account.This button is specific to the table in the Policies tab. 
@@ -164,7 +164,7 @@ The Resources tab table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object -- Name — Displays the name of the resource. See the [Resources Page](../resources.md) topic for +- Name — Displays the name of the resource. See the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for additional information. - Operating System — Displays the operating system of the resource @@ -173,7 +173,7 @@ The Resources tab table has the following columns: Role Users is located at the bottom of the Custom Role details page. This will be the user that has access to the Custom Role. -![Role Users for Custom Role](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleusers.webp) +![Role Users for Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/customroleusers.webp) The Role Users has the following features: @@ -183,7 +183,7 @@ The Role Users has the following features: - Type — Provides options to filter results based on a chosen criterion: User, Group, Application, Collection, and Local User - Add Role Users— Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Remove — Removes console access from the selected account. This button is specific to the table in the Policies tab. 
@@ -195,7 +195,7 @@ The Role Users table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. See the - [User, Group, & Application Details Page](usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementdefault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementdefault.md index 2c7be3b0f3..4471650a46 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementdefault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementdefault.md @@ -4,7 +4,7 @@ The Role Management page is accessible from the Navigation pane under Users & Gr details on all available roles for Privilege Secure users. There are default roles, and custom roles can be created. -![rolemanagementpage](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/rolemanagementpage.webp) +![rolemanagementpage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/rolemanagementpage.webp) When a default role (Administrator, User, or Reviewer) is selected, the selected role details display at the top of the main pane with the following features: 
@@ -17,20 +17,20 @@ display at the top of the main pane with the following features: - Add User — The Add options change based on the selected role: - Administrator — Opens the Add Administrators window. See the - [Add Administrators Window](../../window/usersgroups/addadministrators.md) topic for + [Add Administrators Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.md) topic for additional information. - Users — Opens a list of available user types to add - New Domain Users — Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../../window/usersgroups/addusersandgroups.md) topic for + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - New Application User — Opens the Add Application page. See the - [Add Application](../../add/application.md) for additional information. + [Add Application](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md) for additional information. - New Local User — Opens the Add Local User page. See - [Add Local User](../../add/localuser.md) topic for additional information. + [Add Local User](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md) topic for additional information. - Reviewers — Opens the Add Reviewers window. See the - [Add Reviewers Window](../../window/usersgroups/addreviewers.md) topic for additional + [Add Reviewers Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.md) topic for additional information. - Remove — Removes console access from the selected account 
@@ -41,7 +41,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. Click the link to view additional details. See the - [User, Group, & Application Details Page](usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - Email — Displays the associated email address, if available @@ -57,5 +57,5 @@ The default roles provide users with the following permissions: - Users — Creates sessions based on assigned access policy. This role is automatically assigned when a user is onboarded. - Reviewers — Grants ability to review access entitlement. See the - [Access Certification Page](../../../auditreporting/page/accesscertification.md) topic for + [Access Certification Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md index 6d99c338d5..c59e826749 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md 
@@ -5,10 +5,10 @@ This page is opened from any linked resource within the various interfaces. Secret Vaults are used to store any manually-managed resource, username, or password combination. Credentials are assigned via Credential Based access policies for password release. See the -[Credentials Tab for Credential Based Access Policies](../../tab/policycredentials/credentials.md) +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md) topic for additional information. -![Secrete Vault Details Page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/seretvaultdetailspage.webp) +![Secrete Vault Details Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/seretvaultdetailspage.webp) The details page shows the following information: @@ -23,6 +23,6 @@ commit the modifications. Click **Cancel** to discard the modifications. The details page has the following tabs: -- [Accounts Tab for Secret Vault](../../tab/resources/accountssecretvault.md) -- [Sessions Tab for Secret Vault](../../tab/resources/sessionssecretvault.md) -- [History Tab for Secret Vault](../../tab/resources/historysecretvault.md) +- [Accounts Tab for Secret Vault](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.md) +- [Sessions Tab for Secret Vault](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionssecretvault.md) +- [History Tab for Secret Vault](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.md) 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md index 61c3f3cb01..08611820fd 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md @@ -3,7 +3,7 @@ The User, Group, & Application Details page shows additional information on the selected user or group. This page is opened from the link in the user or group column within the various interfaces. -![Users and Groups Details page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/usersgroupsdetailspage.webp) +![Users and Groups Details page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/usersgroupsdetailspage.webp) The page has the following features: @@ -18,7 +18,7 @@ The page has the following features: be able to create a session. Click the button to unlock the account. - Reset MFA — Click the button to force the user to reset MFA for Privilege Secure login. Resetting the user's MFA will generate a new TOTP secret for the user to register an authenticator. See - [Reset User MFA](../../window/usersgroups/resetmfa.md) topic for additional information. + [Reset User MFA](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/resetmfa.md) topic for additional information. **NOTE:** This button will not be visible if the present user has their Authentication Connector set to Not Required 
@@ -28,26 +28,26 @@ additional information: - User Details: - - [Sessions Tab](../../tab/usersgroups/sessions.md) - - [Policies Tab](../../tab/usersgroups/policies.md) - - [Local Rights Tab](../../tab/usersgroups/localrights.md) - - [History Tab](../../tab/usersgroups/history.md) - - [Authentication Connector Tab](../../tab/usersgroups/authenticationconnector.md) - - [User Roles Tab](../../tab/usersgroups/userroles.md) + - [Sessions Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md) + - [Policies Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md) + - [Local Rights Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/localrights.md) + - [History Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md) + - [Authentication Connector Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md) + - [User Roles Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroles.md) - Group Details: - - [Sessions Tab](../../tab/usersgroups/sessions.md) - - [Members Tab](../../tab/usersgroups/members.md) - - [Policies Tab](../../tab/usersgroups/policies.md) - - [History Tab](../../tab/usersgroups/history.md) - - [Authentication Connector Tab](../../tab/usersgroups/authenticationconnector.md) - - [Group Roles Tab](../../tab/usersgroups/grouproles.md) + - [Sessions Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md) + - [Members Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/members.md) + - [Policies Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md) + - [History 
Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md) + - [Authentication Connector Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md) + - [Group Roles Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/grouproles.md) - Application Details: - - [Sessions Tab](../../tab/usersgroups/sessions.md) - - [Policies Tab](../../tab/usersgroups/policies.md) - - [History Tab](../../tab/usersgroups/history.md) - - [Authentication Tab](../../tab/usersgroups/authentication.md) - - [Properties Tab](../../tab/usersgroups/properties.md) + - [Sessions Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md) + - [Policies Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md) + - [History Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md) + - [Authentication Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authentication.md) + - [Properties Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md index 6c254bd63c..b76bd4956d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md 
@@ -3,7 +3,7 @@ The Website Details page shows additional information for the selected website resource. This page is opened from any linked resource within the various interfaces. -![Website Resource details page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/websitedetails.webp) +![Website Resource details page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/websitedetails.webp) The details page shows the following information: @@ -21,10 +21,10 @@ The details page shows the following information: website will reference for authentication. - Service Account — Displays the service account associated with the resource - Blue arrow button — Opens the Service Account details page. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Green plus button — Opens the Add New Service Account window. See the - [Add New Service Account Window](../../window/resources/addnewserviceaccount.md) topic for + [Add New Service Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md) topic for additional information. If any of these settings are modified, Save and Cancel buttons are displayed. Click **Save** to 
@@ -32,8 +32,8 @@ commit the modifications. Click **Cancel** to discard the modifications. The details page has the following tabs: -- [URLs Tab for Website](../../tab/resources/urlswebsite.md) -- [Users Tab for Website](../../tab/resources/userswebsite.md) -- [Sessions Tab for Website](../../tab/resources/sessionswebsite.md) -- [Access Policies Tab for Website](../../tab/resources/accesspolicieswebsite.md) -- [History Tab for Website](../../tab/resources/historywebsite.md) +- [URLs Tab for Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlswebsite.md) +- [Users Tab for Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/userswebsite.md) +- [Sessions Tab for Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionswebsite.md) +- [Access Policies Tab for Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieswebsite.md) +- [History Tab for Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historywebsite.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md index bad3f0359f..302bd974c1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md 
@@ -6,7 +6,7 @@ shows configured password complexity policies that can be applied to platforms. When Privilege Secure creates a managed account on a local system or domain it also sets the user password. The password that is generated will follow the complexity rules configured in the related password policy associated with that platform. The Default policy is used if a password policy -cannot be determined. See the [Platforms Page](platforms/overview.md) topic for additional +cannot be determined. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. Password complexity requirements must adhere to any domain or local password policy applied to the @@ -17,7 +17,7 @@ fail. Create password policies and configure the password complexity requirements on this page. The password policy only applies to managed accounts created by Privilege Secure. -![Password Complexity Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Password Complexity Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured password complexity policies. This pane has the following features: 
@@ -25,7 +25,7 @@ policies. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Blue + button — Create a new password complexity policy. See the - [Add Password Complexity Policy](../add/passwordcomplexity.md) topic for additional information. + [Add Password Complexity Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/passwordcomplexity.md) topic for additional information. - Copy icon — Create a new password complexity policy based on the current selection. Icon appears when policy is hovered over. - Trashcan icon — Deletes the password complexity policy. Icon appears when policy is hovered over. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/activedirectory.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/activedirectory.md index 81bdbefd65..9d491ba2fe 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/activedirectory.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/activedirectory.md @@ -2,7 +2,7 @@ The Active Directory menu displays the configuration options for Active Directory platforms. -![Active Directory Platform Configuration](../../../../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Active Directory Platform Configuration](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for an Active Directory Platform. 
@@ -16,16 +16,16 @@ configuration options for an Active Directory Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Password Length — The number of characters required by the selected password policy - Arrow icon — Show or Hide password policy details. Click the icon to display the password complexity requirements of the selected password policy. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.md index dfb44ecbb7..29066f3174 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.md @@ -2,7 +2,7 @@ The Cisco menu displays the configuration options for Cisco platforms. -![Cisco Platform Configuration](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.webp) +![Cisco Platform Configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Cisco Platform. 
@@ -16,19 +16,19 @@ configuration options for a Cisco Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Password Length — The number of characters required by the selected password policy - Arrow icon — Show or Hide password policy details. Click the icon to display the password complexity requirements of the selected password policy. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. 
See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/entraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/entraid.md index 499a3b3333..160640a0cb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/entraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/entraid.md @@ -3,7 +3,7 @@ The Microsoft Entra ID (formerly Azure AD) menu displays the configuration options for Microsoft Entra ID platforms. -![Azure AD Platform Configuration](../../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azuread.webp) +![Azure AD Platform Configuration](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/azuread.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for an Microsoft Entra ID Platform. 
@@ -17,19 +17,19 @@ configuration options for an Microsoft Entra ID Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Password Length — The number of characters required by the selected password policy - Arrow icon — Show or Hide password policy details. Click the icon to display the password complexity requirements of the selected password policy. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. 
See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/linux.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/linux.md index 1c4a560340..44c5852339 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/linux.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/linux.md @@ -2,7 +2,7 @@ The Linux menu displays the configuration options for Linux platforms. -![Linux Platform Configuration](../../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) +![Linux Platform Configuration](/img/product_docs/activitymonitor/activitymonitor/admin/outputs/linux.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Linux Platform. 
@@ -16,21 +16,21 @@ configuration options for a Linux Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Password Length — The number of characters required by the selected password policy - Arrow icon — Show or Hide password policy details. Click the icon to display the password complexity requirements of the selected password policy. - Protection Policy Schedule — How often the Protection Policy is run. See the - [Protection Policies Page](../protectionpolicies.md) topic for additional information. + [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) topic for additional information. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). 
- Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.md index 9e8e709a3f..b2ba2acb06 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.md @@ -2,7 +2,7 @@ The Microsoft SQL Server menu displays the configuration options for Microsoft SQL Server platforms. -![Microsoft SQL Server Platform Configuration](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.webp) +![Microsoft SQL Server Platform Configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Microsoft SQL Server Platform. 
@@ -16,16 +16,16 @@ configuration options for a Microsoft SQL Server Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. 
- Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/oracle.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/oracle.md index cf3ee862ff..1f0cf6fc1d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/oracle.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/oracle.md @@ -2,7 +2,7 @@ The Oracle menu displays the configuration options for Oracle platforms. -![Oracle Platform Configuration](../../../../../../../../../static/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) +![Oracle Platform Configuration](/img/product_docs/accessanalyzer/admin/settings/connection/profile/oracle.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for an Oracle Platform. 
@@ -16,16 +16,16 @@ configuration options for an Oracle Platform. platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). + the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. 
- Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md index dafd4ec6be..a413f5227b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md @@ -4,7 +4,7 @@ The Platforms page is accessible from the Navigation pane under Policies. The me displays all the supported platform types and previously configured platforms. This allows administrators to apply default configurations across all resources defined by that platform type. -![Platforms Page](../../../../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Platforms Page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) The pane on the left side of the page displays a list of the configured platforms. The pane has the following features: 
@@ -19,24 +19,24 @@ following features: Default platforms include: -- Active Directory — See the [Active Directory Platform Policy Configuration](activedirectory.md) +- Active Directory — See the [Active Directory Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/activedirectory.md) topic for additional information on configuration options - Microsoft Entra ID (formerly Azure AD) — See the - [Microsoft Entra ID Platform Policy Configuration](entraid.md) topic for additional information on + [Microsoft Entra ID Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/entraid.md) topic for additional information on configuration options -- Cisco — See the [Cisco Platform Policy Configuration](cisco.md) topic for additional information +- Cisco — See the [Cisco Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/cisco.md) topic for additional information on configuration options -- Linux — See the [Linux Platform Policy Configuration](linux.md) topic for additional information +- Linux — See the [Linux Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/linux.md) topic for additional information on configuration options -- Microsoft SQL Server — See the [Microsoft SQL Server Platform Policy Configuration](mssql.md) +- Microsoft SQL Server — See the [Microsoft SQL Server Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/mssql.md) topic for additional information on configuration options -- Oracle — See the [Oracle Platform Policy Configuration](oracle.md) topic for additional +- Oracle — See the [Oracle Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/oracle.md) topic for 
additional information on configuration options -- Secret Vault — See the [Secret Vault Platform Policy Configuration](secretvault.md) topic for +- Secret Vault — See the [Secret Vault Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.md) topic for additional information on configuration options -- Website — See the [Web Site Platform Policy Configuration](website.md) topic for additional +- Website — See the [Web Site Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/website.md) topic for additional information on configuration options -- Windows — See the [Windows Platform Policy Configuration](windows.md) topic for additional +- Windows — See the [Windows Platform Policy Configuration](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/windows.md) topic for additional information on configuration options See the Configure a Platform Policy topic for additional information on adding a Platform Policy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.md index a8ca65e107..4a7534b2fd 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.md 
@@ -2,7 +2,7 @@ The Secrete Vault menu displays the configuration options for Windows platforms. -![Secret Vault Platform Configuration](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.webp) +![Secret Vault Platform Configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/secretvault.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Secret Vault Platform. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/website.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/website.md index 67936cbe93..d730f8ad64 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/website.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/website.md @@ -2,7 +2,7 @@ The Web Site menu displays the configuration options for Web Site platforms. -![Website Platform Configuration](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/website.webp) +![Website Platform Configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/platforms/website.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Website Platform. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/windows.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/windows.md index 2c1618e6e4..d57ad6849b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/windows.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/windows.md @@ -2,7 +2,7 @@ The Windows menu displays the configuration options for Windows platforms. -![Windows Platform Configuration](../../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) +![Windows Platform Configuration](/img/product_docs/activitymonitor/activitymonitor/admin/monitoredhosts/properties/windows.webp) Details for the selected platform are displayed on the right side of the page. Below are the configuration options for a Windows Platform. 
@@ -16,21 +16,21 @@ configuration options for a Windows Platform. onboard for a given platform during its discovery process. - Password Complexity Policy — The password complexity rules for managed accounts created on the resources defined by the selected platform. See the - [Password Complexity Page](../passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. - Password Length — The number of characters required by the selected password policy - Arrow icon — Show or Hide password policy details. Click the icon to display the password complexity requirements of the selected password policy. - Protection Policy Schedule — How often the Protection Policy is run. See the - [Protection Policies Page](../protectionpolicies.md) topic for additional information. + [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) topic for additional information. - Scheduled Change Policy — How often the credentials for a managed account are changed (credential - rotation). See the [Credentials Dashboard](../../../dashboard/credentials.md) and - [Schedule Policies Page](../schedulepolicies.md) topic for additional information. + rotation). See the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) and + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Scan Schedule — How often to perform a host scan on the resources defined by the selected platform (local users, groups, windows services and scheduled tasks). This scan can also be run ad-hoc from - the [Resources Page](../resources.md). 
+ the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). - Verification Schedule — How often to verify the credentials for managed accounts on the resources defined by the selected platform. See the - [Credentials Dashboard](../../../dashboard/credentials.md) topic for additional information on + [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Reset on Mismatch — When selected, this option will force a password rotation if the password verification step finds that the existing password for an account does not match what Privilege diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md index a88e72a582..f238febf7b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md 
@@ -4,15 +4,15 @@ The Protection Policies page is accessible from the Navigation pane under Policy configured protection policies, which are used to monitor local groups on a resource for changes. Only users or groups added to the protection policy are permitted. When the resource is scanned, any local group members that are not listed on the -[Allowed Members Tab for Protection Policies](../tab/policyprotection/allowedmembers.md) are removed +[Allowed Members Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md) are removed from the resource. It is also possible to add the action _Invoke Protection Policy_ to the Post Session group of an activity. This will proactively run all protection policies that apply to the target resource when the session completes, instead of waiting for the scheduled sync. See the -[Activities Page](activities.md) topic for additional information. +[Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. -![Protection policies page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Protection policies page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured protection policies. This pane has the following features: 
@@ -37,6 +37,6 @@ commit the modifications. Click **Cancel** to discard the modifications. The tabs at the bottom of the main pane are for associating Resource, Members, and Schedule to the protection policy. See the following topics for additional information: -- [Resources Tab for Protection Policies](../tab/policyprotection/resources.md) -- [Allowed Members Tab for Protection Policies](../tab/policyprotection/allowedmembers.md) -- [Schedule Tab for Protection Policies](../tab/policyprotection/schedule.md) +- [Resources Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md) +- [Allowed Members Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md) +- [Schedule Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resourcegroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resourcegroups.md index f5d0846348..b276958acb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resourcegroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resourcegroups.md 
@@ -4,14 +4,14 @@ The Resources Groups page is accessible from the Navigation pane under Resources configured all configured resource groups and their details. Resources can be organized into groups to make it easier to manage common settings across them. -![Resource Groups Details Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/resourcegroupspage.webp) +![Resource Groups Details Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/resourcegroupspage.webp) The pane on the left side of the page displays a list of the configured resource groups. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. -- Blue + button — Create a resource group. See the [Add a Resource Group](../add/resourcegroup.md) +- Blue + button — Create a resource group. See the [Add a Resource Group](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/resourcegroup.md) topic for additional information. - Copy icon — Duplicates the resource group. Icon appears when group is hovered over. - Trashcan icon — Deletes the resource group. Icon appears when group is hovered over. A 
@@ -37,7 +37,7 @@ based on the type of resource group: - Manage Local Administrator Accounts — Indicates whether or not local Administrator accounts on resources in this group should be automatically managed when the resource is on-boarded. The account to be managed will correspond with the Built-in Account field on the resource's platform. - See the [Platforms Page](platforms/overview.md) topic for additional information. + See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Off (Do Not Manage Accounts) — Do not manage any Local Administrator accounts on the resources in the selected group @@ -54,7 +54,7 @@ The table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add — Opens the Add Resources window. See the - [Add Resources Window for Resource Group](../window/resources/addresourcestogroup.md) topic for + [Add Resources Window for Resource Group](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md) topic for additional information. - Remove — Removes the selected item from the group - Manage — Set the selected account to be managed by Privilege Secure. This button is only available 
@@ -62,11 +62,11 @@ The table has the following features: will display.. Password rotation can be set to automatic or manual for managed accounts. - Unmanage — Remove the account from being managed by Privilege Secure - Change Platform — Opens the Change Platform window to modify the type of platform for the selected - host resource. See the [Change Platform Window](../window/resources/changeplatform.md) topic for + host resource. See the [Change Platform Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md) topic for additional information. - Change Service Account — Opens the Change Service Account window to modify the service account associated with the selected host resource. See the - [Change Service Account Window](../window/resources/changeserviceaccount.md) topic for additional + [Change Service Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md) topic for additional information. - Schedule Rotation — Add the credential rotation task to the queue. This button is only available when the Method is Automatic managed. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md index e40c0b24f8..196d1f3905 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md 
@@ -3,9 +3,9 @@ The Resources page shows information for onboarded resources, such as active and scheduled sessions, policies, and service accounts for the host resources and domain resources that have been added to the console. The Resources page displays the same information as the -[Resources Dashboard](../../dashboard/resources.md). +[Resources Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/resources.md). -![Resources page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/resourcespage.webp) +![Resources page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/resourcespage.webp) The Resources table has the following features: 
@@ -19,32 +19,32 @@ The Resources table has the following features: - Add — Opens a list of available resources to add. The Add list contains the following options: - New Server — Opens the Add Resources window to onboard new servers. See the - [Add Resources Window](../window/resources/addresourcesonboard.md) topic for additional + [Add Resources Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md) topic for additional information. - New Domain — Opens the Domain Details page for a new domain. See the - [Add New Domain](../add/domain.md) topic for additional information. + [Add New Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md) topic for additional information. - New Website — Opens the Website Details page for a new website. See the - [Add New Website](../add/website.md) topic for additional information. + [Add New Website](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/website.md) topic for additional information. - New Microsoft Entra ID (formerly Azure AD) Tenant — Opens the Microsoft Entra ID Tenant Details page for a new tenant. See the - [Add New Microsoft Entra ID Tenant](../add/entraidtenant.md) topic for additional information. + [Add New Microsoft Entra ID Tenant](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/entraidtenant.md) topic for additional information. - New Secret Vault — Opens the Secret Vault Details page for a new vault. See the - [Add Secret Vault](../add/secretvault.md) topic for additional information. + [Add Secret Vault](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/secretvault.md) topic for additional information. - New Database — Opens the Databse Details page for a new database. See the - [Add New Database](../add/database.md)topic for additional information. 
+ [Add New Database](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/database.md)topic for additional information. - Remove — Removes the selected resource from being managed by the application. A confirmation - window will display. See the [Remove Resource Window](../window/resources/removeresource.md) topic + window will display. See the [Remove Resource Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md) topic for additional information. - Change Platform — Opens the Change Platform window to modify the type of platform for the selected - host resource. See the [Change Platform Window](../window/resources/changeplatform.md) topic for + host resource. See the [Change Platform Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md) topic for additional information. - Change Service Account — Opens the Change Service Account window to modify the service account associated with the selected host resource. See the - [Change Service Account Window](../window/resources/changeserviceaccount.md) topic for additional + [Change Service Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md) topic for additional information. - Scan Resource — Scans a host resource for local users, groups, windows services, and scheduled - tasks. A confirmation window will display.. See the [Platforms Page](platforms/overview.md) topic + tasks. A confirmation window will display.. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Refresh — Reload the information displayed 
@@ -55,12 +55,12 @@ The table has the following columns: - Resource — Displays the name of the resource. Click the link to view additional details. The details vary based on the type of resource. - - [Host Details Page](details/host.md) - - [Domain Details Page](details/domain.md) - - [Website Details Page](details/website.md) - - [Microsoft Entra ID Details Page](details/entraid.md) - - [Secret Vault Details Page](details/secretvault.md) - - [Database Details Page](details/databases.md) + - [Host Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md) + - [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) + - [Website Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/website.md) + - [Microsoft Entra ID Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/entraid.md) + - [Secret Vault Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/secretvault.md) + - [Database Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/databases.md) - Operating System — Displays the operating system of the resource - Active — Displays the number of active sessions on the resource 
@@ -70,13 +70,13 @@ The table has the following columns: - DNS Host Name — Displays the DNS host name for a host resource or the FQDN for a domain resource - IP Address — Displays the IP address for the resource - Domain — Displays the domain name for the resource. Click the link to view additional details. See - the [Domain Details Page](details/domain.md) topic for additional information. + the [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. - Service Account — Displays the service account associated with the resource. Click the link to view additional details. See the - [Service Accounts Page](../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Platform — Displays the type of platform, which defines the resource. See the - [Platforms Page](platforms/overview.md) topic for additional information. + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Last Scanned — Date timestamp for the last time the resource was scanned The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md index d6d4ba64e4..dc025202f2 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md 
@@ -4,14 +4,14 @@ The Role Management page is accessible from the Navigation pane under Users & Gr details on all available roles for Privilege Secure users. There are default roles, and custom roles can be created. -![rolemanagementpage](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/rolemanagementpage.webp) +![rolemanagementpage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/rolemanagementpage.webp) The pane on the left side of the page displays a list of the configured roles. This pane has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. -- Blue + button — Create a new role. See the [Add Custom Role](../add/customrole.md) for additional +- Blue + button — Create a new role. See the [Add Custom Role](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/customrole.md) for additional information. - Copy icon — Clones a role and adds a new entry to the Role list - Trashcan icon — Deletes the access policy. Icon appears when policy is hovered over. A @@ -21,5 +21,5 @@ following features: modified. Only custom roles can be copied, deleted, or modified. The details that display the main pane vary based on the type of role selected. See the -[Default Role Details Page](details/rolemanagementdefault.md) and the -[Custom Role Details Page](details/rolemanagementcustom.md) topics for additional information. +[Default Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementdefault.md) and the +[Custom Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md) topics for additional information. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md index 95f47a508e..b8b2415887 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md 
@@ -6,17 +6,17 @@ shows configured schedule policies. Schedules can be applied: - Platforms — Configure schedules used by resources on a given platform type. See the - [Platforms Page](platforms/overview.md) topic for additional information. -- Protection Policy — See the [Protection Policies Page](protectionpolicies.md) topic for additional + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. +- Protection Policy — See the [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) topic for additional information. - Change Policy (credential rotation) — How often the password of a managed account is changed. See - the [Credentials Dashboard](../../dashboard/credentials.md) topic for additional information on + the [Credentials Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/credentials.md) topic for additional information on managed accounts. - Host scan — Scan a host resources for local users, groups, windows services and scheduled tasks - Verification — Check that the passwords for managed accounts match the credentials set by Privilege Secure -![Schedule Policies Page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Schedule Policies Page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The pane on the left side of the page displays a list of the configured schedule policies. This pane has the following features: 
@@ -24,7 +24,7 @@ has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Green + button — Create a new schedule policy. See the - [Add Schedule Policy](../add/schedulepolicy.md) topic for additional information. + [Add Schedule Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/schedulepolicy.md) topic for additional information. - Trashcan icon — Deletes the schedule policy. Icon appears when profile is hovered over. A confirmation window will display. @@ -34,4 +34,4 @@ The selected schedule policy details display in the main pane: - Name — Displays the schedule recurrence information - Edit icon — Click the icon to edit the selected schedule policy. See the - [Edit Schedule Policy](../edit/schedulepolicy.md) topic for additional information. + [Edit Schedule Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/edit/schedulepolicy.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usergroupcollections.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usergroupcollections.md index 5457fc9a3f..db4929629e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usergroupcollections.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usergroupcollections.md 
@@ -2,7 +2,7 @@ The User and Group Collection page is accessible from the Navigation pane under Users & Group. It shows session information for user and group collections. To gain access to the Privilege Secure -console, users or groups have to be added in the top level [Users & Groups Page](usersgroups.md). +console, users or groups have to be added in the top level [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). Collections are conglomerated users and groups (that have already been granted rights in the console) that will gain the same rights collectively. Like users and groups individually, @@ -10,7 +10,7 @@ collections can also be added to policies. Collections are helpful as they allow be assigned in a single action in the console. The information in the User and Group Collections table is also displayed on the **Users Dashboard**. -![Users and Group Collections Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/userandgroupcollectionspage.webp) +![Users and Group Collections Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/userandgroupcollectionspage.webp) The pane on the left side of the page displays a list of the configured collections. This pane has the following features: 
@@ -18,7 +18,7 @@ the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Blue + button — Create a new collection. See the - [Add Users & Groups Window](../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Trashcan icon — Deletes the access policy. Icon appears when policy is hovered over. A confirmation window will display. @@ -40,7 +40,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. Click the link to view additional details. See the - [User, Group, & Application Details Page](details/usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md index 7494194cd4..13c2ac6bc1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md 
@@ -2,9 +2,9 @@ The Users & Groups page shows session information for onboarded users and groups. Onboarded users and can log into the application to manage policies or run sessions. The Users & Groups page -displays the same information as the [Users Dashboard](../../dashboard/users.md). +displays the same information as the [Users Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/users.md). -![Users and Groups Page](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/usersgroupspage.webp) +![Users and Groups Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/usersgroupspage.webp) The Users table has the following features: @@ -13,11 +13,11 @@ The Users table has the following features: - Filter — Provides options to filter results based on a chosen criterion: User, Group, Application, and Local User - Add User — Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. -- Add Application — Opens the Add Application page. See the [Add Application](../add/application.md) +- Add Application — Opens the Add Application page. See the [Add Application](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/application.md) for additional information. -- Add Local User — Opens the Add Local User page. See [Add Local User](../add/localuser.md) topic +- Add Local User — Opens the Add Local User page. See [Add Local User](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/localuser.md) topic for additional information. - Remove — Removes console access from the selected account - Refresh — Reload the information displayed 
@@ -27,7 +27,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Type — Icon indicates the type of object - Name — Displays the name of the account. Click the link to view additional details. See the - [User, Group, & Application Details Page](details/usergroupapplication.md) topic for additional + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Name — Displays the sAMAccountName for the account - User Principal Name — Displays the UPN value for the account diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/resourceimportcsv.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/resourceimportcsv.md index ee2ff6be7d..a072be61e3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/resourceimportcsv.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/resourceimportcsv.md 
@@ -7,10 +7,10 @@ Resources can be onboarded via a CSV import process. Create a CSV file with the - IP Address — Displays the IP address for the resource - Platform — Displays the type of platform, which defines the resource. This is an optional value, but it must be an exact match to known platforms on the - [Platforms Page](page/platforms/overview.md). + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). - Credential — Displays the service account associated with the resource. This is an optional value, but it must be an exact match to known service accounts on the - [Service Accounts Page](../configuration/page/serviceaccounts.md). + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md). The CSV file must contain one resource per row. Each resource must be identified by either a DNS Host Name or an IP Address. All other values are optional. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md index a56060ee7c..fe194528d6 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activities.md 
@@ -3,7 +3,7 @@ The Activities tab shows the activities associated with the selected access policy. Only the Credential Release activity is associated with a Credential Based Access Policy. -![Credential based resource Activities tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activitiestabcredentials.webp) +![Credential based resource Activities tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/activitiestabcredentials.webp) The Activities tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md index 0072de217d..1ff1717c9c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md 
@@ -2,12 +2,12 @@ The Credentials tab shows credentials associated with the selected Credential Based access policy. -![Credential based policy credential tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/accesspolicycredentialstab.webp) +![Credential based policy credential tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/accesspolicycredentialstab.webp) The Credentials table has the following features: - Add — Opens the Add Credentials window. See the - [Add Credentials Window](../../window/accesspolicy/addcredentials.md) topic for additional + [Add Credentials Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addcredentials.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy - Search — Searches the table or list for matches to the search string. When matches are found, the diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md index 2c6cbc84ac..f8727e5262 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/users.md 
@@ -2,12 +2,12 @@ The Users tab shows the users and groups associated with the selected access policy. -![Credential based policy users tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/userstabcredentials.webp) +![Credential based policy users tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/userstabcredentials.webp) The Users tab has the following features: - Add — Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy - Search — Searches the table or list for matches to the search string. When matches are found, the 
@@ -26,16 +26,16 @@ The Users tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand — Click the expand (>) icon to show additional information about the activities and +- Expand — Click the expand () icon to show additional information about the activities and resources authorized for the selected user or group - Name — Displays the name of the account. Click the link to view additional details.See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Email — Displays the associated email address, if available - User Name — Displays the sAMAccountName for the account - Type — Icon indicates the type of object - Certified — Indicates the access entitlement for the user or group. See the - [Access Certification Page](../../../auditreporting/page/accesscertification.md) topic for + [Access Certification Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md) topic for additional information. - Approved — Access entitlements have been approved diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md index eb65a93884..6171e7205f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.md 
@@ -4,7 +4,7 @@ The Allowed Members tab shows the configuration options for managing the groups selected protection policy. Any group member(s) discovered that are not in the list will be removed from the local group on the resource during the next scheduled sync. -![Protection Policy Allowed Member Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.webp) +![Protection Policy Allowed Member Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/allowedmembers.webp) The Allowed Members tab has the following features: @@ -31,7 +31,7 @@ Allowed Members tab. **Step 3 –** Click Add Group to open the Add Protected Group and Member window. -![Add Protected Group and Member Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/addprotectedgroupandmember.webp) +![Add Protected Group and Member Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/addprotectedgroupandmember.webp) **Step 4 –** Enter the following information: @@ -59,7 +59,7 @@ Allowed Members tab. **Step 3 –** Click Edit Members to open the Add Protected Group and Member window. -![Edit Protected Group Members Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/editprotectedgroupmembers.webp) +![Edit Protected Group Members Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/editprotectedgroupmembers.webp) **Step 4 –** Click the Trashcan icon next to a member to remove them from a Protected Group. A confirmation window will appear. 
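Review bot: in the credential-based policy Users tab hunk `@@ -26,16 +26,16 @@`, which precedes the allowedmembers.md diff, the Expand bullet loses its icon character. The removed line has `expand (>) icon` and the added line has `expand () icon`. The rest of this patch only rewrites paths, so this looks unintended. Restore the `>`, escaped if the renderer needs it.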
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md index cd91ae65da..eec2950fb8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md @@ -2,12 +2,12 @@ The Resources tab shows the resources associated with the selected protection policy. -![Protection policy resources tab](../../../../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Protection policy resources tab](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) The Resources table has the following features: - Add — Opens the Add Resources window. See the - [Add Resources Window for Protected Policy](../../window/protectionpolicies/addresources.md) topic + [Add Resources Window for Protected Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/protectionpolicies/addresources.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy @@ -15,7 +15,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the resource. Click the link to view additional details. The details - vary based on the type of resource. See the [Resources Page](../../page/resources.md) topic for + vary based on the type of resource. See the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for additional information. - DNS Host Name — Displays the DNS host name for a host resource or the FQDN for a domain resource - Operating System — Displays the operating system of the resource 
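Review bot: the image in the first hunk of policyprotection/resources.md (`@@ -2,12 +2,12 @@`) still resolves to another product's asset, `/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp`, for the Privilege Secure protection policy Resources tab. The path rewrite carries that reference over unchanged. Check that the screenshot shows the right screen, and if it does not, point the link at an image under `/img/product_docs/privilegesecure/`.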
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md index 1352602ce3..73a4c1fe12 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/schedule.md @@ -2,9 +2,9 @@ The Schedule tab shows the schedule tasks for the resources in the selected protection policy. The protection policy schedule is run based on the platform type configuration on the -[Platforms Page](../../page/platforms/overview.md). +[Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md). -![schedule](../../../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![schedule](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) The Schedule tab has the following features: @@ -16,7 +16,7 @@ The Schedule tab has the following features: The table has the following columns: - Task Name — Displays the name of the scheduled task. See the - [Schedule Policies Page](../../page/schedulepolicies.md) topic for additional information. + [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Last Run Time — Date timestamp of the previous scheduled task - Next Run Time — Date timestamp of the next scheduled task - Recurrence — Indicates the scheduled recurrence 
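Review bot: in the first hunk of schedule.md (`@@ -2,9 +2,9 @@`) the screenshot is taken from `/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp`, and its alt text is the bare word `schedule`. Confirm that a Threat Prevention database-maintenance image is really the intended picture of the protection policy Schedule tab, and give it a descriptive alt text while the line is being changed.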
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md index dd63d22f66..259e82c720 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md @@ -2,7 +2,7 @@ The Activities tab shows the activities associated with the selected access policy. -![Activities Tab for Resource based Policies](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activitiestab.webp) +![Activities Tab for Resource based Policies](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activitiestab.webp) The Activities tab has the following features: @@ -15,7 +15,7 @@ The Activities tab has the following features: - Activity Group — Displays group activity - Add — Opens the Add Activities and Activity Groups window. See the - [Add Activities and Activity Groups Window](../../window/accesspolicy/addactivitiesandactivitygroups.md) + [Add Activities and Activity Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addactivitiesandactivitygroups.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy - Refresh — Reload the information displayed 
@@ -24,7 +24,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the activity . Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Type — Classification of the activity. Click the link to view additional details. - Description — Description of the policy diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md index f355228b0d..10eab201d8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md 
@@ -2,12 +2,12 @@ The Resources tab shows the resources associated with the selected access policy. -![Resource based policy resources tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resourcestab.webp) +![Resource based policy resources tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resourcestab.webp) The Resources table has the following features: - Add — Opens the Add Resources and Resource Groups window. See the - [Add Resources and Resource Groups Window](../../window/accesspolicy/addresourcesandresourcegroups.md) + [Add Resources and Resource Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addresourcesandresourcegroups.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy - Search — Searches the table or list for matches to the search string. When matches are found, the @@ -24,7 +24,7 @@ The table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the resource. Click the link to view additional details. The details - vary based on the type of resource. See the [Resources Page](../../page/resources.md) topic for + vary based on the type of resource. See the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for additional information. - Type — Icon indicates the type of object - DNS Host Name — Displays the DNS host name for a host resource or the FQDN for a domain resource diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md index 76d1628058..bb9c53ae39 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/users.md @@ -2,12 +2,12 @@ The Users tab shows the users and groups associated with the selected access policy. -![Resource based policy users tab](../../../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) +![Resource based policy users tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) The Users tab has the following features: - Add — Opens the Add Users and Groups window. See the - [Add Users & Groups Window](../../window/usersgroups/addusersandgroups.md) topic for additional + [Add Users & Groups Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md) topic for additional information. - Remove — Removes the selected item from being associated with the policy - Search — Searches the table or list for matches to the search string. When matches are found, the 
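Review bot: the `![Resource based policy users tab]` image points at `/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/userstab.webp`, an Activity Monitor asset, while the credential-based Users tab uses a Privilege Secure image (userstabcredentials.webp). The rewrite preserves the cross-product reference. Verify which screenshot is rendered here and link a Privilege Secure image if this one is wrong.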
@@ -26,16 +26,16 @@ The Users tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand — Click the expand (>) icon to show additional information about the activities and +- Expand — Click the expand () icon to show additional information about the activities and resources authorized for the selected user or group - Name — Displays the name of the account. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Email — Displays the associated email address, if available - User Name — Displays the sAMAccountName for the account - Type — Icon indicates the type of object - Certified — Indicates the access entitlement for the user or group. See the - [Access Certification Page](../../../auditreporting/page/accesscertification.md) topic for + [Access Certification Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/auditreporting/page/accesscertification.md) topic for additional information. - Approved — Access entitlements have been approved diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesentraid.md index 888de8f913..841ecf81fb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesentraid.md 
@@ -3,7 +3,7 @@ The Access Policies tab Sessions Tab for Microsoft Entra ID shows information about the policies associated with the selected resource. -![Access Policies Tab Azure AD](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesazuread.webp) +![Access Policies Tab Azure AD](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspoliciesazuread.webp) The Access Policies tab has the following features: @@ -13,7 +13,7 @@ The Access Policies tab has the following features: The table has the following columns: -- Name — Displays the name of the policy. See the [Access Policy Page](../../page/accesspolicy.md) +- Name — Displays the name of the policy. See the [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Description — Description of the policy diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.md index a00f66cc9f..968502addc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.md @@ -2,7 +2,7 @@ The Access Policies tab shows information about the policies associated with the selected resource. -![Host Access Policies Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.webp) +![Host Access Policies Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieshost.webp) The Access Policies tab has the following features: 
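Review bot: policyresource/users.md, hunk `@@ -26,16 +26,16 @@` (just ahead of the accesspoliciesentraid.md diff), changes `expand (>) icon` to `expand () icon`. Dropping the `>` is a content change in a patch that otherwise only rewrites link and image paths. Put the character back so the bullet still names the icon.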
@@ -13,7 +13,7 @@ The Access Policies tab has the following features: The table has the following columns: - Name — Displays the name of the policy. Click the link to view additional details. See the - [Access Policy Page](../../page/accesspolicy.md) topic for additional information. + [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Description — Description of the policy The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieswebsite.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieswebsite.md index 7b8bb23749..63188263e5 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieswebsite.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accesspolicieswebsite.md @@ -2,7 +2,7 @@ The Access Policies tab shows information about the policies associated with the selected resource. -![websitedetailsaccesspolicytab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsaccesspolicytab.webp) +![websitedetailsaccesspolicytab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsaccesspolicytab.webp) The Access Policies tab has the following features: 
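Review bot: the alt text on the accesspolicieswebsite.md image is the file name, `websitedetailsaccesspolicytab`, unlike the sibling page's "Host Access Policies Tab". Since the line is already being rewritten, replace it with a readable description, for example "Website Access Policies Tab".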
@@ -13,7 +13,7 @@ The Access Policies tab has the following features: The table has the following columns: - Name — Displays the name of the policy. Click the link to view additional details. See the - [Access Policy Page](../../page/accesspolicy.md) topic for additional information. + [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Description — Description of the policy The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.md index f48ea43f4f..dac83abbc3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.md 
@@ -2,17 +2,17 @@ The Accounts tab shows information about the accounts associated to the selected resource. -![Accounts Tab for Secret Vault Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.webp) +![Accounts Tab for Secret Vault Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/accountssecretvault.webp) The Accounts tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add — Opens the Add a Managed Account window. See the - [Add a Managed Account Window](../../window/resources/addamanagedaccount.md) topic for additional + [Add a Managed Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanagedaccount.md) topic for additional information. - Edit — Opens the Edit a Managed Account window. See the - [Edit a Managed Account Window](../../window/resources/editamanagedaccount.md) topic for + [Edit a Managed Account Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/editamanagedaccount.md) topic for additional information. - Delete — Removes the selected item. A confirmation window will appear. - Refresh — Reload the information displayed diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsentraid.md index 1d38531098..1b26282921 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsentraid.md 
@@ -3,7 +3,7 @@ The Applications tab for Microsoft Entra ID (formerly Azure AD) shows information about the applications installed on the selected resource. -![Applications Tab Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsazuread.webp) +![Applications Tab Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/applicationsazuread.webp) The Applications tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.md index 18a3d2f627..07297996eb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.md @@ -2,7 +2,7 @@ The Computers tab shows information about the domain computer objects on the selected resource. -![Domain Resource Computers Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.webp) +![Domain Resource Computers Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/computersdomain.webp) The Computers tab has the following features: 
@@ -11,7 +11,7 @@ The Computers tab has the following features: - Type — Provides options to filter results based on a chosen criterion: Resource and Not On-boarded - Add as NPS Managed Resource — Opens the Enroll Hosts in Management window to onboards the selected resource. See - [Enroll Hosts in Management Window](../../window/resources/enrollhostsinmanagement.md) for + [Enroll Hosts in Management Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.md) for additional information. - Remove as NPS Managed Resource — Removes the selected resource from being managed by the application. A confirmation window will display. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/databases.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/databases.md index de5386fa84..561931151a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/databases.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/databases.md @@ -2,7 +2,7 @@ The Databases tab shows information about the server database on the selected resource. -![Database Details page](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/databasedetailspage.webp) +![Database Details page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/databasedetailspage.webp) The Databases tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.md index 726dac002d..61e2069085 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.md @@ -2,7 +2,7 @@ The Groups tab shows information about the domain groups on the selected resource. -![Domain Resource Groups Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.webp) +![Domain Resource Groups Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsdomain.webp) The Groups tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsentraid.md index 2e5bc50384..4f90375f57 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsentraid.md @@ -7,7 +7,7 @@ selected resource. domain resource (if the on-premises domain has been synced by Privilege Secure). This view will show cloud-only EntraID groups. -![Groups Tab Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsazuread.webp) +![Groups Tab Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupsazuread.webp) The table has the following columns: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.md index 505da36144..e8544e9240 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.md @@ -2,7 +2,7 @@ The Groups tab shows information about the local groups on the selected resource. -![Group Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.webp) +![Group Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/groupshost.webp) The table has the following columns: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.md index cd60c0df80..2cfe4af173 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.md @@ -2,7 +2,7 @@ The History tab shows information about the synchronization history of the selected resource. -![History Tab for Domain Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.webp) +![History Tab for Domain Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historydomain.webp) The History tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyentraid.md index bcc0264698..49a1fd8913 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyentraid.md 
@@ -3,14 +3,14 @@ The History tab Access Policies tab for Microsoft Entra ID (formerly Azure AD) shows information about the session history of the selected resource. -![History Tab Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historyazuread.webp) +![History Tab Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historyazuread.webp) The History tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: @@ -23,7 +23,7 @@ The table has the following columns: - Time — Date timestamp for when the event occurred - User — User who requested the session. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Access Policy — Displays the name of the policy - Event Message — Description of the event diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.md index e3a322764f..d09c1c4530 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.md @@ -2,14 +2,14 @@ The History tab shows information about the session history of the selected resource. -![History Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.webp) +![History Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historyhost.webp) The History tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: 
@@ -22,10 +22,10 @@ The table has the following columns: - Time — Date timestamp for when the event occurred - User — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Access Policy — Displays the name of the policy. Click the link to view additional details. See - the [Access Policy Page](../../page/accesspolicy.md) topic for additional information. + the [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Event Message — Description of the event - Session ID — Unique identifier for the session diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.md index a15ddcbf99..b5af5e6064 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.md 
@@ -2,14 +2,14 @@ The History tab shows information about the session history of the selected resource. -![History Tab for Secret Vault Recource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.webp) +![History Tab for Secret Vault Recource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/historysecretvault.webp) The History tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: @@ -21,7 +21,7 @@ The table has the following columns: - Time — Date timestamp for when the event occurred - User — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Access Policy — Displays the name of the policy - Event Message — Description of the event diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historywebsite.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historywebsite.md index 8f9f51b4b2..17772cf923 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historywebsite.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/historywebsite.md @@ -2,14 +2,14 @@ The History tab shows information about the session history of the selected resource. -![websitedetailshistorytab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailshistorytab.webp) +![websitedetailshistorytab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailshistorytab.webp) The History tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: @@ -21,7 +21,7 @@ The table has the following columns: - Time — Date timestamp for when the event occurred - User — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Access Policy — Displays the name of the policy - Event Message — Description of the event 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.md index 763fea1f73..12ee224a77 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.md @@ -3,7 +3,7 @@ The Installed Software tab shows information about the software installed on the selected host resource. -![Installed Software Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.webp) +![Installed Software Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/installedsoftwarehost.webp) The History tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.md index fa81710c24..28e4d97623 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.md 
@@ -3,7 +3,7 @@ The Protection Policies tab shows information about the protection policies associated with the selected resource. -![Host Protection Policies Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.webp) +![Host Protection Policies Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/protectionpolicieshost.webp) The Protection Policies tab has the following feature: @@ -13,7 +13,7 @@ The Protection Policies tab has the following feature: The table has the following columns: - Name — Displays the name of the policy. Click the link to view additional details. See the - [Protection Policies Page](../../page/protectionpolicies.md) topic for additional information. + [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) topic for additional information. - Description — Description of the policy The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.md index f3d618f534..20fd7ccc69 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.md 
@@ -3,7 +3,7 @@ The Scheduled Tasks tab shows information about the tasks that are scheduled to run on the selected resource. -![Scheduled Tasks Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.webp) +![Scheduled Tasks Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/scheduledtaskshost.webp) The Scheduled Tasks tab has the following features: @@ -17,7 +17,7 @@ The table has the following columns: - Task Name — Displays the name of the task - Run As Account — Account used to run the task - Managed — Indicates if the account is managed by Privilege Secure. See the - [Credentials Page](../../page/credentials.md) topic for additional information. + [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) topic for additional information. - Description — Description of the policy The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.md index c837939371..5fde22a61c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.md 
@@ -2,7 +2,7 @@ The Services tab shows information about the services running on the selected resource. -![Services Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.webp) +![Services Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/serviceshost.webp) The Services tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsentraid.md index 93f2978892..3a5235b690 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsentraid.md 
@@ -3,24 +3,24 @@ The Sessions tab for Microsoft Entra ID (formerly Azure AD) shows information about the sessions of the selected resource. -![Sessions Tab Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsazuread.webp) +![Sessions Tab Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionsazuread.webp) The Sessions tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Requested — Date and time of when the session was created - Requested By — User who requested the session. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Login Account — Displays the account used to log onto the resource -- Activity — Displays the name of the activity. See the [Activities Page](../../page/activities.md) +- Activity — Displays the name of the activity. See the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. 
This refers to when the activity’s actions were executed and not when the user was logged on to the resource. @@ -42,6 +42,6 @@ The table has the following columns: Secure administrator. - Failed — Pre-Session stage of the Activity has encountered an error - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](../../../dashboard/window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.md index f156037559..40c409209b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.md 
@@ -2,25 +2,25 @@ The Sessions tab shows information about the sessions of the selected resource. -![Sessions Tab for Host Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.webp) +![Sessions Tab for Host Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionshost.webp) The Sessions tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Requested — Date and time of when the session was created - Requested By — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. 
This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the @@ -41,6 +41,6 @@ The table has the following columns: Secure administrator. - Failed — Pre-Session stage of the Activity has encountered an error - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](../../../dashboard/window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionssecretvault.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionssecretvault.md index e155048534..39c03c7502 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionssecretvault.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionssecretvault.md 
@@ -2,25 +2,25 @@ The Sessions tab shows information about the sessions of the selected resource. -![Sessions Tab for Secret Vault Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionstabforsecretvault.webp) +![Sessions Tab for Secret Vault Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionstabforsecretvault.webp) The Sessions tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Requested — Date and time of when the session was created - Requested By — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. 
This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the @@ -41,6 +41,6 @@ The table has the following columns: Secure administrator. - Failed — Pre-Session stage of the Activity has encountered an error - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](../../../dashboard/window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionswebsite.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionswebsite.md index 80221cd861..a3e4263ccf 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionswebsite.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/sessionswebsite.md 
@@ -2,25 +2,25 @@ The Sessions tab shows information about the sessions of the selected resource. -![Sessions Tab for Website Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailssessionstab.webp) +![Sessions Tab for Website Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailssessionstab.webp) The Sessions tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Requested — Date and time of when the session was created - Requested By — User who requested the session. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Login Account — Displays the account used to log onto the resource - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Start — Indicates when the activity started. 
This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the @@ -41,6 +41,6 @@ The table has the following columns: Secure administrator. - Failed — Pre-Session stage of the Activity has encountered an error - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](../../../dashboard/window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.md index b7eedd2b8c..f0e610cb4e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.md @@ -2,7 +2,7 @@ The Sync Errors tab displays the synchronization error log for the selected resource. -![Sync Errors Tab for Domain Recource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.webp) +![Sync Errors Tab for Domain Recource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/syncerrorsdomain.webp) The table has the following columns: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlsentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlsentraid.md index cf4b10fc3a..a23bed6bf0 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlsentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlsentraid.md @@ -5,12 +5,12 @@ to the selected resource. URLs are correlated to launching activities in the bro given site is not listed here, the activity login may fail as it is not an authorized site for login. -![URLs Tab for Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/azureaddetailspage.webp) +![URLs Tab for Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/page/details/azureaddetailspage.webp) The URLs tab has the following features: - Add — Opens the Add Website URL window. See the - [Add Website URL Window](../../window/resources/addwebsiteurl.md) topic for additional + [Add Website URL Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md) topic for additional information. - Edit — Opens the Edit Website URL window. See Edit Website URL for additional information. - Remove — Removes the selected item diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlswebsite.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlswebsite.md index 398d13ff37..3d51a6897d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlswebsite.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/urlswebsite.md 
@@ -4,14 +4,14 @@ The URLs tab shows information about the URLs associated to the selected resourc `https://company.lightning.force.com` and `https://salesforce.com` are both URLs associated to the same website. -![URLs tab for Website Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsurlstab.webp) +![URLs tab for Website Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsurlstab.webp) The URLs tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add — Opens the Add Website URL window. See the - [Add Website URL Window](../../window/resources/addwebsiteurl.md) topic for additional + [Add Website URL Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md) topic for additional information. - Edit — Opens the Edit Website URL window. See Edit Website URL for additional information. - Remove — Removes the selected item diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.md index 12d8992cae..bb692d7ea8 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.md 
@@ -2,7 +2,7 @@ The Users tab shows information about the domain users on the selected resource. -![Domian Users Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.webp) +![Domian Users Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usersdomain.webp) The Users tab has the following features: @@ -23,7 +23,7 @@ The Users tab has the following features: - View History — Opens the Password History window to displays the password history for the account - Password Reset Options — Customize password rotation options. This option is only available for managed accounts. See - [Password Reset Options Window](../../window/resources/passwordresetoptions.md) for additional + [Password Reset Options Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md) for additional information. - Refresh — Reload the information displayed 
@@ -39,12 +39,12 @@ The table has the following columns: created - NPS Role — Indicates the assigned Privilege Secure role - Managed — Indicates if the account is managed by Privilege Secure. See the - [Credentials Page](../../page/credentials.md) topic for additional information. + [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) topic for additional information. - Rotate Start | End — Indicates if the account will have a password rotation on session start, end, both, or neither - Dependents — Number of scheduled tasks or Windows services using this account. - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run 
@@ -59,9 +59,9 @@ The table has the following columns: - Last Checked — Date timestamp of the last verification check - Next Change — Date timestamp for the next credential password rotation - Schedule — Shows the schedule policy used to change the password of a manged account, the - credential rotation. See the [Schedule Policies Page](../../page/schedulepolicies.md) topic for + credential rotation. See the [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Complexity — Indicates the password complexity policy used for the account. See the - [Password Complexity Page](../../page/passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersentraid.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersentraid.md index fc0567b0ce..b002e20e7a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersentraid.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usersentraid.md @@ -7,7 +7,7 @@ selected resource. domain resource (if the on-premises domain has been synced by Privilege Secure). This view will show cloud-only EntraID users. -![Users Tab Entra ID](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usersazuread.webp) +![Users Tab Entra ID](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usersazuread.webp) The Users tab has the following features: 
@@ -22,7 +22,7 @@ The Users tab has the following features: - View History — Opens the Password History window to displays the password history for the account - Password Reset Options — Customize password rotation options. This option is only available for managed accounts. See the - [Password Reset Options Window](../../window/resources/passwordresetoptions.md) topic for + [Password Reset Options Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md) topic for additional information. - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. @@ -38,11 +38,11 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Managed — Indicates if the account is managed by Privilege Secure. See the - [Credentials Page](../../page/credentials.md) topic for additional information. + [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) topic for additional information. - Rotate Start | End — Indicates if the account will have a password rotation on session start, end, both, or neither - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.md index 4f8011e410..d395e5cc39 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.md @@ -2,7 +2,7 @@ The Users tab shows information about the local users on the selected resource. -![Host Users Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.webp) +![Host Users Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/usershost.webp) The Users tab has the following features: @@ -20,7 +20,7 @@ The Users tab has the following features: - View History — Opens the Password History window to displays the password history for the account - Password Reset Options — Customize password rotation options. This option is only available for managed accounts. See - [Password Reset Options Window](../../window/resources/passwordresetoptions.md) topic for + [Password Reset Options Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md) topic for additional information. - Refresh — Reload the information displayed 
@@ -35,12 +35,12 @@ The table has the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Managed — Indicates if the account is managed by Privilege Secure. See the - [Credentials Page](../../page/credentials.md) topic for additional information. + [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md) topic for additional information. - Rotate Start | End — Indicates if the account will have a password rotation on session start, end, both, or neither - Dependents — Number of scheduled tasks or Windows services using this account. - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run 
@@ -55,9 +55,9 @@ The table has the following columns: - Last Checked — Date timestamp of the last verification check - Next Change — Date timestamp for the next credential password rotation - Schedule — Shows the schedule policy used to change the password of a manged account, the - credential rotation. See the [Schedule Policies Page](../../page/schedulepolicies.md) topic for + credential rotation. See the [Schedule Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/schedulepolicies.md) topic for additional information. - Complexity — Indicates the password complexity policy used for the account. See the - [Password Complexity Page](../../page/passwordcomplexity.md) topic for additional information. + [Password Complexity Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/passwordcomplexity.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/userswebsite.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/userswebsite.md index e0f2bd4f32..36d76c6775 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/userswebsite.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/resources/userswebsite.md 
@@ -5,16 +5,16 @@ The Users tab shows information about the users on the selected resource. Manually managed user accounts can be added to the website resource. These accounts are used for activities on the resource. The format in the Username field must be identical to the username format specified in the “Login Account Template” field of the activity. See the -[Activities Page](../../page/activities.md) topic for additional information. +[Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. -![Users Tab for Website Resource](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsuserstab.webp) +![Users Tab for Website Resource](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/resources/websitedetailsuserstab.webp) The Users tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add — Opens the Add a Managed User window. See the - [Add a Managed User Window](../../window/resources/addamanageduser.md) topic for additional + [Add a Managed User Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanageduser.md) topic for additional information. - Edit — Opens the Edit a Managed User window. See Edit a Managed User for additional information. - Delete — Removes the selected item from the resource. A confirmation window will display. 
@@ -26,7 +26,7 @@ The table has the following columns: - Name — Displays the name of the account - User Name — Displays the account name in the exact format specified in the “Login Account Template” field of the Activity, e.g. `domain\user` or `user@domain.com`. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Created — Date timestamp when the account was created The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authentication.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authentication.md index 756b9c0709..fa0df4ffb6 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authentication.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authentication.md @@ -2,7 +2,7 @@ The Authentication tab for applications shows authentication information about the application. -![Authentication Tab for Application User](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/applicationauthenticationtab.webp) +![Authentication Tab for Application User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/applicationauthenticationtab.webp) The tab displays the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md index b8ce545765..7dea351d83 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md @@ -5,10 +5,10 @@ The Authentication Connector tab for a user or group shows the type of multi-fac displayed on the login page for the user. The list is populated from the previously configured authentication connectors on the -Authentications page. See the [Authentication Page](../../../configuration/page/authentication.md) +Authentications page. See the [Authentication Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/authentication.md) topic for additional information. -![Users Authentication Connector Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userauthenticationtab.webp) +![Users Authentication Connector Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userauthenticationtab.webp) Select the method of authentication for the user or group: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/grouproles.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/grouproles.md index d79e63683e..f2b41a3e98 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/grouproles.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/grouproles.md 
@@ -2,7 +2,7 @@ The Group Roles tab shows whether the current group has been assigned an application role. -![Group Roles Tab for User Groups](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usergroupsgrouproletab.webp) +![Group Roles Tab for User Groups](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usergroupsgrouproletab.webp) The Group Roles tab has the following features: @@ -15,7 +15,7 @@ The Group Roles tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Role — List of available roles. See the [Role Management Page](../../page/rolemanagement.md) topic +- Role — List of available roles. See the [Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) topic for additional details. - Assigned — Indicates whether the role has been assigned diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md index b1e855fbe8..78c5e9052f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/history.md 
@@ -3,14 +3,14 @@ The History tab shows information about the session history of the selected user, group, or application. -![History Tab for Application User](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userhistorytab.webp) +![History Tab for Application User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userhistorytab.webp) The History tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: @@ -22,7 +22,7 @@ The table has the following columns: - Time — Date timestamp for when the event occurred - User— Displays the name of the account. Click the link to view additional details. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - Access Policy — Displays the number of access policies associated - Event Message — Description of the event diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/localrights.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/localrights.md index 70a0c5fb4b..c296b2c2e4 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/localrights.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/localrights.md @@ -2,7 +2,7 @@ The Local Rights tab shows information about the local rights granted for the selected user. -![Local Rights Tab for Application User](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userlocalrightstab.webp) +![Local Rights Tab for Application User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userlocalrightstab.webp) The Local Rights tab has the following feature: @@ -13,6 +13,6 @@ The table has the following columns: - Name — Displays the name of the group the user is a member of - Host — Resource where the local group resides. Click the link to view - [Host Details Page](../../page/details/host.md). + [Host Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/host.md). The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/members.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/members.md index d0648899d7..d4738b2830 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/members.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/members.md 
@@ -2,7 +2,7 @@ The Members tab shows information about the members for the selected group. -![Group Members Tab](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usergroupsmemberstab.webp) +![Group Members Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usergroupsmemberstab.webp) The Members tab has the following features: @@ -14,7 +14,7 @@ The table has the following columns: - Type — Icon indicates the type of object - Name — Displays the name of the account. See the - [User, Group, & Application Details Page](../../page/details/usergroupapplication.md) topic for + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. - User Principal Name — Displays the UPN value for the account - SID — Security identifier for the user or group diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md index 3f61328e50..4d0223124b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/policies.md 
@@ -3,14 +3,14 @@ The Policies tab shows information about the session policies for the selected user, group, or application. -![Policies Tab for Application Users](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userpoliciestab.webp) +![Policies Tab for Application Users](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userpoliciestab.webp) The Policies tab has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Add — Opens the Add Account to Policies window. See - [Add Account to Policies Window](../../window/usersgroups/addaccounttopolicies.md) topic for + [Add Account to Policies Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.md) topic for additional information. - Remove — Removes the selected item from being associated with the user group, or application - Refresh — Reload the information displayed 
@@ -19,9 +19,9 @@ The table has the following columns: - Checkbox — Check to select one or more items - Name — Displays the name of the policy. Click the link to view additional details. See the - [Access Policy Page](../../page/accesspolicy.md) topic for additional information. + [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Last Session — Date and timestamp for the last time the user used that activity and policy. This column is only on the User Details page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md index fa226570ad..783331efd0 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/properties.md @@ -3,7 +3,7 @@ The Properties Tab enables Privilege Secure administrators to provide additional metadata for the application according to the use case. -![Properties Tab for Application User](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/applicationpropertiestab.webp) +![Properties Tab for Application User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/applicationpropertiestab.webp) The Properties tab has the following fields: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md index 847369107a..122299b349 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/sessions.md @@ -2,7 +2,7 @@ The Sessions tab shows information about the sessions of the selected user, group, or application. -![Sessions Tab for Application Users](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usersessionstab.webp) +![Sessions Tab for Application Users](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/usersessionstab.webp) The Sessions tab has the following features: @@ -10,7 +10,7 @@ The Sessions tab has the following features: table or list is filtered to the matching results. - End Session — Cancel the selected session(s) - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](../../../dashboard/window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: 
@@ -18,7 +18,7 @@ The table has the following columns: - Requested — Date and time of when the session was created - User — Displays the account used to log onto the resource - Host — Resource that the user will run the activity on. The details vary based on the type of - resource. See the [Resources Page](../../page/resources.md) topic for additional information. + resource. See the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for additional information. - Start — Indicates when the activity started. This refers to when the activity’s actions were executed and not when the user was logged on to the resource. - End — Indicates when the session is scheduled to end the activity, which is determined by the @@ -41,9 +41,9 @@ The table has the following columns: - Canceling — The session is either expired or was canceled manually by the user or an Privilege Secure administrator. - Locked — The session has been locked by an Privilege Secure administrator. See the - [Lock Session](../../../dashboard/window/locksession.md) topic for additional information. + [Lock Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/locksession.md) topic for additional information. - Activity — Displays the name of the activity. Click the link to view additional details. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. The table columns can be resized and sorted in ascending or descending order. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroles.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroles.md index 331e5cf3e5..987de38abe 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroles.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroles.md @@ -2,7 +2,7 @@ The User Roles tab shows whether the current user has been assigned an application role. -![User Roles Tab for Application User](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroletab.webp) +![User Roles Tab for Application User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/userroletab.webp) The User Roles tab has the following features: @@ -15,7 +15,7 @@ The User Roles tab has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Role — List of available roles. See the [Role Management Page](../../page/rolemanagement.md) topic +- Role — List of available roles. See the [Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) topic for additional details. - Assigned — Indicates whether the role has been assigned diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addactivitiesandactivitygroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addactivitiesandactivitygroups.md index 56463f3df6..2a9a9368c3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addactivitiesandactivitygroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addactivitiesandactivitygroups.md 
@@ -1,9 +1,9 @@ # Add Activities and Activity Groups Window The Add Activities and Activity Groups window provides a list of Activities that have been created. -Activities are created in the [Activities Page](../../page/activities.md). +Activities are created in the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md). -![Add Activities and Activity Groups Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) +![Add Activities and Activity Groups Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) The window has the following features: @@ -56,4 +56,4 @@ Available Activities list. **Step 6 –** Click Add to add the activities and activity groups to the access policy. The new activities and activity groups are added to the access policy and are shown in the -[Activities Tab for Resource Based Access Policies](../../tab/policyresource/activities.md). +[Activities Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addcredentials.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addcredentials.md index 25cb9ee23f..9b50f5ba93 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addcredentials.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addcredentials.md 
@@ -1,9 +1,9 @@ # Add Credentials Window The Add Credentials window provides a list of Credentials that have been onboarded. Credentials are -onboarded in the [Credentials Page](../../page/credentials.md). +onboarded in the [Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md). -![Add credentials window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) +![Add credentials window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) The window has the following features: @@ -60,4 +60,4 @@ table and it is immediately moved to the Credentials to Add table. **Step 6 –** Click Add to add the credential(s) to the access policy. The new credential(s) are added to the access policy and are shown in the -[Credentials Tab for Credential Based Access Policies](../../tab/policycredentials/credentials.md). +[Credentials Tab for Credential Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policycredentials/credentials.md). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addresourcesandresourcegroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addresourcesandresourcegroups.md index c572775a48..299cb7766f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addresourcesandresourcegroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/accesspolicy/addresourcesandresourcegroups.md 
@@ -1,9 +1,9 @@ # Add Resources and Resource Groups Window The Add Resources and Resource Groups window provides a list of resources that have been onboarded. -Resources are onboarded in the [Resources Page](../../page/resources.md). +Resources are onboarded in the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). -![Add resources and resource groups window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandresourcegroups.webp) +![Add resources and resource groups window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandresourcegroups.webp) The window has the following features: @@ -56,4 +56,4 @@ back to the Available Resources / Resource Groups table. **Step 7 –** Click Add to add the resource(s) and resource group(s) to the access policy. The new resource(s) and resource group(s) are added to the access policy and are shown in the -[Resources Tab for Resource Based Access Policies](../../tab/policyresource/resources.md). +[Resources Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/resources.md). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md index bc9708e8f2..9d899c0f4e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addaction.md 
@@ -16,7 +16,7 @@ part. Follow the instructions to add actions to the activity. These actions may be paired with a corresponding Pre-Session action. -![addactionwindow](../../../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/actions/addactionwindow.webp) +![addactionwindow](/img/product_docs/threatprevention/threatprevention/admin/policies/actions/addactionwindow.webp) **Step 4 –** Complete the following fields: @@ -32,7 +32,7 @@ These actions may be paired with a corresponding Pre-Session action. - Action Name - Action Name — (Optional) Edit the name of the action. - Paired Actions Name - Paired Action's Name — (Optional) Edit the name of the paired action -See the [Action Types](../../activityactiontypes.md) section for detailed descriptions of the +See the [Action Types](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityactiontypes.md) section for detailed descriptions of the fields. **NOTE:** The fields will change depending on the selected Action Type. @@ -47,7 +47,7 @@ existing action and then create a new action to get a new Action Type. **Step 7 –** If desired, it is possible to automatically run any Protection Policies associated with the resource when the session completes. Simply add the _Invoke Protection Policies_ action to the -Post-Session group. See the [Protection Policies Page](../../page/protectionpolicies.md) topic for +Post-Session group. See the [Protection Policies Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/protectionpolicies.md) topic for additional information. **NOTE:** It is not necessary to select a protection policy. All protection policies that apply to diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addactivities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addactivities.md index 08f21f1d95..9968e77020 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addactivities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/activities/addactivities.md @@ -1,9 +1,9 @@ # Add Activities Window The Add Activities window provides a list of Activities that have been created. Activities are -created in the [Activities Page](../../page/activities.md). +created in the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md). -![Add activities and activity groups window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) +![Add activities and activity groups window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md index 349bf37c9c..d49ac595f2 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.md 
@@ -3,7 +3,7 @@ The Account Dependencies window shows all of the dependent services and scheduled tasks for the selected service account. -![Account Dependencies Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.webp) +![Account Dependencies Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/accountdependencies.webp) The window has the following details displayed at the top: @@ -14,7 +14,7 @@ The window has the following details displayed at the top: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run @@ -56,7 +56,7 @@ The window has the following columns: - Last Scan — Date timestamp for the last time the resource was scanned - Last Change — Date timestamp for the last time the password was changed - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md index bca3ff3a82..888e550864 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/addcredentials.md @@ -2,9 +2,9 @@ The Add Credentials window provides a list of Credentials that have been onboarded and are not already present in the collection. Credentials are onboarded in the -[Credentials Page](../../page/credentials.md). +[Credentials Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentials.md). -![Add Credentials Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) +![Add Credentials Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/addcredentials.webp) The window has the following features: 
@@ -25,23 +25,23 @@ Both tables have the following columns: - Method — Indicates how the account is managed: - Automatic — Credential rotation is managed by Privilege Secure according to the change policy - for that platform type. See the [Platforms Page](../../page/platforms/overview.md) topic for + for that platform type. See the [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. - Manual — Credential rotation must be initiated manually with the Rotate Service Account button, or the credential must be manually updated on both the resource and in Privilege - Secure. See the [Service Accounts Page](../../../configuration/page/serviceaccounts.md) + Secure. See the [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) section for information on updating credentials for Internal service accounts. - Not Managed — Not currently managed by Privilege Secure and no credentials have ever been stored - **NOTE:** See the [Rotation Methods](../../credentialrotationmethod.md) topic for additional + **NOTE:** See the [Rotation Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/credentialrotationmethod.md) topic for additional information. - Managed Type — Type of managed account: - Standard — Local or domain user account, including managed users created by activity sessions - Internal — Internal service account used by Privilege Secure with no dependencies. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Service — Local or domain service account with one or more dependencies. Includes Internal service accounts with one or more dependencies. 
@@ -51,7 +51,7 @@ Both tables have the following columns: - Age — Number of days since the last credential rotation or from when the password was first created - Status — Indicates if the account credentials have been verified by Privilege Secure. See the - [Platforms Page](../../page/platforms/overview.md) topic for additional information on configuring + [Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information on configuring a verification schedule. - Unspecified — Verification check has not run @@ -93,7 +93,7 @@ The new credentials are added to the applicable group. Follow the steps to add credentials to a Credential Policy Override. In order for an account to be added to add credentials window, a credential must be managed with a method of **Automatic**. Only one account can be added to a Credential Policy Override at a time. See the -[Manage Internal Service Accounts](manageinternalserviceaccount.md) topic for additional +[Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for additional information. **Step 1 –** Navigate to the **Policy** > **Credentials** > Credential Groups page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md index ce9c9270b7..db5cd8abf4 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md 
@@ -5,7 +5,7 @@ dependencies (windows services or scheduled tasks). When an internal service acc _Internal_) is selected and set to be managed by Privilege Secure, a pop up window will display and Privilege Secure searches for a matching user. -![Manage internal service account](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.webp) +![Manage internal service account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.webp) If a matching user is found, there are three options to manage the selected account. 
@@ -16,16 +16,16 @@ If a matching user is found, there are three options to manage the selected acco If the message “No matching user found” is displayed, Privilege Secure is unable to find a matching user in Active Directory. -![No matching user found](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/matchinguserfalse.webp) +![No matching user found](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/matchinguserfalse.webp) Try the following possible solutions to resolve: - Perform an AD Sync to collect the latest AD data from the domain. See the - [Domain Details Page](../../page/details/domain.md) topic for additional information. + [Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. - Check the user is added to the Privilege Secure console. See the - [Users & Groups Page](../../page/usersgroups.md) topic for additional information. + [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md) topic for additional information. - Check the spelling of the Username associated with the service account. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Make sure the user is in Active Directory in the expected domain 
@@ -33,12 +33,12 @@ Try the following possible solutions to resolve: If the manual option is selected, a new window will open to set the password for the credential. -![Set password for credential window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/setpasswordcredential.webp) +![Set password for credential window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/setpasswordcredential.webp) After the password is created, click **Save** to update the password. The account password has been updated and the service account can be manually managed. -![Manually Managed Account](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/credentialsmanuallymanageaccount.webp) +![Manually Managed Account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/credentialsmanuallymanageaccount.webp) The selected account will now display the following options. @@ -46,5 +46,5 @@ The selected account will now display the following options. selected account. - Clipboard icon — Copies the password for the selected account - Information icon — Opens the View Password window to view the password and copy it to the - clipboard. The window stays open for 20 seconds. See the [View Password Window](viewpassword.md) + clipboard. The window stays open for 20 seconds. See the [View Password Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md index cf1cb2dab1..f6ee6fbf53 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.md @@ -2,7 +2,7 @@ The Password History window shows all historical passwords for the selected managed account. -![Passwrod History window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.webp) +![Passwrod History window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/passwordhistory.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md index d612ed2335..105a16f320 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.md @@ -3,7 +3,7 @@ The View Password window shows the current passwords for the selected managed account. This window remains open for only 20 seconds. -![View Password window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.webp) +![View Password window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/credentials/viewpassword.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/protectionpolicies/addresources.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/protectionpolicies/addresources.md index 306f63a314..d9e2606683 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/protectionpolicies/addresources.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/protectionpolicies/addresources.md @@ -1,9 +1,9 @@ # Add Resources Window for Protected Policy The Add Resources window provides a list of resources that have been onboarded. Resources are -onboarded in the [Resources Page](../../page/resources.md). +onboarded in the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). -![Protection policy add resource window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresources.webp) +![Protection policy add resource window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresources.webp) The window has the following features: @@ -20,7 +20,7 @@ Both tables have the following columns: - Checkbox — Check to select one or more items - Type — Classification of the activity - Name — Displays the name of the resource. Click the link to view additional details. See the - [Resources Page](../../page/resources.md) topic for addition information. + [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for addition information. - DNS Host Name — Displays the DNS host name for a host resource or the FQDN for a domain resource - Operating System— Displays the operating system of the resource 
@@ -57,4 +57,4 @@ Resources table. **Step 6 –** Click Add to add the resources to the protection policy. The new resource(s) are added to the protection policy and are shown on the -[Resources Tab for Protection Policies](../../tab/policyprotection/resources.md). +[Resources Tab for Protection Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyprotection/resources.md). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanagedaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanagedaccount.md index 57f8811859..571920aeb3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanagedaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanagedaccount.md @@ -4,7 +4,7 @@ Follow the steps below to add a managed account to the secret vault. **Step 1 –** Click the **Add** button. -![addmanagedaccount](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addmanagedaccount.webp) +![addmanagedaccount](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addmanagedaccount.webp) **Step 2 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanageduser.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanageduser.md index ee2b3bee46..c3c5898188 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanageduser.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addamanageduser.md 
@@ -2,7 +2,7 @@ Manually managed user accounts may be added to the website resource. These accounts can be used for activities on the resource by specifying the username value in the “Login Account Template” field of -the Activity. See the [Activities Page](../../page/activities.md) topic for additional information. +the Activity. See the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. Follow the steps to add or edit a managed user account for the resource. @@ -18,7 +18,7 @@ Follow the steps to add or edit a managed user account for the resource. - To add a new managed user, click **Add**. - To modify an existing managed user, select the User from the list and click **Edit**. -![addmanageduser](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addmanageduser.webp) +![addmanageduser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addmanageduser.webp) **Step 4 –** Specify the username/password combination that will be used to log users onto the website. Enter the following information: @@ -26,7 +26,7 @@ website. Enter the following information: - Display Name – The friendly name for the account - Username – The account in the exact format specified in the “Login Account Template” field of the Activity, e.g. `domain\user` or `user@domain.com`. See the - [Activities Page](../../page/activities.md) topic for additional information. + [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. - Password – Contains the service account password. The Eye icon can be used to view the password. **Step 5 –** Click **Okay** to accept changes. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md index 74673415f8..951f909962 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.md @@ -8,7 +8,7 @@ Follow the steps to add a new Service Account to a host resource: **Step 3 –** Click the Green Plus Button to add a new Service Account. -![addnewserviceaccount](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.webp) +![addnewserviceaccount](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addnewserviceaccount.webp) **Step 4 –** Complete the following fields: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md index 6a88cad79f..e01580350f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md 
@@ -12,7 +12,7 @@ the onboarding method: When the Import from AD option is selected, the Add Resources window provides a list of resources found via Active Directory sync. -![Add Resources window showing the Import from AD option](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardad.webp) +![Add Resources window showing the Import from AD option](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardad.webp) The window has the following features: @@ -21,7 +21,7 @@ The window has the following features: - Available Resources — Shows all available resources - Resources And Groups to Add — Shows selected resources - Service Account — Provides a list of available Service Accounts. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Add — Onboards resources and closes the window - Cancel — Discards modifications and closes the window 
@@ -60,17 +60,17 @@ The new resource(s) have been onboarded and can be added to Access Policies. When the Import from AD option is selected, the Add Resources window provides import options. -![Add Resources window showing the Import from CSV option](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardcsv.webp) +![Add Resources window showing the Import from CSV option](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardcsv.webp) The window has the following features: - Import CSV — Opens Window Explore to select the file - Download CSV Template — Downloads the `nps-resource-import-template.csv` file with required - columns. See the [Create Resource Import CSV File](../../resourceimportcsv.md) topic for + columns. See the [Create Resource Import CSV File](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/resourceimportcsv.md) topic for additional information. - Remove — Removes the selected item - Service Account — Provides a list of available Service Accounts. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Add — Onboards resources and closes the window - Cancel — Discards modifications and closes the window 
@@ -128,7 +128,7 @@ The new resource(s) have been onboarded and can be added to Access Policies. When the Add Manually option is selected, the Add Resources window provides options for entering resources. -![Add Resources window showing the Add Manually option](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardmanually.webp) +![Add Resources window showing the Add Manually option](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboardmanually.webp) The window has the following features: @@ -136,7 +136,7 @@ The window has the following features: - Add — Adds the resource in the textbox to the table - Remove — Removes the selected item - Service Account — Provides a list of available Service Accounts. See the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. - Add — Onboards resources and closes the window - Cancel — Discards modifications and closes the window diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md index 2526ec64db..04f342a2b1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcestogroup.md 
@@ -8,7 +8,7 @@ Follow the steps to add resources to a resource group. **Step 3 –** In the Resource Groups table, click Add. -![addresources](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresources.webp) +![addresources](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addresources.webp) The Add Resources window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md index d29904c5ae..6c01304a4c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.md @@ -13,7 +13,7 @@ Follow the steps to add or edit a Website URL used by a resource. - To add a new URL, click **Add**. -![addwebsiteurl](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.webp) +![addwebsiteurl](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/addwebsiteurl.webp) **Step 4 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md index c52bb29dee..8fa4b152dc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.md 
@@ -8,10 +8,10 @@ Follow the steps to change the platform type for a host resource. **Step 3 –** Click Change Platform to open the Change Platform window. -![Change Resource Platform Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.webp) +![Change Resource Platform Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/changeplatform.webp) **Step 4 –** In the Platform drop-down menu, select a previously added platform. See the -[Platforms Page](../../page/platforms/overview.md) topic for additional information. +[Platforms Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/platforms/overview.md) topic for additional information. **Step 5 –** When a platform is entered, the Okay button is enabled. Click **Okay** to update the platform type for the selected resource(s). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md index 2937d4c37c..367edb289e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.md 
@@ -8,13 +8,13 @@ Follow the steps to change the service account for a host resource. **Step 3 –** Click Change Service Account to open the Change Service Account window. -![Change Resource Service Account Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.webp) +![Change Resource Service Account Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/changeserviceaccount.webp) **Step 4 –** In the Service Account drop-down menu, select a previously added service account with credentials for the resource. - To add a service account, see the - [Service Accounts Page](../../../configuration/page/serviceaccounts.md) topic for additional + [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) topic for additional information. **Step 5 –** When a service account is entered, the Okay button is enabled. Click **Okay** to use diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/configuresecurewinrmconnection.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/configuresecurewinrmconnection.md index 7100e68fc6..93d1dfbc48 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/configuresecurewinrmconnection.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/configuresecurewinrmconnection.md 
@@ -8,7 +8,7 @@ Follow the steps to configure secure WinRM connection for the selected host: **Step 3 –** Click the **WinRM Config** button. -![winrmconfig](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/winrmconfig.webp) +![winrmconfig](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/winrmconfig.webp) **Step 4 –** Perform the following steps: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/editamanagedaccount.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/editamanagedaccount.md index f727fef304..3602273d19 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/editamanagedaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/editamanagedaccount.md @@ -6,7 +6,7 @@ Follow the steps below to edit a managed account in a secret vault. **Step 2 –** Click **Edit**. -![Edit a Managed Account for Resources](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/editmanagedaccount.webp) +![Edit a Managed Account for Resources](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/editmanagedaccount.webp) **Step 3 –** Enter the following information: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.md index 5571d2ddc2..585b49d8a1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.md @@ -10,7 +10,7 @@ Follow these steps to add a computer as NPS Managed Resource: **Step 4 –** Click the **Add as NPS Managed Resource** button. -![enrollhostsinmanagement](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.webp) +![enrollhostsinmanagement](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/enrollhostsinmanagement.webp) **Step 5 –** Provide the Service Account in the **Use Service Account** field. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md index 87134db160..296662fee1 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.md @@ -4,7 +4,7 @@ The Password Reset option control password resets for the selected account. Click the **Password Reset Options** button to open the window and configure the following: -![passwordresetoptions](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.webp) +![passwordresetoptions](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/passwordresetoptions.webp) Select options to rotate the account password when the session starts or ends. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md index c2f3cdbe05..c08138e3e5 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md @@ -10,7 +10,7 @@ Follow the steps to remove a resource. **Step 3 –** Click Remove to open the Remove Resource window. -![Remove Resource Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.webp) +![Remove Resource Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.webp) **Step 4 –** Select the **Remove from Database** checkbox to remove the selected resource(s) from the database. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.md index 94a87a8454..16f206da04 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.md 
@@ -8,7 +8,7 @@ Follow the steps to test the host resource connectivity: **Step 3 –** Click the **Test** button. -![Test Resource Connectivity Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.webp) +![Test Resource Connectivity Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/resources/testresourceconnectivity.webp) **Step 4 –** Review the test status and messages (if any). diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.md index e7289c86d8..f202c84a0e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.md @@ -1,9 +1,9 @@ # Add Account to Policies Window The Add Account to Policies window provides a list of Policies that have been created. Policies are -created in the [ Policy Interface](../../interface.md). +created in the [ Policy Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md). -![usersgroupsaddaccounttopoliciespage](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsaddaccounttopoliciespage.webp) +![usersgroupsaddaccounttopoliciespage](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsaddaccounttopoliciespage.webp) The window has the following features: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandgroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandgroups.md index 36daff16cb..ed34609bff 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandgroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandgroups.md @@ -1,9 +1,9 @@ # Add Activities and Groups Window The Add Activities and Groups window provides a list of Activities that have been created. -Activities are created in the [Activities Page](../../page/activities.md). +Activities are created in the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md). -![Add activities and activity groups window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) +![Add activities and activity groups window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addactivitiesandactivitygroups.webp) The window has the following features: @@ -53,4 +53,4 @@ Available Activities list. **Step 6 –** Click Add to add the activities and activity groups to the access policy. The new activities and activity groups are added to the access policy and are shown in the -[Activities Tab for Resource Based Access Policies](../../tab/policyresource/activities.md). +[Activities Tab for Resource Based Access Policies](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/policyresource/activities.md). 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.md index cbfe914c0a..69f6b6b640 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.md @@ -1,9 +1,9 @@ # Add Administrators Window The Add Administrators window provides a list of users that have been onboarded. Users are onboarded -in the [Users & Groups Page](../../page/usersgroups.md). +in the [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). -![Add Administrators Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.webp) +![Add Administrators Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addadministrators.webp) The window has the following features: @@ -29,7 +29,7 @@ The tables in both sections have the following columns: ## Select Users Follow the steps to grant users the Administrator role. See the -[Role Management Page](../../page/rolemanagement.md) section for a list of roles and their +[Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) section for a list of roles and their functions. **Step 1 –** Navigate to the **Users & Groups** > Role Management page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addpolicies.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addpolicies.md index 00cbfe3b95..60415044e4 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addpolicies.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addpolicies.md @@ -1,9 +1,9 @@ # Add Policies Window The Add Policies window provides a list of Policies that have been created. Policies are created in -the [ Policy Interface](../../interface.md). +the [ Policy Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/interface.md). -![Add Policies to a Custom Role Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.webp) +![Add Policies to a Custom Role Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addaccounttopolicies.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandgroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandgroups.md index c432825afe..09b76b5c21 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandgroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandgroups.md 
@@ -1,9 +1,9 @@ # Add Resources and Groups Window The Add Resources And Groups window provides a list of resources that have been onboarded. Resources -are onboarded in the [Resources Page](../../page/resources.md). +are onboarded in the [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md). -![Add resources and rescource groups window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandresourcegroups.webp) +![Add resources and rescource groups window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addresourcesandresourcegroups.webp) The window has the following features: @@ -22,7 +22,7 @@ Both tables have the following columns: - Checkbox — Check to select one or more items - Type — Classification of the activity - Name — Displays the name of the resource. Click the link to view additional details. See the - [Resources Page](../../page/resources.md) topic for addition information. + [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) topic for addition information. - Operating System— Displays the operating system of the resource ## Add Resources diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.md index dbd6453c89..356f1611cb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.md 
@@ -1,9 +1,9 @@ # Add Reviewers Window The Add Reviewers window provides a list of users that have been onboarded. Users are onboarded in -the [Users & Groups Page](../../page/usersgroups.md). +the [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). -![Add Reviews Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.webp) +![Add Reviews Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addreviewers.webp) The window has the following features: @@ -29,7 +29,7 @@ The tables in both sections have the following columns: ## Select Users Follow the steps to grant users the Reviewer role. See the -[Role Management Page](../../page/rolemanagement.md) section for a list of roles and their +[Role Management Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/rolemanagement.md) section for a list of roles and their functions. **Step 1 –** Navigate to the **Users & Groups** > Role Management page. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.md index 858fab96ec..0d4e199add 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.md 
@@ -1,9 +1,9 @@ # Add Role Users Window The Add Role Users window provides a list of users that have been onboarded. Users are onboarded in -the [Users & Groups Page](../../page/usersgroups.md). It allows users to be added to a custom role. +the [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md). It allows users to be added to a custom role. -![Add Role Users Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.webp) +![Add Role Users Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addroleusers.webp) The window has the following features: @@ -34,7 +34,7 @@ Follow the steps below to add a role user to a custom role. **Step 1 –** Navigate to the **Users & Groups** > **Role Management** page. **Step 2 –** In the Role list, click the name of the desired custom role to open the -[Custom Role Details Page](../../page/details/rolemanagementcustom.md). +[Custom Role Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/rolemanagementcustom.md). **Step 3 –** Click the **Add Role Users** button. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md index 28fbdf7ab8..12e9978b6b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersandgroups.md 
@@ -1,10 +1,10 @@ # Add Users & Groups Window The Add Users & Groups window allows you to select users. From the -[Users & Groups Page](../../page/usersgroups.md), this window is used to onboard users. From other +[Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md), this window is used to onboard users. From other interfaces, this window is used to select onboarded users. -![Add Users and Groups to the console](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersgroupstoconsole.webp) +![Add Users and Groups to the console](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/addusersgroupstoconsole.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/resetmfa.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/resetmfa.md index 016d5d14f5..0d08fd3bb6 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/resetmfa.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/usersgroups/resetmfa.md @@ -3,7 +3,7 @@ Privilege Secure allows administrators to reset a user MFA directly from the Users page. Resetting the user's MFA will generate a TOTP secret for the user and force them to register an authenticator. This option is only available when the Internal MFA option is enabled on the User Details page. See -[Authentication Connector Tab](../../tab/usersgroups/authenticationconnector.md) for additional +[Authentication Connector Tab](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/tab/usersgroups/authenticationconnector.md) for additional information. Follow the steps below to reset a user's MFA. 
@@ -12,11 +12,11 @@ Follow the steps below to reset a user's MFA. **Step 2 –** Select the desired user or group account. -![Reset MFA for Users and Groups Account](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsresetmfa.webp) +![Reset MFA for Users and Groups Account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsresetmfa.webp) **Step 3 –** Click the **Reset MFA** button. -![Reset MFA for Account Confermation Window](../../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsresetmfawindow.webp) +![Reset MFA for Account Confermation Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/window/usersgroups/usersgroupsresetmfawindow.webp) **Step 4 –** Click the **Reset MFA** button in the confirmation window. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md index 2b9cd5af7b..3fed234f50 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md 
@@ -3,7 +3,7 @@ New users now experience a product tour on first login. Standard users and users with the Privilege Secure administrator role are walked through features that are relevant to their role. -![producttour](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) +![producttour](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) At any time, the tour can be stopped by clicking the **X** icon at the top-right of the Console. By default, the tour will not display on next login unless the **Do not display again** checkbox is @@ -11,6 +11,6 @@ unchecked. The product tour may be re-started at any time via the user menu. -![usermenu](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) +![usermenu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) -See the [Navigation](navigation.md) topic for additional information. +See the [Navigation](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/navigation.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/sessiontimeout.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/sessiontimeout.md index a8fb1eca7b..703537725f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/sessiontimeout.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/sessiontimeout.md 
@@ -2,7 +2,7 @@ For security reasons, the Privilege Secure Console automatically logs out the user after 10 minutes of inactivity. A Session Timeout warning message displays after 5 -minutes.![Session time out window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If +minutes.![Session time out window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If the timeout message displays, click Stay Logged In to continue using the console.See the -[Global Settings Page](configuration/page/globalsettings.md) topic for additional information on +[Global Settings Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md) topic for additional information on changing the UI idle timeout settings. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md index 25cc9a1157..e5a620b96d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md @@ -9,7 +9,7 @@ The Enablement Toolkit is a utility that offers a GUI for common testing scenari troubleshooting the application. The Toolkit is available to download as a .zip file from the Privilege Secure installer's Extras -folder. See the [Install Components & Methods](../install/components.md) topic for additional +folder. See the [Install Components & Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md) topic for additional information. ## Prerequisites 
@@ -27,7 +27,7 @@ Enablement Toolkit.exe from the **Privilege Secure Installer Package** > **Extr account running the toolkit is not a local administrator, Windows will request administrator credentials. -![SbPAM Enablement Toolkit - EULA Agreement window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_1_-_eula_agreement.webp) +![SbPAM Enablement Toolkit - EULA Agreement window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_1_-_eula_agreement.webp) **Step 2 –** Click **I Accept** on the Enablement Toolkit EULA window. The Enablement Toolkit window opens. @@ -37,7 +37,7 @@ opens. The Enablement Toolkit window fields vary depending on the selected operation. The window has the following fields for all operations: -![SbPAM Enablement Toolkit - Default Interface](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_2_-_main_interface.webp) +![SbPAM Enablement Toolkit - Default Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_2_-_main_interface.webp) - File Menu Options: 
@@ -84,7 +84,7 @@ Follow the steps to execute an operation. **Step 2 –** _Optional_: Open the Help menu for the selected operation by clicking **Help** > **Help (Selected Operation)** or pressing **F1**. Click **Close** to close the Help menu. -![Stealthbits Enablement Toolkit - Help Menu](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_3_-_help_window.webp) +![Stealthbits Enablement Toolkit - Help Menu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_3_-_help_window.webp) **NOTE:** The Help menu displays key information regarding the selected operation. The Help menu for the Enumerate Active Directory Objects operation displays the operation name, required fields, @@ -93,7 +93,7 @@ for each operation you intend to execute. **Step 3 –** Configure the fields for the selected operation. -![Stealthbits Enablement Toolkit - Execution Complete](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_4_-_execution_complete.webp) +![Stealthbits Enablement Toolkit - Execution Complete](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/sbpamenablementtoolkit_-_4_-_execution_complete.webp) **Step 4 –** Click **Execute**. The interface will display the results of the selected operation. @@ -141,7 +141,7 @@ Follow the steps below to obtain a certificate thumbprint. **Step 6 –** Navigate to **Configuration** > **System Settings** > **Global Settings**. **Step 7 –** Paste the thumbprint in the Certificate Thumbprint field of the Netwrix Privilege -Secure console. See the [Global Settings Page](configuration/page/globalsettings.md) topic for +Secure console. See the [Global Settings Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/globalsettings.md) topic for additional information. **Step 8 –** Click **Save**. 
@@ -161,14 +161,14 @@ Components** > **Remote Desktop Services** > **Remote Desktop Connection Client* **NOTE:** Do not expand the Remote Desktop Connection Client folder. -![Troubleshooting - GPO Settings](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/troubleshootinggposettings.webp) +![Troubleshooting - GPO Settings](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/troubleshootinggposettings.webp) **Step 3 –** Click **Specify SHA1 thumbprints of certificates representing trusted .rdp publishers**. **Step 4 –** Click **Policy Settings** in the upper left-hand corner. -![Troubleshooting - SHA1](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/troubleshootingsha1.webp) +![Troubleshooting - SHA1](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/troubleshootingsha1.webp) **Step 5 –** Click the **Enabled** radio button. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md index 4c31eec4fd..a2b27e9be9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md @@ -4,7 +4,7 @@ Follow the steps to create an activity session. **Step 1 –** Select an **Activity** to expand the session ribbon. -![myactivityuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![myactivityuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) **Step 2 –** Click **Create Session** to start a new activity session. 
@@ -17,7 +17,7 @@ Follow the steps to create an activity session. - **CAUTION:** If your license is expired and you can still log in, you will not be able to create activity sessions. -![configuresessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) +![configuresessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) **Step 3 –** Enter the following information: @@ -30,12 +30,12 @@ Follow the steps to create an activity session. resource list. - Click **Start Session** to start the provisioning process. -![startsessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) +![startsessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) **NOTE:** If an approval is required, the Waiting for approval message will display until it has been granted. -![stopsession](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) +![stopsession](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) **Step 4 –** When provisioned, an activity session will display an Available status with a green icon. Click **Available** to launch the session. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/myactivities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/myactivities.md index 38d8db1f05..446b1ab346 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/myactivities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/myactivities.md 
@@ -3,7 +3,7 @@ The Access > My Activities page displays activities mapped to the user as individual cards, organized alphabetically or by Access Policy. -![My Activiy Dashboard for End User](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![My Activiy Dashboard for End User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) To access the My Activities page, open the Access interface. If there is only a single activity card present on this page that activity will open automatically. @@ -18,4 +18,4 @@ one Access Policy. When sorted by Access Policy, the list of resources displayed the resource list of the Access Policy. To create an Activity Session, click the **plus** button to begin. See the -[Create Activity Session](../dashboard/createsession.md) topic for additional information. +[Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/endwebsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/endwebsession.md index 37e4835d33..64d3a2d3ce 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/endwebsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/endwebsession.md 
@@ -7,7 +7,7 @@ Follow the steps to end a Web Session. **Step 1 –** Open the browser extension interface to display the green session page -![Browser Extension Start Web Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionstartsession.webp) +![Browser Extension Start Web Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionstartsession.webp) A count-down timer indicates how much time is remaining for the web session. A REC icon will be overlayed on the extension if the current page is being recorded. @@ -17,7 +17,7 @@ overlayed on the extension if the current page is being recorded. **Step 3 –** A notification is displayed to indicate that the session has ended. Click the **Close Tab** button on the page or close the tab manually. -![Browser Extension End Session Message](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionendsession.webp) +![Browser Extension End Session Message](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionendsession.webp) If the browser extension is configured to automatically end the Activity when all sessions are closed, the Activity will automatically be canceled if there are no remaining browser tabs for the diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/interface.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/interface.md index 488ff12737..ea7b565a6f 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/interface.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/interface.md 
@@ -1,10 +1,10 @@ # Browser Extension Interface The browser extension interface can be launched at any time with the Netwrix Privilege Secure icon -in the browser. See the [Log Into the Privilege Secure Console](../../admin/login.md) topic for +in the browser. See the [Log Into the Privilege Secure Console](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md) topic for additional information. -![browserextensioninterface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensioninterface.webp) +![browserextensioninterface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensioninterface.webp) The browser interface has 3 tabs: @@ -15,10 +15,10 @@ The browser interface has 3 tabs: ## Activities Tab for the Browser Extension The Activities tab displays all website activities mapped to the user via the Privilege Secure -Access Policies. See the [Access Policy Page](../../admin/policy/page/accesspolicy.md) topic for +Access Policies. See the [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) topic for additional information. -![Browser extension Activities tab](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionactivities.webp) +![Browser extension Activities tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionactivities.webp) The Activities tab has the following features: 
@@ -27,11 +27,11 @@ The Activities tab has the following features: expand it and show associated Activities. - Activities — Click an Activity to start an Activity Session. See the - [Start Web Session](startwebsession.md) topic for additional information. + [Start Web Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md) topic for additional information. - Favorite icon — Click the favorite icon to move the Activity to the top of the list. - Settings icon — Click to open the browser extension settings - Session icon — If a session is active, the following icons are shown (see the - [Start Web Session](startwebsession.md) topic for additional information): + [Start Web Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md) topic for additional information): - Green icon – Select to launch the web session - Red icon – Select to end the current web session 
@@ -40,13 +40,13 @@ The Activities tab has the following features: The Current tab displays any website activity matching the current URL in the browser. -![Browser Extension Current tab](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensioncurrenttab.webp) +![Browser Extension Current tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensioncurrenttab.webp) The Current tab shows the resource that matches the current URL at the top, with all of the activities available for that resource expanded. It has the following features: - Activities — Click an Activity to start an Activity Session. See the - [Start Web Session](startwebsession.md) topic for additional information. + [Start Web Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md) topic for additional information. - Favorite icon — Click the favorite icon to move the Activity to the top of the list. - Settings icon — Click to open the browser extension settings @@ -55,7 +55,7 @@ activities available for that resource expanded. It has the following features: Configure basic settings for the browser extension. For additional settings, log in to the Privilege Secure Console. -![Browser Extension Settings Tab](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionsettings.webp) +![Browser Extension Settings Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionsettings.webp) The Settings tab has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md index 122521ac18..83acb27db5 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/startwebsession.md @@ -9,7 +9,7 @@ tab. **Step 3 –** Click an **Activity** in the list to start an Activity Session. -![Browser Extension Activity Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionactivitysession.webp) +![Browser Extension Activity Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionactivitysession.webp) **Step 4 –** When the session icons are enabled to the right of the Activity, the session is ready: @@ -18,7 +18,7 @@ tab. **Step 5 –** Click the green icon to launch the web session in the current browser tab. -![Browser Extension Starting a Web Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionstartsession.webp) +![Browser Extension Starting a Web Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/browserextension/browserextensionstartsession.webp) A count-down timer indicates how much time is remaining for the web session. A REC icon will be overlayed on the extension if the current page is being recorded. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/configure/rdcmanager.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/configure/rdcmanager.md index c0dc2abc68..ffa36ee187 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/configure/rdcmanager.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/configure/rdcmanager.md 
@@ -42,7 +42,7 @@ Netwrix\JonSmith+Local Admin+SQL1.netwrix.com++Server Maintenance Configuration parameters for PuTTY (SSH). -![appendices_stealthbits_privileged](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged.webp) +![appendices_stealthbits_privileged](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged.webp) Host Name Format: @@ -61,7 +61,7 @@ Port: Configuration parameters for MobaXterm (SSH). -![MobaXterm SSH configuration](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_1.webp) +![MobaXterm SSH configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_1.webp) Remote Host Format: 
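Review bot: In the PuTTY (SSH) hunk the rewritten image line keeps the alt text `appendices_stealthbits_privileged`, which is the file name rather than a description. The MobaXterm image just below uses "MobaXterm SSH configuration". Since the line is being touched anyway, suggest giving it a matching descriptive alt text such as "PuTTY SSH configuration". The same applies to the other `appendices_stealthbits_privileged_N` alt texts in this file.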
@@ -78,14 +78,14 @@ Port: Uncheck the checkboxes under Advanced SSH Settings and Bookmark Settings. -| ![appendices_stealthbits_privileged_2](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_2.webp) | ![appendices_stealthbits_privileged_3](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_3.webp) | +| ![appendices_stealthbits_privileged_2](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_2.webp) | ![appendices_stealthbits_privileged_3](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_3.webp) | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ## MobaXterm (RDP) Configuration parameters for MobaXterm (RDP). -![MobaXtermRDP configuration](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_5.webp) +![MobaXtermRDP configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_5.webp) Remote Host: 
@@ -108,7 +108,7 @@ Port: - Port – The RDP listening port on the proxy - Default port – 4489 -![appendices_stealthbits_privileged_6](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_6.webp) +![appendices_stealthbits_privileged_6](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_6.webp) Check the Redirect Clipboard checkbox on the Advanced RDP Settings tab to enable pasting of the 2FA token. @@ -117,7 +117,7 @@ token. Configuration parameters for Microsoft Remote Desktop Connection (RDP). -![appendices_stealthbits_privileged_4](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_4.webp) +![appendices_stealthbits_privileged_4](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_4.webp) Computer: 
@@ -142,7 +142,7 @@ Configure Remote Desktop Connection to Prompt for Password topic for additional Configure the Microsoft Remote Desktop Connection Manager (RDC Manager). -| ![appendices_stealthbits_privileged_7](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_7.webp) | ![appendices_stealthbits_privileged_8](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_8.webp) | +| ![appendices_stealthbits_privileged_7](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_7.webp) | ![appendices_stealthbits_privileged_8](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_8.webp) | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Server name: 
@@ -180,12 +180,12 @@ password. **Step 2 –** Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client -![Configure Remote Desktop Connection to Prompt for Password](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_9.webp) +![Configure Remote Desktop Connection to Prompt for Password](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_9.webp) **Step 3 –** Right click on Prompt for credentials on the client computer and select Edit from the context menu. -![appendices_stealthbits_privileged_10](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_10.webp) +![appendices_stealthbits_privileged_10](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configure/appendices_stealthbits_privileged_10.webp) **Step 4 –** In the Prompt for Credentials on the Client Computer window, select Enabled. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md index 5ebb6b4f2d..15bf963720 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md 
@@ -4,31 +4,31 @@ The Active sessions dashboard shows all currently active sessions. Create an Act grant temporary privileges and gain access to the resources defined by a previously created Access Policy. -![End User Active Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![End User Active Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) The Active Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create My Activity Session](../access/createsession.md) topic for additional information. + [Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session +- Expand icon — Click the expand () icon to show additional information for the session - Status — Shows status information for the session: - Provisioning — Pre-Session stage of the Activity is processing and assigning permissions to the login account - Waiting for Approval — The session requires approval to begin. 
See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Start Activity Session](startsession.md) topic for additional + through a client. See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md index c961787352..bef867dd8b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md @@ -4,7 +4,7 @@ The Approvals Dashboard displays requested sessions that require approval. Users designated as approvers will see the pending sessions queued here. The session must be approved before the requestor can log in to the session. -![Approvals Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/approvalsdashboarduser.webp) +![Approvals Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/approvalsdashboarduser.webp) The Approvals Dashboard has the following features: 
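Review bot: In the active.md hunk, the Expand icon bullet changes from `Click the expand (>) icon` to `Click the expand () icon`. The `>` character was dropped, leaving empty parentheses, and this is unrelated to the link and image path rewrite. The same substitution appears in the Actions list in historical.md. Suggest restoring the character, escaped if the Markdown or MDX parser requires it (for example `&gt;`), instead of removing it.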
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md index 8176f36cb7..842f1fff28 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md @@ -6,7 +6,7 @@ Follow the steps to create an activity session. **Step 2 –** In the Active Session table, click Create Session to open the Activity Request window. -![Create Activity Session Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) +![Create Activity Session Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) **Step 3 –** On the Request Type page, enter the following information: @@ -14,7 +14,7 @@ Follow the steps to create an activity session. **Step 4 –** Click Next to go to the Resource Selection page. -![Create Session window Resource Selection](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) +![Create Session window Resource Selection](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) **Step 5 –** On the Resource Selection page, enter the following information: 
@@ -23,7 +23,7 @@ Follow the steps to create an activity session. **Step 6 –** Click **Next** to go to the Notes page. -![Create Session Notes Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) +![Create Session Notes Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) **Step 7 –** On the Notes page, enter the following information: @@ -32,7 +32,7 @@ Follow the steps to create an activity session. **Step 8 –** Click Next to go to the Scheduling page. -![Create Session Schedule Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) +![Create Session Schedule Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) **Step 9 –** On the Scheduling page, enter the following information: @@ -40,7 +40,7 @@ Follow the steps to create an activity session. **Step 10 –** Click Next to go to the Review page. -![Create Session Review Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) +![Create Session Review Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) **Step 11 –** On the Review page, review the summary of the new session. @@ -53,4 +53,4 @@ session until the request is approved and the status changes to Available. When the status Available is shown, the remote session is ready. Click the Connection icon to begin the session, or log in through a client. -See the [Start Activity Session](startsession.md) topic for additional information. +See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md index 0e5a071a07..1fc1b0a197 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md @@ -2,7 +2,7 @@ The Historical sessions dashboard shows all created sessions and their status. -![Historical Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) +![Historical Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) The Historical Sessions table has the following features: @@ -21,11 +21,11 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information + - Expand icon — Click the expand () icon to show additional information - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session - View logs icon — Opens the Session Logs window to view the action log for the selected - session. See the [Session Logs Window](window/sessionlogs.md) topic for additional + session. See the [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md) topic for additional information. - Requested — Date and time of when the session was created diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/overview.md index 14688755db..780a04aeaf 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/overview.md @@ -3,17 +3,17 @@ The Dashboard interface displays an overview of activity sessions, users, resources and related information. -![Dashboard Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) The overview section shows information for the following: -- Active Dashboard – Shows all currently active sessions. See the [Active Dashboard](active.md) +- Active Dashboard – Shows all currently active sessions. See the [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md) topic for additional information. -- Scheduled Dashboard – Shows all scheduled sessions. See the [Scheduled Dashboard](scheduled.md) +- Scheduled Dashboard – Shows all scheduled sessions. See the [Scheduled Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md) topic for additional information. - Approvals Dashboard – Shows sessions waiting for approval. See the - [Approvals Dashboard](approvals.md) topic for additional information. -- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](historical.md) + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md) topic for additional information. +- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md) topic for additional information. The table shows information on the selected activity session. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md index d502200067..656e104fb9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md @@ -2,14 +2,14 @@ The Scheduled sessions dashboard shows all scheduled sessions. -![Scheduled Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/scheduleddashboarduser.webp) +![Scheduled Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/scheduleddashboarduser.webp) The Scheduled Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create Activity Session](createsession.md) topic for additional information. + [Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - Refresh — Reload the information displayed 
@@ -22,9 +22,9 @@ The table has the following columns: the login account - Pending — Session scheduled start time is still in the future, session is waiting to start - Waiting for Approval — The session requires approval to begin. See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Start Activity Session](startsession.md) topic for additional + through a client. See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md index 3a989192a7..a5bd8b05cd 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/startsession.md 
@@ -4,7 +4,7 @@ On the Active Sessions dashboard, when the status Available is shown, the activi To begin the activity session, click the Connection icon in the Status column for the applicable session to be automatically connected to the resource. -![Connecto to remote session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/remotesessionlaunch.webp) +![Connecto to remote session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/remotesessionlaunch.webp) Also note the icons to view and copy the password for the session as plain text, if the option is enabled in the access policy Connection Profiles. @@ -25,7 +25,7 @@ Alternatively, configure any RDP / SSH Manager for remote login, including: - MS Remote Desktop Connection Manager - MS Terminal Services Client (Remote Desktop) -See the [Configure DirectConnect for Remote Desktop Connection](../configure/rdcmanager.md) topic +See the [Configure DirectConnect for Remote Desktop Connection](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/configure/rdcmanager.md) topic for additional information. ## Session Extension 
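Review bot: In the first startsession.md hunk, the rewritten image line keeps the alt text "Connecto to remote session". The line is already being modified, so suggest correcting it to "Connect to remote session" in the same change.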
@@ -39,10 +39,10 @@ time is 5 minutes or less. **NOTE:** For NPS users with the Administrator role, session extension is always enabled. -![Extend Activity Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) +![Extend Activity Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) For RDP, a pop-up message is displayed in the session window. -![extendsessionssh](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) +![extendsessionssh](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) For SSH the user can extend by typing **Ctrl+X** when prompted. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md index 2acbd33e09..b85e2a34eb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.md @@ -3,7 +3,7 @@ The Session Logs window displays the log details for the selected session. Select a session from the Active dashboard and click the View Logs button to open the Session Logs window. -![Session Logs Window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) +![Session Logs Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) The window has the following features: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md index 832a391f7b..131d5deb3a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md @@ -3,7 +3,7 @@ At the top of the Privilege Secure Console lists available in interfaces and provides access to the Help link and the User Menu: -![End User Dashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/enduserdashboard.webp) +![End User Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/enduserdashboard.webp) The buttons have these functions: @@ -11,9 +11,9 @@ The buttons have these functions: - Access — Grants access to the My Activities page. Activities are be displayed as individual cards, organized alphabetically or by Access Policy. See the - [My Activities Page](access/myactivities.md) topic for additional. information. + [My Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/myactivities.md) topic for additional. information. - Dashboard — View summaries of recent activity logs and user sessions. See the - [Dashboard Interface](dashboard/overview.md) topic for additional information. + [Dashboard Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/overview.md) topic for additional information. - Help — Opens the [Netwrix Privilege Secure Documentation](https://helpcenter.netwrix.com/category/sbpam) in the in 
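Review bot: In the `@@ -11,9 +11,9 @@` hunk of navigation.md, the rewritten `[My Activities Page]` line still ends with `topic for additional. information.`, carrying the stray period over from the old line. Suggest fixing it to `topic for additional information.` while the line is being changed. The unchanged context line above it also reads "Activities are be displayed", which could be corrected in the same pass.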
@@ -23,7 +23,7 @@ The buttons have these functions: - Dark Mode — Toggle “Dark Mode” for the console. Hover over the toggle switch to see a preview of Dark Mode. - Product Tour — Re-starts walk-through of Privilege Secure features. See the - [Product Tour](producttour.md) topic for additional information. + [Product Tour](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/producttour.md) topic for additional information. - Logout — Signs the user out of the current session and opens the Login screen - About — Shows version and license information for the console 
@@ -39,54 +39,54 @@ Interface Icons | Icon | Interface | | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![myactivities](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | -| ![dashboard](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | -| ![policy](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | -| ![users](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | -| ![resources](../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | -| ![credentials](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | -| ![activities](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | -| ![configuration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | -| ![servicenodes](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | -| ![auditreporting](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | +| ![myactivities](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | +| ![dashboard](/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | +| 
![policy](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | +| ![users](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | +| ![resources](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | +| ![credentials](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | +| ![activities](/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | +| ![configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | +| ![servicenodes](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | +| ![auditreporting](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | Dashboard Icons | Icon | Session Data | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![activedashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | -| ![scheduleddashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | -| ![approvalsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | -| ![historicaldashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | -| 
![usersdasshboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | -| ![resourcesdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | -| ![credentialsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | +| ![activedashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | +| ![scheduleddashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | +| ![approvalsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | +| ![historicaldashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | +| ![usersdasshboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | +| ![resourcesdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | +| ![credentialsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | Active Directory Icons | Icon | Object | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![chapter_1_stealthbits_privileged_12](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | -| 
![chapter_1_stealthbits_privileged_13](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | -| ![Collectionsicon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | -| ![Custom Role](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | -| ![Domain icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | -| ![Website icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | -| ![AzureAD icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | -| ![Secret Vault icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | -| ![Cisco icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | -| ![Windows icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | +| 
![chapter_1_stealthbits_privileged_12](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | +| ![chapter_1_stealthbits_privileged_13](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | +| ![Collectionsicon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | +| ![Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | +| ![Domain icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | +| ![Website icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | +| ![AzureAD icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | +| ![Secret Vault icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | +| ![Cisco icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | +| ![Windows icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | Information Icons | Icon | Information | | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| ![chapter_1_stealthbits_privileged_23](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | -| ![chapter_1_stealthbits_privileged_24](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | -| ![chapter_1_stealthbits_privileged_25](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | -| ![chapter_1_stealthbits_privileged_26](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | -| ![chapter_1_stealthbits_privileged_27](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | +| ![chapter_1_stealthbits_privileged_23](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | +| ![chapter_1_stealthbits_privileged_24](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | +| ![chapter_1_stealthbits_privileged_25](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | +| ![chapter_1_stealthbits_privileged_26](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | +| 
![chapter_1_stealthbits_privileged_27](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | Hover over an icon anywhere within the console for its description. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/overview.md index 4d8813e392..3dbd33ec7e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/overview.md @@ -10,7 +10,7 @@ in order to proceed with using Privilege Secure. It is recommended to check with Administrators for login requirements. There is also a Browser Extension that can be installed for Privilege Secure users. See the -[Browser Extension App](browserextension/browserextension.md) topic for additional information. +[Browser Extension App](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/browserextension.md) topic for additional information. ## First Time Login 
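Review bot: In the navigation.md icon tables, the rewritten rows keep alt text such as `chapter_1_stealthbits_privileged_12`, `chapter_1_stealthbits_privileged_23` and `usersdasshboard`, which tells a screen-reader user nothing about the icon. Every one of these rows is already being rewritten, so set the alt text to the label in the second column (User, Complete / Information, User Activity, and so on). Leave the misspelled `usersdasshboard.webp` file name alone unless the asset is renamed in the same commit, otherwise the image reference breaks.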
@@ -39,13 +39,13 @@ Authentication Connector that is set as the default. DUO, Symantec VIP, etc) for all user accounts unless otherwise configured by an Administrator. If required, first time users must register with an MFA to use with their login credentials. -![Default Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) +![Default Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) **Step 2 –** Either click the default authentication connector button, or click **Log In with a Different Account** to display all of the authentication connectors that are registered with Privilege Secure. -![Alternate Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) +![Alternate Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) **Step 3 –** Login to Privilege Secure with a configured authentication connector, or enter the user credentials. @@ -53,7 +53,7 @@ credentials. - When using an authentication connector, there's no 'username' or 'password' field for the user to enter. Instead there's just a single button to login. -![Okta authentication connector](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/oktadefault.webp) +![Okta authentication connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/oktadefault.webp) - Clicking the authentication connector will redirect the user to the IdP login screen, which will log the user in (with whatever MFA is set up in the IdP) and then revert the user back to the 
@@ -65,10 +65,10 @@ credentials. **Step 6 –** Enter the code provided by the registered multi-factor authenticator (MFA). -![Multi Factor Authentication Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) +![Multi Factor Authentication Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) **Step 7 –** Click MFA Login. Privilege Secure opens on the Dashboard Interface. -![Dashboard Interface](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) Privilege Secure is ready to use. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/producttour.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/producttour.md index 2b9cd5af7b..279b42c13b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/producttour.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/producttour.md @@ -3,7 +3,7 @@ New users now experience a product tour on first login. Standard users and users with the Privilege Secure administrator role are walked through features that are relevant to their role. -![producttour](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) +![producttour](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) At any time, the tour can be stopped by clicking the **X** icon at the top-right of the Console. By default, the tour will not display on next login unless the **Do not display again** checkbox is 
@@ -11,6 +11,6 @@ unchecked. The product tour may be re-started at any time via the user menu. -![usermenu](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) +![usermenu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) -See the [Navigation](navigation.md) topic for additional information. +See the [Navigation](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/sessiontimeout.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/sessiontimeout.md index 6cec1b4adf..cef046c7cc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/sessiontimeout.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/sessiontimeout.md @@ -2,5 +2,5 @@ For security reasons, the Privilege Secure Console automatically logs out the user after 10 minutes of inactivity. A Session Timeout warning message displays after 5 -minutes.![Session time out window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If +minutes.![Session time out window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If the timeout message displays, click Stay Logged In to continue using the console. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/gettingstarted.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/gettingstarted.md index 60cb54e50b..6854205a25 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/gettingstarted.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/gettingstarted.md 
@@ -12,17 +12,17 @@ Privilege Secure requires a multi-factor authentication (MFA) solution (Authenti VIP, etc.) for all user accounts. First time users must register an MFA to use with their Active Directory credentials: -- Configure multi-factor authentication (MFA). See the [First Launch](install/firstlaunch.md) topic +- Configure multi-factor authentication (MFA). See the [First Launch](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md) topic for additional information. - Login to the Privilege Secure Console. See the - [Log Into the Privilege Secure Console](admin/login.md) topic for additional information. + [Log Into the Privilege Secure Console](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md) topic for additional information. ## Update the License Netwrix Privilege Secure comes with a temporary 30-day license. Contact the organization’s Netwrix sales representative to purchase a license: -- Import the license file. See the [Import the License File](admin/importlicense.md) topic for +- Import the license file. See the [Import the License File](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md) topic for additional information. Privilege Secure licensing is done according to user count. Any user who is provisioned access to 
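Review bot: Every rewritten link in this hunk hard-codes the version segment, for example `/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/login.md`, where the old `admin/login.md` was version-independent. When the 4.2 tree is copied to create the next version, these links will keep pointing at 4.2 without any build error, which is a particular concern for the MFA and login topics. Either keep relative links for targets inside the same version folder, or add a link check that fails when a file under one version directory links into another version.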
@@ -34,9 +34,9 @@ regardless of role (Administrator, Reviewer, User, or Custom Role). Prior to using Privilege Secure, it is necessary to add the service accounts and domains that contain the users, groups and resources: -- [Service Accounts Page](admin/configuration/page/serviceaccounts.md) — Add the account credentials +- [Service Accounts Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/page/serviceaccounts.md) — Add the account credentials that will grant access to the required resources -- [Add New Domain](admin/policy/add/domain.md) — Add the Active Directory domains that contain the +- [Add New Domain](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/domain.md) — Add the Active Directory domains that contain the users, groups, resources and service accounts that Privilege Secure will use to grant access ## Add Users, Resources & Activities 
@@ -46,11 +46,11 @@ of an access policy to create a session. The access policy determines what activ perform and on what resources. An Access Policy consists of three parts that must be configured first: -- [Users & Groups Page](admin/policy/page/usersgroups.md) — Add the Users and Groups from AD that +- [Users & Groups Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/usersgroups.md) — Add the Users and Groups from AD that will use the Privilege Secure Console -- [Resources Page](admin/policy/page/resources.md) — Add the resources such as Windows or Linux +- [Resources Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/resources.md) — Add the resources such as Windows or Linux servers that the users will access via the Privilege Secure Console -- [Activities Page](admin/policy/page/activities.md) — Add the actions that Privilege Secure will +- [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) — Add the actions that Privilege Secure will perform before, during and after a session, such as temporarily adding the user to a local admins group 
@@ -59,17 +59,17 @@ first: Once the users, groups and resources are added to the console, it is now possible to create access policies to control privileged access: -- [Connection Profiles Page](admin/policy/page/connectionprofiles.md) — Add the connection profile +- [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) — Add the connection profile that will be used with the access policy -- [Access Policy Page](admin/policy/page/accesspolicy.md) — Create the access policies to control +- [Access Policy Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/accesspolicy.md) — Create the access policies to control privileged access to resources ## Create Sessions Privilege Secure is configured and ready to use: -- [Create My Activity Session](enduser/access/createsession.md) — Create a session to grant +- [Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/access/createsession.md) — Create a session to grant temporary privileges and gain access to the resources defined by the previously created access policy -- [Browser Extension Interface](enduser/browserextension/interface.md) — Conveniently access all of +- [Browser Extension Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/interface.md) — Conveniently access all of your previously created activities from within an internet browser diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md index e3a7cd96ba..37c1073831 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md 
@@ -5,13 +5,13 @@ It can also be installed on additional servers. This provides the option to run different locations within an organization. The NPS Proxy Service installer is in the Extras folder of the ZIP file downloaded from the Netwrix -Customer portal. See the [Install Components & Methods](components.md) topic for additional +Customer portal. See the [Install Components & Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md) topic for additional information. **NOTE:** Before you begin, the NPS Proxy Service must be registered with a corresponding application server on the server you will be installing the Action Service prior to installation. The Proxy Service is installed as part of the Action Service installation package. See the -[Proxy Service Install](proxyservice.md) topic for installation instructions. +[Proxy Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md) topic for installation instructions. Follow the steps to install the NPS Action Service on another server. @@ -29,11 +29,11 @@ server. **Step 3 –** Open the NPS.ActionService.exe and the Netwrix Privilege Secure Action Service Setup wizard will open. -![licenseagreement](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![licenseagreement](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 4 –** To install the Action Service in an alternate location, click **Options**. -![installlocation](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) +![installlocation](/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp) **Step 5 –** Enter the destination folder for installation and click OK. 
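Review bot: In the second actionservice.md hunk, the Privilege Secure Action Service install page still takes its screenshots from other products' asset folders (`/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp` and `/img/product_docs/activitymonitor/activitymonitor/install/agent/installlocation.webp`). The path rewrite preserves that dependency, so reorganizing or removing the Threat Prevention or Activity Monitor assets would break this page, and the screenshots may show a different product's installer. Confirm the images are correct for NPS, and if they are, copy them under `/img/product_docs/privilegesecure/...` and reference them there.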
@@ -43,7 +43,7 @@ Agreement checkbox. **Step 7 –** Click Install to begin the installation. The setup wizard displays the installation progress. -![installcomplete](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcomplete.webp) +![installcomplete](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcomplete.webp) **Step 8 –** When the installation is complete, click Close to exit the installer. @@ -61,7 +61,7 @@ Follow the steps to configure the key exchange. **Step 2 –** Type the following commands to export the encryption keys for the secondary: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Export @@ -82,7 +82,7 @@ server. **Step 6 –** Type the following commands to import the encryption keys: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Import diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md index eed275c2bd..2bed0af19a 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md @@ -2,7 +2,7 @@ The `NPS.zip` file that can be downloaded from the Netwrix Customer portal contains the following: -![Contents of the NPS.zip file download](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/npszip.webp) +![Contents of the NPS.zip file download](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/npszip.webp) - NPS_Setup.exe – Opens the Netwrix Setup Launcher to install the Privilege Secure components: 
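Review bot: In actionservice.md, Steps 2 and 6 of the key exchange change `[Copy]()` to `[Copy](javascript:void(0);)`. The empty link was residue from a copy button in the exported HTML. Giving it a `javascript:` target keeps a control that does nothing and puts a script-scheme URL into the documentation source, which link sanitizers commonly reject. Remove both `[Copy]` lines and put the commands that follow the "Encryption Key Export" and "Encryption Key Import" labels in fenced code blocks, so the site's own copy control applies.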
@@ -21,10 +21,10 @@ The `NPS.zip` file that can be downloaded from the Netwrix Customer portal conta - Enablement Toolkit.exe – Installs a utility that offers a GUI for common testing scenarios used when troubleshooting the application. See the - [Troubleshooting](../admin/troubleshooting.md) topic for additional information. + [Troubleshooting](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/troubleshooting.md) topic for additional information. - NPS.ActionService.exe – Installs the NPS Action Service nodes. By default, this service is installed on the application server. This executable can be copied to other servers to install - the service. See the [Action Service Install](actionservice.md) topic for additional + the service. See the [Action Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md) topic for additional information. - NPS.DbCfg.msi – Installs NPS Windows database configuration - NPS.exe – Installs the Privilege Secure application. By default, this installer is run as part 
@@ -50,18 +50,18 @@ The `NPS.zip` file that can be downloaded from the Netwrix Customer portal conta - NPS.ProxyService – Installs the NPS Proxy Service nodes. It is available as both an EXE and MSI format. By default, this service is installed on the application server. This executable can be copied to other servers to install the service. The MSI can be used with a software - deployment tool. See the [Proxy Service Install](proxyservice.md) topic for additional + deployment tool. See the [Proxy Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md) topic for additional information. - NPS.SchedulerService.exe – Installs the NPS Scheduler Service nodes. By default, this service is installed on the application server. This executable can be copied to other servers to - install the service. See the [Scheduler Service Install](schedulerservice.md) topic for + install the service. See the [Scheduler Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md) topic for additional information. - NPS.SiemService.exe – Installs the NPS SIEM Service nodes. This executable can be copied to other servers to install the service. See the SIEM Service Install topic for additional information. - NPS.TSMon.exe – Installs the Netwrix Privilege Secure Remote Desktop Service. This service is used to monitor Windows events during an RDP session. See the - [Install Remote Desktop Monitor Service on Target RDP Hosts](rdpmonitor.md) topic for + [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. - SbPAMPowershellModules.msi – Installs the Netwrix Privilege Secure PowerShell modules. These modules allow for custom PowerShell scripting tasks to be run against the application API. 
@@ -86,19 +86,19 @@ The `NPS.zip` file that can be downloaded from the Netwrix Customer portal conta **_RECOMMENDED:_** Antivirus software should be disabled during the component installation. The Netwrix Setup Launcher checks for prerequisites and installs both the database and application -on the sames server. See the [Netwrix Setup Launcher](setuplauncher.md) topic for instructions. If +on the sames server. See the [Netwrix Setup Launcher](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/setuplauncher.md) topic for instructions. If the desire is to install the database on a different server, use the appropriate EXE files from the Extras folder. The application also has a silent installation option. When installing by command line, the directory path is respected only when the installer is run in silent mode. See the -[Application Silent Installer Option](silent.md) topic for additional information. +[Application Silent Installer Option](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/silent.md) topic for additional information. There is also a Browser Extension that can be installed for Privilege Secure users. See the -[Browser Extension App](../enduser/browserextension/browserextension.md) topic for additional +[Browser Extension App](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/browserextension/browserextension.md) topic for additional information. _Remember,_ Privilege Secure licensing is done according to user count. Any user who is provisioned access to Privilege Secure will consume a license after their first login. This is true for all users, regardless of role (Administrator, Reviewer, User, or Custom Role). See -[Import the License File](../admin/importlicense.md) topic for additional information. +[Import the License File](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/importlicense.md) topic for additional information. 
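Review bot: The rewritten line `on the sames server. See the [Netwrix Setup Launcher](...)` carries the typo "sames" over from the old line. Fix it to "same server" while the line is being touched. In the last changed line of this hunk, "See [Import the License File]" is missing "the" and should read "See the [Import the License File](...) topic" to match the other cross-references in this file.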
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md index 91d96379df..40540087f9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md @@ -2,7 +2,7 @@ Once the database and application are installed, the next step is to walk through the Setup Wizard. -![Netwrix Setup Launcher showing the Netwrix Privilege Secure with a green checkmark](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep4.webp) +![Netwrix Setup Launcher showing the Netwrix Privilege Secure with a green checkmark](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep4.webp) The Netwrix Setup Launcher can be closed, if it was used during installation. @@ -12,7 +12,7 @@ Symantec VIP, etc.) ready to setup for this account through the wizard. There are two methods for launching the Setup Wizard: -![Netwrix Privilege Secure desktop icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) +![Netwrix Privilege Secure desktop icon](/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) - Double-click the desktop icon. Your default browser opens to the Setup Wizard. - Open a supported browser window and navigate to the following URL, which opens the Setup Wizard: 
@@ -43,11 +43,11 @@ Follow the steps to walk through the Setup Wizard. **Step 1 –** Launch the  Setup Wizard. -![Setup Wizard on the Welcome page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Setup Wizard on the Welcome page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 2 –** Click **Let's get started**. -![Setup Wizard on the Step 1 page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/administratoruser.webp) +![Setup Wizard on the Step 1 page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/administratoruser.webp) **Step 3 –** On the Step 1 page, you identify your primary application Administrator account. Enter the following information and then click Next: @@ -56,7 +56,7 @@ the following information and then click Next: - Username – Enter the account. The domain will auto-populate from the field above. - Password – Enter the account's password. The eye icon can be used to view the entry. -![Setup Wizard on the Step 2 page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/authenticator.webp) +![Setup Wizard on the Step 2 page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/authenticator.webp) **Step 4 –** On the Step 2 page, you register your primary application Administrator account with an MFA provider. 
@@ -69,16 +69,16 @@ MFA provider. **NOTE:** MFA for this account can be done at a later time through the User details page. If that is desired, click Setup Later and skip to Step 6 of these instructions. The initial account will be set to Not Required MFA. See the - [User, Group, & Application Details Page](../admin/policy/page/details/usergroupapplication.md) + [User, Group, & Application Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/usergroupapplication.md) topic for additional information. -![Setup Wizard on the Step 2 page displaying the recovery codes](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/authenticatorcodes.webp) +![Setup Wizard on the Step 2 page displaying the recovery codes](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/authenticatorcodes.webp) **Step 5 –** One-time recovery codes are provided for the registered authenticator. It is recommended to copy these codes with the Copy to clipboard link and save them in a secure location in case you lose your phone with the authenticator app. Click **Next**. -![Setup Wizard on the Step 3 page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/adserviceaccount.webp) +![Setup Wizard on the Step 3 page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/adserviceaccount.webp) **Step 6 –** On the Step 3 page, you identify the Active Directory service account with domain administrator privileges. Enter the following information and then click **Next**: 
@@ -90,7 +90,7 @@ administrator privileges. Enter the following information and then click **Next* account with domain administrator privileges ready when walking through the Setup Wizard, you can click the Exit Wizard link. See the Exit Wizard Early topic for additional information. -![Setup Wizard on the Step 4 page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/sync.webp) +![Setup Wizard on the Step 4 page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/sync.webp) **Step 7 –** On the Step 4 page, click **Sync**. The Active Directory domain synchronization begins and is tracked by the status bar. When synchronization is complete, the Step 5 page opens. @@ -99,7 +99,7 @@ and is tracked by the status bar. When synchronization is complete, the Step 5 p IP address. If this does occur during domain synchronization, you will be redirected to a dedicated error page, which allows you to ignore certificate errors during the initial configuration. -![Setup Wizard on the Step 5 page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/resource.webp) +![Setup Wizard on the Step 5 page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/resource.webp) **Step 8 –** On the Step 5 page, select the first resource to be onboarded. The Setup Wizard will create your first access policy to grant Domain Admin Access with an Activity Token to this 
@@ -109,19 +109,19 @@ resource**. **NOTE:** Available resources were discovered on the domain during the synchronization completed on the Step 3 page. You can use the Search resources box to filter the list. -![Check resources window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/checkresource.webp) +![Check resources window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/checkresource.webp) **Step 9 –** The Check resources window opens. The application is checking DNS resolution and WinRM requirements. If a test fails you can fix the configuration and click Retest. To cancel the test, click **Close**. When all tests are successful, the window and the Setup Wizard close automatically. -![My Activities interfacing displaying the Activity Token for Domain Admin Access activity created by the Setup Wizard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) +![My Activities interfacing displaying the Activity Token for Domain Admin Access activity created by the Setup Wizard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) When the Setup Wizard closes, you are redirected to the My Activities interfacing . The activity created by the Setup Wizard, Activity Token for Domain Admin Access, is displayed. -Take a [Product Tour](../admin/producttour.md) of the console or onboard more users and resources. -See the [Getting Started](../gettingstarted.md) topic for additional information. +Take a [Product Tour](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/producttour.md) of the console or onboard more users and resources. +See the [Getting Started](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/gettingstarted.md) topic for additional information. ## Exit Wizard Early 
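Review bot: The `+` line for `myactivities.webp` keeps the alt text "My Activities interfacing displaying the Activity Token ...". Since the line is being rewritten anyway, change "interfacing" to "interface", and fix the same word in the context sentence "redirected to the My Activities interfacing ." Separately, the NOTE at the top of this hunk says resources were discovered during the synchronization "completed on the Step 3 page", while Step 7 puts the Sync on the Step 4 page; worth correcting in the same pass.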
@@ -133,22 +133,22 @@ you exited from: Exit From Step 3 Page – Domain Service Account Navigate to the domain details page and add a new service account. See the -[Domain Details Page](../admin/policy/page/details/domain.md) topic for additional information. +[Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. Complete the onboarding process misses on the Step 4 and Step 5 pages. Exit From Step 4 Page – Active Directory Sync Navigate to the domain details page and click Synchronize Now. See the -[Domain Details Page](../admin/policy/page/details/domain.md) topic for additional information. +[Domain Details Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/details/domain.md) topic for additional information. Complete the onboarding process misses on the Step 4 and Step 5 pages. Exit From Step 5 Page – Onboard First Resource and Create Access Policy Navigate to the Resources page and add a new server. See the -[Add Resources Window](../admin/policy/window/resources/addresourcesonboard.md) topic for additional +[Add Resources Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/addresourcesonboard.md) topic for additional information. Navigate to the Access Policies page and create a new access policy. See the -[Add Access Policy](../admin/policy/add/accesspolicy.md) topic for additional information. +[Add Access Policy](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/add/accesspolicy.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/overview.md index dc7349a4bb..d9126b746e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/overview.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/overview.md @@ -2,7 +2,7 @@ These topics describes the installation and initial configuration process of Netwrix Privilege Secure. Prior to installing Privilege Secure, ensure that all installation requirements have been -met. See the [Requirements](../requirements/overview.md) topic for additional information. +met. See the [Requirements](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/overview.md) topic for additional information. Privilege Secure comes with a temporary 30-day license. Please contact the organization’s sales representative to purchase a license. @@ -55,7 +55,7 @@ on activity: When a session begins, the service attaches to the session when it identifies the channel used by the Privilege Secure Proxy service and sends the Windows events back to the application. It specifically monitors what windows are opened and what menus are selected during an RDP session. - See the [Install Remote Desktop Monitor Service on Target RDP Hosts](rdpmonitor.md) topic for + See the [Install Remote Desktop Monitor Service on Target RDP Hosts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md) topic for additional information. ## Single Privilege Secure Server @@ -65,7 +65,7 @@ architecture is only used for Proof of Concepts or testing purposes. All compone the application server. This scenario provides rapid start capability, and in most cases, installation and initial configuration can be completed in as little as 20 minutes. -![Single Server Deployment](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/singleserverdeployment.webp) +![Single Server Deployment](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/singleserverdeployment.webp) ## Privilege Secure Server with Remote Services 
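Review bot: In the `@@ -55,7` hunk of `install/overview.md`, the same-directory link `rdpmonitor.md` is expanded to `/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md`, which pushes the `+` line far past the wrap width the surrounding lines keep. It also adds no robustness, because a bare sibling filename keeps working when the directory moves as a unit. Suggest leaving sibling links as they were and limiting the rewrite to `../` links, or reflowing the paragraph after the substitution.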
@@ -74,7 +74,7 @@ install Proxy and Action Services on additional hosts for scalability, redundanc segmentation. Adding these services to other hosts provides the option to disable these services on the application server. -![Distributed Architecture Data Flow Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/distributedarchitecture.webp) +![Distributed Architecture Data Flow Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/distributedarchitecture.webp) The user can contact the Web service over port 6500, illustrated with a blue arrow. They can also talk directly to the Proxy service, illustrated with a green arrow over port: @@ -94,7 +94,7 @@ remoting over: - SSH port 22 The Action service also needs to communicate with Active Directory on a variety of different ports. -See the [Ports](../requirements/ports.md) topic for additional information. +See the [Ports](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/ports.md) topic for additional information. The Service Mesh connects remote services to the central Web service. Each remote “leaf” node is configured as a mesh so traffic may be routed via the most efficient route back to the web service. 
@@ -111,7 +111,7 @@ redundancy, with a replicated database pair. When the Primary becomes unavailabl high-availability configuration tool is used to manually instigate failover. All external components on operational resources continue to service requests. -![Active-Passive Database Deployment Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/activepassivedatabase.webp) +![Active-Passive Database Deployment Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/activepassivedatabase.webp) The Active-Passive configuration, which is only available with the PostgreSQL database, allows you to leverage the embedded database. It is also the simplest option for configuring high-availability. @@ -124,7 +124,7 @@ Server database options. No manual intervention is required. Many application se to the database for redundancy and scalability. However, setup is more complex than an Active-Passive configuration. Also, you will need an additional server for the database. -![Active-Active Database Deployment Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/activeactivedatabase.webp) +![Active-Active Database Deployment Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/activeactivedatabase.webp) ## Cloud-Native Database Deployment @@ -133,7 +133,7 @@ built-in high-availability and auto-scaling. AWS supports databases for PostgreS PostgreSQL) and SQL Server (RDS SQL Server). Azure also supports databases for PostgreSQL and SQL Server. -![AWS Acrive-Active Database Deployment Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/awsdatabase.webp) +![AWS Acrive-Active Database Deployment Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/awsdatabase.webp) ## Third-Party Vault Integration 
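Review bot: The `+` line in the `@@ -133,7` hunk carries over the alt text "AWS Acrive-Active Database Deployment Diagram"; fix "Acrive" to "Active" while the line is being touched. The context above it describes cloud-native databases on both AWS and Azure, so also check that an AWS-only "Active-Active" caption matches what `awsdatabase.webp` shows.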
@@ -145,7 +145,7 @@ activities. Benefits include: - Onboard credentials without having to change API references in applications - Build on existing infrastructure -![Bring Your Own Vault Integration Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/byovdatabase.webp) +![Bring Your Own Vault Integration Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/byovdatabase.webp) ## LAPS Integration @@ -156,4 +156,4 @@ integration allows those passwords to be utilized for Privilege Secure activitie - Faster deployment time - Offboard password changing process to Active Directory -![Bring Your Own Vault LAPS Integration Diagram](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/byovlapsdatabase.webp) +![Bring Your Own Vault LAPS Integration Diagram](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/byovlapsdatabase.webp) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md index b86c7a91c2..34162552ae 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md 
@@ -12,7 +12,7 @@ Service, the NPS Scheduler Service, and NPS SIEM Service. This provides the opt defined in the application from different locations within your organization. The NPS Proxy Service installer is in the Extras folder of the ZIP file downloaded from the Netwrix -Customer portal. See the [Install Components & Methods](components.md) topic for additional +Customer portal. See the [Install Components & Methods](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/components.md) topic for additional information. Follow the steps to install the NPS Proxy Service on another server that will run services for the @@ -27,14 +27,14 @@ knowledge base article. **Step 2 –** Right-click on the installer and select Run as administrator. The Netwrix Privilege Secure Proxy Service Setup wizard opens. -![Netwrix Privileged Secure Proxy Service Setup wizard on the EULA page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![Netwrix Privileged Secure Proxy Service Setup wizard on the EULA page](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 3 –** On the End User License Agreement page, check the I agree to the license terms and conditions box and click Options. _Remember,_ it is a best practice to read the agreement before accepting it. -![Netwrix Privileged Secure Proxy Service Setup wizard on the Setup Options page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/setupoptions.webp) +![Netwrix Privileged Secure Proxy Service Setup wizard on the Setup Options page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/setupoptions.webp) **Step 4 –** The default installation location for Install Folder is: 
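Review bot: The EULA screenshot for the NPS Proxy Service installer in the `@@ -27,14` hunk still resolves to another product's asset, `/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp`, while the Setup Options image on the next step comes from the `privilegesecure` tree. The path rewrite preserves that cross-product dependency, so a change to the Threat Prevention image would alter this page. Consider copying the asset under `/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/`, or confirm the shared image is intentional. The alt text also reads "Privileged Secure" where the body uses "Privilege Secure".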
@@ -48,7 +48,7 @@ _Remember,_ it is a best practice to read the agreement before accepting it. **NOTE:** The installation process begins and the wizard displays the its Progress. This may take a few moments. -![Netwrix Privileged Secure Proxy Service Setup wizard on the Successfully Completed page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Netwrix Privileged Secure Proxy Service Setup wizard on the Successfully Completed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 6 –** When installation is complete, click Close. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md index 17c1724810..d5470e0fe5 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/rdpmonitor.md @@ -6,8 +6,8 @@ on the target host to install and enable this service. The EXE file is located of the Privilege Secure installation download ZIP file. The Windows event activity that occurs during an RDP session is then displayed and is searchable -within the [Live Session Viewer Window](../admin/dashboard/window/liveviewer.md) and the -[Replay Viewer Window](../admin/dashboard/window/replayviewer.md) with keystroke details, which are +within the [Live Session Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/liveviewer.md) and the +[Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) with keystroke details, which are monitored and recorded without this service. Follow the steps to install the Remote Desktop Monitor service. 
@@ -36,5 +36,5 @@ The service is now listening for terminal services connections. **NOTE:** It is necessary for the Record Proxy Sessions option to be enabled on the connection profile for the associated access policy. See the -[Connection Profiles Page](../admin/policy/page/connectionprofiles.md) topic for additional +[Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md index 2596054877..f262e9a60b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md @@ -7,7 +7,7 @@ Privilege Secure Console installer. It is also available for download from the S if required. **NOTE:** Before you begin, the Proxy Service must be installed on any server running services for -Privilege Secure. See the [Proxy Service Install](proxyservice.md) topic for installation +Privilege Secure. See the [Proxy Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md) topic for installation instructions. Follow the steps to install the Scheduler Service. 
@@ -22,11 +22,11 @@ server. **Step 3 –** Open the NPS.SchedulerService.exe and thePrivilege Secure Scheduler Service Setup wizard will open. -![licenseagreement](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![licenseagreement](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 4 –** To install the Scheduler Service in an alternate location, click **Options**. -![scheduleoptions](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/scheduleoptions.webp) +![scheduleoptions](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/scheduleoptions.webp) **Step 5 –** Enter the destination folder for installation and click OK. @@ -36,7 +36,7 @@ Agreement checkbox. **Step 7 –** Click Install to begin the installation. The setup wizard displays the installation progress. -![installcompleted](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcompleted.webp) +![installcompleted](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installcompleted.webp) **Step 8 –** When the installation is complete, click Close to exit the installer. @@ -55,7 +55,7 @@ Follow the steps to configure the key exchange. **Step 2 –** Type the following commands to export the encryption keys for the secondary: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Export @@ -76,7 +76,7 @@ server. **Step 6 –** Type the following commands to import the encryption keys: -[Copy]() +[Copy](javascript:void(0);) Encryption Key Import diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/setuplauncher.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/setuplauncher.md index f3bc6d20cd..3e0f5f2765 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/setuplauncher.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/setuplauncher.md @@ -7,7 +7,7 @@ require a server reboot at the end of the installation. The Netwrix Setup Launcher checks for and installs missing prerequisites in addition to installing the database and application. -![Netwrix Setup Launcher showing the Prequisites Setup with a green checkmark](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep2.webp) +![Netwrix Setup Launcher showing the Prequisites Setup with a green checkmark](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep2.webp) **_RECOMMENDED:_** Antivirus software should be disabled on this computer during the installation. 
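Review bot: In `install/schedulerservice.md` (hunks `@@ -55,7` and `@@ -76,7`, just before this file's header), `[Copy]()` becomes `[Copy](javascript:void(0);)`, which turns copy-button residue from the source page into a `javascript:` link in the published docs. The link does nothing for the reader, and `javascript:` targets are typically stripped or blocked by Markdown sanitizers or a strict Content-Security-Policy. Suggest deleting both `[Copy]` lines and presenting the commands that belong under "Encryption Key Export" and "Encryption Key Import" as fenced code blocks instead.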
@@ -30,18 +30,18 @@ wizard opens. **NOTE:** If PostgreSQL v16 is already installed, a green checkmark is displayed to the left of the Install PostgreSQL 16 button and you can install the Privilege Secure application. -![Stealthbits PostgreSQL v12 Setup Wizard on the Install page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) +![Stealthbits PostgreSQL v12 Setup Wizard on the Install page](/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) **Step 2 –** On the Install page, click **Install**. -![Stealthbits PostgreSQL v12 Setup Wizard on the License Agreement page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![Stealthbits PostgreSQL v12 Setup Wizard on the License Agreement page](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 3 –** On the End User License Agreement page, check the **I accept the license agreement** box and click **Next**. _Remember,_ it is a best practice to read the agreement before accepting it. -![Stealthbits PostgreSQL v12 Setup Wizard on the Install and Data Folder page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installfolder.webp) +![Stealthbits PostgreSQL v12 Setup Wizard on the Install and Data Folder page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/installfolder.webp) **Step 4 –** The default installation location for both the Install Folder and the Data Folder is: 
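Review bot: All three `+` image lines in this hunk keep the alt text "Stealthbits PostgreSQL v12 Setup Wizard ...", although the surrounding steps install PostgreSQL 16 (the "Install PostgreSQL 16" button in this hunk, `C:\Program Files\Stealthbits\Postgres16` in the next one). Update the alt text to v16. Also confirm that the two screenshots taken from the `threatprevention` image tree (`upgrade/install.webp`, `licenseagreement.webp`) show the PostgreSQL v16 installer rather than another product's wizard.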
@@ -53,7 +53,7 @@ C:\Program Files\Stealthbits\Postgres16 **NOTE:** The installation process begins and the Setup wizard displays the its Progress. This may take a few moments. -![Stealthbits PostgreSQL v12 Setup Wizard on the Completed Successfully page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Stealthbits PostgreSQL v12 Setup Wizard on the Completed Successfully page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 5 –** When installation is complete, click **Exit**. The Stealthbits PostgeSQL v16 Setup wizard closes. 
@@ -68,21 +68,21 @@ The PostgreSQL database is successfully installed. It is time to install the app Follow the steps to install Privilege Secure application. -![Netwrix Setup Launcher showing the PostgreSQL Setup with a green checkmark](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep3.webp) +![Netwrix Setup Launcher showing the PostgreSQL Setup with a green checkmark](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/launcherstep3.webp) **Step 1 –** If you are using the Netwrix Setup Launcher, it displays a green checkmark for the PostgreSQL Setup. Click Netwrix Privilege Secure Setup. **NOTE:** This window remains open in the background while the database is installed. -![Netwrix Privilege Secure Setup wizard on the License Agreement page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![Netwrix Privilege Secure Setup wizard on the License Agreement page](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 2 –** On the End User License Agreement page, check the **I agree to the license terms and conditions** box and click **Options**. _Remember,_ it is a best practice to read the agreement before accepting it. -![Netwrix Privilege Secure Setup wizard on the Setup Options page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/setupoptions.webp) +![Netwrix Privilege Secure Setup wizard on the Setup Options page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/setupoptions.webp) **Step 3 –** The default installation location for Install Folder is: 
@@ -96,7 +96,7 @@ C:\Program Files\Stealthbits\PAM **NOTE:** The installation process begins and the wizard displays the its Progress. This may take a few moments. -![Netwrix Privilege Secure Setup wizard on the Completed Successfully page](../../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Netwrix Privilege Secure Setup wizard on the Completed Successfully page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 5 –** When installation is complete, click **Close**. @@ -105,4 +105,4 @@ server reboot at the end of the installation. Once installation is complete, open and walk through the Netwrix Privilege Secure Setup Wizard. The Wizard can be accessed through the Netwrix Privilege Secure desktop icon or locally on the default -port. See the [First Launch](firstlaunch.md) topic for additional information. +port. See the [First Launch](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/firstlaunch.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskey.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskey.md index a154572d46..31c6056150 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskey.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskey.md 
@@ -28,26 +28,26 @@ Follow the steps to create a policy in AWS. **Step 3 –** Select **Create Policy**. -![Search for KMS Service](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/searchkms.webp) +![Search for KMS Service](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/searchkms.webp) **Step 4 –** On the Specify permissions page, navigate to the Select a service box and search for the ‘KMS’ service. -![Select KMS option](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectkms.webp) +![Select KMS option](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectkms.webp) **Step 5 –** Select the **KMS** option. -![Select Decrypt permission checkbox](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectdecryptioncheckbox.webp) +![Select Decrypt permission checkbox](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectdecryptioncheckbox.webp) **Step 6 –** Under the Write dropdown menu, locate and select the **Decrypt permission** checkbox. -![Select Any In This Account](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectanyinthisaccount.webp) +![Select Any In This Account](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectanyinthisaccount.webp) **Step 7 –** Under the Resources dropdown menu, select the **Any in this account** checkbox. **NOTE:** This can be limited to a specific key when the key has been created. 
-![Review and Create the Policy](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandcreate.webp) +![Review and Create the Policy](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandcreate.webp) **Step 8 –** Enter a name for the policy and a description (optional). @@ -63,12 +63,12 @@ Follow the steps to create a user in AWS. **Step 2 –** Select **Create User**. -![Create User Name](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/enterusername.webp) +![Create User Name](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/enterusername.webp) **Step 3 –** On the Specify user details page, enter a user name. Optionally, select the **Provide user access to the AWS Management Console** checkbox. -![Select Attach Policies Directly](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectattachpoliciesdirectly.webp) +![Select Attach Policies Directly](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectattachpoliciesdirectly.webp) **Step 4 –** In the Permissions options section, select **Attach policies directly** in the Permission options. 
@@ -76,28 +76,28 @@ Permission options. **Step 5 –** In the Permissions policies section, search for the NPS key policy you previously created and select the checkbox to the left of the policy. Click **Next**. -![Review and Create the User Cofiguration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandcreate.webp) +![Review and Create the User Cofiguration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandcreate.webp) **Step 6 –** On the Review and create window, review the policy configuration and click **Create now**. -![User Security Credentials Tab](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/usersecuritycredentialstab.webp) +![User Security Credentials Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/usersecuritycredentialstab.webp) **Step 7 –** Once the user has been created, select the user and navigate to the **Security credentials** tab. **Step 8 –** Select **Create access key**. -![Select Application Running Outside AWS](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectapplicationrunningoutsideaws.webp) +![Select Application Running Outside AWS](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectapplicationrunningoutsideaws.webp) **Step 9 –** Once the creation window opens, select the **Application running outside of AWS** option. -![Set Tag and Create Key](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/settagcreatekey.webp) +![Set Tag and Create Key](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/settagcreatekey.webp) **Step 10 –** Set an optional description tag if required, and then select **Create access key**. 
-![Copy Access Key](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/copyaccesskey.webp) +![Copy Access Key](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/copyaccesskey.webp) **Step 11 –** Once the Key has been created, copy or download the Access key and Secret access key. These keys will be used by Privilege Secure to access the AWS KMS key encryption and decryption 
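Review bot: The user-creation review step in this hunk ("Review and Create the User Cofiguration") points at `requirements/reviewandcreate.webp`, the same file the policy-creation review step uses earlier in `awskey.md` ("Review and Create the Policy"), so both steps render the same screenshot. Give the user-review screenshot its own file name, and fix "Cofiguration" to "Configuration" in the alt text while the line is being changed.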
@@ -124,35 +124,35 @@ Follow the steps to create a managed key in AWS. **Step 2 –** Select **Customer Managed Keys**. -![Select Create Key](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectcreatekey.webp) +![Select Create Key](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/selectcreatekey.webp) **Step 3 –** Select **Create Key**. -![Configure Key Window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/configurekeywindow.webp) +![Configure Key Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/configurekeywindow.webp) **Step 4 –** For Key Type, Select **Symmetric**. For Key Usage, select **Encrypt and decrypt**. Click **Next** to continue. -![Add Alias Key Name](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addaliaskeyname.webp) +![Add Alias Key Name](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addaliaskeyname.webp) **Step 5 –** Add an Alias for the key. The Description and Tags are optional. Click **Next** to continue. -![Add Key Admin](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addkeyadmin.webp) +![Add Key Admin](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addkeyadmin.webp) **Step 6 –** Add a Key Administrator if required. **NOTE:** The NPS Key user created earlier does not require administrative permissions at this level. -![Add Key User](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addkeyuser.webp) +![Add Key User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addkeyuser.webp) **Step 7 –** Select the checkbox for the Privilege Secure key user created earlier as a Key user. Click **Next** to continue. 
**Step 8 –** Review the key configuration and click **Create Key** to continue. -![ANR Key Completed](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arnkeycomplete.webp) +![ANR Key Completed](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arnkeycomplete.webp) **Step 9 –** Click the **Copy** button from the newly created key, and store the ARN from the details. 
@@ -166,34 +166,34 @@ to create a least privilege policy. **Step 1 –** Navigate to the IAM Policies page and select the KMS policy created in earlier steps. -![AIM Policy Permissions Tab](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/aimpolicypermissionstab.webp) +![AIM Policy Permissions Tab](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/aimpolicypermissionstab.webp) **Step 2 –** Select the **Permissions** tab. **Step 3 –** Click the **Edit** button. -![Policy Editor Window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/policyeditorwindow.webp) +![Policy Editor Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/policyeditorwindow.webp) **Step 4 –** Once the policy editor window opens, switch to the Visual display mode and expand the KMS item dropdown. -![Expand Resources Item](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/expandresourcesitem.webp) +![Expand Resources Item](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/expandresourcesitem.webp) **Step 5 –** Expand the Resources item and remove the selection from **Any in this account** checkbox. **Step 6 –** Click **Add Arn** to restrict access. -![Add ARN KMS Policy Key](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addarn.webp) +![Add ARN KMS Policy Key](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/addarn.webp) **Step 7 –** Paste the copied ARN for the NPS key into the bottom box then **Step 8 –** Click **Add ARNs**. 
-![Review and Save Policy Changes](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandsavepolicychanges.webp) +![Review and Save Policy Changes](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/reviewandsavepolicychanges.webp) **Step 9 –** Review configuration and click **Save changes** to the NPS_KMS_Policy. The policy will now be limited to only the specified KMS key. The KMS is ready to be roated in -Privilege Secure. See the [AWS KMS Key Rotation](awskeyrotation.md) topic for additional +Privilege Secure. See the [AWS KMS Key Rotation](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskeyrotation.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskeyrotation.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskeyrotation.md index 76b621cf08..0c4eed6010 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskeyrotation.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/awskeyrotation.md @@ -18,7 +18,7 @@ C:\Program Files\Stealthbits\PAM\KeyTools **Step 2 –** Run the `SbPAM.RotateAwsKey` executable to launch the Rotate AWS Key wizard. -![AWS Connection Settings](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/awsconnectionsettings.webp) +![AWS Connection Settings](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/awsconnectionsettings.webp) **Step 3 –** Enter the **Access key** and **Secret key** created for the AWS user assigned to the AWS KMS key into the AWS Connection settings fields. 
@@ -27,7 +27,7 @@ AWS KMS key into the AWS Connection settings fields. **Step 5 –** Select the appropriate AWS region from the dropdown list. -![AWS Connection Settings Complete](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/awsconnectionsettingscomplete.webp) +![AWS Connection Settings Complete](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/awsconnectionsettingscomplete.webp) **Step 6 –** When all fields are completed, click the **Rotate** button to update all encrypted values in the Privilege Secure system. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/overview.md index b0548ef079..27cc3eeb51 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/overview.md @@ -19,7 +19,7 @@ The following servers are required for installation of the product: See the following sections for additional information: -- [Application Server](applicationserver.md) -- [Client](client.md) -- [Remote Service Node](proxyserver.md) -- [Target Environments](target.md) +- [Application Server](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/applicationserver.md) +- [Client](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/client.md) +- [Remote Service Node](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/proxyserver.md) +- [Target Environments](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/target.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/ports.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/ports.md index 65972e85df..8ad19bc16d 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/ports.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/ports.md 
@@ -31,12 +31,12 @@ The requirements for the (Privilege Secure) application server are: | Port | Protocol | Source | Direction | Target | Purpose | | -------- | -------- | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 135 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | MS-RPC | -| 389 636 | TCP UDP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | LDAP/LDAPS | -| 53 | TCP UDP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | DNS Service | DNS | -| 137 138 | UDP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | Net BIOS related | -| **9389** | TCP | Privilege Secure server | ![single_direction_arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/single_direction_arrow.webp) | Domain Controller | Active Directory Web Services Make sure that you have configured the Antivirus exclusions according to the following Netwrix knowledge base article: [SbPAM: Exclusions for Antivirus (AV) & Endpoint Software](https://kb.netwrix.com/5938) | -| **88** | UDP | Privilege Secure server | 
![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | Kerberos | +| 135 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | MS-RPC | +| 389 636 | TCP UDP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | LDAP/LDAPS | +| 53 | TCP UDP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | DNS Service | DNS | +| 137 138 | UDP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | Net BIOS related | +| **9389** | TCP | Privilege Secure server | ![single_direction_arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/single_direction_arrow.webp) | Domain Controller | Active Directory Web Services Make sure that you have configured the Antivirus exclusions according to the following Netwrix knowledge base article: [SbPAM: Exclusions for Antivirus (AV) & Endpoint Software](https://kb.netwrix.com/5938) | +| **88** | UDP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Domain Controller | Kerberos | **NOTE:** Privilege Secure must be able to reach the following URLs via HTTPS (port 443) 
@@ -61,8 +61,8 @@ The following ports must be open for communication between the Client and Privil | Port | Protocol | Source | Direction | Target | Purpose | | ---- | -------- | ---------- | ------------------------------------------------------------------------------------------------------------------------- | ------------ | --------- | -| 4422 | TCP | SSH Client | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | SbPAM server | SSH Proxy | -| 4489 | TCP | RDP Client | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | SbPAM server | RDP Proxy | +| 4422 | TCP | SSH Client | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | SbPAM server | SSH Proxy | +| 4489 | TCP | RDP Client | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | SbPAM server | RDP Proxy | ## Target Environment Firewall Rules 
@@ -70,12 +70,12 @@ The following ports must be open for communication between Privilege Secure and | Port | Protocol | Source | Direction | Target | Purpose | | --------- | ----------- | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | --------------------------------------- | -| 3389 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | RDP Proxy | -| 5985 5986 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | PowerShell Remoting | -| 5985 5986 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | Password Change via Powershell Remoting | -| 22 | TCP | Privilege Secure server | ![single_direction_arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/single_direction_arrow.webp) | Linux Hosts | SSH Proxy / Password change | -| 6520 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Register Proxy Service | -| 6500 | TCP | Privilege Secure server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Action Service | Register Action Service | -| **443** | HTTPS (TCP) | Privilege Secure Server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Azure | Azure Graph API Access | -| 6523 | TCP | Privilege Secure 
Server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Leaf Nodes | -| 6524 | TCP | Privilege Secure Server | ![arrow](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Cluster Nodes | +| 3389 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | RDP Proxy | +| 5985 5986 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | PowerShell Remoting | +| 5985 5986 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Windows Hosts | Password Change via Powershell Remoting | +| 22 | TCP | Privilege Secure server | ![single_direction_arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/single_direction_arrow.webp) | Linux Hosts | SSH Proxy / Password change | +| 6520 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Register Proxy Service | +| 6500 | TCP | Privilege Secure server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Action Service | Register Action Service | +| **443** | HTTPS (TCP) | Privilege Secure Server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Azure | Azure Graph API Access | +| 6523 | TCP | Privilege Secure Server | ![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Leaf Nodes | +| 6524 | TCP | Privilege Secure Server | 
![arrow](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/requirements/arrow.webp) | Remote Proxy | Cluster Nodes | diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/proxyserver.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/proxyserver.md index 81d9739e6c..03506f1386 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/proxyserver.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/requirements/proxyserver.md @@ -36,6 +36,6 @@ Exclusions for Remote Services: See the following topics for specific installation instructions for remote services: -- [Proxy Service Install](../install/proxyservice.md) -- [Action Service Install](../install/actionservice.md) -- [Scheduler Service Install](../install/schedulerservice.md) +- [Proxy Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/proxyservice.md) +- [Action Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/actionservice.md) +- [Scheduler Service Install](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/install/schedulerservice.md) diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/createsession.md index 4c31eec4fd..a2b27e9be9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/createsession.md 
@@ -4,7 +4,7 @@ Follow the steps to create an activity session. **Step 1 –** Select an **Activity** to expand the session ribbon. -![myactivityuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![myactivityuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) **Step 2 –** Click **Create Session** to start a new activity session. @@ -17,7 +17,7 @@ Follow the steps to create an activity session. - **CAUTION:** If your license is expired and you can still log in, you will not be able to create activity sessions. -![configuresessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) +![configuresessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) **Step 3 –** Enter the following information: @@ -30,12 +30,12 @@ Follow the steps to create an activity session. resource list. - Click **Start Session** to start the provisioning process. -![startsessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) +![startsessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) **NOTE:** If an approval is required, the Waiting for approval message will display until it has been granted. -![stopsession](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) +![stopsession](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) **Step 4 –** When provisioned, an activity session will display an Available status with a green icon. Click **Available** to launch the session. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/myactivities.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/myactivities.md index 1bf5d27b95..b0c2f47d96 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/myactivities.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/myactivities.md @@ -3,7 +3,7 @@ The Access > My Activities page displays activities mapped to the user as individual cards, organized alphabetically or by Access Policy. -![My Activiy Dashboard for End User](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![My Activiy Dashboard for End User](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) To access the My Activities page, open the Access interface. If there is only a single activity card present on this page that activity will open automatically. @@ -18,5 +18,5 @@ one Access Policy. When sorted by Access Policy, the list of resources displayed the resource list of the Access Policy. To create an Activity Session, click the **plus** button to begin. See the -[Create Activity Session](../../enduser/dashboard/createsession.md) topic for additional +[Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/createsession.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/active.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/active.md index 62056e5992..9b4a9634c3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/active.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/active.md 
@@ -4,31 +4,31 @@ The Active sessions dashboard shows all currently active sessions. Create an Act grant temporary privileges and gain access to the resources defined by a previously created Access Policy. -![Active Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviweractivedashboard.webp) +![Active Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviweractivedashboard.webp) The Active Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create My Activity Session](../access/createsession.md) topic for additional information. + [Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - View Logs — Opens the Session Logs window to view the action log for the selected session. See the - [Session Logs Window](window/sessionlogs.md) topic for additional information. + [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md) topic for additional information. - Refresh — Reload the information displayed The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session +- Expand icon — Click the expand () icon to show additional information for the session - Status — Shows status information for the session: - Provisioning — Pre-Session stage of the Activity is processing and assigning permissions to the login account - Waiting for Approval — The session requires approval to begin. 
See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Start Activity Session](startsession.md) topic for additional + through a client. See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md index d99e491eb8..2894f680e6 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md @@ -4,7 +4,7 @@ The Approvals Dashboard displays requested sessions that require approval. Users designated as approvers will see the pending sessions queued here. The session must be approved before the requestor can log in to the session. -![Approvals Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerapprovalsdashboard.webp) +![Approvals Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerapprovalsdashboard.webp) The Approvals Dashboard has the following features: 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/createsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/createsession.md index 8176f36cb7..2d202967b5 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/createsession.md @@ -6,7 +6,7 @@ Follow the steps to create an activity session. **Step 2 –** In the Active Session table, click Create Session to open the Activity Request window. -![Create Activity Session Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) +![Create Activity Session Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) **Step 3 –** On the Request Type page, enter the following information: @@ -14,7 +14,7 @@ Follow the steps to create an activity session. **Step 4 –** Click Next to go to the Resource Selection page. -![Create Session window Resource Selection](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) +![Create Session window Resource Selection](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) **Step 5 –** On the Resource Selection page, enter the following information: 
@@ -23,7 +23,7 @@ Follow the steps to create an activity session. **Step 6 –** Click **Next** to go to the Notes page. -![Create Session Notes Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) +![Create Session Notes Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) **Step 7 –** On the Notes page, enter the following information: @@ -32,7 +32,7 @@ Follow the steps to create an activity session. **Step 8 –** Click Next to go to the Scheduling page. -![Create Session Schedule Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) +![Create Session Schedule Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) **Step 9 –** On the Scheduling page, enter the following information: @@ -40,7 +40,7 @@ Follow the steps to create an activity session. **Step 10 –** Click Next to go to the Review page. -![Create Session Review Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) +![Create Session Review Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) **Step 11 –** On the Review page, review the summary of the new session. @@ -53,4 +53,4 @@ session until the request is approved and the status changes to Available. When the status Available is shown, the remote session is ready. Click the Connection icon to begin the session, or log in through a client. -See the [Start Activity Session](startsession.md) topic for additional information. +See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md) topic for additional information. 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md index d9494529d1..d31674f432 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/historical.md @@ -2,7 +2,7 @@ The Historical sessions dashboard shows all created sessions and their status. -![Historical Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerhistoricaldashboard.webp) +![Historical Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerhistoricaldashboard.webp) The Historical Sessions table has the following features: @@ -21,11 +21,11 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information + - Expand icon — Click the expand () icon to show additional information - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session - View logs icon — Opens the Session Logs window to view the action log for the selected - session. See the [Session Logs Window](window/sessionlogs.md) topic for additional + session. See the [Session Logs Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md) topic for additional information. - Requested — Date and time of when the session was created 
diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/overview.md index 486c53cd73..a9e4728d5c 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/overview.md 
@@ -3,17 +3,17 @@ The Dashboard interface displays an overview of activity sessions, users, resources and related information. -![Dashboard Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) The overview section shows information for the following: - Active Dashboard – Shows all currently active sessions. See the - [Active Dashboard](../../enduser/dashboard/active.md) topic for additional information. + [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/active.md) topic for additional information. - Scheduled Dashboard – Shows all scheduled sessions. See the - [Scheduled Dashboard](../../enduser/dashboard/scheduled.md) topic for additional information. + [Scheduled Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/scheduled.md) topic for additional information. - Approvals Dashboard – Shows sessions waiting for approval. See the - [Approvals Dashboard](../../enduser/dashboard/approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/approvals.md) topic for additional information. - Historical Dashboard – Shows previous sessions. See the - [Historical Dashboard](../../enduser/dashboard/historical.md) topic for additional information. + [Historical Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/dashboard/historical.md) topic for additional information. The table shows information on the selected activity session. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/scheduled.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/scheduled.md index 07578272e4..441fa1b34c 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/scheduled.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/scheduled.md @@ -2,14 +2,14 @@ The Scheduled sessions dashboard shows all scheduled sessions. -![Scheduled Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerscheduleddashboard.webp) +![Scheduled Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/reviwerscheduleddashboard.webp) The Scheduled Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create Activity Session](createsession.md) topic for additional information. + [Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - Refresh — Reload the information displayed 
@@ -22,9 +22,9 @@ The table has the following columns: the login account - Pending — Session scheduled start time is still in the future, session is waiting to start - Waiting for Approval — The session requires approval to begin. See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Start Activity Session](startsession.md) topic for additional + through a client. See the [Start Activity Session](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md index 30654b04e7..70403f0ead 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/startsession.md 
@@ -4,7 +4,7 @@ On the Active Sessions dashboard, when the status Available is shown, the activi To begin the activity session, click the Connection icon in the Status column for the applicable session to be automatically connected to the resource. -![Connecto to remote session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/startactivitysession.webp) +![Connecto to remote session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/dashboard/startactivitysession.webp) Also note the icons to view and copy the password for the session as plain text, if the option is enabled in the access policy Connection Profiles. @@ -36,10 +36,10 @@ time is 5 minutes or less. **NOTE:** For NPS users with the Administrator role, session extension is always enabled. -![Extend Activity Session](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) +![Extend Activity Session](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsession.webp) For RDP, a pop-up message is displayed in the session window. -![extendsessionssh](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) +![extendsessionssh](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/extendsessionssh.webp) For SSH the user can extend by typing **Ctrl+X** when prompted. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md index 2acbd33e09..b85e2a34eb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/window/sessionlogs.md @@ -3,7 +3,7 @@ The Session Logs window displays the log details for the selected session. Select a session from the Active dashboard and click the View Logs button to open the Session Logs window. -![Session Logs Window](../../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) +![Session Logs Window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/window/sessionlogs.webp) The window has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/navigation.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/navigation.md index 8392c7e212..3b69200b33 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/navigation.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/navigation.md @@ -3,7 +3,7 @@ At the top of the Privilege Secure Console lists available in interfaces and provides access to the Help link and the User Menu: -![Access Dashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/reviweraccessdashboard.webp) +![Access Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/revieweruser/reviweraccessdashboard.webp) The buttons have these functions: 
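Review bot: in revieweruser/dashboard/startsession.md, hunk @@ -4,7, the rewritten image line still carries the alt text "Connecto to remote session". The line is being touched anyway, so correct it to "Connect to remote session" in the same change. In the @@ -36,10 hunk of the same file the alt text `extendsessionssh` is a file name rather than a description and could be replaced with something like "Extend Activity Session prompt for SSH".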
@@ -11,9 +11,9 @@ The buttons have these functions: - Access — Grants access to the My Activities page. Activities are be displayed as individual cards, organized alphabetically or by Access Policy. See the - [My Activities Page](access/myactivities.md) topic for additional. information. + [My Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/access/myactivities.md) topic for additional. information. - Dashboard — View summaries of recent activity logs and user sessions. See the - [Dashboard Interface](dashboard/overview.md) topic for additional information. + [Dashboard Interface](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/dashboard/overview.md) topic for additional information. - Audit & Reporting Interface — Audit user access entitlement (Access Certification). This interface is limited to Reviewers. See the Audit and Reporting Page topic for additional information. @@ -26,7 +26,7 @@ The buttons have these functions: - Dark Mode — Toggle “Dark Mode” for the console. Hover over the toggle switch to see a preview of Dark Mode. - Product Tour — Re-starts walk-through of Privilege Secure features. See the - [Product Tour](producttour.md) topic for additional information. + [Product Tour](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/producttour.md) topic for additional information. - Logout — Signs the user out of the current session and opens the Login screen - About — Shows version and license information for the console 
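Review bot: in revieweruser/navigation.md, hunk @@ -11,9, the new My Activities link line still ends with "topic for additional. information." The stray period after "additional" is copied over from the removed line; drop it while the line is being rewritten so it matches the "topic for additional information." wording used by the Dashboard Interface entry two lines below.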
@@ -42,54 +42,54 @@ Interface Icons | Icon | Interface | | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![myactivities](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | -| ![dashboard](../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | -| ![policy](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | -| ![users](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | -| ![resources](../../../../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | -| ![credentials](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | -| ![activities](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | -| ![configuration](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | -| ![servicenodes](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | -| ![auditreporting](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | +| ![myactivities](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/install/myactivities.webp) | My Activities | +| ![dashboard](/img/product_docs/groupid/groupid/admincenter/general/dashboard.webp) | Dashboard | +| 
![policy](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) | Policy | +| ![users](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/users.webp) | Users & Groups | +| ![resources](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) | Resources | +| ![credentials](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) | Credentials | +| ![activities](/img/product_docs/accessanalyzer/admin/hostdiscovery/activities.webp) | Activities | +| ![configuration](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/configuration.webp) | Configuration | +| ![servicenodes](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/servicenodes.webp) | Service Nodes | +| ![auditreporting](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/auditreporting.webp) | Audit and Reporting | Dashboard Icons | Icon | Session Data | | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![activedashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | -| ![scheduleddashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | -| ![approvalsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | -| ![historicaldashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | -| 
![usersdasshboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | -| ![resourcesdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | -| ![credentialsdashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | +| ![activedashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboard.webp) | Active Sessions | +| ![scheduleddashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/scheduleddashboard.webp) | Scheduled Sessions | +| ![approvalsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/approvalsdashboard.webp) | Approvals | +| ![historicaldashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/historicaldashboard.webp) | Historical Sessions | +| ![usersdasshboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usersdasshboard.webp) | User Activity | +| ![resourcesdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/resourcesdashboard.webp) | Resources | +| ![credentialsdashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/credentialsdashboard.webp) | Credentials | Active Directory Icons | Icon | Object | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| ![chapter_1_stealthbits_privileged_12](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | -| 
![chapter_1_stealthbits_privileged_13](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | -| ![Collectionsicon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | -| ![Custom Role](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | -| ![Domain icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | -| ![chapter_1_stealthbits_privileged_15](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | -| ![Website icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | -| ![AzureAD icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | -| ![Secret Vault icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | -| ![Cisco icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | -| ![Windows icon](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | +| 
![chapter_1_stealthbits_privileged_12](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_12.webp) | User | +| ![chapter_1_stealthbits_privileged_13](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_13.webp) | Group | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.5.webp) | Application | +| ![Collectionsicon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/collectionsicon.webp) | Collection | +| ![Custom Role](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/customroleicon.webp) | Custom Role | +| ![Domain icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.6.webp) | Computer / Resource | +| ![chapter_1_stealthbits_privileged_15](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.webp) | Domain | +| ![Website icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.7.webp) | Website | +| ![AzureAD icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.8.webp) | Azure AD | +| ![Secret Vault icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.9.webp) | Secret Vault | +| ![Cisco icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.4.webp) | Cisco | +| ![Windows icon](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_15.3.webp) | Windows | Information Icons | Icon | Information | | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| ![chapter_1_stealthbits_privileged_23](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | -| ![chapter_1_stealthbits_privileged_24](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | -| ![chapter_1_stealthbits_privileged_25](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | -| ![chapter_1_stealthbits_privileged_26](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | -| ![chapter_1_stealthbits_privileged_27](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | +| ![chapter_1_stealthbits_privileged_23](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_23.webp) | Complete / Information | +| ![chapter_1_stealthbits_privileged_24](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_24.webp) | Warning | +| ![chapter_1_stealthbits_privileged_25](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_25.webp) | Failed / Error | +| ![chapter_1_stealthbits_privileged_26](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_26.webp) | Active Sessions | +| 
![chapter_1_stealthbits_privileged_27](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/chapter_1_stealthbits_privileged_27.webp) | Scheduled Sessions | Hover over an icon anywhere within the console for its description. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/overview.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/overview.md index 9e149bea7d..6e199eacd7 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/overview.md @@ -36,13 +36,13 @@ Authentication Connector that is set as the default. DUO, Symantec VIP, etc) for all Reviewer accounts unless otherwise configured by an Administrator. If required, first time Reviewers must register with an MFA to use with their login credentials. -![Default Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) +![Default Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/defaultloginuser.webp) **Step 2 –** Either click the default authentication connector button, or click **Log In with a Different Account** to display all of the authentication connectors that are registered with Privilege Secure. -![Alternate Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) +![Alternate Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/alternatelogin.webp) **Step 3 –** Login to Privilege Secure with a configured authentication connector, or enter the user credentials. 
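Review bot: in revieweruser/navigation.md, hunk @@ -42,54, five rows of the Interface Icons table still load their icons from other products' image trees (`/img/product_docs/groupid/...`, `threatprevention/...`, `activitymonitor/...`, `strongpointnetsuiteflashlight/...`, `accessanalyzer/...`). Converting the paths to absolute form keeps that cross-product dependency, so a rename or cleanup in any of those trees breaks this Privilege Secure page. Consider copying those icons under `/img/product_docs/privilegesecure/` as part of this change. The separator rows of all four tables were also left at their old width, so the columns no longer line up in the source.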
@@ -50,7 +50,7 @@ credentials. - When using an authentication connector, there's no 'username' or 'password' field for the user to enter. Instead there's just a single button to login. -![Okta authentication connector](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/oktadefault.webp) +![Okta authentication connector](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/oktadefault.webp) - Clicking the authentication connector will redirect the user to the IdP login screen, which will log the user in (with whatever MFA is set up in the IdP) and then revert the user back to the @@ -62,10 +62,10 @@ credentials. **Step 6 –** Enter the code provided by the registered multi-factor authenticator (MFA). -![Multi Factor Authentication Login](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) +![Multi Factor Authentication Login](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/mfalogin.webp) **Step 7 –** Click MFA Login. Privilege Secure opens on the Dashboard Interface. -![Dashboard Interface](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) Privilege Secure is ready to use. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/producttour.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/producttour.md index 8f0798f521..279b42c13b 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/producttour.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/producttour.md 
@@ -3,7 +3,7 @@ New users now experience a product tour on first login. Standard users and users with the Privilege Secure administrator role are walked through features that are relevant to their role. -![producttour](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) +![producttour](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) At any time, the tour can be stopped by clicking the **X** icon at the top-right of the Console. By default, the tour will not display on next login unless the **Do not display again** checkbox is @@ -11,6 +11,6 @@ unchecked. The product tour may be re-started at any time via the user menu. -![usermenu](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) +![usermenu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) -See the [Navigation](../enduser/navigation.md) topic for additional information. +See the [Navigation](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/enduser/navigation.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/sessiontimeout.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/sessiontimeout.md index 6cec1b4adf..cef046c7cc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/sessiontimeout.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/revieweruser/sessiontimeout.md 
@@ -2,5 +2,5 @@ For security reasons, the Privilege Secure Console automatically logs out the user after 10 minutes of inactivity. A Session Timeout warning message displays after 5 -minutes.![Session time out window](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If +minutes.![Session time out window](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp)If the timeout message displays, click Stay Logged In to continue using the console. diff --git a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/whatsnew.md b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/whatsnew.md index 38bb847aef..412b38cdfa 100644 --- a/docs/privilegesecure/4.2/privilegesecure/accessmanagement/whatsnew.md +++ b/docs/privilegesecure/4.2/privilegesecure/accessmanagement/whatsnew.md @@ -54,7 +54,7 @@ Netwrix Secure Remote Access ensures secure, efficient, and policy-driven remote New: Obscured Passwords in Replay Viewer Protect sensitive information during session replays, ensuring compliance with stricter security -regulations. See the [Replay Viewer Window](admin/dashboard/window/replayviewer.md) topic for +regulations. See the [Replay Viewer Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/dashboard/window/replayviewer.md) topic for additional information. New: Proxy Auditing for SCP and SFTP 
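Review bot: in revieweruser/sessiontimeout.md, hunk @@ -2,5, the image is still fused into the sentence on the changed line: `minutes.![Session time out window](...)If`. There is no space or blank line on either side, so the picture renders inline between "minutes." and "If the timeout message displays". Put the image on its own line with a blank line before and after, and start "If the timeout message displays, click Stay Logged In" as a new paragraph.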
@@ -79,21 +79,21 @@ threat detection and investigation. New: Customizable Login Formats Create login account templates with custom formats, streamlining user provisioning and access -management. See the [Activities Page](admin/policy/page/activities.md) and -[Login Account Templates](admin/policy/activityloginaccounttemplates.md) topics for additional +management. See the [Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) and +[Login Account Templates](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md) topics for additional information. New: "Delete Permanently" Option Provides a clear confirmation step when removing resources, preventing accidental data loss. See the -[Remove Resource Window](admin/policy/window/resources/removeresource.md) topic for additional +[Remove Resource Window](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/resources/removeresource.md) topic for additional information. New: Advanced Login Account Templates Expanded string manipulation functions and a name field increase to 20 characters offer greater flexibility in user provisioning. See the -[Login Account Templates](admin/policy/activityloginaccounttemplates.md) topic for additional +[Login Account Templates](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/activityloginaccounttemplates.md) topic for additional information. New: Optional Linux Software Scans 
@@ -103,24 +103,24 @@ Disable "Installed Software" functionality by default to optimize scans for spec New: Connect Account for Interactive App Launch Simplifies application launching by pre-configuring connection accounts. See the -[Activities Page](admin/policy/page/activities.md) topic for additional information. +[Activities Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md) topic for additional information. New: View Password on Set Password Allows users to confirm password entries during credential creation, reducing errors. See the -[Manage Internal Service Accounts](admin/policy/window/credentials/manageinternalserviceaccount.md) +[Manage Internal Service Accounts](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/window/credentials/manageinternalserviceaccount.md) topic for additional information. New: Customizable Connection Profiles Add custom input fields to connection profiles for improved data collection and organization. See -the [Connection Profiles Page](admin/policy/page/connectionprofiles.md) topic for additional +the [Connection Profiles Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/connectionprofiles.md) topic for additional information. Enhancement: Improved Scheduler Visibility The "Statistics" tab now precedes the "Action Queues" tab in Service Nodes for easier workflow -management. See the [Scheduler Service](admin/configuration/servicetype/scheduler.md) topic for +management. See the [Scheduler Service](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/configuration/servicetype/scheduler.md) topic for additional information. ### Additional Enhancements 
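Review bot: in accessmanagement/whatsnew.md, hunk @@ -103,24, every rewritten link now hard-codes the version directory, for example `/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/activities.md`. The relative links being removed (`admin/policy/page/activities.md`) stayed correct when the tree was copied to a new version folder; the absolute ones will keep pointing at 4.2. If absolute paths are required by the build, say so in the commit message and note that links must be rewritten when a version is branched. The new lines also run well past the wrap width used by the surrounding text.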
@@ -133,5 +133,5 @@ New: Credential Policy Overrides Enable credential groups to override platform-level credential schedules for more granular control over privileged credential life cycles. See the -[Credential Policy Overrides Page](admin/policy/page/credentialpolicyoverrides.md) topic for +[Credential Policy Overrides Page](/docs/privilegesecure/4.2/privilegesecure/accessmanagement/admin/policy/page/credentialpolicyoverrides.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/applyserviceaccount.md b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/applyserviceaccount.md index 2360c9372b..cbdf7e08cc 100644 --- a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/applyserviceaccount.md +++ b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/applyserviceaccount.md @@ -70,7 +70,7 @@ machines within Privilege Secure. In order to populate the Provision Account column the following formula can be entered. =IF(ISNA(INDEX('Admin List'!D:D,MATCH(1,(B2= 'Admin List'!B:B)\*("Domain Admins"='Admin -List'!D:D),0))),"","Service Account;true") +List'!D:D),0),"","Service Account;true") This formula must be entered using `` `` `` (unless using Office 365). This will enter the formula as an array formula and the {} curly braces will appear around the formula. This @@ -124,7 +124,7 @@ Creating the upload file: Computer Data tab: =IF(ISNA(INDEX('Admin List'!D:D,MATCH(1,(B2= 'Admin -List'!$B$1:$B$40000)\*("TARGET_GROUP"='Admin List'!$D$1:$D$40000),0))),"","Service +List'!$B$1:$B$40000)\*("TARGET_GROUP"='Admin List'!$D$1:$D$40000),0),"","Service Account;true,Service Account2;true") - Change TARGET_GROUP to the group that contains the service accounts. 
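Review bot: in discovery/admin/configuration/applyserviceaccount.md, hunks @@ -70,7 and @@ -124,7, the change removes two closing parentheses from the spreadsheet formula and leaves it unbalanced. The old text ended the condition with `0))),"","Service` which closes MATCH, INDEX and ISNA in turn; the new text `0),"","Service` closes only MATCH, so `INDEX(` and `ISNA(` are never closed and the formula will be rejected when pasted. This is documentation content, not a link or image path, and should not have been touched by a path rewrite. Restore `0)))` in both formulas.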
diff --git a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/logchanges2.20.md b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/logchanges2.20.md index 1e7f841745..ca6babceab 100644 --- a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/logchanges2.20.md +++ b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/logchanges2.20.md @@ -155,8 +155,8 @@ Removed various low level Windows log messages (use new “connector action” l - "Adding user to local admin group: ((user))" - "Successfully added user to local admin group: ((user))" - "Successfully removed user from local admin group: ((user))" - - "User already removed from admins (((e.type_name))): ((e)), user=((user))" - - "User does not exist to remove from admins (((e.type_name))): ((e)), user=((user))" + - "User already removed from admins (((e.type_name): ((e)), user=((user))" + - "User does not exist to remove from admins (((e.type_name): ((e)), user=((user))" - Added "debugging": true flag and possibly changed other fields in the following log messages (use new “connector action” logs). diff --git a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/sessiontimeouts.md b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/sessiontimeouts.md index 7f69f10ece..c234ddb981 100644 --- a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/sessiontimeouts.md +++ b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/configuration/sessiontimeouts.md 
@@ -49,7 +49,7 @@ There are three primary paths for solving this problem: Microsoft has designed RDP to have incredibly granular controls regarding specific policies and actions which can be explored for additional layers of control over the RDP interface, specifically: -- [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754272(v=ws.11)?redirectedfrom=MSDN]() +- [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754272(v=ws.11)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754272(v=ws.11)?redirectedfrom=MSDN) In this context, it is important to set a policy that forces a disconnected or idle session to also log off. diff --git a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/maintenance/operational.md b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/maintenance/operational.md index 043d8f54a1..78d3a992fb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/maintenance/operational.md +++ b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/maintenance/operational.md @@ -68,7 +68,7 @@ Test (suggested minimum yearly) - Typically a SIEM solution is best placed to report any issues that can be captured in Privilege Secure logs. - An example set of queries for Splunk is included here: - [Splunk and SIEM Queries](../../integrations/siem/splunkqueries.md) + [Splunk and SIEM Queries](/docs/privilegesecure/4.2/privilegesecure/discovery/integrations/siem/splunkqueries.md) - The "change system policy" output should be reviewed for any removal of protect mode. - The "slow JITA access" and "time it takes for JITA access" can give an indication if users are being slowed down in their ability to elevate privilege when utilizing Privilege Secure. 
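Review bot: in discovery/admin/configuration/logchanges2.20.md, hunk @@ -155,8, the two quoted log messages lose closing parentheses: `(((e.type_name)))` becomes `(((e.type_name)`. The other placeholders on those lines (`((e))`, `((user))`) show that double parentheses mark a substituted field, so the original was a literal "(" followed by the `((e.type_name))` placeholder and a literal ")". The new form closes neither. Readers use these strings to find or retire log searches, so the documented text needs to match the message exactly; revert both lines to the removed wording.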
diff --git a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/systemmanagement/postmanlinuxregistration.md b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/systemmanagement/postmanlinuxregistration.md index 510ba028ba..1d60cb7b06 100644 --- a/docs/privilegesecure/4.2/privilegesecure/discovery/admin/systemmanagement/postmanlinuxregistration.md +++ b/docs/privilegesecure/4.2/privilegesecure/discovery/admin/systemmanagement/postmanlinuxregistration.md @@ -17,7 +17,7 @@ prerequisites: [Linux Registrations Prerequisites](/docs/privilegesecure/4.2/pr Use Postman to craft the following GET: -[Copy]() +[Copy](javascript:void(0);) ``` https:///api/v1/ping diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md index 4c31eec4fd..a2b27e9be9 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md @@ -4,7 +4,7 @@ Follow the steps to create an activity session. **Step 1 –** Select an **Activity** to expand the session ribbon. -![myactivityuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) +![myactivityuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/myactivityuser.webp) **Step 2 –** Click **Create Session** to start a new activity session. 
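Review bot: in discovery/admin/systemmanagement/postmanlinuxregistration.md, hunk @@ -17,7, the change replaces the empty link `[Copy]()` with `[Copy](javascript:void(0);)`, which puts a `javascript:` URL into the Markdown source. The "Copy" link is residue of a copy-to-clipboard button from the previous help system and does nothing for the reader; link sanitizers commonly strip or block that scheme, and a docs tree should not carry script URLs at all. Delete the line instead of giving it a target. The request in the fence below it reads `https:///api/v1/ping` with no host, which suggests a placeholder was lost at some point and is worth restoring in the same pass.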
@@ -17,7 +17,7 @@ Follow the steps to create an activity session. - **CAUTION:** If your license is expired and you can still log in, you will not be able to create activity sessions. -![configuresessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) +![configuresessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/configuresessionuser.webp) **Step 3 –** Enter the following information: @@ -30,12 +30,12 @@ Follow the steps to create an activity session. resource list. - Click **Start Session** to start the provisioning process. -![startsessionuser](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) +![startsessionuser](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/startsessionuser.webp) **NOTE:** If an approval is required, the Waiting for approval message will display until it has been granted. -![stopsession](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) +![stopsession](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/access/stopsession.webp) **Step 4 –** When provisioned, an activity session will display an Available status with a green icon. Click **Available** to launch the session. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/myactivities.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/myactivities.md index cbabc0a1d1..0a987da55d 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/myactivities.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/myactivities.md 
@@ -3,7 +3,7 @@ The Access > My Activities page displays activities mapped to the user as individual cards, organized alphabetically or by Access Policy. -![myactivitiesrag](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/access/myactivitiesrag.webp) +![myactivitiesrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/access/myactivitiesrag.webp) To access the My Activities page, open the Access interface. If there is only a single activity card present on this page that activity will open automatically. @@ -18,4 +18,4 @@ one Access Policy. When sorted by Access Policy, the list of resources displayed the resource list of the Access Policy. To create an Activity Session, click the **plus** button to begin. See the -[Create My Activity Session](createsession.md) topic for additional information. +[Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/active.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/active.md index 7ce0f77207..49a700e78e 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/active.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/active.md 
@@ -4,12 +4,12 @@ The Active sessions dashboard shows all currently active sessions. Create an Act grant temporary privileges and gain access to the resources defined by an Access Policy created by your administrator. -![End User Active Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![End User Active Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) The Active Sessions table has the following features: - Create Session — Open the Activity Request window. See the - [Create My Activity Session](../access/createsession.md) topic for additional information. + [Create My Activity Session](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - View Logs — Opens the Session Logs window to view the action log for the selected session. - Refresh — Reload the information displayed 
@@ -20,15 +20,15 @@ The Active Sessions table has the following features: The table has the following columns: - Checkbox — Check to select one or more items -- Expand icon — Click the expand (>) icon to show additional information for the session +- Expand icon — Click the expand () icon to show additional information for the session - Status — Shows status information for the session: - Provisioning — Pre-Session stage of the Activity is processing and assigning permissions to the login account - Waiting for Approval — The session requires approval to begin. See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Sessions Interface](sessions.md) topic for additional information. + through a client. See the [Sessions Interface](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. Direct log-in is detected by polling the Resource at regular intervals and may not update diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md index e0a5b5c65c..48a467bcc3 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md 
@@ -7,7 +7,7 @@ before the requestor can log in to the session. **NOTE:** For security reasons, Remote Access Gateway can only be used by approvers to view pending approvals. Submitting an approval must be done through Netwrix Privilege Secure. -![Approvals Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/approvalsdashboarduser.webp) +![Approvals Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/approvalsdashboarduser.webp) The Approvals Dashboard has the following features: diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/createsession.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/createsession.md index d4949ddff2..5c1c021060 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/createsession.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/createsession.md @@ -6,7 +6,7 @@ Follow the steps to create an activity session. **Step 2 –** In the Active Session table, click Create Session to open the Activity Request window. -![Create Activity Session Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) +![Create Activity Session Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionuser.webp) **Step 3 –** On the Request Type page, enter the following information: 
@@ -14,7 +14,7 @@ Follow the steps to create an activity session. **Step 4 –** Click Next to go to the Resource Selection page. -![Create Session window Resource Selection](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) +![Create Session window Resource Selection](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionresourceselection.webp) **Step 5 –** On the Resource Selection page, enter the following information: @@ -23,7 +23,7 @@ Follow the steps to create an activity session. **Step 6 –** Click **Next** to go to the Notes page. -![Create Session Notes Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) +![Create Session Notes Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionnotes.webp) **Step 7 –** On the Notes page, enter the following information: @@ -32,7 +32,7 @@ Follow the steps to create an activity session. **Step 8 –** Click Next to go to the Scheduling page. -![Create Session Schedule Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) +![Create Session Schedule Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionscheduling.webp) **Step 9 –** On the Scheduling page, enter the following information: 
@@ -40,7 +40,7 @@ Follow the steps to create an activity session. **Step 10 –** Click Next to go to the Review page. -![Create Session Review Page](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) +![Create Session Review Page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/createsessionreview.webp) **Step 11 –** On the Review page, review the summary of the new session. @@ -53,4 +53,4 @@ session until the request is approved and the status changes to Available. When the status Available is shown, the remote session is ready. Click the Connection icon to begin the session, or log in through a client. -See the [Sessions Interface](sessions.md) topic for additional information. +See the [Sessions Interface](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/historical.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/historical.md index 777020ded6..0483d69068 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/historical.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/historical.md @@ -2,7 +2,7 @@ The Historical sessions dashboard shows all created sessions and their status. -![historicaldashboardrag](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/historicaldashboardrag.webp) +![historicaldashboardrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/historicaldashboardrag.webp) The Historical Sessions table has the following features: 
@@ -21,7 +21,7 @@ The table has the following columns: - Actions — Contains icons for available actions: - - Expand icon — Click the expand (>) icon to show additional information + - Expand icon — Click the expand () icon to show additional information - Rocket icon — Launches the same session (same activity on the same resource with the same connection profile) for any historical session that is not a Credential-based session diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/overview.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/overview.md index 14688755db..64f52391a0 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/overview.md 
@@ -3,17 +3,17 @@ The Dashboard interface displays an overview of activity sessions, users, resources and related information. -![Dashboard Interface](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) +![Dashboard Interface](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/activedashboarduser.webp) The overview section shows information for the following: -- Active Dashboard – Shows all currently active sessions. See the [Active Dashboard](active.md) +- Active Dashboard – Shows all currently active sessions. See the [Active Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/active.md) topic for additional information. -- Scheduled Dashboard – Shows all scheduled sessions. See the [Scheduled Dashboard](scheduled.md) +- Scheduled Dashboard – Shows all scheduled sessions. See the [Scheduled Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/scheduled.md) topic for additional information. - Approvals Dashboard – Shows sessions waiting for approval. See the - [Approvals Dashboard](approvals.md) topic for additional information. -- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](historical.md) + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md) topic for additional information. +- Historical Dashboard – Shows previous sessions. See the [Historical Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/historical.md) topic for additional information. The table shows information on the selected activity session. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/scheduled.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/scheduled.md index 42ddf9f697..970d675b7d 100644 
--- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/scheduled.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/scheduled.md @@ -2,14 +2,14 @@ The Scheduled sessions dashboard shows all scheduled sessions. -![Scheduled Dashboard](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/scheduleddashboarduser.webp) +![Scheduled Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/dashboard/scheduleddashboarduser.webp) The Scheduled Sessions table has the following features: - Search — Searches the table or list for matches to the search string. When matches are found, the table or list is filtered to the matching results. - Create Session — Open the Activity Request window. See the - [Create Activity Session](createsession.md) topic for additional information. + [Create Activity Session](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/createsession.md) topic for additional information. - End Session — Cancel the selected session(s) - Refresh — Reload the information displayed 
@@ -22,9 +22,9 @@ The table has the following columns: the login account - Pending — Session scheduled start time is still in the future, session is waiting to start - Waiting for Approval — The session requires approval to begin. See the - [Approvals Dashboard](approvals.md) topic for additional information. + [Approvals Dashboard](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/approvals.md) topic for additional information. - Available — The activity session is ready. Click the icon to begin the session, or log in - through a client. See the [Sessions Interface](sessions.md) topic for additional information. + through a client. See the [Sessions Interface](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md) topic for additional information. - Failed — Pre-Session stage of the Activity has encountered an error - Logged In — User is successfully logged in to the Resource either directly or via the Proxy. Direct log-in is detected by polling the Resource at regular intervals and may not update diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md index 647203fdb5..b82893c1fe 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/sessions.md 
@@ -4,11 +4,11 @@ On the Active Sessions dashboard, when the status Available is shown, the activi To begin the activity session, click the Connection icon in the Status column for the applicable session to be automatically connected to the resource. -![startsessionrag](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/startsessionrag.webp) +![startsessionrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/startsessionrag.webp) Clicking the **Session** icon via the Active Dashboard will launch a session on the Sessions tab. -![sessionwindowrag](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/sessionwindowrag.webp) +![sessionwindowrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/sessionwindowrag.webp) The Rec icon is displayed in the top right corner of the session to indicate that the Proxy Service is recording the session. @@ -26,7 +26,7 @@ The following controls are available in the top right corner of the Sessions int - Ctrl+Alt+Delete — Sends a Ctrl+Alt+Delete command to the session - Close — Closes the session -![sessionstabrag](../../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/sessionstabrag.webp) +![sessionstabrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/dashboard/sessionstabrag.webp) Clicking on the **Sessions** tab will display a list of all available sessions and allow the user to switch between sessions. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/login.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/login.md index 8d94dae0c0..fe2216ed64 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/login.md 
+++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/login.md @@ -18,7 +18,7 @@ required, first time users must register with an MFA to use with their login cre Different Account** to display all of the authentication connectors that are registered with Privilege Secure. -![loginrag](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/loginrag.webp) +![loginrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/loginrag.webp) **Step 3 –** Login to the Remote Access Gateway using federated login, or entering the AD or NPS local user credentials. (The method will depend on how the Remote Access Gateway has been configured @@ -27,7 +27,7 @@ by your administrator). - When using an authentication connector, there's no 'username' or 'password' field for the user to enter. Instead there's just a single button to login. - ![mfaloginrag](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/mfaloginrag.webp) + ![mfaloginrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/mfaloginrag.webp) - Clicking the authentication connector will redirect the user to the IdP login screen, which will log the user in (with whatever MFA is set up in the IdP) and then revert the user back to 
@@ -40,11 +40,11 @@ by your administrator). **Step 6 –** Enter the code provided by the registered multi-factor authenticator (MFA). -![authcoderag](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/authcoderag.webp) +![authcoderag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/authcoderag.webp) **Step 7 –** Click **MFA Login**. Privilege Secure opens on the Access Interface. -![accessdashboardrag](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/accessdashboardrag.webp) +![accessdashboardrag](/img/product_docs/privilegesecure/privilegesecure/remoteaccessgateway/enduser/accessdashboardrag.webp) **Step 8 –** Once the authentication is complete, the Access dashboard is displayed. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/navigation.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/navigation.md index cee6e8905a..413fcc32bb 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/navigation.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/navigation.md @@ -3,7 +3,7 @@ At the top of the Privilege Secure Console lists available in interfaces and provides access to the Help link and the User Menu: -![End User Dashboard](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/enduserdashboard.webp) +![End User Dashboard](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/enduserdashboard.webp) The buttons have these functions: 
@@ -11,9 +11,9 @@ The buttons have these functions: - Access — Grants access to the My Activities page. Activities are be displayed as individual cards, organized alphabetically or by Access Policy. See the - [My Activities Page](access/myactivities.md) topic for additional information. + [My Activities Page](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/access/myactivities.md) topic for additional information. - Dashboard — View summaries of recent activity logs and user sessions. See the - [Dashboard Interface](dashboard/overview.md) topic for additional information. + [Dashboard Interface](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/dashboard/overview.md) topic for additional information. - Help — Opens the [Netwrix Privilege Secure Documentation](https://helpcenter.netwrix.com/category/sbpam) in the in @@ -23,6 +23,6 @@ The buttons have these functions: - Dark Mode — Toggle “Dark Mode” for the console. Hover over the toggle switch to see a preview of Dark Mode. - Product Tour — Re-starts walk-through of Privilege Secure features. See the - [Product Tour](producttour.md) topic for additional information. + [Product Tour](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/producttour.md) topic for additional information. - Logout — Signs the user out of the current session and opens the Login screen - About — Shows version and license information for the console diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/producttour.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/producttour.md index 2b9cd5af7b..6b5244ac64 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/producttour.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/producttour.md 
@@ -3,7 +3,7 @@ New users now experience a product tour on first login. Standard users and users with the Privilege Secure administrator role are walked through features that are relevant to their role. -![producttour](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) +![producttour](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/producttour.webp) At any time, the tour can be stopped by clicking the **X** icon at the top-right of the Console. By default, the tour will not display on next login unless the **Do not display again** checkbox is @@ -11,6 +11,6 @@ unchecked. The product tour may be re-started at any time via the user menu. -![usermenu](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) +![usermenu](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/usermenu.webp) -See the [Navigation](navigation.md) topic for additional information. +See the [Navigation](/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/navigation.md) topic for additional information. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/sessiontimeout.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/sessiontimeout.md index 2f46e8f70a..dfec44ed92 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/sessiontimeout.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/enduser/sessiontimeout.md 
@@ -5,6 +5,6 @@ inactivity. A Session Timeout warning message appears after 15 minutes. **NOTE:** The session timeout setting may differ if it has been customized by your administrator. -![Session Timeout ](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) +![Session Timeout ](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/enduser/sessiontimeout.webp) If the timeout message appears, click **Stay Logged In** to continue using the console. diff --git a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/overview.md b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/overview.md index db44dce099..1a478594ea 100644 --- a/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/overview.md +++ b/docs/privilegesecure/4.2/privilegesecure/remoteaccessgateway/overview.md @@ -4,7 +4,7 @@ The Remote Access Gateway (RAG) may be added to any Netwrix Privilege Secure ins securely extend access to external users such as remote workers or third-party vendors. VPN-less access is provided via web page with browser-based sessions for RDP and SSH. -![architecture](../../../../../static/img/product_docs/changetracker/changetracker/architecture.webp) +![architecture](/img/product_docs/changetracker/changetracker/architecture.webp) The RAG is made up of two components: diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md index 1a72896709..d44ea71d94 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md 
@@ -3,10 +3,10 @@ When you sign into the Recovery Console for the first time, the Domain Backup Configuration interface is displayed. -![Domain Backup Configuration Page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.webp) +![Domain Backup Configuration Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.webp) You must add a domain and it's backup configurations before you can start using the product. Once this is configured, the Domain Backup Configuration interface is not displayed again. Click the **here** link to launch the Add Domain Configuration wizard. Then follow the steps in the -[Domains Page](../configuration/domain.md) topic to add a domain and its backup configurations. +[Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) topic to add a domain and its backup configurations. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md index 3cee2b50af..2f85bfbcbb 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md 
@@ -1,11 +1,11 @@ # Active Directory Page On the Active Directory page, you can access all the domains that you have configured through the -[Domains Page](../configuration/domain.md). +[Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md). Click **Active Directory** in the left pane to open the Active Directory page. -![Active Directory page](../../../../../../static/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) +![Active Directory page](/img/product_docs/accessanalyzer/admin/hostdiscovery/wizard/activedirectory.webp) Select a domain from the drop-down menu and expand it to view the domain tree and container structure, which is exactly the same as you get in Active Directory Users and Computers. Objects in @@ -35,14 +35,14 @@ There are several ways to find an object: Rollback an Object Select and expand a domain in the left pane and locate the object you want to rollback. Right-click -this object and select **Rollback** on the menu. See the [Rollback Objects](rollback.md) topic for +this object and select **Rollback** on the menu. See the [Rollback Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md) topic for additional information. Recover Deleted Objects On expanding a domain in the left pane, you will notice that Recycle Bin is in blue, indicating that this is a virtual container specific to Recovery for Active Directory. Use the Recycle Bin to -recover deleted objects in Active Directory. See the [Recover Objects](recover.md) topic for +recover deleted objects in Active Directory. See the [Recover Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md) topic for additional information. ## Integration with Threat Prevention 
@@ -50,14 +50,14 @@ additional information. When you right-click an object in a domain on the Active Directory page, the right-click menu is displayed as: -![Right-click menu on the Active Directory page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/rightclickmenu.webp) +![Right-click menu on the Active Directory page](/img/product_docs/threatprevention/threatprevention/admin/agents/rightclickmenu.webp) The Show audit history and Show activity options are enabled only when both the following conditions are met: - Threat Prevention data is tied with Recovery for Active Directory data - The user is logged in with an account that is specified in the Account section of the - [Netwrix Integrations Page](../configuration/integration.md) + [Netwrix Integrations Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md) These options display data from Threat Prevention. @@ -69,7 +69,7 @@ On the Active Directory page, select and expand a domain in the left pane and lo want to view the audit history for. Right-click this object and select **Show audit history** on the menu. The Audit History window is displayed. -![Audit History window](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/audithistory.webp) +![Audit History window](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/audithistory.webp) The following information is displayed for every action performed on the object: 
@@ -92,7 +92,7 @@ On the Active Directory page, select and expand a domain in the left pane and lo whose activity you want to view. Right-click this object and select **Show activity** on the menu. The Audit Activity window is displayed. -![Audit Activity window](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/auditactivity.webp) +![Audit Activity window](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/auditactivity.webp) The following information is displayed for the actions performed by the object: diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md index e4fe51ba61..3ea6e70018 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md @@ -3,11 +3,11 @@ The Recycle Bin enables you to view the objects deleted in domains monitored by Recovery for Active Directory. You can recover these deleted Active Directory objects from the Recycle Bin. -Click **Active Directory** in the left pane to open the [Active Directory Page](overview.md). Select +Click **Active Directory** in the left pane to open the [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md). Select and expand a domain in the left pane and click Recycle Bin to get a list of deleted objects in the domain. -![Recycle Bin](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recyclebin.webp) +![Recycle Bin](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recyclebin.webp) You can recover deleted objects. 
@@ -36,7 +36,7 @@ There are several ways to find an object: Follow the steps to recover a deleted object. **Step 1 –** Click Active Directory in the left pane to open the -[Active Directory Page](overview.md). +[Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md). **Step 2 –** Select and expand a domain in the left pane and click Recycle Bin. @@ -47,11 +47,11 @@ Follow the steps to recover a deleted object. The Object Restore wizard opens. -![Object Restore wizard - Object Backups page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) +![Object Restore wizard - Object Backups page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) **Step 4 –** In the Backup Data section, select a backup date to restore from. Then click **Next**. -![Object Restore wizard - Domain Controller page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) +![Object Restore wizard - Domain Controller page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) **Step 5 –** Select a domain controller where the restore operation will get affected. Options are: @@ -62,7 +62,7 @@ The Object Restore wizard opens. **Step 6 –** Click **Next**. -![Object Restore wizard - Recovery Options page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recoveryoptions.webp) +![Object Restore wizard - Recovery Options page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recoveryoptions.webp) **Step 7 –** On the Recovery Options page, select the Container and Naming Conflict actions for the recovery process. 
@@ -88,7 +88,7 @@ recovery process. **Step 8 –** Click **Next**. -![Object Restore wizard - User Options page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/useroptions.webp) +![Object Restore wizard - User Options page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/useroptions.webp) **Step 9 –** The User Options page is displayed when user objects are being restored. When a user object is included as a child object being restored, this page is also displayed. Select the check @@ -105,7 +105,7 @@ boxes to configure the necessary options for the user. **Step 10 –** Click **Next**. -![Object Restore wizard - Credentials page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Object Restore wizard - Credentials page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 11 –** The account preforming the operation must have Domain Admin privileges to access the domain tree area where the object resides. On the Credentials page: 
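Review bot: the Credentials screenshot on the `+` line of the `@@ -105,7 +105,7 @@` hunk resolves to `/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp`, a folder named for a different product, on a page that documents the Recovery for Active Directory Object Restore wizard. The prefix rewrite preserves whatever the old relative path pointed at, so please check the rendered page before merging: this is the step that tells the operator which account to supply, and a screenshot shared only by filename would show the wrong dialog. The same pattern is visible elsewhere in this patch (the Domain Controller page image also sits under `activitymonitor/`, and the Users and Roles page image under `accessanalyzer/`). Separately, the context line below the image reads "The account preforming the operation"; that should be "performing".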
@@ -117,16 +117,16 @@ domain tree area where the object resides. On the Credentials page: For a Least Privilege Access Model to provision an Active Directory security group with the permissions that are necessary to perform backups, rollbacks and recovery, see the -[Least Privilege Access Model](../../requirements/targetdomain.md#least-privilege-access-model) +[Least Privilege Access Model](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md#least-privilege-access-model) topic. -![Object Restore wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Object Restore wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 12 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** to finish the wizard. -![Object Restore Complete message](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectrestorecompleted.webp) +![Object Restore Complete message](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectrestorecompleted.webp) **Step 13 –** A completed message is displayed when the restore is successful. Click **OK**.d diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md index 07f9508442..ab3f7ebc9b 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md 
@@ -6,7 +6,7 @@ Follow the steps to roll back an Active Directory object, including user account organizational units. **Step 1 –** Click Active Directory in the left pane to open the -[Active Directory Page](overview.md). +[Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md). **Step 2 –** Select and expand a domain in the left pane and locate the object you want to rollback. @@ -17,12 +17,12 @@ organizational units. The Object Rollback wizard opens. -![Object Rollback wizard - Object Backup page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) +![Object Rollback wizard - Object Backup page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) **Step 4 –** In the Backup Date section, select a backup to use for the rollback operation. Then select the checkbox(es) for the attributes you want to roll back. Click **Next**. -![Object Rollback wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Object Rollback wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 5 –** Select a domain controller where the rollback changes will get affected. Options are: @@ -33,7 +33,7 @@ select the checkbox(es) for the attributes you want to roll back. Click **Next** **Step 6 –** Click **Next**. -![Object Rollback wizard - Credentials page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) +![Object Rollback wizard - Credentials page](/img/product_docs/activitymonitor/activitymonitor/install/agent/credentials.webp) **Step 7 –** The account preforming the operation must have Domain Admin privileges to access the domain tree area where the object resides. On the Credentials page: 
@@ -45,16 +45,16 @@ domain tree area where the object resides. On the Credentials page: For a Least Privilege Access Model to provision an Active Directory security group with the permissions that are necessary to perform backups, rollbacks and recovery, see the -[Least Privilege Access Model](../../requirements/targetdomain.md#least-privilege-access-model) +[Least Privilege Access Model](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md#least-privilege-access-model) topic. -![Object Rollback wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Object Rollback wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 8 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** to finish the wizard. -![Object Rollback Sucessful message](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectrollbackcompleted.webp) +![Object Rollback Sucessful message](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectrollbackcompleted.webp) **Step 9 –** A completed message is displayed when the rollback is successful. Click **OK**. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/audit.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/audit.md index 4d70413a10..fa8a5e208c 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/audit.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/audit.md 
@@ -5,7 +5,7 @@ Directory. Click **Audit Logs** in the left pane to open the Audit Logs page. -![Audit Logs Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/auditlog.webp) +![Audit Logs Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/auditlog.webp) The following information is displayed for an event: @@ -16,4 +16,4 @@ The following information is displayed for an event: To view the details of an event, click the arrow next to it to expand it. -![Audit Event Details](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/auditeventdetails.webp) +![Audit Event Details](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/auditeventdetails.webp) diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md index 42fc7b259e..1726d23a32 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md @@ -7,7 +7,7 @@ have been purged. Click **Configuration** in the left pane. Then click the **Data Retention Policy** tab on the Configuration page to open the Data Retention Policy page. -![Data Retention Policy Page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/dataretention.webp) +![Data Retention Policy Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/dataretention.webp) Follow the steps to specify a data retention policy. 
diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md index 3c73ac2a98..f960c73894 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md @@ -7,7 +7,7 @@ domains. Click **Configuration** in the left pane. Then click the **Domains** tab on the Configuration page to open the Domains page. -![Domains Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) +![Domains Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) The table displays the following information: @@ -31,14 +31,14 @@ additional information. ### Add a Domain To add a domain, provide domain details and configure the backup schedule. For a list of the -supported Windows Servers, see the [Target Domains](../../requirements/targetdomain.md) topic. +supported Windows Servers, see the [Target Domains](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md) topic. Follow the steps to add a domain. **Step 1 –** Click the **Add domain configuration** button on the Domains page to launch the Add Domain Configuration wizard. -![Add Domain Configuration wizard - Domain page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) +![Add Domain Configuration wizard - Domain page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) **Step 2 –** Enter a domain [example.domain.com] in the Domain field. 
@@ -52,18 +52,18 @@ order to back up, rollback, and restore objects in Active Directory. If the acco only, it will be able to back up the domain but unable to rollback and restore objects. In this case, alternate credentials with read and write access to objects will have to be provided on the Credentials page of the Object Rollback and Object Restore wizards. See the -[Rollback Objects](../activedirectory/rollback.md) and -[Recover an Object](../activedirectory/recover.md#recover-an-object) topics for information on the +[Rollback Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md) and +[Recover an Object](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md#recover-an-object) topics for information on the wizards. For a Least Privilege Access Model to provision an Active Directory security group with the permissions that are necessary to perform backups, rollbacks and recovery, see the -[Least Privilege Access Model](../../requirements/targetdomain.md#least-privilege-access-model) +[Least Privilege Access Model](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md#least-privilege-access-model) topic. **Step 5 –** Click **Next**. -![Add Domain Configuration wizard - Backup Schedule page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/backupschedule.webp) +![Add Domain Configuration wizard - Backup Schedule page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/backupschedule.webp) **Step 6 –** Select the days of the week in the Run the backup on section to indicate the days when backups will be run. 
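Review bot: the `+` lines for `[Rollback Objects]`, `[Recover an Object]` and `[Least Privilege Access Model]` in this hunk now run far past the wrap width used by the unchanged context lines around them, which makes the credentials guidance in this paragraph hard to read and to diff in source form. Re-wrapping the paragraph after the link rewrite, or moving the long targets to reference-style link definitions at the end of the file, would keep later changes to this text reviewable.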
@@ -79,7 +79,7 @@ Click **Next**. the backups will run at the desired frequency but will skip from midnight until the selected start time. -![Add Domain Configuration wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Add Domain Configuration wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 9 –** (_Optional_) Select the **Collect GPOs** checkbox to enable GPO rollback and recovery. This setting requires Group Policy Management Console (GMPC). If GPO collection is not desired, skip 
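Review bot: the context line under the changed image in this hunk abbreviates Group Policy Management Console as "GMPC"; the abbreviation is GPMC. It is not introduced by this change, but the file is already being touched and the same text appears again in Step 10 of the Edit Domain Configuration procedure further down, so both occurrences could be corrected in this pass.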
@@ -93,18 +93,18 @@ backup. **Step 11 –** Click **Next**. -![Add Domain Configuration wizard - Notification page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/notification.webp) +![Add Domain Configuration wizard - Notification page](/img/product_docs/accessanalyzer/admin/settings/notification.webp) **Step 12 –** To set notifications, select the Send email notifications check box and enter the email address of one or more users and/or groups to receive the job start and end notifications. Use -a semicolon (;) to separate multiple recipients. See the [Notifications Page](notifications.md) +a semicolon (;) to separate multiple recipients. See the [Notifications Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md) topic for additional information. If notifications are not desired, skip this step. **Step 13 –** Click **Next**. -![Add Domain Configuration wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Add Domain Configuration wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 14 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** 
@@ -123,7 +123,7 @@ Follow the steps to edit a domain. **Step 1 –** On the Domains page, click the **Edit configuration** icon for a domain. The Edit Domain Configuration wizard opens. -![Edit Domain Configuration wizard - Domain page](../../../../../../static/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) +![Edit Domain Configuration wizard - Domain page](/img/product_docs/accessinformationcenter/access/informationcenter/resourceaudit/navigate/domain.webp) **Step 2 –** Modify the domain in the Domain field, as needed. @@ -135,7 +135,7 @@ credentials will take effect on next domain backup. **Step 5 –** Click **Next**. -![Edit Domain Configuration wizard - Backup Schedule page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/backupschedule.webp) +![Edit Domain Configuration wizard - Backup Schedule page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/backupschedule.webp) **Step 6 –** Modify the selection of the check boxes in the Run the backup on section to indicate the days when backups will be run, as needed. @@ -153,7 +153,7 @@ time. **Step 9 –** Click **Next**. -![Edit Domain Configuration wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Edit Domain Configuration wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 10 –** (_Optional_) Select or deselect the **Collect GPOs** checkbox to enable or disable GPO rollback and recovery. This setting requires Group Policy Management Console (GMPC). If GPO 
@@ -168,16 +168,16 @@ backup. **Step 12 –** Click **Next**. -![Edit Domain Configuration wizard - Notification page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/notification.webp) +![Edit Domain Configuration wizard - Notification page](/img/product_docs/accessanalyzer/admin/settings/notification.webp) **Step 13 –** To set notifications, select the Send email notifications check box and enter the email address of one or more users and/or groups to receive the job start and end notifications. Use -a semicolon (;) to separate multiple recipients. See the [Notifications Page](notifications.md) +a semicolon (;) to separate multiple recipients. See the [Notifications Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md) topic for additional information. If notifications are not desired, skip this step. -![Edit Domain Configuration wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Edit Domain Configuration wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 14 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md index 8e822a7564..d57fc0110e 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md 
@@ -4,12 +4,12 @@ The Netwrix Integrations page provides the ability to configure access to the da products. At present, only Netwrix Threat Prevention is supported. This enables Recovery for Active Directory to pull object data from the integrated product and tie it with that same object's data in Recovery for Active Directory. Users can then view the audit history and activity data coming from -Threat Prevention for objects on the [Active Directory Page](../activedirectory/overview.md). +Threat Prevention for objects on the [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md). Click **Configuration** in the left pane. Then click the **Netwrix Integrations** tab on the Configuration page to open the Netwrix Integrations page. -![Netwrix Integrations page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/integrations.webp) +![Netwrix Integrations page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/integrations.webp) Follow the steps to configure access to the data of a Netwrix product. @@ -25,7 +25,7 @@ set the authentication mode. - Windows authentication uses the credentials provided on the Netwrix Recovery Server Configuration page of the Recovery for Active Directory Setup wizard. See the - [Install the Application](../../install/application.md) topic for additional information. + [Install the Application](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md) topic for additional information. - For SQL Server authentication, provide SQL credentials in the Account and Password fields. The account requires Read permissions on the Threat Prevention database. 
@@ -40,20 +40,20 @@ activity data from Threat Prevention for domain objects. - Click the Add account access button to add an account. The Add Account Access wizard is displayed. - ![Add Account Access wizard - Account page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/account.webp) + ![Add Account Access wizard - Account page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/account.webp) - Enter a user's first or last name, display name, sAMAccountName, or group name in the **Search** field. As you type, the system will find matches in Active Directory and display the results. Select the desired user and click **Next**. - ![Add Account Access wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) + ![Add Account Access wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) - The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** to finish the wizard. The added account is displayed under Account on the Netwrix Integrations page. See the -[Integration with Threat Prevention](../activedirectory/overview.md#integration-with-threat-prevention) +[Integration with Threat Prevention](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md#integration-with-threat-prevention) topic for additional information. **Step 6 –** Click **Save**. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md index 5603ba726a..63f5ddbd0e 100644 
--- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md @@ -6,7 +6,7 @@ import a license file. Click **Configuration** in the left pane. Then click the **Licensing tab** on the Configuration page to open the Licensing page. -![Licensing page](../../../../../../static/img/product_docs/dataclassification/ndc/configuration/licensing.webp) +![Licensing page](/img/product_docs/dataclassification/ndc/configuration/licensing.webp) You can view whether the license is valid and when it will expire. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md index 1d9fa8aa88..d186a9bff1 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md @@ -7,7 +7,7 @@ configure notifications. Click **Configuration** in the left pane. Then click the **Notification tab** on the Configuration page to open the Notification page. -![Notifications Page](../../../../../../static/img/product_docs/1secure/admin/notifications.webp) +![Notifications Page](/img/product_docs/1secure/admin/notifications.webp) Follow the steps to configure notifications. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/overview.md index f9c8beb673..c4443ca947 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/overview.md 
@@ -5,22 +5,22 @@ notifications, integrations, data retention policy, and licensing for Recovery f **NOTE:** Only users with Administrator rights have access to the Configuration interface. -![Domains Page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) +![Domains Page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domains.webp) The Configuration interface contains the following pages: -- [Domains Page](domain.md) – The Domains page provides a list of the domains backed up by Recovery +- [Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) – The Domains page provides a list of the domains backed up by Recovery for Active Directory. It displays the backup schedule settings for each added domain. You can also add and configure new domains. -- [Users and Roles Page](roles.md) – The Users and Roles page displays the accounts with access to +- [Users and Roles Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md) – The Users and Roles page displays the accounts with access to Recovery for Active Directory. -- [Notifications Page](notifications.md) – The Notifications page allows the configuration of +- [Notifications Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md) – The Notifications page allows the configuration of notifications, which is required for sending an email when a collection (backup) job is completed. -- [Netwrix Integrations Page](integration.md) – The Netwrix Integrations page provides the ability +- [Netwrix Integrations Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md) – The Netwrix Integrations page provides the ability to configure access to the data in other Netwrix products. At present, only Netwrix Threat Prevention is supported. 
-- [Data Retention Policy Page](dataretention.md) – The Data Retention Policy page provides settings +- [Data Retention Policy Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md) – The Data Retention Policy page provides settings for deleting backup data that of domains and domain controllers has aged by X number of days, and for deleting backup data for tombstone objects that have been purged. -- [Licensing Page](licensing.md) – The Licensing page provides an overview of the organization's +- [Licensing Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md) – The Licensing page provides an overview of the organization's license status and the ability to import a license file. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md index 666228e547..af40a56ee4 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md @@ -5,7 +5,7 @@ The Users and Roles page displays the accounts with access to Recovery for Activ Click **Configuration** in the left pane. Then click the **Users and Roles tab** on the Configuration page to open the Users and Roles page. -![Users and Roles page](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) +![Users and Roles page](/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) The table displays the following information: 
@@ -32,7 +32,7 @@ all its members can log in. **Step 1 –** Click the **Add Account Role** button on the Users and Roles page. The Add Account Role wizard opens. -![Add Account Role wizard – Account page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/account.webp) +![Add Account Role wizard – Account page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/account.webp) **Step 2 –** Enter a user's first or last name, display name, sAMAccountName, or group name in the **Search** field. As you type, the system will find matches in Active Directory and display the @@ -40,7 +40,7 @@ results. **Step 3 –** Select the desired user and click **Next**. -![Add Account Role wizard – Role page](../../../../../../static/img/product_docs/groupid/groupid/configureentraid/register/role.webp) +![Add Account Role wizard – Role page](/img/product_docs/groupid/groupid/configureentraid/register/role.webp) **Step 4 –** Select the Administrator or Operator role for the account from the **Role** drop-down menu. @@ -53,7 +53,7 @@ menu. **Step 5 –** Click **Next**. -![Add Account Role wizard – Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Add Account Role wizard – Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 6 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** 
@@ -82,7 +82,7 @@ Follow the steps below to remove a user's or group's access to the Recovery Cons **Step 2 –** Click the **Remove** button to remove that user or group from the table. -![Delete Role Confirmation](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/deleterole.webp) +![Delete Role Confirmation](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/configuration/deleterole.webp) **Step 3 –** Click **OK** to confirm the action. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuremfa.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuremfa.md index d6daab36f5..9f1496575e 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuremfa.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuremfa.md @@ -11,7 +11,7 @@ phone. Follow the steps to enable the authenticator option for MFA. -![Enable MFA page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/enablemfa.webp) +![Enable MFA page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/enablemfa.webp) **Step 1 –** In the Recovery Console, click your profile icon in the top right corner of the page and select **Manage**. The MFA page opens. 
@@ -19,7 +19,7 @@ and select **Manage**. The MFA page opens. **Step 2 –** Click the **Add authenticator app** button. The Configure authenticator app page is displayed, showing the instructions for setting up the app. -![Configure authenticator app page](../../../../../static/img/product_docs/accessanalyzer/admin/analysis/configure.webp) +![Configure authenticator app page](/img/product_docs/accessanalyzer/admin/analysis/configure.webp) **Step 3 –** Open the authenticator app on your phone and scan the QR code with it. A new account is created in the app for the Recovery application and a verification code is displayed under the @@ -35,13 +35,13 @@ seconds. MFA has been enabled for your account. Now you must authenticate your account using the Authenticator app every time you sign into Recovery for Active Directory. See the -[Sign In](../install/login.md#sign-in) topic for additional information. +[Sign In](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md#sign-in) topic for additional information. ## Disable Authenticator for MFA Follow the steps to disable MFA for your Recovery for Active Directory account. -![Disable MFA page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/disablemfa.webp) +![Disable MFA page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/disablemfa.webp) **Step 1 –** In the Recovery Console, click your profile icon in the top right corner of the page and select **Manage**. The MFA page opens. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md index 7fad750821..f2d6577308 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md 
@@ -14,14 +14,14 @@ Click **Forest** in the left pane to open the Forest page. - When no forest has been added, the Forest Configuration page is displayed. -> ![Forest Configuration page](../../../../../../static/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) +> ![Forest Configuration page](/img/product_docs/privilegesecure/privilegesecure/accessmanagement/admin/policy/add/add.webp) > > You must add a forest first. See the [Add a Forest](#add-a-forest) topic for additional > information. - Once a forest is added, the page is displayed as follows: -![Forest Page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forest.webp) +![Forest Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forest.webp) The domains in the configured forests are shown in a hierarchal tree. The domain controllers for the selected forest are shown in the adjacent pane, with information such as backup status and last @@ -63,7 +63,7 @@ steps to add a forest. **Step 1 –** On the Forest Configuration page, click the **here** link. Or on the Forest page, click the **Add** link. The Add Forest window is displayed. -![ Add Forest window](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/addforest.webp) +![ Add Forest window](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/addforest.webp) **Step 2 –** In the Domain field, enter the name of the root domain in the forest [example.domain.com]. 
@@ -89,7 +89,7 @@ Netwrix Server Backup Configuration agent on that domain controller. **NOTE:** Ensure that the domain controller has the firewall rules configured before configuring backup settings for it. See the -[Firewall Rules for Forest Server Backups](../../requirements/firewallrules.md) topic for additional +[Firewall Rules for Forest Server Backups](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/firewallrules.md) topic for additional information. Follow the steps to specify backup settings for a domain controller. @@ -101,7 +101,7 @@ adjacent pane displays the domain controllers in that domain. **Step 1 –** Enable the Backup toggle button for a domain controller to launch the Server Backup Configuration wizard. -![Server Backup Configuration wizard - Server page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/server.webp) +![Server Backup Configuration wizard - Server page](/img/product_docs/accessanalyzer/admin/settings/server.webp) **Step 2 –** In the Server field, the domain controller to be backed up is displayed as read-only in the following format: server.domain.com. @@ -120,7 +120,7 @@ using this account. **Step 4 –** Click **Next**. -![Server Backup Configuration wizard - Schedule page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Server Backup Configuration wizard - Schedule page](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) **Step 5 –** Select the days of the week in the Run the backup on section to indicate the days when backups will be run. 
@@ -130,7 +130,7 @@ default time is 12:00 AM. **Step 7 –** Click **Next**. -![Server Backup Configuration wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Server Backup Configuration wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 8 –** In the Specify where you would like to store the backup data field, enter a path to a network share on the domain controller to store the backup data. @@ -146,13 +146,13 @@ checkbox to uncompress the generated backup file. **Step 11 –** Click **Next**. -![Server Backup Configuration wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Server Backup Configuration wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 12 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** to finish the wizard. -![Server Backup Configuration Saved](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackupconfiguration.webp) +![Server Backup Configuration Saved](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackupconfiguration.webp) **Step 13 –** The Server backup configuration has been saved. Click **OK**. 
@@ -199,7 +199,7 @@ adjacent pane displays the domain controllers in that domain. **Step 2 –** Click the arrow next to the name of a domain controller to expand it. -![Forest Server Backup History](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackuphistory.webp) +![Forest Server Backup History](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackuphistory.webp) On expanding a domain controller, you can view a list of backups for it. The following information is displayed for each backup: @@ -212,4 +212,4 @@ is displayed for each backup: ## Forest Recovery -See the [Recover a Forest](recover.md) topic for information on how to recover a forest. +See the [Recover a Forest](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md) topic for information on how to recover a forest. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md index 6a86c25821..f3650e1be1 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md @@ -23,7 +23,7 @@ To perform a forest recovery, the following prerequisites must be in place: - Configure backups for one or more domain controllers in each domain in a forest. - Next, ensure that backups run as scheduled. You can also force-run a backup. -See the [Forest Page](forest.md) topic for additional information. +See the [Forest Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md) topic for additional information. ## Recover a Forest 
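Review bot: in recover.md (hunk @@ -23,7), the sibling link `[Forest Page](forest.md)` becomes `/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md`, which hard-codes the 2.6 version folder into a link between two files in the same directory. If this tree is later copied to a new version folder, the link will keep pointing at the 2.6 page without any build error. Either keep same-folder links relative, or add a link check that flags links whose version segment differs from the linking file's own path.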
@@ -31,7 +31,7 @@ Follow the steps to recover a forest. - **Step 1 –** Prepare an isolated environment to restore the forest to. - See the [Target Server Considerations](../../requirements/targetserver.md) topic to understand + See the [Target Server Considerations](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md) topic to understand the requirements for a target environment and target servers for restoring domain controllers. - **Step 2 –** Add the desired domain controllers to create a recovery playbook, also called a @@ -77,7 +77,7 @@ adjacent pane displays the domain controllers in that domain. controller to add it to the recovery playbook. The Add to Recovery Playbook wizard opens, where you can specify the restore settings for the domain controller. -![Add to Recovery Playbook wizard - Domain Controller page](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) +![Add to Recovery Playbook wizard - Domain Controller page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) **Step 4 –** On the Domain Controller page, the Source Domain Controller section displays information for the domain controller that is being added to the playbook. It displays the domain it 
@@ -91,12 +91,12 @@ In the Target Server section: administrator account for the target server. See the -[Target Server and Operating System Requirements](../../requirements/targetserver.md#target-server-and-operating-system-requirements) +[Target Server and Operating System Requirements](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md#target-server-and-operating-system-requirements) topic for additional information. **Step 5 –** Click **Next**. -![Add to Recovery Playbook wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Add to Recovery Playbook wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 6 –** From the **Backup** drop-down menu, select the backup to use for restoring the domain controller. The drop-down menu lists the backups available for the domain controller. @@ -124,7 +124,7 @@ the to-be-restored domain controller. **Step 10 –** Click **Next**. -![Add to Recovery Playbook wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Add to Recovery Playbook wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 11 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** 
@@ -136,7 +136,7 @@ Repeat this process for all the domain controllers you wish to restore in the ta When you add another domain controller, it appears as a new tab added to the playbook. Click the tab representing a domain controller to view its details. -![Recovery Playbook created on the Forest Page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/recoveryplaybook.webp) +![Recovery Playbook created on the Forest Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/recoveryplaybook.webp) The following information is displayed for a domain controller in the playbook: @@ -158,7 +158,7 @@ Your new forest is ready for you to log in using any Administrator credentials f Notice that the Forest page displays the operations performed during the restore process. -![Forest page showing a restored forest](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forestrecovered.webp) +![Forest page showing a restored forest](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forestrecovered.webp) From here, you can proceed to restore additional domain controllers or promote new ones to the forest. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/navigation.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/navigation.md index 8afb148dcd..38dbfd646f 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/navigation.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/navigation.md 
@@ -5,7 +5,7 @@ In the Recovery Console, navigation options are displayed in the: - Application header - Left navigation pane -![Navigation Options in the Recovery Console](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/navigation.webp) +![Navigation Options in the Recovery Console](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/navigation.webp) ## Application Header 
@@ -18,40 +18,40 @@ The application header contains the following icons in the top right corner: - Manage – Click it to open the MFA page, where you can set up multi-factor authentication for your Recovery for Active Directory account. See the - [Configure Multi-Factor Authentication](configuremfa.md) topic for additional information. + [Configure Multi-Factor Authentication](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuremfa.md) topic for additional information. - Log out – Click it to sign out of the Recovery Console ## Navigation Pane The navigation pane contains the following links: -- [Active Directory Page](activedirectory/overview.md) – The Active Directory page lists the domains +- [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md) – The Active Directory page lists the domains configured in Recovery for Active Directory. You can perform object rollback and recovery operations on this page. -- [Forest Page](forest/forest.md) – The Forest page displays your Active Directory forest with its +- [Forest Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md) – The Forest page displays your Active Directory forest with its domains and domain controllers. Administrators can set up backup configurations for domain controllers as well as recover the forest from those backups. -- [Audit Logs Page](audit.md) – The Audit Logs page provides an audit trail of the actions performed +- [Audit Logs Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/audit.md) – The Audit Logs page provides an audit trail of the actions performed by users in Recovery for Active Directory. 
-- [Configuration Interface](configuration/overview.md) – The Configuration interface provides access +- [Configuration Interface](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/overview.md) – The Configuration interface provides access to configure the domains, users and roles, notifications, integrations, data retention policy, and licensing for Recovery for Active Directory. **NOTE:** Only users with Administrator rights have access to the Configuration interface. - - [Domains Page](configuration/domain.md) – The Domains page provides a list of the domains + - [Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) – The Domains page provides a list of the domains backed up by Recovery for Active Directory. It displays the backup schedule settings for each added domain. You can also add and configure new domains. - - [Users and Roles Page](configuration/roles.md) – The Users and Roles page displays the + - [Users and Roles Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md) – The Users and Roles page displays the accounts with access to Recovery for Active Directory. - - [Notifications Page](configuration/notifications.md) – The Notifications page allows the + - [Notifications Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md) – The Notifications page allows the configuration of notifications, which is required for sending an email when a collection (backup) job is completed. - - [Netwrix Integrations Page](configuration/integration.md) – The Netwrix Integrations page + - [Netwrix Integrations Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/integration.md) – The Netwrix Integrations page provides the ability to configure access to the data in other Netwrix products. At present, only Netwrix Threat Prevention is supported. 
- - [Data Retention Policy Page](configuration/dataretention.md) – The Data Retention Policy page + - [Data Retention Policy Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/dataretention.md) – The Data Retention Policy page provides settings for deleting backup data that of domains and domain controllers has aged by X number of days, and for deleting backup data for tombstone objects that have been purged. - - [Licensing Page](configuration/licensing.md) – The Licensing page provides an overview of the + - [Licensing Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md) – The Licensing page provides an overview of the organization's license status and the ability to import a license file. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/overview.md index e25c4ba777..ea1dfb9f8e 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/overview.md @@ -28,5 +28,5 @@ DNS Records DNS records must be stored in Active Directory in order to backup, restore, and view DNS objects in Recovery for Active Directory. See the Microsoft -[Change the Zone Type]() article +[Change the Zone Type](https://technet.microsoft.com/en-us/library/cc771150(v=ws.11).aspx) article for additional information. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/gettingstarted.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/gettingstarted.md index 20a1682f7f..28ac61999d 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/gettingstarted.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/gettingstarted.md 
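Review bot: in admin/overview.md (hunk @@ -28,5), the previously empty `[Change the Zone Type]()` link is filled with `https://technet.microsoft.com/en-us/library/cc771150(v=ws.11).aspx`, whose destination contains parentheses. Balanced parentheses are valid in a CommonMark link destination, but not every Markdown renderer handles them, so verify that the rendered href is not cut at `(v=ws.11`, or wrap the destination in angle brackets or encode the parentheses as %28 and %29. The host is also the legacy TechNet library; check that the URL still lands on the intended article and prefer its current location if it redirects.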
@@ -8,19 +8,19 @@ Installation Requirements Before installing Recovery for Active Directory, review the recommended configuration of the servers needed to install this product in a production environment. See the -[Requirements ](requirements/overview.md)topic for additional information. +[Requirements ](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md)topic for additional information. Installation Install and configure Recovery for Active Directory. See the -[Install the Application](install/application.md) topic for additional information. +[Install the Application](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md) topic for additional information. **NOTE:** Installing the server automatically installs the RSAT Extension locally. First Launch Launch Recovery for Active Directory using the desktop icon and sign in with the administrator role -account that was configured during installation. See the [First Launch](install/firstlaunch.md) +account that was configured during installation. See the [First Launch](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md) topic for additional information on signing in for the first time. Initial Configuration 
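Review bot: in gettingstarted.md (hunk @@ -8,19), the rewritten line `[Requirements ](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md)topic` keeps a trailing space inside the link label and has no space between the closing parenthesis and "topic". Depending on the renderer, the label's space is either trimmed, which joins the two words, or kept inside the link text. Since the line is being rewritten anyway, change it to `[Requirements](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md) topic`.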
@@ -29,24 +29,24 @@ Several Recovery for Active Directory components require configuration after the product. - Configure Domain Backup – On logging into the Recovery Console, you land on the - [Domain Backup Configuration Page](admin/activedirectory/domainbackupconfig.md), that directs you + [Domain Backup Configuration Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md), that directs you to configure a domain to be backed up. It is recommended a start a backup of the domain after - configuring it. See the [Domains Page](admin/configuration/domain.md) topic for additional + configuring it. See the [Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) topic for additional information on configuring a domain to backup. - Configure Forest Backup – Configure a forest and then configure backup settings for domain controllers in the forest. It is recommended a start a backup of the domain controllers after - configuring backup settings. See the [Forest Page](admin/forest/forest.md) topic for additional + configuring backup settings. See the [Forest Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md) topic for additional information on configuring a domain controller backup. - _(Optional)_ Install RSAT Extension on Additional Servers – The `RSAT Extension.msi` is automatically installed with the Recovery for Active Directory application on the application server. The extension can also be installed on other servers where ADUC is installed. See the - [Install the RSAT Extension](rsatextension/installation.md) topic for additional information. + [Install the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md) topic for additional information. 
- Configure Additional Users – The user or group configured during installation of the product has administrator access to the Recovery Console. Additional users and groups can be added and - assigned roles. See the [Users and Roles Page](admin/configuration/roles.md) topic for additional + assigned roles. See the [Users and Roles Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/roles.md) topic for additional information. - _(Optional)_ Configure Notifications – Email notifications require configuration before they can - be enabled. See the [Notifications Page](admin/configuration/notifications.md) topic for + be enabled. See the [Notifications Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/notifications.md) topic for additional information on configuring email notifications. Rollback and Restore Operations diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md index 3dca3a5778..8ddc857dc4 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md 
@@ -27,19 +27,19 @@ Follow the steps to install Recovery for Active Directory. **Step 1 –** Run the `NetwrixRecovery_Setup.exe` executable as an administrator to launch the Recovery for Active Directory Setup wizard. -![Recovery for Active Directory Setup wizard - Initial EULA page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![Recovery for Active Directory Setup wizard - Initial EULA page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 2 –** On the Netwrix Recovery for Active Directory page, read the End User License Agreement. Then check the **I agree to the license terms and conditions** checkbox and click **Install**. The Setup Progress page displays the setup progress bar and then the Welcome page is displayed. -![Installation Welcome Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![Installation Welcome Page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 3 –** On the Welcome page of the Recovery for Active Directory Setup wizard, click Next to begin the installation. -![Installation Destination Folder Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![Installation Destination Folder Page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 4 –** On the Destination Folder page, confirm the destination path where the wizard will install Recovery for Active Directory. The default installation location is: 
@@ -49,14 +49,14 @@ C:\Program Files\Netwrix\Recovery for Active Directory\ - (Optional) Click Change… to change the installation location. The Change destination folder page opens. -![Recovery for Active Directory Setup wizard - Change destination folder page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/changedestinationfolder.webp) +![Recovery for Active Directory Setup wizard - Change destination folder page](/img/product_docs/threatprevention/threatprevention/install/changedestinationfolder.webp) > - Use the Look in field to select the desired installation folder. > - When the Folder name box is set as desired, click **OK**. The wizard returns to the Destination Folder page. Click **Next** to continue. -![Installation License File Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/licensefile.webp) +![Installation License File Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/licensefile.webp) **Step 5 –** On the License File page, select the licensing option for your installation. @@ -67,7 +67,7 @@ The wizard returns to the Destination Folder page. Click **Next** to continue. Click Next. -![Installation SQL Server Configuration](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/sqlserverconfiguration.webp) +![Installation SQL Server Configuration](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/sqlserverconfiguration.webp) **Step 6 –** On the SQL Server Configuration page, specify the SQL server and credentials to use for database communication. 
@@ -86,12 +86,12 @@ of the wizard. Click **Next**. -![Installation SQL Server Database Name](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/sqlserverdatabase.webp) +![Installation SQL Server Database Name](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/sqlserverdatabase.webp) **Step 7 –** On the SQL Server Database page, specify the SQL Server database to use. Use the default database name or provide a unique, descriptive name in the box. Click **Next** to continue. -![serverconfiguration](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/serverconfiguration.webp) +![serverconfiguration](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/serverconfiguration.webp) **Step 8 –** On the Netwrix Recovery Server Configuration page, enter the port and credentials to be used for running the application server. @@ -105,7 +105,7 @@ used for running the application server. Click **Next**. -![Installation Admin Role Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/administratorrole.webp) +![Installation Admin Role Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/administratorrole.webp) **Step 9 –** On the Administrator Role page, specify the administrator account to use. By default, this is set to the Domain Admins account from the domain the product is being installed into. 
@@ -119,7 +119,7 @@ this is set to the Domain Admins account from the domain the product is being in Click **Next**. -![Installation Web Host Configuration](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/webhost.webp) +![Installation Web Host Configuration](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/webhost.webp) **Step 10 –** On the Web Host page, specify the web host configuration for the Recovery for Active Directory Console. @@ -129,7 +129,7 @@ Directory Console. Certificate section on the page. Click **Select certificate...**. The Certificates window is displayed. -![Installation Certificates Window](../../../../../static/img/product_docs/threatprevention/threatprevention/install/agent/certificates.webp) +![Installation Certificates Window](/img/product_docs/threatprevention/threatprevention/install/agent/certificates.webp) - The Certificates window displays installed certificates on either the local machine or the current user. Select the desired certificate and click **Use Selected Certificate**. This automatically 
@@ -137,16 +137,16 @@ Directory Console. Click **Next**. Recovery for Active Directory is ready to install. -![Installation Ready to Install](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![Installation Ready to Install](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 11 –** Click **Install** to begin the installation process. -![completed](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![completed](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 12 –** The installation process begins and the Setup wizard displays the installation progress. Depending on the Active Directory size, installation may take time to complete. When installation is complete, click Finish to exit the wizard. The installer does not automatically open the Recovery Console web page after installation. The -Recovery Console icon is located on the desktop. See the [First Launch](firstlaunch.md) topic for +Recovery Console icon is located on the desktop. See the [First Launch](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md) topic for the next step. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md index 9b50872ede..f4c9e5e85e 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md 
@@ -7,7 +7,7 @@ To launch the Recovery Configuration Utility, double-click the Recovery_Config.e following location in the Recovery for Active Directory installation directory: `...Netwrix\Recovery for Active Directory\Recovery_Config.exe` -![ Recovery Configuration Utility](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/configurationutility.webp) +![ Recovery Configuration Utility](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/configurationutility.webp) The Recovery Configuration Utility window has options to: @@ -28,7 +28,7 @@ for restoring deleted objects. Consider the following: - The Extension can be manually installed on a remote server where ADUC is installed. The Extension connects to the Recovery Application Server using the server name or IP address you provide while installing the Extension on the remote machine. See the - [Install the RSAT Extension](../rsatextension/installation.md) topic for additional information. + [Install the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md) topic for additional information. ### Register the RSAT Extension @@ -41,7 +41,7 @@ Follow the steps to register the RSAT Extension. the RSAT Extension. On registration, the following message is displayed and the button changes to Unregister. -![RSAT Extension Registered message](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/rsatextensionregistered.webp) +![RSAT Extension Registered message](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/rsatextensionregistered.webp) **Step 2 –** Click **OK**. 
@@ -56,7 +56,7 @@ Follow the steps to unregister the RSAT Extension. unregister the RSAT Extension. The following message is displayed and the button changes to Register. -![RSAT Extension Not Registered message](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/rsatextensionunregistered.webp) +![RSAT Extension Not Registered message](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/rsatextensionunregistered.webp) **Step 2 –** Click **OK**. @@ -74,7 +74,7 @@ The Recovery Configuration Utility window displays the following information for - Save – After making any changes, click the **Save** button to save the configuration To update the password for the SQL server service account, see the -[Update SQL Server Service Account Password](../troubleshooting/updatepassword/sqlserverserviceaccount.md) +[Update SQL Server Service Account Password](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md) topic. ## View License Information diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md index 4d8ffc9873..e571b8ea91 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md 
@@ -15,10 +15,10 @@ Follow the steps to login to Recovery for Active Directory. **Step 1 –** Launch the Recovery Console. The Log in page is displayed. -![ Recovery for Active Directory - Login page](../../../../../static/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) +![ Recovery for Active Directory - Login page](/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) **Step 2 –** Log in with credentials configured on the Administrator Role page of the Recovery for -Active Directory Setup wizard during installation. See the [Install the Application](application.md) +Active Directory Setup wizard during installation. See the [Install the Application](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md) topic for additional information on the administrator role. The username must be entered in the following format: @@ -27,9 +27,9 @@ following format: **Step 3 –** Click **Log in**. Once logged in, the first step is to configure a domain. See the -[Domain Backup Configuration Page](../admin/activedirectory/domainbackupconfig.md) topic for +[Domain Backup Configuration Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/domainbackupconfig.md) topic for additional information. The administrator must also add users who can access the application. Once these users have access, -see the [Log into the Recovery Console](login.md) topic for information on accessing and signing +see the [Log into the Recovery Console](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md) topic for information on accessing and signing into the Recovery Console. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md index 3f99ddc23e..c0163244a2 100644 
--- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/login.md @@ -2,7 +2,7 @@ When Recovery for Active Directory is installed, the following icon is displayed on the desktop. -![Recovery Desktop Icon](../../../../../static/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) +![Recovery Desktop Icon](/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) ## Access the Recovery Console Locally @@ -28,7 +28,7 @@ process, use the port and protocol configured from the install. ## Sign In -On [First Launch](firstlaunch.md) of the Recovery Console, the administrator must add users who can +On [First Launch](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/firstlaunch.md) of the Recovery Console, the administrator must add users who can sign into the application and use it. Follow the steps to sign into the Recovery Console. @@ -37,7 +37,7 @@ Follow the steps to sign into the Recovery Console. **NOTE:** The URL may need to be added to the browser's list of trusted sites. -![Recovery for Active Directory - Login page](../../../../../static/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) +![Recovery for Active Directory - Login page](/img/product_docs/threatprevention/threatprevention/eperestsite/login.webp) **Step 2 –** Enter your credentials in the Username and Password fields. The username must be in the following format: 
@@ -48,7 +48,7 @@ following format: If you have enabled multi-factor authentication for your account, the following is displayed: -![MFA at Login](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/loginmfa.webp) +![MFA at Login](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/loginmfa.webp) **Step 4 –** Launch the Authenticator app on your phone to get the verification code generated for the Recovery application account. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/overview.md index 5711b0b2b2..b2583f69cf 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/overview.md 
@@ -18,19 +18,19 @@ The following services are also installed on the Recovery Application Server: To install the application, see the following topics: -- [Install the Application](application.md) -- [Configuration Utility](configurationutility.md) -- [Install the RSAT Extension](../rsatextension/installation.md) +- [Install the Application](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md) +- [Configuration Utility](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md) +- [Install the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md) Prior to installing, ensure that all prerequisites have been met, as described in the -[Requirements ](../requirements/overview.md)topic. +[Requirements ](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md)topic. ## Licensing Recovery for Active Directory comes with a temporary 7-day license. Please contact the Netwrix sales representative for a license. -See the [Licensing Page](../admin/configuration/licensing.md) topic to license the product. +See the [Licensing Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/licensing.md) topic to license the product. ## Software Download diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/upgrade.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/upgrade.md index 7dae62f4bf..fa14ac7f4f 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/upgrade.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/upgrade.md 
@@ -6,7 +6,7 @@ v2.6. ## Upgrade Recovery for Active Directory v2.5 to v2.6 Run the `NetwrixRecovery_Setup.exe` on the Netwrix Recovery for Active Directory server to upgrade -to the newer version of the product. See the [Install the Application](application.md) topic for +to the newer version of the product. See the [Install the Application](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/application.md) topic for additional information. **NOTE:** The database does not change between versions, so the same can be used for the new diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md index f07fd3f604..ea738e5106 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/overview.md 
@@ -21,21 +21,21 @@ Core Component See the following topics for server requirements: -- [Application Server Requirements](server.md) -- [SQL Server Requirements](sqlserver.md) -- [RSAT Extension Requirements](rsatextension.md) +- [Application Server Requirements](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/server.md) +- [SQL Server Requirements](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/sqlserver.md) +- [RSAT Extension Requirements](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/rsatextension.md) Target Domain Considerations The target domains include the Active Directory domains that can be added through the -[Domains Page](../admin/configuration/domain.md). See the following topic for target domain +[Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md). See the following topic for target domain considerations: -- [Target Domains](targetdomain.md) +- [Target Domains](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md) Target Server Considerations Target servers include the servers and environments where you want to restore a domain controller or an entire forest. See the following topic for target server requirements: -- [Target Server Considerations](targetserver.md) +- [Target Server Considerations](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md) diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md index 1a01d56496..33b3b12f64 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md 
@@ -1,8 +1,8 @@ # Target Domains Target domains include the Active Directory domains that can be added through the -[Domains Page](../admin/configuration/domain.md). You can rollback and recover objects in these -domains through the [Active Directory Page](../admin/activedirectory/overview.md). +[Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md). You can rollback and recover objects in these +domains through the [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md). Recovery for Active Directory can backup domains on servers with the Active Directory role on the following operating system versions: diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md index 4c8be65c26..ae92047cc5 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetserver.md @@ -1,7 +1,7 @@ # Target Server Considerations This topic lists the requirements for the target servers where you want to restore the domain -controllers for performing a forest recovery. See the [Recover a Forest](../admin/forest/recover.md) +controllers for performing a forest recovery. See the [Recover a Forest](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md) topic for additional information. _Remember,_ target server refers to a server where you intent to restore a domain controller. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md index e75a65d67c..7215a4e4af 100644 
--- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md @@ -14,16 +14,16 @@ install it. **Step 2 –** Run `NetwrixRecovery_RSAT_Extension.msi` . The RSAT Extension Setup wizard opens. -![RSAT Extension Installation Wizard - Welcome Page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) +![RSAT Extension Installation Wizard - Welcome Page](/img/product_docs/activitymonitor/activitymonitor/install/welcome.webp) **Step 3 –** On the Welcome page, click **Next**. -![RSAT Extension Installation Wizard - License Agreement page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) +![RSAT Extension Installation Wizard - License Agreement page](/img/product_docs/threatprevention/threatprevention/install/licenseagreement.webp) **Step 4 –** On the End-User License Agreement page, read the End User License Agreement and check the **I accept the terms in the License Agreement** box. Click **Next**. -![RSAT Extension Installation Wizard - Destination Folder page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) +![RSAT Extension Installation Wizard - Destination Folder page](/img/product_docs/activitymonitor/activitymonitor/install/destinationfolder.webp) **Step 5 –** On the Destination Folder page, specify the file path to install the RSAT Extension. The default path is: 
@@ -33,14 +33,14 @@ C:\Program Files\Netwrix\Recovery for Active Directory RSAT Extension\ Optionally, you can change the installation directory location for the RSAT Extension. Click **Change** to open the Change destination folder page. -![RSAT Extension Setup Wizard - Change destination folder page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/changedestinationfolder.webp) +![RSAT Extension Setup Wizard - Change destination folder page](/img/product_docs/threatprevention/threatprevention/install/changedestinationfolder.webp) > - Use the Look in field to select the desired installation folder. > - When the Folder name box is set as desired, click **OK**. The wizard returns to the Destination Folder page. Click **Next** to proceed. -![RSAT Extension Installation Wizard - Netwrix Recovery Server Connection page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/serverconnection.webp) +![RSAT Extension Installation Wizard - Netwrix Recovery Server Connection page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/serverconnection.webp) **Step 6 –** In the Server name field, enter the name or IP address of the Recovery Application Server, so the RSAT Extension identifies it in the environment. 
@@ -51,11 +51,11 @@ application, then that specific port is applicable here. Click **Next**. -![ready](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) +![ready](/img/product_docs/activitymonitor/activitymonitor/install/ready.webp) **Step 7 –** Click **Install** to begin the installation process. -![RSAT Extension Installation Complete](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![RSAT Extension Installation Complete](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 8 –** The installation process begins and the Setup Wizard displays the Setup Progress. When installation is complete, click Finish to exit the wizard. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/overview.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/overview.md index 7cff79b0a7..fe013a97d0 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/overview.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/overview.md @@ -11,7 +11,7 @@ for restoring deleted objects. Consider the following: - The Extension can be manually installed on a remote server where ADUC is installed. The Extension connects to the Recovery Application Server using the server name or IP address you provide while installing the Extension on the remote machine. See the - [Install the RSAT Extension](installation.md) topic for additional information. + [Install the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md) topic for additional information. You must register the RSAT Extension on the Recovery Application Server to add the Rollback and Restore options to the ADUC console. 
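Review bot: In the rsatextension/overview.md hunk, the same-directory link `installation.md` becomes `/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/installation.md`, which pins the version into a link that previously followed the file wherever the folder was copied. When the 2.6 tree is cloned for the next release, this link will keep resolving to the 2.6 page with no build error. Either keep sibling links relative, or confirm in the PR description that the versioning step rewrites the `2.6` segment.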
diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/recovery.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/recovery.md index f4a3ab83eb..e79dcb749e 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/recovery.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/recovery.md @@ -9,10 +9,10 @@ The following prerequisites must be met before you can rollback or recover an ob - You must register the RSAT Extension on the Recovery Application Server to add the Rollback and Restore options to the ADUC console. See the - [Register/Unregister the RSAT Extension](../install/configurationutility.md#registerunregister-the-rsat-extension) + [Register/Unregister the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md#registerunregister-the-rsat-extension) topic for additional information. - At least one backup of the domain must be available in the Recovery for Active Directory Console. - See the [Domains Page](../admin/configuration/domain.md) topic for additional information. + See the [Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) topic for additional information. ## Restore an Object Using ADUC 
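Review bot: The rewritten link to `configurationutility.md#registerunregister-the-rsat-extension` carries over a fragment that nothing in this patch confirms; the only RSAT heading visible in the configurationutility.md hunks is `### Register the RSAT Extension`. Confirm that a "Register/Unregister the RSAT Extension" heading exists in that file, and make sure the link check run for this change validates fragments as well as file paths, because switching to an absolute path only changes how the file part resolves.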
@@ -20,18 +20,18 @@ Follow the steps to restore a deleted object. **Step 1 –** Open ADUC and select the Recycle Bin. -![ADUC with the Restore option selected](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/aducrestore.webp) +![ADUC with the Restore option selected](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/aducrestore.webp) **Step 2 –** In the Recycle Bin, right-click on the object to be restored and select **Restore** on the menu. The Object Recovery wizard opens. -![Object Recovery Wizard - Object Backups page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) +![Object Recovery Wizard - Object Backups page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) **Step 3 –** On the Object Backups page, select the desired date timestamp to identify the backup for recovery. Multiple backups may be available for a single day depending on the configured schedule. Click **Next** to continue. -![Object Recovery Wizard - Recovery Options page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recoveryoptions.webp) +![Object Recovery Wizard - Recovery Options page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/recoveryoptions.webp) **Step 4 –** On the Recovery Options page, select the Container and Naming Conflict actions for the recovery process. 
@@ -57,7 +57,7 @@ recovery process. Click **Next**. -![Object Recovery Wizard - User Options page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/useroptions.webp) +![Object Recovery Wizard - User Options page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/useroptions.webp) **Step 5 –** The User Options page is displayed when user objects are being restored. When a user object is included as a child object being restored, this page is also displayed. Consider the @@ -81,7 +81,7 @@ Select the desired checkboxes relating to the state of a user password upon rest Click **Next**. -![Object Recovery Wizard - Domain Controller page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) +![Object Recovery Wizard - Domain Controller page](/img/product_docs/activitymonitor/activitymonitor/install/agent/domaincontroller.webp) **Step 6 –** On the Domain Controller page, select the Domain Controller to run the restoration action. This page consists of two sections: @@ -96,7 +96,7 @@ action. This page consists of two sections: Click **Next**. -![Object Recovery Wizard - Alternate Credentials page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/alternatecredentials.webp) +![Object Recovery Wizard - Alternate Credentials page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/alternatecredentials.webp) **Step 7 –** The account preforming the operation must have Domain Admin privileges to access the domain tree area where the object resides. On the Alternate Credentials page: 
@@ -108,14 +108,14 @@ domain tree area where the object resides. On the Alternate Credentials page: For a Least Privilege Access Model to provision an Active Directory security group with the permissions that are necessary to perform backups, rollbacks and recovery, see the -[Least Privilege Access Model](../requirements/targetdomain.md#least-privilege-access-model) topic. +[Least Privilege Access Model](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md#least-privilege-access-model) topic. -![Object Recovery Wizard - Confirm page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Object Recovery Wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 8 –** On the Confirm page, review the summarized object restore settings. Click **Finish** to start the recovery. -![Recovery Success Status](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/recvoerysuccessful.webp) +![Recovery Success Status](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/recvoerysuccessful.webp) **Step 9 –** The Recovery window displays the action status. Click **Close** to exit. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/rollback.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/rollback.md index 845e14be7c..2e6a2c2bea 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/rollback.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/rsatextension/rollback.md 
@@ -9,10 +9,10 @@ The following prerequisites must be met before you can rollback or recover an ob - You must register the RSAT Extension on the Recovery Application Server to add the Rollback and Restore options to the ADUC console. See the - [Register/Unregister the RSAT Extension](../install/configurationutility.md#registerunregister-the-rsat-extension) + [Register/Unregister the RSAT Extension](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/install/configurationutility.md#registerunregister-the-rsat-extension) topic for additional information. - At least one backup of the domain must be available in the Recovery for Active Directory Console. - See the [Domains Page](../admin/configuration/domain.md) topic for additional information. + See the [Domains Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md) topic for additional information. ## Rollback an Object Using ADUC @@ -24,11 +24,11 @@ organizational units. **Step 1 –** Open ADUC and select one or more objects to rollback. Right-click on the object(s) and select **Rollback** on the menu. -![Rollback selection in ADUC](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/aducrollback.webp) +![Rollback selection in ADUC](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/aducrollback.webp) The Object Rollback wizard opens. -![Object Rollback wizard - Object Backups Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) +![Object Rollback wizard - Object Backups Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/activedirectory/objectbackups.webp) **Step 2 –** On the Object Backups page, select a backup date and then select the object and attribute(s) to rollback. This page consists of two sections: 
@@ -48,7 +48,7 @@ However, only one backup date can be selected in order to select attributes for Click **Next**. -![Object Rollback wizard - Domian Controller Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/domiancontroller.webp) +![Object Rollback wizard - Domian Controller Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/domiancontroller.webp) **Step 3 –** On the Domain Controller page, select the Domain Controller to run the rollback action. This page consists of two sections: @@ -63,7 +63,7 @@ This page consists of two sections: Click **Next**. -![Object Rollback wizard - Alternate Credentials Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/alternatecredentials.webp) +![Object Rollback wizard - Alternate Credentials Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/alternatecredentials.webp) **Step 4 –** The account preforming the operation must have Domain Admin privileges to access the domain tree area where the object resides. On the Alternate Credentials page: 
@@ -75,14 +75,14 @@ domain tree area where the object resides. On the Alternate Credentials page: For a Least Privilege Access Model to provision an Active Directory security group with the permissions that are necessary to perform backups, rollbacks and recovery, see the -[Least Privilege Access Model](../requirements/targetdomain.md#least-privilege-access-model) topic. +[Least Privilege Access Model](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/requirements/targetdomain.md#least-privilege-access-model) topic. -![Object Rollback wizard - Confirm Page](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Object Rollback wizard - Confirm Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 5 –** On the Confirm page, review the object information, changes, and the domain controller selection. Click **Finish** to rollback the object. -![Successful Rollback window](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/rollbacksuccessful.webp) +![Successful Rollback window](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/rsatextension/rollbacksuccessful.webp) **Step 6 –** The Rollback window displays the action status. Click **Close** to exit. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/troubleshooting.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/troubleshooting.md index 34a0421f13..b8abb2cf9c 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/troubleshooting.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/troubleshooting.md 
@@ -13,14 +13,14 @@ Directory components: The RSAT Extension Recovery Diagnostics flow chart helps diagnose issues when the Recycle Bin is missing or empty in Active Directory Users and Computers (ADUC). -![RSAT Extension Recover Diagnostics](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/recoverrsat.webp) +![RSAT Extension Recover Diagnostics](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/recoverrsat.webp) ## RSAT Extension Rollback The RSAT Extension Rollback Diagnostics flow chart helps diagnose issues when the rollback right-click menu option is missing in ADUC. -![RSAT Extension Rollback Diagnostics](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/rollbackrsat.webp) +![RSAT Extension Rollback Diagnostics](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/rollbackrsat.webp) ## RSAT Extension Registration Validation @@ -68,7 +68,7 @@ If the GUID matches the number above, the RSAT Extension is successfully registe The Recovery Application Server Diagnostics flow chart helps diagnose issues when the Netwrix Recovery Server service is not running. -![Application Server Diagnostics](../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/applicationserver.webp) +![Application Server Diagnostics](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/applicationserver.webp) ## Log Files diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/credentialpasswords.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/credentialpasswords.md index 2ed738a29c..196e3e9a3e 100644 
--- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/credentialpasswords.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/credentialpasswords.md @@ -12,19 +12,19 @@ impacted by password changes or security policies: The SQL Server service account grants access to the SQL Server database. It can be updated through the Recovery for Active Directory Configuration Utility. See the -[Update SQL Server Service Account Password](sqlserverserviceaccount.md) topic for additional +[Update SQL Server Service Account Password](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md) topic for additional information. ## Recovry Service Account The Recovery service account is used to run the Recovery Console service and preform the domain backups. It can be updated on the Domains page in the Recovery Console. See the -[Edit Domain Configuration](../../admin/configuration/domain.md#edit-domain-configuration) topic for +[Edit Domain Configuration](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md#edit-domain-configuration) topic for additional information. ## Domain Controller Backup Service Account The backup service account for a domain controller is used to write the backup file of the domain controller to a network share of the destination server. It can be updated on the Forest page in the -Recovery Console. See the [Update Domain Controller Backup Account Password](serverbackupaccount.md) +Recovery Console. See the [Update Domain Controller Backup Account Password](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/serverbackupaccount.md) topic for additional information. 
diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/serverbackupaccount.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/serverbackupaccount.md index 6248907020..c21d4fab20 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/serverbackupaccount.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/serverbackupaccount.md @@ -8,7 +8,7 @@ Follow the steps to update the backup account password for a domain controller. **Step 1 –** Click **Forest** in the left pane to open the Forest page. -![Forest Page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forest.webp) +![Forest Page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/forest.webp) **Step 2 –** On the Forest page, select a forest to view the domain controllers in it. To locate a domain controller in a specific domain, expand the forest in the left pane and select a domain. The 
@@ -17,31 +17,31 @@ adjacent pane displays the domain controllers in that domain. **Step 3 –** Click the **Edit** button for a domain controller, which is available in the far right of the domain controller row. The Server Backup Configuration wizard opens. -![Server Backup Configuration Wizard - Server page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/server.webp) +![Server Backup Configuration Wizard - Server page](/img/product_docs/accessanalyzer/admin/settings/server.webp) **Step 4 –** On the Server page, the fields are populated with the information you provided when configuring the domain controller backup. See the -[Add Backup Configurations for a Domain Controller](../../admin/forest/forest.md#add-backup-configurations-for-a-domain-controller) +[Add Backup Configurations for a Domain Controller](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md#add-backup-configurations-for-a-domain-controller) topic for additional information. Enter the new password in the Password field and click **Next**. The next server backup will take into account the new password. -![Server Backup Configuration wizard - Schedule page](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Server Backup Configuration wizard - Schedule page](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) **Step 5 –** Modify the schedule if needed, then click **Next**. -![Server Backup Configuration wizard - Options page](../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Server Backup Configuration wizard - Options page](/img/product_docs/accessanalyzer/install/application/options.webp) **Step 6 –** Modify the options if needed, then click **Next**. 
-![Server Backup Configuration wizard - Confirm page](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) +![Server Backup Configuration wizard - Confirm page](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/confirm.webp) **Step 7 –** The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click **Complete** to finish the wizard. -![Server Backup Configuration has been Saved](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackupconfiguration.webp) +![Server Backup Configuration has been Saved](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/admin/forest/serverbackupconfiguration.webp) **Step 8 –** Click **OK**. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md index b637dfdc70..553e8701f4 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md +++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/updatepassword/sqlserverserviceaccount.md 
@@ -6,7 +6,7 @@ Follow the steps to update the password for the SQL Server service account. executable at the following location in the Recovery for Active Directory installation directory: `...Netwrix\Recovery for Active Directory\Recovery_Config.exe` -![ Recovery Configuration Utility](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/configurationutility.webp) +![ Recovery Configuration Utility](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/install/configurationutility.webp) **Step 2 –** Update the account password for SQL Server Authentication in the Login and Password fields. @@ -14,13 +14,13 @@ fields. **Step 3 –** Click the **Test** button to validate the connection. On success, the following message is displayed: -![Connection Test Successful](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/updatepassword/connectiontest.webp) +![Connection Test Successful](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/updatepassword/connectiontest.webp) **Step 4 –** Click **OK**. **Step 5 –** Once the connection has been established, click **Save** to update the account. -![Configuration Utility Saved Confirm](../../../../../../static/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/updatepassword/sqlsettings.webp) +![Configuration Utility Saved Confirm](/img/product_docs/recoveryforactivedirectory/recoveryforactivedirectory/troubleshooting/updatepassword/sqlsettings.webp) **Step 6 –** Click **OK**. diff --git a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/usecases.md b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/usecases.md index d5fafcceff..1f7c82df70 100644 --- a/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/usecases.md 
+++ b/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/troubleshooting/usecases.md @@ -15,10 +15,10 @@ object may need to be restored is: Restoring a deleted object can be accomplished through the following interface in the Recovery for Active Directory Console: -- [Active Directory Page](../admin/activedirectory/overview.md) +- [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md) - Locate the desired object in the Recycle Bin. - Recover the object by following the steps in the - [Recover an Object](../admin/activedirectory/recover.md#recover-an-object) topic. + [Recover an Object](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/recover.md#recover-an-object) topic. ## Rollback Changes to an Object @@ -31,10 +31,10 @@ change to an object may need to be rolled back is: Rolling back object changes can be accomplished through the following interface in the Recovery for Active Directory Console: -- [Active Directory Page](../admin/activedirectory/overview.md) +- [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md) - Locate the desired object - Rollback changes to the object by following the steps in the - [Rollback Objects](../admin/activedirectory/rollback.md) topic + [Rollback Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md) topic ## Rollback Attribute Changes 
@@ -49,10 +49,10 @@ are: Rolling back attribute changes can be accomplished through the following interface within the Recovery for Active Directory Console: -- [Active Directory Page](../admin/activedirectory/overview.md) +- [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md) - Locate the desired object - Rollback changes to the object by following the steps in the - [Rollback Objects](../admin/activedirectory/rollback.md) topic + [Rollback Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md) topic > Remember to select the desired attribute for rollback @@ -61,7 +61,7 @@ Recovery for Active Directory Console: Group Policy Objects (GPOs) control many aspects of operations, security, and software deployment. Recovery for Active Directory can rollback GPOs to any state captured within a backup. For this, Group Policy Management Console must be installed on the Recovery for Active Directory server. See -Steps 9 and 10 in the [Add a Domain](../admin/configuration/domain.md#add-a-domain) topic for +Steps 9 and 10 in the [Add a Domain](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/configuration/domain.md#add-a-domain) topic for additional information. An example of when a GPO change may need to be rolled back is: - A GPO change caused users to lose access to a server or application 
@@ -69,15 +69,15 @@ additional information. An example of when a GPO change may need to be rolled ba Rolling back GPO changes can be accomplished through the following interface in the Recovery for Active Directory Console: -- [Active Directory Page](../admin/activedirectory/overview.md) +- [Active Directory Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/overview.md) - Locate the desired object - Rollback changes to the object by following the steps in the - [Rollback Objects](../admin/activedirectory/rollback.md) topic + [Rollback Objects](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/activedirectory/rollback.md) topic ## Domain Controller Backup and Forest Restore from Backup Recovery for Active Directory can backup domain controllers to prevent data loss. The -[Forest Page](../admin/forest/forest.md) allows administrators to configure and manage backups for a +[Forest Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md) allows administrators to configure and manage backups for a domain controller. You can then restore a domain controller backup using the backup file created by Recovery for Active Directory. To restore a forest, you can create a playbook to restore the domain controllers in a desired sequence. Some examples of when a server may need to be backed up or 
@@ -90,7 +90,7 @@ restored are: Server backup and restore can be accomplished through the following interfaces: -- [Forest Page](../admin/forest/forest.md) +- [Forest Page](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/forest.md) - Configure backup settings for domain controllers - Restore one or more domain controllers in a forest by following the steps in the - [Create a Recovery Playbook](../admin/forest/recover.md#create-a-recovery-playbook) topic + [Create a Recovery Playbook](/docs/recoveryforactivedirectory/2.6/recoveryforactivedirectory/admin/forest/recover.md#create-a-recovery-playbook) topic diff --git a/docs/strongpointfornetsuite/api/api_overview.md b/docs/strongpointfornetsuite/api/api_overview.md index aecbdb6ea7..8cc4cf70a6 100644 --- a/docs/strongpointfornetsuite/api/api_overview.md +++ b/docs/strongpointfornetsuite/api/api_overview.md 
@@ -7,25 +7,25 @@ application are able to integrate via these APIs. - **Change Requests** can be created, updated, retrieved and deleted. - **ERD** and **Impact Analysis** tools are available. -- [Customizations API](customizations_api.md) can be retrieved from your NetSuite account and can be +- [Customizations API](/docs/strongpointfornetsuite/api/customizations_api.md) can be retrieved from your NetSuite account and can be added and removed from your Change Requests. Here is the Customization API command: - - [Get Customizations](get_customizations.md): Returns customizations based on your filters. + - [Get Customizations](/docs/strongpointfornetsuite/api/get_customizations.md): Returns customizations based on your filters. -- [Change Request API](change_request_api.md) can be created, updated, retrieved and deleted. The +- [Change Request API](/docs/strongpointfornetsuite/api/change_request_api.md) can be created, updated, retrieved and deleted. The ERD and Impact Analysis tools are available. Here are the Change Request API commands: - - [Get Change Request](get_change_request.md): Returns the change request associated with an + - [Get Change Request](/docs/strongpointfornetsuite/api/get_change_request.md): Returns the change request associated with an External ID. - - [Add/Update Customizations in a Change Request](add_update_change_request.md): adds/updates + - [Add/Update Customizations in a Change Request](/docs/strongpointfornetsuite/api/add_update_change_request.md): adds/updates customization and/or proposed customizations. - - [Delete Customizations in a Change Request](delete_customizations_change_request.md): removes + - [Delete Customizations in a Change Request](/docs/strongpointfornetsuite/api/delete_customizations_change_request.md): removes customizations and/or proposed customizations. - - [Get ERD](get_erd.md): returns ERD URL links for each customization. 
- - [Get Impact Analysis](get_impact_analysis.md): returns the impact analysis data for each + - [Get ERD](/docs/strongpointfornetsuite/api/get_erd.md): returns ERD URL links for each customization. + - [Get Impact Analysis](/docs/strongpointfornetsuite/api/get_impact_analysis.md): returns the impact analysis data for each customization. Customizations are categorized as _Safe to Modify_, _Not Safe to Modify_, and _Inactive_. - - [Push Change Request](push_change_request.md): pushes the external ticket details and creates + - [Push Change Request](/docs/strongpointfornetsuite/api/push_change_request.md): pushes the external ticket details and creates an equivalent change request. ## Postman Links diff --git a/docs/strongpointfornetsuite/api/change_request_api.md b/docs/strongpointfornetsuite/api/change_request_api.md index 63debeed31..ebfdde93a7 100644 --- a/docs/strongpointfornetsuite/api/change_request_api.md +++ b/docs/strongpointfornetsuite/api/change_request_api.md 
@@ -4,17 +4,17 @@ The Change Request API provides external access to retrieve customization from Here are the Change Request API commands: -- [Get Change Request](get_change_request.md): Returns the change request associated with an +- [Get Change Request](/docs/strongpointfornetsuite/api/get_change_request.md): Returns the change request associated with an External ID. -- [Add/Update Customizations in a Change Request](add_update_change_request.md): adds/updates +- [Add/Update Customizations in a Change Request](/docs/strongpointfornetsuite/api/add_update_change_request.md): adds/updates customization and/or proposed customizations. -- [Delete Customizations in a Change Request](delete_customizations_change_request.md): removes +- [Delete Customizations in a Change Request](/docs/strongpointfornetsuite/api/delete_customizations_change_request.md): removes customizations and/or proposed customizations. -- [Get ERD](get_erd.md): returns ERD URL links for each customization. -- [Get Impact Analysis](get_impact_analysis.md): returns the impact analysis data for each +- [Get ERD](/docs/strongpointfornetsuite/api/get_erd.md): returns ERD URL links for each customization. +- [Get Impact Analysis](/docs/strongpointfornetsuite/api/get_impact_analysis.md): returns the impact analysis data for each customization. Customizations are categorized as _Safe to Modify_, _Not Safe to Modify_, and _Inactive_. -- [Push Change Request](push_change_request.md): pushes the external ticket details and creates an +- [Push Change Request](/docs/strongpointfornetsuite/api/push_change_request.md): pushes the external ticket details and creates an equivalent change request. Try the [Change Requests](https://documenter.getpostman.com/view/30883336/2s9YeABubr) API in diff --git a/docs/strongpointfornetsuite/api/customizations_api.md b/docs/strongpointfornetsuite/api/customizations_api.md index 832c900467..8fa73478e6 100644 --- a/docs/strongpointfornetsuite/api/customizations_api.md 
+++ b/docs/strongpointfornetsuite/api/customizations_api.md @@ -4,7 +4,7 @@ The Customizations API provides external access to retrieve customization from Customizations API command: -- [Get Customizations](get_customizations.md) +- [Get Customizations](/docs/strongpointfornetsuite/api/get_customizations.md) Try the [Customizations](https://documenter.getpostman.com/view/30883336/2s9YeABubu) API in Postman. The **Get Customizations** API is published to Postman, where you can try it out and test it. diff --git a/docs/strongpointfornetsuite/bundle_removal/categorizing_customizations.md b/docs/strongpointfornetsuite/bundle_removal/categorizing_customizations.md index 1ab0c560b3..2d6c4636f4 100644 --- a/docs/strongpointfornetsuite/bundle_removal/categorizing_customizations.md +++ b/docs/strongpointfornetsuite/bundle_removal/categorizing_customizations.md @@ -42,13 +42,13 @@ summary criteria for this type of search. `{custrecord_flo_searches.custrecord_flo_cleanup_status}` = 'To Be Cleaned Up' THEN 1 ELSE 0 END | 6. Click **Preview**.This step takes some time.Troubleshooting: - [Saved Search Times Out](../troubleshooting/saved_search_times_out.md) + [Saved Search Times Out](/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md) ## Export and Import the CSV File 1. Export as a CSV file. - ![Export to a CSV file](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/export_csv.webp) + ![Export to a CSV file](/img/product_docs/strongpointfornetsuite/bundle_removal/export_csv.webp) 2. Open the CSV file and delete the **Overall Total row**. 3. **Save** the CSV. 
@@ -109,7 +109,7 @@ summary criteria for this type of search. Sum | CASE WHEN`{custrecord_flo_searches.custrecord_flo_cleanup_status}` = 'To Be Cleaned Up' OR TO_NUMBER(NVL(`{custrecord_flo_searches}`,0)) < 1 THEN 0 ELSE 1 END | 6. Click **Preview**.This step takes some time.Troubleshooting: - [Saved Search Times Out](../troubleshooting/saved_search_times_out.md) + [Saved Search Times Out](/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md) ## Export and Import the CSV File @@ -136,4 +136,4 @@ summary criteria for this type of search. 12. Choose **Save & Run**. **Next Step:** -[](creating_four_mass_updates.md)[Creating Four Mass Updates](creating_four_mass_updates.md) +[](/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md)[Creating Four Mass Updates](/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md) diff --git a/docs/strongpointfornetsuite/bundle_removal/creating_custom_list_and_fields.md b/docs/strongpointfornetsuite/bundle_removal/creating_custom_list_and_fields.md index 908d133a3c..ea97dbdb4e 100644 --- a/docs/strongpointfornetsuite/bundle_removal/creating_custom_list_and_fields.md +++ b/docs/strongpointfornetsuite/bundle_removal/creating_custom_list_and_fields.md @@ -18,7 +18,7 @@ belongs to and six different check boxes, one for each scenario. 5. Outside bundle referencing inside 6. In bundle referenced by outside - ![Create a Custom List](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/customlist.webp) + ![Create a Custom List](/img/product_docs/strongpointfornetsuite/bundle_removal/customlist.webp) ## Create Custom Fields @@ -39,4 +39,4 @@ belongs to and six different check boxes, one for each scenario. 6. Click **Save** -**Next Step:** [Categorizing Customizations](categorizing_customizations.md) +**Next Step:** [Categorizing Customizations](/docs/strongpointfornetsuite/bundle_removal/categorizing_customizations.md) 
diff --git a/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md b/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md index 49072864c0..23f8e77527 100644 --- a/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md +++ b/docs/strongpointfornetsuite/bundle_removal/creating_four_mass_updates.md @@ -82,4 +82,4 @@ This mass update captures all the bundle components referenced by non bundle com 9. Click **Save** **Next Step:** -[](investigating_through_saved_searches.md)[Investigating Through Saved Searches](investigating_through_saved_searches.md) +[](/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md)[Investigating Through Saved Searches](/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md) diff --git a/docs/strongpointfornetsuite/bundle_removal/creating_two_mass_updates.md b/docs/strongpointfornetsuite/bundle_removal/creating_two_mass_updates.md index 17d2dab99b..e4a3e7520e 100644 --- a/docs/strongpointfornetsuite/bundle_removal/creating_two_mass_updates.md +++ b/docs/strongpointfornetsuite/bundle_removal/creating_two_mass_updates.md @@ -11,7 +11,7 @@ To create the first mass update: 2. Open **General Updates** > **Custom Records** > **Customization**. 3. Check **Use Expressions** on the **Criteria** tab. - ![Select Use Expressions](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/bundle_removal_use_expressions.webp) + ![Select Use Expressions](/img/product_docs/strongpointfornetsuite/bundle_removal/bundle_removal_use_expressions.webp) 4. Add the following filters on the **Criteria** tab: | | Parens | Filter | Description | Parens | And/Or | | --- | --- | --- | --- | --- | --- | | Filter 1 | | Inactive | Is false | | and | | 
@@ -19,13 +19,13 @@ To create the first mass update: You can remove more than one bundle at a time. -![Mass Update Filters](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/mass_update_filters.webp) +![Mass Update Filters](/img/product_docs/strongpointfornetsuite/bundle_removal/mass_update_filters.webp) 1. Open the **Mass Update Fields** tab. 2. Scroll down and check the box for **Clean Up Status**. 3. Enter the **Clean Up Status**: **To Be Cleaned Up**. - ![Set Clean Up Status](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/clean_up_status.webp) + ![Set Clean Up Status](/img/product_docs/strongpointfornetsuite/bundle_removal/clean_up_status.webp) 4. Click **Save**. @@ -46,11 +46,11 @@ Customization to **To Be Investigated**. It identifies everything needing invest Status | Is To Be Cleaned Up | | or | | Filter 8 | | Searches/Mass Updates: Clean-Up Status | Is To Be Cleaned Up | ) | | -![Adding filters](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/mass_update_filters2.webp) +![Adding filters](/img/product_docs/strongpointfornetsuite/bundle_removal/mass_update_filters2.webp) 5. Open the **Mass Update Fields** tab. 6. Scroll down and check the box for **Clean Up Status** 7. Enter the **Clean Up Status**: **Under Investigation** 8. Click **Save** -**Next Step:** [Creating a Custom List and Fields](creating_custom_list_and_fields.md) +**Next Step:** [Creating a Custom List and Fields](/docs/strongpointfornetsuite/bundle_removal/creating_custom_list_and_fields.md) diff --git a/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md b/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md index fb26ef15e8..0c6b7833a8 100644 --- a/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md +++ b/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md 
@@ -27,4 +27,4 @@ To find the relationships that only exist within the bundle: 3. This shows you the bundle components that are being used so you are aware of what will be removed when the bundle is gone. These are the records that need to be replicated. -**Next Step:** [](final_tasks.md)[Final Tasks](final_tasks.md) +**Next Step:** [](/docs/strongpointfornetsuite/bundle_removal/final_tasks.md)[Final Tasks](/docs/strongpointfornetsuite/bundle_removal/final_tasks.md) diff --git a/docs/strongpointfornetsuite/bundle_removal/final_tasks.md b/docs/strongpointfornetsuite/bundle_removal/final_tasks.md index 395981854b..d5fb28af49 100644 --- a/docs/strongpointfornetsuite/bundle_removal/final_tasks.md +++ b/docs/strongpointfornetsuite/bundle_removal/final_tasks.md @@ -16,7 +16,7 @@ broken. Testing should occur in the sandbox environment first. Retest functionality after the bundle removal to ensure everything is working as expected. As part of the testing, run the -[Comparing Environments](../change_management/comparing_environments.md) tool to see all the +[Comparing Environments](/docs/strongpointfornetsuite/change_management/comparing_environments.md) tool to see all the differences after the bundle removal (sandbox vs. production). It helps you determine what needs to be moved to the production environment. diff --git a/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md b/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md index 53118cb631..0591176397 100644 --- a/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md +++ b/docs/strongpointfornetsuite/bundle_removal/investigating_through_saved_searches.md 
@@ -9,7 +9,7 @@ Included in the results columns of these saved searches, you will find the follo - **Name**: to identify the customization. - **ScriptID**: to locate the customization. - **Type**: to know more about the customization. -- **Date Last Used ([DLU](../clean_up/date_last_used.md))**: to know the last time the customization +- **Date Last Used ([DLU](/docs/strongpointfornetsuite/clean_up/date_last_used.md))**: to know the last time the customization was used. The columns show the existing relationships for the customizations that use: @@ -21,7 +21,7 @@ The columns show the existing relationships for the customizations that use: - Data Sources - Forms - List - ![Results columns of Saved Searches](../../../static/img/product_docs/strongpointfornetsuite/bundle_removal/results_saved_searches.webp) + ![Results columns of Saved Searches](/img/product_docs/strongpointfornetsuite/bundle_removal/results_saved_searches.webp) **Next Step:** -[](exporting_information_to_excel.md)[Exporting Information to Excel](exporting_information_to_excel.md) +[](/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md)[Exporting Information to Excel](/docs/strongpointfornetsuite/bundle_removal/exporting_information_to_excel.md) diff --git a/docs/strongpointfornetsuite/change_management/approving_change_request.md b/docs/strongpointfornetsuite/change_management/approving_change_request.md index da5f2851b1..6174653835 100644 --- a/docs/strongpointfornetsuite/change_management/approving_change_request.md +++ b/docs/strongpointfornetsuite/change_management/approving_change_request.md 
@@ -2,12 +2,12 @@ Approvers are populated from the Change/Approval Policy for the Change Request. Approval notifications are sent when the Change Request owner advances the status to **Pending Approval**. -Approvers must be [licensed](../installing_strongpoint/license_manager.md) Platform Governance for +Approvers must be [licensed](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) Platform Governance for NetSuite users and have the correct -[role permissions](../installing_strongpoint/setting_permissions.md) if they are using a custom +[role permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) if they are using a custom (non-Strongpoint) role. -![change_request_approving_change_request](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_approving_change_request.webp) +![change_request_approving_change_request](/img/product_docs/strongpointfornetsuite/change_management/change_request_approving_change_request.webp) 1. Approver receives an email with a link to the Change Request. 2. When the Change Request opens, **Approve** and **Reject** buttons are available at the top of the @@ -21,7 +21,7 @@ NetSuite users and have the correct there are errors or omissions. 3. Change Request owner - [Completes and Validates the Change Request](completing_validating_change_request.md). + [Completes and Validates the Change Request](/docs/strongpointfornetsuite/change_management/completing_validating_change_request.md). Administrators can approve a Change Request. The status is set to **Approved (Override)** and the administrator's name is displayed in the **Approval Override By** field. diff --git a/docs/strongpointfornetsuite/change_management/approving_policy_changes.md b/docs/strongpointfornetsuite/change_management/approving_policy_changes.md index a9b430148d..ab0ebfc160 100644 --- a/docs/strongpointfornetsuite/change_management/approving_policy_changes.md 
+++ b/docs/strongpointfornetsuite/change_management/approving_policy_changes.md @@ -1,7 +1,7 @@ # Approving Policy Changes 1. Open **Strongpoint** > **Change Management Tools** > **Policy Change Approval (Beta) - ![policy_approval_new](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_approval_new.webp)** + ![policy_approval_new](/img/product_docs/strongpointfornetsuite/change_management/policy_approval_new.webp)** 2. Enter information into the required **Name**, **Change Overview** and **Policies** fields. **Change Type** is preset to **Policy Change Approval**. 3. Click **In Progress** on the status bar. @@ -10,11 +10,11 @@ themselves as an additional approver and set the Approval Status to Approved to immediately approve the request. The status bar shows **Approved (Override)**. - ![change_request_bar_approved_override](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) + ![change_request_bar_approved_override](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) 6. Click **Pending Approval** to begin the normal approval process. Approvers must be - [licensed](../installing_strongpoint/license_manager.md) Platform Governance for NetSuite users - and have the correct [role permissions](../installing_strongpoint/setting_permissions.md) if they + [licensed](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) Platform Governance for NetSuite users + and have the correct [role permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) if they are using a custom (non-Strongpoint) role. 7. Approvers can use the link in the email notification to **Approve** or **Reject** the Policy Change. 
diff --git a/docs/strongpointfornetsuite/change_management/change_and_approval_policy.md b/docs/strongpointfornetsuite/change_management/change_and_approval_policy.md index afa621bf2f..cae12687ab 100644 --- a/docs/strongpointfornetsuite/change_management/change_and_approval_policy.md +++ b/docs/strongpointfornetsuite/change_management/change_and_approval_policy.md @@ -8,7 +8,7 @@ Policies. These Change and Approval Policies define: - Level of approval required - Approvers -The [Setting Up Policies](setting_up_policies.md) topic has details on setting up the Change / +The [Setting Up Policies](/docs/strongpointfornetsuite/change_management/setting_up_policies.md) topic has details on setting up the Change / Approval Policies. When Process Issues or Change Requests are created, the impacted customizations and processes are @@ -36,14 +36,14 @@ Once in place, the policies remind users of the level of change management requi monitors the changes that do occur and raises alerts to IT if there are any change violations. You can create a custom change request form for a Policy Approval. Refer to -[Using Custom Change Request Forms](use_custom_cr_forms.md) for information on implementing your +[Using Custom Change Request Forms](/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md) for information on implementing your custom form. ## Non-Material Changes Non-material changes are changes detected in objects that are not performed by a human and do not have functional impact. You can review these changes on the -[Non-Material Changes report](change_management_reports.md). +[Non-Material Changes report](/docs/strongpointfornetsuite/change_management/change_management_reports.md). Here is the criteria for non-material changes: diff --git a/docs/strongpointfornetsuite/change_management/change_management_overview.md b/docs/strongpointfornetsuite/change_management/change_management_overview.md index 60135829a5..f326a7dd76 100644 
--- a/docs/strongpointfornetsuite/change_management/change_management_overview.md +++ b/docs/strongpointfornetsuite/change_management/change_management_overview.md @@ -48,10 +48,10 @@ They allow for common actions associated with change requests including: The **Advanced Change Management** Module provides additional functionality: - Automatically define the change level required for compliance based on the appropriate - [Change and Approval Policy](change_and_approval_policy.md). + [Change and Approval Policy](/docs/strongpointfornetsuite/change_management/change_and_approval_policy.md). - Identify impacts on other customizations. - Attach and manage test scripts. -- Manage and record Pre and Post-Deployment [Environment Comparisons](comparing_environments.md). +- Manage and record Pre and Post-Deployment [Environment Comparisons](/docs/strongpointfornetsuite/change_management/comparing_environments.md). - Archive fields. - Delete customizations. diff --git a/docs/strongpointfornetsuite/change_management/changing_deactivating_policies.md b/docs/strongpointfornetsuite/change_management/changing_deactivating_policies.md index bb9b5ed697..2d52f9be17 100644 --- a/docs/strongpointfornetsuite/change_management/changing_deactivating_policies.md +++ b/docs/strongpointfornetsuite/change_management/changing_deactivating_policies.md @@ -6,7 +6,7 @@ modifications. You can deactivate or modify policies with an open and approved c This diagram shows the overall process of what happens when you update a policy: -![modifypolicy-cr](../../../static/img/product_docs/strongpointfornetsuite/change_management/modifypolicy-cr.webp) +![modifypolicy-cr](/img/product_docs/strongpointfornetsuite/change_management/modifypolicy-cr.webp) ## Change a Policy 
@@ -35,8 +35,8 @@ To deactivate a policy: - **Change Type**: Policy Change Approval - **Policies**: Select the policy you want to deactivate. -![deactivatepolicy](../../../static/img/product_docs/strongpointfornetsuite/change_management/deactivatepolicy.webp)3. +![deactivatepolicy](/img/product_docs/strongpointfornetsuite/change_management/deactivatepolicy.webp)3. Get the Change Request **Approved**. 4. Click **Save** 5. Check the **Inactive** box. -![inactivebox](../../../static/img/product_docs/strongpointfornetsuite/change_management/inactivebox.webp)6. +![inactivebox](/img/product_docs/strongpointfornetsuite/change_management/inactivebox.webp)6. Click **Save** diff --git a/docs/strongpointfornetsuite/change_management/comparing_environments.md b/docs/strongpointfornetsuite/change_management/comparing_environments.md index c9fa1f5189..315c506ed4 100644 --- a/docs/strongpointfornetsuite/change_management/comparing_environments.md +++ b/docs/strongpointfornetsuite/change_management/comparing_environments.md @@ -17,11 +17,11 @@ Environments and to use the **Change Account** feature on a Change Requests. 1. Open **Strongpoint** > **Change Management Tools** > **Compare Environments** - ![Set up your TBA Credentials](../../../static/img/product_docs/strongpointfornetsuite/change_management/tba_cred_1.webp) + ![Set up your TBA Credentials](/img/product_docs/strongpointfornetsuite/change_management/tba_cred_1.webp) 2. Click New (**+**) beside the **Source** field. - ![TBA Credentials](../../../static/img/product_docs/strongpointfornetsuite/change_management/tba_cred_2.webp) + ![TBA Credentials](/img/product_docs/strongpointfornetsuite/change_management/tba_cred_2.webp) 3. Enter the information for the environment: 
@@ -37,7 +37,7 @@ Environments and to use the **Change Account** feature on a Change Requests. Repeat this process for all environments you use for environment compare or looking up customizations with the **Change Account** feature on a Change Request. Refer to -[Creating a Change Request](creating_change_request.md). +[Creating a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md). ## Run Compare Environments @@ -48,7 +48,7 @@ TBA Credentials** section the first time you use this feature. 1. Open **Strongpoint** > **Change Management Tools** > **Compare Environments** - ![Compare Environments](../../../static/img/product_docs/strongpointfornetsuite/change_management/comp_env.webp) + ![Compare Environments](/img/product_docs/strongpointfornetsuite/change_management/comp_env.webp) 2. Enter the information for the target account and source accounts. Tokens are persistent between your sessions. @@ -173,15 +173,15 @@ In this example, **Cash Register** appears in both environments. On the **Source** tab: -![Source target](../../../static/img/product_docs/strongpointfornetsuite/change_management/comp_env_source.webp) +![Source target](/img/product_docs/strongpointfornetsuite/change_management/comp_env_source.webp) On the **Target** tab: -![compare_accounts_-_target_ss](../../../static/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_target_ss.webp) +![compare_accounts_-_target_ss](/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_target_ss.webp) On the **Diff** tab: -![compare_accounts_-_diff_ss](../../../static/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_diff_ss.webp) +![compare_accounts_-_diff_ss](/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_diff_ss.webp) ### Search Exists in Only One Environment 
@@ -189,4 +189,4 @@ In this example, **Special Scheme Code** body field only exists in the **Target* On the **Diff** tab: -![compare_accounts_-_diff_only_one_ss](../../../static/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_diff_only_one_ss.webp) +![compare_accounts_-_diff_only_one_ss](/img/product_docs/strongpointfornetsuite/change_management/compare_accounts_-_diff_only_one_ss.webp) diff --git a/docs/strongpointfornetsuite/change_management/completing_validating_change_request.md b/docs/strongpointfornetsuite/change_management/completing_validating_change_request.md index 3123a7c621..071ad8a4a1 100644 --- a/docs/strongpointfornetsuite/change_management/completing_validating_change_request.md +++ b/docs/strongpointfornetsuite/change_management/completing_validating_change_request.md 
@@ -8,13 +8,13 @@ Once the changes are complete, validate the Change Request and mark it **Complet 3. Click **Respider Now** to start the change documentation process. 4. Click the **Deployment Validation** tab. - ![deployment_validation](../../../static/img/product_docs/strongpointfornetsuite/change_management/deployment_validation.webp) + ![deployment_validation](/img/product_docs/strongpointfornetsuite/change_management/deployment_validation.webp) 5. Click **Run Compare Tool**. Validate the changes are what you expected. Refer to - [Comparing Environments](comparing_environments.md) for details. + [Comparing Environments](/docs/strongpointfornetsuite/change_management/comparing_environments.md) for details. 6. View the **Open Non-Compliant Changes** or **Compliant Changes** - [Change Management Reports](change_management_reports.md). + [Change Management Reports](/docs/strongpointfornetsuite/change_management/change_management_reports.md). 7. When all changes are validated, click **Complete** on the Change Request status bar to mark it **Completed**. - ![change_request_bar_approved_completed](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) + ![change_request_bar_approved_completed](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) diff --git a/docs/strongpointfornetsuite/change_management/creating_change_request.md b/docs/strongpointfornetsuite/change_management/creating_change_request.md index 200822fccf..fdb3d61e27 100644 --- a/docs/strongpointfornetsuite/change_management/creating_change_request.md +++ b/docs/strongpointfornetsuite/change_management/creating_change_request.md 
@@ -2,8 +2,8 @@ Before making any changes, it is important to understand the scope of the planned change, potential impacts and the level of change required. Documentation is also available if you are using the old -[Change Request](creating_change_request_old_form.md) form. Refer to -[Setting Preferred Forms](../customizations/setting_preferred_forms.md) for information on +[Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request_old_form.md) form. Refer to +[Setting Preferred Forms](/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md) for information on designating your preferred Change Request form. SuiteCloud Development Framework (SDF) users can upload their Sandbox development file directly into @@ -20,7 +20,7 @@ request in your sandbox account. Started_. 2. Enter information in the **Main** and **Scope** sections: - ![change_request_new](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_new.webp) + ![change_request_new](/img/product_docs/strongpointfornetsuite/change_management/change_request_new.webp) - **Name**: Add a name to the change request. - **Stage**: Select the type of change you want to make. @@ -29,7 +29,7 @@ request in your sandbox account. current account or a different account: - Click **Change Account** to log into another account or sandbox and look up customizations. You can use the **Set up TBA Credentials** procedure in - [Comparing Environments](comparing_environments.md) to save your credentials for each + [Comparing Environments](/docs/strongpointfornetsuite/change_management/comparing_environments.md) to save your credentials for each environment you use. - Enter a **Name** and click **Lookup** to find a customization by all or part of a name. For example, **a** shows everything beginning with **A**. 
@@ -71,7 +71,7 @@ request in your sandbox account. automatic ReSpidering is turned off, there is a risk of changes being marked as non-compliant if the change logs are not complete when the user changes the status to **Completed**. The default for the **Do Not ReSpider Automically** is set on the - [Configuration and Stats Change Management](../installing_strongpoint/installation_settings_report.md) + [Configuration and Stats Change Management](/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md) tab. - **Proposed Customizations**: Use this field when you are adding customizations that do not yet exist in your account. You can add multiple Script IDs by separating them with commas. Can be @@ -95,8 +95,8 @@ request in your sandbox account. 4. **Save** the Change Request. New sections and tabs are available once you save: 1. **Push to Jira** button is available if the - [Jira integration](../integrations/jira_integration.md) is available, and - [Allow NS to Push to Jira](../integrations/jira_integration.md) is enabled. When prompted, + [Jira integration](/docs/strongpointfornetsuite/integrations/jira_integration.md) is available, and + [Allow NS to Push to Jira](/docs/strongpointfornetsuite/integrations/jira_integration.md) is enabled. When prompted, select the Jira project and click **Push**. A Jira ticket is created. The ticket number is added to the **Related Change Records** tab as an **External Change Request Number**. The customizations are added to the new Jira ticket. 
@@ -104,7 +104,7 @@ request in your sandbox account. 3. The **Approval** section is visible. Click **Edit to** add **Additional Approvers** or **Approver Notes**. Click **Save** if you make changes. - ![change_request_new_saved](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_new_saved.webp) + ![change_request_new_saved](/img/product_docs/strongpointfornetsuite/change_management/change_request_new_saved.webp) 4. **Impact Analysis** is automatically run. The results are shown on the **Impact Analysis** tab. In addition to all of the direct dependencies, indirect dependencies are also considered @@ -145,12 +145,12 @@ request in your sandbox account. confirmation prompt is displayed. When confirmed, Approval Notifications are sent to the approvers. - ![change_request_new_pendapprove](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_new_pendapprove.webp) + ![change_request_new_pendapprove](/img/product_docs/strongpointfornetsuite/change_management/change_request_new_pendapprove.webp) 6. Approvers approve or reject the Change Request. **Deploy** is available for approved Change Requests. - ![change_request_new_approved](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_new_approved.webp) + ![change_request_new_approved](/img/product_docs/strongpointfornetsuite/change_management/change_request_new_approved.webp) 7. Validate the Change Request. 
@@ -167,13 +167,13 @@ Status is changed to **Cancelled CR**. ## Status Bar States -![change_request_bar_not_started](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_not_started.webp) +![change_request_bar_not_started](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_not_started.webp) New Change Request. Click **In Progress** to advance the status. Impact Analysis is run when the Change Request is Saved. -![change_request_bar_inprogress](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_inprogress.webp) +![change_request_bar_inprogress](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_inprogress.webp) Change Request **In Progress**. @@ -183,7 +183,7 @@ Impact Analysis is run when the Change Request is Saved. When ready for approval, click **Pending Approval**. -![change_request_bar_pending](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_pending.webp) +![change_request_bar_pending](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_pending.webp) Approvers are notified. @@ -193,7 +193,7 @@ Status can be demoted. Status promoted based on Approvers actions. -![change_request_bar_approved](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved.webp) +![change_request_bar_approved](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved.webp) Status when all approvers have approved. 
@@ -201,11 +201,11 @@ Can be returned to a previous status or rejected. **Deploy** button is available. -![change_request_bar_approved_partial](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_partial.webp) +![change_request_bar_approved_partial](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_partial.webp) Status when Change Request is partially approved. Wait for all approvers to finish. -![change_request_bar_approved_override](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) +![change_request_bar_approved_override](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) Status when an administrator has approved in place of a specified approver. @@ -213,7 +213,7 @@ Status when an administrator has approved in place of a specified approver. **Deploy** button is available. -![change_request_bar_approved_completed](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) +![change_request_bar_approved_completed](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) Approved and Completed. @@ -221,7 +221,7 @@ Can be returned to a previous status. **Deploy** button not available. -![change_request_bar_approved_canceled](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_canceled.webp) +![change_request_bar_approved_canceled](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_canceled.webp) Approved and Canceled. 
@@ -229,7 +229,7 @@ Can be returned to a previous status. **Deploy** button not available. -![change_request_bar_rejected](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_rejected.webp) +![change_request_bar_rejected](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_rejected.webp) Rejected and Completed. diff --git a/docs/strongpointfornetsuite/change_management/creating_change_request_from_case.md b/docs/strongpointfornetsuite/change_management/creating_change_request_from_case.md index 2d6df70867..fe485ed84f 100644 --- a/docs/strongpointfornetsuite/change_management/creating_change_request_from_case.md +++ b/docs/strongpointfornetsuite/change_management/creating_change_request_from_case.md @@ -1,7 +1,7 @@ # Creating a Change Request from a Case If -[Enable Case to Change Request Workflow](../installing_strongpoint/installation_settings_report.md) +[Enable Case to Change Request Workflow](/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md) is enabled, you can automatically create a Change Request directly from your Case: 1. Open **Lists** > **Support** > **Cases**. 
@@ -9,9 +9,9 @@ is enabled, you can automatically create a Change Request directly from your Cas 3. Click **Create Change Request**. The Change Request is created, populating the fields specified in the -[Case to Change Request Field Mapping](../installing_strongpoint/installation_settings_report.md) +[Case to Change Request Field Mapping](/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md) set up. The Change Request status is set to **Not Started**. If the **Create Change Request** button is not visible on the Case, the -[Enable Case to Change Request Workflow](../installing_strongpoint/installation_settings_report.md) +[Enable Case to Change Request Workflow](/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md) is not enabled. Contact your system administrator. diff --git a/docs/strongpointfornetsuite/change_management/creating_change_request_old_form.md b/docs/strongpointfornetsuite/change_management/creating_change_request_old_form.md index 7ecc3f7245..f04682ca6a 100644 --- a/docs/strongpointfornetsuite/change_management/creating_change_request_old_form.md +++ b/docs/strongpointfornetsuite/change_management/creating_change_request_old_form.md @@ -1,8 +1,8 @@ # Creating a Change Request with the Old Form These are the steps to create a Change Request using the old form. Refer to -[Creating a Change Request](creating_change_request.md) for the new form. Refer to -[Setting Preferred Forms](../customizations/setting_preferred_forms.md) for information on +[Creating a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for the new form. Refer to +[Setting Preferred Forms](/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md) for information on designating your preferred Change Request form. Before making any changes, it is important to understand the scope of the planned change, potential 
@@ -23,7 +23,7 @@ To do this, in your **production** account: - **Completion Status (optional)**: Add the stage of completion for the change request. - **Parent Change Request (optional)**: link to other change requests. - ![changerequestmain1](../../../static/img/product_docs/strongpointfornetsuite/change_management/changerequestmain1.webp) + ![changerequestmain1](/img/product_docs/strongpointfornetsuite/change_management/changerequestmain1.webp) 3. Fill in the following fields in the **Scope** section of the change request: @@ -38,9 +38,9 @@ To do this, in your **production** account: - **Affected Bundle ID**: If you are using a bundle to move objects from sandbox to production, use this field to add the bundle ID. - ![scope-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/scope-1.webp) + ![scope-1](/img/product_docs/strongpointfornetsuite/change_management/scope-1.webp) - ![scope-3](../../../static/img/product_docs/strongpointfornetsuite/change_management/scope-3.webp) + ![scope-3](/img/product_docs/strongpointfornetsuite/change_management/scope-3.webp) 4. **Save** the Change Request. 5. In the upper right hand corner, see the **Change Control Level Required** and choose either: @@ -55,7 +55,7 @@ To do this, in your **production** account: inactive. You see a list of the customization record(s) that have been included, and warnings for impacted customization record(s) that need to be investigated before you make a change. - ![impactanalysissubtab](../../../static/img/product_docs/strongpointfornetsuite/change_management/impactanalysissubtab.webp) + ![impactanalysissubtab](/img/product_docs/strongpointfornetsuite/change_management/impactanalysissubtab.webp) If you want to see if the change would have an impact in your sandbox, you can also create a change request in your sandbox account. 
diff --git a/docs/strongpointfornetsuite/change_management/example_deploy_script_related_approved_change.md b/docs/strongpointfornetsuite/change_management/example_deploy_script_related_approved_change.md index cec514f199..b8b0059f5e 100644 --- a/docs/strongpointfornetsuite/change_management/example_deploy_script_related_approved_change.md +++ b/docs/strongpointfornetsuite/change_management/example_deploy_script_related_approved_change.md @@ -6,7 +6,7 @@ A developer plans to make changes to a Suitelet, including the Suitelet library 1. Developer creates a Change Request and attaches the Suitelet: - ![opp_clearance_case1-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-1.webp) + ![opp_clearance_case1-1](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-1.webp) 2. IT Approvers approve the change. 3. Developer makes necessary changes to the script. @@ -16,8 +16,8 @@ A developer plans to make changes to a Suitelet, including the Suitelet library 1. The change logs for the Suitelet, the Suitelet library script and deployment are attached to the related script approved Change Request. - ![opp_clearance_case1-2](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-2.webp) + ![opp_clearance_case1-2](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-2.webp) 2. The logs are compliant. - ![opp_clearance_case1-3](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-3.webp) + ![opp_clearance_case1-3](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case1-3.webp) diff --git a/docs/strongpointfornetsuite/change_management/example_field_changes_related_approved_change.md b/docs/strongpointfornetsuite/change_management/example_field_changes_related_approved_change.md index f335ff7100..6a3212c3e7 100644 
--- a/docs/strongpointfornetsuite/change_management/example_field_changes_related_approved_change.md +++ b/docs/strongpointfornetsuite/change_management/example_field_changes_related_approved_change.md @@ -7,7 +7,7 @@ An Administrator needs to create a new record type. 1. Administrator creates a new Change Request to create a Wish List record type, and adds the record type's ScriptID in the **Proposed Customization**. - ![opp_clearance_case2-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-1.webp) + ![opp_clearance_case2-1](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-1.webp) 2. IT Approvers approve the change. 3. Administrator creates the record type. @@ -18,8 +18,8 @@ An Administrator needs to create a new record type. 1. Change Logs of the Wish List Record and all of the fields are related to the approved Change Request. - ![opp_clearance_case2-2](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-2.webp) + ![opp_clearance_case2-2](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-2.webp) 2. The logs are compliant. - ![opp_clearance_case2-3](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-3.webp) + ![opp_clearance_case2-3](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case2-3.webp) diff --git a/docs/strongpointfornetsuite/change_management/example_record_changes_related_approved_change.md b/docs/strongpointfornetsuite/change_management/example_record_changes_related_approved_change.md index 85e413a0a1..3eb39e23fd 100644 --- a/docs/strongpointfornetsuite/change_management/example_record_changes_related_approved_change.md +++ b/docs/strongpointfornetsuite/change_management/example_record_changes_related_approved_change.md 
@@ -7,7 +7,7 @@ Administrator needs to enable custom record field's Show in List option. 1. Administrator creates a new Change Request and adds the field customization to enable the Show in List option. - ![opp_clearance_case3-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case3-1.webp) + ![opp_clearance_case3-1](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case3-1.webp) 2. IT Approvers approve the change. 3. updates the custom field. No script is using the parent record of the field. @@ -17,4 +17,4 @@ Administrator needs to enable custom record field's Show in List option. 1. The parent record on the field is attached to the related field's approved Change Request. 2. The change is compliant. - ![opp_clearance_case3-2](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case3-2.webp) + ![opp_clearance_case3-2](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case3-2.webp) diff --git a/docs/strongpointfornetsuite/change_management/example_search_changes_related_approved_change.md b/docs/strongpointfornetsuite/change_management/example_search_changes_related_approved_change.md index 239a08e47a..b0620f8b06 100644 --- a/docs/strongpointfornetsuite/change_management/example_search_changes_related_approved_change.md +++ b/docs/strongpointfornetsuite/change_management/example_search_changes_related_approved_change.md @@ -8,7 +8,7 @@ An administrator needs to change a workflow and search condition. 2. Administrator only attaches the workflow to the Change Request, forgetting to attach the search condition. - ![opp_clearance_case4-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case4-1.webp). + ![opp_clearance_case4-1](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case4-1.webp). 3. IT Approvers approve the change. 4. Administrator updates the workflow and search filter. 
@@ -17,6 +17,6 @@ An administrator needs to change a workflow and search condition. 1. The Search change is attached to the related workflow's approved Change Request. - ![opp_clearance_case4-2](../../../static/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case4-2.webp) + ![opp_clearance_case4-2](/img/product_docs/strongpointfornetsuite/change_management/opp_clearance_case4-2.webp) 2. The change is compliant. diff --git a/docs/strongpointfornetsuite/change_management/multi_environment_change_management.md b/docs/strongpointfornetsuite/change_management/multi_environment_change_management.md index 1b256ce940..dd03e4f8f9 100644 --- a/docs/strongpointfornetsuite/change_management/multi_environment_change_management.md +++ b/docs/strongpointfornetsuite/change_management/multi_environment_change_management.md @@ -30,7 +30,7 @@ they have an audit trail and approvals can be shown. 9. Set the **Account ID Target** (this is automatically loaded upon selecting Target account). 10. Set the **Account Target Role**. 11. Click **Push**. - ![push_change_request](../../../static/img/product_docs/strongpointfornetsuite/change_management/push_change_request.webp) + ![push_change_request](/img/product_docs/strongpointfornetsuite/change_management/push_change_request.webp) ## Update the Change Request in Testing/Development 
@@ -39,12 +39,12 @@ they have an audit trail and approvals can be shown. - Attach **customizations created/updated**. - ![multi_env_1](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_env_1.webp) + ![multi_env_1](/img/product_docs/strongpointfornetsuite/change_management/multi_env_1.webp) - **Stage**: **Deployment Record** - **Set Approval Status**: **Approved** (this is optional) - ![multi_env_2](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_env_2.webp) + ![multi_env_2](/img/product_docs/strongpointfornetsuite/change_management/multi_env_2.webp) 3. Open the **Sync Tool** tab. 4. **Push** the updated Change Request back into Production. This adds a related deployment record @@ -56,7 +56,7 @@ they have an audit trail and approvals can be shown. 2. Enter the login credentials of the **Target** and **Source** Accounts. 3. Set the **Comparison Type** to **Target Newer than Source**. 4. Click the **Compare** button. - Refer to [Comparing Environments](comparing_environments.md) for more details. + Refer to [Comparing Environments](/docs/strongpointfornetsuite/change_management/comparing_environments.md) for more details. ## Create the Deployment Record @@ -71,7 +71,7 @@ In your Production environment: 4. Open **Change Request** tab. 5. Click **Edit** (deployment record). - ![multi_env_3](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_env_3.webp) + ![multi_env_3](/img/product_docs/strongpointfornetsuite/change_management/multi_env_3.webp) 6. Push the Change Request from Production to Development/Testing. 7. Install any customizations in Development/Testing. 
@@ -82,7 +82,7 @@ In your Production environment: 2. Enter the login credentials of the **Target** and **Source** Accounts. 3. Set the **Comparison Type** to **Target Newer than Source**. 4. Click the **Compare** button. - Refer to [Comparing Environments](comparing_environments.md) for more details. + Refer to [Comparing Environments](/docs/strongpointfornetsuite/change_management/comparing_environments.md) for more details. ## Completing the Process diff --git a/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md b/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md index f2375800f3..e97fe5ee7b 100644 --- a/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md +++ b/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md 
@@ -27,14 +27,14 @@ Deployment or library script changes must meet these rules to be automatically c - Customization is a deployment or library script with one of the following: - Script has an Open Approved Change Request. - Main script has an Open Approved Change Request. -- Change Request **Stage** meets the required [Policy Change Level](setting_up_policies.md). +- Change Request **Stage** meets the required [Policy Change Level](/docs/strongpointfornetsuite/change_management/setting_up_policies.md). If all rules are met, the Change Request is attached to the Change Log and the log is compliant. The **Resolution Description** in the Change Log is set to **Automatically cleared in existing Open Approved CR via related customization [\_**Object Name\* \*\*(**\*ScriptID**_)]\*\*. The \_Object Name_ and _ScriptID_ are inserted from the original Change Request. The deployment or library script does not need to be present in any Open Approved Change Request. -[Example Script Use Case](example_deploy_script_related_approved_change.md) +[Example Script Use Case](/docs/strongpointfornetsuite/change_management/example_deploy_script_related_approved_change.md) ### Field Changes related to an Approved Record Change 
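Review bot: The Resolution Description string in the unchanged paragraph between the two updated links has mangled emphasis escapes (`[\_**Object Name\* \*\*(**\*ScriptID**_)]\*\*`), so the bold and italic markers will not pair up when rendered. Since this hunk already touches the paragraph, consider rewriting the placeholder to follow the pattern the sibling sections in this file use, `[\_**Field Name**\_]`, with the ScriptID marked up the same way.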
@@ -44,13 +44,13 @@ Field changes must meet these rules to be automatically cleared: - Field has an Open Approved Change Request - Field has no script or workflow dependencies and the parent record has an Open Approved Change Request. -- Change Request **Stage** meets the required [Policy Change Level](setting_up_policies.md). +- Change Request **Stage** meets the required [Policy Change Level](/docs/strongpointfornetsuite/change_management/setting_up_policies.md). If all rules are met, the Change Request is attached to the Change Log and the log is compliant. The **Resolution Description** in the Change Log is set to **Automatically cleared in existing Open Approved CR via related customization [\_**Field Name**\_]**. The _Field Name_ is inserted from the original Change Request. The field does not need to be present in any Open Approved Change Request. -[Example Field Change Use Case](example_field_changes_related_approved_change.md) +[Example Field Change Use Case](/docs/strongpointfornetsuite/change_management/example_field_changes_related_approved_change.md) ### Record Changes related to an Approved Field Change 
@@ -60,13 +60,13 @@ Record changes must meet these rules to be automatically cleared: - Record has an Open Approved Change Request - Record has no script **or** workflow dependencies and any field that has the record as a parent has an Open Approved Change Request. -- Change Request **Stage** meets the required [Policy Change Level](setting_up_policies.md). +- Change Request **Stage** meets the required [Policy Change Level](/docs/strongpointfornetsuite/change_management/setting_up_policies.md). If all rules are met, the Change Request is attached to the Change Log and the log is compliant. The **Resolution Description** in the Change Log is set to **Automatically cleared in existing Open Approved CR via related customization [\_**Record Name**\_]**. The _Record Name_ is inserted from the original Change Request. The record does not need to be present in any Open Approved Change -Request. [Example Record Change Use Case](example_record_changes_related_approved_change.md) +Request. [Example Record Change Use Case](/docs/strongpointfornetsuite/change_management/example_record_changes_related_approved_change.md) ### Search Changes related to an Approved Workflow Change 
@@ -76,10 +76,10 @@ Approved Workflow changes must meet these rules to be automatically cleared: - Search is used in a workflow. - Search is not used by any script. - Related Workflow has an Open Approved Change Request. -- Change Request **Stage** meets the required [Policy Change Level](setting_up_policies.md). +- Change Request **Stage** meets the required [Policy Change Level](/docs/strongpointfornetsuite/change_management/setting_up_policies.md). If all rules are met, the Change Request is attached to the Change Log and the log is compliant. The **Resolution Description** in the Change Log is set to **Automatically cleared in existing Open Approved CR via related customization** **[\_**Search Name**\_]**. The _Search Name_ is inserted from the original Change Request.The search does not need to be present in any Open Approved Change -Request.[ Example Search Change Use Case](example_search_changes_related_approved_change.md) +Request.[ Example Search Change Use Case](/docs/strongpointfornetsuite/change_management/example_search_changes_related_approved_change.md) diff --git a/docs/strongpointfornetsuite/change_management/resolving_non_compliant_changes.md b/docs/strongpointfornetsuite/change_management/resolving_non_compliant_changes.md index 7bbe9f1eb2..a1209b9a1d 100644 --- a/docs/strongpointfornetsuite/change_management/resolving_non_compliant_changes.md +++ b/docs/strongpointfornetsuite/change_management/resolving_non_compliant_changes.md 
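Review bot: In the last changed line of the opportunistic_clearance.md hunk at -76,10, the new link is still written as `Request.[ Example Search Change Use Case](...)`, with no space after the period and a stray leading space inside the link text. The context line above it has the same problem (`Change Request.The search`). Since the line is being rewritten, put the link on its own line as the script and field sections do and drop the space inside the brackets.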
@@ -3,18 +3,18 @@ To access the Open Non-Compliant Changes Report: 1. Open **Strongpoint** > **Change Management Reports** > **Open NonCompliant Changes** - The Non-Compliant Changes Report gives you a list of the [Change Logs](using_change_logs.md). You + The Non-Compliant Changes Report gives you a list of the [Change Logs](/docs/strongpointfornetsuite/change_management/using_change_logs.md). You can filter the report or sort by the column heads. - ![Non-Compliant Change Report](../../../static/img/product_docs/strongpointfornetsuite/change_management/noncompliantreport.webp) - ![NonCompliant Flags](../../../static/img/product_docs/strongpointfornetsuite/change_management/noncompliant_flags.webp) + ![Non-Compliant Change Report](/img/product_docs/strongpointfornetsuite/change_management/noncompliantreport.webp) + ![NonCompliant Flags](/img/product_docs/strongpointfornetsuite/change_management/noncompliant_flags.webp) 2. A noncompliant change means something got changed without the required approvals. **View** each change log record to investigate the change, or use the Mass Update procedure. You can retroactively attach a change request to a noncompliant change and get the necessary approvals for the change to be compliant. - 1. Create a New [Change Request](creating_change_request.md) or open an existing one. + 1. Create a New [Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) or open an existing one. 2. Set it to **Pending Approval**. 3. Once it is approved and complete, set the **Status** of the Change Request to **Complete**. 4. **Edit** the Change Log from the report. 
@@ -43,7 +43,7 @@ Update** to resolve all applicable incidents. - **Change Level** is **Change Request** - **Date Created** is [_applicable range_] - ![Set the Title of Action and the Filters](../../../static/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_3.webp) + ![Set the Title of Action and the Filters](/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_3.webp) 6. Open the **Results** tab. 7. Set **Sort By** to **Date Created** @@ -54,7 +54,7 @@ Update** to resolve all applicable incidents. - **Actual Change Date** - **Noncompliance** - ![Select the Soft By and add Fields to Reults tab](../../../static/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_4.webp) + ![Select the Soft By and add Fields to Reults tab](/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_4.webp) 9. Open the **Mass Update Fields** tab. 10. Check these Fields: @@ -62,7 +62,7 @@ Update** to resolve all applicable incidents. - **Resolution Description** and add a meaningful description of the Mass Update for **Value**. - **Status** and select **Closed** for the **Value**. - ![Add the information on the Mass Update Fields tab](../../../static/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_5.webp) + ![Add the information on the Mass Update Fields tab](/img/product_docs/strongpointfornetsuite/change_management/mass_update_filters_5.webp) 11. **Save** the Mass Update. 12. Open **Lists** > **Mass Update** > **Saved Mass Updates** diff --git a/docs/strongpointfornetsuite/change_management/setting_up_multi_stream_approval.md b/docs/strongpointfornetsuite/change_management/setting_up_multi_stream_approval.md index b09e0ca85e..2743fe1bdb 100644 --- a/docs/strongpointfornetsuite/change_management/setting_up_multi_stream_approval.md +++ b/docs/strongpointfornetsuite/change_management/setting_up_multi_stream_approval.md 
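Review bot: The rewritten image line in the -54,7 hunk of resolving_non_compliant_changes.md carries over two typos in its alt text, `Select the Soft By and add Fields to Reults tab`. The steps above it refer to **Sort By** and the **Results** tab, so the alt text should read `Select the Sort By and add Fields to Results tab`.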
@@ -21,13 +21,13 @@ Change Request, where the mandated approvers are included. 4. Ctrl-Click to select one or more **Additional Approvers**. NOTE: Select the additional approvers in the order you want them to approve. - ![multi_stream_new_process](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_process.webp) + ![multi_stream_new_process](/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_process.webp) 5. Click **Save**. Note the approvers are listed in the order selected, not the order they appeared in the list. If you need to reorder the approvers, **Edit** the record, de-select and re-select the additional approvers. - ![multi_stream_new_process_save](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_process_save.webp) + ![multi_stream_new_process_save](/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_process_save.webp) ### Create a new Policy Record 
@@ -39,18 +39,18 @@ Change Request, where the mandated approvers are included. 5. Make sure **Require Affected Process Approval** is selected on the **Process Policies** tab. 6. Click **Save**. Leave the new policy open and continue with the next steps. - ![multi_stream_new_policy](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_policy.webp) + ![multi_stream_new_policy](/img/product_docs/strongpointfornetsuite/change_management/multi_stream_new_policy.webp) ### Attach the new Process Record 1. Set **View** to **Strongpoint View** on the **Process Policies** tab. 2. Select the **Process** you created. For this example, it is **Provision Multi-Stream Approval**. - ![multi_stream_attach](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_stream_attach.webp) + ![multi_stream_attach](/img/product_docs/strongpointfornetsuite/change_management/multi_stream_attach.webp) 3. Click **Attach**. The process is now shown on the **Process Policies** tab. - ![multi_stream_attach_result](../../../static/img/product_docs/strongpointfornetsuite/change_management/multi_stream_attach_result.webp) + ![multi_stream_attach_result](/img/product_docs/strongpointfornetsuite/change_management/multi_stream_attach_result.webp) ### Create a Change Request diff --git a/docs/strongpointfornetsuite/change_management/setting_up_policies.md b/docs/strongpointfornetsuite/change_management/setting_up_policies.md index 1927d7f7b5..3147521619 100644 --- a/docs/strongpointfornetsuite/change_management/setting_up_policies.md +++ b/docs/strongpointfornetsuite/change_management/setting_up_policies.md 
@@ -34,7 +34,7 @@ internal changes.Recommended to leave this unchecked due to the volume of false positives you would need to manage. -![changeandapprovalpolicy1](../../../static/img/product_docs/strongpointfornetsuite/change_management/changeandapprovalpolicy1.webp) +![changeandapprovalpolicy1](/img/product_docs/strongpointfornetsuite/change_management/changeandapprovalpolicy1.webp) ## Set Up a Default Policy @@ -44,7 +44,7 @@ - **Header**: Everything in the Header should remain the same including the name Default. - **Change Controls:** - ![Policy Default Change Controls](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_default_change_controls2.webp) + ![Policy Default Change Controls](/img/product_docs/strongpointfornetsuite/change_management/policy_default_change_controls2.webp) - **Approvals**: Select the policy approvers on the Approvals tab. 
@@ -122,15 +122,15 @@ To add new change levels, select **New** or use the **+** next to a field when e segments, enabled features and preferences. Default: Log Changes Only - **Accounting Lists**: Changes to accounting lists. Default: Log Changes Only - **Custom Segments**: Changes to custom segments. Default: Log Changes Only -- **User Offboarding**: Available when [Enhanced User Provisioning](user_provisioning.md) is +- **User Offboarding**: Available when [Enhanced User Provisioning](/docs/strongpointfornetsuite/change_management/user_provisioning.md) is enabled. -- **User Onboarding**: Available when [Enhanced User Provisioning](user_provisioning.md) is enabled. +- **User Onboarding**: Available when [Enhanced User Provisioning](/docs/strongpointfornetsuite/change_management/user_provisioning.md) is enabled. ## Approvals Approvers initiate the change request and enable it to move to the next stage. -![Policy Approvals tab](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_approvals_tab.webp) +![Policy Approvals tab](/img/product_docs/strongpointfornetsuite/change_management/policy_approvals_tab.webp) Policy Change Approvers @@ -145,7 +145,7 @@ This section is only applies to the default policy. user attempts to change a policy, a notice is displayed. Click **Request Approval**. The form is launched, with your proposed changes populated. - ![Record Save Blocked](../../../static/img/product_docs/strongpointfornetsuite/change_management/record_save_blocked.webp) + ![Record Save Blocked](/img/product_docs/strongpointfornetsuite/change_management/record_save_blocked.webp) ITGC Approvers 
@@ -237,7 +237,7 @@ To set up additional policies: 6. Click **Edit** 7. Open the **Customization Policies** tab. -![policy_add_customizations](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) +![policy_add_customizations](/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) - Check **Require Object Owner Approval** if needed. - Check **Require Impacted Customization Approval** if needed. diff --git a/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md b/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md index 00ba5fac8b..b73b62cb7c 100644 --- a/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md +++ b/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md @@ -7,12 +7,12 @@ Script Deployment Parameters to use your forms. 1. Open **Customization** > **Scripting** > **Scripts** 2. Search for **customdeploy_flo_display_cr** - ![Search for the script](../../../static/img/product_docs/strongpointfornetsuite/change_management/custom_cr1.webp) + ![Search for the script](/img/product_docs/strongpointfornetsuite/change_management/custom_cr1.webp) 3. Click **Menu: customdeploy_flow_display_cr > Edit** 4. Open the **Parameters** tab. 5. Select your custom forms from the drop down lists for each type of Change Request - ![Select your custom forms](../../../static/img/product_docs/strongpointfornetsuite/change_management/custom_cr2.webp) + ![Select your custom forms](/img/product_docs/strongpointfornetsuite/change_management/custom_cr2.webp) 6. Click **Save**. diff --git a/docs/strongpointfornetsuite/change_management/user_provisioning.md b/docs/strongpointfornetsuite/change_management/user_provisioning.md index 0df3048172..c34ca39324 100644 --- a/docs/strongpointfornetsuite/change_management/user_provisioning.md +++ b/docs/strongpointfornetsuite/change_management/user_provisioning.md 
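Review bot: The two steps around the updated images in use_custom_cr_forms.md name the script deployment differently: step 2 searches for `customdeploy_flo_display_cr`, while step 3 clicks `Menu: customdeploy_flow_display_cr > Edit`. Only one of these can match what the user sees in the account. Please confirm the correct script ID and make both steps agree while this section is being edited.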
@@ -17,7 +17,7 @@ Tools** > **ITGC Change Request**. When you view the Change Log, you see **Chan **User Role Assignment Change** instead of **User Onboarding**. You can create a custom change request form for User Provisioning. Refer to -[Using Custom Change Request Forms](use_custom_cr_forms.md) for information on implementing your +[Using Custom Change Request Forms](/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md) for information on implementing your custom form. ## Enable Enhanced User Provisioning @@ -25,7 +25,7 @@ custom form. 1. Open **Strongpoint** > **Strongpoint Support** > **Installation Settings**. 2. Open the **Change Management** tab. - ![Enabling Enhanced User Provisioning](../../../static/img/product_docs/strongpointfornetsuite/change_management/enhanced_user_provisioning.webp) + ![Enabling Enhanced User Provisioning](/img/product_docs/strongpointfornetsuite/change_management/enhanced_user_provisioning.webp) 3. Enable **Enhanced User Provisioning**. 4. Enable the **Auto-Provisioning** and **Auto-Role Removal** options to automatically implement the 
@@ -33,13 +33,13 @@ custom form. 5. When **Enhanced User Provisioning** is enabled, there are new **Access and Setup** controls added to the **Policy Change Controls** tab: **User Offboarding** and **User Onboarding**: - ![New provisioning change controls](../../../static/img/product_docs/strongpointfornetsuite/change_management/provisioning_change_controls.webp) + ![New provisioning change controls](/img/product_docs/strongpointfornetsuite/change_management/provisioning_change_controls.webp) ## Onboarding Users 1. Open **Strongpoint** > **Change Management Tools** > **User Provisioning Change Request**. - ![New User Access Change Request form](../../../static/img/product_docs/strongpointfornetsuite/change_management/user_access_change_request.webp) + ![New User Access Change Request form](/img/product_docs/strongpointfornetsuite/change_management/user_access_change_request.webp) 2. Enter a descriptive **Name** and **Change Overview**. 3. Select **Role Additions** for **Access type**. @@ -54,7 +54,7 @@ request is approved, you need to manually add the roles and update the status. A compliant Change Log is generated: -![A compliant change log is created](../../../static/img/product_docs/strongpointfornetsuite/change_management/provisioning_change_log.webp) +![A compliant change log is created](/img/product_docs/strongpointfornetsuite/change_management/provisioning_change_log.webp) The **Values** tab shows the details of the role changes. 
@@ -68,12 +68,12 @@ The **Values** tab shows the details of the role changes. 5. Enter one or more **Affected Employees**. The **Get Roles for Affected Employees** button is now visible. - ![Provisioning role reductions](../../../static/img/product_docs/strongpointfornetsuite/change_management/provisioning_role_reductions.webp) + ![Provisioning role reductions](/img/product_docs/strongpointfornetsuite/change_management/provisioning_role_reductions.webp) 6. Enter one or more **Affected Roles**. Or, click **Get Roles for Affected Employees** to select from the current roles. - ![Select the roles to remove](../../../static/img/product_docs/strongpointfornetsuite/change_management/provisioning_role_reductions_selector.webp) + ![Select the roles to remove](/img/product_docs/strongpointfornetsuite/change_management/provisioning_role_reductions_selector.webp) 7. Enter an **Offboarding Date** (YYYY-MM-DD) or select a date using the Calendar icon. 8. Enter an **Offboarding Time** (hh:mm am/pm). diff --git a/docs/strongpointfornetsuite/change_management/using_change_logs.md b/docs/strongpointfornetsuite/change_management/using_change_logs.md index 9699ff42b8..3c32fa02cf 100644 --- a/docs/strongpointfornetsuite/change_management/using_change_logs.md +++ b/docs/strongpointfornetsuite/change_management/using_change_logs.md @@ -2,7 +2,7 @@ Change Logs allow you to see the type of change, who made the change and view the system notes of the NetSuite record. Change Logs are accessed from the -[Change Management Reports](change_management_reports.md). +[Change Management Reports](/docs/strongpointfornetsuite/change_management/change_management_reports.md). Once a change request is complete, best practice is to change the status to **Completed**. If there are multiple open change requests referencing the same object, any changes to the object result in 
@@ -13,7 +13,7 @@ To open a Change Log: 1. Open **Strongpoint** > **Change Management Reports** and select a report. 2. Click **View** beside the Change Log to open. -![changelog-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) +![changelog-1](/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) If the **Actual Change Date** is empty or **Change By** is set to **Could Not Be Determined** or **Pending Autospider**, a **Refresh Changed By** button is available. When clicked, it populates @@ -22,7 +22,7 @@ If the **Actual Change Date** is empty or **Change By** is set to **Could Not Be The button is only available for Object types where the **Actual Change Date** and **Change By** fields can be retrieved. -![Refresh Changed By](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_log_refresh.webp) +![Refresh Changed By](/img/product_docs/strongpointfornetsuite/change_management/change_log_refresh.webp) ## Change Log Header @@ -101,7 +101,7 @@ The **Values** tab displays the changes that occurred in the Change Log. **Data Error**: Checked if a data error occurred. -![values_tab](../../../static/img/product_docs/strongpointfornetsuite/change_management/values_tab.webp) +![values_tab](/img/product_docs/strongpointfornetsuite/change_management/values_tab.webp) ## Finding Users Who Have Made Changes 
@@ -132,9 +132,9 @@ In an open Change Log: 1. Click on a linked **Customization** to open the Customization Record. **Strongpoint Return Jira Ticket Info (Suitelet Script)** in this example. - ![Change Log Customization link](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_log_customization_link.webp) + ![Change Log Customization link](/img/product_docs/strongpointfornetsuite/change_management/change_log_customization_link.webp) 2. Click **Go to Record** 3. Open **System Notes** -![systemsnotes](../../../static/img/product_docs/strongpointfornetsuite/change_management/systemsnotes.webp) +![systemsnotes](/img/product_docs/strongpointfornetsuite/change_management/systemsnotes.webp) diff --git a/docs/strongpointfornetsuite/clean_up/archive_fields.md b/docs/strongpointfornetsuite/clean_up/archive_fields.md index 97e26af74c..e0079df40e 100644 --- a/docs/strongpointfornetsuite/clean_up/archive_fields.md +++ b/docs/strongpointfornetsuite/clean_up/archive_fields.md 
@@ -20,10 +20,10 @@ To create a change request: - Cannot Be Safely Deleted or Modified or - Inactive Customizations (Already Deleted) -![archivefields1](../../../static/img/product_docs/strongpointfornetsuite/clean_up/archivefields1.webp)6. +![archivefields1](/img/product_docs/strongpointfornetsuite/clean_up/archivefields1.webp)6. Click on the **Archive Customizations** if you find your customizations under **Cannot Be Safely Deleted or Modified** and under **Warning it says Not Archived** -![archivefields2](../../../static/img/product_docs/strongpointfornetsuite/clean_up/archivefields2.webp)7. +![archivefields2](/img/product_docs/strongpointfornetsuite/clean_up/archivefields2.webp)7. Once your customizations are processed and archived, your customizations are listed under **Can be -Safely Deleted or Modified**. Your [archive folder](set_up_archive_folder.md) has the CSV file you +Safely Deleted or Modified**. Your [archive folder](/docs/strongpointfornetsuite/clean_up/set_up_archive_folder.md) has the CSV file you can download. The file name has the field type and the script ID. diff --git a/docs/strongpointfornetsuite/clean_up/automated_search_cleanup.md b/docs/strongpointfornetsuite/clean_up/automated_search_cleanup.md index 506d45a6b4..9684464f87 100644 --- a/docs/strongpointfornetsuite/clean_up/automated_search_cleanup.md +++ b/docs/strongpointfornetsuite/clean_up/automated_search_cleanup.md @@ -3,7 +3,7 @@ The Automated Search Clean Up feature runs as scheduled, or on demand, using custom rules to find and manage Saved Searches. Accumulated searches contribute to inefficiency in NetSuite accounts. -Review the [Automated Search Clean Up Considerations](automated_search_cleanup_considerations.md) +Review the [Automated Search Clean Up Considerations](/docs/strongpointfornetsuite/clean_up/automated_search_cleanup_considerations.md) prior to using this feature. Saved Searches are powerful customizations used throughout NetSuite and interconnected to other 
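Review bot: In the archive_fields.md hunk at -20,10, both rewritten image lines still end with the next step's number glued on (`...archivefields1.webp)6.` and `...archivefields2.webp)7.`), so steps 6 and 7 will not render as list items. Move `6.` and `7.` to the start of the lines that follow and indent each image under the step it illustrates.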
@@ -48,7 +48,7 @@ the rule criteria. Search Clean Up rules are used for both Automatic and Run Now To create or edit rules, access **Strongpoint**> **Automated Search Clean Up** > **Search Clean Up Rules** -![autocleanup](../../../static/img/product_docs/strongpointfornetsuite/clean_up/autocleanup.webp) +![autocleanup](/img/product_docs/strongpointfornetsuite/clean_up/autocleanup.webp) - **Name** is the assigned name for the **Search Clean Up Rule Record**. - **Rule Owner(s)** is the administrator or owners for the rule record. @@ -70,7 +70,7 @@ Rules** This section is available when **Automatic** is checked. -![autocleanupscheduler](../../../static/img/product_docs/strongpointfornetsuite/clean_up/autocleanupscheduler.webp) +![autocleanupscheduler](/img/product_docs/strongpointfornetsuite/clean_up/autocleanupscheduler.webp) - **Weekly Event**: check and enter the **Repeat** frequency to schedule clean up weekly. - **Monthly Event**: check and enter the **Repeat** frequency to schedule clean up monthly. @@ -138,7 +138,7 @@ included for clean up. The Run Now feature begins an immediate run for the rule. 5. After previewing, you can click **Automatic** on the Search Clean Up Rule to include the rule for automatic searches. -![cleanup_preview](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_preview.webp) +![cleanup_preview](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_preview.webp) ### Run Now @@ -191,7 +191,7 @@ searches**, **retained searches**, **scheduled to be archived searches** and **a - Archive notifications are sent to rule owner and all search owners/users. - Search is added to administrator's Archived Searches list. -![cleanup_tab](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_tab.webp) +![cleanup_tab](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_tab.webp) ## Search Clean Up Status 
@@ -207,11 +207,11 @@ Open **Strongpoint**> **Search Auto Clean Up** > **Search Clean Up Status** to v administrator. **Canceled** - **Automatic** checkbox was turned off for the rule. -![cleanup_status](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_status.webp) +![cleanup_status](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_status.webp) Click **Notification Tracker** on the **Notifications** tab to launch the tracker. -![cleanup_notifications_tab](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_notifications_tab.webp) +![cleanup_notifications_tab](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_notifications_tab.webp) ### Notification Tracker 
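Review bot: The menu path in the section this hunk sits in reads **Strongpoint** > **Search Auto Clean Up** > **Search Clean Up Status**, while the rules section and the Retained Searches step in the same file use **Automated Search Clean Up**. Please confirm which menu name is correct and use it throughout the file. The missing space in `**Strongpoint**>` could be fixed in the same pass.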
@@ -219,25 +219,25 @@ Accesses all of the communications and history for search clean ups. You can lis sent by rule or by the job. Provides traceability between the clean up rules, clean up jobs, and email notifications. -![cleanup_notification_tracker](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_notification_tracker.webp) +![cleanup_notification_tracker](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_notification_tracker.webp) ## Retaining a Search Notification emails contain a link to **Retain this search** for each listed search or **Retain All** to keep all of them. Use the **Preview** link to view each Search. -![cleanup_warning](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_warning.webp) +![cleanup_warning](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_warning.webp) **Retain this search** prevents archiving an individual search. The **Retain Search** form is displayed so you can add the **Reason for Retaining** the search. Click **Save and Exit** when complete. -![Provide a reason to retain an individual search](../../../static/img/product_docs/strongpointfornetsuite/clean_up/clean_up_retain_search.webp) +![Provide a reason to retain an individual search](/img/product_docs/strongpointfornetsuite/clean_up/clean_up_retain_search.webp) **Retain All** opens a page where you can provide the **Reason** to retain each search. Check the Apply box for each search. When finished, click **Retain Search**. -![Retain All dialog to provide retention Reason](../../../static/img/product_docs/strongpointfornetsuite/clean_up/clean_up_retain_all.webp) +![Retain All dialog to provide retention Reason](/img/product_docs/strongpointfornetsuite/clean_up/clean_up_retain_all.webp) The Retain process: 
@@ -270,7 +270,7 @@ owner and administrators. - Updates the **Date Last Used, Retained/Restored** to the current date. - Adds the search to the **Automated Search Clean Up** > **Retained Searches** list. -![cleanup_restore](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanup_restore.webp) +![cleanup_restore](/img/product_docs/strongpointfornetsuite/clean_up/cleanup_restore.webp) ### Limitations to Restoring Auto Archived Searches @@ -296,4 +296,4 @@ restored: - Audit Trail: the restored search is assigned a new Internal ID. The audit trail only contains entries for the new Internal ID. -![Search form](../../../static/img/product_docs/strongpointfornetsuite/clean_up/limitation_restoring_searches.webp) +![Search form](/img/product_docs/strongpointfornetsuite/clean_up/limitation_restoring_searches.webp) diff --git a/docs/strongpointfornetsuite/clean_up/automated_search_cleanup_considerations.md b/docs/strongpointfornetsuite/clean_up/automated_search_cleanup_considerations.md index 3c8b06bd24..5e317c68c7 100644 --- a/docs/strongpointfornetsuite/clean_up/automated_search_cleanup_considerations.md +++ b/docs/strongpointfornetsuite/clean_up/automated_search_cleanup_considerations.md @@ -1,7 +1,7 @@ # Automated Search Clean Up Considerations This list describes some of the special cases encountered when using the -[Automated Search Clean Up](automated_search_cleanup.md) tool +[Automated Search Clean Up](/docs/strongpointfornetsuite/clean_up/automated_search_cleanup.md) tool 1. When an archived search contains **Date** filters, you must have the same date format preference as the Company’s date preference to accurately restore the filter. 
@@ -36,4 +36,4 @@ restored: - Audit Trail: the restored search is assigned a new Internal ID. The audit trail only contains entries for the new Internal ID. -![Search form](../../../static/img/product_docs/strongpointfornetsuite/clean_up/limitation_restoring_searches.webp) +![Search form](/img/product_docs/strongpointfornetsuite/clean_up/limitation_restoring_searches.webp) diff --git a/docs/strongpointfornetsuite/clean_up/cleanup_customizations_no_active_owner.md b/docs/strongpointfornetsuite/clean_up/cleanup_customizations_no_active_owner.md index 840e265cbb..037262cccc 100644 --- a/docs/strongpointfornetsuite/clean_up/cleanup_customizations_no_active_owner.md +++ b/docs/strongpointfornetsuite/clean_up/cleanup_customizations_no_active_owner.md @@ -2,7 +2,7 @@ Ownership of the customizations is important for clean up and accountability in the system. Owners can become inactive if they quit using the system, or if their licenses have been marked -[Inactive](../installing_strongpoint/managing_users.md). The report criteria excludes Customization +[Inactive](/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md). The report criteria excludes Customization types where owner does not apply. 1. Open **Strongpoint** > **Clean Up** > **Inactive Owner** diff --git a/docs/strongpointfornetsuite/clean_up/cleanup_overview.md b/docs/strongpointfornetsuite/clean_up/cleanup_overview.md index 9bd6e91d51..2bda43a4d7 100644 --- a/docs/strongpointfornetsuite/clean_up/cleanup_overview.md +++ b/docs/strongpointfornetsuite/clean_up/cleanup_overview.md 
@@ -56,7 +56,7 @@ used by any other customization, before moving onto other clean up activities. Most of the tools have the following columns. They might be in slightly different orders or omitted based on the type of clean up. -![cleanupfields](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanupfields.webp) +![cleanupfields](/img/product_docs/strongpointfornetsuite/clean_up/cleanupfields.webp) Sample Result: @@ -112,7 +112,7 @@ The statuses are: - **Ignore**: Removes it from the searches. - **Specific tasks**: Fix Script Id and Reassign Owner. -![faq-clean-up-status](../../../static/img/product_docs/strongpointfornetsuite/clean_up/faq-clean-up-status.webp) +![faq-clean-up-status](/img/product_docs/strongpointfornetsuite/clean_up/faq-clean-up-status.webp) You can report on these statuses to organize your work. @@ -126,7 +126,7 @@ the results view, “Create Change Request” creates a new change request. Once customization it will appear under “Related Change Requests”. You can have multiple customizations assigned to multiple change requests as appropriate. -![faq-clean-up-create-change-req](../../../static/img/product_docs/strongpointfornetsuite/clean_up/faq-clean-up-create-change-req.webp) +![faq-clean-up-create-change-req](/img/product_docs/strongpointfornetsuite/clean_up/faq-clean-up-create-change-req.webp) ### Manage the Change or Clean Up as Appropriate @@ -138,7 +138,7 @@ Some of the items being changed, such as the description or owner, can be direct edited like any other NetSuite data directly in a view such as Unused Fields. The Change Request has archiving and deletion tools to help clean up the account, for example, -[deleting unused customizations](cleanup_unused_customizations.md). +[deleting unused customizations](/docs/strongpointfornetsuite/clean_up/cleanup_unused_customizations.md). ### ReSpider 
diff --git a/docs/strongpointfornetsuite/clean_up/cleanup_unused_customizations.md b/docs/strongpointfornetsuite/clean_up/cleanup_unused_customizations.md index 4f4a1f3435..2135e5f80b 100644 --- a/docs/strongpointfornetsuite/clean_up/cleanup_unused_customizations.md +++ b/docs/strongpointfornetsuite/clean_up/cleanup_unused_customizations.md 
@@ -38,21 +38,21 @@ The basic clean up process: 2. Enter filtering information to streamline your search. Searching on all unused customizations can take a long time to load and can time out. - ![Enter criteria prior to searching for unused customizations](../../../static/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_unused_filters.webp) + ![Enter criteria prior to searching for unused customizations](/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_unused_filters.webp) 3. Click **Search**. The results are coded with a flag in the first column and the text either blue (Inactive owner) or black. - ![Cleanup Key](../../../static/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_key.webp) + ![Cleanup Key](/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_key.webp) You can hover over the flag for more information. If the text is blue, **Inactive Owner** is displayed regardless of the flag color. - ![customizations_cleanup_list](../../../static/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_list.webp) + ![customizations_cleanup_list](/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_list.webp) 4. Click **View** next to each Customization to investigate. You can right-click on **View** and select **Open in a new tab or window** to keep your results page available. - ![View the Customization Record](../../../static/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_view_record.webp) + ![View the Customization Record](/img/product_docs/strongpointfornetsuite/clean_up/customizations_cleanup_view_record.webp) 5. Use the **ERD**, **Base Record** and **Related Objects** links to review the dependencies. If you have a **Documentation and Optimization** license: 
@@ -75,7 +75,7 @@ The Impact Analysis is available in the Advanced Change Management Module. This Up** or **Impact Analysis** as a tab at the bottom of the Change Request. It provides specific warnings and status for each customization attached to the Change Request. -![cleanupimpactanalysis](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cleanupimpactanalysis.webp) +![cleanupimpactanalysis](/img/product_docs/strongpointfornetsuite/clean_up/cleanupimpactanalysis.webp) The **Impact Analysis** tab has the following elements: @@ -111,7 +111,7 @@ practices to determine if it is appropriate to delete any of the customizations. Once a Change Request has been approved the **Archive Customizations** button is available. When clicked, any fields in the change request are archived and stored in the **File Cabinet**. -![archive](../../../static/img/product_docs/strongpointfornetsuite/clean_up/archive.webp) +![archive](/img/product_docs/strongpointfornetsuite/clean_up/archive.webp) The status of those fields changes to **Archived**. The customization moves to the **Can Be Safely Deleted or Modified** tab. diff --git a/docs/strongpointfornetsuite/clean_up/date_last_used.md b/docs/strongpointfornetsuite/clean_up/date_last_used.md index 89594d0989..118caac0ff 100644 --- a/docs/strongpointfornetsuite/clean_up/date_last_used.md +++ b/docs/strongpointfornetsuite/clean_up/date_last_used.md 
@@ -57,7 +57,7 @@ Used field. - For scripts the DLU is the last execution date as determined by audit, error or debug logs in server execution log. In order to get accurate data while maximizing performance, Netwrix recommends setting all deployments to AUDIT logging status and setting at least one Audit tag. See - [Script Management](../script_management/script_mgmt_overview.md) for details. + [Script Management](/docs/strongpointfornetsuite/script_management/script_mgmt_overview.md) for details. - Blank DLU for scripts indicates that it has not been used since Platform Governance for NetSuite was installed OR it is set in error mode and has not thrown an error. @@ -82,4 +82,4 @@ Key columns in the search results: yet. The DLU spider can take several days to finish It executes daily on a subset of dates until it reaches 6 months. -![Unused Workflow Customizations Search Results](../../../static/img/product_docs/strongpointfornetsuite/clean_up/unused_workflow_results.webp) +![Unused Workflow Customizations Search Results](/img/product_docs/strongpointfornetsuite/clean_up/unused_workflow_results.webp) diff --git a/docs/strongpointfornetsuite/clean_up/restore_fields.md b/docs/strongpointfornetsuite/clean_up/restore_fields.md index 729889bc39..829ddb239d 100644 --- a/docs/strongpointfornetsuite/clean_up/restore_fields.md +++ b/docs/strongpointfornetsuite/clean_up/restore_fields.md 
@@ -12,12 +12,12 @@ There is not a direct restore tool for fields, however you can get your archived of Accounts. 4. Click **Select** - ![importassistant-2](../../../static/img/product_docs/strongpointfornetsuite/clean_up/importassistant-2.webp) + ![importassistant-2](/img/product_docs/strongpointfornetsuite/clean_up/importassistant-2.webp) 5. Select your CSV archive file. and click **Open** 6. Click **Next** - ![importoptions](../../../static/img/product_docs/strongpointfornetsuite/clean_up/importoptions.webp) + ![importoptions](/img/product_docs/strongpointfornetsuite/clean_up/importoptions.webp) 7. Under **Data Handling**, choose **UPDATE** 8. Click **Next** @@ -26,19 +26,19 @@ There is not a direct restore tool for fields, however you can get your archived 11. Under **Your Fields**, select the column from your CSV archive file that you want to restore and select the relevant NetSuite Field where you want them restored. - ![fieldmapping](../../../static/img/product_docs/strongpointfornetsuite/clean_up/fieldmapping.webp) + ![fieldmapping](/img/product_docs/strongpointfornetsuite/clean_up/fieldmapping.webp) 12. Click **Next** 13. Click **Run** - ![savemapping](../../../static/img/product_docs/strongpointfornetsuite/clean_up/savemapping.webp) + ![savemapping](/img/product_docs/strongpointfornetsuite/clean_up/savemapping.webp) A finished screen appears with a confirmation message and a link to the **Import Job Status**. 14. Click **Import Job Status**. - ![jobstatus](../../../static/img/product_docs/strongpointfornetsuite/clean_up/jobstatus.webp) + ![jobstatus](/img/product_docs/strongpointfornetsuite/clean_up/jobstatus.webp) 15. Click **Refresh** until the import process is completed. - ![jobstatus-1](../../../static/img/product_docs/strongpointfornetsuite/clean_up/jobstatus-1.webp) + ![jobstatus-1](/img/product_docs/strongpointfornetsuite/clean_up/jobstatus-1.webp) 
diff --git a/docs/strongpointfornetsuite/clean_up/set_up_archive_folder.md b/docs/strongpointfornetsuite/clean_up/set_up_archive_folder.md index 57df4269e8..ee7ad5d70c 100644 --- a/docs/strongpointfornetsuite/clean_up/set_up_archive_folder.md +++ b/docs/strongpointfornetsuite/clean_up/set_up_archive_folder.md @@ -16,7 +16,7 @@ process. An archive folder must be created before the Clean Up process. 9. Note the **Internal ID** for your new **Strongpoint Archived Data Files** folder. **48783** in this example. - ![Finding the Internal ID of the Archive Folder](../../../static/img/product_docs/strongpointfornetsuite/clean_up/internal_id.webp) + ![Finding the Internal ID of the Archive Folder](/img/product_docs/strongpointfornetsuite/clean_up/internal_id.webp) ## Assign the Internal ID to the Deployed Script @@ -26,17 +26,17 @@ To assign the internal ID to a deployed script: 2. Change the **Type** Filter to **Scheduled** and **From Bundle** to **294336** 3. Click **View** by the **Strongpoint Auto Archive** -![scripts-1](../../../static/img/product_docs/strongpointfornetsuite/clean_up/scripts-1.webp) +![scripts-1](/img/product_docs/strongpointfornetsuite/clean_up/scripts-1.webp) 4. Open the **Deployments** tab. 5. Click on **Strongpoint Auto Archive – OD**. - ![scripts-2](../../../static/img/product_docs/strongpointfornetsuite/clean_up/scripts-2.webp) + ![scripts-2](/img/product_docs/strongpointfornetsuite/clean_up/scripts-2.webp) 6. Click **Edit** 7. Open the **Parameters** tab, add the internal ID of your **Archive Folder** 8. Click Save - ![scripts-3](../../../static/img/product_docs/strongpointfornetsuite/clean_up/scripts-3.webp) + ![scripts-3](/img/product_docs/strongpointfornetsuite/clean_up/scripts-3.webp) The archiving function on Change Requests is now set up and ready to use. 
diff --git a/docs/strongpointfornetsuite/clean_up/update_field_description_and_help.md b/docs/strongpointfornetsuite/clean_up/update_field_description_and_help.md index 56d0f24fe0..687273cd9d 100644 --- a/docs/strongpointfornetsuite/clean_up/update_field_description_and_help.md +++ b/docs/strongpointfornetsuite/clean_up/update_field_description_and_help.md @@ -1,7 +1,7 @@ # Update Field Description and Help Documentation only changes are always compliant. If -[Opportunistic Clearance](../change_management/opportunistic_clearance.md) is on, this object change +[Opportunistic Clearance](/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md) is on, this object change is reported in the Change Log as **Documentation Change** for the **Change Type** and the **Resolution** set to _Automatically cleared documentation change. Only Help or Description changed_. The Change Log is closed. @@ -10,7 +10,7 @@ changed_. The Change Log is closed. results or check **Description/Help is Empty** to focus the **Field List**. Click on a column heading in the **Field List** to sort the list by the selected column. - ![cust_ui_help_update](../../../static/img/product_docs/strongpointfornetsuite/clean_up/cust_ui_help_update.webp) + ![cust_ui_help_update](/img/product_docs/strongpointfornetsuite/clean_up/cust_ui_help_update.webp) 2. Add or edit **Description** and **Help** text. 3. Click **Update** diff --git a/docs/strongpointfornetsuite/customizations/identify_impacted_objects.md b/docs/strongpointfornetsuite/customizations/identify_impacted_objects.md index 6be87e6090..d717a7a27b 100644 --- a/docs/strongpointfornetsuite/customizations/identify_impacted_objects.md +++ b/docs/strongpointfornetsuite/customizations/identify_impacted_objects.md 
@@ -34,7 +34,7 @@ To access the customization list: 1. Open **Strongpoint**> **Customizations** > **Customization** 2. The recommended view is **Strongpoint Filter** to enable the filters to narrow down your search. -![customization-list](../../../static/img/product_docs/strongpointfornetsuite/customizations/customization-list.webp) +![customization-list](/img/product_docs/strongpointfornetsuite/customizations/customization-list.webp) ## Customization Quick Search @@ -44,7 +44,7 @@ Quick Search** You can search using several factors and submit. When looking up by **Name**, using **Contains** helps if you do not have the exact name. -![custquicksearch](../../../static/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) +![custquicksearch](/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) ## ERD View @@ -67,20 +67,20 @@ name brings up the customization record. 4. Click **Show Record ERD**. - ![erd-view](../../../static/img/product_docs/strongpointfornetsuite/customizations/erd-view.webp) + ![erd-view](/img/product_docs/strongpointfornetsuite/customizations/erd-view.webp) 5. Click on any item to expand the view. For large lists, click **More** to see the additional items. External sources headers are highlighted in green. - ![ERD with an External Source](../../../static/img/product_docs/strongpointfornetsuite/customizations/celigo_erd.webp) + ![ERD with an External Source](/img/product_docs/strongpointfornetsuite/customizations/celigo_erd.webp) 6. Click **Open Record** on any Customization to open the actual record. ## ERD Search Form The ERD search form enables you to search by different record types. You can also use it to create a -Process Issue or a Change Request. Refer to [Enabling the ERD Search](using_erd.md). +Process Issue or a Change Request. Refer to [Enabling the ERD Search](/docs/strongpointfornetsuite/customizations/using_erd.md). From the ERD Search Form, you can search by: 
@@ -90,12 +90,12 @@ From the ERD Search Form, you can search by: - Parent - Quick Add -![erdsearchform-2](../../../static/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-2.webp) +![erdsearchform-2](/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-2.webp) Once you have finished your search, you can create a Process Issue or a Change Request from the results. -![erdsearchform-3](../../../static/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-3.webp) +![erdsearchform-3](/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-3.webp) ## Customization Impact Search @@ -108,7 +108,7 @@ To access a customization quick search: 1. Select **Strongpoint** > **Customizations** > **Customization Impact Search Form**. 2. Enter any criteria to narrow the results as required. -![impactsearchform](../../../static/img/product_docs/strongpointfornetsuite/customizations/impactsearchform.webp) +![impactsearchform](/img/product_docs/strongpointfornetsuite/customizations/impactsearchform.webp) ## Other Customizations diff --git a/docs/strongpointfornetsuite/customizations/integration_record.md b/docs/strongpointfornetsuite/customizations/integration_record.md index 08642fc251..c9eb53172e 100644 --- a/docs/strongpointfornetsuite/customizations/integration_record.md +++ b/docs/strongpointfornetsuite/customizations/integration_record.md 
@@ -13,8 +13,8 @@ name, description, state, and change history. The **Authentication** tab enables you to specify additional authorization for the integration: -![Integration record example](../../../static/img/product_docs/strongpointfornetsuite/customizations/integration_record.webp) +![Integration record example](/img/product_docs/strongpointfornetsuite/customizations/integration_record.webp) When you make changes to this record, a change log is created. Here is an example: -![Access token change log](../../../static/img/product_docs/strongpointfornetsuite/customizations/access_token_change_log.webp) +![Access token change log](/img/product_docs/strongpointfornetsuite/customizations/access_token_change_log.webp) diff --git a/docs/strongpointfornetsuite/customizations/pdf_html_templates.md b/docs/strongpointfornetsuite/customizations/pdf_html_templates.md index eec169b6fd..3cab554d11 100644 --- a/docs/strongpointfornetsuite/customizations/pdf_html_templates.md +++ b/docs/strongpointfornetsuite/customizations/pdf_html_templates.md 
@@ -18,12 +18,12 @@ Open **Customization** > **Forms** > **Advanced PDF / HTML Templates** to creat ## PDF / HTML Customization Referenced by a Script Example -![Example PDF/HTML customization referenced by a script](../../../static/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template.webp) +![Example PDF/HTML customization referenced by a script](/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template.webp) ## Script Customization Referencing a PDF / HTML Template Example -![Example of Script referencing an Advanced PDF/HTML template](../../../static/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template2.webp) +![Example of Script referencing an Advanced PDF/HTML template](/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template2.webp) ## PDF / HTML Customization Record for a Saved Search Example -![Example of an Advanced PDF/HTML Customization Record for a Saved Search](../../../static/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template3.webp) +![Example of an Advanced PDF/HTML Customization Record for a Saved Search](/img/product_docs/strongpointfornetsuite/customizations/pdf-html_template3.webp) diff --git a/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md b/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md index e3f5980568..61ff42e33f 100644 --- a/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md +++ b/docs/strongpointfornetsuite/customizations/setting_preferred_forms.md 
@@ -5,11 +5,11 @@ You can set the preferred form to use for specific tasks. 1. Open **Customization** > **Lists, Records, & Fields** > **Record Types** 2. Select a form from the list. For this example, select **Change Request**. - ![Setting the preferred form.](../../../static/img/product_docs/strongpointfornetsuite/customizations/preferred_form1.webp) + ![Setting the preferred form.](/img/product_docs/strongpointfornetsuite/customizations/preferred_form1.webp) 3. Open the **Forms** tab. - ![Setting the preferred form.](../../../static/img/product_docs/strongpointfornetsuite/customizations/preferred_form2.webp) + ![Setting the preferred form.](/img/product_docs/strongpointfornetsuite/customizations/preferred_form2.webp) 4. Click the **Preferred** radio button to make the new **ITGC** Change Request form the preferred form. diff --git a/docs/strongpointfornetsuite/customizations/understanding_customization_record.md b/docs/strongpointfornetsuite/customizations/understanding_customization_record.md index 4cbfb51ca4..db3121344f 100644 --- a/docs/strongpointfornetsuite/customizations/understanding_customization_record.md +++ b/docs/strongpointfornetsuite/customizations/understanding_customization_record.md @@ -38,7 +38,7 @@ The main section of the Customization Record summarizes the key information for open detailed view. For example, there could be multiple scripts and workflows that depend on this object. Click links to open detailed view as shown. -![cust_ui_related_objects](../../../static/img/product_docs/strongpointfornetsuite/customizations/cust_ui_related_objects.webp) +![cust_ui_related_objects](/img/product_docs/strongpointfornetsuite/customizations/cust_ui_related_objects.webp) ### Buttons 
@@ -54,7 +54,7 @@ The main section of the Customization Record summarizes the key information for The tabs provide detailed information about the customization: - **Detailed Metadata**: Details about the customization including Fields, Values, Bundle / SuiteApp - information, [Date Last Used](../clean_up/date_last_used.md), Last Used Status, and who uses the + information, [Date Last Used](/docs/strongpointfornetsuite/clean_up/date_last_used.md), Last Used Status, and who uses the customization. Information varies depending on the customization type. For example, Workflow customizations include States, Actions, and Workflow Fields not applicable when viewing Field customizations. @@ -70,7 +70,7 @@ The tabs provide detailed information about the customization: This information is available on the Detailed Metadata tab for all customization types. They appear on the -[Managed Bundle/App Updates](../change_management/change_management_reports.md#managed-bundleapp-updates) +[Managed Bundle/App Updates](/docs/strongpointfornetsuite/change_management/change_management_reports.md#managed-bundleapp-updates) report. - _Managed Bundle/SuiteApps_ are pushed to target accounts by a third-party provider. 
@@ -84,12 +84,12 @@ report. #### Detailed Metadata tab -![cust_ui_detailed_metadata](../../../static/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata.webp) +![cust_ui_detailed_metadata](/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata.webp) #### Detailed Metadata tab for Script Customizations -![cust_ui_detailed_metadata_scripts](../../../static/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata_scripts.webp) +![cust_ui_detailed_metadata_scripts](/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata_scripts.webp) #### Detailed Metadata tab with Data Sources Integration -![cust_ui_detailed_metadata_data_sources](../../../static/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata_data_sources.webp) +![cust_ui_detailed_metadata_data_sources](/img/product_docs/strongpointfornetsuite/customizations/cust_ui_detailed_metadata_data_sources.webp) diff --git a/docs/strongpointfornetsuite/customizations/using_erd.md b/docs/strongpointfornetsuite/customizations/using_erd.md index 993fb36621..2c85cc7270 100644 --- a/docs/strongpointfornetsuite/customizations/using_erd.md +++ b/docs/strongpointfornetsuite/customizations/using_erd.md 
@@ -26,13 +26,13 @@ name brings up the customization record. 4. Click **Show Record ERD**. - ![erd-view](../../../static/img/product_docs/strongpointfornetsuite/customizations/erd-view.webp) + ![erd-view](/img/product_docs/strongpointfornetsuite/customizations/erd-view.webp) 5. Click on any item to expand the view. For large lists, click **More** to see the additional items. External sources headers are highlighted in green. - ![ERD with an External Source](../../../static/img/product_docs/strongpointfornetsuite/customizations/celigo_erd.webp) + ![ERD with an External Source](/img/product_docs/strongpointfornetsuite/customizations/celigo_erd.webp) 6. Click **Open Record** on any Customization to open the actual record. @@ -46,7 +46,7 @@ To enable the ERD Search: 4. Under **Custom Content**, select **Strongpoint ERD Search Form** 5. Click **Save** -![erdsearchform-1](../../../static/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-1.webp) +![erdsearchform-1](/img/product_docs/strongpointfornetsuite/customizations/erdsearchform-1.webp) From the ERD Search Form, you can search by: diff --git a/docs/strongpointfornetsuite/financial_controls/agent_clear_incident.md b/docs/strongpointfornetsuite/financial_controls/agent_clear_incident.md index 34423d9142..d43e6e1a9b 100644 --- a/docs/strongpointfornetsuite/financial_controls/agent_clear_incident.md +++ b/docs/strongpointfornetsuite/financial_controls/agent_clear_incident.md @@ -9,7 +9,7 @@ Here is the process to clear/resolve a control incident: 2. Click on the **Customization** to display the incidents. 3. Click **Edit** on the Incident record to clear/resolve. - ![Clearing a Control Incident](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_clear_incident.webp) + ![Clearing a Control Incident](/img/product_docs/strongpointfornetsuite/financial_controls/agent_clear_incident.webp) 4. Add the **Resolution Description**. 5. Set **Status** to **Closed**. 
@@ -25,4 +25,4 @@ Report:: edited. 3. Click in the column to open a text box. -![Clearing an incident with inline editing](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_clear_incident_inline.webp) +![Clearing an incident with inline editing](/img/product_docs/strongpointfornetsuite/financial_controls/agent_clear_incident_inline.webp) diff --git a/docs/strongpointfornetsuite/financial_controls/agent_creating_preapproved_change_request.md b/docs/strongpointfornetsuite/financial_controls/agent_creating_preapproved_change_request.md index 6a0c1a1251..5f10f8f870 100644 --- a/docs/strongpointfornetsuite/financial_controls/agent_creating_preapproved_change_request.md +++ b/docs/strongpointfornetsuite/financial_controls/agent_creating_preapproved_change_request.md @@ -1,14 +1,14 @@ # Creating an Agent Preapproved Change Request You can create a custom change request form for an Agent Preapproved Change Request. Refer to -[Using Custom Change Request Forms](../change_management/use_custom_cr_forms.md) for information on +[Using Custom Change Request Forms](/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md) for information on implementing your custom form. Here are the steps to create a pre-approved change request for a control: 1. Open **Strongpoint** > **Financial Controls** > **New Agent Control Approval** - ![agent_pre_app_not_started](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_pre_app_not_started.webp) + ![agent_pre_app_not_started](/img/product_docs/strongpointfornetsuite/financial_controls/agent_pre_app_not_started.webp) 2. Enter the **Name** and **Overview** for the Control. 3. Set a combination of two or more filters. Using one filter can create a blanket approval or too 
@@ -27,7 +27,7 @@ Here are the steps to create a pre-approved change request for a control: **Approver Notes**. Click **Save**. if you make - changes.![agent_pre_app_approval_section](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_pre_app_approval_section.webp) + changes.![agent_pre_app_approval_section](/img/product_docs/strongpointfornetsuite/financial_controls/agent_pre_app_approval_section.webp) Related Change Record information is added when you save. The results are shown on the **Related Change Records** tab. @@ -49,11 +49,11 @@ Here are the steps to create a pre-approved change request for a control: ### Status Bar States -![change_request_bar_not_started](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_not_started.webp) +![change_request_bar_not_started](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_not_started.webp) New Change Request. Click **In Progress** to advance the status. -![change_request_bar_inprogress](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_inprogress.webp) +![change_request_bar_inprogress](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_inprogress.webp) Change Request **In Progress**. @@ -63,7 +63,7 @@ Approval section is added when the Change Request is saved. When ready for approval, click **Pending Approval**. -![change_request_bar_pending](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_pending.webp) +![change_request_bar_pending](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_pending.webp) Approvers are notified. 
@@ -71,35 +71,35 @@ Status can be demoted. Status promoted based on Approvers actions. -![change_request_bar_approved](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved.webp) +![change_request_bar_approved](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved.webp) Status when all approvers have approved. Can be returned to a previous status or rejected. -![change_request_bar_approved_partial](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_partial.webp) +![change_request_bar_approved_partial](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_partial.webp) Status when Change Request is partially approved. Wait for all approvers to finish. -![change_request_bar_approved_override](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) +![change_request_bar_approved_override](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_override.webp) Status when an administrator has approved in place of a specified approver. **Approval Override by** field displays the approver. -![change_request_bar_approved_completed](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) +![change_request_bar_approved_completed](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_completed.webp) Approved and Completed. Can be returned to a previous status. -![change_request_bar_approved_canceled](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_canceled.webp) +![change_request_bar_approved_canceled](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_approved_canceled.webp) Approved and Canceled. Can be returned to a previous status. 
-![change_request_bar_rejected](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_rejected.webp) +![change_request_bar_rejected](/img/product_docs/strongpointfornetsuite/change_management/change_request_bar_rejected.webp) Rejected and Completed. diff --git a/docs/strongpointfornetsuite/financial_controls/agent_example_set_control.md b/docs/strongpointfornetsuite/financial_controls/agent_example_set_control.md index f561f232c2..ec561db07e 100644 --- a/docs/strongpointfornetsuite/financial_controls/agent_example_set_control.md +++ b/docs/strongpointfornetsuite/financial_controls/agent_example_set_control.md @@ -14,7 +14,7 @@ Here is the process to create a control to monitor changes: 4. Check **Public** 5. Add filters on the **Criteria** tab: - ![Create the Saved Search for the Example](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_example1.webp) + ![Create the Saved Search for the Example](/img/product_docs/strongpointfornetsuite/financial_controls/agent_example1.webp) | Select Filter | What to Set | Resulting Description | Formula To Set | | ----------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------- | ---------------------------------------- | @@ -34,7 +34,7 @@ Here is the process to create a control to monitor changes: 6. Open the **Results** tab. You can Remove all to clear the defaults. Add the following fields: - ![Adding the Results columns](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_example2.webp) + ![Adding the Results columns](/img/product_docs/strongpointfornetsuite/financial_controls/agent_example2.webp) 7. **Save** the search. 8. Note the assigned **ID** for your new Search. For example, **customsearch5673** 
@@ -54,7 +54,7 @@ You can wait until the next AutoSpider run, or manually create the customization - **Type**: Select **Search** - **Script ID**: Enter the **ID** from your Saved Search. For example, **customsearch5673** - ![Create the Customization for the Example](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_example3.webp) + ![Create the Customization for the Example](/img/product_docs/strongpointfornetsuite/financial_controls/agent_example3.webp) 3. **Save** the customization. 4. Click **Respider Now** @@ -88,7 +88,7 @@ From the customization record: 5. **Save** the record. - ![Designating the customization as a control](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_example4.webp) + ![Designating the customization as a control](/img/product_docs/strongpointfornetsuite/financial_controls/agent_example4.webp) The control is triggered as configured and all instances are logged under **Unresolved Control Incidents**, **Resolved Control Incidents** or **Pre-approved Control Incidents**. diff --git a/docs/strongpointfornetsuite/financial_controls/agent_example_unresolved_control_incident.md b/docs/strongpointfornetsuite/financial_controls/agent_example_unresolved_control_incident.md index ee8cae5cc5..b44c06d02c 100644 --- a/docs/strongpointfornetsuite/financial_controls/agent_example_unresolved_control_incident.md +++ b/docs/strongpointfornetsuite/financial_controls/agent_example_unresolved_control_incident.md 
@@ -9,12 +9,12 @@ To view unresolved control incidents: 1. Open **Strongpoint** > **Financial Controls** > **Unresolved Control Incidents** - ![Viewing Unresolved Control Incidents](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_unresolved_example1.webp) + ![Viewing Unresolved Control Incidents](/img/product_docs/strongpointfornetsuite/financial_controls/agent_unresolved_example1.webp) 2. Click View by the record with the **Purchase Limit** and **Purchase Approval Limit** changes to open the Change Log. - ![Open the Change Log](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_unresolved_example2.webp) + ![Open the Change Log](/img/product_docs/strongpointfornetsuite/financial_controls/agent_unresolved_example2.webp) **Change Overview** shows what change was made and who made the change. The **Diff View** on the **Values** tab displays both the old and new values. diff --git a/docs/strongpointfornetsuite/financial_controls/agent_lookback.md b/docs/strongpointfornetsuite/financial_controls/agent_lookback.md index 17130cb898..07215500e5 100644 --- a/docs/strongpointfornetsuite/financial_controls/agent_lookback.md +++ b/docs/strongpointfornetsuite/financial_controls/agent_lookback.md @@ -10,7 +10,7 @@ The Agent Lookback is accessed from the Customization record for the control. 2. **Edit** the control to run. 3. Open the **Controls** tab. - ![New Agent Lookback](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/agent_lookback.webp) + ![New Agent Lookback](/img/product_docs/strongpointfornetsuite/financial_controls/agent_lookback.webp) 4. Set **Control Type** to **Lookback Control** or **Lookback Control with Admin Verification**. 5. Click **Go to Record**. 
@@ -30,7 +30,7 @@ Administrators can initiate and cancel Lookback Runs from the **Controls** tab o record. The control search must have at least one date filter set to be used by the Lookback run. Controls cannot be grouped by run. -![Schedule or initiate a Lookback run.](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run.webp) +![Schedule or initiate a Lookback run.](/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run.webp) - **Run Status** is the status of the last run: @@ -54,11 +54,11 @@ and the Lookback Run date. The **Lookback Run History** tab is available on the **Controls** tab on a Customization record. -![View the Lookback Run history.](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run_history.webp) +![View the Lookback Run history.](/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run_history.webp) ### Lookback Run Incidents You can filter your Control Incidents reports by setting **Log Origin** in the report **Filters**. **Agent Lookback Run** is available as a filter option. -![Filter Incident Results on Lookback Run](../../../static/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run_incidents.webp) +![Filter Incident Results on Lookback Run](/img/product_docs/strongpointfornetsuite/financial_controls/lookback_run_incidents.webp) diff --git a/docs/strongpointfornetsuite/installing_strongpoint/go_live_faq.md b/docs/strongpointfornetsuite/installing_strongpoint/go_live_faq.md index cdc07ce4cf..1570dc6b24 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/go_live_faq.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/go_live_faq.md 
@@ -51,7 +51,7 @@ Customizations can be added to any open Change Request. On the Change Request, c Customization** to launch a window where you can search for customizations, or enter existing customizations in the **Customizations** field. The **Proposed Customizations** are for new customizations that do not exist in any account. Refer to -[Creating a Change Request](../change_management/creating_change_request.md) for details. +[Creating a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for details. ## Search for Customizations @@ -61,7 +61,7 @@ Quick Search** You can search using several factors and submit. When looking up by **Name**, using **Contains** helps if you do not have the exact name. -![custquicksearch](../../../static/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) +![custquicksearch](/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) ## Prototype Customizations @@ -87,7 +87,7 @@ Administrators can perform Approval Overrides on a Change Request. 2. Click **Edit**. 3. Select **Approved** from the **Approval Status** list. - ![Change Status to Approved](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/golive_approval_override.webp) + ![Change Status to Approved](/img/product_docs/strongpointfornetsuite/installing_strongpoint/golive_approval_override.webp) The Status bar is set to **Approved (Override)** and the administrator's name is displayed in the **Approval Override By** field. 
@@ -98,7 +98,7 @@ If the AutoSpider is not run, your Change Logs will be missing the **Changed by* Change Date** fields. When the Change Log is newly created, the fields contain **Pending AutoSpider**. If too many days go by, the fields change to **Could not be determined**. -Refer to [Setting Up the AutoSpider and Alerts](running_the_spider.md) for details. +Refer to [Setting Up the AutoSpider and Alerts](/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md) for details. ## New Script Deployments on Non-Compliant Changes Report @@ -111,7 +111,7 @@ Deployment Record on the Change Request. To properly add and deploy a script: 4. Add the Deployment Record to the Change Request. 5. Deploy the script. -If your site uses [Opportunistic Clearance](../change_management/opportunistic_clearance.md), the +If your site uses [Opportunistic Clearance](/docs/strongpointfornetsuite/change_management/opportunistic_clearance.md), the deployment record is handled automatically. You should make sure you understand all of the ramifications of Opportunistic Clearance prior to enabling it for your account. @@ -134,4 +134,4 @@ No action is required to fix this situation. ## You do not have a Valid License Message If a user sees a License message, you need to grant them a license. Refer to the -[License Manager](license_manager.md) topic. +[License Manager](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) topic. diff --git a/docs/strongpointfornetsuite/installing_strongpoint/installation_overview.md b/docs/strongpointfornetsuite/installing_strongpoint/installation_overview.md index 57e5f04371..1b45ce5418 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/installation_overview.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/installation_overview.md 
@@ -7,16 +7,16 @@ There is a **Next Step** link at the end of each installation topic. The bundle is installed using processor architecture for scheduled scripts. All deployments are set to low priority. -1. [Installing Strongpoint](installing_strongpoint.md) -2. [Running the Spider](running_the_spider.md) -3. [Setting Up AutoSpider and Alerts](setting_up_auto_spider_alerts.md) -4. [Managing Users](managing_users.md) -5. [Setting Access to the Strongpoint Tab](setting_strongpoint_tab_access.md) -6. [Setting Role Permissions](setting_permissions.md) +1. [Installing Strongpoint](/docs/strongpointfornetsuite/installing_strongpoint/installing_strongpoint.md) +2. [Running the Spider](/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md) +3. [Setting Up AutoSpider and Alerts](/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md) +4. [Managing Users](/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md) +5. [Setting Access to the Strongpoint Tab](/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md) +6. [Setting Role Permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) Once your installation is complete, you can review the -[Installation Settings](installation_settings_report.md) report. +[Installation Settings](/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md) report. Optional menu items are hidden by default to keep the menus clean and easy to use. If users do not -see a menu item, they can turn it on through [Menu Management](managing_menus.md), assuming the -feature is included in your [License Type](features_by_license_type.md). 
+see a menu item, they can turn it on through [Menu Management](/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md), assuming the +feature is included in your [License Type](/docs/strongpointfornetsuite/installing_strongpoint/features_by_license_type.md). diff --git a/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md b/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md index 78c0e62af8..84a85c5ef0 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/installation_settings_report.md 
@@ -69,16 +69,16 @@ Accesses change management features: - **Enable Opportunistic Clearance**: enables automatic clearance of qualifying low risk non-compliant changes. Default is off. - **Enable Case to Change Request Workflow**: enables the workflow - [Create Change Request from Case](../change_management/creating_change_request_from_case.md), + [Create Change Request from Case](/docs/strongpointfornetsuite/change_management/creating_change_request_from_case.md), based on the provided mappings. **Change Request Field Mapping** includes an optional Formula to handle complex fields. After the **Enable Case to Change Request Workflow** is enabled, a **Create Change Request** button is available on the **Case** record (**Lists** > **Support** > **Cases**). Here is an example using a **Formula** for the **Case to Change Request Field Mapping**: - ![Example of a Formula in the Case to Change Request Field Mapping](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/casetocrformula.webp) + ![Example of a Formula in the Case to Change Request Field Mapping](/img/product_docs/strongpointfornetsuite/installing_strongpoint/casetocrformula.webp) - **Do Not ReSpider Automatically**: sets the default condition for the **Do Not ReSpider Automatically** setting on the - [ITGC Change Request](../change_management/creating_change_request.md). The default is + [ITGC Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md). The default is unchecked. When enabled, an automatic ReSpider occurs when a Change Request status is changed to **Completed**. This starts the ReSpider and ensures that all change logs are complete prior to 
@@ -86,7 +86,7 @@ Accesses change management features: marked as non-compliant if the change logs are not complete when the user changes the status to **Completed**. - **Enhanced User Provisioning**: enables access management for onboarding/offboarding and access - change using the **[User Access Change Request](../change_management/user_provisioning.md)**. + change using the **[User Access Change Request](/docs/strongpointfornetsuite/change_management/user_provisioning.md)**. - **Enable Auto-Provisioning**: automatically implement the onboarding changes approved though the **User Provisioning Change Request** when **Enhanced User Provisioning** is enabled. - **Enable Auto-Role Removal**: automatically implement the offboarding changes approved though the @@ -101,8 +101,8 @@ Accesses change management features: - **SoD Rule Change** - **CR Email Template**: if you customize your **SoD Exemption Approval** or **SoD Rule Change Approval** CR Templates, add them here so they are not overwritten when the next bundle is - installed. Refer to [Advanced PDF / HTML Templates](../customizations/pdf_html_templates.md). - ![CR Email Template section on the Installation Settings Change Management tab](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/change_management_cr_email_template.webp) + installed. Refer to [Advanced PDF / HTML Templates](/docs/strongpointfornetsuite/customizations/pdf_html_templates.md). + ![CR Email Template section on the Installation Settings Change Management tab](/img/product_docs/strongpointfornetsuite/installing_strongpoint/change_management_cr_email_template.webp) ### Installation 
@@ -140,15 +140,15 @@ the page drop down icon to create a new User Note. ### Jira Integration Specifies the Jira credentials to use when Jira and Platform Governance for NetSuite are integrated. -Refer to [Jira Integration](../integrations/jira_integration.md) for more information. +Refer to [Jira Integration](/docs/strongpointfornetsuite/integrations/jira_integration.md) for more information. ### ServiceNow Integration Specifies the ServiceNow credentials to use when ServiceNow and Platform Governance for NetSuite are -integrated. Refer to [ServiceNow Integration](../integrations/servicenow_integration.md) for more +integrated. Refer to [ServiceNow Integration](/docs/strongpointfornetsuite/integrations/servicenow_integration.md) for more information. ### Menu Management Enables hiding menu items you do not use, to improve navigation. Refer to -[Managing Menus](managing_menus.md) for more information. +[Managing Menus](/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md) for more information. diff --git a/docs/strongpointfornetsuite/installing_strongpoint/installing_strongpoint.md b/docs/strongpointfornetsuite/installing_strongpoint/installing_strongpoint.md index 1daba9aa0a..2ac515f5fb 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/installing_strongpoint.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/installing_strongpoint.md @@ -22,7 +22,7 @@ The Bundle ID has been updated due to NetSuite changes. 3. Enter **294336** in **Keywords** 4. Click **Search** - ![Search for the Strongpoint Bundle](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/searchandinstallbundles.webp) + ![Search for the Strongpoint Bundle](/img/product_docs/strongpointfornetsuite/installing_strongpoint/searchandinstallbundles.webp) 5. Click **Strongpoint** 6. Click **Install** to start the bundle installation. 
@@ -31,14 +31,14 @@ The Bundle ID has been updated due to NetSuite changes. In the **Installed Bundles** list, the **Strongpoint** bundle is marked with a green check in the **Status** column when the bundle is installed. - ![Verify Strongpoint Bundle Installation](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/verify_bundle_install.webp) + ![Verify Strongpoint Bundle Installation](/img/product_docs/strongpointfornetsuite/installing_strongpoint/verify_bundle_install.webp) ## Set the Number of Row in List Segments It is important that you set your NUMBER OF ROWS IN LIST SEGMENTS to 1,000. This is a NetSuite best practice and critical for the proper spidering of your workflows. If you are unable to edit this field, refer to -[Cannot Change the Number of Rows in List Segments](../troubleshooting/list_segments_not_editable) +[Cannot Change the Number of Rows in List Segments](/docs/strongpointfornetsuite/troubleshooting/list_segments_not_editable) To set the Number of Rows in List Segments: diff --git a/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md b/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md index 570e88ac7f..3fb9e945c5 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md 
@@ -12,13 +12,13 @@ If the **Take Web Site Offline for Maintenance** option is changed, you must use 1. Open **Strongpoint** > **Strongpoint Support** > **License Manager** 2. Depending on your account settings, you may have to click **View** to see the account record. - ![Add a New License.](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/license_new.webp) + ![Add a New License.](/img/product_docs/strongpointfornetsuite/installing_strongpoint/license_new.webp) 3. Click **Get Lic. Number** if the **License Number** is blank. If the License Number is not blank, continue with the next step. 4. Click **New Licensed User**. - ![Add a licensed user](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/license_new_user.webp) + ![Add a licensed user](/img/product_docs/strongpointfornetsuite/installing_strongpoint/license_new_user.webp) 5. Select a **User**. 6. Set **License Type** to **Full**. @@ -28,7 +28,7 @@ If the **Take Web Site Offline for Maintenance** option is changed, you must use 1. Open **Strongpoint** > **Strongpoint Support** > **License Manager** 2. Click **Edit** if you need to modify your **Weekly Reports Recipients** or your **License - Number** or click **View** to [Manage Users](managing_users.md). + Number** or click **View** to [Manage Users](/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md). 3. Click **Save** if you make changes. ## License Manager Buttons and Fields 
@@ -43,7 +43,7 @@ Some buttons and fields are only visible when you **Edit** the License. - **Full License Count**: displays the number of **Full** licenses active in your account. - **License Number**: displays your license. - **License Type**: displays your purchased License Type, controlling what - [Features](features_by_license_type.md) you can access. License Types are **Documentation and + [Features](/docs/strongpointfornetsuite/installing_strongpoint/features_by_license_type.md) you can access. License Types are **Documentation and Optimization**, **Intelligent Change Management** and **Enterprise**. - **Edition**: displays your NetSuite Edition. - **Subsidiaries**: displays the number of operating subsidiaries you have in your OneWorld account. diff --git a/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md b/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md index 4bbe1922be..6b57f05320 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md 
@@ -13,9 +13,9 @@ To Hide or Show menu items: 2. Click **Edit** to edit the installation settings. 3. Open the **Menu Management tab**. You only see the categories available for your license type. All of the optional **Menu Items** are hidden by default. - ![Default Setting for Documentation and Optimization Optional Menus](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt.webp) - ![Default Setting for Intellgient Change Management Optional Menus](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt_cm.webp) - ![Default Setting for Enterprise Compliance Optional Menus](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt_ec.webp) + ![Default Setting for Documentation and Optimization Optional Menus](/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt.webp) + ![Default Setting for Intellgient Change Management Optional Menus](/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt_cm.webp) + ![Default Setting for Enterprise Compliance Optional Menus](/img/product_docs/strongpointfornetsuite/installing_strongpoint/menu_mgmt_ec.webp) 4. To **Hide** items: Select an item from the left and click **>** to move it to the right. Use Ctrl-Click or Shift-Click to select multiple items. Use **>>** to move all the items. To **Show** items that have been hidden: Select one or more from the right and click \< to move diff --git a/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md b/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md index f00bf6a4c0..6ed8744804 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md 
@@ -1,6 +1,6 @@ # Managing Users -Users are managed through the **[**License Manager**](license_manager.md)**. +Users are managed through the **[**License Manager**](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md)**. ## Add a User: @@ -29,4 +29,4 @@ Users are managed through the **[**License Manager**](license_manager.md)**. 5. Click to mark the **Inactive** box. 6. Click **Save**. -**Next Step:** [Setting Tab Access](setting_strongpoint_tab_access.md) +**Next Step:** [Setting Tab Access](/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md) diff --git a/docs/strongpointfornetsuite/installing_strongpoint/redeploy_scripts_sandbox.md b/docs/strongpointfornetsuite/installing_strongpoint/redeploy_scripts_sandbox.md index 443cce98d3..bfa429d815 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/redeploy_scripts_sandbox.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/redeploy_scripts_sandbox.md 
@@ -10,14 +10,14 @@ status after a sandbox refresh. 2. Open **Customization** > **Scripting** > **Scripts**. 3. Set the Filter **Type** to **Suitelet** and the **Bundle ID** to **294336**. - ![Find the Suitelet](../../../static/img/product_docs/strongpointfornetsuite/release_notes/scripts.webp) + ![Find the Suitelet](/img/product_docs/strongpointfornetsuite/release_notes/scripts.webp) 4. Click **View** by the **Strongpoint Reset Schedule Deployments** suitelet. 5. Open the **Deployments** tab. - ![Open the Deployment tab](../../../static/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_tab.webp) + ![Open the Deployment tab](/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_tab.webp) 6. Click the Suitelet name: **Strongpoint Reset Schedule Deployments**. 7. Click on the Script **URL**. - ![Click the Script URL](../../../static/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_url.webp) + ![Click the Script URL](/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_url.webp) diff --git a/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md b/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md index 68a8c466d1..e50e3f7d9d 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md @@ -4,7 +4,7 @@ The first time the spider is run the entire account is scanned. Subsequent spide changes since the last run. The **Strongpoint** tab is only available to Administrators unless you specifically add it to other -roles. Refer to [Setting Access and Permissions](setting_strongpoint_tab_access.md) for more +roles. Refer to [Setting Access and Permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md) for more information. You must keep this window open for the spider to complete. Do not change roles or accounts during 
@@ -49,7 +49,7 @@ any issues that arise are captured during the data validation phase. Open **Strongpoint** > **Strongpoint Support** > **Installation Settings** and review the **Spider Status** tab to confirm the **Last Completed Spider** shows a date. -![Review the Spider Status tab of the Installation Settings](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/install_settings_spider_status.webp) +![Review the Spider Status tab of the Installation Settings](/img/product_docs/strongpointfornetsuite/installing_strongpoint/install_settings_spider_status.webp) - **Strongpoint Record Server Side Spider Scheduled Script** is no longer running. - **Strongpoint Search Customization to Make Join (By Join Proc)** should not have any results. If @@ -158,4 +158,4 @@ Spiders that run during off peak hours begin running at the hour set on the scri 5:00 pm based on the company timezone if not set. Negative Spiders are run sequentially. -**Next Step:** [ Setting Up the AutoSpider and Alerts](setting_up_auto_spider_alerts.md) +**Next Step:** [ Setting Up the AutoSpider and Alerts](/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md) diff --git a/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md b/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md index caa6a944af..fb41b4193c 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md 
@@ -5,8 +5,8 @@ Permission List**. This controls access using Roles, Permission Lists and Strong verification to prevent unauthorized users from changing the records. Users with Roles not included in the Permission List for a record type are denied access. -Remember to give your [licensed](license_manager.md) users access to the -[Strongpoint tab](setting_strongpoint_tab_access.md). +Remember to give your [licensed](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) users access to the +[Strongpoint tab](/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md). To use Platform Governance for NetSuite with your custom roles, add the record types to the permission list for each role. The Strongpoint roles have the correct access levels by default. @@ -15,7 +15,7 @@ permission list for each role. The Strongpoint roles have the correct access lev 2. Edit each custom role your targeted Users use for their tasks. 3. Open the **Permissions** tab. - ![Setting Permissions for Custom Roles](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/permissions_tab.webp) + ![Setting Permissions for Custom Roles](/img/product_docs/strongpointfornetsuite/installing_strongpoint/permissions_tab.webp) 4. Open the **Custom Record** tab and add the Record Types and access levels to your custom roles. @@ -32,7 +32,7 @@ Here are the Custom Permissions needed for each role. #### Change Request Approvers -> Assign a [User License](license_manager.md) +> Assign a [User License](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) #### Process Issue @@ -40,7 +40,7 @@ Here are the Custom Permissions needed for each role. #### Manage ITGC -> [Strongpoint License](license_manager.md) + +> [Strongpoint License](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) + > Account Role: **Edit** > Change / Approval Policy: **Full** > Change Log: **Edit** 
@@ -61,7 +61,7 @@ Here are the Custom Permissions needed for each role. On the Custom Role, you must check **Do Not Restrict Employee Fields**. -> [Strongpoint License](license_manager.md) + +> [Strongpoint License](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) + > Account Role: **Edit** > Change / Approval Policy: **Edit** > Change Log: **Edit** @@ -81,13 +81,13 @@ On the Custom Role, you must check **Do Not Restrict Employee Fields**. #### User Access Review (UAR) -> [Strongpoint License](license_manager.md) + +> [Strongpoint License](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) + > Audit Trail: **Full** > Find Transaction: **Full** #### Manage Internal Audit - **View** Only -> [Strongpoint License](license_manager.md) + +> [Strongpoint License](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) + > Account Role: **View** > Change / Approval Policy: **View** > Change Log: **View** diff --git a/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md b/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md index 82e9c6431c..228f930ea1 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md @@ -39,7 +39,7 @@ updates. After you create the copy, you must add all of the appropriate category Leave this window open so you can see all of the categories. This example shows **Engineering** as the new **Center** - ![Saving to Engineering Center.](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/engineeringexample.webp) + ![Saving to Engineering Center.](/img/product_docs/strongpointfornetsuite/installing_strongpoint/engineeringexample.webp) 5. Create the Category links: 
@@ -47,7 +47,7 @@ updates. After you create the copy, you must add all of the appropriate category Click **Edit** by the Label of your first category **(Strongpoint Support** in the example) and your selected **Center Type** (**Engineering** in the example). - ![Select Category for New Center.](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/copy_categories.webp) + ![Select Category for New Center.](/img/product_docs/strongpointfornetsuite/installing_strongpoint/copy_categories.webp) 2. Open **Customization** > **Centers and Tabs** > **Center Categories** in a second new window. @@ -56,7 +56,7 @@ updates. After you create the copy, you must add all of the appropriate category as a guide. A drop down completion list is shown as you type. Click **Add** after each addition. - ![Two category windows open to copy links to your new Center.](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/copy_categories2.webp) + ![Two category windows open to copy links to your new Center.](/img/product_docs/strongpointfornetsuite/installing_strongpoint/copy_categories2.webp) 4. When complete, click **Save** in your new **Center** and **Cancel** in the **Classic Center**. @@ -73,6 +73,6 @@ updates. After you create the copy, you must add all of the appropriate category 4. Assign the audience. This can be role(s) or specific employees. 5. Click **Save** - ![Assigning permissions.](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/engineeringexample2.webp) + ![Assigning permissions.](/img/product_docs/strongpointfornetsuite/installing_strongpoint/engineeringexample2.webp) -**Next Step:** [ Setting Role Permissions](setting_permissions.md) +**Next Step:** [ Setting Role Permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) 
diff --git a/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md b/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md index c1c9fe6dff..b0e35ec88a 100644 --- a/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md +++ b/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md @@ -40,7 +40,7 @@ To add the auto spider portlet: Any objects not captured by the AutoSpider are picked up by the Customizations to ReSpider alert. -![Auto-Spider Portlet](../../../static/img/product_docs/strongpointfornetsuite/installing_strongpoint/auto-spider_portlet.webp) +![Auto-Spider Portlet](/img/product_docs/strongpointfornetsuite/installing_strongpoint/auto-spider_portlet.webp) Stay on your **Home** page until you see **Spider Triggered** to ensure the spider starts. @@ -51,4 +51,4 @@ workflows identify when the Customization Records have not been updated. To ensu your account are updating, set up the Customizations to ReSpider search to provide alerts to the appropriate people in your company. -**Next Step:** [Managing Users](managing_users.md) +**Next Step:** [Managing Users](/docs/strongpointfornetsuite/installing_strongpoint/managing_users.md) diff --git a/docs/strongpointfornetsuite/integrations/integration_mapping.md b/docs/strongpointfornetsuite/integrations/integration_mapping.md index 17dad20cc9..a30f87feee 100644 --- a/docs/strongpointfornetsuite/integrations/integration_mapping.md +++ b/docs/strongpointfornetsuite/integrations/integration_mapping.md 
@@ -37,7 +37,7 @@ NetSuite. The file is uploaded when you run the tool. You can create a file with headings, or download the template with the link on the first page of the Integration Mapping tool. Do not change the specified headings. Here is the template: -![int_map_csv_template](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_csv_template.webp) +![int_map_csv_template](/img/product_docs/strongpointfornetsuite/integrations/int_map_csv_template.webp) - **External Name** is the Object’s **Name** in the external system. - **External Script ID** is the Object’s **Identifier** in the external system. @@ -51,12 +51,12 @@ Do not change the specified headings. Here is the template: ## Step 3: Open Integration Mapping tool The Mapping Tool menu item is hidden by default. If you do not see the option in your menu, refer to -the [Managing Menus](../installing_strongpoint/managing_menus.md) topic for information on making it +the [Managing Menus](/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md) topic for information on making it available. Open **Strongpoint** > **Integrations** > **Mapping Tool** -**![int_mapping_menu](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_mapping_menu.webp)** +**![int_mapping_menu](/img/product_docs/strongpointfornetsuite/integrations/int_mapping_menu.webp)** ## Step 4: Select or Enter the External System 
@@ -64,7 +64,7 @@ Open **Strongpoint** > **Integrations** > **Mapping Tool** name to have the tool automatically create a new External System, for example: _Salesforce_. Strongpoint appends (External System) to the Name. For example, _Salesforce (External System)_. - ![int_map_ext_sys](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_ext_sys.webp) + ![int_map_ext_sys](/img/product_docs/strongpointfornetsuite/integrations/int_map_ext_sys.webp) 2. You can use the link to download the **.csv** template if you have not already created the file. 3. Click **Next** to continue. @@ -73,7 +73,7 @@ Open **Strongpoint** > **Integrations** > **Mapping Tool** 1. Click **Choose File**. - ![int_map_upload_csv](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_upload_csv.webp) + ![int_map_upload_csv](/img/product_docs/strongpointfornetsuite/integrations/int_map_upload_csv.webp) 2. Navigate to the**.csv file** containing your mappings. 3. Click **Next** to continue. 
@@ -83,17 +83,17 @@ Open **Strongpoint** > **Integrations** > **Mapping Tool** 1. Review customization mappings. If you entered a **ScriptID** in your **.csv**, the associated **Link Object** is shown. - ![int_map_map_cust](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_map_cust.webp) + ![int_map_map_cust](/img/product_docs/strongpointfornetsuite/integrations/int_map_map_cust.webp) 2. Click **Search** to open the search form and select or research additional **Link Objects**. - ![int_map_search](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_search.webp) + ![int_map_search](/img/product_docs/strongpointfornetsuite/integrations/int_map_search.webp) 3. Search by all or part of a **Name**, **Type** or all or part of a **ScriptID**. For example, enter _cust_ for **Name** and click **Search** to find all customizations containing the search term: - ![int_map_search_results](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_search_results.webp) + ![int_map_search_results](/img/product_docs/strongpointfornetsuite/integrations/int_map_search_results.webp) - Click in the **Add** column to select one or more objects. - Click **Select**. 
@@ -106,11 +106,11 @@ Open **Strongpoint** > **Integrations** > **Mapping Tool** 1. Check the Summary for any **Import Errors**. - ![int_map_summary](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_map_summary.webp) + ![int_map_summary](/img/product_docs/strongpointfornetsuite/integrations/int_map_summary.webp) 2. Click the linked **Internal ID** to display the ERD for each mapped customization. Here is an example of an expanded ERD showing **Integrations**, **Sources**, and **External Dependent Fields**. Note the **External Dependent Fields** is highlighted with a green header. -![int_mapping_ext_erd](../../../static/img/product_docs/strongpointfornetsuite/integrations/int_mapping_ext_erd.webp) +![int_mapping_ext_erd](/img/product_docs/strongpointfornetsuite/integrations/int_mapping_ext_erd.webp) diff --git a/docs/strongpointfornetsuite/integrations/integrations.md b/docs/strongpointfornetsuite/integrations/integrations.md index f0d6fc266e..fd7c7c866d 100644 --- a/docs/strongpointfornetsuite/integrations/integrations.md +++ b/docs/strongpointfornetsuite/integrations/integrations.md 
@@ -8,13 +8,13 @@ including the impact analysis, release management and change reconciliation feat Integrations with NetSuite include: -- [Jira](jira_integration.md) ticketing System Integration -- [ServiceNow](servicenow_integration.md) ticketing System Integration -- [Zendesk](zendesk_integration.md) ticketing System integration -- Our [Integration API](../api/api_overview.md) enables your developers to support your ticketing +- [Jira](/docs/strongpointfornetsuite/integrations/jira_integration.md) ticketing System Integration +- [ServiceNow](/docs/strongpointfornetsuite/integrations/servicenow_integration.md) ticketing System Integration +- [Zendesk](/docs/strongpointfornetsuite/integrations/zendesk_integration.md) ticketing System integration +- Our [Integration API](/docs/strongpointfornetsuite/api/api_overview.md) enables your developers to support your ticketing systems, making the integration functionality available to everyone. Integrating your systems with your Platform Governance for NetSuite account helps you make the most of your change management and ticketing strategies. -The [Integration Mapping](integration_mapping.md) tool helps you map customizations between your +The [Integration Mapping](/docs/strongpointfornetsuite/integrations/integration_mapping.md) tool helps you map customizations between your External Systems and NetSuite. diff --git a/docs/strongpointfornetsuite/integrations/jira_integration.md b/docs/strongpointfornetsuite/integrations/jira_integration.md index 7c9364de75..65f5017490 100644 --- a/docs/strongpointfornetsuite/integrations/jira_integration.md +++ b/docs/strongpointfornetsuite/integrations/jira_integration.md 
@@ -50,7 +50,7 @@ Review these considerations prior to deploying the Jira integration: ### Jira Process Flow -![Jira Integration Process Flow](../../../static/img/product_docs/strongpointfornetsuite/integrations/strongpointjiraflow.webp) +![Jira Integration Process Flow](/img/product_docs/strongpointfornetsuite/integrations/strongpointjiraflow.webp) ## Set Up the Integration @@ -110,7 +110,7 @@ Refer to the Atlassian documentation for instructions on Change Request, leave this unchecked so you can do your research or testing without generating Change Requests. - ![Jira Integration settings with mapped statues](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) + ![Jira Integration settings with mapped statues](/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) 7. Check **Allow NS to Jira Push** to enable pushing NetSuite change requests into Jira. 8. Click **Save**. @@ -120,7 +120,7 @@ Refer to the Atlassian documentation for instructions on 12. Click the script **Title** to edit it. 13. Open the **Parameters** tab and enter the domain you use to access Jira. - ![Enter your domain on the Parameters tab](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_parameters.webp) + ![Enter your domain on the Parameters tab](/img/product_docs/strongpointfornetsuite/integrations/jira_parameters.webp) 14. Click **Save**. 
@@ -128,11 +128,11 @@ Refer to the Atlassian documentation for instructions on 1. From Jira, open **Settings** > **Apps**. - ![Open Jira Apps settings](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_settings_cloud.webp) + ![Open Jira Apps settings](/img/product_docs/strongpointfornetsuite/integrations/jira_settings_cloud.webp) 2. Search for _Strongpoint for NetSuite_. - ![Jira Search.](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_search.webp) + ![Jira Search.](/img/product_docs/strongpointfornetsuite/integrations/jira_search.webp) 3. Click on the **Strongpoint for NetSuite** tile to open the details and follow the installation prompts. @@ -162,17 +162,17 @@ Token Based Authentication is set up through NetSuite. Here is the basic process 3. Open **Jira**. 4. Open your **Projects** page: - ![Open your Jira Projects page to find Add-ons](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) + ![Open your Jira Projects page to find Add-ons](/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) 5. Expand **Add-ons**. 6. Select **Strongpoint Settings**. - ![Jira Strongpoint Settings](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) + ![Jira Strongpoint Settings](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) 7. Click **New Token Based Authentication** to add your credentials. This needs to be done once for each of your accounts. - ![Add tokens for Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) + ![Add tokens for Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) 8. Enter your credentials and click **Add Token Based Authentication Credential**. 9. When logging into Platform Governance for NetSuite from Jira you can select your credentials. 
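Review bot: The three images in the @@ -162,17 +162,17 @@ hunk (jira_projects_menu, jira_strongpoint_settings, jira_add_token) still resolve under `/img/product_docs/strongpointfornetsuite/release_notes/`, although this is the integrations setup page and its other images sit under `integrations/`. The absolute-path rewrite carries that coupling forward unchanged. Consider moving these assets to `integrations/` in this pass or a follow-up, so the Token Based Authentication steps do not lose their screenshots if the release-notes assets are reorganised.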
@@ -198,4 +198,4 @@ This process is performed by the Jira Administrator. changes in the Jira ticket. 5. Start a Respider to create the Change Log and documents. -**Next Step:** [ Jira Walkthrough Example](jira_walkthrough_example.md) +**Next Step:** [ Jira Walkthrough Example](/docs/strongpointfornetsuite/integrations/jira_walkthrough_example.md) diff --git a/docs/strongpointfornetsuite/integrations/jira_upload_addon_not_showing.md b/docs/strongpointfornetsuite/integrations/jira_upload_addon_not_showing.md index f04f405cae..4acb756796 100644 --- a/docs/strongpointfornetsuite/integrations/jira_upload_addon_not_showing.md +++ b/docs/strongpointfornetsuite/integrations/jira_upload_addon_not_showing.md @@ -9,4 +9,4 @@ To enable development mode: 2. Click **Settings** 3. Click **Enable development mode**. -![Jira Enable Development Mode](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_enable_dev_mode.webp) +![Jira Enable Development Mode](/img/product_docs/strongpointfornetsuite/integrations/jira_enable_dev_mode.webp) diff --git a/docs/strongpointfornetsuite/integrations/jira_walkthrough_example.md b/docs/strongpointfornetsuite/integrations/jira_walkthrough_example.md index 7e090c7787..ed7beb20af 100644 --- a/docs/strongpointfornetsuite/integrations/jira_walkthrough_example.md +++ b/docs/strongpointfornetsuite/integrations/jira_walkthrough_example.md @@ -1,8 +1,8 @@ # Jira Walkthrough Example This walkthrough is one example based on our test account. You must -[install and configure](jira_integration.md) the Jira integration, including setting up the -**[Jira Statuses](jira_integration.md)** prior to using this walkthrough. +[install and configure](/docs/strongpointfornetsuite/integrations/jira_integration.md) the Jira integration, including setting up the +**[Jira Statuses](/docs/strongpointfornetsuite/integrations/jira_integration.md)** prior to using this walkthrough. The walkthrough demonstrates these steps: 
@@ -19,7 +19,7 @@ The walkthrough demonstrates these steps: 2. Open a Project. 3. Click **Create** (**+**). - ![jira_example_create_issue](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_create_issue.webp) + ![jira_example_create_issue](/img/product_docs/strongpointfornetsuite/integrations/jira_example_create_issue.webp) 4. Enter your information on the **Create issue** form: @@ -39,13 +39,13 @@ example, override alert, notifications for approvers, and notification for the c in your account**. 2. Expand **Comments** and select **Strongpoint NetSuite**. - ![jira_example_credentials](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_credentials.webp) + ![jira_example_credentials](/img/product_docs/strongpointfornetsuite/integrations/jira_example_credentials.webp) 3. Select your NetSuite **Account** and enter your **Consumer Key**/**Secret** and **Token - ID**/**Secret**. If your account has an optional _[Integration User](jira_integration.md)_ role, + ID**/**Secret**. If your account has an optional _[Integration User](/docs/strongpointfornetsuite/integrations/jira_integration.md)_ role, enter the Email and Password credentials supplied by your administrator - ![Check Token Based Authentication](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_token_authentication.webp) + ![Check Token Based Authentication](/img/product_docs/strongpointfornetsuite/integrations/jira_token_authentication.webp) 4. Click **Connect**. If the connection is successful, the form is displayed (see Add Customizations section). The **Synchronized with**status displays the account you are logged into for NetSuite. 
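Review bot: In the @@ -39,13 +39,13 @@ hunk the rewritten `[Integration User]` link points at the top of jira_integration.md with no section fragment, the same target that `[install and configure]` and `[Jira Statuses]` use in the intro of this file. This is the step where the reader enters the Consumer Key/Secret and Token ID/Secret, or an email and password, so the link should land on the section that describes the Integration User role; add the fragment while the path is being rewritten. The context lines in the same hunk also end the sentence after "administrator" without a period and run `**Synchronized with**status` together without a space.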
@@ -55,12 +55,12 @@ You cannot login if you do not have the **appropriate role permissions to create If you do not enter the correct email or password, an error is displayed. After six unsuccessful consecutive attempts to login, your account is suspended for 30 minutes. -![jira_example_credentials_error](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_credentials_error.webp) +![jira_example_credentials_error](/img/product_docs/strongpointfornetsuite/integrations/jira_example_credentials_error.webp) ## Add Customizations Once you have logged in, the form is displayed. -![Jira Strongpoint form](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) +![Jira Strongpoint form](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) - **Synchronized with** displays the connected account. Click **Change Account** to switch to a different Account. @@ -68,7 +68,7 @@ Once you have logged in, the form is displayed. Customization with the strictest policy. - **Affected Bundle ID** can be added to the ticket. Enter the ID in the **Add Bundle ID** entry box and click (**+**) to add it. You can delete an Affected Bundle ID with the - ![delete](../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp)icon. + ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp)icon. - **Change Level Required** is **Log Changes Only** until Customizations have been added. If there are multiple change levels, the most stringent one is applied. - Specify the Customizations you are changing or adding. 
@@ -81,9 +81,9 @@ Once you have logged in, the form is displayed. are added to the **Proposed Customizations** list. - **Add Proposed Customization** adds a new customizations are added to the **Proposed Customizations** list. You can delete added Customizations with the - ![delete](../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp)icon. + ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp)icon. - **Push** creates the Change Request in NetSuite. **Push** is also used to manually update your - Change Request if you are not using the [Automatic Synchronization](jira_integration.md) feature. + Change Request if you are not using the [Automatic Synchronization](/docs/strongpointfornetsuite/integrations/jira_integration.md) feature. - **Push External** same as **Push** except you can specify a different Jira account. - **Impact Analysis** and **View ERD** are tools to Perform Risk Assessment. 
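Review bot: In the @@ -81,9 +81,9 @@ hunk the rewritten delete-icon line still runs the image straight into the next word (`delete.webp)icon.`), and the same pattern is on the + line of the @@ -68,7 +68,7 @@ hunk. Add a space before "icon" on both lines while they are being changed. The context line above it, "**Add Proposed Customization** adds a new customizations are added to the", is two sentences spliced together and should be rewritten in the same pass.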
@@ -94,14 +94,14 @@ Once you have logged in, the form is displayed. 3. Click **+** to search for matching Customizations. **View** displays the **Type** and **Script ID** for a Customization. - ![Add a Customization by Name](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_add_name.webp) + ![Add a Customization by Name](/img/product_docs/strongpointfornetsuite/integrations/jira_example_add_name.webp) 4. Select one or more Customizations. For this example, select **New Opportunities Created (Search)**. 5. Click **Add Selected Customizations**. The selected Customization is added to the **Existing Customizations** list. - ![New Opportunities Created (Search) added to Existing Customizations](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_new_opp.webp) + ![New Opportunities Created (Search) added to Existing Customizations](/img/product_docs/strongpointfornetsuite/integrations/jira_example_new_opp.webp) 6. Enter the Script ID **custentity_fmt_cust_credit_on_hold** in **Add Customizations** and click **+**. @@ -119,7 +119,7 @@ In this procedure, we are adding a new Customization. 2. Click (**+**) to add it. If the Script ID is valid, and does not match an existing Script ID, the new Customization is added to the **Proposed Customizations** list. - ![Customization added to Proposed Customization list](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_proposed_customization.webp) + ![Customization added to Proposed Customization list](/img/product_docs/strongpointfornetsuite/integrations/jira_example_proposed_customization.webp) ### Create the Change Request 
@@ -135,7 +135,7 @@ Strongpoint**. 3. Expand the **Change Request** field on the right. The status is now **In Progress**. There is a link to open the Change Request in NetSuite. - ![Change Request set to In Progress](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_in_progress.webp) + ![Change Request set to In Progress](/img/product_docs/strongpointfornetsuite/integrations/jira_example_in_progress.webp) ### Import Customizations from Jira @@ -144,12 +144,12 @@ is an alternative if you have a lot of customizations. 1. Click **Import Customization**. - ![Import customizations from an xml file.](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_import_cust.webp) + ![Import customizations from an xml file.](/img/product_docs/strongpointfornetsuite/integrations/jira_import_cust.webp) 2. Click **Choose File**, navigate to your xml file and click **Open**. 3. Click **Import**. The customizations appear in the **Existing Customizations** list. - ![The customizations appear in the Existing Customizations list.](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_import_cust2.webp) + ![The customizations appear in the Existing Customizations list.](/img/product_docs/strongpointfornetsuite/integrations/jira_import_cust2.webp) ## Perform Risk Assessment @@ -158,7 +158,7 @@ is an alternative if you have a lot of customizations. The impact analysis tool reviews your customizations for dependencies or risks. Click **Impact Analysis** to run the tool. Here is an example report: -![Impact analysis report](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_impact_analysis.webp) +![Impact analysis report](/img/product_docs/strongpointfornetsuite/integrations/jira_example_impact_analysis.webp) Before proceeding with your changes, review each warning to ensure your change does not break something. Dependencies can easily be reviewed with the ERD tool. 
@@ -174,7 +174,7 @@ dependencies. 3. When the diagram opens, you can explore the dependencies to evaluate the effect of your intended changes. - ![Run the ERD to view dependencies](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_erd.webp) + ![Run the ERD to view dependencies](/img/product_docs/strongpointfornetsuite/integrations/jira_example_erd.webp) ## Ready for Development @@ -182,16 +182,16 @@ Once you have resolved any risk or conflicts, your changes are ready for develop 1. Change the Jira status of your ticket to match the status set up for **Jira Statuses for Pending Approval Status**. For example, **Selected for Development**. -2. Click **Push** if you are not using [Automatic Synchronization](jira_integration.md) to push +2. Click **Push** if you are not using [Automatic Synchronization](/docs/strongpointfornetsuite/integrations/jira_integration.md) to push status changes. A confirmation your Change Request was Created/Updated is displayed. 3. Expand the **Change Request** field on the right. The status is now **Pending Approval**. There is a link to open the Change Request in NetSuite. - ![Change Request is set to Pending Approval](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_pending_approval.webp) + ![Change Request is set to Pending Approval](/img/product_docs/strongpointfornetsuite/integrations/jira_example_pending_approval.webp) 4. Click the **Go To Record** link to view the Change Request. - ![Change Request is Pending Approval](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_change_request.webp) + ![Change Request is Pending Approval](/img/product_docs/strongpointfornetsuite/integrations/jira_example_change_request.webp) ## Deploy Changes and Complete the Ticket 
@@ -199,13 +199,13 @@ When development is done, and the Change Request is approved according to your p ticket is ready to be updated. 1. Expand the **Change Request** field on the right. The status is **Approved**. - ![Change Request is now Approved](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_approved.webp) + ![Change Request is now Approved](/img/product_docs/strongpointfornetsuite/integrations/jira_example_approved.webp) 2. Change the Jira status of your ticket to match the status set up for **Jira Statuses for Approved Status**. In our example set up, we have two possible statuses: **Ready for Deployment** and **Done**. Setting up two statuses enables you to split up the deployment and the ticket closure if you want to monitor the deployment task separately. Both statuses are valid for Deployment, but only **Done** closes the Jira ticket and updates the Change Request to **Completed**. -3. Click **Push** if you are not using [Automatic Synchronization](jira_integration.md) to push +3. Click **Push** if you are not using [Automatic Synchronization](/docs/strongpointfornetsuite/integrations/jira_integration.md) to push status changes. A confirmation your Change Request was Created/Updated is displayed. 4. If you used **Ready for Deployment**, update your Jira status to **Done** once your deployment and verification activities are complete. @@ -220,4 +220,4 @@ If you open the Change Request in NetSuite: are populated on the **Related Change Records** tab. - If the Jira status is **Done**, the Change Request shows as **Completed**. - ![The completed change request](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_completed.webp) + ![The completed change request](/img/product_docs/strongpointfornetsuite/integrations/jira_example_completed.webp) 
diff --git a/docs/strongpointfornetsuite/integrations/servicenow_create_ticket.md b/docs/strongpointfornetsuite/integrations/servicenow_create_ticket.md index 21e23e4ec1..f233539274 100644 --- a/docs/strongpointfornetsuite/integrations/servicenow_create_ticket.md +++ b/docs/strongpointfornetsuite/integrations/servicenow_create_ticket.md @@ -1,6 +1,6 @@ # Creating a Ticket and Change Request for ServiceNow -The [ServiceNow integration](servicenow_install_configure_netsuite.md) must be installed and +The [ServiceNow integration](/docs/strongpointfornetsuite/integrations/servicenow_install_configure_netsuite.md) must be installed and configured prior to use. 1. Open **ServiceNow**. 
@@ -8,31 +8,31 @@ configured prior to use. 3. Enter your ServiceNow **User Name** and **Password**. 4. Click **Change** > **Create New** in the menu to begin a new ticket. - ![servicenow_create_new](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_create_new.webp) + ![servicenow_create_new](/img/product_docs/strongpointfornetsuite/integrations/servicenow_create_new.webp) 5. Open the **Strongpoint NetSuite** tab. 6. Click **Select Account** from the menu bar. - ![servicenow_menu_bar](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_menu_bar.webp) + ![servicenow_menu_bar](/img/product_docs/strongpointfornetsuite/integrations/servicenow_menu_bar.webp) 7. Enter your NetSuite credentials. You must set up Token-based authentication. Check if you are using a **Sandbox Account**. Click **Connect**. - ![servicenow_sp_login](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_sp_login.webp) + ![servicenow_sp_login](/img/product_docs/strongpointfornetsuite/integrations/servicenow_sp_login.webp) 8. Click **Select Customizations**. - ![servicenow_select_customizations](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_select_customizations.webp) + ![servicenow_select_customizations](/img/product_docs/strongpointfornetsuite/integrations/servicenow_select_customizations.webp) 9. Enter one or more filters and click **Lookup Customization** to bring up a matching list. For example, entering **test** brings up the list of customizations containing _test_. - ![servicenow_select_customizations_add](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_select_customizations_add.webp) + ![servicenow_select_customizations_add](/img/product_docs/strongpointfornetsuite/integrations/servicenow_select_customizations_add.webp) 10. Check one or more customizations. Click **Add Customization**. 11. 
Click **Add Proposed Customization** to add a new customization: - ![Add a Proposed Customization](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_add_proposed_customization.webp) + ![Add a Proposed Customization](/img/product_docs/strongpointfornetsuite/integrations/servicenow_add_proposed_customization.webp) 1. Select the customization **Type**. 2. Enter a Script ID for the proposed customization. @@ -40,16 +40,16 @@ configured prior to use. 12. Click **Impact Analysis** in the menu bar. The impact analysis runs and displays any warnings. - ![servicenow_impact_analysis](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_impact_analysis.webp) + ![servicenow_impact_analysis](/img/product_docs/strongpointfornetsuite/integrations/servicenow_impact_analysis.webp) Click on the links to open the record in NetSuite for further research. - ![servicenow_impact_analysis_ns](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_impact_analysis_ns.webp) + ![servicenow_impact_analysis_ns](/img/product_docs/strongpointfornetsuite/integrations/servicenow_impact_analysis_ns.webp) 13. Click **ERD** in the menu bar. The list is populated with the customizations added to the ticket. Select a customization to view the ERDs as needed. - ![servicenow_erd](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_erd.webp) + ![servicenow_erd](/img/product_docs/strongpointfornetsuite/integrations/servicenow_erd.webp) 14. Click **Submit**. The list of change requests is displayed. 15. Once the change request is moved to the Authorize state, click **Push Deployment Record** in the diff --git a/docs/strongpointfornetsuite/integrations/servicenow_install_configure_netsuite.md b/docs/strongpointfornetsuite/integrations/servicenow_install_configure_netsuite.md index 840c9c5287..1dce36afdd 100644 --- a/docs/strongpointfornetsuite/integrations/servicenow_install_configure_netsuite.md 
+++ b/docs/strongpointfornetsuite/integrations/servicenow_install_configure_netsuite.md @@ -7,7 +7,7 @@ 3. Click on bundle name **ServiceNow Integration** 4. When the **Bundle Details** opens, click **Install**. - ![servicenowinstall2](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall2.webp) + ![servicenowinstall2](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall2.webp) 5. When **Preview Bundle** opens, review the bundle and click **Install** to finish. 6. Open **Strongpoint** > **Strongpoint Support** > **Installation Settings** > **View** @@ -24,7 +24,7 @@ 2. Click **New**. 3. Select **Basic Auth Credentials**. - ![Create a Credentials Record](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_credentials_record.webp) + ![Create a Credentials Record](/img/product_docs/strongpointfornetsuite/integrations/servicenow_credentials_record.webp) 4. Enter the user credentials: **User Name**: **sp-integrations** @@ -32,14 +32,14 @@ Click **Submit** when complete. 5. Open **System Applications** > **Studio** or enter **Studio** in the Menu Search box. - ![servicenowinstall4](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall4.webp) + ![servicenowinstall4](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall4.webp) 6. If a pop-up window appears, click **Import From Source Control**. - ![servicenowinstall5](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall5.webp) + ![servicenowinstall5](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall5.webp) Otherwise, open **File** > **Import From Source Control**. - ![servicenowinstall6](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall6.webp) + ![servicenowinstall6](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall6.webp) 7. Enter the required information: 
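Review bot: The + lines in these hunks keep filename slugs as image alt text (`servicenowinstall2`, `servicenowinstall4`, `servicenowinstall5`, `servicenowinstall6`), while the image in the @@ -24,7 +24,7 @@ hunk has a descriptive one (`Create a Credentials Record`). Every image line is rewritten here anyway, so give the slug ones descriptive alt text, for example `Import From Source Control` for servicenowinstall5 and servicenowinstall6, since the surrounding steps name that dialog.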
@@ -51,11 +51,11 @@ **Branch**: master - ![servicenowinstall7](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall7.webp) + ![servicenowinstall7](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall7.webp) 8. Click **Import**. You see the **Strongpoint NetSuite Integration**. - ![Select Strongpoint NetSuite Integration](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall7-2.webp) + ![Select Strongpoint NetSuite Integration](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall7-2.webp) 9. Click **Strongpoint NetSuite Integration** to open the Application Explorer. You use this for the **Configure ServiceNow** procedure. @@ -86,7 +86,7 @@ administrator for help. 1. In the ServiceNow Application Explorer for the NetSuite Integration, open **Server Development** > **UI Action** > **Select Account** - ![servicenowinstall8](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall8.webp) + ![servicenowinstall8](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall8.webp) To open the Application Explorer, open **System Applications** > **Studio** and select **Strongpoint NetSuite Integration** @@ -97,7 +97,7 @@ administrator for help. condition to be: **current.cmdb_ci == 'configuration_item_sys_id'** - ![servicenowinstall9](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall9.webp) + ![servicenowinstall9](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall9.webp) 3. Click **Update**. 4. Repeat these steps to complete the setup on the other UI Actions: **ERD**, **Push Deployment 
@@ -117,7 +117,7 @@ Service Now Administrator. 3. Open **Server Development** > **UI Action** > **Push Deployment Record** 4. Set **Condition** to **current.state > -3** - ![servicenowinstall10](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall10.webp) + ![servicenowinstall10](/img/product_docs/strongpointfornetsuite/integrations/servicenowinstall10.webp) If you set action button conditions in the Display Action Buttons Only for Specific Conditions procedure, add this condition to the existing ones. For example, @@ -130,7 +130,7 @@ Service Now Administrator. By default, all user can see the Strongpoint NetSuite tab in ServiceNow Change Requests. You can modify this to only allow configured users to see the tab. -![Strongpoint NetSuite tab](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab.webp) +![Strongpoint NetSuite tab](/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab.webp) 1. Log in to ServiceNow as an administrator to manage your instance. 2. Obtain the system identifiers for each user you want to have access to the Strongpoint NetSuite 
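Review bot: The context in the @@ -130,7 +130,7 @@ hunk says the Strongpoint NetSuite tab can be limited so that only configured users see it, and the steps that follow implement this by editing `allowedCIs` in a script under Client Development > Client Scripts. The page should state that this setting controls whether the tab is displayed and is not by itself an access control, and should point to the UI Action conditions under Server Development for restricting the actions themselves. In the same context line, "all user can see" should read "all users can see".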
@@ -139,12 +139,12 @@ modify this to only allow configured users to see the tab. 1. Filter for **configuration** 2. Open **Base Items** > **Computers** - ![Open the ServiceNow Configuration items](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab1.webp) + ![Open the ServiceNow Configuration items](/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab1.webp) 3. Select the system for the user to grant access to the tab. 4. Select **Copy sys_id** from the drop down menu. - ![Select Copy sys_id from the drop down menu](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab2.webp) + ![Select Copy sys_id from the drop down menu](/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab2.webp) 5. Paste the identifier in a file where you can access it to add to the script when you are finished locating the system identifiers. An example identifer is @@ -154,7 +154,7 @@ modify this to only allow configured users to see the tab. 4. Select **Strongpoint NetSuite Integration**. 5. Open **Client Development** > **Client Scripts** > **Strongpoint Initialize** - ![Open the Strongpoint Initialize Script](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab3.webp) + ![Open the Strongpoint Initialize Script](/img/product_docs/strongpointfornetsuite/integrations/servicenow_tab3.webp) 6. Add all of your copied System Identifiers to the **allowedCIs**. Separate multiple IDs with a comma (,). For example: diff --git a/docs/strongpointfornetsuite/integrations/servicenow_integration.md b/docs/strongpointfornetsuite/integrations/servicenow_integration.md index ce7b08e93b..8988bb6852 100644 --- a/docs/strongpointfornetsuite/integrations/servicenow_integration.md +++ b/docs/strongpointfornetsuite/integrations/servicenow_integration.md 
@@ -35,7 +35,7 @@ The following should be considered prior to deploying the ServiceNow integration ## ServiceNow Integration process Flow -![servicenowflow](../../../static/img/product_docs/strongpointfornetsuite/integrations/servicenowflow.webp) +![servicenowflow](/img/product_docs/strongpointfornetsuite/integrations/servicenowflow.webp) ## Deployment Process diff --git a/docs/strongpointfornetsuite/integrations/ticketing_integrations.md b/docs/strongpointfornetsuite/integrations/ticketing_integrations.md index eb98ee5987..75b1c4b801 100644 --- a/docs/strongpointfornetsuite/integrations/ticketing_integrations.md +++ b/docs/strongpointfornetsuite/integrations/ticketing_integrations.md @@ -8,10 +8,10 @@ including the impact analysis, release management and change reconciliation feat Ticketing Integrations with NetSuite include: -- [Jira](jira_integration.md) -- [ServiceNow](servicenow_integration.md) -- [Zendesk](zendesk_integration.md) -- [Integration API](../api/api_overview.md) enables your developers to support your ticketing +- [Jira](/docs/strongpointfornetsuite/integrations/jira_integration.md) +- [ServiceNow](/docs/strongpointfornetsuite/integrations/servicenow_integration.md) +- [Zendesk](/docs/strongpointfornetsuite/integrations/zendesk_integration.md) +- [Integration API](/docs/strongpointfornetsuite/api/api_overview.md) enables your developers to support your ticketing systems, making the integration functionality available to everyone. Integrating your systems with your Platform Governance for NetSuite account helps you make the most of your change management and ticketing strategies. diff --git a/docs/strongpointfornetsuite/integrations/zendesk_integration.md b/docs/strongpointfornetsuite/integrations/zendesk_integration.md index 0fb7dc8309..5b9b6b8ba8 100644 --- a/docs/strongpointfornetsuite/integrations/zendesk_integration.md +++ b/docs/strongpointfornetsuite/integrations/zendesk_integration.md 
@@ -39,27 +39,27 @@ app. 2. Click the **Admin** icon in the left panel. 3. Navigate to **Apps** > **Marketplace**. - ![Open the Zendesk Marketplace](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_admin_marketplace.webp) + ![Open the Zendesk Marketplace](/img/product_docs/strongpointfornetsuite/integrations/zendesk_admin_marketplace.webp) 4. Search for **Strongpoint**. 5. Click **Strongpoint for NetSuite** when it is displayed. - ![Strongpoint for NetSuite app in the Marketplace](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_strongpoint.webp) + ![Strongpoint for NetSuite app in the Marketplace](/img/product_docs/strongpointfornetsuite/integrations/zendesk_strongpoint.webp) 6. Click **Install**. When installation is complete, you are prompted to sign in to your Zendesk dashboard to continue. 7. Click the **Admin** icon in the left panel. 8. Navigate to **Apps** > **Manage**. - ![Configure the Strongpoint Zendesk app](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_configure_app.webp) + ![Configure the Strongpoint Zendesk app](/img/product_docs/strongpointfornetsuite/integrations/zendesk_configure_app.webp) 9. Hover on the **Strongpoint for NetSuite** tile to access the **Settings** menu. - ![Hover to access the Settings](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_configure_app_menu.webp) + ![Hover to access the Settings](/img/product_docs/strongpointfornetsuite/integrations/zendesk_configure_app_menu.webp) 10. Click **Change settings**. - ![Set up the Strongpoint for NetSuite Zendesk app](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_change_settings.webp) + ![Set up the Strongpoint for NetSuite Zendesk app](/img/product_docs/strongpointfornetsuite/integrations/zendesk_change_settings.webp) - **Title**: the name associated with the app. The default is **Strongpoint for NetSuite**. 
- Account ID: enter the NetSuite account ID. The **Account ID** must be a lowercase string. For @@ -104,4 +104,4 @@ After you install the Zendesk app, set up the approvals. - **Approval process** select the approval process to use. **Strongpoint Approval in Zendesk**, **Strongpoint Approval in NetSuite**, **No Appoval Needed**, or **Not set**. -**Next Step:** [ Zendesk Walkthrough Example](zendesk_walkthrough_example.md) +**Next Step:** [ Zendesk Walkthrough Example](/docs/strongpointfornetsuite/integrations/zendesk_walkthrough_example.md) diff --git a/docs/strongpointfornetsuite/integrations/zendesk_walkthrough_example.md b/docs/strongpointfornetsuite/integrations/zendesk_walkthrough_example.md index 0fe49f3027..41f06d1588 100644 --- a/docs/strongpointfornetsuite/integrations/zendesk_walkthrough_example.md +++ b/docs/strongpointfornetsuite/integrations/zendesk_walkthrough_example.md @@ -1,7 +1,7 @@ # Zendesk Walkthrough Example This walkthrough is one example based on our test account. You must -[install and configure](zendesk_integration.md) the Zendesk integration, prior to using this +[install and configure](/docs/strongpointfornetsuite/integrations/zendesk_integration.md) the Zendesk integration, prior to using this walkthrough. Alerts and notifications may occur during this walkthrough, and are not included in these steps. For @@ -17,11 +17,11 @@ The walkthrough demonstrates these steps: 1. Login in to your Zendesk dashboard. 2. Open your **Views**. - ![Open the Zendesk Views](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_views.webp) + ![Open the Zendesk Views](/img/product_docs/strongpointfornetsuite/integrations/zendesk_views.webp) 3. Click **+ Add** > **Ticket**. - ![Add a ticket](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_add_ticket.webp) + ![Add a ticket](/img/product_docs/strongpointfornetsuite/integrations/zendesk_add_ticket.webp) 4. Enter your information for the **Ticket**: 
@@ -44,18 +44,18 @@ The app information is not available until the ticket is created. 6. Click **Submit as New**. - ![New ticket in the Ticket view](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_ticket_view.webp) + ![New ticket in the Ticket view](/img/product_docs/strongpointfornetsuite/integrations/zendesk_ticket_view.webp) ## Create the Change Request Open your new Zendesk ticket. **Test Ticket** in this example. If you do not see the app, make sure the Apps are toggled on using the Apps icon -![Zendesk Apps visibility icon](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_apps_icon.webp) +![Zendesk Apps visibility icon](/img/product_docs/strongpointfornetsuite/integrations/zendesk_apps_icon.webp) and verify you are a member of a group or role -[authorized to access the app](zendesk_integration.md). +[authorized to access the app](/docs/strongpointfornetsuite/integrations/zendesk_integration.md). -![The Strongpoint app is available after you create the ticket.](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_strongpoint_app_ticket.webp) +![The Strongpoint app is available after you create the ticket.](/img/product_docs/strongpointfornetsuite/integrations/zendesk_strongpoint_app_ticket.webp) ### Use Bundles for the Scope of Change 
@@ -66,12 +66,12 @@ Specify a Bundle to use a bundle for the scope of change. This is optional. 3. Click + to add the bundle. 232111 in this example. You can remove a bundle using the drop down toggle. - ![Specify an optional Bundle ID](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_bundleid.webp) + ![Specify an optional Bundle ID](/img/product_docs/strongpointfornetsuite/integrations/zendesk_bundleid.webp) Once you have made a change, the **Request Approval** button is available if you are a member of a group with the [Set up Approvals](zendesk_integration.md#set-up-approvals) permission. -![Request Approval button appears when a change has been made.](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_request_approval.webp) +![Request Approval button appears when a change has been made.](/img/product_docs/strongpointfornetsuite/integrations/zendesk_request_approval.webp) ### Add Existing Customizations @@ -80,7 +80,7 @@ feature. 1. Click **Look up Customization**. - ![Add customizations to the Change Request](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_lookup_customization.webp) + ![Add customizations to the Change Request](/img/product_docs/strongpointfornetsuite/integrations/zendesk_lookup_customization.webp) 2. Enter the search information in one or more of the available filters. For example, enter **new** for **Name** and select **Body Field** for **Type** to search for all body fields containing the 
@@ -88,13 +88,13 @@ feature. 3. Click **Lookup**. 4. Select one or more customizations to attach to the change request. - ![Select one or more customizations.](../../../static/img/product_docs/strongpointfornetsuite/integrations/zendesk_select_customizations.webp) + ![Select one or more customizations.](/img/product_docs/strongpointfornetsuite/integrations/zendesk_select_customizations.webp) 5. Click **Add selected Customizations**. There is an options menu available for each added customization. Options include **Remove** and **ERD**. Selecting **ERD** launches the -[Entity Relationship Diagram](../customizations/using_erd.md) for the customization. +[Entity Relationship Diagram](/docs/strongpointfornetsuite/customizations/using_erd.md) for the customization. ### Add Proposed Customizations @@ -102,14 +102,14 @@ There is an options menu available for each added customization. Options include 2. Click **+** to search for matching Customizations. **View** displays the **Type** and **Script ID** for a Customization. - ![Add a Customization by Name](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_add_name.webp) + ![Add a Customization by Name](/img/product_docs/strongpointfornetsuite/integrations/jira_example_add_name.webp) 3. Select one or more Customizations. For this example, select **New Opportunities Created (Search)**. 4. Click **Add Selected Customizations**. The selected Customization is added to the **Existing Customizations** list. - ![New Opportunities Created (Search) added to Existing Customizations](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_new_opp.webp) + ![New Opportunities Created (Search) added to Existing Customizations](/img/product_docs/strongpointfornetsuite/integrations/jira_example_new_opp.webp) 5. Enter the Script ID **custentity_fmt_cust_credit_on_hold** in **Add Customizations** and click **+**. 
@@ -119,6 +119,6 @@ There is an options menu available for each added customization. Options include Software Development Lifecycle**, which is the policy for the **Set Customer Credit on Hold** field. - ![Add a Customization by Script ID](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_scriptid.webp) + ![Add a Customization by Script ID](/img/product_docs/strongpointfornetsuite/integrations/jira_example_scriptid.webp) - **Impact Analysis** and **View ERD** are tools to Zendesk Walkthrough Example. diff --git a/docs/strongpointfornetsuite/navigating_strongpoint.md b/docs/strongpointfornetsuite/navigating_strongpoint.md index 1996794ae6..98d14ec8ff 100644 --- a/docs/strongpointfornetsuite/navigating_strongpoint.md +++ b/docs/strongpointfornetsuite/navigating_strongpoint.md 
@@ -2,18 +2,18 @@ There are two ways to access Platform Governance for NetSuite's functionality: the **Strongpoint** tab on the NetSuite tab bar or from the **Strongpoint Overview**. Menu options are available based -on your [License Type](installing_strongpoint/features_by_license_type.md). In addition, menu items -can be hidden for each account through [Menu Management](installing_strongpoint/managing_menus.md). +on your [License Type](/docs/strongpointfornetsuite/installing_strongpoint/features_by_license_type.md). In addition, menu items +can be hidden for each account through [Menu Management](/docs/strongpointfornetsuite/installing_strongpoint/managing_menus.md). These examples show all the options for an **Enterprise Compliance** license. If you do not see the **Strongpoint** tab, contact your Administrator regarding -[Setting Tab Access](installing_strongpoint/setting_strongpoint_tab_access.md). +[Setting Tab Access](/docs/strongpointfornetsuite/installing_strongpoint/setting_strongpoint_tab_access.md). ## Strongpoint Tab Menu The Strongpoint tab menu provides navigation to all the key tools: -![strongpoint_menu](../../static/img/product_docs/strongpointfornetsuite/strongpoint_menu.webp) +![strongpoint_menu](/img/product_docs/strongpointfornetsuite/strongpoint_menu.webp) Strongpoint Menu tab includes: @@ -43,4 +43,4 @@ Strongpoint Menu tab includes: Click **Strongpoint** > **Strongpoint Overview** to open the dashboard, providing an at-a-glance overview of your reminders, automated documentation summary and easy access to all the features. -![Strongpoint Overview Dashboard](../../static/img/product_docs/strongpointfornetsuite/dashboard_overview.webp) +![Strongpoint Overview Dashboard](/img/product_docs/strongpointfornetsuite/dashboard_overview.webp) diff --git a/docs/strongpointfornetsuite/processes/using_process_issues.md b/docs/strongpointfornetsuite/processes/using_process_issues.md index 42d5fa4666..171eb13688 100644 
--- a/docs/strongpointfornetsuite/processes/using_process_issues.md +++ b/docs/strongpointfornetsuite/processes/using_process_issues.md @@ -17,7 +17,7 @@ continue to use that and reference the external ticket in the Change Request. 1. Open **Strongpoint** > **Process Issue** > **New** - ![Initiate a Process Issue](../../../static/img/product_docs/strongpointfornetsuite/processes/process_issue.webp) + ![Initiate a Process Issue](/img/product_docs/strongpointfornetsuite/processes/process_issue.webp) 2. Select a **Custom Form** or use the default **Process Issue Form**. 3. Assign a **Number** for the Process Issue. This is any alphanumeric code you use to identify this @@ -92,7 +92,7 @@ functionality, or edit the issue to update status information. Use the ERD tab to visually view the records and see the relationships. -![processissue4](../../../static/img/product_docs/strongpointfornetsuite/processes/processissue4.webp) +![processissue4](/img/product_docs/strongpointfornetsuite/processes/processissue4.webp) ## View Process Issues @@ -110,4 +110,4 @@ You can also edit some fields inline: edited. 3. Click in the column to open a text box. -![Process Issue Reports](../../../static/img/product_docs/strongpointfornetsuite/processes/process_issue_overview.webp) +![Process Issue Reports](/img/product_docs/strongpointfornetsuite/processes/process_issue_overview.webp) diff --git a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-0_release_notes.md b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-0_release_notes.md index 7d0249cdb0..91acad083b 100644 --- a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-0_release_notes.md +++ b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-0_release_notes.md 
@@ -9,7 +9,7 @@ July 28, 2023 - Added a warning on the change request for generic deployment script IDs. Using the generic ID fetches all deployment customizations that share this non-unique ID. - ![Generic deployment ID warning](../../../static/img/product_docs/strongpointfornetsuite/release_notes/deployment_id_warning.webp) + ![Generic deployment ID warning](/img/product_docs/strongpointfornetsuite/release_notes/deployment_id_warning.webp) - **Bill of Materials** and **Inventory Number** fields are deprecated and inactive in the policy record and list views. @@ -38,7 +38,7 @@ June 16, 2023 - Click to select a **Field**. Use Ctrl-Click to select subsequent fields. - Click **Add**. - ![Add No HTML fields](../../../static/img/product_docs/strongpointfornetsuite/release_notes/no_html_options.webp) + ![Add No HTML fields](/img/product_docs/strongpointfornetsuite/release_notes/no_html_options.webp) - Click **Save**. 
@@ -73,20 +73,20 @@ you are considering changing these associated scripts to a lower priority. **Mass Update** can be selected as a **Type** under **Proposed Customizations**. Specify the **Name** of the Mass Update you want to create. -![Mass Update can be created as a Proposed Customization](../../../static/img/product_docs/strongpointfornetsuite/release_notes/change_request_mass_update.webp) +![Mass Update can be created as a Proposed Customization](/img/product_docs/strongpointfornetsuite/release_notes/change_request_mass_update.webp) ### **NetSuite Make Copy Creates Content and Resets Status** Strongpoint ensures the **Make Copy** command found under the **Actions** option only copies the content, not the status. Copied change requests are set to the **Not Started** status. -![Make Copy does not copy the status](../../../static/img/product_docs/strongpointfornetsuite/release_notes/change_request_make_copy.webp) +![Make Copy does not copy the status](/img/product_docs/strongpointfornetsuite/release_notes/change_request_make_copy.webp) ## Jira 1.2.14 - Added the ability to receive and store images attached in the Jira description by Jira ticket ID. - ![Strongpoint stores attached Jira images](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_images.webp) + ![Strongpoint stores attached Jira images](/img/product_docs/strongpointfornetsuite/release_notes/jira_images.webp) ## Jira 1.2.13 @@ -109,7 +109,7 @@ Here are the enhancements for the release: An **Import Customization** button has been added to the Jira Strongpoint form. You can import an xml file exported from a Jira ticket. -![Jira Strongpoint form](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) +![Jira Strongpoint form](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) ### Enable Allow NS to Jira Push 
@@ -119,7 +119,7 @@ This feature must be enabled before you can create tickets from NetSuite to Jira 2. Open the **Jira Integration** tab 3. Check **Allow NS to Jira Push** to enable pushing NetSuite change requests into Jira. - ![Enable Allow NS to Push to Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) + ![Enable Allow NS to Push to Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) ### Create Ticket from NetSuite to Jira 
@@ -130,16 +130,16 @@ Jira. 2. Add your information and customizations. 3. Click **Push to Jira**. 4. Select your Jira project. - ![Select a Jira Project](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push2.webp) + ![Select a Jira Project](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push2.webp) 5. Click **Push**. A Change Request Pushed message is displayed. Click **Close**. 6. Open the **Related Change Records** tab. The ticket number is added as an **External Change Request Number**. **CM-15** in this example. - ![The ticket number is on the Related Change Records tab](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_create_cr_related_change.webp) + ![The ticket number is on the Related Change Records tab](/img/product_docs/strongpointfornetsuite/release_notes/jira_create_cr_related_change.webp) 7. Open Jira. 8. Navigate to **CM-15** ticket. - ![Open the ticket in Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push3.webp) + ![Open the ticket in Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push3.webp) 9. Click **Strongpoint NetSuite**. The customizations from the change request are added. - ![Customizations are added to the ticket](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push4.webp) + ![Customizations are added to the ticket](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push4.webp) ## Jira 1.2.10 
@@ -155,21 +155,21 @@ Authentication (TBA) credentials for your account. Once created, they are availa selection when performing your tasks. Token-Based Authentication is set up through NetSuite. Refer to -[Setting up Token-Based Authentication](../integrations/jira_integration.md). +[Setting up Token-Based Authentication](/docs/strongpointfornetsuite/integrations/jira_integration.md). 1. Open **Jira**. 2. Open your **Projects** page: - ![Open your Jira Projects page to find Add-ons](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) + ![Open your Jira Projects page to find Add-ons](/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) 3. Expand **Add-ons**. 4. Select **Strongpoint Settings**. - ![Jira Strongpoint Settings](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) + ![Jira Strongpoint Settings](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) 5. Click **New Token Based Authentication** to add your credentials. This needs to be done once for each of your accounts. - ![Add tokens for Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) + ![Add tokens for Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) 6. Enter your credentials and click **Add Token Based Authentication Credential**. diff --git a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-1_release_notes.md b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-1_release_notes.md index 0815e2869e..8ba76ee5ac 100644 --- a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-1_release_notes.md +++ b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-1_release_notes.md 
@@ -11,7 +11,7 @@ November 30, 2023 - Improved handling of custom employee center roles across the Strongpoint spiders. - Bundle updates were enabling **Automatic Synchronization** between Strongpoint and Jira, changing settings where **Automatic Synchronization** was disabled. **Automatic Synchronization** defaults - to enabled for new installations. Refer to [Jira](../integrations/jira_integration.md) topic for + to enabled for new installations. Refer to [Jira](/docs/strongpointfornetsuite/integrations/jira_integration.md) topic for more information. - Enhanced handling of nonmaterial changes for fields using html coding. Special symbols ( < > & " ) in fields do not generate non-compliant change logs. @@ -59,7 +59,7 @@ September 20, 2023 The button is only available for Object types where Strongpoint can retrieve the **Actual Change Date** and **Change By** fields. - ![Refresh Changed By](../../../static/img/product_docs/strongpointfornetsuite/change_management/change_log_refresh.webp) + ![Refresh Changed By](/img/product_docs/strongpointfornetsuite/change_management/change_log_refresh.webp) - Removed extraneous Customization record link in Search Clean Up notification emails. Non-Strongpoint users receive the notification and cannot use the link. @@ -89,7 +89,7 @@ If you have custom searches, you must update them to support the NetSuite change of saved searches in your account that contain code in **Formula(Text)** fields, open: **Lists** > **Search** > **Saved Searches with HTML in Formula(Text)** -![Run the Saved Search to view changes](../../../static/img/product_docs/strongpointfornetsuite/release_notes/formulahtml.webp) +![Run the Saved Search to view changes](/img/product_docs/strongpointfornetsuite/release_notes/formulahtml.webp) ## SoD 1.6.2 
@@ -159,7 +159,7 @@ September 27, 2023 - Added the ability to receive and store images attached in the Jira description by Jira ticket ID. - ![Strongpoint stores attached Jira images](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_images.webp) + ![Strongpoint stores attached Jira images](/img/product_docs/strongpointfornetsuite/release_notes/jira_images.webp) ## Jira 1.2.13 @@ -182,7 +182,7 @@ Import Customizations from Jira An **Import Customization** button has been added to the Jira Strongpoint form. You can import an xml file exported from a Jira ticket. -![Jira Strongpoint form](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) +![Jira Strongpoint form](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_form.webp) Enable Allow NS to Jira Push @@ -192,7 +192,7 @@ This feature must be enabled before you can create tickets from NetSuite to Jira 2. Open the **Jira Integration** tab 3. Check **Allow NS to Jira Push** to enable pushing NetSuite change requests into Jira. - ![Enable Allow NS to Push to Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) + ![Enable Allow NS to Push to Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_example_integration.webp) Create Ticket from NetSuite to Jira 
@@ -203,16 +203,16 @@ Jira. 2. Add your information and customizations. 3. Click **Push to Jira**. 4. Select your Jira project. - ![Select a Jira Project](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push2.webp) + ![Select a Jira Project](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push2.webp) 5. Click **Push**. A Change Request Pushed message is displayed. Click **Close**. 6. Open the **Related Change Records** tab. The ticket number is added as an **External Change Request Number**. **CM-15** in this example. - ![The ticket number is on the Related Change Records tab](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_create_cr_related_change.webp) + ![The ticket number is on the Related Change Records tab](/img/product_docs/strongpointfornetsuite/release_notes/jira_create_cr_related_change.webp) 7. Open Jira. 8. Navigate to **CM-15** ticket. - ![Open the ticket in Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push3.webp) + ![Open the ticket in Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push3.webp) 9. Click **Strongpoint NetSuite**. The customizations from the change request are added. - ![Customizations are added to the ticket](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push4.webp) + ![Customizations are added to the ticket](/img/product_docs/strongpointfornetsuite/release_notes/jira_ns_jira_push4.webp) ## Jira 1.2.10 
@@ -228,22 +228,22 @@ Authentication (TBA) credentials for your account. Once created, they are availa selection when performing your tasks. Token-Based Authentication is set up through NetSuite. Refer to -[Setting up Token-Based Authentication](../integrations/jira_integration.md). +[Setting up Token-Based Authentication](/docs/strongpointfornetsuite/integrations/jira_integration.md). 1. Open **Jira**. 2. Open your **Projects** page: - ![Open your Jira Projects page to find Add-ons](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) + ![Open your Jira Projects page to find Add-ons](/img/product_docs/strongpointfornetsuite/release_notes/jira_projects_menu.webp) 3. Expand **Add-ons**. 4. Select **Strongpoint Settings**. - ![Jira Strongpoint Settings](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) + ![Jira Strongpoint Settings](/img/product_docs/strongpointfornetsuite/release_notes/jira_strongpoint_settings.webp) 5. Click **New Token Based Authentication** to add your credentials. This needs to be done once for each of your accounts. - ![Add tokens for Jira](../../../static/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) + ![Add tokens for Jira](/img/product_docs/strongpointfornetsuite/release_notes/jira_add_token.webp) 6. Enter your credentials and click **Add Token Based Authentication Credential**. @@ -266,7 +266,7 @@ October 13, 2023 - Added **GL Impact** and **Permission Risk Severity** filters to the Permission Revews lists. - Added **GL Impact** and **Permission Risk Severity** columns to the Permission Review. - ![UAR GL Impact](../../../static/img/product_docs/strongpointfornetsuite/release_notes/uar_gl_impact.webp) + ![UAR GL Impact](/img/product_docs/strongpointfornetsuite/release_notes/uar_gl_impact.webp) - Added new roles and permissions for UAR users: 
diff --git a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-2_release_notes.md b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-2_release_notes.md index f4dc3b2226..cbe2490e9c 100644 --- a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-2_release_notes.md +++ b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-2_release_notes.md @@ -8,7 +8,7 @@ December 22, 2023 **New:** **Strongpoint Integration API** -Strongpoint is excited to release an [Integration API](../api/api_overview.md) to enable your +Strongpoint is excited to release an [Integration API](/docs/strongpointfornetsuite/api/api_overview.md) to enable your developers to support your ticketing systems! Customers enthusiastically embraced our Strongpoint pre-built integrations for Jira, ServiceNow and Zendesk. The API makes this integration functionality available to everyone. Integrating your systems with your Strongpoint account helps @@ -20,7 +20,7 @@ Here are the API highlights: your Change Requests. - **Change Requests** can be created, updated, retrieved and deleted. - **ERD** and **Impact Analysis** tools are available. -- API commands are documented in the [Integration API](../api/api_overview.md) section of this +- API commands are documented in the [Integration API](/docs/strongpointfornetsuite/api/api_overview.md) section of this guide. - API commands are available in [Postman](http://postman.com/), where you can try them out and test them. There are Postman links in this guide. 
@@ -37,17 +37,17 @@ after a sandbox refresh. 2. Open **Customization** > **Scripting** > **Scripts**. 3. Set the Filter **Type** to **Suitelet** and the **Bundle ID** to **294336**. - ![Find the Suitelet](../../../static/img/product_docs/strongpointfornetsuite/release_notes/scripts.webp) + ![Find the Suitelet](/img/product_docs/strongpointfornetsuite/release_notes/scripts.webp) 4. Click **View** by the **Strongpoint Reset Schedule Deployments** suitelet. 5. Open the **Deployments** tab. - ![Open the Deployment tab](../../../static/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_tab.webp) + ![Open the Deployment tab](/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_tab.webp) 6. Click the Suitelet name: **Strongpoint Reset Schedule Deployments**. 7. Click on the Script **URL**. - ![Click the Script URL](../../../static/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_url.webp) + ![Click the Script URL](/img/product_docs/strongpointfornetsuite/release_notes/script_deploy_url.webp) ## SoD 1.6.3 @@ -68,4 +68,4 @@ If you have custom searches, you must update them to support the NetSuite change of saved searches in your account that contain code in **Formula(Text)** fields, open: **Lists** > **Search** > **Saved Searches with HTML in Formula(Text)** -![Run the Saved Search to view changes](../../../static/img/product_docs/strongpointfornetsuite/release_notes/formulahtml.webp) +![Run the Saved Search to view changes](/img/product_docs/strongpointfornetsuite/release_notes/formulahtml.webp) diff --git a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-3_release_notes.md b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-3_release_notes.md index 79e8005012..ce3875e718 100644 --- a/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-3_release_notes.md +++ b/docs/strongpointfornetsuite/release_notes/netwrix_strongpoint_netsuite_7-3_release_notes.md 
@@ -69,7 +69,7 @@ information will not have changed. New: Jira On-Prem Atlassian is discontinuing support for the Jira On-Prem solution. Jira Cloud will be the only -supported option. You can use the Strongpoint [Integration API](../api/api_overview.md) to create +supported option. You can use the Strongpoint [Integration API](/docs/strongpointfornetsuite/api/api_overview.md) to create your own integration with your ticketing system. **Resolved Issues** @@ -111,7 +111,7 @@ January 25, 2024 - Added **Supervisor** column to the Membership Review. - ![UAR Membership Review](../../../static/img/product_docs/strongpointfornetsuite/release_notes/uar_review_supervisor.webp) + ![UAR Membership Review](/img/product_docs/strongpointfornetsuite/release_notes/uar_review_supervisor.webp) - New filters are available. **Permission Reviews** now have a **Status** filter. Membership Reviews now have **Status** and **Supervisor** filters. diff --git a/docs/strongpointfornetsuite/script_management/analyzing_script_performance.md b/docs/strongpointfornetsuite/script_management/analyzing_script_performance.md index 2c44eb68b0..f3e2bb2ad6 100644 --- a/docs/strongpointfornetsuite/script_management/analyzing_script_performance.md +++ b/docs/strongpointfornetsuite/script_management/analyzing_script_performance.md @@ -42,7 +42,7 @@ to unlocked scripts. 7. Enter **Strongpoint Add Audit Tag** for Name. 8. Paste the **Internal ID** of the **Archive** folder. - ![Add Audit Tag Mass Update](../../../static/img/product_docs/strongpointfornetsuite/script_management/audittag.webp) + ![Add Audit Tag Mass Update](/img/product_docs/strongpointfornetsuite/script_management/audittag.webp) 9. Click **Preview** to review the actions. Click **Perform Update** to add the Start tags. 10. End tags are used to measure script average run time. In many cases, there is no systematic way 
diff --git a/docs/strongpointfornetsuite/script_management/script_mgmt_overview.md b/docs/strongpointfornetsuite/script_management/script_mgmt_overview.md index deee4e6002..d60168caef 100644 --- a/docs/strongpointfornetsuite/script_management/script_mgmt_overview.md +++ b/docs/strongpointfornetsuite/script_management/script_mgmt_overview.md @@ -150,13 +150,13 @@ provide data when the scripts are in Audit or Debug mode. It is important to swi to one of those two levels if appropriate.The Add Audit Tags mass update backs up and then adds start tags to all of your unlocked scripts. This enables tracking frequency of execution. You can manually add end tags for script execution time tracking. -[Analyzing Script Performance](analyzing_script_performance.md). +[Analyzing Script Performance](/docs/strongpointfornetsuite/script_management/analyzing_script_performance.md). ## Schedule the Script Utilization Data Update Script This scheduled script captures the script execution data such as how many times it was triggered, who used it and how long it took to execute. Schedule the Script Utilization Data Update Script -[Schedule the Script Monitor](scheduling_script_monitor.md) +[Schedule the Script Monitor](/docs/strongpointfornetsuite/script_management/scheduling_script_monitor.md) ## Track Progress @@ -168,7 +168,7 @@ list are not being executed. ## Review Script Performance and Error Reports There are several searches that provide data about script performance and errors. -[Review Script Performance and Error Reports](reviewing_script_performance_errors.md) +[Review Script Performance and Error Reports](/docs/strongpointfornetsuite/script_management/reviewing_script_performance_errors.md) Another critical script is the **Strongpoint Parse Script Files SS** (note there is also an on demand version OD). This reads each unlocked script file to check for changes, updates the 
diff --git a/docs/strongpointfornetsuite/sod/approving_exceptions_sod_rules.md b/docs/strongpointfornetsuite/sod/approving_exceptions_sod_rules.md index fb371b5ae3..8984427e2a 100644 --- a/docs/strongpointfornetsuite/sod/approving_exceptions_sod_rules.md +++ b/docs/strongpointfornetsuite/sod/approving_exceptions_sod_rules.md @@ -6,7 +6,7 @@ To create a change request: 1. Open **SoD** > **Change Management** > **New SoD Approval** - ![sod_new_change_request](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request.webp) + ![sod_new_change_request](/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request.webp) 2. Enter information in the following fields: @@ -23,7 +23,7 @@ To create a change request: 5. **Save** the Change Request. 6. The Approval section is now available. Click **Edit** to add **Additional Approvers** or **Approver Notes**. Click **Save** if you make changes. Refer to - [Create a Change Request](../change_management/creating_change_request.md) for more details about + [Create a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for more details about the status bar. 7. Click **Pending Approval** on the status bar. diff --git a/docs/strongpointfornetsuite/sod/assigning_role_with_preapproved_change_request.md b/docs/strongpointfornetsuite/sod/assigning_role_with_preapproved_change_request.md index 025b91dd04..6de3f7178c 100644 --- a/docs/strongpointfornetsuite/sod/assigning_role_with_preapproved_change_request.md +++ b/docs/strongpointfornetsuite/sod/assigning_role_with_preapproved_change_request.md @@ -4,7 +4,7 @@ 1. Open **SoD** > **SoD Change Management** > **New SoD Approval** - ![sod_new_change_request](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request.webp) + ![sod_new_change_request](/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request.webp) 2. **Enter information in the following fields:** 
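Review bot: step 1 in assigning_role_with_preapproved_change_request.md gives the menu path as "**SoD** > **SoD Change Management** > **New SoD Approval**", while approving_exceptions_sod_rules.md in this same patch gives "**SoD** > **Change Management** > **New SoD Approval**" above the identical screenshot `sod_new_change_request.webp`. Confirm which path the product shows and align the two files. The alt text on both changed image lines is the bare file name `sod_new_change_request`; a short description would be more useful to screen-reader users.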
@@ -21,11 +21,11 @@ 5. **Save** the Change Request. 6. The Approval section is now available. Click **Edit** to add **Additional Approvers** or **Approver Notes**. Click **Save** if you make changes. Refer to - [Create a Change Request](../change_management/creating_change_request.md) for more details about + [Create a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for more details about the status bar. 7. Click **Pending Approval** on the status bar. - ![sod_new_change_request_pending](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request_pending.webp) + ![sod_new_change_request_pending](/img/product_docs/strongpointfornetsuite/sod/sod_new_change_request_pending.webp) ## Assign a Non-Compliant Role to an Employee diff --git a/docs/strongpointfornetsuite/sod/creating_an_approved_change_request_clear_violation.md b/docs/strongpointfornetsuite/sod/creating_an_approved_change_request_clear_violation.md index f63c36d782..5c6322aa5e 100644 --- a/docs/strongpointfornetsuite/sod/creating_an_approved_change_request_clear_violation.md +++ b/docs/strongpointfornetsuite/sod/creating_an_approved_change_request_clear_violation.md @@ -33,7 +33,7 @@ To create an approved change request: 4. **Save** the Change Request. 5. The Approval section is now available. Click **Edit** to add **Additional Approvers** or **Approver Notes**. Click **Save** if you make changes. Refer to - [Create a Change Request](../change_management/creating_change_request.md) for more details about + [Create a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for more details about the status bar. The violation clears in the employee record after the approved Change Request is saved. diff --git a/docs/strongpointfornetsuite/sod/creating_sod_approval_request.md b/docs/strongpointfornetsuite/sod/creating_sod_approval_request.md index c0a438cfa8..eb900ad247 100644 
--- a/docs/strongpointfornetsuite/sod/creating_sod_approval_request.md +++ b/docs/strongpointfornetsuite/sod/creating_sod_approval_request.md @@ -1,7 +1,7 @@ # Creating an SoD Approval Request You can create a custom change request form for an SoD Approval Request. Refer to -[Using Custom Change Request Forms](../change_management/use_custom_cr_forms.md) for information on +[Using Custom Change Request Forms](/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md) for information on implementing your custom form. To create an SoD Approval request: @@ -35,7 +35,7 @@ To create an SoD Approval request: 6. **Save** the Change Request. 7. The Approval section is now available. Click **Edit** to add **Additional Approvers** or **Approver Notes**. Click **Save** if you make changes. Refer to - [Create a Change Request](../change_management/creating_change_request.md) for more details about + [Create a Change Request](/docs/strongpointfornetsuite/change_management/creating_change_request.md) for more details about the status bar. ## Adding Employees to an Approved SoD Exemption 
@@ -43,21 +43,21 @@ To create an SoD Approval request: Employees can be added to an Approved and Open SoD Approval request. The **Add Employees to SoD Exemption** button is available after the request is Approved. -![Add Employees to Approved SoD Exemption](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_add_employee.webp) +![Add Employees to Approved SoD Exemption](/img/product_docs/strongpointfornetsuite/sod/sod_add_employee.webp) 1. Click **Add Employees to SoD Exemption**. 2. Select one or more **Affected Employee(s)** to add. - ![Select Affected Employees](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_add_employee_select.webp) + ![Select Affected Employees](/img/product_docs/strongpointfornetsuite/sod/sod_add_employee_select.webp) 3. Click **Request Approval**. Approvers must be - [licensed](../installing_strongpoint/license_manager.md) Platform Governance for NetSuite users - and have the correct [role permissions](../installing_strongpoint/setting_permissions.md) if they + [licensed](/docs/strongpointfornetsuite/installing_strongpoint/license_manager.md) Platform Governance for NetSuite users + and have the correct [role permissions](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) if they are using a custom (non-Strongpoint) role. A new request is created with **Add to SoD Exemption** prepended to the Name of the original request. The new request is set to **Pending Approval**. - ![New Request created from Add Employee to SoD Exemption button](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_add_employee_new.webp) + ![New Request created from Add Employee to SoD Exemption button](/img/product_docs/strongpointfornetsuite/sod/sod_add_employee_new.webp) When the new Request is approved, the employees are added to the **Open** and **Approved** parent Change Request and the new Request is **Closed**. If the parent request status has changed, the 
diff --git a/docs/strongpointfornetsuite/sod/creating_sod_rules.md b/docs/strongpointfornetsuite/sod/creating_sod_rules.md index cd55b1f063..c31087c081 100644 --- a/docs/strongpointfornetsuite/sod/creating_sod_rules.md +++ b/docs/strongpointfornetsuite/sod/creating_sod_rules.md @@ -16,7 +16,7 @@ exist and approvals are closely monitored, exemptions can be made. Exceptions mu the company’s auditors. You can create a custom change request form for SoD Rule Changes. Refer to -[Using Custom Change Request Forms](../change_management/use_custom_cr_forms.md) for information on +[Using Custom Change Request Forms](/docs/strongpointfornetsuite/change_management/use_custom_cr_forms.md) for information on implementing your custom form. ### Access Levels @@ -35,7 +35,7 @@ The following are general definitions of access levels for permissions in NetSui 1. Open **SoD** > **SoD Rule** > **SoD Rule Library** > **New** - ![sod_rule_new](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_rule_new.webp) + ![sod_rule_new](/img/product_docs/strongpointfornetsuite/sod/sod_rule_new.webp) 2. **External ID** is assigned by Platform Governance for NetSuite. Custom rules are numbered 1000 or above. External IDs for custom rules can be edited. SoD Library rule External IDs are 1 @@ -53,7 +53,7 @@ The following are general definitions of access levels for permissions in NetSui permissions/roles violates this rule (optional). 9. Select the **Access Control Type**: - ![SoD Access Controls](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_access_controls.webp) + ![SoD Access Controls](/img/product_docs/strongpointfornetsuite/sod/sod_access_controls.webp) - **Role-based** - Select one or more **Roles** from the displayed list. The Permissions and Advanced Permission Controls are not available for this option. 
@@ -80,7 +80,7 @@ The following are general definitions of access levels for permissions in NetSui 10. Add Restrictions to limit the SoD rule to employees associated in one or more of the categories: **Subsidiaries**, **Departments**, **Classes**, and **Locations**. - ![SoD Classifications](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_classifications.webp) + ![SoD Classifications](/img/product_docs/strongpointfornetsuite/sod/sod_classifications.webp) 11. **Save** the rule. @@ -96,7 +96,7 @@ There are four tabs to access details: a new control. Compensating Controls are defined on the Customization record. - **Workflow**: displays Active Workflows and Workflow History. -![SoD Processing Status](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_proc_status_tab.webp) +![SoD Processing Status](/img/product_docs/strongpointfornetsuite/sod/sod_proc_status_tab.webp) When you add or change a rule, you can manually start the evaluation process, or wait until the Spider runs overnight. To manually run the process: @@ -111,7 +111,7 @@ To view the updates to your SoD rules: **SoD** > **SoD Rule** > **Updates to SoD Rules** -![Updates to SoD Rules report](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_rules_update_report.webp) +![Updates to SoD Rules report](/img/product_docs/strongpointfornetsuite/sod/sod_rules_update_report.webp) With this report, you can easily identify modified pre-defined SoD rules. There is a saved import SoD Rule Import available to enable bulk add or update SoD rules to your production environment. diff --git a/docs/strongpointfornetsuite/sod/installing_sod.md b/docs/strongpointfornetsuite/sod/installing_sod.md index cad6e1d281..d44c8fbd62 100644 --- a/docs/strongpointfornetsuite/sod/installing_sod.md +++ b/docs/strongpointfornetsuite/sod/installing_sod.md 
@@ -8,7 +8,7 @@ Note the SoD Bundle ID has been updated due to NetSuite changes. 2. Under **KEYWORDS**, type **311215**. 3. Click **Search**. - ![Search for the SoD Bundle](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_install-2.webp) + ![Search for the SoD Bundle](/img/product_docs/strongpointfornetsuite/sod/sod_install-2.webp) 4. Select**Strongpoint SoD** 5. Install the Bundle as usual. @@ -20,9 +20,9 @@ Note the SoD Bundle ID has been updated due to NetSuite changes. 3. Click **Search**. 4. Select**Strongpoint SoD Library** - ![Install the Strongpoint SoD Library Bundle](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_install_lib1.webp) + ![Install the Strongpoint SoD Library Bundle](/img/product_docs/strongpointfornetsuite/sod/sod_install_lib1.webp) 5. Install the Bundle as usual. 6. Review the - [Default SoD Custom Record Types and Permission Lists](../installing_strongpoint/setting_permissions.md) + [Default SoD Custom Record Types and Permission Lists](/docs/strongpointfornetsuite/installing_strongpoint/setting_permissions.md) table and add any permissions needed to your Custom Roles. diff --git a/docs/strongpointfornetsuite/sod/sod_notifications.md b/docs/strongpointfornetsuite/sod/sod_notifications.md index 5ae6db5aa8..9781428148 100644 --- a/docs/strongpointfornetsuite/sod/sod_notifications.md +++ b/docs/strongpointfornetsuite/sod/sod_notifications.md 
@@ -6,11 +6,11 @@ information to approvers for SoD violations. 1. When a task causes an SoD violation, a dialog box is displayed with an option to request an approval. - ![sod_nonblocking_msg](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_nonblocking_msg.webp) + ![sod_nonblocking_msg](/img/product_docs/strongpointfornetsuite/sod/sod_nonblocking_msg.webp) 2. Click **Yes** to begin an Approval. - ![sod_approve_req_msg](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_approve_req_msg.webp) + ![sod_approve_req_msg](/img/product_docs/strongpointfornetsuite/sod/sod_approve_req_msg.webp) 3. Add the reason for the approval request. Click **OK**. 4. A confirmation is displayed when the change request is created. You can click the link to view @@ -18,4 +18,4 @@ information to approvers for SoD violations. 5. Once a change request is generated,Platform Governance for NetSuite sends email to the approvers. The email shows the requested change, the SoD violation(s) and links to the change request. - ![sod_email_msg](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_email_msg.webp) + ![sod_email_msg](/img/product_docs/strongpointfornetsuite/sod/sod_email_msg.webp) diff --git a/docs/strongpointfornetsuite/sod/sod_overview.md b/docs/strongpointfornetsuite/sod/sod_overview.md index 7b62220b8e..d5f56e423c 100644 --- a/docs/strongpointfornetsuite/sod/sod_overview.md +++ b/docs/strongpointfornetsuite/sod/sod_overview.md 
@@ -39,11 +39,11 @@ You can create rules that: Advanced SoD works through the following System Process Flow: -![SoD Diagram](../../../static/img/product_docs/strongpointfornetsuite/sod/howsodworks.webp) +![SoD Diagram](/img/product_docs/strongpointfornetsuite/sod/howsodworks.webp) Advanced SoD's also works through the following Functional Process Flow: -![logviolations](../../../static/img/product_docs/strongpointfornetsuite/sod/logviolations.webp) +![logviolations](/img/product_docs/strongpointfornetsuite/sod/logviolations.webp) ## SoD Exemption Handling for Onboarding, Offboarding, and Cross Role Conflicts diff --git a/docs/strongpointfornetsuite/sod/sod_testing.md b/docs/strongpointfornetsuite/sod/sod_testing.md index 190f3d3ee0..393cc874a6 100644 --- a/docs/strongpointfornetsuite/sod/sod_testing.md +++ b/docs/strongpointfornetsuite/sod/sod_testing.md @@ -62,6 +62,6 @@ Test Reports are available for both **User Role Test Violations** and **Employee 4. Select **SoD Testing** and one of the tabs:. There are links to **View Violation Details** and to open the Role Record. - ![SoD Test Report](../../../static/img/product_docs/strongpointfornetsuite/sod/sod_test_report.webp) + ![SoD Test Report](/img/product_docs/strongpointfornetsuite/sod/sod_test_report.webp) Details can be exported in an Excel format. diff --git a/docs/strongpointfornetsuite/tools/standard_field_impact_analysis.md b/docs/strongpointfornetsuite/tools/standard_field_impact_analysis.md index e6dc87ab05..71ec3bb650 100644 --- a/docs/strongpointfornetsuite/tools/standard_field_impact_analysis.md +++ b/docs/strongpointfornetsuite/tools/standard_field_impact_analysis.md 
@@ -6,13 +6,13 @@ a Change Request. Results can be viewed on the **Impact Analysis** tab on the Ch To manually run the standard field impact analysis tool: 1. Open **Strongpoint** > **Tools** > **Standard Field Impact Analysis - ![tools_menu](../../../static/img/product_docs/strongpointfornetsuite/tools/tools_menu.webp)** + ![tools_menu](/img/product_docs/strongpointfornetsuite/tools/tools_menu.webp)** 2. On the **Impact Analysis Fields** screen, fill out the following: - ![impactanalysisfieldstool-2](../../../static/img/product_docs/strongpointfornetsuite/tools/impactanalysisfieldstool-2.webp) + ![impactanalysisfieldstool-2](/img/product_docs/strongpointfornetsuite/tools/impactanalysisfieldstool-2.webp) - **Customization Type**: Leave this field blank to pull all customizations using the given standard field or select a particular customization type to pull only customizations of that type for a given standard field. - **Standard Field Script ID**: Enter the Standard Field Script ID to find results. 3. Click **Run**. 4. Customizations using standard fields are listed in the results. - ![impactanalysisresults](../../../static/img/product_docs/strongpointfornetsuite/tools/impactanalysisresults.webp) + ![impactanalysisresults](/img/product_docs/strongpointfornetsuite/tools/impactanalysisresults.webp) diff --git a/docs/strongpointfornetsuite/tools/tools_overview.md b/docs/strongpointfornetsuite/tools/tools_overview.md index 741f192e3a..39cfead0af 100644 --- a/docs/strongpointfornetsuite/tools/tools_overview.md +++ b/docs/strongpointfornetsuite/tools/tools_overview.md 
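Review bot: in standard_field_impact_analysis.md step 1, the rewritten image line still ends with `**`, so the bold span opened at "**Standard Field Impact Analysis" closes after the image rather than after the menu name. Close the bold before the image, as in `**Standard Field Impact Analysis**`, and put the `![tools_menu](...)` reference on its own line so only the menu item is emphasised.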
@@ -2,9 +2,9 @@ The **Strongpoint** > **Tools** menu accesses: -- [Strongpoint Spider](../installing_strongpoint/running_the_spider.md): runs the Spider on your +- [Strongpoint Spider](/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md): runs the Spider on your account. - **Strongpoint SQL Library**: accesses the Strongpoint SQL Formula library. Use the available formulas to simply your Customization development. -- [Standard Field Impact Analysis](standard_field_impact_analysis.md): runs an Impact Analysis to +- [Standard Field Impact Analysis](/docs/strongpointfornetsuite/tools/standard_field_impact_analysis.md): runs an Impact Analysis to determine dependencies. diff --git a/docs/strongpointfornetsuite/troubleshooting/list_segments_not_editable.md b/docs/strongpointfornetsuite/troubleshooting/list_segments_not_editable.md index ec0cf6b7d1..044f4773c6 100644 --- a/docs/strongpointfornetsuite/troubleshooting/list_segments_not_editable.md +++ b/docs/strongpointfornetsuite/troubleshooting/list_segments_not_editable.md @@ -9,11 +9,11 @@ To resolve this: 3. Select **General Preferences**. 4. Set the **Number of Rows in List Segments** to 1000. -![rowsinlistsegments](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/rowsinlistsegments.webp) +![rowsinlistsegments](/img/product_docs/strongpointfornetsuite/troubleshooting/rowsinlistsegments.webp) If the field is still gray: 1. Scroll down the page to the tab **Overriding Preferences** 2. Check the box for Number of Rows in List Segments. -![setlinesegments](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/setlinesegments.webp) +![setlinesegments](/img/product_docs/strongpointfornetsuite/troubleshooting/setlinesegments.webp) diff --git a/docs/strongpointfornetsuite/troubleshooting/report_a_bug.md b/docs/strongpointfornetsuite/troubleshooting/report_a_bug.md index acb38454ee..a93f1d6c05 100644 
--- a/docs/strongpointfornetsuite/troubleshooting/report_a_bug.md +++ b/docs/strongpointfornetsuite/troubleshooting/report_a_bug.md @@ -14,18 +14,18 @@ NetSuite to make it easy to access the Netwrix support site at [https://www.netwrix.com/support.html](https://www.netwrix.com/support.html) - Click **Submit a Support Case** from the - [Strongpoint Overview Dashboard](../navigating_strongpoint.md) in your Production or Sandbox + [Strongpoint Overview Dashboard](/docs/strongpointfornetsuite/navigating_strongpoint.md) in your Production or Sandbox accounts. - Open **Strongpoint** > **Strongpoint Support** > **Contact Support** to open the Netwrix Support site. -![Contact Strongpoint Support](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/report_bug.webp) +![Contact Strongpoint Support](/img/product_docs/strongpointfornetsuite/troubleshooting/report_bug.webp) ## Comment on a User Guide Topic There is a comment button at the end of each topic, enabling you to easily send feedback to Support on the topic. -![Click to leave feedback on the current topic.](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/comment_button.webp) +![Click to leave feedback on the current topic.](/img/product_docs/strongpointfornetsuite/troubleshooting/comment_button.webp) -![Enter your feedback on the current topic.](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/comment_form.webp) +![Enter your feedback on the current topic.](/img/product_docs/strongpointfornetsuite/troubleshooting/comment_form.webp) diff --git a/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md b/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md index 6216b23c96..5fb20e7cbf 100644 --- a/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md +++ b/docs/strongpointfornetsuite/troubleshooting/saved_search_times_out.md 
@@ -13,7 +13,7 @@ To schedule the saved search to run: 1. Open the **Email** tab of the saved search. 2. Open the **Schedule** tab and schedule the saved search to run. - ![saved_search_timeout1](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout1.webp) + ![saved_search_timeout1](/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout1.webp) ## Send Results @@ -26,12 +26,12 @@ To send the results to a recipient: - **Recipient**: add their name. - **Check the boxes**: Send emails according to schedule and summarize scheduled emails. - ![saved_search_timeout2](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout2.webp) + ![saved_search_timeout2](/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout2.webp) 4. Click on **Customize Message** tab. 5. Select **Send as CSV**. - ![saved_search_timeout3](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout3.webp) + ![saved_search_timeout3](/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout3.webp) 6. Open **Schedule** tab. 7. Schedule the saved search. @@ -43,6 +43,6 @@ To send the results to a recipient: 2. Locate your saved search on the list. 3. Click **Persist (CSV)**. - ![saved_search_timeout4](../../../static/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout4.webp) + ![saved_search_timeout4](/img/product_docs/strongpointfornetsuite/troubleshooting/saved_search_timeout4.webp) The search is executed in the background and the CSV file saved in the NetSuite File Cabinet. diff --git a/docs/strongpointfornetsuite/uar/access_app.md b/docs/strongpointfornetsuite/uar/access_app.md index 9fc49480a8..b8121d0d3b 100644 --- a/docs/strongpointfornetsuite/uar/access_app.md +++ b/docs/strongpointfornetsuite/uar/access_app.md 
@@ -1,22 +1,22 @@ # Accessing User Access Review -The User Access Review bundle must be [installed](install_app.md), and users must have NetSuite +The User Access Review bundle must be [installed](/docs/strongpointfornetsuite/uar/install_app.md), and users must have NetSuite accounts and a UAR license to access User Access Review. **User Access Review** is available on the NetSuite menu bar if you have a -[license](install_app.md). If it is not on your menu, contact your Netwrix or NetSuite +[license](/docs/strongpointfornetsuite/uar/install_app.md). If it is not on your menu, contact your Netwrix or NetSuite administrator. -![User Access Review menu](../../../static/img/product_docs/strongpointfornetsuite/uar/uar_menu.webp) +![User Access Review menu](/img/product_docs/strongpointfornetsuite/uar/uar_menu.webp) 1. Select **User Access Review** > **User Access Review** > **Open** from the NetSuite menu bar. 2. Click your **Role** to log in to the UAR app. - ![Select your role](../../../static/img/product_docs/strongpointfornetsuite/uar/uar_role.webp) + ![Select your role](/img/product_docs/strongpointfornetsuite/uar/uar_role.webp) Here is an example of the UAR Admin dashboard: -![UAR Admin Dashboard](../../../static/img/product_docs/strongpointfornetsuite/uar/dashboard_admin.webp) +![UAR Admin Dashboard](/img/product_docs/strongpointfornetsuite/uar/dashboard_admin.webp) ## Dashboard diff --git a/docs/strongpointfornetsuite/uar/install_app.md b/docs/strongpointfornetsuite/uar/install_app.md index d66f177076..99998e311f 100644 --- a/docs/strongpointfornetsuite/uar/install_app.md +++ b/docs/strongpointfornetsuite/uar/install_app.md 
@@ -14,11 +14,11 @@ The User Access Review app must be installed and licensed before it can be used. 3. Enter **433078** in **Keywords**. 4. Click **Search**. - ![Search for the UAR bundle](../../../static/img/product_docs/strongpointfornetsuite/uar/bundle_uar.webp) + ![Search for the UAR bundle](/img/product_docs/strongpointfornetsuite/uar/bundle_uar.webp) 5. Click **Strongpoint UAR**. - ![Select the bundle](../../../static/img/product_docs/strongpointfornetsuite/uar/bundle_uar2.webp) + ![Select the bundle](/img/product_docs/strongpointfornetsuite/uar/bundle_uar2.webp) 6. Click **Install** to start the bundle installation. 7. Verify the installation is complete. Open **Customization** > **SuiteBundler** > **Search & @@ -38,11 +38,11 @@ Platform Governance for NetSuite. 2. Click **View**. 3. Set the **View** to **Strongpoint Licensed Users**. - ![Set View to Strongpoint Licensed Users](../../../static/img/product_docs/strongpointfornetsuite/uar/licensing_uar.webp) + ![Set View to Strongpoint Licensed Users](/img/product_docs/strongpointfornetsuite/uar/licensing_uar.webp) 4. Click **New Licensed User**. - ![UAR Licensed User](../../../static/img/product_docs/strongpointfornetsuite/uar/app_access.webp) + ![UAR Licensed User](/img/product_docs/strongpointfornetsuite/uar/app_access.webp) 5. Select the **User**. 6. Set **License Type** to **Full**. 
@@ -62,11 +62,11 @@ Platform Governance for NetSuite. 2. Click **View**. 3. Set the **View** to **Strongpoint Licensed Users**. - ![Set View to Strongpoint Licensed Users](../../../static/img/product_docs/strongpointfornetsuite/uar/licensing_uar.webp) + ![Set View to Strongpoint Licensed Users](/img/product_docs/strongpointfornetsuite/uar/licensing_uar.webp) 4. Click **Edit** beside the User name. - ![UAR Licensed User](../../../static/img/product_docs/strongpointfornetsuite/uar/licensing_uar2.webp) + ![UAR Licensed User](/img/product_docs/strongpointfornetsuite/uar/licensing_uar2.webp) 5. Set **License Type** to **Full**. 6. Assign one or more UAR roles: @@ -87,18 +87,18 @@ Determine the **Roles** and **Center Types** that need access to UAR. listed for each **Role**. For example, if you are adding UAR to the **Controller** role, you can see the **Center Type** is **Accounting Center**. - ![Find the Center Type for each Role](../../../static/img/product_docs/strongpointfornetsuite/uar/role_review.webp) + ![Find the Center Type for each Role](/img/product_docs/strongpointfornetsuite/uar/role_review.webp) 2. Open **Customization** > **Centers and Tabs** > **Center Tabs** 3. Click **Edit** by **User Access Review**. 4. Select the **Center**. This example shows the **Accounting Center**. - ![Assign the Center](../../../static/img/product_docs/strongpointfornetsuite/uar/center_tab.webp) + ![Assign the Center](/img/product_docs/strongpointfornetsuite/uar/center_tab.webp) 5. Open the **Audience** tab. 6. Select the **Role**. This example show the **Controller - Basic** role. - ![Add the role](../../../static/img/product_docs/strongpointfornetsuite/uar/center_tab_audience.webp) + ![Add the role](/img/product_docs/strongpointfornetsuite/uar/center_tab_audience.webp) 7. Select **Save** > **Save a Copy**. 8. Repeat for each **Center Type** and **Role**. 
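Review bot: in the `@@ -87,18 +87,18 @@` hunk, the context line for step 6 reads "This example show the **Controller - Basic** role", which should be "shows". The same procedure refers to the **Controller** role in step 1, so confirm whether step 6 and the `center_tab_audience.webp` screenshot are meant to show the same role and name it consistently.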
diff --git a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md index 1ba7fbf29e..b03aa80d93 100644 --- a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md +++ b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md @@ -11,7 +11,7 @@ you. Reviews open on the **Review** tab. The **Review Notes** tab lists the review details for the review. -![Opening a review as an additional user](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_review.webp) +![Opening a review as an additional user](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_review.webp) ## Membership Review Actions @@ -42,11 +42,11 @@ This display provides a global view of the user's access. - **Additional Reviewer**: the additional reviewer assigned to the role. 1. Select the user. - ![Reviewing user roles](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_reviewer_review.webp) + ![Reviewing user roles](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_reviewer_review.webp) 2. Review their Global Permissions, Other Roles, and SoD Violations. The links all open the specific records for further review. If the user should retain the role, click **Mark Completed**. The status is updated. You cannot undo this action. - ![Mark your review complete](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_reviewer_complete.webp) + ![Mark your review complete](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_reviewer_complete.webp) 3. Click **Submit** or make additional changes. ### Remove Users from the Role 
@@ -62,10 +62,10 @@ To remove one or more users from the role: from the role. Status is changed to either **Change Request** and the **Change Request ID** added, or **Waiting for CR** if there is an existing change request in progress as part of another review. Click the **Change Request ID** to open the Change Request. - ![Remove a role](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_review_remove.webp) + ![Remove a role](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_review_remove.webp) If the Change Request is rejected (**CR Rejected status**) or canceled (**CR Cancelled**), the user row is returned to a pending state and can then be reviewed again. - ![Remove a user from a role](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/remove_user_from_role.webp) + ![Remove a user from a role](/img/product_docs/strongpointfornetsuite/uar/uar_owner/remove_user_from_role.webp) If the Change Request is rejected (**CR Rejected status**) or canceled (**CR Cancelled**), the user row is returned to a pending state and can then be reviewed again. @@ -76,7 +76,7 @@ Every record has review notes with details about the changes. Only submitted cha The UAR list opens on the **Review** tab. Click **Review Notes** to open the notes tab. You can **Export** the notes as a CSV or PDF file. -![Open the Review Notes tab](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) +![Open the Review Notes tab](/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) The notes have the following fields: diff --git a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_overview.md b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_overview.md index 9c294fe7ca..15f1acd8ea 100644 --- a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_overview.md 
+++ b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_overview.md @@ -2,7 +2,7 @@ Additional Reviewers are assigned by the UAR owners to perform reviews. Additional Reviewers are notified with an email message when a new review has been assigned. You can click one of the links -in the email, or login to NetSuite and open [User Access Review](../access_app.md) to access the +in the email, or login to NetSuite and open [User Access Review](/docs/strongpointfornetsuite/uar/access_app.md) to access the dashboard. 1. Open **User Access Review** from NetSuite. @@ -10,13 +10,13 @@ dashboard. Here is an example additional reviewer dashboard showing new assignments. -![Additional Reviewer Dashboard](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/dashboard_add_reviewer.webp) +![Additional Reviewer Dashboard](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/dashboard_add_reviewer.webp) ## Dashboard Controls - **Home** icon is your dashboard overview, and the default display when you log in. -- **UAR List** is your **[User Access Reviews List](add_reviewer_uar_list.md)**. -- **UAR History** is your **[User Access Reviews History](../uar_history.md)**. +- **UAR List** is your **[User Access Reviews List](/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_uar_list.md)**. +- **UAR History** is your **[User Access Reviews History](/docs/strongpointfornetsuite/uar/uar_history.md)**. - **User Access Reviews** shortcut shows the number of open reviews. Opens your **User Access Reviews List**. - **Notifications** is a list of your assignment notifications and reminders: diff --git a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_uar_list.md b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_uar_list.md index 080f9fc2b0..230822b9b5 100644 --- a/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_uar_list.md 
+++ b/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_uar_list.md @@ -6,7 +6,7 @@ controlled with the **Sort By** selection in the Filters section. Here is an example of the **Global** review list: -![UAR list additional reviewer](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_uar_list.webp) +![UAR list additional reviewer](/img/product_docs/strongpointfornetsuite/uar/uar_additional_reviewer/additional_user_uar_list.webp) ## Filters @@ -30,8 +30,8 @@ Use **Clear** to reset the Filters. ## UAR List - **Name** is a link. For a **global** review, the link opens the Review list showing all of the - associated reviews. For a **single** review the [Membership](add_reviewer_membership_reviews.md) - or [Permission ](../uar_owner/owner_permission_reviews.md)**Review** tab is opened. Reviews can + associated reviews. For a **single** review the [Membership](/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md) + or [Permission ](/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md)**Review** tab is opened. Reviews can also be opened via links in dashboard or email **Notifications**. - **Number of Reviews** (global) is the number of single reviews in the global review. - **Review Type** is the type of review. Global can be **Both**, **Membership**, or **Permission**. 
@@ -61,7 +61,7 @@ Use **Clear** to reset the Filters. When you open a global review using the **Name** link in the UAR list, the Review list is displayed, showing all of the single reviews associated with the global review. -![Review list of associated single reviews under a global review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_list.webp) +![Review list of associated single reviews under a global review](/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_list.webp) - **Export** exports the list of selected reviews as either a **CSV** or **PDF** file. The exported file is named _Reviews_Group_List_. @@ -69,7 +69,7 @@ showing all of the single reviews associated with the global review. details for the reviews. - **Extract Permission Detail**creates a CSV file (_Permission_Report.csv_) of the permission details for the reviews. -- **Review Name** is a link to the [Membership](add_reviewer_membership_reviews.md) **Review** tab. +- **Review Name** is a link to the [Membership](/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md) **Review** tab. Reviews can also be opened via links in dashboard or email **Notifications**. - **Role Name** the role being reviewed. - **Review Type** is the type of review: **Membership** or **Permission**. The review type is set @@ -96,4 +96,4 @@ showing all of the single reviews associated with the global review. - **Complete Date** the date the review was completed. Continue with the procedures to complete your Additional Reviewer -[Membership](add_reviewer_membership_reviews.md) reviews. +[Membership](/docs/strongpointfornetsuite/uar/uar_additional_reviewer/add_reviewer_membership_reviews.md) reviews. diff --git a/docs/strongpointfornetsuite/uar/uar_admin/admin_overview.md b/docs/strongpointfornetsuite/uar/uar_admin/admin_overview.md index 07a6787a13..b0163e7c1e 100644 --- a/docs/strongpointfornetsuite/uar/uar_admin/admin_overview.md 
+++ b/docs/strongpointfornetsuite/uar/uar_admin/admin_overview.md @@ -1,7 +1,7 @@ # UAR Admin **UAR Admin**manages the UAR process. Administrators login to NetSuite and open -[User Access Review](../access_app.md) to access the dashboard. UAR administrators can: +[User Access Review](/docs/strongpointfornetsuite/uar/access_app.md) to access the dashboard. UAR administrators can: - Assign owners to a role - Create Reviews to a Role @@ -9,15 +9,15 @@ Here is an example of the Admin dashboard displayed when you log in: -![Admin Dashboard](../../../../static/img/product_docs/strongpointfornetsuite/uar/dashboard_admin.webp) +![Admin Dashboard](/img/product_docs/strongpointfornetsuite/uar/dashboard_admin.webp) ## Dashboard Controls - **Home** icon is your dashboard overview, and the default display when you log in. - **Owner List** displays all reviews with an assigned owner. - **Pending Role Assignments** displays all reviews without an assigned owner. -- **UAR List** is your **[User Access Reviews List](../uar_owner/owner_uar_list.md)**. -- **UAR History** is your **[User Access Reviews History](../uar_history.md)**. +- **UAR List** is your **[User Access Reviews List](/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md)**. +- **UAR History** is your **[User Access Reviews History](/docs/strongpointfornetsuite/uar/uar_history.md)**. - **Open Global Reviews** shortcut shows the number of open reviews. Opens your **User Access Reviews List**. - **Pending Role Assignments** shortcut shows the number of roles without review owners. Opens your diff --git a/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md b/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md index cfc8598d12..f39ca45805 100644 --- a/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md +++ b/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md 
@@ -1,13 +1,13 @@ # Owner List Access your **Owner List** from your menu bar. This is where Administrators can add or remove owners -from reviews. All changes are captured in the [UAR History](../uar_history.md). +from reviews. All changes are captured in the [UAR History](/docs/strongpointfornetsuite/uar/uar_history.md). Auditors can view the Owner list and Owner notes, but cannot add or remove owners. Here is an example of the **Owner List**: -![Administrator Owner list](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/owner_list.webp) +![Administrator Owner list](/img/product_docs/strongpointfornetsuite/uar/uar_admin/owner_list.webp) ## Filters @@ -45,7 +45,7 @@ Use **Clear** to reset the Filters. 1. Open **Owner List** from your menu bar. 2. Click **Add Owner** to add a new role. - ![Add Owner](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/add_owner.webp) + ![Add Owner](/img/product_docs/strongpointfornetsuite/uar/uar_admin/add_owner.webp) 3. **Select Role** from the drop down. From Bundle, Custom/Standard and Center Type are automatically added. @@ -75,7 +75,7 @@ You can change any of the owners from the Owner List. The **Owner Notes** tab displays the details for each change in the Owner List. Click the **Owner Notes** tab to access this detail. You can filter the Owner Notes by **Create Date**. -![Owner notes](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/owner_notes.webp) +![Owner notes](/img/product_docs/strongpointfornetsuite/uar/uar_admin/owner_notes.webp) 1. Open **Owner List** from your menu bar. 2. Open the **Owner Notes** tab. diff --git a/docs/strongpointfornetsuite/uar/uar_admin/admin_pending_assignments.md b/docs/strongpointfornetsuite/uar/uar_admin/admin_pending_assignments.md index f38dbc91c9..9621c40681 100644 --- a/docs/strongpointfornetsuite/uar/uar_admin/admin_pending_assignments.md +++ b/docs/strongpointfornetsuite/uar/uar_admin/admin_pending_assignments.md 
@@ -2,11 +2,11 @@ This view makes it easy to identify roles without owners, and facilitates adding owners. Access your **Pending Role Assignments** from your menu bar. All changes are captured in the -[UAR History](../uar_history.md). +[UAR History](/docs/strongpointfornetsuite/uar/uar_history.md). Here is an example of the **Pending Role Assignments**: -![Pending role assignments](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/pending_role_assignments.webp) +![Pending role assignments](/img/product_docs/strongpointfornetsuite/uar/uar_admin/pending_role_assignments.webp) ## Filters @@ -50,11 +50,11 @@ You can assign due dates on the **Pending Role Assignments List**. 1. Open **Pending Role Assignments** from your menu bar. 2. Select a Related Review link. - ![Related review link](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/related_review_link.webp) + ![Related review link](/img/product_docs/strongpointfornetsuite/uar/uar_admin/related_review_link.webp) 3. Select a single review, or select the box in the table header to select all of the reviews. - ![Assign due dates for reviews](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/assign_due_date.webp) + ![Assign due dates for reviews](/img/product_docs/strongpointfornetsuite/uar/uar_admin/assign_due_date.webp) 4. Click in the **Due Date** box and use the date picker to set a date. 5. Click **Save** when your changes are complete. diff --git a/docs/strongpointfornetsuite/uar/uar_admin/admin_uar_list.md b/docs/strongpointfornetsuite/uar/uar_admin/admin_uar_list.md index bf3e53e35a..372b3e7061 100644 --- a/docs/strongpointfornetsuite/uar/uar_admin/admin_uar_list.md +++ b/docs/strongpointfornetsuite/uar/uar_admin/admin_uar_list.md 
@@ -3,11 +3,11 @@ Access your owner User Access Reviews List from **UAR List** in your menu bar, or one of the review shortcuts. Your UAR List displays either the list of Global Reviews or Single Reviews. The view is controlled with the **Sort By** selection in the Filters section. All changes are captured in the -[UAR History](../uar_history.md). +[UAR History](/docs/strongpointfornetsuite/uar/uar_history.md). Here is an example of the **Global** review list: -![Administrator UAR list](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/admin_uar.webp) +![Administrator UAR list](/img/product_docs/strongpointfornetsuite/uar/uar_admin/admin_uar.webp) ## Filters @@ -73,12 +73,12 @@ Use **Clear** to reset the Filters. 1. Open **UAR List** from your menu bar or a shortcut. 2. Click **Create Review**. - ![Create a review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/create_review1.webp) + ![Create a review](/img/product_docs/strongpointfornetsuite/uar/uar_admin/create_review1.webp) 3. Select **Single Review** to add to an existing review, or **Global Review** to start a new review. This example shows the Add to an Existing Review option. - ![Create a review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/create_review2.webp) + ![Create a review](/img/product_docs/strongpointfornetsuite/uar/uar_admin/create_review2.webp) 4. Use the drop down to **Select Global Review** this option is only if you chose **Single**. It is not available if you are creating a new **Global** review. The existing information for the 
@@ -93,7 +93,7 @@ Use **Clear** to reset the Filters. 8. Assign a **Review Name**. This is only available if you are creating a new **Global** review. 9. Click **Create**. -Owners are assigned on the administrator's [Owner's List](admin_owner_list.md), available on your +Owners are assigned on the administrator's [Owner's List](/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md), available on your menu. ### Cancel a Review @@ -104,7 +104,7 @@ menu. 2. Select one or more Reviews. 3. Click **Cancel Review**. Any open change requests are canceled. - ![Cancel a review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/cancel_review.webp) + ![Cancel a review](/img/product_docs/strongpointfornetsuite/uar/uar_admin/cancel_review.webp) 4. Click **Accept**. @@ -121,7 +121,7 @@ Reminders can be sent from the administrator's UAR List or from the Review list Clicking on a **Name** in the UAR List opens the Review List. Here is an example. -![Review List](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/admin_review_list.webp) +![Review List](/img/product_docs/strongpointfornetsuite/uar/uar_admin/admin_review_list.webp) ### Filters 
@@ -157,8 +157,8 @@ There are various actions you can perform from this list: details for the reviews. - **Extract Permission Detail**creates a CSV file (_Permission_Report.csv_) of the permission details for the reviews. -- **Review Name** is a link to the [Membership](../uar_owner/owner_membership_reviews.md) or - [Permission ](../uar_owner/owner_permission_reviews.md)**Review** tab. Reviews can also be opened +- **Review Name** is a link to the [Membership](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md) or + [Permission ](/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md)**Review** tab. Reviews can also be opened via links in dashboard or email **Notifications**. The Review tab and Review notes tab is the - **Role Name** the role being reviewed. - **Review Type** is the type of review: **Membership** or **Permission**. The review type is set @@ -170,7 +170,7 @@ There are various actions you can perform from this list: - **Not Started** Email notification has been sent, review has not been started. - **In Progress** Review has been started. - **Additional Reviewer** Review has been assigned to an - [additional reviewer](../uar_owner/owner_membership_reviews.md). + [additional reviewer](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md). - **Change Request** Change request has been created. The **Change Request ID** is added to the row. The link opens the Change Request. **CR Rejected**, **CR Cancelled**, and **CR Complete** are the other Change Request status values. diff --git a/docs/strongpointfornetsuite/uar/uar_admin/changing_review_status.md b/docs/strongpointfornetsuite/uar/uar_admin/changing_review_status.md index f8e54c8eba..c78f564a01 100644 --- a/docs/strongpointfornetsuite/uar/uar_admin/changing_review_status.md +++ b/docs/strongpointfornetsuite/uar/uar_admin/changing_review_status.md 
@@ -5,21 +5,21 @@ or UAR Admin role is required to make the status change. 1. Note the Name of the review to be changed. This example uses _0001_Membership_SOD Edit Role_. - ![Note the review name](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status1.webp) + ![Note the review name](/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status1.webp) 2. Open **Customization** > **List, Records, & Field** > **Record Types** 3. Locate **Review** in the list. - ![Locate Review in the Edit column](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status2.webp) + ![Locate Review in the Edit column](/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status2.webp) 4. Click **List** in the **Review** row. - ![List displayed for Review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status3.webp) + ![List displayed for Review](/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status3.webp) 5. Click **Edit** in the row of the review to be changed. _0001_Membership_SOD Edit Role_ for this example. - ![Edit the review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status4.webp) + ![Edit the review](/img/product_docs/strongpointfornetsuite/uar/uar_admin/uar_change_status4.webp) 6. Change **Status** from **Complete** to **Not Started**. 7. Click **Save**. diff --git a/docs/strongpointfornetsuite/uar/uar_auditor/auditor_overview.md b/docs/strongpointfornetsuite/uar/uar_auditor/auditor_overview.md index 062eb30d1a..a9c31b5865 100644 --- a/docs/strongpointfornetsuite/uar/uar_auditor/auditor_overview.md +++ b/docs/strongpointfornetsuite/uar/uar_auditor/auditor_overview.md 
@@ -1,22 +1,22 @@ # UAR Auditor Auditors have view only access to specific UAR data. Auditors login to NetSuite and open -[User Access Review](../access_app.md) to access the dashboard. +[User Access Review](/docs/strongpointfornetsuite/uar/access_app.md) to access the dashboard. 1. Open **User Access Review** from NetSuite. 2. Click **UAR Auditor** to log in. Your auditor dashboard is displayed. Here is an example auditor dashboard showing new assignments. -![Auditor Dashboard](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_auditor/dashboard_auditor.webp) +![Auditor Dashboard](/img/product_docs/strongpointfornetsuite/uar/uar_auditor/dashboard_auditor.webp) ## Dashboard Controls - **Home** icon is your dashboard overview, and the default display when you log in. - **Owner List** displays all reviews with an assigned owner. Option to view reviews with no assigned owner. Details are available on the **Owner Notes** tab. This is a read-only view of the - Administrator's [Owner List](../uar_admin/admin_owner_list.md). -- **Global Access Reviews History** is the **[User Access Reviews History](../uar_history.md)**. + Administrator's [Owner List](/docs/strongpointfornetsuite/uar/uar_admin/admin_owner_list.md). +- **Global Access Reviews History** is the **[User Access Reviews History](/docs/strongpointfornetsuite/uar/uar_history.md)**. - **Role Provisioning Reviews** is a list of all Role provisioning reviews. There is a tab to toggle to the **Role Deprovisioning Reviews**. - **Role Deprovisioning Reviews** is a list of all Role deprovisioning reviews. There is a tab to diff --git a/docs/strongpointfornetsuite/uar/uar_history.md b/docs/strongpointfornetsuite/uar/uar_history.md index 72f85321c6..ccda961d9d 100644 --- a/docs/strongpointfornetsuite/uar/uar_history.md +++ b/docs/strongpointfornetsuite/uar/uar_history.md 
@@ -3,18 +3,18 @@ When reviews are complete, they are added to the **UAR History**. Click **UAR History** in your menu bar to access the list. Completed reviews cannot be modified. You can use **Filters** to narrow down your list. Additional reporting for extracting permission and membership data is available from the -[administrator](uar_admin/admin_uar_list.md) and [owner](uar_owner/owner_uar_list.md) Review lists. +[administrator](/docs/strongpointfornetsuite/uar/uar_admin/admin_uar_list.md) and [owner](/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md) Review lists. UAR Administrators and Auditors see all completed reviews. Owners see their assigned, completed reviews. Additional Reviewers see completed reviews where they were assigned. -![Open UAR History](../../../static/img/product_docs/strongpointfornetsuite/uar/uar_history.webp) +![Open UAR History](/img/product_docs/strongpointfornetsuite/uar/uar_history.webp) Click on a **Review Name** to access details about the review, **Q1 2022_Membership_Buyer** in this example. The Review is opened, displaying the **Review** tab. -![UAR History Review tab](../../../static/img/product_docs/strongpointfornetsuite/uar/uar_history_review.webp) +![UAR History Review tab](/img/product_docs/strongpointfornetsuite/uar/uar_history_review.webp) ## Review Tab @@ -27,4 +27,4 @@ The **Review Notes** tab displays the details for each row in the completed Glob **Review Notes** tab on the to access this detail. Record links are provided in each row to drill down into the data records. -![Review Notes tab provides additional details](../../../static/img/product_docs/strongpointfornetsuite/uar/membership_review_notes_tab.webp) +![Review Notes tab provides additional details](/img/product_docs/strongpointfornetsuite/uar/membership_review_notes_tab.webp) 
diff --git a/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md b/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md index eb72af390b..7d3591e59a 100644 --- a/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md +++ b/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md @@ -8,7 +8,7 @@ your menu bar, or one of the review shortcuts. Reviews open on the **Review** tab. The **Review Notes** tab lists the review details for the review. -![Membership review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/membership_review.webp) +![Membership review](/img/product_docs/strongpointfornetsuite/uar/uar_owner/membership_review.webp) ## Membership Review Actions @@ -54,7 +54,7 @@ This display provides a global view of the user's access. 2. Review their Global Permissions, Other Roles, and SoD Violations. The links all open the specific records for further review. If the user should retain the role, click **Mark Completed**. The status is updated. You cannot undo this action. - ![Mark user as reviewed](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/mark_complete.webp) + ![Mark user as reviewed](/img/product_docs/strongpointfornetsuite/uar/uar_owner/mark_complete.webp) ### Remove Users from the Role 
@@ -69,14 +69,14 @@ To remove one or more users from the role: 4. Enter a brief description of why the change is requested when prompted for the **Reason for Change**. Click **Accept** when complete. - ![Reason for change](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/change_request_reason.webp) + ![Reason for change](/img/product_docs/strongpointfornetsuite/uar/uar_owner/change_request_reason.webp) A Change Request is generated for each user removed from the role. Status is changed to either **Change Request** and the **Change Request ID** added, or **Waiting for CR** if there is an existing change request in progress as part of another review. Click the **Change Request ID** to open the Change Request. - ![Remove a user from a role](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/remove_user_from_role.webp) + ![Remove a user from a role](/img/product_docs/strongpointfornetsuite/uar/uar_owner/remove_user_from_role.webp) If the Change Request is rejected (**CR Rejected status**) or canceled (**CR Cancelled**), the user row is returned to a pending state and can then be reviewed again. Use the Change Request 
@@ -88,11 +88,11 @@ You can add additional reviewers to the review: 1. Select the user. 2. Select an additional reviewer from the drop down list. - ![Assign an additional reviewer](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/additional_user_assign.webp) + ![Assign an additional reviewer](/img/product_docs/strongpointfornetsuite/uar/uar_owner/additional_user_assign.webp) The user line is highlighted. You can click **Undo** to cancel the addition before you click **Submit**. 3. Click **Submit** or make additional changes. - ![Assigning an additional user](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/additional_user_assign2.webp) + ![Assigning an additional user](/img/product_docs/strongpointfornetsuite/uar/uar_owner/additional_user_assign2.webp) The line is highlighted, the status updated, and the email notification is sent to the reviewer. You can no longer undo this action. @@ -107,7 +107,7 @@ Every record has review notes with details about the changes. Only submitted cha The UAR list opens on the **Review** tab. Click **Review Notes** to open the notes tab. You can **Export** the notes as a CSV or PDF file. -![Open the Review Notes tab](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) +![Open the Review Notes tab](/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) The notes have the following fields: diff --git a/docs/strongpointfornetsuite/uar/uar_owner/owner_overview.md b/docs/strongpointfornetsuite/uar/uar_owner/owner_overview.md index b3b6febe83..4852e92198 100644 --- a/docs/strongpointfornetsuite/uar/uar_owner/owner_overview.md +++ b/docs/strongpointfornetsuite/uar/uar_owner/owner_overview.md 
@@ -6,11 +6,11 @@ they are appropriate: - **Role Permission Review**: Review Permissions and Permission Levels granted within the Role - **Membership Review**: Review the individuals assigned to the Role -The [Owner User Access Reviews List](owner_uar_list.md) topic has details for accomplishing your +The [Owner User Access Reviews List](/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md) topic has details for accomplishing your reviews. Owners are notified with an email message when a new review has been assigned. You can click one of -the links in the email, or login to NetSuite and open [User Access Review](../access_app.md) to +the links in the email, or login to NetSuite and open [User Access Review](/docs/strongpointfornetsuite/uar/access_app.md) to access the dashboard. 1. Open **User Access Review** from NetSuite. 
@@ -18,14 +18,14 @@ access the dashboard. Here is an example owner dashboard showing new assignments. -![UAR Owner dashboard](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/dashboard_owner.webp) +![UAR Owner dashboard](/img/product_docs/strongpointfornetsuite/uar/uar_owner/dashboard_owner.webp) ## Dashboard Controls - **Home** icon is your dashboard overview, and the default display when you log in. -- **UAR List** is your **[User Access Reviews List](owner_uar_list.md)**. -- **UAR History** is your **[User Access Reviews History](../uar_history.md)**. -- **My Roles** is a list of all your assigned [Roles](owner_uar_roles.md). +- **UAR List** is your **[User Access Reviews List](/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md)**. +- **UAR History** is your **[User Access Reviews History](/docs/strongpointfornetsuite/uar/uar_history.md)**. +- **My Roles** is a list of all your assigned [Roles](/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_roles.md). - **Open Global Reviews** shortcut shows the number of open reviews. Opens your **User Access Reviews List**. - **Open Reviews with Additional Reviewers** shortcut shows the number of open reviews. Opens your diff --git a/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md b/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md index e653bec738..357cffd7dd 100644 --- a/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md +++ b/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md @@ -7,7 +7,7 @@ bar, or one of the review shortcuts. Reviews open on the **Review** tab. The **Review Notes** tab lists the review details for the review. -![Permission Review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review.webp) +![Permission Review](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review.webp) ## Filters 
@@ -50,7 +50,7 @@ Other available actions: 1. Select one or more **Role Permissions**. 2. Review the **Permission** and the **Level** are appropriate for the role. If correct, click **Mark Completed**. The status is updated. You cannot undo this action. - ![Mark the Permission review complete](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_complete.webp) + ![Mark the Permission review complete](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_complete.webp) ### Change Permission Level @@ -64,14 +64,14 @@ To change a permission level: 4. Enter a brief description of why the change is requested when prompted for the **Reason for Change**. Click **Accept** when complete. - ![Reason for change](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/change_request_reason.webp) + ![Reason for change](/img/product_docs/strongpointfornetsuite/uar/uar_owner/change_request_reason.webp) A Change Request is generated for each level change. Status is changed to either **Change Request** and the **Change Request ID** added, or **Waiting for CR** if there is an existing change request in progress as part of another review. Click the **Change Request ID** to open the Change Request. - ![Change requests for Level changes](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_cr.webp) + ![Change requests for Level changes](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_cr.webp) If the Change Request is approved, the status changes to **CR Approved**. If the Change Request is rejected (**CR Rejected status**) or canceled (**CR Cancelled**), the permission row is 
@@ -84,7 +84,7 @@ To change a permission level: To add a permission: 1. Click + **Add**. - ![Add a permission](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_add.webp) + ![Add a permission](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_add.webp) 2. Select the **Permission**, **Category**, and **Level**. 3. Click **Submit**. 4. Enter a brief description of why the change is requested when prompted for the **Reason for @@ -95,7 +95,7 @@ To add a permission: change request in progress as part of another review. Click the **Change Request ID** to open the Change Request. - ![Adding a new permission](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_add2.webp) + ![Adding a new permission](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_add2.webp) If the Change Request is rejected or canceled, the added permission row is removed from the list. @@ -106,10 +106,10 @@ Each permission must be in the **Complete** or **CR Complete status**, with all finished before you can click **Complete Review**. Once a review is complete, no further changes can be made. -![Permission review complete when all rows are complete](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_complete.webp) +![Permission review complete when all rows are complete](/img/product_docs/strongpointfornetsuite/uar/uar_owner/permission_review_complete.webp) When you click **Complete Review**, the review status is updated to **Complete**, and the review is -added to the [UAR History](../uar_history.md). +added to the [UAR History](/docs/strongpointfornetsuite/uar/uar_history.md). ## Review Notes 
@@ -117,7 +117,7 @@ Every record has review notes with details about the changes. Only submitted cha The UAR list opens on the **Review** tab. Click **Review Notes** to open the notes tab. You can **Export** the notes as a CSV or PDF file. -![Open the Review Notes tab](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) +![Open the Review Notes tab](/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_notes_tab.webp) The notes have the following fields: diff --git a/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md b/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md index 623bba5c18..9348cbb394 100644 --- a/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md +++ b/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_list.md @@ -6,9 +6,9 @@ controlled with the **Sort By** selection in the Filters section. Here are examples of the **Global** and **Single** review lists: -![Owner UAR list](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/uar_list_owner.webp) +![Owner UAR list](/img/product_docs/strongpointfornetsuite/uar/uar_owner/uar_list_owner.webp) -![UAR Single Review list](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/uar_list_owner_single.webp) +![UAR Single Review list](/img/product_docs/strongpointfornetsuite/uar/uar_owner/uar_list_owner_single.webp) ## Filters 
@@ -37,8 +37,8 @@ Use **Clear** to reset the Filters. - **Export** exports the list of selected reviews as either a **CSV** or **PDF** file. There is an option to **Export All Reviews**. The exported file is named _User_Access_Reviews_List_. - **Name** is a link. For a **global** review, the link opens the Review list showing all of the - associated reviews. For a **single** review the [Membership](owner_membership_reviews.md) or - [Permission ](owner_permission_reviews.md)**Review** tab is opened. Reviews can also be opened via + associated reviews. For a **single** review the [Membership](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md) or + [Permission ](/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md)**Review** tab is opened. Reviews can also be opened via links in dashboard or email **Notifications**. - **Number of Reviews** (global) is the number of single reviews in the global review. - **Review Type** is the type of review. Global can be **Both**, **Membership**, or **Permission**. @@ -50,7 +50,7 @@ Use **Clear** to reset the Filters. - **Not Started** Email notification has been sent, review has not been started. - **In Progress** Review has been started. - **Additional Reviewer** Review has been assigned to an - [](#)[additional reviewer](owner_membership_reviews.md). + [](#)[additional reviewer](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md). - **Change Request** Change request has been created. The **Change Request ID** is added to the row. The link opens the Change Request. **CR Rejected**, **CR Cancelled**, and **CR Complete** are the other Change Request status values. 
@@ -73,7 +73,7 @@ Use **Clear** to reset the Filters. When you open a global review using the **Name** link in the UAR list, the Review list is displayed, showing all of the single reviews associated with the global review. -![Review list of associated single reviews under a global review](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_list.webp) +![Review list of associated single reviews under a global review](/img/product_docs/strongpointfornetsuite/uar/uar_owner/review_list.webp) - **Export** exports the list of selected reviews as either a **CSV** or **PDF** file. The exported file is named _Reviews_Group_List_. @@ -81,8 +81,8 @@ showing all of the single reviews associated with the global review. details for the reviews. - **Extract Permission Detail**creates a CSV file (_Permission_Report.csv_) of the permission details for the reviews. -- **Review Name** is a link to the [Membership](owner_membership_reviews.md) or - [Permission ](owner_permission_reviews.md)**Review** tab. Reviews can also be opened via links in +- **Review Name** is a link to the [Membership](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md) or + [Permission ](/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md)**Review** tab. Reviews can also be opened via links in dashboard or email **Notifications**. - **Role Name** the role being reviewed. - **Review Type** is the type of review: **Membership** or **Permission**. The review type is set 
@@ -93,7 +93,7 @@ showing all of the single reviews associated with the global review. - **Not Started** Email notification has been sent, review has not been started. - **In Progress** Review has been started. - **Additional Reviewer** Review has been assigned to an - [additional reviewer](owner_membership_reviews.md). + [additional reviewer](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md). - **Change Request** Change request has been created. The **Change Request ID** is added to the row. The link opens the Change Request. **CR Rejected**, **CR Cancelled**, and **CR Complete** are the other Change Request status values. @@ -109,5 +109,5 @@ showing all of the single reviews associated with the global review. - **Due Date** an optional due date for the review, set by the Administrator. - **Complete Date** the date the review was completed. -Continue with the procedures to complete your [Membership](owner_membership_reviews.md) or -[Permission ](owner_permission_reviews.md)reviews. +Continue with the procedures to complete your [Membership](/docs/strongpointfornetsuite/uar/uar_owner/owner_membership_reviews.md) or +[Permission ](/docs/strongpointfornetsuite/uar/uar_owner/owner_permission_reviews.md)reviews. diff --git a/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_roles.md b/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_roles.md index f9a329ab00..f609f18d93 100644 --- a/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_roles.md +++ b/docs/strongpointfornetsuite/uar/uar_owner/owner_uar_roles.md 
@@ -7,9 +7,9 @@ UAR Owners. The list is view only. Click **My Roles** in your menu bar. The list opens on the **My Roles List** tab. You can apply **Filters** to focus your roles list. You can **Export** your list to a CSV or PDF file. -![Open the My Roles List](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/my_roles.webp) +![Open the My Roles List](/img/product_docs/strongpointfornetsuite/uar/uar_owner/my_roles.webp) Open the **My Roles Notes** tab to see details about your roles. This list can also be filtered and exported. -![Open the My Roles Notes tab for details on your roles](../../../../static/img/product_docs/strongpointfornetsuite/uar/uar_owner/my_roles_notes.webp) +![Open the My Roles Notes tab for details on your roles](/img/product_docs/strongpointfornetsuite/uar/uar_owner/my_roles_notes.webp) diff --git a/docs/strongpointfornetsuite/uar/welcome.md b/docs/strongpointfornetsuite/uar/welcome.md index 05cf69e16f..2a0341b0e4 100644 --- a/docs/strongpointfornetsuite/uar/welcome.md +++ b/docs/strongpointfornetsuite/uar/welcome.md @@ -3,7 +3,7 @@ Roles and Permissions are not a set once and forget about them activity. Both should be reviewed regularly to ensure your data is secured and users in your organization have the right access. **User Access Review** streamlines this review process, making it easy to manage and review all -access to your NetSuite data. UAR users must have a [license](install_app.md). +access to your NetSuite data. UAR users must have a [license](/docs/strongpointfornetsuite/uar/install_app.md). ## Terminology diff --git a/docs/strongpointfornetsuite/what_is_a_spider.md b/docs/strongpointfornetsuite/what_is_a_spider.md index 3cef980dfc..19ccf83463 100644 --- a/docs/strongpointfornetsuite/what_is_a_spider.md +++ b/docs/strongpointfornetsuite/what_is_a_spider.md 
@@ -34,7 +34,7 @@ There are three ways to use the Spider: Creates the initial documentation of your account. It has the ability to fully document your account by Spidering all the customization records as well doing a full update on the records in your account (every customization). The initial manual Spider is run during as part of the installation -process: [Running the Spider](installing_strongpoint/running_the_spider.md). +process: [Running the Spider](/docs/strongpointfornetsuite/installing_strongpoint/running_the_spider.md). When running the spider, you must keep the window open for the spider to continue working. Do not change roles or accounts during spidering. NetSuite security standards require an active @@ -56,7 +56,7 @@ created, the fields contain **Pending AutoSpider**. If too many days go by, the ### AutoSpider Portlet The AutoSpider Portlet is set up as part of the installation process: -[Setting Up the AutoSpider and Alerts](installing_strongpoint/setting_up_auto_spider_alerts.md). +[Setting Up the AutoSpider and Alerts](/docs/strongpointfornetsuite/installing_strongpoint/setting_up_auto_spider_alerts.md). The **AutoSpider Portlet** is required to update certain object types in NetSuite. Once triggered through the dashboard portlet, it picks up all changes on custom objects and triggers the scheduled @@ -80,7 +80,7 @@ new/updated objects to your customization record or change request, simply click your form, and your documentation is updated in real time. Here is an example of a customization record with the **ReSpider Now** option: -![ReSpiderNow](../../static/img/product_docs/strongpointfornetsuite/respider_now.webp) +![ReSpiderNow](/img/product_docs/strongpointfornetsuite/respider_now.webp) Proposed customizations do not work for custom forms and custom reports, since they do not have Script IDs. NetSuite is currently working on this, but it is still in development. For searches, 
diff --git a/docs/strongpointforsalesforce/change_management/approving_change_request.md b/docs/strongpointforsalesforce/change_management/approving_change_request.md index 06e76a7ef5..80616588b3 100644 --- a/docs/strongpointforsalesforce/change_management/approving_change_request.md +++ b/docs/strongpointforsalesforce/change_management/approving_change_request.md @@ -13,7 +13,7 @@ notifications are sent when the Change Request owner advances the status to **Pe return the Change Request to **In Progress**, edit it, and reset it to **Pending Approval** if there are errors or omissions. -3. Change Request owner [Completes and Validates the Change Request](completing_change_request.md). +3. Change Request owner [Completes and Validates the Change Request](/docs/strongpointforsalesforce/change_management/completing_change_request.md). Once the Change Request is approved, you cannot change the customizations attached to the Change Request. diff --git a/docs/strongpointforsalesforce/change_management/change_and_approval_policy.md b/docs/strongpointforsalesforce/change_management/change_and_approval_policy.md index efb0062e0d..5781cb1cc7 100644 --- a/docs/strongpointforsalesforce/change_management/change_and_approval_policy.md +++ b/docs/strongpointforsalesforce/change_management/change_and_approval_policy.md 
@@ -40,7 +40,7 @@ determines that a script changed and a Full Software Development Lifecycle was r compliance, it looks for an approved Deployment Record. If it does not find one, it flags the change as non-compliant. An alert is sent to the Object owners notifying them of the non-compliant change. -1. **Detect the Change**: [Automated Scanner](../installing_strongpoint/setting_up_initial_scan.md) +1. **Detect the Change**: [Automated Scanner](/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md) must be enabled forPlatform Governance for Salesforce to detect a change. 2. **Log the Change**: creates a Change Log. 3. **Locate the Relevant Policy**: locates the correct policy for the object. @@ -55,5 +55,5 @@ as non-compliant. An alert is sent to the Object owners notifying them of the no and document what needs to be done to make the change compliant. 6. **Change Reporting and Resolution**: Platform Governance for Salesforce provides predefined - [reports](change_management_reports.md) you can review as part of your regular Change Management + [reports](/docs/strongpointforsalesforce/change_management/change_management_reports.md) you can review as part of your regular Change Management Process. diff --git a/docs/strongpointforsalesforce/change_management/change_management_overview.md b/docs/strongpointforsalesforce/change_management/change_management_overview.md index 66cbc046cb..1ee8dddfe9 100644 --- a/docs/strongpointforsalesforce/change_management/change_management_overview.md +++ b/docs/strongpointforsalesforce/change_management/change_management_overview.md 
@@ -28,11 +28,11 @@ They allow for common actions associated with change requests including: The **Advanced Change Management** Module provides additional functionality: - Automatically define the change level required for compliance based on the appropriate - [Change and Approval Policy](change_and_approval_policy.md). + [Change and Approval Policy](/docs/strongpointforsalesforce/change_management/change_and_approval_policy.md). - Identify impacts on other customizations. - Attach and manage test scripts. - Manage and record Pre and Post-Deployment - [Environment Comparisons](../tools/environment_comparison.md). + [Environment Comparisons](/docs/strongpointforsalesforce/tools/environment_comparison.md). - Archive fields. - Delete customizations. diff --git a/docs/strongpointforsalesforce/change_management/completing_change_request.md b/docs/strongpointforsalesforce/change_management/completing_change_request.md index e5d0cca76f..2a8fbe63e2 100644 --- a/docs/strongpointforsalesforce/change_management/completing_change_request.md +++ b/docs/strongpointforsalesforce/change_management/completing_change_request.md @@ -9,7 +9,7 @@ Once the changes are complete, validate the Change Request and mark it **Complet 2. Locate your Change Request and click the linked **Name**. 3. Click **Rescan** to start the change documentation process. 4. Run **Netwrix Dashboard** > **Tools** > **Environment Comparison**. Validate the changes are what - you expected. Refer to [Comparing Environments](../tools/environment_comparison.md) for details. + you expected. Refer to [Comparing Environments](/docs/strongpointforsalesforce/tools/environment_comparison.md) for details. 5. View the **Open Non-Compliant Changes** or **Compliant Changes** Change Management Reports (**Netwrix Dashboard** > **Reports** > **Change Enablement**). 6. When all changes are validated, click **Complete CR** on the Change Request status bar to mark it 
diff --git a/docs/strongpointforsalesforce/change_management/creating_change_request.md b/docs/strongpointforsalesforce/change_management/creating_change_request.md index 695b19e6fb..0a70dbf0b0 100644 --- a/docs/strongpointforsalesforce/change_management/creating_change_request.md +++ b/docs/strongpointforsalesforce/change_management/creating_change_request.md @@ -4,16 +4,16 @@ Change requests are the method to plan, analyze, track and approve changes. You types of Change Requests to match the change you want to manage. Here are two options: - **Customization** Change request is used for Metadata changes, such as - [Customizations](../customizations/customizations_overview.md). + [Customizations](/docs/strongpointforsalesforce/customizations/customizations_overview.md). - **Data Record** - Change request is used for Data Changes to Revenue Cloud/ - [CPQ](enhanced_cpq_support.md). + [CPQ](/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md). Data Record Change Requests are only available with an Enterprise Compliance license. 1. Open the **Change Requests** tab. 2. Click **New** - ![New Change Request](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new_light.webp) + ![New Change Request](/img/product_docs/strongpointforsalesforce/change_management/change_request_new_light.webp) 3. Enter information as needed. @@ -28,7 +28,7 @@ Data Record Change Requests are only available with an Enterprise Compliance lic 4. **Save** the **Change Request**. A confirmation is displayed when the change request is saved. - ![Continue with the Change Request](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new2_light.webp) + ![Continue with the Change Request](/img/product_docs/strongpointforsalesforce/change_management/change_request_new2_light.webp) 5. Add or change information as needed: 
@@ -45,16 +45,16 @@ Data Record Change Requests are only available with an Enterprise Compliance lic 6. Expand the **Customizations** section. **Customizations** is selected by default. Click **Customizations** to access the **Add/Remove** function. - ![Expand the Customizations section](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new3_light.webp) + ![Expand the Customizations section](/img/product_docs/strongpointforsalesforce/change_management/change_request_new3_light.webp) - Click **Add/Remove** to add existing Customizations to the change request. - ![Add an existing customization to a change request](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new4_light.webp) + ![Add an existing customization to a change request](/img/product_docs/strongpointforsalesforce/change_management/change_request_new4_light.webp) - Enter filters to search for existing customizations. For this example, the **Metadata Type** is set to **CustomField**. The matching customizations are displayed. - ![Enter filters to search for customizations](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new5_light.webp) + ![Enter filters to search for customizations](/img/product_docs/strongpointforsalesforce/change_management/change_request_new5_light.webp) - Select one or more customizations. Use **Search**, **First**, **Previous**, **Next** and **Last** to navigate through the list if needed. 
@@ -67,11 +67,11 @@ Data Record Change Requests are only available with an Enterprise Compliance lic - Click **Add/Remove**. - ![Add Proposed Customizations to the Change Request](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new6_light.webp) + ![Add Proposed Customizations to the Change Request](/img/product_docs/strongpointforsalesforce/change_management/change_request_new6_light.webp) - Click **+** (Add). - ![Add the information for the proposed customization](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new7_light.webp) + ![Add the information for the proposed customization](/img/product_docs/strongpointforsalesforce/change_management/change_request_new7_light.webp) - Enter the **API Name** and **Salesforce Metadata Type**. Click **+** to add additional proposed customizations. Can be used in conjunction with customizations that already exist. @@ -84,7 +84,7 @@ Data Record Change Requests are only available with an Enterprise Compliance lic Your change request is created. -![Your Change Request is created](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new8_light.webp) +![Your Change Request is created](/img/product_docs/strongpointforsalesforce/change_management/change_request_new8_light.webp) ## Preparing the Change Request for Approval 
@@ -102,7 +102,7 @@ Modified**, **Cannot Be Safely Deleted or Modified**, and **Inactive Customizati Here is an example of items on the **Cannot Be Safely Deleted or Modified** tab. The Customizations and Impacted Customizations are links to each customization record. -![Impact Analysis Cannot Be Safely Deleted or Modified tab](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new_impact_analysis.webp) +![Impact Analysis Cannot Be Safely Deleted or Modified tab](/img/product_docs/strongpointforsalesforce/change_management/change_request_new_impact_analysis.webp) Use the **Edit** button to return to the change request and make any required modifications. @@ -111,7 +111,7 @@ Use the **Edit** button to return to the change request and make any required mo Open the **DRD** tab to review the dependency diagram. Use the **Edit** button to return to the change request and make any required modifications. -![Open the DRD tab to view the dependency diagram](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_drd.webp) +![Open the DRD tab to view the dependency diagram](/img/product_docs/strongpointforsalesforce/change_management/change_request_drd.webp) ### Send the Change Request for Approval @@ -121,7 +121,7 @@ add additional approvers, approver notes and begin the approval process. 1. Click **Edit** to modify the change request. 2. Expand the **Approval** section. - ![Expand Approval section](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new_approvals.webp) + ![Expand Approval section](/img/product_docs/strongpointforsalesforce/change_management/change_request_new_approvals.webp) 3. Add the approval information: 
@@ -136,7 +136,7 @@ add additional approvers, approver notes and begin the approval process. 4. Click **Save**. - ![Change Request Pending Approval](../../../static/img/product_docs/strongpointforsalesforce/change_management/change_request_new_send_approval.webp) + ![Change Request Pending Approval](/img/product_docs/strongpointforsalesforce/change_management/change_request_new_send_approval.webp) 5. Click **Submit for Approval** to start the process. Approval notifications are sent to the approvers. diff --git a/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md b/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md index 406b4c897a..1263b63748 100644 --- a/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md +++ b/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md @@ -26,6 +26,6 @@ You must have an Enterprise Compliance license to benefit from this feature. The basic steps for CPQ data tracking: -1. Ensure your org has been [scanned](../installing_strongpoint/running_scanner.md) at least once. -2. [Set up data tracking](set_up_data_tracking.md) for each tracked customization. -3. [Add](set_up_data_tracking.md) the tracked customizations to a policy. +1. Ensure your org has been [scanned](/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md) at least once. +2. [Set up data tracking](/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md) for each tracked customization. +3. [Add](/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md) the tracked customizations to a policy. diff --git a/docs/strongpointforsalesforce/change_management/resolving_noncompliant_changes.md b/docs/strongpointforsalesforce/change_management/resolving_noncompliant_changes.md index a38bcdd581..40f259ee7d 100644 --- a/docs/strongpointforsalesforce/change_management/resolving_noncompliant_changes.md 
+++ b/docs/strongpointforsalesforce/change_management/resolving_noncompliant_changes.md @@ -1,16 +1,16 @@ # Resolving Non-Compliant Changes Open **Netwrix Dashboard** > **Reports** > **Change Enablement** > **Open NonCompliant Changes** -The Non-Compliant Changes Report gives you a list of the [Change Logs](using_change_logs.md). You +The Non-Compliant Changes Report gives you a list of the [Change Logs](/docs/strongpointforsalesforce/change_management/using_change_logs.md). You can filter the report or sort by the column heads. -![Non-Compliant Change Management Report](../../../static/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) +![Non-Compliant Change Management Report](/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) A noncompliant change means something got changed without the required approvals. Open each change log to investigate the change. You can retroactively attach a change request to a noncompliant change and get the necessary approvals for the change to be compliant. -1. Create a New [Change Request](creating_change_request.md) or open an existing one. +1. Create a New [Change Request](/docs/strongpointforsalesforce/change_management/creating_change_request.md) or open an existing one. 2. Set it to Pending Approval. 3. Once it is approved and complete, set the **Status** of the Change Request to **Complete**. 4. Click on the Change Log namet to open it. diff --git a/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md b/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md index c85cca8c99..a0e20e874d 100644 --- a/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md +++ b/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md 
@@ -17,7 +17,7 @@ Here are the requirements to set up data tracking: **Setup** > **Users** > **Permission Sets** > **Strongpoint Administrator** > **Manage Assignments** - ![You must have these permissions to open the Configuration tool](../../../static/img/product_docs/strongpointforsalesforce/change_management/strongpoint_permissions.webp) + ![You must have these permissions to open the Configuration tool](/img/product_docs/strongpointforsalesforce/change_management/strongpoint_permissions.webp) ## Add Objects to Track @@ -25,7 +25,7 @@ Here are the requirements to set up data tracking: 2. Click **View All** to expand the app list. 3. Select **Strongpoint Configuration**. The **Recommended Objects** list is displayed. - ![Review the recommended objects for data tracking](../../../static/img/product_docs/strongpointforsalesforce/change_management/data_tracking_recommended.webp) + ![Review the recommended objects for data tracking](/img/product_docs/strongpointforsalesforce/change_management/data_tracking_recommended.webp) 4. Click the checkbox to select each **Recommended Object** to track. 5. Set the **Tracking** for each selected Object: @@ -53,7 +53,7 @@ Here are the requirements to set up data tracking: 13. Click **Save All Records**. 14. Wait until the **Deployment Status** is complete, then click **Done**. - ![Wait for the Deployment Status to complete](../../../static/img/product_docs/strongpointforsalesforce/change_management/data_tracking_deployment.webp) + ![Wait for the Deployment Status to complete](/img/product_docs/strongpointforsalesforce/change_management/data_tracking_deployment.webp) 15. Open the App Launcher and return to the **Strongpoint Lightning** app. 
@@ -62,12 +62,12 @@ Here are the requirements to set up data tracking: 1. Open **Customizations**. 2. Enter **CustomField** in the **Search** box. - ![Open CustomField Tracking](../../../static/img/product_docs/strongpointforsalesforce/change_management/data_tracking_customfield.webp) + ![Open CustomField Tracking](/img/product_docs/strongpointforsalesforce/change_management/data_tracking_customfield.webp) 3. Select **CustomField Tracking**. 4. Select a customization and edit the Data Change Tracking field. - ![Edit the Data Change Tracking](../../../static/img/product_docs/strongpointforsalesforce/change_management/data_tracking_customfield3.webp) + ![Edit the Data Change Tracking](/img/product_docs/strongpointforsalesforce/change_management/data_tracking_customfield3.webp) 5. Click **Save** at the bottom of the form to save your changes. @@ -84,7 +84,7 @@ level for tracked components by adding them to a specific policy. 4. Click **Add Customizations**. 5. Enter **(Data Records** in the Search Customization box. - ![Select the customizations](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) + ![Select the customizations](/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) 6. Select the customization to add. Use Shift-click (contiguous items) or Ctrl-click to select multiple customizations. @@ -93,7 +93,7 @@ level for tracked components by adding them to a specific policy. ## Change Logs -![CPQ Change Log](../../../static/img/product_docs/strongpointforsalesforce/change_management/cpq_discount_change_log.webp) +![CPQ Change Log](/img/product_docs/strongpointforsalesforce/change_management/cpq_discount_change_log.webp) **Tracked, Non-Blocking** generates a Compliant Change Log (CL-11674) if there is an approved Change Request or a Non-Compliant Change Log (CL-11672) for changes made without an approved Change 
diff --git a/docs/strongpointforsalesforce/change_management/setting_up_policies.md b/docs/strongpointforsalesforce/change_management/setting_up_policies.md index e7e0a05e3d..6df7dfc48a 100644 --- a/docs/strongpointforsalesforce/change_management/setting_up_policies.md +++ b/docs/strongpointforsalesforce/change_management/setting_up_policies.md @@ -55,7 +55,7 @@ information and history. ### Information -![New Policy form](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new1.webp) +![New Policy form](/img/product_docs/strongpointforsalesforce/change_management/policy_new1.webp) - **Change/Approval Policy Name** - **Default Policy**: Check if this is the default change/approval policy. 
@@ -73,62 +73,62 @@ Set the required Change Level for each Metadata Type. The Default is shown in th ### Code and Data Model Changes -![Code and Data Model Changes](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new2.webp) +![Code and Data Model Changes](/img/product_docs/strongpointforsalesforce/change_management/policy_new2.webp) ### Automation Changes -![Automation Change Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new3.webp) +![Automation Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new3.webp) ### Sharing and Visibility Changes -![Sharing and Visbility Change Level](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new4.webp) +![Sharing and Visbility Change Level](/img/product_docs/strongpointforsalesforce/change_management/policy_new4.webp) ### Integration Changes -![Integration Change Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new5.webp) +![Integration Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new5.webp) ### Configuration Changes -![Configuration Change Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new6.webp) +![Configuration Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new6.webp) ### Display and UI Changes -![Display / UI Change Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new7.webp) +![Display / UI Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new7.webp) ### Analytics Changes -![Analytics Change Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new8.webp) +![Analytics Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new8.webp) ### Control Changes -![Control Change 
Levels](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new9.webp) +![Control Change Levels](/img/product_docs/strongpointforsalesforce/change_management/policy_new9.webp) Controls the change level required for different types of changes. Health Check Changes affect the way changes are handled for the customization records for each Salesforce Health Check group (session settings, file upload and security settings), so you can track and report on current -settings. There is a [Health Settings](../customizations/understanding_customization_record.md) tab +settings. There is a [Health Settings](/docs/strongpointforsalesforce/customizations/understanding_customization_record.md) tab for the specific records on the customization record. ### Application Configuration Changes (Data) -![Application Configuration Changes (Data)](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new16.webp) +![Application Configuration Changes (Data)](/img/product_docs/strongpointforsalesforce/change_management/policy_new16.webp) Set objects and fields that are **Tracked Non-blocking** or **Tracked Blocking** to be part of the policy and require a Ticket and an approval. -Refer to [Set Up Data Tracking](set_up_data_tracking.md) for more information on activating and +Refer to [Set Up Data Tracking](/docs/strongpointforsalesforce/change_management/set_up_data_tracking.md) for more information on activating and validating tracked fields. ### Health Check Changes -![Health Check Changes](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new16_a.webp) +![Health Check Changes](/img/product_docs/strongpointforsalesforce/change_management/policy_new16_a.webp) Select the change level for **Health Check Changes**: **None**, **Log Changes Only**, **Change Request**, **Sandbox Development & Testing**, or **Full Software Development Lifecycle**. 
### IT Policies -![Set IT Policies](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new10.webp) +![Set IT Policies](/img/product_docs/strongpointforsalesforce/change_management/policy_new10.webp) Specify the **Preliminary Approver**. Enter part of the name to see a matching list. For critical changes, you can also set a **Final Approver**. This person must approve all changes affected by the @@ -136,14 +136,14 @@ rule. ### Customization Policies -![Customization Policies](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new12.webp) +![Customization Policies](/img/product_docs/strongpointforsalesforce/change_management/policy_new12.webp) **Require Impacted Customization Approval**: select this option to require approval from all impacted Customization owners. ### Management Policies -![Set Management Policies](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new13.webp) +![Set Management Policies](/img/product_docs/strongpointforsalesforce/change_management/policy_new13.webp) **Executive Approver**: a business executive who must approve the change. @@ -155,7 +155,7 @@ approvals occur in the order specified. ### Change Enablement Defaults -![Change Enablement Defaults](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_new15.webp) +![Change Enablement Defaults](/img/product_docs/strongpointforsalesforce/change_management/policy_new15.webp) **Merge Approval Lists**: select this option to merge lists when multiple policies apply to a change. @@ -175,7 +175,7 @@ for easy navigation to each item. Change Logs are created when customizations are added or removed. -![Policy Related tab](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_related_tab.webp) +![Policy Related tab](/img/product_docs/strongpointforsalesforce/change_management/policy_related_tab.webp) ### Add or Remove Customizations 
@@ -192,14 +192,14 @@ the CustomObject Policy when added. 1. Open the policy and click the **Related** tab. 2. Click **Add Customizations**. - ![Add customizations](../../../static/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) + ![Add customizations](/img/product_docs/strongpointfornetsuite/change_management/policy_add_customizations.webp) 3. Select a **Metadata Type** to filter the list. 4. Enter a search term or scroll through the list to locate customizations. 5. Click to select a customization. Use Shift-click or click and drag to select multiple contiguous items or Ctrl-click to select multiple customizations. - ![Selecting Customizations](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_add_customizations2.webp) + ![Selecting Customizations](/img/product_docs/strongpointforsalesforce/change_management/policy_add_customizations2.webp) 6. Click **Add** to add the customizations to the **Selected Customizations** list. For existing customizations, select them in the **Selected Customizations** and click **Remove** to take them 
@@ -215,18 +215,18 @@ available on the **Related** tab on the policy. 2. Click **Select Change Level by SF Type**. You can set the policy as the **Default** and toggle it as **Active** in the **Policy Details**. - ![Adding customizations by Salesforce Type](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_change_by_sf_type.webp) + ![Adding customizations by Salesforce Type](/img/product_docs/strongpointforsalesforce/change_management/policy_change_by_sf_type.webp) 3. Set **Category** and **Sub-Category** filters if you want to narrow the list. Sub-categories are not available for all Categories. - ![Set filters for Salesforce type](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_add_sf_type2.webp) + ![Set filters for Salesforce type](/img/product_docs/strongpointforsalesforce/change_management/policy_add_sf_type2.webp) 4. Click to select a **Salesforce Type** from the **Available Salesforce Type List**. Use Shift-click or click and drag to select multiple contiguous items or Ctrl-click to select multiple types. - ![Add selections to the Selected Salesforce Type List](../../../static/img/product_docs/strongpointforsalesforce/change_management/policy_add_sf_type3.webp) + ![Add selections to the Selected Salesforce Type List](/img/product_docs/strongpointforsalesforce/change_management/policy_add_sf_type3.webp) 5. Click the right arrow to add selections to the **Selected Salesforce Type List**. Click the left arrow to remove items from the selected list. diff --git a/docs/strongpointforsalesforce/change_management/using_change_logs.md b/docs/strongpointforsalesforce/change_management/using_change_logs.md index 9141cb5735..efde36040a 100644 --- a/docs/strongpointforsalesforce/change_management/using_change_logs.md +++ b/docs/strongpointforsalesforce/change_management/using_change_logs.md 
@@ -2,7 +2,7 @@ Change Logs allow you to see the type of change, who made the change and view the system notes of the Salesforce record. Change Logs are accessed from the **Change Logs** tab or through -[Change Enablement Reports](change_management_reports.md). +[Change Enablement Reports](/docs/strongpointforsalesforce/change_management/change_management_reports.md). 1. Expand the **Change Logs** tab. 2. Change the **Recently Viewed** pinned list to show the types of Change Logs to view. For @@ -13,11 +13,11 @@ the Salesforce record. Change Logs are accessed from the **Change Logs** tab or You can also open Change Logs from **Netwrix Dashboard** > **Reports** > **Change Enablement**. Select a report, such as **What Changed** to see a list of Change Logs. -![changelog-1](../../../static/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) +![changelog-1](/img/product_docs/strongpointfornetsuite/change_management/changelog-1.webp) Here is an example change log for a **Profile** Metadata type. -![changelog_details](../../../static/img/product_docs/strongpointforsalesforce/change_management/changelog_details.webp) +![changelog_details](/img/product_docs/strongpointforsalesforce/change_management/changelog_details.webp) ## Details Tab 
@@ -83,18 +83,18 @@ There is an **Export to PDF** option. Example Diff Summary for a Data tracking Change Log: -![Diff Summary for data tracking](../../../static/img/product_docs/strongpointforsalesforce/change_management/diffsummary_data.webp) +![Diff Summary for data tracking](/img/product_docs/strongpointforsalesforce/change_management/diffsummary_data.webp) Example Diff Summary for a Profile metadata type Change Log: -![Change Log Diff Summary](../../../static/img/product_docs/strongpointforsalesforce/change_management/changelog_diff.webp) +![Change Log Diff Summary](/img/product_docs/strongpointforsalesforce/change_management/changelog_diff.webp) ### Values The **Values** section displays the **New Value** and **Old Value** of each field after the update. The **Created By** and **Last Modified By** users and dates are displayed at the end of the list. -![changelog_values](../../../static/img/product_docs/strongpointforsalesforce/change_management/changelog_values.webp) +![changelog_values](/img/product_docs/strongpointforsalesforce/change_management/changelog_values.webp) ### Audit diff --git a/docs/strongpointforsalesforce/clean_up/cleanup_customizations.md b/docs/strongpointforsalesforce/clean_up/cleanup_customizations.md index 80a09a29a7..2e32dedc1c 100644 --- a/docs/strongpointforsalesforce/clean_up/cleanup_customizations.md +++ b/docs/strongpointforsalesforce/clean_up/cleanup_customizations.md @@ -24,7 +24,7 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu 6. Assign a **Change/Approval Policy** if there is an object specific policy (optional). 7. Under **Clean-Up Classification**, add an overview of the clean up. -![improvementtab](../../../static/img/product_docs/strongpointforsalesforce/clean_up/improvementtab.webp) +![improvementtab](/img/product_docs/strongpointforsalesforce/clean_up/improvementtab.webp) ## Clean Up Multiple Customizations 
@@ -43,7 +43,7 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu - **Clean Up Comments** - **Clean Up Status** - ![createlist_view_for_cleanup](../../../static/img/product_docs/strongpointforsalesforce/clean_up/createlist_view_for_cleanup.webp) + ![createlist_view_for_cleanup](/img/product_docs/strongpointforsalesforce/clean_up/createlist_view_for_cleanup.webp) 6. Restrict Visibility. You can choose to have the list view: @@ -55,7 +55,7 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu 8. Once your list view has been created, you can multi-select customizations for clean up by checking the box beside **Action**. - ![multi_select_cleanup](../../../static/img/product_docs/strongpointforsalesforce/clean_up/multi_select_cleanup.webp) + ![multi_select_cleanup](/img/product_docs/strongpointforsalesforce/clean_up/multi_select_cleanup.webp) 9. You can now choose what you want to edit for the multiple customizations selected. For example, if you want to change the clean up status: @@ -64,4 +64,4 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu 12. Choose to **Apply changes to: All the selected records**. 13. Click **Save**. - ![flagging_mass_customizations](../../../static/img/product_docs/strongpointforsalesforce/clean_up/flagging_mass_customizations.webp) + ![flagging_mass_customizations](/img/product_docs/strongpointforsalesforce/clean_up/flagging_mass_customizations.webp) diff --git a/docs/strongpointforsalesforce/clean_up/cleanup_overview.md b/docs/strongpointforsalesforce/clean_up/cleanup_overview.md index 34377ea778..4436ac75e2 100644 --- a/docs/strongpointforsalesforce/clean_up/cleanup_overview.md +++ b/docs/strongpointforsalesforce/clean_up/cleanup_overview.md 
@@ -89,7 +89,7 @@ requests as appropriate. ### Manage the Change or Clean Up You can find more information about how to use the Change Request under -[Managing Change](../change_management/change_management_overview.md). Once the appropriate +[Managing Change](/docs/strongpointforsalesforce/change_management/change_management_overview.md). Once the appropriate investigations are conducted and approvals are obtained the customization can be changed as appropriate based on company policies and procedures. diff --git a/docs/strongpointforsalesforce/clean_up/date_last_used.md b/docs/strongpointforsalesforce/clean_up/date_last_used.md index bec7fde1a1..92edbf2337 100644 --- a/docs/strongpointforsalesforce/clean_up/date_last_used.md +++ b/docs/strongpointforsalesforce/clean_up/date_last_used.md @@ -54,7 +54,7 @@ DLU analysis should only be performed in Production orgs. Sandbox orgs do not re If **Field History Tracking** is enabled for a CustomField with a **DLU Status** of either **Recent** or **Expired**, the status is changed to **Pending**. Here is an example: -![Example of the DLU status fields for a CustomField](../../../static/img/product_docs/strongpointforsalesforce/clean_up/dlu_status_example_customfield.webp) +![Example of the DLU status fields for a CustomField](/img/product_docs/strongpointforsalesforce/clean_up/dlu_status_example_customfield.webp) ### Notes 
@@ -77,15 +77,15 @@ has been disabled. To change the time period: 2. Expand **Custom Code** 3. Select **Custom Metadata Types** - ![Open Custom Metadata Types](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types.webp) + ![Open Custom Metadata Types](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types.webp) 4. Click **Manage Records** by **Strongpoint DLU Parameter** - ![Click Manage Records to open the record](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_exp.webp) + ![Click Manage Records to open the record](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_exp.webp) 5. Click **Edit** by **DLU Expiration** - ![Edit the parameters](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_para.webp) + ![Edit the parameters](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_para.webp) 6. Set the **DLU Expiration (Months)**. The default is three. 7. Click **Save**. @@ -176,12 +176,12 @@ DLU is not used for the following metadata Extended Types: ## DLU Scheduler -The [Scheduler](../scanners/scheduler.md) is where you can add frequency, day and time for processes +The [Scheduler](/docs/strongpointforsalesforce/scanners/scheduler.md) is where you can add frequency, day and time for processes to run. Under **Field Usage and DLU**, you can set up the scheduler to update the last used date field on customizations with the date the metadata was last used. It populates information for field usage on custom fields and custom objects and catch any permission set assignments related to users. -![scheduler](../../../static/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) +![scheduler](/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) Once the scheduler has been set up, you can view the DLU under the **Metadata** tab on the customization record. 
diff --git a/docs/strongpointforsalesforce/customizations/customizations_overview.md b/docs/strongpointforsalesforce/customizations/customizations_overview.md index 4ac7648806..52c3204d68 100644 --- a/docs/strongpointforsalesforce/customizations/customizations_overview.md +++ b/docs/strongpointforsalesforce/customizations/customizations_overview.md @@ -20,4 +20,4 @@ For Change Management and Compliance, the joins between customizations are criti IT risk of making changes to the system. For example, they warn you if changing a search could break a workflow or a script. -![drd](../../../static/img/product_docs/strongpointforsalesforce/customizations/drd.webp) +![drd](/img/product_docs/strongpointforsalesforce/customizations/drd.webp) diff --git a/docs/strongpointforsalesforce/customizations/old_customization_record.md b/docs/strongpointforsalesforce/customizations/old_customization_record.md index 9bb29c1a31..85f38359b4 100644 --- a/docs/strongpointforsalesforce/customizations/old_customization_record.md +++ b/docs/strongpointforsalesforce/customizations/old_customization_record.md @@ -1,7 +1,7 @@ # Old Customization Record This topic details the old-style customization record. Refer to -[Understanding the Customization Record](understanding_customization_record.md) for the updated +[Understanding the Customization Record](/docs/strongpointforsalesforce/customizations/understanding_customization_record.md) for the updated Platform Governance for Salesforce Lightning customization record. The customization detail contains general information about the customization record. The 
@@ -27,7 +27,7 @@ Customization record fields include: - **Details**: Tabs to access details about the customization. Tabs include **Metadata**, **Improvement**, **Permissions**, **Control**, **DRD**, **Raw Data** and **Related Lists**. -![customization_record](../../../static/img/product_docs/strongpointforsalesforce/customizations/customization_record.webp) +![customization_record](/img/product_docs/strongpointforsalesforce/customizations/customization_record.webp) ## Customization Record Tabs @@ -56,7 +56,7 @@ These are the tabs inside a customization record: The metadata tab provides the metadata information about the customization, including: - **Date Last Used**: date the customization was last used. Refer to - [DLU](../clean_up/date_last_used.md) for more information. + [DLU](/docs/strongpointforsalesforce/clean_up/date_last_used.md) for more information. - **Data type**: data type of the custom field. - **Last Modified Date**: last date the customization was modified. - **Active**: indicates whether the customization is a active. @@ -105,7 +105,7 @@ The Health Settings tab is located on the customization pages for the Salesforce as Session Settings, Password Policies and Certificates. This example shows the **Health Settings** tab for the **PasswordPolicies** customization. -![Example of the PasswordPolicies Health Settings tab](../../../static/img/product_docs/strongpointforsalesforce/customizations/health_settings_tab_example.webp) +![Example of the PasswordPolicies Health Settings tab](/img/product_docs/strongpointforsalesforce/customizations/health_settings_tab_example.webp) ### Data Classification @@ -140,7 +140,7 @@ on a financial report. ### DRD -Dependency Relationship Diagram ([DRD](../tools/viewing_drd.md)) displays objects, customizations +Dependency Relationship Diagram ([DRD](/docs/strongpointforsalesforce/tools/viewing_drd.md)) displays objects, customizations and their relationships and dependencies. ### Raw Data 
diff --git a/docs/strongpointforsalesforce/customizations/understanding_customization_record.md b/docs/strongpointforsalesforce/customizations/understanding_customization_record.md index 71812618a0..8a46a7b2cd 100644 --- a/docs/strongpointforsalesforce/customizations/understanding_customization_record.md +++ b/docs/strongpointforsalesforce/customizations/understanding_customization_record.md @@ -2,7 +2,7 @@ This topic discusses the new Platform Governance for Salesforce Lightning customization record. It is only available with the Platform Governance for Salesforce Lightning app. Refer to the topic -[Old Customization Record](old_customization_record.md) for the old style customization record. +[Old Customization Record](/docs/strongpointforsalesforce/customizations/old_customization_record.md) for the old style customization record. **NOTE:** For installed orgs, users must load the Strongpoint Home Page first before opening the **Customization** tab for the first time after the 6.0 update. The new form assignment happens in @@ -26,7 +26,7 @@ Customization record fields include: **Update Description and Help Text** to update. - **Related Objects**: Links to related objects. -![Strongpoint Lightning Customization Record](../../../static/img/product_docs/strongpointforsalesforce/customizations/customization_record_lightning.webp) +![Strongpoint Lightning Customization Record](/img/product_docs/strongpointforsalesforce/customizations/customization_record_lightning.webp) ## Customization Record Tabs 
@@ -65,14 +65,14 @@ The **Custom** tab shows the join, scanner and DLU dates. - **Last Scanner Date**: last date in which the scanner ran and evaluated the current customization. - **Make Join Date**: date customization was last passed to Make Join script. - **Date Last Used**: date the customization was last used. Refer to - [DLU](../clean_up/date_last_used.md) for more information. + [DLU](/docs/strongpointforsalesforce/clean_up/date_last_used.md) for more information. ### DRD -The Dependency Relationship Diagram ([DRD](../tools/viewing_drd.md)) displays objects, +The Dependency Relationship Diagram ([DRD](/docs/strongpointforsalesforce/tools/viewing_drd.md)) displays objects, customizations and their relationships and dependencies. -![DRD Example](../../../static/img/product_docs/strongpointforsalesforce/customizations/drd.webp) +![DRD Example](/img/product_docs/strongpointforsalesforce/customizations/drd.webp) ### Change Enablement diff --git a/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md b/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md index 40e9bcf0bb..0b3e9b64a2 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md @@ -10,7 +10,7 @@ Click **Configuration and Stats** in the **Resources** section, or open **Settin The **License Type** displays your current license. -![Configuration and Stats report](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_overview.webp) +![Configuration and Stats report](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_overview.webp) The report is divided into multiple tabs: 
@@ -41,7 +41,7 @@ created for your account. The statistics included the total number of customizat critical relationship information to help you determine if it is safe to delete or change something, and how it affects other items. Click **Download PDF** to export a copy of the report. -![Configuration and Stats - Documentation Stats](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_doc_stats.webp) +![Configuration and Stats - Documentation Stats](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_doc_stats.webp) ### Scanner Logs @@ -56,7 +56,7 @@ The section displays details for each of the scanner logs: running. When the scan is complete, the column matches the total **Scanner Count**. - Scanner Count -![Configuration and Stats - Scanner Logs](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_scanner_logs.webp) +![Configuration and Stats - Scanner Logs](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_scanner_logs.webp) ### Scanner Additional Information @@ -66,7 +66,7 @@ This section only applies to sandbox orgs. It displays each scanner function and - Last Automated Scanner Run Date - Last Scanner Run Status -![Configuration and Stas - Scanner Additional Information](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_scan_add_info.webp) +![Configuration and Stas - Scanner Additional Information](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_scan_add_info.webp) ### Change Log Creation 
@@ -75,7 +75,7 @@ limits on different [sandbox accounts](https://help.salesforce.com/articleView?id=data_sandbox_environments.htmandtype=5), you may want to disable change logs to save space. -![Control Change Log Creation in Sandbox](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_enable_change_log.webp) +![Control Change Log Creation in Sandbox](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_enable_change_log.webp) ## Jira Configuration @@ -84,7 +84,7 @@ Governance for Salesforce. - Credentials - Status Mapping -- [Jira Field Mapping](../integrations/jira_field_map.md) (separate topic) +- [Jira Field Mapping](/docs/strongpointforsalesforce/integrations/jira_field_map.md) (separate topic) ### Credentials @@ -94,7 +94,7 @@ Jira integration. 1. Open **Netwrix Dashboard** > **Settings** > **Configuration and Stats**. 2. Open the **Jira Configuration** tab. It opens on the **Credentials** tab. - ![Open the credentials](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_sp_credentials.webp) + ![Open the credentials](/img/product_docs/strongpointforsalesforce/integrations/jira_sp_credentials.webp) 3. Enter your credentials: @@ -114,7 +114,7 @@ Jira integration. 2. Open the **Jira Configuration** tab. 3. Open the **Status Mapping** tab. - ![Set up the Jira status mappings for Change Request status](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_status_settings.webp) + ![Set up the Jira status mappings for Change Request status](/img/product_docs/strongpointforsalesforce/integrations/jira_status_settings.webp) 4. Enter the mappings between your Jira statuses and the Change Request statuses. You must define your Jira statuses prior to this step. You can enter multiple Jira statuses for each Change 
@@ -147,12 +147,12 @@ deployments. 1. Open **Netwrix Dashboard** > **Settings** > **Configuration and Stats**. 2. Open the **Orgs** Credentials tab. - ![Orgs Credentials](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orgs_credentials.webp) + ![Orgs Credentials](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orgs_credentials.webp) 3. Click **New** to enter new credentials. For existing credentials, you can click **Edit** to modify the credential, **Delete** to remove it, or the **credential name** to sync your credentials. - ![New org credentials](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orgs_credentials_new.webp) + ![New org credentials](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orgs_credentials_new.webp) 4. Click **Save**. diff --git a/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md b/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md index 309967ad08..046af4f0b3 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md 
@@ -12,17 +12,17 @@ This table summarizes what is included in each type. | Feature | Automated Documentation | Intelligent Change Enablement | Enterprise Compliance | | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -| Customization, Scanners and DRD | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Field-Level Scanner | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Clean Up: Reports, and Scheduler, Processes, DLU | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Profile / Permission Set Comparison | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | 
![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| User Access Assistance | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| User Activity | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Implementation, Planned Customizations, Map Customizations | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Change Request (Change Management) | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Release & Deployment (Deployment, Rollback & Sync Tool) | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Compare Environments | | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | -| Financial Controls | | | 
![orangecheck](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Customization, Scanners and DRD | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Field-Level Scanner | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Clean Up: Reports, and Scheduler, Processes, DLU | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Profile / Permission Set Comparison | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| User Access Assistance | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| User Activity | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Implementation, Planned Customizations, Map 
Customizations | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Change Request (Change Management) | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Release & Deployment (Deployment, Rollback & Sync Tool) | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Compare Environments | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | +| Financial Controls | | | ![orangecheck](/img/product_docs/strongpointforsalesforce/installing_strongpoint/orangecheck.webp) | ## Automated Documentation diff --git a/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md b/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md index a120758759..fe369868c4 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md @@ -7,7 +7,7 @@ customer success team. To install: with [http://test.salesforce.com](http://test.salesforce.com) 2. Select **Install for Admins Only** 3. Click **Install** - ![install1](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/install1.webp) + ![install1](/img/product_docs/strongpointforsalesforce/installing_strongpoint/install1.webp) The installation runs in the background. An email notification is sent to you when the installation is complete. 
@@ -33,7 +33,7 @@ The following items are needed: 6. Set **Call Back URL** to **[https://localhost.com](https://localhost.com)** 7. Set **Selected OAuth Scopes** to **Full access (full)** - ![Setting for Connected App](../../../static/img/product_docs/strongpointforsalesforce/integrations/connected_app.webp) + ![Setting for Connected App](/img/product_docs/strongpointforsalesforce/integrations/connected_app.webp) **The Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows** should not be checked. @@ -41,7 +41,7 @@ The following items are needed: 8. Click **Save**. **Netwrix Platform Governance**is now listed under **Custom Apps**. 9. Click on **Netwrix Platform Governance**. - ![configure-1](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/configure-1.webp) + ![configure-1](/img/product_docs/strongpointforsalesforce/installing_strongpoint/configure-1.webp) 10. Click **Manage Consumer Details**. You must verify your identity before you can proceed. 11. Copy the **Consumer Key** and the **Consumer Secret Key**. @@ -49,4 +49,4 @@ The following items are needed: 13. Locate and select **Netwrix Lightning**. 14. Click **I Accept** for the EULA. -**Next Step:** [Using the Getting Started Wizard](using_getting_started_wizard.md) +**Next Step:** [Using the Getting Started Wizard](/docs/strongpointforsalesforce/installing_strongpoint/using_getting_started_wizard.md) diff --git a/docs/strongpointforsalesforce/installing_strongpoint/license_manager.md b/docs/strongpointforsalesforce/installing_strongpoint/license_manager.md index 13b3760ea5..edec30bd13 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/license_manager.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/license_manager.md 
@@ -18,7 +18,7 @@ Click **Configuration and Stats** in the **Resources** section, or open **Settin 3. Copy and paste the **Authorization Token** 4. Click **Accept** - ![input_auth_token](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/input_auth_token.webp) + ![input_auth_token](/img/product_docs/strongpointforsalesforce/installing_strongpoint/input_auth_token.webp) 5. Open **Netwrix Dashboard** > **Scanner** > **Manual Scanners** 6. Click **Name** to select all. diff --git a/docs/strongpointforsalesforce/installing_strongpoint/platform_governor.md b/docs/strongpointforsalesforce/installing_strongpoint/platform_governor.md index 47903f7ac0..ababda642a 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/platform_governor.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/platform_governor.md @@ -6,7 +6,7 @@ Dashboard** > **Settings** > **Platform Governor Status** When Platform Governance for Salesforce reaches the threshold, executions are reschedule for the next day so the organization limit is not reached. -![governor](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/governor.webp) +![governor](/img/product_docs/strongpointforsalesforce/installing_strongpoint/governor.webp) ## Set a Threshold diff --git a/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md b/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md index 2cf7e53824..d4f3d7a618 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md 
@@ -17,7 +17,7 @@ To run the scanner: 3. You can select + beside one or more types to scan or you can scan the whole environment by clicking + on the **Name** row to select all the types. - ![scanner](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner.webp) + ![scanner](/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner.webp) 4. Click **Run Scanner**. 5. The batch runs in the background. You receive an email notification when the scan is complete. @@ -27,16 +27,16 @@ To run the scanner: - Open Salesforce **Setup**. - Search for **apex jobs** or navigate to **Environments** > **Jobs** > **Apex Jobs**. - Click **Create New View**. - ![Set up a Strongpoint scanner view](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner_view.webp) + ![Set up a Strongpoint scanner view](/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner_view.webp) - Enter a **View Name**. The system assigns **View Unique Name**. _Netwrix Jobs1_ is used in this example. - Select **Apex Class** for the **Field**. - Select **starts with** for the **Operator**. - Assign **FLO, Strongpoint** for the **Value**. - Click **Save**. You can now see the status of all of the Strongpoint jobs. - ![Viewing running Strongpoin jobs](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner_view2.webp) + ![Viewing running Strongpoin jobs](/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner_view2.webp) 6. From the Netwrix Dashboard: click **Configuration and Stats** in the **Resources** section, or open **Settings** > **Configuration and Stats**. -**Next Step:** [Validate the Data ](validating_data.md) +**Next Step:** [Validate the Data ](/docs/strongpointforsalesforce/installing_strongpoint/validating_data.md) 
diff --git a/docs/strongpointforsalesforce/installing_strongpoint/sandbox_dev_orgs.md b/docs/strongpointforsalesforce/installing_strongpoint/sandbox_dev_orgs.md index a0d39098fc..c816ae9e7f 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/sandbox_dev_orgs.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/sandbox_dev_orgs.md @@ -27,7 +27,7 @@ You can enable/disable change log, junction, and report creation for a sandbox f From the Netwrix Dashboard: click **Configuration and Stats** in the **Resources** section, or open **Settings** > **Configuration and Stats**. -![Enabling/Disabling Change Log Creation for Sandboxes](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_enable_change_log.webp) +![Enabling/Disabling Change Log Creation for Sandboxes](/img/product_docs/strongpointforsalesforce/installing_strongpoint/config_stats_enable_change_log.webp) -The initial setting is selected on the [Scanner](setting_up_initial_scan.md) page of the **Install +The initial setting is selected on the [Scanner](/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md) page of the **Install Wizard** when installing the sandbox. diff --git a/docs/strongpointforsalesforce/installing_strongpoint/setting_access_permission.md b/docs/strongpointforsalesforce/installing_strongpoint/setting_access_permission.md index 74c4001f9e..d47a7ccd9b 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/setting_access_permission.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/setting_access_permission.md 
@@ -4,14 +4,14 @@ Platform Governance for Salesforce access is only granted to system administrati access to other users: 1. Open Salesforce **Setup** > **Users** > **Users** - ![manageusers](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/manageusers.webp)2. + ![manageusers](/img/product_docs/strongpointforsalesforce/installing_strongpoint/manageusers.webp)2. Click on an existing **User** name. 2. Click **Permission Set Assignments** 3. Click **Edit Assignments**. - ![editassignments](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/editassignments.webp)5. + ![editassignments](/img/product_docs/strongpointforsalesforce/installing_strongpoint/editassignments.webp)5. Select **Strongpoint Grant Permissions** from the **Available Permission Sets** 4. Click **Add**. It should now be shown in the **Enabled Permission Sets**. 5. Click **Save**. - ![enablepermissionsets](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/enablepermissionsets.webp) + ![enablepermissionsets](/img/product_docs/strongpointforsalesforce/installing_strongpoint/enablepermissionsets.webp) The user is ready to view and use Platform Governance for Salesforce. diff --git a/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md b/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md index eb7a1ff1cd..cc3ed53bd4 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md @@ -2,7 +2,7 @@ The Metadata Scanner form is displayed. -![getting_started_wizard5](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5.webp) +![getting_started_wizard5](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5.webp) ## Sandbox Options 
@@ -10,18 +10,18 @@ If you are installing in a sandbox, there is an option for **Change Log Creation change logs are created in the sandbox. Due to Salesforce space limits on different [sandbox accounts](https://help.salesforce.com/articleView?id=data_sandbox_environments.htmandtype=5), you may want to disable change logs to save space. This option can also be accessed on the -[Configuration and Stats](config_and_stats.md) page for the sandbox. +[Configuration and Stats](/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md) page for the sandbox. Here are the options for a Sandbox installation. Be sure to **Save** each setting you change. Scroll down to find the Scanner options. -![Sandbox installation options](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5_sandbox.webp) +![Sandbox installation options](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5_sandbox.webp) ## Start Initial Scan Scroll down to the Metadata Scanner section. -![Scroll to the Scanner section](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5_scan.webp) +![Scroll to the Scanner section](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard5_scan.webp) 1. Click the + by **Name** to select all types for the initial scan. 2. Click **Run Scanner**. A notification message displays when the scan starts. 
@@ -35,7 +35,7 @@ You can schedule the scanners to auto-scan your environment: 2. Select the **Frequency** and **Day**. If you do not specify a time Platform Governance for Salesforce rescans at midnight. - ![getting_started_wizard6](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard6.webp) + ![getting_started_wizard6](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard6.webp) Netwrix recommends you schedule at least the following items: @@ -49,10 +49,10 @@ You can schedule the scanners to auto-scan your environment: The final screen is displayed. Click **Done** to close the wizard. -![getting_started_wizard8](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard8.webp) +![getting_started_wizard8](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard8.webp) If you open the home page, you see the **Scanner Status** is **In Progress**. -![Scanner status on home page](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard11.webp) +![Scanner status on home page](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard11.webp) -**Next Step:** [Run the Scanner](running_scanner.md) +**Next Step:** [Run the Scanner](/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md) diff --git a/docs/strongpointforsalesforce/installing_strongpoint/using_getting_started_wizard.md b/docs/strongpointforsalesforce/installing_strongpoint/using_getting_started_wizard.md index f7b23f89f5..08ba08b881 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/using_getting_started_wizard.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/using_getting_started_wizard.md 
@@ -1,7 +1,7 @@ # Run the Getting Started Wizard The Getting Started Wizard helps you set up Platform Governance for Salesforce after you have done -the [basic installation](installing_strongpoint.md) and configuration. +the [basic installation](/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md) and configuration. To use the Getting Started Wizard: @@ -16,7 +16,7 @@ On the Initial Setup Wizard page, choose the package type you have purchased. If Intelligent Change Management or Enterprise Compliance License, enter the **Input Authorization Token** sent to you. Click **Next**. -![getting_started_wizard2](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard2.webp) +![getting_started_wizard2](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard2.webp) ## Add your Credentials @@ -25,7 +25,7 @@ change, an alert is sent to update the saved credentials. Expired credentials ca scanners to fail. Use **Netwrix Dashboard** > **Settings**> **SP Credentials** to update your credentials. -![getting_started_wizard3](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard3.webp) +![getting_started_wizard3](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard3.webp) 1. On the Credentials page, add the following values: 
@@ -41,12 +41,12 @@ credentials. Once you have set up your credentials, you need to configure the remote site settings. -![Testing the connection](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard10.webp) +![Testing the connection](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_wizard10.webp) 1. Open Salesforce **Setup** > **Security** > **Remote Site Settings**. 2. Click **New Remote Site**. - ![New Remote Site](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_new_rss.webp) + ![New Remote Site](/img/product_docs/strongpointforsalesforce/installing_strongpoint/getting_started_new_rss.webp) 3. Copy/paste the information from the wizard to create the remote sites. 4. Click on **Test Connection**. **Test connection was Successful** is displayed if the connection @@ -54,4 +54,4 @@ Once you have set up your credentials, you need to configure the remote site set issue. 5. Click **Next**. -**Next Step:** [Set Up the Initial Scan](setting_up_initial_scan.md) +**Next Step:** [Set Up the Initial Scan](/docs/strongpointforsalesforce/installing_strongpoint/setting_up_initial_scan.md) diff --git a/docs/strongpointforsalesforce/installing_strongpoint/validating_data.md b/docs/strongpointforsalesforce/installing_strongpoint/validating_data.md index 6622ea296d..e1c3f9c7a7 100644 --- a/docs/strongpointforsalesforce/installing_strongpoint/validating_data.md +++ b/docs/strongpointforsalesforce/installing_strongpoint/validating_data.md @@ -12,7 +12,7 @@ PDF. From the Netwrix Dashboard: click **Configuration and Stats** in the **Resources** section, or open **Settings** > **Configuration and Stats**. -![statusreport](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/statusreport.webp) +![statusreport](/img/product_docs/strongpointforsalesforce/installing_strongpoint/statusreport.webp) ## Dependency Relationship Diagram 
@@ -25,7 +25,7 @@ To validate data with the DRD: 2. Select an **Object(s) Type** from the pull-down menu. 3. Click on a field and validate the data. -![entity_diagram](../../../static/img/product_docs/strongpointforsalesforce/tools/entity_diagram.webp) +![entity_diagram](/img/product_docs/strongpointforsalesforce/tools/entity_diagram.webp) ## Customization Quick Search @@ -38,4 +38,4 @@ To validate data with the Customization Quick Search: 2. Scroll, **Search** or add **Filter(s)** to locate the customization. 3. Click on the **Customization** and validate the data. -![custquicksearch](../../../static/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) +![custquicksearch](/img/product_docs/strongpointfornetsuite/customizations/custquicksearch.webp) diff --git a/docs/strongpointforsalesforce/integrations/integrations_overview.md b/docs/strongpointforsalesforce/integrations/integrations_overview.md index d6d09ecd2a..f844afa705 100644 --- a/docs/strongpointforsalesforce/integrations/integrations_overview.md +++ b/docs/strongpointforsalesforce/integrations/integrations_overview.md @@ -8,7 +8,7 @@ including the impact analysis, release management and change reconciliation feat Integrations with Salesforce include: -- [Jira](../change_management/creating_change_request.md) +- [Jira](/docs/strongpointforsalesforce/change_management/creating_change_request.md) ## Jira 
@@ -23,6 +23,6 @@ logs during an audit. This provides the following benefits to your users: - The ability for auditors to track compliant changes and avoid manually reconciling change tickets to change logs during audit. -![Jira Integration](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_overview.webp) +![Jira Integration](/img/product_docs/strongpointforsalesforce/integrations/jira_overview.webp) -**Next Step:** [ Set Up the Jira Integration](jira_integration.md) +**Next Step:** [ Set Up the Jira Integration](/docs/strongpointforsalesforce/integrations/jira_integration.md) diff --git a/docs/strongpointforsalesforce/integrations/jira_field_map.md b/docs/strongpointforsalesforce/integrations/jira_field_map.md index 7e9d34c6f7..0779ef18e7 100644 --- a/docs/strongpointforsalesforce/integrations/jira_field_map.md +++ b/docs/strongpointforsalesforce/integrations/jira_field_map.md @@ -26,7 +26,7 @@ where you added the custom fields to get the field names. This example maps the Version** and **Salesforce Version Number** fields, using the fields from the **Details** section in Jira. -![Identify fields to map](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_id_fields.webp) +![Identify fields to map](/img/product_docs/strongpointforsalesforce/integrations/field_map_id_fields.webp) ### Verify Field Creation @@ -43,7 +43,7 @@ For this example, the **Strongpoint Version** and **SF Version Number** fields h **Strongpoint Version** is **Strongpoint_Version**c** and **SF Version Number** is **Salesforce_Version_Number**c**. -![Verify fields exist](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_verify_fields.webp) +![Verify fields exist](/img/product_docs/strongpointforsalesforce/integrations/field_map_verify_fields.webp) ### Add Fields to Page Layouts 
@@ -55,20 +55,20 @@ Add the fields to the Page Layouts. **Strongpoint Version** and **SF Version Number** fields have been added to the **Customizations Layout**. - ![Add to layouts](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_layouts.webp) + ![Add to layouts](/img/product_docs/strongpointforsalesforce/integrations/field_map_layouts.webp) 4. Open **Setup** > **Lightning App Builder**. 5. Open your Record Page. This example shows the **Customizations Record** page. Make sure your fields are in the record page and set to visible. - ![Check record page for fields and visibility](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_record.webp) + ![Check record page for fields and visibility](/img/product_docs/strongpointforsalesforce/integrations/field_map_record.webp) ### Update Values In Jira, update the details for the fields. This example sets the **Strongpoint Version** field to **2.2800** and the **Salesforce Version** to **6.1**. -![Update the values](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_set_values.webp) +![Update the values](/img/product_docs/strongpointforsalesforce/integrations/field_map_set_values.webp) ### Access Mapping Configuration @@ -84,7 +84,7 @@ Open the Field Mapping tool: 4. Enter the **Jira Ticket Id**. 5. Click **Get Fields**. - ![Get Fields for mapping](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_get_fields.webp) + ![Get Fields for mapping](/img/product_docs/strongpointforsalesforce/integrations/field_map_get_fields.webp) 6. Review values in each field to locate the Jira API names. In this example, **Salesforce Version Number** is **6.1**, corresponding to **customfield_10071**. **Strongpoint Version** is 
@@ -98,11 +98,11 @@ The Jira API names are required to create the mapping record. 2. Navigate to **CR CustomFields Mapping**. It is added as a tab on the navigation bar. You can click on the down arrow on the tab and add it to your navigation bar. - ![Launch CR CustomFields Mapping](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_launcher.webp) + ![Launch CR CustomFields Mapping](/img/product_docs/strongpointforsalesforce/integrations/field_map_launcher.webp) 3. Click **New** to create the record. - ![Create a new mapping record](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_new_record.webp) + ![Create a new mapping record](/img/product_docs/strongpointforsalesforce/integrations/field_map_new_record.webp) 4. Enter a name for **CR CustomField Mapping Name**. **Strongpoint Version** is used in this example. @@ -117,7 +117,7 @@ The Jira API names are required to create the mapping record. The mapping is now complete. In the next update, the information is populated in the fields and shows in the Netwrix Change Request. -![Field Map complete](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_complete.webp) +![Field Map complete](/img/product_docs/strongpointforsalesforce/integrations/field_map_complete.webp) ### Verify the Change Request @@ -125,4 +125,4 @@ Open the Change Request that contains your mapped fields. Verify the information the example showing the **Strongpoint Version** and **SF Version Number** fields and data appear on the Change Request. -![Verify the Change Request](../../../static/img/product_docs/strongpointforsalesforce/integrations/field_map_change_request.webp) +![Verify the Change Request](/img/product_docs/strongpointforsalesforce/integrations/field_map_change_request.webp) diff --git a/docs/strongpointforsalesforce/integrations/jira_integration.md b/docs/strongpointforsalesforce/integrations/jira_integration.md index 99b112879e..13795fdff1 100644 
--- a/docs/strongpointforsalesforce/integrations/jira_integration.md +++ b/docs/strongpointforsalesforce/integrations/jira_integration.md @@ -26,7 +26,7 @@ To set up the Jira integration: 4. Set Up Status Mapping You can map custom fields between Change Requests and Jira. Refer to -[Jira Field Mapping](jira_field_map.md) for details. +[Jira Field Mapping](/docs/strongpointforsalesforce/integrations/jira_field_map.md) for details. ## Review Your Jira Statuses @@ -54,7 +54,7 @@ your Jira system administrator if you do not have administrative permissions. 2. Select **Apps** > **Explore more Apps >** 3. Search for **Strongpoint**. - ![Strongpoint apps in the Jira Marketplace](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_marketplace.webp) + ![Strongpoint apps in the Jira Marketplace](/img/product_docs/strongpointforsalesforce/integrations/jira_marketplace.webp) 4. Click **Strongpoint for Salesforce** to install the app. @@ -73,7 +73,7 @@ Configure the connected app: 2. Open the Connected App: **Setup** > **Apps** > **App Manager** > **Strongpoint** (where **App Type** = **Connected**) - ![Open the Strongpoint Connected App](../../../static/img/product_docs/strongpointforsalesforce/integrations/connected_app.webp) + ![Open the Strongpoint Connected App](/img/product_docs/strongpointforsalesforce/integrations/connected_app.webp) 3. Click the drop down arrow on the right side and select **Edit**. 4. Set the **Callback URL** to **https://spjira.my.salesforce-sites.com/SpHandleJiraAuth** 
@@ -86,7 +86,7 @@ Configure the connected app: 7. Click **Manage Consumer Details**. - ![Click Manage Consumer Details](../../../static/img/product_docs/strongpointforsalesforce/integrations/manage_consumer_details.webp) + ![Click Manage Consumer Details](/img/product_docs/strongpointforsalesforce/integrations/manage_consumer_details.webp) 8. Copy the Consumer Key and the Consumer Secret codes to a clipboard. You are prompted for this information when you use the app. @@ -100,7 +100,7 @@ alternative. open **Settings** > **Configuration and Stats**. 2. Open the **Jira Configuration** tab. - ![Open the credentials](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_sp_credentials.webp) + ![Open the credentials](/img/product_docs/strongpointforsalesforce/integrations/jira_sp_credentials.webp) 3. Enter your credentials: @@ -127,7 +127,7 @@ Groups/Profiles Visibility to grant the user appropriate access. 1. Open a Jira project. - ![Open a project](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_restrict_access1.webp) + ![Open a project](/img/product_docs/strongpointforsalesforce/integrations/jira_restrict_access1.webp) 2. Select **Strongpoint Sf Settings**. 3. Select the **Project Visability Settings** tab. @@ -157,7 +157,7 @@ Groups/Profiles Visibility to grant the user appropriate access. **Selected Groups** are groups that can see the Platform Governance for Salesforce Jira integration. If **Selected Groups** is blank, all groups have access to the integration. - ![Profile Visibility Settings](../../../static/img/product_docs/strongpointforsalesforce/integrations/profile_visability1.webp) + ![Profile Visibility Settings](/img/product_docs/strongpointforsalesforce/integrations/profile_visability1.webp) 4. Select an existing group and click **Add** to include it as a **Selected Group**. To remove a group from the selected list, select it and click **Remove**. If **Selected Groups** is blank, 
@@ -171,7 +171,7 @@ Groups/Profiles Visibility to grant the user appropriate access. 2. Open the **Jira Configuration** tab. 3. Open the **Status Mapping** tab. - ![Set up the Jira status mappings for Change Request status](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_status_settings.webp) + ![Set up the Jira status mappings for Change Request status](/img/product_docs/strongpointforsalesforce/integrations/jira_status_settings.webp) 4. Enter the mappings between your Jira statuses and the Change Request statuses. You must define your Jira statuses prior to this step. You can enter multiple Jira statuses for each Change @@ -196,4 +196,4 @@ Groups/Profiles Visibility to grant the user appropriate access. changes. 7. Click **Save**. -**Next Step:** [Jira Walkthrough Example](jira_walkthrough_example.md) +**Next Step:** [Jira Walkthrough Example](/docs/strongpointforsalesforce/integrations/jira_walkthrough_example.md) diff --git a/docs/strongpointforsalesforce/integrations/jira_troubleshooting.md b/docs/strongpointforsalesforce/integrations/jira_troubleshooting.md index 700d53ae37..365635afb8 100644 --- a/docs/strongpointforsalesforce/integrations/jira_troubleshooting.md +++ b/docs/strongpointforsalesforce/integrations/jira_troubleshooting.md @@ -11,7 +11,7 @@ _>_ **Jira Configuration** _>_ **Credentials** Solution: -Refer to [Credentials](../installing_strongpoint/config_and_stats.md#credentials) for more +Refer to [Credentials](/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md#credentials) for more information on entering your credentials. ## Error with Mapping Jira Statuses 
@@ -23,7 +23,7 @@ _>_ **Jira Configuration** _->_ **Status Mapping** Solution: -Refer to [Status Mapping](../installing_strongpoint/config_and_stats.md#status-mapping) for more +Refer to [Status Mapping](/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md#status-mapping) for more information on mapping your statuses. ## Error with Salesforce Credentials @@ -58,7 +58,7 @@ Please verify the Consumers Secret from the Connected App. Solution: -Refer to [Credentials](../installing_strongpoint/config_and_stats.md#credentials) for more +Refer to [Credentials](/docs/strongpointforsalesforce/installing_strongpoint/config_and_stats.md#credentials) for more information on entering your credentials ## URL Errors diff --git a/docs/strongpointforsalesforce/integrations/jira_upload_addon_not_showing.md b/docs/strongpointforsalesforce/integrations/jira_upload_addon_not_showing.md index 8e65167c92..33b8362273 100644 --- a/docs/strongpointforsalesforce/integrations/jira_upload_addon_not_showing.md +++ b/docs/strongpointforsalesforce/integrations/jira_upload_addon_not_showing.md @@ -9,4 +9,4 @@ To enable development mode: 2. Click **Settings** 3. Click **Enable development mode** -![Jira Enable Development Mode](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_enable_dev_mode.webp) +![Jira Enable Development Mode](/img/product_docs/strongpointfornetsuite/integrations/jira_enable_dev_mode.webp) diff --git a/docs/strongpointforsalesforce/integrations/jira_walkthrough_example.md b/docs/strongpointforsalesforce/integrations/jira_walkthrough_example.md index 233b5ab253..9d46324ea4 100644 --- a/docs/strongpointforsalesforce/integrations/jira_walkthrough_example.md +++ b/docs/strongpointforsalesforce/integrations/jira_walkthrough_example.md 
@@ -1,8 +1,8 @@ # Jira Walkthrough Example This walkthrough is one example based on our test account. You must -[install and configure](jira_integration.md) the Platform Governance for Salesforce Salesforce Jira -integration, including setting up the **[Jira Statuses](jira_integration.md)** prior to using this +[install and configure](/docs/strongpointforsalesforce/integrations/jira_integration.md) the Platform Governance for Salesforce Salesforce Jira +integration, including setting up the **[Jira Statuses](/docs/strongpointforsalesforce/integrations/jira_integration.md)** prior to using this walkthrough. The walkthrough demonstrates these steps: @@ -20,7 +20,7 @@ The walkthrough demonstrates these steps: 2. Open a Project. 3. Click **Create** (**+**). - ![Create a Jira ticket](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_create_issue.webp) + ![Create a Jira ticket](/img/product_docs/strongpointfornetsuite/integrations/jira_example_create_issue.webp) 4. Enter your information on the **Create issue** form: @@ -38,11 +38,11 @@ The walkthrough demonstrates these steps: 1. Open the **Comments** tab and select **Strongpoint Salesforce**. - ![Accessing the Strongpoint Salesforce app](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_comments_open_app.webp) + ![Accessing the Strongpoint Salesforce app](/img/product_docs/strongpointforsalesforce/integrations/jira_comments_open_app.webp) 2. There are two ways to connect: **Login User** or **Connected App** tabs. - ![Connection options](../../../static/img/product_docs/strongpointforsalesforce/integrations/connection_options.webp) + ![Connection options](/img/product_docs/strongpointforsalesforce/integrations/connection_options.webp) ### Connected App 
@@ -51,7 +51,7 @@ Use the **Connected App** tab if you set up the connected app using the procedur 1. Open the **Connected App** tab. - ![Using the connected app](../../../static/img/product_docs/strongpointforsalesforce/integrations/connection_options_app.webp) + ![Using the connected app](/img/product_docs/strongpointforsalesforce/integrations/connection_options_app.webp) 2. Enter the **Consumer Key** and **Consumer Secret**. 3. Click **Is Sandbox account?** if you are logging in to a sandbox. @@ -65,7 +65,7 @@ If the configuration fails, an error message is displayed. For example, > **error=redirect_uri_mismatch** > > - The 10 minutes timing slot from Salesforce is not completed yet. Please wait -> - If the error persists, check the [Callback URL](jira_integration.md). +> - If the error persists, check the [Callback URL](/docs/strongpointforsalesforce/integrations/jira_integration.md). > > - You may have left a space between the two Callback URLs > - You may have an error in the newly added Callback URL it should be: 
@@ -77,13 +77,13 @@ Enter your Salesforce **Username**, **Password** and **Security Token**. If you SSO: use your SSO Password. The Security token is the changing 6 digit code from your SSO or MFA app. -![Enter your Jira credentials](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_credentials.webp) +![Enter your Jira credentials](/img/product_docs/strongpointforsalesforce/integrations/jira_credentials.webp) If you do not have your security token, you can use these steps to reset your token: 1. Log in to your Salesforce account. 2. Open **View Profile** > **Settings**. - ![Open your Salesforce Profile settings](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_settings.webp) + ![Open your Salesforce Profile settings](/img/product_docs/strongpointforsalesforce/integrations/jira_example_settings.webp) 3. Select **Reset My Security Token** from the menu. 4. Click **Reset Security Token**. Check your email for your new token. 5. Click **Sandbox Account?** if you are using your sandbox. @@ -99,7 +99,7 @@ consecutive attempts to login, your account is suspended for 30 minutes. Once you have logged in, the form is displayed. -![Connection details for the ticket](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_connection.webp) +![Connection details for the ticket](/img/product_docs/strongpointforsalesforce/integrations/jira_connection.webp) - **Synchronized with** displays the connected Org. Click **Change Account** if you need to switch Orgs. 
@@ -111,10 +111,10 @@ Once you have logged in, the form is displayed. the Customization exists in your account, it is added to the **Select Customizations** list. **Add Proposed Customizations** are added to the **Proposed Customizations** list. You can delete added Customizations with the - ![delete](../../../static/img/product_docs/strongpointfornetsuite/integrations/delete.webp) icon. + ![delete](/img/product_docs/strongpointfornetsuite/integrations/delete.webp) icon. - **View DRD** and **Impact Analysis** are tools to Perform Risk Assessment. - **Push** creates the Change Request in Salesforce. **Push** is also used to manually update your - Change Request if you are not using the [Automatic Synchronization](jira_integration.md) feature. + Change Request if you are not using the [Automatic Synchronization](/docs/strongpointforsalesforce/integrations/jira_integration.md) feature. ### Add Existing Customizations by Name or API Name 
@@ -123,14 +123,14 @@ Once you have logged in, the form is displayed. 2. Click **+** to search for matching Customizations. Hover over **View** to display the **Type** and **API Name** for a Customization. - ![Add an existing customization](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_customization_add.webp) + ![Add an existing customization](/img/product_docs/strongpointforsalesforce/integrations/jira_customization_add.webp) 3. Select one or more Customizations. This example uses **Maintenance Type (Parent: Account)**, a customization in the _Strongpoint Demo Org_. 4. Click **Add Selected Customizations**. The selected Customization is added to the **Existing Customizations** list. - ![Add an existing customization](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_add_existing.webp) + ![Add an existing customization](/img/product_docs/strongpointforsalesforce/integrations/jira_example_add_existing.webp) 5. Enter an **API Name** in **Add customization** for **Existing Customizations** and click **+**. This example uses **UpsellOpportunities**, an API in the _Strongpoint Demo Org_. @@ -138,7 +138,7 @@ Once you have logged in, the form is displayed. Customization is added to the **Existing Customizations** list. This example shows **UpsellOpportunities (ApexClass)**, an API in the _Strongpoint Demo Org_. - ![Add an existing customization by API Name](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_add_existing_api.webp) + ![Add an existing customization by API Name](/img/product_docs/strongpointforsalesforce/integrations/jira_example_add_existing_api.webp) ### Add Proposed Customizations 
@@ -149,29 +149,29 @@ In this procedure, we are adding a new Customization. 2. Click (**+**) to add it. If the API Name is valid, and does not match an existing API Name, the new Customization is added to the **Proposed Customizations** list. - ![Add a proposed customization](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_proposed.webp) + ![Add a proposed customization](/img/product_docs/strongpointforsalesforce/integrations/jira_example_proposed.webp) ### Create the Change Request Using the Platform Governance for Salesforce Jira integration, your Change Requests are created automatically when you add a Customization. To setup or update the status mapping, refer to setting -up the **[Jira Statuses](jira_integration.md)** procedure. +up the **[Jira Statuses](/docs/strongpointforsalesforce/integrations/jira_integration.md)** procedure. 1. Change the Jira status of your ticket to match the status set up for **CR In Progress**. For - example, **In Progress**. Refer to setting up the **[Jira Statuses](jira_integration.md)** + example, **In Progress**. Refer to setting up the **[Jira Statuses](/docs/strongpointforsalesforce/integrations/jira_integration.md)** procedure. 2. Click **Push** to create the Change Request if you are not using the - [Automatic Synchronization](jira_integration.md) feature. The change request is created in + [Automatic Synchronization](/docs/strongpointforsalesforce/integrations/jira_integration.md) feature. The change request is created in Salesforce with the **In Progress** status. 3. Expand the **Change Request** field on the right. The status is now **None/In Progress**. There is a link to open the Change Request in Salesforce. 
- ![Change Request is In Progress](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_in_progress_status.webp) + ![Change Request is In Progress](/img/product_docs/strongpointforsalesforce/integrations/jira_example_in_progress_status.webp) Note the **Policy** and **Change Level Req** reflect the most stringent requirement for your selected customizations, in this example, **Change Request**. -![Policy and Change Level Req have been updated](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_policy.webp) +![Policy and Change Level Req have been updated](/img/product_docs/strongpointforsalesforce/integrations/jira_example_policy.webp) ## Perform Risk Assessment 
@@ -181,21 +181,21 @@ The impact analysis tool reviews your customizations for dependencies or risks. Analysis** to run the tool. Here is an example report showing the Customizations that **Cannot be Safely Deleted or Modified** tab: -![Impact analysis report](../../../static/img/product_docs/strongpointfornetsuite/integrations/jira_example_impact_analysis.webp) +![Impact analysis report](/img/product_docs/strongpointfornetsuite/integrations/jira_example_impact_analysis.webp) Before proceeding with your changes, review each warning to ensure your change does not break something. Dependencies can easily be reviewed with the DRD tool. ### View DRD -The [Dependency Relationship Diagram](../tools/viewing_drd.md) (DRD) tool graphically displays your +The [Dependency Relationship Diagram](/docs/strongpointforsalesforce/tools/viewing_drd.md) (DRD) tool graphically displays your Customizations and all dependencies. 1. Click **View DRD**. 2. When the diagram opens, you can explore the dependencies to evaluate the effect of your intended changes. -![Use the DRD to explore dependencies](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_drd.webp) +![Use the DRD to explore dependencies](/img/product_docs/strongpointforsalesforce/integrations/jira_example_drd.webp) ## Ready for Development 
@@ -203,16 +203,16 @@ Once you have resolved any risk or conflicts, your changes are ready for develop 1. Change the Jira status of your ticket to match the status set up for **CR Pending Approval**. For example, **Selected for Development**. -2. Click **Push** if you are not using [Automatic Synchronization](jira_integration.md) to push +2. Click **Push** if you are not using [Automatic Synchronization](/docs/strongpointforsalesforce/integrations/jira_integration.md) to push status changes. 3. Expand the **Change Request** field on the right. The status is now **Pending Approval / In Progress**. There is a link to open the Change Request in Salesforce. - ![Change Request in Pending Approval](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_pending_approval_status.webp) + ![Change Request in Pending Approval](/img/product_docs/strongpointforsalesforce/integrations/jira_example_pending_approval_status.webp) 4. Click the **Go To Record** link to view the Change Request. - ![Change Request is In Progress / Pending Approval](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_pending_approval_change_request.webp) + ![Change Request is In Progress / Pending Approval](/img/product_docs/strongpointforsalesforce/integrations/jira_example_pending_approval_change_request.webp) ## Deploy Changes and Complete the Ticket 
@@ -221,11 +221,11 @@ ticket is ready to be updated. 1. Expand the **Change Request** field on the right. The status is **Approved / In Progress**. - ![Change Request is approved](../../../static/img/product_docs/strongpointforsalesforce/integrations/jira_example_approved_status.webp) + ![Change Request is approved](/img/product_docs/strongpointforsalesforce/integrations/jira_example_approved_status.webp) 2. Change the Jira status of your ticket to match the status set up for **CR Approved**. For example, **Ready for Deployment**. -3. Click **Push** if you are not using [Automatic Synchronization](jira_integration.md) to push +3. Click **Push** if you are not using [Automatic Synchronization](/docs/strongpointforsalesforce/integrations/jira_integration.md) to push status changes. 4. Once your deployment and verification activities are complete, change the Jira status of your ticket to match the status set up **CR Complete**. For example, **Done**. @@ -239,4 +239,4 @@ If you open the Change Request in Salesforce: - **External Created By**: is the user that created the Jira ticket . - **External last Modified by**: is the last user who modified the Jira ticket. - ![user_guide_example](../../../static/img/product_docs/strongpointforsalesforce/integrations/user_guide_example.webp) + ![user_guide_example](/img/product_docs/strongpointforsalesforce/integrations/user_guide_example.webp) diff --git a/docs/strongpointforsalesforce/navigate_strongpoint.md b/docs/strongpointforsalesforce/navigate_strongpoint.md index af7407572f..c5e4046144 100644 --- a/docs/strongpointforsalesforce/navigate_strongpoint.md +++ b/docs/strongpointforsalesforce/navigate_strongpoint.md 
@@ -4,11 +4,11 @@ To access Platform Governance for Salesforce: - Click the Apps Launcher in the upper left of Salesforce. - ![Salesforce App launcher](../../static/img/product_docs/strongpointforsalesforce/app_launcher.webp) + ![Salesforce App launcher](/img/product_docs/strongpointforsalesforce/app_launcher.webp) - Click **Netwrix Lightning**. You may have to click **View All** to see the choices. - ![Select Netwrix Lightning](../../static/img/product_docs/strongpointforsalesforce/app_netwrix_lightning.webp) + ![Select Netwrix Lightning](/img/product_docs/strongpointforsalesforce/app_netwrix_lightning.webp) ## Netwrix Dashboard @@ -25,7 +25,7 @@ Use + to add other tabs. The **Netwrix Dashboard** displays menu tabs, status information, apps, and links. -![sf_home_screen](../../static/img/product_docs/strongpointforsalesforce/sf_home_screen.webp) +![sf_home_screen](/img/product_docs/strongpointforsalesforce/sf_home_screen.webp) Menu tabs access functions through drop down menus: @@ -52,4 +52,4 @@ Click **Find**. **Download Files** opens a list of files created by Platform Governance for Salesforce and the current status. Click on files to download them. -![Download Files](../../static/img/product_docs/strongpointforsalesforce/download_files.webp) +![Download Files](/img/product_docs/strongpointforsalesforce/download_files.webp) diff --git a/docs/strongpointforsalesforce/release_management/deployment_logs.md b/docs/strongpointforsalesforce/release_management/deployment_logs.md index a0ca296e7d..bb091cf27f 100644 --- a/docs/strongpointforsalesforce/release_management/deployment_logs.md +++ b/docs/strongpointforsalesforce/release_management/deployment_logs.md 
@@ -19,7 +19,7 @@ Deployment logs have these sections: ## Sample Deployment Log -![Successful deployment log example](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_log.webp) +![Successful deployment log example](/img/product_docs/strongpointforsalesforce/release_management/deployment_log.webp) ## Deployment Log Detail diff --git a/docs/strongpointforsalesforce/release_management/deployments.md b/docs/strongpointforsalesforce/release_management/deployments.md index 5293d55d8e..54bcf9a25e 100644 --- a/docs/strongpointforsalesforce/release_management/deployments.md +++ b/docs/strongpointforsalesforce/release_management/deployments.md @@ -29,12 +29,12 @@ These steps can be completed after the change request is approved. 1. Open **Change Requests** and select the approved change request. 2. Click **Deploy** in the tool bar. **Deploy** is only available for approved change requests. - ![Deploy Button in Tool Bar](../../../static/img/product_docs/strongpointforsalesforce/release_management/deploy.webp) + ![Deploy Button in Tool Bar](/img/product_docs/strongpointforsalesforce/release_management/deploy.webp) 3. Select the **Source** (from) environment and **Target** (to) environment. 4. Enter your credentials for both environments. - ![Deployment Tool](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool.webp) + ![Deployment Tool](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool.webp) 5. Click **Test Connection** for both environments to ensure your credentials are correct. If your credentials are not correct, you can click on **Save Credentials** and edit. 
@@ -43,7 +43,7 @@ These steps can be completed after the change request is approved. 7. **Save** the Deployment Record. 8. Click **Submit for Approval** - ![Submit Deployment Record for Approval](../../../static/img/product_docs/strongpointforsalesforce/release_management/deploy.webp) + ![Submit Deployment Record for Approval](/img/product_docs/strongpointforsalesforce/release_management/deploy.webp) ## Deploy the Changes @@ -52,11 +52,11 @@ These steps can be completed after the deployment record is approved. 1. Open **Change Requests** and select the approved deployment record. 2. Click **Deploy Changes** - ![Deploy the Approved Changes](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-2.webp) + ![Deploy the Approved Changes](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-2.webp) 3. Click **Retrieve Selected Customizations** - ![Retrieve the Selected Customizations](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-3.webp) + ![Retrieve the Selected Customizations](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-3.webp) This creates a package to: 
@@ -70,14 +70,14 @@ These steps can be completed after the deployment record is approved. 5. Click **Deploy Retrieved Customizations** to start the deployment. This may take some time, since it runs the test cases into the target environment. - ![Run the Deployment](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-4.webp) + ![Run the Deployment](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-4.webp) ## Complete the Process When the deployment process is finished: -1. Check the [Deployment Logs](deployment_logs.md). +1. Check the [Deployment Logs](/docs/strongpointforsalesforce/release_management/deployment_logs.md). 2. Fix any errors and repeat the deployment if needed. 3. Once the deployment is successful, open the change request and set the status to **Completed**. - ![Complete the Process](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-5.webp) + ![Complete the Process](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-5.webp) diff --git a/docs/strongpointforsalesforce/release_management/multiple_env_deployment_tracking.md b/docs/strongpointforsalesforce/release_management/multiple_env_deployment_tracking.md index 92208956c7..d412f957bc 100644 --- a/docs/strongpointforsalesforce/release_management/multiple_env_deployment_tracking.md +++ b/docs/strongpointforsalesforce/release_management/multiple_env_deployment_tracking.md 
@@ -40,13 +40,13 @@ Once the change request is approved: 1. Click on **Sync CR**. - ![Sync the Change Request](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pull_sync_cr.webp) + ![Sync the Change Request](/img/product_docs/strongpointforsalesforce/release_management/push_pull_sync_cr.webp) 2. Choose a **Saved Environment**. (Where you plan on developing/testing solutions and/or customizations.) 3. Add your **Credentials**. - ![Enter your credentials](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pull_popup.webp) + ![Enter your credentials](/img/product_docs/strongpointforsalesforce/release_management/push_pull_popup.webp) 4. Click on **Test Connection** to make sure your credentials are correct. If your credentials are not correct,click on **Save Credentials** and edit. @@ -63,7 +63,7 @@ Once the change request is approved: 5. Click **Push**. 6. Click **Push CR**. -![pushcr](../../../static/img/product_docs/strongpointforsalesforce/release_management/pushcr.webp) +![pushcr](/img/product_docs/strongpointforsalesforce/release_management/pushcr.webp) After the push, the Change Request in Production has a related deployment record. @@ -71,9 +71,9 @@ After the push, the Change Request in Production has a related deployment record 1. Open the **Related Lists** tab on your change request. 2. Click on **Run Compare Tool**. Refer to - [Compare Environments](../tools/environment_comparison.md) for more information. + [Compare Environments](/docs/strongpointforsalesforce/tools/environment_comparison.md) for more information. - ![Run the Compare Environment tool](../../../static/img/product_docs/strongpointforsalesforce/release_management/apex_enviro_comparison.webp) + ![Run the Compare Environment tool](/img/product_docs/strongpointforsalesforce/release_management/apex_enviro_comparison.webp) 3. Click **Deploy** in the change request tool bar. **Deploy** is only available for approved change requests. 
@@ -88,11 +88,11 @@ These steps can be completed after the deployment record is approved. 1. Open **Change Requests** and select the approved deployment record. 2. Click **Deploy Changes** - ![Deploy the Approved Changes](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-2.webp) + ![Deploy the Approved Changes](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-2.webp) 3. Click **Retrieve Selected Customizations** - ![Retrieve the Selected Customizations](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-3.webp) + ![Retrieve the Selected Customizations](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-3.webp) This creates a package to: @@ -106,7 +106,7 @@ These steps can be completed after the deployment record is approved. 5. Click **Deploy Retrieved Customizations** to start the deployment. This may take some time, since it runs the test cases into the target environment. - ![Run the Deployment](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-4.webp) + ![Run the Deployment](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-4.webp) 6. Run the Compare Tool to verify all changes moved correctly. 
@@ -114,8 +114,8 @@ These steps can be completed after the deployment record is approved. When the deployment process is finished: -1. Check the [Deployment Logs](deployment_logs.md). +1. Check the [Deployment Logs](/docs/strongpointforsalesforce/release_management/deployment_logs.md). 2. Fix any errors and repeat the deployment if needed. 3. Once the deployment is successful, open the change request and set the status to **Completed**. - ![Complete the Process](../../../static/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-5.webp) + ![Complete the Process](/img/product_docs/strongpointforsalesforce/release_management/deployment_tool-5.webp) diff --git a/docs/strongpointforsalesforce/release_management/multiple_environments.md b/docs/strongpointforsalesforce/release_management/multiple_environments.md index 337cfecd6b..86e53353d9 100644 --- a/docs/strongpointforsalesforce/release_management/multiple_environments.md +++ b/docs/strongpointforsalesforce/release_management/multiple_environments.md 
@@ -14,20 +14,20 @@ Salesforce is installed, and to deploy changes and promote code from one environ 1. Open **Change Requests** and locate the completed change request to push/pull. - ![Open Completed Change Request](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pullcr-1.webp) + ![Open Completed Change Request](/img/product_docs/strongpointforsalesforce/release_management/push_pullcr-1.webp) 2. Edit the change request and add all necessary details. - ![Edit the Change Request](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pull_cr.webp) + ![Edit the Change Request](/img/product_docs/strongpointforsalesforce/release_management/push_pull_cr.webp) 3. Click on **Sync CR**. - ![Sync the Change Request](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pull_sync_cr.webp) + ![Sync the Change Request](/img/product_docs/strongpointforsalesforce/release_management/push_pull_sync_cr.webp) 4. Choose a **Saved Environment**, where you are planning to push or pull the Change Request. 5. Add your **Credentials**. - ![Enter Credentials](../../../static/img/product_docs/strongpointforsalesforce/release_management/push_pull_popup.webp) + ![Enter Credentials](/img/product_docs/strongpointforsalesforce/release_management/push_pull_popup.webp) 6. Click on **Test Connection** to make sure your credentials are correct. If your credentials are not correct, you can click on **Save Credentials** and edit. @@ -39,7 +39,7 @@ To push a change request into another environment: 1. Click **Push**. 2. Click **Push CR**. - ![pushcr](../../../static/img/product_docs/strongpointforsalesforce/release_management/pushcr.webp) + ![pushcr](/img/product_docs/strongpointforsalesforce/release_management/pushcr.webp) Your Change Request is pushed to your selected environment. 
@@ -50,11 +50,11 @@ To pull a change request from the selected environment: 1. Select **Pull** 2. Click on **Get Change Requests** - ![pullcr](../../../static/img/product_docs/strongpointforsalesforce/release_management/pullcr.webp) + ![pullcr](/img/product_docs/strongpointforsalesforce/release_management/pullcr.webp) 3. Add the change requests you want to pull from the selected environment. - ![pullchangerequest](../../../static/img/product_docs/strongpointforsalesforce/release_management/pullchangerequest.webp) + ![pullchangerequest](/img/product_docs/strongpointforsalesforce/release_management/pullchangerequest.webp) 4. Click **Pull Change Request.** diff --git a/docs/strongpointforsalesforce/release_management/release_management_overview.md b/docs/strongpointforsalesforce/release_management/release_management_overview.md index fc8104f995..d8836f3ee7 100644 --- a/docs/strongpointforsalesforce/release_management/release_management_overview.md +++ b/docs/strongpointforsalesforce/release_management/release_management_overview.md @@ -7,10 +7,10 @@ deployments are released. Release Management is enabled for Intelligent Change Management and Enterprise Compliance Licenses. -> [Deployments](deployments.md): Documents your deployment process so you can safely moves +> [Deployments](/docs/strongpointforsalesforce/release_management/deployments.md): Documents your deployment process so you can safely moves > deployments from one environment to another. > -> [Rollback](rollback.md): Enables you to safely rollback your deployments. +> [Rollback](/docs/strongpointforsalesforce/release_management/rollback.md): Enables you to safely rollback your deployments. > -> [Multiple Environment Deployment](multiple_environments.md): Manages changes between your +> [Multiple Environment Deployment](/docs/strongpointforsalesforce/release_management/multiple_environments.md): Manages changes between your > Production, Development and Testing accounts. 
diff --git a/docs/strongpointforsalesforce/release_management/rollback.md b/docs/strongpointforsalesforce/release_management/rollback.md index a2340203a8..dc26927d89 100644 --- a/docs/strongpointforsalesforce/release_management/rollback.md +++ b/docs/strongpointforsalesforce/release_management/rollback.md @@ -17,12 +17,12 @@ The Deployment Record status must be **Completed** to be eligible for Rollback. change the view to **Deployments**. 2. Click **Rollback** - ![Rollback button is only available for Completed Deployment Records](../../../static/img/product_docs/strongpointforsalesforce/release_management/rollback_button.webp) + ![Rollback button is only available for Completed Deployment Records](/img/product_docs/strongpointforsalesforce/release_management/rollback_button.webp) 3. Click **Test Connection** to ensure your credentials are working. If your credentials are not correct, you can click on **Save Credentials** and edit. - ![Rollback selected customizations](../../../static/img/product_docs/strongpointforsalesforce/release_management/rollback_selected.webp) + ![Rollback selected customizations](/img/product_docs/strongpointforsalesforce/release_management/rollback_selected.webp) 4. By default, all of the customizations are selected for rollback. Deselect any customizations to keep. The **Rollback Type** specifies the effect of the rollback: @@ -34,7 +34,7 @@ The Deployment Record status must be **Completed** to be eligible for Rollback. 5. Click **Rollback Selected Customizations**. The **Rollback Confirmation** is displayed. - ![Rollback confirmation](../../../static/img/product_docs/strongpointforsalesforce/release_management/rollback_confirmation.webp) + ![Rollback confirmation](/img/product_docs/strongpointforsalesforce/release_management/rollback_confirmation.webp) 6. Click **Yes** to continue. A Rollback Record is created. 7. Click **Submit for Approval** on the Rollback Record. 
@@ -49,12 +49,12 @@ The Rollback Record must be approved before it can be executed. 3. Click **Execute Rollback**. A Confirmation is displayed. Click **Yes** to continue. 4. When the rollback is complete, click **Validate Rollback**. - ![Validate the Rollback](../../../static/img/product_docs/strongpointforsalesforce/release_management/rollback_validation.webp) + ![Validate the Rollback](/img/product_docs/strongpointforsalesforce/release_management/rollback_validation.webp) 5. Open **Netwrix Dashboard** > **Reports** > **Release and Deployment** > **Rollback Logs** You can use **Customize** to add the **Status** column to your report. Here is an example of a - failed rollback [deployment log](deployment_logs.md). + failed rollback [deployment log](/docs/strongpointforsalesforce/release_management/deployment_logs.md). - ![Review the Rollback log](../../../static/img/product_docs/strongpointforsalesforce/release_management/rollback_log.webp) + ![Review the Rollback log](/img/product_docs/strongpointforsalesforce/release_management/rollback_log.webp) 6. Click on the report to open it. Check the **Notes & Attachments** for a rollback validation file. diff --git a/docs/strongpointforsalesforce/reports/deployment_logs_environment_compare.md b/docs/strongpointforsalesforce/reports/deployment_logs_environment_compare.md index da3202638a..270be21a6d 100644 --- a/docs/strongpointforsalesforce/reports/deployment_logs_environment_compare.md +++ b/docs/strongpointforsalesforce/reports/deployment_logs_environment_compare.md 
@@ -57,10 +57,10 @@ indicates the current column and sort order being used for the results. > > **Created Date**: Date of the environment compare. Format is _dd/mm/yyyy_ -![Environment Compare Log Report](../../../static/img/product_docs/strongpointforsalesforce/reports/report_deploy_env_compare.webp) +![Environment Compare Log Report](/img/product_docs/strongpointforsalesforce/reports/report_deploy_env_compare.webp) ## Sample Environment Compare Log Click on a **Log Name** link to open the log. -![Example Environment Compare Log](../../../static/img/product_docs/strongpointforsalesforce/reports/deploy_compare_env_log.webp) +![Example Environment Compare Log](/img/product_docs/strongpointforsalesforce/reports/deploy_compare_env_log.webp) diff --git a/docs/strongpointforsalesforce/reports/deployment_logs_failures.md b/docs/strongpointforsalesforce/reports/deployment_logs_failures.md index d6911839f7..8c912407f3 100644 --- a/docs/strongpointforsalesforce/reports/deployment_logs_failures.md +++ b/docs/strongpointforsalesforce/reports/deployment_logs_failures.md @@ -74,4 +74,4 @@ indicates the current column and sort order being used for the results. > > **# of Test Errors**: Total number of errors. -![Deployment Log Report with Failures](../../../static/img/product_docs/strongpointforsalesforce/reports/report_deploy_failures.webp) +![Deployment Log Report with Failures](/img/product_docs/strongpointforsalesforce/reports/report_deploy_failures.webp) diff --git a/docs/strongpointforsalesforce/reports/deployment_logs_pending_approval.md b/docs/strongpointforsalesforce/reports/deployment_logs_pending_approval.md index b3f3d0ab87..f33c977b6e 100644 --- a/docs/strongpointforsalesforce/reports/deployment_logs_pending_approval.md +++ b/docs/strongpointforsalesforce/reports/deployment_logs_pending_approval.md 
@@ -68,4 +68,4 @@ indicates the current column and sort order being used for the results. > > **Source Environment**: Source environment for the deployment. -![report_deploy_pend_approval](../../../static/img/product_docs/strongpointforsalesforce/reports/report_deploy_pend_approval.webp) +![report_deploy_pend_approval](/img/product_docs/strongpointforsalesforce/reports/report_deploy_pend_approval.webp) diff --git a/docs/strongpointforsalesforce/reports/deployment_logs_rollback.md b/docs/strongpointforsalesforce/reports/deployment_logs_rollback.md index 16ebbf0d50..1a1f5d5a12 100644 --- a/docs/strongpointforsalesforce/reports/deployment_logs_rollback.md +++ b/docs/strongpointforsalesforce/reports/deployment_logs_rollback.md @@ -59,4 +59,4 @@ indicates the current column and sort order being used for the results. > > **Components Deployed**: Number of components deployed. -![Deployment Rollback Report](../../../static/img/product_docs/strongpointforsalesforce/reports/report_deploy_rollbacks.webp) +![Deployment Rollback Report](/img/product_docs/strongpointforsalesforce/reports/report_deploy_rollbacks.webp) diff --git a/docs/strongpointforsalesforce/reports/deployment_logs_success.md b/docs/strongpointforsalesforce/reports/deployment_logs_success.md index 3ca00cb1b2..2816795619 100644 --- a/docs/strongpointforsalesforce/reports/deployment_logs_success.md +++ b/docs/strongpointforsalesforce/reports/deployment_logs_success.md @@ -68,4 +68,4 @@ indicates the current column and sort order being used for the results. > > **Tests Selected**: Number of selected tests. -![Successful Deployment Logs Report](../../../static/img/product_docs/strongpointforsalesforce/reports/report_deploy_success.webp) +![Successful Deployment Logs Report](/img/product_docs/strongpointforsalesforce/reports/report_deploy_success.webp) 
diff --git a/docs/strongpointforsalesforce/reports/reports_overview.md b/docs/strongpointforsalesforce/reports/reports_overview.md index a8b75b1d58..3dd7867e6d 100644 --- a/docs/strongpointforsalesforce/reports/reports_overview.md +++ b/docs/strongpointforsalesforce/reports/reports_overview.md @@ -25,7 +25,7 @@ Open **Strongpoint** > **Scanner** > **Scheduler** set to **Daily**. If you have questions, contact your CSM or Salesforce Specialist. -![Enabling reports](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_enabled.webp) +![Enabling reports](/img/product_docs/strongpointforsalesforce/reports/access_reports_enabled.webp) ## Access Reports @@ -42,12 +42,12 @@ name. Separate each name with a comma. > **Permissions by Object**: Displays the permissions on each object for all Permission Sets and > Profiles. > -> ![Permission by object](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_permission_by_object.webp) +> ![Permission by object](/img/product_docs/strongpointforsalesforce/reports/access_reports_permission_by_object.webp) > > **Object Permission by Profile/PermSet**: Displays the object permissions organized by Permission > Set and Profile. > -> ![Access report by PermissionSet/Profile](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_permission_by_permset.webp) +> ![Access report by PermissionSet/Profile](/img/product_docs/strongpointforsalesforce/reports/access_reports_permission_by_permset.webp) > > **Users to Profiles/PermissionSets**: Displays the Profile, PermissionSet and PermissionSet Group > assigned to each user. You can filter the report information. For example, if you want a list of 
@@ -60,17 +60,17 @@ name. Separate each name with a comma. > Profiles. If your org does not use the **Expires on** feature, you can remove the column from the > report. > -> ![Users to Profile/PermissionSets](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_users_to_profile.webp) +> ![Users to Profile/PermissionSets](/img/product_docs/strongpointforsalesforce/reports/access_reports_users_to_profile.webp) > > **Profiles to PermissionsSets Changes**: Displays the changes made to your Profiles, > PermissionSets,and PermissionSet Groups. If there is an active policy, the **Compliance** column > displays whether the change was Compliant or Non-Compliant. If no policy, all changes are > Compliant. > -> ![Access Report Profile Permissions Changes](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_profile_changes.webp) +> ![Access Report Profile Permissions Changes](/img/product_docs/strongpointforsalesforce/reports/access_reports_profile_changes.webp) > > **Changes to Users**: Displays the changes to tracked user data fields. Refer to -> [Enhanced CPQ Support](../change_management/enhanced_cpq_support.md) for more information on +> [Enhanced CPQ Support](/docs/strongpointforsalesforce/change_management/enhanced_cpq_support.md) for more information on > setting up tracking. > > If you see the message: _--String too long - Skipped lines due to CPU limit reached--_ it simply 
@@ -78,23 +78,23 @@ name. Separate each name with a comma. > Platform Governance for Salesforcet skips the record and continues the scan the next day to ensure > there is no impact to your org. > -> ![Changes to Users](../../../static/img/product_docs/strongpointforsalesforce/reports/accses_reports_user_changes.webp) +> ![Changes to Users](/img/product_docs/strongpointforsalesforce/reports/accses_reports_user_changes.webp) > > **Record Types and Page Layout Assignments**: Displays the objects, record types and assigned > layouts organized by profile. > -> ![Access Reports Record Types and Layouts](../../../static/img/product_docs/strongpointforsalesforce/reports/access_reports_record_types.webp) +> ![Access Reports Record Types and Layouts](/img/product_docs/strongpointforsalesforce/reports/access_reports_record_types.webp) > > **System Permissions**: displays the list of System Permissions, the Profile or Permission set > that has access to it and the list of Users that have this system permission enabled. > -> ![System Permissions](../../../static/img/product_docs/strongpointforsalesforce/reports/report_systems_permissions.webp) +> ![System Permissions](/img/product_docs/strongpointforsalesforce/reports/report_systems_permissions.webp) > > **Field Permissions**: Displays the related objects, shows if there is a Read / Edit permission, > the Profile or Permission set that give that field level access and the users related to those > Profiles and permission sets. > -> ![Field Permissions report](../../../static/img/product_docs/strongpointforsalesforce/reports/report_field_permissions.webp) +> ![Field Permissions report](/img/product_docs/strongpointforsalesforce/reports/report_field_permissions.webp) > > To generate this report: 
> @@ -175,27 +175,27 @@ These reports are available from **Netwrix Dashboard** > **Reports** > **Customi These reports are available from **Netwrix Dashboard** > **Reports** > **Clean Up**. -> [Default Clean Up List View](../clean_up/cleanup_reports.md#default-clean-up-list-view) +> [Default Clean Up List View](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#default-clean-up-list-view) > -> [Open Clean Up Status](../clean_up/cleanup_reports.md#open-clean-up-status) +> [Open Clean Up Status](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#open-clean-up-status) > -> [Clean Up Waiting for Info](../clean_up/cleanup_reports.md#clean-up-waiting-for-info) +> [Clean Up Waiting for Info](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#clean-up-waiting-for-info) > -> [Customizations Excluded from Clean Up](../clean_up/cleanup_reports.md#customizations-excluded-from-clean-up) +> [Customizations Excluded from Clean Up](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#customizations-excluded-from-clean-up) > -> [Unused Fields](../clean_up/cleanup_reports.md#unused-fields) +> [Unused Fields](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#unused-fields) > -> [Unused Apex Code](../clean_up/cleanup_reports.md#unused-apex-code) +> [Unused Apex Code](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#unused-apex-code) > -> [Unused Reports](../clean_up/cleanup_reports.md#unused-reports) +> [Unused Reports](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#unused-reports) > -> [Customizations with Inactive Owners](../clean_up/cleanup_reports.md#customizations-with-inactive-owners) +> [Customizations with Inactive Owners](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#customizations-with-inactive-owners) > -> [Customizations without Related Processes](../clean_up/cleanup_reports.md#customizations-without-related-processes) +> [Customizations without Related 
Processes](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#customizations-without-related-processes) > -> [Custom Fields without Help Text](../clean_up/cleanup_reports.md#custom-fields-without-help-text) +> [Custom Fields without Help Text](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#custom-fields-without-help-text) > -> [Custom Fields without Description](../clean_up/cleanup_reports.md#custom-fields-without-description) +> [Custom Fields without Description](/docs/strongpointforsalesforce/clean_up/cleanup_reports.md#custom-fields-without-description) ## Change Enablement @@ -236,13 +236,13 @@ These reports are available from **Netwrix Dashboard** > **Reports** > **Change These reports are available from **Netwrix Dashboard** > **Reports** > **Release and Deployment**. -> [Success Deployments](deployment_logs_success.md) +> [Success Deployments](/docs/strongpointforsalesforce/reports/deployment_logs_success.md) > -> [Deployments with Failures](deployment_logs_failures.md) +> [Deployments with Failures](/docs/strongpointforsalesforce/reports/deployment_logs_failures.md) > -> [Deployments Pending Approval](deployment_logs_pending_approval.md) +> [Deployments Pending Approval](/docs/strongpointforsalesforce/reports/deployment_logs_pending_approval.md) > -> [Rollback Logs](deployment_logs_rollback.md) +> [Rollback Logs](/docs/strongpointforsalesforce/reports/deployment_logs_rollback.md) ## Audit Reports diff --git a/docs/strongpointforsalesforce/scanners/daily_scan.md b/docs/strongpointforsalesforce/scanners/daily_scan.md index d38a960bd4..fb645e1afb 100644 --- a/docs/strongpointforsalesforce/scanners/daily_scan.md +++ b/docs/strongpointforsalesforce/scanners/daily_scan.md 
@@ -5,7 +5,7 @@ is to scan all objects. Open **Netwrix Dashboard** > **Scanners** > **Daily Scan Configuration** -![Daily Scan configuration](../../../static/img/product_docs/strongpointforsalesforce/scanners/daily_scan.webp) +![Daily Scan configuration](/img/product_docs/strongpointforsalesforce/scanners/daily_scan.webp) 1. Select an optional **Category filter**. 2. Select an optional **Sub-Category filter**. diff --git a/docs/strongpointforsalesforce/scanners/field_level_scanner.md b/docs/strongpointforsalesforce/scanners/field_level_scanner.md index 969d908349..75091d07a6 100644 --- a/docs/strongpointforsalesforce/scanners/field_level_scanner.md +++ b/docs/strongpointforsalesforce/scanners/field_level_scanner.md @@ -7,12 +7,12 @@ Run the scanners before you search to ensure you have the latest data. 1. Open **Netwrix Dashboard** > **Scanner** > Field-Level Security Scanner. - ![Open the Field Level Security Scanner](../../../static/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner.webp) + ![Open the Field Level Security Scanner](/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner.webp) 2. Start typing the name of a **Salesforce Object**. Pick from the completion list. 3. Click **Search Fields**. - ![Field Level Scanner example](../../../static/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_example.webp) + ![Field Level Scanner example](/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_example.webp) 4. Select one or more fields to scan. The **Customization Name** is a link to the Customization Record. 
@@ -22,11 +22,11 @@ Run the scanners before you search to ensure you have the latest data. 5. Selected fields are shown in a list at the bottom of the form. You can uncheck individual fields or all fields from the **Selected Field** list. - ![Removal list](../../../static/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_remove.webp) + ![Removal list](/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_remove.webp) 6. Click **Run Scanner**. Once the scan is complete, open the Reports tab and select Field Permissions Report. The report is also available from the Netwrix Dashboard: **Reports** > **Access Reports** > **Field Permissions**. -![Field Permissions Report](../../../static/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_report.webp) +![Field Permissions Report](/img/product_docs/strongpointforsalesforce/scanners/field_level_scanner_report.webp) diff --git a/docs/strongpointforsalesforce/scanners/scanner_overview.md b/docs/strongpointforsalesforce/scanners/scanner_overview.md index 5e50bc2a05..3cca4e0bec 100644 --- a/docs/strongpointforsalesforce/scanners/scanner_overview.md +++ b/docs/strongpointforsalesforce/scanners/scanner_overview.md 
@@ -2,11 +2,11 @@ The Scanner menu is located on the Netwrix Dashboard page. -- [Scheduler](scheduler.md) schedules automatic scans. -- [Manual Scanners](../installing_strongpoint/running_scanner.md) accesses the list of scanners +- [Scheduler](/docs/strongpointforsalesforce/scanners/scheduler.md) schedules automatic scans. +- [Manual Scanners](/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md) accesses the list of scanners where you can select one or more to run. **Manual Scanners** can also be run from **Netwrix Dashboard**. -- [Daily Scan Configuration](daily_scan.md) enables an administrator to select object types for +- [Daily Scan Configuration](/docs/strongpointforsalesforce/scanners/daily_scan.md) enables an administrator to select object types for daily scanning, instead of defaulting to all types. -- [Field Level Security Scanner](field_level_scanner.md) displays all fields using the selected +- [Field Level Security Scanner](/docs/strongpointforsalesforce/scanners/field_level_scanner.md) displays all fields using the selected Salesforce object. diff --git a/docs/strongpointforsalesforce/scanners/scheduler.md b/docs/strongpointforsalesforce/scanners/scheduler.md index 71422e2b0d..169e00779e 100644 --- a/docs/strongpointforsalesforce/scanners/scheduler.md +++ b/docs/strongpointforsalesforce/scanners/scheduler.md @@ -10,7 +10,7 @@ To use the scheduler tool: 1. Open **Netwrix Dashboard** > **Scanner** > **Scheduler** All categories are initially disabled by default. - ![scheduler](../../../static/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) + ![scheduler](/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) 2. Select the category to automate by clicking on **Disabled** to enable it. There is no save button, automation is turned on and saved by toggling **Disabled**/**Enabled**. 
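Review bot: In docs/strongpointforsalesforce/scanners/scheduler.md (hunk @@ -10,7 +10,7 @@), the rewritten image link still points into the clean_up asset folder, `/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp`, although the page lives under scanners/ and the other scanner pages in this patch (daily_scan.md, field_level_scanner.md) load their images from `.../scanners/`. Please confirm the file exists at that location now that the path is site-absolute, and consider moving the asset under scanners/ in a follow-up. The alt text `scheduler` could also be made descriptive, as it is on the other scanner pages.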
diff --git a/docs/strongpointforsalesforce/settings/credentials.md b/docs/strongpointforsalesforce/settings/credentials.md index df38e00fdb..722bfef32e 100644 --- a/docs/strongpointforsalesforce/settings/credentials.md +++ b/docs/strongpointforsalesforce/settings/credentials.md @@ -3,10 +3,10 @@ Credentials organizes your user credentials across all environments It is available from **Netwrix Dashboard** > **Settings** > **SP Credentials** -![credentials_handler](../../../static/img/product_docs/strongpointforsalesforce/settings/credentials_handler.webp) +![credentials_handler](/img/product_docs/strongpointforsalesforce/settings/credentials_handler.webp) You must create a Connected App to run the scanner. Refer to -[Install Platform Governance for Salesforce](../installing_strongpoint/installing_strongpoint.md) +[Install Platform Governance for Salesforce](/docs/strongpointforsalesforce/installing_strongpoint/installing_strongpoint.md) for instructions. Click **New** to add a new credential or **Edit** and existing credential. **Search** finds and 
@@ -21,12 +21,12 @@ Click **Save** when complete. When you follow the **Click here to proceed** link on the Environment Comparison tool, it opens the Credentials Handler where you can add, edit and sync your credentials. -![Credentials Handler](../../../static/img/product_docs/strongpointforsalesforce/settings/credentials_list.webp) +![Credentials Handler](/img/product_docs/strongpointforsalesforce/settings/credentials_list.webp) Click **New** to add a new credential or **Edit** and existing credential. **Search** finds and filters information from the current credentials list. -![credentials_handler_edit](../../../static/img/product_docs/strongpointforsalesforce/settings/credentials_handler_edit.webp) +![credentials_handler_edit](/img/product_docs/strongpointforsalesforce/settings/credentials_handler_edit.webp) 1. Enter or edit the environment and credential information. Check **Sandbox** if applicable. 2. Click **Save**. diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_auto_documentation.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_auto_documentation.md index a7e137732b..8dfb181004 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_auto_documentation.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_auto_documentation.md @@ -8,7 +8,7 @@ diagrams and clean up tools. You can print or export results for offline referen > **TIP** > > **Learning About the Scanners**: Review the -> [Running the Scanner](../installing_strongpoint/running_scanner.md) topic or reach out to the +> [Running the Scanner](/docs/strongpointforsalesforce/installing_strongpoint/running_scanner.md) topic or reach out to the > Customer Success team. It takes half an hour or so to get set up and on your way. > > The scanning process is a function of size: smaller orgs index in only a few hours, while large 
@@ -34,36 +34,36 @@ straightforward, simple process. There are a number of ways to do this: ## Dependency Relationship Diagram (DRD) -The [DRD](../tools/viewing_drd.md) is a graphical presentation of an object to help you visualize +The [DRD](/docs/strongpointforsalesforce/tools/viewing_drd.md) is a graphical presentation of an object to help you visualize the dependencies. 1. The DRD can be launched from both the Home tab and the Tools menu. Open **Netwrix Dashboard** > **Tools** > **Dependency Relationship Diagram**, and select an object from the list. - ![Opening an item in the DRD](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_10.webp) + ![Opening an item in the DRD](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_10.webp) From the **Netwrix Dashboard** tab, use the **DRD Generator** to launch the DRD for a particular Customization. You can search by **Name** or **API Name**. - ![Opening an item in the DRD](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_1.webp) + ![Opening an item in the DRD](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_1.webp) 2. Click an attribute to expand the metadata record and view all the dependencies. Drill down for details so you can fully understand the downstream dependencies. - ![Viewing dependencies in the DRD](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_13.webp) + ![Viewing dependencies in the DRD](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_13.webp) 3. The DRD exposes other critical metadata such as the Owner, API Name, Data Type, and Date Last Used (DLU). This data expedites clean up, enabling you to filter and group Customizations in List Views or Reports. 
- ![Drilling into a dependency in the DRD](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_11.webp) + ![Drilling into a dependency in the DRD](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_11.webp) 4. Click **Open Record** to open the full Customization Record with complete access to the detailed metadata and change history for the Customization. > **PRO TIPS** > -> - Read more about the [Customization Record](../customizations/customizations_overview.md). +> - Read more about the [Customization Record](/docs/strongpointforsalesforce/customizations/customizations_overview.md). > - Click **Show/Hide Standard Fields** to toggle displaying Standard Fields in the DRD. ## Customization Record @@ -88,7 +88,7 @@ If you have Intelligent Change Enablement, you also see: The tabs on each Customization record break out the information you need to fully understand the basic metadata, dependencies by type and change history (requires _Intelligent Change Enablement_ or -_Enterprise Compliance_ [license](../installing_strongpoint/features_by_license_type.md)). Click +_Enterprise Compliance_ [license](/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md)). Click **Go To Record** to open the actual Salesforce record for users with proper access. Customization records can be edited to assist in organizing records for clean up and optimization. @@ -107,7 +107,7 @@ Here are five methods to access Customizations to explore: ## Finder -[Finder](../tools/finder.md) is another flexible tool for understanding dependencies across objects. +[Finder](/docs/strongpointforsalesforce/tools/finder.md) is another flexible tool for understanding dependencies across objects. You can search for Customizations by: - Text / API Name 
@@ -122,12 +122,12 @@ exported in PDF or Excel formats. ## Object Exporter Object Exporter enables exporting information about entire objects, profiles or users into Excel for -further research. Read more on [Exporting Objects](../tools/export_objects.md), -[Exporting Profiles](../tools/export_profiles.md) and [Exporting Users](../tools/export_users.md). +further research. Read more on [Exporting Objects](/docs/strongpointforsalesforce/tools/export_objects.md), +[Exporting Profiles](/docs/strongpointforsalesforce/tools/export_profiles.md) and [Exporting Users](/docs/strongpointforsalesforce/tools/export_users.md). ## Reports and List Views Platform Governance for Salesforce is fully built into Salesforce so you can take advantage our our libraries of List Views and Reports or build your own. -**Next Technical Debt Topic:** [Change Monitoring](tech_debt_change_monitoring.md) +**Next Technical Debt Topic:** [Change Monitoring](/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md index f8d3966459..a4bf51a009 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md 
@@ -42,7 +42,7 @@ Policies can also be used to block unauthorized changes. Netwrix recommends our default policy as a foundational best practice. In addition, consider Specific Monitoring for anything needing special protection. -![Strongpoint Default Policy](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_5.webp) +![Strongpoint Default Policy](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_5.webp) Platform Governance for Salesforce documents **Unresolved Non-Compliant Changes** in both a List View and a Report. Both show you all the changes that should have received approval and the level of @@ -54,7 +54,7 @@ process, you can restrict your review of changes by filtering out object types o do not concern you. Alternatively, you can create different reports for different team members to prioritize what you see. -![Unresolved Non-Compliant Changes Report](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_8.webp) +![Unresolved Non-Compliant Changes Report](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_8.webp) ## Specific Monitoring @@ -80,7 +80,7 @@ Create a List View or Report against one or both: - Change Logs filtered by the **Changed By** field showing the Customization, the date of the change, the person making the change, the resolution explanation and status (requires _Intelligent Change Enablement_ or _Enterprise Compliance_ - [license](../installing_strongpoint/features_by_license_type.md)). Either approach can also be + [license](/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md)). Either approach can also be very useful to monitor new hires. You can filter the Unresolved Non-Compliant Changes List View by the Changed By field. This has the 
@@ -110,12 +110,12 @@ To apply the policy to Customizations you are concerned about: 3. Include the **Change / Approval Policy** field as a List View column. 4. Select one or more Customizations and select the **Change / Approval Policy**. - ![Applying the policy to Customizations](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_7.webp) + ![Applying the policy to Customizations](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_7.webp) ### Specific Changes Sometimes, you are more concerned about what is being changed than who is doing it. The Technical -Debt topic [Ongoing Monitoring](tech_debt_org_ongoing_monitoring.md) has some specific examples for +Debt topic [Ongoing Monitoring](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md) has some specific examples for watching your org to spot problems before they happen. ### Adding Custom Fields and Objects to the Policy 
@@ -127,14 +127,14 @@ the policy. 1. Open **Customizations**. 2. Search for **Customizations** **CustomObject**. - ![Search for Customizations > CustomObject](../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) + ![Search for Customizations > CustomObject](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) 3. Open the Customization to add to a policy. 4. Click **Set Policy**. - ![Set Policy is used to add Customizations to a policy](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/policy_set_button.webp) + ![Set Policy is used to add Customizations to a policy](/img/product_docs/strongpointforsalesforce/tech_debt/policy_set_button.webp) 5. Select individual customizations or click the check box in the heading bar to select all. 6. Click **Save**. -**Next Technical Debt Topic:** [Org Clean Up](tech_debt_org_clean_up.md) +**Next Technical Debt Topic:** [Org Clean Up](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_managing_orgs.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_managing_orgs.md index 8605ddd9e5..ba6cbf8f95 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_managing_orgs.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_managing_orgs.md 
@@ -45,4 +45,4 @@ stage. | Benefit | Plan your changes confidently with a firm understanding of what is in use | Monitor all changes in all orgs for technical and organizational risk | Simplify and maintain your orgs for future success | Improve time to value with automated tools that assess risk and intelligently distribute work within your team | | How Platform Governance for Salesforce Helps | Creates visual, searchable documentation making it easy to understand complex orgs | Instantiates policies to mitigate risky changes before they are deployed | Simplifies clean up with a combination of automated tools, dependency models and usage data | Ensures changes are made properly, safely and efficiently, resulting in up to 80% reduction in enhancement requests that require a CoE or CI/CD process | -**Next Technical Debt Topic:** [Automated Documentation](tech_debt_auto_documentation.md) +**Next Technical Debt Topic:** [Automated Documentation](/docs/strongpointforsalesforce/tech_debt/tech_debt_auto_documentation.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_change_enablement.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_change_enablement.md index 61f9b6e9d8..992cddc27a 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_change_enablement.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_change_enablement.md 
@@ -5,8 +5,8 @@ is safer. In today’s world, slower is simply not an option. Platform Governanc realized that **Faster** can also be **Safer** and sometimes **Very Fast** can be **Extremely Safe**. -In [Change Monitoring](tech_debt_change_monitoring.md), we discussed setting up automated change -monitoring to deliver instant oversight of your org. [Org Clean Up](tech_debt_org_clean_up.md) +In [Change Monitoring](/docs/strongpointforsalesforce/tech_debt/tech_debt_change_monitoring.md), we discussed setting up automated change +monitoring to deliver instant oversight of your org. [Org Clean Up](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md) described ongoing monitoring of specific changes. Automated Risk Management takes these disciplines and combines them with three goals: diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md index aa03ff220f..330c2232d9 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up.md @@ -36,7 +36,7 @@ generic definition is: > _The last date the Customization, or the data it contains, was created, changed, accessed, > processed or used._ -[DLU](../clean_up/date_last_used.md) is calculated differently for each Customization type. +[DLU](/docs/strongpointforsalesforce/clean_up/date_last_used.md) is calculated differently for each Customization type. For all clean up activities, consider the following items: 
@@ -50,14 +50,14 @@ For all clean up activities, consider the following items: Like all Salesforce Date fields, DLU can be filtered using relative date formats (typically what you will want). You can also filter on specific dates. -![DLU Filter](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_2.webp) +![DLU Filter](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_2.webp) ## Automated Report Clean Up The most common unused Customizations are Reports. In most orgs, new Reports are created every day. Some are critical to ongoing business processes, others are quick solutions to day-to-day problems. These one-time quick reports accumulate in your orgs, causing confusion and inefficiency. Refer to -[Automated Report Clean Up](../tools/automated_report_clean_up.md) for more details. +[Automated Report Clean Up](/docs/strongpointforsalesforce/tools/automated_report_clean_up.md) for more details. Automated Report Clean Up safely archives Reports following the rules and criteria you set up. The process is simple: @@ -122,7 +122,7 @@ the execution history of APEX-related objects. **Users referred to in objects**: Fields are not created for everything, but all the metadata is available. You can identify users (and other things) referred to in dashboard filters, formula fields, SOQL, or even code, by searching the raw XML, JSON or code. The -[Specific Clean Up Approaches](tech_debt_org_specific_clean_up_approaches.md) section contains +[Specific Clean Up Approaches](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md) section contains examples. ### Owners 
@@ -137,4 +137,4 @@ cases such as Reports, this is useful to understand who needs to approve a chang > change, is to update the Process record, which then updates the owner for all the affected > Customizations. -**Next Technical Debt Topic:**[ Org Clean Up Example](tech_debt_org_clean_up_example.md) +**Next Technical Debt Topic:**[ Org Clean Up Example](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md index 2425819fe6..3aaf7ae052 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md @@ -11,7 +11,7 @@ Using the steps outlined Org Clean Up, we can proceed quickly, efficiently and w We are going to use the out-of-the-box Default Clean Up List View with these filters: -![Filters](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_9.webp) +![Filters](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_9.webp) - Filter on the single Record Type **Objects & Fields** to enable editing the Customizations directly from the List View. This filter selects all Objects and their related Fields. @@ -49,7 +49,7 @@ complications. 1. Set the **Clean Up Status** on any field without dependencies to **To Be Cleaned Up**. In the List View, click the - ![Edit icon](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/edit_icon.webp) + ![Edit icon](/img/product_docs/strongpointforsalesforce/tech_debt/edit_icon.webp) icon and edit the **Clean Up Status** and other Clean Up Fields. You can select multiple fields using the checkboxes to set the values for the group. 2. For easy reference later, set a project name in the **Clean Up Classification** field such as 
@@ -116,18 +116,18 @@ a Change Request directly from the List View: **Clean Up**. If you are using an external change approval system such as Jira or ServiceNow, you can enter the **External Change Request Number**. - ![Edit Change Request](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_3.webp) + ![Edit Change Request](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_3.webp) 3. On your List View, set the **Add To Change Request** field for the Customizations you are planning to clean up with this Change Request. - ![Default Clean Up List View](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_12.webp) + ![Default Clean Up List View](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_12.webp) 4. Open your Change Request and view the Impact Analysis for the Customizations you want to clean up. You are warned if there are SOQL, code, workflow, role, profile filter report or List View dependencies or if the field affects actively used Reports. - ![Clean Up Unused Fields](../../../static/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_4.webp) + ![Clean Up Unused Fields](/img/product_docs/strongpointforsalesforce/tech_debt/tech_debt_4.webp) 5. If you need to make changes to the Customizations, **Edit** the Change Request and select **View All** in the Customizations field. You can **Add** or **Remove** Customizations to the **Selected 
@@ -183,8 +183,8 @@ required by policy, but either not created or not approved. The report includes - Diff Summary (detailed comparison of before and after) - Related Change Requests, if they exist -The [Change Enablement Reports](../change_management/change_management_reports.md) and List Views +The [Change Enablement Reports](/docs/strongpointforsalesforce/change_management/change_management_reports.md) and List Views give you visibility into the changes occurring in your orgs. **Next Technical Debt Topic:** -[Specific Clean Up Approaches](tech_debt_org_specific_clean_up_approaches.md) +[Specific Clean Up Approaches](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md index cb1d2c16ec..7491834766 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md @@ -25,4 +25,4 @@ or triggers. To learn more about simplifying governance and audit with Enterprise Compliance tools, reach out to your Customer Success Manager or Account Executive. -**Next Technical Debt Topic:** [Change Enablement](tech_debt_org_change_enablement.md) +**Next Technical Debt Topic:** [Change Enablement](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_change_enablement.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md index 8b9c89eefa..38a7ad689b 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_org_specific_clean_up_approaches.md 
@@ -18,7 +18,7 @@ Here are some guidelines to specific clean up problems: > Value-based Clean Up These guidelines assume you set up your List Views the same way as described -[Step 1: Identify and Prioritize Targets](tech_debt_org_clean_up_example.md). +[Step 1: Identify and Prioritize Targets](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_clean_up_example.md). ## Unused, Risky @@ -138,4 +138,4 @@ Points to consider: lists or record types or is a commonly-used term in Salesforce's XML or is a common company-specific term. -**Next Technical Debt Topic:** [Ongoing Monitoring ](tech_debt_org_ongoing_monitoring.md) +**Next Technical Debt Topic:** [Ongoing Monitoring ](/docs/strongpointforsalesforce/tech_debt/tech_debt_org_ongoing_monitoring.md) diff --git a/docs/strongpointforsalesforce/tech_debt/tech_debt_overview.md b/docs/strongpointforsalesforce/tech_debt/tech_debt_overview.md index e88a215bad..e38f95ea7a 100644 --- a/docs/strongpointforsalesforce/tech_debt/tech_debt_overview.md +++ b/docs/strongpointforsalesforce/tech_debt/tech_debt_overview.md @@ -44,4 +44,4 @@ significant cost and slows down innovation. It is time to tackle your tech debt and unleash your team’s innovation on the task of delivering great solutions to your business. -**Next Technical Debt Topic:** [Managing Orgs in the Real World](tech_debt_managing_orgs.md) +**Next Technical Debt Topic:** [Managing Orgs in the Real World](/docs/strongpointforsalesforce/tech_debt/tech_debt_managing_orgs.md) diff --git a/docs/strongpointforsalesforce/tools/access_review.md b/docs/strongpointforsalesforce/tools/access_review.md index 9e0606614c..9893ba14ef 100644 --- a/docs/strongpointforsalesforce/tools/access_review.md +++ b/docs/strongpointforsalesforce/tools/access_review.md 
@@ -3,7 +3,7 @@ The Access Review Assistant creates a comprehensive display of permissions and profiles for a selected **Object**, **User**, or **Profile / PermissionSet**. The results can be exported to Excel. The Access Review Assistant feature is available with the Intelligent Change Enablement and -Enterprise Compliance [licenses](../installing_strongpoint/features_by_license_type.md). +Enterprise Compliance [licenses](/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md). Run the scanners before you perform comparisons to ensure you have the latest data. @@ -19,7 +19,7 @@ There are three Access Assistance search types: expansion indicator u to expand the **Access Assistance** panel. Make sure **Search By Object** is selected. - ![Open the Access Review Assistant](../../../static/img/product_docs/strongpointforsalesforce/tools/access_review_assistant.webp) + ![Open the Access Review Assistant](/img/product_docs/strongpointforsalesforce/tools/access_review_assistant.webp) 2. Start typing the name of the **Search Object**. You can pick your object from the displayed completion list. 
@@ -29,13 +29,13 @@ There are three Access Assistance search types: and **Modify All**. 5. Click **Search**. - ![access_assistance](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assistance.webp) + ![access_assistance](/img/product_docs/strongpointforsalesforce/tools/access_assistance.webp) 6. Click **View Details** to see **System Permissions** and **User Assignments** for the object. - ![Details for the object](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_view_details_permission.webp) + ![Details for the object](/img/product_docs/strongpointforsalesforce/tools/access_assist_view_details_permission.webp) - ![Details for the object](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_view_details_users.webp) + ![Details for the object](/img/product_docs/strongpointforsalesforce/tools/access_assist_view_details_users.webp) 7. Review the permissions and users for the object. 8. Click **Export Data** to create an Excel file containing the comparison. The @@ -47,12 +47,12 @@ There are three Access Assistance search types: expansion indicator u to expand the **Access Assistance** panel. Make sure **Search By User** is selected. - ![Search By User](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_user.webp) + ![Search By User](/img/product_docs/strongpointforsalesforce/tools/access_assist_user.webp) 2. Start typing the user name. Pick from the completion list. 3. Click **Search**. - ![Search by User](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_user2.webp) + ![Search by User](/img/product_docs/strongpointforsalesforce/tools/access_assist_user2.webp) 4. Click **View Details** to see **System Permissions** and **User Assignments** for the permission. 5. Review the permissions for the user. 
@@ -65,12 +65,12 @@ There are three Access Assistance search types: expansion indicator u to expand the **Access Assistance** panel. Make sure **Search By Profile / Permission Set** is selected. - ![Search by Profile / Permission Set](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_profile.webp) + ![Search by Profile / Permission Set](/img/product_docs/strongpointforsalesforce/tools/access_assist_profile.webp) 2. Start typing the Profile / Permission Set name. Pick from the completion list. 3. Click **Search**. - ![Search by Profile / Permission Set](../../../static/img/product_docs/strongpointforsalesforce/tools/access_assist_profile2.webp) + ![Search by Profile / Permission Set](/img/product_docs/strongpointforsalesforce/tools/access_assist_profile2.webp) 4. Review the **System Permissions** and **User Assignments**. 5. Click **Export Data** to create an Excel file containing the comparison. The diff --git a/docs/strongpointforsalesforce/tools/automated_report_clean_up.md b/docs/strongpointforsalesforce/tools/automated_report_clean_up.md index 7fe55fd8ff..0a5b3266de 100644 --- a/docs/strongpointforsalesforce/tools/automated_report_clean_up.md +++ b/docs/strongpointforsalesforce/tools/automated_report_clean_up.md @@ -29,7 +29,7 @@ criteria. Report Clean Up rules are used for both Automatic and Run Now. To create or edit rules, access **Netwrix Dashboard**> **Tools** > **Automated Report Clean Up Tool** -![automated_report_cleanup](../../../static/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup.webp) +![automated_report_cleanup](/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup.webp) - **Name** is the assigned name for the **Report Clean Up Rule Record**. - **Description** is the purpose of the rule record. An informative description helps administrators 
@@ -98,7 +98,7 @@ clean up. The Run Now feature begins an immediate run for the rule. 4. After previewing, you can click **Automatic** on the Report Clean Up Rule to include the rule for automatic reports. -![automated_report_cleanup_preview](../../../static/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_preview.webp) +![automated_report_cleanup_preview](/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_preview.webp) #### Run Now @@ -161,7 +161,7 @@ Status** to view current status. **Canceled** - **Automatic** checkbox was turned off for the rule. - **Automatic**: rule is set to **Automatic** if checked. -![automated_report_cleanup_status](../../../static/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_status.webp) +![automated_report_cleanup_status](/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_status.webp) ### Retaining a Report @@ -186,7 +186,7 @@ report is archived. The Archive process: - Auto Archive notifications are sent to the rule owner and administrators. A **Restore** link is included in the email. -![automated_report_cleanup_archive](../../../static/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_archive.webp) +![automated_report_cleanup_archive](/img/product_docs/strongpointforsalesforce/tools/automated_report_cleanup_archive.webp) ### Restoring an Auto Archived Report diff --git a/docs/strongpointforsalesforce/tools/change_logs_clean_up.md b/docs/strongpointforsalesforce/tools/change_logs_clean_up.md index 1a48bc2f85..a2705fd9a7 100644 --- a/docs/strongpointforsalesforce/tools/change_logs_clean_up.md +++ b/docs/strongpointforsalesforce/tools/change_logs_clean_up.md 
@@ -9,7 +9,7 @@ retain and how this should be split between live and archived data. 1. Open **Netwrix Dashboard** > **Tools** > **Change Logs Clean Up** - ![Open the Change Logs Clean Up Tool](../../../static/img/product_docs/strongpointforsalesforce/tools/change_logs_clean_up.webp) + ![Open the Change Logs Clean Up Tool](/img/product_docs/strongpointforsalesforce/tools/change_logs_clean_up.webp) 2. Set up the schedule to run the tool: diff --git a/docs/strongpointforsalesforce/tools/environment_comparison.md b/docs/strongpointforsalesforce/tools/environment_comparison.md index 47142140a7..3cb40d8f86 100644 --- a/docs/strongpointforsalesforce/tools/environment_comparison.md +++ b/docs/strongpointforsalesforce/tools/environment_comparison.md @@ -3,9 +3,9 @@ Administrators use this tool to compare environments and generate an Excel report file with the results. This report can be used to troubleshoot processes or data causing errors in a particular account, compare preferences between accounts, or determine if data needs to migrate between -accounts. An [Environment Compare Log](../reports/deployment_logs_environment_compare.md) is +accounts. An [Environment Compare Log](/docs/strongpointforsalesforce/reports/deployment_logs_environment_compare.md) is generated. The comparison can handle up to 10,000 items. You receive an email with a link to the -[Export Object Attachment](export_object_attachment_records.md) record, where you can download your +[Export Object Attachment](/docs/strongpointforsalesforce/tools/export_object_attachment_records.md) record, where you can download your file. Here is the basic process: Open **Netwrix Dashboard** > **Tools** > **Environment Comparison** 
@@ -22,7 +22,7 @@ View the Report ## Select the Environments to Compare -![compare_env_environments](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_environments.webp) +![compare_env_environments](/img/product_docs/strongpointforsalesforce/tools/compare_env_environments.webp) For both the **Source** and **Target** Environments: @@ -50,7 +50,7 @@ Filters determine what is included in the comparison. There are four options to Select a **All** or a specific metadata type to compare from the list. If you select **Report**, only tabular and summary reports are compared. Metric and joined reports are not compared. -![compare_env_filters](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_filters.webp) +![compare_env_filters](/img/product_docs/strongpointforsalesforce/tools/compare_env_filters.webp) ### Import Customizations from a Change Request @@ -59,7 +59,7 @@ only tabular and summary reports are compared. Metric and joined reports are not Enter a Change Request ID, or use the drop down to scroll through a list of available Change Requests. -![Import Customizations from a Change Request](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_filters3.webp) +![Import Customizations from a Change Request](/img/product_docs/strongpointforsalesforce/tools/compare_env_filters3.webp) ### Select Specific Customizations @@ -71,7 +71,7 @@ Requests. 3. Click the right arrow to move the items to the **Selected Customizations** list. To remove an item from the **Selected Customizations** list, select it and click the left arrow. -![Add Filters with Individual Customizations](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_filters2.webp) +![Add Filters with Individual Customizations](/img/product_docs/strongpointforsalesforce/tools/compare_env_filters2.webp) ### Packages to Exclude 
@@ -80,7 +80,7 @@ Requests. 3. Click the right arrow to move the items to the **Selected** list. To remove an item from the **Selected** list, select it and click the left arrow. -![Select packages to exclude](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_filters4.webp) +![Select packages to exclude](/img/product_docs/strongpointforsalesforce/tools/compare_env_filters4.webp) ## Select Export Options @@ -96,18 +96,18 @@ complete. 1. Open the **Export Attachments** tab. Change the Export Attachments from **Recently Viewed** to **All** if necessary to see your report. Refer to - [Export Object Attachment](export_object_attachment_records.md) for details on adding the tab to + [Export Object Attachment](/docs/strongpointforsalesforce/tools/export_object_attachment_records.md) for details on adding the tab to your tool bar if needed. 2. Click on the **Environment Comparison** report in the list. The Export Attachment **Details** are displayed, and your Excel report is downloaded by your browser. 3. Open the _Environment_Compare_export.xls_ file. When you open an exported file, this message may be displayed, as the exported file is in XML instead of the Excel format. Click **Yes** to load the file. - ![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) + ![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) ### Environment_Compare_export.xls -![The Only In Source tab of the Environment_Compare_Export.xls file](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_results_excel.webp) +![The Only In Source tab of the Environment_Compare_Export.xls file](/img/product_docs/strongpointforsalesforce/tools/compare_env_results_excel.webp) The _Environment_Compare_export.xls_ file contains a **Summary** tab and individual tabs for each comparison type: 
@@ -122,7 +122,7 @@ comparison type: **In Both Different**: items present in both Environments with differences. Here is an example: -![Example of Environment Comparison differences](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_results_excel_diffs.webp) +![Example of Environment Comparison differences](/img/product_docs/strongpointforsalesforce/tools/compare_env_results_excel_diffs.webp) ## Create a Change Request @@ -133,6 +133,6 @@ and create a Change Request based on the differences. 2. **Select Customization(s)** contains all of the Customizations with Differences. Select one or more and click **Add** to move them to the **Selected Customization(s)** pane. - ![Select Customizations with Differences and create a Change Request](../../../static/img/product_docs/strongpointforsalesforce/tools/compare_env_create_cr.webp) + ![Select Customizations with Differences and create a Change Request](/img/product_docs/strongpointforsalesforce/tools/compare_env_create_cr.webp) 3. Click **Create Change Request** to continue. diff --git a/docs/strongpointforsalesforce/tools/export_object_attachment_records.md b/docs/strongpointforsalesforce/tools/export_object_attachment_records.md index acf6f2438a..57e7f7302b 100644 --- a/docs/strongpointforsalesforce/tools/export_object_attachment_records.md +++ b/docs/strongpointforsalesforce/tools/export_object_attachment_records.md 
@@ -1,13 +1,13 @@ # Export Object Attachment Records -When an [Environment Comparison](environment_comparison.md) is run, or [Object](export_objects.md), -[Profile](export_profiles.md) or [User](export_profiles.md) information is exported, an **Export +When an [Environment Comparison](/docs/strongpointforsalesforce/tools/environment_comparison.md) is run, or [Object](/docs/strongpointforsalesforce/tools/export_objects.md), +[Profile](/docs/strongpointforsalesforce/tools/export_profiles.md) or [User](/docs/strongpointforsalesforce/tools/export_profiles.md) information is exported, an **Export Object Attachment** Record is created for the export. When an export request is completed, you receive an email notification your export file is ready. The link in the notification opens the **Export Object Attachment** Record in Salesforce. Your download file is available under **Notes & Attachments**. -![Example Export Object Attachment detail](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record.webp) +![Example Export Object Attachment detail](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record.webp) The export history is saved in Salesforce. You can view the list, or add the Export Object Attachments tabs to your menu bar. @@ -23,7 +23,7 @@ Attachments tabs to your menu bar. 1. Click the **+** in the menu bar to open the **All Tabs** list (Salesforce Classic). 2. Select **Export Object Attachments**. -![Export Object Attachments list](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_list.webp) +![Export Object Attachments list](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_list.webp) ### Add the **Export Object Attachments** Tab 
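Review bot: In the `@@ -1,13 +1,13 @@` hunk of export_object_attachment_records.md, the rewritten `[User]` link still targets `/docs/strongpointforsalesforce/tools/export_profiles.md`, the same file as the `[Profile]` link next to it. The patch also touches `docs/strongpointforsalesforce/tools/export_users.md`, so the User link most likely belongs there; converting the path to absolute form without correcting the target makes the wrong destination harder to spot later. Suggest `[User](/docs/strongpointforsalesforce/tools/export_users.md)`, or confirm that pointing both links at the profiles page is intentional.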
@@ -32,7 +32,7 @@ Attachments tabs to your menu bar. 3. Select **Export Object Attachments** from the **Available Tabs** and add it to the **Selected Tabs**. - ![Add Export Object Attachments to your menu bar in Classic view](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_classic.webp) + ![Add Export Object Attachments to your menu bar in Classic view](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_classic.webp) 4. Click **Save**. @@ -49,6 +49,6 @@ Enter **Export Object Attachments** in the **Search Salesforce** entry box on th 3. Select **Export Object Attachments** from the **Available Tabs** and add it to the **Selected Tabs**. - ![Add Export Object Attachments tab to your menu bar in Lightning](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_lightning.webp) + ![Add Export Object Attachments tab to your menu bar in Lightning](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_lightning.webp) 4. Click **Save**. diff --git a/docs/strongpointforsalesforce/tools/export_objects.md b/docs/strongpointforsalesforce/tools/export_objects.md index c2b2b15f27..174587d625 100644 --- a/docs/strongpointforsalesforce/tools/export_objects.md +++ b/docs/strongpointforsalesforce/tools/export_objects.md 
@@ -4,7 +4,7 @@ Administrators can use this to export one or more objects, including all child o single view for easy review and management. For each export, you select the settings and optional profiles and permission sets to include in the object details. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You will receive an email with a -link to the [Export Object Attachment](export_object_attachment_records.md) record, where you can +link to the [Export Object Attachment](/docs/strongpointforsalesforce/tools/export_object_attachment_records.md) record, where you can download your file. You can also use the **Download Files** link on this page or on the Netwrix Dashboard to download your file. @@ -19,7 +19,7 @@ information: Open **Netwrix Dashboard** > **Tools** > **Export Objects** **Objects** is the default tab. -![export_object](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object.webp) +![export_object](/img/product_docs/strongpointforsalesforce/tools/export_object.webp) Objects @@ -28,13 +28,13 @@ Enter all or part of a name in **Filter** to filter the list of objects. Select one or more objects in the list. Selected options are shown below the filter. Click the **X** within the selected option to remove it. You can use the **Select All** and **Clear All** options. -![Select the objects](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_filter.webp) +![Select the objects](/img/product_docs/strongpointforsalesforce/tools/export_object_filter.webp) Settings to be Exported Click the toggles to activate or inactivate the settings you want to export. -![export_object_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_settings.webp) +![export_object_settings](/img/product_docs/strongpointforsalesforce/tools/export_object_settings.webp) Profiles: Object and Field Level Security (Optional) 
@@ -44,7 +44,7 @@ Select one or more profiles in the list. Selected options are shown below the fi **X** within the selected option to remove it. You can use the **Select All** and **Clear All** options. -![export_object_profiles](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_profiles.webp) +![export_object_profiles](/img/product_docs/strongpointforsalesforce/tools/export_object_profiles.webp) Permission Sets: Object and Field Level Security (Optional) @@ -54,7 +54,7 @@ Select one or more permission sets in the list. Selected options are shown below the **X** within the selected option to remove it. You can use the **Select All** and **Clear All** options. -![export_object_permissions](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_permissions.webp) +![export_object_permissions](/img/product_docs/strongpointforsalesforce/tools/export_object_permissions.webp) Download XLS @@ -66,7 +66,7 @@ Download Files Click **Download Files** to see a list of generated files. The file does not appear in the list until it is complete. -![Download files](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_download.webp) +![Download files](/img/product_docs/strongpointforsalesforce/tools/export_object_download.webp) Click on the export name. The Export Attachments tab is opened, showing the attachment detail for your file. Click **View file** to download it to your Downloads folder. 
@@ -76,15 +76,15 @@ your file. Click **View file** to download it to your Downloads folder. When you open an exported file, this message may be displayed, as the exported _ObjectExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _ObjectExport.xls_ file contains a **Summary** tab and a separate tab for each selected object. The **Summary** tab shows who created the export, the creation date and time, list of selected objects, and lists of any selected optional Profiles and Permission Sets. -![export_object_summary](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_summary.webp) +![export_object_summary](/img/product_docs/strongpointforsalesforce/tools/export_object_summary.webp) The **Object** tabs contain all of the requested information for each object. -![export_object_object_tab](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_object_tab.webp) +![export_object_object_tab](/img/product_docs/strongpointforsalesforce/tools/export_object_object_tab.webp) diff --git a/docs/strongpointforsalesforce/tools/export_profiles.md b/docs/strongpointforsalesforce/tools/export_profiles.md index dda924491e..18d7cc3712 100644 --- a/docs/strongpointforsalesforce/tools/export_profiles.md +++ b/docs/strongpointforsalesforce/tools/export_profiles.md 
@@ -3,13 +3,13 @@ Administrators can use this tool to export all user permissions into a single view for easy review and management. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You will receive an email with a link to the -[Export Object Attachment](export_object_attachment_records.md) record, where you can download your +[Export Object Attachment](/docs/strongpointforsalesforce/tools/export_object_attachment_records.md) record, where you can download your file. 1. Open **Netwrix Dashboard** > **Tools** > **Export Objects**. 2. Open the **Profiles & Permission Sets** tab. - ![export_profile_ui](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_ui.webp) + ![export_profile_ui](/img/product_docs/strongpointforsalesforce/tools/export_profile_ui.webp) 3. Scroll through the **Select Profile to be Exported**. 4. Select one or more objects in the scroll box. Use **Shift** or **Ctrl** to select multiple @@ -18,7 +18,7 @@ file. the **Selected Profiles** list, select it and click the left arrow. 6. Select the **Settings to be exported**. - ![export_profile_ui_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_ui_settings.webp) + ![export_profile_ui_settings](/img/product_docs/strongpointforsalesforce/tools/export_profile_ui_settings.webp) 7. Click **Download XLS**. The file _ProfileExport.xls_ is created. 
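Review bot: The trailing context of the `@@ -18,7 +18,7 @@` hunk in export_profiles.md names the output file `_ProfileExport.xls_` in step 7, while the next hunk of the same file refers to it twice as `_ProfilesExport.xls_`. Only one of these can match what the tool writes; since this pass already edits both regions, pick the real file name and use it in all three places so readers searching their Downloads folder are not misled.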
@@ -27,7 +27,7 @@ file. When you open an exported file, this message may be displayed, as the exported _ProfilesExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _ProfilesExport.xls_ file contains a **Summary** tab and a separate tab for each selected profile. @@ -35,8 +35,8 @@ profile. The **Summary** tab shows who created the export, the creation date and time, and the list of selected profiles. -![export_profile_summary](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_summary.webp) +![export_profile_summary](/img/product_docs/strongpointforsalesforce/tools/export_profile_summary.webp) The **Profile** tabs contain all of the requested information for each profile. -![export_profile_profile](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_profile.webp) +![export_profile_profile](/img/product_docs/strongpointforsalesforce/tools/export_profile_profile.webp) diff --git a/docs/strongpointforsalesforce/tools/export_users.md b/docs/strongpointforsalesforce/tools/export_users.md index 21f04ac59e..49263aef4d 100644 --- a/docs/strongpointforsalesforce/tools/export_users.md +++ b/docs/strongpointforsalesforce/tools/export_users.md 
@@ -5,13 +5,13 @@ Exports user information to an XLS file. Administrators can use this tool to export all user information into a single view for easy review and management. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You receive an email with a link to the -[Export Object Attachment](export_object_attachment_records.md) record, where you can download your +[Export Object Attachment](/docs/strongpointforsalesforce/tools/export_object_attachment_records.md) record, where you can download your file. 1. Open **Netwrix Dashboard** > **Tools** > **Export Objects** 2. Open the **Users** tab. - ![export_users](../../../static/img/product_docs/strongpointforsalesforce/tools/export_users.webp) + ![export_users](/img/product_docs/strongpointforsalesforce/tools/export_users.webp) 3. Scroll through the **Select User to be Exported** or enter all of part .of a user name in the **Filter** field. @@ -21,7 +21,7 @@ file. the **Selected Users** list, select it and click the left arrow. 6. Select the **Settings to be exported**. - ![export_users_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_users_settings.webp) + ![export_users_settings](/img/product_docs/strongpointforsalesforce/tools/export_users_settings.webp) 7. Click **Download XLS**. The file _UserExport.xls_ is created. 
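Review bot: Step 3 in the `@@ -5,13 +5,13 @@` hunk of export_users.md reads `enter all of part .of a user name`, with a stray period and "of" where "or" is meant. It is a context line, but it sits directly under the image link this hunk rewrites; suggest fixing it in the same pass to `enter all or part of a user name`, which also matches the wording used for the Objects filter in export_objects.md ("Enter all or part of a name in **Filter**").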
@@ -30,15 +30,15 @@ file. When you open an exported file, this message may be displayed, as the exported _UserExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _UserExport.xls_ file contains a **Summary** tab and a separate tab for each selected user. The **Summary** tab shows who created the export, the creation date and time, and the list of selected users. -![export_users_summary](../../../static/img/product_docs/strongpointforsalesforce/tools/export_users_summary.webp) +![export_users_summary](/img/product_docs/strongpointforsalesforce/tools/export_users_summary.webp) The **User** tabs contain all of the requested information for each exported user. -![export_users_user](../../../static/img/product_docs/strongpointforsalesforce/tools/export_users_user.webp) +![export_users_user](/img/product_docs/strongpointforsalesforce/tools/export_users_user.webp) diff --git a/docs/strongpointforsalesforce/tools/finder.md b/docs/strongpointforsalesforce/tools/finder.md index e64d03428d..126eaf33ca 100644 --- a/docs/strongpointforsalesforce/tools/finder.md +++ b/docs/strongpointforsalesforce/tools/finder.md @@ -15,4 +15,4 @@ Use the Export to XLS option to export your results to an XLS file where you ca analyze your information using the full power of Excel. You can then update your records using Salesforce tools like Import Wizard and Data Loader to save time and effort. -![finder](../../../static/img/product_docs/strongpointforsalesforce/tools/finder.webp) +![finder](/img/product_docs/strongpointforsalesforce/tools/finder.webp) 
diff --git a/docs/strongpointforsalesforce/tools/package_usage.md b/docs/strongpointforsalesforce/tools/package_usage.md index 1990011763..798112fbac 100644 --- a/docs/strongpointforsalesforce/tools/package_usage.md +++ b/docs/strongpointforsalesforce/tools/package_usage.md @@ -2,11 +2,11 @@ The Package Usage tool provides administrators real-time insights into the usage and allocation of additional product licenses across the organization. This tool enables them to identify potential -cost savings. Used in conjunction with the existing [User Activity](user_activity.md) tool, it +cost savings. Used in conjunction with the existing [User Activity](/docs/strongpointforsalesforce/tools/user_activity.md) tool, it provides a comprehensive overview of who is accessing the environment and for what purpose. The Package Usage tool is available with the Intelligent Change Enablement and Enterprise Compliance -[licenses](../installing_strongpoint/features_by_license_type.md). +[licenses](/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md). Run the scanners first to ensure you have the latest data. @@ -21,12 +21,12 @@ To open the Package Usage tool: 1. Select **Tools** > **User Activity** from the Netwrix Dashboard page. - ![User Activity tool](../../../static/img/product_docs/strongpointforsalesforce/tools/user_activity.webp) + ![User Activity tool](/img/product_docs/strongpointforsalesforce/tools/user_activity.webp) 2. Click the arrow in the left margin to expand the menu pane. 3. Click **Package Usage Tool** in the menu. - ![Package Usage tool](../../../static/img/product_docs/strongpointforsalesforce/tools/package_usage.webp) + ![Package Usage tool](/img/product_docs/strongpointforsalesforce/tools/package_usage.webp) 4. Click **Run Scanner** to ensure you have the latest data. 
diff --git a/docs/strongpointforsalesforce/tools/profile_permission_comparison.md b/docs/strongpointforsalesforce/tools/profile_permission_comparison.md index 3e4ec7a1b8..8c0f27cb42 100644 --- a/docs/strongpointforsalesforce/tools/profile_permission_comparison.md +++ b/docs/strongpointforsalesforce/tools/profile_permission_comparison.md @@ -24,19 +24,19 @@ To perform a **System Permission** comparison: expansion indicator u to expand the **Comparison** panel. Make sure **System Permission** is selected. - ![Open the Profile / Permission Comparison](../../../static/img/product_docs/strongpointforsalesforce/tools/permission_comparison.webp) + ![Open the Profile / Permission Comparison](/img/product_docs/strongpointforsalesforce/tools/permission_comparison.webp) 2. Select at least two **Profile / Permission Sets**. For each item: - Enter part of the **Profile or Permission Set** name - Check the **View** box for the item to compare. - ![Select a Profile or Permission Set to compare](../../../static/img/product_docs/strongpointforsalesforce/tools/permission_comparison_select.webp) + ![Select a Profile or Permission Set to compare](/img/product_docs/strongpointforsalesforce/tools/permission_comparison_select.webp) 3. Select the **System Permissions Category**: **All**, **API**, **Create**, **Edit**, **Manage**, **Modify**, **User**, or **View**. - ![System Permission Comparison](../../../static/img/product_docs/strongpointforsalesforce/tools/permission_comparison_display.webp) + ![System Permission Comparison](/img/product_docs/strongpointforsalesforce/tools/permission_comparison_display.webp) 4. Review the comparison. If the permissions are identical, you can research whether one or more can be removed. 
@@ -60,13 +60,13 @@ To perform an **Object Permission** comparison: - Enter part of the **Profile or Permission Set** name - Check the **View** box for the item to compare. - ![Select a Profile or Permission Set to compare](../../../static/img/product_docs/strongpointforsalesforce/tools/permission_comparison_select.webp) + ![Select a Profile or Permission Set to compare](/img/product_docs/strongpointforsalesforce/tools/permission_comparison_select.webp) 3. Set the optional **Filter** for object permissions: **Create**, **Edit**, **Read**, **Delete**, **View All**, and **Modify All**. You can use the **Select All** and **Clear All** shortcuts to set the **Filter**. - ![Object Permission Comparison](../../../static/img/product_docs/strongpointforsalesforce/tools/permission_comparison_display_object.webp) + ![Object Permission Comparison](/img/product_docs/strongpointforsalesforce/tools/permission_comparison_display_object.webp) 4. Review the comparison. If the permissions are identical, you can research whether one or more can be removed. diff --git a/docs/strongpointforsalesforce/tools/user_activity.md b/docs/strongpointforsalesforce/tools/user_activity.md index a6d452e8e4..22e7de4f1b 100644 --- a/docs/strongpointforsalesforce/tools/user_activity.md +++ b/docs/strongpointforsalesforce/tools/user_activity.md 
@@ -5,16 +5,16 @@ can be run for all users or a selected user. The data can be used to ensure cont prior to deactivating a user. The User Login Activity feature is available with the Intelligent Change Enablement and Enterprise -Compliance [licenses](../installing_strongpoint/features_by_license_type.md). +Compliance [licenses](/docs/strongpointforsalesforce/installing_strongpoint/features_by_license_type.md). Run the scanners before you perform comparisons to ensure you have the latest data. Select **Tools** > **User Activity** from the Netwrix Dashboard page. There is a collapsible menu pane available. Click the u arrow on the left to expand/collapse the -menu. Refer to [Package Usage](package_usage.md) for details on the Package Usage tool. +menu. Refer to [Package Usage](/docs/strongpointforsalesforce/tools/package_usage.md) for details on the Package Usage tool. -![User Activity tool](../../../static/img/product_docs/strongpointforsalesforce/tools/user_activity.webp) +![User Activity tool](/img/product_docs/strongpointforsalesforce/tools/user_activity.webp) ## User Login Activity diff --git a/docs/strongpointforsalesforce/tools/viewing_drd.md b/docs/strongpointforsalesforce/tools/viewing_drd.md index 1bdb490d86..5f4714739f 100644 --- a/docs/strongpointforsalesforce/tools/viewing_drd.md +++ b/docs/strongpointforsalesforce/tools/viewing_drd.md 
@@ -15,9 +15,9 @@ To use the entity diagram: expand the results. **Next** loads the next 10 entries, **Back** loads the previous list. 5. Click **Open Record** to open the customization record for the item. -![entity_diagram](../../../static/img/product_docs/strongpointforsalesforce/tools/entity_diagram.webp) +![entity_diagram](/img/product_docs/strongpointforsalesforce/tools/entity_diagram.webp) Here is an example showing the Next feature for **Account (StandardObject)** > **Test 1 (Parent:Account)**. -![DRD entry showing Next option if there are more than 10 entries](../../../static/img/product_docs/strongpointforsalesforce/tools/drd_next.webp) +![DRD entry showing Next option if there are more than 10 entries](/img/product_docs/strongpointforsalesforce/tools/drd_next.webp) diff --git a/docs/strongpointforsalesforce/what_does_strongpoint_document.md b/docs/strongpointforsalesforce/what_does_strongpoint_document.md index 76858e4bfb..b3a3756161 100644 --- a/docs/strongpointforsalesforce/what_does_strongpoint_document.md +++ b/docs/strongpointforsalesforce/what_does_strongpoint_document.md @@ -4,7 +4,7 @@ Platform Governance for Salesforce documents over 120 Salesforce metadata types. Metadata is organized into eight categories and 18 subcategories. Policies are set and applied at the -subcategory level. Open [Documented Metadata Types](change_management/documented_metadata_types.md) +subcategory level. Open [Documented Metadata Types](/docs/strongpointforsalesforce/change_management/documented_metadata_types.md) for a complete list of Metadata sorted by **Type** and by **Category**. | Metadata Category | Description | 
@@ -18,4 +18,4 @@ for a complete list of Metadata sorted by **Type** and by **Category**. | Analytics | Reports, Dashboards, List Views, and Einstein | | Configuration | Data Quality settings such as Duplicate Rules, Matching Rules, and Validation Rules. Other general settings. | -![Metadata Categories documented by Strongpoint](../../static/img/product_docs/strongpointforsalesforce/metadata_categories.webp) +![Metadata Categories documented by Strongpoint](/img/product_docs/strongpointforsalesforce/metadata_categories.webp) diff --git a/docs/strongpointnetsuiteflashlight/getting_started/configuring_account.md b/docs/strongpointnetsuiteflashlight/getting_started/configuring_account.md index 9f3b6d1e0a..5623b2dfd5 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/configuring_account.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/configuring_account.md @@ -8,8 +8,8 @@ accomplish this configuration: 2. Scroll down to the **Optimizing NetSuite** section. 3. Set **Number of Rows in List Segments** to _1000_ If the field is grayed and cannot be edited, refer to the troubleshooting article - [List Segments Field Cannot be Edited](../troubleshooting/list_segments_not_editable.md). + [List Segments Field Cannot be Edited](/docs/strongpointnetsuiteflashlight/troubleshooting/list_segments_not_editable.md). -![listsegments](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/listsegments.webp) +![listsegments](/img/product_docs/strongpointnetsuiteflashlight/getting_started/listsegments.webp) You are now ready to use Flashlight to document your account. diff --git a/docs/strongpointnetsuiteflashlight/getting_started/dashboard.md b/docs/strongpointnetsuiteflashlight/getting_started/dashboard.md index 8f167c02e7..75908ab0a0 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/dashboard.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/dashboard.md 
@@ -21,7 +21,7 @@ Displays the current status of the Spider (Not Started, In Progress, Completed) days since the spider was last run. It is recommended to run the Spider every week so your account documentation is up-to-date. -![Spider Status](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_status.webp) +![Spider Status](/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_status.webp) ## Reminders @@ -29,7 +29,7 @@ Reminders are key system warnings and metrics that Flashlight has detected in yo last week since the Spider was run last run. You can click on each metric to drill-into the details and take corrective action where needed. -![Reminders](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/reminders_800x88.webp) +![Reminders](/img/product_docs/strongpointnetsuiteflashlight/getting_started/reminders_800x88.webp) The reminders have colors associated with them depending on the nature of the reminder. Reminders highlighted in green represent new and modified customizations in your account since the spider was @@ -132,7 +132,7 @@ dashboard. Links to key resources to help you learn to use Flashlight. -![Resources](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Resources](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) ## Chart 
@@ -148,7 +148,7 @@ does not include customizations from Saved Searches and Reports. Click on a segm drill into the details and see the list of specific customizations for the selected Object Type. This allows you to easily understand what customizations have been created over a given time period. -![New Customizations by Type](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/new_customizations_by_type.webp) +![New Customizations by Type](/img/product_docs/strongpointnetsuiteflashlight/getting_started/new_customizations_by_type.webp) ### New Searches and Reports by Type @@ -158,7 +158,7 @@ selected Object Type. Click on a segment in the chart to drill into the details specific customizations for the selected Object Type. This allows you to easily understand what Saved Searches and Reports have been created over a given time period. -![New Searches and Reports by Type](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/new_searches_by_type.webp) +![New Searches and Reports by Type](/img/product_docs/strongpointnetsuiteflashlight/getting_started/new_searches_by_type.webp) ### Customizations Updated by Type 
@@ -168,13 +168,13 @@ does not include customizations from Saved Searches and Reports. Click on a segm drill into the details and see the list of specific customizations for the selected Object Type. This allows you to easily understand what customizations have been created over a given time period. -![Customizations Updated by Type](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/customizations_updated_by_type.webp) +![Customizations Updated by Type](/img/product_docs/strongpointnetsuiteflashlight/getting_started/customizations_updated_by_type.webp) ## Key Tools Links to useful Flashlight tools to give you more value out of your documentation. -![Key Tools](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/key_tools.webp) +![Key Tools](/img/product_docs/strongpointnetsuiteflashlight/getting_started/key_tools.webp) - **ERD**: Explore your customizations with Flashlight’s visual ERD and understand how customizations relate to each other. @@ -194,7 +194,7 @@ Displays all the key data about your customizations for full visibility and cont account. The metrics are organized into two sections: **Documentation Summary** and **Users Summary**. -![summary_800x207](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/summary_800x207.webp) +![summary_800x207](/img/product_docs/strongpointnetsuiteflashlight/getting_started/summary_800x207.webp) ### Documentation Summary diff --git a/docs/strongpointnetsuiteflashlight/getting_started/documenting_account.md b/docs/strongpointnetsuiteflashlight/getting_started/documenting_account.md index 129c3cd3db..8335c180f0 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/documenting_account.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/documenting_account.md 
@@ -19,14 +19,14 @@ how to kick off your first spider: 1. Open **Flashlight** > **Tools** > **Spider**. - ![mainmenu](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/mainmenu.webp) + ![mainmenu](/img/product_docs/strongpointnetsuiteflashlight/getting_started/mainmenu.webp) 2. If you are receive a NetSuite alert about segment preferences, you need to set the **Number of Rows in List Segments** in your account so that the spider can function properly. Refer to - [Configuring your Account](configuring_account.md) for details. Do not update this field while + [Configuring your Account](/docs/strongpointnetsuiteflashlight/getting_started/configuring_account.md) for details. Do not update this field while the spider is running. Once you are ready, start your spider. - ![spider_800x368](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_800x368.webp) + ![spider_800x368](/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_800x368.webp) 3. Set the following fields: diff --git a/docs/strongpointnetsuiteflashlight/getting_started/install_flashlight.md b/docs/strongpointnetsuiteflashlight/getting_started/install_flashlight.md index 2356b0727b..2eadc12211 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/install_flashlight.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/install_flashlight.md @@ -9,7 +9,7 @@ Flashlight bundle into your NetSuite account. 4. Enter **297487** in **Keywords** 5. Click **Search** - ![advancedinstall_800x411](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/advancedinstall_800x411.webp) + ![advancedinstall_800x411](/img/product_docs/strongpointnetsuiteflashlight/getting_started/advancedinstall_800x411.webp) 6. Click **Flashlight by Strongpoint** 7. Click **Install** to start the bundle installation. 
@@ -17,4 +17,4 @@ Flashlight bundle into your NetSuite account. **Flashlight by Strongpoint Status** is **Pending** during the installation process. Click **Refresh** to see installation progress. When complete, the Flashlight bundle is marked with a green check in the **Status** and the **Flashlight** tab is available. -9. Set up a [licensed user](setting_up_licensed_user.md) to complete the installation. +9. Set up a [licensed user](/docs/strongpointnetsuiteflashlight/getting_started/setting_up_licensed_user.md) to complete the installation. diff --git a/docs/strongpointnetsuiteflashlight/getting_started/setting_up_licensed_user.md b/docs/strongpointnetsuiteflashlight/getting_started/setting_up_licensed_user.md index 08314abc0a..cc4b600522 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/setting_up_licensed_user.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/setting_up_licensed_user.md 
@@ -6,17 +6,17 @@ Flashlight. You can use this same procedure to switch permissions to an existing 1. Open **Flashlight** > **Support** > **Users & License Manager**. 2. Click **Edit**. - ![Open Users & License Manager List](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user1_800x166.webp) + ![Open Users & License Manager List](/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user1_800x166.webp) 3. Select **New Licensed User**. - ![Add or Change a Licensed User](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user2_800x142.webp) + ![Add or Change a Licensed User](/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user2_800x142.webp) NOTE: If you are changing permission from one user to another, select **Edit** by the existing **User** name. 4. Select your name from the **User** list and **Full** permission as the **License Type**. - ![Assign the License Type for a User](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user3_800x213.webp) + ![Assign the License Type for a User](/img/product_docs/strongpointnetsuiteflashlight/getting_started/set_up_user3_800x213.webp) 5. Click **Save**. diff --git a/docs/strongpointnetsuiteflashlight/getting_started/uninstalling_flashlight.md b/docs/strongpointnetsuiteflashlight/getting_started/uninstalling_flashlight.md index bf737c9fe0..351cc506a9 100644 --- a/docs/strongpointnetsuiteflashlight/getting_started/uninstalling_flashlight.md +++ b/docs/strongpointnetsuiteflashlight/getting_started/uninstalling_flashlight.md 
@@ -7,6 +7,6 @@ Here is how to uninstall the Flashlight bundle from your account: 2. Locate the Flashlight bundle in installed bundle list. 3. Hover over the icon in the **Action** column and click **Uninstall** - ![uninstall_flashlight_800x226](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/uninstall_flashlight_800x226.webp) + ![uninstall_flashlight_800x226](/img/product_docs/strongpointnetsuiteflashlight/getting_started/uninstall_flashlight_800x226.webp) 4. Follow the standard procedure in NetSuite to remove the bundle. diff --git a/docs/strongpointnetsuiteflashlight/troubleshooting/list_segments_not_editable.md b/docs/strongpointnetsuiteflashlight/troubleshooting/list_segments_not_editable.md index 7afc637924..6fa5cae350 100644 --- a/docs/strongpointnetsuiteflashlight/troubleshooting/list_segments_not_editable.md +++ b/docs/strongpointnetsuiteflashlight/troubleshooting/list_segments_not_editable.md @@ -9,11 +9,11 @@ To resolve this: 3. Select **General Preferences**. 4. Set the **Number of Rows in List Segments** to 1000. -![rowsinlistsegments_800x382](../../../static/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/rowsinlistsegments_800x382.webp) +![rowsinlistsegments_800x382](/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/rowsinlistsegments_800x382.webp) If the field is still gray: 1. Scroll down the page to the tab **Overriding Preferences** 2. Check the box for Number of Rows in List Segments. -![setlinesegments_800x250](../../../static/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/setlinesegments_800x250.webp) +![setlinesegments_800x250](/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/setlinesegments_800x250.webp) diff --git a/docs/strongpointnetsuiteflashlight/troubleshooting/release_note_notifications.md b/docs/strongpointnetsuiteflashlight/troubleshooting/release_note_notifications.md index 034fb73282..f6001f1b25 100644 
--- a/docs/strongpointnetsuiteflashlight/troubleshooting/release_note_notifications.md +++ b/docs/strongpointnetsuiteflashlight/troubleshooting/release_note_notifications.md @@ -13,7 +13,7 @@ subscribe or re-subscribe: _Looks like you've opted out of email communication. Click here to get an email and opt back in._ 4. Click on the link. An email is sent to enable you to update your subscription preferences: - ![Resubscribe to receive Release Note notifications.](../../../static/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/resubscribe.webp) + ![Resubscribe to receive Release Note notifications.](/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/resubscribe.webp) 5. Click _update your subscription preferences_. 6. Click **Yes, resubscribe me!** diff --git a/docs/strongpointnetsuiteflashlight/troubleshooting/report_a_bug.md b/docs/strongpointnetsuiteflashlight/troubleshooting/report_a_bug.md index c8e3250736..eb89e5089d 100644 --- a/docs/strongpointnetsuiteflashlight/troubleshooting/report_a_bug.md +++ b/docs/strongpointnetsuiteflashlight/troubleshooting/report_a_bug.md @@ -9,4 +9,4 @@ within Flashlight: 1. Open **Flashlight** > **Support** > **Report a Bug** 2. Click on **Submit a Ticket** and follow the prompts. -![Report a Bug](../../../static/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/report_bug_800x556.webp) +![Report a Bug](/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/report_bug_800x556.webp) diff --git a/docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.md b/docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.md index b4e203f90d..2e13a06408 100644 --- a/docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.md +++ b/docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.md 
@@ -6,4 +6,4 @@ Open **Flashlight** > **Support** > **Stop Scripts** This stops the next execution of the scheduled scripts. -![Stop Scripts](../../../static/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.webp) +![Stop Scripts](/img/product_docs/strongpointnetsuiteflashlight/troubleshooting/stop_scripts.webp) diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/customization_reports.md b/docs/strongpointnetsuiteflashlight/using_flashlight/customization_reports.md index 1895b9329e..b3efb2d905 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/customization_reports.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/customization_reports.md @@ -21,7 +21,7 @@ NetSuite to apply a default value. This report provides a list of all customizations in the system that have Script IDs not aligned with NetSuite's best practices. -![Customizations with Poor Script IDs](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/poorscriptids_800x284.webp) +![Customizations with Poor Script IDs](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/poorscriptids_800x284.webp) To correct this issue on a specific customization record: @@ -35,7 +35,7 @@ Each object in NetSuite should have a Description that explains what the object used in the system. This report provides a list of all customizations in your account that have no description. -![Customizations with Missing Descriptions](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/missingdescriptions_800x339.webp) +![Customizations with Missing Descriptions](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/missingdescriptions_800x339.webp) To correct this issue on a specific customization record: 
@@ -50,7 +50,7 @@ the organization. If an inactive employee is the owner of a field or record in t be harmful for your account. This report displays a list of all customizations in the system that currently have inactive employees as owners. -![Customizations with Missing Active Owner](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/activeowners_800x314.webp) +![Customizations with Missing Active Owner](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/activeowners_800x314.webp) To correct this issue on a specific customization record: @@ -65,7 +65,7 @@ It is a best practice to include help text on your fields so that your employees understand what the field does and how to use it. This report displays a list of all the fields in the system that are missing help text. -![Customizations with Missing Help](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/missinghelp_800x316.webp) +![Customizations with Missing Help](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/missinghelp_800x316.webp) To correct this issue on a specific customization record: @@ -79,4 +79,4 @@ To correct this issue on a specific customization record: This report displays a list of all customizations in your account that were deleted. This enables you to easily spot undesired removals and resolve them quickly. -![Deleted Customizations](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/deletedcustos_800x309.webp) +![Deleted Customizations](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/deletedcustos_800x309.webp) diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/sql_library.md b/docs/strongpointnetsuiteflashlight/using_flashlight/sql_library.md index cecb31e45b..842b2c6ea8 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/sql_library.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/sql_library.md 
@@ -7,7 +7,7 @@ To access the SQL Library: Open **Flashlight** > **Tools** > **SQL Library** -![SQL Library](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/sql_library_800x251.webp) +![SQL Library](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/sql_library_800x251.webp) This report displays a list of all formulas used in Saved Searches. The report contains the following information: diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/standard_field_impact_analysis.md b/docs/strongpointnetsuiteflashlight/using_flashlight/standard_field_impact_analysis.md index 43ca7a7293..cb7255f6ae 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/standard_field_impact_analysis.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/standard_field_impact_analysis.md @@ -8,7 +8,7 @@ To access this report: 1. Open **Flashlight** > **Tools** > **Standard Field Impact Analysis** - ![Standard Field Impact Analysis](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standardfieldimpactanalysis.webp) + ![Standard Field Impact Analysis](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standardfieldimpactanalysis.webp) 2. You can optionally filter on the following fields: @@ -20,4 +20,4 @@ To access this report: For example, you can easily understand that a change to a given field in the system has an impact on Scripts and Workflows that leverage the field. - ![Standard Field Impact Analysis Results](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standardfieldimpactanalysisresults_800x261.webp) + ![Standard Field Impact Analysis Results](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standardfieldimpactanalysisresults_800x261.webp) 
diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/understanding_customization_record.md b/docs/strongpointnetsuiteflashlight/using_flashlight/understanding_customization_record.md index 8c3be2a380..89168de5eb 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/understanding_customization_record.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/understanding_customization_record.md @@ -7,7 +7,7 @@ enable us to search customizations and to attach them to processes. Here is an example Customization Record for a Scheduled Script: -![Customization Record](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/customization_record_800x402.webp) +![Customization Record](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/customization_record_800x402.webp) #### Menu diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/user_mgmt_reports.md b/docs/strongpointnetsuiteflashlight/using_flashlight/user_mgmt_reports.md index 2b8f3c7234..4662cc4ea1 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/user_mgmt_reports.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/user_mgmt_reports.md @@ -13,7 +13,7 @@ activities. These reports can be access from the Flashlight main menu under the When new users are added into NetSuite they can be automatically assigned default role permissions. This report provides full transparency into the employees that have standard operational roles. -![Employess with Standard Roles](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standard_roles_800x171.webp) +![Employess with Standard Roles](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/standard_roles_800x171.webp) We recommend you fully review this report and validate the your employees have the appropriate roles or whether they need a customized role Role (recommended). 
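Review bot: The alt text on the rewritten image line in this `user_mgmt_reports.md` hunk still reads "Employess with Standard Roles". Since the line is being rewritten anyway, correct it to "Employees with Standard Roles" in the same change. Alt text is what screen readers and broken-image fallbacks display, so the misspelling is user-visible. The "Employess with Unused Logins" image line in the next hunk of this file carries the same misspelling and can be fixed alongside it.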
@@ -23,7 +23,7 @@ or whether they need a customized role Role (recommended). Admins are often asked to confirm whether employees are logging into NetSuite and using the system. This report summarizes the list of employees who have not logged into NetSuite in the last month. -![Employess with Unused Logins](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/unusedlogins_800x222.webp) +![Employess with Unused Logins](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/unusedlogins_800x222.webp) The Administrator should regularly review the employees that do not use their NetSuite account. This is an opportunity to make better use of your NetSuite licenses by revoking access to employees who @@ -34,7 +34,7 @@ do not need to use the system. By clicking on the employee name you see the Empl This report lists all Employees that have been granted access to NetSuite in the past week. -![Employees Granted Access in the Past Week](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/empgranted_800x207.webp) +![Employees Granted Access in the Past Week](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/empgranted_800x207.webp) ## Inactive Users @@ -43,4 +43,4 @@ to validate the employee removal process has been completed and access has been also helpful to troubleshoot cases where an employee cannot log into the system due to the employee being marked as inactive in the system. -![Inactive_Users](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/inactiveusers_800x158.webp) +![Inactive_Users](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/inactiveusers_800x158.webp) diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/using_customization_impact_analysis.md b/docs/strongpointnetsuiteflashlight/using_flashlight/using_customization_impact_analysis.md index 074ff2dd65..021389febe 100644 
--- a/docs/strongpointnetsuiteflashlight/using_flashlight/using_customization_impact_analysis.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/using_customization_impact_analysis.md @@ -10,13 +10,13 @@ To access the Customization Quick Search: Impact Search Form. 2. Enter any criteria to filter the results as required. - ![Impact Analysis Filters](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/impactanalysis_800x422.webp) + ![Impact Analysis Filters](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/impactanalysis_800x422.webp) 3. Click **Submit** to run the report. Each row of the report displays a customization with the related dependencies. For example, you can see that a change to a given field in the system will have an impact on Scripts and Workflows that use the field. - ![Impact Analysis Results](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/impactanalysisresults_800x290.webp) + ![Impact Analysis Results](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/impactanalysisresults_800x290.webp) 4. Click on **View** to navigate to the customization record to understand the impact and the dependencies for each customizations. diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/using_erd.md b/docs/strongpointnetsuiteflashlight/using_flashlight/using_erd.md index 9ff45eeba6..aac2a65b8a 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/using_erd.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/using_erd.md 
@@ -15,11 +15,11 @@ To access the ERD view: 1. Open **Flashlight** > **Tools** > **ERD** 2. Select a **Record Type** - ![ERD Filter Options](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/erd_filters_800x231.webp) + ![ERD Filter Options](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/erd_filters_800x231.webp) 3. Click **Show Record ERD** to generate the diagram. - ![ERD](../../../static/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/erd_800x517.webp) + ![ERD](/img/product_docs/strongpointnetsuiteflashlight/using_flashlight/erd_800x517.webp) 4. The left panel displays your selected **Record Type** 5. Click on any field in the ERD to see: diff --git a/docs/strongpointnetsuiteflashlight/using_flashlight/using_spider.md b/docs/strongpointnetsuiteflashlight/using_flashlight/using_spider.md index 9c5fa11c37..635f78f16b 100644 --- a/docs/strongpointnetsuiteflashlight/using_flashlight/using_spider.md +++ b/docs/strongpointnetsuiteflashlight/using_flashlight/using_spider.md @@ -20,7 +20,7 @@ Run the manual spider: 1. Open **Flashlight** > **Tools** > **Spider** - ![Open the Spider](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/mainmenu.webp) + ![Open the Spider](/img/product_docs/strongpointnetsuiteflashlight/getting_started/mainmenu.webp) 2. You can run the manual spider: 
@@ -30,11 +30,11 @@ Run the manual spider: updated. The selected record types are added to an index. Strongpoint processes read the index, create customization records, and parse relationships and scripts. - ![Spider Options](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_800x368.webp) + ![Spider Options](/img/product_docs/strongpointnetsuiteflashlight/getting_started/spider_800x368.webp) ## Re-spider Now You can also update the documentation for a specific customization record. Simply click **Respider Now** on the customization record and your documentation is updated in real time. -![Re-Spider Now](../../../static/img/product_docs/strongpointfornetsuite/respider_now.webp) +![Re-Spider Now](/img/product_docs/strongpointfornetsuite/respider_now.webp) diff --git a/docs/strongpointnetsuiteflashlight/welcome.md b/docs/strongpointnetsuiteflashlight/welcome.md index a3c01ee248..d11ce82058 100644 --- a/docs/strongpointnetsuiteflashlight/welcome.md +++ b/docs/strongpointnetsuiteflashlight/welcome.md @@ -22,8 +22,8 @@ Flashlight provides your organization these key benefits: #### Move Faster -- Use the Flashlight [Dashboard](getting_started/dashboard.md) and the - [Entity Relationship Diagrams](using_flashlight/using_erd.md) to spot problems before they happen +- Use the Flashlight [Dashboard](/docs/strongpointnetsuiteflashlight/getting_started/dashboard.md) and the + [Entity Relationship Diagrams](/docs/strongpointnetsuiteflashlight/using_flashlight/using_erd.md) to spot problems before they happen and respond to your users more quickly. - Now you can make better, faster decisions to drive your business forward. diff --git a/docs/strongpointsalesforceflashlight/clean_up/cleanup_customizations.md b/docs/strongpointsalesforceflashlight/clean_up/cleanup_customizations.md index a4c1a1ab21..5e97fb4030 100644 --- a/docs/strongpointsalesforceflashlight/clean_up/cleanup_customizations.md 
+++ b/docs/strongpointsalesforceflashlight/clean_up/cleanup_customizations.md @@ -24,7 +24,7 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu 6. Assign a **Change/Approval Policy** if there is an object specific policy (optional). 7. Under **Clean-Up Classification**, add an overview of the clean up. -![improvementtab_800x415](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/improvementtab_800x415.webp) +![improvementtab_800x415](/img/product_docs/strongpointsalesforceflashlight/clean_up/improvementtab_800x415.webp) ## Clean Up Multiple Customizations @@ -43,7 +43,7 @@ Use these processes to Clean up Individual Customization or Clean Up Multiple Cu - **Clean Up Comments** - **Clean Up Status** -![createlist_view_for_cleanup_800x403](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/createlist_view_for_cleanup_800x403.webp)6. +![createlist_view_for_cleanup_800x403](/img/product_docs/strongpointsalesforceflashlight/clean_up/createlist_view_for_cleanup_800x403.webp)6. Restrict Visibility. You can choose to have the list view: - Only visible to you, 
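Review bot: The rewritten image line in the `@@ -43,7 +43,7 @@` hunk still ends with a stray list marker (`createlist_view_for_cleanup_800x403.webp)6.`), so "Restrict Visibility." on the next line is not rendered as item 6 of the numbered list. Since this line is being touched anyway, move the `6.` to the start of the following line so that `6. Restrict Visibility.` begins its own list item, and leave the image on a line of its own.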
@@ -53,11 +53,11 @@ Restrict Visibility. You can choose to have the list view: 7. Click **Save**. 8. Once your list view has been created, you can multi-select customizations for clean up by checking the box beside Action. - ![multi_select_cleanup_800x382](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/multi_select_cleanup_800x382.webp)9. + ![multi_select_cleanup_800x382](/img/product_docs/strongpointsalesforceflashlight/clean_up/multi_select_cleanup_800x382.webp)9. You can now choose what you want to edit for the multiple customizations selected. For example, if you want to change the clean up status: 9. Go to **Edit Clean Up Status**. 10. Select a status such as To Be Cleaned Up. 11. Choose to **Apply changes to: All the selected records**. 12. Click **Save**. - ![flagging_mass_customizations_800x374](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/flagging_mass_customizations_800x374.webp) + ![flagging_mass_customizations_800x374](/img/product_docs/strongpointsalesforceflashlight/clean_up/flagging_mass_customizations_800x374.webp) diff --git a/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md b/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md index 06a2b5433f..23c271ecaa 100644 --- a/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md +++ b/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md @@ -18,7 +18,7 @@ report: ## Using the Reports - **Filters** - ![filters_icon](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/filters_icon.webp): + ![filters_icon](/img/product_docs/strongpointsalesforceflashlight/clean_up/filters_icon.webp): Open the filters to see the criteria used for the report. You can modify the unlocked filters to narrow the focus of the results. - **Column Sort Order**: Use the toggler in the column heads to change the sort order of the results 
diff --git a/docs/strongpointsalesforceflashlight/clean_up/date_last_used.md b/docs/strongpointsalesforceflashlight/clean_up/date_last_used.md index cacc23fa25..18d9bdd903 100644 --- a/docs/strongpointsalesforceflashlight/clean_up/date_last_used.md +++ b/docs/strongpointsalesforceflashlight/clean_up/date_last_used.md @@ -53,7 +53,7 @@ Usage data fields: Setting the DLU Expiration. | Older than set time period | Populated | If Field History Tracking is enabled for a CustomField with a **DLU Status** of either **Recent** or **Expired**, the status is changed to **Pending**. Here is an example: - ![Example of the DLU status fields for a CustomField](../../../static/img/product_docs/strongpointsalesforceflashlight/clean_up/dlu_status_example_customfield_800x294.webp) + ![Example of the DLU status fields for a CustomField](/img/product_docs/strongpointsalesforceflashlight/clean_up/dlu_status_example_customfield_800x294.webp) ### Notes 
@@ -75,11 +75,11 @@ has been disabled. To change the time period: 1. Open **Setup** 2. Expand **Custom Code** 3. Select **Custom Metadata Types** - ![Open Custom Metadata Types](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types.webp) + ![Open Custom Metadata Types](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types.webp) 4. Click **Manage Records** by **Strongpoint DLU Parameter**. - ![Click Manage Records to open the record](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_exp.webp) + ![Click Manage Records to open the record](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_exp.webp) 5. Click **Edit** by **DLU Expiration**. - ![Edit the parameters](../../../static/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_para.webp) + ![Edit the parameters](/img/product_docs/strongpointforsalesforce/clean_up/custom_metadata_types_dlu_para.webp) 6. Set the **DLU Expiration (Months)**. The default is three. 7. Click **Save**. 
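Review bot: All three rewritten image paths in this hunk point at `/img/product_docs/strongpointforsalesforce/clean_up/`, while the file lives under `docs/strongpointsalesforceflashlight/` and the image in the previous hunk of the same file uses `/img/product_docs/strongpointsalesforceflashlight/clean_up/`. The old relative paths had the same cross-product target, so the conversion is faithful, but please confirm the three files exist in that directory and that depending on another product's asset folder is intended.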
@@ -169,13 +169,13 @@ DLU is not used for the following metadata Extended Types: ## DLU Scheduler -The [Scheduler](../getting_started/scheduler.md) is where you can add frequency, day and time for +The [Scheduler](/docs/strongpointsalesforceflashlight/getting_started/scheduler.md) is where you can add frequency, day and time for processes to run. Under **Field Usage and DLU**, you can set up the scheduler to update the last used date field on customizations with the date the metadata was last used. It populates information for field usage on custom fields and custom objects and catch any permission set assignments related to users. -![scheduler](../../../static/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) +![scheduler](/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp) Once the scheduler has been set up, you can view the DLU under the **Metadata** tab on the customization record. diff --git a/docs/strongpointsalesforceflashlight/customizations/customizations_overview.md b/docs/strongpointsalesforceflashlight/customizations/customizations_overview.md index 0afe1bd850..b94f4bda65 100644 --- a/docs/strongpointsalesforceflashlight/customizations/customizations_overview.md +++ b/docs/strongpointsalesforceflashlight/customizations/customizations_overview.md @@ -19,7 +19,7 @@ Customization records contain the following information: The joins between customizations are critical to determine the IT risk of making changes to the system. For example, they warn you if changing a search could break a workflow or a -script.![drd_800x155](../../../static/img/product_docs/strongpointsalesforceflashlight/customizations/drd_800x155.webp) +script.![drd_800x155](/img/product_docs/strongpointsalesforceflashlight/customizations/drd_800x155.webp) ## Customization Reports 
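Review bot: In the customizations_overview.md hunk the image is still attached directly to the end of the sentence (`script.![drd_800x155](...)`) and its alt text is the file name rather than a description. Put the image on its own line after a blank line and give it alt text that says what the diagram shows.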
diff --git a/docs/strongpointsalesforceflashlight/customizations/understanding_customization_record.md b/docs/strongpointsalesforceflashlight/customizations/understanding_customization_record.md index 074b8d822d..850e3acb39 100644 --- a/docs/strongpointsalesforceflashlight/customizations/understanding_customization_record.md +++ b/docs/strongpointsalesforceflashlight/customizations/understanding_customization_record.md @@ -23,7 +23,7 @@ Customization record fields include: - **Details**: Tabs to access details about the customization. Tabs include **Metadata**, **Improvement**, **Permissions**, **Control**, **DRD**, **Raw Data** and **Related Lists**. -![customization_record_800x315](../../../static/img/product_docs/strongpointsalesforceflashlight/customizations/customization_record_800x315.webp) +![customization_record_800x315](/img/product_docs/strongpointsalesforceflashlight/customizations/customization_record_800x315.webp) ## Customization Record Tabs @@ -46,7 +46,7 @@ These are the tabs inside a customization record: The metadata tab provides the metadata information about the customization, including: - **Date Last Used**: date the customization was last used. Refer to - [DLU](../clean_up/date_last_used.md) for more information. + [DLU](/docs/strongpointsalesforceflashlight/clean_up/date_last_used.md) for more information. - **Data type**: data type of the custom field. - **Last Modified Date**: last date the customization was modified. - **Active**: indicates whether the customization is a active. @@ -104,7 +104,7 @@ on a financial report. ### DRD -Dependency Relationship Diagram ([DRD](../tools/viewing_drd.md)) displays objects, customizations +Dependency Relationship Diagram ([DRD](/docs/strongpointsalesforceflashlight/tools/viewing_drd.md)) displays objects, customizations and their relationships and dependencies. ### Raw Data 
diff --git a/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md b/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md index 2b7fb41286..ba3d166191 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md +++ b/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md @@ -21,7 +21,7 @@ The report is divided into these sections: This section displays the current status of the scanners. You can click to manually **Start** a scanner or to **Stop** a running Scanner. -![Configuration and Stats - Scanner Status](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scanner_status_800x354.webp) +![Configuration and Stats - Scanner Status](/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scanner_status_800x354.webp) ## Documentation Stats @@ -31,7 +31,7 @@ Strongpoint has created to track the relationships between customizations. **Joi critical relationship information to help you determine if it is safe to delete or change something, and how it affects other items. -![Configuration and Stats - Documentation Stats](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/config_doc_stats_800x325.webp) +![Configuration and Stats - Documentation Stats](/img/product_docs/strongpointsalesforceflashlight/getting_started/config_doc_stats_800x325.webp) ## Scanner Logs @@ -46,7 +46,7 @@ The section displays details for each of the scanner logs: is running. When the scan is complete, the column matches the total **Scanner Count**. - **Scanner Count** -![Configuration and Stats - Scanner Logs](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scanner_logs_800x208.webp) +![Configuration and Stats - Scanner Logs](/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scanner_logs_800x208.webp) ## Scanner Additional Information 
@@ -56,4 +56,4 @@ This section displays each scanner function and the status: - Last Automated Scanner Run Date - Last Scanner Run Status -![Configuration and Stas - Scanner Additional Information](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scan_add_info_800x127.webp) +![Configuration and Stas - Scanner Additional Information](/img/product_docs/strongpointsalesforceflashlight/getting_started/config_scan_add_info_800x127.webp) diff --git a/docs/strongpointsalesforceflashlight/getting_started/dashboard.md b/docs/strongpointsalesforceflashlight/getting_started/dashboard.md index f3d77325d4..19902ecac6 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/dashboard.md +++ b/docs/strongpointsalesforceflashlight/getting_started/dashboard.md 
@@ -15,37 +15,37 @@ org and action problematic areas as required. Displays the current status of the scanner (Not Started, In Progress, Completed) and the number of days since the scanner was last run. It is recommended to run the scanner every week so your org documentation is up-to-date. -![Scanner status on the dashboard](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/scanner_status.webp) +![Scanner status on the dashboard](/img/product_docs/strongpointsalesforceflashlight/getting_started/scanner_status.webp) ## Recent Updates to Customizations Displays the number of New, Changed, and Deleted Customizations over the past seven days. -![Recent Updates to Customizations shown on the Dashboard](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_updates_800x167.webp) +![Recent Updates to Customizations shown on the Dashboard](/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_updates_800x167.webp) Click on number to drill down into a Report for more information. For example, here is the report for the 10 New Analytics Customizations: -![Drill down into a report for each number](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_updates_report_800x406.webp) +![Drill down into a report for each number](/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_updates_report_800x406.webp) ## Resources Links to key resources to help you learn to use Flashlight. -![Resources](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) +![Resources](/img/product_docs/strongpointnetsuiteflashlight/getting_started/resources.webp) ## Key Tools Links to useful Flashlight tools to give you more value out of your documentation. 
-![Key Tools](../../../static/img/product_docs/strongpointnetsuiteflashlight/getting_started/key_tools.webp) +![Key Tools](/img/product_docs/strongpointnetsuiteflashlight/getting_started/key_tools.webp) - **DRD**: Explore your customizations with Flashlight’s visual DRD and understand how customizations relate to each other. -- **Finder**:[Find](../tools/finder.md) standard and customized objects created by the scanner. -- **Export Objects**: Open the [Export Objects](../tools/export_objects.md) tool. +- **Finder**:[Find](/docs/strongpointsalesforceflashlight/tools/finder.md) standard and customized objects created by the scanner. +- **Export Objects**: Open the [Export Objects](/docs/strongpointsalesforceflashlight/tools/export_objects.md) tool. ## DRD Generator A shortcut to open the DRD for the entered **Name** or **API Name**. -![Shortcut to the DRD tool](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_drd_gen.webp) +![Shortcut to the DRD tool](/img/product_docs/strongpointsalesforceflashlight/getting_started/dashboard_drd_gen.webp) -**Next Step:**[ Viewing the Status Report](config_and_stats.md) +**Next Step:**[ Viewing the Status Report](/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md) diff --git a/docs/strongpointsalesforceflashlight/getting_started/getting_started_overview.md b/docs/strongpointsalesforceflashlight/getting_started/getting_started_overview.md index aa76876561..3189eb12a2 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/getting_started_overview.md +++ b/docs/strongpointsalesforceflashlight/getting_started/getting_started_overview.md 
@@ -2,21 +2,21 @@ It is easy to be up and running with Flashlight by Strongpoint for Salesforce. -1. [Install Flashlight by Strongpoint](installing_flashlight.md) -2. Run the [Getting Started Wizard](using_getting_started_wizard.md) to begin your first scan and +1. [Install Flashlight by Strongpoint](/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md) +2. Run the [Getting Started Wizard](/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md) to begin your first scan and document your customizations. Once started, wait for the email notification the scan is finished. ## Getting to Know Flashlight There are a variety of informational topics to help you see what Flashlight documents in your org: -- [Using the Dashboard](dashboard.md) describes the items on the Flashlight Home page. -- [Configuration and Status](config_and_stats.md) and the - [Platform Governor Status](platform_governor.md) reports display Flashlight system information. -- [Running the Scheduler](scheduler.md) is where you set up automatic scans after your initial scan +- [Using the Dashboard](/docs/strongpointsalesforceflashlight/getting_started/dashboard.md) describes the items on the Flashlight Home page. +- [Configuration and Status](/docs/strongpointsalesforceflashlight/getting_started/config_and_stats.md) and the + [Platform Governor Status](/docs/strongpointsalesforceflashlight/getting_started/platform_governor.md) reports display Flashlight system information. +- [Running the Scheduler](/docs/strongpointsalesforceflashlight/getting_started/scheduler.md) is where you set up automatic scans after your initial scan is complete. 
-- [Customizations Overview](../customizations/customizations_overview.md) and - [Understanding the Customization Record](../customizations/understanding_customization_record.md) +- [Customizations Overview](/docs/strongpointsalesforceflashlight/customizations/customizations_overview.md) and + [Understanding the Customization Record](/docs/strongpointsalesforceflashlight/customizations/understanding_customization_record.md) provide insights into what Flashlight documents in your org. -**Next Step:** [Installing Flashlight](installing_flashlight.md) +**Next Step:** [Installing Flashlight](/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md) diff --git a/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md b/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md index bb6eafd8f3..8cdc238d8c 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md +++ b/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md @@ -12,9 +12,9 @@ Strongpoint: 2. Log in to Salesforce when prompted. 3. Select **Install for Admins Only** 4. Click **Install** - ![Install Flashlight by Strongpoint](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/install_flashlight1_800x399.webp) + ![Install Flashlight by Strongpoint](/img/product_docs/strongpointsalesforceflashlight/getting_started/install_flashlight1_800x399.webp) NOTE: Strongpoint installs in the background. An email notification is sent to you when the installation is complete. -**Next Step:** [Using the Getting Started Wizard](using_getting_started_wizard.md) +**Next Step:** [Using the Getting Started Wizard](/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md) 
diff --git a/docs/strongpointsalesforceflashlight/getting_started/platform_governor.md b/docs/strongpointsalesforceflashlight/getting_started/platform_governor.md index 55afba3936..7174066448 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/platform_governor.md +++ b/docs/strongpointsalesforceflashlight/getting_started/platform_governor.md @@ -6,7 +6,7 @@ This is a live status update of the Strongpoint Usage of SFDC Governor Limit. Ac When Strongpoint reaches the threshold, executions are reschedule for the next day so the organization limit is not reached. -![governor_800x271](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/governor_800x271.webp) +![governor_800x271](/img/product_docs/strongpointsalesforceflashlight/getting_started/governor_800x271.webp) ## Setting a Threshold diff --git a/docs/strongpointsalesforceflashlight/getting_started/report_a_bug.md b/docs/strongpointsalesforceflashlight/getting_started/report_a_bug.md index 2cd4f7d137..589761d569 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/report_a_bug.md +++ b/docs/strongpointsalesforceflashlight/getting_started/report_a_bug.md @@ -7,4 +7,4 @@ Follow these simple steps to provide feedback: 1. Open **Flashlight** > **Support** > **Report a Bug** 2. Complete the form and our support team will contact you. -![Report a Bug](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/report_bug_800x399.webp) +![Report a Bug](/img/product_docs/strongpointsalesforceflashlight/getting_started/report_bug_800x399.webp) diff --git a/docs/strongpointsalesforceflashlight/getting_started/scheduler.md b/docs/strongpointsalesforceflashlight/getting_started/scheduler.md index 50f4386c3f..ef1c83ee87 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/scheduler.md +++ b/docs/strongpointsalesforceflashlight/getting_started/scheduler.md 
@@ -6,7 +6,7 @@ Strongpoint's scheduler creates automated scans and documents the Field Usage an To use the scheduler tool: 1. Open **Flashlight** > **Support** > **Scheduler** - ![scheduler](../../../static/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp)2. + ![scheduler](/img/product_docs/strongpointforsalesforce/clean_up/scheduler.webp)2. Toggle **Enabled**/**Disabled**by the category. Your selections are automatically saved. 2. Select the **Frequency** , **Day** and **Time**. Your selections are automatically saved. 3. Click any menu item to close the **Scheduler**. diff --git a/docs/strongpointsalesforceflashlight/getting_started/uninstalling_flashlight.md b/docs/strongpointsalesforceflashlight/getting_started/uninstalling_flashlight.md index 724e4fc801..08e7e86b49 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/uninstalling_flashlight.md +++ b/docs/strongpointsalesforceflashlight/getting_started/uninstalling_flashlight.md @@ -6,7 +6,7 @@ Here is how to uninstall the Flashlight app from your org: 2. Select **Apps** > **App Manager** 3. Locate **Flashlight** in the installed list. 4. Click the Action icon on the far right of the Flashlight entry and click - **Delete**![uninstall_flashlight_800x285](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/uninstall_flashlight_800x285.webp) + **Delete**![uninstall_flashlight_800x285](/img/product_docs/strongpointsalesforceflashlight/getting_started/uninstall_flashlight_800x285.webp) NOTE: Once you uninstall the Flashlight app you must email [flashlight@strongpoint.io](mailto:flashlight@strongpoint.io) to ensure you are not billed diff --git a/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md b/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md index 695c0e014f..0ca5de39f5 100644 --- a/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md 
+++ b/docs/strongpointsalesforceflashlight/getting_started/using_getting_started_wizard.md @@ -1,18 +1,18 @@ # Using the Getting Started Wizard The Getting Started Wizard is available after you have installed the Flashlight -[app](installing_flashlight.md). +[app](/docs/strongpointsalesforceflashlight/getting_started/installing_flashlight.md). To use the Getting Started Wizard: 1. Open the Salesforce **App Launcher** and select **Flashlight**. - ![Launch the Flashlight app](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/install_flashlight2.webp) + ![Launch the Flashlight app](/img/product_docs/strongpointsalesforceflashlight/getting_started/install_flashlight2.webp) 2. Click on the **Flashlight** tab to open the Flashlight homepage. 3. Open **Support** > **Getting Started Wizard** - ![getting_started_wizard](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/getting_started_wizard.webp) + ![getting_started_wizard](/img/product_docs/strongpointsalesforceflashlight/getting_started/getting_started_wizard.webp) 4. Click **Run Scanner** to start the process. - ![Run the Scanner to start the documentation process](../../../static/img/product_docs/strongpointsalesforceflashlight/getting_started/run_scanner.webp) + ![Run the Scanner to start the documentation process](/img/product_docs/strongpointsalesforceflashlight/getting_started/run_scanner.webp) 5. Click **Next**. 6. Click **Done**. @@ -20,4 +20,4 @@ Flashlight for Salesforce examines your org and begins the automated documentati process runs in the background. You receive an email notification when it is finished. The length of time depends on the size of your org. -**Next Step:** [Using the Dashboard](dashboard.md) +**Next Step:** [Using the Dashboard](/docs/strongpointsalesforceflashlight/getting_started/dashboard.md) 
diff --git a/docs/strongpointsalesforceflashlight/tools/automated_report_clean_up.md b/docs/strongpointsalesforceflashlight/tools/automated_report_clean_up.md index 5e3cecf994..3049936388 100644 --- a/docs/strongpointsalesforceflashlight/tools/automated_report_clean_up.md +++ b/docs/strongpointsalesforceflashlight/tools/automated_report_clean_up.md @@ -29,7 +29,7 @@ criteria. Report Clean Up rules are used for both Automatic and Run Now. To create or edit rules, access **Flashlight** > **Tools** > **Automated Report Clean Up Tool** > **Report Clean Up Rules** -![automated_report_cleanup_800x555](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_800x555.webp) +![automated_report_cleanup_800x555](/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_800x555.webp) - **Name** is the assigned name for the **Report Clean Up Rule Record**. - **Description** is the purpose of the rule record. An informative description helps administrators @@ -98,7 +98,7 @@ clean up. The Run Now feature begins an immediate run for the rule. 4. After previewing, you can click **Automatic** on the Report Clean Up Rule to include the rule for automatic reports. -![automated_report_cleanup_preview_800x264](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_preview_800x264.webp) +![automated_report_cleanup_preview_800x264](/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_preview_800x264.webp) #### Run Now 
@@ -161,7 +161,7 @@ view current status. **Canceled** - **Automatic** checkbox was turned off for the rule. - **Automatic**: rule is set to **Automatic** if checked. -![automated_report_cleanup_status_800x366](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_status_800x366.webp) +![automated_report_cleanup_status_800x366](/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_status_800x366.webp) ### Retaining a Report @@ -186,7 +186,7 @@ report is archived. The Archive process: - Auto Archive notifications are sent to the rule owner and administrators. A **Restore** link is included in the email. -![automated_report_cleanup_archive_800x340](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_archive_800x340.webp) +![automated_report_cleanup_archive_800x340](/img/product_docs/strongpointsalesforceflashlight/tools/automated_report_cleanup_archive_800x340.webp) ### Restoring an Auto Archived Report diff --git a/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md b/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md index e1c5e89f05..3d7f24b2c4 100644 --- a/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md +++ b/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md 
@@ -1,12 +1,12 @@ # Export Object Attachment Records -When [Object](export_objects.md), [Profile and Permission Set](export_profiles.md) or -[User](export_profiles.md) information is exported, an **Export Object Attachment** Record is +When [Object](/docs/strongpointsalesforceflashlight/tools/export_objects.md), [Profile and Permission Set](/docs/strongpointsalesforceflashlight/tools/export_profiles.md) or +[User](/docs/strongpointsalesforceflashlight/tools/export_profiles.md) information is exported, an **Export Object Attachment** Record is created for the export. When an export request is completed, you receive an email notification your export file is ready. The link in the notification opens the **Export Object Attachment** Record in Salesforce. Your download file is available under **Notes & Attachments**. -![Example Export Object Attachment detail](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_attach_record_800x226.webp) +![Example Export Object Attachment detail](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_attach_record_800x226.webp) The export history is saved in Salesforce. You can view the list, or add the Export Object Attachments tabs to your menu bar. @@ -22,7 +22,7 @@ Attachments tabs to your menu bar. 1. Click the **+** in the menu bar to open the **All Tabs** list (Salesforce Classic). 2. Select **Export Object Attachments**. -![Export Object Attachments list](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_list.webp) +![Export Object Attachments list](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_list.webp) ### Add the **Export Object Attachments** Tab 
@@ -30,7 +30,7 @@ Attachments tabs to your menu bar. 2. Click **Customize My Tabs** 3. Select **Export Object Attachments** from the **Available Tabs** and add it to the **Selected Tabs**. - ![Add Export Object Attachments to your menu bar in Classic view](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_classic.webp) + ![Add Export Object Attachments to your menu bar in Classic view](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_classic.webp) 4. Click **Save**. ## Salesforce Lightning @@ -45,5 +45,5 @@ Enter **Export Object Attachments** in the **Search Salesforce** entry box on th 2. Locate **Strongpoint** in the list. From the pull down menu on the right, select **Edit**. 3. Select **Export Object Attachments** from the **Available Tabs** and add it to the **Selected Tabs**. - ![Add Export Object Attachments tab to your menu bar in Lightning](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_lightning.webp) + ![Add Export Object Attachments tab to your menu bar in Lightning](/img/product_docs/strongpointforsalesforce/tools/export_object_attach_record_tab_lightning.webp) 4. Click **Save**. diff --git a/docs/strongpointsalesforceflashlight/tools/export_objects.md b/docs/strongpointsalesforceflashlight/tools/export_objects.md index c50bb22e50..b648fb6502 100644 --- a/docs/strongpointsalesforceflashlight/tools/export_objects.md +++ b/docs/strongpointsalesforceflashlight/tools/export_objects.md 
@@ -4,7 +4,7 @@ Administrators can use this to export one or more objects, including all child o single view for easy review and management. For each export, you select the settings and optional profiles and permission sets to include in the object details. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You will receive an email with a -link to the [Export Object Attachment](export_object_attachment_records.md) record, where you can +link to the [Export Object Attachment](/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md) record, where you can download your file. NOTE: Strongpoint stores Object-level permissions in a Custom Object. There are two reports @@ -16,7 +16,7 @@ information: 1. Open **Flashlight** > **Tools** > **Export Objects** **Objects** is the default tab. **Profiles and Permission Sets** and **Users** exports are on their own - tabs.![export_object_800x500](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_800x500.webp) + tabs.![export_object_800x500](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_800x500.webp) 2. Scroll through the **Select Objects to be Exported**, or enter all or part of a name in **Filter** to filter the list. 3. Select one or more objects in the scroll box. Use **Shift** or **Ctrl** to select multiple 
@@ -24,11 +24,11 @@ information: 4. Click the right arrow to move the items to the **Selected Objects** list. To remove an item from the **Selected Objects** list, select it and click the left arrow. 5. Select the **Settings to be exported**. - ![export_object_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_settings.webp) + ![export_object_settings](/img/product_docs/strongpointforsalesforce/tools/export_object_settings.webp) 6. Optional: Select one or more profiles to be included for more security - information.![export_object_profiles_800x685](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_profiles_800x685.webp) + information.![export_object_profiles_800x685](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_profiles_800x685.webp) 7. Optional: Select one or more permission sets to be included for more security - information.![export_object_permissions_800x130](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_permissions_800x130.webp) + information.![export_object_permissions_800x130](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_permissions_800x130.webp) 8. **Click Download XLS** to export your selections. The file _ObjectExport.xls_ is created in your download folder. 
@@ -37,13 +37,13 @@ information: When you open an exported file, this message may be displayed, as the exported _ObjectExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _ObjectExport.xls_ file contains a **Summary** tab and a separate tab for each selected object. The **Summary** tab shows who created the export, the creation date and time, list of selected objects, and lists of any selected optional Profiles and Permission Sets. -![export_object_summary](../../../static/img/product_docs/strongpointforsalesforce/tools/export_object_summary.webp) +![export_object_summary](/img/product_docs/strongpointforsalesforce/tools/export_object_summary.webp) The **Object** tabs contain all of the requested information for each -object.![export_object_object_tab_800x401](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_object_tab_800x401.webp) +object.![export_object_object_tab_800x401](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_object_tab_800x401.webp) diff --git a/docs/strongpointsalesforceflashlight/tools/export_profiles.md b/docs/strongpointsalesforceflashlight/tools/export_profiles.md index afee5d546e..bf33a8323f 100644 --- a/docs/strongpointsalesforceflashlight/tools/export_profiles.md +++ b/docs/strongpointsalesforceflashlight/tools/export_profiles.md 
@@ -3,19 +3,19 @@ Administrators can use this tool to export all user permissions into a single view for easy review and management. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You will receive an email with a link to the -[Export Object Attachment](export_object_attachment_records.md) record, where you can download your +[Export Object Attachment](/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md) record, where you can download your file. 1. Open **Flashlight** > **Tools** > **Export Objects**. 2. Open the **Profiles and Permission Sets** tab. - ![export_profile_ui_800x685](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_object_profiles_800x685.webp) + ![export_profile_ui_800x685](/img/product_docs/strongpointsalesforceflashlight/tools/export_object_profiles_800x685.webp) 3. Scroll through the **Select Profile to be Exported**. 4. Select one or more objects in the scroll box. Use **Shift** or **Ctrl** to select multiple objects. 5. Click the right arrow to move the items to the **Selected Profiles** list. To remove an item from the **Selected Profiles** list, select it and click the left arrow. 6. Select the **Settings to be exported**. - ![export_profile_ui_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_ui_settings.webp) + ![export_profile_ui_settings](/img/product_docs/strongpointforsalesforce/tools/export_profile_ui_settings.webp) 7. Click **Test Connection**. 8. Click **Download XLS**. The file _ProfileExport.xls_ is created. 
@@ -24,14 +24,14 @@ file. When you open an exported file, this message may be displayed, as the exported _ProfilesExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _ProfilesExport.xls_ file contains a **Summary** tab and a separate tab for each selected profile. The **Summary** tab shows who created the export, the creation date and time, and the list of selected profiles. -![export_profile_summary](../../../static/img/product_docs/strongpointforsalesforce/tools/export_profile_summary.webp) +![export_profile_summary](/img/product_docs/strongpointforsalesforce/tools/export_profile_summary.webp) The **Profile** tabs contain all of the requested information for each profile. -![export_profile_profile_800x728](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_profile_profile_800x728.webp) +![export_profile_profile_800x728](/img/product_docs/strongpointsalesforceflashlight/tools/export_profile_profile_800x728.webp) diff --git a/docs/strongpointsalesforceflashlight/tools/export_users.md b/docs/strongpointsalesforceflashlight/tools/export_users.md index 0b23c03254..6cc1301e32 100644 --- a/docs/strongpointsalesforceflashlight/tools/export_users.md +++ b/docs/strongpointsalesforceflashlight/tools/export_users.md 
@@ -5,12 +5,12 @@ Exports user information to an XLS file. Administrators can use this tool to export all user information into a single view for easy review and management. The export is done in the background to avoid timing out or exceeding the Salesforce Governor Limits. You receive an email with a link to the -[Export Object Attachment](export_object_attachment_records.md) record, where you can download your +[Export Object Attachment](/docs/strongpointsalesforceflashlight/tools/export_object_attachment_records.md) record, where you can download your file. 1. Open **Flashlight** > **Tools** > **Export Objects** 2. Open the **Users** - tab.![export_users_800x397](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_users_800x397.webp) + tab.![export_users_800x397](/img/product_docs/strongpointsalesforceflashlight/tools/export_users_800x397.webp) 3. Scroll through the **Select User to be Exported** or enter all of part .of a user name in the **Filter** field. 4. Select one or more objects in the scroll box. Use **Shift** or **Ctrl** to select multiple @@ -18,7 +18,7 @@ file. 5. Click the right arrow to move the items to the **Selected Users** list. To remove an item from the **Selected Users** list, select it and click the left arrow. 6. Select the **Settings to be exported**. - ![export_users_settings](../../../static/img/product_docs/strongpointforsalesforce/tools/export_users_settings.webp) + ![export_users_settings](/img/product_docs/strongpointforsalesforce/tools/export_users_settings.webp) 7. Click **Download XLS**. The file _UserExport.xls_ is created. #### UserExport.xls File 
@@ -26,13 +26,13 @@ file. When you open an exported file, this message may be displayed, as the exported _UserExport.xls_ file is in XML instead of the Excel format. Click **Yes** to load the file. -![Excel error message - Click Yes to continue.](../../../static/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) +![Excel error message - Click Yes to continue.](/img/product_docs/strongpointforsalesforce/tools/export_excel_error_msg.webp) The _UserExport.xls_ file contains a **Summary** tab and a separate tab for each selected user. The **Summary** tab shows who created the export, the creation date and time, and the list of selected -users.![export_users_summary_800x252](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_users_summary_800x252.webp) +users.![export_users_summary_800x252](/img/product_docs/strongpointsalesforceflashlight/tools/export_users_summary_800x252.webp) The **User** tabs contain all of the requested information for each exported -user.![export_users_user_800x675](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/export_users_user_800x675.webp) +user.![export_users_user_800x675](/img/product_docs/strongpointsalesforceflashlight/tools/export_users_user_800x675.webp) diff --git a/docs/strongpointsalesforceflashlight/tools/finder.md b/docs/strongpointsalesforceflashlight/tools/finder.md index 9dddcd7050..968aa197ff 100644 --- a/docs/strongpointsalesforceflashlight/tools/finder.md +++ b/docs/strongpointsalesforceflashlight/tools/finder.md 
@@ -14,4 +14,4 @@ Use the **Export to XLS** option to export your results to an XLS file where yo and analyze your information using the full power of Excel. You can then update your records using Salesforce tools like Import Wizard and Data Loader to save time and effort. -![finder_800x530](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/finder_800x530.webp) +![finder_800x530](/img/product_docs/strongpointsalesforceflashlight/tools/finder_800x530.webp) diff --git a/docs/strongpointsalesforceflashlight/tools/reports_overview.md b/docs/strongpointsalesforceflashlight/tools/reports_overview.md index 76fff127bb..0c4b41a68b 100644 --- a/docs/strongpointsalesforceflashlight/tools/reports_overview.md +++ b/docs/strongpointsalesforceflashlight/tools/reports_overview.md 
@@ -29,22 +29,22 @@ These reports are available from **Flashlight** > **Reports / List Views** > **C These reports are available from **Flashlight** > **Reports / List Views** > **Clean Up**. -> [Default Clean Up List View](../clean_up/cleanup_reports.md#default-clean-up-list-view) +> [Default Clean Up List View](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#default-clean-up-list-view) > -> [Open Clean Up Status](../clean_up/cleanup_reports.md#open-clean-up-status) +> [Open Clean Up Status](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#open-clean-up-status) > -> [Clean Up Waiting for Info](../clean_up/cleanup_reports.md#clean-up-waiting-for-info) +> [Clean Up Waiting for Info](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#clean-up-waiting-for-info) > -> [Customizations Excluded from Clean Up](../clean_up/cleanup_reports.md#customizations-excluded-from-clean-up) +> [Customizations Excluded from Clean Up](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#customizations-excluded-from-clean-up) > -> [Unused Fields](../clean_up/cleanup_reports.md#unused-fields) +> [Unused Fields](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#unused-fields) > -> [Unused Scripts](../clean_up/cleanup_reports.md#unused-scripts) +> [Unused Scripts](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#unused-scripts) > -> [Unused Reports](../clean_up/cleanup_reports.md#unused-reports) +> [Unused Reports](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#unused-reports) > -> [Customizations with Inactive Owners](../clean_up/cleanup_reports.md#customizations-with-inactive-owners) +> [Customizations with Inactive Owners](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#customizations-with-inactive-owners) > -> [Custom Fields without Help Text](../clean_up/cleanup_reports.md#custom-fields-without-help-text) +> [Custom Fields without Help 
Text](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#custom-fields-without-help-text) > -> [Custom Fields without Description](../clean_up/cleanup_reports.md#custom-fields-without-description) +> [Custom Fields without Description](/docs/strongpointsalesforceflashlight/clean_up/cleanup_reports.md#custom-fields-without-description) diff --git a/docs/strongpointsalesforceflashlight/tools/running_scanner.md b/docs/strongpointsalesforceflashlight/tools/running_scanner.md index 6977218840..c4c3d17c47 100644 --- a/docs/strongpointsalesforceflashlight/tools/running_scanner.md +++ b/docs/strongpointsalesforceflashlight/tools/running_scanner.md @@ -15,7 +15,7 @@ To run the scanner: 2. Optional: You can enter all of part of a **Type** in **Search Types** to filter the list. 3. You can select several types to scan or you can scan the whole environment by clicking the **+** by **Name** to select all the types. - ![scanner](../../../static/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner.webp)4. + ![scanner](/img/product_docs/strongpointforsalesforce/installing_strongpoint/scanner.webp)4. Click **Run Scanner**. 4. The batch runs in the background. You receive an email notification when the scan is complete. 5. You can open **Flashlight** > **Support** > **Status Report** to view the **Flashlight @@ -24,6 +24,6 @@ To run the scanner: If you are missing objects, you can run a scan on a **Customization** from the open record by clicking **Rescan**. -![rescan_example_800x289](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/rescan_example_800x289.webp) +![rescan_example_800x289](/img/product_docs/strongpointsalesforceflashlight/tools/rescan_example_800x289.webp) -**Next Step:**[Validating the Data ](validating_data.md) +**Next Step:**[Validating the Data ](/docs/strongpointsalesforceflashlight/tools/validating_data.md) 
diff --git a/docs/strongpointsalesforceflashlight/tools/tools_overview.md b/docs/strongpointsalesforceflashlight/tools/tools_overview.md index 41350607d8..2b314e6081 100644 --- a/docs/strongpointsalesforceflashlight/tools/tools_overview.md +++ b/docs/strongpointsalesforceflashlight/tools/tools_overview.md @@ -17,5 +17,5 @@ The Flashlight **Tools** tab accesses: > manage reports. In addition to the menu items, this section contains information fpr -[Accessing Reports](reports_overview.md) from the **Reports / List Views** tab, and an example of -how to [validate your data](validating_data.md). +[Accessing Reports](/docs/strongpointsalesforceflashlight/tools/reports_overview.md) from the **Reports / List Views** tab, and an example of +how to [validate your data](/docs/strongpointsalesforceflashlight/tools/validating_data.md). diff --git a/docs/strongpointsalesforceflashlight/tools/validating_data.md b/docs/strongpointsalesforceflashlight/tools/validating_data.md index 3241a3e1c1..94ad32ff73 100644 --- a/docs/strongpointsalesforceflashlight/tools/validating_data.md +++ b/docs/strongpointsalesforceflashlight/tools/validating_data.md @@ -11,7 +11,7 @@ PDF. Open **Flashlight**> **Support** > **Status Report.** -![statusreport_800x419](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/statusreport_800x419.webp) +![statusreport_800x419](/img/product_docs/strongpointsalesforceflashlight/tools/statusreport_800x419.webp) ## Strongpoint Dependency Relationship Diagram @@ -24,7 +24,7 @@ To validate data with the DRD: 2. Select an **Object** from the pull-down menu. 3. Click on a field and validate the data. -![entity_diagram_800x309](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/entity_diagram_800x309.webp) +![entity_diagram_800x309](/img/product_docs/strongpointsalesforceflashlight/tools/entity_diagram_800x309.webp) ## Strongpoint Customization Quick Search 
@@ -37,4 +37,4 @@ To validate data with the Customization Quick Search: 2. Scroll, **Search** or add **Filter(s)** to locate the customization. 3. Click on the **Customization** and validate the data. -![custquicksearch_800x200](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/custquicksearch_800x200.webp) +![custquicksearch_800x200](/img/product_docs/strongpointsalesforceflashlight/tools/custquicksearch_800x200.webp) diff --git a/docs/strongpointsalesforceflashlight/tools/viewing_drd.md b/docs/strongpointsalesforceflashlight/tools/viewing_drd.md index 9782ddaf56..cad64df0d1 100644 --- a/docs/strongpointsalesforceflashlight/tools/viewing_drd.md +++ b/docs/strongpointsalesforceflashlight/tools/viewing_drd.md @@ -13,4 +13,4 @@ To use the entity diagram: relationships. 5. Click **Open Record** to open the customization record for the item. -![entity_diagram_800x309](../../../static/img/product_docs/strongpointsalesforceflashlight/tools/entity_diagram_800x309.webp) +![entity_diagram_800x309](/img/product_docs/strongpointsalesforceflashlight/tools/entity_diagram_800x309.webp) diff --git a/docs/strongpointsalesforceflashlight/welcome.md b/docs/strongpointsalesforceflashlight/welcome.md index bd73e8003e..ce52165fae 100644 --- a/docs/strongpointsalesforceflashlight/welcome.md +++ b/docs/strongpointsalesforceflashlight/welcome.md @@ -22,7 +22,7 @@ Flashlight provides your organization these key benefits: #### Move Faster -- Use the Flashlight [Dashboard](getting_started/dashboard.md) and the Dependency Relationship +- Use the Flashlight [Dashboard](/docs/strongpointsalesforceflashlight/getting_started/dashboard.md) and the Dependency Relationship Diagrams to spot problems before they happen and respond to your users more quickly. - Now you can make better, faster decisions to drive your business forward. 
@@ -38,7 +38,7 @@ subscribe or re-subscribe: 3. If you previously unsubscribed, this link is displayed: _Looks like you've opted out of email communication. Click here to get an email and opt back in._ 4. Click on the link. An email is sent to enable you to update your subscription preferences: - ![Resubscribe to receive Release Note notifications.](../../static/img/product_docs/strongpointsalesforceflashlight/resubscribe.webp) + ![Resubscribe to receive Release Note notifications.](/img/product_docs/strongpointsalesforceflashlight/resubscribe.webp) 5. Click _update your subscription preferences_. 6. Click **Yes, resubscribe me!** You can opt out of the Marketing Information and still receive the Release Note notifications. diff --git a/docs/strongpointsalesforceflashlight/what_flashlight_documents.md b/docs/strongpointsalesforceflashlight/what_flashlight_documents.md index 777b279d93..6a89176494 100644 --- a/docs/strongpointsalesforceflashlight/what_flashlight_documents.md +++ b/docs/strongpointsalesforceflashlight/what_flashlight_documents.md @@ -2,7 +2,7 @@ Flashlight documents over 120 Salesforce metadata types. For display within the Flashlight application, metadata is organized into eight categories.Open the -[Documented Metadata Types](documented_metadata_types.md) topic for a complete list of Metadata +[Documented Metadata Types](/docs/strongpointsalesforceflashlight/documented_metadata_types.md) topic for a complete list of Metadata sorted by Type and by Category. | Metadata Category | Description | 
@@ -16,4 +16,4 @@ sorted by Type and by Category. | Analytics | Reports, Dashboards, List Views, and Einstein | | Configuration | Data Quality settings such as Duplicate Rules, Matching Rules, and Validation Rules. Other general settings | -![Metadata Categories](../../static/img/product_docs/strongpointsalesforceflashlight/metadata_categories_800x511.webp) +![Metadata Categories](/img/product_docs/strongpointsalesforceflashlight/metadata_categories_800x511.webp) diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md index aa55306783..354e8dcba3 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md @@ -3,7 +3,7 @@ The Active Directory Sync page within the Integrations interface lists the domains that are synced to theThreat Manager database. The sync operation gets all information about an Active Directory environment (users, groups, hosts, etc).See the -[Permissions for Active Directory Sync ](../../../requirements/permissions/adsync.md) topic for +[Permissions for Active Directory Sync ](/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md) topic for additional information about the permissions required for Active Directory syncing. Use the gear icon in the upper right corner of the console to open the Configuration menu. Then 
@@ -12,7 +12,7 @@ select **Integrations** to open the Integrations interface. Click **Active Directory Sync** in the navigation pane to view a list of the already added Active Directory domains, if any. Each added domain represents a sync policy. -![Integrations interface on the Active Directory Sync page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Active Directory Sync page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) A service named Active Directory Service continuously runs to collect data for the specified domain(s). It evaluates the USN value of an object and syncs when the object changes. The table @@ -36,8 +36,8 @@ Directory Sync in the navigation pane. **NOTE:** Prior to adding an Active Directory Sync policy, you must first configure a Credential Profile with credentials properly provisioned for running the sync operation for the domain. See the -[Application Server Requirements](../../../requirements/server.md) topic for the permissions. See -the [Credential Profile Page](credentialprofile.md) topic for additional information on creating a +[Application Server Requirements](/docs/threatmanager/3.0/threatmanager/requirements/server.md) topic for the permissions. See +the [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a profile. Follow the steps to add a domain/Active Directory sync policy. 
@@ -48,7 +48,7 @@ menu. Then select **Integrations** to open the Integrations interface. **Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integration window with Active Directory Sync type selected](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/activedirectorysync.webp) +![Add New Integration window with Active Directory Sync type selected](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/activedirectorysync.webp) **Step 3 –** In the Type drop-down menu, select Active Directory Sync. @@ -98,7 +98,7 @@ represented by the domain for which it is created. **Step 9 –** Select a domain from the table or the navigation pane to view the details of the Active Directory Sync policy created for that domain. -![Active Directory Sync details page for a specific domain](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![Active Directory Sync details page for a specific domain](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) Select the domain from the list to see modification options: 
@@ -118,7 +118,7 @@ Select the domain from the list to see modification options: The Domain Configuration tab displays the sync policy settings entered for the selected domain. With the exception of the domain itself, these settings can be updated as needed. -![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/domainconfigurationtab.webp) +![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/domainconfigurationtab.webp) The Domain Configuration tab displays the following settings: @@ -161,7 +161,7 @@ leaving the page. The Sync History tab displays the information on each synchronization event. This includes general information about user, group, and computer objects within the selected domain. -![Active Directory Sync details page for a specific domain showing the Sync History tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/synchistorytab.webp) +![Active Directory Sync details page for a specific domain showing the Sync History tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/synchistorytab.webp) The table provides the following information: 
@@ -193,7 +193,7 @@ represented by the domain for which it is created. _Remember,_ the domain cannot be modified. -![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/domainconfigurationtab.webp) +![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/domainconfigurationtab.webp) **Step 3 –** To modify the Credential Profile, select the Credential Profile by name from the drop-down menu. This was pre-created in the Credential Profiles page. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md index f3039d50bb..982cd99321 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md @@ -5,7 +5,7 @@ to Threat Manager. An app token is used by Threat Manager and/or the Activity Mo Directory activity data into the Threat Manager database. An app token is used by Access Analyzer to push a list of files containing sensitive data into the Threat Manager database. -![page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) It is necessary to generate an app token for each product integration. The App Tokens table displays the following information for each generated app token: 
@@ -21,7 +21,7 @@ Follow the steps to generate an app token. **Step 1 –** On the Integrations page, click **Add New Integration**. -![apptoken](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/apptoken.webp) +![apptoken](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/apptoken.webp) **Step 2 –** In the Type drop-down menu, select **App Token**. @@ -40,7 +40,7 @@ To view the details for an app token, click on the app token name in the Integra of the page displays the app token name and the description. These can be modified by clicking on the name or description and entering the desired information. -![details](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![details](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) Ensure that the app token is enabled for sending data to Threat Manager. In the General box, verify that the status is set to **ON**. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/entraidopenid.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/entraidopenid.md index 1a51286180..f1a0711e63 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/entraidopenid.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/entraidopenid.md 
@@ -28,7 +28,7 @@ in the application. **Step 2 –** In the Microsoft Entra admin center, go to Microsoft Entra ID > App registration and click **New registration**. -![NTM EntraIDOpenID Connect Application New Registeration page](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidnewregister.webp) +![NTM EntraIDOpenID Connect Application New Registeration page](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidnewregister.webp) **Step 3 –** Fill out the Name field, for example, _MyProduct OpenID App._ @@ -62,14 +62,14 @@ The full Redirect URL will be in one of the following format: **Step 8 –** The Overview page is displayed. Copy the Application (client) ID and Directory (Tenant) ID and keep them safe. -![EntraID Application and Tenant IDs page](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/appntenantids.webp) +![EntraID Application and Tenant IDs page](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/appntenantids.webp) **Step 9 –** In the left pane, select **Authentication**. **Step 10 –** In the Implicit grant and hybrid section, select the **Access tokens** as necessary to support the implicit flow, especially for Single-Page Application (SPA). -![Entra ID SPA Token option](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidtoken.webp) +![Entra ID SPA Token option](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidtoken.webp) **Step 11 –** Click **Save**. 
@@ -91,7 +91,7 @@ support the implicit flow, especially for Single-Page Application (SPA). **Step 20 –** Click **Add**. -![Optional Claims added](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/claims.webp) +![Optional Claims added](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/claims.webp) ## Configure Entra ID OpenID Connect @@ -105,7 +105,7 @@ The page for the OpenID provider had two tabs: - Configuration - Users/Groups -![Entra ID OpenID COnnect Configuration tab](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidconfig.webp) +![Entra ID OpenID COnnect Configuration tab](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/entraidconfig.webp) ## Configuration Tab @@ -133,7 +133,7 @@ profile. To give access to the application to new users, click the New Access bu the Add Console Access window. To assign this authentication provider to existing users, go to System Settings > User Access Page. -![UserGroups tab for an authneication provider](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) +![UserGroups tab for an authneication provider](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) The table displays the following information: 
@@ -166,7 +166,7 @@ example,` https://jwt.io/`. **Step 2 –** Right click on the Threat Manager login page and select **Inspect**. The Dev Tools page opens. -![Dev Tools page](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/devtools.webp) +![Dev Tools page](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/devtools.webp) **Step 3 –** Click the **Network** tab and check the **Preserve log** check box. 
@@ -176,21 +176,21 @@ opens. **Step 6 –** Log in to Microsoft Entra ID. -![Dev Tools page](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/putmethod.webp) +![Dev Tools page](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/putmethod.webp) **Step 7 –** On the Dev Tools page, find a request with the PUT method which has the following format: `{HTTP/S protocol}://{NTM IP address or DNS name}:{port if needed}/oidcSignin/{ID}` -![PayLoad tab](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/payloadtab.webp) +![PayLoad tab](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/payloadtab.webp) **Step 8 –** Open the **Payload** tab and copy the value from the Request Payload box. **Step 9 –** Open `https://jwt.io/` and insert the **Request Payload** value in the ENCODED VALUE section. -![Claim verification](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/claim.webp) +![Claim verification](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/claim.webp) Check that the field from the claims setting exist and has the value. If claims don’t exist, please check the claims configuration in Microsoft Entra ID. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/openid.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/openid.md index 6f7f4544bc..9c4a50eb5b 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/openid.md 
+++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/openid.md @@ -7,7 +7,7 @@ allowing users to authenticate with their chosen identity provider. Follow the instructions to integrate the OpenID authentication provider with Threat Manager. -![Integrations interface displaying the details for an OpenID authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/openid.webp) +![Integrations interface displaying the details for an OpenID authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/openid.webp) The details page for an OpenID authentication provider has two tabs: @@ -18,7 +18,7 @@ The details page for an OpenID authentication provider has two tabs: Configure the following settings for an OpenID provider on the Configuration tab: -![Configuration tab for an OpenID authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationopenid.webp) +![Configuration tab for an OpenID authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationopenid.webp) - Default – The default profile applied when a user is assigned multiple authentication profiles. When off, the profile will be determined in alphabetical order of the profile name. Toggle off and 
@@ -42,7 +42,7 @@ profile. To give access to the application to new users, click the New Access bu the Add Console Access window. To assign this authentication provider to existing users, go to System Settings > User Access Page. -![UserGroups tab for an authneication provider](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) +![UserGroups tab for an authneication provider](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) The table displays the following information: @@ -64,4 +64,4 @@ The table displays the following information: login. This option is only available if an MFA authentication type is applied to the user or group. -See the [User Access Page](../../systemsettings/useraccess.md) topic for additional information. +See the [User Access Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md index 5f3e35b91d..ecb05aee39 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md 
@@ -6,7 +6,7 @@ providers using RADIUS, OpenID, and SAML integrations. Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select **Integrations** to open the Integrations interface. -![Integrations interface on the Authentication Provider page](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Authentication Provider page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) Click **Authentication Provider** in the navigation pane to view a list of already configured authentication providers, if any. @@ -22,7 +22,7 @@ Follow the steps to add an authentication provider. **Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integration window with Authentication Provider type selected](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/authenticationprovider.webp) +![Add New Integration window with Authentication Provider type selected](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/authenticationprovider.webp) **Step 2 –** In the Type drop-down list, select Authentication Provider. 
@@ -39,11 +39,11 @@ authentication provider type, i.e., OpenID, RADIUS, or SAML. On the Integrations interface, select an authentication provider under the Authentication Provider node in the navigation pane or from the table to configure, view, or modify its details. -![Integrations interface displaying the details for an Authentication Provider with the type drop-down menu open](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/types.webp) +![Integrations interface displaying the details for an Authentication Provider with the type drop-down menu open](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/types.webp) The following authentication provider types are supported; you can configure an authentication provider for any of these: -- RADIUS – See the [RADIUS Authentication Provider](radius.md) topic for additional information. -- OpenID – See the [OpenID Authentication Provider](openid.md) topic for additional information. -- SAML – See the [SAML Authentication Provider](saml.md) topic for additional information. +- RADIUS – See the [RADIUS Authentication Provider](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/radius.md) topic for additional information. +- OpenID – See the [OpenID Authentication Provider](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/openid.md) topic for additional information. +- SAML – See the [SAML Authentication Provider](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/saml.md) topic for additional information. 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/radius.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/radius.md index bdb17c4d63..d82a227372 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/radius.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/radius.md @@ -4,7 +4,7 @@ The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol centralized authentication, authorization, and accounting management for users connecting to a network service. -![Integrations interface displaying the details for a Radius authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/radius.webp) +![Integrations interface displaying the details for a Radius authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/radius.webp) The details page for a RADIUS authentication provider has three tabs: 
@@ -16,7 +16,7 @@ The details page for a RADIUS authentication provider has three tabs: Configure the following settings for a RADIUS provider on the Configuration tab: -![Configuration tab for a RADIUS authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationradius.webp) +![Configuration tab for a RADIUS authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationradius.webp) - Default – The default profile applied when a user is assigned multiple authentication profiles. When off, the profile will be determined in alphabetical order of the profile name. Toggle off and @@ -64,7 +64,7 @@ Click Save to commit the configuration settings. The Customization tab is unique to RADIUS authentication providers. It contains the following settings that need to be configured: -![Customization tab for a Radius authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/customizationtab.webp) +![Customization tab for a Radius authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/customizationtab.webp) - Title for MFA Authentication dialog – The title that is displayed to the user when prompted for MFA 
@@ -89,7 +89,7 @@ profile. To give access to the application to new users, click the New Access bu the Add Console Access window. To assign this authentication provider to existing users, go to System Settings > User Access Page. -![UserGroups tab for an authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/usersgroupstab.webp) +![UserGroups tab for an authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/usersgroupstab.webp) The table displays the following information: @@ -111,4 +111,4 @@ The table displays the following information: login. This option is only available if an MFA authentication type is applied to the user or group. -See the [User Access Page](../../systemsettings/useraccess.md) topic for additional information. +See the [User Access Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/saml.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/saml.md index 5222d6a56c..90c20d6d90 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/saml.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/saml.md 
@@ -6,7 +6,7 @@ information. This means that you can use one set of credentials to log in to man websites. It is much easier to manage one login per user than separate logins for email, Customer Relationship Management (CRM) software, Active Directory, and more. -![Integrations interface displaying the details for a SAML authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/saml.webp) +![Integrations interface displaying the details for a SAML authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/saml.webp) The details page for a SAML authentication provider has two tabs: @@ -22,7 +22,7 @@ respective users. Configure the following settings for a SAML provider on the Configuration tab: -![Configuration tab for a SAML authneication provider](../../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationsaml.webp) +![Configuration tab for a SAML authneication provider](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/authenticationprovider/configurationsaml.webp) - Default – The default profile applied when a user is assigned multiple authentication profiles. When off, the profile will be determined in alphabetical order of the profile name. Toggle off and 
@@ -49,7 +49,7 @@ profile. To give access to the application to new users, click the New Access bu the Add Console Access window. To assign this authentication provider to existing users, go to System Settings > User Access Page. -![UserGroups tab for an authneication provider](../../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) +![UserGroups tab for an authneication provider](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) The table displays the following information: @@ -71,4 +71,4 @@ The table displays the following information: login. This option is only available if an MFA authentication type is applied to the user or group. -See the [User Access Page](../../systemsettings/useraccess.md) topic for additional information. +See the [User Access Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md index 99e2df2efc..3b1023f406 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md 
@@ -3,12 +3,12 @@ The Credential Profile page within the Integrations interface lists all of the credentials used by the application to complete tasks. These credentials are securely stored. -![Integrations interface on the Credential Profile page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Credential Profile page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The table displays the user name for each profile. To view profile details or make modifications, select a profile from the table or under Credential Profile in the navigation pane. -See the [Application Server Requirements](../../../requirements/server.md) topic for information on +See the [Application Server Requirements](/docs/threatmanager/3.0/threatmanager/requirements/server.md) topic for information on permission requirements for each type of task. Best Practice Recommendation @@ -29,7 +29,7 @@ menu. Then select **Integrations** to open the Integrations interface. **Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integration window with Credential Profile type selected](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/credentialprofile.webp) +![Add New Integration window with Credential Profile type selected](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/credentialprofile.webp) **Step 3 –** In the Type drop-down menu, select Credential Profile. 
@@ -63,7 +63,7 @@ view a list of the already created Credential Profiles, if any. **Step 3 –** Select a Credential Profile from the table or the navigation pane to view its details. -![Integrations interface displaying the details for a Credenital Profile](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![Integrations interface displaying the details for a Credenital Profile](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) Select the profile from the list to see details and modification options: @@ -99,7 +99,7 @@ view a list of the already created Credential Profiles, if any. **Step 4 –** Click the **Edit** button in the upper right corner of the name and description box. -![Name and Description box for a Credential Profile in Edit mode](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/editprofile.webp) +![Name and Description box for a Credential Profile in Edit mode](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/editprofile.webp) **Step 5 –** To modify the profile name, type in the top field. @@ -120,7 +120,7 @@ view a list of the already created Credential Profiles, if any. Select a Credent **Step 2 –** In the Credentials box, click the edit button to the right of the credential. The Credential Settings window opens. -![Credential Settings window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/credentialsettingswindow.webp) +![Credential Settings window](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/credentialsettingswindow.webp) **Step 3 –** To edit the platform type, select either SQL or Windows from the **Platform** drop-down menu. 
@@ -170,7 +170,7 @@ view a list of the already created Credential Profiles, if any. **Step 2 –** Click Add Credential. The Add Credentials window opens. -![Add Credentials window](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/addcredentialswindow.webp) +![Add Credentials window](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/addcredentialswindow.webp) **Step 3 –** Enter the following information: diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md index c47b41e42e..f0b42237e0 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md @@ -3,7 +3,7 @@ The Email page within the Integrations interface allows users to configure the application to send email notifications. -![Integrations interface on the Email page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Email page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The page has the following information: 
@@ -32,7 +32,7 @@ Follow the steps to configure email notifications. **Step 1 –** On the Integrations interface, click **Email** in the navigation pane. -![Integrations interface on the Email page showing details](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![Integrations interface on the Email page showing details](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) **Step 2 –** Toggle the Enabled button to **ON**, which enables the Send Test Email button. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md index c10a025ed7..71183c3f78 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md 
@@ -2,10 +2,10 @@ The Entra ID Sync page within the Integrations interface lists all the Entra ID tenants for which the application is configured to sync.See the -[Application Permissions for Entra ID Sync](../../../requirements/permissions/entraidsync.md)topic +[Application Permissions for Entra ID Sync](/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md)topic for additional information about the permissions required for Microsoft Entra ID syncing. -![Entra ID Sync Page](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/entraidsync.webp) +![Entra ID Sync Page](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/entraidsync.webp) Microsoft Entra ID Sync schedules the Azure service to collect Microsoft Entra ID data for the specified Microsoft Entra ID tenant(s). The Microsoft Entra ID Sync runs continuously, evaluating @@ -29,8 +29,8 @@ navigation pane from the Microsoft Entra ID Sync drop-down. **NOTE:** Prior to adding a Microsoft Entra ID Sync policy, you must first configure a Credential Profile with a credential properly provisioned for running Microsoft Entra ID Sync within the Microsoft Entra ID tenant. See the -[Application Server Requirements](../../../requirements/server.md) topic for the permissions. See -the [Credential Profile Page](credentialprofile.md) topic for additional information on creating a +[Application Server Requirements](/docs/threatmanager/3.0/threatmanager/requirements/server.md) topic for the permissions. See +the [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a profile. Follow the steps to add a policy Microsoft Entra ID Sync. 
@@ -38,7 +38,7 @@ Follow the steps to add a policy Microsoft Entra ID Sync. **Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integration window with Entra ID Sync type selected](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/addnewinteg.webp) +![Add New Integration window with Entra ID Sync type selected](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/addnewinteg.webp) **Step 2 –** In the Type drop-down menu, select Entra ID Sync. @@ -66,7 +66,7 @@ tenants. The Microsoft Entra ID Sync policy details can be viewed by selecting the tenant from the table or the navigation pane. -![Tenant Configuration tab](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/entraidsync_tenantconfiguration.webp) +![Tenant Configuration tab](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/entraidsync_tenantconfiguration.webp) Select the tenant from the list to see modification options: @@ -86,7 +86,7 @@ Select the tenant from the list to see modification options: The Tenant Configuration tab displays the sync policy settings entered for the selected tenant. With the exception of the Tenant and Azure Cloud fields, these settings can be updated as needed. -![tenantconfigurationtab](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/tenantconfigurationtab.webp) +![tenantconfigurationtab](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/tenantconfigurationtab.webp) The Tenant Configuration tab displays the following settings: 
@@ -113,7 +113,7 @@ leaving the page. The Sync History tab displays the information on each synchronization event. This includes general information about user, group, and computer objects within the Entra ID tenant. -![Entra ID Sync details page for a specific Entra ID tenant showing the Sync History tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/synchistorytab.webp) +![Entra ID Sync details page for a specific Entra ID tenant showing the Sync History tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/synchistorytab.webp) The table provides the following information: @@ -141,7 +141,7 @@ Follow the steps to modify the Entra ID Sync policy for the selected Microsoft _Remember,_ the Tenant and Azure Cloud fields cannot be modified. -![tenantconfigurationtab](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/tenantconfigurationtab.webp) +![tenantconfigurationtab](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/tenantconfigurationtab.webp) **Step 3 –** To modify the Credential Profile, select the Credential Profile by name from the drop-down menu. This was pre-created in the Credential Profiles page. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md index 84c2fab938..a382d34323 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md 
@@ -4,7 +4,7 @@ The Folder Settings page within the Integrations interface allows users to desig Investigation exports folder location. Additionally, a shared folder can be provided for subscription purposes. -![Integrations interface on the Folder Settings page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Folder Settings page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) By default, Investigation exports are placed in the Downloads folder of the logged in user, on the machine where that user is accessing the application. When a Local Folder path is designated, all @@ -12,7 +12,7 @@ Investigation exports are also stored in the specified folder on the application When shared folders are added, they are displayed in a table at bottom of the page. -![Shared Folder table on the Folders Settings page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/sharedfoldertable.webp) +![Shared Folder table on the Folders Settings page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/sharedfoldertable.webp) The Shared Folders table has the following columns: 
@@ -27,7 +27,7 @@ Additional Options When you hover over a row within the Shared Folders table, three additional options are displayed: -![Shared Folder table on the Folders Settings page showing additional options](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/additionaloptions.webp) +![Shared Folder table on the Folders Settings page showing additional options](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/additionaloptions.webp) - Refresh Arrow – Tests the shared folder configuration - Edit – Opens the Add New Shared Folder window to edit the configured settings @@ -42,7 +42,7 @@ menu. Then select **Integrations** to open the Integrations interface. **Step 2 –** On the Integrations interface, click **Folder Settings** in the navigation pane. -![Local Folder settings on the Folder Settings page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/localfolder.webp) +![Local Folder settings on the Folder Settings page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/localfolder.webp) **Step 3 –** In the Path field, enter a valid folder path on the server where the application is installed. For example, C:\Reports. 
@@ -55,7 +55,7 @@ Investigation exports will now be saved to the designated local folder on the ap ## Add a Shared Folder **NOTE:** Prior to adding a shared folder, you must first configure a Credential Profile with Write -access to the shared folder. See the [Credential Profile Page](credentialprofile.md) topic for +access to the shared folder. See the [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a profile. You can specify a shared folder for exporting investigations data from subscriptions through the @@ -68,7 +68,7 @@ menu. Then select **Integrations** to open the Integrations interface. **Step 3 –** Click **Add Shared Folder**. The Add New Shared Folder window opens. -![Add New Shared Folder window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/addnewsharedfolderwindow.webp) +![Add New Shared Folder window](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/addnewsharedfolderwindow.webp) **Step 4 –** Enter the following information: diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md index bb44c9213a..96043b9a5d 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md 
@@ -3,7 +3,7 @@ The Netwrix Integrations page within the Integrations interface lists the products for which the application is configured to connect. -![Integrations interface on the Netwrix Integration page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Netwrix Integration page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) Integrations with other Netwrix products enables you to run Investigations on the event data within the connected database. When you add a Netwrixintegration, the selection for Default Data Source @@ -24,7 +24,7 @@ Netwrix Integrations in the navigation pane. **NOTE:** Prior to adding a Netwrix Integration, you must first configure a Credential Profile with credentials properly provisioned for connecting to the database. See the -[Credential Profile Page](credentialprofile.md) topic for additional information on creating a +[Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a profile. Follow the steps below to add a Netwrix Integration. @@ -32,7 +32,7 @@ Follow the steps below to add a Netwrix Integration. **Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integrations window with the Netwrix Integration type selected](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/netwrixintegrations.webp) +![Add New Integrations window with the Netwrix Integration type selected](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/netwrixintegrations.webp) **Step 2 –** In the Type drop-down list, select Netwrix Integration. 
@@ -85,7 +85,7 @@ view a list of the already integrated Netwrix products. **Step 8 –** Select a product from the table or the navigation pane to view the integration details. -![Integrations interface on the Netwrix Integrations details page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![Integrations interface on the Netwrix Integrations details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) Select the integration from the list to see the details and modification options: @@ -106,7 +106,7 @@ Select the integration from the list to see the details and modification options The Configuration tab displays the settings entered for the selected integration. -![Netwrix Integration Details on the Configuration tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) +![Netwrix Integration Details on the Configuration tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) The tab provides the following settings: @@ -128,7 +128,7 @@ leaving the page. The Policy Sync tab displays information on the last policy sync executed. -![Netwrix Integration Details on the Policy Sync tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/policysynctab.webp) +![Netwrix Integration Details on the Policy Sync tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/policysynctab.webp) The tab provides the following information: 
@@ -154,7 +154,7 @@ Netwrix Integration. **Step 3 –** Click the **Edit** button in the upper right corner of the name and description box. -![Name and Description box for a Netwrix Integration in Edit mode](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/editnetwrixintegration.webp) +![Name and Description box for a Netwrix Integration in Edit mode](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/editnetwrixintegration.webp) **Step 4 –** Type in the top field to modify the integration name. @@ -168,7 +168,7 @@ The Netwrix Integration name and/or description have been modified. Follow the steps to modify the configuration for the selected integration. -![Netwrix Integration Details on the Configuration tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) +![Netwrix Integration Details on the Configuration tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) **Step 1 –** On the Integrations interface, click Netwrix Integrations and select the desired Netwrix Integration. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md index 1b3dc585cb..438ece8528 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md 
@@ -6,20 +6,20 @@ and third-party systems and applications. Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select **Integrations** to open the Integrations interface. -![interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) It contains the following integration pages: -- [Active Directory Sync Page](activedirectorysync.md) -- [Entra ID Sync Page](entraidsync.md) -- [App Tokens Page](apptoken.md) -- [Authentication Provider Page](authenticationprovider/page.md) -- [Credential Profile Page](credentialprofile.md) -- [Email Page](email.md) -- [Folder Settings Page](foldersettings.md) -- [SIEM Page](siem.md) -- [Netwrix Integrations Page](netwrixintegrations.md) -- [Tag Management Page](tagmanagement.md) +- [Active Directory Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md) +- [Entra ID Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md) +- [App Tokens Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md) +- [Authentication Provider Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md) +- [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) +- [Email Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md) +- [Folder Settings Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md) +- [SIEM Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/siem.md) +- [Netwrix Integrations 
Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md) +- [Tag Management Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md) The Overview page displays a high-level view of all configured integrations. You can return to the Overview page by selecting the **Integrations** header in the navigation pane. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/siem.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/siem.md index 8eaca04ead..7f1f9eb165 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/siem.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/siem.md @@ -6,7 +6,7 @@ SIEM server. Follow the instructions to enable SIEM notifications. -![siempage](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/siempage.webp) +![siempage](/img/product_docs/threatmanager/threatmanager/administration/configuration/integrations/siempage.webp) **Step 1 –** In the Integrations box, click **SIEM**. The SIEM window opens. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md index 3892f036dc..d91b185157 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md 
@@ -3,7 +3,7 @@ The Tag Management page displays all tags that are currently managed by the application, including out-of-the-box and custom tags. You can add tags and assign objects to those tags. -![Integrations interface on the Tag Management page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Integrations interface on the Tag Management page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The out-of-the-box tags include: @@ -26,7 +26,7 @@ The out-of-the-box tags include: - Watchlist – Watchlist users **NOTE:** Any users with the Watchlist tag will be displayed on the Threat Manager -[Home Page](../../home.md) Watchlist. +[Home Page](/docs/threatmanager/3.0/threatmanager/administration/home.md) Watchlist. The table displays the following information for available tags: @@ -46,7 +46,7 @@ menu. Then select **Integrations** to open the Integrations interface. **Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens. -![Add New Integration window with Tag type selected](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/tagmanagement.webp) +![Add New Integration window with Tag type selected](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/tagmanagement.webp) **Step 3 –** In the Type drop-down menu, select Tag. 
@@ -71,7 +71,7 @@ a list of tags. **Step 8 –** Select a tag from the table or the navigation pane to view its details. -![Integrations interface displaying the details for a Tag](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) +![Integrations interface displaying the details for a Tag](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/details.webp) This page provides the following information: @@ -93,7 +93,7 @@ On the tag details window, click the Type drop-down menu to apply a filter. **_RECOMMENDED:_** Apply the desired Type filters when searching for objects to tag. -![Honeypot tag with the Types drop-down menu open](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/typefilters.webp) +![Honeypot tag with the Types drop-down menu open](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/typefilters.webp) The following types are available: @@ -109,7 +109,7 @@ types. Follow the steps to apply tags to objects. -![Tag details page showing search results](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/searchselect.webp) +![Tag details page showing search results](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/searchselect.webp) **Step 1 –** On the Integrations interface, click **Tag Managemetn** in the navigation pane to view a list of tags. 
@@ -123,7 +123,7 @@ results. **Step 5 –** In the Untagged Items box, check the box to the left of the desired object(s). -**Step 6 –** Click the arrow (>) between the Untagged Items box and the Tagged Items box to add the +**Step 6 –** Click the arrow () between the Untagged Items box and the Tagged Items box to add the tag to the selected object(s). The tag is applied to the selected objects. @@ -132,7 +132,7 @@ The tag is applied to the selected objects. Follow the steps to remove tags from objects. -![Tag details page showing search results](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) +![Tag details page showing search results](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/search.webp) **Step 1 –** On the Integrations interface, click **Tag Managemetn** in the navigation pane to view a list of tags. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/overview.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/overview.md index c359b82547..4ea29e7696 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/overview.md 
@@ -2,22 +2,22 @@ Use the gear icon in the upper right corner of the console to open the Configuration menu. -![configurationmenu](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/configurationmenu.webp) +![configurationmenu](/img/product_docs/threatmanager/threatmanager/administration/configuration/configurationmenu.webp) It contains links to the component configuration and settings interfaces: - Threat Detection – Provides an interface to configure threat monitoring. See the - [Threat Detection Page](threatdetection.md) topic for additional information. + [Threat Detection Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md) topic for additional information. - Threat Response – Provides the ability to designate playbooks, which contain actions that can be - executed in response to detected threats. See the [Threat Response Page](threatresponse.md) topic + executed in response to detected threats. See the [Threat Response Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md) topic for additional information. - Integrations – Allows you to configure integrations with a variety of Netwrix products and - third-party systems and applications. See the [Integrations Interface](integrations/overview.md) + third-party systems and applications. See the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md) topic for additional information. - Policies – Provides a single location to manage a variety of policy object types that define how - processes and operations in Threat Manager function. See the [Policies Page](policies/overview.md) + processes and operations in Threat Manager function. See the [Policies Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/overview.md) topic for additional information. 
- System Health – Displays the total number of events for all threat types and a summary for each - job. See the [System Health Interface](systemhealth/overview.md) topic for additional information. + job. See the [System Health Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/overview.md) topic for additional information. - System Settings – Provides access to system logs, user access controls, licensing, and more. See - the [System Settings Interface](systemsettings/overview.md) topic for additional information. + the [System Settings Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md index 6261af9029..0fb7c845ce 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md 
@@ -27,14 +27,14 @@ Policies. **Step 2 –** On the Policies page, expand the Honeytokens list and select the related Honeytoken policy from the Policies list. Or, select the policy from the Policies table in the Overview box. -![honeytoken](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) +![honeytoken](/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) **Step 3 –** On the Configuration tab of the policy, fill in the requested information and click **Copy LDAP Filter**. The Copy LDAP Filter button will automatically copy the exact string that is required for Activity Monitor or Threat Prevention to the clipboard to configure the LDAP events for this Honeytoken. -![ldapfiltercopiedtoclipboard](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/usecase/ldapfiltercopiedtoclipboard.webp) +![ldapfiltercopiedtoclipboard](/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/usecase/ldapfiltercopiedtoclipboard.webp) A notification will pop up and the filter will be saved to the clipboard. @@ -47,7 +47,7 @@ Manager** > **Netwrix Threat Manager for AD LDAP**. **Step 5 –** Click the **Event Type** tab. -![Netwrix Threat Manager for AD LDAP template – Event Type tab with LDAP Query filter](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/usecase/ldapmonitoringfortm.webp) +![Netwrix Threat Manager for AD LDAP template – Event Type tab with LDAP Query filter](/img/product_docs/threatprevention/threatprevention/admin/policies/eventtype/usecase/ldapmonitoringfortm.webp) **Step 6 –** Under Event Filters select **LDAP Query**. If the Include LDAP Queries list is empty, select the other **LDAP Monitoring** event type in the list above. 
@@ -58,7 +58,7 @@ select the other **LDAP Monitoring** event type in the list above. Threat Manager. _Remember,_ the Honeytoken tab of the -[Netwrix Threat Manager Configuration Window](../../../../threatprevention/admin/configuration/threatmanagerconfiguration.md) +[Netwrix Threat Manager Configuration Window](/docs/threatmanager/3.0/threatprevention/admin/configuration/threatmanagerconfiguration.md) must be configured in order to successfully send LDAP monitoring data to Threat Manager. ### Configure LDAP Monitoring in the Activity Monitor @@ -68,13 +68,13 @@ Manager. **NOTE:** LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab. -![Activity Monitor with SD Only](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) +![Activity Monitor with SD Only](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) **Step 9 –** In the Activity Monitor, click on the **Monitored Domains** tab. **Step 10 –** Select a domain and click **Edit**. -![LDAP Monitoring Configuration for Threat Manager](../../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/sdldapmonitoring.webp) +![LDAP Monitoring Configuration for Threat Manager](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/sdldapmonitoring.webp) **Step 11 –** Select the **LDAP Monitor** tab. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/overview.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/overview.md index e0cfcdf93e..76da0ba588 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/overview.md 
@@ -3,7 +3,7 @@ The Policies Page provides an overview of the policies added to the Policies box and their deployment history. It also provides the ability to add new polices and configure them. -![page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The Polices table displays the following information: @@ -18,13 +18,13 @@ The Deployment History table displays the following information: - Created – When the policy was applied to a host - Host – The host on which the policy was applied. If the host exists in the Threat Manager - database, click on the host link to go to the [Host Details Page](../../threatdetails/host.md) + database, click on the host link to go to the [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md) - User Name – The user account associated with the policy. (In the case of a Honeytoken policy, the user account created by the Honeytoken policy.) - Policy – The policy name. Click on the policy link to go to the Configuration tab for that policy. The Policies page also provides the ability to click on a policy and view information and -configuration options for that policy. See [Policy Configuration](policiesconfiguration.md) for +configuration options for that policy. See [Policy Configuration](/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/policiesconfiguration.md) for additional information. ## Add a Policy for a Honeytoken 
@@ -35,11 +35,11 @@ account. Policies for Honeytokens are added on the Policies page. **NOTE:** When a Honeytoken name is specified and the policy is enabled, this policy becomes immediately valid for Honeytoken threat detection. Please refer to -[Configure Honeytoken Threats](honeytoken.md) for Honeytoken naming best practices. +[Configure Honeytoken Threats](/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md) for Honeytoken naming best practices. Follow the steps to add a policy. -![addnewpolicy](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/addnewpolicy.webp) +![addnewpolicy](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/addnewpolicy.webp) **Step 1 –** In the Policies box, click Add New Policy. The Add Profile window opens. @@ -49,7 +49,7 @@ Follow the steps to add a policy. - Name – The name for the policy - **NOTE:** See [Configure Honeytoken Threats](honeytoken.md) for best practices for naming a + **NOTE:** See [Configure Honeytoken Threats](/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/honeytoken.md) for best practices for naming a Honeytoken. - Description – The description for the policy diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/policiesconfiguration.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/policiesconfiguration.md index 15799d3c72..5b26b100c2 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/policiesconfiguration.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/policies/policiesconfiguration.md 
@@ -5,7 +5,7 @@ The Policy Details page displays information about the Honeytoken configuration. **NOTE:** Policies for Honeytokens must be enabled by configuring the settings on the Configuration tab. -![detailspage](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/detailspage.webp) +![detailspage](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/detailspage.webp) The Policies box displays the name of the Honeytoken policy. The Policy Information box displays the Honeytoken policy and a description if specified. Click the Edit button to change the name of the @@ -23,7 +23,7 @@ The Tabs box contains the following tabs: The Configuration tab provides information on the selected policy for a Honeytoken. -![configurationtab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) +![configurationtab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/integrations/configurationtab.webp) The Configuration tab contains the following configuration options: @@ -51,7 +51,7 @@ The Configuration tab contains the following configuration options: - Token Domain – The domain to be used for the deployed Honeytoken. This can be selected from existing, known domains or a custom domain can be specified. - Select Credential Profile – Lists Credential Profiles added on the - [Integrations Interface](../integrations/overview.md). Select a Credential Profile from the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). Select a Credential Profile from the drop-down list. - Select Preferrred Action Service – Select the Action Service to be used for Honeytoken deployment. - Token Time to Reset Password – All Honeytokens for a policy will share common password. This value 
@@ -94,7 +94,7 @@ Click Save to update the policy settings. Once saved, threats are detected for t The Hosts tab provides information on hosts that have policies deployed. The Hosts tab displays the following information: -![This screenshot displays the Hosts tab.](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/policieshoststab.webp) +![This screenshot displays the Hosts tab.](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/policieshoststab.webp) - Host – The host where the policy was deployed to create Honeytokens - Token Name – The name of the Honeytoken user @@ -112,7 +112,7 @@ Action Service can be used to deploy Honeytokens to remote computers, or a Power downloaded to allow either an external mechanism to deploy Honeytokens or for manual deployment of the Honeytokens. -![deploymenttab](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/deploymenttab.webp) +![deploymenttab](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/deploymenttab.webp) - PowerShell Script Deployment: 
@@ -146,11 +146,11 @@ When the Deploy Now button is clicked, Threat Manager will immediately deploy th hosts specified in the Hosts lists, utilizing the preferred action service selected for the Honeytoken policy on the Configuration tab. -![honeytokeninprogress](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/honeytokeninprogress.webp) +![honeytokeninprogress](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/honeytokeninprogress.webp) Closing this window will not cancel the deployment. -![honeytokendeploymentwindowcomplete](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/honeytokendeploymentwindowcomplete.webp) +![honeytokendeploymentwindowcomplete](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/honeytokendeploymentwindowcomplete.webp) The window will update when the deployment is complete. The hosts and statuses will be listed, viewable by clicking the caret. Deployment status for each host may also be viewed on the Policy @@ -161,7 +161,7 @@ History tab. When finished, click **Close** or the gray x to exit the window. The History tab displays audit history for changes to this policy. It contains a table with the following columns: -![This screenshot displays the History tab.](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/policieshistorytab.webp) +![This screenshot displays the History tab.](/img/product_docs/threatmanager/threatmanager/administration/configuration/policies/policieshistorytab.webp) - TimeStamp – The timestamp for when the activity occurred - Message – A description of the activity that occurred 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/actionqueue.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/actionqueue.md index 0f361cc200..b796d1ca88 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/actionqueue.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/actionqueue.md @@ -3,7 +3,7 @@ The Action Queue Overview shows any pending or in-progress actions taken by the Threat Manager Action Service. -![actionqueue](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/actionqueue.webp) +![actionqueue](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/actionqueue.webp) This includes Honeytoken deployments and Threat Response Playbook executions. Any actions in the action queue may be stopped by clicking the **Stop** button. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/agents.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/agents.md index 83f3bf2c9e..042417de14 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/agents.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/agents.md 
@@ -5,7 +5,7 @@ Manager. This requires a minimum version of Threat Prevention7.5. This section m troubleshoot or diagnose agent issues by indicating the connectivity of the Threat Prevention agent to the Threat Manager server. -![System Health Page Agent Overview](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/agentoverview.webp) +![System Health Page Agent Overview](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/agentoverview.webp) Clicking **Decommission** will remove an agent from the Threat Manager agent list. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/backlog.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/backlog.md index 1ae74d197d..f53053b0ff 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/backlog.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/backlog.md @@ -3,7 +3,7 @@ The Backlog overview displays a summary of all threats and system jobs with the events in queue to be processed. It also displays other job information depending on the job type. -![Backlog Overview](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/backlogoverview.webp) +![Backlog Overview](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemhealth/backlogoverview.webp) In Threat Manager, jobs are used for threat evaluation, maintenance tasks, and operational procedures such as email and SIEM notifications. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/overview.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/overview.md index f26f973944..dc04b95d0a 100644 
--- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/overview.md @@ -3,14 +3,14 @@ The System Health interface displays database statistics and the total number of events for all threat types and a summary for each job. -![System Health interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![System Health interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) **NOTE:** The System Health page only displays threats that are enabled. Jobs that are disabled are not displayed. The System Health interface contains the following pages: -- [Backlog](backlog.md) -- [Action Queue](actionqueue.md) -- [Agents](agents.md) -- [Services Page](services.md) +- [Backlog](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/backlog.md) +- [Action Queue](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/actionqueue.md) +- [Agents](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/agents.md) +- [Services Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/services.md) diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/services.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/services.md index 2614b89e35..36972639d2 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/services.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemhealth/services.md 
@@ -1,9 +1,9 @@ # Services Page The Services page displays the services associated with the application server. See the -[Installation](../../../install/overview.md) topic for a complete list of application services. +[Installation](/docs/threatmanager/3.0/threatmanager/install/overview.md) topic for a complete list of application services. -![System Health interface showing the Services page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/servicespage.webp) +![System Health interface showing the Services page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/servicespage.webp) The table displays the following information: @@ -16,7 +16,7 @@ The table displays the following information: Select a service from the table or the navigation pane to view its details. -![System Health interface displaying the details for a Service](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/servicesdetails.webp) +![System Health interface displaying the details for a Service](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/servicesdetails.webp) The page displays the following information: diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/about.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/about.md index 30c34a665d..31e4bee427 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/about.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/about.md 
@@ -3,7 +3,7 @@ The About Threat Manager page in the System Settings interface provides information about the application version and third-party licenses. -![System Settings interfaces on the About Threat Manager page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/about.webp) +![System Settings interfaces on the About Threat Manager page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/about.webp) The About Threat Manager section contains application version information. It also includes the application copyright information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/auditing.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/auditing.md index 93117212bc..81043cfa50 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/auditing.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/auditing.md @@ -3,7 +3,7 @@ The Auditing page within the System Settings interface contains the Audit History table with information about all application events. -![System Settings interface showing the Auditing page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![System Settings interface showing the Auditing page](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The Audit History table displays the following information: diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/licensing.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/licensing.md index 70825d158e..2aa6bfef6e 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/licensing.md 
+++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/licensing.md @@ -3,7 +3,7 @@ License information is displayed on the Licensing page of the System Settings interface. Threat Manager comes with a temporary 15-day license. -![System Settings interfaces on the Licensing page](../../../../../../../static/img/product_docs/dataclassification/ndc/configuration/licensing.webp) +![System Settings interfaces on the Licensing page](/img/product_docs/dataclassification/ndc/configuration/licensing.webp) The License Info section displays the following: @@ -20,7 +20,7 @@ header. Follow the steps to import a license key file. -![License section of the Licensing page](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/licensingbrowse.webp) +![License section of the Licensing page](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/licensingbrowse.webp) **Step 1 –** On the License page of the System Settings interface, click Browse. The Add New Integration window opens. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/overview.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/overview.md index 32ab14f955..e2047860a9 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/overview.md 
@@ -6,12 +6,12 @@ more. Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select **System Settings** to open the System Settings interface. -![System Settings interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![System Settings interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) It contains the following pages: -- [Auditing Page](auditing.md) -- [User Access Page](useraccess.md) -- [Licensing Page](licensing.md) -- [System Jobs Page](systemjobs.md) -- [About Threat Manager Page](about.md) +- [Auditing Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/auditing.md) +- [User Access Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md) +- [Licensing Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/licensing.md) +- [System Jobs Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/systemjobs.md) +- [About Threat Manager Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/about.md) diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/systemjobs.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/systemjobs.md index 7051472ff7..8ddda0cc30 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/systemjobs.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/systemjobs.md 
@@ -3,7 +3,7 @@ The System Jobs page within the System Settings interface contains information and configuration options for the application system jobs. -![System Settings interface on the System Jobs page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![System Settings interface on the System Jobs page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The table lists the system maintenance jobs: @@ -18,7 +18,7 @@ The information available varies based on the type of job selected. The Report Maintenance job details page has two tabs that provide configuration options and job health details. -![System Settings interface on the System Jobs page showing the Report Maintenance job Settings tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reportsettings.webp) +![System Settings interface on the System Jobs page showing the Report Maintenance job Settings tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reportsettings.webp) Settings Tab @@ -40,7 +40,7 @@ Health Tab The Health tab displays the following information: -![Health tab of the Report Maintenance job details page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reporthealth.webp) +![Health tab of the Report Maintenance job details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/reporthealth.webp) - Size of Reports Directory – Displays the size of the directory where reports are stored - Next Run Time – Date timestamp for the next time the job will run 
@@ -50,7 +50,7 @@ The Health tab displays the following information: The Database Maintenance job details page has two tabs that provide configuration options and job health details. -![System Settings interface on the System Jobs page showing the Database Maintenance job Settings tab](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/databasesettings.webp) +![System Settings interface on the System Jobs page showing the Database Maintenance job Settings tab](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/databasesettings.webp) Settings Tab @@ -85,7 +85,7 @@ Health Tab The Health tab displays the following information: -![Health tab of the Database Maintenance job details page](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/databasehealth.webp) +![Health tab of the Database Maintenance job details page](/img/product_docs/threatmanager/threatmanager/administration/configuration/systemsettings/databasehealth.webp) - Database Size – Displays the size of the database file - Events in queue – Displays the number of events in queue for potential threat detection purposes diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md index c82ade3f05..df8644b3da 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/systemsettings/useraccess.md 
@@ -3,7 +3,7 @@ The User Access page within the System Settings interface displays users and groups with their assigned roles for console access. -![System Settings interface on the User Access page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![System Settings interface on the User Access page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) Roles are assigned by the following methods: @@ -30,7 +30,7 @@ The User Access page includes the following sections: The Users & Groups section provides the ability to allow or deny console access and configure authentication types for users and groups. -![Users and Groups section of the User Access page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/usersgroups.webp) +![Users and Groups section of the User Access page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/usersgroups.webp) The table displays the following information: 
@@ -126,13 +126,13 @@ The following authentication types can be assigned to users and groups: third-party authentication provider. This must be configure in the Authentication Provider page of the Integrations interface in order to be available for user assignment. -See the [Authentication Provider Page](../integrations/authenticationprovider/page.md) topic for +See the [Authentication Provider Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/authenticationprovider/page.md) topic for additional information. ### Add Console Access **NOTE:** Verify that an Active Directory Sync has completed to ensure that user and group -information is updated. See the [Active Directory Sync Page](../integrations/activedirectorysync.md) +information is updated. See the [Active Directory Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md) for additional information. Follow the steps to add console access for a user or group. @@ -143,7 +143,7 @@ menu. Then select **System Settings** to open the System Settings interface. **Step 2 –** On the User Access page of the System Settings interface, click New Access. The Add Console Access window opens. -![Add Console Access window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/addconsoleaccess.webp) +![Add Console Access window](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/addconsoleaccess.webp) **Step 3 –** Begin typing a user or group name in the **User Access** box. The drop-down menu will populate as you type with available options. Select a user or group from the menu. 
@@ -169,7 +169,7 @@ menu. Then select **System Settings** to open the System Settings interface. **Step 2 –** On the User Access page of the System Settings interface, click the **Edit** icon for a user or group. -![User and Groups section showing the 3 drop-down menus in Edit mode](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/editaccess.webp) +![User and Groups section showing the 3 drop-down menus in Edit mode](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/editaccess.webp) **Step 3 –** Use the drop-down menus to modify the Access rule type, Role, and/or Authentication Type for this user or group. @@ -188,7 +188,7 @@ menu. Then select **System Settings** to open the System Settings interface. **Step 2 –** On the User Access page of the System Settings interface, click the gear icon for the built-in ADMIN account. The Edit password for built-in admin window opens. -![Edit password for built-in admin window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/editpasswordbuiltinadmin.webp) +![Edit password for built-in admin window](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/editpasswordbuiltinadmin.webp) **Step 3 –** Enter the existing password in the **Old Password** field. 
@@ -205,7 +205,7 @@ The password for the built-in ADMIN account has been updated. The Settings section provides the ability to customize the user login page and configure the token expiration time for authenticated users. -![Settings section of the User Access page](../../../../../../../static/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) +![Settings section of the User Access page](/img/product_docs/activitymonitor/config/dellpowerscale/settings.webp) - One page login (Login, password, MFA code on one page) – Combines username and password, and multi-factor authentication on a single page diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md index 551598a131..0c31586676 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md @@ -3,7 +3,7 @@ Selecting a threat in the Threats list displays details for that threat. The Threat Description box displays the name and description of the threat. -![This screensot displays the Threat Details box.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/threatdetails.webp) +![This screensot displays the Threat Details box.](/img/product_docs/threatmanager/threatmanager/administration/configuration/threatdetails.webp) The Threat Configuration Box contains a Processing tab, an Exclusions tab, and in some cases a Settings tab. 
@@ -12,7 +12,7 @@ Settings tab. The Processing tab contains the configuration options for processing the threat. -![This screenshot displays the Processing tab.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/processingtab.webp) +![This screenshot displays the Processing tab.](/img/product_docs/threatmanager/threatmanager/administration/configuration/processingtab.webp) General: 
@@ -25,17 +25,17 @@ General: visualizations throughout the console. This setting does not influence the behavior of the threat response. - High – Indicates a serious threat that should be investigated immediately. The high threat - level setting can be used as a filter on the [Threats Page](../threats.md). + level setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md). - Medium – Indicates a potentially serious threat of activities leading to a serious threat that should be investigated. The medium threat level setting can be used as a filter on the - [Threats Page](../threats.md). + [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md). - Low – Indicates activity that is a potential risk or a bad practice. The low threat level - setting can be used as a filter on the [Threats Page](../threats.md). + setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md). - Audit – Indicates activity that is not necessarily a threat, but should be monitored. The - audit setting can be used as a filter on the [Threats Page](../threats.md). Some threats will + audit setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md). Some threats will auto-escalate from audit to a higher level, for example, threats with a high threat event count or if the perpetrators of the threat are sensitive users. Audit events are also shown on - the [Home Page](../home.md). + the [Home Page](/docs/threatmanager/3.0/threatmanager/administration/home.md). - Informational – Indicates first-time client use or first-time host use, which can be common events but may also indicate a threat 
@@ -74,7 +74,7 @@ the threat is initially detected regardless of rollup configuration. When a thre also update the detection time of the threat, which will push it to the top of the Threats Page timeline. -![Image is a flow chart visually explaining how a threat is dealt with with or without Rollup enabled.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/rollupexplanationgraphic.webp) +![Image is a flow chart visually explaining how a threat is dealt with with or without Rollup enabled.](/img/product_docs/threatmanager/threatmanager/administration/configuration/rollupexplanationgraphic.webp) The diagram provides an outline of the rollup process. @@ -83,7 +83,7 @@ The diagram provides an outline of the rollup process. The Exclusions tab lists existing exclusions for the threat. Exclusions allow rule-based definitions to be defined for specific criteria to be excluded from threat detection for the threat type. -![exclusionstab](../../../../../../static/img/product_docs/threatmanager/threatmanager/threats/exclusionstab.webp) +![exclusionstab](/img/product_docs/threatmanager/threatmanager/threats/exclusionstab.webp) To view details of an existing exclusion, click the arrow next to the exclusion or the name of the exclusion. @@ -106,7 +106,7 @@ Click **Add Exclusion** to Add a new Threat Detection Exclusion. Follow the steps to add an exclusion to the threat type. -![This screenshot displays the Add Exclusion for Threat Detection window.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/addexclusion.webp) +![This screenshot displays the Add Exclusion for Threat Detection window.](/img/product_docs/threatmanager/threatmanager/administration/configuration/addexclusion.webp) **Step 1 –** Click Add Exclusion. The Add Exclusion for [Threat Type] window opens. 
@@ -144,7 +144,7 @@ The Settings Tab provides additional threat-specific settings that are required **NOTE:** The Settings tab is only displayed for threats that require additional settings. -![This screenshot displays the Settings tab.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/settingstab.webp) +![This screenshot displays the Settings tab.](/img/product_docs/threatmanager/threatmanager/administration/configuration/settingstab.webp) This tab shows the settings that are required for the Forged Ticket threat. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md index ccbfadec2f..a03969be11 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md @@ -5,7 +5,7 @@ Manager. This page provides a Threats list and an overview table that provides a threats. Clicking on a threat in the Threats list or the Overview table displays details and configuration options for the threat. -![Threat Detection page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Threat Detection page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) Custom threats can also be created on this page. 
@@ -15,14 +15,14 @@ The Threats box displays the threats that are pre-configured with Threat Manager with the Investigation page or through the Custom Threat button. Threats that are crossed out are disabled. -![Threats Box](../../../../../../static/img/product_docs/threatmanager/threatmanager/threats/threatsbox.webp) +![Threats Box](/img/product_docs/threatmanager/threatmanager/threats/threatsbox.webp) The Threats list divides the threats into sections: -- [Active Directory Threats](../../threats/activedirectory.md) -- [Entra ID Threats](../../threats/entraid.md) -- [File System Threats](../../threats/filesystem.md) -- [General Threats](../../threats/general.md) +- [Active Directory Threats](/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.0/threatmanager/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.0/threatmanager/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.0/threatmanager/threats/general.md) - Threat Detection Page Select a threat from the list to display the threat's configuration options to the right of the 
@@ -33,13 +33,13 @@ Threats box. The Overview table provides a high-level status of all threats. The table includes the following information: -![This screenshot displays the Overview table on the Threat Detection page.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/overviewtable.webp) +![This screenshot displays the Overview table on the Threat Detection page.](/img/product_docs/threatmanager/threatmanager/administration/configuration/overviewtable.webp) - Name – The threat name - Enabled – A green check mark indicates that the threat type is enabled for threat detection. A gray x indicates that the threat type is not enabled for threat detection. - Level – The relative severity level, or risk level, of the threat. See the - [Fine Tune a Threat](threatconfiguration.md) topic for additional information. + [Fine Tune a Threat](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md) topic for additional information. - Email – A green check mark indicates that email notifications will be sent when the threat is detected. A gray x indicates that emailed notifications are disabled. - SIEM – A green check mark indicates that threat information will be sent to a SIEM service when 
@@ -48,8 +48,8 @@ information: - Playbook – A green check mark indicates that a Playbook is assigned to the threat. This means that a Playbook will be automatically executed every time a threat of this type is detected. - Rollup – A green check mark indicates that rollups are enabled. A gray x indicates that rollups - are not enabled. See the [Fine Tune a Threat](threatconfiguration.md) topic for additional + are not enabled. See the [Fine Tune a Threat](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md) topic for additional information. - Exclusions – A green check mark indicates that one or more exclusions are present for this threat type. A gray x indicates that no exclusions are present for this threat. See the - [Fine Tune a Threat](threatconfiguration.md) topic for additional information. + [Fine Tune a Threat](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md index 16a329abb6..1d7644a74b 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md +++ b/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md 
@@ -10,7 +10,7 @@ existing resources in the organization such as email and helpdesk platforms, Act systems, and custom PowerShell scripts. Playbooks can be executed automatically or ad-hoc by a Threat Manager Administrator when a threat is detected. -![threatresponse](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) +![threatresponse](/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) **NOTE:** Custom playbooks can be created using the PowerShell Script action. However, this feature requires advanced scripting knowledge. @@ -93,5 +93,5 @@ Threat Manager has the following preconfigured third-party applications target a - VirusTotal® Report – Scans the file hashes against the VirusTotal API and emails the results - WebHook – Executes a webhook -See the [Action Configuration for Playbook Steps](../playbooks/action/overview.md) topic for +See the [Action Configuration for Playbook Steps](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/home.md b/docs/threatmanager/3.0/threatmanager/administration/home.md index 1bbed1416d..fb6bfa9ee3 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/home.md +++ b/docs/threatmanager/3.0/threatmanager/administration/home.md @@ -3,7 +3,7 @@ The Home page provides an "at a glance" overview of the possible threats detected in an organization's environment for the past 24 hours. -![homepage](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/homepage.webp) +![homepage](/img/product_docs/threatmanager/threatmanager/administration/homepage.webp) The daily activity summary bar graphs at the top of the page contains the following items: 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/auditcompliance.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/auditcompliance.md index 8e682dd431..682b80db17 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/auditcompliance.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/auditcompliance.md @@ -3,7 +3,7 @@ The Audit and Compliance page in the Investigations interface list of saved out-of-the-box investigations with applied filters for commonly used Audit and Compliance activity reports. -![Investigations interface on the Audit and Compliance page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/auditcompliance.webp) +![Investigations interface on the Audit and Compliance page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/auditcompliance.webp) The table displays the list of investigations with the following columns: @@ -13,11 +13,11 @@ The table displays the list of investigations with the following columns: logged in user Click an investigation to view it. You can run the query, modify the configuration, add a -subscription, or export the report. See the [Investigation Options](options/overview.md) topic for +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md) topic for additional information on saved investigation options. Every report generated by an investigation query displays the same type of information. See the -[Investigation Reports](reports.md) topic for additional information. +[Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. By default, this folder contains the following saved investigations: 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/favorites.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/favorites.md index 06e19866e2..e70787722e 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/favorites.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/favorites.md @@ -6,7 +6,7 @@ has identified as a favorite. Click **Investigate** in the application header bar to open the Investigations interface. Then click **Favorites** in the navigation pane. -![Investigation interface on the Favorites page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favorites.webp) +![Investigation interface on the Favorites page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favorites.webp) The table displays the list of favorite investigations with the following columns: @@ -24,7 +24,7 @@ pane. Click the investigation there to open it. There is an empty star icon beside the name of an investigation not identified as a favorite. -![Empty star showing that investigation is not a favorite](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favoriteselectedtm.webp) +![Empty star showing that investigation is not a favorite](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favoriteselectedtm.webp) Click the star to add the investigation to your Favorites list. 
@@ -32,6 +32,6 @@ Click the star to add the investigation to your Favorites list. There is a yellow star icon beside the name of an investigation identified as a favorite. -![Favorite investigation star icon selected](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favoriteselectedtm.webp) +![Favorite investigation star icon selected](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/favoriteselectedtm.webp) Click the yellow star to remove the investigation from your Favorites list. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/myinvestigations.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/myinvestigations.md index e1290235cb..78c9133553 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/myinvestigations.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/myinvestigations.md @@ -5,7 +5,7 @@ created by the application users. Click **Investigate** in the application header bar to open the Investigations interface. -![Investigations interface on the My Investigations page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/myinvestigations.webp) +![Investigations interface on the My Investigations page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/myinvestigations.webp) The table displays the list of investigations with the following columns: 
@@ -15,8 +15,8 @@ The table displays the list of investigations with the following columns: logged in user Click an investigation to view it. You can run the query, modify the configuration, add a -subscription, or export the report. See the [Investigation Options](options/overview.md) topic for +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md) topic for additional information on saved investigation options. Every report generated by an investigation query displays the same type of information. See the -[Investigation Reports](reports.md) topic for additional information. +[Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md index c8ba23eec6..e63cbf1823 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md 
@@ -3,19 +3,19 @@ The New Investigation page within the Investigations interface enables you to run queries on available data with desired filters for a specific timeframe. -![Investigations interface on the New Investigation page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Investigations interface on the New Investigation page](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) To generate a new investigation report, configure the filters as desired and set the timeframe. See -the [Filters Section](options/filters.md) topic for additional information. +the [Filters Section](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md) topic for additional information. Then click **Run Query**. The report data is displayed in the sections below the Filters section. -See the [Investigation Reports](reports.md) topic for additional information. +See the [Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. **NOTE:** If you run a query without applying filters, the report sections display all activity by all users for the designated timeframe, which is set by default to _Last Hour_. The report generated by a New Investigation can be exported. The Schedule Export option is not -available from the New Investigation page. See the [Export Report](options/export.md) topic for +available from the New Investigation page. See the [Export Report](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md) topic for additional information. The Save option allows you to save your configured filters to run the investigation again later. 
@@ -31,7 +31,7 @@ roles. **Step 1 –** On the New Investigation page, click **Save** in the upper right corner. The Save Investigation window opens. -![saveinvestigation](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/saveinvestigation.webp) +![saveinvestigation](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/saveinvestigation.webp) **Step 2 –** Enter a unique, descriptive name for this investigation in the **Name** field. @@ -53,4 +53,4 @@ The investigation is saved to the selected folder, and the folder expands in the display the saved item. Users can open this folder from the navigation pane to access the investigation. They can run the investigation, schedule exports, or add subscriptions. -See the [Investigation Options](options/overview.md) topic for additional information. +See the [Investigation Options](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md index 73c25d13e1..8c2c8a85dd 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md 
@@ -14,7 +14,7 @@ investigation is located in the folder where it was saved. **Step 3 –** Click the Edit option. -![Edit Investigation with Save page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/editinvestigationtm.webp) +![Edit Investigation with Save page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/editinvestigationtm.webp) **Step 4 –** The Edit option opens the Save Investigation window in edit mode. You can modify the name, description, and folder of the saved investigation. If you save the investigation to a @@ -40,7 +40,7 @@ You can save it as a new investigation. **Step 3 –** Modify the investigation filter statement and click **Save**. The Save Investigation window is displayed. -![Investigation Open as New option](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/investigationduplicate.webp) +![Investigation Open as New option](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/investigationduplicate.webp) The Name box displays the investigation name with the word "copy" appended to it. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md index 3c00665067..df6755b9ef 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md 
@@ -4,7 +4,7 @@ An export puts the report results for an investigation into a desired format. Th provides choices for how you can export the report results for an investigation. The report can be exported in a specified format and can be downloaded, emailed, or scheduled as desired. -![Export option in the Investigation interface](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![Export option in the Investigation interface](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) After running an investigation query, click **Export**. Then select one of the following from the drop-down menu: @@ -24,13 +24,13 @@ Reports will be downloaded to the Downloads folder on your local machine, accord settings. You can configure a folder on the application server to place copies of all exported reports. -See the [Folder Settings Page](../../configuration/integrations/foldersettings.md) topic for +See the [Folder Settings Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md) topic for additional information. ## Send as Email **NOTE:** This option requires an email server to be configured. If this requirement is not met, a -message will appear in the window. See the[Email Page](../../configuration/integrations/email.md) +message will appear in the window. See the[Email Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md) section for additional information. You can send the report data of an investigation as an attachment to an email. The attachment can be 
@@ -44,7 +44,7 @@ investigation is located in the folder where it was saved. **Step 2 –** After running a query and confirming the report data is displayed in the report sections, click the **Export** menu and select **Send as Email**. The Send as Email window opens. -![Send as Email window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/sendasemail.webp) +![Send as Email window](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/sendasemail.webp) **Step 3 –** Begin typing in the **Recipients** textbox. You can enter a user name or email address. Available email addresses read from Active Directory that match the text string will populate in the @@ -65,7 +65,7 @@ The recipients will receive the report as an attachment to an email. **NOTE:** This option requires a shared folder to be configured.If this requirement is not met, a message will appear in the window. See the -[Folder Settings Page](../../configuration/integrations/foldersettings.md) section for additional +[Folder Settings Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/foldersettings.md) section for additional information. You can schedule to save the report data of an investigation to a shared folder. The file format can @@ -81,7 +81,7 @@ sections, click the **Export** menu and select Scheduled export. The Schedule ex The name of the respective investigation is displayed as a link. Click it to view the filter defined for the investigation. -![Schedule export window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/scheduleexport.webp) +![Schedule export window](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/scheduleexport.webp) **Step 3 –** By default the schedule is enabled. You can disable it with the toggle button by the window name. 
@@ -115,5 +115,5 @@ Viewing. The scheduled export is listed on the Subscriptions and Exports page of the Investigations interface. -See the [Subscriptions and Exports Page](../subscriptionsexports.md) topic for additional +See the [Subscriptions and Exports Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md index 53fd4b8216..eab747f757 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md 
@@ -5,13 +5,13 @@ Operator, and Filter value. A time period for the report data is also configured data sources have been configured, there is also a Source drop-down menu. Filter statements can be simple with one value statement or complex with multiple value statements. -![Filters section of an investigation](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/investigations/options/filterstm.webp) +![Filters section of an investigation](/img/product_docs/threatmanager/threatmanager/administration/investigations/options/filterstm.webp) The section has the following options for configuring a filter statement: - Source – This menu provides a list of all integrations with the application. If there is only one data source configured, the Source menudisplays that only. See the - [Netwrix Integrations Page](../../configuration/integrations/netwrixintegrations.md) topic for + [Netwrix Integrations Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md) topic for additional information. - Timeframe – This menu provides several timeframe options as well as a clock and a calendar for setting a custom range. You must set the timeframe for the data to be returned in the report. If 
@@ -35,7 +35,7 @@ You must set a timeframe for an investigation query. When you run a query, the a available data for activity events that match the set filters for the specified timeframe. By default, the timeframe is set for the "Last Hour" of activity. -![Investigations Interface showing the Timeframe drop-down menu](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/timeframe.webp) +![Investigations Interface showing the Timeframe drop-down menu](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/timeframe.webp) Click the displayed timeframeto open a window, which provides several timeframe options as well as a clock and a calendar for setting a custom range: @@ -88,7 +88,7 @@ to the selected investigation, unless you are running an ad hoc query. The Attribute menu in the Filters section has the following options grouped by the type of attribute: -![attrributemenu](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/attrributemenu.webp) +![attrributemenu](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/attrributemenu.webp) - Event ( group header in the menu): @@ -173,7 +173,7 @@ attribute: - Policy – The set of rules or configurations applied within the integration., which may require Netwrix Threat Preventiondatabase access to be configured on the NetwrixIntegrations page. See - the [Netwrix Integrations Page](../../configuration/integrations/netwrixintegrations.md) page + the [Netwrix Integrations Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/netwrixintegrations.md) page for additional information ## Filter Operator Menu 
@@ -181,7 +181,7 @@ attribute: The options available for the Operator menu in the Filters section change to match the selected Attribute. The following is a list of all possible operator options: -![Operator Menu in the investigations Filters section](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/operatormenu.webp) +![Operator Menu in the investigations Filters section](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/operatormenu.webp) - Equals - Not Equal To @@ -197,7 +197,7 @@ the steps to build a filter statement. **Step 1 –** Navigate to the desired investigation's Filters section. -![filtersimple](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/filtersimple.webp) +![filtersimple](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/filtersimple.webp) **Step 2 –** If multiple data sources are configure, select a source from the **Source** drop-down menu. @@ -242,4 +242,4 @@ Once the filter is set, you can generate the report ad hoc by clicking **Run Que to test if your filter statement is working as desired. Save the investigation for reuse. You can also add subscriptions or export the report data using the options above the Filters section. -See the [Investigation Reports](../reports.md) topic for additional information. +See the [Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md index ee76fcffbe..5d897fcc3b 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md 
+++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md 
@@ -2,47 +2,47 @@ Every investigation has the following options at the top of the page: -![Investigation interface showing the options at the top of an investigation](../../../../../../../static/img/product_docs/accessanalyzer/install/application/options.webp) +![Investigation interface showing the options at the top of an investigation](/img/product_docs/accessanalyzer/install/application/options.webp) - Edit – The Edit option opens the Save Investigation window in edit mode. You can modify the name, description, and folder of the saved investigation. If you save the investigation to a different folder, it will be moved from the original location to the new folder. You can also update the user roles granted ownership and access to the investigation report. A My Investigation can also be saved as a new Threat in the Investigation Settings page. See the - [Edit or Duplicate an Investigation](edit.md) topic for additional information. + [Edit or Duplicate an Investigation](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md) topic for additional information. - Create threat – In addition to preconfigured threats, a user can create a custom threat when certain events are considered to be dangerous in the environment, for example, when one of the - privileged users makes file changes. See the [Custom Threats](../../../threats/custom.md)topic for + privileged users makes file changes. See the [Custom Threats](/docs/threatmanager/3.0/threatmanager/threats/custom.md)topic for additional information. - Subscriptions – Click the Subscriptions link to open the Subscription to window. You can specify recipients to receive this report as an email attachment in a specified format. See the - [Add Subscription](subscription.md) topic for additional information. + [Add Subscription](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md) topic for additional information. 
- Export – The Export option provides choices for how you can export the report results for an investigation. The report can be exported in a specified format and can be downloaded, emailed, or - scheduled as desired. See the [Export Report](export.md) topic for additional information. + scheduled as desired. See the [Export Report](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md) topic for additional information. - Three vertical dot icon has the following options: - Copy link – The Copy link option copies the URL of the investigation to your clipboard, so that you can share it with users who have access to the report - Open as new – The Open as New option opens the investigation in Duplicate mode. The filter is the same as that of the base investigation. You can save it as a new investigation. See the - [Edit or Duplicate an Investigation](edit.md) topic for additional information. + [Edit or Duplicate an Investigation](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/edit.md) topic for additional information. - Run Query – The Run Query button pulls available activity data that match the set filters and timeframe. The data is displayed on the Event Details, Events Over Time, and Top Resources tabs. - See the [Investigation Reports](../reports.md) topic for additional information. + See the [Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. - Filters – The Filters section provides options to build a filter statement by selecting the Attribute, Operator, and Filter value. A time period for the report data is also configured here. If multiple data sources have been configured, there is also a Source drop-down menu. See the - [Filters Section](filters.md) topic for additional information. 
+ [Filters Section](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/filters.md) topic for additional information. **NOTE:** For an investigations to return information on user display names, groups, or email addresses, the Active Directory Service must be running to collect Active Directory data prior to running an investigation. See the -[Active Directory Sync Page](../../configuration/integrations/activedirectorysync.md) topic for +[Active Directory Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md) topic for additional information. **NOTE:** For an investigation to return information on Entra ID users, groups, roles and applications, the Entra ID Service must be running to collect Entra ID data before running an -investigation. See the [Entra ID Sync Page](../../configuration/integrations/entraidsync.md) topic +investigation. See the [Entra ID Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md index 01189712c0..f01e94e284 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md 
@@ -4,10 +4,10 @@ A subscription sends the report results for an investigation to recipients via e attachment. Click the Subscriptions link to open the Subscription to window. You can specify recipients to receive this report as an email attachment in a specified format. -![Subscription window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/subscription.webp) +![Subscription window](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/options/subscription.webp) **NOTE:** This option requires an email server to be configured.If this requirement is not met, a -message will appear in the window. See the[Email Page](../../configuration/integrations/email.md) +message will appear in the window. See the[Email Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/email.md) section for additional information. ## Subscribe to an Investigation @@ -58,5 +58,5 @@ Viewing. The subscription is listed on the Subscriptions and Exports page of the Investigations interface. -See the [Subscriptions and Exports Page](../subscriptionsexports.md) topic for additional +See the [Subscriptions and Exports Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/overview.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/overview.md index 3112a4c252..78d2fafa97 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/overview.md 
@@ -8,40 +8,40 @@ Manager like out-of-the-box threats. Click **Investigate** in the application header bar to open the Investigations interface. -![Investigations interface](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) +![Investigations interface](/img/product_docs/threatprevention/threatprevention/reportingmodule/interface.webp) The Investigations interface contains the following pages: - New Investigation – Enables you to run queries on available data with desired filters for a - specific timeframe. See the [New Investigation Page](newinvestigation.md) topic for additional + specific timeframe. See the [New Investigation Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md) topic for additional information. - Favorites – Provides a list of saved queries the logged in user has tagged as a Favorite. See the - [Favorites Page](favorites.md) topic for additional information. + [Favorites Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/favorites.md) topic for additional information. - Audit and Compliance – Provides a list of saved out-of-the-box investigations with applied filters for commonly used Audit and Compliance activity reports. See the - [Audit and Compliance Page](auditcompliance.md) topic for additional information. + [Audit and Compliance Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/auditcompliance.md) topic for additional information. - Predefined Investigations – Provides a list of saved out-of-the-box investigations with applied filters for Applications, Computers, Groups, iNetOrgPerson, Roles and User activity reports. See - the [ Predefined Investigations Page](predefinedinvestigations.md) topic for additional + the [ Predefined Investigations Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/predefinedinvestigations.md) topic for additional information. 
- My Investigations – Provides a list of saved investigations created by the application users. See - the [My Investigations Page](myinvestigations.md) topic for additional information. + the [My Investigations Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/myinvestigations.md) topic for additional information. - Subscriptions and Exports – Provides a list of investigations that are either subscribed to or - scheduled for export. See the [Subscriptions and Exports Page](subscriptionsexports.md) topic for + scheduled for export. See the [Subscriptions and Exports Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md) topic for additional information. Every investigation has the same options at the top of the page. See the -[Investigation Options](options/overview.md) topic for additional information. +[Investigation Options](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md) topic for additional information. Every report generated by an investigation query displays the same type of information. See the -[Investigation Reports](reports.md) topic for additional information. +[Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. ## Search for Saved Investigations The Investigations interface includes a search field in the navigation pane to find saved investigations by name. -![Investigations Search showing matching results](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/investigations/searchtm.webp) +![Investigations Search showing matching results](/img/product_docs/threatmanager/threatmanager/administration/investigations/searchtm.webp) Type in the search box. As you type, a drop-down will populate with saved investigations containing matches. 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/predefinedinvestigations.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/predefinedinvestigations.md index 2c37734c28..820963fa73 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/predefinedinvestigations.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/predefinedinvestigations.md @@ -4,7 +4,7 @@ The Predefined Investigations page in the Investigations interface provides a li out-of-the-box investigations with applied filters for Applications, Computers, Groups, iNetOrgPerson, Roles and User activity reports. -![Investigations interface on the Predefined Investigations page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/predefinedinvestigations.webp) +![Investigations interface on the Predefined Investigations page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/predefinedinvestigations.webp) The table displays the list of investigations with the following columns: 
@@ -14,11 +14,11 @@ The table displays the list of investigations with the following columns: logged in user Click an investigation to view it. You can run the query, modify the configuration, add a -subscription, or export the report. See the [Investigation Options](options/overview.md) topic for +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/overview.md) topic for additional information on saved investigation options. Every report generated by an investigation query displays the same type of information. See the -[Investigation Reports](reports.md) topic for additional information. +[Investigation Reports](/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md) topic for additional information. By default, these investigations are grouped in subfolders. Each subfolder page has the same table as the Predefined Investigations page, scoped to the investigations within that folder. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md index 775e815b85..bcb6d754b3 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/reports.md 
@@ -13,12 +13,12 @@ Every report generated by an investigation query displays the following informat **NOTE:** For an investigations to return information on user display names, groups, or email addresses, the Active Directory Service must be running to collect Active Directory data prior to running an investigation. See the -[Active Directory Sync Page](../configuration/integrations/activedirectorysync.md) topic for +[Active Directory Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md) topic for additional information. **NOTE:** For an investigation to return information on Entra ID users, groups, roles and applications, the Entra ID Service must be running to collect Entra ID data before running an -investigation. See the [Entra ID Sync Page](../configuration/integrations/entraidsync.md) topic for +investigation. See the [Entra ID Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md) topic for additional information. Click **Investigate** in the application header bar to open the Investigations interface. Then @@ -33,7 +33,7 @@ timeframe, to generate the report. The Event Details tab provides a view of all events matching the criteria specified for the investigation. -![Events Detaisl section of an investigation report](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventdetails.webp) +![Events Detaisl section of an investigation report](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventdetails.webp) The table displays the following data: 
@@ -61,17 +61,17 @@ The table displays the following data: details. - Description – A summary of the event -Click the arrow (>) in the table for a specific event to view additional details. +Click the arrow () in the table for a specific event to view additional details. -See the [Host Details Page](../threatdetails/host.md) topic and the -[User Details Page](../threatdetails/user.md) topic for additional information. +See the [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md) topic and the +[User Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md) topic for additional information. ## Events Over Time Section The Events Over Time section displays a bar graph and pie chart for events matching the criteria specified for the investigation. -![Events Over Time section of an Investigations report](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventsovertime.webp) +![Events Over Time section of an Investigations report](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventsovertime.webp) - Hover over a time period to view the type of event and number of events logged for that timeframe. - Hover over the pie chart to view the total number of each type of event. The total number of all @@ -82,7 +82,7 @@ specified for the investigation. The Top Resources tab displays summary statistics for perpetrators (users) and targets (hosts) associated with the events matching the criteria specified for the investigation. -![Top Resources section of an Investigations report](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/topresources.webp) +![Top Resources section of an Investigations report](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/topresources.webp) The tab contains two tables: 
@@ -112,5 +112,5 @@ It contains the following columns: - Users – The number of users who generated events - Actions – The number of events generated by all users on the target -Click the link to view target details.See the [Host Details Page](../threatdetails/host.md) topic +Click the link to view target details.See the [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md b/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md index 1499ee787a..162497dfed 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md +++ b/docs/threatmanager/3.0/threatmanager/administration/investigations/subscriptionsexports.md @@ -5,7 +5,7 @@ attachment. An export puts the report results for an investigation into a desire Subscriptions and Exports page provides a list of investigations that are either subscribed to or scheduled for export. -![Investigations interface on the Subscriptions and Exports page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/subscriptionsexports.webp) +![Investigations interface on the Subscriptions and Exports page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/subscriptionsexports.webp) The table has the following columns: 
@@ -24,7 +24,7 @@ The table has the following columns: - Actions – Menu option per table row. This column does not have a header. It is represented by three dots and shows up when you hover over a row. -See the [Add Subscription](options/subscription.md) topic and [Export Report](options/export.md) +See the [Add Subscription](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/subscription.md) topic and [Export Report](/docs/threatmanager/3.0/threatmanager/administration/investigations/options/export.md) topic for additional information. ## Table Features @@ -32,7 +32,7 @@ topic for additional information. The table has several features accessed through the menu button that appears when you hover over a column header. -![Table column menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/tableoptions.webp) +![Table column menu](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/tableoptions.webp) In addition to the arrow that appears to sort the table in ascending or descending order, the menu contains the following options: @@ -53,7 +53,7 @@ contains the following options: The Table Filter window opens from the table column menu. -![Table Filter window](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/filterwindow.webp) +![Table Filter window](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/filterwindow.webp) Follow the steps to build a filter statement. 
@@ -74,7 +74,7 @@ The table is filtered to matches of the filter. The Actions column holds a menu with actions that apply to the selected subscription or export. -![Actions menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/subscriptionsexportsactions.webp) +![Actions menu](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/subscriptionsexportsactions.webp) The options include: diff --git a/docs/threatmanager/3.0/threatmanager/administration/overview.md b/docs/threatmanager/3.0/threatmanager/administration/overview.md index 63e056bffd..e66bfd7be3 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/overview.md 
@@ -2,20 +2,20 @@ The navigation header contains the following links on the top left side of the page: -![headerbarleft](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/headerbarleft.webp) +![headerbarleft](/img/product_docs/threatmanager/threatmanager/administration/headerbarleft.webp) - Threat Manager – Opens the Home page for the Threat Manager Console -- Threats – Opens the [Threats Page](threats.md) -- Investigate – Opens the [Investigations Interface](investigations/overview.md) +- Threats – Opens the [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md) +- Investigate – Opens the [Investigations Interface](/docs/threatmanager/3.0/threatmanager/administration/investigations/overview.md) **NOTE:** For mobile users, only the icons are displayed for the Threats and Investigate links. The header bar contains the following links on the top right side of the page: -![This screenshot displays the right header bar.](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/headerbarright.webp) +![This screenshot displays the right header bar.](/img/product_docs/threatmanager/threatmanager/administration/headerbarright.webp) - Search – Enter a user, computer, or group and click the Search icon -- [Configuration Menu](configuration/overview.md) – Displays a menu with the configuration pages +- [Configuration Menu](/docs/threatmanager/3.0/threatmanager/administration/configuration/overview.md) – Displays a menu with the configuration pages - Help – Accesses help - Logout – Click the person icon and select Logout from the drop-down list to log out of the Threat Manager Console. The drop-down list also displays the user logged in. 
@@ -23,7 +23,7 @@ The header bar contains the following links on the top right side of the page: A magenta alert banner will display below the navigation header if one of the following scenarios occurs: -![banneragentunresponsive](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/banneragentunresponsive.webp) +![banneragentunresponsive](/img/product_docs/threatmanager/threatmanager/administration/banneragentunresponsive.webp) - Service outage - Agent outage @@ -33,14 +33,14 @@ This banner contains a link to the page relevant to the issue. ## Home Page -The Threat Manager [Home Page](home.md) provides an “at a glance” overview of the possible threats +The Threat Manager [Home Page](/docs/threatmanager/3.0/threatmanager/administration/home.md) provides an “at a glance” overview of the possible threats detected in an organization's environment for the past 24 hours. This is displayed with interactive graphs and a rollup count that will allow easy tracking and response capabilities for new threats, and users with risky activity. ## Threats Page -The Threat Manager [Threats Page](threats.md) is where end users and analysts investigate possible +The Threat Manager [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md) is where end users and analysts investigate possible threats in their environment. This page displays a historical timeline of the detected threats and advanced filtering that allows users to find threats with ease. An end user can drill down into threats and view additional details. Threats have a response workflow that enables teams to assign a 
@@ -59,16 +59,16 @@ mechanism that will be monitored by Threat Manager like out-of-the-box threats. The threat types listed for bar charts are interactive. -![excludeathreat](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/excludeathreat.webp) +![excludeathreat](/img/product_docs/threatmanager/threatmanager/administration/excludeathreat.webp) Click a threat to exclude it from the chart. The threat will have a black line through it to show that it has been excluded. Click the threat again to add it to the chart. -![trendline](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/trendline.webp) +![trendline](/img/product_docs/threatmanager/threatmanager/administration/trendline.webp) Hover over a trend line to see the number of threats detected in the selected time increment. -![bargraphhover](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/bargraphhover.webp) +![bargraphhover](/img/product_docs/threatmanager/threatmanager/administration/bargraphhover.webp) Hover over a bar graph to view the number of each type of threat created in the time frame. Hover over slices in a pie chart to view the number of threats for each threat type. @@ -78,7 +78,7 @@ over slices in a pie chart to view the number of threats for each threat type. Anywhere in the Console where a link to a user, group, or host details page is displayed, hover over the link to display a preview window. -![hover](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/hover.webp) +![hover](/img/product_docs/threatmanager/threatmanager/administration/hover.webp) Preview windows display cards that provide information about the selected object without having to navigate off of the current page. These cards provide information about users, groups, and hosts, 
@@ -88,7 +88,7 @@ including any associated tags. Data grids provide the ability to search for data and also to configure the presentation of data. -![This screenshot displays interactive elements in a grid.](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/datagrids.webp) +![This screenshot displays interactive elements in a grid.](/img/product_docs/threatmanager/threatmanager/administration/datagrids.webp) The top bar in a data grid contains the following options: diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/activedirectory.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/activedirectory.md index a8262dcbb9..6814a4842a 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/activedirectory.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/activedirectory.md @@ -7,7 +7,7 @@ The following actions target Active Directory. The Active Directory Group Membership action provides configuration options to add or remove Active Directory group membership. -![adgroupmembership](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/adgroupmembership.webp) +![adgroupmembership](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/adgroupmembership.webp) - Users – Select the users for whom to alter group membership. If not specified, the user who triggered the threat will be used. 
@@ -18,7 +18,7 @@ Directory group membership. threat will be used. - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Change Password at Next Logon 
@@ -26,24 +26,24 @@ Directory group membership. The Change Password at Next Logon action forces the user to change their password the next time the user logs on. -![changepassword](../../../../../../../static/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) +![changepassword](/img/product_docs/groupid/groupid/admincenter/general/changepassword.webp) - Users – Select the users for whom to reset passwords at next logon. If not specified, the user who triggered the threat will be used. - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Disable Active Directory Account The Disable Active Directory Account action disables the specified account. -![disableadaccount](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableadaccount.webp) +![disableadaccount](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableadaccount.webp) - Active Directory Credentials – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. - Users – Select users to disable. If not specified, the user who triggered the threat will be used. 
@@ -52,12 +52,12 @@ The Disable Active Directory Account action disables the specified account. The Disable Active Directory Computer action disables the specified computer object in Active Directory. -![disableadcomputer](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableadcomputer.webp) +![disableadcomputer](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableadcomputer.webp) - Disable Domain Controllers – When selected, allows domain controllers to be disabled. - Active Directory Credentials – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. - Computer – Select the computer to disable. If not selected, the host computer will be used. 
@@ -65,24 +65,24 @@ Directory. The Reset Password action resets the password of the specified account. -![resetpassword](../../../../../../../static/img/product_docs/groupid/groupid/portal/resetpassword.webp) +![resetpassword](/img/product_docs/groupid/groupid/portal/resetpassword.webp) - Users – Select the users for whom to reset passwords. If not specified, the user who triggered the threat will be used. - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md) . If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md) . If not specified, the action will be run as the credentials of the Action Service. ## Revert Permission Change The Revert Permission Change action reverts a permission change on an Active Directory Object. -![revertpermissionchange](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/revertpermissionchange.webp) +![revertpermissionchange](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/revertpermissionchange.webp) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the Integrations Interface. If not specified, the action will be run as the credentials of the Action Service. -See the [Integrations Interface](../../configuration/integrations/overview.md) topic for additional +See the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/entraid.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/entraid.md index f48eca0b35..2ff05921f9 100644 
--- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/entraid.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/entraid.md @@ -6,7 +6,7 @@ The following actions target an Entra ID application. Manages an Entra ID group's membership by adding or removing an object from a group. -![entraidmembership](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/entraidmembership.webp) +![entraidmembership](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/entraidmembership.webp) - Users – Select the users for whom to alter group membership. If not specified, the user who triggered the threat will be used. @@ -21,14 +21,14 @@ Manages an Entra ID group's membership by adding or removing an object from a gr - Remove – Remove the user from the specified group - Credential – Select a credential profile that contains valid Entra ID credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Flag Entra ID User as Confirmed Compromised Flag a user as confirmed compromised within your Entra ID tenant. -![confirmcompromised](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/confirmcompromised.webp) +![confirmcompromised](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/confirmcompromised.webp) - Users – The users to flag as confirmed compromised. If not specified, the user who triggered the threat will be used. 
@@ -40,14 +40,14 @@ Flag a user as confirmed compromised within your Entra ID tenant. - Credential – Select a credential profile that will mark the user as confirmed compromised. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Disable Entra ID User This actions disables a user in your Entra ID tenant. -![disableuser](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableuser.webp) +![disableuser](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableuser.webp) - Users –The users to disable. If not specified, the user who triggered the threat will be used @@ -57,7 +57,7 @@ This actions disables a user in your Entra ID tenant. affected by the threat - Credential – Select a credential profile that will execute this action. Credential profiles are - configured on the [Integrations Interface](../../configuration/integrations/overview.md). If not + configured on the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Reset Entra ID Password 
@@ -65,7 +65,7 @@ This actions disables a user in your Entra ID tenant. Resets an Entra ID user's password to a specified password. If no password is specified, resets a user's password to a random group of letters, numbers, and special characters. -![entraidresetpassword](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/entraidresetpassword.webp) +![entraidresetpassword](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/entraidresetpassword.webp) - New Password – Password will be reset to this value. If not specified, generates a random password. @@ -78,5 +78,5 @@ user's password to a random group of letters, numbers, and special characters. affected by the threat - Credential – Select a credential profile that will execute this action. Credential profiles are - configured on the [Integrations Interface](../../configuration/integrations/overview.md). If not + configured on the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/localhost.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/localhost.md index 86f68887d0..a3b3fc1649 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/localhost.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/localhost.md 
@@ -8,7 +8,7 @@ The PowerShell Script action executes a specified PowerShell script. This action build a custom threat response, using PowerShell, to handle scenarios not covered by other preconfigured action steps. -![powershellscriptactionstep](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/powershellscriptactionstep.webp) +![powershellscriptactionstep](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/powershellscriptactionstep.webp) - PowerShell Script – Select the PowerShell script to execute. By default, the PowerShell script includes a comment section which includes Threat Manager threat variables that can be used in @@ -25,7 +25,7 @@ preconfigured action steps. The Send Email action sends an email. -![sendemail](../../../../../../../static/img/product_docs/groupid/groupid/portal/sendemail.webp) +![sendemail](/img/product_docs/groupid/groupid/portal/sendemail.webp) - Subject – The subject of the email - To – Specify the email addresses receiving the email @@ -35,11 +35,11 @@ The Send Email action sends an email. The Stop Process action stops a process running locally on the host associated with the threat. -![stopprocess](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/stopprocess.webp) +![stopprocess](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/stopprocess.webp) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Credential Profile Page](../../configuration/integrations/credentialprofile.md). If not + [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md). If not specified, the action will be run as the credentials of the Action Service. ## End User Session 
@@ -47,7 +47,7 @@ The Stop Process action stops a process running locally on the host associated w The End User Session action attempts to log the specified user out of any active RDP sessions on the target client. -![endusersession](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/endusersession.webp) +![endusersession](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/endusersession.webp) - Users – The users to log out of RDP sessions. If not specified, only the perpetrator will be used. Select the users from the drop-down list: @@ -66,5 +66,5 @@ target client. - Credential – The domain credential used to run the action. Domain credentials are populated by credential profiles that are created on the Integrations page. If not specified, the action will be run under the credentials of the action. Select the credentials from the drop-down list. See - the [Credential Profile Page](../../configuration/integrations/credentialprofile.md) topic for + the [Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md index 151cdb6206..a4a93642bf 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md 
@@ -4,7 +4,7 @@ When adding preconfigured actions as steps in a playbook, the configuration info depends upon the action selected. When Add Step is selected on the Playbooks page, a box with the following information is displayed: -![genericactionstep](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/genericactionstep.webp) +![genericactionstep](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/genericactionstep.webp) - Display Name – Populates with the name of the Action Type selected - Action Type – A drop-down list containing all preconfigured actions that can be selected to add as 
@@ -16,10 +16,10 @@ Once an Action Type is selected, additional configuration options are displayed. Threat Manager has the following preconfigured actions: -- [Active Directory Target Actions](activedirectory.md) -- [Entra ID Target Actions](entraid.md) -- [Local Host Target Actions](localhost.md) -- [Tag Threat Actions](tag.md) -- [Third-Party Applications Target Actions](thirdparty.md) -- [Windows File System Target Actions](windowsfileserver.md) -- [Windows Server Target Actions](windowsserver.md) +- [Active Directory Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/activedirectory.md) +- [Entra ID Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/entraid.md) +- [Local Host Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/localhost.md) +- [Tag Threat Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/tag.md) +- [Third-Party Applications Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/thirdparty.md) +- [Windows File System Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsfileserver.md) +- [Windows Server Target Actions](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsserver.md) diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/tag.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/tag.md index e2a1074a73..3d6f1f96a4 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/tag.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/tag.md 
@@ -6,7 +6,7 @@ The following action targets Threat Manager. This action adds tags to objects associated with a threat. -![tagobject](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/tagobject.webp) +![tagobject](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/tagobject.webp) - Tags – Select the tags to be applied to the object. - Action – Specify whether to add or remove tags. If not specified, the tag will be added. @@ -17,7 +17,7 @@ This action adds tags to objects associated with a threat. This action adds or removes a user from a blocking policy. -![manageblockingpolicy](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/manageblockingpolicy.webp) +![manageblockingpolicy](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/manageblockingpolicy.webp) - Users – The users to have their RDP Session ended. If not specified, the user who triggered the threat will be used. Select the users from the drop-down list. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/thirdparty.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/thirdparty.md index 15c62dae28..2fc703e0bd 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/thirdparty.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/thirdparty.md 
@@ -6,7 +6,7 @@ The following actions target third-party applications. This action creates an incident in ServiceNow®. -![createservicenow](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/createservicenow.webp) +![createservicenow](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/createservicenow.webp) - Instance – Specify the ServiceNow instance. Only enter a name and the .servicenow.com instance is automatically applied. For example, entering "company" will automatically become @@ -19,7 +19,7 @@ This action creates an incident in ServiceNow®. This action sends an authentication push to the Duo API. -![duoauthenticationpush](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/duoauthenticationpush.webp) +![duoauthenticationpush](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/duoauthenticationpush.webp) - Users – Select the users to authenticate. If not specified, the user who triggered the threat will be used. @@ -48,7 +48,7 @@ This action sends an authentication push to the Duo API. This action posts to a Microsoft Teams channel. -![microsoftteams](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/microsoftteams.webp) +![microsoftteams](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/microsoftteams.webp) - Message – Specify the optional message to display - URI – Specify the URI for the Microsoft Teams incoming webhook 
@@ -57,7 +57,7 @@ This action posts to a Microsoft Teams channel. This action utilizes RADIUS profiles to authenticate user activity. -![radiusauthentication](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/radiusauthentication.webp) +![radiusauthentication](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/radiusauthentication.webp) - User Not Found Behavior – Select how to handle a user not configured for RADIUS authentication. If not specified, the authentication will fail. @@ -72,10 +72,10 @@ This action utilizes RADIUS profiles to authenticate user activity. ## Send Syslog This action sends a Syslog message to a server. This action utilizes the current SIEM settings, -specified on the [Integrations Interface](../../configuration/integrations/overview.md), to send the +specified on the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md), to send the threat information via Syslog. -![sendsyslog](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/sendsyslog.webp) +![sendsyslog](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/sendsyslog.webp) ## Set Forescout Property On Host 
@@ -83,7 +83,7 @@ This action adds a property to a Forescout host record. Forescout collections ca monitor this property. This allows Threat Manager to integrate with the Forescout platform to enable the use of the capabilities of Forescout for threat response. -![forescoutproperty](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/forescoutproperty.webp) +![forescoutproperty](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/forescoutproperty.webp) - Forescout Server IP – The IP address of the Forescout server - Forescout Property String – The value of the Forescout property string to be added to the host @@ -96,7 +96,7 @@ the use of the capabilities of Forescout for threat response. This action sends a message to Slack. -![slack](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/slack.webp) +![slack](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/slack.webp) - Message – The optional message to display - URI – The URI for the Slack incoming webhook @@ -105,7 +105,7 @@ This action sends a message to Slack. This action sends an SMS message through Twilio. -![twiliosms](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/twiliosms.webp) +![twiliosms](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/twiliosms.webp) - To – The phone number receiving threat notifications. Include the country code. - SID – The Twilio SID 
@@ -118,7 +118,7 @@ This action sends an SMS message through Twilio. This action scans the file hashes against the VirusTotal API and emails the results. -![virustotalreport](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/virustotalreport.webp) +![virustotalreport](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/virustotalreport.webp) - Subject – The optional custom email subject. If a subject is not specified, a default email subject will be used. @@ -130,7 +130,7 @@ This action scans the file hashes against the VirusTotal API and emails the resu This action executes a webhook via a HTTP request from Threat Manager. Webhooks are used by a variety of web applications to trigger actions or receive data from external sources. -![webhook](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/webhook.webp) +![webhook](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/webhook.webp) - Method – The HTTP method for the webhook. Select a method from the drop-down list: - GET diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsfileserver.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsfileserver.md index 486c4cd50c..ff86792031 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsfileserver.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsfileserver.md 
@@ -6,33 +6,33 @@ The following actions target Windows File System. This action deletes the file associated with the threat. -![deletefile](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/deletefile.webp) +![deletefile](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/deletefile.webp) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Revert Permission Change The Revert Permission Change action reverts a permission change on an Active Directory Object. -![revertpermissionchange](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/revertpermissionchange.webp) +![revertpermissionchange](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/revertpermissionchange.webp) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the Integrations Interface. If not specified, the action will be run as the credentials of the Action Service. -See the [Integrations Interface](../../configuration/integrations/overview.md) topic for additional +See the [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md) topic for additional information. ## Save File Hash This action saves the file hash to the properties of the threat. 
-![savefilehash](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/savefilehash.webp) +![savefilehash](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/savefilehash.webp) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsserver.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsserver.md index 3ea96e09fc..b5187f8b4a 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsserver.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/windowsserver.md 
@@ -4,18 +4,18 @@ The following actions target Windows servers. ## Close SMB Session -![closesmbsession](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/closesmbsession.webp) +![closesmbsession](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/closesmbsession.webp) This action closes any active SMB sessions for the threat perpetrator on a target host. - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Create Windows Firewall Rule -![windowsfirewall](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/windowsfirewall.webp) +![windowsfirewall](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/windowsfirewall.webp) This action adds a Windows Firewall Rule to block inbound or outbound network protocol traffic for specified hosts. 
@@ -38,18 +38,18 @@ specified hosts. - Threat Host – The host associated with a threat (typically a domain controller or file server) - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. ## Disable User Remote Desktop Access -![disableuserremote](../../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableuserremote.webp) +![disableuserremote](/img/product_docs/threatmanager/threatmanager/administration/playbooks/action/disableuserremote.webp) This action disconnects the user from the host and disables login rights for the user. - Credential – Select a credential profile that contains valid Active Directory credentials. Credential profiles are configured on the - [Integrations Interface](../../configuration/integrations/overview.md). If not specified, the + [Integrations Interface](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/overview.md). If not specified, the action will be run as the credentials of the Action Service. - Users – Select the users for whom to disable remote desktop access. If not specified, those user who triggered the threat will be used. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/editstep.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/editstep.md index 7ad23fec8c..ca4d91e6da 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/editstep.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/editstep.md 
@@ -2,7 +2,7 @@ Follow the steps to edit a playbook step. -![playbookstep](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbookstep.webp) +![playbookstep](/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbookstep.webp) **Step 1 –** Click the step in the playbook to expand it. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/export.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/export.md index d1362a4660..bca66784e2 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/export.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/export.md @@ -4,7 +4,7 @@ Playbooks can be exported from the Threat Manager Console. Follow the steps to export a playbook. -![exportplaybook](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/exportplaybook.webp) +![exportplaybook](/img/product_docs/threatmanager/threatmanager/administration/playbooks/exportplaybook.webp) **Step 1 –** Select the playbook to export. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/import.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/import.md index 5177693b5d..41fddb7e91 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/import.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/import.md @@ -6,7 +6,7 @@ that file for import to Threat Manager. Follow the steps to import a playbook. -![importbutton](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/importbutton.webp) +![importbutton](/img/product_docs/threatmanager/threatmanager/administration/playbooks/importbutton.webp) **Step 1 –** Go to the Playbooks tab and select Import. This opens the Windows File Explorer. 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/importsteps.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/importsteps.md index 4ff885a44a..a8b7d9563f 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/importsteps.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/importsteps.md @@ -6,7 +6,7 @@ as Playbook steps. Follow the steps to import an action. -![importbutton](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/importbutton.webp) +![importbutton](/img/product_docs/threatmanager/threatmanager/administration/playbooks/importbutton.webp) **Step 1 –** In the Threat Response box, click Import. diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/overview.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/overview.md index 6f7131e491..99802f8afd 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/overview.md @@ -3,7 +3,7 @@ The first step in designating steps to run in response to a threat is to add a playbook. A playbook is used to tie a threat or "trigger type" to the desired step(s) to take in response to that threat. A threat response can be assigned to a playbook on the -[Threat Detection Page](../configuration/threatdetection.md). Once a playbook has been created, +[Threat Detection Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md). Once a playbook has been created, steps that specify the desired action for the threat response are then added. **_RECOMMENDED:_** Execute playbooks in a test environment and review the results prior to executing 
@@ -17,7 +17,7 @@ Threat Manager threats and threat responses, automatic triggering of playbooks c Follow the steps to add a playbook. -![threatresponse](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) +![threatresponse](/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) **Step 1 –** In the Threat Response box, click New Playbook. A new playbook called "My Playbook 1" is created. As additional Playbooks are added, sequential numbers are appended to My Playbook. @@ -40,7 +40,7 @@ Tab topic for additional information. Playbooks are configured using the tabs on the Threat Response page. -![playbooktabs](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbooktabs.webp) +![playbooktabs](/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbooktabs.webp) The Threat Response page contains the following configuration tabs: @@ -54,7 +54,7 @@ The Threat Response page contains the following configuration tabs: The General Tab contains the Allowed Threats box which allows customization of which threats are applicable for the selected playbook. -![generaltab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/generaltab.webp) +![generaltab](/img/product_docs/threatprevention/threatprevention/admin/policies/generaltab.webp) The General tab has the following configuration options: 
@@ -71,12 +71,12 @@ The General tab has the following configuration options: Once a playbook is created or imported, add steps to the playbook using the Actions tab. Steps are actions that are taken in response to a threat. See the -[Preconfigured Actions](../configuration/threatresponse.md#preconfigured-actions) topic for +[Preconfigured Actions](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatresponse.md#preconfigured-actions) topic for additional information. Follow the instructions to add steps to a Playbook. -![actionstab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/actions/actionstab.webp) +![actionstab](/img/product_docs/threatprevention/threatprevention/admin/policies/actions/actionstab.webp) **Step 1 –** Select the playbook from the Playbooks list in the Threat Response box or on the Playbooks overview. @@ -86,12 +86,12 @@ playbook. **Step 3 –** Enter the following information in the box: -![addstep](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/addstep.webp) +![addstep](/img/product_docs/threatmanager/threatmanager/administration/playbooks/addstep.webp) - Display Name – The desired name for the step - Action Type – The type of action to take for the threat response. Select the desired action from the drop-down list. Additional configuration information is required depending upon the type of - action selected. See the [Action Configuration for Playbook Steps](action/overview.md) topic for + action selected. See the [Action Configuration for Playbook Steps](/docs/threatmanager/3.0/threatmanager/administration/playbooks/action/overview.md) topic for additional information. - Continue on Error – Select this checkbox to execute the next step if the current step fails 
@@ -105,7 +105,7 @@ Follow-Up Playbooks can be configured on the Follow-Up tab. Follow-Up playbooks playbooks to run once the playbook has completed. This allows a (Undefined variable: SD.Product Short Name) administrator to sequence a series of playbooks together as part of a threat response. -![followuptab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/followuptab.webp) +![followuptab](/img/product_docs/threatmanager/threatmanager/administration/playbooks/followuptab.webp) The Follow-Up tab has the following configuration options: @@ -121,12 +121,12 @@ Click **Save** to save the configured settings. Click the Logs tab to access the Playbook Execution History table. The table lists all playbook executions and also provides the ability to search the table. -![This screenshot displays the Logs tab on the Threat Response page.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/logstab.webp) +![This screenshot displays the Logs tab on the Threat Response page.](/img/product_docs/threatmanager/threatmanager/administration/playbooks/logstab.webp) The table provides the following information: - Threat – The threat type that triggered the playbook - - Click the threat link to open the [Threat Details Page](../threatdetails/overview.md) and view + - Click the threat link to open the [Threat Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md) and view information about the threat. - Threat Detected – The time that the threat was detected - Time Started – The time that the playbook was executed 
@@ -149,7 +149,7 @@ The Action Log window contains a Logs tab and a Step Details tab. The Logs tab displays logs for the playbook execution. -![This screenshot displays the Logs tab on the Action Log window.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/logstab.webp) +![This screenshot displays the Logs tab on the Action Log window.](/img/product_docs/threatmanager/threatmanager/administration/playbooks/logstab.webp) The Logs tab displays a table with the following columns: @@ -161,7 +161,7 @@ The Logs tab displays a table with the following columns: The Step Details tab displays information about the action steps in the playbook execution. -![This screenshot displays the Step Details tab on the Action Log window.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/stepdetailstab.webp) +![This screenshot displays the Step Details tab on the Action Log window.](/img/product_docs/threatmanager/threatmanager/administration/playbooks/stepdetailstab.webp) The Step Details tab contains a table with the following columns: diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/save.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/save.md index 8e75a0ff59..60e190cf50 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/save.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/save.md @@ -5,7 +5,7 @@ recreating the step. Follow the steps to save a step to the My Steps list. -![playbookstep](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbookstep.webp) +![playbookstep](/img/product_docs/threatmanager/threatmanager/administration/playbooks/playbookstep.webp) **Step 1 –** Click the step in the playbook to expand it. 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/playbooks/trigger.md b/docs/threatmanager/3.0/threatmanager/administration/playbooks/trigger.md index d0b34be881..a86bcfd317 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/playbooks/trigger.md +++ b/docs/threatmanager/3.0/threatmanager/administration/playbooks/trigger.md @@ -5,7 +5,7 @@ the allowed threat. Follow the steps to trigger a playbook manually. -![threatresponsebutton](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/playbooks/threatresponsebutton.webp) +![threatresponsebutton](/img/product_docs/threatmanager/threatmanager/administration/playbooks/threatresponsebutton.webp) **Step 1 –** Navigate to the Threat Details Page for a user with a threat type associated with a playbook. diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/abnormalbehavior.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/abnormalbehavior.md index 950f568891..13d618003f 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/abnormalbehavior.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/abnormalbehavior.md @@ -6,7 +6,7 @@ behaviors that deviate from the user's normal behavioral profile. Abnormal behav when a user has been active for a minimum of 30 days, with up to 120 days of activity used to establish the baseline behavior for a user. -![abnormalbehavior](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/abnormalbehavior.webp) +![abnormalbehavior](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/abnormalbehavior.webp) The top of the page shows the number of each of the following: 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/activedirectoryobjects.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/activedirectoryobjects.md index d7cd5479d1..7dd71cb17b 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/activedirectoryobjects.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/activedirectoryobjects.md @@ -4,20 +4,20 @@ Active Directory Object details pages provide details on Active Directory object groups,  and hosts (computers). These pages can be used to discover more information about the various resources related to threats and events in Threat Manager. Pages include: -- [User Details Page](user.md) -- [Group Details Page](group.md) -- [Host Details Page](host.md) +- [User Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md) +- [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md) +- [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md) -![threatlist](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) +![threatlist](/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) -The [Threats Page](../threats.md) contains a threats list with hyperlinks which can be clicked to +The [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md) contains a threats list with hyperlinks which can be clicked to access these pages. Common Details Page Elements The User Details, Group Details, and Host Details pages contain some common page elements. -![page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) Common details page elements include: 
@@ -29,7 +29,7 @@ Common details page elements include: The profile card displays information about the selected user, group, or host. -![This screenshot displays a Profile Card.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/profilecard.webp) +![This screenshot displays a Profile Card.](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/profilecard.webp) The type information displayed depends on the information available for the user, group, or host. @@ -37,7 +37,7 @@ Profile Card Icons The following icons may be displayed in the profile card for user accounts and computers: -![profileicon](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/profileicon.webp) +![profileicon](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/profileicon.webp) 1. Non-Synced object icon : This icon appears when an object was not found in a sync but was created by an event. @@ -50,7 +50,7 @@ The following icons may be displayed in the profile card for user accounts and c Depending on the selected user, group, or host, the following tabs may be displayed: -![This screenshot displays the tabs for the Active Directory Objects page. Tabs include Threats, Activity Summary, and Group Membership.](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/adobjecttabs.webp) +![This screenshot displays the tabs for the Active Directory Objects page. Tabs include Threats, Activity Summary, and Group Membership.](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/adobjecttabs.webp) - Threats Tab – Displays a chart with threats detected for the user, group, or host - Activity Summary Tab – Depending on the selected user, group, or host, the page may display the 
@@ -73,12 +73,12 @@ Add an Existing Tag Follow the steps to add a tag to a user, group, or computer. -![addtagbutton](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/addtagbutton.webp) +![addtagbutton](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/addtagbutton.webp) **Step 1 –** Click the Add Tag button. **Step 2 –** Click the desired tag to add from the list of existing tags. The selected tag is added to the user, group, or computer. See the -[Tag Management Page](../configuration/integrations/tagmanagement.md) topic for additional +[Tag Management Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidapplication.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidapplication.md index cbeb9f6304..a720e15d10 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidapplication.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidapplication.md @@ -3,7 +3,7 @@ The Application Details page provides information about an application registered in Microsoft Entra ID. -![Entra ID Application Page](../../../../../../static/img/product_docs/accessanalyzer/admin/settings/application/application.webp) +![Entra ID Application Page](/img/product_docs/accessanalyzer/admin/settings/application/application.webp) The top of the page displays a profile card which may contain the following information about the application: 
@@ -25,7 +25,7 @@ The page has the following tabs: The Threats tab for an application displays the threats for the application by timeframe. -![Application Threat Tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) +![Application Threat Tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) ## Activity Summary Tab @@ -33,13 +33,13 @@ The Activity Summary tab displays charts for an application's activity over diff The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. -![Entra ID Application Activity Summary Tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummarytab.webp) +![Entra ID Application Activity Summary Tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummarytab.webp) ## Group Membership Tab The Group Membership tab displays groups in which the application is a member. -![Entra ID Group Membership Tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) +![Entra ID Group Membership Tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) The Group Membership tab displays two tables: @@ -49,7 +49,7 @@ The Group Membership tab displays two tables: Each table has the following columns: - Name – The name of the group. Click the link to view group details. See the - [Group Details Page](entraidgroup.md) topic for additional information. + [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md) topic for additional information. - Group Type – The type of group within Microsoft Entra ID - Membership Type - How the group membership was assigned 
@@ -67,9 +67,9 @@ Each table has the following columns: The role assignments tab displays a table that lists the roles that have been assigned to the Entra ID application. -![Entra ID User Role Assignment Eligible page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) +![Entra ID User Role Assignment Eligible page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) -![Entra ID User Role Assignment Eligible page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) +![Entra ID User Role Assignment Eligible page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) The Roles tab displays two tables: diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md index 94cc60a5fb..2140368f34 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md @@ -4,7 +4,7 @@ The Microsoft Entra ID Group Details page provides information about the group i generated by it's members, a list of members, the groups that the group is part of, the group owners, and the roles assigned to the group. -![Entra ID Group Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroup.webp) +![Entra ID Group Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroup.webp) The top of the page displays a profile card which may contain the following information about the group: 
@@ -29,7 +29,7 @@ The page has the following tabs: The Threats tab for a user displays the threats for the user by timeframe. -![Entra ID Group Threats Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroupthreats.webp) +![Entra ID Group Threats Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroupthreats.webp) A key for threat types is displayed below the chart. @@ -37,7 +37,7 @@ A key for threat types is displayed below the chart. The Members tab displays information of Entra ID group members. -![Entra ID Group Members Tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroupmemberstab.webp) +![Entra ID Group Members Tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgroupmemberstab.webp) The table displays the following columns: @@ -55,9 +55,9 @@ The table displays the following columns: The Group Membership tab displays groups in which the group is a member. -![Entra ID Group - Group Membership Tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) +![Entra ID Group - Group Membership Tab](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) -![Group Membership Indirect Member of Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) +![Group Membership Indirect Member of Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) The Group Membership tab displays two tables: 
@@ -82,7 +82,7 @@ Each table has the following columns: The Owners tab shows which objects can manage the group, these are the "owners". -![Group Membership Owners Tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershipownerstab.webp) +![Group Membership Owners Tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershipownerstab.webp) The table displays the following columns: @@ -94,7 +94,7 @@ The table displays the following columns: The Roles tab displays information about roles assigned to the group. -![Entra ID Group Roles Tab Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgrouprolestab.webp) +![Entra ID Group Roles Tab Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidgrouprolestab.webp) The Roles tab displays two tables: @@ -116,7 +116,7 @@ The eligible assignments table has the following columns The active assignments table has the following columns -![Roles Active Assignment Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiprolesactiveassignment.webp) +![Roles Active Assignment Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiprolesactiveassignment.webp) - Role - Roles that are currently active - Scope - Defines the boundary within which the assigned role permissions are valid diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidobjects.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidobjects.md index 270ea7861f..6366a0e8a1 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidobjects.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidobjects.md 
@@ -4,17 +4,17 @@ The Microsoft Entra ID Object details pages provide details on Microsoft Entra I users, groups, applications, devices and roles. These pages can be used to discover more information about the various resources related to threats and events in Threat Manager. Pages include: -- [User Details Page](entraiduser.md) +- [User Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraiduser.md) -- [Group Details Page](entraidgroup.md) +- [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md) -- [Role Details Page](entraidrole.md) +- [Role Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidrole.md) -- [Application Details Page](entraidapplication.md) +- [Application Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidapplication.md) -![threatlist](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) +![threatlist](/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) -The [Threats Page](../threats.md) contains a threats list with hyperlinks which can be clicked to +The [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md) contains a threats list with hyperlinks which can be clicked to access these pages. Common Details Page Elements @@ -26,7 +26,7 @@ elements. The profile card displays information about the selected user, application, group, or role. -![Entra ID User Profile Card](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserprofilecard.webp) +![Entra ID User Profile Card](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserprofilecard.webp) - Name - UPN 
@@ -42,7 +42,7 @@ The profile card displays information about the selected user, application, grou Depending on the selected user, group, application or role, the following tabs may be displayed: -![Tabs](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/tabs.webp) +![Tabs](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/tabs.webp) - Threats Tab – Displays a chart with threats detected for a Microsoft Entra ID object - Activity Summary Tab – Depending on the selected object, the page may display the following @@ -71,12 +71,12 @@ Add an Existing Tag Follow the steps to add a tag to a user, group, or computer -![Existing Tags List](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/addtagbutton.webp) +![Existing Tags List](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/addtagbutton.webp) **Step 1 –** Click the Add Tag button. **Step 2 –** Click the desired tag to add from the list of existing tags. The selected tag is added to the user, group, application or role. See the -[Tag Management Page](../configuration/integrations/tagmanagement.md) topic for additional +[Tag Management Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/tagmanagement.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidrole.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidrole.md index b7b5367424..6f9e0fdede 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidrole.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidrole.md 
@@ -3,7 +3,7 @@ The Role Details page provides information about a role including its description and role membership. -![Roles Page](../../../../../../static/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) +![Roles Page](/img/product_docs/accessanalyzer/requirements/target/config/roles.webp) The top of the page displays a profile card which may contain the following information about the role: @@ -24,7 +24,7 @@ The members tab displays two tables: active. - Active Assignments – Lists roles that are currently active and usable to a user. -![Role Members Tab Active Assignement Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/rolesactiveassignments.webp) +![Role Members Tab Active Assignement Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/rolesactiveassignments.webp) Both tables have the following columns: diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraiduser.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraiduser.md index 15e4478271..1eb1afa8d0 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraiduser.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraiduser.md @@ -3,7 +3,7 @@ The Microsoft Entra ID User Details page provides information about the user including threats generated by the user, user activity, group membership, and role assignments for the user. -![Entra ID User Details Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidpage.webp) +![Entra ID User Details Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidpage.webp) The top of the page displays a user profile card which may contain the following information about the user: 
@@ -30,7 +30,7 @@ The page has the following tabs: The Threats tab for a user displays the threats for the user by timeframe. -![threats](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/threats.webp) +![threats](/img/product_docs/threatprevention/threatprevention/reportingmodule/threats.webp) A key for threat types is displayed below the chart. @@ -38,7 +38,7 @@ A key for threat types is displayed below the chart. The Activity Summary tab displays charts for a user's activity over different time periods. -![Entra ID User ACtivity Summary Tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidactivitysummarytab.webp) +![Entra ID User ACtivity Summary Tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidactivitysummarytab.webp) The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. Other metrics include Average Activity by Day, and Events by Type. @@ -49,7 +49,7 @@ Activity by Host Table The Activity by Host table displays the user's activity by host. -![Entra ID User Activity Summary Tab Activity By Host Table](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidactivitybyhost.webp) +![Entra ID User Activity Summary Tab Activity By Host Table](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidactivitybyhost.webp) The table has the following columns: 
@@ -65,7 +65,7 @@ Activity by Client Table The Activity by Client table displays the user's activity by client. -![Entra ID User Activity Summary Tab Activity By Client Table](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduseractivitybyclient.webp) +![Entra ID User Activity Summary Tab Activity By Client Table](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduseractivitybyclient.webp) The table has the following columns: @@ -81,7 +81,7 @@ the current rows displayed on the page into a CSV file. The Group Membership tab displays groups in which the user is a member. -![Entra ID User Group Membership page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidusergroupmembershiptab.webp) +![Entra ID User Group Membership page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraidusergroupmembershiptab.webp) The Group Membership tab displays the groups the user is a member of. It has the following sub-tabs: @@ -91,7 +91,7 @@ The Group Membership tab displays the groups the user is a member of. It has the Each table has the following columns: - Name – The name of the group. Click the link to view group details. See the - [Group Details Page](entraidgroup.md) topic for additional information. + [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/entraidgroup.md) topic for additional information. - Group Type – The type of group within Microsoft Entra ID - Membership Type - How the group membership was assigned 
@@ -109,9 +109,9 @@ Each table has the following columns: The role assignments tab displays a table that lists the roles that have been assigned to the Microsoft Entra ID user. -![Entra ID User Role Assignment Eligible page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) +![Entra ID User Role Assignment Eligible page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolestabeligible.webp) -![Entra ID User Roles tab Activity Assignments Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolesactiveassignment.webp) +![Entra ID User Roles tab Activity Assignments Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/entraiduserrolesactiveassignment.webp) The Roles tab displays two tables: diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md index 33c5d641f6..021d4c4c12 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md @@ -3,7 +3,7 @@ The Group Details page provides information about the selected Active Directory group, threats generated by the group, and group membership. -![AD Group Details page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![AD Group Details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The top of the page displays a group profile card which may contain the following information about the group: 
@@ -26,7 +26,7 @@ The Group Details page has the following tabs: The Threats tab for a group displays the threats detected for the group by timeframe. -![Threats tab for on the Group Details page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) +![Threats tab for on the Group Details page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) A key for threat types is displayed below the chart. @@ -34,9 +34,9 @@ A key for threat types is displayed below the chart. The Members tab displays information about its members. -![AD Group Details Members Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/memberstab.webp) +![AD Group Details Members Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/memberstab.webp) -![Group Members Tab All Members Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/memberstaballmembers.webp) +![Group Members Tab All Members Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/memberstaballmembers.webp) The Membership tab displays two tables: 
@@ -58,9 +58,9 @@ Each table has the following columns: The Group Membership tab displays a table that lists the users who are members of the group. -![Group Membership tab for on the Group Details page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) +![Group Membership tab for on the Group Details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) -![Group Membership Tab Indirect Memberof Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) +![Group Membership Tab Indirect Memberof Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) The Group Membership tab displays the groups that _the group_ is a member of. Here, 'the group' refers to the group whose details you are viewing. diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md index 41d3b0028d..073a51cc00 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md @@ -2,7 +2,7 @@ The Host Details page displays all threats on the selected host. -![Host Details page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![Host Details page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The top of the page displays a host profile card which may contain the following information about the host: 
@@ -28,7 +28,7 @@ The page has the following tabs: The Threats tab for a host displays the threats for the host by timeframe. -![Threats tab of the Host Details page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) +![Threats tab of the Host Details page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatstab.webp) The Threats tab contains a bar chart that displays each type of threat on the host and a pie chart that shows the total number of threats on the host. The Threats List displayed below the Historical @@ -38,7 +38,7 @@ Events section displays all threats that occurred on the host for the selected t The Activity Summary tab displays charts for host activity over different time periods. -![Activity Summary tab of the Host Details page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummarytab.webp) +![Activity Summary tab of the Host Details page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummarytab.webp) The Activity Overview (Past 12 Months) shows a color-coded heat map of host activity. Other metrics include Average Activity by Hour, and Average Activity by Day, and Events by Type. 
@@ -50,13 +50,13 @@ The Group Membership tab displays the groups the host is a member of. It has the - Direct Member Of – Lists groups the host is a direct member of - Indirect Member Of – Lists groups the host is a member of via membership in a nested group -![groupmembershiptab](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) +![groupmembershiptab](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/groupmembershiptab.webp) -![Group Membership Tab Indirect Member of Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) +![Group Membership Tab Indirect Member of Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershiptabindirect.webp) Each table has the following columns: - Name – The name of the group. Click the link to view group details. See the - [Group Details Page](group.md) topic for additional information. + [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md) topic for additional information. - Domain – Name of the domain. This may be either the domain DNS name or domain controller hostname. - Tags – The tag present on the perpetrator, file, or host associated with the event diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md index a9de0e5286..4134420d09 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md 
@@ -1,9 +1,9 @@ # Threat Details Page The Threat Details page provides details on the selected threat. View the details for a threat by -selecting the threat from the list on the [Threats Page](../threats.md) and clicking View Details. +selecting the threat from the list on the [Threats Page](/docs/threatmanager/3.0/threatmanager/administration/threats.md) and clicking View Details. -![threatdetails](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/threatdetails.webp) +![threatdetails](/img/product_docs/threatmanager/threatmanager/administration/configuration/threatdetails.webp) The top of the page displays a Threat Overview box, Threat Activity diagram, and an Evidence box. @@ -18,13 +18,13 @@ The Threat Overview box that contains the following information: The Threat Activity diagram contains a diagram that displays the flow of the threat activity. -![threatactivity](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatactivity.webp) +![threatactivity](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/threatactivity.webp) The Evidence box below the Threat Activity diagram provides specific information about the threat. The Threats page displays three buttons in the top right corner: -![evidencebox](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/evidencebox.webp) +![evidencebox](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/evidencebox.webp) - Unassigned – If the threat has not been assigned to an owner, the button will display as Unassigned. If a user has been assigned to an owner, the button will display the username. Click 
@@ -40,7 +40,7 @@ The Threats page displays three buttons in the top right corner: The Workflow window displays the owner of a threat, or provides settings to assign an owner to a threat. -![Workflow window](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/workflow.webp) +![Workflow window](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/workflow.webp) The Workflow window contains the following configuration settings: @@ -68,8 +68,8 @@ The Workflow window contains the following configuration settings: from the selected user - Submit – Click to update the workflow -In the Threat Activity Diagram, click the user to view the [User Details Page](user.md) page. Click -the host to view the [Host Details Page](host.md) page. +In the Threat Activity Diagram, click the user to view the [User Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md) page. Click +the host to view the [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md) page. hhhhh @@ -77,7 +77,7 @@ hhhhh The Threat Response window contains the following configuration options: -![Threat Response window](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) +![Threat Response window](/img/product_docs/threatmanager/threatmanager/administration/configuration/threatresponse.webp) - Select Playbook – Select a playbook for the threat response - Description – Description of the playbook that has been selected 
@@ -95,7 +95,7 @@ The Threat Details Overview contains the following tabs: The Event Details tab shows details for the selected threat. -![eventdetails](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventdetails.webp) +![eventdetails](/img/product_docs/threatprevention/threatprevention/reportingmodule/investigations/eventdetails.webp) - Time Stamp – The exact date and time when the event occurred - Target – The specific object, resource, or entity that was the focus of the event @@ -118,7 +118,7 @@ file. The Related Threats tab lists other threats generated by the same user that may be related to the threat listed in the Event Details tab. -![relatedthreats](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/relatedthreats.webp) +![relatedthreats](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/relatedthreats.webp) The Related Threats table has the following columns: @@ -134,7 +134,7 @@ Use the Search icon to search for data in the table. The Related Activity tab lists activity by the selected user that may be related to the threat. -![relatedactivity](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/relatedactivity.webp) +![relatedactivity](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/relatedactivity.webp) - Time Stamp – The exact date and time when the event occurred - Target – The specific object, resource, or entity that was the focus of the event @@ -157,7 +157,7 @@ file. The History tab lists updates made to the threat in the Update box and provides a section to add comments. -![history](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) +![history](/img/product_docs/threatprevention/threatprevention/admin/policies/history.webp) The History table has the following columns: 
diff --git a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md index c98980ef29..d085f2368d 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md @@ -3,7 +3,7 @@ The Active Directory User Details page provides information about the user including threats generated by the user, user activity, and group membership for the user. -![page](../../../../../../static/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) +![page](/img/product_docs/threatprevention/threatprevention/reportingmodule/configuration/systemsettings/page.webp) The top of the page displays a user profile card which may contain the following information about the user: @@ -27,7 +27,7 @@ The page has the following tabs: The Threats tab for a user displays the threats for the user by timeframe. -![Active Directory User Threats tab](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/aduserthreats.webp) +![Active Directory User Threats tab](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/aduserthreats.webp) A key for threat types is displayed below the chart. @@ -35,7 +35,7 @@ A key for threat types is displayed below the chart. The Activity Summary tab displays charts for a user's activity over different time periods. -![activitysummary](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummary.webp) +![activitysummary](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitysummary.webp) The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. Other metrics include, Average Activity by Day, and Events by Type. 
@@ -47,7 +47,7 @@ Activity by Host Table The Activity by Host table displays the user's activity by host. -![activitybyhost](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitybyhost.webp) +![activitybyhost](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitybyhost.webp) - Server – Server where the activity occurred - First Access – First date and time that the server was accessed @@ -61,7 +61,7 @@ Activity by Client Table The Activity by Client table displays the user's activity by host. -![activitybyclient](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitybyclient.webp) +![activitybyclient](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/activitybyclient.webp) - Client IP – IP address for the client - Client Name– Client where the activity occurred @@ -76,9 +76,9 @@ export the current rows displayed on the page into a CSV file. The Group Membership tab displays groups in which the user is a member. -![groupmembership](../../../../../../static/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) +![groupmembership](/img/product_docs/accessanalyzer/admin/action/activedirectory/operations/groupmembership.webp) -![Group Membership Indirect Member of Page](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershipindirect.webp) +![Group Membership Indirect Member of Page](/img/product_docs/threatmanager/threatmanager/administration/threatdetails/groupmembershipindirect.webp) The Group Membership tab displays the groups the user is a member of. It has the following sub-tabs: 
@@ -88,6 +88,6 @@ The Group Membership tab displays the groups the user is a member of. It has the Each table has the following columns: - Name – The name of the group. Click the link to view group details. See the - [Group Details Page](group.md) topic for additional information. + [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md) topic for additional information. - Domain – Name of the domain. This may be either the domain DNS name or domain controller hostname. - Tags – The tag present on the perpetrator, file, or host associated with the event diff --git a/docs/threatmanager/3.0/threatmanager/administration/threats.md b/docs/threatmanager/3.0/threatmanager/administration/threats.md index 749c315a12..7082a8f1e4 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/threats.md +++ b/docs/threatmanager/3.0/threatmanager/administration/threats.md @@ -10,7 +10,7 @@ The Threats section contains a bar chart and a pie chart. The Threats bar chart of each type of threat by date range increments of one week, over a 13-week time span. The Threats pie chart displays the total number of threats by type of threat. -![threatspage](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatspage.webp) +![threatspage](/img/product_docs/threatmanager/threatmanager/administration/threatspage.webp) Hover over the bar chart or pie chart to view the number of threats by threat type. 
@@ -20,7 +20,7 @@ The Historical Events section provides a drop-down menu to select threats for a Threats can also be filtered by specifying a timeframe. A predefined time span can also be selected from the menu options in the right pane. -![historicalevents](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/historicalevents.webp) +![historicalevents](/img/product_docs/threatmanager/threatmanager/administration/historicalevents.webp) These threats are displayed in a list format below the Historical Events section. @@ -28,14 +28,14 @@ These threats are displayed in a list format below the Historical Events section The Threats list is displayed below the Historical Events section. -![threatlist](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) +![threatlist](/img/product_docs/threatmanager/threatmanager/administration/threatlist.webp) The list displays threats that have a threat level of Low, Medium, High, or Audit for the selected timeframe. Each threat in the list contains a link which opens the -[User Details Page](threatdetails/user.md) or the [Group Details Page](threatdetails/group.md) and a -host link which opens the [Host Details Page](threatdetails/host.md). In addition, threats have an +[User Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/user.md) or the [Group Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/group.md) and a +host link which opens the [Host Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/host.md). In addition, threats have an Edit button which opens the Edit Threats window. The View Details button opens the -[Threat Details Page](threatdetails/overview.md). +[Threat Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md). ## Filter Threats 
@@ -50,15 +50,15 @@ The Type section displays the threat types which can be selected for filtering. to filter by is dynamic, depending upon the type of threats detected. See the following topics for additional information: -- [Active Directory Threats](../threats/activedirectory.md) -- [Entra ID Threats](../threats/entraid.md) -- [File System Threats](../threats/filesystem.md) -- [General Threats](../threats/general.md) +- [Active Directory Threats](/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.0/threatmanager/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.0/threatmanager/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.0/threatmanager/threats/general.md) ### Level The Level section displays the threat types which can be selected for filtering. Levels are assigned -or configured on the [Threat Detection Page](configuration/threatdetection.md). +or configured on the [Threat Detection Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatdetection.md). ### Tags 
@@ -71,14 +71,14 @@ Sensitive Data tags are displayed in threats containing sensitive data when Acce Sensitive Data Discovery Add-on are installed in addition to Threat Manager. When installed with the Sensitive Data Discovery Add-on, Access Analyzer scans for sensitive data using File System Sensitive Data Discovery Auditing. See the -[Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](../install/integration/enterpriseauditor.md) +[Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.0/threatmanager/install/integration/enterpriseauditor.md) topic for additional information. See the File System Solution topic in the [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information on Access Analyzer Sensitive Data Discovery capabilities. When a threat event contains sensitive data, a Sensitive Data tag is displayed next to the threat: -![threatsensitivedatafilter](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/threatsensitivedatafilter.webp) +![threatsensitivedatafilter](/img/product_docs/threatmanager/threatmanager/administration/threatsensitivedatafilter.webp) To view the type of sensitive data contain in a threat, click View Details on the threat containing a Sensitive Data tag. The type of sensitive data is displayed in the Sensitive Data column. @@ -130,7 +130,7 @@ Follow the steps to edit a threat. **Step 1 –** Select a threat from the list and click Edit. The Workflow window opens. -![editthreats](../../../../../static/img/product_docs/threatmanager/threatmanager/administration/editthreats.webp) +![editthreats](/img/product_docs/threatmanager/threatmanager/administration/editthreats.webp) **Step 2 –** Enter the following information: 
@@ -155,4 +155,4 @@ Follow the steps to edit a threat. **Step 3 –** Click Submit to save the changes. -Threats can also be edited from the [Threat Details Page](threatdetails/overview.md). +Threats can also be edited from the [Threat Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md). diff --git a/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/overview.md b/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/overview.md index 8d4fe17594..db18cbc47c 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/overview.md +++ b/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/overview.md @@ -3,5 +3,5 @@ In case you are experiencing issues with the Netwrix Threat Manager, see the following topics for additional information: -- [Log Files](log.md) -- [Updating Passwords](updatepasswords.md) +- [Log Files](/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/log.md) +- [Updating Passwords](/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/updatepasswords.md) diff --git a/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/updatepasswords.md b/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/updatepasswords.md index 957027c831..e3b6111f60 100644 --- a/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/updatepasswords.md +++ b/docs/threatmanager/3.0/threatmanager/administration/troubleshooting/updatepasswords.md 
@@ -15,11 +15,11 @@ Follow the steps below to update passwords for a Credential Profile. **Step 2 –** Select the account under the **Credential Profile** drop-down list. -![credentialprofileedit](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/troubleshooting/credentialprofileedit.webp) +![credentialprofileedit](/img/product_docs/threatmanager/threatmanager/administration/troubleshooting/credentialprofileedit.webp) **Step 3 –** Click the **Edit** icon. -![credentialprofilepasswordupdate](../../../../../../static/img/product_docs/threatmanager/threatmanager/administration/troubleshooting/credentialprofilepasswordupdate.webp) +![credentialprofilepasswordupdate](/img/product_docs/threatmanager/threatmanager/administration/troubleshooting/credentialprofilepasswordupdate.webp) **Step 4 –** Enter a new Password for the account. diff --git a/docs/threatmanager/3.0/threatmanager/install/actionservice.md b/docs/threatmanager/3.0/threatmanager/install/actionservice.md index 50620231a8..cc8a770bca 100644 --- a/docs/threatmanager/3.0/threatmanager/install/actionservice.md +++ b/docs/threatmanager/3.0/threatmanager/install/actionservice.md 
@@ -8,17 +8,17 @@ downloaded from within the Threat Manager Console. Follow the steps to install the Action Service. -![install](../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) +![install](/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) **Step 1 –** Run the StealthDEFEND.ActionService MSI installation package and the Threat Manager Action Service Setup wizard will open. -![settupprogress](../../../../../static/img/product_docs/threatmanager/threatmanager/install/settupprogress.webp) +![settupprogress](/img/product_docs/threatmanager/threatmanager/install/settupprogress.webp) **Step 2 –** Click Install to begin the installation. The setup wizard displays installation progress. -![completed](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![completed](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 3 –** When the installation is complete, click Close to exit the installer. 
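Review bot: In the actionservice.md hunk @@ -8,17, two of the three rewritten image paths resolve into another product's tree (`/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp` and `/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp`), so this Threat Manager page breaks if the Threat Prevention images are moved or versioned separately. The old relative paths carried the same dependency, but since every path is being rewritten in this change, either copy those two files under `/img/product_docs/threatmanager/threatmanager/install/` or list the cross-product references in the PR description so they get checked. The new form also drops the `static/` prefix, so these images will no longer resolve when the markdown is previewed straight from the repository; worth stating in the commit message that this is intended.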
@@ -76,19 +76,19 @@ the proper permissions required to complete successfully. **NOTE:** If an Action Step has been configured to use a specific Credential Profile, the Action Step will utilize those credentials in the Action Step Script. See the -[Credential Profile Page](../administration/configuration/integrations/credentialprofile.md) topic +[Credential Profile Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/credentialprofile.md) topic for additional information. Follow the steps to configure the Action Service to run as a service account. **Step 1 –** Open Services (`services.msc`). -![services](../../../../../static/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) +![services](/img/product_docs/activitymonitor/config/dellpowerstore/services.webp) **Step 2 –** Double-click on the Netwrix Threat Manager Action Service. The Threat Manager Action Service Properties window opens. -![serviceaccountproperties](../../../../../static/img/product_docs/threatmanager/threatmanager/install/serviceaccountproperties.webp) +![serviceaccountproperties](/img/product_docs/threatmanager/threatmanager/install/serviceaccountproperties.webp) **Step 3 –** Click the Log On tab. @@ -99,7 +99,7 @@ account. **Step 5 –** Click Apply and then OK. This sets the Action Service to “run as” the specified account. -![servicesrestart](../../../../../static/img/product_docs/threatmanager/threatmanager/install/servicesrestart.webp) +![servicesrestart](/img/product_docs/threatmanager/threatmanager/install/servicesrestart.webp) **Step 6 –** Restart the Threat Manager Action Service by right-clicking on the Netwrix Threat Manager Action Service in the Services window and clicking Restart. diff --git a/docs/threatmanager/3.0/threatmanager/install/application.md b/docs/threatmanager/3.0/threatmanager/install/application.md index 6c3eb0249b..26a507ff2e 100644 --- a/docs/threatmanager/3.0/threatmanager/install/application.md 
+++ b/docs/threatmanager/3.0/threatmanager/install/application.md @@ -13,20 +13,20 @@ installed. (`Netwrix_Setup.exe`). If you are not using it, right-click on `NetwrixThreatManager.exe` and select Run as administrator. Then skip to Step 2. -![Netwrix Setup Launcher showing PostgreSQL Setup completed](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/postgresqlcheck.webp) +![Netwrix Setup Launcher showing PostgreSQL Setup completed](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/postgresqlcheck.webp) **Step 1 –** Click **Netwrix Threat Manager Setup**. The Netwrix Threat Manager Setup wizard opens. -![Netwrix Threat Manager Setup wizard ](../../../../../static/img/product_docs/threatmanager/threatmanager/install/installtm3.0.webp) +![Netwrix Threat Manager Setup wizard ](/img/product_docs/threatmanager/threatmanager/install/installtm3.0.webp) **Step 2 –** Click **Install**. -![Netwrix Threat Manager Setup wizard EULA page](../../../../../static/img/product_docs/threatmanager/threatmanager/install/tm3eula.webp) +![Netwrix Threat Manager Setup wizard EULA page](/img/product_docs/threatmanager/threatmanager/install/tm3eula.webp) **Step 3 –** Read the End User License Agreement and select the I accept the license agreement checkbox. Click **Next**. -![Netwrix Threat Manager Setup wizard Install Folder page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) +![Netwrix Threat Manager Setup wizard Install Folder page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) **Step 4 –** By default, the installation directory is set to: 
@@ -34,7 +34,7 @@ checkbox. Click **Next**. Optionally, enter a new path or use the **Browse** button to modify as desired. Click Next. -![Netwrix Threat Manager Setup wizard Connect to the Database page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/database.webp) +![Netwrix Threat Manager Setup wizard Connect to the Database page](/img/product_docs/threatprevention/threatprevention/install/database.webp) **Step 5 –** On the Database page, ensure the host and port are set correctly. If installing on the same server where the PostgreSQL database application was installed, this information will be @@ -44,7 +44,7 @@ desired. Click **Test** to validate the connection information. For example, if you change the default database name from stealthdefend to threatmanager and click **Test**. -![Warning message that the database does not exist, Create?](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/databasecreatemessage.webp) +![Warning message that the database does not exist, Create?](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/databasecreatemessage.webp) **Step 6 –** If a successful connection is made, a message window displays confirming the database does not exist and you want to create it. Click **OK** and the window closes. 
@@ -55,19 +55,19 @@ Next button is enabled. Click **Next**. **NOTE:** If PostgreSQL is installed on a different host, then the connection details should be updated accordingly. -![Netwrix Threat Manager Setup wizard Firewall Rules page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/firewallrules.webp) +![Netwrix Threat Manager Setup wizard Firewall Rules page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/firewallrules.webp) **Step 8 –** By default, the **Create Inbound Windows Firewall Rules** checkbox is selected, indicating that the installer will create these. Deselect the checkbox if you do not want the installer to automatically create these rules because you have already created them. Click **Next**. -![Netwrix Threat Manager Setup wizard Completed Successfully page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Netwrix Threat Manager Setup wizard Completed Successfully page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 9 –** The installation process will begin and the Setup wizard will display the progress. Click Exit when the installation completes successfully. The Netwrix Threat Manager Setup wizard closes. -![Netwrix Setup Launcher with Threat Manager Setup check](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/applicationcheck.webp) +![Netwrix Setup Launcher with Threat Manager Setup check](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/applicationcheck.webp) **Step 10 –** Now that both components have been installed, close the Netwrix Setup Launcher. 
@@ -75,7 +75,7 @@ The Threat Manager application is now installed and the database has been create post-installation tasks that you may need to complete, depending on your environment. See the following topics for additional information: -- [Optionally Install the Action Service on Additional Servers](actionservice.md) -- [Secure the Threat Manager Console](secure.md) +- [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.0/threatmanager/install/actionservice.md) +- [Secure the Threat Manager Console](/docs/threatmanager/3.0/threatmanager/install/secure.md) - During the first launch, you will set up the built-in Administrator account. See the - [First Launch](firstlaunch.md) topic for additional information. + [First Launch](/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/install/database.md b/docs/threatmanager/3.0/threatmanager/install/database.md index 297124760d..8109345690 100644 --- a/docs/threatmanager/3.0/threatmanager/install/database.md +++ b/docs/threatmanager/3.0/threatmanager/install/database.md 
@@ -12,20 +12,20 @@ Follow the steps to install the PostgreSQL database application. `(Netwrix_Setup.exe`). If you are not using the launcher, right-click on `NetwrixPostgreSQL14.exe` and select Run as administrator. Then skip to Step 2. -![Netwrix Setup Launcher](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/setuplauncher.webp) +![Netwrix Setup Launcher](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/setuplauncher.webp) **Step 1 –** Click PostgreSQL Setup. The Netwrix PostgreSQL Setup wizard opens. -![Netwrix PostgreSQL Setup wizard](../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) +![Netwrix PostgreSQL Setup wizard](/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) **Step 2 –** Click Install. -![Netwrix PostgreSQL Setup wizard on the EULA page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![Netwrix PostgreSQL Setup wizard on the EULA page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 3 –** Read the End User License Agreement and select the I accept the license agreement checkbox. Click Next. -![Netwrix PostgreSQL Setup wizard on the Folder Location page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) +![Netwrix PostgreSQL Setup wizard on the Folder Location page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/folder.webp) **Step 4 –** By default, the installation directories are set to: 
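Review bot: The first context line of the database.md hunk @@ -12,20 has a malformed code span around Netwrix_Setup.exe: the opening parenthesis sits inside the backticks and the closing one outside. The matching sentence in application.md keeps both parentheses outside the backticks. Since this hunk already rewrites the line directly below it, fix the span in the same pass.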
@@ -34,15 +34,15 @@ checkbox. Click Next. Optionally, enter a new path or use the **Browse** buttons to modify as desired. Click Next. -![Netwrix PostgreSQL Setup wizard on the Successfully Installed page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Netwrix PostgreSQL Setup wizard on the Successfully Installed page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 5 –** The installation begins and the installer displays a Setup Progress window. Click Exit when the installation is successful. The Netwrix PostgreSQL Setup wizard closes. -![Netwrix Setup Launcher showing PostgreSQL Setup completed](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/postgresqlcheck.webp) +![Netwrix Setup Launcher showing PostgreSQL Setup completed](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/postgresqlcheck.webp) The PostgreSQL database application is now installed. Now you can install the Threat Manager -application. See the [Install the Threat Manager Application](application.md) topic for additional +application. See the [Install the Threat Manager Application](/docs/threatmanager/3.0/threatmanager/install/application.md) topic for additional information. ## Optionally Configure the Postgres.conf File diff --git a/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md b/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md index 73778a5f9a..2b5f6c6eaf 100644 --- a/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md +++ b/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md 
@@ -2,12 +2,12 @@ The installer places the following icon on the desktop, which opens the Threat Manager console: -![Desktop icon](../../../../../static/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) +![Desktop icon](/img/product_docs/threatprevention/threatprevention/install/desktopicon.webp) **Step 1 –** Double-click the **Netwrix Threat Manager Dashboard** icon to open the console for the first time. -![First launch showing fields for setting up the builtin Administrator account](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/builtinadminpassword.webp) +![First launch showing fields for setting up the builtin Administrator account](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/builtinadminpassword.webp) There is a built-in ADMIN account used for the initial configuration steps and granting user access. The User Name is "admin". You will set the password and optionally enable MFA for this account @@ -32,7 +32,7 @@ password will be required to sign in. The built-in ADMIN account password is now set. If the Enable MFA option is set to OFF, no additional configuration is required and the Threat -Manager Console opens. See the [Getting Started with Threat Manager](../gettingstarted.md) topic for +Manager Console opens. See the [Getting Started with Threat Manager](/docs/threatmanager/3.0/threatmanager/gettingstarted.md) topic for next steps. If the Enable MFA option is set to ON, registration of an MFA authenticator is required. Proceed to 
@@ -43,7 +43,7 @@ the Configure MFA for the Bultin Administrator Account topic. If MFA was enabled for the buildtin Administrator account during first launch, follow the steps to configure MFA for the account. -![registerauthenticator](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/registerauthenticator.webp) +![registerauthenticator](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/registerauthenticator.webp) **Step 1 –** Register the MFA authenticator. The Register Authenticator prompt will provide instructions to configure multi-factor authentication with an external or third-party application. @@ -58,4 +58,4 @@ of codes to access for account recovery, if needed. **Step 4 –** Click **Continue**. Once MFA is configured for this account, the Threat Manager Console opens. See the -[Getting Started with Threat Manager](../gettingstarted.md) topic for next steps. +[Getting Started with Threat Manager](/docs/threatmanager/3.0/threatmanager/gettingstarted.md) topic for next steps. diff --git a/docs/threatmanager/3.0/threatmanager/install/integration/overview.md b/docs/threatmanager/3.0/threatmanager/install/integration/overview.md index 54a1ea54ff..f44cb3f2da 100644 --- a/docs/threatmanager/3.0/threatmanager/install/integration/overview.md +++ b/docs/threatmanager/3.0/threatmanager/install/integration/overview.md 
@@ -2,19 +2,19 @@ The following Netwrix products can be configured to send data to Threat Manager: -- [Netwrix Activity Monitor Integration](activitymonitor.md) – Activity Monitor can be configured to +- [Netwrix Activity Monitor Integration](/docs/threatmanager/3.0/threatmanager/install/integration/activitymonitor.md) – Activity Monitor can be configured to send file system data and/or Active Directory data to Threat Manager. - The Active Directory data stream requires a unique App Token to be generated within Threat Manager. -- [Netwrix Threat Prevention Integration](threatprevention.md) – Threat Prevention can be configured +- [Netwrix Threat Prevention Integration](/docs/threatmanager/3.0/threatmanager/install/integration/threatprevention.md) – Threat Prevention can be configured to send file system data and/or Active Directory data to Threat Manager. - Requires a unique App Token to be generated within Threat Manager. -- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](enterpriseauditor.md) – Access +- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.0/threatmanager/install/integration/enterpriseauditor.md) – Access Analyzer, formerly Netwrix StealthAUDIT, can be configured to send File System Sensitive Data to Threat Manager - Requires a unique App Token to be generated within Threat Manager. Configure the desired product to feed data into the Threat Manager Console. Depending upon the data source, a Threat Manager app token may need to be generated. See the -[App Tokens Page](../../administration/configuration/integrations/apptoken.md) topic for additional +[App Tokens Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md) topic for additional information. diff --git a/docs/threatmanager/3.0/threatmanager/install/overview.md b/docs/threatmanager/3.0/threatmanager/install/overview.md index b124247b7b..4af64b0b19 100644 
--- a/docs/threatmanager/3.0/threatmanager/install/overview.md +++ b/docs/threatmanager/3.0/threatmanager/install/overview.md @@ -1,7 +1,7 @@ # Installation Prior to installing Threat Manager, please ensure that all of the prerequisites have been met in -accordance with the [Requirements](../requirements/overview.md) topic. Additionally, the monitoring +accordance with the [Requirements](/docs/threatmanager/3.0/threatmanager/requirements/overview.md) topic. Additionally, the monitoring agents need to be deployed through either Netwrix Threat Prevention or Netwrix Activity Monitor and configured to send data to Threat Manager. 
@@ -77,35 +77,35 @@ you should at least exclude postgres.exe and the data directories so the scanner Follow the steps to install the Threat Manager application on a single server. -![setuplauncher](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/setuplauncher.webp) +![setuplauncher](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/setuplauncher.webp) **Step 1 –** Right-click on `Netwrix_Setup.exe` and select Run as administrator. The Netwrix Setup launcher opens. You can now install the following components on the same server: - Click PostgreSQL Setup to install the database. See the - [Install the PostgreSQL Database Application](database.md) topic for additional information. + [Install the PostgreSQL Database Application](/docs/threatmanager/3.0/threatmanager/install/database.md) topic for additional information. - Run the Threat Manager Setup to install the application. See the - [Install the Threat Manager Application](application.md) topic for additional information. + [Install the Threat Manager Application](/docs/threatmanager/3.0/threatmanager/install/application.md) topic for additional information. **Step 2 –** Complete all post-installation tasks that apply to your configured environment: - Optional: Install the Action Service on additional servers. See the - [Optionally Install the Action Service on Additional Servers](actionservice.md) topic for + [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.0/threatmanager/install/actionservice.md) topic for additional information. - Configure a remote Action Service to register with Threat Manager. - Configure a service account to run actions. -**Step 3 –** Log into the console for the first time. See the [First Launch](firstlaunch.md) topic +**Step 3 –** Log into the console for the first time. 
See the [First Launch](/docs/threatmanager/3.0/threatmanager/install/firstlaunch.md) topic for additional information. **Step 4 –** Configure integration with one or more Netwrix products to feed the desired type of data into Threat Manager: -- [Netwrix Activity Monitor Integration](integration/activitymonitor.md) – Configure Netwrix +- [Netwrix Activity Monitor Integration](/docs/threatmanager/3.0/threatmanager/install/integration/activitymonitor.md) – Configure Netwrix Activity Monitor to send file system data and/or Active Directory data and/or Microsoft Entra ID data to Threat Manager -- [Netwrix Threat Prevention Integration](integration/threatprevention.md) – Configure Netwrix +- [Netwrix Threat Prevention Integration](/docs/threatmanager/3.0/threatmanager/install/integration/threatprevention.md) – Configure Netwrix Threat Prevention to send Active Directory data to Threat Manager -- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](integration/enterpriseauditor.md) +- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.0/threatmanager/install/integration/enterpriseauditor.md) – Configure Netwrix Access Analyzer (formerly Enterprise Auditor) to send Sensitive Data to Threat Manager diff --git a/docs/threatmanager/3.0/threatmanager/install/upgrade.md b/docs/threatmanager/3.0/threatmanager/install/upgrade.md index d8a6bf51e1..8686c0ab8a 100644 --- a/docs/threatmanager/3.0/threatmanager/install/upgrade.md +++ b/docs/threatmanager/3.0/threatmanager/install/upgrade.md @@ -2,7 +2,7 @@ This topic describes the steps needed for upgrading Threat Manager to the latest version. -See the [What's New](../whatsnew.md) topic for details on new and improved features included with +See the [What's New](/docs/threatmanager/3.0/threatmanager/whatsnew.md) topic for details on new and improved features included with each release. ## Considerations 
@@ -50,5 +50,5 @@ server where Netwrix Threat Manageris installed. You can: -- [Upgrade Threat Manager from 2.8 to 3.0](upgrade3.0.md) -- [Upgrade Threat Manager from 2.6/2.7 To 2.8](upgrade2.8.md) +- [Upgrade Threat Manager from 2.8 to 3.0](/docs/threatmanager/3.0/threatmanager/install/upgrade3.0.md) +- [Upgrade Threat Manager from 2.6/2.7 To 2.8](/docs/threatmanager/3.0/threatmanager/install/upgrade2.8.md) diff --git a/docs/threatmanager/3.0/threatmanager/install/upgrade2.8.md b/docs/threatmanager/3.0/threatmanager/install/upgrade2.8.md index 43f2a75e22..7707dbf7e4 100644 --- a/docs/threatmanager/3.0/threatmanager/install/upgrade2.8.md +++ b/docs/threatmanager/3.0/threatmanager/install/upgrade2.8.md @@ -4,7 +4,7 @@ Follow the steps to upgrade Threat Manager 2.6/2.7 to 2.8 or to apply a hotfix t **Step 1 –** Install the new version of PostreSQL. -![postgresql](../../../../../static/img/product_docs/threatmanager/threatmanager/install/postgresql.webp) +![postgresql](/img/product_docs/threatmanager/threatmanager/install/postgresql.webp) **NOTE:** The migration of PostgreSQL 10 to 14 will require a migration of theThreat Manager database. You may proceed through the migration process in the following menu. @@ -17,7 +17,7 @@ database. You may proceed through the migration process in the following menu. - PG Tools Directory – Path to the directory where PostgreSQL binaries are located - ![postgresqlcompression](../../../../../static/img/product_docs/threatmanager/threatmanager/install/postgresqlcompression.webp) + ![postgresqlcompression](/img/product_docs/threatmanager/threatmanager/install/postgresqlcompression.webp) - Compression Level – Select the compression level to be applied to the data. It contains the following options: 
@@ -32,7 +32,7 @@ database. You may proceed through the migration process in the following menu. **NOTE:** The compression algorithm option is used on the exported data. It does not affect either the old or the new database. - ![postgresqlthreads](../../../../../static/img/product_docs/threatmanager/threatmanager/install/postgresqlthreads.webp) + ![postgresqlthreads](/img/product_docs/threatmanager/threatmanager/install/postgresqlthreads.webp) - Number of Threads – Select the number of threads to be applied. Adding more threads can considerably reduce the time to import data to the target server. It contains the following @@ -66,18 +66,18 @@ database. You may proceed through the migration process in the following menu. **NOTE:** The migration of PostgreSQL 10 to 14 may require significant disk space to perform safely. The disk space required for the backup does not need to be on the same disk as the database itself. -![updatentm](../../../../../static/img/product_docs/threatmanager/threatmanager/install/updatentm.webp) +![updatentm](/img/product_docs/threatmanager/threatmanager/install/updatentm.webp) **Step 4 –** Install the new version of Threat Manager. **Step 5 –** Click **Test** on the **Connect to a Threat Manager Database** page. The installer should see the existing PostgreSQL database and prompt to migrate. -![postgresqlwarning](../../../../../static/img/product_docs/threatmanager/threatmanager/install/postgresqlwarning.webp) +![postgresqlwarning](/img/product_docs/threatmanager/threatmanager/install/postgresqlwarning.webp) **Step 6 –** Click **OK**, click **Next**, then click **Test**. You will see the following message. -![readyformigration](../../../../../static/img/product_docs/threatmanager/threatmanager/install/readyformigration.webp) +![readyformigration](/img/product_docs/threatmanager/threatmanager/install/readyformigration.webp) **Step 7 –** Click **Next**. 
@@ -98,8 +98,8 @@ the Threat Manager. To do this, uninstall the following dependencies: Complete any post-installation tasks required for your configured environment. See the following topics for additional information: -- [Optionally Install the Action Service on Additional Servers](actionservice.md) -- [Secure the Threat Manager Console](secure.md) +- [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.0/threatmanager/install/actionservice.md) +- [Secure the Threat Manager Console](/docs/threatmanager/3.0/threatmanager/install/secure.md) Clear the cache of the browser that will be used to view the Threat Manager Console prior to launching Threat Manager. @@ -123,14 +123,14 @@ presence of a red warning triangle. **NOTE:** Non-local action services will need their app tokens updated. Local action services will be automatically updated. -![apptokensdep](../../../../../static/img/product_docs/threatmanager/threatmanager/install/apptokensdep.webp) +![apptokensdep](/img/product_docs/threatmanager/threatmanager/install/apptokensdep.webp) **Step 3 –** Take note of the app token name and description and create a new one to be used with the application. See the -[App Tokens Page](../administration/configuration/integrations/apptoken.md) topic for additional +[App Tokens Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/apptoken.md) topic for additional information. **Step 4 –** Update the application to use the new app token. See the -[Integration with Other Netwrix Products](integration/overview.md) topic for additional information. +[Integration with Other Netwrix Products](/docs/threatmanager/3.0/threatmanager/install/integration/overview.md) topic for additional information. **Step 5 –** Delete the old, deprecated app token. diff --git a/docs/threatmanager/3.0/threatmanager/install/upgrade3.0.md b/docs/threatmanager/3.0/threatmanager/install/upgrade3.0.md index c9d1225733..c1a723d8c4 100644 
--- a/docs/threatmanager/3.0/threatmanager/install/upgrade3.0.md +++ b/docs/threatmanager/3.0/threatmanager/install/upgrade3.0.md @@ -13,20 +13,20 @@ Follow the steps to upgrade from PostgreSQL 14.8.x to 14.13.x. **Step 1 –** Run `Netwrix_Setup.exe` as an administrator. The Netwrix Setup Launcher window is displayed. -![Netwrix Threat Manager Setup window](../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/tm3installation.webp) +![Netwrix Threat Manager Setup window](/img/product_docs/threatprevention/threatprevention/install/upgrade/tm3installation.webp) **Step 2 –** Click **PostgreSQL Setup** to upgrade the PostgreSQL version. The following message is displayed, indicating the currently installed version: -![Threat Manager Reporting - Upgrade DB Confirmation dialog box](../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/upgradedbprompt.webp) +![Threat Manager Reporting - Upgrade DB Confirmation dialog box](/img/product_docs/threatprevention/threatprevention/install/upgrade/upgradedbprompt.webp) **Step 3 –** Click **OK** to upgrade. The Netwrix PostgreSQL Setup wizard opens. -![Netwrix PostgreSQL Setup wizard](../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) +![Netwrix PostgreSQL Setup wizard](/img/product_docs/threatprevention/threatprevention/install/upgrade/install.webp) **Step 4 –** Click **Install**. -![Netwrix PostgreSQL Setup wizard on the EULA page](../../../../../static/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) +![Netwrix PostgreSQL Setup wizard on the EULA page](/img/product_docs/activitymonitor/activitymonitor/install/eula.webp) **Step 5 –** Read the End User License Agreement and select the I accept the license agreement checkbox. Click Next. 
@@ -51,20 +51,20 @@ PostgreSQL may fail to start or behave unexpectedly when monitored by any tool. **Step 1 –** Click the Netwrix Threat Manager **Setup** button on the Netwrix Threat Manager setup window. The following message displays: -![Existing Threat Manager version message](../../../../../static/img/product_docs/threatmanager/threatmanager/install/existingtmvver.webp) +![Existing Threat Manager version message](/img/product_docs/threatmanager/threatmanager/install/existingtmvver.webp) **Step 2 –** Click **OK**. The following window is displayed: -![Install Threat Manager 3.0 Page](../../../../../static/img/product_docs/threatmanager/threatmanager/install/installtm3.0.webp) +![Install Threat Manager 3.0 Page](/img/product_docs/threatmanager/threatmanager/install/installtm3.0.webp) **Step 3 –** Click **Install**. -![Install Netwrix Threat Manager 3.0 page](../../../../../static/img/product_docs/threatmanager/threatmanager/install/tm3eula.webp) +![Install Netwrix Threat Manager 3.0 page](/img/product_docs/threatmanager/threatmanager/install/tm3eula.webp) **Step 4 –** On the End User License Agreement page, review and accept the licensing agreement and then click **Next**. -![Threat Manager 3.0 Defalt Setup Folder](../../../../../static/img/product_docs/threatmanager/threatmanager/install/tm3defaultfolder.webp) +![Threat Manager 3.0 Defalt Setup Folder](/img/product_docs/threatmanager/threatmanager/install/tm3defaultfolder.webp) **Step 5 –** By default, the installation directory is set to: @@ -72,7 +72,7 @@ C:\Program Files\STEALTHbits\StealthDEFEND\ Enter a new path or use the Browse button to modify as desired. Click **Next**. -![Connect to a Threat Manager Database page](../../../../../static/img/product_docs/threatmanager/threatmanager/install/tmdatababse.webp) +![Connect to a Threat Manager Database page](/img/product_docs/threatmanager/threatmanager/install/tmdatababse.webp) **Step 6 –** On the database page, ensure the host and port are set correctly. 
@@ -84,17 +84,17 @@ it can be modified as desired. **Step 8 –** After successful validation, click **Next**. -![Firewall Rules Page of Threat Manager Installation wizard](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/firewallrules.webp) +![Firewall Rules Page of Threat Manager Installation wizard](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/firewallrules.webp) **Step 9 –** By default, the installer will Create Inbound Windows Firewall Rules. Deselect the checkbox if you do not want the installer to automatically create these rules, because you have already created them. Click **Next**. -![Threat Manager Installation Progress page](../../../../../static/img/product_docs/threatmanager/threatmanager/install/installprogress.webp) +![Threat Manager Installation Progress page](/img/product_docs/threatmanager/threatmanager/install/installprogress.webp) **Step 10 –** The installation process will begin and the Setup wizard will display the progress. -![Threat Manager 3.0 Installed Successfully page](../../../../../static/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) +![Threat Manager 3.0 Installed Successfully page](/img/product_docs/threatprevention/threatprevention/install/reportingmodule/completed.webp) **Step 11 –** Click **Exit** when the installation completes successfully. The Netwrix Threat Manager Setup wizard closes. diff --git a/docs/threatmanager/3.0/threatmanager/overview.md b/docs/threatmanager/3.0/threatmanager/overview.md index 393fabde15..27dc13d52f 100644 --- a/docs/threatmanager/3.0/threatmanager/overview.md +++ b/docs/threatmanager/3.0/threatmanager/overview.md 
@@ -14,7 +14,7 @@ including Microsoft Teams, Slack, ServiceNow, and a wide variety of SIEM platfor The following diagram is a visual representation of Threat Manager architecture. It maps out the physical implementation of Threat Manager components. -![Netwrix Threat Manager Architecture diagram](../../../../static/img/product_docs/threatmanager/threatmanager/tmarch.webp) +![Netwrix Threat Manager Architecture diagram](/img/product_docs/threatmanager/threatmanager/tmarch.webp) ## Administration @@ -40,7 +40,7 @@ documentation for additional information: Threat Manager monitors the following threats. See each section for information on monitored threat types. -- [Active Directory Threats](threats/activedirectory.md) -- [Entra ID Threats](threats/entraid.md) -- [File System Threats](threats/filesystem.md) -- [General Threats](threats/general.md) +- [Active Directory Threats](/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.0/threatmanager/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.0/threatmanager/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.0/threatmanager/threats/general.md) diff --git a/docs/threatmanager/3.0/threatmanager/requirements/overview.md b/docs/threatmanager/3.0/threatmanager/requirements/overview.md index 8ca3c4efc1..6392b86ee7 100644 --- a/docs/threatmanager/3.0/threatmanager/requirements/overview.md +++ b/docs/threatmanager/3.0/threatmanager/requirements/overview.md 
@@ -22,11 +22,11 @@ Core Component See the following topics for server requirements: -- [Database Server Requirements](database.md) -- [Application Server Requirements](server.md) -- [Action Service Requirements](actionservice.md) -- [Client Requirements](client.md) -- [Ports Requirements](ports.md) +- [Database Server Requirements](/docs/threatmanager/3.0/threatmanager/requirements/database.md) +- [Application Server Requirements](/docs/threatmanager/3.0/threatmanager/requirements/server.md) +- [Action Service Requirements](/docs/threatmanager/3.0/threatmanager/requirements/actionservice.md) +- [Client Requirements](/docs/threatmanager/3.0/threatmanager/requirements/client.md) +- [Ports Requirements](/docs/threatmanager/3.0/threatmanager/requirements/ports.md) Target Environment Considerations diff --git a/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md b/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md index 6c213a126a..185430088f 100644 --- a/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md +++ b/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md @@ -2,7 +2,7 @@ The following permissions are required for the credential used by Threat Manager for Active Directory Sync. See the -[Entra ID Sync Page](../../administration/configuration/integrations/entraidsync.md) topic for +[Entra ID Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/entraidsync.md) topic for additional information about syncing the configured Active Directory domain(s) in Threat Manager. | Object Type | Function | Access Requirements | diff --git a/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md b/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md index 6e61bb3879..6cfacaacde 100644 --- a/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md 
+++ b/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md @@ -2,7 +2,7 @@ The following permissions are required for the credential used by Threat Manager for Microsoft Entra ID Sync. See the -[Active Directory Sync Page](../../administration/configuration/integrations/activedirectorysync.md) +[Active Directory Sync Page](/docs/threatmanager/3.0/threatmanager/administration/configuration/integrations/activedirectorysync.md) topic for additional information about syncing the configured Microsoft Entra ID tenant(s) in Threat Manager. diff --git a/docs/threatmanager/3.0/threatmanager/requirements/permissions/overview.md b/docs/threatmanager/3.0/threatmanager/requirements/permissions/overview.md index d9eaa4e88a..c750d8f2b8 100644 --- a/docs/threatmanager/3.0/threatmanager/requirements/permissions/overview.md +++ b/docs/threatmanager/3.0/threatmanager/requirements/permissions/overview.md @@ -4,5 +4,5 @@ To sync Active Directory domain(s) and Microsoft Entra ID tenant(s) in Threat Ma service accounts with the required permissions. See the following topics for details on these permission. -- [Permissions for Active Directory Sync ](adsync.md) -- [Application Permissions for Entra ID Sync](entraidsync.md) +- [Permissions for Active Directory Sync ](/docs/threatmanager/3.0/threatmanager/requirements/permissions/adsync.md) +- [Application Permissions for Entra ID Sync](/docs/threatmanager/3.0/threatmanager/requirements/permissions/entraidsync.md) diff --git a/docs/threatmanager/3.0/threatmanager/requirements/ports.md b/docs/threatmanager/3.0/threatmanager/requirements/ports.md index 2844518f66..204a41a9b0 100644 --- a/docs/threatmanager/3.0/threatmanager/requirements/ports.md +++ b/docs/threatmanager/3.0/threatmanager/requirements/ports.md 
@@ -2,7 +2,7 @@ Netwrix Threat Manager architecture and components interactions are shown in the figure below. -![threatmanagerserver](../../../../../static/img/product_docs/threatmanager/threatmanager/requirements/threatmanagerserver.webp) +![threatmanagerserver](/img/product_docs/threatmanager/threatmanager/requirements/threatmanagerserver.webp) Configure appropriate firewall rules to allow these connections. diff --git a/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md b/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md index c8e9912d7d..68313399b0 100644 --- a/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md +++ b/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md @@ -27,7 +27,7 @@ The following threats are monitored for Active Directory: | Definition | Replication from a non-domain controller account can be evidence of a Mimikatz DCSync attack. Performing a DCSync remotely extracts the NTLM password hash for the account that is the target of the attack. | **NOTE:** The domain monitoring policy must be configured to exclude domain controllers. See the -[Integration with Other Netwrix Products](../install/integration/overview.md) topic for additional +[Integration with Other Netwrix Products](/docs/threatmanager/3.0/threatmanager/install/integration/overview.md) topic for additional information. ## Domain Backup Key Compromise diff --git a/docs/threatmanager/3.0/threatmanager/threats/custom.md b/docs/threatmanager/3.0/threatmanager/threats/custom.md index c46514e02f..715d527777 100644 --- a/docs/threatmanager/3.0/threatmanager/threats/custom.md +++ b/docs/threatmanager/3.0/threatmanager/threats/custom.md 
@@ -23,19 +23,19 @@ Follow the steps to create a custom threat. - Select an existing investigation, or - Save a new one. See the - [New Investigation Page](../administration/investigations/newinvestigation.md) for additional + [New Investigation Page](/docs/threatmanager/3.0/threatmanager/administration/investigations/newinvestigation.md) for additional information. **Step 5 –** In the selected investigation, click the **Create Threat** option. -![CreateThreat Option](../../../../../static/img/product_docs/threatmanager/threatmanager/threats/createthreat.webp) +![CreateThreat Option](/img/product_docs/threatmanager/threatmanager/threats/createthreat.webp) The Custom Threat page opens. -![Create Threat Dialog Box](../../../../../static/img/product_docs/threatmanager/threatmanager/threats/createthreatdialogbox.webp) +![Create Threat Dialog Box](/img/product_docs/threatmanager/threatmanager/threats/createthreatdialogbox.webp) **Step 6 –** Severity – The relative severity level, or risk level, of the threat. See the -[Fine Tune a Threat](../administration/configuration/threatconfiguration.md) topic for additional +[Fine Tune a Threat](/docs/threatmanager/3.0/threatmanager/administration/configuration/threatconfiguration.md) topic for additional information. **Step 7 –** Description – Description of the threat. @@ -45,7 +45,7 @@ associate the user that committed the threat. **Step 8 –** Definition – The threat definition is a detailed explanation of the threat providing insight into why the incident is a potential risk. It appears at the top of the Threat Details page. -See the [Threat Details Page](../administration/threatdetails/overview.md) topic for additional +See the [Threat Details Page](/docs/threatmanager/3.0/threatmanager/administration/threatdetails/overview.md) topic for additional information. **Step 9 –** The Custom Threat page has two tabs for threat configuration: 
@@ -74,7 +74,7 @@ Exclusions Tab The Exclusions tab lists existing exclusions for the threat. Exclusions allow rule-based definitions to be defined for specific criteria to be excluded from threat detection for the threat type. -![Threat Exclusion Tab](../../../../../static/img/product_docs/threatmanager/threatmanager/threats/exclusionstab.webp) +![Threat Exclusion Tab](/img/product_docs/threatmanager/threatmanager/threats/exclusionstab.webp) **Step 10 –** Click **Save**. The investigation is now saved as a custom threat. diff --git a/docs/threatmanager/3.0/threatmanager/threats/overview.md b/docs/threatmanager/3.0/threatmanager/threats/overview.md index 747aed791a..a08dae0f67 100644 --- a/docs/threatmanager/3.0/threatmanager/threats/overview.md +++ b/docs/threatmanager/3.0/threatmanager/threats/overview.md 
@@ -5,15 +5,15 @@ threats using the Custom option or through the Create Threat option on the Inves pre-defined and custom threats are listed in the Threat box. Threats that are crossed out are disabled threats. -![Threats Box](../../../../../static/img/product_docs/threatmanager/threatmanager/threats/threatsbox.webp) +![Threats Box](/img/product_docs/threatmanager/threatmanager/threats/threatsbox.webp) The Threats list divides the threats into the following sections: -- [Active Directory Threats](activedirectory.md) -- [Entra ID Threats](entraid.md) -- [File System Threats](filesystem.md) -- [General Threats](general.md) -- [Custom Threats](custom.md) +- [Active Directory Threats](/docs/threatmanager/3.0/threatmanager/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.0/threatmanager/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.0/threatmanager/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.0/threatmanager/threats/general.md) +- [Custom Threats](/docs/threatmanager/3.0/threatmanager/threats/custom.md) Select a threat from the list to display the threat's configuration options to the right of the Threats box. diff --git a/docs/threatmanager/3.0/threatprevention/admin/configuration/threatmanagerconfiguration.md b/docs/threatmanager/3.0/threatprevention/admin/configuration/threatmanagerconfiguration.md index 2daded8b98..201b3d8b40 100644 --- a/docs/threatmanager/3.0/threatprevention/admin/configuration/threatmanagerconfiguration.md +++ b/docs/threatmanager/3.0/threatprevention/admin/configuration/threatmanagerconfiguration.md 
@@ -27,7 +27,7 @@ Follow the steps to configure Threat Prevention to send event data to Threat Man Configuration** on the menu. The Netwrix Threat Manager Configuration window opens with the Event Sink tab displayed by default. -![Netwrix Threat Manager Configuration window - Event Sink tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/threatmanagerconfiguration.webp) +![Netwrix Threat Manager Configuration window - Event Sink tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/threatmanagerconfiguration.webp) **Step 3 –** In the Netwrix Threat Manager URI box, enter the Threat Manager hostname or IP address and port in the following format. The default port for Threat Manager is **10001**. @@ -96,7 +96,7 @@ Configuration** on the menu. The Netwrix Threat Manager Configuration window ope **Step 4 –** Click the **Honey Token** tab. -![Netwrix Threat Manager Configuration Window - Honey Tokem tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) +![Netwrix Threat Manager Configuration Window - Honey Tokem tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) **Step 5 –** Check the **Enable LDAP substitution** checkbox to enable the options on the tab. 
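Review bot: The alt text on the changed image line in the -96,7 hunk reads `Honey Tokem tab`. Since this line is being rewritten anyway, correct it to `Honey Token tab` so it matches the **Honey Token** tab named in Step 4 of the same hunk.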
@@ -137,7 +137,7 @@ PAC Analytic Type topic for additional information. **Step 6 –** In Threat Prevention, click **Configuration** > **Netwrix Threat Manager Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. -![Netwrix Threat Manager Configuration Window - Forged PAC tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) +![Netwrix Threat Manager Configuration Window - Forged PAC tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) **Step 7 –** Ensure the Event Sink tab is properly set up to send event data to Threat Manager. diff --git a/docs/threatprevention/7.4/threatprevention/admin/agents/deploy/selectcomputers.md b/docs/threatprevention/7.4/threatprevention/admin/agents/deploy/selectcomputers.md index 6f8f4bb49c..7fdc91335c 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/agents/deploy/selectcomputers.md +++ b/docs/threatprevention/7.4/threatprevention/admin/agents/deploy/selectcomputers.md @@ -31,7 +31,7 @@ want to deploy the Agent. - Domain to Browse – Displays the domain where the Enterprise Manager resides. If unpopulated, type the desired domain in the textbox. Click Connect to connect to the domain. - List of Domain Controllers/Computers – Populates with computers found in Active Directory -- Add (>>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box +- Add (>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box > **NOTE:** Multiple computers can be selected and moved to the Deploy Agents to These Computers > box. Checking a top-level node automatically selects all child objects. 
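Review bot: In the selectcomputers.md hunk at -31,7, the bullet `- Add (>>) button` becomes `- Add (>) button`, which changes the documented button label in a change that otherwise only rewrites link and image paths. This looks like an unintended side effect of the conversion rather than a deliberate edit. Restore `>>`, or confirm against the wizard that the button really shows a single `>`. The next hunk of this file (-48,7) carries the same edit, so both should be fixed together.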
@@ -48,7 +48,7 @@ CSV file with comma-separated values. - Text File to Read – Click Open to browse and select the required file. The box displays the path to the file. - List of Hosts/IP Addresses – Populates with computers from the text/CSV file -- Add (>>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box +- Add (>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box Once the list in the Deploy Agents to These Computers box is complete, you can continue through the wizard to deploy the Agent. See the diff --git a/docs/threatprevention/7.4/threatprevention/admin/agents/overview.md b/docs/threatprevention/7.4/threatprevention/admin/agents/overview.md index 0f0562a92a..2ee76dd92e 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/agents/overview.md +++ b/docs/threatprevention/7.4/threatprevention/admin/agents/overview.md @@ -166,7 +166,7 @@ the configuration files, and restart the Agent. See the [Firewall Ports](/docs/threatprevention/7.4/threatprevention/requirements/ports.md) topic for default ports required for WMI communication. See the Microsoft -[WMI Diagnosis Utility]() +[WMI Diagnosis Utility](https://docs.microsoft.com/en-us/previous-versions/tn-archive/ff404265(v=msdn.10)?redirectedfrom=MSDN) article for additional information. ## Additional Agent Considerations diff --git a/docs/threatprevention/7.4/threatprevention/admin/policies/actions/netscript.md b/docs/threatprevention/7.4/threatprevention/admin/policies/actions/netscript.md index e59ccd60f2..3cc9788299 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/policies/actions/netscript.md +++ b/docs/threatprevention/7.4/threatprevention/admin/policies/actions/netscript.md 
@@ -291,27 +291,27 @@ try { sw = new System.IO.StreamWriter("c:\\si_eventdata.txt", true); sw.WriteLine("==========================================="); -sw.WriteLine(("TimeLogged:  " + helper.TimeLogged.ToString())); -sw.WriteLine(("TimeLoggedUtc:  " + helper.TimeLoggedUtc.ToString())); +sw.WriteLine(("TimeLogged:  " + helper.TimeLogged.ToString(); +sw.WriteLine(("TimeLoggedUtc:  " + helper.TimeLoggedUtc.ToString(); sw.WriteLine(("EventSourceType: " + helper.EventSourceType)); sw.WriteLine(("EventSourceName: " + helper.EventSourceName)); sw.WriteLine(("SettingName: " + helper.SettingName)); sw.WriteLine(("EventName: " + helper.EventName)); -sw.WriteLine(("DN:  " + helper.DN.ToString())); +sw.WriteLine(("DN:  " + helper.DN.ToString(); sw.WriteLine(("ClassName: " + helper.ClassName)); sw.WriteLine(("Perpetrator: " + helper.Perpetrator)); sw.WriteLine(("OriginatingServer: " + helper.OriginatingServer)); sw.WriteLine(("OriginatingClient: " + helper.OriginatingClient)); -sw.WriteLine(("Success: " + helper.Success.ToString())); +sw.WriteLine(("Success: " + helper.Success.ToString(); sw.WriteLine(("Status: " + helper.Status)); -sw.WriteLine(("BlockedEvent: " + helper.BlockedEvent.ToString())); -sw.WriteLine(("EventsCount: " + helper.EventsCount.ToString())); +sw.WriteLine(("BlockedEvent: " + helper.BlockedEvent.ToString(); +sw.WriteLine(("EventsCount: " + helper.EventsCount.ToString(); sw.WriteLine(("OriginatingClientProtocol: " + helper.OriginatingClientProtocol)); sw.WriteLine(("FromHost: " + helper.FromHost)); sw.WriteLine(("FromHostIp: " + helper.FromHostIp)); sw.WriteLine(("ToHost: " + helper.ToHost)); sw.WriteLine(("ToHostIp: " + helper.ToHostIp)); -sw.WriteLine(("LoginType: " + helper.LoginType.ToString())); +sw.WriteLine(("LoginType: " + helper.LoginType.ToString(); sw.WriteLine(("AffectedObjectSid: " + helper.AffectedObjectSid)); sw.WriteLine(("OriginatingServerIp: " + helper.OriginatingServerIp)); sw.WriteLine(("PerpetratorName: " + helper.PerpetratorName)); 
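Review bot: Every `+` line in this netscript.md hunk drops the two closing parentheses after `ToString()`, leaving statements such as `helper.TimeLogged.ToString();` inside `sw.WriteLine((` with both opening parentheses unclosed, so the C# sample no longer compiles. The untouched lines, for example `sw.WriteLine(("EventSourceType: " + helper.EventSourceType));`, are still balanced, which suggests the link rewrite treated `()))` as the tail of a Markdown link. Revert these lines to end in `ToString()));` and exclude code samples from the rewrite. The following hunk (-363,7) has the same damage in the `typeof(SI.Common.Messages.NvMessageArray)` condition.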
@@ -363,7 +363,7 @@ sb.Append(attrName); sb.Append(": "); if ((de.Value != null)) { -if ((de.Value.GetType() == typeof(SI.Common.Messages.NvMessageArray))) +if ((de.Value.GetType() == typeof(SI.Common.Messages.NvMessageArray) { SI.Common.Messages.NvMessageArray values = ((SI.Common.Messages.NvMessageArray)(de.Value)); if ((values.Count > 0)) diff --git a/docs/threatprevention/7.4/threatprevention/admin/policies/actions/powershell.md b/docs/threatprevention/7.4/threatprevention/admin/policies/actions/powershell.md index b62fb326b4..90059f4ee6 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/policies/actions/powershell.md +++ b/docs/threatprevention/7.4/threatprevention/admin/policies/actions/powershell.md @@ -87,9 +87,9 @@ Try { $sw = New-Object System.IO.StreamWriter ("C:\si_eventdata.txt", $true) $sw.WriteLine("===========================================") -$sw.WriteLine(("TimeLogged:  " + $helper.TimeLogged.ToString())) +$sw.WriteLine(("TimeLogged:  " + $helper.TimeLogged.ToString() $sw.Flush() -$sw.WriteLine(("TimeLoggedUtc:  " + $helper.TimeLoggedUtc.ToString())) +$sw.WriteLine(("TimeLoggedUtc:  " + $helper.TimeLoggedUtc.ToString() $sw.Flush() $sw.WriteLine(("EventSourceType: " + $helper.EventSourceType)) $sw.Flush() 
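Review bot: The two `+` lines in the powershell.md hunk at -87,9 now end in `$helper.TimeLogged.ToString()` and `$helper.TimeLoggedUtc.ToString()`, with the `))` that closed `$sw.WriteLine((` removed, so the sample script fails to parse at the first of them. Restore the trailing `))` on both lines. The next hunk of this file (-97,21) shows the same change on the DN, Success, BlockedEvent, EventsCount and LoginType lines and needs the same revert.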
@@ -97,21 +97,21 @@ $sw.WriteLine(("EventSourceName: " + $helper.EventSourceName)) $sw.Flush() $sw.WriteLine(("SettingName: " + $helper.SettingName)) $sw.WriteLine(("EventName: " + $helper.EventName)) -$sw.WriteLine(("DN:  " + $helper.DN.ToString())) +$sw.WriteLine(("DN:  " + $helper.DN.ToString() $sw.WriteLine(("ClassName: " + $helper.ClassName)) $sw.WriteLine(("Perpetrator: " + $helper.Perpetrator)) $sw.WriteLine(("OriginatingServer: " + $helper.OriginatingServer)) $sw.WriteLine(("OriginatingClient: " + $helper.OriginatingClient)) -$sw.WriteLine(("Success: " + $helper.Success.ToString())) +$sw.WriteLine(("Success: " + $helper.Success.ToString() $sw.WriteLine(("Status: " + $helper.Status)) -$sw.WriteLine(("BlockedEvent: " + $helper.BlockedEvent.ToString())) -$sw.WriteLine(("EventsCount: " + $helper.EventsCount.ToString())) +$sw.WriteLine(("BlockedEvent: " + $helper.BlockedEvent.ToString() +$sw.WriteLine(("EventsCount: " + $helper.EventsCount.ToString() $sw.WriteLine(("OriginatingClientProtocol: " + $helper.OriginatingClientProtocol)) $sw.WriteLine(("FromHost: " + $helper.FromHost)) $sw.WriteLine(("FromHostIp: " + $helper.FromHostIp)) $sw.WriteLine(("ToHost: " + $helper.ToHost)) $sw.WriteLine(("ToHostIp: " + $helper.ToHostIp)) -$sw.WriteLine(("LoginType: " + $helper.LoginType.ToString())) +$sw.WriteLine(("LoginType: " + $helper.LoginType.ToString() $sw.WriteLine(("AffectedObjectSid: " + $helper.AffectedObjectSid)) $sw.WriteLine(("OriginatingServerIp: " + $helper.OriginatingServerIp)) $sw.WriteLine(("PerpetratorName: " + $helper.PerpetratorName)) diff --git a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/accountenablement.md b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/accountenablement.md index 7d3a2143c5..733acb354a 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/accountenablement.md 
+++ b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/accountenablement.md @@ -64,7 +64,7 @@ sb.AppendLine(""); sb.AppendLine(""); sb.AppendLine(String.Format("EventName: {0}
", helper.EventName)); sb.AppendLine(String.Format("EventNameTranslated: {0}
", helper.EventNameTranslated)); -sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"))); +sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"); sb.AppendLine(String.Format("Account: {0}
", helper.DN)); sb.AppendLine(String.Format("Perpetrator: {0}
", helper.PerpetratorName)); sb.AppendLine(""); diff --git a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/lockunlockaccount.md b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/lockunlockaccount.md index c86c9bf6cb..ed1b4678b7 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/lockunlockaccount.md +++ b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/lockunlockaccount.md @@ -65,7 +65,7 @@ sb.AppendLine(""); sb.AppendLine(""); sb.AppendLine(String.Format("EventName: {0}
", helper.EventName)); sb.AppendLine(String.Format("EventNameTranslated: {0}
", helper.EventNameTranslated)); -sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"))); +sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"); sb.AppendLine(String.Format("DN: {0}
", helper.DN)); sb.AppendLine(String.Format("Perpetrator: {0}
", helper.PerpetratorName)); sb.AppendLine(""); diff --git a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordchanges.md b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordchanges.md index 9a729751c2..6d016806b4 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordchanges.md +++ b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordchanges.md @@ -66,7 +66,7 @@ sb.AppendLine(""); sb.AppendLine(""); sb.AppendLine(String.Format("EventName: {0}
", helper.EventName)); sb.AppendLine(String.Format("EventNameTranslated: {0}
", helper.EventNameTranslated)); -sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"))); +sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"); sb.AppendLine(String.Format("DN: {0}
", helper.DN)); sb.AppendLine(String.Format("Perpetrator: {0}
", helper.PerpetratorName)); sb.AppendLine(""); diff --git a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordneverexpires.md b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordneverexpires.md index f7c51f7f35..439c2d1f0e 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordneverexpires.md +++ b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordneverexpires.md @@ -17,7 +17,7 @@ The following environmental variables must be added to the script prior to execu In the Templates > Actions folder in the Navigation pane, the _ADChanges: Notify Admin that account now has Password Never Expires_ template is preconfigured to use this action script. -[Copy]() +[Copy](javascript:void(0);) ``` namespace ScriptNamespace @@ -73,7 +73,7 @@ StringBuilder sb = new StringBuilder(); sb.AppendLine(""); sb.AppendLine(""); sb.AppendLine(String.Format("EventName: {0}
", helper.EventName)); -sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"))); +sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"); sb.AppendLine(String.Format("Account: {0} now has 'Password Never Expires' option
", helper.DN)); sb.AppendLine(String.Format("Perpetrator: {0}
", helper.PerpetratorName)); sb.AppendLine(""); diff --git a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordrejection.md b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordrejection.md index 09d3e4bd38..ff82db6f0d 100644 --- a/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordrejection.md +++ b/docs/threatprevention/7.4/threatprevention/admin/templates/folder/scripts/passwordrejection.md @@ -19,7 +19,7 @@ The following environmental variables must be added to the script prior to execu In the Templates > Actions folder in the Navigation pane, the _EPE: Notify Perpetrator that password was rejected_ template is preconfigured to use this action script. -[Copy]() +[Copy](javascript:void(0);) ``` namespace ScriptNamespace @@ -65,7 +65,7 @@ sb.AppendLine(""); sb.AppendLine(""); sb.AppendLine(String.Format("EventName: {0}
", helper.EventName)); sb.AppendLine(String.Format("EventNameTranslated: {0}
", helper.EventNameTranslated)); -sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"))); +sb.AppendLine(String.Format("TimeLoggedUtc: {0}
", helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt"); sb.AppendLine(String.Format("DN: {0}
", helper.Perpetrator)); sb.AppendLine(String.Format("Perpetrator: {0}
", helper.PerpetratorName)); sb.AppendLine(""); diff --git a/docs/threatprevention/7.4/threatprevention/install/agent/silent.md b/docs/threatprevention/7.4/threatprevention/install/agent/silent.md index 27271af66a..7585794082 100644 --- a/docs/threatprevention/7.4/threatprevention/install/agent/silent.md +++ b/docs/threatprevention/7.4/threatprevention/install/agent/silent.md @@ -11,7 +11,7 @@ Therefore, standard MSI command-line options can be used with the “threatprevention-agent-7.4.0.xxx.exe” install. Available command-line options can be found in the -[Microsoft Standard Installer Command-Line Options]() +[Microsoft Standard Installer Command-Line Options](https://msdn.microsoft.com/en-us/library/windows/desktop/aa372024(v=vs.85).aspx) article. Two of the more useful options are: diff --git a/docs/threatprevention/7.4/threatprevention/reportingmodule/configuration/integrations/tagmanagement.md b/docs/threatprevention/7.4/threatprevention/reportingmodule/configuration/integrations/tagmanagement.md index d470fdd335..14ec0eec49 100644 --- a/docs/threatprevention/7.4/threatprevention/reportingmodule/configuration/integrations/tagmanagement.md +++ b/docs/threatprevention/7.4/threatprevention/reportingmodule/configuration/integrations/tagmanagement.md @@ -125,7 +125,7 @@ results. **Step 5 –** In the Untagged Items box, check the box to the left of the desired object(s). -**Step 6 –** Click the arrow (>) between the Untagged Items box and the Tagged Items box to add the +**Step 6 –** Click the arrow () between the Untagged Items box and the Tagged Items box to add the tag to the selected object(s). The tag is applied to the selected objects. diff --git a/docs/threatprevention/7.4/threatprevention/reportingmodule/investigations/reports.md b/docs/threatprevention/7.4/threatprevention/reportingmodule/investigations/reports.md index 1d69358bbb..5cc1352f07 100644 --- a/docs/threatprevention/7.4/threatprevention/reportingmodule/investigations/reports.md 
+++ b/docs/threatprevention/7.4/threatprevention/reportingmodule/investigations/reports.md @@ -57,7 +57,7 @@ The table displays the following data: details. - Description – A summary of the event -Click the arrow (>) in the table for a specific event to view additional details. +Click the arrow () in the table for a specific event to view additional details. See the [Host Details Page](/docs/threatprevention/7.4/threatprevention/reportingmodule/investigations/host.md) diff --git a/docs/threatprevention/7.4/threatprevention/requirements/ports.md b/docs/threatprevention/7.4/threatprevention/requirements/ports.md index 72c6b57e2a..bdc7a59b68 100644 --- a/docs/threatprevention/7.4/threatprevention/requirements/ports.md +++ b/docs/threatprevention/7.4/threatprevention/requirements/ports.md @@ -118,7 +118,7 @@ are required for communication between the Agent server and the Netwrix Activity The Windows firewall rules need to be configured on the Windows server, which require certain inbound rules be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft -[Connecting to WMI on a Remote Computer]() +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. Dell Celerra & Dell VNX Devices Additional Firewall Rules diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md index 7eaff35c34..3b6dddea2e 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md 
@@ -4,7 +4,7 @@ The Deploy Agents wizard's Installing window is the last in a sequence of four w Agent on a computer. This window performs the desired action, tracks the deployment process, and displays a successful or failed status. -![Deploy Agents wizard – Installing page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installing.webp) +![Deploy Agents wizard – Installing page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installing.webp) It displays the working and completed status of the action. Depending on whether the Agent is deployed successfully, the Message column displays a failed message with additional text or a diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md index 8e17bc992b..f0a1f94d5e 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md @@ -9,7 +9,7 @@ The Threat Prevention Agent can be deployed through any of the following methods - Manually through the Windows Agent Setup Wizard – Run the Agent executable to launch this wizard -See the [Manual Agent Deployment](../../../install/agent/manual.md) topic for additional +See the [Manual Agent Deployment](/docs/threatprevention/7.5/threatprevention/install/agent/manual.md) topic for additional information. ## Deploy Agents Wizard 
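Review bot: the replacement TimeLoggedUtc line in the @@ -73,7 hunk of passwordneverexpires.md and in the @@ -65,7 hunk of passwordrejection.md ends with `tt");` where the removed line ended with `tt")));`, so the String.Format and sb.AppendLine calls are never closed and the sample action script no longer compiles when copied from the page. Restore the two dropped closing parentheses so the line ends `helper.TimeLoggedUtc.ToString("MMMM d, yyyy h:mm:ss tt")));` again. The neighbouring changes in these files only rewrite link targets, so this looks unintended.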
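Review bot: `[Copy](javascript:void(0);)` in the first hunk of passwordneverexpires.md and of passwordrejection.md replaces an empty link with a javascript: URL, which is residue from an interactive copy button and does nothing in static Markdown. Sanitizing renderers commonly strip or flag javascript: hrefs, so remove the `[Copy]` line instead of committing that scheme into the docs.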
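Review bot: in the @@ -125,7 hunk of tagmanagement.md and the @@ -57,7 hunk of reports.md, `Click the arrow (>)` becomes `Click the arrow ()`, so the step now points at an empty pair of parentheses instead of the control to click. Keep the `>` character, escaping it if the renderer requires that.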
@@ -18,7 +18,7 @@ The Deploy Agents wizard enables you to deploy Agents from the Administration Co targeted for Agent deployment must meet the minimum .NET Framework version required by the Agent or the deployment fails. Remember to check server requirements before deploying the Agent, including compatibility with other security products. See the -[Agent Server Requirements](../../../requirements/agent.md) topic for additional information. +[Agent Server Requirements](/docs/threatprevention/7.5/threatprevention/requirements/agent.md) topic for additional information. **NOTE:** The wizard does not block access to the Administration Console and can be minimized while actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing 
@@ -40,36 +40,36 @@ data collection. corner. To re-install a previously uninstalled Agent, select the **Install Agent** right-click menu option for that machine in the grid. The Select Computers window opens. -![Deploy Agents wizard – Select Computers page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/selectcomputers.webp) +![Deploy Agents wizard – Select Computers page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/selectcomputers.webp) **Step 3 –** On the Select Computers window, add the host or IP addresses of the target machines to the Deploy Agents to These Computers box. Use any of the three methods, as represented by the three -tabs on the window. See the [Select Computers Window](selectcomputers.md) topic for additional +tabs on the window. See the [Select Computers Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md) topic for additional information. Click **Next**. -If you open this window through the [Right-Click Menu](../overview.md#right-click-menu) action, the +If you open this window through the [Right-Click Menu](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md#right-click-menu) action, the list is auto-populated with the computer(s) selected on the Agents interface. -![Deploy Agents wizard – Set Options page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/setoptions.webp) +![Deploy Agents wizard – Set Options page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/setoptions.webp) **Step 4 –** On the Set Options window, enter the credentials required to deploy the Agent on the selected machine(s). Review the Enterprise Manager IP address/name and port for accuracy and select the desired modules to install for this Agent. You can also set other properties for the Agent. 
See -the [Set Options Window ](setoptions.md)topic for additional information. +the [Set Options Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md)topic for additional information. **Step 5 –** Once configurations are set, click **Next**. -![Deploy Agents wizard – Prerequisites Check page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/prerequisitescheck.webp) +![Deploy Agents wizard – Prerequisites Check page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/prerequisitescheck.webp) **Step 6 –** On the Prerequisites Check window, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check. It also initiates a -prerequisite check for the Agent. See the [Prerequisites Check Window](prerequisitescheck.md) topic +prerequisite check for the Agent. See the [Prerequisites Check Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md) topic for additional information. -![Deploy Agents wizard – Installing page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installing.webp) +![Deploy Agents wizard – Installing page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installing.webp) **Step 7 –** The Installing window performs the installation and displays whether or not the action -was successful. See the [Installing Window ](installing.md) topic for additional information. +was successful. See the [Installing Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md) topic for additional information. **Step 8 –** When the task is successfully completed, click **Finish** to close the window. 
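Review bot: the rewritten links in Step 4 and Step 7 of this hunk keep a stray space inside the link text (`[Set Options Window ]`, `[Installing Window ]`), and Step 4 still runs the closing parenthesis straight into the next word (`)topic`). Since these lines are being touched anyway, drop the trailing space inside the brackets and add the missing space before "topic".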
@@ -77,7 +77,7 @@ The Agent will be listed in the table on the Agents interface. **NOTE:** If the server where the Agent is deployed has multiple network adapters (multi-homed), then it is necessary to bind the Agent to an adapter that can communicate with the Enterprise -Manager. See the [Bind To](../../../troubleshooting/agentcommunication.md#bind-to) topic for +Manager. See the [Bind To](/docs/threatprevention/7.5/threatprevention/troubleshooting/agentcommunication.md#bind-to) topic for additional information. ## Update Agent Settings 
@@ -87,20 +87,20 @@ Follow the steps to update the settings for a deployed Agent through the Agents **Step 1 –** Click Agents in the left pane to launch the Agents interface. **Step 2 –** On the Agents interface, right-click the Agent and select Update Agent Settings on the -[Right-Click Menu](../overview.md#right-click-menu). The Select Computers window opens. +[Right-Click Menu](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md#right-click-menu). The Select Computers window opens. **Step 3 –** On the Select Computers window, the computer where the Agent is deployed is automatically added to the Update Agent settings on These Computers box. See the -[Select Computers Window](selectcomputers.md) topic for additional information. Click **Next**. +[Select Computers Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md) topic for additional information. Click **Next**. **Step 4 –** On the Set Options window, ensure the proper credentials, modules, and Enterprise Manager location are accurate alongside additional options. To make changes to the settings, uncheck the **Keep Existing Settings** box. Make necessary updates as needed. See the -[Set Options Window ](setoptions.md) topic for additional information. +[Set Options Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md) topic for additional information. **Step 5 –** On the Prerequisites Check window, the credentials provided on the Set Options window either succeed or fail during a prerequisites or verification check. See the -[Prerequisites Check Window](prerequisitescheck.md) topic for additional information. Click +[Prerequisites Check Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md) topic for additional information. Click **Next**. **Step 6 –** On the Updating Settings window, the Agent will be stopped and restarted. One of two 
diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md index 1e379aa2dd..14af04170d 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md @@ -4,7 +4,7 @@ The Deploy Agents wizard's Prerequisites Check window is the third in a sequence deploy the Agent on a computer. On this window, Threat Prevention checks if the provided credentials successfully allow Agent deployment. -![Deploy Agents wizard – Prerequisites Check page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/prerequisitescheck.webp) +![Deploy Agents wizard – Prerequisites Check page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/prerequisitescheck.webp) After the check is run, the status registers as either Success or Failed. Select a host to view the full message in the box at the bottom of the window. @@ -19,4 +19,4 @@ full message in the box at the bottom of the window. In addition to confirming access, Threat Prevention also verifies if the target machine has the minimum .NET Framework version needed by the Agent already installed; else the deployment fails. -See the [Installing Window ](installing.md)topic for the next step. +See the [Installing Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/installing.md)topic for the next step. diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md index 7114baa5ba..45f14b9ab9 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md 
@@ -14,7 +14,7 @@ Any combination of these three methods can be used to select computers. The Add Single Host tab is displayed by default when the Select Computer window opens. -![Deploy Agents wizard – Select Computers page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/selectcomputers.webp) +![Deploy Agents wizard – Select Computers page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/selectcomputers.webp) Manually enter and select the host name or IP address of a computer. Use the double-arrow button to add it to the Deploy Agents to These Computers box. @@ -23,7 +23,7 @@ add it to the Deploy Agents to These Computers box. Click the Add From AD tab. -![Deploy Agents wizard – Select Computers page: Add from AD tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/addfromad.webp) +![Deploy Agents wizard – Select Computers page: Add from AD tab](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/addfromad.webp) Browse the domain's computer objects (Domain Controllers and Computers) to select those where you want to deploy the Agent. @@ -31,7 +31,7 @@ want to deploy the Agent. - Domain to Browse – Displays the domain where the Enterprise Manager resides. If unpopulated, type the desired domain in the textbox. Click Connect to connect to the domain. - List of Domain Controllers/Computers – Populates with computers found in Active Directory -- Add (>>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box +- Add (>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box > **NOTE:** Multiple computers can be selected and moved to the Deploy Agents to These Computers > box. Checking a top-level node automatically selects all child objects. 
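Review bot: the button label changes from `Add (>>)` to `Add (>)` in this hunk, and again in the Add From File hunk further down, while the Add Single Host text in the same file still calls it the double-arrow button. Every other change in selectcomputers.md is an image or link path rewrite, so this looks like a dropped character; keep `(>>)`.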
@@ -40,7 +40,7 @@ want to deploy the Agent. Click the Add From File tab. -![Deploy Agents wizard – Select Computers page: Add from File tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/addfromfile.webp) +![Deploy Agents wizard – Select Computers page: Add from File tab](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/addfromfile.webp) You can import a text file with a list of computer names or IP addresses with carriage returns, or a CSV file with comma-separated values. @@ -48,7 +48,7 @@ CSV file with comma-separated values. - Text File to Read – Click Open to browse and select the required file. The box displays the path to the file. - List of Hosts/IP Addresses – Populates with computers from the text/CSV file -- Add (>>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box +- Add (>) button – Adds the selected computer(s) to the Deploy Agents to These Computers box Once the list in the Deploy Agents to These Computers box is complete, you can continue through the -wizard to deploy the Agent. See the [Set Options Window ](setoptions.md)topic for the next step. +wizard to deploy the Agent. See the [Set Options Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md)topic for the next step. diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md index 27d6c706d0..db77c0b6c4 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md 
@@ -6,7 +6,7 @@ the Agent on a computer. On the Set Options window, you can manage Agent settings, such as credentials, Enterprise Manager information, modules, DNS host name resolution, and safe mode. -![Deploy Agents wizard - Set Options page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/setoptions.webp) +![Deploy Agents wizard - Set Options page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/setoptions.webp) The Set Options window provides the following options: @@ -25,7 +25,7 @@ The Set Options window provides the following options: - Safe Mode – The Agent checks LSASS versions on start up. Any changes in LSASS since the previous start prevents the AD Events monitoring module from loading. See the - [Agent Safe Mode](../safemode.md) topic for additional information. + [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. - Use local Pwned hash DB – A local copy of the Pwned hash database is sent to the Agent after installation from the Enterprise Manager. Any updates to the database are sent from the Enterprise Manager to the Agent(s) as long as the Agent service is enabled. @@ -40,7 +40,7 @@ The Set Options window provides the following options: - Install to default location – Installs the Agent on the machine to the default location or a specified location. -![Deploy Agents wizard – Set Options page: Agent Install Path box](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installpath.webp) +![Deploy Agents wizard – Set Options page: Agent Install Path box](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/installpath.webp) If checked, the Agent is installed to the default location: ...\Netwrix\Netwrix Threat Prevention\SIWindowsAgent 
@@ -48,9 +48,9 @@ Prevention\SIWindowsAgent If unchecked, specify the desired installation location, e.g. d:\myagent. The installation location applies to all computers where the Agent is being deployed in this session -(as specified on the [Select Computers Window](selectcomputers.md) of the Deploy Agents wizard). +(as specified on the [Select Computers Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/selectcomputers.md) of the Deploy Agents wizard). Once these settings are configured as desired, the Agent is ready for deployment on the selected -machines. See the [Prerequisites Check Window](prerequisitescheck.md) topic for the next step. +machines. See the [Prerequisites Check Window](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/prerequisitescheck.md) topic for the next step. ##### DNS Host Name Resolution 
@@ -74,15 +74,15 @@ name resolution is not handled locally by that machine. ## Set Options Window for Update Agent Settings On the Agents interface, when you open the Set Options window through the Update Agent Settings -option on the [Right-Click Menu](../overview.md#right-click-menu), the window appears as follows: +option on the [Right-Click Menu](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md#right-click-menu), the window appears as follows: -![Update Agent Settings > Set Options page](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/updatesetoptions.webp) +![Update Agent Settings > Set Options page](/img/product_docs/threatprevention/threatprevention/admin/agents/deploy/updatesetoptions.webp) This window displays the default selections in the Modules to Set and Additional Options areas; they do not represent the actual current state of the Agent. **NOTE:** To view the current state and configured options for an Agent, hover over the Version -String column on the [Agents Interface](../overview.md) data grid for the tool tip. The AD Agent +String column on the [Agents Interface](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md) data grid for the tool tip. The AD Agent column indicates the Agent’s mode. This Set Options window is the same as discussed above, with the exception of the following: diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/management/clearqueue.md b/docs/threatprevention/7.5/threatprevention/admin/agents/management/clearqueue.md index 862d748ca8..0b0ba5d414 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/management/clearqueue.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/management/clearqueue.md 
@@ -13,7 +13,7 @@ reconnection. This option is for diagnostic and troubleshooting purposes only. **Step 2 –** Right-click a server/Agent and select **Clear SQLite Agent Queue** on the menu. -![Enter Credentials window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) +![Enter Credentials window](/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) **Step 3 –** On the Enter Credentials window, enter a username and password with sufficient rights to connect to the target machine and query information about shares. A local Administrator account diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/management/start.md b/docs/threatprevention/7.5/threatprevention/admin/agents/management/start.md index 7c5f5014df..20a47e52ba 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/management/start.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/management/start.md @@ -9,7 +9,7 @@ Follow the steps to start a stopped Agent on a server. **Step 2 –** Right-click a server/Agent and select **Start Agent** on the menu. -![Enter Credentials window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) +![Enter Credentials window](/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) **Step 3 –** On the Enter Credentials window, enter a username and password with sufficient rights to connect to the target machine and query information about shares. A local Administrator account diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md b/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md index 1d6801b097..5998848796 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md @@ -4,7 +4,7 @@ If the Agent was deployed using the Safe Mode option, then it could enter a _Sta state, in which the AD Events monitoring module is not loaded on the machine where the Agent is deployed. This happens due to a change in the DLL versions. To exit this state, the Threat Prevention administrator must start the Active Directory module. See the -[Agent Safe Mode](../safemode.md) topic for additional information. +[Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. **_RECOMMENDED:_** If multiple DCs are in the Start Pending Modules state, this means one of the monitored system DLLs was changed from when the Agent was last run. This could impact the operation diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/management/stop.md b/docs/threatprevention/7.5/threatprevention/admin/agents/management/stop.md index 22532ff9ce..84d8b702c8 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/management/stop.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/management/stop.md @@ -6,7 +6,7 @@ Follow the steps to stop the Agent on a server. **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. -![Enter Credentials window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) +![Enter Credentials window](/img/product_docs/threatprevention/threatprevention/install/upgrade/entercredentials.webp) **Step 2 –** Right-click a server/Agent and select **Stop Agent** on the menu. diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md b/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md index 96c44f6236..dd26919b41 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md @@ -2,7 +2,7 @@ You can update the instrumentation DLL, SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL), in LSASS without having to upgrade the entire Agent. To facilitate this, the -[Agents Interface](../overview.md) displays the currently installed versions of the Agent and the +[Agents Interface](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md) displays the currently installed versions of the Agent and the ADMonitor DLL. **NOTE:** The Agent and the ADMonitor DLL should have the same major/minor version, such as 7.5.x.x, diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md b/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md index 4a631773e2..8423859e08 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md @@ -14,12 +14,12 @@ The Threat Prevention Agent can be deployed through any of the following methods - Manually through the Windows Agent Setup Wizard – Run the Agent executable to launch this wizard -See the [Deploy Agents](deploy/overview.md) and -[Manual Agent Deployment](../../install/agent/manual.md) topics for additional information. +See the [Deploy Agents](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md) and +[Manual Agent Deployment](/docs/threatprevention/7.5/threatprevention/install/agent/manual.md) topics for additional information. Click **Agents** in the left pane to open the Agents interface. -![Agents Interface](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/agentsinterface.webp) +![Agents Interface](/img/product_docs/threatprevention/threatprevention/admin/agents/agentsinterface.webp) ## Agents Data Grid 
@@ -37,13 +37,13 @@ information for an Agent: Manager - Last Agent Heartbeat – Last time the Enterprise Manager received a heartbeat from the Agent - ![Warning Symbol for an Agent](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/warningsymbol.webp) + ![Warning Symbol for an Agent](/img/product_docs/threatprevention/threatprevention/admin/agents/warningsymbol.webp) - AD Event Latency – Time difference between when the event was detected by the Agent and when the Enterprise Manager received it **NOTE:** When the **Send Latency Alerts** option is enabled in the - [Event Filtering Configuration Window](../configuration/eventfilteringconfiguration.md), a + [Event Filtering Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md), a warning symbol appears to indicate excessive latency. This warning symbol also appears when the Agent fails to load the instrumentation DLL, SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL), into the LSASS process or when it fails to load the instrumentation 
@@ -55,21 +55,21 @@ information for an Agent: names. **NOTE:** You can use the FSMO roles information in combination with a policy created for the - [FSMO Role Monitoring Event Type](../policies/eventtype/fsmorolemonitoring.md) to view events + [FSMO Role Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/fsmorolemonitoring.md) to view events about which machine acquired a FSMO role and which machine relinquished it. - Operating System – Operating system for the machine where the Agent is deployed with version information, including service pack details. For example, Windows Server 2022 Standard.. For example, Windows Server 2019 Standard - ![Agents Interface - Agent Statuses](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/agentstatuses.webp) + ![Agents Interface - Agent Statuses](/img/product_docs/threatprevention/threatprevention/admin/agents/agentstatuses.webp) - Status – the Agent’s current status: - Active (green) – The Agent is actively monitoring/blocking events and communicating with the Enterprise Manager - Active (Modules Pending) – The Agent is active, but the Windows AD Events module has not been - loaded due to Safe Mode. See the [Agent Safe Mode](safemode.md) topic for additional + loaded due to Safe Mode. See the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. - Stopped (orange) – The Agent has been stopped and is not monitoring/blocking events - Lost Connection (red) – The Agent is not actively communicating with the Enterprise Manager 
@@ -111,7 +111,7 @@ information for an Agent: Windows This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. ## Agents Action Buttons 
@@ -120,38 +120,38 @@ interface | Icon | Label | Action | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ![Agents Interface - Export Agent List icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/exporticon.webp) | Export Agent List… | Save the information to an XML file for export | -| ![Agents Interface - Refresh Agent List icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/refreshicon.webp) | Refresh Agent List… | Refresh the Agent information | -| ![Agents Interface - Update Logging Levels icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/updateloggingicon.webp) | Update Logging Levels… | Configure the log levels for the Agent(s). It opens the [Log Level Configuration Window](window/loglevelconfiguration.md). | -| ![Agents Interface - Get Agent Log icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/getagentlogicon.webp) | Get Agent Log… | Access Agent log files. See the [Access Agent Log Files](window/loglevelconfiguration.md#access-agent-log-files) topic for additional information. | -| ![Agents Interface - Update Agent Installer icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/updateinstallericon.webp) | Update Agent Installer | Check with Netwrix for a newer version of the Agent Installer according to the version in use. It opens the [Agent Installer Update Window](window/agentinstallerupdate.md). 
| -| ![Agents Interface - Configure Auto Deploy icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/autodeployicon.webp) | Configure Auto Deploy | If enabled, the Agent is automatically deployed to all domain controllers without an Agent. This feature requires at least one Agent to be present in the domain in order to detect additional domain controllers. It opens the [Configure Auto Deploy Window](window/configureautodeploy.md). | -| ![Agents Interface - Agent Enrollment Secret icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/enrollmentsecreticon.webp) | Agent Enrollment Secret | Generate the enrollment secret used to deploy the Agent. Opens the [Enrollment Secret Configuration Window](window/enrollmentsecretconfiguration.md). | -| ![Agents Interface - Deploy Agent icon](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/deployagent.webp) | Deploy Agent | Deploy the Agent to selected servers. It opens the Deploy Agents wizard. See the [Deploy Agents](deploy/overview.md) topic for additional information. | +| ![Agents Interface - Export Agent List icon](/img/product_docs/threatprevention/threatprevention/admin/agents/exporticon.webp) | Export Agent List… | Save the information to an XML file for export | +| ![Agents Interface - Refresh Agent List icon](/img/product_docs/threatprevention/threatprevention/admin/agents/refreshicon.webp) | Refresh Agent List… | Refresh the Agent information | +| ![Agents Interface - Update Logging Levels icon](/img/product_docs/threatprevention/threatprevention/admin/agents/updateloggingicon.webp) | Update Logging Levels… | Configure the log levels for the Agent(s). It opens the [Log Level Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/agents/window/loglevelconfiguration.md). 
| +| ![Agents Interface - Get Agent Log icon](/img/product_docs/threatprevention/threatprevention/admin/agents/getagentlogicon.webp) | Get Agent Log… | Access Agent log files. See the [Access Agent Log Files](window/loglevelconfiguration.md#access-agent-log-files) topic for additional information. | +| ![Agents Interface - Update Agent Installer icon](/img/product_docs/threatprevention/threatprevention/admin/agents/updateinstallericon.webp) | Update Agent Installer | Check with Netwrix for a newer version of the Agent Installer according to the version in use. It opens the [Agent Installer Update Window](/docs/threatprevention/7.5/threatprevention/admin/agents/window/agentinstallerupdate.md). | +| ![Agents Interface - Configure Auto Deploy icon](/img/product_docs/threatprevention/threatprevention/admin/agents/autodeployicon.webp) | Configure Auto Deploy | If enabled, the Agent is automatically deployed to all domain controllers without an Agent. This feature requires at least one Agent to be present in the domain in order to detect additional domain controllers. It opens the [Configure Auto Deploy Window](/docs/threatprevention/7.5/threatprevention/admin/agents/window/configureautodeploy.md). | +| ![Agents Interface - Agent Enrollment Secret icon](/img/product_docs/threatprevention/threatprevention/admin/agents/enrollmentsecreticon.webp) | Agent Enrollment Secret | Generate the enrollment secret used to deploy the Agent. Opens the [Enrollment Secret Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/agents/window/enrollmentsecretconfiguration.md). | +| ![Agents Interface - Deploy Agent icon](/img/product_docs/threatprevention/threatprevention/admin/agents/deployagent.webp) | Deploy Agent | Deploy the Agent to selected servers. It opens the Deploy Agents wizard. See the [Deploy Agents](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md) topic for additional information. 
| ## Right-Click Menu A right-click menu is available for each row in the data grid. Options not applicable to the selected Agent are grayed-out. -![Agents Interface - Right-Click Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/rightclickmenu.webp) +![Agents Interface - Right-Click Menu](/img/product_docs/threatprevention/threatprevention/admin/agents/rightclickmenu.webp) The right-click menu contains the following selections: | Right-Click Command | Description | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Install Agent | Deploys the Agent to the desired machines. Opens the Deploy Agent wizard. See the [Deploy Agents](deploy/overview.md) topic for additional information. | -| Uninstall Agent | Uninstalls a previously deployed Agent from its server. See the [Uninstall Agent](../../install/upgrade/uninstallagent.md) topic for additional information. | -| Upgrade Agent | Upgrades the Agent to a newer version. See the [Upgrade Agent](../../install/upgrade/agent.md) topic for additional information. | -| Upgrade ADMonitor | Updates the SI.ActiveDirectoryMonitor.dll (LSASS module) only rather than the entire Agent. See the [Upgrade ADMonitor](management/upgradeadmonitor.md) topic for additional information. | +| Install Agent | Deploys the Agent to the desired machines. Opens the Deploy Agent wizard. See the [Deploy Agents](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md) topic for additional information. | +| Uninstall Agent | Uninstalls a previously deployed Agent from its server. 
See the [Uninstall Agent](/docs/threatprevention/7.5/threatprevention/install/upgrade/uninstallagent.md) topic for additional information. | +| Upgrade Agent | Upgrades the Agent to a newer version. See the [Upgrade Agent](/docs/threatprevention/7.5/threatprevention/install/upgrade/agent.md) topic for additional information. | +| Upgrade ADMonitor | Updates the SI.ActiveDirectoryMonitor.dll (LSASS module) only rather than the entire Agent. See the [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md) topic for additional information. | | Update Agent Settings | Allows for modification of the Agent settings, such as the modules, Enterprise Manager address, or enabling/disabling the DNS Host Name Resolution option. It opens the Deploy Agent wizard. See the [Update Agent Settings](deploy/overview.md#update-agent-settings) topic for additional information. | -| Start Agent | Starts the Agent service on the selected machine(s). See the [Start Agent](management/start.md) topic for additional information. | -| Stop Agent | Stops the Agent service on the selected machine(s). See the [Stop Agent](management/stop.md) sections for additional information. | -| Start Pending Modules | Starts Agent service modules that did not start with the Agent due to a change in LSASS (only available on Agents configured to use Safe Mode). See the [Agent Safe Mode](safemode.md) topic and the [Start Pending Modules](management/startpendingmodules.md) topic for additional information. | -| Harden Agent | Protects an Agent from being altered, stopped, or started from within the local Service Control Manager. See the [Harden Agent](management/harden.md) topic for additional information. | -| Soften Agent | Unlocks the Agent so it can be controlled from within the local Service Control Manager. See the [Soften Agent](management/soften.md) topic for additional information. 
| -| Remove Server from List | Removes a server from the Agent data grid. If the server has a deployed Agent, it will be added back to the list the next time the Agent sends information to the Enterprise Manager. See the [Remove Server from List](management/removeserver.md) topic for additional information. | -| Clear SQLite Agent Queue | When the Agent is unable to communicate with the Enterprise Manager, Agent events queue up in the Agents local SQLite database until the Enterprise Manager is available to accept events. The Clear SQLite Agent Queue option dumps the queue and all pending events are lost. See the [Clear SQLite Agent Queue](management/clearqueue.md) topic for additional information. | +| Start Agent | Starts the Agent service on the selected machine(s). See the [Start Agent](/docs/threatprevention/7.5/threatprevention/admin/agents/management/start.md) topic for additional information. | +| Stop Agent | Stops the Agent service on the selected machine(s). See the [Stop Agent](/docs/threatprevention/7.5/threatprevention/admin/agents/management/stop.md) sections for additional information. | +| Start Pending Modules | Starts Agent service modules that did not start with the Agent due to a change in LSASS (only available on Agents configured to use Safe Mode). See the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic and the [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic for additional information. | +| Harden Agent | Protects an Agent from being altered, stopped, or started from within the local Service Control Manager. See the [Harden Agent](/docs/threatprevention/7.5/threatprevention/admin/agents/management/harden.md) topic for additional information. | +| Soften Agent | Unlocks the Agent so it can be controlled from within the local Service Control Manager. 
See the [Soften Agent](/docs/threatprevention/7.5/threatprevention/admin/agents/management/soften.md) topic for additional information. | +| Remove Server from List | Removes a server from the Agent data grid. If the server has a deployed Agent, it will be added back to the list the next time the Agent sends information to the Enterprise Manager. See the [Remove Server from List](/docs/threatprevention/7.5/threatprevention/admin/agents/management/removeserver.md) topic for additional information. | +| Clear SQLite Agent Queue | When the Agent is unable to communicate with the Enterprise Manager, Agent events queue up in the Agents local SQLite database until the Enterprise Manager is available to accept events. The Clear SQLite Agent Queue option dumps the queue and all pending events are lost. See the [Clear SQLite Agent Queue](/docs/threatprevention/7.5/threatprevention/admin/agents/management/clearqueue.md) topic for additional information. | For certain actions, you can select multiple Agents listed in the data grid, to perform that action on all the selected Agents. The appropriate right-click menu options will not be grayed out if @@ -166,9 +166,9 @@ WMI to remotely query the registry on the target Agent machine(s) to understand configuration files are located (install path). Next, WMI is used to stop the Agent service, modify the configuration files, and restart the Agent. -See the [Firewall Ports](../../requirements/ports.md) topic for default ports required for WMI +See the [Firewall Ports](/docs/threatprevention/7.5/threatprevention/requirements/ports.md) topic for default ports required for WMI communication. See the Microsoft -[WMI Diagnosis Utility]() +[WMI Diagnosis Utility](https://docs.microsoft.com/en-us/previous-versions/tn-archive/ff404265(v=msdn.10)?redirectedfrom=MSDN) article for additional information. ## Additional Agent Considerations 
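Review bot: The new target on the `[WMI Diagnosis Utility]` line puts literal parentheses, `ff404265(v=msdn.10)`, inside the Markdown link destination and keeps the `?redirectedfrom=MSDN` query string. Balanced parentheses are legal in CommonMark, but Markdown and MDX toolchains do not all parse them the same way, so percent-encode them as `%28v=msdn.10%29` or wrap the destination in angle brackets, and drop the redirect parameter, which is not needed to reach the article. Filling in the previously empty `()` target is the right fix; please confirm in a preview build that the link renders and resolves.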
@@ -178,15 +178,15 @@ Below are some considerations: - Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the Agent instrumentation resulting in LSASS shutting down. The Agent is configured to monitor for an LSASS process termination shortly after a server reboot. The - [LSASS Process Terminated](../../troubleshooting/lsass.md) alert (Operations alert) is triggered + [LSASS Process Terminated](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md) alert (Operations alert) is triggered in this event and the Agent is stopped. As a result, all monitoring/blocking by that Agent stops. To resolve the issue, either upgrade to the latest version of the Agent or simply upgrade SI.ActiveDirectoryMonitor.dll - commonly known as ADMonitor DLL (recommended). See the - [Upgrade ADMonitor](management/upgradeadmonitor.md)topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md)topic for additional information. **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See the - [Enable the 'LSASS Process Terminated' Email Alert](../../troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) + [Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) topic for additional information. - In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode. 
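Review bot: On the `+` line for the Upgrade ADMonitor link, the missing space after the closing parenthesis is carried over unchanged: `...management/upgradeadmonitor.md)topic for additional information.` Add the space (`.md) topic`) while the line is being edited, so the rendered sentence does not run the link into the next word.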
@@ -197,11 +197,11 @@ Below are some considerations: monitoring/blocking by that Agent stops. The 'Agent Started in AD Monitor pending mode' alert (Operations alert) is triggered in this event. To resolve the issue temporarily, the Threat Prevention administrator should start the pending modules. See the - [Start Pending Modules](management/startpendingmodules.md) topic for additional information. It is + [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic for additional information. It is also recommended to upgrade SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL) to - resolve the issue permanently. See the [Upgrade ADMonitor](management/upgradeadmonitor.md) + resolve the issue permanently. See the [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md) topic for additional information. **_RECOMMENDED:_** Activate an email notification for this alert. See the [Enable Agent Started in AD Monitor Pending Mode Email Alert](safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert) - topic and the [Agent Safe Mode](safemode.md) topic for additional information. + topic and the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md b/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md index 993fc09b6a..0755ab9230 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md 
@@ -6,15 +6,15 @@ LSASS process. Below are some considerations: - Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the Agent instrumentation resulting in LSASS shutting down. The Agent is configured to monitor for an LSASS process termination shortly after a server reboot. The - [LSASS Process Terminated](../../troubleshooting/lsass.md) alert (Operations alert) is triggered + [LSASS Process Terminated](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md) alert (Operations alert) is triggered in this event and the Agent is stopped. As a result, all monitoring/blocking by that Agent stops. To resolve the issue, either upgrade to the latest version of the Agent or simply upgrade SI.ActiveDirectoryMonitor.dll - commonly known as ADMonitor DLL (recommended). See the - [Upgrade ADMonitor](management/upgradeadmonitor.md)topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md)topic for additional information. **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See the - [Enable the 'LSASS Process Terminated' Email Alert](../../troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) + [Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) topic for additional information. - In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode. 
@@ -25,9 +25,9 @@ LSASS process. Below are some considerations: monitoring/blocking by that Agent stops. The 'Agent Started in AD Monitor pending mode' alert (Operations alert) is triggered in this event. To resolve the issue temporarily, the Threat Prevention administrator should start the pending modules. See the - [Start Pending Modules](management/startpendingmodules.md) topic for additional information. It is + [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic for additional information. It is also recommended to upgrade SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL) to - resolve the issue permanently. See the [Upgrade ADMonitor](management/upgradeadmonitor.md) + resolve the issue permanently. See the [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md) topic for additional information. **_RECOMMENDED:_** Activate an email notification for this alert. See the Enable Agent Started @@ -42,7 +42,7 @@ instrumentation. Active Directory monitoring/blocking will not resume until the pending modules are started. To determine if the LSASS changes will conflict with the Agent instrumentation, start the pending -modules on one domain controller (see the [Start Pending Modules](management/startpendingmodules.md) +modules on one domain controller (see the [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic). If there are no issues after five minutes, it is unlikely that the changes are conflicting with the Agent instrumentation. If there are any concerns about the changes, reach out to [](mailto:support@stealthbits.com)[Netwrix Support](https://www.netwrix.com/support.html) for more 
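Review bot: In the `@@ -42,7` hunk, the context line below the changed Start Pending Modules link still carries an empty-text link, `[](mailto:support@stealthbits.com)`, directly before `[Netwrix Support](https://www.netwrix.com/support.html)`. It renders as nothing, so readers never see it, yet it keeps a mailto to the stealthbits.com domain in the published source. This link cleanup is a good place to remove it or give it visible text, and to confirm whether that address is still the intended support contact.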
@@ -58,7 +58,7 @@ Follow the steps to enable email notifications for the Agent Started in AD Monit Operations alert. **NOTE:** These steps require the Threat Prevention administrator role. They also assume that the -[System Alerting Window](../configuration/systemalerting/overview.md) has been configured and email +[System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) has been configured and email alerts have been enabled. **Step 1 –** Clck **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System @@ -68,15 +68,15 @@ Alerting window opens. **Step 3 –** Create a message profile for the Safe Mode notification with the recipient(s) to be notified when the AD modules are pending. See the -[Create Message Profiles](../configuration/systemalerting/email.md#create-message-profiles) topic +[Create Message Profiles](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md#create-message-profiles) topic for additional information. -![Netwrix Threat Prevention System Alerting window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/adpendingmodealert.webp) +![Netwrix Threat Prevention System Alerting window](/img/product_docs/threatprevention/threatprevention/admin/agents/adpendingmodealert.webp) **Step 4 –** Select **Events**, and then **Operations** on the left. Check the **Agent Started in AD Monitor pending mode** event alert and select the message profile you created in Step 3 from the drop-down menu to assign it to the alert. See the -[Email Tab](../configuration/systemalerting/email.md) topic for additional information. +[Email Tab](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md) topic for additional information. **Step 5 –** Ensure that the email alerts are **Enabled** and click **OK**. 
diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/window/agentinstallerupdate.md b/docs/threatprevention/7.5/threatprevention/admin/agents/window/agentinstallerupdate.md index c94a46221b..f9f0191246 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/window/agentinstallerupdate.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/window/agentinstallerupdate.md @@ -2,7 +2,7 @@ Netwrix periodically releases updated Agent installation packages. Typically these updates are associated with Microsoft KBs (hot-fixes) which alter the LSASS components interfering with the -Agent instrumentation. See the [Agent Information](../../../install/agent/overview.md) topic for +Agent instrumentation. See the [Agent Information](/docs/threatprevention/7.5/threatprevention/install/agent/overview.md) topic for additional information. To download an installation package, the Threat Prevention server must be connected to the internet. 
@@ -16,18 +16,18 @@ Follow the steps to download the updated Agent installer. **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. Then click **Update Agent Installer** to launch the Agent Installer Update window. -![Agent Installer Update window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/checkfornewversion.webp) +![Agent Installer Update window](/img/product_docs/threatprevention/threatprevention/admin/agents/window/checkfornewversion.webp) **Step 2 –** Click **Check for Newer Version of the Netwrix Threat Prevention Agent**. Threat Prevention downloads the Agent installer from a static URL and then compares the Agent installer currently in use to the installer downloaded. -![Agent Installer Update window showing that Agent Installer is up-to-date](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/uptodate.webp) +![Agent Installer Update window showing that Agent Installer is up-to-date](/img/product_docs/threatprevention/threatprevention/admin/agents/window/uptodate.webp) - If the versions are the same, the message specifies **Agent Installer is up-to-date…** and displays the Agent version number. Click **Close** to close the window. -![Agent Installer Update window showing that Agent version is outdated](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/agentversionmismatch.webp) +![Agent Installer Update window showing that Agent version is outdated](/img/product_docs/threatprevention/threatprevention/admin/agents/window/agentversionmismatch.webp) - If the downloaded version is newer, the message displays both version numbers and provides an option to apply the update. Click **Apply Update**. 
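Review bot: Step 2 in this hunk says Threat Prevention downloads the Agent installer from a static URL and then offers **Apply Update**, but the visible text does not say how the downloaded package is authenticated before it is applied. Because the Agent is deployed to domain controllers and instruments LSASS, consider adding a sentence stating whether the download uses HTTPS and whether the installer's signature is checked, or linking to the topic that covers it. The three image path changes look consistent with the rest of the patch.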
diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/window/configureautodeploy.md b/docs/threatprevention/7.5/threatprevention/admin/agents/window/configureautodeploy.md index 4d0d0cdd7a..54deb99e1e 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/window/configureautodeploy.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/window/configureautodeploy.md @@ -8,7 +8,7 @@ Follow the steps to auto deploy the Agent. **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. Then click **Configure Auto Deploy** to launch the Configure Auto Deploy window. -![Configure Auto Deploy window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/autodeploy.webp) +![Configure Auto Deploy window](/img/product_docs/threatprevention/threatprevention/admin/agents/window/autodeploy.webp) **Step 2 –** Select the **Enable Auto Deploy** checkbox to enable the following configuration options: @@ -24,7 +24,7 @@ options: - Textbox – Enter the desired installation location, e.g. d:\myagent - Safe Mode – If selected, the Agent checks LSASS versions on start up. Any changes in LSASS since the previous start prevents the Windows AD Events monitoring module from loading. See - the [Agent Safe Mode](../safemode.md) topic for additional information. + the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. - EM IP Address/Name – Displays the IP address of the machine where Enterprise Manager is installed - Port – Displays the port the Enterprise Manager uses to communicate with the Agent diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/window/enrollmentsecretconfiguration.md b/docs/threatprevention/7.5/threatprevention/admin/agents/window/enrollmentsecretconfiguration.md index 6fff29b1f9..d305b0aaa6 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/agents/window/enrollmentsecretconfiguration.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/window/enrollmentsecretconfiguration.md @@ -9,14 +9,14 @@ enrollment secret is applied depends on the method used to install the Agent. and use a new enrollment secret as part of automated Agent installation. - If installing the Agent manually, the enrollment secret must be entered in the Certificates window of the Agent Setup wizard during installation. See the - [Manual Agent Deployment](../../../install/agent/manual.md) topic for additional information. + [Manual Agent Deployment](/docs/threatprevention/7.5/threatprevention/install/agent/manual.md) topic for additional information. Follow the steps to generate the enrollment secret. **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. Then click **Agent Enrollment Secret** to launch the Enrollment Secret Configuration window. -![Enrollment Secret Configuration window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/enrollmentsecret.webp) +![Enrollment Secret Configuration window](/img/product_docs/threatprevention/threatprevention/admin/agents/window/enrollmentsecret.webp) The Enrollment Secret Configuration window enables you to generate the enrollment secret required to manually deploy the Agent. It has the following fields: diff --git a/docs/threatprevention/7.5/threatprevention/admin/agents/window/loglevelconfiguration.md b/docs/threatprevention/7.5/threatprevention/admin/agents/window/loglevelconfiguration.md index 574ff42a1f..813cc46148 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/agents/window/loglevelconfiguration.md +++ b/docs/threatprevention/7.5/threatprevention/admin/agents/window/loglevelconfiguration.md 
@@ -13,7 +13,7 @@ Follow the steps to set log levels. **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. Then click **Update Logging Levels** on the top bar to launch the Log Level Configuration window. -![Log Level Configuration Window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/loglevelconfiguration.webp) +![Log Level Configuration Window](/img/product_docs/threatprevention/threatprevention/admin/agents/window/loglevelconfiguration.webp) **Step 2 –** To update the logging level for an Agent: @@ -57,12 +57,12 @@ Logging Levels** on the top bar to launch the Log Level Configuration window. Follow the steps to access the Agent log files. -![Get Agent Log icon](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/getagentlog.webp) +![Get Agent Log icon](/img/product_docs/threatprevention/threatprevention/admin/agents/window/getagentlog.webp) **Step 1 –** Click **Agents** in the left pane to launch the Agents interface. Select a server/Agent and click **Get Agent Log** . -![Save As window for Agent logs](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/saveaswindow.webp) +![Save As window for Agent logs](/img/product_docs/threatprevention/threatprevention/admin/agents/window/saveaswindow.webp) **Step 2 –** The Save As window opens with the selected Agent’s log already selected from its original location. Select the new location and click **Save**. @@ -79,7 +79,7 @@ Log files are stored in the following locations: Enterprise Manager Log Files -![Enterprise Manager Log File Location](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/emlogs.webp) +![Enterprise Manager Log File Location](/img/product_docs/threatprevention/threatprevention/admin/agents/window/emlogs.webp) The default location is: 
@@ -87,7 +87,7 @@ The default location is: Administration Console Log Files -![Administration Console Log File Location](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/agents/window/consolelogs.webp) +![Administration Console Log File Location](/img/product_docs/threatprevention/threatprevention/admin/agents/window/consolelogs.webp) The default location is: diff --git a/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md b/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md index 15a9cf1971..df2692690e 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md @@ -5,12 +5,12 @@ Configuration events for Threat Prevention - all of which are known as alerts. T system-generated and do not require any prior configuration. You can choose to view alerts related to analytics configuration and monitoring status on the Alerts -interface. See the [Alerts Cleanup Window](window/alertscleanup.md) topic for options to display +interface. See the [Alerts Cleanup Window](/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertscleanup.md) topic for options to display this data. Click **Alerts** in the left pane to launch the Alerts interface. -![Alerts interface](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/alerts/alertsinterface.webp) +![Alerts interface](/img/product_docs/threatprevention/threatprevention/admin/alerts/alertsinterface.webp) The following options are available on the toolbar: 
@@ -57,7 +57,7 @@ The data grid displays the following information for each event: - Threat Prevention Configuration events For a list of the events that fall under each component, see the - [System Alerting Window](../configuration/systemalerting/overview.md) + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) - Machine – Name of the originating host - Alert – Name of the event that triggered the alert @@ -65,12 +65,12 @@ The data grid displays the following information for each event: - Message – Description and details about the event. The **Policy updated on server Changeset #[number]** link is displayed for events that represent a change to a policy, be it a policy under the Policies node or one defined for analytics. Click it to open the - [Policy Comparison Window](window/policycomparison.md) where you can view any changes made to the + [Policy Comparison Window](/docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md) where you can view any changes made to the policy. Alerts generated for an archive database maintenance job have "Archive DB:" as the message prefix to differentiate them from those generated for the database maintenance job. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. Select an event in the data grid to view its details. 
@@ -83,15 +83,15 @@ Below are some considerations: - Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the Agent instrumentation resulting in LSASS shutting down. The Agent is configured to monitor for an LSASS process termination shortly after a server reboot. The - [LSASS Process Terminated](../../troubleshooting/lsass.md) alert (Operations alert) is triggered + [LSASS Process Terminated](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md) alert (Operations alert) is triggered in this event and the Agent is stopped. As a result, all monitoring/blocking by that Agent stops. To resolve the issue, either upgrade to the latest version of the Agent or simply upgrade SI.ActiveDirectoryMonitor.dll - commonly known as ADMonitor DLL (recommended). See the - [Upgrade ADMonitor](../agents/management/upgradeadmonitor.md)topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md)topic for additional information. **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See the - [Enable the 'LSASS Process Terminated' Email Alert](../../troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) + [Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) topic for additional information. - In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode. 
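Review bot: The `+` line for Upgrade ADMonitor repeats the missing space in `...management/upgradeadmonitor.md)topic`, and the considerations block in this hunk is a verbatim copy of the one edited in admin/agents/safemode.md earlier in the patch, so every link had to be rewritten in more than one file. Fix the spacing here as well, and consider keeping the block in a single shared source so the next path change touches one copy.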
@@ -102,11 +102,11 @@ Below are some considerations: monitoring/blocking by that Agent stops. The 'Agent Started in AD Monitor pending mode' alert (Operations alert) is triggered in this event. To resolve the issue temporarily, the Threat Prevention administrator should start the pending modules. See the - [Start Pending Modules](../agents/management/startpendingmodules.md) topic for additional + [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic for additional information. It is also recommended to upgrade SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL) to resolve the issue permanently. See the - [Upgrade ADMonitor](../agents/management/upgradeadmonitor.md) topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md) topic for additional information. **_RECOMMENDED:_** Activate an email notification for this alert. See the - [Enable Agent Started in AD Monitor Pending Mode Email Alert](../agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert) - topic and the [Agent Safe Mode](../agents/safemode.md) topic for additional information. + [Enable Agent Started in AD Monitor Pending Mode Email Alert](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert) + topic and the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertscleanup.md b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertscleanup.md index e32934464b..688ecd1e1c 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertscleanup.md +++ b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertscleanup.md 
@@ -1,10 +1,10 @@ # Alerts Cleanup Window -You can clear alert data displayed on the [Alerts Interface](../overview.md) as well as schedule +You can clear alert data displayed on the [Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md) as well as schedule cleanups for this data. **_RECOMMENDED:_** Export alert data before using the Clear option. See the -[Alerts Export Window](alertsexport.md) topic for additional information. +[Alerts Export Window](/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md) topic for additional information. Follow the steps to clear the alerts data. @@ -12,7 +12,7 @@ Follow the steps to clear the alerts data. **Step 2 –** On the Alerts interface, click the **Clear** icon in the top right corner. -![Alerts Cleanup window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/alerts/window/alertscleanup.webp) +![Alerts Cleanup window](/img/product_docs/threatprevention/threatprevention/admin/alerts/window/alertscleanup.webp) **Step 3 –** The Alerts Cleanup window has these options: @@ -21,7 +21,7 @@ Follow the steps to clear the alerts data. number of days. - Log Level – Deletes alerts that have the log levels that are checked. The log levels are equivalent to the alert severity levels in the data grid on the - [Alerts Interface](../overview.md). + [Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md). - Save deleted to File – Saves alert data to a CSV file before it is deleted from the database. On clicking Start, the Save As window appears. Specify a file name and location; the default name is “Alerts*Backup*[date]\_[timestamp]”. Then click Save. diff --git a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md index 8e332c5c31..2d4fa05810 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md +++ b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md @@ -9,7 +9,7 @@ Follow the steps to export the alerts data. **Step 2 –** On the Alerts interface, click the **Export Data** icon in the top right corner; the Alerts Export window is displayed. -![Alerts Export window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![Alerts Export window](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) **Step 3 –** Export options include: diff --git a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md index 3ebbf88bdd..2e932d696a 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md +++ b/docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md @@ -13,7 +13,7 @@ Follow the steps to run a comparison. link in the Message column for an alert. The Policy Comparison window opens, where you can view the changes made to the policy against the respective alert. -![olicy Comparison window ](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/alerts/window/policycomparison.webp) +![olicy Comparison window ](/img/product_docs/threatprevention/threatprevention/admin/alerts/window/policycomparison.webp) **Step 3 –** On the Policy Comparison windowthe old xml displays on the left and the modified xml on the right. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseridsourcehost.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseridsourcehost.md index 8f07ff0e24..a9ec2e75e4 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseridsourcehost.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseridsourcehost.md @@ -23,7 +23,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Bad User ID (by Source Host) Analytic Data Grid topic for information on event data collected per incident. @@ -45,7 +45,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Bad User ID (by Source Host) Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsettings.webp) +![Bad User ID (by Source Host) Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsettings.webp) Set the Number of Days for which repeated authentication attempts by a machine using a bad user account will be tallied. An incident will be triggered for every previously unseen host that has a 
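Review bot: in docs/threatprevention/7.5/threatprevention/admin/alerts/window/policycomparison.md (hunk `@@ -13,7 +13,7 @@`, the file just ahead of this one in the patch), the rewritten image line carries the alt text `olicy Comparison window ` with the leading P missing and a trailing space; correct it to `Policy Comparison window` in the same change. The Step 3 context line right below it has `windowthe` run together and is worth fixing while the file is open.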
@@ -56,16 +56,16 @@ new count. Policy Tab -![Bad User ID (by Source Host) Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Bad User ID (by Source Host) Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The Policy tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. Additionally, there is no AD Perpetrator filter. - _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If 
@@ -86,12 +86,12 @@ The Policy tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Bad User ID (by Source Host) Analytic Data Grid 
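Review bot: every target added in this `@@ -86,12 +86,12 @@` hunk, like the others in this file, hard-codes the version segment, for example `/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md`, where the removed `../policies/actions/overview.md` resolved inside whichever version directory the file lives in. Confirm that whatever creates a new version tree rewrites these paths; otherwise a copy of this file under a later version would link back into 7.5.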
@@ -99,10 +99,10 @@ The Policy tab for configuring analytics consists of three sub-tabs: The data grid on the **Bad User ID (by source host)** node lists one row per incident identified. These incidences are grouped per unique source machine. -![Bad User ID by Source Host window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsourcehost.webp) +![Bad User ID by Source Host window](/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsourcehost.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: @@ -132,4 +132,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseriduser.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseriduser.md index 952b8e2fe0..fc93b8bced 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseriduser.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseriduser.md 
@@ -23,7 +23,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Bad User ID (by User) Analytic Data Grid topic for information on event data collected per incident. @@ -45,7 +45,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Bad User ID (by User) Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsettings.webp) +![Bad User ID (by User) Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseridsettings.webp) Set the **Number of Days** for which repeated use of the same bad user account will be tallied. An incident will be triggered for every previously unseen bad user account that attempts login. Each 
@@ -55,16 +55,16 @@ first attempt, a new incident will be triggered for any additional attempt with Policy Tab -![Bad User ID (by User) Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Bad User ID (by User) Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. Additionally, there is no AD Perpetrator filter. - *Optional:* Scope the protocol to be monitored on the Authentication Protocol filter. If 
@@ -85,12 +85,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Bad User ID (by User) Analytic Data Grid 
@@ -98,10 +98,10 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: The data grid on the **Bad User ID (by user)** node lists one row per incident identified. These incidences are grouped per unique bad user name. -![Bad User ID (by User) Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseriduser.webp) +![Bad User ID (by User) Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/baduseriduser.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: @@ -130,4 +130,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/breachedpassword.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/breachedpassword.md index 21dbf066bb..546271da1d 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/breachedpassword.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/breachedpassword.md 
@@ -15,7 +15,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Breached Password Analytic Data Grid topic for information on event data collected per incident. @@ -37,7 +37,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Breached Password Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/breachedpasswordsettings.webp) +![Breached Password Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/breachedpasswordsettings.webp) Set the Number of Failed Attempts preceding a successful login and the Interval Duration that will trigger the incident. The interval duration is set for (Hours:Minutes) and is capped at 23:59. When 
@@ -51,16 +51,16 @@ memory once they are more than 24 hours old. Policy Tab -![Breached Password Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Breached Password Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the protocol to be monitored on the Authentication Protocol filter. If enabling the 
@@ -83,22 +83,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Breached Password Analytic Data Grid The data grid on the **Breached Password** node lists one row per incident identified. -![Breached Password Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/breachedpassword.webp) +![Breached Password Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/breachedpassword.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -139,4 +139,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/bruteforceattacks.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/bruteforceattacks.md index c83464ce42..a00f87eaa5 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/bruteforceattacks.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/bruteforceattacks.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Brute Force Attacks Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Brute Force Attacks Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/bruteforceattackssettings.webp) +![Brute Force Attacks Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/bruteforceattackssettings.webp) Set the Number of Failed Attempts preceding a successful login and the Interval Duration that will trigger the incident. The interval duration is set for (Hours:Minutes) and is capped at 23:59. When 
@@ -59,16 +59,16 @@ from contributing to Brute Force Attacks incidents. Policy Tab -![Brute Force Attacks Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Brute Force Attacks Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the servers to be included in or excluded from monitoring on the IP Addresses (from) 
@@ -91,22 +91,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: Perpetrator filter. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Brute Force Attacks Analytic Data Grid The data grid on the **Brute Force Attacks** node lists one row per incident identified. -![Brute Force Attacks Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/bruteforce.webp) +![Brute Force Attacks Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/bruteforce.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -138,4 +138,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/concurrentlogins.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/concurrentlogins.md index ac6a66ff67..e2647e32dc 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/concurrentlogins.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/concurrentlogins.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Concurrent Logins Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Concurrent Logins Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentloginssettings.webp) +![Concurrent Logins Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentloginssettings.webp) Set the Number of Hosts and the Interval Duration that will trigger the incident. The interval duration is set for (Hours:Minutes) and is capped at 23:59. When the specified number of hosts have 
@@ -54,16 +54,16 @@ memory once they are more than 24 hours old. Policy Tab -![Concurrent Logins Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Concurrent Logins Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If 
@@ -86,22 +86,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Concurrent Logins Analytic Data Grid The data grid on the **Concurrent Logins** node lists one row per incident identified. -![Concurrent Logins Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentlogins.webp) +![Concurrent Logins Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentlogins.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -139,4 +139,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/filesystemattacksuser.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/filesystemattacksuser.md index ab38a71f7f..5a1e981f78 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/filesystemattacksuser.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/filesystemattacksuser.md @@ -20,7 +20,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the File System Attacks (by User) Analytic Data Grid topic for information on event data collected per incident. @@ -42,7 +42,7 @@ The Configure Analytics window has two tabs: Settings Tab -![File System Attacks (by User) Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/filesystemattackssettings.webp) +![File System Attacks (by User) Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/filesystemattackssettings.webp) Set the Number of Accessed Files and the Interval Duration that will trigger the incident. The interval duration is set for (Hours:Minutes) and is capped at 1:00. When a particular user causes 
@@ -68,15 +68,15 @@ list and blocked from initiating future events. Policy Tab for Monitoring Only -![File System Attacks (by User) Analytic Type - Policy tab for Monitoring Only](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytabfsmonitoring.webp) +![File System Attacks (by User) Analytic Type - Policy tab for Monitoring Only](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytabfsmonitoring.webp) The **Policy** tab for configuring analytics consists of the following sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. For monitoring only, it + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. For monitoring only, it contains the File System Changes event type. The only exception is that the Success filter cannot be modified. 
@@ -99,17 +99,17 @@ The **Policy** tab for configuring analytics consists of the following sub-tabs: Perpetrator filter. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. Policy Tab for Monitoring & Lockdown -![File System Attacks (by User) Analytic Type - Policy tab for Monitoring and Lockdown](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytabfsmonitoringlockdown.webp) +![File System Attacks (by User) Analytic Type - Policy tab for Monitoring and Lockdown](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytabfsmonitoringlockdown.webp) When the **Enable Automatic Lockdown** option is selected on the **Settings** tab, the **Policy** tab > **Event Type** tab includes both the File System Lockdown Event Type and the File System 
@@ -117,13 +117,13 @@ Changes Event Type. The **Policy** tab for configuring analytics consists of the following sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. It contains both the - [File System Lockdown Event Type](../policies/eventtype/filesystemlockdown.md) and the - [File System Changes Event Type](../policies/eventtype/filesystemchanges.md). The only exception + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. It contains both the + [File System Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/filesystemlockdown.md) and the + [File System Changes Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/filesystemchanges.md). The only exception is that for the Lockdown Event Type, the File System filter is hard coded to mirror the configuration of the File System Changes Event Type settings. 
@@ -138,22 +138,22 @@ The **Policy** tab for configuring analytics consists of the following sub-tabs: they trigger another incident - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## File System Attacks (by User) Analytic Data Grid The data grid on the **File System Attacks (by user)** node lists one row per incident identified. -![File System Attacks (by User) Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/fsattacks.webp) +![File System Attacks (by User) Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/fsattacks.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -209,4 +209,4 @@ Select an incident in the top data grid to view information on the events that t the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md index d91d381ea4..59a4595871 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md @@ -17,7 +17,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Forged PAC Analytic Data Grid topic for information on event data collected per incident. @@ -38,7 +38,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Forged PAC Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/forgedpacsettings.webp) +![Forged PAC Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/forgedpacsettings.webp) Remember, the Forged PAC analytic is monitoring for when the user is not a member of a group that is listed in the PAC section of the user’s Kerberos ticket. This analytic can be scoped to monitor 
@@ -49,23 +49,23 @@ You can select specific RIDs that Threat Prevention compares against the PAC and for a mismatch to trigger the incident. - Click the **Add** (**+**) button to open the - [Select AD Groups Window](../policies/eventtype/window/selectactivedirectory/groups.md), where you + [Select AD Groups Window](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/window/selectactivedirectory/groups.md), where you can select the desired Active Directory group(s). On selection, the RID of that group is monitored for modifications. - The **Remove** (**x**) button removes the selected item(s) from the incident criteria. Policy Tab -![Forged PAC Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Forged PAC Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. 
The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the servers to be included in or excluded from monitoring on the IP Addresses (from) 
@@ -89,22 +89,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: Perpetrator filter. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Forged PAC Analytic Data Grid The data grid on the **Forged PAC** node lists one row per incident identified. -![Forged PAC Analytic Type window](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) +![Forged PAC Analytic Type window](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
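Review bot: The Forged PAC data grid screenshot in this hunk still resolves into another product's asset tree, `/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp`, while the other images in this file's hunks sit under `/img/product_docs/threatprevention/...`. The rewrite carries the cross-product path over unchanged. Confirm the file is served at the new absolute location, and consider placing a copy under the threatprevention analytics image folder so this page does not break if the Activity Monitor assets are reorganized.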
@@ -125,4 +125,4 @@ The top data grid includes the following information for each incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/goldenticket.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/goldenticket.md index 5672b3da4e..a412c60c32 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/goldenticket.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/goldenticket.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Golden Tickets Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Golden Ticket Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/goldenticketsettings.webp) +![Golden Ticket Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/goldenticketsettings.webp) Set the _Maximum Lifetime for User Ticket [value] Hours_ and the _Maximum Lifetime for User Ticket Renewal [value] Days_ to trigger the incident. The default Microsoft Windows lifetime for user 
@@ -50,16 +50,16 @@ ticket exceeds either of these values, an incident is triggered. Policy Tab -![Golden Ticket Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Golden Ticket Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. **_RECOMMENDED:_** Do not configure any filters for this analytic type. 
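Review bot: The rewritten link lines in the General tab and Event Type tab bullets are no longer wrapped like the text around them. For example, `[Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard` is far longer than the unchanged line that follows it. If the repository formats or lints Markdown to a fixed width, re-wrap these paragraphs in the same commit so the next formatter run does not produce a second diff over the same lines.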
@@ -84,22 +84,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Golden Tickets Analytic Data Grid The data grid on the **Golden Tickets** node lists one row per incident identified. -![Golden Ticket Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/goldenticket.webp) +![Golden Ticket Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/goldenticket.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -124,4 +124,4 @@ The top data grid includes the following information for each incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/horizontalmovementattacks.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/horizontalmovementattacks.md index 5da161f71b..cb781ac3f3 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/horizontalmovementattacks.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/horizontalmovementattacks.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Horizontal Movement Attacks Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Horizontal Movement Attacks Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/horizontalattackssettings.webp) +![Horizontal Movement Attacks Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/horizontalattackssettings.webp) Set the Number of Hosts and the Interval Duration to trigger the incident. The interval duration is set for (hours:minutes) and is capped at 23:59. When successful or failed authentications of a given 
@@ -57,16 +57,16 @@ contributing to Horizontal Movement Attacks incidents. Policy Tab -![Horizontal Movement Attacks Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Horizontal Movement Attacks Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the accounts to include in or exclude from being monitored on the AD Perpetrator filter. 
@@ -88,22 +88,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Horizontal Movement Attacks Analytic Data Grid The data grid on the **Horizontal Movement Attacks** node lists one row per incident identified. -![Horizontal Movement Attacks Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/horizontalmovement.webp) +![Horizontal Movement Attacks Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/horizontalmovement.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -139,4 +139,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/impersonationlogins.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/impersonationlogins.md index 7ed4214952..6e9c88bbbe 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/impersonationlogins.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/impersonationlogins.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Impersonation Logins Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![Impersonation Logins Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentloginssettings.webp) +![Impersonation Logins Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/concurrentloginssettings.webp) Set the Number of Accounts and the Interval Duration to trigger the incident. The interval duration is set for (hours:minutes) and is capped at 23:59. When the specified number of account credentials 
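Review bot: In the Settings Tab hunk of impersonationlogins.md, the image with alt text "Impersonation Logins Analytic Type - Settings tab" points at `concurrentloginssettings.webp`, a file named for the Concurrent Logins analytic. The path rewrite keeps that target as it was. Check whether an impersonation-specific screenshot was intended here. If the shared image is deliberate, a short comment in the source would stop the next link cleanup from flagging it again.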
@@ -54,16 +54,16 @@ memory once they are more than 24 hours old. Policy Tab -![Impersonation Logins Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Impersonation Logins Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If 
@@ -86,22 +86,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Impersonation Logins Analytic Data Grid The data grid on the **Impersonation Logins** node lists one row per incident identified. -![Impersonation Logins Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/impersonationlogins.webp) +![Impersonation Logins Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/impersonationlogins.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
@@ -137,4 +137,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/kerberosweakencryption.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/kerberosweakencryption.md index ac2756c73d..669f42e018 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/kerberosweakencryption.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/kerberosweakencryption.md @@ -16,7 +16,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the Kerberos Weak Encryption Analytic Data Grid topic for information on event data collected per incident. 
@@ -37,16 +37,16 @@ The Configure Analytics window has one tab: Policy Tab -![Kerberos Weak Encryption Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![Kerberos Weak Encryption Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the servers to be included in or excluded from monitoring on the IP Addresses (from) 
@@ -70,22 +70,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: Perpetrator filter. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## Kerberos Weak Encryption Analytic Data Grid The data grid on the **Kerberos Weak Encryption** node lists one row per incident identified. -![kerberosweakencryption](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/kerberosweakencryption.webp) +![kerberosweakencryption](/img/product_docs/threatprevention/threatprevention/admin/analytics/kerberosweakencryption.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
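Review bot: The data grid image in this hunk keeps the alt text `kerberosweakencryption`, which is a file name rather than a description; the corresponding images in the other analytics files use the form "... Analytic Type window". Since the line is being rewritten anyway, change the alt text to "Kerberos Weak Encryption Analytic Type window" so screen readers and broken-image fallbacks show something meaningful.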
@@ -107,4 +107,4 @@ The top data grid includes the following information for each incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md index 925a7f7164..bcb23d5ffc 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md @@ -17,7 +17,7 @@ along with definitions and examples to better understand each analytic. Click **Analytics** in the left pane to launch the Analytics interface. -![Analytics interface](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/analyticsinterface.webp) +![Analytics interface](/img/product_docs/threatprevention/threatprevention/admin/analytics/analyticsinterface.webp) At the top of the interface is a graphical display of incidents monitored by Threat Prevention. Use the color key on the left to toggle off and on results for desired analytics. In the upper-right 
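Review bot: in the kerberosweakencryption.md hunk at -107,4, the rewritten link keeps the leading space inside the link text, `[ Data Grid Functionality]`, so the rendered link starts with a blank. Drop the space while the line is being changed: `[Data Grid Functionality](...)`.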
@@ -42,39 +42,39 @@ list. The Permissions section at the bottom of the interface allows you to protect Analytic policies at the Analytics node. Once a user is assigned permission, all analytic policies, configurations, and data are protected from any user not included in the permissions list. See the -[Protect Policies](../policies/dataprotection.md#protect-policies) topic for instructions on how to +[Protect Policies](/docs/threatprevention/7.5/threatprevention/admin/policies/dataprotection.md#protect-policies) topic for instructions on how to protect analytic policies. -![Analytics node](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/analyticslist.webp) +![Analytics node](/img/product_docs/threatprevention/threatprevention/admin/analytics/analyticslist.webp) Directly under the Analytics node are the individual analytics nodes for accessing information on the monitored incidents and configuring the analytic type: -- [Brute Force Attacks Analytic Type](bruteforceattacks.md) – Reports on failed attempts from a +- [Brute Force Attacks Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/bruteforceattacks.md) – Reports on failed attempts from a single host to access a given host. It can be triggered by different user accounts with bad passwords or invalid account names. 
-- [User Account Hacking Analytic Type](useraccounthacking.md) – Reports on multiple bad passwords +- [User Account Hacking Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/useraccounthacking.md) – Reports on multiple bad passwords provided for a given valid user account -- [Horizontal Movement Attacks Analytic Type](horizontalmovementattacks.md) – Reports on security +- [Horizontal Movement Attacks Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/horizontalmovementattacks.md) – Reports on security principals that are accessing more than the threshold of resources during a specified time interval. This may be indicative of a person trying to obtain information from as many servers as possible which they normally would not be accessing. -- [Bad User ID (by User) Analytic Type](baduseriduser.md) – Reports on pre-authentication failures +- [Bad User ID (by User) Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseriduser.md) – Reports on pre-authentication failures due to using account names that cannot be found in Active Directory. These incidents are grouped per account name. -- [Bad User ID (by Source Host) Analytic Type](baduseridsourcehost.md) – Reports on +- [Bad User ID (by Source Host) Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/baduseridsourcehost.md) – Reports on pre-authentication failures due to using account names that cannot be found in Active Directory. These incidents are grouped per source host. 
-- [Breached Password Analytic Type](breachedpassword.md) – Reports on multiple failed +- [Breached Password Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/breachedpassword.md) – Reports on multiple failed authentications followed by a successful authentication in a specified time frame -- [Concurrent Logins Analytic Type](concurrentlogins.md) – Reports on logins from multiple locations +- [Concurrent Logins Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/concurrentlogins.md) – Reports on logins from multiple locations within a specified time frame -- [Impersonation Logins Analytic Type](impersonationlogins.md) – Reports on multiple authenticated +- [Impersonation Logins Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/impersonationlogins.md) – Reports on multiple authenticated accounts from a single system within a specified time frame -- [Golden Ticket Analytic Type](goldenticket.md) – Reports on Kerberos tickets that exceed the +- [Golden Ticket Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/goldenticket.md) – Reports on Kerberos tickets that exceed the specified maximum lifetimes for a user ticket or maximum lifetimes for a user ticket renewal -- [File System Attacks (by User) Analytic Type](filesystemattacksuser.md) – Reports on significant +- [File System Attacks (by User) Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/filesystemattacksuser.md) – Reports on significant number of file changes made by an account in a short time period -- [Kerberos Weak Encryption Analytic Type](kerberosweakencryption.md) – Reports on Kerberos tickets +- [Kerberos Weak Encryption Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/kerberosweakencryption.md) – Reports on Kerberos tickets with RC4_HMAC_MD5 encryption -- [Forged PAC Analytic Type](forgedpac.md) – Reports on Kerberos tickets with modified PAC +- [Forged PAC 
Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md) – Reports on Kerberos tickets with modified PAC diff --git a/docs/threatprevention/7.5/threatprevention/admin/analytics/useraccounthacking.md b/docs/threatprevention/7.5/threatprevention/admin/analytics/useraccounthacking.md index 6180f57196..07c3d8096a 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/analytics/useraccounthacking.md +++ b/docs/threatprevention/7.5/threatprevention/admin/analytics/useraccounthacking.md @@ -18,7 +18,7 @@ Analytic Workflow 1. Configure the analytic policy 2. Enable the analytic policy 3. Enable alerting on incidents through the - [System Alerting Window](../configuration/systemalerting/overview.md). + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). See the User Account Hacking Analytic Data Grid topic for information on event data collected per incident. @@ -40,7 +40,7 @@ The Configure Analytics window has two tabs: Settings Tab -![User Account Hacking Analytic Type - Settings tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/accounthackingsettings.webp) +![User Account Hacking Analytic Type - Settings tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/accounthackingsettings.webp) Set the Number of Failed Logins and the Interval Duration to trigger the incident. The interval duration is set for (hours:minutes) and is capped at 23:59. When the specified number of failed 
@@ -67,16 +67,16 @@ from contributing to User Account Hacking incidents. Policy Tab -![User Account Hacking Analytic Type - Policy tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) +![User Account Hacking Analytic Type - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/analytics/policytab.webp) The **Policy** tab for configuring analytics consists of three sub-tabs: -- General tab – Configured the same way a regular policy’s [General Tab](../policies/general.md) is +- General tab – Configured the same way a regular policy’s [General Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/general.md) is configured. The only exception is that the Name and Description are hard coded, and cannot be modified. The Tags field is disabled for analytics. - Event Type tab – Configured the same way a regular policy’s - [Event Type Tab](../policies/eventtype/overview.md) is configured. The only exception is that the - [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) is hard + [Event Type Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/overview.md) is configured. The only exception is that the + [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) is hard coded, and the Success filter cannot be modified. - Scope the accounts to include in or exclude from being monitored on the AD Perpetrator filter. 
@@ -98,22 +98,22 @@ The **Policy** tab for configuring analytics consists of three sub-tabs: filter values. - Actions tab – Configured the same way a regular policy’s - [Actions Tab](../policies/actions/overview.md) is configured. The only exceptions are that the + [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) is configured. The only exceptions are that the “Send to Event DB” and “Email Notifications” options are disabled. The event data collected by analytic policies are stored in memory until an incident is triggered. For the “Send Raw Data to SIEM” option, use _caution_, as this will send all event data not the triggered incident, which could be a large volume of data. To send notifications on incidents, use the - [System Alerting Window](../configuration/systemalerting/overview.md) to configure Email and SIEM + [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) to configure Email and SIEM alerts. ## User Account Hacking Analytic Data Grid The data grid on the **User Account Hacking** node lists one row per incident identified. -![User Account Hacking Analytic Type window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/analytics/useraccounthacking.webp) +![User Account Hacking Analytic Type window](/img/product_docs/threatprevention/threatprevention/admin/analytics/useraccounthacking.webp) The data grid can be filtered according to the Event Tracker status: All, New, or Reviewed. See the -[Event Tracker Window](../policies/recentevents/eventtracker.md) topic for additional information. +[Event Tracker Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventtracker.md) topic for additional information. The top data grid includes the following information for each incident: 
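Review bot: the caution about "Send Raw Data to SIEM", in the context lines between the two rewritten links of the Actions tab bullet, reads "this will send all event data not the triggered incident", which is easy to misread. Because this bullet is already being edited, consider rewording it to "this sends all event data, not only the triggered incident", so the warning about data volume is unambiguous.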
@@ -145,4 +145,4 @@ incident: the Enterprise Manager time (displayed in the Date/Time column) due to latency. This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md index a7b9e6ff76..056591dfdc 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md @@ -11,7 +11,7 @@ following collection categories: - Hosts – Dynamic Hosts Collection Table Requirements - File Paths – Dynamic File Paths Collection Table Requirements -![Options on the Add New Collection window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/addcollectionoptions.webp) +![Options on the Add New Collection window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/addcollectionoptions.webp) - The _I will provide a list_ option button enables the default setting for a static collection. See the [Add New Collection Window](listcollections.md#add-new-collection-window) topic to manually diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/listcollections.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/listcollections.md index 6a085271b1..63197462ed 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/listcollections.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/listcollections.md @@ -4,10 +4,10 @@ Use the List of Collections window to add new items to a collection as well as e existing items. Click **Configuration** > **Collections** on the menu to launch the -[Collection Manager Window](overview.md). Then either double-click a Collection or select a +[Collection Manager Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md). Then either double-click a Collection or select a Collection and click the Manage button to open the List of Collections window. -![List of Collections window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/listofcollections.webp) +![List of Collections window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/listofcollections.webp) At the top of the window, the Collection Category is displayed. Each item in the list displays: 
@@ -23,14 +23,14 @@ Follow the steps to add a static collection. **Step 1 –** Click **Add** on the List of Collections window to open the Add New Collection window. -![Add New Collections window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/addnewcollection.webp) +![Add New Collections window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/addnewcollection.webp) **Step 2 –** Select an option: - The _I will provide a list_ option button enables the default setting for a static collection. - The _I want a list to come from the database table_ option button enables a dynamic collection. Enter the table name in the textbox that appears or select it from the drop-down menu. See the - [Dynamic Collections](dynamic.md) topic for additional information. + [Dynamic Collections](/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md) topic for additional information. **Step 3 –** Provide a unique, descriptive name for the collection in the name box. 
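Review bot: the sibling link `[Dynamic Collections](dynamic.md)` in Step 2 is converted to an absolute path, but the dynamic.md hunk earlier in this patch leaves `[Add New Collection Window](listcollections.md#add-new-collection-window)` relative in its context lines. Same-directory links with a `#fragment` appear to have been skipped by the conversion, which leaves the two files linking to each other in two different styles. Either convert the fragment links as well or leave same-directory links relative throughout.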
@@ -43,15 +43,15 @@ populated when collections are created or changed. The Select… window opens. Select a server/Agent from the drop-down menu and click **Connect**. Expand the domain tree in the navigation pane. Select an item in the Results pane on the right and -click **OK**. See the [Selection Windows](../../policies/eventtype/window/overview.md) topic for +click **OK**. See the [Selection Windows](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/window/overview.md) topic for additional information. -![Select window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/selectadobjects.webp) +![Select window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/selectadobjects.webp) Use the **Remove** (x) button to remove Items from the list on the Add New Collection window. Some collection can be configured to be dynamic collections. See the -[Dynamic Collections](dynamic.md) topic for additional information. The Perpetrators and Lockdown +[Dynamic Collections](/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/dynamic.md) topic for additional information. The Perpetrators and Lockdown Perpetrators collections also have the option to expand group membership. See the Expand Groups Option for Perpetrators & Objects Collection topic for additional information. 
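Review bot: the sentence that leads into the rewritten Dynamic Collections link reads "Some collection can be configured to be dynamic collections." It should be "Some collections"; worth fixing in the same change since the sentence continues onto the edited line.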
@@ -67,7 +67,7 @@ collections: - Objects - Lockdown Objects -![Expand Groups option on the Add New Collection window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/expandgroups.webp) +![Expand Groups option on the Add New Collection window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/expandgroups.webp) - For Perpetrators – If checked, the groups and nested-groups are expanded to monitor effective group membership at the user level. This means the Agent monitors/blocks based on the user’s token @@ -94,7 +94,7 @@ groups’ tokens. **Step 1 –** Select a collection on the List of Collections window and click **Edit**. The Edit Collection window opens. -![Edit Collection Window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/editcollection.webp) +![Edit Collection Window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/editcollection.webp) **Step 2 –** You can modify the name, description, and items in the collection. See the Add New Collection Window topic for additional information on these settings. @@ -107,7 +107,7 @@ Collection Window topic for additional information on these settings. Dependency Count column. Remove a collection from all policies it has been assigned to before deleting it. -![Confirm Removal window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) +![Confirm Removal window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/confirmremoval.webp) **Step 2 –** Click **Yes** on the Confirm Removal window to delete the collection. 
@@ -116,7 +116,7 @@ deleting it. **Step 1 –** Select a collection on the List of Collections window and click **Dependencies** to open the Collection Dependencies window. -![Collection Dependencies Window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/dependencies.webp) +![Collection Dependencies Window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/dependencies.webp) **Step 2 –** This window displays a list of all policy templates and policies the selected collection is assigned to. View the list and click **OK**. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md index 9f0a1d4c9f..809142e64d 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md 
@@ -4,12 +4,12 @@ The Collection Manager window enables you to manage all Microsoft Collections. C **Configuration** > **Collections** on the menu to launch it. This window is only available to Threat Prevention administrators. -![Collection Manager Window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/collectionmanager.webp) +![Collection Manager Window](/img/product_docs/threatprevention/threatprevention/admin/configuration/collectionmanager/collectionmanager.webp) Collections are reusable lists of policy filter settings that help streamline the task of associating filters with event types on the Event Type tab during -[Policy Configuration](../../policies/configuration.md) or -[Template Configuration](../../templates/configuration.md). They are configured globally and can be +[Policy Configuration](/docs/threatprevention/7.5/threatprevention/admin/policies/configuration.md) or +[Template Configuration](/docs/threatprevention/7.5/threatprevention/admin/templates/configuration.md). They are configured globally and can be used in multiple policies in place of or in conjunction with individual filters. These collections are empty until you populate them with your environment information. When a collection is modified, the modifications affect all policies referencing the collection. At least one Agent must be @@ -38,7 +38,7 @@ Collections are organized into the following categories for Microsoft Collection - File Paths – List of file paths for Windows file systems to be used with multiple agents Select a collection category and click **Manage…** i to open the -[List of Collections Window](listcollections.md). +[List of Collections Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/listcollections.md). ## Preconfigured Collections 
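Review bot: in the -38,7 hunk, the context line directly above the rewritten List of Collections link contains a stray character, "click **Manage…** i to open the". Remove the lone "i" so the sentence reads "click **Manage…** to open the [List of Collections Window](...)".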
diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md index 9ea2ea3dc7..59fbe89633 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md @@ -1,6 +1,6 @@ # Archive Data -To use the Move operation on the [Database Maintenance Window](overview.md), you must specify a +To use the Move operation on the [Database Maintenance Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md), you must specify a database where data is archived. You can also define settings to delete data aged beyond a specified threshold from the archive database. @@ -14,7 +14,7 @@ Follow the steps to configure settings for the archive database. **Step 1 –** Click **Configuration** > **Database** > **Maintenance** on the menu. The Database Maintenance window is displayed. Click the **Archive DB** tab. -![Database Maintenance window - Archive DB tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/archivedb.webp) +![Database Maintenance window - Archive DB tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/archivedb.webp) **Step 2 –** Enter the following information for the database where data is to be archived: 
@@ -29,7 +29,7 @@ Maintenance window is displayed. Click the **Archive DB** tab. **Step 3 –** Click **Save** to save the configurations. To query archived event data, use the Investigate interface. See the -[Investigate Interface](../../investigate/overview.md) topic for additional information. +[Investigate Interface](/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md) topic for additional information. ## Enable Database Maintenance for the Archive Database @@ -39,7 +39,7 @@ three options can be enabled with different retention periods, the Event Type ma take precedence over Policy maintenance settings where the selected policy employs that event type. Alerts generated for the archive database maintenance job are displayed on the -[Alerts Interface](../../alerts/overview.md) with "Archive DB:" as prefix in the Message column. +[Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md) with "Archive DB:" as prefix in the Message column. This helps differnciate between alerts generated for database maintenance and archive database maintenance. @@ -54,7 +54,7 @@ once. **Step 2 –** Click the **Configure Archive DB Maintenance** button. The Archive DB Maintenance window is displayed. -![Archive DB Maintenance window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/archivedbmaintenance.webp) +![Archive DB Maintenance window](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/archivedbmaintenance.webp) The following information is displayed at the top of the window: 
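Review bot: in the -39,7 hunk, the sentence following the rewritten Alerts Interface link still has the typo "differnciate" ("This helps differnciate between alerts generated for database maintenance and archive database maintenance."). Correct it to "differentiate" as part of this change, since the paragraph is already being edited.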
@@ -86,7 +86,7 @@ Agent that will run the maintenance job. NVMonitorData database. **Step 4 –** On the Event Type, Analytics, and/or Policy tabs, enable maintenance for all or some of -the options. See the [Enable Database Maintenance](enable.md) topic for additional information. +the options. See the [Enable Database Maintenance](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md) topic for additional information. The [Event Type Tab](overview.md#event-type-tab), [Analytics Tab](overview.md#analytics-tab), and [Policy Tab](overview.md#policy-tab) on the Archive DB Maintenance window are the same as on the @@ -94,7 +94,7 @@ Database Maintenance window, except that only the 'Delete' operation is availabl database. **Step 5 –** On the Schedule tab, set the frequency and time when the database maintenance job runs. -See the [Schedule Database Maintenance](schedule.md) topic for additional information. +See the [Schedule Database Maintenance](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md) topic for additional information. **Step 6 –** Click **OK** on the Archive DB Maintenance window. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md index dac786acb3..b4fc0c9c7d 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md 
@@ -14,7 +14,7 @@ Maintenance window is displayed. **Step 1 –** Select the desired tab (Event Type, Analytics, or Policy) and check the **Enabled** box at the top of the tab. -![Database Maintenance window - Event Type tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/enablesettings.webp) +![Database Maintenance window - Event Type tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/enablesettings.webp) **Step 2 –** Select a maintenance task (Event Type, Analytic, or Policy). To set the same operation and retention period for multiple tasks, use the **ctrl-left click** command. @@ -22,7 +22,7 @@ and retention period for multiple tasks, use the **ctrl-left click** command. **Step 3 –** Select either **Move** or **Delete** from the Operation drop-down menu. - The Move operation requires the Archive DB tab to be configured. See the - [Archive Data](archive.md) topic for additional information. + [Archive Data](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md) topic for additional information. **Step 4 –** Set the Retention Period value and unit (Day, Week, or Month). This value indicates the age of the data to be kept when the database maintenance job is run. Older data is deleted or diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md index 73dac84eb3..907ec754a9 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md 
@@ -11,9 +11,9 @@ archiving. For this database, you can also define settings to delete data aged b threshold. _Remember,_ See the Database Maintenance Permission details in the -[Database Maintenance Feature Requirements](../../../requirements/dbmaintenance.md) topic. +[Database Maintenance Feature Requirements](/docs/threatprevention/7.5/threatprevention/requirements/dbmaintenance.md) topic. -See the [Stored Procedures](storedprocedures.md) topic for additional information on stored +See the [Stored Procedures](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/storedprocedures.md) topic for additional information on stored procedures Threat Prevention uses on its SQL Server databases. Follow the steps to configure database maintenance. @@ -23,7 +23,7 @@ Maintenance window is displayed. This window is only available to Threat Prevention administrators. -![Threat Prevention WinConsole Warning window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/warning.webp) +![Threat Prevention WinConsole Warning window](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/warning.webp) The database maintenance feature is only available if the SQL Server Agent service is running on the SQL Server host. A warning message displays instead of the Database Maintenance window if this @@ -34,7 +34,7 @@ the SQL Server Agent (MSSQLSERVER). When the SQL Server Agent service is running, the Database Maintenance window opens. -![Database Maintenance window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/databasemaintenance.webp) +![Database Maintenance window](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/databasemaintenance.webp) The following information is displayed at the top of the window: 
@@ -58,19 +58,19 @@ The following information is displayed at the top of the window: The Refresh button in the upper-right corner refreshes this database and job information. **Step 2 –** On the Event Type, Analytics, and/or Policy tabs, enable maintenance for all or some of -the options. See the [Enable Database Maintenance](enable.md) topic for additional information. +the options. See the [Enable Database Maintenance](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/enable.md) topic for additional information. **Step 3 –** On the Schedule tab, set the frequency and time when the database maintenance job runs. -See the [Schedule Database Maintenance](schedule.md) topic for additional information. +See the [Schedule Database Maintenance](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md) topic for additional information. **Step 4 –** To use the Move operation, you must specify a database on the Archive DB tab. You can also define settings to delete data aged beyond a specified threshold from the archive database. See -the [Archive Data](archive.md) topic for additional information. +the [Archive Data](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md) topic for additional information. **Step 5 –** Click **Save** to save the changes. **_RECOMMENDED:_** The SQL Server databases should be configured to use 'Simple Recovery Mode' in -the [SQL Server Requirements](../../../requirements/sqlserver.md). This configuration has a direct +the [SQL Server Requirements](/docs/threatprevention/7.5/threatprevention/requirements/sqlserver.md). This configuration has a direct impact on the size of the transaction log during database maintenance delete tasks. If Simple Recovery Mode is not configured on the databases, the transaction log may get quite large during delete tasks. 
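Review bot: the RECOMMENDED paragraph at the end of this hunk reads "should be configured to use 'Simple Recovery Mode' in the [SQL Server Requirements](...)", which says the setting is configured in the requirements topic rather than on the databases. With the link line being rewritten, reword it to something like "should be configured to use 'Simple Recovery Mode', as described in the [SQL Server Requirements](...) topic", matching the "See the ... topic" phrasing used for the other links in this file.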
@@ -79,7 +79,7 @@ delete tasks. The Event Type tab is displayed by default when the Database Maintenance window opens. -![Database Maintenance window - Event Type tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/eventtype.webp) +![Database Maintenance window - Event Type tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/eventtype.webp) Check the **Enabled** box at the top to set database maintenance by event type. The table contains the following information: @@ -108,7 +108,7 @@ the following information: Click the **Analytics** tab on the Database Maintenance window. -![Database Maintenance window - Analytics tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/analytics.webp) +![Database Maintenance window - Analytics tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/analytics.webp) Check the **Enabled** box at the top to set database maintenance by analytic. The table contains the following information: @@ -133,7 +133,7 @@ Above the table is a cumulative count of: Click the **Policy** tab on the Database Maintenance window. -![Database Maintenance window - Policy tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) +![Database Maintenance window - Policy tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/policy.webp) Check the **Enabled** box at the top to set database maintenance by policy. The table contains the following information: diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md index 11498a479d..8e01c05b84 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/schedule.md @@ -7,7 +7,7 @@ on a regular rotation. Follow the steps to configure a schedule. -![Database Maintenance window - Schedule tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) +![Database Maintenance window - Schedule tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/schedule.webp) **Step 1 –** Click **Configuration** > **Database** > **Maintenance** on the menu. The Database Maintenance window is displayed. @@ -44,4 +44,4 @@ tasks at the time when the job runs are executed. This scheduled job can be viewed through the Microsoft SQL Server Management Studio within the **SQL Server Agent** > **Jobs** folder (SiDbMainJob). -![Database Maintenance job in Microsoft SQL Server Management Studio](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/dbmaintenancejob.webp) +![Database Maintenance job in Microsoft SQL Server Management Studio](/img/product_docs/threatprevention/threatprevention/admin/configuration/databasemaintenance/dbmaintenancejob.webp) diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/storedprocedures.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/storedprocedures.md index 3595807236..c5be597962 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/storedprocedures.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/storedprocedures.md 
@@ -1,7 +1,7 @@ # Stored Procedures The table contains a list of the stored procedures Threat Prevention uses on its SQL Server -databases. See the [Database Maintenance Window](overview.md) topic for additional information. +databases. See the [Database Maintenance Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md) topic for additional information. | Name | When Threat Prevention Uses the Procedure | What the Stored Procedure Does | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/epesettings.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/epesettings.md index 462fba8920..5f6fef1bbd 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/epesettings.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/epesettings.md 
@@ -11,7 +11,7 @@ The HIBP database must be initially deployed to the Enterprise Manager. Once the Threat Prevention Agent(s) can be configured to obtain and use a local copy of the HIBP database. In order to give Threat Prevention Agent(s) a local copy of the database, enable the **Use Local Pwned hash DB** setting in the Deploy Agents wizard's -[Set Options Window ](../agents/deploy/setoptions.md). +[Set Options Window ](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/setoptions.md). Password hashes can be authenticated against the stored HIBP database in the following places across the environment: @@ -60,7 +60,7 @@ Click **Configuration > EPE Settings** on the menu to open the EPE Settings wind **NOTE:** The EPE Settings window is only available to Threat Prevention administrators. -![EPE Settings window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/epesettings.webp) +![EPE Settings window](/img/product_docs/threatprevention/threatprevention/admin/configuration/epesettings.webp) The window displays current hash database information and has the following configuration settings, displayed in sections on the window. @@ -188,7 +188,7 @@ The User Feedback Module section has the following check boxes: Messages Editor window, where you can customize password rejection messages for the EPE User Feedback module. -![Custom Messages Editor window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/custommessageseditor.webp) +![Custom Messages Editor window](/img/product_docs/threatprevention/threatprevention/admin/configuration/custommessageseditor.webp) By default, messages are available in the English language. 
@@ -209,7 +209,7 @@ The following windows are global settings for the EPE Password Rules filter with window. Whatever is configured in these windows is applied across all EPE Password Rules filter(s) in the Administration Console. -![EPE Settings window - Rules area](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/rules.webp) +![EPE Settings window - Rules area](/img/product_docs/threatprevention/threatprevention/admin/configuration/rules.webp) You can monitor or block an event with these global settings: @@ -232,7 +232,7 @@ password in the Password Dictionary list. Click the **Modify Passwords Dictionary** button in the Rules area on the EPE Settings window. The Password Dictionary window is displayed. -![Password Dictionary window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/passworddictionary.webp) +![Password Dictionary window](/img/product_docs/threatprevention/threatprevention/admin/configuration/passworddictionary.webp) The buttons on the right have the following functions: @@ -259,7 +259,7 @@ password matches a substitution rule, it is blocked. Click the **Modify List of Words for Character Substitution** button in the Rules area on the EPE Settings window. The Words List Dictionary window is displayed. -![Words List Dictionary window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/wordslistdictionary.webp) +![Words List Dictionary window](/img/product_docs/threatprevention/threatprevention/admin/configuration/wordslistdictionary.webp) You can add, remove, and modify passwords here. The buttons on the right have the following functions: 
@@ -289,7 +289,7 @@ substitutions editor, then the pending passwords of “Go@l” and “G0al” wi Click the Modify Character Substitution Mapping button in the Rules area on the EPE Settings window. The Substitution Editor window is displayed. -![Substitution Editor window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/substitutioneditor.webp) +![Substitution Editor window](/img/product_docs/threatprevention/threatprevention/admin/configuration/substitutioneditor.webp) The Substitutions Editor has the following options: @@ -349,7 +349,7 @@ Follow the steps to install the Pwnd Passwords Downloader. dotnet tool install --global haveibeenpwned-downloader ``` -![hibp_installation_0](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_0.webp) +![hibp_installation_0](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_0.webp) **Step 3 –** Close the command prompt. @@ -365,7 +365,7 @@ Follow the steps to update an installed Pwnd Passwords Downloader. dotnet tool update --global haveibeenpwned-downloader ``` -![hibp_installation_1](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_1.webp) +![hibp_installation_1](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_1.webp) Download NTML Hashes with the Pwnd Passwords Downloader @@ -382,7 +382,7 @@ Run: haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm ``` -![hibp_installation_3](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_3.webp) +![hibp_installation_3](/img/product_docs/threatprevention/threatprevention/admin/configuration/hibp_installation_3.webp) This screenshot shows the completed download. 
diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md index 64813d37de..0d9486e5a1 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md @@ -11,7 +11,7 @@ Follow the steps to enable event filtering. **Step 1 –** Click **Configuration** > **Event Filtering** on the menu to open the Event Filtering Configuration window. -![Event Filtering Configuration Window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/eventfiltering.webp) +![Event Filtering Configuration Window](/img/product_docs/threatprevention/threatprevention/admin/configuration/eventfiltering.webp) **Step 2 –** The filter options are grouped by AD Global Pre Filters, Authentication Global Pre Filters, and Alerts. Check the checkboxes to activate the filters and click **Save**. 
@@ -79,11 +79,11 @@ The Exclude Logins from Machine Accounts option is enabled by default to filter These events can result in a bloating of the database. Click the **configure** link to open the Edit Collection window. -![Edit Collection window - For Machine Accounts](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionmachineaccounts.webp) +![Edit Collection window - For Machine Accounts](/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionmachineaccounts.webp) The Exclude Logins from Machine Accounts collection is only accessible through the Event Filtering Configuration window. Either use the **Add** (+) button to open the -[Select Active Directory Perpetrators Window](../policies/eventtype/window/selectactivedirectory/perpetrators.md) +[Select Active Directory Perpetrators Window](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/window/selectactivedirectory/perpetrators.md) to browse for machine accounts or type the account name in the textbox. Only perpetrators with accounts ending in “$” are considered for this filter. Wild cards (\*) can be @@ -119,7 +119,7 @@ The Exclude Authentication Events from Selected Hosts option is disabled by defa configuration before it can be enabled. Click the **selected hosts** link to open the Edit Collection window. -![Edit Collection window - For Hosts](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionhosts.webp) +![Edit Collection window - For Hosts](/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionhosts.webp) The Exclude Authentication Events from Hosts collection is only accessible through the Event Filtering Configuration window. All three methods of identification for a host (IP address, NETBIOS 
@@ -139,11 +139,11 @@ The Exclude Authentication Events from Selected Accounts option is disabled by d requires configuration before it can be enabled. Click the selected accounts link to open the Edit Collection window. -![Edit Collection window - For Selected Accounts](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionaccounts.webp) +![Edit Collection window - For Selected Accounts](/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionaccounts.webp) The Exclude Authentication Events from Selected Accounts collection is only accessible through the Event Filtering Configuration window. Use the **Add** (+) button to open the -[Select Active Directory Perpetrators Window](../policies/eventtype/window/selectactivedirectory/perpetrators.md) +[Select Active Directory Perpetrators Window](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/window/selectactivedirectory/perpetrators.md) to browse for the desired accounts. Account names [domain name\account] can also be typed in the textbox. Wild cards (\*) can be used as part of either the domain name or account. An asterisk (\*) appearing anywhere other than as the first character or the last character are treated as a literal 
@@ -166,6 +166,6 @@ database especially if the latency threshold is set too low. Select the Send Latency Alerts checkbox to enable this option. Use the arrows, or type into the textbox, to set the latency threshold in minutes for the time when the Agent detects the event and the Enterprise Manager receives it. When events exceed the timeframe, alerts are displayed in the -[Alerts Interface](../alerts/overview.md). Email or SIEM alerts can be generated by selecting the +[Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md). Email or SIEM alerts can be generated by selecting the Agent Latency checkbox in the Operations tab of the -[System Alerting Window](systemalerting/overview.md). +[System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/eventsdatabaseconfiguration.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/eventsdatabaseconfiguration.md index d00cd18e10..085bccc0fc 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/eventsdatabaseconfiguration.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/eventsdatabaseconfiguration.md 
@@ -5,12 +5,12 @@ Events database. Click **Configuration** > **Database** > **Server** on the menu This window is only available to Threat Prevention administrators. -![Events Database Configuration Window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/eventsdatabaseconfig.webp) +![Events Database Configuration Window](/img/product_docs/threatprevention/threatprevention/admin/configuration/eventsdatabaseconfig.webp) The Event database is originally configured when installing the Threat Prevention Enterprise Manager -package. See the [Application Server Install](../../install/application.md) topic for additional +package. See the [Application Server Install](/docs/threatprevention/7.5/threatprevention/install/application.md) topic for additional information. This window displays the current connection settings for the Event database. Credentials and/or SQL Server host information can be changed in the DB Connection Manager -application. See the [DB Connection Manager Wizard](../../install/dbconnectionmanager.md) topic for +application. See the [DB Connection Manager Wizard](/docs/threatprevention/7.5/threatprevention/install/dbconnectionmanager.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/filemonitorsettings.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/filemonitorsettings.md index d501156fe8..359f60dce8 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/filemonitorsettings.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/filemonitorsettings.md 
@@ -9,7 +9,7 @@ Follow the steps to configure file system monitoring. **Step 1 –** Click **Configuration** > **File Monitor Settings** on the menu; the File Monitor Settings window opens. This window is only available to Threat Prevention administrators. -![File Monitor Settings window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/filemonitorsettings.webp) +![File Monitor Settings window](/img/product_docs/threatprevention/threatprevention/admin/configuration/filemonitorsettings.webp) **Step 2 –** Enable or disable the following options: @@ -57,10 +57,10 @@ Monitor Settings window. **Step 2 –** Check the **Exclude selected accounts** checkbox and then click **accounts**. The Edit Collection window opens. -![File Monitor Settings > Edit Collection window (for accounts)](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionaccounts.webp) +![File Monitor Settings > Edit Collection window (for accounts)](/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionaccounts.webp) **Step 3 –** Use the **Add** (+) button to open the -[Select Active Directory Perpetrators Window](../policies/eventtype/window/selectactivedirectory/perpetrators.md) +[Select Active Directory Perpetrators Window](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/window/selectactivedirectory/perpetrators.md) to browse for and select AD accounts. **Step 4 –** Click **OK** to save your changes. 
@@ -82,7 +82,7 @@ Monitor Settings window. **Step 2 –** Check the **Exclude selected processes** checkbox and then click **processes**. The Edit Collection window opens. -![File Monitor Settings > Edit Collection window (for processes)](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionprocesses.webp) +![File Monitor Settings > Edit Collection window (for processes)](/img/product_docs/threatprevention/threatprevention/admin/configuration/editcollectionprocesses.webp) **Step 3 –** Use the Items textbox to enter process names. You must enter a process name exactly as is; for example, as it appears on the Details tab of Windows Task Manager. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/siemoutputviewer.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/siemoutputviewer.md index d57d916bf8..598b691118 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/siemoutputviewer.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/siemoutputviewer.md 
@@ -5,12 +5,12 @@ syslog (SIEM) in real time. - Event data generated for a policy is sent to SIEM if the 'Send to SIEM' option is selected for that policy on the Actions tab. See the - [Send to SIEM](../policies/actions/overview.md#send-to-siem) topic for additional information. + [Send to SIEM](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md#send-to-siem) topic for additional information. - Event data generated for an analytic is sent to SIEM if the 'Send Raw Data to SIEM' option is selected for that analytic on the Actions tab. See the - [Send to SIEM](../policies/actions/overview.md#send-to-siem) topic for additional information. + [Send to SIEM](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md#send-to-siem) topic for additional information. - Event data generated for an event/incident/policy is sent to SIEM if a SIEM profile has been - assigned to it on the [SIEM Tab](systemalerting/siem.md) of the System Alerting Window. + assigned to it on the [SIEM Tab](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/siem.md) of the System Alerting Window. While you can also use third-party tools like [Kiwi Syslog Server](https://www.solarwinds.com/free-tools/kiwi-free-syslog-server) to view the 
@@ -22,7 +22,7 @@ Follow the steps to view real time data (messages) that Threat Prevention sends **Step 1 –** Click **Configuration** > **SIEM Output Viewer** on the menu; the SIEM Output Viewer window opens. This window is only available to Threat Prevention administrators. -![SIEM Output Viewer window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/siemoutputviewer.webp) +![SIEM Output Viewer window](/img/product_docs/threatprevention/threatprevention/admin/configuration/siemoutputviewer.webp) **Step 2 –** Click **Start**. As events occur and Threat Prevention writes to syslog (sends event/policy/analytics data to SIEM) in real time, they are displayed on the window. 
@@ -59,14 +59,14 @@ This data grid employs features for sorting, filtering, searching, and more. - Right-click anywhere in the column header to get a menu with several options to sort the data in the grid. See the - [Data Grid Right-Click Menu](../navigation/rightclickmenus.md#data-grid-right-click-menu) topic + [Data Grid Right-Click Menu](/docs/threatprevention/7.5/threatprevention/admin/navigation/rightclickmenus.md#data-grid-right-click-menu) topic for additional information. - The Group by Box ribbon just above the header row impacts how much data is displayed. See the - [Sort Data](../navigation/datagrid.md#sort-data) topic for additional information. + [Sort Data](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md#sort-data) topic for additional information. - Columns can be reordered as desired as well as removed from the data grid. Removed columns can be - added back through the [Customization Window](../navigation/datagrid.md#customization-window). + added back through the [Customization Window](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md#customization-window). - The Search icon opens the **Enter text to search…** textbox where you can search for the required - data in the data grid. See the [Search Data](../navigation/datagrid.md#search-data) topic for + data in the data grid. See the [Search Data](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md#search-data) topic for additional information. **Step 5 –** Click **Save** to save the displayed data to a text file or **Clear** to clear the diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md index ebd222ca25..9eefc07e99 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md @@ -8,7 +8,7 @@ Follow the steps to configure the Email tab of the System Alerting window. **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. The Email tab is displayed by default. -![Netwrix Threat Prevention System Alerting window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/systemalerting.webp) +![Netwrix Threat Prevention System Alerting window](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/systemalerting.webp) **Step 2 –** Configure the following prior to enabling email alerting: @@ -72,7 +72,7 @@ Follow the steps to configure the SMTP host information for email alerting. _Remember,_ this is a one-time setting to enable email alerts from the Administration Console. -![System Alerting window - Email tab - Configure SMTP Host and Message Profile](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/smtphost.webp) +![System Alerting window - Email tab - Configure SMTP Host and Message Profile](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/smtphost.webp) **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. 
@@ -102,7 +102,7 @@ Profile. **NOTE:** When the Message Profile is modified for an alert, all policies referencing the alert use the updated information. -![System Alerting window - Email tab - Configure SMTP Host and Message Profile](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/smtphost.webp) +![System Alerting window - Email tab - Configure SMTP Host and Message Profile](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/smtphost.webp) **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. @@ -117,7 +117,7 @@ The default profile name (New Email Notification) is displayed. **Step 4 –** Choose between **Plain Text** and **HTML** email options. The Email Template window displays when selecting either radio button. -![Email Template window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/emailtemplate.webp) +![Email Template window](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/emailtemplate.webp) Changing the message template provides the option to load the default message template. Choose between: @@ -188,5 +188,5 @@ can be removed, but partial tokens do not retrieve data from the database. Now that at least one Message Profile has been created, it can be assigned to an event either through the System Altering window’s Email tab or assigned to a policy on the -[Actions Tab](../../policies/actions/overview.md) of the policy configuration or the -[Actions Tab](../../templates/actions.md) of the template configuration. +[Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) of the policy configuration or the +[Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/templates/actions.md) of the template configuration. 
diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/eventlog.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/eventlog.md index 24ffbc4b29..cd8c11c740 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/eventlog.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/eventlog.md @@ -3,7 +3,7 @@ Alert notification via Event Log sends event notifications to the Windows Event Log. Follow the steps to enable Event Log alerting. -![System Alerting window – Event Log tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/eventlog.webp) +![System Alerting window – Event Log tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/eventlog.webp) **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md index 57016e9419..92b34c8501 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md 
@@ -3,7 +3,7 @@ The System Alerting window is only available to administrators, enabling them to configure and manage all alerting avenues. Click **Configuration** > **Alerts** on the menu to open it. -![Netwrix Threat Prevention System Alerting window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/systemalerting.webp) +![Netwrix Threat Prevention System Alerting window](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/systemalerting.webp) Alerts can be sent to recipients via email, to Windows Event Log, and to SIEM products. Alerts are grouped into five types: @@ -27,11 +27,11 @@ grouped into five types: Email and SIEM alert notifications for policy events can be enabled through: - The System Alerting window -- The [Actions Tab](../../policies/actions/overview.md) of a policy -- The [Actions Tab](../../templates/actions.md) of a policy template +- The [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) of a policy +- The [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/templates/actions.md) of a policy template In any case, configuration must first be set through the System Alerting window. The -[Alerts Interface](../../alerts/overview.md) allows you to quickly view recent alerts in a +[Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md) allows you to quickly view recent alerts in a centralized location. ## Email and SIEM Alert Notifications for Analytic Incidents 
@@ -45,9 +45,9 @@ reminders of an ongoing attack if it continues after the initial notification ha Notifications are generated for the alerts you enable on the the System Alerting window. - All Security, Configuration, and Operation alert notifications are displayed on the - [Alerts Interface](../../alerts/overview.md). -- All Analytics incidents are displayed on the [Analytics Interface](../../analytics/overview.md). -- All Policies events are displayed on the [Investigate Interface](../../investigate/overview.md). + [Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md). +- All Analytics incidents are displayed on the [Analytics Interface](/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md). +- All Policies events are displayed on the [Investigate Interface](/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md). ## General Considerations 
@@ -56,15 +56,15 @@ Below are some considerations: - Occasionally a Microsoft Security Bulletin impacting LSASS can interfere with the Agent instrumentation resulting in LSASS shutting down. The Agent is configured to monitor for an LSASS process termination shortly after a server reboot. The - [LSASS Process Terminated](../../../troubleshooting/lsass.md) alert (Operations alert) is + [LSASS Process Terminated](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md) alert (Operations alert) is triggered in this event and the Agent is stopped. As a result, all monitoring/blocking by that Agent stops. To resolve the issue, either upgrade to the latest version of the Agent or simply upgrade SI.ActiveDirectoryMonitor.dll - commonly known as ADMonitor DLL (recommended). See the - [Upgrade ADMonitor](../../agents/management/upgradeadmonitor.md)topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md)topic for additional information. **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See the - [Enable the 'LSASS Process Terminated' Email Alert](../../../troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) + [Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.5/threatprevention/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert) topic for additional information. - In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode. 
@@ -75,11 +75,11 @@ Below are some considerations: monitoring/blocking by that Agent stops. The 'Agent Started in AD Monitor pending mode' alert (Operations alert) is triggered in this event. To resolve the issue temporarily, the Threat Prevention administrator should start the pending modules. See the - [Start Pending Modules](../../agents/management/startpendingmodules.md) topic for additional + [Start Pending Modules](/docs/threatprevention/7.5/threatprevention/admin/agents/management/startpendingmodules.md) topic for additional information. It is also recommended to upgrade SI.ActiveDirectoryMonitor.dll (commonly known as ADMonitor DLL) to resolve the issue permanently. See the - [Upgrade ADMonitor](../../agents/management/upgradeadmonitor.md) topic for additional information. + [Upgrade ADMonitor](/docs/threatprevention/7.5/threatprevention/admin/agents/management/upgradeadmonitor.md) topic for additional information. **_RECOMMENDED:_** Activate an email notification for this alert. See the - [Enable Agent Started in AD Monitor Pending Mode Email Alert](../../agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert) - topic and the [Agent Safe Mode](../../agents/safemode.md) topic for additional information. + [Enable Agent Started in AD Monitor Pending Mode Email Alert](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert) + topic and the [Agent Safe Mode](/docs/threatprevention/7.5/threatprevention/admin/agents/safemode.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/siem.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/siem.md index 370674b7d1..67c838a456 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/siem.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/siem.md 
@@ -15,7 +15,7 @@ for additional information. **Step 3 –** Once configured, click **Events** on the **SIEM** tab. -![Netwrix Threat Prevention System Alerting window - SEIM tab](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/seim.webp) +![Netwrix Threat Prevention System Alerting window - SEIM tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/seim.webp) **Step 4 –** Click the button next to Disabled to toggle the setting to **Enabled**. @@ -66,14 +66,14 @@ notification has been sent. Threat Prevention now sends SIEM notifications for the selected events/incidents/policies to the SIEM product configured in the assigned SIEM profile. All notifications sent to SIEM are also -displayed on the [SIEM Output Viewer](../siemoutputviewer.md) window. +displayed on the [SIEM Output Viewer](/docs/threatprevention/7.5/threatprevention/admin/configuration/siemoutputviewer.md) window. ## Configure a SIEM Server Multiple profiles can be created across SIEM servers to serve different alerting functions. Follow the steps to configure one or more SIEM servers for alerting. -![Netwrix Threat Prevention System Alerting window – SEIM tab – Configure SEIM Server](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/seimserver.webp) +![Netwrix Threat Prevention System Alerting window – SEIM tab – Configure SEIM Server](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/seimserver.webp) **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. 
@@ -124,13 +124,13 @@ mapping file formats are specifically designed for Analytics incidents. **Step 11 –** Click **OK** to save the settings. Once a SIEM server is configured, assign it to events using the System Alerting window’s SIEM Tab or -the [Actions Tab](../../policies/actions/overview.md) of a policy or the -[Actions Tab](../../templates/actions.md) of a policy template. +the [Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/policies/actions/overview.md) of a policy or the +[Actions Tab](/docs/threatprevention/7.5/threatprevention/admin/templates/actions.md) of a policy template. IBM QRadar Integration Netwrix has created a custom app for integration between Threat Prevention and QRadar. See the -[Active Directory App for QRadar](../../../siemdashboard/qradar/overview.md) topic for additional +[Active Directory App for QRadar](/docs/threatprevention/7.5/threatprevention/siemdashboard/qradar/overview.md) topic for additional information. There is also a custom app for File Activity, that can receive data from either Threat Prevention or Netwrix Activity Monitor. See the [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) 
@@ -139,8 +139,8 @@ for additional information. Splunk Integration Netwrix has created custom apps for integration between Threat Prevention and Splunk. See the -[Active Directory App for Splunk](../../../siemdashboard/splunk/activedirectory/overview.md) topic -and the [Threat Hunting App for Splunk](../../../siemdashboard/splunk/threathunting/overview.md) +[Active Directory App for Splunk](/docs/threatprevention/7.5/threatprevention/siemdashboard/splunk/activedirectory/overview.md) topic +and the [Threat Hunting App for Splunk](/docs/threatprevention/7.5/threatprevention/siemdashboard/splunk/threathunting/overview.md) topic for additional information. There is also a custom app for File Activity, that can receive data from either Threat Prevention or Netwrix Activity Monitor. See the [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) @@ -156,7 +156,7 @@ folder: Follow the steps to add a custom SIEM mapping file. -![SIEM tab - Gear icon for Custom Mapping File](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/geariconformappingfile.webp) +![SIEM tab - Gear icon for Custom Mapping File](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/geariconformappingfile.webp) **Step 1 –** Click **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System Alerting window opens. 
@@ -166,11 +166,11 @@ Alerting window opens. **Step 3 –** Click the **gear** icon for an alert type to open the SIEM Templates window. The new mapping file will only be available for the specific type selected. -![SIEM Templates window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/siemtemplates.webp) +![SIEM Templates window](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/siemtemplates.webp) **Step 4 –** Click **Add** (+) to open the Import SIEM Mapping File window. -![Import SIEM Mapping File window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/importfile.webp) +![Import SIEM Mapping File window](/img/product_docs/threatprevention/threatprevention/admin/configuration/systemalerting/importfile.webp) **Step 5 –** Select the desired mapping file and click **Open**. The SIEM Mapping File window closes and the selected mapping file appears in the SIEM Templates window. It is now available in the diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/threatmanagerconfiguration.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/threatmanagerconfiguration.md index d17c29b438..79b6f85ef6 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/threatmanagerconfiguration.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/threatmanagerconfiguration.md 
@@ -27,7 +27,7 @@ Follow the steps to configure Threat Prevention to send event data to Threat Man Configuration** on the menu. The Netwrix Threat Manager Configuration window opens with the Event Sink tab displayed by default. -![Netwrix Threat Manager Configuration window - Event Sink tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/threatmanagerconfiguration.webp) +![Netwrix Threat Manager Configuration window - Event Sink tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/threatmanagerconfiguration.webp) **Step 3 –** In the Netwrix Threat Manager URI box, enter the Threat Manager hostname or IP address and port in the following format. The default port for Threat Manager is **10001**. @@ -96,7 +96,7 @@ Configuration** on the menu. The Netwrix Threat Manager Configuration window ope **Step 4 –** Click the **Honey Token** tab. -![Netwrix Threat Manager Configuration Window - Honey Tokem tab](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) +![Netwrix Threat Manager Configuration Window - Honey Tokem tab](/img/product_docs/threatprevention/threatprevention/admin/configuration/honeytoken.webp) **Step 5 –** Check the **Enable LDAP substitution** checkbox to enable the options on the tab. @@ -124,7 +124,7 @@ Follow the steps to include the Forged PAC information in events. the window to open the Configure Analytics window. **Step 3 –** Add or remove the RIDs of groups to be monitored on the Settings tab. See the -[Forged PAC Analytic Type](../analytics/forgedpac.md) topic for additional information. +[Forged PAC Analytic Type](/docs/threatprevention/7.5/threatprevention/admin/analytics/forgedpac.md) topic for additional information. **Step 4 –** On the Policy tab, configure the following: 
@@ -137,7 +137,7 @@ the window to open the Configure Analytics window. **Step 6 –** In Threat Prevention, click **Configuration** > **Netwrix Threat Manager Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. -![Netwrix Threat Manager Configuration Window - Forged PAC tab](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) +![Netwrix Threat Manager Configuration Window - Forged PAC tab](/img/product_docs/activitymonitor/activitymonitor/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) **Step 7 –** Ensure the Event Sink tab is properly set up to send event data to Threat Manager. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/add.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/add.md index 73524e4ecd..81747f4904 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/add.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/add.md 
@@ -2,14 +2,14 @@ Follow the steps to add a user and assign access rights. -![Add User button on the Users and Groups window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/addbutton.webp) +![Add User button on the Users and Groups window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/addbutton.webp) **Step 1 –** Click **Configuration** > **Users** on the menu to open the Users and Roles window. **Step 2 –** Click the **Add** (+) button in the upper-right corner; the Select Users or Groups window opens. -![Select Users or Groups window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/selectusersorgroups.webp) +![Select Users or Groups window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/selectusersorgroups.webp) **Step 3 –** Enter the name of the desired user in the Enter the object names to select box and click Check Name. On the next window, select the required Active Directory user and click **OK**. @@ -22,7 +22,7 @@ Administrator automatically checks the Console Operator role. _Remember,_ the Report User role was a legacy role for the IIS-based SI Reporting Console and does not apply to the Netwrix Threat Manager Reporting Module console. See the -[User Access Page](../../../reportingmodule/configuration/systemsettings/useraccess.md) topic for +[User Access Page](/docs/threatprevention/7.5/threatprevention/reportingmodule/configuration/systemsettings/useraccess.md) topic for information on granting report access. **Step 5 –** _(Optional)_ Create as many users as required before clicking OK. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/delete.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/delete.md index 6c30e769ec..ffc2d68de2 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/delete.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/delete.md @@ -7,7 +7,7 @@ Follow the steps to delete a user. **Step 1 –** Click **Configuration** > **Users** on the menu to open the Users and Roles window. -![Remove User button on the Users and Groups window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/removeuser.webp) +![Remove User button on the Users and Groups window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/removeuser.webp) **Step 2 –** Select a user and click the **Remove** (x) button in the upper-right corner to delete it. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/modify.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/modify.md index 294dafa5b1..c8055379fe 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/modify.md +++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/modify.md @@ -4,7 +4,7 @@ Follow the steps to modify a user’s assigned rights. **Step 1 –** Click **Configuration** > **Users** on the menu to open the Users and Roles window. -![Users and Roles window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/usersroleswindow.webp) +![Users and Roles window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/usersroleswindow.webp) **Step 2 –** Select a user to modify its assigned rights. diff --git a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/overview.md b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/overview.md index 391945837c..264374e266 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/overview.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/overview.md @@ -2,12 +2,12 @@ On the Users and Roles window, you can grant role based access to users on the Administration Console. See the -[User Access Page](../../../reportingmodule/configuration/systemsettings/useraccess.md) topic for +[User Access Page](/docs/threatprevention/7.5/threatprevention/reportingmodule/configuration/systemsettings/useraccess.md) topic for information on granting access to the Netwrix Threat Manager Reporting Module console. Click **Configuration** > **Users** on the menu to open the Users and Roles window. -![Users and Roles window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/usersroleswindow.webp) +![Users and Roles window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/usersroleswindow.webp) **NOTE:** This window is only available to Threat Prevention administrators. @@ -24,7 +24,7 @@ There are two roles that can be applied to a Threat Prevention user: - Console Operator – Can create and run policies, and view event data. **NOTE:** The Report User role was a legacy feature for the IIS-based Reporting Console and is no -longer applicable. See the [Reporting Module](../../../reportingmodule/overview.md) topic for +longer applicable. See the [Reporting Module](/docs/threatprevention/7.5/threatprevention/reportingmodule/overview.md) topic for information on the new reporting console. Administration Console Rights 
@@ -46,7 +46,7 @@ Administration Console Rights \*If an administrator changes permissions on protected policies they do not own, a system alert is generated. -See the [Policies Interface](../../policies/overview.md) topic for information on protected and +See the [Policies Interface](/docs/threatprevention/7.5/threatprevention/admin/policies/overview.md) topic for information on protected and unprotected policies. A user must have the following minimum permissions on the SQL Server databases, both the @@ -55,7 +55,7 @@ NVMonitorConfig and NVMonitorData databases, according to the assigned role: - Administrator Role - Read/Write data - - If using [Database Maintenance Window](../databasemaintenance/overview.md) – SQL Admin (sa) + - If using [Database Maintenance Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md) – SQL Admin (sa) rights are required - Console Operator Role @@ -67,7 +67,7 @@ NVMonitorConfig and NVMonitorData databases, according to the assigned role: The Features button is enabled for users with the Administrator role. It provides options to limit Administrator permissions to manage features, stop the Agent, or uninstall the Agent. -![Users and Roles window showing the Edit Features window](../../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/featuresbutton.webp) +![Users and Roles window showing the Edit Features window](/img/product_docs/threatprevention/threatprevention/admin/configuration/userroles/featuresbutton.webp) Follow the steps to edit the features for the selected user. All listed features are enabled by default. diff --git a/docs/threatprevention/7.5/threatprevention/admin/investigate/datagrid.md b/docs/threatprevention/7.5/threatprevention/admin/investigate/datagrid.md index 5cbd52f2dc..8a6aa401bd 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/investigate/datagrid.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/investigate/datagrid.md @@ -12,14 +12,14 @@ Follow the steps to view events in the data grid. - Use the arrow between the filter categories and the grid view to collapse the entire filter category section -![Investigate interface - Data Grid](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/datagrid.webp) +![Investigate interface - Data Grid](/img/product_docs/threatprevention/threatprevention/admin/investigate/datagrid.webp) **Step 3 –** Select the **Production** or **Archive** option button to view events from the respective database. The archive database is part of the Threat Prevention Database Maintenance feature and it can only be queried from the Administration Console. See the -[Archive Data](../configuration/databasemaintenance/archive.md) topic for additional information. +[Archive Data](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/archive.md) topic for additional information. **Step 4 –** Use the **Get Top [number] Events** box to specify the number of events to be displayed. @@ -36,7 +36,7 @@ from view. Each column in the data grid has a prefix identifying the type of information displayed. Double-click a populated grid column to access the -[Event Viewer Window](../policies/recentevents/eventviewer.md) with detailed information on the +[Event Viewer Window](/docs/threatprevention/7.5/threatprevention/admin/policies/recentevents/eventviewer.md) with detailed information on the event. The columns display the following information for each event: - Event: Policy Name – Policy which monitored or blocked the event 
@@ -103,7 +103,7 @@ event. The columns display the following information for each event: Select an event in the data grid to view additional information for it at the bottom of the Investigate interface. -![Investigate Interface - Attributes area](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/attributes.webp) +![Investigate Interface - Attributes area](/img/product_docs/threatprevention/threatprevention/admin/investigate/attributes.webp) The following information (as applicable to the event) is displayed: @@ -113,7 +113,7 @@ The following information (as applicable to the event) is displayed: - New Value – Value after the monitored change This data grid employs features for sorting, filtering, searching, and more. See the -[ Data Grid Functionality](../navigation/datagrid.md) topic for additional information. +[ Data Grid Functionality](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md) topic for additional information. To export the data displayed in the grid to a CSV file, see the -[Export Data](../navigation/datagrid.md#export-data) topic. +[Export Data](/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md#export-data) topic. diff --git a/docs/threatprevention/7.5/threatprevention/admin/investigate/filters.md b/docs/threatprevention/7.5/threatprevention/admin/investigate/filters.md index 4e4c26f312..54566220bb 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/investigate/filters.md +++ b/docs/threatprevention/7.5/threatprevention/admin/investigate/filters.md 
@@ -1,13 +1,13 @@ # Investigate Filters -On the [Investigate Interface](overview.md), there are six filter categories that can be applied to +On the [Investigate Interface](/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md), there are six filter categories that can be applied to the recent events available in the data grid. By default, no filters are applied. For the Policy filter, all enabled unprotected policies and any protected policies the current user has rights to view are selected, and the other filter categories are blank. Filters can be applied using any combination of the filter categories. Use the Refresh button to repopulate the data grid with the current information for the selected filter(s). -![Investigate Interface - Filter Categories](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/filtercategories.webp) +![Investigate Interface - Filter Categories](/img/product_docs/threatprevention/threatprevention/admin/investigate/filtercategories.webp) Filter categories are discussed below. @@ -104,4 +104,4 @@ slow for large databases. Click the arrow on the filter category header ribbon to expand or collapse the category. You can also clear all filters by clicking the Reset Filters button on the ribbon between the filter categories and the data grid. Filtered views can also be saved. See the -[Saved Investigations](saved.md) topic for additional information. +[Saved Investigations](/docs/threatprevention/7.5/threatprevention/admin/investigate/saved.md) topic for additional information. diff --git a/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md b/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md index 63a61ca457..1760dd2bf7 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md 
@@ -2,19 +2,19 @@ The Investigate interface allows you to quickly view recent events in a centralized location. You can investigate either Production events or Archive events. The data is limited by any protection -applied at the Policy folder-level. See the [Policies Interface](../policies/overview.md) topic for +applied at the Policy folder-level. See the [Policies Interface](/docs/threatprevention/7.5/threatprevention/admin/policies/overview.md) topic for additional information on the protection feature. Click **Investigate** in the left pane to launch the Investigate interface. -![Investigate Interface](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/investigateinterface.webp) +![Investigate Interface](/img/product_docs/threatprevention/threatprevention/admin/investigate/investigateinterface.webp) Next to the Investigate title, use the drop-down menu to select LDAP Policies or All Other Policies to be shown in the data grid. Select the Show Deleted Policies checkbox to view deleted policies too. -The top section of the window provides filtering options. See the [Investigate Filters](filters.md) +The top section of the window provides filtering options. See the [Investigate Filters](/docs/threatprevention/7.5/threatprevention/admin/investigate/filters.md) topic for additional information. The recent events are displayed in the bottom section. -For an understanding of the data displayed in the grid, see the [Investigate Data Grid](datagrid.md) +For an understanding of the data displayed in the grid, see the [Investigate Data Grid](/docs/threatprevention/7.5/threatprevention/admin/investigate/datagrid.md) topic. diff --git a/docs/threatprevention/7.5/threatprevention/admin/investigate/saved.md b/docs/threatprevention/7.5/threatprevention/admin/investigate/saved.md index 73d0557b4f..81d27bedd2 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/investigate/saved.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/investigate/saved.md @@ -1,20 +1,20 @@ # Saved Investigations -You can apply filters on the [Investigate Interface](overview.md) to filter event data as desired. +You can apply filters on the [Investigate Interface](/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md) to filter event data as desired. Filters settings can be saved. Follow the steps to save a filtered view. -![Investigate Interface - Save a Filtered View](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/saveview.webp) +![Investigate Interface - Save a Filtered View](/img/product_docs/threatprevention/threatprevention/admin/investigate/saveview.webp) **Step 1 –** Click **Investigate** in the left pane to launch the Investigate interface. **Step 2 –** Set the filter [1] as desired, Refresh the data grid [2], and click **Save Filter Settings and Layout** [3]. The Filter Set Name window opens. -![Filter Set Name window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/filtersetname.webp) +![Filter Set Name window](/img/product_docs/threatprevention/threatprevention/admin/investigate/filtersetname.webp) **Step 3 –** Type a name for this filtered view and click **OK**. -![Saved filter view in the navigation pane](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/savedview.webp) +![Saved filter view in the navigation pane](/img/product_docs/threatprevention/threatprevention/admin/investigate/savedview.webp) The saved filtered view becomes a node in the Navigation pane under the Investigate node. Select the node to return to the saved filtered Investigate view. diff --git a/docs/threatprevention/7.5/threatprevention/admin/investigate/summaryfolders.md b/docs/threatprevention/7.5/threatprevention/admin/investigate/summaryfolders.md index 94daaef203..06f84b3661 100644 
--- a/docs/threatprevention/7.5/threatprevention/admin/investigate/summaryfolders.md +++ b/docs/threatprevention/7.5/threatprevention/admin/investigate/summaryfolders.md @@ -4,7 +4,7 @@ The EPE Summary and LDAP Summary folders under Investigate in the navigation pan reports that allow you to view consolidated recent event activity for EPE or LDAP which spans all EPE or LDAP policies. The reports include default grouping(s) that best show the consolidated data. -![EPE Summary and LDAP Summary folders](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/summaryfolders.webp) +![EPE Summary and LDAP Summary folders](/img/product_docs/threatprevention/threatprevention/admin/investigate/summaryfolders.webp) The investigate summary folders have the following reports: @@ -27,7 +27,7 @@ The investigate summary folders have the following reports: Click a report to view it. -![Summary Report](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/summaryreport.webp) +![Summary Report](/img/product_docs/threatprevention/threatprevention/admin/investigate/summaryreport.webp) By default, the data grid is blank. Select **Refresh** to display results on the data grid. @@ -44,7 +44,7 @@ available below the report name: Parameter Window -![Parameter Window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/investigate/parameter.webp) +![Parameter Window](/img/product_docs/threatprevention/threatprevention/admin/investigate/parameter.webp) The Parameters window displays the following options. Select the desired options and click **OK** to display data in the report accordingly. diff --git a/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md b/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md index 94857989c5..0b8fca8325 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md 
+++ b/docs/threatprevention/7.5/threatprevention/admin/navigation/datagrid.md @@ -3,7 +3,7 @@ Result data is displayed using data grids on several interfaces in the Administration Console. These grids employ features for data sorting, filtering, searching, and more. -![Data Grid Functionality pointers](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/datagridfunctionality.webp) +![Data Grid Functionality pointers](/img/product_docs/threatprevention/threatprevention/admin/navigation/datagridfunctionality.webp) - The Group by Box [1] ribbon impacts how much data is displayed. See the Sort Data topic for additional information. @@ -23,7 +23,7 @@ grids employ features for data sorting, filtering, searching, and more. Right-click on a column header and select **Column Chooser** to open the Customization window, that lists the column(s) that were removed from the data grid display. -![Customization Window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/customization.webp) +![Customization Window](/img/product_docs/threatprevention/threatprevention/admin/navigation/customization.webp) You can remove a columns from the data grid in any of these ways: @@ -37,7 +37,7 @@ dragging-and-dropping it from this window onto the column header row. Data can be grouped by columns using the Group by Box ribbon above the data grid. -![Sort Data function in the data grid](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/sortdatafunction.webp) +![Sort Data function in the data grid](/img/product_docs/threatprevention/threatprevention/admin/navigation/sortdatafunction.webp) Drag a column header into the Group by Box area to group data from that perspective. You can group by a single header or by tiered headers. 
@@ -50,7 +50,7 @@ arrow displays in the right corner of the column header indicating the type of s Several methods are available for filtering data in data grids. There can only be one active filter per column. -![Filter Data functions in a Data Grid](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/filterdata.webp) +![Filter Data functions in a Data Grid](/img/product_docs/threatprevention/threatprevention/admin/navigation/filterdata.webp) - Auto Filter Row [A] – Uses the comparison operator to filter the grid against a single attribute - Filter Statement Bar [B] – Displays enabled filter statements at the bottom of the display area @@ -79,7 +79,7 @@ Notice the Edit Filter option on the right side of the filter statement bar. Cli Filter Editor window, where you can build complex filter statements. It can employ multiple comparison operators and/or multiple column filters. -![Filter Editor](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/filtereditor.webp) +![Filter Editor](/img/product_docs/threatprevention/threatprevention/admin/navigation/filtereditor.webp) Pin Icon @@ -89,7 +89,7 @@ Auto Filter Row filter is enabled. Click the **pin icon** to open additional filtration options in a filter window. The options displayed depend on the column it is opened from. -![Window with filtration options](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/valuesfilter.webp) +![Window with filtration options](/img/product_docs/threatprevention/threatprevention/admin/navigation/valuesfilter.webp) - Values – Displays for every column in the data grid. Multiple values can be selected. - Text/Numeric – This is linked to the Auto filter Row filter with the addition of three new 
@@ -108,7 +108,7 @@ Find Panel option on the On clicking the magnifying glass icon, the Find box appears as: -![Search function for data grid](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/searchfunction.webp) +![Search function for data grid](/img/product_docs/threatprevention/threatprevention/admin/navigation/searchfunction.webp) - Type a search criteria and click **Find**. The data grid filters to events where the search criteria is matched, highlighting the match. @@ -116,7 +116,7 @@ On clicking the magnifying glass icon, the Find box appears as: - Click **Clear** to clear both the search criteria and the filtered view. - The **X** at the far left of the panel closes the Find Panel. -![Search Results](../../../../../../static/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) +![Search Results](/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp) ## Export Data 
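Review bot: the last hunk of datagrid.md (`@@ -116,7 +116,7`) keeps the Search Results image under `/img/product_docs/activitymonitor/activitymonitor/admin/search/results/searchresults.webp`, while every other image in this file resolves under `threatprevention/`. Confirm the cross-product asset is intentional and exists at the new absolute path. If it is not intentional, copy the image into the Threat Prevention tree so this page does not break when Activity Monitor assets are moved or renamed.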
@@ -125,13 +125,13 @@ The data grids provide an option to export data. - Data grids on the Agents interface and on the Analytics windows export all available data from the grid to a CSV file. Clicking the **Export** button from these interfaces opens a Save As window. - Clicking the Export button from the Alerts interface opens the Alerts Export window. See the - [Alerts Export Window](../alerts/window/alertsexport.md) topic for additional information. + [Alerts Export Window](/docs/threatprevention/7.5/threatprevention/admin/alerts/window/alertsexport.md) topic for additional information. - Clicking the Export button from the Investigate interface or the Recent Events tab of a policy opens the Export window. **NOTE:** Ensure that all desired filters are set on the data grid before export. -![Export window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) +![Export window](/img/product_docs/threatprevention/threatprevention/admin/navigation/export.webp) The Export window provides options for what is exported and what action(s) to take. @@ -152,4 +152,4 @@ Locally and/or Email to and populate the required fields. **NOTE:** The Email to action requires the SMTP host Information to be configured. This can only be done by a Threat Prevention administrator through the -[Email Tab](../configuration/systemalerting/email.md) of the System Alerting window. +[Email Tab](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/email.md) of the System Alerting window. diff --git a/docs/threatprevention/7.5/threatprevention/admin/navigation/licensemanager.md b/docs/threatprevention/7.5/threatprevention/admin/navigation/licensemanager.md index 5ec4050e03..6960fc4263 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/navigation/licensemanager.md +++ b/docs/threatprevention/7.5/threatprevention/admin/navigation/licensemanager.md 
@@ -13,7 +13,7 @@ You can configure alerts to be sent when the.Threat Prevention license nears exp alerts serve as a reminder for license renewal. To generate license expiration alerts 14 days prior to license expiry, enable the **License** option -on the [System Alerting Window](../configuration/systemalerting/overview.md). Go to the Email, Event +on the [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md). Go to the Email, Event Log or SIEM tab depending on how you want to receive alerts (i.e., by email, in the Windows event log, or in a SIEM product) and click Configuration in the left pane to locate the License option for enabling it. @@ -33,7 +33,7 @@ Follow the steps to view your Threat Prevention license details. Click **Help > License Manager** on the menu. The Netwrix Threat Prevention License Manager window is displayed. -![License Manager window](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/licensemanager.webp) +![License Manager window](/img/product_docs/threatprevention/threatprevention/admin/navigation/licensemanager.webp) This window lists the modules that you are licensed for. Each module is linked to a Threat Prevention solution. 
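Review bot: in the `@@ -13,7 +13,7` hunk of licensemanager.md, the rewritten `+on the [System Alerting Window](...)` line is now far longer than the wrapped lines around it, so re-wrap the paragraph to keep the file's line width consistent. The context line above it also carries a stray period in `when the.Threat Prevention license nears`, which is worth fixing while this paragraph is being touched.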
@@ -58,19 +58,19 @@ The Active Directory solution comes with the following licensed modules: See the following topics for additional information: -- [Active Directory Changes Event Type](../policies/eventtype/activedirectorychanges.md) -- [Active Directory Lockdown Event Type](../policies/eventtype/activedirectorylockdown.md) -- [Active Directory Read Monitoring Event Type](../policies/eventtype/activedirectoryreadmonitoring.md) -- [AD Replication Monitoring Event Type](../policies/eventtype/adreplicationmonitoring.md) -- [AD Replication Lockdown Event Type](../policies/eventtype/adreplicationlockdown.md) -- [Authentication Monitoring Event Type](../policies/eventtype/authenticationmonitoring.md) -- [Authentication Lockdown Event Type](../policies/eventtype/authenticationlockdown.md) -- [Effective Group Membership Event Type](../policies/eventtype/effectivegroupmembership.md) -- [FSMO Role Monitoring Event Type](../policies/eventtype/fsmorolemonitoring.md) -- [GPO Setting Changes Event Type](../policies/eventtype/gposettingchanges.md) -- [GPO Setting Lockdown Event Type](../policies/eventtype/gposettinglockdown.md) -- [LSASS Guardian – Monitor Event Type](../policies/eventtype/lsassguardianmonitor.md) -- [LSASS Guardian – Protect Event Type](../policies/eventtype/lsassguardianprotect.md) +- [Active Directory Changes Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/activedirectorychanges.md) +- [Active Directory Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/activedirectorylockdown.md) +- [Active Directory Read Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/activedirectoryreadmonitoring.md) +- [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/adreplicationmonitoring.md) +- [AD Replication Lockdown Event 
Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/adreplicationlockdown.md) +- [Authentication Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationmonitoring.md) +- [Authentication Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/authenticationlockdown.md) +- [Effective Group Membership Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/effectivegroupmembership.md) +- [FSMO Role Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/fsmorolemonitoring.md) +- [GPO Setting Changes Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/gposettingchanges.md) +- [GPO Setting Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/gposettinglockdown.md) +- [LSASS Guardian – Monitor Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/lsassguardianmonitor.md) +- [LSASS Guardian – Protect Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/lsassguardianprotect.md) #### Enterprise Password Enforcer Solution @@ -80,7 +80,7 @@ The Enterprise Password Enforcer solution comes with the following licensed modu | --------------------------- | -------------------- | | Password Enforcement Module | Password Enforcement | -See the [Password Enforcement Event Type](../policies/eventtype/passwordenforcement.md) topics for +See the [Password Enforcement Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/passwordenforcement.md) topics for additional information. #### Exchange Solution 
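Review bot: the changed line in the `@@ -80,7 +80,7` hunk still reads "See the [Password Enforcement Event Type](...) topics for additional information" although it points to a single page. Change "topics" to "topic" so it matches the phrasing used for the other single-link references in this patch.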
@@ -94,8 +94,8 @@ The Exchange solution comes with the following licensed modules: See the following topics for additional information: -- [Exchange Changes Event Type](../policies/eventtype/exchangechanges.md) -- [Exchange Lockdown Event Type](../policies/eventtype/exchangelockdown.md) +- [Exchange Changes Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/exchangechanges.md) +- [Exchange Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/exchangelockdown.md) #### File System Solution @@ -113,11 +113,11 @@ event types assigned. See the following topics for additional information: -- [File System Changes Event Type](../policies/eventtype/filesystemchanges.md) – For Windows file +- [File System Changes Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/filesystemchanges.md) – For Windows file servers and/or NAS devices -- [File System Lockdown Event Type](../policies/eventtype/filesystemlockdown.md) – For Windows file +- [File System Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/filesystemlockdown.md) – For Windows file servers -- [File System Enterprise Auditor Event Type](../policies/eventtype/filesystementerpriseauditor.md) +- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/filesystementerpriseauditor.md) – For Windows file servers #### LDAP Solution 
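Review bot: the three File System links in the `@@ -113,11 +113,11` hunk, like the Exchange links before them, now hard-code the version segment in `/docs/threatprevention/7.5/...`, where the old `../policies/eventtype/...` form was independent of the version directory. Confirm that whatever process creates the next version's docs rewrites these paths; otherwise a copied tree will silently link back to the 7.5 pages. Also note that the File System Enterprise Auditor entry leaves its description on a separate context line (`– For Windows file servers`), so check that the list item still renders as one bullet.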
@@ -130,6 +130,6 @@ The LDAP solution comes with the following licensed modules: See the following topics for additional information: -- [LDAP Monitoring Event Type](../policies/eventtype/ldapmonitoring.md) -- [LDAP Lockdown Event Type](../policies/eventtype/ldaplockdown.md) -- [LDAP Bind Monitoring Event Type](../policies/eventtype/ldapbindmonitoring.md) +- [LDAP Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/ldapmonitoring.md) +- [LDAP Lockdown Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/ldaplockdown.md) +- [LDAP Bind Monitoring Event Type](/docs/threatprevention/7.5/threatprevention/admin/policies/eventtype/ldapbindmonitoring.md) diff --git a/docs/threatprevention/7.5/threatprevention/admin/navigation/overview.md b/docs/threatprevention/7.5/threatprevention/admin/navigation/overview.md index 66d5bf2d93..492c701a36 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/navigation/overview.md +++ b/docs/threatprevention/7.5/threatprevention/admin/navigation/overview.md 
@@ -20,19 +20,19 @@ The Administration Console has the following components: - Policy Center - Status Bar -![Threat Prevention Administration Console – Components](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/adminconsole.webp) +![Threat Prevention Administration Console – Components](/img/product_docs/threatprevention/threatprevention/admin/navigation/adminconsole.webp) There are also right-click commands available within different sections of the Policy Center. If the Administration Console user interface or windows do not display properly, see the -[Troubleshooting FAQs](../../troubleshooting/overview.md#troubleshooting-faqs) topic for +[Troubleshooting FAQs](/docs/threatprevention/7.5/threatprevention/troubleshooting/overview.md#troubleshooting-faqs) topic for information. ## Menu The Menu contains the following selections: -![Administration Console - Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/menu.webp) +![Administration Console - Menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/menu.webp) | Menu Item | Option | Description | | ------------- | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -40,19 +40,19 @@ The Menu contains the following selections: | | Rename | Opens a textbox to rename the selected policy, template, or folder in the Policy Center | | | Remove | Removes the selected policy, template, or folder from the Policy Center | | | Exit | Exit the Administration Console | -| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](../tools/exportpoliciestemplates.md) | -| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import Window](../tools/import.md) | -| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](../configuration/systemalerting/overview.md) | -| | Users | A security feature for configuring access to the Administration Console. Users are added and assigned rights through the [Users and Roles Window](../configuration/userroles/overview.md). | -| | Database > Server | Manage the events database in the [Events Database Configuration Window](../configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. | -| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](../configuration/databasemaintenance/overview.md). | -| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](../configuration/collectionmanager/overview.md) | -| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. 
It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](../configuration/eventfilteringconfiguration.md). | -| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](../configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. | -| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](../configuration/filemonitorsettings.md). | -| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](../configuration/epesettings.md). 
| +| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](/docs/threatprevention/7.5/threatprevention/admin/tools/exportpoliciestemplates.md) | +| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import Window](/docs/threatprevention/7.5/threatprevention/admin/tools/import.md) | +| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/systemalerting/overview.md) | +| | Users | A security feature for configuring access to the Administration Console. Users are added and assigned rights through the [Users and Roles Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/userroles/overview.md). | +| | Database > Server | Manage the events database in the [Events Database Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. | +| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/databasemaintenance/overview.md). | +| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/collectionmanager/overview.md) | +| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. 
It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/eventfilteringconfiguration.md). | +| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. | +| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/filemonitorsettings.md). | +| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](/docs/threatprevention/7.5/threatprevention/admin/configuration/epesettings.md). 
| | Help | Administration Console Help | Opens the internal help documentation | -| | License Manager | Opens the Threat Prevention [License Manager Window](licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed | +| | License Manager | Opens the Threat Prevention [License Manager Window](/docs/threatprevention/7.5/threatprevention/admin/navigation/licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed | | | About Netwrix Threat Prevention Administration Console | Opens the Administration Console window where the product version, copyright, and the Netwrix website link are displayed | ## Policy Center 
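Review bot: the rewritten Configuration > Alerts row in the `@@ -40,19 +40,19` table hunk still reads `SEIM alerts`. The row is being replaced anyway, so correct it to `SIEM`, matching the "Event Log or SIEM tab" wording in licensemanager.md. The Event Filtering row likewise carries over "when the delivery of AD Events are delayed", which should read "is delayed". The replaced rows are also much wider than the header separator row; that renders correctly but makes future diffs of this table harder to read, so consider re-aligning it in a follow-up.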
@@ -60,18 +60,18 @@ The Menu contains the following selections: The Policy Center is the primary interface of the Administration Console. It is divided into two sections: the Navigation pane and the Display area. -![Administration Console – Policy Center](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/policycenter.webp) +![Administration Console – Policy Center](/img/product_docs/threatprevention/threatprevention/admin/navigation/policycenter.webp) The Navigation pane provides interface options while the Display area displays the selected interface. The following interface options are available: -- [Agents Interface](../agents/overview.md) -- [Alerts Interface](../alerts/overview.md) -- [Investigate Interface](../investigate/overview.md) -- [Analytics Interface](../analytics/overview.md) -- [Policies Interface](../policies/overview.md) -- [Templates Interface](../templates/overview.md) -- [Tags Node](../tags/overview.md) +- [Agents Interface](/docs/threatprevention/7.5/threatprevention/admin/agents/overview.md) +- [Alerts Interface](/docs/threatprevention/7.5/threatprevention/admin/alerts/overview.md) +- [Investigate Interface](/docs/threatprevention/7.5/threatprevention/admin/investigate/overview.md) +- [Analytics Interface](/docs/threatprevention/7.5/threatprevention/admin/analytics/overview.md) +- [Policies Interface](/docs/threatprevention/7.5/threatprevention/admin/policies/overview.md) +- [Templates Interface](/docs/threatprevention/7.5/threatprevention/admin/templates/overview.md) +- [Tags Node](/docs/threatprevention/7.5/threatprevention/admin/tags/overview.md) Several right-click menus and additional features are available within these interfaces. 
@@ -137,6 +137,6 @@ node. The Status Bar is located at the bottom of the Administration Console. -![statusbar](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/statusbar.webp) +![statusbar](/img/product_docs/threatprevention/threatprevention/admin/navigation/statusbar.webp) It displays the current user account logged into Threat Prevention and current session details. diff --git a/docs/threatprevention/7.5/threatprevention/admin/navigation/rightclickmenus.md b/docs/threatprevention/7.5/threatprevention/admin/navigation/rightclickmenus.md index 4e32988335..d3ebac35ea 100644 --- a/docs/threatprevention/7.5/threatprevention/admin/navigation/rightclickmenus.md +++ b/docs/threatprevention/7.5/threatprevention/admin/navigation/rightclickmenus.md 
@@ -7,18 +7,18 @@ Alerts Node From the Agents node, the right-click menu can be used to install the Agent. -![Agents node - Right-click Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/agentsmenu.webp) +![Agents node - Right-click Menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/agentsmenu.webp) | Right-Click Command | Description | | ------------------- | ----------------------------------------------------------------------------------- | -| Install Agent | Opens the [Deploy Agents Wizard](../agents/deploy/overview.md#deploy-agents-wizard) | +| Install Agent | Opens the [Deploy Agents Wizard](/docs/threatprevention/7.5/threatprevention/admin/agents/deploy/overview.md#deploy-agents-wizard) | Saved ‘Filtered Investigate’ Nodes From the node of a saved ‘Filtered Investigate’ view, the right-click menu allows you to delete the saved view. -![Saved ‘Filtered Investigate’ Nodes - Right-click Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/savedinvestigateviewnode.webp) +![Saved ‘Filtered Investigate’ Nodes - Right-click Menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/savedinvestigateviewnode.webp) | Right-Click Command | Description | | ------------------- | --------------------------------------------- | @@ -29,7 +29,7 @@ Policies and Templates Nodes From the Policies and Templates nodes, the right-click menu is limited to adding new folders to the selected section. -![Policies and Templates Nodes - Right-click Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/policiestemplatesnodes.webp) +![Policies and Templates Nodes - Right-click Menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/policiestemplatesnodes.webp) | Right-Click Command | Description | | --------------------- | --------------------------------------------- | 
@@ -39,7 +39,7 @@ Folder Node From a Folder node, the right-click menu contains these commands. -![Folder Node - Right-click Menu](../../../../../../static/img/product_docs/threatprevention/threatprevention/admin/navigation/foldermenu.webp) +![Folder Node - Right-click Menu](/img/product_docs/threatprevention/threatprevention/admin/navigation/foldermenu.webp) | Right-Click Command | Description | | ----------------------- | ----------------------------------------------------------------------------------------------------- | @@ -51,14 +51,14 @@ From a Folder node, the right-click menu contains these commands. | Paste | Pastes a copied policy/template into the selected folder | **NOTE:** If the logged in user does not have the **Manage Policies** permissions for a protected -policy, these options are grayed-out. See the [Policies Interface](../policies/overview.md) topic +policy, these options are grayed-out. See the [Policies Interface](/docs/threatprevention/7.5/threatprevention/admin/policies/overview.md) topic for additional information on protection. `` and `